Evolution of Proofs in Cryptography

Slide Note
Embed
Share

Cryptography has evolved from classical proofs to interactive and probabilistically checkable proofs, enabling the development of applications like Non-Malleable and Chosen-Ciphertext Secure Encryption Schemes. Non-Malleability protects against active attacks like malleability and chosen-ciphertext attacks, ensuring secure communication in the digital world. The concept of IND-CCA Security plays a crucial role in constructing CCA-Secure Encryption. NIZK Proofs of Knowledge are instrumental in enhancing security protocols.

ahmari
ahmari Follow

Uploaded on Sep 06, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. MIT 6.875 Foundations of Cryptography Lecture 17

  2. We saw: a NIZK for all of NP in the CRS model

  3. This was only the beginning Proofs vs. Arguments: Soundness against a computationally bounded prover. Why? 1. It allows us to get perfect zero knowledge for all of NP. Recall perfect ZK proofs do not exist for NP- complete languages, unless the polynomial hierarchy collapses. 2. It allows us to get very short proofs = succinct arguments or SNARGs.

  4. The Evolution of Proofs CLASSICAL Proofs Prover writes down a string (proof); Verifier checks. Complexity class NP INTERACTIVE Proofs Prover and Verifier talk back and forth. Complexity class IP = PSPACE >> NP Graph non-iso PROBABILISTICALLY CHECKABLE Proofs Non-interactive, but Verifier only looks at 3 bits of proof Complexity class NEXP >> PSPACE MULTIPROVER interactive proofs . Proofs in the Wild:

  5. An Application of NIZK: Non-malleable and Chosen Ciphertext Secure Encryption Schemes

  6. Non-Malleability m Dec(sk,c) c Enc(pk,m) sk Public-key directory pk Bob

  7. Active Attacks 1: Malleability c Enc(pk,$100) sk ATTACK: Adversary could modify ( maul ) an encryption of m into an encryption of a related message m .

  8. Active Attacks 2: Chosen-Ciphertext Attack c* Enc(pk,m) sk ATTACK: Adversary may have access to a decryption oracle and can use it to break security of a target ciphertext c* or even extract the secret key! In fact, Bleichenbacher showed how to extract the entire secret key given only a ciphertext verification oracle.

  9. IND-CCA Security Challenger Eve ?? ??,?? ??? 1? ?? ???(??,??) ,?1 = |?1 | ?0 ?.?. ?0 ) ? 0,1 ;? ???(??,?? ? ?? ?? ? ???(??,??) ???(??,??) Eve wins if ? = ?. IND-CCA secure if no PPT Eve can win with prob. > 1 2+ negl(?). ?

  10. Constructing CCA-Secure Encryption (Intuition) NIZK Proofs of Knowledge should help! Idea: The encrypting party attaches an NIZK proof of knowledge of the underlying message to the ciphertext. ?: (c = CPAEnc ?;? ,proof ? ?? ? ???? ? ??? ? ) This idea will turn out to be useful, but NIZK proofs themselves can be malleable!

  11. Constructing CCA-Secure Encryption (Intuition) Digital Signatures should help! OUR GOAL: Hard to modify an encryption of m into an encryption of a related message, say m+1. an encryption of a related message, say m+1. OUR GOAL: Hard to modify an encryption of m into

  12. Constructing CCA-Secure Encryption Let s start with Digital Signatures. ?: (c = CPAEnc ??,?;? ,???????? ,??) ?: (c = CPAEnc ??,?;? ,???? ? ) where the encryptor produces a signing / verification key pair by running ???,?? ????.???(1?) Is this CCA-secure/non-malleable? If the adversary changes ??, all bets are off! Lesson: NEED to tie the ciphertext c to ??in a meaningful way.

  13. Observation: IND-CPA Different-Key Non-malleability Different-Key NM: Given ??,?? ,CPAEnc ??,?;? , can an adversary produce CPAEnc ?? ,? + 1;? ? NO! Suppose she could. Then, I can come up with a reduction that breaks the IND-CPA security of CPAEnc ??,?;? .

  14. Observation: IND-CPA Different-Key Non-malleability Different-Key NM: Given ??,?? ,CPAEnc ??,?;? , can an adversary produce CPAEnc ?? ,? + 1;? ? Reduction = CPA adversary Pick (?? ,?? ) ?? ??,?? ??????(??,?) ??????(??,?) ??????(?? ,? + ?) ? Diff-Key NM adversary Decrypt and subtract 1.

  15. Putting it together CCA Public Key: ?? public keys of the CPA scheme ??1,0 ??1,1 ??2,1 (where ? = |??|) ??2,0 ???,0 ???,1 CCA Encryption: First, pick a sign/ver key pair (???,??) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?) Output (??,??,? = ????(???,??)).

  16. Putting it together Non-malleability rationale: Either Adversary keeps ?? the same (in which case she has to break the signature scheme); or She changes the ?? in which case she breaks the diff-NM game, and therefore CPA security. CCA Encryption: First, pick a sign/ver key pair (???,??) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?) Output (??,??,? = ????(???,??)).

  17. Call it a day? We are not done!! Adversary could create ill-formed ciphertexts (e.g. the different ??s encrypt different messages) and uses it for a Bleichenbacher-like attack. CCA Encryption: First, pick a sign/ver key pair (???,??) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?) Output (??,??,? = ????(???,??)).

  18. NIZK Proofs to the Rescue CCA Public Key: ?? public keys of the CPA scheme ??1,0 ??1,1 ??2,1 ??2,0 ???,0 ???,1 , ??? NP statement: there exist CCA Encryption: First, pick a sign/ver key pair (???,??) ?,??,? such that each ???,?= ??????(???,?,?;??,?) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?;??,?) = = NIZK proof that CT is well-formed Output (??,??,? = ????(???,??)). Output (??, ,??,? = ????(???, ??, )).

  19. Are there other attacks? Did we miss anything else? Turns out NO. We can prove that this is CCA-secure.

  20. The Encryption Scheme CCA Keys: ??1,0 ??1,1 ??1,0 ??1,1 ??2,0 ??2,1 ???,0 ???,1 , ??? PK= SK= CCA Encryption: First, pick a sign/ver key pair (???,??) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?;??,?) = NIZK proof that CT is well-formed Output (??, ,??,? = ????(???, ??, )).

  21. The Encryption Scheme CCA Encryption: First, pick a sign/ver key pair (???,??) ??1,??1??2,??2 ???,??? ?? = where ???,? ??????(???,?,?;??,?) = NIZK proof that CT is well-formed Output (??, ,??,? = ????(???, ??, )). CCA Decryption: Check the signature. Check the NIZK proof. Decrypt with ??1,??1.

  22. Proof Sketch Let s play the CCA game with the adversary. We will use her to break either the NIZK soundness/ZK, the signature scheme or the CPA-secure scheme.

  23. Proof Sketch Let s play the CCA game with the adversary. Hybrid 0: Play the CCA game as prescribed. Hybrid 1: Observe that ??? ?? . Observe that this means each query ciphertext-tuple involves a different public-key from the challenge ciphertext. Use the different private-key to decrypt. (If the adv sees a difference, she broke NIZK soundness) (Otherwise break signature) Hybrid 2: Now change the CRS/ into simulated CRS/ ! (OK by ZK) If the Adv wins in this hybrid, she breaks IND-CPA!

  24. Another Application of NIZK: Digital Signatures

  25. Bellare-Goldwasser Signatures Keys: VK= C: Commitment to K; NIZK CRS. SK= PRF seed K Signature of M: ? = ????(?) ????Proof of Correctness Verification: Check the NIZK Proof NP statement: there exist ?,? such that ? = ??? ?;? and ? = ????(?)

  26. Proof Sketch Let s play the EUF-CMA game with the adversary. Hybrid 0: Play the EUF-CMA game as prescribed. Hybrid 1: Change the verification algorithm (for the forged signature (? ,(? ,? ))) to also check that ? = ????(? ), in addition to the NIZK check. (Adv wins in H1 with essentially the same prob. as in H0; otherwise break NIZK soundness)

  27. Proof Sketch Let s play the EUF-CMA game with the adversary. Hybrid 0: Play the EUF-CMA game as prescribed. Hybrid 1: Change the verification algorithm (for the forged signature (? ,(? ,? ))) to also check that ? = ????(? ), in addition to the NIZK check. Hybrid 2: Change CRS to simulated CRS. To answer signature queries, use simulated NIZK proofs. (OK by Zero knowledge)

  28. Proof Sketch Let s play the EUF-CMA game with the adversary. Hybrid 0: Play the EUF-CMA game as prescribed. Hybrid 1: Change the verification algorithm (for the forged signature (? ,(? ,? ))) to also check that ? = ????(? ), in addition to the NIZK check. Hybrid 2: Change CRS to simulated CRS. To answer signature queries, use simulated NIZK proofs. Hybrid 3: LetC be a commitment to the 0string. (OK by commitment hiding)

  29. Proof Sketch Let s play the EUF-CMA game with the adversary. Hybrid 0: Play the EUF-CMA game as prescribed. Hybrid 1: Change the verification algorithm (for the forged signature (? ,(? ,? ))) to also check that ? = ????(? ), in addition to the NIZK check. Hybrid 2: Change CRS to simulated CRS. To answer signature queries, use simulated NIZK proofs. Hybrid 3: LetC be a commitment to the 0string. In hybrid 3, Adv is winning in the PRF game. (Contradiction by PRF security)

Related


Evolution of Proofs in Computer Science: Zero-Knowledge Proofs Overview

Evolution of Proofs in Computer Science: Zero-Knowledge Proofs Overview

cvesc
Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Exploring FAEST: Post-Quantum Signatures and Zero-Knowledge Proofs

Exploring FAEST: Post-Quantum Signatures and Zero-Knowledge Proofs

borys
Zero-Knowledge Proofs in Cryptography

Zero-Knowledge Proofs in Cryptography

jevo_89
Post-Quantum Cryptography Security Proofs and Models Overview

Post-Quantum Cryptography Security Proofs and Models Overview

siddhi
Foundations of Cryptography: MIT Course Overview and Key Concepts

Foundations of Cryptography: MIT Course Overview and Key Concepts

dherb
New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

antwu
Evolution of Proofs in Computer Science

Evolution of Proofs in Computer Science

larsen_a
Mathematical Proof Techniques and Examples

Mathematical Proof Techniques and Examples

harmone
Understanding Exhaustive Proofs and Proof by Cases in Discrete Math

Understanding Exhaustive Proofs and Proof by Cases in Discrete Math

oluwase
Quantum NIZK Proofs Explained with Dominique Unruh

Quantum NIZK Proofs Explained with Dominique Unruh

samanv
Challenges in Constant-Round Public-Coin Zero-Knowledge Proofs

Challenges in Constant-Round Public-Coin Zero-Knowledge Proofs

nstai
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

rago_a
Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

lott995
Understanding Indirect Proofs: Contradiction and Contraposition Examples

Understanding Indirect Proofs: Contradiction and Contraposition Examples

zaccai
Algebra and Geometry Reasoning: Concepts and Proofs

Algebra and Geometry Reasoning: Concepts and Proofs

dom_spa
Advancements in Interactive Proofs for Efficient Computation

Advancements in Interactive Proofs for Efficient Computation

nier630
Constant Round Interactive Proofs for Delegating Computations

Constant Round Interactive Proofs for Delegating Computations

dnils
Understanding Predicate Logic and Quantifiers for Symbolic Proofs

Understanding Predicate Logic and Quantifiers for Symbolic Proofs

mara_r
The Fascinating World of Cryptography

The Fascinating World of Cryptography

solveig

More Related Content