202 lines
6.0 KiB
Markdown
202 lines
6.0 KiB
Markdown
# CSE442T Lecture 22
|
|
|
|
## Chapter 7: Composability
|
|
|
|
So far we've sought security against
|
|
|
|
$$
|
|
c\gets Enc_k(m)
|
|
$$
|
|
|
|
Adversary knows $c$, but nothing else.
|
|
|
|
### Attack models
|
|
|
|
#### Known plaintext attack (KPA)
|
|
|
|
Adversary has seen $(m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q))$.
|
|
|
|
$m_1,\cdots,m_q$ are known to the adversary.
|
|
|
|
Given new $c=Enc_k(m)$, is previous knowledge helpful?
|
|
|
|
#### Chosen plaintext attack (CPA)
|
|
|
|
Adversary can choose $m_1,\cdots,m_q$ and obtain $Enc_k(m_1),\cdots,Enc_k(m_q)$.
|
|
|
|
Then adversary see new encryption $c=Enc_k(m)$. with the same key.
|
|
|
|
Example:
|
|
|
|
In WWII, Japan planned to attack "AF", but US suspected it means Midway.
|
|
|
|
So US use Axis: $Enc_k(AF)$ and ran out of supplies.
|
|
|
|
Then US know Japan will attack Midway.
|
|
|
|
#### Chosen ciphertext attack (CCA)
|
|
|
|
Adversary can choose $c_1,\cdots,c_q$ and obtain $Dec_k(c_1),\cdots,Dec_k(c_q)$.
|
|
|
|
|
|
#### Definition 168.1 (Secure private key encryption against attacks)
|
|
|
|
Capture these ideas with the adversary having oracle access.
|
|
|
|
Let $\Pi=(Gen,Enc,Dec)$ be a private key encryption scheme. Let a random variable $IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)$ where $\mathcal{A}$ is an n.u.p.p.t. The security parameter is $n\in \mathbb{N}$, $b\in\{0,1\}$ denoting the real scheme or the adversary's challenge.
|
|
|
|
The experiment is the following:
|
|
|
|
- Key $k\gets Gen(1^n)$
|
|
- Adversary $\mathcal{A}^{O_1(k)}(1^n)$ queries oracle $O_1$
|
|
- $m_0,m_1\gets \mathcal{A}^{O_1(k)}(1^n)$
|
|
- $c\gets Enc_k(m_b)$
|
|
- $\mathcal{A}^{O_2(c)}(1^n,c)$ queries oracle $O_2$ to distinguish $c$ is encryption of $m_0$ or $m_1$
|
|
- $\mathcal{A}$ outputs bit $b'$ which is either zero or one
|
|
|
|
$\Pi$ is CPA/CCA1/CCA2 secure if for all PPT adversaries $\mathcal{A}$,
|
|
|
|
$$
|
|
\{IND_0^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n\approx\{IND_1^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n
|
|
$$
|
|
|
|
where $\approx$ is statistical indistinguishability.
|
|
|
|
|Security|$O_1$|$O_2$|
|
|
|:---:|:---:|:---:|
|
|
|CPA|$Enc_k$|$Enc_k$|
|
|
|CCA1|$Enc_k,Dec_k$|$Enc_k$|
|
|
|CCA2 (or full CCA)|$Enc_k,Dec_k$|$Enc_k,Dec_k^*$|
|
|
|
|
Note that $Dec_k^*$ will not allowed to query decryption of a functioning ciphertext.
|
|
|
|
You can imagine the experiment is a class as follows:
|
|
|
|
```python
|
|
n = 1024
|
|
|
|
@lru_cache(None)
|
|
def oracle_1(m,key,**kwargs):
|
|
"""
|
|
Query oracle 1
|
|
"""
|
|
pass
|
|
|
|
@lru_cache(None)
|
|
def oracle_2(c,key,**kwargs):
|
|
"""
|
|
Query oracle 2
|
|
"""
|
|
pass
|
|
|
|
class Experiment:
|
|
def __init__(self, key, oracle_1, oracle_2):
|
|
self.key = key
|
|
self.oracle_1 = oracle_1
|
|
self.oracle_2 = oracle_2
|
|
|
|
def sufficient_trial(self):
|
|
pass
|
|
|
|
def generate_test_message(self):
|
|
pass
|
|
|
|
def set_challenge(self, c):
|
|
self.challenge = c
|
|
|
|
def query_1(self):
|
|
while not self.sufficient_trial():
|
|
self.oracle_1(m,self.key,**kwargs)
|
|
|
|
def challenge(self):
|
|
"""
|
|
Return m_0, m_1 for challenge
|
|
"""
|
|
m_0, m_1 = self.generate_test_message()
|
|
self.m_0 = m_0
|
|
self.m_1 = m_1
|
|
return m_0, m_1
|
|
|
|
def query_2(self, c):
|
|
while not self.sufficient_trial():
|
|
self.oracle_2(c,self.key,**kwargs)
|
|
|
|
def output(self):
|
|
return 0 if self.challenge==m_0 else 1
|
|
|
|
if __name__ == "__main__":
|
|
key = random.randint(0, 2**n)
|
|
exp = Experiment(key, oracle_1, oracle_2)
|
|
exp.query_1()
|
|
m_0, m_1 = exp.challenge()
|
|
choice = random.choice([m_0, m_1])
|
|
exp.set_challenge(choice)
|
|
exp.query_2()
|
|
b_prime = exp.output()
|
|
print(f"b'={b_prime}, b={choice==m_0}")
|
|
```
|
|
|
|
#### Theorem: Our mms private key encryption scheme is CPA, CCA1 secure.
|
|
|
|
Have a PRF family $\{f_k\}:\{0,1\}^{|k|}\to\{0,1\}^{|k|}$
|
|
|
|
$Gen(1^n)$ outputs $k\in\{0,1\}^n$ and samples $f_k$ from the PRF family.
|
|
|
|
$Enc_k(m)$ samples $r\in\{0,1\}^n$ and outputs $(r,f_k(r)\oplus m)$. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
|
|
|
|
$Dec_k(r,c)$ outputs $f_k(r)\oplus c$.
|
|
|
|
Familiar Theme:
|
|
|
|
- Show the R.F. version is secure.
|
|
- $F\gets RF_n$
|
|
- If the PRF version were insecure, then the PRF can be distinguished from a random function...
|
|
|
|
$IND_b^{O_1,O_2}(\Pi,\mathcal{A},n), F\gets RF_n$
|
|
|
|
- $Enc$ queries $(m_1,(r_1,m_1\oplus F_k(r_1))),\cdots,(m_{q_1},(r_{q_1},m_{q_1}\oplus F_k(r_{q_1})))$
|
|
- $Dec$ queries $(s_1,c_1),\cdots,(s_{q_2},c_{q_2})$, where $m_i=c_i-F_k(s_i)$
|
|
- $m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n)$, $Enc_F(m_b)=(R,M_b+F(R))$
|
|
- Query round similar to above.
|
|
|
|
As long as $R$ was never seen in querying rounds, $P[\mathcal{A} \text{ guesses correctly}]=1/2$.
|
|
|
|
$P[R\text{ was seen before}]\leq \frac{p(n)}{2^n}$ (by the total number of queries in all rounds.)
|
|
|
|
**This encryption scheme is not CCA2 secure.**
|
|
|
|
After round 1, $O^n,1^n\gets \mathcal{A}^{O_1(k)}(1^n)$,
|
|
|
|
$(r,m+F(r))=(r,c)$ in round 2.
|
|
|
|
Query $Dec_F(r,c+0\ldots 01)=0\ldots 01 \text{ or } 1\ldots 10$.
|
|
|
|
$c+0\ldots 01-F(r)=M+0\ldots 01$
|
|
|
|
### Encrypt then authenticate
|
|
|
|
Have a PRF family $\{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}$
|
|
|
|
$Gen(1^n)$ outputs $k_1,k_2\in\{0,1\}^n$ and samples $f_k$ from the PRF family.
|
|
|
|
$Enc_{k_1,k_2}(m)$ samples $r\in\{0,1\}^n$ and let $c_1=f_{k_1}(r)\oplus m$ and $c_2=f_{k_2}(c_1)$. Then we output $(r,c_1,c_2)$. where $c_1$ is the encryption, and $c_2$ is the tag. For multi-message security, we need to encrypt $m_1,\cdots,m_q$ at once.
|
|
|
|
$Dec_{k_1,k_2}(r,c_1,c_2)$ checks if $c_2=f_{k_2}(c_1)$. If so, output $c_1-f_{k_1}(r)$. Otherwise, output $\bot$.
|
|
|
|
Show that this scheme is CPA secure.
|
|
|
|
1. Show that the modifier version $\Pi'^{RF}$ where $f_{k_2}$ is replaced with a random function is CCA2 secure.
|
|
2. If ours isn't, then PRF detector can be created.
|
|
|
|
Suppose $\Pi^RF$ is not secure, then $\exists \mathcal{A}$ which can distinguish $IND_i^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$ with non-negligible probability. We will use this to construct $B$ which breaks the CPA security of $\Pi$.
|
|
|
|
Let $B$ be the PPT algorithm that on input $1^n$, does the following:
|
|
|
|
- Run $\mathcal{A}^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)$
|
|
- Let $m_0,m_1$ be the messages that $\mathcal{A}$ asked for in the second round.
|
|
- Choose $b\in\{0,1\}$ uniformly at random.
|
|
- Query $Enc_{k_1,k_2}(m_b)$ to the oracle.
|
|
- Let $c$ be the challenge ciphertext.
|
|
- Return whatever $\mathcal{A}$ outputs.
|
|
|