CS 6260 Applied Cryptography

Similar documents
CS 6260 Applied Cryptography

Symmetric Encryption

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

Modern Cryptography Lecture 4

CTR mode of operation

CPA-Security. Definition: A private-key encryption scheme

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Symmetric Encryption. Adam O Neill based on

Notes on Property-Preserving Encryption

Block ciphers And modes of operation. Table of contents

Lecture 9 - Symmetric Encryption

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Computational security & Private key encryption

Lectures 2+3: Provable Security

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 7: CPA Security, MACs, OWFs

ASYMMETRIC ENCRYPTION

Block Ciphers/Pseudorandom Permutations

2 Message authentication codes (MACs)

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Lecture 5, CPA Secure Encryption from PRFs

Provable security. Michel Abdalla

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

III. Pseudorandom functions & encryption

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Solution of Exercise Sheet 7

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Introduction to Cybersecurity Cryptography (Part 4)

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Introduction to Cybersecurity Cryptography (Part 4)

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture Note 3 Date:

8 Security against Chosen Plaintext

Lecture 5: Pseudorandom functions from pseudorandom generators

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

1 Indistinguishability for multiple encryptions

Semantic Security of RSA. Semantic Security

Chapter 2 : Perfectly-Secret Encryption

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

CPSC 91 Computer Security Fall Computer Security. Assignment #2

An Uninstantiable Random-Oracle-Model Scheme for a Hybrid-Encryption Problem

A block cipher enciphers each block with the same key.

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Identity-based encryption

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

ECS 189A Final Cryptography Spring 2011

Efficient Constructions of Deterministic Encryption from Hybrid Encryption and Code-Based PKE

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Lecture 10 - MAC s continued, hash & MAC

BLOCK CIPHERS KEY-RECOVERY SECURITY

Lecture 13: Private Key Encryption

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Perfectly-Secret Encryption

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Chosen-Ciphertext Security (I)

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lecture 2: Perfect Secrecy and its Limitations

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Notes for Lecture 9. 1 Combining Encryption and Authentication

Building Secure Cryptographic Transforms, or How to Encrypt and MAC

CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Modern symmetric-key Encryption

Dan Boneh. Stream ciphers. The One Time Pad

El Gamal A DDH based encryption scheme. Table of contents

Solution of Exercise Sheet 6

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Non-malleability under Selective Opening Attacks: Implication and Separation

Foundations of Network and Computer Security

Advanced Cryptography 1st Semester Public Encryption

Contents 1 Introduction 1 2 Re-keying processes as pseudorandom generators 3 3 Generalization: Tree-based re-keying Construction

Chapter 11 : Private-Key Encryption

Scribe for Lecture #5

REMARKS ON IBE SCHEME OF WANG AND CAO

Cryptography 2017 Lecture 2

Transcription:

CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. M K E C or A C K D M or Sender S Receiver R It is required that for every M MsgSp and every K that can be output by K, D(K,E(K,M))=M 1 2 Often the key generation algorithm simply picks a random string from some key space KeySp (e.g. {0,1} k for some integer k). In this case we will say that a scheme is defined by KeySp and two algorithms: =(KeySp,E,D) The encryption algorithm can be either randomized (take as input a random string) or stateful (take as input some state (e.g. counter) that it can update) Block cipher modes of operation Modes of operation define how to use a block cipher to encrypt long messages We will often assume that the message space consists of messages whose length is multiple of a block length 3 4

Eleonic Code Book (ECB) mode Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. ECB=({0,1} k,e,d): Encryption algorithm E M2 Mm Eleonic Code Book (ECB) mode algorithm (M) if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm Ci (Mi) C return C Decryption algorithm D C2 C2-1 -1-1 algorithm D K (C) if ( C mod n 0 or C = 0) then return Break C into n-bit blocks Mi EK 1 (Ci) M Mm return M M2 Mm 5 6 Cipher-block chaining (CBC) mode with random IV Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBC=({0,1} k,e,d): IV"{0,1} n IV M2 Mm Cipher-block chaining (CBC) mode with random IV algorithm (M) if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm C0 IV {0, 1} n Ci (Ci 1 Mi) C return IV, C Decryption algorithm D IV IV C2 C2-1 -1-1 algorithm D K ( IV, C ) if ( C mod n 0 or M = 0) then return Break C into n-bit blocks C0 IV Mi EK 1 (Ci) Ci 1) M Mm return M M2 Mm 7 8

Stateful Cipher-block chaining (CBC) mode with counter IV Stateful Cipher-block chaining (CBC) mode with counter IV Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBCC=({0,1} k,e,d): "0 n The counter is incremented for each new message Decryption algorithm D M2 C2 C2 Mm -1-1 -1 algorithm (M) static 0 if ( M mod n 0 or M = 0) then return Break M into n-bit blocks Mm if 2 n then return C0 IV n Ci (Ci 1 Mi) C + 1 return IV, C algorithm D K( IV, C ) if ( C mod n 0 or C = 0) then return Break C into n-bit blocks if IV + m > 2 n then return C0 IV Mi EK 1 (Ci) Ci 1) M Mm return M M2 Mm 9 10 Randomized counter mode (CTR) Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): R"{0,1} l Decryption algorithm D R R R+1 R+2 R+m C2 M2 Mm R+1 R+2 R+m Randomized counter mode (CTR) algorithm (M) m M /L R {0, 1} l Pad (R + 1) (R + 2) (R + m) Pad the first M bits of Pad C M Pad C R C return C algorithm D K (C) if C < l then return Parse C into R C where R = l m C /L Pad (R + 1) (R + 2) (R + m) Pad the first C bits of Pad M C Pad return M C2 M2 Mm 11 12

Stateful counter mode (CTRC) Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): is initially 0 l A current counter is maintained as a state +1 +2 +m M2 Mm Stateful counter mode (CTRC) algorithm (M) static 0 m M /L If + m 2 l then return Pad ( + 1) ( + 2) ( + m) Pad the first M bits of Pad C M Pad + m return m, C Decryption algorithm D C2 +1 +2 +m algorithm D K( i, C ) m C /L Pad (i + 1) (i + 2) (i + m) Pad the first C bits of Pad M Pad C return M C2 M2 Mm 13 14 What is a secure encryption scheme? Recall, perfectly secure schemes are impractical We assume that adversaries are computationally bounded A scheme is secure when it is not insecure. Insecure = adversaries can do bad things. Bad things: an adversary, who sees ciphertexts can compute the secret key can compute some plaintexts can compute the first bit of a plaintext can compute the sum of the bits of a plaintext can see when equal messages are encrypted can compute... So what is a secure encryption scheme? Informally, an encryption scheme is secure if no adversary with reasonable resources who sees several ciphertexts can compute any* partial information about the plaintexts, besides some a-priori information. * Any information, except the length of the plaintexts. We assume the length of the plaintexts is public. Note, that the above implies that the bad things we mentioned do not happen. And the other bad things. While the above definition captures the right intuition, it s too informal to be useful. 15 16

Indistinguishability under chosen-plaintext attacks Fix =(KeySp,E,D) K"KeySp For an adversary A and a bit b consider an experiment Exp ind-cpa-b (A) b d A M 0,M 1 Adv ind-cpa (A) = Pr LR(!,!,!) The experiment returns d The IND-CPA advantage of A is: Mb (LR(!,!,!)) A symmetric encryption scheme is indistinguishable under chosenplaintext attacks (IND-CPA secure) if for any adversary A with reasonable resources Adv ind-cpa (A) is small (close to 0). C=(Mb ) () Exp ind-cpa-1 (A) = 1 Experiment Exp ind-cpa-1 (A) K K d A EK(LR(,,1)) Return d Pr Exp ind-cpa-0 (A) = 1 Experiment Exp ind-cpa-0 (A) K K d A EK(LR(,,0)) Return d 17 Fix =(KeySp,E,D) K"KeySp A M 0,M 1 Alternative interpretation For an adversary A consider an experiment Exp ind-cpa-cg (A) Claim. b b LR(!,!,!) M b The experiment returns 1 iff A b =b EK() Adv ind-cpa (A) = 2 Pr Exp ind-cpa-cg (A) = 1 1. experiment, adversary is run with an oracle for wor Experiment Exp ind-cpa-cg (A) b {0, 1} ; K K b A EK(LR(,,b)) if b = b then return 1 else return 0 18 Proof of the claim Pr Exp ind-cpa-cg (A) = 1 = Pr = Pr = b = b = Pr b = b b = 1 Pr b = 1 + Pr b = b b = 0 Pr b = 0 1 1 = Pr b = b b = 1 1 2 + Pr b = b b = 0 1 2 1 1 = Pr b = 1 b = 1 1 2 + Pr b = 0 b = 0 1 2 ) = Pr b = 1 b = 1 1 2 + ( 1 Pr b ) = 1 b = 0 ) 1 ( ) 2 ) = 1 + 1 (Pr b = 1 b = 1 Pr b = 1 b = 0 ) 2 2 ( ) ( ( - - - = 1 2 + 1 ) 2 ( Pr Exp ind-cpa-1 (A) = 1 Pr Exp ind-cpa-0 (A) = 1 = 1 2 + 1 2 Advind-cpa (A) Why IND-CPA ensures that no partial information is leaked? Fix =(KeySp,E,D) with MsgSp={0,1} m. Assume there exists an adversary B that after seeing a few plaintexts-cipertexts pairs and a challenge ciphertext can compute the challenge plaintext. Namely, in Experiment Exp pr-cpa (B) K K M {0, 1} m C (M ) M B EK( ) (C) If M = M then return 1 else return 0 Then is not IND-CPA secure. Claim. IND-CPA Fix =(KeySp,E,D) with MsgSp={0,1} m. Then for every adversary B there exists an adversary A such that Adv pr-cpa (B) Adv ind-cpa (A) + 1 2 m and q A = q B + 1,µ A = µ B + m,t A = t B = O(µ+ m + c) Adv pr-cpa (B) = Pr Exp pr-cpa (B) = 1 is non-negligible 19 20

Proof. We define A as follows: Adversary A EK(LR(,,b)) E We now analyze the adversary: Pr Pr M 0 {0, 1} m ; M 1 {0, 1} m C (LR(M 0, M 1, b)) Run adversary B on input C, replying to its oracle queries as follows When B makes an oracle query X to g do When B makes an oracle query X do Y (LR(X, X, b)) return Y to B as the answer When halts and outputs plaint When B halts and outputs a plaintext M If M = M 1 then return 1 else return 0 Exp ind-cpa-1 (A) = 1 Adv pr-cpa (B) S - - Exp ind-cpa-0 (A) = 1 2 m. Adv ind-cpa (A) = Pr Exp ind-cpa-1 (A) = 1 Pr Exp ind-cpa-0 (A) = 1 Adv pr-cpa (B) 2 m. The resources of A are justified by the description of A. Analysis of the ECB mode. Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. ECB=({0,1} k,e,d): Encryption algorithm E M2 C2 Conjecture. ECB is PR-CPA secure. Is ECB a good encryption scheme? Is ECB IND-CPA secure? Mm 21 22 ECB is not IND-CPA Adversary A EK(LR(,,b)) M 1 0 2n ; M 0 0 n 1 n C2 (LR(M 0, M 1, b)) If = C2 then return 1 else return 0 Claim. Any deterministic, stateless scheme is not IND-CPA Why? Above, denotes the -th block of a string, a Adv ind cpa ECB (A) = Pr Exp ind cpa 1 ECB (A) = 1 Pr Exp ind cpa 0 ECB (A) = 1 = 1 0 = 1 23 24

Analysis of the CTRC Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): is initially 0 l A current counter is maintained as a state +1 +2 +m C2 M2 Mm The scheme is used to encrypt at most 2 l blocks (so that the counter does not wrap around) Security of CTRC Theorem. For any adversary A there exists an adversary B such that Adv ind cpa where Proof idea. We present an adversary B who needs to distinguish whether it is given an oracle access to a truly random function or an instance of F. B will use A s ability to break the CTRC encryption scheme. B will run A as a subroutine, simulating the ind-cpa experiment for it. B will answer A s oracle queries using its own oracle. Finally, if A wins, B will win. CT RC f (A) 2 Advpr (B) F t B = t A + O(q A + (l + L) µ A l ),q B = µ A l,µ B = µ A How good is the scheme? The flaws seem hard to find. Q. But may be they exist and we just don t see them? A. The mode is as good as it can be and we can prove it. 25 26 Proof. Let A be any ind-cpa adversary attacking CTRC. We present a prf adversary B: b R {0,1} M 0,M 1 M b A E (!) g/ b B g / B can simulate the CTRC encryption algorithm because it makes only oracle use of the underlying function F. 1 iff b =b Adversary B g b {0, 1} Run adversary A, replying to its oracle queries as follows When A makes an oracle query (M 0, M 1 ) do C E g (M b ) Return C to A as the answer Until A stops and outputs a bit b If b = b then return 1 else return 0 g is a random instance of Func(l,L) Let us analyze B. Note that Pr Exp prf-1 F (B) = 1 = Pr Exp ind-cpa-cg F (A) = 1 Pr Exp prf-0 F (B) = 1 = Pr Exp ind-cpa-cg Func(l,L) (A) = 1 Equations (4.4) and (4.5) we can now apply Proposition 4. and thus Adv prf F (B) = Pr Exp prf-1 F (B) = 1 Pr Exp prf-0 F (B) = 1 We will show that = 1 2 Advind-cpa F (A) 1 2 Advind-cpa Func(l,L) (A) 1 Adv ind-cpa Func(l,L) (A) = 0 = 1 2 + 1 2 Advind-cpa F (A) = 1 2 + 1 2 Advind-cpa Func(l,L) (A) and the statement of the theorem follows.finally the resources of B are justified by the algorithm for B. 27 28

Adv ind-cpa Func(l,L) (A) = 0 because all the values corresponding to the red dots on the picture below are random and independent (since they are the results of a random function applied to distinct points) and thus,..., are also random values, independent from the adversary A s challenge bit. Analysis of the CTR Let F:{0,1} k!{0,1} l!{0,1} L be a function family. CBC=({0,1} k,e,d): R"{0,1} l R+1 R+2 R+m +1 +2 +m F K M2 Mm g g g R C2 M2 Mm C2 29 30 Theorem. For any adversary A there exists an adversary B such that Adv ind cpa CT R where What does the security statement tell us? Let F be AES, l=l=128. Assume one encrypts q=2 30 messages, 1 Kb each (2 13 bits), recall Adv ind cpa CT R (A) 2 q2 AES 2 128 + µ2 A L 2 2 l = 3 µ2 L 2 2 128 (A) 2 Adv pr f Security of CTR F (B) + µ2 A l 2 2 l t B = t A + O(q A + (l + L) µ A l ),q B = µ A l,µ B = µ A 4 243 2 128 2 2 128 = 1 2 54 Adv pr f AES (A) q2 AES 2 128 Proof idea. As in the proof of the previous theorem. Proof. The adversary B is exactly like one in the proof of the previous theorem. But now we claim that Adv ind cpa Given this and the previous proof, the statement of the theorem follows. To prove the claim note that after q queries A made the inputs to the random function are r 1 + 1, r 1 + 2,, r 1 + m 1 r 2 + 1, r 2 + 2,, r 2 + m 2. r q + 1, r q + 2,, r q + m q Adv ind cpa CT RFunc(l,L) (A) = Pr 1 A = 1 Pr 0 A = 1 = Pr 1 A = 1 Col Pr 1 Col + Pr 1 A = 1 NoCol Pr 1 NoCol Pr 0 A = 1 Col Pr 0 Col Pr 0 A = 1 NoCol Pr 0 NoCol = (Pr 1 A = 1 Col Pr 0 A = 1 Col) Pr 0 Col Pr 0 Col.. µ2 A CT RFunc(l,L) (A) 2 l 2 2 l Let NoCol be the event that these values are all distinct, and Col is the complement of NoCol. Then 31 32

It remains to calculate Pr Col Pr Col = Pr Col q (we drop the subscript 0 in the notation) (Col i is the event that there is is collision in the first i rows) = Pr Col q 1 + Pr Col q NoCol q 1 Pr NoCol q 1 Pr Col q 1 + Pr Col q NoCol q 1 Security of CBCC Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBCC=({0,1} k,e,d): Stateful. q Pr Col 1 + Pr Col i NoCol i 1 i=2 q = Pr Col i NoCol i 1. i=2 Pr Col i NoCol i 1 (m i + m 1 1) + (m i + m 2 1) + + (m i + m i 1 1) 2 l Pr Col = (i 1)m i + m i 1 + + m 1 (i 1) 2 l, q Pr Col i NoCol i 1 i=2 q (i 1)m i + m i 1 + + m 1 2 i=2 l = (q 1)(m1 + + mq) 2 l. The statement follows after we note that m 1 +... + m q = µ A /l "0 n incremented for each new message M2 C2 Mm Theorem. There exists an adversary A such that Proof idea. Adversary A EK(LR(,,b)) M 0,1 0 n ; M 1,1 0 n M 0,2 0 n ; M 1,2 0 n 1 1 IV 1, C 1 (LR(M 0,1, M 1,1, b)) IV 2, C 2 (LR(M 0,2, M 1,2, b)) If C 1 = C 2 then return 1 else return 0 Adv ind cpa CBCC (A) = 1 33 We claim that 34 Security of CBC Did we get all we wanted? Let E:{0,1} k!{0,1} n!{0,1} n be a block cipher. CBC=({0,1} k,e,d): Is IND-CPA security definition strong enough (does it take into account all the bad things that can happen?) IV"{0,1} n IV M2 Mm An adversary wants to win: to get some partial information about the plaintext from a challenge ciphertext IV C2 What if the adversary can make the receiver to decrypt other ciphertexts of the adversary s choice, learn the plaintexts and this helps it to win? Theorem. For any adversary A there exists an adversary B such that Our definition didn t consider such chosen-ciphertext attacks Adv ind cpa CBC (A) 2 Adv pr f E (B) + µ2 A n 2 2 n where t B = t A + O(q A + µ A ), q B = µ A n, µ B = µ A 35 36

Indistinguishability under chosen-ciphertext attacks Fix =(KeySp,E,D) K"KeySp For an adversary A and a bit b consider an experiment b d A M 0,M 1 C M LR(!,!,!) C=(Mb ) D K () The experiment returns d The IND-CCA advantage of A is: Adv ind cca M b () (LR(!,!,!)) Exp ind cca b (A) A is not allowed to query its decryption oracle on ciphertexts returned by its LR encryption oracle (A) = Pr Exp ind cca 1 (A) = 1 Pr Exp ind cca 0 (A) = 1 A symmetric encryption scheme is indistinguishable under chosenciphertext attacks (IND-CCA secure) if for any adversary A with reasonable resources Adv ind cca (A) is small (close to 0). 37

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback