Authenticated Encryption. Jeremy, Paul, Ken, and Mike




Transcription:

Authenticated Encryption. Jeremy, Paul, Ken, and Mike

Objectives: Examine three methods of authenticated encryption and determine the best solution, considering performance and security.

Basic Components: Message Authentication Code + Symmetric Encryption. Both of these components are used as black boxes.

Generic Composition. Symmetric encryption scheme $SE$: $E$ - encryption algorithm, $D$ - decryption algorithm. Message authentication scheme $MA$: $T$ - tagging algorithm, $V$ - tag verifying algorithm. $\mathcal{K}$ - randomized key generation algorithm; $\kappa$ - security parameter (length of the key); $K$ - the key. Note: we separate the tagging and verification algorithms.

Basic Components. Message Authentication Code (MAC): integrity / authenticity, in two flavours: Integrity of Plaintext (INT-PTXT) and Integrity of Ciphertext (INT-CTXT). Symmetric Encryption: privacy, expressed as Indistinguishability under chosen-plaintext attack (IND-CPA) and under chosen-ciphertext attack (IND-CCA), and as Non-malleability under chosen-plaintext attack (NM-CPA) and under chosen-ciphertext attack (NM-CCA).

Integrity. Integrity of Plaintext (INT-PTXT): it is computationally infeasible to produce a ciphertext decrypting to a message which the sender has never encrypted. Integrity of Ciphertext (INT-CTXT): it is computationally infeasible to produce a ciphertext not previously produced by the sender, regardless of whether or not the underlying plaintext is new.

Integrity of a symmetric encryption scheme $SE = (\mathcal{K}, E, D)$. Algorithm $D^*_K(C)$: if $D_K(C)$ returns a message (decryption does not reject) then return 1, else return 0. $D^*_K$ is the verification algorithm, used as the verification oracle. $\mathcal{K}$: randomized key generation algorithm; $E$: encryption algorithm; $D$: decryption algorithm.

Integrity of an authenticated encryption scheme. The scheme $SE$ is said to be INT-PTXT secure if the function $\mathrm{Adv}^{\text{int-ptxt}}_{SE,A}(\kappa)$ (the advantage of the INT-PTXT adversary) is very small for any adversary $A$ whose time-complexity is polynomial in $\kappa$. Likewise the scheme is said to be INT-CTXT secure if the function $\mathrm{Adv}^{\text{int-ctxt}}_{SE,A}(\kappa)$ (the advantage of the INT-CTXT adversary) is very small for any adversary $A$ whose time-complexity is polynomial in $\kappa$.

Integrity of an authenticated encryption scheme: the experiments.

Experiment $\mathrm{Exp}^{\text{int-ptxt}}_{SE,A}(\kappa)$: $K \leftarrow \mathcal{K}(\kappa)$; if $A^{E_K(\cdot),\,D^*_K(\cdot)}(\kappa)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that the oracle returns 1 and $M = D_K(C)$ was never a query to $E_K(\cdot)$, then return 1, else return 0.

Experiment $\mathrm{Exp}^{\text{int-ctxt}}_{SE,A}(\kappa)$: $K \leftarrow \mathcal{K}(\kappa)$; if $A^{E_K(\cdot),\,D^*_K(\cdot)}(\kappa)$ makes a query $C$ to the oracle $D^*_K(\cdot)$ such that the oracle returns 1 and $C$ was never a response of $E_K(\cdot)$, then return 1, else return 0.

Advantages of the adversaries: $\mathrm{Adv}^{\text{int-ptxt}}_{SE,A}(\kappa) = \Pr[\mathrm{Exp}^{\text{int-ptxt}}_{SE,A}(\kappa) = 1]$ and $\mathrm{Adv}^{\text{int-ctxt}}_{SE,A}(\kappa) = \Pr[\mathrm{Exp}^{\text{int-ctxt}}_{SE,A}(\kappa) = 1]$.

Advantages of the scheme: $\mathrm{Adv}^{\text{int-ptxt}}_{SE}(\kappa, t, q_e, \mu_e, q_d, \mu_d) = \max_A\{\mathrm{Adv}^{\text{int-ptxt}}_{SE,A}(\kappa)\}$ and $\mathrm{Adv}^{\text{int-ctxt}}_{SE}(\kappa, t, q_e, \mu_e, q_d, \mu_d) = \max_A\{\mathrm{Adv}^{\text{int-ctxt}}_{SE,A}(\kappa)\}$, the maximum over adversaries $A$ of time complexity $t$ making $q_e$ encryption queries totaling $\mu_e$ bits and $q_d$ verification queries totaling $\mu_d$ bits.

Indistinguishability: Indistinguishability under Chosen Plaintext Attack (IND-CPA) and Indistinguishability under Chosen Ciphertext Attack (IND-CCA). If $M_0 \in \mathcal{M}$ and $M_1 \in \mathcal{M}$ are encrypted, a reasonable adversary should not be able to determine which message was sent.

Left-or-right oracle $E_K(LR(\cdot,\cdot,b))$, where $b \in \{0,1\}$: on input $(M_0, M_1)$ with $|M_0| = |M_1|$, if $b = 0$ then $C \leftarrow E_K(M_0)$ and return $C$; else $C \leftarrow E_K(M_1)$ and return $C$. As was mentioned in Adam's lecture, we consider the encryption scheme to be good if a reasonable adversary cannot obtain a significant advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the left-or-right oracle.

Non-malleability: prevents the generation of a ciphertext whose plaintext is meaningfully related to another. It requires that an attacker, given a challenge ciphertext, be unable to modify it into another, different ciphertext in such a way that the plaintexts underlying the two ciphertexts are meaningfully related to each other. Example: Ptxt1: "send a check of $100.00"; Ptxt2: "send a check of $1000.00".

Non-malleability - Formally.

Experiment $\mathrm{Exp}^{\text{nm-cpa-}b}_{SE,A}(\kappa)$, $b \in \{0,1\}$ (one oracle): $K \leftarrow \mathcal{K}(\kappa)$; $(c, p, s) \leftarrow A^{E_K(LR(\cdot,\cdot,b))}(\kappa)$; $x \leftarrow D_K(c)$; return $p(x, s)$.

Experiment $\mathrm{Exp}^{\text{nm-cca-}b}_{SE,A}(\kappa)$, $b \in \{0,1\}$ (two oracles): $K \leftarrow \mathcal{K}(\kappa)$; $(c, p, s) \leftarrow A^{E_K(LR(\cdot,\cdot,b)),\,D_K(\cdot)}(\kappa)$; $x \leftarrow D_K(c)$; return $p(x, s)$.

Advantages of the adversaries: $\mathrm{Adv}^{\text{nm-cpa}}_{SE,A}(\kappa) = \Pr[\mathrm{Exp}^{\text{nm-cpa-}1}_{SE,A}(\kappa) = 1] - \Pr[\mathrm{Exp}^{\text{nm-cpa-}0}_{SE,A}(\kappa) = 1]$ and $\mathrm{Adv}^{\text{nm-cca}}_{SE,A}(\kappa) = \Pr[\mathrm{Exp}^{\text{nm-cca-}1}_{SE,A}(\kappa) = 1] - \Pr[\mathrm{Exp}^{\text{nm-cca-}0}_{SE,A}(\kappa) = 1]$.

Advantages of the scheme: $\mathrm{Adv}^{\text{nm-cpa}}_{SE}(\kappa, t, q_e, \mu_e) = \max_A\{\mathrm{Adv}^{\text{nm-cpa}}_{SE,A}(\kappa)\}$ and $\mathrm{Adv}^{\text{nm-cca}}_{SE}(\kappa, t, q_e, \mu_e, q_d, \mu_d) = \max_A\{\mathrm{Adv}^{\text{nm-cca}}_{SE,A}(\kappa)\}$. If $\mathrm{Adv}^{\text{nm-cpa}}_{SE}(\cdot)$ is negligible, $SE$ is NM-CPA secure; if $\mathrm{Adv}^{\text{nm-cca}}_{SE}(\cdot)$ is negligible, $SE$ is NM-CCA secure.

Unforgeability. Weak Unforgeability against Chosen Message Attacks (WUF-CMA): the adversary $F$ can't create a new message and tag. Strong Unforgeability against Chosen Message Attacks (SUF-CMA): the adversary $F$ can't create a new tag for an existing message.

Difficulties: the notions of authenticity are by themselves quite disjoint from the notions of privacy. Sending the message in the clear with an accompanying strong MAC achieves INT-CTXT but no kind of privacy.

Relations among notions of symmetric encryption (diagram nodes): INT-CTXT ∧ IND-CPA, IND-CCA, NM-CPA; INT-PTXT ∧ IND-CPA, IND-CPA, NM-CCA. The implications between them are stated in Theorems 3.1 and 3.2 and Propositions 3.3 and 3.4.

Relations among notions of symmetric encryption. Theorem 3.1: INT-CTXT ⇒ INT-PTXT. For any scheme $SE$: $\mathrm{Adv}^{\text{int-ptxt}}_{SE}(\kappa, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{int-ctxt}}_{SE}(\kappa, t, q_e, \mu_e, q_d, \mu_d)$. It is intuitive that if an adversary violates integrity of plaintexts of a scheme $SE = (\mathcal{K}, E, D)$, it also violates integrity of ciphertexts of the same scheme. Let $A$ be an adversary mounting an attack against integrity of plaintexts of $SE$ and $A'$ an adversary mounting an attack against integrity of ciphertexts of $SE$. Adversary $A'$ = $A$; return $C$, where $C$ is the winning query. Then $\mathrm{Adv}^{\text{int-ptxt}}_{SE,A}(\kappa) \le \mathrm{Adv}^{\text{int-ctxt}}_{SE,A'}(\kappa)$.

Proposition 3.3: IND-CCA ⇏ INT-PTXT. Given a symmetric encryption scheme $SE$ which is IND-CCA secure, we can construct a symmetric encryption scheme $SE'$ which is also IND-CCA secure but is not INT-PTXT secure.

IND-CCA ⇏ INT-PTXT: the construction. Let $SE = (\mathcal{K}, E, D)$. We define $SE' = (\mathcal{K}, E', D')$ such that $SE'$ is IND-CCA secure but is not INT-PTXT secure. Basically, a certain known string (or strings) will be viewed by $SE'$ as valid and decrypted to a certain known message, so that forgery is easy. However, these ciphertexts will never be produced by the encryption algorithm, so privacy will not be affected. Algorithm $E'_K(M)$: $C' \leftarrow E_K(M)$; $C \leftarrow 0 \| C'$; return $C$. Algorithm $D'_K(C)$: parse $C$ as $b \| C'$ where $b$ is a bit; if $b = 0$ then $M \leftarrow D_K(C')$ and return $M$; else return 0.

IND-CCA ⇏ INT-PTXT: the attack. Adversary $A^{E'_K(\cdot),\,D'^*_K(\cdot)}$: submit the query 10 to the oracle $D'^*_K(\cdot)$. $D'_K(10) = 0$, since 10 parses as the bit 1 followed by $C' = 0$ (slide note: 1010, little Endian, LSB 1st). $\mathrm{Adv}^{\text{int-ptxt}}_{SE',A}(\kappa) = 1$: the query 10 is a valid ciphertext, and it decrypts to the message 0, which the adversary never queried of its encryption oracle. $A$ makes zero queries to $E'_K$ and one query to $D'^*_K$, totaling 2 bits, and is certainly poly-time.

IND-CCA ⇏ INT-PTXT: $SE'$ stays IND-CCA secure. To prove that $SE'$ is IND-CCA secure it suffices to associate with any poly-time adversary $A$ attacking $SE'$ in the IND-CCA sense an adversary $B$ attacking $SE$ in the IND-CCA sense such that $\mathrm{Adv}^{\text{ind-cca}}_{SE',A}(\kappa) \le \mathrm{Adv}^{\text{ind-cca}}_{SE,B}(\kappa)$. $B$ simulates $SE'$ and uses its own oracles to answer $A$'s oracle queries; it is easy for $B$ to break $SE$ if $A$ can break $SE'$. Adversary $B^{E_K(LR(\cdot,\cdot,b)),\,D_K(\cdot)}(\kappa)$: for $i = 1 \ldots q_e + q_d$ do: when $A$ makes a query $(M_0, M_1)$ to its left-or-right encryption oracle, do $C' \leftarrow E_K(LR(M_0, M_1, b))$; $C \leftarrow 0 \| C'$; return $C$ to $A$. When $A$ makes a query $C$ to its decryption oracle, do: parse $C$ as a leading bit followed by $C'$; if the leading bit is 0 then $M \leftarrow D_K(C')$ and return $M$ to $A$; else return 0 to $A$. Finally return $d$, the bit output by $A$.
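The $SE' = (\mathcal{K}, E', D')$ construction of Proposition 3.3 and the two-bit forgery from the attack slide, as an added example (not code from the slides). The base scheme $E_K$/$D_K$ is a parameter; the demo plugs in a 64-bit XOR pad only as a labelled stand-in for an IND-CCA-secure scheme, which is enough here because the forged query never reaches the base scheme at all.

```python
import secrets

# Added example (not from the slides): Proposition 3.3's SE' = (K, E', D') over bit
# strings, plus the INT-PTXT adversary of the attack slide. The base scheme E_K/D_K is
# a parameter; the demo uses a 64-bit XOR pad purely as a stand-in (assumption: any
# IND-CCA-secure scheme could be plugged in; the forgery never reaches the base scheme).

def keygen(kappa=64):
    return format(secrets.randbits(kappa), f"0{kappa}b")   # key as a bit string

def base_enc(key, m):          # stand-in E_K: XOR the message bits with key bits
    return "".join(str(int(a) ^ int(b)) for a, b in zip(m, key))

base_dec = base_enc            # XOR is its own inverse, so the stand-in D_K = E_K

def enc_prime(key, m, enc=base_enc):
    # E'_K(M): C' <- E_K(M); C <- 0 || C'. Honest ciphertexts always start with 0.
    return "0" + enc(key, m)

def dec_prime(key, c, dec=base_dec):
    # D'_K(C): parse C as b || C'; if b = 0 decrypt C' with D_K, else return message "0".
    bit, c_prime = c[0], c[1:]
    return dec(key, c_prime) if bit == "0" else "0"

def verify_prime(key, c):
    # The verification oracle D'*_K: 1 if D'_K(C) yields a message, 0 if it rejects.
    return 1 if dec_prime(key, c) is not None else 0

def int_ptxt_attack(key):
    # The slide's adversary: zero queries to E'_K and a single query C = "10" (2 bits)
    # to D'*_K. It is accepted and decrypts to "0", a message never sent to E'_K.
    forged = "10"
    return verify_prime(key, forged), dec_prime(key, forged)

def forgery_is_never_honest(key, messages):
    # Privacy is untouched because E'_K never emits a ciphertext starting with 1.
    return all(enc_prime(key, m)[0] == "0" for m in messages)
```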

Other Relations. Theorem 3.2: INT-CTXT ∧ IND-CPA ⇒ IND-CCA. Proposition 3.4: INT-PTXT ∧ IND-CPA does not imply NM-CPA.

Security of the Composite Schemes. A composition is proven to meet a security requirement if it does so assuming only that the component encryption scheme is IND-CPA secure and the message authentication scheme is unforgeable under CMA. A composition fails a requirement if some IND-CPA-secure symmetric encryption scheme and some message authentication scheme unforgeable under CMA exist such that the composition doesn't meet the requirement.

Generic Composition: using both functions as black boxes: MAC and Symmetric Encryption.

Encrypt-and-MAC: $C = \mathrm{Encrypt}(M) \| \mathrm{MAC}(M)$

Encrypt-and-MAC Security (weak MAC / strong MAC):
  Privacy:   IND-CPA   insecure / insecure
             IND-CCA   insecure / insecure
             NM-CPA    insecure / insecure
  Integrity: INT-PTXT  secure   / secure
             INT-CTXT  insecure / insecure

MAC-then-Encrypt: $C = \mathrm{Encrypt}(M \| \mathrm{MAC}(M))$

MAC-then-Encrypt Security (weak MAC / strong MAC):
  Privacy:   IND-CPA   secure   / secure
             IND-CCA   insecure / insecure
             NM-CPA    insecure / insecure
  Integrity: INT-PTXT  secure   / secure
             INT-CTXT  insecure / insecure

Encrypt-then-MAC: $C = \mathrm{Encrypt}(M) \| \mathrm{MAC}(\mathrm{Encrypt}(M))$

Encrypt-then-MAC Security (weak MAC / strong MAC):
  Privacy:   IND-CPA   secure   / secure
             IND-CCA   insecure / secure
             NM-CPA    insecure / secure
  Integrity: INT-PTXT  secure   / secure
             INT-CTXT  insecure / secure

Summary of Methods (columns: Privacy IND-CPA, IND-CCA, NM-CPA; Integrity INT-PTXT, INT-CTXT)

Weakly unforgeable MAC:
  Composition Method   IND-CPA   IND-CCA   NM-CPA    INT-PTXT  INT-CTXT
  Encrypt-and-MAC      insecure  insecure  insecure  secure    insecure
  MAC-then-Encrypt     secure    insecure  insecure  secure    insecure
  Encrypt-then-MAC     secure    insecure  insecure  secure    insecure

Strongly unforgeable MAC:
  Composition Method   IND-CPA   IND-CCA   NM-CPA    INT-PTXT  INT-CTXT
  Encrypt-and-MAC      insecure  insecure  insecure  secure    insecure
  MAC-then-Encrypt     secure    insecure  insecure  secure    insecure
  Encrypt-then-MAC     secure    secure    secure    secure    secure
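The three compositions and two of the results the tables state, as an added example (not the slides' code): the base cipher is a counter-mode keystream derived from HMAC-SHA256, assumed here as a stand-in for any IND-CPA-secure scheme, and the MAC is HMAC-SHA256, both from the Python standard library. The checks show the deterministic-MAC tag leak of Encrypt-and-MAC (Proposition 4.2) and the ciphertext-integrity of Encrypt-then-MAC (Proposition 4.9).

```python
import hashlib, hmac, os

# Added example (not from the slides): the three generic compositions over a stand-in
# IND-CPA scheme (HMAC-SHA256 keystream in counter mode with a random 16-byte nonce,
# an assumption made for this demo) and HMAC-SHA256 as a deterministic MAC T_K.
TAG_LEN = 32

def keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(key, m):                      # E_K: nonce || (M xor keystream)
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(key, nonce, len(m))))

def dec(key, c):                      # D_K
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def mac(key, data):                   # T_K, deterministic
    return hmac.new(key, data, hashlib.sha256).digest()

def encrypt_and_mac(ke, km, m):   return enc(ke, m) + mac(km, m)
def mac_then_encrypt(ke, km, m):  return enc(ke, m + mac(km, m))
def encrypt_then_mac(ke, km, m):
    c = enc(ke, m)
    return c + mac(km, c)

def decrypt_etm(ke, km, c):
    # Verify the tag over the ciphertext before decrypting; reject (None) on mismatch.
    body, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    return dec(ke, body) if hmac.compare_digest(tag, mac(km, body)) else None

MSG = b"send a check of $100.00"      # constructed sample plaintext

def eam_tag_repeats(ke, km, m=MSG):
    # Prop. 4.2: Encrypt-and-MAC with a deterministic MAC repeats the tag whenever the
    # message repeats, so an IND-CPA adversary learns message equality from the tags.
    return encrypt_and_mac(ke, km, m)[-TAG_LEN:] == encrypt_and_mac(ke, km, m)[-TAG_LEN:]

def etm_rejects_tamper(ke, km, m=MSG):
    # INT-CTXT (Prop. 4.9): flipping one bit of the encrypted body fails verification,
    # while an untouched Encrypt-then-MAC ciphertext still decrypts to m.
    ok = decrypt_etm(ke, km, encrypt_then_mac(ke, km, m)) == m
    c = bytearray(encrypt_then_mac(ke, km, m))
    c[16] ^= 0x01                     # first byte of the encrypted body, after the nonce
    return ok and decrypt_etm(ke, km, bytes(c)) is None
```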

Theorem 4.7: the Encrypt-then-MAC method is IND-CPA and INT-PTXT secure. Let $SE$ be a symmetric encryption scheme, $MA$ a message authentication scheme and $\overline{SE}$ their Encrypt-then-MAC composition. Then $\mathrm{Adv}^{\text{ind-cpa}}_{\overline{SE}}(\kappa, t, q_e, \mu_e) \le \mathrm{Adv}^{\text{ind-cpa}}_{SE}(\kappa, t, q_e, \mu_e)$ and $\mathrm{Adv}^{\text{int-ptxt}}_{\overline{SE}}(\kappa, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{wuf-cma}}_{MA}(\kappa, t, q_e, \mu_e, q_d, \mu_d)$.

Theorem 4.7 - IND-CPA: $\mathrm{Adv}^{\text{ind-cpa}}_{\overline{SE},A}(\kappa) \le \mathrm{Adv}^{\text{ind-cpa}}_{SE,B}(\kappa)$. Adversary $B^{E_K(LR(\cdot,\cdot,b))}(\kappa)$: $K_m \leftarrow \mathcal{K}_m(\kappa)$; for $i = 1 \ldots q_e$ do: when $A$ makes a query $(M_0, M_1)$ to its left-or-right encryption oracle, do $C' \leftarrow E_K(LR(M_0, M_1, b))$; $\tau \leftarrow T_{K_m}(C')$; return $C' \| \tau$ to $A$. Finally return $b'$, the bit output by $A$.

Theorem 4.7 - INT-PTXT: $\mathrm{Adv}^{\text{int-ptxt}}_{\overline{SE},A}(\kappa) \le \mathrm{Adv}^{\text{wuf-cma}}_{MA,F}(\kappa)$. Adversary $F^{T_{K_m}(\cdot),\,V_{K_m}(\cdot,\cdot)}(\kappa)$: $K_e \leftarrow \mathcal{K}_e(\kappa)$; for $i = 1 \ldots q_e + q_d$ do: when $A$ makes a query $M$ to its encryption oracle, do $C' \leftarrow E_{K_e}(M)$; $\tau \leftarrow T_{K_m}(C')$; $C \leftarrow C' \| \tau$; return $C$ to $A$. When $A$ makes a query $C$ to its verification oracle, do: parse $C$ as $C' \| \tau'$; $v \leftarrow V_{K_m}(C', \tau')$; return $v$ to $A$.

Proposition 4.9: the Encrypt-then-MAC method with a SUF-CMA-secure MAC is INT-CTXT, IND-CPA and IND-CCA secure. For the adversaries, $\mathrm{Adv}^{\text{int-ctxt}}_{\overline{SE},A}(\kappa) \le \mathrm{Adv}^{\text{suf-cma}}_{MA,F}(\kappa)$. For the schemes:

$\mathrm{Adv}^{\text{ind-cpa}}_{\overline{SE}}(\kappa, t, q_e, \mu_e) \le \mathrm{Adv}^{\text{ind-cpa}}_{SE}(\kappa, t, q_e, \mu_e)$;

$\mathrm{Adv}^{\text{int-ctxt}}_{\overline{SE}}(\kappa, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{suf-cma}}_{MA}(\kappa, t, q_e, \mu_e + q_e l, q_d, \mu_d + q_d l)$;

$\mathrm{Adv}^{\text{ind-cca}}_{\overline{SE}}(\kappa, t, q_e, \mu_e, q_d, \mu_d) \le \mathrm{Adv}^{\text{ind-cpa}}_{SE}(\kappa, t, q_e, \mu_e) + 2 \cdot \mathrm{Adv}^{\text{suf-cma}}_{MA}(\kappa, t, q_e, \mu_e + q_e l, q_d, \mu_d + q_d l)$.

Conclusion: Encrypt-then-MAC provides the most secure solution for authenticated encryption.

CBC (Cipher Block Chaining): If the IV is different, then instances of the same message or block will be encrypted differently. If the $K$-th cipher block $C_K$ gets corrupted in transmission, only blocks $P_K$ and $P_{K+1}$ are affected; this can also allow some message tampering. If one plaintext block $P_K$ is changed, all subsequent ciphertext blocks will be affected; this leads to an effective MAC (CBC-MAC).

ECB (Electronic Code Book): If the same key is used, then identical plaintext blocks map to identical ciphertext blocks.

Proposition 4.1: the Encrypt-and-MAC method is not IND-CPA secure.

Proposition 4.2: the Encrypt-and-MAC method is IND-CPA insecure for any deterministic MAC.

Theorem 4.3: the Encrypt-and-MAC method is INT-PTXT secure.

Proposition 4.4: the Encrypt-and-MAC method is not INT-CTXT secure.

Theorem 4.5: the MAC-then-Encrypt method is both INT-PTXT and IND-CPA secure.

Proposition 4.6: the MAC-then-Encrypt method is not NM-CPA secure.

Proposition 4.8: the Encrypt-then-MAC method with a WUF-CMA-secure MAC is not NM-CPA secure.