Secure Channels, Summer Term 2018
Problem Set 2
Prof. Stefan Lucks, Eik List
May 4, 2018
Chair of Media Security Secure Channels Summer 2018 May 4, 2018 1/21
Agenda
In this problem set, you should learn or deepen your understanding of ...
... security notions for encryption,
... their relations, and
... reductionist proofs (simulator proofs).
Simulator Proofs – Relations among Notions
How can we show:
Notion X ⇒ Notion Y?
Meaning: every scheme Π that is secure against X-adversaries is also secure against Y-adversaries.
By contradiction!
If an efficient Y-adversary A_Y that wins the Y security game existed, then we could use (= simulate) it to win the X security game.
⇒ There exists no efficient Y-adversary with significant advantage on Π.
Simulator Proofs – Relations among Notions
[Figure: the generic simulator. A_X runs A_Y as a subroutine: the input of A_Y is translated into the input of A_X to the oracle O_X, the response of O_X becomes the response (of the simulated O_Y) to A_Y, and the result of A_Y becomes the result of A_X, which O_X judges as win/not win.]
Task 1: Simulator Proofs – Relations among Notions
a) RoR-CPA security ⇒ LoR-CPA security
b) Sem-CPA security ⇒ FtG-CPA security
c) LoR-CPA security ⇒ FtG-CPA security
[Figure: the generic simulator diagram (A_Y run inside A_X, which talks to O_X) as on the previous slide.]
Task 1a) LoR-CPA ⇒ RoR-CPA
[Figure: A_LoR-CPA sends (M^0_i, M^1_i) to A_RoR-CPA, which queries M^b_i to O_RoR-CPA, receives C_i and returns C_i to A_LoR-CPA; the guess β' of A_LoR-CPA is passed on by A_RoR-CPA, which wins iff β' = β.]
Initialization: A_RoR-CPA chooses b ←$ {0, 1}.
Querying: A_RoR-CPA forwards the messages M^b_i to its oracle and the responses C_i to A_LoR-CPA, for 1 ≤ i ≤ q.
Guessing: A_RoR-CPA forwards the bit β' to the oracle.
Task 1a) LoR-CPA ⇒ RoR-CPA – Advantage
[Figure: the same reduction diagram (A_LoR-CPA inside A_RoR-CPA, talking to O_RoR-CPA) as on the previous slide.]
Two cases:
1 O_RoR-CPA returns real ciphertexts: exactly the LoR-CPA setting
  ⇒ Adv(A_RoR-CPA) = Adv(A_LoR-CPA)
2 O_RoR-CPA returns random ciphertexts: A_LoR-CPA has no advantage in general
  ⇒ Adv(A_RoR-CPA) ≥ 0.
Both cases occur with probability 1/2:
Adv(A_RoR-CPA) = 1/2 · Adv(A_LoR-CPA) + 0 · 1/2
Task 1b) Sem-CPA ⇒ FtG-CPA
[Figure: the queries M_i of A_FtG-CPA (for 1 ≤ i < q' and q' < i ≤ q) are forwarded by A_Sem-CPA to O_Sem-CPA and the responses C_i passed back; for the challenge (M^0_q', M^1_q'), A_Sem-CPA sends the distribution M to the oracle, which returns C^β_q' ← Encr_K(M^β_q'); the guess β' of A_FtG-CPA becomes the pair (f, α = 1).]
Task 1b) Sem-CPA ⇒ FtG-CPA
Initialization: as in the usual Sem-CPA game.
Querying: A_Sem-CPA simply forwards queries from and to A_FtG-CPA.
Challenge: after A_FtG-CPA chooses the challenge query (M^0_q', M^1_q'), A_Sem-CPA derives the distribution M:
  M(M) := 1/2 if M = M^0_q',
          1/2 if M = M^1_q',
          0   otherwise.
⇒ The oracle chooses M_q' as either M^0_q' or M^1_q' at random, with probability 1/2 each.
Guessing: A_FtG-CPA outputs β'. A_Sem-CPA chooses f to model exactly the FtG-CPA response:
  f(M) := 1 if M = M^{β'}_q',
          0 otherwise.
A_Sem-CPA sends (f, α = 1) to the oracle.
It holds:
Adv(A_Sem-CPA) = Adv(A_FtG-CPA)
Task 1c) LoR-CPA ⇒ FtG-CPA
[Figure: for each query M_i of A_FtG-CPA (1 ≤ i < q' and q' < i ≤ q), A_LoR-CPA submits the pair (M_i, M_i) to O_LoR-CPA and passes C_i back; the challenge (M^0_q', M^1_q') is forwarded unchanged and answered with C^β_q'; the guess β' is forwarded, and A_LoR-CPA wins iff β = β'.]
Querying: A_LoR-CPA submits M_i twice to its oracle.
Challenge/Guessing: exactly as in the FtG-CPA game.
Adv(A_LoR-CPA) = Adv(A_FtG-CPA)
Parity Security
For all n-bit strings X = (x_1, ..., x_n):
Parity(X) = x_1 ⊕ x_2 ⊕ ... ⊕ x_n
Parity-Chosen-Plaintext-Security (Par-CPA) Experiment
The oracle chooses K ←$ {0, 1}^k.
1 For 1 ≤ i ≤ q' < q: Eve chooses M_i ∈ {0, 1}^n and asks the oracle for C_i ← Encr_K(M_i).
2 Eve chooses a distribution M of n-bit plaintexts and sends M to the oracle.
3 The oracle chooses a message M ←$ {0, 1}^n at random according to the distribution M and responds with C ← Encr_K(M).
4 For q' + 1 ≤ i ≤ q: Eve chooses M_i ∈ {0, 1}^n and asks the oracle for C_i ← Encr_K(M_i).
5 Eve outputs a bit β ∈ {0, 1}. She wins iff Parity(M) = β.
Task 2: Parity Security
a) Prove (or disprove): Sem-CPA ⇒ Par-CPA
b) Prove (or disprove): Par-CPA ⇒ Sem-CPA
Task 2a) Sem-CPA ⇒ Par-CPA
[Figure: the queries M_i of A_Par-CPA (1 ≤ i < q' and q' < i ≤ q) are forwarded by A_Sem-CPA to O_Sem-CPA and the responses C_i passed back; the distribution M is forwarded and answered with C^β_q' ← Encr_K(M^β_q'); the guess α of A_Par-CPA becomes the pair (Parity, α), and A_Sem-CPA wins iff Parity(M^β_q') = α.]
Task 2a) Sem-CPA ⇒ Par-CPA
Initialization: as in the usual Sem-CPA game.
Querying: A_Sem-CPA simply forwards queries from and to A_Par-CPA.
Guessing: A_Par-CPA outputs β' as its guess for Parity(M). A_Sem-CPA chooses f(M) := Parity(M) and α = β'.
Adv(A_Sem-CPA) = Adv(A_Par-CPA)
Task 2b) Par-CPA ⇏ Sem-CPA
Assume: a Sem-CPA-secure Encr : {0, 1}^k × {0, 1}^n → {0, 1}^n, and
lsb : {0, 1}^n → {0, 1}, which returns the least significant bit.
Define: Encr' : {0, 1}^k × {0, 1}^n → {0, 1}^n,
Encr'_K(M) := Encr_K(M)[n..2] ‖ lsb(M).
[Figure: Encr'_K feeds M through Encr_K, keeps the upper n − 1 bits of the output and appends lsb(M) as the last bit of C.]
Clearly: Encr' is not Sem-CPA-secure, but can be Par-CPA-secure.
It follows: Par-CPA ⇏ Sem-CPA.
Task 2b) Par-CPA ⇏ Sem-CPA
Define A_Sem-CPA:
Chooses M as the uniform distribution over all n-bit plaintexts.
Derives α ← lsb(C_q').
Provides f(M) := lsb(M) and α as final step to the oracle.
A_Sem-CPA always wins the Sem-CPA game against Encr'.
But: assuming Encr is Sem-CPA-secure and n > 1 ⇒ no information about the parity in the ciphertexts (for n = 1, the leaked LSB would be the parity).
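As an added illustration (not part of the slides), a small Python model of the Task 2b construction: a random permutation stands in for the Sem-CPA-secure Encr_K, Encr' is built from it as defined above, the slide's A_Sem-CPA is checked to be right on every plaintext, and an exhaustive count shows that for n > 1 the leaked lsb agrees with the parity for exactly half of all plaintexts, while for n = 1 it is the parity. The helper names, the seed and the toy block size n = 8 are assumptions of this example.

```python
import random


def make_ideal_encr(n: int, seed: int) -> dict:
    # Stand-in for the Sem-CPA-secure Encr_K under one fixed, hidden key:
    # a uniformly random permutation of {0,1}^n (assumption of this example).
    rng = random.Random(seed)
    images = list(range(1 << n))
    rng.shuffle(images)
    return dict(enumerate(images))


def lsb(x: int) -> int:
    return x & 1


def parity(x: int) -> int:
    # Parity(X) = x_1 xor x_2 xor ... xor x_n
    return bin(x).count("1") & 1


def encr_prime(encr: dict, m: int) -> int:
    # Encr'_K(M) := Encr_K(M)[n..2] || lsb(M): the upper n-1 bits come from
    # Encr_K, the last bit is copied from the plaintext.
    return (encr[m] & ~1) | lsb(m)


def sem_cpa_adversary_always_wins(encr: dict, n: int) -> bool:
    # The A_Sem-CPA of the slide: f(M) := lsb(M), alpha := lsb(C_q').
    # It is correct for every challenge plaintext, hence for any distribution.
    return all(lsb(encr_prime(encr, m)) == lsb(m) for m in range(1 << n))


def parity_equals_lsb_count(n: int) -> int:
    # Number of n-bit plaintexts whose parity equals the leaked lsb.
    # For n > 1 it is exactly 2^(n-1), i.e. guessing the parity from the
    # leaked bit is no better than a coin flip; for n = 1 it is all of them.
    return sum(1 for m in range(1 << n) if parity(m) == lsb(m))
```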
Task 3: Padding-oracle Attack on CBC
System: AES-CBC encryption (1 block = 16 bytes)
Known: ciphertext (C_0, ..., C_m)
Goal: recover the original plaintext (M_1, ..., M_m)
[Figure: CBC encryption with E_K: C_0 is the IV, and each M_i is XORed with C_{i−1} before E_K produces C_i, for i = 1, ..., m.]
Task 3: Padding-oracle Attack on CBC
Padding:
N = 16 − (|M| mod 16)
M := M ‖ (⟨N⟩)^N   (N bytes, each with value N)
E.g.:
pad((M_1, ..., M_15)) = (M_1, ..., M_15, 1)
pad((M_1, ..., M_7)) = (M_1, ..., M_7, 9, ..., 9)
pad((M_1, ..., M_16)) = (M_1, ..., M_16, 16, ..., 16).
[Figure: the same CBC encryption diagram as on the previous slide.]
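An added example, not from the slides: a Python implementation of the padding rule above, the strict check a receiver applies (the single yes/no bit that a padding oracle exposes), and the receiver-side countermeasure the recap points at (Encryption ≠ Authenticated Encryption): a MAC over the whole ciphertext is verified before any padding is examined, with one generic error for every failure. The function names and the cbc_decrypt parameter are assumptions of this example; cbc_decrypt stands in for a real AES-CBC decryptor.

```python
import hashlib
import hmac

BLOCK = 16


def pad(msg: bytes, block: int = BLOCK) -> bytes:
    # N = block - (|M| mod block); append N bytes, each of value N.
    # A message that already fills the last block gets a whole extra block.
    n = block - (len(msg) % block)
    return msg + bytes([n]) * n


def unpad(padded: bytes, block: int = BLOCK) -> bytes:
    # Strict inverse of pad(): the whole padding run is checked, not only
    # the last byte, and every failure raises the same generic error.
    if not padded or len(padded) % block:
        raise ValueError("decryption failed")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("decryption failed")
    return padded[:-n]


def padding_is_valid(padded: bytes, block: int = BLOCK) -> bool:
    # The one bit a padding oracle leaks ("C' is deemed valid" on the slide).
    # Any observable difference (error code, message, timing) between this
    # outcome and other failures hands exactly this bit to the sender.
    try:
        unpad(padded, block)
        return True
    except ValueError:
        return False


def seal_authenticated(mac_key: bytes, iv_and_ct: bytes) -> bytes:
    # Sender side of encrypt-then-MAC: tag over IV || ciphertext.
    return hmac.new(mac_key, iv_and_ct, hashlib.sha256).digest()


def open_authenticated(mac_key: bytes, iv_and_ct: bytes, tag: bytes,
                       cbc_decrypt) -> bytes:
    # Receiver side (hypothetical helper): the tag is verified first, so a
    # manipulated ciphertext is rejected before unpad() ever sees it.
    # cbc_decrypt(iv_and_ct) is supplied by the caller, e.g. AES-CBC.
    expected = seal_authenticated(mac_key, iv_and_ct)
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed")  # same error as a padding fault
    return unpad(cbc_decrypt(iv_and_ct))
```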
Task 3: Padding-oracle Attack on CBC
[Figure: CBC decryption with D_K: C_0 and the blocks C_1, ..., C_{m−1}, C_m are decrypted with D_K and XORed with the preceding block to give M_1, ..., M_{m−1}, M_m.]
1:  for all blocks i from m − 1 downto 0 do
2:      D := (D_15, ..., D_0) = (0, ..., 0)
3:      for all bytes j from 0 to 15 do
4:          for v from 0 to 255 do
5:              compute byte D_j := v ⊕ (j + 1)
6:              ask for the decryption of
7:                  C' := (C_0, ..., C_{i−1}, C_i ⊕ D, C_{i+1})
8:              if C' is deemed valid then
9:                  store byte M^j_{i+1} := v
10:                 for all k ∈ {0, ..., j}: D_k := M^j_{i+1} ⊕ (j + 1) ⊕ (j + 2)
11:                 guess next byte (goto 3)
12: return the recovered plaintext M = (M_1, ..., M_m)
Recap
Reductionist proofs
Encryption ≠ Authenticated Encryption
Questions?