Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic 11: Authenticated Encryption + CCA-Security

Published byCurtis Harry Sparks Modified over 5 years ago

Similar presentations

Presentation on theme: "Topic 11: Authenticated Encryption + CCA-Security"— Presentation transcript:

1 Topic 11: Authenticated Encryption + CCA-Security
Cryptography CS 555 Topic 11: Authenticated Encryption + CCA-Security

2 Recap Message Authentication Codes Secrecy vs Confidentiality
Today’s Goals: Authenticated Encryption Build Authenticated Encryption Scheme with CCA-Security

3 Authenticated Encryption
Encryption: Hides a message from the attacker Message Authentication Codes: Prevents attacker from tampering with message

4 Unforgeable Encryption Experiment ( Encforge 𝐴,Π (𝑛))
c1 = EncK(m1) m2 c2 = EncK (m2) mq cq = EncK(mq) 𝑐 s.t 𝑐∉ 𝑐1,…,cq Encforge 𝐴,Π 𝑛 =1 if Deck 𝑐 ≠⊥ K = Gen(.) ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr Encforge 𝐴,Π 𝑛 =1 ≤𝜇(𝑛)

5 Unforgeable Encryption Experiment ( Encforge 𝐴,Π (𝑛))
c1 = EncK(m1) m2 Call Π an authenticated encryption scheme if it is CCA-secure and any PPT attacker wins Encforge with negligible probability c2 = EncK (m2) Game is very similar to MAC-Forge game mq cq = EncK(mq) 𝑐 s.t 𝑐∉ 𝑐1,…,cq Encforge 𝐴,Π 𝑛 =1 if Deck 𝑐 ≠⊥ K = Gen(.) ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr Encforge 𝐴,Π 𝑛 =1 ≤𝜇(𝑛)

6 Building Authenticated Encryption
Attempt 1: Let Enc 𝐾 ′ 𝑚 be a CPA-Secure encryption scheme and let Mac 𝐾 ′ 𝑚 be a secure MAC 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 ′ 𝑚 , Mac 𝐾 ′ 𝑚 Any problems? Enc 𝐾 ′ 𝑚 = 𝑟, 𝐹 𝑘 𝑟 ⨁𝑚 Mac 𝐾 ′ 𝑚 = 𝐹 𝑘 𝑚

7 Building Authenticated Encryption
Attempt 1: 𝐸𝑛𝑐 𝐾 𝑚 = 𝑟, 𝐹 𝑘 𝑟 ⨁𝑚, 𝐹 𝑘 𝑚 CPA-Attack: Intercept ciphertext c 𝑐= 𝐸𝑛𝑐 𝐾 𝑚 = 𝑟, 𝐹 𝑘 𝑟 ⨁𝑚, 𝐹 𝑘 𝑚 Ask to encrypt r 𝑐𝑟= 𝐸𝑛𝑐 𝐾 𝑟 = 𝑟′, 𝐹 𝑘 𝑟′ ⨁𝑟, 𝐹 𝑘 𝑟 𝑚= 𝐹 𝑘 𝑟 ⨁ 𝐹 𝑘 𝑟 ⨁𝑚

8 Building Authenticated Encryption
Attempt 1: Let Enc 𝐾 ′ 𝑚 be a CPA-Secure encryption scheme and let Mac 𝐾 ′ 𝑚 be a secure MAC 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 ′ 𝑚 , Mac 𝐾 ′ 𝑚 Attack exploited fact that same secret key used for MAC’/Enc’

9 Independent Key Principle
“different instances of cryptographic primitives should always use independent keys”

10 Building Authenticated Encryption
Attempt 2: (Encrypt-and-Authenticate) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA- Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Let 𝐾= 𝐾 𝐸 , 𝐾 𝑀 then 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 𝐸 ′ 𝑚 , Mac 𝐾 𝑀 ′ 𝑚 Any problems? Enc 𝐾 𝐸 ′ 𝑚 = 𝑟, 𝐹 𝐾 𝐸 𝑟 ⨁𝑚 Mac 𝐾 𝑀 ′ 𝑚 = 𝐹 𝐾 𝑀 𝑚

11 Building Authenticated Encryption
Attempt 2: 𝐸𝑛𝑐 𝐾 𝑚 = 𝑟, 𝐹 𝐾 𝐸 𝑟 ⨁𝑚, 𝐹 𝐾 𝑀 𝑚 CPA-Attack: Select m0,m1 Obtain ciphertext c 𝑐= 𝑟, 𝐹 𝐾 𝐸 𝑟 ⨁𝑚𝑏, 𝐹 𝐾 𝑀 𝑚𝑏 Ask to encrypt m0 𝑐𝑟= 𝑟′, 𝐹 𝐾 𝐸 𝑟′ ⨁𝑚0, 𝐹 𝐾 𝑀 𝑚0 𝐹 𝐾 𝑀 𝑚0 =? 𝐹 𝐾 𝑀 𝑚𝑏

