CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Transcription

1 CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary against an encryption scheme E. construct an adversary B O (, ) that breaks the semantic security of E as follows: B O (, ) : - Pick two messages at random M 0, M 1 $ {0, 1} n. - Ask (M 0, M 1 ) to oracle O (, ) and get a ciphertext c. - Run A O( ) (c ). When A O( ) makes a query M to its oracle, answer it as follows: - Ask (M, M) to oracle O (, ) and get a ciphertext c - Give c back to A O( ) as the answer to its oracle query. - When A O( ) is done, it outputs a message M. - If M = M 0, output 0. - If M = M 1, output 1. - If M is anything else, pick a random bit b $ {0, 1} and output b. Analysis: Define the following events: Guess is the event that B output is correct. Correct is the event that A returns the correct message. Unlucky is the event that A returns the message that makes B s guess incorrect. Junk is the event that A returns neither M 0 nor M 1. It should be clear that Correct, Unlucky and Junk are disjoint, and that one of them always happens. So, using the equation we proved in class: B,E = 2 P (Guess) 1 Let s expand each of these terms. = 2 P (Guess&&Correct) + 2 P (Guess&&Unlucky) + 2 P (Guess&&Junk) 1 P (Guess&&Correct) = P (Guess Correct) P (Correct) = P (Correct) because the guess is always correct when the key is correct = Adv MR A,E P (Guess&&Unlucky) = P (Guess Unlucky) P (Unlucky) by definition of the advantage of A in a MR attack (*) = 0 because the guess is never correct by definition when Unlucky happens We

2 P (Guess&&Junk) = P (Guess Junk)P (Junk) = 1 P (Junk) because when Junk happens, B outputs a random bit 2 = 1 (1 P (Correct) P (Unlucky)) 2 = 1 (1 AdvMR A,E n ) The second to last line is because Correct, Unlucky and Junk are disjoint, and that one of them always happens. The last line uses the same reasoning as line (*), and the fact that P (Unlucky) = 1 2 because n the incorrect message is random and independent from the choice of the key and the other message. Plugging all these in the equation of the previous page, we get B,E = 2 P (Guess&&Correct) + 2 P (Guess&&Lucky) + 2 P (Guess&&Unlucky) + 2 P (Guess&&Junk) 1 = 2AdvA,E KR (1 AdvKR A,E 1 2 n ) 1 = AdvA,E KR 1 2 n So our adversary B advantage against the semantic security of E is as large as the probability that A recovers the key, so that if A is a good adversary against the MR security of E, then B is a good adversary against the semantic security of E. Conversely, if no adversary can break the semantic security of E with significant advantage, then no adversary will be able to recover messages of E with significant probability.

3 2. Let E = (K, E, D) be a stateful variant of CBC in which the first block of the first ciphertext is chosen at random, and for other ciphertexts, the first block of the ciphertext is the last block of the previous ciphertext. Show that this is not semantically secure. Solution: A O(, ) : Ask (0 n, 0 n ) to O, get ciphertext c = c 0 c 1 Ask (c 0 c 1, c 0 c 1 ), get ciphertext c = c 0 c 1 If c 1 = c 1 output 0, else output 1 Here is the idea. Since we know that the message encrypted in the first query is 0 n, then we know that bc(k, c 0 ) = c 1, where k is the key for the encryption scheme 1. Also, the when answering the second query, if the first message is chosen, the block cipher will be calculated on c 1 (c 0 c 1 ) = c 0, which will result in the same second message block as in the first query. If the second message is chose, the block cipher will be calculated on a different value, which will result in a different output since the block cipher is a permutation. Therefore, the adversary always correctly guesses if the first or second message gets encrypted, so: A,CBC var = 1 0 = 1 So the encryption scheme is not secure. 1 We don t know what that key is, but the equation holds regardless of what that key is.

4 3. Let bc : {0, 1} k {0, 1} n {0, 1} n be a block cipher. Consider encryption scheme E = (K, E, D) defined by the following algorithms: K: - Pick a random key k $ {0, 1} k - Return k. The message space is M = {0, 1} n E(k, M): - Pick a random r $ {0, 1} n - Compute z = bc(k, r) and w = z M - return ciphertext c = r w D(k, c): - Split c into 2 n-bit strings c 0 and c 1 (if this fails, return ) - Compute y = bc(k, c 0 ) and m = y c 1 - Return message m Show that if bc is a secure PRF, then the encryption scheme above is semantically secure. Solution: Suppose that there exists an adversary A O(, ) that breaks the semantic security of E. We construct an adversary B O ( ) that breaks the block cipher as follows: B O ( ) : - Pick a random bit b $ {0, 1} - Run A O(, ). When A O(, ) makes query (M 0, M 1 ) to its encryption oracle, answer it as follows: - Pick a random r $ {0, 1} n - Ask r to O, get value z - Compute w = z M b - Return c = r w to A as the answer to its query - When A is done, it outputs a bit b - If b = b output 1, else output 0 The idea is that if B s oracle is the block cipher, then all the encryption queries are answered perfectly, and A will have a good probability of guessing the bit b. On the other hand, if the encryption B s oracle is a random function, then hopefully, A s probability of correctly guessing the bit will be lower.

