
Given: F is a pseudorandom function, G is a pseudorandom generator with $l(n) = n+1$. The following schemes should be classified as being insecure, IND-COA secure, IND-CPA secure.

  1. To encrypt $m \in \{0, 1\}^{n+1}$ choose a random $r \leftarrow \{0, 1\}^n$ and output $[r, G(r) \oplus m]$

  2. To encrypt $m \in \{0, 1\}^{n}$ output $m \oplus F_k(0^n)$

  3. To encrypt $m \in \{0, 1\}^{2n}$ choose a random $r \leftarrow \{0, 1\}^n$ and send $[r, m \oplus (F_k(r) \; | \; F_k(r + 1))]$

My guesses are that:

  1. Insecure, since an attacker A is not only given the ciphertext c, but also the key $r$ with which the message was encrypted. Thus, it can easily decrypt the ciphertext.

  2. I would say that it's not IND-CPA secure, since it's deterministic. But how can I prove/determine whether it's IND-COA secure? I would usually do a proof by contraposition, but I don't know how to start.

  3. I have no idea whether this scheme is IND-COA or IND-CPA secure, since I don't know whether $(F_k(r) \; | \; F_k(r + 1))$ is a pseudorandom function.

Any hints or ideas? I appreciate any help!

Lemon
  • "Could A maybe learn [...] how the generator G works?" Under Kerckhoffs's principle, information about the algorithms used is assumed to be public and available to attackers. – Tim McLean Dec 15 '15 at 21:33
  • In 2 and 3, where does $k$ come from? – fkraiem Dec 15 '15 at 21:47
  • @user595228: I just realized that myself and have changed the question accordingly! – Lemon Dec 16 '15 at 08:03
  • @fkraiem: k is chosen uniformly at random, $k \in \{0,1\}^n$ – Lemon Dec 16 '15 at 08:06
  • Then certainly 2 is not deterministic. However, how does the recipient decrypt? Is $k$ pre-shared? – fkraiem Dec 16 '15 at 08:07
  • Ok. But it's still not IND-CPA secure, right? If I understood PRF's correctly, $k$ is chosen, fixed and then the n-bit input is mapped to an n-bit output. In our case the input is fixed, since it's always $0^n$. – Lemon Dec 16 '15 at 08:14
  • $k$ is fixed, actually, since it is the key. So yes, 2 is deterministic. – fkraiem Dec 16 '15 at 08:15
  • Now I'm confused. So my initial guess that it's deterministic and therefore not CPA-secure is right? But what about the IND-COA security then? – Lemon Dec 16 '15 at 08:17
  • Yes, you were correct, sorry. Then it is not COA secure either. And for 3, yes, $F_k(r) | F_k(r+1)$ is pseudorandom, since if $f$ is a true random function, $f(r)$ and $f(r+1)$ are independently distributed. (This is basically a block cipher in CTR mode.) – fkraiem Dec 16 '15 at 08:22
  • @fkraiem: Could you explain why it's not COA secure? Isn't the output of Fk(0n) still pseudorandom? So how could an attacker distinguish the encryption of one message from another? – Lemon Dec 16 '15 at 08:48
  • Do you define "COA secure" for a single message or multiple messages? For a single message, yes, it is secure. – fkraiem Dec 16 '15 at 08:49
  • In our case IND-COA security is defined with respect to the eavesdropping indistinguishability experiment. So the attacker $A$ outputs two messages $m_0, m_1$ and receives back the encryption of one of them. $A$ then guesses which of the messages was encrypted. If its advantage in winning the game is negligible (i.e. $A$'s success probability is only negligibly greater than $\frac{1}{2}$), the scheme is IND-COA secure. – Lemon Dec 16 '15 at 08:59
  • Okay, single messages then. – fkraiem Dec 16 '15 at 09:04
  • Sorry, I'm still new to this stuff and need a bit longer to figure it out. Is my reasoning right that it's COA secure since the output of $F_k(0^n)$ is pseudorandom and therefore, $A$ cannot distinguish the encryption of $m_0$ from the encryption of $m_1$? If I understood it correctly this would change (as you said) if we had access to $F_k(\cdot)$ since we could just request the encryption of both $m_0, m_1$ and compare it to the challenge ciphertext. As the encryption is deterministic, the encryption of e.g. $m_0$ would always correspond to the same ciphertext. Correct? – Lemon Dec 16 '15 at 09:11

2 Answers

  1. This scheme does not have indistinguishable encryptions since the encryption function does not use the key, so an adversary can run the decryption function in the same way as the intended recipient.

  2. This scheme is not CPA-secure because it is deterministic (so it does not even have indistinguishable encryptions for multiple messages). To show that it has indistinguishable encryptions for a single message, we first note that if $f$ is a random function, $f(0^n)$ is uniformly distributed and we get a one-time pad. Now, if a distinguisher $D$ can distinguish $m_0\oplus F_k(0^n)$ from $m_1\oplus F_k(0^n)$, we can distinguish $F_k$ from a random function as follows. A distinguisher $D'$ chooses at random $b\in \{0,1\}$ and runs $D$ on $m_b\oplus O_{D'}(0^n)$. $D'$ outputs $1$ if $D$ answers correctly, and $0$ otherwise. If $O_{D'}$ is a true random function, $D$ answers correctly with probability exactly $1/2$. On the other hand, if $O_{D'}$ is $F_k$ for a uniformly chosen $k$, then by hypothesis $D$ answers correctly with probability non-negligibly higher than $1/2$, which translates to a distinguishing advantage for $D'$.

  3. This scheme is CPA-secure, try to apply the idea of the previous one to transform a distinguisher for the encryption scheme into a distinguisher for $F$.

fkraiem
  • I don't see how 2. proves that the scheme is COA secure for a single message. Don't I have to explain somehow, that I can't distinguish $F_k$ from a truly random function? Otherwise I don't get a contradiction in the proof. – Lemon Dec 16 '15 at 09:49
  • The point is that if you can distinguish encryptions, then you can distinguish $F_k$ from a true random function, which contradicts the hypothesis that it is pseudorandom. – fkraiem Dec 16 '15 at 09:52
  • Now I get it. Thanks! I learned a lot from this discussion. – Lemon Dec 16 '15 at 09:58
> 1. Insecure, since an attacker A is not only given the ciphertext $c$, but also the key $r$ with which the message was encrypted. Thus, it can easily decrypt the ciphertext.

Correct, there is no encryption here.

> 2. I would say that it's not IND-CPA secure, since it's deterministic. Is that true? And how can I prove/determine whether it's IND-COA secure? I would usually do proof by contraposition, but I don't know how to start.

Since it is deterministic, it cannot be IND-CPA, but it is worse than that. This is at least as insecure as the many-time pad. Every message encrypted with the same key is XORed with the same value.

> 3. I have no idea whether this scheme is IND-COA or IND-CPA secure, since I don't know whether $(F_k(r) \; | \; F_k(r + 1))$ is a pseudorandom function.

This is equivalent to using CTR mode with $F_k$ as a PRF, which is IND-CPA secure (and thus COA).

otus
  • But even the many-time pad is secure in the IND-COA game (as described in the comments). What this actually shows: How bad the IND-COA definition is. – tylo Nov 04 '16 at 17:40
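The following is an added, stand-alone illustration of the three schemes and of the experiments that both answers talk about; it is constructed example code, not code from the question or from either answer. HMAC-SHA256 stands in for the abstract PRF $F$ and SHA-256 for the PRG $G$ with $l(n) = n+1$, and the security parameter $n$ is counted in bytes rather than bits so the ciphertexts stay readable. The `replay_adversary` is the textbook CPA attacker against a deterministic scheme (query $\mathrm{Enc}_k(m_0)$ first, then compare with the challenge), and `many_time_pad_leak` shows the multi-message weakness of scheme 2 that otus's answer points out.

```python
import hashlib
import hmac
import secrets

# Security parameter n, here counted in bytes rather than bits. Everything below
# is a constructed stand-in for the abstract primitives of the question.
N = 16


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def F(k: bytes, x: bytes) -> bytes:
    """PRF F_k: n bytes -> n bytes, instantiated with HMAC-SHA256 truncated to n bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def G(r: bytes) -> bytes:
    """PRG G: n bytes -> n+1 bytes (l(n) = n+1), instantiated with SHA-256."""
    return hashlib.sha256(b"G|" + r).digest()[:N + 1]


# Scheme 1: [r, G(r) xor m]. There is no key at all; r travels with the ciphertext.
def enc1(m: bytes) -> bytes:
    r = secrets.token_bytes(N)
    return r + xor(G(r), m)


def eavesdropper_decrypt1(c: bytes) -> bytes:
    """Anyone who sees c recovers m: r is in the clear and G is public."""
    r, body = c[:N], c[N:]
    return xor(G(r), body)


# Scheme 2: m xor F_k(0^n). Deterministic: one key, one pad, for every message.
def enc2(k: bytes, m: bytes) -> bytes:
    return xor(m, F(k, bytes(N)))


# Scheme 3: [r, m xor (F_k(r) | F_k(r+1))], i.e. CTR mode with two blocks.
def keystream3(k: bytes, r: bytes) -> bytes:
    r_plus_1 = ((int.from_bytes(r, "big") + 1) % (1 << (8 * N))).to_bytes(N, "big")
    return F(k, r) + F(k, r_plus_1)


def enc3(k: bytes, m: bytes) -> bytes:
    r = secrets.token_bytes(N)
    return r + xor(m, keystream3(k, r))


def dec3(k: bytes, c: bytes) -> bytes:
    r, body = c[:N], c[N:]
    return xor(body, keystream3(k, r))


# The IND-CPA experiment from the question: the adversary gets an encryption
# oracle, names m0 and m1, receives Enc_k(m_b) and must output b. Returns the
# adversary's empirical success rate over `trials` independent keys.
def ind_cpa_game(enc, adversary, trials: int = 400) -> float:
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(N)
        oracle = lambda m, k=k: enc(k, m)
        b = secrets.randbelow(2)
        m0, m1, guess = adversary(oracle)
        wins += guess(oracle((m0, m1)[b])) == b
    return wins / trials


def replay_adversary(mlen: int):
    """Queries Enc(m0) before the challenge and checks whether the challenge
    repeats it. Wins with certainty against any deterministic scheme."""
    def adversary(oracle):
        m0, m1 = bytes(mlen), bytes([0xFF]) * mlen
        c0 = oracle(m0)
        return m0, m1, (lambda c: 0 if c == c0 else 1)
    return adversary


def many_time_pad_leak(k: bytes, m0: bytes, m1: bytes) -> bytes:
    """Scheme 2 leaks m0 xor m1 from two ciphertexts under the same key."""
    return xor(enc2(k, m0), enc2(k, m1))


if __name__ == "__main__":
    k = secrets.token_bytes(N)
    m = b"attack at dawn!!"  # constructed 16-byte sample message
    print(eavesdropper_decrypt1(enc1(m + b"!")) == m + b"!")  # scheme 1: True, no key needed
    print(ind_cpa_game(enc2, replay_adversary(N)))            # scheme 2: 1.0
    print(ind_cpa_game(enc3, replay_adversary(2 * N)))        # scheme 3: about 0.5
    print(dec3(k, enc3(k, m * 2)) == m * 2)                   # scheme 3 decrypts correctly
```

The success rate of 1.0 against scheme 2 is exactly the "deterministic, therefore not IND-CPA" observation, and `many_time_pad_leak` is the two-message COA break (the XOR of two ciphertexts equals the XOR of the two plaintexts). The rate of about 0.5 against scheme 3 is consistent with its CPA security but is not a proof of it: the actual argument is the reduction in fkraiem's answer, which turns any distinguisher for the scheme into a distinguisher for $F$, and no experiment against one fixed adversary can substitute for that.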