12 Building Authenticated Encryption
Attempt 2: 𝐸𝑛𝑐 𝐾 𝑚 = 𝑟, 𝐹 𝐾 𝐸 𝑟 ⨁𝑚, 𝐹 𝐾 𝑀 𝑚 CPA-Attack: Select m0,m1 Obtain ciphertext c 𝑐= 𝑟, 𝐹 𝐾 𝐸 𝑟 ⨁𝑚𝑏, 𝐹 𝐾 𝑀 𝑚𝑏 Ask to encrypt m0 𝑐𝑟= 𝑟′, 𝐹 𝐾 𝐸 𝑟′ ⨁𝑚0, 𝐹 𝐾 𝑀 𝑚0 𝐹 𝐾 𝑀 𝑚0 =? 𝐹 𝐾 𝑀 𝑚𝑏 Encrypt and Authenticate Paradigm does not work in general

13 Building Authenticated Encryption
Attempt 3: (Authenticate-then-encrypt) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA- Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Let 𝐾= 𝐾 𝐸 , 𝐾 𝑀 then 𝐸𝑛𝑐 𝐾 𝑚 = Enc 𝐾 𝐸 ′ 𝑚∥𝑡 , where t=Mac 𝐾 𝑀 ′ 𝑚 Doesn’t necessarily work: See textbook

14 Building Authenticated Encryption
Attempt 4: (Encrypt-then-authenticate) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA-Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Let 𝐾= 𝐾 𝐸 , 𝐾 𝑀 then 𝐸𝑛𝑐 𝐾 𝑚 = c, Mac 𝐾 𝑀 ′ c where c=Enc 𝐾 𝐸 ′ 𝑚 Secure?

15 Building Authenticated Encryption
Theorem: (Encrypt-then-authenticate) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA-Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Then the following construction is an authenticated encryption scheme. 𝐸𝑛𝑐 𝐾 𝑚 = c, Mac 𝐾 𝑀 ′ c where c=Enc 𝐾 𝐸 ′ 𝑚 Proof? Two Tasks: Encforge 𝐴,Π CCA-Security

16 Building Authenticated Encryption
Theorem: (Encrypt-then-authenticate) Let Enc 𝐾 𝐸 ′ 𝑚 be a CPA-Secure encryption scheme and let Mac 𝐾 𝑀 ′ 𝑚 be a secure MAC. Then the following construction is an authenticated encryption scheme. 𝐸𝑛𝑐 𝐾 𝑚 = c, Mac 𝐾 𝑀 ′ c where c=Enc 𝐾 𝐸 ′ 𝑚 Proof Intuition: Suppose that we have already shown that any PPT attacker wins Encforge 𝐴,Π with negligible probability. Why does CCA-Security now follow from CPA-Security? CCA-Attacker has decryption oracle, but cannot exploit it! Why? Always sees ⊥ “invalid ciphertext” when he query with unseen ciphertext

17 Proof Sketch Let ValidDecQuery be event that attacker submits new/valid ciphertext to decryption oracle Show Pr[ValidDecQuery] is negl(n) for any PPT attacker Hint: Follows from strong security of MAC since 𝐸𝑛𝑐 𝐾 𝑚 = c, Mac 𝐾 𝑀 ′ c This also implies unforgeability. Show that attacker who does not issue valid decryption query wins CCA- security game with probability ½ + negl(n) Hint: otherwise we can use A to break CPA-security Hint 2: simulate decryption oracle by always returning ⊥ when given new ciphertext

18 Secure Communication Session
Solution? Alice transmits c1 = EncK(m1) to Bob, who decrypts and sends Alice c2 = EncK(m2) etc… Authenticated Encryption scheme is Stateless For fixed length-messages We still need to worry about Re-ordering attacks Alice sends 2n-bit message to Bob as c1 = EncK(m1), c2 = EncK(m2) Replay Attacks Attacker who intercepts message c1 = EncK(m1) can replay this message later in the conversation Reflection Attack Attacker intercepts message c1 = EncK(m1) sent from Alice to Bob and replays to c1 Alice only

19 Secure Communication Session
Defense Counters (CTRA,B,CTRB,A) Number of messages sent from Alice to Bob (CTRA,B) --- initially 0 Number of messages sent from Bob to Alice (CTRB,A) --- initially 0 Protects against Re-ordering and Replay attacks Directionality Bit bA,B = 0 and bB,A = 1 (e.g., since A < B) Alice: To send m to Bob, set c=EncK(bA,B ∥ CTRA,B ∥m), send c and increment CTRA,B Bob: Decrypts c, (if ⊥ then reject), obtain b ∥ CTR ∥m If CTR≠ CTRA,B or b≠bA,B then reject Otherwise, output m and increment CTRA,B

20 Authenticated Security vs CCA-Security
Authenticated Encryption  CCA-Security (by definition) CCA-Security does not necessarily imply Authenticate Encryption But most natural CCA-Secure constructions are also Authenticated Encryption Schemes Some constructions are CCA-Secure, but do not provide Authenticated Encryptions, but they are less efficient. Conceptual Distinction CCA-Security the goal is secrecy (hide message from active adversary) Authenticated Encryption: the goal is integrity + secrecy

21 Next Class Read Katz and Lindell 5.1-5.2 Cryptographic Hash Functions
Homework 2 Assigned

Download ppt "Topic 11: Authenticated Encryption + CCA-Security"

Similar presentations

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
8. Data Integrity Techniques

8. Data Integrity Techniques
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)

CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.

Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.

1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cryptography Lecture 9 Arpita Patra © Arpita Patra.

Cryptography Lecture 9 Arpita Patra © Arpita Patra.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:

Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Topic 36: Zero-Knowledge Proofs

Topic 36: Zero-Knowledge Proofs

Similar presentations

Ads by Google