Download Construction of a Non-Malleable Encryption Scheme from Any ... and more Slides Cryptography and System Security in PDF only on Docsity!
Construction of a Non-Malleable Encryption
Scheme from Any Semantically Secure One
Rafael Pass^1 , abhi shelat^2 , and Vinod Vaikuntanathan^3 (^1) Cornell University (^2) IBM ZRL (^3) MIT
Abstract. There are several candidate semantically secure encryption schemes, yet in many applications non-malleability of encryptions is crucial. We show how to transform any semantically secure encryption scheme into one that is non-malleable for arbitrarily many messages.
Keywords. Public-key Encryption, Semantic Security, Non-malleability, Non- interactive Zero-knowledge Proofs.
1 Introduction
The most basic goal of an encryption scheme is to guarantee the privacy of data. In the case of public-key encryption, the most universally accepted formalization of such privacy is the notion of semantic security as defined by Goldwasser and Micali [GM84]. Intuitively, semantic security guarantees that whatever a polynomial-time machine can learn about a message given its encryption, it can learn even without the encryption. Non-malleability, as defined by Dolev, Dwork and Naor [DDN00], is a stronger notion of security for encryption schemes. In addition to the privacy guaran- tee, non-malleability of an encryption scheme guarantees that it is infeasible to modify ciphertexts α 1 ,... , αn into one, or many, other ciphertexts of messages related to the decryption of α 1 ,... , αn. At first one might wonder whether it is possible to violate non-malleability, i.e., modify ciphertexts into ciphertexts of related messages, without violating semantic security, i.e. without learning anything about the original message. It turns out, however, that many semantically secure encryption schemes, including the original one proposed in [GM84], are easily malleable. Thus, non- malleability is a strictly stronger requirement than semantic security. Moreover, non-malleability is often times indispensable in practical applications. For exam- ple, no one would consider secure an electronic “sealed-bid” auction in which an adversary can consistently bid exactly one more dollar than the previous bidders. The importance of non-malleability raises an important question:
Is it possible to immunize any semantically secure encryption scheme against malleability attacks?
The work of Dolev, Dwork and Naor partially answers this question affirma- tively. They show how to perform such an immunization (for the even stronger chosen-ciphertext attack) assuming the existence of enhanced trapdoor permu- tations. Subsequently, several other constructions of non-malleable encryption schemes have been presented under various number-theoretic assumptions such as decisional Diffie-Hellman [CS98] and quadratic-residuosity [CS02]. Neverthe- less, there exist some notable computational assumptions, such as computational Diffie-Hellman, and the worst-case hardness of various lattice-problems [AD97, Reg05], under which semantically secure encryption schemes exist, yet no non- malleable encryption schemes are known. Another partial answer comes from a single-message non-malleable encryp- tion scheme based on any semantically secure scheme called DDNLite [Nao04, Dwo99]. By single-message, we mean that the DDNLite scheme is secure only when the adversary receives one ciphertext.^4 As was stated in [DDN00], many- message security is a sine qua non of non-malleable encryption, and indeed the classic motivating examples for non-malleability (such as auctions) require it. In this paper, our main result is to fully address the posed question. We show how to immunize any semantically secure encryption scheme into one that is non-malleable for any number of messages without any further computational assumptions.
Main Theorem 1 (Informal) Assume the existence of an encryption scheme that is semantically secure against chosen-plaintext attacks (CPA). Then there exists an encryption scheme that is many-message non-malleable against CPA.
As an additional contribution, we show that even in the case of single-message security, the previous definitions of non-malleability and also the DDN-Lite scheme allow a subtle class of malleability attacks. We address this issue by presenting a stronger definition of non-malleability and emphasize that our con- struction meets this stronger notion.
1.1 Definitional Contributions
Our main conceptual contribution is to strengthen the definition of non-malleable encryption. Our definition has the advantage of being both technically simple and providing a natural explanation of non-malleability. In one sentence, our definition technically captures the following requirement:
“No matter what encryptions the adversary receives, the decryption of his output will be indistinguishable.”
Recall the indistinguishability-based definition of secrecy: an adversary can- not distinguish between the ciphertexts of any two messages of his choosing. Another way of phrasing this definition is to say that no matter which encryp- tion an adversary receives, his output will be indistinguishable.
