Security of Symmetric Encryption against Mass Surveillance

Gihyuk Ko Carnegie Mellon University

slides from Kyle Soska Today’s Lecture

• Consider new type of adversary in the form of a ‘Big Brother’ that wants to perform surveillance at a large scale

• Discuss constructions that could be used by a ‘Big Brother’ for symmetric encryption

• Discuss mitigations and solutions against these constructions Traditional Adversary Model

Alice Bob

ENC(K, M) DEC(K, C)

DEC(K, C’) ENC(K, M’) Example: IND-CPA

퐸푛푐 푘, 푚0 b = 0

(푚0, 푚1) 푛 b ←푅 {0, 1}, k ←푅 0, 1

퐸푛푐(푘, 푚푏)

퐸푛푐 푘, 푚1 b = 1

퐴푑푣 퐴 = Pr 퐴 퐸푛푐 푘, 푚0 = 1 − Pr 퐴 퐸푛푐 푘, 푚1 = 1 Example: Secure PRNG

• Ideal: Sequence of truly random bits • Actual: Pseudorandom sequence of bits Random b = 0

푛 01001110101…. b ←푅 {0, 1}, k ←푅 0, 1

퐺(푘) b = 1 퐴푑푣 퐴 = Pr 퐴 퐺 푘 = 1 − Pr 퐴 푟 = 1 Traditional Adversary Model

Bob

ENC(K, M) DEC(K, C)

DEC(K, C’) ENC(K, M’) Terrorism Adversary Model

Potential Terrorist Or Criminal

DEC(K, C)

ENC(K, M’)

ENC(K, M)

DEC(K, C’) Potential Terrorist Or Criminal

DEC(K, C)

ENC(K, M’) Terrorism and Large Internet Companies Terrorism Adversary Model Potential Terrorist Or Criminal

DEC(K, C)

ENC(K, M’)

ENC(K, M)

DEC(K, C’) Potential Terrorist Or Criminal

DEC(K, C) I would like to eavesdrop in order to prevent terrorism and other crime ENC(K, M’) Spying Government Adversary Model Alice

DEC(K, C)

ENC(K, M’)

ENC(K, M)

DEC(K, C’) Bob

DEC(K, C) All your privacy are belong to us ENC(K, M’) Spying Government Best of Both Worlds Potential Terrorist Or Criminal

DEC(K, C)

ENC(K, M’)

ENC(K, M)

DEC(K, C’) Potential Terrorist Or Criminal

DEC(K, C)

I will always do the ‘right’ thing ENC(K, M’) The Rest of the Lecture

• How could a company allow a third party such as the government to eavesdrop in an undetectable way?

• What can we as users do to prevent such things from happening? Goals - Informal

• Big Brother (푩) • Wants to eavesdrop on communication • Does not want its eavesdropping to be detected

• Users (푼) • Wants to detect when eavesdropping is taking place • Want to prevent eavesdropping from taking place Recall CBC Encryption

M1 M2 M3

IV ⊕ ⊕ ⊕

퐸푛푐퐾 퐸푛푐퐾 퐸푛푐퐾

C1 C2 C3 Recall CBC Decryption

C1 C2 C3

퐷푒푐퐾 퐷푒푐퐾 퐷푒푐푘

IV ⊕ ⊕ ⊕

M1 M2 M3 Encryption Schemes More Formally

• Π = (퐾, 퐸, 퐷) • 풦 = 0, 1 푘 the keyspace • 퐾: Secret symmetric key • 푀: Message • 퐴: Associated Data (Supplementary information such as padding) • 휎: state (ex. A counter for CBC counter mode)

• 퐸 is a possibly randomized encryption routine such that 퐶, 휎′ ← 퐸(퐾, 푀, 퐴, 휎)

• 퐷 is a deterministic decryption routine such that 푀, 휎′ ← 퐷(퐾, 퐶, 퐴, 휎) How to subvert Π?

• Transfer all symmetric keys 퐾 to 퐵 • Keys would be observed by an eavesdropper and surveillance would be detected

• If the company ever wanted to stop sending keys to 퐵, then 퐵 would no longer be able to eavesdrop Spying Government Adversary Model Alice

DEC(K, C)

ENC(K, M) ENC(K, M’)

DEC(K, C’) Bob

Client keys = {퐾1, K2, … } DEC(K, C)

ENC(K, M’) How to backdoor Π?

• Transfer all symmetric keys 퐾 to 퐵 • Keys would be observed by an eavesdropper and surveillance would be detected

• Transfer all symmetric keys encrypted under key 퐾′ • Still high bandwidth communication channel between company and surveillance body, suspicious Spying Government Adversary Model Alice

DEC(K, C)

ENC(K, M) ENC(K, M’)

DEC(K, C’) Bob

Client keys = EncK′ 퐾1, K2, … DEC(K, C)

Something is ENC(K, M’) fishy…. Algorithm Substitution Attack (ASA)

• Suppose the servers replaced their implementation of encryption scheme Π with a modified version Π′

• Π′ could be specially designed to leak information about the messages or secret keys to an eavesdropper who holds secret information 퐾′ • Eavesdroppers that do not know this secret information would not be able to learn the messages or 퐾

• The server’s implementation of Π is a black box from the point of view of a regular user

• Π′ has all the information Π has as well as a key 퐾′ called the escrow key or big-brother key, and possibly more state How to backdoor Π?

• Derive a modified Π′ from Π, what properties must Π′ have?

Decryptability (Informal) • The modified 훱′ = (퐾′, 퐸′, 퐷′) must produce encryptions that are correctly decrypted by the unmodified Π = (퐾, 퐸, 퐷)

Decryptability (Formal) • Π′ = (퐾′, 퐸′, 퐷′) satisfies decryptability relative to Π = (퐾, 퐸, 퐷) if (퐾′, 퐾, 퐸′, 퐷′) is a correct encryption scheme where 퐷′ is defined by 퐷′ 퐾′, 퐾 , 퐶, 퐴, 휎 = 퐷(퐾, 퐶, 퐴, 휎) If decryptability does not hold Alice ??? This decryption makes no sense! DEC(K, C)

ENC’(K’, K, M) ENC(K, M’)

DEC’(K’, K, C’) Bob ??? This decryption Shared 퐾′ makes no sense! DEC(K, C)

DEC’(K’, C) ENC(K, M’) How to backdoor Π?

• Derive a modified Π′ from Π, what properties must Π′ have?

Decryptability (Informal) • The modified 훱′ = (퐾′, 퐸′, 퐷′) must produce encryptions that are correctly decrypted by the unmodified Π = (퐾, 퐸, 퐷) Decryptability (Formal) • Π′ = (퐾′, 퐸′, 퐷′) satisfies decryptability relative to Π = (퐾, 퐸, 퐷) if (퐾′, 퐾, 퐸′, 퐷′) is a correct encryption scheme where 퐷′ is defined by 퐷′ 퐾′, 퐾 , 퐶, 퐴, 휎 = 퐷(퐾, 퐶, 퐴, 휎)

• Needs to ‘look like’ a regular ciphertext, can’t have anything abnormal such as ciphertexts always start with a ‘0’ If ciphertexts are distinguishable Alice

DEC(K, C)

ENC(K’, K, M) ENC(K, M’)

DEC(K’, K, C’) Bob

Shared 퐾′ Every ciphertext DEC(K, C) from server starts DEC’(K’, C) with 0, something is ENC(K, M’) fishy…. Detection Game

• Can a user with secret key 퐾 tell the difference between encryptions with 퐸 and 퐸′?

Π → 퐸(푚) b = 0 K

푛 푚 b ←푅 {0, 1}, K’ ←푅 0, 1 , K 퐶 User 푈 Π′ → 퐸′(푚) b = 1

퐴푑푣 푈 = Pr 푈 퐾, 퐸′ 푚 = 1 − Pr 푈 퐾, 퐸 푚 = 1 Surveillance Game

• Can Big brother with escrow key 퐾′ tell the difference between 퐸 and 퐸′?

