AuthenticatedAuthenticatedEncryptionEncryption

Jeremy, Paul, Ken, and MikeJeremy, Paul, Ken, and Mike

ObjectivesObjectives

Examine three methods of authenticatedExamine three methods of authenticatedencryption and determine the best solutionencryption and determine the best solutionconsidering performance and securityconsidering performance and security

Basic ComponentsBasic Components

MessageMessageAuthenticationAuthentication

CodeCode

SymmetricSymmetricEncryptionEncryption

+

Both of these components are used as black boxesBoth of these components are used as black boxes

Generic CompositionGeneric Composition

Note:Note: We separate the taggingWe separate the tagging

and verificationand verificationalgorithmalgorithm

key the-k

key theoflength parameter,security -

algorithm generationkey randomized -K

algorithm verifing tag- V

algorithm tagging- T

schemetion authentica Message -MA

Algorithm Decryption - D

algorithm encryption - E

scheme encryption Symmetric -

κ

SE

Basic ComponentsBasic Components

Message Authentication Code (MAC)Message Authentication Code (MAC) Integrity / AuthenticityIntegrity / Authenticity

Integrity of Plaintext (INT-PTXT)Integrity of Plaintext (INT-PTXT) Integrity of Integrity of Ciphertext Ciphertext (INT-CTXT)(INT-CTXT)

Symmetric EncryptionSymmetric EncryptionPrivacyPrivacy

IndistinguishabilityIndistinguishabilityChosen-plaintext attack (IND-CPA)Chosen-plaintext attack (IND-CPA)Chosen-Chosen-ciphertext ciphertext attack (IND-CCA)attack (IND-CCA)

Non-malleabilityNon-malleabilityChosen-plaintext attack (NM-CPA)Chosen-plaintext attack (NM-CPA)Chosen-Chosen-ciphertext ciphertext attack (NM-CPA)attack (NM-CPA)

IntegrityIntegrity

Integrity of Plaintext (INT-PTXT)Integrity of Plaintext (INT-PTXT) Computationally infeasible to produce aComputationally infeasible to produce a

ciphertext ciphertext decrypting to a message which thedecrypting to a message which thesender has never encryptedsender has never encrypted

Integrity of Integrity of Ciphertext Ciphertext (INT-CTXT)(INT-CTXT) Computationally infeasible to produce aComputationally infeasible to produce a

ciphertext ciphertext not previously produced by thenot previously produced by thesender, regardless of whether or not thesender, regardless of whether or not theunderlying plaintext is underlying plaintext is ““newnew””

Integrity of symmetricIntegrity of symmetricencryption schemedencryption schemed

Algorithm D*K(C)

If DK(C) ≠ ⊥, then return 1 Else return 0

Verification algorithmor

Verification oracle

SE = (E, K, D)

E – Encryption Algorithm

K– Randomized key generation algorithm

D – Decryption Algorithm

Integrity of AuthenticatedIntegrity of Authenticatedencryption schemeencryption scheme

The scheme SE is said to be INT-PTXT if theThe scheme SE is said to be INT-PTXT if thefunction function (the advantage of (the advantage of AAptxtptxt) is) isvery small for any adversary whose time-very small for any adversary whose time-complexity is polynomial in k.complexity is polynomial in k.

Likewise, the scheme SE is said to be INT-CTXTLikewise, the scheme SE is said to be INT-CTXTif the function (the advantage of if the function (the advantage of AActxtctxt))is very small for any adversary whose time-is very small for any adversary whose time-complexity is polynomial in k.complexity is polynomial in k.

)(int, ⋅−ctxtASE ctxt

Adv

)(int, ⋅− ptxtASE ptxt

Adv

0return else 1return then

)(E query to anever was)( M -

and 1, returns )(-

such that )( oracle the

toCquery a makes )( If

)(

)( Experiment

K

*

*

)(),(

int,

*

⋅

⋅

Κ←⋅⋅Ε

−

CDdef

CD

D

A

K

kExp

K

Dptxt

R

ptxtASE

K

K

K

ptxt

κ

κ

0return else 1return then

)(E toresponse anever was -

and 1, returns )(-

such that )( oracle the

toCquery a makes )( If

)(

)( Experiment

K

*

*

)(),(

int,

*

⋅

⋅

Κ←⋅⋅Ε

−

C

CD

D

A

K

kExp

K

K

K

ctxt

Dctxt

R

ctxtASE

κ

κ

]1)(Pr[)(

]1)(Pr[)(

int,

int,

int,

int,

==

==

−−

−−

kExpkAdv

kExpkAdv

ctxtASE

ctxtASE

ptxtASE

ptxtASE

ctxtctxt

ptxtptxt

)}({max),,,,,(

)}({max),,,,,(

int,

int

int,

int

kAdvqqtkAdv

kAdvqqtkAdv

ctxtASE

Adede

ctxtSE

ptxtASE

Adede

ptxtSE

ctxtctxt

ptxtptxt

−−

−−

=

=

µµ

µµ

Advantages of the adversaries

Advantages of the scheme

Integrity of AuthenticatedIntegrity of Authenticatedencryption schemeencryption scheme

IndistinguishabilityIndistinguishability

Indistinguishability Indistinguishability of Chosen Plaintextof Chosen PlaintextAttack (IND-CPA)Attack (IND-CPA)

Indistinguishability Indistinguishability of Chosen of Chosen CiphertextCiphertextAttack (IND-CCA)Attack (IND-CCA)

If MIf M00 and M and M11 are encrypted, a are encrypted, a ‘‘reasonablereasonable’’adversary should not be able to determineadversary should not be able to determinewhich message is sent.which message is sent.

Left-or-rightLeft-or-right

ΣΣKK((LRLR(.,.,b)), where b {0, 1}, to take input (M(.,.,b)), where b {0, 1}, to take input (M00,,MM11) |M) |M00| = |M| = |M11||

if b = 0if b = 0C C ΣΣKK(M(M00))

return Creturn C

elseelseC C ΣΣKK(M(M11))

return Creturn C As was mentioned from AdamAs was mentioned from Adam’’s lecture, we consider thes lecture, we consider the

encryption scheme to be encryption scheme to be ““goodgood”” if a if a ““reasonablereasonable”” adversary adversarycannot obtain cannot obtain ““significantsignificant”” advantage in distinguishing the cases advantage in distinguishing the casesb = 0 and b = 1 given access to the left-or-right oracle.b = 0 and b = 1 given access to the left-or-right oracle.

Non-malleabilityNon-malleability

Prevents the generation of aPrevents the generation of a ciphertext ciphertext whosewhoseplaintexts are meaningfulplaintexts are meaningful

Requires that an attacker given a challengeRequires that an attacker given a challengeciphertext ciphertext be unable to modify it into another,be unable to modify it into another,different different ciphertext ciphertext in such a way that thein such a way that theplaintexts underlying the two plaintexts underlying the two ciphertexts ciphertexts areare““meaningful relatedmeaningful related”” to each other. to each other.

i.e.i.e. Ptxt1: send a check of $100.00Ptxt1: send a check of $100.00 Ptxt2: send a check of $1000.00Ptxt2: send a check of $1000.00

Non-malleability - FormallyNon-malleability - Formally

x

),,(

)(

)(),(

)(

)(Exp Experiment

2

1

cpa

))(.,.,(

A SE,

return

scpAx

cDp

kAsc

Kk

b

cpa

k

bLREcpa

R

bcpanm

k

←

←

←

←

−−

κ

x

),,(

)(

)(),(

)(

)(Exp Experiment

2

1

cca

))(.,.,(

A SE,

return

scpAx

cDp

kAsc

Kk

b

cca

k

bLREcca

R

bccanm

k

←

←

←

←

−−

κ

]1)(Pr[]1)(Pr[)(

]1)(Pr[]1)(Pr[)(

0,

1,,

0,

1,,

=−==

=−==

−−−−−

−−−−−

kExpkExpkAdv

kExpkExpkAdv

ccanmASE

ccanmASE

cpanmASE

cpanmASE

cpanmASE

cpanmASE

ccaccacca

cpacpacpa

)}({max),,,(

)}({max),,,(

,

,

kAdvqtkAdv

kAdvqtkAdv

ccanmASE

Aee

ccanmSE

cpanmASE

Aee

cpanmSE

ccacca

cpacpa

−−

−−

=

=

µ

µ

oracles 2 ),,(

oracle 1 ),,(

1} {0,b

D) E, (K, SE

21

21

ccaccacca

cpacpacpa

AAA

AAA

N

=

=

∈

∈

=

κ

If negligible, NM-CPA Secure

If negligible, NM-CCA Secure

UnforgeabilityUnforgeability

Weak Weak Unforgeability Unforgeability against Chosenagainst ChosenMessage Attacks (WUF-CMA)Message Attacks (WUF-CMA) Adversary Adversary FF can can’’t create a new message andt create a new message and

tagtag

Strong Strong Unforgeabililty Unforgeabililty against Chosenagainst ChosenMessage Attacks (SUF-CMA)Message Attacks (SUF-CMA) Adversary Adversary FF can can’’t create a new tag for ant create a new tag for an

existing messageexisting message

DifficultiesDifficulties

The notions of authenticity are byThe notions of authenticity are bythemselves quite disjoint from the notionsthemselves quite disjoint from the notionsof privacyof privacy i.e. Sending the message in the clear with ani.e. Sending the message in the clear with an

accompanying (strong) MAC achieves INT-accompanying (strong) MAC achieves INT-CTXT but no kind of privacyCTXT but no kind of privacy

Relations among notions ofRelations among notions ofsymmetric encryptionsymmetric encryption

INT-CTXT ^ IND-CPAINT-CTXT ^ IND-CPA IND-CCAIND-CCA

INT-PTXT ^ IND-CPAINT-PTXT ^ IND-CPA IND-CPAIND-CPA NM-CCANM-CCA

NM-CPANM-CPA

Relations among notions of symmetricRelations among notions of symmetricencryptionencryption

Theorem 3.1Theorem 3.1

A A –– adversary mounting an attack against integrity of plaintexts of SE adversary mounting an attack against integrity of plaintexts of SE AA’’ –– adversary mounting an attack against integrity of adversary mounting an attack against integrity of ciphertexts ciphertexts of SEof SE AA’’ = A = A

PTXTINTCTXTINT −→−

query winning theis - C

A(C)return

(k)A' Adversary

It is initiative that if an adversary violates integrity of plaintextsof a scheme SE = (K,E,D) also violates integrity of ciphertextsof the same scheme

),,,,,(),,,,,( intintdede

ctxtSEdede

ptxtSE qqtkAdvqqtkAdv µµµµ −− ≤

)()( int',

int, kAdvkAdv ctxt

ASEptxtASE

−− ≤

Proposition 3.3Proposition 3.3

IND-CCA IND-CCA INT-PTXTINT-PTXT

Given a symmetric encryption scheme Given a symmetric encryption scheme SESEwhich is IND-CCA secure, we canwhich is IND-CCA secure, we canconstruct a symmetric encryption schemeconstruct a symmetric encryption schemeSESE which is also IND-CCA secure but is which is also IND-CCA secure but isnotnot INT-PTXT secure INT-PTXT secure

IND-CCA INT-PTXTIND-CCA INT-PTXT

CReturn C'||0 C

)(k

EC'

)(E Algorithm

←

← M

Mk

0return Else

Mreturn );'(D M then 0 b if

)(k

Ebit a is b whereC'||b as C Parse

)(D Algorithm

Ck

M

Ck

←=

←

•Let SE = (K, E, D)

•We define a such that is IND-CCA secure but is not INT-PTXT secure

•Basically a certain known string (or strings) will be viewed by asvalid and decrypted to certain known messages, so that forgery is easy

•However these ‘ciphertexts’ will never be produced by the encryptionalgorithm, so privacy will not be affected

SE SE

D

),,( DEKSE =

IND-CCA INT-PTXTIND-CCA INT-PTXTAttackAttack

Query 10 is a validQuery 10 is a validciphertextciphertext

It decrypts to a It decrypts to a msg msg (0)(0)that the adversarythat the adversarynever queried of itsnever queried of itsoracleoracle

0)10(D

)(D oracle to10query Submit

)(AAdversary

*

*

)(,)(E

k

k

K

=

•••

⋅

⋅⋅ kkD

10 1010

(little Endian, LSB 1st)

1)(int, =− kAdv ptxtASE

A makes zero queries to and one query to totaling 2 bits, and Is Certainly poly(k)-time

)(EK ⋅ )(DK ⋅

IND-CCA INT-PTXTIND-CCA INT-PTXTIND-CCA SecureIND-CCA Secure

It is easy for B to break the scheme if A canIt is easy for B to break the scheme if A can0 A Else

)(D A then 0 b if

bit a is b where||b as C Parse

do oracle decryption its toCquery a makesA when

)),,M((E||0A

do oracle encryptionright -or-left its to,Mquery a makesA when

do 1,....q ifor

)(BAdversary

'k

i'

i

i

1,i,0k

1,i,0

e

)()),(.,.,(Ek

⇐

⇐=

⇐

+=

⋅

i

i

i

i

d

DbLR

C

C

bMLR

M

q

kk

To prove that is IND-CCA secure, it sufficesTo prove that is IND-CCA secure, it suffices(enough) to associate with any poly(k)-time(enough) to associate with any poly(k)-timeadversary B attacking SE in the IND-CCAadversary B attacking SE in the IND-CCAsense such thatsense such that

SE

B simulates A andUses its oracles toAnswer A’s oraclequeries

)()( ,,kAdvkAdv ccaind

BSEccaindASE

−− ≤

Other RelationsOther Relations

Theorem 3.2Theorem 3.2 INT-CTXT ^ IND-CPA INT-CTXT ^ IND-CPA IND-CCA IND-CCA

Proposition 3.4Proposition 3.4 INT-PTXT ^ IND-CPA (does not) INT-PTXT ^ IND-CPA (does not) NM-CPANM-CPA

Security of the CompositeSecurity of the CompositeSchemesSchemes

SecureSecureProven to meet the security requirement, assumingProven to meet the security requirement, assumingcomponent encryption scheme meets IND-CPA andcomponent encryption scheme meets IND-CPA andmessage authentication scheme is message authentication scheme is unforgeable unforgeable underunderCMACMA

InsecureInsecureSomeSome IND-CPA secure symmetric encryption and IND-CPA secure symmetric encryption andsome message authentication scheme some message authentication scheme unforgeableunforgeableunder CMA exist that doesnunder CMA exist that doesn’’t meet the securityt meet the securityrequirementrequirement

Generic CompositionGeneric Composition

Using both functions as black boxesUsing both functions as black boxes

MACMAC SymmetricSymmetricEncryptionEncryption

Encrypt-and-MACEncrypt-and-MAC

MAC (M)MAC (M)Encrypt (M)Encrypt (M) IIIIC =C =

Encrypt-and-MAC SecurityEncrypt-and-MAC Security

InsecureInsecureInsecureInsecureINT-CTXTINT-CTXT

SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity

InsecureInsecureInsecureInsecureNM-CPANM-CPA

InsecureInsecureInsecureInsecureIND-CCAIND-CCA

InsecureInsecureInsecureInsecureIND-CPAIND-CPA

PrivacyPrivacy

Strong MACStrong MACWeak MACWeak MACSecuritySecurity

Encrypt (M Encrypt (M ) )

MAC-then-EncryptMAC-then-Encrypt

MAC (M)MAC (M)C =C = IIII

MAC-then-Encrypt SecurityMAC-then-Encrypt Security

InsecureInsecureInsecureInsecureINT-CTXTINT-CTXT

SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity

InsecureInsecureInsecureInsecureNM-CPANM-CPA

InsecureInsecureInsecureInsecureIND-CCAIND-CCA

SecureSecureSecureSecureIND-CPAIND-CPA

PrivacyPrivacy

Strong MACStrong MACWeak MACWeak MACSecuritySecurity

Encrypt-then-MACEncrypt-then-MAC

MAC ( )MAC ( )Encrypt (M)Encrypt (M)Encrypt (M)Encrypt (M) IIIIC =C =

Encrypt-then-MAC SecurityEncrypt-then-MAC Security

SecureSecureInsecureInsecureINT-CTXTINT-CTXT

SecureSecureSecureSecureINT-PTXTINT-PTXTIntegrityIntegrity

SecureSecureInsecureInsecureNM-CPANM-CPA

SecureSecureInsecureInsecureIND-CCAIND-CCA

SecureSecureSecureSecureIND-CPAIND-CPA

PrivacyPrivacy

Strong MACStrong MACWeak MACWeak MACSecuritySecurity

Summary of MethodsSummary of Methods

SecureSecureSecureSecureSecureSecureSecureSecureSecureSecureEncrypt-then-MACEncrypt-then-MAC

InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureMAC-then-EncryptMAC-then-Encrypt

InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureInsecureInsecureEncrypt-and-MACEncrypt-and-MAC

INT-CTXTINT-CTXTINT-PTXTINT-PTXTNM-CPANM-CPAIND-CCAIND-CCAIND-CPAIND-CPA

IntegrityIntegrityPrivacyPrivacyCompositionCompositionMethodMethod

InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureEncrypt-then-MACEncrypt-then-MAC

InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureSecureSecureMAC-then-EncryptMAC-then-Encrypt

InsecureInsecureSecureSecureInsecureInsecureInsecureInsecureInsecureInsecureEncrypt-and-MACEncrypt-and-MAC

INT-CTXTINT-CTXTINT-PTXTINT-PTXTNM-CPANM-CPAIND-CCAIND-CCAIND-CPAIND-CPA

IntegrityIntegrityPrivacyPrivacyCompositionCompositionMethodMethod

Weakly Weakly Unforgeable Unforgeable

Strongly Strongly Unforgeable Unforgeable

Theorem 4.7Theorem 4.7

Encrypt-then-MAC method is IND-CPAEncrypt-then-MAC method is IND-CPAand INT-PTXTand INT-PTXT

SE be a symmetric schemeSE be a symmetric scheme

MA be message authentication schemeMA be message authentication scheme

),,,,,(),,,,,(

),,,(),,,(int

dedecmawuf

MAdedeptxt

SE

cpaindSE

cpaindSE

qqtkAdvqqtkAdv

qtkAdvqtkAdv

µµµµ

µµ−−

−−

≤

≤

Theorem 4.7 - IND-CPATheorem 4.7 - IND-CPA

b'Return

b'A

||);());,,M((C

do oracle encryption ),(Mquery a makesA When

do q1,...., iFor

)(k

)(A

1,o i,i

1,o i,

m

))(.,.,(EKe

p

⇒

⇐Τ←←

−−

=

←

iiiKiiK

i

mR

bLR

CACbMLRE

rightorleftitstoM

K

Adversary

meττ

κ

κ

),,,()( , µqtkAdvkAdv cpaindASE

cpaindSE p

−− ≤

Theorem 4.7 - INT-PTXTTheorem 4.7 - INT-PTXT

iiiKiii

ii

KiK

eR

V

vACVvC

CACE

K

Adversary

mii

iime

mKmK

⇐←

⇐Τ←←

+=

←

⋅Τ

);,(;|| as C Parse

do oracleion verificatits toCquery a makesA When

||);();M(C

do oracle encryption its toMquery a makesA When

do qq1,...., iFor

)(k

)(F

''i

i

'ii

i

de

e

(.,.)),(

p

ττ

ττ

κ

κ

)()( ,int,

kAdvkAdv cmawufAM

ptxtASE p

−− ≤

Proposition 4.9Proposition 4.9

Encrypt-then-MAC method with a SUF-Encrypt-then-MAC method with a SUF-CMA-secure MAC is INT-CTXT, IND-CPA,CMA-secure MAC is INT-CTXT, IND-CPA,and IND-CCAand IND-CCA

)()( ,int,

kAdvkAdv cmasufFMA

ctxtASE

−− ≤

),,,(

),,,,,(2),,,,,(

),,,,,(),,,,,(

),,,(),,,(int

eecpaind

SE

deedecmasuf

MAdedeccaind

SE

deedecmasuf

MAdedectxt

SE

cpaindSE

cpaindSE

qtkAdv

lqqqtkAdvqqtkAdv

lqqqtkAdvqqtkAdv

qtkAdvqtkAdv

µ

µµµµ

µµµµ

µµ

−

−−

−−

−−

+

+×≤

+≤

≤

Conclusion Conclusion

Encrypt-then-MAC provides the most secureEncrypt-then-MAC provides the most securesolution for authenticated encryptionsolution for authenticated encryption

CBC CBC –– Cipher Block Chain Cipher Block Chain

•If IV is different then instances of samemsg (or block) will be encrypted differently

•If K’th cipher block Ck gets corrupted intransmission – only blocks Pk and Pk+1 areaffected

•This can also allow some msgtampering

•If one plaintext block Pk is changed – Allsubsequent ciphertext blocks will beaffected

•This leads to an effective MAC

ECB ECB –– Electronic Code Electronic CodeBookBook

If the same key is used then identical plaintext blocks map toidentical ciphertext

Proposition 4.1Proposition 4.1

Encrypt-and MAC method is not IND-CPAEncrypt-and MAC method is not IND-CPA

Proposition 4.2Proposition 4.2

Encrypt-and MAC method is IND-CPAEncrypt-and MAC method is IND-CPAinsecure for any deterministic MAC)insecure for any deterministic MAC)

Theorem 4.3Theorem 4.3

Encrypt-and-MAC is INT-PTXT secureEncrypt-and-MAC is INT-PTXT secure

Proposition 4.4Proposition 4.4

Encrypt-and-MAC method is not INT-Encrypt-and-MAC method is not INT-CTXT secureCTXT secure

Theorem 4.5Theorem 4.5

MAC-then-encrypt method is both INT-MAC-then-encrypt method is both INT-PTXT an IND-CPA securePTXT an IND-CPA secure

Proposition 4.6Proposition 4.6

MAC-then-encrypt method is not NM-CPAMAC-then-encrypt method is not NM-CPAsecuresecure

Proposition 4.8Proposition 4.8

Encrypt-then-MAC method with a WUF-Encrypt-then-MAC method with a WUF-CMA-secure MAC is not NM-CPA secureCMA-secure MAC is not NM-CPA secure