B504/I538: Introduction to Cryptography


B504/I538: Introduction to Cryptography, Spring 2017 • Lecture 13 (2017-02-21)

Assignment 3 is due next Tuesday (2017-02-28). That's just one week from today!

Recall: Nested CBC-MAC (NMAC)
m := m1 ∥ m2 ∥ ⋯ ∥ mn
Compute the naïve CBC-MAC of m with the first key k1 (the chain of F_k1 over m1, …, mn, starting from 0^s), then MAC that result with the second key k2:
t := F_k2( naïve-CBC-MAC_k1(m) )
[Figure: a CBC chain of F_k1 blocks whose final output feeds one F_k2 block that emits t.]

Hash-based MAC (HMAC)
The most widely used MAC algorithm in practice.
H_s is a collision-resistant (keyed) hash function; k is the secret MAC key.
ipad = 0x3636…36 (one block, the "inner" pad)
opad = 0x5c5c…5c (one block, the "outer" pad)
HMAC_{s,k}(m) := H_s( (k ⊕ opad) ∥ H_s( (k ⊕ ipad) ∥ m ) )
The inner hash covers one pad block followed by the n message blocks; the outer hash covers one pad block followed by the inner digest.
ipad and opad are chosen so that (opad ⊕ ipad) has large Hamming weight.

[Figure: HMAC as two Merkle–Damgård chains of the compression function h_s. The inner chain starts from 0^s and absorbs k ⊕ ipad, then m1, …, mn; the outer chain starts from 0^s and absorbs k ⊕ opad, then the inner output, and emits the tag t.]
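The HMAC formula on the previous slide, written out as an added example (this is not code from the slides): HMAC-SHA256 built directly from the definition with hashlib, then cross-checked against the standard library's hmac module. The key-length handling (hash a key longer than one block, zero-pad a shorter one) follows RFC 2104 and is not shown on the slide.

```python
import hashlib
import hmac

BLOCK_LEN = 64                     # SHA-256 block size in bytes: the "1 block" of the pads
IPAD = bytes([0x36]) * BLOCK_LEN   # "inner" pad 0x3636...36
OPAD = bytes([0x5c]) * BLOCK_LEN   # "outer" pad 0x5c5c...5c


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(k: bytes, m: bytes) -> bytes:
    """HMAC_k(m) = H((k ⊕ opad) ∥ H((k ⊕ ipad) ∥ m)) with H = SHA-256.

    Key handling follows RFC 2104 (not on the slide): a key longer than one
    block is hashed first, and a shorter key is zero-padded to one block so
    that k ⊕ ipad and k ⊕ opad are each exactly one block long.
    """
    if len(k) > BLOCK_LEN:
        k = hashlib.sha256(k).digest()
    k = k.ljust(BLOCK_LEN, b"\x00")
    inner = hashlib.sha256(xor_bytes(k, IPAD) + m).digest()     # 1 pad block + n message blocks
    return hashlib.sha256(xor_bytes(k, OPAD) + inner).digest()  # 1 pad block + inner digest


def verify_tag(k: bytes, m: bytes, t: bytes) -> bool:
    """Compare in constant time so that tag verification does not leak through timing."""
    return hmac.compare_digest(hmac_sha256(k, m), t)


def matches_stdlib(k: bytes, m: bytes) -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_sha256(k, m) == hmac.new(k, m, hashlib.sha256).digest()


def pad_hamming_weight() -> int:
    """Hamming weight of (opad ⊕ ipad): 0x5c ^ 0x36 = 0x6a has four set bits per byte."""
    return sum(bin(b).count("1") for b in xor_bytes(IPAD, OPAD))


if __name__ == "__main__":
    # Constructed sample key and message; any bytes would do.
    key, msg = b"constructed-example-key", b"The quick brown fox jumps over the lazy dog"
    tag = hmac_sha256(key, msg)
    print(tag.hex(), matches_stdlib(key, msg), verify_tag(key, msg + b"!", tag))
```

The constant-time comparison in verify_tag is the detail most often missed when HMAC is hand-rolled: the construction itself is only half of a secure MAC verification.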

Simpler HMAC constructions?
Q: Is H(k ∥ m) a secure MAC?
A: No! (But why?)
Suppose H is constructed using the Merkle–Damgård construction. Given (m, H(k ∥ m)) it is easy to compute m' := m ∥ m'' and t' such that t' = H(k ∥ m')! (But how?) Just set t' = H(t ∥ m'').
Q: Is H(m ∥ k) a secure MAC?
A: Errr, well... sort of!? It's not as secure as HMAC! (But why?)
If H(m0) = H(m1) then H(m0 ∥ k) = H(m1 ∥ k): a weakness in the collision resistance of H implies a weakness in the MAC.

Simpler HMAC constructions?
Q: Is H(k ∥ m ∥ k) a secure MAC?
A: I don't know! Possibly?
This is essentially HMAC without ipad and opad. The proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit!
H(k ∥ m ∥ k) falls to "target prefix collision" attacks against H.

Generic birthday attack
Let H: {0,1}* → {0,1}^s and consider the following algorithm:
1. Choose N := (5/4)·2^{s/2} distinct messages m1, …, mN, each uniformly at random.
2. For i = 1, …, N, compute yi := H(mi).
3. If yi = yj for some i ≠ j, output (mi, mj).
Thm (birthday paradox): Let r1, …, rN be independent and identically distributed random variables taking values in {0,1}^s. If N = (5/4)·2^{s/2}, then Pr[∃ i ≠ j, ri = rj] ≥ 1/2.

Generic birthday attack (continued)
Proof of the birthday paradox (for uniform random variables):
Pr[∃ i ≠ j, ri = rj]
  = 1 − Pr[∀ i ≠ j, ri ≠ rj]
  = 1 − ((2^s − 1)/2^s) · ((2^s − 2)/2^s) ⋯ ((2^s − N + 1)/2^s)
  = 1 − ∏_{i=1}^{N−1} (1 − i/2^s)
  ≥ 1 − ∏_{i=1}^{N−1} e^{−i/2^s}            (since 1 − x ≤ e^{−x})
  = 1 − e^{−(1/2^s) ∑_{i=1}^{N−1} i}
  = 1 − e^{−N(N−1)/2^{s+1}}
  ≈ 1 − e^{−(N^2/2)/2^s}                   (N(N−1)/2 ≈ N^2/2)
  = 1 − e^{−((5/4)·2^{s/2})^2 / 2^{s+1}}
  = 1 − e^{−25/32}
  ≈ 0.54 > 1/2.

Generic birthday attack
Obs: An attacker A that runs the generic birthday attack finds collisions with advantage Adv_collision(A) > 1/2 in O(s·2^{s/2}) time (albeit with O(s·2^{s/2}) storage).
Q: Is this a problem?
A: No! (in theory); Possibly! (in practice)
Real hash functions have fixed-length outputs, so we need to ensure that 2^{s/2} work is infeasible... or do we? Memory is scarcer than time.
Q: Is it sufficient to ensure that no real attacker can store s·2^{s/2} bits?
A: Perhaps surprisingly, no!

"Small-space" birthday attack
Consider an attacker A that works as follows:
  Choose a random initial value m0
  Set m := m0 and m' := m0
  For i = 1, 2, 3, …, do the following:
      Compute m := H(m) and m' := H(H(m'))      // now m = H^(i)(m0) and m' = H^(2i)(m0)
      If m == m', break from the loop
  Set m' := m and m := m0
  For j = 1, …, i, do the following:
      If H(m) == H(m'), return (m, m')
      Else, set m := H(m) and m' := H(m')      // now m = H^(j)(m0) and m' = H^(i+j)(m0)
Thm: The small-space birthday attack above finds a collision with probability at least 1/2 in O(s·2^{s/2}) time using O(1) storage.
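Both collision finders from the last few slides, as an added example (not code from the slides): the generic birthday attack with its O(2^{s/2}) table, and the small-space attack, which is Floyd cycle-finding over the iteration m → H(m). They run against a toy hash H whose output is SHA-256 truncated to s = 32 bits, so that 2^{s/2} = 65536 steps finish in well under a second; the truncation, the seeded message sampling and the retry on a degenerate (tail-free) start value are choices of this example, not part of the slides.

```python
import hashlib
import random

S_BITS = 32  # toy output length s; 2^(s/2) = 65536 hash evaluations is cheap


def H(x: bytes, s_bits: int = S_BITS) -> bytes:
    """Toy H: {0,1}* -> {0,1}^s, SHA-256 truncated to s bits (constructed for this example)."""
    return hashlib.sha256(x).digest()[: s_bits // 8]


def is_collision(pair, s_bits: int = S_BITS) -> bool:
    m, m_prime = pair
    return m != m_prime and H(m, s_bits) == H(m_prime, s_bits)


def generic_birthday_attack(s_bits: int = S_BITS, seed: int = 0):
    """Hash N = (5/4)*2^(s/2) random messages and look for a repeated digest.

    Time and storage are both O(2^(s/2)). Returns (m_i, m_j) or None; a single
    run succeeds with probability a little over 1/2, as the theorem says.
    """
    rng = random.Random(seed)
    n = (5 * 2 ** (s_bits // 2)) // 4
    seen = {}                                      # digest -> message: the storage cost
    for _ in range(n):
        m = rng.getrandbits(64).to_bytes(8, "big")
        y = H(m, s_bits)
        if y in seen and seen[y] != m:
            return seen[y], m
        seen[y] = m
    return None


def small_space_birthday_attack(s_bits: int = S_BITS, seed: int = 0):
    """Floyd cycle-finding over m0, H(m0), H(H(m0)), ... using O(1) storage.

    Phase 1: m advances one step and m' two steps per iteration until they meet,
    so m = H^(i)(m0) = H^(2i)(m0) = m'.
    Phase 2: m restarts from m0 while m' stays at the meeting point; the two stay
    exactly i steps apart, so the first step at which H(m) == H(m') with m != m'
    is a collision. If m0 itself lies on the cycle (no tail) the pair found is
    m0 with itself, which is not a collision, so a fresh m0 is drawn.
    """
    rng = random.Random(seed)
    s_bytes = s_bits // 8
    while True:
        m0 = rng.getrandbits(8 * s_bytes).to_bytes(s_bytes, "big")
        m, m_prime, i = m0, m0, 0
        while True:                                # phase 1: tortoise and hare
            i += 1
            m = H(m, s_bits)
            m_prime = H(H(m_prime, s_bits), s_bits)
            if m == m_prime:
                break
        m, m_prime = m0, m                         # phase 2: walk i steps apart
        for _ in range(i):
            hm, hm_prime = H(m, s_bits), H(m_prime, s_bits)
            if hm == hm_prime:
                if m != m_prime:
                    return m, m_prime
                break                              # degenerate start: retry with new m0
            m, m_prime = hm, hm_prime


if __name__ == "__main__":
    print("generic:    ", generic_birthday_attack())
    print("small-space:", small_space_birthday_attack())
```

Note that the small-space attack only ever holds two chain values plus the counter i, whereas the generic attack's dictionary grows to 2^{s/2} entries; at s = 32 that is harmless, at s = 128 it is the difference between a feasible and an infeasible attack.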

Recall: IND-CPA security game
Both the challenger C and the attacker A receive 1^s.
C: k ← Gen(1^s); b ←_R {0,1}.
For i = 1, …, n:
  A → C: (m_i^0, m_i^1) with m_i^0, m_i^1 ∈ M and |m_i^0| = |m_i^1|
  C → A: c_i ← Enc_k(m_i^b)
Finally A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CPA(A) := | Pr[b = b'] − 1/2 |.

Secrecy versus Authenticity
Secrecy / confidentiality: IND-CPA, i.e. indistinguishable multiple encryptions in the presence of an eavesdropper. Provides "security" in the presence of passive attackers, where "security" == secrecy.
Authenticity / integrity: existential unforgeability under adaptive chosen message attacks. Provides "security" in the presence of active attackers, where "security" == integrity.

Active versus passive attackers
Passive attackers: the attacker only leverages passive observations (eavesdropping ciphertexts) and its prior knowledge (a known distribution on plaintexts). Chosen plaintext attacks force us to consider secrecy with respect to the "worst case" observations and prior knowledge.
Active attackers: the attacker also alters communications in an attempt to break security, i.e., adds, removes, reorders, modifies, duplicates, or delays messages.

Chosen ciphertext security
Looking back: the attacker was allowed to choose plaintexts; the challenger acted as an encryption oracle.
Going forward: the attacker can also choose ciphertexts; the challenger still acts as an encryption oracle, and also acts as a decryption oracle.

Active attack on IND-CPA secure crypto: email server, CBC mode
Sender: (IV, c) ← Enc_k(dest ∥ m), sent to the email server.
Server: dest ∥ m ← Dec_k(IV, c); forwards m to dest.
Attacker: intercepts (IV, c) and substitutes (IV', c). The server then computes dest' ∥ m ← Dec_k(IV', c) and forwards m to dest' instead.

Active attack on IND-CPA secure crypto: remote terminal app (SSH)
Each keystroke is encrypted in CTR mode: c ← Enc_k(TCP_header ∥ checksum ∥ keystroke), with a 2-byte checksum and a 1-byte keystroke.
The attacker replays modified ciphertexts c ⊕ (00⋯0 ∥ checksum' ∥ keystroke'), c ⊕ (00⋯0 ∥ checksum'' ∥ keystroke''), c ⊕ (00⋯0 ∥ checksum''' ∥ keystroke'''), … and observes for each one whether the server answers with an ACK or silently drops the packet ("bad checksum").

A lesson learned
IND-CPA security cannot guarantee secrecy under active attacks: the attacker can compromise security by modifying ciphertexts.
Recall: MAC schemes provide existential unforgeability against active attacks.

Non-adaptive chosen ciphertext attacks (IND-CCA1)
Both the challenger C and the attacker A receive 1^s.
C: k ← Gen(1^s); b ←_R {0,1}.
Query phase, for i = 1, …, n:
  A → C: (m_i, c_i) ∈ M × C
  C → A: (c_i', m_i') where c_i' ← Enc_k(m_i) and m_i' ← Dec_k(c_i)
Challenge: A → C: (M0, M1) ∈ M × M; C → A: C ← Enc_k(Mb).
Finally A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CCA1(A) := | Pr[b = b'] − 1/2 |.

Non-adaptive chosen ciphertext attacks (IND-CCA1)
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under (non-adaptive) chosen ciphertext attacks (or is IND-CCA1 secure) if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_CCA1(A) ≤ ε(s).
IND-CCA1 is sometimes called "lunchtime security": Alice uses Bob's decryption machinery while he is out for lunch; when Bob returns, Alice loses access to her decryption oracle. Alice wishes to formulate a sequence of queries she can issue over the lunch hour that will help her decrypt future messages to Bob.

Insufficiency of IND-CCA1 security
Q: Is IND-CCA1 sufficient?
A: NO! (But why?) The title of this slide suggests otherwise… and the "1" in "IND-CCA1" suggests the existence of "IND-CCA2".
IND-CCA1 does not protect against the attacks we used to motivate chosen ciphertext security! However, IND-CCA1 is no worse than IND-CPA:
Thm: If (Gen, Enc, Dec) is an IND-CCA1 secure encryption scheme, then it is also an IND-CPA secure encryption scheme.
Moreover, the converse of this theorem is false! (i.e., IND-CPA ⇏ IND-CCA1)

Adaptive chosen ciphertext attacks (IND-CCA2)
Both the challenger C and the attacker A receive 1^s.
C: k ← Gen(1^s); b ←_R {0,1}.
Queries before the challenge, for i = 1, …:
  A → C: (m_i, c_i) ∈ M × C
  C → A: (c_i', m_i') where c_i' ← Enc_k(m_i) and m_i' ← Dec_k(c_i)
Challenge: A → C: (M0, M1) ∈ M × M; C → A: C ← Enc_k(Mb).
Queries after the challenge, up to i = n:
  A → C: (m_i, c_i) ∈ M × (C \ {C}), i.e. A cannot ask for Dec_k(C)
  C → A: (c_i', m_i') where c_i' ← Enc_k(m_i) and m_i' ← Dec_k(c_i)
Finally A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CCA2(A) := | Pr[b = b'] − 1/2 |.

Adaptive chosen ciphertext attacks (IND-CCA2)
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under adaptive chosen ciphertext attacks (or is IND-CCA2 secure) if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_CCA2(A) ≤ ε(s).
The following theorem is trivially true:
Thm: If (Gen, Enc, Dec) is an IND-CCA2 secure encryption scheme, then it is also an IND-CCA1 secure (and, therefore, IND-CPA secure) encryption scheme.
Moreover, the converse of this theorem is false! (i.e., IND-CCA1 ⇏ IND-CCA2)

Authenticated encryption
Defn: An authenticated encryption scheme is a triple of algorithms (Gen, AuthEnc, AuthDec) such that
- Gen: 1^ℕ → K is a randomized "key generation" algorithm;
- AuthEnc: K × M → C_k is a randomized "authenticated encryption" algorithm;
- AuthDec: K × C' → M ∪ {⊥} is a deterministic "decryption" algorithm, where ⊥ is the "invalid ciphertext" flag.
Here K is the key space (the set of possible keys), M is the message space (the set of possible messages), C_k is the ciphertext space (the set of possible ciphertexts under the key k), and C' is a superset of C (the set of things that look like possible ciphertexts).
Intuitively, |C| << |C'| and, given c ∈ C', it should be hard to tell whether c ∈ C_k.

Correctness for authenticated encryption
Intuitively: correctness is the property of being able to decrypt "properly encrypted" messages (given the correct key).
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) with key space K and message space M is correct if, ∀k ∈ K and ∀m ∈ M, Pr[AuthDec_k(AuthEnc_k(m)) = m] = 1 and, ∀c ∈ C' \ C_k, Pr[AuthDec_k(c) = ⊥] = 1.

Ciphertext integrity game
Both the challenger C and the forger A receive 1^s.
C: k ← Gen(1^s).
For i = 1, …, n:
  A → C: m_i ∈ M
  C → A: c_i ← AuthEnc_k(m_i)
Finally A outputs c ∈ C' \ {c1, …, cn}.
Define A's advantage to be Adv_CI(A) := Pr[AuthDec_k(c) ≠ ⊥].

Unforgeable authenticated encryption
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) is existentially unforgeable under adaptive chosen plaintext attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_CI(A) ≤ ε(s).

Achieving IND-CCA2 security
Thm: If (Gen, AuthEnc, AuthDec) is an authenticated encryption scheme that (i) is existentially unforgeable under adaptive chosen message attacks, and (ii) has indistinguishable multiple encryptions under adaptive chosen plaintext attacks, then (Gen, AuthEnc, AuthDec) is IND-CCA2 secure.
Idea: Construct an IND-CCA2 secure scheme by making an IND-CPA secure scheme unforgeable using a MAC scheme!

Encrypt-and-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
- Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s)
- AuthEnc_k(m) outputs (c, t) where c ← Enc_kE(m) and t ← MAC_kM(m)
- AuthDec_k(c, t) computes m' ← Dec_kE(c) and outputs m' if Verify_kM(m', t) = 1 and ⊥ otherwise

MAC-then-encrypt
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
- Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s)
- AuthEnc_k(m) outputs c ← Enc_kE(m ∥ t) where t ← MAC_kM(m)
- AuthDec_k(c) computes m' ∥ t' ← Dec_kE(c) and outputs m' if Verify_kM(m', t') = 1 and ⊥ otherwise

Encrypt-then-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
- Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s)
- AuthEnc_k(m) outputs (c, t) where c ← Enc_kE(m) and t ← MAC_kM(c)
- AuthDec_k(c, t) outputs m' ← Dec_kE(c) if Verify_kM(c, t) = 1 and ⊥ otherwise

Security of MAC+encryption constructions
[Table: rows Encrypt-and-MAC, MAC-then-Encrypt, Encrypt-then-MAC; columns Secrecy (IND-CPA, IND-CCA) and Integrity (Plaintext, Ciphertext), with separate marks for a strongly unforgeable MAC and a weakly unforgeable MAC. The individual check marks did not survive extraction.]
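The three compositions from the preceding slides side by side, as an added example (not code from the slides). It assumes two stand-in building blocks chosen so that it runs with the Python standard library alone: the IND-CPA scheme is CTR mode over the PRF F_kE(x) = HMAC-SHA256(kE, x) with a fresh random nonce, and the MAC is HMAC-SHA256 under an independent key. The function compare_compositions then exercises correctness plus two observable differences: with Encrypt-and-MAC the tag depends only on the plaintext, so encrypting the same message twice repeats the tag; with Encrypt-then-MAC every modified ciphertext is rejected before any decryption runs.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def gen() -> tuple:
    """Gen(1^s) outputs k = (kE, kM): two independent keys (constructed via os.urandom)."""
    return os.urandom(32), os.urandom(32)


def _keystream(k_e: bytes, nonce: bytes, n: int) -> bytes:
    """CTR keystream from the PRF F_kE(nonce ∥ counter), a stand-in for a block cipher."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(k_e, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def enc(k_e: bytes, m: bytes) -> bytes:
    """Enc_kE(m): fresh random nonce, then m XOR keystream (IND-CPA secure if F is a PRF)."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(k_e, nonce, len(m))))


def dec(k_e: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_e, nonce, len(body))))


def mac(k_m: bytes, x: bytes) -> bytes:
    return hmac.new(k_m, x, hashlib.sha256).digest()


def verify(k_m: bytes, x: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(k_m, x), t)   # constant-time comparison


# Encrypt-and-MAC: (c, t) = (Enc(m), MAC(m)); None plays the role of ⊥ throughout.
def eam_enc(k, m):
    k_e, k_m = k
    return enc(k_e, m), mac(k_m, m)


def eam_dec(k, ct):
    k_e, k_m = k
    c, t = ct
    m = dec(k_e, c)
    return m if verify(k_m, m, t) else None


# MAC-then-encrypt: c = Enc(m ∥ MAC(m)).
def mte_enc(k, m):
    k_e, k_m = k
    return enc(k_e, m + mac(k_m, m))


def mte_dec(k, c):
    k_e, k_m = k
    mt = dec(k_e, c)
    m, t = mt[:-TAG_LEN], mt[-TAG_LEN:]
    return m if verify(k_m, m, t) else None


# Encrypt-then-MAC: (c, t) = (Enc(m), MAC(c)); the MAC is checked before decrypting.
def etm_enc(k, m):
    k_e, k_m = k
    c = enc(k_e, m)
    return c, mac(k_m, c)


def etm_dec(k, ct):
    k_e, k_m = k
    c, t = ct
    return dec(k_e, c) if verify(k_m, c, t) else None


def flip_last_bit(b: bytes) -> bytes:
    out = bytearray(b)
    out[-1] ^= 0x01
    return bytes(out)


def compare_compositions(k=None, m: bytes = b"pay 100 to alice") -> dict:
    """Correctness of all three, plus the equality leak of E&M and tamper rejection."""
    k = k or gen()
    (c1, t1), (c2, t2) = eam_enc(k, m), eam_enc(k, m)
    c, t = etm_enc(k, m)
    return {
        "all_correct": (eam_dec(k, (c1, t1)) == m and mte_dec(k, mte_enc(k, m)) == m
                        and etm_dec(k, (c, t)) == m),
        # E&M: same m gives the same t although c1 != c2, so an eavesdropper
        # learns that two ciphertexts carry the same plaintext.
        "eam_tag_repeats": t1 == t2 and c1 != c2,
        "etm_rejects_tamper": etm_dec(k, (flip_last_bit(c), t)) is None,
        "mte_rejects_tamper": mte_dec(k, flip_last_bit(mte_enc(k, m))) is None,
    }


if __name__ == "__main__":
    print(compare_compositions())
```

The order of operations in etm_dec is the point of Encrypt-then-MAC: the decryption routine never touches attacker-controlled ciphertext that has not passed Verify, whereas mte_dec must decrypt first and only then learns the input was forged.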

That’s all for today, folks!