CCA-Security and Authenticated Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

September 5, 2023

Chosen-Ciphertext Attacks

• CPA-secure schemes guard against passive adversaries
  • Adversary can query encryption oracle but is still limited to observing the challenge ciphertext
• Active adversaries are modeled by the CCA threat model
  • Such an adversary can modify the ciphertext before it is decrypted by the honest parties
  • In the real world, the adversary could observe the effect of the modification
  • In the worst-case, the corresponding plaintext is revealed

CCA Threat Model

• Adversary has access to an encryption oracle
• Adversary also has access to a decryption oracle
• Adversary then attempts to recover information about the underlying plaintext of some other ciphertext produced using the same key

Padding-Oracle Attacks

• A real-world example of the devastating effect of chosen-ciphertext attacks
• Exploits a popular padding scheme for CBC-mode encryption to recover the whole plaintext

CBC-Mode Encryption

• Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n

• Let F be a block cipher with block length n

• A uniform initialization vector (IV) of length n is chosen

• c_0 = IV. For i = 1,\ldots,l, c_i \coloneqq F_k(c_{i-1}\oplus m_i)

• For i = 1,2,\ldots,l, m_i \coloneqq F_k^{-1}(c_i)\oplus c_{i-1}.

Padding

• In CBC-mode encryption, the message length is a multiple of the block length

• If not, message needs to be padded

• Let encoded data denote the padded message

• Padding must be invertible

  • The message should be recoverable from the encoded data

Padding Scheme from PKCS #7 Standard

• Let m denote the original message
• Assume that |m| is an integral number of bytes
• Let L be the block length of F in bytes
• Let b denote the padding length in bytes
• b is an integer from 1 to L
  • b =0 is not allowed

Padding Scheme from PKCS #7 Standard

• Suppose L is less than 256
• We append to the message the integer b (represented in 1 byte) repeated b times
• For example, if 4 bytes are needed then 0x04040404 is appended
• If |m| is already a multiple of L, then L bytes are appended each of which is equal to L

Removing the Padding

• Given a ciphertext corresponding to encoded data, the receiver first applies the decryption algorithm

• The value b of the last byte is read

• The final b bytes of the encoded data are checked to be equal to b

Decryption Oracle from Padding Errors

• If padding is incorrect, the standard procedure is to return a “bad padding” error

• This error message is a partial decryption oracle

• Using these error messages, an adversary can completely recover the original message

Padding Oracle Attack Example

• Consider a 3-block ciphertext from CBC-mode encryption

• m_2 = F_k^{-1}(c_2) \oplus c_1

• Note that m_2 ends in \textsf{0x}b \textsf{0x}b \ldots \textsf{0x}b

Padding Oracle Attack Example

• Suppose an adversary changes c_1 to c_1', but keeps IV and c_2 the same
• Then m_2 is changed to m_2' = F_k^{-1}(c_2) \oplus c_1'
• If the c_1 and c_1' differ only in the ith byte, then m_2 and m_2' also differ only in the ith byte

Padding Oracle Attack Example

Learning b

• Suppose there is a server that receives ciphertexts and returns padding oracle error (if any)
• The attacker modifies the first byte of c_1 to get c_1', and sends (IV, c_1', c_2) to the server
  • If error is returned, then b=L
  • The server is reading all L bytes of m_2'
• Otherwise, the attacker modifies the second byte of c_1 and sends (IV, c_1', c_2). And so on.
• The first byte where decryption fails reveals b

Padding Oracle Attack Example

Learning the Final Message Byte

• Consider the case when b < L
• The attacker knows that the m_2 ends with \textsf{0x}M \textsf{0x}b \ldots \textsf{0x}b
• Define \Delta_i as \begin{align*} \Delta_i = & \textsf{0x}00 \cdots \textsf{0x}00 &\textsf{0x}i \; &\overbrace{\textsf{0x}(b+1) \cdots \textsf{0x}(b+1)}^{b \text{ times}} \\ \oplus & \textsf{0x}00 \cdots \textsf{0x}00 & \textsf{0x}00 \; & \overbrace{\textsf{0x}b \cdots \textsf{0x}b}^{b \text{ times}} \end{align*}

Padding Oracle Attack Example

Learning the Final Message Byte

• Attacker sends (IV, c_1 \oplus \Delta_i, c_2) to the server
• The final b+1 bytes of the resulting encoded data are \textsf{0x}(M\oplus i)\underbrace{\textsf{0x}(b+1) \cdots \textsf{0x}(b+1)}_{b \text{ times}}
• Decryption fails unless \textsf{0x}(M \oplus i) = \textsf{0x}(b+1)
• Attacker needs to try at most 256 values for i
• When decryption succeeds, attacker learns that M = \textsf{0x}(b+1) \oplus \textsf{0x}i

Padding Oracle Attack Example

Learning the Other Message Bytes

• Now, the attacker knows that the m_2 ends with \textsf{0x}M\textsf{0x}a \textsf{0x}b \ldots \textsf{0x}b for an unknown M and known a
• Assume that b < L-1
• What can the attacker do to recover this M?
• How can we relax the b< L-1 and b < L assumptions?

