Department of Electrical Engineering, IIT Bombay
September 5, 2023
Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n
Let F be a block cipher with block length n
A uniform initialization vector (IV) of length n is chosen
c_0 = IV. For i = 1,\ldots,l, c_i \coloneqq F_k(c_{i-1}\oplus m_i)
For i = 1,2,\ldots,l, m_i \coloneqq F_k^{-1}(c_i)\oplus c_{i-1}.
In CBC-mode encryption, the message length is a multiple of the block length
If not, the message needs to be padded
Let encoded data denote the padded message
Padding must be invertible
Given a ciphertext corresponding to encoded data, the receiver first applies the decryption algorithm
The value b of the last byte is read
The final b bytes of the encoded data are checked to be equal to b
If padding is incorrect, the standard procedure is to return a “bad padding” error
This error message is a partial decryption oracle
Using these error messages, an adversary can completely recover the original message
Consider a 3-block ciphertext from CBC-mode encryption
m_2 = F_k^{-1}(c_2) \oplus c_1
Note that m_2 ends in \textsf{0x}b \textsf{0x}b \ldots \textsf{0x}b
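As an added example (not code from the slides), the CBC construction of c_0 = IV, c_i = F_k(c_{i-1} ⊕ m_i) and its inverse m_i = F_k^{-1}(c_i) ⊕ c_{i-1}, together with the padding check just described (read b from the last byte, check that the final b bytes equal b). The slides leave F abstract; here F_k is a constructed 4-round Feistel network with an HMAC-SHA256 round function, chosen only so that the code runs with the standard library. The last function shows what the receiver's "bad padding" error reveals on a 3-block ciphertext whose padded message ends in 0x01: flipping the low bit of the last byte of c_1 flips the low bit of the last byte of m_2, and the error message tells the sender of the tampered ciphertext that the padding is now invalid, which is the partial decryption oracle the text refers to.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block length n, in bytes


class BadPadding(Exception):
    """The 'bad padding' error the receiver returns."""


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher F_k (constructed for this example, not from the slides):
# a 4-round Feistel network whose round function is HMAC-SHA256 keyed by k
# and the round index. Feistel networks are invertible by construction.
def _round(k: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(k, bytes([r]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(k: bytes, block: bytes) -> bytes:  # F_k
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, xor(left, _round(k, r, right))
    return left + right


def block_decrypt(k: bytes, block: bytes) -> bytes:  # F_k^{-1}
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(k, r, left)), left
    return left + right


# Padding as in the slides: the last byte holds b and the final b bytes all
# equal b. b is always between 1 and BLOCK so that unpadding is invertible.
def pad(m: bytes) -> bytes:
    b = BLOCK - len(m) % BLOCK
    return m + bytes([b]) * b


def unpad(data: bytes) -> bytes:
    if not data:
        raise BadPadding
    b = data[-1]
    if not 1 <= b <= BLOCK or len(data) < b or data[-b:] != bytes([b]) * b:
        raise BadPadding
    return data[:-b]


def cbc_encrypt(k: bytes, m: bytes, iv=None) -> bytes:
    """c_0 = IV (uniform unless supplied); c_i = F_k(c_{i-1} XOR m_i) over the padded message."""
    data = pad(m)
    c = [secrets.token_bytes(BLOCK) if iv is None else iv]
    for i in range(0, len(data), BLOCK):
        c.append(block_encrypt(k, xor(c[-1], data[i:i + BLOCK])))
    return b"".join(c)


def cbc_decrypt(k: bytes, ct: bytes) -> bytes:
    """m_i = F_k^{-1}(c_i) XOR c_{i-1} for i >= 1, followed by the padding check."""
    if len(ct) % BLOCK or len(ct) < 2 * BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block length")
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    data = b"".join(xor(block_decrypt(k, blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))
    return unpad(data)


def padding_error_observed(k: bytes, ct: bytes) -> bool:
    """For a 3-block ciphertext <IV, c_1, c_2> whose padded message ends in 0x01:
    flip the low bit of the last byte of c_1 and report whether the receiver
    answered with 'bad padding' (it does, since m_2 now ends in 0x00)."""
    pos = 2 * BLOCK - 1  # index of the last byte of c_1
    tampered = ct[:pos] + bytes([ct[pos] ^ 0x01]) + ct[pos + 1:]
    try:
        cbc_decrypt(k, tampered)
    except BadPadding:
        return True
    return False
```

The receiver distinguishes two failures (`ValueError` for a malformed length, `BadPadding` for an invalid pad); the slides' point is that the second one, by itself, already leaks one bit about the plaintext per query, which is why the later constructions verify integrity before decrypting at all.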
Consider the CCA indistinguishability experiment \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A}, \Pi}(n):
A key k is generated by running \textsf{Gen}(1^n).
The adversary \mathcal{A} is given 1^n and oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)
It outputs a pair of messages m_0, m_1 \in \mathcal{M} with |m_0| = |m_1|.
A uniform bit b \in \{0,1\} is chosen
Ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}. c is called the challenge ciphertext
The adversary \mathcal{A} continues to have oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)
\mathcal{A} is not allowed to query the latter on the challenge ciphertext itself
Eventually, \mathcal{A} outputs a bit b'
The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.
A message authentication code (MAC) consists of three PPT algorithms (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) such that:
\textsf{Gen} takes as input 1^n and outputs a key k with |k| \ge n
The tag-generation algorithm \textsf{Mac} takes as input k and a message m \in \{0,1\}^*, and outputs a tag t
The deterministic verification algorithm \textsf{Vrfy} takes as inputs k, m, and t. It outputs a bit b with b=1 meaning valid and b=0 meaning invalid
We want \Pi to satisfy a notion of message integrity
Unforgeable encryption experiment \textsf{Enc-Forge}_{\mathcal{A}, \Pi}(n):
Run \textsf{Gen}(1^n) to obtain a key k
The adversary \mathcal{A} is given input 1^n and access to an encryption oracle \textsf{Enc}_k(\cdot)
The adversary outputs a ciphertext c
Let m \coloneqq \textsf{Dec}_k(c), and let \mathcal{Q} denote the set of all \mathcal{A}’s queries to its encryption oracle
The output of the experiment is 1 if and only if
We will require two different scenarios to be indistinguishable to an attacker
First scenario: The attacker is given access to encryption and decryption oracles
Second scenario: The two oracles are changed as follows
The attacker is given access to \textsf{Enc}_k^0(\cdot) where \textsf{Enc}_k^0(m) = \textsf{Enc}_k(0^{|m|})
The attacker is given access to \textsf{Dec}_\perp(\cdot) that always returns the error symbol \perp
If an attacker cannot distinguish between the two scenarios, then this means that
1 \implies Chosen-ciphertext attacks become useless
2 \implies Chosen-plaintext attacks become useless
For a private-key encryption scheme \Pi and adversary \mathcal{A}, define the experiment \textsf{PrivK}^{\textsf{ae}}_{\mathcal{A}, \Pi}(n):
A key k is generated by running \textsf{Gen}(1^n).
A uniform bit b \in \{0,1\} is chosen
The adversary \mathcal{A} is given 1^n and access to two oracles:
\mathcal{A} is not allowed to query a ciphertext c to its second oracle that it previously received as the response from its first oracle.
\mathcal{A} outputs a bit b'
The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.
A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) is an authenticated encryption (AE) scheme, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).
The two definitions of AE schemes are equivalent
A MAC \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is strongly secure, if for all PPT adversaries \mathcal{A}, there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{Mac-sforge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).
Proposition: Let \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) be a secure deterministic MAC that uses canonical verification. Then \Pi is strongly secure.
Assume independent keys k_E and k_M for \Pi_E and \Pi_M
Encrypt-and-authenticate: Given a plaintext message m, the sender transmits ciphertext \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(m).
The receiver decrypts c to recover m; assuming no error occurred, it then verifies the tag t.
If a deterministic MAC is used, then the scheme is not CPA-secure: the tag t depends only on m, so two encryptions of the same message are recognizable
Encrypt-then-authenticate: Given a plaintext message m, the message is first encrypted and then a MAC tag is computed over the result
The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).
The receiver first verifies the tag t; assuming no error occurred it decrypts c to recover m.
Theorem: If \Pi_E = (\textsf{Enc}, \textsf{Dec}) is a CPA-secure encryption scheme and \Pi_M = (\textsf{Mac}, \textsf{Vrfy}) is a strongly secure MAC, then the encrypt-then-authenticate approach is an authenticated encryption scheme
The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).
Strong security of \Pi_M \implies
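As an added example (not code from the slides), the two generic constructions side by side, built from a MAC with canonical verification as in the definition above and from a CPA-secure encryption scheme. Both building blocks are constructed here and are not from the slides: \Pi_M is HMAC-SHA256 (a deterministic MAC, verified by recomputing the tag and comparing in constant time), and \Pi_E is counter mode with HMAC-SHA256 as the keyed function and a fresh random nonce per message. The keys k_E and k_M are independent. The last two functions show the two properties discussed in the text: with a deterministic MAC, encrypt-and-authenticate gives the same tag to repeated messages, and encrypt-then-authenticate rejects any ciphertext whose tag does not verify before decrypting it, which is what the strong security of \Pi_M buys in the unforgeability experiment.

```python
import hashlib
import hmac
import secrets

NONCE = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen(n: int = 32) -> bytes:
    """Gen(1^n): a uniform n-byte key."""
    return secrets.token_bytes(n)


# Pi_E: counter mode with HMAC-SHA256 as the keyed function (constructed here).
def _keystream(k_e: bytes, nonce: bytes, length: int) -> bytes:
    out = b"".join(hmac.new(k_e, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                   for i in range((length + 31) // 32))
    return out[:length]


def enc(k_e: bytes, m: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE)  # fresh per message, so Enc is randomized
    return nonce + xor(m, _keystream(k_e, nonce, len(m)))


def dec(k_e: bytes, c: bytes):
    if len(c) < NONCE:
        return None  # None stands for the error symbol
    return xor(c[NONCE:], _keystream(k_e, c[:NONCE], len(c) - NONCE))


# Pi_M: a deterministic MAC with canonical verification.
def mac(k_m: bytes, m: bytes) -> bytes:
    return hmac.new(k_m, m, hashlib.sha256).digest()


def vrfy(k_m: bytes, m: bytes, t: bytes) -> bool:
    # Canonical verification: recompute Mac_k(m) and compare with t (constant time).
    return hmac.compare_digest(mac(k_m, m), t)


# Encrypt-and-authenticate: <c, t> with c <- Enc(m) and t <- Mac(m).
def ea_encrypt(k_e: bytes, k_m: bytes, m: bytes):
    return enc(k_e, m), mac(k_m, m)


def ea_decrypt(k_e: bytes, k_m: bytes, c: bytes, t: bytes):
    m = dec(k_e, c)  # decrypt first, then verify the tag over the plaintext
    return m if m is not None and vrfy(k_m, m, t) else None


# Encrypt-then-authenticate: <c, t> with c <- Enc(m) and t <- Mac(c).
def eta_encrypt(k_e: bytes, k_m: bytes, m: bytes):
    c = enc(k_e, m)
    return c, mac(k_m, c)


def eta_decrypt(k_e: bytes, k_m: bytes, c: bytes, t: bytes):
    if not vrfy(k_m, c, t):
        return None  # rejected before any decryption takes place
    return dec(k_e, c)


def tag_repeats(encrypt, k_e: bytes, k_m: bytes, m: bytes) -> bool:
    """Encrypt m twice and report whether the tags coincide. True for
    encrypt-and-authenticate with a deterministic MAC (a CPA distinguisher),
    False for encrypt-then-authenticate because c is fresh each time."""
    (_, t1), (_, t2) = encrypt(k_e, k_m, m), encrypt(k_e, k_m, m)
    return t1 == t2


def eta_rejects_modified(k_e: bytes, k_m: bytes, m: bytes) -> bool:
    """A ciphertext not output by the encryption oracle (one flipped bit in c,
    same t) must decrypt to the error symbol under encrypt-then-authenticate."""
    c, t = eta_encrypt(k_e, k_m, m)
    modified = c[:-1] + bytes([c[-1] ^ 0x01])
    return eta_decrypt(k_e, k_m, modified, t) is None
```

`eta_decrypt` is the only decryption path here that never runs `dec` on unauthenticated input, so the receiver emits a single error for every malformed or modified ciphertext; this is the behaviour the theorem above needs from the receiver side.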