1 Modern Cryptography, Lecture 4: Pseudorandom Functions, Block-Ciphers, Modes of Operation, Chosen-Ciphertext Security
October 30th, 2018
2 Webpage
Page for the first part, homeworks and slides: http://pub.ist.ac.at/crypto/moderncrypto18.html
3 Recall: Security against Chosen-Plaintext Attacks (CPA)
Security parameter $n \in \mathbb{N}$. The challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$.
Pre-challenge query phase: the adversary $\mathcal{A}$ sends $m \in \{0,1\}^*$ and receives $\mathrm{Enc}_k(m)$ (repeatedly).
Challenge phase: $\mathcal{A}$ sends $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $\mathrm{Enc}_k(m_b)$.
Post-challenge query phase: as before, $\mathcal{A}$ sends $m \in \{0,1\}^*$ and receives $\mathrm{Enc}_k(m)$.
Guess: $\mathcal{A}$ outputs $b'$.
Definition 3.22: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) ind-cpa secure if for every PPT adversary
$\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{\mathcal{A},\Pi}(n) = 1] \stackrel{\mathrm{def}}{=} \Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.
To construct a CPA secure scheme we first need to introduce the notion of pseudorandom functions. But first we'll mention yet another equivalent security notion.
4 Left-or-Right CPA Security
Security parameter $n \in \mathbb{N}$; the challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$. The adversary $\mathcal{A}$ repeatedly sends pairs $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $\mathrm{Enc}_k(m_b)$; finally it outputs a guess $b'$.
Definition 3.23: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) LR-ind-CPA secure (in the book this is called CPA secure for multiple encryptions) if for every PPT adversary $\Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.
LR-ind-CPA security implies ind-cpa security (trivial, tight reduction). The other direction also holds, but the reduction is not tight (it loses a poly factor, namely the number of queries, in the advantage).
5 Recall: Pseudorandom Generators
Definition 3.14: A (deterministic) poly-time algorithm $G : \{0,1\}^n \to \{0,1\}^{\ell(n)}$ is a pseudorandom generator if
1. (Expansion) $\forall n: \ell(n) > n$.
2. (Pseudorandomness) $\{G(U_n)\}_{n \in \mathbb{N}}$ is a sequence of pseudorandom distributions, i.e., for all PPT algorithms $D$: $|\Pr[D(U_{\ell(n)}) = 1] - \Pr[D(G(U_n)) = 1]| = \mathrm{negl}(n)$.
6 Pseudorandom Functions (3.5.1)
Pseudorandom generator: efficiently expands a random seed so the output can't be efficiently distinguished from a uniformly random string.
Pseudorandom function: a keyed, efficiently computable function that can't be efficiently distinguished from a random function.
Definition 3.25 (informal): $F : \{0,1\}^{\ell_{key}} \times \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ is a pseudorandom function (PRF) if
1. efficient: the key-length, input-length and output-length are polynomial in the security parameter $n$, say $\ell_{key}(n) = \ell_{in}(n) = \ell_{out}(n) = n$, and $F$ can be computed in polynomial time.
2. secure: $F(k, \cdot)$ with a random key $k \leftarrow \{0,1\}^n$ cannot be distinguished from a random function $\{0,1\}^n \to \{0,1\}^n$.
How do we actually formalize this?
Let $\mathrm{Func}_n$ denote the set of all functions $\{0,1\}^n \to \{0,1\}^n$. $|\mathrm{Func}_n| = 2^{2^n \cdot n}$, so an $f \in \mathrm{Func}_n$ requires $2^n \cdot n$ bits to describe. A distinguisher can't even read such a description in $\mathrm{poly}(n)$ time (we could set $\ell_{in} = \log(n)$, but that's not interesting).
Idea: give the distinguisher only oracle access to the function it needs to distinguish!
7 The PRF security game
Security parameter $n \in \mathbb{N}$. The challenger samples $b \leftarrow \{0,1\}$, $k \leftarrow \{0,1\}^n$ and $f \leftarrow \mathrm{Func}_n$. On each query $x$ from the distinguisher $D$ it answers $F(k, x)$ if $b = 0$ and $f(x)$ if $b = 1$. Finally $D$ outputs $b'$.
Definition 3.25: $F : \{0,1\}^{\ell_{key}} \times \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ is a pseudorandom function (PRF) if
1. efficient: the key-length, input-length and output-length $\ell_{out}$ are polynomial in the security parameter $n$, say $\ell_{key}(n) = \ell_{in}(n) = \ell_{out}(n) = n$, and $F$ can be computed in polynomial time.
2. secure: for every PPT $D$
$|\Pr[b' = 1 \mid b = 0] - \Pr[b' = 1 \mid b = 1]| = \left|\Pr_{k \leftarrow \{0,1\}^n}[D^{F(k,\cdot)} = 1] - \Pr_{f \leftarrow \mathrm{Func}_n}[D^{f(\cdot)} = 1]\right| = \mathrm{negl}(n)$.
8 Pseudorandom Permutations
Let $\mathrm{Perm}_n \subset \mathrm{Func}_n$ denote all permutations over $\{0,1\}^n$; $|\mathrm{Perm}_n| = 2^n!$. We can define pseudorandom permutations almost exactly like pseudorandom functions.
Definition: $F : \{0,1\}^{\ell_{key}} \times \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ is a pseudorandom permutation (PRP) if
1. efficient: defined like for PRFs.
2. $F(k, \cdot)$ is a permutation (so in particular $\ell_{in}(n) = \ell_{out}(n)$ for all $n$).
3. secure: for every PPT $D$
$\left|\Pr_{k \leftarrow \{0,1\}^{\ell_{key}(n)}}[D^{F(k,\cdot)} = 1] - \Pr_{f \leftarrow \mathrm{Perm}_{\ell_{in}(n)}}[D^{f(\cdot)} = 1]\right| = \mathrm{negl}(n)$.
Proposition 3.27: If $F$ is a pseudorandom permutation and $\ell_{in}(n) \ge n$ (actually, $\ell_{in}(n) \in \omega(\log(n))$ is sufficient), then $F$ is also a pseudorandom function.
This follows from the PRP/PRF switching lemma: the advantage in distinguishing a random permutation over $\{0,1\}^m$ from a random function $\{0,1\}^m \to \{0,1\}^m$ when making $q$ queries is at most $q^2/2^m$.
9 Strong Pseudorandom Permutations
For a permutation, inverse queries are also well defined. A PRP that is secure even when allowing inverse queries is called a strong PRP.
Definition 3.28: $F : \{0,1\}^{\ell_{key}} \times \{0,1\}^{\ell_{in}} \to \{0,1\}^{\ell_{out}}$ is a strong pseudorandom permutation if for every $k$, $F(k, \cdot)$ is a permutation where $F_k(\cdot)$ and $F_k^{-1}(\cdot)$ can be efficiently computed, and for every PPT $D$
$\left|\Pr_{k \leftarrow \{0,1\}^{\ell_{key}(n)}}[D^{F(k,\cdot),F^{-1}(k,\cdot)} = 1] - \Pr_{f \leftarrow \mathrm{Perm}_{\ell_{in}(n)}}[D^{f(\cdot),f^{-1}(\cdot)} = 1]\right| = \mathrm{negl}(n)$.
In practice, block-ciphers are designed to be strong PRPs, though not in an asymptotic sense but for fixed key-lengths and block-size, and assuming that brute-force is the best attack to distinguish.
DES (1975): $\ell_{in} = 64$, $\ell_{key} = 56$.
AES (1998): $\ell_{in} = 128$, $\ell_{key} \in \{128, 192, 256\}$.
10 CPA secure encryption from PRFs/PRPs (3.5.2)
For a strong PRP $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ consider $\mathrm{Enc}_k(m) = F_k(m)$, $\mathrm{Dec}_k(c) = F_k^{-1}(c)$.
A single encryption $F_k(m)$ doesn't leak anything about $m$, but the scheme is not CPA secure because it is deterministic, so $m = m'$ implies $F_k(m) = F_k(m')$.
Construction 3.30: $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$.
$\mathrm{Enc}(k, m \in \{0,1\}^n)$: sample $r \leftarrow \{0,1\}^n$, output $c := \langle r, m \oplus F_k(r) \rangle$.
$\mathrm{Dec}(k, c = \langle r, s \rangle)$: output $m := F_k(r) \oplus s$.
Theorem 3.31: If $F$ is a PRF then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length $n$.

11 Proof of Thm. 3.31
Proof sketch: Consider the new scheme $\tilde{\Pi}$ where $F_k$, $k \leftarrow \{0,1\}^n$, is replaced with a random function $f \leftarrow \mathrm{Func}_n$. If $F$ is a PRF then no adversary can distinguish the original construction from $\tilde{\Pi}$ (with non-negligible probability).
$\tilde{\Pi}$ is CPA secure: let $\langle r, s \rangle$ denote the challenge ciphertext. If $r$ was not used in any of the other $q(n)$ encryptions, then the challenge ciphertext $\langle r, s = f(r) \oplus m_b \rangle$ perfectly hides $b$. The probability that $r$ has been used before is $q(n)/2^n = \mathrm{negl}(n)$.
12 Block-Cipher Modes of Operation (3.6.2)
Construction 3.30, where $\mathrm{Enc}_k(m) = \langle r, F_k(r) \oplus m \rangle$, only works for messages of fixed length $n$. One can encrypt a long message $m = m_1, \ldots, m_\ell \in \{0,1\}^{n\ell}$ as $\mathrm{Enc}_k(m_1), \ldots, \mathrm{Enc}_k(m_\ell)$, but then the ciphertext is twice as long as the message and it uses a lot of randomness.
Block-cipher modes of operation provide a way of encrypting arbitrary length messages with less overhead (ciphertext size, randomness).
In general, the term mode of operation refers to a construction which turns a simple building block (e.g. PRF, PRP/block-cipher, hash function) into a useful cryptographic scheme (e.g. encryption/authentication for arbitrary length messages).
13 Electronic Code Book (ECB) mode
Naïve mode of operation where we just apply the block-cipher to each plaintext block (figure: $m_1, m_2, m_3$ encrypted block by block to $c_1, c_2, c_3$). DON'T USE, JUST DISCUSSED FOR HISTORIC REASONS.
ECB is deterministic (i.e., encrypting the same message twice gives the same ciphertext both times), and thus can't be CPA secure.
(Figure: ECB in practice.)
14 Cipher Block Chaining (CBC) mode
$\mathrm{Enc}_k(m_1, \ldots, m_\ell)$: random $IV \leftarrow \{0,1\}^n$, $c_0 := IV$, $c_i := F_k(c_{i-1} \oplus m_i)$, output $c := \langle IV, c_1, \ldots, c_\ell \rangle$.
Homework: what if IVs are just distinct, not random?
Chained CBC (SSL 3.0 and TLS 1.0) reuses the last ciphertext block as the IV for the next encryption (figure: $c_3$ serves as the IV for $m_4, m_5$). Susceptible to a CPA attack!
15 Output Feedback (OFB) mode
$\mathrm{Enc}_k(m_1, \ldots, m_\ell)$: random $IV \leftarrow \{0,1\}^n$, $y_0 := IV$, $y_i := F_k(y_{i-1})$, $c_i := y_i \oplus m_i$, output $c := \langle IV, c_1, \ldots, c_\ell \rangle$.
Comparison to CBC: $F_k$ does not need to be invertible, so one can use any PRF instead of a PRP. The plaintext length does not need to be a multiple of $n$; the keystream can be capped at any point. Unlike for CBC, the stateful variant (where the last $y_\ell$ is used as the IV for the next encryption) is secure (synchronized stream-cipher mode). Still sequential like CBC, but the $y_i$ can be computed before the $m_i$ are known. Computing $c_i$ from $y_i, m_i$ is extremely fast and parallelizable.
16 Counter (CTR) mode
$\mathrm{Enc}_k(m_1, \ldots, m_\ell)$: random $ctr \leftarrow \{0,1\}^n$, $y_i := F_k(ctr + i)$, $c_i := y_i \oplus m_i$, output $c := \langle ctr, c_1, \ldots, c_\ell \rangle$.
Fully parallelizable! Can decode individual blocks.
Theorem 3.2: If $F$ is a PRF then CTR mode is CPA-secure.
Proof sketch: Define the scheme $\tilde{\Pi}$ where we replace $F_k$, $k \leftarrow \{0,1\}^n$, with a random function $f \leftarrow \mathrm{Func}_n$. If an adversary can distinguish $\tilde{\Pi}$ from the actual scheme we have a distinguisher for the PRF. The security of $\tilde{\Pi}$ can now be proven using information theoretic arguments: if the inputs $ctr + 1, \ldots, ctr + \ell$ used in the challenge ciphertext do not collide with any other inputs ever used, encryption is perfect. So we can bound the advantage by the probability of a collision. The collision probability is $q(n)^2/2^n$ where $q(n)$ is the total number of encrypted blocks. As $q(n) = \mathrm{poly}(n)$ this probability is negligible.
Concrete security: CTR, CBC and OFB can all be broken with advantage $q(n)^2/2^n$ by an attacker making $q(n)$ queries. So the concrete security is only around $2^{n/2}$; one thus should use PRFs with a large enough block size. $n = 64$ as in DES is not enough, as $2^{n/2}$ blocks is only 34GB of plaintext. AES, where $n = 128$, is plenty.
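CTR mode as written on the slide, as an added example (not code from the lecture): the PRF $F_k$ is instantiated with HMAC-SHA256 truncated to $n = 128$ bits (an assumption for the example; any PRF works since no inverse is needed), the keystream is cut at the message length, individual blocks can be decrypted on their own, and `collision_bound` evaluates the $q(n)^2/2^n$ bound from the concrete-security remark.

```python
import hmac
import hashlib
import os

N_BYTES = 16  # block length n = 128 bits


def prf(key: bytes, x: bytes) -> bytes:
    # F_k(x): HMAC-SHA256 truncated to n bits. Assumed to be a PRF for this example;
    # CTR mode never needs F_k^{-1}, so a PRF that is not a permutation is fine.
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def block_input(ctr: int, i: int) -> bytes:
    # ctr + i as an n-bit string (addition modulo 2^n, so the counter wraps around).
    return ((ctr + i) % 2 ** (8 * N_BYTES)).to_bytes(N_BYTES, "big")


def ctr_encrypt(key: bytes, m: bytes, ctr=None) -> bytes:
    # Enc_k(m_1..m_l): y_i := F_k(ctr + i), c_i := y_i xor m_i, output <ctr, c_1..c_l>.
    # The keystream is cut at len(m), so |m| need not be a multiple of n.
    if ctr is None:
        ctr = int.from_bytes(os.urandom(N_BYTES), "big")  # random ctr in {0,1}^n
    nblocks = -(-len(m) // N_BYTES)  # ceil(len(m) / N_BYTES)
    stream = b"".join(prf(key, block_input(ctr, i)) for i in range(1, nblocks + 1))
    return ctr.to_bytes(N_BYTES, "big") + bytes(a ^ b for a, b in zip(m, stream))


def ctr_decrypt(key: bytes, c: bytes) -> bytes:
    # Decryption re-derives the same keystream from the transmitted ctr and xors again.
    ctr = int.from_bytes(c[:N_BYTES], "big")
    return ctr_encrypt(key, c[N_BYTES:], ctr)[N_BYTES:]


def ctr_decrypt_block(key: bytes, c: bytes, i: int) -> bytes:
    # Random access: plaintext block i (1-based) needs only ctr, c_i and one PRF call.
    ctr = int.from_bytes(c[:N_BYTES], "big")
    c_i = c[N_BYTES * i:N_BYTES * (i + 1)]
    return bytes(a ^ b for a, b in zip(c_i, prf(key, block_input(ctr, i))))


def collision_bound(q: int, n: int) -> float:
    # Concrete security from the slide: advantage at most q^2 / 2^n after q encrypted
    # blocks; with n = 64 the bound is already 1 at q = 2^32 blocks (about 34GB).
    return q * q / 2 ** n
```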
17 Chosen-Ciphertext Attacks (3.7)
A chosen-ciphertext (CCA) attack is defined like a chosen-plaintext attack (CPA), but the attacker is not only given access to an encryption oracle $\mathrm{Enc}_k(\cdot)$, but additionally to a decryption oracle $\mathrm{Dec}_k(\cdot)$.
Game: security parameter $n \in \mathbb{N}$; the challenger samples $k \leftarrow \mathrm{Gen}(1^n)$ and $b \leftarrow \{0,1\}$. Query phase: $\mathcal{A}$ sends $m \in \{0,1\}^*$ and receives $\mathrm{Enc}_k(m)$, or sends $c \in \{0,1\}^*$ and receives $\mathrm{Dec}_k(c)$. Challenge phase: $\mathcal{A}$ sends $m_0, m_1 \in \{0,1\}^*$ with $|m_0| = |m_1|$ and receives $c := \mathrm{Enc}_k(m_b)$. Afterwards $\mathcal{A}$ gets more access to $\mathrm{Enc}_k$ and $\mathrm{Dec}_k$, but may not query $\mathrm{Dec}_k$ on $c$. Finally $\mathcal{A}$ outputs $b'$.
Definition 3.33: $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is (adaptively) ind-cca secure if for every PPT adversary $\Pr[b = b'] \le 1/2 + \mathrm{negl}(n)$.
18 CCA Security of the schemes we've seen so far
None of the schemes we've seen so far is CCA secure. Consider e.g. the simple scheme $\mathrm{Enc}_k(m) := \langle r, F_k(r) \oplus m \rangle$.
Assume the adversary is given the challenge ciphertext $\langle r, s := F_k(r) \oplus m_b \rangle$. For any $x \neq 0^n$ he can ask for $\mathrm{Dec}_k(\langle r, s \oplus x \rangle) = \underbrace{s \oplus x \oplus F_k(r)}_{= m_b \oplus x}$ and learns $m_b \oplus x$, and thus $b$.
CCA security implies/requires non-malleability. Very informally, this means that a ciphertext cannot be changed into a ciphertext of a related message.
19 Padding-Oracle Attacks (3.7.2)
We'll discuss an attack where the attacker launches a very weak (and realistic) form of chosen-ciphertext attack: he only needs to learn if the chosen ciphertexts are valid or not.
PKCS#5 padding: CBC can only encrypt messages whose length is a multiple of the blocksize of the underlying PRP (typically 16 bytes). If the message does not have this property, it needs to be padded to the right length. Assume $m$ is $L$ bytes long and let $b := 16 - L \bmod 16$ (so $L + b$ is a multiple of 16). To pad $m$, just append $b$ times the value $b$ to the end (except if $b = 0$, then add it 16 times), e.g.
Hello → Hello BBBBBBBBBBB (here B is 11 in hexadecimal)
HelloWorld → HelloWorld 666666
abcdefghijklmnop → abcdefghijklmnop 0000000000000000
To remove the padding, read the last byte 0xb, then check if the last b bytes are all 0xb; if yes, remove the last b bytes and output the remaining string, otherwise output "padding error".
Encryption of the (padded) message $m_1 m_2$ in CBC mode: $c_1 = F_k(IV \oplus m_1)$, $c_2 = F_k(c_1 \oplus m_2)$. $\mathcal{A}$ observes $c := (IV, c_1, c_2)$. The last block $m_2 = F_k^{-1}(c_2) \oplus c_1$ ends in $\underbrace{b \ldots b}_{b \text{ times}}$.
Decryption checks if the plaintext has correct padding; if not, it returns an error. Access to a decryption oracle that just tells whether a ciphertext is valid allows to recover the entire message!
If we change $c_1$ to some $c_1' \neq c_1$, the last block will be decoded to $m_2' = F_k^{-1}(c_2) \oplus c_1' \neq m_2$. An adversary given access to a decryption oracle which only tells if decryption failed can learn $b$: change the first byte of $c_1$; if decryption fails then $b = 16$, otherwise change the 2nd byte of $c_1$; if decryption fails then $b = 15$, etc.
Hello BBBBBBBBBBB → Xello BBBBBBBBBBB: padding ok
Hello BBBBBBBBBBB → XXXXX XBBBBBBBBBB: not ok
Once $\mathcal{A}$ has learned $b$, he knows $m_2$ ends in $\beta \underbrace{b \ldots b}_{b \text{ times}}$ for some $\beta$. Define
$\Delta_i \stackrel{\mathrm{def}}{=} 0 \ldots 0\, i\, \underbrace{(b+1) \ldots (b+1)}_{b \text{ times}} \;\oplus\; 0 \ldots 0\, 0\, \underbrace{b \ldots b}_{b \text{ times}}$.
Replacing $c_1$ with $c_1 \oplus \Delta_i$ will return a padding error except if the last $b + 1$ bytes of $m_2 \oplus \Delta_i$ are all $(b+1)$, which holds iff $\beta \oplus i = (b+1)$. One can learn $\beta$ in at most $2^8$ queries.
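The PKCS#5 padding rule and the CBC decryption whose padding error is the oracle, as an added example that is not code from the lecture: the block cipher is a constructed 4-round Feistel PRP built from HMAC-SHA256 (an assumption standing in for AES/DES, not a real cipher), and `padding_valid` models a server that reveals only whether decryption succeeded, which is exactly what the two "padding ok" / "not ok" lines above rely on.

```python
import hmac
import hashlib
import os

BLOCK = 16  # block size in bytes (n = 128 bits, as for AES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, x: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 cut to a half block (assumed PRF).
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK // 2]


def prp(key: bytes, block: bytes) -> bytes:
    # Toy strong PRP F_k: 4-round Feistel network (Luby-Rackoff style), constructed
    # for this example only; round i is keyed with key || i.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, round_fn(key + bytes([i]), r))
    return l + r


def prp_inv(key: bytes, block: bytes) -> bytes:
    # F_k^{-1}: undo the Feistel rounds in reverse order.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, round_fn(key + bytes([i]), l)), l
    return l + r


def pad(m: bytes) -> bytes:
    # PKCS#5: append b copies of byte b, b = 16 - (L mod 16) in 1..16, so a message
    # that is already a multiple of 16 bytes gets a whole block of 0x10.
    b = BLOCK - len(m) % BLOCK
    return m + bytes([b]) * b


def unpad(p: bytes) -> bytes:
    # Read the last byte b and require the last b bytes to all equal b.
    b = p[-1]
    if not 1 <= b <= BLOCK or p[-b:] != bytes([b]) * b:
        raise ValueError("padding error")  # this distinguishable failure is the oracle
    return p[:-b]


def cbc_encrypt(key: bytes, m: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    p, prev, out = pad(m), iv, [iv]
    for i in range(0, len(p), BLOCK):
        prev = prp(key, xor(prev, p[i:i + BLOCK]))  # c_i = F_k(c_{i-1} xor m_i)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, c: bytes) -> bytes:
    if len(c) % BLOCK or len(c) < 2 * BLOCK:
        raise ValueError("length error")
    blocks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    p = b"".join(xor(prp_inv(key, blocks[i]), blocks[i - 1])  # m_i = F_k^{-1}(c_i) xor c_{i-1}
                 for i in range(1, len(blocks)))
    return unpad(p)


def padding_valid(key: bytes, c: bytes) -> bool:
    # The weak decryption oracle of the slides: answers only "valid" or "error".
    try:
        cbc_decrypt(key, c)
        return True
    except ValueError:
        return False
```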