lecture 3 symmetric encryption, ind-cpa, ctr, cbc

Lecture 3 – Symmetric encryption, IND-CPA,

CTR, CBC

TEK4500

08.09.2020

Håkon Jacobsen

[email protected]

mailto:[email protected]

Basic goals of cryptography

2

Message privacyMessage integrity /

authentication

Symmetric keys Symmetric encryptionMessage authentication

codes (MAC)

Asymmetric keys

Asymmetric encryption

(a.k.a. public-key

encryption)

Digital signatures

Encryption schemes – syntax

• A symmetric encryption scheme Σ = KeyGen, Enc, Dec consists of three

algorithms:

• Associated to Σ:

• Key space 𝒦

• Message space ℳ

• Ciphertext space 𝒞

• KeyGen and Enc may be randomized ($), but Dec must be deterministic3

Adversary

EncC

M M / ⊥

KeyGen

Dec$

K

$

Correctness requirement: For all

𝐾 ← KeyGen :

Dec 𝐾, Enc 𝐾,𝑀 = 𝑀

Electronic Code Book (ECB) mode

Given a block cipher ℰ: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛 how to encrypt a long message?

ECB ℰ = KeyGen, Enc, Dec

4

ℰ𝐾

𝑀1

𝐶1

ℰ𝐾

𝑀2

𝐶2

ℰ𝐾

𝑀3

𝐶3

ℰ𝐾

𝑀4

𝐶4

Alg Enc 𝐾,𝑀---------------------------------1. for 𝑖 = 1,… ,𝑚 do2. 𝐶𝑖 ← ℰ𝐾 𝑀𝑖

3. return 𝐶

Alg Dec 𝐾, 𝐶---------------------------------1. for 𝑖 = 1,… ,𝑚 do2. 𝑀𝑖 ← ℰ𝐾

−1 𝐶𝑖3. return 𝑀

ECB problems

• Weakness: 𝑀1 = 𝑀2 ⟹ 𝐶1 = 𝐶2

• Example: Suppose message space only contains two messages: 𝑋 = 0128

and 𝑌 = 1128; could represent:

• Vote YES or NO

• BUY or SELL a stock

• FIRE or DON'T FIRE a missile

5

ECB penguin

6

Plaintext ECB encrypted Properly encrypted

Wanted: security definition for symmetric encryption

• Perfect privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:

Pr ℰ𝐾 𝑀0 = 𝐶 = Pr ℰ𝐾 𝑀1 = 𝐶

• Security holds for any adversary (no limit on resource usage)

• Very strict requirements:

• Keys need to be as long as message

• Key can only be used for one message

7

Wanted: security definition for symmetric encryption

• Perfect privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:

Pr ℰ𝐾 𝑀0 = 𝐶 = Pr ℰ𝐾 𝑀1 = 𝐶

• Security holds for any adversary (no limit on resource usage)


• Keys need to be as long as message…want keys to be short

• Key can only be used for one message…want to encrypt many messages

8

Idea

• Computational privacy: for any 𝑀0, 𝑀1 ∈ ℳ and any 𝐶 ∈ 𝒞:

Pr ℰ𝐾 𝑀0 = 𝐶 ≈ Pr ℰ𝐾 𝑀1 = 𝐶

• Security only required to hold for resource bounded adversaries


• Keys need to be as long as message…want keys to be short

• Key can only be used for one message…want to encrypt many messages

9

IND-CPA – Indistinguishability against chosen-plaintext attacks

10

𝐄𝐱𝐩Σind–cpa

𝐴

1. 𝑏←$

0,1

2. 𝐾←$Σ. KeyGen

3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4.5.6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏

7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ 𝐶∗ // guess stage

8. 𝐫𝐞𝐭𝐮𝐫𝐧 𝑏′ =?𝑏

ℰ𝐾 𝑀---------------------------------1. return Σ. Enc 𝐾,𝑀

Definition: The IND-CPA-advantage of an

adversary 𝐴 is

𝐀𝐝𝐯Σind–cpa

𝐴 = Pr 𝐄𝐱𝐩Σind–cpa

𝐴 ⇒ true − 1/2

Test me on 𝑀0, 𝑀1

𝐶∗

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

What if 𝑨 submits 𝑴𝒐 = 𝟎and 𝑴𝟏 = 𝟎𝟏𝟎𝟎𝟎𝟎?

𝐶∗ was an

encryption of 𝑀1


11


𝐴

1. 𝑏←$

0,1


3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏





adversary 𝐴 is


𝐴 = Pr 𝐄𝐱𝐩Σind–cpa

𝐴 ⇒ true − 1/2


𝐶∗

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝐶∗ was an

encryption of 𝑀1


12


𝐴

1. 𝑏←$

0,1







adversary 𝐴 is


𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind–cpa

𝐴 ⇒ true − 1


𝐶∗

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝐶∗ was an

encryption of 𝑀1


𝐴 ≈ 1 = adversary is doing well


𝐴 ≈ 0 = adversary is doing poorly

ECB IND-CPA insecurity

13

𝐄𝐱𝐩ECB[ℰ]ind–cpa

𝐴

1. 𝑏←$

0,1

2. 𝐾←$ECB. KeyGen

3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← ECB. Enc 𝐾,𝑀𝑏



ℰ𝐾 𝑀---------------------------------1. return ECB. Enc 𝐾,𝑀

Adversary 𝑨

1. Query 𝐶 ← ℰ𝐾 0128 in find stage 2. Submit 𝑀0 = 0128 and 𝑀1 = 1128

3. Receive challenge 𝐶∗

4. if 𝐶∗ = 𝐶 output 05. else, output 1

Pr 𝐄𝐱𝐩ECB[ℰ]ind–cpa

𝐴 ⇒ true

= 1

= Pr 𝑏′ = 0 𝑏 = 0 ⋅ 1/2 + Pr 𝑏′ = 1 𝑏 = 1 ⋅ 1/2

= Pr ℰ𝐾 0128 = ℰ𝐾 0128 𝑏 = 0 + Pr ℰ𝐾 0128 ≠ ℰ𝐾 1128 𝑏 = 1 ⋅ 1/ 2

1

= Pr 𝑏′ = 𝑏

1



𝐴 ⇒ true − 1 = 1

Consequences of the definition

• An IND-CPA secure scheme cannot be deterministic

• IND-CPA security implies other properties that we want:

• P1: Should be hard to obtain 𝐾 from 𝑌 ← 𝐸𝐾(𝑋) for secret 𝐾

• P2: Should be hard to obtain 𝐾 from 𝑌1, 𝑌2, … where 𝑌𝑖 ← 𝐸𝐾 𝑋𝑖• P3: Should be hard to obtain 𝑋 from 𝑌 ← 𝐸𝐾(𝑋)

• P4: Should be hard to obtain any 𝑋𝑖 from 𝑌1, 𝑌2 , … where 𝑌𝑖 ← 𝐸𝐾 𝑋𝑖• P5: Should be hard to learn any bit of 𝑋 from 𝑌 ← 𝐸𝐾(𝑋)

• P6: Should be hard to detect repetitions among 𝑋1, 𝑋2, … from 𝑌1, 𝑌2, …

•

• But does it give us all the properties we want? I.e., is IND-CPA the "master property"?

14

Semantic security

• The conceptually "right" definition

• High level idea: an encryption scheme is semantically secure if by observing

a ciphertext 𝐶 the adversary learns nothing about the plaintext (except its

length)

• Harder to formalize + IND-CPA is easier to work with

15

Theorem: (Goldwasser & Micali '83)

An encryption scheme Σ is IND-CPA secure ⟺ Σ is semantically secure.

