A Pseudo-Random Encryption Mode

Similar documents
From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs

On the Round Security of Symmetric-Key Cryptographic Primitives

Benes and Butterfly schemes revisited

The Indistinguishability of the XOR of k permutations

Introduction to Cryptography Lecture 4

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

EME : extending EME to handle arbitrary-length messages with associated data

On Fast and Provably Secure Message Authentication Based on. Universal Hashing. Victor Shoup. December 4, 1996.

Security of Random Feistel Schemes with 5 or more Rounds

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

A Domain Extender for the Ideal Cipher

Block ciphers And modes of operation. Table of contents

Modes of Operations for Wide-Block Encryption

CTR mode of operation

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Symmetric Encryption

A block cipher enciphers each block with the same key.

Modern Cryptography Lecture 4

A New Mode of Encryption Providing A Tweakable Strong Pseudo-Random Permutation

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Badger - A Fast and Provably Secure MAC

Solution of Exercise Sheet 7

Breaking H 2 -MAC Using Birthday Paradox

The Sum of PRPs is a Secure PRF

Public-key Cryptography: Theory and Practice

On the Security of CTR + CBC-MAC

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Tweakable Enciphering Schemes From Stream Ciphers With IV

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

Online Ciphers and the Hash-CBC Construction

Symmetric Crypto Systems

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Cryptographic Hash Functions

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Magic Functions. In Memoriam Bernard M. Dwork

Characterization of EME with Linear Mixing

Improving Upon the TET Mode of Operation

All-Or-Nothing Transforms Using Quasigroups

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

FRMAC, a Fast Randomized Message Authentication Code

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

AES-VCM, AN AES-GCM CONSTRUCTION USING AN INTEGER-BASED UNIVERSAL HASH FUNCTION.

Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation

Lecture 10 - MAC s continued, hash & MAC

Improved security analysis of OMAC

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

From Non-Adaptive to Adaptive Pseudorandom Functions

Differential Attack on Five Rounds of the SC2000 Block Cipher

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

New Proofs for NMAC and HMAC: Security without Collision-Resistance

A survey on quantum-secure cryptographic systems

On Pseudo Randomness from Block Ciphers

ASYMMETRIC ENCRYPTION

1 Indistinguishability for multiple encryptions

Lecture 4: DES and block ciphers

Improving the Security of MACs via Randomized Message Preprocessing

Gurgen Khachatrian Martun Karapetyan

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

CPA-Security. Definition: A private-key encryption scheme

Symmetric Crypto Systems

A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)

Construction of universal one-way hash functions: Tree hashing revisited

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

New Attacks against Standardized MACs

Lecture 9 - Symmetric Encryption

Lecture 28: Public-key Cryptography. Public-key Cryptography

Foundations of Network and Computer Security

A Composition Theorem for Universal One-Way Hash Functions

A Tweakable Enciphering Mode

A New Paradigm of Hybrid Encryption Scheme

ECS 189A Final Cryptography Spring 2011

A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes

CPSC 467: Cryptography and Computer Security

An Implementation of Ecient Pseudo-Random Functions. Michael Langberg. March 25, Abstract

Tweakable Block Ciphers

A Parallelizable Enciphering Mode

Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions*

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 5: Pseudorandom functions from pseudorandom generators

Message Authentication Codes (MACs)

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Merkle-Damgård Revisited : how to Construct a Hash Function

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

On the provable security of BEAR/LION schemes

1 Cryptographic hash functions

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Concurrent Error Detection in S-boxes 1

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Semantic Security of RSA. Semantic Security

The Pseudorandomness of Elastic Block Ciphers

Transcription:

A Pseudo-Random Encryption Mode Moni Naor Omer Reingold Block ciphers are length-preserving private-key encryption schemes. I.e., the private key of a block-cipher determines a permutation on strings of the length of its input. This permutation is used for encryption while the inverse permutation is used for decryption. Using a length-preserving encryption scheme saves on memory and prevents wasting communication bandwidth. Furthermore, it enables the easy incorporation of the encryption scheme into existing protocols or hardware components. Often, block-ciphers have fixed (and relatively small) input length. This is especially true for hardware implementations. For example, the highly influential Data Encryption Standard (DES) has input length of 64 bits. 1 In such a case, the block-cipher is used in some mode of operation that enables the encryption of longer messages. The standard modes of operation (proposed in the context of DES) are ECB, CBC, CFB and OFB. Unfortunately, all these modes reveal information on their inputs or on relations between different inputs. For instance, when using the CBC-mode, the encryptions of two messages with identical prefix will also have an identical prefix. The ECBmode reveals even more information (i.e., equalities between any pair of plain-text blocks). For some applications it is essential to have better security than that of the standard modes of operation. Such security is formalized by the concept of a pseudo-random permutation: Let f be a pseudo-random permutation, then if the encryption of a message M is f(m) then the only information this encryption leaks on M is whether or not M is equal to a previously encrypted message. For further discussion on the usage of pseudo-random permutations for encryption (and on the usage of length-preserving encryption in general) see [3, 5, 9]. This note describes a mode of operation for block-ciphers that achieves a strong notion of security: If the original block-cipher is a pseudo-random permutation then we get a pseudo-random permutation on the entire message (see a more quantitative statement below). The description is extracted from [9] where a framework for constructing and proving the security of pseudorandom permutations is introduced. In such a construction a pseudo-random permutation Π is defined to be the composition of three permutations: Π h 1 2 A h 1. In general, h 1 and h 1 2 are lightweight, and A is where most of the work is done. Intuitively, there are only a few bad inputs for A and the role of h 1 and h 1 2 is to filter out these inputs. The Mode Let E : {0, 1} l {0, 1} l denote an encryption permutation on l bits and let E 1 be its inverse permutation. We define an encryption permutation Π : {0, 1} b l {0, 1} b l on b blocks of l bits. In Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Research supported by a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. E-mail: naor@wisdom.weizmann.ac.il. Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Research supported by a Clore Scholars award. E-mail: reingold@wisdom.weizmann.ac.il. 1 RC5 may be considered as a counter example though there the block size is directly related to the word-size.

