You are currently browsing the tag archive for the ‘CCA security’ tag.
Scribed by Guoming Wang
Summary
Today we show how to construct an efficient CCAsecure publickey encryption scheme in the random oracle model using RSA.
As we discussed in the previous lecture, a cryptographic scheme defined in the random oracle model is allowed to use a random function which is known to all the parties. In an implementation, usually a cryptographic hash function replaces the random oracle. In general, the fact that a scheme is proved secure in the random oracle model does not imply that it is secure when the random oracle is replaced by a hash function; the proof of security in the random oracle model gives, however, at least some heuristic confidence in the soundness of the design.
Summary
Today we show how to construct an efficient CCAsecure publickey encryption scheme in the random oracle model using RSA.
As we discussed in the previous lecture, a cryptographic scheme defined in the random oracle model is allowed to use a random function which is known to all the parties. In an implementation, usually a cryptographic hash function replaces the random oracle. In general, the fact that a scheme is proved secure in the random oracle model does not imply that it is secure when the random oracle is replaced by a hash function; the proof of security in the random oracle model gives, however, at least some heuristic confidence in the soundness of the design.
Notes scribed by Joel Weinberger
Summary
Last time, we showed that combining a CPAsecure encryption with a secure MAC gives a CCAsecure encryption scheme. Today we shall see that such a combination has to be done carefully, or the security guarantee on the combined encryption scheme will not hold.
We then begin to talk about cryptographic hash functions, and their construction via the MerkleDamgård transform.
Scribed by James Cook
Summary
Last time we described a secure MAC (message authentication code) based on pseudorandom functions. Its disadvantage was the length of the tag, which grew with the length of the message.
Today we describe the CBCMAC, also based on pseudorandom functions, which has the advantage of short tags. We skip its security analysis.
Next, we show that combining a CPAsecure encryption with a secure MAC gives a CCAsecure encryption scheme.
Summary
Last time we described a secure MAC (message authentication code) based on pseudorandom functions. Its disadvantage was the length of the tag, which grew with the length of the message.
Today we describe the CBCMAC, also based on pseudorandom functions, which has the advantage of short tags. We skip its security analysis.
Next, we show that combining a CPAsecure encryption with a secure MAC gives a CCAsecure encryption scheme.
Scribed by Ian Haken
Summary
The encryption scheme we saw last time, based on pseudorandom functions, works and is CPAsecure, but it is not used in practice. A disadvantage of the scheme is that the length of the encryption is twice the length of the message being sent.
Today we see the “counter mode” generalization of that scheme, which has considerably smaller overhead for long messages, and see that this preserves CPAsecurity.
We then give the definition of pseudorandom permutation, which is a rigorous formalization of the notion of block cipher from applied cryptography, and see two ways of using block ciphers to perform encryption. One is totally insecure (ECB), the other (CBC) achieves CPA security.
1. The Randomized Counter Mode
Recall that a pseudorandom function is a function which looks approximately like a random function . With the encryption method from the previous lecture (in which the ciphertext is a random followed by ) the encryption of a message is twice as long as the original message. We now define an encryption method which continues to use a pseudorandom function, but whose ciphertext overhead is marginal.
Suppose we have a pseudorandom function . We describe an encryption scheme that works for messages of variable length. We assume without loss of generality that the length of the message is a multiple of , and we write a plaintext of length as , a sequence of blocks of length .
 :
 pick a random
 output
(When is a binary string in and is an integer, means the binary representation of the sum mod of (seen as an integer) and .)
Observe that the ciphertext length is which is a negligable overhead when .
Theorem 1 Suppose is a secure pseudorandom function; then, when used to encrypt messages of length , the above scheme is CPA secure.
Example 1 Consider the values which these variables might take in the transmission of a large (e.g. 4GB) file. If we let , , , , then we end up with an approximately CPA secure transmission.
Proof: Recall the proof from last time in which we defined , where is a truly random function. Given messages and a cryptanalytic algorithm , we considered:
 (a)
 (b)
 (c)
 (d)
We were able to show in the previous proof that , , and , thus showing that . Our proof will follow similarly.