Length-leaking attacks

• Google maps

• World regions have unique "fingerprints" based on length of data (based on map tiles)

• Variable-bitrate encoding

• Can e.g., fingerprint movies streamed over Netflix

• To combat length-leaking attacks: message padding

• Can be expensive

• Supported in TLS, but seldom used

• Used by TOR

16

CONSTRUCTING SYMMETRIC ENCRYPTION

SCHEMES

17

How to achieve non-deterministic encryption?

• Randomized encryption

• Coins flipped internally by the algorithm

• Nonce-based encryption

• Encryption scheme itself is deterministic

• Non-determinism injected from the outside

18

𝑀

Ciphertext

𝑀′

Plaintext

CTR$ mode

Block cipher ℰ: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛

CTR$ ℰ = KeyGen, Enc, Dec :

19

Alg Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛

2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← ℰ𝐾 ctr + 𝑖 ⊕𝑀𝑖

5. return 𝐶0||𝐶1||⋯ ||𝐶𝑚

Alg Dec 𝐾, 𝐶---------------------------------1. ctr ← 𝐶02. for 𝑖 = 1,… ,𝑚 do3. 𝑀𝑖 ← ℰ𝐾 ctr + 𝑖 ⊕ 𝐶𝑖4. return𝑀1||𝑀2||⋯ ||𝑀𝑚

ctr + 1

𝐶1

ctr

𝐶0

ℰ𝐾

𝑀1

ctr + 2

𝐶2

ℰ𝐾

𝑀2

ctr + 3

𝐶3

ℰ𝐾

𝑀3

CTR properties

• Fully parallelizable

• Inverse direction of ℰ𝐾 not needed

• Can use a PRF instead of a PRP

• Key stream can be generated in advance

• No padding needed for messages not a multiple of block length

• What about security?

20

ctr + 1

𝐶1

ctr

𝐶0

ℰ𝐾

𝑀1

ctr + 2

𝐶2

ℰ𝐾

𝑀2

ctr + 3

𝐶3

ℰ𝐾

𝑀3

Modern approach to cryptography

• Trying to make cryptography more a science than an art

• Focus on formal definitions of security (and insecurity)

• Clearly stated assumptions

• Analysis supported by mathematical proofs

21

Security of CTR$

22

Theorem (idea):

If 𝐹: 0,1 𝑘 × 0,1 𝑛 → 0,1 𝑛 is a secure PRF then CTR$[𝐹] is IND-CPA secure.

Logic 101

is equivalent to:

Theorem (idea):

If CTR$[𝐹] is not IND-CPA secure then 𝐹 is not a secure PRF.

⟺ equivalent!

Security of CTR$

Proof idea:

• CTR$[𝐹] not IND-CPA secure ⟹ there exists adversary 𝐴 with good advantage 𝐀𝐝𝐯CTR$ 𝐹ind–cpa

𝐴

• Can use 𝐴 to create a new adversary 𝐵 that has good advantage 𝐀𝐝𝐯𝐹prf

𝐵 against 𝐹

⟹ 𝐹 is not a secure PRF!

23

Theorem (idea):

If CTR$[𝐹] is not IND-CPA secure then 𝐹 is not a secure PRF.

Security of CTR$

24

Theorem (actual): For any IND-CPA adversary 𝐴 against CTR$ 𝐹 that runs in time 𝑡𝐴and asks at most 𝑞 queries (each of max length 𝑞 𝑛-bit blocks), there exists an PRF-

adversary 𝐵 such that

𝐀𝐝𝐯CTR$ 𝐹ind–cpa

𝐴 ≤ 𝐀𝐝𝐯𝐹prf

𝐵 +2𝑞2

2𝑛

where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞2) and asks at most 𝑞𝐵 = 𝑞2 PRF-queries.

