SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Transcription

1 Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement Example: OTP Formally: For all K and M we have [D K ( (M)) = M = 1, where the probability is over the coins of E = (K, E, D) where: lg K K {0,1} k return K Correct decryption: D K ( (M)) = D K (K M) = K (K M) = M lg (M) C K M lg D K (C) M K C return M 3/ 116 4/ 116

2 Block cipher modes of operation Block cipher modes of operation Block cipher provides parties sharing K with E : {0,1} k {0,1} n {0,1} n a block cipher Notation: x[i is the i-th n-bit block of a string x, so that x = x[1... x[m if x = nm. lways: lg K K {0,1} k return K M C which enables them to encrypt a 1-block message. 5/ 116 How do we encrypt a long message using a primitive that only applies to n-bit blocks? 6/ 116 ECB: Electronic Codebook Mode = (K, E, D) where: Evaluating Security Sender encrypts some messages M 1,...,M q, namely lg (M) for i = 1,...,m do C[i (M[i) lg D K (C) for i = 1,...,m do M[i E 1 K (C[i) return M and transmits C 1,...,C q to receiver. dversary Knows = (K, E, D) Knows C 1,...,C q Is not given K! Possible adversary goals: Recover K C 1 (M 1 ),...,C q (M q ) Correct decryption relies on E being a block cipher, so that is invertible Recover M 1 But we will need to look beyond these 7/ 116 8/ 116

3 Security of ECB Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because is deterministic: M 1 [1 M 1 [m M 2 [1 M 2 [m dversary has ciphertext C = C[1 C[m C 1 [1 C 1 [m C 2 [1 C 2 [m dversary task ssessment Why? Compute K seems hard E is secure Compute M[1 seems hard E is secure Why does this matter? 9/ / 116 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or LL a stock Vote YES or NO Security of ECB Votes M 1,M 2 {Y,N} are ECB encrypted and adversary sees ciphertexts C 1 = (M 1 ) and C 2 = (M 2 ) M 1 M 2 Then ECB algorithm will be (M) = (M). M C 1 C 2 C dversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N 11 / / 116

4 Is this avoidable? Randomized encryption Let = (K, E, D) be NY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 (M 1 ) and C 2 (M 2 ) dversary knows that M 1 = Y dversary says: If C 2 = C 1 then M 2 must be Y else it must be N. For encryption to be secure it must be randomized That is, algorithm flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let C 1 (M 1 ) and C 2 (M 2 ) Does this attack work? then [C 1 = C 2 Yes, if E is deterministic. will (should) be small, where the probability is over the coins of E. 13 / / 116 Randomized encryption Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. fundamental departure from classical and conventional notions of encryption. M C 1 C 2 D K M Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. C s 15 / / 116

5 Stateful encryption More Modes of Operation n alternative to randomization is to allow the encryption algorithm to maintain state. This might be a counter encrypt depending on counter value then update counter We will see schemes that use this paradigm to get around the security weaknesses of deterministic encryption without using randomness. Randomized CBC, CTR Stateful CBCC,CTRC 17 / / 116 CBC: Cipher Block Chaining with random IV mode CTRC mode = (K, E, D) where: lg (M) C[0 {0,1} n for i = 1,...,m do C[i (M[i C[i 1) lg D K (C) for i = 1,...,m do M[i E 1 K (C[i) C[i 1 return M Sender maintains a counter ctr that is initially 0 and is updated by E j = the n-bit binary representation of integerj (0 j < 2 n ) lg (M) C[0 ctr for i = 1,...,m do P[i ( ctr + i ) C[i P[i M[i ctr ctr + m lg D K (C) ctr C[0 for i = 1,...,m do P[i ( ctr + i ) M[i P[i C[i return M Correct decryption relies on E being a block cipher so that is invertible 19 / 116 Decryptor does not maintain a counter 20 / 116

6 Security of CBC against key recovery Voting with CBC If adversary has a plaintext M and corresponding ciphertext C (M) then it has input-output examples (M[1 C[0,C[1),(M[2 C[1,C[2) of. Suppose we encrypt M 1,M 2 {Y,N} with CBC. M 1 M 2 M[1 M[2 {0,1} n C 1 [0 C 1 [1 {0,1} n C 2 [0 C 2 [1 C[0 C[1 C[2 So chosen-message key recovery attacks on E can be mounted to recover K. Conclusion: Security of CBC against key recovery is no better than that of the underlying block cipher. dversary sees C 1 = C 1 [0C 1 [1 and C 2 = C 2 [0C 2 [1. Suppose knows that M 1 = Y. Can determine whether M 2 = Y or M 2 = N? NO! 21 / / 116 Voting with CBC ssessing security If M 1 = Y we have C 1 [0 Y C 2 [0 M 2 C 1 [1 C 2 [1 So CBC is better than ECB. But is it secure? CBC is the world s most widely used encryption scheme (SSL, SSH, TLS,...) so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. knows C 1 [0C 1 [1 and C 2 [0C 2 [1. Now If C 1 [0 = C 2 [0 then can deduce that If C 2 [1 = C 1 [1 then M 2 = Y If C 2 [1 C 1 [1 then M 2 = N But the probability that C 1 [0 = C 2 [0 is very small. 23 / / 116

7 Types of encryption schemes Security requirements Special purpose: Used in a specific setting, to encrypt data of some known format or distribution. Comes with a WRNING! only use under conditions X. General purpose: Used to encrypt in many different settings, where the data format and distribution are not known in advance. We want general purpose schemes because They can be standardized and broadly used. Once a scheme is out there, it gets used for everything anyway. General purpose schemes are easier to use and less subject to mis-use: it is hard for application designers to know whether condition X is met. priori information: What the adversary already knows about the data from the context. For example, it is drawn from {Y,N} Data distribution or format: The data may be English or not; may have randomness or not;... Security should not rely on assumptions about these things. 25 / / 116 encryption Security requirements Suppose sender computes data could be English text pdf or executable file Votes Want security in all these cases. dversary has C 1,...,C q C 1 (M 1 ); ; C q (M q ) What if Retrieves K Retrieves M 1 Bad! Bad! But also / / 116

8 Security requirements What we seek We want to hide all partial information about the data stream. Examples of partial information: Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1,M 2? Something we won t hide: the length of the message We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies LL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Thus a scheme having MP means not only that if adversary has (M 1 ) and C 2 (M 2 ) then C 1 It can t get M 1 It can t get 1st bit of M 1 It can t get XOR 1st bits of M 1,M 2 but in fact implies all such information about M 1,M 2 is protected. 29 / / 116 Seeking MP Plan So what is the master property MP? It is a notion we call indistinguishability (IND). We will define IND-CP: Indistinguishability under chosen-plaintext attack IND-CC: Indistinguishability under chosen-ciphertext attack Define IND-CP Examples of non-ind-cp schemes See why IND-CP is a master property, namely why it implies that ciphertexts leak no partial information about plaintexts Examples of IND-CP schemes IND-CC 31 / / 116

9 Intuition for definition of IND Consider encrypting one of two possible message streams, either or M 1 0,...,M q 0 M 1 1,...,M q 1 dversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. ind-cpa-adversaries Let = (K, E, D) be an encryption scheme n ind-cpa has an oracle It can make a query M 0,M 1 consisting of any two equal-length messages It can do this many times Each time it gets back a ciphertext It eventually outputs a bit d M 1 0,M1 1 C 1. M q 0,Mq 1 C q 33 / / 116 ind-cpa-adversaries Let = (K, E, D) be an encryption scheme The games Let = (K, E, D) be an encryption scheme Left world M 0,M 1 C (M 0 ) Right world M 0,M 1 C (M 1 ) Game Left K K procedure (M 0,M 1 ) Return C (M 0 ) Game Right K K procedure (M 0,M 1 ) Return C (M 1 ) s output d Intended meaning: I think I am in the 1 Right world 0 Left world The harder it is for to guess world it is in, the more secure is as an encryption scheme. ssociated to, are the probabilities [Left 1 [Right 1 that outputs 1 in each world. The (ind-cpa) advantage of is [ [ dv ind-cpa () = Right 1 Left 1 35 / / 116

10 Example Example Let (M) = (M) and let be the following ind-cpa adversary Let E: {0,1} k {0,1} 128 {0,1} 128 be a block cipher and let = (K, E, D) be defined by lg K K {0,1} k return K lg (M) return (M) This scheme encrypts only 1-block messages. Succinctly: (M) = (M) lg D K (M) return E 1 K (M) C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 M 0,M 1 Then Left world C (M 0 ) M 0,M 1 Right world [Left 1 = [Right 1 = C (M 1 ) 37 / / 116 Example Example Let (M) = (M) Let (M) = (M) M 0,M 1 Left world C (M 0 ) C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 M 0,M 1 Right world C (M 1 ) What happens so C 1 = (0 n ) = (0 n ) C 2 = (1 n ) = (1 n ) (0 n ) so C 1 C 2 and returns 0 [Left 1 = 0 What happens so C 1 = (0 n ) = (0 n ) C 2 = (0 n ) = (0 n ) so C 1 = C 2 and returns 1 [ Right 1 = 1 39 / / 116

11 Example The measure of success Let (M) = (M) C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 dv ind-cpa () = [Right 1 [Left 1 = 1 0 = 1 Let = (K, E, D) be an encryption scheme and be an ind-cpa adversary. Then dv ind-cpa () = [Right 1 [Left 1 is a number between 1 and 1. large (close to 1) advantage means is doing well is not secure small (close to 0 or 0) advantage means is doing poorly resists the attack is mounting 41 / / 116 IND-CP security dversary advantage depends on its strategy resources: Running time t and number q of oracle queries Security: is IND-CP (i.e. secure) if dv ind-cpa () is small for LL that use practical amounts of resources. ECB is not IND-CP-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme = (K, E, D) with (M) = (M[1) (M[2) (M[m) Example: 80-bit security could mean that for all n = 1,...,80 we have dv ind-cpa () 2 n for any with time and number of oracle queries at most 2 80 n. Insecurity: is not IND-CP (i.e. insecure) if there exists using few resources that achieves high advantage. 43 / / 116

12 ECB is not IND-CP-secure ECB is not IND-CP-secure Let (M) = (M[1) (M[m) Left world M 0,M 1 C (M 0 ) Right world M 0,M 1 C (M 1 ) Let (M) = (M[1) (M[m). Left world M 0,M 1 C (M 0 ) M 0,M 1 Right world C (M 1 ) Can we design so that dv ind-cpa () = [Right 1 is close to 1? [Left 1 Exploitable weakness of : M 1 = M 2 implies (M 1 ) = (M 2 ). C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 45 / / 116 ECB is not IND-CP-secure: Right world analysis E is defined by (M) = (M[1) (M[m). C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 ECB is not IND-CP-secure: Left world analysis E is defined by (M) = (M[1) (M[m). C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right K K procedure (M 0,M 1 ) Return (M 1 ) Then [Right 1 = 1 because C 1 = (0 n ) = (0 n ) = C 2. Right world M 0,M 1 C (M 1 ) 47 / 116 Game Left K K procedure (M 0,M 1 ) Return (M 0 ) Then [ Left 1 = 0 because C 1 = (0 n ) (1 n ) = C 2. Left world M 0,M 1 C (M 0 ) 48 / 116

13 ECB is not IND-CP secure Why is IND-CP the master property? C 1 (0 n,0 n ); C 2 (1 n,0 n ) if C 1 = C 2 then return 1 else return 0 dv ind-cpa () = = 1 1 { [ }} {{ [ }} { Right = 1 Right = 1 nd is very efficient, making only two queries. Thus ECB is not IND-CP secure. 0 We claim that if encryption scheme = (K, E, D) is IND-CP secure then the ciphertext hides LL partial information about the plaintext. For example, from C 1 (M 1 ) and C 2 (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1,M 2 etc. Why is this true? 49 / / 116 XOR-insecurity implies IND-CP-insecurity Let lsb(m) denote the last bit of M Suppose we are given an adversary B such that (M 1 ) C 1 (M 2 ) C 2 B lsb(m 1 ) lsb(m 2 ) for all M 1,M 2. Then we claim we can design an ind-cpa such that dv ind-cpa () = 1, meaning is not IND-CP secure. Thus: XOR-insecurity IND-CP-security IND-CP-insecurity XOR-security 51 / 116 XOR-insecurity implies IND-CP-insecurity M 0,M 1 Left world C (M 0 ) M 0,M 1 Right world C (M 1 ) Makes two queries The left messages are M0 1 = 0n and M0 2 = 0n. Why? Because lsb(0 n ) lsb(0 n ) = 0 The right messages are M1 1 = 0n and M1 2 = 1n. Why? Because lsb(0 n ) lsb(1 n ) = 1 Gets back 2 ciphertexts C 1,C 2 Runs B(C 1,C 2 ) to compute lsb(mb 1) lsb(m2 b ) which equals b, indiciating whether Left or Right world C 1 (0 n,0 n ); C 2 (0 n,1 n ) d B(C 1,C 2 ); return d 52 / 116

14 XOR-insecurity implies IND-CP-insecurity XOR-insecurity implies IND-CP-insecurity M 0,M 1 Left world C (M 0 ) C 1 (0 n,0 n ); C 2 (0 n,1 n ) d B(C 1,C 2 ); return d C 1 (0 n,0 n ); C 2 (0 n,1 n ) d B(C 1,C 2 ); return d M 0,M 1 Right world C (M 1 ) What happens: so C 1 (0 n ) and C 2 (0 n ) The first bits of the encrypted messages XOR to 0 so B returns 0 [ Left 1 = 0 What happens: so C 1 (0 n ) and C 2 (1 n ) The first bits of the encrypted messages XOR to 1 so B returns 1 [Right 1 = 1 53 / / 116 XOR-insecurity implies IND-CP-insecurity lternative formulation of advantage Let = (K, E, D) be a symmetric encryption scheme and an adversary. So as claimed [ [ dv ind-cpa () = Right 1 Left 1 = 1 0 = 1 Game Guess K K ; b {0,1} procedure (M 0,M 1 ) (M b ) procedure Finalize(b ) return (b = b ) oposition: dv ind-cpa () = 2 [Guess true 1. oof: Observe [ b = 1 b = 1 [ = Right 1 [ b = 1 b = 0 [ = Left 1 55 / / 116

15 oof (continued) Security of CTRC h i Guess true = ˆb = b = ˆb = b b = 1 [b = 1 + ˆb = b b = 0 [b = 0 = ˆb = b b = ˆb = b b = = ˆb = 1 b = ˆb = 0 b = = ˆb = 1 b = `1 ˆb = 1 b = = ` ˆb = 1 b = 1 ˆb = 1 b = 0 = i h i 2 hright 1 Left 1 = dvind-cpa (). Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Sender maintains a counter ctr, initially 0. The scheme is = (K, E, D) where lg (M) C[0 ctr for i = 1,...,m do P[i ( ctr + i ) C[i P[i M[i ctr ctr + m Question: Is IND-CP secure? We cannot expect so if E is bad. So, let s ask: Question: ssuming E is good (a PRF) is IND-CP secure? 57 / / 116 IND-CP security of CTRC Implications = (K, E, D) CTRC mode relative to block cipher E. Question: If E is a PRF then is ind-cpa CURE? nswer: YES nd we can prove that the above answer is correct. The above means CTRC has no structural weaknesses. Is not a triviality because it was not true for ECB. Fact: If E is secure (PRF) then CTRC mode is a secure (IND-CP) encryption scheme. This means CTRC is a good, general purpose encryption scheme. Ciphertexts leak NO partial information about messages. ovides security regardless of message distribution. Votes can be securely encrypted. We do not need to look for attacks on the scheme. We are guaranteed there are no attacks as long as E is secure. 59 / / 116

16 Intuition for IND-CP security of CTRC CTRC with a random function Consider the CTRC scheme with replaced by a random function Fn. lg E Fn (M) C[0 ctr for i = 1,...,m do P[i Fn( ctr + i ) C[i P[i M[i ctr ctr + m lg D Fn (C) ctr C[0 for i = 1,...,m do P[i Fn( ctr + i ) M[i P[i C[i return M nalyzing this is a thought experiment, but we can ask whether it is IND-CP secure. If so, the assumption that E is a PRF says the real CTRC is IND-CP secure. lg E Fn (M) C[0 ctr for i = 1,...,m do P[i Fn( ctr + i ) C[i P[i M[i ctr ctr + m Since Fn is random, the sequence P[1 P[m is random and the above is just one-time pad encryption, which is certainly IND-CP secure. So CTRC with a random function is IND-CP secure. 61 / / 116 IND-CP security of CTRC Theorem: Let E : {0,1} k {0,1} n {0,1} n be a family of functions and let = (K, E, D) be the corresponding CTRC mode symmetric encryption scheme. Let be an ind-cpa adversary making at most q queries totalling at most σ blocks. Then there is a prf-adversary B such that dv ind-cpa () 2 dv prf E (B). Furthermore B makes at most σ oracle queries and runs in time at most t + Θ(q + nσ). oof by reduction s world B runs, itself replying to s oracle queries Implication: E a PRF dv prf E (B) small dv ind-cpa () small IND-CP secure 63 / / 116

17 Some notation Games for CTRC security proof M n = number of n-bit blocks in M. That is, M = M[1...M[m where m = M n. j denotes the n-bit binary encoding of integer j {0,...,2 n 1}. Game G 0 K {0,1} k ;b {0,1} ctr 0 procedure (M 0,M 1 ) C[0 ctr;m M b n for i = 1,...,m do P[ ctr + i ( ctr + i ) C[i P[ ctr + i M b [i ctr ctr + m procedure Finalize(b ) return (b = b ) Game G 1 b {0,1};ctr 0 procedure (M 0,M 1 ) C[0 ctr;m M b n for i = 1,...,m do P[ ctr + i {0,1} n C[i P[ ctr + i M b [i ctr ctr + m procedure Finalize(b ) return (b = b ) 65 / / 116 nalysis Claim 1: There is a prf-adversary B such that [ [ G0 true G1 true adversary B b {0,1}; ctr 0; b If (b = b ) then return 1 Else return 0 dv prf E (B). subroutine (M 0,M 1 ) C[0 ctr;m M b n for i = 1,...,m do P[ ctr + i Fn( ctr + i ) C[i P[ ctr + i M b [i ctr ctr + m If Fn = then B is providing the environment of game G 0 so [Real B E 1 = [G 0 true If Fn is random then B is providing the environment of game G 1 so [Rand B E 1 = [G 1 true 67 / 116 nalysis Claim 1: There is a prf-adversary B such that [ [ G0 true G1 true adversary B b {0,1}; ctr 0; b If (b = b ) then return 1 Else return 0 Thus dv prf E (B). subroutine (M 0,M 1 ) C[0 ctr;m M b n for i = 1,...,m do P[ ctr + i Fn( ctr + i ) C[i P[ ctr + i M b [i ctr ctr + m [ dv prf E (B) = Real B E 1 1 [Rand B E 1 = [G0 true [G1 true which proves Claim / 116

18 nalysis ( ) [G0 true = [G1 true + [G0 true [G1 true }{{} So, dv ind-cpa dv prf E (B) () = 2 [G0 true 1 ( ) 2 [G1 true + dv prf E (B) 1 Claim 2: [G 1 true = 1 2 = 2 dv prf E (B) + 2[G 1 true 1 So, dv ind-cpa () 2 dv prf E (B) 69 / 116 oof of Claim 2 in CTRC analysis Game G 1 b {0, 1};ctr 0 procedure (M 0,M 1) C[0 ctr;m M b n for i = 1,..., m do P[ ctr + i {0, 1} n C[i P[ ctr + i M b [i ctr ctr + m procedure Finalize(b ) return (b = b ) Claim 2: [G 1 true = 1 2. oof: in G 2 does not use bit b so Game G 2 b {0, 1}; ctr 0 procedure (M 0,M 1) C[0 ctr;m M 0 n for i = 1,..., m do C[i {0, 1} n procedure Finalize(b ) return (b = b ) [G 1 true = [G 2 true = / 116 IND-CP security of CTRC Theorem: Let E : {0,1} k {0,1} n {0,1} n be a family of functions and let = (K, E, D) be the corresponding CTRC mode symmetric encryption scheme. Let be an ind-cpa adversary making at most q queries totalling at most σ blocks. Then there is a prf-adversary B such that dv ind-cpa () 2 dv prf E (B). Furthermore B makes at most σ oracle queries and runs in time at most t + Θ(q + nσ). Birthday attack on CBC Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Let = (K, E, D) be the CBC mode. Suppose we are encrypting 1 block messages M,M : M {0,1} n C[0 C[1 Observation: If C[0 = C [0 then {0,1} n C [0 C[1 = C [1 iff M = M M C [1 71 / / 116

19 Birthday attack on CBC Birthday attack on CBC If 1 block messages are encrypted under CBC, then message equality can be detected whenever the IVs are the same. But if 2 n/2 messages are encrypted, we expect by the birthday paradox to see collisions in IVs, so we will be able to break the scheme. Left world M 0,M 1 C (M 0 ) Right world M 0,M 1 for i = 1,...,q do C i [0C i [1 ( i, 0 ) S {(j,l): C j [0 = C l [0 and 1 j < l q} If S, then (j,l) S If C j [1 = C l [1 then return 1 return 0 C (M 1 ) 73 / / 116 Birthday attack on CBC: Right world analysis for i = 1,...,q do C i [0C i [1 ( i, 0 ) S {(j,l): C j [0 = C l [0 and 1 j < l q} If S, then (j,l) S If C j [1 = C l [1 then return 1 return 0 If C j [0 = C l [0 then Right world M 0,M 1 C j [1 = ( 0 C j [0) = ( 0 C l [0) = C l [1 C (M 1 ) Birthday attack on CBC: Left world analysis for i = 1,...,q do C i [0C i [1 ( i, 0 ) S {(j,l): C j [0 = C l [0 and 1 j < l q} If S, then (j,l) S If C j [1 = C l [1 then return 1 return 0 If C j [0 = C l [0 then Left world M 0,M 1 C j [1 = ( j C j [0) ( l C l [0) = C l [1 C (M 0 ) so [ Right 1 = [S = C(2 n,q) so [Left 1 = / / 116

20 Birthday attack on CBC for i = 1,...,q do C i [0C i [1 ( i, 0 ) S {(j,l): C j [0 = C l [0 and 1 j < l q} If S, then (j,l) S If C j [1 = C l [1 then return 1 return 0 dv ind-cpa () = [Right 1 [Left 1 = C(2 n,q) q(q 1) 2 n Birthday attack on CBC Conclusion: CBC can be broken (in the IND-CP sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. 77 / / 116 Security of CBC Security of CBC So far: q-query adversary can break CBC with advantage q2 2 n+1 Question: Is there any better attack? nswer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most σ 2 2 n where σ is the total number of blocks encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than q 2 /2 n. Fact: If E is secure (PRF) then CBC mode can be used to securely encrypt up to 2 n/2 blocks, where n is the block length of the block cipher. This is not much for DES (n = 64, 2 n/2 = 2 32 ) but a lot for ES (n = 128, 2 n/2 = 2 64 ) This means CBC is a good, general purpose encryption scheme. Ciphertexts leak NO partial information about messages. ovides security regardless of message distribution. Votes can be securely encrypted. We do not need to look for attacks on the scheme. We are guaranteed there are no attacks as long as E is secure. 79 / / 116

21 Security of CBC Games for CBC Security oof Theorem: Let E : {0,1} k {0,1} n {0,1} n be a block cipher and = (K, E, D) the corresponding CBC symmetric encryption scheme. Let be an ind-cpa adversary against that has running time t and makes at most q queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that dv ind-cpa () 2 dv prf σ2 E (B) + 2 n Furthermore, B makes at most σ oracle queries and has running time t + Θ(σ n). Game G 0 K {0,1} k ;b {0,1};S procedure (M 0,M 1 ) m M b n ; C[0 {0,1} n for i = 1,...,n do P C[i 1 M b [i if P S then T[P (P) C[i T[P S S {P} procedure Finalize(b ) return (b = b ) Game G 1 b {0,1}; S procedure (M 0,M 1 ) m M b n ; C[0 {0,1} n for i = 1,...,n do P C[i 1 M b [i if P / S then T[P {0,1} n C[i T[P S S {P} procedure Finalize(b ) return (b = b ) 81 / / 116 Security of CBC nalysis Then But [ G0 true [ dv ind-cpa () = 2 G0 true 1 [ ( [ [ ) = G1 true + G0 true G1 true Claim 1: We can design prf-adversary B so that [ [ G0 true G1 true dv prf E (B) [ Claim 2: G1 true σ2 2 n 1 So ( ) dv ind-cpa 1 () σ2 2 n dv prf E (B) = σ2 2 n + 2 dvprf E (B) 83 / 116 Claim 1: We can design prf-adversary B so that: [ [ G0 true G1 true dv prf E (B) adversary B b {0,1}; S b if (b = b ) then return 1 else return 0 [Real B E 1 [Rand B E 1 subroutine (M 0,M 1 ) m M b n ; C[0 {0,1} n for i = 1,...,m do P C[i 1 M b [i if P / S then T[P Fn(P) C[i T[P S S {P} [ = G0 true [ = G1 true 84 / 116

22 nalysis Introducing bad Game G 2, G 3 [ Claim 2: G1 true σ2 2 n+1 85 / 116 Game G 1 b {0, 1}; S procedure (M 0,M 1) m M b n; C[0 {0, 1} n for i = 1,..., n do P C[i 1 M b [i If P / S then T[P {0, 1} n C[i T[P S S {P} procedure Finalize(b ) return (b = b ) b {0, 1}; S procedure (M 0,M 1) m M b n; C[0 {0, 1} n for i = 1,..., n do P C[i 1 M b [i C[i {0, 1} n If P S then bad true ; C[i T[P T[P C[i S S {P} procedure Finalize(b ) [ return (b = b ) [ G1 true = G2 true 86 / 116 So far.. nalysis of G 3 Claim 2: [G 1 true σ2 2 n+1 [G 1 true = [G 2 true Will show: = [G 3 true + ([G 2 true [G 3 true) Game G 3 b {0, 1}; S procedure Finalize(b ) return (b = b ) procedure (M 0,M 1) m M b n; C[0 {0, 1} n for i = 1,..., n do P C[i 1 M b [i C[i {0, 1} n If P S then bad true T[P C[i S S {P} [G 3 true = 1 2 [G 2 true [G 3 true σ2 2 n+1 Ciphertext C in G 3 is always random, independently of b, so [ G3 true = / / 116

23 Fundamental Lemma of game playing Using the fundamental lemma Games G,H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: If G,H are identical-until-bad, then for any and any y [ [ [ G y H y H sets bad Game G 2, G 3 b {0, 1}; S procedure Finalize(b ) return (b = b ) procedure (M 0,M 1) m M b n; C[0 {0, 1} n for i = 1,..., n do P C[i 1 M b [i C[i {0, 1} n If P S then bad true ; C[i T[P T[P C[i S S {P} G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ [ [ G2 true G3 true G3 sets bad. 89 / / 116 Bounding the probability of bad in G 3 Game G 3 b {0, 1}; S procedure (M 0,M 1) m M b n; C[0 {0, 1} n for i = 1,..., m do P C[i 1 M b [i C[i {0, 1} n If P S then bad true T[P C[i S S {P} procedure Finalize(b ) return (b = b ) Game G 4 b {0, 1}; S procedure (M 0,M 1) m M 0 n for i = 1,..., m do P {0, 1} n C[i 1 P M b [i If P S then bad true S S {P} C[m {0,1} n procedure Finalize(b ) return (b = b ) [ [ G3 sets bad = G4 sets bad Bounding the probability of bad in G 4 The l-th time the if-statement is executed, it has probability of setting bad. Thus l 1 2 n [ G4 sets bad = σ l=1 l 1 2 n σ(σ 1) 2 n+1 σ2 2 n+1 91 / / 116

24 How many queries? Find-then-guess The IND-CP definition allows the adversary multiple queries to its oracle. This models the adversary distinguishing between whether the messages encrypted were one stream or another stream M 1 0,...,M q 0 M 1 1,...,M q 1 It turns out that allowing only one query captures the same security requirement up to a factor q in the advantage, as long as the adversary has a (plain) encryption oracle as well. This can simplify analyses and the proof will illustrate the hybrid technique. Let = (K, E, D) be a symmetric encryption scheme. Game FTGLeft K K procedure (M 0,M 1 ) (M 0 ) procedure Enc(M) (M) Game FTGRight K K procedure (M 0,M 1 ) (M 1 ) procedure Enc(M) (M) dversary B is allowed only one query to its oracle. [ dv ftg (B) = FTGRight B 1 [FTGLeft B 1 93 / / 116 Find-then-guess Hybrid Technique: illustration Suppose makes queries oposition: Let = (K, E, D) be a symmetric encryption scheme and an ind-cpa adversary making q oracle queries and having running time at most t. Then there is a ftg adversary B making one query to its oracle and q queries to its encryption oracle, such that dv ind-cpa () q dv ftg (B). Furthermore, the running time of B is that of. (M 1 0,M1 1 ),(M2 0,M2 1 ),(M3 0,M3 1 ),(M4 0,M4 1 ) Then we will define games G 0,G 1,G 2,G 3,G 4 so that i Messages encrypted in Gi 0 M1 1,M2 1,M3 1,M4 1 1 M0 1,M2 1,M3 1,M4 1 2 M0 1,M2 0,M3 1,M4 1 3 M0 1,M2 0,M3 0,M4 1 4 M0 1,M2 0,M3 0,M / / 116

25 Hybrid Technique Game G i (0 i q) K K;l 0 procedure (M 0,M 1 ) l l + 1 If l > i then C (M 1 ) else C (M 0 ) Return C Suppose makes queries (M0 1,M1 1 ),...,(Mq 0,Mq 1 ). Then in G i messages encrypted are Let M 1 0,...,M i 0,M i+1 1,...,M q 1 [ P i = Gi 1. the 97 / 116 operties of the hybrid games In G0 the messages encrypted are M1 1,...,Mq 1, so [ Right 1 = P 0. In G q the messages encrypted are M 1 0,...,Mq 0, so So, dv ind-cpa () = P 0 P q [Left 1 = P q. = (P 0 P 1 ) + (P 1 P 2 ) (P q 1 P q ) If P 0 P q is large, so is at least one term in the sum. We design B to have advantage that term. 98 / 116 Design of B adversary B l 0 g {1,...,q} b E(, ) Return b subroutine E l l + 1 If l > g then c (M 1 ) If l = g then c (M 0,M 1 ) If l < g then c (M 0 ) Suppose s queries are (M0 1,M1 1 ),...,(Mq 0,Mq 1 ) and suppose B picks g = i. Then the messages encrypted are so M 1 0,...,M i 1 0,M i b,mi+1 1,...,M q 1 [FTGRight B 1 g = i [FTGLeft B 1 g = i = P i 1 = P i 99 / 116 nalysis of B [ dv ftg [FTGRight (B) = B 1 FTGLeft B 1 as desired. = = q i=1 i=1 [FTGRight B g = i [g = i q i=1 [FTGLeft B 1 g = i [g = i q P i 1 1 q q P i 1 q = 1 q i=1 = 1 q (P 0 P q ) = 1 q dvind-cpa () q (P i 1 P i ) i=1 100 / 116

26 Identification ttack Setting TM card contains a key K K known also to Bank, where = (K, E, D) is a symmetric encryption scheme. dversary transmits lice s identity, but how can it answer the challenge (meaning decrypt C ) without knowing lice s key? 101 / 116 ctive ttack 102 / 116 Chosen-ciphertext attacks New capability: dversary has access to a decryption oracle C M Dec What is the adversary s goal? In our example it was to get the key K, but based on the principles we have discussed before we would like to ask for more: no partial information on un-decrypted messages is leaked by the ciphertexts. Tries to get K or learn how to decrypt by creating ciphertexts and getting the card to decrypt them. This is called a chosen ciphertext attack. 103 / / 116

