A Fast and Key-Efficient Reduction from Chosen-Ciphertext to Known-Plaintext Security

Size: px

Start display at page:

Download "A Fast and Key-Efficient Reduction from Chosen-Ciphertext to Known-Plaintext Security"

Bryan Patterson
6 years ago
Views:

1 Intrductin wprfs Encryptin frm wprfs Cnclusins A Fast and Key-Efficient Reductin frm Chsen-Ciphertext t Knwn-Plaintext Security Ueli Maurer Jhan Sjödin Department f Cmputer Science ETH Zurich, Switzerland May 24, 2007

2 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy

3 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient

4 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key

5 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives)

6 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)

7 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)...but is AES really a pseudrandm permutatin (and thus als a PRF)?

8 Intrductin wprfs Encryptin frm wprfs Cnclusins (Cmputatinal) Symmetric Cryptgraphy Efficient Shrt key Gal: weaken assumptins, imprve efficiency Cnditinal security (i.e., security is based n certain primitives) Pseudrandm Functin (PRF) b =? Y,...,Y i X i Y i key F R b=0 b= Adaptive Chsen-Plaintext Attack Adv CPA t,q (F, R)...but is AES really a pseudrandm permutatin (and thus als a PRF)?

9 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R)

10 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x.

11 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)).

12 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)). exp : Z G G G (fr DDH-grupG) (k, x) x k

13 Intrductin wprfs Encryptin frm wprfs Cnclusins This Paper: Weak PRFs b =? (U,...,U q) (Y,...,Y q) key F R b=0 b= Knwn-Plaintext Attack Adv KPA t,q (F, R) Hw weak are weak PRFs (under standard assumptins)? E.g., they can: have large fractin f fix-pints, i.e., F k (x) = x fr many x. cmmute, i.e., F k (F k (x)) = F k (F k (x)). exp : Z G G G (fr DDH-grupG) (k, x) x k be self inverse, i.e., F k (F k (x)) = x.

14 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R

15 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R

16 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I R

17 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?

18 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?

19 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?

20 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?

21 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA?

22 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R

23 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA?

24 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA?

25 Intrductin wprfs Encryptin frm wprfs Cnclusins KPA vs. CPA: Example I r R under a CPA? I CPA R I r R under a KPA? I KPA R

26 Intrductin wprfs Encryptin frm wprfs Cnclusins Efficient Symmetric Encryptin based n wprfs? wprf OWF [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] PRP CPA-sec. encryptin CBC [BKR00]

27 Intrductin wprfs Encryptin frm wprfs Cnclusins Efficient Symmetric Encryptin based n wprfs? wprf OWF [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin

28 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with PRFs d prduce a PRP. LX F k RX F k 2 F k 3 LY RY

29 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with wprfs d nt prduce a PRP....even fr infinitely many runds! LX F k RX F k 2 F k 3 LY RY

30 Intrductin wprfs Encryptin frm wprfs Cnclusins Feistel-Netwrks? Feistel-Netwrks with wprfs d nt prduce a PRP....even fr infinitely many runds! Reasn The wprf F can have 0 as fixpint, LX F k RX F k (0) = 0 (fr all keys k) F and hence ψ[ F k3 ](0) = 0. k 2 F k 3 LY RY

31 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m [NaRei98]

32 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ]

33 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := x [ x, (x) m (x) m 2 [NaRei98] ] y y 2

34 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := x [ x, (x) m (x) m 2 [NaRei98] ] y y 2 Hw t extend this further (using as few keys as pssible)?

35 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x y y 2 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?

36 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x y y 2 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?

37 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?

38 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?

39 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y 3 y y 2 y 3 y 4 y y 2 y 3 y 4 Hw t extend this further (using as few keys as pssible)?

40 Intrductin wprfs Encryptin frm wprfs Cnclusins CPA-Secure Encryptin frm any wprf F ] blck f data: Enc k (m ) := [x, (x) m 2 blcks f data: Enc k,k 2 (m, m 2 ) := [ x, (x) m (x) m 2 [NaRei98] ] x x x y y 2 y 3 y y 2 y 3 y 4 y y 2 y 3 y 4 GOOD BAD UGLY Hw t extend this further (using as few keys as pssible)?

41 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (C, R)?

42 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R α β γ Adv KPA t,q (C, R) α + β + γ

43 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (F,R ) Adv KPA t,2q (F,R )+q 2 /2 n+ q 2 /2 n+ Adv KPA t,q (C, R) α + β + γ

44 Intrductin wprfs Encryptin frm wprfs Cnclusins Prf (f the Gd range extensin fr wprfs) R R R R R C H H 2 R Adv KPA t,q (F,R ) Adv KPA t,2q (F,R )+q 2 /2 n+ q 2 /2 n+ Adv KPA t,q (C, R) α + β + γ Hw can the range f F be extended even mre?

45 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [DN02] x F k x Keying F k Range Extensin F k 2 F k 3 F k 3 F k 4 F k 4 k, k 2, k 3, k 4,... x k k 2 F k3 k 3 k 4

46 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [MT05] x F k x Keying F k Range Extensin F k 2 F k 3 F k 3 F k 4 F k 4 k, k 2, k 3, k 4,... x k k 2 F k3 k 3 F k 3 k 4 F k 4

47 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x x Keying F k Range Extensin F k3 F k3 k, k 2, k 3, k 4,... F k3

48 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 k, k 2, k 3, k 4,... F k3

49 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 F k3 k, k 2, k 3, k 4,... }{{} s generated keys # keys utputs ver- head DN s 2s MT s 2s this 2 s s

50 Intrductin wprfs Encryptin frm wprfs Cnclusins Range Extensin f wprfs [this paper] x F k3 x Keying F k Range Extensin F k3 F k3 F k3 k, k 2, k 3, k 4,... }{{} s generated keys # keys utputs ver- head DN s 2s MT s 2s this 2 s s better n, this is ptimal

51 Intrductin wprfs Encryptin frm wprfs Cnclusins Overview ptimal k [this paper] [DN02,MT05] wprf OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin

52 Intrductin wprfs Encryptin frm wprfs Cnclusins wprf PRF [this paper] x F k3 F k4 k Keying 0 F k 0 F k3 0 k, k 2, k 3, k 4 All Outputs 0 0 F k Input: 4-bits b b 2 b 3 b 4 Output: blck b b 2 b 3 b 4 0 F k3 0 0

53 Intrductin wprfs Encryptin frm wprfs Cnclusins wprf PRF [this paper] x F k3 F k4 k Keying 0 F k 0 F k3 0 k, k 2, k 3, k 4 All Outputs F k3 F k Input: 4-bits b b 2 b 3 b 4 Output: blck b b 2 b 3 b 4 DDH-based wprf: x x k DDH-based PRF [NaRei97]: (b, b 2, b 3, b 4 ) x Π k i b i =

54 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k [this paper] [DN02,MT05] wprf ptimal [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-mac [BN00] exelna MAC CCA-sec. encryptin

55 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k [this paper] [DN02,MT05] wprf ptimal [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-wmac wmac CCA-sec. encryptin

56 Intrductin wprfs Encryptin frm wprfs Cnclusins Cnclusins ptimal k wprf ptimal [this paper] [DN02,MT05]? [this paper] OWF Range Extended wprf [Luc96,NaRei99,MOPS06] PRF [GGM86,HILL99] ua[lr86] amie[dn02] PRP [WC8,...] CPA-sec. encryptin CBC [BKR00] encrypt-then-wmac wmac CCA-sec. encryptin

Lecture 12: Block ciphers

Lecture 12: Block ciphers Thomas Johansson T. Johansson (Lund University) 1 / 19 Block ciphers A block cipher encrypts a block of plaintext bits x to a block of ciphertext bits y. The transformation is