Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Published byAmelia Merritt Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 10 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 10 Arpita Patra © Arpita Patra

2 Recall -Security definitions of MAC- cma, strong cma, cmva, strong cmva -Construction from PRF -Domain Extension: How to find a tag for long message o CBC-MAC -Authenticated Encryption (AE)- message privacy + integrity o Definition o Construction of AE from- cpa-secure SKE + scma-secure MAC

3 Today’s Goal -Authenticated Encryption (AE) o Definition (Recall) o Construction of AE from- cpa-secure SKE + scma-secure MAC o Proof -Looking back and ahead -Some Rectifications

4 CMA Security for MAC Experiment Mac-forge (n) A,   = (Gen, Mac, Vrfy), n I can break  Run time: Poly(n) Attacker A Let me verify Q = {(m 1, …,m l } Gen(1 n ) k Training Phase Forged tag generated by A (m, t) game output  1 (A succeeds) if Vrfy k (m, t) = 1 and m  Q  0 (A fails) otherwise  is CMA- secure if for every A, there is a negl(n) such that Pr [Mac-forge (n) = 1]  negl(n) A,  cma

5 Strong CMA Security for MAC Experiment Mac-sforge (n) A,   = (Gen, Mac, Vrfy), n I can break  Run time: Poly(n) Attacker A Let me verify Q = {(m 1, t 1 ), …,(m l, t l )} Gen(1 n ) k Training Phase Forged tag generated by A (m, t) game output  1 (A succeeds) if Vrfy k (m, t) = 1 and (m, t)  Q  0 (A fails) otherwise  is strong CMA-secure if for every A, there is a negl(n) such that Pr [Mac-sforge (n) = 1]  negl(n) A,  cma

6 Rectifications Rectification: It is NOT true that you need randomized MAC to satisfy scma-security - Any MAC that has canonical verification and cma-secure is also scma-secure. - Every deterministic MAC has canonical verification - For deterministic MAC, enough to prove cma-security as scma security is ‘free’ - AE: authenticate-and-encrypt can never be cpa-secure when you use deterministic make as a building block. - PRF-based scheme is scma-secure (because it is deterministic and provably cma-secure). - AE: Encrypt-then-authenticate; we have built both the primitives

7 Authenticated Encryption  = (Gen, Enc, Dec) is an authenticated encryption if -  = (Gen, Enc, Dec) is cpa-secure AND -  = (Gen, Enc, Dec) has ciphertext integrity (hard to come up with a ciphertext that has valid decryption even after sufficient training )

8 Ciphertext Integrity Experiment  = (Gen, Enc, Dec) Experiment CiIn (n) A,  I can forge  PPT Attacker A Let me verify Gen(1 n ) k Encryption Oracle message Encryption Q = {c 1, …, c t } Ciphertext c Dec k (c) = m   c  Q and 1 Dec k (c) = m =  c  Q or 0  Has ciphertext intigrity if for every PPT A: negl(n) Pr CiIn (n) = 1 A,   game output

9 AE: Encrypt then Authenticate  E = (Enc, Dec) be a cpa-secure SKE and  M = (Mac, Vrfy) be a scma-secure MAC  ’ = (Gen’, Enc’, Dec’): authenticated encryption Dec’ (c, t)  if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E  R {0, 1} n k M  R {0, 1} n Enc’ m c  Enc k E (m) kEkE kMkM t  Mac k M (c) Lemma: If  E is cpa-secure then  is cpa-secure. AEAE AA kEkE kMkM t i  Mac k M (c i ) m 0, m 1 c*  Enc k E (m b ) t*  Mac k M (c*) (c*, t*) t i  Mac k M (c i ) b’ Non-negligible advantage Training Phase cpa game for  cpa game for  E

10 AE: Encrypt then Authenticate  E = (Enc, Dec) be a cpa-secure SKE and  M = (Mac, Vrfy) be a scma-secure MAC  ’ = (Gen’, Enc’, Dec’): authenticated encryption Dec’ (c, t)  if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E  R {0, 1} n k M  R {0, 1} n Enc’ m c  Enc k E (m) kEkE kMkM t  Mac k M (c) Lemma: If  E is scma-secure then  has ciphertext integrity. AMAM AA kMkM kEkE c i  Enc k E (m i ) (c*, t*) Non-negligible advantage Training Phase CiIn game for  scma game  M (c*, t*)  {(c 1, t 1 ), …, (c q, t q )} and is a valid forgery (c*, t*)  {(c 1, t 1 ), …, (c q, t q )} and Dec’ k M, k E (c*, t*) = 1 Food for thought: Does a similar reduction hold for authenticate-then- encrypt??

