\documentclass[11pt]{article}
\usepackage{amssymb,amsmath,amsthm,url}
\usepackage{graphicx}
%uncomment to get hyperlinks
%\usepackage{hyperref}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%Some macros (you can ignore everything until "end of macros")
\def\class{0}
\topmargin 0pt \advance \topmargin by -\headheight \advance
\topmargin by -\headsep
\textheight 8.9in
\oddsidemargin 0pt \evensidemargin \oddsidemargin \marginparwidth
0.5in
\textwidth 6.5in
%%%%%%
\newcommand{\getsr}{\gets_{\mbox{\tiny R}}}
\newcommand{\bits}{\{0,1\}}
\newcommand{\Ex}{\mathbb{E}}
\newcommand{\To}{\rightarrow}
\newcommand{\e}{\epsilon}
\newcommand{\R}{\mathbb{R}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\maxpr}{\text{\rm max-pr}}
\newenvironment{summary}{\begin{quote}\textbf{Summary.}}{\end{quote}}
\newtheorem{theorem}{Theorem}
\newtheorem{axiom}{Axiom}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{corollary}[theorem]{Corollary}
\theoremstyle{definition}
\newtheorem{exercise}{Exercise}
\newtheorem{definition}[theorem]{Definition}
\newcommand{\sstart}{\triangleright}
\newcommand{\send}{\triangleleft}
\newcommand{\cclass}[1]{\mathbf{#1}}
\renewcommand{\P}{\cclass{P}}
\newcommand{\NP}{\cclass{NP}}
\newcommand{\Time}{\cclass{Time}}
\newcommand{\BPP}{\cclass{BPP}}
\newcommand{\Size}{\cclass{Size}}
\newcommand{\Ppoly}{\cclass{P_{/poly}}}
\newcommand{\CSAT}{\ensuremath{\mathsf{CSAT}}}
\newcommand{\SAT}{\ensuremath{\mathsf{3SAT}}}
\newcommand{\IS}{\mathsf{INDSET}}
\newcommand{\poly}{\mathrm{poly}}
\newcommand{\inp}{\mathsf{in}}
\newcommand{\outp}{\mathsf{out}}
\newcommand{\Adv}{\mathsf{Adv}}
\newcommand{\Supp}{\mathsf{Supp}}
\newcommand{\dist}{\Delta}
\newcommand{\indist}{\approx}
\newcommand{\PRG}{\mathsf{G}}
\newcommand{\Gen}{\mathsf{Gen}}
\newcommand{\Enc}{\mathsf{E}}
\newcommand{\Dec}{\mathsf{D}}
\newcommand{\Com}{\mathsf{C}}
\newcommand{\Sign}{\mathsf{Sign}}
\newcommand{\Ver}{\mathsf{Ver}}
\newcommand{\eqdef}{\stackrel{\text{\tiny def}}{=}}
\newcommand{\set}[1]{ \{ #1 \} }
\newcommand{\cF}{\mathcal{F}}
\newcommand{\angles}[1]{\langle #1 \rangle}
\newcommand{\iprod}[1]{\angles{#1}}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
% end of macros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title{Lecture 16 - CCA Security}
\author{Boaz Barak}
\begin{document}
\maketitle
{ \ifnum\class=1 \fontsize{14pt}{16pt} \selectfont \fi
\begin{description}
\item[Reading] Boneh-Shoup 12.1,12.2,12.3,12.6
\item[Review - hardcore bits]
\item[Key exchange] Suppose we have the following situation:
Alice wants to buy something from the well-known
website Bob.com.
Since they will exchange private information (Alice's
credit card, address etc.) they want to use encryption.
However, they do not share a key between them.
\item[Using a key exchange protocol.] It seems that we
already learned a protocol to do that: Alice and Bob
can run a \emph{key exchange protocol}. One such
protocol is the Diffie-Hellman protocol, but they
can also run the following RSA-based protocol:
\begin{description}
\item[$A \leftarrow B$] Bob chooses a pair of RSA
keys $(e,d)$ and sends $e$ to Alice.
\item[$A \rightarrow B$] Alice chooses a key $k
\getsr \bits^n$ and sends $\Enc_e(k)$ to Bob.
\item[$A \leftrightarrows B$] Bob and Alice now
continue their interaction using the
shared secret key $k$.
\end{description}
\item[Insecurity of the basic key exchange protocol.] This
protocol is secure against a \emph{passive /
eavesdropping} adversary, but it is not secure
against an \emph{active} adversary. Indeed, a
man-in-the-middle Charlie can play Bob to Alice and
Alice to Bob. That is, Charlie will receive $(e,d)$
from Bob but will not pass this on to Alice. Rather
he will choose his own RSA pair $(e',d')$ and send
$e'$ to Alice. Alice will then send $\Enc_{e'}(k)$
to Charlie. Charlie can decrypt to find $k$ and then
send $\Enc_e(k)$ to Bob.\footnote{He can also
choose his own key $k'$ and send $\Enc_e(k')$ to
Bob.} From now on Charlie will be able to listen in
to all of Alice and Bob's communication.
\item[Obvious fix.] This attack is inherent: if Bob
and Alice know nothing about each other, then
of course Charlie can impersonate each of them to the
other. However, we are in a setting where Bob is a
well-known web site, and hence we can assume that
Alice already has Bob's public key. This prevents
this particular attack, but it is not clear that the
resulting protocol is secure.
\item[Example: SSL protocol.] The SSL protocol is the
most widely used protocol for such transactions
(it is the protocol used to access encrypted web
sites, and is the standard for all transactions
involving credit cards, etc.). However, in V3.0, the
heart of the protocol was the following interaction:
\begin{itemize}
\item The client sends $\Enc_e(k)$ to the server, where
$\Enc_e(\cdot)$ is padded RSA according to the
standard PKCS \#1 V1.5 (a scheme believed to be
semantically secure).
\item The server checks that the decryption is formatted
according to the standard; if not, it sends \texttt{invalid
decryption}, and if so, it uses $k$ as the key.
\end{itemize}
The padding scheme is the following: if $\{ f_e \}$ is
the RSA trapdoor permutation collection, then to encrypt
$x$ choose $r$ to be a random string (of length at least
$8$ bytes) conditioned on not having any zero byte, and
let $x' = 0\circ 2 \circ r \circ 0 \circ x$. Define the
function $\mathsf{PKCS}(x')$ to output $1$ iff $x'$ is of this
form. For a random $x'$, the probability that
$\mathsf{PKCS}(x')=1$ is about $2^{-16}$.
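The padding just described, together with the predicate $\mathsf{PKCS}(\cdot)$, as an added Python example that is not part of these notes or of any SSL implementation (the function names are my own, and \texttt{prob\_random\_conforming} gives the exact figure for a given modulus length that the text rounds to $2^{-16}$):

```python
"""Added example: PKCS#1 v1.5 "type 2" padding and the predicate PKCS(x')
from the lecture, i.e. x' = 00 || 02 || r || 00 || x with r at least 8
non-zero bytes.  Function names are this example's own (hypothetical)."""
import os

MIN_PAD_LEN = 8  # minimum length of the random padding string r


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build x' = 00 || 02 || r || 00 || msg of exactly k bytes, where r is
    a random string of non-zero bytes (rejection-sampled from os.urandom)."""
    pad_len = k - 3 - len(msg)
    if pad_len < MIN_PAD_LEN:
        raise ValueError("message too long for this modulus size")
    r = bytearray()
    while len(r) < pad_len:
        b = os.urandom(1)
        if b != b"\x00":          # r must not contain a zero byte
            r += b
    return b"\x00\x02" + bytes(r) + b"\x00" + msg


def pkcs_conforming(x: bytes) -> bool:
    """PKCS(x'): True iff x' = 00 02 r 00 x with |r| >= 8 and no zero byte in r.
    This yes/no outcome is exactly what the server in the text leaks through
    its 'invalid decryption' error message."""
    if len(x) < MIN_PAD_LEN + 3 or x[0] != 0x00 or x[1] != 0x02:
        return False
    try:
        sep = x.index(0x00, 2)    # first zero byte after the 00 02 header
    except ValueError:
        return False              # no separator: not of the required form
    return sep - 2 >= MIN_PAD_LEN  # everything between header and separator is r


def pkcs1_v15_unpad(x: bytes) -> bytes:
    """Recover x from a conforming x'; raise on anything else."""
    if not pkcs_conforming(x):
        raise ValueError("invalid decryption")
    return x[x.index(0x00, 2) + 1:]


def prob_random_conforming(k: int) -> float:
    """Exact probability that a uniformly random k-byte string passes
    pkcs_conforming: header 00 02 (2^-16), eight non-zero bytes, and at
    least one zero byte among the remaining k - 10 positions."""
    p_nonzero = 255 / 256
    return 2 ** -16 * p_nonzero ** MIN_PAD_LEN * (1 - p_nonzero ** (k - 10))
```

For a 1024-bit modulus ($k = 128$) the exact probability is roughly $0.36 \cdot 2^{-16}$, which is the "about $2^{-16}$" of the text.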
In a surprising paper, Bleichenbacher proved that the
function $\mathsf{PKCS}(\cdot)$ is a kind of \emph{hard-core}
function of RSA.\footnote{Actually, there were several
previous results about very related hard-core functions
for RSA, but people always thought about these results
as establishing theoretical security and not practical
insecurity.} That is, he showed that if you have an
oracle that, given $y$, outputs $1$ iff
$\mathsf{PKCS}(f^{-1}_e(y))=1$, then you can use it to invert the
one-way permutation $f_e(\cdot)$ using not too many
queries. It follows that the SSL protocol is insecure, since
an attacker can open as many sessions with the server as
it likes, essentially using the server as this oracle.
(Note that no matter what happens later in the protocol,
once the attacker has received this error message, she has
the response she needed, even if the server aborts
later.)
\noindent\textbf{Reflection:} In retrospect, it should
have been clear that it is a bad idea to use a scheme
that is only CPA secure rather than a CCA secure one. In
fact, if the designers of SSL had tried to \emph{prove}
security of their protocol, they would have seen that
CCA security (or a close variant) is an essential condition for
such a proof to go through.
More details on the actual SSL protocol appear in the BS book. Some other attacks on SSL include the Goldberg-Wagner
attack on the pseudorandom generation, the version-rollback attack, the protocol-changing attack, and variations/extensions of
the Bleichenbacher attack.
\item[Constructions of CCA secure public key encryption] Constructing CCA secure public key encryption is more
challenging than the private key case. In this lecture we'll do so only in the random oracle model. We start
with a CPA secure scheme in the random oracle model (we've already seen such an encryption scheme, but this one has
some efficiency advantages over the Goldreich-Levin hardcore-based one).
\end{description}
}
\end{document}