CTR mode of operation

Similar documents
CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Block ciphers And modes of operation. Table of contents

CPA-Security. Definition: A private-key encryption scheme

Modern Cryptography Lecture 4

Computational security & Private key encryption

III. Pseudorandom functions & encryption

Block Ciphers/Pseudorandom Permutations

Lecture 5, CPA Secure Encryption from PRFs

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Lecture 13: Private Key Encryption

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Scribe for Lecture #5

Symmetric Encryption

Lecture 9 - Symmetric Encryption

Modern symmetric-key Encryption

Lecture 2: Perfect Secrecy and its Limitations

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

CS 6260 Applied Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

2 Message authentication codes (MACs)

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 7: CPA Security, MACs, OWFs

Private-Key Encryption

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

CS 6260 Applied Cryptography

1 Indistinguishability for multiple encryptions

Chapter 2 : Perfectly-Secret Encryption

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 5: Pseudorandom functions from pseudorandom generators

El Gamal A DDH based encryption scheme. Table of contents

1 Number Theory Basics

Lectures 2+3: Provable Security

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

On the power of non-adaptive quantum chosen-ciphertext attacks

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Introduction to Cryptology. Lecture 3

8 Security against Chosen Plaintext

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Notes on Property-Preserving Encryption

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Chapter 11 : Private-Key Encryption

Indistinguishability and Pseudo-Randomness

Lecture 28: Public-key Cryptography. Public-key Cryptography

Public Key Cryptography

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 17: Constructions of Public-Key Encryption

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Chosen Plaintext Attacks (CPA)

Perfectly-Secret Encryption

A Pseudo-Random Encryption Mode

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

A block cipher enciphers each block with the same key.

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Homework 7 Solutions

Semantic Security and Indistinguishability in the Quantum World

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

Lecture 18: Message Authentication Codes & Digital Signa

RSA-OAEP and Cramer-Shoup

The Pseudorandomness of Elastic Block Ciphers

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Notes for Lecture 9. 1 Combining Encryption and Authentication

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Constructing secure MACs Message authentication in action. Table of contents

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 15: Message Authentication

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Provable Security in Symmetric Key Cryptography

Pseudorandom functions and permutations

Impact of ANSI X9.24 1:2009 Key Check Value on ISO/IEC :2011 MACs

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Lecture 4: Computationally secure cryptography

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Provable security. Michel Abdalla

Transcription:

CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext attack. We begin with a background of the concepts discussed in class - the notion of CPA indistinguishability experiment and formal definition of CPA security. We discuss the randomized counter mode and highlight how it overcomes the shortcomings of the other modes of operation. Finally we shall see a rigorous proof of CPA security of the counter (aka CTR) mode. 2 Chosen Plaintext Attack (CPA) The basic idea behind a chosen-plaintext attack is that the adversary A is allowed to ask for encryptions of multiple messages that it chooses on-the-fly in an adaptive manner. This is formalized by allowing the adversary to interact with an encryption oracle, viewed as a black box that encrypts messages of A s choice. This interaction can be captured in the following experiment. Consider the private-key encryption scheme Π = (Gen, Enc, Dec), any adversary A, and any value n for the security parameter. The CPA indistinguishability experiment PrivK cpa A,Π (n) is as follows: 1. A random key k is generated by running Gen(1 n ). 2. A is given access to the encryption oracle which computes Enc k. A can adaptively submit polynomial number of queries and receive their encryption. 3. Challenge Phase: A submits two equal length challenge plain texts of his/her own choice, one of which is randomly chosen, encrypted and sent to A. A random bit b 0, 1 is chosen, and the ciphertext c = Enc k (m b ) is computed and sent to A. We call c the challenge ciphertext. 4. Post-Challenge Training Phase: A adaptively submits queries and receives their encryption.the adversary A continues to have oracle access to Enc k. 5. Response Phase : A outputs the bit b 0 the guess regarding which plain-text message was encrypted in the challenge phase. A wins if the guess is correct. The output of the experiment is defined to be 1 if b 0 = b, and 0 otherwise. 6. In case PrivK cpa A,Π (n) = 1, we say that A succeeded. 1-1