Security of CTR$

• Logic 101: 𝐹 secure PRF ⟹𝐀𝐝𝐯𝐹prf

𝐵 ≈ 0

⟹𝐀𝐝𝐯CTR$ 𝐹ind–cpa

𝐴 ≤2𝑞2

2𝑛

⟹𝐀𝐝𝐯CTR$ 𝐹ind–cpa

𝐴 ≈ 0

⟹ CTR$[𝐹] is IND-CPA secure!

25

Theorem (actual): For any IND-CPA adversary 𝐴 against CTR$ 𝐹 that runs in time 𝑡𝐴and asks at most 𝑞 queries (each of max length 𝑞 𝑛-bit blocks), there exists an PRF-

adversary 𝐵 such that



𝐵 +2𝑞2

2𝑛

where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞2) and asks at most 𝑞𝐵 = 𝑞2 PRF-queries.

𝑞 ≪ 2𝑛/2

Example:

AES: 𝑛 = 128𝑞 = 240 ≈ 17.5 TB of data

Security of CTR$ – proof idea

26

𝐄𝐱𝐩CTR$ ℰind–cpa

𝐴

1. 𝑏←$

0,1

2. 𝐾←$CTR$ 𝐹 . KeyGen

3. 𝑀0,𝑀1 ← 𝐴ℰ𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← CTR$ ℰ . Enc 𝐾,𝑀𝑏



ℰ𝐾 𝑀---------------------------------1. return CTR$ 𝐹 . Enc 𝐾,𝑀

𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

𝐹𝐾(𝑅∗ + 1) 𝐹𝐾(𝑅

∗ + 2) 𝐹𝐾(𝑅∗ + 3) ⋯ 𝐹𝐾(𝑅

∗ + 𝐿) Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛

2. 𝐶0 ← ctr3. for 𝑖 = 1,… ,𝑚 do4. 𝐶𝑖 ← 𝐹𝐾 ctr + 𝑖 ⊕𝑀𝑖

5. return𝐶0||𝐶1||⋯ ||𝐶𝑚

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗

=

𝑀𝑏

𝐶∗

Theorem: For any 𝐴 … there exists 𝐵 such that



𝐵 +2𝑞2

2𝑛


27




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏

𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-security

𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗


28




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏


𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗


29




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏

𝐶∗ 𝜌←$Func[𝑛, 𝑛] ≈ 𝐹𝐾 by PRF-securityOTP

𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗


30




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏


𝑀(1)ℰ𝐾

𝑅1||𝐶11||𝐶2

(1)…

𝑀(2)ℰ𝐾

𝑅2||𝐶12||𝐶2

(2)…

⋮

𝑀(𝑞)ℰ𝐾

𝑅𝑞||𝐶1𝑞||𝐶2

(𝑞)…

𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗


31




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏


𝑀(1)ℰ𝐾

𝑅1||𝐶11||𝐶2

1… = 𝑅1||𝜌(𝑅1 + 1)⊕𝑀1

1||𝜌(𝑅1 + 2)⊕𝑀2

1|| …

𝑀(2)ℰ𝐾

𝑅2||𝐶12||𝐶2

(2)… = 𝑅2||𝜌(𝑅2 + 1)⊕𝑀1

2||𝜌(𝑅2 + 2)⊕𝑀2

2|| …

⋮

𝑀(𝑞)ℰ𝐾


(𝑞)… = 𝑅𝑞||𝜌(𝑅𝑞 + 1)⊕𝑀1

𝑞||𝜌(𝑅𝑞 + 2)⊕𝑀2

𝑞|| …

𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗


32




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

=

𝑀𝑏


𝑀(1)ℰ𝐾

𝑅1||𝐶11||𝐶2

1… = 𝑅1||𝜌(𝑅1 + 1)⊕𝑀1

1||𝜌(𝑅1 + 2)⊕𝑀2

1|| …

𝑀(2)ℰ𝐾

𝑅2||𝐶12||𝐶2

(2)… = 𝑅2||𝜌(𝑅2 + 1)⊕𝑀1

2||𝜌(𝑅2 + 2)⊕𝑀2

2|| …

⋮

𝑀(𝑞)ℰ𝐾


(𝑞)… = 𝑅𝑞||𝜌(𝑅𝑞 + 1)⊕𝑀1

𝑞||𝜌(𝑅𝑞 + 2)⊕𝑀2

𝑞|| …

Event 𝐂𝐨𝐥𝐥𝒊:

𝑅𝑖 + 𝑗 = 𝑅∗ + 𝑗′ ⟹ 𝜌 𝑅𝑖 + 𝑗 = 𝜌 𝑅∗ + 𝑗′ = 𝑃

⟹ 𝐶𝑗𝑖⊕𝐶𝑗′

∗ = 𝑃 ⊕𝑀𝑗𝑖

⊕ 𝑃 ⊕𝑀𝑗′∗ = 𝑀𝑗

𝑖⊕𝑀𝑗′

∗


33

𝑅∗, 𝑅∗ + 1,… 𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…

0 1 … 2𝑛 − 1


34

𝑅∗, 𝑅∗ + 1,… 𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…

0 1 … 2𝑛 − 1Coll𝑗

Coll = Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞

Pr Coll = Pr Coll1 ∨ Coll2 ∨ ⋯∨ Coll𝑞 ≤

𝑗=1

𝑞

Pr Coll𝑗

Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1


35

𝑅∗, 𝑅∗ + 1,… 𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…

0 1 … 2𝑛 − 1



𝑗=1

𝑞

Pr Coll𝑗


Coll𝑗


36

𝑅∗, 𝑅∗ + 1,…𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…

0 1 … 2𝑛 − 1



𝑗=1

𝑞

Pr Coll𝑗


Coll𝑗


37



𝑗=1

𝑞

Pr Coll𝑗

Pr Coll𝑗 = Pr 𝑅∗ + 1 − 𝐿 ≤ 𝑅𝑗 ≤ 𝑅∗ + 𝐿 − 1 ≤2𝐿

2𝑛

𝑅∗, 𝑅∗ + 1,…𝑅𝑗 , 𝑅𝑗+1,…𝑅𝑖 , 𝑅𝑖+1,… 𝑅𝑘, 𝑅𝑘+1,…

0 1 … 2𝑛 − 1

≤ 𝑞 ⋅2𝐿

2𝑛=2𝑞2

2𝑛

Coll𝑗


38




𝐵 +2𝑞2

2𝑛


𝐴

1. 𝑏←$

0,1






Alg CTR 𝐹 . Enc 𝐾,𝑀---------------------------------

1. ctr←$

0,1 𝑛



𝑀1 𝑀2 𝑀3 ⋯ 𝑀𝐿

=

𝑀𝑏


𝜌(𝑅∗ + 1) 𝜌(𝑅∗ + 2) 𝜌(𝑅∗ + 3) ⋯ 𝜌(𝑅∗ + 𝐿)

𝐶1∗ 𝐶2

∗ 𝐶3∗ ⋯ 𝐶𝐿

∗

Nonce-based encryption

• Initial value in CTR$ chosen at random

• Not actually neccessary; sufficient that no inputs to underlying PRF/PRP

repeat

• A simple counter works

• More generally: any number not used more than once – a nonce (number

used once)

• CTR: nonce-based counter-mode

39

Nonce-based encryption – new syntax

• Enc is now a deterministic function

• Non-determinism comes from varying 𝑁

• Choose 𝑁 at random ⟹ recover probabilistic notion

40

Enc ∶ 𝒦 ×𝒩 ×ℳ → 𝒞

Enc 𝐾,𝑁,𝑀 = Enc𝐾 𝑁,𝑀 = Enc𝐾𝑁 𝑀 Enc

𝐾𝑀 𝐶

𝑁

Nonce-based

Enc𝐾𝑀 𝐶

$

Randomized


41


𝐴

1. 𝑏←$

0,1





ℰ𝐾 𝑀---------------------------------1.2.3. return Σ. Enc 𝐾,𝑀


42


𝐴

1. 𝑏←$

0,1


3. 𝑁,𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅,⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑁,𝑀𝑏

