Dan Boneh

Using block ciphers

Review: PRPs and PRFs
[Figure: a block cipher maps an n-bit PT block to an n-bit CT block under a k-bit key, using the algorithms E (encrypt) and D (decrypt).]

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, or 256 bits
Pseudo Random Function (PRF) defined over (K, X, Y):
  F: K × X → Y
  such that there exists an efficient algorithm to evaluate F(k, x).

Pseudo Random Permutation (PRP) defined over (K, X):
  E: K × X → X
  such that:
  1. there exists an efficient deterministic algorithm to evaluate E(k, x),
  2. the function E(k, ·) is one-to-one,
  3. there exists an efficient inversion algorithm D(k, x).
Secure PRFs

Let F: K × X → Y be a PRF.
  Funs[X, Y]: the set of all functions from X to Y; its size is |Y|^|X|.
  S_F = { F(k, ·) s.t. k ∈ K } ⊆ Funs[X, Y]; its size is at most |K|.
[Figure: S_F drawn as a tiny subset of the much larger set Funs[X, Y].]

Secure PRF: definition
For b ∈ {0,1} define experiment EXP(b) as:
  Chal. b = 0: k ← K, f ← F(k, ·)
        b = 1: f ← Funs[X, Y]
  Adv. A sends queries x_1, …, x_q ∈ X, receives f(x_1), …, f(x_q), and outputs b' ∈ {0,1}.
Def: F is a secure PRF if for all efficient A:
  AdvPRF[A, F] := | Pr[EXP(0)=1] − Pr[EXP(1)=1] |
is negligible.
Secure PRP
For b ∈ {0,1} define experiment EXP(b) as:
  Chal. b = 0: k ← K, f ← E(k, ·)
        b = 1: f ← Perms[X]
  Adv. A sends queries x_1, …, x_q ∈ X, receives f(x_1), …, f(x_q), and outputs b' ∈ {0,1}.
Def: E is a secure PRP if for all efficient A:
  AdvPRP[A, E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] |
is negligible.
Is a secure PRP also a secure PRF?
Let E: K × X → X be a secure PRP (e.g. 3DES, AES, …; for AES-128, K = X = {0,1}^128). Is it a secure PRF?

Let X = {0,1}. Attacker A:
  (1) query f(·) at x = 0 and x = 1
  (2) if f(0) = f(1) output 1, else output 0
A permutation of {0,1} never has f(0) = f(1), whereas a random function in Funs[X, X] does with probability 1/2, so
  AdvPRF[A, E] = | 0 − 1/2 | = 1/2
and for such a tiny X the PRP E is not a secure PRF.

PRP/PRF switching lemma: let E be a PRP over (K, X). Then for any q-query adversary A:
  | AdvPRF[A, E] − AdvPRP[A, E] | < q² / 2|X|
⇒ If |X| is large enough that q² / 2|X| is negligible, then AdvPRP[A, E] negligible implies AdvPRF[A, E] negligible: a secure PRP over a large X is also a secure PRF.
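The two-query attacker above and the switching-lemma bound, as an added Python example (not code from the lecture). It idealises the PRP E(k, ·) as a uniformly random permutation (an assumption; this is the best case for a PRP) and computes the collision distinguisher's advantage exactly on small domains by enumerating every function and every permutation, then compares it with q²/2|X|. The function and parameter names are constructed for the example.

```python
# Added example: exact advantage of the collision distinguisher on small domains,
# next to the PRP/PRF switching-lemma bound q^2 / 2|X|.
from fractions import Fraction
from itertools import permutations, product


def collision_distinguisher(f, queries):
    """The adversary A from the slide, generalised to q queries:
    query f at each point in `queries`, output 1 if any two answers collide."""
    answers = [f(x) for x in queries]
    return 1 if len(set(answers)) < len(answers) else 0


def exact_prf_advantage(domain_size, q):
    """|Pr[A=1 | f random permutation] - Pr[A=1 | f random function]|, computed exactly
    by enumerating all functions and all permutations on X = {0, ..., domain_size-1}.
    The PRP world is idealised as a uniformly random permutation (assumption)."""
    X = range(domain_size)
    queries = list(X)[:q]                       # A queries the first q points of X
    funcs = list(product(X, repeat=domain_size))  # every function X -> X as a tuple
    perms = list(permutations(X))                 # every permutation of X
    hits_fun = sum(collision_distinguisher(lambda x, t=t: t[x], queries) for t in funcs)
    hits_perm = sum(collision_distinguisher(lambda x, t=t: t[x], queries) for t in perms)
    p_fun = Fraction(hits_fun, len(funcs))
    p_perm = Fraction(hits_perm, len(perms))
    return abs(p_perm - p_fun)


def closed_form_advantage(domain_size, q):
    """Same quantity without enumeration: a permutation never collides, and a random
    function avoids collisions on q distinct points with probability
    N(N-1)...(N-q+1) / N^q, so the advantage is 1 minus that."""
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction(domain_size - i, domain_size)
    return 1 - no_collision


def switching_bound(domain_size, q):
    """q^2 / 2|X|: the gap between PRF and PRP advantage allowed by the switching lemma."""
    return Fraction(q * q, 2 * domain_size)


if __name__ == "__main__":
    # X = {0,1} with two queries reproduces the slide: advantage 1/2, bound 1.
    for n, q in [(2, 2), (3, 2), (4, 3)]:
        print(f"|X|={n} q={q}: exact={exact_prf_advantage(n, q)} "
              f"closed={closed_form_advantage(n, q)} bound={switching_bound(n, q)}")
```

The enumeration is only feasible for |X| up to five or so; the closed form shows why the advantage shrinks as |X| grows while q stays small, which is exactly the regime in which a block cipher such as AES (|X| = 2^128) can be used as a PRF.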
Final note
Suggestion: don't think about the inner-workings of AES and 3DES.
We assume both are secure PRPs and will see how to use them.

End of Segment
Using block ciphers

Modes of operation: one time key
One-time keys
1. Adversary's power: Adv sees only one ciphertext (one-time key)
2. Adversary's goal: learn info about PT from CT (semantic security)
Incorrect use of a PRP: Electronic Code Book (ECB)
[Figure: each PT block is encrypted on its own, m1 → c1 = E(k, m1) and m2 → c2 = E(k, m2).]
Problem: if m1 = m2 then c1 = c2.

In pictures (courtesy B. Preneel)
[Image not preserved: a bitmap encrypted with ECB still shows the outline of the original picture, because equal plaintext blocks give equal ciphertext blocks.]
Semantic security (one-time key)
For b ∈ {0,1} define experiment EXP(b):
  Chal.: k ← K
  Adv. A sends m0, m1 ∈ M with |m0| = |m1|
  EXP(0): Adv. receives c ← E(k, m0)
  EXP(1): Adv. receives c ← E(k, m1)
  Adv. outputs b' ∈ {0,1}
AdvSS[A, E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | must be negligible for all efficient A.
ECB is not semantically secure (two blocks):
  Chal.: k ← K
  Adv. A sends m0 = "Hello World" and m1 = "Hello Hello" (two blocks each)
  Adv. receives (c1, c2) ← E(k, mb)
  Adv. outputs 1 if c1 = c2, else 0
Only m1 has two equal blocks, so c1 = c2 exactly when b = 1: AdvSS[A, ECB] = 1.
Secure Construction I
Deterministic counter mode from a PRF F:
  E_DETCTR(k, m) = ( m[0] ⊕ F(k,0), m[1] ⊕ F(k,1), …, m[L] ⊕ F(k,L) ) = ( c[0], c[1], …, c[L] )
[Figure: the keystream F(k,0), F(k,1), …, F(k,L) is XORed block-wise into m[0], m[1], …, m[L].]
This is a stream cipher built from the PRF: the whole keystream is derived from k alone.
Proof (hybrid argument)
[Figure: four experiments; in each, adv. A sends (m0, m1) to chal., receives a ciphertext c, and outputs b'.]
  1. chal.: k ← K;     c = m0 ⊕ ( F(k,0), …, F(k,L) )
  2. chal.: f ← Funs;  c = m0 ⊕ ( f(0), …, f(L) )
  3. chal.: f ← Funs;  c = m1 ⊕ ( f(0), …, f(L) )
  4. chal.: k ← K;     c = m1 ⊕ ( F(k,0), …, F(k,L) )
Experiments 1 and 2 (and likewise 3 and 4) are indistinguishable up to the PRF advantage against F. With f ← Funs each pad block f(i) is a uniformly random r ← {0,1}^n, so experiments 2 and 3 are a one-time pad and are perfectly indistinguishable. Hence A's advantage against E_DETCTR is bounded by the PRF advantage against F.
End of Segment

Using block ciphers

Security for many-time key
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.
Semantic security for many-time key (CPA security)
For b ∈ {0,1} define experiment EXP(b):
  Chal.: k ← K
  for i = 1, …, q:
    Adv. sends m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}|
    Adv. receives c_i ← E(k, m_{i,b})
  Adv. outputs b' ∈ {0,1}
(The first query (m_{1,0}, m_{1,1}) → c_1 and the second (m_{2,0}, m_{2,1}) → c_2 are the first two rounds of this loop; later queries may depend on earlier answers.)
Def: E is sem. sec. under CPA if for all efficient A:
  AdvCPA[A, E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] |
is negligible.
Ciphers insecure under CPA
Suppose E(k, m) always outputs the same ciphertext for msg m (deterministic encryption). Then:
  Adv. sends m0, m0 ∈ M and receives c0 ← E(k, m0)
  Adv. sends m0, m1 ∈ M and receives c ← E(k, mb)
  Adv. outputs 0 if c = c0, else 1
The adversary is always right, so AdvCPA[A, E] = 1. If the secret key is to be used multiple times, a given plaintext must map to different ciphertexts each time.
Solution: randomized encryption
[Figure: with a randomized enc, a message m0 (or m1) encrypts to one of many possible ciphertexts; dec maps every one of them back to m0 (or m1).]
Example: randomized encryption from a PRF
Let F: K × R → M be a secure PRF. For m ∈ M define
  E(k, m) = [ r ← R, output (r, F(k, r) ⊕ m) ]
Each encryption draws a fresh random r, so encrypting the same m twice gives different ciphertexts; the ciphertext is longer than the plaintext by the size of r.

Nonce-based encryption
[Figure: Alice computes E(k, m, n) = c from the message m and a nonce n; Bob computes D(k, c, n) = m from c and the same n.]
Nonce-based CPA security
For b ∈ {0,1} define experiment EXP(b):
  Chal.: k ← K
  for i = 1, …, q:
    Adv. sends n_i, m_{i,0}, m_{i,1} with |m_{i,0}| = |m_{i,1}|
    Adv. receives c_i ← E(k, m_{i,b}, n_i)
  Adv. outputs b' ∈ {0,1}
All nonces {n_1, …, n_q} must be distinct.
Def: a nonce-based E is sem. sec. under CPA if for all efficient A:
  AdvnCPA[A, E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] |
is negligible.
Example: counter-based nonce (the encryptor keeps state)
Let F: K × R → M be a secure PRF. Let r = 0 initially. For m ∈ M define
  E(k, m) = [ r++, output (r, F(k, r) ⊕ m) ]
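The counter-mode constructions of this segment and the previous one, as an added Python example (not code from the lecture): deterministic counter mode E_DETCTR from the one-time-key segment, the two-query CPA attack above that breaks any deterministic cipher, randomized counter mode with a fresh IV, and the counter-based nonce variant (r++) laid out as the 64-bit nonce ‖ 64-bit counter IV used later in the ctr-mode segment. The PRF F is assumed to be HMAC-SHA256 truncated to 128 bits, standing in for AES; keys, messages and the helper names are constructed for the example.

```python
# Added example: counter mode from a PRF in deterministic, randomized and
# nonce-based forms, plus the CPA adversary that separates them.
import hashlib
import hmac
import os

BLOCK = 16               # PRF output length in bytes (128-bit blocks)
COUNTER_MOD = 1 << 128   # PRF inputs are 128-bit counters


def F(k: bytes, x: int) -> bytes:
    """PRF F: K x {0,1}^128 -> {0,1}^128. Assumption: HMAC-SHA256 truncated, in place of AES."""
    return hmac.new(k, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(k: bytes, start: int, nbytes: int) -> bytes:
    """F(k,start) || F(k,start+1) || ... truncated to nbytes."""
    nblocks = -(-nbytes // BLOCK)
    return b"".join(F(k, (start + i) % COUNTER_MOD) for i in range(nblocks))[:nbytes]


def det_ctr_encrypt(k: bytes, m: bytes) -> bytes:
    """E_DETCTR(k, m): c[i] = m[i] XOR F(k, i); the counter always starts at 0."""
    return xor(m, keystream(k, 0, len(m)))


det_ctr_decrypt = det_ctr_encrypt   # decryption XORs with the same pad


def ctr_encrypt(k: bytes, m: bytes, iv: int) -> bytes:
    """Counter mode with an explicit starting counter IV; output is IV || c."""
    return iv.to_bytes(BLOCK, "big") + xor(m, keystream(k, iv, len(m)))


def ctr_decrypt(k: bytes, c: bytes) -> bytes:
    iv = int.from_bytes(c[:BLOCK], "big")
    return xor(c[BLOCK:], keystream(k, iv, len(c) - BLOCK))


def rand_ctr_encrypt(k: bytes, m: bytes) -> bytes:
    """Randomized CTR: a fresh random IV for every message, sent with the ciphertext."""
    return ctr_encrypt(k, m, int.from_bytes(os.urandom(BLOCK), "big"))


class NonceCtr:
    """Nonce-based CTR: IV = 64-bit nonce || 64-bit counter that starts at 0 for each message.
    The nonce itself is a counter r (r++ per message), so it never repeats under one key."""

    def __init__(self, k: bytes):
        self.k, self.r = k, 0

    def encrypt(self, m: bytes) -> bytes:
        if self.r >= 1 << 64:
            raise RuntimeError("nonce space exhausted: rekey before encrypting again")
        iv = self.r << 64          # nonce in the high 64 bits, per-message counter in the low 64
        self.r += 1
        return ctr_encrypt(self.k, m, iv)


def cpa_advantage(encrypt, k: bytes, trials: int = 32) -> float:
    """The two-query CPA adversary from the slides: query (m0, m0) to get c0, then (m0, m1)
    to get c, and output 0 iff c == c0. Returns |Pr[A=1 | b=0] - Pr[A=1 | b=1]|."""
    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"   # constructed, equal length

    def run(b: int) -> int:
        c0 = encrypt(k, m0)
        c = encrypt(k, m1 if b else m0)
        return 0 if c == c0 else 1

    p0 = sum(run(0) for _ in range(trials)) / trials
    p1 = sum(run(1) for _ in range(trials)) / trials
    return abs(p0 - p1)


def two_time_pad_leak(k: bytes, m_a: bytes, m_b: bytes) -> bool:
    """Deterministic CTR under one key reuses the pad: c_a XOR c_b == m_a XOR m_b."""
    return xor(det_ctr_encrypt(k, m_a), det_ctr_encrypt(k, m_b)) == xor(m_a, m_b)


if __name__ == "__main__":
    k = os.urandom(BLOCK)
    print("det CTR advantage :", cpa_advantage(det_ctr_encrypt, k))   # 1.0
    print("rand CTR advantage:", cpa_advantage(rand_ctr_encrypt, k))  # 0.0
    print("two-time pad leak :", two_time_pad_leak(k, b"Hello World", b"Hello Hello"))
```

Against det_ctr_encrypt the adversary's advantage is exactly 1 (the second ciphertext equals c0 precisely when b = 0), against rand_ctr_encrypt it is 0 up to the negligible chance of two equal random IVs; the nonce-based encryptor is deterministic given the nonce, which is why the nonce-based CPA game above requires the adversary's nonces to be distinct.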
End of Segment

Using block ciphers

Modes of operation: many time key (CBC)
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.
Construction 1: CBC with a random IV
E_CBC(k, m): choose a random IV ∈ X and chain the blocks.
[Figure: IV ⊕ m[0] → E(k,·) → c[0]; c[0] ⊕ m[1] → E(k,·) → c[1]; c[1] ⊕ m[2] → E(k,·) → c[2]; c[2] ⊕ m[3] → E(k,·) → c[3].]
ciphertext = (IV, c[0], c[1], c[2], c[3])

Decryption circuit
[Figure: D(k,·) is applied to each c[i] and the result is XORed with the previous ciphertext block (with the IV for c[0]) to recover m[0], m[1], m[2], m[3].]
In symbols: c[0] = E(k, IV ⊕ m[0]) and c[i] = E(k, c[i−1] ⊕ m[i]) for encryption; m[0] = D(k, c[0]) ⊕ IV and m[i] = D(k, c[i]) ⊕ c[i−1] for decryption.
CBC: CPA Analysis
CBC Theorem: if E is a secure PRP over (K, X) then E_CBC is sem. sec. under CPA; in particular, for every q-query adversary A attacking E_CBC there is a PRP adversary B such that
  AdvCPA[A, E_CBC] ≤ 2·AdvPRP[B, E] + 2 q² L² / |X|
where q = # messages encrypted with k and L = length (in blocks) of the longest message.
Note: CBC is only secure as long as q² L² << |X|.

An example
Suppose we want AdvCPA[A, E_CBC] ≤ 1/2^32, i.e. q² L² / |X| < 1/2^32.
  AES:  |X| = 2^128 ⇒ q L < 2^48, so after 2^48 AES blocks the key must be changed.
  3DES: |X| = 2^64  ⇒ q L < 2^16.
Construction 1': nonce-based CBC
Cipher block chaining with a unique nonce: key = (k, k1), and the (key, nonce) pair is used for only one message.
[Figure: nonce → E(k1,·) → IV; then IV ⊕ m[0] → E(k,·) → c[0], c[0] ⊕ m[1] → E(k,·) → c[1], c[1] ⊕ m[2] → E(k,·) → c[2], c[2] ⊕ m[3] → E(k,·) → c[3].]
ciphertext = (c[0], c[1], c[2], c[3]); the IV is derived from the nonce under the second key k1 and is not sent.
A CBC technicality: padding
TLS: for n > 0, the n-byte pad is [n, n, …, n] (n bytes, each of value n); if no pad is needed, add a dummy block.
[Figure: the last block m[3] ll pad passes through the chain like the others; the pad is removed during decryption.]
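CBC with a random IV, nonce-based CBC with IV = E(k1, nonce), and the TLS-style pad just described, as an added Python example (not code from the lecture). Assumption: the PRP E is not AES but a 4-round Feistel network with an HMAC-SHA256 round function (the Luby-Rackoff construction of a PRP from a PRF), used only as a stand-in block cipher on 16-byte blocks; keys, nonces and helper names are constructed for the example.

```python
# Added example: CBC (random IV and nonce-based) over a stand-in PRP, with TLS-style padding.
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: a PRF keyed by k, domain-separated by the round index i.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def E(k: bytes, x: bytes) -> bytes:
    """PRP E(k, .) on 16-byte blocks (assumption: Feistel stand-in for AES)."""
    assert len(x) == BLOCK
    L, R = x[:BLOCK // 2], x[BLOCK // 2:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def D(k: bytes, y: bytes) -> bytes:
    """Inverse of E(k, .): undo the Feistel rounds in reverse order."""
    assert len(y) == BLOCK
    L, R = y[:BLOCK // 2], y[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


def pad(m: bytes) -> bytes:
    """TLS-style pad: n bytes of value n (1 <= n <= 16); a whole dummy block when m is aligned."""
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(p: bytes) -> bytes:
    n = p[-1] if p else 0
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]


def cbc_encrypt_iv(k: bytes, m: bytes, iv: bytes) -> bytes:
    """c[0] = E(k, IV xor m[0]), c[i] = E(k, c[i-1] xor m[i]); returns c[0] || ... || c[L]."""
    p = pad(m)
    prev, out = iv, []
    for i in range(0, len(p), BLOCK):
        prev = E(k, xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_iv(k: bytes, c: bytes, iv: bytes) -> bytes:
    """m[0] = D(k, c[0]) xor IV, m[i] = D(k, c[i]) xor c[i-1], then strip the pad."""
    prev, out = iv, []
    for i in range(0, len(c), BLOCK):
        blk = c[i:i + BLOCK]
        out.append(xor(D(k, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def cbc_rand_encrypt(k: bytes, m: bytes) -> bytes:
    """Construction 1: random IV, transmitted as the first ciphertext block."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt_iv(k, m, iv)


def cbc_rand_decrypt(k: bytes, c: bytes) -> bytes:
    return cbc_decrypt_iv(k, c[BLOCK:], c[:BLOCK])


def cbc_nonce_encrypt(k: bytes, k1: bytes, nonce: bytes, m: bytes) -> bytes:
    """Construction 1': IV = E(k1, nonce) under the second key k1; only the nonce travels
    with the message, and a nonce must never repeat under the same key pair."""
    return cbc_encrypt_iv(k, m, E(k1, nonce))


def cbc_nonce_decrypt(k: bytes, k1: bytes, nonce: bytes, c: bytes) -> bytes:
    return cbc_decrypt_iv(k, c, E(k1, nonce))
```

Note that a 16-byte message pads to 32 bytes (the dummy block) and that the padding check in unpad rejects malformed pads; in a real protocol that check must not leak timing or error information, which is a separate topic.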
End of Segment

Using block ciphers

Modes of operation: many time key (CTR)
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.
Construction 2: rand ctr-mode
msg = m[0], m[1], …, m[L]. Choose a random IV for every message and compute
  c[i] = m[i] ⊕ F(k, IV + i)   for i = 0, …, L
[Figure: the keystream F(k,IV), F(k,IV+1), …, F(k,IV+L) is XORed block-wise into m[0], m[1], …, m[L].]
ciphertext = (IV, c[0], c[1], …, c[L])

Better: nonce-based ctr-mode
IV (128 bits) = nonce (64 bits) ‖ counter (64 bits), where the counter starts at 0 for every msg.
[Figure: the same keystream F(k,IV), F(k,IV+1), …, F(k,IV+L), now with this structured IV.]
An example
  AdvCPA[A, E_CTR] ≤ 2·AdvPRF[B, E] + 2 q² L / |X|
  q = # messages encrypted with k, L = length (in blocks) of the longest message
Suppose we want AdvCPA[A, E_CTR] ≤ 1/2^32, i.e. q² L / |X| < 1/2^32, with AES: |X| = 2^128.
So, after 2^32 CTs each of len 2^32, must change key (total of 2^64 AES blocks).
Comparison: ctr vs. CBC
                               CBC               ctr mode
uses                           PRP               PRF
parallel processing            No                Yes
security of rand. enc.         q² L² << |X|      q² L << |X|
dummy padding block            Yes               No
1 byte msgs (nonce-based)      16x expansion     no expansion
(for CBC, dummy padding block expansion can be solved using ciphertext stealing)
Summary
PRPs and PRFs: a useful abstraction of block ciphers.
We examined two security notions (security against eavesdropping):
  one-time key: semantic security, achieved by det. ctr-mode
  many-time key: CPA security, achieved by rand ctr-mode (and CBC with a random IV)
  CPA security with integrity: later
Further reading
A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997
Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004

End of Segment