Update CSE442T_L22.md

pages/CSE442T/CSE442T_L22.md

@@ -1 +1,110 @@
-# Lecture 22
+# Lecture 22
+
+## Chapter 7: Types of Attacks
+
+So far we've sought security against
+
+$$
+c\gets Enc_k(m)
+$$
+
+Adversary knows $c$, but nothing else.
+
+### Known plaintext attack (KPA)
+
+Adversary has seen $(m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q))$.
+
+$m_1,\cdots,m_q$ are known to the adversary.
+
+Given new $c=Enc_k(m)$, is previous knowledge helpful?
+
+### Chosen plaintext attack (CPA)
+
+Adversary can choose $m_1,\cdots,m_q$ and obtain $Enc_k(m_1),\cdots,Enc_k(m_q)$.
+
+Then adversary see new encryption $c=Enc_k(m)$. with the same key.
+
+Example:
+
+In WWII, Japan planned to attack "AF", but US suspected it means Midway.
+
+So US use Axis: $Enc_k(AF)$ and ran out of supplies.
+
+Then US know Japan will attack Midway.
+
+### Chosen ciphertext attack (CCA)
+
+Adversary can choose $c_1,\cdots,c_q$ and obtain $Dec_k(c_1),\cdots,Dec_k(c_q)$.
+
+Capture these ideas with the adversary having oracle access.
+
+$$
+\Pi=(Gen,Enc,Dec)
+$$
+
+private key encryption scheme.
+
+$$
+IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)
+$$
+
+where $O_1$ and $O_2$ are the round 1 and round 2 oracle access.
+
+$b$ is zero or one denoting the real scheme or the adversary's challenge.
+
+$n$ is the security parameter.
+
+is the following experiment:
+
+- Key $k\gets Gen(1^n)$
+- Adversary $\mathcal{A}^{O_1(k)}(1^n)$ queries oracles
+- $m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n)$
+- $c\gets Enc_k(m_b)$
+- $\mathcal{A}^{O_2(c)}(1^n,c)$ queries oracles
+- $\mathcal{A}$ outputs bit $b'$ which is either zero or one
+
+$\Pi$ is CPA/CCA1/CCA2 secure if for all PPT adversaries $\mathcal{A}$,
+
+$$
+\{IND_0^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n\approx\{IND_1^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n
+$$
+
+where $\approx$ is statistical indistinguishability.
+
+|Security|$O_1$|$O_2$|
+|:---:|:---:|:---:|
+|CPA|$Enc_k$|$Enc_k$|
+|CCA1|$Enc_k,Dec_k$|$Enc_k$|
+|CCA2 (or full CCA)|$Enc_k,Dec_k$|$Enc_k,Dec_k^*$|
+
+Note that $Dec_k^*$ will not allowed to query decryption of a functioning ciphertext.
+
+#### Theorem: Our mms private key encryption scheme is CPA, CCA1 secure.
+
+Have a PRF family $\{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}$
+
+$Gen(1^n)$ outputs $k\in\{0,1\}^n$ and samples $f_k$ from the PRF family.
+
+$Enc_k(m)$ samples $r\in\{0,1\}^n$ and outputs $(r,f_k(r)\oplus m)$. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
+
+$Dec_k(r,c)$ outputs $f_k(r)\oplus c$.
+
+Familiar Theme:
+
+- Show the R.F. version is secure.
+  - $F\gets RF_n$
+- If the PRF version were insecure, then the PRF can be distinguished from a random function...
+
+$IND_b^{O_1,O_2}(\Pi,\mathcal{A},n), F\gets RF_n$
+
+- $Enc$ queries $(m_1,(r_1,m_1\oplus F_k(r_1))),\cdots,(m_{q_1},(r_{q_1},m_{q_1}\oplus F_k(r_{q_1})))$
+- $Dec$ queries $(s_1,c_1),\cdots,(s_{q_2},c_{q_2})$, where $m_i=c_i-F_k(s_i)$
+- $m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n)$, $Enc_F(m_b)=(R,M_b+F(R))$
+- Query round similar to above.
+
+As long as $R$ was never seen in querying rounds, $P[\mathcal{A} \text{ guesses correctly}]=1/2$.
+
+$P[R\text{ was seen before}]\leq \frac{p(n)}{2^n}$ (by the total number of queries in all rounds.)
+
+
+