Chosen-Ciphertext Attacks Against Encryption
Imagine you discover a bug in your company's flagship software product. It decrypts ciphertexts received from the network, but a bug causes a crash if the resulting plaintext includes a null character. Luckily, you are absolutely confident that no plaintext with a null character is ever encrypted. So you might conclude that this weird bug will never be triggered, and that the software will never crash in this way.
Depending on the choice of encryption scheme, you might be totally wrong! In some schemes, including all of the ones we've seen so far, an adversary can trigger the bug. What's worse, by observing which ciphertexts trigger the crash and which don't, the adversary can completely break the encryption scheme!
9.1. Format-oracle attacks and malleability
Let's formalize the important features of the scenario described above. The victim decrypts each ciphertext it receives. To keep things concrete, let's assume the victim uses CTR mode encryption (construction 8.5.4). The adversary learns whether the resulting plaintext contains a null character. It doesn't actually matter how the adversary learns this information: It could be due to a crash (e.g., a webserver giving http response code 500), an error message, or from the expected functionality of the software. All that matters is that the adversary can learn the answer to this single yes/no question about ciphertexts that it provides.
We can formalize the situation by imagining the adversary having access to the following library:
In this section we will write bytes/characters in hex like , , etc. The null character is .
Why is this subroutine called ? In colloquial language, an oracle is a mystic who answers questions on behalf of the gods, often in an enigmatic way. You might need to do a bit of work to decipher the mysterious answers you get from an oracle. In cryptography and other areas of computer science, an oracle is an algorithm that solves a very specific kind of problem, which you might be allowed to call on inputs of your choice but not “look inside.” You might use an oracle that solves one kind of problem to help solve a different one.
Our scenario provides the adversary with an oracle that answers a very specific question: Does the decryption of this ciphertext contain any null characters? We will show the surprising fact that if you can obtain answers to these kinds of questions, then you can completely decrypt any ciphertext of your choice!
An adversary who has access to can efficiently compute for any .
9.1.1. CTR mode is malleable
To understand the null-oracle attack, we must first understand a curious property of CTR mode. Given a ciphertext , the decryption algorithm computes the first output block as:
How does the output of change if we flip some bits in ? Flipping certain bits is the same as xor'ing with a certain string ( contains in each position whose bit should flip). If we replace with , then the decryption algorithm computes its first output block as:
In other words, if we flip some bits in , then the corresponding bits will flip in . Of course, there is nothing special about the first block in CTR mode; the same is true for all ciphertext blocks, apart from the IV:
In CTR mode,
So, even without knowing what is inside a ciphertext, we can make predictable changes to its contents. We call this kind of property malleability:
An encryption scheme is malleable if (informally), given an encryption of an unknown plaintext , it is possible to create a new ciphertext where is somehow related to , so that reveals some information about .
CTR mode is malleable via xor in quite an extreme way. Given an encryption of an unknown plaintext , it is possible to create a new ciphertext that decrypts to , for any of our choice.
9.1.2. The attack
So how does CTR mode's malleability lead to an attack that lets the adversary decrypt arbitrary ciphertexts? Suppose the adversary captures a ciphertext and wants to discover the unknown value .
Suppose the last byte of is , so we can write as . What will happen if the adversary sends the ciphertext to the null-character oracle? Applying fact 9.1.2, we can deduce that this ciphertext decrypts to:
Since the modified ciphertext decrypts to a plaintext that contains a null byte, the oracle will respond with .
The adversary probably doesn't know the last plaintext byte in advance. However, it can generate and send the following 255 ciphertexts to the null-oracle:
One of these ciphertexts will cause to return , and that special ciphertext will reveal the last character of the original (secret) . For example, if responds on input , then the adversary can conclude that last byte of is .
Again, there is nothing special about the last ciphertext byte. The same approach can be used to discover any byte of the original plaintext, by xor'ing the corresponding byte of ciphertext with all 255 possible guesses.
Isn't this just a brute-force attack?
Yes and no.
It is a brute-force attack on each byte of the plaintext, independently.
To recover an entire -byte plaintext, the attack needs to call at most times.
A brute-force attack on the entire plaintext would require effort, since that's how many -byte (null-free) strings there are.
This attack is exponentially faster.
This attack requires the adversary to make a lot of queries. Can't it be mitigated by rate-limiting the number of ciphertexts any user can send?
Maybe, but this is a cryptography book!
Wouldn't it be preferable to completely invalidate the attack at the cryptographic level, rather than continue to use an encryption scheme with such a dangerous property?
That's what we'll do in the rest of the chapter.
Can't you mitigate the attack by simply fixing the bug that crashes when encountering a null byte?
The null-character attack was just one illustrative example of a larger class of attacks called format-oracle attacks.
Format-oracle attacks can exist even without any implementation bugs.
To perform a format-oracle attack, we simply need a victim who accepts untrusted ciphertexts from the outside world, decrypts them, and then, depending on the result of decryption, does either one thing or another, in a way that is visible to the adversary.
The last step can be due to an accidental bug or the intended functionality of the system.
Here are a few real-world examples of format-oracle attacks.
-
The most famous example is a padding-oracle attack. CBC mode requires padding (section 8.6) to support non-block-aligned plaintexts. Many real-world implementations were written without considering the possibility of invalid padding, so they crash when they encounter it. In other words, they expose to the adversary an oracle reporting whether the string has valid padding. When this happens, the adversary can decrypt arbitrary plaintexts. Padding oracle attacks are behind several real-world attacks on the SSH and SSL/TLS protocols.
