1
Authenticated encryption
3
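Mac forgery game
The game sets $M \leftarrow \{\}$ and $k \leftarrow_R \{0,1\}^s$.
The adversary sends $m'$; the game sets $M \leftarrow M \cup \{m'\}$ and returns $t' \leftarrow \mathrm{mac}_k(m')$. Repeat as many times as the adversary wants.
The adversary outputs $(m, t)$ and wins if $m \notin M$ and $\mathrm{verify}(m, t) = 1$.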
4
Mac forgery game
Allow the adversary to learn tags for as many messages as he wants.
A mac scheme is secure if $\Pr[\text{adv wins the forgery game}] \le \mathrm{negl}(s)$.
5
Does authentication imply secrecy
Consider the question from the quiz.
The answer is yes. To prove this is the case, we will take an adversary which forges a mac for this scheme and use it to break the original mac scheme.
6
Does authentication imply secrecy
Consider the question from the quiz.
More formally, if the scheme is insecure, then $\exists A \in \mathrm{PPT}$ which produces $t = (t^*, m^*)$ such that $\mathrm{Verify}(k, m, (t^*, m^*))$ accepts for a fresh $m^*$.
However, since $\mathrm{Verify}^*(k, m, (t^*, m^*)) = \mathrm{Verify}(k, m, t^*)$, this means that the adversary created a mac tag for the original scheme. Hence, the original scheme is not a mac scheme. By contradiction, we have a mac scheme.
7
Lesson
Authentication $\ne$ Encryption
Encryption $\ne$ Authentication
In the future, if I ever see anyone mention ciphertext in a question that only talks about macs, there will be a loss of points.
8
Validation-oracle indistinguishability game
Validation-oracle games
Adversary chooses $m_0, m_1$.
In $G_0$, the game returns $\mathrm{Enc}(m_0)$.
In $G_1$, the game returns $\mathrm{Enc}(m_1)$.
In both $G_0$ and $G_1$, the adversary can send extra ciphertexts and the oracle tells the adversary if the decryption of the ciphertext falls into the message space.
The adversary has to guess which game he is playing.
9
Validation-oracle indistinguishability game
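$G_0$: the distinguisher sends $m_0, m_1$ and receives $c \leftarrow \mathrm{Enc}(m_0)$. It then sends $c'$ and receives $v \leftarrow [\mathrm{Dec}(c') \in M]$. Repeat as many times as the distinguisher wants.
$G_1$: the distinguisher sends $m_0, m_1$ and receives $c \leftarrow \mathrm{Enc}(m_1)$. It then sends $c'$ and receives $v \leftarrow [\mathrm{Dec}(c') \in M]$. Repeat as many times as the distinguisher wants.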
10
Pseudo-random function
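A class of functions $(F_1, \ldots, F_{2^s})$ is pseudo-random if the following two games are indistinguishable:
$G_0$: $F \leftarrow$ random function. The distinguisher sends $m$ and receives $w \leftarrow F(m)$. Repeat as many times as the distinguisher wants.
$G_1$: $k \leftarrow_R \{0,1\}^s$, $F \leftarrow F_k$. The distinguisher sends $m$ and receives $w \leftarrow F(m)$. Repeat as many times as the distinguisher wants.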
11
CPA-secure encryption scheme from PRF
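$\mathrm{Keygen}(1^s)$: $k \leftarrow_R \{0,1\}^s$
$\mathrm{Enc}_k(m)$: $r \leftarrow_R \{0,1\}^s$; $c \leftarrow (r, F_k(r) \oplus m)$
$\mathrm{Dec}_k(r, c)$: $m \leftarrow F_k(r) \oplus c$
Important property: $\mathrm{Dec}(\mathrm{Enc}(m) \oplus d) = m + d$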
12
Breaking security of the scheme using validation oracle
Let the message space be $M = \{1100, 0110, 0101\}$.
Important property: let $(r, v) = \mathrm{Enc}(m)$; then $\mathrm{Dec}(r, v \oplus d) = m \oplus d$.
Given a validation oracle, consider what happens if we decrypt $(r, v \oplus d)$ with $d = 0011$: $1100 \to 1111 \notin M$, while $0110 \to 0101 \in M$ and $0101 \to 0110 \in M$.
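The validation-oracle distinguisher from this slide, written out as an added example (not part of the original slides). It assumes HMAC-SHA256 truncated to 4 bits as a stand-in for the PRF $F_k$; the function names and the choice $m_0 = 1100$, $m_1 = 0110$ are illustrative.

```python
import hashlib
import hmac
import secrets

M = {0b1100, 0b0110, 0b0101}   # message space from the slide
D = 0b0011                     # ciphertext modification from the slide

def F(k: bytes, r: bytes) -> int:
    # 4-bit PRF output; HMAC-SHA256 is an assumed stand-in for F_k
    return hmac.new(k, r, hashlib.sha256).digest()[0] & 0xF

def keygen() -> bytes:
    return secrets.token_bytes(16)

def enc(k: bytes, m: int):
    r = secrets.token_bytes(16)        # fresh randomness per encryption
    return r, F(k, r) ^ m              # c = (r, F_k(r) xor m)

def dec(k: bytes, c) -> int:
    r, v = c
    return F(k, r) ^ v                 # m = F_k(r) xor v

def validation_oracle(k: bytes, c) -> bool:
    # Reveals only whether Dec(c') falls into the message space
    return dec(k, c) in M

def distinguish(challenge, oracle) -> int:
    # XOR D into the ciphertext: 1100 -> 1111 (outside M), 0110 -> 0101 (inside M)
    r, v = challenge
    return 1 if oracle((r, v ^ D)) else 0

def play(b: int) -> int:
    # One run of game G_b with m_0 = 1100 and m_1 = 0110; returns the guess
    k = keygen()
    m0, m1 = 0b1100, 0b0110
    challenge = enc(k, (m0, m1)[b])
    return distinguish(challenge, lambda c: validation_oracle(k, c))

if __name__ == "__main__":
    wins = sum(play(b) == b for b in (0, 1) for _ in range(500))
    print(f"correct guesses: {wins}/1000")
```

A single oracle query is enough: the one bit "valid or not" separates the two challenge messages with probability 1, even though the scheme is CPA-secure.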
13
Why do we care about the validation oracle
When people encrypt messages and send them to servers, it is typical that the server returns an error if the decrypted message does not have the right format.
The original PKCS paper (detailing how to use crypto in the real world) had an attack where the attacker can modify the ciphertext and learn one bit depending on whether an error message is received.
14
General format of a validation attack
Take the message space $M$.
Generate a modification of the ciphertext which maps certain encrypted messages back to a valid ciphertext and others not.
Especially useful if the encryption scheme is homomorphic: $(\mathrm{Enc}, \mathrm{Dec})$ is homomorphic if there exist $\otimes, \odot$ such that $\mathrm{Enc}(m_1 \otimes m_2) = \mathrm{Enc}(m_1) \odot \mathrm{Enc}(m_2)$.
15
Some homomorphic encryption scheme
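Especially useful if the encryption scheme is homomorphic: $(\mathrm{Enc}, \mathrm{Dec})$ is homomorphic if there exist $\otimes, \odot$ such that $\mathrm{Enc}(m_1 \otimes m_2) = \mathrm{Enc}(m_1) \odot \mathrm{Enc}(m_2)$.
One-time pad: $\otimes \to \oplus$, $\odot \to \oplus$
RSA, ElGamal: $\otimes \to +$, $\odot \to \times$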
16
Authenticated encryption
Authenticated (adversary cannot forge a ciphertext)
Encrypted (adversary cannot learn message)
17
Chosen-ciphertext game
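Distinguisher loses automatically if $c = c'$.
$G_0$: the distinguisher sends $m_0, m_1$ and receives $c \leftarrow \mathrm{Enc}(m_0)$. It then sends $c'$ and receives $m \leftarrow \mathrm{Dec}(c')$. Repeat as many times as the distinguisher wants.
$G_1$: the distinguisher sends $m_0, m_1$ and receives $c \leftarrow \mathrm{Enc}(m_1)$. It then sends $c'$ and receives $m \leftarrow \mathrm{Dec}(c')$. Repeat as many times as the distinguisher wants.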
18
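Unforgeability game
The game sets $M \leftarrow \{\}$ and $k \leftarrow_R \{0,1\}^s$.
The adversary sends $m'$; the game sets $M \leftarrow M \cup \{m'\}$ and returns $c' \leftarrow \mathrm{Enc}(m')$.
The adversary outputs $c$ and wins if $\mathrm{Dec}(c) \ne \bot$ and $\mathrm{Dec}(c) \notin M$.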
19
Authenticated encryption
An encryption scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is an authenticated encryption scheme if it is:
Unforgeable
CCA-secure
20
Three Candidates for AE from mac + enc
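We assume:
$\mathrm{Enc}$ is a secure encryption scheme
$\mathrm{Auth}$ is a secure message authentication code
Show which two are insecure and which is secure. Here are the hints:
$\mathrm{Enc}^*(m_1 || m_2) = \mathrm{Enc}(m_1) || \mathrm{Enc}(m_2)$ is a secure encryption scheme
$\mathrm{Auth}^*(m) = (\mathrm{auth}(m), m)$ is a secure mac scheme
Encrypt-and-mac: $c' \leftarrow \mathrm{Enc}(m)$; $t \leftarrow \mathrm{Auth}(m)$; $c \leftarrow (c', t)$
Encrypt-then-mac: $c' \leftarrow \mathrm{Enc}(m)$; $t \leftarrow \mathrm{Auth}(c')$; $c \leftarrow (c', t)$
Mac-then-encrypt: $t \leftarrow \mathrm{Auth}(m)$; $w \leftarrow (m, t)$; $c \leftarrow \mathrm{Enc}(w)$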
21
Insecure schemes Encrypt and mac
Answer: if authentication leaks the message, then this encryption scheme also leaks the message.
Encrypt-and-mac: $c' \leftarrow \mathrm{Enc}(m)$; $t \leftarrow \mathrm{Auth}(m)$; $c \leftarrow (c', t)$
22
Insecure schemes Mac then encrypt
Answer: let $(c_0, t_0) = \mathrm{Enc}(m_0)$ and $(c_2, t_2) = \mathrm{Enc}(m')$. We have that $\mathrm{Dec}(c_2, t_0) = m_0$ if and only if $m_2 = \mathrm{Dec}(c_0)$.
Encrypt-and-mac: $c' \leftarrow \mathrm{Enc}(m)$; $t \leftarrow \mathrm{Auth}(m)$; $c \leftarrow (c', t)$
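An added example (not from the original slides) for the two hints given with the three candidates: composing with $\mathrm{Auth}^*(m) = (\mathrm{auth}(m), m)$ makes encrypt-and-mac expose the message in the tag, while encrypt-then-mac only exposes the ciphertext and rejects a modified one. The SHAKE-256 keystream standing in for Enc, HMAC-SHA256 standing in for auth, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def enc(ke: bytes, m: bytes) -> bytes:
    # Assumed stand-in for Enc: random nonce plus SHAKE-256 keystream XOR
    r = secrets.token_bytes(16)
    ks = hashlib.shake_256(ke + r).digest(len(m))
    return r + bytes(a ^ b for a, b in zip(m, ks))

def dec(ke: bytes, c: bytes) -> bytes:
    r, body = c[:16], c[16:]
    ks = hashlib.shake_256(ke + r).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def auth_star(ka: bytes, m: bytes) -> bytes:
    # The hint's Auth*(m) = (auth(m), m): unforgeable, but the tag contains m
    return hmac.new(ka, m, hashlib.sha256).digest() + m

def encrypt_and_mac(ke: bytes, ka: bytes, m: bytes):
    return enc(ke, m), auth_star(ka, m)      # t <- Auth(m): tag is over the plaintext

def encrypt_then_mac(ke: bytes, ka: bytes, m: bytes):
    c1 = enc(ke, m)
    return c1, auth_star(ka, c1)             # t <- Auth(c'): tag is over the ciphertext

def dec_encrypt_then_mac(ke: bytes, ka: bytes, c):
    c1, t = c
    if not hmac.compare_digest(t, auth_star(ka, c1)):
        return None                          # reject before any decryption happens
    return dec(ke, c1)

def flip_last_byte(c1: bytes, d: int) -> bytes:
    # Same kind of XOR modification as in the validation-oracle slides
    return c1[:-1] + bytes([c1[-1] ^ d])

if __name__ == "__main__":
    ke, ka = secrets.token_bytes(16), secrets.token_bytes(16)
    m = b"pay 100 to alice"
    _, t = encrypt_and_mac(ke, ka, m)
    print("encrypt-and-mac tag ends with the message:", t[32:] == m)
    c1, t = encrypt_then_mac(ke, ka, m)
    print("tampered:", dec_encrypt_then_mac(ke, ka, (flip_last_byte(c1, 3), t)))
```

Because every modified ciphertext is rejected the same way, an error response no longer depends on the plaintext, which removes the one-bit leak a validation oracle relies on.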
23
Authenticated encryption with associated (public) data
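$\mathrm{Enc}(\mathit{data}, m) \to (\mathit{data}, c, t)$
Correctness: $\mathrm{Dec}(\mathit{data}, \mathrm{Enc}(\mathit{data}, m)) = (\mathit{data}, m)$
Authentication: impossible to create a fresh pair such that:
$(\mathit{data}, c')$ has been seen before
$\mathrm{Dec}(\mathit{data}^*, c^*, t^*) \ne \bot$
Indistinguishability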
24
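Galois-counter mode
Combines information-theoretic mac with counter mode.
Uses one-time mac over binary field.
$\mathrm{Enc}(\mathit{data}, m)$:
$IV \leftarrow_R \{0,1\}^{n/2}$
$m_1, \ldots, m_l \leftarrow m$
$A_1, \ldots, A_h \leftarrow \mathit{data}$
$k_1 \leftarrow E_k(IV, 0)$
$k_2 \leftarrow E_k(IV, 1)$
$c_1, \ldots, c_l \leftarrow \mathrm{CTR}(m_1, \ldots, m_l; \mathit{counter} = IV || 2)$
$T \leftarrow \mathrm{otm}(l, h, \mathit{data}, c_1, \ldots, c_l)$
$c \leftarrow (l, h, \mathit{data}, c_1, \ldots, c_l, T)$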