All-Or-Nothing Encryption and the Package Transform


Ronald L. Rivest
MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, Mass. 02139
rivest@theory.lcs.mit.edu

Abstract. We present a new mode of encryption for block ciphers, which we call all-or-nothing encryption. This mode has the interesting defining property that one must decrypt the entire ciphertext before one can determine even one message block. This means that brute-force searches against all-or-nothing encryption are slowed down by a factor equal to the number of blocks in the ciphertext. We give a specific way of implementing all-or-nothing encryption using a "package transform" as a pre-processing step to an ordinary encryption mode. A package transform followed by ordinary codebook encryption also has the interesting property that it is very efficiently implemented in parallel. All-or-nothing encryption can also provide protection against chosen-plaintext and related-message attacks.

1 Introduction

One way in which a cryptosystem may be attacked is by brute-force search: an adversary tries decrypting an intercepted ciphertext with all possible keys until the plaintext "makes sense" or until it matches a known target plaintext. Our primary motivation is to devise means to make brute-force search more difficult, by appropriately pre-processing a message before encrypting it.

In this paper, we assume that the cipher under discussion is a block cipher with fixed-length input/output blocks, although our remarks generalize to other kinds of ciphers. An "encryption mode" is used to extend the encryption function to arbitrary-length messages (see, for example, Schneier [9] and Biham [3]).

In general, the work required to search for an unknown $k$-bit key to a known block cipher is $2^k$ in the worst case, or $2^{k-1}$ on the average. Here and throughout this paper we measure the work by the number of elementary decryptions attempted, where an elementary decryption is a decryption of one block of ciphertext. For example, in the electronic codebook encryption mode, the adversary needs to decrypt only the first block of ciphertext to obtain the first block of plaintext; this is usually sufficient to identify the correct key. If not, the second block can be decrypted as well.

Sometimes the size of the key space for one's encryption algorithm is fixed, marginal, and can't be improved. For example, one can argue that a 56-bit DES key is marginal (see Blaze et al.). Or one may be encumbered by export regulations that restrict one to a 40-bit secret key.

The question posed here is: is there any way to significantly increase the difficulty for an adversary of performing a brute-force search, while keeping the key size the same and not overly burdening the legitimate communicants? We show that the answer to the question is "yes".

2 Strongly non-separable encryption

The problem with most popular encryption modes is that the adversary can obtain one block of plaintext by decrypting just one block of ciphertext. We illustrate this point with cipher-block chaining (CBC) mode. Let the $s$ blocks of the message be denoted $m_1, m_2, \ldots, m_s$. The CBC mode utilizes an initialization vector $IV$ and a key $K$. The algorithm produces as output ciphertext blocks $c_i$ for $i = 1, \ldots, s+1$, where

$$c_1 = IV$$
$$c_{i+1} = E(K, c_i \oplus m_i) \quad \text{for } i = 1, \ldots, s.$$

Thus

$$m_i = c_i \oplus D(K, c_{i+1}) \quad \text{for } i = 1, \ldots, s,$$

and so any one of the $s$ message blocks can be obtained with the decryption of just one ciphertext block. This makes the adversary's key-search problem relatively easy, since decrypting a single ciphertext block is generally enough to test a candidate key.

Let us say that an encryption mode for a block cipher is separable if it has the property that an adversary can determine one block of plaintext by decrypting just one block of ciphertext. Thus, CBC mode is separable.

We wish to design non-separable encryption modes. More precisely, we wish to design strongly non-separable modes, defined as follows.

Definition 1. Suppose that a block cipher encryption mode transforms a sequence $m_1, m_2, \ldots, m_s$ of $s$ message blocks into a sequence $c_1, c_2, \ldots, c_t$ of $t$ ciphertext blocks, for some $t$, $t \ge s$. We say that the encryption mode is strongly non-separable if it is infeasible to determine even one message block $m_i$ (or any property of a particular message block $m_i$) without decrypting all $t$ ciphertext blocks.

3 All-or-nothing transforms

We propose to achieve strongly non-separable modes as follows:

- Transform the message sequence $m_1, m_2, \ldots, m_s$ into a "pseudo-message" sequence $m'_1, m'_2, \ldots, m'_{s'}$ (for some $s' \ge s$) with an "all-or-nothing transform", and
- Encrypt the pseudo-message with an ordinary encryption mode (e.g. codebook mode) with the given cryptographic key $K$ to obtain the ciphertext sequence $c_1, c_2, \ldots, c_t$.

We call encryption modes of this type "all-or-nothing encryption modes". A specific instance of this mode would be "all-or-nothing codebook mode" when the encryption mode used is codebook mode, or "all-or-nothing CBC mode", etc.

To make this work, the all-or-nothing transform has to have certain properties.

Definition 2. A transformation $f$ mapping a message sequence $m_1, m_2, \ldots, m_s$ into a pseudo-message sequence $m'_1, m'_2, \ldots, m'_{s'}$ is said to be an all-or-nothing transform if

- the transformation $f$ is reversible: given the pseudo-message sequence, one can obtain the original message sequence;
- both the transformation $f$ and its inverse are efficiently computable (that is, computable in polynomial time); and
- it is computationally infeasible to compute any function of any message block if any one of the pseudo-message blocks is unknown.

We note that an all-or-nothing transformation must really be randomized, so that a chosen or known message attack does not yield a known pseudo-message, and so that a deterministic function which computes the first pseudo-message block is not available as a function to contradict the last requirement above.

We note that the all-or-nothing transformation is not itself "encryption", since it makes no use of any secret key information. It is merely an invertible pre-processing step that has certain interesting properties. The actual encryption in an all-or-nothing encryption mode is the operation that encrypts the pseudo-message resulting from the all-or-nothing transform. An all-or-nothing transform is a fixed public transform that anyone can perform on the message to obtain the pseudo-message, or invert given the pseudo-message to obtain the message.

Theorem 1. An all-or-nothing encryption mode is strongly non-separable.

Proof. We assume that the underlying encryption mode is such that all ciphertext blocks must be decrypted in order to obtain all pseudo-message blocks. (If this were not the case, the encryption mode would not be efficient, and a more efficient "reduced" mode could be derived from it.) Thus all ciphertext blocks must be decrypted in order to determine any property of any message block. □

4 The package transform

The all-or-nothing scheme we propose here, the "package transform", is quite efficient, particularly when the message is long: the cost of an all-or-nothing transform is approximately twice the cost of the actual encryption. We shall also see that all-or-nothing encryption admits fast parallel implementations.

The legitimate communicants thus pay a penalty of approximately a factor of three in the time it takes them to encrypt or decrypt in all-or-nothing mode, compared to an ordinary separable encryption mode. However, an adversary attempting a brute-force attack pays a penalty of a factor of $t$, where $t$ is the number of blocks in the ciphertext.

As an example, if I send you an eight-megabyte message encrypted in all-or-nothing CBC mode with a 56-bit DES key, the adversary must decrypt the entire eight-megabyte file in order to test a single candidate 56-bit key. This expands the work factor by a factor of one million compared to breaking ordinary CBC mode. Since one million is approximately $2^{20}$, to the adversary this feels like having to break a 76-bit key instead of a 56-bit key. Using this scheme it can clearly be advantageous for the communicants to pad the message with random data, as it makes the adversary's job harder.

We propose here a particular all-or-nothing transform, which we call the "package transform". We note that while it uses a block cipher itself as a primitive, no secret keys are used. Instead, a randomly chosen key is used, and this key can be easily determined from the pseudo-message sequence. The block cipher used in the package transform need not be the same as the block cipher used to encipher the pseudo-message (the package transform output), although it may be. If it is the same encryption algorithm, note that we assume below that the key space for the package transform block cipher is sufficiently large that brute-force search is infeasible, while the motivation for the use of an all-or-nothing encryption mode was that the key space for the outer encryption algorithm was marginal. This situation can arise for variable-key-length block ciphers such as RC5.

For concreteness, the reader may imagine that we are working with RC5 for both the package transform encryption algorithm and the outer encryption algorithm, with 64-bit input/output blocks, a package-transform key of the same size as a block, and a 40-bit key for the outer encryption transform.

For this exposition, then, we assume that the key size of the package transform block cipher is the same as its block size; this assumption can easily be removed, and is made here only for convenience in exposition. We also assume that the key space for the package transform block cipher is sufficiently large that brute-force searching for a key is infeasible. The scheme also uses a fixed, publicly-known
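The following Python is an added example, not code from the paper. It serves two passages above: the CBC separability argument of Section 2 (one elementary decryption yields one plaintext block) and the all-or-nothing CBC mode of Sections 3 and 4. The excerpt on this page stops before the package transform is actually defined; the formulas used here (m'_i = m_i XOR E(K', i) for a random key K', plus one extra block K' XOR h_1 XOR ... XOR h_s with h_i = E(K0, m'_i XOR i) under a fixed public key K0) are the construction from Rivest's full paper, so check them against it. The toy 4-round Feistel cipher standing in for DES or RC5, the value of K0, the sample message, key and IV are all assumptions made so the example runs with the standard library alone; the counter of elementary decryptions is the paper's own unit of attacker work.

```python
"""Separable CBC versus all-or-nothing CBC over a toy 64-bit block cipher.
Added example: the block cipher, the public key K0 and the sample message are
assumptions; the package-transform formulas follow Rivest's full paper."""
import hashlib
import os

BLOCK = 8                   # 64-bit blocks, as in the paper's DES/RC5 examples
K0 = b"\x00" * BLOCK        # fixed, publicly known package-transform key (assumed value)
STATS = {"decryptions": 0}  # elementary decryptions: the paper's unit of attacker work


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed Feistel round function: truncated SHA-256 over (key, round, half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l  # undo the last swap, so the same loop run backwards inverts it

def encrypt(key: bytes, block: bytes) -> bytes:
    """E(K, x): toy 4-round Feistel cipher standing in for DES or RC5."""
    return _feistel(key, block, range(4))

def decrypt(key: bytes, block: bytes) -> bytes:
    """D(K, y): one elementary decryption (counted)."""
    STATS["decryptions"] += 1
    return _feistel(key, block, reversed(range(4)))

def _idx(i: int) -> bytes:
    return i.to_bytes(BLOCK, "big")


# CBC as written in the paper: c_1 = IV, c_{i+1} = E(K, c_i XOR m_i).
def cbc_encrypt(key: bytes, iv: bytes, msg: list) -> list:
    c = [iv]
    for m in msg:
        c.append(encrypt(key, _xor(c[-1], m)))
    return c

def cbc_recover_block(key: bytes, c: list, i: int) -> bytes:
    """Separability: m_i = c_i XOR D(K, c_{i+1}) costs one decryption (i is 1-based)."""
    return _xor(c[i - 1], decrypt(key, c[i]))


# Package transform: m'_i = m_i XOR E(K', i) for a random K', then one extra block
# m'_{s+1} = K' XOR h_1 XOR ... XOR h_s with h_i = E(K0, m'_i XOR i), so K' (and
# hence every m_i) is recoverable only once every pseudo-message block is known.
def _hash_blocks(body: list) -> bytes:
    h = bytes(BLOCK)
    for i, mp in enumerate(body, 1):
        h = _xor(h, encrypt(K0, _xor(mp, _idx(i))))
    return h

def package(msg: list, kprime: bytes) -> list:
    pseudo = [_xor(m, encrypt(kprime, _idx(i))) for i, m in enumerate(msg, 1)]
    pseudo.append(_xor(kprime, _hash_blocks(pseudo)))
    return pseudo

def unpackage(pseudo: list) -> list:
    body, last = pseudo[:-1], pseudo[-1]
    kprime = _xor(last, _hash_blocks(body))
    return [_xor(mp, encrypt(kprime, _idx(i))) for i, mp in enumerate(body, 1)]


# All-or-nothing CBC mode: package first, then ordinary CBC with the real key.
def aon_cbc_encrypt(key: bytes, iv: bytes, msg: list) -> list:
    return cbc_encrypt(key, iv, package(msg, os.urandom(BLOCK)))

def aon_cbc_decrypt(key: bytes, c: list) -> list:
    return unpackage([cbc_recover_block(key, c, i) for i in range(1, len(c))])

def decryptions_for_first_block(key: bytes, iv: bytes, msg: list, aon: bool) -> int:
    """Elementary decryptions spent to learn m_1 under one candidate key."""
    c = aon_cbc_encrypt(key, iv, msg) if aon else cbc_encrypt(key, iv, msg)
    STATS["decryptions"] = 0
    m1 = aon_cbc_decrypt(key, c)[0] if aon else cbc_recover_block(key, c, 1)
    assert m1 == msg[0]
    return STATS["decryptions"]

def blocks_surviving_one_missing_pseudo_block(msg: list, missing: int) -> int:
    """All-or-nothing check: zero one pseudo-message block (unknown to the attacker)
    and count how many original message blocks the inverse transform still yields."""
    pseudo = package(msg, os.urandom(BLOCK))
    pseudo[missing] = bytes(BLOCK)
    return sum(a == b for a, b in zip(unpackage(pseudo), msg))


# Constructed sample input: four 8-byte message blocks, a key and an IV.
MSG = [b"attack a", b"t dawn!!", b"--signed", b"--alice."]
KEY, IV = b"\x01" * BLOCK, b"\x02" * BLOCK

if __name__ == "__main__":
    print("CBC, decryptions to learn m_1:    ", decryptions_for_first_block(KEY, IV, MSG, False))
    print("AON-CBC, decryptions to learn m_1:", decryptions_for_first_block(KEY, IV, MSG, True))
    print("blocks recovered with one pseudo-message block missing:",
          blocks_surviving_one_missing_pseudo_block(MSG, 2))
```

Run as a script, the first figure is 1 and the second is s+1 (every pseudo-message block, including the extra one carrying K', has to be decrypted before the transform can be inverted), which is the factor-of-t slowdown the paper claims for a key-search adversary; the third figure is 0, because losing any single pseudo-message block leaves K' unrecoverable and turns every message block into noise. The toy cipher is for illustration only; the package transform's strength rests on the block cipher under K0 and K' being a good pseudorandom permutation, so a real deployment would use a real cipher there.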