-
A victim uses the contents of a ciphertext to determine how much data to process internally. For example, the victim interprets the plaintext as a number and performs operations. The adversary can deduce roughly how much data is processed by carefully measuring the victim's response time. In other words, the adversary obtains access to an oracle revealing some (approximate) numerical values inside . Attacks of this kind have been used to successfully break older versions of the SSH and SSL/TLS protocols.
-
Older versions of Apple iMessage used gzip compression, and would respond differently based on whether a ciphertext decrypted to a valid gzip file or not. That is, they exposed an oracle reporting whether is a valid gzip file. With a clever understanding of the gzip file format, an adversary could use this oracle to silently recover private messages.
-
A victim may decrypt a ciphertext and return an error if the result is not a valid XML file, exposing an XML-format oracle. This XML format oracle can be used to decrypt arbitrary plaintexts.
See the chapter notes for further reading about these attacks. Some of them are explored in the exercises.
I thought CTR mode was secure, and now you are saying it's not?
CTR mode is indeed CPA-secure, but CPA security is not enough.
In the null-oracle attack scenario, the victim runs the decryption algorithm on ciphertexts chosen by the adversary, even if it's only to check whether the resulting plaintext contains any null characters.
The CPA attack scenario does not consider this case.
9.2. Defining security against chosen-ciphertext attacks
Format-oracle attacks demonstrate that CPA-secure encryption doesn't always meet our expectations. We expect that the subroutine will give the adversary the ability to learn whether the victim's plaintexts contain null characters. If the victim is careful enough to avoid null characters in its plaintexts, then we expect to always return , and to therefore be useless. But, contrary to those expectations, gives the adversary the ability to completely decrypt ciphertexts.
Real-world systems receive ciphertexts from the network, decrypt those ciphertexts, and then do something based on the result. But the CPA attack scenario doesn't involve the decryption algorithm at all, so CPA security can't tell us what happens in real-world situations like these. When a victim decrypts ciphertexts chosen by the adversary, we describe the situation as a chosen-ciphertext attack.
First attempt at a security definition: We can follow our usual approach to formalize an attack scenario. In a chosen-ciphertext attack, a victim runs both the encryption and decryption algorithms, manages the secret key, but leaves everything else under control of the adversary. In the real-or-random paradigm, we say that an encryption scheme is secure if its ciphertexts are pseudorandom.
Following this reasoning, we would say that the scheme is secure against chosen-ciphertext attacks if the following two libraries are indistinguishable:
Unfortunately, these libraries don't lead to a useful security definition, because they can never be indistinguishable. An adversary can call to get a ciphertext , then give immediately as input to . In , the result will always be . In , the result is unlikely to be because is a meaningless string that is unrelated to . An adversary can always successfully distinguish these two libraries with this simple strategy.
The Real Definition: To arrive at the actual definition of chosen-ciphertext security, we must make one small modification to the library. We usually call a ciphertext produced as output of a challenge ciphertext. When is given such a challenge ciphertext that was the result of a previous call to , rather than trying to decrypt it as usual, it should “lie” and simply give as the response. This modification is enough to thwart the simple attack described above, and it results in a security definition that can be achieved.
An encryption scheme has security against chosen-ciphertext attacks (CCA security) if the following two libraries are indistinguishable:
uses a dictionary to keep track of how to respond to requests to decrypt challenge ciphertexts.
A Metaphor for CCA Security: It's normal to be a little confused by the CCA security definition. I like the following physical metaphor: I will place any message of your choice into a special “challenge” envelope and seal it. I will gladly open any envelope in the universe that you bring to me; however, there is no need for me to open the challenge envelope, since we both already know what's inside. Of course, the contents of other envelopes have nothing to do with the contents of challenge envelope. In fact, the contents of other envelopes won't even help you discover that I was actually lying to you! What you thought was the challenge envelope was actually a decoy piece of paper disguised to look like an envelope. My challenge “envelope” doesn't have a message inside—it doesn't even have an inside.
CTR mode encryption fails this envelope metaphor because of its malleability. Returning to the physical analogy, malleability is like having a weird machine that can clone sealed envelopes while modifying what's inside. Put a sealed envelope containing into the cloning machine (along with a string ), and what comes out is a different sealed envelope containing . Now opening these clones (revealing ) will help you learn what's inside the special envelope.
What does it mean for encryption to be secure, against an adversary who can run the decryption algorithm?
When a security definition gives some information to the adversary, it's our way of saying “it's safe to use this information however you like,”
because giving the information directly to the adversary is the worst case.
The CCA security definition formalizes the idea that “it's safe to use the outputs of however you like.” There will be no unintended consequences like in a format-oracle attack: What you see is what you get. If the functionality of your system reveals some partial information about to an adversary, and the encryption scheme is CCA-secure, then that's the only thing the adversary can learn about the contents of ciphertexts.
9.2.1. ☆ Other approaches for defining security
Definition 9.2.1 is not the most common way to define CCA security in the cryptographic literature.
-
Like all security definitions in this book, definition 9.2.1 follows the real-or-random paradigm. It is possible (and more traditional) to define CCA security in the left-or-right style—the result would generalize the left-or-right definition for CPA security from definition 8.1.2.
-
Any definition of CCA security must deal with the event that the adversary invokes on a challenge ciphertext. Our approach, taken in definition 9.2.1, is to “patch” in to always give the “expected result” for these special ciphertexts. A different (and more traditional) approach is to make in both libraries simply refuse to decrypt challenge ciphertexts. The two approaches are equivalent (see exercise 9.8).
The standard, traditional way to define CCA security (which you might see in other resources) uses the left-or-right paradigm and also refuses to decrypt the challenge ciphertexts. The two libraries look like this:
9.3. Chosen-ciphertext attack strategies
The best way to get a better intuition about CCA security is to attack the encryption schemes that we've already studied.
9.3.1. A first example
Let's start with the first CPA-secure encryption scheme we saw, construction 8.3.1:
This scheme is not CCA-secure. In other words, there is an efficient attack that can distinguish the following two libraries:
Notice that the entire ciphertext is used as the index in . This is an important fact about the CCA security definition.
When indexes into the dictionary, it treats the entire ciphertext as a monolithic string. It doesn't care about the internal structure of ciphertexts.
Have you already noticed that this encryption scheme is simply CTR mode restricted to a single block? Then it's no surprise that the attack against this scheme involves CTR mode's malleability. Translating fact 9.1.2 to the terminology of this 1-block scheme, we know:
if then
You can see malleability reflected in the schematic diagram of this scheme's decryption algorithm. Changes to the ciphertext block are propagated directly to the output plaintext , because the “path” from to includes only an xor operation.
A calling program to the libraries can use this malleability to attack CCA security as follows:
When this calling program is linked to , it returns with probability 1, thanks to the scheme's malleability property.
What about when it is linked to ? We can understand the behavior of through the following observations:
-
is called once, which has the effect of assigning .
-
Since , the ciphertext is different from . Therefore, the call to will find undefined. It doesn't matter that both of these ciphertexts have the same ! doesn't “see” the internal structure of ciphertexts; it treats them as monolithic strings. The strings and are different strings.
-
The library writes to but never reads from it. Hence, it does not use the value of at all.
-
The calling program does not use the value of until its return statement.
These observations imply that the choice of is independent of everything that happens before the calling program's return statement. We can imagine an equivalent computation in which is sampled at the last possible moment, just before the return statement, and after and have been fixed. Once these values have been fixed, there is only one choice of that satisfies the condition and causes the calling program to return . Since is chosen uniformly, the probability that the calling program returns is only . (This is why it was convenient to sample uniformly in this attack, rather than let it be arbitrary.)
Since the two probabilities differ by more than a negligible amount, the attack is successful and the scheme does not have CCA security.
This attack is the simplest example of a common strategy for chosen-ciphertext attacks:
To break the CCA security of a scheme:
-
Study the decryption algorithm of the scheme. It often helps to draw a schematic diagram.
-
See whether any changes to a ciphertext make a predictable change to the plaintext.
-
Formalize an attack in which the adversary (1) requests the encryption of a chosen plaintext; (2) modifies the ciphertext as above; (3) asks for the modified ciphertext to be decrypted.
9.3.2. A second example
The previous scheme was malleable via xor, a fact that you could see reflected in the schematic diagram of its decryption algorithm. Let's try a harder challenge, with a scheme that does not have such obvious malleability.
Focusing on the decryption algorithm, changes to or to propagate through an instance of or before affecting the output plaintext. From the adversary's perspective, acts like a random function; any change in an input leads to an unpredictable change in the output. Hence, unlike in the previous scheme, the adversary cannot predict how a change to the ciphertext will affect the plaintext.
To attack this new scheme, we need a new approach, which I call the Frankenstein strategy. Ciphertexts in this scheme have two halves, so what would happen if we mix and match the halves of two different ciphertexts? Surprisingly, something interesting:
In the scheme above, if and are encryptions of the same plaintext (say, ), then and are also encryptions of the same plaintext (but possibly different than ).
If and encrypt the same plaintext , then they satisfy the following relationship:
Now follow the decryption algorithm on and :
An adversary will probably not be able to predict this value, but both ciphertexts decrypt to this same value.
We are now ready to formalize the attack. We will refer to the new “mismatched” ciphertexts and as Frankenstein ciphertexts. A chosen-ciphertext attack against the scheme is a program that successfully distinguishes the following two libraries:
The calling program is as follows:
When linked to , the program outputs with probability 1 according to claim 9.3.1. When is linked to , we must consider two cases:
-
Case 1: If or (or both) then we in fact have:
The Frankenstein ciphertexts are the same as the original ciphertexts (this also includes the case where all four ciphertexts are the same). In other words, the calling program calls on the original challenge ciphertexts, which will be found in . Thus, both calls to will return , and the calling program returns . Since are distributed uniformly, the probability of this case is at most .
-
Case 2: and . Then the original ciphertexts and Frankenstein ciphertexts are all distinct. So when the calling program calls , the Frankenstein ciphertexts will not be found in , and the library will proceed to decrypt them as usual. The two resulting plaintexts are identical, and returns , if and only if:
The last step follows by applying to both sides, to cancel . The final condition happens with probability because and are sampled uniformly in , and independent of .
The overall probability that the calling program outputs is at most the sum of these two cases, . The difference between output probabilities for and is nonnegligible, so the scheme does not have CCA security.
Try the following approach in a chosen-ciphertext attack:
-
Request two separate encryptions of chosen plaintexts; it often helps to use the same plaintext.
-
Mix and match parts of the resulting ciphertexts to obtain two Frankenstein ciphertexts.
