A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT Daniel Jost, Christian Badertscher, Fabio Banfi Department of Computer Science, ETH Zurich, Switzerland daniel.jost@inf.ethz.ch christian.badertscher@inf.ethz.ch fabio.banfi@inf.ethz.ch Abstract The security for authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent. 1 The Security Games We treat the stateful notions in this short note since they are the most widely used notions for authenticated encryption (the main use case is realizing a cryptographic channel). A proof for the non-stateful versions would follow along the same lines. We restate the relevant stateful notions from [BKN04 formally in Figure 1 and Figure. A (stateful) authenticated encryption scheme consists of a triple of algorithms Ψ = (Gen, E, D) for key generation, encryption, and decryption, respectively, as defined in detail in [BKN04 (including the definitions of correctness and being stateful). The message space is denoted by M and the ciphertext space is denoted by C. Our notation follows basically the notation of [BN08; BKN04. IND-sfCCA Ψ b {0, 1} Sampling u.a.r. from {0, 1}. sync 1 Oracle LR Input: (m 0, m 1 ) M M c E(k, m b ) Oracle Dec sync 0 if sync = 0 then return m return Input: d {0, 1} return (d = b) Figure 1: IND-sfCCA Ψ security for stateful CCA security of an authenticated encryption scheme. 1
INT-sfCTXT Ψ INT-sfPTXT Ψ sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win sync 1 win 0 c E(k, m) S[i m sync 0 if m sync = 0 then win 1 return win Figure : The INT-sfPTXT Ψ and INT-sfCTXT Ψ security games for stateful plaintext- and ciphertext-integrity, respectively, of an authenticated encryption scheme. INT-PTXT & IND-CCA implies INT-CTXT Let A denote an INT-sfCTXT attacker. In the following we show that Adv IND-sfCTXT Ψ,A Adv IND-sfCCA Ψ,A 1 + Adv IND-sfCCA Ψ,A +3 Adv IND-sfPTXT Ψ,A 3 where A 1, A, and A 3 denote slight modifications of A with roughly the same efficiency. As a first hybrid, we consider the game H 0 depicted in Figure 3, that essentially works like INT-sfCTXT Ψ, but initially flips a uniform random bit z, and then the encryption oracle instead of encrypting the message m encrypts z m, i.e., either the all-zero or all-one bit string of the length of m. By definition of the advantage of an adversary in the forgery game, we have Adv IND-sfCTXT Ψ,A := Pr [ A INT-sfCTXTΨ 1 = Pr [ A H0 1 + ( Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ) (1) In the following, we will first upper bound the second term, and then proceed to upper bound Pr [ A H0 1 as a second step..1 Upper bounding the second term Consider the following bit-guessing game G 0, shown in Figure 4, that initially flips a bit b and then either behaves exactly like INT-sfCTXT Ψ, if b = 0, or like H 0 if b = 1, and the goal of the adversary is to guess b in the end. In addition, the adversary also gets access to an oracle HasWon that allows him to query the win flag of INT-sfCTXT Ψ or H 0, respectively. We now define A 0 as follows: A 0 internally runs A forwarding all queries and responses to the Enc and VF oracles. Once A calls, A 0 first queries the HasWon oracle, and then calls with d = 0 if HasWon returned true and d = 1 otherwise. Observe that the bit-guessing game G 0 behaves exactly as INT-sfCTXT Ψ if b = 0 and exactly like H 0 if b = 1. By definition of G 0 and A 0 we obtain [ Pr A G0 0 1 b = 0 = Pr AG 0 0 [d = b b = 0 = Pr AG 0 0 [d = 0 b = 0 = Pr AG 0 0 [win = 1 b = 0 = Pr [ A INT-sfCTXTΨ 1
INT-sfCTXT Ψ and H 0 sync 1 win 0 c E(k, m) sync 0 if m sync = 0 then win 1 return win Figure 3: The first hybrid H 0 compared to the original INT-sfCTXT Ψ security game. G 0 and G 1 b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) sync 0 if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 4: The bit-guessing games G 0 and G 1. 3
