Adversary Model: Adaptive Chosen Ciphertext Attack with Timing Attack

Adversary Model: Adaptive Chosen Ciphertext Attack with Timing Attack

Adversary Model: Adaptive Chosen Ciphertext Attack with Timing Attack Mohd Anuar Mat Isa1, Habibah Hashim2 Faculty of Electrical Engineering, 40450 UiTM Shah Alam, Selangor, Malaysia. [email protected], [email protected]. Abstract—We have introduced a novel adversary model in work, we proposed an enhanced data communication package Chosen-Ciphertext Attack with Timing Attack (CCA2-TA) [1] for DENX-UBOOT [8] firmware to include a secure TFTP and it was a practical model because the model incorporates the protocol. However, our proposal did not suggest a specific timing attack. This paper is an extended paper for “A Secure cryptographic protocol for the successful implementation of the TFTP Protocol with Security Proofs” [1]. secure TFTP protocol [3]. In the effort to further augment the work, a proven secure and practical asymmetric cryptographic scheme, i.e. the Cramer-Shoup (CS) protocol is proposed to be Keywords—Timing Attack, Random Oracle Model, deployed as the underlying cryptographic protocol [9] in the Indistinguishabilit, Chosen Plaintext Attack, CPA, Chosen overall scheme. One may refer to [1]. Ciphertext Attack, IND-CCA1, Adaptive Chosen Ciphertext Attack, IND-CCA2, Trivial File Transfer Protocol, TFTP, Security, Trust, III. RELATED WORK Privacy, Trusted Computing, UBOOT, AES, IOT, Lightweight, Asymmetric, Symmetric, Raspberry Pi. A. Chosen Plaintext Attack (CPA) Goldwasser-Micali (1982) [10] proposed a probabilistic I. INTRODUCTION encryption to replace a trapdoor-function for a better security This paper is a continuation from our previous work in years evaluation in any encryption scheme. The authors argued that, 2012 and 2014 [1]–[3]. The paper was written in a general trapdoor-function do not cover “the possibility of computing 푥 information security terminology with a simple mathematical from 푓(푥) when 푥 is of special form” and “the possibility of notation (semi-formal). It was intended for information security easily computing some partial information about 푥 from practitioner and not for mathematician or cryptographer as the 푓(푥)”[10]. The probabilistic encryption gives a better security main audience. We hope that this paper will give a worthy property with equal to a probability of flipping a coin such that understanding of adversary model in Chosen-Ciphertext Attack 1 1 ℎ푒푎푑 푎푛푑 푡푎푙 in a fair game. An adversary win in a 2 2 with Timing Attack and its security proofs. We have considered 1 1 tossing coin game with probability of + 휀; where 휀 is an this paper as a draft paper . 2 advantage that gives the adversary a better chance to win the II. RESEARCH GOAL game. A. Objectives Goldwasser-Micali proposed an adversary model that gives the adversary a knowledge of encryption protocol and its The purpose of this research work is to facilitate a timing- algorithm, but the adversary cannot obtain any information attack in the random oracle model. We add the timing-attack in about a plaintext when given a ciphertext, except that a length an Adaptive Chosen Ciphertext Attacks (CCA2) model. of plaintext if an encryption scheme ratio was 푥: 푦 for 푥 plaintext to 푦 ciphertext. The knowledge of plaintext’s length B. Motivations is easy to be obtained by the adversary because of the Referring to our previous work [3] [1], we have mentioned knowledge of the cryptographic protocol algorithm. To the need of a secure TFTP protocol particularly in various simulate the Goldwasser-Micali’s adversary model (CPA), we network administrative tasks such as monitoring and upgrading use indistinguishability test by let an adversary to choose two of remote embedded device’s firmware, where a lightweight plaintexts (푚0, 푚1) 휀 ℳ where (푚0 ≠ 푚1) and |푚0| = |푚1|. protocol such as TFTP is usually employed. The security risks The plaintexts either (푚0, 푚1) is randomly choose to be in such situations were also discussed with emphasis on encrypted using encryption scheme Π = (풦, ℰ, 풟) by a concerns due to physical attacks wherein attackers access and Challenger: modify Wi-Fi AP hardware and software[4]–[7]. In a preceding 1 Not complete and not being peer reviewers yet. Everyone is welcome to give any comment/suggestion for further improvements. (푝푘, 푠푘) ← 풦(1푘) Referred to Figure 1, the IND-CCA2 allows the Adversary to 푏 ← {0,1} get a decryption of ciphertext 푐푖 from the oracle in Phase 1 (before) and Phase 2 (after) the challenge messages 푐∗ ∶= ℰ (푚 ) 푝푘 푏 ( 푚0, 푚1 푤ℎ푒푟푒 |푚0| = |푚1| 푎푛푑 푚0 ≠ 푚1 ) are issued to 퐿푒푡 푝(푛) 푑푒푛표푡푒 푡ℎ푒 푠푒푡 표푓 푝푟푚푒 푛 푠푧푒 표푓 푛, Challenger. The Challenger will choose randomly either 푚 표푟 푚 to be encrypted. Ciphertext 푐∗ is send to the 푓표푟 푎푙푙 푠푢푓푓푐푒푛푡푙푦 푙푎푟푔푒 푛. 0 1 Adversary. The Adversary need to distinguish the ciphertext 푐∗ 1 1 is either 푚 표푟 푚 with probability of + 휀. If the probability |푃푟[푠푢푐푐푒푠푠] − 푃푟[푓푎푙푢푟푒]| < 0 1 2 푝(푛) 1 to guess a correct the ciphertext 푐∗ is greater than with non- 2 negligible advantage in PPT; we conclude that the Adversary ∗ A ciphertext 푐 is given to the Adversary for a has an “advantage” and the given protocol Π is consider not distinguishability test wherein the ciphertext 푐∗ is either secure in terms of indistinguishability. encrypted of (푚0, 푚1) . The encryption scheme Π is semantically secure if any probabilistic polynomial-time (PPT) algorithms that are used in the adversary model to determine a correct plaintext from ciphertext 푐∗ with a negligible probability. Goldwasser-Micali (1984) [11] showed that the probabilistic encryption can be implemented under intractability assumption of quadratic residuosity. B. Indistinguishability-Chosen Ciphertext Attack (IND-CCA1) IND-CCA1 is that give an adversary to access decryption function through a decryption oracle. The adversary can ask the ∗ oracle to decrypt any ciphertexts 푐푖휖 풞 except the one (e.g. 푐 ) that being use for indistinguishability test. This adversary model gives the Adversary more knowledge than CPA’s model. However, the decryption oracle can be used by the adversary before the indistinguishability test is happen. Naor-Yung (1990) [12] was the leading that succeed in the IND-CCA1 to prove their public key cryptosystem is secure when the adversary is allow to access decryption oracle before execution of indistinguishability test. The scheme [12] use a non-interactive zero-knowledge (NIZK) with proofs that their protocol satisfied Figure 1: IND-CCA2’s Experiment the completeness, soundness and zero-knowledge properties in PPT for a sufficient large 푛 in the 푝(푛). C. Indistinguishability-Adaptive Chosen Ciphertext Attack IV. PROPOSED SECURITY MODEL (IND-CCA2) We propose an attack model of Adaptive Chosen-Ciphertext Rackoff-Simon (1991) [13] argued that an adversary in Attack with Timing Attack (CCA2-TA) is that gives an CCA1 may get an access to a decryption oracle even after the adversary to access identical computing resources in term of challenge’s ciphertext 푐∗ was issued. This attack is a practical computing power (e.g. CPU). The adversary is given the security problem because it can be happen in a real-world. A knowledge of time to perform cryptographic computations (e.g. security property for this kind of attack is that prevent the primitive computation and protocol execution) in polynomial adversary from getting any useful information from other time. These were included that the adversary know the delay of network transmission for all transaction in the Phase 1, Phase 2 ciphertext 푐푖 that can helps to get a non-negligible advantage to distinguish the challenge’s ciphertext 푐∗ in a polynomial time. and Challenge (refer to Figure 2).The adversary is also has the The authors [13] stressed that it is important to secure against knowledge of CCA2. We defined the proposed security model this attack because a digital signature scheme (practical scheme in general terminology as below: in the real-world) that is vulnerable to this attack. The digital signature scheme is secure “if any such attacker succeeds in Definition 1.0: An Adversary Model CCA2-TA allows an generating a valid signature for this last document with attacker to access runtime for cryptosystem Π = (풦, ℰ, 풟) to negligible probability” [13]. perform ℰ ≝ encryption and 풟 ≝ 푑푒푐푟푦푝푡표푛 in a computing IND-CCA2 model is that give an adversary to access machine. The CCA2-TA has the corollary knowledge of CCA2’s decryption function through decryption oracle. The adversary Adversary Model in the computing machine. can ask the oracle to decrypt any ciphertext 푐 except the one 푖 (ciphertext 푐∗ ) that being use for indistinguishability test. Definition 2.0: An Adversary Model CCA2-TA allows an The authors would like to acknowledge the Ministry of attacker to access runtime for cryptosystem 훱 = (풦, ℰ, 풟) to Education (MOE) Malaysia for providing the grant 600- perform ℰ ≝ encryption and 풟 ≝ 푑푒푐푟푦푝푡표푛 in a RMI/NRGS 5/3 (5/2013), and Universiti Teknologi MARA polynomial-time machine using random oracle model. The (UiTM) for supporting this research work. CCA2-TA has the corollary knowledge of CCA2’s Adversary REFERENCES Model for the polynomial-time machine. [1] Mohd Anuar Mat Isa, Habibah Hashim, Syed Farid Syed Adnan, Jamalul- lail Ab Manan, and Ramlan Mahmod, “A Secure TFTP Protocol with Security Proofs,” in Lecture Notes in Engineering and Computer Science: Theorem 1.0: The cryptosystem Π as defined in the Definition Proceedings of The World Congress on Engineering 2014, (WCE 2014), 1.0 and 2.0 are secure from the CCA2-TA if the runtime to 2014, vol. 1. perform ℰ and 풟 are fixed-time 푡푓푡 for all valid inputs and for [2] Mohd Anuar Mat Isa, Habibah Hashim, Syed Farid Syed Adnan, Jamalul- all invalid inputs into the function ℰ and 풟 with an adversary lail Ab Manan, and Ramlan Mahmod, “An Experimental study of advantage is negligible.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    3 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us