Symmetric-Key Encryption
CSE 5351: Introduction to Cryptography Reading assignment: • Chapter 3 • Read sections 3.1-3.2 first (skipping 3.2.2)
1 Negligible functions A nonegative function f : is said to be negligible if for every positive polynomial Pn ( ), there is an integer
n0 such that 1 f ( n ) for all n n (i.e., for sufficiently large n ). Pn() 0
Examples: 2n , 2 n , n log n are negligible functions. Negligible functions approach zero faster than the reciprocal of every polynomial. We write negl(n ) to denote an unspecified negligible function.
2 Properties of negligible functions
If negl1 (nn ) and negl2 ( ) are negligible functions, then
negl12 (nn) negl ( ) is negligible. If negl(n ) is a negligible function and p ( n ) a polynomial, then p( n ) negl() n is negligible.
Examples: 2n 2 n and n100n log n are negligible.
3 Relaxing the security requirement In perfect indistinguishability (perfect secrecy), the adversary has unlimited computing power, success rate 1 2; also, message length is hidden .
Now we relax the notion of perfect indistinguishability by limiting adversaries to having poly(n ) computing power, allowing the success rate to be 1 2 negl(n ), not hiding message length.
4 Security Parameter The n in the previous slide is called a security parameter, which indicates the key leng.th We will associate an encryption scheme with a secureity parameter n , and would like to be secure in the sense that any adversary with poly( n) computing power can break with at most negl( n) probability.
5 PPT Algorithms Probabilistic polynomial-time algorithms Polynomial-time : the running time is polynomial in input length . Input length is the number of bits of the input.
What is the length of n in binary, and what is the length of 1n ? What is the difference between these two statements: An ( ) is a PPT algorithm.
A (1n ) is a PPT algorithm.
6 Private-key encryption scheme w. security parameter n A tuple of polynomial-time algorithms: (,,)Gen Enc Dec Key generation algorithm Gen : On input 1n , outputs a key k {0,1}n . We write k Gen(1n ). (n : security parameter.) Encryption algorithm Enc : On input a key k and a message * m {0,1} , outputs a ciphertext c . We write c Enck ( m ). Decryption algorithm Dec : On input a key k and a ciphertext c , Dec outputs a message m or an error symbol .
We write m : Deck ( c ). Correctness requirement: for every k Gen (1n ) and m {0,1}* ,
Deckk Enc ( m ) m . Gen , Enc are probabilistic. Dec , deterministic. 7 If message space M {0,1}()n , then ( Gen , Enc , Dec ) is said to be a fixed-leng th private-key encryption scheme for messages of length (n ).
nn If Gen (1 ) simply outputs ku {0,1} , we omit Gen and simply denote the scheme by (Enc , Dec ). This is almost always the case.
8 eav Ciphertext Indistinguishability Experiment PrivK A, (n) Adversary: PPT eavesdropper with a single ciphertext. (Gen , Enc , Dec ) : an encryption scheme with security parameter n . Imagine a game played by Bob and an adversary A (Eve): n Eve, given input 1 , outputs a pair of messages mm01 ,
with mm01 (i.e., having the same length) . n Bob chooses a key k Gen (1 ) and a bit b u {0,1};
computes c Ek ( mb ); and gives c to Eve. Eve outputs a bit bc , trying to tell whether is an
encryption of mm01 or . eav The output, PrivKA, (n ), of the experiment is 1 iff b b (i.e., Eve succeeds.)
9 Ciphertext Indistinguishability against an eavesdropper Definition: A private-key encryption scheme has indistinguishable encryptions against an eavesdropper (or is EAV-secure) if for all probabilistic polynomial-time adversaries A , there is a negligible function negl ( n ) such that (for all n ) 1 Pr PrivKeav (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A , the randomness used by Bob to choose the key and the bit b , as well as the randomness used by Enc . n eav A1 , m01 , m , Enckb ( m ) b : Pr PrivKA, (n ) 1 Pr n n bu {0,1}, k Gen (1 ), m01 , m A(1 ) 10 An equivalent formulation
eav For b 0 or 1 (fixed), let PrivKA, (n ,b ) denote the previous experiment with the fixed b used.
eav Let output PrivKA, (n ,b ) denote the adversary's output.
