G22.3220-001/G63.2180 Advanced Cryptography
11/18/09
Lecture 11
Lecturer: Yevgeniy Dodis
Scribe: Daniel Wichs
Summary: In this lecture, we introduce Designated Verifier NIZKs and Hash Proof Systems [CS02]. We then use these to construct efficient CCA secure schemes without Random
Oracles. By instantiating an appropriate Hash Proof System, we get the Cramer-Shoup
[CS98] encryption scheme based on the DDH assumption.
1 Designated Verifier NIZKs
Last Time: Simulation Sound NIZKS & Connection to CCA Security. Last time
we introduced Simulation-Sound NIZKs, and constructed a 1-Time Simulation Sound NIZK
(1-SS NIZK). We then showed how to get CCA secure encryption from CPA encryption and
NIZKs in one of two ways: using standard NIZK and n copies of a CPA encryption scheme
([DDN00]) or using 1-SS NIZK and 2 copies of a CPA encryption scheme ([NY90]). Since
our general NIZK constructions were not very efficient, neither are the resulting CCA-secure
encryption schemes.
Recall the Naor-Yung construction: to encrypt a message $m$ compute
$$c_1 = E_1(m),\quad c_2 = E_2(m),\quad \pi = \{\text{proof} : D_1(c_1) = D_2(c_2)\}$$
where $(E_1, D_1), (E_2, D_2)$ are two independently keyed copies of a CPA-secure encryption scheme. To
prove security, we needed the proof $\pi$ to be a 1-SS NIZK.
The big question for this lecture is if we can instantiate the above construction, or
similar constructions, efficiently.
Designated Verifier NIZK. As a first observation, we notice that we do not need the
full power of NIZKs for the Naor-Yung construction. In particular, the proofs do not need
to be publicly verifiable by all parties, but only by the decryptor, who can do so using a
secret trapdoor key. Therefore, we can use a weakened notion of a NIZK proof, where only
a single designated verifier, who possesses some trapdoor-key for the NIZK system, can
verify proofs. The difference between NIZKs and designated-verifier NIZKs is similar to the
difference between signatures (where any party that has a public-key can verify) and MACs
(where only the party possessing a secret-key can verify) – in both cases, public verifiability
is more difficult/expensive to achieve.
With designated-verifier (DV) NIZKs for a language $L$, any party can compute a proof
$\pi$ for a statement $y \in L$ using a witness $x$ (so that $(y, x) \in R_L$) and the crs of the NIZK. The
crs is generated along with a trapdoor-key $tk$, and only the party possessing $tk$ can verify a
proof $\pi$ for a statement $y$. We make several simplifications to the notation of DV-NIZKs:
• The trapdoor-key $tk$ used by the verifier to verify proofs $\pi$ is the same as the one used
by the simulator to generate fake proofs.
• Simulating fake proofs and verifying proofs is essentially the same: to verify a proof $\pi$
for a statement $y$, run a procedure $V(y, tk) = \tilde\pi$ and check $\pi \stackrel{?}{=} \tilde\pi$. We can also think
of $\tilde\pi$ as a simulated proof for $y$.
Definition 1 (Designated-Verifier NIZK (DV-NIZK)) A designated-verifier (DV) NIZK
for an NP-language $L$, with corresponding relation $R_L$, consists of algorithms $(Gen, P, V)$
with syntax:
• $Gen(1^\lambda) \to (crs, tk)$.
• $P(y, x, crs) \to \pi$ for $(y, x) \in R_L$.
• $V(y, tk) \to \tilde\pi$.
We require that the system satisfies the following properties.
Correctness: For all $(y, x) \in R_L$, we have $\Pr[\pi = \tilde\pi] = 1$, where the probability is taken
over $(crs, tk) \leftarrow Gen(1^\lambda)$, $\pi \leftarrow P(y, x, crs)$ and $\tilde\pi \leftarrow V(y, tk)$.
(We can relax this to probability $1 - negl(\lambda)$.)
Soundness: For all PPT adversarial provers $\tilde P$, we have
$$\Pr\left[\, y^* \notin L \;\wedge\; V(y^*, tk) = \pi^* \;:\; (crs, tk) \leftarrow Gen(1^\lambda),\ (y^*, \pi^*) \leftarrow \tilde P^{\,check_{tk}(\cdot,\cdot)} \,\right] \le negl(\lambda).$$
The adversarial prover $\tilde P$ gets oracle-access to $check_{tk}(\cdot, \cdot)$, which, on input $(y, \pi)$,
checks $V(y, tk) \stackrel{?}{=} \pi$ and outputs 1 if yes, 0 otherwise.
Usually, we will require a strengthening of the soundness property to:
t-Time Simulation Soundness (t-SS): This is analogous to the definition of soundness,
except that we consider adversarial provers $\tilde P^{\,check_{tk}(\cdot,\cdot),\, V(\cdot, tk)}$, which also (in addition
to oracle-access to $check_{tk}(\cdot, \cdot)$) get to ask up to $t$ queries to the oracle $V(\cdot, tk)$. This
oracle, on input $y_i$, outputs $\tilde\pi_i \leftarrow V(y_i, tk)$. Note that the queries $y_i$ need not be in
the language $L$. The value $y^*$ produced by $\tilde P$ at the end must differ from all of the $t$
queries $y_i$ submitted to the $V(\cdot, tk)$ oracle.
Notice that, in the above definition, we did not require a separate zero-knowledge property, since
it now simply follows from correctness: the simulator simply runs $\tilde\pi \leftarrow V(y, tk)$, which has
the same distribution as $\pi \leftarrow P(y, x, crs)$. Also, recall that for CCA security we only need
the 1-Time SS property, so that is what we will focus on.
2 Hash Proof Systems
Of course, it’s not clear how to construct Designated-Verifier NIZKs. In particular, the
soundness (and simulation-soundness) properties are fairly delicate to check. Therefore,
we also define a special form of DV NIZKs, called hash proof systems [CS02], where the
simulation-soundness property holds information-theoretically.
Definition 2 (Hash-Proof System (HPS)) A hash proof system (HPS) for a language
$L$ consists of algorithms $(Gen, P, V)$, with the same syntax as a Designated-Verifier NIZK,
and satisfying the same correctness condition. Instead of “soundness” (or t-SS), we require
t-universality, which we define as follows. For all (fixed) choices of $t$ distinct elements
$y_1, \ldots, y_t$ with $y_i \notin L$, we have
$$(crs, V(y_1, tk), \ldots, V(y_t, tk)) \equiv (crs, r_1, \ldots, r_t)$$
where $(crs, tk) \leftarrow Gen(1^\lambda)$ and $r_1, \ldots, r_t$ are uniform and independent elements (over some
well-defined domain). The “$\equiv$” symbol denotes “distributional equivalence”.
Theorem 3 Any $(t + 1)$-universal HPS for a language $L$ is also a designated-verifier t-SS
NIZK for $L$, if the domain-size of the proofs $\pi$ is super-polynomial.
Proof: (sketch) We show that t-SS holds unconditionally, even for unbounded adversaries.
The main idea is to look at what information the adversary can get about $tk$ during the
SS-game. This only consists of the crs and (up to) $t$ proofs $\pi_1, \ldots, \pi_t$ for some distinct false
statements $y_1, \ldots, y_t$ (see footnote 1). But, by $(t + 1)$-universality, the proof $\pi^*$ for any new statement
$y^* \notin L$ is distributed randomly and independently of the information the adversary sees.
Therefore, the probability that even an unbounded adversary can predict such a proof is at
most the inverse of the domain-size of the proofs $\pi$, and thus negligible.
Since we care about 1-SS for CCA security, we would like to achieve a 2-universal HPS.
However, even a 1-universal HPS is interesting, and is worth seeing as a warm-up.
A 1-universal HPS for the DDH Language. Let $G$ be a group of prime order $|G| = q$.
Let $g_1, g_2$ be two generators of $G$. We show how to build a 1-universal HPS for the language
$L_{DDH} = \{(u_1, u_2) : \exists r \text{ s.t. } u_1 = g_1^r, u_2 = g_2^r\}$ of DDH tuples (see footnote 2). Define:
$Gen(1^\lambda)$: Pick $x_1, x_2 \leftarrow \mathbb{Z}_q$ (at random). Set $crs = c = g_1^{x_1} g_2^{x_2}$ and $tk = (x_1, x_2)$.
$P((u_1 = g_1^r, u_2 = g_2^r), r, crs)$: To prove $(u_1, u_2) \in L_{DDH}$ given witness $r$, compute $\pi = c^r$.
$V((u_1, u_2), tk = (x_1, x_2))$: To verify the statement $(u_1, u_2)$ compute $\tilde\pi = u_1^{x_1} u_2^{x_2}$.
Theorem 4 The above system $(Gen, P, V)$ is a 1-universal HPS for $L_{DDH}$.
Proof: Correctness follows since:
$$\pi = c^r = (g_1^{x_1} g_2^{x_2})^r = g_1^{r x_1} g_2^{r x_2} = u_1^{x_1} u_2^{x_2} = \tilde\pi.$$
1-Universality can be argued by showing that, for any fixed $(u_1, u_2) \notin L_{DDH}$, the distribution
of $(crs = c,\ \pi = V((u_1, u_2), tk))$ is that of two random and independent group elements.
Consider the map
$$f(x_1, x_2) = (crs, \pi) = (g_1^{x_1} g_2^{x_2},\ u_1^{x_1} u_2^{x_2})$$
mapping trapdoors $tk = (x_1, x_2)$ to $(crs, \pi)$ pairs. If we show that this map is injective then
we are done, since we are applying this map to a uniformly random input and hence will get a uniformly random
output. We will show the equivalent statement that the map $f'(x_1, x_2) = \log_{g_1}(f(x_1, x_2)) =
(\log_{g_1}(c), \log_{g_1}(\pi))$ is injective. Let
$$u_1 = g_1^{r_1},\qquad u_2 = g_2^{r_2} = g_1^{\beta r_2}$$
for some $r_1 \ne r_2$ and $\beta = \log_{g_1}(g_2)$. We write
$$c = g_1^{x_1} g_2^{x_2} = g_1^{x_1 + \beta x_2},\qquad \pi = u_1^{x_1} u_2^{x_2} = g_1^{r_1 x_1 + \beta r_2 x_2}$$
so $(c, \pi) = (g_1^{z_1}, g_1^{z_2})$ for
$$\begin{pmatrix} z_1 \\ z_2 \end{pmatrix} = M \begin{pmatrix} x_1 \\ x_2 \end{pmatrix}, \qquad \text{where } M = \begin{pmatrix} 1 & \beta \\ r_1 & r_2 \beta \end{pmatrix}.$$
In other words $f'(x_1, x_2) = M (x_1, x_2)^T$. Since $\det(M) = \beta(r_2 - r_1) \ne 0$ (as $\beta \ne 0$ and $r_1 \ne r_2$), the matrix $M$ is not
singular, which shows that $f'$ is injective and concludes the proof.
Footnote 1 (to the proof of Theorem 3): Repeated statements $y$ can be ignored, since their corresponding proofs are always the same. True
statements $y$ can also be ignored, since their proofs do not reveal any information about $tk$. Calls to $check(\cdot, \cdot)$
can be ignored since, for true statements $y$, the output is independent of $tk$ and, for false statements, we
can assume w.l.o.g. that the adversary never gives a good $\pi$, as otherwise he can win the game by just outputting
$(y, \pi)$ without calling $check(\cdot, \cdot)$ (here we assume that the number of queries is bounded).
Footnote 2: Note that the language $L_{DDH}$ is parameterized by $G, g_1, g_2$.
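An added example, not code from the lecture notes: the 1-universal HPS above over a toy group, with Theorem 4's injectivity argument checked exhaustively. Constructed parameters are p = 23, q = 11, g1 = 4 and g2 = g1^7; for a non-DDH tuple the map tk → (crs, π̃) hits all q² pairs, while for a DDH tuple π̃ is a function of crs.

```python
# Added example, not from the lecture notes: the 1-universal HPS for L_DDH
# over a toy group, with Theorem 4's injectivity argument checked by brute
# force. Constructed parameters: p = 23, q = 11, G = the squares mod 23
# (prime order q). A real deployment uses a 2048-bit safe prime or an
# elliptic-curve group; the tiny group only makes every tk enumerable.
P, Q = 23, 11
G1 = 4                 # 4 = 2^2 is a square mod 23, so it generates G
BETA = 7               # second generator g2 = g1^beta (beta is a constructed value)
G2 = pow(G1, BETA, P)  # = 8

def hps_gen(x1, x2):
    """Gen: crs = c = g1^x1 g2^x2, tk = (x1, x2)."""
    return (pow(G1, x1, P) * pow(G2, x2, P)) % P, (x1, x2)

def hps_prove(crs, r):
    """P: for (u1, u2) = (g1^r, g2^r) with witness r, the proof is c^r."""
    return pow(crs, r, P)

def hps_verify(u1, u2, tk):
    """V: pi~ = u1^x1 u2^x2, computable only with the trapdoor."""
    x1, x2 = tk
    return (pow(u1, x1, P) * pow(u2, x2, P)) % P

def correctness_holds(r, x1, x2):
    """Correctness: P's proof equals V's recomputation on a true statement."""
    crs, tk = hps_gen(x1, x2)
    return hps_prove(crs, r) == hps_verify(pow(G1, r, P), pow(G2, r, P), tk)

def image_size(u1, u2):
    """Number of distinct (crs, pi~) pairs as tk ranges over all of Z_q^2.
    DDH tuple: pi~ = crs^r is a function of crs, so only q pairs occur.
    Non-DDH tuple: tk -> (crs, pi~) is injective (det M != 0), so all q^2
    pairs occur, i.e. (crs, pi~) is a uniformly random pair of elements."""
    pairs = set()
    for x1 in range(Q):
        for x2 in range(Q):
            crs, tk = hps_gen(x1, x2)
            pairs.add((crs, hps_verify(u1, u2, tk)))
    return len(pairs)

if __name__ == "__main__":
    ddh = (pow(G1, 5, P), pow(G2, 5, P))        # r1 = r2 = 5: in L_DDH
    non_ddh = (pow(G1, 5, P), pow(G2, 8, P))    # r1 = 5, r2 = 8: not in L_DDH
    print("correctness:", correctness_holds(5, 3, 9))                        # True
    print("DDH tuple, distinct (crs, pi) pairs:", image_size(*ddh))          # 11
    print("non-DDH tuple, distinct (crs, pi) pairs:", image_size(*non_ddh))  # 121
```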
A 2-universal HPS for the DDH Language. We now give a slightly more complicated
2-universal HPS for the language $L_{DDH}$. The parameters are the same as in the previous
scheme, but we will also make use of a collision-resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_q$.
Define:
$Gen(1^\lambda)$: Pick $x_1, x_2, y_1, y_2 \leftarrow \mathbb{Z}_q$ (at random). Set
$$crs = (c, d) \text{ where } c = g_1^{x_1} g_2^{x_2},\ d = g_1^{y_1} g_2^{y_2}, \qquad tk = (x_1, x_2, y_1, y_2).$$
$P((u_1 = g_1^r, u_2 = g_2^r), r, crs = (c, d))$: To prove $(u_1, u_2) \in L_{DDH}$ given witness $r$, compute
$\alpha = H(u_1, u_2)$. Output $\pi = c^r d^{\alpha r}$.
$V((u_1, u_2), tk = (x_1, x_2, y_1, y_2))$: To verify the statement $(u_1, u_2)$, compute $\alpha = H(u_1, u_2)$
and
$$\tilde\pi = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}.$$
Theorem 5 The above system $(Gen, P, V)$ is a 2-universal HPS for $L_{DDH}$.
Proof: Correctness follows since:
$$\pi = c^r d^{\alpha r} = (g_1^{x_1} g_2^{x_2})^r (g_1^{y_1} g_2^{y_2})^{\alpha r} = (u_1^{x_1} u_2^{x_2})(u_1^{y_1} u_2^{y_2})^{\alpha} = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2} = \tilde\pi.$$
For 2-universality, fix two distinct statements $(u_1, u_2) = (g_1^{r_1}, g_2^{r_2})$ and $(u_1', u_2') = (g_1^{r_1'}, g_2^{r_2'})$,
which are not in $L_{DDH}$, so $r_1 \ne r_2$ and $r_1' \ne r_2'$. Let $g_1^{\beta} = g_2$. Then, define
$$\begin{aligned}
f(x_1, x_2, y_1, y_2) &= (crs,\ \pi_1 = V((u_1, u_2), tk),\ \pi_2 = V((u_1', u_2'), tk)) \\
&= (g_1^{x_1} g_2^{x_2},\ g_1^{y_1} g_2^{y_2},\ u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2},\ u_1'^{\,x_1 + \alpha' y_1} u_2'^{\,x_2 + \alpha' y_2}) \\
&= (g_1^{x_1 + \beta x_2},\ g_1^{y_1 + \beta y_2},\ g_1^{r_1 x_1 + \beta r_2 x_2 + \alpha r_1 y_1 + \alpha \beta r_2 y_2},\ g_1^{r_1' x_1 + \beta r_2' x_2 + \alpha' r_1' y_1 + \alpha' \beta r_2' y_2})
\end{aligned}$$
where $\alpha = H(u_1, u_2)$, $\alpha' = H(u_1', u_2')$.
To show 2-universality, we only need to show that $f$ is injective. We notice that $\log(f)$ is
a linear function given by $\log(f(x_1, x_2, y_1, y_2)) = M (x_1, x_2, y_1, y_2)^T$ where
$$M = \begin{pmatrix} 1 & \beta & 0 & 0 \\ 0 & 0 & 1 & \beta \\ r_1 & \beta r_2 & \alpha r_1 & \alpha \beta r_2 \\ r_1' & \beta r_2' & \alpha' r_1' & \alpha' \beta r_2' \end{pmatrix}.$$
The determinant of $M$ is given by $\det(M) = \beta^2 (r_2 - r_1)(r_2' - r_1')(\alpha - \alpha')$. Therefore, the
function $f$ is injective if $r_2 \ne r_1$, $r_2' \ne r_1'$, $\alpha \ne \alpha'$. The first two conditions hold by the
assumption that the two statements $(u_1, u_2), (u_1', u_2')$ are not in $L_{DDH}$. The third condition
holds since the two statements are distinct, and by the collision resistance of the hash
function $H$ (see footnote 3).
Remark on Labels. We can generalize the notion of an HPS or a (DV) SS NIZK to
include labels, so that the prover computes a proof for a statement $y \in L$ w.r.t. a label $e$.
In particular, instead of having a proof system for $L$, we would like one for the language
$L' = L \,\|\, \{0, 1\}^* = \{(y, e) : y \in L, e \in \{0, 1\}^*\}$. For universality, this means that we only
require the pairs $(y_i, e_i)$ to be distinct (but the $y_i$ alone might not be).
In the 2-universal DDH example above, this is easy to do just by adding the label $e$ to
the input of the hash function $H$.
3 CCA-Secure Encryption from HPS: Instantiating Naor-Yung
With the view of an HPS as a special type of DV SS NIZK, we can instantiate the Naor-Yung
construction directly. Let’s focus on ElGamal encryption with public-key $h = g^x$, secret-key
$x$ and encryption $E_h(m; r) = (g^r, h^r \cdot m)$. To prove that two ciphertexts $c_1 = (u_1, w_1)$, $c_2 =
(u_2, w_2)$, encrypted using public keys $h_1, h_2$, decrypt to the same value it suffices to show
that
$$(u_1, u_2, w_1/w_2) \in L_{ElGamal} \quad \text{where} \quad L_{ElGamal} \stackrel{\text{def}}{=} \{(g^{r_1}, g^{r_2}, h_1^{r_1}/h_2^{r_2}) : r_1, r_2 \in \mathbb{Z}_q\}.$$
This language is somewhat different from $L_{DDH}$ and so we must construct a new 2-universal HPS for this language. This proof system, shown below, is somewhat less efficient
than the one for $L_{DDH}$. However, once we show that it is 2-universal, it yields a 1-SS DV
NIZK and therefore allows us to instantiate Naor-Yung directly.
Footnote 3 (to the proof of Theorem 5): In particular, the Hash Proof System property is not information theoretic as required in the definition,
but this distinction will not matter for us.
An HPS for Equality of ElGamal Ciphertexts. The HPS for the language $L_{ElGamal}$
proceeds as follows.
$Gen(1^\lambda)$: Pick $x_1, x_2, x_3, y_1, y_2, y_3 \leftarrow \mathbb{Z}_q$ (at random). Set
$$crs = (c_1, c_2, d_1, d_2) \text{ where } c_1 = g^{x_1} h_1^{x_3},\ c_2 = g^{x_2} h_2^{-x_3},\ d_1 = g^{y_1} h_1^{y_3},\ d_2 = g^{y_2} h_2^{-y_3}, \qquad tk = (x_1, x_2, x_3, y_1, y_2, y_3).$$
$P((u_1 = g^{r_1}, u_2 = g^{r_2}, w = h_1^{r_1}/h_2^{r_2}), (r_1, r_2), crs)$: To prove $(u_1, u_2, w) \in L_{ElGamal}$ given witness $(r_1, r_2)$, compute $\alpha = H(u_1, u_2)$. Output
$$\pi = c_1^{r_1} c_2^{r_2} (d_1^{r_1} d_2^{r_2})^{\alpha}.$$
$V((u_1, u_2, w), tk)$: To verify the statement $(u_1, u_2, w)$, given the trapdoor $tk = (x_1, x_2, x_3, y_1, y_2, y_3)$,
compute $\alpha = H(u_1, u_2)$ and
$$\tilde\pi = (u_1^{x_1} u_2^{x_2} w^{x_3})(u_1^{y_1} u_2^{y_2} w^{y_3})^{\alpha}.$$
The proof that this system is a 2-universal HPS is similar to the proof of Theorem 5 and
we omit it.
4 CCA-Secure Encryption from HPS: A Direct Approach
We now show a slightly simpler approach to building CCA secure encryption from HPS.
Of course, since HPS is an information theoretic primitive, we will also need to make some
computational assumption on the language L for the HPS.
Membership Indistinguishable Languages. We will need an HPS for a language L
for which there exists some language L̄ such that:
• L ∩ L̄ = ∅.
• There is an efficient algorithm that samples uniformly random elements y ← L along
with a witness x.
• There is an efficient algorithm that samples uniformly random elements y ← L̄.
• It is computationally hard to distinguish y ← L from y ← L̄.
We call such languages membership indistinguishable (see footnote 4).
A perfect example comes from $L_{DDH}$, where we can define the language $\bar L_{DDH}$ (relative
to public parameters $g_1, g_2$) by:
$$\bar L_{DDH} = \{(u_1, u_2) : \exists r_1 \ne r_2 \text{ s.t. } u_1 = g_1^{r_1}, u_2 = g_2^{r_2}\}.$$
Membership indistinguishability then follows from the DDH assumption.
The Abstract Construction. Let $\Pi = (Gen, P, V)$ be a 1-universal HPS for a language
$L$, and $\Pi' = (Gen', P', V')$ be a 2-universal HPS for the same language $L$ such that $\Pi'$ supports
labels. We define an encryption scheme $(Gen_E, E, D)$ as follows:
$Gen_E$: Choose $(crs, tk) \leftarrow Gen(1^\lambda)$, $(crs', tk') \leftarrow Gen'(1^\lambda)$. Output
$$pk = (crs, crs'),\quad sk = (tk, tk').$$
$E_{pk}(m)$: Choose $y \leftarrow L$ together with a witness $x$. Compute $\pi = P(y, x, crs)$, $c = \pi \oplus m$
and $\pi' = P'((y, c), x, crs')$, a proof of the statement $y$ with label $c$. Output
$$C = (y, c, \pi').$$
$D_{sk}(C)$: Parse $C = (y, c, \pi')$. Compute $\tilde\pi = V(y, tk)$, $\tilde\pi' = V'((y, c), tk')$. If $\pi' \ne \tilde\pi'$ output $\bot$.
Else output $c \oplus \tilde\pi$.
We will prove the CCA security of the above construction. However, as a first step,
it’s worth verifying that the system is even CPA secure, since this is already non-obvious.
The main idea is that the challenge ciphertext is generated using $y \leftarrow L$, $\pi = P(y, x, crs) =
V(y, tk)$. However, this is indistinguishable from $y \leftarrow \bar L$, $\pi = V(y, tk)$ by the membership
indistinguishability of $L$. But, by the 1-universality of $\Pi$, the value $\pi = V(y, tk)$ for $y \notin L$
is uniformly random and hence perfectly hides the encrypted message. We now prove CCA
security, which is a little more complicated.
Theorem 6 Assume that $L$ is a membership indistinguishable language, $\Pi = (Gen, P, V)$ is
a 1-universal HPS for $L$, and $\Pi' = (Gen', P', V')$ is a 2-universal HPS for $L$ whose proofs
come from some super-polynomial sized domain. Then the above defined encryption scheme
is CCA-2 secure.
Proof: We do a series-of-games argument to show security.
Game 0: This is the original CCA-2 security game. The adversary has access to a decryption oracle $D_{sk}(\cdot)$ and gets a challenge-ciphertext
$$E_{pk}(m_b) = (y, c, \pi') :\ (y, x) \leftarrow R_L,\ \pi \leftarrow P(y, x, crs),\ c = m_b \oplus \pi,\ \pi' \leftarrow P'((y, c), x, crs')$$
of message $m_b$.
Footnote 4 (to the definition of membership indistinguishable languages): We can relax this requirement to the existence of some distributions (not necessarily uniform ones) over
subsets of $L$ and $\bar L$.
Game 1: We compute the challenge ciphertext by computing $\pi, \pi'$ using the verification
algorithms and their corresponding trapdoor keys:
$$(y, c, \pi') :\ (y, x) \leftarrow R_L,\ \pi \leftarrow V(y, tk),\ c = m_b \oplus \pi,\ \pi' \leftarrow V'((y, c), tk')$$
By the correctness of the HPS, this is only a syntactical change and does not modify
the distribution of the game at all.
Game 2: We modify the challenge ciphertext still further, by choosing $y \leftarrow \bar L$. That is:
$$(y, c, \pi') :\ y \leftarrow \bar L,\ \pi \leftarrow V(y, tk),\ c = m_b \oplus \pi,\ \pi' \leftarrow V'((y, c), tk')$$
By the membership indistinguishability property of the language $L$, Games 1 and 2
are indistinguishable.
Game 3: We now modify the decryption oracle to automatically output $\bot$ on any input
$C_i = (y_i, c_i, \pi_i')$ containing $y_i \notin L$. For $y_i \in L$, the oracle runs as previously (and can
also return $\bot$ if the proof $\pi_i'$ does not verify). Note that this differs from Game 2,
where the decryption oracle outputs $\bot$ iff $\tilde\pi_i' \ne \pi_i'$ where $\tilde\pi_i' = V'((y_i, c_i), tk')$.
Let us look at how the games differ in more detail. Let the challenge ciphertext be
$(y, c, \pi')$ and the $i$th query to the decryption oracle be $(y_i, c_i, \pi_i')$. Then, we break the
analysis into two cases:
• $(y_i, c_i) = (y, c)$. In both Games 2 and 3, the oracle returns $\bot$ when $\pi_i' = \pi'$
(because the input to the decryption oracle is the challenge ciphertext) and also
when $\pi_i' \ne \pi'$ (because then the verification rejects). So this case is the same in
both games.
• $(y_i, c_i) \ne (y, c)$. Games 2 and 3 differ only if $y_i \notin L$ and $\pi_i' = V'((y_i, c_i), tk')$. We
argue that this happens with negligible probability. The only information the
adversary has about $tk'$ consists of $crs'$ and $\pi' = V'((y, c), tk')$. Therefore, by the
2-universality of $\Pi'$, the value $\pi_i' = V'((y_i, c_i), tk')$ is a random value which is
independent of everything the adversary sees during the game. The probability
that the adversary can guess this value is negligible (assuming that the size of $\pi_i'$
is super-logarithmic).
Game 4: We lastly modify the challenge ciphertext to be
$$(y, c, \pi') :\ y \leftarrow \bar L,\ \pi \leftarrow \$,\ c = m_b \oplus \pi,\ \pi' \leftarrow V'((y, c), tk')$$
where $\pi$ is uniformly random. Games 3 and 4 are (information theoretically) indistinguishable by the 1-universality of $\Pi$. This is because the only information the
adversary gets about $tk$ in Game 3 consists of $crs$ and $\pi$, since the decryption oracle
only computes $V(y_i, tk) = P(y_i, x_i, crs)$ for $y_i \in L$. But then, by 1-universality, $\pi$ is
uniformly distributed.
Note that, in Game 4, the ciphertext is independent of the message $m_b$. Therefore
the adversary’s advantage (in guessing which message $m_b$ was encrypted) is
0. Therefore the original advantage of the adversary in Game 0 is only negligible,
proving CCA security.
4.1 The Cramer-Shoup Encryption Scheme
We now describe the Cramer-Shoup [CS98] encryption scheme. This scheme follows exactly
by instantiating our abstract construction above with the language $L_{DDH}$ and the constructions of 1-universal and 2-universal HPS for this language. Altogether, this results in the
following system:
Parameters: A group $G$ of prime order $q$ with two generators $g_1, g_2$, and a hash function $H$
mapping into $\mathbb{Z}_q$.
$Gen_E$: Choose $sk = (x_1, x_2, y_1, y_2, z_1, z_2) \leftarrow \mathbb{Z}_q^6$ and set
$$pk = (c = g_1^{x_1} g_2^{x_2},\ d = g_1^{y_1} g_2^{y_2},\ h = g_1^{z_1} g_2^{z_2}).$$
$E_{pk}(m)$: Choose $r \leftarrow \mathbb{Z}_q$ and set $u_1 = g_1^r$, $u_2 = g_2^r$. Compute $e = h^r \cdot m$, $\alpha = H(u_1, u_2, e)$,
$v = c^r d^{\alpha r}$. Output $(u_1, u_2, e, v)$.
$D_{sk}(C = (u_1, u_2, e, v))$: Compute $\alpha = H(u_1, u_2, e)$ and $\tilde v = u_1^{x_1 + \alpha y_1} u_2^{x_2 + \alpha y_2}$. If $\tilde v \ne v$
output $\bot$, else output $e \cdot (u_1^{z_1} u_2^{z_2})^{-1}$.
The proof of security follows from our general framework (Theorem 6) under the DDH
assumption.
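An added example, not code from the lecture notes or from [CS98]: the scheme above over a toy group, which is also the direct construction of Section 4 with the 1-universal and labelled 2-universal DDH proof systems of Section 2 plugged in. Constructed parameters are the safe prime p = 1019 with q = 509, G the squares mod p, and H = SHA-256 reduced mod q; `decrypt` returns None where the scheme outputs ⊥.

```python
# Added example, not from the lecture notes: the Cramer-Shoup scheme of
# Section 4.1, i.e. the abstract construction of Section 4 instantiated with
# the 1-universal HPS (h; z1, z2) and the labelled 2-universal HPS (c, d;
# x1, x2, y1, y2) for L_DDH. Constructed parameters: safe prime p = 1019,
# q = 509, G = squares mod p, H = SHA-256 reduced mod q. A real deployment
# needs a 2048-bit safe prime or an elliptic-curve group.
import hashlib
import random

P, Q = 1019, 509
G1, G2 = 4, 9                     # squares mod p, hence generators of order q

def H(*vals):
    """alpha = H(u1, u2, e): collision-resistant hash into Z_q (assumed)."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(rng):
    """Gen_E: sk = (x1, x2, y1, y2, z1, z2), pk = (c, d, h)."""
    x1, x2, y1, y2, z1, z2 = (rng.randrange(Q) for _ in range(6))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P     # crs of the 2-universal HPS
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    h = pow(G1, z1, P) * pow(G2, z2, P) % P     # crs of the 1-universal HPS
    return (c, d, h), (x1, x2, y1, y2, z1, z2)

def encrypt(pk, m, rng):
    """E_pk(m) for a group element m (a square mod p)."""
    c, d, h = pk
    r = rng.randrange(1, Q)
    u1, u2 = pow(G1, r, P), pow(G2, r, P)       # y = (u1, u2) in L_DDH, witness r
    e = pow(h, r, P) * m % P                    # 1-universal proof h^r pads m
    alpha = H(u1, u2, e)                        # label e enters the hash
    v = pow(c, r, P) * pow(d, alpha * r, P) % P # 2-universal proof c^r d^(alpha r)
    return (u1, u2, e, v)

def decrypt(sk, ct):
    """D_sk: returns m, or None when the proof v does not verify."""
    x1, x2, y1, y2, z1, z2 = sk
    u1, u2, e, v = ct
    alpha = H(u1, u2, e)
    v_tilde = pow(u1, x1 + alpha * y1, P) * pow(u2, x2 + alpha * y2, P) % P
    if v_tilde != v:
        return None                             # reject: tampered or non-DDH (u1, u2)
    pad = pow(u1, z1, P) * pow(u2, z2, P) % P   # = h^r when (u1, u2) is a DDH tuple
    return e * pow(pad, -1, P) % P

def demo(seed=1):
    """Round trip, a forged proof, and the ElGamal-style malleability (scaling e
    to turn a ciphertext of m into one of 4m) that the proof v is there to stop."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = pow(3, 2, P)                            # 9 is a square, hence a group element
    ct = encrypt(pk, m, rng)
    u1, u2, e, v = ct
    forged = (u1, u2, e, v * G1 % P)            # wrong proof: always rejected
    scaled = (u1, u2, e * 4 % P, v)             # rejected unless H collides mod q
    return decrypt(sk, ct) == m, decrypt(sk, forged), decrypt(sk, scaled)
```

In the toy group the scaled ciphertext slips through only when the two hash values collide mod q, probability about 1/q, which is exactly why q must be large in practice.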
References
[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, pages 13–25, 1998.
[CS02] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT, pages 45–64, 2002.
[DDN00] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM J. Comput., 30(2):391–437, 2000.
[NY90] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pages 427–437, 1990.