Symmetric Encryption. Adam O Neill based on

Similar documents
SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography

Symmetric Encryption

Modern Cryptography Lecture 4

Block ciphers And modes of operation. Table of contents

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

ASYMMETRIC ENCRYPTION

Lecture 9 - Symmetric Encryption

CPA-Security. Definition: A private-key encryption scheme

Lecture 5, CPA Secure Encryption from PRFs

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

CTR mode of operation

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Lectures 2+3: Provable Security

Notes on Property-Preserving Encryption

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Chapter 2. A Look Back. 2.1 Substitution ciphers

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Introduction to Cybersecurity Cryptography (Part 4)

BLOCK CIPHERS KEY-RECOVERY SECURITY

Chapter 2 : Perfectly-Secret Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 5: Pseudorandom functions from pseudorandom generators

2 Message authentication codes (MACs)

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Modern symmetric-key Encryption

Lecture 7: CPA Security, MACs, OWFs

Cryptography 2017 Lecture 2

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Chapter 11. Asymmetric Encryption Asymmetric encryption schemes

Solution of Exercise Sheet 7

A block cipher enciphers each block with the same key.

Dan Boneh. Stream ciphers. The One Time Pad

1 Indistinguishability for multiple encryptions

ECS 189A Final Cryptography Spring 2011

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Identity-based encryption

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Computational security & Private key encryption

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Provable security. Michel Abdalla

III. Pseudorandom functions & encryption

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Foundations of Network and Computer Security

Semantic Security of RSA. Semantic Security

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Provable Security in Symmetric Key Cryptography

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation.

8 Security against Chosen Plaintext

Contents 1 Introduction 1 2 Re-keying processes as pseudorandom generators 3 3 Generalization: Tree-based re-keying Construction

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Computer Science A Cryptography and Data Security. Claude Crépeau

Chosen Plaintext Attacks (CPA)

CLASSICAL ENCRYPTION. Mihir Bellare UCSD 1

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Block Ciphers/Pseudorandom Permutations

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

El Gamal A DDH based encryption scheme. Table of contents

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Scribe for Lecture #5

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lecture 10 - MAC s continued, hash & MAC

A Pseudo-Random Encryption Mode

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Searchable encryption & Anonymous encryption

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Topics. Probability Theory. Perfect Secrecy. Information Theory

Digital Signatures. Adam O Neill based on

Perfectly-Secret Encryption

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Lecture 12: Block ciphers

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Leftovers from Lecture 3

Message Authentication. Adam O Neill Based on

Chapter 11 : Private-Key Encryption

Lecture Notes. Advanced Discrete Structures COT S

Lecture 1: Introduction to Public key cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Hierarchical identity-based encryption

Transcription:

Symmetric Encryption Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/

Syntax Eat $ 1 k7 - draw } randomised t ~ m T# c- Do m or Hateful distinguishes from ywckcipter

- Correctness Pr [ NCK, Eck,M))=M]=1 fm in the message space where the probability is orer,. K # K and the Coins of { if any.

Modes of Operation E : {0, 1} k {0, 1} n! {0, 1}` a family of functions Usually a block cipher, in which case ` = n. Notation: x[i] is the i-th block of a string x, so that x = x[1]...x[m]. Length of blocks varies. Always: Alg K K $ {0, 1} k return K

Modes of Operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks?

- x[ XID... x[ on ) ECB I Ee d Et t d Electronic code book mode Cfl ] CENT Algorithm E ( k Ecb, x ) Algorikm Dabck,c ) let =xti ]. For it Eklxi m ] let EZD. 1 to m do : For i. - In 1 to m do : ] ei ) xitetlcd Let c=c[ is. ) let x=xfd. - In ] - ctn return C return X

Security of ECB leaks input equality!

Security of ECB Suppose we know that there are only two possible messages, Y =1 n and N =0 n,forexamplerepresenting FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) =E K (M). M E K C

Voting with ECB Voters *did IIIIIIIO. "

Is this avoidable? Let SE =(K, E, D) beany encryption scheme. Suppose M 1, M 2 2 {Y, N} and Sender sends ciphertexts C 1 E K (M 1 )andc 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work?

Randomized Encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back di erent answers. That is, if M 1 = M 2 and we let C 1 $ E K (M 1 ) and C 2 $ E K (M 2 ) then Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E.

Randomized Encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of di erent possible ciphertexts.

CBLCTR Cipher. CBC$ block Chaining mode SE =(K, E, D) where: Alg E K (M) µ Called initial :ztn C[0] {0, 1} n for i =1,...,m do vector Eu ) C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i =1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher.

Voting with CBC$ Voters # tally =) m9e IIon Pink Ek(. Votenotwn : vote, of IV ) Ecrocsilkyoten 5 ) F. ( )

Towards a Definition We see CBC$ is better than ECB in some sense. But is it secure? What does secure mean here?

Security Requirements Suppose sender computes Adversary A has C 1,...,C q C 1 $ E K (M 1 ); ; C q $ E K (M q ) What if A Retrieves K Retrieves M 1 Bad! Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1, M 2? Something we won t hide: the length of the message

What we seek A master property that

What we seek A master property that Can be easily specified

What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure

What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext

What we seek A master property that Can be easily specified Allows us to evaluate whether a scheme is secure Implies a ciphertext reveals NO partial information about plaintext In the case of a blockcipher the master property was PRF-security. Here it is different because encryption should be randomized

Intuition The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either M 1 0,...,M q 0 or lmiklmilti M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted.

In distinguish ability under chosen - plaintext attack IND-CPA Games Let SE =(K, E, D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0, M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities h i Pr Left A SE)1 Pr h i Right A SE)1 that A outputs 1 in each world. The (ind-cpa) advantage of A is h i h i Adv ind-cpa SE (A) =Pr Right A SE)1 Pr Left A SE)1

Measure of Success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0(orapple0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage.

in IND-CPA security of ECB Adversary ACRC.,. ) M. Met Il ol C LRLM,µ., ) - In LEFT ret LRCM.,m ) C '. RIGHT at It kcmo ) ' ret 0 Even, ) I Else ret.tn#=prtribtteaast7h-prett.t.aenf c=c Added

Right Game Analysis Ctapffmbttteni. A=1. Proof Since Mo # M, and EK is determinate we have Ctd. A returns 1$

Left Game Analysis Claim. PELEFTEAA, 17 IO Proof Analogous.

Conclusion Adviencdjon (a) = 1-0=1 GCB is not IWD - CPA secure!

Any deterministic scheme is not IND-CPA The theorem generalizes to show that the same adversary breaks enc scheme ( any deterministic meaning E is deterministic & Stateless )

CTR$ CM - C Let E: {0, 1} k {0, 1} n! {0, 1}` be a family of functions. If X 2 {0, 1} n and i 2 N then X + i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Below the message is a sequence of `-bit blocks: Alg E K (M) C[0] $ {0, 1} n for i =1,...,m do P[i] E K (C[0] + i) C[i] P[i] M[i] return C Alg D K (C) for i =1,...,m do P[i] E K (C[0] + i) M[i] P[i] C[i] return M Gnline - offline * parwlli table

Birthday Attack on CTR$ Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0, M 1 are encrypted: C 0 [0]C 0 [1] $ E(K, M 0 ) C 1 [0]C 1 [1] $ E(K, M 1 ) E f Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA.

- The Adversary Let 1 apple q < 2 n be a parameter and let hii be integer i encoded as an `-bit string. adversary A Birthday Of query q for i =1,...,q do C i [0]C i [1] $ LR(hii, h0i) S {(j, t): C j [0] = C t [0] and j < t} If S 6= ;, then (j, t) $ S If C j [1] = C t [1] then return 1 return 0 birthday adversary attack µ±fpr[rioheaigm D Preening' D Want to know Adviundrjem ( Aida " ) zoisod zl

Then Left Game Analysis Ayr ' Prf letters Abadan If = O. Proof Two cases : Case 1. S=f$. CIED ot Cj > A city # ( Since Cite ]=ct 'Ll ] and j t. Case 2 = 5=4. A always oupits O. So in either case A outputs O

i Right Game Analysis Claim Pr[Rl6HEAm $M ] } - o.3q proof If s # then we have Cs 'Ll ]=@' Cozy ) goal ettoftlsool =< since C 's 'LoT=ctZo ].

Conclusion Adrien :P " CAbi., ) I G 3

Security `of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most where 2(q 1) 2 n is the total number of blocks across all messages encrypted. Example: If q 1-block messages are encrypted then advantage is not more than 2q 2 /2 n. = q so the adversary For E = AES this means up to about 2 64 blocks may be securely encrypted, which is good.

The Theorem Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1}` be a family of functions and SE =(K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 1) E (B)+2(q 2 n - Furthermore, B makes at most oracle queries and has running time t + ( (n + `)). birthday.

Intuition. : replace E thought with random function wl same domain and Runge Now LR, if the adversary is lucky - queries such that Cito ]=ete @ and makes then it can gain advantage. Otherwise we are encrypting with a )one-tinepad]

Interval Intersection Let N, q, m 1 be integers and let Z N = {0, 1,...,N 1}. Let+be addition modulo N. Consider the game For i =1,...,q do c $ i Z N ;. I i {c i +1,...,c i + m} For 1 apple i < j apple q define the events Then let Pvt Av B) I PREAI + PRIB) B i,j : S i \ S j 6= ; and B : W 1applei<jappleq B i,j. IIP(N, q, m) =Pr[B].. Problem: Upper bound IIP(N, q, m) as a function of N, q, m.