Defining CCA-Security

• Adversary is given access to both an encryption oracle and a decryption oracle
• Adversary then chooses a pair of messages m_0, m_1
• An encryption scheme will be CCA-secure if the adversary cannot determine which one was encrypted with probability significantly better than \frac{1}{2}

CCA Indistinguishability Experiment

Consider the CCA indistinguishability experiment \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A}, \Pi}(n):

• A key k is generated by running \textsf{Gen}(1^n).

• The adversary \mathcal{A} is given 1^n and oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)

• It outputs a pair of messages m_0, m_1 \in \mathcal{M} with |m_0| = |m_1|.

• A uniform bit b \in \{0,1\} is chosen

• Ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}. c is called the challenge ciphertext

• The adversary \mathcal{A} continues to have oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)

• \mathcal{A} is not allowed to query the latter on the challenge ciphertext itself

• Eventually, A outputs a bit b'

• The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.

CCA Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions under a chosen-ciphertext attack, or is CCA-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

Previous Schemes are not CCA-secure

• All the schemes we have seen so far are not CCA-secure
• Consider the CPA-secure scheme where m \in \{0,1\}^n was encrypted as \langle r, F_k(r) \oplus m \rangle for some random r \in \{0,1\}^n
• How can we show that it is not CCA-secure?

Authenticated Encryption

• Instead of constructing a CCA-secure encryption, we will construct a scheme that achieves authenticated encryption
• AE schemes guarantee both CCA-security and message integrity

Defining Authenticated Encryption

• Let \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) be private-key encryption scheme.
• We want
  • \Pi to be CCA-secure
  • \Pi to satisfy existential unforgeability under an adaptive chosen-message attack
• But \Pi does not have the syntax of a MAC

MAC Definition

• A message authentication code (MAC) consists of three PPT algorithms (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) such that:

  1. \textsf{Gen} takes as input 1^n and outputs a key k with |k| \ge n

  2. The tag-generation algorithm \textsf{Mac} takes as input k and a message m \in \{0,1\}^*, and outputs a tag t

  3. The deterministic verification algorithm \textsf{Vrfy} takes as inputs k, m, and t. It outputs a bit b with b=1 meaning valid and b=0 meaning invalid

Unforgeable Encryption Experiment

• We want \Pi to satisfy a notion of message integrity

• Unforgeable encryption experiment \textsf{Enc-Forge}_{\mathcal{A}, \Pi}(n):

  • Run \textsf{Gen}(1^n) to obtain a key k

  • The adversary \mathcal{A} is given input 1^n and access to an encryption oracle \textsf{Enc}_k(\cdot)

  • The adversary outputs a ciphertext c

  • Let m \coloneqq \textsf{Dec}_k(c), and let \mathcal{Q} denote the set of all \mathcal{A}’s queries to its encryption oracle

  • The output of the experiment is 1 if and only if

    1. m \neq \perp and
    2. m \notin \mathcal{Q}.

Security Definitions

• A private-key encryption scheme \Pi is unforgeable if for all PPT adversaries \mathcal{A}, there is a negligible function such that: \Pr\left[ \textsf{Enc-Forge}_{\mathcal{A},\Pi}(n) = 1 \right] \le \textsf{negl}(n).
• A private-key encryption scheme \Pi is an authenticated encryption scheme if it is CCA-secure and unforgeable.
• It is possible to define AE schemes using a single experiment

Motivating the Definition (1/2)

• We will require two different scenarios to be indistinguishable to an attacker

• First scenario: The attacker is given access to encryption and decryption oracles

• Second scenario: The two oracles are changed as follows

  • The attacker is given access to \textsf{Enc}_k^0(\cdot) where \textsf{Enc}_k^0(m) = \textsf{Enc}_k(0^{|m|})

  • The attacker is given access to \textsf{Dec}_\perp(\cdot) that always returns the error symbol \perp

Motivating the Definition (2/2)

• If an attacker cannot distinguish between the two scenarios, then this means that

  1. any new ciphertexts generated by the attacker will be invalid and
  2. the attacker cannot distinguish a real encryption oracle from an oracle that always encrypts the all-zeros string.

• 1 \implies Chosen-ciphertext attacks become useless

• 2 \implies Chosen-plaintext attacks become useless

Authenticated-Encryption Experiment

For a private-key encryption scheme \Pi and adversary \mathcal{A}, define the experiment \textsf{PrivK}^{\textsf{ae}}_{\mathcal{A}, \Pi}(n):

• A key k is generated by running \textsf{Gen}(1^n).