27 ind-cca adversaries Let = (K, E, D) be an encryption scheme. n ind-cca Has access to a oracle Has access to a decryption oracle Dec Outputs a bit M 0,M 1 C IND-CC d Let = (K, E, D) be an encryption scheme and an ind-cca adversary. Left world Right world M 0,M 1 C C M C (M 0 ) Dec d M 0,M 1 C C M C (M 1 ) Dec d C M Dec s output d Intended meaning: I think I am in the 1 Right world 0 Left world 105 / 116 The harder it is for to guess world it is in, the more secure is as an encryption scheme. 106 / 116 The games Let = (K, E, D) be a symmetric encryption scheme and let be an adversary. Consider Game Left K K procedure (M 0,M 1 ) Return C (M 0 ) procedure Dec(C) return M D K (C) ssociated to, are the probabilities [Left 1 Game Right K K procedure (M 0,M 1 ) Return C (M 1 ) procedure Dec(C) return M D K (C) [Right 1 that outputs 1 in each world. The (ind-cca) advantage of is dv ind-cca () = [Right 1 [Left / 116 problem Game Left K K procedure (M 0,M 1 ) Return C (M 0 ) procedure Dec(C) return M D K (C) Game Right K K procedure (M 0,M 1 ) Return C (M 1 ) procedure Dec(C) return M D K (C) We can LWYS design with advantage 1, meaning LL schemes are insecure. C (0 n,1 n ); M Dec(C) if M = 0 n then return 0 else return 1 Then [Left 1 = 0 [Right 1 = / 116

28 voiding the problem Encryption can only hide information about un-decrypted messages! We address this by making the following rule: n ind-cca is not allowed to query Dec on a ciphertext previously returned by dversary from before breaks rule: C (0 n,1 n ); M Dec(C) if M = 0 n then return 0 else return / 116 IND-CC attack on CBC d Let E : {0,1} k {0,1} n {0,1} n be a block cipher. lg (M) C[0 {0,1} n ; for i = 1,...,m do C[i (M[i C[i 1) Left world Right world M 0,M 1 C C M C (M 0 ) Dec d M 0,M 1 C C M C (M 1 ) Dec Can we design so that dv ind-cca () = [Right 1 [Left 1 is close to 1? 110 / 116 IND-CC attack on CBC What we would like to do: C (0 n,1 n ); M Dec(C) if M = 0 n then return 0 else return 1 but querying C is not allowed. Instead we will C ModifyC C Dec M ModifyM M so that M = D K (C) but C C. Then C (0 n,1 n ) C ModifyC(C); M Dec(C ); M ModifyM(M ) if M = 0 n then return 0 else return / 116 The Modify process Let 0 n be some block. M C[0 C[1 C[0C[1 C[0 ModifyC C [0 C[0 C [0C[1 C [0C[1 Dec M = M M ModifyM M M M M C[1 112 / 116

29 IND-CC attack on CBC: Right world analysis C[0C[1 (0 n,1 n ); 1 n C [0 C[0 ; M Dec(C [0C[1); M M if M = 0 n then return 0 else return 1 IND-CC attack on CBC: Left world analysis C[0C[1 (0 n,1 n ); 1 n C [0 C[0 ; M Dec(C [0C[1); M M if M = 0 n then return 0 else return 1 Game Right K K procedure (M 0,M 1 ) Return C (M 0 ) procedure Dec(C) return M D K (C) d M 0,M 1 C C M C (M 1 ) Dec Game Left K K procedure (M 0,M 1 ) Return C (M 0 ) procedure Dec(C) return M D K (C) d M 0,M 1 C C M C (M 0 ) Dec Then [ Right 1 = 1 Then [ Left 1 = 0 because C[0C[1 (1 n ) so M = 1 n 0 n. because C[0C[1 (1 n ) so M = 0 n. 113 / / 116 IND-CC attack on CBC otecting against CCs C[0C[1 (0 n,1 n ); 1 n C [0 C[0 ; M Dec(C [0C[1); M M if M = 0 n then return 0 else return 1 dv ind-cca () = = 1 1 { [ }} {{ [ }} { Right 1 Left 1 0 Can you think of a way to design a scheme that is IND-CC secure? We will see such a scheme later, after we have some more tools. nd is very efficient, making only two queries. Thus CBC is not IND-CC secure. 115 / / 116