Update CSE442T_L22.md

pages/CSE442T/CSE442T_L22.md

@@ -106,5 +106,39 @@ As long as $R$ was never seen in querying rounds, $P[\mathcal{A} \text{ guesses
 
 $P[R\text{ was seen before}]\leq \frac{p(n)}{2^n}$ (by the total number of queries in all rounds.)
 
+**This encryption scheme is not CCA2 secure.**
 
+After round 1, $O^n,1^n\gets \mathcal{A}^{O_1(k)}(1^n)$,
+
+$(r,m+F(r))=(r,c)$ in round 2.
+
+Query $Dec_F(r,c+0\ldots 01)=0\ldots 01 \text{ or } 1\ldots 10$.
+
+$c+0\ldots 01-F(r)=M+0\ldots 01$
+
+### Encrypt then authenticate
+
+Have a PRF family $\{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}$
+
+$Gen(1^n)$ outputs $k_1,k_2\in\{0,1\}^n$ and samples $f_k$ from the PRF family.
+
+$Enc_{k_1,k_2}(m)$ samples $r\in\{0,1\}^n$ and let $c_1=f_{k_1}(r)\oplus m$ and $c_2=f_{k_2}(c_1)$. Then we output $(r,c_1,c_2)$. where $c_1$ is the encryption, and $c_2$ is the tag. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
+
+$Dec_{k_1,k_2}(r,c_1,c_2)$ checks if $c_2=f_{k_2}(c_1)$. If so, output $c_1-f_{k_1}(r)$. Otherwise, output $\bot$.
+
+Show that this scheme is CPA secure.
+
+1. Show that the modifier version $\Pi'^{RF}$ where $f_{k_2}$ is replaced with a random function is CCA2 secure.
+2. If ours isn't, then PRF detector can be created.
+
+Suppose $\Pi^RF$ is not secure, then $\exists \mathcal{A}$ which can distinguish $IND_i^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$ with non-negligible probability. We will use this to construct $B$ which breaks the CPA security of $\Pi$.
+
+Let $B$ be the PPT algorithm that on input $1^n$, does the following:
+
+- Run $\mathcal{A}^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$
+- Let $m_0,m_1$ be the messages that $\mathcal{A}$ asked for in the second round.
+- Choose $b\in\{0,1\}$ uniformly at random.
+- Query $Enc_{k_1,k_2}(m_b)$ to the oracle.
+- Let $c$ be the challenge ciphertext.
+- Return whatever $\mathcal{A}$ outputs.