• A uniform bit b \in \{0,1\} is chosen

• The adversary \mathcal{A} is given 1^n and access to two oracles:

  • If b = 0, then \mathcal{A} is given access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot).
  • If b = 1, then \mathcal{A} is given access to \textsf{Enc}^0_k(\cdot) and \textsf{Dec}_\perp(\cdot).

• \mathcal{A} is not allowed to query a ciphertext c to its second oracle that it previously received as the response from its first oracle.

• A outputs a bit b'

• The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.

AE Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) is an authenticated encryption (AE) scheme, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

• The two definitions of AE schemes are equivalent

Strongly Secure MACs

• A CPA-secure scheme and a strongly secure MAC can be combined to get an AE scheme

Message Authentication Experiment

• Recall the experiment \textsf{Mac-forge}_{\mathcal{A},\Pi}(n):
  • A key k is generated by running \textsf{Gen}(1^n)
  • The adversary \mathcal{A} is given input 1^n and oracle access to \textsf{Mac}_k(\cdot). The adversary eventually outputs (m,t)
  • Let \mathcal{Q} denote the set of all queries by \mathcal{A}
  • \mathcal{A} succeeds if and only if
    1. \textsf{Vrfy}_k(m,t) = 1 and
    2. m \notin \mathcal{Q}
  • If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Secure MAC Definition

• A MAC \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).
• A secure MAC ensures that an adversary cannot generate a valid tag on messages in \mathcal{Q}^c
• But it allows adversaries to generate different valid tags on messages in \mathcal{Q}
• In some settings, it is useful to prevent such behavior

Strongly Secure Message Authentication Experiment

• Consider the experiment \textsf{Mac-sforge}_{\mathcal{A},\Pi}(n):
  • A key k is generated by running \textsf{Gen}(1^n)
  • The adversary \mathcal{A} is given input 1^n and oracle access to \textsf{Mac}_k(\cdot). The adversary eventually outputs (m,t)
  • Let \mathcal{Q} denote the set of all query-response pairs (m,t)
  • \mathcal{A} succeeds if and only if
    1. \textsf{Vrfy}_k(m,t) = 1 and
    2. (m,t) \notin \mathcal{Q}
  • If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Strongly Secure MAC Definition

• A MAC \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is strongly secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that \Pr\left[ \textsf{Mac-sforge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).

• Proposition: Let \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) be a secure deterministic MAC that uses canonical verification. Then \Pi is strongly secure.

Authenticated Encryption Schemes

• A CPA-secure encryption scheme and a strongly secure MAC can be carefully combined to achieve an AE scheme
• There are three natural combinations; only one gives an AE scheme

The Three Combinations

• Let \Pi_E = (\textsf{Enc}, \textsf{Dec}) be a CPA-secure encryption scheme and let \Pi_M = (\textsf{Mac}, \textsf{Vrfy}) denote a strongly secure MAC
• Three natural approaches to combining encryption and authentication
  • Encrypt-and-authenticate
  • Authenticate-then-encrypt
  • Encrypt-then-authenticate

Encrypt-and-authenticate

• Assume independent keys k_E and k_M for \Pi_E and \Pi_M

• Encrypt-and-authenticate: Given a plaintext message m, the sender transmits ciphertext \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(m).

• The receiver decrypts c to recover m; assuming no error occurred, it then verifies the tag t.

• If a deterministic MAC is used, then not CPA-secure

Authenticate-then-encrypt

• Authenticate-then-encrypt: A MAC tag t is first computed, and then the message and tag are encrypted together
• Given a message m, the sender transmits the ciphertext c computed as: t \leftarrow \textsf{Mac}_{k_M}(m) \text{ and } c \leftarrow \textsf{Enc}_{k_E}(m \| t).
• The receiver decrypts c to recover m \| t; assuming no error occurred, it then verifies the tag t
• Padding-oracle attacks can be carried out

Encrypt-then-authenticate

• Encrypt-then-authenticate: Given a plaintext message m, the message is first encrypted and then a MAC tag is computed over the result

• The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).

• The receiver first verifies the tag t; assuming no error occurred it decrypts c to recover m.

• Theorem: If \Pi_E = (\textsf{Enc}, \textsf{Dec}) is a CPA-secure encryption scheme and \Pi_M = (\textsf{Mac}, \textsf{Vrfy}) is a strongly secure MAC, then the encrypt-then-authenticate approach is an authenticated encryption scheme

Intuition for Security of the Scheme

• The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).

• Strong security of \Pi_M \implies

  • Adversary cannot generate any c it did not receive from its encryption oracle
  • Decryption oracle is useless

Further Reading

• Sections 5.1, 5.2, 5.3 from Katz & Lindell
• Section 4.2 from Katz & Lindell (for strongly secure MACs)