Talk announcement please consider attending!

Transcription

1 Talk announcement please consider attending! Where: Maurer School of Law, Room 335 When: Thursday, Feb 5, 12PM 1:30PM Speaker: Rafael Pass, Associate Professor, Cornell University, Topic: Reasoning Cryptographically About Knowledge ABSTRACT: Cryptographic notions of knowledge consider the knowledge obtained, or possessed, by computationally-bounded agents under adversarial conditions. In this talk, we will survey some recent cryptographically-inspired approaches for reasoning about agents' knowledge in the context of mechanism design, coding theory, voting theory and weather forecasting.

2 Optional lab for Assignment 1 solutions: Date: TOMORROW (Tuesday, Feb 3) Time: 1PM 2PM Place: LH 101 (Assignment 2 is due one week from Wednesday!)

3 a1q3a Many students did not follow my hint! Let E be the event that m has property P and let F N be the event that A(m) outputs N consecutive zeros Question asks you to solve for Pr E F N A common (but incorrect) response: Pr[E] = ε (true) Pr F 0 E = δ (true) Pr F 0 E = 1 δ (true) Hence, Pr F 0 = ε δ (true) Hence, Pr F 0 = ε (1 δ) (not true!!! ) Hence, Pr F N = ε (1 δ) N (not true!!! ) Hence Pr[E F N ] = (1 ε 1 δ N ) (not true!!!) What is this probability???

4 a1q3c Another ubiquitous mistake (nobody lost marks, though). What is wrong with the following? 1 2 N /99 N hence, N = 24 consecutive 0s suffice. Log Log N 1 / N N N N 23.24

5 Last Wednesday s lecture: Pseudorandom functions and permutations Birthday bounds Block ciphers Modes of operation (maybe?) Today s lecture: Modes of operation Message authentication codes

6 Review: PRF formal definition Let Func[n] be the set of all function from {0,1} n to 0,1 n Def: A keyed function F: {0,1} {0,1} {0,1} is a pseudorandom function (PRF) iff, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D F(k, ) 1 n = 1 k R 0,1 n Pr D f 1 n = 1 f R Func[n] ε(n)

7 Review: PRF indistinguishability game 1 n 1 N Game 0: Challenger k R 0,1 n D given oracle access to F(k, ) Distinguisher D F(k, ) 1 n 1 N b {0,1} Game 1: 1 n 1 N Challenger f R Func[n] D given oracle access to f Distinguisher D f( ) 1 n 1 N b {0,1} Distinguisher s wins if it outputs b = 0 in Game 0 or b = 1 in Game 1

8 Review: PRP formal definition Let Perm[n] denote the set of all permutations on {0,1} n A keyed permutation is efficient if there is a PPT algorithm to compute its inverse. Def: A keyed permutation Π: {0,1} {0,1} {0,1} is a pseudorandom permutation (PRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D Π(k, ) 1 n = 1 k R 0,1 n Pr D π( ) 1 n = 1 π R Perm[n] ε(n)

9 Review: Strong PRPs Def: A keyed bijection Π: {0,1} {0,1} {0,1} is a strong pseudorandom permutation (SPRP) iff it is efficient and, for every PPT distinguisher D, there exists a negligible function ε: N R + such that Pr D Π k,,π 1 (k, ) 1 n = 1 k R 0,1 n Pr D π,π 1 ( ) 1 n = 1 π R Perm[n] ε(n) NOTE: Distinguisher gets oracle access both to the permutation and to the inverse permutation!

10 Fixed-length encryption from strong PRPs Gen(1 n ) outputs k R 0,1 n Enc k (m) outputs c Π k, m Dec k (c) outputs m Π 1 k, c Is this secure? Goals: YES, but only if the key is used to encrypt a single fixed-length plaintext Security for multiple encryptions variable-length encryption with short ciphertexts

11 I538: Introduction to Cryptography Ryan Henry Computationally secret encryption Modes of operation

12 Electronic Code Book (ECB) m m 1 m 2 m l m 1 m 2 k k k m 3 Π k Π k Π k c 1 c 2 c l c c 1 c 2 c l Split m into k -bit blocks and apply PRP Π k to each block individually Does ECB mode offer IND-CPA security? NO! Indistinguishable encryptions in the presence of an eavesdropper? NO!

13 Insecurity of ECB mode (b, 1 n ) 0,1 1 N 1 n 1 N Challenger m 0, m 1 M, m 0 = m 1 k Gen 1 n c Enc k (m b ) Attacker (A) b {0,1} Choose m, m {0,1} n one block each Set m 0 m m and m 1 m m two blocks each Output 1 if c has form c 1 c 1 and output 0 if c has form c 1 c 2 Advantage is Adv eav A = 1 2

14 Insecurity of ECB mode (in picture form) plaintext (bitmap) ECB mode ciphertext CBC mode ciphertext

15 Cipher Block Chaining (CBC) m m 1 m 2 m l m 1 m 2 k k k m l Π k Π k Π k IV c 1 c 2 c l c IV, c 1 c 2 c l Choose IV R {0,1} n and XOR first block with IV prior to encryption XOR each subsequent plaintext block with ciphertext of preceding block Reveal IV along with ciphertext

16 Output Feedback (OFB) m m 1 m 2 m l k k k F k F k F k IV m 1 c 1 m 2 c 2 m l c l c (IV, c 1 c 2 c l ) Choose IV R {0,1} n and XOR first block with F k (IV) i To encrypt ith plaintext block, XOR by F k Reveal IV along with ciphertext IV

17 Counter mode (CTR) m m 1 m 2 m l k IV+1 k IV+2 k IV+l F k F k F k m 1 m 2 m l c 1 c 2 c l c (IV, c 1 c 2 c l ) Essentially a block-by-block stream cipher

18 Comparing modes of operation Electronic Code Book (ECB) mode Pros: simple, parallelizable, non-malleable Cons: no CPA security, no secrecy in the presence of an eavesdropper Cipher Block Chaining (CBC) mode Pros: CPA-secure, parallelizable decryption Cons: encryption is inherently sequential, malleable Output Feedback (OFB) mode Pros: CPA-secure Cons: encryption and decryption both inherently sequential, malleable Counter (CTR) mode Pros: CPA-secure, fully parallelizable Cons: malleable

19 I538: Introduction to Cryptography Ryan Henry Message authentication codes Motivation, definitions, and constructions

20 Secrecy vs Authenticity So far we have only worried about message secrecy Secrecy / authenticity! OTP, stream cipher, CTR and OFB mode Flip bit of CT flip corresponding bit of PT ECB mode Flip bit of CT randomize block of PT Add/remove/permute CT blocks add/remove/permute PT blocks CBC mode Are authenticity attacks possible? YES! Is this detectable?

21 Malleability of CBC mode c (IV, c 1 c 2 c 3 ) c 1 c 2 k k k c 3 IV What integrity attacks are possible? Π 1 k Π 1 k Π 1 k m 1 m 2 m 3 Flip bit in IV flip corresponding bit in m 1 Truncate c 3 from CT truncate m 3 from PT Flip bit in c i randomize m i and flip corresponding bit in m i+1 m m 1 m 2 m 3

22 Non-cryptographic integrity checks Cyclic Redundancy Check (CRC) Detects random errors due to noise channel Not intended to detect intentional errors introduced by an Attacker Straw man proposal: Alice computes c Enc k (m) using CTR mode block cipher Alice computes t CRC(c) Ciphertext is c = c t What can possibly go wrong? c is malleable attacker can modify c and then update t to match!

23 Non-cryptographic integrity checks A candidate fix: Compute t CRC m Ciphertext is c Enc k (m t) What can possibly go wrong now? CRC is linear!! CRC x y z = CRC x CRC y CRC(z) Integrity in the presence of attackers requires a secret key

24 Message authentication codes (MACs) Def: A message authentication code (MAC) is a triple of algorithms (Gen, MAC, Ver) Gen: 1 N K is a randomized algorithm MAC: K M T is a (usually) deterministic algorithm Ver: K M T {0,1} is a deterministic algorithm Often write MAC k (m) instead of MAC k, m, Ver k (m, t) instead of Ver k, m, t M is the message space K is the key space T is the tag space set of possible messages set of possible keys set of possible tags

25 Correctness Intuitively: the property of being able to verify (given the right key) Def: A MAC (Gen, MAC, Ver) is correct if k K and m M, Pr[ Ver k (m, MAC k (m)) = 1 ] = 1

26 MAC-Forgery game 1 n 1 N MAC Oracle m 1 M Attacker 1 n 1 N k Gen(1 n ) t 1 MAC k (m 1 ) m 2 M t 2 MAC k (m 2 ) A MAC(k, ) m q M t q MAC k (m q ) (m, t) M T Attackers wins if (m, t) {(m 1, t 1 ),..., (m q, t q )} and Ver k m, t = 1

27 Existential unforgeability Intuitively: the property of being secure against malicious tampering A s success probability in the MAC-Forgery game denoted Adv MAC A Def: A MAC (Gen, MAC, Ver) is existentially unforgeable under adaptive chosen message attacks if, for every PPT adversary A, there exists a negligible function ε: N R + such that Adv MAC A ε n.

28 Fixed-length MAC from PRFs Gen(1 n ) outputs k R 0,1 n MAC k (m) outputs t F k, m Ver k (m, t) outputs 1 if F k, m = t and 0 otherwise Thm: If F: {0,1} n {0,1} n {0,1} n is a PRF, then (Gen, MAC, Ver) as defined above is existentially unforgeable under adaptive chosen message attacks.

29 PRF fixed-length MAC reduction PRF distinguisher (D) 1 n, O D gets oracle access either to MAC k ( ) or to a PRF F k, In both cases, k R {0,1} n oracle D has advantage Adv PRF D = Adv MAC A! b 1 n t 1 O(m 1 ) t q O(m q ) MAC attacker (A) m 1 m q Adv CPA A = ε(n) (m, t) /

30 Replay attacks MACs guarantee the authenticity of messages in most cases An important case where they do not is replay attacks Common ways to prevent replay: sequence numbers and timestamps

31 Naïve CBC-MAC Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 = 0 n compute t i = F k (t i 1 m i ) for i = 1,..., l output the tag t = t l Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

32 Naïve CBC-MAC m m 1 m 2 m 3 m 1 m 2 k k k m 3 F k F k F k 0 n t Is naïve CBC-MAC existentially unforgeable under adaptive chosen message attacks? NO! (but why?)

33 Attacking naïve CBC-MAC 1 n 1 N MAC Oracle Attacker 1 n 1 N k Gen(1 n ) A MAC(k, ) m M t MAC k (m) Indeed: t 1 F k m = t so that t 2 F k m t t = t (m m t, t) M T

34 CBC-MAC Fix 1: Prepend the length Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 F k (l) pad l to n bits compute t i F k (t i 1 m i ) for i = 1,..., l output the tag t F k (t l )? Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

35 CBC-MAC Fix 2: nested CBC-MAC (NMAC) Let F k k {0,1} be any PRF family Gen(1 n ) outputs k = (k 1, k 2 ) R 0,1 n {0,1} n MAC k m does the following: split m into n-bit blocks m 1,..., m l initialize t 0 0 n compute t i F k1 (t i 1 m i ) for i = 1,..., l output the tag t F k2 (t l )? Naïve CBC-MAC on the tag using second key Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

36 CBC-MAC Fix 3: Use a length-specific key Let F k k {0,1} be any PRF family Gen(1 n ) outputs k R 0,1 n MAC k m does the following: split m into n-bit blocks m 1,..., m l compute a key k l F k (l) initialize t 0 0 n compute t i F kl (t i 1 m i ) for i = 1,..., l output the tag t t l derive length-specific key from length + master key? Ver k (m, t) outputs 1 if t = MAC k (m) and 0 otherwise

37 CBC-MAC vs CBC mode encryption CBC mode uses random IV Otherwise, cannot be IND-CPA secure! CBC-MAC uses a fixed IV Otherwise, cannot be existentially unforgeable against chosen message attacks! CBC mode outputs every block of ciphertext Otherwise, cannot be correct! CBC-MAC only outputs last block Otherwise, cannot be existentially unforgeable against chosen message attacks!