Π → 퐸(푚) b = 0 K’

푛 푚 b ←푅 {0, 1}, K ←푅 0, 1 , K’ 퐶

Big Brother 퐵 Π′ → 퐸′(푚) b = 1

퐴푑푣 퐵 = Pr 퐵 퐾′, 퐸′ 푚 = 1 − Pr 퐵 퐾′, 퐸 푚 = 1 Additional Comments

• Practically, Big Brother would want to be able to do more than simply distinguish encryptions from 퐸 and 퐸′ with non-negligible probability • We will be looking at schemes that allow Big Brother to either completely learn each message, or learn the session key so that he can decrypt each message with advantage nearly 1 • Big brother wants to win surveillance game with advantage 1 and for users to win detection game with negligible probability • Users want to win detection game with advantage 1, and for big brother to win surveillance game with negligible probability IV Replacement Attacks

• Lots of encryption schemes flip coins (generate random information) • Turing machine with a random tape

• Idea: when Π′ needs to generate random information, it will instead select the values specifically for the purpose of leaking information • Nonces • Initialization Vectors (IV) • Variable Length Padding

• Can a user detect this type of attack?

• Let 푋 be some efficient algorithm that extracts 퐼푉 ← 푋(퐶) from ciphertext 퐶, if such an algorithm exists then the 퐼푉 is said to be ‘surfaced’ or the encryption scheme ‘surfaces’ its 퐼푉 Stateful IV Attack

M1 M2 M3

푘 IV = ←푅 0, 1

IV = 퐸푛푐퐾′(퐾) ⊕ ⊕ ⊕

퐸푛푐퐾 퐸푛푐퐾 퐸푛푐퐾

C1 C2 C3 An Example Problem – part (a)

• Question Suppose for all messages m and keys k, |E(m,k)| = |m|, that is, the size of the encryption of m (in bits) is the same as the size of m. Argue that (E,D) cannot be CPA-secure.

• Answer • Domain and Range of the encryption is the same: it has to be deterministic! • Deterministic encryption cannot be secure against CPA adversary! Fixed IV attack

Question

• Can we just set a fixed IV = 퐸푛푐퐾′(퐾) for every message? What is the problem with this scheme?

Answer • IV will always be the same, this is easily detectable by a user!

• How can we modify this to make the attack work? Stateful IV Attack

• 푬′ 푲′, 퐊, 퐌, 퐀, 흈 Algorithm: • Let 휎 be a counter initialized to 0

• If 휎 = 0 then 퐼푉 ← 퐸푛푐퐾′ 퐾 푘 • Else 퐼푉 ←푅 0, 1 • 퐶 = 퐸퐾 푀, 퐴, 퐼푉 • 휎 = 휎 + 1; Return 퐶

• 푫′ 푲′, 푪, 푨 Algorithm (푪 is an indexed array of ciphertexts): • 퐼푉 ← 푋 퐶 1

• 퐾 ← 퐷푒푐퐾′(퐼푉) • 푀 1 ← 퐷퐾 퐶 1 , 퐴 1 • Return 푀 Stateful IV Attack Alice

퐶 = 퐸퐾′ 퐾 ||퐸퐾 푀 DEC(K, C)

ENC(K, M’)

ENC(K’, K, M)

DEC(K’, K, C’) Bob

Shared 퐾′ DEC(K, C)

DEC’(K’, C) ENC(K, M’) Attack Against Stateful IV Attack

• State reset attack • If the state could get reset to 휎 = 0 then the IV would repeat, highly unlikely to happen if the IV is truly random or pseudorandom

• Solution • Use a probabilistic / combinatorial version of Π instead of a stateful version of Π Stateless IV Attack

• The intuition is that we will randomly select a single bit of the Key 퐾 and leak it in an IV

• 퐼푉 = 퐸푛푐퐾′ (푏푖푡, 푖푛푑푒푥, 푟푎푛푑표푚 푝푎푑) Stateless IV Attack

• Let 푘 be the size of the key (ex. 128 bits), and let 푣 = log2 푘 • Notation: 퐾[푖] refers to a single bit of 퐾 at index i

• 퐸′ K′, K, M, A, 휎 Algorithm:

• 푙 ←푅 {1, 2, … , 푘} 푛−푣−1 • 푅 ←푅 0, 1

• 퐼푉 ← 퐸푛푐퐾′ 퐾 푙 | 푙 |푅 • 퐶 = 퐸퐾 푀, 퐴, 퐼푉 • Return 퐶

• 퐷′ 퐾′, 푪, 퐴 Algorithm (푪 is an indexed array of ciphertexts): • For 푗 = 1, … , |푪| do

