Cryptography Lecture 12–13

The professor first answered some organizational questions about the midterm.

The midterm exam will look like a normal exam, but shorter. Instead of the two hours available for the main exam, the midterm is compressed to one hour.

The registration for the midterm exams has been opened. The professor recommends taking the first date if possible.

There is no option to take both midterm exams just to improve the grade. The second date is only for students who either

1. were prevented from taking the first midterm, or
2. failed the first midterm.

So students technically have two shots, but only under these conditions.

The professor also asked students not to register for both dates, because this would complicate room planning. For the first date, they are planning with two lecture halls.

The midterm is one hour long, but it takes place inside a two-hour lecture slot. The exam will probably not start exactly at the beginning of the slot. It may start around 15–30 minutes into the slot, so that everyone can find their seat.

The professor then continued from the previous lecture.

The previous topic was authentication. Authentication was motivated as a security goal different from secrecy.

Encryption protects message privacy, but it does not necessarily protect message integrity. An attacker may be unable to learn the plaintext, but may still be able to modify the ciphertext so that the receiver obtains a modified message.

The formal security notion for message authentication codes was introduced via the

\[ \mathsf{EUF\text{-}CMA} \]

experiment.

The acronym means:

\[ \mathsf{EUF} = \text{existential unforgeability}, \]

and

\[ \mathsf{CMA} = \text{chosen-message attack}. \]

The first part describes the adversary’s goal: it wants to produce some valid forgery.

The second part describes the adversary’s resources: it is allowed to query a MAC oracle on messages of its choice.

A message authentication code consists of three algorithms:

\[ (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Verify}). \]

• \(\mathsf{Gen}(1^\lambda)\) generates a secret key \(K\).
• \(\mathsf{Mac}(K,m)\) produces an authentication tag \(t\).
• \(\mathsf{Verify}(K,m,t)\) checks whether \(t\) is a valid tag for \(m\).

Correctness requires that honestly generated tags verify:

\[ \Pr[ \mathsf{Verify}(K,m,\mathsf{Mac}(K,m)) = 1 ] = 1, \]

where

\[ K \leftarrow \mathsf{Gen}(1^\lambda). \]

In the EUF-CMA experiment, the adversary \(\mathcal A\) may query messages

\[ m_1,\dots,m_q \]

to a MAC oracle and receive tags

\[ t_i = \mathsf{Mac}(K,m_i). \]

At the end, it outputs a candidate forgery

\[ (m^*,t^*). \]

The adversary wins if

\[ m^* \notin \{m_1,\dots,m_q\} \]

and

\[ \mathsf{Verify}(K,m^*,t^*) = 1. \]

So the adversary must authenticate a new message.

The MAC is EUF-CMA secure if every PPT adversary wins only with negligible probability.

Formally, for every PPT adversary \(\mathcal A\), there exists a negligible function \(\nu\) such that for all \(\lambda \in \mathbb N\),

\[ \Pr[ \mathsf{EUF\text{-}CMA}_{\mathcal A}(\lambda)=1 ] < \nu(\lambda). \]

The stronger notion is

\[ \mathsf{sEUF\text{-}CMA}. \]

In this experiment, the adversary wins if it outputs a valid pair

\[ (m^*,t^*) \]

such that

\[ (m^*,t^*) \notin \{(m_1,t_1),\dots,(m_q,t_q)\}. \]

Thus, even if \(m^*\) was queried before, the adversary may still win if it finds a different valid tag for the same message.

So the difference is:

\[ \mathsf{EUF\text{-}CMA}: m^* \text{ must be new}, \]

whereas

\[ \mathsf{sEUF\text{-}CMA}: (m^*,t^*) \text{ must be new}. \]

Strong unforgeability is important later for constructing chosen-ciphertext secure encryption.

The previous lecture also introduced the standard construction of MACs from pseudorandom functions.

Let

\[ \mathsf{PRF}:\{0,1\}^{\lambda} \times \{0,1\}^{n} \to \{0,1\}^{\lambda} \]

be a pseudorandom function.

