The Security of Ciphertext Stealing

The Security of Ciphertext Stealing

The Security of Ciphertext Stealing Phillip Rogaway1 Mark Wooding2 Haibin Zhang1 1Department of Computer Science University of California at Davis 2Thales e-Security Ltd March 20, 2012 Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 1 / 21 Outline 1 Ciphertext stealing Description Symmetric encryption schemes Security of ciphertext stealing Insecurity of the Meyer–Matyas scheme 2 Online encryption Definitions Delayed CBC Ciphertext stealing redux Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 2 / 21 Outline 1 Ciphertext stealing Description Symmetric encryption schemes Security of ciphertext stealing Insecurity of the Meyer–Matyas scheme 2 Online encryption Definitions Delayed CBC Ciphertext stealing redux Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 3 / 21 ∗ P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK C1 C2 C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 Suppose we have a message to encrypt. We might choose ciphertext block chaining. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK C1 C2 C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 IV We choose a random initialization vector. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK C1 C2 C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 IV ⊕ We whiten the first plaintext block by XORing with the IV. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK C1 C2 C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 IV ⊕ EK We feed the whitened plaintext through the blockcipher. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK C2 C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 IV ⊕ EK C1 This gives us a ciphertext block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK C3 C4 C1 C2 Ciphertext stealing P1 P2 P3 IV ⊕ ⊕ EK EK C1 C2 We whiten the next plaintext block using that ciphertext block, apply the blockcipher, and get a new ciphertext block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ P4 0 ⊕ ∗ ∗∗ X4 C3 EK C4 C1 C2 Ciphertext stealing P1 P2 P3 IV ⊕ ⊕ ⊕ EK EK EK C1 C2 C3 We repeat this for all of the plaintext blocks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 0 ⊕ ∗ ∗∗ X4 C3 EK C4 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 IV ⊕ ⊕ ⊕ EK EK EK C1 C2 C3 But wait: what if the plaintext isn’t a whole number of blocks? There’ll be an odd bit left over. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ⊕ ∗ ∗∗ X4 C3 EK C4 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ EK EK EK C1 C2 C3 We pad the partial block with zero bits. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 ∗ ∗∗ X4 C3 EK C4 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ EK EK EK C1 C2 C3 And then whiten using the previous ciphertext block, as usual. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 EK C4 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK ∗ ∗∗ C1 C2 C3 C3 This leaves us with the whitened odd bit of plaintext, and a copy of the rest of the previous ciphertext block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 It’s the right width, so we can feed it through the blockcipher and get a ciphertext block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 If we decrypt that last ciphertext, we get the end of the penultimate ciphertext block back. So we don’t need to transmit that part! Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 C1 C2 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 Addendum to NIST SP800–38A describes three variants differing in ci- phertext ordering. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 CBC-CS3 preserves alignment by swap- ping; CBC-CS2 swaps only when necessary, for compatibility. Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 ∗ C1 C2 C3 C4 CBC-CS1 preserves ordering; Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 CBC-CS2 swaps only when necessary, for compatibility. Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 ∗ C1 C2 C4 C3 CBC-CS1 preserves ordering; CBC-CS3 preserves alignment by swap- ping; Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 Ciphertext stealing ∗ P1 P2 P3 P4 0 IV ⊕ ⊕ ⊕ ⊕ ∗ ∗∗ X4 C3 EK EK EK EK ∗ ∗∗ C1 C2 C3 C3 C4 ∗ C1 C2 C4 C3 CBC-CS1 preserves ordering; CBC-CS3 preserves alignment by swap- ping; CBC-CS2 swaps only when necessary, for compatibility. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 4 / 21 (Unfortunately their version is broken.) CBC-CS3 described by Schneier (1996). CBC-CS3 specified in RFC2040 (1996, Baldwin and Rivest). All three standardized in addendum to NIST SP800–38A (2010). Ciphertext stealing: history Basic idea goes back at least to Meyer and Matyas (1982). Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 5 / 21 CBC-CS3 described by Schneier (1996). CBC-CS3 specified in RFC2040 (1996, Baldwin and Rivest). All three standardized in addendum to NIST SP800–38A (2010). Ciphertext stealing: history Basic idea goes back at least to Meyer and Matyas (1982). (Unfortunately their version is broken.) Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 5 / 21 CBC-CS3 specified in RFC2040 (1996, Baldwin and Rivest). All three standardized in addendum to NIST SP800–38A (2010). Ciphertext stealing: history Basic idea goes back at least to Meyer and Matyas (1982). (Unfortunately their version is broken.) CBC-CS3 described by Schneier (1996). Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 5 / 21 All three standardized in addendum to NIST SP800–38A (2010). Ciphertext stealing: history Basic idea goes back at least to Meyer and Matyas (1982). (Unfortunately their version is broken.) CBC-CS3 described by Schneier (1996). CBC-CS3 specified in RFC2040 (1996, Baldwin and Rivest). Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 5 / 21 Ciphertext stealing: history Basic idea goes back at least to Meyer and Matyas (1982). (Unfortunately their version is broken.) CBC-CS3 described by Schneier (1996). CBC-CS3 specified in RFC2040 (1996, Baldwin and Rivest). All three standardized in addendum to NIST SP800–38A (2010). Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 5 / 21 K ⊆ f0; 1g∗ is a finite key space; IV = f0; 1gv is an IV space; P⊆f 0; 1g∗ is the message space. IV Require EK (·) to be a length-preserving permutation on P. Definitions: symmetric encryption Symmetric encryption syntax We take a functional view of symmetric encryption schemes. E : K ×IV×P!P Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 6 / 21 Definitions: symmetric encryption Symmetric encryption syntax We take a functional view of symmetric encryption schemes. E : K ×IV×P!P K ⊆ f0; 1g∗ is a finite key space; IV = f0; 1gv is an IV space; P⊆f 0; 1g∗ is the message space. IV Require EK (·) to be a length-preserving permutation on P. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 6 / 21 ? IV $ IV m 2 P m 2 P IV $ IV IV $ jmj c EK (m) IV k c IV k c c f0; 1g ind$ Real(·) Fake(·) AdvE (A) = Pr[A ) 1] − Pr[A ) 1] Definitions: symmetric encryption Symmetric encryption security: ind$ We capture an adversary and play one of two games. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 6 / 21 ? m 2 P IV $ IV $ jmj IV k c c f0; 1g ind$ Real(·) Fake(·) AdvE (A) = Pr[A ) 1] − Pr[A ) 1] Definitions: symmetric encryption Symmetric encryption security: ind$ IV $ IV m 2 P IV c EK (m) IV k c The real game: adversary chooses plaintexts m: we give back cipher- texts with fresh random IVs and a consistent random key. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 6 / 21 ? IV $ IV m 2 P IV c EK (m) IV k c ind$ Real(·) Fake(·) AdvE (A) = Pr[A ) 1] − Pr[A ) 1] Definitions: symmetric encryption Symmetric encryption security: ind$ m 2 P IV $ IV $ jmj IV k c c f0; 1g The fake game: adversary chooses plaintexts m: we give back fresh random IVs and random fake ciphertexts.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    105 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us