Homework 3: Solution

Transcription

1 Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select two random messages m 0, m 1 and send the same to challenger. 2. The challenger returns the challenge ciphertext (c, m b ). 3. Return 0 if m b equals m 0 else return 1. It follows that this adversary wins in case the encryption was valid (as the correct m b is sent with the ciphertext). If the adversary fails, then the ciphertext generated isn t valid. The reduction constructs an adversary A using A A acts as the oracle for Enc +. It merely relays the queries to Enc oracle. 2. Suppose the challenge ciphertext that A receives is c. Then for A + (in turn for A) to successfully break the scheme, A must correctly guess m b and send the challenge ciphertext (c, m b ). Clearly, step 2 isn t feasible. If A could guess m b by itself correctly, it would never require A +. Hence, reduction fails due to such a challenge ciphertext generation. Exercise 2a Algorithm Gen + : Algorithm Enc + ((k 1, k 2 ), m): Algorithm Dec + ((k 1, k 2 ), c, σ): k 1 Gen c Enc(k 1, m) b Ver(k 2, (σ, c)) k 2 Gen σ Sign(k 2, c) If b = 0, return Return k 1, k 2 Return (c, σ) o/w, return m Dec(k 1, c) Let the encryption above (Gen +, Enc +, Dec + ) denote by Π and the underlying encryption CPA scheme by Π, we ll show that the scheme is CCA-secure if MAC is CMA-secure and Π is CPAsecure. Assume we have a ppt attacker A that can win the game with probability half plus a negligible. In the CCA game, A has the encryption oracle access and the decryption oracle access. We can see that the CMA-secure MAC provides authenticity of the message, so we first show that, up to negligible probability, A cannot generates a new query (c, σ) to the decryption oracle which is valid (Ver k2 (c, σ)), while this query was not obtained from the encryption oracle or as a challenge ciphertext. Let NQuery be the event that A can generate such a new and valid query (c, σ), we ll 1

2 show this happens with negligible probability. Then we ll prove the CCA security of the Π by reducing it to the Π s CPA security. Denote q(n) be the upper bound on the number of deception oracle queries made by A, we ll show that we can build a F that simulates the A s CCA game as below: On input of 1 n, having the oracle access of Sign and Ver: 1. Random choose k 1 {0, 1} n. 2. Random choose i {1,..., q(n)}. 3. Run the attacker A. When A makes encryption oracle query for message m, do the following: (a) Get c Enc k1 (m). (b) Query the Sign oracle on c, get σ Sign(k 2, c). (c) Return (c, σ) to A The challenge ciphertext is prepared in the same (toss a coin b, and send back Enc k1 (k 1, m b )) When A makes decryption oracle query for ciphertext (c, σ), do the following: (a) Run b Ver(k 2, σ) (b) If b = 1, return Dec(k 1, c); o/w return. After polynomial many queries, the i-th decryption queries (c, σ) was given to F. F will just output (c, σ). F expects the i-th query made by A is a good forgery. The view of A when run as a subroutine by F is distributed identically to the view of A in the CCA game except the event NQuery occurs. Suppose the NQuery occurs, then F have correctly guess the index i from 1... q(n), so that F can create a valid forgery. So denote MACForge be the event that F successfully make a forgery, we have Pr [MACForge] Pr[NQuery]/q(n) Due to the MAC security, we the Pr[NQuery] q(n) ɛ(n) = ρ(n), where ɛ(n) and ρ(n) are some negligible probability in the security parameter n. Now we the above to prove the CCA security of Π. We have Pr[A wins CCA game] Pr[NQuery] + Pr[A wins CCA game NQuery] Next we ll show under the event NQuery, the probability for A win the CCA game less than 1/2 plus negligible, otherwise, we can build an attacker A that break the underlying CPA-secure scheme as below. So assume that we have A s.t. Pr[A wins CCA game NQuery] 1/2 + negl, A runs as below: On input 1 n and has access to Enc k1 ( ): 1. Randomly select the k 2 {0, 1} n. 2. Run A on input 1 n. When A makes an encryption query for the message m: (a) Query m to Enc k1 (m) and receive c in response. (b) Compute σ MAC k2 (c), and hand (c, σ) to A 2

