Unconditionally Secure Authenticated Encryption with Shorter Keys
Authenticated Encryptionastubble/dss/ae.pdfAuthenticated Encryption Jeremy, Paul, Ken, and Mike...
Transcript of Authenticated Encryptionastubble/dss/ae.pdfAuthenticated Encryption Jeremy, Paul, Ken, and Mike...
AuthenticatedAuthenticatedEncryptionEncryption
Jeremy, Paul, Ken, and MikeJeremy, Paul, Ken, and Mike
ObjectivesObjectives
Examine three methods of authenticatedExamine three methods of authenticatedencryption and determine the best solutionencryption and determine the best solutionconsidering performance and securityconsidering performance and security
Basic ComponentsBasic Components
MessageMessageAuthenticationAuthentication
CodeCode
SymmetricSymmetricEncryptionEncryption
+
Both of these components are used as black boxesBoth of these components are used as black boxes
Generic CompositionGeneric Composition
Note:Note: We separate the taggingWe separate the tagging
and verificationand verificationalgorithmalgorithm
key the-k
key theoflength parameter,security -
algorithm generationkey randomized -K
algorithm verifing tag- V
algorithm tagging- T
schemetion authentica Message -MA
Algorithm Decryption - D
algorithm encryption - E
scheme encryption Symmetric -
κ
SE
Basic ComponentsBasic Components
Message Authentication Code (MAC)Message Authentication Code (MAC) Integrity / AuthenticityIntegrity / Authenticity
Integrity of Plaintext (INT-PTXT)Integrity of Plaintext (INT-PTXT) Integrity of Integrity of Ciphertext Ciphertext (INT-CTXT)(INT-CTXT)
Symmetric EncryptionSymmetric EncryptionPrivacyPrivacy
IndistinguishabilityIndistinguishabilityChosen-plaintext attack (IND-CPA)Chosen-plaintext attack (IND-CPA)Chosen-Chosen-ciphertext ciphertext attack (IND-CCA)attack (IND-CCA)
Non-malleabilityNon-malleabilityChosen-plaintext attack (NM-CPA)Chosen-plaintext attack (NM-CPA)Chosen-Chosen-ciphertext ciphertext attack (NM-CPA)attack (NM-CPA)
IntegrityIntegrity
Integrity of Plaintext (INT-PTXT)Integrity of Plaintext (INT-PTXT) Computationally infeasible to produce aComputationally infeasible to produce a
ciphertext ciphertext decrypting to a message which thedecrypting to a message which thesender has never encryptedsender has never encrypted
Integrity of Integrity of Ciphertext Ciphertext (INT-CTXT)(INT-CTXT) Computationally infeasible to produce aComputationally infeasible to produce a
ciphertext ciphertext not previously produced by thenot previously produced by thesender, regardless of whether or not thesender, regardless of whether or not theunderlying plaintext is underlying plaintext is ““newnew””
Integrity of symmetricIntegrity of symmetricencryption schemedencryption schemed
Algorithm D*K(C)
If DK(C) ≠ ⊥, then return 1 Else return 0
Verification algorithmor
Verification oracle
SE = (E, K, D)
E – Encryption Algorithm
K– Randomized key generation algorithm
D – Decryption Algorithm
Integrity of AuthenticatedIntegrity of Authenticatedencryption schemeencryption scheme
The scheme SE is said to be INT-PTXT if theThe scheme SE is said to be INT-PTXT if thefunction function (the advantage of (the advantage of AAptxtptxt) is) isvery small for any adversary whose time-very small for any adversary whose time-complexity is polynomial in k.complexity is polynomial in k.
Likewise, the scheme SE is said to be INT-CTXTLikewise, the scheme SE is said to be INT-CTXTif the function (the advantage of if the function (the advantage of AActxtctxt))is very small for any adversary whose time-is very small for any adversary whose time-complexity is polynomial in k.complexity is polynomial in k.
