
Beyond confidentiality and integrity of messages, secure channels are supposed to also protect against replay, reordering, and dropping of messages within the sequence of messages sent in a communication. In order to be able to detect such modifications, the encryption and decryption algorithms need to be stateful. Bellare, Kohno, and Namprempre [BKN02, BKN04] introduced this notion formalized as stateful authenticated encryption in their work analyzing, for the first time, a real-world channel protocol (i.e., the Secure Shell (SSH) protocol [YL06a]), establishing the by now widely accepted game-based cryptographic security model for channels.

Formally, in the stateful AE setting the key generation algorithm is replaced with a more generic (probabilistic) initialization algorithm Init, outputting (beyond the shared key) initial sending and receiving states $st_S$, resp. $st_R$; we write $(K, st_S, st_R) \leftarrow_\$ \mathsf{Init}(1^\lambda)$. Encryption and decryption then obtain and (independently) update the respective state information, i.e., $(st'_S, c) \leftarrow_\$ \mathsf{Enc}_K(st_S, m)$ and $(st'_R, m) \leftarrow_\$ \mathsf{Dec}_K(st_R, c)$. Correctness for stateful authenticated encryption then requires that, starting from any initial output of Init, when Enc is invoked on a sequence of messages $m_1, m_2, \dots, m_n$ (with updated states) resulting in ciphertexts $c_1, c_2, \dots, c_n$, processing these ciphertexts in the same order (with updated states) by Dec yields the original message sequence $m_1, m_2, \dots, m_n$ again.

As for stateless authenticated encryption, one in principle can readily augment the syntax of stateful AE with associated data (nonces in contrast would usually be subsumed by the updated state). From a structural perspective, associated data however belongs rather to the network layer of a communication (protecting, e.g., routing or other administrative information) and AEAD is hence useful as a core building block for secure channels (as we will also see in Chapters 10–12). Thinking of stateful authenticated encryption as providing a secure-channel interface to the application layer in the network stack, applications in contrast expect to transmit messages only, without distinction of associated data. We hence choose not to add an associated-data component in our formalization of stateful authenticated encryption.

9.3.1 Stateful Notions for Confidentiality and Integrity

The stateful variants of confidentiality and integrity notions for (authenticated) symmetric encryption now need to additionally capture the security guarantees against replay, reordering, and dropping of messages. Moreover, an adversary needs to be able to simulate honest communication (including updating states) up to a certain point at which it launches its attack on the scheme, e.g., by interfering with the communication. On a high level, this is done by the experiments keeping a sequence of the ciphertexts sent using the encryption oracle, and considering an adversary passive as long as it simply relays the sent ciphertexts in correct order to the decryption oracle. As soon as it deviates from the sequence of sent ciphertexts, it is considered active in the sense of making the encryption and decryption processes (and states) lose synchronization (we say: they go "out of sync"), and from that point on the experiment considers attacks, e.g., in forging ciphertexts.

Expt^{IND-sfATK,b}_{sfAE,A}(1^λ):
    (K, st_S, st_R) ←$ Init(1^λ)
    i, j ← 0
    sync ← 1
    b' ←$ A^{OLoR, [ODec]_{ATK=CCA}}(1^λ)
    return b'

OLoR(m_0, m_1):
    if |m_0| ≠ |m_1| then return ⊥
    i ← i + 1
    (st_S, c) ←$ Enc_K(st_S, m_b)
    c_i ← c
    return c

ODec(c):
    j ← j + 1
    (st_R, m) ← Dec_K(st_R, c)
    if j > i or c ≠ c_j then sync ← 0
    if sync = 0 then return m
    else return ⊥

Expt^{INT-sfATK}_{sfAE,A}(1^λ):
    (K, st_S, st_R) ←$ Init(1^λ)
    i, j ← 0
    sync ← 1
    win ← 0
    A^{OEnc, ODec}(1^λ)
    return win

OEnc(m):
    i ← i + 1
    (st_S, c) ←$ Enc_K(st_S, m)
    c_i ← c
    m_i ← m
    return c

ODec(c):
    j ← j + 1
    (st_R, m) ← Dec_K(st_R, c)
    if ATK = PTXT then
        if m ≠ ⊥ and (j > i or m ≠ m_j) then win ← 1
    if ATK = CTXT then
        if j > i or c ≠ c_j then sync ← 0
        if sync = 0 and m ≠ ⊥ then win ← 1
    return m

Figure 9.2: Security experiments for confidentiality (IND-sfATK) and integrity (INT-sfATK) of stateful authenticated encryption schemes, where ATK is a placeholder for CPA or CCA, resp. PTXT or CTXT. The brackets [ODec]_{ATK=CCA} indicate that only the IND-sfCCA adversary has access to the ODec oracle.

Confidentiality. Confidentiality is again modeled as indistinguishability of the outputs of a left-or-right encryption oracle, for the CCA variant again given a decryption oracle ODec; see the formal experiment definitions in Figure 9.2. Beyond the obvious syntactical changes, the resulting IND-sfCPA notion is essentially the same as IND-CPA; the CCA decryption oracle, however, needs a substantial modification in order to reflect (protection against) replays, reordering, and dropping of messages.

In the stateless setting, the decryption oracle would reject any ciphertext previously output by the OLoR encryption oracle (independent of the ordering) to prevent trivial attacks. Now, we want to suppress the output of decryption only as long as the ciphertext sequence received (including the queried one) exactly matches the sequence of ciphertexts produced by OLoR; otherwise the adversary is given the decryption output. This captures the following intuition: as long as the adversary relays ciphertexts in their original order, decryption will yield the (challenge) messages input to OLoR by correctness, and hence its output must be suppressed to avoid trivial wins. However, as soon as the adversary deviates from the original ciphertext sequence (indicated by the synchronization flag sync being set to 0), the decryption algorithm should be able to detect this, and its output should not yield any information on the original messages; this is modeled by providing the output to the adversary. Note that deviation is persistent: once the adversary deviates from the original sequence, all follow-up queries (even relaying original ciphertexts again) are considered "out of sync" as well, and their output is provided to the adversary.

Integrity. Integrity as before comes in two flavors, where INT-sfPTXT straightforwardly calls an adversary successful if it manages to feed a sequence of ciphertexts into the decryption oracle such that the resulting sequence of messages deviates from the one encrypted using the OEnc oracle. Ciphertext integrity again formalizes a stronger demand, namely that it should be impossible for an adversary to come up with a deviating sequence of ciphertexts leading to valid (i.e., non-error) outputs on the decryption side. For the latter notion, the same concept of (losing) synchronization is applied as for IND-sfCCA security: decrypted messages are considered (i.e., checked for being non-errors) from the point on where synchronization is lost (sync = 0), that is, where the adversary deviates from the original ciphertext series produced by OEnc. Both notions hence in particular encode protection against replay, reordering, or dropping of messages, resp. ciphertexts, as an adversary wins if a stateful AE scheme does not detect such attacks by outputting error messages ⊥.

We can now also formalize the different notions of confidentiality and integrity for stateful AE schemes. Their relation is as for the stateless setting: again, the implication IND-sfCCA ⟹ IND-sfCPA holds directly by omitting the ODec oracle. Also, a (non-error) deviation in the message sequence decrypted in ODec requires a deviation in the ciphertext sequence, and hence INT-sfCTXT implies INT-sfPTXT.
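The following Python code is an added, self-contained illustration of the notions above; it is not from the thesis and not the thesis' own construction. It builds a sequence-number stateful AE scheme on top of a stateless AEAD (assumed here to be a constructed HMAC-SHA256 encrypt-then-MAC toy, so the demo runs without dependencies; a real deployment would use AES-GCM or ChaCha20-Poly1305), a replay-prone variant that carries the nonce in the clear, and the OEnc/ODec oracles of the INT-sfCTXT experiment from Figure 9.2 including the persistent sync flag. The names `make_seqno_scheme`, `SEQNO_FAILSTOP`, `SEQNO_LENIENT`, `NONCE_IN_CLEAR`, `IntSfCtxt`, `correct`, `replay` and `reorder` are mine; the error symbol ⊥ is represented by `None`.

```python
# Added example, not from the thesis: a sequence-number stateful AE scheme in a
# fail-stop and a lenient variant, a replay-prone scheme that sends its nonce in
# the clear, and the INT-sfCTXT oracles of Figure 9.2 with the persistent sync
# flag. The AEAD underneath is a constructed HMAC-SHA256 toy (my assumption).
import hmac, hashlib, os

def _keystream(key, nonce, n):
    out, ctr = b"", 0                     # toy counter mode: HMAC(key, nonce||ctr)
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def aead_enc(key, nonce, ad, m):
    body = bytes(x ^ y for x, y in zip(m, _keystream(key + b"enc", nonce, len(m))))
    tag = hmac.new(key + b"mac", nonce + ad + body, hashlib.sha256).digest()[:16]
    return body + tag

def aead_dec(key, nonce, ad, c):
    body, tag = c[:-16], c[-16:]
    exp = hmac.new(key + b"mac", nonce + ad + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, exp):
        return None                       # the error symbol ⊥
    return bytes(x ^ y for x, y in zip(body, _keystream(key + b"enc", nonce, len(body))))

def make_seqno_scheme(fail_stop):
    # st_S, st_R are sequence numbers used as the nonce; the receiver only tries the
    # next expected number. With fail_stop, st_R becomes None (halted) on any error.
    def init():
        return os.urandom(32), 0, 0                      # (K, st_S, st_R)
    def enc(K, st_S, m):
        return st_S + 1, aead_enc(K, st_S.to_bytes(8, "big"), b"", m)
    def dec(K, st_R, c):
        if st_R is None:
            return None, None
        m = aead_dec(K, st_R.to_bytes(8, "big"), b"", c)
        if m is None:
            return (None if fail_stop else st_R), None
        return st_R + 1, m
    return init, enc, dec

def nv_init():
    return os.urandom(32), 0, None                       # receiver keeps no state
def nv_enc(K, st_S, m):
    nonce = st_S.to_bytes(8, "big")
    return st_S + 1, nonce + aead_enc(K, nonce, b"", m)  # nonce travels in the clear
def nv_dec(K, st_R, c):
    return st_R, aead_dec(K, c[:8], b"", c[8:])          # any old nonce is accepted

SEQNO_FAILSTOP = make_seqno_scheme(True)
SEQNO_LENIENT = make_seqno_scheme(False)
NONCE_IN_CLEAR = (nv_init, nv_enc, nv_dec)

def correct(scheme, msgs):
    # Correctness: encrypt m_1..m_n in order, decrypt in order, get m_1..m_n back.
    init, enc, dec = scheme
    K, st_S, st_R = init()
    cs, out = [], []
    for m in msgs:
        st_S, c = enc(K, st_S, m); cs.append(c)
    for c in cs:
        st_R, m = dec(K, st_R, c); out.append(m)
    return out == list(msgs)

class IntSfCtxt:
    # Expt^{INT-sfCTXT} of Figure 9.2: OEnc records c_i, ODec tracks j and sync.
    def __init__(self, scheme):
        init, self.enc, self.dec = scheme
        self.K, self.st_S, self.st_R = init()
        self.cs, self.j, self.sync, self.win = [], 0, 1, 0
    def OEnc(self, m):
        self.st_S, c = self.enc(self.K, self.st_S, m)
        self.cs.append(c)                                # c_i with i = len(self.cs)
        return c
    def ODec(self, c):
        self.j += 1
        self.st_R, m = self.dec(self.K, self.st_R, c)
        if self.j > len(self.cs) or c != self.cs[self.j - 1]:
            self.sync = 0                                # persistent: never reset
        if self.sync == 0 and m is not None:
            self.win = 1                                 # out-of-sync ciphertext accepted
        return m

def honest_relay(scheme):
    g = IntSfCtxt(scheme)
    for m in (b"a", b"b", b"c"):
        g.ODec(g.OEnc(m))                                # stays in sync: cannot win
    return g.win

def replay(scheme):
    g = IntSfCtxt(scheme)
    c1 = g.OEnc(b"transfer 10")
    g.ODec(c1); g.ODec(c1)                               # 2nd delivery: j = 2 > i = 1
    return g.win

def reorder(scheme):
    g = IntSfCtxt(scheme)
    c1, c2 = g.OEnc(b"first"), g.OEnc(b"second")
    g.ODec(c2); g.ODec(c1)                               # c_2 before c_1: out of sync
    return g.win
```

Running `replay` and `reorder` against the three schemes shows the point of the persistent sync flag. `NONCE_IN_CLEAR` loses both games: the receiver has no state, so any previously sent ciphertext decrypts again. `SEQNO_LENIENT` rejects the replayed and the reordered ciphertext, but after rejecting $c_2$ it still accepts $c_1$ because its state did not move; since sync was already set to 0, that acceptance counts as a win. Only `SEQNO_FAILSTOP`, which refuses every ciphertext after its first error, satisfies the experiment in these runs. This is the reading of the definition a practitioner should take away: under the sync-based oracle, a scheme has to behave like a channel that is torn down on the first bad record rather than one that silently skips it.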

Definition 9.2 (Security for stateful AE schemes). Let sfAE = (Init, Enc, Dec) be a stateful AE scheme.

Let experiment $\mathrm{Expt}^{\mathrm{IND\text{-}sfATK},b}_{\mathrm{sfAE},\mathcal{A}}(1^\lambda)$ for an adversary $\mathcal{A}$ and a bit $b \in \{0,1\}$ be defined as in Figure 9.2, where ATK is a placeholder for either CPA or CCA. We say that sfAE provides stateful indistinguishability under chosen-plaintext attacks, respectively, chosen-ciphertext attacks (IND-sfCPA, resp. IND-sfCCA) if for all PPT adversaries $\mathcal{A}$ the following advantage function is negligible in the security parameter:

$$\mathrm{Adv}^{\mathrm{IND\text{-}sfATK}}_{\mathrm{sfAE},\mathcal{A}}(\lambda) := \Big|\Pr\Big[\mathrm{Expt}^{\mathrm{IND\text{-}sfATK},1}_{\mathrm{sfAE},\mathcal{A}}(1^\lambda) = 1\Big] - \Pr\Big[\mathrm{Expt}^{\mathrm{IND\text{-}sfATK},0}_{\mathrm{sfAE},\mathcal{A}}(1^\lambda) = 1\Big]\Big|.$$

Likewise, let experiment $\mathrm{Expt}^{\mathrm{INT\text{-}sfATK}}_{\mathrm{sfAE},\mathcal{A}}(1^\lambda)$ for an adversary $\mathcal{A}$ be defined as in Figure 9.2, where ATK is a placeholder for either PTXT or CTXT. We say that sfAE provides stateful integrity of plaintexts, respectively, ciphertexts (INT-sfPTXT, resp. INT-sfCTXT) if for all PPT adversaries $\mathcal{A}$ the following advantage function is negligible in the security parameter:

$$\mathrm{Adv}^{\mathrm{INT\text{-}sfATK}}_{\mathrm{sfAE},\mathcal{A}}(\lambda) := \Pr\Big[\mathrm{Expt}^{\mathrm{INT\text{-}sfATK}}_{\mathrm{sfAE},\mathcal{A}}(1^\lambda) = 1\Big].$$