Modern Cryptography Lecture 4

1 Modern Cryptography, Lecture 4: Pseudorandom Functions, Block Ciphers, Modes of Operation, Chosen-Ciphertext Security. October 30th, 2018

2 Webpage: the page for the first part, homeworks and slides is http://pub.ist.ac.at/crypto/moderncrypto18.html

3 Recall: Security against Chosen-Plaintext Attacks (CPA)

The ind-cpa game, with security parameter $n \in \mathbb{N}$: the challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$. In the pre-challenge query phase the adversary $A$ repeatedly sends $m \in \{0,1\}^*$ and receives $\mathrm{Enc}_k(m)$. In the challenge phase $A$ sends $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $\mathrm{Enc}_k(m_b)$. In the post-challenge query phase $A$ again sends $m \in \{0,1\}^*$ and receives $\mathrm{Enc}_k(m)$. Finally $A$ outputs a guess $b'$.

Definition 3.22: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) ind-cpa secure if for every PPT adversary $A$: $\Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.

To construct a CPA secure scheme we first need to introduce the notion of pseudorandom functions. But first we'll mention yet another equivalent security notion.

4 Left-or-Right CPA Security

The LR game, with security parameter $n \in \mathbb{N}$: the challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$. The adversary $A$ repeatedly sends pairs $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $\mathrm{Enc}_k(m_b)$. Finally $A$ outputs a guess $b'$.

Definition 3.23: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) LR-ind-CPA secure (in the book this is called CPA secure for multiple encryptions) if for every PPT adversary $A$: $\Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.

Security against LR-ind-CPA implies security against ind-cpa (trivial, tight reduction). The other direction also holds, but the reduction is not tight (it loses a poly factor, namely the number of queries, in the advantage).

5 Recall: Pseudorandom Generators

Definition 3.14: A (deterministic) poly-time algorithm $G : \{0,1\}^n \to \{0,1\}^{l(n)}$ is a pseudorandom generator if
1. (Expansion) $\forall n : l(n) > n$;
2. (Pseudorandomness) $\{G(U_n)\}_{n \in \mathbb{N}}$ is a sequence of pseudorandom distributions, i.e., for all PPT algorithms $D$: $\left|\Pr[D(U_{l(n)}) = 1] - \Pr[D(G(U_n)) = 1]\right| = \mathrm{negl}(n)$.

6 Pseudorandom Functions (3.5.1)

Pseudorandom generator: efficiently expands a random seed so the output can't be efficiently distinguished from a uniformly random string. Pseudorandom function: a keyed, efficiently computable function that can't be efficiently distinguished from a random function.

Definition 3.25 (informal): $F : \{0,1\}^{l_{key}} \times \{0,1\}^{l_{in}} \to \{0,1\}^{l_{out}}$ is a pseudorandom function (PRF) if
1. efficient: the key length, input length and output length are polynomial in the security parameter $n$, say $l_{key}(n) = l_{in}(n) = l_{out}(n) = n$, and $F$ can be computed in polynomial time;
2. secure: $F(k, \cdot)$ with a random key $k \leftarrow \{0,1\}^n$ cannot be distinguished from a random function $\{0,1\}^n \to \{0,1\}^n$.

How do we actually formalize this? Let $\mathrm{Func}_n$ denote the functions $\{0,1\}^n \to \{0,1\}^n$. $|\mathrm{Func}_n| = 2^{2^n \cdot n}$, so an $f \in \mathrm{Func}_n$ requires $2^n \cdot n$ bits to describe. A distinguisher can't even read such a description in $\mathrm{poly}(n)$ time (we could set $l_{in} = \log(n)$, but that's not interesting). Idea: give the distinguisher only oracle access to the function it needs to distinguish!

7 The PRF security game

With security parameter $n \in \mathbb{N}$, the challenger samples $b \leftarrow \{0,1\}$, $k \leftarrow \{0,1\}^n$ and $f \leftarrow \mathrm{Func}_n$. The distinguisher $D$ repeatedly sends $x$ and receives $F(k, x)$ if $b = 0$, or $f(x)$ if $b = 1$. Finally $D$ outputs a guess $b'$.

Definition 3.25: $F : \{0,1\}^{l_{key}} \times \{0,1\}^{l_{in}} \to \{0,1\}^{l_{out}}$ is a pseudorandom function (PRF) if
1. efficient: the key length, input length and output length are polynomial in the security parameter $n$, say $l_{key}(n) = l_{in}(n) = l_{out}(n) = n$, and $F$ can be computed in polynomial time;
2. secure: for every PPT $D$
$$\left|\Pr[b' = 1 \mid b = 0] - \Pr[b' = 1 \mid b = 1]\right| = \left|\Pr_{k \leftarrow \{0,1\}^n}\left[D^{F(k,\cdot)} = 1\right] - \Pr_{f \leftarrow \mathrm{Func}_n}\left[D^{f(\cdot)} = 1\right]\right| = \mathrm{negl}(n).$$

8 Pseudorandom Permutations

Let $\mathrm{Perm}_n \subset \mathrm{Func}_n$ denote all permutations over $\{0,1\}^n$; $|\mathrm{Perm}_n| = 2^n!$. We can define pseudorandom permutations almost exactly like pseudorandom functions.

Definition: $F : \{0,1\}^{l_{key}} \times \{0,1\}^{l_{in}} \to \{0,1\}^{l_{out}}$ is a pseudorandom permutation (PRP) if
1. efficient: defined like for PRFs;
2. $F_k(\cdot)$ is a permutation (so in particular $l_{in}(n) = l_{out}(n)$ for all $n$);
3. secure: for every PPT $D$
$$\left|\Pr_{k \leftarrow \{0,1\}^{l_{key}(n)}}\left[D^{F(k,\cdot)} = 1\right] - \Pr_{f \leftarrow \mathrm{Perm}_{l_{in}(n)}}\left[D^{f(\cdot)} = 1\right]\right| = \mathrm{negl}(n).$$

Proposition 3.27: If $F$ is a pseudorandom permutation and $l_{in}(n) \ge n$ (actually $l_{in}(n) \in \omega(\log n)$ is sufficient), then $F$ is also a pseudorandom function. This follows from the PRP/PRF switching lemma: the advantage in distinguishing a random permutation over $\{0,1\}^m$ from a random function $\{0,1\}^m \to \{0,1\}^m$ when making $q$ queries is at most $q^2/2^m$.

9 Strong Pseudorandom Permutations

For a permutation, inverse queries are also well defined. A PRP that is secure even when allowing inverse queries is called a strong PRP.

Definition 3.28: $F : \{0,1\}^{l_{key}} \times \{0,1\}^{l_{in}} \to \{0,1\}^{l_{out}}$ is a strong pseudorandom permutation if for every $k$, $F(k, \cdot)$ is a permutation where $F_k(\cdot)$ and $F_k^{-1}(\cdot)$ can be efficiently computed, and for every PPT $D$
$$\left|\Pr_{k \leftarrow \{0,1\}^{l_{key}(n)}}\left[D^{F(k,\cdot),\,F^{-1}(k,\cdot)} = 1\right] - \Pr_{f \leftarrow \mathrm{Perm}_{l_{in}(n)}}\left[D^{f(\cdot),\,f^{-1}(\cdot)} = 1\right]\right| = \mathrm{negl}(n).$$

In practice, block ciphers are designed to be strong PRPs, though not in an asymptotic sense but for fixed key lengths and block sizes, and assuming that brute force is the best attack to distinguish.
DES, 1975: $l_{in} = 64$, $l_{key} = 56$.
AES, 1998: $l_{in} = 128$, $l_{key} \in \{128, 192, 256\}$.

10 CPA secure encryption from PRFs/PRPs (3.5.2)

For a strong PRP $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ consider $\mathrm{Enc}_k(m) = F_k(m)$, $\mathrm{Dec}_k(c) = F_k^{-1}(c)$. A single encryption $F_k(m)$ doesn't leak anything about $m$, but the scheme is not CPA secure because it is deterministic, so $m = m'$ implies $F_k(m) = F_k(m')$.

Construction 3.30: for a PRF $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$,
$\mathrm{Enc}(k, m \in \{0,1\}^n)$: sample $r \leftarrow \{0,1\}^n$, output $c := \langle r, m \oplus F_k(r) \rangle$;
$\mathrm{Dec}(k, c = \langle r, s \rangle)$: output $m := F_k(r) \oplus s$.

Theorem 3.31: If $F$ is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length $n$.

11 Proof of Thm. 3.31

Theorem 3.31: If $F$ is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length $n$.

Proof sketch: Consider the new scheme $\tilde{\Pi}$ where $F_k$, $k \leftarrow \{0,1\}^n$, is replaced with a random function $f \leftarrow \mathrm{Func}_n$. If $F$ is a PRF then no adversary can distinguish the original construction from $\tilde{\Pi}$ (with non-negligible probability). $\tilde{\Pi}$ is CPA secure: let $\langle r^*, s^* \rangle$ denote the challenge ciphertext. If $r^*$ was not used in any of the other $q(n)$ encryptions then the challenge ciphertext $\langle r^*, s^* \rangle = \langle r^*, f(r^*) \oplus m_b \rangle$ perfectly hides $b$. The probability that $r^*$ has been used before is $q(n)/2^n = \mathrm{negl}(n)$.

12 Block-Cipher Modes of Operation (3.6.2)

Construction 3.30, where $\mathrm{Enc}_k(m) = \langle r, F_k(r) \oplus m \rangle$, only works for messages of fixed length $n$. One can encrypt a long message $m = m_1, \ldots, m_l \in \{0,1\}^{n \cdot l}$ as $\mathrm{Enc}_k(m_1), \ldots, \mathrm{Enc}_k(m_l)$, but the ciphertext is twice as long as the message and it uses a lot of randomness. Block-cipher modes of operation provide a way of encrypting arbitrary-length messages with less overhead (ciphertext size, randomness). In general, the term "mode of operation" refers to a construction which turns a simple building block (e.g. PRF, PRP/block cipher, hash function) into a useful cryptographic scheme (e.g. encryption/authentication for arbitrary-length messages).

13 Electronic Code Book (ECB) mode

Naïve mode of operation where we just apply the block cipher to each plaintext block, $c_i := F_k(m_i)$ (diagram: $m_1, m_2, m_3 \mapsto c_1, c_2, c_3$). DON'T USE, JUST DISCUSSED FOR HISTORIC REASONS. ECB is deterministic (i.e., encrypting the same message twice gives the same ciphertext both times), and thus can't be CPA secure. (Slide: "ECB in practice", image.)

14 Cipher Block Chaining (CBC) mode

$\mathrm{Enc}_k(m_1, \ldots, m_l)$: random $IV \leftarrow \{0,1\}^n$, $c_0 := IV$, $c_i := F_k(c_{i-1} \oplus m_i)$, $c := \langle IV, c_1, \ldots, c_l \rangle$. (Diagram: $m_1, m_2, m_3 \mapsto c_1, c_2, c_3$, each $m_i$ XORed with the previous ciphertext block before $F_k$.)

Homework: what if IVs are just distinct, not random?

Chained CBC (SSL 3.0 and TLS 1.0) reuses the last ciphertext block as the new IV: the next message $m_4, m_5$ is encrypted with $IV := c_3$. Susceptible to CPA attack!

15 Output Feedback (OFB) mode

$\mathrm{Enc}_k(m_1, \ldots, m_l)$: random $IV \leftarrow \{0,1\}^n$, $y_0 := IV$, $y_i := F_k(y_{i-1})$, $c_i := y_i \oplus m_i$, $c := \langle IV, c_1, \ldots, c_l \rangle$.

Comparison to CBC: $F_k$ does not need to be invertible, so any PRF can be used instead of a PRP. The plaintext length does not need to be a multiple of $n$; the keystream can be capped at any point. Unlike for CBC, the stateful variant (where the last $y_l$ is used as the IV for the next encryption) is secure (synchronized stream-cipher mode). Still sequential like CBC, but the $y_i$ can be computed before the $m_i$ are known. Computing $c_i$ from $y_i, m_i$ is extremely fast and parallelizable.

16 Counter (CTR) mode

$\mathrm{Enc}_k(m_1, \ldots, m_l)$: random $ctr \leftarrow \{0,1\}^n$, $y_i := F_k(ctr + i)$, $c_i := y_i \oplus m_i$, $c := \langle ctr, c_1, \ldots, c_l \rangle$. (Diagram: $F_k(ctr+1), F_k(ctr+2), F_k(ctr+3)$ XORed with $m_1, m_2, m_3$ give $c_1, c_2, c_3$.) Fully parallelizable! Can decode individual blocks.

Theorem 3.2: If $F$ is a PRF then the CTR mode is CPA-secure.

Proof sketch: Define the scheme $\tilde{\Pi}$ where we replace $F_k$, $k \leftarrow \{0,1\}^n$, with a random function $f \leftarrow \mathrm{Func}_n$. If an adversary can distinguish $\tilde{\Pi}$ from the actual scheme we have a distinguisher for the PRF. The security of $\tilde{\Pi}$ can now be proven using information-theoretic arguments: if the inputs $ctr + 1, \ldots, ctr + l$ used in the challenge ciphertext do not collide with any other inputs ever used, encryption is perfect. So we can bound the advantage by the probability of a collision. The collision probability is $q(n)^2/2^n$ where $q(n)$ is the total number of encrypted blocks. As $q(n) = \mathrm{poly}(n)$ this probability is negligible.

Concrete security: CTR, CBC and OFB can all be broken with advantage $q(n)^2/2^n$ by an attacker making $q(n)$ queries. So the concrete security is only around $2^{n/2}$; one thus should use PRFs with a large enough block size. $n = 64$ as in DES is not enough, as $2^{n/2}$ blocks is only 34GB of plaintext. AES with $n = 128$ is plenty.
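CTR and OFB mode over a PRF, together with the $q^2/2^n$ concrete-security bound from the slide, as an added example that is not the lecture's own code: the PRF $F_k$ is HMAC-SHA256 truncated to one 16-byte block (assumed to be a PRF), the key and message are constructed, and the CTR decryption is written per block to show the random access the slide mentions.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes: n = 128 bits, as for AES


def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to one block. This is a PRF, not a
    permutation, which is all OFB and CTR need (assumption: HMAC is a PRF)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    # truncates to the shorter input, so a short final block needs no padding
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_input(ctr: int, i: int) -> bytes:
    """The block-cipher input ctr + i, taken mod 2^n like an n-bit counter."""
    return ((ctr + i) % (1 << (8 * N))).to_bytes(N, "big")


def ctr_encrypt(key: bytes, m: bytes, ctr: int = None) -> bytes:
    """CTR mode: y_i := F_k(ctr + i), c_i := y_i xor m_i, c := <ctr, c_1..c_l>."""
    if ctr is None:
        ctr = int.from_bytes(secrets.token_bytes(N), "big")  # random ctr
    out = [ctr.to_bytes(N, "big")]
    for i, start in enumerate(range(0, len(m), N), start=1):
        out.append(xor(prf(key, ctr_input(ctr, i)), m[start:start + N]))
    return b"".join(out)


def ctr_decrypt_block(key: bytes, c: bytes, i: int) -> bytes:
    """Decrypt block i (1-based) alone: y_i depends only on ctr and i, so
    CTR decryption is random access and fully parallelizable."""
    ctr = int.from_bytes(c[:N], "big")
    return xor(prf(key, ctr_input(ctr, i)), c[N * i:N * (i + 1)])


def ctr_decrypt(key: bytes, c: bytes) -> bytes:
    blocks = -(-(len(c) - N) // N)  # ceil((|c| - n) / n)
    return b"".join(ctr_decrypt_block(key, c, i) for i in range(1, blocks + 1))


def ofb_encrypt(key: bytes, m: bytes, iv: bytes = None) -> bytes:
    """OFB mode: y_0 := IV, y_i := F_k(y_{i-1}), c_i := y_i xor m_i.
    The keystream y_1, y_2, ... is sequential but independent of m."""
    if iv is None:
        iv = secrets.token_bytes(N)
    y, out = iv, [iv]
    for start in range(0, len(m), N):
        y = prf(key, y)
        out.append(xor(y, m[start:start + N]))
    return b"".join(out)


def ofb_decrypt(key: bytes, c: bytes) -> bytes:
    # same keystream, so decryption is encryption with the transmitted IV
    return ofb_encrypt(key, c[N:], iv=c[:N])[N:]


def collision_advantage(q: int, n: int) -> float:
    """Slide 16 bound: after q encrypted blocks an attacker's advantage is
    about q^2 / 2^n (the block inputs ctr + i start to collide)."""
    return q * q / 2 ** n


def birthday_plaintext_bytes(n: int) -> int:
    """Bytes of plaintext in q = 2^(n/2) blocks of n bits, where the bound
    above becomes useless: 2^35 bytes (about 34 GB) for n = 64."""
    return 2 ** (n // 2) * (n // 8)
```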

17 Chosen-Ciphertext Attacks (3.7)

A chosen-ciphertext (CCA) attack is defined like a chosen-plaintext attack (CPA), but the attacker is not only given access to an encryption oracle $\mathrm{Enc}_k(\cdot)$, but additionally given access to a decryption oracle $\mathrm{Dec}_k(\cdot)$.

The ind-cca game, with security parameter $n \in \mathbb{N}$: the challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$. The adversary $A$ may send $m \in \{0,1\}^*$ and receive $\mathrm{Enc}_k(m)$, or send $c \in \{0,1\}^*$ and receive $\mathrm{Dec}_k(c)$. In the challenge phase $A$ sends $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $c^* := \mathrm{Enc}_k(m_b)$. Afterwards $A$ gets more access to $\mathrm{Enc}_k$ and $\mathrm{Dec}_k$, but may not query $\mathrm{Dec}_k$ on $c^*$. Finally $A$ outputs a guess $b'$.

Definition 3.33: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) ind-cca secure if for every PPT adversary $A$: $\Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.

18 CCA Security of the schemes we've seen so far

None of the schemes we've seen so far is CCA secure. Consider e.g. the simple scheme $\mathrm{Enc}_k(m) := \langle r, F_k(r) \oplus m \rangle$. Assume the adversary is given the challenge ciphertext $\langle r, s := F_k(r) \oplus m_b \rangle$. For any $x \ne 0^n$ he can ask for $\mathrm{Dec}_k(\langle r, s \oplus x \rangle) = s \oplus x \oplus F_k(r) = m_b \oplus x$, and so learns $m_b \oplus x$, and thus $b$.

CCA security implies/requires non-malleability. Very informally, this means that a ciphertext cannot be changed into a ciphertext of a related message.
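Construction 3.30 from slide 10 and the malleability observation above, as an added example that is not the lecture's own code: the PRF is HMAC-SHA256 truncated to one 16-byte block (assumed to be a PRF), and the key and messages are constructed. The `malleate` function only re-derives the slide's point that $\langle r, s \oplus x \rangle$ decrypts to $m \oplus x$, which is why this CPA-secure scheme fails ind-cca and must be combined with authentication in practice.

```python
import hashlib
import hmac
import secrets

N = 16  # n = 128 bits: messages, keys and PRF outputs are one block


def prf(key: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bits (assumption: HMAC is a PRF)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(key: bytes, m: bytes, r: bytes = None) -> bytes:
    """Construction 3.30: Enc_k(m) = <r, F_k(r) xor m> with r uniformly random.
    The caller may fix r only to make the scheme deterministic for the tests;
    a real implementation always samples it fresh (slide 10: a deterministic
    scheme cannot be CPA secure)."""
    if len(m) != N:
        raise ValueError("Construction 3.30 handles messages of length n only")
    if r is None:
        r = secrets.token_bytes(N)
    return r + xor(prf(key, r), m)


def dec(key: bytes, c: bytes) -> bytes:
    """Dec_k(<r, s>) = F_k(r) xor s."""
    r, s = c[:N], c[N:]
    return xor(prf(key, r), s)


def malleate(c: bytes, x: bytes) -> bytes:
    """Slide 18: <r, s xor x> decrypts to m xor x, without knowing k. A
    decryption oracle therefore reveals m_b xor x, so the scheme is CPA
    secure but not CCA secure; CCA security needs non-malleability."""
    return c[:N] + xor(c[N:], x)
```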

19 Padding-Oracle Attacks (3.7.2)

We'll discuss an attack where the attacker launches a very weak (and realistic) form of chosen-ciphertext attack. He only needs to learn if the chosen ciphertexts are valid or not.

PKCS#5 padding: CBC can only encrypt messages whose length is a multiple of the block size of the underlying PRP (typically 16 bytes). If the message does not have this property, it needs to be padded to the right length. Assume $m$ is $L$ bytes long and let $b := (16 - L) \bmod 16$ (so $L + b$ is a multiple of 16). To pad $m$, just append $b$ times the value $b$ to the end (except if $b = 0$, then add it 16 times), e.g.
Hello -> Hello BBBBBBBBBBB (here B is 11 in hexadecimal),
HelloWorld -> HelloWorld 666666,
abcdefghijklmnop -> abcdefghijklmnop followed by a full block of 16 padding bytes.

To remove the padding, read the last byte, say it has value $b$, then check if the last $b$ bytes all have value $b$; if yes, remove the last $b$ bytes and output the remaining string, otherwise output a padding error.

CBC encryption of a (padded) message $m_1 m_2$: $A$ observes $c := (IV, c_1, c_2)$, where $m_2 = F_k^{-1}(c_2) \oplus c_1$ ends in $b \ldots b$ ($b$ times). Decryption checks if the plaintext has correct padding; if not, it returns an error. Given access to a decryption oracle that just tells if a ciphertext is valid allows to recover the entire message!

If we change $c_1$ to a $c_1' \ne c_1$, the last block will be decoded to $m_2' = F_k^{-1}(c_2) \oplus c_1' \ne m_2$. An adversary given access to a decryption oracle which only tells if decryption failed can learn $b$: change the first byte of $c_1$; if decryption fails then $b = 16$, otherwise change the 2nd byte of $c_1$; if decryption fails then $b = 15$, etc.
Hello BBBBBBBBBBB -> Xello BBBBBBBBBBB: padding ok.
Hello BBBBBBBBBBB -> XXXXX XBBBBBBBBBB: not ok.

Once $A$ has learned $b$, he knows $m_2$ ends in $\beta\, b \ldots b$ ($b$ times) for some $\beta$. Define
$$\Delta_i := \bigl(0 \ldots 0\; i\; \underbrace{(b+1) \ldots (b+1)}_{b \text{ times}}\bigr) \oplus \bigl(0 \ldots 0\; \underbrace{b \ldots b}_{b \text{ times}}\bigr).$$
Replacing $c_1$ with $c_1 \oplus \Delta_i$ will return a padding error except if the last $b + 1$ bytes of $m_2 \oplus \Delta_i$ are all $(b+1)$, which holds iff $\beta \oplus i = (b+1)$. So $A$ can learn $\beta$ in at most $2^8$ queries.
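The padding scheme and its check from slides 19-2 and 19-3, as an added example (not the lecture's own code), run over the slide's own inputs; it follows the standard PKCS#7 convention of appending a full block of value 0x10 when the length is already a multiple of 16. `padding_valid` is the single bit a padding oracle leaks, and `flip_byte` reproduces the Hello -> Xello experiment of slide 19-6 on the decrypted last block.

```python
BLOCK = 16  # block size in bytes of the underlying PRP (AES-sized)


class PaddingError(ValueError):
    """Raised when the padding check fails. Any channel that lets an attacker
    tell this error apart from other decryption failures is the oracle."""


def pad(m: bytes) -> bytes:
    """PKCS#5/#7 padding: b := 16 - (L mod 16) copies of the byte b.
    When L is already a multiple of 16 a full block of 0x10 is appended
    (the standard PKCS#7 convention), so the padding is always removable."""
    b = BLOCK - (len(m) % BLOCK)
    return m + bytes([b]) * b


def unpad(p: bytes) -> bytes:
    """Read the last byte b, check that the last b bytes all equal b, then
    strip them; otherwise report a padding error."""
    if not p or len(p) % BLOCK != 0:
        raise PaddingError("length is not a multiple of the block size")
    b = p[-1]
    if not 1 <= b <= BLOCK or p[-b:] != bytes([b]) * b:
        raise PaddingError("bad padding")
    return p[:-b]


def padding_valid(p: bytes) -> bool:
    """The single bit a padding oracle leaks about a decrypted last block."""
    try:
        unpad(p)
        return True
    except PaddingError:
        return False


def flip_byte(p: bytes, pos: int) -> bytes:
    """Overwrite byte pos with 'X', mirroring the slide's Hello -> Xello
    experiment: in CBC, XORing a difference into c_1 changes exactly these
    bytes of the decrypted m_2, so the oracle's answer depends on whether
    the changed byte lies inside the padding."""
    return p[:pos] + b"X" + p[pos + 1:]
```

A decryption routine that exposes this bit is the oracle of the attack above; the defence is to verify a MAC over the ciphertext before decrypting (a CCA-secure scheme), so that the padding check is never reached on attacker-modified ciphertexts.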