Relations Among Notions of Security for Public-Key Encryption Schemes

M. Bellare

y

A. Desai

z

D. Pointcheval

x

P. Rogaway

June 2001

Abstract

We compare the relative strengths of popular notions of security for public-key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen-plaintext attack and two kinds of chosen-ciphertext attack. For each of the resulting pairs of de nitions we prove either an implication (every scheme meeting one notion must meet the other) or a separation (there is a scheme meeting one notion but not the other, assuming the rst notion can be met at all). We similarly treat plaintext awareness, a notion of security in the randomoracle model. An additional contribution of this paper is a new de nition of non-malleability which we believe is simpler than the previous one.

Asymmetric encryption, Chosen ciphertext security, Non-malleability, RackoSimon attack, Plaintext awareness, Relations among de nitions. Keywords:

Dept.

of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-Mail: [email protected] URL: http://www-cse.ucsd.edu/users/mihir =. Supported in part by NSF CAREER Award CCR-9624439 and a 1996 Packard Foundation Fellowship in Science and Engineering. yNTT Multimedia Communications Laboratories, 250 Cambridge Avenue, Suite 300, Palo Alto, CA 94306. Email: [email protected] Work done while author was at UCSD, supported in part by the above-mentioned grants of the rst author. zLaboratoire d'Informatique de l'Ecole Normale Superieure, 45 rue d'Ulm, F { 75230 Paris Cedex 05. E-mail: [email protected] URL: http://www.dmi.ens.fr/~pointche/. xDept. of Computer Science, Engineering II Bldg., One Shields Avenue, University of California at Davis, Davis, CA 95616, USA. E-mail: [email protected] URL: http://www.cs.ucdavis.edu/~rogaway/. Supported by NSF CAREER Award CCR-9624560 and a MICRO grant from RSA Data Security, Inc..

Contents 1 Introduction 1.1 1.2 1.3 1.4 1.5 1.6

Notions of Encryption Scheme Security . Implications and Separations . . . . . . Plaintext Awareness . . . . . . . . . . . De nitional Contributions . . . . . . . . Motivation . . . . . . . . . . . . . . . . Related Work and Discussion . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

1 1 1 2 3 3 4

2 De nitions of Security

5

3 Relating IND and NM

9

2.1 Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Indistinguishability of Encryptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Non-Malleability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 3.2 3.3 3.4 3.5 3.6 3.7

Results . . . . . . . . . . . . . . . . . . . . . . . . Notation and Preliminaries . . . . . . . . . . . . Proof of Theorem 3.1: NM-ATK ) IND-ATK . Proof of Theorem 3.3: IND-CCA2 ) NM-CCA2 Proof of Theorem 3.5: IND-CCA1 6) NM-CPA . Proof of Theorem 3.6: NM-CPA 6) IND-CCA1 . Proof of Theorem 3.7: NM-CCA1 6) NM-CCA2

4 Results on PA 4.1 4.2 4.3 4.4

De nition . . . . . . . . . . . . . . . . . . Results . . . . . . . . . . . . . . . . . . . . Proof of Theorem 4.2: PA ) IND-CCA2 Proof of Theorem 4.4: IND-CCA26)PA .

References

. . . .

. . . .

. . . .

. . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

6 6 7

9 10 11 12 13 15 18

22 22 23 24 26

28

1 Introduction In this paper we compare the relative strengths of various notions of security for public-key encryption. We want to understand which de nitions of security imply which others. We start by sorting out some of the notions we will consider.

1.1 Notions of Encryption Scheme Security A convenient way to organize de nitions of secure encryption is by considering separately the various possible goals and the various possible attack models, and then obtain each de nition as a pairing of a particular goal and a particular attack model. This viewpoint was suggested to us by Moni Naor [25]. We consider two dierent goals: indistinguishability of encryptions, due to Goldwasser and Micali [21], and non-malleability, due to Dolev, Dwork and Naor [13]. Indistinguishability (IND) formalizes an adversary's inability to learn any information about the plaintext x underlying a challenge ciphertext y, capturing a strong notion of privacy. Non-malleability (NM) formalizes an adversary's inability, given a challenge ciphertext y, to output a dierent ciphertext y0 such that the plaintexts x; x0 underlying these two ciphertexts are \meaningfully related". (For example, x0 = x + 1.) It captures a sense in which ciphertexts can be tamper-proof. Along the other axis we consider three dierent attacks. In order of increasing strength these are chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attack (CCA1), and adaptive chosen-ciphertext attack (CCA2). Under CPA the adversary can obtain ciphertexts of plaintexts of her choice. In the public-key setting, giving the adversary the public key suÆces to capture these attacks. Under CCA1, formalized by Naor and Yung [26], the adversary gets, in addition to the public key, access to an oracle for the decryption function. The adversary may use this decryption function only for the period of time preceding her being given the challenge ciphertext y. (The term non-adaptive refers to the fact that queries to the decryption oracle cannot depend on the challenge y. Colloquially this attack has also been called a \lunchtime," \lunch-break," or \midnight" attack.) Under CCA2, due to Racko and Simon [27], the adversary again gets (in addition to the public key) access to an oracle for the decryption function, but this time she may use this decryption function even on ciphertexts chosen after obtaining the challenge ciphertext y, the only restriction being that the adversary may not ask for the decryption of y itself. (The attack is called adaptive because queries to the decryption oracle can depend on the challenge y.) As a mnemonic for the abbreviations CCA1 / CCA2, just remember that the bigger number goes with the stronger attack. One can \mix-and-match" the goals fIND; NMg and attacks fCPA; CCA1; CCA2g in any combination, giving rise to six notions of security: IND-CPA; IND-CCA1; IND-CCA2; NM-CPA; NM-CCA1; NM-CCA2 : Most are familiar (although under dierent names). IND-CPA is the notion of [21];1 IND-CCA1 is the notion of [26]; IND-CCA2 is the notion of [27]; NM-CPA, NM-CCA1 and NM-CCA2 are from [13, 14, 15].

1.2 Implications and Separations In this paper we work out the relations between the above six notions. For each pair of notions A; B 2 f IND-CPA; IND-CCA1; IND-CCA2; NM-CPA; NM-CCA1; NM-CCA2 g, we show one of 1

Goldwasser and Micali referred to IND-CPA as polynomial security, and also showed this was equivalent to another notion, semantic security.

1

NM-CPA

3.1

?

IND-CPA Figure 1: from

i

NM-CCA1

3.6

3.5

q

3.1

? IND-CCA1

3.7

- NM-CCA2 6 3.1 3.3 ? IND-CCA2

An arrow is an implication, and in the directed graph given by the arrows, there is a path

A to B if and only A ) B.

others follow automatically.

The hatched arrows represent separations we actually prove; all

The number on an arrow or hatched arrow refers to the theorem in

this paper which establishes this relationship.

the following:

A ) B: A proof that if PE is any encryption scheme meeting notion of security A then PE also meets notion of security B.

A 6) B:

A construction of an encryption scheme PE that provably meets notion of security A but provably does not meet notion of security B.2

We call a result of the rst type an implication, and a result of the second type a separation. For each pair of notions we provide one or the other, so that no relation remains open. These results are represented diagrammatically in Figure 1. The (unhatched) arrows represent implications that are proven or trivial, and the hatched arrows represent explicitly proven separations. Speci cally, the non-trivial implication is that IND-CCA2 implies NM-CCA2, and the separations shown are that IND-CCA1 does not imply NM-CPA; nor does NM-CPA imply IND-CCA1; nor does NM-CCA1 imply NM-CCA2. Figure 1 represents a complete picture of relations in the following sense. View the picture as a graph, the edges being those given by the (unhatched) arrows. (So there are eight edges.) We claim that for any pair of notions A; B, it is the case that A implies B if and only if there is a path from A to B in the graph. The \if" part of this claim is of course clear from the de nition of implication. The \only if" part of this claim can be veri ed for any pair of notions by utilizing the hatched and unhatched arrows. For example, we claim that IND-CCA1 does not imply IND-CCA2. For if we had that IND-CCA1 implies IND-CCA2 then this, coupled with NM-CCA1 implying IND-CCA1 and IND-CCA2 implying NM-CCA2, would give NM-CCA1 implying NM-CCA2, which we know to be false. That IND-CCA2 implies all of the other notions helps bolster the view that adaptive CCA is the \right" version of CCA on which to focus. (IND-CCA2 has already proven to be a better tool for protocol design.) We thus suggest that, in the future, \CCA" should be understood to mean adaptive CCA.

1.3 Plaintext Awareness Another adversarial goal we will consider is plaintext awareness (PA), rst de ned by Bellare and Rogaway [6]. PA formalizes an adversary's inability to create a ciphertext y without \knowing" its underlying plaintext x. (In the case that the adversary creates an \invalid" ciphertext what she should know is that the ciphertext is invalid.) 2

This will be done under the assumption that there exists some scheme meeting notion question is vacuous. This (minimal) assumption is the only one made.

2

A, since otherwise the

So far, plaintext awareness has only been de ned in the random-oracle (RO) model. Recall that in the RO model one embellishes the customary model of computation by providing all parties (good and bad alike) with a random function H from strings to strings. See [5] for a description of the random-oracle model and a discussion of its use. The six notions of security we have described can be easily \lifted" to the RO model, giving six corresponding de nitions. Once one makes such de nitional analogs it is easily veri ed that all of the implications and separations mentioned in Section 1.2 and indicated in Figure 1 also hold in the RO setting. For example, the RO version of IND-CCA2 implies the RO version of NM-CCA2. Since PA has only been de ned in the RO model it only makes sense to compare PA with other RO notions. Our results in this vein are as follows. Theorem 4.2 shows that PA (together with the RO version of IND-CPA) implies the RO version of IND-CCA2. In the other direction, Theorem 4.4 shows that the RO version of IND-CCA2 does not imply PA.

1.4 De nitional Contributions Beyond the implications and separations we have described, we have two de nitional contributions: a new de nition of non-malleability, and a re nement to the de nition of plaintext awareness. The original de nition of non-malleability [13, 14, 15] is in terms of simulation, requiring, for every adversary, the existence of some appropriate simulator. We believe our formulation is simpler. It is de ned via an experiment involving only the adversary; there is no simulator. Nonetheless, the de nitions are equivalent [7], under any form of attack. Thus the results in this paper are not aected by the de nitional change. We view the new de nition as an additional, orthogonal contribution which could simplify the task of working with non-malleability. We also note that our de nitional idea lifts to other settings, like de ning semantic security [21] against chosen-ciphertext attacks. (Semantic security seems not to have been de ned against CCA.) With regard to plaintext awareness, we make a small but important re nement to the de nition of [6]. The change allows us to substantiate their claim that plaintext awareness implies chosen-ciphertext security and non-malleability, by giving us that PA (plus IND-CPA) implies the RO versions of IND-CCA2 and NM-CCA2. Our re nement is to endow the adversary with an encryption oracle, the queries to which are not given to the extractor. See Section 4.

1.5 Motivation In recent years there has been an increasing role played by public-key encryption schemes which meet notions of security beyond IND-CPA. We are realizing that one of their most important uses is as tools for designing higher-level protocols. For example, encryption schemes meeting IND-CCA2 appear to be the right tools in the design of authenticated key exchange protocols in the public-key setting [1]. As another example, the designers of SET (Secure Electronic Transactions) selected an encryption scheme which achieves more than IND-CPA [28]. This was necessary, insofar as the SET protocols would be wrong if instantiated by a primitive which achieves only IND-CPA security. Because encryption schemes which achieve more than IND-CPA make for easier-to-use (or harder-to-misuse) tools, emerging standards rightly favor them. We comment that if one takes the CCA models \too literally" the attacks we describe seem rather arti cial. Take adaptive CCA, for example. How could an adversary have access to a decryption oracle, yet be forbidden to use it on the one point she really cares about? Either she has the oracle and can use it as she likes, or she does not have it at all. Yet, in fact, just such a setting eectively arises when encryption is used in session key exchange protocols. In general, 3

one should not view the de nitional scenarios we consider too literally, but rather understand that these are the right notions for schemes to meet when these schemes are to become generally-useful tools in the design of high level protocols.

1.6 Related Work and Discussion The most recent version of the work of Dolev, Dwork and Naor, the manuscript [15], has, independently of our work, considered the question of relations among notions of encryptions beyond IND-CPA. It contains (currently in Remark 3.6) various claims that overlap to some extent with ours. (Public versions of their work, namely the 1991 proceedings version [13] and the 1995 technical report [14], do not contain these claims.) Foundations. The theoretical treatment of public-key encryption begins with Goldwasser and Micali [21] and continues with Yao [29], Micali, Racko and Sloan [24], and Goldreich [18, 19]. These works treat privacy under chosen-plaintext attack (the notion we are capturing via IND-CPA). They show that various formalizations of it are equivalent, in various models. Speci cally, Goldwasser and Micali introduced, and showed equivalent, the notions of indistinguishability and semantic security; Yao introduced a notion based on computational entropy; Micali, Racko and Sloan showed that appropriate variants of the original de nition are equivalent to this; Goldreich [18] made important re nements to the notion of semantic security and showed that the equivalences still held; and Goldreich [19] provided de nitions and equivalences for the case of uniform adversaries. We build on these foundations both conceptually and technically. In particular, this body of work eectively justi es our adopting one particular formulation of privacy under chosen-plaintext attack, namely IND-CPA. None of the above works considered chosen-ciphertext attacks and, in particular, the question of whether indistinguishability and semantic security are equivalent in this setting. In fact, semantic security under chosen-ciphertext attack seems to have not even been de ned. As mentioned earlier, de nitions for semantic security under CCA can be obtained along the lines of our new de nition of non-malleability. We expect (and hope) that, after doing this, the equivalence between semantic security and indistinguishability continue to hold with respect to CCA, but this has not been checked. Recent work on simplifying non-malleability. As noted above, Bellare and Sahai [7] have shown that the de nition of non-malleability given in this paper is equivalent to the original one of [13, 14, 15]. In addition, they provide a novel formulation of non-malleability in terms of indistinguishability, showing that non-malleability is just a form of indistinguishability under a certain type of attack they call a parallel attack. Their characterization can be applied to simplify some of the results in this paper. Schemes. It is not the purpose of this paper to discuss speci c schemes designed for meeting any of the notions of security described in this paper. Nonetheless, as a snapshot of the state of the art, we attempt to summarize what is known about meeting \beyond-IND-CPA" notions of security. Schemes proven secure under standard assumptions include that of [26], which meets IND-CCA1, that of [13], which meets IND-CCA2, and the much more eÆcient recent scheme of Cramer and Shoup [10], which also meets IND-CCA2. Next are the schemes proven secure in a random-oracle model; here we have those of [5, 6], which meet PA and are as eÆcient as schemes in current standards. Then there are schemes without proofs, such as those of [11, 30]. Finally, there are schemes for non-standard models, like [16, 27]. We comment that it follows from our results that the above mentioned scheme of [10], shown to meet IND-CCA2, is also non-malleable, even under an adaptive chosen-ciphertext attack. Relations.

4

This paper is about relating notions of security for public-key (ie. asymmetric) encryption. The same questions can be asked for private-key (ie. symmetric) encryption. De nitions for symmetric encryption scheme privacy under CPA were given by [2]. Those notions can be lifted to deal with CCA. De nitions for non-malleability in the private-key setting can be obtained by adapting the public-key ones. Again we would expect (and hope) that, if properly done, the analogs to the relations we have proven remain. One feature of de nitions in this setting is worth highlighting. Recall that in the public-key setting, nothing special had to be done to model CPA; it corresponds just to giving the adversary the public key. Not so in a private-key setting. The suggestion of [3] is to give the adversary an oracle for encryption under the private key. This must be done in all de nitions, and it is under this notion that we expect to see an analog of the results for the public-key case. Goldreich, in discussions on this issue, has noted that in the private-key case, one can consider an attack setting weaker than CPA, where the adversary is not given an encryption oracle. He points out that under this attack it will not even be true that non-malleability implies indistinguishability. Encryption scheme security which goes beyond indistinguishability is important in the privatekey case too, and we feel it deserves a full treatment of its own which would explore and clarify some of the above issues. Further remarks. We comment that non-malleability is a general notion that applies to primitives other than encryption [13]. Our discussion is limited to its use in asymmetric encryption. Bleichenbacher [8] has recently shown that a popular encryption scheme, RSA PKCS #1, does not achieve IND-CCA1. He also describes a popular protocol for which this causes problems. His results reinforce the danger of assuming anything beyond IND-CPA which has not been demonstrated. A preliminary version of this paper appeared as [3]. We include here material which was omitted from that abstract due to space limitations. Symmetric encryption.

2 De nitions of Security This section provides formal de nitions for the six notions of security of an asymmetric (ie., publickey) encryption scheme discussed in Section 1.1. Plaintext awareness will be described in Section 4. We begin by describing the syntax of an encryption scheme, divorcing syntax from the notions of security. Experiments. We use standard notations and conventions for writing probabilistic algorithms and experiments. If A is a probabilistic algorithm, then A(x1 ; x2 ; : : : ; r) is the result of running A on inputs x1 ; x2 ; : : : and coins r. We let y A(x1 ; x2 ; : : :) denote the experiment of picking r at random and letting y be A(x1 ; x2 ; : : : ; r). If S is a nite set then x S is the operation of picking an element uniformly from S . If is neither an algorithm nor a set then x is a simple assignment statement. We say that y can be output by A(x1 ; x2 ; : : :) if there is some r such that A(x1 ; x2 ; : : : ; r) = y. Syntax and conventions. The syntax of an encryption scheme speci es what kinds of algorithms make it up. Formally, an asymmetric encryption scheme is given by a triple of algorithms, PE = (K; E ; D), where K, the key generation algorithm, is a probabilistic algorithm that takes a security parameter k 2 N and returns a pair (pk ; sk ) of matching public and secret keys. E , the encryption algorithm, is a probabilistic algorithm that takes a public key pk and a message x 2 f0; 1g to produce a ciphertext y. 5

D,

the decryption algorithm, is a deterministic algorithm which takes a secret key sk and ciphertext y to produce either a message x 2 f0; 1g or a special symbol ? to indicate that the ciphertext was invalid. We require that for all (pk ; sk ) which can be output by K(k), for all x 2 f0; 1g , and for all y that can be output by Epk (x), we have that Dsk (y) = x. We also require that K, E and D can be computed in polynomial time. As the notation indicates, the keys are indicated as subscripts to the algorithms. Recall that a function : N ! R is negligible if for every constant c 0 there exists an integer k such that (k) k for all k k . c

c

c

2.1 Framework The formalizations that follow have a common framework that it may help to see at a high level rst. In formalizing both indistinguishability and non-malleability we regard an adversary A as a pair of probabilistic algorithms, A = (A1 ; A2 ). (We will say that A is polynomial time if both A1 and A2 are.) This corresponds to A running in two \stages." The exact purpose of each stage depends on the particular adversarial goal, but for both goals the basic idea is that in the rst stage the adversary, given the public key, seeks and outputs some \test instance," and in the second stage the adversary is issued a challenge ciphertext y generated as a probabilistic function of the test instance, in a manner depending on the goal. (In addition A1 can output some state information s that will be passed to A2 .) Adversary A is successful if she passes the challenge, with what \passes" means again depending on the goal. We consider three types of attacks under this setup. In a chosen-plaintext attack (CPA) the adversary can encrypt plaintexts of her choosing. Of course a CPA is unavoidable in the public-key setting: knowing the public key, an adversary can, on her own, compute a ciphertext for any plaintext she desires. So in formalizing de nitions of security under CPA we \do nothing" beyond giving the adversary access to the public key; that's already enough to make a CPA implicit. In a non-adaptive chosen-ciphertext attack (CCA1) we give A1 (the public key and) access to a decryption oracle, but we do not allow A2 access to a decryption oracle. This is sometimes called a non-adaptive chosen-ciphertext attack, in that the decryption oracle is used to generate the test instance, but taken away before the challenge appears. In an adaptive chosen-ciphertext attack (CCA2) we continue to give A1 (the public key and) access to a decryption oracle, but also give A2 access to the same decryption oracle, with the only restriction that she cannot query the oracle on the challenge ciphertext y. This is an extremely strong attack model. As a mnemonic, the number i in CCAi can be regarded as the number of adversarial stages during which she has access to a decryption oracle. Additionally, the bigger number corresponds to the stronger (and chronologically later) formalization. By the way: we do not bother to explicitly give A2 the public key, because A1 has the option of including it in s.

2.2 Indistinguishability of Encryptions The classical goal of secure encryption is to preserve the privacy of messages: an adversary should not be able to learn from a ciphertext information about its plaintext beyond the length of that plaintext. We de ne a version of this notion, indistinguishability of encryptions (IND), following [21, 24], through a simple experiment. Algorithm A1 is run on input the public key, pk . At the end 6

of A1 's execution she outputs a triple (x0 ; x1 ; s), the rst two components being messages which we insist be of the same length, and the last being state information (possibly including pk ) which she wants to preserve. A random one of x0 and x1 is now selected, say x . A \challenge" y is determined by encrypting x under pk . It is A2 's job to try to determine if y was selected as the encryption of x0 or x1 , namely to determine the bit b. To make this determination A2 is given the saved state s and the challenge ciphertext y. For concision and clarity we simultaneously de ne indistinguishability with respect to CPA, CCA1, and CCA2. The only dierence lies in whether or not A1 and A2 are given decryption oracles. We let the string atk be instantiated by any of the formal symbols cpa; cca1; cca2, while ATK is then the corresponding formal symbol from CPA; CCA1; CCA2. When we say O = ", where i 2 f1; 2g, we mean O is the function which, on any input, returns the empty string, ". b

b

i

i

De nition 2.1 [IND-CPA, IND-CCA1, IND-CCA2] Let PE = (K; E ; D) be an encryption scheme and let A = (A1 ; A2 ) be an adversary. For atk 2 fcpa; cca1; cca2g and k 2 N let, -atk ind-atk-1 -atk-0 (k) = 1 ] Advind (k) = 1 ] Pr[ Expind PE (k) = Pr[ ExpPE PE ;A

;A

;A

where, for b 2 f0; 1g, -atk- (k) Experiment Expind PE R (pk ; sk ) K(k) ; (x0 ; x1 ; s) b

;A

Return d

and

AO1 1 () (pk ) ; y

Epk (x ) ; d b

AO2 2 () (x0 ; x1 ; s; y)

O () = " and O () = " O () = Dsk () and O () = " O () = Dsk () and O () = Dsk () Above it is mandated that jx j = jx j. In the case of CCA2, we further insist that A does not ask its oracle to decrypt y. We say that PE is secure in the sense of IND-ATK if A being polynomial-time implies that AdvPE - () is negligible. If atk = cpa then If atk = cca1 then If atk = cca2 then

1

2

1

2

1

2

0

1

2

ind atk ;A

2.3 Non-Malleability We will need to discuss vectors of plaintexts or ciphertexts. A vector is denoted in boldface, as in x. We denote by jxj the number of components in x, and by x[i] the i-th component, so that x = (x[1]; : : : ; x[jxj]). We extend the set membership notation to vectors, writing x 2 x or x 62 x to mean, respectively, that x is in or is not in the set f x[i] : 1 i jxj g. It will be convenient to extend the decryption notation to vectors with the understanding that operations are performed componentwise. Thus x Dsk (y) is shorthand for the following: for 1 i jyj do x[i] Dsk (y[i]). We will consider relations of arity t where t will be polynomial in the security parameter k. Rather than writing R(x1 ; : : : ; x ) we write R(x; x), meaning the rst argument is special and the rest are bunched into a vector x with jxj = t 1. Idea. The notion of non-malleability was introduced in [13], and re ned subsequently. The goal of the adversary, given a ciphertext y, is not (as with indistinguishability) to learn something about its plaintext x, but only to output a vector y of ciphertexts whose decryption x is \meaningfully related" to x, meaning that R(x; x) holds for some relation R. The question is how exactly one measures the advantage of the adversary. This turns out to need care. One possible formalization Notation.

t

7

is that of [13, 14, 15], which is based on the idea of simulation; it asks that for every adversary there exists a certain type of \simulator" that does just as well as the adversary but without being given y. Here, we introduce a novel formalization which seems to us to be simpler. Our formalization does not ask for a simulator, but just considers an experiment involving the adversary. It turns out that our notion is equivalent to DDN's [7]. Our formalization. Let A = (A1 ; A2 ) be an adversary. In the rst stage of the adversary's attack, A1 , given the public key pk , outputs a description of a message space, described by a sampling algorithm M . The message space must be valid, which means that it gives non-zero probability only to strings of some one particular length. In the second stage of the adversary's attack, A2 receives an encryption y of a random message, say x1 , drawn from M . The adversary then outputs a (description of a) relation R and a vector y (no component of which is y). She hopes that R(x; x) holds, where x Dsk (y). An adversary (A1 ; A2 ) is successful if she can do this with a probability signi cantly more than that with which R(x0 ; x) holds for some random hidden x0 M .

De nition 2.2 [NM-CPA, NM-CCA1, NM-CCA2] Let PE = (K; E ; D) be an encryption scheme and let A = (A1 ; A2 ) be an adversary. For atk 2 fcpa; cca1; cca2g and k 2 N let, -atk nm-atk-1 -atk-0 (k) = 1 ] Advnm (k) = 1 ] Pr[ Expnm PE (k) = Pr[ ExpPE PE ;A

;A

;A

where, for b 2 f0; 1g, -atk- (k) Experiment Expnm PE 1 () (pk ; sk ) R K(k) ; (M; s) AO (pk ) ; x0 ; x1 M ; y 1 O 2 () (R; y) A2 (M; s; y) ; x Dsk (y) ; If y 62 y ^ ? 62 x ^ R(x ; x) then d 1; else d 0 ; b

;A

Return

and

Epk (x ) ; 1

b

d

O () = " and O () = " O () = Dsk () and O () = " O () = Dsk () and O () = Dsk () We insist, above, that M is valid: jxj = jx0 j for any x; x0 that are given non-zero probability in the If atk = cpa then If atk = cca1 then If atk = cca2 then

1

2

1

2

1

2

message space M . In the case of CCA2, we further insist that A2 does not ask its oracle to decrypt y. We say that PE is secure in the sense of NM-ATK if for every polynomial p(k): if A runs in time p(k), outputs a (valid) message space M samplable in time p(k), and outputs a relation R -atk computable in time p(k), then Advnm PE () is negligible. ;A

The condition that y 62 y is made in order to not give the adversary credit for the trivial and unavoidable action of copying the challenge ciphertext. Otherwise, she could output the equality relation R, where R(a; b) holds i a = b, and output y = (y), and be successful with probability one. We also declare the adversary unsuccessful when some ciphertext y[i] does not have a valid decryption (that is, ? 2 x), because in this case, the receiver is simply going to reject the adversary's message anyway. The requirement that M is valid is important; it stems from the fact that encryption is not intended to conceal the length of the plaintext.

8

3 Relating IND and NM We state more precisely the results summarized in Figure 1 and provide proofs. As mentioned before, we summarize only the main relations (the ones that require proof); all other relations follow as corollaries.

3.1 Results The rst result, that non-malleability implies indistinguishability under any type of attack, was of course established by [13] in the context of their de nition of non-malleability, but since we have a new de nition of non-malleability, we need to re-establish it. The (simple) proof of the following is in Section 3.3.

Theorem 3.1 [NM-ATK ) IND-ATK]

PE

is secure in the sense of

If a scheme PE is secure in the sense of NM-ATK IND-ATK, for any attack ATK 2 fCPA; CCA1; CCA2g.

then

Remark 3.2 Recall that the relation R in De nition 2.2 was allowed to have any polynomially bounded arity. However, the above theorem holds even under a weaker notion of NM-ATK in which the relation R is restricted to have arity two. The proof of the following is in Section 3.4.

Theorem 3.3 [IND-CCA2 then

PE

) NM-CCA2]

is secure in the sense of

If a scheme

NM-CCA2.

PE

is secure in the sense of

IND-CCA2

Remark 3.4 Theorem 3.3 coupled with Theorem 3.1 and Remark 3.2 says that in the case of

CCA2 attacks, it suÆces to consider binary relations, meaning the notion of NM-CCA2 restricted to binary relations is equivalent to the general one. Now we turn to separations. Adaptive chosen-ciphertext security implies non-malleability according to Theorem 3.3. In contrast, the following says that non-adaptive chosen-ciphertext security does not imply non-malleability. The proof is in Section 3.5.

Theorem 3.5 [IND-CCA16)NM-CPA]

If there exists an encryption scheme

PE

which is secure

0 in the sense of IND-CCA1, then there exists an encryption scheme PE which is secure in the sense of IND-CCA1 but which is not secure in the sense of NM-CPA. Now one can ask whether non-malleability implies chosen-ciphertext security. The following says it does not even imply the non-adaptive form of the latter. (As a corollary, it certainly does not imply the adaptive form.) The proof is in Section 3.6.

Theorem 3.6 [NM-CPA6)IND-CCA1]

If there exists an encryption scheme

NM-CPA, then there exists an encryption scheme PE 0 NM-CPA but which is not secure in the sense of IND-CCA1.

in the sense of of

PE

which is secure

which is secure in the sense

Now the only relation that does not immediately follow from the above results or by a trivial reduction is that the version of non-malleability allowing CCA1 does not imply the version that allows CCA2. See Section 3.7 for the proof of the following.

Theorem 3.7 [NM-CCA16)NM-CCA2]

If there exists an encryption scheme

NM-CCA1, then there exists an encryption scheme PE 0 NM-CCA1 but which is not secure in the sense of NM-CCA2.

in the sense of of

9

PE

which is secure

which is secure in the sense

3.2 Notation and Preliminaries For relations R which could be of arbitrary arity we use the simplifying notation R(a; b) as a shorthand for R(a; b) when it is clear that b[1] = b and jbj = 1. We let a denote the bitwise complement (namely the string obtained by ipping each bit) of a. For an IND-ATK adversary A = (A1 ; A2 ) we will, whenever convenient, assume that the messages x0 ; x1 that A1 outputs are distinct. Intuitively this cannot decrease the advantage because the contribution to the advantage in case they are equal is zero. Actually one has to be a little careful. The claim will be that we can modify A to make sure that the output messages are distinct, and one has to be careful to make sure that when A outputs equal messages the modi ed adversary does not get any advantage, so that the advantage of the modi ed adversary is the same as that of the original one. For completeness we encapsulate the claim in the following proposition.

Let A = (A1 ; A2 ) be any adversary attacking encryption scheme PE in the IND-ATK. Then there exists another adversary B = (B1 ; B2 ) attacking PE in the sense of IND-ATK such that the two (equal length) messages that B1 outputs are always distinct, -atk ind-atk Advind PE (k) = AdvPE (k), and the running time of B is within a constant factor of that of A. Proof: Adversaries A and B have access to an oracle O1 in their rst stage and an oracle O2 in their second stage, these oracles being instantiated according to the attack ATK as described in the de nitions. The adversary B = (B1 ; B2 ) is as follows: Algorithm B1O1 (pk ) Algorithm B2O2 (x00 ; x01 ; s0 ; y ) where s0 = s k d O 0 0 2 1 if d = 0 then c AO (x0 ; x1 ; s) A1 (pk ) 2 (x0 ; x1 ; s; y ) if x0 6= x1 then d 0 else d 1 else c f0; 1g return c x00 x0 ; s0 s k d if d = 0 then x01 x1 else x01 x0 0 0 0 return (x0 ; x1 ; s ) Note that by de ning x00 ; x01 this way we always have x00 6= x01 . Also note that when x0 = x1 we have B2 output a random bit c to make sure its advantage in that case is zero. It is easy to see that the running time of B is within a constant factor of that of A. Now we -atk ind-atk claim that Advind PE (k) = AdvPE (k). To justify this, consider the experiments underlying the de nitions of the advantages of A and B , respectively:

Proposition 3.8 sense of

;B

;A

;B

;A

= (pk ; sk )

Experiment1

def

Experiment2

def

y

= (pk ; sk )

y

K(k) ; (x ; x ; s) 0

A1 (pk ) ; b O 2 A (x0 ; x1 ; s; y) 1

f0; 1g ;

Epk (x ) ; c K(k) ; (x ; x ; s) A ( ) ; b f0; 1g ; Epk (x ) ; c B O2 (x0 ; x0 ; s k d; y) : 2

b

0

1 pk

1

0

2

b

1

In the last experiment, x00 ; x01 ; d are de ned in terms of x0 ; x1 as per the code of B1 . Let Pr1 [ ] = Pr[Experiment1 : ] be the probability function under Experiment1 and Pr2 [ ] = Pr[Experiment2 : ] be that under Experiment2. By de nition -atk ind-atk Advind PE (k) = 2 Pr1 [ b = c ] 1 and AdvPE (k) = 2 Pr2 [ b = c ] 1 : Thus it suÆces to show that Pr1 [ b = c ] = Pr2 [ b = c ]. Let E denote the event that x0 = x1 , or, equivalently, that d = 1. Then ;A

;B

h

i

h i

j E ] Pr [ E ] + Pr b = c j E Pr E h i h i [ b = c j E ] Pr [ E ] + Pr b = c j E Pr E :

Pr1 [ b = c ] = Pr1 [ b = c

1

1

Pr2 [ b = c ] = Pr2

2

2

10

1 2

That Pr1 [ b = c ] = Pr2 [ b = c ] now follows by putting together the following observations:

Pr1 [ E ] = Pr2 [ E ] since E depends only on A1 . Pr1 [ b = c j E ] = 1=2 because when E is true, A2 has no information about b. On the other hand Pr2 [ b = c j E ] = 1=2 because when E is true we have B2 output a random bit. Pr1 b = c j E = Pr2 b = c j E because in this case the experiments are the same, namely we are looking at the output of A2 .

h

i

h

i

This completes the proof of Proposition 3.8.

3.3 Proof of Theorem 3.1:

) IND-ATK

NM-ATK

We are assuming that encryption scheme PE is secure in the NM-ATK sense. We will show it is also secure in the IND-ATK sense. Let B = (B1 ; B2 ) be a IND-ATK adversary attacking PE . We want -atk to show that Advind PE () is negligible. To this end, we describe a NM-ATK adversary A = (A1 ; A2 ) attacking PE . Adversaries A and B have access to an oracle O1 in their rst stage and an oracle O2 in their second stage, these oracles being instantiated according to the attack ATK as per the de nitions. Recall that z denotes the bitwise complement of a string z . ;B

1 Algorithm AO 1 (pk )

0 0 2 Algorithm AO 2 (M; s ; y ) where s = (x0 ; x1 ; pk ; s)

(x0 ; x1 ; s) B1O1 (pk ) M := fx0 ; x1 g s0 (x0 ; x1 ; pk ; s) return (M; s0 )

c B2O2 (x0 ; x1 ; s; y) y0 Epk (x ) return (R; y 0 ) where R(a; b) = 1 i a = b c

The notation M := fx0 ; x1 g means that M is being assigned the probability space which assigns to 2 each of x0 and x1 a probability of 1=2. AO outputs (the description of) the complement relation 2 R, which for any arguments a; b is 1 if a = b and 0 otherwise. We consider the advantage of A, given by -atk nm-atk-1 -atk-0 (k) = 1 ] Advnm (k) = 1 ] Pr[ Expnm PE (k) = Pr[ ExpPE PE ;A

where -atk-1 (k) def Expnm = PE

;A

h

;A

-atk-0 (k) = Expnm PE

def

;A

h

;A

K(k) ; (M; s0 )

AO1 1 (pk ) ; x

Epk (x) ; i (R; y0 ) AO2 (M; s0 ; y) ; x0 Dsk (y0 ) : y 6= y0 ^ ? = 6 x0 ^ R(x; x0 ) ; ) K(k) ; (M; s0 ) AO1 ( ) ; x; x~ M ; y Epk (x) ; i (R; y0 ) AO2 (M; s0 ; y) ; x0 Dsk (y0 ) : y 6= y0 ^ ? = 6 x0 ^ R(~x; x0 ) :

(pk ; sk )

M; y

2

(pk

sk

1

pk

2

-atk ind-atkThe advantage of B is given by Advind (k) = b ] PE (k) = 2 Pr[ ExpPE b

h

;B

-atk- (k) def Expind = Pr (pk ; sk ) PE b

;B

y

;B

K(k) ; (x ; x ; s) 0

Epk (x ) ; c b

1

1, where

B1O1 (pk ) ; b

i

B2O2 (x0 ; x1 ; s; y) : c = b :

f0; 1g ;

By Proposition 3.8 we may assume here, without loss of generality, that we always have x0 = 6 x1 . This turns out to be important below. 11

-atk-1 (k) = 1 ] = Pr[ Expind-atk- (k) = b ]. Pr[ Expnm PE PE 0 Proof: Look rst at the code of A2 . Note that R(x; x ) is true i Dsk (y ) = x . Also note that when 0 0 R(x; x ) is true it must be that x 6= x and hence, by the unique decryptability of the encryption scheme, that y 6= y0 . Also we always have ? 6= x0 . -atk- (k). An important observation is that Dsk (y) = x i b = c. (This uses Now, consider Expind PE the fact that x0 6= x1 , and would not be true otherwise.) Now one can put this together with the above and see that b = c in the experiment underlying p exactly when y 6= y0 ^ ? 6= x0 ^ R(x; x0 ) -atk-1 (k). 2 in the experiment Expnm PE nm-atk-0 Claim 2: Pr[ ExpPE (k) = 1 ] = 1=2. Proof: This follows from an information theoretic fact, namely that A has no information about the message x~ with respect to which its success is measured. 2 -atk nm-atk Now we can apply the claims to get Advind PE (k) = 2 AdvPE (k). But since PE is secure in the -atk ind-atk NM-ATK sense we know that Advnm PE () is negligible, and hence the above implies AdvPE () is negligible too. This concludes the proof of Theorem 3.1. The claim of Remark 3.2 is clear from the above because the relation R output by A is binary. b

Claim 1:

;A

;B

c

b

c

;B

k

;A

;A

;B

;A

;A

3.4 Proof of Theorem 3.3:

;B

IND-CCA2

) NM-CCA2

We are assuming that encryption scheme PE is secure in the IND-CCA2 sense. We show it is also secure in the NM-CCA2 sense. The intuition is simple: since the adversary has access to the decryption oracle, she can decrypt the ciphertexts she would output, and so the ability to output ciphertexts is not likely to add power. For the proof, let B = (B1 ; B2 ) be an NM-CCA2 adversary attacking PE . We must show -cca2 () is negligible. To this end, we describe an IND-CCA2 adversary A = (A1 ; A2 ) that Advnm PE attacking PE . 0 0 sk sk Algorithm AD Algorithm AD 2 (x0 ; x1 ; s ; y ) where s = (M; s) 1 (pk ) (R; y) B2Dsk (M; s; y) ; x Dsk (y) (M; s) B1Dsk (pk ) if (y 62 y ^ ? 62 x ^ R(x0 ; x)) then d 0 x0 M ; x1 M 0 else d f0; 1g s (M; s) return d return (x0 ; x1 ; s0 ) Notice A is polynomial time under the assumption that the running time of B , the time to compute R, and the time to sample from M are all bounded by a xed polynomial in k. The advantage of -cca2 (k) = p (0) p (1) where for b 2 f0; 1g we let A is given by Advind PE p (b) = Pr (pk ; sk ) K(k) ; (x0 ; x1 ; s0 ) ADsk (pk ) ; y Epk (x ) : ;B

h

;A

k

k

i

k

Also for b 2 f0; 1g we let p0 (b) = Pr (pk ; sk )

h

k

AD2 sk (x0 ; x1 ; s0 ; y) = 0 :

K(k) ; (M; s)

1

b

B1Dsk (pk ) ; x0 ; x1

Epk (x ) ; i B D (M; s; y) ; x Dsk (y) : y 62 y ^ ? 2= x ^ R(x ; x) :

(R; y)

2

M; y

b

sk

0

Now observe that A2 may return 0 either when x is R-related to x0 or as a result of the coin ip. Continuing with the advantage then, -cca2 (k) = p (0) p (1) = 1 [1 + p0 (0)] 1 [1 + p0 (1)] = 1 [p0 (0) p0 (1)] Advind PE 2 2 2 ;A

k

k

k

12

k

k

k

We now observe that the experiment of B2 being given a ciphertext of x1 and R-relating x to -cca2-0 (k) = 1 ]. On the other hand, in case it is x0 , we are looking at x0 , is exactly Pr[ Expnm PE nm-cca2- 1 Pr[ ExpPE (k) = 1 ]. -cca2 (k) = p0 (0) p0 (1) = 2 Advind-cca2 (k) : Advnm PE PE ind-cca2 But we know that AdvPE () is negligible because PE is secure in the sense of IND-CCA2. It nm-cca2 follows that AdvPE () is negligible, as desired. ;B

;B

;B

k

k

;A

;A

;B

3.5 Proof of Theorem 3.5:

IND-CCA1

6) NM-CPA

Assume there exists some IND-CCA1 secure encryption scheme PE = (K; E ; D), since otherwise the theorem is vacuously true. We now modify PE to a new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) which is also IND-CCA1 secure but not secure in the NM-CPA sense. This will prove the theorem. The new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) is de ned as follows. Here x denotes the bitwise complement of string x, namely the string obtained by ipping each bit of x. 0 (x) 0 (y1 ky2 ) Algorithm Epk Algorithm K0 (k ) Algorithm Dsk (pk ; sk ) K(k) return Dsk (y1 ) y1 Epk (x) ; y2 Epk (x) return (pk ; sk ) return y1 ky2 In other words, a ciphertext in the new scheme is a pair y1 k y2 consisting of the encryption of the message and its complement. In decrypting, the second component is ignored. It is now quite easy to see that: Claim 3.9 PE 0 is not secure in the NM-CPA sense.

Proof: Given a ciphertext y1 k y2 of a message x, it is easy to create a ciphertext of x: just output y2 k y1 . Thus, the scheme is malleable. Formally, we can specify a polynomial time adversary A = (A1 ; A2 ) that breaks PE 0 in the sense of NM-CPA, with probability almost one, as follows. A1 (pk ) outputs (M; ) where M puts a uniform distribution on f0; 1g . Then algorithm A2 (M; ; y1 k y2 ) outputs (R; y2 k y1 ) where R describes the binary relation de ned by R(m1 ; m2 ) = 1 i m1 = m2 . It is easy to see that the plaintext, x0 , corresponding to the ciphertext that A outputs is R-related to x with probability 1. Observe that -cpa the probability of some random plaintext x~ being R-related to x0 is at most 2 . Thus Advnm PE 0 (k) is 1 2 which is not negligible. (In fact it is close to one.) Hence A is a successful adversary and k

k

;A

k

the scheme is not secure in the sense of NM-CPA.

On the other hand, a hybrid argument establishes that PE 0 retains the IND-CCA1 security of PE : Claim 3.10 PE 0 is secure in the sense of IND-CCA1.

Proof: Let B = (B1 ; B2 ) be some polynomial time adversary attacking PE 0 in the IND-CCA1 sense. -cca1 We want to show that Advind PE 0 (k) is negligible. To do so, consider the following probabilities, de ned for i; j 2 f0; 1g: ;B

h

K(k) ; (x ; x ; s) i B (x ; x ; s; y ky ) = 1 :

p (i; j ) = Pr (pk ; sk ) k

2

0

0

1

1

1

B1Dsk (pk ) ; y1

Epk (x ) ; y

2

i

Epk (x ) : j

2

-cca1 We know that Advind PE 0 (k) = p (1; 1) p (0; 0). The following lemmas state that, under our assumption that PE is IND-CCA1-secure, it must be that the dierences p (1; 1) p (1; 0) and ;B

k

k

k

13

k

p (1; 0) p (0; 0) are both negligible. This will complete the proof since -cca1 Advind PE 0 (k) = p (1; 1) p (0; 0) = [p (1; 1) p (1; 0)] + [p (1; 0) p (0; 0)] ; k

k

k

;B

k

k

k

k

k

being the sum of two negligible functions, will be negligible. So it remains to (state and) prove the lemmas. Lemma 1: p (1; 1) p (1; 0) is negligible. Proof: We can construct an adversary A = (A1 ; A2 ) that attacks the scheme PE in the IND-CCA1 sense, as follows: k

k

sk Algorithm AD 1 (pk )

(x0 ; x1 ; s)

Dsk0

B1 (pk ) m0 x0 ; m1 x1 return (m0 ; m1 ; s)

Algorithm A2 (m0 ; m1 ; s; y )

y1 Epk (m1 ) ; y2 y d B2 (m0 ; m1 ; s; y1 k y2 ) return d

D0 0 oracle. It can do this by replying The computation B1 sk (pk ) is done by A1 simulating the Dsk 0 . This adversary is to query y1 k y2 via Dsk (y1 ), using its own Dsk oracle and the de nition of Dsk polynomial time. One can now check the following:

h h

Pr (pk ; sk ) Pr (pk ; sk )

K(k) ; (m ; m ; s) K(k) ; (m ; m ; s) 0 0

1 1

AD1 sk (pk ) ; y AD1 sk (pk ) ; y

i

Epk (m ) : A (m ; m ; s; y) = 1 = p (1; 1) i Epk (m ) : A (m ; m ; s; y) = 1 = p (1; 0) 1

2

0

1

0

2

0

1

k

k

-cca1 (k) = p (1; 1) p (1; 0). The assumed security of PE in the IND-CCA1 sense now Thus Advind PE implies the latter dierence is negligible. 2 Lemma 2: p (1; 0) p (0; 0) is negligible. Proof: We can construct an adversary A = (A1 ; A2 ) that attacks the scheme PE in the IND-CCA1 sense, as follows: k

;A

k

k

k

sk Algorithm AD 1 (pk )

Dsk0

(x0 ; x1 ; s) B1 (pk ) return (x0 ; x1 ; s)

Algorithm A2 (x0 ; x1 ; s; y )

y1 y and y2 Epk (x0 ) d B2 (x0 ; x1 ; s; y1 ky2 ) return d

0 given Dsk . We observe that Again A is polynomial time and can simulate Dsk

h h

Pr (pk ; sk ) Pr (pk ; sk )

K(k) ; (x ; x ; s) K(k) ; (x ; x ; s) 0 0

1 1

AD1 sk (pk ) ; y AD1 sk (pk ) ; y

i

Epk (x ) : A (x ; x ; s; y) = 1 i Epk (x ) : A (x ; x ; s; y) = 1 1

2

0

1

0

2

0

1

= p (1; 0) k

= p (0; 0) k

-cca1 (k) = p (1; 0) p (0; 0). The assumed security of PE in the IND-CCA1 sense now Thus Advind PE implies the latter dierence is negligible. 2 This completes the proof of Claim 3.10. ;A

k

k

Remark 3.11 We could have given a simpler scheme PE 0 than the one above that would be secure 0 (x) y k b where in the IND-CCA1 sense but not in the NM-CPA sense. Let K0 be as above, let Epk 0 0 y Epk (x) and b f0; 1g and Dsk (b k y) Dsk (y). The malleability of PE arises out of the ability 14

of the adversary to create another ciphertext from the challenge ciphertext y k b, by returning y k b. This is allowed by De nition 2.2 since the only restriction is that the vector of ciphertexts y the adversary outputs should not contain y k b. However, the de nition of [13] did not allow this, and, in order to have a stronger separation result that also applies to their notion, we gave the above more involved construction.

3.6 Proof of Theorem 3.6:

NM-CPA

6) IND-CCA1

Let's rst back up a bit and provide some intuition about why the theorem might be true and how we can prove it. Intuition and first attempts. At rst glance, one might think NM-CPA does imply IND-CCA1 (or even IND-CCA2), for the following reason. Suppose an adversary has a decryption oracle, and is asked to tell whether a given ciphertext y is the encryption of x0 or x1 , where x0 ; x1 are messages she has chosen earlier. She is not allowed to call the decryption oracle on y. It seems then the only strategy she could have is to modify y to some related y0 , call the decryption oracle on y0 , and use the answer to somehow help her determine whether the decryption of y was x0 or x1 . But if the scheme is non-malleable, creating a y0 meaningfully related to y is not possible, so the scheme must be chosen-ciphertext secure. The reasoning above is fallacious. The aw is in thinking that to tell whether y is an encryption of x0 or x1 , one must obtain a decryption of a ciphertext y0 related to the challenge ciphertext y. In fact, what can happen is that there are certain strings whose decryption yields information about the secret key itself, yet the scheme remains non-malleable. The approach to prove the theorem is to modify a NM-CPA scheme PE = (K; E ; D) to a new scheme PE 0 = (K0 ; E 0 ; D0 ) which is also NM-CPA but can be broken under a non-adaptive chosenciphertext attack. (We can assume a NM-CPA scheme exists since otherwise there is nothing to prove.) A rst attempt to implement the above idea (of having the decryption of certain strings carry information about the secret key) is straightforward. Fix some ciphertext u not in the range 0 (u) = sk to return the secret key whenever it is given this special ciphertext. of E and de ne Dsk In all other aspects, the new scheme is the same as the old one. It is quite easy to see that this scheme falls to a (non-adaptive) chosen-ciphertext attack, because the adversary need only make query u of its decryption oracle to recover the entire secret key. The problem is that it is not so easy to tell whether this scheme remains non-malleable. (Actually, we don't know whether it is or not, but we certainly don't have a proof that it is.) As this example indicates, it is easy to patch PE so that it can be broken in the sense of IND-CCA1; what we need is that it also be easy to prove that it remains NM-CPA secure. The idea of our construction below is to use a level of indirection: sk is returned by D0 in response to a query v which is itself a random string that can only be obtained by querying D0 at some other known point u. Intuitively, this scheme will be NM-CPA secure since v will remain unknown to the adversary. Our construction. Given a non-malleable encryption scheme PE = (K; E ; D ) we de ne a new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) as follows: 0 (x) Algorithm D0 Algorithm Epk Algorithm K0 (k ) k sk k k (b k y ) where b 2 f0; 1g (pk ; sk ) K(k) y Epk (x) if b = 0 then return Dsk (y ) u; v f0; 1g return 0 k y else if y = u then return v 0 pk k u pk else if y = v return sk 0 sk k u k v sk else return ? return (pk 0 ; sk 0 ) u

u

k

15

v

The proof of Theorem 3.6 is completed by establishing that IND-CCA1 attack but remains NM-CPA secure. Claim 3.12 PE 0 is not secure in the sense of IND-CCA1. Analysis.

PE 0

is vulnerable to a

0 Proof: The adversary queries Dsk k k () at 1 k u to get v, and then queries it at the point 1 k v, u

v

to get sk . At this point, knowing the secret key, she can obviously perform the distinguishing task we later require of her. If you wish to see it more formally, the nd stage A1 of the adversary gets pk as above and outputs any two distinct, equal length messages x0 ; x1 . In the next stage, it receives a ciphertext 0 (x ) where b was a random bit. Now it can compute Dsk (y) to recover the message 0 k y Epk k and thus determine b with probability one. It is obviously polynomial time. u

Remember that following:

b

PE is assumed secure in the sense of NM-CPA.

We will use this to establish the

Claim 3.13 PE 0 is secure in the sense of NM-CPA. Proof: To prove this claim we consider a polynomial time adversary B attacking

PE 0 in the NM-CPA sense. We want to show that AdvPE 0 () is negligible. To do this, we construct an adversary A = (A1 ; A2 ) that attacks PE in the NM-CPA sense. The idea is that A can run B as a subroutine and simulate the choosing of u; v by the key generation algorithm K0 for B . nm cpa ;B

Algorithm A1 (pk )

f0; 1g 0 pk k u pk (M; s) B1 (pk 0 ) s0 (s; u; v; pk ) return (M; s0 ) u; v

k

Algorithm A2 (M; s0 ; y ) where s0 = (s; u; v; pk )

(R; z) B2 (M; s; 0 k y) for 1 i jzj do parse z[i] as b k z where b is a bit for 1 i jzj do if b = 0 then y[i] z else if (b = 1) ^ (z = u) then y[i] Epk (v ) else y[i] y return (R; y) i

i

i

i

i

i

i

-cpa We now de ne two experiments. The rst is the one under which Advnm PE (k) is evaluated, and -cpa the second is the one under which Advnm PE 0 (k) is evaluated: ;A

:B

= (pk ; sk ) K(k) ; (M; (s; u; v; pk )) A1 (pk ) ; x; x~ M ; y Epk (x) ; (R; y) A2 (M; (s; u; v; pk ); y) ; x Dsk (y) def Experiment2 = (pk k u; sk k u k v ) K0 (k) ; (M; s) B1(pk k u) ; x; x~ M ; 0 (x) ; (R; z) B2 (M; s; 0 k y) ; w D0 0 k y Epk k sk k k (z) : Experiment1

def

u

u v

Let Pr1 [ ] = Pr[Experiment1 : ] be the probability function under Experiment1 and Pr2 [ ] = Pr[Experiment2 : ] be that under Experiment2. Let E1 ,E2 , and E3 be the following events:

E1 def = def E2 = E3 def =

8i : (b 9i : (b 9i : (b

i

i

i

= 0) _ (b = 1 ^ z = u) i

i

= 1 ^ z = v ^ u 6= v) i

=1^z = 6 u ^ z =6 v) i

16

i

For j = 1; 2; 3 let

p(1; j ) = Pr1 [ y 62 y ^ ? 62 x ^ R(x; x) j E ] Pr1 [ y 62 y ^ ? 62 x ^ R(~x; x) j E ] p(2; j ) = Pr2 [ 0 k y 62 z ^ ? 62 w ^ R(x; w) j E ] Pr2 [ 0 k y 62 z ^ ? 62 w ^ R(~x; w) j E ] : j

j

j

By conditioning we have: -cpa Advnm PE ;A (k) =

j

P P

p(1; j ) Pr1 [ E ] 3 =1 p(2; j ) Pr2 [ E ] : 3 j =1

j

j

j

AdvPE -0 (k ) = -cpa nm-cpa We now upper bound Advnm PE 0 (k) in terms of AdvPE (k) by a series of lemmas. The rst observation is that the probability of our three events is the same in both experiments. nm cpa ;B

;A

;B

Pr1 [ E ] = Pr2 [ E ] for j = 1; 2; 3. These events depend only on the keys and B . 2

Lemma 1: Proof:

j

j

Let q be a polynomial which bounds the running time of B . In particular we can assume jzj < q(k). Lemma 2: p(2; 1) p(1; 1) + q (k ) 2 . Proof: By event E1 every z[i] = b k z has either (b = 0) or (b = 1 ^ z = u). If b = 0 then A will output z in Experiment1, while B would be outputting 0 k z in Experiment2. 0 But Dsk k k (0 k z ) = Dsk (z ), and furthermore y = z (the challenge to A is equal to this component of A's output) i 0 k y = 0 k z (the challenge to B is equal to this component of B 's output). Thus A properly simulates B . 0 If b = 1 and z = u then Dsk k k (b k z ) = v is random and independent of the execution of B . To \simulate" it we have A output an encryption of random v. But, A will only be successful if the created ciphertext is dierent from y. The probability of this not happening can be upper bounded by the probability that v = Dsk (y), which is at most 2 . The worst case in this event is when 8i : (b = 1 ^ z = u). Since jzj q(k), the probability, under this event, that A does not match the advantage of B , is at most q(k) 2 . 2 k

i

i

i

i

i

i

u

i

v

i

i

i

i

i

i

i

u

i

v

i

k

i

i

k

Pr1 [ E2 ] q(k) 2 . Proof: B has no information about v since the latter was chosen independently of its execution, and also u has a 2 chance of equaling v. The Lemma follows since jzj < q(k). 2 k

Lemma 3:

k

p(1; 3) = p(2; 3) = 0. Proof: When event E3 happens in Experiment1, one of the ciphertexts y[i] that A2 outputs equals y and hence there is no contribution to the success probability. When event E3 happens in 0 Experiment2, the de nition of Dsk k k says that the decryption of some z[i] is ? and hence again Lemma 4:

u

v

there is no contribution to the success probability. In other words, in both cases, there is no success in either the \real" or the \random" experiment. 2 From Lemmas 1,2,3,4 we get -cpa 3 Advnm =1 p(2; j ) Pr1 [ E ] PE 0 (k) = q(k) 2 + p(1; 1) Pr1[ E1 ] + p(2; 2) Pr1[ E2 ] + p(1; 3) Pr1 [ E3 ] q(k) 2 + p(1; 1) Pr1[ E1 ] + p(1; 2) Pr1[ E2 ] + p(1; 3) Pr1 [ E3 ] ;B

P

j

j

k k

17

+ (p(2; 2) p(1; 2)) Pr1 [ E2 ] q(k) 2 + 3=1 p(1; j ) Pr1 [ E ] + Pr1 [ E2 ] -cpa 2q(k) 2 + Advnm PE (k) :

P

k

j

j

k

;A

-cpa The assumption that PE is secure in the sense of NM-CPA implies that Advnm PE (k) is negligible, -cpa and hence it follows that Advnm PE 0 (k) is negligible. ;A

;B

3.7 Proof of Theorem 3.7:

NM-CCA1

6) NM-CCA2

The approach, as before, is to take a NM-CCA1 secure encryption scheme PE = (K; E ; D) and modify it to a new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) which is also NM-CCA1 secure, but can be broken in the NM-CCA2 sense. Intuition. Notice that the construction of Section 3.6 will no longer work, because the scheme constructed there, not being secure in the sense of IND-CCA1, will certainly not be secure in the sense of NM-CCA1, for the same reason: the adversary can obtain the decryption key in the rst stage using a couple of decryption queries. Our task this time is more complex. We want queries made in the second stage, after the challenge is received, to be important, meaning they can be used to break the scheme, yet, somehow, queries made in the rst stage cannot be used to break the scheme. This means we can no longer rely on a simplistic approach of revealing the secret key in response to certain queries. Instead, the \breaking" queries in the second stage must be a function of the challenge ciphertext, and cannot be made in advance of seeing this ciphertext. We implement this idea by a \tagging" mechanism. The decryption function is capable of tagging a ciphertext so as to be able to \recognize" it in a subsequent query, and reveal in that stage information related speci cally to the ciphertext, but not directly to the secret key. The tagging is implemented via pseudorandom function families. Our construction. Let PE = (K; E ; D ) be the given NM-CCA1 secure encryption scheme. Fix a family F = f F : k 1 g of pseudorandom functions as per [20]. (Notice that this is not an extra assumption. We know that the existence of even a IND-CPA secure encryption scheme implies the existence of a one-way function [23] which in turn implies the existence of a family of pseudorandom functions [22, 20].) Here each F = f F : K 2 f0; 1g g is a nite collection in which each key K 2 f0; 1g indexes a particular function F : f0; 1g ! f0; 1g . We de ne the new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) as follows. Recall that " is the empty string. 0 (x) Algorithm D0 Algorithm Epk Algorithm K0 (k ) sk k (b k y k z ) where b is a bit (pk ; sk ) K(k) y Epk (x) if (b = 0) ^ (z = ") then return Dsk (y ) K f0; 1g return 0 k y k " else if (b = 1) ^ (z = ") then return F (y ) 0 sk k K sk else if (b = 1) ^ (z = F (y )) return Dsk (y ) return (pk ; sk 0 ) else return ? k

k

k

k

K

K

k

k

K

k

K

K

The proof of Theorem 3.7 is completed by establishing that NM-CCA2 attack but remains NM-CCA1 secure. Claim 3.14 PE 0 is not secure in the sense of NM-CCA2. Analysis.

PE 0

is vulnerable to a

Proof: The idea is that while the adversary may not ask for the decryption of the challenge ciphertext 0ky k " in its second stage, it may ask for the decryption of 1kykF (y). This is in fact exactly the decryption of 0ky k ". The adversary rst needs to compute F (y) without access to K . This is easily done by calling the decryption oracle on 1kyk". K

K

18

More precisely, the adversary A = (A1 ; A2 ) works like this. In the rst stage it outputs a message space M consisting of two distinct strings x0 ; x1 , each having probability 1=2. A2 , given challenge ciphertext 0ky k ", makes query 1kyk" to get F (y), and outputs (R; Z ) where R(a; b) = 1 i a = b is the equality relation, and Z = 1 k y k F (y). Notice that Z 6= 0ky k " so this is a valid nm-cca2- 1 0 0 output, but Dsk (k) = 1 ] = 1. On the other hand, k (Z ) = Dsk k (0ky k ") so Pr[ ExpPE nm-cca2 nm-cca2- 0 Pr[ ExpPE (k) = 1 ] 1=2. So AdvPE (k) 1=2, which is certainly not negligible. K

K

K

;A

K

;A

;A

Remember that PE is assumed secure in the sense of NM-CCA1. We will use this to establish the following: Claim 3.15 PE 0 is secure in the sense of NM-CCA1. Let us rst give some intuition and then the proof. The key point is that to defeat the scheme, the adversary must obtain F (y) where 0 k y k " is the challenge. However, to do this she requires the decryption oracle. This is easy for an NM-CCA2 adversary but not for an NM-CCA1 adversary, which has a decryption oracle available only in the rst stage, when y is not yet known. Once y is provided (in the second stage) the possibility of computing F (y) is small because the decryption oracle is no longer available to give it for free, and the pseudorandomness of F makes it hard to compute on one's own. K

K

Proof of Claim 3.15: To prove this claim we consider a polynomial time adversary B attacking

PE 0

-cca1 in the NM-CCA1 sense. We want to show that Advnm PE 0 () is negligible. To do this, we consider the following adversary A = (A1 ; A2 ) attacking PE in the NM-CCA1 sense. The idea is that A can choose the key K for the key generation algorithm K0 of B and thus provide a simulation of the decryption oracle of B . ;B

sk Algorithm AD 1 (pk )

K f0; 1g D0 (M; s) B1 sk k K (pk ) s0 (s; K; pk ) return (M; s0 ) k

Algorithm A2 (M; s0 ; y ) where s0 = (s; K; pk )

(R; z) B2 (M; s; 0 k y k ") for 1 i jzj do parse z[i] as b k u k v where b is a bit for 1 i jzj do if (b = 0) ^ (v = ") then y[i] u else if (b = 1) ^ (v = ") then y[i] Epk (F (u )) else if (b = 1) ^ (v = F (u )) then y[i] u else y[i] y return (R; y) i

i

i

i

i

i

i

i

i

i

K

i

K

i

i

i

The analysis follows in spirit that in the proof of Claim 3.13; the key new element is the pseudorandom function. Roughly we seek to recapture the lemmas in that proof modulo the security of the pseudorandom function family. -cca1 (k) is evaluFor the proof, we de ne two experiments. The rst is the one under which Advnm PE nm-cca1 ated, and the second is the one under which AdvPE 0 (k) is evaluated: ;A

;B

sk = (pk ; sk ) K(k) ; (M; (s; K; pk )) AD ~ M ; y Epk (x) ; 1 (pk ) ; x; x (R; y) A2 (M; (s; K; pk ); y) ; x Dsk (y) 0 def Experiment2 = (pk ; sk k K ) K0(k) ; (M; s) B1Dsk k K (pk ) ; x; x~ M ; 0 (x) ; (R; z) B2 (M; s; 0 k y k ") ; w D0 0 k y k " Epk k sk k (z) :

Experiment1

def

u

K

19

Let Pr1 [ ] = Pr[Experiment1 : ] be the probability function under Experiment1 and Pr2 [ ] = Pr[Experiment2 : ] be that under Experiment2. Let E1 ,E2 , and E3 be the following events:

8i : (v 9i : (b 9i : (b

E1 def = def E2 = E3 def =

i

i

i

= ") _ (b = 1 ^ v = F (u ) ^ u = 6 y) i

i

K

i

i

= 1 ^ v = F (u ) ^ u = y ^ v = 6 ") i

K

i

i

i

K

i

i

i

=1^v = 6 F (u ) ^ v =6 ") _ (b = 0 ^ v =6 ") i

i

For j = 1; 2; 3 let = Pr1 [ y 62 y ^ ? 62 x ^ R(x; x) j Ej ] Pr1 [ y 62 y ^ ? 62 x ^ R(~x; x) j Ej ] p(2; j ) = Pr2 [ 0 k y k " 62 z ^ ? 62 w ^ R(x; w) j Ej ] Pr2 [ 0 k y k " 62 z ^ ? 62 w ^ R(~ x; w) p(1; j )

By conditioning we have: -cpa Advnm PE ;A (k) =

P P

j

Ej

]:

p(1; j ) Pr1 [ E ] 3 =1 p(2; j ) Pr2 [ E ] : 3 j =1

j

j

j

AdvPE -0 (k ) = -cpa nm-cpa We now upper bound Advnm PE 0 (k) in terms of AdvPE (k) by a series of lemmas. nm cpa ;B

;A

;B

Pr1 [ E ] = Pr2 [ E ] for j = 1; 2; 3. These events depend only on the keys and B . 2

Lemma 1: Proof:

j

j

Let q be a polynomial which bounds the running time of B and in particular so that jzj < q(k). Lemma 2: p(2; 1) p(1; 1) + (k ) for some negligible function depending on B . Proof: We consider two possible cases for values of z[i] = b k u k v , given event E1 . First suppose (b = 1 ^ v = F (u ) ^ u 6= y). Note that v = F (u ) implies v 6= " since the output of F is always k bits long. Now, from the code of A2 , we see that in this case A2 sets y[i] to u . Observe that if ciphertext y[i] (respectively z[i]) that A (respectively B ) creates equals y (respectively 0 k y k ") then there is no contribution to the success probability. Since b = 1 we know that z[i] 6= 0 k y k ". On the other hand the condition u 6= y means that y[i] 6= y too. From the 0 de nition of D0 we have Dsk k (1 k u k F (u )) = Dsk (u ), so A is properly simulating B . (Meaning the contribution to their respective success probabilities is the same.) For the second case, namely v = ", we consider the two possible values of b . 0 If b = 0 then A will set y[i] = u , and from the de nition of D0 we have Dsk k (0 k u k ") = Dsk (u ). Observe that A will output a ciphertext y[i] that equals y if and only if B outputs a ciphertext z[i] that equals 0 k y k ". So again A is properly simulating B . 0 0 If b = 1 then Dsk k (1 k u k ") = F (u ) by de nition of D . A correctly \simulates" this by outputting an encryption of F (u ). This choice of A contributes to the success probability as long as it is dierent from y. The probability of this not happening can be upper bounded by the probability that Epk (F (u )) = y. We must consider the worst case, which is when 8i : (b = 1^v = "), so we are interested in bounding the probability that there is some i such that Epk (F (u )) = y. Intuitively, such \ciphertext collisions" are unlikely since otherwise the scheme would not be secure even in the sense of IND-CCA1. Formally, one can show that the probability of such collisions is at most (k), where () is a negligible function depending on B , by showing that if not, we could design an adversary A0 that would break the scheme in the sense of IND-CCA1. This is standard, and a sketch of the details follows. i

i

i

K

i

i

i

i

i

K

i

i

K

i

i

i

i

K

K

i

i

i

i

i

i

i

i

K

K

K

K

K

i

i

i

i

i

i

K

20

i

i

In the rst stage A0 does what A does, picking a key K so that it can provide a simulation of the decryption oracle of B , similar to the simulation provided by A. It runs the rst stage of B and picks a pair of messages uniformly from the message space output by B . In the second stage it is given an encryption of one of these messages as the challenge. It then obtains a polynomial number of encryptions of one of the messages and checks if any of the resulting ciphertexts match the challenge ciphertext. If it does then it bets that the challenge ciphertext corresponds to this message, otherwise it decides by ipping a coin. Observe that the success of A0 is exactly one half the probability of there being some i such that Epk (F (u )) = y since the experiments de ning the success of A0 and the upper bound on the probability in question are similar. Since PE is given to be secure in the NM-CCA1 sense (and therefore in the IND-CCA1 sense, see Theorem 3.1), we get a bound of (k) where is a negligible function depending on B . 2 K

i

Notice that in the above we did not use the security of the pseudorandom function family. That comes up only in the next lemma. Accordingly, in the following, for any polynomial f we let Æ (k) be a negligible function which upper bounds the advantage obtainable by any adversary in distinguishing F from a family of random functions when the running time of this adversary is at most f (k). Lemma 3: Pr1 [ E2 ] q (k ) [Æ (k ) + (k )] for some negligible function that depends on B . Proof: Event E2 occurs if B outputs 1 k u k v where u = y and v = F (y ). The claim is that this happens with only a small probability. Note that it is not impossible for B to compute the value of F on a point, even though F is pseudorandom, because it can compute F (m) on a point m of its choice simply by querying its decryption oracle on 1 k m k ". However, this oracle is only available in the rst stage, and in that stage B does not know y. When she does get to know y (in the second stage) she no longer has the decryption oracle. The pseudorandomness of F then says her chance of computing F (y) is small. To turn this intuition into a formal proof, rst imagine that we use, in the role of F , a random function g. (Imagine that Dsk k has oracle access to g and uses it in the role of F .) In the resulting scheme and experiment, it is clear that the chance that B computes g(y) is at most 2 plus the chance that she made a query involving y to the decryption oracle in the rst stage. Since y is a ciphertext created after the rst stage, we claim that the chance that B could make a query involving y in her rst stage is negligible. This is true because if not, we would contradict the fact that PE is IND-CCA1. (This can be argued analogously to the argument in the previous Lemma. We omit the details.) Let (k) then be the negligible probability of computing g(y). Now given that F is pseudorandom in nature we can bound the probability of B correctly computing F (y) by Æ (k) + (k) for some polynomial q which depends on B . (Justi ed below.) So while B could always pick u to be y, she would have a negligible probability of setting v to be F (y). In the worst case this event could happen with probability at most jzj [Æ (k) + (k)]. The bound of Æ (k) + (k) mentioned above is justi ed using the assumed security of F as a pseudorandom function family. If the event in question had a higher probability, we would be able to construct a distinguisher between F and the family of random functions. This distinguisher would get an oracle g for some function and has to tell whether g is from F or is a random function of k bits to k bits. It would itself pick the secret keys underlying Experiment1 or Experiment2 and run the adversaries A or B . It can test whether or not the event happens because it knows all decryption keys. If it happens it bets that g is pseudorandom, because the chance under a random function is at most 2 + (k). Since this kind of argument is standard, we omit the details. 2 f

q

i

i

i

i

K

K

K

K

K

K

K

k

K

q

i

i

K

q

q

k

k

21

p(1; 3) = p(2; 3) = 0. Proof: When event E3 happens in Experiment1, one of the ciphertexts y[i] that A2 outputs equals y and hence there is no contribution to the success probability. When event E3 happens in 0 Experiment2, the de nition of Dsk k says that the decryption of some z[i] is ? and hence again Lemma 4:

K

there is no contribution to the success probability. In other words, in both cases, there is no success in either the \real" or the \random" experiment. 2 From Lemmas 1,2,3,4 we get -cca1 3 Advnm =1 p(2; j ) Pr1 [ E ] PE 0 (k) = (k) + p(1; 1) Pr1 [ E1 ] + p(2; 2) Pr1[ E2 ] + p(1; 3) Pr1[ E3 ] (k) + p(1; 1) Pr1 [ E1 ] + p(1; 2) Pr1[ E2 ] + p(1; 3) Pr1[ E3 ] + (p(2; 2) p(1; 2)) Pr1 [ E2 ] (k) + 3=1 p(1; j ) Pr1[ E ] + Pr1[ E2 ] -cpa (k) + q(k) [Æ (k) + (k)] + Advnm PE (k) : ;B

P

j

j

P

j

j

q

;A

Since Æ (k) and (k) are negligible quantities, the assumption that PE is secure in the sense -cca1 () is negligible, and hence it follows that Advnm-0 cca1 () is of NM-CCA1 implies that Advnm PE PE negligible. q

;A

;B

4 Results on PA In this section we de ne plaintext awareness and prove that it implies the random-oracle version of IND-CCA2, but is not implied by it. Throughout this section we shall be working exclusively in the RO model. As such, all notions of security de ned earlier refer, in this section, to their RO counterparts. These are obtained in a simple manner. To modify De nitions 2.1 and 2.2, begin the speci ed experiment (the experiment which de nes advantage) by choosing a random function H from the set of all functions from some appropriate domain to appropriate range. (These sets might change from scheme to scheme.) Then provide an H -oracle to A1 and A2 , and allow that Epk and Dsk may depend on H (which we write as Epk and Dsk ). H

H

4.1 De nition Our de nition of PA is from [6], except that we make one important re nement. An adversary B for plaintext awareness is given a public key pk and access to the random oracle H . We also provide B with an oracle for Epk . (This is our re nement, and its purpose is explained later.) The adversary outputs a ciphertext y. To be plaintext aware the adversary B should necessarily \know" the decryption x of its output. To formalize this it is demanded there exist some (universal) algorithm K (the \plaintext extractor") that could have output x just by looking at the public key, B 's H -queries and the answers to them, and the answers to B 's queries to Epk . Let us now summarize the formal de nition H and then discuss it. By (hH ; C ; y) run B Epk (pk ) we mean the following. Run B on input pk and oracles H and Epk , recording B 's interaction with its oracles. Form into a list hH = ((h1 ; H1); : : : ; (h H ; H H )) all of B 's H -oracle queries, h1 ; : : : ; h H , and the corresponding answers, H1 ; : : : ; H H . Form into a list C = (y1 ; : : : ; y E ) the answers (ciphertexts) received as a result of E pk -queries. (The messages that formed the actual queries are not recorded.) Finally, record B 's output, y. H

H

H;

H

q

q

q

H

q

22

q

De nition 4.1 [Plaintext Awareness { PA] Let PE = (K; E ; D) be an encryption scheme, let B be an adversary, and let K be an algorithm (the \knowledge extractor"). For any k 2 N de ne Succpa PE ;B;K (k)

h

= Pr H

def

K(k) ;

Hash ; (pk ; sk )

(hH ; C ; y)

i

H run B H;Epk (pk ) :

K (hH ; C ; y; pk ) = Dsk (y) : H

We insist that y 62 C ; that is, B never outputs a string y which coincides with the value returned from some Epk -query. We say that K is a (k)-extractor if K has running time polynomial in the length of its inputs and for every adversary B , Succpa (k) (k). We say that PE is secure in PE the sense of PA if PE is secure in the sense of IND-CPA and there exists a (k)-extractor K where 1 (k) is negligible. Let us now discuss this notion with particular attention to our re nement, which, as we said, consists of providing the adversary with the oracle for Epk . At rst glance this may seem redundant: since B has the public key, can it not encrypt on its own? It can. But, in the random-oracle model, encrypting such points oneself involves making H -queries (remember that Epk itself makes H queries), meaning B knows the oracle queries used by Epk to produce the ciphertext. (Formally, H they become part of the transcript run B Epk .) This does not accurately model the real world, where B may have access to ciphertexts via eavesdropping, where B 's state of knowledge does not include the underlying oracle queries. By giving B an encryption oracle Epk whose H -queries (if any) are not made a part of B 's transcript we get a stronger de nition. Intuitively, should you learn a ciphertext y1 for which you do not know the plaintext, still you should be unable to produce a ciphertext (other than y1 ) whose plaintext you know. Thus the Epk oracle models the possibility that B may obtain ciphertexts in ways other than encrypting them herself. We comment that plaintext awareness, as we have de ned it, is only achievable in the randomoracle model. (It is easy to see that if there is a scheme not using the random oracle for which an extractor as above exists then the extractor is essentially a decryption box. This can be formalized to a statement that an IND-CPA scheme cannot be plaintext aware in the above sense without using the random oracle.) It remains an interesting open question to nd an analogous but achievable formulation of plaintext awareness for the standard model. One might imagine that plaintext awareness coincides with semantic security coupled with a (non-interactive) zero-knowledge proof of knowledge [12] of the plaintext. But this is not valid. The reason is the way the extractor operates in the notion and scheme of [12]: the common random string (even if viewed as part of the public key) is under the extractor's control. In the PA notion, pk is an input to the extractor and it cannot play with any of it. Indeed, note that if one could indeed achieve PA via a standard proof of knowledge, then it would be achievable in the standard (as opposed to random-oracle) model, and we just observed above that this is not possible with the current de nition. H

;B;K

H

H

H

H;

H

H

4.2 Results The proof of the following is in Section 4.3. Theorem 4.2 [PA ) IND-CCA2] If encryption scheme is secure in the RO sense of IND-CCA2.

PE

Corollary 4.3 [PA ) NM-CCA2] If encryption scheme PE is secure in the RO sense of

NM-CCA2.

is secure in the sense of

is secure in the sense of

Proof: Follows from Theorems 4.2 and the RO-version of Theorem 3.3. 23

PA

then it

PA then PE

The above results say that PA ) IND-CCA2 following, whose proof is in Section 4.4.

Theorem 4.4 [IND-CCA26)PA]

) NM-CCA2.

If there exists an encryption scheme

IND-CCA2, then there exists an encryption scheme IND-CCA2 but which is not secure in the sense of PA.

RO sense of sense of

In the other direction, we have the

4.3 Proof of Theorem 4.2:

PA

PE 0

PE

which is secure in the

which is secure in the RO

) IND-CCA2

The basic idea for proving chosen-ciphertext security in the presence of some kind of proof of knowledge goes back to [16, 17, 9, 12]. Let us begin by recalling it. Assume there is some adversary A = (A1 ; A2 ) that breaks PE in the IND-CCA2 sense. We construct an adversary A0 = (A01 ; A02 ) that breaks PE in the IND-CPA sense. The idea is that A0 will run A and use the extractor to simulate the decryption oracle. At rst glance it may seem that the same can be done here, making this proof rather obvious. That is not quite true. Although we can follow the same paradigm, there are some important new issues that arise and must be dealt with. Let us discuss them. The rst is that the extractor cannot just run on any old ciphertext. (Indeed, if it could, it would be able to decrypt, and we know that it cannot.) The extractor can only be run on transcripts that originate from adversaries B in the form of De nition 4.1. Thus to reason about the eectiveness of A0 we must present adversaries who output as ciphertext the same strings that A0 would ask of its decryption oracle. This is easy enough for the rst ciphertext output by A, but not after that, because we did not allow our B s to have decryption oracles. The strategy will be to de ne a sequence of adversaries B1 ; : : : ; B so that B uses the knowledge extractor K for answering the rst i 1 decryption queries, and then B outputs what would have been its i-th decryption query. In fact this adversary A0 might not succeed as often as A, but we will show that the loss in advantage is still tolerable. Yet, that is not the main problem. The more subtle issue is how the encryption oracle given to the adversary comes into the picture. Adversary B will have to call its encryption oracle to \simulate" production of the challenge ciphertext received by A2 . It cannot create this ciphertext on its own, because to do so would incorrectly augment its transcript by the ensuing H -query. Thus, in fact, only one call to the encryption oracle will be required | yet this call is crucial. Construction. For contradiction we begin with an IND-CCA2-adversary A = (A1 ; A2 ) with a -cca2 (k) against PE . In addition, we know there exists a plaintext non-negligible advantage, Advind PE extractor, K , with high probability of success, Succpa (k), for any adversary B . Using A and K PE -cpa 0 0 0 we construct an IND-CPA-adversary A = (A1 ; A2 ) with a non-negligible advantage, Advind PE 0 (k) 0 against PE . Think of A as the adversary A with access only to a simulated decryption oracle rather than the real thing. If A(; ; ) is any probabilistic algorithm then A(x; y; ; R) means we run it with coin tosses xed to R. Let " denote the empty list. The adversary is de ned as follows: Intuition.

q

i

i

i

;A

;B;K

;A

24

Algorithm A01 (pk ; R) hH

Algorithm A02 (x0 ; x1 ; (s; hH ; pk ); y ; R)

"

Take R1 from R Run A1 (pk ; R1 ), wherein When A1 makes a query, h, to H : A1 asks its H -oracle h, obtaining H (h) Put (h; H (h)) at end of hH Answer A1 with H (h) H When A1 makes its j th query, y , to Dsk : x K (hH ; "; y; pk ) Answer A1 with x Finally A1 halts, outputting (x0 ; x1 ; s) return (x0 ; x1 ; (s; hH ; pk ))

Take R2 from R Run A2 (x0 ; x1 ; s; y ; R2 ), wherein When A2 makes a query, h, to H : A2 asks its H -oracle h, obtaining H (h) Put (h; H (h)) at end of hH Answer A2 with H (h) H When A2 makes its j th query, y , to Dsk : x K (hH ; (y ); y ; pk ) Answer A2 with x Finally A2 halts, outputting bit, d

0

0

0

0

return d

To reason about the behavior of A0 we describe adversaries B1 ; : : : ; B , where q is the number of decryption queries made by A. Adversary B1 runs A)1, answeriing A1 's H -oracle queries using its own H -oracle, being careful to collect up the questions and their answers, forming a list of these, hH . When A1 nally makes its rst decryption query, y1 , algorithm B1 halts, outputting y1 . Algorithm B2 likewise runs A1 . As before, H -queries (and their answers) are recorded in hH . When the rst query y1 to Dsk is made, B2 passes y1 to K along with the transcript hH and pk . Since A1 does not have access to an encryption oracle, the ciphertext list C that K expects will be empty (C = "). Algorithm B2 then passes on K 's answer to A1 and continues running A1 , appropriately updating hH , until the second query, y2 , is made to Dsk . Then B2 outputs y2 . This process continues in this way to construct each B for i 2 f1; : : : ; q1 g, where q1 is the number of Dsk -queries made by A1 . This is described by the left-hand column below. Analysis.

q

H

H

i

H

H

2f

H;Epk

(pk ; R) // i 1; : : : ; q " Let R1 ; R2 be taken from R. Run A1 (pk ; R1 ), wherein When A1 makes a query, h, to H : Bi asks its H -oracle h, obtaining H (h) Put (h; H (h)) at end of hH Answer A1 with H (h) H When A1 makes its j th query, y , to sk : if j = i then return y and halt else x K (hH ; "; y; pk ) Answer A1 with x Finally, A1 halts, outputting (x0 ; x1 ; s)

Algorithm Bi

g

d

hH

// Algorithm

f0; 1g

Bi ,

continued

H Using Bi 's encryption oracle, let y Epk (xd ) Run A2 (x0 ; x1 ; s; y ; R2 ), wherein When A2 makes a query, h, to H : Bi asks its H -oracle h, obtaining H (h) Put (h; H (h)) at end of hH Answer A2 with H (h) H When A2 makes its j -th query, y , to Dsk : if i = j + q1 then return y and halt else x K (hH ; (y ); y ; pk ) Answer A2 with x

D

0

0

0

Having de ned adversaries corresponding to each decryption query made by A1 , we now need to do this for A2 . Recall that adversary A2 gets as input (x0 ; x1 ; s; y) where, in the experiment de ning advantage, y is selected according to y Epk (x ) for a random bit d. Remember that A2 is prohibited from asking Dsk (y), although A2 may make other (possibly related) decryption queries. How then can we pass y to our decryption simulation mechanism? This is where the encryption oracle and the ciphertext list C come in. We de ne adversaries B 1 +1 , . . . , B just like we de ned B1 ; : : : ; B 1 , except that this time C = (y) rather than being empty. This is shown above in the righ-hand column. DH Let us now see how good a simulation A01 is for A1 sk . Note that the values (x0 ; x1 ; s) produced by A01 are not necessarily the same as what A1 would have output after the analagous interactions H

d

H

q

q

25

q

with Dsk , since one of K 's answers may not be the correct plaintext. Let D be the event that at least one of K 's answers to A1 's decryption queries was not the correct plaintext. Using the existence of B1 ; B2 ; : : : we can lower bound the probability of the correctness of K 's answers in A01 by DH Pr[A01 (pk ) = A1 sk (pk )] 1 Pr[D] 1 q1 (1 (k)) : Letting q2 be the number of decryption oracle queries made by A2 , we similarly have for A02 that and that DH DH Pr[A02 (x0 ; x1 ; (s; hH ); y) = A2 sk (x0 ; x1 ; s; y) j A01 (pk) = A1 sk (pk )] 1 q2 (1 (k)) : Now using the above, one can see that H

-cpa Advind PE ;A0 (k)

-cca2 Advind PE ;A (k)

2q (1

(k));

where q = q1 + q2 and represents the total number of decryption oracle queries made by the adversary A. A01 runs A1 , asking for q1 executions of K . Similarly A02 runs A2 , asking for q2 executions of K . Hence the running time of our new adversary A0 is equal to t + q t , where t and t are the running times of A and K respectively, which is polynomial if A and K are polynomial time. -cca2 (k) is non-negligible and 1 (k) is negligible, so Advind-cpa Under our assumptions Advind PE PE 0 (k) is non-negligible, and PE is not secure in the sense of IND-CPA security. In concrete security terms, the advantage drops linearly in q while the running time grows linearly in q. Note that it was important in the proof that K almost always succeeded; it would not have worked with (k) = 0:5, say. A

K

A

;A

4.4 Proof of Theorem 4.4:

K

;A

IND-CCA2

6)PA

Assume there exists some IND-CCA2 secure encryption scheme PE = (K; E ; D), since otherwise the theorem is vacuously true. We now modify PE to a new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) which is also IND-CCA2 secure but not secure in the PA sense. This will prove the theorem. The new encryption scheme PE 0 = (K0 ; E 0 ; D0 ) is de ned as follows: 0 (x) Algorithm D0 (y) Algorithm Epk Algorithm K0 (k ) k sk k (pk ; sk ) K(k) return Epk (x) return Dsk (y ) b f0; 1g ; a Epk (b) 0 pk k a ; sk 0 sk k b pk return (pk 0 ; sk 0 ) H

H

a

b

H

k

H

H

In other words, the only dierence is that in the new scheme, the public key contains a random ciphertext a whose decryption is in the secret key. Our two claims are that PE 0 remains IND-CCA2 secure, but is not PA. This will complete the proof.

Claim 4.5 PE 0 is secure in the sense of IND-CCA2. Proof: Recall our assumption is that PE is IND-CCA2 secure. To prove the claim we consider a polynomial time adversary B attacking PE 0 in the IND-CCA2 sense. We want to show that -cca2 Advind PE 0 () is negligible. To do this, we consider the following adversary A = (A1 ; A2 ) attacking PE in the IND-CCA2 sense. The idea is that A can simulate the choosing of a by the key generation algorithm K0 for B , and thus has access to the corresponding secret b. Note that having an oracle 0 oracle made by B : to query y for Dsk , it is indeed possible for A to reply to any queries to the Dsk k it simply returns Dsk (y). ;B

H

H

b

H

26

DH

Algorithm A1 sk (pk )

0 0 sk Algorithm AD 2 (x0 ; x1 ; s ; y ) where s = (s; a; b)

f0; 1g ; a Epk (b) 0 k a 0H D (x ; x ; s) B k b ( k a) b

k

pk

s0

0

H

pk

d

pk

1

1

sk

(s; a; b) return (x0 ; x1 ; s0 )

0

pk

ka

Dsk0 k b

B2

return d

pk

(x0 ; x1 ; s; y)

-cca2 (k) = Advind-0 cca2 (k). The assumption that It is clear that A is polynomial time and that Advind PE PE -cca2 (k) is negligible, and hence it follows PE is secure in the sense of IND-CCA2 implies that Advind PE -0 cca2 (k) is negligible. that Advind PE Claim 4.6 PE 0 is not plaintext-aware. ;A

;B

;A

;B

Proof: We consider the following speci c adversary B that outputs as her ciphertext the value a in her public key: EH Algorithm B pk 0 (pk 0 ) where pk 0 = pk k a H;

return

a

Intuitively, this adversary defeats any aspiring plaintext extractor: It will not be possible to construct a plaintext extractor for this B as long as PE 0 is secure in the sense of IND-CPA. Hence there does not exist a plaintext extractor for PE 0 . The formal proof is by contradiction. Assume PE 0 is PA. Then there exists a plaintext-extractor K 0 for PE 0 . We now de ne an adversary A = (A1 ; A2 ) that attacks PE in the sense of IND-CPA. the empty list. Algorithm A1 (pk )

x0 x1

Algorithm A2 (x0 ; x1 ; pk ; y )

f0; 1g f0; 1g

0

(pk ; y) K 0 ("; "; y; pk 0 ) 0 if x = x0 then d 0 else if x0 = x1 then d else d f0; 1g

k

pk

x0

k

return (x0 ; x1 ; pk )

return

1

d

Consider the experiment de ning the success of (A1 ; A2 ) in attacking PE in the sense of IND-CPA. In this experiment, y is the encryption of a random k-bit string. This means that in the input ("; "; y; pk 0 ) given to K , the distribution of ("; "; y) is exactly that of run B Epk0 (pk 0 ). This is because B , the adversary we de ned above, has no interaction with its oracles, and the value a in the public key pk 0 is itself the encryption of a random k-bit string. Thus, our assumption that K 0 works means that the extraction is successful with probability Succpa PE 0 0 (k). Thus pa 0 (k ) 1 1 SuccPE 0 -cpa (k) Succpa : Advind ( k ) 0 PE PE 0 2 2 The rst term is a lower bound on the probability that A2 outputs 0 when the message was x0 . The second term is an upper bound on the probability that it outputs 1 when the message was x0 . Now since K 0 is assumed to be a good extractor we know that Succpa (k) for some 0 (k ) = 1 PE 0 ind-cpa negligible function () and hence AdvPE (k) is not negligible. (In fact is of the form 1 0 (k) for some negligible function 0 ().) This contradicts the indistinguishability of PE , as desired. ;B;K

;B;K

;A

;B;K

k

;B;K

;A

27

Acknowledgments Following an oral presentation of an earlier version of this paper, Moni Naor suggested that we present notions of security in a manner that treats the goal and the attack model orthogonally [25]. We are indebted to him for this suggestion. We also thank Hugo Krawczyk, Moti Yung, and the (other) members of the CRYPTO '98 program committee for excellent and extensive comments. Finally we thank Oded Goldreich for many discussions on these topics.

References [1] [2]

M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols. of Computing, ACM, 1998.

Proceedings of the 30th Annual Symposium on the Theory

M. Bellare, A. Desai, E. Jokipii and P. Rogaway,

ric encryption: Analysis of the DES modes of operation. Foundations of Computer Science, IEEE, 1997.

A concrete security treatment of symmetProceedings of the 38th Symposium on

[3]

M. Bellare, A. Desai, D. Pointcheval and P. Rogaway,

[4]

M. Bellare, R. Impagliazzo and M. Naor, Does parallel repetition lower the error in computa-

Relations among notions of security for public-key encryption schemes. Preliminary version of this paper. Advances in Cryptology | Crypto '98 Proceedings, Lecture Notes in Computer Science, H. Krawczyk, ed., Springer-Verlag 1998. tionally sound protocols? IEEE, 1997.

,

Proceedings of the 38th Symposium on Foundations of Computer Science

[5]

M. Bellare and P. Rogaway,

[6]

M. Bellare and P. Rogaway,

Random oracles are practical: a paradigm for designing eÆcient protocols. First ACM Conference on Computer and Communications Security, ACM, 1993. Optimal asymmetric encryption { How to encrypt with RSA. , Lecture Notes in Computer Science Vol. 950, A. De Santis

Advances in Cryptology { EUROCRYPT '94

ed., Springer-Verlag, 1994. [7] [8] [9]

M. Bellare and A. Sahai, Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization. Advances in Cryptology { in Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

, Lecture Notes

CRYPTO '99

D. Bleichenbacher, A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS #1, Advances in Cryptology { CRYPTO Vol. 1462, H. Krawczyk ed., Springer-Verlag, 1998.

, Lecture Notes in Computer Science

'98

M. Blum, P. Feldman and S. Micali, Non-interactive zero-knowledge and its applications. ceedings of the 20th Annual Symposium on the Theory of Computing

, ACM, 1988.

Pro-

[10]

R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive

[11]

I. Damgard, Towards practical public key cryptosystems secure against chosen ciphertext attacks.

chosen ciphertext attack. Advances in Cryptology | Crypto '98 Proceedings, Lecture Notes in Computer Science, H. Krawczyk, ed., Springer-Verlag 1998. , Lecture Notes in Computer Science Vol. 576, J. Feigenbaum

Advances in Cryptology { CRYPTO '91

ed., Springer-Verlag, 1991. [12]

A. De Santis and G. Persiano, Zero-knowledge proofs of knowledge without interaction. ings of the 33rd Symposium on Foundations of Computer Science

[13]

, IEEE, 1992.

D. Dolev, C. Dwork, and M. Naor, Non-malleable cryptography. , ACM, 1991.

Proceed-

Proceedings of the 23rd Annual

Symposium on the Theory of Computing

[14]

D. Dolev, C. Dwork, and M. Naor, , 1995.

Non-malleable cryptography.

Weizmann Institute of Science

28

Technical Report CS95-27,

[15]

D. Dolev, C. Dwork, and M. Naor, 391-437, 2000

[16]

.

Z. Galil, S. Haber and M. Yung, Security against replay chosen ciphertext attack. Science, Vol. 2, ACM, 1991.

[19]

Advances in Cryptology {

, Lecture Notes in Computer Science Vol. 218, H. Williams ed., Springer-Verlag, 1985.

Computing and Cryptography

[18]

SIAM J. Computing, 30 (2)

Z. Galil, S. Haber and M. Yung, Symmetric public key encryption. CRYPTO '85

[17]

Non-malleable cryptography.

Distributed

, DIMACS Series in Discrete Mathematics and Theoretical Computer

O. Goldreich, Foundations of cryptography. Class notes, Spring 1989, Technion University. O. Goldreich, A uniform complexity treatment of encryption and zero-knowledge.

Journal of Cryp-

, Vol. 6, 1993, pp. 21-53.

tology

[20]

O. Goldreich, S. Goldwasser and S. Micali, How to construct random functions. ACM,

Vol. 33, No. 4, 1986, pp. 210{217.

Journal of the

[21]

S. Goldwasser and S. Micali, Probabilistic encryption.

[22]

J. Hastad, R. Impagliazzo, L. Levin and M. Luby, A pseudorandom generator from any one-way

[23]

28:270{299, 1984. function.

,

Journal of Computer and System Sciences

, Vol. 28, No. 4, 1999, pp. 1364{1396.

SIAM J. on Computing

R. Impagliazzo and M. Luby, One-way functions are essential for complexity based cryptography. Proceedings of the 30th Symposium on Foundations of Computer Science

[24]

S. Micali, C. Rackoff and R. Sloan, , April 1988.

, IEEE, 1989.

The notion of security for probabilistic cryptosystems.

SIAM J. on Computing

[25] [26]

M. Naor, private communication, March 1998. M. Naor and M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks. Proceedings of the 22nd Annual Symposium on the Theory of Computing

[27]

, ACM, 1990.

C. Rackoff and D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. Advances in Cryptology { CRYPTO J. Feigenbaum ed., Springer-Verlag, 1991.

, Lecture Notes in Computer Science Vol. 576,

'91

[28]

SETCo (Secure Electronic Transaction LLC), The SET standard | book 3 | formal protocol de -

[29]

A. Yao, Theory and applications of trapdoor functions.

nitions (version 1.0). May 31, 1997. Available from http://www.setco.org/ , IEEE, 1982.

Proceedings of the 23rd Symposium on

Foundations of Computer Science

[30]

Y. Zheng and J. Seberry, Immunizing public key cryptosystems against chosen ciphertext attack. IEEE Journal on Selected Areas in Communications

29

, vol. 11, no. 5, 715{724 (1993).