Cryptography - PowerPoint PPT Presentation

Cryptography, Lecture 11. Stefan Dziembowski, www.dziembowski.net, stefan_at_dziembowski.net. Plan: definition of CCA-security; construction of the CCA-secure schemes in the ... (PowerPoint PPT presentation)

Slides: 54
1
Cryptography
  • Lecture 11
  • Stefan Dziembowski
  • www.dziembowski.net
  • stefan_at_dziembowski.net

2
Plan
  1. Definition of CCA-security
  2. Construction of the CCA-secure schemes
     • in the private-key settings,
     • in the public-key settings.

3
Problem
  • How to encode a message m before encrypting it
    (with RSA, for example)?

Figure (RSA with an encoding step): the sender computes x = encode(m) and z = x^e mod N; the receiver computes v = z^d mod N and m = decode(v).
4
Remember the chosen-plaintext attack?
security parameter 1^n
  1. selects random (pk,sk) ← Gen(1^n)
  2. chooses a random b ∈ {0,1}

Figure (CPA game): the adversary receives pk and may query an encryption oracle; in the challenge phase she chooses m0, m1 and sends them, receives c = Enc(pk, m_b), and has to guess b.
5
The PKCS 1 v1.5 encoding
  • We observed that encoding has to be randomized.
  • This is the encoding that we presented:

Figure (k bytes): x = 00 || 02 || r || 00 || m, where r is (k - D - 3) random bytes and m is D bytes.
6
Today's lecture
  • The PKCS 1 v1.5 encoding looks ad-hoc...
  • Today we present a more scientific encoding.
  • For this, we are going to use a stronger security
    definition.

7
Chosen Ciphertext Attack (CCA)
  • The adversary may also choose a ciphertext and
    learn the corresponding plaintext.
  • Does it make sense?
  • Aren't we too paranoid?
  • How to formalize it?

8
Aren't we too paranoid?
  • No!
  • Bleichenbacher (1998) showed a practical chosen
    ciphertext attack on the encoding proposed for the
    PKCS 1 v.2 standard.
  • see also Bleichenbacher, D., Kaliski B.,
    Staddon J., "Recent results on PKCS 1 RSA
    encryption standard", RSA Laboratories' bulletin
    7, ftp://ftp.rsasecurity.com/pub/pdfs/bulletn7.pdf
  • Why is Bleichenbacher's attack practical?
  • Because it assumes that the adversary can get
    only one bit of information about the
    plaintext...

9
PKCS 1 RSA Encryption Standard Version 2
  • public key (N,e)
  • let k = length of N in bytes.
  • let D = length of the plaintext
  • requirement: D ≤ k - 11.
  • Enc((N,e), m) = x^e mod N, where x is equal to

Figure (k bytes): x = 00 || 02 || r || 00 || m, where r is (k - D - 3) random bytes and m is D bytes.
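As an added example (not code from the lecture), here is the encoding of slide 9 in Python together with the conformance check that a decrypter performs on x = c^d mod N. The random padding bytes are drawn nonzero, which the real PKCS#1 standard requires although the slide only says "random"; the function names and the sample plaintext are my own. The decoder's `None` result is exactly the single "yes/no" bit that the following slides show an attacker exploiting, which is why a deployed decrypter must not let that distinction become observable (via error messages or timing).

```python
import secrets
from typing import Optional


def pkcs1_v15_encode(m: bytes, k: int) -> bytes:
    """Return x = 00 || 02 || r || 00 || m as a k-byte string (slide 9).

    k is the byte length of N, D = len(m) must satisfy D <= k - 11, and r is
    k - D - 3 random bytes. They are drawn nonzero (as PKCS#1 requires; the
    slide only says 'random') so that the 00 separator before m is unambiguous.
    """
    D = len(m)
    if D > k - 11:
        raise ValueError("message too long: need D <= k - 11")
    r = bytearray()
    while len(r) < k - D - 3:
        b = secrets.token_bytes(1)
        if b != b"\x00":
            r += b
    return b"\x00\x02" + bytes(r) + b"\x00" + m


def pkcs1_v15_decode(x: bytes, k: int) -> Optional[bytes]:
    """Invert the encoding; None means 'not a correct PKCS 1 encoding'.

    Each condition is one of the slide's requirements: exactly k bytes, a
    leading 00 02, a 00 separator, and at least k - D - 3 >= 8 padding bytes.
    """
    if len(x) != k or x[:2] != b"\x00\x02":
        return None
    sep = x.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        return None
    return x[sep + 1:]


if __name__ == "__main__":
    k = 128                      # |N| = 1024 bits, as on the slides
    m = b"constructed sample plaintext"
    x = pkcs1_v15_encode(m, k)
    assert len(x) == k and pkcs1_v15_decode(x, k) == m
    print("encoded block:", x.hex())
```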
10
Bleichenbachers attack the scenario
Figure: the adversary knows pk = (N,e) and a ciphertext c; the oracle holds sk = (N,d). For each query c_i (i = 1, ..., k) the oracle computes x = c_i^d mod N, checks if x is a correct PKCS 1 v2 encoding, and answers yes/no.
Goal: compute c^d mod N.
Bleichenbacher (1998): there exists a successful attack that requires k ≈ 2^20 questions for |N| = 1024.
11
So, chosen ciphertext attacks are practical!
  • In Bleichenbacher's attack the adversary could
    obtain just one bit of information.
  • Conservative approach: assume that he can get
    the entire plaintext.

12
Idea
  • Provide a security definition that covers this
    type of an attack.
  • Propose a scheme that is provably secure
    according to this definition.
  • This will lead to an encoding that is less ad-hoc
    than PKCS 1 v1.5

13
CCA - security
  • It makes sense to consider CCA-security in
    • private-key settings
    • public-key settings (more interesting)
14
Decryption oracle
  • To define the CCA-security we consider a
    decryption oracle.

Figure: the oracle holds sk; the adversary sends c1, c2, ..., ck and receives D_sk(c1), D_sk(c2), ..., D_sk(ck), where D_sk(ci) = error if ci cannot be decrypted.
15
Decryption/encryption oracle
  • Two types of queries (the oracle holds (sk,pk)):
    • Decrypt ci: the oracle returns D_sk(ci)
    • Encrypt mi: the oracle returns E_pk(mi)
  • We assume that CPA is also allowed.
16
CCA-security the game
in the private-key settings pk = sk
security parameter 1^n
  1. selects random (pk,sk) ← Gen(1^n)
  2. chooses a random b ∈ {0,1}

Figure (CCA game): the adversary receives pk (in the public-key settings) and runs a CCA-attack against the oracle; in the challenge phase she chooses m0, m1 with |m0| = |m1| and sends them, receives c = Enc(pk, m_b), runs a second CCA-attack and has to guess b. Here Eve cannot ask for decryption of c.
17
CCA-security
Alternative name: CCA-secure.
Security definition: We say that (Gen,Enc,Dec)
has indistinguishable encryptions under a
chosen-ciphertext attack (CCA) if any
randomized polynomial-time adversary guesses
b correctly with probability at most 0.5 +
ε(n), where ε is negligible.
18
CCA in practice (1/2)
  • Some actions of the receiver may depend on the
    decrypted message.
  • For example, the receiver may communicate an
    error if the message looks strange.
  • (like in Bleichenbacher's attack)

19
CCA in practice (2/2)
Figure: Alice sends Bob c = E(pk, m), where m = "Some top-secret information, Alice"; Bob, who holds (pk,sk), replies (in an encrypted way) to Alice quoting m. Eve wants to decrypt c: she sends Bob a ciphertext c', and Bob replies quoting m' = D(sk, c').
Why can't Eve just set c' = c? Because Bob would get suspicious (why does a message from Eve have Alice's name inside?).
20
CCA in the private-key settings
  • CCA-security in the private-key settings can be
    achieved by adding authentication.
  • How to combine authentication with encryption?
  • We already considered this problem some time ago.

21
Authentication and Encryption
  • Options:
    • Encrypt-and-authenticate (wrong):
      c ← Enc_k1(m) and t ← Mac_k2(m)
    • Authenticate-then-encrypt (better):
      t ← Mac_k2(m) and c ← Enc_k1(m || t)
    • Encrypt-then-authenticate (the best):
      c ← Enc_k1(m) and t ← Mac_k2(c)
22
A CCA-secure encryption scheme
  • (Gen,Enc,Dec) a CPA-secure encryption scheme
  • (Gen_MAC,Tag,Vrfy) a MAC.
  • Create a new encryption scheme (Gen',Enc',Dec')
    where
    • Gen'(1^n) = (Gen(1^n), Gen_MAC(1^n)),
    • Enc'((k0,k1),m) = (Enc(k0,m),
      Tag(k1, Enc(k0,m)))
    • Dec'((k0,k1),(c,t)) = verify the tag t on c, then decrypt c

23
Why is it secure?
  • Intuition:
  • An adversary cannot create a new valid pair
    (Enc(k0,m), Tag(k1, Enc(k0,m)))
    without knowing k1.
  • So he will always receive an error message from
    the oracle
    (unless he replays the ciphertexts that he
    already received from the oracle, but this gives
    him no extra information).

24
Is authenticate-then-encrypt secure?
  • Authenticate-then-encrypt:
    t ← Mac_k2(m) and c ← Enc_k1(m || t)
  • Not always!
  • There exist (artificial) counter-examples...

25
The first counter-example
  • Authenticate-then-encrypt:
    t ← Mac_k2(m) and c ← Enc_k1(m || t)
  • Suppose the encryption scheme adds a random bit
    B at the end of the ciphertext:

Enc_k1(m || Mac_k2(m)) || B
Then
Enc_k1(m || Mac_k2(m)) || ¬B
is a different ciphertext and the adversary is
allowed to ask the oracle to decrypt it. This
example is really artificial. There exist better
ones...
26
The second counter-example
  • Consider the following transformation
    T : {0,1}* → {0,1}*
    defined on every (x1,x2,...,xn) as
    T(x1,x2,...,xn) = (U(x1),U(x2),...,U(xn)),
    where
    • U(0) = 00
    • U(1) = 01 or 10, randomly.
  • This transformation is of course invertible.
  • Example (one possible output):

T(1 1 0 0 1) = 01 10 00 00 01
27
Remember the stream ciphers?
Figure (stream cipher): Enc(s,m) = (IV, G(IV,s) ⊕ m), where s is the key, IV a fresh random value and G(IV,s) the keystream.
28
Our new (artificial) encryption scheme
To encrypt a message m do the following:
Enc'(s,m) = (IV, G(IV,s) ⊕ T(m))
If Enc is CPA-secure then this scheme is also
CPA-secure.
29
CCA-security?
Suppose we use this encryption scheme with the
authenticate-then-encrypt method: t ← Mac_k2(m)
and c ← Enc_k1(m || t), i.e. the ciphertext is
(IV, G(IV,s) ⊕ T(m || Mac_k2(m)))
30
How does the ciphertext look?
Write the keystream G(IV,s) as pad1 || pad2, aligned with T(m) || T(Mac_k2(m)). Then the ciphertext body is
(T(m) ⊕ pad1) || (T(Mac_k2(m)) ⊕ pad2)
31
The attack
  • The adversary that wants to decrypt the first bit
    of the plaintext behind the ciphertext C1 || C2
    can modify the ciphertext by flipping its first
    two bits:
    (C1 ⊕ 1100...0) || C2
  • If the first two bits of the encoded plaintext T(m) are 01 or 10 then the
    corresponding plaintext doesn't change. If the
    first two bits are 00 then the plaintext changes
    and the tag becomes invalid!
32
The chosen-ciphertext attack (just based on the
error messages)
  • The adversary is given c and wants to learn the
    first bit of the corresponding plaintext.
  • Let c' be the ciphertext c with the first two
    bits flipped.
  • The adversary sends c' to the oracle.
  • If the oracle answers "error" then the adversary
    knows that the first bit was 0.
  • The same can be done for any other bit.

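The following Python (an added example written for this page, not code from the lecture) builds the two constructions of slides 22 and 28-31 side by side: the encrypt-then-authenticate scheme (Gen', Enc', Dec') and the artificial authenticate-then-encrypt scheme that puts the T encoding under a stream cipher. The stream cipher G(IV,s) is modelled as HMAC-SHA256 in counter mode and the MAC as HMAC-SHA256; these choices and all function names are my own assumptions. `demo()` runs the two-bit flip of slides 31-32 against a decryption oracle for both schemes on two constructed plaintexts: the authenticate-then-encrypt oracle's error/no-error answer reveals the first plaintext bit, whereas the encrypt-then-authenticate oracle rejects every modified ciphertext, so its answer carries no information at all.

```python
import hashlib
import hmac
import secrets

IV_LEN, TAG_LEN = 16, 32


def G(s: bytes, iv: bytes, n: int) -> bytes:
    """Keystream G(IV,s): HMAC-SHA256 in counter mode (assumed PRF-based PRG)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(s, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_enc(s: bytes, p: bytes) -> bytes:      # Enc(s,p) = (IV, G(IV,s) xor p)
    iv = secrets.token_bytes(IV_LEN)
    return iv + xor(G(s, iv, len(p)), p)


def stream_dec(s: bytes, c: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return xor(G(s, iv, len(body)), body)


def Mac(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def T(m: bytes) -> bytes:
    """Slide 26: each bit 0 -> 00, each bit 1 -> 01 or 10 chosen at random."""
    pairs = []
    for byte in m:
        for i in range(7, -1, -1):
            pairs.append(0b00 if (byte >> i) & 1 == 0 else secrets.choice((0b01, 0b10)))
    # four two-bit pairs per output byte; len(pairs) is a multiple of 8
    return bytes((pairs[j] << 6) | (pairs[j + 1] << 4) | (pairs[j + 2] << 2) | pairs[j + 3]
                 for j in range(0, len(pairs), 4))


def T_inv(x: bytes):
    """Inverse of T; returns None (an 'error') if some pair is the invalid 11."""
    bits = []
    for byte in x:
        for shift in (6, 4, 2, 0):
            pair = (byte >> shift) & 0b11
            if pair == 0b11:
                return None
            bits.append(0 if pair == 0b00 else 1)
    return bytes(int("".join(map(str, bits[j:j + 8])), 2) for j in range(0, len(bits), 8))


# slide 22: Enc'((k0,k1),m) = (Enc(k0,m), Tag(k1, Enc(k0,m)))
def etm_enc(k0: bytes, k1: bytes, m: bytes) -> bytes:
    c = stream_enc(k0, m)
    return c + Mac(k1, c)


def etm_dec(k0: bytes, k1: bytes, ct: bytes):
    c, t = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(Mac(k1, c), t):   # verify first, decrypt only if valid
        return None
    return stream_dec(k0, c)


# slides 28-29: authenticate-then-encrypt on top of the T-encoding stream cipher
def ate_enc(k1: bytes, k2: bytes, m: bytes) -> bytes:
    return stream_enc(k1, T(m + Mac(k2, m)))       # (IV, G(IV,s) xor T(m || Mac(m)))


def ate_dec(k1: bytes, k2: bytes, c: bytes):
    p = T_inv(stream_dec(k1, c))
    if p is None or len(p) < TAG_LEN:
        return None                                # bad encoding -> error
    m, t = p[:-TAG_LEN], p[-TAG_LEN:]
    if not hmac.compare_digest(Mac(k2, m), t):
        return None                                # bad tag -> error
    return m


def flip_first_two_bits(ct: bytes) -> bytes:
    """Slide 31: xor the first two bits after the IV with 11."""
    b = bytearray(ct)
    b[IV_LEN] ^= 0xC0
    return bytes(b)


def guess_first_bit(oracle, ct: bytes) -> int:
    """Slide 32: error => the first plaintext bit was 0, otherwise 1."""
    return 0 if oracle(flip_first_two_bits(ct)) is None else 1


def demo() -> dict:
    """Map true first bit -> (ATE oracle's guess, ETM oracle's reply to the same flip)."""
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    results = {}
    for first in (0x00, 0x80):                     # constructed sample plaintexts
        m = bytes([first]) + b" rest of the message"
        ate_guess = guess_first_bit(lambda c: ate_dec(k1, k2, c), ate_enc(k1, k2, m))
        etm_reply = etm_dec(k1, k2, flip_first_two_bits(etm_enc(k1, k2, m)))
        results[first >> 7] = (ate_guess, etm_reply)
    return results
```

`demo()` returns `{0: (0, None), 1: (1, None)}`: the authenticate-then-encrypt oracle's guess equals the true bit every time, while the encrypt-then-authenticate oracle answers "error" in both cases, which is exactly the intuition of slide 23.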
33
These examples are artificial
  • It is likely that for many normal schemes this
    combination is secure.
  • However, these examples show that the
    authenticate-then-encrypt method cannot be proven
    secure...
  • (from the standard assumptions)

34
How does it look in the public-key settings?
  • There are many constructions of a CCA-secure
    public-key encryption scheme.
  • Probably the most famous is the one of Cramer and
    Shoup
  • Ronald Cramer and Victor Shoup "A practical
    public key cryptosystem provably secure against
    adaptive chosen ciphertext attack." 1998.
  • It is based on hardness of discrete logarithm and
    is quite efficient.
  • Still, many practitioners prefer more efficient
    schemes (with a weaker security proof).

35
Plan
  • We present two CCA-secure schemes based on RSA.
  • efficient and simple,
  • even more efficient and a bit less simple.

36
First attempt
  • Idea: take the symmetric-key CCA-secure scheme
    (Enc,Dec) and use something similar to hybrid
    encryption.
  • public key (N,e), private key (N,d)
  • Enc'((N,e),m) = (r^e mod N, Enc(r,m)), where r is random
  • Dec'((N,d),(c0,c1)) = Dec(c0^d mod N, c1)
37
Problem
  • Enc'((N,e),m) = (r^e mod N, Enc(r,m))
  • N is normally much larger than the length of a
    key for symmetric encryption.
  • Typically |N| = 1024 and the length of the key is
    128.
  • First idea: truncate.
  • But is it secure?
  • It may be the case that
    • RSA is hard to invert, but
    • the 128 first bits are easy to compute...

38
Idea
  • Instead of truncating: hash!
  • t = length of the symmetric key
  • H : {0,1}* → {0,1}^t a hash function
  • Enc'((N,e),m) = (r^e mod N, Enc(H(r),m))
  • Dec'((N,d),(c0,c1)) = Dec(H(c0^d mod N), c1)
  • But can we prove anything about it?
  • depends...

39
Which properties should H have?
  • If we just assume that H is collision-resistant
    we cannot prove anything...
  • We have to assume that H outputs random values
    on different inputs.
  • This can be formalized by modeling H as random
    oracle.
  • This is also called a Random Oracle Model.
  • And it is controversial.

40
The Random Oracle Model (ROM)
  • In the proofs we model the hash function as a
    random oracle.

Figure: in the real protocol the hash function is, e.g., SHA1; in the proof it is replaced by an oracle O.
41
The oracle O
Everybody (including the adversary) can query the
oracle: the oracle O has a random function H : {0,1}* → {0,1}^n, and on query x it returns H(x).
In the proof every call to the hash function is
replaced with a query to the oracle O.
42
Problems with the ROM
  • This model is too strong.
  • Random Oracle cannot be implemented in real-life.
  • Moreover, there are examples of protocols that
    are secure in ROM,
  • but they are not secure if the random oracle is
    replaced with any hash function.
  • The Random-Oracle Model, Revisited. R. Canetti,
    O. Goldreich and S. Halevi. J. ACM 51(4) 557-594
    (2004).

43
Security proof the intuition
  • H a hash function
  • Enc'((N,e),m) = (r^e mod N, Enc(H(r), m))
  • Why is this scheme secure in the random oracle
    model?
  • Because, as long as the adversary did not query
    the oracle on r, the value of H(r) is completely
    random.
  • To learn r the adversary would need to compute it
    from r^e mod N, so he would need to invert RSA.
  • So (with a very high probability) from the point
    of view of the adversary H(r) is random.
  • Therefore the CCA-security of (Enc',Dec') follows
    from the CCA-security of (Enc,Dec).

44
Disadvantages of this method
  • Enc'((N,e),m) = (r^e mod N, Enc(H(r), m))
  • The ciphertext is longer than the plaintext.
  • This is especially important if the message is
    short.
  • Therefore in practice another method is used
  • Optimal Asymmetric Encryption Padding (OAEP).

45
Optimal Asymmetric Encryption Padding (OAEP)
the history
  • Introduced in: M. Bellare, P. Rogaway. Optimal
    Asymmetric Encryption -- How to encrypt with RSA.
    Eurocrypt '94
  • An error in the security proof was spotted in: V.
    Shoup. OAEP Reconsidered. Crypto '01
  • This error was repaired in: E. Fujisaki, T.
    Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP
    is secure under the RSA assumption. Crypto '01
  • It is now a part of the PKCS 1 v. 2.0 standard.

46
OAEP
  • G,H hash functions
  • OAEP(m) = (X,Y), where (the slide marks block widths of n/4)
    X = (m || 000...0) ⊕ G(r) for a random r,
    Y = r ⊕ H(X)
47
How to invert?
OAEP^{-1}(X,Y): compute r = Y ⊕ H(X), then m || Z = X ⊕ G(r), and check if Z = 000...0.
48
RSA-OAEP
  • private key (N,d)
  • public key (N,e)
  • Enc((N,e),m) = (OAEP(m))^e mod N
  • Dec((N,d),c) = OAEP^{-1}(c^d mod N)

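As an added example (not the lecture's own code, and not the PKCS 1 v2 RSAES-OAEP encoding, which fixes different block widths, hash functions and a length-encoding), here is the OAEP transform of slides 46-48 in Python. The block widths are my assumption: n = 128 bytes, with m of n/2 = 64 bytes and the zero block and r of n/4 = 32 bytes each; G and H are both SHA-256 in counter mode with distinct domain labels. The RSA key is constructed from two Mersenne primes so that the block runs offline without a prime generator; a modulus of that shape is trivially factorable and exists only to exercise the arithmetic. `oaep_inv` returns `None` whenever Z ≠ 000...0, which is the single error the decrypter reports, and the RSA-OAEP decryption maps every malformed input to that same error.

```python
import hashlib
import secrets

N_BYTES = 128                      # OAEP block size n (assumption: 128 bytes)
M_LEN, Z_LEN, R_LEN = 64, 32, 32   # |m| = n/2, |000...0| = n/4, |r| = n/4


def mgf(seed: bytes, n: int, label: bytes) -> bytes:
    """Hash seed to n bytes (SHA-256 in counter mode). G and H are this function
    with different labels, an assumption standing in for 'G, H hash functions'."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def G(r: bytes) -> bytes:
    return mgf(r, M_LEN + Z_LEN, b"G")


def H(X: bytes) -> bytes:
    return mgf(X, R_LEN, b"H")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep(m: bytes) -> bytes:
    """Slide 46: X = (m || 000...0) xor G(r), Y = r xor H(X); output X || Y."""
    if len(m) != M_LEN:
        raise ValueError(f"m must be exactly {M_LEN} bytes")
    r = secrets.token_bytes(R_LEN)
    X = xor(m + bytes(Z_LEN), G(r))
    Y = xor(r, H(X))
    return X + Y


def oaep_inv(p: bytes):
    """Slide 47: r = Y xor H(X), then m || Z = X xor G(r); accept only if
    Z = 000...0. None is the one error the decrypter reports."""
    if len(p) != N_BYTES:
        return None
    X, Y = p[:M_LEN + Z_LEN], p[M_LEN + Z_LEN:]
    r = xor(Y, H(X))
    mz = xor(X, G(r))
    if mz[M_LEN:] != bytes(Z_LEN):
        return None
    return mz[:M_LEN]


# Constructed toy RSA key from the Mersenne primes 2^521-1 and 2^607-1, so the
# block runs without a prime generator. |N| ~ 1128 bits > 8*N_BYTES, hence every
# OAEP block is < N. A modulus of this shape is trivially factorable: demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_oaep_enc(m: bytes) -> int:
    """Slide 48: Enc((N,e),m) = (OAEP(m))^e mod N."""
    return pow(int.from_bytes(oaep(m), "big"), E, N)


def rsa_oaep_dec(c: int):
    """Slide 48: Dec((N,d),c) = OAEP^-1(c^d mod N); None on any malformed input."""
    x = pow(c, D, N)
    if x >= 1 << (8 * N_BYTES):
        return None                      # cannot be an OAEP block
    return oaep_inv(x.to_bytes(N_BYTES, "big"))
```

Because G and H re-randomise everything on any change to X or Y, a modified ciphertext decrypts to a block whose Z part is uniformly random, and the zero check fails except with probability about 2^-256; this is the "hard to produce a valid (X,Y) without knowing m" property the next slides rely on.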
49
Security the intuition
1. OAEP is hard to invert if you don't know X
and Y completely.
(figure: the OAEP diagram of slide 46, X = (m || 000...0) ⊕ G(r), Y = r ⊕ H(X))
50
Why?
Assume G and H are random oracles...
(figure: the OAEP^{-1} diagram of slide 47, r = Y ⊕ H(X), m || Z = X ⊕ G(r))
51
Security the intuition
2. It is hard to produce a valid (X,Y) without
knowing m.
(figure: the OAEP diagram of slide 46, X = (m || 000...0) ⊕ G(r), Y = r ⊕ H(X))
52
Why?
Again, look at OAEP^{-1} and assume that G and H are
random oracles.
requirement: Z = 000...0
(figure: the OAEP^{-1} diagram of slide 47, r = Y ⊕ H(X), m || Z = X ⊕ G(r))
53
Security the conclusion
  • If it is hard to produce a valid (X,Y) without
    knowing m, then CCA should not help the
    adversary.
  • Because he will only receive error messages
    from the oracle.
  • (that was just an intuition; in reality the
    proof is complicated)