For fixed-length messages \(m \in \{0,1\}^n\), define:

\[ \mathsf{Gen}(1^\lambda): K \leftarrow_{\$} \{0,1\}^{\lambda}. \]

\[ \mathsf{Mac}(K,m): t := \mathsf{PRF}(K,m). \]

\[ \mathsf{Verify}(K,m,t): \text{ output }1 \text{ iff } t=\mathsf{PRF}(K,m). \]

This construction has canonical verification: to verify a tag, recompute the expected tag and compare.

The theorem from the previous lecture was:

If \(\mathsf{PRF}\) is a secure pseudorandom function, then the above construction is a strongly EUF-CMA secure MAC.

The construction above is for fixed-length messages.

One possible extension would be to use a PRF with domain

\[ \{0,1\}^* \]

instead of

\[ \{0,1\}^n. \]

Then the PRF could directly authenticate arbitrary-length messages.

However, in practice this would be slow. PRFs are a central workhorse in symmetric-key cryptography, but they are also relatively expensive. Therefore, we want to minimize the number of PRF calls.

This motivates a simpler domain-extension method for MACs.

The idea is to use a collision-resistant hash function.

Let

\[ H_s:\{0,1\}^* \to \{0,1\}^{\lambda} \]

be a collision-resistant hash function.

Let

\[ \mathsf{MAC} = (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

be a MAC for messages of length \(\lambda\).

We construct a new MAC

\[ \mathsf{MAC}' = (\mathsf{Gen}',\mathsf{Mac}',\mathsf{Verify}') \]

for arbitrary-length messages.

The theorem is:

If \(H\) is collision-resistant and

\[ \mathsf{MAC} = (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

is a strongly EUF-CMA secure MAC, then

\[ \mathsf{MAC}' = (\mathsf{Gen}',\mathsf{Mac}',\mathsf{Verify}') \]

is also strongly EUF-CMA secure.

The professor noted that the strong part is optional in the following sense:

• If the underlying MAC is EUF-CMA secure, then the resulting MAC is EUF-CMA secure.
• If the underlying MAC is strongly EUF-CMA secure, then the resulting MAC is strongly EUF-CMA secure.

The proof is by contraposition.

As usual in computational cryptography, the idea is:

Assume there exists a PPT adversary \(\mathcal A\) that breaks the constructed MAC \(\mathsf{MAC}'\) with non-negligible probability. Then use \(\mathcal A\) to break one of the assumptions.

The construction has two ingredients:

1. the collision-resistant hash function \(H\);
2. the underlying MAC.

So there are two possible failure modes.

The professor introduced a modified experiment \(X'\).

The original EUF-CMA experiment for \(\mathsf{MAC}'\) accepts if

\[ m^* \notin \{m_1,\dots,m_q\} \]

and

\[ \mathsf{Verify}'(K,m^*,t^*)=1. \]

The modified experiment \(X'\) makes the adversary’s life harder. It additionally requires that the forgery does not collide under the hash function with any previous query:

\[ H_s(m^*) \neq H_s(m_i) \quad \text{for all } i \in \{1,\dots,q\}. \]

So the winning condition in \(X'\) is:

\[ m^* \notin \{m_1,\dots,m_q\}, \]

\[ \mathsf{Verify}'(K,m^*,t^*)=1, \]

and

\[ H_s(m^*) \neq H_s(m_i) \quad \forall i. \]

Clearly, winning \(X'\) implies winning the original EUF-CMA experiment.

But an adversary may win the original experiment without winning \(X'\), namely by using a hash collision.

The professor’s intended claim is:

If \(H\) is collision-resistant, then

\begin{equation*} \Pr[\mathcal A \text{ wins EUF-CMA against } \mathsf{MAC}'] - \Pr[\mathcal A \text{ wins } X'] \end{equation*}

is negligible.

Equivalently,

\begin{equation*} \Pr[\mathcal A \text{ wins } X'] \ge \Pr[\mathcal A \text{ wins EUF-CMA}] - \mathsf{negl}(\lambda). \end{equation*}

The professor explicitly corrected the inequality direction during the lecture.

The reason is:

The only way for the adversary to win EUF-CMA but not \(X'\) is to output \(m^*\) such that

\[ H_s(m^*) = H_s(m_i) \]

for some previous query \(m_i\), while

\[ m^* \neq m_i. \]

That is exactly a hash collision.

