CPSC 91 Computer Security, Fall: Assignment #3 Solutions


1. Show that breaking the semantic security of a scheme reduces to recovering the message.

Solution: Suppose that $A^{O(\cdot)}$ is a message recovery adversary against an encryption scheme $E$. We construct an adversary $B^{O'(\cdot,\cdot)}$ that breaks the semantic security of $E$ as follows:

$B^{O'(\cdot,\cdot)}$:
- Pick two messages at random $M_0, M_1 \xleftarrow{\$} \{0,1\}^n$.
- Ask $(M_0, M_1)$ to oracle $O'(\cdot,\cdot)$ and get a ciphertext $c^*$.
- Run $A^{O(\cdot)}(c^*)$. When $A^{O(\cdot)}$ makes a query $M$ to its oracle, answer it as follows:
  - Ask $(M, M)$ to oracle $O'(\cdot,\cdot)$ and get a ciphertext $c$.
  - Give $c$ back to $A^{O(\cdot)}$ as the answer to its oracle query.
- When $A^{O(\cdot)}$ is done, it outputs a message $M'$.
- If $M' = M_0$, output 0.
- If $M' = M_1$, output 1.
- If $M'$ is anything else, pick a random bit $b \xleftarrow{\$} \{0,1\}$ and output $b$.

Analysis: Define the following events:
- Guess is the event that B's output is correct.
- Correct is the event that A returns the correct message.
- Unlucky is the event that A returns the message that makes B's guess incorrect.
- Junk is the event that A returns neither $M_0$ nor $M_1$.

It should be clear that Correct, Unlucky and Junk are disjoint, and that one of them always happens. So, using the equation we proved in class:

$\mathrm{Adv}^{CPA}_{B,E} = 2P(\mathrm{Guess}) - 1 = 2P(\mathrm{Guess} \wedge \mathrm{Correct}) + 2P(\mathrm{Guess} \wedge \mathrm{Unlucky}) + 2P(\mathrm{Guess} \wedge \mathrm{Junk}) - 1$

Let's expand each of these terms.

$P(\mathrm{Guess} \wedge \mathrm{Correct}) = P(\mathrm{Guess} \mid \mathrm{Correct})\,P(\mathrm{Correct}) = P(\mathrm{Correct})$, because the guess is always correct when A's message is correct, and $P(\mathrm{Correct}) = \mathrm{Adv}^{MR}_{A,E}$ by definition of the advantage of A in an MR attack. (*)

$P(\mathrm{Guess} \wedge \mathrm{Unlucky}) = P(\mathrm{Guess} \mid \mathrm{Unlucky})\,P(\mathrm{Unlucky}) = 0$, because by definition the guess is never correct when Unlucky happens.

$P(\mathrm{Guess} \wedge \mathrm{Junk}) = P(\mathrm{Guess} \mid \mathrm{Junk})\,P(\mathrm{Junk}) = \tfrac{1}{2}P(\mathrm{Junk})$, because when Junk happens B outputs a random bit,
$= \tfrac{1}{2}\bigl(1 - P(\mathrm{Correct}) - P(\mathrm{Unlucky})\bigr)$
$= \tfrac{1}{2}\bigl(1 - \mathrm{Adv}^{MR}_{A,E} - 2^{-n}\bigr)$.

The second to last line holds because Correct, Unlucky and Junk are disjoint and one of them always happens. The last line uses the same reasoning as line (*), and the fact that $P(\mathrm{Unlucky}) = 2^{-n}$, because the incorrect message is random and independent of the choice of the key and of the other message.

Plugging all of these into the equation above, we get

$\mathrm{Adv}^{CPA}_{B,E} = 2\,\mathrm{Adv}^{MR}_{A,E} + 2 \cdot 0 + \bigl(1 - \mathrm{Adv}^{MR}_{A,E} - 2^{-n}\bigr) - 1 = \mathrm{Adv}^{MR}_{A,E} - 2^{-n}$

So our adversary B's advantage against the semantic security of $E$ is as large as the probability that A recovers the message, so that if A is a good adversary against the MR security of $E$, then B is a good adversary against the semantic security of $E$. Conversely, if no adversary can break the semantic security of $E$ with significant advantage, then no adversary will be able to recover messages of $E$ with significant probability.

2. Let $E = (K, E, D)$ be a stateful variant of CBC in which the first block of the first ciphertext is chosen at random, and for other ciphertexts, the first block of the ciphertext is the last block of the previous ciphertext. Show that this is not semantically secure.

Solution:

$A^{O(\cdot,\cdot)}$:
- Ask $(0^n, 0^n)$ to $O$, get ciphertext $c = c_0 c_1$.
- Ask $(c_0 \oplus c_1, M_1)$ to $O$, where $M_1$ is any $n$-bit message different from $c_0 \oplus c_1$, and get ciphertext $c' = c'_0 c'_1$.
- If $c'_1 = c_1$ output 0, else output 1.

Here is the idea. Since we know that the message encrypted in the first query is $0^n$, we know that $bc(k, c_0) = c_1$, where $k$ is the key for the encryption scheme.[1] Also, when answering the second query, if the first message is chosen, the block cipher will be evaluated on $c_1 \oplus (c_0 \oplus c_1) = c_0$, which results in the same second ciphertext block as in the first query. If the second message is chosen, the block cipher will be evaluated on a different value, which results in a different output since the block cipher is a permutation. Therefore the adversary always correctly guesses whether the first or the second message was encrypted, so:

$\mathrm{Adv}^{CPA}_{A,CBC\text{-}var} = 1 - 0 = 1$

So the encryption scheme is not secure.

[1] We don't know what that key is, but the equation holds regardless of what that key is.
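The chained-IV weakness above is easy to see in a simulation. The following is an added example, not part of the assignment solution: it runs the distinguisher from the solution against a toy version of the stateful scheme and, for comparison, against ordinary CBC$ with a fresh random IV per ciphertext (the fix). The block cipher is a random permutation on 12-bit blocks selected by the key, which is an assumption standing in for a real PRP such as AES; the argument only uses that it is a permutation. The hidden bit, the left-or-right oracle and the advantage computation follow the definitions used in this course.

```python
import random

N_BITS = 12                       # toy block size (a real cipher uses 128 bits)
MASK = (1 << N_BITS) - 1

def make_block_cipher(key):
    """Toy block cipher bc(k, .): a uniformly random permutation of {0,1}^N_BITS
    chosen by the key. Assumption: it stands in for a real PRP such as AES; the
    argument in the solution only uses that bc(k, .) is a permutation."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return lambda x: table[x & MASK]

class ChainedIVCBC:
    """The stateful CBC variant from the question: the first IV is random, every
    later ciphertext starts with the last block of the previous ciphertext."""
    def __init__(self, bc, rng):
        self.bc, self.rng, self.prev = bc, rng, None
    def encrypt(self, blocks):
        iv = self.rng.getrandbits(N_BITS) if self.prev is None else self.prev
        out = [iv]
        for m in blocks:
            out.append(self.bc(out[-1] ^ m))
        self.prev = out[-1]
        return out

class RandomIVCBC:
    """Ordinary CBC$ with a fresh random IV per ciphertext, for comparison."""
    def __init__(self, bc, rng):
        self.bc, self.rng = bc, rng
    def encrypt(self, blocks):
        out = [self.rng.getrandbits(N_BITS)]
        for m in blocks:
            out.append(self.bc(out[-1] ^ m))
        return out

def left_right_oracle(scheme, b):
    """O(M0, M1): encrypts M_b; the bit b is hidden from the adversary."""
    return lambda m0, m1: scheme.encrypt(m1 if b else m0)

def adversary(oracle):
    """The distinguisher from the solution, with one-block messages."""
    c0, c1 = oracle([0], [0])            # now bc(k, c0) = c1
    m0 = c0 ^ c1                          # next IV is c1, so c1 ^ m0 = c0 again
    m1 = m0 ^ 1                           # any message different from m0 will do
    _, d1 = oracle([m0], [m1])
    return 0 if d1 == c1 else 1

def advantage(make_scheme, trials=200, seed=1):
    """Empirical 2*P(correct guess) - 1 over fresh keys and random hidden bits."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        bc = make_block_cipher(rng.getrandbits(64))
        b = rng.getrandbits(1)
        scheme = make_scheme(bc, rng)
        correct += adversary(left_right_oracle(scheme, b)) == b
    return 2 * correct / trials - 1

if __name__ == "__main__":
    print("chained-IV CBC:", advantage(ChainedIVCBC))   # 1.0: always distinguished
    print("random-IV CBC: ", advantage(RandomIVCBC))    # close to 0
```

Against the chained-IV scheme the adversary is right on every trial, exactly as the advantage calculation says; against CBC$ the second ciphertext block matches only when the fresh IV happens to equal $c_1$, so the same adversary is reduced to guessing.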

3. Let $bc : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Consider the encryption scheme $E = (K, E, D)$ defined by the following algorithms:

$K$:
- Pick a random key $k \xleftarrow{\$} \{0,1\}^k$.
- Return $k$. The message space is $M = \{0,1\}^n$.

$E(k, M)$:
- Pick a random $r \xleftarrow{\$} \{0,1\}^n$.
- Compute $z = bc(k, r)$ and $w = z \oplus M$.
- Return ciphertext $c = r \| w$.

$D(k, c)$:
- Split $c$ into two $n$-bit strings $c_0$ and $c_1$ (if this fails, return $\bot$).
- Compute $y = bc(k, c_0)$ and $m = y \oplus c_1$.
- Return message $m$.

Show that if $bc$ is a secure PRF, then the encryption scheme above is semantically secure.

Solution: Suppose that there exists an adversary $A^{O(\cdot,\cdot)}$ that breaks the semantic security of $E$. We construct an adversary $B^{O'(\cdot)}$ that breaks the block cipher as follows:

$B^{O'(\cdot)}$:
- Pick a random bit $b \xleftarrow{\$} \{0,1\}$.
- Run $A^{O(\cdot,\cdot)}$. When $A^{O(\cdot,\cdot)}$ makes query $(M_0, M_1)$ to its encryption oracle, answer it as follows:
  - Pick a random $r \xleftarrow{\$} \{0,1\}^n$.
  - Ask $r$ to $O'$, get value $z$.
  - Compute $w = z \oplus M_b$.
  - Return $c = r \| w$ to $A$ as the answer to its query.
- When $A$ is done, it outputs a bit $b'$.
- If $b' = b$ output 1, else output 0.

The idea is that if B's oracle is the block cipher, then all the encryption queries are answered perfectly, and A will have a good probability of guessing the bit $b$. On the other hand, if B's oracle is a random function, then hopefully A's probability of correctly guessing the bit will be lower.

Analysis: To analyse the advantage of B, it is useful to define the following games.

Game $G_0$:
- Pick a random key $k \xleftarrow{\$} \{0,1\}^k$.
- Pick a random bit $b \xleftarrow{\$} \{0,1\}$.
- Run $A^{O(\cdot,\cdot)}$. When $A^{O(\cdot,\cdot)}$ makes query $(M_0, M_1)$ to its encryption oracle, answer it as follows:
  - Compute $c \leftarrow E(k, M_b)$.
  - Return $c$ to $A$ as the answer to its query.
- When $A$ is done, it outputs a bit $b'$.
- If $b' = b$ output 1, else output 0.

So Game $G_0$ is just the regular guessing game.

Game $G_1$:
- Pick a random key $k \xleftarrow{\$} \{0,1\}^k$.
- Pick a random bit $b \xleftarrow{\$} \{0,1\}$.
- Initialize an empty list $L$.
- Run $A^{O(\cdot,\cdot)}$. When $A^{O(\cdot,\cdot)}$ makes query $(M_0, M_1)$ to its encryption oracle, answer it as follows:
  - Pick a random $r \xleftarrow{\$} \{0,1\}^n$.
  - Pick a random $z \xleftarrow{\$} \{0,1\}^n$.
  - If there exists an element $(r, \zeta) \in L$, set $\mathrm{BAD} \leftarrow \mathrm{true}$ and $z \leftarrow \zeta$.
  - Add $(r, z)$ to $L$.
  - Compute $w = z \oplus M_b$.
  - Return $c = r \| w$ to $A$ as the answer to its query.
- When $A$ is done, it outputs a bit $b'$.
- If $b' = b$ output 1, else output 0.

In Game $G_1$, it is as if the block cipher had been replaced by a random function. The bookkeeping with the list is there so that, in the unlikely event that the same random string $r$ is generated twice for encryption, the answer of the random function is consistent.

Game $G_2$:
- Pick a random key $k \xleftarrow{\$} \{0,1\}^k$.
- Pick a random bit $b \xleftarrow{\$} \{0,1\}$.
- Initialize an empty list $L$.
- Run $A^{O(\cdot,\cdot)}$. When $A^{O(\cdot,\cdot)}$ makes query $(M_0, M_1)$ to its encryption oracle, answer it as follows:
  - Pick a random $r \xleftarrow{\$} \{0,1\}^n$.
  - Pick a random $z \xleftarrow{\$} \{0,1\}^n$.
  - If there exists an element $(r, \zeta) \in L$, set $\mathrm{BAD} \leftarrow \mathrm{true}$.
  - Add $(r, z)$ to $L$.
  - Compute $w = z \oplus M_b$.
  - Return $c = r \| w$ to $A$ as the answer to its query.
- When $A$ is done, it outputs a bit $b'$.
- If $b' = b$ output 1, else output 0.

Game $G_2$ is the same as Game $G_1$ except that the answers are no longer consistent when the same random value is generated twice. As we have seen in class with CTR$, the probability that the adversary correctly guesses the bit is then exactly $\tfrac{1}{2}$, because the ciphertexts are just random bits independent of the message.

Now, since Game $G_0$ is the normal guessing game, we get that

$\mathrm{Adv}^{CPA}_{A,E} = 2P(G_0 = 1) - 1$ (as seen in class).

By design, the probability that Game $G_0$ outputs 1 is exactly the same as the probability that $B^{O'(\cdot)}$ outputs 1 when its oracle is the block cipher. Also, Game $G_1$ outputs 1 with exactly the same probability that $B^{O'(\cdot)}$ outputs 1 when its oracle is a random function. So:

$\mathrm{Adv}^{PRF}_{B,bc} = P(G_0 = 1) - P(G_1 = 1)$

For simplicity, I removed the absolute value in the equation above, because we could force the difference to be positive by inverting the output of B if necessary. Now, Game $G_1$ can be a little hard to analyse directly because of the small probability that the same value $r$ is used twice, which is why we use Game $G_2$. Note that up to the point where the flag BAD is set to true, the two games are identical. Let bad be the event that the flag BAD gets set to true.
Then

$$\begin{aligned}
P(G_1 = 1) &= P(G_1 = 1) - P(G_2 = 1) + P(G_2 = 1) \\
&\le \bigl|P(G_1 = 1) - P(G_2 = 1)\bigr| + P(G_2 = 1) \\
&= \bigl|P(G_1 = 1 \wedge \mathrm{bad}) + P(G_1 = 1 \wedge \neg\mathrm{bad}) - P(G_2 = 1 \wedge \mathrm{bad}) - P(G_2 = 1 \wedge \neg\mathrm{bad})\bigr| + P(G_2 = 1) \\
&= \bigl|P(G_1 = 1 \wedge \mathrm{bad}) - P(G_2 = 1 \wedge \mathrm{bad})\bigr| + P(G_2 = 1) \\
&= \bigl|P(G_1 = 1 \mid \mathrm{bad})\,P(\mathrm{bad}) - P(G_2 = 1 \mid \mathrm{bad})\,P(\mathrm{bad})\bigr| + P(G_2 = 1) \\
&= \bigl|P(G_1 = 1 \mid \mathrm{bad}) - P(G_2 = 1 \mid \mathrm{bad})\bigr|\,P(\mathrm{bad}) + P(G_2 = 1) \\
&\le P(\mathrm{bad}) + P(G_2 = 1) \\
&\le \frac{q(q-1)}{2^{n+1}} + \frac{1}{2}
\end{aligned}$$

where the $\neg\mathrm{bad}$ terms cancel because the two games are identical until BAD is set, the last line uses an argument similar to what we did for the PRF-PRP switching lemma, $q$ is the number of queries A makes to the encryption oracle, and we used the fact that $P(G_2 = 1) = \tfrac{1}{2}$. Therefore

$\mathrm{Adv}^{PRF}_{B,bc} = P(G_0 = 1) - P(G_1 = 1) \ge P(G_0 = 1) - \frac{q(q-1)}{2^{n+1}} - \frac{1}{2}$

Putting this together with our equation for $\mathrm{Adv}^{CPA}_{A,E}$, we get

$\mathrm{Adv}^{CPA}_{A,E} \le 2\left(\mathrm{Adv}^{PRF}_{B,bc} + \frac{q(q-1)}{2^{n+1}} + \frac{1}{2}\right) - 1 = 2\,\mathrm{Adv}^{PRF}_{B,bc} + \frac{q(q-1)}{2^{n}}$

So if A breaks the semantic security of $E$, and $\mathrm{Adv}^{CPA}_{A,E}$ is away from zero, then $\mathrm{Adv}^{PRF}_{B,bc}$ will be away from zero as well, and B breaks the block cipher.

Note to students: This turned out to be a little more involved than I remembered, so half of the points for this question will be bonus points.
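The $q(q-1)/2^{n+1}$ term in the bound is the only place the proof loses anything, so it is worth seeing what it says numerically. The following is an added example, not part of the assignment solution: it computes the exact probability of the bad event (two encryption queries drawing the same $r$), checks it against the union bound used above, replays the list bookkeeping of Game $G_1$ to estimate the bad event empirically, and turns the bound around into the practical question a defender asks, namely how many encryptions under one key keep the collision term below a chosen threshold. The choice of threshold and the assumption that the adversary's messages do not affect the draw of $r$ are mine.

```python
import math
import random
from fractions import Fraction

def bad_bound(q, n):
    """The union (birthday) bound used in the solution: P(bad) <= q(q-1)/2^(n+1)."""
    return Fraction(q * (q - 1), 2 ** (n + 1))

def bad_exact(q, n):
    """Exact P(bad): the probability that q independent uniform n-bit values r
    are not all distinct."""
    p_all_distinct = Fraction(1)
    for i in range(q):
        p_all_distinct *= Fraction(2 ** n - i, 2 ** n)
    return 1 - p_all_distinct

def simulate_bad(q, n, trials, seed=0):
    """Replay the r-drawing loop of Game G1 for q queries and report how often
    the flag BAD gets set. Assumption: the adversary's messages do not influence
    the event, which holds here because r is drawn independently of the query."""
    rng = random.Random(seed)
    bad_count = 0
    for _ in range(trials):
        L = {}                      # the list L of (r, zeta) pairs, keyed by r
        bad = False
        for _ in range(q):
            r = rng.getrandbits(n)
            z = rng.getrandbits(n)
            if r in L:              # same r drawn twice: BAD <- true
                bad = True
            L.setdefault(r, z)      # keep the first zeta, as Game G1 does
        bad_count += bad
    return bad_count / trials

def queries_within_budget(n, eps):
    """Largest q with q(q-1)/2^(n+1) <= eps: how many encryptions under one key
    keep the collision term of the bound at or below eps."""
    T = int(Fraction(eps) * 2 ** (n + 1))      # need q(q-1) <= T
    q = (1 + math.isqrt(1 + 4 * T)) // 2        # positive root of q^2 - q - T = 0
    while q * (q - 1) > T:
        q -= 1
    while (q + 1) * q <= T:
        q += 1
    return q

if __name__ == "__main__":
    print("exact P(bad), q=10, n=8:", float(bad_exact(10, 8)))
    print("bound,        q=10, n=8:", float(bad_bound(10, 8)))
    print("simulated,    q=10, n=8:", simulate_bad(10, 8, 2000))
    print("queries for n=128 below 2^-32:", queries_within_budget(128, Fraction(1, 2 ** 32)))
```

For $n = 128$ the budget that keeps the term below $2^{-32}$ is a little under $2^{49}$ encryptions per key, which is the kind of per-key usage limit that follows directly from a bound of this shape.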

4. Show that the encryption scheme CTR$ is not secure against a chosen-ciphertext attack. You will need Monday's lecture for this. It's really quite easy.

Solution:

$A^{O(\cdot,\cdot),\,O'(\cdot)}$:
- Ask $(0^n, 1^n)$ to $O$, get ciphertext $c = c_0 c_1$.
- Compute $c'_1 = c_1 \oplus 0^{n-1}1$ (this flips the last bit of $c_1$).
- Ask $c_0 c'_1$ to $O'$, get message $m$.
- Output the first bit of $m$.

Modifying the last bit of $c_1$ has the effect of modifying the last bit of the encrypted message, and has no effect on the first bit of the message. Therefore the adversary always correctly guesses which of the two messages was encrypted, so:

$\mathrm{Adv}^{CCA}_{A,CTR\$} = 1 - 0 = 1$

So the encryption scheme is not secure.
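The malleability behind question 4 and its standard remedy can be shown side by side. The following is an added example, not part of the assignment solution: it implements one-block CTR$ (which for one block coincides with the scheme $E$ of question 3), plays the CCA game with a left-or-right encryption oracle and a decryption oracle that refuses the challenge ciphertexts themselves, and runs the adversary above. It then wraps the same ciphertext in encrypt-then-MAC with HMAC so the modified ciphertext is rejected and the adversary is reduced to guessing. Assumptions of mine: HMAC-SHA256 truncated to 16 bytes stands in for $bc(k,\cdot)$ (the proof only needs a PRF), messages are exactly one 16-byte block, and the encrypt-then-MAC construction is the mitigation, not something the assignment asks for.

```python
import hashlib
import hmac
import random
import secrets

N = 16   # n = 128 bits; messages are one block long

def prf(key, r):
    """Stand-in for bc(k, .): HMAC-SHA256 truncated to n bytes. Assumption: the
    text only needs bc to be a PRF, and HMAC is a standard PRF candidate."""
    return hmac.new(key, r, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key, m):
    """One-block CTR$: c = r || (bc(k, r) XOR M), the scheme E of question 3."""
    r = secrets.token_bytes(N)
    return r + xor(prf(key, r), m)

def ctr_decrypt(key, c):
    if len(c) != 2 * N:
        return None
    return xor(prf(key, c[:N]), c[N:])

def etm_encrypt(key, m):
    """Encrypt-then-MAC: the CTR$ ciphertext followed by an HMAC tag over it.
    Assumption: key is 32 bytes, split into an encryption half and a MAC half."""
    c = ctr_encrypt(key[:16], m)
    return c + hmac.new(key[16:], c, hashlib.sha256).digest()

def etm_decrypt(key, ct):
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[16:], c, hashlib.sha256).digest()):
        return None            # a modified ciphertext is rejected; nothing is leaked
    return ctr_decrypt(key[:16], c)

def adversary(left_right, decrypt, rng):
    """The CCA adversary from the solution."""
    c = left_right(bytes(N), b"\xff" * N)          # ask (0^n, 1^n)
    c0, c1 = c[:N], c[N:]
    c1_mod = c1[:-1] + bytes([c1[-1] ^ 1])         # c1 XOR 0^{n-1}1: flip the last bit
    m = decrypt(c0 + c1_mod)
    if m is None:                                  # decryption refused: nothing learned
        return rng.getrandbits(1)
    return m[0] >> 7                               # first bit of the recovered message

def cca_advantage(enc, dec, trials=200, seed=1):
    """2*P(adversary guesses b) - 1 in the CCA game: a left-or-right encryption
    oracle plus a decryption oracle that refuses the challenge ciphertexts."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(32))
        b = rng.getrandbits(1)
        challenges = set()
        def left_right(m0, m1):
            c = enc(key, m1 if b else m0)
            challenges.add(c)
            return c
        def decrypt(c):
            return None if c in challenges else dec(key, c)
        correct += adversary(left_right, decrypt, rng) == b
    return 2 * correct / trials - 1

if __name__ == "__main__":
    print("CTR$ alone:       ", cca_advantage(ctr_encrypt, ctr_decrypt))   # 1.0
    print("CTR$ + HMAC (EtM):", cca_advantage(etm_encrypt, etm_decrypt))   # near 0
```

The decryption oracle here only refuses the exact challenge, which is the standard CCA rule; the attack works precisely because a ciphertext differing in one bit is not the challenge and still decrypts to a related message. With the tag in place the one-bit change is detected before any plaintext is returned, which is the property a CCA-secure (authenticated) encryption scheme needs.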