7. 𝑏′ ← 𝐴ℰ𝐾 ⋅,⋅ 𝐶∗ // guess stage


ℰ𝐾 𝑁,𝑀---------------------------------1.2.3. return Σ. Enc 𝐾,𝑁,𝑀


43


𝐴

1. 𝑏←$

0,1


3. 𝑁,𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅,⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑁,𝑀𝑏

7. 𝑏′ ← 𝐴ℰ𝐾 ⋅,⋅ 𝐶∗ // guess stage


ℰ𝐾 𝑁,𝑀---------------------------------1. if 𝑁 queried before:2. return⊥3. return Σ. Enc 𝐾,𝑁,𝑀

Definition: The (nonce-based) IND-CPA-advantage

of an adversary 𝐴 is



𝐴 ⇒ true − 1

(𝑁1, 𝑋1), (𝑁2, 𝑋2), …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

Test me on 𝑁,𝑀0 , (𝑁,𝑀1)

𝐶∗

(𝑁1, 𝑋1), (𝑁2, 𝑋2), …

𝐶∗ was an

encryption of 𝑀1

Nonce-based CTR

• Nonce value must be updated and stored by sender

• Stateful encryption

• Receiver doesn't need to store state

• Alternatively: pick nonce at random

• Gives CTR$

• Common in practice:

• pick some parts of N at random and let the rest be a counter

(always starting at 0)

• e.g., 96 bits random and 32 bits counter for 128-bits N

44

Alg Enc 𝐾,𝑁,𝑀---------------------------------1. for 𝑖 = 1, … ,𝑚 do2. 𝐶𝑖 ← ℰ𝐾 𝑁 + 𝑖 ⊕𝑀𝑖

3. return 𝐶1||𝐶2||⋯ ||𝐶𝑚

AlgDec 𝐾,𝑁, 𝐶---------------------------------1. for 𝑖 = 1, … ,𝑚 do2. 𝑀𝑖 ← ℰ𝐾 𝑁 + 𝑖 ⊕ 𝐶𝑖3. return𝑀1||𝑀2||⋯ ||𝑀𝑚

Nonce-based CTR – IND-CPA security

45

Theorem: For any IND-CPA adversary 𝐴 against CTR 𝐹 that runs in time 𝑡𝐴 and asks

at most 𝑞𝐴 queries (each of at most 𝜎𝑛-bits) – such that no input values to 𝐹 are

identical – there exists an PRF-adversary 𝐵 such that

𝐀𝐝𝐯CTR 𝐹ind–cpa


𝐵

where 𝐵 runs in time 𝑡𝐵 = 𝑡𝐴 + 𝑂(𝑞𝐴 + 𝑛𝜎) and asks at most 𝑞𝐵 = 𝜎 PRF-queries.

CBC$ – Cipher Block Chaining mode

46

CBC

• IND-CPA secure for random IV

• Not IND-CPA secure for nonce-based IV (exercise: show this)

• Not parallelizable; cannot precompute values

• Inverse of block cipher ℰ needed for decryption

• Padding needed for messages not a multiple of block length

• …historically one of the most used modes-of-operation

47

Alternative definition I – Left-or-Right CPA

48

𝐄𝐱𝐩Σlor–cpa

𝐴

1. 𝑏←$

0,1


3. 𝑏′ ← 𝐴LR𝑏 ⋅,⋅


LR𝑏 𝑀0, 𝑀1

---------------------------------1. if 𝑀0 ≠ 𝑀1 then2. return⊥3.4. return Σ. Enc 𝐾,𝑀𝑏

Definition: The LOR-CPA-advantage of an

adversary 𝐴 is

𝐀𝐝𝐯Σlor–cpa

𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σlor–cpa

𝐴 ⇒ true − 1

Theorem: Σ is IND-CPA secure ⟺ Σ is LOR-CPA

secure.

Alternative definition II – Real-or-random CPA

49

𝐄𝐱𝐩Σror–cpa

𝐴

1. 𝑏←$

0,1


3. 𝑏′ ← 𝐴RoR𝑏 ⋅


RoR𝑏 𝑀---------------------------------

1. 𝑀0←$

0,1 𝑀

2. 𝑀1 ← 𝑀3. return Σ. Enc 𝐾,𝑀𝑏

Definition: The ROR-CPA-advantage of an

adversary 𝐴 is

𝐀𝐝𝐯Σror–cpa

𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σror–cpa

𝐴 ⇒ true − 1

Theorem: Σ is IND-CPA secure ⟺ Σ is ROR-CPA

secure.

Alternative definition III – Real-or-random ciphertext CPA

50

𝐄𝐱𝐩Σind$–cpa

𝐴

1. 𝑏←$

0,1


3. 𝑏′ ← 𝐴$𝑏 ⋅


$𝑏 𝑀---------------------------------1. 𝐶1 ← Σ. Enc 𝐾,𝑀

2. 𝐶0←$

0,1 𝐶1

3. return 𝐶𝑏

Definition: The IND$-CPA-advantage of an

adversary 𝐴 is

𝐀𝐝𝐯Σind$–cpa

𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σind$–cpa

𝐴 ⇒ true − 1

Theorem:

Σ is IND-CPA$ secure ⟹ Σ is IND-CPA secure.

Σ is IND-CPA$ secure ⟸ Σ is IND-CPA secure.

Relations between notions

51

LOR-CPA ⟺ IND-CPA ⟺ ROR-CPA

IND$-CPA

⟹

Semantic security⟺

When we say "IND-CPA" without

further qualification, we think of any

of these (equivalent) definitions


52


𝐴

1. 𝑏←$

0,1






IND-CCA – Indistinguishability against chosen-ciphertext attacks

53

𝐄𝐱𝐩Σind–cca 𝐴

1. 𝑏←$

0,1


3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏

7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾(⋅) 𝐶∗ // guess stage



𝒟𝐾 𝐶---------------------------------1. if 𝐶 = 𝐶∗ then2. return⊥3. return Σ. Dec 𝐾,𝑀

𝐄𝐱𝐩Σind–cca 𝐴

1. 𝑏←$

0,1


3. 𝑀0, 𝑀1 ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾 ⋅ // find stage4. if 𝑀0 ≠ 𝑀1 then5. return⊥6. 𝐶∗ ← Σ. Enc 𝐾,𝑀𝑏

7. 𝑏′ ← 𝐴ℰ𝐾 ⋅ ,𝒟𝐾(⋅) 𝐶∗ // guess stage



𝒟𝐾 𝐶---------------------------------1. if 𝐶 = 𝐶∗ then2. return⊥3. return Σ. Dec 𝐾,𝑀

IND-CCA – Indistinguishability against chosen-ciphertext attacks

54

Definition: The IND-CCA-advantage of an

adversary 𝐴 is

𝐀𝐝𝐯Σind–cca 𝐴 = 2 ⋅ Pr 𝐄𝐱𝐩Σ

ind–cca 𝐴 ⇒ true − 1


𝐶∗

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)

𝑋1, 𝑋2, …

𝐶1, 𝐶2, …

Enc(𝐾,⋅)Dec(𝐾,⋅)

Dec(𝐾,⋅)

𝐶∗ was an

encryption of 𝑀1

IND-CCA

• None of the schemes we have looked at today are IND-CCA secure

• Attacks are easy to demonstrate (exercise)

• New techniques are needed

• Next week: message authentication codes

55

lecture 3 symmetric encryption, ind-cpa, ctr, cbc

Documents