A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Transcription

1 A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland Abstract The security for authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent. 1 The Security Games We treat the stateful notions in this short note since they are the most widely used notions for authenticated encryption (the main use case is realizing a cryptographic channel). A proof for the non-stateful versions would follow along the same lines. We restate the relevant stateful notions from [BKN04 formally in Figure 1 and Figure. A (stateful) authenticated encryption scheme consists of a triple of algorithms Ψ = (Gen, E, D) for key generation, encryption, and decryption, respectively, as defined in detail in [BKN04 (including the definitions of correctness and being stateful). The message space is denoted by M and the ciphertext space is denoted by C. Our notation follows basically the notation of [BN08; BKN04. IND-sfCCA Ψ b {0, 1} Sampling u.a.r. from {0, 1}. sync 1 Oracle LR Input: (m 0, m 1 ) M M c E(k, m b ) Oracle Dec sync 0 if sync = 0 then return m return Input: d {0, 1} return (d = b) Figure 1: IND-sfCCA Ψ security for stateful CCA security of an authenticated encryption scheme. 1

2 INT-sfCTXT Ψ INT-sfPTXT Ψ sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win sync 1 win 0 c E(k, m) S[i m sync 0 if m sync = 0 then win 1 return win Figure : The INT-sfPTXT Ψ and INT-sfCTXT Ψ security games for stateful plaintext- and ciphertext-integrity, respectively, of an authenticated encryption scheme. INT-PTXT & IND-CCA implies INT-CTXT Let A denote an INT-sfCTXT attacker. In the following we show that Adv IND-sfCTXT Ψ,A Adv IND-sfCCA Ψ,A 1 + Adv IND-sfCCA Ψ,A +3 Adv IND-sfPTXT Ψ,A 3 where A 1, A, and A 3 denote slight modifications of A with roughly the same efficiency. As a first hybrid, we consider the game H 0 depicted in Figure 3, that essentially works like INT-sfCTXT Ψ, but initially flips a uniform random bit z, and then the encryption oracle instead of encrypting the message m encrypts z m, i.e., either the all-zero or all-one bit string of the length of m. By definition of the advantage of an adversary in the forgery game, we have Adv IND-sfCTXT Ψ,A := Pr [ A INT-sfCTXTΨ 1 = Pr [ A H0 1 + ( Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ) (1) In the following, we will first upper bound the second term, and then proceed to upper bound Pr [ A H0 1 as a second step..1 Upper bounding the second term Consider the following bit-guessing game G 0, shown in Figure 4, that initially flips a bit b and then either behaves exactly like INT-sfCTXT Ψ, if b = 0, or like H 0 if b = 1, and the goal of the adversary is to guess b in the end. In addition, the adversary also gets access to an oracle HasWon that allows him to query the win flag of INT-sfCTXT Ψ or H 0, respectively. We now define A 0 as follows: A 0 internally runs A forwarding all queries and responses to the Enc and VF oracles. Once A calls, A 0 first queries the HasWon oracle, and then calls with d = 0 if HasWon returned true and d = 1 otherwise. Observe that the bit-guessing game G 0 behaves exactly as INT-sfCTXT Ψ if b = 0 and exactly like H 0 if b = 1. By definition of G 0 and A 0 we obtain [ Pr A G0 0 1 b = 0 = Pr AG 0 0 [d = b b = 0 = Pr AG 0 0 [d = 0 b = 0 = Pr AG 0 0 [win = 1 b = 0 = Pr [ A INT-sfCTXTΨ 1

3 INT-sfCTXT Ψ and H 0 sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win Figure 3: The first hybrid H 0 compared to the original INT-sfCTXT Ψ security game. G 0 and G 1 b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) sync 0 if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 4: The bit-guessing games G 0 and G 1. 3