• 푏 | 푙 |푅 ← 퐷푒푐퐾′ 푋 푪 푗 ; 퐾 푙 ← 푏 • For 푗 = 1, … , 푪 do

• 푴 푗 ← 퐷퐾 퐶 푗 ,퐴 푗 • Return 푴 Stateless IV Attack Alice 퐶1 = 퐸푛푐퐾′ 퐾 ||퐸퐾 푀1 퐶2 = 퐸푛푐퐾′ 퐾 ||퐸퐾 푀2

퐶 = 퐸푛푐 ′ 퐾 ||퐸 푀 푛 퐾 퐾 푛 DEC(K, C)

ENC(K, M’)

ENC(K’, K, M)

DEC(K’, K, C’) Bob

Shared 퐾′ DEC(K, C)

DEC’(K’, C) ENC(K, M’) Comments

• Stateless attack requires some amount of messages to recover the key

• ≈ 푘푙푛(푘) messages to recover a key with length 푘 • 푘 = 256 →≈ 616 IVs

• Once the key is recovered, can go back and decrypt all previous conversations Biased Ciphertext Attack

• What if the encryption algorithm does not surface an IV? • CBC2, IACBC, XCBC$,…. Do not source IVs

• We can use a biased ciphertext attack instead ∗ • Let 퐹퐾′ 0, 1 → 0, 1 be a secure PRF • Select any randomness in such a way that 퐹퐾′ 퐶 = 퐾[푗] where 퐾 푗 is the j’th bit of the key 퐾 • Let j be some stateful counter 휎 maintained by Big Brother and Π′ • This will require 푘 messages for Big Brother to recover 퐾 Biased Ciphertext Attack

• Let 푘 be the size of the key (ex. 128 bits), and let 푣 = log2 푘 • Notation: 퐾[푖] refers to a single bit of 퐾 at index i

• 퐸′ K′, K, M, A, 휎 Algorithm: • 푗 ← 휎 푚표푑 푘; 푗 ← 푗 + 1 • While True

• 훿 ←푅; 퐶 = 퐸퐾 푀, 퐴, 훿 ||휎 • If 퐹퐾′ 퐶 == 퐾 푗 break • 퐶 = 퐸퐾 푀, 퐴, 훿 • Return 퐶

• 퐷′ 퐾′, 푪, 푨 Algorithm (푪, 푨 is an indexed array of ciphertexts and associated data): • For 푗 = 1, … , |푪| do

• 퐾 푗 ← 퐹퐾′ 퐶 푗 • For 푗 = 1, … , 푪 do

• 푴 푗 ← 퐷퐾 퐶 푗 , 퐴 푗 • Return 푴 Comments

• The biased ciphertext attack will work on every randomized and stateless encryption scheme • Why? Solutions

• These attacks have worked because Π′ has a lot of flexibility when it comes to generating its own randomness

• There are several different values of 퐶 that will be correctly decrypted by the user, so can select a particular value of 퐶′ to leak information

• All of the power of Π′ is in its ability to choose a particular 퐶′ out of many candidates An Example Problem – part (a)

• (퐸, 퐷) symmetric encryption scheme • 퐸 푚, 푘 = 푚 : one-to-one mapping between image and preimage

푀 = ∀푚 푚} 퐶 = {∀푚, ∀푘 |퐸 푚, 푘 } An Example Problem – part (b)

• If 퐸 푚, 푘 = 푚 + l

푀 = ∀푚 푚} 퐶 = {∀푚, ∀푘 |퐸 푚, 푘 }

E is no longer one-to-one. Each pre-image under E has 2l images An Example Problem – part (b)

• Question Suppose for all messages m and keys k, |E(m,k)| = |m|+l for some positive l. Show that an attacker can win the CPA security game if they are allowed to make 2l/2 queries. This result demonstrates that the keys for such encryption schemes have a finite number of uses before they must be changed. • Hints • Each plaintext m maps into 2l ciphertexts in average • Birthday Bound • The advantage of this adversary should be close to 1/2 • Solution? Unique Ciphertexts

• If Π were such that, given a particular state 휏 of the user’s decryption 퐷, there existed a single unique 퐶 such that 퐷퐾 퐶 = 푀, then we would say Π has unique ciphertexts

• Corollary: If Π′ wanted to send the encryption of a particular message 푀 to a user 푈 running 퐷K with internal state 휏, then Π′ would have no freedom to pick which ciphertext 퐶 to send, since there is a unique ciphertext that will work

• Corollary: 퐸퐾 is deterministic since it can only produce a single unique ciphertext in this case

• Corollary: 퐸퐾 must be stateful and keep state 휏 Unique Ciphertext Defense

• E K, M, A, 휎 Algorithm: • 퐷 퐾, 푪, 푨, 휏 Algorithm • If 휎 = 2푙 return ⊥, 휎 • If (휏 2푙) then return ⊥, 휏 −1 • 퐾1||퐾2 ← 퐾 • 퐾1||퐾2 ← 퐾; 푊, 푇 ← 퐶; 푥 ← 푃 퐾1, 푊 • 푊 ← 푃 퐾1, < 휎 > || 푀 • If ( 푥 < 푙) then return ⊥, 휏 • 푇 ← 퐹 퐾2, 푊||퐴 • < 휎 > || 푀 ← 푥 • 퐶 ← (푊, 푇) • If 푇 ≠ 퐹 퐾2, 푊||퐴 then return ⊥, 휏 • 휎 ← 휎 + 1 • If (휎 ≠ 휏) then return ⊥, 휏 • Return 퐶, 휎 • 휏 ← 휏 + 1; Return 푀, 휏 P: family of keyed permutations, F: family of keyed functions • It can be shown that Surveillance game advantage of B is zero! Other Kinds of Attacks

• ASA’s on public key encryption • RSA, DH, Signature Schemes • Elliptic Curves

• Attacks on hardware implementation of crypto • Intel AES instruction set • Specialized hardware

• Attacks on compilers / runtime state

• Side channel attacks using timing information

• Etc. Family of Elliptic Curves

푥, 푦 ∈ 픽 2: 푦2 = 푥3 + 푎푥 + 푏 푚표푑 푝 • 퐺 = 푃 ∪ {0} 4푎3 + 27푏2 ≠ 0 푚표푑 푝 ٿ

• Suppose a user 푈 contacts a server, and the server suggests that they do key exchange (퐸퐶퐷퐻) using a particular curve from the family 퐺 where 푎 = 718173919285810138 and 푏 = 12134012348710756

• How should the user feel about this? Could it be the case that the server actually found a clever attack and then picked the group parameters specifically so that the attack would work?

• Could it be the case that standardizations of elliptic curve groups are of this form? Family of Elliptic Curves

• Idea: Instead of just suggesting (푎, 푏), suggest (푠, 푎, 푏) where 푎, 푏 = 퐻(푠) and 퐻 is a collision resistant hash function

• Now an (푎, 푏) cannot be chosen directly, instead an 푠 must be chosen such that its hash is (푎, 푏). If there was a very clever attack against the group with a particular (푎, 푏), the collision resistant and 1-way properties of a hash function make it difficult to find 푠′ such that 푎, 푏 = 퐻(푠′)

• Could still be the case that a large family of parameters 푎, 푏 are vulnerable, and select 푠 randomly until it hashes to a vulnerable group Big Key Cryptography

• PRGs can expand a small seed into a large string of pseudo random bits (say, 280 bit long)

• Idea: Use the entire output of the PRG as a key

• Corollary: Nobody can steal the key because nobody can even read the entire thing! Big Key Cryptography

128 • Every time a user 푈 wants to send a message, he computes 푅 ←푅 0, 1 (128 is a parameter)

• Compute I 1 = 퐻 푅, 1 , 퐼 2 = 퐻 푅, 2 …

• Compute key as 퐾푠 = 퐻 푅, 퐾 퐼 1 , 퐾 퐼 2 , … where 퐾 is a key of very long length, like 280 or 2128

• Need a way to compute an index of 퐾 without computing the whole thing • Blum-Blum-Shub PRG has this property Thanks!