In the last segment we defined authenticated encryption, but I didn't really show you why authenticated encryption is the right notion of security. In this segment I want to show you that authenticated encryption in fact is a very natural notion of security and I'll do it by showing you that it defends against a very powerful attack called a chosen cipher text attack. So in fact we already saw a number of examples of a chosen cipher text attack so imagine the adversary has some cipher text C that it wants to decrypt. And what it can do is, for example, fool the decryption server into decrypting some cipher text but not actually the cipher text c. So we already saw some examples of that. If you remember in the first segment, we looked at an adversary that can submit arbitrary cipher text, and if the plaintext happened to start with destination equals 25, then the adversary is actually given the plaintext in the clear. So that's an example of an adversary that can obtain the decryption of certain cipher texts but not all cipher texts. Another example we saw is an adversary that can learn something about the plaintext by submitting cipher texts to the decrypter. So we have this example where the adversary submits encrypted TCP/IP packets to the decryption server, and if the decryption server sends back an ACK, the adversary learns that the decrypted plain text had a valid check sum. And otherwise, the decrypted plain text didn't have a valid check sum. So this is, again, an example of a chosen cipher text attack, where the attacker submits cipher text, and learns something about the decryption of that cipher text. So to address this type of threats, we're gonna define a very general notion of security, called chosen cipher text security. So here, we're gonna give the adversary a lot of power, okay? So he can do both chosen plain text attack, and a chosen cipher text attack. In other words, he can obtain the encryption of arbitrary messages of his choice. And he can decrypt any cipher text of his choice, other than some challenge cipher texts. And as I showed you before, this is actually a fairly conservative modeling of real life. In real life, often, the attacker can fool the, the decrypter, into decrypting certain cipher texts for the attacker, but not all cipher texts. So the model here is that the attacker has a certain cipher text that it wants to decrypt. It can interact with the decrypter by issuing these chosen cipher text queries to the decrypter. Namely, to decrypt various cipher text other than the challenge cipher text. And then the adversary's goal is to break semantic security of the challenge cipher text. So you notice that we're giving the adversary a lot of power. And all we're asking you to do is break semantic security. So it's going to be fairly difficult to design systems that are secure against such adversaries. Nevertheless, we're going to do it. So let's define the chosen cipher text security model more precisely. So, as usual, we have a cipher (E, D). And we're gonna define two experiments, experiment zero and experiment one. So this should look somewhat familiar by now. The challenger is gonna start off by choosing a random key. And now the adversary is gonna submit queries to this challenger. Every query can be one of two types. It can be a chosen plain text query, or it can be a chosen cipher text query. So a chosen plain text query, as we already know. Basically, the adversary submits two messages, M zero and M1. They have to be the same length. And the adversary receives the encryption of either M zero if we're in experiment zero, or M1, if we're in experiment one. So he receives the encryption of the left or the right depending on whether we were in experiment zero or in experiment one. The second type of query is the more interesting one. This is where the adversary submits an arbitrary cipher text of his choice and what he gets back is the decryption of that cipher text. So you notice the adverary's allowed to decrypt arbitrary cipher texts of his choice. The only restriction is that the cipher text is not one of the cipher texts that were obtained as a result of a CPA query. And of course this wouldn't be fair otherwise, because the attacker can simply take one cipher text that was obtained from a CPA query. That's gonna to be either the encryption of M0 or the encryption of M1. If he could submit a CCA query for that particular cipher text, he will in response either obtain M0 or M1, and then he'll know whether he is in experiment zero or experiment one. So this wouldn't be fair. So we say that the CPA cipher texts that he received are the challenge cipher texts. And he's allowed to decrypt any cipher texts of his choice, other than these challenge cipher texts. And as usual, his goal is to determine whether he's in experiment zero, or in experiment one. So I'm gonna emphasize again, that this is an extremely powerful adversary. One that can decrypt any cipher text of his choice, other than the challenge cipher text. And still, he can't distinguish whether he is in experiment zero, or in experiment one. So, as usual, we say that the cipher is CCA secure, chosen cipher text secure, if the adversary behaves the same in experiment zero as it does in experiment one. Namely, it cannot distinguish the two experiments. So let's start with a simple example, and show that, in fact, CBC with a random IV, is not CCA secure, is not secure against chosen cipher text attacks. So let's see why that's the case. So what the adversary's gonna start by doing, he's gonna simply submit two distinct messages, M0 and M1. And let's just pretend that these messages are one block messages. And what he's gonna get back is the CBC encryption of either M0 or M1. You notice the cipher text only has one block, because the plain texts were only one block long. Now what is the attacker gonna do? Well, he's gonna modify this cipher text C that he was given into C prime simply by changing the IV. Okay? So he just takes the IV and XORs it with one. That's it. This gives a new cipher text, C prime, which is different from C and as a result it's perfectly valid for the adversary to submit C prime as its chosen cipher text query. So he asks the challenger please decrypt this C prime for me. The challenger, because c prime is not equal to c, must decrypt c prime. And now let's see, what happens when he decrypts c prime? Well, what's the decryption of c