Input Figure 1: The Constructions of Π for b = 6. fact, Π can be defined to get an input with arbitrary number of blocks. In the definition of Π we use two non-cryptographic (but secret) permutations, h 1 and h 2, on b l bits that will be defined in the subsequent. Definition of Π : P 1, P 2,..., P b C 1, C 2..., C b (see Figure 1 for an illustration): Given b blocks of l bits P 1, P 2,..., P b as input, Π executes the following algorithm: 1. Compute (I 1, I 2..., I b ) = h 1 (P 1, P 2,..., P b ), where each I j is an l-bit string. 2. For 1 j b compute O j = E(I j ). 3. Output (C 1, C 2..., C b ) = h 1 2 (O 1, O 2,..., O b ). Inversion is just as simple: 1. Compute (O 1, O 2..., O b ) = h 2 (C 1, C 2,..., C b ), where each I j is an l-bit string. 2. For 1 j b compute I j = E 1 (O j ). 3. Output (P 1, P 2..., P b ) = h 1 1 (I 1, I 2,..., I b ). Implementing h 1 and h 2 The crucial point for the application of the mode are the requirements from h 1 and h 2 (which are formally defined in [9]). We now describe one efficient way to construct h 1 and h 2. In this 2

Figure 2: The Constructions of h 1. Each z i denotes the string u 2 (i) construction we apply the concept of ϵ-axu 2 functions originally defined by Carter and Wegman [6]; We use the terminology of Rogaway [10]: Definition 1 A distribution on {0, 1} m {0, 1} n functions H is ϵ-axu 2 if for every pair of m-bit strings x y and every z {0, 1} n where denotes bit-by-bit exclusive-or. Pr [h(x) h(y) = z] ϵ h H For constructions of ϵ-axu 2 functions see e.g. [6, 7, 8, 10, 11, 12]. We note that some of these constructions are extremely efficient (both in computation and in key-size). We are mainly interested in ϵ-axu 2 functions with domain {0, 1} m and range {0, 1} n, where m n. In this case, a very attractive construction can be based on the functions of Halevi and Krawczyk [7]. Their functions are based on an inner product with a random vector over a moderate size field. The rate their implementation achieves is a few machine cycles per word. The functions h 1 and h 2 can be implemented in the same way. Therefore, it is sufficient to concentrate on the definition of h 1. In this definition we use three ϵ -AXU 2 functions: g : {0, 1} l (b 1) {0, 1} l, u 1 : {0, 1} l {0, 1} l and u 2 : {0, 1} log b {0, 1} l 3

Definition of h 1 : x 1, x 2,..., x b y 1, y 2,..., y b (see Figure 2 for an illustration): Given b blocks of l bits x 1, x 2,..., x b, the value h 1 (x 1, x 2,..., x b ) is computed as follows: 1. Compute x b = x b g(x 1, x 2,..., x b 1 ), where denotes bit-by-bit exclusive-or. 2. Output y 1, y 2,..., y b, where for every 1 i b 1 the string y i is defined as x i u 1 (x b ) u 2(i) and y b is defined to be x b u 2(b). Inversion is also simple: 1. Compute x b = y b u 2 (b). 2. For every 1 i b 1 compute x i = y i u 1 (x b ) u 2(i). 3. Compute x b = x b g(x 1, x 2,..., x b 1 ) 4. Output x 1, x 2,..., x b. A Few Words on Efficiency Evaluating h 1 (or h 1 1 ) is essentially equivalent to one computation of g (a {0, 1}l (b 1) {0, 1} l function), one computation of u 1 (a {0, 1} l {0, 1} l function) and a few additional XOR operations per block. The values u 2 (i) are independent of the input and can therefore be computed in advance. Furthermore, computing u 2 (i + 1) from u 2 (i) can be done easily. Therefore, the dominant factor seems to be the computation of g. Using efficient constructions of ϵ-axu 2 functions from large inputs to small outputs (e.g. those of [7]), we get an efficient function h 1. Since apart from evaluating h 1 and h 1 2, computing Π consists of one invocation of E per block we get a very efficient mode of operation. An important feature of this mode is that Π is highly parallelizable. The only global operation is the computation of g (and its parallelism depends on the exact choice of g). This is obviously important for implementation on parallel machines or in hardware but also has an additional advantage: It is possible that even on a sequential machine b parallel evaluations of E would be faster than b sequential evaluations. An interesting way to amortize several (e.g., 64) evaluation of DES was proposed by Biham [4]. A Few Words on Security In [9] it is proven that if E is a pseudo-random permutation then so is Π. As noted above, this gives a strong notion of security. The only other place we are aware of that explicitly refers to the problem of constructing a pseudo-random permutation on the entire message is an unpublished work of Bellare and Rogaway [3]. They show how to convert the CBC-mode in order to get such a construction. The amount of work in their construction is comparable with two applications of the original CBC-mode (approximately twice the work of our construction). It should be noted that Π in our construction is vulnerable to a birthday attack on the size of the original block. In a sense, this is the best attack on Π. Moreover, most of the known modes of operation share this vulnerability (see [2] for the CBC-mode). More quantitatively, the best 4

