Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
1 Cryptography Lecture 6 Arpita Patra

2 Quick Recall and Today's Roadmap
>> MAC for fixed-length messages
>> Domain extension for MAC
>> Authenticated Encryption (AE): privacy and integrity; definition: CCA-security + unforgeability
>> AE: other definitions
>> AE ⇒ CCA security
>> Construction (again a bit tricky) based on a CPA-secure SKE + a CMA-secure MAC
>> AE: proof of security
>> Hash functions: various security notions
>> Merkle–Damgård domain extension
>> Davies–Meyer construction

3 Different Definitions of AE
Definition 1
>> CCA security
>> Unforgeability: the adversary cannot come up with a valid ciphertext for a message that he has not queried/seen before. This does not rule out the adversary's ability to come up with a (different) valid ciphertext for a message that he has queried/seen before.
>> The CCA-security implication is explicit.
Definition 2
>> CPA security
>> Ciphertext integrity: the adversary cannot come up with a valid ciphertext for ANY message, other than the ciphertexts he has already received. Implies that if the receiver accepts a ciphertext as valid, it is THE ciphertext sent by the sender.
>> The CCA-security implication is NOT explicit and not trivial: it needs a proof.

4 Ciphertext Integrity Experiment
Π = (Gen, Enc, Dec). Experiment CI_{A,Π}(n):
>> k ← Gen(1^n).
>> The PPT attacker A is given oracle access to Enc_k(·) ("I can forge"); let Q = {c_1, …, c_t} be the set of ciphertexts returned by the encryption oracle.
>> A outputs a ciphertext c ("let me verify").
>> The game outputs 1 if Dec_k(c) = m ≠ ⊥ and c ∉ Q, and outputs 0 if Dec_k(c) = ⊥ or c ∈ Q.
Π has ciphertext integrity if for every PPT A: Pr[CI_{A,Π}(n) = 1] ≤ negl(n).

5 Authenticated Encryption is CCA-secure Theorem: Every Authenticated Encryption is CCA-secure Proof: On the board.

6 Authenticated Encryption ⇒ CCA-security (proof sketch, slides 6–11)
>> For simplicity and without loss of generality, assume the attacker queries the decryption oracle only on ciphertexts not returned by the encryption oracle: for a ciphertext C_i that the encryption oracle returned for M_i, the decryption oracle would only return a plaintext the attacker already knows.
>> CCA game for Π with challenge c ← Enc_k(m_b): the attacker sends encryption queries M_1, …, M_q and receives C_1, …, C_q; sends decryption queries C*_1, …, C*_q and receives M*_1, …, M*_q; receives the challenge c; and finally outputs a bit b'.
>> Since the scheme is an authenticated encryption, the attacker cannot create a "new" ciphertext C*_i (one not received from the encryption oracle) that the decryption oracle accepts: that would violate ciphertext integrity. So, except with negligible probability, every decryption query is answered with ⊥.
>> Due to the same argument (ciphertext integrity) this holds in both the b = 0 world (c ← Enc_k(m_0)) and the b = 1 world (c ← Enc_k(m_1)). The decryption oracle can therefore be replaced by one that always answers ⊥, changing the attacker's success probability by at most a negligible amount.
>> Decryption queries are thus "useless" for the attacker, and what remains is exactly the CPA game.
>> Since an authenticated encryption is CPA-secure, the attacker's advantage in telling Enc_k(m_0) from Enc_k(m_1) is negligible. Hence Π is CCA-secure.

12 Ingredients for Authenticated Encryption >> CPA-secure SKE >> CMA-secure MAC >> How to combine them: the crux of AE

13 Attempt I (Encrypt-and-Authenticate)
>> Let Π_E = (Enc, Dec) be a CPA-secure cipher and Π_M = (Mac, Vrfy) be a MAC. Algorithm Gen of each selects a random key from the respective key space; k_E and k_M are independent keys for Π_E and Π_M.
>> Encryption of m: c ← Enc_{k_E}(m), t ← Mac_{k_M}(m); output (c, t).
>> Decryption of (c, t): m := Dec_{k_E}(c); if Vrfy_{k_M}(m, t) = 1 output m.

14 Attempt I (Encrypt-and-Authenticate), continued
>> Decryption of (c, t): if Vrfy_{k_M}(m, t) = 0 output ⊥.
>> This approach is used in SSH. Does it guarantee authenticated encryption? Not necessarily: a secure MAC does not necessarily preserve the privacy of m.
>> Ex: a MAC may always output the first two bits of m as the first two bits of the tag.
>> In general, if the MAC is deterministic (ex: CBC-MAC) then the tag for m is "fixed": two encryptions of the same message carry the same tag, which is already visible to a CPA attacker.
>> In general this approach is not recommended.

15 Attempt II (Authenticate-then-Encrypt)
>> Let Π_E = (Enc, Dec) be a CPA-secure cipher and Π_M = (Mac, Vrfy) be a MAC. Algorithm Gen of each selects a random key from the respective key space; k_E and k_M are independent.
>> Encryption of m: t ← Mac_{k_M}(m), c ← Enc_{k_E}(m || t); output c.
>> Decryption of c: m || t := Dec_{k_E}(c); if Vrfy_{k_M}(m, t) = 1 output m.

16 Attempt II (Authenticate-then-Encrypt), continued
>> Decryption of c: if Vrfy_{k_M}(m, t) = 0 output ⊥.
>> Note that the resultant encryption scheme is randomized, even if the MAC is deterministic (the tag is hidden under the CPA-secure encryption).
>> Unfortunately this approach does not always lead to an authenticated cipher: there exists an instantiation of Π_E which is CPA-secure and which, when combined with any MAC using the above approach, does not lead to an authenticated cipher.
>> This approach is used in SSL. Does it guarantee authenticated encryption? For particular instantiations it can, e.g. CBC-mode encryption + MAC using the above approach ⇒ authenticated encryption; but the security of this approach depends upon the underlying instantiation of Π_E.
>> In general this approach is not recommended.

17 Attempt III (Encrypt-then-Authenticate)
>> Let Π_E = (Enc, Dec) be a CPA-secure cipher and Π_M = (Mac, Vrfy) be a MAC. Algorithm Gen of each selects a random key from the respective key space; k_E and k_M are independent.
>> Encryption of m: c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t).
>> Decryption of (c, t): if Vrfy_{k_M}(c, t) = 1 output m := Dec_{k_E}(c).

18 Attempt III (Encrypt-then-Authenticate), continued
>> Decryption of (c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥ (nothing is decrypted before the tag has been verified).
>> This approach is used in IPSec. Does it guarantee authenticated encryption?
>> Note that the resultant encryption scheme is randomized, even if the MAC is deterministic.
>> Fortunately this approach always leads to an AE, irrespective of how Π_E and Π_M are instantiated (with independent keys).

19 Authenticated Encryption: Generic Construction
>> Let Π_E = (Enc, Dec) be a CPA-secure cipher and Π_M = (Mac, Vrfy) be a MAC. Then the construction Π' = (Gen', Enc', Dec') is an authenticated encryption, where:
>> Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n (independent keys).
>> Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t).
>> Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥; else output m := Dec_{k_E}(c).
>> If Π_E is CPA-secure then Π' is also CPA-secure. Proof by contrapositive: from a CPA attacker A_{Π'} with non-negligible advantage, build a CPA attacker A_{Π_E}. A_{Π_E} picks k_M itself and forwards each encryption query M_i of A_{Π'} to its own oracle; on receiving C_i ← Enc_{k_E}(M_i) it computes t_i ← Mac_{k_M}(C_i) and returns (C_i, t_i). For the challenge pair (m_0, m_1) it receives c* ← Enc_{k_E}(m_b), computes t* ← Mac_{k_M}(c*) and hands (c*, t*) to A_{Π'}; it outputs the bit b' that A_{Π'} outputs. The view of A_{Π'} is exactly as in its own CPA game, so A_{Π_E} has the same non-negligible advantage.

20 Authenticated Encryption: Generic Construction, continued
>> Security: need to show that Π' has CPA-security and ciphertext integrity.
>> If Π_M is a secure MAC then Π' has ciphertext integrity. Proof by contrapositive: from an attacker A_{Π'} that wins the ciphertext-integrity experiment with non-negligible probability, build a MAC forger A_{Π_M}. A_{Π_M} picks k_E itself; on each encryption query M_i it computes C_i ← Enc_{k_E}(M_i), obtains t_i ← Mac_{k_M}(C_i) from its MAC oracle and returns (C_i, t_i). When A_{Π'} outputs (c*, t*) such that (c*, t*) ∉ {(C_1, t_1), …, (C_q, t_q)} and (c*, t*) is a valid ciphertext, i.e. Vrfy_{k_M}(c*, t*) = 1, A_{Π_M} outputs (c*, t*) as its forgery.
>> Caveat: for the forgery to count, c* must be a message the MAC oracle was never asked about. With a deterministic MAC and canonical verification this is automatic (if c* = C_i then a valid t* must equal t_i, so (c*, t*) would not be new); for a MAC with randomized tags the argument needs strong CMA-security.
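The following is an added worked example, not code from the lecture: it instantiates slide 14 (Encrypt-and-Authenticate with a deterministic MAC) and slides 17–20 (the Encrypt-then-Authenticate construction) with standard-library components only. The assumptions are mine: Π_E is CTR mode over the PRF F_k(x) = HMAC-SHA256(k, x) (a CPA-secure cipher built the same way one builds CTR mode from a block cipher), Π_M is HMAC-SHA256, and the function names (enc, mac, etm_enc, ci_experiment, …) are my own. It also runs the ciphertext-integrity experiment of slide 4 against a bit-flipping adversary.

```python
import hmac
import hashlib
import secrets

# Added example (not from the lecture). Two independent 32-byte keys k_e, k_m.
#   Pi_E: CTR mode over the PRF F_k(x) = HMAC-SHA256(k, x)   (CPA-secure cipher)
#   Pi_M: Mac_k(x) = HMAC-SHA256(k, x)                        (CMA-secure, deterministic MAC)
NONCE_LEN = 16


def _prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()


def _ctr_xor(k_e: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream block i = F_{k_e}(nonce || i); XOR-ing with it is its own inverse.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = _prf(k_e, nonce + (i // 32).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def enc(k_e: bytes, m: bytes) -> bytes:
    # Enc_{k_E}(m): a fresh random nonce per call makes the cipher randomized.
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _ctr_xor(k_e, nonce, m)


def dec(k_e: bytes, c: bytes) -> bytes:
    return _ctr_xor(k_e, c[:NONCE_LEN], c[NONCE_LEN:])


def mac(k_m: bytes, x: bytes) -> bytes:
    return _prf(k_m, x)


def vrfy(k_m: bytes, x: bytes, t: bytes) -> bool:
    # Constant-time comparison; a plain == would leak tag bytes through timing.
    return hmac.compare_digest(mac(k_m, x), t)


# ---- Attempt I: Encrypt-and-Authenticate (slide 14) ----
def eam_enc(k_e: bytes, k_m: bytes, m: bytes):
    return enc(k_e, m), mac(k_m, m)        # tag is computed over the PLAINTEXT


def eam_leaks_equality(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    # CPA attacker: ask for m twice. The ciphertexts differ (random nonces) but the
    # deterministic tags coincide, so equal messages are recognisable: not CPA-secure.
    (_, t1), (_, t2) = eam_enc(k_e, k_m, m), eam_enc(k_e, k_m, m)
    return t1 == t2


# ---- Attempt III: Encrypt-then-Authenticate (slides 17-20) ----
def etm_enc(k_e: bytes, k_m: bytes, m: bytes):
    c = enc(k_e, m)
    return c, mac(k_m, c)                  # tag is computed over the CIPHERTEXT


def etm_dec(k_e: bytes, k_m: bytes, c: bytes, t: bytes):
    # Verify BEFORE decrypting; None plays the role of "bottom".
    if not vrfy(k_m, c, t):
        return None
    return dec(k_e, c)


def etm_roundtrip_ok(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    c, t = etm_enc(k_e, k_m, m)
    return etm_dec(k_e, k_m, c, t) == m


def ci_experiment(k_e: bytes, k_m: bytes, adversary) -> int:
    # Ciphertext-integrity experiment of slide 4 for the EtM scheme: the adversary
    # gets an encryption oracle, Q records what the oracle returned, and the output
    # is 1 iff the adversary's (c, t) is not in Q and decrypts to a message.
    q = []

    def enc_oracle(m: bytes):
        ct = etm_enc(k_e, k_m, m)
        q.append(ct)
        return ct

    c, t = adversary(enc_oracle)
    return int((c, t) not in q and etm_dec(k_e, k_m, c, t) is not None)


def bit_flip_adversary(enc_oracle):
    # The obvious forgery attempt: take a genuine ciphertext and flip one bit of c.
    c, t = enc_oracle(b"pay 100 to alice")  # constructed sample message
    c2 = bytearray(c)
    c2[-1] ^= 0x01
    return bytes(c2), t


if __name__ == "__main__":
    k_e, k_m = secrets.token_bytes(32), secrets.token_bytes(32)
    print("E&M: equal messages give equal tags:", eam_leaks_equality(k_e, k_m, b"hello"))
    print("EtM: round trip ok:", etm_roundtrip_ok(k_e, k_m, b"hello"))
    print("EtM: CI experiment output for bit-flip adversary:",
          ci_experiment(k_e, k_m, bit_flip_adversary))
```

The two compositions differ only in what the tag covers; the MAC-over-ciphertext choice is what lets the receiver reject a forged (c, t) without ever running Dec on attacker-controlled input, which is exactly the property the reduction on slide 20 uses.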

21 Need for Independent Keys
>> When a crypto primitive is constructed by combining several crypto sub-primitives, it is advisable to use independent keys for each sub-primitive.
>> Ex: consider the previous construction (Gen', Enc', Dec') but with k_E = k_M = k, and suppose Enc and Mac are as follows.
>> To encrypt m ∈ {0,1}^{n/2}, select a random r ∈ {0,1}^{n/2} and output c ← F_k(m || r), where F is an SPRP. Is this encryption scheme CPA-secure? It is actually CCA-secure, as F is an SPRP.
>> To authenticate c ∈ {0,1}^n, output the tag t := F_k^{-1}(c). Is this a secure MAC? It is: since F is an SPRP, F^{-1} is also a PRP, and a PRP is a secure fixed-length MAC.
>> What happens if we combine this Enc and Mac with k_E = k_M = k? Enc'_k(m) = (c, Mac_k(c)) with Mac_k(c) = F_k^{-1}(F_k(m || r)) = m || r: the tag is the plaintext.
>> Does this mean that the Encrypt-then-authenticate approach is insecure? No, it is secure provided the encryption and MAC keys are independent.
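An added example, not from the lecture, that runs the counterexample of slide 21 end to end. Assumptions are mine: F_k is realised as a 4-round Feistel network on 64-byte blocks whose round functions are HMAC-SHA256(k, i || x) with the round index i as domain separation (the Luby–Rackoff construction of an SPRP from a PRF), so n = 512 bits and m, r are 32 bytes each; all function names are my own.

```python
import hmac
import hashlib
import secrets

# Added example (not from the lecture): Enc_k(m) = F_k(m || r), Mac_k(c) = F_k^{-1}(c),
# and what happens to Encrypt-then-authenticate when both use the same key.
HALF = 32  # n/2 bytes; blocks of F are 2 * HALF = 64 bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, x: bytes) -> bytes:
    # Round function i: the PRF HMAC-SHA256 keyed with k, separated by the round index.
    return hmac.new(k, bytes([i]) + x, hashlib.sha256).digest()


def F(k: bytes, block: bytes) -> bytes:
    # Forward SPRP F_k: 4 Feistel rounds (L, R) -> (R, L xor f_i(R)).
    L, R = block[:HALF], block[HALF:]
    for i in range(4):
        L, R = R, _xor(L, _round(k, i, R))
    return L + R


def F_inv(k: bytes, block: bytes) -> bytes:
    # Inverse permutation F_k^{-1}: undo the rounds in reverse order.
    L, R = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(k, i, L)), L
    return L + R


# Pi_E: CCA-secure because F is an SPRP; r is a fresh random half-block.
def enc(k_e: bytes, m: bytes, r=None) -> bytes:
    assert len(m) == HALF, "m must be exactly n/2 bytes"
    r = secrets.token_bytes(HALF) if r is None else r
    return F(k_e, m + r)


def dec(k_e: bytes, c: bytes) -> bytes:
    return F_inv(k_e, c)[:HALF]


# Pi_M: a secure fixed-length MAC on n-byte messages, since F^{-1} is a PRP too.
def mac(k_m: bytes, c: bytes) -> bytes:
    return F_inv(k_m, c)


def vrfy(k_m: bytes, c: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(k_m, c), t)


# Encrypt-then-authenticate built from the two primitives.
def etm_enc(k_e: bytes, k_m: bytes, m: bytes):
    c = enc(k_e, m)
    return c, mac(k_m, c)


def tag_reveals_plaintext(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    # With k_e == k_m the tag is F_k^{-1}(F_k(m || r)) = m || r, i.e. the plaintext
    # itself. With independent keys the tag is F_{k_m}^{-1}(c), unrelated to m.
    _, t = etm_enc(k_e, k_m, m)
    return t[:HALF] == m


def scheme_roundtrip(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    c, t = etm_enc(k_e, k_m, m)
    return vrfy(k_m, c, t) and dec(k_e, c) == m


if __name__ == "__main__":
    k, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    m = b"attack at dawn, 32-byte message!"  # constructed sample, exactly 32 bytes
    print("shared key k_E = k_M leaks m:", tag_reveals_plaintext(k, k, m))
    print("independent keys leak m:    ", tag_reveals_plaintext(k, k2, m))
```

Each component is individually fine (the cipher is even CCA-secure, the MAC is unforgeable); the break comes entirely from key reuse letting the MAC undo the encryption, which is why the generic theorem on slide 19 is stated for independent k_E and k_M.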

22 CCA-security vs Authenticated Encryption
>> Every authenticated encryption scheme is also a CCA-secure cipher. What about the converse? There are encryption schemes which are only CCA-secure and not authenticated encryptions (assignment problem).
>> Conceptually the goals of CCA-security and authenticated encryption are different. CCA-security: aims to achieve only privacy, even if an attacker disrupts the communication. Authenticated encryption: aims to achieve both privacy and integrity.
>> Which is more efficient? In the symmetric-key world both are almost equivalent, so there is no reason to use a merely CCA-secure scheme instead of an authenticated encryption if the major concern is efficiency. In the public-key world the difference is more pronounced.
>> Depending upon the application one has to determine whether to go for CCA-security or authenticated encryption.

23 Picture So Far (Computational World)
>> Encryption: COA → CPA → CCA → Authenticated Encryption (CPA + Ciphertext Integrity); IND paradigm ≈ SEM paradigm; further notions: Selective Opening Attack (SOA) security (multi-sender/multi-receiver setting), …
>> Message authentication: Unforgeable (CMA, CMVA) → Strong CMA, Strong CMVA; Key-indistinguishable CMA and Key-indistinguishable CMVA (anonymous authentication), …
