Improve SEO forecasting with better CTR curves - Presentation from BrightonSEO September 2014
Lecture 3 Symmetric encryption, IND-CPA, CTR, CBC
Transcript of Lecture 3 Symmetric encryption, IND-CPA, CTR, CBC
Lecture 3 – Symmetric encryption, IND-CPA,
CTR, CBC
TEK4500
08.09.2020
Håkon Jacobsen
Basic goals of cryptography
2
Message privacyMessage integrity /
authentication
Symmetric keys Symmetric encryptionMessage authentication
codes (MAC)
Asymmetric keys
Asymmetric encryption
(a.k.a. public-key
encryption)
Digital signatures
Encryption schemes – syntax
• A symmetric encryption scheme Σ = KeyGen, Enc, Dec consists of three
algorithms:
• Associated to Σ:
• Key space 𝒦
• Message space ℳ
• Ciphertext space 𝒞
• KeyGen and Enc may be randomized ($), but Dec must be deterministic3
Adversary
EncC
M M / ⊥
KeyGen
Dec$
K
$
Correctness requirement: For all
𝐾 ← KeyGen :
Dec 𝐾, Enc 𝐾,𝑀 = 𝑀
Electronic Code Book (ECB) mode
Given a block cipher ℰ: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛 how to encrypt a long message?
ECB ℰ = KeyGen, Enc, Dec
4
ℰ𝐾
𝑀1
𝐶1
ℰ𝐾
𝑀2
𝐶2
ℰ𝐾
𝑀3
𝐶3
ℰ𝐾
𝑀4
𝐶4
Alg Enc 𝐾,𝑀---------------------------------1. for 𝑖 = 1,… ,𝑚 do2. 𝐶𝑖 ← ℰ𝐾 𝑀𝑖
3. return 𝐶
Alg Dec 𝐾, 𝐶---------------------------------1. for 𝑖 = 1,… ,𝑚 do2. 𝑀𝑖 ← ℰ𝐾
−1 𝐶𝑖3. return 𝑀
ECB problems
• Weakness: 𝑀1 = 𝑀2 ⟹ 𝐶1 = 𝐶2
• Example: Suppose message space only contains two messages: 𝑋 = 0128
and 𝑌 = 1128; could represent:
• Vote YES or NO
• BUY or SELL a stock
• FIRE or DON'T FIRE a missile
5
Wanted: security definition for symmetric encryption
• Perfect privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:
Pr ℰ𝐾 𝑀0 = 𝐶 = Pr ℰ𝐾 𝑀1 = 𝐶
• Security holds for any adversary (no limit on resource usage)
• Very strict requirements:
• Keys need to be as long as message
• Key can only be used for one message
7
Wanted: security definition for symmetric encryption
• Perfect privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:
Pr ℰ𝐾 𝑀0 = 𝐶 = Pr ℰ𝐾 𝑀1 = 𝐶
• Security holds for any adversary (no limit on resource usage)
• Very strict requirements:
• Keys need to be as long as message…want keys to be short
• Key can only be used for one message…want to encrypt many messages
8
Idea
• Computational privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:
Pr ℰ𝐾 𝑀0 = 𝐶 ≈ Pr ℰ𝐾 𝑀1 = 𝐶
• Security only required to hold for resource bounded adversaries
• Very strict requirements:
• Keys need to be as long as message…want keys to be short
• Key can only be used for one message…want to encrypt many messages
9
IND-CPA – Indistinguishability against chosen-plaintext attacks
10
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4.5.6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
Definition: The IND-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σind–cpa
𝐴 = Pr 𝐄𝐱𝐩Σind–cpa
𝐴 ⇒ true − 1/2
Test me on 𝑀0, 𝑀1
𝐶∗
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
What if 𝑨 submits 𝑴𝒐 = 𝟎and 𝑴𝟏 = 𝟎𝟏𝟎𝟎𝟎𝟎?
𝐶∗ was an
encryption of 𝑀1
IND-CPA – Indistinguishability against chosen-plaintext attacks
11
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
Definition: The IND-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σind–cpa
𝐴 = Pr 𝐄𝐱𝐩Σind–cpa
𝐴 ⇒ true − 1/2
Test me on 𝑀0, 𝑀1
𝐶∗
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝐶∗ was an
encryption of 𝑀1
IND-CPA – Indistinguishability against chosen-plaintext attacks
12
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
Definition: The IND-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σind–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind–cpa
𝐴 ⇒ true − 1
Test me on 𝑀0, 𝑀1
𝐶∗
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝐶∗ was an
encryption of 𝑀1
𝐀𝐝𝐯Σind–cpa
𝐴 ≈ 1 = adversary is doing well
𝐀𝐝𝐯Σind–cpa
𝐴 ≈ 0 = adversary is doing poorly
ECB IND-CPA insecurity
13
𝐄𝐱𝐩ECB[ℰ]ind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$ECB. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← ECB. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return ECB. Enc 𝐾,𝑀
Adversary 𝑨
1. Query 𝐶 ← ℰ𝐾 0128 in find stage 2. Submit 𝑀0 = 0128 and 𝑀1 = 1128
3. Receive challenge 𝐶∗
4. if 𝐶∗ = 𝐶 output 05. else, output 1
Pr 𝐄𝐱𝐩ECB[ℰ]ind–cpa
𝐴 ⇒ true
= 1
= Pr 𝑏′ = 0 𝑏 = 0 ⋅ 1/2 + Pr 𝑏′ = 1 𝑏 = 1 ⋅ 1/2
= Pr ℰ𝐾 0128 = ℰ𝐾 0128 𝑏 = 0 + Pr ℰ𝐾 0128 ≠ ℰ𝐾 1128 𝑏 = 1 ⋅ 1/ 2
1
= Pr 𝑏′ = 𝑏
1
𝐀𝐝𝐯Σind–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind–cpa
𝐴 ⇒ true − 1 = 1
Consequences of the definition
• An IND-CPA secure scheme cannot be deterministic
• IND-CPA security implies other properties that we want:
• P1: Should be hard to obtain 𝐾 from 𝑌 ← 𝐸𝐾(𝑋) for secret 𝐾
• P2: Should be hard to obtain 𝐾 from 𝑌1, 𝑌2, … where 𝑌𝑖 ← 𝐸𝐾 𝑋𝑖• P3: Should be hard to obtain 𝑋 from 𝑌 ← 𝐸𝐾(𝑋)
• P4: Should be hard to obtain any 𝑋𝑖 from 𝑌1, 𝑌2 , … where 𝑌𝑖 ← 𝐸𝐾 𝑋𝑖• P5: Should be hard to learn any bit of 𝑋 from 𝑌 ← 𝐸𝐾(𝑋)
• P6: Should be hard to detect repetitions among 𝑋1, 𝑋2, … from 𝑌1, 𝑌2, …
•
• But does it give us all the properties we want? I.e., is IND-CPA the "master property"?
14
Semantic security
• The conceptually "right" definition
• High level idea: an encryption scheme is semantically secure if by observing
a ciphertext 𝐶 the adversary learns nothing about the plaintext (except its
length)
• Harder to formalize + IND-CPA is easier to work with
15
Theorem: (Goldwasser & Micali '83)
An encryption scheme Σ is IND-CPA secure ⟺ Σ is semantically secure.
Length-leaking attacks
• Google maps
• World regions have unique "fingerprints" based on length of data (based on map tiles)
• Variable-bitrate encoding
• Can e.g., fingerprint movies streamed over Netflix
• To combat length-leaking attacks: message padding
• Can be expensive
• Supported in TLS, but seldom used
• Used by TOR
16
How to achieve non-deterministic encryption?
• Randomized encryption
• Coins flipped internally by the algorithm
• Nonce-based encryption
• Encryption scheme itself is deterministic
• Non-determinism injected from the outside
18
𝑀
Ciphertext
𝑀′
Plaintext
CTR$ mode
Block cipher ℰ: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛
CTR$ ℰ = KeyGen, Enc, Dec :
19
Alg Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← ℰ𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return 𝐶0||𝐶1||⋯ ||𝐶𝑚
Alg Dec 𝐾, 𝐶---------------------------------1. ctr ← 𝐶02. for 𝑖 = 1,… ,𝑚 do3. 𝑀𝑖 ← ℰ𝐾 ctr + 𝑖 ⊕ 𝐶𝑖4. return𝑀1||𝑀2||⋯ ||𝑀𝑚
ctr + 1
𝐶1
ctr
𝐶0
ℰ𝐾
𝑀1
ctr + 2
𝐶2
ℰ𝐾
𝑀2
ctr + 3
𝐶3
ℰ𝐾
𝑀3
CTR properties
• Fully parallelizable
• Inverse direction of ℰ𝐾 not needed
• Can use a PRF instead of a PRP
• Key stream can be generated in advance
• No padding needed for messages not a multiple of block length
• What about security?
20
ctr + 1
𝐶1
ctr
𝐶0
ℰ𝐾
𝑀1
ctr + 2
𝐶2
ℰ𝐾
𝑀2
ctr + 3
𝐶3
ℰ𝐾
𝑀3
Modern approach to cryptography
• Trying to make cryptography more a science than an art
• Focus on formal definitions of security (and insecurity)
• Clearly stated assumptions
• Analysis supported by mathematical proofs
21
Security of CTR$
22
Theorem (idea):
If 𝐹: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛 is a secure PRF then CTR$[𝐹] is IND-CPA secure.
Logic 101
is equivalent to:
Theorem (idea):
If CTR$[𝐹] is not IND-CPA secure then 𝐹 is not a secure PRF.
⟺ equivalent!
Security of CTR$
Proof idea:
• CTR$[𝐹] not IND-CPA secure ⟹ there exists adversary 𝐴 with good advantage 𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴
• Can use 𝐴 to create a new adversary 𝐵 that has good advantage 𝐀𝐝𝐯𝐹prf
𝐵 against 𝐹
⟹ 𝐹 is not a secure PRF!
23
Theorem (idea):
If CTR$[𝐹] is not IND-CPA secure then 𝐹 is not a secure PRF.
Security of CTR$
24
Theorem (actual): For any IND-CPA adversary 𝐴 against CTR$ 𝐹 that runs in time 𝑡𝐴and asks at most 𝑞 queries (each of max length 𝑞 𝑛-bit blocks), there exists an PRF-
adversary 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞2) and asks at most 𝑞𝐵 = 𝑞2 PRF-queries.
Security of CTR$
• Logic 101: 𝐹 secure PRF ⟹𝐀𝐝𝐯𝐹prf
𝐵 ≈ 0
⟹𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤2𝑞2
2𝑛
⟹𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≈ 0
⟹ CTR$[𝐹] is IND-CPA secure!
25
Theorem (actual): For any IND-CPA adversary 𝐴 against CTR$ 𝐹 that runs in time 𝑡𝐴and asks at most 𝑞 queries (each of max length 𝑞 𝑛-bit blocks), there exists an PRF-
adversary 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞2) and asks at most 𝑞𝐵 = 𝑞2 PRF-queries.
