9
Symmetric-Key Encryption

Chosen-Ciphertext Attacks Against Encryption

Imagine you discover a bug in your company's flagship software product. It decrypts ciphertexts received from the network, but a bug causes a crash if the resulting plaintext includes a null character. Luckily, you are absolutely confident that no plaintext with a null character is ever encrypted. So you might conclude that this weird bug will never be triggered, and that the software will never crash in this way.

Depending on the choice of encryption scheme, you might be totally wrong! In some schemes, including all of the ones we've seen so far, an adversary can trigger the bug. What's worse, by observing which ciphertexts trigger the crash and which don't, the adversary can completely break the encryption scheme!

9.1. Format-oracle attacks and malleability

Let's formalize the important features of the scenario described above. The victim decrypts each ciphertext it receives. To keep things concrete, let's assume the victim uses CTR mode encryption (construction 8.5.4). The adversary learns whether the resulting plaintext contains a null character. It doesn't actually matter how the adversary learns this information: It could be due to a crash (e.g., a webserver giving http response code 500), an error message, or from the expected functionality of the software. All that matters is that the adversary can learn the answer to this single yes/no question about ciphertexts that it provides.

We can formalize the situation by imagining the adversary having access to the following library:

K{0,1}λ\key \gets \bits^\secpar
nulloracle(C)\subname{nulloracle}(\ctxt):
M:=CTR.Dec(K,C)\ptxt := \textsf{CTR}.\Dec(\key,\ctxt) // CTR mode decryption
if M\ptxt contains 00\byte{00} character:
return true\mytrue
else return false\myfalse

In this section we will write bytes/characters in hex like 00\byte{00}, c8\byte{c8}, etc. The null character is 00\byte{00}.

Why is this subroutine called nulloracle\subname{nulloracle}? In colloquial language, an oracle is a mystic who answers questions on behalf of the gods, often in an enigmatic way. You might need to do a bit of work to decipher the mysterious answers you get from an oracle. In cryptography and other areas of computer science, an oracle is an algorithm that solves a very specific kind of problem, which you might be allowed to call on inputs of your choice but not “look inside.” You might use an oracle that solves one kind of problem to help solve a different one.

Our scenario provides the adversary with an oracle that answers a very specific question: Does the decryption of this ciphertext contain any null characters? We will show the surprising fact that if you can obtain answers to these kinds of questions, then you can completely decrypt any ciphertext of your choice!

Claim 9.1.1 (Null-oracle attack)

An adversary who has access to nulloracle\subname{nulloracle} can efficiently compute Dec(K,C)\Dec(\key,\ctxt) for any C\ctxt.

9.1.1. CTR mode is malleable

To understand the null-oracle attack, we must first understand a curious property of CTR mode. Given a ciphertext C=C0C1C\ctxt = \ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell, the decryption algorithm computes the first output block M1\ptxt_1 as:

M1:=F(K,C0)C1. \ptxt_1 := F(\key, \ctxt_0) \oplus \ctxt_1.

How does the output of Dec\Dec change if we flip some bits in C1\ctxt_1? Flipping certain bits is the same as xor'ing C1\ctxt_1 with a certain string Δ\Delta (Δ\Delta contains 1\bit1 in each position whose bit should flip). If we replace C1\ctxt_1 with C1Δ\ctxt_1 \oplus \Delta, then the decryption algorithm computes its first output block as:

F(K,C0)(C1Δ)=M1Δ. F(\key, \ctxt_0) \oplus (\ctxt_1 \hl{\oplus \Delta}) = \ptxt_1 \hl{\oplus \Delta} .

In other words, if we flip some bits in C1\ctxt_1, then the corresponding bits will flip in M1\ptxt_1. Of course, there is nothing special about the first block in CTR mode; the same is true for all ciphertext blocks, apart from the IV:

Fact 9.1.2 (CTR mode malleability)

In CTR mode,

So, even without knowing what is inside a ciphertext, we can make predictable changes to its contents. We call this kind of property malleability:

Definition 9.1.3 (Malleability)

An encryption scheme is malleable if (informally), given an encryption C\ctxt of an unknown plaintext M\ptxt, it is possible to create a new ciphertext CC\ctxt' \ne \ctxt where M=Dec(K,C)\ptxt' = \Dec(\key,\ctxt') is somehow related to M\ptxt, so that M\ptxt' reveals some information about M\ptxt.

CTR mode is malleable via xor in quite an extreme way. Given an encryption C\ctxt of an unknown plaintext M\ptxt, it is possible to create a new ciphertext that decrypts to MΔ\ptxt \oplus \Delta, for any Δ\Delta of our choice.

9.1.2. The attack

So how does CTR mode's malleability lead to an attack that lets the adversary decrypt arbitrary ciphertexts? Suppose the adversary captures a ciphertext C\ctxt and wants to discover the unknown value M=Dec(K,C)\ptxt = \Dec(\key,\ctxt).

Suppose the last byte of M\ptxt is bb, so we can write M\ptxt as M=Mb\ptxt = \ptxt' \| b. What will happen if the adversary sends the ciphertext C(00b)\ctxt \oplus (\cdots\bit{00}\|b) to the null-character oracle? Applying fact 9.1.2, we can deduce that this ciphertext decrypts to:

M(00b)=(Mb)(00b)=M(bb)=M00.\begin{aligned} \ptxt \oplus (\cdots \bit{00} \| b ) &= (\ptxt' \| b) \oplus (\cdots \bit{00}\| b) \\ &= \ptxt' \| (b \oplus b)\\ &= \ptxt' \| \byte{00}.\end{aligned}

Since the modified ciphertext decrypts to a plaintext that contains a null byte, the oracle will respond with true\mytrue.

The adversary probably doesn't know the last plaintext byte bb in advance. However, it can generate and send the following 255 ciphertexts to the null-oracle:

C(0001),C(0002),C(0003),C(00fe),C(00ff).\begin{gathered} \ctxt \oplus ( \cdots \bit{00} \| \byte{01} ), \\ \ctxt \oplus ( \cdots \bit{00} \| \byte{02} ), \\ \ctxt \oplus ( \cdots \bit{00} \| \byte{03} ), \\ \vdots \\ \ctxt \oplus ( \cdots \bit{00} \| \byte{fe} ), \\ \ctxt \oplus ( \cdots \bit{00} \| \byte{ff} ).\end{gathered}

One of these ciphertexts will cause nulloracle\subname{nulloracle} to return true\mytrue, and that special ciphertext will reveal the last character of the original (secret) M\ptxt. For example, if nulloracle\subname{nulloracle} responds true\mytrue on input C(00c8)\ctxt \oplus (\cdots \bit{00} \| \byte{c8}), then the adversary can conclude that last byte of M\ptxt is c8\byte{c8}.

Again, there is nothing special about the last ciphertext byte. The same approach can be used to discover any byte of the original plaintext, by xor'ing the corresponding byte of ciphertext with all 255 possible guesses.

null-oracle attack\text{null-oracle attack}
// given C=C0C\ctxt = \ctxt_0 \| \cdots \| \ctxt_\ell, compute Dec(K,C)\Dec(\key,\ctxt)
n:=n := {}number of bytes in C1C\ctxt_1 \| \cdots \| \ctxt_\ell // excludes IV
M:=\ptxt := {}empty string
for i=1i=1 to nn: // find the iith byte of the plaintext
for each b{01,,ff}b \in \{ \byte{01}, \ldots, \byte{ff} \}: // try all possible bytes
Δ:=(00)n\Delta := (\byte{00})^n // nn null bytes
Δ[i]:=b\Delta[i] := b // set iith byte of Δ\Delta
// does (iith byte of plaintext)b==00{} \oplus b == \byte{00}?
if nulloracle(C(0λΔ))==true\subname{nulloracle}\bigl( \ctxt \oplus (\bit0^\secpar \| \Delta) \bigr) == \mytrue:
M:=Mb\ptxt := \ptxt \| b
next ii
return M\ptxt

Isn't this just a brute-force attack?
Yes and no. It is a brute-force attack on each byte of the plaintext, independently. To recover an entire nn-byte plaintext, the attack needs to call nulloracle\subname{nulloracle} at most 255n255n times. A brute-force attack on the entire plaintext would require 255n255^n effort, since that's how many nn-byte (null-free) strings there are. This attack is exponentially faster.

This attack requires the adversary to make a lot of queries. Can't it be mitigated by rate-limiting the number of ciphertexts any user can send?
Maybe, but this is a cryptography book! Wouldn't it be preferable to completely invalidate the attack at the cryptographic level, rather than continue to use an encryption scheme with such a dangerous property? That's what we'll do in the rest of the chapter.

Can't you mitigate the attack by simply fixing the bug that crashes when encountering a null byte?
The null-character attack was just one illustrative example of a larger class of attacks called format-oracle attacks. Format-oracle attacks can exist even without any implementation bugs. To perform a format-oracle attack, we simply need a victim who accepts untrusted ciphertexts from the outside world, decrypts them, and then, depending on the result of decryption, does either one thing or another, in a way that is visible to the adversary. The last step can be due to an accidental bug or the intended functionality of the system.

Here are a few real-world examples of format-oracle attacks.

  • The most famous example is a padding-oracle attack. CBC mode requires padding (section 8.6) to support non-block-aligned plaintexts. Many real-world implementations were written without considering the possibility of invalid padding, so they crash when they encounter it. In other words, they expose to the adversary an oracle reporting whether the string Dec(K,C)\Dec(\key,\ctxt) has valid padding. When this happens, the adversary can decrypt arbitrary plaintexts. Padding oracle attacks are behind several real-world attacks on the SSH and SSL/TLS protocols.

  • A victim uses the contents of a ciphertext to determine how much data to process internally. For example, the victim interprets the plaintext as a number nn and performs nn operations. The adversary can deduce roughly how much data is processed by carefully measuring the victim's response time. In other words, the adversary obtains access to an oracle revealing some (approximate) numerical values inside Dec(K,C)\Dec(\key,\ctxt). Attacks of this kind have been used to successfully break older versions of the SSH and SSL/TLS protocols.

  • Older versions of Apple iMessage used gzip compression, and would respond differently based on whether a ciphertext decrypted to a valid gzip file or not. That is, they exposed an oracle reporting whether Dec(K,C)\Dec(\key,\ctxt) is a valid gzip file. With a clever understanding of the gzip file format, an adversary could use this oracle to silently recover private messages.

  • A victim may decrypt a ciphertext and return an error if the result is not a valid XML file, exposing an XML-format oracle. This XML format oracle can be used to decrypt arbitrary plaintexts.

See the chapter notes for further reading about these attacks. Some of them are explored in the exercises.

I thought CTR mode was secure, and now you are saying it's not?
CTR mode is indeed CPA-secure, but CPA security is not enough. In the null-oracle attack scenario, the victim runs the decryption algorithm on ciphertexts chosen by the adversary, even if it's only to check whether the resulting plaintext contains any null characters. The CPA attack scenario does not consider this case.

9.2. Defining security against chosen-ciphertext attacks

Format-oracle attacks demonstrate that CPA-secure encryption doesn't always meet our expectations. We expect that the nulloracle\subname{nulloracle} subroutine will give the adversary the ability to learn whether the victim's plaintexts contain null characters. If the victim is careful enough to avoid null characters in its plaintexts, then we expect nulloracle\subname{nulloracle} to always return false\myfalse, and to therefore be useless. But, contrary to those expectations, nulloracle\subname{nulloracle} gives the adversary the ability to completely decrypt ciphertexts.

Real-world systems receive ciphertexts from the network, decrypt those ciphertexts, and then do something based on the result. But the CPA attack scenario doesn't involve the decryption algorithm at all, so CPA security can't tell us what happens in real-world situations like these. When a victim decrypts ciphertexts chosen by the adversary, we describe the situation as a chosen-ciphertext attack.

First attempt at a security definition: We can follow our usual approach to formalize an attack scenario. In a chosen-ciphertext attack, a victim runs both the encryption and decryption algorithms, manages the secret key, but leaves everything else under control of the adversary. In the real-or-random paradigm, we say that an encryption scheme is secure if its ciphertexts are pseudorandom.

Following this reasoning, we would say that the scheme Σ\Sigma is secure against chosen-ciphertext attacks if the following two libraries are indistinguishable:

Lreal\lib{real}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
C:=Σ.Enc(K,M)\hl{\ctxt := \Sigma.\Enc(\key,\ptxt)}
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
\indist
Lrand\lib{rand}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
CΣ.C(M)\hl{\ctxt \gets \Sigma.\C(|\ptxt|)}
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)

Unfortunately, these libraries don't lead to a useful security definition, because they can never be indistinguishable. An adversary can call cca.enc(M)\ccaenc(\ptxt) to get a ciphertext C\ctxt, then give C\ctxt immediately as input to cca.dec\ccadec. In Lreal\lib{real}, the result will always be M\ptxt. In Lrand\lib{rand}, the result is unlikely to be M\ptxt because C\ctxt is a meaningless string that is unrelated to M\ptxt. An adversary can always successfully distinguish these two libraries with this simple strategy.

The Real Definition: To arrive at the actual definition of chosen-ciphertext security, we must make one small modification to the Lrand\lib{rand} library. We usually call a ciphertext produced as output of cca.enc\ccaenc a challenge ciphertext. When cca.dec\ccadec is given such a challenge ciphertext that was the result of a previous call to cca.enc(M)\ccaenc(\ptxt), rather than trying to decrypt it as usual, it should “lie” and simply give M\ptxt as the response. This modification is enough to thwart the simple attack described above, and it results in a security definition that can be achieved.

Definition 9.2.1 (CCA security)

An encryption scheme Σ\Sigma has security against chosen-ciphertext attacks (CCA security) if the following two libraries are indistinguishable:

Lcca-realΣ\lib{cca-real}^\Sigma
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
\indist
Lcca-randΣ\lib{cca-rand}^\Sigma
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
CΣ.C(M)\ctxt \gets \Sigma.\C(|\ptxt|)
D[C]:=M\mathcal{D}[\ctxt] := \ptxt
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
if D[C]\mathcal{D}[\ctxt] defined: return D[C]\mathcal{D}[\ctxt]
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)

Lcca-rand\lib{cca-rand} uses a dictionary D[]\mathcal{D}[\cdot] to keep track of how to respond to requests to decrypt challenge ciphertexts.

A Metaphor for CCA Security: It's normal to be a little confused by the CCA security definition. I like the following physical metaphor: I will place any message of your choice into a special “challenge” envelope and seal it. I will gladly open any envelope in the universe that you bring to me; however, there is no need for me to open the challenge envelope, since we both already know what's inside. Of course, the contents of other envelopes have nothing to do with the contents of challenge envelope. In fact, the contents of other envelopes won't even help you discover that I was actually lying to you! What you thought was the challenge envelope was actually a decoy piece of paper disguised to look like an envelope. My challenge “envelope” doesn't have a message inside—it doesn't even have an inside.

CTR mode encryption fails this envelope metaphor because of its malleability. Returning to the physical analogy, malleability is like having a weird machine that can clone sealed envelopes while modifying what's inside. Put a sealed envelope containing M\ptxt into the cloning machine (along with a string Δ\Delta), and what comes out is a different sealed envelope containing MΔ\ptxt \oplus \Delta. Now opening these clones (revealing MΔ\ptxt \oplus \Delta) will help you learn what's inside the special envelope.

What does it mean for encryption to be secure, against an adversary who can run the decryption algorithm?
When a security definition gives some information to the adversary, it's our way of saying “it's safe to use this information however you like,” because giving the information directly to the adversary is the worst case.

The CCA security definition formalizes the idea that “it's safe to use the outputs of Dec(K,)\Dec(\key,\cdot) however you like.” There will be no unintended consequences like in a format-oracle attack: What you see is what you get. If the functionality of your system reveals some partial information about Dec(K,C)\Dec(\key,\ctxt) to an adversary, and the encryption scheme is CCA-secure, then that's the only thing the adversary can learn about the contents of ciphertexts.

9.2.1. ☆ Other approaches for defining security

Definition 9.2.1 is not the most common way to define CCA security in the cryptographic literature.

  • Like all security definitions in this book, definition 9.2.1 follows the real-or-random paradigm. It is possible (and more traditional) to define CCA security in the left-or-right style—the result would generalize the left-or-right definition for CPA security from definition 8.1.2.

  • Any definition of CCA security must deal with the event that the adversary invokes cca.dec\ccadec on a challenge ciphertext. Our approach, taken in definition 9.2.1, is to “patch” cca.dec\ccadec in Lcca-rand\lib{cca-rand} to always give the “expected result” for these special ciphertexts. A different (and more traditional) approach is to make cca.dec\ccadec in both libraries simply refuse to decrypt challenge ciphertexts. The two approaches are equivalent (see exercise 9.8).

The standard, traditional way to define CCA security (which you might see in other resources) uses the left-or-right paradigm and also refuses to decrypt the challenge ciphertexts. The two libraries look like this:

Lcca-leftΣ\lib{cca-left}^\Sigma
K{0,1}λ\key \gets \bits^\secpar
cca.enc(ML,MR)\ccaenc(\ptxt_L, \ptxt_R):
C:=Σ.Enc(K,ML)\ctxt := \Sigma.\Enc(\key,\hl{\ptxt_L})
// X\mathcal{X} = challenge ciphertexts
X:=X{C}\mathcal{X} := \mathcal{X} \cup \{ \ctxt \}
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
if CX\ctxt \in \mathcal{X}: return err\myerr
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
\indist
Lcca-leftΣ\lib{cca-left}^\Sigma
K{0,1}λ\key \gets \bits^\secpar
cca.enc(ML,MR)\ccaenc(\ptxt_L, \ptxt_R):
C:=Σ.Enc(K,MR)\ctxt := \Sigma.\Enc(\key,\hl{\ptxt_R})
// X\mathcal{X} = challenge ciphertexts
X:=X{C}\mathcal{X} := \mathcal{X} \cup \{ \ctxt \}
return C\ctxt
cca.dec(C)\ccadec(\ctxt):
if CX\ctxt \in \mathcal{X}: return err\myerr
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)

9.3. Chosen-ciphertext attack strategies

The best way to get a better intuition about CCA security is to attack the encryption schemes that we've already studied.

9.3.1. A first example

Let's start with the first CPA-secure encryption scheme we saw, construction 8.3.1:

K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^\secpar \\ \C &= \bits^{2\secpar} \end{aligned}
Enc(K,M)\Enc(\key, \ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)MS := F(\key,R) \oplus \ptxt
return RSR \| S
Dec(K,RS)\Dec(\key, R \| S):
M:=F(K,R)S\ptxt := F(\key,R) \oplus S
return M\ptxt

This scheme is not CCA-secure. In other words, there is an efficient attack that can distinguish the following two libraries:

Lcca-real\lib{cca-real}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
// Enc(K,M)\Enc(\key,\ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)MS := F(\key,R) \oplus \ptxt
return RSR \| S
cca.dec(RS)\ccadec(R\|S):
// Dec(K,RS)\Dec(\key,R\|S):
M:=F(K,R)S\ptxt := F(\key,R) \oplus S
return M\ptxt
≊̸\not\indist
Lcca-rand\lib{cca-rand}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
// C{} \gets \C:
RS{0,1}2λR\|S \gets \bits^{2\secpar}
D[RS]:=M\mathcal{D}[R\|S] := \ptxt
return RSR \| S
cca.dec(RS)\ccadec(R\|S):
if D[RS]\mathcal{D}[R\|S] defined: return D[RS]\mathcal{D}[R\|S]
// Dec(K,RS)\Dec(\key,R\|S):
M:=F(K,R)S\ptxt := F(\key,R) \oplus S
return M\ptxt

Notice that the entire ciphertext RSR\|S is used as the index in D[]\mathcal{D}[\cdot]. This is an important fact about the CCA security definition.

Understanding the CCA Attack Scenario

When Lcca-rand\lib{cca-rand} indexes into the D[]\mathcal{D}[\cdot] dictionary, it treats the entire ciphertext as a monolithic string. It doesn't care about the internal structure of ciphertexts.

Have you already noticed that this encryption scheme is simply CTR mode restricted to a single block? Then it's no surprise that the attack against this scheme involves CTR mode's malleability. Translating fact 9.1.2 to the terminology of this 1-block scheme, we know:

if Dec(K,RS)=M\Dec(\key, R\|S) = \ptxt then Dec(K,R(SΔ))=MΔ.\Dec\bigl(\key, R\|(S \oplus \Delta) \bigr) = \ptxt \oplus \Delta.

You can see malleability reflected in the schematic diagram of this scheme's decryption algorithm. Changes to the ciphertext block SS are propagated directly to the output plaintext M\ptxt, because the “path” from SS to M\ptxt includes only an xor operation.

A calling program to the Lcca-*\lib{cca-*} libraries can use this malleability to attack CCA security as follows:

A\A
M{0,1}λ\ptxt \gets \bits^\secpar
Δ:=\Delta := {}arbitrary, nonzero, λ\secpar-bit string
RS:=cca.enc(M)R \| S := \ccaenc(\ptxt)
M:=cca.dec(R(SΔ))\ptxt' := \ccadec\bigl( R \| (S \oplus \Delta) \bigr)
return M==MΔ\ptxt' == \ptxt \oplus \Delta

When this calling program is linked to Lcca-real\lib{cca-real}, it returns true\mytrue with probability 1, thanks to the scheme's malleability property.

What about when it is linked to Lcca-rand\lib{cca-rand}? We can understand the behavior of ALcca-rand\A \link \lib{cca-rand} through the following observations:

  • cca.enc\ccaenc is called once, which has the effect of assigning D[RS]:=M\mathcal{D}[ R \| S ] := \ptxt.

  • Since Δ0λ\Delta \ne \bit0^\secpar, the ciphertext R(SΔ)R \| (S \oplus \Delta) is different from RSR \| S. Therefore, the call to cca.dec\ccadec will find D[R(SΔ)]\mathcal{D}[R \| (S \oplus \Delta)] undefined. It doesn't matter that both of these ciphertexts have the same RR! Lcca-rand\lib{cca-rand} doesn't “see” the internal structure of ciphertexts; it treats them as monolithic strings. The strings RSR\|S and R(SΔ)R\|(S\oplus \Delta) are different strings.

  • The library writes M\ptxt to D[]\mathcal{D}[\cdot] but never reads from it. Hence, it does not use the value of M\ptxt at all.

  • The calling program does not use the value of M\ptxt until its return statement.

These observations imply that the choice of M\ptxt is independent of everything that happens before the calling program's return statement. We can imagine an equivalent computation in which M\ptxt is sampled at the last possible moment, just before the return statement, and after M\ptxt' and Δ\Delta have been fixed. Once these values have been fixed, there is only one choice of M\ptxt that satisfies the condition M==MΔ\ptxt' == \ptxt \oplus \Delta and causes the calling program to return true\mytrue. Since M\ptxt is chosen uniformly, the probability that the calling program returns true\mytrue is only 1/2λ1/2^\secpar. (This is why it was convenient to sample M\ptxt uniformly in this attack, rather than let it be arbitrary.)

Since the two probabilities differ by more than a negligible amount, the attack is successful and the scheme does not have CCA security.

This attack is the simplest example of a common strategy for chosen-ciphertext attacks:

Malleability Strategy

To break the CCA security of a scheme:

  1. Study the decryption algorithm of the scheme. It often helps to draw a schematic diagram.

  2. See whether any changes to a ciphertext make a predictable change to the plaintext.

  3. Formalize an attack in which the adversary (1) requests the encryption of a chosen plaintext; (2) modifies the ciphertext as above; (3) asks for the modified ciphertext to be decrypted.

9.3.2. A second example

The previous scheme was malleable via xor, a fact that you could see reflected in the schematic diagram of its decryption algorithm. Let's try a harder challenge, with a scheme that does not have such obvious malleability.

K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^\secpar \\ \C &= \bits^{2\secpar} \end{aligned}
Enc(K,M)\Enc(\key, \ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)F(K,M)S := F(\key,R) \oplus F(\key,\ptxt)
return RSR \| S
Dec(K,RS)\Dec(\key, R \| S):
M:=F1(K,F(K,R)S)\ptxt := F^{-1}\bigl(\key, F(\key,R) \oplus S \bigr)
return M\ptxt

Focusing on the decryption algorithm, changes to RR or to SS propagate through an instance of FF or F1F^{-1} before affecting the output plaintext. From the adversary's perspective, F±F^{\pm} acts like a random function; any change in an input leads to an unpredictable change in the output. Hence, unlike in the previous scheme, the adversary cannot predict how a change to the ciphertext will affect the plaintext.