n eav A1 , m01 , m , Enck (mb ) 1: Pr output PrivKA, (n ,b ) 1 Pr nn k Gen(1 ), m01 , m A (1 ) Theorem: A private-key encryption scheme is EAV-secure if and only if for all PPT adversaries A , there is a negligible function negl ( n ) such that
Pr output PrivKeav (nn ,0 ) 1 Pr output PrivK eav ( ,1 ) 1 AA, , negl()n . 11 That is,
nn A1,,, m0 m 1 Enckk ()1:mm01 A 1,,, m 0 m 1 Enc ()1: Pr Pr n n n n k Gen(1 ), m01 , m A (1 ) k Gen (1 ), m01 , m A (1 ) negl ( n )
12 Adversaries cannot learn any bit of the plaintext
Let mi denote the i th bit of m . If an encryption scheme is EAV-secure, then from a ciphertext i c Enck ( m ), it is infeasible for the adversary to recover m . Theorem: If a fixed-length private-key encryption scheme with MA {0,1}()n is EAV-secure, then for all PPT adversaries and any in 1, , ( ) , it holds: 1 n i n ()n Pr A1 , Encku ( m ) m : k {0,1} , mnu {0,1} negl( ). 2
13 Secure Encryption Schemes Secure: EAV-secure, CPA-secure, or CCA-secure. Secure private-key encryption schemes may be constructed from: Pseudorandom generators Pseudorandom functions Pseudorandom permutations.
14 Pseudorandom Generators and Stream Ciphers
Encryption schemes using pseudorandom generators K&L: Section 3.3
15 Motivation Vernam's one-time pad scheme is perfectly secure against single-ciphertext eavesdropper. Drawback: it requires a random key as long as the message. Solution: use a short key as seed to generate a "pseudorandom" key that is as long as needed. This is the basic idea of stream ciphers.
16 Stream ciphers The term "stream cipher" may refer to the entire encryption scheme or just the pseudorandom generator.
17 What is a pseudorandom generator? Informally, a pseudorandom generator is an algorithm G that given a ()short string truly , outputs randomra a "" s ndom-like (i.e.,pseudorandom) string longer than s . Informally, a string r is ""random-likehard if it is to tell whether or not r is generated by a truly-rag ndom enerator. n Loosely speaking, two sets ABnn , {0,1} are said to be polynomially indistinguishable if for every polynomial distinguish er D ,
| Pr(D ) rr 1: u An
neglPrDr( ) 1: r u Bn | ()n
18 In the above, we were actually talking about the indistinguishability between two ensembles (sequences) of sets: AB and . nnnn Definition: Two ensembles of sets AB and are nnnn polynomially indistinguishable if for every polynomial-time distinguisher D , it holds that
| PrD ( r ) 1: run A
PrD ( r ) 1: run B | negl( n )
Which of the following are polynomially indistinguishable?
n n n ABnn {0,1} , {0,1} 0 nn100 Ann {0,1} , B s {0,1} : s 2 as a binary integer nn1 ABnn {0,1} , 0 {0,1}
19 n n n ABn {0,1} and n {0,1} 0 are polynomially indistinguishable.
PrD() r1: r u An Prr Pr D ( r ) 1 rAn 1 PrDr ( ) 1 n 2 rAn 1 1 PrD (0n ) 1 PrDr ( ) 1 n n 2 2 rBn
PrD ( r ) 1: r u Bn PrrD Pr (r ) 1 rBn 1 n PrD(r ) 1 21 rBn
|| PrD ( r ) 1: r u ABn PrD ( r ) 1: r u n negl)(n
20 Definition of pseudorandom generator Let ( ) be a polynomial such that (n ) n for all n 0. Let G be a deterministic polynomial-time algorithm that, for any input string s {0,1}n , outputs a string Gs ( ) {0,1}()n . G is said to be a pseudorandom generator with expansion factor ( ) if for every polynomial-time distinguisher D , n | PrD ( G ()) s 1: s u {0,1} ()n PrD ( r ) 1: r u {0,1} | negl( n ) That is, the two ensembles AB and , are polynomially nnn N n N n ()n indistinguishable, where Ann G ( s ) : s {0,1} and B 0,1 .
21 Example: insecurepseudorandom genera tor
n Let G ( sssssss )() for {0,1}11 . nn Expansion factor l ( nn )1. G is nota pseudorandom generator:
1if rrr11 nn For {0,1},rD r letn 1 ( ) 0 otherwise n Pr(D ( G ))1: ss {0,1}1 u n1 Pr(D )1: rr {0,1}1 2 u Difference between the two probabilities is not negligible.
22 Remarks A string r is said to be a random string if it is generated
by a true random generator (i.e., rru {0,1} , where ). A string r is said to be a pseudorandom string if it is generated by a pseudorandom generator. What if the distinguisher D has unlimited (or exponential) time? 1 if r G ( s ) for some s {0,1}n Given r {0,1}()n , let D ( r ) 0 otherwise n PrD ( G ( s )) 1: s u {0,1} 1 ()()()n n n n n PrD ( r ) 1: r u {0,1} 2 2 1 2 Difference between the two probabilities is not negligible.
23 Existence of pseudorandom generators If one-way functions exist, then pseudorandom generators exist. That is, pseudorandom generators can be constructed from one-way functions. Chapter 7 of the K&L book shows how to construct pseudorandom generators from one-way permutations. True pseudorandom generators are slow for applications. In practice, algorithms such as RC4 are used.
24 Existence of pseudorandom generators (basic idea)
Let f :{0,1}nn {0,1} be a one-way function. Let bf:{0,1}n {0,1} be a hard-core predicate of . A boolean function defined on the domain of f . Easy to compute b ( x ) from x . But hard to compute b ( x ) from f ( x ).
Given seed x , let x0 x .
Starting from xf0 , apply repeatedly:
f f f f x0 x 1 x 2 xln ( ) 1
Let G ( x ) b (x0), b x 1 , b x 2 , , b xln ( ) 1 . G is a pseudorandom generator with expansion factor l ( n ).
25 Example: Blum-Blum-Shub pseudorandom generator Let n pq for two large primes p , q .
Let f ( x ) x2 mod n . //one-way function// Let bx ( ) the least significant bit of x //hard-core predicate//
f f f f x0 x 1 x 2 xln ( ) 1
Let G ( x ) b ( x0 ), b x 1 , b x 2 , , b xln ( ) 1 . G is a pseudorandom generator with expansion factor l ( n ).
26 Example: Blum-Blum-Shub pseudorandom generator Suppose n pq 29 31 899.
Suppose x0 100. Then we have the sequence 100, 111, 634, 103, 720, 576, 45, 227, 286, 886, 169, 692, 596, 111, 634, 103, 720, The generated bits are 01010011001001010
27 Encryption schemes based on pseudorandom generators From a pseudorandom generator with expansion factor (n ), we can easily construct an EAV-secure (n)-bit encryption scheme. G : a pseudorandom generator with expansion factor (n ).
n n Key generation: on input 1 , outputs a key k u 0,1 . Encryption: on input a key km 0,1nn and a message 0,1 () , outputs the ciphertext c : m G ( k ). Decryption: on input a key kc 0,1nn and a ciphertext 0,1 () , outputs the m : c G ( k ). Denote this scheme by .
28 Security Theorem. The scheme constructed above is EAV-secure (i.e. has indistinguishable encryptions against eavesdroppers).
Intuition : If encrypting with a truely random string r :
c00 m r perfectly indistinguishable c1 m1 r If a pseudorandom string Gs() is used instead:
cm00Gs() polynomially indistinguishable cm11Gs()
29 Proof sketch By reduction. We will show:
Distinguishing between Breaking encryption scheme
random strings r and P (distinguishing between
pseudorandom strings G ( s ) ciphertexts c01 and c )
Notation. AP B: A reduces to B in polynomial time. Roughly meaning that we can solve A using an algorithm for B as a subroutine. Hardness of A hardness of B. Example?
30 Let A be an arbitrary PPT adversary against encryption scheme . Construct a distinguisher D : Dw , given as input a string 0,1ln() , wants to determine whether w is random or pseudorandom.
eav ln() D runs PrivKA, ( n ) to obtain a pair of messages m 0 , m 1 0,1 .
D chooses bub {0,1}, sets c : m w , gives c to A, and obtains bA from . D outputs 1 if b b , and outputs 0 otherwise.
31 Distinguisher D
eav w Run PrivK A, 1n adversary A against mm01, encryption scheme
b u {0,1} c c: mb w b ans ans:() b b
32 PrD () w 1: w {0,1}ln( ) PrPrivK eav 1 1 2 u A, * where * is Vernan's one-time pad.
n eav PrD () w 1: w : G (), s s u {0,1} Pr PrivKA, 1
ln() | PrD ( w ) 1: w u {0,1} n PrDw ( ) 1: w : G ( s ), s u {0,1} | negl ( n ) (Why?)
eav So, || 1 2 Pr PrivKA, 1 negl ( n )
eav Pr PrivKA, 1 1 2 negl ( n ) is EAV-secure
33 Encrypting multiple messages with a single key Stream ciphers require a new key for each message. In practice, Alice and Bob wish to share a permanent key k and use it to encrypt multiple messages. One possible strategy: For each message mr , generate a random string and use s k r as a seed to the pseudorandom generator G .
Include r in the ciphertext, i.e., c:(): Enck m r, m G ( k r ). It is probabilistic! Unfortunately, the resulting scheme is not necessarily EAV-secure . It requires G to be more than a pseudorandom generator for the scheme to be EAV-secure.
34 Using stream ciphers in a session At the beginning of a session, Alice and Bob agree on two keys
kk12 and (called session keys).
Alice and Bob each run G ( k12 ) and G ( k ) to get two (long enough)
pseudorandom strings, say PS12 and PS .
Alice encrypts her sequence of messeges m1 , m 2 , m 3 , ... as
c1 , c 2 , c 3 , ... : m1 , m 2 , m 3 , ... PS1 .
Bob uses PS2 for encryption in a similar way. In practice, a stream cipher is designed to generate a random string of desired length bit/byte by bit/byte byte on demand.
35 The RC4 Stream Cipher (K&L: Section 6.1.4) • Most popular stream cipher • Simple and fast • Used in many standards • Actually not a cipher, but a practical, approximate pseudorandom generator. Nto truely pseudorandom. • Designed by Ron Rivest in 1987 for RSA Security, and kept as a trade secret until leaked out in 1994.
36 RC4 Two vectors of bytes : SSSS [0], [1], [2], , [255] TTTT [0], [1], [2], , [255] Input Key (seed) K : variable length, 1 to 256 bytes Initialization: 1. S [ i ] i , for 0 i 255 2. TKK [0..255] , , ... (until filled up)
37 RC4:Initial Permutation Initial Permutation of S : j 0 for i 0 to 255 do j ( j S [ i ] T [ i ] ) mod 256 Swap S [ i ], S [ j ] Idea: swapping bytes dependently of the input key. After this step, the input key will not be used.
38 RC4:Key StreamGeneration Key stream generation: ij , 0 while (true) ii ( 1 ) mod 256 j ( j S [ i ] ) mod 256 Swap S [ i ], S [ j ] t ( S [ i ] S [ j ] ) mod 256 output St [ ] Idea: systematically keep swapping and producing output bytes 39 Security of RC4
• RC4 is not a truly pseudorandom generator. • The key stream generated by RC4 is biased. – The second byte is biased toward zero with high probability. – The first few bytes are strongly non-random and leak information about the input key. • Defense: discard the initial n bytes of the keystream. – Called “RC4-drop[n-bytes]”. – Recommended values for n = 256, 768, or 3072 bytes. • Efforts are under way (e.g. the eSTREAM project) to develop more secure stream ciphers.
40 The Use of RC4 in WEP
• WEP is an RC4-based protocol for encrypting data transmitted over an IEEE 802.11 wireless LAN. • WEP requires each packet to be encrypted with a separate RC4 key. • The RC4 key for each packet is a concatenation of a 40-bit or 104-bit long-term key and a random 24-bit R.
RC4 key: Long-term key (40 orl 104 bits) R (24)
802.11 Header R lMessage CRC Frame: encrypted
41 WEP is not secure
• Mainly because of its way of constructing the key • Can be cracked in a minute • http://eprint.iacr.org/2007/120.pdf
42 Stronger Security Notions
K&L: Section 3.4
43 Different levels of security EAV-security (against eavedroppers, ciphertext-only-attacks) one encryption multiple encryptions CPA-security (against chosen-plaintext attacks) one encryption multiple encryptions CCA-security (against chosen-ciphertext attacks) one encryption multiple encryptions
44 mult Multiple-ciphertext indist. experiment PrivK A, ()n Adversary: eavesdropper with multiple ciphertexts A game between Bob and an adversary A : The adversary, given input 1n , selects two lists of messages 1 2tt 1 2 M0 ( m 0 , m 0 , ..., m 0 ) and M 1 ( m 1 , m 1 , ..., m 1 ) ii such that m01 m for all i . n Bob chooses a key k Gen (1 ) and a bit b u {0,1}; ii computes c Enckb ( m ) for all i , and gives the challenge ciphertext list C ( c12 , c , ..., ct ) to the adversary. The adversary outputs a bit b . The output of the experiment is 1 iff bb .
45 Multiple-ciphertext indist. against an eavesdropper DAef private-keyinition: encryption scheme has indistinguishable muenltiple cryptions against an eavesdropper if for all PPT adversaries Anegl , there n is a negligible function ( ) such that (for all n ) 1 Pr PrivK(mult )nn 1 negl( ) A, 2 where the probability is taken over the randomness used by A , by Bob, by Gen, an d by Enc. AM(1n ,,,()): M Enc Mb Pr PrivK(mult )n 1Pr 01 kb A, nn bkGenMu {0,1}, MA (1 ), ,(1 ) 01
46 Deterministic encryption schemes are not multiple-ciphertext indistinguishable Theorem: If the Enc of an encryption scheme (Gen,Enc,Dec) is deterministic, then the scheme cannot have indistinguishable multiple encryptions against an eavesdropper. Proof. Suppose Enc is deterministic. n n n n Let MM01 (0 , 0 ) and (0 , 1 ). Let the challenge ciphertext
list be C ( c12 , c ).
What can A say if c1 c 2 (or if c 1 c 2 )? For example, Vernam's one-time pad (for a fixed n ) is single-ciphertext indistinguishable, but not multiple-ciphertext indistinguishable.
47 Chosen-Plaintext Attacks (CPA) The adversary is capable of adaptively obtaining samples
(m11 , c ), , ( mt , c t ), where m i is chosen by the adversary
and ci Enc k ( m i ) for all i . We model such an adversary by giving it access to an encryption
oracle Enck (), viewed as a "black box" that on query m returns a
ciphertext c Enck ( m ).
m Oracle Enck ( ) Enck ( m)
48 cpa CPA indistinguishability experiment PrivK A, (n)
1. A key k Gen (1n ) is generated. n 2. The adversary is given input 1 and oracle access to Enck ( ). It may request the oracle to encrypt messages of its choice.
3. The adversary chooses two message m0 , m 1 with m 0 m 1 ; and
is given a challenge ciphertext c Enck ( m b ), where b u {0,1}.
4. The adversary continues to have oracle access to Enck ( ) and may
even request the encryptions of mm01 and . 5. The adversary finally outputs a bit b . 6. The output of the experiment is 1 iff b b. Note: The CPA here is an adaptive CPA.
49 CPA-security Definition: A private-key encryption scheme has indistinguishable encryptions under a chosen-plaintext attack, or is CPA-secure, if for all PPT adversaries A , there is a negligible function negl ( n ) such that (for all n ) 1 Pr PrivKcpa (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A as well as the randomness used in the experiment.
AEnck () (1n , m , m , Enc ( m )) b : Pr PrivKcpa (n ) 1 Pr 01 kb A, nn bu {0,1}, k Gen (1 ), m01 , m A (1 )
50 CPA-security for multiple encryptions One approach is to model the adversary as having oracle access
to Enc( ) andk having it produce two mess age lists 121 t 2 t MmmmMm(, 000011, ..., ) and (, mm, ...,11 )
Alternatively, we use an oracle LR-Enckb, ( ), where k is a key
and b{0,1}. (LR-Enc( ) is kdenoted,, bk b by LR( ) in the book.)
mm, 01 Oracle LR-Enc(kb, ) Enckb() m
The adversary is to guess the value of b .
51 LR-cpa The LR-oracle experiment PrivK A, (n)
1. A key k Gen (1n ) is generated.
2. A bit b u {0,1} is chosen. n 3. The adversary A is given input 1 and oracle access to LR-Enck,b ( ). 4. The adversary A outputs a bit b . 5. The output of the experiment is 1 iff bb .
52 CPA-security for multiple encryptions Definition: A private-key encryption scheme has indistinguishable multiple encryptions under a chosen-plaintext attack, or is CPA-secure for multiple encryptions, if for all PPT adversaries A , there is a negligible function negl ( n ) such that (for all n ) 1 Pr PrivKLR-cpa (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A as well as the randomness used in the experiment.
Theorem: For any private-key encryption scheme, CPA-security CPA-security for multiple encryp.tions
53 Constructing CPA-Secure Encryption Schemes
K&L: Section 3.5
54 Pseudorandom generator
55 A CPA-secure encryption scheme (inefficient)
nn Let Funcn be the set of all functions f :{0,1} {0,1} .
Construct an encryption scheme as follows.
Key generation: uniformly choose a function f u Funcn. To encrypt a message m {0,1}n , uniformly choose a n string rmu {0,1} , and encrypt as c:, r m f ()r .
To decrypt a ciphertext c r , s , compute m : s f (r ).
56 Theorem: The encryption scheme is CPA-secure. Proof (sketch.) Consider any arbitrary adversary A . cpa
In the experiment PrivKA, (n ), let c : r , mb f (r ) be the challenge ciphertext. Since f ( r ) is uniformly random, c is indistinguishable unless , on Am 's query , the oracle happens
to return cmm :r , f ( r ) , in which case A will learn f ( r ). This may occur with probability at most poly(n ) 2n , where poly(nA ) is an upper bound on the number of queries may make to the oracle. Thus, 11 Pr PrivKcpa (n ) 1 poly( n ) 2n negl( n ). A, 22
57 The secret key here is f . Q: What's its length?
Suppose we label the elements/functions in Funcn with strings
key k {0,1} . What's the key length key ?
How many elements/functions are there in Funcn ? View each function as a table of 2n strings of length n . There are 2 choices (0 or 1) for each of the n 2n bits. n2n n2n So, there are 2 different functions. I.e., Func.n 2 n2n n Thus, key log 2 2 n 2 , which is infeasible.
58 Solution:
Choose a "small" subset of Funcnn , say Func , such that
Funcnn and Func are indistinguishable .
Then, randomly picking a function from Funcn (as the key) will be almost as good as randomly picking a function from
Funcn . n If we choose Funcn to contain no more than 2 elements, the key length will be at most n.
We will describe Funcn (which is a set of functions) as a single function with two parameters, called a keyed function.
59 Keyed functions
A keyed function Fn : {0,1}a()()() n {0,1} b n {0,1} c n for all 1, has two inputs. The first one is called the key and denoted k. Each key k {0,1}an() induces a single-input function: b()() n c n Fk :{0,1} {0,1}
Fk ( x ) F ( k , x ) F is associated with three functions, a ( n), b ( n ), c ( n ) (often written as
lkey ( n ), l in ( n ), l out ( n )) which indicate the lengths of k , x , and Fk ( x ).
F is length-preservi ng if lkey ( n ) l in ( n ) l out ( n ) n . If F is length-preserving, F induces a set of functions for each n :
n n n Fkk :{0,1} {0,1} | {0,1} Q: In general, what set of functions does F induce?
60 Keyed Length-Preserving functions
A keyed length-preserving function F : {0,1}n {0,1} n {0,1} n has two inputs. The first one is called the key and denoted k . Each key k {0,1}n induces a single-input function: nn Fk :{0,1} {0,1}
Fk ( x ) F ( k , x )
That is, Fn induces a set of functions for each :
n n n Fkk :{0,1} {0,1} | {0,1}
61 Pseudorandom functions Let F be a keyed length-preserving function.
nn Recall Funcn the set of all functions f :{0,1} {0,1} . F is a pseudorandom function if the two ensembles of sets
n Fkkn | {0,1} and Func n n are polynomially indistinguishable, i.e., if for every PPT distinguisher D , it holds:
Fk () nn | PrDk (1 ) 1: u {0,1} f () n PrD (1 ) 1: f un Func | negl( n )
62 General pseudorandom functions
ln() Let F : {0,1}key {0,1}lnin () {0,1}lnout () be a keyed function.
lnin () lnout () Define Funcn the set of all functions f :{0,1} {0,1} . F is a pseudorandom function if the two ensembles of sets
lnkey () Fkk | {0,1} and Funcn n n are polynomially indistinguishable, i.e., if for every PPT distinguisher D , it holds:
ln() PrDkFk () (1n ) 1: {0,1} key | u f () n PrD (1 ) 1: f Funcn negl( n ) u |
63 Example keyed length-preserving function Suppose F ( k , x ) k x .
Then, Fk ( x ) k x . Is F a pseudorandom function?
n For any k and x , Fkk ( x ) F ( x ) k x k x 1 . Based on this, we design a distinguisher D as follows. Given a function hD (as an oracle), asks the oracle to compute h ( x ) and h ( x ) for some x {0,1}nn , say x 0 . If h ( x ) h ( x ) 1n , D returns 1, else returns 0. We have
Fk () nn PrDk (1 ) 1: u {0,1} 1 f() n n PrDf (1 ) 1: un Func 2
64 fn() PrDf (1 ) 1: un Func
fn() Pr fD is picked Pr (1 ) 1 f 1 Prf ( x ) f ( x ) 1n n2n 2 f
n 12n2 n 2n2 2n 1 2n
65 Permutations A function f : X X is called a permutation if it is bijective (one-to-one and onto). We are interested in permutations f :{0,1}l()() n {0,1} l n , especially with l ( n ) n .
66 Pseudorandom permutations A keyed permutation is a keyed function F for which
each Fk is a permutation.
nn Permn , the set of all permutations f :{0,1} {0,1} . A length-preserving keyed permutation F is a pseudorandom permutation if for every PPT distinguisher D , it holds:
Fk () nn | PrDk (1 ) 1: u {0,1} fn() PrD (1 ) 1: f un Perm | negl( n ) Theorem: A pseudorandom permutation is also a pseudorandom function (assuming l(). n n)
67 CPA-secure encryption using pseudorandom functions Let F be a pseudorandom function. Construct an encryption scheme for messages of length n as follows.
n n Gen : on input 1 , output a key k u {0,1} . Enc : on input a key k {0,1}nn and a message m {0,1} , n choose uniformly a string r u {0,1} and output the ciphertext
c : r , Fk ( r ) m .
n Dec : on input a key k {0,1} and a ciphertext c r , s , output
the plaintext message m : Fk ( r ) s .
68 Fk
69 Theorem: The encryption scheme is CPA-secure. Proof (basic idea).
In scheme , a function f Funcn is used as a key. n In scheme , a function Fkk F : k {0,1} is used as a key. n Since Funcnk and F : k {0,1} are indistinguishable, it can be shown by reduction that Pr PrivKcpa (n ) 1 Pr PrivK cpa ( n ) 1 negl( n ) A, A, We already know 1 Pr PrivKcpa (nn ) 1 negl( ). A, 2 1 Thus, Pr PrivKcpa (nn ) 1 negl.() A, 2
70 If Fis a pseudorando m permutation Since F is also a pseudorandom function, we may encrypt a message {0,1}m as nbefore: n 1) crr :, , whereFrk ( ){0,1} m . //CPA-secure/u /
1 If Fk ()m is efficiently computable, we may also encrypt m as
2) cF :( )k m //deterministic, so not CPA-secure//
n 3) cr :, , rwhereFrk () {0,1} m . //CPA-secure//u Q: How to decrypt a ciphertext ,cr ? s
(Assume that F isk effici ently computable.)
71 Modes of Operations
K&L: Section 3.6.2
72 Encrypting long messages Now let's see how to encrypt a message of arbitrary length using a pseudorandom function or permutation. Encryption algorithm: On input mk {0,1}* and key , Pad the message so that its length is a multiple of n (block size). Divide the padded message m into blocks, say
m m1 , m 2 , m 3 , , mt
Individually encrypt each block mi : n ri u {0,1} and c i:() F k r i m i The final ciphertext is
c : ( r1 , c 1 ), ( r 2 , c 2 ), , ( rtt , c ) The ciphertext is twice as long as the message. Inefficient!
73 Modes of operation More efficient ways to do it are traditionaly called modes of operation (of block ciphers).
n Main idea: generate a single random string IV u {0,1} and
derive r12 , r, , rt from IV . ( IV : Initialization Vector) The ciphertext will be of the form
cI Vc , cc12 , , , t Important modes of operation:
Counter mode (CTR): ri IV i
Output feedback mode OFB : r11 IV , ri F k ( r i )
Cipher feedback mode CFB : c01 IV , rii : c
Cipher block chaining mode CBC : c01 IV, rii : c 74 Counter mode (CTR)
Idea: The strings r12 , rrrIViit , , areti for 1.
Thus, to encrypt a message ,,,,mm with mmmk123 k t ey n Choose a random string {0,1}IV u . Encrypt m as
cIV :, ccccF , ,,12 , where rm tik :( ) ii
rIVii :
Strength: Blocks can be encrypted or decrypted in parallel or in a “random access” fashion.
75 Counter Mode (CTR)
r1 r 2 r 3
76 Output feedback mode (OFB)
Idea: The strings r1 , r 2 , , rt are r 1 IV and r i F k ( r i 1 )
Thus, to encrypt a message m m1 , m 2 , m 3 , , mt with key k n Choose a random string IV u {0,1} .
Encrypt m as c : IV , c12 , c , , ct
where ci : F k ( r i ) m i
r11 : IV , and ri : F k ( r i ) for 2 i t
77 Output feedback
r1 r 2 r 3
78 Cipher feedback mode (CFB)
Idea: The strings r12 , rr , , aret chosen t o be rii : , c 1
where cIVcand01 is the previousi cipher b lock.
Thus, the ciphertext of mmmm, , , , is132 mt
ccccc : , , 012, , t
where :cIV 0
cc forikii:() 1.Fm1 it
79 How is Cipher Feedback (CFB) different from OFB?
r1 r 2 r 3
80 Cipher block chaining mode (CBC)
1 Assume FF is a pseudorandom permutation and k is efficiently computable.
Each block mi is encrypted as c i F k r i mi .
The strings r12 , rr , , t are chosen to be ri ci1 for 1it ,
with c01 IV , and ci being the previous cipher block.
Thus, the ciphertext of m m1 , m23 , m , , mt is
c : c02 , c1 , c , , ct
where c0 : IV
ci : Fk (cii1 m) for 1 i t .
81 Cipher block chaining (CBC)
82 Chained CBC CBC Used in SSL 3.0 and TLS 1.0, but is not CPA-secure .
Message 1: (m1 , m 2 , m 3 ) Message 2: ( m 4 , m 5 )
IV’
83 Chained CBC Used in SSL 3.0 and TLS 1.0, but is not CPA-secure .
Message 1: (m1 , m 2 , m 3 ) Message 2: ( m 4 , m 5 )
84 Insecurity of Chained CBC
Let adversary A chooses two messages M m1 , m 2, m 3 ,
M m1 , m 2 , m 3 such that m 1 m 1 .
Let C IV , c1 , c 2 , c 3 be the challenge ciphertext.
A knows the oracle is going to use c3 in the next encryption.
So, A prepares m4 such that IV m 1 c 3 m 4 , and asks
the oracle to encrypt it. Suppose Ac receives 4 from the oracle.
Depending on whether c14 c , A knows whether C is the encryption of MM or .
85 Is C ( IV , c1 , c 2 , c 3 ) the encryption of M ( m 1 , m 2 , m 3 )
or M ( m1 , m 2, m 3 )?
IV m13c m4
mm11 or ?
cc14 ?
86 Electronic codebook mode (ECB) Use a pseudorandom permutation F .
m m1 , m 2 , m 3 , , mt
Each block mi is encrypted as c i F k m i . The resulting scheme is deterministic and nto CPA secure. Used only for sending a short message (in a single block).
87 Electronic Code Book (ECB)
88 Security of CBC, OFB, CFB, CTR If F is a pseudorandom function or permutation, then OFB, CFB, CTR are CPA-secure.
If F is a pseudorandom permutation , then CBC is CPA-secure.
89 Chosen-Ciphertext Attacks
K&L Section 3.7
90 cca CCA indistinguishability experiment PrivK A, ()n
1. A key k Gen (1n ) is generated. n 2. The adversary is given input 1 and oracle access to Enck () and
Deck () .
3. The adversary chooses two message m0, m 1 with m 0 m 1 ; and
is given a challenge ciphertext c Enck ( m b ), where b u {0,1}.
4. The adversary continues to have oracle access to Enckk( ) and Dec () , but is not allowed to request the decryption of c itself. 5. The adversary finally outputs a bit b . 6. The output of the experiment is 1 iff bb . Note: The CCA defined here has the capabilities of both CPA and "pure CCA". 91 CCA-security Definition: A private-key encryption scheme has indistinguishable encryptions under a chosen-ciphertext attack, or is CCA-secure, if for all PPT adversaries A , there is a negligible function negl ( n ) such that (for all n ) 1 Pr PrivKcca (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A as well as the randomness used in the experiment.
AEnckk( ), Dec ( ) (1n , m , m , Enc ( m )) b : Pr PrivKcca (n ) 1 Pr 01 kb A, nn bu {0,1}, k Gen (1 ), m01 , m A(1 )
92 CCA-security for multiple encryptions
LR-cca LR-cpa Experiment PrivKA, (n ) : same as PrivKA, (n ) except ... (what?) Definition: A private-key encryption scheme has indistinguishable multiple encryptions under a chosen-ciphertext attack, or is CCA-secure for multiple encryptions, if for all PPT adversaries A , there is a negligible function negl ( n ) such that (for all n) 1 Pr PrivKLR-cca (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A as well as the randomness used in the experiment.
Theorem: For any private-key encryption sc heme, CCA-security CCA-security for multiple encryptions. 93 CCA insecurity The encryption schemes we have seen so far are not CCA-secure .
If a ciphertext c Enck ( m ) can be manipulated in a controlled way , then the encryption scheme is not CCA-secure.
Example: consider the scheme Enckk ( m ) r , F ( r ) m .
The adversary chooses any two messages mm01 , of equal length. Let the challenge ciphertext be rc , where
c : Fkb ( r ) m , with b {0,1}.
The adversary modifies r , c to r , c r , fkb ( r ) m , which
is a legitimate ciphertext of mb .
Requesting the oracle to decrypt r , c , the adversary will get mb and hence know the value of b . 94 Constructing a CCA-secure encryption scheme We will see that: CPA-secure encryption secure MAC CCA-secure encryption
95 Padding-Oracle Attack: a concrete example of (partial) chosen-ciphertext attacks
K&L Section 3.7.2
96 The Setting We will attack the CBC-mode encryption scheme that uses PKCS#5 padding. L : block length (in bytes). b : pad length (in bytes). 1255bL PKCS#5 padding: The value of bb (as an 8-bit binary) is repeated times. Examples: 0x01, 0x0202, 0x030303, 0x04040404. Messageoriginal refers to the (w/o message padding). Encoded datapadded refers to message the . The encoded data is encrypted using CBC-mode encryption. 97 A Padding Oracle On receiving a ciphertext, the receiver decrypts it to recover the encoded data and checks if the padding is correct. If not correct, the receiver typically sends back a "bad padding" error message (e.g., in Java, javax.crypto.BadPaddingException). Such receivers provide the adversary with a padding oracle which may be viewed as a partial decryption oracle .
ciphertext Padding Oracle error (if padding incorrect) Using such a padding oracle, the adversary can recover the original messa ge.
98 Modify the encoded data in a controlled fashion
Suppose the encoded data is mm12 , , unknown to the adversary;
and the ciphertext is IV , c12 , c , known to the adversary.
1 Recall: c2 Fk ( m 2 c 1 ) and so m2 Fk ( c 2 ) c 1 .
1 Thus, m2 Fk ( c 2 ) c 1 . That is,
Dec IV , c1 , c 2 m 1 , m 2 Dec IV, c1 , c 2 m 1 , m 2 By modifying the ciphertext, the adversary can modify the encoded data in a controlled fashion and then ask the oracle if the padding (of the modified encoded data) is correct.
99 Cipher block chaining (CBC)
m1 =
100 Find out the pad length b Example: modifying the 5th byte will result in a padding error.
m2 = 0x33 0x22 0x11 0x44 0x03 0x03 0x03
In general, to find the pad length, the adversary runs: for iL 1 to do
modify the ic th byte of 1 send the resulting ciphertext to the receiver/oracle if receiving a padding error then return b : L ( i 1)
101 Recover the message byte by byte Having known b 3, how to recover the byte w?
m2 = x y z w 0x03 0x03 0x03
mx2 = yz wi 0x044 0x0 0x04
Try (how?) every string i {0,1}8 until there is no padding error, for which i , w i 0x04 w 0x04 i
888 3 How: modify c11 to c ii , with 0 0 0i 0x03 0x04
and present the resulting ciphertext IV , c12i , c to the
oracle, which after decryption will see mm12 , .
102 Recover the message byte by byte Having recovered w , how to recover z ?
m2 = x y z w 0x03 0x03 0x03
m2 = xy zi 0x05 0x05 0x05 0x05
Try every string i {0,1}8 until no padding error, then z i 0x05 z 0x05 i
88 3 How: modify c11 to c ii , with 0 0i w 0x05 0x03 0x05
and present the resulting ciphertext IV , c12i , c to the
oracle, which after decryption will see mm12 , .
103