11 Need for Independent Keys  E : To encrypt m  {0, 1} n/2, select a random r  {0, 1} n/2 and output c  F k (m || r). cca-secure !!  M : To authenticate c  {0, 1} n, output tag t := F k -1 (c) F is a PRP then so is F -1 scma-secure  Assume k E = k M = k ? - Enc’ k (m) = Mac k (Enc k (m)) =F k -1 (F k (m || r)) = m || r  Does this mean that Encrypt-then-authenticate approach is insecure ? No it is secure provided the encryption and MAC keys are independent  E = (Enc, Dec) be a cpa-secure SKE and  M = (Mac, Vrfy) be a scma-secure MAC  ’ = (Gen’, Enc’, Dec’): authenticated encryption Dec’ (c, t)  if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E  R {0, 1} n k M  R {0, 1} n Enc’ m c  Enc k E (m) kEkE kMkM t  Mac k M (c) F: SPRP

12 Every AE is cca-secure Theorem: Every Authenticated Encryption is cca-secure Proof: On the board.

13 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q  c b’ = 1

14 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q , …,   c b’ = 1  Since the encryption scheme is authenticated  The attacker cannot create a “new” ciphertext (not received from the encryption oracle) and query it from the decryption oracle  Will violate ciphertext integrity

15 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …,   c m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q , …,   c b’ = 1  Due to the same argument --- ciphertext integrity

16 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …,   c m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …,   Decryption queries are “useless” for the attacker  c

17 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q  c m 0, m 1 M 1, …, M q C 1, …, C q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q  c b’ = 1  Since the scheme is an authentic encryption  it is CPA-secure  c

18 Authenticated Encryption  CCA-security  For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle  Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q c  Enc k (m 0 ) M 1, …, M q C 1, …, C q  c m 0, m 1 M 1, …, M q C 1, …, C q c  Enc k (m 1 ) M 1, …, M q C 1, …, C q  c  c  c

19 CCA-security vs Authenticated Encryption  Every authenticated encryption scheme is also a cca-secure cipher  What about the converse ?  There are encryption schemes which are only cca-secure (Assignment problem)  Conceptually the goal of CCA-security and authenticated encryption are different  CCA-security : aim to achieve only privacy even if an attacker disrupts the communication  Authenticated encryption: aim is to achieve both privacy as well as integrity  Which is more efficient ?  In the symmetric-key world both are almost equivalent  No reason to just use a cca-secure scheme (instead of an authenticated encryption) if the major concern is efficiency  In the public-key world, the difference is more pronounced  Depending upon the application need to determine whether to go for CCA-security or authenticated encryption

20 Different Definitions of AE Definition 1 > cca Security > Weak Ciphertext Intigrity / Unforgeability (the adversary cannot come up with a ciphertext for a message that he has not queried before). Does not rule out the adversary’s ability to come up with a valid ciphertext for a message that he has queried before Definition 2 (KL) > cpa Security > Ciphertext Integrity (the adversary cannot come up with a valid ciphertext for ANY message). Implies if receiver has received a valid ciphertext that it is THE ciphertext sent by the sender. > cca Security Implication is Explicit > cca Security Implication is NOT Explicit and trivial– Needs a proof CT14 (for two): Authenticate-then-encrypt approach instantiated with cpa-secure SKE and cma-secure MAC yields a cpa-secure scheme with WEAK ciphertext integrity. CT15 (for two): F: SPRP, m: n/2 bits, k= n-bits, c = F k (m||r), r: n/2 bit random string. Prove cca-security. Prove that it is not secure according to Definition 2 of AE.

21

22 Looking Back Perfect Security Computational Security Ind / Sem Paradigm coa-securityPRG cpa-securityPRF cca-security Authenticated Encryption Classical SKEs Dual Limitations MACs cma/scma-securityPRF

23 Looking Back and Ahead OWF PRG PRF Secret Key World: SKE, MAC (1) (2)(3) (4) (5) (6) (7) From Number Theory > These results have profound theoretical value! > Direct Constructions From Number Theory > Only the practical construction from stream ciphers/ AES are used in practice

24

Download ppt "Cryptography Lecture 10 Arpita Patra © Arpita Patra."

Similar presentations

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
8. Data Integrity Techniques

8. Data Integrity Techniques
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 3 Arpita Patra.

Cryptography Lecture 3 Arpita Patra.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski www.dziembowski.net MIM UW 14.12.12ver 1.0.

Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski MIM UW ver 1.0.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Cryptography Lecture 7 Arpita Patra. Quick Recall and Today’s Roadmap >> Hash Function: Various Security Notions >> Markle-Damgaard Domain Extension >>

Cryptography Lecture 7 Arpita Patra. Quick Recall and Today’s Roadmap >> Hash Function: Various Security Notions >> Markle-Damgaard Domain Extension >>
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Similar presentations

Ads by Google