CCA-Security and Authenticated Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

August 30, 2024

Chosen-Ciphertext Attacks

  • CPA-secure schemes guard against passive adversaries
    • Adversary can query encryption oracle but is still limited to observing the challenge ciphertext
  • Active adversaries are modeled by the CCA threat model
    • Such an adversary can modify the ciphertext before it is decrypted by the honest parties
    • In the real world, the adversary could observe the effect of the modification
    • In the worst-case, the corresponding plaintext is revealed

CCA Threat Model

  • Adversary has access to an encryption oracle
  • Adversary also has access to a decryption oracle
  • Adversary then attempts to recover information about the underlying plaintext of some other ciphertext produced using the same key

Padding-Oracle Attacks

  • A real-world example of the devastating effect of chosen-ciphertext attacks
  • Exploits a popular padding scheme for CBC-mode encryption to recover the whole plaintext

CBC-Mode Encryption

  • Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n

  • Let F be a block cipher with block length n

  • A uniform initialization vector (IV) of length n is chosen

  • c_0 = IV. For i = 1,\ldots,l, c_i \coloneqq F_k(c_{i-1}\oplus m_i)

  • For i = 1,2,\ldots,l, m_i \coloneqq F_k^{-1}(c_i)\oplus c_{i-1}.

Padding

  • In CBC-mode encryption, the message length is a multiple of the block length

  • If not, message needs to be padded

  • Let encoded data denote the padded message

  • Padding must be invertible

    • The message should be recoverable from the encoded data

Padding Scheme from PKCS #7 Standard

  • Let m denote the original message
  • Assume that |m| is an integral number of bytes
  • Let L be the block length of F in bytes
  • Let b denote the padding length in bytes
  • b is an integer from 1 to L
    • b =0 is not allowed

Padding Scheme from PKCS #7 Standard

  • Suppose L is less than 256
  • We append to the message the integer b (represented in 1 byte) repeated b times
  • For example, if 4 bytes are needed then 0x04040404 is appended
  • If |m| is already a multiple of L, then L bytes are appended each of which is equal to L

Removing the Padding

  • Given a ciphertext corresponding to encoded data, the receiver first applies the decryption algorithm

  • The value b of the last byte is read

  • The final b bytes of the encoded data are checked to be equal to b

Decryption Oracle from Padding Errors

  • If padding is incorrect, the standard procedure is to return a “bad padding” error

  • This error message is a partial decryption oracle

  • Using these error messages, an adversary can completely recover the original message

Padding Oracle Attack Example

  • Consider a 3-block ciphertext from CBC-mode encryption

  • m_2 = F_k^{-1}(c_2) \oplus c_1

  • Note that m_2 ends in \textsf{0x}b \textsf{0x}b \ldots \textsf{0x}b

Padding Oracle Attack Example

  • Suppose an adversary changes c_1 to c_1', but keeps IV and c_2 the same
  • Then m_2 is changed to m_2' = F_k^{-1}(c_2) \oplus c_1'
  • If the c_1 and c_1' differ only in the ith byte, then m_2 and m_2' also differ only in the ith byte

Padding Oracle Attack Example

Learning b

  • Suppose there is a server that receives ciphertexts and returns padding oracle error (if any)
  • The attacker modifies the first byte of c_1 to get c_1', and sends (IV, c_1', c_2) to the server
    • If error is returned, then b=L
    • The server is reading all L bytes of m_2'
  • Otherwise, the attacker modifies the second byte of c_1 and sends (IV, c_1', c_2). And so on.
  • The first byte where decryption fails reveals b

Padding Oracle Attack Example

Learning the Final Message Byte

  • If b=L, then m_2 consists of L bytes each equal to L
  • Suppose b < L
  • The attacker knows that the m_2 ends with \textsf{0x}M \textsf{0x}b \ldots \textsf{0x}b
  • Define \Delta_i as \begin{align*} \Delta_i = & \textsf{0x}00 \cdots \textsf{0x}00 &\textsf{0x}i \; &\overbrace{\textsf{0x}(b+1) \cdots \textsf{0x}(b+1)}^{b \text{ times}} \\ \oplus & \textsf{0x}00 \cdots \textsf{0x}00 & \textsf{0x}00 \; & \overbrace{\textsf{0x}b \cdots \textsf{0x}b}^{b \text{ times}} \end{align*}

Padding Oracle Attack Example

Learning the Final Message Byte in m_2

  • Attacker sends (IV, c_1 \oplus \Delta_i, c_2) to the server
  • The final b+1 bytes of the resulting encoded data are \textsf{0x}(M\oplus i)\underbrace{\textsf{0x}(b+1) \cdots \textsf{0x}(b+1)}_{b \text{ times}}
  • Decryption fails unless \textsf{0x}(M \oplus i) = \textsf{0x}(b+1)
  • Attacker needs to try at most 256 values for i
  • When decryption succeeds, attacker learns that M = \textsf{0x}(b+1) \oplus \textsf{0x}i

Padding Oracle Attack Example

Learning the Other Message Bytes in m_2

  • If b=L-1, m_2 has been fully recovered
  • Suppose b < L-1
  • Now, the attacker knows that the m_2 ends with \textsf{0x}M\textsf{0x}a \textsf{0x}b \ldots \textsf{0x}b for an unknown M and known a
  • What can the attacker do to recover this M?

Padding Oracle Attack Example

Learning Message Bytes in m_1

  • Suppose an adversary changes IV to IV', but keeps c_1 the same
  • Then m_1 is changed to m_1' = F_k^{-1}(c_1) \oplus IV'
  • If the IV and IV' differ only in the ith byte, then m_1 and m_1' also differ only in the ith byte

Padding Oracle Attack Example

Learning Message Bytes in m_1

  • For 0 \le i \le 255, the attacker chooses \Delta_i as \begin{align*} \Delta_i = \underbrace{\textsf{0} \| \textsf{0} \| \cdots \| \textsf{0}}_{L-1 \text{ times}} \| \underbrace{i}_{\text{1 byte}} \end{align*}

  • The attacker sends (IV \oplus \Delta_i, c_1) to the padding oracle.

  • Then m_1 is changed to m_1^{(i)} = F_k^{-1}(c_1) \oplus IV \oplus \Delta_i = m_1 \oplus \Delta_i

  • Key observation: For at least one i, the padding oracle returns \textsf{ok}

Padding Oracle Attack Example

Learning Message Bytes in m_1

  • Let m_{1,j} denote the jth byte of m_1 for j \in \{1,2,\ldots,L\}
  • If m_{1,L} \oplus i = 1, then the padding oracle will return \textsf{ok} for any values of m_{1,1}, m_{1,2}, \cdots, m_{1,L-1}
  • If m_{1,L} \oplus i = 2, then padding oracle will return \textsf{ok} if m_{1,L-1} = 2
  • If m_{1,L} \oplus i = 3, then padding oracle will return \textsf{ok} if m_{1, L-2} =m_{1,L-1} = 3
  • How can we recover m_1?

Defining CCA-Security

  • Adversary is given access to both an encryption oracle and a decryption oracle
  • Adversary then chooses a pair of messages m_0, m_1
  • An encryption scheme will be CCA-secure if the adversary cannot determine which one was encrypted with probability significantly better than \frac{1}{2}

CCA Indistinguishability Experiment

Consider the CCA indistinguishability experiment \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A}, \Pi}(n):

  • A key k is generated by running \textsf{Gen}(1^n).

  • The adversary \mathcal{A} is given 1^n and oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)

  • It outputs a pair of messages m_0, m_1 \in \mathcal{M} with |m_0| = |m_1|.

  • A uniform bit b \in \{0,1\} is chosen

  • Ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}. c is called the challenge ciphertext

  • The adversary \mathcal{A} continues to have oracle access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot)

  • \mathcal{A} is not allowed to query the latter on the challenge ciphertext itself

  • Eventually, \mathcal{A} outputs a bit b'

  • The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.

CCA Security Definition

  • A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions under a chosen-ciphertext attack, or is CCA-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

Previous Schemes are not CCA-secure

  • All the schemes we have seen so far are not CCA-secure
  • Consider the CPA-secure scheme where m \in \{0,1\}^n was encrypted as \langle r, F_k(r) \oplus m \rangle for some random r \in \{0,1\}^n
  • How can we show that it is not CCA-secure?

Authenticated Encryption

  • Instead of constructing a CCA-secure encryption, we will construct a scheme that achieves authenticated encryption
  • AE schemes guarantee both CCA-security and message integrity

Defining Authenticated Encryption

  • Let \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) be a private-key encryption scheme.
  • We want
    • \Pi to be CCA-secure
    • \Pi to satisfy existential unforgeability under an adaptive chosen-message attack
  • But \Pi does not have the syntax of a MAC

MAC Definition

  • A message authentication code (MAC) consists of three PPT algorithms (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) such that:

    1. \textsf{Gen} takes as input 1^n and outputs a key k with |k| \ge n

    2. The tag-generation algorithm \textsf{Mac} takes as input k and a message m \in \{0,1\}^*, and outputs a tag t

    3. The deterministic verification algorithm \textsf{Vrfy} takes as inputs k, m, and t. It outputs a bit b with b=1 meaning valid and b=0 meaning invalid

Unforgeable Encryption Experiment

  • We want \Pi to satisfy a notion of message integrity

  • Unforgeable encryption experiment \textsf{Enc-Forge}_{\mathcal{A}, \Pi}(n):

    • Run \textsf{Gen}(1^n) to obtain a key k

    • The adversary \mathcal{A} is given input 1^n and access to an encryption oracle \textsf{Enc}_k(\cdot)

    • The adversary outputs a ciphertext c

    • Let m \coloneqq \textsf{Dec}_k(c), and let \mathcal{Q} denote the set of all \mathcal{A}’s queries to its encryption oracle

    • The output of the experiment is 1 if and only if

      1. m \neq \perp and
      2. m \notin \mathcal{Q}.

Security Definitions

  • A private-key encryption scheme \Pi is unforgeable if for all PPT adversaries \mathcal{A}, there is a negligible function such that: \Pr\left[ \textsf{Enc-Forge}_{\mathcal{A},\Pi}(n) = 1 \right] \le \textsf{negl}(n).
  • A private-key encryption scheme \Pi is an authenticated encryption scheme if it is CCA-secure and unforgeable.
  • It is possible to define AE schemes using a single experiment

Motivating the Definition (1/2)

  • We will require two different scenarios to be indistinguishable to an attacker

  • First scenario: The attacker is given access to encryption and decryption oracles

  • Second scenario: The two oracles are changed as follows

    • The attacker is given access to \textsf{Enc}_k^0(\cdot) where \textsf{Enc}_k^0(m) = \textsf{Enc}_k(0^{|m|})

    • The attacker is given access to \textsf{Dec}_\perp(\cdot) that always returns the error symbol \perp (on ciphertexts not generated by the encryption oracle)

Motivating the Definition (2/2)

  • If an attacker cannot distinguish between the two scenarios, then this means that

    1. any new ciphertexts generated by the attacker will be invalid and
    2. the attacker cannot distinguish a real encryption oracle from an oracle that always encrypts the all-zeros string.

  • 1 \implies Chosen-ciphertext attacks become useless

  • 2 \implies Chosen-plaintext attacks become useless

Authenticated-Encryption Experiment

For a private-key encryption scheme \Pi and adversary \mathcal{A}, define the experiment \textsf{PrivK}^{\textsf{ae}}_{\mathcal{A}, \Pi}(n):

  • A key k is generated by running \textsf{Gen}(1^n).

  • A uniform bit b \in \{0,1\} is chosen

  • The adversary \mathcal{A} is given 1^n and access to two oracles:

    • If b = 0, then \mathcal{A} is given access to \textsf{Enc}_k(\cdot) and \textsf{Dec}_k(\cdot).
    • If b = 1, then \mathcal{A} is given access to \textsf{Enc}^0_k(\cdot) and \textsf{Dec}_\perp(\cdot).

  • \mathcal{A} is not allowed to query a ciphertext c to its second oracle that it previously received as the response from its first oracle.

  • \mathcal{A} outputs a bit b'

  • The output of the experiment is defined to be 1 if b' = b, and 0 otherwise. If output is 1, we say that \mathcal{A} succeeds.