3 CPA Security The definition of security requires that A should not be able to distinguish the encryption of two arbitrary messages, even when A is given access to an encryption oracle. Definition 1 A private-key encryption scheme Π = (Gen, Enc, Dec) is said to be CPA-secure if for all probabilistic polynomial-time adversaries A, there exists a negligible function negl such that Pr[PrivK cpa A,Π (n) = 1] 1 2 + negl(n) 4 CPA Modes of operation : Given any CPA-secure fixed-length encryption scheme Π = (Gen, Enc, Dec) it is possible to construct a CPA-secure encryption scheme Π = (Gen, Enc, Dec ) for arbitrary-length messages quite easily with Enc k for message m having length l defined as Enc k (m) = Enc k(m 1 ),..., Enc k (m l ) where l = l n where n is the fixed length of encryption scheme Π. m is divided into blocks, m i, having fixed length n. This construction is based on the significant property that CPA security for a single encryption automatically implies CPA security for multiple encryptions. In case of multiple encryptions, the CPA indistinguishability experiment deals with vectors of plaintext messages rather than single message. Thus by dividing the arbitrary length messages into blocks of fixed-length, we can view an arbitrary-length message as a vector of plaintext fixed-length messages. Since Π is CPA secure fixed-length encryption scheme, it is also multi-message secure. This implies Π as constructed above is CPA secure as well. A mode of operation is essentially a way of encrypting arbitrary-length messages using a pseudorandom function. Some modes based on their nature of encryption may work only with psuedorandom permutation (aka PRP) or strong psuedorandom permutation (aka SPRP). Following are some of the CPA modes of operation: Theoretical construction Electronic Code Book (ECB) mode Cipher Block Chaining (CBC) mode Output Feedback (OFB) mode Counter mode 1-2

Counter (CTR) mode Figure 1: Counter mode of encryption In this mode of operation, first, a random string IV of length n is chosen which is denoted as ctr. Then, a stream is generated by computing r i := F k (ctr + i) Cipher text is computed as c = ctr, c 1,..., c k where c i = r i m i. The message is decrypted by computing m = m 1... m l where m i = F k (ctr + i) c i. This mode needs an initial random string of length n. Length of cipher text is n (for IV) + l n (n for each of the l blocks). The ciphertext can be computed in parallel. Thus this mode has desirable properties of less randomness usage, less cipher text length and parallel computable. Now we proceed to the proof of checking whether this mode is CPA secure. 5 Proof of security Let the security parameter be n. So the length of the random string ctr is n. We first consider the scheme Π which uses a truly random function, F in the Enc algorithm. In the training phase, let the adversary have made k queries. Let the random counter chosen in the i th query be ctr i. Let the length of those messages be l i. Now after the training phase, the adversary knows the value of the function F at ctr i + j i k, j l i. Since the adversary runs in polynomial time, k and l i are bounded by polynomials in n, say. Hence, the total number of values in the domain at which the adversary knows the value of F is at most 2. When the adversary wishes to attack the encryption scheme, he sends two messages M 0 and M 1 of length l. We can assume > l by suitably redefining. Now a random counter ctr is chosen and a random bit b is chosen and the message is encrypted. Now the ciphertext is encrypted using the value of the function at ctr + j, 0 j < l. Case 1: Suppose one of the strings ctr + j(j < l) is such that F (ctr + j) is known and m 0,j+1 m 1,j+1. Since ctr is a part of the cipher text and the adversary can see it, he 1-3

