Cryptography Lecture 12 Arpita Patra © Arpita Patra.

Recall
- Security definitions of MAC: cma, strong cma, cmva, strong cmva
- Construction from a PRF
- Domain extension: how to find a tag for a long message; CBC-MAC
- Authenticated Encryption (AE): message privacy + integrity
  - Definition
  - Construction of AE from a cpa-secure SKE + an scma-secure MAC

Today’s Goal
- Authenticated Encryption (AE)
  - Construction of AE from a cpa-secure SKE + an scma-secure MAC: proof
  - AE → cca-secure SKE
- Looking back and ahead

Authenticated Encryption
Π = (Gen, Enc, Dec) is an authenticated encryption if
- Π = (Gen, Enc, Dec) is cpa-secure, AND
- Π = (Gen, Enc, Dec) has ciphertext integrity (it is hard to come up with a ciphertext that has a valid decryption, even after sufficient training).

AE: Encrypt then Authenticate
Let E = (Enc, Dec) be a cpa-secure SKE and M = (Mac, Vrfy) be an scma-secure MAC. Π' = (Gen', Enc', Dec') is the following authenticated encryption:
- Gen'(1^n): kE ←R {0,1}^n, kM ←R {0,1}^n (two independent keys)
- Enc'_{kE,kM}(m): c ← Enc_kE(m); t ← Mac_kM(c); output (c, t)
- Dec'_{kE,kM}(c, t): if Vrfy_kM(c, t) = 0, output ⊥ (reject); else output m := Dec_kE(c)

Lemma: If E is cpa-secure then Π' is cpa-secure.
Proof (reduction): Given a PPT attacker A with non-negligible advantage in the cpa game for Π', build an attacker A_E for the cpa game for E. A_E picks kM ←R {0,1}^n itself and runs A internally.
- Training phase: whenever A asks for an encryption of m_i, A_E forwards m_i to its own encryption oracle, receives c_i ← Enc_kE(m_i), computes t_i ← Mac_kM(c_i) and returns (c_i, t_i) to A.
- Challenge: A outputs (m0, m1); A_E forwards (m0, m1), receives c* ← Enc_kE(m_b), computes t* ← Mac_kM(c*) and hands (c*, t*) to A. A may continue training as above.
- A_E outputs whatever bit b' A outputs.
A's view is exactly its view in the cpa game for Π', so A_E has the same non-negligible advantage.

Ciphertext Integrity Experiment CiIn_{A,Π}(n)
- Π = (Gen, Enc, Dec); A is a PPT attacker.
- k ← Gen(1^n).
- Training: A has access to an encryption oracle; it submits messages and receives ciphertexts. Let Q = {c1, …, ct} be the set of ciphertexts returned by the oracle.
- A outputs a ciphertext c ("I can forge"); the experiment checks it ("Let me verify").
- Game output: 1 if Dec_k(c) = m ≠ ⊥ and c ∉ Q; 0 if Dec_k(c) = ⊥ or c ∈ Q.
Π has ciphertext integrity if for every PPT A: Pr[CiIn_{A,Π}(n) = 1] ≤ negl(n).

AE: Encrypt then Authenticate (continued)
Π' = (Gen', Enc', Dec') as before: Gen' picks kE ←R {0,1}^n and kM ←R {0,1}^n; Enc'(m) outputs (c, t) with c ← Enc_kE(m) and t ← Mac_kM(c); Dec'(c, t) outputs ⊥ if Vrfy_kM(c, t) = 0 and m := Dec_kE(c) otherwise.

Lemma: If M is scma-secure then Π' has ciphertext integrity.
Proof (reduction): Given a PPT attacker A with non-negligible advantage in the CiIn game for Π', build an attacker A_M for the scma game for M. A_M picks kE ←R {0,1}^n itself and runs A internally.
- Training phase: whenever A asks for an encryption of m_i, A_M computes c_i ← Enc_kE(m_i), queries its Mac oracle on c_i to obtain t_i ← Mac_kM(c_i), and returns (c_i, t_i) to A.
- Forgery: A outputs (c*, t*) ∉ {(c1, t1), …, (cq, tq)} such that Dec'_{kM,kE}(c*, t*) ≠ ⊥, i.e. Vrfy_kM(c*, t*) = 1. A_M outputs (c*, t*).
Since (c*, t*) ∉ {(c1, t1), …, (cq, tq)} and it verifies, it is a valid forgery in the strong cma game (either c* is a new message or t* is a new tag for an old c*), so A_M has the same non-negligible advantage.

Food for thought: Does a similar reduction hold for authenticate-then-encrypt? (There the adversary could be good at finding a different ciphertext for the same message m||t it queried before. Such a c* is valid, but it corresponds to the same m||t, so it does not give a MAC forgery.)
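The Encrypt-then-Authenticate scheme Π' above, written out as an added example (not code from the lecture): the cpa-secure SKE is the PRF-based counter-mode construction with HMAC-SHA256 standing in for the PRF, the MAC is HMAC-SHA256 as well, and Dec' verifies the tag before decrypting. The function names and the mauled ciphertexts in forgery_attempts are constructed for this illustration; each mauled pair is a CiIn-style forgery attempt and must decrypt to ⊥ (None here).

```python
import hashlib
import hmac
import secrets

NONCE = 16  # bytes of randomness r per encryption (constructed toy parameter)

def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 stands in for the PRF of the course's constructions."""
    return hmac.new(key, x, hashlib.sha256).digest()

def keystream(kE: bytes, r: bytes, length: int) -> bytes:
    """Counter-mode pad F_kE(r||0) || F_kE(r||1) || ... truncated to length bytes."""
    blocks = -(-length // 32)  # ceil(length / 32)
    return b"".join(prf(kE, r + i.to_bytes(4, "big")) for i in range(blocks))[:length]

def ske_enc(kE: bytes, m: bytes) -> bytes:
    """cpa-secure SKE from a PRF: c = r || (m XOR pad), fresh random r every time."""
    r = secrets.token_bytes(NONCE)
    return r + bytes(a ^ b for a, b in zip(m, keystream(kE, r, len(m))))

def ske_dec(kE: bytes, c: bytes) -> bytes:
    r, body = c[:NONCE], c[NONCE:]
    return bytes(a ^ b for a, b in zip(body, keystream(kE, r, len(body))))

def mac(kM: bytes, c: bytes) -> bytes:
    """Mac_kM(c): HMAC-SHA256, taken as an scma-secure MAC on arbitrary-length c."""
    return prf(kM, c)

def gen_prime() -> tuple:
    return secrets.token_bytes(32), secrets.token_bytes(32)  # INDEPENDENT kE, kM

def enc_prime(kE: bytes, kM: bytes, m: bytes) -> tuple:
    """Enc': c <- Enc_kE(m); t <- Mac_kM(c); output (c, t)."""
    c = ske_enc(kE, m)
    return c, mac(kM, c)

def dec_prime(kE: bytes, kM: bytes, c: bytes, t: bytes):
    """Dec': verify the tag FIRST; return None (bot) on failure, else Dec_kE(c)."""
    if not hmac.compare_digest(mac(kM, c), t):
        return None
    return ske_dec(kE, c)

def forgery_attempts(kE: bytes, kM: bytes, m: bytes) -> list:
    """CiIn-style check: mauled versions of a genuine (c, t) must all decrypt to bot."""
    c, t = enc_prime(kE, kM, m)
    flip = lambda b, i: b[:i] + bytes([b[i] ^ 1]) + b[i + 1:]  # flip one bit of byte i
    candidates = [(flip(c, 0), t), (flip(c, len(c) - 1), t), (c, flip(t, 0)), (c[:-1], t)]
    return [dec_prime(kE, kM, c2, t2) for c2, t2 in candidates]
```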

Need for Independent Keys
Π' = (Gen', Enc', Dec') as before: Gen' picks kE ←R {0,1}^n and kM ←R {0,1}^n; Enc'(m) outputs (c, t) with c ← Enc_kE(m) and t ← Mac_kM(c); Dec'(c, t) outputs ⊥ if Vrfy_kM(c, t) = 0 and m := Dec_kE(c) otherwise.

Consider the following instantiation. Let F be an SPRP (strong pseudorandom permutation) on n bits.
- E: to encrypt m ∈ {0,1}^{n/2}, select a random r ∈ {0,1}^{n/2} and output c ← F_k(m || r). This E is cca-secure!!
- M: to authenticate c ∈ {0,1}^n, output the tag t := F_k^{-1}(c). This M is scma-secure (if F is a PRP then so is F^{-1}).
Now assume the two keys are the same: kE = kM = k. Then the tag component of Enc'_k(m) is
Mac_k(Enc_k(m)) = F_k^{-1}(F_k(m || r)) = m || r,
so the ciphertext reveals m in the clear.
Does this mean that the Encrypt-then-authenticate approach is insecure? No: it is secure provided the encryption and MAC keys are independent.
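The key-reuse counterexample above, as an added example (not code from the lecture). The lecture only needs an abstract SPRP F; here a 4-round Feistel network with per-round HMAC-SHA256 round functions stands in for it (Luby-Rackoff style, assumed to be an SPRP for the purpose of the illustration). E encrypts m as F_k(m || r), M tags c as F_k^{-1}(c), and tag_leak shows that with kE = kM the tag is exactly m || r, while independent keys give an unrelated tag. All names and the 256-bit block size are constructed.

```python
import hashlib
import hmac
import secrets

HALF = 16  # n/2 in bytes: n = 256-bit blocks, m and r are 128 bits each (constructed)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(k: bytes, rnd: int, x: bytes) -> bytes:
    """Feistel round function f_{k,rnd}(x): HMAC-SHA256 truncated to n/2 bits (assumed a PRF)."""
    return hmac.new(k, bytes([rnd]) + x, hashlib.sha256).digest()[:HALF]

def F(k: bytes, x: bytes) -> bytes:
    """F_k: 4-round Feistel permutation on n bits; a Luby-Rackoff style stand-in for the SPRP."""
    L, R = x[:HALF], x[HALF:]
    for rnd in range(4):
        L, R = R, xor(L, round_fn(k, rnd, R))
    return L + R

def F_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}: run the rounds backwards."""
    L, R = y[:HALF], y[HALF:]
    for rnd in reversed(range(4)):
        L, R = xor(R, round_fn(k, rnd, L)), L
    return L + R

def ske_enc(kE: bytes, m: bytes) -> bytes:
    """E (cca-secure): pick random r in {0,1}^{n/2}, output c <- F_kE(m || r)."""
    assert len(m) == HALF
    return F(kE, m + secrets.token_bytes(HALF))

def ske_dec(kE: bytes, c: bytes) -> bytes:
    return F_inv(kE, c)[:HALF]  # drop r

def mac(kM: bytes, c: bytes) -> bytes:
    """M (scma-secure, since F^{-1} is a PRP too): tag t := F_kM^{-1}(c)."""
    return F_inv(kM, c)

def enc_prime(kE: bytes, kM: bytes, m: bytes) -> tuple:
    """Encrypt-then-authenticate: (c, t) = (Enc_kE(m), Mac_kM(c))."""
    c = ske_enc(kE, m)
    return c, mac(kM, c)

def tag_leak(kE: bytes, kM: bytes, m: bytes) -> bytes:
    """What a passive observer reads off the tag: its first n/2 bits.
    With kE == kM this is F_k^{-1}(F_k(m || r)) = m || r, i.e. the plaintext m itself."""
    _, t = enc_prime(kE, kM, m)
    return t[:HALF]
```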

Every AE is cca-secure
Theorem: Every authenticated encryption is cca-secure.
Proof: On the board.

Authenticated Encryption ⇒ CCA-security
Setup: compare the cca game in which the challenge ciphertext is c ← Enc_k(m0) with the one in which it is c ← Enc_k(m1). In each game the attacker makes encryption queries M1, …, Mq and receives C1, …, Cq, makes decryption queries C*1, …, C*q and receives M*1, …, M*q, and finally outputs a bit b'. We must show that Pr[b' = 1] differs only negligibly between the two games.
- For simplicity and without loss of generality, we assume that the attacker queries the decryption oracle only for ciphertexts not returned by the encryption oracle: for the other queries the decryption oracle would return plaintexts which the attacker already knows.
- Since the encryption scheme is authenticated, the attacker cannot create a "new" ciphertext (one not received from the encryption oracle) and obtain a valid decryption of it from the decryption oracle: that would violate ciphertext integrity. So, except with negligible probability, the decryption answers in the game with c ← Enc_k(m0) are (M*1, …, M*q) = (⊥, …, ⊥).
- Due to the same argument (ciphertext integrity), the decryption answers in the game with c ← Enc_k(m1) are also (⊥, …, ⊥).
- Hence decryption queries are "useless" for the attacker: both games can be run without the decryption oracle at all, i.e. they are the cpa games with challenge c ← Enc_k(m0) and c ← Enc_k(m1) respectively.
- Since the scheme is an authenticated encryption, it is cpa-secure, so Pr[b' = 1] in the two cpa games differs only negligibly. This completes the proof.

CCA-security vs Authenticated Encryption
- Every authenticated encryption scheme is also a cca-secure cipher. What about the converse? There are encryption schemes which are only cca-secure (assignment problem).
- Conceptually the goals of CCA-security and authenticated encryption are different:
  - CCA-security: the aim is to achieve only privacy, even if an attacker disrupts the communication.
  - Authenticated encryption: the aim is to achieve both privacy and integrity.
- Which is more efficient? In the symmetric-key world both are almost equivalent; there is no reason to use just a cca-secure scheme (instead of an authenticated encryption) if the major concern is efficiency. In the public-key world the difference is more pronounced.
- Depending upon the application, one needs to determine whether to go for CCA-security or authenticated encryption.

Different Definitions of AE
Definition 1 (the one used in this lecture):
- cpa security
- Ciphertext integrity (the adversary cannot come up with a valid ciphertext for ANY message). This implies that if the receiver has received a valid ciphertext, it is THE ciphertext sent by the sender.
- The cca-security implication is NOT explicit or trivial: it needs a proof.
Definition 2 (KL):
- cca security
- Weak ciphertext integrity / unforgeability (the adversary cannot come up with a ciphertext for a message that he has not queried before). This does not rule out the adversary's ability to come up with a valid ciphertext for a message that he has queried before.
- The cca-security implication is explicit.

CT14 (for two): The authenticate-then-encrypt approach instantiated with a cpa-secure SKE and a cma-secure MAC yields a cpa-secure scheme with WEAK ciphertext integrity.
CT15 (for two): F: SPRP, m: n/2 bits, k: n bits, c = F_k(m||r), r: n/2-bit random string. Prove cca-security. Prove that it is not secure according to Definition 2 of AE.