We will first show that for any
hence showing and . Suppose for a contradiction that this is not the case, i.e. and where is of complexity such that
Define as a program which simulates . (Note that has complexity ). Noting that and , this program would be a counterexample to being secure.
Now we want to show that , , and such that the complexity of is ,
As in the previous proof, we consider the requests may make to the oracle . The returned values from the oracle would be , where ranges between and the number of requests to the oracle. Since has complexity limited by , we can assume . As before, if none of the overlap with (for ) then only sees a random stream of bits from the oracle. Otherwise, if for some , then can recover, and hence distinguish, and . Hence the probability of distinguishing is plus the probability of a collision.
Note that the th oracle request will have a collision with some iff . If we have then obviously there is a collision, and otherwise so so there is a collision with . If is outside this range, then there is no way a collision can occur. Since is chosen randomly from the space of , there is a probability that the th oracle request has a collision. Hence is an upper bound on the probability that there is a collision in at least one the oracle requests.
Combining these results, we see that , i.e.
◻
2. Pseudorandom Permutations
2.1. Some Motivation
Suppose the message stream has known messages, such as a protocol which always has a common header. For example, suppose Eve knows that Bob is sending an email to Alice, and that the first block of the message is the sender’s email. That is, suppose Eve knows that “bob@cs.berkeley.edu”. If Eve can insert or modify messages on the channel, then upon seeing the ciphertext she could then send to Alice the stream “bob@cs.berkeley.edu” “eve@cs.berkeley.edu” . The result is that the message received by Alice would appear to be sent from “eve@cs.berkeley.edu”, but remain otherwise unchanged.
2.2. Definition
Denote by the set of permutations .
Definition 2 A pair of functions , is a secure pseudorandom permutation if:
 For every , the functions and are permutations (i.e. bijections) and are inverses of each other.
 For every oracle algorithm that has complexity at most
That is, to any algorithm that doesn’t know , the functions look like a random permutation and its inverse.
In applied cryptography literature, pseudorandom permutations are called block ciphers.
How do we construct pseudorandom permutations? There are a number of block cipher proposals, including the AES standard, that have been studied extensively and are considered safe for the time being. We shall prove later that any construction of pseudorandom functions can be turned into a construction of pseudorandom permutations; also, every construction of pseudorandom generators can be turned into a pseudorandom function, and every oneway function can be used to construct a pseudorandom generator. Ultimately, this will mean that it is possible to construct a block cipher whose security relies, for example, on the hardness of factoring random integers. Such a construction, however, would not be practical.
3. Encryption Using Pseudorandom Permutations
Here are two ways of using Pseudorandom Functions and Permutations to perform encryption. Both are used in practice.
3.1. ECB Mode
The Electronic CodeBook mode of encryption works as follows
Exercise 1 Show that ECB is messageindistinguishable for onetime encryption but not for two encryptions.
3.2. CBC Mode
In its simplest instantiation the Cipher BlockChaining mode works as follows:
 : pick a random string , output
Note that this similar to (but a bit different from) the scheme based on pseudorandom functions that we saw last time. In CBC, we take advantage of the fact that is now a permutation that is efficiently invertible given the secret key, and so we are allowed to put the inside the computation of .
There is a generalization in which one can use the same random string to send several messages. (It requires synchronization and state information.)
 :
 pick a random string
 output where
 where
Exercise 2 This mode achieves CPA security.
Note that CBC overcomes the above problem in which Eve knows a particular block of the message being sent, for if Eve modified in the encryption that Bob was sending to Alice (as in the example above) then the change would be noticeable because would not decrypt correctly.
Summary
The encryption scheme we saw last time, based on pseudorandom functions, works and is CPAsecure, but it is not used in practice. A disadvantage of the scheme is that the length of the encryption is twice the length of the message being sent.
Today we see the “counter mode” generalization of that scheme, which has considerably smaller overhead for long messages, and see that this generalizes preserves CPAsecurity.
We then give the definition of pseudorandom permutation, which is a rigorous formalization of the notion of block cipher from applied cryptography, and see two ways of using block ciphers to perform encryption. One is totally insecure, the other achieves CPA security.
1. The Randomized Counter Mode
Suppose we have a pseudorandom function ; we describe an encryption scheme that works for messages of variable length. We assume without loss of generality that the length of the message is a multiple of , and we write a plaintext of length as , a sequence of blocks of length .
 :
 pick a random ;
 output
(When is a binary string in and is an integer, means the binary representation of the sum mod of (seen as an integer) and .)
Theorem 1 Suppose is a secure pseudorandom function; then, when used to encrypt messages of length , the above scheme is secure against CPA
2. Pseudorandom Permutations
Denote by the set of permutations ,
Definition 2 (Pseudorandom Permutation) A pair of functions is a secure pseudorandom permutation if:
 For every , the functions and are permutations and are one the inverse of the other;
 For every oracle algorithm that has complexity at most and that makes at most oracle queries we have
That is, without knowing the random key , the permutation and its inverse look like a completely random permutation and its inverse.
In the applied cryptography literature, pseudorandom permutations are called block ciphers.
How do we construct pseudorandom permutations? There are a number of block ciphers proposal, including the AES standard, that have been studied extensively and are considered safe for the time being. We shall prove later that any construction of pseudorandom functions can be turned into a construction of pseudorandom permutations; also, every construction of pseudorandom generators can be turned into a pseudorandom function, and every oneway function can be used to construct a pseudorandom generator. Ultimately, this will mean that it is possible to construct a block cipher whose security relies, for example, on the hardness of factoring random integers. Such a construction, however, would not be practical.
3. Encryption Using Pseudorandom Permutations
Here are two ways of using Pseudorandom Functions and Permutations to perform encryption. Both are used in practice.
3.1. ECB Mode
The Electronic CodeBook mode of encryption works as follows
Exercise 1 Show that ECB is messageindistinguishable for onetime encryption but not for two encryptions.
3.2. CBC Mode
In its simplest instantiation the Cipher BlockChaining mode works as follows:
 pick a random string , output
Note that this similar to (but a bit different from) the scheme based on pseudorandom functions that we saw last time. In CBC, we take advantage of the fact that is now a permutation that is efficiently invertible given the secret key, and so we are allowed to put the inside the computation of .
There is a generalization in which one can use the same random string to send several messages. (It requires synchronization and state information.)

 pick a random string ;
 and output where
 where
This mode achieves CPA security.
4. The Ultimate Security
CPA security is not yet the strongest possible definition of security. It does not capture the possibility that an active adversary might obtain plaintextciphertext pairs in which the ciphertext depends arbitrarily on the challenge that the adversary is trying to decode. Suppose that the encryption scheme is part of a larger protocol in which sender and receiver are expected to exchange messages in a certain format. Then the attacker can send a ciphertext (of which it does not know the decoding), and then see whether it receives a short reply (indicative that it is the encryption of “message invalid”) or a longer one (which would be the continuation of the protocol).
In a chosen ciphertext attack (CCA), an attacker is allowed to gain decodings of ciphertexts of her choice. A system is secure if, for any two messages , their encodings are indistinguishable even to an adversary that can make arbitrary use of an encoding and a decoding oracle, with the only provision that it cannot query the decryption oracle on the challenge string.
Definition 3 (CCA Security) An encryption scheme is CCA Secure if for every two messages and for every oracle algorithm that satisfies the following two properties
 has complexity ;
 when given input and oracles , never queries oracle with the string ;
We have
It is not hard to show that all the encryption schemes we have seen so far fail CCA security.
Instead of trying to tweak the schemes in order to try and gain CCA security, we shall adopt a more modular design approach.
First, we will move on to discuss message authentication, which is an important goal in itself, for example when communicating with your online banking system. Then, we shall see that a CPAsecure encryption scheme, augmented with a proper message authentication scheme, automatically guarantees CCA security, because an attacker can never make any use of a decryption oracle.
Recent Comments