1. B504/I538: Introduction to Cryptography
Spring • Lecture 13
(2017—02—21)

2. Assignment 3 is due next Tuesday!
(2017—02—28)
(That’s just one week from today!!)

3. Recall: Nested CBC-MAC (NMAC)
m≔ m 1 m 2 ⋯ m n mn m1 m2 k1 k1 k1   
F k1
F k1
. . .
F k1
F k2
0 s k2 t
Compute Naïve CBC-MAC with first key
MAC the Naïve CBC-MAC with second key

4. Hash-based MAC (HMAC)
The most widely used MAC algorithm in practice
Hs is a collision-resistant (keyed) hash function
k is the secret MAC key
opad = 0x5c5c5c ... 5c
ipad = 0x
1 block
"outer" pad
HMACs,k(m) := Hs( (k ⊕ opad ) 11 Hs( (k ⊕ ipad ) 11 m ) )
"inner" pad
n blocks
1 block
Chosen so that (opad ⊕ ipad ) has
large Hamming weight

5. HMAC . . . h s h s h s h s h s m1 mn t m≔ m 1 m 2 ⋯ m n k ⊕ ipad 0 s
k ⊕ opad
h s
h s
0 s t

6. Simpler HMAC constructions?
Q: Is H(k 11 m) a secure MAC?
A: No! (But why?)
Suppose H is constructed using Merkle-Damgård construction
Given (m, H(k 11 m)) it is easy to compute m' := m 11 m'' and t' such that t' = H(k 11 m')! (But how?)
Just set t' = H(t 11 m'')
Q: Is H(m 11 k) a secure MAC?
A: Errr, well....sort of!? It's not as secure as HMAC! (But why?)
If H(m0) = H(m1) then H(m0 11 k) = H(m1 11 k)
Weakness in collision-resistance of H implies weakness in HMAC

7. Simpler HMAC constructions?
Q: Is H(k 11 m 11 k) a secure HMAC?
A: I don't know! Possibly?
This is essentially HMAC without ipad and opad
Proof of existential unforgeability for HMAC requires that ipad and opad differ in at least one bit!
H(k 11 m 11 k) falls to "target prefix collision" attacks against H

8. Generic birthday attack
Let H: {0, 1}* → {0, 1}s and consider the following algorithm:
Choose N := (5/4) · 2s/2 distinct messages, m1, , mN, each uniformly at random
For i = 1, , N, compute yi := H(mi)
If yi = yj for some i ≠ j, then output (mi, mj)
Thm (birthday paradox): Let r1, , rN be independently and
identically distributed random variables taking on values in {0, 1}s.
If N = (5/4) · 2s/2, then Pr[ ∃i ≠ j, ri = rj ]≥ 1/2.

9. Generic birthday attack
Thm (birthday paradox): Let r1, , rN be independently and
identically distributed random variables taking on values in {0, 1}s.
If N = (5/4) · 2s/2, then Pr[ ∃i ≠ j, ri = rj ]> 1/2.
Proof (for uniform random variables):
Pr[∃i ≠ j, ri = rj ]
= 1 - Pr[∀i ≠ j, ri ≠ rj ]
= 1 - ((2s-1)/2s) ((2s-2)/2s) ((2s-N+1)/2s)
= 1 - i = 1 n−1 (1 − i/2s)
≥ 1 - i = 1 n−1 e -i/2s (1-x ≤ e-x)
= 1 - e-1/2s∑ i
≥ 1 - e-(N2/2)/2s
= 1 - e-((5/4 2s/2)2/2)/2s = 1-e-25/32 ≥ 0.54

10. Generic birthday attack
Obs: An attacker A that uses the generic birthday attack can find collisions with advantage Advcollision(A) > 1/2 in O(s·2s/2) time (albeit with O(s·2s/2) storage
Q: Is this a problem?
A: No! (in theory); Possibly! (in practice)
Real hash functions have fixed-length outputs
Need to ensure that 2s/2 work is infeasible....or do we? Memory is scarcer than time
Q: Is it sufficient to ensure no real attacker can store s·2s/2 bits?
A: Perhaps surprisingly, no!

