Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
62066170051890da5e5a793bad16e3079ef68e2a
NoteNextra-origin/pages/CSE442T/CSE442T_L22.md
Zheyuan Wu 26fef331dd Update CSE442T_L22.md
2024-11-25 15:27:56 -06:00

2.9 KiB
Raw Blame History

Lecture 22

Chapter 7: Types of Attacks

So far we've sought security against


c\gets Enc_k(m)

Adversary knows c, but nothing else.

Known plaintext attack (KPA)

Adversary has seen (m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q)).

m_1,\cdots,m_q are known to the adversary.

Given new c=Enc_k(m), is previous knowledge helpful?

Chosen plaintext attack (CPA)

Adversary can choose m_1,\cdots,m_q and obtain Enc_k(m_1),\cdots,Enc_k(m_q).

Then adversary see new encryption c=Enc_k(m). with the same key.

Example:

In WWII, Japan planned to attack "AF", but US suspected it means Midway.

So US use Axis: Enc_k(AF) and ran out of supplies.

Then US know Japan will attack Midway.

Chosen ciphertext attack (CCA)

Adversary can choose c_1,\cdots,c_q and obtain Dec_k(c_1),\cdots,Dec_k(c_q).

Capture these ideas with the adversary having oracle access.


\Pi=(Gen,Enc,Dec)

private key encryption scheme.


IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)

where O_1 and O_2 are the round 1 and round 2 oracle access.

b is zero or one denoting the real scheme or the adversary's challenge.

n is the security parameter.

is the following experiment:

  • Key k\gets Gen(1^n)
  • Adversary \mathcal{A}^{O_1(k)}(1^n) queries oracles
  • m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n)
  • c\gets Enc_k(m_b)
  • \mathcal{A}^{O_2(c)}(1^n,c) queries oracles
  • \mathcal{A} outputs bit b' which is either zero or one

\Pi is CPA/CCA1/CCA2 secure if for all PPT adversaries \mathcal{A},


\{IND_0^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n\approx\{IND_1^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n

where \approx is statistical indistinguishability.

Security O_1 O_2
CPA Enc_k Enc_k
CCA1 Enc_k,Dec_k Enc_k
CCA2 (or full CCA) Enc_k,Dec_k Enc_k,Dec_k^*

Note that Dec_k^* will not allowed to query decryption of a functioning ciphertext.

Theorem: Our mms private key encryption scheme is CPA, CCA1 secure.

Have a PRF family \{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}

Gen(1^n) outputs k\in\{0,1\}^n and samples f_k from the PRF family.

Enc_k(m) samples r\in\{0,1\}^n and outputs (r,f_k(r)\oplus m). For multi-message security, we need to encrypt m_1,\cdots,m_q at once.

Dec_k(r,c) outputs f_k(r)\oplus c.

Familiar Theme:

  • Show the R.F. version is secure.
    • F\gets RF_n
  • If the PRF version were insecure, then the PRF can be distinguished from a random function...

IND_b^{O_1,O_2}(\Pi,\mathcal{A},n), F\gets RF_n

  • Enc queries (m_1,(r_1,m_1\oplus F_k(r_1))),\cdots,(m_{q_1},(r_{q_1},m_{q_1}\oplus F_k(r_{q_1})))
  • Dec queries (s_1,c_1),\cdots,(s_{q_2},c_{q_2}), where m_i=c_i-F_k(s_i)
  • m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n), Enc_F(m_b)=(R,M_b+F(R))
  • Query round similar to above.

As long as R was never seen in querying rounds, P[\mathcal{A} \text{ guesses correctly}]=1/2.

P[R\text{ was seen before}]\leq \frac{p(n)}{2^n} (by the total number of queries in all rounds.)