Secure Channels, Summer Term 2018
Problem Set 2
Prof. Stefan Lucks, Eik List
May 4, 2018
Chair of Media Security Secure Channels Summer 2018 May 4, 2018 1/21
Agenda
In this problem set, you should learn or deepen your understanding of ...
... security notions for encryption,
... their relations, and
... reductionist proofs (simulator proofs).
Simulator Proofs – Relations among Notions
How can we show:
Notion X ⇒ Notion Y ?
Means: Every scheme Π that is secure against X-adversaries is also secure against Y-adversaries.
By contradiction!
If an efficient Y-adversary A_Y that wins the Y security game existed, then we could use (= simulate) it to win the X security game.
⇒ There exists no efficient Y-adversary with significant advantage on Π.
Simulator Proofs – Relations among Notions
[Figure: generic simulator. A_Y runs inside A_X, which talks to the oracle O_X. The input of A_Y becomes the input of A_X to O_X; the response of O_X is translated into the response to A_Y; the result of A_Y is turned into the result of A_X, which O_X judges as win/not win.]
Task 1: Simulator Proofs – Relations among Notions
a) RoR-CPA security ⇒ LoR-CPA security
b) Sem-CPA security ⇒ FtG-CPA security
c) LoR-CPA security ⇒ FtG-CPA security
[Figure: the generic simulator diagram from the previous slide (A_Y inside A_X, talking to O_X).]
Task 1a) LoR-CPA ⇒ RoR-CPA
[Figure: A_LoR-CPA runs inside A_RoR-CPA, which talks to O_RoR-CPA. A_LoR-CPA sends (M^0_i, M^1_i); A_RoR-CPA sends M^b_i to its oracle and returns C_i; A_LoR-CPA outputs β′, which A_RoR-CPA forwards; the oracle checks β′ = β.]
Initialization: A_RoR-CPA chooses b ←$ {0, 1}
Querying: A_RoR-CPA forwards the messages M^b_i to its oracle and the responses C_i to A_LoR-CPA, for 1 ≤ i ≤ q
Guessing: A_RoR-CPA forwards the bit β′ to the oracle
Task 1a) LoR-CPA ⇒ RoR-CPA – Advantage
2 cases:
1. O_RoR-CPA returns real ciphertexts: exactly the LoR-CPA setting ⇒ Adv(A_RoR-CPA) = Adv(A_LoR-CPA)
2. O_RoR-CPA returns random ciphertexts: A_LoR-CPA has no advantage in general ⇒ Adv(A_RoR-CPA) ≥ 0.
Both cases occur with probability 1/2:
Adv(A_RoR-CPA) = 1/2 · Adv(A_LoR-CPA) + 0 · 1/2
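The reduction of Task 1a), run as a simulation. This is an added example, not the slides' own code. It assumes a constructed n-bit scheme whose ciphertext leaks lsb(M) (so a LoR-CPA adversary that picks M^0_i and M^1_i differing only in the last bit always wins), builds A_RoR-CPA from A_LoR-CPA exactly as on the slide with q = 1, and reads "forwards β′" as: output "real" iff β′ = b. Advantage is taken as Pr[win] − 1/2, an assumption of this example. The two cases of the advantage slide show up in the numbers: in the real world A_RoR-CPA wins whenever A_LoR-CPA does, in the random world it wins with probability 1/2, giving Adv(A_RoR-CPA) = 1/2 · Adv(A_LoR-CPA).

```python
import random


def lsb(x: int) -> int:
    return x & 1


def encr_leaky(m: int, n: int, rng: random.Random) -> int:
    """Constructed n-bit scheme: a fresh random ciphertext whose last bit is
    overwritten with lsb(M). It stands in for a scheme with a LoR-CPA weakness."""
    return (rng.getrandbits(n) & ~1) | lsb(m)


def lor_adversary_query(n: int, rng: random.Random):
    """A_LoR-CPA's query (M^0_i, M^1_i): identical except for the least significant bit."""
    base = rng.getrandbits(n) & ~1
    return base, base | 1


def lor_adversary_guess(c: int) -> int:
    """A_LoR-CPA's guess beta' from the ciphertext C_i: the leaked bit."""
    return lsb(c)


def lor_win_rate(n: int, trials: int, seed: int = 0) -> float:
    """Plain LoR-CPA game (q = 1) against encr_leaky; A_LoR-CPA wins every time."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        beta = rng.getrandbits(1)                  # LoR oracle's secret bit
        pair = lor_adversary_query(n, rng)
        c = encr_leaky(pair[beta], n, rng)         # oracle encrypts M^beta
        wins += int(lor_adversary_guess(c) == beta)
    return wins / trials


def ror_from_lor_win_rate(n: int, trials: int, seed: int = 0) -> float:
    """A_RoR-CPA built from A_LoR-CPA as on the slide (q = 1).
    Initialization: choose b. Querying: send M^b to the RoR oracle, hand C back
    to A_LoR-CPA. Guessing: output 'real' iff A_LoR-CPA's beta' equals b."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        real = rng.getrandbits(1)                  # RoR oracle's secret: 1 = real, 0 = random
        b = rng.getrandbits(1)                     # Initialization
        pair = lor_adversary_query(n, rng)         # query of the simulated A_LoR-CPA
        if real:
            c = encr_leaky(pair[b], n, rng)        # real ciphertext of M^b
        else:
            c = rng.getrandbits(n)                 # random string of the same length
        beta_prime = lor_adversary_guess(c)        # C handed to A_LoR-CPA, its guess read off
        guess_real = int(beta_prime == b)          # Guessing
        wins += int(guess_real == real)
    return wins / trials


def advantage(win_rate: float) -> float:
    """Advantage as Pr[win] - 1/2 (the convention assumed in this example)."""
    return win_rate - 0.5


if __name__ == "__main__":
    lor = lor_win_rate(8, 2000)
    ror = ror_from_lor_win_rate(8, 4000)
    print(f"Adv(A_LoR-CPA) = {advantage(lor):.3f}, Adv(A_RoR-CPA) = {advantage(ror):.3f}")
```

Against this scheme Adv(A_LoR-CPA) is 1/2, so the simulated A_RoR-CPA wins about 3/4 of the games, i.e. Adv(A_RoR-CPA) ≈ 1/4; the factor 1/2 is exactly the price of the random-world case, where the inner adversary's guess carries no information about b.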
Task 1b) Sem-CPA ⇒ FtG-CPA
[Figure: A_FtG-CPA runs inside A_Sem-CPA, which talks to O_Sem-CPA. For 1 ≤ i < q′ and q′ < i ≤ q the queries M_i and responses C_i are passed straight through; the challenge pair (M^0_q′, M^1_q′) is turned into the distribution M, the oracle returns C^β_q′ ← Encr_K(M^β_q′), which is passed to A_FtG-CPA; A_FtG-CPA outputs β′ and A_Sem-CPA finally sends (f, α = 1).]
Initialization: As in the usual Sem-CPA game
Querying: A_Sem-CPA simply forwards queries from and to A_FtG-CPA
Challenge: After A_FtG-CPA chooses the challenge query (M^0_q′, M^1_q′), A_Sem-CPA derives the distribution M:
M(M) := 1/2 if M = M^0_q′, 1/2 if M = M^1_q′, 0 otherwise.
⇒ The oracle chooses M_q′ as either M^0_q′ or M^1_q′ at random, with probability 1/2 each
Guessing: A_FtG-CPA outputs β′. A_Sem-CPA chooses f to model exactly the FtG-CPA response:
f(M) := 1 if M = M^{β′}_q′, 0 otherwise.
A_Sem-CPA sends (f, α = 1) to the oracle.
It holds:
Adv(A_Sem-CPA) = Adv(A_FtG-CPA)
Task 1c) LoR-CPA ⇒ FtG-CPA
[Figure: A_FtG-CPA runs inside A_LoR-CPA, which talks to O_LoR-CPA. Each query M_i for 1 ≤ i < q′ and q′ < i ≤ q is forwarded as the pair (M_i, M_i) and C_i is returned; the challenge pair (M^0_q′, M^1_q′) is forwarded unchanged and C^β_q′ is returned; A_FtG-CPA outputs β′, which is forwarded; the oracle checks β = β′.]
Querying: A_LoR-CPA submits M_i twice to its oracle, as the pair (M_i, M_i)
Challenge/Guessing: Exactly as in the FtG-CPA game
Adv(A_LoR-CPA) = Adv(A_FtG-CPA)
Parity Security
For all n-bit strings X = (x_1, ..., x_n):
Parity(X) = x_1 ⊕ x_2 ⊕ ... ⊕ x_n
Parity-Chosen-Plaintext-Security (Par-CPA) Experiment
The oracle chooses K ←$ {0, 1}^k
1. For 1 ≤ i ≤ q′ < q: Eve chooses M_i ∈ {0, 1}^n and asks the oracle for C_i ← Encr_K(M_i).
2. Eve chooses a distribution M of n-bit plaintexts and sends M to the oracle.
3. The oracle chooses at random a message M ←M {0, 1}^n according to M and responds with C ← Encr_K(M).
4. For q′ + 1 ≤ i ≤ q: Eve chooses M_i ∈ {0, 1}^n and asks the oracle for C_i ← Encr_K(M_i).
5. Eve outputs a bit β ∈ {0, 1}. She wins iff Parity(M) = β.
Task 2: Parity Security
a) Prove (or disprove): Sem-CPA ⇒ Par-CPA
b) Prove (or disprove): Par-CPA ⇒ Sem-CPA
Task 2a) Sem-CPA ⇒ Par-CPA
[Figure: A_Par-CPA runs inside A_Sem-CPA, which talks to O_Sem-CPA. The queries M_i and responses C_i for 1 ≤ i < q′ and q′ < i ≤ q are passed straight through; the distribution M is forwarded and C^β_q′ ← Encr_K(M^β_q′) is returned to A_Par-CPA; A_Par-CPA outputs α and A_Sem-CPA sends (Parity, α); the oracle checks Parity(M^β_q′) = α.]
Initialization: As in the usual Sem-CPA game
Querying: A_Sem-CPA simply forwards queries from and to A_Par-CPA
Guessing: A_Par-CPA outputs β′ as its guess for Parity(M). A_Sem-CPA chooses f(M) := Parity(M) and α = β′.
Adv(A_Sem-CPA) = Adv(A_Par-CPA)
Task 2b) Par-CPA ⇏ Sem-CPA
Assume: a Sem-CPA-secure Encr : {0, 1}^k × {0, 1}^n → {0, 1}^n, and lsb : {0, 1}^n → {0, 1}, which returns the least significant bit.
Define: Encr′ : {0, 1}^k × {0, 1}^n → {0, 1}^n,
Encr′_K(M) := Encr_K(M)[n..2] ‖ lsb(M).
[Figure: M is encrypted under Encr_K; the last bit of the result is replaced by lsb(M) to form the ciphertext C of Encr′_K.]
Clearly: Encr′ is not Sem-CPA-secure, but can be Par-CPA-secure.
It follows: Par-CPA ⇏ Sem-CPA

Task 2b) Par-CPA ⇏ Sem-CPA
Define A_Sem-CPA:
Chooses M as the uniform distribution over all n-bit plaintexts
Derives α ← lsb(C_q′)
Provides f(M) := lsb(M) and α as final steps to the oracle.
A_Sem-CPA always wins the Sem-CPA game against Encr′.
But: Assuming Encr is Sem-CPA-secure and n > 1:
⇒ No information about the parity in the ciphertexts (for n = 1, the leaked LSB would be the parity).
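The separation of Task 2b), run as a simulation. This is an added example, not the slides' own code. It assumes a constructed idealised Encr (a fresh random n-bit string, independent of M and with the key omitted, modelling the assumption that Encr_K(M) reveals nothing about M), builds Encr′ from it as on the slide, runs the Sem-CPA adversary defined above (uniform M, f = lsb, α = lsb(C)), and for comparison runs a Par-CPA adversary that guesses β = lsb(C), the only plaintext bit Encr′ exposes. The Sem-CPA adversary always wins; the parity guess wins with probability 1/2 for n > 1 and always in the n = 1 edge case noted on the slide.

```python
import random


def lsb(x: int) -> int:
    return x & 1


def parity(x: int, n: int) -> int:
    """Parity(X) = x_1 xor ... xor x_n over the n low bits of x."""
    return bin(x & ((1 << n) - 1)).count("1") & 1


def encr_ideal(m: int, n: int, rng: random.Random) -> int:
    """Constructed stand-in for the assumed Sem-CPA-secure Encr_K: the n-bit
    ciphertext is drawn fresh at random, so it carries no information about m."""
    return rng.getrandbits(n)


def encr_prime(m: int, n: int, rng: random.Random) -> int:
    """Encr'_K(M) := Encr_K(M)[n..2] || lsb(M), the counterexample from the slide."""
    c = encr_ideal(m, n, rng)
    return (c & ~1) | lsb(m)


def sem_cpa_win_rate(n: int, trials: int, seed: int = 0) -> float:
    """Sem-CPA game against Encr' with the slide's adversary:
    M uniform, f(M) := lsb(M), alpha := lsb(C). The oracle checks f(M) == alpha."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        m = rng.getrandbits(n)            # oracle samples M from the uniform distribution
        c = encr_prime(m, n, rng)         # C_q' returned to the adversary
        alpha = lsb(c)                    # adversary derives alpha from the ciphertext
        wins += int(lsb(m) == alpha)      # f(M) == alpha ?
    return wins / trials


def par_cpa_win_rate(n: int, trials: int, seed: int = 0) -> float:
    """Par-CPA game against Encr' where Eve guesses beta := lsb(C).
    For n = 1 the leaked bit is the parity; for n > 1 the other bits are hidden."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        m = rng.getrandbits(n)
        c = encr_prime(m, n, rng)
        beta = lsb(c)
        wins += int(parity(m, n) == beta)
    return wins / trials


if __name__ == "__main__":
    print("Sem-CPA, n=8 :", sem_cpa_win_rate(8, 2000))
    print("Par-CPA, n=8 :", par_cpa_win_rate(8, 4000))
    print("Par-CPA, n=1 :", par_cpa_win_rate(1, 2000))
```

The Sem-CPA win rate is exactly 1 because α is read off the bit that Encr′ copies verbatim; the parity win rate sits at 1/2 for n = 8 because the other n − 1 bits of M are independent of C, and jumps to 1 for n = 1, which is why the slide requires n > 1.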
Task 3: Padding-oracle Attack on CBC
System: AES-CBC encryption (1 block = 16 bytes)
Known: Ciphertext (C_0, ..., C_m)
Goal: Recover the original plaintext (M_1, ..., M_m)
[Figure: CBC encryption chain. C_0 is the IV; for i = 1, ..., m, C_i = E_K(M_i ⊕ C_{i−1}).]
Task 3: Padding-oracle Attack on CBC
Padding:
N = 16 − (|M| mod 16)
M = M ‖ ⟨N⟩^N (the byte ⟨N⟩ repeated N times)
E.g.:
pad((M_1, ..., M_15)) = (M_1, ..., M_15, 1)
pad((M_1, ..., M_7)) = (M_1, ..., M_7, 9, ..., 9)
pad((M_1, ..., M_16)) = (M_1, ..., M_16, 16, ..., 16).
[Figure: the CBC encryption chain from the previous slide.]
Task 3: Padding-oracle Attack on CBC
[Figure: the CBC chain (C_0, ..., C_m) with a difference D XORed into one ciphertext block before decryption.]
1: for all blocks i from m − 1 downto 0 do
2:   D := (D_15, ..., D_0) = (0, ..., 0)
3:   for all bytes j from 0 to 15 do
4:     for v from 0 to 255 do
5:       Compute byte D_j := v ⊕ (j + 1)
6:       Ask for the decryption of
7:         C′ := (C_0, ..., C_{i−1}, C_i ⊕ D, C_{i+1})
8:       if C′ is deemed valid then
9:         Store byte M^j_{i+1} := v
10:        For all k ∈ {0, ..., j}: D_k := M^j_{i+1} ⊕ (j + 1) ⊕ (j + 2)
11:        Guess next byte (goto 3)
12: return the recovered plaintext M = (M_1, ..., M_m)
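The receiver-side behaviour that line 8 depends on, and the fix the recap points to, as an added example that is not the slides' own code. It implements the padding rule from the previous slide, CBC over a constructed 16-byte Feistel cipher (a stand-in for AES, since the Python standard library has none), a receiver that reports whether the padding of the decrypted message is valid, and an encrypt-then-MAC receiver that verifies an HMAC tag before unpadding. Instead of running the recovery loop it measures the signal that loop needs: how many of the 255 single-byte modifications of the last byte of C_{m−1} each receiver accepts. For the padding-only receiver that count depends on the plaintext; for the authenticated receiver it is always zero. Keys and IV are constructed test values.

```python
import hashlib
import hmac

BLOCK = 16


def pad(m: bytes) -> bytes:
    """Padding from the slide: N = 16 - (|M| mod 16), append N copies of <N>."""
    n = BLOCK - (len(m) % BLOCK)
    return m + bytes([n]) * n


def unpad(p: bytes) -> bytes:
    """Strict inverse of pad; raises ValueError on malformed padding."""
    if not p or len(p) % BLOCK:
        raise ValueError("bad length")
    n = p[-1]
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]


def _round(k: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(k + bytes([i]) + half).digest()[:8]


def block_encrypt(k: bytes, x: bytes) -> bytes:
    """Constructed 16-byte Feistel cipher (4 SHA-256 rounds) standing in for AES."""
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(k, i, r)))
    return l + r


def block_decrypt(k: bytes, y: bytes) -> bytes:
    l, r = y[:8], y[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(k, i, l))), l
    return l + r


def cbc_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """Returns C_0 || C_1 || ... || C_m with C_0 = IV and C_i = E_K(M_i xor C_{i-1})."""
    p, prev, out = pad(m), iv, [iv]
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(k, bytes(a ^ b for a, b in zip(p[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    """Inverse of cbc_encrypt; returns the still-padded plaintext."""
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    p = b""
    for prev, cur in zip(blocks, blocks[1:]):
        p += bytes(a ^ b for a, b in zip(block_decrypt(k, cur), prev))
    return p


def padding_oracle(k: bytes, c: bytes) -> bool:
    """Vulnerable receiver: 'valid' iff the padding of D_K(C) is well-formed."""
    try:
        unpad(cbc_decrypt(k, c))
        return True
    except ValueError:
        return False


def encrypt_then_mac(k_enc: bytes, k_mac: bytes, iv: bytes, m: bytes) -> bytes:
    c = cbc_encrypt(k_enc, iv, m)
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def authenticated_oracle(k_enc: bytes, k_mac: bytes, ct: bytes) -> bool:
    """Hardened receiver: the tag is checked before any padding is touched, so a
    modified ciphertext is rejected for the same reason whatever its padding."""
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, c, hashlib.sha256).digest(), tag):
        return False
    return padding_oracle(k_enc, c)


def count_accepted_tampers(oracle, ct: bytes, byte_index: int) -> int:
    """XOR ct[byte_index] with every non-zero mask v and count acceptances.
    A plaintext-dependent count is exactly the one bit of information per
    query that the loop on the slide consumes."""
    accepted = 0
    for v in range(1, 256):
        t = bytearray(ct)
        t[byte_index] ^= v
        accepted += int(oracle(bytes(t)))
    return accepted


if __name__ == "__main__":
    k_enc, k_mac, iv = b"e" * 16, b"m" * 16, bytes(16)   # constructed test values
    msg = b"A" * 14                                      # padded with two 0x02 bytes
    c = cbc_encrypt(k_enc, iv, msg)
    print("padding-only receiver accepts:", count_accepted_tampers(lambda x: padding_oracle(k_enc, x), c, 15))
    ct = encrypt_then_mac(k_enc, k_mac, iv, msg)
    print("encrypt-then-MAC receiver accepts:", count_accepted_tampers(lambda x: authenticated_oracle(k_enc, k_mac, x), ct, 15))
```

For a one-block message of 14 bytes the padding-only receiver accepts exactly one of the 255 modifications of the IV's last byte (the one that turns the final 0x02 into 0x01), which is the kind of answer line 8 of the algorithm waits for; the encrypt-then-MAC receiver accepts none, because the tag fails before unpad ever runs. That is the content of the recap line "Encryption ≠ Authenticated Encryption".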
Recap
Reductionist Proofs
Encryption ≠ Authenticated Encryption
Questions?