-
Ask for the Frankenstein ciphertexts to be decrypted and see whether anything interesting happens.
9.4. Message authentication codes
Chosen-ciphertext attacks have shown us that there is risk involved when decrypting a ciphertext that has been crafted by the adversary. Imagine there was some way to “certify” that a ciphertext was not adversarially generated, but was generated by someone who knows the secret key. Such a certification would give the decryption algorithm a way to distinguish honestly generated ciphertexts from adversarially generated ones, so that it could refuse to decrypt (e.g., return an error) the adversarially generated ones.
What we are asking for is not to hide the ciphertext but to authenticate it: to ensure that it was generated by someone who knows the secret key. Later we will discuss how to apply this idea to chosen-ciphertext attacks; for now, let's develop more clarity about authenticating that some data was generated/chosen by someone who knows the secret key.
Let's begin with a simple thought experiment. I choose a string uniformly at random from , but keep it secret. Will you be able to guess what it is? Probably not! Even if I let you have many guesses (any polynomial in ) you will guess correctly only with negligible probability.
Now suppose that instead of one string, I have many strings stored in a random dictionary; let's call it . Each is chosen uniformly and independently. You can ask me to reveal any value in the dictionary; just provide its location and I will tell you . You can also try to guess a value, by providing and your guess for . Is it possible for you to correctly guess a string that I haven't yet revealed? Again, the answer is no, except with negligible probability. Since all of the strings are chosen independently, seeing other strings doesn't help you correctly guess this string.
If we now replace the random dictionary with a PRF, we will have what is called a message authentication code (MAC). For every string , the PRF output is hard to predict by someone who doesn't know , even if they are allowed to see PRF outputs for other strings . Thus, only someone who knows can generate a pair .
We call the tag (or MAC tag) of ; it authenticates . If you see accompanied by the correct value , you can conclude that someone who knows has vouched for . (Be careful: It doesn't mean that the person you're currently talking to knows ; perhaps that person is replaying a correct pair that they heard from someone else who knows the key.)
A tag can be verified by recomputing the “correct” tag using the secret key, and comparing it to the given tag. A forgery occurs when an adversary generates a correct tag without having seen it before. The security guarantee of a MAC is that it is hard to generate a forgery, even after seeing many examples of correct tags. We can formalize this MAC property of PRFs as follows:
If is a secure PRF with output length , then the following two libraries are indistinguishable:
These two libraries may seem strange, because this is the first time we are using libraries to define an authenticity property rather than a privacy (information-hiding) property. You can make sense of the libraries in the following way:
-
In , it is possible for to output before has been called.
-
In , it is not possible for to output before has been called, because remains undefined until has been called.
-
Thus, if an adversary can correctly guess a valid tag “early,” before it is revealed, then in would return but in it would return . These different responses would allow the adversary to easily distinguish the libraries. So if the libraries are indistinguishable, then it must be hard to correctly guess a valid tag early—that is, to generate a forgery.
The main idea of the proof is to define a bad event that corresponds to the calling program making a correct “early” guess, and then show that this bad event has negligible probability. Most of the steps in the proof serve to make the bad-event probability easier to analyze.
The final hybrid has identical behavior to , but with extra logic used only to trigger the bad event. It suffices to show that the bad event has negligible probability.
The bad event is triggered only when for some . For any particular , is sampled uniformly, and after the contents of have been determined. In other words, is independent of . So we have:
Each call to adds at most one item to one of the sets. Let be the total number of times the calling program calls ; thus, is a polynomial in the security parameter. Applying a union bound, we have:
The probability is negligible.
MACs as a separate cryptographic primitive: In this book, we define message authentication (MAC) as a convenient property of PRFs. That's because most MACs you will see in practice are simply PRFs. In other sources, you may see MACs defined as a separate cryptographic primitive.
-
In this book, a MAC algorithm is always a PRF, and therefore generates pseudorandom tags. In the cryptographic literature, we generally call something a MAC when we don't care about its outputs being pseudorandom, and care only about its outputs being unforgeable. Being pseudorandom is just one natural way, but not the only way, to be unforgeable. For example, appending extra 's to the end of a tag does not make tags any easier to forge, but does prevent them from being pseudorandom. Traditional security definitions for MACs therefore do not require the MAC algorithm's outputs to be pseudorandom, as we do in lemma 9.4.1.
-
PRFs are always deterministic. But when treating MACs as a full-fledged primitive, it may make sense to allow a MAC algorithm to be randomized.
-
Every deterministic MAC algorithm has a canonical verification method: Deterministically recompute the correct tag and compare to the given tag. Only deterministic MACs are considered in this book, so MAC tags are always verified using this canonical method. In a randomized MAC, each message can have several valid tags, so we must specify a separate (noncanonical) verification algorithm to go with the MAC algorithm.
-
Suppose we are using a MAC scheme in which message has several different tags that verify successfully. Then suppose an adversary queries to learn one valid tag for . Is it considered a forgery if the adversary then successfully guesses a different, but valid, tag for the same message ? The answer may depend on the application we have in mind for the MAC. Strong unforgeability demands that it be hard to guess new valid tags, even to messages for which the adversary has already seen a valid tag. Weak unforgeability means that it should be hard to guess valid tags of only new messages, for which the adversary has not seen any valid tag. It is not considered a forgery to guess a new tag for after seeing a valid tag for . The distinction between strong and weak unforgeability is irrelevant for deterministic MAC algorithms with canonical verification.