5 ANALYSIS: To analyse the advantage of B, it is useful to define the following games: Game G 0 - Pick a random key k $ {0, 1} k - Pick a random bit b $ {0, 1} - Run A O(, ). When A O(, ) makes query (M 0, M 1 ) to its encryption oracle, answer it as follows: - Compute c E(k, M b ) - Return c to A as the answer to its query - When A is done, it outputs a bit b - If b = b output 1, else output 0 So Game G 0 is just like the regular guessing game. Game G 1 - Pick a random key k $ {0, 1} k - Pick a random bit b $ {0, 1} - Initialize an empty list L - Run A O(, ). When A O(, ) makes query (M 0, M 1 ) to its encryption oracle, answer it as follows: - Pick a random r $ {0, 1} n - Pick a random z $ {0, 1} n - If there exists an element (r, ζ) L - set BAD true, z ζ - Compute w = z M b - Return c = r w to A as the answer to its query - Return c to A as the answer to its query - When A is done, it outputs a bit b - If b = b output 1, else output 0 In Game G 1, it is as if the block cipher had been replaced by a random function. The mess with the list is so that in the unlikely event that the same random string is generated twice for encryption, the answer of the random function will be consistent.

6 Game G 2 - Pick a random key k $ {0, 1} k - Pick a random bit b $ {0, 1} - Initialize an empty list L - Run A O(, ). When A O(, ) makes query (M 0, M 1 ) to its encryption oracle, answer it as follows: - Pick a random r $ {0, 1} n - Pick a random z $ {0, 1} n - If there exists an element (r, ζ) L - set BAD true - Compute w = z M b - Return c = r w to A as the answer to its query - Return c to A as the answer to its query - When A is done, it outputs a bit b - If b = b output 1, else output 0 Game G 2 is the same as Game G 1 except that the answers are no longer consistent when the same random value is generated twice. As we have seen in class with CTRS, the probability that the adversary correctly guesses the bit is exactly 1 2 because the ciphertexts are just random bits independent from the message. Now, since Game G 0 is the normal guessing game, we get that A,E = 2P (G 0 = 1) 1 (as seen in class) By design, the probability that Game G 0 outputs 1 is also exactly the same as the probability that B O ( ) outputs 1 when its oracle is the block cipher. Also, Game G 1 outputs 1 exactly with the same probability that B O ( ) outputs 1 when its oracle is a random function. So: Adv P RF B,bc = P (G 0 = 1) P (G 1 = 1) For simplicity, I removed the absolute value in the equation above because we could force the above to be positive by inverting the output of B if necessary. Now, Game G 1 can be a little hard to analyse directly because of the small probability that the same value r is used twice, which is why we use Game G 2. Note that up to the point where the flag BAD is set to true, the two games are identical. Let Bad be the event that the flag BAD gets set to true. Then P (G 1 = 1) = P (G 1 = 1) P (G 2 = 1) + P (G 2 = 1) P (G 1 = 1) P (G 2 = 1) + P (G 2 = 1) P (G 1 = 1&&bad) + P (G 1 = 1&&bad) P (G 2 = 1&&bad) P (G 2 = 1&&bad) + P (G 2 = 1) P (G 1 = 1&&bad) P (G 2 = 1&&bad) + P (G 2 = 1) P (G 1 = 1 bad)p (bad) P (G 2 = 1 bad)p (bad) + P (G 2 = 1) P (G 1 = 1 bad) P (G 2 = 1 bad) P (bad) + P (G 2 = 1) P (bad) + P (G 2 = 1) q(q 1) 2 n

7 Where the last line uses an argument similar to what we did for the PRF-PRP switching lemma, and q is the number of queries A makes to the encryption oracle, and the fact that P (G 2 = 1) = 1 2. Therefore Adv P RF B,bc = P (G 0 = 1) P (G 1 = 1) P (G 0 = 1) q(q 1) 2 n Putting this together with our equation on AdvA,E CP A, we get A,E RF q(q 1) 2(AdvP B,bc + 2Adv P RF B,bc + 2 n ) 1 q(q 1) 2 n So that if A breaks the semantic security of E, and AdvA,E CP A is away from zero, then AdvP RF B,bc will be away from zero as well, and B breaks the block cipher. Note to students: This turned out to be a little more involved than I remembered, so half of the points for this question will be bonus points.

8 4. Show that the encryption scheme CTR$ is not secure against a chosen-ciphertext attack. You will need Monday s lecture for this. It s really quite easy. Solution: A O(, ),O ( ) : Ask (0 n, 1 n ) to O, get ciphertext c = c 0 c 1 Compute c 1 = c 1 0 n 1 1 (this will flip the last bit of c 1 ) Ask c 0 c 1 to O, get message m Output the first bit of m Modifying the last bit of c 1 has the effect of modifying the last bit of the encrypted message, and has no effect on the first bit of the message. Therefore, the adversary always correctly guesses which of the two messages was encrypted, so: So the encryption scheme is not secure. Adv CCA A,CT R$ = 1 0 = 1