AE Security Definition

  • A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) is an authenticated encryption (AE) scheme, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{ae}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

  • The two definitions of AE schemes are equivalent

Strongly Secure MACs

  • A CPA-secure scheme and a strongly secure MAC can be combined to get an AE scheme

Message Authentication Experiment

  • Recall the experiment \textsf{Mac-forge}_{\mathcal{A},\Pi}(n):
    • A key k is generated by running \textsf{Gen}(1^n)
    • The adversary \mathcal{A} is given input 1^n and oracle access to \textsf{Mac}_k(\cdot). The adversary eventually outputs (m,t)
    • Let \mathcal{Q} denote the set of all queries by \mathcal{A}
    • \mathcal{A} succeeds if and only if
      1. \textsf{Vrfy}_k(m,t) = 1 and
      2. m \notin \mathcal{Q}
    • If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Secure MAC Definition

  • A MAC \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that \Pr\left[ \textsf{Mac-forge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).
  • A secure MAC ensures that an adversary cannot generate a valid tag on messages in \mathcal{Q}^c
  • But it allows adversaries to generate different valid tags on messages in \mathcal{Q}
  • In some settings, it is useful to prevent such behavior

Strongly Secure Message Authentication Experiment

  • Consider the experiment \textsf{Mac-sforge}_{\mathcal{A},\Pi}(n):
    • A key k is generated by running \textsf{Gen}(1^n)
    • The adversary \mathcal{A} is given input 1^n and oracle access to \textsf{Mac}_k(\cdot). The adversary eventually outputs (m,t)
    • Let \mathcal{Q} denote the set of all query-response pairs (m,t)
    • \mathcal{A} succeeds if and only if
      1. \textsf{Vrfy}_k(m,t) = 1 and
      2. (m,t) \notin \mathcal{Q}
    • If \mathcal{A} succeeds, the output of the experiment is 1. Otherwise, the output is 0.

Strongly Secure MAC Definition

  • A MAC \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) is strongly secure, if for all PPT adversaries \mathcal{A}, there is a negligible function such that \Pr\left[ \textsf{Mac-sforge}_{\mathcal{A}, \Pi}(n) = 1\right] \le \textsf{negl}(n).

  • Proposition: Let \Pi = (\textsf{Gen}, \textsf{Mac}, \textsf{Vrfy}) be a secure deterministic MAC that uses canonical verification. Then \Pi is strongly secure.

Authenticated Encryption Schemes

  • A CPA-secure encryption scheme and a strongly secure MAC can be carefully combined to achieve an AE scheme
  • There are three natural combinations; only one gives an AE scheme

The Three Combinations

  • Let \Pi_E = (\textsf{Enc}, \textsf{Dec}) be a CPA-secure encryption scheme and let \Pi_M = (\textsf{Mac}, \textsf{Vrfy}) denote a strongly secure MAC
  • Three natural approaches to combining encryption and authentication
    • Encrypt-and-authenticate
    • Authenticate-then-encrypt
    • Encrypt-then-authenticate

Encrypt-and-authenticate

  • Assume independent keys k_E and k_M for \Pi_E and \Pi_M

  • Encrypt-and-authenticate: Given a plaintext message m, the sender transmits ciphertext \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(m).

  • The receiver decrypts c to recover m; assuming no error occurred, it then verifies the tag t.

  • If a deterministic MAC is used, then not CPA-secure

Authenticate-then-encrypt

  • Authenticate-then-encrypt: A MAC tag t is first computed, and then the message and tag are encrypted together
  • Given a message m, the sender transmits the ciphertext c computed as: t \leftarrow \textsf{Mac}_{k_M}(m) \text{ and } c \leftarrow \textsf{Enc}_{k_E}(m \| t).
  • The receiver decrypts c to recover m \| t; assuming no error occurred, it then verifies the tag t
  • Padding-oracle attacks can be carried out

Encrypt-then-authenticate

  • Encrypt-then-authenticate: Given a plaintext message m, the message is first encrypted and then a MAC tag is computed over the result

  • The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).

  • The receiver first verifies the tag t; assuming no error occurred it decrypts c to recover m.

  • Theorem: If \Pi_E = (\textsf{Enc}, \textsf{Dec}) is a CPA-secure encryption scheme and \Pi_M = (\textsf{Mac}, \textsf{Vrfy}) is a strongly secure MAC, then the encrypt-then-authenticate approach is an authenticated encryption scheme

Intuition for Security of the Scheme

  • The ciphertext is the pair \langle c, t \rangle where: c \leftarrow \textsf{Enc}_{k_E}(m) \text{ and } t \leftarrow \textsf{Mac}_{k_M}(c).

  • Strong security of \Pi_M \implies

    • Adversary cannot generate any c it did not receive from its encryption oracle
    • Decryption oracle is useless

Further Reading

  • Sections 5.1, 5.2, 5.3 from Katz & Lindell
  • Section 4.2 from Katz & Lindell (for strongly secure MACs)