4 G 1 and G b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 5: The bit-guessing games G in comparison to G 1. and [ Pr A G0 0 1 b = 1 = Pr AG 0 0 [d = b b = 1 = Pr AG 0 0 [d = 1 b = 1 which yields G 1 G = Pr AG 0 0 [win = 0 b = 1 = 1 Pr [ A H0 1, Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 [ [ = Pr A G0 0 1 b = 0 + Pr A G0 0 1 b = 1 1 ( [ = Pr A G ). [ We now proceed by bounding Pr A G0 0 1 using a sequence of simple modifications: The game G 1, as depicted in Figure 4, behaves like G 0 except that the VF oracle returns true instead of (m ) if sync = 1. Since sync = 1 implies c = C[j and / M, however, by correctness of the scheme this behavior is equivalent. Consider the game G as depicted in Figure 5. Observe that in the Enc oracle the same message gets encrypted as in G 1. In the VF oracle it sets m to if sync 0. Note however, that in this case the value of m does not matter anymore. Thus, G 1 and G behave equivalently. It is now easy to see that winning G can be reduced to winning IND-sfCCA Ψ as sketched in Figure 6. For every adversary A 0 against G we can build A 1 against IND-sfCCA Ψ that works as follows: it initially flips a bit z and then internally runs A 0 and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = m and m 1 = z m. In addition, A 1 keeps track whether A 0 is still in sync, so that on a query c to the VF oracle by () 4

5 G b {0, 1} sync 1 win 0 m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 6: The reduction from G to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. A 0 it can query the decryption oracle on c and then reply correctly to A 0. It is easy to see that A 1 guesses b correctly if and only if A 0 guesses b correctly by simply forwarding the guess. Thus we obtain [ [ [ [ Pr A G0 0 1 = Pr A G1 0 1 = Pr A G 0 1 = Pr A IND-sfCCAΨ 1 1, and combining this with () yields the desired bound Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ( [ = Pr A G ) ( [ = Pr A IND-sfCCAΨ ) =: Adv IND-sfCCA Ψ,A 1, (3) where in the last step we used the definition of the (bit-guessing) advantage of a CCA adversary.. Bounding the first winning probability In the following section we upper bound the probability Pr [ A H0 1 using the hybrids H 1 and H, depicted in Figure 7 and Figure 8, respectively. H 1 The game H 1 replaces the sync and the win flags of H 0 by two pairs of flags (sync 1, sync ) and (win 1, win ), respectively. Note that sync in H 1 is defined exactly equivalent to sync of H 0, and thus win 1 win is true in H 1 if and only if win is true in H 0. Hence, the two games behave equivalently. 5

6 H 0 and H 1 sync 1 win 0 win 1 0 win 0 sync 0 if m sync = 0 then win 1 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win return win 1 win Figure 7: The game H 1 is equivalent to H 0, which is best seen by observing that the sync flag is identical to the sync one of H 0. H 1 and H win 1 0 win 0 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 win Figure 8: The game H is equivalent to H 1 as well. Observe that sync 1 = 0 implies that j > i or m S[j for some j. In the latter case, the correctness of the scheme however implies that c[j C[j and thus sync = 0 as well. 6

7 P 0 and C 0 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 return win Figure 9: The games P 0 and C 0 are identical to H, except that the winning condition win 1 win of the latter has been replaced by checking only one of the respective flags. H The game H is equivalent to H 1 except that the former no longer checks for sync = 0 when setting win 1 to true. Observe however that by the correctness of the scheme we have that m S[j implies c C[j and thus sync 1 = 0 implies sync = 0. Hence, the two games are equivalent as well. Now, consider the two games P 0 and C 0 as depicted in Figure 9. Observe that each of those games is equivalent to H except for the winning condition that only checks for win 1 or win, respectively, instead of win 1 win. Using the union bound we therefore obtain Pr [ A H0 1 = Pr [ A H1 1 = Pr [ A H 1 Pr [ A P0 1 + Pr [ A C0 1. (4) We proceed by bounding those two terms separately in the next sections..3 Upper bounding the advantage on P 0 Consider the game P 1 as shown in Figure 10, which basically corresponds to P 0 with all code related to the two unused flags win and sync removed. Moreover, the Enc-oracle has slightly been rewritten without changing the behavior. It is now easy to reduce any adversary A winning P 1 to another adversary A 3 winning INT-sfPTXT Ψ, as highlighted in Figure 11: A 3 initially flips a bit z and then whenever A queries the Enc oracle on m, A 3 queries the actual Enc-oracle on m = z m. Clearly, A 3 wins INT-sfPTXT Ψ if and only if A wins P 1. As a consequence, we have Pr [ A P0 1 = Pr [ A P1 1 [ = Pr A INT-sfPTXTΨ 3 1 = Adv IND-sfPTXT Ψ,A 3. (5).4 Upper bounding the advantage on C 0 In the following section, we upper bound Pr [ A C0 1 using a sequence of hybrids C 1, C, C 3, C 4, C 5, and C 6. 7

8 P 0 and P 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 m z m c E(k, m ) S[i m Figure 10: The game P 1 that is equivalent to P 0. P 1 win 1 0 if m sync 1 = 0 then win 1 1 return win 1 m z m c E(k, m ) S[i m Figure 11: The reduction from P 1 to INT-sfPTXT Ψ. The lines with the blue shade and the solid border belong to the INT-sfPTXT Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. 8

9 C 0 and C 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win Figure 1: The game C 1 that is equivalent to C 0. C 1 C C 3 The game C 1, as depicted in Figure 1, corresponds to C 0 with all code related to the unused flag win 1 removed. Hence, the two games behave obviously equivalent. The game C corresponds to C 1 with the winning flag win replaced by a variable d guessing z. It is depicted in Figure 13. Note that sync 1 = 1 implies m = S[j, and thus m = z l for some length l > 0 (we use here that the empty bit-string is not in the message space). Hence, setting d to the first bit of m implies that the game is won, and is thus equivalent to setting the winning flag in C 1. The game C 3, as depicted in Figure 14, corresponds to C but with d initialized to 0 instead of giving an adversary a fifty percent chance of winning the game without setting the win flag. This makes C 3 a bit-guessing game. Observe that Pr AC 3 [win = 1 = Pr AC [win = 1 = Pr [ A C 1 and yielding Pr AC 3 [d = z win = 1 = Pr AC 3 [win = 1, Pr [ A C3 1 = Pr AC 3 [d = z = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 Pr AC 3 [win = 0 = Pr AC 3 [d = z win = ( ) 1 Pr AC 3 [win = 1 = Pr [ A C ( 1 Pr [ A C 1 ). Rewriting the last equation we obtain Pr [ A C 1 ( = Pr [ A C3 1 1 ). (6) 9

10 C 1 and C win 0 d if m sync 1 = 1 sync = 0 then win 1 return win return (d = z) Figure 13: The game C, where m(1) denotes the first bit of m. Note that sync = 1 implies m = S[j = z l for some l > 0 (since λ / M). Hence, we have win = 1 iff d = z. C and C 3 win 0 d d 0 if m sync 1 = 1 sync = 0 then win 1 return (d = z) Figure 14: The bit-guessing game C 3. Observe that in comparison to C, the adversary has a fifty percent chance of winning the game without managing to set the win flag. 10

