
Security Against Chosen-Ciphertext Attacks (CCA)

In the document II Private-Key (Symmetric) Cryptography 45 (Page 114-121)

Private-Key Encryption and Pseudorandomness

3.7 Security Against Chosen-Ciphertext Attacks (CCA)

Until now, we have defined security against two types of adversaries: a passive adversary that only eavesdrops, and an active adversary that carries out a chosen-plaintext attack. A third type of attack, called a chosen-ciphertext attack, is even more powerful than these two. In a chosen-ciphertext attack, we provide the adversary with the ability to encrypt any messages of its choice as in a chosen-plaintext attack, and also provide the adversary with the ability to decrypt any ciphertexts of its choice (with one exception discussed later).

10 In particular, estimates from [45] indicate that on a typical home PC the stream cipher RC4 is only about twice as fast as the block cipher AES, measured in terms of bits/second.

Formally, we give the adversary access to a decryption oracle in addition to the encryption oracle. We present the formal definition and defer further discussion until afterward.

Consider the following experiment for any private-key encryption scheme $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$, adversary $\mathcal{A}$, and value $n$ for the security parameter.

The CCA indistinguishability experiment $\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n)$:

1. A random key $k$ is generated by running $\mathsf{Gen}(1^n)$.

2. The adversary $\mathcal{A}$ is given input $1^n$ and oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$. It outputs a pair of messages $m_0, m_1$ of the same length.

3. A random bit $b \leftarrow \{0,1\}$ is chosen, and then a ciphertext $c \leftarrow \mathsf{Enc}_k(m_b)$ is computed and given to $\mathcal{A}$. We call $c$ the challenge ciphertext.

4. The adversary $\mathcal{A}$ continues to have oracle access to $\mathsf{Enc}_k(\cdot)$ and $\mathsf{Dec}_k(\cdot)$, but is not allowed to query the latter on the challenge ciphertext itself. Eventually, $\mathcal{A}$ outputs a bit $b'$.

5. The output of the experiment is defined to be 1 if $b' = b$, and 0 otherwise.

DEFINITION 3.31 A private-key encryption scheme $\Pi$ has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that:

$$\Pr\left[\mathsf{PrivK}^{\mathsf{cca}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n),$$

where the probability is taken over all random coins used in the experiment.

In the experiment above, the adversary's access to the decryption oracle is unlimited except for the restriction that the adversary may not request decryption of the challenge ciphertext itself. This restriction is necessary or else there is clearly no hope for any encryption scheme to satisfy Definition 3.31.

Are chosen-ciphertext attacks realistic? As in the case of a chosen-plaintext attack, we do not expect honest parties to decrypt arbitrary ciphertexts of an adversary's choice. Nevertheless, there may be scenarios where an adversary might be able to influence what gets decrypted, and learn some partial information about the result:

1. In the case of Midway (see Section 3.5) it is conceivable that the US cryptanalysts might also have tried to send encrypted messages to the Japanese and then monitor their behavior. Such behavior (e.g., movement of forces and the like) could have provided important information about the underlying plaintext.

2. Imagine a user communicating with their bank, where all communication is encrypted. If this communication is not authenticated, then an adversary may be able to send certain ciphertexts on behalf of the user; the bank will decrypt these ciphertexts, and the adversary may learn something about the result. For example, if a ciphertext corresponds to an ill-formed plaintext (e.g., a gibberish message, or simply one that is not formatted correctly), the adversary may be able to deduce this from the pattern of the subsequent communication.

3. Encryption is often used in higher-level protocols; e.g., an encryption scheme might be used as part of an authentication protocol where one party sends a ciphertext to the other, who decrypts it and returns the result. (Note: we do not recommend such a protocol, but protocols like these are sometimes suggested.) In this case, one of the honest parties may exactly act like a decryption oracle.

Insecurity of the schemes we have studied. None of the encryption schemes we have seen is CCA-secure. We will demonstrate this for Construction 3.25, where encryption is carried out as $\mathsf{Enc}_k(m) = \langle r, F_k(r) \oplus m \rangle$. The fact that this scheme is not CCA-secure can be easily demonstrated as follows. An adversary $\mathcal{A}$ running in the CCA indistinguishability experiment can choose $m_0 = 0^n$ and $m_1 = 1^n$. Then, upon receiving a ciphertext $c = \langle r, s \rangle$, the adversary $\mathcal{A}$ can flip the first bit of $s$ and ask for a decryption of the resulting ciphertext $c'$. Since $c' \neq c$, this query is allowed, and the decryption oracle answers with either $10^{n-1}$ (in which case it is clear that $b = 0$) or $01^{n-1}$ (in which case $b = 1$). This example demonstrates why CCA-security is so stringent. Specifically, any encryption scheme that allows ciphertexts to be manipulated in a “logical way” cannot be secure. Thus, CCA-security actually implies a very important property called non-malleability.
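To make the bit-flipping argument concrete, here is an added Python simulation of Construction 3.25 inside the CCA experiment above; it is not the book's code. It assumes HMAC-SHA256 truncated to $n$ bytes as a stand-in for the pseudorandom function $F$, works at the byte level with $n = 16$ bytes, and lets the decryption oracle refuse only the challenge ciphertext, exactly as the experiment prescribes.

```python
import hashlib
import hmac
import secrets

N = 16  # block length n, in bytes (constructed parameter for this simulation)

def prf(k: bytes, r: bytes) -> bytes:
    """F_k(r): HMAC-SHA256 truncated to n bytes stands in for the PRF (assumption)."""
    return hmac.new(k, r, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gen() -> bytes:
    return secrets.token_bytes(N)

def enc(k: bytes, m: bytes) -> tuple:
    r = secrets.token_bytes(N)  # Construction 3.25: <r, F_k(r) xor m>
    return r, xor(prf(k, r), m)

def dec(k: bytes, c: tuple) -> bytes:
    r, s = c
    return xor(prf(k, r), s)

def cca_experiment(k: bytes, choose, guess) -> int:
    """PrivK^cca_{A,Pi}(n): returns 1 iff the adversary's guess b' equals b."""
    challenge = None
    def dec_oracle(c):
        if c == challenge:  # the single forbidden query
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return dec(k, c)
    enc_oracle = lambda m: enc(k, m)
    m0, m1 = choose(enc_oracle, dec_oracle)
    b = secrets.randbelow(2)
    challenge = enc(k, (m0, m1)[b])
    return int(guess(challenge, enc_oracle, dec_oracle) == b)

def bitflip_choose(enc_oracle, dec_oracle):
    return bytes(N), b"\xff" * N  # m0 = 0^n, m1 = 1^n

def bitflip_guess(c, enc_oracle, dec_oracle) -> int:
    r, s = c
    flipped = bytes([s[0] ^ 0x80]) + s[1:]  # c' differs from c in the first bit of s
    d = dec_oracle((r, flipped))            # allowed, since c' != c
    return 0 if d[0] & 0x80 else 1          # 10^{n-1} means b = 0; 01^{n-1} means b = 1

def adversary_success_rate(trials: int = 100) -> float:
    wins = sum(cca_experiment(gen(), bitflip_choose, bitflip_guess) for _ in range(trials))
    return wins / trials
```

The adversary wins every trial, so the bound $1/2 + \mathsf{negl}(n)$ of Definition 3.31 is violated outright; the same malleability is what an authenticated-encryption construction (Section 4.8) is designed to rule out.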

Loosely speaking, a non-malleable encryption scheme has the property that if the adversary tries to modify a given ciphertext, the result is either an illegal ciphertext or one that encrypts a plaintext having no relation to the original one. We leave for an exercise the demonstration that none of the modes of encryption that we have seen yields a CCA-secure encryption scheme.

Construction of a CCA-secure encryption scheme. We show how to construct a CCA-secure encryption scheme in Section 4.8. The construction is presented there because it uses tools that we develop in Chapter 4.

References and Additional Reading

The modern, computational approach to cryptography was initiated in a ground-breaking paper by Goldwasser and Micali [70]. That paper introduced the notion of semantic security, and showed how this goal could be achieved in the setting of public-key encryption (see Chapters 9 and 10).

Formal definitions of security against chosen-plaintext attacks were given by Luby [90] and Bellare et al. [15]. Chosen-ciphertext attacks (in the context of public-key encryption) were first formally defined by Naor-Yung [99] and Rackoff-Simon [109], and were considered also in [51] and [15]. See [83] for other notions of security for private-key encryption.

The notion of pseudorandomness was first introduced by Yao [134]. Pseudorandom generators were defined and constructed by Blum and Micali [28], who also pointed out their connection to encryption via stream ciphers (the use of stream ciphers for encryption pre-dated the formal notion of pseudorandom generators). Pseudorandom functions were defined and constructed by Goldreich et al. [67] and their application to encryption was demonstrated in subsequent work by the same authors [68]. Pseudorandom permutations were studied by Luby and Rackoff [91].

Various modes of operation were standardized in [103], and the CBC and CTR modes of encryption were proven secure in [15]. For more recent modes of encryption, see http://csrc.nist.gov/CryptoToolkit. A good but somewhat outdated overview of stream ciphers used in practice can be found in [93, Chapter 6]. The RC4 stream cipher is discussed in [112] and an accessible discussion of recent attacks and their ramifications can be found in [57].

Exercises

3.1 Prove Proposition 3.7.

3.2 The best algorithm known today for finding the prime factors of an $n$-bit number runs in time $2^{c \cdot n^{1/3} (\log n)^{2/3}}$. Assuming 4 GHz computers and $c = 1$ (and that the units of the given expression are clock cycles), estimate the size of numbers that cannot be factored for the next 100 years.

3.3 Prove that Definition 3.9 cannot be satisfied if $\Pi$ can encrypt arbitrary-length messages and the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$.

Hint: Let $q(n)$ be a polynomial upper-bound on the length of the ciphertext when $\Pi$ is used to encrypt a single bit. Then consider an adversary who outputs $m_0 \in \{0,1\}$ and $m_1 \in \{0,1\}^{q(n)+2}$.

3.4 Say $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is such that for $k$ output by $\mathsf{Gen}(1^n)$, algorithm $\mathsf{Enc}_k$ is only defined for messages of length at most $\ell(n)$ (for some polynomial $\ell$). Construct a scheme satisfying Definition 3.9 when the adversary is not restricted to output equal-length messages in experiment $\mathsf{PrivK}^{\mathsf{eav}}_{\mathcal{A},\Pi}$.

3.5 Prove the equivalence of Definition 3.10 and Definition 3.9.

3.6 Let $G$ be a pseudorandom generator where $|G(s)| \ge 2 \cdot |s|$.

(a) Define $G'(s) \stackrel{\text{def}}{=} G(s0^{|s|})$. Is $G'$ necessarily a pseudorandom generator?

(b) Define $G'(s) \stackrel{\text{def}}{=} G(s_1 \cdots s_{n/2})$, where $s = s_1 \cdots s_n$. Is $G'$ necessarily a pseudorandom generator?

3.7 Assuming the existence of pseudorandom functions, prove that there exists an encryption scheme that has indistinguishable multiple encryptions in the presence of an eavesdropper (i.e., is secure with respect to Definition 3.19), but is not CPA-secure (i.e., is not secure with respect to Definition 3.22).

Hint: You will need to use the fact that in a chosen-plaintext attack the adversary can choose its queries to the encryption oracle adaptively.

3.8 Prove unconditionally the existence of an efficient pseudorandom function $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ where the input-length is logarithmic in the key-length (i.e., $F(k, x)$ is defined only when $|x| = \log |k|$, in which case $|F(k, x)| = |k|$).

Hint: Use the fact that any random function is also pseudorandom.

3.9 Present a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove your construction secure.

3.10 Let $G$ be a pseudorandom generator and define $G'(s)$ to be the output of $G$ truncated to $n$ bits (where $s$ is of length $n$). Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.

3.11 Prove Proposition 3.29 (i.e., prove that any pseudorandom permutation is also a pseudorandom function).

Hint: Show that in polynomial time, a random permutation cannot be distinguished from a random function (use the results of Section A.4).

3.12 Define a notion of perfect secrecy against a chosen-plaintext attack via the natural adaptation of Definition 3.22. Show that the definition cannot be achieved.

3.13 Let $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ be an encryption scheme defined as follows:

(a) $\mathsf{Gen}$ outputs a key $k$ for a pseudorandom permutation $F$.

(b) Upon input $m \in \{0,1\}^{n/2}$ and key $k$, algorithm $\mathsf{Enc}$ chooses a random string $r \leftarrow \{0,1\}^{n/2}$ of length $n/2$ and computes $c = F_k(r \| m)$.

Show how to decrypt, and prove that this scheme is CPA-secure. (If you are looking for a real challenge, prove that this scheme is actually CCA-secure.)

3.14 Consider a variant of CBC mode encryption where the sender simply increments the $IV$ by 1 each time a message is encrypted (rather than choosing $IV$ at random each time). Show that the resulting scheme is not CPA-secure.

3.15 Present formulas for decryption of all the different modes of encryption we have seen. For which modes can decryption be parallelized?

3.16 Complete the proof of Theorem 3.30.

3.17 Let $F$ be a pseudorandom function such that $F_k$, for $k \in \{0,1\}^n$, maps $\ell_{in}(n)$-bit inputs to $\ell_{out}(n)$-bit outputs. (Throughout this chapter, we have assumed $\ell_{in}(n) = \ell_{out}(n) = n$.)

(a) Consider implementing counter mode encryption using an $F$ of this form. For which functions $\ell_{in}, \ell_{out}$ is the resulting encryption scheme CPA-secure?

(b) Consider implementing counter mode encryption using an $F$ as above, but only for fixed-length messages of length $\ell(n) \cdot \ell_{out}(n)$. For which $\ell_{in}, \ell_{out}$ is the scheme CPA-secure? For which $\ell_{in}, \ell_{out}$ does the scheme have indistinguishable encryptions in the presence of an eavesdropper?

3.18 Let $\Pi_1 = (\mathsf{Gen}_1, \mathsf{Enc}_1, \mathsf{Dec}_1)$ and $\Pi_2 = (\mathsf{Gen}_2, \mathsf{Enc}_2, \mathsf{Dec}_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. The problem is that you don't know which one is CPA-secure and which one may not be. Show how to construct an encryption scheme $\Pi$ that is guaranteed to be CPA-secure as long as at least one of $\Pi_1$ or $\Pi_2$ is CPA-secure. Try to provide a full proof of your answer.

Hint: Generate two plaintext messages from the original plaintext so that knowledge of either one of the parts reveals nothing about the plaintext, but knowledge of both does yield the original plaintext.

3.19 Show that the CBC, OFB, and counter modes of encryption do not yield CCA-secure encryption schemes.

Chapter 4

Message Authentication Codes and