)(int, ⋅−ctxtASE ctxt
Adv
)(int, ⋅− ptxtASE ptxt
Adv
0return else 1return then
)(E query to anever was)( M -
and 1, returns )(-
such that )( oracle the
toCquery a makes )( If
)(
)( Experiment
K
*
*
)(),(
int,
*
⋅
⋅
Κ←⋅⋅Ε
−
CDdef
CD
D
A
K
kExp
K
Dptxt
R
ptxtASE
K
K
K
ptxt
κ
κ
0return else 1return then
)(E toresponse anever was -
and 1, returns )(-
such that )( oracle the
toCquery a makes )( If
)(
)( Experiment
K
*
*
)(),(
int,
*
⋅
⋅
Κ←⋅⋅Ε
−
C
CD
D
A
K
kExp
K
K
K
ctxt
Dctxt
R
ctxtASE
κ
κ
]1)(Pr[)(
]1)(Pr[)(
int,
int,
int,
int,
==
==
−−
−−
kExpkAdv
kExpkAdv
ctxtASE
ctxtASE
ptxtASE
ptxtASE
ctxtctxt
ptxtptxt
)}({max),,,,,(
)}({max),,,,,(
int,
int
int,
int
kAdvqqtkAdv
kAdvqqtkAdv
ctxtASE
Adede
ctxtSE
ptxtASE
Adede
ptxtSE
ctxtctxt
ptxtptxt
−−
−−
=
=
µµ
µµ
Advantages of the adversaries
Advantages of the scheme
Integrity of AuthenticatedIntegrity of Authenticatedencryption schemeencryption scheme
IndistinguishabilityIndistinguishability
Indistinguishability Indistinguishability of Chosen Plaintextof Chosen PlaintextAttack (IND-CPA)Attack (IND-CPA)
Indistinguishability Indistinguishability of Chosen of Chosen CiphertextCiphertextAttack (IND-CCA)Attack (IND-CCA)
If MIf M00 and M and M11 are encrypted, a are encrypted, a ‘‘reasonablereasonable’’adversary should not be able to determineadversary should not be able to determinewhich message is sent.which message is sent.
Left-or-rightLeft-or-right
ΣΣKK((LRLR(.,.,b)), where b {0, 1}, to take input (M(.,.,b)), where b {0, 1}, to take input (M00,,MM11) |M) |M00| = |M| = |M11||
if b = 0if b = 0C C ΣΣKK(M(M00))
return Creturn C
elseelseC C ΣΣKK(M(M11))
return Creturn C As was mentioned from AdamAs was mentioned from Adam’’s lecture, we consider thes lecture, we consider the
encryption scheme to be encryption scheme to be ““goodgood”” if a if a ““reasonablereasonable”” adversary adversarycannot obtain cannot obtain ““significantsignificant”” advantage in distinguishing the cases advantage in distinguishing the casesb = 0 and b = 1 given access to the left-or-right oracle.b = 0 and b = 1 given access to the left-or-right oracle.
Non-malleabilityNon-malleability
Prevents the generation of aPrevents the generation of a ciphertext ciphertext whosewhoseplaintexts are meaningfulplaintexts are meaningful
Requires that an attacker given a challengeRequires that an attacker given a challengeciphertext ciphertext be unable to modify it into another,be unable to modify it into another,different different ciphertext ciphertext in such a way that thein such a way that theplaintexts underlying the two plaintexts underlying the two ciphertexts ciphertexts areare““meaningful relatedmeaningful related”” to each other. to each other.
i.e.i.e. Ptxt1: send a check of $100.00Ptxt1: send a check of $100.00 Ptxt2: send a check of $1000.00Ptxt2: send a check of $1000.00
Non-malleability - FormallyNon-malleability - Formally
x
),,(
)(
)(),(
)(
)(Exp Experiment
2
1
cpa
))(.,.,(
A SE,
return
scpAx
cDp
kAsc
Kk
b
cpa
k
bLREcpa
R
bcpanm
k
←
←
←
←
−−
κ
x
),,(
)(
)(),(
)(
)(Exp Experiment
2
1
cca
))(.,.,(
A SE,
return
scpAx
cDp
kAsc
Kk
b
cca
k
bLREcca
R
bccanm
k
←
←
←
←
−−
κ
]1)(Pr[]1)(Pr[)(
]1)(Pr[]1)(Pr[)(
0,
1,,
0,
1,,
=−==
=−==
−−−−−
−−−−−
kExpkExpkAdv
kExpkExpkAdv
ccanmASE
ccanmASE
cpanmASE
cpanmASE
cpanmASE
cpanmASE
ccaccacca
cpacpacpa
)}({max),,,(
)}({max),,,(
,
,
kAdvqtkAdv
kAdvqtkAdv
ccanmASE
Aee
ccanmSE
cpanmASE
Aee
cpanmSE
ccacca
cpacpa
−−
−−
=
=
µ
µ
oracles 2 ),,(
oracle 1 ),,(
1} {0,b
D) E, (K, SE
21
21
ccaccacca
cpacpacpa
AAA
AAA
N
=
=
∈
∈
=
κ
If negligible, NM-CPA Secure
If negligible, NM-CCA Secure
UnforgeabilityUnforgeability
Weak Weak Unforgeability Unforgeability against Chosenagainst ChosenMessage Attacks (WUF-CMA)Message Attacks (WUF-CMA) Adversary Adversary FF can can’’t create a new message andt create a new message and
tagtag
Strong Strong Unforgeabililty Unforgeabililty against Chosenagainst ChosenMessage Attacks (SUF-CMA)Message Attacks (SUF-CMA) Adversary Adversary FF can can’’t create a new tag for ant create a new tag for an
existing messageexisting message
DifficultiesDifficulties
The notions of authenticity are byThe notions of authenticity are bythemselves quite disjoint from the notionsthemselves quite disjoint from the notionsof privacyof privacy i.e. Sending the message in the clear with ani.e. Sending the message in the clear with an
accompanying (strong) MAC achieves INT-accompanying (strong) MAC achieves INT-CTXT but no kind of privacyCTXT but no kind of privacy
Relations among notions ofRelations among notions ofsymmetric encryptionsymmetric encryption
INT-CTXT ^ IND-CPAINT-CTXT ^ IND-CPA IND-CCAIND-CCA
INT-PTXT ^ IND-CPAINT-PTXT ^ IND-CPA IND-CPAIND-CPA NM-CCANM-CCA
NM-CPANM-CPA
Relations among notions of symmetricRelations among notions of symmetricencryptionencryption
Theorem 3.1Theorem 3.1
A A –– adversary mounting an attack against integrity of plaintexts of SE adversary mounting an attack against integrity of plaintexts of SE AA’’ –– adversary mounting an attack against integrity of adversary mounting an attack against integrity of ciphertexts ciphertexts of SEof SE AA’’ = A = A
PTXTINTCTXTINT −→−
query winning theis - C
A(C)return
(k)A' Adversary
It is initiative that if an adversary violates integrity of plaintextsof a scheme SE = (K,E,D) also violates integrity of ciphertextsof the same scheme
),,,,,(),,,,,( intintdede
ctxtSEdede
ptxtSE qqtkAdvqqtkAdv µµµµ −− ≤
)()( int',
int, kAdvkAdv ctxt
ASEptxtASE
−− ≤
Proposition 3.3Proposition 3.3
IND-CCA IND-CCA INT-PTXTINT-PTXT
Given a symmetric encryption scheme Given a symmetric encryption scheme SESEwhich is IND-CCA secure, we canwhich is IND-CCA secure, we canconstruct a symmetric encryption schemeconstruct a symmetric encryption schemeSESE which is also IND-CCA secure but is which is also IND-CCA secure but isnotnot INT-PTXT secure INT-PTXT secure
IND-CCA INT-PTXTIND-CCA INT-PTXT
CReturn C'||0 C
)(k
EC'
)(E Algorithm
←
← M
Mk
0return Else
Mreturn );'(D M then 0 b if
)(k
Ebit a is b whereC'||b as C Parse
)(D Algorithm
Ck
M
Ck
←=
←
•Let SE = (K, E, D)
•We define a such that is IND-CCA secure but is not INT-PTXT secure
•Basically a certain known string (or strings) will be viewed by asvalid and decrypted to certain known messages, so that forgery is easy
•However these ‘ciphertexts’ will never be produced by the encryptionalgorithm, so privacy will not be affected
SE SE
D
),,( DEKSE =
IND-CCA INT-PTXTIND-CCA INT-PTXTAttackAttack
Query 10 is a validQuery 10 is a validciphertextciphertext
It decrypts to a It decrypts to a msg msg (0)(0)that the adversarythat the adversarynever queried of itsnever queried of itsoracleoracle
0)10(D
)(D oracle to10query Submit
)(AAdversary
*
*
)(,)(E
k
k
K
=
•••
⋅
⋅⋅ kkD
10 1010
(little Endian, LSB 1st)
1)(int, =− kAdv ptxtASE
A makes zero queries to and one query to totaling 2 bits, and Is Certainly poly(k)-time
)(EK ⋅ )(DK ⋅
IND-CCA INT-PTXTIND-CCA INT-PTXTIND-CCA SecureIND-CCA Secure
It is easy for B to break the scheme if A canIt is easy for B to break the scheme if A can0 A Else
)(D A then 0 b if
bit a is b where||b as C Parse
do oracle decryption its toCquery a makesA when
)),,M((E||0A
do oracle encryptionright -or-left its to,Mquery a makesA when
do 1,....q ifor
)(BAdversary
'k
i'
i
i
1,i,0k
1,i,0
e
)()),(.,.,(Ek
⇐
⇐=
⇐
+=
⋅
i
i
i
i
d
DbLR
C
C
bMLR
M
q
kk
To prove that is IND-CCA secure, it sufficesTo prove that is IND-CCA secure, it suffices(enough) to associate with any poly(k)-time(enough) to associate with any poly(k)-timeadversary B attacking SE in the IND-CCAadversary B attacking SE in the IND-CCAsense such thatsense such that
SE
B simulates A andUses its oracles toAnswer A’s oraclequeries
)()( ,,kAdvkAdv ccaind
BSEccaindASE
−− ≤
Other RelationsOther Relations
Theorem 3.2Theorem 3.2 INT-CTXT ^ IND-CPA INT-CTXT ^ IND-CPA IND-CCA IND-CCA
Proposition 3.4Proposition 3.4 INT-PTXT ^ IND-CPA (does not) INT-PTXT ^ IND-CPA (does not) NM-CPANM-CPA
Security of the CompositeSecurity of the CompositeSchemesSchemes
SecureSecureProven to meet the security requirement, assumingProven to meet the security requirement, assumingcomponent encryption scheme meets IND-CPA andcomponent encryption scheme meets IND-CPA andmessage authentication scheme is message authentication scheme is unforgeable unforgeable underunderCMACMA
InsecureInsecureSomeSome IND-CPA secure symmetric encryption and IND-CPA secure symmetric encryption andsome message authentication scheme some message authentication scheme unforgeableunforgeableunder CMA exist that doesnunder CMA exist that doesn’’t meet the securityt meet the securityrequirementrequirement
Generic CompositionGeneric Composition
Using both functions as black boxesUsing both functions as black boxes
MACMAC SymmetricSymmetricEncryptionEncryption
Encrypt-and-MACEncrypt-and-MAC
MAC (M)MAC (M)Encrypt (M)Encrypt (M) IIIIC =C =
Encrypt-and-MAC SecurityEncrypt-and-MAC Security
InsecureInsecureInsecureInsecureINT-CTXTINT-CTXT
SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity
InsecureInsecureInsecureInsecureNM-CPANM-CPA
InsecureInsecureInsecureInsecureIND-CCAIND-CCA
InsecureInsecureInsecureInsecureIND-CPAIND-CPA
PrivacyPrivacy
Strong MACStrong MACWeak MACWeak MACSecuritySecurity
Encrypt (M Encrypt (M ) )
MAC-then-EncryptMAC-then-Encrypt
MAC (M)MAC (M)C =C = IIII
MAC-then-Encrypt SecurityMAC-then-Encrypt Security
InsecureInsecureInsecureInsecureINT-CTXTINT-CTXT
SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity
InsecureInsecureInsecureInsecureNM-CPANM-CPA
InsecureInsecureInsecureInsecureIND-CCAIND-CCA
SecureSecureSecureSecureIND-CPAIND-CPA
PrivacyPrivacy
Strong MACStrong MACWeak MACWeak MACSecuritySecurity
Encrypt-then-MACEncrypt-then-MAC
MAC ( )MAC ( )Encrypt (M)Encrypt (M)Encrypt (M)Encrypt (M) IIIIC =C =
Encrypt-then-MAC SecurityEncrypt-then-MAC Security
SecureSecureInsecureInsecureINT-CTXTINT-CTXT
SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity
SecureSecureInsecureInsecureNM-CPANM-CPA
SecureSecureInsecureInsecureIND-CCAIND-CCA
SecureSecureSecureSecureIND-CPAIND-CPA
PrivacyPrivacy
Strong MACStrong MACWeak MACWeak MACSecuritySecurity
Summary of MethodsSummary of Methods
SecureSecureSecureSecureSecureSecureSecureSecureSecureSecureEncrypt-then-MACEncrypt-then-MAC
InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureMAC-then-EncryptMAC-then-Encrypt
InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureInsecureInsecureEncrypt-and-MACEncrypt-and-MAC
INT-CTXTINT-CTXTINT-PTXTINT-PTXTNM-CPANM-CPAIND-CCAIND-CCAIND-CPAIND-CPA
IntegrityIntegrityPrivacyPrivacyCompositionCompositionMethodMethod
InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureEncrypt-then-MACEncrypt-then-MAC
InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureMAC-then-EncryptMAC-then-Encrypt
InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureInsecureInsecureEncrypt-and-MACEncrypt-and-MAC
INT-CTXTINT-CTXTINT-PTXTINT-PTXTNM-CPANM-CPAIND-CCAIND-CCAIND-CPAIND-CPA
IntegrityIntegrityPrivacyPrivacyCompositionCompositionMethodMethod
Weakly Weakly Unforgeable Unforgeable
Strongly Strongly Unforgeable Unforgeable
Theorem 4.7Theorem 4.7
Encrypt-then-MAC method is IND-CPAEncrypt-then-MAC method is IND-CPAand INT-PTXTand INT-PTXT
SE be a symmetric schemeSE be a symmetric scheme
MA be message authentication schemeMA be message authentication scheme
),,,,,(),,,,,(
),,,(),,,(int
dedecmawuf
MAdedeptxt
SE
cpaindSE
cpaindSE
qqtkAdvqqtkAdv
qtkAdvqtkAdv
µµµµ
µµ−−
−−
≤
≤
Theorem 4.7 - IND-CPATheorem 4.7 - IND-CPA
b'Return
b'A
||);());,,M((C
do oracle encryption ),(Mquery a makesA When
do q1,...., iFor
)(k
)(A
1,o i,i
1,o i,
m
))(.,.,(EKe
p
⇒
⇐Τ←←
−−
=
←
iiiKiiK
i
mR
bLR
CACbMLRE
rightorleftitstoM
K
Adversary
meττ
κ
κ
),,,()( , µqtkAdvkAdv cpaindASE
cpaindSE p
−− ≤
Theorem 4.7 - INT-PTXTTheorem 4.7 - INT-PTXT
iiiKiii
ii
KiK
eR
V
vACVvC
CACE
K
Adversary
mii
iime
mKmK
⇐←
⇐Τ←←
+=
←
⋅Τ
);,(;|| as C Parse
do oracleion verificatits toCquery a makesA When
||);();M(C
do oracle encryption its toMquery a makesA When
do qq1,...., iFor
)(k
)(F
''i
i
'ii
i
de
e
(.,.)),(
p
ττ
ττ
κ
κ
)()( ,int,
kAdvkAdv cmawufAM
ptxtASE p
−− ≤
Proposition 4.9Proposition 4.9
Encrypt-then-MAC method with a SUF-Encrypt-then-MAC method with a SUF-CMA-secure MAC is INT-CTXT, IND-CPA,CMA-secure MAC is INT-CTXT, IND-CPA,and IND-CCAand IND-CCA
)()( ,int,
kAdvkAdv cmasufFMA
ctxtASE
−− ≤
),,,(
),,,,,(2),,,,,(
),,,,,(),,,,,(
),,,(),,,(int
eecpaind
SE
deedecmasuf
MAdedeccaind
SE
deedecmasuf
MAdedectxt
SE
cpaindSE
cpaindSE
qtkAdv
lqqqtkAdvqqtkAdv
lqqqtkAdvqqtkAdv
qtkAdvqtkAdv
µ
µµµµ
µµµµ
µµ
−
−−
−−
−−
+
+×≤
+≤
≤
Conclusion Conclusion
Encrypt-then-MAC provides the most secureEncrypt-then-MAC provides the most securesolution for authenticated encryptionsolution for authenticated encryption
CBC CBC –– Cipher Block Chain Cipher Block Chain
•If IV is different then instances of samemsg (or block) will be encrypted differently
•If K’th cipher block Ck gets corrupted intransmission – only blocks Pk and Pk+1 areaffected
•This can also allow some msgtampering
•If one plaintext block Pk is changed – Allsubsequent ciphertext blocks will beaffected
•This leads to an effective MAC
ECB ECB –– Electronic Code Electronic CodeBookBook
If the same key is used then identical plaintext blocks map toidentical ciphertext
Proposition 4.1Proposition 4.1
Encrypt-and MAC method is not IND-CPAEncrypt-and MAC method is not IND-CPA
Proposition 4.2Proposition 4.2
Encrypt-and MAC method is IND-CPAEncrypt-and MAC method is IND-CPAinsecure for any deterministic MAC)insecure for any deterministic MAC)
Theorem 4.3Theorem 4.3
Encrypt-and-MAC is INT-PTXT secureEncrypt-and-MAC is INT-PTXT secure
Proposition 4.4Proposition 4.4
Encrypt-and-MAC method is not INT-Encrypt-and-MAC method is not INT-CTXT secureCTXT secure
Theorem 4.5Theorem 4.5
MAC-then-encrypt method is both INT-MAC-then-encrypt method is both INT-PTXT an IND-CPA securePTXT an IND-CPA secure
Proposition 4.6Proposition 4.6
MAC-then-encrypt method is not NM-CPAMAC-then-encrypt method is not NM-CPAsecuresecure
Proposition 4.8Proposition 4.8
Encrypt-then-MAC method with a WUF-Encrypt-then-MAC method with a WUF-CMA-secure MAC is not NM-CPA secureCMA-secure MAC is not NM-CPA secure