𝑞 ≪ 2𝑛/2
Example:
AES: 𝑛 = 128𝑞 = 240 ≈ 17.5 TB of data
Security of CTR$ – proof idea
26
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
𝐹𝐾(𝑅∗ + 1) 𝐹𝐾(𝑅
∗ + 2) 𝐹𝐾(𝑅∗ + 3) ⋯ 𝐹𝐾(𝑅
∗ + 𝐿) Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
=
𝑀𝑏
𝐶∗
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
Security of CTR$ – proof idea
27
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Security of CTR$ – proof idea
28
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Security of CTR$ – proof idea
29
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-securityOTP
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Security of CTR$ – proof idea
30
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝑀(1)ℰ𝐾
𝑅1||𝐶11||𝐶2
(1)…
𝑀(2)ℰ𝐾
𝑅2||𝐶12||𝐶2
(2)…
⋮
𝑀(𝑞)ℰ𝐾
𝑅𝑞||𝐶1𝑞||𝐶2
(𝑞)…
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Security of CTR$ – proof idea
31
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝑀(1)ℰ𝐾
𝑅1||𝐶11||𝐶2
1… = 𝑅1||𝜌(𝑅1 + 1)⊕𝑀1
1||𝜌(𝑅1 + 2)⊕𝑀2
1|| …
𝑀(2)ℰ𝐾
𝑅2||𝐶12||𝐶2
(2)… = 𝑅2||𝜌(𝑅2 + 1)⊕𝑀1
2||𝜌(𝑅2 + 2)⊕𝑀2
2|| …
⋮
𝑀(𝑞)ℰ𝐾
𝑅𝑞||𝐶1𝑞||𝐶2
(𝑞)… = 𝑅𝑞||𝜌(𝑅𝑞 + 1)⊕𝑀1
𝑞||𝜌(𝑅𝑞 + 2)⊕𝑀2
𝑞|| …
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Security of CTR$ – proof idea
32
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝑀(1)ℰ𝐾
𝑅1||𝐶11||𝐶2
1… = 𝑅1||𝜌(𝑅1 + 1)⊕𝑀1
1||𝜌(𝑅1 + 2)⊕𝑀2
1|| …
𝑀(2)ℰ𝐾
𝑅2||𝐶12||𝐶2
(2)… = 𝑅2||𝜌(𝑅2 + 1)⊕𝑀1
2||𝜌(𝑅2 + 2)⊕𝑀2
2|| …
⋮
𝑀(𝑞)ℰ𝐾
𝑅𝑞||𝐶1𝑞||𝐶2
(𝑞)… = 𝑅𝑞||𝜌(𝑅𝑞 + 1)⊕𝑀1
𝑞||𝜌(𝑅𝑞 + 2)⊕𝑀2
𝑞|| …
Event 𝐂𝐨𝐥𝐥𝒊:
𝑅𝑖 + 𝑗 = 𝑅∗ + 𝑗′ ⟹ 𝜌 𝑅𝑖 + 𝑗 = 𝜌 𝑅∗ + 𝑗′ = 𝑃
⟹ 𝐶𝑗𝑖⊕𝐶𝑗′
∗ = 𝑃 ⊕𝑀𝑗𝑖
⊕ 𝑃 ⊕𝑀𝑗′∗ = 𝑀𝑗
𝑖⊕𝑀𝑗′
∗
Security of CTR$ – proof idea
34
𝑅∗, 𝑅∗ + 1,… 𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…
0 1 … 2𝑛 − 1Coll𝑗
Coll = Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞
Pr Coll = Pr Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞 ≤
𝑗=1
𝑞
Pr Coll𝑗
Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1
Security of CTR$ – proof idea
35
𝑅∗, 𝑅∗ + 1,… 𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…
0 1 … 2𝑛 − 1
Coll = Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞
Pr Coll = Pr Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞 ≤
𝑗=1
𝑞
Pr Coll𝑗
Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1
Coll𝑗
Security of CTR$ – proof idea
36
𝑅∗, 𝑅∗ + 1,…𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…
0 1 … 2𝑛 − 1
Coll = Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞
Pr Coll = Pr Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞 ≤
𝑗=1
𝑞
Pr Coll𝑗
Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1
Coll𝑗
Security of CTR$ – proof idea
37
Coll = Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞
Pr Coll = Pr Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞 ≤
𝑗=1
𝑞
Pr Coll𝑗
Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1 ≤2𝐿
2𝑛
𝑅∗, 𝑅∗ + 1,…𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…
0 1 … 2𝑛 − 1
≤ 𝑞 ⋅2𝐿
2𝑛=2𝑞2
2𝑛
Coll𝑗
Security of CTR$ – proof idea
38
Theorem: For any 𝐴 … there exists 𝐵 such that
𝐀𝐝𝐯CTR$ 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵 +2𝑞2
2𝑛
𝐄𝐱𝐩CTR$ ℰind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$CTR$ 𝐹 . KeyGen
3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀
Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------
1. ctr←$
0,1 𝑛
2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖
5. return𝐶0||𝐶1||⋯ ||𝐶𝑚
𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿
=
𝑀𝑏
𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security
𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)
𝐶1∗ 𝐶2
∗ 𝐶3∗ ⋯ 𝐶𝐿
∗
Nonce-based encryption
• Initial value in CTR$ chosen at random
• Not actually neccessary; sufficient that no inputs to underlying PRF/PRP
repeat
• A simple counter works
• More generally: any number not used more than once – a nonce (number
used once)
• CTR: nonce-based counter-mode
39
Nonce-based encryption – new syntax
• Enc is now a deterministic function
• Non-determinism comes from varying 𝑁
• Choose 𝑁 at random ⟹ recover probabilistic notion
40
Enc ∶ 𝒦 ×𝒩 ×ℳ → 𝒞
Enc 𝐾,𝑁,𝑀 = Enc𝐾 𝑁,𝑀 = Enc𝐾𝑁 𝑀 Enc
𝐾𝑀 𝐶
𝑁
Nonce-based
Enc𝐾𝑀 𝐶
$
Randomized
IND-CPA – Indistinguishability against chosen-plaintext attacks
41
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1.2.3. return Σ. Enc 𝐾,𝑀
IND-CPA – Indistinguishability against chosen-plaintext attacks
42
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑁,𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅,⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑁,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅,⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑁,𝑀---------------------------------1.2.3. return Σ. Enc 𝐾,𝑁,𝑀
IND-CPA – Indistinguishability against chosen-plaintext attacks
43
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑁,𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅,⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑁,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅,⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑁,𝑀---------------------------------1. if 𝑁 queried before:2. return⊥3. return Σ. Enc 𝐾,𝑁,𝑀
Definition: The (nonce-based) IND-CPA-advantage
of an adversary 𝐴 is
𝐀𝐝𝐯Σind–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind–cpa
𝐴 ⇒ true − 1
(𝑁1, 𝑋1), (𝑁2, 𝑋2), …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
Test me on 𝑁,𝑀0 , (𝑁,𝑀1)
𝐶∗
(𝑁1, 𝑋1), (𝑁2, 𝑋2), …
𝐶∗ was an
encryption of 𝑀1
Nonce-based CTR
• Nonce value must be updated and stored by sender
• Stateful encryption
• Receiver doesn't need to store state
• Alternatively: pick nonce at random
• Gives CTR$
• Common in practice:
• pick some parts of N at random and let the rest be a counter
(always starting at 0)
• e.g., 96 bits random and 32 bits counter for 128-bits N
44
Alg Enc 𝐾,𝑁,𝑀---------------------------------1. for 𝑖 = 1, … ,𝑚 do2. 𝐶𝑖 ← ℰ𝐾 𝑁 + 𝑖 ⊕𝑀𝑖
3. return 𝐶1||𝐶2||⋯ ||𝐶𝑚
AlgDec 𝐾,𝑁, 𝐶---------------------------------1. for 𝑖 = 1, … ,𝑚 do2. 𝑀𝑖 ← ℰ𝐾 𝑁 + 𝑖 ⊕ 𝐶𝑖3. return𝑀1||𝑀2||⋯ ||𝑀𝑚
Nonce-based CTR – IND-CPA security
45
Theorem: For any IND-CPA adversary 𝐴 against CTR 𝐹 that runs in time 𝑡𝐴 and asks
at most 𝑞𝐴 queries (each of at most 𝜎𝑛-bits) – such that no input values to 𝐹 are
identical – there exists an PRF-adversary 𝐵 such that
𝐀𝐝𝐯CTR 𝐹ind–cpa
𝐴 ≤ 𝐀𝐝𝐯𝐹prf
𝐵
where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞𝐴 + 𝑛𝜎) and asks at most 𝑞𝐵 = 𝜎 PRF-queries.
