Post on 18-Dec-2015

Immunizing Encryption Schemes from Decryption Errors

Cynthia Dwork Moni Naor Omer Reingold

Weizmann Institute of Science / Microsoft Research

Public-Key Encryption Scheme
A triple (G,E,D) such that:
• G generates: public key KP & secret key KS
• Encrypting message m (w/ public key KP & random coins r): c = E(KP, m, r)
• Decrypting ciphertext c = E(KP, m, r) (w/ secret key KS): D(KS, E(KP, m, r)) = m

Correctness: should this hold always (perfect correctness), or only with high probability?

What About Decryption Errors?
• Goldwasser and Micali 84: required perfect correctness
• Two examples with imperfect correctness:
– Ajtai-Dwork 97 (errors can be avoided [GGH97])
– NTRU
• Is low probability of error merely an aesthetic nuisance?
• Proos 03: Chosen ciphertext attack on a version of NTRU that was supposed to be immune to such attacks
– Used the small probability of error of NTRU
• In general: perfect correctness is vital for (current methods of) protecting against CCA (CCA = Chosen Ciphertext Attacks)

Non-Malleability and Immunity to CCA
• Add redundancy and prove consistency [NY90, DDN91, …]
– Knowing any of multiple private keys is sufficient for decryption
– Indistinguishable to attacker which key you know
• Problem: what if there are errors?
– you prove consistency with what?
– proof may fail or be meaningless
– reveal which key you know
• In an adversarial setting: the low probability event may be amplified by the attacker

(Diagram: E1(M), E2(M), proof of consistency)

This Work
• When decryption errors are very infrequent: extremely efficient way to get perfect correctness.
• Amplification methods for handling frequent errors, even when the encryption scheme is only weakly one-way.
• Conclude: error-prone encryption schemes can be turned non-malleable, CCA2-secure.
– If proofs of consistency are available
• Efficient 'direct' solution using the random-oracle methodology.

Notion of Correctness
• Perfectly correct: for every private/public key pair KS, KP and every possible m and r,
D(KS, E(KP, m, r)) = m
• -correct:
Pr[D(KS, E(KP, m, r)) = m] ≥
– prob. over KS, KP, m and r
• Almost all keys perfectly correct:
– w/ probability ≥ 1-negligible over KS, KP; for all m and r,
D(KS, E(KP, m, r)) = m
– sufficient to plug into standard constructions!

Infrequent Errors
• Let (G,E,D) be a (≥ 1-2^{-4n})-correct scheme
– Assume ℓ(n) random bits are used to encrypt an n-bit message.
• Let g: {0,1}^n → {0,1}^ℓ(n) be a pseudo-random generator
• Define (G',E',D'):
– G' outputs a pair KS, KP as well as ρ ∈R {0,1}^ℓ(n)
• Public key (KP, ρ)
– To encrypt m choose t ∈R {0,1}^n and evaluate E(KP, m, ρ ⊕ g(t))
– Decryption D' is the same as D

Security and Correctness of New Scheme
• Claim: Type of security (semantic or non-malleable) under type of attack (CPA, CCA) is preserved.
Proof: For any fixed ρ the random string used, ρ ⊕ g(t), is indistinguishable from random
• Theorem: If (G,E,D) is a (≥ 1-2^{-4n})-correct scheme then (G',E',D') is almost-all-keys perfectly correct
Proof:
– With overwhelming prob. over ρ the set {ρ ⊕ g(t)} avoids all the bad random strings …
– Similar technique in:
• Lautemann's BPP in PH
• Bit commitment from p.r. (Naor)
• Zaps and Apps (Dwork-Naor)

Error Disappearance
• With probability at least 1-2^{-n} over the choice of KS, KP:
Prob_{m,r} [D(KS, E(KP, m, r)) ≠ m] ≤ 2^{-3n}
• For such "good" KS, KP, since ρ ∈R {0,1}^ℓ(n):
Prob_{m,t,ρ} [D(KS, E(KP, m, ρ ⊕ g(t))) ≠ m] ≤ 2^{-3n}
• Small enough to use a union bound over all t, m ∈ {0,1}^n. Get: With probability at least 1-2^{-(n-1)} over the choice of KS, KP and ρ we have that for all t, m ∈ {0,1}^n
D(KS, E(KP, m, ρ ⊕ g(t))) = m
• This effectively pushes all the errors into ρ, which is part of the public key
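A constructed toy run of the (G',E',D') transformation, added here and not code from the paper or the slides: the base scheme is modelled abstractly as "correct unless the coins r fall in a constructed sparse bad set", g is a SHA-256 stand-in for the PRG, the XOR reading of ρ ⊕ g(t) is assumed, and n = 8, ℓ(n) = 16 are chosen so that every seed t can be enumerated. bad_rhos() makes the union-bound step concrete: ρ is a bad public-key component exactly when ρ = b ⊕ g(t) for some bad coin string b and some seed t, so at most |BAD_COINS|·2^n of the 2^ℓ(n) values of ρ are bad.

```python
import hashlib

# Toy parameters (constructed): n-bit messages/seeds, l(n) coin bits for the base scheme.
N = 8
L = 16
# Constructed sparse set of "bad random strings": base decryption errs exactly on these.
BAD_COINS = {0x1234, 0x8BAD, 0xC0DE, 0x0F0F}

def g(t: int) -> int:
    """Stand-in PRG {0,1}^n -> {0,1}^l(n): SHA-256 of the seed, truncated to L bits (assumption)."""
    return int.from_bytes(hashlib.sha256(b"prg" + t.to_bytes(1, "big")).digest()[:2], "big")

# Base scheme (G,E,D), modelled abstractly: E packages (m, r); D returns m unless r is bad,
# in which case it returns a corrupted message (a decryption error).
def E(pk, m: int, r: int):
    return (m, r)

def D(sk, c):
    m, r = c
    return m ^ 1 if r in BAD_COINS else m

# Derived scheme (G',E',D'): rho joins the public key, the coins become rho XOR g(t).
def keygen_prime(pk, sk, rho: int):
    return (pk, rho), sk

def E_prime(pk_prime, m: int, t: int):
    pk, rho = pk_prime
    return E(pk, m, rho ^ g(t))

D_prime = D  # decryption is unchanged

def failing_seeds(rho: int):
    """Seeds t for which E' under rho steers the base scheme onto a bad coin string."""
    pk_prime, sk = keygen_prime("pk", "sk", rho)
    return [t for t in range(2**N) if D_prime(sk, E_prime(pk_prime, 0, t)) != 0]

def bad_rhos():
    """Exact union bound: rho is bad iff rho = b XOR g(t) for some bad b and seed t,
    so at most |BAD_COINS| * 2^n of the 2^l(n) choices of rho are bad."""
    return {b ^ g(t) for b in BAD_COINS for t in range(2**N)}
```

Every ρ outside bad_rhos() gives a key under which all 2^n seeds decrypt correctly, which is the "errors pushed into ρ" statement above checked exhaustively at toy size.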

Immunizing Weak Encryption Schemes
• What about smaller ?
• Easy: simple repetition reduces error (semantic security and non-malleability are preserved).
• What if the adversary has a non-negligible probability of decrypting (i.e. the scheme is only weakly one-way)?
– Cannot reduce error by simple repetition!
• Question: How do we go from an -correct -oneway cryptosystem (>) to an almost-all-keys perfectly correct one?

Natural Approach
• Use error correcting codes that can be decoded from an -fraction of correct symbols, but not from a -fraction.
• This approach works in the information theoretic setting, much more subtle in the computational setting!
– Reason: Eve may get more than just a -fraction of symbols, but rather some information about each symbol
• Example: Eve gets a list decoding

Other Information-Theoretic Tools
Polarization in the statistical setting
Sahai-Vadhan 97: given a pair of distributions X0, X1 create two new ones Y0, Y1 such that if
• Dist(X0,X1) ≤ threshold ⇒ Dist(Y0,Y1) exp. small
• Dist(X0,X1) ≥ threshold ⇒ Dist(Y0,Y1) exp. close to 1
Relation to error reduction: assume an -correct -oneway one-bit encryption scheme
– X0 an encryption of 0 and X1 an encryption of 1
– Bob can distinguish X0 from X1 with advantage ≥ ’
– Eve cannot distinguish X0 from X1 with advantage ≤ ’
– Strengthened encryption scheme defines Y0, Y1 with polarized "distances"

New Results
• Provide a collection of basic transformations, for amplification.
– Related to [SV97].
– Life is somewhat harder in the computational setting …
• Starting with an -correct -oneway cryptosystem, get an almost-all-keys perfectly correct one (previous results), and from there CCA and non-malleability
• Relation between and (for which the transformation works):
– Constant decryption errors: for any < 1 there is an << 1
– Very frequent decryption errors: for any − > 1/poly and < ^4/const
• Open: show the same for every − > 1/poly
– Likely to imply similar improvement for the statistical case.

Basic Transformations
Parallel Repetition
• repeat everything k times:
– Choose k independent public/private key pairs
– the encryption E^k of a k-tuple m = (m1, m2, …, mk) is E^k(m) = E(m1), E(m2), …, E(mk)
• Bad news: probability of legitimate encryption for a random m is ^k
• Good news: probability of adversarial encryption:
– Would like it to be ^k
– Can view it as a three round game
– [BIN 97] deals with such games; gets us "close to that": ≈ ^{k/c}
• The adversary is hurt more if ≪

Three-round game:
V: choose (kp, ks, m); send (kp, Ep(m))
P: sends m'
V: send (m, ks)
P wins if m' = m

Basic Transformations (cont.)
Hard-Core Bit
• The encryption of a bit b is (E(m), r, r·m ⊕ b) where m is a random message
• Usage: turning one-wayness into indistinguishability
• Goldreich-Levin: an advantage in guessing the inner product bit is translated into a list of at most √ candidates for m given E(m). Can use to invert E(m) with probability at least √
• If (= upper bound on inverting E) is negligible we get semantic security

Basic Transformations (cont.)
Direct Product
• Choose k independent public/private key pairs
• The encryption E^k of m is k independent encryptions E(m), E(m), …, E(m)
• Decryption is by plurality
• Reverse effect to parallel repetition: both the legitimate recipient and the adversary can do better.
– The legitimate recipient gains more if ≪

Combining the Basic Transformations
• Best way of combining depends on the values of and . Example, well separated constants:

Transformation                 Correctness            One-Wayness
Starting Point
O(log n) parallel-repetition   1/n                    1/n^8
Inner Product                  1/2 + 1/(2n)           1/2 + O(1/n^4)
O(n^3) direct product          1 - 2^{-5n}            1/2 + O(1/n)
n parallel-repetition          1 - n·2^{-5n}          neg
Inner Product                  1 - (n/2)·2^{-5n}      IND-CPA

Using the Random Oracles Methodology
• Let (G,E,D) be an -correct scheme that is one-way: for a random message m and random encryption, the probability that the adversary retrieves m is negligible
• If is negligible, can transform (G,E,D) directly and very efficiently to a full fledged NM-CCA-post scheme.

The construction
• E is an -correct -oneway scheme for negligible
• H1, H2, H3, H4 are idealized random functions
• F_S is a shared-key encryption
Encryption of message m:
• Choose t ∈R {0,1}^{n/2}
• Compute z = H1(t), w = H2(z) ⊕ t and r = H3(z ◦ w). The encrypted message is (c1, c2):
– c1 = E_pk(z ◦ w, r)
– c2 = F_s(m) where s = H4(t)

Decryption of (c1, c2)
• Apply D to c1 and obtain candidates for z and w.
• Set t = H2(z) ⊕ w and r = H3(z ◦ w).
• Check that H1(t) = z and that for r = H3(z ◦ w) we have c1 = E(z ◦ w, r).
• Check, using s = H4(t), that c2 is a valid ciphertext under F_s.
• If any of the tests fails, output "invalid".
• Otherwise, output the decryption of c2 using s.

Why is it secure?
• Once t ∈ {0,1}^{n/2} has been chosen: unique ciphertext corresponding to it
• Once t ∈ {0,1}^{n/2} is known, easy to decrypt the ciphertext, even without access to sk.
• Security against chosen ciphertext attacks: follow the adversary's calls to H1.

Immunity against decryption errors
• Decryption errors have NOT disappeared, but it is hard to find them.
• Partition all strings c into those in the range of E and those not
– Depending on the existence of m and r such that c = E_pk(m, r).
• Consider a candidate ciphertext (c1, c2) given to D':
• If c1 is not in the range of E, then it is going to be rejected by D'
• Security rests on the hardness of finding among the bad pairs (z ◦ w, r) one where
– r = H3(z ◦ w)
– H1(H2(z) ⊕ w) = z
• This is difficult for any fixed sparse set of bad pairs and a random set of functions H1, H2, H3
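The random-oracle construction E'/D' of the previous two slides as a constructed toy, added here and not the paper's own code: H1..H4 are modelled by domain-separated SHA-256, F_s is a keystream XOR plus a MAC so that "valid ciphertext under F_s" is a checkable condition, the base scheme E/D is a symmetric stand-in (not a real public-key scheme) that is deterministic in (x, r) and whose decryption errs on a constructed set of bad coin strings, and n/2 = 64 bits. The test shows that a mauled c1 or c2 is rejected, and that a base-scheme decryption error surfaces as "invalid" rather than as a wrong plaintext, because the consistency check re-encrypts the candidate z ◦ w.

```python
import hashlib, os

HALF = 8               # |t| = |z| = |w| = n/2 = 64 bits in this toy
PK = SK = b"toy-key"   # placeholder keys: the base-scheme stand-in below is symmetric
BAD_COINS = set()      # constructed "bad random strings" r on which base decryption errs

def H(tag, *parts):
    """H1..H4, E and F_s are all built from domain-separated SHA-256 (idealized-RO assumption)."""
    return hashlib.sha256(tag + b"|".join(parts)).digest()

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def H1(t): return H(b"H1", t)[:HALF]
def H2(z): return H(b"H2", z)[:HALF]
def H3(zw): return H(b"H3", zw)[:HALF]
def H4(t): return H(b"H4", t)

def E(pk, x, r):   # base E_pk(x, r): deterministic in (x, r), which D' needs for re-encryption
    return (r, xor(x, H(b"E", pk, r)))

def D(sk, c):      # base D: errs (corrupts the first byte) exactly when the coins r are bad
    r, ct = c
    x = xor(ct, H(b"E", sk, r))
    return xor(x, b"\x01" + b"\x00" * (len(x) - 1)) if r in BAD_COINS else x

def F_enc(s, m):   # shared-key F_s: keystream XOR plus MAC, so validity is checkable (|m| <= 32)
    ct = xor(m, H(b"F", s, len(m).to_bytes(2, "big")))
    return (ct, H(b"mac", s, ct))

def E_prime(pk, m, t=None):
    t = t if t is not None else os.urandom(HALF)
    z = H1(t); w = xor(H2(z), t); zw = z + w; r = H3(zw)
    return (E(pk, zw, r), F_enc(H4(t), m))   # (c1, c2)

def D_prime(sk, c):
    c1, (ct, tag) = c
    zw = D(sk, c1); z, w = zw[:HALF], zw[HALF:]   # candidates for z and w
    t = xor(H2(z), w); r = H3(zw)
    if H1(t) != z or E(PK, zw, r) != c1:   # consistency: candidate must re-encrypt to c1
        return None                        # "invalid"
    s = H4(t)
    if H(b"mac", s, ct) != tag:            # c2 must be a valid ciphertext under F_s
        return None
    return xor(ct, H(b"F", s, len(ct).to_bytes(2, "big")))
```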


Concluding Remarks
• When decryption errors are very rare, they can be avoided almost for free.
• Can immunize even very weak schemes against decryption errors
• Life is (as usual) relatively easy with random oracles
• Open problem: handle arbitrary − > 1/poly
– Seems hard even in the (cleaner) statistical setting