So if the difference between the two probabilities were non-negligible, we could build a collision-finding adversary against \(H\).

Now assume the adversary wins \(X'\) with non-negligible probability.

We build an adversary \(\mathcal A''\) against the underlying MAC.

The reduction works as follows.

When \(\mathcal A\) asks a MAC query \(m_i\), the reduction computes

\[ h_i := H_s(m_i) \]

and forwards \(h_i\) to its own MAC oracle.

The underlying MAC oracle returns

\[ t_i = \mathsf{Mac}(K',h_i). \]

The reduction gives \(t_i\) back to \(\mathcal A\).

When \(\mathcal A\) outputs a forgery

\[ (m^*,t^*), \]

the reduction computes

\[ h^* := H_s(m^*) \]

and outputs

\[ (h^*,t^*) \]

as its own forgery against the underlying MAC.

Because we are in experiment \(X'\), we know

\[ h^* \notin \{h_1,\dots,h_q\}. \]

Also, because \(\mathcal A\)’s tag verifies for \(\mathsf{MAC}'\), we have

\[ \mathsf{Verify}(K',h^*,t^*)=1. \]

Thus \((h^*,t^*)\) is a valid forgery against the underlying MAC.

So

\[ \Pr[\mathcal A'' \text{ wins EUF-CMA against } \mathsf{MAC}] = \Pr[\mathcal A \text{ wins } X']. \]

Combining this with the previous claim, if \(\mathcal A\) breaks \(\mathsf{MAC}'\) with non-negligible probability, then either:

1. \(\mathcal A\) gives a collision for \(H\), or
2. \(\mathcal A\) breaks the underlying MAC.

Both contradict the assumptions.

Therefore, the hash-then-MAC construction is secure.

The professor summarized the authentication part.

Message secrecy and message integrity are fundamentally different goals.

Encryption does not guarantee integrity.

Most encryption schemes seen so far are conceptually similar to the one-time pad: they generate some pseudorandom mask and use it to hide the message.

But the one-time pad itself does not provide integrity. An attacker can flip bits in the ciphertext and thereby flip corresponding bits in the plaintext.

The correct cryptographic tool for message integrity is a message authentication code.

However, MACs do not by themselves prevent replay attacks.

For example, if an attacker sees a valid authenticated message

\[ (m,t), \]

the attacker may resend the same pair later.

To prevent replay attacks, one needs extra mechanisms, such as timestamps, counters, nonces, or sequence numbers.

The next topic is chosen-ciphertext security.

The professor first emphasized that encryption and authentication are different goals, but in real systems the separation is not always so clean.

In particular, active attacks often exploit interactions between encryption, decryption, and error behavior.

Consider a user communicating with a server using encryption.

The user sends a ciphertext

\[ c \]

to the server.

A man-in-the-middle attacker intercepts \(c\), modifies it slightly, and sends a modified ciphertext

\[ c' \]

to the server.

The server tries to decrypt \(c'\). If decryption fails, the server may return an error message, such as:

\[ \text{error} \]

or

\[ \text{please resend}. \]

Even if the server does not reveal the key, the mere fact that decryption succeeded or failed can leak useful information.

The professor mentioned that real-world systems repeatedly make this mistake. Developers may think that returning an error message is harmless, because it does not directly reveal the key. But the error behavior may still help an attacker recover information about the plaintext.

The professor mentioned Bleichenbacher-type attacks against RSA encryption standards as an example in public-key cryptography. In such attacks, the attacker modifies ciphertexts and learns from the server’s response whether decryption or padding validation succeeded.

The important lesson is:

An attacker may learn information not only from ciphertexts, but also from how a receiver behaves when asked to decrypt modified ciphertexts.

In previous security notions:

• in basic indistinguishability, the adversary only gets a challenge ciphertext;
• in IND-CPA security, the adversary also gets an encryption oracle.

But decryption did not appear in these experiments.

Chosen-ciphertext security models a stronger adversary. The adversary gets access not only to an encryption oracle, but also to a decryption oracle.

This captures active attacks where the adversary can feed chosen ciphertexts to some receiver and observe the result.

CCA stands for chosen-ciphertext attack.

