introduction to practical cryptography
![Page 1: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/1.jpg)
1
Introduction to Practical Cryptography
Redaction
Proxy Cryptography
![Page 2: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/2.jpg)
2
Agenda
• Redaction
• Proxy Cryptography
![Page 3: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/3.jpg)
3
Redaction
• Process of removing sensitive or confidential information from a document without distorting the meaning of the document.
• Portions of a document may be redactable; others may be non-redactable.
• Should provide indication when something has been redacted; otherwise, meaning of the document can be altered by removing portions of the content.
![Page 4: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/4.jpg)
4
Redaction
• Removal of information from documents, media …
The project involved people with a budget of
• Image with brand name that must be removed
![Page 5: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/5.jpg)
5
Redaction Example
• Original content:
  – John Doe testified that Al Smith did not commit the crime.
• After redaction:
  – [REDACTED] testified that Al Smith did not commit the crime.
  – testified that Al Smith did not commit the crime.
• If redaction is not indicated, the meaning can be changed:
  – John Doe testified that Al Smith did commit the crime.
![Page 6: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/6.jpg)
6
Redaction - Examples
• Government documents
  • classified information is removed prior to public release
• Financial documents
  • mortgage application: different people need subsets of the information - appraiser doesn’t need to see income
• Legal documents
  • some information remains under attorney-client privilege
• Medical records
  • different employees access different information
• Corporations
  • different employees have access to subsets of information
• Public records
  • towns in US that place mortgage, property tax information online – remove personal information
![Page 7: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/7.jpg)
7
Mistakes
• Changing the background color to match the font color - underlying text is still there, can be retrieved by changing the color
• Changes saved automatically by program as part of revision history
• Drawing a black box over the text – box can be removed
![Page 8: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/8.jpg)
8
Information Leakage
• Length of redacted area
  • The budget for project is .
  • The budget for project is .
  • The first name of the witness is .
• Inferred content
  • Name
  • Address
  • Date
  • Value
• Human error
  • Forget to redact/overlook one or more pieces
![Page 9: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/9.jpg)
9
Formatting
• Altering length of redacted area to reduce information leakage changes format
  • Alters length of document
  • Re-align paragraphs, page breaks
  • If alter number of pixels in an image, can garble display of rest of image
![Page 10: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/10.jpg)
10
Authenticating Document
• How to sign a document?
  • Hash then encrypt doesn’t work – sign the original then redact invalidates signature
  • If document signed after redaction, what indicates information was not altered in the process?
![Page 11: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/11.jpg)
11
Authenticating a Document
• How to sign a document?
  • “The witness is John Smith”
  • Hash: 07ed235678a3b4de0075
  • Encrypt with RSA: 453872907
• Redact
  • The witness is
• Send redacted document and signature
![Page 12: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/12.jpg)
12
Authenticating a Document
• Recipient receives
  • The witness is
  • Signature 453872907
• Recipient tries to verify signature
  • Decrypt signature: 07ed235678a3b4de0075
  • Hash received text: 3245cea1eded01821111
  • Doesn’t match decrypted signature
![Page 13: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/13.jpg)
13
Authenticating a Document
• How to verify that information that was not supposed to be redacted was left intact?
• The problem is not only how to authenticate what remains in the clear, but also how to show that information that was supposed to remain in the clear was not redacted
![Page 14: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/14.jpg)
14
Authenticating a Document
• Need to authenticate non-redacted information is unchanged from the original
  • How?
• Need to authenticate that information was not improperly removed
  • How?
![Page 15: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/15.jpg)
15
Authenticating a Document
• Hash tree – also called Merkle tree
[Figure: hash tree with root H; internal nodes H01 and H23; leaf hashes H0, H1, H2, H3 over data blocks D0, D1, D2, D3]
![Page 16: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/16.jpg)
16
Algorithm
• Uses 4 binary trees
• Roots of two trees are used for the signature
• Retain nodes which allow the roots to be recomputed.
• Nodes retained depends on which subdocuments are redacted and which ones are non-redactable.
• Easiest way to explain is via diagrams …
![Page 17: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/17.jpg)
17
R and X Trees
[Figure: R tree (r11; r21, r22; r31 … r34; r41 … r48) expanded downward from the seed, messages m1 … m8 under its leaves, and X tree (x41 … x48; x31 … x34; x21, x22; x11) hashed upward to the root. Leaf label: hash (mi || r4i)]
• x’s formed by hashing children
• r’s formed by random bit generation using parent node as seed
![Page 18: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/18.jpg)
18
S and Y Trees
[Figure: S tree (s11; s21, s22; s31 … s34; s41 … s48) expanded downward from the seed, and Y tree (y41 … y48; y31 … y34; y21, y22; y11) hashed upward to the root]
• y4i = hash (s4i)
• y’s formed by hashing children
• s’s formed by random bit generation using parent node as seed
![Page 19: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/19.jpg)
19
How Trees are Used
• Sign(x root || y root)
• Original document: include r seed and s seed.
  – Recipient can recompute all xi, yi to verify signature.
• Redact mi: delete path of r nodes to xi, include xi and siblings of deleted r nodes.
• Non-redactable mi: delete path of s nodes to yi, include yi and siblings of deleted s nodes.
• If both children of an x node are included, save parent node instead; likewise for y nodes.
![Page 20: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/20.jpg)
20
Redacted Subdocument
[Figure: the R and X trees over m1 … m8 with m2 marked as redacted]
m2 is redacted
r42 must be “removed”
![Page 21: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/21.jpg)
21
Adjacent Redacted Subdocuments
[Figure: the R and X trees over m1 … m8 with two adjacent subdocuments marked as redacted]
m1 and m2 are redacted
![Page 22: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/22.jpg)
22
Non-Redactable Subdocument
[Figure: the S and Y trees with the leaf for m5 marked as non-redactable]
m5 is non-redactable
s45 must be “removed”
![Page 23: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/23.jpg)
23
Adjacent Non-Redactable Subdocuments
[Figure: the S and Y trees with the leaves for two adjacent subdocuments marked as non-redactable]
m5 and m6 are non-redactable
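
The R and X trees and the "Redact mi" rule from the slides above, as an added example that is not part of the original deck. It assumes SHA-256 both as the hash and as the seed-expansion step, covers a single redaction in the R/X pair only (the S/Y pair for non-redactable subdocuments follows the same pattern), and leaves out the signature over the roots; all function names and the sample document are constructed.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (assumed hash; the slides name none)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def children(r: bytes):
    """Derive both child r values from the parent, used as a seed."""
    return H(b"left", r), H(b"right", r)

def expand(r: bytes, levels: int):
    """All r leaves found `levels` rows below node r, left to right."""
    row = [r]
    for _ in range(levels):
        row = [c for node in row for c in children(node)]
    return row

def merkle_root(leaves):
    """x's formed by hashing children, up to the root."""
    row = list(leaves)
    while len(row) > 1:
        row = [H(row[i], row[i + 1]) for i in range(0, len(row), 2)]
    return row[0]

def x_root(msgs, seed: bytes) -> bytes:
    """Original document: the seed regenerates every r leaf, hence every x."""
    depth = (len(msgs) - 1).bit_length()
    return merkle_root(H(m, r) for m, r in zip(msgs, expand(seed, depth)))

def redact(msgs, seed: bytes, i: int) -> dict:
    """Drop m_i and the r path down to its leaf; keep x_i and the path's siblings."""
    depth = (len(msgs) - 1).bit_length()
    node, siblings = seed, []
    for level in range(depth):
        left, right = children(node)
        go_right = (i >> (depth - 1 - level)) & 1
        siblings.append(left if go_right else right)
        node = right if go_right else left          # path node, never released
    return {"msgs": [None if j == i else m for j, m in enumerate(msgs)],
            "redacted": i, "x_i": H(msgs[i], node), "r_siblings": siblings}

def x_root_redacted(doc: dict) -> bytes:
    """Recipient: rebuild every x leaf except x_i from the kept r siblings."""
    n, i = len(doc["msgs"]), doc["redacted"]
    depth = (n - 1).bit_length()
    leaves, lo, size = [None] * n, 0, n
    for level, sib in enumerate(doc["r_siblings"]):
        size //= 2
        go_right = (i >> (depth - 1 - level)) & 1
        start = lo if go_right else lo + size        # leaves covered by the sibling
        for j, r in enumerate(expand(sib, depth - 1 - level)):
            leaves[start + j] = H(doc["msgs"][start + j], r)
        lo += size if go_right else 0
    leaves[i] = doc["x_i"]
    return merkle_root(leaves)

# Constructed sample: eight subdocuments m1..m8 and a fixed seed.
MSGS = [w.encode() for w in "The witness is John Smith of Elm Street".split()]
SEED = bytes(32)  # all-zero only so the example is reproducible

if __name__ == "__main__":
    signed = x_root(MSGS, SEED)          # this root is what the signature covers
    doc = redact(MSGS, SEED, 1)          # redact m2, as on the slide
    print(x_root_redacted(doc) == signed)
```

Because x_i is released without its r leaf, the recipient can confirm the root but cannot test guesses for the redacted subdocument against x_i.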
![Page 24: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/24.jpg)
24
Architecture
• Allow different document processing applications (document editors and viewers) to utilize the redaction software through a common API.
• Permit the application to decide what information must be signed and verified – e.g. content only, content and some formatting, content and all formatting
• Permit the application to decide what constitutes a subdocument
![Page 25: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/25.jpg)
25
Issues
• Format converter
  – Difficulty varies per editor/viewer - pdf vs ASCII
  – Opening file of same format in different editors can unintentionally modify the content
• User interface
  – What should be a subdocument?
  – Should white space matter?
  – How to indicate to the user a subdocument has been redacted and a subdocument is non-redactable?
  – If redaction is indicated, length provides hint to the user about the deleted content. However, changing the length can alter the appearance and any white space in the content.
![Page 26: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/26.jpg)
26
Original Text
"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." Dale Carnegie
![Page 27: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/27.jpg)
27
Subdocuments
<"Did><you><ever><see><an><unhappy><horse?><Did><you><ever><see><a><bird><that><has><the><blues?><One><reason><why><birds><and><horses><are><not><unhappy><is><because><they><are><not><trying><to><impress><other><birds><and><horses."><Dale><Carnegie>
![Page 28: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/28.jpg)
28
Redact Author’s Name
"Did you ever see an unhappy horse? Did you ever see a bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
![Page 29: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/29.jpg)
29
Make Two Words Non-Redactable
"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other birds and horses." [R] [R]
![Page 30: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/30.jpg)
30
Alter Content
"Did you ever see an unhappy [N]horse? Did you ever see a [N]bird that has the blues? One reason why birds and horses are not unhappy is because they are not trying to impress other people and horses." [R] [R]
![Page 31: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/31.jpg)
31
Examples
http://www.nsa.gov/public/crypt_spectrum.cfm
![Page 32: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/32.jpg)
32
Proxy Cryptography
![Page 33: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/33.jpg)
33
Proxy Cryptography
• Convert ciphertext from encryption with one key to encryption with another key:
  – Encrypt with one key, let recipient decrypt with some other key
• Similar notion for signatures: sign with one key, let recipient verify with another key.
![Page 34: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/34.jpg)
34
Proxy Cryptography
• Proxy converts C1 to C2
  – A, B publish kab
  – ka, kb private keys
[Figure: A → Proxy → B. A sends C1 = Eka(P); the proxy computes C2 = Hkab(C1) and forwards C2; B recovers P = Dkb(C2)]
• Allows an intermediate entity (proxy) to convert ciphertext between two keys without exposing the plaintext
![Page 35: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/35.jpg)
35
Proxy Cryptography
• VPNs
• File servers
• Transform A’s signature into B’s signature
![Page 36: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/36.jpg)
36
Proxy Cryptography
•Applied to public key ciphers
•El Gamal, RSA [Okamoto, Mambo, ‘97; Blaze, et.al. ‘98]
![Page 37: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/37.jpg)
37
Blaze, et. al
• similar in structure to ElGamal encryption
• but with the parameters used differently and the inverse of the secret used to recover the message
• the speed of the scheme is comparable to standard ElGamal encryption, although initial key generation requires the additional calculation and storage of a parameter a^-1
![Page 38: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/38.jpg)
38
Cryptosystem X (encryption)
• Parameters
  • p is a prime of the form 2q + 1 for a prime q
  • g is a generator in Z*_p
  • p and g are public
• A’s private key
  – A's private key: a, 0 < a < p - 1, randomly picked from Z*_2q (a is relatively prime to p - 1)
  – A calculates inverse: a^-1 mod 2q.
  – A’s public key: (g^a mod p, g, p)
![Page 39: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/39.jpg)
39
Cryptosystem X (encryption)
• Encryption
  – Select a unique random k from Z*_2q, k is secret
  – To encrypt message m with A's key, compute and send ciphertext values (c1, c2):
    • c1 = m g^k mod p
    • c2 = (g^a)^k mod p
• Decryption:
  – A (knows a^-1) calculates g^k and recovers m:
    • c2^(a^-1) = g^k (mod p), solve for g^k
    • Compute (g^k)^-1 mod p
    • m = c1 (c2^(a^-1))^-1 mod p
![Page 40: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/40.jpg)
40
Example
• Parameters
  – p = 23 = 2x11 + 1
  – g = 5 (generates {5,2,10,4,20,8,17,16,11,9,22,18,21,13,19,3,15,6,7,12,14,1})
  – a = 3
  – a^-1 = 15 (15*3 = 45 = 1 mod 22)
  – g^a mod p = 5^3 mod 23 = 10
• Encrypt m = 2 using k = 7
  • g^k mod 23 = 17
  • c1 = m g^k = 2*5^7 mod 23 = 11
  • c2 = (g^a)^k = 10^7 mod 23 = 14
• Decrypt
  • c2^(a^-1) = 14^15 mod 23 (14^2 mod 23 = 12, 12^7 * 14 mod 23, 12^2 = 6 mod 23)
  • = 6^3*12*14 mod 23 = 17
  • c1 = m*g^k mod 23:
  • 11 = m*17 mod 23
  • 11*17^-1 mod 23 = m (17^-1 mod 23 = 19)
  • 11*19 mod 23 = 2
![Page 41: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/41.jpg)
41
Proxy Function for X
• c1 ciphertext component produced by Cryptosystem X is independent of the recipient's public key.
• Recipient A's key is embedded only in the c2 exponent
• Proxy function to convert ciphertext for A into ciphertext for B
  – remove A's key a from c2 and replace it with B's key b.
  – similar to the first step of the decryption function, raising c2 to a^-1 to remove a.
  – then contribute a factor of b to the exponent.
• simply raising c2 to a^-1 and then to b would accomplish this
• but does not qualify as a secure proxy function; anyone who examines the proxy key learns the secret keys for both A and B.
• This problem is avoided by combining the two steps into one. Hence, the proxy key AB: (a^-1)b
  – the proxy function is simply c2^AB
![Page 42: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/42.jpg)
42
Symmetric proxy function for X
• Note that this is a “symmetric” proxy function;
  – A and B must trust one another bilaterally.
  – B can learn A's secret (by multiplying the proxy key by b^-1)
  – A can similarly discover B's key.
• This proxy function is also translucent
  – the proxy key does not directly reveal A or B, but anyone can verify a guess by encrypting a message with A's public key, applying the proxy function, and comparing the result with the encryption of the same message (with the same k) with B's public key.
• Applying the proxy function is more efficient than decryption and re-encryption, in that only one exponentiation is required.
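
Cryptosystem X and its proxy function run on the slide's own numbers (p = 23, g = 5, a = 3, k = 7, m = 2), as an added example that is not code from the deck or from Blaze et al. B's secret b = 13 and all function names are constructed for illustration; the last two functions show the "symmetric" and "translucent" properties listed above.

```python
from math import gcd

P, G = 23, 5     # slide parameters: p = 2*11 + 1, g = 5 generates Z*_p
ORDER = P - 1    # exponents are taken modulo 2q = 22

def keypair(secret: int):
    """Return (secret, secret^-1 mod 2q, public value g^secret mod p)."""
    if gcd(secret, ORDER) != 1:
        raise ValueError("secret must be relatively prime to p - 1")
    return secret, pow(secret, -1, ORDER), pow(G, secret, P)

def encrypt(m: int, public: int, k: int):
    """c1 = m * g^k, c2 = (g^a)^k; only c2 depends on the recipient."""
    if gcd(k, ORDER) != 1:
        raise ValueError("k must be drawn from Z*_2q")
    return (m * pow(G, k, P)) % P, pow(public, k, P)

def decrypt(c1: int, c2: int, inverse: int) -> int:
    """Recover g^k = c2^(a^-1), then m = c1 * (g^k)^-1."""
    g_k = pow(c2, inverse, P)
    return (c1 * pow(g_k, -1, P)) % P

def proxy_key(inverse_a: int, b: int) -> int:
    """AB = a^-1 * b, combined so the proxy holds neither a nor b alone."""
    return (inverse_a * b) % ORDER

def reencrypt(c1: int, c2: int, ab: int):
    """Proxy function: one exponentiation on c2, c1 passes through."""
    return c1, pow(c2, ab, P)

def a_from_proxy_key(ab: int, b: int) -> int:
    """Symmetry: a party holding b turns AB back into a^-1, then a."""
    inverse_a = (ab * pow(b, -1, ORDER)) % ORDER
    return pow(inverse_a, -1, ORDER)

def guess_matches(guess: int, public_a: int, public_b: int, k: int = 7) -> bool:
    """Translucency: a guessed proxy key can be checked from public keys alone."""
    return pow(pow(public_a, k, P), guess, P) == pow(public_b, k, P)

if __name__ == "__main__":
    a, inv_a, pub_a = keypair(3)      # A's key from the slide
    b, inv_b, pub_b = keypair(13)     # B's key: constructed for this example
    c1, c2 = encrypt(2, pub_a, 7)     # (11, 14), as on the slide
    ab = proxy_key(inv_a, b)
    print(decrypt(*reencrypt(c1, c2, ab), inv_b))   # B reads m = 2
```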
![Page 43: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/43.jpg)
43
Proxy Signature
• Signature will verify with key other than that of the original signer
![Page 44: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/44.jpg)
44
Conversion and Proxy Functions for Symmetric Key Ciphers
![Page 45: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/45.jpg)
45
Or more appropriately …
why a symmetric key cipher that is closed under functional composition is useful for applications but undesirable from a security perspective
![Page 46: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/46.jpg)
46
Motivation
[Figure, two panels over parties A1 … A8: "Pair-wise establishment or sharing of keys" and "Gateway converting ciphertext between keys"]
• Each Ai wants to exchange ciphertext with each Aj
• Size of data requires use of a symmetric key cipher
• Collectively, the Ai’s do not share a key
![Page 47: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/47.jpg)
47
Motivation
• Converting from encryption under one key, k1, to encryption under another key, k2:
  – For example, VPN gateways
• Is there a way to perform the conversion that
  – Is faster than decrypting with k1 and encrypting with k2?
  – Avoids exposing the plaintext during the conversion?
[Figure: A → Gateway → B. A sends C1 = Ek1(P); the gateway computes C2 = Ek2(Dk1(C1)) and forwards C2; B recovers P = Dk2(C2)]
![Page 48: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/48.jpg)
48
Notation
• S: a symmetric key cipher
• K: key space of S
• |K|: size of K
• k, ki: element of K
• E: encryption function of S
• D: decryption function of S
• Ek: encryption using key k
• Dk: decryption using key k
• Gkg: conversion function using key kg
• P: plaintext
• C: ciphertext
![Page 49: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/49.jpg)
49
Overview
• Conversion function G for symmetric key cipher S
  – Gkg(Ek1(P)) = Ek2(P) for all plaintext P
• Such that
  – kg dependent on k1 and k2
  – P may or may not be exposed during the conversion
  – G is a secure conversion function if P is not exposed
• G exists: (trivially) use Ek2(Dk1(C))
• Existence of G requiring less work than Ek2(Dk1(C)) has implications on security of S
![Page 50: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/50.jpg)
50
Proxy Cryptography and Symmetric Key Ciphers
• Can a proxy exist for symmetric key ciphers?
  – Trivial construction – “onion routing” [Ivan, Dodis, ‘03]
  – Subset of secure conversion functions
• Workload
  – Total work across 3 entities is same as if proxy decrypted then encrypted
  – Reallocates work to A
• But …
  – notice that A, B share key material and A has B’s entire key
[Figure: A → Proxy → B. A sends C1 = Ek2(Ek1(P)); the proxy computes C2 = Dk2(C1) and forwards C2; B recovers P = Dk1(C2)]
![Page 51: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/51.jpg)
51
Proxy Cryptography and Symmetric Key Ciphers
• Suppose a proxy function exists for a symmetric key cipher and requires one application of the cipher
• Implies closure under functional composition
[Figure: A → Proxy → B. A sends C1 = Eka(P); the proxy computes C2 = Ekab(C1) and forwards C2; B recovers P = Dkb(C2)]
![Page 52: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/52.jpg)
52
Implications of Group Property
• Proof that DES is not a group [Kaliski, et.al. ‘88]
• Recall - a group is closed under functional composition
• For a block cipher, this implies
  – for every k1, k2, there exists a k3 such that Ek3(Ek2(P)) = Ek1(P) for all P
  – O(2^(n/2)) time required for a key search vs. O(2^n) for non-group (n = key length)
![Page 53: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/53.jpg)
53
Attack Overview [Kaliski, et.al.]
• Attack due to Birthday Paradox:
  – Given a known (P,C) pair with C = Ek2(P), finds k1, k3 to use in place of k2
  – Divide K into two subsets KA, KB
  – Randomly choose k1 from KA, k3 from KB
  – Check if Ek3(Ek1(P)) = C (i.e. Ek1(P) = Dk3(C))
  – O(2^(n/2)) time
• Cycling attack:
  – Given P and C, randomly choose keys from K to form Ekai(… Eka2(Eka1(P))…) = Dkbj(… Dkb2(Dkb1(C))…)
  – Finds a series of keys to use in place of k2
  – O(2n/2 +) time for small
![Page 54: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/54.jpg)
54
Extension to Conversions
• Lemma: For a symmetric key cipher S with key space K and encryption function E, if there exists a function G taking parameter kg in KG, |KG| = |K| = 2^n, and for all k1, k2 in K there exists a kg for which Gkg(Ek1(P)) = Ek2(P) for all P, then there exists an O(2^(n/2)) known plaintext attack on S.
• To obtain security comparable to an exhaustive key search, need to double key length of S
• Assumes workload of G is O(workload of S)
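
The birthday search from the attack overview, run against a toy cipher that is closed under composition, as an added example that is not part of the original deck. The cipher (multiplication modulo the prime 65537, giving a 2^16 key space), the key and plaintext values and the function names are all constructed; the point is that one known (P, C) pair yields an equivalent key pair after a few thousand cipher operations instead of a 2^16 search.

```python
import random

Q = 65537        # prime modulus: keys and blocks are 1..Q-1, so |K| = 2^16

def E(k: int, p: int) -> int:
    """Toy cipher closed under composition: E_k3(E_k1(P)) = E_(k1*k3)(P)."""
    return (k * p) % Q

def D(k: int, c: int) -> int:
    """Inverse of E under the same key."""
    return (pow(k, -1, Q) * c) % Q

def birthday_search(p, c, samples=1024, max_trials=8192, rng=None):
    """Find (k1, k3) with E_k3(E_k1(p)) == c from one known pair.

    KA is the lower half of the key space and KB the upper half.
    Returns (k1, k3, cipher_operations), or None if the trial budget runs out.
    """
    rng = rng or random.Random(0)        # fixed seed keeps the run reproducible
    half = Q // 2
    forward = {}
    for _ in range(samples):             # table of E_k1(P) for random k1 in KA
        k1 = rng.randrange(1, half)
        forward[E(k1, p)] = k1
    for trial in range(1, max_trials + 1):
        k3 = rng.randrange(half, Q)      # test D_k3(C) for random k3 in KB
        k1 = forward.get(D(k3, c))
        if k1 is not None:
            return k1, k3, samples + trial
    return None

SECRET_K2 = 40507    # constructed key; the search never reads it
KNOWN_P = 12345      # constructed known plaintext

if __name__ == "__main__":
    known_c = E(SECRET_K2, KNOWN_P)
    k1, k3, work = birthday_search(KNOWN_P, known_c)
    # Closure means the pair stands in for k2 on every other block too.
    print(work, E(k3, E(k1, 777)) == E(SECRET_K2, 777))
```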
![Page 55: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/55.jpg)
55
Constructions – Double Encryption
• Converter cannot obtain P
• Key material
  – Pairwise sharing of partial key material, but no one has another’s entire key
  – kab can be used with other parties
• Workload
  – converter is decrypting and encrypting
  – A, B incur two applications of the cipher
[Figure: A → Converter → B. A sends C1 = Eka(Ekab(P)); the converter computes C2 = Ekb(Dka(C1)) and forwards C2; B recovers P = Dkab(Dkb(C2))]
![Page 56: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/56.jpg)
56
“Double Encryption” - Alternate View
Assuming a round based block cipher …
• A encrypts r1 rounds using kab, r2 rounds using ka
• Converter decrypts r2 rounds using ka, encrypts r2 rounds using kb
• B decrypts r2 rounds using kb, r1 rounds using kab
[Figure: A → Converter → B. A sends C1 = Ekab,ka(P) (r1, r2 rounds); the converter computes C2 = Ekb(Dka(C1)) (r2, r2 rounds) and forwards C2; B recovers P = Dkb,kab(C2) (r2, r1 rounds)]
![Page 57: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/57.jpg)
57
Alternate View continued
• Workload
  – Dependent on number of rounds
• Security
  – If r rounds in cipher …
  – Require r1+r2 = r to eliminate potential of a reduced round attack at A, B
  – Security of intermediate result Dka(C1), at converter depends on r1, r2
[Figure: A → Converter → B. A sends C1 = Ekab,ka(P) (r1, r2 rounds); the converter computes C2 = Ekb(Dka(C1)) (r2, r2 rounds) and forwards C2; B recovers P = Dkb,kab(C2) (r2, r1 rounds)]
![Page 58: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/58.jpg)
58
Constructions – Stream Cipher
• Workload
  – No extra work required of A, B
• Security
  – A, B do not share key material
  – Converter does not expose P, but may have sufficient information to do so depending on how combined key streams are created
  – KSa, KSb can be computed in parallel
[Figure: A → Converter → B. A sends C1 = KSa (P); the converter computes C2 = KSa (KSb (C1)) or (KSa KSb) C1 and forwards C2; B recovers P = KSb (C2)]
![Page 59: Introduction to Practical Cryptography](https://reader035.vdocuments.net/reader035/viewer/2022062321/56814073550346895dabf29d/html5/thumbnails/59.jpg)
59
Constructions – Onion Routing
• Workload
  – Total same as decrypting then encrypting
  – Moves work from converter to A
• A, B share a key
• Converter cannot obtain P
[Figure: A → Converter → B. A sends C1 = Eka(Ekab(P)); the converter computes C2 = Dka(C1) and forwards C2; B recovers P = Dkab(C2)]