Foundations of Cybersecurity (Winter 16/17)
Prof. Dr. Michael Backes, CISPA / Saarland University

Solution of Exercise Sheet 7

1 Variants of Modes of Operation

Let (K, E, D) be a block cipher. Consider the following modes of operation:

[Figure: Encryption of CBC* (left) and encryption of ECB (right). In ECB, $c_i = E(K, m_i)$; in CBC*, $c_1 = E(K, m_1)$ and $c_i = c_{i-1} \oplus E(K, m_i)$ for $i > 1$, i.e. the XOR chaining is applied to the block-cipher outputs.]

(5 points) (a) Show how decryption is done for CBC* (showing by picture is fine).

The solution is shown in Figure 1: $m_1 = D(K, c_1)$ and $m_i = D(K, c_i \oplus c_{i-1})$ for $i > 1$.

[Figure 1: Decryption of CBC*]

(10 points) (b) Given a ciphertext $c = c_1 \dots c_n$ that was created for a message $m$ using ECB mode, show how to compute a ciphertext $c'$ that corresponds to a ciphertext of $m$ encrypted under CBC* mode, given only $c$ as input. Show that your construction is correct.
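A Python model of the two modes, added here as an illustration and not part of the exercise sheet. It uses a toy 8-bit block cipher (a keyed random permutation, constructed for the example) and implements CBC* encryption, the CBC* decryption of part (a), the key-free ECB-to-CBC* conversion of part (b) together with its inverse used in part (c), and the second-block check behind the distinguishing messages of part (d).

```python
import random

# Toy block cipher (constructed for illustration): n = 8 bits, the key selects a
# random permutation of the 256 block values, so E is a bijection and D its inverse.
def keygen(seed):
    perm = list(range(256))
    random.Random(seed).shuffle(perm)
    inv = [0] * 256
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv

def E(K, block): return K[0][block]
def D(K, block): return K[1][block]

def ecb_encrypt(K, msg):
    return [E(K, b) for b in msg]

def cbc_star_encrypt(K, msg):
    # c_1 = E(K, m_1), c_i = c_{i-1} XOR E(K, m_i): chaining on the cipher outputs, unlike CBC
    ct, prev = [], 0
    for b in msg:
        prev ^= E(K, b)
        ct.append(prev)
    return ct

def cbc_star_decrypt(K, ct):
    # part (a): m_1 = D(K, c_1), m_i = D(K, c_i XOR c_{i-1})
    msg, prev = [], 0
    for c in ct:
        msg.append(D(K, c ^ prev))
        prev = c
    return bytes(msg)

def ecb_to_cbc_star(ecb_ct):
    # part (b): c'_1 = c_1, c'_i = c'_{i-1} XOR c_i, computed without the key
    out, prev = [], 0
    for c in ecb_ct:
        prev ^= c
        out.append(prev)
    return out

def cbc_star_to_ecb(cbc_ct):
    # inverse direction used in part (c): c_i = c'_i XOR c'_{i-1}
    return [c ^ p for c, p in zip(cbc_ct, [0] + cbc_ct[:-1])]

def second_block_is_zero(K, msg):
    # part (d): the 2nd block is 0^n for m_0 = 0^n||0^n and never for m_1 = 0^n||1^n
    return cbc_star_encrypt(K, msg)[1] == 0
```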
For an ECB ciphertext $c = c_1 \dots c_n$ compute $c' = c'_1 \dots c'_n$ by

$c'_i = \begin{cases} c_i & \text{if } i = 1 \\ c'_{i-1} \oplus c_i & \text{otherwise} \end{cases}$

Proof by induction over $i$.

Induction Basis: The construction is correct for $i = 1$.

Induction Hypothesis: The construction is correct for all $i \le n$.

Induction Step: By the above construction, the $(n+1)$-st ciphertext block is computed by $c'_{n+1} = c'_n \oplus c_{n+1}$. Since by the induction hypothesis $c'_n$ was computed correctly, this exactly corresponds to the encryption in CBC* mode. The construction is therefore correct.

(5 points) (c) Compared to ECB, is CBC* more, less or equally secure? Explain your answer.

Both are equally secure. If I can break ECB mode, I can use the transformation above and break CBC*, so CBC* is at most as secure as ECB. The transformation can be inverted, so we can also transform CBC* ciphertexts into ECB ciphertexts, i.e., the argument is symmetric, giving us equal security.

(5 points) (d) Show how you can construct two messages $m_0$ and $m_1$ such that you can always determine which of these two messages was encrypted by CBC* just given the ciphertext $c$ of that message.

Consider the messages $m_0 = 0^n \| 0^n$ and $m_1 = 0^n \| 1^n$. CBC* encrypts $m_0$ to $c_0 = c_{00} \| 0^n$ where $c_{00} = E(K, 0^n)$, and encrypts $m_1$ to $c_1 = c_{00} \| c_{11}$ where $c_{11} = c_{00} \oplus E(K, 1^n)$. In particular, $E(K, 1^n) \neq c_{00}$ (otherwise (K, E, D) is not a correct encryption scheme). Thus $c_{11} \neq 0^n$. An adversary can therefore always distinguish whether $m_0$ or $m_1$ was encrypted.

2 Insecure MACs

Let $F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a pseudorandom function. Show that each of the following message authentication codes is insecure, i.e. show that, given a finite number of valid message/tag pairs $\{(m_i, t_i)\}_{i=1}^{n}$ for messages $m_i$ chosen by yourself, you can forge a message/tag pair $(m^*, t^*) \notin \{(m_i, t_i)\}$ that is valid.

(5 points) (a) To authenticate a message $m = m_1 \| m_2$ with $m_i \in \{0,1\}^n$, compute the tag $t = S(K, m)$ via

$S(K, m) := F(K, F(K, m_2)) \| F(K, m_1)$

The following adversary A wins with probability 1: First, A queries a random message $m = m_1 \| m_2$, getting back a tag $t = t_2 \| t_1 = F(K, F(K, m_2)) \| F(K, m_1)$. Second, A queries the random message $m' = m_3 \| m_4$, yielding $t' = t_4 \| t_3 = F(K, F(K, m_4)) \| F(K, m_3)$. Finally, A outputs the message/tag pair $(m_1 \| m_4,\ t_4 \| t_1)$, which is valid and has not been queried before.

(5 points) (b) To authenticate a message $m = m_1 \| \dots \| m_l$ with $m_i \in \{0,1\}^n$, compute the tag $t = S(K, m)$ via

$S(K, m) := \bigoplus_{i \le l} K \oplus F(K, m_i)$

Consider the adversary B that queries the message $m = 0^{(l-2)n} \| 1^{2n}$ for an even $l$, yielding the tag

$t = \underbrace{K \oplus F(K, 0^n) \oplus \dots \oplus K \oplus F(K, 0^n)}_{l-2} \oplus K \oplus F(K, 1^n) \oplus K \oplus F(K, 1^n)$

$= \underbrace{K \oplus \dots \oplus K}_{l} \oplus \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2} \oplus F(K, 1^n) \oplus F(K, 1^n)$

$= 0^n \oplus \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2} \oplus 0^n$

$= \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2}$

B finally outputs $(0^{ln}, t)$, which has not been queried before and is indeed valid:

$t = \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2}$

$= \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2} \oplus 0^n$

$= \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l-2} \oplus F(K, 0^n) \oplus F(K, 0^n)$

$= \underbrace{F(K, 0^n) \oplus \dots \oplus F(K, 0^n)}_{l} \oplus \underbrace{K \oplus \dots \oplus K}_{l}$

$= \underbrace{K \oplus F(K, 0^n) \oplus \dots \oplus K \oplus F(K, 0^n)}_{l}$
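Both forgeries of Exercise 2 carried out in Python, as an added example that is not part of the sheet. The PRF $F$ is instantiated (assumption) as HMAC-SHA256 truncated to $n = 16$ bytes, the two tagging functions follow the definitions in (a) and (b), and the two adversaries only use the tag oracle, never the key.

```python
import hashlib, hmac, os

N = 16  # block length n in bytes; F is modelled as HMAC-SHA256 truncated to n (assumption)

def F(K, x):
    assert len(K) == N and len(x) == N
    return hmac.new(K, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(m):
    assert len(m) % N == 0
    return [m[i:i + N] for i in range(0, len(m), N)]

def S_a(K, m):
    # exercise 2(a): S(K, m_1 || m_2) = F(K, F(K, m_2)) || F(K, m_1)
    m1, m2 = blocks(m)
    return F(K, F(K, m2)) + F(K, m1)

def S_b(K, m):
    # exercise 2(b): S(K, m_1 || ... || m_l) = XOR over i <= l of (K XOR F(K, m_i))
    t = bytes(N)
    for mi in blocks(m):
        t = xor(t, xor(K, F(K, mi)))
    return t

def forge_a(tag_oracle):
    # adversary A: tag the two random messages m_1||m_2 and m_3||m_4, then
    # recombine the halves into the never-queried pair (m_1 || m_4, t_4 || t_1)
    m1, m2, m3, m4 = (os.urandom(N) for _ in range(4))
    t = tag_oracle(m1 + m2)    # t  = t_2 || t_1
    tp = tag_oracle(m3 + m4)   # t' = t_4 || t_3
    return m1 + m4, tp[:N] + t[N:], {m1 + m2, m3 + m4}

def forge_b(tag_oracle, l=4):
    # adversary B (l even): the K terms cancel pairwise, as do the two F(K, 1^n)
    # terms, so the tag of 0^{(l-2)n} || 1^{2n} is also the tag of 0^{ln}
    assert l % 2 == 0
    queried = bytes(N * (l - 2)) + b"\xff" * (2 * N)
    return bytes(N * l), tag_oracle(queried), {queried}

def forgery_is_valid(S, forge, K=None):
    # True iff the forged pair verifies under S and was never queried
    K = K or os.urandom(N)
    msg, tag, queried = forge(lambda m: S(K, m))
    return msg not in queried and S(K, msg) == tag
```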
3 Combining Hash Functions

(5 points) (a) Let $H_1 : \{0,1\}^* \to \{0,1\}^n$, $H_2 : \{0,1\}^* \to \{0,1\}^m$ and $H_3 : \{0,1\}^* \to \{0,1\}^m$ be hash functions. Prove that if at least one of them is collision resistant, then $G : \{0,1\}^* \to \{0,1\}^{n+m}$ defined as $G(x) := H_3(x) \; H_1(x) \; H_2(x)$ is collision resistant.

Assume (without loss of generality) $H_1$ to be collision resistant. We show by reduction that if an adversary finds a collision for $G$, then it also finds a collision for $H_1$. Let $g_0 \neq g_1$ be a collision for $G$, hence $G(g_0) = G(g_1)$. This implies $H_3(g_0) \; H_1(g_0) \; H_2(g_0) = H_3(g_1) \; H_1(g_1) \; H_2(g_1)$. In particular, $H_1(g_0) = H_1(g_1)$. Thus $g_0, g_1$ is also a collision for $H_1$. We conclude that $G$ is collision resistant if $H_1$ is collision resistant. The same argumentation holds for $H_2$.

(10 points) (b) Let $H_1, H_2 : \{0,1\}^* \to \{0,1\}^n$ be two collision resistant hash functions. For each $i$, prove or disprove that $G_i$ is a collision resistant hash function.

b1) $G_1 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_1(x) := H_1(H_2(x))$
b2) $G_2 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_2(0^n 1 y) := H_1^n(y)$
b3) $G_3 : \{0,1\}^* \to \{0,1\}^n$ defined as $G_3(0^n 1 y) := H_1(y \| H_2(0^n))$

b1) $G_1$ is collision resistant. Assume for contradiction that an adversary is known that outputs a collision $x_1, x_2$ with $x_1 \neq x_2$ and $H_1(H_2(x_1)) = H_1(H_2(x_2))$. This means that either $H_2(x_1) = H_2(x_2)$, hence $x_1, x_2$ is a collision for $H_2$, a contradiction; or $H_2(x_1) \neq H_2(x_2)$, hence $H_2(x_1), H_2(x_2)$ is a collision for $H_1$, a contradiction. Both cases violate the assumption that $H_1$ and $H_2$ are collision resistant. We conclude that $G_1$ is indeed collision resistant.

b2) $G_2$ is not collision resistant. Consider the collision $x_1, x_2 \in \{0,1\}^*$ with $x_1 = 001 \| 0^n$ and $x_2 = 01 \| H_1(0^n)$. Indeed, we see that

$G_2(x_1) = G_2(001 \| 0^n) = H_1^2(0^n) = H_1(H_1(0^n)) = G_2(01 \| H_1(0^n)) = G_2(x_2)$
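The collision of part b2) carried out concretely, as an added example that is not part of the sheet. Bits are modelled as bytes (a 0x00 byte per "0", a 0x01 byte as the separator "1"), $H_1$ is instantiated as SHA-256 (assumption), and the construction is generalised from the sheet's instance ($0^2 1 0^n$ against $0^1 1 H_1(0^n)$) to any counter $k \ge 1$ and any payload $y$.

```python
import hashlib

def H1(data: bytes) -> bytes:
    # H_1 instantiated as SHA-256 (assumption; any fixed collision-resistant hash would do)
    return hashlib.sha256(data).digest()

def parse_unary_prefix(x: bytes):
    """Split x = 0^k || 1 || y, bits modelled as bytes: k leading 0x00 bytes, then one 0x01."""
    k = 0
    while k < len(x) and x[k] == 0:
        k += 1
    if k == len(x) or x[k] != 1:
        raise ValueError("input is not of the form 0^k 1 y")
    return k, x[k + 1:]

def G2(x: bytes) -> bytes:
    # G_2(0^k 1 y) := H_1^k(y), the k-fold iteration of H_1 on y
    k, y = parse_unary_prefix(x)
    for _ in range(k):
        y = H1(y)
    return y

def g2_collision(y: bytes, k: int = 2):
    # Moving one H_1 application from the unary counter into the payload gives a
    # different input with the same digest:
    #   G_2(0^k 1 y) = H_1^{k-1}(H_1(y)) = G_2(0^{k-1} 1 H_1(y)).
    # The sheet's instance is k = 2 and y = 0^n.
    assert k >= 1
    x1 = bytes(k) + b"\x01" + y
    x2 = bytes(k - 1) + b"\x01" + H1(y)
    return x1, x2
```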
b3) $G_3$ is indeed collision resistant. Assume for contradiction that an adversary is known that outputs a collision $x_1 = 0^m 1 y_1$ and $x_2 = 0^n 1 y_2$ with $x_1 \neq x_2$ and $G_3(x_1) = G_3(x_2)$. This implies that $y_1 \neq y_2$ or $n \neq m$. Now, since $x_1$ and $x_2$ are a collision for $G_3$, we have that $H_1(y_1 \| H_2(0^m)) = H_1(y_2 \| H_2(0^n))$. Since $H_1$ is collision resistant, however, we have that $y_1 \| H_2(0^m) = y_2 \| H_2(0^n)$. By definition, $H_2$ returns a bit-string of length $n$. Hence $y_1 = y_2$ and $H_2(0^m) = H_2(0^n)$. But since $H_2$ is collision resistant as well, we get that $m = n$. We thus contradict our initial condition that $y_1 \neq y_2$ or $n \neq m$. Hence $G_3$ is collision resistant.

4 BONUS: Key Complementarity of DES

(+10 bonus) (a) Show that in the DES structure, $E_{DES}(\bar K, \bar m) = \overline{E_{DES}(K, m)}$, where $\bar x$ denotes the bitwise complement of $x$ and $E_{DES}(K, m)$ is the DES encryption function using key $K$ and message $m$. (Note: The complement of a bit $b$ is defined as $b \oplus 1$.)

Given $m \in \{0,1\}^{2 \cdot 32}$ and $K \in \{0,1\}^{56}$, we have to show $E_{DES}(\bar K, \bar m) = \overline{E_{DES}(K, m)}$. Let us first note that the initial permutation preserves the bitwise complement. Furthermore, by inspection of the algorithm, we see that the key schedule preserves the bitwise complement as well, as it consists of permutations and shifts only. So it is sufficient to examine a single round and prove $E_i(\bar K, \bar m) = \overline{E_i(K, m)}$ for the $i$-th round of DES.

Let us consider the application of the $i$-th round of DES with key $K$ and input message $L_{i-1} R_{i-1}$, written $E_i(K, L_{i-1} R_{i-1}) = L_i R_i$. We want to show that $E_i(\bar K, \bar L_{i-1} \bar R_{i-1}) = \bar L_i \bar R_i$. Since $R_{i-1} = L_i$, we immediately know that the left half of $E_i(\bar K, \bar L_{i-1} \bar R_{i-1})$ is $\bar R_{i-1} = \bar L_i$. So it suffices to show that the right half of the output on the complemented inputs is $\bar R_i$.

Let us take a look at the round function $f_i$, which is used in the computation of $R_i$ as $R_i = L_{i-1} \oplus f_i(R_{i-1})$. It is easy to see that if the expansion permutation $E$ applied to $R_{i-1}$ yields $V_i$, then $E$ applied to $\bar R_{i-1}$ yields $\bar V_i$. As the round key results in $\bar K_i$, this leads to the expression $\bar V_i \oplus \bar K_i$. Using the associativity and the commutativity of $\oplus$ and $\bar X = X \oplus 1$ we get

$(V_i \oplus 1) \oplus (K_i \oplus 1) = (V_i \oplus K_i) \oplus (1 \oplus 1) = V_i \oplus K_i$

So the input to the remaining parts of the round function is identical in both cases, and therefore the final output $W_i$ of the round function is identical in both cases: $f_i(\bar K_i, \bar R_{i-1}) = f_i(K_i, R_{i-1})$. Using this property we get

$\bar L_{i-1} \oplus f_i(\bar K_i, \bar R_{i-1}) = \bar L_{i-1} \oplus f_i(K_i, R_{i-1}) = 1 \oplus \underbrace{(L_{i-1} \oplus f_i(K_i, R_{i-1}))}_{R_i} = \bar R_i$

We get that after one round, the output is inverted. By a trivial induction, it follows that after an arbitrary number of rounds the output is inverted as well. This proves the claim.

(+5 bonus) (b) Show how an attacker can use the above property to perform an exhaustive key search by only performing half the number of DES encryptions you would need for the regular exhaustive key search. Try to be precise in which assumptions you make (on the capabilities of the attacker, speed of DES as opposed to other operations, etc.). More precisely, assume you are given one plaintext/ciphertext pair $(m, c_m)$ for which you want to determine the key used for encryption using exhaustive key search. (Note: You might still need additional operations (such as complementations or xors), but may only use half as many DES encryption operations as used in the regular exhaustive key search.)

The goal is to reduce the number of DES operations by 1/2 using the insights from part (a). In order to achieve this, we halve the number of keys that we need to try for the exhaustive key search. If $\mathcal{K} = \{0,1\}^k$, it suffices to use all keys in $\mathcal{K}' = \{0 \| k' : k' \in \{0,1\}^{k-1}\}$. This is the case because $\mathcal{K}' \cup \overline{\mathcal{K}'} = \mathcal{K}$ and we can try two keys with one DES operation as follows: For each $k$ for which we compute $E(k, m)$ we get $E(\bar k, \bar m)$ almost for free by just flipping each bit, i.e., computing $\oplus 1$. Thus for the $m$ we know, we compute $E(k, m)$ and check whether it is equal to $c_m$, and we check whether $\overline{E(k, m)} = E(\bar k, \bar m)$ is equal to $c_m$. So we have tried the keys $k$ and $\bar k$ with only one DES operation.
It is only roughly a factor of two because we need two (fast) operations to check the second key $\bar k$ in addition to checking $k$.
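A toy DES-like Feistel network, added here as an example and not part of the sheet or of real DES: 16-bit blocks split into 8-bit halves, a bit-copying expansion from 8 to 12 bits, two random 6-to-4-bit S-boxes, a P-box and a rotation-only key schedule for a 12-bit key, all chosen arbitrarily for the illustration. The proof of part (a) only uses structure (the expansion copies bits, the round key enters by XOR, the key schedule is shifts and permutations), so the complementation property holds for this cipher as well, which the last function checks.

```python
import random

# Toy DES-like Feistel network (constructed for illustration; not real DES):
# 16-bit block, 8-bit halves, 12-bit key and round keys, random S-boxes.
ROUNDS = 4
EXPAND = [7, 0, 1, 2, 1, 2, 3, 4, 3, 4, 5, 6]   # 8 -> 12 bits by copying bits, like DES's E
PBOX = [1, 5, 2, 0, 3, 7, 4, 6]                  # permutation of the 8 S-box output bits
_rng = random.Random(1)
SBOX = [[_rng.randrange(16) for _ in range(64)] for _ in range(2)]  # two 6 -> 4 bit S-boxes

def permute(x, table, width):
    """Output bit j (MSB first) is input bit table[j] of the `width`-bit value x."""
    out = 0
    for src in table:
        out = (out << 1) | ((x >> (width - 1 - src)) & 1)
    return out

def round_key(K, i):
    # key schedule made of rotations only; rotating the complement gives the complemented round key
    return ((K << i) | (K >> (12 - i))) & 0xFFF

def f(Ki, R):
    v = permute(R, EXPAND, 8) ^ Ki                  # E(R) XOR K_i: complements cancel here
    s = (SBOX[0][v >> 6] << 4) | SBOX[1][v & 0x3F]  # S-box layer, 12 -> 8 bits
    return permute(s, PBOX, 8)

def encrypt(K, m):
    L, R = m >> 8, m & 0xFF
    for i in range(1, ROUNDS + 1):
        L, R = R, L ^ f(round_key(K, i), R)         # L_i = R_{i-1}, R_i = L_{i-1} XOR f(K_i, R_{i-1})
    return (L << 8) | R

def complement_property_holds(K, m):
    # part (a): E(~K, ~m) == ~E(K, m)
    return encrypt(K ^ 0xFFF, m ^ 0xFFFF) == encrypt(K, m) ^ 0xFFFF

def holds_for_random_inputs(trials=100, seed=0):
    rng = random.Random(seed)
    return all(complement_property_holds(rng.getrandbits(12), rng.getrandbits(16))
               for _ in range(trials))
```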