In the IND-CCA experiment, the challenger generates a key:

\[ K \leftarrow \mathsf{KeyGen}(1^\lambda). \]

The adversary gets access to an encryption oracle

\[ \mathsf{Enc}(K,\cdot) \]

and a decryption oracle

\[ \mathsf{Dec}(K,\cdot). \]

The adversary may query both oracles polynomially many times.

Then the adversary chooses two messages

\[ m_0,m_1. \]

The challenger samples a random bit

\[ b \leftarrow_{\$} \{0,1\} \]

and returns the challenge ciphertext

\[ c^* \leftarrow \mathsf{Enc}(K,m_b). \]

After seeing \(c^*\), the adversary again gets access to encryption and decryption oracles.

However, the post-challenge decryption oracle refuses to decrypt \(c^*\) itself.

That is, if the adversary queries \(c\), then:

\[ c \neq c^* \]

is required for decryption. If \(c=c^*\), the oracle returns \(\bot\) or refuses.

Finally, the adversary outputs a guess

\[ b'. \]

It wins if

\[ b'=b. \]

The encryption scheme is IND-CCA secure if every PPT adversary wins with probability at most negligibly better than \(1/2\):

\[ \Pr[ \mathsf{IND\text{-}CCA}_{\mathcal A}(\lambda)=1 ] \le \frac12 + \nu(\lambda), \]

for some negligible function \(\nu\).

The professor asked why the post-challenge decryption oracle must be different from the pre-challenge one.

If the adversary were allowed to query

\[ c^* \]

to the decryption oracle, then no encryption scheme could be secure.

The adversary would simply ask:

\[ \mathsf{Dec}(K,c^*) \]

and receive

\[ m_b. \]

Then it could immediately determine whether the plaintext is \(m_0\) or \(m_1\).

So the restriction

\[ c \neq c^* \]

is necessary to avoid a trivial attack.

The professor emphasized that real-world attackers may not literally have a full decryption oracle.

For example, they may only learn whether decryption succeeded or failed.

But if a scheme is secure even when the adversary gets the full decryption output, then it is also secure against weaker forms of leakage, such as a simple success/failure bit.

Thus the decryption oracle is a conservative model of active attacks.

The professor summarized this idea as:

Not every real-world attack is literally a chosen-ciphertext attack, but many real-world active attacks can be modeled as chosen-ciphertext attacks.

The professor also noted that any IND-CCA secure scheme must be IND-CPA secure.

Reason:

An IND-CCA adversary has all the resources of an IND-CPA adversary, plus an extra decryption oracle.

So if a scheme were IND-CPA insecure, then it would also be IND-CCA insecure: the adversary could simply ignore the decryption oracle.

Thus,

\[ \mathsf{IND\text{-}CCA} \implies \mathsf{IND\text{-}CPA}. \]

The idea is to combine encryption with authentication.

Suppose we have:

1. an IND-CPA secure encryption scheme;
2. a secure MAC.

How should we combine them to obtain IND-CCA security?

The professor considered three natural possibilities.

Let

\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]

be an encryption scheme.

Let

\[ (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

be a MAC.

We define a new encryption scheme

\[ (\mathsf{KeyGen}',\mathsf{Enc}',\mathsf{Dec}'). \]

Correctness follows from correctness of the encryption scheme and the MAC.

If

\[ c \leftarrow \mathsf{Enc}(K_E,m) \]

and

\[ t \leftarrow \mathsf{Mac}(K_M,c), \]

then by MAC correctness,

\[ \mathsf{Verify}(K_M,c,t)=1. \]

So decryption proceeds to

\[ \mathsf{Dec}(K_E,c). \]

By encryption correctness,

\[ \mathsf{Dec}(K_E,c)=m. \]

Therefore,

\[ \mathsf{Dec}'(K,\mathsf{Enc}'(K,m))=m. \]

The theorem is:

If

\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]

is IND-CPA secure, and

\[ (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

is a strongly EUF-CMA secure MAC, then the encrypt-then-MAC construction

\[ (\mathsf{KeyGen}',\mathsf{Enc}',\mathsf{Dec}') \]

is IND-CCA secure.

The professor emphasized that strong unforgeability is important here.

