Lecture Note 05 Date:

Transcription

1 P.Lafourcade Lecture Note 05 Date: Security models 1st Semester 2008/2009 MANGEOT Guillaume ROJAT Antoine THARAUD Jrmie Contents 1 Block Cipher Modes Electronic Code Block (ECB) [Dwo01] Cipher Block Chaining (CBC) [Dwo01] Cipher Feedback Mode (CFB) [Dwo01] Output Feedback Mode (OFB) [Dwo01] Attack on ECB The symmetric encryption scheme Adversary Attack on CBC Security Attack on CBC : Initial value weakness regarding Indinstinguishability Recalls Attack on weak IV Conclusion Hibrid encryption Goals Mechanism Security Hash Functions Main idea OAEP Main idea Description Encryption Decryption Exercise correction 13 1

2 1 Block Cipher Modes A block cipher is a symmetric key cipher operating on fixed-length groups of bits called blocks with an unvarying transformation. Because messages may be of any length, and because encrypting the same plaintext under the same key always produces the same output, it exists several modes of operation which allow block ciphers to provide confidentiality for messages of arbitrary length. 1.1 Electronic Code Block (ECB) [Dwo01] In ECB encryption,the forward cipher function ( Block Cipher Encryption ) is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the ciphertext. In ECB decryption, the inverse cipher function ( Block Cipher Decryption ) is applied directly and independently to each block of the ciphertext. The resulting sequence of output blocks is the plaintext. In ECB encryption and ECB decryption, multiple forward cipher functions and inverse cipher functions can be computed in parallel. 2

3 The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks. It is unsecure and should not be used if this property is undesirable. 3

4 1.2 Cipher Block Chaining (CBC) [Dwo01] In the cipher-block chaining mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. The first block of the message is XORed with an initial value (IV). CBC encryption : C 0 = IV C i = E k (P i C i 1 ) In CBC encryption, the input block to each forward cipher operation (except the first) depends on the result of the previous forward cipher operation, so the forward cipher operations cannot be performed in parallel. CBC decryption : C 0 = IV P i = D k (C i ) C i 1 In CBC decryption, the input blocks for the inverse cipher function are immediately available, so that multiple inverse cipher operations can be performed in parallel. CBC is the most commonly used mode of operation. 4

5 1.3 Cipher Feedback Mode (CFB) [Dwo01] The Cipher Feedback mode is a confidentiality mode that features the feedback of successive ciphertext segments into the input blocks of the forward cipher to generate output blocks that are XORed with the plaintext to produce the ciphertext, and vice versa. This mode is a close relative of CBC : C 0 = IV C i = E k (C i 1 ) P i P i = D k (C i 1 ) C i In CFB encryption, like CBC encryption, the input block to each forward cipher function (except the first) depends on the result of the previous forward cipher function; therefore, multiple forward cipher operations cannot be performed in parallel. In CFB decryption, the required forward cipher operations can be performed in parallel if the input blocks are first constructed (in series) from the IV and the ciphertext. Compared to CBC mode, CFB mode has a better resistance in errors introduction. 5

6 1.4 Output Feedback Mode (OFB) [Dwo01] The output feedback mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Algorithm : O 0 = IV O i = E k (O i 1 ) C i = P i O i P i = C i O i Encryption and decryption are the same because of the symmetry of the XOR operation. In both OFB encryption and OFB decryption, each forward cipher function (except the first) depends on the results of the previous forward cipher function; therefore, multiple forward cipher functions cannot be performed in parallel. The OFB mode requires a unique IV for every message that is ever encrypted under the 6

7 given key. If not, the confidentiality of those messages may be compromised.confidentiality may also be compromised if any of the input blocks to the forward cipher function for the encryption of a message is designated as the IV for the encryption of another message under the given key. Changing a bit in the ciphertext changes a bit in the plaintext at the same location, so many error correcting codes function normally, even when applied before encryption. 2 Attack on ECB 2.1 The symmetric encryption scheme The encryption fonction of the scheme is the following : E : K (0, 1) n (0, 1) n. The symmetric encryption scheme is (K, E, D). This scheme encrypts block of size n bits. 2.2 Adversary The left-right function LR(x, y, b) = { x if b=1 y if b=0 We will build an adversary A with a high IND-CPA advantage. According to the description of ECB, if we have two similar block in the plain text, ECB will produce two similar cipher texts. So if we choose two messages as follows : 0 n 0 n and 0 n 1 n. The adversary is the following : Adversary : A E K(LR(..,..,b)) m 0 0 n 0 n m 1 0 n 1 n C E K (LR(m 0, m 1, b)) {The message C is composed by two blocks of n bits : C 0 and C 1 } if C 0 = C 1 then b 0 else b 1 end if return b We will now prove the following assertion : Adv IND-CPA (A) = 1. By definition we have : Adv IND-CPA (A) = Pr[Exp IND CP A 0 (A) = 1] Pr[Exp IND CP A 1 (A) = 1] If b = 1 then the encryption returns C = E K (0 n ) E K (0 n ). So we have C 0 = C 1 and the adversary will return 1. 7

8 If b = 0 then the encryption returns C = E K (0 n ) E K (1 n ). So we have C 0 C 1 and the adversary will return 0. That is why we have Pr[Exp IND CP A 1 (A) = 1] = 1 Pr[Exp IND CP A 0 (A) = 1] = 0. The previous assertion shows that the ECB scheme is insecure. That is why it should not be used for designing crypto-systems. For a funny example of ECB weakness see sharmaarchive blockciphers-simple-attack-on-ecb-mode.aspx. 3 Attack on CBC 3.1 Security The CBC design for symmetric encryption seems more secure than ECB. Indeed, there is a mix between what has been enrypted before, the key and the current plain text block. More or less this ensure that a given cipher text block depends on every previous block. But for the first step of the encryption, we need to chose an initial value (IV). This choice has to be done very carefully. Indeed, in the next section will describe an attack based on the property of IV. 3.2 Attack on CBC : Initial value weakness regarding Indinstinguishability Recalls The CBC scheme for encryption works as follows : A cipher block is encrypted as follows : C i = E k (P i C i 1 ) for i 0, and C 0 = IV 8

9 3.2.2 Attack on weak IV The attack is based on a predictible initial value. In order to simplify, we will consider that the first IV (IV 0 ) is 0 and then each time we encrypt a new message, IV i+1 IV i + 1. The plain texts will be of size 2n : M i = M i,0.m i,1. The Adversary we will used is the following : Adversary : AE K (LR(..,.., b)) m 1,0 0 n m 1,1 0 n m 2,0 0 n m 2,1 0 n 1 1 < IV 1, C 1 > r E K (LR(m 1,0, m 2,0, b)) < IV 2, C 2 > r E K (LR(m 1,1, m 2,1, b)) if C 1 = C 2 then b 0 else b 1 end if return b We will now prove that : Adv IND-CPA (A) = 1. Remark We need to prove that the algorithm of the attacker is deterministic and that it outputs the correct answer. Let s compute the two following probabilities : Pr[Exp IND CP A 1 (A) = 1]. Pr[Exp IND CP A 2 (A) = 1]. Pr[Exp IND CP A 1 (A) = 1] this is b = 1: So we will encrypt m 1,0 and then m 1,1 : C 1 = E K (IV 1 m 1,0 ) = E K (0 0) = E K (0) C 2 = E K (IV 2 m 1,1 ) = E K (1 0) = E K (1) So we obtain : C 1 C 2 and the adversary will answer 1. Pr[Exp IND CP A 2 (A) = 1] this is b = 0: So we will encrypt m 1,0 and then m 1,1 : C 1 = E K (IV 1 m 2,0 ) = E K (0 0) = E K (0) C 2 = E K (IV 2 m 2,1 ) = E K (1 1) = E K (0) So we obtain : C 1 = C 2 and the adversary will answer 0. We can conclued that : Pr[Exp IND CP A 1 (A) = 1] = 1 and Pr[Exp IND CP A 2 (A) = 1] = 0. This proves the assertion. 9

10 3.2.3 Conclusion The mechanism of this attack can be generalized : we only need to know how the IV evolves and we perform some modifications on the chosen plaintexts. That is why we need to choose very carefully the IV. 4 Hibrid encryption 4.1 Goals The idea of the hibrid encryption schemes is to combine the advantages of the symmetric and the assymetric cryptosystems : Speed for the symmetric cryptosystems Security for the assymetric cryptosystems 4.2 Mechanism We consider two cryptosystem : E S K = (KS, E S K, DS K ) and E A K=p k,s k = (K A, E A p k, D A s k ). And we use those two cryptosystems to build HE : Encryption :E HE Input :E HE K K S C S E S K (M) C A E A p k (K) C (C A, C S ) return C The symmetric key used for fast encryption is encrypted using a assymetric (secure) cryptosystem. And then the plaintext is encrypted using a symmetric encryption scheme (fast). Decryption :D HE Input :C (C A, C S ) parse(c) K D A s k (C A ) M D S K (CS ) return M The receiver can reteive the key used for fast encryption/decryption by decrypting the assymetric block of the cipher text. Then the receiver is able to decrypt efficiently the cipher text using a symmetric cryptosystem. Remark The receiver and the sender nee to agree on the size of the assymetric part of the ciphertext. 10

11 4.3 Security The security of the hibrid encryption scheme releies on the security of the symmetric and the assymetric encryption schemes used for building it. The idea of the formalism regarding the security of such schemes is the following : Security(HE) Security(HE S ) + Security(HE A ) For example, we can prove the following property : If A and S are both secure against chosen-plain-text attack, then HE is also secure against chosen-plain-text attack. Let B be an IND-CPA adversary attacking HE. Then there exist IND-CPA adversaries A 00,01, A 11,10 attacking AE, and an adversary A attacking, such that: We will use the following notation : P (α, β) = P r[exp αβ HE (B) = 1]. We have : Adv IND-CPA HE (B) = P (1, 0) P (0, 0) And P (1, 0) P (0, 0) = [P (1, 0) P (1, 1)] + [P (1, 1) P (0, 1)] + [P (0, 1) P (0, 0)]. Using the definition of the different advantages, we obtain : 1. Adv IND-CPA A (A 11,10 ) P (1, 0) P (1, 1) 2. Adv IND-CPA S (A) P (1, 1) P (0, 1) 3. Adv IND-CPA A (A 00,01 ) P (0, 1) P (0, 0) This leads to the conclusion. From the previous inequalities we have Adv IND-CPA HE (B) Adv IND-CPA A (A 11,10 ) + Adv IND-CPA S (A) + Adv IND-CPA A (A 00,01 ) As we supposed that A and S were secure, Adv IND-CPA HE (B) is negligeable and HE is secure. If you want further details you may look at [HK07] and [EHHA99] (the second one is not freely available). 5 Hash Functions 5.1 Main idea A cryptographic hash function takes as input an arbitrary block of data and returns a fixed-size bit string with two means: padding compressing A cryptographic hash function should respect: 11

12 can t be inversed (Preimage resistance) can t find another source for the same image (Second preimage resistance) without collision (Collision resistance) non malleable, doesn t keep the structure of the source Cryptographic hash functions are useful to: build an all-or-nothing transform zero-knowledge protocol oneway algorithm in general signing 6 OAEP 6.1 Main idea First of all as Padding algorithm, its first aim is to complete the message length to the maximum determined size with random adds. It s useful to be used by an algorithm which need a fixed size to be computed, without adding redundancy in the plaintext. Its scheme look likes a feistel scheme using two hash function But there are two other great properties: 1. the adding of randomness, convert the deterministic encryption scheme into a probabilistic scheme 2. prevent partial decryption of ciphertexts or other information by ensuring that nobody can recover any portion of the plaintext without being able to invert the trapdoor one-way permutation This last property, allows the OAEP algorithm to be used to build an all-or-nothing transform 6.2 Description M is the plaintext message G and H are two hash function r is a random nonce seed 12

13 6.2.1 Encryption OAEP(M) = [(M + G(r)) ((r + H(M + G(r)))] Decryption OAEP(M) = c1 c2 M = c1 + G(H(c1) + c2) To get more information, you sould see: [BR95] [Sho01] [FOPS00] [PV06]. 7 Exercise correction Soon available 13

14 References [BR95] [Dwo01] M. Bellare and P. Rogaway. Optimal Asymmetric Encryption How to encrypt with RSA. Extended abstract in Advances in Cryptology - Eurocrypt 94 Proceedings, LNCS Vol. 950, A. Springer-Verlag, Morris Dworkin. Recommendation for block cipher modes of operation. NIST Special Publication, A:66, [EHHA99] Mahmoud Taher El-Hadidi, Nadia Hamed Hegazi, and Heba Kamal Aslan. Performance evaluation of a new hybrid encryption protocol for authentication and key distribution. Computers and Communications, IEEE Symposium on, [FOPS00] [HK07] [PV06] Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. Rsa-oaep is secure under the rsa assumption. Cryptology eprint Archive, Report 2000/061, Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In Alfred Menezes, editor, CRYPTO, Lecture Notes in Computer Science. Springer, P. Paillier and J. Villar. Trading one-wayness against chosen-ciphertext security in factoring-based encryption [Sho01] Victor Shoup. Oaep reconsidered. september