9.5. Encrypt-then-MAC
With a MAC, we can transform any CPA-secure encryption into a CCA-secure one. The idea is to append a MAC tag of the ciphertext. The decryption algorithm should verify this tag before decrypting, and return an error if the tag is invalid. Only someone who knows the secret key can compute the correct MAC tag, and so only “legitimate” ciphertexts will be decrypted. This approach thwarts chosen-ciphertext attacks because if an adversary tries to tamper with a ciphertext in any way, they will not be able to produce the correct tag for the modified ciphertext.
Let be an SKE scheme, and let be a PRF with output length whose domain includes (often this means must support variable-length input). Then encrypt-then-MAC is defined as the following encryption scheme:
Ciphertexts in the new scheme consist of two parts: a ciphertext from the underlying scheme , plus a tag. It is important to use independent keys for and the MAC/PRF.
If is a CPA-secure SKE scheme, and is a secure PRF, then Encrypt-then-MAC (construction 9.5.1) is CCA-secure.
In other words, using the fact that has CPA security and is a secure PRF, the following two libraries are indistinguishable:
Proof idea: The two libraries, which we would like to prove are indistinguishable, both feature the algorithm. However, we may only use the fact that is CPA-secure. The libraries that define CPA security do not mention at all. You can think of CPA security as saying “ciphertexts are pseudorandom, if the key is used only for the encryption algorithm and nothing else.”
Thus, our main strategy in this proof is to rewrite the libraries so that doesn't appear at all. You might be wondering how this is possible. The main insight is that the library only runs if the MAC tag verifies successfully. If the MAC is secure, then we expect this to be possible only for ciphertexts generated by the library itself. But if the library originally generated a ciphertext, then it should already know the corresponding plaintext, and it should not need to run .
In more detail:
-
Whenever the subroutine generates a ciphertext, it can internally store the plaintext that was used. If that ciphertext is later given to , the library can retrieve the plaintext from this storage, so it doesn't need to run .
-
When sees a ciphertext that was not previously generated by , we do not expect the MAC tag to be valid. In other words, we expect that will return before even reaching the line where it calls . In these cases, is not needed.
So the only situation where truly needs to run are the cases where the adversary successfully generates a MAC forgery. These cases should be negligibly likely; we express this idea formally by arguing that the library is indistinguishable from one that doesn't use in this case (and thus, never uses at all).
Encrypt-then-MAC in practice: GCM is a standardized SKE scheme, and one of the most commonly used CCA-secure schemes. It is an instance of encrypt-then-MAC, where the underlying CPA encryption is CTR mode. (It uses a MAC that we discuss later in chapter 11). In the interest of efficiency, GCM uses related keys for the encryption and MAC steps. Of course, this is not secure in general (see this chapter's exercises) but GCM's specific design is justified with a security proof.
9.5.1. Alternatives to encrypt-then-MAC
Not every way of combining a MAC and CPA-secure SKE results in CCA security. In fact, some combinations even make security worse! Here are the most natural ways to combine a MAC and encryption:
-
Encrypt-then-MAC, as we just saw, provides CCA security.
-
Encrypt-and-MAC does not have not CCA security. In fact, it does not even have CPA security! It is easy to tell whether two ciphertexts contain the same plaintext, because their tags will be the same!
-
MAC-then-encrypt has a more complicated story. Depending on the choice of , it may or may not provide CCA security. In other words, there are some choices of CPA-secure that cause MAC-then-encrypt to have CCA security, and others that do not. The CPA security of is simply not enough to conclude whether MAC-then-encrypt is safe. The exercises explore MAC-then-encrypt in more detail.
9.6. Authenticated encryption and associated data
CCA security is a step in the right direction from CPA security, but not the gold standard for modern encryption schemes. In this section, we explore additional security properties and useful features that useful in practice.
9.6.1. Authenticated encryption
Encrypt-then-MAC achieves a convenient property: Only someone who knows the secret key can generate a ciphertext such that . In other words, the fact that a ciphertext decrypts without error authenticates its author as a valid key-holder.
This useful security property isn't actually required by CCA security. CCA security asks only that the value is not helpful to the adversary, for any that was not generated by the library itself. Of course, one way for to be unhelpful is for , as in encrypt-then-MAC. But the CCA security definition leaves open the possibility of a scheme whose never outputs (see this chapter's exercises).
Authentication is a useful property for an encryption scheme, so it makes sense to enshrine it in our security definitions. The result is what we call authenticated encryption:
A SKE scheme is a secure authenticated encryption (AE) scheme if the following two libraries are indistinguishable:
In , if the adversary calls on a ciphertext that was not generated by the library itself, the response is always . So if the two libraries are indistinguishable, it must also be hard for an adversary to find a ciphertext that causes the real decryption algorithm ( of ) to output something other than .
Encrypt-then-MAC (construction 9.5.1) is a secure AE, if the underlying is a CPA-secure SKE and is a secure PRF.
The proof follows exactly the same steps as claim 9.5.2, but stops just before the last step that is shown. In that hybrid, the ciphertext is sampled uniformly, and the library's decryption subroutine outputs to any ciphertext that it (the library) did not previously generate.
AE is a strictly stronger security property than CCA, meaning:
If an encryption scheme is a secure AE, then it is also CCA-secure.
