Foundations of Cryptography: Lecturer: Moni Naor

The document discusses a lecture on foundations of cryptography including malleability, chosen ciphertext attacks, and the Cramer-Shoup cryptosystem. It covers topics like semantic security, non-malleability, chosen plaintext attacks, chosen ciphertext attacks, and approaches to achieving resistance to chosen ciphertext attacks including adding redundancy and consistency checks.


Lecturer: Moni Naor

Foundations of Cryptography

Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem

Recap of last week's lecture
  Black-box zero-knowledge
  Perfect and statistical zero-knowledge
  Limitations and relaxations
  Proofs of knowledge
  Public-key identification
  Random oracles
  Interactive authentication

Interactive Authentication
P wants to convince V that he is approving message m
P has a public key K_P of an encryption scheme E.

To authenticate a message m:
  V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
  P → V: Receiving c, decrypt c using K_S.
         Verify that the prefix of the plaintext is m. If yes - send r.
V is satisfied if he receives the same r he chose
Is it Safe?
Security: existential unforgeability against adaptive chosen message attack
  Adversary can ask to authenticate any sequence of messages m_1, m_2, ...
  Has to succeed in making V accept a message m not authenticated
  Has complete control over the channels

Intuition of security: if E does not leak information about the plaintext,
nothing is leaked about r

If E is just semantically secure against chosen plaintext attacks:
  Adversary might change c = E(m∘r, K_P) into c' = E(m'∘r, K_P)   (malleability)
  Not sufficient to verify correct form of ciphertext in simulation
  Closer to a chosen ciphertext attack
Encryption - Attacks
Chosen Plaintext
Minimal attack relevant to PKCs. Assumes decrypted messages
remain secret.

CCA1: Chosen Ciphertext - preprocessing mode
(Lunch-break)
Challenge ciphertext is given after adversary relinquishes control
of decryption device.
Good model for membership queries in computational learning.

CCA2: Chosen Ciphertext - postprocessing mode
Challenge ciphertext is known when the attack takes place,
but the adversary cannot submit it to the decryption device!
Encryption - Notions of Breaking

Semantic Security: whatever is computable about the
plaintext given the ciphertext is computable without it.

Minimal notion of security for single encrypter.

Non-malleable security - whatever is computable in an
encrypted form about the plaintext given the ciphertext is
computable without it.

Important for achieving independence of messages.

Example: Auctions
Bidders submit their bids
Highest one should win
Want to keep values secret until all bids submitted
Want the bids to be independent
Different requirements - different notions.

Semantic security is not sufficient for guaranteeing the independence of
bids.

If key is used for a Single auction and secrecy is not required after the
auction is over
Non-malleable security against chosen plaintext attacks.

If key is used for many auctions and secrecy is not required after the
auction is over
Non-malleable security against
Chosen Ciphertext Attack in the preprocessing mode.

If key is used for many auctions and secrecy is required after the auction
is over
Non-malleable security against
Chosen Ciphertext Attacks in the postprocessing mode.
Semantic Security
Whatever adversary A can compute on encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
  Distribution D_n on {0,1}^n
  Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,
  | Pr[R(X, A(E(X)))] - Pr[R(X, A'(·))] |
is negligible

In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.
(Figure: A receives D_n and E(X) and outputs Y; A' receives only D_n and outputs Y'; the tester, who knows X, evaluates R(X,Y) and R(X,Y').)
Non-Malleable Security
Whatever adversary A can compute on encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.
A selects:
  Distribution D_n on {0,1}^n
  Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,
  | Pr[R(X, D(A(E(X))))] - Pr[R(X, D(A'(·)))] |
is negligible (D is the decryption; one has to deal with invalid ciphertexts output by A)

In other words: the outputs of A and A' are indistinguishable even for a tester who gets the decryptions of what they output.
(Figure: A receives D_n and E(X) and outputs a ciphertext, which is decrypted to Y; A' receives only D_n and outputs a ciphertext, decrypted to Y'; the tester evaluates R(X,Y) and R(X,Y').)
Combinations
Attack: CPA, CCA1 (lunch-time), CCA2 (post-processing)
Breaking: semantic security, non-malleability
All implications are proper
All combinations are useful in some circumstances
Principles for Increasing Security
Essentially all constructions achieving better than semantic security against chosen plaintext attacks use:
  Redundancy in the encryption.
  Validation that the ciphertext is of the right form.

Validation is the trickiest part.
Relatively simple in:
  Private-key encryption
  Random oracles
Private-key World
Preventing CCA in the postprocessing mode: add private-key authentication.
Shared key: S_1 and S_2, seeds to a pseudo-random function F

To encrypt m:
  Choose random r. Let Y = F_{S_1}(r) ⊕ m and let Z = F_{S_2}(r∘Y)
  Send (r, Y, Z)
To decrypt (r, Y, Z):
  Let Z' = F_{S_2}(r∘Y).
  If Z' = Z let m = F_{S_1}(r) ⊕ Y
  If Z' ≠ Z output invalid

Claim: scheme is NM-secure against CCA2
  No adversary can generate another ciphertext that is not labeled invalid.
  No information from rejection!
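The private-key scheme above, worked out as an added example (not code from the lecture): HMAC-SHA256 stands in for the pseudo-random function F, and the pad is stretched over longer messages with a block counter, which generalizes the slide's single F_{S_1}(r) call.

```python
import hashlib
import hmac
import secrets

BLOCK = 32   # output size of the stand-in PRF below

def F(seed, x):
    """Stand-in for the PRF F_S(x): HMAC-SHA256 keyed with seed S
    (an assumption of this example; the slide leaves F abstract)."""
    return hmac.new(seed, x, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(s1, r, n):
    """F_{S_1}(r) stretched to n bytes with a block counter, so messages longer
    than one PRF output work; for n <= 32 this is the slide's single call."""
    blocks = (n + BLOCK - 1) // BLOCK
    return b"".join(F(s1, r + i.to_bytes(4, "big")) for i in range(blocks))[:n]

def keygen():
    """Shared key (S_1, S_2): two independent PRF seeds."""
    return secrets.token_bytes(32), secrets.token_bytes(32)

def encrypt(s1, s2, m, r=None):
    r = secrets.token_bytes(16) if r is None else r
    y = xor(pad(s1, r, len(m)), m)     # Y = F_{S_1}(r) xor m
    z = F(s2, r + y)                   # Z = F_{S_2}(r || Y): the redundancy that gets checked
    return r, y, z

def decrypt(s1, s2, ct):
    """Recompute Z' and compare in constant time; anything that fails is just 'invalid'."""
    r, y, z = ct
    if not hmac.compare_digest(F(s2, r + y), z):
        return None
    return xor(pad(s1, r, len(y)), y)  # m = F_{S_1}(r) xor Y

def demo():
    """Returns (roundtrip_ok, bit_flip_rejected, pad_alone_is_malleable)."""
    s1, s2 = keygen()
    m = b"pay 100 to account 17"
    r, y, z = encrypt(s1, s2, m)
    mask = b"\x01" + b"\x00" * (len(m) - 1)
    flipped = xor(y, mask)                                # flip one bit of Y
    roundtrip_ok = decrypt(s1, s2, (r, y, z)) == m
    bit_flip_rejected = decrypt(s1, s2, (r, flipped, z)) is None
    # Without Z, the XOR layer alone would map the flipped Y to a related plaintext:
    pad_alone_is_malleable = xor(pad(s1, r, len(y)), flipped) == xor(m, mask)
    return roundtrip_ok, bit_flip_rejected, pad_alone_is_malleable
```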

DDN Lite: The Idea
Start with a PKC that is semantically secure against CPA.

Have many different instances of the original scheme

Each encryption should use a different subset of the keys
  enforced by one-time signatures.

Before decryption - verify consistency.

Properties: If the original scheme is SS against chosen plaintext attack, the result is NM-secure against chosen plaintext attacks.

If the original scheme is SS-secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.
DDN Lite
Public-Key: ⟨K_1^0, K_1^1⟩, ⟨K_2^0, K_2^1⟩, ..., ⟨K_n^0, K_n^1⟩
  (each K_i^b is the public key of a SS PKC)
  A function h: {0,1}* → {0,1}^n - UOWHF (hard to find a collision with a target input)
Private-Key: decryption keys of {K_i^b}.

Encryption of a message m:
  Choose at random K_OS, the public key of a one-time signature scheme
  Let b_1, b_2, ..., b_n = h(K_OS).
  Encrypt m using keys K_i^{b_i} to obtain C_1, C_2, ..., C_n.
  Sign ⟨C_1, C_2, ..., C_n⟩ using K_OS^{-1} and h; let S be the result
  Ciphertext is: K_OS, ⟨C_1, ..., C_n⟩, S.

Decryption of ciphertext K_OS, C_1, ..., C_n, S:
  Verify the signature S on ⟨C_1, C_2, ..., C_n⟩ using K_OS.
  Verify the consistency (equality) of all the plaintexts.
  Decrypt using any one of the keys.
Ideas for achieving resistance to CCA
Add redundancy - hard to generate frivolous ciphertexts
Add methods to check consistency. This is the trickiest part:
  Non-interactive zero-knowledge
  Specific schemes
Decrypt only if the given ciphertext passes the consistency checks

Important point: may decrypt with several different private keys
(Figure: ciphertexts C_1 and C_2 together with a proof of consistency.)
If we have consistency then we can decrypt with either key
Proofs of consistency
How to have a proof of consistency that does not leak the plaintext
  Non-Interactive Zero-Knowledge (NIZK)

How to make the proof itself non-malleable
  Otherwise one can change it and get a different ciphertext with the same plaintext

Approaches for obtaining CCA/NM
  General NIZK
  Specific NIZK
    Cramer-Shoup: special verifier
  Through IBE (Identity Based Encryption)
Discrete Log Problem
Let G be a group and g an element in G.
Let y = g^z and x the minimal non-negative integer satisfying the equation y = g^x.
x is called the discrete log of y to base g.
Example: y = g^x mod p in the multiplicative group of Z_p
In general: easy to exponentiate via repeated squaring (consider the binary representation of x)
What about discrete log?
If difficult, f(g,x) = (g, g^x) is a one-way function

DL Assumption for group G:
  No efficient algorithm can solve whp the DL problem for Y = g^X, X ∈_R [0..n-1]
Discrete Log Problem
Very useful group for DL:
  P and Q: large primes, s.t. Q | P-1
  g: an element of order Q in Z_P^*.
Best known algorithms - √Q or subexponential in log P

Randomized reduction: given Y generate Y' = Y·g^r for r ∈_R [Q]
Diffie-Hellman
The Diffie-Hellman assumption
Let G be a group and g an element in G.
Given g, X = g^a and Y = g^b it is hard to find Z = g^{ab}
  For random a and b the probability of a poly-time machine outputting g^{ab} is negligible
  More accurately: a sequence of groups

Don't know how to verify whether a given Z is equal to g^{ab}
Decisional Diffie-Hellman Problem
For generator g of a group of size Q and a, b ∈ [Q]:
Given g, Y = g^a, X = g^b and Z decide whether Z = g^{ab} or Z ≠ g^{ab}
Equivalent: is log_g Y = log_X Z?

DDH-Assumption:
The DDH-Problem is hard in the worst case.

Average DDH
For a, b ∈_R [Q] and c which is either
  c = ab, or
  c ∈_R [Q]
Given Y = g^a, X = g^b and Z = g^c, decide whether Z = g^{ab} or Z ≠ g^{ab}

DDH-Assumption, average case:
The DDH-Problem is hard for the above distribution
Worst to Average case reduction
Theorem: The average case and worst case of the DDH-Assumption are equivalent.
Given g^a, g^b and g^c (and P, Q):
  Sample r, s_1, s_2 ∈_R [Q]
  Compute
    g^{a'} = (g^a)^r · g^{s_1}
    g^{b'} = (g^b) · g^{s_2}
    g^{c'} = (g^c)^r · (g^a)^{r s_2} · (g^b)^{s_1} · g^{s_1 s_2}
  a' = ra + s_1 mod Q
  b' = b + s_2 mod Q
  a'b' = rab + ra s_2 + b s_1 + s_1 s_2

c is either ab or not

Worst to average
If c = ab + e mod Q then
  a' = ra + s_1 mod Q
  b' = b + s_2 mod Q
  c' = a'b' + e·r mod Q

Always: a' and b' are uniformly distributed.
If e = 0, then c' = a'b'.
Otherwise c' is uniform and independent in [Q]
  (a'b' = rab + ra s_2 + b s_1 + s_1 s_2)
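The re-randomization from the two slides above, as an added example that is not part of the lecture: it applies the slide's formulas in a toy order-11 subgroup of Z_23^* (constructed parameters) and checks, via brute-force discrete logs, that DH tuples map to DH tuples and non-DH tuples to non-DH tuples; drawing r from 1..Q-1 is an assumption of the example.

```python
import secrets

# Toy parameters constructed for the example: P and Q prime, Q | P-1, g of order Q.
P, Q = 23, 11

def element_of_order_q(h):
    """Map h in Z_P^* into the order-Q subgroup (h^((P-1)/Q)); must not be 1."""
    g = pow(h, (P - 1) // Q, P)
    assert g != 1
    return g

def randomize(g, A, B, C, r=None, s1=None, s2=None):
    """Re-randomize a DDH instance (A, B, C) = (g^a, g^b, g^c) into (g^a', g^b', g^c') with
    a' = r a + s1, b' = b + s2, c' = r c + r a s2 + b s1 + s1 s2 (mod Q), as on the slide.
    r is drawn from 1..Q-1 here (assumption: with r = 0, c' = a'b' would hold whatever c is)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    s1 = secrets.randbelow(Q) if s1 is None else s1
    s2 = secrets.randbelow(Q) if s2 is None else s2
    A2 = pow(A, r, P) * pow(g, s1, P) % P
    B2 = B * pow(g, s2, P) % P
    C2 = pow(C, r, P) * pow(A, r * s2, P) * pow(B, s1, P) * pow(g, s1 * s2, P) % P
    return A2, B2, C2

def dlog(g, y):
    """Brute-force discrete log, only feasible in this toy group; used to check the claim."""
    for x in range(Q):
        if pow(g, x, P) == y:
            return x
    raise ValueError("element not in the subgroup generated by g")

def is_dh_tuple(g, A, B, C):
    return (dlog(g, A) * dlog(g, B) - dlog(g, C)) % Q == 0

def check_reduction(trials=200):
    """Returns (dh_preserved, non_dh_preserved): a DH tuple must always map to a DH tuple,
    and a non-DH one (c = ab + e, e != 0) to a non-DH one, since c' - a'b' = e r != 0 mod Q."""
    g = element_of_order_q(2)
    dh_ok = non_dh_ok = True
    for _ in range(trials):
        a, b = secrets.randbelow(Q), secrets.randbelow(Q)
        e = secrets.randbelow(Q - 1) + 1
        A, B = pow(g, a, P), pow(g, b, P)
        dh_ok &= is_dh_tuple(g, *randomize(g, A, B, pow(g, a * b, P)))
        non_dh_ok &= not is_dh_tuple(g, *randomize(g, A, B, pow(g, a * b + e, P)))
    return dh_ok, non_dh_ok
```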

Evidence to Validity of DDH
Endured extensive research for DH search
DH-search related to discrete log
Hard for generic algorithms (that work in a black-box group)
Computing the most significant bits of g^{ab} is hard
Random-self-reducibility.
El-Gamal Cryptosystem variant:
Private key a ∈_R [Q]
Public key Y = g^a and P, Q and h
To encrypt M:
  choose r ∈_R [Q], compute X = g^r and Y^r
  send ⟨X, h(Y^r) ⊕ M⟩
To decrypt ⟨X, W⟩:
  compute X^a = Y^r and output h(X^a) ⊕ W
How is h chosen? Pair-wise independence suffices
(Figure: h maps the subgroup of size Q of Z_P to {0,1}^k)
El-Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks
but...
Scheme is malleable
  To change M to M' = M ⊕ C: change ⟨X, W⟩ to ⟨X, W ⊕ C⟩
Proving consistency of exponentiations
Given generators g_1, g_2 and X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?

Honest verifier zero-knowledge proof:
  Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
  Prover sends V = Z^r
  Verifier accepts iff X_1^{b_1} X_2^{b_2} = V

Simulator: choose random b_1, b_2 and output (g_1^{b_1} g_2^{b_2}, X_1^{b_1} X_2^{b_2})
Leaks only a linear equation for b_1 and b_2
Proving consistency of exponentiations
Given generators g_1, g_2 and X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?

Honest verifier zero-knowledge proof:
  Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
  Prover sends V = Z^r
  Verifier accepts iff X_1^{b_1} X_2^{b_2} = V

Soundness: if X_1 = g_1^r and X_2 = g_2^{r+e} then
  X_1^{b_1} X_2^{b_2} = g_1^{r b_1} g_2^{(r+e) b_2} = g_1^{r b_1} g_2^{r b_2} g_2^{e b_2} = Z^r · (g_2^e)^{b_2}
  and (g_2^e)^{b_2} is random in the group
Leaks only a linear equation for b_1 and b_2

Z can be known when X_1 and X_2 are chosen!
Cramer-Shoup Lite
Private key: a, b_1, b_2 ∈_R [Q]
Public key: g_1, g_2, Y = g_1^a and Z = g_1^{b_1} g_2^{b_2}

To encrypt M:
  choose r ∈_R [Q]
  compute Y^r, X_1 = g_1^r, X_2 = g_2^r and Z^r
  send ⟨X_1, X_2, h(Y^r) ⊕ M, Z^r⟩
To decrypt ⟨X_1, X_2, W, V⟩:
  check validity: X_1^{b_1} X_2^{b_2} =? V, and if yes
  compute X_1^a = Y^r. Output h(Y^r) ⊕ W
Cramer-Shoup Complexity
Encryption: 4 modular exponentiations
Decryption: 3 modular exponentiations

Cramer Shoup Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks
Show that the scheme is secure against chosen ciphertext attacks (preprocessing)
but...
Scheme is malleable
  To change M to M' = M ⊕ C: change ⟨X, W⟩ to ⟨X, W ⊕ C⟩
Chosen Ciphertext Attacks - Lunchtime
Adversary T has temporary access to a decryption oracle.
Then it is given a challenge
Semantic security - adversary chooses two messages ⟨M_0, M_1⟩
For d ∈_R {0,1} it is given E(M_d) and has to guess d.
Let p_d = Pr[T(E(M_d)) = 1 | d]
T wins if |p_1 - p_0| > ε
Proof of security
Show how to use an adversary that can break the CS scheme for breaking DDH
Given ⟨g_1, g_2, X_1, X_2⟩ want to distinguish
  X_1 = g_1^r, X_2 = g_2^r for r ∈_R [Q] and random g_1, g_2
or
  X_1 = g_1^{r_1}, X_2 = g_2^{r_2} for r_1, r_2 ∈_R [Q] and random g_1, g_2

...Proof of security - simulation
Given ⟨g_1, g_2, X_1, X_2⟩ generate
  Private key a_1, a_2, b_1, b_2 ∈_R [Q] and
  Public key ⟨g_1, g_2, Y = g_1^{a_1} g_2^{a_2}, Z = g_1^{b_1} g_2^{b_2}⟩
To decrypt ⟨X_1, X_2, W, V⟩:
  check X_1^{b_1} X_2^{b_2} =? V, and if it passes
  compute X_1^{a_1} X_2^{a_2} = Y^r. Output h(Y^r) ⊕ W

Normal operation, independent of X_1, X_2
...Proof of security - simulation
When the adversary chooses ⟨M_0, M_1⟩:
  For d ∈_R {0,1} generate the ciphertext
  ⟨X_1, X_2, h(X_1^{a_1} X_2^{a_2}) ⊕ M_d, V = X_1^{b_1} X_2^{b_2}⟩
Claim:
  If log_{g_1} X_1 = log_{g_2} X_2 then the ciphertext is valid
  If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is inconsistent and independent of d
Important property of scheme
For both the real and the simulated scheme:
no (even powerful) adversary can find an inconsistent ciphertext that is considered `valid'.

Key point:
b_1 and b_2 are random in [Q]. Z = g_1^{b_1} g_2^{b_2} reveals one linear equation;
still Q possibilities for (b_1, b_2).

Inconsistent = Invalid
Each candidate ciphertext ⟨X_1, X_2, W, V⟩ such that log_{g_1} X_1 ≠ log_{g_2} X_2
can be viewed as a query on the value (b_1, b_2).
With probability 1 - 1/Q the answer is invalid
Whp (1 - q/Q) the adversary never gets a decryption of an invalid ciphertext
No "information from rejection"!
No decryption of a consistent ciphertext reveals information regarding a_1, a_2
  Y = g_1^{a_1} g_2^{a_2} reveals one linear equation
  decryptions do not reveal more equations


The only inconsistent ciphertext that the adversary sees is the challenge ciphertext.
If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is invalid and independent of d

Let
  p_0 = Pr[T(E(M_0)) = 1 | d = 0]
  p_1 = Pr[T(E(M_1)) = 1 | d = 1]
  p = Pr[T = 1 | ciphertext is invalid]

If |p_1 - p_0| > ε then either
  |p_1 - p| > ε/2 or
  |p_0 - p| > ε/2
Can distinguish DDH with advantage ε/2
Cramer-Shoup: Full Strength
Private key: a, b_1, b_2, c_1, c_2 ∈_R [Q]
Public key: g_1, g_2, Y = g_1^a, Z = g_1^{b_1} g_2^{b_2}, Z' = g_1^{c_1} g_2^{c_2} and H
  (H: a one-way hash, a UOWHF)

To encrypt M, choose r ∈_R [Q] and
  compute Y^r, X_1 = g_1^r, X_2 = g_2^r, W = h(Y^r) ⊕ M
  α = H(W, X_1, X_2)
  send ⟨X_1, X_2, W, Z^r Z'^{αr}⟩
To decrypt ⟨X_1, X_2, W, V⟩:
  check validity: X_1^{b_1 + αc_1} X_2^{b_2 + αc_2} =? V, and if it passes
  compute X_1^a = Y^r. Output h(Y^r) ⊕ W

Cramer Shoup (full strength) Security
Under the DDH assumption the cryptosystem is non-malleable against chosen ciphertext attacks in postprocessing mode
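Both Cramer-Shoup variants above (Lite is the special case c_1 = c_2 = 0), with the consistency-of-exponentiations check from the earlier slides built into decryption, as an added example that is neither the lecture's nor Cramer and Shoup's code; the toy group (P = 2039, Q = 1019), the SHA-256 stand-ins for h and H, and the at-most-32-byte message limit are assumptions of the example.

```python
import hashlib
import secrets

# Toy group constructed for the example: P = 2Q + 1 with P, Q prime, so Z_P^*
# has a subgroup of prime order Q (real parameters would be hundreds of bits).
P, Q = 2039, 1019

def element_of_order_q(h):
    """h^((P-1)/Q) lies in the order-Q subgroup; it generates it unless it is 1."""
    g = pow(h, (P - 1) // Q, P)
    assert g != 1
    return g

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def h_pad(elem, n):
    """Stand-in for the slide's h: an n-byte pad derived from a group element.
    The lecture needs only pairwise independence; SHA-256 is a convenient substitute."""
    return hashlib.sha256(b"h|" + elem.to_bytes(2, "big")).digest()[:n]

def H_alpha(W, X1, X2):
    """Stand-in for the UOWHF H: alpha = H(W, X_1, X_2) reduced to an exponent in [Q]."""
    d = hashlib.sha256(b"H|" + W + X1.to_bytes(2, "big") + X2.to_bytes(2, "big")).digest()
    return int.from_bytes(d, "big") % Q

def keygen(g1, g2, sk=None):
    """Private key (a, b1, b2, c1, c2); public key (g1, g2, Y, Z, Z').
    Passing c1 = c2 = 0 gives Cramer-Shoup Lite (the alpha term vanishes)."""
    a, b1, b2, c1, c2 = sk if sk else [secrets.randbelow(Q) for _ in range(5)]
    Y = pow(g1, a, P)
    Z = pow(g1, b1, P) * pow(g2, b2, P) % P
    Zp = pow(g1, c1, P) * pow(g2, c2, P) % P
    return (a, b1, b2, c1, c2), (g1, g2, Y, Z, Zp)

def encrypt(pk, M, r=None):
    g1, g2, Y, Z, Zp = pk
    assert len(M) <= 32                           # one pad block (limit of this example)
    r = secrets.randbelow(Q - 1) + 1 if r is None else r   # r = 0 avoided (assumption)
    X1, X2 = pow(g1, r, P), pow(g2, r, P)         # consistent pair: same exponent r
    W = xor(h_pad(pow(Y, r, P), len(M)), M)       # W = h(Y^r) xor M
    alpha = H_alpha(W, X1, X2)
    V = pow(Z, r, P) * pow(Zp, alpha * r, P) % P  # V = Z^r Z'^(alpha r)
    return X1, X2, W, V

def decrypt(sk, ct):
    """Validity check first: X1^(b1 + alpha c1) X2^(b2 + alpha c2) == V, which is the
    consistency-of-exponentiations verification with Z fixed in the key.
    An inconsistent or altered ciphertext only learns 'invalid' (None)."""
    a, b1, b2, c1, c2 = sk
    X1, X2, W, V = ct
    alpha = H_alpha(W, X1, X2)
    if pow(X1, b1 + alpha * c1, P) * pow(X2, b2 + alpha * c2, P) % P != V:
        return None
    return xor(h_pad(pow(X1, a, P), len(W)), W)   # X1^a = Y^r

def demo():
    """Returns (roundtrip_ok, lite_is_malleable, full_rejects_same_change)."""
    g1, g2 = element_of_order_q(2), element_of_order_q(3)
    M, C = b"bid=42", b"\x00\x00\x00\x00\x00\x07"
    sk_lite, pk_lite = keygen(g1, g2, sk=(5, 7, 11, 0, 0))     # Lite: c1 = c2 = 0
    X1, X2, W, V = encrypt(pk_lite, M)
    lite_is_malleable = decrypt(sk_lite, (X1, X2, xor(W, C), V)) == xor(M, C)
    sk, pk = keygen(g1, g2)                                     # full strength
    X1, X2, W, V = encrypt(pk, M)
    roundtrip_ok = decrypt(sk, (X1, X2, W, V)) == M
    full_rejects = decrypt(sk, (X1, X2, xor(W, C), V)) is None   # holds except w.p. ~1/Q
    return roundtrip_ok, lite_is_malleable, full_rejects
```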

Conclusions
The CS scheme is within a multiplicative constant of "vanilla" Diffie-Hellman, yet enjoys provable resistance to CCA
Authentication: given CCA resistance - the only known Diffie-Hellman based public-key authentication -
can be used for deniable authentication

Interactive Authentication
P wants to convince V that he is approving message m
P has a public key K_P of an encryption scheme E.

To authenticate a message m:
  V → P: Choose r ∈_R {0,1}^n. Send c = E(m∘r, K_P)
  P → V: Receiving c, decrypt c using K_S.
         Verify that the prefix of the plaintext is m. If yes - send r.
V is satisfied if he receives the same r he chose

Is it Safe?
Want: existential unforgeability against adaptive chosen message attack
  Adversary can ask to authenticate any sequence m_1, m_2, ...
  Has to succeed in making V accept a message m not authenticated
  Has complete control over the channels

Intuition of security: if E does not leak information about the plaintext,
nothing is leaked about r

Several problems: if E is just semantically secure against chosen plaintext attacks:
  Adversary might change c = E(m∘r, K_P) into c' = E(m'∘r, K_P)   (malleability)
  Not sufficient to verify correct form of ciphertext in simulation
  Closer to a chosen ciphertext attack
No receipts
Can the verifier convince third party that the prover
approved a certain message?
Authentication and Non-Repudiation
Key idea of modern cryptography [Diffie-Hellman]:
can make authentication (signatures) transferable to third
party - Non-repudiation.
Essential to contract signing, e-commerce
Digital Signatures: last 25 years major effort in
Research
Notions of security
Computationally efficient constructions
Technology, Infrastructure (PKI), Commerce, Legal
Is non-repudiation always desirable?
Not necessarily so:
Privacy of conversation, no (verifiable) record.
Do you want everything you ever said to be held against
you?
If Bob pays for the authentication, shouldn't be able to
transfer it for free
Perhaps can gain efficiency

Alternative: (Plausible) Deniability
If the recipient (or any recipient) could have generated the
conversation himself
or an indistinguishable one

Deniable Authentication
Setting:
Sender has a public key known to receiver
Want an authentication scheme such that the receiver
keeps no receipt of the conversation.

This means:
Any receiver could have generated the conversation itself.
There is a simulator that for any message m and verifier V*
generates an indistinguishable conversation.
Exactly as in Zero-Knowledge!
An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability
Ring Signatures and Authentication
Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
  Other members do not cooperate
  Use their `regular' public keys (encryption keys)
Should be indistinguishable which member of the set is actually doing the authentication
(Figure: ring members Bob, Eve, ...; the verifier cannot tell which one is authenticating.)
A Public Key Authentication Protocol
P has a public key P_K of an encryption scheme E.
To authenticate a message m:
  V → P: Choose r ∈_R {0,1}^n and random coins ∈ {0,1}^*.
         Send Y = E(P_K, m∘r, coins)
  P → V: Verify that the prefix of the plaintext is indeed m.
         If yes - send r.
  V accepts iff the received r' = r

Is it Unforgeable? Is it Deniable?
Security of the scheme
Unforgeability: depends on the strength of E
  Sensitive to malleability: if given E(P_K, m∘r, coins) one can generate E(P_K, m'∘r', coins') where m' is related to m and r' is related to r, then one can forge.
  The protocol allows a chosen ciphertext attack on E. Even of the post-processing kind!
  Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
  Works even against concurrent executions.
  We saw an encryption scheme satisfying the desired requirements

Deniability: does V retain a receipt??
  It does not retain one for an honest V
  Need to prove knowledge of r

Simulator for honest receiver
  Choose r ∈_R {0,1}^n.
  Output: ⟨Y = E(P_K, m∘r, coins), r, coins⟩
Has exactly the same distribution as a real conversation when the verifier is following the protocol
  Statistical indistinguishability

Verifier might cheat by checking whether certain ciphertexts have m as a prefix
  No known concrete way of doing harm this way
Encryption as Commitment
When the public key P_K is fixed and known, Y = E(P_K, x, coins) can be seen as a commitment to x
To open x: reveal the random bits (coins) used to create Y

Perfect binding: from unique decryption
  For any Y there are no two different x and x' and coins, coins' s.t.
  Y = E(P_K, x, coins) = E(P_K, x', coins')

Secrecy: no information about x is leaked to those not knowing the private key P_S
Deniable Protocol
P has a public key P_K of an encryption scheme E.

To authenticate message m:
  V → P: Choose x ∈_R {0,1}^n. Send Y = E(P_K, m∘x, coins)
  P → V: Send E(P_K, x, t)
         (P commits to the value x. Does not want to reveal it yet)
  V → P: Send x and coins - opening Y = E(P_K, m∘x, coins)
  P → V: Open E(P_K, x, t) by sending t.
Security of the scheme
Unforgeability: as before - depends on the strength of E
  Can simulate the previous scheme (with access to D(P_K, ·))
  Important property: E(P_K, x, t) is a non-malleable commitment (wrt the encryption) to x.

Deniability: can run a simulator:
  Extract x by running with E(P_K, garbage, t) and rewinding
  Expected polynomial time
  Need the semantic security of E - it acts as a commitment scheme
Ring Signatures and Authentication
Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
  Other members do not cooperate
  Use their `regular' public keys
Should be indistinguishable which member of the set is actually doing the authentication
(Figure: ring members Bob, Eve, ...; the verifier cannot tell which one is authenticating.)
Ring Authentication Setting
A ring is an arbitrary set of participants including the authenticator
Each member i of the ring has a public encryption key P_{K_i}
  Only i knows the corresponding secret key P_{S_i}
To run a ring authentication protocol both sides need to know P_{K_1}, P_{K_2}, ..., P_{K_n},
the public keys of the ring members
An almost Good Ring Authentication Protocol
Ring has public keys P_{K_1}, P_{K_2}, ..., P_{K_n} of encryption scheme E
To authenticate message m with the jth decryption key P_{S_j}:

  V → P: Choose x ∈ {0,1}^n.
         Send E(P_{K_1}, m∘x, r_1), E(P_{K_2}, m∘x, r_2), ..., E(P_{K_n}, m∘x, r_n)
  P → V: Decrypt E(P_{K_j}, m∘x, r_j) using P_{S_j} and
         send E(P_{K_1}, x, t_1), E(P_{K_2}, x, t_2), ..., E(P_{K_n}, x, t_n)
  V → P: Open all the E(P_{K_i}, m∘x, r_i) by
         sending x and r_1, r_2, ..., r_n
  P → V: Verify consistency and open all E(P_{K_i}, x, t_i) by
         sending t_1, t_2, ..., t_n

Problem: what if not all suffixes (x's) are equal?
The Ring Authentication Protocol
Ring has public keys P_{K_1}, P_{K_2}, ..., P_{K_n} of encryption scheme E
To authenticate message m with the jth decryption key P_{S_j}:
  V → P: Choose x ∈ {0,1}^n.
         Send E(P_{K_1}, m∘x, r_1), E(P_{K_2}, m∘x, r_2), ..., E(P_{K_n}, m∘x, r_n)
  P → V: Decrypt E(P_{K_j}, m∘x, r_j) using P_{S_j} and
         send E(P_{K_1}, x_1, t_1), E(P_{K_2}, x_2, t_2), ..., E(P_{K_n}, x_n, t_n)
         where x = x_1 + x_2 + ... + x_n
  V → P: Open all the E(P_{K_i}, m∘x, r_i) by
         sending x and r_1, r_2, ..., r_n
  P → V: Verify consistency and open all E(P_{K_i}, x_i, t_i) by
         sending t_1, t_2, ..., t_n and x_1, x_2, ..., x_n

Complexity of the scheme
  Sender: single decryption, n encryptions and n encryption verifications
  Receiver: n encryptions and n encryption verifications
  Communication complexity: O(n) public-key encryptions
Security of the scheme
Unforgeability: as before (assuming all keys are well chosen) since
  E(P_{K_1}, x_1, t_1), E(P_{K_2}, x_2, t_2), ..., E(P_{K_n}, x_n, t_n)
  where x = x_1 + x_2 + ... + x_n
  is a non-malleable commitment to x

Source Hiding: which key was used (among well chosen keys) is
  Computationally indistinguishable during the protocol
  Statistically indistinguishable after the protocol, if it ends successfully

Deniability: can run the simulator `as before'
Properties of the Scheme
Works with any good encryption scheme - members of the ring are unwilling participants.
Fairly efficient scheme:
  Need n encryptions, n verifications and one decryption
Can extend the scheme so as to convince a verifier that at least k members confirm the message.

What are the social implications of the existence of ring authentication?
Sources
Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003.
Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net).
Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. In Eurocrypt 2003.
Question: zero-knowledge protocol for subset sum
Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
Subset sum problem: given n numbers 0 ≤ a_1, a_2, ..., a_n < 2^m and a target sum T,
is there a subset S ⊆ {1,...,n} such that Σ_{i ∈ S} a_i = T mod 2^m?


Question: statistically hiding, computationally binding commitments from collision intractable hash functions
Goal: construct a commitment scheme where
  the induced distribution of the transcript is (nearly) independent of the string committed to
  No PPT sender can with probability (1 - negligible) reveal two different strings following the commit phase.

Protocol for committing to a bit b. Let H be a family of collision intractable hash functions
Commit:
  Receiver: choose h ∈ H and give it to the sender
  Sender: choose random z and r. Send h(z), r and ⟨z, r⟩ ⊕ b
    (⟨z, r⟩ is the inner product over GF[2])
Reveal: publish z

Prove that the protocol satisfies the above requirements
Find the error
Let E be a public-key encryption scheme which is errorless.
Let H be a family of collision intractable hash functions
Commit:
  Sender chooses a key pair (K_P, K_S) for E and h ∈ H and sends
  h, K_P, E(K_P, x), h(x ∘ E(K_P, x))
Reveal: publish K_S

Show that there exists a family H of collision intractable hash functions such that the scheme is insecure for any E
(assuming collision intractable hash functions exist).