. i Interval Intersection Claim: IIP(N, q, m) apple q(q 1) 2 (2m 1) N proof. Pr[ apple apple B ] s RIBI, ;) = (E) PIB ; ;] and PVLBI, ;] = PRICE { ci - MH,.., Citm } = Zm PRTB ) e- 9k Kmt

Advantage Revisited Let SE =(K, E, D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K ; b $ {0, 1} Proposition: Adv ind-cpa SE (A) =2 Pr procedure LR(M 0, M 1 ) return C $ E K (M b ) procedure Finalize(b 0 ) return (b = b 0 ) h i Guess A SE)true 1. h i

Game Chain Game G 0 procedure LR(M 0, M 1 ) Game G 1 procedure LR(M 0, M 1 ) C[0] {0, 1} n C[0] {0, 1} n Code for i =1,...,m do I ] for i =1,...,m do P C[0] + i P C[0] + i if P 62 S then T[P] E K (P) if P /2 S then T[P] $ {0, 1}` C[i] T [P] M b [i] C[i] T[P] M b [i] S S [ {P} S S [ {P} return C return C { no o } Then Adv ind-cpa SE (A) =2 Pr h G A 0 i 1

Claims Clearly Pr[G A 0 ]=Pr[G A 1 ]+ Pr[G A 0 ] Pr[G A 1 ]. Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] apple 1 2 Pr[G A 0 ] + (q 1) 2 n Pr[G A 1 ] apple Adv prf E (B) }

Proof of Claim 1 Adversary BFNC. bets { o( 19 Run A ) when A makes ER every no, m, Code ITIP ] FNCP ) ] tf A outputs b then net. 1

Proof of Claim 2

Games Con t Game G 1 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i If P /2 S then T[P] $ {0, 1}` C[i] T[P] M b [i] S return C S [ {P} Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[i] C[0] + i $ {0, 1}` If P 2 S then bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i] S return C S [ {P} Pr[G A 1 ]=Pr[G A 2 ]=Pr[G A 3 ]+ Pr[G2 A ] Pr[G3 A ]

Using fundamental lemma Game G 2, G 3 procedure LR(M 0, M 1 ) C[0] $ {0, 1} n for i =1,...,m do P C[0] + i; C[i] If P 2 S then $ {0, 1}` bad true ; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S [ {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies h i h i h i Pr G2 A Pr G3 A apple Pr G3 A sets bad.

Completing the Proof

Security of CBC$ Theorem: [BDJR97] Let E : {0, 1} k {0, 1} n! {0, 1} n be a block cipher and SE =(K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, the messages across them totaling at most blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) apple 2 Adv prf 2 E (B)+ 2 n Furthermore, B makes at most t + ( n). oracle queries and has running time

Padding The TLS 1.0 protocol defines the following padding function for encrypting a v-byte message with AES in CBC mode: let p := 16 (v mod 16), then append p bytes to the message m where the content of each byte is value p 1. For example, consider the following two cases: if m is 29 bytes long then p = 3 and the pad consists of the three bytes 222 so that the padded message is 32 bytes long which is exactly two AES blocks. if the length of m is a multiple of the block size, say 32 bytes, then p = 16 and the pad consists of 16 bytes. The padded message is then 48 bytes long which is three AES blocks.

Revocable Broadcast k 15 k 13 k 14 k 9 k 10 k 11 k 12 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 Figure 5.5: The tree of keys for n = 8 devices; shaded nodes are the keys embedded in device 3.

8 >< 9 >= >: >; Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. Let S {1,...,n} be a set of leaves. We say that a set of nodes W {1,...,2n 1} covers the set S if every leaf in S is a descendant of some node in W, and leaves outside of S are not. We use cover(s) to denote the smallest set of nodes that covers S. { } Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every 1 apple r apple n, and every set S of n r leaves, we have cover(s) apple r log 2 (n/r)

Broadcast Encryption movies on a stateless standalone movie player, that has no network connection. The studios are worried about piracy, and do not want to send copyrighted digital content in the clear to millions of users. A simple solution could work as follows. Every authorized manufacturer is given a device key k d 2 K, and it embeds this key in every device that it sells. If there are a hundred authorized device manufacturers, then there are a hundred device keys k (1) d,...,k(100) d.a movie m is encrypted as: c m := 8 >< >: k R K for i =1,...,100 : c i R c R E 0 (k, m) output (c 1,...,c 100, c) E(k (i) d, k) 9 >= 0 0 K >;

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback