B504/I538: Introduction to Cryptography


1 B504/I538: Introduction to Cryptography
Spring • Lecture 13 (2017-02-21)

2 Assignment 3 is due next Tuesday!
(2017-02-28) (That's just one week from today!)

3 Recall: Nested CBC-MAC (NMAC)
[Diagram] m ≔ m1 ∥ m2 ∥ ⋯ ∥ mn. First compute the naïve CBC-MAC with the first key: starting from 0^s, chain F_k1 over m1, m2, …, mn to obtain an s-bit value. Then MAC that naïve CBC-MAC with the second key: the tag is t ≔ F_k2 applied to the chained value.

4 Hash-based MAC (HMAC)
The most widely used MAC algorithm in practice.
H_s is a collision-resistant (keyed) hash function; k is the secret MAC key.
opad = 0x5c5c5c…5c is the one-block "outer" pad; ipad = 0x… is the one-block "inner" pad. The pads are chosen so that (opad ⊕ ipad) has large Hamming weight.
HMAC_{s,k}(m) := H_s( (k ⊕ opad) ∥ H_s( (k ⊕ ipad) ∥ m ) ), where k ⊕ ipad and k ⊕ opad each occupy one block and m occupies n blocks.

5 HMAC
[Diagram] m ≔ m1 ∥ m2 ∥ ⋯ ∥ mn. Inner hash: starting from 0^s, h_s is iterated over the block k ⊕ ipad and then over m1, …, mn. Outer hash: starting from 0^s again, h_s is applied to the block k ⊕ opad and then to the inner result, giving the tag t.
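As an added example that is not part of the lecture slides, the following Python builds HMAC-SHA256 directly from the definition on slides 4 and 5 using hashlib, and cross-checks it against the standard library's hmac module. The ipad constant 0x36…36 is the value fixed in RFC 2104 (the transcript above lost it), and the handling of keys longer or shorter than one block also follows RFC 2104; SHA-256 as H_s is an assumption for the demonstration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks: one "block" on the slide

# One-block pads from RFC 2104: opad = 0x5c5c...5c, ipad = 0x3636...36.
OPAD = bytes([0x5C] * BLOCK_SIZE)
IPAD = bytes([0x36] * BLOCK_SIZE)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC_{s,k}(m) := H_s((k ⊕ opad) ∥ H_s((k ⊕ ipad) ∥ m)) with H_s = SHA-256."""
    # RFC 2104 key handling: hash keys longer than a block, zero-pad shorter ones,
    # so that k ⊕ ipad and k ⊕ opad are each exactly one block long.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha256(_xor(key, IPAD) + message).digest()  # inner hash: 1 block + n blocks of m
    return hashlib.sha256(_xor(key, OPAD) + inner).digest()     # outer hash: 1 block + inner result


def pad_hamming_weight() -> int:
    """Hamming weight of (opad ⊕ ipad); slide 4 says the pads are chosen so this is large."""
    return sum(bin(x).count("1") for x in _xor(OPAD, IPAD))


def agrees_with_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's hmac module, compared in constant time."""
    reference = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, message), reference)


if __name__ == "__main__":
    print(hmac_sha256(b"key", b"The quick brown fox jumps over the lazy dog").hex())
    print(agrees_with_stdlib(b"k" * 100, b"a key longer than one block is hashed first"))
    print(pad_hamming_weight())  # 4 differing bits per byte, 64 bytes
```

The two pads differ in 4 bits of every byte (0x5c ⊕ 0x36 = 0x6a), which is the "large Hamming weight" the slide refers to: the inner and outer hash calls never see the same first block.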

6 Simpler HMAC constructions?
Q: Is H(k ∥ m) a secure MAC?
A: No! (But why?) Suppose H is constructed using the Merkle-Damgård construction. Given (m, H(k ∥ m)) it is easy to compute m′ := m ∥ m″ and t′ such that t′ = H(k ∥ m′)! (But how?) Just set t′ = H(t ∥ m″).
Q: Is H(m ∥ k) a secure MAC?
A: Errr, well… sort of!? It's not as secure as HMAC! (But why?) If H(m0) = H(m1) then H(m0 ∥ k) = H(m1 ∥ k). A weakness in the collision-resistance of H implies a weakness in HMAC.

7 Simpler HMAC constructions?
Q: Is H(k ∥ m ∥ k) a secure MAC?
A: I don't know! Possibly? This is essentially HMAC without ipad and opad. The proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit! H(k ∥ m ∥ k) falls to "target prefix collision" attacks against H.

8 Generic birthday attack
Let H: {0,1}* → {0,1}^s and consider the following algorithm:
  1. Choose N := (5/4)·2^{s/2} distinct messages m1, …, mN, each uniformly at random.
  2. For i = 1, …, N, compute yi := H(mi).
  3. If yi = yj for some i ≠ j, then output (mi, mj).
Thm (birthday paradox): Let r1, …, rN be independently and identically distributed random variables taking values in {0,1}^s. If N = (5/4)·2^{s/2}, then Pr[∃i ≠ j, ri = rj] ≥ 1/2.

9 Generic birthday attack
Thm (birthday paradox): Let r1, …, rN be independently and identically distributed random variables taking values in {0,1}^s. If N = (5/4)·2^{s/2}, then Pr[∃i ≠ j, ri = rj] > 1/2.
Proof (for uniform random variables):
  Pr[∃i ≠ j, ri = rj] = 1 − Pr[∀i ≠ j, ri ≠ rj]
    = 1 − ((2^s − 1)/2^s) · ((2^s − 2)/2^s) ⋯ ((2^s − N + 1)/2^s)
    = 1 − ∏_{i=1}^{N−1} (1 − i/2^s)
    ≥ 1 − ∏_{i=1}^{N−1} e^{−i/2^s}                (using 1 − x ≤ e^{−x})
    = 1 − e^{−(1/2^s) ∑_{i=1}^{N−1} i}
    ≥ 1 − e^{−(N²/2)/2^s}
    = 1 − e^{−((5/4)·2^{s/2})²/(2·2^s)}
    = 1 − e^{−25/32} ≥ 0.54

10 Generic birthday attack
Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Adv_collision(A) > 1/2 in O(s·2^{s/2}) time (albeit with O(s·2^{s/2}) storage).
Q: Is this a problem?
A: No! (in theory); Possibly! (in practice). Real hash functions have fixed-length outputs, so we need to ensure that 2^{s/2} work is infeasible… or do we? Memory is scarcer than time.
Q: Is it sufficient to ensure no real attacker can store s·2^{s/2} bits?
A: Perhaps surprisingly, no!

11 "Small-space" birthday attack
Consider an attacker A that works as follows:
  Choose a random initial value m0.
  Set m := m0 and m′ := m0.
  For i = 1, 2, 3, …, do the following:
    Compute m := H(m) and m′ := H(H(m′)).    // now m = H^(i)(m0) and m′ = H^(2i)(m0)
    If m == m′, break from the loop.
  Set m′ := m and m := m0.
  For j = 1, …, i, do the following:
    If H(m) == H(m′), return (m, m′).
    Else, set m := H(m) and m′ := H(m′).    // now m = H^(j)(m0) and m′ = H^(i+j)(m0)
Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s·2^{s/2}) time using O(1) storage.
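The two collision-finding procedures from slides 8 and 11, as an added Python example that is not part of the lecture. To keep the run cheap it uses a constructed toy hash, the first s = 24 bits of SHA-256, so that N = (5/4)·2^{s/2} = 5120; the toy hash, the seeded randomness and the message format are assumptions for the demonstration. generic_birthday stores every digest it computes, small_space_birthday keeps only a constant number of values (Floyd-style cycle finding, exactly the loop structure on slide 11), and lower_bound evaluates the 1 − e^{−25/32} bound derived on slide 9.

```python
import hashlib
import math
import random

S_BITS = 24                                   # toy output length s (constructed; real hashes use 256+)
N = math.ceil((5 / 4) * 2 ** (S_BITS / 2))    # N = (5/4)·2^{s/2} = 5120 for s = 24


def H(m: bytes) -> bytes:
    """Toy hash H: {0,1}* -> {0,1}^s, the first s bits of SHA-256 (a stand-in, not a real hash)."""
    return hashlib.sha256(m).digest()[: S_BITS // 8]


def lower_bound() -> float:
    """Slide 9: Pr[collision among N = (5/4)·2^{s/2} samples] ≥ 1 − e^{−25/32} ≈ 0.54."""
    return 1 - math.exp(-25 / 32)


def generic_birthday(seed: int):
    """Slide 8: hash N distinct random messages, keep them all, return a colliding pair or None."""
    rng = random.Random(seed)
    seen = {}                                            # O(s·2^{s/2}) storage: every digest so far
    for i in range(N):
        m = b"msg-%d-%016x" % (i, rng.getrandbits(64))  # distinct by construction (index i)
        y = H(m)
        if y in seen:
            return seen[y], m
        seen[y] = m
    return None                                          # happens with probability ≈ e^{−25/32}


def small_space_birthday(seed: int):
    """Slide 11: walk m0, H(m0), H(H(m0)), ... with a tortoise and a hare; O(1) storage."""
    rng = random.Random(seed)
    while True:
        m0 = rng.getrandbits(S_BITS).to_bytes(S_BITS // 8, "big")   # random initial value
        m, m2 = m0, m0
        i = 0
        while True:
            i += 1
            m, m2 = H(m), H(H(m2))       # now m = H^(i)(m0) and m2 = H^(2i)(m0)
            if m == m2:
                break
        m2, m = m, m0                    # restart: m walks from m0, m2 from H^(i)(m0)
        for _ in range(i):
            if H(m) == H(m2):
                if m != m2:              # genuine collision: distinct inputs, equal digests
                    return m, m2
                break                    # m0 itself lay on the cycle (rare): retry with a fresh m0
            m, m2 = H(m), H(m2)          # now m = H^(j)(m0) and m2 = H^(i+j)(m0)


def is_collision(pair) -> bool:
    m, m2 = pair
    return m != m2 and H(m) == H(m2)


if __name__ == "__main__":
    print(is_collision(small_space_birthday(2017)))
    hits = sum(generic_birthday(seed) is not None for seed in range(20))
    print(f"generic attack succeeded in {hits}/20 runs; proven bound {lower_bound():.2f}")
```

The small-space variant always terminates because the iterated sequence on a finite range must eventually cycle; the only extra handling over the slide's pseudocode is the retry when the random start m0 already sits on the cycle, in which case the loop would return the trivial pair (m0, m0).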

12 Recall: IND-CPA security game
[Diagram] Challenger (C) and Attacker (A) both receive 1^s. C samples k ← Gen(1^s) and b ∈_R {0,1}.
For i = 1, …, n: A sends (mi0, mi1) with mi0, mi1 ∈ M and |mi0| = |mi1|; C replies with ci ← Enc_k(mib).
Finally A outputs b′ ∈ {0,1}. Define A's advantage to be Adv_CPA(A) := |Pr[b = b′] − 1/2|.

13 Secrecy versus Authenticity
Secrecy / confidentiality ("security" == secrecy): IND-CPA, i.e., indistinguishable multiple encryptions in the presence of an eavesdropper. Provides "security" in the presence of passive attackers.
Authenticity / integrity ("security" == integrity): existential unforgeability under adaptive chosen message attacks. Provides "security" in the presence of active attackers.

14 Active versus passive attackers
Passive attackers: the attacker only leverages passive observations (eavesdropping on ciphertexts, a known distribution on plaintexts) and its prior knowledge. Chosen plaintext attacks force us to consider secrecy with respect to the "worst case" observations and prior knowledge.
Active attackers: the attacker also alters communications in an attempt to break security, i.e., adds, removes, reorders, modifies, duplicates, or delays messages.

15 Chosen ciphertext security
Looking back: the attacker was allowed to choose plaintexts; the challenger acted as an encryption oracle.
Going forward: the attacker can also choose ciphertexts; the challenger still acts as an encryption oracle, and also acts as a decryption oracle.

16 Active attack on IND-CPA secure crypto
[Diagram, CBC mode] The sender encrypts a destination header together with the message, (IV, c) ← Enc_k(dest ∥ m); the server recovers dest ∥ m ← Dec_k(IV, c) and forwards m to dest. An active attacker replaces the IV with IV′, so the server instead computes dest′ ∥ m ← Dec_k(IV′, c): in CBC mode the first plaintext block is IV ⊕ D_k(c1), so changing the IV changes dest while m is untouched, and m is delivered to dest′.

17 Active attack on IND-CPA secure crypto
[Diagram, CTR mode] Remote terminal app (SSH): each keystroke is encrypted in CTR mode, c ← Enc_k(TCP_header ∥ checksum ∥ keystroke), with a 2-byte checksum and a 1-byte keystroke. The attacker sends modified ciphertexts c ⊕ (00⋯0 ∥ checksum′ ∥ keystroke′), c ⊕ (00⋯0 ∥ checksum″ ∥ keystroke″), c ⊕ (00⋯0 ∥ checksum‴ ∥ keystroke‴), …; a bad checksum makes the receiver drop the packet, whereas a guess whose checksum matches is answered with an ACK.

18 A lesson learned
IND-CPA security cannot guarantee secrecy under active attacks: the attacker can compromise security by modifying ciphertexts. Recall: MAC schemes provide existential unforgeability against active attacks.

19 Chosen ciphertext attacks (IND-CCA1)
Non-adaptive chosen ciphertext attacks (IND-CCA1).
[Diagram] Challenger (C) and Attacker (A) both receive 1^s. C samples k ← Gen(1^s) and b ∈_R {0,1}.
For i = 1, …, n: A sends (mi, ci) ∈ M × C; C replies with (ci′, mi′) where ci′ ← Enc_k(mi) and mi′ ← Dec_k(ci).
Then A sends (M0, M1) ∈ M × M and C replies with C ← Enc_k(Mb). Finally A outputs b′ ∈ {0,1}. Define A's advantage to be Adv_CCA1(A) := |Pr[b = b′] − 1/2|.

20 Chosen ciphertext attacks (IND-CCA1)
Non-adaptive chosen ciphertext attacks (IND-CCA1).
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under (non-adaptive) chosen ciphertext attacks (or is IND-CCA1 secure) if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that Adv_CCA1(A) ≤ ε(s).
IND-CCA1 is sometimes called "lunchtime security": Alice uses Bob's decryption machinery while he is out for lunch; when Bob returns, Alice loses access to her decryption oracle. Alice wishes to formulate a sequence of queries she can issue over the lunch hour that will help her decrypt future messages to Bob.

21 Insufficiency of IND-CCA1 security
Q: Is IND-CCA1 sufficient?
A: NO! (But why?) The title of this slide suggests otherwise… and the "1" in "IND-CCA1" suggests the existence of "IND-CCA2". IND-CCA1 does not protect against the attacks we used to motivate chosen ciphertext security! However, IND-CCA1 is no worse than IND-CPA.
Thm: If (Gen, Enc, Dec) is an IND-CCA1 secure encryption scheme, then it is also an IND-CPA secure encryption scheme. Moreover, the converse of this theorem is false! (i.e., IND-CPA ⇏ IND-CCA1)

22 Chosen ciphertext attacks (IND-CCA2)
Adaptive chosen ciphertext attacks (IND-CCA2).
[Diagram] Challenger (C) and Attacker (A) both receive 1^s. C samples k ← Gen(1^s) and b ∈_R {0,1}.
Before the challenge, A sends queries (mi, ci) ∈ M × C and C replies with (ci′, mi′) where ci′ ← Enc_k(mi) and mi′ ← Dec_k(ci). Then A sends (M0, M1) ∈ M × M and C replies with C ← Enc_k(Mb). After the challenge, A may continue querying (mn, cn) ∈ M × (C \ {C}), receiving (cn′, mn′) with cn′ ← Enc_k(mn) and mn′ ← Dec_k(cn); A cannot ask for Dec_k(C). Finally A outputs b′ ∈ {0,1}. Define A's advantage to be Adv_CCA2(A) := |Pr[b = b′] − 1/2|.

23 Chosen ciphertext attacks (IND-CCA2)
Adaptive chosen ciphertext attacks (IND-CCA2).
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under adaptive chosen ciphertext attacks (or is IND-CCA2 secure) if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that Adv_CCA2(A) ≤ ε(s).
The following theorem is trivially true. Thm: If (Gen, Enc, Dec) is an IND-CCA2 secure encryption scheme, then it is also an IND-CCA1 secure (and, therefore, IND-CPA secure) encryption scheme. Moreover, the converse of this theorem is false! (i.e., IND-CCA1 ⇏ IND-CCA2)

24 Authenticated encryption
Defn: An authenticated encryption scheme is a triple of algorithms (Gen, AuthEnc, AuthDec) such that
  Gen: 1^ℕ → K is a randomized "key generation" algorithm;
  AuthEnc: K × M → Ck is a randomized "authenticated encryption" algorithm;
  AuthDec: K × C′ → M ∪ {⊥} is a deterministic "decryption" algorithm, where ⊥ is the invalid ciphertext flag.
Here K is the key space (the set of possible keys), M is the message space (the set of possible messages), Ck is the ciphertext space (the set of possible ciphertexts under the key k), and C′ is a superset of C (the set of things that look like possible ciphertexts). Intuitively, |C| << |C′| and, given c ∈ C′, it should be hard to tell if c ∈ Ck.

25 Correctness for authenticated encryption
Intuitively: correctness is the property of being able to decrypt "properly encrypted" messages (given the correct key).
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) with key space K and message space M is correct if ∀k ∈ K and ∀m ∈ M, Pr[AuthDec_k(AuthEnc_k(m)) = m] = 1 and, ∀c ∈ C′ \ Ck, Pr[AuthDec_k(c) = ⊥] = 1.

26 Ciphertext integrity game
[Diagram] Challenger (C) and Forger (A) both receive 1^s. C samples k ← Gen(1^s).
For i = 1, …, n: A sends mi ∈ M and C replies with ci ← AuthEnc_k(mi).
Finally A outputs c ∈ C′ \ {c1, …, cn}. Define A's advantage to be Adv_CI(A) := Pr[AuthDec_k(c) ≠ ⊥].

27 Unforgeable authenticated encryption
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) is existentially unforgeable under adaptive chosen plaintext attacks if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ⁺ such that Adv_CI(A) ≤ ε(s).

28 Achieving IND-CCA2 security
Thm: If (Gen, AuthEnc, AuthDec) is an authenticated encryption scheme that (i) is existentially unforgeable under adaptive chosen message attacks, and (ii) has indistinguishable multiple encryptions under adaptive chosen plaintext attacks, then (Gen, AuthEnc, AuthDec) is IND-CCA2 secure.
Idea: Construct an IND-CCA2 secure scheme by making an IND-CPA secure scheme unforgeable using a MAC scheme!

29 Encrypt-and-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s).
AuthEnc_k(m) outputs (c, t) where c ← Enc_kE(m) and t ← MAC_kM(m).
AuthDec_k(c, t) computes m′ ← Dec_kE(c) and outputs m′ if Verify_kM(m′, t) = 1 and ⊥ otherwise.

30 MAC-then-encrypt
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s).
AuthEnc_k(m) outputs c ← Enc_kE(m ∥ t) where t ← MAC_kM(m).
AuthDec_k(c) computes m′ ∥ t′ ← Dec_kE(c) and outputs m′ if Verify_kM(m′, t′) = 1 and ⊥ otherwise.

31 Encrypt-then-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme; (GenM, MAC, Verify) is an existentially unforgeable MAC.
Gen(1^s) outputs k = (kE, kM) where kE ← GenE(1^s) and kM ← GenM(1^s).
AuthEnc_k(m) outputs (c, t) where c ← Enc_kE(m) and t ← MAC_kM(c).
AuthDec_k(c, t) outputs m′ ← Dec_kE(c) if Verify_kM(c, t) = 1 and ⊥ otherwise.
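Slides 16 to 18 show that an IND-CPA secure scheme can still be malleable, and slides 28 and 31 show the repair. The Python below is an added example, not code from the lecture: it pairs a constructed stream cipher (a CTR-style keystream derived with SHA-256, standing in for an IND-CPA secure Enc with the same XOR structure as real CTR mode) with HMAC-SHA256 as the MAC, composed as Encrypt-then-MAC. demo replays the header-rewriting idea from slide 16 against the bare cipher, where the destination silently changes, and against AuthDec, which returns ⊥ (None here) because the tag covers the ciphertext and no longer verifies. Key sizes, the nonce length and the sample message are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(k_e: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = SHA-256(k_E ∥ nonce ∥ i). A constructed stand-in for a
    block cipher in CTR mode; it shares the XOR structure that makes CTR malleable."""
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks of 32 bytes
        out += hashlib.sha256(k_e + nonce + counter.to_bytes(8, "big")).digest()
    return out[:length]


def enc(k_e: bytes, m: bytes) -> bytes:
    """Enc_kE: fresh random nonce, then m ⊕ keystream. IND-CPA-style secrecy, no integrity."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(m, _keystream(k_e, nonce, len(m)))


def dec(k_e: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return _xor(body, _keystream(k_e, nonce, len(body)))


def gen() -> tuple:
    """Gen(1^s): k = (k_E, k_M), independent keys for encryption and for the MAC."""
    return os.urandom(32), os.urandom(32)


def auth_enc(k: tuple, m: bytes) -> tuple:
    """Encrypt-then-MAC (slide 31): c ← Enc_kE(m), t ← MAC_kM(c). The tag covers the ciphertext."""
    k_e, k_m = k
    c = enc(k_e, m)
    return c, hmac.new(k_m, c, hashlib.sha256).digest()


def auth_dec(k: tuple, c: bytes, t: bytes):
    """Verify_kM(c, t) first, in constant time; decrypt only on success, else return None (⊥)."""
    k_e, k_m = k
    if not hmac.compare_digest(hmac.new(k_m, c, hashlib.sha256).digest(), t):
        return None
    return dec(k_e, c)


def xor_at(data: bytes, offset: int, mask: bytes) -> bytes:
    """XOR mask into data at offset; models an active attacker editing ciphertext bits in transit."""
    out = bytearray(data)
    for i, b in enumerate(mask):
        out[offset + i] ^= b
    return bytes(out)


def demo(k: tuple) -> tuple:
    """Slide 16's header rewrite on this cipher: flip ciphertext bits so 'dest=bob' reads 'dest=eve'.
    Returns (what bare Dec yields, what AuthDec yields) for the same tampered ciphertext."""
    m = b"dest=bob|pay 10"                            # constructed sample message
    c, t = auth_enc(k, m)
    c_bad = xor_at(c, NONCE_LEN + len(b"dest="), _xor(b"bob", b"eve"))
    return dec(k[0], c_bad), auth_dec(k, c_bad, t)   # (b"dest=eve|pay 10", None)


if __name__ == "__main__":
    print(demo(gen()))
```

Because the tag is computed over c rather than over m, AuthDec rejects before any decryption happens; this is also why the same construction gives ciphertext integrity in the sense of slide 26, whereas a tag over the plaintext (slides 29 and 30) would still verify for any ciphertext that decrypts to the same m.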

32 Security of MAC+encryption constructions
[Table; cell markings not recoverable from the transcript] Columns: Secrecy (IND-CPA, IND-CCA) and Integrity (Plaintext, Ciphertext). Rows (composition method): Encrypt-and-MAC; MAC-then-Encrypt; Encrypt-then-MAC with a strongly unforgeable MAC; Encrypt-then-MAC with a weakly unforgeable MAC.

33 That’s all for today, folks!

