Cryptography Lecture - PowerPoint Presentation

Uploaded by lindy-dunigan (@lindy-dunigan)
343 views
Uploaded On 2019-12-09


Cryptography Lecture 9, Arpita Patra. Recall: attack on cpa-secure scheme from PRF; cpa-security to cca-security; MAC definitions (cma, scma, cmva, scmva). ID: 769772




Presentation Transcript

Cryptography Lecture 9, Arpita Patra (© Arpita Patra)

Recall
>> Attack on cpa-secure scheme from PRF: padding oracle attack on CBC mode
>> cpa-security to cca-security
>> MAC: definitions of cma, scma, cmva, scmva

Today's Goal
>> Recall of security definitions of MAC
>> Construction from PRF
>> Domain extension: how to find a tag for a long message (CBC-MAC)
>> Authenticated Encryption (AE): message privacy + integrity
- Definition
- Any AE is cca-secure; AE is stronger than cca-security (nontrivial proof)
- Construction of AE from a cpa-secure SKE + a cma-secure MAC

Security for MAC
- Chosen Message Attack (CMA), randomized PPT attacker: it is not possible to come up with (m,t) if no tag on m has been seen before.
- Chosen Message and Verification Attack (CMVA), randomized PPT attacker: it is not possible to come up with (m,t) if (m,t) has not been seen before.
- Strong versions (scma, scmva): it is not possible to come up with (m,t) if (m,t) has not been seen before.

CMA Security for MAC
Experiment Mac-forge^cma_{A,Π}(n), with Π = (Gen, Mac, Vrfy):
- k ← Gen(1^n)
- Training phase: attacker A (run time poly(n), "I can break Π") asks for tags on messages of its choice; Q = {m_1, …, m_l} is the set of queried messages
- A outputs a forged pair (m, t) ("Let me verify")
- Game output: 1 (A succeeds) if Vrfy_k(m, t) = 1 and m ∉ Q; 0 (A fails) otherwise
Π is CMA-secure if for every A there is a negl(n) such that Pr[Mac-forge^cma_{A,Π}(n) = 1] ≤ negl(n).

Strong CMA Security for MAC
Experiment Mac-sforge^cma_{A,Π}(n), with Π = (Gen, Mac, Vrfy):
- k ← Gen(1^n)
- Training phase: attacker A (run time poly(n), "I can break Π") asks for tags on messages of its choice; Q = {(m_1, t_1), …, (m_l, t_l)} is the set of (message, tag) pairs seen
- A outputs a forged pair (m, t) ("Let me verify")
- Game output: 1 (A succeeds) if Vrfy_k(m, t) = 1 and (m, t) ∉ Q; 0 (A fails) otherwise
Π is strong CMA-secure if for every A there is a negl(n) such that Pr[Mac-sforge^cma_{A,Π}(n) = 1] ≤ negl(n).

CMA and strong CMA Security
- It is NOT true that you need a randomized MAC to satisfy scma-security.
- Any MAC that has canonical verification and is cma-secure is also scma-secure.
- Every deterministic MAC has canonical verification.
- For a deterministic MAC it is enough to prove cma-security, as scma-security is 'free'.
- The PRF-based scheme is scma-secure (because it is deterministic and provably cma-secure).

What is not Captured in the MAC Security Definition
>> Let a bank user X send the following instruction to the bank: "transfer $1000 from account #X to account #Y"
>> What if an attacker simply sends 10 copies of the original (message, tag) pair? The bank will consider each request genuine: disaster for X.
>> The above attack is called a replay attack.
Why the replay attack is not taken care of in the MAC definition
>> If A returns (m,t) for an already queried message, we don't consider that as a break.
>> What does this capture in a real scenario? If (m,t) is a valid pair generated by the sender, then there is no harm if the receiver accepts it even though the adversary forwards it (maybe at a later point in time).
>> Is it problematic? Whether this attack is of concern depends on the actual application scenario.
>> So it is better to deal with this in the outer protocol (the one that uses the MAC for authentication): additional techniques like (synchronized) counters, timestamps, etc. are used.

Fixed-length MAC from PRF
- If instead a TRF f were used to compute the tag, then an attacker could guess f(m) for a "new" m with probability at most 2^-n.
- The same should hold even if a PRF is used (as the key is unknown).
- Let F: {0,1}^n × {0,1}^n → {0,1}^n be a PRF. Then Π = (Gen, Mac, Vrfy) is a fixed-length MAC for n-bit strings where:
  - Gen(1^n): k ←_R {0,1}^n
  - Mac_k(m) for m ∈ {0,1}^n (deterministic Mac): t := F_k(m)
  - Vrfy_k(m, t): output 1 if t = F_k(m), 0 if t ≠ F_k(m)
- Theorem: If F is a PRF then Π is a cma-secure MAC.
- Proof strategy: show that if Π is not cma-secure then F is not a PRF, by designing a distinguisher for F.

Security Proof
Theorem. If F_k is a PRF, then Π is a CMA-secure scheme.
Proof: Assume Π is NOT secure, i.e. there exist A and a polynomial p(n) with Pr[Mac-forge^cma_{A,Π}(n) = 1] > 1/p(n).
Build a distinguisher D with oracle access to either F_k (PRF) or f (TRF). D runs A: whenever A queries a message m_1, D forwards m_1 to its oracle, receives y_1, and returns (m_1, y_1) to A (repeat for every query); let Q = {m_1, …, m_l}. When A outputs a forgery (m, t), D queries m to its oracle, receives y, and outputs 1 if y = t and m ∉ Q, 0 otherwise.
- Pr[D^{F_k}() = 1] = Pr[Mac-forge^cma_{A,Π}(n) = 1] > 1/p(n)
- Pr[D^f() = 1] = 2^-n
So D distinguishes F_k from f with non-negligible advantage, contradicting that F is a PRF.

Domain Extension
Given a scheme that handles fixed-length messages, how to handle arbitrary-length messages?
- SKE: break the message into blocks and encrypt each block using the fixed-length scheme (minimum security notion: CPA-security). Want efficiency? Go for modes of operation.
- MAC: the same does not work here; additional tricks are necessary. Want efficiency? CBC-MAC, C-MAC, Hash-and-MAC, HMAC.

Domain Extension for MAC. Warning!! Simple ideas do not work!!
Attempt I: divide the message m = m_1 || m_2 || m_3 into n-bit blocks and authenticate each separately via the fixed-length MAC:
t_1 = Mac_k(m_1), t_2 = Mac_k(m_2), t_3 = Mac_k(m_3); Mac_k(m) = t = t_1 || t_2 || t_3
Block re-ordering attack: given (m, t), where m = m_1 || m_2 || m_3 and t = t_1 || t_2 || t_3, the pair (m', t') is also valid, where m' = m_2 || m_1 || m_3 and t' = t_2 || t_1 || t_3.

Domain Extension for MAC. Warning!! Simple ideas do not work!!
Attempt II: prevent the previous attack by authenticating the block index along with each block:
t_1 = Mac_k(1 || m_1), t_2 = Mac_k(2 || m_2), t_3 = Mac_k(3 || m_3); Mac_k(m) = t = t_1 || t_2 || t_3
Truncation attack: a valid (msg, tag) pair can be generated by dropping (msg, tag) blocks from the end: (m_1 || m_2, t_1 || t_2) is a valid new (msg, tag) pair generated from (m_1 || m_2 || m_3, t_1 || t_2 || t_3).

Domain Extension for MAC. Warning!! Simple ideas do not work!!
Attempt III: prevent the previous attack by additionally authenticating the message length l with each block (here l = 3n):
t_1 = Mac_k(l || 1 || m_1), t_2 = Mac_k(l || 2 || m_2), t_3 = Mac_k(l || 3 || m_3); Mac_k(m) = t = t_1 || t_2 || t_3
Mix-and-match attack: suppose the attacker learns (m_1 || m_2 || m_3, t_1 || t_2 || t_3) and (m'_1 || m'_2 || m'_3, t'_1 || t'_2 || t'_3) where |m_1 || m_2 || m_3| = |m'_1 || m'_2 || m'_3|. Then (m_1 || m'_2 || m_3, t_1 || t'_2 || t_3) is a valid, new (message, tag) pair.

Domain Extension for MAC. Warning!! Simple ideas do not work!!
Attempt IV: prevent the previous attack by additionally authenticating a random identifier r with each block; a fresh random identifier is chosen for each message:
t_1 = Mac_k(r || l || 1 || m_1), t_2 = Mac_k(r || l || 2 || m_2), t_3 = Mac_k(r || l || 3 || m_3); Mac_k(m) = t = t_1 || t_2 || t_3
Is this construction secure? Yes (it is in fact a randomized MAC). Ahhhh, finally!
But this is highly inefficient: each invocation of Mac now covers only n/4 bits of m. So if |m| = dn bits, it requires 4d invocations of the Mac algorithm and the tag size is 4dn bits.
Is randomization necessary for domain extension? NO.

CBC-MAC for Arbitrary-length Messages
Let F: {0,1}^n × {0,1}^n → {0,1}^n be a PRF whose key k is agreed between S and R. Let S have a message m = m_1 || m_2 || … || m_d with |m| = dn, where d is some polynomial in n.
t = Mac_k(m) is computed by chaining: t_0 = F_k(|m|), t_i = F_k(t_{i-1} ⊕ m_i) for i = 1, …, d, and t = t_d.
The length of m (i.e. |m|) needs to be prepended, not appended; otherwise the construction is insecure.
CBC-MAC: the tag consists of only n bits (vs 4dn bits for Attempt IV) and needs only d invocations of the PRF (vs 4d). Highly efficient.
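The PRF-based fixed-length MAC, the block-wise domain extension of Attempt I and the length-prepended CBC-MAC above, as an added runnable example that is not part of the lecture slides. It assumes HMAC-SHA256 as a stand-in for the PRF F_k with n = 256-bit blocks; the demo shows that the re-ordered (m', t') verifies under Attempt I while CBC-MAC rejects the re-ordered message.

```python
# Added example (not from the slides): fixed-length MAC from a PRF, the insecure
# block-wise extension (Attempt I) and CBC-MAC with |m| prepended.
# Assumption: HMAC-SHA256 plays the PRF F_k; block size n = 256 bits.
import hashlib
import hmac
import os

N = 32  # block size in bytes (n = 256 bits)

def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): one n-bit block in, one n-bit block out."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()

def blocks(m: bytes):
    assert len(m) > 0 and len(m) % N == 0, "m must be a positive number of n-bit blocks"
    return [m[i:i + N] for i in range(0, len(m), N)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Attempt I: tag every block independently, t = t_1 || t_2 || ... (insecure)
def mac_blockwise(k: bytes, m: bytes) -> bytes:
    return b"".join(prf(k, b) for b in blocks(m))

def vrfy_blockwise(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_blockwise(k, m), t)

# CBC-MAC: t_0 = F_k(|m|), t_i = F_k(t_{i-1} xor m_i), tag = t_d (a single block)
def mac_cbc(k: bytes, m: bytes) -> bytes:
    t = prf(k, len(m).to_bytes(N, "big"))  # length block comes first
    for b in blocks(m):
        t = prf(k, xor(t, b))
    return t

def vrfy_cbc(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_cbc(k, m), t)

def reorder_demo(k: bytes):
    """Swap blocks m_1, m_2 (and t_1, t_2). Returns (Attempt I accepts?, CBC-MAC accepts?)."""
    m1, m2, m3 = (bytes([i]) * N for i in (1, 2, 3))  # constructed sample blocks
    t1, t2, t3 = blocks(mac_blockwise(k, m1 + m2 + m3))
    forged_m, forged_t = m2 + m1 + m3, t2 + t1 + t3
    cbc_tag = mac_cbc(k, m1 + m2 + m3)  # honest CBC tag on the original message
    return vrfy_blockwise(k, forged_m, forged_t), vrfy_cbc(k, forged_m, cbc_tag)

if __name__ == "__main__":
    print(reorder_demo(os.urandom(N)))  # (True, False)
```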

Information-theoretic MAC (reading assignments)
- RA13: definition (restriction on key usage / one-time); construction from a universal function; proof of security
- RA14: limitations of i.t. MAC

The Picture Till Now
- SKE gives privacy but does not necessarily provide integrity and authentication: >> easy to come up with a valid ciphertext >> easy to manipulate a known ciphertext
- MAC gives integrity & authentication but does not necessarily provide privacy: >> easy to distinguish tags of two different messages
- Authenticated Encryption: both
References: Jonathan Katz, Moti Yung: Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. FSE 2000: 284-299. Mihir Bellare, Chanathip Namprempre: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. ASIACRYPT 2000: 531-545.

Authenticated Encryption
Open channel + AE = secure & authenticated channel.
Let Π = (Gen, Enc, Dec) be an SKE. Intuitively we demand the following secrecy and integrity properties to be satisfied by Π to qualify it as an AE scheme. But how do we define such security for such a primitive? Way out: try to capture secrecy and authenticity/integrity separately in the definition.
- For secrecy, we demand CPA security: no PPT attacker should be able to non-negligibly distinguish between encryptions of two messages of its choice, even if it has access to an encryption oracle.
- For integrity/authentication, we demand something similar to strong cma-security for MAC: no PPT attacker can come up with a valid ciphertext for ANY message. This implies that if the receiver has received a valid ciphertext then it is THE ciphertext sent by the sender. Modeled via a new experiment which exactly captures the above: CiIn.
Π is an authenticated encryption scheme if no PPT attacker is able to non-negligibly win the CPA experiment and the CiIn experiment with respect to Π.
>> CiIn is similar in spirit to Mac-sforge.
>> We need to introduce a new game and definition since MAC and SKE have different syntax.

Authenticated Encryption
Π = (Gen, Enc, Dec) is an authenticated encryption if
- Π = (Gen, Enc, Dec) is cpa-secure AND
- Π = (Gen, Enc, Dec) has ciphertext integrity (it is hard to come up with a ciphertext that has a valid decryption, even after sufficient training).

Ciphertext Integrity
Experiment CiIn_{A,Π}(n), with Π = (Gen, Enc, Dec):
- k ← Gen(1^n)
- PPT attacker A ("I can forge Π") has access to an encryption oracle: it submits messages and receives their encryptions; Q = {c_1, …, c_t} is the set of ciphertexts returned
- A outputs a ciphertext c ("Let me verify")
- Game output: 1 if Dec_k(c) = m ≠ ⊥ and c ∉ Q; 0 if Dec_k(c) = ⊥ or c ∈ Q
Π has ciphertext integrity if for every PPT A: Pr[CiIn_{A,Π}(n) = 1] ≤ negl(n).

Ingredients for Authenticated Encryption
>> cpa-secure SKE
>> scma-secure MAC
>> How to combine them: the crux of AE

Attempt I (Encrypt-and-Authenticate)
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be a scma-secure MAC. Algorithm Gen in each of Π_E and Π_M selects a random key from the respective domain; k_E and k_M are independent keys for Π_E and Π_M.
- Encryption of m: c ← Enc_{k_E}(m), t ← Mac_{k_M}(m); output (c, t)
- Decryption of (c, t): m := Dec_{k_E}(c); output m if Vrfy_{k_M}(m, t) = 1, and ⊥ if Vrfy_{k_M}(m, t) = 0
This approach is used in SSH. Does this guarantee authenticated encryption? Not necessarily: a secure MAC does not necessarily preserve the privacy of m. Ex: a MAC may always output the first two bits of m as the first two bits of the MAC tag. In general this approach is not recommended.

Attempt II (Authenticate-then-Encrypt)
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be a scma-secure MAC. Algorithm Gen in each of Π_E and Π_M selects a random key from the respective domain.
- Encryption of m: t ← Mac_{k_M}(m), c ← Enc_{k_E}(m || t); output c
- Decryption of c: m || t := Dec_{k_E}(c); output m if Vrfy_{k_M}(m, t) = 1, and ⊥ if Vrfy_{k_M}(m, t) = 0
This approach is used in SSL. Does this guarantee authenticated encryption? Unfortunately the above approach does not always lead to an authenticated cipher: there exists an instantiation of Π_E which is cpa-secure and which, when combined with any MAC using the above approach, does not lead to an authenticated cipher. CBC-mode encryption + MAC using the above approach ⇒ authenticated encryption. The security of this approach depends upon the underlying instantiation of Π_E. In general this approach is not recommended.

Attempt III (Encrypt-then-Authenticate)
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be a scma-secure MAC. Algorithm Gen in each of Π_E and Π_M selects a random key from the respective domain.
- Encryption of m: c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t)
- Decryption of (c, t): if Vrfy_{k_M}(c, t) = 1 output m := Dec_{k_E}(c); if Vrfy_{k_M}(c, t) = 0 output ⊥
This approach is used in IPSec. Does this guarantee authenticated encryption? Fortunately this approach always leads to an AE, irrespective of how Π_E and Π_M are instantiated.

AE: Encrypt then Authenticate
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be a scma-secure MAC. Π' = (Gen', Enc', Dec') is an authenticated encryption:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥, else m := Dec_{k_E}(c)
Lemma: If Π_E is cpa-secure then Π' is cpa-secure.
Proof (reduction): from an attacker A with non-negligible advantage in the cpa game for Π', build an attacker A' with non-negligible advantage in the cpa game for Π_E. A' picks k_M itself. Training phase: when A asks for an encryption of m_i, A' obtains c_i from its own encryption oracle, computes t_i ← Mac_{k_M}(c_i) and returns (c_i, t_i). Challenge: A sends (m_0, m_1); A' forwards (m_0, m_1), receives c* ← Enc_{k_E}(m_b), computes t* ← Mac_{k_M}(c*) and returns (c*, t*). Further training queries are answered the same way. Finally A' outputs the bit b' that A outputs, so A' has the same non-negligible advantage as A.

AE: Encrypt then Authenticate
Let Π_E = (Enc, Dec) be a cpa-secure SKE and Π_M = (Mac, Vrfy) be a scma-secure MAC. Π' = (Gen', Enc', Dec') is an authenticated encryption:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥, else m := Dec_{k_E}(c)
Lemma: If Π_M is scma-secure then Π' has ciphertext integrity.
Proof (reduction): from an attacker A with non-negligible advantage in the CiIn game for Π', build an attacker A' with non-negligible advantage in the scma game for Π_M. A' picks k_E itself. Training phase: when A asks for an encryption of m_i, A' computes c_i ← Enc_{k_E}(m_i), obtains t_i from its own Mac oracle and returns (c_i, t_i). Finally A outputs (c*, t*) with (c*, t*) ∉ {(c_1, t_1), …, (c_q, t_q)} such that Dec'_{k_M,k_E}(c*, t*) is valid, i.e. Vrfy_{k_M}(c*, t*) = 1. A' outputs (c*, t*), which is not in {(c_1, t_1), …, (c_q, t_q)} and is therefore a valid forgery against Π_M.
Food for thought: does a similar reduction hold for authenticate-then-encrypt??

Need for Independent Keys
Let F be a strong PRP (SPRP).
- Π_E: to encrypt m ∈ {0,1}^{n/2}, select a random r ∈ {0,1}^{n/2} and output c ← F_k(m || r). This is cca-secure!!
- Π_M: to authenticate c ∈ {0,1}^n, output the tag t := F_k^{-1}(c). If F is a PRP then so is F^{-1}, so this is scma-secure.
Assume k_E = k_M = k. Then the tag is Enc'_k(m) = Mac_k(Enc_k(m)) = F_k^{-1}(F_k(m || r)) = m || r, so the message is sent in the clear.
Does this mean that the Encrypt-then-authenticate approach is insecure? No, it is secure provided the encryption and MAC keys are independent.
Recall Π' = (Gen', Enc', Dec') with Π_E = (Enc, Dec) a cpa-secure SKE and Π_M = (Mac, Vrfy) a scma-secure MAC:
- Gen'(1^n): k_E ←_R {0,1}^n, k_M ←_R {0,1}^n
- Enc'_{k_E,k_M}(m): c ← Enc_{k_E}(m), t ← Mac_{k_M}(c); output (c, t)
- Dec'_{k_E,k_M}(c, t): if Vrfy_{k_M}(c, t) = 0 output ⊥, else m := Dec_{k_E}(c)
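The Encrypt-then-Authenticate scheme Π' with independent keys, as an added runnable example that is not part of the lecture slides. It assumes HMAC-SHA256 as the PRF F_k (n = 256 bits), the PRF-based cpa-secure fixed-length SKE Enc_k(m) = (r, F_k(r) ⊕ m) recalled in the lecture as Π_E, and the PRF MAC Mac_k(x) = F_k(x) as Π_M; tampering with either c or t makes Dec' output ⊥ (None).

```python
# Added example (not from the slides): Encrypt-then-Authenticate from a
# PRF-based SKE and a PRF-based MAC, with independent keys k_E and k_M.
# Assumptions: HMAC-SHA256 plays the PRF F_k; n = 256 bits; one-block messages.
import hashlib
import hmac
import os

N = 32  # n bits = 32 bytes

def prf(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Pi_E: cpa-secure SKE from a PRF, Enc_k(m) = (r, F_k(r) xor m) for |m| = n
def enc(kE: bytes, m: bytes) -> bytes:
    assert len(m) == N
    r = os.urandom(N)
    return r + xor(prf(kE, r), m)

def dec(kE: bytes, c: bytes) -> bytes:
    r, body = c[:N], c[N:]
    return xor(prf(kE, r), body)

# Pi_M: MAC from a PRF with canonical verification
def mac(kM: bytes, x: bytes) -> bytes:
    return prf(kM, x)

def vrfy(kM: bytes, x: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(kM, x), t)

def gen_prime():
    """Gen': two independent keys, one for Enc and one for Mac."""
    return os.urandom(N), os.urandom(N)

def enc_prime(kE: bytes, kM: bytes, m: bytes):
    c = enc(kE, m)
    return c, mac(kM, c)  # the tag covers the ciphertext, not the message

def dec_prime(kE: bytes, kM: bytes, c: bytes, t: bytes):
    if not vrfy(kM, c, t):  # verify first; on failure output ⊥ (None)
        return None
    return dec(kE, c)

def tamper_demo(kE: bytes, kM: bytes, m: bytes):
    """Returns (honest decryption, result with c modified, result with t modified)."""
    c, t = enc_prime(kE, kM, m)
    bad_c = bytes([c[0] ^ 1]) + c[1:]  # flip one bit of the ciphertext
    bad_t = bytes([t[0] ^ 1]) + t[1:]  # flip one bit of the tag
    return dec_prime(kE, kM, c, t), dec_prime(kE, kM, bad_c, t), dec_prime(kE, kM, c, bad_t)

if __name__ == "__main__":
    kE, kM = gen_prime()
    print(tamper_demo(kE, kM, b"x" * N))  # (b'xxx...', None, None)
```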