prime, let me ask you. So you probably remember from the first segment that if we xor the IV by one, that simply xors the plaintext by one. So now that adversary received M0 xor one, or M1 xor one, and now he can perfectly tell whether he's in experiment zero and, or in experiment one. So the advantage of this adversary is basically one, because he can very easily tell which experiment he's in. And as a result he can win the chosen cipher text security game. So if you think about it for a second, you'll see that this attack game exactly captured the first active attack that we saw, where the adversary slightly changed the cipher text that he was given. And then he got the decrypter to decrypt it for him. And therefore, he was able to eavesdrop on messages that were not intended for the adversary. So I wanna emphasize again that this chosen cipher text game really does come up in real life, where the adversary can submit cipher texts to the decrypter and the decrypter can reveal information about the plain text, or it can give the plain text outright to the adversary for certain cipher texts but not others. So this is a very natural notion of security, and the question is, how do we design crypto-systems that are CCA secure? So I claim that this authenticated encryption notion that we defined before actually implies chosen cipher text security, and this is why authenticated encryption is such a natural concept. Okay? So the theorem basically says, well, if you give me a cipher that provides authenticated encryption, the cipher can withstand chosen cipher text attacks. And more precisely, the theorem says the following. If we have an adversary that issues Q queries, in other words, at most, q CPA queries and q chosen cipher text queries, then there are two efficient adversaries, B1 and B2, that satisfy this inequality here. So since the scheme has authenticated encryption, we know that this quantity is negligible because it's CPA secure. And we know that this quantity is negligible because the encryption scheme has cipher text integrity. And as a result, since both terms are negligible we know that adversary's advantage in winning the CCA game is also negligible. So let's prove this theorem. It's actually a very simple theorem to prove. And so let's just do it as proof by pictures. Okay, so here we have two copies of the CCA game, so this would be experiment zero. And the bottom one is experiment one. You can see the adversary's issuing CPA queries, and he's issuing CCA queries, and at the end he outputs, you know, a certain guess b, let's call it b prime, and our goal is to show that this b prime is indistinguishable in both cases. In other words, probability that b prime is equal to one in the top game is the same as the probability that b prime is equal to one in the bottom game. Okay, so the way we're gonna do it is the following. Well, first of all, we're gonna change the challenger a little bit, so that instead of actually outputting the decryption of CCA queries, the challenger is just gonna always output bottom. So every time the adversary submits a CCA query, the challenger says bottom. And I claim that these two games are, in fact, indistinguishable. In other words, the adversary can't distinguish these two games, for the simple reason that, because the scheme has cipher text integrity, the adversary simply cannot create a cipher text that's not in C1 to CI-1 that decrypts to anything other than bottom. That is the definition of cipher text integrity. And as a result, again, because of cipher text integrity, it must be the case that every chosen cipher text query that the adversary issues results in bottom. If the adversary, in fact, could distinguish between the left game and the right game, that would mean that at some point he issued a query that decrypted to something other than bottom. And that we could use to then break cipher text integrity of the scheme. And since the scheme has cipher-text integrity, these left and right games are indistinguishable. Okay, so that's kind of a cute argument that shows that it's very easy to respond to chosen cipher-text queries when you have cipher-text integrity. And the same thing exactly applies on the bottom, where we can simply replace the chosen cipher-text responses by just always saying bottom. Okay, very good. But now, since the chosen cipher text queries always respond in the same way, they're not giving the adversary any information. The adversary always knows that we're always gonna just respond with bottom. So we might as well just remove these queries, 'cause they don't contribute any information to the adversary. But now, once we remove these queries, the resulting game should look fairly familiar. The top right game, and the [bottom right] game are basically the two games that come up in the definition of CPA security. And as a result, because the scheme is CPA secure, we know that the adversary can't distinguish the top from the bottom. And so now, by this change of reasoning, we've proven that all of these games are equivalent. And in particular, the original two games that we started with are also equivalent, and therefore, the adversary can't distinguish the top left from the bottom left. And therefore, the scheme is CCA secure. So this gives you the intuition as to why authenticated encryption is such a cool concept. Because primarily it implies security against chosen cipher test attacks. Okay, so as we said authenticated encryption ensures confidentiality. Even if the adversary can decrypt a subset of the cipher text, and more generally, even if he can mount a general chosen cipher text attack, he still is not going to be able to break semantic security of the system. However, it is important to remember the two limitations. First of all, it does not prevent replay attacks on its own. We're going to have to do something in addition to defend against replay attacks. We're going to see several examples where if the decryption engine reveals more information about why a cipher text is rejected, it doesn't just output bottom, but it actually outputs more information, say, by timing attacks. And that explains why the cipher text is rejected. Then in fact that can completely destroy security of the authenticated encryption system. So we'll see some cute attacks like this in a later segment. Okay. So, in the next segment we're gonna turn to constructing authenticated encryption systems.