SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Transcription

1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1

2 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3

4 Modes of operation E : {0, 1} k {0, 1} n {0, 1} l a family of functions Usually a block cipher, in which case l = n. Notation: x[i] is the i-th block of a string x, so that x = x[1]... x[m]. Length of blocks varies. Always: Alg K K $ {0, 1} k return K Mihir Bellare UCSD 4

5 Modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks? Mihir Bellare UCSD 5

6 ECB: Electronic Codebook Mode SE = (K, E, D) where: Alg E K (M) for i = 1,..., m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,..., m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6

7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7

8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8

9 Security of ECB Votes M 1, M 2 {Y, N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9

10 Is this avoidable? Let SE = (K, E, D) be ANY encryption scheme. Suppose M 1, M 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10

11 Is this avoidable? Let SE = (K, E, D) be ANY encryption scheme. Suppose M 1, M 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11

12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then $ $ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12

13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13

14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14

15 CBC$: Cipher Block Chaining with random IV mode SE = (K, E, D) where: Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,..., m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15

16 CTR$ mode Let E: {0, 1} k {0, 1} n {0, 1} l be a family of functions. If X {0, 1} n and i N then X + i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Below the message is a sequence of l-bit blocks: Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,..., m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16

17 CTR$ mode Alg E K (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,..., m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M D does not use E 1 K! This is why CTR$ can use a family of functions E that is not required to be a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17

18 Voting with CBC$ Suppose we encrypt M 1, M 2 {Y, N} with CBC$. M 1 M 2 E K E K {0, 1} n $ C 1 [0] C 1 [1] {0, 1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18

19 Voting with CBC$ Suppose we encrypt M 1, M 2 {Y, N} with CBC$. M 1 M 2 E K E K {0, 1} n $ C 1 [0] C 1 [1] {0, 1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19

20 Assessing security So CBC$ is better than ECB. But is it secure? CBC$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20

21 Security requirements Suppose sender computes Adversary A has C 1,..., C q $ $ C 1 E K (M 1 ) ; ; C q E K (M q ) What if A Retrieves K Retrieves M 1 Bad! Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1, M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21

22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22

23 Intuition for definition of IND-CPA The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,..., M q 0 M 1 1,..., M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23

24 Games for ind-cpa-advantage of an adversary A Let SE = (K, E, D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (ind-cpa) advantage of A is [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Mihir Bellare UCSD 24

25 The measure of success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage. Mihir Bellare UCSD 25

26 ECB is not IND-CPA-secure Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K, E, D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Mihir Bellare UCSD 26

27 ECB is not IND-CPA-secure Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K, E, D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27

28 ECB is not IND-CPA-secure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28

29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29

30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30

31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31

32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32

33 ECB is not IND-CPA secure adversary A C 1 LR(0 n, 0 n ) ; C 2 LR(1 n, 0 n ) if C 1 = C 2 then return 1 else return 0 Adv ind-cpa SE (A) = = 1 1 { [ }} ]{{ [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not IND-CPA secure. 0 Mihir Bellare UCSD 33

34 Exercise Let SE = (K, E, D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not IND-CPA secure by giving pseudo-code for an efficient adversary A that achieves Adv ind-cpa SE (A) = 1. Assume the message space is {0, 1}, meaning any string is a legitimate message. Mihir Bellare UCSD 34

35 Exercise Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Define Alg E K (M) R $ {0, 1} 128 ; M[1]... M[m] M; C[0] R for i = 1,..., m do W [i] (R + i) mod ; C[i] AES K (M[i] W [i]) C C[0]C[1]... C[n]; Return C Above W [i] (R + i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128-bit string, and assign it to W [i]. A message must be a string whose length is a positive multiple of 128. Mihir Bellare UCSD 35

36 Exercise 1. Specify a decryption algorithm D such that SE = (K, E, D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Present in pseudocode a practical adversary A making one LR query and achieving Adv ind-cpa SE (A) = 1. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36

37 Why is IND-CPA the master property? We claim that if encryption scheme SE = (K, E, D) is IND-CPA secure then the ciphertext hides ALL partial information about the plaintext. $ $ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1, M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37

38 Birthday attack on CTR$ Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0, M 1 are encrypted: $ $ C 0 [0]C 0 [1] E(K, M 0 ) C 1 [0]C 1 [1] E(K, M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA. Mihir Bellare UCSD 38

39 Birthday attack on CTR$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an l-bit string. adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Mihir Bellare UCSD 39

40 Birthday attack on CTR$: Right game analysis adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) $ C[0] {0, 1} n P E(K, C[0] + 1) C[1] P M 1 Return C[0]C[1] If C j [0] = C t [0] (lucky) then C j [1] = 0 E K (C j [0] + 1) = 0 E K (C t [0] + 1) = C t [1] so [ ] Pr Right A SE 1 = Pr [S ] = C(2 n, q) Mihir Bellare UCSD 40

41 Birthday attack on CTR$: Left game analysis adversary A for i = 1,..., q do C i [0]C i $ [1] LR( i, 0 ) S {(j, t): C j [0] = C t [0] and j < t} If S, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) $ C[0] {0, 1} n P E(K, C[0] + 1) C[1] P M 0 Return C[0]C[1] If C j [0] = C t [0] (lucky) then C j [1] = j E K (C j [0] + 1) t E K (C t [0] + 1) = C t [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41

42 Birthday attack on CTR$ [ ] [ ] Adv ind-cpa SE (A) = Pr Right A SE 1 Pr Left A SE 1 = C(2 n, q) q(q 1) 2 n Conclusion: CTR$ can be broken (in the IND-CPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42

43 Exercise The above attack on CTR$ uses 1-block messages. Letting SE be the same scheme, give an adversary A that makes q LR-queries, each consisting of two m-block messages, and achieves ( ) Adv ind-cpa mq 2 SE (A) = Ω The running time of A should be about O(mq(n + l) log(mq(n + l))). 2 n Mihir Bellare UCSD 43

44 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44

45 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most 2(q 1)σ 2 n where σ is the total number of blocks across all messages encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than 2q 2 /2 n. For E = AES this means up to about 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45

46 Security of CTR$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf 2(q 1)σ E (B) + 2 n Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ (n + l)). Mihir Bellare UCSD 46

47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that both messages in each LR query of A are m blocks long. Thus σ = mq. Note a block is l bits, so each message in a query is ml bits. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]... C i [m] denote the response of the LR oracle to A s i-th query. Mihir Bellare UCSD 47

48 Intuition for IND-CPA security of CTR$ Consider the CTR$ scheme with E K replaced by a random function Fn with range {0, 1} l. Alg E Fn (M) $ C[0] {0, 1} n for i = 1,..., m do P[i] Fn(C[0] + i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is IND-CPA secure. If so, the assumption that E is a PRF says CTR$ with E is IND-CPA secure. Mihir Bellare UCSD 48

49 CTR$ with a random function Let E be the event that the points C 1 [0] + 1,..., C 1 [0] + m,..., C q [0] + 1,..., C q [0] + m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a one-time-pad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49

50 The Union bound Let E 1,..., E n be events in a probability space. Then Pr[ n 1 i n E i] Pr[E i ]. Example: In the case n = 2 we have Pr[E 1 E 2 ] = Pr[E 1 ] + Pr[E 2 ] Pr[E 1 E 2 ] Pr[E 1 ] + Pr[E 2 ]. i=1 Mihir Bellare UCSD 50

51 Interval intersection probability Let N, q, m 1 be integers and let Z N = {0, 1,..., N 1}. Let + be addition modulo N. Consider the game For i = 1,..., q do c i $ Z N ; I i {c i + 1,..., c i + m} For 1 i < j q define the events Then let B i,j : S i S j and B : 1 i<j q B i,j. IIP(N, q, m) = Pr[B]. Problem: Upper bound IIP(N, q, m) as a function of N, q, m. Mihir Bellare UCSD 51

52 Interval intersection probability Claim: IIP(N, q, m) q(q 1) (2m 1) 2 N Why? For any 1 i < j q we have Pr[B i,j ] = Pr[S i S j ] Then by the Union bound = Pr[c j {c i m + 1,..., c i + m 1}] = 2m 1 N IIP(N, q, m) = Pr[ 1 i<j q ] = ( ) q 2m 1. 2 N 1 i<j q Pr[B i,j ]. Mihir Bellare UCSD 52

53 Alternative formulation of advantage Let SE = (K, E, D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K ; b $ {0, 1} procedure LR(M 0, M 1 ) return C $ E K (M b ) procedure Finalize(b ) return (b = b ) [ ] Proposition: Adv ind-cpa SE (A) = 2 Pr Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] = [ ] Pr Right A SE 1 Pr [ b = 1 b = 0 ] = [ ] Pr Left A SE 1 Mihir Bellare UCSD 53

54 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr [b = 1] + Pr [ b = b b = 0 ] Pr [b = 0] = Pr [ b = b b = 1 ] Pr [ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] Pr [ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] ( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) = ( ] [ ]) 2 Pr [Right ASE 1 Pr Left A SE 1 = Advind-cpa SE (A). Mihir Bellare UCSD 54

55 A game-playing proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b $ {0, 1} ; S K $ {0, 1} k Initialize // G 1, G 2, G 3 b $ {0, 1} ; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 55

56 Games G 0, G 1 for the proof Game G 0 procedure LR(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i if P S then T[P] E K (P) C[i] T [P] M b [i] S S {P} return C Then [ ] Adv ind-cpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i $ if P / S then T[P] {0, 1} l C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 56

57 Analysis Clearly Pr[G A 0 ] = Pr[G A 1 ] + ( Pr[G A 0 ] Pr[G A 1 ]). Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] 1 2 Given these, we have Adv ind-cpa SE (A) 2 Pr[G0 A ] Pr[G1 A ] Adv prf E (B) (q 1)σ + 2 n = ( ) 1 (q 1)σ n 2(q 1)σ 2 n + 2 Adv prf E (B) which proves the theorem. It remains to prove the claims Adv prf E (B) Mihir Bellare UCSD 57

58 Proof of Claim 1 adversary B b $ {0, 1} ; S b $ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0, M 1 ) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i if P / S then T [P] Fn(P) C[i] T [P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 58

59 Where we are It remains to prove: Claim 2: Pr[G A 1 ] (q 1)σ 2 n Mihir Bellare UCSD 59

60 Introducing the bad flag Game G 1 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i If P / S then $ T[P] {0, 1} l C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do P C[0] + i $ C[i] {0, 1} l If P S then bad true ; T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[G A 2 ] = Pr[G A 3 ] + C[i] T[P] M b [i] ( ) Pr[G2 A ] Pr[G3 A ] Mihir Bellare UCSD 60

61 Analysis of G 3 Game G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 61

62 Fundamental Lemma of game playing Games G, H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G, H are identical-until-bad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A sets bad Mihir Bellare UCSD 62

63 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A sets bad. Mihir Bellare UCSD 63

64 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0, M 1) $ C[0] {0, 1} n for i = 1,..., m do $ P C[0] + i; C[i] {0, 1} l If P S then bad true T[P] C[i] M b [i]; S S {P} return C [ ] Pr G3 A sets bad IIP(2 n, q, m) mq(q 1) 2 n (q 1)σ 2 n. q(q 1) 2m n Mihir Bellare UCSD 64

65 Security of CTR$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} l be a family of functions and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf 2(q 1)σ E (B) + 2 n Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ (n + l)). Mihir Bellare UCSD 65

66 Security of CBC$ Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LR-queries, each consisting of two 1-block messages, and achieves ( ) Adv ind-cpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to m-block messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 66

67 Security of CBC$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n {0, 1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf E (B) + σ2 Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ n). Exercise: Prove the above theorem. 2 n Mihir Bellare UCSD 67

68 Exercise You are hired at a top company with an extravagant salary. Your boss asks you how secure is CBC$ based on AES. Give a clear and full answer which includes an explanation of security metrics, their relative merits, attacks and proofs. This should include an interpretation of the theorem we just saw. Your description should cover both the value and the limitations of this theorem and give a realistic picture of security aimed at someone with little understanding of cryptography. Have a friend play the role of boss and make this a conversation. Your friend should be critical and curious about what you say. Mihir Bellare UCSD 68

69 Exercise In CTR$ and CBC$ based on a family of functions E: {0, 1} k {0, 1} n {0, 1} l, the message must have length a positive multiple of l. Specify by giving clear pseudocode for all three algorithms a symmetric encryption scheme SE = (K, E, D) based on E in which the message M can be a string of arbitrary length. Encryption and decryption should use at most M /l applications of E or E 1 and the length of the ciphertext should be M + n. The scheme should achieve IND-CPA with the same kinds of bounds as in the theorems about CTR$ and CBC$. You may assume E is a block cipher if needed. Mihir Bellare UCSD 69