Post on 18-Dec-2015
Immunizing Encryption Schemes from Decryption Errors
Cynthia Dwork, Moni Naor, Omer Reingold
Weizmann Institute of Science / Microsoft Research
Public-Key Encryption Scheme
A triple (G,E,D) such that:
• G generates: public key KP & secret key KS
• Encrypting message m (w/ public key KP & random coins r):
c = E(KP, m, r)
• Decrypting ciphertext c = E(KP, m, r) (w/ secret key KS):
D(KS, E(KP, m, r)) = m
Correctness: should this hold always (perfect correctness), or only with high probability?
What About Decryption Errors?
• Goldwasser and Micali 84: required perfect correctness
• Two examples with imperfect correctness:
– Ajtai-Dwork 97 (errors can be avoided [GGH97])
– NTRU
• Is a low probability of error merely an aesthetic nuisance?
• Proos 03: chosen ciphertext attack on a version of NTRU that was supposed to be immune to such attacks
– Used the small probability of error of NTRU
• In general: perfect security is vital for (current methods of) protecting against CCA (CCA = Chosen Ciphertext Attacks)
Non-Malleability and Immunity to CCA
• Add redundancy and prove consistency [NY90, DDN91, …]
– Knowing any of multiple private keys is sufficient for decryption
– Indistinguishable to the attacker which key you know
• Problem: what if there are errors?
– You prove consistency with what?
– The proof may fail or be meaningless
– May reveal which key you know
• In an adversarial setting: the low-probability event may be amplified by the attacker
[Figure: E1(M), E2(M) and a proof of consistency]
This Work
• When decryption errors are very infrequent: an extremely efficient way to get perfect correctness.
• Amplification methods for handling frequent errors, even when the encryption scheme is only weakly one-way.
• Conclude: error-prone encryption schemes can be turned non-malleable and CCA2-secure
– if proofs of consistency are available
• Efficient 'direct' solution using the random-oracle methodology.
Notion of Correctness
• Perfectly correct: for every private/public key pair KS, KP and every possible m and r,
D(KS, E(KP, m, r)) = m
• -correct:
Pr[D(KS, E(KP, m, r)) = m] ≥
– prob. over KS, KP, m and r
• Almost all keys perfectly correct:
– w/ probability ≥ 1 - negligible over KS, KP, for all m and r
D(KS, E(KP, m, r)) = m
– sufficient to plug into standard constructions!
Infrequent Errors
• Let (G,E,D) be a (1 - 2^{-4n})-correct scheme
– Assume ℓ(n) random bits are used to encrypt an n-bit message.
• Let g: {0,1}^n → {0,1}^{ℓ(n)} be a pseudo-random generator
• Define (G',E',D'):
– G' outputs a pair KS, KP as well as ρ ∈_R {0,1}^{ℓ(n)}
• Public key (KP, ρ)
– To encrypt m, choose t ∈_R {0,1}^n and evaluate E(KP, m, ρ ⊕ g(t))
– Decryption D' is the same as D
Security and Correctness of New Scheme
• Claim: the type of security (semantic or non-malleable) under each type of attack (CPA, CCA) is preserved.
Proof: for any fixed ρ, the random string actually used, ρ ⊕ g(t), is indistinguishable from random.
• Theorem: if (G,E,D) is a (1 - 2^{-4n})-correct scheme then (G',E',D') is almost-all-keys perfectly correct.
Proof:
– With overwhelming probability over ρ, the set {ρ ⊕ g(t)} avoids all the bad random strings …
– Similar technique in:
• Lautemann's BPP in PH
• Bit commitment from pseudo-randomness (Naor)
• Zaps and Apps (Dwork-Naor)
Error Disappearance
• With probability at least 1 - 2^{-n} over the choice of KS, KP:
Pr_{m,r}[D(KS, E(KP, m, r)) ≠ m] ≤ 2^{-3n}
• For such "good" KS, KP, since ρ ∈_R {0,1}^{ℓ(n)}:
Pr_{m,t,ρ}[D(KS, E(KP, m, ρ ⊕ g(t))) ≠ m] ≤ 2^{-3n}
• Small enough to use a union bound over all t, m ∈ {0,1}^n. Get: with probability at least 1 - 2^{-(n-1)} over the choice of KS, KP and ρ, for all t, m ∈ {0,1}^n
D(KS, E(KP, m, ρ ⊕ g(t))) = m
• This effectively pushes all the errors into ρ, which is part of the public key
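The derandomisation above, simulated end to end as an added example (this is not code from the paper or the slides). It assumes a toy base scheme with a constructed sparse set of "bad" random strings on which decryption fails, a SHA-256 stand-in for the pseudo-random generator g, and that the slide's "ρ g(t)" combines ρ and g(t) by XOR; a single symmetric key stands in for (KP, KS), since the correctness argument does not depend on asymmetry. For a given ρ it enumerates every (t, m) pair, which is exactly the event the union bound is about, and shows that the base scheme's per-encryption error turns into a rare property of the public-key component ρ.

```python
import functools
import hashlib

# Toy parameters: n-bit messages and ell(n)-bit coins, small enough to enumerate all t and m.
N = 4
ELL = 16
BAD_LOW_BITS = 12  # constructed: coins r are "bad" iff their low 12 bits are zero (a 2^-12 fraction)


def is_bad(r: int) -> bool:
    """Constructed sparse set of coins on which the toy decryption fails (plays 2^-3n with n = 4)."""
    return r & ((1 << BAD_LOW_BITS) - 1) == 0


@functools.lru_cache(maxsize=None)
def mask(key: bytes, r: int) -> int:
    """Toy keyed mask F_key(r), truncated to N bits; stands in for the real scheme's internals."""
    digest = hashlib.sha256(key + r.to_bytes(ELL // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << N) - 1)


# Toy base scheme (G,E,D).  One key plays both KP and KS.  By construction it is (1 - 2^-12)-correct.
def G(seed: bytes) -> bytes:
    return hashlib.sha256(b"toy-key|" + seed).digest()[:16]


def E(key: bytes, m: int, r: int) -> tuple:
    return (r, m ^ mask(key, r))


def D(key: bytes, c: tuple) -> int:
    r, body = c
    m = body ^ mask(key, r)
    return m ^ 1 if is_bad(r) else m  # constructed decryption error: wrong plaintext on bad coins


def g(t: int) -> int:
    """Toy pseudo-random generator g: {0,1}^N -> {0,1}^ELL (SHA-256 truncated)."""
    digest = hashlib.sha256(b"toy-prg|" + t.to_bytes(1, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - ELL)


def sample_rho(label: bytes, i: int) -> int:
    """Deterministic stand-in for rho <-_R {0,1}^ELL, so runs are reproducible."""
    digest = hashlib.sha256(label + b"|" + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - ELL)


# Transformed scheme (G',E',D'): rho joins the public key and the coins become rho XOR g(t).
def G_prime(seed: bytes) -> tuple:
    return G(seed), sample_rho(b"toy-rho", int.from_bytes(seed[:4].ljust(4, b"\0"), "big"))


def E_prime(key: bytes, rho: int, m: int, t: int) -> tuple:
    return E(key, m, rho ^ g(t))  # assumption: the slide's "rho g(t)" is XOR


D_prime = D  # decryption is unchanged, exactly as the slide says


def base_error_rate(key: bytes) -> float:
    """Exact fraction of (m, r) pairs on which D(E(m, r)) != m, by enumerating all of them."""
    errors = sum(D(key, E(key, m, r)) != m for r in range(1 << ELL) for m in range(1 << N))
    return errors / (1 << (N + ELL))


def rho_is_perfect(key: bytes, rho: int) -> bool:
    """True iff D' is correct for EVERY t and m under this rho: the union-bound event."""
    return all(D_prime(key, E_prime(key, rho, m, t)) == m
               for t in range(1 << N) for m in range(1 << N))


def bad_rho_fraction(key: bytes, trials: int) -> float:
    """Sampled fraction of rho values that are not perfect; bounded by 2^N * 2^-12 = 1/256 here."""
    return sum(not rho_is_perfect(key, sample_rho(b"toy-sample", i)) for i in range(trials)) / trials


def find_perfect_rho(key: bytes) -> int:
    """Rejection-sample rho until it is perfect; succeeds almost immediately since almost all are."""
    i = 0
    while not rho_is_perfect(key, sample_rho(b"toy-find", i)):
        i += 1
    return sample_rho(b"toy-find", i)


if __name__ == "__main__":
    key, rho = G_prime(b"demo")
    print("base scheme error rate over (m, r):", base_error_rate(key))
    print("fraction of imperfect rho (300 samples):", bad_rho_fraction(key, 300))
    print("this public key's rho is perfect:", rho_is_perfect(key, rho))
```

With N = 4 and a 2^-12 bad set the base scheme errs on exactly a 2^-12 fraction of encryptions, while at most 2^N · 2^-12 = 1/256 of all ρ values are imperfect; for every perfect ρ, D' is never wrong, which is the sense in which the errors have been pushed into the public key. The sampled fraction of imperfect ρ comes out well below that bound.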
Immunizing Weak Encryption Schemes
• What about a smaller correctness probability?
• Easy: simple repetition reduces error (semantic security and non-malleability are preserved).
• What if the adversary has a non-negligible probability of decrypting (i.e. the scheme is only weakly one-way)?
– Cannot reduce error by simple repetition!
• Question: how do we go from an -correct -oneway cryptosystem (correctness probability larger than the adversary's) to an almost-all-keys perfectly correct one?
[Figure: Alice, Bob and Eve]
Natural Approach
• Use error-correcting codes that can be decoded from the fraction of correct symbols the legitimate recipient gets, but not from the smaller fraction the adversary gets.
• This approach works in the information-theoretic setting, but is much more subtle in the computational setting!
– Reason: Eve may get more than just a fraction of the symbols, but rather some information about each symbol
• Example: Eve gets a list decoding
[Figure: Alice, Bob and Eve]
Other Information-Theoretic Tools
Polarization in the statistical setting
• Sahai-Vadhan 97: given a pair of distributions X0, X1, create two new ones Y0, Y1 such that
– if Dist(X0,X1) ≤ threshold then Dist(Y0,Y1) is exponentially small
– if Dist(X0,X1) ≥ threshold then Dist(Y0,Y1) is exponentially close to 1
• Relation to error reduction: assume an -correct -oneway one-bit encryption scheme
– X0: encryption of 0; X1: encryption of 1
– Bob can distinguish X0 from X1 with advantage ≥ ’
– Eve cannot distinguish X0 from X1 with advantage ≤ ’
– The strengthened encryption scheme defines Y0, Y1 with polarized "distances"
New Results
• Provide a collection of basic transformations for amplification.
– Related to [SV97].
– Life is somewhat harder in the computational setting …
• Starting with an -correct -oneway cryptosystem, obtain an almost-all-keys perfectly correct one, and then (by the previous results) CCA security and non-malleability
• Relation between the correctness and one-wayness parameters (for which the transformation works):
– Constant decryption errors: for any correctness probability < 1 there is a one-wayness bound ≪ 1
– Very frequent decryption errors: for any correctness probability > 1/poly and one-wayness bound < (correctness)^4/const
• Open: show the same for every gap (correctness minus one-wayness) > 1/poly
– Likely to imply a similar improvement for the statistical case.
Basic Transformations
Parallel Repetition
• Repeat everything k times:
– Choose k independent public/private key pairs
– The encryption E^k of a k-tuple m = (m1, m2, …, mk) is
E^k(m) = E(m1), E(m2), …, E(mk)
• Bad news: the probability that a random m is decrypted correctly by the legitimate recipient is the k-th power of the single-copy correctness probability
• Good news: the probability of adversarial decryption:
– Would like it to be the k-th power of the single-copy adversarial probability
– Can view it as a three-round game; [BIN97] deals with such games
– Gets us "close to that": roughly the (k/c)-th power
• The adversary is hurt more if ≪
The three-round game:
V: choose (kp, ks, m); send (kp, E_kp(m))
P: sends m'
V: send (m, ks)
P wins if m' = m
Basic Transformations (cont.)
Hard-Core Bit
• The encryption of a bit b is (E(m), r, r·m ⊕ b), where m is a random message
• Usage: turning one-wayness into indistinguishability
• Goldreich-Levin: an advantage in guessing the inner-product bit is translated into a list of at most √ candidates for m given E(m); this can be used to invert E(m) with probability at least √
• If the upper bound on inverting E is negligible we get semantic security
Basic Transformations (cont.)
Direct Product
• Choose k independent public/private key pairs
• The encryption E^k of m is k independent encryptions E(m), E(m), …, E(m)
• Decryption is by plurality
• Reverse effect to parallel repetition: both the legitimate recipient and the adversary can do better.
– The legitimate recipient gains more if ≪
Combining the Basic Transformations
• The best way of combining depends on the values of the correctness and one-wayness parameters. Example, well-separated constants:
Transformation                  Correctness             One-wayness
Starting point                  (constant)              (constant)
O(log n) parallel repetition    1/n                     1/n^8
Inner product                   1/2 + 1/(2n)            1/2 + O(1/n^4)
O(n^3) direct product           1 - 2^{-5n}             1/2 + O(1/n)
n parallel repetition           1 - n·2^{-5n}           neg
Inner product                   1 - (n/2)·2^{-5n}       IND-CPA
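To make the correctness column of this table concrete, here is an added Python example (not from the paper) that computes, for one-bit messages, the exact correctness after k-fold parallel repetition (every copy must decrypt) and after k-fold direct product with plurality decoding, which for a single bit is majority vote; `alpha` is my name for the single-copy correctness probability. Only the correctness side is reproduced: bounding the adversary after these transformations is the three-round-game argument of [BIN97], not a computation.

```python
from math import comb


def parallel_repetition_correctness(alpha: float, k: int) -> float:
    """k independent keys and k independent messages: all k copies must decrypt correctly."""
    return alpha ** k


def direct_product_error(alpha: float, k: int) -> float:
    """Error of majority decoding of k independent encryptions of the same bit, each copy
    decrypting correctly with probability alpha.  The lower binomial tail is summed directly
    rather than as 1 - (upper tail), so tiny error values are not lost to cancellation."""
    if k % 2 == 0:
        raise ValueError("use an odd k so that the majority is always defined")
    return sum(comb(k, i) * alpha ** i * (1 - alpha) ** (k - i) for i in range(k // 2 + 1))


def direct_product_correctness(alpha: float, k: int) -> float:
    return 1.0 - direct_product_error(alpha, k)


def copies_needed(alpha: float, target_error: float) -> int:
    """Smallest odd k for which majority decoding of k copies has error <= target_error.
    This is the O(n^3) direct-product step of the table, instantiated numerically."""
    if not 0.5 < alpha <= 1.0:
        raise ValueError("majority decoding only amplifies when alpha > 1/2")
    k = 1
    while direct_product_error(alpha, k) > target_error:
        k += 2
    return k


if __name__ == "__main__":
    n = 4
    alpha = 0.5 + 1 / (2 * n)  # the table's correctness after the first inner-product step, for n = 4
    k = copies_needed(alpha, 2.0 ** (-5 * n))
    print(f"alpha = {alpha}: {k} copies reach error <= 2^-{5 * n}")
    print("k  parallel-repetition  direct-product (majority)")
    for kk in (1, 3, 11, 101):
        print(kk, parallel_repetition_correctness(alpha, kk), direct_product_correctness(alpha, kk))
```

The two transformations pull in opposite directions, as the slides say: parallel repetition drives the legitimate recipient's success down as alpha^k, while majority decoding of the direct product drives it up towards 1 as long as alpha exceeds 1/2, which is why the table alternates between them.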
Using the Random Oracle Methodology
• Let (G,E,D) be an -correct scheme that is -one-way:
for a random message m and a random encryption, the probability that the adversary retrieves m is negligible
• If the one-wayness bound is negligible, (G,E,D) can be transformed directly and very efficiently into a full-fledged NM-CCA-post scheme.
The Construction
• E is -correct and -oneway, with the one-wayness bound negligible
• H1, H2, H3, H4 are idealized random functions
• F_S is a shared-key encryption scheme
Encryption of message m:
• Choose t ∈_R {0,1}^{n/2}
• Compute z = H1(t), w = H2(z) ⊕ t and r = H3(z ◦ w). The encrypted message is (c1, c2):
– c1 = E_pk(z ◦ w, r)
– c2 = F_s(m) where s = H4(t)
Decryption of (c1, c2):
• Apply D to c1 and obtain candidates for z and w.
• Set t = H2(z) ⊕ w and r = H3(z ◦ w).
• Check that H1(t) = z and that for r = H3(z ◦ w) we have c1 = E(z ◦ w, r).
• Check, using s = H4(t), that c2 is a valid ciphertext under F_s.
• If any of the tests fails, output "invalid".
• Otherwise, output the decryption of c2 under F_s.
Why Is It Secure?
• Once t ∈ {0,1}^{n/2} has been chosen: there is a unique ciphertext corresponding to it
• Once t ∈ {0,1}^{n/2} is known, it is easy to decrypt the ciphertext, even without access to sk.
• Security against chosen ciphertext attacks: follow the adversary's calls to H1.
Immunity against decryption errors
• Decryption errors have NOT disappeared, but they are hard to find.
• Partition all strings c into those in the range of E and those not
– depending on the existence of m and r such that c = E_pk(m, r).
• Consider a candidate ciphertext (c1, c2) given to D':
• If c1 is not in the range of E, then it is going to be rejected by D'
• Security rests on the hardness of finding, among the bad pairs (z ◦ w, r), one where
– r = H3(z ◦ w), and
– H1(H2(z) ⊕ w) = z.
• This is difficult for any fixed sparse set of bad pairs and a random set of functions H1, H2, H3
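The random-oracle construction and its decryption checks, written out in Python as an added example (not the paper's code). The four oracles are modelled with domain-separated SHA-256; the base scheme E is a constructed toy in which a single 16-byte key plays both pk and sk and decryption fails on a sparse set of coins r, so decryption errors are present as on the slide; F_s is a toy encrypt-then-tag shared-key scheme, so that "c2 is a valid ciphertext under F_s" is something D' can actually check. It shows honest decryption, opening c2 from t alone without sk, and that both a tampered c1 and an honest encryption that happened to hit bad coins come back as "invalid" rather than as a wrong plaintext.

```python
import hashlib

HALF = 16          # n/2 bits in this toy: t, z and w are 16-bit values, z∘w is 32 bits
R_BITS = 32        # length of the coins r handed to E
S_BITS = 128       # length of the shared key s = H4(t)
BAD_LOW_BITS = 12  # constructed decryption error of the toy E: coins with 12 zero low bits (2^-12 fraction)


def H(label: bytes, data: bytes, nbits: int) -> int:
    """Idealised random oracle H_label -> {0,1}^nbits (toy: SHA-256 under a domain-separation label)."""
    digest = hashlib.sha256(label + b"|" + data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def i2b(x: int, nbits: int) -> bytes:
    return x.to_bytes(nbits // 8, "big")


# Toy base scheme E/D standing in for the real PKE.  One key plays pk and sk (the checks below
# do not depend on asymmetry).  E is deterministic in (m, r), which the re-encryption check needs.
def E(pk: bytes, m: int, r: int) -> tuple:
    return (r, m ^ H(b"E", pk + i2b(r, R_BITS), 2 * HALF))


def D(sk: bytes, c: tuple) -> int:
    r, body = c
    m = body ^ H(b"E", sk + i2b(r, R_BITS), 2 * HALF)
    return m ^ 1 if r & ((1 << BAD_LOW_BITS) - 1) == 0 else m  # constructed decryption error


# Toy shared-key scheme F_s: keystream XOR plus a tag over the ciphertext (messages up to 32 bytes).
def F_enc(s: int, m: bytes) -> tuple:
    ks = hashlib.sha256(b"F|ks|" + i2b(s, S_BITS)).digest()
    ct = bytes(a ^ b for a, b in zip(m, ks))
    tag = hashlib.sha256(b"F|tag|" + i2b(s, S_BITS) + ct).digest()[:8]
    return ct, tag


def F_dec(s: int, c2: tuple):
    ct, tag = c2
    if hashlib.sha256(b"F|tag|" + i2b(s, S_BITS) + ct).digest()[:8] != tag:
        return None  # not a valid ciphertext under F_s
    ks = hashlib.sha256(b"F|ks|" + i2b(s, S_BITS)).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


def derive(t: int) -> tuple:
    """z = H1(t), w = H2(z) XOR t, r = H3(z∘w), s = H4(t), as on the slide."""
    z = H(b"H1", i2b(t, HALF), HALF)
    w = H(b"H2", i2b(z, HALF), HALF) ^ t
    zw = (z << HALF) | w
    r = H(b"H3", i2b(zw, 2 * HALF), R_BITS)
    s = H(b"H4", i2b(t, HALF), S_BITS)
    return z, w, zw, r, s


def encrypt(pk: bytes, m: bytes, t: int) -> tuple:
    _, _, zw, r, s = derive(t)
    return E(pk, zw, r), F_enc(s, m)


def decrypt(sk: bytes, c: tuple):
    """D': the plaintext bytes, or None for 'invalid'."""
    c1, c2 = c
    zw = D(sk, c1)                                     # candidates for z and w
    z, w = zw >> HALF, zw & ((1 << HALF) - 1)
    t = H(b"H2", i2b(z, HALF), HALF) ^ w
    r = H(b"H3", i2b(zw, 2 * HALF), R_BITS)
    if H(b"H1", i2b(t, HALF), HALF) != z:              # check 1: H1(t) = z
        return None
    if E(sk, zw, r) != c1:                             # check 2: re-encryption (pk = sk in the toy)
        return None
    return F_dec(H(b"H4", i2b(t, HALF), S_BITS), c2)  # check 3 and the decryption of c2


def decrypt_knowing_t(t: int, c2: tuple):
    """Whoever knows t can open c2 without sk, as the slide observes."""
    return F_dec(derive(t)[4], c2)


def first_t_with(bad_coins: bool, start: int = 0):
    """First t >= start whose derived coins r fall (or do not fall) in the toy E's bad set."""
    for t in range(start, 1 << HALF):
        if (derive(t)[3] & ((1 << BAD_LOW_BITS) - 1) == 0) == bad_coins:
            return t
    return None


if __name__ == "__main__":
    PK = b"toy-public-key!!"  # constructed 16-byte key standing in for (pk, sk)
    t_good, t_bad = first_t_with(False), first_t_with(True)
    c = encrypt(PK, b"hello", t_good)
    print("honest decryption:", decrypt(PK, c))
    print("opened from t alone, no sk:", decrypt_knowing_t(t_good, c[1]))
    print("honest encryption on bad coins:", decrypt(PK, encrypt(PK, b"hello", t_bad)))
    (r, body), c2 = c
    print("tampered c1:", decrypt(PK, ((r, body ^ 1), c2)))
```

When the toy D returns a wrong candidate, because of bad coins or because c1 was altered, the recovered w is off, so the recomputed t and r no longer match H1 and the re-encryption, and D' answers "invalid". The error has not disappeared, exactly as the slide says, but a sender would have to find a t whose derived coins land in the bad set, and nothing in the ciphertext helps with that.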
Concluding Remarks
• When decryption errors are very rare, they can be avoided almost for free.
• Even very weak schemes can be immunized against decryption errors
• Life is (as usual) relatively easy with random oracles
• Open problem: handle an arbitrary gap (correctness minus one-wayness) > 1/poly
– Seems hard even in the (cleaner) statistical setting