G 1 and G b {0, 1} sync 1 win 0 if b = 0 then c E(k, m) m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 5: The bit-guessing games G in comparison to G 1. and [ Pr A G0 0 1 b = 1 = Pr AG 0 0 [d = b b = 1 = Pr AG 0 0 [d = 1 b = 1 which yields G 1 G = Pr AG 0 0 [win = 0 b = 1 = 1 Pr [ A H0 1, Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 [ [ = Pr A G0 0 1 b = 0 + Pr A G0 0 1 b = 1 1 ( [ = Pr A G0 0 1 1 ). [ We now proceed by bounding Pr A G0 0 1 using a sequence of simple modifications: The game G 1, as depicted in Figure 4, behaves like G 0 except that the VF oracle returns true instead of (m ) if sync = 1. Since sync = 1 implies c = C[j and / M, however, by correctness of the scheme this behavior is equivalent. Consider the game G as depicted in Figure 5. Observe that in the Enc oracle the same message gets encrypted as in G 1. In the VF oracle it sets m to if sync 0. Note however, that in this case the value of m does not matter anymore. Thus, G 1 and G behave equivalently. It is now easy to see that winning G can be reduced to winning IND-sfCCA Ψ as sketched in Figure 6. For every adversary A 0 against G we can build A 1 against IND-sfCCA Ψ that works as follows: it initially flips a bit z and then internally runs A 0 and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = m and m 1 = z m. In addition, A 1 keeps track whether A 0 is still in sync, so that on a query c to the VF oracle by () 4
G b {0, 1} sync 1 win 0 m 0 m m 1 z m c E(k, m b ) sync 0 if sync = 0 then m m m if m sync = 0 then win 1 if sync = 0 then return 1. Oracle HasWon return win Input: d {0, 1} return d = b Figure 6: The reduction from G to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. A 0 it can query the decryption oracle on c and then reply correctly to A 0. It is easy to see that A 1 guesses b correctly if and only if A 0 guesses b correctly by simply forwarding the guess. Thus we obtain [ [ [ [ Pr A G0 0 1 = Pr A G1 0 1 = Pr A G 0 1 = Pr A IND-sfCCAΨ 1 1, and combining this with () yields the desired bound Pr [ A INT-sfCTXTΨ 1 Pr [ A H0 1 ( [ = Pr A G0 0 1 1 ) ( [ = Pr A IND-sfCCAΨ 1 1 1 ) =: Adv IND-sfCCA Ψ,A 1, (3) where in the last step we used the definition of the (bit-guessing) advantage of a CCA adversary.. Bounding the first winning probability In the following section we upper bound the probability Pr [ A H0 1 using the hybrids H 1 and H, depicted in Figure 7 and Figure 8, respectively. H 1 The game H 1 replaces the sync and the win flags of H 0 by two pairs of flags (sync 1, sync ) and (win 1, win ), respectively. Note that sync in H 1 is defined exactly equivalent to sync of H 0, and thus win 1 win is true in H 1 if and only if win is true in H 0. Hence, the two games behave equivalently. 5
H 0 and H 1 sync 1 win 0 win 1 0 win 0 sync 0 if m sync = 0 then win 1 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win return win 1 win Figure 7: The game H 1 is equivalent to H 0, which is best seen by observing that the sync flag is identical to the sync one of H 0. H 1 and H win 1 0 win 0 if m sync 1 = 0 sync = 0 then win 1 1 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 win Figure 8: The game H is equivalent to H 1 as well. Observe that sync 1 = 0 implies that j > i or m S[j for some j. In the latter case, the correctness of the scheme however implies that c[j C[j and thus sync = 0 as well. 6
P 0 and C 0 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 return win Figure 9: The games P 0 and C 0 are identical to H, except that the winning condition win 1 win of the latter has been replaced by checking only one of the respective flags. H The game H is equivalent to H 1 except that the former no longer checks for sync = 0 when setting win 1 to true. Observe however that by the correctness of the scheme we have that m S[j implies c C[j and thus sync 1 = 0 implies sync = 0. Hence, the two games are equivalent as well. Now, consider the two games P 0 and C 0 as depicted in Figure 9. Observe that each of those games is equivalent to H except for the winning condition that only checks for win 1 or win, respectively, instead of win 1 win. Using the union bound we therefore obtain Pr [ A H0 1 = Pr [ A H1 1 = Pr [ A H 1 Pr [ A P0 1 + Pr [ A C0 1. (4) We proceed by bounding those two terms separately in the next sections..3 Upper bounding the advantage on P 0 Consider the game P 1 as shown in Figure 10, which basically corresponds to P 0 with all code related to the two unused flags win and sync removed. Moreover, the Enc-oracle has slightly been rewritten without changing the behavior. It is now easy to reduce any adversary A winning P 1 to another adversary A 3 winning INT-sfPTXT Ψ, as highlighted in Figure 11: A 3 initially flips a bit z and then whenever A queries the Enc oracle on m, A 3 queries the actual Enc-oracle on m = z m. Clearly, A 3 wins INT-sfPTXT Ψ if and only if A wins P 1. As a consequence, we have Pr [ A P0 1 = Pr [ A P1 1 [ = Pr A INT-sfPTXTΨ 3 1 = Adv IND-sfPTXT Ψ,A 3. (5).4 Upper bounding the advantage on C 0 In the following section, we upper bound Pr [ A C0 1 using a sequence of hybrids C 1, C, C 3, C 4, C 5, and C 6. 7
P 0 and P 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win 1 m z m c E(k, m ) S[i m Figure 10: The game P 1 that is equivalent to P 0. P 1 win 1 0 if m sync 1 = 0 then win 1 1 return win 1 m z m c E(k, m ) S[i m Figure 11: The reduction from P 1 to INT-sfPTXT Ψ. The lines with the blue shade and the solid border belong to the INT-sfPTXT Ψ game, whereas the green shaded ones with the dashed border belong to the reduction. 8
C 0 and C 1 win 1 0 win 0 if m sync 1 = 0 then win 1 1 if m sync 1 = 1 sync = 0 then win 1 return win Figure 1: The game C 1 that is equivalent to C 0. C 1 C C 3 The game C 1, as depicted in Figure 1, corresponds to C 0 with all code related to the unused flag win 1 removed. Hence, the two games behave obviously equivalent. The game C corresponds to C 1 with the winning flag win replaced by a variable d guessing z. It is depicted in Figure 13. Note that sync 1 = 1 implies m = S[j, and thus m = z l for some length l > 0 (we use here that the empty bit-string is not in the message space). Hence, setting d to the first bit of m implies that the game is won, and is thus equivalent to setting the winning flag in C 1. The game C 3, as depicted in Figure 14, corresponds to C but with d initialized to 0 instead of giving an adversary a fifty percent chance of winning the game without setting the win flag. This makes C 3 a bit-guessing game. Observe that Pr AC 3 [win = 1 = Pr AC [win = 1 = Pr [ A C 1 and yielding Pr AC 3 [d = z win = 1 = Pr AC 3 [win = 1, Pr [ A C3 1 = Pr AC 3 [d = z = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 = Pr AC 3 [d = z win = 1 + Pr AC 3 [d = z win = 0 Pr AC 3 [win = 0 = Pr AC 3 [d = z win = 1 + 1 ( ) 1 Pr AC 3 [win = 1 = Pr [ A C 1 + 1 ( 1 Pr [ A C 1 ). Rewriting the last equation we obtain Pr [ A C 1 ( = Pr [ A C3 1 1 ). (6) 9
C 1 and C win 0 d if m sync 1 = 1 sync = 0 then win 1 return win return (d = z) Figure 13: The game C, where m(1) denotes the first bit of m. Note that sync = 1 implies m = S[j = z l for some l > 0 (since λ / M). Hence, we have win = 1 iff d = z. C and C 3 win 0 d d 0 if m sync 1 = 1 sync = 0 then win 1 return (d = z) Figure 14: The bit-guessing game C 3. Observe that in comparison to C, the adversary has a fifty percent chance of winning the game without managing to set the win flag. 10
C 3 and C 4 d 0 bad 0 if m sync 1 = 1 sync = 0 then if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 15: The game C 4, that introduces the bad flag. It behaves equivalent to C 3, however, since bad is an internal variable only. C 4 C 5 The game C 4, as depicted in Figure 15, corresponds to C 3 with a bad flag introduced. The two games behave obviously equivalent. The game C 5 is depicted in Figure 16 and is identical until bad to C 5. Hence, by the Fundamental Lemma of game-playing we have Pr [ A C4 1 Pr [ A C5 1 + Pr [ A C4 sets bad. (7) C 6 C 7 We defer bounding the probability of bad being set to the end of the proof and continue bounding Pr [ A C5 1. The game C 6, as depicted in Figure 17, is a version of C 5 with the internal bad flag removed. This, in addition, allows removing all code related to the sync 1 flag without altering the behavior. The game C 7 is depicted in Figure 18. First, compared to C 6 the Enc-oracle has slightly been rewritten without modifying the behavior. Then, in the VF-oracle, in case of sync = 1 we no longer but true. Since sync = 1 implies c = C[j, however, we have by correctness that m M and thus m. Moreover, if sync = 1, we then reset m to without affecting the behavior. Hence, C 7 and C 6 behave equivalently. Now, observe that C 7 can be easily reduced to IND-sfCCA Ψ, as shown in Figure 19. For every adversary A against C 7 we can build A against IND-sfCCA Ψ that works as follows: it internally runs A and for every query m of the Enc oracle it queries the LR oracle of IND-sfCCA Ψ with m 0 = 0 m and m 1 = 1 m. In addition, A keeps track whether A is still in sync, so that on a query c to the VF oracle by A it queries the decryption oracle on c and then replies correctly to A. Moreover, once it detects that A is out of sync and the ciphertext decrypted to a valid ciphertext, it uses the first bit of the decrypted message as the guess of z. It is now easy to see that Pr [ A C7 1 [ = Pr A IND-sfCCAΨ 1. (8) 11
C 4 and C 5 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 16: The game C 4 that is identical until bad to the game C 5. C 5 and C 6 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 return (d = z) Figure 17: The game C 6. Since bad is an internal variable only, removing this flag and all then unused code related to setting it does not affect the behavior. 1
C 6 and C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 18: The game C 7. Observe that in the VF oracle, if sync = 1, then we have c = C[j, which by correctness in turn implies that the cyphertext decrypts to the original message that is not equal to. Moreover, if sync = 1, then m is unused for the rest of the oracle call. C 7 d 0 m 0 0 m m 1 1 m c E(k, m z) if sync = 0 then m m m if m sync = 0 then if sync = 0 then return 1 return (d = z) Figure 19: The reduction from C 7 to IND-sfCCA Ψ. The lines with the blue shade and the solid border belong to the IND-sfCCA Ψ game, whereas the green shaded ones with the dashed border belong to the reductions. The uncolored lines are for bookkeeping that is replicated in both the IND-sfCCA Ψ game as well as the reduction. 13
Putting all together especially (6), (7), and (8) we obtain Pr [ A C0 1 = Pr [ A C1 1 = Pr [ A C 1 ( = Pr [ A C3 1 1 ) ( = Pr [ A C4 1 1 ) ( Pr [ A C5 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C6 1 + Pr [ A C4 sets bad 1 ) ( = Pr [ A C7 1 + Pr [ A C4 sets bad 1 ) ( [ = Pr A IND-sfCCAΨ 1 + Pr [ A C4 sets bad 1 ) = Adv IND-sfCCA Ψ,A + Pr [ A C4 sets bad. (9) It remains to bound Pr [ A C4 sets bad. To this end, consider the game B 0, depicted in Figure 0, which is identical to C 4 except that the winning condition is no longer win being set, but bad being set. Hence, by definition we have Pr [ A C4 sets bad = Pr [ A B0 1, and moreover, it is easy to see that both B 1 and B behaves equivalently as well, as seen in Figures 0 and 1. Finally, observe that B is almost identical to the game P 1 defined above, as shown in Figure. Thus, using (5) we obtain Pr [ A C4 sets bad [ = Pr A INT-sfPTXTΨ 3 1. (10) Combining (1), (3), (4), (5), (9), and (10) concludes the proof. 14
B 0 and B 1 d 0 bad 0 if m sync = 0 then if sync 1 = 1 then bad 1 if sync 1 = 0 then bad 1 return bad Figure 0: The games B 0 and B 1. The former is identical to C 4 except that in the finalization now the bad flag gets checked. Moreover, B 1 behaves equivalent to B 0, since d is unused. B 1 and B bad 0 if m sync = 0 then if sync 1 = 0 then bad 1 if m sync 1 = 0 then bad 1 return bad Figure 1: The game P. Note that by correctness sync 1 = 0 implies sync = 0, and thus removing the former check does not change the behavior. 15
B and P 1 bad 0 win 1 0 if m sync 1 = 0 then bad 1 win 1 1 return bad return win 1 m z m c E(k, m ) S[i m Figure : It is easy to verify that B is equivalent to the game P 1 that has already been defined above. 16
References [BKN04 [BN08 M. Bellare, T. Kohno, and C. Namprempre, Breaking and provably repairing the SSH authenticated encryption scheme, ACM Transactions on Information and System Security, vol. 7, no., pp. 06 41, 004. doi: 10.1145/996943. 996945. [Online. Available: https://eprint.iacr.org/00/078.pdf. M. Bellare and C. Namprempre, Authenticated encryption: Relations among notions and analysis of the generic composition paradigm, Journal of Cryptology, vol. 1, no. 4, pp. 469 491, 008. doi: 10.1007/s00145-008-906-x. [Online. Available: https://cseweb.ucsd.edu/%7b~%7dmihir/papers/oem. pdf. 17