To attack this new scheme, we need a new approach, which I call the Frankenstein strategy. Ciphertexts in this scheme have two halves, so what would happen if we mix and match the halves of two different ciphertexts? Surprisingly, something interesting:

Claim 9.3.1 (Frankenstein ciphertexts)

In the scheme above, if R1S1R_1 \| S_1 and R2S2R_2 \| S_2 are encryptions of the same plaintext (say, M\ptxt), then R1S2R_1 \| S_2 and R2S1R_2 \| S_1 are also encryptions of the same plaintext (but possibly different than M\ptxt).

Proof:

If R1S1R_1 \| S_1 and R2S2R_2 \| S_2 encrypt the same plaintext M\ptxt, then they satisfy the following relationship:

S1=F(K,R1)F(K,M);S2=F(K,R2)F(K,M).\begin{aligned} S_1 &= F(\key, R_1) \oplus F(\key, \ptxt); \\ S_2 &= F(\key, R_2) \oplus F(\key, \ptxt).\end{aligned}

Now follow the decryption algorithm on R1S2R_1 \| S_2 and R2S1R_2 \| S_1:

Dec(K,R1S2)=F1(K,F(K,R1)S2)=F1(K,F(K,R1)F(K,R2)F(K,M));\begin{aligned} \Dec(\key, R_1 \| S_2 ) &= F^{-1}\bigl(\key, F(\key,R_1) \oplus S_2 \bigr) \\ &= F^{-1}\bigl(\key, F(\key,R_1) \oplus F(\key,R_2) \oplus F(\key,\ptxt) \bigr); \end{aligned}
Dec(K,R2S1)=F1(K,F(K,R2)S1)=F1(K,F(K,R2)F(K,R1)F(K,M)).\begin{aligned} \Dec(\key, R_2 \| S_1 ) &= F^{-1}\bigl(\key, F(\key,R_2) \oplus S_1 \bigr) \\ &= F^{-1}\bigl(\key, F(\key,R_2) \oplus F(\key,R_1) \oplus F(\key,\ptxt) \bigr).\end{aligned}

An adversary will probably not be able to predict this value, but both ciphertexts decrypt to this same value.

We are now ready to formalize the attack. We will refer to the new “mismatched” ciphertexts R1S2R_1 \| S_2 and R2S1R_2 \| S_1 as Frankenstein ciphertexts. A chosen-ciphertext attack against the scheme is a program that successfully distinguishes the following two libraries:

Lcca-real\lib{cca-real}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
// return Enc(K,M)\Enc(\key,\ptxt)
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)F(K,M)S := F(\key,R) \oplus F(\key,\ptxt)
return RSR \| S
cca.dec(RS)\ccadec(R\|S):
// return Dec(K,RS)\Dec(\key,R\|S)
M:=F1(K,F(K,R)S)\ptxt := F^{-1}\bigl(\key, F(\key,R) \oplus S \bigr)
return M\ptxt
≊̸\not\indist
Lcca-rand\lib{cca-rand}
K{0,1}λ\key \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
RS{0,1}2λR \| S \gets \bits^{2\secpar}
return RSR \| S
cca.dec(RS)\ccadec(R\|S):
if D[RS]\mathcal{D}[R\|S] defined: return D[RS]\mathcal{D}[R\|S]
// return Dec(K,RS)\Dec(\key,R\|S)
M:=F1(K,F(K,R)S)\ptxt := F^{-1}\bigl(\key, F(\key,R) \oplus S \bigr)
return M\ptxt

The calling program is as follows:

A\A
M:=\ptxt := {} arbitrary string in {0,1}λ\bits^\secpar
R1S1:=cca.enc(M)R_1 \| S_1 := \ccaenc(\ptxt)
R2S2:=cca.enc(M)R_2 \| S_2 := \ccaenc(\ptxt)
M1:=cca.dec(R1S2)\ptxt^*_1 := \ccadec( R_1 \| S_2 )
M2:=cca.dec(R2S1)\ptxt^*_2 := \ccadec( R_2 \| S_1 )
return M1==M2\ptxt^*_1 == \ptxt^*_2

When linked to Lcca-real\lib{cca-real}, the program outputs true\mytrue with probability 1 according to claim 9.3.1. When A\A is linked to Lcca-rand\lib{cca-rand}, we must consider two cases:

  • Case 1: If R1=R2R_1 = R_2 or S1=S2S_1 = S_2 (or both) then we in fact have:

    {R1S1,R2S2}={R1S2,R2S1}. \{ R_1 \| S_1, R_2 \| S_2 \} = \{ R_1 \| S_2, R_2 \| S_1 \}.

    The Frankenstein ciphertexts are the same as the original ciphertexts (this also includes the case where all four ciphertexts are the same). In other words, the calling program calls cca.dec\ccadec on the original challenge ciphertexts, which will be found in D[]\mathcal{D}[\cdot]. Thus, both calls to cca.dec\ccadec will return M\ptxt, and the calling program returns true\mytrue. Since R1,R2,S1,S2R_1, R_2, S_1, S_2 are distributed uniformly, the probability of this case is at most 2/2λ2/2^{\secpar}.

  • Case 2: R1R2R_1 \ne R_2 and S1S2S_1 \ne S_2. Then the original ciphertexts and Frankenstein ciphertexts are all distinct. So when the calling program calls cca.dec\ccadec, the Frankenstein ciphertexts will not be found in D[]\mathcal{D}[\cdot], and the library will proceed to decrypt them as usual. The two resulting plaintexts are identical, and A\A returns true\mytrue, if and only if:

    M1=M2    Dec(K,R1S2)=Dec(K,R2S1)    F1(K,F(K,R1)S2)=F1(K,F(K,R2)S1)    F(K,R1)S2=F(K,R2)S1.\begin{aligned} M_1^* &= M^*_2 \\ \iff \Dec(\key, R_1 \| S_2) &= \Dec(\key, R_2 \| S_1) \\ \iff F^{-1}\bigl(\key, F(\key,R_1) \oplus S_2\bigr) &= F^{-1}\bigl(\key, F(\key,R_2) \oplus S_1\bigr) \\ \iff F(\key,R_1) \oplus S_2 &= F(\key,R_2) \oplus S_1.\end{aligned}

    The last step follows by applying F(K,)F(\key,\cdot) to both sides, to cancel F1F^{-1}. The final condition happens with probability 1/2λ1/2^\secpar because S1S_1 and S2S_2 are sampled uniformly in Lcca-rand\lib{cca-rand}, and independent of K\key.

The overall probability that the calling program outputs true\mytrue is at most the sum of these two cases, 3/2λ3/2^\secpar. The difference between output probabilities for Lcca-real\lib{cca-real} and Lcca-rand\lib{cca-rand} is nonnegligible, so the scheme does not have CCA security.

Frankenstein Strategy

Try the following approach in a chosen-ciphertext attack:

  1. Request two separate encryptions of chosen plaintexts; it often helps to use the same plaintext.

  2. Mix and match parts of the resulting ciphertexts to obtain two Frankenstein ciphertexts.

  3. Ask for the Frankenstein ciphertexts to be decrypted and see whether anything interesting happens.

9.4. Message authentication codes

Chosen-ciphertext attacks have shown us that there is risk involved when decrypting a ciphertext that has been crafted by the adversary. Imagine there was some way to “certify” that a ciphertext was not adversarially generated, but was generated by someone who knows the secret key. Such a certification would give the decryption algorithm a way to distinguish honestly generated ciphertexts from adversarially generated ones, so that it could refuse to decrypt (e.g., return an error) the adversarially generated ones.

What we are asking for is not to hide the ciphertext but to authenticate it: to ensure that it was generated by someone who knows the secret key. Later we will discuss how to apply this idea to chosen-ciphertext attacks; for now, let's develop more clarity about authenticating that some data was generated/chosen by someone who knows the secret key.

Let's begin with a simple thought experiment. I choose a string SS uniformly at random from {0,1}λ\bits^\secpar, but keep it secret. Will you be able to guess what it is? Probably not! Even if I let you have many guesses (any polynomial in λ\secpar) you will guess correctly only with negligible probability.

Now suppose that instead of one string, I have many strings stored in a random dictionary; let's call it L[]\prftable[\cdot]. Each L[X]\prftable[X] is chosen uniformly and independently. You can ask me to reveal any value in the dictionary; just provide its location XX and I will tell you L[X]\prftable[X]. You can also try to guess a value, by providing XX and your guess YY for L[X]\prftable[X]. Is it possible for you to correctly guess a string that I haven't yet revealed? Again, the answer is no, except with negligible probability. Since all of the strings are chosen independently, seeing other strings doesn't help you correctly guess this string.

If we now replace the random dictionary with a PRF, we will have what is called a message authentication code (MAC). For every string XX, the PRF output F(K,X)F(\key,X) is hard to predict by someone who doesn't know K\key, even if they are allowed to see PRF outputs for other strings XXX' \ne X. Thus, only someone who knows K\key can generate a pair (X,F(K,X))(X, F(\key,X)).

We call F(K,X)F(\key,X) the tag (or MAC tag) of XX; it authenticates XX. If you see XX accompanied by the correct value F(K,X)F(\key,X), you can conclude that someone who knows K\key has vouched for XX. (Be careful: It doesn't mean that the person you're currently talking to knows K\key; perhaps that person is replaying a correct pair (X,F(K,X))(X, F(\key,X)) that they heard from someone else who knows the key.)

A tag can be verified by recomputing the “correct” tag using the secret key, and comparing it to the given tag. A forgery occurs when an adversary generates a correct tag without having seen it before. The security guarantee of a MAC is that it is hard to generate a forgery, even after seeing many examples of correct tags. We can formalize this MAC property of PRFs as follows:

Lemma 9.4.1 (MAC property of PRFs)

If FF is a secure PRF with output length λ\secpar, then the following two libraries are indistinguishable:

Lmac-real\lib{mac-real}
K{0,1}λ\key \gets \bits^\secpar
mac.guess(X,Y)\macguess(X,Y):
return Y==F(K,X)Y == F(\key,X)
mac.reveal(X)\macreveal(X):
return F(K,X)F(\key,X)
\indist
Lmac-ideal\lib{mac-ideal}
mac.guess(X,Y)\macguess(X,Y):
if L[X]\prftable[X] undefined: return false\myfalse
return Y==L[X]Y == \prftable[X]
mac.reveal(X)\macreveal(X):
if L[X]\prftable[X] undefined: L[X]{0,1}λ\prftable[X] \gets \bits^\secpar
return L[X]\prftable[X]

These two libraries may seem strange, because this is the first time we are using libraries to define an authenticity property rather than a privacy (information-hiding) property. You can make sense of the libraries in the following way:

  • In Lmac-real\lib{mac-real}, it is possible for mac.guess(X,Y)\macguess(X,Y) to output true\mytrue before mac.reveal(X)\macreveal(X) has been called.

  • In Lmac-ideal\lib{mac-ideal}, it is not possible for mac.guess(X,Y)\macguess(X,Y) to output true\mytrue before mac.reveal(X)\macreveal(X) has been called, because L[X]\prftable[X] remains undefined until mac.reveal(X)\macreveal(X) has been called.

  • Thus, if an adversary can correctly guess a valid tag “early,” before it is revealed, then mac.reveal\macreveal in Lmac-real\lib{mac-real} would return true\mytrue but in Lmac-ideal\lib{mac-ideal} it would return false\myfalse. These different responses would allow the adversary to easily distinguish the libraries. So if the libraries are indistinguishable, then it must be hard to correctly guess a valid tag early—that is, to generate a forgery.

Proof:

The main idea of the proof is to define a bad event that corresponds to the calling program making a correct “early” guess, and then show that this bad event has negligible probability. Most of the steps in the proof serve to make the bad-event probability easier to analyze.

