NoteNextra-origin/content/CSE442T/CSE442T_L22.md

CSE442T Introduction to Cryptography (Lecture 22)

Chapter 7: Composability

So far we've sought security against

c\gets Enc_k(m)

Adversary knows c, but nothing else.

Attack models

Known plaintext attack (KPA)

Adversary has seen (m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q)).

m_1,\cdots,m_q are known to the adversary.

Given new c=Enc_k(m), is previous knowledge helpful?

Chosen plaintext attack (CPA)

Adversary can choose m_1,\cdots,m_q and obtain Enc_k(m_1),\cdots,Enc_k(m_q).

Then adversary see new encryption c=Enc_k(m). with the same key.

Example:

In WWII, Japan planned to attack "AF", but US suspected it means Midway.

So US use Axis: Enc_k(AF) and ran out of supplies.

Then US know Japan will attack Midway.

Chosen ciphertext attack (CCA)

Adversary can choose c_1,\cdots,c_q and obtain Dec_k(c_1),\cdots,Dec_k(c_q).

Definition 168.1 (Secure private key encryption against attacks)

Capture these ideas with the adversary having oracle access.

Let \Pi=(Gen,Enc,Dec) be a private key encryption scheme. Let a random variable IND_b^{O_1,O_2}(\Pi,\mathcal{A},n) where \mathcal{A} is an n.u.p.p.t. The security parameter is n\in \mathbb{N}, b\in\{0,1\} denoting the real scheme or the adversary's challenge.

The experiment is the following:

• Key k\gets Gen(1^n)
• Adversary \mathcal{A}^{O_1(k)}(1^n) queries oracle O_1
• m_0,m_1\gets \mathcal{A}^{O_1(k)}(1^n)
• c\gets Enc_k(m_b)
• \mathcal{A}^{O_2(c)}(1^n,c) queries oracle O_2 to distinguish c is encryption of m_0 or m_1
• \mathcal{A} outputs bit b' which is either zero or one

\Pi is CPA/CCA1/CCA2 secure if for all PPT adversaries \mathcal{A},

\{IND_0^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n\approx\{IND_1^{O_1,O_2}(\Pi,\mathcal{A},n)\}_n

where \approx is statistical indistinguishability.

Security	O_1	O_2
CPA	Enc_k	Enc_k
CCA1	Enc_k,Dec_k	Enc_k
CCA2 (or full CCA)	Enc_k,Dec_k	Enc_k,Dec_k^*

Note that Dec_k^* will not allowed to query decryption of a functioning ciphertext.

You can imagine the experiment is a class as follows:

n = 1024

@lru_cache(None)
def oracle_1(m,key,**kwargs):
    """
    Query oracle 1
    """
    pass

@lru_cache(None)
def oracle_2(c,key,**kwargs):
    """
    Query oracle 2
    """
    pass

class Experiment:
    def __init__(self, key, oracle_1, oracle_2):
        self.key = key
        self.oracle_1 = oracle_1
        self.oracle_2 = oracle_2

    def sufficient_trial(self):
        pass

    def generate_test_message(self):
        pass

    def set_challenge(self, c):
        self.challenge = c

    def query_1(self):
        while not self.sufficient_trial():
            self.oracle_1(m,self.key,**kwargs)

    def challenge(self):
        """
        Return m_0, m_1 for challenge
        """
        m_0, m_1 = self.generate_test_message()
        self.m_0 = m_0
        self.m_1 = m_1
        return m_0, m_1

    def query_2(self, c):
        while not self.sufficient_trial():
            self.oracle_2(c,self.key,**kwargs)

    def output(self):
        return 0 if self.challenge==m_0 else 1

if __name__ == "__main__":
    key =  random.randint(0, 2**n)
    exp = Experiment(key, oracle_1, oracle_2)
    exp.query_1()
    m_0, m_1 = exp.challenge()
    choice = random.choice([m_0, m_1])
    exp.set_challenge(choice)
    exp.query_2()
    b_prime = exp.output()
    print(f"b'={b_prime}, b={choice==m_0}")

Theorem: Our mms private key encryption scheme is CPA, CCA1 secure.

Have a PRF family \{f_k\}:\{0,1\}^{|k|}\to\{0,1\}^{|k|}

Gen(1^n) outputs k\in\{0,1\}^n and samples f_k from the PRF family.

Enc_k(m) samples r\in\{0,1\}^n and outputs (r,f_k(r)\oplus m). For multi-message security, we need to encrypt m_1,\cdots,m_q at once.

Dec_k(r,c) outputs f_k(r)\oplus c.

Familiar Theme:

• Show the R.F. version is secure.
  • F\gets RF_n
• If the PRF version were insecure, then the PRF can be distinguished from a random function...

IND_b^{O_1,O_2}(\Pi,\mathcal{A},n), F\gets RF_n

• Enc queries (m_1,(r_1,m_1\oplus F_k(r_1))),\cdots,(m_{q_1},(r_{q_1},m_{q_1}\oplus F_k(r_{q_1})))
• Dec queries (s_1,c_1),\cdots,(s_{q_2},c_{q_2}), where m_i=c_i-F_k(s_i)
• m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n), Enc_F(m_b)=(R,M_b+F(R))
• Query round similar to above.

As long as R was never seen in querying rounds, P[\mathcal{A} \text{ guesses correctly}]=1/2.

P[R\text{ was seen before}]\leq \frac{p(n)}{2^n} (by the total number of queries in all rounds.)

This encryption scheme is not CCA2 secure.

After round 1, O^n,1^n\gets \mathcal{A}^{O_1(k)}(1^n),

(r,m+F(r))=(r,c) in round 2.

Query Dec_F(r,c+0\ldots 01)=0\ldots 01 \text{ or } 1\ldots 10.

c+0\ldots 01-F(r)=M+0\ldots 01

Encrypt then authenticate

Have a PRF family \{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}

Gen(1^n) outputs k_1,k_2\in\{0,1\}^n and samples f_k from the PRF family.

Enc_{k_1,k_2}(m) samples r\in\{0,1\}^n and let c_1=f_{k_1}(r)\oplus m and c_2=f_{k_2}(c_1). Then we output (r,c_1,c_2). where c_1 is the encryption, and c_2 is the tag. For multi-message security, we need to encrypt m_1,\cdots,m_q at once.

Dec_{k_1,k_2}(r,c_1,c_2) checks if c_2=f_{k_2}(c_1). If so, output c_1-f_{k_1}(r). Otherwise, output \bot.

Show that this scheme is CPA secure.

1. Show that the modifier version \Pi'^{RF} where f_{k_2} is replaced with a random function is CCA2 secure.
2. If ours isn't, then PRF detector can be created.

Suppose \Pi^RF is not secure, then \exists \mathcal{A} which can distinguish IND_i^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n) with non-negligible probability. We will use this to construct B which breaks the CPA security of \Pi.

Let B be the PPT algorithm that on input 1^n, does the following:

• Run \mathcal{A}^{O_1,O_2}(\Pi'^{RF},\mathcal{A},n)
• Let m_0,m_1 be the messages that \mathcal{A} asked for in the second round.
• Choose b\in\{0,1\} uniformly at random.
• Query Enc_{k_1,k_2}(m_b) to the oracle.
• Let c be the challenge ciphertext.
• Return whatever \mathcal{A} outputs.