Practical Cryptography: Provable Security as a Tool for Protocol Design
Phillip Rogaway, UC Davis & Chiang Mai Univ
rogaway@cs.ucdavis.edu, http://www.cs.ucdavis.edu/~rogaway
Summer School on Foundations of Internet Security, 17-19 June 2002, Duszniki Zdroj, Poland (three two-hour lectures)
Slides modified and tweaked by Dan Wallach, with permission

[Slide 1] Title slide (above)

[Slide 2] Outline
0. Opening comments
1. What is "provable security"? (outline from the paper board)
2. Block ciphers
   2.1 Syntax
   2.2 Notions of security (prp, prf, kr)
3. Symmetric encryption
   3.1 Syntax
   3.2 Notions of security (sem, ind, ind$, all under CPA)
4. Relating the notions (ind, ind$, 01)
5. Sample block-cipher-using encryption schemes
6. Security of modes
   6.1 CTR-rand
   6.2 CBC-rand
7. MACs and authenticated encryption
   7.1 Notion of authenticated encryption
   7.2 Notion of MACs
   7.3 Ways to MAC (CBC, XCBC, CW (w/ poly-based universal hash), UMAC)
   7.4 Ways to achieve auth enc (generic composition, IAPM/OCB)
Concluding comments

[Slide 3] Classical approach
Recognize problem -> Protocol -> Bug -> New protocol -> Bug -> ... ; meanwhile the protocol is published, implemented and shipped, and the next bug is found after shipping.

[Slide 4] Provable-security approach (begins with [GM82])
Recognize problem -> Definition -> Protocol $\Pi$ -> Proof (a reduction) -> Publish -> Instantiate -> Implement -> Ship -> Done.
[Slide 5] Primitives and the protocols built from them
Primitive $\pi$ -> Protocol $\Pi$:
- Block cipher -> Symmetric encryption scheme
- Block cipher -> MAC
- Block cipher -> OWF
- OWF -> Block cipher
- Symmetric encryption scheme, MAC -> Symmetric encryption scheme
- RSA primitive -> ...

[Slide 6] Block-cipher syntax; what a reduction says
A block cipher is a map $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ where each $E_K(\cdot) = E(K, \cdot)$ is a permutation.
E.g. $E_K(X) = X$ (satisfies the syntax, obviously useless) and $E_K(X) = \mathrm{AES128}_K(X)$.
"If primitive $\pi$ is secure then protocol $\Pi$ is secure" means: if there is no good adversary attacking $\pi$ then there is no good adversary attacking $\Pi$. The contrapositive is what a proof actually shows: if there is a good adversary attacking $\Pi$ then there is a good adversary attacking $\pi$, built from the first one. That construction is the reduction.

[Slide 7] Key recovery (kr) under chosen-plaintext attack (CPA)
Adversary A has an oracle for $E_K(\cdot)$: it asks $X_1, X_2, \ldots, X_q$, receives $E_K(X_1), E_K(X_2), \ldots, E_K(X_q)$, and outputs a guess at the key.
$\mathrm{Adv}^{\mathrm{kr}}_E(A) = \Pr[K \gets \mathcal{K}: A^{E_K(\cdot)} = K]$
$\mathrm{Adv}^{\mathrm{kr}}_E(t,q) = \max_A \{\mathrm{Adv}^{\mathrm{kr}}_E(A)\}$, the maximum over adversaries that run in time $t$ and ask $q$ queries.

[Slide 8] The PRP sense of a block cipher being good: two worlds
Left world: A's oracle is $E_K(\cdot)$ for $K \gets \mathcal{K}$; it asks $X_1, \ldots, X_q$ and gets $E_K(X_1), \ldots, E_K(X_q)$.
Right world: A's oracle is $\pi(\cdot)$ for $\pi \gets \mathrm{Perm}(n)$, a uniformly random permutation of $\{0,1\}^n$ (there are $2^n!$ of them); it gets $\pi(X_1), \ldots, \pi(X_q)$.
[Slide 9] PRP advantage
$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Pr[K \gets \mathcal{K}: A^{E_K(\cdot)} = 1] - \Pr[\pi \gets \mathrm{Perm}(n): A^{\pi(\cdot)} = 1]$
$\mathrm{Adv}^{\mathrm{prp}}_E(t,q) = \max_A \{\mathrm{Adv}^{\mathrm{prp}}_E(A)\}$ over adversaries A that run in time $t$ and ask $q$ queries.
The attacker answers 0 for "it's a permutation" and 1 for "it's the cipher".
Breaking $E_K(X) = X$: ask $0^n$, receiving $Y$; if $Y = 0^n$ return 1 (the cipher returns the identity), else return 0. $\mathrm{Adv}^{\mathrm{prp}}_E(A) = 1 - 2^{-n}$ (a random permutation might also send $0^n$ to itself).

[Slide 10] What we assume about AES
Strong assumption: $\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(t,q) \approx t/2^{128}$.
Weaker assumption: $\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{AES}}(t,q) \le 2^{-40}$ whenever $t < 2^{80}$ and $q < 2^{40}$.

[Slide 11] PRF advantage
$\mathrm{Adv}^{\mathrm{prf}}_E(A) = \Pr[K \gets \mathcal{K}: A^{E_K(\cdot)} = 1] - \Pr[\rho \gets \mathrm{Rand}(n): A^{\rho(\cdot)} = 1]$, where $\mathrm{Rand}(n)$ is the set of all functions from $\{0,1\}^n$ to $\{0,1\}^n$ (A asks $X_1, \ldots, X_q$ and gets $\rho(X_1), \ldots, \rho(X_q)$ in the right world).
Equivalent single-experiment form: $\mathrm{Adv}^{\mathrm{prf}}_E(A) = 2\Pr[b \gets \{0,1\};\ \text{if } b = 1 \text{ then } K \gets \mathcal{K},\ f \gets E_K \text{ else } f \gets \mathrm{Rand}(n):\ A^{f(\cdot)} = b] - 1$.

[Slide 12] The Switching Lemma
If A asks $q$ queries then $|\mathrm{Adv}^{\mathrm{prp}}_E(A) - \mathrm{Adv}^{\mathrm{prf}}_E(A)| \le q^2/2^{n+1}$; equivalently, $|\Pr[A^{\pi(\cdot)} = 1] - \Pr[A^{\rho(\cdot)} = 1]| \le q^2/2^{n+1}$ for $\pi \gets \mathrm{Perm}(n)$ and $\rho \gets \mathrm{Rand}(n)$.
(Plot on the slide: the best achievable distinguishing advantage as a function of $q$ climbs from 0 toward 1 around $q \approx 2^{n/2}$, the birthday bound.)
[Slide 13] Symmetric encryption: syntax
Def. A (symmetric, probabilistic) encryption scheme is a 3-tuple $\Pi = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ where
- $\mathcal{K}$ is a finite set (the keys);
- the message space $\mathcal{M} \subseteq \{0,1\}^*$ is closed under length: if $M \in \mathcal{M}$ and $|M'| = |M|$ then $M' \in \mathcal{M}$;
- $\mathcal{E}: \mathcal{K} \times \mathcal{M} \to \{0,1\}^*$ is a probabilistic function;
- $\mathcal{D}: \mathcal{K} \times \{0,1\}^* \to \mathcal{M} \cup \{*\}$ is a deterministic function ($*$ means "invalid");
- correctness: for all $M \in \mathcal{M}$, $K \in \mathcal{K}$, $C \in \mathcal{E}_K(M)$: $\mathcal{D}_K(C) = M$;
- $|C| = \mathrm{clen}(|M|)$: the support of $\mathcal{E}_K(M)$ only has strings of one length, and that length depends only on $|M|$.

[Slide 14] Chosen-plaintext attack and semantic security (sem)
Under CPA the adversary has an oracle $\mathcal{E}_K(\cdot)$: it asks $M_1, \ldots, M_q$ and gets $\mathcal{E}_K(M_1), \ldots, \mathcal{E}_K(M_q)$.
$\mathrm{Adv}^{\mathrm{sem}}_\Pi(A) = \Pr[K \gets \mathcal{K};\ (f, \mathcal{M}) \gets A^{\mathcal{E}_K(\cdot)}();\ M \gets \mathcal{M};\ C \gets \mathcal{E}_K(M):\ A^{\mathcal{E}_K(\cdot)}(C, f) = f(M)] - \Pr[K \gets \mathcal{K};\ (f, \mathcal{M}) \gets A^{\mathcal{E}_K(\cdot)}();\ M, M' \gets \mathcal{M};\ C \gets \mathcal{E}_K(M'):\ A^{\mathcal{E}_K(\cdot)}(C, f) = f(M)]$
A first names a message distribution $\mathcal{M}$ and a function $f$; it must then do no better at computing $f(M)$ from an encryption of $M$ (left) than from an encryption of an unrelated $M'$ (right).

[Slide 15] ind (real-or-zeros)
$\mathrm{Adv}^{\mathrm{ind}}_\Pi(A) = \Pr[K \gets \mathcal{K}: A^{\mathcal{E}_K(\cdot)} = 1] - \Pr[K \gets \mathcal{K}: A^{\mathcal{E}_K(0^{|\cdot|})} = 1]$
The right-hand oracle ignores the content of the query $M$ and returns an encryption of $0^{|M|}$.

[Slide 16] ind$ (real-or-random bits)
$\mathrm{Adv}^{\mathrm{ind}\$}_\Pi(A) = \Pr[K \gets \mathcal{K}: A^{\mathcal{E}_K(\cdot)} = 1] - \Pr[A^{\$^{\mathrm{clen}(|\cdot|)}} = 1]$
The right-hand oracle answers the query $M$ with $\mathrm{clen}(|M|)$ uniformly random bits.
Lecture 2

[Slide 17] 01-security implies ind: the reduction
Consider a weak form of semantic security, the 01-notion: the adversary only has to tell an encryption of the one-bit message 1 from an encryption of 0.
$\mathrm{Adv}^{01}_\Pi(A) = 2\Pr[b \gets \{0,1\};\ K \gets \mathcal{K};\ C \gets \mathcal{E}_K(b):\ A(C) = b] - 1$
Assume A does well at breaking $\Pi$ in the 01-sense. Construct B that does well at breaking $\Pi$ in the ind-sense.
Def. of $B^f$: compute $C \gets f(1)$; run $A(C)$; when A halts, outputting $b$, return $b$.

[Slide 18] Analysis
$\mathrm{Adv}^{\mathrm{ind}}_\Pi(B) = \Pr[B^{\mathcal{E}_K(\cdot)} = 1] - \Pr[B^{\mathcal{E}_K(0^{|\cdot|})} = 1]$
$= \Pr[K \gets \mathcal{K};\ C \gets \mathcal{E}_K(1):\ A(C) = 1] - \Pr[K \gets \mathcal{K};\ C \gets \mathcal{E}_K(0):\ A(C) = 1]$
$= \Pr[K;\ C \gets \mathcal{E}_K(1):\ A(C) = 1] - \left(1 - \Pr[K;\ C \gets \mathcal{E}_K(0):\ A(C) = 0]\right)$
$= \Pr[K;\ C \gets \mathcal{E}_K(1):\ A(C) = 1] + \Pr[K;\ C \gets \mathcal{E}_K(0):\ A(C) = 0] - 1$
$= 2\left(\Pr[K;\ C \gets \mathcal{E}_K(1):\ A(C) = 1]\cdot\tfrac12 + \Pr[K;\ C \gets \mathcal{E}_K(0):\ A(C) = 0]\cdot\tfrac12\right) - 1$
$= 2\left(\Pr[A \text{ returns } b \mid b = 1]\Pr[b = 1] + \Pr[A \text{ returns } b \mid b = 0]\Pr[b = 0]\right) - 1$
$= 2\Pr[A \text{ returns } b] - 1 = \mathrm{Adv}^{01}_\Pi(A)$

[Slide 19] ind$ implies ind: hybrid argument
Let A be an ind-adversary; think of $\delta = \mathrm{Adv}^{\mathrm{ind}}_\Pi(A)$ as large. Construct B that breaks $\Pi$ in the ind$-sense.
Claim: $\mathrm{Adv}^{\mathrm{ind}}_\Pi(t, \mu) \le 2\,\mathrm{Adv}^{\mathrm{ind}\$}_\Pi(t + \mathrm{tiny}, \mu)$ with $\mathrm{tiny} = O(\mu)$.
Three oracles: $\mathcal{E}_K(\cdot)$, $\$^{\mathrm{clen}(|\cdot|)}$, $\mathcal{E}_K(0^{|\cdot|})$. A's advantage $\delta$ between the first and the third is the sum of its advantages between adjacent pairs, so at least one of the two gaps is $\ge \delta/2$.
Case 1 (the gap between $\mathcal{E}_K(\cdot)$ and $\$$ is $\ge \delta/2$): set $B = A$; then $\mathrm{Adv}^{\mathrm{ind}\$}_\Pi(B) \ge \delta/2$.
Case 2 (the gap between $\$$ and $\mathcal{E}_K(0^{|\cdot|})$ is $\ge \delta/2$): $B^f$ behaves as follows. Run A; when A asks its oracle $x$, ask $f(0^{|x|})$ and return the answer to A; when A outputs a bit $b$, return $1 - b$. (When $f = \mathcal{E}_K$, A is talking to $\mathcal{E}_K(0^{|\cdot|})$; when $f = \$$, A sees random bits; flipping the output bit makes B's advantage exactly the second gap.)

[Slide 20] Theorem
Suppose an adversary A runs in time $t$, asks queries totaling $\mu$ bits, and breaks $\Pi$ in the ind-sense with advantage $\delta$. Then there is an adversary B that runs in time $t + O(\mu)$, asks queries totaling $\mu$ bits, and breaks $\Pi$ in the ind$-sense with advantage at least $\delta/2$.
[Slide 21] CBC with different IV choices
Picture: an $IV$ and message blocks $M_1, M_2, M_3$ chained through $E_K$ to give $C_1, C_2, C_3$, i.e. $C_0 = IV$ and $C_i = E_K(C_{i-1} \oplus M_i)$.
Variants by how the IV is chosen: CBC-zero ($IV = 0^n$), CBC-ctr ($IV$ is a counter), CBC-chain ($IV$ is the last ciphertext block of the previous message), CBC-encctr ($IV = E_K(\text{counter})$), CBC-rand ($IV$ uniformly random).

[Slide 22] Attacks violating ind
CBC-zero: ask $0^n \to C_1$; ask $1^n \to C_2$; if $C_1 = C_2$ then return 0 else return 1. (The scheme is deterministic: in the real world $C_1 = E_K(0^n) \ne E_K(1^n) = C_2$, while in the zeros world both queries encrypt $0^n$ and $C_1 = C_2$.)
CBC-ctr: ask $0^n \to C_1$; ask $0^{n-1}1 \to C_2$; if $C_1 = C_2$ then return 1 else return 0. (The second IV is $0^{n-1}1$, so in the real world $C_2 = E_K(0^{n-1}1 \oplus 0^{n-1}1) = E_K(0^n) = C_1$; in the zeros world $C_2 = E_K(0^{n-1}1 \oplus 0^n) \ne C_1$.)
CBC-chain: ask $0^n \to (IV_1, C_1)$; ask $C_1 \to (IV_2, C_2)$; ask $C_2 \to (IV_3, C_3)$; if $C_2 = C_3$ then return 1 else return 0. (The adversary knows each IV before choosing the message: $IV_2 = C_1$ and $IV_3 = C_2$, so in the real world $C_2 = E_K(C_1 \oplus C_1) = E_K(0^n) = C_3$; in the zeros world $C_2 = E_K(C_1)$ and $C_3 = E_K(C_2)$, which differ unless $C_1$ happens to be a fixed point of $E_K$.)

[Slide 23] CTR modes
CTR-ctr: the block-cipher inputs are $\mathrm{ctr}, \mathrm{ctr}+1, \mathrm{ctr}+2, \ldots$ with the counter carried across messages (stateful). CTR-rand: each message starts from a fresh random $\mathrm{ctr}$. Picture of CBC-rand: random $IV$, $M_1 M_2 M_3 \to C_1 C_2 C_3$.

[Slide 24] Claim: CTR-rand is secure if its block cipher is a good PRP
Let A be an adversary attacking $\mathrm{CTR}[E]$. Construct B that attacks $E$. Adversary $B^f$ behaves as follows: run A; when A asks its oracle to encrypt $M = M_1 \cdots M_m$, choose $\mathrm{ctr} \gets \{0,1\}^n$, compute $\mathrm{pad} = f(\mathrm{ctr})\, f(\mathrm{ctr}+1) \cdots f(\mathrm{ctr}+m-1)$ and return $(\mathrm{ctr}, \mathrm{pad} \oplus M)$ to A; when A halts, outputting a bit $b$, return $b$.
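The three distinguishers of slide 22, run against a toy block cipher, as an added example (not code from the slides). A keyed random permutation of 12-bit blocks stands in for AES so the script runs with the standard library only; the names N, make_cipher, CBC, ind_oracle, attack_zero/attack_ctr/attack_chain and advantage are mine. The advantage is measured empirically, as Pr[A = 1 | real] minus Pr[A = 1 | zeros] over fresh keys, which is exactly the ind definition of slide 15:

```python
# Added example (not from the slides): the three ind distinguishers of slide 22, run
# against a toy block cipher. N, make_cipher, CBC and the attack_* names are mine.
import random

N = 12                       # toy block size in bits; the slide's n is 128
MASK = (1 << N) - 1          # the all-ones block 1^n


def make_cipher(key: int):
    """Toy PRP: a random permutation of {0,1}^N selected by `key` (stand-in for AES)."""
    rng = random.Random(key)
    table = list(range(1 << N))
    rng.shuffle(table)
    return table.__getitem__


class CBC:
    """CBC encryption, C_i = E(C_{i-1} xor M_i), with the IV chosen by one of the
    strategies on slide 21: zero, ctr, chain (last ciphertext block), rand."""

    def __init__(self, cipher, iv_mode: str, rng: random.Random):
        self.E, self.mode, self.rng = cipher, iv_mode, rng
        self.ctr = 0         # CBC-ctr: next IV
        self.last = 0        # CBC-chain: last ciphertext block produced

    def next_iv(self) -> int:
        if self.mode == "zero":
            return 0
        if self.mode == "ctr":
            iv, self.ctr = self.ctr, (self.ctr + 1) & MASK
            return iv
        if self.mode == "chain":
            return self.last
        if self.mode == "rand":
            return self.rng.getrandbits(N)
        raise ValueError(self.mode)

    def encrypt(self, blocks):
        iv = prev = self.next_iv()
        out = []
        for m in blocks:
            prev = self.E(prev ^ m)
            out.append(prev)
        self.last = prev
        return iv, out


def ind_oracle(cbc: CBC, zeros_world: bool):
    """The oracle of the ind game: encrypt M in the real world, 0^{|M|} in the zeros world."""
    return lambda blocks: cbc.encrypt([0] * len(blocks) if zeros_world else blocks)


# The distinguishers of slide 22. Each returns 1 for "real world", 0 for "zeros world".
def attack_zero(enc):
    _, (c1,) = enc([0])
    _, (c2,) = enc([MASK])
    return 0 if c1 == c2 else 1      # deterministic scheme: equal iff both inputs were 0^n


def attack_ctr(enc):
    _, (c1,) = enc([0])              # IV = 0: E gets 0 xor 0
    _, (c2,) = enc([1])              # IV = 1: E gets 1 xor 1 = 0 in the real world
    return 1 if c1 == c2 else 0


def attack_chain(enc):
    _, (c1,) = enc([0])
    _, (c2,) = enc([c1])             # IV2 = c1: E gets c1 xor c1 = 0 in the real world
    _, (c3,) = enc([c2])             # IV3 = c2: E gets c2 xor c2 = 0 in the real world
    return 1 if c2 == c3 else 0


def advantage(attack, iv_mode: str, trials: int = 100, seed: int = 7) -> float:
    """Empirical Adv^ind = Pr[A = 1 | real] - Pr[A = 1 | zeros], fresh key per trial."""
    rng = random.Random(seed)
    ones = {False: 0, True: 0}
    for _ in range(trials):
        key = rng.getrandbits(64)
        for zeros_world in (False, True):
            cbc = CBC(make_cipher(key), iv_mode, random.Random(rng.getrandbits(64)))
            ones[zeros_world] += attack(ind_oracle(cbc, zeros_world))
    return (ones[False] - ones[True]) / trials


if __name__ == "__main__":
    for mode, attack in (("zero", attack_zero), ("ctr", attack_ctr), ("chain", attack_chain)):
        print(f"CBC-{mode}: Adv^ind of its distinguisher = {advantage(attack, mode):.2f}")
    print(f"CBC-rand: Adv^ind of the CBC-chain distinguisher = {advantage(attack_chain, 'rand'):.2f}")
```

The first three advantages come out at (essentially) 1: each distinguisher is right in every trial, the only exception being the rare key for which $E_K$ fixes $0^n$ in the CBC-chain zeros world. Run against CBC-rand the same distinguishers are at about 0, because a random IV makes the block-cipher input unpredictable, which is precisely what the proof on the following slides formalizes.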
[Slide 25] Analysis for CTR-rand ($\sigma$ is the total number of blocks in A's queries)
$\mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1]$
$\ge \Pr[B^{E_K} = 1] - \Pr[B^{\rho} = 1] - \sigma^2/2^{n+1}$ (switching lemma)
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1] - \sigma^2/2^{n+1}$
Let $\mathsf{C}$ be the event of a collision among the inputs to the block cipher.
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid \overline{\mathsf{C}}]\Pr[\overline{\mathsf{C}}] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid \mathsf{C}]\Pr[\mathsf{C}] - \sigma^2/2^{n+1}$
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1](1 - \Pr[\mathsf{C}]) - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid \mathsf{C}]\Pr[\mathsf{C}] - \sigma^2/2^{n+1}$ (with no collision, $\mathrm{CTR}[\rho]$ returns uniformly random bits)
$= \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1] + \Pr[\mathsf{C}]\Pr[A^{\$} = 1] - \Pr[A^{\mathrm{CTR}[\rho]} = 1 \mid \mathsf{C}]\Pr[\mathsf{C}] - \sigma^2/2^{n+1}$
$\ge \Pr[A^{\mathrm{CTR}[E_K]} = 1] - \Pr[A^{\$} = 1] - \Pr[\mathsf{C}] - \sigma^2/2^{n+1}$
$= \mathrm{Adv}^{\mathrm{ind}\$}_{\mathrm{CTR}[E]}(A) - \Pr[\mathsf{C}] - \sigma^2/2^{n+1}$
The problem is now an information-theoretic one. Claim: $\Pr[\mathsf{C}] \le \sigma^2/2^{n+1}$ (see next slide). We then have $\mathrm{Adv}^{\mathrm{ind}\$}_{\mathrm{CTR}[E]}(A) \le \mathrm{Adv}^{\mathrm{prp}}_E(B) + \sigma^2/2^n$.

[Slide 26] Bounding $\Pr[\mathsf{C}]$: balls in bins
$N = 2^n$ bins. The $i$-th query throws $m_i$ balls (its block-cipher inputs, a run of consecutive counters starting at a random point), with $\sum_i m_i = \sigma$. The adversary wants to create a collision; it can do no better than tossing one ball at a time, each ball colliding with the ones already thrown with probability (number already thrown)$/N$, so
$\Pr[\mathsf{C}] \le \frac{1}{N} + \frac{2}{N} + \cdots + \frac{\sigma-1}{N} \le \frac{\sigma^2}{2N} = \frac{\sigma^2}{2^{n+1}}$.

Lecture 3

[Slide 27] Theorem (CBC-rand)
Let $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ and let A attack $\mathrm{CBC}[E]$. Assume A runs in time $t$, asks $\sigma$ total blocks, and achieves advantage $\delta_A = \mathrm{Adv}^{\mathrm{ind}\$}_{\mathrm{CBC}[E]}(A)$. Then there is an adversary B that attacks $E$, runs in time at most $t_B$, asks at most $q_B$ queries, and achieves advantage at least $\delta_B = \mathrm{Adv}^{\mathrm{prp}}_E(B)$, where $t_B = t + O(\sigma)$, $q_B = \sigma$ and $\delta_B = \delta_A - \sigma^2/2^n$.

[Slide 28] Def. of $B^f$
Run A. When A asks its oracle $M = M_1 \cdots M_m$: choose $IV = C_0 \gets \{0,1\}^n$; for $i \gets 1$ to $m$ do $C_i \gets f(C_{i-1} \oplus M_i)$; return $(IV, C_1 \cdots C_m)$ to A. When A outputs a bit $b$, return $b$.
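The collision event $\mathsf{C}$ of slides 25 and 26, made concrete, as an added example (not code from the slides). It simulates CTR-rand sessions over a toy 16-bit block size, compares the observed collision rate with the bound $\sigma^2/2^{n+1}$, and shows what an adversary gets when a collision does happen: overlapping counter ranges reuse pad blocks, so XOR-ing the two ciphertext blocks gives the XOR of the plaintext blocks. The names N, make_cipher, ctr_encrypt, ctr_rand_encrypt, collision_bound, empirical_collision_rate and xor_leak_on_collision, and the sample plaintexts, are mine:

```python
# Added example (not from the slides): CTR-rand block-cipher input collisions and what they
# leak. The toy cipher, the simulation parameters and the sample plaintexts are constructed.
import random

N = 16                         # toy block size in bits; the slide's n is 128 for AES
MASK = (1 << N) - 1


def make_cipher(key: int):
    """Toy block cipher: a random permutation of {0,1}^N chosen by `key`."""
    rng = random.Random(key)
    table = list(range(1 << N))
    rng.shuffle(table)
    return table.__getitem__


def ctr_encrypt(E, blocks, ctr):
    """Core of CTR mode: C_i = M_i xor E(ctr + i - 1). Returns (C, block-cipher inputs)."""
    inputs = [(ctr + i) & MASK for i in range(len(blocks))]
    return [m ^ E(x) for m, x in zip(blocks, inputs)], inputs


def ctr_rand_encrypt(E, blocks, rng):
    """CTR-rand: a fresh random starting counter for every message (slide 24)."""
    ctr = rng.getrandbits(N)
    cipher, inputs = ctr_encrypt(E, blocks, ctr)
    return ctr, cipher, inputs


def collision_bound(sigma: int, n: int = N) -> float:
    """The balls-in-bins bound of slide 26: Pr[C] <= sigma^2 / 2^{n+1}."""
    return sigma * sigma / 2 ** (n + 1)


def empirical_collision_rate(queries=8, blocks_per_query=8, trials=20000, seed=1):
    """Fraction of sessions (sigma = queries * blocks_per_query blocks) in which some
    block-cipher input is used twice. Only the counters decide the event C, so the
    cipher itself need not be evaluated here."""
    rng = random.Random(seed)
    collided = 0
    for _ in range(trials):
        seen = set()
        for _ in range(queries):
            ctr = rng.getrandbits(N)
            inputs = [(ctr + i) & MASK for i in range(blocks_per_query)]
            if any(x in seen for x in inputs):
                collided += 1
                break
            seen.update(inputs)
    return collided / trials


def xor_leak_on_collision(E, m1, m2, ctr1, ctr2):
    """When two messages' counter ranges overlap, C1_i xor C2_j = M1_i xor M2_j at the
    overlapping positions: the pad block cancels. Returns (recovered XOR, true XOR) pairs."""
    c1, in1 = ctr_encrypt(E, m1, ctr1)
    c2, in2 = ctr_encrypt(E, m2, ctr2)
    pos = {x: i for i, x in enumerate(in1)}
    return [(c1[pos[x]] ^ c2[j], m1[pos[x]] ^ m2[j]) for j, x in enumerate(in2) if x in pos]


if __name__ == "__main__":
    rate, bound = empirical_collision_rate(), collision_bound(64)
    print(f"sigma=64, n={N}: observed Pr[C] ~ {rate:.4f}, bound {bound:.4f}")
    E = make_cipher(2002)
    m1 = [0x1111, 0x2222, 0x3333, 0x4444]   # constructed sample plaintexts
    m2 = [0xAAAA, 0xBBBB, 0xCCCC, 0xDDDD]
    for got, truth in xor_leak_on_collision(E, m1, m2, ctr1=100, ctr2=102):
        print(f"recovered M1_i xor M2_j = {got:#06x} (true value {truth:#06x})")
```

With 8 messages of 8 blocks the observed rate sits well under the bound (the bound charges every pair of balls, while in CTR-rand a collision needs two whole counter runs to overlap), but it is nonzero at $n = 16$, and every occurrence leaks plaintext relations. At $n = 128$ the same $\sigma^2/2^{n+1}$ is what tells you how much data one key may encrypt.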
[Slide 29] Analysis for CBC-rand
$\mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{E_K} = 1] - \Pr[B^{\pi} = 1]$
$\mathrm{Adv}^{\mathrm{ind}\$}_{\mathrm{CBC}[E]}(A) = \Pr[A^{\mathrm{CBC}[E_K]} = 1] - \Pr[A^{\$} = 1]$
Since B simulates A's oracle exactly, $\Pr[B^{E_K} = 1] = \Pr[A^{\mathrm{CBC}[E_K]} = 1]$ and $\Pr[B^{\pi} = 1] = \Pr[A^{\mathrm{CBC}[\pi]} = 1]$, so
$\mathrm{Adv}^{\mathrm{ind}\$}_{\mathrm{CBC}[E]}(A) - \mathrm{Adv}^{\mathrm{prp}}_E(B) = \Pr[B^{\pi} = 1] - \Pr[A^{\$} = 1] = \Pr[A^{\mathrm{CBC}[\pi]} = 1] - \Pr[A^{\$} = 1] \le \Pr[A^{\mathrm{CBC}[\rho]} = 1] - \Pr[A^{\$} = 1] + \sigma^2/2^{n+1}$
Now a purely information-theoretic question: game-playing is used to show that the first difference is at most $\sigma^2/2^{n+1}$, which gives the $\sigma^2/2^n$ of the theorem.

[Slide 30] Authenticity
Adversary A has an oracle $\mathcal{E}_K(\cdot)$; it asks $M_1, \ldots, M_q$ and gets $C_1, \ldots, C_q$; then it outputs a ciphertext $C$. A wins if $C \notin \{C_1, \ldots, C_q\}$ and $\mathcal{D}_K(C) \ne *$.

[Slide 31] Encrypt-with-redundancy is not authenticated encryption
Append a fixed redundancy block $0^n$ to $M$ and CBC-encrypt the result; the receiver decrypts and checks that the last block is $0^n$.
Attack: ask $0^n\,0^n \to (IV, C_1 C_2 C_3)$, where $C_3$ encrypts the redundancy block. Forge $(IV, C_1 C_2)$. This ciphertext was never returned by the oracle, yet it decrypts to $0^n$ followed by the redundancy block $0^n$ (since $C_2 = E_K(C_1 \oplus 0^n)$ decrypts to $0^n$), so the check passes.

[Slide 32] Message authentication codes
$\mathrm{MAC}_K(M)$. The sender S sends $M$ together with $T = \mathrm{MAC}_K(M)$; the receiver R computes $T' = \mathrm{MAC}_K(M)$ and checks whether $T' = T$.
Forgery game: A has an oracle $\mathrm{MAC}_K(\cdot)$; it asks $M_1, \ldots, M_q$ and gets $T_1, \ldots, T_q$, then outputs $(M, T)$. A wins (forges) if $T = \mathrm{MAC}_K(M)$ and $M \notin \{M_1, \ldots, M_q\}$.
$\mathrm{Adv}^{\mathrm{mac}}_{\mathrm{MAC}}(A) = \Pr[K \gets \mathcal{K}: A^{\mathrm{MAC}_K(\cdot)} \text{ forges}]$
[Slide 33] The CBC MAC
$\mathrm{CBC\text{-}MAC}_K(M_1 \cdots M_m)$: $T_0 = 0^n$, $T_i = E_K(T_{i-1} \oplus M_i)$, output $T_m$ (picture with $M_1, M_2, M_3$).
To forge: ask $0^n \to T_1$; forge $(0^n\,T_1,\ T_1)$. Indeed $\mathrm{CBC\text{-}MAC}_K(0^n\,T_1) = E_K(E_K(0^n) \oplus T_1) = E_K(T_1 \oplus T_1) = E_K(0^n) = T_1$, and the two-block message was never queried.

[Slide 34] Fixing the CBC MAC
The CBC MAC is incorrect across messages of varying lengths (the forgery above). It is correct, with bound $3\sigma^2/2^n$, for messages of some one fixed length [BKR].
Encrypted CBC (from the RACE project): re-encrypt the CBC-MAC output under a second key. Shown provably secure (when $E$ is a PRP) by [Petrank, Rackoff].

[Slide 35] A different fix; the Carter-Wegman paradigm
A different fix (XCBC): provable security shown in [Black, Rogaway].
Carter-Wegman paradigm: first hash the message, $M \mapsto h(M)$, with a hash function $h$ that need not be cryptographic; the keyed cryptographic step is applied only to the short $h(M)$. The key for the MAC is $(h, K)$, where $h$ is a random element of a family $H = \{h: \mathcal{M} \to \{0,1\}^n\}$.

[Slide 36] Almost-universal hash families
Def. A family of hash functions $H = \{h: \mathcal{M} \to \{0,1\}^n\}$ is $\epsilon$-AU (almost universal) if for all $M, M' \in \mathcal{M}$ with $M \ne M'$, $\Pr_h[h(M) = h(M')] \le \epsilon$.
(Picture: a collision $h(M) = h(M')$ is unlikely for a random $h$.)
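The two forgeries of slides 31 and 33, and EMAC as the fix of slide 34, as an added example (not code from the slides) over a toy 16-bit block cipher. The forgery game of slide 32 is implemented so that the raw CBC-MAC forgery is checked to be a genuine forgery (new message, valid tag) and the same attempt is checked to fail against EMAC. For encrypt-with-redundancy the redundancy block is the XOR of the message blocks, my variant of the slide's fixed $0^n$ block, which falls to the same truncation. The names N, make_cipher, cbc_mac, emac, mac_game, forge_cbc_mac, checksum, ewr_encrypt, ewr_decrypt and forge_ewr are mine:

```python
# Added example (not from the slides): the CBC-MAC forgery of slide 33, the
# encrypt-with-redundancy forgery of slide 31, and EMAC as the fix of slide 34, over a toy
# block cipher. N, make_cipher, the XOR checksum and the function names are mine.
import random

N = 16                      # toy block size in bits; the slides' n is 128
MASK = (1 << N) - 1


def make_cipher(key: int):
    """Toy PRP and its inverse: a random permutation of {0,1}^N selected by `key`."""
    rng = random.Random(key)
    table = list(range(1 << N))
    rng.shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def cbc_mac(E, blocks):
    """Raw CBC-MAC: T_0 = 0^n, T_i = E(T_{i-1} xor M_i), output T_m."""
    t = 0
    for m in blocks:
        t = E(t ^ m)
    return t


def emac(E1, E2, blocks):
    """Encrypted CBC-MAC (the RACE fix): re-encrypt the raw CBC-MAC under a second key."""
    return E2(cbc_mac(E1, blocks))


def mac_game(mac, forger):
    """The forgery game of slide 32. `forger` gets a MAC oracle and returns (M, T);
    it wins iff T = MAC(M) and M was never asked of the oracle."""
    asked = set()

    def oracle(blocks):
        asked.add(tuple(blocks))
        return mac(blocks)

    m, t = forger(oracle)
    return tuple(m) not in asked and mac(m) == t


def forge_cbc_mac(oracle):
    """Slide 33: ask T1 = MAC(0^n); then (0^n || T1) also has tag T1 under raw CBC-MAC,
    because E(E(0^n) xor T1) = E(T1 xor T1) = E(0^n) = T1."""
    t1 = oracle([0])
    return [0, t1], t1


# Encrypt-with-redundancy: CBC-encrypt M followed by a checksum block (XOR of the blocks;
# the slide uses a fixed 0^n block, which falls to the same attack).
def checksum(blocks):
    s = 0
    for m in blocks:
        s ^= m
    return s


def ewr_encrypt(E, blocks, iv):
    """Returns (IV, C_1 ... C_{m+1}); the last block encrypts the redundancy."""
    out, prev = [], iv
    for m in blocks + [checksum(blocks)]:
        prev = E(prev ^ m)
        out.append(prev)
    return iv, out


def ewr_decrypt(D, iv, cblocks):
    """CBC-decrypt and check the redundancy; None plays the role of '*' (reject)."""
    msg, prev = [], iv
    for c in cblocks:
        msg.append(D(c) ^ prev)
        prev = c
    body, red = msg[:-1], msg[-1]
    return body if red == checksum(body) else None


def forge_ewr(enc_oracle):
    """Slide 31: ask for 0^n 0^n -> (IV, C1 C2 C3) and output the truncation (IV, C1 C2),
    a ciphertext never returned by the oracle that decrypts to 0^n with a valid checksum."""
    iv, (c1, c2, _c3) = enc_oracle([0, 0])
    return iv, [c1, c2]


if __name__ == "__main__":
    E1, _ = make_cipher(1)
    E2, _ = make_cipher(2)
    print("raw CBC-MAC forged:", mac_game(lambda m: cbc_mac(E1, m), forge_cbc_mac))
    print("EMAC forged:       ", mac_game(lambda m: emac(E1, E2, m), forge_cbc_mac))
    E, D = make_cipher(3)
    iv, c = forge_ewr(lambda m: ewr_encrypt(E, m, 0x1234))   # constructed IV
    print("encrypt-with-redundancy forgery decrypts to:", ewr_decrypt(D, iv, c))
```

The EMAC outer encryption breaks the algebra of the forgery: the attacker sees $E_2(E_1(0^n))$ rather than the chaining value $E_1(0^n)$ it would need to cancel, so the length-extension step no longer lines up. The truncation forgery against encrypt-with-redundancy works because a redundancy check computed from the decrypted plaintext is a property any prefix of a valid CBC ciphertext can satisfy; the redundancy must instead be a MAC keyed independently of the plaintext, which is where the next slides go.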
[Slide 37] Example construction: polynomial evaluation over $\mathrm{GF}(2^{128})$
Write $M = M_m \cdots M_1 M_0$ with each $|M_i| = 128$ and view it as the polynomial $M(X) = M_m X^m + M_{m-1} X^{m-1} + \cdots + M_1 X + M_0$, all operations in $\mathrm{GF}(2^{128})$.
There are $2^{128}$ elements of $H$, each described by a 128-bit $R$: $h_R(M) = M(R)$. It can be efficiently evaluated (Horner's rule: one field multiplication and one addition per block).

[Slide 38] Claim: $H$ is $m/2^{128}$-AU, where $m$ upper-bounds the number of blocks of any message in the message space $\mathcal{M}$.
Proof: for $M \ne M'$, $\Pr_R[M(R) = M'(R)] = \Pr_R[\mathrm{poly}(R) = 0] \le m/2^{128}$, because $\mathrm{poly} = M - M'$ is a nonzero polynomial of degree at most $m$ and therefore has at most $m$ zeros, so the chance that a random point of the field is one of these zeros is at most $m$ divided by the size of the field.

[Slide 39] The function NH used in UMAC [BHKR]
Split the message and the key into 16-bit words $m_1, \ldots, m_8$ and $k_1, \ldots, k_8$; add word-wise ($m_i + k_i \bmod 2^{16}$), multiply adjacent sums to get 32-bit products, and sum the products $\bmod 2^{32}$. This function is $2^{-15}$-AU. The above can be computed in just four instructions on a Pentium processor, allowing one to MAC at about 1 cpb.

[Slide 40] Authenticated encryption via generic composition (see [Bellare, Namprempre])
Encrypt-and-MAC: $C \gets \mathcal{E}_K(M)$, $T \gets \mathrm{MAC}_{K'}(M)$; send $C, T$.
MAC-then-Encrypt: $T \gets \mathrm{MAC}_{K'}(M)$, $C \gets \mathcal{E}_K(M\,T)$; send $C$.
Encrypt-then-MAC: $C \gets \mathcal{E}_K(M)$, $T \gets \mathrm{MAC}_{K'}(C)$; send $C, T$. OK!
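The polynomial hash of slides 37 and 38 in runnable form, as an added example (not code from the slides). It uses the GHASH-style ordering (message blocks followed by a length block, evaluated by Horner's rule), my choice so that messages of different lengths give different polynomials and the AU bound of slide 38 holds across lengths with $\epsilon = (m+1)/2^{128}$; the field arithmetic uses the reduction polynomial $x^{128} + x^7 + x^2 + x + 1$ (the one GCM uses). The names gf_mul, blocks_of, poly_hash, au_bound and forge_collision, the hash key and the sample message are mine. forge_collision shows the other half of the slide-36 picture: once $R$ is known, collisions are trivial, which is why the Carter-Wegman key $(h, K)$ keeps $h$ secret.

```python
# Added example (not from the slides): the polynomial hash of slide 37 over GF(2^128),
# in the GHASH-style ordering (blocks then a length block, evaluated by Horner's rule)
# so that messages of different lengths give different polynomials. gf_mul, poly_hash and
# forge_collision are my names; the reduction polynomial is the one used by GCM.
R_POLY = 0x87            # x^128 = x^7 + x^2 + x + 1 in GF(2^128); bit i of an int is x^i
TOP = 1 << 128


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128): shift-and-add, reducing whenever bit 128 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & TOP:
            a = (a ^ TOP) ^ R_POLY
    return r


def blocks_of(msg: bytes):
    """16-byte blocks as integers, the last one zero-padded."""
    return [int.from_bytes(msg[i:i + 16].ljust(16, b"\0"), "big") for i in range(0, len(msg), 16)]


def poly_hash(r: int, msg: bytes) -> int:
    """h_r(M) = X_1 r^{m+1} + X_2 r^m + ... + X_m r^2 + L r over GF(2^128), where X_i are
    the blocks and L the bit length. For M != M' the difference is a nonzero polynomial
    of degree <= m+1, so Pr_r[h_r(M) = h_r(M')] <= (m+1)/2^128: the family is AU."""
    y = 0
    for x in blocks_of(msg):
        y = gf_mul(y ^ x, r)
    return gf_mul(y ^ (8 * len(msg)), r)


def au_bound(max_blocks: int) -> float:
    """The epsilon for which this family is epsilon-AU, by the argument of slide 38."""
    return (max_blocks + 1) / 2 ** 128


def forge_collision(r: int, msg: bytes) -> bytes:
    """With r known, collisions are trivial: flipping bit 0 of block 1 changes the hash by
    r^{m+1}; XOR-ing r into block 2 changes it by r * r^m, which cancels it. This is why
    the hash key r must stay secret."""
    if len(msg) < 32:
        raise ValueError("need two full blocks")
    x1 = int.from_bytes(msg[:16], "big") ^ 1
    x2 = int.from_bytes(msg[16:32], "big") ^ r
    return x1.to_bytes(16, "big") + x2.to_bytes(16, "big") + msg[32:]


if __name__ == "__main__":
    r = 0x0123456789ABCDEF0123456789ABCDEF          # constructed hash key
    m = b"constructed sample message, forty bytes!"  # 40 bytes, 3 blocks
    print(f"h_r(M) = {poly_hash(r, m):#034x}")
    print("known-key collision:", poly_hash(r, m) == poly_hash(r, forge_collision(r, m)))
    print(f"AU bound for 3-block messages: {au_bound(3):.3e}")
```

A real implementation would not use the bit-serial gf_mul (it is neither fast nor constant-time); it is here to make the field arithmetic of the slide visible. The length block is what separates a message from the same message padded with zero bytes, a case the plain coefficient form on the slide leaves to the message space.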
[Slide 41] Authenticated encryption via fancy modes (see IAPM [Jutla] and OCB [RBBK])
Picture: a nonce $N$ yields a per-message value $R$; the message blocks $M_1, M_2, M_3$ are combined with the offsets $R, 2R, 3R$ (with a marked variant $3R^*$ for the final block) around the block-cipher calls to give $C_1, C_2, C_3$.
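The generic-composition point of slide 40 made concrete, as an added example (not code from the slides or from [Bellare, Namprempre]): Encrypt-and-MAC versus Encrypt-then-MAC, with HMAC-SHA256 from the Python standard library as the MAC and a SHA-256 counter-mode pad standing in for CTR-mode encryption. The function names, keys, nonces and the sample message are mine. The distinguisher is the one the ind notion of slide 15 licenses: encrypt the same message twice and look at the public tags.

```python
# Added example (not from the slides): Encrypt-and-MAC versus Encrypt-then-MAC from slide 40,
# with HMAC-SHA256 as the MAC and a SHA-256 counter-mode pad standing in for CTR-mode
# encryption. The function names are mine; the point is the one made in [Bellare, Namprempre].
import hashlib
import hmac


def stream_pad(ke: bytes, nonce: bytes, length: int) -> bytes:
    """Keyed pseudorandom pad: SHA-256(ke || nonce || counter) in counter mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ke + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt(ke: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the pad; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, stream_pad(ke, nonce, len(data))))


def mac(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, hashlib.sha256).digest()


def encrypt_and_mac(ke, km, nonce, msg):
    """E&M: C = E(M), T = MAC(M). T depends on M alone, so equal plaintexts give equal tags:
    the ciphertext (C, T) reveals whether M was sent before, which violates ind."""
    return nonce, encrypt(ke, nonce, msg), mac(km, msg)


def encrypt_then_mac(ke, km, nonce, msg):
    """EtM: C = E(M), T = MAC(nonce || C). The tag covers exactly what will be decrypted."""
    c = encrypt(ke, nonce, msg)
    return nonce, c, mac(km, nonce + c)


def etm_decrypt(ke, km, nonce, c, tag):
    """Verify first, then decrypt; None plays the role of '*' (reject)."""
    if not hmac.compare_digest(mac(km, nonce + c), tag):
        return None
    return encrypt(ke, nonce, c)


def tags_reveal_repeat(scheme, ke, km, msg, nonce1, nonce2) -> bool:
    """An ind-style distinguisher: encrypt the same message twice under fresh nonces and
    report whether the tags (a public part of the ciphertext) coincide."""
    _, _, t1 = scheme(ke, km, nonce1, msg)
    _, _, t2 = scheme(ke, km, nonce2, msg)
    return t1 == t2


if __name__ == "__main__":
    ke, km = b"k" * 32, b"m" * 32                 # constructed keys
    n1, n2 = b"nonce-0001", b"nonce-0002"         # constructed nonces
    msg = b"TRANSFER 100 TO ACCOUNT 42"           # constructed sample message
    print("E&M tags repeat:", tags_reveal_repeat(encrypt_and_mac, ke, km, msg, n1, n2))
    print("EtM tags repeat:", tags_reveal_repeat(encrypt_then_mac, ke, km, msg, n1, n2))
    nonce, c, t = encrypt_then_mac(ke, km, n1, msg)
    print("EtM verifies:", etm_decrypt(ke, km, nonce, c, t) == msg)
    tampered = bytes([c[0] ^ 1]) + c[1:]
    print("EtM rejects tampering:", etm_decrypt(ke, km, nonce, tampered, t) is None)
```

Encrypt-and-MAC fails here even though both components are fine on their own: a secure MAC is allowed to be deterministic, and that alone leaks plaintext equality. Encrypt-then-MAC with the nonce under the tag rejects any modified ciphertext or replayed-under-another-nonce ciphertext before a single pad byte is derived, which is the "OK!" of slide 40.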