3 When A makes an decryption query for the message (c, σ) (Note here, we re assume that the NQuery does not occur): (a) If (c, σ) was a response to a previous encryption query for a message m, return m. Otherwise, return. 3. When A outputs messages (m 0, m 1 ), output these same messages and receive a challenge ciphertext c from the challenge oracle. Then A will compute σ MAC k2 (c ), then give back A (c, σ ) as a challenge ciphertext. A continue answering A s oracle access queries as above. 4. Output the same b as the output by A. Clearly, A runs in probabilistic polynomial time. As long as the event NQuery does not happen, the view of A simulated by A is distributed the same as the view of A in the CPA game. We note that A does not have the access of the decryption oracle since it simply expects any decryption query by A that was not the result of a previous encryption query is invalid (of course this is under the assumption that NQuery does not occur.) If A has can win the CCA game negligible better than half, A can win the CPA game negligible better than half also. Therefore, we have Pr[A wins CPA game] Pr[A wins CPA game NQuery] = Pr[A wins CCA game NQuery] 1/2 + negl. This contradicts the CPA-secure assumption. Therefore, combining together, This completes the proof. Exercise 2b Pr[A wins CCA game] Pr[NQuery] + Pr[A wins CCA game NQuery] 1/2 + ρ(n) + negl = 1/2 + negl Assume a MAC, such that MAC (k, m) = (m, σ MAC(k, m)), where MAC(k, m) is a secure MAC. From the previous problem set, we know that MAC is also a secure MAC. Therefore, we now see that the ciphertext obtained on running Enc ((k 1, k 2 ), m) is (c, (m, σ)). In other words,we have (c, m, σ). From the previous exercise we know that, this is not a CPA secure encryption. Exercise 2c From the above two examples, we notice from (a) that first encrypting and then authenticating the results is always CCA secure. However, individually encrypting and authenticating the message as in part (b) is not always secure; the security in this case depends on the individual scheme under consideration. Exercise 3 1. The checksum provides data integrity (i.e., the received data is without errors/noise), while the MAC provides data origin authentication. Moreover the checksum must be re-computed and verified by all intermediate routers, as the hop counts are changed at every router. If we replace the checksum with a MAC, it is infeasible to expect that these intermediate routers 3

4 can compute/verify the MAC (since that amounts to a forgery on the MAC). We have earlier seen how encryption-only IPSec can be broken completely. Hence, authentication is necessary. Any entity can generate a packet with a valid checksum (as show in the next segment). Thus, checksum doesn t guarantee data origin authentication. Hence, IPSec requires both checksum and MAC. 2. The generator polynomials of the CRC are public knowledge. Therefore, anyone can compute the CRC. Therefore, the forger of the MAC will have to merely compute the CRC himself to output the forgery (the probability of success is 1, assuming the correctness of the CRC algorithm). 3. We see that this holds for a CRC of any length, since the generator polynomial is public. Exercise 4a Here we assume that A is willing to reveal her identity once she knows she is talking to B, but not if she thinks she is talking to E. Before Alice sends her identity to Bob, she first waits to receive a message signed from Bob that contains the signature of the keys they agreed upon, i.e. SIG B (g x, g y ). Even if Eve acts as a man-in-the-middle and creates her own keys (one for the communication with Alice, in which she will act as Bob, and one for ( Bob, in which she will act as Alice) she will not be able to sign with Bob s public key the g x, g y ) part, where g y is chosen by Eve, so that Eve knows y. That means that Alice will not reply back to Bob, or if she will, she will encrypt everything with K e derived from g xy ; while Eve knows g x and g y, she does not know x or y, and therefore (by the Diffie-Hellman assumption) she cannot compute g xy. Therefore she cannot compute K e and therefore she cannot decrypt Alice s reply. E could learn B s identity as follows: generate and send some g x to B; B will send back g y and a message containing B s identity, encrypted with K e, which is derived from g x y. Since E knows x, having generated it, E can compute g x y readily, thus, E can recover B s encrypted identity. Exercise 4b 1. There are two options for Eve: either she will be passively listening on the line or she will be actively send messages impersonating Alice and/or Bob. In the first case, she is not able to learn anything, as both Bob and Alice have encrypted their messages using the key they agreed on. In the second case, Eve will try to play the part of Alice for Bob and encrypt the message containing Alice s identity, but she cannot sign (g y, g x ) as Alice, so Bob will not verify this message and Eve will never get back a response from Bob containing his identity. 2. On the other hand, if Eve is impersonating Bob, she will exchange keys and agree upon a common one with Alice, and then Alice will send Eve her identity encrypted with this key. The only thing that Eve needs to do is to decrypt the message and read this identity. 4

5 Exercise 4c We ll pull off an attack in which A will communicate with B while thinking they communicate with E. Suppose Alice sends g x A to Eve Eve sends g x A to Bob Bob replies back to Eve with g y, B, SIG B (g x A, g y ) Eve replies back to Alice with g y, E, SIG E (g x A, g y ). Here we suppose that Eve has claimed the public key of B as her own. Alice sends to Eve g y, B, SIG A (g y, g x A), MAC Km (A) Eve relays g y, B, SIG A (g y, g x A), MAC Km (A) to Bob In this way, Bob will think that he has talked with Alice all the time, while Alice knows she was talking with Eve. (Note that this attack fails if the Public Key Infrastructure requires Eve to prove possession of the secret key SK A ; see HW4.) 5