Hybrid Sequence:
The starting point is Lmac-real\lib{mac-real}.
We replace the PRF with a lazy random dictionary L[]\prftable[\cdot]. The standard three-hop maneuver is not shown.
We can keep track of which values of XX have had their L[X]\prftable[X] value revealed, in the set R\mathcal{R}. We define a bad event when the caller guesses L[X]\prftable[X] before it has been revealed. Neither of these changes affects the library's outputs; they are purely internal bookkeeping.
We can change the library's behavior after the bad event is triggered. The change is indistinguishable, assuming we later show that the bad event has negligible probability.
In the current hybrid we sample L[X]\prftable[X] as soon as it is needed, whether for mac.guess\macguess or mac.reveal\macreveal. Then we trigger the bad event as early guesses arrive. An equivalent approach is to keep track of early guesses, sample L[X]\prftable[X] only in mac.reveal\macreveal (or at the end of time if mac.reveal\macreveal is never called for XX), and trigger the bad event then, when L[X]\prftable[X] is sampled.
XRX \in \mathcal{R} if and only if L[X]\prftable[X] is defined. Thus, we can do away with R\mathcal{R} and change the condition “if X∉RX \not\in \mathcal{R} to “if L[X]\prftable[X] undefined.” The second if-statement in mac.guess\macguess is unreachable and can be removed.
Lmac-real\lib{mac-real}
K{0,1}λ\key \gets \bits^\secpar
mac.guess\macguess(X,YX,Y):
return Y==Y == {}
F(K,X)F(\key,X)
L[X]\prftable[X]
mac.reveal\macreveal(XX):
return
F(K,X)F(\key,X)
L[X]\prftable[X]

The final hybrid has identical behavior to Lmac-ideal\lib{mac-ideal}, but with extra logic used only to trigger the bad event. It suffices to show that the bad event has negligible probability.

The bad event is triggered only when L[X]early[X]\prftable[X] \in \textsf{early}[X] for some XX. For any particular XX, L[X]\prftable[X] is sampled uniformly, and after the contents of early[X]\textsf{early}[X] have been determined. In other words, L[X]\prftable[X] is independent of early[X]\textsf{early}[X]. So we have:

Pr[L[X]early[X]]=early[X]2λ. \PR{ \prftable[X] \in \textsf{early}[X] } = \displaystyle\frac{ | \textsf{early}[X] | }{2^\secpar}.

Each call to mac.guess\macguess adds at most one item to one of the early[X]\textsf{early}[X] sets. Let qq be the total number of times the calling program calls mac.guess\macguess; thus, qq is a polynomial in the security parameter. Applying a union bound, we have:

Pr[bad event]Xearly[X]2λ=Xearly[X]2λq2λ.\begin{aligned} \PR{\text{bad event}} \le \sum_{X} \frac{| \textsf{early}[X] |}{2^\secpar} = \frac{ \sum_{X} |\textsf{early}[X]| }{2^\secpar} \le \frac{q}{2^\secpar}.\end{aligned}

The probability is negligible.

MACs as a separate cryptographic primitive: In this book, we define message authentication (MAC) as a convenient property of PRFs. That's because most MACs you will see in practice are simply PRFs. In other sources, you may see MACs defined as a separate cryptographic primitive.

  • In this book, a MAC algorithm is always a PRF, and therefore generates pseudorandom tags. In the cryptographic literature, we generally call something a MAC when we don't care about its outputs being pseudorandom, and care only about its outputs being unforgeable. Being pseudorandom is just one natural way, but not the only way, to be unforgeable. For example, appending extra 0\bit0's to the end of a tag does not make tags any easier to forge, but does prevent them from being pseudorandom. Traditional security definitions for MACs therefore do not require the MAC algorithm's outputs to be pseudorandom, as we do in lemma 9.4.1.

  • PRFs are always deterministic. But when treating MACs as a full-fledged primitive, it may make sense to allow a MAC algorithm to be randomized.

  • Every deterministic MAC algorithm has a canonical verification method: Deterministically recompute the correct tag and compare to the given tag. Only deterministic MACs are considered in this book, so MAC tags are always verified using this canonical method. In a randomized MAC, each message can have several valid tags, so we must specify a separate (noncanonical) verification algorithm to go with the MAC algorithm.

  • Suppose we are using a MAC scheme in which message M\ptxt has several different tags that verify successfully. Then suppose an adversary queries mac.reveal\macreveal to learn one valid tag TT for M\ptxt. Is it considered a forgery if the adversary then successfully guesses a different, but valid, tag TTT' \ne T for the same message M\ptxt? The answer may depend on the application we have in mind for the MAC. Strong unforgeability demands that it be hard to guess new valid tags, even to messages for which the adversary has already seen a valid tag. Weak unforgeability means that it should be hard to guess valid tags of only new messages, for which the adversary has not seen any valid tag. It is not considered a forgery to guess a new tag for M\ptxt after seeing a valid tag for M\ptxt. The distinction between strong and weak unforgeability is irrelevant for deterministic MAC algorithms with canonical verification.

9.5. Encrypt-then-MAC

With a MAC, we can transform any CPA-secure encryption into a CCA-secure one. The idea is to append a MAC tag of the ciphertext. The decryption algorithm should verify this tag before decrypting, and return an error if the tag is invalid. Only someone who knows the secret key can compute the correct MAC tag, and so only “legitimate” ciphertexts will be decrypted. This approach thwarts chosen-ciphertext attacks because if an adversary tries to tamper with a ciphertext in any way, they will not be able to produce the correct tag for the modified ciphertext.

Construction 9.5.1 (Encrypt-then-MAC)

Let Σ\Sigma be an SKE scheme, and let FF be a PRF with output length λ\secpar whose domain includes Σ.C\Sigma.\C (often this means FF must support variable-length input). Then encrypt-then-MAC is defined as the following encryption scheme:

K=Σ.K×{0,1}λM=Σ.MC()=Σ.C()×{0,1}λ\begin{aligned} \K &= \Sigma.\K \times \bits^\secpar \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \times \bits^\secpar \end{aligned}
Enc((Ke,Km),M)\Enc\bigl( (\key_e,\key_m), \ptxt \bigr):
C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
T:=F(Km,C)T := F(\key_m, \ctxt)
return CT\ctxt \| T
\quad
Dec((Ke,Km),CT)\Dec\bigl( (\key_e,\key_m), \ctxt \| T \bigr):
if F(Km,C)TF(\key_m, \ctxt) \ne T: return err\myerr
return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt)

Ciphertexts in the new scheme consist of two parts: a ciphertext from the underlying scheme Σ\Sigma, plus a tag. It is important to use independent keys for Σ\Sigma and the MAC/PRF.

Claim 9.5.2 (CCA security of Encrypt-then-MAC)

If Σ\Sigma is a CPA-secure SKE scheme, and FF is a secure PRF, then Encrypt-then-MAC (construction 9.5.1) is CCA-secure.

In other words, using the fact that Σ\Sigma has CPA security and FF is a secure PRF, the following two libraries are indistinguishable:

Lcca-real\lib{cca-real}
KeΣ.K\key_e \gets \Sigma.\K
Km{0,1}λ\key_m \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
// Enc((Ke,Km),M)\Enc\bigl( (\key_e, \key_m), \ptxt \bigr):
C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
T:=F(Km,C)T := F(\key_m, \ctxt)
return CT\ctxt \| T
cca.dec(CT)\ccadec(\ctxt \| T):
// Dec((Ke,Km),CT)\Dec\bigl( (\key_e, \key_m), \ctxt \| T\bigr):
if F(Km,C)TF(\key_m, \ctxt) \ne T: return err\myerr
return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt)
\indist
Lcca-rand\lib{cca-rand}
KeΣ.K\key_e \gets \Sigma.\K
Km{0,1}λ\key_m \gets \bits^\secpar
cca.enc(M)\ccaenc(\ptxt):
// CTC\ctxt\|T \gets \C:
CΣ.C(M)\ctxt \gets \Sigma.\C(|\ptxt|)
T{0,1}λT \gets \bits^\secpar
D[CT]:=M\mathcal{D}[\ctxt\|T] := \ptxt
return CT\ctxt \|T
cca.dec(CT)\ccadec(\ctxt\|T):
if D[CT]\mathcal{D}[\ctxt\|T] defined: return D[CT]\mathcal{D}[\ctxt\|T]
// Dec((Ke,Km),CT)\Dec\bigl( (\key_e, \key_m), \ctxt \| T\bigr):
if F(Km,C)TF(\key_m, \ctxt) \ne T: return err\myerr
return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt)

Proof idea: The two libraries, which we would like to prove are indistinguishable, both feature the Σ.Dec\Sigma.\Dec algorithm. However, we may only use the fact that Σ\Sigma is CPA-secure. The libraries that define CPA security do not mention Σ.Dec\Sigma.\Dec at all. You can think of CPA security as saying “ciphertexts are pseudorandom, if the key is used only for the encryption algorithm and nothing else.”

Thus, our main strategy in this proof is to rewrite the libraries so that Σ.Dec\Sigma.\Dec doesn't appear at all. You might be wondering how this is possible. The main insight is that the library only runs Σ.Dec\Sigma.\Dec if the MAC tag verifies successfully. If the MAC is secure, then we expect this to be possible only for ciphertexts generated by the library itself. But if the library originally generated a ciphertext, then it should already know the corresponding plaintext, and it should not need to run Σ.Dec\Sigma.\Dec.

In more detail:

  • Whenever the cca.enc\ccaenc subroutine generates a ciphertext, it can internally store the plaintext that was used. If that ciphertext is later given to cca.dec\ccadec, the library can retrieve the plaintext from this storage, so it doesn't need to run Σ.Dec\Sigma.\Dec.

  • When cca.dec\ccadec sees a ciphertext that was not previously generated by cca.enc\ccaenc, we do not expect the MAC tag to be valid. In other words, we expect that cca.dec\ccadec will return err\myerr before even reaching the line where it calls Σ.Dec\Sigma.\Dec. In these cases, Σ.Dec\Sigma.\Dec is not needed.

So the only situation where cca.dec\ccadec truly needs to run Σ.Dec\Sigma.\Dec are the cases where the adversary successfully generates a MAC forgery. These cases should be negligibly likely; we express this idea formally by arguing that the library is indistinguishable from one that doesn't use Σ.Dec\Sigma.\Dec in this case (and thus, never uses Σ.Dec\Sigma.\Dec at all).

Proof (details):

Hybrid Sequence:
The starting point is Lcca-real\lib{cca-real}.
We can add a cache to remember the plaintexts of ciphertexts generated in cca.enc\ccaenc.
Apply the MAC property of the PRF, in a three-hop maneuver:
We now argue that the three if-conditions in cca.dec\ccadec are exhaustive. Why? Suppose the second and third if-statements are not taken, then we must have L[C]=T\prftable[\ctxt] = T. But the library assigns to L[C]:=T\prftable[\ctxt] := T only in cca.enc\ccaenc, where it also assigns to D[CT]\mathcal{D}[\ctxt\|T]! So the first if-statement would have been taken this case. Knowing that the last line of cca.dec\ccadec is unreachable, we can remove it:
Now that Ke\key_e is used only to call Σ.Enc\Sigma.\Enc, we can apply CPA security. The three-hop maneuver is omitted.
It is only with negligible birthday probability that C\ctxt repeats in the first line of cca.enc\ccaenc. Thus the if-statement on the next line is always taken (except with negligible probability), and its body can be made unconditional. This can be shown in a standard sequence of steps (involving either a bad event or an appeal to lemma 4.5.7), which are omitted here.
Suppose cca.enc\ccaenc generates a ciphertext CT\ctxt \| T, and later cca.dec\ccadec is called with a ciphertext of the form CT\ctxt \| T'. Then cca.dec\ccadec will return err\myerr if TTT \ne T' and otherwise return D[CT]\mathcal{D}[\ctxt\|T]. In particular, cca.dec\ccadec never needs to consult L[C]\prftable[\ctxt]. Therefore, cca.enc\ccaenc does not need to assign L[C]\prftable[\ctxt].
Finally, we can perform several of the previous changes, this time in reverse, and obtain Lcca-rand\lib{cca-rand}.
Lcca-real\lib{cca-real}
KeΣ.K\key_e \gets \Sigma.\K
Km{0,1}λ\key_m \gets \bits^\secpar
cca.enc\ccaenc(M\ptxt):
// C\ctxt
Enc(K,M){}\gets \Enc(\key,\ptxt)
TC(M)\| T \gets \C^*(|\ptxt|):
C\ctxt
:=Σ.Enc(Ke,M){}:= \Sigma.\Enc(\key_e, \ptxt)
Σ.C(M){}\gets \Sigma.\C(|\ptxt|)
TT
:={}:= {}
F(Km,C)F(\key_m, \ctxt)
mac.reveal(C)\macreveal(\ctxt)
L[C]\prftable[\ctxt]
L[C]{0,1}λ\prftable[C] \gets \bits^\secpar
{0,1}λ{}\gets \bits^\secpar
return CT\ctxt \| T
cca.dec\ccadec(CT\ctxt \| T):
// Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
if
F(Km,C)TF(\key_m, \ctxt) \ne T: return err\myerr
not mac.guess(C,T)\macguess(\ctxt, T): return err\myerr
L[C]T\prftable[\ctxt] \ne T: return err\myerr
F(Km,C)TF(\key_m,\ctxt) \ne T: return err\myerr
return Dec(Ke,C)\Dec(\key_e, \ctxt)
\link
Lmac-real\lib{mac-real}
K{0,1}λ\key \gets \bits^\secpar
mac.guess\macguess(X,YX,Y):
return Y==F(K,X)Y == F(\key,X)
mac.reveal\macreveal(XX):
return F(K,X)F(\key,X)
Lmac-ideal\lib{mac-ideal}
mac.guess\macguess(X,YX,Y):
if L[X]\prftable[X] undefined: return false\myfalse
return Y==L[X]Y == \prftable[X]
mac.reveal\macreveal(XX):
if L[X]\prftable[X] undefined: L[X]{0,1}λ\prftable[X] \gets \bits^\secpar
return L[X]\prftable[X]

