
SECURITY AND VERIFICATION
Lecture 3: What kind of attacks are there? - Chosen Ciphertexts Attacks
Tamara Rezk
INDES TEAM, INRIA
January 17th, 2012
Plan
• Lecture 1: Chosen Plaintext Attacks (CPA assumption)
  • CPA schemes: ElGamal, Paillier
• Lecture 2: Game-based proofs
  • CPA proof: ElGamal
• Today:
  • CPA proof: Paillier
  • Limits on provable cryptography
  • Chosen Ciphertext Attacks (CCA assumption)
  • CCA1 proof: using proof of knowledge, zero knowledge (PKZK)
  • From interactive to non-interactive PKZK
  • CCA2
  • an example of a CCA2 scheme
Observational Equivalence
P0 and P1 are observationally equivalent with respect to
variable x, denoted P0 ≈{x} P1, if
Pr[P0; x = v] = Pr[P1; x = v] for all v
P0 and P1 are observationally equivalent with respect to
variables x1..xn, denoted P0 ≈{x1..xn} P1, if
Pr[P0; x1 = v1 ∧ … ∧ xn = vn] = Pr[P1; x1 = v1 ∧ … ∧ xn = vn]
for all v1…vn
Game-based proofs
How to prove cryptography?
G0 → G1 → G2 → … → Gn
For each arrow Gi → Gi+1 we have that either:
Pr[Gi; g = b] ≤ Pr[Gi+1; g = b]
or
Gi ≈{g} Gi+1
PAILLIER ENCRYPTION
Assume that generateN() is a probabilistic function that generates two primes p, q with
the property that gcd(p*q, φ(p*q)) = 1, and an element g of the multiplicative group
Z*_{n²} (the units among {1 … n²-1}) whose order is a multiple of n, for example
g = n + 1 (Z*_{n²} is not cyclic for n = p*q, so g cannot be a generator of the whole group).
Then Paillier encryption is defined by:
G() =
p,q,g := generateN(); n := p * q;
ke := (n, g); kd := (p,q)
Assume x is in {1…n-1}
E(x, (n,g)) = y := {1.. n-1}; c := y^n * g^x mod n²
(y must be coprime to n, which a random y is except with negligible probability)
D(c, (p,q)) = x := L(c^λ mod n²) * L(g^λ mod n²)^(-1) mod n
where λ := lcm(p-1, q-1) and L(u) := (u-1)/n (the standard Paillier decryption; it needs p and q)
PROVABLE CRYPTOGRAPHY
Decisional (Composite) Residuosity Assumption (DRA)
CR(x0, x1) = if (b = 0)
then {y := {1..n-1}; c := y^n mod n²}      (c is a random n-th residue modulo n²)
else {c := {1.. n²-1}}                       (c is a random element modulo n²)
DRA = b := {0,1};
p,q,g := generateN(); n := p * q;
B[CR]
| Pr[DRA; g' = b] - ½ | is negligible in ɳ (ɳ is called the security parameter: the order of
the group, i.e. n²-1). Attacker B does not have p or q.
PROVABLE CRYPTOGRAPHY
Chosen-plaintext attack (CPA)
E(x0, x1) = if (b = 0)
then {c := E(x0, ke)}
else {c := E(x1, ke)};
CPA = b := {0,1};
ke, kd := G(); A[E]
| Pr[CPA; g = b] - ½ | is negligible in ɳ (ɳ is called the security parameter)
Theorem
The Paillier encryption scheme is resistant to
Chosen Plaintext Attacks
E(x0, x1) = if (b = 0)
then {c := E(x0, ke)}
else {c := E(x1, ke)};
CPApaillier = b := {0,1};
ke, kd := G(); A[E]
PROOF OF CPA OF PAILLIER
GAME 0: CPApaillier as above (the Paillier G and E are still called, not inlined)
step 1: INLINE
E(x0, x1) = if (b = 0)
then {y := {1.. n-1}; c := y^n * g^x0 mod n²}
else {y := {1.. n-1}; c := y^n * g^x1 mod n²}
CPApaillier1 = b := {0,1};
p,q,g := generateN(); n := p * q;
ke := (n, g); kd := (p,q);
A[E]
CPApaillier ≈{g} CPApaillier1
step 2: DEADCODE
(kd is never read after it is assigned, so the assignment can be dropped)
E(x0, x1) = if (b = 0)
then {y := {1.. n-1}; c := y^n * g^x0 mod n²}
else {y := {1.. n-1}; c := y^n * g^x1 mod n²}
CPApaillier2 = b := {0,1};
p,q,g := generateN(); n := p * q;
ke := (n, g); A[E]
CPApaillier1 ≈{g} CPApaillier2
step 3: INLINE A into a DRA attacker B
CR(x0, x1) = if (b = 0)
then {y := {1..n-1}; c := y^n mod n²}
else {c := {1.. n²-1}}
DRA = b := {0,1};
p,q,g := generateN(); n := p * q; B[CR]
B = ke := (n, g);
A[CR; c := c * g^x0 mod n²]; g0 := g (A's guess in the first run);
A[CR; c := c * g^x1 mod n²]; g1 := g (A's guess in the second run);
if (g0 = 0 OR g1 = 1) then g' := 0 else g' := 1
When b = 0, c is a random n-th residue y^n, so c * g^x0 mod n² is exactly a Paillier encryption of x0
and the first run of A is CPApaillier2 with b = 0; likewise the second run is CPApaillier2 with b = 1.
When b = 1, c is uniform modulo n², so c * g^x is uniform whatever x is, and A sees nothing that
depends on the plaintext.
Calculating probabilities
Pr[DRA; g' = 0 and b = 0] = ½ Pr[g0 = 0 OR g1 = 1 | b = 0]
≥ ½ · ½ (Pr[CPApaillier2; g = 0 | b = 0] + Pr[CPApaillier2; g = 1 | b = 1])
= ½ Pr[CPApaillier2; g = b]
(the event "g0 = 0 OR g1 = 1" contains each of the two events, so its probability is at least their average)
½ Pr[CPApaillier2; g = b] ≤ Pr[DRA; g' = 0 and b = 0] ≤ Pr[DRA; g' = b]
and | Pr[DRA; g' = b] - ½ | is negligible by the DRA.
We have proved Paillier to be CPA.
Then is Paillier encryption secure?
NO
A property of Paillier encryptions:
Recall the definition: generateN() is a probabilistic function that generates two primes p, q with
the property that gcd(p*q, φ(p*q)) = 1 and an element g of Z*_{n²} whose order is a multiple of n.
Then Paillier encryption is defined by:
G() = p,q,g := generateN(); n := p * q; ke := (n, g); kd := (p,q)
Assume x is in {1…n-1}
E(x, (n,g)) = y := {1.. n-1}; c := y^n * g^x mod n²
Multiplying two ciphertexts modulo n² adds their plaintexts (Paillier is additively homomorphic):
E(x0, (n,g)) * E(x1, (n,g)) =
(y0^n * g^x0) * (y1^n * g^x1) mod n² =
y0^n * y1^n * g^x0 * g^x1 mod n² =
(y0 * y1)^n * g^(x0 + x1) mod n² =
E(x0 + x1 mod n, (n,g))   (with randomness y0 * y1 mod n)
An attack on Paillier encryption (the adversary also gets a decryption oracle that refuses
only the challenge ciphertext itself):
E(x0, x1) = if (b = 0)
then {y := {1.. n-1}; c := y^n * g^x0 mod n²}
else {y := {1.. n-1}; c := y^n * g^x1 mod n²};
log := log + c
D(m) = if (m ∈ log)
then {x := 0}
else {x := D(m, kd)};
GamePaillier = b := {0,1}; p,q,g := generateN();
n := p * q; ke := (n, g); kd := (p,q); log := nil; A[E, D]
A[E, D] = x0 := 1; x1 := 2; E; m := c * c mod n²; D;
if (x = 2) then g := 0 else g := 1
By the homomorphic property, c * c mod n² is a fresh encryption of 2 * x_b. It is not in log, so the
oracle decrypts it: x = 2 when b = 0 and x = 4 when b = 1, and A guesses b with probability 1.
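The scheme, the homomorphic identity and the attack above, as an added worked example (this is not code from the lecture; it assumes the standard choice g = n + 1, the standard decryption via λ = lcm(p-1, q-1), and two small fixed primes chosen only so the demo runs instantly):

```python
import math
import secrets

# Toy Paillier parameters. Assumption: two small fixed primes so the example runs
# instantly; real moduli are 2048+ bits. gcd(n, phi(n)) = 1 holds for this pair.
P, Q = 1000003, 999983
N = P * Q
N2 = N * N
G = N + 1                                            # standard g: its order in Z*_{n^2} is n
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # lambda(n) = lcm(p-1, q-1), from kd = (p, q)


def L(u):
    """The Paillier L function, L(u) = (u - 1) / n, defined on u = 1 mod n."""
    return (u - 1) // N


MU = pow(L(pow(G, LAM, N2)), -1, N)                  # decryption constant from the private key


def encrypt(x, y=None):
    """E(x, (n, g)) = y^n * g^x mod n^2 with fresh random y in {1 .. n-1} coprime to n."""
    assert 0 <= x < N
    while y is None or math.gcd(y, N) != 1:
        y = secrets.randbelow(N - 1) + 1
    return pow(y, N, N2) * pow(G, x, N2) % N2


def decrypt(c):
    """D(c, kd): x = L(c^lambda mod n^2) * mu mod n."""
    return L(pow(c, LAM, N2)) * MU % N


def homomorphic_sum(c0, c1):
    """E(x0) * E(x1) mod n^2 is an encryption of x0 + x1 mod n (the derivation on the slide)."""
    return c0 * c1 % N2


def cca2_attack(challenge, decrypt_oracle):
    """A[E, D] from the slide: x0 = 1, x1 = 2 were submitted and challenge = E(x_b).
    Squaring the challenge gives a fresh ciphertext of 2 * x_b, which the oracle
    decrypts because it is not the logged challenge."""
    m = challenge * challenge % N2
    x = decrypt_oracle(m)                            # 2 if b = 0, 4 if b = 1
    return 0 if x == 2 else 1


def run_cca2_game(b):
    """GamePaillier with a decryption oracle that refuses only logged challenges.
    Returns the adversary's guess g; the attack makes g == b every time."""
    log = set()
    x0, x1 = 1, 2
    challenge = encrypt(x0 if b == 0 else x1)
    log.add(challenge)

    def oracle(m):
        return 0 if m in log else decrypt(m)

    return cca2_attack(challenge, oracle)


if __name__ == "__main__":
    print("decrypt(encrypt(42)) =", decrypt(encrypt(42)))
    print("decrypt(E(5) * E(7)) =", decrypt(homomorphic_sum(encrypt(5), encrypt(7))))
    for b in (0, 1):
        print(f"b = {b}: adversary guesses {run_cca2_game(b)}")
```

The oracle's refusal of the logged challenge is no obstacle: c * c mod n² is a different ciphertext, and nothing in the scheme lets the decryptor notice that it was derived from the challenge. That is exactly the check (ciphertext integrity) that the CCA2-secure scheme at the end of the lecture adds.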
We have proved Paillier to be CPA.
This is only one kind of attack. Paillier is secure against an
adversary with the power of making chosen plaintext
attacks (usually the weakest kind of attack considered),
but not against all possible attacks: for example, it is not
secure against chosen ciphertext attacks.
Important: provable cryptography only guarantees that
no partial information is revealed for a given class of
attack. It does not imply total security.
Another Look at Provable
Cryptography
"the treatment of hashed ElGamal encryption in is in
some sense a remarkable achievement … so
successful in turning something that should be
interesting and accessible to everyone into
something lengthy, unreadable, and boring."
Neal Koblitz
Another Look at ElGamal …
• A security theorem is conditional in a strong sense — it assumes the
intractability of some mathematical problem…
• Often the intractability assumption is made for a complicated and contrived
problem that has never been carefully studied. In fact, in some cases the
problem is trivially equivalent to the cryptanalysis problem for the protocol
whose security is being "proved," and the "proof" is essentially circular.
• Certain attacks — especially side-channel attacks — are very hard to model,
and the models that have been proposed are woefully inadequate. The
problem is that the adversary is always coming up with ingenious new
methods to compromise the security of a cryptographic system.
• and more
Neal Koblitz
Chosen Ciphertext Attacks (CCA)
• CCA are strong forms of active attacks
• We will see two types of them: a priori CCA (CCA1, decryption queries only
  before the challenge) and a posteriori CCA (CCA2, decryption queries also after it)
• In both, the adversary has access to decryption requests
• CAVEAT: some authors use CCA to mean CCA2
Chosen-ciphertext attack 1 (CCA1)
E = if (b = 0)
then {m := E(x0, ke)}
else {m := E(x1, ke)};
D = x := D(m, kd);
CCA1 = b := {0,1};
ke, kd := G(); A[D]; E; A'
(A may query D only before the challenge E; A' continues with A's state and outputs the guess g)
Example: A CCA1 scheme
• We will define a CCA1 scheme < G', E', D' >
• It is based on a CPA scheme < G, E, D >
• It is based on a non-interactive ZK scheme (P, V, R, S)
Proof of Knowledge Zero
Knowledge
• a prover gives a proof of some secret that he knows
• but without revealing the secret!
Example: If x in Zq is the secret, the prover can exhibit
witnesses based on g^x, showing that he knows x
(a concrete protocol later)
Proof of Knowledge Zero
Knowledge: properties
ZK schemes have to satisfy:
• Soundness: the verification procedure cannot
"accept" a false statement, except with negligible
probability
• Completeness: if a statement is true then the verifier
"accepts" it, except with negligible probability
• Zero-Knowledge: the adversary cannot learn the
secret (nor anything beyond the truth of the statement) by using the scheme!
Proof Systems Schemes for ZK
A proof of knowledge zero knowledge scheme is a tuple
(P, V, R, S)
• P (prover) is a probabilistic program that takes as inputs
a secret s and a witness w, and outputs a proof p in D
• V (verifier) is a probabilistic program that takes a witness
and a proof and outputs zero or one
• R is an NP relation that depends on the secret s
• S is a simulator, a probabilistic program that outputs a
"proof" in D without using the secret s.
(In the terminology of these slides w is the public value, e.g. g^x, and s the secret, e.g. x;
we do not include here the algorithm for "extraction")
Zero Knowledge
(indistinguishability)
O = if (b = 0)
then {p := P(s, w)}
else {p := S(w)};
ZK = b := {0,1};
A[O]
Example: A CCA1 scheme
(Naor-Yung)
G'() =
k0e, k0d := G(); k1e, k1d := G()
E'(x, (k0e, k1e)) =
e0 := E(x, k0e); e1 := E(x, k1e);
p := P(e0, e1, x); c := (e0, e1, p)
(p proves that e0 and e1 encrypt the same plaintext; the prover's secret is x together with
the randomness used by the two encryptions)
D'((e0, e1, p), (k0d, k1d)) =
if V(e0, e1, p) = true then x := D(e1, k1d)
Proof of CCA1 of Naor-Yung
scheme
Theorem
The Naor-Yung encryption scheme is resistant to
Chosen Ciphertext Attacks version 1 (CCA1)
E = if (b = 0)
then {m := E'(x0, ke)}
else {m := E'(x1, ke)};
D = x := D'(m, kd);
CCA1 = b := {0,1};
ke, kd := G'(); A[D]; E; A'
Inline
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0)
then {e0 := E_r0(x0, k0e); e1 := E_r1(x0, k1e);
p := P(e0, e1, x0, r0, r1); c := (e0, e1, p)}
else {
e0 := E_r0'(x1, k0e); e1 := E_r1'(x1, k1e);
p := P(e0, e1, x1, r0', r1'); c := (e0, e1, p)
};
CCA1-1 = b := {0,1};
k0e, k0d := G();
k1e, k1d := G();
A[D]; E; A'
CCA1 ≈{g} CCA1-1
(E_r denotes E run with explicit randomness r, which the prover needs as part of its secret)
Zero knowledge
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0)
then {e0 := E(x0, k0e); e1 := E(x0, k1e);
p := S(e0, e1); c := (e0, e1, p)}
else {
e0 := E(x1, k0e); e1 := E(x1, k1e);
p := S(e0, e1); c := (e0, e1, p)
};
CCA1-2 = b := {0,1};
k0e, k0d := G();
k1e, k1d := G();
A[D]; E; A'
CCA1-1 ≈{g} CCA1-2, up to the negligible ZK advantage: the simulated proof S(e0, e1) is
indistinguishable from P's, and the explicit randomness r0, r1 is no longer needed.
Code motion
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0)
then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
else {e0 := E(x1, k0e); e1 := E(x1, k1e)};
CCA1-3 = b := {0,1};
k0e, k0d := G();
k1e, k1d := G();
A[D]; E; p := S(e0, e1); c := (e0, e1, p); A'
CCA1-2 ≈{g} CCA1-3
(the simulator does not depend on b, so the proof can be computed after E)
Inline B
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0)
then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
else {e0 := E(x1, k0e); e1 := E(x1, k1e)};
CCA1-4 = b := {0,1};
k0e, k0d := G();
B
B = k1e, k1d := G();
A[D]; E; p := S(e0, e1); c := (e0, e1, p); A'
CCA1-3 ≈{g} CCA1-4
(B is just the rest of the game, packaged as a program that holds k1d but never sees k0d)
A CPA attacker
D = if V(e0, e1, p) = true then x := D(e1, k1d)
E = if (b = 0)
then {e0 := E(x0, k0e); e1 := E(x0, k1e)}
else {e0 := E(x1, k0e); e1 := E(x1, k1e)};
E' = if (b = 0)
then {e0 := E(x0, k0e)}
else {e0 := E(x1, k0e)};
CPA = b := {0,1};
k0e, k0d := G();
B
B = k1e, k1d := G(); A[D]; E'; e1 := E(x0, k1e);
p := S(e0, e1); c := (e0, e1, p); if V(e0, e1, p) = true
then A' else g := 1
B is a chosen-plaintext attacker against k0e: it can answer A's decryption queries itself,
because D only uses k1d and B generated that key; its single call to E' yields e0, the
encryption of x_b under k0e, which it completes with its own e1 and a simulated proof.
Pr[CCA1-4; g = b] =
Pr[CCA1-4; g = 0 and b = 0] +
Pr[CCA1-4; g = 1 and b = 1] =
½ Pr[CPA; g = b] + ½
and | Pr[CPA; g = b] - ½ | is negligible because < G, E, D > is CPA.
A simple ZK protocol
There is a secret x that the prover wants to prove that he knows
The NP relation that depends on x is "log_g z = x and log_h z' = x", i.e. z = g^x and z' = h^x,
where g and h generate a group of prime order q (the slide writes it as {1…q-1}), so
exponents are computed modulo q
The protocol for generating a proof is P0; V0; P1 and to verify is V1, where:
P0(g, h) =
w := {1…q-1}
la, lb := g^w, h^w
V0(la, lb) =
lc := {1…q-1};
P1(w, x, lc) =
p := w + x * lc mod q
V1(p, la, lb, g^x, h^x) =
if (g^p = la * (g^x)^lc and h^p = lb * (h^x)^lc) then true else false
A simple ZK protocol
Exercise: Assume that lc := {1…q-1} is chosen in advance and is a parameter of P0.
Show that in the protocol where the proof is generated by P0; P1 and verified by V1 the
prover can cheat (he can "prove" he knows x without knowing it)
P0(g, h, lc) =
w := {1…q-1}
la, lb := g^w, h^w
P1(w, x, lc) =
p := w + x * lc mod q
V1(p, la, lb, g^x, h^x) =
if (g^p = la * (g^x)^lc and h^p = lb * (h^x)^lc) then true else false
(Hint: once lc is known, a prover can choose p first and solve the two checks for la and lb.
This is also how the simulator S of the proof system works.)
From interactive to non-interactive
A simple ZK protocol
There is a secret x that the prover wants to prove that he knows
The NP relation that depends on x is "log_g z = x and log_h z' = x", where g and
h generate a group of prime order q
The verifier's random challenge is replaced by a hash of the prover's commitment (the Fiat-Shamir
transformation), so the proof is a single message.
The protocol for generating a proof is P and to verify is V, where:
P(g, h, x) =
w := {1…q-1}
a, b := g^w, h^w
lc := H(a || b);
p := w + x * lc mod q
V(p, lc, g^x, h^x) =
a, b := g^p * (g^x)^(-lc), h^p * (h^x)^(-lc)
if (H(a || b) = lc) then true else false
(the verifier recovers exactly the a, b for which the interactive checks g^p = a * (g^x)^lc and
h^p = b * (h^x)^lc hold, then confirms that the challenge was derived from them)
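The interactive protocol, the cheating prover of the exercise and the Fiat-Shamir version, as an added example (this is not the lecture's code). Assumptions: a toy group of prime order q = 1019 inside Z*_2039 with g = 4 and h = 9; SHA-256 as H; and the statement (z, z') hashed together with (a, b), which the slide does not do but which is the standard hardening of Fiat-Shamir:

```python
import hashlib
import secrets

# Group parameters (assumption, for the demo): p = 2q + 1 with q prime, so the
# squares modulo p form a subgroup of prime order q. g = 2^2 and h = 3^2 are two
# elements of that subgroup; exponents are therefore reduced modulo q.
P_MOD = 2039
Q_ORD = 1019
g, h = 4, 9


def rand_exp():
    """Uniform element of {1 .. q-1}, as the slide's w, lc and x."""
    return secrets.randbelow(Q_ORD - 1) + 1


def statement(x):
    """The public values (z, z') = (g^x, h^x); the relation is log_g z = log_h z' = x."""
    return pow(g, x, P_MOD), pow(h, x, P_MOD)


# --- interactive protocol: P0; V0; P1; V1 ---

def P0():
    w = rand_exp()
    return w, pow(g, w, P_MOD), pow(h, w, P_MOD)        # (w, la, lb)


def V0():
    return rand_exp()                                    # the challenge lc


def P1(w, x, lc):
    return (w + x * lc) % Q_ORD                           # the response p


def V1(p, la, lb, z, zp, lc):
    ok_g = pow(g, p, P_MOD) == la * pow(z, lc, P_MOD) % P_MOD
    ok_h = pow(h, p, P_MOD) == lb * pow(zp, lc, P_MOD) % P_MOD
    return ok_g and ok_h


def interactive_proof(x, z, zp):
    """One honest run of P0; V0; P1; V1 for secret x and statement (z, z')."""
    w, la, lb = P0()
    lc = V0()
    return V1(P1(w, x, lc), la, lb, z, zp, lc)


def cheat_with_known_challenge(z, zp, lc):
    """The exercise: if lc is known before committing, pick p first and solve
    la = g^p / z^lc, lb = h^p / z'^lc. V1 accepts although x was never used.
    This is exactly the simulator S of the proof system."""
    p = rand_exp()
    la = pow(g, p, P_MOD) * pow(z, -lc, P_MOD) % P_MOD
    lb = pow(h, p, P_MOD) * pow(zp, -lc, P_MOD) % P_MOD
    return p, la, lb


# --- non-interactive version (Fiat-Shamir): lc := H(...) ---

def H(*values):
    # Assumption: SHA-256 over the decimal encodings, used as a 256-bit integer.
    # The slide hashes only a || b; the statement (z, z') is included here too, so a
    # proof cannot be replayed for a different statement.
    data = "|".join(str(v) for v in values).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ni_prove(x, z, zp):
    w = rand_exp()
    a, b = pow(g, w, P_MOD), pow(h, w, P_MOD)
    lc = H(z, zp, a, b)
    return lc, (w + x * lc) % Q_ORD


def ni_verify(z, zp, lc, p):
    a = pow(g, p, P_MOD) * pow(z, -lc, P_MOD) % P_MOD     # a = g^p / z^lc
    b = pow(h, p, P_MOD) * pow(zp, -lc, P_MOD) % P_MOD    # b = h^p / z'^lc
    return H(z, zp, a, b) == lc
```

The order of messages is what makes the interactive protocol sound: the commitment (la, lb) is fixed before lc is known. Fiat-Shamir keeps that order by deriving lc from the commitment, so the cheating strategy of the exercise no longer applies unless the prover can invert H.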
Chosen-ciphertext attack 2 (CCA2)
E = if (b = 0)
then {m := E(x0, ke)}
else {m := E(x1, ke)};
log := log + m
D = if (m ∈ log)
then {x := 0}
else {x := D(m, kd)};
CCA2 = b := {0,1};
log := nil;
ke, kd := G(); A[E, D]
(here m is the challenge ciphertext; A may query D before and after E, on anything except the challenge itself)
Example of CCA2 scheme:
RSA-OAEP (in the PKCS #1 standard)
Let
H : {0,1}^l → {0,1}^(p-l)
G : {0,1}^(p-l) → {0,1}^l
be two hash functions (modelled as random oracles); messages m have p-l bits, r has l bits,
⊕ is XOR and || is concatenation
RSA-OAEP-ENC(m, ke) =
r := {0,1}^l;
s := H(r) ⊕ m;
t := G(s) ⊕ r;
c := rsa-enc(s || t, ke)
RSA-OAEP-DEC(c, kd) =
(s, t) := rsa-dec(c, kd);
r := t ⊕ G(s);
m := s ⊕ H(r)
In the standard, m is first extended with a fixed block of zero bits; decryption checks that block
and rejects the ciphertext if it is wrong. That rejection is what defeats the malleability attack seen
for Paillier: an attacker who alters c cannot make the check pass, so the decryption oracle gives
nothing away. (The CCA2 proof for RSA-OAEP holds in the random oracle model, and an implementation
must keep the rejection path free of timing or error-message differences, which otherwise leak.)
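RSA-OAEP as an added example, not code from the lecture or from PKCS #1: it assumes a toy 216-bit RSA modulus built from two Mersenne primes, SHA-256-based mask generators standing in for H and G, and an 8-byte zero redundancy block after m that decryption checks (the slide omits it). The malleate function reuses the Paillier attack idea against RSA, to show that the check rejects the altered ciphertext instead of handing back a related plaintext.

```python
import hashlib
import secrets

# Toy RSA key. Assumption: two Mersenne primes chosen only because they are easy to
# write down; real keys are 2048+ bits. e = 65537 is coprime to (p-1)(q-1) here.
P_RSA = (1 << 127) - 1
Q_RSA = (1 << 89) - 1
N = P_RSA * Q_RSA                       # 216-bit modulus
E = 65537
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))

BLOCK = 26      # bytes of s || t (the slide's p bits); 208 bits < 216, so s || t < N
L = 8           # bytes of randomness r (the slide's l)
K1 = 8          # zero bytes of redundancy appended to m and checked on decryption
MSG = BLOCK - L - K1                    # 10 message bytes


def mgf(seed, length):
    """Mask generation from SHA-256 plus a counter (MGF1-style); stands in for the random oracles."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def H(r):                 # H : {0,1}^l -> {0,1}^(p-l)
    return mgf(b"H" + r, BLOCK - L)


def G(s):                 # G : {0,1}^(p-l) -> {0,1}^l
    return mgf(b"G" + s, L)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encrypt(m):
    """RSA-OAEP-ENC from the slide, with m || 0^k1 in place of the bare m."""
    assert len(m) == MSG
    r = secrets.token_bytes(L)
    s = xor(H(r), m + bytes(K1))
    t = xor(G(s), r)
    x = int.from_bytes(s + t, "big")
    return pow(x, E, N)


def oaep_decrypt(c):
    """RSA-OAEP-DEC; returns None (reject) unless the RSA output fits in p bits and the
    k1 redundancy bytes are all zero. A partially unmasked value is never returned."""
    x = pow(c, D, N)
    if x >> (8 * BLOCK):                # does not fit in p bits: reject
        return None
    st = x.to_bytes(BLOCK, "big")
    s, t = st[:BLOCK - L], st[BLOCK - L:]
    r = xor(t, G(s))
    padded = xor(s, H(r))
    if padded[MSG:] != bytes(K1):       # redundancy check; real code does this in constant time
        return None
    return padded[:MSG]


def malleate(c):
    """The Paillier-style attack applied to RSA: c * 2^e mod N decrypts to 2x mod N under
    textbook RSA. With OAEP the doubled block fails the checks, so the oracle rejects it."""
    return c * pow(2, E, N) % N
```

Compare with the Paillier game: there, c * c was accepted and decrypted to 2 * x_b. Here the homomorphic image c * 2^e is rejected, and so is any other modification, because the unmasking spreads a one-bit change over the whole block and the zero redundancy survives only for the untouched ciphertext.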
READING
Slides, Notes, Bibliography
Slides and exercises:
www-sop.inria.fr/members/Tamara.Rezk/teaching
• Public-key Cryptosystems Provably Secure against
Chosen Ciphertext Attacks – Naor, Yung
• Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen
Ciphertext Attack – Rackoff, Simon
• Another Look at "Provable Security" –
Koblitz, Menezes http://anotherlook.ca/
• Code-based Game-Playing Proofs and the
Security of Triple Encryption – Bellare, Rogaway