Chosen Plaintext Attacks (CPA)

Similar documents
CPA-Security. Definition: A private-key encryption scheme

III. Pseudorandom functions & encryption

Modern Cryptography Lecture 4

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 28: Public-key Cryptography. Public-key Cryptography

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CTR mode of operation

1 Indistinguishability for multiple encryptions

Modern symmetric-key Encryption

Computational security & Private key encryption

ECS 189A Final Cryptography Spring 2011

Scribe for Lecture #5

Lecture 5, CPA Secure Encryption from PRFs

Block ciphers And modes of operation. Table of contents

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Computing on Encrypted Data

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

7 Security Against Chosen Plaintext

Lecture 9 - Symmetric Encryption

Lecture 2: Perfect Secrecy and its Limitations

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

8 Security against Chosen Plaintext

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

MATH3302 Cryptography Problem Set 2

Lectures 2+3: Provable Security

Lecture 5: Pseudorandom functions from pseudorandom generators

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Notes 10: Public-key cryptography

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Chapter 2. A Look Back. 2.1 Substitution ciphers

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Block Ciphers and Feistel cipher

ASYMMETRIC ENCRYPTION

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Practice Assignment 2 Discussion 24/02/ /02/2018

The Pseudorandomness of Elastic Block Ciphers

Cryptography 2017 Lecture 2

Lecture 13: Private Key Encryption

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

Historical cryptography. cryptography encryption main applications: military and diplomacy

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Information Security

Lecture 7: CPA Security, MACs, OWFs

Lecture 12: Block ciphers

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

CPSC 467b: Cryptography and Computer Security

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Theory of Computation Chapter 12: Cryptography

5 Pseudorandom Generators

Authentication. Chapter Message Authentication

Solution to Midterm Examination

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 22: RSA Encryption. RSA Encryption

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Chapter 2 : Perfectly-Secret Encryption

1 Public-key encryption

BLOCK CIPHERS KEY-RECOVERY SECURITY

Lecture Notes, Week 6

Solutions to the Midterm Test (March 5, 2011)

CPSC 467: Cryptography and Computer Security

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

5.4 ElGamal - definition

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Dan Boneh. Stream ciphers. The One Time Pad

CS 6260 Applied Cryptography

2 Message authentication codes (MACs)

Introduction to Cryptology. Lecture 3

Introduction to Cybersecurity Cryptography (Part 5)

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Chapter 11 : Private-Key Encryption

9 Knapsack Cryptography

Block Cipher Cryptanalysis: An Overview

Private-Key Encryption

Perfectly-Secret Encryption

Lecture Notes. Advanced Discrete Structures COT S

Public-Key Encryption

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Symmetric Crypto Systems

8 Elliptic Curve Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Semantic Security of RSA. Semantic Security

Block Ciphers/Pseudorandom Permutations

Introduction to Cryptography. Lecture 8

Transcription:

Chosen Plaintext Attacks (CPA)

Goals New Attacks! Chosen Plaintext Attacks (often CPA) is when Eve can choose to see some messages encoded. Formally she has Black Box for ENC k. We will: 1. Define Chosen Plaintext Attack for perfect security. 2. Define Chosen Plaintext Attack for computational security.

Perfect CPA-Security via a Game Π = (GEN, ENC, DEC) be an enc sch, message space M. Game: Alice and Eve are the players. Alice has full access to Π. Eve has access to ENC k. 1. Alice k K. Eve does NOT know k. 2. Eve picks m 0, m 1 M Eve has black box for ENC k. 3. Alice picks m {m 0, m 1 }, c ENC k (m) 4. Alice sends c to Eve. 5. Eve outputs m 0 or m 1, hoping that her output is DEC k (c). 6. Eve wins if she is right. Note: ENC k is randomized, so Eve can t just compute ENC k (m 0 ) and ENC k (m 1 ) and see which one is c. Does Eve has a strategy that wins over half the time?

Perfect CPA-Security Π is secure against chosen-plaintext attacks (CPA-secure) if for all Eve. Pr[Eve Wins] 1 2

Eve always wins if ENC k is Deterministic 1. Eve picks m 0, m 1. Finds c 0 = ENC k (m 0 ), c 1 = ENC k (m 1 ). 2. Alice sends Eve c = ENC k (m b ). Eve has to determine b. 3. If c = c 0 then Eve sets b = 0, if c = c 1 then Eve sets b = 1. Upshot: ALL deterministic schemes are CPA-insecure.

Comp CPA-Security Π = (GEN, ENC, DEC) be an enc sch, message space M. n is a security parameter. Game: Alice and Eve are the players. Alice has full access to Π. Eve has access to ENC k. 1. Alice k K {0, 1} n. Eve does NOT know k. 2. Eve picks m 0, m 1 M, m 0 = m 1 3. Alice picks m {m 0, m 1 }, c ENC k (m) 4. Alice sends c to Eve. 5. Eve outputs m 0 or m 1, hoping that her output is DEC k (c). 6. Eve wins if she is right. Does Eve has a strategy that wins over half the time?

Comp. CPA-Security Π is CPA-Secure if for all Polynomial Prob Time Eves, there is a neg function ɛ(n) such that Pr[Eve Wins] 1 2 + ɛ(n)

Randomized Encryption 1. Any Deterministic Encryption will NOT be CPA-secure. 2. Hence we have to use Randomized Encryption. 3. The issue is not an artifact of our definition: Even being able to tell if two messages are the same is a leak. 4. Next three slides defines Det Encryption, Keyed Functions, Rand Encryption.

Deterministic Encryption (for contrast) n is a security parameter. A Deterministic Private-Key Encryption Scheme has message space M, Key space K = {0, 1} n, and algorithms (GEN, ENC, DEC): 1. GEN generates keys k K. 2. ENC k encrypts messages, DEC k decrypts messages. 3. ( k K)( m M), DEC k (ENC k (m)) = m

Keyed functions 1. Let F : {0, 1} n {0, 1} n {0, 1} n be an efficient, deterministic algorithm 2. Define F k (x) = F (k, x) 3. The first input is called the key 4. Choosing a uniform k {0, 1} n is equivalent to choosing the function F k : {0, 1} n {0, 1} n Note: In literature and the textbook Keyed functions k, x can be diff sizes, but we never do.

Keyed functions 1. Let F : {0, 1} n {0, 1} n {0, 1} n be an efficient, deterministic algorithm 2. Define F k (x) = F (k, x) 3. The first input is called the key 4. Choosing a uniform k {0, 1} n is equivalent to choosing the function F k : {0, 1} n {0, 1} n Note: In literature and the textbook Keyed functions k, x can be diff sizes, but we never do. They are wrong, we are right.

Randomized Encryption A Randomized Private-Key Encryption Scheme has message space M, Key space K = {0, 1} n, algorithms (GEN,ENC,DEC). 1. GEN generates keys k K (Think: picking an F k rand.) 2. ENC k : on input m it picks a rand r {0, 1} n and outputs (r, m F k (r)). 3. DEC k (r, c) = c F k (r). Note: 1. ENC k (m) is not a function- it can return many different pairs. 2. Easy to see that Encrypt-Decrypt works. 3. Rand Shift is not an example, but is the same spirit. 4. General definition that encompasses Rand Shift: Can replace with any invertible operation.

Pseudorandom functions

Pseudorandom functions Informally, a pseudorandom function looks like a random (i.e. uniform) function Can define formally via a Game. We won t. Might be HW or Exam Question. From now on PRF means Pseudorandom function. Will actually get Psuedorandom Permutations for real world use.

Constructing a CPA-Secure Encryption Theorem: If F k is a PRF then the following encryption scheme is CPA-secure. 1. GEN generates keys k K (Think: picking an F k rand.) 2. ENC k : on input m it picks a rand r {0, 1} n and outputs (r, m F k (r)). 3. DEC k (r, c) = c F k (r). Proof Sketch: If not CPA-secure then F k is not a PRF.

A Real World (probably) PRF: Substitution-Permutation Networks (SPNs)

Recall... Want keyed permutation F : {0, 1} n {0, 1} l {0, 1} l n = key length, l = block length Want F k (for uniform, unknown key k) to be indistinguishable from a uniform permutation over {0, 1} l

Substitution-Permutation Networks (SPNs)

Substitution-Permutation Networks (SPNs) For r-rounds: Key will be k = k 1 k r and k i s will be used along with public S-box to create perms. f ki (x) = S i (k i x), where S i is a public permutation S i are called S-boxes (substitution boxes) XORing the key is called key mixing Note that SPN is invertible (given the key)

S-Boxes are HARD to Create Building them so that an SPN is a PRF is a major challenge. Titles of Papers that tried: The Design of S-Boxes by Simulated Annealing A New Chaotic Substitution Box Design for Block ciphers Perfect Nonlinear S-Boxes

S-Boxes are HARD to Create Building them so that an SPN is a PRF is a major challenge. Titles of Papers that tried: The Design of S-Boxes by Simulated Annealing A New Chaotic Substitution Box Design for Block ciphers Perfect Nonlinear S-Boxes If you type in S-Boxes into Google Scholar how many papers to you find?

S-Boxes are HARD to Create Building them so that an SPN is a PRF is a major challenge. Titles of Papers that tried: The Design of S-Boxes by Simulated Annealing A New Chaotic Substitution Box Design for Block ciphers Perfect Nonlinear S-Boxes If you type in S-Boxes into Google Scholar how many papers to you find? 20,000. Given repeats and conference-journal repeats, there are approx 10,000 papers on S-boxes.

Substitution-Permutation Networks (SPNs) 1) There are attacks on 1-round and 2-round SPN s 2) Can extend attacks to r rounds but time complexity goes up. 3) These attacks are better than naive but still too slow. 4) SPN considered secure if r is large enough. 5) AES, a widely used SPN, uses 8-bit S-boxes and at least 9 rounds (and other things) and is thought to be secure.