Encrypt-then-MAC in practice: GCM is a standardized SKE scheme, and one of the most commonly used CCA-secure schemes. It is an instance of encrypt-then-MAC, where the underlying CPA encryption is CTR mode. (It uses a MAC that we discuss later in chapter 11). In the interest of efficiency, GCM uses related keys for the encryption and MAC steps. Of course, this is not secure in general (see this chapter's exercises) but GCM's specific design is justified with a security proof.

9.5.1. Alternatives to encrypt-then-MAC

Not every way of combining a MAC and CPA-secure SKE results in CCA security. In fact, some combinations even make security worse! Here are the most natural ways to combine a MAC and encryption:

encrypt-then-MAC\text{encrypt-then-MAC}
Enc((Ke,Km),M)\Enc( (\key_e, \key_m), \ptxt ):
C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
// MAC the ciphertext
T:=F(Km,C)T := F(\key_m, \ctxt)
// append tag to output
return CT\ctxt \| T
\quad
encrypt-and-MAC\text{encrypt-and-MAC}
Enc((Ke,Km),M)\Enc( (\key_e, \key_m), \ptxt ):
C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
// MAC the plaintext
T:=F(Km,M)T := F(\key_m, \hl{\ptxt})
// append tag to output
return CT\ctxt \| T
\quad
MAC-then-encrypt\text{MAC-then-encrypt}
Enc((Ke,Km),M)\Enc( (\key_e, \key_m), \ptxt ):
// MAC the plaintext
T:=F(Km,M)T := F(\key_m, \hl{\ptxt})
// encrypt plaintext + tag
C:=Σ.Enc(Ke,MT)\ctxt := \Sigma.\Enc(\key_e, \ptxt \hl{\| T})
return C\ctxt
  • Encrypt-then-MAC, as we just saw, provides CCA security.

  • Encrypt-and-MAC does not have not CCA security. In fact, it does not even have CPA security! It is easy to tell whether two ciphertexts contain the same plaintext, because their tags will be the same!

  • MAC-then-encrypt has a more complicated story. Depending on the choice of Σ\Sigma, it may or may not provide CCA security. In other words, there are some choices of CPA-secure Σ\Sigma that cause MAC-then-encrypt to have CCA security, and others that do not. The CPA security of Σ\Sigma is simply not enough to conclude whether MAC-then-encrypt is safe. The exercises explore MAC-then-encrypt in more detail.

9.6. Authenticated encryption and associated data

CCA security is a step in the right direction from CPA security, but not the gold standard for modern encryption schemes. In this section, we explore additional security properties and useful features that useful in practice.

9.6.1. Authenticated encryption

Encrypt-then-MAC achieves a convenient property: Only someone who knows the secret key can generate a ciphertext C\ctxt such that Dec(K,C)err\Dec(\key,\ctxt) \ne \myerr. In other words, the fact that a ciphertext decrypts without error authenticates its author as a valid key-holder.

This useful security property isn't actually required by CCA security. CCA security asks only that the value Dec(K,C)\Dec(\key,\ctxt') is not helpful to the adversary, for any C\ctxt' that was not generated by the library itself. Of course, one way for Dec(K,C)\Dec(\key,\ctxt') to be unhelpful is for Dec(K,C)=err\Dec(\key,\ctxt') = \myerr, as in encrypt-then-MAC. But the CCA security definition leaves open the possibility of a scheme whose Dec\Dec never outputs err\myerr (see this chapter's exercises).

Authentication is a useful property for an encryption scheme, so it makes sense to enshrine it in our security definitions. The result is what we call authenticated encryption:

Definition 9.6.1 (Authenticated encryption)

A SKE scheme Σ\Sigma is a secure authenticated encryption (AE) scheme if the following two libraries are indistinguishable:

Lae-realΣ\lib{ae-real}^\Sigma
KΣ.K\key \gets \Sigma.\K
ae.enc(M)\aeenc(\ptxt):
return Σ.Enc(K,M)\Sigma.\Enc(\key,\ptxt)
ae.dec(C)\aedec(\ctxt):
return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
\indist
Lae-randΣ\lib{ae-rand}^\Sigma
ae.enc(M)\aeenc(\ptxt):
CΣ.C(M)\ctxt \gets \Sigma.\C(|\ptxt|)
D[C]:=M\mathcal{D}[\ctxt] := \ptxt
return C\ctxt
ae.dec(C)\aedec(\ctxt):
if D[C]\mathcal{D}[\ctxt] defined: return D[C]\mathcal{D}[\ctxt]
else: return err\myerr

In Lae-rand\lib{ae-rand}, if the adversary calls ae.dec\aedec on a ciphertext that was not generated by the library itself, the response is always err\myerr. So if the two libraries are indistinguishable, it must also be hard for an adversary to find a ciphertext that causes the real decryption algorithm (ae.dec\aedec of Lae-real\lib{ae-real}) to output something other than err\myerr.

Claim 9.6.2 (AE security of Encrypt-then-MAC)

Encrypt-then-MAC (construction 9.5.1) is a secure AE, if the underlying Σ\Sigma is a CPA-secure SKE and FF is a secure PRF.

The proof follows exactly the same steps as claim 9.5.2, but stops just before the last step that is shown. In that hybrid, the ciphertext is sampled uniformly, and the library's decryption subroutine outputs err\myerr to any ciphertext that it (the library) did not previously generate.

AE is a strictly stronger security property than CCA, meaning:

Claim 9.6.3 (AE implies CCA)

If an encryption scheme Σ\Sigma is a secure AE, then it is also CCA-secure.

9.6.2. Associated data

Sometimes even more fine-grained control over authentication is useful. Imagine the following conversation between Alice and Bob, who share a key K\key:

Alice and Bob share a key, which only they know, and they use it for authenticated encryption. Don't worry that Bob's messages are not encrypted—that is not crucial to this example. When Bob sees a ciphertext that decrypts without error, he concludes that it contains Alice's intent, so he can act on it accordingly. An adversary cannot learn anything by observing Alice's ciphertexts, nor can it insert its own ciphertexts that Bob will decrypt successfully.

Some time passes, and an adversary managed to take over control of Alice and Bob's network connection. Bob is no longer communicating with Alice, but with the adversary, who replays one of her previous ciphertext at just the right time:

What went wrong? The ciphertext contains a message that Alice intended, but for a different context! It is not always enough to authenticate someone's intent in isolation, because their intent may change or depend on context. Think of an AE ciphertext as a certificate from Alice that says “whenever anyone presents this ciphertext, in any context, please act on the following information...”

One way to fix this problem is to force Alice to include some of the context in the plaintext, which Bob can check:

The replay attack has been prevented, but with the unpleasant side-effect of increasing the length of Alice's plaintext, and therefore her ciphertext. In this case, both Alice and Bob already know the “correct” context (keywords display or delete), so it seems wasteful for Alice to include it as part of her plaintext. She doesn't want to encrypt it, as if it were new information to Bob; she only wants to authenticate it.

We can more efficiently incorporate context into encryption by modifying its interface. Instead of calling it “context,” we usually call it associated data. Think of associated data as information that the sender and receiver already know. The sender encrypts a ciphertext with this data in mind, and the receiver decrypts with it in mind.

Definition 9.6.4 (Associated data)

A SKE scheme Σ\Sigma supports associated data if its Enc\Enc and Dec\Dec algorithms both take an additional argument A\ad as follows:

  • Enc\Enc: a (possibly randomized) algorithm that takes a key KK\key \in \K, associated data AAA \in \A, and plaintext MM\ptxt \in \M as input, and outputs a ciphertext CC\ctxt \in \C.

  • Dec\Dec: a deterministic algorithm that takes a key KK\key \in \K, associated data AAA \in \A, and ciphertext CC\ctxt \in \C as input, and outputs a plaintext MM\ptxt \in \M.

The scheme satisfies correctness if, for all KK,AA,MM\key \in \K, A \in \A, \ptxt \in \M:

Pr[Dec(K,A,Enc(K,A,M))=M]=1. \PR{ \Dec\bigl( \key, A, \Enc(\key, A, \ptxt) \bigr) = \ptxt } = 1.

The probability is over the randomness in Enc\Enc.

In most encryption schemes with associated data, the size of the ciphertext depends only on the plaintext M\ptxt, and not at all on the associated data.

An authenticated encryption scheme that supports associated data is called an AEAD scheme. The idea behind the AEAD security definition is that it is hard to generate a ciphertext that decrypts without error under any associated-data, except for ciphertext-associated-data pairs that were generated by the library itself. Of course, this is in addition to the requirement that ciphertexts are pseudorandom.

Definition 9.6.5 (AEAD)

An encryption scheme Σ\Sigma with associated data is a secure authenticated encryption with associated data (AEAD) scheme if the following two libraries are indistinguishable:

Laead-realΣ\lib{aead-real}^\Sigma
KΣ.K\key \gets \Sigma.\K
aead.enc(A,M)\aeadenc(\hl{\ad},\ptxt):
return Σ.Enc(K,A,M)\Sigma.\Enc(\key,\hl{\ad},\ptxt)
aead.dec(A,C)\aeaddec(\hl{\ad},\ctxt):
return Σ.Dec(K,A,C)\Sigma.\Dec(\key,\hl{\ad},\ctxt)
\indist
Laead-randΣ\lib{aead-rand}^\Sigma
aead.enc(A,M)\aeadenc(\hl{\ad},\ptxt):
CΣ.C(M)\ctxt \gets \Sigma.\C(|\ptxt|)
D[A,C]:=M\mathcal{D}[\hl{\ad},\ctxt] := \ptxt
return C\ctxt
aead.dec(A,C)\aeaddec(\hl{\ad},\ctxt):
if D[A,C]\mathcal{D}[\hl{\ad},\ctxt] defined:
return D[A,C]\mathcal{D}[\hl{\ad},\ctxt]
else: return err\myerr

In our running example, Alice and Bob can protect themselves from a replay attack by using AEAD. The adversary attempts to replay one of Alice's old ciphertexts under a different associated data than intended, which Bob can detect.

This is only a simple toy example; realistically, “display” and “delete” are too vague as associated data in a real application. Just because Alice wants to delete a particular file today doesn't mean she wants to delete it tomorrow, but the associated data keywords “display” and “delete” are the same today and tomorrow. Since associated data is essentially free, it should include as much information as you can imagine.

In this example, Alice is answering a specific question from Bob. If Bob's question is also encrypted, we might use Bob's ciphertext as the associated data for Alice's ciphertext, since it is something that the both already know. Even if Bob asks the same question tomorrow, his ciphertext will be different, so the associated data will be different.

AEAD is an elegant and useful abstraction. When used with empty associated data, AEAD collapses to plain AE; when used with empty plaintext, AEAD collapses to a PRF/MAC. Leading SKE schemes, like AES-GCM, are explicitly standardized as AEAD schemes.

Encrypt-then-MAC: It is possible to modify the encrypt-then-MAC recipe to support associated data. Perhaps unsurprisingly, it can be incorporated into the MAC along with the CPA ciphertext. The exercises explore the security of this construction, along with other approaches to AEAD.

Exercises

  1. Suppose you are given a ciphertext C=C0C1C\ctxt = \ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell, which is the encryption of an unknown plaintext M=M1M\ptxt = \ptxt_1 \| \cdots \| \ptxt_\ell. Show how to construct a new ciphertext that decrypts to MiMj\ptxt_i \| \cdots \| \ptxt_j, for any iji \le j (without knowing the scheme's encryption key or M\ptxt).

    1. Using CBC mode (construction 8.5.3)

    2. Using CTR mode (construction 8.5.4)

  2. You have access to an oracle for CBC-mode decryption, with an unknown and secret key K\key. Show how you can use this oracle to compute F1(K,X)F^{-1}(\key,X) for any XX of your choice.

  3. Suppose you have access to the null-character-oracle from section 9.1, and you obtain a ciphertext whose plaintext is known to contain exactly one null character, but in an unknown position. Show how to determine the location of the null character.

  4. Suppose you have access to a system that decrypts chosen CTR ciphertexts and crashes if the last character of a plaintext is not null! Show how you can use this bug to completely decrypt arbitrary ciphertexts.

  5. Suppose you have access to a null-character-oracle similar to section 9.1, but for CBC encryption instead of CTR. Show how you can decrypt arbitrary CBC ciphertexts with access to this oracle.

  6. h In this exercise, you will recreate the famous padding-oracle attack against CBC mode. Suppose you are given a CBC ciphertext C=C0C\ctxt = \ctxt_0 \| \ldots \| \ctxt_\ell that decrypts to an unknown plaintext M=M1M\ptxt = \ptxt_1 \| \cdots \| \ptxt_\ell under an unknown key K\key.

    1. Describe how to use C\ctxt to construct a CBC ciphertext that decrypts to the single block Mi\ptxt_i for any ii.

    2. Describe how to construct a CBC ciphertext that decrypts to MiΔ\ptxt_i \oplus \Delta for any ii and Δ\Delta.

    3. Now suppose you have access to the following oracle, which checks for the presence of PKCS#7 padding (example 8.6.3):

      K{0,1}λ\key \gets \bits^\secpar
      paddingoracle(C)\subname{paddingoracle}(\ctxt):
      M:=Dec(K,C)\ptxt := \Dec(\key,\ctxt)
      if M\ptxt ends in 01\bit{01} or 0202\bit{0202} or ... or 08088 copies\underbrace{\bit{08}\cdots \bit{08}}_{\text{8 copies}}:
      return true\mytrue
      else return false\myfalse

      Describe how to decrypt all of C\ctxt, in O()O(\ell) calls to paddingoracle.

    For part (c), decrypt one plaintext block at a time. For each block, start by deducing its last byte.

  7. Prove that if an SKE scheme has CCA security then it also has CPA security. The proof should be very easy.

  8. The Lcca-rand\lib{cca-rand} library in the CCA security definition maintains a dictionary data structure, mapping ciphertexts to plaintexts. This exercise is about an alternative way to define CCA security. Prove that Σ\Sigma has CCA security if and only if the following two libraries are indistinguishable:

    L1\lib{1}
    K{0,1}λ\key \gets \bits^\secpar
    cca.enc(M)\ccaenc(\ptxt):
    C:=Σ.Enc(K,M)\hl{\ctxt := \Sigma.\Enc(\key,\ptxt)}
    X:=X{C}\mathcal{X} := \mathcal{X} \cup \{ \ctxt \}
    return C\ctxt
    cca.dec(C)\ccadec(\ctxt):
    if CX\ctxt \in \mathcal{X}: return err\myerr
    return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
    \indist
    L2\lib{2}
    K{0,1}λ\key \gets \bits^\secpar
    cca.enc(M)\ccaenc(\ptxt):
    CΣ.C(M)\hl{\ctxt \gets \Sigma.\C(|\ptxt|)}
    X:=X{C}\mathcal{X} := \mathcal{X} \cup \{ \ctxt \}
    return C\ctxt
    cca.dec(C)\ccadec(\ctxt):
    if CX\ctxt \in \mathcal{X}: return err\myerr
    return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt)
  9. Let FF be a secure SPRP with blocklength n+λn + \secpar. Prove that the following encryption scheme (the same as in exercise 8.13) satisfies CCA security:

    K={0,1}λM={0,1}nC={0,1}n+λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^n \\ \C &= \bits^{n+\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=F(K,MR)C := F(\key, \ptxt \| R)
    return CC
    Dec(K,C)\Dec(\key,C):
    return first nn bits of F1(K,C)F^{-1}(\key,C)
  10. Show that the following encryption scheme does not have CCA security:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    S:=F(K,RM)S := F(\key, R \oplus \ptxt)
    return RSR \| S
    Dec(K,RS)\Dec(\key,R \| S):
    return F1(K,S)RF^{-1}(\key, S) \oplus R
  11. Write the decryption algorithm for the following encryption scheme, then show that it does not have CCA security:

    K={0,1}λM={0,1}λC={0,1}3λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{3\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    S{0,1}λS \gets \bits^\secpar
    X:=F(K,R)SX := F(\key,R) \oplus S
    Y:=F(K,SM)Y := F(\key,S \oplus \ptxt)
    return RXYR \| X \| Y
  12. Write the decryption algorithm for the following encryption scheme, then show that it does not have CCA security:

    K={0,1}2λM={0,1}2λC={0,1}3λ\begin{aligned} \K &= \bits^{2\secpar} \\ \M &= \bits^{2\secpar} \\ \C &= \bits^{3\secpar} \end{aligned}
    Enc(K1K2,M1M2)\Enc(\key_1\|\key_2,\ptxt_1 \| \ptxt_2):
    R{0,1}λR \gets \bits^\secpar
    S:=F(K1,RM1M2)M1S := F(\key_1, R \oplus \ptxt_1 \oplus \ptxt_2 ) \oplus \ptxt_1
    T:=F(K2,RM1M2)T := F(\key_2, R \oplus \ptxt_1 \oplus \ptxt_2 )
    return RSTR \| S \| T
  13. Show that the following encryption scheme does not have CCA security:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    S:=F(K,F(K,R)M)S := F\bigl(\key, F(\key,R) \oplus \ptxt \bigr)
    return RSR \| S
    Dec(K,RS)\Dec(\key,R \| S):
    return F1(K,S)F(K,R)F^{-1}(\key, S) \oplus F(\key, R)
  14. Show that the following encryption scheme does not have CCA security:

    K={0,1}2λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{2\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    Enc(K1K2,M)\Enc(\key_1\|\key_2,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K1,R)X := F(\key_1, R)
    Y:=F(K2,RM)Y := F(\key_2, R \oplus \ptxt)
    return XYX \| Y
    Dec(K1K2,XY)\Dec(\key_1\|\key_2,X \| Y):
    return F1(K1,X)F1(K2,Y)F^{-1}(\key_1,X) \oplus F^{-1}(\key_2,Y)
  15. Show that the following encryption scheme does not have CCA security:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K,R)X := F(\key, R)
    Y:=F(K,RF(K,M))Y := F\bigl(\key, R \oplus F(\key,\ptxt) \bigr)
    return XYX \| Y
    Dec(K,XY)\Dec(\key,X \| Y):
    return F1(F1(K,Y)F1(K,X))F^{-1}\bigl( F^{-1}(\key, Y) \oplus F^{-1}(\key, X) \bigr)
  16. Write the decryption algorithm for the following scheme, then show that it does not have CCA security:

    K={0,1}2λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{2\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    Enc(K1K2,M)\Enc(\key_1\|\key_2,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K1,R)X := F(\key_1, R)
    Y:=F(K2,R)F(K2,M)Y := F(\key_2, R) \oplus F(\key_2, \ptxt)
    return XYX \| Y
  17. One idea to strengthen CBC mode encryption against chosen-ciphertext attacks is to encrypt an additional block of 0\bit0s and check for the presence of these 0\bit0s when decrypting. Unfortunately, this idea fails to achieve CCA security.

    Let CBC\textsf{CBC} refer to the CBC encryption scheme (construction 8.5.3) using a block cipher of blocklength λ\secpar. In this exercise we use CBC restricted to inputs with exactly 2 plaintext blocks, to construct an encryption scheme supporting 1-block plaintexts. We will consider two ways to add an all-0\bit0 block to CBC mode: before or after the plaintext.

    1. Show that the following encryption scheme is not CCA-secure:

      Enc(K,M)\Enc(\key,\ptxt):
      // M=λ|\ptxt| = \secpar
      return CBC.Enc(K,M0λ)\textsf{CBC}.\Enc(\key, \ptxt \| \bit0^\secpar)
      Dec(K,C)\Dec(\key,\ctxt):
      MX:=CBC.Dec(K,C)\ptxt \| X := \textsf{CBC}.\Dec(\key, \ctxt)
      if X0λX \ne \bit0^\secpar: return err\myerr
      return M\ptxt
    2. Show that the following encryption scheme is not CCA-secure:

      Enc(K,M)\Enc(\key,\ptxt):
      // M=λ|\ptxt| = \secpar
      return CBC.Enc(K,0λM)\textsf{CBC}.\Enc(\key, \bit0^\secpar \| \ptxt )
      Dec(K,C)\Dec(\key,\ctxt):
      XM:=CBC.Dec(K,C)X \| \ptxt := \textsf{CBC}.\Dec(\key, \ctxt)
      if X0λX \ne \bit0^\secpar: return err\myerr
      return M\ptxt
  18. Write the decryption algorithm for the following block cipher mode, then show that it does not have CCA security:

    K={0,1}λM=({0,1}λ)C()={0,1}(+1)λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= (\bits^{\secpar})^* \\ \C(\ell) &= \bits^{(\ell+1)\secpar} \end{aligned}
    Enc(K,M1M)\Enc(\key,\ptxt_1 \| \cdots \| \ptxt_\ell):
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    M0:=0λ\ptxt_0 := \bit0^\secpar
    for i=1i=1 to \ell:
    Ci:=F(K,Ci1Mi)Mi1\ctxt_i := F(\key, \ctxt_{i-1} \oplus \ptxt_i) \oplus \ptxt_{i-1}
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
  19. You are given a ciphertext C=C0C1C\ctxt = \ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell, which is a CTR-mode encryption of an unknown plaintext M1M\ptxt_1 \| \cdots \| \ptxt_\ell. What can you say about the result of decrypting the modified ciphertext

    C:=(C0+1)C1C? \ctxt' := (\ctxt_0 + 1) \| \ctxt_1 \| \cdots \| \ctxt_\ell ?

    How does the result of decryption compare to M1M\ptxt_1 \| \cdots \| \ptxt_\ell?

  20. Show that the following encryption scheme does not have CCA security, even if Σ\Sigma does:

    Σ2.K=Σ.KΣ2.M=Σ.M×Σ.MΣ2.C=Σ.C×Σ.C\begin{aligned} \Sigma_2.\K &= \Sigma.\K \\ \Sigma_2.\M &= \Sigma.\M \times \Sigma.\M \\ \Sigma_2.\C &= \Sigma.\C \times \Sigma.\C \end{aligned}
    \quad
    Σ2.Enc(K,M1M2)\Sigma_2.\Enc( \key, \ptxt_1 \| \ptxt_2 ):
    C1=Σ.Enc(K,M1)\ctxt_1 = \Sigma.\Enc(\key, \ptxt_1)
    C2=Σ.Enc(K,M2)\ctxt_2 = \Sigma.\Enc(\key, \ptxt_2)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    \quad
    Σ2.Dec(K,(C1,C2))\Sigma_2.\Dec( \key, (\ctxt_1,\ctxt_2)):
    M1=Σ.Dec(K,C1)\ptxt_1 = \Sigma.\Dec(\key, \ctxt_1)
    M2=Σ.Dec(K,C2)\ptxt_2 = \Sigma.\Dec(\key, \ctxt_2)
    return M1M2\ptxt_1 \| \ptxt_2

    (However, the scheme is CPA-secure if Σ\Sigma is.)

  21. Show that the following encryption scheme does not have CCA security, even if Σ\Sigma does:

    Σ2.K=Σ.KΣ2.M=Σ.MΣ2.C=Σ.C×Σ.C\begin{aligned} \Sigma_2.\K &= \Sigma.\K \\ \Sigma_2.\M &= \Sigma.\M \\ \Sigma_2.\C &= \Sigma.\C \times \Sigma.\C \end{aligned}
    \quad
    Σ2.Enc(K,M)\Sigma_2.\Enc( \key, \ptxt ):
    C1=Σ.Enc(K,M)\ctxt_1 = \Sigma.\Enc(\key, \ptxt)
    C2=Σ.Enc(K,M)\ctxt_2 = \Sigma.\Enc(\key, \ptxt)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    \quad
    Σ2.Dec(K,(C1,C2))\Sigma_2.\Dec( \key, (\ctxt_1,\ctxt_2)):
    M1=Σ.Dec(K,C1)\ptxt_1 = \Sigma.\Dec(\key, \ctxt_1)
    M2=Σ.Dec(K,C2)\ptxt_2 = \Sigma.\Dec(\key, \ctxt_2)
    if M1M2\ptxt_1 \ne \ptxt_2: return err\myerr
    return M1\ptxt_1

    (However, the scheme is CPA-secure if Σ\Sigma is.)

  22. Show that the following encryption scheme does not have CCA security, even if Σ\Sigma does:

    Σ2.K=Σ.K×Σ.KΣ2.M=Σ.M={0,1}nΣ2.C=Σ.C×Σ.C\begin{aligned} \Sigma_2.\K &= \Sigma.\K \times \Sigma.\K \\ \Sigma_2.\M &= \Sigma.\M = \bits^n\\ \Sigma_2.\C &= \Sigma.\C \times \Sigma.\C \end{aligned}
    \quad
    Σ2.Enc((K1,K2),M)\Sigma_2.\Enc\bigl( (\key_1, \key_2), \ptxt \bigr):
    R{0,1}nR \gets \bits^n
    C1=Σ.Enc(K1,R)\ctxt_1 = \Sigma.\Enc(\key_1, R)
    C2=Σ.Enc(K2,RM)\ctxt_2 = \Sigma.\Enc(\key_2, R \oplus \ptxt)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    Σ2.Dec((K1,K2),(C1,C2))\Sigma_2.\Dec\bigl( (\key_1,\key_2), (\ctxt_1,\ctxt_2)\bigr):
    M1=Σ.Dec(K1,C1)\ptxt_1 = \Sigma.\Dec(\key_1, \ctxt_1)
    M2=Σ.Dec(K2,C2)\ptxt_2 = \Sigma.\Dec(\key_2, \ctxt_2)
    return M1M2\ptxt_1 \oplus \ptxt_2
  23. Show that there is a polynomial-time calling program that can distinguish Lmac-real\lib{mac-real} from Lmac-ideal\lib{mac-ideal} (lemma 9.4.1) with advantage 1/2n1/2^n, when the PRF has output length nn.

  24. Suppose we want to compute a MAC of a pair of strings (A,B)(A,B). This situation refers to lemma 9.4.1, where the XX-values are not strings but pairs of strings. Seeing the correct tag for many choices of (A,B)(A,B) should not make it easier to guess the correct tag for any different (A,B)(A,B).

    1. Show that if AA and BB can be variable-length, then F(K,AB)F(\key, A\|B) is not a secure way to compute a MAC of the pair (A,B)(A,B).

    2. Suggest a secure way to MAC a pair of strings and prove that your construction satisfies the MAC property from lemma 9.4.1.

  25. Suppose we instantiate the encrypt-then-MAC recipe with the (CPA-secure) encryption scheme from construction 8.3.1 and 2-block CBC-MAC. The result would be secure if the encryption and MAC use independent keys. Show that the result does not achieve CCA security if the same key is used for both components, even if FF is a secure PRF:

    Enc(K,M)\Enc(\key, \ptxt):
    // CPA encryption:
    R{0,1}λR \gets \bits^\secpar
    S:=F(K,R)MS := F(\key,R) \oplus \ptxt
    // CBC-MAC of RSR\|S
    T:=F(K,RF(K,S))T := F\bigl(\key, R \oplus F(\key,S) \bigr)
    return RSTR\|S\|T
    Dec(K,RST)\Dec(\key, R \| S \| T):
    // check MAC:
    if TF(K,RF(K,S))T \ne F\bigl(\key, R \oplus F(\key,S) \bigr):
    return err\myerr
    // CPA decryption:
    return F(K,R)SF(\key,R) \oplus S
  26. This problem is the same as the previous, except now we use 1-block CBC encryption. Show that the following scheme does not achieve CCA security if the same key is used for both components, even if FF is a secure PRF:

    Enc(K,M)\Enc(\key, \ptxt):
    // CPA encryption:
    R{0,1}λR \gets \bits^\secpar
    S:=F(K,RM)S := F(\key,R \hl{ \oplus \ptxt} )
    // CBC-MAC of RSR\|S
    T:=F(K,RF(K,S))T := F\bigl(\key, R \oplus F(\key,S) \bigr)
    return RSTR\|S\|T
    Dec(K,RST)\Dec(\key, R \| S \| T):
    // check MAC:
    if TF(K,RF(K,S))T \ne F\bigl(\key, R \oplus F(\key,S) \bigr):
    return err\myerr
    // CPA decryption:
    return F1(K,S)RF^{-1}(\key,S) \oplus R
  27. Recall the CPA-secure encryption scheme from construction 8.3.1. It encrypts one plaintext block into two ciphertext blocks, the first of which is sampled uniformly. When using this encryption scheme in the encrypt-then-MAC recipe, you might be tempted to MAC only the second ciphertext block, since the plaintext does not affect the first ciphertext block. Show that the resulting scheme does not achieve CCA security, even if FF is a secure PRF:

    Enc(KeKm,M)\Enc\bigl(\key_e\|\key_m, \ptxt\bigr):
    // CPA encryption:
    R{0,1}λR \gets \bits^\secpar
    S:=F(Ke,R)MS := F(\key_e,R) \oplus \ptxt
    // MAC of SS only:
    T:=F(Km,S)T := F(\key_m,S)
    return RSTR\|S\|T
    Dec(KeKm,RST)\Dec\bigl(\key_e \| \key_m, R \| S \| T\bigr):
    // check MAC of SS only:
    if TF(Km,S)T \ne F(\key_m,S):
    return err\myerr
    // CPA decryption:
    return F(Ke,R)SF(\key_e,R) \oplus S
  28. Encrypt-and-encrypted-MAC refers to the following combination of a CPA-secure encryption scheme Σ\Sigma and MAC/PRF FF:

    Enc((Ke,Km),M)\Enc\bigl( (\key_e,\key_m), \ptxt \bigr):
    C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
    // compute MAC of plaintext
    T:=F(Km,M)T := F(\key_m, \hl{\ptxt})
    // encrypt tag
    T:=Σ.Enc(Ke,T)T^* := \Sigma.\Enc(\key_e, T)
    return CT\ctxt \| T^*
    \quad
    Dec((Ke,Km),CT)\Dec\bigl( (\key_e,\key_m), \ctxt \| T^* \bigr):
    T:=Σ.Dec(Ke,T)T := \Sigma.\Dec(\key_e, T^*)
    M:=Σ.Dec(Ke,C)\ptxt := \Sigma.\Dec(\key_e, \ctxt)
    if F(Km,M)TF(\key_m, \ptxt) \ne T: return err\myerr
    return M\ptxt

    Show that the scheme is not CCA-secure, no matter the choice of Σ\Sigma.

  29. Let Σ\Sigma be a CPA-secure SKE scheme, and define the new variant Σ\Sigma' via:

    Σ.Enc(K,M)\Sigma'.\Enc(\key,\ptxt):
    C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
    return C0\ctxt \| \bit0
    \quad
    Σ.Dec(K,C)\Sigma'.\Dec(\key,\ctxt):
    C:=C\ctxt':= \ctxt, with its last bit removed
    return Σ.Dec(K,C)\Sigma.\Dec(\key,\ctxt')

    Thus, Σ.Dec\Sigma'.\Dec ignores the last bit of its ciphertext.

    1. Prove that if Σ\Sigma has CPA security, then Σ\Sigma' does too.

    2. Prove that MAC-then-encrypt (described in section 9.5; not encrypt-then-MAC!) is not CCA-secure, if it is instantiated with Σ\Sigma' as its CPA-secure component. Thus, there exist CPA-secure schemes that are incompatible with MAC-then-encrypt. The decryption algorithm for MAC-then-encrypt is not given in the text. Assume that it verifies the MAC tag in the obvious way.

  30. Prove that MAC-then-encrypt (section 9.5; not encrypt-then-MAC!) is CCA-secure (or AE-secure) when applied to CTR mode (construction 8.5.4).

  31. Consider the following encoding method.

    • encode(X)\textsf{encode}(X): Replace each 0\bit0 in XX with 01\bit{01}, and replace each 1\bit1 in XX with 11\bit{11}. The result is twice as long as XX.

    • decode(Y)\textsf{decode}(Y): Break YY into chunks of 2 bits. Replace each 11\bit{11} chunk with 1\bit{1}, and any other chunk with 0\bit{0}.

    Note that decode(encode(X))=X\textsf{decode}(\textsf{encode}(X)) = X for all strings XX.

    Now consider the following encryption scheme, which is MAC-then-encrypt, applied to a variant of CTR mode that first encodes the plaintext with encode()\textsf{encode}(\cdot):

    Enc(KeKm,M)\Enc(\key_e\|\key_m, \ptxt):
    // encode plaintext
    M1M=encode(M)\ptxt_1 \| \cdots \| \ptxt_\ell = \hl{\textsf{encode}}(\ptxt)
    // MAC (original) plaintext
    M+1:=F(Km,M)\ptxt_{\ell+1} := F(\key_m, \ptxt)
    // CTR-mode encrypt plaintext + tag
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    for i=1i = 1 to +1\ell+1:
    Ci:=F(Ke,C0+i1)Mi\ctxt_i := F(\key_e, \ctxt_0 + i-1) \oplus \ptxt_i
    return C0C1C+1\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_{\ell+1}
    Dec(KeKm,C0C+1)\Dec(\key_e\|\key_m, \ctxt_0 \| \cdots \| \ctxt_{\ell+1}):
    // CTR-mode decryption
    for i=1i = 1 to +1\ell+1:
    Mi:=F(Ke,C0+i1)Ci\ptxt_i := F(\key_e, \ctxt_0 + i-1) \oplus \ctxt_i
    // decode original plaintext
    M:=decode(M1M)\ptxt := \hl{\textsf{decode}}(\ptxt_1 \| \cdots \| \ptxt_\ell)
    // verify tag
    if F(Km,M)M+1F(\key_m, \ptxt) \ne \ptxt_{\ell+1}: return err\myerr
    return M\ptxt
    1. Prove that this encryption scheme is CPA-secure if FF is a secure PRF. You can use the fact that normal CTR encryption (construction 8.5.4) is CPA-secure.

    2. Suppose an adversary has access to the following interface:

      KeKm{0,1}2λ\key_e \| \key_m \gets \bits^{2\secpar}
      is_valid(C)\subname{is\_valid}(\ctxt):
      if err==Dec(KeKm,C)\myerr == \Dec(\key_e\|\key_m, \ctxt): return false\myfalse
      return true\mytrue

      Here Dec\Dec refers to the decryption algorithm given above. Show that the adversary can use this interface to compute Dec(KeKm,C)\Dec( \key_e \| \key_m, \ctxt) for any C\ctxt of its choice.

  32. Formally prove claim 9.6.3 (AE implies CCA).

  33. Let Σ\Sigma be a secure AE scheme, and let FF be a secure PRF. Append λ\secpar bits to Σ\Sigma's secret key (ignored by the encryption algorithm), and modify Σ\Sigma's decryption algorithm as follows:

    Dec(K1K2,C)\Dec^*(\key_1 \| \key_2, \ctxt):
    M:=Dec(K1,C)\ptxt := \Dec(\key_1, \ctxt)
    if M==err\ptxt == \myerr:
    return F(K2,C)F(\key_2, \ctxt)
    else: return M\ptxt

    The modified scheme no longer has AE security, since its Dec\Dec algorithm never returns err\myerr. Nevertheless, prove that it is CCA secure.

  34. Let FF be a secure SPRP with blocklength n+2λn + 2\secpar. Prove that the following encryption scheme satisfies AE security:

    K={0,1}λM={0,1}nC={0,1}n+2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^n \\ \C &= \bits^{n+2\secpar} \end{aligned}
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=F(K,MR0λ)C := F(\key, \ptxt \| R \| \bit0^\secpar)
    return CC
    Dec(K,C)\Dec(\key,C):
    Y:=F1(K,C)Y := F^{-1}(\key,C)
    if last λ\secpar bits of Y0λY \ne \bit0^\secpar:
    return err\myerr
    else: return first nn bits of YY

    (Compare to exercise 9.9.)

  35. Let Σ\Sigma be a secure AE scheme, with Σ.M={0,1}n+λ\Sigma.\M = \bits^{n+\secpar}. Prove that the following encryption scheme also has AE security:

    Σ2.K=Σ.KΣ2.M={0,1}nΣ2.C=Σ.C×Σ.C\begin{aligned} \Sigma_2.\K &= \Sigma.\K \\ \Sigma_2.\M &= \bits^n \\ \Sigma_2.\C &= \Sigma.\C \times \Sigma.\C \end{aligned}
    \quad
    Σ2.Enc(K,M)\Sigma_2.\Enc( \key, \ptxt ):
    R{0,1}λR \gets \bits^\secpar
    C1=Σ.Enc(K,MR)\ctxt_1 = \Sigma.\Enc(\key, \ptxt \| R)
    C2=Σ.Enc(K,MR)\ctxt_2 = \Sigma.\Enc(\key, \ptxt \| R)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    Σ2.Dec(K,(C1,C2))\Sigma_2.\Dec( \key, (\ctxt_1,\ctxt_2)):
    M1=Σ.Dec(K,C1)\ptxt_1 = \Sigma.\Dec(\key, \ctxt_1)
    M2=Σ.Dec(K,C2)\ptxt_2 = \Sigma.\Dec(\key, \ctxt_2)
    if err{M1,M2}\myerr \in \{ \ptxt_1, \ptxt_2 \}: return err\myerr
    if M1M2\ptxt_1 \ne \ptxt_2: return err\myerr
    return first nn bits of M1\ptxt_1
  36. Write a reasonable definition of AE security for a nonce-based (rather than randomized) encryption scheme. The adversary should not be allowed to repeat nonces in calls to Enc\Enc, but it may repeat them in calls to Dec\Dec. Describe how to construct secure nonce-based AE from CPA-secure nonce-based encryption, and prove the security of your construction.

  37. Let F±F^{\pm} be a secure SPRP with blocklength n+λn + \secpar. Prove that the following nonce-based scheme achieves the nonce-based AE security definition from the previous exercise.

    K={0,1}λN={0,1}λM={0,1}nC={0,1}n+λ\begin{aligned} \K &= \bits^\secpar \\ \N &= \bits^\secpar \\ \M &= \bits^n \\ \C &= \bits^{n+\secpar} \end{aligned}
    \quad
    Enc(K,N,M)\Enc(\key,N,\ptxt):
    C:=F(K,MN)\ctxt := F(\key, \ptxt \| N)
    return C\ctxt
    Dec(K,N,C)\Dec(\key,N,\ctxt):
    // M=n;N=λ|\ptxt| = n; |N'| = \secpar:
    MN:=F1(K,C)\ptxt \| N' := F^{-1}(\key, \ctxt)
    if NNN \ne N': return err\myerr
    else: return M\ptxt

    It is important that the set of possible nonces is N={0,1}λ\N = \bits^\secpar, so be sure your proof uses this fact.

  38. Let Σ\Sigma be a secure AE scheme, and let FF be a PRF with inputs and outputs of length λ\secpar. Consider the following encryption scheme that supports associated data:

    K=Σ.K×{0,1}λA={0,1}nM=Σ.MC()=Σ.C()×{0,1}λ\begin{aligned} \K &= \Sigma.\K \times \bits^\secpar \\ \A &= \bits^n \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \times \bits^\secpar \end{aligned}
    Dec(KeKm,A,CT)\Dec\bigl( \key_e \| \key_m, A, \ctxt\|T \bigr):
    if TF(Km,A)T \ne F(\key_m, A): return err\myerr
    return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt)
    Enc(KeKm,A,M)\Enc\bigl( \key_e \| \key_m , A, \ptxt \bigr):
    C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
    T:=F(Km,A)T := F(\key_m, A)
    return CT\ctxt \| T

    Show that the scheme is not a secure AEAD.

  39. Let Σ\Sigma be a secure AE scheme, and consider the following encryption scheme that supports associated data:

    K=Σ.KM=Σ.MC()=Σ.C(+n)\begin{aligned} \K &= \Sigma.\K \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell+n) \end{aligned}
    Enc(K,A,M)\Enc\bigl( \key, A, \ptxt \bigr):
    C:=Σ.Enc(K,MA)\ctxt := \Sigma.\Enc(\key, \ptxt \| A)
    return C\ctxt
    \quad
    Dec(K,A,C)\Dec\bigl( \key, A, \ctxt \bigr):
    // A=n|A'| = n:
    MA:=Σ.Dec(K,C)\ptxt \| A' := \Sigma.\Dec(\key,\ctxt)
    if AAA \ne A': return err\myerr
    return M\ptxt
    1. Prove that if A={0,1}n\A = \bits^n, then the new scheme is a secure AEAD.

    2. Suppose instead that A={0,1}\A = \bits^*. Show that the resulting scheme is not a secure AEAD.

    Thus, this construction is secure for fixed-length associated data, but not variable-length.

  40. Let Σ\Sigma be a CPA-secure encryption scheme, and let FF be a secure variable-length PRF with λ\secpar bits of output. Consider the following variant of encrypt-then-MAC that incorporates associated data. Differences from standard encrypt-then-MAC have been highlighted:

    K=Σ.K×{0,1}λM=Σ.MC()=Σ.C()×{0,1}λ\begin{aligned} \K &= \Sigma.\K \times \bits^\secpar \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \times \bits^\secpar \end{aligned}
    Enc((Ke,Km),A,M)\Enc\bigl( (\key_e,\key_m), \hl{A,} \ptxt \bigr):
    C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
    T:=F(Km,CA)T := F(\key_m, \ctxt \hl{\| A})
    return CT\ctxt \| T
    Dec((Ke,Km),A,CT)\Dec\bigl( (\key_e,\key_m), \hl{A,} \ctxt \| T \bigr):
    if F(Km,CA)TF(\key_m, \ctxt \hl{\|A}) \ne T: return err\myerr
    return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt)
    1. Prove that if A={0,1}n\A = \bits^n (the set of allowed associated data strings), then the scheme is a secure AEAD.

    2. Show that if A={0,1}\A = \bits^*, and Σ\Sigma is CBC encryption, then the scheme is not a secure AEAD.

    3. Suggest how to modify the scheme to support A={0,1}\A = \bits^*.

  41. Let Σ\Sigma be a secure AE scheme with key space K={0,1}λ\K = \bits^\secpar, and let FF be a secure variable-length PRF with λ\secpar bits of output. Prove that the following encryption scheme is a secure AEAD:

    K={0,1}λA={0,1}M=Σ.MC()=Σ.C()\begin{aligned} \K &= \bits^\secpar \\ \A &= \bits^* \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \end{aligned}
    Enc(K,A,M)\Enc\bigl( \key, A, \ptxt \bigr):
    K:=F(K,A)\key^* := F(\key, A)
    C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key^*, \ptxt)
    return C\ctxt
    Dec(K,A,C)\Dec\bigl( \key, A, \ctxt \bigr):
    K:=F(K,A)\key^* := F(\key, A)
    return Σ.Dec(K,C)\Sigma.\Dec(\key^*, \ctxt)

Chapter Notes

The first, and most well-known, format-oracle attack is due to Bleichenbacher [48], who used it to attack the padding used in the RSA-PKCS#1 encryption standard. Before then, chosen-ciphertext attacks were often considered to be of only theoretical interest. Chosen-ciphertext attacks, especially in the context of RSA, are sometimes called Bleichenbacher attacks.

Vaudenay was the first to describe the classic padding-oracle attack on CBC mode, from exercise 9.6 [214]. The attack was later extended to work through a timing side-channel by Canvel, Hiltgen, Vaudenay, and Vuagnoux [61]. These attacks resulted in a total break of certain implementations of the SSL protocol.

Various format-oracle attacks were identified and studied by Mitchell [164]. One category of format-oracle attack involves a victim who determines how much data to process based on the contents of a ciphertext. Albrecht, Paterson, and Watson use an attack of this kind to break older versions of the SSH protocol [1]. AlFardan and Paterson use an attack of this kind to break older versions of the TLS protocol [2].

Jager and Somorovsky [126] devised an attack on a standard for XML encryption, which exposed a format oracle for the XML file format. The term “format-oracle attack” is due to Maury, Reinhard, Levillain, and Gilbert [157], who describe several format-oracle attacks that exploit internal data formats in OpenPGP. Garman, Green, Kaptchuk, Miers, and Rushanan [106] discovered a format-oracle attack on the Apple iMessage system, involving the gzip compression format.

Our definition of CCA security is commonly known as “IND-CCA2” in the literature, and was first introduced (in the context of public-key encryption) by Rackoff and Simon [187]. An earlier security definition, known as IND-CCA1, was introduced by Naor and Yung [170]. In IND-CCA1, the adversary is forbidden from accessing the decryption functionality after receiving a challenge ciphertext.

Katz and Yung comprehensively study a variety of security definitions for symmetric-key encryption, showing separations, equivalences, and implications among all of them [130]. Bellare, Hofheinz, and Kiltz study four natural but slightly different ways to formalize CCA security in the left-or-right paradigm, and find that not all are equivalent [19]. In any such security definition involving chosen ciphertext attacks, the libraries must handle the case that the adversary asks to decrypt one a challenge ciphertext. Exercise 9.8 explores a different approach that the library can take to handle these situations. Rogaway and Zhang propose a systematic way to address these kinds of situations in security definitions [196], not limited to just CCA security.

Gilbert, MacWilliams, and Sloane were the first to formalize the problem of symmetric-key authentication [110], for which MACs are the solution. In the paper that first introduces PRFs, Goldreich, Goldwasser, and Micali observe the natural connection between PRFs and MACs [113].

Our definition of a MAC allows the adversary to make any number of mac.guess\macguess queries. In some traditional security definitions for a MAC, the adversary is allowed at most one query to mac.guess\macguess. This restricted security definition is equivalent to ours, in most situations. The exception is the case of plain/weak unforgeability against a MAC scheme with noncanonical verification algorithm. Bellare, Goldreich, and Mityagin construct a contrived counterexample MAC scheme that is secure against adversaries making a single mac.guess\macguess query but insecure in general [17].

Bellare and Namprempre [24] classify different ways to construct authenticated encryption from a CPA-secure encryption and a MAC. Although MAC-then-encrypt is not always secure, Krawczyk [140] showed that it is secure when the encryption method is CBC or CTR. Exercise 9.31 is from [140].

Namprempre, Rogaway, and Shrimpton [168] discuss how the encrypt-then-MAC construction is sensitive to subtleties in how the encryption and MAC components are formalized (nonce-based vs. randomized, left-or-right vs. real-or-random) and how associated data is incorporated.

Our security definition for AE is most similar to the one from Rogaway and Shrimpton [195], building on an earlier proposal of Shrimpton [207]. The idea of incorporating associated data into encryption is due to Rogaway [190].

  1. Previous Chapter8. Chosen-Plaintext Attacks Against Encryption
  2. Next Chapter10. Collision-Resistant Hash Functions