Cryptography Lecture 12 Arpita Patra © Arpita Patra.

1 Cryptography Lecture 12 Arpita Patra © Arpita Patra

2 Recall
- Security definitions of MAC: cma, strong cma, cmva, strong cmva
- Construction from a PRF
- Domain extension: how to find a tag for a long message; CBC-MAC
- Authenticated Encryption (AE): message privacy + integrity
  - Definition
  - Construction of AE from a cpa-secure SKE + an scma-secure MAC

3 Today's Goal
- Authenticated Encryption (AE)
  - Construction of AE from a cpa-secure SKE + an scma-secure MAC: proof
  - AE → cca-secure SKE
- Looking back and ahead

4 Authenticated Encryption
Π = (Gen, Enc, Dec) is an authenticated encryption if
- Π = (Gen, Enc, Dec) is cpa-secure, AND
- Π = (Gen, Enc, Dec) has ciphertext integrity (it is hard to come up with a ciphertext that has a valid decryption, even after sufficient training).

5 AE: Encrypt then Authenticate
Let E = (Enc, Dec) be a cpa-secure SKE and M = (Mac, Vrfy) an scma-secure MAC. Π' = (Gen', Enc', Dec') is the following authenticated encryption:
- Gen'(1^n): kE ←R {0,1}^n, kM ←R {0,1}^n (two independent keys)
- Enc'_{kE,kM}(m): c ← Enc_kE(m); t ← Mac_kM(c); output (c, t)
- Dec'_{kE,kM}(c, t): if Vrfy_kM(c, t) = 0 output ⊥; else output m := Dec_kE(c)

Lemma: If E is cpa-secure then Π' is cpa-secure.
Proof sketch (reduction): an adversary A' with non-negligible advantage in the cpa game for Π' gives an adversary A with the same advantage in the cpa game for E. A picks kM itself; kE is the key of A's own oracle.
- Training phase: A' submits m_i; A forwards m_i to its encryption oracle, receives c_i, computes t_i ← Mac_kM(c_i) and returns (c_i, t_i) to A'.
- Challenge: A' outputs (m0, m1); A forwards them and receives c* ← Enc_kE(m_b); A computes t* ← Mac_kM(c*) and returns (c*, t*).
- A second training phase is answered in the same way; finally A outputs the bit b' that A' outputs.
A's view of A' is exactly the cpa game for Π', so A's advantage is non-negligible whenever A' 's is.

6 Ciphertext Integrity Experiment
Experiment CI_{A,Π}(n), for Π = (Gen, Enc, Dec) and a PPT attacker A:
- k ← Gen(1^n)
- A gets oracle access to Enc_k(·): it submits messages and receives ciphertexts; let Q = {c1, …, ct} be the set of ciphertexts returned by the oracle
- A outputs a ciphertext c ("I can forge")
- Game output ("Let me verify"): 1 if Dec_k(c) = m ≠ ⊥ and c ∉ Q; 0 if Dec_k(c) = ⊥ or c ∈ Q

Π has ciphertext integrity if for every PPT A: Pr[CI_{A,Π}(n) = 1] ≤ negl(n).

7 AE: Encrypt then Authenticate
Same Π' = (Gen', Enc', Dec') as on slide 5, built from a cpa-secure SKE E = (Enc, Dec) and an scma-secure MAC M = (Mac, Vrfy):
- Gen'(1^n): kE ←R {0,1}^n, kM ←R {0,1}^n
- Enc'(m): c ← Enc_kE(m); t ← Mac_kM(c); output (c, t)
- Dec'(c, t): if Vrfy_kM(c, t) = 0 output ⊥; else output m := Dec_kE(c)

Lemma: If M is scma-secure then Π' has ciphertext integrity.
Proof sketch (reduction): an adversary A with non-negligible advantage in the CI game for Π' gives an adversary A_M with non-negligible advantage in the scma game for M. A_M picks kE itself; kM is the key of A_M's Mac oracle.
- Training phase: A submits m_i; A_M computes c_i ← Enc_kE(m_i), queries its Mac oracle to get t_i ← Mac_kM(c_i), and returns (c_i, t_i) to A.
- A outputs (c*, t*) ∉ {(c1, t1), …, (cq, tq)} with Dec'_{kE,kM}(c*, t*) ≠ ⊥. Then Vrfy_kM(c*, t*) = 1, and A_M outputs (c*, t*) as its forgery.
- The pair (c*, t*) is new, so it is a valid forgery in the strong cma game.
Why strong cma is needed: the adversary may be good at finding a different ciphertext (c*, t*) for the same message c* it queried before, i.e. a new tag for an old c*. Such a (c*, t*) is valid for Π' and corresponds to the same m, yet it is not a forgery in the plain cma game.

Food for thought: Does a similar reduction hold for authenticate-then-encrypt?
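As an added example that is not part of the lecture, the Π' of slides 5–7 in Python with only standard-library primitives: the cpa-secure SKE is counter mode using HMAC-SHA256 as the PRF (assumed cpa-secure), the scma-secure MAC is HMAC-SHA256, keys are independent, and ae_dec plays Dec', returning None for ⊥. The names gen, ske_enc, ske_dec, ae_enc, ae_dec and demo are this example's own.

```python
import hmac, hashlib, os

# Constructed example (not the lecture's code): encrypt-then-authenticate.
NONCE_LEN = 16

def gen(n=32):
    """Gen'(1^n): two independent keys kE (encryption) and kM (MAC)."""
    return os.urandom(n), os.urandom(n)

def _keystream(k_e, nonce, length):
    # PRF-based counter mode: block i = HMAC(kE, nonce || i)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_e, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def ske_enc(k_e, m, nonce=None):
    """Enc_kE(m): fresh random nonce, XOR with the keystream."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(k_e, nonce, len(m))))

def ske_dec(k_e, c):
    """Dec_kE(c): counter mode decrypts the same way it encrypts."""
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(k_e, nonce, len(body))))

def ae_enc(k_e, k_m, m):
    """Enc'(m): c <- Enc_kE(m); t <- Mac_kM(c); output (c, t)."""
    c = ske_enc(k_e, m)
    return c, hmac.new(k_m, c, hashlib.sha256).digest()

def ae_dec(k_e, k_m, c, t):
    """Dec'(c, t): verify the tag over c first; None stands for ⊥."""
    if not hmac.compare_digest(hmac.new(k_m, c, hashlib.sha256).digest(), t):
        return None
    return ske_dec(k_e, c)

def demo():
    """Honest decryption succeeds; a modified ciphertext (c ∉ Q) is rejected."""
    k_e, k_m = gen()
    c, t = ae_enc(k_e, k_m, b"hello lecture 12")
    honest = ae_dec(k_e, k_m, c, t)
    tampered = bytearray(c)
    tampered[-1] ^= 0x01          # one bit flipped, tag unchanged
    return honest, ae_dec(k_e, k_m, bytes(tampered), t)
```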

8 Need for Independent Keys
Same Π' = (Gen', Enc', Dec') as on slide 5: Gen' picks kE ←R {0,1}^n and kM ←R {0,1}^n; Enc'(m) outputs (c ← Enc_kE(m), t ← Mac_kM(c)); Dec'(c, t) outputs ⊥ if Vrfy_kM(c, t) = 0 and m := Dec_kE(c) otherwise.

What if the two keys are the same? Assume kE = kM = k, and let F be a strong pseudorandom permutation (SPRP) on {0,1}^n.
- E: to encrypt m ∈ {0,1}^{n/2}, select a random r ∈ {0,1}^{n/2} and output c ← F_k(m || r). This E is cca-secure!
- M: to authenticate c ∈ {0,1}^n, output the tag t := F_k^{-1}(c). If F is a PRP then so is F^{-1}, so M is scma-secure.
- With kE = kM = k: Enc'_k(m) = Mac_k(Enc_k(m)) = F_k^{-1}(F_k(m || r)) = m || r. The tag reveals the message.

Does this mean that the encrypt-then-authenticate approach is insecure? No, it is secure provided the encryption and MAC keys are independent.
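Added example, not from the lecture, of the key-reuse failure above: F_k is a 4-round Feistel permutation whose round function is HMAC-SHA256 (assumed a PRF; four such rounds give an SPRP by Luby–Rackoff), E encrypts m || r under F_k, M tags with F_k^{-1}, and leaks_message checks whether the tag's first n/2 bits equal m. The functions F, F_inv, enc, mac, enc_then_mac and leaks_message are this example's own names.

```python
import hmac, hashlib, os

# Constructed example (not the lecture's code). n = 2 * HALF bytes.
HALF = 16

def _round(k, i, x):
    # round function f_i(x): HMAC-SHA256 keyed by k, domain-separated by i
    return hmac.new(k, bytes([i]) + x, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(k, block):
    """F_k: 4-round Feistel permutation on {0,1}^n."""
    L, R = block[:HALF], block[HALF:]
    for i in range(4):
        L, R = R, _xor(L, _round(k, i, R))
    return L + R

def F_inv(k, block):
    """F_k^{-1}: undo the rounds in reverse order."""
    L, R = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(k, i, L)), L
    return L + R

def enc(k_e, m, r=None):
    """E: c <- F_kE(m || r) with m, r each n/2 bits (r random unless given)."""
    r = os.urandom(HALF) if r is None else r
    return F(k_e, m + r)

def mac(k_m, c):
    """M: t := F_kM^{-1}(c)."""
    return F_inv(k_m, c)

def enc_then_mac(k_e, k_m, m, r=None):
    """Enc' for Π': (c, t) with c <- Enc_kE(m), t <- Mac_kM(c)."""
    c = enc(k_e, m, r)
    return c, mac(k_m, c)

def leaks_message(m, tag):
    """True iff the tag starts with m, i.e. tag = m || r as on the slide."""
    return tag[:HALF] == m
```

With kE = kM the returned tag is exactly m || r; with independent keys it is F_kM^{-1}(F_kE(m || r)), which is unrelated to m.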

9 Every AE is cca-secure Theorem: Every Authenticated Encryption is cca-secure Proof: On the board.

10 Authenticated Encryption ⇒ CCA-security
Setup of the proof. For simplicity and without loss of generality, we assume that the attacker queries the decryption oracle only for ciphertexts not returned by the encryption oracle (for ciphertexts it did receive, the decryption oracle would return plaintexts the attacker already knows). The two cca games, with challenge bit b = 0 and b = 1:
- encryption queries M1, …, Mq are answered by C1, …, Cq
- decryption queries C*1, …, C*q are answered by M*1, …, M*q
- challenge: the attacker sends m0, m1 and receives c ← Enc_k(m0) (b = 0) or c ← Enc_k(m1) (b = 1)
- the attacker outputs b'; we compare Pr[b' = 1] in the two games

11 Authenticated Encryption ⇒ CCA-security
Since the encryption scheme is authenticated, the attacker cannot create a "new" ciphertext (one not received from the encryption oracle) whose decryption the oracle accepts: that would violate ciphertext integrity. So in the b = 0 game we may replace the decryption oracle's answers M*1, …, M*q by ⊥, …, ⊥; Pr[b' = 1] changes by at most a negligible amount.

12 Authenticated Encryption ⇒ CCA-security
Due to the same argument (ciphertext integrity), the decryption answers in the b = 1 game can also be replaced by ⊥, …, ⊥ with only a negligible change in Pr[b' = 1].

13 Authenticated Encryption ⇒ CCA-security
In both modified games the decryption queries are "useless" for the attacker: every answer is ⊥, so the attacker gains nothing from the decryption oracle and could answer its own queries itself.

14 Authenticated Encryption ⇒ CCA-security
Dropping the decryption oracle leaves the cpa game for the scheme, with challenge c ← Enc_k(m0) versus c ← Enc_k(m1). Since the scheme is an authenticated encryption it is cpa-secure, so Pr[b' = 1] differs by a negligible amount between these two games.

15 Authenticated Encryption ⇒ CCA-security
Chaining the steps: cca game with b = 0 ≈ modified game with b = 0 (slide 11) ≈ cpa game with b = 0 (slide 13) ≈ cpa game with b = 1 (slide 14) ≈ modified game with b = 1 ≈ cca game with b = 1 (slide 12), each ≈ hiding a negligible difference. Hence the attacker's cca advantage is negligible.

16 CCA-security vs Authenticated Encryption
- Every authenticated encryption scheme is also a cca-secure cipher. What about the converse? There are encryption schemes which are only cca-secure (assignment problem).
- Conceptually the goals of CCA-security and authenticated encryption are different:
  - CCA-security: the aim is to achieve only privacy, even if an attacker disrupts the communication
  - Authenticated encryption: the aim is to achieve both privacy and integrity
- Which is more efficient?
  - In the symmetric-key world both are almost equivalent: no reason to use just a cca-secure scheme (instead of an authenticated encryption) if the major concern is efficiency
  - In the public-key world the difference is more pronounced
- Depending upon the application, one needs to determine whether to go for CCA-security or authenticated encryption

17 Different Definitions of AE
Definition 1:
- cca security, plus
- weak ciphertext integrity / unforgeability: the adversary cannot come up with a ciphertext for a message that he has not queried before. This does not rule out the adversary's ability to come up with a valid ciphertext for a message that he has queried before.
- cca security: the implication is explicit.

Definition 2 (KL):
- cpa security, plus
- ciphertext integrity: the adversary cannot come up with a valid ciphertext for ANY message. This implies that if the receiver has received a valid ciphertext, it is THE ciphertext sent by the sender.
- cca security: the implication is NOT explicit and not trivial; it needs a proof.

CT14 (for two): The authenticate-then-encrypt approach instantiated with a cpa-secure SKE and a cma-secure MAC yields a cpa-secure scheme with WEAK ciphertext integrity.
CT15 (for two): F: SPRP, m: n/2 bits, k: n bits, c = F_k(m || r), r: n/2-bit random string. Prove cca-security. Prove that it is not secure according to Definition 2 of AE.