Substitution-Permutation Networks (SPNs) 1) There are attacks on 1-round and 2-round SPN s 2) Can extend attacks to r rounds but time complexity goes up. 3) These attacks are better than naive but still too slow. 4) SPN considered secure if r is large enough. 5) AES, a widely used SPN, uses 8-bit S-boxes and at least 9 rounds (and other things) and is thought to be secure. For now. 7) Takeway: AES is a real world SPN that is really used and is believed to be a PRF.

Feistel networks

In SPN Network S-boxes Invertible

SPN: PROS and CONS PRO: With enough rounds secure. CON: Hard to come up with invertible S-boxes. Feistel Networks will not need invertible components but will be secure.

Feistel networks 1) Message length is l. Just like SPN. 2) Key k = k 1 k r of length n. r rounds. Just like SPN. 3) k i = n/r. Need NOT be l. Unlike SPN. 4) Use key k i in ith round. Just like SPN. 5) Instead of S-boxes we have public functions ˆf i. Need not be invertible! Unlike SPN. We derive f i (R) = ˆf i (k i, R) from them. For 1-round: Input: L 0 R 0, L 0 = R 0 = l/2. Output: L 1 R 1 where L 1 = R 0, R 1 = L 0 f 1 (R 0 ) Invertible! The nature of f 1 (R) does not matter. 1) Input(L 1 R 1 ) 2) R 0 = L 1. 3) Can compute f 1 (R 0 ) and hence L 0 = R 1 f 1 (R 0 ).

Feistel Network

r-round Feistel networks 1) Message length is l. Just like SPN. 2) Key k = k 1 k r of length n. r rounds. Just like SPN. 3) k i = n/r. Need NOT be l. Unlike SPN. 4) Use key k i in ith round. Just like SPN. 5) Public functions ˆf i. Need not be invertible! Unlike SPN. f i (R) = ˆf i (k i, R) from Input: L 0 R 0, L 0 = R 0 = l/2. Output or Round 1: L 1 R 1 where L 1 = R 0, R 1 = L 0 f 1 (R 0 ) Output or Round 2: L 2 R 2 where L 2 = R 1, R 2 = L 1 f 2 (R 1 )... Output or Round r: L r R r where L r = R r 1, R r = L r 1 f r (R r 1 )

Data Encryption Standard (DES) Standardized in 1977 56-bit keys, 64-bit block length 16-round Feistel network Same round function in all rounds (but different sub-keys) Basically an SPN design! But easier to build.

DES mangler function is fˆi

Security of DES PRO: DES is extremely well-designed

Security of DES PRO: DES is extremely well-designed PRO: Known attacks brute force or need lots of Plaintext.

Security of DES PRO: DES is extremely well-designed PRO: Known attacks brute force or need lots of Plaintext. BIG CON: Parameters are too small! Brute-force search is feasible

56-bit key length A concern as soon as DES was released. Released in 1975, but that was then, this is now. Brute-force search over 2 56 keys is possible 1997: 1000s of computers, 96 days 1998: distributed.net, 41 days 1999: Deep Crack ($250,000), 56 hours 2018: 48 FPGAs, 1 day 2019: Will do as Classroom demo when teach this course in Fall of 2019.

Increasing key length? DES has a key that is too short How to fix? Design new cipher. HARD! Tweak DES so that it takes a larger key. Since this is Hardware not Software this is HARD! Build a new cipher using DES as a black box. EASY?

Double encryption Let F : {0, 1} n {0, 1} l {0, 1} l (i.e. n=56, l=64 for DES) Define F 2 : {0, 1} 2n {0, 1} l {0, 1} l as follows: (still invertible) F 2 k 1,k 2 (x) = F k1 (F k2 (x)) If best known attack on F takes time 2 n, is it reasonable to assume that the best known attack on F 2 takes time 2 2n? Vote! YES, NO, UNKNOWN TO SCIENCE

Double encryption Let F : {0, 1} n {0, 1} l {0, 1} l (i.e. n=56, l=64 for DES) Define F 2 : {0, 1} 2n {0, 1} l {0, 1} l as follows: (still invertible) F 2 k 1,k 2 (x) = F k1 (F k2 (x)) If best known attack on F takes time 2 n, is it reasonable to assume that the best known attack on F 2 takes time 2 2n? Vote! YES, NO, UNKNOWN TO SCIENCE NO The Meet-in-the-Middle attack takes 2 n time. We omit details.

Triple encryption Define F 3 : {0, 1} 3n {0, 1} l {0, 1} l as follows: F 3 k 1,k 2,k 3 (x) = F k1 (F k2 (F k3 (x))) Can do meet-in-the-middle but would be 2 2n. No better attack known.

Two-key triple encryption Define F 3 : {0, 1} 2n {0, 1} l {0, 1} l as follows: F 3 k 1,k 2 (x) = F k1 (F k2 (F k1 (x))) Best attacks take time 2 2n optimal given the key length! Sames on key length. Good for some backward-compatibility issues

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback