Conversion Functions for Symmetric Key Ciphers

Transcription

1 Jounal of Infomation Assuance and Secuity 2 (2006) Convesion Functions fo Symmetic Key Ciphes Deba L. Cook and Angelos D. Keomytis Depatment of Compute Science Columbia Univesity, mail code Amstedam Avenue New Yok, NY {dcook,angelos}@cs.columbia.edu Abstact: As a geneal design citeion, a symmetic key ciphe should not be closed unde functional composition due to the implications on the secuity of the ciphe. Howeve, thee ae scenaios in which this popety is desiable and can be obtained without educing the secuity of a ciphe by inceasing the computational wokload of the ciphe. We expand the idea of a symmetic key ciphe being closed unde functional composition to a moe geneal scenaio whee thee exists a function that convets the ciphetext esulting fom encyption unde a specific key to the ciphetext coesponding to encyption with anothe key. We show how to pefom such a convesion without exposing the plaintext. We discuss the tadeoff between the computational wokload and secuity, and the elationship between such convesions and poxy cyptogaphy. We conclude with a discussion of some pactical applications of ou esults. Keywods: Symmetic Key Ciphe Design, Convesion Function, Poxy Cyptogaphy 1 Intoduction We expand the idea of a symmetic key ciphe being closed unde functional composition to a moe geneal scenaio in which thee exists a function that convets the ciphetext esulting fom encypting with a specific key to the ciphetext coesponding to encypting with anothe key. As a geneal design citeion, a symmetic key ciphe should not be closed unde functional composition due to the implications on the secuity of the ciphe. Howeve, thee ae scenaios in which this popety is desiable. Two (sometimes conflicting) goals of such a ciphe ae to povide an efficient convesion between the encyption of data unde two diffeent keys and pefoming the convesion without exposing the unencypted data, as occus when decypting data with one key then encypting it with a second key. Any situation involving multiple paiwise communication between entities with data encypted using symmetic key ciphes can benefit fom a symmetic key ciphe that allows fo efficient convesions between keys while maintaining the secuity of the ciphe. Applications include vitual pivate netwok (VPN) gateways, file distibution systems using encypted files, and online chat pogams. We show how to constuct fom any symmetic key ciphe a ciphe that allows an entity to convet ciphetexts between two keys without exposing the plaintext and how to develop a tadeoff between the computational wokload equied to pefom the convesion and the secuity of the ciphe. We descibe pactical applications of the esults. We also discuss the elationship between such convesions and poxy cyptogaphy. The motivation fo ou wok aises fom a convesion poblem in VPNs: Is it possible to define a symmetic key ciphe that allows fo conveting the encyption of plaintext P, E k1 (P ), unde key k1 to the encyption of the plaintext unde anothe key k2, E k2( P ), with fewe computations than what is equied fo decypting with key k1 then encypting with key k2? Conside the case of a VPN gateway tansmitting data between uses A and B. The gateway shaes k1 with A and k2 with B. A and B do not shae any key mateial. With existing symmetic key ciphes, the gateway must pefom the convesion by decypting with k1 then encypting with k2. Specifically, A computes C1 = E k1 (P ) and sends C1 to the gateway. The gateway computes C2 = E k2 (D k1 (C1)) and sends C2 to B who computes P = D k2 (C2). Is thee a convesion function F taking a key kg such that (I) F kg (E k1 (P )) = E k2 (P ) P whee kg depends on k1 and k2, and F equies less wok than applying both E and D with some acceptable tadeoffs? In this application, the goal is to decease the convesion time. The gateway may have sufficient infomation to obtain P and may o may not expose P duing the convesion. In some situations it is desiable fo pat of P to be obtainable fo inspection, such as when a fiewall needs to examine the packet. The gateway may also need to modify pats of P, such as in application-awae netwok addess tanslation (NAT). The existence of a function F as shown in (I) has significant implications on the secuity of the ciphe, which we will discuss. We ae also inteested in convesions that pohibit the intemediate entity (the gateway in the example) fom obtain- Received Decembe 5, $03.50 c Dynamic Publishes, Inc.

2 42 Cook & Keomytis ing the ciphetext in situations whee thee is no need fo it to have access to the plaintext. This concept is known as poxy cyptogaphy and is a subset of ou geneal convesion concept. We conside poxy cyptogaphy applied to symmetic key ciphes in ode fo the convesion to be applicable in situations involving lage quantities of data and faste pocessing than what can be suppoted with public key ciphes. Okamoto and Mambo intoduced the notion of poxy cyptogaphy [10]. This was futhe exploed by Blaze, et al. in [2]. Pio wok on poxy cyptogaphy has almost exclusively been focused on public key ciphes. When consideing encyption with public key ciphes, poxy cyptogaphy allows fo a public key to be used by a poxy to convet ciphetext eceived fom one paty into ciphetext that can be decypted with anothe paty s pivate key without the poxy being able to decypt the data. The contibutions of ou wok consist of the following analysis egading convesions. Fist, we extend the esults in [9] concening the secuity of a symmetic key ciphe that is closed unde functional composition to the moe geneal scenaio of a symmetic key ciphe fo which thee exists a convesion function. Second, we intoduce the concepts of convesion cypto-systems to efe to a symmetic key ciphe fo which a function exists that pefoms the convesion of E k1 (P ) to E k2 (P ) and secue convesion cypto-system to efe to a symmetic key ciphe with a convesion function which allows conveting between encyptions unde diffeent keys without exposing the plaintext. We define two classes of secue convesion cypto-systems, one in which the entity pefoming the convesion may have sufficient infomation to obtain the plaintext even though the convesion does not expose the plaintext, and one which is a poxy function in that the entity pefoming the convesion cannot obtain the plaintext. Thid, we show how to constuct secue convesion cypto-systems fom any existing symmetic key ciphe. We show that ou convesion cypto-system constuctions ae optimal in tems of the ode of computational wok compaed to the secuity of the undelying ciphe utilized in the constuction, and discuss tadeoffs between the wokload and secuity in tems of the undelying ciphe. Finally, we discuss possible applications of convesion and secue convesion cypto-systems. Pape Oganization: In Section 2 we define ou notation and intoduce the tems fo convesion cypto-systems. In Section 3 we povide backgound infomation on poxy cyptogaphy. In Section 4 we eview the attacks fom [9] on symmetic key ciphes which ae closed unde functional composition. In Section 5 we genealize the attacks fom [9] to symmetic key ciphes fo which convesion functions exist. In Sections 6 and 7 we pesent constuctions and applications of convesion cypto-systems. Section 8 concludes the pape. 2 Convesion Definitions In this section, we intoduce and fomally define the tems convesion function, secue convesion function, convesion cypto-system and secue convesion cypto-system fo symmetic key ciphes. The following notation is used in ou definitions. P denotes plaintext. C denotes ciphetext. K denotes the key space fo a symmetic key ciphe. K denotes the size of the key space, K. k, ki denote keys. i is any alphanumeic symbol. k is the length of key k in bits. E, D denote the encyption and decyption functions of a symmetic key ciphe S, espectively. When encyption is applied using a specific key, k, and plaintext, P, we wite E k (P ). When decyption is applied using a specific key, k, and ciphetext, C, we wite D k (C). When S is a block ciphe, the lengths of P and C ae the block size. S = (E, D, K) is a symmetic key ciphe with encyption function E, decyption function D and key space K. This will be abbeviated as S. Z is the set of all pemutations on b bits. KZ efes to the set of keys by which to index Z. Viewing Z as an enumeated set, the i th key in KZ efes to the i th pemutation in Z. G = {G kg } is a family of pemutations on b bits. A specific pemutation in G is indicated by G kg, whee kg is a key used to index into G. KG is the set of all kg values. KG = G. G kg (X) is the esult of the pemutation G kg applied to a b bit value X. The invese of G kg will be witten as. Notice that G Z and KG KZ. KG can be thought of as an enumeation of the elements fom Z that fom G. G 1 kg F G is a function that pefoms the pemutations in G. F G is used to indicate the convesion function as defined in the definitions below. F G kg(x) efes to F G using key kg and opeating on input X. The invese of F G will be witten as F G 1. We now define (secue) convesion functions, (secue) convesion cypto-systems and elated tems. Definition 1: Convesion Function Given a symmetic key ciphe S = (E, D, K) opeating on b bit inputs, the convesion fo S is the family of pemutations G = {G kg } that convets E k1 (P ) to E k2 (P ) P fo any keys k1, k2 K. Specifically, G kg (E k1 (P )) = E k2 (P ) P whee kg is dependent on k1 and k2. The convesion function fo S is a function F G which takes key kg and b bit input X and computes G kg (X). Thee is no estiction on whethe the convesion function exposes P duing the convesion and on whethe the entity pefoming the convesion has sufficient infomation to obtain P. F G is invetible because G kg is a pemutation and thus is invetible. (E k1 (P )) = Fkg G 1 (E k2 (P )) P. KG K. If not, then the existence of a kg fo evey pai of keys k1, k2 K would equie at least one kg to map a k1 to moe than one k2. If G is unknown, then the numbe of values to ty to detemine KG may be moe than K because S may be defined such that the length of the key is less than numbe of pemutations on a b bit block (which is tue of symmetic key ciphes in pactice). Fo example, if no infomation is known about G othe than the fact that G exists, then any value in KZ potentially maps to an element of KG. The numbe of keys to ty in ode to detemine KG is elevant when tying to attack a ciphe fo which a convesion function exists.

3 Convesion Functions fo Symmetic Key Ciphes 43 Fo any symmetic key ciphe S opeating on b bit inputs, the mapping of E k1 (P ) to E k2 (P ) is a pemutation on b bits. Theefoe, a family of pemutations, G, which coesponds to the convesion fo S exists. This family of pemutations can always be ceated conceptually, if not pactically, in the following manne: Fo evey pai of keys, (k1, k2) K, ceate a table that contains the mapping of E k1 (P ) to E k2 (P ) of evey b bit P. Call the table G kg whee kg = k1 k2. G is the set of pemutations defined by all the esulting tables. Define F G to be the function that pefoms the table lookups. G coesponds to the K 2 tables. Regadless of the exact pemutations in G, the epesentation of G may be simplified at least slightly fom the K 2 tables. Fo example, when k1 = k2, the esulting table coesponds to the identity function and thee will be K such tables. Also, the table fo G k2 k1 is the invese of the table fo G k1 k2. Definition 2: Convesion Cypto-System A convesion cypto-system is a pai (S, F G ) whee F G is the convesion function fo the symmetic key ciphe S. Definition 3: Secue Convesion Function A secue convesion function is a convesion function that does not expose P duing the convesion. Thee is no estiction on whethe o not the entity pefoming the convesion has sufficient infomation to obtain P. F G will indicate the convesion function F G is a secue convesion function. Definition 4: Secue Convesion Cypto-System A secue convesion cypto-system is a pai (S, F G ) whee F G is the secue convesion function fo the symmetic key ciphe S. Definition 5: Poxy Function Given a symmetic key ciphe S = (E, D, K), a poxy function is a convesion function that does not expose P duing the convesion and does not povide the entity pefoming the convesion sufficient infomation to obtain P. A poxy function is a special case of a secue convesion function. F G will indicate the convesion function F G is a poxy function. Definition 6: Poxy Cypto-System A poxy cypto-system is a pai (S, F G ) whee F G is the poxy function fo the symmetic key ciphe S. Poxy cyptosystems ae a subset of secue convesion cypto-systems. Definition 7: Convesion Entity and Convete Convesion entity and convete ae used intechangeably to efe to the entity executing the convesion function F G. Definition 8: Poxy A poxy is an entity executing F G in a poxy cyptosystem. This is a special class of convesion entities. Definition 9: Effective Key Length The effective key length, K eff, of a symmetic key ciphe S = (E, D, K) is a paamete defined in tems of the key length, k fo k K, which indicates the amount of wok equied to successfully attack S compaed to that of an exhaustive seach ove all keys. A ciphe fo which an exhaustive seach of the key space is the best known attack equies O(2 k ) wok and has an effective key length of k. Fo example, if the key length is 128 bits, an exhaustive seach ove K will equie tying half of all keys (2 127 keys) on aveage. If an attack exists which equies tying 2 63 keys on aveage, then K eff = 64. In this case S s effective key length is equivalent to that of a ciphe with a 64 bit key on which an exhaustive seach ove all keys is the best attack even though S uses 128 bit keys. The convesion function, F G, coesponding to G can be constucted (tivially) by defining F G kg(c) to be E k2 (D k1 (C)) to convet E k1 (P ) to E k2 (X). In this case, kg = k1 k2 and KG = 2 2 k vesus K = 2 k. Pefoming the convesion by decypting with k1 then encypting with k2 exposes the plaintext duing the convesion. While both a secue convesion function and a poxy function exists fo evey S (define all of the tables coesponding to the mapping and have F G pefom table lookups), it should not be feasible to compute secue convesion and poxy functions fo a symmetic key ciphe used in pactice by defining the tables due to the memoy and/o computational esouces equied. 3 Poxy Cyptogaphy The concept of convesion functions in geneal has not been discussed pio to ou definition in [4]. Howeve, two specific cases of convesion functions have been addessed peviously. The fist case is whee the symmetic key ciphe s encyption algoithm is the convesion function. The secuity implications of such as ciphe has been analyzed unde the concept of a block ciphe which is closed unde functional composition [9], which we eview in Section 4. The second case is whee the convesion function is a poxy function. The concept of a poxy function has been addessed unde the topic of poxy cyptogaphy, although almost always in the context of public key cyptogaphy. We summaize the pevious wok on poxy cyptogaphy hee. When discussed in tems of encyption, poxy cyptogaphy efes to the concept of conveting plaintext encypted unde one key to the encyption of the same plaintext unde a second key without exposing the plaintext duing the convesion. The entity which pefoms the convesion is efeed to as the poxy and the function used to pefom the convesion is efeed to as the poxy function. The poxy does not have sufficient infomation, (e.g., the appopiate keys) to obtain the plaintext. When applied to public key ciphes, poxy cyptogaphy allows two paties to publish a key that the poxy will use to convet ciphetext eceived fom one paty into ciphetext that can be decypted with the othe paty s pivate key without the poxy being able to decypt the text. The concept of poxy cyptogaphy is also elevant to signatue schemes. If a poxy function exists fo a signatue scheme, an entity A can sign fo an entity B by signing the data as itself then sending the signatue to a poxy which tansfoms A s signatue into B s signatue. The pio wok that exists on poxy cyptogaphy is focused on public key encyption and signatue schemes. Okamoto, Usuda and Mambo intoduced the notion of poxy signatue schemes in [11]. Thei wok addessed the poblem of an entity, A, delegating the signing of messages to a poxy without the poxy needing to know the secet component of the key A uses fo signing. Okamato and Mambo late expanded the concept to encyption with public key ciphes [10]. In addition to the geneal concept, they defined poxy schemes fo El Gamal [5] and RSA [12]. Poxy cyptogaphy was futhe exploed by Blaze, Bleume and Stauss in [2] unde the tem atomic poxy cyptogaphy. [2] discusses poxy cyptogaphy as it elates to public key encyption, signatue

4 44 Cook & Keomytis schemes and identification schemes. In [2], Blaze, et al. also defined asymmetic and symmetic poxy cyptogaphy. We note that this is not to be confused with poxy encyption using symmetic (secet key) and asymmetic (public key) ciphes. Given entities A, B and the poxy, asymmetic poxy cyptogaphy means the use of the poxy only woks in one diection between A and B. Fo example, A can use the poxy to send messages to B without the poxy being able to convet messages fom B into a fom A can decypt. Symmetic poxy cyptogaphy means the use of the poxy woks in both diections between A and B. [1] efes to asymmetic poxy cyptogaphy as uni-diectional poxy cyptogaphy and symmetic poxy cyptogaphy as bi-diectional poxy cyptogaphy. The only place in which poxy cyptogaphy fo symmetic key ciphes has been discussed, albeit biefly, is in [8]. Ivan and Dodis fomally defined in [8] the concepts of symmetic and asymmetic poxy cyptogaphy fom [2] in a manne that can be applied to eithe public o pivate key ciphes, although they only illustate the concepts with public key ciphes. [8] does not analyze the notion of poxy cyptogaphy in elation to pivate key ciphes. Fo example, it does not exploe the applications of symmetic key poxy functions, does not discuss the wokload and does not exploe the elationships between the keys, wokload and secuity of a symmetic key ciphe with a poxy function, all of which we discuss within this pape fo convesion functions. No pio wok has consideed the implications of a symmetic key ciphe which has been defined in a manne that incopoates poxy cyptogaphy, o moe geneally, convesions. In [1], the use of poxy cyptogaphy with public key ciphes was applied to the encyption and shaing of keys used to encypt files in a file system. An entity, A, ceates a file and encypts it with a symmetic key ciphe using secet key, k a. k a is then encypted using a public key ciphe poxy encyption scheme. Let k ap be the key A uses fo the public key ciphe and X be the encyption of k a using k ap. A gives X and a list of uses who can access the file to an access contol seve, which functions as the poxy to convey k a to the uses via the poxy encyption scheme. The access contol seve does not have sufficient infomation to decypt X and obtain k a, but can only convet X into data that an authoized use, B, on the list can decypt to obtain k a. Theefoe, the access contol seve cannot obtain the contents of the files. Poxy cyptogaphy fo public key ciphes has also been called e-encyption since it involves the poxy eencypting ciphetext eceived fom the sending entity to ceate a ciphetext that the eceiving entity can decypt. [6] poposes efficient constuctions of univesal e-encyption schemes using El-Gamal. 4 Secuity Implications of a Symmetic Key Ciphe that is Closed Unde Functional Composition 4.1 Oveview Befoe descibing convesion cypto-systems, we eview why closue unde functional composition is an undesiable popety fo symmetic key ciphes. A symmetic key ciphe, S = (E, D, K), that is closed unde functional composition is an example of a convesion cypto-system whee the convesion function is S s encyption function, E, using key space K. Specifically, if S = (E, D, K) is closed unde functional composition, then k1, k2 K, k3 K such that: (II) E k3 (E k1 (P )) = E k2 (P ) P Within the context of detemining whethe not DES [7] is a goup, Kaliski, et al. poved in [9] that any symmetic key ciphe with key length k that is closed unde functional composition is vulneable to a known plaintext attack equiing O(2 k /2 ) wok as opposed to O(2 k ) wok equied fo an exhaustive key seach. We will wite O(2 k /2 ) as O( K 1 2 ), whee K is the keyspace. Two methods of known plaintext attacks wee descibed in [9], with a tadeoff between the memoy and the time equied to decypt additional ciphetexts. We povide a bief summay of these attacks. They do not povide the actual secet key, but instead povide a seies of keys which, when encypting o decypting with the keys in ode, poduce the same esults as the secet key. 4.2 Fist Attack - Vaiation of Bithday Paadox The fist attack descibed in [9] poduces a pai of keys, (k1, k3), which can be used in place of k2 as indicated by (II). Let S = (E, D, K) be closed unde functional composition. Choose two sets of keys KA = {k a1, k a2,...k a } and KB = {k b1, k b2,...k b } fom K. Fo all pais (k ai, k bj ), 0 i, j, detemine if (II) holds via a meet in the middle attack. Let C = E k2 (P ). Compute E kai (P ) k ai and D kbj (C) k bj and seach fo matches. Set k1 to the k ai and k3 to the k bj that poduce the match. Test with additional plaintexts to ensue the match does not hold fo only a specific P. This attack will poduce a pai of keys that ae equivalent to the single key k2 as opposed to finding k2. The key pai can be used to decypt additional ciphetexts that have been encypted with k2. Obviously if eithe E kai (P ) = C o D kbj (C) = P is found duing the seach, then k2 has been found. A match will be found in O( K 1 2 ) time and memoy when using = O( K 1 2 ) keys in KA and KB if S is closed unde functional composition. The esult deives fom a meet-in-the-middle vaiation of the Bithday Paadox using two samples X and Y. If X and Y ae of size, and ae dawn at andom fom K elements with each element dawn independently with pobability 1 K, K then thee ae ways to select X and K ways to select Y such that X Y = and K 2 ways to select X and Y. The chance that X and Y do not intesect is: (III) P (X Y = ) = [( K )( K 1)...( K 2+1)] [(( K )( K 1)...( K +1)) 2 ] If = α( K 1 2 ) fo some constant α > 0, then P (X Y = ) e 3α2 fo sufficiently lage K. The ciphe S is tansfomed into this vaiation of the Bithday Paadox by using KA and KB as the two samples and defining intesection to mean thee is a k1 KA and a k3 KB such that E k3 (E k1 (P )) = E k2 (P ) P. The pobability of finding a (k1, k3) is appoximately 1 e 3α2 and appoaches 1 as α inceases. The attack equies O( K 1 2 ) time and memoy.

5 Convesion Functions fo Symmetic Key Ciphes Second Attack - Cycling Attack The second attack in [9] is efeed to as a cycling attack. While it equies less memoy than the fist attack, it poduces a seies of keys that equie O( K 2 1 ) time fo decyption in contast to the two keys poduced by the fist attack. This attack coesponds to taking a pseudoandom walk in the message space coveed by the symmetic key ciphe, with each step coesponding to encypting (o decypting) with anothe key. Encounteing a cycle afte a shot numbe of steps is an indication that the ciphe is likely to be closed unde functional composition. Taking a lage numbe of steps without encounteing a cycle is an indication that the ciphe is not closed unde functional composition. Fo a ciphe which is closed unde functional composition, it is expected that a cycle will be encounteed in K 2 1 steps. Again let S = (E, D, K) be closed unde functional composition. Given the plaintext, ciphetext pai (P, C) whee C = E k2 (P )), the idea is to obtain some seies of encyptions and decyptions that stated with P and C, espectively, and intesect. Stating with L = P on the left and R = C on the ight, andomly pick a key, k fom K and eithe encypt the left side o decypt the ight side. Repeat, each time testing if the left and ight sides ae equal. We use k K to indicate k is andomly selected fom K. This attack is summaized as follows: Set: i = 0; j = 0; L = P ; R = C; while (L R) do { k K; if encypting L{ k ai k; L E kai (L); i = i + 1; } else if decypting R{ k bj k; R D kbj (R); j = j + 1; } } A seies of encyptions and decyption will be poduced such that E kai (E kai 1...(E ka2 (E ka1 (P )))) = D kbj (D kbj 1...(D kb2 (D kb1 (C)))) fo andomly chosen k ai, k bj K. The esult can be veified by testing with a few additional plaintexts. An aveage of K 1 2 steps ae needed befoe the two sides match when S is closed unde functional composition. Like the fist attack, k2 is not found. Howeve, the equivalent key fo k2 that is poduced this time is the seies of k ai s and k bj s. To decypt additional ciphetexts encypted with k2, D ka1 (D ka2...(d kai 1 (D kai (D kbj (D kbj 1... (D kb2 (D kb1 (C))))))) must be computed. If the sequence of keys ae saved, O( k K 2 1 ) space is needed to stoe the keys. Only the cuent value of L and R need to be saved as opposed to all of intemediate esults of the encyptions and decyptions. Time and space tadeoffs allow fo the attack to occu in O(1/w) space and O( K (1+w)/2 ) time whee 0 < w < 1 [3]. 5 Secuity Implications of a Symmetic Key Ciphe with a Convesion Function 5.1 Oveview By definition, evey symmetic key ciphe, S = (E, D, K), has a convesion function, F G, as we mentioned in Section 2. Define Fkg(X) G to be the decyption of X with key k1 followed by the encyption with key k2 when conveting fom E k1 (P ) to E k2 (P ) and kg = k1 k2. If this is the most efficient F G then the effective key length of S is k, fo k K (assuming othe types of attacks do not exist on S). Hee the convesion function will not assist in any attack attempting to find the keys and/o ecove plaintexts. We ae concened with the implications when a convesion function exists fo S that is moe efficient to compute then encypting and decypting. In the emainde of this section, we descibe how the method used in the fist attack fom Section 4 can be used with a convesion function to attack a ciphe and how the wok equied in the attack is elated to the wok of the convesion function. We then define how the pobability of such an attack is elated to the potential set of keys fo the convesion function. In all cases, we deal with convesion functions in geneal, independent of whethe o not the convesion function is also a secue convesion function o a poxy function. 5.2 Application of Bithday Paadox to Symmetic Key Ciphes with a Convesion Function We now genealize the fist attack fom [9] to an attack on a symmetic key ciphe fo which a convesion function exists. Thus we pove why it is undesiable fo a symmetic key ciphe to be a convesion cypto-system if the computational and memoy esouces equied of the convesion function ae less than those equied of decypting then encypting to pefom the convesion. A symmetic key ciphe which is closed unde functional composition (which [9] addessed) is a special case of a symmetic key ciphe fo which a convesion function exists, specifically the case whee the convesion function is the encyption function. In the following, we use the tem wok to efe to the computational and memoy esouces equied. Lemma I: Fo a symmetic key ciphe S with keyspace K and encyption function E, if thee exists a function F G taking paamete kg KG, KG is known and KG = K such that k1, k2 K, a kg fo which Fkg(E G k1 (P )) = E k2 (P ) P and the wok of Fkg G is O(wok of E) then thee exists a O( K 1 2 ) known plaintext attack on S. Poof: The ciphe S is tansfomed as in Section 4 into the vaiation of the Bithday Paadox by using KA and KB as the two samples and defining intesection to mean thee is a k ai in KA and a k bj in KB such that F G k bj (E kai (P )) = E k2 (P ). The set KB is selected fom KG instead of fom K as it was in the fist attack in Section 4. Since KG = K, Equation (III) fom Section 4 holds with X = KA and Y = KB. Lemma I implies that fo any symmetic key ciphe, S = (E, D, K), with a convesion function, F G, taking a key, kg, of the same length as the key length, k, of S, the effective key length of S is equal to 1 2 k when the wok of F G is

6 46 Cook & Keomytis equivalent to E. In this case, to obtain secuity compaable to an exhaustive seach ove all keys of length k, namely O(2 k ) wok, the key length of S must be doubled to 2 k. Let K be the set of the longe keys such that fo k K, k = 2 k. Then K 1 2 = (2 2 k ) 1 2 = 2 k = K and the attack is O( K 2 1 ) = O( K ). We point out that when the most efficient convesion function consists of decypting with k1 and encypting with k2, then kg = 2 k and the effective key length of S is k. It is possible fo the effective key length of S to be less than 1 k if F G povides some speedup aside fom the squae 2 oot eduction in the numbe of keys to ty to the extent that a bute foce attack is O(2 ( 1 2 k w) ) as opposed to O(2 ( 1 2 k ) ) fo some w > 0. As long as the wok in detemining the coect kg and applying Fkg G is geate than o equal to the total wok equied in detemining k1 and k2 then decypting and encypting, the effective key length of S is k. 5.3 Attack Pobability in Relation to Key Space We now conside how the pobability of finding the pai (k1, kg) when F G is not known fo S = (E, D, K) (F G is not known aside fom ceating a complete mapping of all E k1 to E k2 k K). Let U be the potential set of pemutations in G and KU be the coesponding set of keys (indices into U). G U, KG KU, U Z and KU KZ, whee Z is the set of all pemutations on b bits. We again choose two sets of keys, this time with one set ceated fom K and one set ceated fom KU. Let KA be a set of keys chosen fom K and let KB be a set of keys chosen fom KU. When KU K, fo any element in KB, thee may o may not be an element in K that we can combine with it to obtain a key equivalent to k2. Without loss of geneality, choose KA fist. Thee ae elements in KU that can ceate a match with some element of K and KU ways to select elements fom KU such that no match is fomed. Let P [k1, k3] be the pobability of finding a k1 fom KA and a k3 fom KB, and let P [(k1, k3)] denote the pobability of not finding such a pai. (IV) P [k1, k3] = 1 P [(k 1, k 3 )] P [(k 1, k 3 )] = K K KU K K / K / KU / K 2 K with equality holding when KU = K, and P [(k1, k3) KU K ] = 1 P [(k 1, k 3 ) KU K ] 1 P [(k 1, k 3 ) KU = K ] As the expected numbe of keys to ty befoe finding a match inceases fom the O( K 1 2 ) obtained when KU = KG = K (e.g. as the size of KU inceases), the pobability of success deceases. 6 Convesion Cypto-Systems fo Symmetic Key Ciphes 6.1 Secue Convesion Constuctions In this section, we define a geneal constuction fo symmetic key secue convesion cypto-systems. Fist, we conside all symmetic key ciphes and povide two vaiations fo defining the keys in the geneal constuction. The vaiations diffe in the wokload equied of each entity and in which entities shae key mateial. Second, we povide a vaiation that is esticted to steam ciphes and offes advantages ove the geneal constuction. Recall that a convesion function can be constucted fo any symmetic key ciphe, S = (E, D, K), by defining: (V) Fkg(C) G = E k2 (D k1 (C)) k1, k1 K with kg = k1 k2 to convet E k1 (P ) to E k2 (P ). This is not a secue system unde ou definition due to the fact that the plaintext is exposed duing the convesion at the end of the decyption step. Given a symmetic key ciphe S = (E, D, K), we define the following key fomat and function fo use in ou constuctions: Let kg = (k1, k2, flag 1, flag 2 ) fo keys k1, k2 K with k1 = k2 and single bit values flag 1, flag 2. The flag i and ki values will be used to denote whethe to encypt, decypt o do nothing. A flag i value of 0 indicates to encypt with key ki and a value of 1 indicates to decypt with key ki. If ki is null, do nothing. Let H = H k (X) denote H(E, D, X, kg) and be defined as applying E o D, as indicated by kg, to X. Fom kg, k1 and flag 1 ae used fo the fist application of E o D, and k2 and flag 2 ae used fo the second application of E o D. Fo example, given a plaintext P and key kg = (k1, k2, 0, 1), the convesion function will pefom D k2 (E k1 (P )). H itself can be consideed to be a symmetic key ciphe that uses S as a building block. Using the above key fomat, we define two geneal methods fo ceating a secue convesion cypto-system fo any symmetic key ciphe. In both cases the convesion function satisfies ou definition of a poxy function. We also define a method fo ceating a secue convesion cypto-system that is specific to steam ciphes. We assume S is secue in the sense that it has an effective key length of k fo k K so, independent of the convesion functions we define, thee is no pactical attack on S. 6.2 Geneal Methods The following descibes two ways of defining the keys using the 4-item tuple fomat and opeations equied of the sende, eceive and convete to ceate a secue convesion-cypto system. Fist Method: The fist method equies each pai of the thee entities to shae some key mateial. We note that independent of ou initial pape on convesion functions [4], [8] defined this method in a geneal scheme independent of the type of ciphe (public key o pivate key) while illustating it with a public key ciphe, El Gamal. [8] neithe exploed the applications of the method when using symmetic key ciphes no the implications, such as the wokload equied of the entities and the tadeoffs between wokload, key length and secuity.

7 Convesion Functions fo Symmetic Key Ciphes 47 We define the method as the following sets of keys and computations fo the sending entity, eceiving entity and convete: (VI) Method 1: Keys: ka = (k ab, k a, 0, 0) kg = (k a, k b, 1, 0) kb = (k b, k ab, 1, 1) Computations: Sending Entity: Computes C1 = H ka (P ) on plaintext P and sends C1 to the convete. Convete: Computes C2 = H kg (C1) and sends C2 to the eceiving entity. Receiving Entity: Computes H kb (C2) to obtain P. Let A be an entity encypting data using a symmetic key ciphe S = (E, D, K) to send data to entity B. To send plaintext P fom A to B via a convete, A computes C1 = H ka (P ), which is the equivalent of the double encyption E ka (E kab (P )), and sends C1 to the convete. The convete computes C2 = H kg (C1), which is the equivalent of E kb (D ka (C1)), and sends C2 to B. To obtain P, B computes H kb (C2), which is the equivalent of the double decyption D kab (D kb (C2)). Let Fkg(X) G = H kg (X). When H is used in this manne, (H, F G ) is a secue convesion cypto-system that is a poxy cypto-system. Fkg(X) G is a secue convesion function because the convete does not expose P duing the convesion. Fkg(X) G is also a poxy function because the convete does not have sufficient infomation by which to obtain P. The disadvantages of this method ae that each pai of entities (A and B, A and the convete, and B and the convete) must shae patial key mateial and each entity incus two applications of the ciphe. While having the convete decypt and encypt is no wose in tems of wokload then what is equied in the convesion defined in (V) and povides the benefit of being a poxy function, the eceiving and sending entities must also incu two applications of the ciphe compaed to one application each when using the convesion in (V). Thee ae a couple options fo how key mateial can be used in this method when communicating when eithe endpoint, A o B, communicates with othe entities. The key shaed by an endpoint and the convete can be used fo communication between the endpoint and multiple entities. Fo example, A and the convete can use k a as thei shaed key when A sends data to anothe entity, B, though the convete. If k a is not public and B intecepts the message to B, B cannot pefom even one laye of the decyption. If k a is public, B can pefom the same decyption laye as the convete, but cannot obtain the plaintext unless it has the key, k b, belonging to B that is needed fo the second laye of decyption. Likewise, B and the convete can use k b when B sends messages to entities othe than A though the convete. If the keys shaed between the endpoints and the convete ae not public o used in multiple pais, the key, k ab, that shaed between the endpoints can be used fo communicating with multiple entities. Fo example, A can use k ab with B if B uses a key k b k b with the convete if B cannot obtain k b and if B cannot obtain k b. If eithe B o B intecept messages between the convete and the othe that oiginated fom A, neithe can evese the encyption pefomed by the convete. This public use of k ab has a downside in that if it is possible fo an advesay to access memoy within the convete as F G kg(c1) is being computed and obtain D ka (C1), then the advesay can compute D kab (D ka (C1)) and obtain P. Second Method: The second method uses onion outing [13]. This method does not equie any shaed key mateial between the convete and B in ode fo B to eceive messages fom A. (VII) Method 2: Keys: ka = (k ab, k a, 0, 0) kg = (k a, null, 1, 0) kb = (k ab, null, 1, 0) Computations: Sending Entity: Computes C1 = H ka (P ) on plaintext P and sends C1 to the convete. Convete: Computes C2 = H kg (C1) and sends C2 to the eceiving entity. Receiving Entity: Computes H kb (C2) to obtain P. Let A and B be defined as befoe. A pefoms H ka (P ) which is two encyptions to compute C1 = E ka (E kab (P )). The convete pefoms H kg (C1) to poduce C2 = D ka (C1) and B pefoms H kb (C2) to compute P = D kab (C2). Again we set Fkg(X) G = H kg (X) and (H, F G ) is a secue convesion cypto-system that is a poxy cypto-system. In this method, only the sending entity incus two applications of the ciphe. The convete incus one application of the ciphe vesus the two applications the convete pefoms in (V). Acoss the thee entities, the total wokload is equivalent to the wokload of (V). In contast to the fist method, evey pai of entities do not shae key mateial. A and the convete must shae k a. A and B must shae k ab. Even though the fist method imposes twice the wokload on each entity compaed to a single application of a ciphe; wheeas, the second method only inceases the wokload of one entity, the fist method offes a potential advantage in how the key mateial is shaed. While in both cases A and B must shae some key mateial, in the fist method no entity has the entie key of any othe entity. In the second method, A has the entie key used by each of the othe two entities. B must shae some key mateial with A in both methods. The second method does not equie shaed key mateial between B and the convete fo B to eceive messages, but they must shae key mateial if B is also sending messages. The second method povides an advantage ove both method 1 and the basic decypt-encypt appoach in how the wok is distibuted acoss the thee entities. The convete is likely to have a geate wokload than eithe A o B because the convete has to pocess all of the paiwise sessions between the entities it seves; wheeas, neithe A no B will likely be involved in evey session. By deceasing the convete s wok to one application of S, the oveall numbe of simultaneous sessions suppoted by the convete will

8 48 Cook & Keomytis likely incease in compaison to when the convete must pefom two applications of S. In most applications, inceasing A s wokload fom the one encyption incued in the basic decypt-encypt appoach to two encyptions will have less of an impact on the numbe of simultaneous sessions suppoted than when the convete must pefom an encyption and decyption. 6.3 Altenate Intepetation of Method 1 An altenative way of viewing the fist method equies a symmetic key ciphe, S, that has is stuctued as a seies of ounds. This is typical of block ciphes used in pactice. Let be the numbe of ounds in S. In the fist method, let denote unning 1 ounds of encyption using key k1 followed by 2 ounds of encyption using key k2. Let the keys be defined as befoe in Method 1. Each entity will compute two key expansions, one fo each pat of its key, use the fist key expansion fo a specified numbe of ounds and use the second key expansion fo the emaining numbe of ounds. Fo example, A will un 1 ounds of encyption with the expanded k ab and 2 = 1 ounds of encyption with the expanded k a. The convete will un 2 ounds of decyption E 1,2 k1,k2 using the expanded k a and 2 ounds of encyption using the expanded k b. B will decypt by unning 2 ounds with the expanded k b and 1 ounds with the expanded k ab. The convete equies a total of 2 (2) ounds. Setting 1 = 2 esults in each entity unning ounds. Specifically, (VIII) Altenative Vesion of Method 1: Keys: ka = (k ab, k a, 0, 0) kg = (k a, k b, 1, 0) kb = (k b, k ab, 1, 1) Computations: A computes C1 = E 1,2 k ab,k a (P ). The convete computes C2 = E 2 k b (D 2 k a (C1)). B computes P = D 2,1 k b,k ab (C2). This method is equivalent to using two applications of a educed ound vesion of the undelying ciphe, S, thus the numbe of ounds chosen fo each step must be lage enough avoid making the educed ound vesion susceptible to othe attacks. A tadeoff can be established between the wokload and secuity by adjusting the numbe of ounds. To obtain an effective key length equal to k, the effective key length of the ciphe S, set 1 = 2 =. This esults in the method being equivalent to Method 1. If the wokload of each entity is set to that of S (1 = 2 = /2 so the wok is equivalent to a single encyption o decyption of ounds), Lemma I applies and the effective key length is 1 2 k. We note that if 1 = 2 = /2 and S s key schedule ceates keys coesponding to the following: k1 : The ound keys fo the fist /2 ounds ae the same as in k ab and the ound keys fo the second /2 ounds ae the same as in k a. k2: The ound keys fo the fist /2 ounds ae the same as in k b and the ound keys fo the second /2 ounds ae the same as in k ab. k3 : The ound keys fo the fist /2 ounds poduce the same esult as when decypting /2 ounds with k a and the ound keys fo the second /2 ounds poduce the same esult as when encypting with k b. Then E k3 (E k1 (P )) = E k2 (P ) and S is closed unde functional composition. 6.4 Steam Ciphes We now define a thid method that is a constuction of a secue convesion cypto-system that is specific to steam ciphes. Let S = (E, D, K) be a steam ciphe (o a block ciphe un in a steam ciphe mode, fo example, OFB o CTR) and C = KS P, whee KS is the key steam. Then, unlike the fist two methods, it is not necessay fo A and B to shae any key mateial. (IX) Method 3: Keys: ka = (k a, null, 0, 0) kg = (k b, k a, 1, 1) kb = (k b, null, 1, 0) Computations: Sending Entity: Computes C1 = H ka (P ) on plaintext P and sends C1 to the convete. Convete: Computes C2 = H kg (C1) and sends C2 to the eceiving entity. Receiving Entity: Computes H kb (C2) to obtain P. Let KS a and KS b denote the key steams poduced by E when using k a and k b espectively. A computes C1 = H ka (P ), which is the equivalent of KS a P. The convete computes C2 = H kg (C1), which is the equivalent of KS a KS b C1. B computes H kb (P ), which is the equivalent to KS b C2. The convete can compute KS a KS b C1 without exposing the plaintext by eithe computing KS b C1 o KS a KS b fist. Thee ae seveal advantages to this constuction. Fist, A and B do not shae any key mateial. Second, P is not evealed duing the convesion. Howeve, the convete does have the infomation needed to obtain P and theefoe can be used in applications whee it needs to inspect P (such as a fiewall) and/o modify P (such as application awae NAT). To obtain P, the convete pefoms the convesion by computing KS b (KS a C), in which case this is the same as the basic method of decypting then encypting stated in (V). Thid, it is not necessay that A and B incu any ovehead elated to utilizing H in place of the undelying steam ciphe. H may be un only by the convete. A and B can just apply the steam ciphe diectly. Let Fkg(X) G = H kg (X), then (H, F G ) is a secue convesion cypto-system when the convesion is pefomed by as stated and not by computing KS a C then XORing the esult with KS b. The F G does not satisfy the definition of a poxy function because the convete has enough infomation to obtain the plaintext even though it does not do so by definition of the cypto-system. The convete is a poxy if it can only geneate the combined keysteam without knowing ka and/o kb and without knowing eithe of the individual keysteams, KS a o KS b. This may be possible if, though the use of

9 Convesion Functions fo Symmetic Key Ciphes 49 an extenal device, such as a smat cad o a secue cypto pocesso, which given ka and kb poduces the keysteam coesponding to kg, then it is possible to pefom the convesion without the convete having sufficient infomation to obtain P. Anothe option is a hadwae implementation that uns two instances of the key steam geneato and XORs thei outputs then makes the esulting key steam available fo XORing with the data. The keys may be configuable in hadwae and not accessible by any softwae applications on the convete. 6.5 Effective Key Length When designing a convesion function we do not want to educe the effective key length of the ciphe. In ou two geneal methods and the method steam ciphe specific method, the effective key length is that of the ciphe S. The wok equied of the convete in methods 1 and 3 is equal to that of encypting and decypting with the ciphe, S = (E, D, K). Assuming the wok equied when decypting is equal to the wok equied when encyption, the wokload of the convete is twice that of encyption. The length of the key, kg, used in the convesion is also twice that of S s key length. The two flag bits in kg can be consideed to be known as pat of the algoithm and do not count as key bits which an attacke will need to detemine. Even though we fomally define H as the ciphe in the cypto-system, we want the effective key length to be that of the undelying ciphe S since ou pupose of defining the cypto-system is to povide a mechanism fo a secue convesion (and poxy function) fo S. By Lemma I, fo the cypto-systems defined in the fist and thid methods, thee exists an attack which is 2( K 2 ) 1 2 = 2 K and thus K eff = k. Theefoe, both methods 1 and 3 ae the best possible in tems of secuity vesus key length. In the second method, the convete will need a key of length 2 k to obtain the plaintext because of the double encyption by A. By the definition of method 2, we ae using onion outing and not poviding a function which deceases the amount of wok needed to convet between keys k1 and k2. The actual computations that allow the convesion in method 2 can be viewed as being split between A and the convete, with each pefoming one of the two applications of S needed fo the convesion. Thus the wokload is no diffeent than if the convesion was pefomed by decypting with k1 then encypting with k2. 7 Applications In existing applications that convet ciphetext via the basic mode of decypting then encypting, whethe o not the plaintext is accessible tempoaily duing the convesion (in pat due to intemediate esults being witten to memoy) depends on the application and implementation. With a secue convesion cypto-system, it is not a concen if intemediate esults ae witten to tempoay files o insecue memoy duing the convesion because it is still encypted unde one key. Applications whee a convesion that is faste than decypting and encypting would be valuable include VPN gateways and cases whee an entity needs to distibute data o communicate with multiple uses without establishing paiwise keys o shaing the same key with multiple entities. Examples of this latte case include file distibution systems, and online chat. In cases whee the convete is tusted o equies access to the plaintext, a basic convesion cypto-system in which the convete can access the plaintext is beneficial ove pefoming the convesion by decypting then encypting only if the convesion function is moe computationally efficient then decypting and encypting. Fo the convete to be tusted, in must be ensued that the convete does not pemit access to the plaintext by any pocess o fo any eason othe than that equied by the convesion pocess. Fo example, thee must not be a theat of malwae on the convete accessing memoy to which the plaintext is witten as an intemediate esult duing the convesion. Howeve, as we showed, any gains in efficiency that a convesion cypto-system offes ove decypting then encypting imply a decease in secuity. Even without efficiency gains, a convesion cypto-system is useful if the application involves a convete which must seve as a secue convete o poxy in some cases while equiing access to the plaintext in othe cases. This can be accomplished by defining the entities accoding to one of the methods which povides a secue convesion o poxy and poviding the full key mateial used by the sending entity to the convete when needed to allow the convete access to the plaintext. Scenaios whee a convete may need to inspect packets include gateways poviding fiewall and/o application-awae NAT functionality. In the case of a fiewall, packet inspection is needed and the plaintext may be alteed if malicious content must be emoved. In application-awae NAT, IP addesses embedded in the application s data ae eplaced. Fo example, in VoIP sevices, NAT may be pefomed by the sevice povide on the IP addesses of the calle and called paty contained within the VoIP potocol (such as SIP). A scenaio whee the convete does not need to inspect packets is a file system in which the files ae encypted unde one key and sent to a equesting use encypted with the use s key. In such an application, a poxy function is useful even if it incus ovehead not pesent in the basic decypting then encypting appoach because it ensues the file contents ae not obtained by unauthoized uses fom the convete. Given that the convete may be using the same esouces as the uses who stoe and access the files, the chances of malicious activity can be highe than fo a convete executing on a system to which no uses have access, thus inceasing the need fo a poxy function. The main disadvantage of ou two geneal methods in Section 6 is that the sending entity, A, and eceiving entity, B, must shae key mateial, which esults in implementation issues. If the convete needs to inspect some of the packets (thus a basic convesion cypto-system is needed instead of a secue convesion cypto-system), eithe the convete must establish the key mateial shaed between A and B, o A and B must establish shaed key mateial on thei own and then send the necessay key mateial to the convete. If the convete must be secue o act as a poxy, then if A and B can establish a shaed key, it can be agued thee is no need fo a convesion entity unless it is used in peventing taffic analysis since now the convete does not inspect o alte the data but just convets it to ciphetext which B can decypt. In such cases it is not advisable fo the convete to establish the key mateial and send it to A and B because then the convete has all of the key mateial and can obtain the plaintext even though it may not do so if the algoithm is