Immunizing Encryption Schemes from Decryption Errors Cynthia Dwork Moni Naor Omer Reingold Weizmann Institute of Science Microsoft Research

Post on 18-Dec-2015

Page 1

Immunizing Encryption Schemes from Decryption Errors

Cynthia Dwork, Moni Naor, Omer Reingold

Weizmann Institute of Science, Microsoft Research

Page 2

Public-Key Encryption Scheme

A triple (G,E,D) such that:

• G generates: public key KP & secret key KS

• Encrypting message m (w/ public key KP & random coins r):

c = E(KP, m, r)

• Decrypting ciphertext c=E(KP, m, r) (w/ secret key KS):

D(KS, E(KP, m, r)) = m

Correctness

Should this hold: Always? (perfect correctness) With high probability?

Page 3

What About Decryption Errors?

• Goldwasser and Micali 84: required perfect correctness
• Two examples with imperfect correctness:
  – Ajtai-Dwork 97 (errors can be avoided [GGH97])
  – NTRU
• Is low probability of error merely an aesthetic nuisance?
• Proos 03: Chosen ciphertext attack on a version of NTRU that was supposed to be immune to such attacks
  – Used the small probability of error of NTRU
• In general: perfect security is vital for (current methods of) protecting against CCA (CCA = Chosen Ciphertext Attacks)

Page 4

Non-Malleability and Immunity to CCA

• Add redundancy and prove consistency [NY90,DDN91…]
  – Knowing any of multiple private keys is sufficient for decryption
  – Indistinguishable to attacker which key you know
• Problem: what if there are errors:
  – you prove consistency with what?
  – proof may fail or be meaningless
  – reveal which key you know
• In an adversarial setting: the low probability event may be amplified by the attacker

[Figure: ciphertext made of E1(M), E2(M), Proof of consistency]

Page 5

This Work

• When decryption errors are very infrequent: extremely efficient way to get perfect correctness.
• Amplification methods for handling frequent errors, even when encryption scheme is only weakly one-way.
• Conclude: error-prone encryption schemes can be turned non-malleable, CCA2-secure.
  – If proofs of consistency are available
• Efficient 'direct' solution using the random-oracle methodology.

Page 6

Notion of Correctness

• Perfectly correct:
  private/public key pair KS, KP ; possible m and r
  D(KS, E(KP, m, r)) = m
• -correct:
  Pr[D(KS, E(KP, m, r)) = m] ≥
  – prob. over KS, KP, m and r
• Almost all keys perfectly correct:
  – w/ probability ≥ 1-negligible over KS, KP ; m and r
    D(KS, E(KP, m, r)) = m
  – sufficient to plug into standard constructions!

Page 7

Infrequent Errors

• Let (G,E,D) be an ≥ 1-2^{-4n} correct scheme
  – Assume ℓ(n) random bits to encrypt an n bit message.
• Let g: {0,1}^n {0,1}^{ℓ(n)} be a pseudo-random generator
• Define (G',E',D'):
  – G' outputs a pair KS, KP as well as ρ ∈_R {0,1}^{ℓ(n)}
    • Public key (KP, ρ)
  – To encrypt m choose t ∈_R {0,1}^n and evaluate
    E(KP, m, ρ g(t))
  – Decryption D' is the same as in D

Page 8

Security and Correctness of New Scheme

• Claim: Type of security (semantic or non-malleable) under type of attack (CPA, CCA) is preserved.
  Proof: For any fixed ρ the random string used ρ g(t) is indistinguishable from random
• Theorem: If (G,E,D) is an ≥ 1-2^{-4n}-correct scheme then (G',E',D') is almost-all-keys perfectly correct
  Proof:
  – With overwhelming prob. over ρ the set {ρ g(t)} avoids all the bad random strings …
  – Similar technique in:
    • Lautemann's BPP in PH
    • Bit commitment from p.r. (Naor)
    • Zaps and Apps (Dwork-Naor)

Page 9

Error Disappearance

• With probability at least 1-2^{-n} over the choice of KS,KP:
  Prob_{m,r} [D(KS, E(KP, m, r)) ≠ m] ≤ 2^{-3n}
• For such "good" KS, KP, since ρ ∈_R {0,1}^{ℓ(n)}
  Prob_{m,t,ρ} [D(KS, E(KP, m, ρ g(t))) ≠ m] ≤ 2^{-3n}
• Small enough to use union bound over all t,m ∈ {0,1}^n
  Get: With probability at least 1-2^{-(n-1)} over the choice of KS,KP and ρ have that t,m ∈ {0,1}^n
  D(KS, E(KP, m, ρ g(t))) = m
• This effectively pushes all the errors into ρ which is part of the public key
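
The (G',E',D') transformation at toy scale, as an added example that is not from the slides or the authors: a constructed stand-in scheme (one key plays both KP and KS, so it models correctness only) whose coins fail with density 2^-40, with SHA-256 standing in for g. It assumes ρ and g(t) are combined by bitwise XOR, since the operator does not survive in this transcript; `bad_prefix`, `count_errors` and `demo` are illustrative names.

```python
import hashlib

N, L = 1, 6  # toy sizes in bytes: n = 8-bit messages/seeds, l(n) = 48-bit coins

def H(tag, *parts):
    return hashlib.sha256(tag + b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def bad_prefix(key, m):
    # Constructed error model: coins starting with these 5 bytes break decryption of m.
    return H(b"bad", key, m)[:5]

def E(key, m, r):
    body = xor(m, H(b"pad", key, r)[:N])
    if r[:5] == bad_prefix(key, m):      # error density 2^-40, below the 2^-3n = 2^-24 bound
        body = xor(body, b"\xff" * N)    # ciphertext that decrypts to the wrong message
    return r + body

def D(key, c):
    r, body = c[:L], c[L:]
    return xor(body, H(b"pad", key, r)[:N])

def g(t):
    # Stand-in pseudo-random generator from n bits to l(n) bits (assumption: SHA-256).
    return H(b"prg", t)[:L]

def E_prime(key, rho, m, t):
    # E' spends only n fresh random bits t; rho is fixed once, in the public key.
    return E(key, m, xor(rho, g(t)))

def count_errors(key, rho):
    # Exhaustive check of D(E'(m; t)) = m over every seed t and message m (2^16 pairs).
    errs = 0
    for t in range(256):
        for m in range(256):
            tb, mb = bytes([t]), bytes([m])
            errs += D(key, E_prime(key, rho, mb, tb)) != mb
    return errs

def demo():
    key = b"constructed-toy-key"                      # constructed sample key
    m0, t0 = b"\x2a", b"\x07"
    bad_r = bad_prefix(key, m0) + b"\x00"             # a coin string on which E errs
    plain_fails = D(key, E(key, m0, bad_r)) != m0     # the original scheme has errors
    rho = H(b"rho", b"constructed sample")[:L]        # stands in for a random rho
    rho_unlucky = xor(bad_r, g(t0))                   # rho for which seed t0 hits bad_r
    return plain_fails, count_errors(key, rho), count_errors(key, rho_unlucky)

if __name__ == "__main__":
    print(demo())
```

The unlucky ρ is built from a known bad coin string, which shows where the errors went: they now depend only on the one-time choice of ρ, not on the sender's per-message randomness.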

Page 10

Immunizing Weak Encryption Schemes

• What about smaller ?
• Easy: simple repetition reduces error (semantic security and non-malleability are preserved).
• What if the adversary has a non-negligible probability of decrypting (i.e. the scheme is only weakly one-way)?
  – Cannot reduce error by simple repetition!
• Question: How do we go from an -correct -oneway cryptosystem (>) to an almost-all-keys perfectly correct one?

[Figure: Alice, Bob, Eve]

Page 11

Natural Approach

• Use error correcting codes that can be decoded from an -fraction of correct symbols, but not from a -fraction.
• This approach works in the information theoretic setting, much more subtle in the computational setting!
  – Reason: Eve may get more than just -fraction of symbols, but rather some information about each symbol
    • Example: Eve gets a list decoding

[Figure: Alice, Bob, Eve]

Page 12

Other Information-Theoretic Tools

Polarization in the statistical setting

Sahai-Vadhan 97: given a pair of distributions X0, X1 create two new ones Y0, Y1 such that if
• Dist(X0,X1) ≤ threshold ’ Dist(Y0,Y1) exp. small
• Dist(X0,X1) ≥ threshold ’ Dist(Y0,Y1) exp. close to 1

Relation to error reduction: assume -correct -oneway one-bit encryption scheme
– X0 an encryption of 0 and X1 an encryption of 1
– Bob can distinguish X0 from X1 with advantage ≥ ’
– Eve cannot distinguish X0 from X1 with advantage ≤ ’
– Strengthened encryption scheme defines Y0, Y1 with polarized "distances"

Page 13

New Results

• Provide a collection of basic transformations, for amplification.
  – Related to [SV97].
  – Life is somewhat harder in the computational setting …
• Starting with an -correct -oneway cryptosystem an almost-all-keys perfectly correct one (previous results) CCA and non-malleability
• Relation between and (for which the transformation works):
  – Constant decryption errors: for any < 1 there is an <<1
  – Very frequent decryption errors: for any > 1/poly and < 4/const
• Open: show the same for every - > 1/poly
  – Likely to imply similar improvement for the statistical case.

Page 14

Basic Transformations

Parallel Repetition
• repeat everything k times:
  – Choose k independent public/private key pairs
  – the encryption Ek of a k-tuple m=(m1, m2,…mk) is
    Ek(m)=E(m1), E(m2),…, E(mk)
• Bad news: probability of legitimate encryption for a random m is k
• Good news: probability of adversarial encryption:
  – Would like it to be k
  – Can view it as a three round game
  – [BIN 97] deals with such games, gets us "close to that" ≈ k/c
• The adversary is hurt more if ‹‹

Three round game (figure):

V: choose (kp, ks,m)

Send (kp Ep(m))

P: sends m'

V: Send (m,ks )

P wins if m'=m

Page 15

Basic Transformations (cont.)

Hard-Core Bit
• The encryption of a bit b is (E(m), r, r·m ⊕ b) where m is a random message
• Usage: turning one-wayness into indistinguishability

Goldreich-Levin: an advantage in guessing the inner product bit is translated into a list of at most √ candidates for m given E(m)

Can use to invert E(m) with probability at least √

If (=upper bound on inverting E) is negligible we get semantic security

Page 16

Basic Transformations (cont.)

Direct Product
• Choose k independent public/private key pairs
• The encryption Ek of m is k independent encryptions E(m), E(m),…, E(m)
• Decryption is by plurality
• Reverse effect to parallel repetition: both legitimate recipient and the adversary can do better.
  – The legitimate recipient gains more if ‹‹

Page 17

Combining the Basic Transformations

• Best way of combining depends on values of and . Example, well separated constants:

Transformation                  Correctness            One-Wayness
Starting Point
O(log n) parallel-repetition    1/n                    1/n^8
Inner Product                   1/2 + 1/(2n)           1/2 + O(1/n^4)
O(n^3) direct product           1 - 2^{-5n}            1/2 + O(1/n)
n parallel-repetition           1 - n·2^{-5n}          neg
Inner Product                   1 - (n/2)·2^{-5n}      IND-CPA

Page 18

Using the Random Oracles Methodology

• Let (G,E,D) be an -correct scheme that is one-way
  For random message m and random encryption: probability adversary retrieves m is negligible
• If is negligible, can transform (G,E,D) directly and very efficiently to a full fledged NM-CCA-post scheme.

Page 19

The construction

• E is an -correct -oneway for negligible ,
• H1, H2, H3, H4 be idealized random functions
• FS a shared-key encryption

Encryption of message m:
• Choose t ∈_R {0,1}^{n/2}
• Compute z=H1(t), w=H2(z) ⊕ t and r=H3(z ◦ w). The encrypted message is (c1,c2):
  – c1 = Epk(z ◦ w, r)
  – c2 = FS(m) where s=H4(t)

Decryption of (c1,c2)
• Apply D to c1 and obtain candidates for z and w.
• Set t=H2(z) ⊕ w and r = H3(z ◦ w).
• Check that H1(t) = z and that for r = H3(z ◦ w) we have that c1=E(z ◦ w,r).
• Check, using s=H4(t), that c2 is a valid ciphertext under Fs.
• If any of the tests fails, output "invalid".
• Otherwise, output Fs(c2) - the decryption of c2 using s.

Page 20

Why is it secure?

• Once t ∈ {0,1}^{n/2} has been chosen: unique ciphertext corresponding to it
• Once t ∈ {0,1}^{n/2} is known, easy to decrypt ciphertext, even without access to sk.
• Security against chosen ciphertext attacks – follow the adversary calls to H1.

Immunity against decryption errors
• Decryption errors have NOT disappeared, but hard to find them.
• Partition all strings c into those in the range of E and those not
  – Depending on the existence of m and r such that c = Epk(m,r).
• Consider a candidate ciphertext (c1,c2) given to D':
• If c1 is not in the range of E, then it is going to be rejected by D'
• Security rests on the hardness of finding among the bad pairs z ◦ w, r one where
  – r = H3(z ◦ w).
  – H1(H2(z) ⊕ w) = z.
• This is difficult for any fixed sparse set of bad pairs and a random set of functions H1, H2, H3

Encryption of message m:
• Choose t ∈_R {0,1}^{n/2} and compute
  z = H1(t),
  w = H2(z) ⊕ t,
  r = H3(z ◦ w).

The encrypted message is (c1,c2):
  – c1 = Epk(z ◦ w, r)
  – c2 = FS(m) where s=H4(t)
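
The construction and the checks performed by D', as an added example that is not from the slides or the authors. Everything concrete is an assumption made for illustration: toy ElGamal modulo 2^521 - 1 stands in for E, domain-separated SHAKE-256 for H1..H4, a keystream plus HMAC for Fs, and n/2 is 128 bits.

```python
import hashlib, hmac, secrets

P, G = 2**521 - 1, 3   # toy ElGamal group (Mersenne prime); illustration only
HALF = 16              # toy n/2 = 128 bits

def H(i, data, n=HALF):
    # H1..H4 modelled by domain-separated SHAKE-256 (stand-in for random oracles)
    return hashlib.shake_256(bytes([i]) + data).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def E(pk, msg, r):
    # Deterministic once the coins r are fixed, so the receiver can re-encrypt
    k = int.from_bytes(r, "big") % (P - 1)
    return pow(G, k, P), int.from_bytes(msg, "big") * pow(pk, k, P) % P

def D(sk, c1):
    m = c1[1] * pow(c1[0], P - 1 - sk, P) % P
    return m.to_bytes(66, "big")[-2 * HALF:]

def F_enc(s, m):
    # Shared-key scheme Fs: SHAKE keystream plus HMAC tag (toy encrypt-then-MAC)
    body = xor(m, hashlib.shake_256(b"enc" + s).digest(len(m)))
    return body + hmac.new(b"mac" + s, body, "sha256").digest()

def F_dec(s, c2):
    body, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + s, body, "sha256").digest()):
        return None
    return xor(body, hashlib.shake_256(b"enc" + s).digest(len(body)))

def encrypt(pk, m, t=None):
    t = secrets.token_bytes(HALF) if t is None else t   # t chosen at random
    z = H(1, t)
    w = xor(H(2, z), t)
    return E(pk, z + w, H(3, z + w, 66)), F_enc(H(4, t), m)

def decrypt(pk, sk, c):
    c1, c2 = c
    zw = D(sk, c1)                            # candidates for z and w
    z, w = zw[:HALF], zw[HALF:]
    t = xor(H(2, z), w)
    if H(1, t) != z or E(pk, zw, H(3, zw, 66)) != c1:
        return None                           # "invalid": c1 is not the ciphertext fixed by t
    return F_dec(H(4, t), c2)                 # None if c2 is not valid under Fs
```

Because c1 is fully determined by t, any c1 that D' accepts is one the sender could only have produced by querying H1 on t, which is the property the chosen-ciphertext argument relies on.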

Page 21

Concluding Remarks

• When decryption errors are very rare, they can be avoided almost for free.

• Can immunize even very weak schemes against decryption errors

• Life is (as usual) relatively easy with random oracles

• Open problem: handle arbitrary - > 1/poly
  – Seems hard even in the (cleaner) statistical setting