Symmetric Encryption. Adam O Neill based on

Transcription

1 Symmetric Encryption Adam O Neill based on

2 Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter

3 - Correctness Pr [ NCK, Eck,M))=M]=1 fm in the message space where the probability is orer,. K # K and the Coins of { if any.

4 Modes of Operation E : {0, 1} k {0, 1} n! {0, 1}` a family of functions Usually a block cipher, in which case ` = n. Notation: x[i] is the i-th block of a string x, so that x = x[1]...x[m]. Length of blocks varies. Always: Alg K K $ {0, 1} k return K

5 Modes of Operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks?

6 - x[ XID... x[ on ) ECB I Ee d Et t d Electronic code book mode Cfl ] CENT Algorithm E ( k Ecb, x ) Algorikm Dabck,c ) let =xti ]. For it Eklxi m ] let EZD. 1 to m do : For i. - In 1 to m do : ] ei ) xitetlcd Let c=c[ is. ) let x=xfd. - In ] - ctn return C return X

7 Security of ECB leaks input equality!

8 Security of ECB Suppose we know that there are only two possible messages, Y =1 n and N =0 n,forexamplerepresenting FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) =E K (M). M E K C

9 Voting with ECB Voters *did IIIIIIIO. "

10 Is this avoidable? Let SE =(K, E, D) beany encryption scheme. Suppose M 1, M 2 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 )andc 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work?

11 Randomized Encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back di erent answers. That is, if M 1 = M 2 and we let C 1 $ E K (M 1 ) and C 2 $ E K (M 2 ) then Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E.

12 Randomized Encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of di erent possible ciphertexts.

13 CBLCTR Cipher. CBC$ block Chaining mode SE =(K, E, D) where: Alg E K (M) µ Called initial :ztn C[0] {0, 1} n for i =1,...,m do vector Eu ) C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i =1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher.

14 Voting with CBC$ Voters # tally =) m9e IIon Pink Ek(. Votenotwn : vote, of IV ) Ecrocsilkyoten 5 ) F. ( )

15 Towards a Definition We see CBC$ is better than ECB in some sense. But is it secure? What does secure mean here?

16 Security Requirements Suppose sender computes Adversary A has C 1,...,C q C 1 $ E K (M 1 ); ; C q $ E K (M q ) What if A Retrieves K Retrieves M 1 Bad! Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1, M 2? Something we won t hide: the length of the message

17 What we seek A master property that

18 What we seek A master property that Can be easily specified

19 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure

20 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext

21 What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext In the case of a blockcipher the master property was PRF-security. Here it is different because encryption should be randomized

22 Intuition The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either M 1 0,...,M q 0 or lmiklmilti M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted.

23 In distinguish ability under chosen - plaintext attack IND-CPA Games Let SE =(K, E, D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities h i Pr Left A SE)1 Pr h i Right A SE)1 that A outputs 1 in each world. The (ind-cpa) advantage of A is h i h i Adv ind-cpa SE (A) =Pr Right A SE)1 Pr Left A SE)1

24 Measure of Success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0(orapple0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage.

25 in IND-CPA security of ECB Adversary ACRC.,. ) M. Met Il ol C LRLM,µ., ) - In LEFT ret LRCM.,m ) C '. RIGHT at It kcmo ) ' ret 0 Even, ) I Else ret.tn#=prtribtteaast7h-prett.t.aenf c=c Added

26 Right Game Analysis Ctapffmbttteni. A=1. Proof Since Mo # M, and EK is determinate we have Ctd. A returns 1$

27 Left Game Analysis Claim. PELEFTEAA, 17 IO Proof Analogous.

28 Conclusion Adviencdjon (a) = 1-0=1 GCB is not IWD - CPA secure!

29 Any deterministic scheme is not IND-CPA The theorem generalizes to show that the same adversary breaks enc scheme ( any deterministic meaning E is deterministic & Stateless )

30 CTR$ CM - C Let E: {0, 1} k {0, 1} n! {0, 1}` be a family of functions. If X 2 {0, 1} n and i 2 N then X + i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Below the message is a sequence of `-bit blocks: Alg E K (M) C[0] $ {0, 1} n for i =1,...,m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i =1,...,m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M Gnline - offline * parwlli table

31 Birthday Attack on CTR$ Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0, M 1 are encrypted: C 0 [0]C 0 [1] $ E(K, M 0 ) C 1 [0]C 1 [1] $ E(K, M 1 ) E f Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA.

32 - The Adversary Let 1 apple q < 2 n be a parameter and let hii be integer i encoded as an `-bit string. adversary A Birthday Of query q for i =1,...,q do C i [0]C i [1] $ LR(hii, h0i) S {(j, t): C j [0] = C t [0] and j < t} If S 6= ;, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 birthday adversary attack µ±fpr[rioheaigm D Preening' D Want to know Adviundrjem ( Aida " ) zoisod zl

33 Then Left Game Analysis Ayr ' Prf letters Abadan If = O. Proof Two cases : Case 1. S=f$. CIED ot Cj > A city # ( Since Cite ]=ct 'Ll ] and j t. Case 2 = 5=4. A always oupits O. So in either case A outputs O

34 i Right Game Analysis Claim Pr[Rl6HEAm $M ] } - o.3q proof If s # then we have Cs 'Ll ]=@' Cozy ) goal ettoftlsool =< since C 's 'LoT=ctZo ].

35 Conclusion Adrien :P " CAbi., ) I G 3

36 Security `of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most where 2(q 1) 2 n is the total number of blocks across all messages encrypted. Example: If q 1-block messages are encrypted then advantage is not more than 2q 2 /2 n. = q so the adversary For E = AES this means up to about 2 64 blocks may be securely encrypted, which is good.

37 The Theorem Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 1) E (B)+2(q 2 n - Furthermore, B makes at most oracle queries and has running time t + ( (n + `)). birthday.

38 Intuition. : replace E thought with random function wl same domain and Runge Now LR, if the adversary is lucky - queries such that Cito and makes then it can gain advantage. Otherwise we are encrypting with a )one-tinepad]

39 Interval Intersection Let N, q, m 1 be integers and let Z N = {0, 1,...,N 1}. Let+be addition modulo N. Consider the game For i =1,...,q do c $ i Z N ;. I i {c i +1,...,c i + m} For 1 apple i < j apple q define the events Then let Pvt Av B) I PREAI + PRIB) B i,j : S i \ S j 6= ; and B : W 1applei<jappleq B i,j. IIP(N, q, m) =Pr[B].. Problem: Upper bound IIP(N, q, m) as a function of N, q, m.

40 . i Interval Intersection Claim: IIP(N, q, m) apple q(q 1) 2 (2m 1) N proof. Pr[ apple apple B ] s RIBI, ;) = (E) PIB ; ;] and PVLBI, ;] = PRICE { ci - MH,.., Citm } = Zm PRTB ) e- 9k Kmt

41 Advantage Revisited Let SE =(K, E, D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K ; b $ {0, 1} Proposition: Adv ind-cpa SE (A) =2 Pr procedure LR(M 0, M 1 ) return C $ E K (M b ) procedure Finalize(b 0 ) return (b = b 0 ) h i Guess A SE)true 1. h i

42 Game Chain Game G 0 procedure LR(M 0, M 1 ) Game G 1 procedure LR(M 0, M 1 ) C[0] {0, 1} n C[0] {0, 1} n Code for i =1,...,m do I ] for i =1,...,m do P C[0] + i P C[0] + i if P 62 S then T[P] E K (P) if P /2 S then T[P] $ {0, 1}` C[i] T [P] M b [i] C[i] T[P] M b [i] S S [ {P} S S [ {P} return C return C { no o } Then Adv ind-cpa SE (A) =2 Pr h G A 0 i 1

43 Claims Clearly Pr[G A 0 ]=Pr[G A 1 ]+ Pr[G A 0 ] Pr[G A 1 ]. Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] apple 1 2 Pr[G A 0 ] + (q 1) 2 n Pr[G A 1 ] apple Adv prf E (B) }

44 Proof of Claim 1 Adversary BFNC. bets { o( 19 Run A ) when A makes ER every no, m, Code ITIP ] FNCP ) ] tf A outputs b then net. 1

45 Proof of Claim 2

46 Games Con t Game G 1 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i If P /2 S then T[P] $ {0, 1}` C[i] T[P] M b [i] S return C S [ {P} Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[i] C[0] + i $ {0, 1}` If P 2 S then bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i] S return C S [ {P} Pr[G A 1 ]=Pr[G A 2 ]=Pr[G A 3 ]+ Pr[G2 A ] Pr[G3 A ]

47 Using fundamental lemma Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i; C[i] If P 2 S then $ {0, 1}` bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S [ {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies h i h i h i Pr G2 A Pr G3 A apple Pr G3 A sets bad.

48 Completing the Proof

49 Security of CBC$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1} n be a block cipher and SE =(K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 2 E (B)+ 2 n Furthermore, B makes at most t + ( n). oracle queries and has running time

50

51 Padding The TLS 1.0 protocol defines the following padding function for encrypting a v-byte message with AES in CBC mode: let p := 16 (v mod 16), then append p bytes to the message m where the content of each byte is value p 1. For example, consider the following two cases: if m is 29 bytes long then p = 3 and the pad consists of the three bytes 222 so that the padded message is 32 bytes long which is exactly two AES blocks. if the length of m is a multiple of the block size, say 32 bytes, then p = 16 and the pad consists of 16 bytes. The padded message is then 48 bytes long which is three AES blocks.

52 Revocable Broadcast k 15 k 13 k 14 k 9 k 10 k 11 k 12 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 Figure 5.5: The tree of keys for n = 8 devices; shaded nodes are the keys embedded in device 3.

53 8 >< 9 >= >: >; Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. Let S {1,...,n} be a set of leaves. We say that a set of nodes W {1,...,2n 1} covers the set S if every leaf in S is a descendant of some node in W, and leaves outside of S are not. We use cover(s) to denote the smallest set of nodes that covers S. { } Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every 1 apple r apple n, and every set S of n r leaves, we have cover(s) apple r log 2 (n/r)

54 Broadcast Encryption movies on a stateless standalone movie player, that has no network connection. The studios are worried about piracy, and do not want to send copyrighted digital content in the clear to millions of users. A simple solution could work as follows. Every authorized manufacturer is given a device key k d 2 K, and it embeds this key in every device that it sells. If there are a hundred authorized device manufacturers, then there are a hundred device keys k (1) d,...,k(100) d.a movie m is encrypted as: c m := 8 >< >: k R K for i =1,...,100 : c i R c R E 0 (k, m) output (c 1,...,c 100, c) E(k (i) d, k) 9 >= 0 0 K >;