CSA E0 235: Cryptography
19 April 2015
Scribe for Lecture # 11
Instructor: Arpita Patra
Submitted by: Nithin V Nath

1 CCA Secure KEM Scheme
In the previous lecture a CPA secure KEM scheme called the ElGamal like KEM was introduced. We will now show that this scheme is CCA secure under a different assumption called Oracle Diffie-Hellman.

1.1 Oracle Diffie-Hellman (ODH) Assumption
Definition 1 We say the ODH problem is hard relative to $(G, o)$ and a hash function $H : G \to \{0,1\}^m$ if for all $A \in \mathrm{PPT}$:

$$\left|\Pr\left[A^{O_y(\cdot)}(G, o, q, g, g^x, g^y, H(g^{xy})) = 1\right] - \Pr\left[A^{O_y(\cdot)}(G, o, q, g, g^x, g^y, r) = 1\right]\right| \le \mathrm{negl}(n) \quad (1)$$

That is, it is hard to distinguish $H(g^{xy})$ from a random string $r \in \{0,1\}^m$ even given $g^x$, $g^y$ and oracle access $O_y(\cdot)$, where $O_y(x) := H(x^y)$. Note that $g^x$ cannot be queried. ♦

The ODH assumption is the belief that there exist a group and a hash function that satisfy the above definition.
1.2 ElGamal like KEM

ElGamal like KEM (Π)
Gen($1^n$):
  $(G, o, q, g)$
  Pick random $x$ (secret key)
  $h = g^x$
  $pk = (G, o, q, g, h, H)$
  $sk = x$
Encaps$_{pk}(1^n)$:
  $c = g^y$ for random $y$
  $k = H(h^y) = H(g^{xy})$
  Output $(c, k)$
Dec$_{sk}(c)$:
  $k = H(c^x) = H(g^{xy})$

Theorem 1 Π is a CCA-secure KEM under the ODH assumption.
2 Diffie-Hellman Integrated Encryption Scheme (DHIES), ISO/IEC 18033-2

DHIES is a CCA secure hybrid encryption scheme which uses
• an ElGamal like KEM
• a CPA secure SKE
• a strong CMA secure MAC.
2.1 Construction

Gen$_{Hyb}$:
  $(G, o, q, g)$
  Pick random $x$ (secret key)
  $h = g^x$
  $H : G \to \{0,1\}^{2n}$
  $pk = (G, o, q, g, h, H)$
  $sk = x$
Enc$^{Hyb}_{pk}(m)$:
  $c = g^y$ for random $y$
  $k = (k_E \| k_M) = H(h^y) = H(g^{xy})$
  $c_{CPA} = \mathrm{Enc}^{CPA}_{k_E}(m)$
  $t_{MAC} = \mathrm{Mac}^{sCMA}_{k_M}(c_{CPA})$
  $c_{SKE} = (c_{CPA}, t_{MAC})$
  Output $(c, c_{SKE})$
Dec$^{Hyb}_{sk}(c, c_{SKE})$:
  $(k_E \| k_M) = H(c^x) = H(g^{xy})$
  $\mathrm{Vrfy}^{sCMA}_{k_M}(c_{CPA}, t_{MAC})$ (reject if it fails)
  $m = \mathrm{Dec}^{CPA}_{k_E}(c_{CPA})$
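The DHIES construction above, written out as an added example (not code from the lecture or from the ISO standard). It assumes a toy safe-prime group (p = 1019, q = 509, g = 4), SHA-512 as H : G → {0,1}^{2n}, a PRF-keystream XOR as the CPA-secure SKE and HMAC-SHA256 as the strong MAC; the group size is chosen for readability only.

```python
import hashlib
import hmac
import secrets

# Toy safe-prime group, constructed for illustration only and far too small for
# real use: p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def H(elem: int) -> bytes:
    # H : G -> {0,1}^{2n} with 2n = 512 bits; the output is split as kE || kM.
    return hashlib.sha512(elem.to_bytes(2, "big")).digest()

def gen_hyb():
    x = secrets.randbelow(Q - 1) + 1        # sk = x in Z_q^*
    return pow(G, x, P), x                  # pk = h = g^x

def ske_enc(kE: bytes, m: bytes) -> bytes:
    # CPA-secure SKE: XOR with a PRF keystream under a fresh random nonce
    # (assumes |m| <= 32 bytes; a longer message would need a counter mode).
    nonce = secrets.token_bytes(16)
    ks = hmac.new(kE, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(m, ks))

def ske_dec(kE: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    ks = hmac.new(kE, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, ks))

def enc_hyb(h: int, m: bytes):
    y = secrets.randbelow(Q - 1) + 1
    c = pow(G, y, P)                        # KEM ciphertext c = g^y
    k = H(pow(h, y, P))                     # k = H(h^y) = H(g^{xy})
    kE, kM = k[:32], k[32:]
    c_cpa = ske_enc(kE, m)
    t_mac = hmac.new(kM, c_cpa, hashlib.sha256).digest()   # strong MAC over c_CPA
    return c, (c_cpa, t_mac)

def dec_hyb(x: int, c: int, c_ske):
    c_cpa, t_mac = c_ske
    k = H(pow(c, x, P))                     # H(c^x) = H(g^{xy})
    kE, kM = k[:32], k[32:]
    expected = hmac.new(kM, c_cpa, hashlib.sha256).digest()
    if not hmac.compare_digest(t_mac, expected):
        return None                         # Vrfy failed: reject the ciphertext
    return ske_dec(kE, c_cpa)
```

Tampering with either the KEM part c or the symmetric part c_CPA changes the derived k_M or the MAC input, so Vrfy fails and decryption returns None instead of a related plaintext.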
3 Cramer-Shoup Cryptosystem

The Cramer-Shoup system is a public key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie-Hellman assumption.
We will use the following route-map to build step by step towards the Cramer-Shoup cryptosystem and at the same time analyse each of those steps.
1. An alternative formulation of the DDH assumption
2. CPA secure scheme
3. CCA1 secure scheme
4. CCA secure scheme
3.1 Alternate view of Decisional Diffie-Hellman

Let $(G, o, q, g)$ be a cyclic group where $q$ is the order and $g$ the generator. Recall the DDH assumption, which says that given $g^a$ and $g^b$, $g^{ab}$ "looks random". More formally,

Assumption (Decisional Diffie-Hellman) Given a group $(G, o, q, g)$ and $x, y, z'$ chosen uniformly at random from $\mathbb{Z}_q$, and $z = xy$, any probabilistic polynomial time algorithm $A$ can distinguish between $(g, g^x, g^y, g^z)$ and $(g, g^x, g^y, g^{z'})$ with only negligible probability.

$$\left|\Pr[A(g, g^x, g^y, g^z) = 1] - \Pr[A(g, g^x, g^y, g^{z'}) = 1]\right| \le \mathrm{negl}(n)$$

Now we try to rewrite the above formulation using the following fact.

Fact 2 In a cyclic group of prime order, all elements except the identity element are generators.

Define two generators $g_0, g_1$ where
$$g_0 = g, \qquad g_1 = g^x$$
$g^y$ and $g^{xy}$ can then be rewritten in terms of $g_0$ and $g_1$:
$$g^y = g_0^y, \qquad g^{xy} = g_1^y \quad (2)$$
So the tuples in the DDH assumption become
$$(g_0, g_1, g_0^y, g_1^y) \quad \text{(DDH tuple)}$$
$$(g_0, g_1, g_0^y, g_1^{y'}) \quad \text{($y'$ random; non-DDH tuple)}$$
Therefore the DDH assumption can be rewritten as

Assumption (Alternate Decisional Diffie-Hellman) Given a group $(G, o, q, g)$ and $g_0, g_1$ chosen uniformly at random from $G$, and $r, r' \in \mathbb{Z}_q$, any probabilistic polynomial time algorithm $A$ can distinguish between $(g_0, g_1, g_0^r, g_1^r)$ and $(g_0, g_1, g_0^r, g_1^{r'})$ with only negligible probability.

$$\left|\Pr[A(g_0, g_1, g_0^r, g_1^r) = 1] - \Pr[A(g_0, g_1, g_0^r, g_1^{r'}) = 1]\right| \le \mathrm{negl}(n) \quad (3)$$
Now we can see how this alternate formulation leads to an encryption scheme. We would like the following scenario:
• The receiver constructs a public key $u$ from $(G, o, q, g_0, g_1)$ with the help of a secret $(x, y)$.
• The sender should be able to add a randomness $r$ to the public key and form $v$. This $v$ can be used to encrypt the message.
• The security of the scheme must rest on the alternate DDH assumption.
3.1.1 Randomization

To meet these, consider the following randomization:
• Input: $(g_0, g_1, h_0, h_1)$
• Output:
  – Pick random $(x, y)$ from $\mathbb{Z}_q$
  – $u = g_0^x \cdot g_1^y$
  – $v = h_0^x \cdot h_1^y$

Case 1: The input was a DDH tuple $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^r)$.
Claim 3 $u^r = v$
Proof $u^r = (g_0^x \cdot g_1^y)^r = g_0^{rx} \cdot g_1^{ry} = h_0^x \cdot h_1^y = v$

Case 2: The input was not a DDH tuple $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'})$.
Claim 4 Given $(g_0, g_1, h_0, h_1, u)$, an unbounded adversary can guess $v$ with probability at most $1/|G|$.
Proof From the given data, $A$ can compute $r, r', \alpha, R$ where $g_1 = g_0^{\alpha}$ and $R$ is the discrete log of $u$ to base $g_0$.
$$u = g_0^R = g_0^x \cdot g_1^y = g_0^{x + \alpha y}$$
$$v = h_0^x \cdot h_1^y = g_0^{rx} \cdot g_1^{r'y} = g_0^{rx + \alpha r' y}$$
From these two equations we get
$$x + \alpha y = R \quad \text{and} \quad rx + \alpha r' y = R'$$
There are three unknown variables $R', x, y$ but only two equations. Therefore there are infinitely many solutions. So the best $A$ can do is guess $v$ at random.

One key observation in the randomization is that $v$ can be computed in two ways:
1. Given $x, y, h_0, h_1$: $v = h_0^x \cdot h_1^y$
2. Given $r, u$: $v = u^r$
Using this we can arrive at a CPA-secure scheme.
3.2 CPA Secure Scheme

Consider the following Gen, Enc and Dec algorithms:

Scheme 1
Gen($1^n$):
  $(G, o, q, g_0, g_1)$
  Pick random $(x, y)$ from $\mathbb{Z}_q$
  Compute $u = g_0^x \cdot g_1^y$
  $pk = (G, o, q, g_0, g_1, u)$, $sk = (x, y)$
Enc$_{pk}(m)$:
  Pick random $r$ from $\mathbb{Z}_q$
  $h_0 = g_0^r$, $h_1 = g_1^r$
  $c = u^r \cdot m = v \cdot m$
  Return $(h_0, h_1, c)$
Dec$_{sk=(x,y)}(h_0, h_1, c)$:
  $v = h_0^x \cdot h_1^y$
  $m = c/v$
Theorem 5 If DDH is hard, then Π (Scheme 1) is a CPA-secure scheme.
Proof Assume Π is not CPA-secure. Then there exists a PPT adversary $A$ and a polynomial $p(n)$ such that
$$\Pr\left[\mathrm{PubK}^{cpa}_{A,\Pi}(n) = 1\right] > \frac{1}{2} + \frac{1}{p(n)} \quad (4)$$
We can use this adversary to break the DDH assumption. The distinguisher $D$ receives a tuple $(g_0, g_1, h_0, h_1)$, picks $(x, y)$ itself, publishes $u = g_0^x \cdot g_1^y$, and encrypts the challenge message as $c = h_0^x \cdot h_1^y \cdot m_b$. The reduction is as follows:
Case 1: DDH tuple $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^r)$
$$h_0^x \cdot h_1^y = g_0^{rx} \cdot g_1^{ry} = u^r = v$$
In this case the game between $D$ and $A$ is the same as $\mathrm{PubK}^{cpa}_{A,\Pi}$.
Case 2: Non-DDH tuple $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'})$
$$h_0^x \cdot h_1^y = g_0^{rx} \cdot g_1^{r'y}$$
is a uniformly random element (Claim 4). In this case the game is $\tilde{\Pi}$, and since $v$ is uniformly random the challenge ciphertext carries no information about $b$, so
$$\Pr\left[\mathrm{PubK}^{cpa}_{A,\tilde{\Pi}}(n) = 1\right] = \frac{1}{2} \quad (5)$$
From Equation 4 and Equation 5, we get
$$\left|\Pr[D(\text{DDH tuple}) = 1] - \Pr[D(\text{non-DDH tuple}) = 1]\right| > \frac{1}{p(n)}$$
This violates the DDH assumption. Therefore Π is CPA secure.

At this point, we can ask why ElGamal encryption cannot be reduced in a similar way to come up with a CCA secure encryption scheme. The problem with the ElGamal cryptosystem is that in the reduction the secret key is not with $D$, and so the decryption oracle service cannot be provided.
However, in the above scheme $D$ can provide the decryption oracle service as well, since the secret $(x, y)$ is chosen by $D$. But even then, the scheme is not CCA secure as it is malleable: $(h_0, h_1, 2c)$ is an encryption of $2m$.
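Scheme 1 and its malleability, as an added example (not code from the lecture). It assumes a toy group (p = 1019, q = 509, generators g0 = 4 and g1 = 9 of the order-q subgroup of quadratic residues) and messages taken from that subgroup; the scaling factor 4 plays the role of the "2" in the text because 2 is not a quadratic residue modulo 1019.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with q prime; g0 = 4 and g1 = 9 are generators of the order-q
# subgroup of quadratic residues, and messages are taken from that subgroup.
P, Q = 1019, 509
G0, G1 = 4, 9

def gen():
    x, y = secrets.randbelow(Q), secrets.randbelow(Q)
    u = pow(G0, x, P) * pow(G1, y, P) % P     # u = g0^x * g1^y
    return u, (x, y)

def enc(u: int, m: int, r=None):
    r = secrets.randbelow(Q) if r is None else r
    h0, h1 = pow(G0, r, P), pow(G1, r, P)     # (g0, g1, h0, h1) is a DDH tuple
    c = pow(u, r, P) * m % P                  # c = u^r * m = v * m
    return h0, h1, c

def dec(sk, ct):
    x, y = sk
    h0, h1, c = ct
    v = pow(h0, x, P) * pow(h1, y, P) % P     # v = h0^x * h1^y (receiver's way)
    return c * pow(v, -1, P) % P

def v_two_ways(u: int, sk, r: int):
    # Claim 3: the sender's u^r equals the receiver's h0^x * h1^y on a DDH tuple.
    x, y = sk
    sender_v = pow(u, r, P)
    receiver_v = pow(pow(G0, r, P), x, P) * pow(pow(G1, r, P), y, P) % P
    return sender_v, receiver_v

def maul(ct, factor: int):
    # Malleability that rules out CCA security: scaling c by a group element
    # scales the plaintext by the same factor, with no key material needed.
    h0, h1, c = ct
    return h0, h1, c * factor % P
```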
3.3 CCA1 security

We now analyse the CCA1 security of this scheme. Now the reduction is slightly modified as the adversary $A$ has decryption oracle access.
Claim 6 An unbounded adversary $A_u$ can learn $x, y$ and guess $b$ with probability 1 using just one decryption query.
Proof $A_u$ can compute the discrete logs of $u$ and $g_1$ to base $g_0$, say $R$ and $\alpha$:
$$u = g_0^R = g_0^x \cdot g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; x + \alpha y = R \quad (6)$$
$A_u$ needs another linearly independent equation in $x$ and $y$ to recover them. An illegal decryption query $(h_0 = g_0^r, h_1 = g_1^{r'}, c)$ can help:
$$c/m = v = g_0^{R'} = h_0^x \cdot h_1^y = g_0^{rx + r'\alpha y} \;\Rightarrow\; rx + r'\alpha y = R' \quad (7)$$
Note that in order for Equation 6 and Equation 7 to be linearly independent, $r' \ne r$.
Solving both, $A_u$ gets the secret key $(x, y)$. Therefore
$$\Pr\left[\mathrm{PubK}^{cca1}_{A_u,\tilde{\Pi}}(n) = 1\right] = 1$$
3.3.1 Towards CCA1 Security

The problem in the above scheme is that the adversary is able to make illegal decryption queries. In order to prevent that, a checking mechanism can be introduced in Dec so that illegal queries will be rejected with high probability.
Modify the CPA secure scheme to the following.

Scheme 2
Gen($1^n$):
  $(G, o, q, g_0, g_1)$
  Pick random $(x, y, x', y')$ from $\mathbb{Z}_q$
  Compute $u = g_0^x \cdot g_1^y$
  $e = g_0^{x'} \cdot g_1^{y'}$
  $pk = (G, o, q, g_0, g_1, u, e)$, $sk = (x, y, x', y')$
Enc$_{pk}(m)$:
  Pick random $r$ from $\mathbb{Z}_q$
  $h_0 = g_0^r$, $h_1 = g_1^r$
  $c = u^r \cdot m = v \cdot m$
  $f = e^r$
  Return $(h_0, h_1, c, f)$
Dec$_{sk=(x,y,x',y')}(h_0, h_1, c, f)$:
  Check $f = h_0^{x'} \cdot h_1^{y'}$ (reject otherwise)
  $v = h_0^x \cdot h_1^y$
  $m = c/v$

Claim 7 An unbounded adversary can compute the secret $(x, y)$ only with negligible probability and hence can only guess bit $b$ with probability no better than $\frac{1}{2} + \mathrm{negl}(n)$.
Proof
$A_u$ can compute the discrete logs of $u$, $e$ and $g_1$ to base $g_0$, say $R$, $S$ and $\alpha$.
$$u = g_0^R = g_0^x \cdot g_1^y = g_0^{x + \alpha y} \;\Rightarrow\; x + \alpha y = R \quad (8)$$
$$e = g_0^S = g_0^{x'} \cdot g_1^{y'} = g_0^{x' + \alpha y'} \;\Rightarrow\; x' + \alpha y' = S \quad (9)$$
This gives $A_u$ two linearly independent equations, but there are four unknowns $x, y, x', y'$.
If $A_u$ is able to guess the value of $f = h_0^{x'} \cdot h_1^{y'}$, the decryption query will pass the check and $A_u$ will get a decrypted message $m$. Then using $m$, another equation can be formed to solve for $x$ and $y$:
$$c/m = v = g_0^{R'} = h_0^x \cdot h_1^y = g_0^{rx + r'\alpha y} \;\Rightarrow\; rx + r'\alpha y = R' \quad (10)$$
Equation 8 and Equation 10 are linearly independent and can be solved to get $(x, y)$.
We therefore need to find the probability of $A_u$ guessing $f$.
• Probability of guessing $f$ in the first decryption query: since $x', y'$ are picked at random, $h_0^{x'} \cdot h_1^{y'}$ is uniformly random for $A_u$ given $(g_0, g_1, h_0 = g_0^r, h_1 = g_1^{r'}, e)$. Therefore
$$\Pr[A_u \text{ succeeds in first DQ}] = \frac{1}{|G|}$$
which is negligible.
• If the first query is rejected, $A_u$ can guess $f'$ with $f' \ne f$:
$$\Pr[A_u \text{ succeeds in second DQ}] = \frac{1}{|G| - 1}$$
• Similarly, $A_u$ can make polynomially many queries $t$:
$$\Pr[A_u \text{ succeeds in } t\text{th DQ}] = \frac{1}{|G| - t}$$
$$\Rightarrow\; \Pr[A_u \text{ succeeds in one of } t \text{ DQs}] = \frac{t}{|G| - t} = \mathrm{negl}(n)$$
$$\Rightarrow\; \Pr\left[\mathrm{PubK}^{cca1}_{A_u,\tilde{\Pi}}(n) = 1\right] \le \frac{1}{2} + \mathrm{negl}(n)$$
Therefore Scheme 2 is CCA1 secure.
3.4 Towards CCA Security

Claim 8 Scheme 2 is not CCA secure. Just one decryption query in the post-challenge phase is enough for an unbounded adversary to compute $(x, y)$ completely and guess bit $b$ with probability 1.
Proof
$A_u$ can compute the discrete logs of $u$, $e$ and $g_1$ to base $g_0$, say $R$, $S$ and $\alpha$. We therefore have Equation 8 and Equation 9.
Consider the case when $D$ received a non-DDH tuple $(g_0, g_1, h_0^* = g_0^r, h_1^* = g_1^{r'})$:
$$f^* = g_0^{S^*} = (h_0^*)^{x'} \cdot (h_1^*)^{y'} = g_0^{rx' + r'\alpha y'} \;\Rightarrow\; rx' + r'\alpha y' = S^* \quad (11)$$
Solving Equation 9 and Equation 11 gives $(x', y')$.
Now $A_u$ can make illegal decryption queries in the post-challenge phase and still pass the verification, get $m$, and discover $(x, y)$ as was done in the previous proof (Equation 10). Now $A_u$ has computed all the secret keys and hence Scheme 2 is not CCA secure.
We need to ensure $A_u$ cannot make illegal decryption queries even after seeing the challenge ciphertext. For that we first explore increasing the number of variables.
Scheme 3
Gen($1^n$):
  $(G, o, q, g_0, g_1)$
  Pick random $(x, y, x', y', x'', y'')$ from $\mathbb{Z}_q$
  Compute $u = g_0^x \cdot g_1^y$
  $e = g_0^{x'} \cdot g_1^{y'}$
  $k = g_0^{x''} \cdot g_1^{y''}$
  $pk = (G, o, q, g_0, g_1, u, e, k)$, $sk = (x, y, x', y', x'', y'')$
Enc$_{pk}(m)$:
  Pick random $r$ from $\mathbb{Z}_q$
  $h_0 = g_0^r$, $h_1 = g_1^r$
  $c = u^r \cdot m = v \cdot m$
  $f = e^r$
  $l = k^r$
  Return $(h_0, h_1, c, f, l)$
Dec$_{sk=(x,y,x',y',x'',y'')}(h_0, h_1, c, f, l)$:
  Check $f = h_0^{x'} \cdot h_1^{y'}$ and $l = h_0^{x''} \cdot h_1^{y''}$ (reject otherwise)
  $v = h_0^x \cdot h_1^y$
  $m = c/v$
Claim 9 Scheme 3 is not CCA-secure.
Proof
$A_u$ can compute the discrete logs of $u$, $e$, $k$ and $g_1$ to base $g_0$, say $R$, $S$, $T$ and $\alpha$. Along with Equation 8 and Equation 9, the adversary now gets another equation,
$$k = g_0^T = g_0^{x''} \cdot g_1^{y''} = g_0^{x'' + \alpha y''} \;\Rightarrow\; x'' + \alpha y'' = T \quad (12)$$
Consider the case when $D$ received a non-DDH tuple $(g_0, g_1, h_0^* = g_0^r, h_1^* = g_1^{r'})$. Equation 11 still holds, and from $l^*$ the equation below follows:
$$l^* = g_0^{T^*} = (h_0^*)^{x''} \cdot (h_1^*)^{y''} = g_0^{rx'' + r'\alpha y''} \;\Rightarrow\; rx'' + r'\alpha y'' = T^* \quad (13)$$
$A_u$ can now compute $(x'', y'')$ using the new equations Equation 12 and Equation 13. Thus adding a new variable this way did not provide any advantage.
It is easy to see that $A_u$ can now make an illegal post-challenge query that passes verification to get Equation 10, with which $(x, y)$ can be found.
Consider another scheme which is close to the final Cramer-Shoup cryptosystem but is still not CCA secure.
Scheme 4
Gen($1^n$):
  $(G, o, q, g_0, g_1)$
  Pick random $(x, y, x', y', x'', y'')$ from $\mathbb{Z}_q$
  Compute $u = g_0^x \cdot g_1^y$
  $e = g_0^{x'} \cdot g_1^{y'}$
  $k = g_0^{x''} \cdot g_1^{y''}$
  $pk = (G, o, q, g_0, g_1, u, e, k)$, $sk = (x, y, x', y', x'', y'')$
Enc$_{pk}(m)$:
  Pick random $r$ from $\mathbb{Z}_q$
  $h_0 = g_0^r$, $h_1 = g_1^r$
  $c = u^r \cdot m = v \cdot m$
  $f = e^r \cdot k^r$
  Return $(h_0, h_1, c, f)$
Dec$_{sk=(x,y,x',y',x'',y'')}(h_0, h_1, c, f)$:
  Check $f = h_0^{x' + x''} \cdot h_1^{y' + y''}$ (reject otherwise)
  $v = h_0^x \cdot h_1^y$
  $m = c/v$

The above scheme is very similar to Scheme 2, with $e$ replaced by $e \cdot k$, i.e. $x'$ by $x' + x''$ and $y'$ by $y' + y''$.

Claim 10 Scheme 4 is not CCA secure.
Proof Like in the previous cases, we have Equation 8, Equation 9 and Equation 12.
$$f^* = g_0^{S^*} = (h_0^*)^{x' + x''} \cdot (h_1^*)^{y' + y''} = g_0^{r(x' + x'') + r'\alpha(y' + y'')} \;\Rightarrow\; r(x' + x'') + r'\alpha(y' + y'') = S^* \quad (14)$$
From Equation 9, Equation 12 and Equation 14, $A_u$ can compute $(x' + x'')$ and $(y' + y'')$, which is enough to make an illegal decryption query in the post-challenge phase.
We can now use the insights obtained from these schemes to arrive at the Cramer-Shoup cryptosystem.
3.5 Cramer-Shoup Cryptosystem

Cramer-Shoup Scheme
Gen($1^n$):
  $(G, o, q, g_0, g_1)$
  Pick random $(x, y, x', y', x'', y'')$ from $\mathbb{Z}_q$
  Compute $u = g_0^x \cdot g_1^y$
  $e = g_0^{x'} \cdot g_1^{y'}$
  $k = g_0^{x''} \cdot g_1^{y''}$
  $pk = (G, o, q, g_0, g_1, u, e, k, H)$, $sk = (x, y, x', y', x'', y'')$
Enc$_{pk}(m)$:
  Pick random $r$ from $\mathbb{Z}_q$
  $h_0 = g_0^r$, $h_1 = g_1^r$
  $c = u^r \cdot m = v \cdot m$
  $\beta = H(h_0, h_1, c)$
  $f = e^r \cdot k^{\beta r}$
  Return $(h_0, h_1, c, f)$
Dec$_{sk=(x,y,x',y',x'',y'')}(h_0, h_1, c, f)$:
  $\beta = H(h_0, h_1, c)$
  Check $f = h_0^{x' + \beta x''} \cdot h_1^{y' + \beta y''}$ (reject otherwise)
  $v = h_0^x \cdot h_1^y$
  $m = c/v$
First we will see why the previous argument doesn't hold anymore. Equation 14 changes to
$$f^* = g_0^{S^*} = (h_0^*)^{x' + \beta x''} \cdot (h_1^*)^{y' + \beta y''} = g_0^{r(x' + \beta x'') + r'\alpha(y' + \beta y'')} \;\Rightarrow\; r(x' + \beta x'') + r'\alpha(y' + \beta y'') = S^* \quad (15)$$
$A_u$ can still compute $(x' + \beta x'')$ and $(y' + \beta y'')$. But now we have added a dependency on the ciphertext $c$ into the checking mechanism. So in order to make an illegal post-challenge decryption query, $A_u$ must find a collision for $H$, that is, $(h_0', h_1', c')$ such that $\beta = H(h_0', h_1', c')$.

Theorem 11 If DDH is hard and $H$ is a collision resistant hash function, then Π (the Cramer-Shoup scheme) is a CCA-secure scheme.
Proof Let $(h_0^*, h_1^*, c^*, f^*)$ be the challenge ciphertext and consider a post-challenge decryption query $(h_0, h_1, c, f)$.
Case 1: $(h_0, h_1, c) = (h_0^*, h_1^*, c^*)$ and $f \ne f^*$. In this case $D$ will reject.
Case 2: $(h_0, h_1, c) \ne (h_0^*, h_1^*, c^*)$ and $f = f^*$, i.e., $H(h_0, h_1, c) = H(h_0^*, h_1^*, c^*)$. This can happen only with negligible probability since $H$ is assumed to be collision resistant.
Case 3: $H(h_0, h_1, c) \ne H(h_0^*, h_1^*, c^*)$. There is a small chance that this ciphertext is a valid one. This can happen with probability at most $1/|G|$. This is because there are four variables $x', y', x'', y''$ but only three equations can be obtained from $e$, $k$ and $c$. The only way is to pick randomly from the group, the probability of which succeeding is negligible.
This reduction ensures that if there is an adversary $A$ that can break the CCA security of the Cramer-Shoup scheme with significant probability, then $D$ will break the DDH assumption.
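The Cramer-Shoup scheme of Section 3.5 with its consistency check, as an added example (not code from the lecture or from Cramer and Shoup). It assumes a toy group (p = 1019, q = 509, generators g0 = 4 and g1 = 9 of the order-q subgroup) and SHA-256 reduced modulo q as the collision resistant H; the r_prime parameter of enc is a testing hook that builds the non-DDH (illegal) ciphertexts discussed in Sections 3.3 and 3.4 so that their rejection can be observed.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with q prime; g0, g1 generate the order-q subgroup of quadratic residues.
P, Q = 1019, 509
G0, G1 = 4, 9

def H(h0: int, h1: int, c: int) -> int:
    # beta = H(h0, h1, c) in Z_q; collision resistance is assumed from SHA-256.
    data = b"".join(v.to_bytes(2, "big") for v in (h0, h1, c))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def gen(sk=None):
    # sk = (x, y, x', y', x'', y''); a fixed sk may be passed for reproducible runs.
    x, y, x1, y1, x2, y2 = sk or tuple(secrets.randbelow(Q) for _ in range(6))
    u = pow(G0, x, P) * pow(G1, y, P) % P
    e = pow(G0, x1, P) * pow(G1, y1, P) % P
    k = pow(G0, x2, P) * pow(G1, y2, P) % P
    return (u, e, k), (x, y, x1, y1, x2, y2)

def enc(pk, m: int, r=None, r_prime=None):
    # r_prime != r deliberately builds a non-DDH (illegal) ciphertext so the
    # consistency check can be exercised; a legitimate sender never sets it.
    u, e, k = pk
    r = secrets.randbelow(Q) if r is None else r
    r_prime = r if r_prime is None else r_prime
    h0, h1 = pow(G0, r, P), pow(G1, r_prime, P)
    c = pow(u, r, P) * m % P                        # c = u^r * m
    beta = H(h0, h1, c)
    f = pow(e, r, P) * pow(k, beta * r, P) % P      # f = e^r * k^{beta r}
    return h0, h1, c, f

def dec(sk, ct):
    x, y, x1, y1, x2, y2 = sk
    h0, h1, c, f = ct
    beta = H(h0, h1, c)
    # Check f = h0^{x' + beta x''} * h1^{y' + beta y''}; reject otherwise.
    expected = (pow(h0, (x1 + beta * x2) % Q, P)
                * pow(h1, (y1 + beta * y2) % Q, P) % P)
    if expected != f:
        return None
    v = pow(h0, x, P) * pow(h1, y, P) % P           # v = h0^x * h1^y
    return c * pow(v, -1, P) % P
```

A legitimate ciphertext decrypts; the Scheme 1 mauling (h0, h1, 4c, f) now changes beta and fails the check, and a query with r' != r passes only when y' + beta y'' = 0 mod q, the 1/|G| chance from Case 3 of Theorem 11.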