9.6.2. Associated data
Sometimes even more fine-grained control over authentication is useful. Imagine the following conversation between Alice and Bob, who share a key :
Alice and Bob share a key, which only they know, and they use it for authenticated encryption. Don't worry that Bob's messages are not encrypted—that is not crucial to this example. When Bob sees a ciphertext that decrypts without error, he concludes that it contains Alice's intent, so he can act on it accordingly. An adversary cannot learn anything by observing Alice's ciphertexts, nor can it insert its own ciphertexts that Bob will decrypt successfully.
Some time passes, and an adversary managed to take over control of Alice and Bob's network connection. Bob is no longer communicating with Alice, but with the adversary, who replays one of her previous ciphertext at just the right time:
What went wrong? The ciphertext contains a message that Alice intended, but for a different context! It is not always enough to authenticate someone's intent in isolation, because their intent may change or depend on context. Think of an AE ciphertext as a certificate from Alice that says “whenever anyone presents this ciphertext, in any context, please act on the following information...”
One way to fix this problem is to force Alice to include some of the context in the plaintext, which Bob can check:
The replay attack has been prevented, but with the unpleasant side-effect of increasing the length of Alice's plaintext, and therefore her ciphertext. In this case, both Alice and Bob already know the “correct” context (keywords display or delete), so it seems wasteful for Alice to include it as part of her plaintext. She doesn't want to encrypt it, as if it were new information to Bob; she only wants to authenticate it.
We can more efficiently incorporate context into encryption by modifying its interface. Instead of calling it “context,” we usually call it associated data. Think of associated data as information that the sender and receiver already know. The sender encrypts a ciphertext with this data in mind, and the receiver decrypts with it in mind.
A SKE scheme supports associated data if its and algorithms both take an additional argument as follows:
-
: a (possibly randomized) algorithm that takes a key , associated data , and plaintext as input, and outputs a ciphertext .
-
: a deterministic algorithm that takes a key , associated data , and ciphertext as input, and outputs a plaintext .
The scheme satisfies correctness if, for all :
The probability is over the randomness in .
In most encryption schemes with associated data, the size of the ciphertext depends only on the plaintext , and not at all on the associated data.
An authenticated encryption scheme that supports associated data is called an AEAD scheme. The idea behind the AEAD security definition is that it is hard to generate a ciphertext that decrypts without error under any associated-data, except for ciphertext-associated-data pairs that were generated by the library itself. Of course, this is in addition to the requirement that ciphertexts are pseudorandom.
An encryption scheme with associated data is a secure authenticated encryption with associated data (AEAD) scheme if the following two libraries are indistinguishable:
In our running example, Alice and Bob can protect themselves from a replay attack by using AEAD. The adversary attempts to replay one of Alice's old ciphertexts under a different associated data than intended, which Bob can detect.
This is only a simple toy example; realistically, “display” and “delete” are too vague as associated data in a real application. Just because Alice wants to delete a particular file today doesn't mean she wants to delete it tomorrow, but the associated data keywords “display” and “delete” are the same today and tomorrow. Since associated data is essentially free, it should include as much information as you can imagine.
In this example, Alice is answering a specific question from Bob. If Bob's question is also encrypted, we might use Bob's ciphertext as the associated data for Alice's ciphertext, since it is something that the both already know. Even if Bob asks the same question tomorrow, his ciphertext will be different, so the associated data will be different.
AEAD is an elegant and useful abstraction. When used with empty associated data, AEAD collapses to plain AE; when used with empty plaintext, AEAD collapses to a PRF/MAC. Leading SKE schemes, like AES-GCM, are explicitly standardized as AEAD schemes.
Encrypt-then-MAC: It is possible to modify the encrypt-then-MAC recipe to support associated data. Perhaps unsurprisingly, it can be incorporated into the MAC along with the CPA ciphertext. The exercises explore the security of this construction, along with other approaches to AEAD.
Exercises
-
Suppose you are given a ciphertext , which is the encryption of an unknown plaintext . Show how to construct a new ciphertext that decrypts to , for any (without knowing the scheme's encryption key or ).
-
Using CBC mode (construction 8.5.3)
-
Using CTR mode (construction 8.5.4)
-
-
You have access to an oracle for CBC-mode decryption, with an unknown and secret key . Show how you can use this oracle to compute for any of your choice.
-
Suppose you have access to the null-character-oracle from section 9.1, and you obtain a ciphertext whose plaintext is known to contain exactly one null character, but in an unknown position. Show how to determine the location of the null character.
-
Suppose you have access to a system that decrypts chosen CTR ciphertexts and crashes if the last character of a plaintext is not null! Show how you can use this bug to completely decrypt arbitrary ciphertexts.
-
Suppose you have access to a null-character-oracle similar to section 9.1, but for CBC encryption instead of CTR. Show how you can decrypt arbitrary CBC ciphertexts with access to this oracle.
-
h In this exercise, you will recreate the famous padding-oracle attack against CBC mode. Suppose you are given a CBC ciphertext that decrypts to an unknown plaintext under an unknown key .
-
Describe how to use to construct a CBC ciphertext that decrypts to the single block for any .
-
Describe how to construct a CBC ciphertext that decrypts to for any and .
-
Now suppose you have access to the following oracle, which checks for the presence of PKCS#7 padding (example 8.6.3):
:if ends in or or ... or :returnelse returnDescribe how to decrypt all of , in calls to paddingoracle.
For part (c), decrypt one plaintext block at a time. For each block, start by deducing its last byte.
-
-
Prove that if an SKE scheme has CCA security then it also has CPA security. The proof should be very easy.
-
The library in the CCA security definition maintains a dictionary data structure, mapping ciphertexts to plaintexts. This exercise is about an alternative way to define CCA security. Prove that has CCA security if and only if the following two libraries are indistinguishable:
:return:if : returnreturn:return:if : returnreturn -
Let be a secure SPRP with blocklength . Prove that the following encryption scheme (the same as in exercise 8.13) satisfies CCA security:
-
Show that the following encryption scheme does not have CCA security:
-
Write the decryption algorithm for the following encryption scheme, then show that it does not have CCA security:
-
Write the decryption algorithm for the following encryption scheme, then show that it does not have CCA security:
-
Show that the following encryption scheme does not have CCA security:
-
Show that the following encryption scheme does not have CCA security:
-
Show that the following encryption scheme does not have CCA security:
-
Write the decryption algorithm for the following scheme, then show that it does not have CCA security:
-
One idea to strengthen CBC mode encryption against chosen-ciphertext attacks is to encrypt an additional block of s and check for the presence of these s when decrypting. Unfortunately, this idea fails to achieve CCA security.
Let refer to the CBC encryption scheme (construction 8.5.3) using a block cipher of blocklength . In this exercise we use CBC restricted to inputs with exactly 2 plaintext blocks, to construct an encryption scheme supporting 1-block plaintexts. We will consider two ways to add an all- block to CBC mode: before or after the plaintext.
-
Show that the following encryption scheme is not CCA-secure:
-
Show that the following encryption scheme is not CCA-secure:
-
-
Write the decryption algorithm for the following block cipher mode, then show that it does not have CCA security:
-
You are given a ciphertext , which is a CTR-mode encryption of an unknown plaintext . What can you say about the result of decrypting the modified ciphertext
How does the result of decryption compare to ?
-
Show that the following encryption scheme does not have CCA security, even if does:
(However, the scheme is CPA-secure if is.)
-
Show that the following encryption scheme does not have CCA security, even if does:
(However, the scheme is CPA-secure if is.)
-
Show that the following encryption scheme does not have CCA security, even if does:
-
Show that there is a polynomial-time calling program that can distinguish from (lemma 9.4.1) with advantage , when the PRF has output length .
-
Suppose we want to compute a MAC of a pair of strings . This situation refers to lemma 9.4.1, where the -values are not strings but pairs of strings. Seeing the correct tag for many choices of should not make it easier to guess the correct tag for any different .
-
Show that if and can be variable-length, then is not a secure way to compute a MAC of the pair .
-
Suggest a secure way to MAC a pair of strings and prove that your construction satisfies the MAC property from lemma 9.4.1.
-
-
Suppose we instantiate the encrypt-then-MAC recipe with the (CPA-secure) encryption scheme from construction 8.3.1 and 2-block CBC-MAC. The result would be secure if the encryption and MAC use independent keys. Show that the result does not achieve CCA security if the same key is used for both components, even if is a secure PRF:
-
This problem is the same as the previous, except now we use 1-block CBC encryption. Show that the following scheme does not achieve CCA security if the same key is used for both components, even if is a secure PRF:
-
Recall the CPA-secure encryption scheme from construction 8.3.1. It encrypts one plaintext block into two ciphertext blocks, the first of which is sampled uniformly. When using this encryption scheme in the encrypt-then-MAC recipe, you might be tempted to MAC only the second ciphertext block, since the plaintext does not affect the first ciphertext block. Show that the resulting scheme does not achieve CCA security, even if is a secure PRF:
-
Encrypt-and-encrypted-MAC refers to the following combination of a CPA-secure encryption scheme and MAC/PRF :
Show that the scheme is not CCA-secure, no matter the choice of .
-
Let be a CPA-secure SKE scheme, and define the new variant via:
Thus, ignores the last bit of its ciphertext.
-
Prove that if has CPA security, then does too.
-
Prove that MAC-then-encrypt (described in section 9.5; not encrypt-then-MAC!) is not CCA-secure, if it is instantiated with as its CPA-secure component. Thus, there exist CPA-secure schemes that are incompatible with MAC-then-encrypt. The decryption algorithm for MAC-then-encrypt is not given in the text. Assume that it verifies the MAC tag in the obvious way.
-
-
Prove that MAC-then-encrypt (section 9.5; not encrypt-then-MAC!) is CCA-secure (or AE-secure) when applied to CTR mode (construction 8.5.4).
-
Consider the following encoding method.
-
: Replace each in with , and replace each in with . The result is twice as long as .
-
: Break into chunks of 2 bits. Replace each chunk with , and any other chunk with .
Note that for all strings .
Now consider the following encryption scheme, which is MAC-then-encrypt, applied to a variant of CTR mode that first encodes the plaintext with :
-
Prove that this encryption scheme is CPA-secure if is a secure PRF. You can use the fact that normal CTR encryption (construction 8.5.4) is CPA-secure.
-
Suppose an adversary has access to the following interface:
:if : returnreturnHere refers to the decryption algorithm given above. Show that the adversary can use this interface to compute for any of its choice.
-
-
Formally prove claim 9.6.3 (AE implies CCA).
-
Let be a secure AE scheme, and let be a secure PRF. Append bits to 's secret key (ignored by the encryption algorithm), and modify 's decryption algorithm as follows:
The modified scheme no longer has AE security, since its algorithm never returns . Nevertheless, prove that it is CCA secure.
-
Let be a secure SPRP with blocklength . Prove that the following encryption scheme satisfies AE security:
(Compare to exercise 9.9.)
-
Let be a secure AE scheme, with . Prove that the following encryption scheme also has AE security:
-
Write a reasonable definition of AE security for a nonce-based (rather than randomized) encryption scheme. The adversary should not be allowed to repeat nonces in calls to , but it may repeat them in calls to . Describe how to construct secure nonce-based AE from CPA-secure nonce-based encryption, and prove the security of your construction.
-
Let be a secure SPRP with blocklength . Prove that the following nonce-based scheme achieves the nonce-based AE security definition from the previous exercise.
It is important that the set of possible nonces is , so be sure your proof uses this fact.
-
Let be a secure AE scheme, and let be a PRF with inputs and outputs of length . Consider the following encryption scheme that supports associated data:
Show that the scheme is not a secure AEAD.
-
Let be a secure AE scheme, and consider the following encryption scheme that supports associated data:
-
Prove that if , then the new scheme is a secure AEAD.
-
Suppose instead that . Show that the resulting scheme is not a secure AEAD.
Thus, this construction is secure for fixed-length associated data, but not variable-length.
-
-
Let be a CPA-secure encryption scheme, and let be a secure variable-length PRF with bits of output. Consider the following variant of encrypt-then-MAC that incorporates associated data. Differences from standard encrypt-then-MAC have been highlighted:
-
Prove that if (the set of allowed associated data strings), then the scheme is a secure AEAD.
-
Show that if , and is CBC encryption, then the scheme is not a secure AEAD.
-
Suggest how to modify the scheme to support .
-
-
Let be a secure AE scheme with key space , and let be a secure variable-length PRF with bits of output. Prove that the following encryption scheme is a secure AEAD:
Chapter Notes
The first, and most well-known, format-oracle attack is due to Bleichenbacher [48], who used it to attack the padding used in the RSA-PKCS#1 encryption standard. Before then, chosen-ciphertext attacks were often considered to be of only theoretical interest. Chosen-ciphertext attacks, especially in the context of RSA, are sometimes called Bleichenbacher attacks.
Vaudenay was the first to describe the classic padding-oracle attack on CBC mode, from exercise 9.6 [214]. The attack was later extended to work through a timing side-channel by Canvel, Hiltgen, Vaudenay, and Vuagnoux [61]. These attacks resulted in a total break of certain implementations of the SSL protocol.
Various format-oracle attacks were identified and studied by Mitchell [164]. One category of format-oracle attack involves a victim who determines how much data to process based on the contents of a ciphertext. Albrecht, Paterson, and Watson use an attack of this kind to break older versions of the SSH protocol [1]. AlFardan and Paterson use an attack of this kind to break older versions of the TLS protocol [2].
Jager and Somorovsky [126] devised an attack on a standard for XML encryption, which exposed a format oracle for the XML file format. The term “format-oracle attack” is due to Maury, Reinhard, Levillain, and Gilbert [157], who describe several format-oracle attacks that exploit internal data formats in OpenPGP. Garman, Green, Kaptchuk, Miers, and Rushanan [106] discovered a format-oracle attack on the Apple iMessage system, involving the gzip compression format.
Our definition of CCA security is commonly known as “IND-CCA2” in the literature, and was first introduced (in the context of public-key encryption) by Rackoff and Simon [187]. An earlier security definition, known as IND-CCA1, was introduced by Naor and Yung [170]. In IND-CCA1, the adversary is forbidden from accessing the decryption functionality after receiving a challenge ciphertext.
Katz and Yung comprehensively study a variety of security definitions for symmetric-key encryption, showing separations, equivalences, and implications among all of them [130]. Bellare, Hofheinz, and Kiltz study four natural but slightly different ways to formalize CCA security in the left-or-right paradigm, and find that not all are equivalent [19]. In any such security definition involving chosen ciphertext attacks, the libraries must handle the case that the adversary asks to decrypt one a challenge ciphertext. Exercise 9.8 explores a different approach that the library can take to handle these situations. Rogaway and Zhang propose a systematic way to address these kinds of situations in security definitions [196], not limited to just CCA security.
Gilbert, MacWilliams, and Sloane were the first to formalize the problem of symmetric-key authentication [110], for which MACs are the solution. In the paper that first introduces PRFs, Goldreich, Goldwasser, and Micali observe the natural connection between PRFs and MACs [113].
Our definition of a MAC allows the adversary to make any number of queries. In some traditional security definitions for a MAC, the adversary is allowed at most one query to . This restricted security definition is equivalent to ours, in most situations. The exception is the case of plain/weak unforgeability against a MAC scheme with noncanonical verification algorithm. Bellare, Goldreich, and Mityagin construct a contrived counterexample MAC scheme that is secure against adversaries making a single query but insecure in general [17].
Bellare and Namprempre [24] classify different ways to construct authenticated encryption from a CPA-secure encryption and a MAC. Although MAC-then-encrypt is not always secure, Krawczyk [140] showed that it is secure when the encryption method is CBC or CTR. Exercise 9.31 is from [140].
Namprempre, Rogaway, and Shrimpton [168] discuss how the encrypt-then-MAC construction is sensitive to subtleties in how the encryption and MAC components are formalized (nonce-based vs. randomized, left-or-right vs. real-or-random) and how associated data is incorporated.
Our security definition for AE is most similar to the one from Rogaway and Shrimpton [195], building on an earlier proposal of Shrimpton [207]. The idea of incorporating associated data into encryption is due to Rogaway [190].