11 C 3 and C 4 d 0 bad 0 if m sync 1 = 1 sync = 0 then if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 15: The game C 4, that introduces the bad flag. It behaves equivalent to C 3, however, since bad is an internal variable only. C 4 C 5 The game C 4, as depicted in Figure 15, corresponds to C 3 with a bad flag introduced. The two games behave obviously equivalent. The game C 5 is depicted in Figure 16 and is identical until bad to C 5. Hence, by the Fundamental Lemma of game-playing we have Pr [ A C4 1 Pr [ A C5 1 + Pr [ A C4 sets bad. (7) C 6 C 7 We defer bounding the probability of bad being set to the end of the proof and continue bounding Pr [ A C5 1. The game C 6, as depicted in Figure 17, is a version of C 5 with the internal bad flag removed. This, in addition, allows removing all code related to the sync 1 flag without altering the behavior. The game C 7 is depicted in Figure 18. First, compared to C 6 the Enc-oracle has slightly been rewritten without modifying the behavior. Then, in the VF-oracle, in case of sync = 1 we no longer but true. Since sync = 1 implies c = C[j, however, we have by correctness that m M and thus m. Moreover, if sync = 1, we then reset m to without affecting the behavior. Hence, C 7 and C 6 behave equivalently. Now, observe that C 7 can be easily reduced to IND-sfCCA Ψ, as shown in Figure 19. For every adversary A against C 7 we can build A against IND-sfCCA Ψ that works as follows: it internally runs A and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = 0 m and m 1 = 1 m. In addition, A keeps track whether A is still in sync, so that on a query c to the VF oracle by A it queries the decryption oracle on c and then replies correctly to A. Moreover, once it detects that A is out of sync and the ciphertext decrypted to a valid ciphertext, it uses the first bit of the decrypted message as the guess of z. It is now easy to see that Pr [ A C7 1 [ = Pr A IND-sfCCAΨ 1. (8) 11

12 C 4 and C 5 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 16: The game C 4 that is identical until bad to the game C 5. C 5 and C 6 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 17: The game C 6. Since bad is an internal variable only, removing this flag and all then unused code related to setting it does not affect the behavior. 1

13 C 6 and C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 18: The game C 7. Observe that in the VF oracle, if sync = 1, then we have c = C[j, which by correctness in turn implies that the cyphertext decrypts to the original message that is not equal to. Moreover, if sync = 1, then m is unused for the rest of the oracle call. C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 19: The reduction from C 7 to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reductions. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. 13

14 Putting all together especially (6), (7), and (8) we obtain Pr [ A C0 1 = Pr [ A C1 1 = Pr [ A C 1 ( = Pr [ A C3 1 1 ) ( = Pr [ A C4 1 1 ) ( Pr [ A C5 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C6 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C7 1 + Pr [ A C4 sets bad 1 ) ( [ = Pr A IND-sfCCAΨ 1 + Pr [ A C4 sets bad 1 ) = Adv IND-sfCCA Ψ,A + Pr [ A C4 sets bad. (9) It remains to bound Pr [ A C4 sets bad. To this end, consider the game B 0, depicted in Figure 0, which is identical to C 4 except that the winning condition is no longer win being set, but bad being set. Hence, by definition we have Pr [ A C4 sets bad = Pr [ A B0 1, and moreover, it is easy to see that both B 1 and B behaves equivalently as well, as seen in Figures 0 and 1. Finally, observe that B is almost identical to the game P 1 defined above, as shown in Figure. Thus, using (5) we obtain Pr [ A C4 sets bad [ = Pr A INT-sfPTXTΨ 3 1. (10) Combining (1), (3), (4), (5), (9), and (10) concludes the proof. 14

15 B 0 and B 1 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 if sync 1 = 0 then bad 1 return bad Figure 0: The games B 0 and B 1. The former is identical to C 4 except that in the finalization now the bad flag gets checked. Moreover, B 1 behaves equivalent to B 0, since d is unused. B 1 and B bad 0 if m sync = 0 then if sync 1 = 0 then bad 1 if m sync 1 = 0 then bad 1 return bad Figure 1: The game P. Note that by correctness sync 1 = 0 implies sync = 0, and thus removing the former check does not change the behavior. 15

16 B and P 1 bad 0 win 1 0 if m sync 1 = 0 then bad 1 win 1 1 return bad return win 1 m z m c E(k, m ) S[i m Figure : It is easy to verify that B is equivalent to the game P 1 that has already been defined above. 16

17 References [BKN04 [BN08 M. Bellare, T. Kohno, and C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme, ACM Transactions on Information and System Security, vol. 7, no., pp , 004. doi: / [Online. Available: M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, vol. 1, no. 4, pp , 008. doi: /s x. [Online. Available: pdf. 17