security and verification lecture 3: what kind of attacks are there? - chosen ciphertexts attacks...
TRANSCRIPT
![Page 1: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/1.jpg)
SECURITY AND VERIFICATION
Lecture 3: What kind of attacks are there? - Chosen Ciphertexts AttacksTamara RezkINDES TEAM, INRIA January 17th, 2012
![Page 2: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/2.jpg)
Plan Lecture 1 Chosen Plaintext Attacks (CPA assumption)
CPA schemes: ElGamal, Paillier
Lecture 2 Game-based proofs CPA proof: ElGamal
Today: CPA proof: Paillier Limits on provable cryptography Chosen Ciphertext Attacks (CCA assumption) CCA1 proof: using proof of knowledge-zero knowledge (PKZK) From interactive to non-interactive PKZK CCA2 an example of a CCA2 scheme
![Page 3: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/3.jpg)
Observational EquivalenceP0 and P1 are observational equivalent with respect to
variable x, denoted P0 {x} P1 if
Pr[P0; x = v] = Pr[P1; x =v] for all v
P0 and P1 are observational equivalent with respect to variable x, denoted P0 {x1..xn} P1 if
Pr[P0; x1 = v1 ˄.. x2 = v2 ˄..] = Pr[P1; x1 = v1 ˄.. x2 = v2 ˄..]
for all v1…vn
![Page 4: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/4.jpg)
Game-based proofsHow to prove cryptography?
G0 G1 G2 … Gn
For each arrow, we have that either :
Pr[Gi; g=b] ≤ Pr[Gi+1; g=b]
or
Gi {g} Gi+1
![Page 5: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/5.jpg)
PAILLIER ENCRYPTIO
NPaillier encryption
Assume that generateN() is a probabilistic function that generates two primes with the property that gcd(p*q, (p*q) ) = 1 and g with g a generator for the multiplicative group {1 … n2-1}. Then Paillier encryption is defined by:
G() =
p,q,g:= generateN(); n := p * q;
ke := (n, g); kd:= (p,q)
Assume x is in {1…n-1}
E (x, (n,g)) = y := {1.. n-1}; c:= yn * g x mod n2
![Page 6: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/6.jpg)
PROVABLE CRYPTO
GRAPH
Y
Decisional Reduosity Assumption
CR(x0, x1 ) = if (b = 0)
then {y:= {1..n-1}; c :=yn mod n2}
else {c:= {1.. n2 -1}}
DRA = b := {0,1};
p,q,q:= generateN(); n := p * q;
B[CR]
| Pr[DRA; g’ =b] - ½ | is negligible for ɳ (ɳ is called security parameter, order of the group , ie n2 -1 ) . Attacker B does not have p, or q.
![Page 7: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/7.jpg)
PROVABLE CRYPTO
GRAPH
Y
Decisional Reduosity Assumption
CR(x0, x1 ) = if (b = 0)
then {y:= {1..n-1}; c :=yn mod n2}
else {c:= {1.. n2 -1}}
DRA = b := {0,1};
p,q,g:= generateN(); n := p * q;
B[CR]
| Pr[DRA; g’ =b] - ½ | is negligible for ɳ (ɳ is called security parameter, order of the group , ie n2 -1 )
nth residuo modulo n2
![Page 8: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/8.jpg)
PROVABLE CRYPTO
GRAPH
Y
Chosen-plaintext attack (CPA)
E(x0, x1 ) = if (b = 0)
then {c := E (x0, ke)}
else {c := E(x1,ke)};
CPA = b := {0,1};
ke, kd := G(); A[E]
| Pr[CPA; g =b] - ½ | is negligible for ɳ (ɳ is called security parameter)
![Page 9: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/9.jpg)
THEO
REMTHEOREM
Theorem
Paillier encryption scheme is resistent to Chosen Plaintext Attacks
![Page 10: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/10.jpg)
PROO
F OF CPA O
F PAILLIERGAME 0
E(x0, x1 ) = if (b = 0)
then {c := E (x0, ke)}
else {c := E(x1,ke)};
CPApaillier = b := {0,1};
ke, kd := G(); A[E]
![Page 11: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/11.jpg)
PROO
F OF CPA O
F PAILLIERstep 1: INLINE
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 }
CPApaillier1 = b := {0,1};
p,q,q:= generateN(); n := p * q;
ke := (n, g); kd:= (p,q);
A[E]
![Page 12: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/12.jpg)
PROO
F OF CPA O
F PAILLIERstep 1: INLINE
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 }
CPApaillier1 = b := {0,1};
p,q,q:= generateN(); n := p * q;
ke := (n, g); kd:= (p,q);
A[E]
CPApaillier {g} CPApaillier1
![Page 13: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/13.jpg)
PROO
F OF CPA O
F PAILLIERstep 2: DEADCODE
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 }
CPApaillier1 = b := {0,1};
p,q,q:= generateN(); n := p * q;
ke := (n, g); kd:= (p,q);
A[E]
![Page 14: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/14.jpg)
PROO
F OF CPA O
F PAILLIERstep 2: DEADCODE
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 }
CPApaillier2 = b := {0,1};
p,q,q:= generateN(); n := p * q;
ke := (n, g); A[E]
CPApaillier1 {g} CPApaillier2
![Page 15: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/15.jpg)
PROO
F OF CPA O
F PAILLIERstep 3 INLINE
CR(x0, x1 ) = if (b = 0)
then {y:= {1..n-1}; c :=yn mod n2}
else {c:= {1.. n2 -1}}
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 }
DRA = b := {0,1};
p,q,q:= generateN(); n := p * q; B[CR]
B = ke := (n, g);
A[CR; c:= c * g x0 mod n2 ]; g0:=g;
A[CR; c:= c * g x1 mod n2 ]; g1:=g;
if (g0 =0 OR g1 =1 ) then g’ = 0 else g’:= 1
![Page 16: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/16.jpg)
PROO
F OF CPA O
F PAILLIERCalculating probabilities
CR(x0, x1 ) = if (b = 0)
then {y:= {1..n-1}; c :=xn mod n2}
else {c:= {1.. n2 -1}}
DRA = b := {0,1};
p,q,q:= generateN(); n := p * q; B[CR]
B = ke := (n, g);
A[CR; c:= c * g x0 mod n2 ]; g0:=g;
A[CR; c:= c * g x1 mod n2 ]; g1:=g;
if (g0 =0 OR g1 =1 ) then g’ = 0 else g’:= 1½ Pr[CPApaillier2;g=b] = Pr[DRA;g’=0 and b=0]
½ Pr[CPApaillier2;g=b] ≤ Pr[DRA;g’=b]
![Page 17: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/17.jpg)
½ Pr[CPApaillier2;g=b] = Pr[DRA;g’=1 and b=1]
½ Pr[CPApaillier2;g=b] ≤ Pr[DRA;g’=b]
PROO
F OF CPA O
F PAILLIERstep 3 INLINE
CR(x0, x1 ) = if (b = 0)
then {y:= {1..n-1}; c :=xn mod n2}
else {c:= {1.. n2 -1}}
DRA = b := {0,1};
p,q,q:= generateN(); n := p * q; B[CR]
B = ke := (n, g);
A[CR; c:= c * g x0 mod n2 ]; g0:=g;
A[CR; c:= c * g x1 mod n2 ]; g1:=g;
if (g0 =0 OR g1 =1 ) then g’ = 1 else g’:= 0
negligible
![Page 18: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/18.jpg)
![Page 19: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/19.jpg)
NO
![Page 20: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/20.jpg)
Assume that generateN() is a probabilistic function that generates two primes with the property that gcd(p*q, (p*q) ) = 1 and g with g a generator for the multiplicative group {1 … n2-1}. Then Paillier encryption is defined by:
G() = p,q,q:= generateN(); n := p * q; ke := (n, g); kd:= (p,q)Assume x is in {1…n-1}
E (x, (n,g)) = y := {1.. n-1}; c:= yn * g x mod n2
E (x0, (n,g)) * E (x1, (n,g)) =
y0n * g
x0 mod n2 * y1n * g
x1 mod n2 =
y0n *y1 n * g
x0 *g x1 mod n2 =
(y0 *y1 )n * g
x0 +x1 mod n2 =
E (x0+x1, (n,g))
A property of Paillier encryptions:
![Page 21: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/21.jpg)
E(x0, x1 ) = if (b = 0)
then {y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {y := {1.. n-1}; c:= yn * g x1 mod n2 };
log := log + m
D(m) = if (m log)
then {x := 0}
else {x := D(m,kd)};
GamePaillier = b := {0,1}; p,q,q:= generateN();
n := p * q;ke := (n, g); kd:= (p,q);A[E, D]
![Page 22: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/22.jpg)
E(x0, x1 ) = if (b = 0)
then {m:=x0;y := {1.. n-1}; c:= yn * g x0 mod n2 }
else {m:=x1;y := {1.. n-1}; c:= yn * g x1 mod n2 };
log := log + c
D(m) = if (m log)
then {x := 0}
else {x := D(m,kd)};
GamePaillier = b := {0,1}; p,q,q:= generateN();
n := p * q;ke := (n, g); kd:= (p,q);A[E, D]
A[E, D] = x0 := 1; x1 := 2; E; m:=c * c; D;
if (x = 2) then g:=0 else g:=1
![Page 23: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/23.jpg)
We have proved Paillier to be CPA.This is only one kind of attack. Paillier is secure for an adversary with the power of making chosen plaintext attacks (usually, the weaker kind of attack possible), but not for all possible attacks: for example, it is not secure for chosen ciphertext attacks.
Important: Provable cryptography only guarantees that no partial information is reveal for a given class of attack. It does not imply total security.
![Page 24: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/24.jpg)
Another Look to Provable Cryptography
“the treatment of hashed ElGamal encryption in is in some sense a remarkable achievement … so successful in turning something that should be interesting and accessible to everyone into something lengthy, unreadable, and boring.”
Neal Koblitz
![Page 25: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/25.jpg)
Another Look to ElGammal …
![Page 26: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/26.jpg)
Another Look to Provable Cryptography• A security theorem is conditional in a strong sense — it assumes the intractability of some mathematical problem…
• Often the intractability assumption is made for a complicated and contrived problem that has never been carefully studied. In fact, in some cases the problem is trivially equivalent to the cryptanalysis problem for the protocol whose security is being "proved," and the "proof" is essentially circular.
• Certain attacks — especially side-channel attacks — are very hard to model, and the models that have been proposed are woefully inadequate. The problem is that the adversary is always coming up with ingenious new methods to compromise the security of a cryptographic system.
•AND MORE Neal Koblitz
![Page 27: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/27.jpg)
Chosen Ciphertext Attacks (CCA)• CCA are strong forms of active attacks
• We will see two type of them a priori CCA and a posteriori CCA
• In both, the adversary has access to decryption requests
• CAVEAT: some use CCA to mean CCA2
![Page 28: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/28.jpg)
Chosen-cyphertext attack 2 (CCA1)
E = if (b = 0)
then {m := E (x0, ke)}
else {m := E(x1,ke)};
CCA1 = b := {0,1};
ke, kd := Ge(); A[D]; E;A’
D = x := D(m,kd);
![Page 29: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/29.jpg)
Example: A CCA1 scheme We will define a CCA1 scheme < G’, E’ , D’ >
It is based on a CPA scheme < G , E , D >
It is based on a non-interactive ZK scheme (P , V , R, S)
![Page 30: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/30.jpg)
Proof of Knowledge Zero Knowledge
a prover gives a proof of some secret that he knows
![Page 31: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/31.jpg)
Proof of Knowledge Zero Knowledge
a prover gives a proof of some secret that he knowsbut without revealing the secret!
![Page 32: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/32.jpg)
Proof of Knowledge Zero Knowledge
a prover gives a proof of some secret that he knowsbut without revealing the secret!
Example: If x in Zq is the secret, the prover can exhibit witnesses based on gx
, showing that he knows x
(a concrete protocol later)
![Page 33: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/33.jpg)
Proof of Knowledge Zero Knowledge: properties
ZK schemes have to satisfy: Soundness: the verification procedure cannot
“accept” valid false statements, except for negligible probability
Completeness: if a statement is true then the verifier “accepts” it, except for negligible probability
Zero-Knowledge: the adversary cannot guess the secret by using the scheme!
![Page 34: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/34.jpg)
Proof Systems Schemes for ZKA proof of knowledge zero knowledge scheme is a tuple
(P , V , R, S) P (prover) is a probabilistic program that takes as inputs
a secret s, a witness w, and outputs a proof p in DV (verifier) is a probabilistic program that takes a witness
and a proof and outputs zero or oneR is a NP relation that depends on secret s S is a simulator, a probabilistic program that outputs a
“proof” in D without using secret s.
(we do not include here the algorithm for “extraction”)
![Page 35: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/35.jpg)
Zero Knowledge (indistinguishability)O = if (b = 0)
then {p := P (s, w)}
else {p:= S(w)};
ZK = b := {0,1};
A[O]
![Page 36: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/36.jpg)
Example: A CCA1 scheme (Naor-Yung) We will define a CCA1 scheme < G’, E’ , D’ >It is based on a CPA scheme < G , E , D >It is based on a ZK scheme (P , V , R, S)
G’‘ ( ) =
k0e, k0d:= G( ); k1e, k1d:= G( )
E ‘(x, (k0e , k1e)) =
e0, e1 := E (x, k0e ); E (x, k1e);
p:= P(e0, e1, x); c:= e0,e1, p0,p1,p
D ‘ ((e0,e1, p), (k0e , k1e)) =
if V(e0, e1,,p) = true then x: = D(e1, k1d)
![Page 37: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/37.jpg)
Proof of CCA1 of Naor-Yung scheme Naor-Yung scheme is CCA1
Theorem
Naor-Yung encryption scheme is resistent to Chosen Ciphertext Attacks version 1 (CCA1)
![Page 38: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/38.jpg)
E = if (b = 0)
then {m := E (x0, ke)}
else {m := E(x1,ke)};
CCA1 = b := {0,1};
ke, kd := Ge(); A[D]; E;A’
D = x := D(m,kd);
![Page 39: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/39.jpg)
E = if (b = 0)
then {e0, e1 := E r0 (x0, k0e ); Er1 (x0, k1e);
p0,p1,p:= P (e0, e1, x0, r0,r1,); c:= e0,e1, p0,p1,p }
else {e0, e1 := E r0’ (x1, k0e ); Er1’ (x1, k1e);
p:= P(e0, e1, x1, r0’,r1’); c:= e0,e1, p0,p1,p
};
CCA1-1 = b := {0,1};
k0e, k0d:= G( );
k1e, k1d:= G( )
A[D]; E;A’
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)Inline
CCA1 {g} CCA1-1
![Page 40: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/40.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e);
p0,p1,p:= S(e0, e1);c:= e0,e1, p0,p1,p }
else {e0, e1 := E (x1, k0e ); E (x1, k1e);
p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p
};
CCA1-2 = b := {0,1};
k0e, k0d:= G( );
k1e, k1d:= G( )
A[D]; E; A’
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)Zero knowledge
CCA1-1 {g} CCA1-2
![Page 41: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/41.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e);
}
else {e0, e1 := E (x1, k0e ); E (x1, k1e);
};
CCA1-3 = b := {0,1};
k0e, k0d:= G( );
k1e, k1d:= G( )
A[D]; E; p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p ; A’
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)Code motion
CCA1-2 {g} CCA1-3
![Page 42: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/42.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e);
}
else {
e0, e1 := E (x1, k0e ); E (x1, k1e); };
CCA1-4 = b := {0,1};
k0e, k0d:= G( );
BB = k1e, k1d:= G( ) ;
A[D]; E; p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p ; A’
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)Inline
CCA1-3 {g} CCA1-4
![Page 43: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/43.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e); }
else {e0, e1 := E (x1, k0e ); E (x1, k1e); };
E’ = if (b = 0)
then {e0, := E (x0, k0e ) }
else {e0 := E (x1, k0e ) };
CPA = b := {0,1};
k0e, k0d:= G( );
BB = k1e, k1d:= G( ) ;A[D]; E’; e1 := E (x0, k1e );
p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p ; if V(e0, e1,p0,p1,p) = true then A’ else g:=1
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)A cpa attacker
![Page 44: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/44.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e); }
else {e0, e1 := E (x1, k0e ); E (x1, k1e); };
E’ = if (b = 0)
then {e0, := E (x0, k0e ) }
else {e0 := E (x1, k0e ) };
CPA = b := {0,1};
0e, k0d:= G( );
BB = k1e, k1d:= G( ) ;A[D]; E’; e1 := E (x0, k1e );
p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p ; if V(e0, e1,p0,p1,p) = true then A’ else g:=1
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)A cpa attacker
Pr[CCA1-4;g=b]=
Pr[CCA1-4;g=0 and b=0] +
Pr[CCA1-4;g=1 and b=1] =
1/2 Pr[CPA;g=b] + 1/2
![Page 45: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/45.jpg)
E = if (b = 0)
then {e0, e1 := E (x0, k0e ); E (x0, k1e); }
else {e0, e1 := E (x1, k0e ); E (x1, k1e); };
E’ = if (b = 0)
then {e0, := E (x0, k0e ) }
else {e0 := E (x1, k0e ) };
CPA = b := {0,1};
0e, k0d:= G( );
BB = k1e, k1d:= G( ) ;A[D]; E’; e1 := E (x0, k1e );
p0,p1,p:= S(e0, e1); c:= e0,e1, p0,p1,p ; if V(e0, e1,p0,p1,p) = true then A’ else g:=1
D = if V(e0, e1,p0,p1,p) = true then x: = D(e1, k1d)A cpa attacker
Pr[CCA1-4;g=b]=
Pr[CCA1-4;g=0 and b=0] +
Pr[CCA1-4;g=1 and b=1] =
1/2 Pr[CPA;g=b] + 1/2
negligeable
![Page 46: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/46.jpg)
There is a secret x that the prover wants to prove that he knowsThe NP relation that depends on x is “logg z = x and logh z’ = x“ , where g and h are generators for the multiplicative group { 1…q-1}The protocol for generating a proof is P0;V0;P1 and to verify isV1 where:
P0(g,h) = w := {1…q-1} la, lb := gw, hw
V0 (la,lb) = lc := {1…q-1}; P1 (w,x ,lc) = p := w + x * lc mod q
V0 ( p, la,lb , gx, hx ) = if (gp = la * gx*lc and hp = lb * hx*lc ) then true else false
![Page 47: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/47.jpg)
Exercise: Assume that lc := {1…q-1} and that lc is a parameter of P0. Show that in the protocol for generating a proof is P0; P1 and to verify V1 the prover can cheat (he can prove he knows x, without knowing it)
P0(g,h,lc) = w := {1…q-1} la, lb := gw, hw
P1 (w,x ,lc) = p := w + x * lc mod q
V0 ( p, la,lb , gx, hx ) = if (gp = la * gx*lc and hp = lb * hx*lc ) then true else false
![Page 48: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/48.jpg)
From interactive to non-interactive
There is a secret x that the prover wants to prove that he knowsThe NP relation that depends on x is “logg z = x and logh z’ = x“ , where g and h are generators for the multiplicative group { 1…q-1}The protocol for generating a proof is P and to verify is V where:
P(g,h,x) = w := {1…q-1} a, b := gw, hw
lc := H( a + b); p := w + x * lc mod q
V ( p, lc , gx, hx ) = a, b := gx lc * gp, hx lc * hp if (H(a+b) = lc ) then true else false
![Page 49: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/49.jpg)
Chosen-cyphertext attack 2 (CCA2)
E = if (b = 0)
then {m := E (x0, ke)}
else {m := E(x1,ke)};
log := log + m
CCA2 = b := {0,1};
log := nil;
ke, kd := Ge(); A[E,D]
D = if (m log)
then {x := 0}
else {x := D(m,kd)};
![Page 50: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/50.jpg)
Let H : { 0,1}l {0,1}l
G : { 0,1}l {0,1}p-l
be two hash functions
RSA-OAEP –ENC (m,ke)=r := { 0,1}l ;s:= H( r ) + m; t := G(s) + rc:= rsa-enc(s++t,ke)
RSA-OAEP –DEC (c,kd)=(s,t) := rsa-dec(c,kd) ;r:= t + G(s) ;m: = s + H( r )
![Page 51: SECURITY AND VERIFICATION Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks Tamara Rezk INDES TEAM, INRIA January 17 th, 2012](https://reader030.vdocuments.mx/reader030/viewer/2022032516/56649c755503460f9492818b/html5/thumbnails/51.jpg)
READIN
GSlides, Notes, Bibliography
• Slides and exercises: www-sop.inria.fr/members/Tamara.Rezk/teaching
• Public-key Cryptosystems Provably Secure againstChosen Ciphertext Attacks – Naor, Yung
• Non-Interactive Proof of Knowledge and ChosenCiphertext Attacks Rackoff, Simon
• Another Look to Provable Cryptography – Neal Koblitz http://anotherlook.ca/
• Code-based Game-Playing Proofs and the Security of Triple Encryption – Bellare, Rogaway