advantage in distinguishing Π from a random permutation with q queries is essentially bounded by the best advantage in distinguishing E from a random permutation with q b queries plus ( ) 1 (q b) 2 2 l 1 + ϵ where ϵ = 2 l ϵ can be made as small as we wish. Therefore, in order for Π to be secure, it should be infeasible to make queries with a total number of 2 l/2 blocks. Even if the original block-size, l, is too small (e.g., l = 80) we can still use our mode in the following way: first apply a more secure transformation (see [1] for work in this direction) on E to get a permutation E on 2 blocks and then apply our construction with E instead of E. Such an application makes sense since it retains most of the simplicity and efficiency of our mode. Discussion This note describes a simple mode of operation that is pseudo-random. I.e., it achieves security in a very strong sense: if the original block-cipher hides all information on the input (apart of equality between messages) than so does the resulting block-cipher. As described above, the standard modes of operation such as ECB and CBC leak additional information on their inputs. However, there is an inherent price to pay for such strong security: For any pseudo-random permutation, no part of its output can be computed before getting the entire input. This might be a problem when encrypting long data streams (since it requires memory space which is as large as the entire message and since it introduces additional latency to the system). Nevertheless, there are other scenarios where using this mode seems both feasible and desirable. For example, when encrypting data files the whole plaintext is available beforehand. Moreover, it might be important not to give an adversary that monitors the disc any information about locations of changes in files (or about the content of these changes). An additional way of using the mode of operation proposed here is by combining it with another mode such as CBC. The idea is to use the pseudo-random mode for increasing the block-length (e.g., from 64 bits to 1000 bytes) and then to apply the CBC-mode to the resulting block-cipher. Such a combined-mode is better than the pseudo-random mode in terms of latency and storage and better than the CBC-mode in terms of the information revealed on the input. Acknowledgments We thank Ran Canetti and Shai Halevi for many helpful comments. References [1] W. Aiello and R. Venkatesan, Foiling Birthday Attacks in Length-Doubling Transformations, Advances in Cryptology - EUROCRYPT 96, Lecture Notes in Computer Science, Springer- Verlag, 1996, pp. 307-320. [2] M. Bellare, J. Kilian and P. Rogaway, The security of cipher block chaining, Advances in Cryptology - CRYPTO 94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994, pp. 341-358. 5

[3] M. Bellare and P. Rogaway, Block cipher mode of operation for secure, length-preserving encryption, manuscript. [4] E. Biham, A fast new DES implementation in software, Proc. Fast Software Encryption, Lecture Notes in Computer Science, Springer-Verlag, 1997. [5] M. Blaze, J. Feigenbaum and M. Naor, A formal treatment of remotely keyed encryption, manuscript. [6] L. Carter and M. Wegman, Universal hash functions, J. of Computer and System Sciences, vol. 18, 1979, pp. 143-154. [7] S. Halevi and H. Krawczyk, MMH: message authentication in software in the Gbit/second rates, Proc. Fast Software Encryption, Lecture Notes in Computer Science, Springer-Verlag, 1997. [8] H. Krawczyk, LFSR-based hashing and authentication, Advances in Cryptology - CRYPTO 94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994, pp. 129-139. [9] M. Naor and O. Reingold, On the construction of pseudo-random permutations: Luby-Rackoff revisited, To appear in: J. of Cryptology. Preliminary version in: Proc. 29th Ann. ACM Symp. on Theory of Computing, 1997. pp. 189-199. [10] P. Rogaway, Bucket hashing and its application to fast message authentication, Advances in Cryptology - CRYPTO 95, Lecture Notes in Computer Science, vol. 963, Springer-Verlag, 1995, pp. 74-85. [11] D. Stinson, Universal hashing and authentication codes, Designs, Codes and Cryptography, vol. 4 (1994), pp. 369-380. [12] M. Wegman and L. Carter, New hash functions and their use in authentication and set equality, J. of Computer and System Sciences, vol. 22, 1981, pp. 265-279. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback