Secure Channels Summer Term 2018

Problem Set 2

Prof. Stefan Lucks, Eik List

May 4, 2018

Chair of Media Security Secure Channels Summer 2018 May 4, 2018 1/21


Agenda

In this problem set, you should learn/deepen your understanding of ...

... security notions for encryption,

... their relations, and

... reductionist proofs (simulator proofs).


Simulator Proofs – Relations among Notions

How can we show:

Notion X ⟹ Notion Y ?

Means: Every scheme Π that is secure against X-adversaries is also secure against Y-adversaries.

By contradiction!

If an efficient Y-adversary $A_Y$ that wins the Y security game existed, then we could use (= simulate) it to win the X security game.

⟹ There exists no efficient Y-adversary with significant advantage on Π.


Simulator Proofs – Relations among Notions

[Figure: generic reduction between the parties $A_Y$, $A_X$ and $O_X$. Arrow labels: Input of $A_Y$, Input of $A_X$, Response of $O_Y$, Response to $A_Y$, Result of $A_Y$, Result of $A_X$, win/not win.]


Task 1: Simulator Proofs – Relations among Notions

a) RoR-CPA security ⟹ LoR-CPA security

b) Sem-CPA security ⟹ FtG-CPA security

c) LoR-CPA security ⟹ FtG-CPA security


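Task 1a) RoR-CPA ⟹ LoR-CPA

[Figure: message flow between $A_{\text{LoR-CPA}}$, $A_{\text{RoR-CPA}}$ and $O_{\text{RoR-CPA}}$. $A_{\text{LoR-CPA}}$ sends $(M_i^0, M_i^1)$; $A_{\text{RoR-CPA}}$ sends $M_i^b$ to the oracle and passes the response $C_i$ back; $A_{\text{LoR-CPA}}$ outputs $\beta'$, $A_{\text{RoR-CPA}}$ forwards $\beta'$, and the oracle checks $\beta' = \beta$.]

Initialization: $A_{\text{RoR-CPA}}$ chooses $b \xleftarrow{\$} \{0, 1\}$.

Querying: $A_{\text{RoR-CPA}}$ forwards the messages $M_i^b$ to its oracle and the responses $C_i$ to $A_{\text{LoR-CPA}}$, for $1 \le i \le q$.

Guessing: $A_{\text{RoR-CPA}}$ forwards the bit $\beta'$ to the oracle.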


Task 1a) RoR-CPA ⟹ LoR-CPA – Advantage

2 Cases:

1. $O_{\text{RoR-CPA}}$ returns real ciphertexts: Exactly the LoR-CPA setting
   ⟹ $\mathrm{Adv}(A_{\text{RoR-CPA}}) = \mathrm{Adv}(A_{\text{LoR-CPA}})$

2. $O_{\text{RoR-CPA}}$ returns random ciphertexts: $A_{\text{LoR-CPA}}$ has no advantage in general
   ⟹ $\mathrm{Adv}(A_{\text{RoR-CPA}}) \ge 0$.

Both cases occur with probability 1/2:

$\mathrm{Adv}(A_{\text{RoR-CPA}}) = 1/2 \cdot \mathrm{Adv}(A_{\text{LoR-CPA}}) + 0 \cdot 1/2$
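The Task 1a reduction as a runnable experiment (an added example, not part of the original slides). Assumptions: the deliberately weak XOR scheme `encr`, the adversary `a_lor`, advantage measured as 2·Pr[win] − 1, a random-mode oracle that encrypts a random message, and an A_RoR that answers "real" exactly when β′ equals its own bit b.

```python
import random

N = 16  # toy message length in bytes (assumption)

def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def encr(key, m):
    # Deliberately weak stand-in scheme (assumption): deterministic XOR with the key.
    return bytes(k ^ x for k, x in zip(key, m))

def a_lor(lor_query):
    """Hypothetical LoR-CPA adversary: equal ciphertexts reveal the left side."""
    x, y = bytes(N), bytes([1]) * N
    return 0 if lor_query(x, x) == lor_query(x, y) else 1

def lor_game(rng):
    """One LoR-CPA game; True iff a_lor guesses the oracle bit."""
    key, beta = rand_bytes(rng, N), rng.getrandbits(1)
    return a_lor(lambda m0, m1: encr(key, (m0, m1)[beta])) == beta

def ror_game(rng):
    """One RoR-CPA game played by A_RoR, which runs a_lor as a subroutine."""
    key, beta = rand_bytes(rng, N), rng.getrandbits(1)  # beta: 1 = real, 0 = random

    def oracle(m):
        return encr(key, m if beta else rand_bytes(rng, len(m)))

    b = rng.getrandbits(1)                                  # Initialization
    beta_prime = a_lor(lambda m0, m1: oracle((m0, m1)[b]))  # Querying
    guess = 1 if beta_prime == b else 0                     # "real" iff a_lor found b
    return guess == beta

def advantage(game, trials=20000, seed=2018):
    """Monte Carlo estimate of 2 * Pr[win] - 1."""
    rng = random.Random(seed)
    wins = sum(game(rng) for _ in range(trials))
    return 2 * wins / trials - 1

if __name__ == "__main__":
    print("Adv(A_LoR) ~", advantage(lor_game))
    print("Adv(A_RoR) ~", advantage(ror_game))
```

Against this scheme the LoR adversary always wins, and the measured RoR advantage settles near half of that, matching the 1/2 factor in the formula above.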


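Task 1b) Sem-CPA ⟹ FtG-CPA

[Figure: message flow between $A_{\text{FtG-CPA}}$, $A_{\text{Sem-CPA}}$ and $O_{\text{Sem-CPA}}$. The queries $M_i$ and responses $C_i$ are passed through for $1 \le i < q'$ and for $q' < i \le q$. For the challenge, $A_{\text{FtG-CPA}}$ sends $(M_{q'}^0, M_{q'}^1)$, $A_{\text{Sem-CPA}}$ sends the distribution $\mathcal{M}$, and the challenge ciphertext is passed back. $A_{\text{FtG-CPA}}$ outputs $\beta'$; $A_{\text{Sem-CPA}}$ sends $(f, \alpha = 1)$.]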


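Task 1b) Sem-CPA ⟹ FtG-CPA

Initialization: As in the usual Sem-CPA game.

Querying: $A_{\text{Sem-CPA}}$ simply forwards queries from and to $A_{\text{FtG-CPA}}$.

Challenge: After $A_{\text{FtG-CPA}}$ chooses the challenge query $(M_{q'}^0, M_{q'}^1)$, $A_{\text{Sem-CPA}}$ derives the distribution $\mathcal{M}$:

$$\mathcal{M}(M) := \begin{cases} 1/2 & \text{if } M = M_{q'}^0, \\ 1/2 & \text{if } M = M_{q'}^1, \\ 0 & \text{otherwise.} \end{cases}$$

⟹ The oracle chooses $M_{q'}$ as either $M_{q'}^0$ or $M_{q'}^1$ at random with probability 1/2 each.

Guessing: $A_{\text{FtG-CPA}}$ outputs $\beta'$. $A_{\text{Sem-CPA}}$ chooses $f$ to model exactly the FtG-CPA response:

$$f(M) := \begin{cases} 1 & \text{if } M = M_{q'}^{\beta'}, \\ 0 & \text{otherwise.} \end{cases}$$

$A_{\text{Sem-CPA}}$ sends $(f, \alpha = 1)$ to the oracle.

It holds:

$\mathrm{Adv}(A_{\text{Sem-CPA}}) = \mathrm{Adv}(A_{\text{FtG-CPA}})$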


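Task 1c) LoR-CPA ⟹ FtG-CPA

[Figure: message flow between $A_{\text{FtG-CPA}}$, $A_{\text{LoR-CPA}}$ and $O_{\text{LoR-CPA}}$. For $1 \le i < q'$ and for $q' < i \le q$, $A_{\text{FtG-CPA}}$ sends $M_i$, $A_{\text{LoR-CPA}}$ sends $(M_i, M_i)$ and passes $C_i$ back. The challenge $(M_{q'}^0, M_{q'}^1)$ and its response are passed through unchanged. $A_{\text{FtG-CPA}}$ outputs $\beta'$ and the oracle checks $\beta = \beta'$.]

Querying: $A_{\text{LoR-CPA}}$ submits $M_i$ twice to its oracle.

Challenge/Guessing: Exactly as in the FtG-CPA game.

$\mathrm{Adv}(A_{\text{LoR-CPA}}) = \mathrm{Adv}(A_{\text{FtG-CPA}})$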


Parity Security

For all n-bit strings $X = (x_1, \ldots, x_n)$:

$\mathrm{Parity}(X) = x_1 \oplus x_2 \oplus \ldots \oplus x_n$

Parity-Chosen-Plaintext-Security (Par-CPA) Experiment

The oracle chooses $K \xleftarrow{\$} \{0, 1\}^k$.

1. For $1 \le i \le q' < q$: Eve chooses $M_i \in \{0, 1\}^n$ and asks the oracle for $C_i \leftarrow \mathrm{Encr}_K(M_i)$.

2. Eve chooses a distribution $\mathcal{M}$ of n-bit plaintexts and sends $\mathcal{M}$ to the oracle.

3. The oracle chooses uniformly at random a message $M \xleftarrow{\$}_{\mathcal{M}} \{0, 1\}^n$ according to $\mathcal{M}$ and responds with $C \leftarrow \mathrm{Encr}_K(M)$.

4. For $q' + 1 \le i \le q$: Eve chooses $M_i \in \{0, 1\}^n$ and asks the oracle for $C_i \leftarrow \mathrm{Encr}_K(M_i)$.

5. Eve outputs a bit $\beta \in \{0, 1\}$. She wins iff $\mathrm{Parity}(M) = \beta$.


Task 2: Parity Security

a) Prove (or disprove): Sem-CPA ⟹ Par-CPA

b) Prove (or disprove): Par-CPA ⟹ Sem-CPA


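Task 2a) Sem-CPA ⟹ Par-CPA

[Figure: message flow between $A_{\text{Par-CPA}}$, $A_{\text{Sem-CPA}}$ and $O_{\text{Sem-CPA}}$. The queries $M_i$ and responses $C_i$ are passed through for $1 \le i < q'$ and for $q' < i \le q$. The distribution $\mathcal{M}$ is passed to the oracle and the challenge ciphertext is passed back. $A_{\text{Par-CPA}}$ outputs $\alpha$; $A_{\text{Sem-CPA}}$ sends $(\mathrm{Parity}, \alpha)$; the oracle checks $\mathrm{Parity}(M_{q'}^{\beta}) = \alpha$.]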


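Task 2a) Sem-CPA ⟹ Par-CPA

Initialization: As in the usual Sem-CPA game.

Querying: $A_{\text{Sem-CPA}}$ simply forwards queries from and to $A_{\text{Par-CPA}}$.

Guessing: $A_{\text{Par-CPA}}$ outputs $\beta'$ as its guess for $\mathrm{Parity}(M)$. $A_{\text{Sem-CPA}}$ chooses $f(M) := \mathrm{Parity}(M)$ and $\alpha = \beta'$.

$\mathrm{Adv}(A_{\text{Sem-CPA}}) = \mathrm{Adv}(A_{\text{Par-CPA}})$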


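Task 2b) Par-CPA ⇏ Sem-CPA

Assume: a Sem-CPA-secure $\mathrm{Encr} : \{0, 1\}^k \times \{0, 1\}^n \to \{0, 1\}^n$

$\mathrm{lsb} : \{0, 1\}^n \to \{0, 1\}$ returns the least significant bit

Define: $\mathrm{Encr}' : \{0, 1\}^k \times \{0, 1\}^n \to \{0, 1\}^n$:

$\mathrm{Encr}'_K(M) := \mathrm{Encr}_K(M)[n..2] \,\|\, \mathrm{lsb}(M)$.

[Figure: construction of Encr′ from Encr, with the labels M, C, Encr, Encr′, K and 1.]

Clearly: Encr′ is not Sem-CPA-secure, but can be Par-CPA-secure.

It follows: Par-CPA ⇏ Sem-CPA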


Task 2b) Par-CPA ⇏ Sem-CPA

Define $A_{\text{Sem-CPA}}$:

Chooses $\mathcal{M}$ as the uniform distribution over all n-bit plaintexts.

Derives $\alpha \leftarrow \mathrm{lsb}(C_{q'})$.

Provides $f(M) := \mathrm{lsb}(M)$ and $\alpha$ as final steps to the oracle.

$A_{\text{Sem-CPA}}$ always wins the Sem-CPA game against Encr′.

But: Assuming Encr is Sem-CPA-secure and n > 1:

⟹ No information about parity in ciphertexts.

(For n = 1, the leaked LSB would be the parity.)
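The Task 2b counterexample as a runnable experiment (an added example, not part of the original slides). Assumptions: `encr` is only a stand-in for the Sem-CPA-secure Encr (a fresh HMAC-SHA256 pad XORed onto M), and the parity guesser is one strategy that uses the leaked bit, so its win rate illustrates the Par-CPA claim rather than proving it.

```python
import hashlib
import hmac
import random

def lsb(x):
    return x & 1

def parity(x):
    return bin(x).count("1") & 1

def encr(key, m, n, rng):
    # Stand-in for Encr (assumption): n-bit M XOR a pad derived from a fresh nonce.
    nonce = rng.getrandbits(64).to_bytes(8, "big")
    pad = int.from_bytes(hmac.new(key, nonce, hashlib.sha256).digest(), "big")
    return (m ^ pad) & ((1 << n) - 1)

def encr_prime(key, m, n, rng):
    # Encr'_K(M) := Encr_K(M)[n..2] || lsb(M): the lowest ciphertext bit is lsb(M).
    return (encr(key, m, n, rng) & ~1) | lsb(m)

def win_rates(n, trials=4000, seed=7):
    """Return (Sem-CPA win rate with f = lsb, win rate of a parity guess)."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(16))
    sem = par = 0
    for _ in range(trials):
        m = rng.getrandbits(n)           # challenge from the uniform distribution
        c = encr_prime(key, m, n, rng)
        alpha = lsb(c)                   # A_Sem-CPA: alpha <- lsb(C), f(M) := lsb(M)
        sem += lsb(m) == alpha           # Sem-CPA win condition f(M) = alpha
        par += parity(m) == alpha        # Par-CPA guess that reuses the leaked bit
    return sem / trials, par / trials

if __name__ == "__main__":
    for n in (8, 1):
        print(n, win_rates(n))
```

For n = 8 the lsb predicate is matched in every trial while the parity guess stays near 1/2; for n = 1 both rates are 1, the special case the slide notes.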


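Task 3: Padding-oracle Attack on CBC

System: AES-CBC-encryption (1 block = 16 bytes)

Known: Ciphertext $(C_0, \ldots, C_m)$

Goal: Recover the original plaintext $(M_1, \ldots, M_m)$

[Figure: CBC encryption with $E_K$: plaintext blocks $M_1, M_2, \ldots, M_m$ and ciphertext blocks $C_0, C_1, C_2, \ldots, C_m$.]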


Task 3: Padding-oracle Attack on CBC

Padding:

$N = 16 - (|M| \bmod 16)$

$M = M \,\|\, (\langle N \rangle)^N$

E.g.:

$\mathrm{pad}((M_1, \ldots, M_{15})) = (M_1, \ldots, M_{15}, 1)$

$\mathrm{pad}((M_1, \ldots, M_7)) = (M_1, \ldots, M_7, 9, \ldots, 9)$

$\mathrm{pad}((M_1, \ldots, M_{16})) = (M_1, \ldots, M_{16}, 16, \ldots, 16)$.
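The padding rule above together with the matching receiver-side check, as an added example (not part of the original slides). `unpad` is a hypothetical helper: it inspects all 16 trailing bytes without an early exit and reports every failure the same way, so the check itself does not tell the caller which byte was wrong.

```python
BLOCK = 16  # AES block size in bytes, as on the slide

def pad(m: bytes) -> bytes:
    """Append N bytes of value N, with N = 16 - (|M| mod 16)."""
    n = BLOCK - (len(m) % BLOCK)
    return m + bytes([n]) * n

def unpad(padded: bytes):
    """Return the message, or None for any malformed padding."""
    if len(padded) == 0 or len(padded) % BLOCK:
        return None
    n = padded[-1]
    bad = (n == 0) | (n > BLOCK)
    # Walk the whole last block regardless of n and accumulate mismatches.
    # (Python gives no constant-time guarantee; the point is the single,
    # uniform failure result and the absence of an early exit.)
    for i in range(1, BLOCK + 1):
        in_padding = i <= n
        bad |= in_padding & (padded[-i] != n)
    return None if bad else padded[:len(padded) - n]

if __name__ == "__main__":
    print(pad(b"secure channels").hex())   # 15 bytes of message, 1 byte of padding
    print(unpad(pad(b"secure channels")))
    print(unpad(bytes(15) + b"\x02"))      # constructed invalid block
```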


Task 3: Padding-oracle Attack on CBC

[Figure: CBC encryption (key K, block cipher E) of the plaintext blocks M_1, M_2, ..., M_{m−1}, M_m into the ciphertext blocks C_0, C_1, C_2, ..., C_{m−1}, C_m, with D marked.]

 1: for all Blocks i from m − 1 downto 0 do
 2:   D := (D_15, ..., D_0) = (0, ..., 0)
 3:   for all Bytes j from 0 to 15 do
 4:     for v from 0 to 255 do
 5:       Compute Byte D_j := v ⊕ (j + 1)
 6:       Ask for the decryption of
 7:         C′ := (C_0, ..., C_{i−1}, C_i ⊕ D, C_{i+1})
 8:       if C′ is deemed valid then
 9:         Store byte M^j_{i+1} := v
10:         For all k ∈ {0, ..., j}: D_k := M^j_{i+1} ⊕ (j + 1) ⊕ (j + 2)
11:         Guess next byte (goto 3)
12: return The recovered plaintext M = (M_1, ..., M_m)


Recap

Reductionist Proofs

Encryption ≠ Authenticated Encryption


Questions?

