Non-interactive Zero-knowledge - DiSE: Distributed Symmetric-key Encryption

Let R be an efficiently computable binary relation. For pairs (s, w) ∈ R, we refer to s

as the statement and w as the witness. Let L be the language of statements in R, i.e.

L={s:∃w such thatR(s, w) = 1}. We define non-interactive zero-knowledge arguments of knowledge in the random oracle model based on the work of Faust et al. [FKMV12].

Definition A.6 (Non-interactive Zero-knowledge Argument of Knowledge) LetH:

{0,1}∗ _{→ {}₀_,₁_}poly(κ) _{be a hash function modeled as a random oracle. A} _NIZK _{for a binary}

relation R consists of two PPT algorithms Prove and Verify with oracle access to H defined as follows:

− ProveH(s, w) takes as input a statement s and a witness w, and outputs a proof π if

(s, w)∈R and ⊥ otherwise.

− VerifyH(s, π) takes as input a statement s and a candidate proof π, and outputs a bit b∈ {0,1} denoting acceptance or rejection.

These two algorithms must satisfy the following properties:

− Perfect completeness: For any (s, w)∈R,

VerifyH(s, π) = 1 |π ←ProveH(s, w)

= 1.

− Zero-knowledge: There must exist a pair of PPT simulators (S1,S2) such that for all

PPT adversary A, Pr[A H,ProveH₍₁κ_{) = 1]}₋_Pr[_AS1(·),S20(·,·)₍₁κ_{) = 1]} ≤negl(κ) for some negligible function negl, where

− S1 simulates the random oracle H;

− S₂0 returns a simulated proof π ← S2(s) on input (s, w) if (s, w)∈R and ⊥ otherwise;

− S1 and S2 share states.

− Argument of knowledge: There must exist a PPT simulator S1 such that for all PPT

adversaryA, there exists a PPT extractorEA such that

(s, w)∈/ R and VerifyH(s, π) = 1|

(s, π)← AS1(·)₍₁κ_);_w_{← E}A₍_{s, π, Q}₎i_≤_negl(_κ₎ for some negligible function negl, where

− S₁ is like above;

Fiat-Shamir transform. Let (Prove,Verify) be a three-round public-coin honest-verifier zero-knowledge interactive proof system (a sigma protocol) with unique responses. LetHbe a function with range equal to the space of the verifier’s coins. In the random oracle model, the proof system (ProveH,VerifyH) derived from (Prove,Verify) by applying the Fiat-Shamir transform satisfies the zero-knowledge and argument of knowledge properties defined above. See Definition 1, 2 and Theorem 1, 3 in Faust et al. [FKMV12] for more details. (They actually show that these properties hold even when adversary can ask for proofs of false statements.)

B

A few failed attempts in detail

B.1 Attempt 1: Distributed Encryption Scheme proposed by Naor et al.

The work of Naor et al. [NPR99], which puts forward the DPRF constructions we use in this paper, also proposes the only distributed symmetric-key encryption proposal we are aware of. Their proposal appeared before any formal treatment of threshold symmetric-key existed, and in fact even prior to the introduction of authenticated encryption in the non-distributed setting. Hence, it is only natural that their scheme does not meet the strong security notions we introduce here. We review their protocol in Figure11 and argue why it fails to meet the security definitions introduced in this paper.10

(In)-security of ΠNPR. The protocol ΠNPR is CPA-secure against malicious adversaries if the underlying DPRF satisfies weak-malicious security. The formal proof is similar to the proof of the CPA-security of our protocol (c.f. Theorem7.4) and hence we omit it. However, we argue that ΠNPR does not satisfy authenticity (c.f. Definition6.8) even when the corrupt parties follow the protocol. To see this, first observe that a ciphertext in this protocol is a tuple c := (j, k, e) where k = y ⊕w, y := DP(jke) and e ← sENC.Encrypt_w(m) for some message m. After obtaining this ciphertext, an adversary can go “off-line” and compute another ciphertext c0 = (j, k0, e) which now decrypts to m0 := sENC.Decrypt_w0(e) where

w0 = k0 ⊕y. This is possible since CPA-security does not guarantee that a ciphertext c

can not be decrypted with another secret-key w0 (although the message m0 will not reveal any information about m by CPA-security). So the adversary could produce many valid ciphertexts by running just one encryption session, and thus win the authenticity game. (If we consider adversaries that choose their own w, then it becomes even harder to make the scheme secure.)

The authors also mention that “in order [to] combat changes to the stored information one should use parts of y as an authentication key to eand w” (symbols in the quote have been replaced with the equivalent ones here). As we interpret, one can additionally use a message-authentication code (MAC) so that the ciphertext would look like c := (j, k, e, t) where k := w⊕y1, t = MACy2(e||w) and (y1||y2) := DP(jke). However, the modified

construction still does not satisfy the authenticity requirement (c.f. Def. 6.8) because once an adversary gets the MAC keyy2 through an encryption session, it can re-launch the same attack, this time attaching a correct MAC computed withy2.

We present a slightly different version here that does not use a collision-resistant hash function or a decryption policy, but incorporates the identity of the initiating party in computing the ciphertext. This does not interfere in any way with the security analysis we carry out.

Ingredients:

− An (n, t)-DPRF protocolDP:= (DP.Setup,DP.Eval, DP.Combine).

− A CPA secure symmetric-key encryption scheme: sENC := (sENC.Kgen,sENC.Encrypt, sENC.Decrypt).

Setup(1κ, n, t)→_Jsk_K_[_n_], pp: Run DP.Setup(1κ, n, t) to get ((rk1, . . . , rkn), pp0). Setski :=rki for

i∈[n] andpp:=pp0.

DistEnc(JskK[n],[j:m, S], pp)→[j:c/⊥]: To encrypt a messagemwith the help of parties inS:

− Party j samples w←sENC.Keygen(1κ_{) and computes} _e_←_sENC.Encrypt

w(m). Then it sends e to all parties inS.

− For everyi∈S, partyirunsDP.Eval(ski, jke, pp) to getyi, and sends it to partyj.

− Partyj runsCombine({(i, yi)}i∈S, pp) to gety or⊥. In the latter case, it outputs⊥. Otherwise,

it outputsc:= (j, k, e) wherek:=y⊕w.

DistDec(_Jsk_K_[_n_],[j0:c, S], pp)→[j0:m/⊥]: To decrypt a ciphertextcwith the help of parties inS:

− Partyj0 first parsesc into (j, k, e). Then it sendsjketo all the parties inS.

− Fori∈S, partyi receivesxand checks if it is of the formj?_k_e? _{for some}_j? _∈_[_n_{]. If not, then} it sends⊥to partyj0. Else, it runsDP.Eval(ski, x, pp) to getyi, and sends it to partyj0.

− Partyj0 runsCombine({(i, yi)}i∈S, pp) to getyor⊥. In the latter case, it outputs⊥. Otherwise, it computesw:=k⊕y and outputsm:=sENC.Decrypt_w(e).

Figure 11: Description of the protocol ΠNPR

In document DiSE: Distributed Symmetric-key Encryption (Page 40-42)