11. "Small-space" birthday attack
Consider an attacker A that works as follows:
Choose a random initial value m0
Set m := m0 and m' := m0
For i = 1, 2, 3, . . ., do the following
Compute m := H(m) and m' := H(H(m')) // now m = H(i)(m0) and m' = H(2i)(m0)
If m == m', break from loop
Set m' := m and m := m0
For j = 1, . . ., i, do the following
If H(m) == H(m'), return (m, m')
Else, set m := H(m) and m' := H(m') // now m = H(j)(m0) and m' = H(i+j)(m0)
Thm: The above small-space birthday attack finds a collision with probability at least 1/2 in O(s·2s/2) time using O(1) storage.

12. Recall: IND-CPA security game
Challenger (C)
Attacker (A)
1 s
1 s
k ← Gen(1 s)
b ∈ 𝑅 {0, 1}
(m10, m11)
m10, m11 ∈ M
(1 m10 1 = 1 m11 1) c1
c1 ← Enck(m1b)
(m20, m21)
m20, m21 ∈ M
(1 m20 1 = 1 m21 1) c2
c2 ← Enck(m2b) ⋮
(mn0, mn1)
mn0, mn1 ∈ M
(1 mn0 1 = 1 mn1 1) cn
cn ← Enck(mnb)
b‘ ∈ {0, 1}
Define A’s advantage to be AdvCPA(A) := 1 Pr[b = b’]- 1/2 1

13. Secrecy versus Authenticity
Secrecy / confidentiality
IND-CPA: indistiguishable multiple encryptions in the presence of an eavesdropper
Provides ”security” in the presence of passive attackers
Authenticity / integrity
Existential unforgeability under adaptive chosen message attacks
Provides “security” in the presence of active attackers
“security” == secrecy
“security” == integrity

14. Active versus passive attackers
attacker only leverages passive observations and its prior knowledge
Chosen plaintext attacks force us to consider secrecy with respect to the “worst case” observations and prior knowledge
Active attackers
Attacker also alters communications to in an attempt to break security
Eavesdropping
ciphertexts
Known distribution
on plaintext
i.e., adds, removes, reorders, modifies,
duplicates, or delays messages

15. Chosen ciphertext security
Looking back: attacker was allowed to choose plaintexts
Challenger acted as an encryption oracle
Going forward: attacker can also choose ciphertexts
Challenger still acts as an encryption oracle
Challenger also acts as a decryption oracle

16. Active attack on IND-CPA secure crypto
server
dest
CBC mode m
dest ∥ m←Dec k (IV,c)
(IV,c)← Enc k (dest∥m)
(IV′, c)
dest′ ∥ m←Dec k (IV′, c) m

17. Active attack on IND-CPA secure crypto
Remote terminal app (SSH): each keystroke encrypted in CTR mode
Bad checksum (drop packet)
1 byte
c ←Enc k (TCP_header ∥ checksum ∥ keystroke)
2 bytes
ACK
c ⨁ 00⋯0 ∥ checksum′ ∥ keystroke′
c ⨁ 00⋯0 ∥ checksum′′ ∥ keystroke′′
c ⨁ 00⋯0 ∥ checksum′′′ ∥ keystroke′′′
c ⨁ 00⋯0 ∥ checksum′′′′ ∥ keystroke′′′′
ACK

18. A lesson learned
IND-CPA security cannot guarantee secrecy under active attacks
Attacker can compromise security by modifying ciphertexts
Recall: MAC schemes provide existential unforgeability against active attacks

19. Chosen ciphertext attacks (IND-CCA1)
Non-adaptive
Chosen ciphertext attacks (IND-CCA1)
Challenger (C)
Attacker (A)
1 s
1 s
k ← Gen(1 s)
b ∈ 𝑅 {0, 1}
(m1, c1)
(m1, c1) ∈ M x C
c1’ ←Enck(m1)
m1’ ←Deck(c1)
(c1’, m1’)
(m2, c2)
(m2, c2) ∈ M x C
c2’ ←Enck(m2)
m2’ ←Deck(c2)
(c2’, m2’) ⋮
(M0, M1)
(M0, M1) ∈ M x M C
C ←Enck(Mb)
b‘ ∈ {0, 1}
Define A’s advantage to be AdvCCA1(A) := 1 Pr[b = b’]- 1/2 1

20. Chosen ciphertext attacks (IND-CCA1)
Non-adaptive
Chosen ciphertext attacks (IND-CCA1)
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under (non-adaptive) chosen ciphertext attacks (or is IND-CCA1 secure) if, for every PPT attacker A, there exists a negligible function 𝜀:ℕ→ ℝ + such that AdvCCA1(A) ≤ 𝜀(s).
IND-CCA1 sometimes called a “lunchtime security”
Alice uses Bob’s decryption machinery while is out for lunch
When Bob returns, Alice loses access to her decryption oracle
Alice wishes to formulate a sequence of queries she can issue over lunch hour that will help her decrypt future messages to Bob

21. Insufficiency of IND-CCA1 security
Q: Is IND-CCA1 sufficient?
A: NO! (But why?)
The title of this slide suggests otherwise…
The “1” in “IND-CCA1” suggests existence of “IND-CCA2”
IND-CCA1 does not protect against the attacks we used to motivate chosen ciphertext security!
However, IND-CCA1 is no worse than IND-CPA
Thm: If (Gen, Enc, Dec) is an IND-CCA1 secure encryption scheme, then it is also an IND-CPA secure encryption scheme.
Moreover, the converse of this theorem is false! (i.e., IND-CPA ⇏ IND-CCA1)

22. Chosen ciphertext attacks (IND-CCA1)
Adaptive
Chosen ciphertext attacks (IND-CCA1)
Challenger (C)
Attacker (A)
1 s
1 s
k ← Gen(1 s)
b ∈ 𝑅 {0, 1}
(m1, c1)
(m1, c1) ∈ M x C
c1’ ←Enck(m1)
m1’ ←Deck(c1)
(c1’, m1’) ⋮
(M0, M1)
(M0, M1) ∈ M x M C
C ←Enck(Mb) ⋮
(mn, cn)
A cannot
ask for Deck(C)
(mn, cn) ∈ M x C \ {C}
c1’ ←Enck(mn)
m1’ ←Deck(cn)
(cn’, mn’)
b‘ ∈ {0, 1}
Define A’s advantage to be AdvCCA2(A) := 1 Pr[b = b’]- 1/2 1

23. Chosen ciphertext attacks (IND-CCA2)
Adaptive
Chosen ciphertext attacks (IND-CCA2)
Defn: An encryption scheme (Gen, Enc, Dec) has indistinguishable encryptions under adaptive chosen ciphertext attacks (or is IND-CCA2 secure) if, for every PPT attacker A, there exists a negligible function 𝜀:ℕ→ ℝ + such that AdvCCA2(A) ≤ 𝜀(s).
The following theorem is trivially true
Thm: If (Gen, Enc, Dec) is an IND-CCA2 secure encryption scheme, then it is also an IND-CCA1 secure (and, therefore, IND-CPA secure) encryption scheme.
Moreover, the converse of this theorem is false! (i.e., IND-CCA1 ⇏ IND-CCA2)

24. Authenticated encryption
Defn: An authenticated encryption scheme is a triple of algorithms (Gen, AuthEnc, AuthDec) such that
Gen: 1 ℕ → K is a randomized “key generation” algorithm;
AuthEnc: K ⨉ M → Ck is an randomized “authenticated encryption” algorithm;
AuthDec: K ⨉ C’ → M∪{⊥} is a deterministic “decryption” algorithm.
invalid ciphertext flag
K is the key space
M is the message space
Ck is the ciphertext space
C’ is a superset of C
(the set of possible keys)
(the set of possible messages)
(the set of possible ciphertexts under the key k)
(the set of things that look like possible ciphertexts)
Intuitively, 1C 1 << 1C’1 and given c∈C’ it should be hard to tell if c∈Ck

25. Correctness for authenticated encryption
Intuitively: Correctness is the property of being able to decrypt “properly encrypted” messages (given the correct key)
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) with key space K and message space M is correct if ∀k ∈ K and ∀m ∈ M ,
Pr[ AuthDeck( AuthEnck(m) ) = m ]= 1
and, ∀c ∈ C’ \ Ck,
Pr[AuthDeck(c) = ⊥]= 1

26. Ciphertext integrity game
Challenger (C)
Forger (A)
1 s
1 s
k ← Gen(1 s) m1
m1 ∈ M c1
c1 ← AuthEnck(m1) m2
m2 ∈ M c2
c2 ← AuthEnck(m2) ⋮ mn
mn ∈ M cn
cn ← AuthEnck(mn)
c ∈ C’ \ {c1,…,cn}
Define A’s advantage to be AdvCI(A) := 1 Deck(c) ≠ ⊥1

27. Unforgeable authenticated encryption
Defn: An authenticated encryption scheme (Gen, AuthEnc, AuthDec) is existentially unforgeable under adaptive chosen plaintext attacks if, for every PPT attacker A, there exists a negligible function 𝜀:ℕ→ ℝ + such that AdvCI(A) ≤ 𝜀(s).

28. Achieving IND-CCA2 security
Thm: If (Gen, AuthEnc, AuthDec) is an authenticated encryption scheme that
(i) is existentially unforgeable under adaptive chosen message attacks, and
(ii) has indistinguishable multiple encryptions under adaptive chosen plaintext attacks,
then (Gen, AuthEnc, AuthDec) is IND-CCA2 secure.
Idea: Construct an IND-CCA2 secure scheme by making an IND-CPA secure scheme unforgeable using a MAC scheme!

29. Encrypt-and-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme
(GenM, MAC, Verify) is an existentially unforgeable MAC
Gen(1s) outputs k=(kE, kM) where kE←GenE(1s) and kM ←GenM(1s)
AuthEnck(m) outputs (c, t) where c←EnckE(m) and t←MACkM(m)
AuthDeck(c, t) computes m’←DeckE(c) and outputs m’ if VerifykM(m, t)=1 and ⊥ otherwise

30. MAC-then-encrypt
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme
(GenM, MAC, Verify) is an existentially unforgeable MAC
Gen(1s) outputs k=(kE, kM) where kE←GenE(1s) and kM ←GenM(1s)
AuthEnck(m) outputs c←EnckE(m 11 t) where t←MACkM(m)
AuthDeck(c) computes m’ 11 t’←DeckE(c) and outputs m’ if VerifykM(m’, t’)=1 and ⊥ otherwise

31. Encrypt-then-MAC
(GenE, Enc, Dec) is an IND-CPA secure encryption scheme
(GenM, MAC, Verify) is an existentially unforgeable MAC
Gen(1s) outputs k=(kE, kM) where kE←GenE(1s) and kM ←GenM(1s)
AuthEnck(m) outputs (c, t) where c←EnckE(m) and t←MACkM(c)
AuthDeck(c, t) outputs m’←DeckE(c) if VerifykM(c, t)=1 and ⊥ otherwise

32. Security of MAC+encryption constructions
Secrecy
Integrity
Composition method
IND-CPA
IND-CCA
Plaintext
Ciphertext x x x
Encrypt-and-MAC x
MAC-then-Encrypt x x x
Encrypt-then-MAC
strongly unforgeable MAC
weakly unforgeable MAC

33. That’s all for today, folks!