AUTHENTICATED ENCRYPTION

So Far ...

We have looked at methods to provide privacy and integrity/authenticity separately:

| Goal | Primitive | Security notions |
|---|---|---|
| Data privacy | symmetric encryption | IND-CPA, IND-CCA |
| Data integrity/authenticity | MA scheme/MAC | UF-CMA, SUF-CMA |

Authenticated Encryption

In practice we often want both privacy and integrity/authenticity.

Example: A doctor wishes to send medical information $M$ about Alice to the medical database. Then
• We want data privacy to ensure Alice's medical records remain confidential.
• We want integrity/authenticity to ensure the person sending the information is really the doctor and the information was not modified in transit.

We refer to this as authenticated encryption.

Authenticated Encryption Schemes

Syntactically, an authenticated encryption scheme is just a symmetric encryption scheme $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ where

Privacy of Authenticated Encryption Schemes

The notions of privacy for symmetric encryption carry over:
• IND-CPA
• IND-CCA

Integrity of Authenticated Encryption Schemes

Adversary's goal is to get the receiver to accept a "non-authentic" ciphertext $C$.

Two possible interpretations of "non-authentic":
• Integrity of plaintexts: $M = \mathcal{D}_K(C)$ was never encrypted by the sender
• Integrity of ciphertexts: $C$ was never transmitted by the sender

INT-PTXT

Let $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme and $A$ an adversary.

$$
\begin{array}{l}
\textbf{Game } \mathrm{INTPTXT}_{\mathcal{AE}} \\[4pt]
\textbf{procedure Initialize} \\
\quad K \xleftarrow{\$} \mathcal{K};\ S \leftarrow \emptyset \\
\textbf{procedure Enc}(M) \\
\quad C \xleftarrow{\$} \mathcal{E}_K(M) \\
\quad S \leftarrow S \cup \{M\} \\
\quad \textbf{return } C \\
\textbf{procedure Dec}(C) \\
\quad M \leftarrow \mathcal{D}_K(C) \\
\quad \textbf{if } (M \notin S \wedge M \neq \bot) \textbf{ then } \mathrm{win} \leftarrow \mathrm{true} \\
\quad \textbf{return } \mathrm{win} \\
\textbf{procedure Finalize} \\
\quad \textbf{return } \mathrm{win}
\end{array}
$$

The int-ptxt advantage of $A$ is

$$\mathbf{Adv}^{\text{int-ptxt}}_{\mathcal{AE}}(A) = \Pr\left[\mathrm{INTPTXT}^{A}_{\mathcal{AE}} \Rightarrow \mathrm{true}\right]$$

INT-CTXT

Let $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ be a symmetric encryption scheme and $A$ an adversary.

$$
\begin{array}{l}
\textbf{Game } \mathrm{INTCTXT}_{\mathcal{AE}} \\[4pt]
\textbf{procedure Initialize} \\
\quad K \xleftarrow{\$} \mathcal{K};\ S \leftarrow \emptyset \\
\textbf{procedure Enc}(M) \\
\quad C \xleftarrow{\$} \mathcal{E}_K(M) \\
\quad S \leftarrow S \cup \{C\} \\
\quad \textbf{return } C \\
\textbf{procedure Dec}(C) \\
\quad M \leftarrow \mathcal{D}_K(C) \\
\quad \textbf{if } (C \notin S \wedge M \neq \bot) \textbf{ then } \mathrm{win} \leftarrow \mathrm{true} \\
\quad \textbf{return } \mathrm{win} \\
\textbf{procedure Finalize} \\
\quad \textbf{return } \mathrm{win}
\end{array}
$$

The int-ctxt advantage of $A$ is

$$\mathbf{Adv}^{\text{int-ctxt}}_{\mathcal{AE}}(A) = \Pr\left[\mathrm{INTCTXT}^{A}_{\mathcal{AE}} \Rightarrow \mathrm{true}\right]$$

INT-CTXT ⇒ INT-PTXT

If $\mathcal{AE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is INT-CTXT secure then it is also INT-PTXT secure.

Why? Suppose $A$ makes Enc queries $M_1, \ldots, M_q$ resulting in ciphertexts

$$C_1 \xleftarrow{\$} \mathcal{E}_K(M_1),\ \ldots,\ C_q \xleftarrow{\$} \mathcal{E}_K(M_q)$$

Suppose $A$ makes query $\mathrm{Dec}(C)$, and let $M = \mathcal{D}_K(C)$.

Fact: $M \notin \{M_1, \ldots, M_q\} \Rightarrow C \notin \{C_1, \ldots, C_q\}$

So if $A$ wins $\mathrm{INTPTXT}_{\mathcal{AE}}$ it also wins $\mathrm{INTCTXT}_{\mathcal{AE}}$.

Theorem: For any adversary $A$,

$$\mathbf{Adv}^{\text{int-ptxt}}_{\mathcal{AE}}(A) \leq \mathbf{Adv}^{\text{int-ctxt}}_{\mathcal{AE}}(A)$$

...
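The two integrity games above can be run as code. The following Python sketch is an added example, not part of the original slides: it plays both games against a toy Encrypt-then-MAC scheme and against a variant whose ciphertext carries one byte that decryption ignores, which shows the theorem's inequality can be strict. The names `EtM`, `keystream`, `play` and `flip_last_byte`, the HMAC-based keystream and the sample message are all assumptions made for illustration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy stream cipher: HMAC-SHA256 as a PRF in counter mode (illustration only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class EtM:
    """Encrypt-then-MAC. With pad_byte=True, E appends a byte that D ignores."""
    def __init__(self, pad_byte=False):
        self.ke, self.km, self.pad = os.urandom(32), os.urandom(32), pad_byte

    def tag(self, body):
        return hmac.new(self.km, body, hashlib.sha256).digest()

    def enc(self, m):
        nonce = os.urandom(16)
        body = nonce + xor(m, keystream(self.ke, nonce, len(m)))
        return body + self.tag(body) + (b"\x00" if self.pad else b"")

    def dec(self, c):
        if self.pad:
            c = c[:-1]                      # the ignored byte is never checked
        body, tag = c[:-32], c[-32:]
        if len(c) < 48 or not hmac.compare_digest(tag, self.tag(body)):
            return None                     # None stands for the reject symbol
        return xor(body[16:], keystream(self.ke, body[:16], len(body) - 16))

def play(scheme, adversary, game):
    """Run game 'ptxt' (S holds messages) or 'ctxt' (S holds ciphertexts)."""
    S, st = set(), {"win": False}
    def Enc(m):
        c = scheme.enc(m)
        S.add(m if game == "ptxt" else c)
        return c
    def Dec(c):
        m = scheme.dec(c)
        if m is not None and (m if game == "ptxt" else c) not in S:
            st["win"] = True
        return st["win"]
    adversary(Enc, Dec)
    return st["win"]                        # Finalize

def flip_last_byte(Enc, Dec):
    # Constructed adversary: one Enc query, then Dec on a one-bit-modified ciphertext.
    c = Enc(b"medical record M for Alice")
    Dec(c[:-1] + bytes([c[-1] ^ 1]))
```

Against `EtM()` the adversary loses both games because the modified tag is rejected. Against `EtM(pad_byte=True)` it wins the ciphertext game with a new ciphertext that decrypts to an already-encrypted message, so it does not win the plaintext game.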
 Winter '08
 daniele
 Cryptography, Block cipher, Block cipher modes of operation, ek