Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Recall
- Security definitions of MAC: cma, strong cma, cmva, strong cmva
- Construction from PRF
- Domain extension: how to find a tag for a long message
  o CBC-MAC
- Authenticated Encryption (AE): message privacy + integrity
  o Definition
  o Construction of AE from a cpa-secure SKE + an scma-secure MAC

Today's Goal
- Authenticated Encryption (AE)
  o Definition (recall)
  o Construction of AE from a cpa-secure SKE + an scma-secure MAC
  o Proof
- Looking back and ahead
- Some rectifications

CMA Security for MAC
Π = (Gen, Mac, Vrfy), security parameter n. Experiment Mac-forge^cma_{A,Π}(n):
- Attacker A, run time poly(n): "I can break Π"
- k ← Gen(1^n)
- Training phase: A adaptively asks for tags on messages m_1, …, m_l and receives t_i = Mac_k(m_i); let Q = {m_1, …, m_l}
- A outputs a forged pair (m, t): "Let me verify"
- Game output: 1 (A succeeds) if Vrfy_k(m, t) = 1 and m ∉ Q; 0 (A fails) otherwise
Π is CMA-secure if for every A there is a negl(n) such that Pr[Mac-forge^cma_{A,Π}(n) = 1] ≤ negl(n)

Strong CMA Security for MAC
Π = (Gen, Mac, Vrfy), security parameter n. Experiment Mac-sforge_{A,Π}(n):
- Attacker A, run time poly(n): "I can break Π"
- k ← Gen(1^n)
- Training phase: A adaptively asks for tags on m_1, …, m_l and receives t_i = Mac_k(m_i); let Q = {(m_1, t_1), …, (m_l, t_l)}
- A outputs a forged pair (m, t): "Let me verify"
- Game output: 1 (A succeeds) if Vrfy_k(m, t) = 1 and (m, t) ∉ Q; 0 (A fails) otherwise
Π is strong CMA-secure if for every A there is a negl(n) such that Pr[Mac-sforge_{A,Π}(n) = 1] ≤ negl(n)

Rectifications
Rectification: it is NOT true that you need a randomized MAC to satisfy scma-security.
- Any MAC that has canonical verification and is cma-secure is also scma-secure.
- Every deterministic MAC has canonical verification.
- For a deterministic MAC it is enough to prove cma-security, as scma-security comes 'free'.
- AE: authenticate-and-encrypt can never be cpa-secure when you use a deterministic MAC as a building block.
- The PRF-based scheme is scma-secure (because it is deterministic and provably cma-secure).
- AE: encrypt-then-authenticate; we have built both the primitives.

Authenticated Encryption
Π = (Gen, Enc, Dec) is an authenticated encryption if
- Π = (Gen, Enc, Dec) is cpa-secure, AND
- Π = (Gen, Enc, Dec) has ciphertext integrity (it is hard to come up with a ciphertext that has a valid decryption, even after sufficient training)

Ciphertext Integrity
Π = (Gen, Enc, Dec). Experiment CiIn_{A,Π}(n):
- PPT attacker A: "I can forge Π"
- k ← Gen(1^n)
- Training phase: A sends messages to the encryption oracle and receives their encryptions; let Q = {c_1, …, c_t}
- A outputs a ciphertext c: "Let me verify"
- Game output: 1 if Dec_k(c) = m ≠ ⊥ and c ∉ Q; 0 if Dec_k(c) = ⊥ or c ∈ Q
Π has ciphertext integrity if for every PPT A: Pr[CiIn_{A,Π}(n) = 1] ≤ negl(n)

AE: Encrypt then Authenticate
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be an scma-secure MAC. Π' = (Gen', Enc', Dec') is an authenticated encryption:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m); t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥; else m := Dec_{k_E}(c)
Lemma: If Π_E is cpa-secure then Π' is cpa-secure.
Reduction (diagram): A_E plays the cpa game for Π_E and internally runs A, who plays the cpa game for Π'. A_E picks k_M itself.
- Training phase: each encryption query of A is forwarded to the Enc_{k_E} oracle; A_E returns (c_i, t_i) with t_i ← Mac_{k_M}(c_i).
- Challenge: A sends m_0, m_1; A_E forwards them, receives c* ← Enc_{k_E}(m_b), computes t* ← Mac_{k_M}(c*) and hands (c*, t*) to A.
- A_E outputs A's guess b'. A's non-negligible advantage against Π' becomes A_E's non-negligible advantage against Π_E.

AE: Encrypt then Authenticate
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be an scma-secure MAC. Π' = (Gen', Enc', Dec') is an authenticated encryption:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m); t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥; else m := Dec_{k_E}(c)
Lemma: If Π_M is scma-secure then Π' has ciphertext integrity.
Reduction (diagram): A_M plays the scma game for Π_M and internally runs A, who plays the CiIn game for Π'. A_M picks k_E itself.
- Training phase: for each message m_i of A, A_M computes c_i ← Enc_{k_E}(m_i), obtains t_i from the Mac_{k_M} oracle and returns (c_i, t_i).
- A outputs (c*, t*). If (c*, t*) ∉ {(c_1, t_1), …, (c_q, t_q)} and Dec'_{k_M,k_E}(c*, t*) ≠ ⊥, then (c*, t*) ∉ {(c_1, t_1), …, (c_q, t_q)} and Vrfy_{k_M}(c*, t*) = 1, i.e. (c*, t*) is a valid forgery; A_M outputs it.
- A's non-negligible advantage in the CiIn game becomes A_M's non-negligible advantage in the scma game.
Food for thought: does a similar reduction hold for authenticate-then-encrypt??
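The construction Π' from the two slides above, as an added example (not code from the lecture): a Python implementation of Encrypt-then-Authenticate with two independent keys. Assumptions made here and not on the slides: HMAC-SHA256 stands in for the PRF F; Π_E is the PRF-based randomized stream cipher c = r || (F_{k_E}(r, ctr) ⊕ m); Π_M is the deterministic MAC Mac_{k_M}(c) = F_{k_M}(c) with canonical verification, so, per the Rectifications slide, its cma-security gives scma-security for free. Dec' returns None (the slide's ⊥) before touching the ciphertext when the tag does not verify, and integrity_check contrasts Π_E alone, whose Dec never outputs ⊥, with Π', which rejects a ciphertext the encryption oracle never produced.

```python
"""Encrypt-then-Authenticate (Pi') from a PRF-based SKE and a deterministic MAC.

Added example, not part of the lecture slides. Assumptions (constructed here):
  * HMAC-SHA256 plays the role of the PRF F, of Pi_E's key stream and of Mac_{k_M}.
  * Pi_E is the randomized CTR-style stream cipher c = r || (F_{k_E}(r, ctr) XOR m).
  * Vrfy is canonical: recompute Mac_{k_M}(c) and compare in constant time.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

N = 32  # security parameter in bytes (n = 256 bits)


def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 used as a pseudorandom function with 32-byte output."""
    return hmac.new(key, x, hashlib.sha256).digest()


def _keystream(k_e: bytes, r: bytes, length: int) -> bytes:
    """Concatenate F_{k_E}(r || ctr) blocks until 'length' bytes are available."""
    blocks = (length + N - 1) // N
    return b"".join(prf(k_e, r + i.to_bytes(8, "big")) for i in range(blocks))


# ---- Pi_E = (Enc, Dec): cpa-secure SKE from a PRF; Dec never outputs bottom ----
def enc(k_e: bytes, m: bytes) -> bytes:
    r = os.urandom(N)  # fresh random nonce for every encryption
    return r + bytes(a ^ b for a, b in zip(m, _keystream(k_e, r, len(m))))


def dec(k_e: bytes, c: bytes) -> bytes:
    r, body = c[:N], c[N:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_e, r, len(body))))


# ---- Pi_M = (Mac, Vrfy): deterministic MAC with canonical verification ----
def mac(k_m: bytes, c: bytes) -> bytes:
    return prf(k_m, c)


def vrfy(k_m: bytes, c: bytes, t: bytes) -> bool:
    """Canonical verification: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac(k_m, c), t)


# ---- Pi' = (Gen', Enc', Dec'): Encrypt-then-Authenticate ----
def gen_prime() -> Tuple[bytes, bytes]:
    """Gen': two INDEPENDENT uniform keys k_E, k_M in {0,1}^n."""
    return os.urandom(N), os.urandom(N)


def enc_prime(k_e: bytes, k_m: bytes, m: bytes) -> Tuple[bytes, bytes]:
    c = enc(k_e, m)   # c <- Enc_{k_E}(m)
    t = mac(k_m, c)   # t <- Mac_{k_M}(c): the MAC covers the ciphertext, not m
    return c, t


def dec_prime(k_e: bytes, k_m: bytes, c: bytes, t: bytes) -> Optional[bytes]:
    if not vrfy(k_m, c, t):  # Vrfy_{k_M}(c, t) = 0: output bottom, never decrypt
        return None
    return dec(k_e, c)


def integrity_check(k_e: bytes, k_m: bytes, m: bytes) -> Tuple[bool, bool, bool]:
    """Returns (honest_ok, bare_ske_decrypts_modified, ae_rejects_modified).

    The modified ciphertext was never output by the encryption oracle, so in the
    CiIn experiment a valid decryption of it would count as a win for the attacker.
    """
    c, t = enc_prime(k_e, k_m, m)
    honest_ok = dec_prime(k_e, k_m, c, t) == m
    c_mod = c[:-1] + bytes([c[-1] ^ 0x01])            # a ciphertext not in Q
    bare_ske_decrypts_modified = len(dec(k_e, c_mod)) == len(m)  # Pi_E has no bottom
    ae_rejects_modified = dec_prime(k_e, k_m, c_mod, t) is None  # Pi' outputs bottom
    return honest_ok, bare_ske_decrypts_modified, ae_rejects_modified


if __name__ == "__main__":
    k_e, k_m = gen_prime()
    print(integrity_check(k_e, k_m, b"constructed sample message"))  # (True, True, True)
```

integrity_check returns (True, True, True): the honest pair round-trips, Π_E on its own happily decrypts a ciphertext nobody encrypted (it has no ⊥ to output, which is exactly why cpa-security alone gives no integrity), and Π' rejects it because the tag no longer verifies.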

Need for Independent Keys
F: SPRP (strong pseudorandom permutation).
- Π_E: to encrypt m ∈ {0,1}^{n/2}, select a random r ∈ {0,1}^{n/2} and output c ← F_k(m || r). cca-secure!!
- Π_M: to authenticate c ∈ {0,1}^n, output tag t := F_k^{-1}(c). If F is a PRP then so is F^{-1}: scma-secure.
Assume k_E = k_M = k?
- Enc'_k(m) = Mac_k(Enc_k(m)) = F_k^{-1}(F_k(m || r)) = m || r, so the tag reveals the message.
Does this mean that the encrypt-then-authenticate approach is insecure? No, it is secure provided the encryption and MAC keys are independent.
For reference, Π' = (Gen', Enc', Dec') with Π_E = (Enc, Dec) a cpa-secure SKE and Π_M = (Mac, Vrfy) an scma-secure MAC:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m); t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥; else m := Dec_{k_E}(c)
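The shared-key counterexample on the slide above, run as an added example (not code from the lecture). It assumes a concrete SPRP that the slide leaves abstract: a 4-round Feistel network with HMAC-SHA256 round functions (the Luby-Rackoff construction of a strong PRP from a PRF), with block size n = 512 bits so that m and r are 256 bits each; the names F, F_inv, enc_E, mac_M and tag_leaks_message are the example's own. With k_E = k_M the transmitted tag t = F_k^{-1}(F_k(m || r)) = m || r carries the message in the clear; with independent keys it does not.

```python
"""Why k_E and k_M must be independent: the slide's SPRP counterexample, executed.

Added example, not part of the lecture. Assumptions (constructed here):
  * F_k is a 4-round Feistel network whose round functions are HMAC-SHA256 with
    a round index mixed in (Luby-Rackoff: 4 rounds of a PRF give an SPRP).
  * Block size n = 512 bits, so m and r are n/2 = 256 bits = 32 bytes each.
"""
import hashlib
import hmac
import os
from typing import Tuple

HALF = 32     # n/2 in bytes
ROUNDS = 4    # 4 rounds: strong PRP (3 rounds would give only a PRP)


def _round(k: bytes, i: int, x: bytes) -> bytes:
    """Round function f_i(x) = HMAC_k(i || x), a PRF indexed by the round number."""
    return hmac.new(k, bytes([i]) + x, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def F(k: bytes, x: bytes) -> bytes:
    """Forward permutation F_k on n-bit blocks: (L, R) -> (R, L xor f_i(R))."""
    L, R = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _round(k, i, R))
    return L + R


def F_inv(k: bytes, y: bytes) -> bytes:
    """Inverse permutation F_k^{-1}: undo the rounds in reverse order."""
    L, R = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(k, i, L)), L
    return L + R


# Pi_E (slide): c <- F_k(m || r) with fresh random r; cca-secure for an SPRP F
def enc_E(k: bytes, m: bytes) -> bytes:
    if len(m) != HALF:
        raise ValueError("message must be n/2 bits")
    r = os.urandom(HALF)
    return F(k, m + r)


def dec_E(k: bytes, c: bytes) -> bytes:
    return F_inv(k, c)[:HALF]   # drop the random half r


# Pi_M (slide): t := F_k^{-1}(c); F^{-1} is a PRP too, so this MAC is scma-secure
def mac_M(k: bytes, c: bytes) -> bytes:
    return F_inv(k, c)


def vrfy_M(k: bytes, c: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_M(k, c), t)


def enc_then_mac(k_e: bytes, k_m: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """Enc'_{k_E,k_M}(m) = (c, t) with c <- Enc_{k_E}(m), t <- Mac_{k_M}(c)."""
    c = enc_E(k_e, m)
    return c, mac_M(k_m, c)


def tag_leaks_message(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    """True iff the tag sent alongside c starts with the plaintext m."""
    _, t = enc_then_mac(k_e, k_m, m)
    return t[:HALF] == m


def demo() -> Tuple[bool, bool]:
    """(shared key leaks?, independent keys leak?) on a constructed message."""
    m = b"constructed 32-byte message....."   # exactly 32 bytes
    k = os.urandom(32)
    shared = tag_leaks_message(k, k, m)                 # k_E = k_M: t = m || r
    independent = tag_leaks_message(k, os.urandom(32), m)
    return shared, independent


if __name__ == "__main__":
    print(demo())   # (True, False)
```

demo() returns (True, False): both components are individually sound, and the lemma's reductions are correct, but the proofs assume k_E and k_M are chosen independently; reusing one key lets the MAC undo the encryption, which is the reason Gen' samples two keys.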

Every AE is cca-secure
Theorem: Every authenticated encryption is cca-secure.
Proof: On the board.

Authenticated Encryption ⇒ CCA-security
- For simplicity and without loss of generality, we assume that the attacker queries the decryption oracle only for ciphertexts not returned by the encryption oracle
  o For ciphertexts returned by the encryption oracle, the decryption oracle would only return plaintexts the attacker already knows
- Hybrid argument (diagram): in the cca game the attacker A interacts with the encryption oracle (queries M_1, …, M_q, answers C_1, …, C_q) and the decryption oracle (queries C*_1, …, C*_q, answers M*_1, …, M*_q), sends m_0, m_1, receives the challenge c ← Enc_k(m_0) in the left world and c ← Enc_k(m_1) in the right world, and outputs b'. The two worlds are shown to be indistinguishable in steps:
  o Since the encryption scheme is authenticated, the attacker cannot create a "new" ciphertext (one not received from the encryption oracle) that the decryption oracle accepts: that would violate ciphertext integrity. So in the left world every decryption query C*_i is answered with ⊥, …, ⊥ (up to negligible probability)
  o Due to the same argument (ciphertext integrity), the same holds in the right world
  o Decryption queries are therefore "useless" for the attacker, and the decryption oracle can be removed from both worlds
  o What remains is the cpa game. Since the scheme is an authenticated encryption it is cpa-secure, so Pr[b' = 1] differs only negligibly between c ← Enc_k(m_0) and c ← Enc_k(m_1)

CCA-security vs Authenticated Encryption
- Every authenticated encryption scheme is also a cca-secure cipher
- What about the converse?
  o There are encryption schemes which are only cca-secure (assignment problem)
- Conceptually the goals of CCA-security and authenticated encryption are different
  o CCA-security: aim is to achieve only privacy, even if an attacker disrupts the communication
  o Authenticated encryption: aim is to achieve both privacy and integrity
- Which is more efficient?
  o In the symmetric-key world both are almost equivalent
  o No reason to use just a cca-secure scheme (instead of an authenticated encryption) if the major concern is efficiency
  o In the public-key world the difference is more pronounced
- Depending upon the application, one needs to determine whether to go for CCA-security or authenticated encryption

Different Definitions of AE
Definition 1
> cca security
> Weak ciphertext integrity / unforgeability: the adversary cannot come up with a ciphertext for a message that he has not queried before. Does not rule out the adversary's ability to come up with a valid ciphertext for a message that he has queried before
> cca-security implication is explicit
Definition 2 (KL)
> cpa security
> Ciphertext integrity: the adversary cannot come up with a valid ciphertext for ANY message. Implies that if the receiver has received a valid ciphertext, it is THE ciphertext sent by the sender
> cca-security implication is NOT explicit or trivial: needs a proof
CT14 (for two): The authenticate-then-encrypt approach instantiated with a cpa-secure SKE and a cma-secure MAC yields a cpa-secure scheme with WEAK ciphertext integrity.
CT15 (for two): F: SPRP, m: n/2 bits, k: n bits, c = F_k(m || r), r: n/2-bit random string. Prove cca-security. Prove that it is not secure according to Definition 2 of AE.

Looking Back
- Perfect security: classical SKEs, dual limitations
- Computational security, Ind / Sem paradigm:
  o coa-security ← PRG
  o cpa-security ← PRF
  o cca-security; Authenticated Encryption
  o MACs: cma/scma-security ← PRF

Looking Back and Ahead
Diagram: OWF → PRG → PRF → Secret Key World: SKE, MAC (arrows (1)–(7)), with constructions from number theory
> These results have profound theoretical value!
> Direct constructions from number theory
> Only the practical constructions from stream ciphers / AES are used in practice