
Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security


Presentation Transcript


  1. Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security Amit Sahai (MIT)

  2. What We Do • Identify a new security concern for Non-Interactive Zero Knowledge (NIZK) in shared random string model. • Show how to overcome this concern → stronger notion of NIZK. • Show how to use this to build a simple general construction of a public-key encryption scheme secure against strongest form of chosen-ciphertext attack (CCA).

  3. Outline • Non-Interactive Zero Knowledge (NIZK) • The issue: multi-party scenario & malleability • Chosen-Ciphertext Security for Encryption • How NIZK fits in: [NY] scheme & our scheme • How to achieve non-malleable NIZK.

  4. Non-Interactive Proof System [BFM88] • [Diagram: shared random string σ; Prover sends Verifier a proof π; Verifier outputs accept/reject.] • For any NP language L: • If x ∈ L with witness w, Verifier always accepts Prover(x,w). • For any (even unbounded) cheating Prover P, probability that P(σ) outputs x ∉ L and π such that Verifier accepts (x,π) is negligible.

  5. NIZK [BFM88,FLS90] • [Diagram: real scenario, σ ← {0,1}^k with Prover given (x, w), vs. simulated scenario where the Simulator produces σ and the proof.] • ∃ Simulator s.t. ∀ Verifiers: Cannot distinguish two scenarios. • Note: above is adaptive “one proof” version.

  6. NIZK • NIZK: exists for all NP if trapdoor permutations exist [FLS90,BY92] • Interactive ZK: useful for security of high level protocols, e.g. general multi-party computation. • Non-Interactive ZK: useful for strengthening security of ordinary non-interactive cryptographic primitives: • Security against active adversaries: • Signatures: chosen-message attack [BG89] • Encryption: chosen-ciphertext attack [NY90,RS91,DDN91,here]

  7. What can go wrong? • [Diagram: shared random string σ; P sends V the pair (x, π); adversary A turns it into (x’, π’).] • Even though π satisfies definition of NIZK, A can modify π to produce proof of statement for which A does not know a witness.

  8. Malleability • This is the problem of malleability [DDN91]. • [DDN91] introduced notion for interactive ZK in concurrent setting. (also for encryption, commitment) • For NIZK same problem arises even without concurrency. • Can this really happen? Isn’t it supposed to be zero-knowledge? • Yes! (we’ll see examples later) • Why? Look again at def. of NIZK: • “What one can output seeing an NIZK is indist. from what one can output without seeing it, but only if output is examined independently of the actual shared random string!”

  9. NIZK [BFM88,FLS90] • [Definition diagram repeated from slide 5.] • ∃ Simulator s.t. ∀ Verifiers: Cannot distinguish two scenarios. • Note: above is adaptive “one proof” version.

  10. What can we hope for? • Cannot hope to achieve completely: “What one can output seeing an NIZK is indist. from what one can output without seeing it.” • Impossible, since adversary can always just copy proof. • Instead, following [DDN91], non-malleability of NIZK proofs: • “Whatever one can prove after seeing an NIZK proof, one could also have proved before seeing it, except for the ability to duplicate the proof.” • This is what we formulate and achieve.

  11. CCA-secure Encryption: Lunchtime Attack (CCA1) [NY90] • Experiment CCA1: adversary is given the public key (and decryption access before the challenge), outputs (m0,m1); b ←R {0,1}; y = E(mb) is returned; adversary outputs a guess for b. • We say scheme is CCA1-secure if no poly-time adversary can guess correctly with prob. negligibly more than 1/2.

  12. CCA-secure Encryption: Adaptive Attack (CCA2) [RS91] • Experiment as in CCA1: adversary is given the public key, outputs (m0,m1); b ←R {0,1}; y = E(mb) is returned. • CCA2: adversary may keep asking for decryptions after seeing y, but cannot ask for decryption of y; then outputs a guess for b. • We say scheme is CCA2-secure if no poly-time adversary can guess correctly with prob. negligibly more than 1/2.

  13. Encryption • CCA2-security needed for use in general applications, e.g. encryption of e-mail. • CCA2-secure encryption is component in: • Authentication and Key Exchange Protocols [BCK98] • Electronic Payment Protocols [SET97] • Deniable Message Authentication [DNS98]

  14. Encryption: Prior Work • [NY90]: CCA1-secure scheme on general assumptions. • [RS91]: CCA2-secure scheme on general assumptions in a trusted center model. • [DDN91]: CCA2-secure scheme on general assumptions, but quite involved construction, using many encryptions. • More recently, efficient CCA2-secure schemes: • Based on Random Oracles [BR93,BR94] • Based on Decisional Diffie-Hellman [CS98] • Here: simple modular CCA2-scheme based on general assumptions, using non-malleable NIZK.

  15. [NY90] • Based on any semantically secure encryption scheme and NIZK: • New Public Key: two encryption keys & random string: (E1, E2, σ) • To encrypt x: send E1(x), E2(x), NIZK proof that two encryptions are consistent. • [NY90] show that this is CCA1-secure.

  16. [NY90]: Not CCA2-secure • Problem: NIZK can be malleable: • Example: bit-by-bit encryption, bit-by-bit NIZK. • Ciphertext of m0 m1: ( E1(m0) E1(m1), E2(m0) E2(m1), NIZK π = (π0 π1) ) • Swap the components: ( E1(m1) E1(m0), E2(m1) E2(m0), NIZK π’ = (π1 π0) ) • Get decryption: m1 m0 • Know message is m0 m1

  17. Solution • Modify [NY90] to use non-malleable NIZK instead: • Same Public Key: two encryption keys & random string: (E1, E2, σ) • To encrypt x: send E1(x), E2(x), non-malleable NIZK proof that two encryptions are consistent. • We show: this is CCA2-secure. Thus: • If efficient non-malleable NIZK proof of consistency found for some particular efficient encryption scheme, this implies new efficient CCA2-secure encryption scheme.

  18. NIZK → non-malleable NIZK • We give transformation from NIZK → non-malleable NIZK based on any one-way function. • Use idea introduced in [DDN91] in context of encryption. • We abstract and generalize this idea, which we call Unduplicatable Set Selection, and apply it to NIZK.

  19. Unduplicatable Set Selection • Setup: q players • Set of Objects: O1, O2, …, Om • Function f(·,·): Takes an object Oj and other input x, e.g. f(O3,x). • Each player has some private inputs x1,…, xk • Each player should select a random subset of objects, and evaluate f on these objects with private inputs, e.g. f(O2,x1), f(O7,x2),…, f(O3,xk) • Want to force each player to either: • Completely duplicate another player’s output OR • Use a unique subset of objects.

  20. Unduplicatable Set Selection (cont.) • Ingredients: (For q=2) • (one-time) signature scheme, produces keys (VK,SK). • Function g mapping distinct VK to distinct subsets of objects (i.e. g is 1-1). e.g. interpret VK as poly over finite field, and evaluate at several points. • Each player: • Picks (VK,SK) pair for signature scheme. • Uses g(VK) to select subset of objects {Oj} • Outputs ( VK, y = {f(Oj,xi)}, SignSK(y) )

  21. Unduplicatable Set Selection (cont.) • Why does it work? • Suppose first player outputs: ( VK, y = {f(Oj,xi)}, SignSK(y) ) • If second player chooses VK’ ≠ VK, then g(VK’) ≠ g(VK), so subset will be distinct. • If VK’ = VK, then cannot sign any message except y. Hence, output is identical. • Actually need slightly stronger than normal signature scheme here -- to ensure that different signature of same message cannot be output. Construction is in paper.

  22. non-malleable NIZK • “Whatever one could prove after seeing an NIZK proof, one could also have proved before seeing it, except for the ability to duplicate the proof.” • Use Unduplicatable Set Selection where: • Objects are “shared” random strings • Function f produces (normal) NIZK proof. • Thus, given proof π, force adversary to either: • Duplicate π exactly, OR • Use a new random string for proof.
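The Unduplicatable Set Selection construction of slides 19-21, and the way slide 22 plugs it into NIZK, worked through as an added Python example. This is not code from the paper: the slides leave the signature scheme and g abstract ("Construction is in paper"). Here Lamport one-time signatures stand in for the signature scheme, g reads VK as the coefficients of a polynomial over GF(p) with the assumed prime p = 4294967311 and evaluates it at D points (the "poly over finite field" idea of slide 20), and f is a keyed-hash placeholder for the per-object function, which in the paper would be a NIZK proof computed under shared random string O_j. Those three choices, and the toy 128-bit parameters, are assumptions of this example.

```python
"""Unduplicatable Set Selection (slides 19-21) with an illustrative Lamport OTS.

Added example, not the paper's construction. Assumptions: Lamport one-time
signatures over 128-bit digests, blake2b truncated to 16 bytes as H, the prime
P = 2^32 + 15 for the field, and a keyed hash as a placeholder for f(O_j, x).
"""
import functools
import hashlib
import os

N_BITS = 128                      # message digest length signed by the OTS
HLEN = 16                         # hash output length in bytes
VK_LEN = 2 * N_BITS * HLEN        # 4096 bytes: two hashes per message bit
P = 4294967311                    # prime > 2^32, so each 4-byte chunk of VK is a field element
D = VK_LEN // 4                   # 1024 coefficients, evaluated at the D points 1..D


def H(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=HLEN).digest()


def ots_keygen(rng=os.urandom):
    """Lamport key pair: SK = two secret preimages per digest bit, VK = their hashes."""
    sk = [(rng(HLEN), rng(HLEN)) for _ in range(N_BITS)]
    vk = b"".join(H(s0) + H(s1) for s0, s1 in sk)
    return vk, sk


def _msg_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def ots_sign(sk, msg: bytes) -> bytes:
    # Reveal, per digest bit, the preimage that bit selects. The signature is fixed by
    # (SK, msg): another valid signature on the same msg would be a second preimage of a
    # VK entry, which is the "unique signature" strengthening slide 21 asks for.
    return b"".join(sk[i][b] for i, b in enumerate(_msg_bits(msg)))


def ots_verify(vk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(vk) != VK_LEN or len(sig) != N_BITS * HLEN:
        return False
    for i, b in enumerate(_msg_bits(msg)):
        preimage = sig[i * HLEN:(i + 1) * HLEN]
        expected = vk[(2 * i + b) * HLEN:(2 * i + b + 1) * HLEN]
        if H(preimage) != expected:
            return False
    return True


@functools.lru_cache(maxsize=None)
def g(vk: bytes) -> frozenset:
    """Injective map VK -> subset of objects (slide 20).

    VK is read as D coefficients of a polynomial over GF(P) and evaluated at x = 1..D.
    Objects are indexed by (point, value), i.e. a grid of D rows with P objects each.
    Two distinct polynomials of degree < D agree on at most D-1 points, so distinct
    VKs give subsets that differ in at least one object.
    """
    coeffs = [int.from_bytes(vk[i:i + 4], "big") for i in range(0, VK_LEN, 4)]
    subset = set()
    for j in range(1, D + 1):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation at x = j
            acc = (acc * j + c) % P
        subset.add((j, acc))
    return frozenset(subset)


def f(obj, x: bytes) -> bytes:
    """Constructed placeholder for f(O_j, x); in the paper this is a NIZK proof under
    shared random string O_j. The object is identified by its (row, value) grid index."""
    j, v = obj
    return H(j.to_bytes(4, "big") + v.to_bytes(8, "big") + x)


def player_output(private_inputs, rng=os.urandom):
    """One player's move (slide 20): pick (VK, SK), select g(VK), evaluate f, sign."""
    vk, sk = ots_keygen(rng)
    chosen = sorted(g(vk))
    # Demo choice: the i-th selected object is paired with private input x_{i mod k}.
    y = b"".join(f(obj, private_inputs[i % len(private_inputs)])
                 for i, obj in enumerate(chosen))
    return vk, y, ots_sign(sk, y)


def check_output(vk: bytes, y: bytes, sig: bytes) -> bool:
    """Verifier side: an output (VK, y, sig) is accepted only if sig is valid under VK."""
    return ots_verify(vk, y, sig)


def fresh_objects(vk_first: bytes, vk_second: bytes) -> int:
    """How many objects in g(vk_second) the first player did not use (slide 22: a new
    random string the second prover must work with)."""
    return len(g(vk_second) - g(vk_first))


def demo():
    vk1, y1, sig1 = player_output([b"x1", b"x2"])
    vk2, y2, sig2 = player_output([b"x1", b"x2"])
    return {
        "own_output_accepted": check_output(vk1, y1, sig1),
        # Reusing VK1 with a different y fails: only SK1's holder can sign y2 under VK1.
        "reused_vk_other_y_accepted": check_output(vk1, y2, sig1),
        # Choosing VK2 != VK1 forces at least one object outside player 1's subset.
        "fresh_objects": fresh_objects(vk1, vk2),
    }


if __name__ == "__main__":
    print(demo())
```

The two branches of slide 21 appear directly in `demo()`: keeping VK means being stuck with the first player's exact y (any other y fails `check_output`), while a different VK is pushed by `g` onto a subset with at least one object the first player never touched. With random keys the subsets differ in almost every row; the guarantee the construction actually needs, and the one the polynomial argument proves, is only that they differ in at least one.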

  23. Open Problems • Our transformation works against any fixed number of proofs. Can one achieve NIZK non-malleable after seeing any poly number of proofs? • Can one define and achieve yet stronger notions of NIZK?

  24. NIZK [BFM88,FLS90] • [Definition diagram repeated from slide 5: σ ← {0,1}^k, Prover on (x, w) vs. Simulator.] • Note: above is adaptive “one proof” version.
