Download presentation
Presentation is loading. Please wait.
Published byPosy Johnston Modified over 8 years ago
1
Cryptography Lecture 6 Arpita Patra
2
Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption: Privacy and Integrity; Definition: CCA-security + unforgeability. >> AE: Other definitions; >> AE CCA Security >> Construction (again a bit tricky) based on CPA secure SKE + CMA-secure MAC >> AE: proof of Security >> Hash Function: Various Security Notions >> Markle-Damgaard Domain Extension >> Davis-Meyer Construction
3
Different Definitions of AE Definition 1 >> CCA Security >> Unforgeability (the adversary cannot come up with a ciphertext for a message that he has not queried/seen before). Does not rule out the adversary’s ability to come up with a valid ciphertext for a message that he has quired/seen before Definition 2 >> CPA Security >> Ciphertext Integrity (the adversary cannot come up with a valid ciphertext for ANY message). Implies if receiver has received a valid ciphertext that it is THE ciphertext sent by the sender. >> CCA Security Implication is Explicit >> CCA Security Implication is NOT Explicit and trivial– Needs a proof
4
Ciphertext Integrity Experiment = (Gen, Enc, Dec) Experiment CiIn (n) A, I can forge PPT Attacker A Let me verify Gen(1 n ) k Encryption Oracle message Encryption Q = {c 1, …, c t } Ciphertext c Dec k (c) = m c Q and 1 Dec k (c) = m = c Q or 0 Has ciphertext intigrity if for every PPT A: negl(n) Pr CiIn (n) A, game output
5
Authenticated Encryption is CCA-secure Theorem: Every Authenticated Encryption is CCA-secure Proof: On the board.
6
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q c b’ = 1
7
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q , …, c b’ = 1 Since the encryption scheme is authenticated The attacker cannot create a “new” ciphertext (not received from the encryption oracle) and query it from the decryption oracle Will violate ciphertext integrity
8
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …, c m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q , …, c b’ = 1 Due to the same argument --- ciphertext integrity
9
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …, c m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q , …, Decryption queries are “useless” for the attacker c
10
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q c Enc k (m 0 ) M 1, …, M q C 1, …, C q c m 0, m 1 M 1, …, M q C 1, …, C q c Enc k (m 1 ) M 1, …, M q C 1, …, C q c b’ = 1 Since the scheme is an authentic encryption it is CPA-secure c
11
Authenticated Encryption CCA-security For simplicity and without loss of generality, we assume that the attacker queries decryption oracle for ciphertexts not returned by the encryption oracle Decryption oracle will return plaintexts which attacker already knows for such queries m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 0 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q C* 1, …, C* q M* 1, …, M* q c Enc k (m 1 ) M 1, …, M q C 1, …, C q C * 1, …, C * q M * 1, …, M * q m 0, m 1 M 1, …, M q C 1, …, C q c Enc k (m 0 ) M 1, …, M q C 1, …, C q c m 0, m 1 M 1, …, M q C 1, …, C q c Enc k (m 1 ) M 1, …, M q C 1, …, C q c c c
12
Ingredients for Authenticated Encryption >> CPA-secure SKE >> CMA-secure MAC >> How to combine them– crux of AE
13
Attempt I (Encrypt-and-Authenticate) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain Enc Mac m kEkE kMkM c t (c, t) Encryption k E and k M are independent keys for E and M m Dec (c, t) kEkE c Decryption m Vrfy kMkM t 1
14
Enc Mac m kEkE kMkM c t (c, t) Encryption k E and k M are independent keys for E and M Dec (c, t) kEkE c Decryption m Vrfy kMkM t 0 Not necessarily --- a secure MAC not necessarily preserves the privacy of m Ex: a MAC may always output the first two bits of m as the first two bits of MAC tag In general if the MAC is deterministic (ex CBC-MAC) then tag for m will be “fixed” This approach used in SSH --- does this guarantee authenticated encryption ? In general this approach is not recommended Attempt I (Encrypt-and-Authenticate) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain
15
Enc kEkE t m Mac kMkM c Encryption Decryption c Dec kEkE m || t Vrfy kMkM 1 m Attempt II (Authenticate-then-Encrypt) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain
16
Enc kEkE t m Mac kMkM c Encryption Decryption c Dec kEkE m || t Vrfy kMkM 0 Note that the resultant encryption scheme is randomized --- even if MAC is deterministic Unfortunately the above approach does not always lead to an authenticated cipher There exists an instantiation of E which is CPA-secure and which when combined with any MAC using the above approach does not lead to an authenticated cipher This approach used in SSL --- does this guarantee authenticated encryption ? CBC-mode of encryption + MAC using above approach authenticated encryption Security of this approach depends upon the underlying instantiation of E In general this approach is not recommended Attempt II (Authenticate-then-Encrypt) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain
17
c t Encryption m Enc kEkE kEkE Mac c Dec kEkE c Decryption 1 (c, t) Vrfy kMkM t c m Attempt III (Encrypt-then-Authenticate) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain
18
c t Encryption m Enc kEkE kEkE Mac c (c, t) Decryption Vrfy kMkM t 0 c This approach used in IPSec --- does this guarantee authenticated encryption ? Note that the resultant encryption scheme is randomized --- even if MAC is deterministic Fortunately this approach always lead to an AE, irrespective of how E and M are instantiated Attempt III (Encrypt-then-Authenticate) Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Algorithm Gen in both E and M selects a random key from the respectively domain
19
Authenticated Encryption: Generic Construction Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Then construction ’ = (Gen’, Enc’, Dec’) is an authenticated encryption where: Dec’ (c, t) if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E R {0, 1} n k M R {0, 1} n Enc’ m c Enc k E (m) kEkE kMkM t Mac k M (c) If E is CPA-secure then is also CPA-secure --- proof by contrapositive A E -CPA A -CPA M 1, …, M q kEkE C 1, …, C q kMkM t i Mac k M (C i ) (C 1, t 1 ), … (C q, t q ) m 0, m 1 c* Enc k E (m b ) t* Mac k M (c*) (c*, t*) M 1, …, M q ( C 1, t 1 ), … ( C q, t q ) M 1, …, M q C 1, …, C q t i Mac k M ( C i ) b’ Non-negligible advantage
20
Authenticated Encryption: Generic Construction Let E = (Enc, Dec) be a CPA-secure cipher and M = (Mac, Vrfy) be a MAC Then construction = (Gen’, Enc’, Dec’) is an authenticated encryption where: Dec’ (c, t) if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E R {0, 1} n k M R {0, 1} n Enc’ m c Enc k E (m) kEkE kMkM t Mac k M (c) Security: need to show that has CPA-security and ciphertext integrity If M is a secure MAC then has ciphertext integrity --- proof by contrapositive A M -MAC A -CI M 1, …, M q C 1, …, C q kMkM t 1, …, t q kEkE C i Mac k E (M i ) (C 1, t 1 ), … (C q, t q ) (c*, t*) such that Non-negligible advantage t i Mac k M (C i ) (c*, t*) {(C 1, t 1 ), …, (C q, t q )} and is a valid ciphertext (c*, t*) such that (c*, t*) {(C 1, t 1 ), …, (C q, t q )} and Vrfy k M (c*, t*) = 1
21
Need for Independent Keys When a crypto primitive is constructed by combining several crypto sub-primitives then it is advisable to use independent keys for each sub-primitive Dec’ (c, t) if Vrfy k M (c) = 0 kEkE kMkM Else m:= Dec k E (c) Gen’ 1n1n k E R {0, 1} n k M R {0, 1} n Enc’ m c Enc k E (m) kEkE kMkM t Mac k M (c) Ex: consider the previous construction where k E = k M = k Suppose Enc and MAC are as follows: To encrypt m {0, 1} n/2, select a random r {0, 1} n/2 and output c F k (m || r), where F is a SPRP --- is this encryption scheme CPA-secure ? It is actually CCA-secure !! As F is a SPRP To authenticate c {0, 1} n, output tag t := F k -1 (c) Is this a secure MAC ? It is a secure MAC because if F is a PRP then so is F -1 What will happen if we combine this Enc and MAC with k E = k M = k ? Enc’ k (m) = Mac k (Enc k (m)) =F k -1 (F k (m || r)) = m || r Does this mean that Encrypt-then-authenticate approach is insecure ? No it is secure provided the encryption and MAC keys are independent
22
CCA-security vs Authenticated Encryption Every authenticated encryption scheme is also a CCA-secure cipher What about the converse ? There are encryption schemes which are only CCA-secure (Assignment problem) Conceptually the goal of CCA-security and authenticated encryption are different CCA-security : aim to achieve only privacy even if an attacker disrupts the communication Authenticated encryption: aim is to achieve both privacy as well as integrity Which is more efficient ? In the symmetric-key world both are almost equivalent No reason to just use a CCA-secure scheme (instead of an authenticated encryption) if the major concern is efficiency In the public-key world, the difference is more pronounced Depending upon the application need to determine whether to go for CCA-security or authenticated encryption
23
Picture So Far (Computational World) COA IND Paradigm SEM Paradigm ≈ CPA CCA Authenticated Encryption Ciphertext Intigrity Strong CMA Strong CMVA UnforgeableCMA CMVA Selective Opening Attack (SOA) Security- Multi sender/ multi-receiver setting ……… Key Indistinguishable CMA- Anonymous Authentication Key Indistinguishable CMVA- Anonymous Authentication ……..
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.