In CCA security, the adversary is forbidden only from querying the exact challenge ciphertext

\[ c^*. \]

If it can create a different ciphertext

\[ \tilde c^* \neq c^* \]

that still decrypts successfully to the same plaintext, then it can query \(\tilde c^*\) to the decryption oracle.

In encrypt-then-MAC, the full ciphertext is

\[ (c,t). \]

If the adversary can change only the tag \(t\) to a new valid tag \(\tilde t\) for the same ciphertext \(c\), then it obtains

\[ (c,\tilde t) \neq (c,t), \]

but this modified ciphertext still verifies.

Ordinary EUF-CMA security does not necessarily rule this out, because ordinary EUF-CMA only forbids valid tags for new messages. It may still allow producing a different valid tag for an already authenticated message.

Strong EUF-CMA security rules this out, because it forbids producing any new valid pair

\[ (c,\tilde t) \]

different from previously seen pairs.

The professor said this is why strong unforgeability is needed for the clean theorem.

He also noted that this is not a serious practical obstacle, because the MACs constructed from PRFs in the course are already strongly EUF-CMA secure.

At the beginning of the lecture, the professor mentioned an organizational issue with the lecture hall before the midterm. The previous lecture in the room might run until 4 p.m., but this should still be fine because the midterm is only one hour and there is buffer time in the slot.

Later, near the end of the lecture, the professor said that students should be there by around 4:15 for the midterm. He also mentioned that there is no lecture on the holiday Monday.

The professor resumed exactly where the previous lecture ended.

The goal was to construct IND-CCA secure encryption from:

1. an IND-CPA secure encryption scheme;
2. a MAC.

The correct construction is encrypt-then-MAC.

First encrypt the message:

\[ c \leftarrow \mathsf{Enc}(K_E,m). \]

Then authenticate the ciphertext:

\[ t \leftarrow \mathsf{Mac}(K_M,c). \]

The final ciphertext is

\[ c'=(c,t). \]

To decrypt, first verify the MAC. Only if verification succeeds do we decrypt.

The reason this construction works is that CCA security requires protecting the integrity of the ciphertext, not merely the plaintext.

The other two approaches are not generally secure:

1. authenticate-and-encrypt is bad because MACs do not provide privacy;
2. authenticate-then-encrypt is bad because IND-CPA encryption does not necessarily provide ciphertext integrity.

Let

\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]

be an encryption scheme.

Let

\[ (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

be a MAC.

Define:

\[ \mathsf{KeyGen}'(1^\lambda): \]

\[ K_E \leftarrow \mathsf{KeyGen}(1^\lambda), \]

\[ K_M \leftarrow \mathsf{Gen}(1^\lambda), \]

\[ K=(K_E,K_M). \]

Encryption:

\[ \mathsf{Enc}'(K,m): \]

\[ c \leftarrow \mathsf{Enc}(K_E,m), \]

\[ t \leftarrow \mathsf{Mac}(K_M,c), \]

\[ c'=(c,t). \]

Decryption:

\[ \mathsf{Dec}'(K,c'): \]

Parse

\[ c'=(c,t). \]

If

\[ \mathsf{Verify}(K_M,c,t)=1, \]

return

\[ \mathsf{Dec}(K_E,c). \]

Otherwise return

\[ \bot. \]

The theorem is:

If

\[ (\mathsf{KeyGen},\mathsf{Enc},\mathsf{Dec}) \]

is IND-CPA secure and

\[ (\mathsf{Gen},\mathsf{Mac},\mathsf{Verify}) \]

is strongly EUF-CMA secure, then

\[ (\mathsf{KeyGen}',\mathsf{Enc}',\mathsf{Dec}') \]

is IND-CCA secure.

The professor then gave a more detailed proof idea than in the previous year.

The proof again proceeds by contraposition.

Assume there exists a PPT adversary \(\mathcal A\) that breaks the IND-CCA security of the encrypt-then-MAC scheme.

The goal is to show that this would imply either:

1. a break of the MAC’s strong unforgeability; or
2. a break of the IND-CPA security of the underlying encryption scheme.

The proof uses a hybrid experiment.

In the real experiment, the challenger generates:

\[ K_E \leftarrow \mathsf{KeyGen}(1^\lambda), \]

\[ K_M \leftarrow \mathsf{Gen}(1^\lambda). \]

The adversary \(\mathcal A\) gets access to encryption and decryption oracles.

For an encryption query \(m_i\), the oracle computes:

\[ c_i \leftarrow \mathsf{Enc}(K_E,m_i), \]

\[ t_i \leftarrow \mathsf{Mac}(K_M,c_i), \]

and returns

\[ c_i'=(c_i,t_i). \]

For a decryption query

\[ c_j'=(c_j,t_j), \]

the oracle checks:

\[ \mathsf{Verify}(K_M,c_j,t_j)=1. \]

If yes, it returns:

\[ m_j = \mathsf{Dec}(K_E,c_j). \]

Otherwise it returns:

\[ \bot. \]

At challenge time, the adversary submits

\[ m_0,m_1. \]

The challenger chooses

\[ b \leftarrow_{\$} \{0,1\}, \]

computes

\[ c^* \leftarrow \mathsf{Enc}(K_E,m_b), \]

\[ t^* \leftarrow \mathsf{Mac}(K_M,c^*), \]

and returns

\[ c^{*'}=(c^*,t^*). \]

Post-challenge, the adversary again gets encryption and decryption oracle access, except it may not ask the exact challenge ciphertext \(c^{*'}\) to the decryption oracle.

To reduce IND-CCA security to IND-CPA security, we would like to simulate the CCA adversary using only an IND-CPA encryption oracle.

But an IND-CPA challenger gives only an encryption oracle, not a decryption oracle.

So the main question is:

How can the reduction simulate the decryption oracle without knowing the encryption secret key \(K_E\)?

The professor emphasized that this is the key conceptual point.

Suppose the adversary asks the decryption oracle on a ciphertext \(c'\) that was previously returned by the encryption oracle.

For example, the adversary earlier asked the encryption oracle for \(m_i\) and received

\[ c_i'=(c_i,t_i). \]

Later it asks the decryption oracle to decrypt the same \(c_i'\).

Then the simulator does not need \(K_E\) to answer.

It already knows the plaintext:

\[ m_i. \]

So it can simply return \(m_i\).

This is the first key idea.

In other words, for ciphertexts that the simulator itself produced through the encryption oracle, decryption can be answered by table lookup.

The problem is that the adversary might ask the decryption oracle on a valid ciphertext that was not previously returned by the encryption oracle.

If the adversary can produce such a fresh valid ciphertext

\[ (c,t), \]

then the simulator would need to decrypt \(c\). But the simulator does not know \(K_E\).

So this event must be shown to occur only with negligible probability.

This is exactly where MAC security is used.

If the adversary produces a fresh ciphertext-tag pair

\[ (c,t) \]

that verifies, and this pair was not previously output by the encryption oracle, then the adversary has produced a new valid MAC pair.

This breaks strong EUF-CMA security of the MAC.

The professor defined a modified experiment \(X'\).

In the real experiment, the decryption oracle checks the MAC:

\[ \mathsf{Verify}(K_M,c,t)=1. \]

If verification succeeds, it decrypts \(c\).

In \(X'\), the decryption oracle is replaced by a table-lookup oracle.

The experiment keeps a list \(Q\) of all encryption query-response pairs:

\[ Q = \{(m_i,c_i')\}_{i=1}^{q}, \]

where

\[ c_i'=(c_i,t_i). \]

When the adversary asks a decryption query \(c_j'\), the modified oracle checks whether there exists a pair

\[ (m_i,c_i') \in Q \]

such that

\[ c_i' = c_j'. \]

If such a pair exists, return

\[ m_i. \]

Otherwise return

\[ \bot. \]

So in \(X'\), the decryption oracle only decrypts ciphertexts that were previously output by the encryption oracle. All fresh ciphertexts are rejected.

The professor stated the claim:

\begin{equation*} \left| \Pr[\mathcal A \text{ wins real IND-CCA}] - \Pr[\mathcal A \text{ wins } X'] \right| \le \mathsf{negl}(\lambda). \end{equation*}

The proof is by contraposition.

If the adversary can distinguish the real experiment from \(X'\) with non-negligible probability, then there must be a decryption query

\[ (c_j,t_j) \]

such that:

1. the MAC verifies:

   \[ \mathsf{Verify}(K_M,c_j,t_j)=1, \]

2. but the pair was not previously output by the encryption oracle:

   \[ (c_j,t_j) \notin \{(c_i,t_i)\}. \]

This is precisely a strong MAC forgery.

Therefore, a non-negligible difference between the experiments would break strong EUF-CMA security.

So, under strong EUF-CMA security, the real IND-CCA experiment and \(X'\) are indistinguishable up to negligible error.

Ordinary EUF-CMA only says the adversary cannot produce a valid tag for a new message.

Here the MAC message is the underlying CPA ciphertext \(c\).

The full CCA ciphertext is

\[ (c,t). \]

If the adversary keeps \(c\) the same but changes \(t\) to a different valid tag, then it creates a new full ciphertext

\[ (c,\tilde t) \neq (c,t). \]

This may be enough to query the CCA decryption oracle, because the query is not identical to the original ciphertext.

Strong EUF-CMA prevents this because it forbids producing a new valid message-tag pair even for an old message.

The professor mentioned that maybe one could still prove something under weaker conditions with many more cases, but the clean theorem uses strong unforgeability.

Once we are in \(X'\), the decryption oracle no longer needs the encryption secret key.

It only needs to remember previous encryption queries and their answers.

This means that an IND-CPA adversary can simulate the whole \(X'\) experiment for \(\mathcal A\).

The reduction \(\mathcal A''\) against the underlying IND-CPA encryption scheme does the following.

For encryption queries \(m_i\) from \(\mathcal A\):

1. Forward \(m_i\) to its own IND-CPA encryption oracle.
2. Receive \(c_i\).

3. Compute

   \[ t_i := \mathsf{Mac}(K_M,c_i), \]

   because the reduction can generate \(K_M\) itself.

4. Return

   \[ c_i'=(c_i,t_i) \]

   to \(\mathcal A\).

5. Store

   \[ (m_i,c_i') \]

   in the table \(Q\).

For decryption queries \(c'\) from \(\mathcal A\):

• if \(c'\) appears in \(Q\), return the corresponding \(m\);
• otherwise return \(\bot\).

No knowledge of \(K_E\) is needed.

For the challenge:

1. \(\mathcal A\) submits

   \[ m_0,m_1. \]

2. The reduction forwards \(m_0,m_1\) to its own IND-CPA challenger.

3. It receives

   \[ c^* = \mathsf{Enc}(K_E,m_b). \]

4. It computes

   \[ t^* := \mathsf{Mac}(K_M,c^*). \]

5. It returns

   \[ c^{*'}=(c^*,t^*) \]

   to \(\mathcal A\).

Post-challenge encryption queries are handled the same way, because the IND-CPA experiment also provides encryption oracle access after the challenge.

Post-challenge decryption queries are still handled by the table lookup rule.

Finally, when \(\mathcal A\) outputs \(b'\), the reduction outputs the same guess \(b'\).

Therefore, if \(\mathcal A\) wins \(X'\) with non-negligible advantage, then the reduction breaks IND-CPA security of the underlying encryption scheme.

The proof has two major steps.

First, replace the real decryption oracle by a fake decryption oracle that only answers ciphertexts previously returned by the encryption oracle.

This modification is secure because any successful fresh decryption query would give a strong MAC forgery.

Second, after this replacement, the decryption oracle can be simulated without knowing the encryption key. Therefore, the remaining experiment reduces to IND-CPA security.

The high-level intuition is:

If the MAC prevents the adversary from creating new valid ciphertexts, then the decryption oracle is useless. It can only decrypt things the adversary already knows. Once the decryption oracle is useless, the attack reduces to an IND-CPA attack.

CCA security protects against active adversaries.

Active adversaries may intercept ciphertexts, modify them, forward them, and observe how honest parties behave.

Such behavior is modeled by giving the adversary access to a decryption oracle.

IND-CCA security is therefore stronger than IND-CPA security.

The main construction from the lecture is:

\begin{equation*} \text{IND-CCA encryption} = \text{IND-CPA encryption} + \text{strong MAC} \end{equation*}

via encrypt-then-MAC.

The professor said that this wraps up the course’s excursion into symmetric-key cryptography.

The constructions so far used pseudorandom functions as a central primitive.

The professor noted that:

• IND-CPA encryption can be constructed from PRFs.
• MACs can be constructed from PRFs.
• IND-CCA encryption can be constructed from IND-CPA encryption and MACs.
• Therefore, IND-CCA encryption can also be built from PRFs.

He then briefly discussed the complexity-theoretic foundations.

In symmetric-key cryptography, a minimal assumption is the existence of one-way functions.

One-way functions are not directly used to encrypt or authenticate messages, but they can be used to build pseudorandom generators.

The hard step is:

\[ \text{one-way functions} \Longrightarrow \text{pseudorandom generators}. \]

This uses the notion of hardcore bits.

The professor mentioned the 1989 result of Håstad, Impagliazzo, Levin, and Luby as a deep result showing how to build PRGs from one-way functions.

Then, going from PRGs to PRFs is easier. Earlier in the course, the professor mentioned the Goldreich-Goldwasser-Micali construction, which builds PRFs from PRGs in a tree-like way.

The professor described these results as one of the crown jewels of 1980s cryptography.

After the midterm, the next lectures will move to public-key cryptography.

The professor said that symmetric-key cryptography has a mostly combinatorial flavor.

Public-key cryptography requires more algebraic structure.

To break the symmetry between encryption and decryption, public-key cryptography needs ideas from number theory and group theory.

So the next part of the course will begin with basic algebra and number theory.

A student asked whether the proof of the encrypt-then-MAC theorem is relevant for the exam.

The professor said that the full multi-stage proof is probably too complex for an exam question.

He emphasized that something taking half an hour to develop in lecture would not fit into a 20-minute exam question.

The main exam usually has six topics or pages with subquestions, and each part roughly corresponds to about 20 minutes of work.

So students are not expected to reproduce the full proof diagrams.

However, students should understand the conceptual ideas:

1. why encrypt-then-MAC is the correct combination;
2. why the MAC must protect the ciphertext;
3. why the decryption oracle becomes useless if the adversary cannot forge MACs;
4. why the remaining problem reduces to IND-CPA security.

The professor also mentioned that the diagrams he draws are a teaching device. Textbooks often write these reductions in prose instead of diagrams.

The professor restated the main proof idea in response to a student question.

If the adversary queries the decryption oracle on a ciphertext that came from the encryption oracle, the simulator can answer without the secret key, because it already knows the corresponding plaintext.

If the adversary successfully queries the decryption oracle on a ciphertext that did not come from the encryption oracle, then it must have created a valid new MAC-protected ciphertext.

That would break the MAC.

Therefore, except with negligible probability, the adversary only decrypts ciphertexts whose plaintexts it already knows.

Thus the decryption oracle gives no new information.

Once decryption queries are useless, the experiment is essentially an IND-CPA experiment.

The professor then answered questions about an exercise concerning PRPs, PRFs, and truncation.

The exercise considered a construction of a PRF from a PRP by truncating the output.

Let

\[ \mathsf{PRP}_K:\{0,1\}^n \to \{0,1\}^n \]

be a pseudorandom permutation.

Define

\[ F_K(x) = \mathsf{Trunc}(\mathsf{PRP}_K(x)), \]

where \(\mathsf{Trunc}\) keeps only the first \(n/2\) bits.

The goal of part A was to show that \(F_K\) is a secure PRF.

The professor then discussed why this construction, although a PRF, is not a collision-resistant hash function when the key is known.

This highlights an important distinction between PRFs/PRPs and collision-resistant hash functions.

For PRFs and PRPs, the adversary does not get the key. It only gets black-box access.

For collision-resistant hash functions, the adversary does get the seed/key \(s\). Collision resistance must hold even when everything about the function is public.

This gives hash functions a slightly public-key-like flavor: there is no secret hidden from the adversary.

The final important distinction is:

\[ \text{PRF/PRP security} \]

is a secret-key, black-box notion. The adversary does not know the key.

But

\[ \text{collision resistance} \]

is a public notion. The adversary knows the hash seed and must still be unable to find collisions.

Therefore, pseudorandomness and collision resistance are fundamentally different properties.