(^4) As pointed out by Genaro and Lindell [GL03], the DDNLite scheme is in fact mal- leable when the adversary receives multiple ciphertexts.
Under the original definition, one can verify that Bob does not formally win the non-malleability game, and thus an encryption scheme which allows such an attack would still be considered non-malleable under CPA.^6
Many messages More interestingly, we also show that this small detail is the key factor which allows one to prove composability of the non-malleable encryption scheme, i.e., that a single-message secure scheme will also be non-malleable when the adversary receives many messages. Indeed, Gennaro and Lindell [GL03, p.17] point out that one-message non-malleability does not imply many-message non- malleability under the [DDN00] definition. As mentioned above, this feature is very important in practice, since an adversary may receive several encryptions and we still want to guarantee non-malleability. To understand the problem, many-message non-malleability is usually proven through a reduction of the following form: an adversary that can break the many-message non-malleability can be used to break the single-message non- malleability. Such a proof requires a hybrid argument in which one feeds the adversary one of two specially-constructed distribution of ciphertexts, on which it is possible to distinguish the adversary’s output. However, since the input to the adversary is hybrid, the adversary may produce invalid ciphertexts—and such may be the basis upon which the adversary’s output is distinguishable. If, in the single-message definition, the experiment unconditionally outputs 0 if the adversary produces any invalid ciphertexts, then we do not even have the chance to use the distinguisher which breaks the many-message case to break the single-message one.
Many Keys There is one final issue which arises in practice. The adversary may receive encryptions under different public keys. Here too, we define a notion of non-malleability. Although this scenario is also usually handled by a standard hybrid argument, there are a few definitional issues to consider.
1.2 Overview of our Construction
The immunization paradigm introduced by Dolev, Dwork and Naor is elegant and conceptually simple. To encrypt a message, one (a) generates several en- cryptions of the same message under independent public keys, (b) gives a non- interactive zero-knowledge proof that all resulting ciphertexts are encryptions of the same message, and (c) signs the entire bundle with a one-time signature. Because one-time signatures can be constructed from one-way functions, only step (b) in the DDN construction requires an extra computational assumption— namely the existence of trapdoor permutations. Indeed, non-interactive zero- knowledge proofs have been well-studied, and it remains a pressing open ques-
(^6) A similar attack applies to the classic auction example presented in [DDN00]. Here, if Bob knows Alice’s bid is in the range [x, y] and Bob can submit y − x bids, the same attack allows Bob to generate a set of bids such that exactly one bid matches Alice’s bid and all the rest decrypt to invalid ciphertexts.
tion whether they can be constructed without using trapdoor permutations or assumptions of comparable magnitude.^7 In the context of non-malleable encryption, however, our main observation is that standard non-interactive zero-knowledge proofs are not necessary. Instead, we use designated verifier proofs in which only a verifier with some special se- cret information related to the common random string can verify the proof. (In contrast, standard non-interactive proofs can be verified by any third party with access to the proof and the common random string.) For example, the non-malleable encryption constructions of Cramer and Shoup [CS98, CS02] can be interpreted as using some form of designated verifier proofs based on spe- cific number-theoretic assumptions. This was further generalized by Elkind and Sahai [ES02] through the notion of simulation-sound designated verifier NIZK proofs. Our main technical result is to show that
† Plain designated verifier NIZK proofs are sufficient to obtain non-malleable encryption schemes, and †† Plain designated-verifier NIZK proofs can be constructed from any seman- tically secure encryption scheme.
The first of these results follows by an argument essentially similar to the one employed in [DDN00]. At a high-level, our approach to constructing a plain designated verifier NIZK proof is to crush a Σ-protocol for N P (such as Blum’s Hamiltonicity proto- col [Blu86]) into a non-interactive proof with only the help of a semantically- secure encryption scheme.
Towards CCA2 Security The main results in this paper relate to non-malleability under a chosen plaintext attack. In the stronger chosen ciphertext attack (of which there are two varieties, CCA1 and CCA2), the adversary also has access to a decryption oracle at various stages of the attack. A natural question is whether our same techniques can be used to immunize against a malleability attack in these stronger CCA attack models. Unfortunately, when designated-verifier NIZK proofs are sequentially com- posed, it is possible for the verifier’s secret information to leak. In particular, a malicious prover who can interactively submit proofs and learn whether they are accepted or not might be able to learn about the verifier’s secret information. Because a CCA1 or CCA2 attack provides precisely such an opportunity, the soundness of the designated verifier proof system will no longer hold. Thus, our technique does not provide a method to achieve full CCA security.
Organization Our paper is organized into three sections. In §2, we present our new definition of non-malleable encryption. In §3, we define and construct des- ignated verifier NIZK proof systems from any semantically-secure encryption scheme. Finally, in §4, we show that the DDN scheme when implemented with
(^7) The work of [PS05] begins to address this question by presenting certain models of NIZK proofs that are either unconditional or only require one-way functions.
NMEb(Π, A, k, ) : (pk, sk) ← Gen(1k) (m 0 , m 1 , stateA) ← A 1 (pk) s.t. |m 0 | = |m 1 | y ← Encpk(mb) (c 1 ,... , c) ← A 2 (y, stateA)
Output (d 1 ,... , d`) where di =
⊥ if ci = y Decsk(ci) otherwise
(Gen, Enc, Dec) is non-malleable under a chosen-plaintext attack if ∀ p.p.t. algo- rithms A = (A 1 , A 2 ) and for any polynomial p(k), the following two ensembles are computationally indistinguishable:
{ NME 0 (Π, A, k, p(k))
k∈N
c ≈
NME 1 (Π, A, k, p(k))
k∈N
Let us remark on the natural similarity of the above definition with the def- inition of indistinguishable security of an encryption scheme. Indeed, the first few lines of the experiment are exactly the same. In the last step, we add the requirement that the decryptions (modulo copying) of the output of A 2 are in- distinguishable in the two experiments. This captures the requirement that even the decryption of the adversary’s output must be computationally independent of the values (even when if they are encrypted) received as inputs.
This definition both highlights the essence of non-malleability for encryption schemes and, similar to the original notion of indistinguishable security, provides the most technically convenient formalization to use in larger proofs.
Syntactic Differences with the IND-PA0 definition As we discussed in the In- troduction, there is ambiguity as to how the IND-PA0 [BS99] definition treats invalid ciphertexts. Aside from this semantic difference, one can see that our definition is a simplification of IND-PA0. We simply eliminate the guess stage of the experiment.
2.3 Many Message Non-malleability
Notice that Definition 3 only applies when the adversary A 2 receives one encryp- tion as an input. In practice, an adversary may receive several encryptions under many different public keys, and we would still like to guarantee non-malleability.
Definition 4 (Many Message Non-Malleability). Let Π = (Gen, Enc, Dec) be an encryption scheme and let the random variable mNMb(Π, A, k, ) where b ∈ { 0 , 1 }, A = (A 1 , A 2 ) and k,, J ∈ N denote the result of the following probabilistic experiment :
mNMb(Π, A, k, , J): For i = 0,... , J, (pki, ski) ← Gen(1k) ((m^01 , m^11 , t 1 ),... , (m^0 , m^1 , t), state) ← A 1 (pk 1 ,... , pkJ ) s.t. |m^0 i | = |m^1 i | For j = 0,... , yj ← Encpktj (mbj ) ((c 1 , s 1 ),... , (c, s)) ← A 2 (y 1 ,... , y, state)
Output (d 1 ,... , d`) where di =
⊥ if si 6 ∈ [1, J] ⊥ if ci = yj and si = tj , j ∈ [1, J] Decsksi (ci) otherwise
We say that (Gen, Enc, Dec) is non-malleable under a chosen-plaintext attack if for all p.p.t. algorithms A = (A 1 , A 2 ) and for all polynomials `(·), J(·), the following two ensembles are computationally indistinguishable:
{ mNM 0 (Π, A, k, `(k), J(k))
k∈N
c ≈
mNM 1 (Π, A, k, `(k), J(k))
k∈N
Theorem 1. An encryption scheme is non-malleable iff it is many message non-malleable.
Sketch: To prove the forward implication, we use an adversary (A 1 , A 2 ) and a distinguisher D which breaks the many-message non-malleability of Π with advantage η to to break the non-malleability of Π with advantage η/^2. Define a new experiment mNM(b 1 ,...,b)(Π, A, k, , J) indexed by an-bit string (b 1 ,... , b) which is the same as mNM 0 (Π, A, k,, J) except in the fifth line
(change is underlined): yj ← Encpktj (m bj j ). Define^ B(i) = (
i ︷ ︸︸ ︷ 0 ,... , 0 ,
`−i ︷ ︸︸ ︷ 1 ,... , 1)
and note that mNM 0 = mNMB(0) and mNM 1 = mNMB(). Because D distin- guishes mNM 0 from mNM 1 , there exists some g∗^ ∈ [1,] such that D distinguishes mNMB(g∗) from mNMB(g∗+1) with advantage η/. This suggests the following ad- versary: A′ 1 (pk) guesses value g ∈ [1,], generates J − 1 public keys (pki, ski), and feeds (pk 1 ,... , pkg− 1 , pk, pkg+1,... , pkJ ) to A 1 to get a vector of triples ((m^01 , m^11 , t 1 ),... , (m^0 , m^1 , t)). Finally, A′^ outputs (m^0 g , m^1 g ) as its challenge pair and outputs state information with g, all public keys, etc. Adversary A′ 2 (y, state′), on input an encryption y, simulates the replaced line 5 of experiment mNMB(g) with the exception that it uses y for the gth encryption: yg ← y. It then feeds vector y to A 2 to produce ((c 1 , s 1 ),... , (c, s`)). A′ 2 must produce ciphertexts only for pk, and can do so by simply decrypting and re-encrypting^8 appropriately. The rest of the argument concludes by conditioning on the event that g = g∗. � One can see here the importance of removing the invalid ciphertext restriction for the hybrid argument to work. Because the reduction feeds a hybrid distribu- tion to A 2 , A 2 may produce invalid ciphertexts, and these ⊥ values may form
(^8) There is one technicality concerning how A′ 2 can form invalid ciphertexts; we defer it to the full version.
- adaptive zero-knowledge: For every p.p.t. theorem chooser A, there exists a p.p.t. simulator S = (S 1 , S 2 ) such that the outputs of the following experiments are indistinguishable. ZKA(k) ZKSA(k) (pp, sp) ← D(1k) (pp′, sp′, state) ← S 1 (1k) (x, w, stateA) ← A(pp) (x, w, stateA) ← A(pp′) π ← P (pp, x, w) π′^ ← S 2 (pp′, sp′, x, state) If (x, w) ∈/ RL, output ⊥ If (x, w) ∈/ RL, output ⊥ Else output (pp, sp, x, π, stateA) Else output (pp′, sp′, x, π′, stateA)
Note that the Verifier V is a deterministic machine. This extra restriction is only used to simplify the exposition of our constructions.
3.2 Constructions
Before giving a high-level view of our protocol, let us briefly recall the structure of a 3-round honest-verifier zero-knowledge proof of knowledge for N P , also referred to as a Σ-protocol [CDS94].
Σ-protocols A Σ-protocol consists of four algorithms P 1 , V 1 , P 2 , V 2. On input, a statement x and a witness w, the first algorithm P 1 (x, w) produces a pair (a, s) which represent a “commitment” and related state information. The Prover then sends a to the Verifier. The verifier runs V 1 (x, a) to produce a random challenge b and sends b to the Prover. The prover runs P 2 (s, b) to produce a response cb and sends it to the Verifier. Finally, the verifier runs V 2 (x, a, b, cb) to determine whether to accept the proof. An example of such a protocol is Blum’s Hamil- tonicity protocol. The properties of Σ-protocols, namely completeness, special soundness, and special honest-verifier zero-knowledge, are presented in [CDS94].
Construction summary. In our construction, the prover receives k pairs of public encryption keys as the public parameter. The verifier receives the same k pairs, and also receives a secret parameter consisting of the secret key for exactly one key in each pair. A proof consists of k triples. To generate the ith triple of a proof, the prover runs the Σ-protocol prover algorithm on (x, w) using both 0 and 1 as the verifier’s challenge to produce a triple (ai, c 0 ,i, c 1 ,i). The prover encrypts this triple as (ai, Encpk 0 ,i (c 0 ,i), Encpk 1 ,i (c 1 ,i)). (We note that Camenisch and Damg˚ard use a similar idea in [CD00] to construct an interactive verifiable encryption scheme. The roots of this idea begin to appear much earlier in [KMO89].) To verify the proof, V considers each triple (ai, α 0 ,i, α 1 ,i) and decrypts either the second or third component using the secret key given in sp. He then runs the Σ-protocol verifier on (ai, fi, Dec(αfi,i)), and accepts if all k triples are accepting proofs. There is one additional detail to consider. The Σ-protocol for Blum Hamil- tonicity requires a commitment scheme. Normally, a one-round commitment
scheme requires trapdoor permutations. To get around this problem, we use a two-round commitment scheme (such as Naor [Nao91]) which can be constructed from one-way functions, which are in turn implied by the semantically-secure en- cryption scheme. The first round message of the commitment scheme is placed in the public parameter.
Theorem 2. Assume there exists a semantically secure encryption scheme. Then there exists a designated verifier NIZK proof system for any language L ∈ N P.
Sampling Algorithm D(1k^ ). For i = 1,... , k and b = 0, 1, run Gen(1k^ ) 2k times with independent random coins, to get k key-pairs (pkbi , skbi ). For i = 1 ,... , k, flip coin fi ← {^ R 0 , 1 }. Generate the receiver message σ for a two-round commitment scheme. Let ppdv^ def = [(pk^0 i , pk^1 i , σ)]ki=1 and spdv^ def = [fi, skf i i]ki=1. Output (ppdv , spdv ). Prover P (ppdv , x, w). For i = 0,... , k, generate triples as follows:
(ai, si) ← P 1 (x, w) cb,i ← P 2 (s, b) for both b = 0, 1 αb,i ← Encpkb,i (cb,i) for b = 0, 1.
and output π def = [(ai, α 0 ,i, α 1 ,i)]ki=1. Verifier V (ppdv , spdv , x, π). Parse π into k triples of the form (ai, α 0 ,i, α 1 ,i). For i = 1,... , k, compute mi def = Decskfi i (αfi,i) and run the verifier V 2 (ai, fi, mi). If all k proofs are accepted, output accept, else output reject.
Fig. 1. Designated Verifier NIZK Protocol
The proof that the scheme in Fig. 1 is a designated verifier NIZK proof system is standard and omitted for lack of space. �
4 Constructing a Non-malleable Encryption Scheme
In this section, we construct an encryption scheme that is non-malleable under CPA attacks. Our construction is exactly the DDN construction [DDN00] in which the standard NIZK proof is replaced with a designated-verifier NIZK proof. By the results from the previous section, our construction only relies on the assumption of the existence of a semantically secure encryption scheme.
Theorem 3 (Main Theorem, restated). Assume there exists an encryption scheme that is semantically-secure under a CPA attack. Then, there exists an encryption scheme that is non-malleable for many messages under a CPA attack.
NMGen(1k^ ) :
- For i ∈ [1, k], b ∈ { 0 , 1 }, run Gen(1k^ ) to generate key-pairs (pkbi , skbi ).
- Run D(1k^ ) to generate (pp, sp). Set pk def =
n (〈pk^0 i , pk^1 i 〉)ki=1, pp
o and sk def =
n (〈sk^0 i , sk^1 i 〉)ki=1, sp
o . NMEncpk(m) :
- Run the signature algorithm GenSig(1k^ ) to generate (sksig, vksig). Let (v 1 ,... , vk ) be the binary representation of vksig.
- Compute the ciphertexts ci ← Encpkvi i (m). Let c def = (c 1 , c 2 ,... , ck ).
- Run the designated verifier NIZK Prover to generate a proof π that [(c 1 ,... , ck ), (pkv 11 ,... , pkv kk )] ∈ L.
- Compute the signature σ ← Signsksig(〈c, π〉). Output the tuple [c, π, vksig, σ]. NMDecsk(c) :
- Verify the signature with Vervksig[〈c, π〉, σ]; output ⊥ upon failure.
- Verify the proof with V (pp, sp, (c, pk), π); output ⊥ upon failure.
- Let vksig = (v 1 ,... , vk ). Compute m 1 = Decskv 1 i (c 1 ) and output the result.
Fig. 2. The Non-malleable Encryption Scheme Π
Lemma 2. If E′^ = (Gen′, Enc′, Dec′) is a semantically secure encryption scheme, then Π is a non-malleable encryption scheme.
Proof. To prove that Π is a non-malleable encryption scheme, we need to show that for any p.p.t. adversary A and for all polynomials p(k), { NME 0 (Π, A, k, p(k))
k∈N
c ≈
NME 1 (Π, A, k, p(k))
k∈N
We show this by a hybrid argument. Consider the following experiments:
Experiment NME (1) b (Π, A, k, p(k))^ – Using a Simulated NIZK Proof:^ proceeds exactly like NMEb except that the simulator for the designated verifier NIZK proof system is used to generate the public parameters and to compute the challenge ciphertext (as opposed to generating an honest proof by running the prover algorithm P ). Let S = (S 1 , S 2 ) denote the simulator guaranteed by the
adaptive zero-knowledge of (D, P, V ). More formally, NME(1) b proceeds exactly like NMEb except for the following differences:
- The encryption key (pk, sk) is generated by (1) honestly running the key- generation algorithm Gen to generate the 2k encryption keys (pkbi , skbi ), but (2) running the simulator S 1 (1k) to generate the key-pair (pp, sp) for the designated verifier NIZK (instead of running D(1k) as in NMGen).
- Generate k encryptions of mb (just as in Steps 1 and 2 of NMEnc). But, instead of using the designated verifier prover, generate a “simulated proof”
by running S 2. (Note that S 2 does not use the witness—namely, mb and the randomness used for encryption—in order to generate the simulated proof).
Experiment NME(2) b (Π, A, k, p(k)) – Semantic Security of E′: proceeds exactly
like NME(1) b except for the following differences:
- Run Gen′^ to get two sets of public keys P K = {pki}ki=1 and P K′^ = {pk′ i}ki=1, along with the corresponding secret-keys SK = {ski}ki=1 and SK′^ = {sk′ i}ki=1. Generate a verification key and signing key for the sig- nature scheme (vksig∗, sksig∗). Construct a public-key for Π as follows: Let vi be the ith^ bit of vksig∗. Set pkv i i= pki, skv i i= ⊥, pk^1 i −vi= pk′ i and sk^1 i −vi= sk′ i. (NME(2) b will use the secret-keys corresponding to each pk′ i, but not pki, later in the experiment).
- After receiving the tuple (ψ 1 ,... , ψ`) of ciphertexts from A 2 , decrypt each ψj =
[
cj , πj , vksigj , σj
]
as follows: If the signature σj in ψj does not verify, output ⊥. If vksigj = vksig∗, output ⊥. If the NIZK proof πj fails ver- ification, output ⊥. Else, decrypt one of the components of ψj , for which the secret-key is known (such a component is guaranteed to exist, since vksigj 6 = vksig∗) and output the result.
We now show that these experiments are indistinguishable. The following claim follows from the adaptive zero-knowledge property of the NIZK system.
Claim 1
NMEb(Π, A, k, p(k))
k∈N
c ≈
NME(1) b (Π, A, k, p(k))
k∈N
Proof. Assume, for contradiction, that there exists a p.p.t. algorithm D which distinguishes NMEb(Π, A, k, p(k)) from NME(1) b (Π, A, k, p(k)). Then, we con- struct a theorem-chooser Azk and a ZK distinguisher Dzk that violate the adap- tive zero-knowledge of the proof system (D, P, V ) for the language L. That is, Dzk distinguishes between the experiments ZKAzk and ZKSAzk , where S is the zero-knowledge simulator. On input pp, the theorem-chooser Azk works as follows:
- Run Gen(1k) 2k times, to generate 2k key-pairs (pkbi , skbi )i∈[k],b∈{ 0 , 1 }. Run the adversary A 1 on input
[
(pkbi )i∈[k],b∈{ 0 , 1 }, pp
]
. A 1 returns a pair of plain- texts m 0 and m 1 and a string state.
- Produce the challenge ciphertext c as follows:
- Generate a key-pair (sksig, vksig) for the signature scheme.
- Pick a random b ∈ { 0 , 1 }, and for 1 ≤ i ≤ k, let ci ← Encpkvii (mb; ri), where ri is the randomness used for encryption. Let c denote (c 1 , c 2 ,... , ck) and pk denote (pkv 11 ,... , pkv kk ), and r de- note (r 1 , r 2 ,... , rk).
- Let x = (c, pk) and w = (mb, r). Output the theorem-witness pair (x, w). Also output the contents of the work-tape as stateA.
The ZK distinguisher Dzk, on input (pp, sp), the theorem (c, pk), the proof π and the state stateA, does the following:
- As picks one of the ciphertexts at random, say
[
c, π, vksig, σ
]
and outputs the pair (c, π).
The probability that As outputs a false statement and an accepting proof pair is, by our assumption, at least (^) p(k)^1 q(k) , which is a contradiction to the soundness
of (D, P, V ). �
SubClaim. For b ∈ { 0 , 1 }, Pr[badNIZK(NME(1) b )] = Pr[badNIZK(NME(2) b )] = negl(k).
Proof. We start by noting that Pr[badNIZK(NME (1) b )] = Pr[badNIZK(NME
(2) b )]. This follows because the adversary’s view in experiments NME(1) b and NME(2) b are identical until the point when the adversary A 2 outputs the ciphertexts. We proceed to show that for b ∈ { 0 , 1 }, Pr[badNIZK(NME(1) b )] is negligible in k. This is shown by an argument similar to the one used in the proof of Claim 1.
Assume, for contradiction, that Pr[badNIZK(NME (1) b )] is non-negligible. Then, we construct a pair of machines (Azk, Dzk) that violate the adaptive zero-knowledge of the proof system (D, P, V ). On input a public parameter pp for the NIZK proof system, Azk and Dzk work exactly as in the proof of Claim 1, except that in Step 3, when A 2 returns a sequence of ciphertexts (ψ 1 ,... , ψp(k)), Dzk looks for a ciphertext ψi such that not all the components of ψi decrypt to the same message, and the NIZK proof in ψi is accepting. If there exists such an i, then Dzk returns “Fail” and otherwise returns “OK”. Note that by definition, when Dzk receives a real proof, it outputs “Fail” with probability Pr[badNIZK(NMEb)]. On the other hand, when run on a simulated
proof, it outputs “Fail” with probability Pr[badNIZK(NME(1) b )]. However, in Step 1a, we showed that the former probability is negligible. If the latter probability is non-negligible, then Dzk distinguishes between a simulated proof and a real proof, contradicting the adaptive zero-knowledge property of the proof system (D, P, V ). �
Let ψi =
[
ci, πi, vksigi, σi
]
denote the ith^ ciphertext returned by A 2. Define
badSig(NME( bj )) to be the event that, in experiment NME( bj )(Π, A, k, p(k)), there exists an index i such that vksigi = vksig and Ver(vksigi, ci, πi) = accept. Since the signature scheme is (strongly) existentially unforgeable, it follows that,
for b ∈ { 0 , 1 } and j ∈ { 1 , 2 }, Pr[badSig(NME( bj ))] = negl(k).
Let badKey(NME( bj )) denote the event that for one of the public keys, say pkˆ,
generated in the experiment NME( bj ), there exists a pair of messages m, m′^ and
random coins r, r′^ such that m 6 = m′^ and Enc( pk, m, rˆ ) = Enc( pk, mˆ ′, r′). Since the encryption scheme used is perfectly correct, by the union bound, we have Pr[badKey(NME( bj ))] = negl(k). Let failb(·) denote the event badNIZK(·) ∨ badSig(·) ∨ badKey(·). It follows,
by a union bound, that Pr[failb(NME( bj ))] = negl(k), for j ∈ { 1 , 2 }.
We show that conditioned on the event failb(NME( bj )) (for j ∈ { 1 , 2 }) not
happening, NME (1) b and^ NME
(2) b are identical. Note that the view of^ A^ in both the experiments is (syntactically) the same. Since badSig(NME( bj )) does not hap- pen, A uses a different verification key in all the ciphertexts ψi it returns. This means that NME( bj )can decrypt at least one of the components of each ψi, using
a secret-key it knows, to get a message mi. Since badNIZK(NME( bj )) does not hap- pen, mi must be the message that is encrypted in all the other components of ψi too. Thus, ψi is a valid encryption of mi. Also, since badKey(NME( bj )) does not happen, mi is the unique such message. Thus the tuple of messages returned in both NME(1) b and NME(2) b are exactly the same, and thus the outputs of NME(1) b
and NME(2) b are identical.
Combining the above with the fact that the events failb(·) occur with a negli-
gible probability, we have NME(1) b (Π, A, k, p(k))
s ≈ NME(2) b (Π, A, k, p(k)). �
Claim 3 For every p.p.t. machine A, there exists a p.p.t. machine B such that for b ∈ { 0 , 1 }, { NME(2) b (Π, A, k, p(k))
k∈N
INDb(E′, B, k)
k∈N
Proof. The machine B is constructed as follows. B simply simulates the ex- periment NME(2) b , except that instead of generating pk by itself, it uses pk = {pki}ki=1 received from the outside. Let (m 0 , m 1 ) be the pair of messages the ad- versary A 1 returns. B then outputs (m 0 , m 1 ) and receives a challenge ciphertext
cb from the outside. B performs the same operations as the experiment NME(2) b to generate the challenge ciphertext Cb for A 2. Finally, A 2 returns a sequence of
ciphertexts (ψ 1 , ψ 2 ,... , ψp(k)). B decrypts these ciphertexts just as in NME (2) b and outputs the plaintexts. (Note that NME (2) b uses only^ sk
′ (^) and not sk in order
to decrypt the messages).
It is easy to see that B simulates the experiment NME(2) b perfectly using the public-keys and ciphertexts received from the outside, and thus { NME(2) b (Π, A, k, p(k))
k∈N
INDb(E′, B, k)
k∈N �
To conclude the proof, we combine the last three claims to conclude that for every p.p.t. adversary A, there is a p.p.t. adversary B such that
NMEb(Π, A, k, p(k))
c ≈ NME(1) b (Π, A, k, p(k))
s ≈ NME(2) b (Π, A, k, p(k)) ≡ INDb(E′, B, k)
Since by the semantic security of E′, IND 0 (E′, B, k)
c ≈ IND 1 (E′, B, k), it holds
that NME 0 (Π, A, k, p(k)) c ≈ NME 1 (Π, A, k, p(k)). �
[Reg05] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC, pages 84–93, 2005. [Rom90] J. Rompel. One-way functions are necessary and sufficient for secure sig- natures. In STOC, pages 387–394, 1990.
A DDN-Lite Does Not Achieve Definition 3
DDN-Lite is a candidate single-message non-malleable encryption scheme based on any semantically secure scheme which has been informally discussed in [Nao04, Dwo99]. In this section, we show that DDNLite does not meet our stronger defi- nition of non-malleability (Definition 3). We remark that DDNLite can, however, be proven secure under the DDN and equivalent [BDPR98, BS99]) definitions of non-malleability because in weaker notions, the adversary is considered to have lost the game if she produces invalid ciphertexts in the experiment. Let us briefly summarize the DDN-Lite scheme. The public key consists of k pairs of encryption keys (just as in our scheme) and a universal one-way hash function h. To encrypt a message m, generate a key pair (sksig, vksig) for a one-time signature scheme, hash the verification key vksig to get (b 1 ,... , bk) ← h(vksig), compute the ciphertexts ci = Epkbi i (m), compute the signature σ =
Signsksig(c 1 ,... , ck) and output the tuple [(c 1 , c 2 ,... , ck), vksig, σ]. To decrypt a ciphertext c parsed as [(c 1 , c 2 ,... , ck), vksig, σ], first verify the signature σ and output ⊥ if Ver rejects. Otherwise, decrypt the ci’s with the corresponding secret- keys to get corresponding messages mi. If all the mi’s are equal, then output one of the mi’s, else output ⊥.
Claim 4 The DDN-lite encryption scheme does not satisfy Definition 3.
Proof. We specify an adversary A = (A 1 , A 2 ) such that the two experiments {NME 0 (Π, A, k, p(k))}k∈N and {NME 1 (Π, A, k, p(k))}k∈N are distinguishable. A works as follows:
- A 1 outputs two arbitrary messages (m 0 , m 1 ) and no state information.
- On input ciphertext c =
[
(e 1 ,... , ek), vksig, σ
]
, let (b 1 ,... , bk) ← h(vksig). A 2 produces a new ciphertext c′^ as follows. Generate a new signing key (sksig′, vksig′). Compute (b′ 1 ,... , b′ k) ← h(vksig′). Output ciphertexts c′^ = ((x 1 ,... , xk), vksig′, σ′) where
xi =
ei if b′ i = bi E pkb
′ i i
(m 0 ) otherwise
and σ′^ is the signature of (x 1 ,... , xk) under the signing key sksig′.
Now, notice that NME 0 (Π, A, k, ) = m 0 and NME 1 (Π, A, k,) = ⊥ which can be easily distinguished. �
