Lecturer: Moni Naor Foundations of Cryptography Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem

Page 1:

Lecturer: Moni Naor
Foundations of Cryptography
Lecture 14: Malleability, Chosen Ciphertext Attacks, Cramer-Shoup Cryptosystem

Page 2: Recap of last week's lecture

– Black-box zero-knowledge
– Perfect and statistical zero-knowledge
• Limitations and relaxations
  – Proofs of knowledge
• Public-key identification
  – Random oracles
  – Interactive authentication

Page 3: Interactive Authentication

P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.

To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c, decrypt c using the private key K_S. Verify that the prefix of the plaintext is m. If yes, send r.

V is satisfied if he receives the same r he chose.

Page 4: Is it Safe?

Security: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence of messages m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels

• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• If E is "just" semantically secure against chosen plaintext attacks:
  – Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
• Malleability
  – Not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack

Page 5: Encryption - Attacks

• Chosen Plaintext
  – Minimal attack relevant to PKCs. Assumes decrypted messages remain secret.
• CCA1: Chosen Ciphertext - preprocessing mode (lunch-break)
  – Challenge ciphertext is given after the adversary relinquishes control of the decryption device.
  – Good model for membership queries in computational learning.
• CCA2: Chosen Ciphertext - postprocessing mode
  – Challenge ciphertext is known when the attack takes place
  – but the adversary cannot submit it to the decryption device!

Page 6: Encryption - Notions of Breaking

• Semantic Security: whatever is computable about the plaintext given the ciphertext is computable without it.
  – Minimal notion of security for a single encrypter.
• Non-malleable security: whatever is computable in an encrypted form about the plaintext given the ciphertext is computable without it.
  – Important for achieving independence of messages.

Page 7: Application: auctions

• Bidders submit their bids; the highest one should win
• Want to keep values secret until all bids are submitted
• Bids should be independent

Page 8: Example: Auctions

Different requirements - different notions.
• Semantic security is not sufficient for guaranteeing the independence of bids.
• If the key is used for a single auction and secrecy is not required after the auction is over:
  – Non-malleable security against chosen plaintext attacks.
• If the key is used for many auctions and secrecy is not required after the auction is over:
  – Non-malleable security against chosen ciphertext attacks in the preprocessing mode.
• If the key is used for many auctions and secrecy is required after the auction is over:
  – Non-malleable security against chosen ciphertext attacks in the postprocessing mode.

Page 9: Semantic Security

Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.

A selects:
• Distribution D_n on {0,1}^n
• Relation R(X, Y), computable in probabilistic polynomial time

For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,

|Pr[R(X, A(E(X)))] − Pr[R(X, A'(·))]|

is negligible.

In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.

Page 10: [Figure: semantic security. Left: A chooses D_n, X ∈_R D_n, A receives E(X) and outputs Y, and R(X, Y) is evaluated. Right: A' chooses D_n, receives nothing (·) and outputs Y, and R(X, Y) is evaluated. The two experiments are ≈ (indistinguishable).]

Page 11: Non-Malleable Security

Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X.

A selects:
• Distribution D_n on {0,1}^n
• Relation R(X, Y), computable in probabilistic polynomial time

For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n,

|Pr[R(X, D(A(E(X))))] − Pr[R(X, D(A'(·)))]|

is negligible.

In other words: the outputs of A and A' are indistinguishable even for a tester who gets the decryptions of what they output.

Page 12: [Figure: non-malleable security. As on Page 10, but the output Y of A (given E(X)) and of A' (given nothing) is first decrypted by D before R(X, ·) is evaluated; the two experiments are ≈.]

Must deal with invalid ciphertexts.

Page 13: Combinations

Attack (columns):
• CPA
• CCA1 (lunch-time)
• CCA2 (post-processing)

Breaking (rows):
• Semantic Security
• Non-Malleability

All implications are proper.
All combinations are useful in some circumstances.

Page 14: Principles for Increasing Security

Essentially all constructions achieving better than semantic security against chosen plaintext attacks use:
• Redundancy in the encryption.
• Validation that the ciphertext is of the right form.

Validation is the trickiest part.
• Relatively simple in:
  – Private-key encryption
  – Random oracles

Page 15: Private-key World

Preventing CCA in the postprocessing mode: add private-key authentication.
• Shared key: S_1 and S_2, seeds to a pseudo-random function F

To encrypt m:
• Choose random r. Let Y = F_{S_1}(r) ⊕ m and let Z = F_{S_2}(r ∘ Y)
• Send (r, Y, Z)

To decrypt (r, Y, Z):
• Let Z' = F_{S_2}(r ∘ Y).
  – If Z' = Z let m = F_{S_1}(r) ⊕ Y
  – If Z' ≠ Z output invalid

Claim: the scheme is NM-secure against CCA2
• No adversary can generate another ciphertext that is not labeled invalid.
• No information from rejection!

Page 16: DDN Lite: The Idea

Start with a PKC that is semantically secure against CPA.
• Have many different instances of the original scheme
• Each encryption should use a different subset of the keys - enforce by one-time signatures.
• Before decryption - verify consistency.
• Properties: if the original scheme is SS against chosen plaintext attacks, the result is NM-secure against chosen plaintext attacks.
• If the original scheme is S-secure against CCA in the preprocessing mode, the result is NM-secure against CCA in the preprocessing mode.

Page 17: DDN Lite

Public key: ⟨K_1^0, K_1^1⟩, ⟨K_2^0, K_2^1⟩, …, ⟨K_n^0, K_n^1⟩ (each is the public key of a SS PKC)
• A function h: {0,1}* → {0,1}^n - a UOWHF (hard to find a collision with a target input)

Private key: the decryption keys of {K_i^b}.

Encryption of a message m:
• Choose at random K_OS, the public key of a one-time signature scheme
• Let b_1, b_2, …, b_n = h(K_OS)
• Encrypt m using keys K_i^{b_i} to obtain C_1, C_2, …, C_n
• Sign ⟨C_1, C_2, …, C_n⟩ using K_OS^{-1} and h; let S be the result
• Ciphertext is: K_OS, ⟨C_1, …, C_n⟩, S

Decryption of ciphertext K_OS, C_1, …, C_n, S:
• Verify the signature S on ⟨C_1, C_2, …, C_n⟩ using K_OS
• Verify the consistency (equality) of all the plaintexts
• Decrypt using any one of the keys

Page 18: Ideas for achieving resistance to CCA

• Add redundancy - hard to generate frivolous ciphertexts
• Add methods to check consistency
  – This is the trickiest part:
    • Non-interactive zero-knowledge
    • Specific schemes
• Decrypt only if the given ciphertext passes the consistency checks

Important point: may decrypt with several different private keys.

[Figure: C_1 and C_2 with a proof of consistency between them]

If we have consistency then we can decrypt with either key.

Page 19: Proofs of consistency

• How to have a proof of consistency that does not leak the plaintext
  – Non-Interactive Zero-Knowledge (NIZK)
• How to make the proof itself non-malleable
  – Otherwise one can change it and get a different ciphertext with the same plaintext

Page 20: Approaches for obtaining CCA/NM

• General NIZK
• Specific NIZK
  – Cramer-Shoup: special verifier
• Through IBE - Identity Based Encryption

Page 21: Discrete Log Problem

• Let G be a group and g an element in G.
• Let y = g^z and x the minimal non-negative integer satisfying the equation y = g^x. x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p
• In general: easy to exponentiate via repeated squaring
  – Consider the binary representation of the exponent
• What about discrete log?
  – If difficult, f(g, x) = (g, g^x) is a one-way function

DL Assumption for group G:
• No efficient algorithm can solve, for a ∈_R [0..n-1], whp the DL problem for Y = g^a

Page 22: Discrete Log Problem

Very useful group for DL:
• P and Q: large primes, s.t. Q | P-1
• g: an element of order Q in Z_P^*

Best known algorithms:
– √Q (generic), or
– subexponential in log P

Randomized reduction: given Y generate Y' = Y·g^r for r ∈_R [Q]

Page 23: Diffie-Hellman

The Diffie-Hellman assumption: let G be a group and g an element in G. Given g, X = g^a and Y = g^b it is hard to find Z = g^{ab}: for random a and b, the probability of a poly-time machine outputting g^{ab} is negligible.

More accurately: a sequence of groups.

Don't know how to verify whether a given Z' is equal to g^{ab}.

Page 24: Decisional Diffie-Hellman Problem

For a generator g of a group of size Q and a, b ∈ [Q]:
Given g, Y = g^a, X = g^b and Z, decide whether Z = g^{ab} or Z ≠ g^{ab}.
Equivalent: is log_g Y = log_X Z?

DDH-Assumption:
• The DDH-Problem is hard in the worst case.

Page 25: Average DDH

For a, b ∈_R [Q] and c which is either
– c = ab, or
– c ∈_R [Q]

Given Y = g^a, X = g^b and Z = g^c, decide whether Z = g^{ab} or Z ≠ g^{ab}.

DDH-Assumption, average case:
• The DDH-Problem is hard for the above distribution.

Page 26: Worst to Average case reduction

Theorem: the average case and the worst case of the DDH-Assumption are equivalent.
• Given g^a, g^b and g^c (and P, Q)
• Sample r, s_1, s_2 ∈_R [Q]
• Compute
  g^{a'} = (g^a)^r · g^{s_1}
  g^{b'} = g^b · g^{s_2}
  g^{c'} = (g^c)^r · (g^a)^{r s_2} · (g^b)^{s_1} · g^{s_1 s_2}

So a' = ra + s_1 mod Q, b' = b + s_2 mod Q, and a'b' = rab + ras_2 + bs_1 + s_1s_2.
c is either ab or not.

Page 27: …Worst to average

If c = ab + e mod Q then
– a' = ra + s_1 mod Q
– b' = b + s_2 mod Q
– c' = a'b' + e·r mod Q

• Always: a' and b' are uniformly distributed.
• If e = 0, then c' = a'b'.
• Otherwise (for r ≠ 0) c' is uniform and independent in [Q].

Recall: a' = ra + s_1 mod Q, b' = b + s_2 mod Q, a'b' = rab + ras_2 + bs_1 + s_1s_2.
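The re-randomisation of Pages 26-27 carried out in Python, as an added example that is not part of the lecture. It assumes a constructed toy group (P = 2039, Q = 1019, g = 4, far too small for real use) and checks that the group-level map agrees with the exponent-level algebra, that a DH tuple always stays a DH tuple, and that a non-DH tuple becomes one only when the sampled r is 0.

```python
"""Worst-to-average random self-reduction for DDH (Pages 26-27).
Constructed toy group: P = 2039 and Q = 1019 are primes with Q | P-1,
and g = 4 (a quadratic residue) generates the order-Q subgroup of Z_P^*."""
import secrets

P, Q, G = 2039, 1019, 4


def rerandomize(ga, gb, gc, r, s1, s2):
    """Map (g^a, g^b, g^c) to (g^a', g^b', g^c') as on Page 26, using only
    the group elements (the exponents a, b, c stay unknown):
        g^a' = (g^a)^r * g^s1
        g^b' =  g^b    * g^s2
        g^c' = (g^c)^r * (g^a)^(r*s2) * (g^b)^s1 * g^(s1*s2)
    """
    ga2 = pow(ga, r, P) * pow(G, s1, P) % P
    gb2 = gb * pow(G, s2, P) % P
    gc2 = (pow(gc, r, P) * pow(ga, r * s2 % Q, P) * pow(gb, s1, P)
           * pow(G, s1 * s2 % Q, P)) % P
    return ga2, gb2, gc2


def rerandomize_exponents(a, b, c, r, s1, s2):
    """The same map written in the exponent (Page 27): with e = c - ab,
    a' = ra + s1, b' = b + s2 and c' = a'b' + e*r, all mod Q."""
    a2 = (r * a + s1) % Q
    b2 = (b + s2) % Q
    e = (c - a * b) % Q
    c2 = (a2 * b2 + e * r) % Q
    return a2, b2, c2


def is_ddh_tuple(a, b, c):
    """True when (g^a, g^b, g^c) is a Diffie-Hellman tuple, i.e. c = ab mod Q."""
    return c % Q == a * b % Q


def check_reduction(a, b, c, r, s1, s2):
    """Verify that the group-level and exponent-level maps agree and return
    (a', b', c') so the caller can inspect whether c' = a'b'."""
    ga, gb, gc = pow(G, a, P), pow(G, b, P), pow(G, c, P)
    got = rerandomize(ga, gb, gc, r, s1, s2)
    a2, b2, c2 = rerandomize_exponents(a, b, c, r, s1, s2)
    want = (pow(G, a2, P), pow(G, b2, P), pow(G, c2, P))
    assert got == want, "group-level and exponent-level maps disagree"
    return a2, b2, c2


def demo(trials=2000):
    """Constructed experiment: a DH tuple stays a DH tuple for every sample;
    a non-DH tuple (e = 7 here) becomes a DH tuple only when r = 0, which is
    the 1/Q case excluded from the slide's 'uniform and independent' claim."""
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)
    dh_preserved = 0
    non_dh_leaked = 0
    for _ in range(trials):
        r, s1, s2 = (secrets.randbelow(Q) for _ in range(3))
        a2, b2, c2 = check_reduction(a, b, a * b % Q, r, s1, s2)
        dh_preserved += is_ddh_tuple(a2, b2, c2)
        a2, b2, c2 = check_reduction(a, b, (a * b + 7) % Q, r, s1, s2)
        non_dh_leaked += is_ddh_tuple(a2, b2, c2) and r != 0
    return dh_preserved == trials, non_dh_leaked == 0
```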

Page 28: Evidence for the Validity of DDH

• Endured extensive research on DH search
  – DH search is related to discrete log
• Hard for generic algorithms (that work in a black-box group)
• Computing the most significant bits of g^{ab} is hard
• Random self-reducibility.

Page 29: El-Gamal Cryptosystem variant

• Private key a ∈_R [Q]
• Public key Y = g^a and P, Q and h
• To encrypt M:
  – choose r ∈_R [Q], compute X = g^r and Y^r
  – send ⟨X, h(Y^r) ⊕ M⟩
• To decrypt ⟨X, W⟩:
  – compute X^a = Y^r and
  – output h(X^a) ⊕ W

How is h chosen? Pair-wise independence suffices.

[Figure: h maps the subgroup of size Q of Z_P^* to {0,1}^k]

Page 30: El-Gamal Security

Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks,

but...
• The scheme is malleable
  – To change M to M' = M·C: change ⟨X, W⟩ to ⟨X, W·C⟩

Page 31: Proving consistency of exponentiations

• Given generators g_1, g_2 and X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?

Honest-verifier zero-knowledge proof:
• Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
• Prover sends V = Z^r
• Verifier accepts iff X_1^{b_1} X_2^{b_2} = V

Simulator: choose random b_1, b_2 and output (g_1^{b_1} g_2^{b_2}, X_1^{b_1} X_2^{b_2})

Leaks only a linear equation for b_1 and b_2.

Page 32: Proving consistency of exponentiations

• Given generators g_1, g_2 and X_1, X_2: is there an r where X_1 = g_1^r and X_2 = g_2^r?

Honest-verifier zero-knowledge proof:
• Verifier sends Z = g_1^{b_1} g_2^{b_2} for random b_1, b_2
• Prover sends V = Z^r
• Verifier accepts iff X_1^{b_1} X_2^{b_2} = V

Soundness: if X_1 = g_1^r and X_2 = g_2^{r+e} then

X_1^{b_1} X_2^{b_2} = g_1^{r b_1} g_2^{(r+e) b_2} = g_1^{r b_1} g_2^{r b_2} g_2^{e b_2} = Z^r (g_2^e)^{b_2}

where the factor (g_2^e)^{b_2} is random in the group from the prover's point of view.

Leaks only a linear equation for b_1 and b_2.

Z can be known when X_1 and X_2 are chosen!

Page 33: Cramer-Shoup Lite

• Private key: a, b_1, b_2 ∈_R [Q]
• Public key: g_1, g_2, Y = g_1^a and Z = g_1^{b_1} g_2^{b_2}
• To encrypt M:
  – choose r ∈_R [Q]
  – compute Y^r, X_1 = g_1^r, X_2 = g_2^r and Z^r
  – send ⟨X_1, X_2, h(Y^r) ⊕ M, Z^r⟩
• To decrypt ⟨X_1, X_2, W, V⟩:
  – check validity: X_1^{b_1} X_2^{b_2} = V, and if yes
  – compute X_1^a = Y^r. Output h(Y^r) ⊕ W

Page 34: Cramer-Shoup Complexity

• Encryption: 4 modular exponentiations
• Decryption: 3 modular exponentiations

Page 35: Cramer-Shoup Security

Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attacks.

Show that the scheme is secure against chosen ciphertext attacks (preprocessing).

but...
• The scheme is malleable
  – To change M to M' = M·C: change ⟨X, W⟩ to ⟨X, W·C⟩ (the validity check does not involve W)

Page 36: Chosen Ciphertext Attacks - Lunchtime

Adversary T has temporary access to a decryption oracle. Then it is given a challenge.
• Semantic security: the adversary chooses two messages ⟨M_0, M_1⟩
• For d ∈_R {0,1} it is given E(M_d) and has to guess d.

Let p_d = Pr[T(E(M_d)) = '1' | d]
• T wins if |p_1 − p_0| ≥ ε

Page 37: Proof of security

Show how to use an adversary that can break the CS scheme for breaking DDH.

Given ⟨g_1, g_2, X_1, X_2⟩ we want to distinguish
• X_1 = g_1^r, X_2 = g_2^r for r ∈_R [Q] and random g_1, g_2
or
• X_1 = g_1^{r_1}, X_2 = g_2^{r_2} for r_1, r_2 ∈_R [Q] and random g_1, g_2

Page 38: …Proof of security - simulation

Given ⟨g_1, g_2, X_1, X_2⟩ generate
• Private key a_1, a_2, b_1, b_2 ∈_R [Q] and
• Public key ⟨g_1, g_2, Y = g_1^{a_1} g_2^{a_2}, Z = g_1^{b_1} g_2^{b_2}⟩
• To decrypt ⟨X'_1, X'_2, W, V⟩:
  – check X'_1^{b_1} X'_2^{b_2} = V and if it passes
  – compute X'_1^{a_1} X'_2^{a_2} = Y^r. Output h(Y^r) ⊕ W

Normal operation, independent of X_1, X_2.

Page 39: …Proof of security - simulation

When the adversary chooses ⟨M_0, M_1⟩: for d ∈_R {0,1} generate the ciphertext

⟨X_1, X_2, h(X_1^{a_1} X_2^{a_2}) ⊕ M_d, V = X_1^{b_1} X_2^{b_2}⟩

Claim:
• If log_{g_1} X_1 = log_{g_2} X_2 then the ciphertext is valid
• If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is inconsistent and independent of d

Page 40: Important property of the scheme

For both the real and the simulated scheme:
• no (even powerful) adversary can find an inconsistent ciphertext that is considered 'valid'.
• Key point: b_1 and b_2 are random in [Q]. Z = g_1^{b_1} g_2^{b_2} reveals one linear equation; there are still Q possibilities for (b_1, b_2).

Page 41: Inconsistent = Invalid

• Each candidate ciphertext ⟨X'_1, X'_2, W', V'⟩ such that log_{g_1} X'_1 ≠ log_{g_2} X'_2 can be viewed as a query on the value (b_1, b_2).
• With probability 1 − 1/Q the answer is invalid
• Whp (1 − q/Q, for q decryption queries) the adversary never gets a decryption of an invalid ciphertext
• No "information" from rejection!

Page 42:

• No decryption of a consistent ciphertext reveals information regarding a_1, a_2: Y = g_1^{a_1} g_2^{a_2} reveals one linear equation, and decryptions do not reveal more equations.
• The only inconsistent ciphertext that the adversary sees is the challenge ciphertext.
  – If log_{g_1} X_1 ≠ log_{g_2} X_2 then the ciphertext is invalid and independent of d

Page 43:

• Let p_0 = Pr[T(E(M_0)) = '1' | d = 0]
  p_1 = Pr[T(E(M_1)) = '1' | d = 1]
  p' = Pr[T = '1' | ciphertext is invalid]
• If |p_1 − p_0| ≥ ε then either |p_1 − p'| ≥ ε/2 or |p_0 − p'| ≥ ε/2
• Can distinguish DDH with advantage ε/2

Page 44: Cramer-Shoup: Full Strength

• Private key: a, b_1, b_2, c_1, c_2 ∈_R [Q]
• Public key: g_1, g_2, Y = g_1^a, Z = g_1^{b_1} g_2^{b_2}, Z' = g_1^{c_1} g_2^{c_2} and H (a one-way hash; a UOWHF)
• To encrypt M, choose r ∈_R [Q] and
  – compute Y^r, X_1 = g_1^r, X_2 = g_2^r, W = h(Y^r) ⊕ M, α = H(W, X_1, X_2)
  – send ⟨X_1, X_2, W, Z^r Z'^{rα}⟩
• To decrypt ⟨X_1, X_2, W, V⟩:
  – compute α = H(W, X_1, X_2)
  – check validity: X_1^{b_1 + α c_1} X_2^{b_2 + α c_2} = V and if it passes
  – compute X_1^a = Y^r. Output h(Y^r) ⊕ W
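Cramer-Shoup Lite (Page 33), the W-malleation of Page 35 and the full-strength check of Page 44, worked in Python as an added example; this is not the lecture's or Cramer and Shoup's code. It assumes a constructed toy group (P = 2039, Q = 1019, g_1 = 4, g_2 = 9, far too small for real use), uses the multiplicative variant W = M·Y^r in place of h(Y^r) ⊕ M, and substitutes SHA-256 reduced mod Q for the UOWHF H.

```python
"""Cramer-Shoup Lite vs. full Cramer-Shoup over a toy prime-order subgroup.
Constructed parameters: P = 2039 and Q = 1019 are primes with Q | P-1; g1 = 4
and g2 = 9 are quadratic residues, so they generate the order-Q subgroup of
Z_P^*.  Messages are subgroup elements; W = M * Y^r is the multiplicative
variant of the slides' h(Y^r) xor M.  SHA-256 mod Q stands in for the UOWHF."""
import hashlib
import secrets

P, Q = 2039, 1019
G1, G2 = 4, 9


def _hash_to_exponent(w, x1, x2):
    """alpha = H(W, X1, X2) in [Q]; SHA-256 is a stand-in for the slide's H."""
    data = f"{w},{x1},{x2}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(full):
    """Lite: sk = (a, b1, b2), pk = (Y, Z).  Full adds (c1, c2) and Z'."""
    a, b1, b2 = (secrets.randbelow(Q) for _ in range(3))
    sk = {"a": a, "b1": b1, "b2": b2}
    pk = {"Y": pow(G1, a, P), "Z": pow(G1, b1, P) * pow(G2, b2, P) % P}
    if full:
        c1, c2 = secrets.randbelow(Q), secrets.randbelow(Q)
        sk.update(c1=c1, c2=c2)
        pk["Zp"] = pow(G1, c1, P) * pow(G2, c2, P) % P
    return pk, sk


def encrypt(pk, m):
    """<X1, X2, W, V> with V = Z^r (Lite) or V = Z^r * Z'^(r*alpha) (full)."""
    r = secrets.randbelow(Q)
    x1, x2 = pow(G1, r, P), pow(G2, r, P)
    w = m * pow(pk["Y"], r, P) % P
    v = pow(pk["Z"], r, P)
    if "Zp" in pk:
        alpha = _hash_to_exponent(w, x1, x2)
        v = v * pow(pk["Zp"], r * alpha % Q, P) % P
    return x1, x2, w, v


def decrypt(pk, sk, ct):
    """Return M, or None when the validity check rejects the ciphertext."""
    x1, x2, w, v = ct
    e1, e2 = sk["b1"], sk["b2"]
    if "c1" in sk:                      # full scheme ties the check to W
        alpha = _hash_to_exponent(w, x1, x2)
        e1 = (e1 + alpha * sk["c1"]) % Q
        e2 = (e2 + alpha * sk["c2"]) % Q
    if pow(x1, e1, P) * pow(x2, e2, P) % P != v:
        return None                     # "invalid": nothing else is revealed
    yr = pow(x1, sk["a"], P)            # X1^a = Y^r for a consistent ciphertext
    return w * pow(yr, -1, P) % P


def multiply_w(ct, c):
    """The Page 35 malleation: W -> W*C turns M into M*C if it is accepted."""
    x1, x2, w, v = ct
    return x1, x2, w * c % P, v


def make_inconsistent(ct):
    """Replace X2 by g2^(r+1), so that log_g1 X1 != log_g2 X2."""
    x1, x2, w, v = ct
    return x1, x2 * G2 % P, w, v


def demo():
    """Lite accepts the W-malleation but rejects an inconsistent (X1, X2);
    the full scheme rejects both (a rejection fails only with probability
    about 1/Q, when b2 = 0 or the two alpha values collide)."""
    m, c = 16, 25                       # squares mod P, hence in the subgroup
    pk, sk = keygen(full=False)
    ct = encrypt(pk, m)
    lite = (decrypt(pk, sk, ct),
            decrypt(pk, sk, multiply_w(ct, c)),
            decrypt(pk, sk, make_inconsistent(ct)))
    pk, sk = keygen(full=True)
    ct = encrypt(pk, m)
    full = (decrypt(pk, sk, ct),
            decrypt(pk, sk, multiply_w(ct, c)),
            decrypt(pk, sk, make_inconsistent(ct)))
    return lite, full
```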

Page 45: Cramer-Shoup (full strength) Security

Under the DDH assumption the cryptosystem is
• non-malleable against
• chosen ciphertext attacks in the postprocessing mode

Page 46: Conclusions

• The CS scheme is within a multiplicative constant of "vanilla" Diffie-Hellman, yet enjoys provable resistance to CCA
• Authentication: given CCA resistance - the only known Diffie-Hellman based public-key authentication
  – can be used for deniable authentication

Page 47: Interactive Authentication

P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.

To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P)
• P → V: Receiving c, decrypt c using the private key K_S. Verify that the prefix of the plaintext is m. If yes, send r.

V is satisfied if he receives the same r he chose.

Page 48: Is it Safe?

Want: existential unforgeability against adaptive chosen message attack
– Adversary can ask to authenticate any sequence m_1, m_2, …
– Has to succeed in making V accept a message m that was not authenticated
– Has complete control over the channels

• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems: if E is "just" semantically secure against chosen plaintext attacks:
  – Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
• Malleability
  – Not sufficient to verify the correct form of the ciphertext in the simulation
• Closer to a chosen ciphertext attack

Page 49: No receipts

• Can the verifier convince a third party that the prover approved a certain message?

Page 50: Authentication and Non-Repudiation

• Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to a third party - non-repudiation.
  – Essential to contract signing, e-commerce…
• Digital signatures: last 25 years major effort in
  – Research
    • Notions of security
    • Computationally efficient constructions
  – Technology, infrastructure (PKI), commerce, legal

Page 51: Is non-repudiation always desirable?

Not necessarily so:
• Privacy of conversation, no (verifiable) record.
  – Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, he shouldn't be able to transfer it for free
• Perhaps can gain efficiency

Alternative: (Plausible) Deniability
If the recipient (or any recipient) could have generated the conversation himself, or an indistinguishable one.

Page 52: Deniable Authentication

Setting:
• Sender has a public key known to the receiver
• Want an authentication scheme such that the receiver keeps no receipt of the conversation.

This means:
• Any receiver could have generated the conversation itself.
  – There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
  – Exactly as in zero-knowledge!
  – An example where zero-knowledge is the ends, not the means!

Proof of security consists of Unforgeability and Deniability.

Page 53: Ring Signatures and Authentication

Can we keep the sender anonymous?
Idea: prove that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys
• Encryption
  – Should be indistinguishable which member of the set is actually doing the authentication

[Figure: a ring of Bob, Alice?, Eve]

Page 54: A Public Key Authentication Protocol

P has a public key PK of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n and random bits ρ ∈ {0,1}*. Send Y = E(PK, m ∘ r, ρ)
• P → V: Verify that the prefix of the plaintext is indeed m. If yes, send r.
V accepts iff the received r' = r.

Is it unforgeable? Is it deniable?

Page 55: Security of the scheme

Unforgeability: depends on the strength of E
• Sensitive to malleability:
  – if, given E(PK, m ∘ r, ρ), one can generate E(PK, m' ∘ r', ρ') where m' is related to m and r' is related to r, then one can forge.
• The protocol allows a chosen ciphertext attack on E.
  – Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.

Deniability: does V retain a receipt?
– It does not retain one for an honest V
– Need to prove knowledge of r

We saw an encryption scheme satisfying the desired requirements.

Page 56: Simulator for honest receiver

Choose r ∈_R {0,1}^n. Output: ⟨Y = E(PK, m ∘ r, ρ), r, ρ⟩
Has exactly the same distribution as a real conversation when the verifier is following the protocol: statistical indistinguishability.

A verifier might cheat by checking whether certain ciphertexts have m as a prefix. No known concrete way of doing harm this way.

Page 57: Encryption as Commitment

When the public key PK is fixed and known, Y = E(PK, x, r) can be seen as a commitment to x.
To open x: reveal r, the random bits used to create Y.

Perfect binding: from unique decryption. For any Y there are no two different x and x' and r and r' s.t.
Y = E(PK, x, r) = E(PK, x', r')

Secrecy: no information about x is leaked to those not knowing the private key PS.

Page 58: Deniable Protocol

P has a public key PK of an encryption scheme E.
To authenticate message m:
• V → P: Choose x ∈_R {0,1}^n. Send Y = E(PK, m ∘ x, r)
• P → V: Send E(PK, x, t)   (P commits to the value x; does not want to reveal it yet)
• V → P: Send x and r, opening Y = E(PK, m ∘ x, r)
• P → V: Open E(PK, x, t) by sending t.

Page 59: Security of the scheme

Unforgeability: as before - depends on the strength of E; can simulate the previous scheme (with access to D(PK, ·)).
Important property: E(PK, x, t) is a non-malleable commitment (w.r.t. the encryption) to x.

Deniability: can run a simulator:
• Extract x by running with E(PK, garbage, t) and rewinding
• Expected polynomial time
• Need the semantic security of E - it acts as a commitment scheme

Page 60: Ring Signatures and Authentication

Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set
– Other members do not cooperate
– Use their 'regular' public keys
– Should be indistinguishable which member of the set is actually doing the authentication

[Figure: a ring of Bob, Alice?, Eve]

Page 61: Ring Authentication Setting

• A ring is an arbitrary set of participants including the authenticator
• Each member i of the ring has a public encryption key PK_i
  – Only i knows the corresponding secret key PS_i
• To run a ring authentication protocol both sides need to know PK_1, PK_2, …, PK_n, the public keys of the ring members

Page 62: An Almost Good Ring Authentication Protocol

Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E.
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∘ x, r_1), E(PK_2, m ∘ x, r_2), …, E(PK_n, m ∘ x, r_n)
• P → V: Decrypt E(PK_j, m ∘ x, r_j) using PS_j and send E(PK_1, x, t_1), E(PK_2, x, t_2), …, E(PK_n, x, t_n)
• V → P: Open all the E(PK_i, m ∘ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all the E(PK_i, x, t_i) by sending t_1, t_2, …, t_n

Problem: what if not all suffixes (the x's) are equal?

Page 63: The Ring Authentication Protocol

Ring has public keys PK_1, PK_2, …, PK_n of encryption scheme E.
To authenticate message m with the j-th decryption key PS_j:
• V → P: Choose x ∈_R {0,1}^n. Send E(PK_1, m ∘ x, r_1), E(PK_2, m ∘ x, r_2), …, E(PK_n, m ∘ x, r_n)
• P → V: Decrypt E(PK_j, m ∘ x, r_j) using PS_j and send E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n
• V → P: Open all the E(PK_i, m ∘ x, r_i) by sending x and r_1, r_2, …, r_n
• P → V: Verify consistency and open all the E(PK_i, x_i, t_i) by sending t_1, t_2, …, t_n and x_1, x_2, …, x_n

Page 64: Complexity of the scheme

Sender: a single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication complexity: O(n) public-key encryptions

Page 65: Security of the scheme

Unforgeability: as before (assuming all keys are well chosen), since
E(PK_1, x_1, t_1), E(PK_2, x_2, t_2), …, E(PK_n, x_n, t_n), where x = x_1 + x_2 + … + x_n,
is a non-malleable commitment to x.

Source hiding: which key was used (among well-chosen keys) is
– Computationally indistinguishable during the protocol
– Statistically indistinguishable after the protocol
  • If it ends successfully

Deniability: can run the simulator 'as before'.

Page 66: Properties of the Scheme

• Works with any good encryption scheme - members of the ring are unwilling participants.
• Fairly efficient scheme:
  – Need n encryptions, n verifications and one decryption
• Can extend the scheme so as to convince a verifier that at least k members confirm the message.
• What are the social implications of the existence of ring authentication?

Page 67: Sources

• Dolev, Dwork and Naor: Non-Malleable Cryptography, SIAM J. Computing 2000; also SIAM Review 2003.
• Cramer and Shoup: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack (see www.shoup.net).
• Lindell: A Simpler Construction of CCA2-Secure Public-Key Encryption Under General Assumptions. Eurocrypt 2003.

Page 68: Question: zero-knowledge protocol for subset sum

• Give a direct protocol (i.e. not through a reduction to Hamiltonicity) for the subset sum problem
• Subset sum problem: given
  – n numbers 0 ≤ a_1, a_2, …, a_n < 2^m
  – a target sum T
  is there a subset S ⊆ {1, …, n} such that ∑_{i ∈ S} a_i = T mod 2^m?

Page 69: Question: statistically hiding, computationally binding commitments from collision intractable hash functions

• Goal: construct a commitment scheme where
  • the induced distribution of the transcript is (nearly) independent of the string committed to
  • no PPT sender can, with probability (1 − negligible), reveal two different strings following the commit phase.

Protocol for committing to a bit b. Let H be a family of collision intractable hash functions.
Commit:
• Receiver: choose h ∈ H and give it to the sender
• Sender: choose random z and r. Send h(z), r and ⟨z · r⟩ ⊕ b (inner product over GF[2])
Reveal: publish z

Prove that the protocol satisfies the above requirements.

Page 70: Find the error

Let E be a public-key encryption scheme which is errorless. Let H be a family of collision intractable hash functions.
Commit: the sender chooses a key pair (K_P, K_S) for E and h ∈ H and sends h, K_P, E(K_P, x), h(x ∘ E(K_P, x))
Reveal: publish K_S

Show that there exists a family H of collision intractable hash functions such that the scheme is insecure for any E (assuming collision intractable hash functions exist).