
Online Cryptography Course

Dan Boneh

Using block ciphers: Review: PRPs and PRFs

Block ciphers: crypto work horse

  PT block (n bits)  -->  E, D  -->  CT block (n bits)
                           ^
                      key (k bits)

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES:  n = 128 bits, k = 128, 192, 256 bits

Abstractly: PRPs and PRFs

Pseudo Random Function (PRF) defined over (K,X,Y):
  F: K × X → Y
  such that there exists an efficient algorithm to evaluate F(k,x)

Pseudo Random Permutation (PRP) defined over (K,X):
  E: K × X → X
  such that:
  1. There exists an efficient deterministic algorithm to evaluate E(k,x)
  2. The function E(k,·) is one-to-one
  3. There exists an efficient inversion algorithm D(k,x)

Secure PRFs

Let F: K × X → Y be a PRF
  Funs[X,Y]: the set of all functions from X to Y
  S_F = { F(k,·) s.t. k ∈ K } ⊆ Funs[X,Y]

Intuition: a PRF is secure if
  a random function in Funs[X,Y] is indistinguishable from a random function in S_F

(Picture: S_F, of size |K|, is a small subset of Funs[X,Y], of size |Y|^|X|)

Secure PRF: definition

For b=0,1 define experiment EXP(b) as:
  Chal.: b=0: k ← K, f ← F(k,·)
         b=1: f ← Funs[X,Y]
  Adv. A sends x1, x2, …, xq ∈ X, receives f(x1), f(x2), …, f(xq), and outputs b' ∈ {0,1}

Def: F is a secure PRF if for all efficient A:
  Adv_PRF[A,F] := |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is negligible.

Secure PRP (secure block cipher)

For b=0,1 define experiment EXP(b) as:
  Chal.: b=0: k ← K, f ← E(k,·)
         b=1: f ← Perms[X]
  Adv. A sends x1, x2, …, xq ∈ X, receives f(x1), f(x2), …, f(xq), and outputs b' ∈ {0,1}

Def: E is a secure PRP if for all efficient A:
  Adv_PRP[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is negligible.

Let X = {0,1}. Perms[X] contains two functions.
Consider the following PRP:
  key space K = {0,1}, input space X = {0,1},
  PRP defined as: E(k,x) = x ⊕ k
Is this a secure PRP?
  Yes
  No
  It depends

Example secure PRPs

PRPs believed to be secure: 3DES, AES, …
  AES-128: K × X → X where K = X = {0,1}^128

An example concrete assumption about AES:
  All 2^80-time algs. A have Adv_PRP[A, AES] < 2^-40

Consider the 1-bit PRP from the previous question: E(k,x) = x ⊕ k
Is it a secure PRF?
Note that Funs[X,X] contains four functions
  Yes
  No
  It depends

Attacker A:
  (1) query f(·) at x=0 and x=1
  (2) if f(0) = f(1) output 1, else 0
Adv_PRF[A,E] = |0 − 1/2| = 1/2
(E(k,0) = k ≠ k ⊕ 1 = E(k,1) for both keys, so A never outputs 1 in EXP(0), while 2 of the 4 functions in Funs[X,X] have f(0) = f(1))

PRF Switching Lemma

Any secure PRP is also a secure PRF, if |X| is sufficiently large.

Lemma: Let E be a PRP over (K,X).
  Then for any q-query adversary A:
    | Adv_PRF[A,E] − Adv_PRP[A,E] | < q² / 2|X|

Suppose |X| is large so that q² / 2|X| is negligible.
Then Adv_PRP[A,E] negligible ⇒ Adv_PRF[A,E] negligible
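As an added worked example (not from the slides), the Python below computes the quiz attacker's advantage exactly for the 1-bit E(k,x) = x ⊕ k, both as a PRF and as a PRP, and generalises the same collision distinguisher to any |X| and q so it can be checked against the lemma's q²/2|X| bound. The function names are mine.

```python
from fractions import Fraction
from itertools import permutations, product

def _attacker(f) -> int:
    # The slide's attacker A: query f at x=0 and x=1, output 1 iff f(0) = f(1)
    return 1 if f(0) == f(1) else 0

def _pr_output_1(family) -> Fraction:
    # Pr[A outputs 1] when f is drawn uniformly from the given list of functions
    return Fraction(sum(_attacker(f) for f in family), len(family))

# The 1-bit PRP from the quiz: K = X = {0,1}, E(k,x) = x XOR k, i.e. S_E = {E(k,.) : k in K}
S_E = [lambda x, k=k: x ^ k for k in (0, 1)]
FUNS = [lambda x, t=t: t[x] for t in product((0, 1), repeat=2)]   # Funs[X,X]: 4 functions
PERMS = [lambda x, t=t: t[x] for t in permutations((0, 1))]       # Perms[X]: 2 functions

def one_bit_prf_adv() -> Fraction:
    """Adv_PRF[A,E] = |Pr[EXP(0)=1] - Pr[EXP(1)=1]|, EXP(1) drawing f from Funs[X,X]."""
    return abs(_pr_output_1(S_E) - _pr_output_1(FUNS))

def one_bit_prp_adv() -> Fraction:
    """Adv_PRP[A,E]: the same attacker against Perms[X]; S_E equals Perms[X], so it is 0."""
    return abs(_pr_output_1(S_E) - _pr_output_1(PERMS))

def func_collision_prob(n: int, q: int) -> Fraction:
    """Pr[two of q distinct queries collide] for f uniform in Funs[X,X] with |X| = n:
    1 minus the probability that all q outputs are distinct, n(n-1)...(n-q+1) / n^q."""
    distinct = Fraction(1)
    for i in range(q):
        distinct *= Fraction(n - i, n)
    return 1 - distinct

def collision_distinguisher_adv(n: int, q: int) -> Fraction:
    """Generalisation of the slide's attacker: query q distinct points, output 1 iff two
    outputs collide. A random permutation never collides, so the advantage in telling
    Perms[X] from Funs[X,X] (= |Adv_PRF - Adv_PRP| for this A) is the collision probability."""
    return func_collision_prob(n, q)

def switching_lemma_bound(n: int, q: int) -> Fraction:
    """The PRF switching lemma bound q^2 / 2|X| on |Adv_PRF - Adv_PRP| for a q-query A."""
    return Fraction(q * q, 2 * n)
```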

Final note

Suggestion: don't think about the inner-workings of AES and 3DES.
We assume both are secure PRPs and will see how to use them

End of Segment

Using block ciphers: Modes of operation: one time key
example: encrypted email, new key for every

Using PRPs and PRFs

Goal: build secure encryption from a secure PRP (e.g. AES).

This segment: one-time keys
  1. Adversary's power: Adv sees only one ciphertext (one-time key)
  2. Adversary's goal: Learn info about PT from CT (semantic security)

Next segment: many-time keys (a.k.a chosen-plaintext security)

Incorrect use of a PRP

Electronic Code Book (ECB): each PT block is encrypted on its own with E(k,·)
  PT:  m1  m2  …
  CT:  c1  c2  …

Problem: if m1=m2 then c1=c2

In pictures (courtesy B. Preneel): [figure of an ECB-encrypted image omitted]

Semantic Security (one-time key)

EXP(0): Chal. k ← K. Adv. A sends m0, m1 ∈ M with |m0| = |m1|, receives c ← E(k,m0), outputs b' ∈ {0,1}
EXP(1): Chal. k ← K. Adv. A sends m0, m1 ∈ M with |m0| = |m1|, receives c ← E(k,m1), outputs b' ∈ {0,1}

one time key ⇒ adversary sees only one ciphertext

Adv_SS[A,OTP] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] |

ECB is not Semantically Secure

ECB is not semantically secure for messages that contain more than one block.

  Chal. k ← K, b ← {0,1}
  Adv. A sends two-block messages m0 = "Hello World", m1 = "Hello Hello"
  Chal. returns (c1,c2) ← E(k, mb)
  A: if c1=c2 output 0, else output 1

Then Adv_SS[A, ECB] = 1

Secure Construction I

Deterministic counter mode from a PRF F:
  E_DETCTR(k, m):  c[i] = m[i] ⊕ F(k,i)  for i = 0, 1, …, L
  i.e. (m[0], m[1], …, m[L]) ⊕ (F(k,0), F(k,1), …, F(k,L)) = (c[0], c[1], …, c[L])

Stream cipher built from a PRF (e.g. AES, 3DES)

Det. counter-mode security

Theorem: For any L>0, if F is a secure PRF over (K,X,X) then E_DETCTR is a sem. sec. cipher over (K, X^L, X^L).
In particular, for any eff. adversary A attacking E_DETCTR there exists an eff. PRF adversary B s.t.:
  Adv_SS[A, E_DETCTR] = 2 · Adv_PRF[B, F]
Adv_PRF[B, F] is negligible (since F is a secure PRF)
Hence, Adv_SS[A, E_DETCTR] must be negligible.

Proof (hybrid argument; the picture's five games, in each adv. A sends m0, m1 and outputs b')

  1. chal. k ← K, returns m0 ⊕ (F(k,0), …, F(k,L))
  2. chal. f ← Funs, returns m0 ⊕ (f(0), …, f(L))
  3. chal. r ← {0,1}^n, returns c = r
  4. chal. f ← Funs, returns m1 ⊕ (f(0), …, f(L))
  5. chal. k ← K, returns m1 ⊕ (F(k,0), …, F(k,L))

Games 1↔2 and 4↔5 are close by PRF security of F; games 2, 3 and 4 are identical since f is a truly random function (a one-time pad).

End of Segment

Using block ciphers: Security for many-time key
Example applications:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets.

Semantic Security for many-time key

Key used more than once ⇒ adv. sees many CTs with same key
Adversary's power: chosen-plaintext attack (CPA)
  Can obtain the encryption of arbitrary messages of his choice
  (conservative modeling of real life)
Adversary's goal: Break semantic security

Semantic Security for many-time key (CPA security)

E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as:
  Chal. k ← K
  for i=1,…,q:
    Adv. sends m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}|
    Chal. returns c_i ← E(k, m_{i,b})
  Adv. outputs b' ∈ {0,1}

if adv. wants c = E(k, m) it queries with m_{j,0} = m_{j,1} = m

Def: E is sem. sec. under CPA if for all efficient A:
  Adv_CPA[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is negligible.

Ciphers insecure under CPA

Suppose E(k,m) always outputs same ciphertext for msg m. Then:
  Chal. k ← K
  Adv. sends m0, m0 ∈ M, receives c0 ← E(k, m0)
  Adv. sends m0, m1 ∈ M, receives c ← E(k, mb)
  Adv. outputs 0 if c = c0

So what? an attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc.
  Leads to significant attacks when message space M is small

If secret key is to be used multiple times ⇒ given the same plaintext message twice, encryption must produce different outputs.

Solution 1: randomized encryption

E(k,m) is a randomized algorithm: enc maps the same msg (m0 or m1) to one of many possible ciphertexts, and dec maps each of them back to that msg
  encrypting same msg twice gives different ciphertexts (w.h.p)
  ciphertext must be longer than plaintext

Let F: K × R → M be a secure PRF.
For m ∈ M define E(k,m) = [ r ← R, output (r, F(k,r) ⊕ m) ]

Is E semantically secure under CPA?
  Yes, whenever F is a secure PRF
  No, there is always a CPA attack on this system
  Yes, but only if R is large enough so r never repeats (w.h.p)
  It depends on what F is used

Solution 2: nonce-based Encryption

  Alice: (m, n) → E with key k → E(k,m,n) = c
  Bob:   (c, n) → D with key k → D(k,c,n) = m

nonce n: a value that changes from msg to msg.
  (k,n) pair never used more than once
  method 1: nonce is a counter (e.g. packet counter)
    used when encryptor keeps state from msg to msg
    if decryptor has same state, need not send nonce with CT
  method 2: encryptor chooses a random nonce, n ← N

CPA security for nonce-based encryption

System should be secure when nonces are chosen adversarially.
  Chal. k ← K, b ← {0,1}
  for i=1,…,q:
    Adv. sends n_i and m_{i,0}, m_{i,1} : |m_{i,0}| = |m_{i,1}|
    Chal. returns c ← E(k, m_{i,b}, n_i)
  Adv. outputs b' ∈ {0,1}
  All nonces {n_1, …, n_q} must be distinct.

Def: nonce-based E is sem. sec. under CPA if for all efficient A:
  Adv_nCPA[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is negligible.

Let F: K × R → M be a secure PRF.
For m ∈ M define E(k,m) = [ r++, output (r, F(k,r) ⊕ m) ]    Let r = 0 initially.

Is E CPA secure nonce-based encryption?
  Yes, whenever F is a secure PRF
  No, there is always a nonce-based CPA attack on this system
  Yes, but only if R is large enough so r never repeats
  It depends on what F is used

End of Segment

Using block ciphers: Modes of operation: many time key (CBC)
Example applications:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets.

Construction 1: CBC with random IV

Let (E,D) be a PRP. E_CBC(k,m): choose random IV ← X and do:
  c[0] = E(k, IV ⊕ m[0])
  c[1] = E(k, c[0] ⊕ m[1])
  c[2] = E(k, c[1] ⊕ m[2])
  c[3] = E(k, c[2] ⊕ m[3])
  ciphertext = IV ‖ c[0] ‖ c[1] ‖ c[2] ‖ c[3]

Decryption circuit

  m[0] = D(k, c[0]) ⊕ IV
  m[1] = D(k, c[1]) ⊕ c[0]
  m[2] = D(k, c[2]) ⊕ c[1]
  m[3] = D(k, c[3]) ⊕ c[2]

In symbols: c[0] = E(k, IV ⊕ m[0]), hence m[0] = D(k, c[0]) ⊕ IV

CBC: CPA Analysis

CBC Theorem: For any L>0, if E is a secure PRP over (K,X) then E_CBC is sem. sec. under CPA over (K, X^L, X^(L+1)).
In particular, for a q-query adversary A attacking E_CBC there exists a PRP adversary B s.t.:
  Adv_CPA[A, E_CBC] ≤ 2 · Adv_PRP[B, E] + 2 q² L² / |X|

Note: CBC is only secure as long as q²L² << |X|

An example

Adv_CPA[A, E_CBC] ≤ 2 · Adv_PRP[B, E] + 2 q² L² / |X|
  q = # messages encrypted with k, L = length of max message

Suppose we want Adv_CPA[A, E_CBC] ≤ 1/2^32
  ⇒ q² L² / |X| < 1/2^32
  AES:  |X| = 2^128  ⇒  q L < 2^48.  So, after 2^48 AES blocks, must change key
  3DES: |X| = 2^64   ⇒  q L < 2^16

Warning: an attack on CBC with rand. IV

CBC where attacker can predict the IV is not CPA-secure !!
Suppose given c ← E_CBC(k,m) can predict IV for next message
  Adv. sends 0 ∈ X; Chal. (k ← K) returns c1 ← [ IV1, E(k, 0 ⊕ IV1) ]
  Adv. predicts IV, sends m0 = IV ⊕ IV1, m1 ≠ m0
  Chal. returns c ← [ IV, E(k, IV1) ] or c ← [ IV, E(k, m1 ⊕ IV) ]
  Adv. outputs 0 if c[1] = c1[1]

In SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)

Construction 1: nonce-based CBC

Cipher block chaining with unique nonce: key = (k, k1)
  unique nonce means: (key, n) pair is used for only one message
  IV = E(k1, nonce)
  c[0] = E(k, IV ⊕ m[0]), c[1] = E(k, c[0] ⊕ m[1]), c[2] = E(k, c[1] ⊕ m[2]), c[3] = E(k, c[2] ⊕ m[3])
  ciphertext = nonce ‖ c[0] ‖ c[1] ‖ c[2] ‖ c[3]   (nonce included only if unknown to decryptor)

An example Crypto API (OpenSSL)

  void AES_cbc_encrypt(
      const unsigned char *in,
      unsigned char *out,
      size_t length,
      const AES_KEY *key,
      unsigned char *ivec,     /* user supplies IV */
      const int enc);          /* AES_ENCRYPT or AES_DECRYPT */

When nonce is non random need to encrypt it before use

A CBC technicality: padding

  nonce → E(k1,·) → IV
  m[0], m[1], m[2], m[3] ‖ pad → CBC chain of E(k,·) as above → IV, c[0], c[1], c[2], c[3]
  the pad is removed during decryption

TLS: for n>0, n byte pad is  n n … n  (n bytes, each of value n)
  if no pad needed, add a dummy block
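Added example (not the course's code): ECB and CBC with random IV plus the TLS-style pad described above, over a constructed toy Feistel PRP that stands in for AES; it reproduces the "Hello World"/"Hello Hello" ECB distinguisher from the one-time-key segment and shows CBC hiding equal blocks. The names prp, pad, cbc_encrypt and ecb_attack are mine.

```python
import hmac, hashlib, os

BLOCK = 16  # bytes; the toy PRP below stands in for a 128-bit block cipher such as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp(k: bytes, x: bytes, inverse: bool = False) -> bytes:
    """Toy 4-round Feistel PRP on 16-byte blocks (constructed stand-in): E(k,.) or D(k,.)."""
    f = lambda i, h: hmac.new(k, bytes([i]) + h, hashlib.sha256).digest()[:8]  # round fn
    l, r = x[:8], x[8:]
    for i in (range(3, -1, -1) if inverse else range(4)):
        l, r = (xor(r, f(i, l)), l) if inverse else (r, xor(l, f(i, r)))
    return l + r

def pad(m: bytes) -> bytes:
    """TLS-style pad: n > 0 bytes each of value n; a whole dummy block when none is needed."""
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def unpad(p: bytes) -> bytes:
    n = p[-1]
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k: bytes, m: bytes) -> bytes:
    # Incorrect use of a PRP: equal plaintext blocks always give equal ciphertext blocks
    return b"".join(prp(k, b) for b in blocks(pad(m)))

def cbc_encrypt(k: bytes, m: bytes, iv: bytes = None) -> bytes:
    # E_CBC: c[i] = E(k, c[i-1] XOR m[i]) with c[-1] = IV; iv is overridable only for tests
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]
    for b in blocks(pad(m)):
        prev = prp(k, xor(prev, b))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)  # cs[0] is the IV; m[i] = D(k, c[i]) XOR c[i-1]
    return unpad(b"".join(xor(prp(k, cs[i], True), cs[i - 1]) for i in range(1, len(cs))))

def ecb_attack(ct: bytes) -> int:
    # The slide's distinguisher: output 0 if c[0] = c[1] (m1 = "Hello Hello"), else 1
    return 0 if blocks(ct)[0] == blocks(ct)[1] else 1
```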

End of Segment

Using block ciphers: Modes of operation: many time key (CTR)
Example applications:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets.

Construction 2: rand ctr-mode

Let F: K × {0,1}^n → {0,1}^n be a secure PRF.
E(k,m): choose a random IV ← {0,1}^n and do:
  c[i] = m[i] ⊕ F(k, IV+i)  for i = 0, 1, …, L
  ciphertext = IV ‖ c[0] ‖ c[1] ‖ … ‖ c[L]

note: parallelizable (unlike CBC)

Construction 2: nonce ctr-mode

  c[i] = m[i] ⊕ F(k, IV+i) for i = 0, …, L; ciphertext = IV ‖ c[0] ‖ c[1] ‖ … ‖ c[L]

To ensure F(k,x) is never used more than once, choose IV as:
  IV (128 bits) = nonce (64 bits) ‖ counter (64 bits)
  counter starts at 0 for every msg
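Added example (not the course's code): deterministic counter mode from the one-time-key segment, random-IV counter mode, and nonce-based counter mode with the 64-bit nonce ‖ 64-bit counter IV layout above, all over a constructed HMAC-based PRF that stands in for AES; it also shows why the deterministic variant is one-time only. The function names are mine.

```python
import hmac, hashlib, os

def prf(k: bytes, x: int) -> bytes:
    """F: K x {0,1}^128 -> {0,1}^128 from HMAC-SHA256 truncated to 16 bytes.
    Constructed stand-in for AES used as a PRF (ctr mode never needs an inverse)."""
    return hmac.new(k, x.to_bytes(16, "big"), hashlib.sha256).digest()[:16]

def ctr_xor(k: bytes, iv: int, data: bytes) -> bytes:
    """Core of every counter mode: block i of data XOR F(k, IV + i), IV + i taken mod 2^128."""
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = prf(k, (iv + i // 16) % (1 << 128))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))  # short last block: no padding
    return bytes(out)

def det_ctr_encrypt(k: bytes, m: bytes) -> bytes:
    """E_DETCTR (one-time key): keystream F(k,0), F(k,1), ...; decryption is the same call."""
    return ctr_xor(k, 0, m)

def det_ctr_reuse_leak(c0: bytes, c1: bytes) -> bytes:
    """Why E_DETCTR is one-time only: two ciphertexts under one key XOR to m0 XOR m1."""
    return bytes(a ^ b for a, b in zip(c0, c1))

def rand_ctr_encrypt(k: bytes, m: bytes) -> bytes:
    """Construction 2 (random IV): ciphertext = IV || m XOR (F(k,IV), F(k,IV+1), ...)."""
    iv = int.from_bytes(os.urandom(16), "big")
    return iv.to_bytes(16, "big") + ctr_xor(k, iv, m)

def rand_ctr_decrypt(k: bytes, c: bytes) -> bytes:
    return ctr_xor(k, int.from_bytes(c[:16], "big"), c[16:])

def nonce_ctr_encrypt(k: bytes, nonce: int, m: bytes) -> bytes:
    """Nonce-based ctr: IV = nonce (64 bits) || counter (64 bits), counter starting at 0
    for every msg. The nonce is not sent here; the caller (e.g. a packet counter shared
    with the decryptor) must guarantee each (k, nonce) pair encrypts only one message."""
    if not 0 <= nonce < 1 << 64:
        raise ValueError("nonce must fit in 64 bits")
    return ctr_xor(k, nonce << 64, m)

def nonce_ctr_decrypt(k: bytes, nonce: int, c: bytes) -> bytes:
    return nonce_ctr_encrypt(k, nonce, c)
```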

rand ctr-mode (rand. IV): CPA analysis

Counter-mode Theorem: For any L>0, if F is a secure PRF over (K,X,X) then E_CTR is sem. sec. under CPA over (K, X^L, X^(L+1)).
In particular, for a q-query adversary A attacking E_CTR there exists a PRF adversary B s.t.:
  Adv_CPA[A, E_CTR] ≤ 2 · Adv_PRF[B, F] + 2 q² L / |X|

Note: ctr-mode only secure as long as q²L << |X|. Better than CBC!

An example

Adv_CPA[A, E_CTR] ≤ 2 · Adv_PRF[B, F] + 2 q² L / |X|
  q = # messages encrypted with k, L = length of max message

Suppose we want Adv_CPA[A, E_CTR] ≤ 1/2^32
  ⇒ q² L / |X| < 1/2^32
  AES: |X| = 2^128  ⇒  q · L^(1/2) < 2^48
  So, after 2^32 CTs each of len 2^32, must change key (total of 2^64 AES blocks)

Comparison: ctr vs. CBC

                                CBC               ctr mode
  uses                          PRP               PRF
  parallel processing           No                Yes
  Security of rand. enc.        q²L² << |X|       q²L << |X|
  dummy padding block           Yes               No
  1 byte msgs (nonce-based)     16x expansion     no expansion

(for CBC, dummy padding block expansion can be solved using ciphertext stealing)

Summary

PRPs and PRFs: a useful abstraction of block ciphers.
We examined two security notions: (security against eavesdropping)
  1. Semantic security against one-time CPA.
  2. Semantic security against many-time CPA.
Note: neither mode ensures data integrity.

Stated security results summarized in the following table:

  Power \ Goal           Sem. Sec.                       integrity
  one-time key           stream-ciphers, det. ctr-mode   later
  Many-time key (CPA)    rand CBC, rand ctr-mode         later

Further reading

A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997
Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004

End of Segment
