--------------------------------------------------------------------------
CSE 227 - Lecture 5 - October 29, 2001
--------------------------------------------------------------------------

Announcements:

(1) Next week's class shortened: 6-8 pm (no break). I have a plane to catch.

(2) Projects - read some paper not assigned but you needn't do a writeup.
    Bring the paper you read (must be a provable-security paper) to our
    "final discussion" and we'll spend some time (x mins, maybe 0)
    discussing it and some time (30-x) discussing course material that I
    choose. When you do the signup I'll ask you for the paper.
    Signups: Thursday, Nov 29 (week 9) - won't cover lect 10
             Thursday, Dec 13 (finals week)

________________________________________________________________

Last time:
  o notions of sym encryption

Today: Sym encryption, lecture 2 of 2

  0. Review the notions: lr, rr, fg; sem
  1. Using the definition to break schemes
       ECB, CBC-CTRIV, CBC-chainedIV
  2. Some equivalences
       2.1 lr -> rr
       2.2 rr -> lr
       2.3 rr -> fg
       2.4 fg -> rr
  3. Security of CTRC mode
  4. Security of CBC$ mode
       4.1 ind$-cpa -> rr
       4.2 the BAD-event approach
       4.3 Proof sketch
  5. CCA-security
  6. Non-malleability
       6.1 Definition
       6.2 Claim: ind-cca <==> nm-cca <==> nm-cpa
       6.3 Prove: --->

_____________________________________________________________________________

0. Review

Enc scheme syntax  Pi = (\K, \E, \D)
  \E_K: {0,1}^* -> {0,1}^*   probabilistic or stateful

  * Adv^rr_Pi(A) = Pr[K <- \K: A^{E_K(.)} = 1] - Pr[K <- \K: A^{E_K($^|.|)} = 1]

  * Adv^lr_Pi(A) = Pr[K <- \K: A^{left_K(.,.)} = 1] - Pr[K <- \K: A^{right_K(.,.)} = 1]

  * Adv^fg_Pi(A) = 2 Pr[K <- \K; (M_0, M_1, s) <- A^{E_K}(find); b <- {0,1};
                        C <- E_K(M_b): A^{E_K}(guess, s, C) = b] - 1

  * Semantic security: "whatever you can know about the plaintext given the
    ciphertext you can know just as well in the ABSENCE of the ciphertext"

    Adv^sem_Pi(A) = Pr[K <- \K; (\M, f, s) <- A^{E_K}(select); M <- \M;
                       C <- E_K(M): A^{E_K}(predict, C, s) = f(M)]
                  - Pr[K <- \K; (\M, f, s) <- A^{E_K}(select); M, M' <- \M;
                       C <- E_K(M'): A^{E_K}(predict, C, s) = f(M)]

    (all messages output by \M have the same length)

Claim: "equivalence" of all these notions.

_____________________________________________________________________________

1. Using the definition to break schemes

Break the following in the rr-sense. Then go back and break them in the lr-sense.

  ECB
  Arbitrary deterministic scheme: ask (0, 1), (0, 2)
  CBC-counter-IV
  CBC-chained-with-last-block

_____________________________________________________________________________

2. Some equivalences

2.1. lr -> rr

Let Arr be an adversary that breaks Pi = (K, E, D) in the rr-sense.
Construct an adversary Alr that breaks Pi in the lr-sense.

Definition of Alr^{f(.,.)}
--------------------------
  Run Arr^g
  When Arr makes an oracle query g(X):
      Choose a random X' of the same length as X.
      Y = f(X, X')
      return Y
  When Arr outputs a bit b, output b.

2.2. rr -> lr

Let Alr be an adversary that breaks Pi = (K, E, D) in the lr-sense.
Construct an adversary Arr that breaks Pi in the rr-sense.

Three worlds for Alr:

  X  ---- p = Pr[K <-$ \K: Alr^{left_K(.,.)} = 1]   (oracle encrypts the left query X)
  $  ---- r = Pr[K <-$ \K: Alr^{$(.,.)} = 1]         (oracle encrypts a random string of the length of the two queries)
  X' ---- q = Pr[K <-$ \K: Alr^{right_K(.,.)} = 1]  (oracle encrypts the right query X')

  e = p - q = (p - r) + (r - q),  so  p - r >= e/2  or  r - q >= e/2.

Definition of Arr^{g(.)}, first case   |  Definition of Arr^{g(.)}, second case
---------------------------------------|----------------------------------------
  Run Alr^f                            |    Run Alr^f
  When Alr queries f(X, X'):           |    When Alr queries f(X, X'):
      return g(X)                      |        return g(X')
  When Alr outputs b:                  |    When Alr outputs b:
      output b                         |        output 1 - b

2.3. rr -> fg

If Pi is secure in the rr-sense then Pi is secure in the fg-sense.
Suppose there was an adversary FG that attacks Pi in the fg-sense.
Then there would be an adversary RR that attacks Pi in the rr-sense.

Definition of RR^g
------------------
  Run FG^f(find)
  When FG makes a query x of f, answer with g(x).
  When FG outputs (M_0, M_1, s):
      b <- {0,1}
      C <- g(M_b)
  Run FG^f(guess, C, s)
  When FG makes a query x of f, answer with g(x).
  When FG outputs a bit b':
      if b = b' then return 1     // guess "real"
      else return 0               // guess "fake"

Analysis of RR^g
----------------
Suppose that g is instantiated by a "real" encryption oracle. This perfectly
simulates FG's "native" environment:

  Pr[RR^{E_K(.)} = 1] = Pr[K <- \K; (M_0, M_1, s) <- FG^{E_K}(find); b <- {0,1};
                           C <- E_K(M_b): FG^{E_K}(guess, C, s) = b]

If g is instantiated by a "fake" encryption oracle, C is independent of b, so

  Pr[RR^{E_K($^|.|)} = 1] = 1/2

So

  Adv^rr(RR) = Pr[RR^{E_K(.)} = 1] - Pr[RR^{E_K($^|.|)} = 1]
             = Pr[K <- \K; (M_0, M_1, s) <- FG^{E_K}(find); b <- {0,1};
                  C <- E_K(M_b): FG^{E_K}(guess, C, s) = b] - 1/2

and

  2 Adv^rr(RR) = 2 Pr[K <- \K; (M_0, M_1, s) <- FG^{E_K}(find); b <- {0,1};
                      C <- E_K(M_b): FG^{E_K}(guess, C, s) = b] - 1
               = Adv^fg(FG)

i.e. Adv^rr(RR) = Adv^fg(FG) / 2.

2.4. fg -> rr  (but in a weaker way!!)

If Pi is secure in the fg-sense then Pi is secure in the rr-sense.

Suppose there is an adversary RR that attacks Pi in the rr-sense.
Then there is an adversary FG that attacks Pi in the fg-sense.

Idea: RR makes q queries to g. Use hybrid oracles that answer the first j
queries randomly and the next q-j queries for real (shown for q = 4):

    p_0 :  real  real  real  real      <-- all real      __
    p_1 :   $    real  real  real                          \   gap
    p_2 :   $     $    real  real                          /   p_0 - p_q
    p_3 :   $     $     $    real                        __/
    p_4 :   $     $     $     $        <-- all random

  p_j = Pr[RR outputs 1 when the first j answers are random and the next q-j are real]

  p_0 - p_q > delta, so there is some j (0 <= j < q) with p_j - p_{j+1} > delta/q.
  In fact, for a random j, E[p_j - p_{j+1}] > delta/q.

Definition of FG^f   (0 <= j <= q-1)
--------------------------------------
FG^f(find):
  choose j at random from {0..q-1}
  Run RR^g:
  When RR makes its i'th query x_i of g:
      * if i <= j, return y_i <- f($^{|x_i|})
      * if i = j+1, we are done with the find-stage.
        Output (M_0, M_1, s) <- ($^{|x_i|}, x_i, current state of RR)
        // The challenger sets C <- E_K(M_b) for a random bit b; we see neither b nor K.
        // C encrypts x_i (real oracle): RR sees the p_j hybrid.
        // C encrypts $^{|x_i|} (random oracle): RR sees the p_{j+1} hybrid.

FG^f(guess, C, s):
  Restore RR to state s. RR just asked query x_{j+1}. Return C to RR.
  Continue running RR. When RR makes subsequent queries x_i of g, return f(x_i).
  When RR outputs a bit b', output b'.

Analysis of FG^f
----------------
You get the idea...

------------------------------------------------------------------------
3. Security of CTRC mode
------------------------------------------------------------------------
Prop (informal): Security of CTR-mode. If f is a secure PRP, CTR[f] is a
secure encryption scheme. Namely, if there is an adversary A that breaks
CTR[f], there is an adversary B that breaks f (in the prf-sense).
------------------------------------------------------------------------

Proof: Let A be an adversary that attacks CTR[f] in the rr-sense. We must
construct an adversary B that distinguishes the real PRF F_K from a random
function rho.

Common idea: first pretend that f were a RANDOM function. Argue that there
would be NO advantage:

  Pr[A^{CTR_rho(.)} = 1] = Pr[A^{CTR_rho($^|.|)} = 1] = Pr[A^{CTR_K($^|.|)} = 1]

no matter what A does -- because all it sees is the next counter and uniform
random bits.

Know: Pr[A^{CTR_K(.)} = 1] - Pr[A^{CTR_K($^|.|)} = 1] = delta

Algorithm B^f:
----------------
  Run A^CTR, simulating the encryption oracle CTR by using f.
  When A outputs a bit b, return b.
----------------

  Pr[B^{F_K} = 1] = Pr[A^{CTR_K(.)} = 1]
  Pr[B^rho = 1]   = Pr[A^{CTR_rho(.)} = 1] = Pr[A^{CTR_K($^|.|)} = 1]

So

  Adv^prf(B) = Pr[B^{F_K} = 1] - Pr[B^rho = 1]
             = Pr[A^{CTR_K(.)} = 1] - Pr[A^{CTR_K($^|.|)} = 1]
             = Adv^rr(A)

  Adv^rr(D) = Pr[A^{E_K(.)} = 1] - Pr[A^{\rho(.)} = 1] = Adv^prf(A) = Pr[RR^{E_K(.)} = 1] - Pr[RR^{\rho(.)} = 1]

------------------------------------------------------------------------------------------

4. Security of CBC$ mode
  4.1 ind$-cpa -> rr
  4.2 the BAD-event approach
  4.3 Proof sketch

When in doubt: prove something STRONGER than what you're after.
When in doubt: prove something WEAKER than what you're after.

4.1 ind$-cpa -> rr

  Adv^r$_Pi(A) = Pr[K <- \K: A^{E_K(.)} = 1] - Pr[K <- \K: A^{$^{|E_K(.)|}} = 1]

All schemes we're interested in actually have the structure |E_K(M)| = \ell(|M|),
so we can make that assumption if it looks simpler to you:

  Adv^r$_Pi(A) = Pr[K <- \K: A^{E_K(.)} = 1] - Pr[K <- \K: A^{$^{\ell(|.|)}} = 1]

rr --> r$ ?  NO. Consider an encryption scheme where ciphertexts always end in 0.

r$ --> rr ?  YES. Idea: argue directly for a change.

If Pi is secure in the r$-sense then Pi is secure in the rr-sense.

If Pi is r$-secure: for ANY reasonable adversary A,

  Pr[A^{E_K(.)} = 1] \approx Pr[A^$ = 1]                                        (1)

Fix A. Consider the corresponding adversary B that runs A, figures out what A
would ask, and then asks its oracle that many random bits. We know that
equation (1) holds for ANY adversary, so it holds for B. But then

  Pr[A^{E_K(.)} = 1] \approx Pr[A^$ = 1] \approx Pr[B^{E_K(.)} = 1] = Pr[A^{E_K($^|.|)} = 1].

More formally: for any A running in time t, making q queries of total length mu,

  | Pr[A^{E_K(.)} = 1] - Pr[A^$ = 1] | <= Adv^r$_Pi(t, q, mu)                     (2)
                                      <= Adv^r$_Pi(t + O(mu), q, mu)

For any A running in time t, making q queries of total length mu, let Ba be the
adversary we have described: time is t + O(mu), queries still q, length still mu:

  | Pr[Ba^{E_K(.)} = 1] - Pr[Ba^$ = 1] | <= Adv^r$_Pi(t + O(mu), q, mu)

But Ba with an E_K(.) oracle is just the same as A with an E_K($^|.|) oracle,
and Ba with a $(.) oracle is just the same as A with a $(.) oracle, so

  | Pr[A^{E_K($^|.|)} = 1] - Pr[A^$ = 1] | <= Adv^r$_Pi(t + O(mu), q, mu)         (3)

Thus, changing the second term in (2) to what (3) says is close to it:

  | Pr[A^{E_K(.)} = 1] - Pr[A^{E_K($^|.|)} = 1] | <= 2 Adv^r$_Pi(t + O(mu), q, mu)
                   ||
               Adv^rr(A)

-----------------------------------------------------------------
4.2 The BAD-event approach

Idea: illustrate with the pi, pi' homework example:

Let \Adv(A) = \Pr[\pi \getsr \Perm{n}: A^{\pi,\pi} = 1]
            - \Pr[\pi, \pi' \getsr \Perm{n}: A^{\pi,\pi'} = 1]

and let \Adv(qleft, qright) = max {\Adv(A)} over all adversaries that ask at
most qleft queries of the "left" oracle and qright queries of the "right"
oracle, never making the same query to both oracles (nor shall we allow the
adversary to repeat a query to a single oracle). Upper-bound \Adv(qleft, qright).
----------------------------------------------------------------------

The following simulates (pi, pi): "Game 1"     The following simulates (pi, pi'): "Game 2"
-------------------------------------------    -------------------------------------------
Init:     L = R = \emptyset                    Init:     L = R = \emptyset

left(X):  Y \getsr \complement{L \cup R}       left(X):  Y \getsr \complement{L}
          L = L \cup {Y}                                 L = L \cup {Y}
          return Y                                       return Y

right(X): Y \getsr \complement{L \cup R}       right(X): Y \getsr \complement{R}
          R = R \cup {Y}                                 R = R \cup {Y}
          return Y                                       return Y

Problem is, the two games above aren't yet of the right "form" to allow
BAD-event analysis. The trick is to "unify" the games into a common one, like this:

Init:     L = R = \emptyset

left(X):  Y \getsr \complement{L}
          if (Y \in R) and GAME1 then bad = \true, Y \getsr \complement{L \cup R}
          L = L \cup {Y}
          return Y

right(X): Y \getsr \complement{R}
          if (Y \in L) and GAME1 then bad = \true, Y \getsr \complement{L \cup R}
          R = R \cup {Y}
          return Y

Let BAD be the event that bad is set to true in the game above. There are q
opportunities for BAD to be set. Each time we choose a random point Y in a set
of size > 2^n - q, where at most 0 points are bad, 1 point is bad, 2 points are
bad, ..., q-1 points are bad. So

  Pr[bad gets set] <= (0 + 1 + 2 + ... + (q-1)) / (2^n - q) <= 0.5 q^2 / (2^n - q)

Assume q < 2^n / 2. Then Pr[bad gets set] <= q^2 / 2^n.

Question: can you squeeze another factor of 2 out?
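As an added simulation (my code, not part of the notes), the unified game above played with small n, so that Pr[BAD] and the two games' output probabilities can be measured against the bound q^2 / 2^n. The adversary asks its q/2 left queries first and then its right queries, and outputs 1 exactly when some left answer equals some right answer; the names play_unified_game, collision_adversary and estimate are mine.

```python
import random

def play_unified_game(queries, n, game1, rng):
    """One run of the unified pi/pi' game from the notes, on n-bit values.
    queries: sequence of 'left' / 'right' tags (the inputs X never matter:
    every answer is a fresh random point). Returns (answers, bad); only
    Game 1 (game1=True) ever sets bad."""
    size = 2 ** n
    L, R = set(), set()
    bad, answers = False, []
    for side in queries:
        own, other = (L, R) if side == 'left' else (R, L)
        Y = rng.randrange(size)
        while Y in own:                      # Y <-$ complement(own), by rejection sampling
            Y = rng.randrange(size)
        if Y in other and game1:             # the BAD event: resample from complement(L u R)
            bad = True
            while Y in L or Y in R:
                Y = rng.randrange(size)
        own.add(Y)
        answers.append((side, Y))
    return answers, bad

def collision_adversary(answers):
    """Output 1 iff a left answer equals a right answer: impossible against
    (pi, pi), possible against (pi, pi')."""
    lefts = {Y for side, Y in answers if side == 'left'}
    rights = {Y for side, Y in answers if side == 'right'}
    return 1 if lefts & rights else 0

def estimate(n=8, q=8, trials=4000, seed=2001):
    """Estimate Pr[A^Game1 = 1], Pr[A^Game2 = 1] and Pr[BAD] for q/2 left
    queries followed by q/2 right queries; compare with q^2 / 2^n."""
    rng = random.Random(seed)
    queries = ['left'] * (q // 2) + ['right'] * (q - q // 2)
    ones1 = ones2 = bads = 0
    for _ in range(trials):
        answers1, bad = play_unified_game(queries, n, True, rng)
        answers2, _ = play_unified_game(queries, n, False, rng)
        ones1 += collision_adversary(answers1)
        ones2 += collision_adversary(answers2)
        bads += bad
    return {"game1": ones1 / trials, "game2": ones2 / trials,
            "pr_bad": bads / trials, "bound": q * q / 2 ** n,
            # tighter count for this query order: each of the q/2 right queries
            # has at most q/2 bad points among at least 2^n - q candidates
            "left_then_right_bound": (q // 2) * (q - q // 2) / (2 ** n - q)}
```

With n = 8 and q = 8 the measured Pr[BAD] sits near 0.06, well inside the bound q^2 / 2^n = 0.25 and close to the left-then-right count of 16 / 248.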
Suppose the adversary asks q/2 left() queries and then the right() queries.

  Pr[A^{Game1} = 1] - Pr[A^{Game2} = 1] <= Pr[BAD]

WLOG A is deterministic. Let R be the coins used in the game and N the number
of possible coins.

  Pr[A^{Game1} = 1] - Pr[A^{Game2} = 1]
    = |{R: A^{Game1(R)} = 1}| / N - |{R: A^{Game2(R)} = 1}| / N
    = ( |{R: A^{Game1(R)} = 1 and A^{Game1(R)} does not cause bad = true}|     (a)
      + |{R: A^{Game1(R)} = 1 and A^{Game1(R)} causes bad = true}|
      - |{R: A^{Game2(R)} = 1 and A^{Game2(R)} does not cause bad = true}|     (a') identical to (a)
      - |{R: A^{Game2(R)} = 1 and A^{Game2(R)} causes bad = true}| ) / N      (b) zero
    = |{R: A^{Game1(R)} = 1 and A^{Game1(R)} causes bad = true}| / N
   <= |{R: A^{Game1(R)} causes bad = true}| / N
   <= Pr[bad gets set to true]

-----------------------------------------------------------------
4.3 Proof sketch

Now: want to show that the CBC$ oracle looks just like a $-oracle.

  Step 1: do it for a random function
  Step 2: pass to a PRF
  Step 3: invoke the switching lemma

Claim: If A asks at most q queries that total at most mn bits, then

  Pr[rho <- Rand(n,n): A^{CBC$_rho(.)} = 1] - Pr[A^$ = 1] <= (q+m)^2 / 2^{n+1}

Game 1: Real CBC$_rho                        Game 2: Random

Initialization: rho is a partial function from {0,1}^n -> {0,1}^n, initially
UNDEFINED at each domain point.

On input M[1] M[2] ... M[m] where |M[i]| = n:
  C[0] <-$ {0,1}^n
  for i = 1 to m do
      X[i] = C[i-1] xor M[i]
      C[i] <-$ {0,1}^n
      if game1 and rho(X[i]) is defined then bad = true, C[i] = rho(X[i])
      rho(X[i]) = C[i]
  return C[0] C[1] ... C[m]

Claim: Pr[bad gets set to true] <= q^2 / 2^{n+1}

----------------------------------------------------------------------
5. CCA-security

Explain the idea -- secure even if the adversary can DECRYPT chosen messages.
Huh? Lunchtime attack. Contrived. But wait.

Give the adversary E_K(LR(.,.,b)) and D_K(.). The adversary's job, as before,
is to distinguish b = 0 from b = 1, i.e.

  left_K(.,.) and D_K(.)   -vs-   right_K(.,.) and D_K(.)
Disallow decryption of C when C is the result of an earlier E_K(LR(.,.,b))
oracle query.

  Adv^{lr-cca}_Pi(A) = Pr[K <- \K: A^{left_K(.,.), D_K(.)} = 1]
                     - Pr[K <- \K: A^{right_K(.,.), D_K(.)} = 1]

6. Non-malleability

6.1 Definition

  Adv^{nm-cpa}_Pi(A) = Pr[K <- \K; (M, s) <- A(); x <- M; y <- E_K(x);
                          (R, y') <- A(M, s, y); x' <- D_K(y'): y' \ne y and R(x, x')]
                     - Pr[K <- \K; (M, s) <- A(); x, x* <- M; y <- E_K(x*);
                          (R, y') <- A(M, s, y); x' <- D_K(y'): y' \ne y and R(x, x')]

6.2 Claim: ind-cca <==> nm-cca <==> nm-cpa

6.3 Proof. Not hard, but can't absorb the new notions quickly enough to do this.
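An added example (my code, not part of the notes) of the lr-cca game from section 5 and of the kind of relation R(x, x') section 6 has in mind: one-block CBC$ is rr-secure but malleable, and an adversary that flips a plaintext bit through the IV wins the lr-cca game with advantage 1, because the mauled ciphertext is not a challenge and so D_K answers it. The Feistel "block cipher" (HMAC round function), the one-block CBC$ and every name here are constructed for the demo and are not a real cipher.

```python
import os, hmac, hashlib

N = 16   # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):
    """Toy 4-round Feistel PRP on one 16-byte block; round function is truncated
    HMAC-SHA256 (demo only).  Encrypt with rounds=range(4), decrypt with
    rounds=reversed(range(4)): the final swap makes the same loop its own inverse."""
    L, R = block[:N // 2], block[N // 2:]
    for r in rounds:
        F = hmac.new(key, bytes([r]) + R, hashlib.sha256).digest()[:N // 2]
        L, R = R, xor(L, F)
    return R + L

def cbc_enc(key, m):        # one-block CBC$: C[0] random IV, C[1] = E_K(C[0] xor M)
    iv = os.urandom(N)
    return iv + feistel(key, xor(iv, m), range(4))

def cbc_dec(key, c):
    return xor(c[:N], feistel(key, c[N:], reversed(range(4))))

class LRCCAGame:
    """E_K(LR(.,.,b)) plus D_K(.), with decryption of earlier LR outputs disallowed."""
    def __init__(self, b):
        self.key, self.b, self.challenges = os.urandom(16), b, set()
    def lr(self, m0, m1):
        c = cbc_enc(self.key, (m0, m1)[self.b])
        self.challenges.add(c)
        return c
    def dec(self, c):
        return None if c in self.challenges else cbc_dec(self.key, c)

def malleability_adversary(game):
    """Flip one plaintext bit via the IV (relation x' = x xor delta).  The mauled
    ciphertext is not a challenge, so D_K answers; xor delta back to learn M_b."""
    m0, m1 = bytes(N), bytes([0xff]) * N
    c = game.lr(m0, m1)
    delta = bytes([1]) + bytes(N - 1)
    mauled = xor(c[:N], delta) + c[N:]          # decrypts to M_b xor delta
    recovered = xor(game.dec(mauled), delta)
    return 1 if recovered == m0 else 0          # output 1 in the "left" world

def lr_cca_advantage():
    """Pr[A^{left, D} = 1] - Pr[A^{right, D} = 1], as in the notes' definition."""
    return malleability_adversary(LRCCAGame(0)) - malleability_adversary(LRCCAGame(1))
```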