Why does this attack on a simplified version of the Naor-Yung scheme not work for the original scheme?

Question

tl;dr: We were given a homework, in which we should discuss, whether encrypting twice in the Naor-Yung scheme is actually necessary. I could prove that it is, by constructing an attacker on a scheme which encrypts only once. However, it seems to me, as if this attack could also work on the original version. This obviously has to be wrong. I would like to know where I am wrong.

We are currently discussing the Naor-Yung scheme in a lecture and were given the following homework:

Consider the CPA-secure PKE $\Pi_1 := (\mathsf{Gen}_1, \mathsf{Enc}_1, \mathsf{Dec}_1)$, the language \begin{align*} \mathcal{L} := \left\{ (\mathsf{ek},c) \mid \exists m,s : \mathsf{Enc}_1(\mathsf{ek},m;s) = c \right\} \in \mathcal{NP} \end{align*} (where $s$ is the random tape) and the NIZK $(\mathsf{V}, \mathsf{P})$ for $\mathcal{L}$.

We define a new PKE $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ as follows:

• $\mathsf{Gen}(1^n)$:
  • $(\mathsf{dk}', \mathsf{ek}') \leftarrow \mathsf{Gen}_1(1^n)$
  • $r \leftarrow \left\{ 0,1 \right\}^{\mathsf{poly}(n)}$
  • $\mathsf{ek} := (\mathsf{ek}', r)$
  • $\mathsf{dk} := (\mathsf{ek}', \mathsf{dk}', r)$
  • return $(\mathsf{ek}, \mathsf{dk})$
• $\mathsf{Enc}(\mathsf{ek}, m)$
  • $s \leftarrow \left\{ 0,1 \right\}^{\mathsf{poly}(n)}$
  • $c' \leftarrow \mathsf{Enc}_1(\mathsf{ek'}, m; s)$
  • $\pi \leftarrow \mathsf{P}(r,(\mathsf{ek}',c'),(m,s))$
  • return $c:=(c', \pi)$
• $\mathsf{Dec}(\mathsf{dk}, c)$
  • return $\left\{ \begin{array}{ll} \mathsf{Dec}_1(\mathsf{dk}',c') & \textrm{if } \mathsf{V}(r, (\mathsf{ek}',c'), \pi) = 1 \\ \bot & \, \textrm{else} \\ \end{array} \right.$

Is $\Pi$ CCA1-secure?

So basically, the question was, whether encrypting twice (as in Naor-Yung) is actually necessary.

I came up with the following solution:

We take a CPA-secure PKE $\Pi_0 := (\mathsf{Gen}_0, \mathsf{Enc}_0, \mathsf{Dec}_0)$ and define $\Pi_1 := (\mathsf{Gen}_0, \mathsf{Enc}_1, \mathsf{Dec}_1)$ with:

• $\mathsf{Enc}_1(\mathsf{ek}, m)$
  • $t \leftarrow \left\{0,1\right\}^n$
  • return $(c,t) := (\mathsf{Enc}_0(\mathsf{ek}, m),t)$
• $\mathsf{Dec}(\mathsf{dk}, (c,t))$
  • return $\left\{ \begin{array}{ll} \mathsf{dk} & \textrm{if } t = 0^n \\ \mathsf{Dec}_0(\mathsf{dk},c)& \, \textrm{else} \\ \end{array} \right.$

It is obvious, that this construction is also CPA-secure, thus we may use it in $\Pi$.

Using a NIZK $(\mathsf{V}_0, \mathsf{P}_0)$ for the language \begin{align*} \mathcal{L}_0 := \left\{ (\mathsf{ek},c) \mid \exists m,s : \mathsf{Enc}_0(\mathsf{ek},m;s) = c \right\} \in \mathcal{NP} \end{align*} we find a straightforward construction for the NIZK $(\mathsf{V}, \mathsf{P})$ for $\mathcal{L}$. (In short: We can simply omit the random string $t$ and then use $\mathsf{V}_0$, respectively $\mathsf{P}_0$.)

Now the following problem arises: If $\pi$ proves $(\mathsf{ek}, (c,t)) \in \mathcal{L}$, then $\pi$ also proves $(\mathsf{ek}, (c,t')) \in \mathcal{L}$ for any $t' \in \left\{0,1\right\}^n$. This allows a CCA1 attacker to completely break $\Pi$:

1. Choose a random message $m$ and compute $((c',t),\pi) \leftarrow \mathsf{Enc}(\mathsf{ek},m)$
2. Use the decryption oracle to compute $\mathsf{dk} \leftarrow \mathsf{Dec}(\mathsf{dk},((c',0^n),\pi))$

Hence, $\Pi$ is not CCA1-secure.

---

Now to my question. It is not part of the homework, but it genuinely interests me: I would argue, that this technique can similarly be applied to the Naor-Yung scheme, because I can not figure out the point at which it would fail. However, it is clear to me, that it must fail of course, since we already proved in the lecture, that the scheme is CCA1-secure.

So, where does my technique fail?

If I would have to guess, I would say, that my construction for $(\mathsf{V}, \mathsf{P})$ maybe is not ZK.

However, I have already tried constructing a reduction from a distinguisher for $(\mathsf{V}_0, \mathsf{P}_0)$ to a distinguisher for $(\mathsf{V}, \mathsf{P})$, to prove that it actually is a ZK and do not see, where I could have made a mistake. (The reduction simply appends random strings to the cipher texts.)

Answer 1

If $\pi$ proves $(ek,(c,t)) \in \cal L$, then $\pi$ also proves $(ek,(c,t')) \in \cal L$.

It is true that $(ek,(c,t)) \in \mathcal L \implies (ek,(c,t')) \in \mathcal L$. So a proof of the first expression should convince you of the second expression too. But it doesn't mean that in the NIZK scheme, a valid proof of the first expression literally also serves as a proof of the second expression. Usually the proofs need to be bound tightly to the specific statement being proven, and can't be used for multiple statements.

More generally, suppose we are dealing with a language $\mathcal{L}$ where we know that $x \in \mathcal L \iff f(x) \in \mathcal L$ for some function $f$. (In our case $f$ flips some bits in a ciphertext.) You are claiming that $\textsf{Ver}(x,\pi) =1 \implies \textsf{Ver}(f(x),\pi)$ in the NIZK scheme. Let's say that the NIZK scheme has a "double-duty proofs" property if this is true.

Double-duty proofs would violate a standard property of NIZK schemes called simulation soundness. Simulation soundness says that an adversary can't compute proofs of false statements, even after seeing simulated proofs of false statements.

Suppose the attacker requests a simulated proof $\pi$ of a false statement $x \not\in \mathcal L$. Then $f(x) \not\in \mathcal{L}$ either, but double-duty proofs property would imply that $\pi$ also verifies as a proof of the (false) statement $f(x)$. So the attacker can easily find a proof of a false statement, violating simulation soundness.

So even if we see a proof of $x \in \mathcal L$, and we know that this implies $f(x) \in \mathcal L$ also, it should still be hard to come up with a proof of $f(x) \in \mathcal L$. This is because the witness for $f(x)$ is related to the witness of $x$. We should only be able to come up with a proof of $f(x) \in \mathcal L$ by knowing the witness.

I don't remember all the gory details of Naor-Yung right now, but I would not be surprised if it required some kind of simulation-soundness. The security proof has to give out proofs of false statements (when the two ciphertexts encrypt different things) while still preventing the attacker from decrypting bogus ciphertexts.