CBC
• IND-CPA secure for random IV
• Not IND-CPA secure for nonce-based IV (exercise: show this)
• Not parallelizable; cannot precompute values
• Inverse of block cipher ℰ needed for decryption
• Padding needed for messages not a multiple of block length
• …historically one of the most used modes-of-operation
47
Alternative definition I – Left-or-Right CPA
48
𝐄𝐱𝐩Σlor–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑏′ ← 𝐴LR𝑏 ⋅,⋅
4. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
LR𝑏 𝑀0, 𝑀1
---------------------------------1. if 𝑀0 ≠ 𝑀1 then2. return⊥3.4. return Σ. Enc 𝐾,𝑀𝑏
Definition: The LOR-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σlor–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σlor–cpa
𝐴 ⇒ true − 1
Theorem: Σ is IND-CPA secure ⟺ Σ is LOR-CPA
secure.
Alternative definition II – Real-or-random CPA
49
𝐄𝐱𝐩Σror–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑏′ ← 𝐴RoR𝑏 ⋅
4. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
RoR𝑏 𝑀---------------------------------
1. 𝑀0←$
0,1 𝑀
2. 𝑀1 ← 𝑀3. return Σ. Enc 𝐾,𝑀𝑏
Definition: The ROR-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σror–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σror–cpa
𝐴 ⇒ true − 1
Theorem: Σ is IND-CPA secure ⟺ Σ is ROR-CPA
secure.
Alternative definition III – Real-or-random ciphertext CPA
50
𝐄𝐱𝐩Σind$–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑏′ ← 𝐴$𝑏 ⋅
4. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
$𝑏 𝑀---------------------------------1. 𝐶1 ← Σ. Enc 𝐾,𝑀
2. 𝐶0←$
0,1 𝐶1
3. return 𝐶𝑏
Definition: The IND$-CPA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σind$–cpa
𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind$–cpa
𝐴 ⇒ true − 1
Theorem:
Σ is IND-CPA$ secure ⟹ Σ is IND-CPA secure.
Σ is IND-CPA$ secure ⟸ Σ is IND-CPA secure.
Relations between notions
51
LOR-CPA ⟺ IND-CPA ⟺ ROR-CPA
IND$-CPA
⟹
Semantic security⟺
When we say "IND-CPA" without
further qualification, we think of any
of these (equivalent) definitions
IND-CPA – Indistinguishability against chosen-plaintext attacks
52
𝐄𝐱𝐩Σind–cpa
𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
IND-CCA – Indistinguishability against chosen-ciphertext attacks
53
𝐄𝐱𝐩Σind–cca 𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾(⋅) 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
𝒟𝐾 𝐶---------------------------------1. if 𝐶 = 𝐶∗ then2. return⊥3. return Σ. Dec 𝐾,𝑀
𝐄𝐱𝐩Σind–cca 𝐴
1. 𝑏←$
0,1
2. 𝐾←$Σ. KeyGen
3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏
7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾(⋅) 𝐶∗ // guess stage
8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏
ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀
𝒟𝐾 𝐶---------------------------------1. if 𝐶 = 𝐶∗ then2. return⊥3. return Σ. Dec 𝐾,𝑀
IND-CCA – Indistinguishability against chosen-ciphertext attacks
54
Definition: The IND-CCA-advantage of an
adversary 𝐴 is
𝐀𝐝𝐯Σind–cca 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ
ind–cca 𝐴 ⇒ true − 1
Test me on 𝑀0, 𝑀1
𝐶∗
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)
𝑋1, 𝑋2, …
𝐶1, 𝐶2, …
Enc(𝐾,⋅)Dec(𝐾,⋅)
Dec(𝐾,⋅)
𝐶∗ was an
encryption of 𝑀1