can evaluate F (ctr + j) m b,j+1 for b = 0, 1. Using these two different ciphertexts he can distinguish between the cipher text of M 0 and M 1. Hence the adversary wins with probability 1 in this case. Case 2: Suppose for all j such that m 0,j+1 m 1,j+1, the value of F (ctr + j) is not known. Since the function F is truly random, this encryption scheme works exactly like the one time pad for those blocks that differ in the two messages. We already know that the one time pad is perfectly secure. Hence, in this case, the probability of the adversary winning is at most negligibly more than 1/2. Now we try to find the probability that the two cases occur. Since a block with the same message in both M 0 and M 1 does not help the adversary distinguish between the two strings, we shall assume that every block of the messages M 0 and M 1 differ as well. By the union bound we have that, l 1 Pr[ One of the F (ctr + j) is known)] Pr[F (ctr + i) is known] i=0 Since for at most 2 strings, the value of F is known, Also l. So, Pr[F (ctr + i) is known] 2 i Pr[ One of the F (ctr + j is known] 3 Since is a polynomial in n, this probability is negligible. Pr[ A wins the game] = Pr[Case 1 occurs]. Pr[A wins Case 1 occurs] + Pr[Case 2 occurs]. Pr[A wins Case 2 occurs] 3 1 + 1 1 2 1 2 + 3 Hence this encryption scheme Π is CPA secure. An alternative analysis : Now we give an analysis of the security that gives a tighter bound on the probability. Define overlap i to be the event that the challenge cipher text C has at least one counter string in common with those used in the i th query. Let the number of blocks in the two 1-4

messages be. For the event overlap i to occur, the ctr chosen randomly to encrypt the challenge message must be in the range (ctr i + 1, ctr i + 1). The overlap in the two extreme cases is depicted below: When ctr = ctr i + 1 :... ctr i ctr i + 1... ctr i + 1...... ctr ctr + 1... ctr + 1... When ctr = ctr i + 1 :... ctr i ctr i + 1... ctr i + 1...... ctr ctr + 1... ctr + 1... For this event to occur, ctr can be any of the 2 1 values. Thus the probability that overlap i occurs is < 2. The security can be breached only if the value of ctr + j is known for some j, that is overlap i has occured for some i. Once again by the union bound we have that, Pr[ One of the F (ctr + j) is known] Pr[overlap i occured] Pr[ One of the F (ctr + j) is known] Pr[overlap i occured for some i] i=1 Pr[overlap i occured] i=1 i=1 22 2 ] By a similar analysis as above, Pr[ A wins the game] 1 2 + 22 Now we return to the encryption scheme Π. The intuition behind this proof is that replacing a random function with a pseudorandom function should not alter the security guarantee. We prove this by reducing the security of Π to the pseudorandomness of F k. Theorem 1 If F k : {0, 1} n {0, 1} n is a PRF indexed by the key k, then Π = (Gen, Enc, Dec) is a CPA-secure SKE for arbitrary length messages. 1-5

Proof Suppose A is a PPT TM such that for some polynomial and M 0 and M 1 chosen by A, Pr[A(C) = 1 C = Enc(M 0 )] Pr[A(C) = 1 C = Enc(M 1 )] > 1 for infinitely many n Now we construct a distinguisher D for the pseudorandom function F k. D has oracle access to a function f. randomly or pseudorandomly. This function may have been chosen truly D plays the CPA security game with the adversary A. A queries the ciphertext of messages M i =< m i,1, m i,2,..., m 1,l >. D picks a random string ctr i. It uses the function f to evaluate C i =< f(ctr i ) m i,1, f(ctr i + 1) m i,2,..., f(ctr i + l 1) m 1,l >. It sends C i to A. A sends two strings M 0 and M 1 to D. D tosses a bit b, computes Enc(M b ) and sends it to A A can once again query ciphertexts of different messages and D responds as before. A outputs b If b = b, D outputs 1 else it outputs 0. Suppose the function was a truly random function F. Then the game between D and A is based on Π. So Pr[b = b f is truly random] = 1/2. Suppose the function was a pseudorandom function F k, the the game between D and A is based on Π. So Pr[b = b f is pseudorandom] > 1 2 + 1 for infinitely many n. Hence Pr[D F k(1 n ) = 1] Pr[D F (1 n ) = 1] > 1/2 + 1/ 1/2 1/ for infinitely many n. Hence the probability of distinguishing is not negligible. This implies that F k is not a pseudorandom collection of functions. Thus Π is not CPA-Secure = F k is not a PRF. Since F k is a PRF, Π is CPA-secure. 1-6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback