Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Transcription

1 Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University

2 Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS? Voice? Video? HTML? Javascript? Powerpoint slides? Financial data?

3 Building a privacy-providing primitive What kind of communication? SMS? Voice? Video? HTML? Javascript? Powerpoint slides? Financial data? All of that, and maybe other things, too.

4 Building a privacy-providing primitive What kind of communication? SMS? Voice? Video? HTML? Javascript? Powerpoint slides? Financial data? Private from whom? A nosey eavesdropper, sniffing wireless packets in a coffee shop? A business competitor, who pays an ISP to send your traffic for some analysis? A nation/state agency, with huge computing resources and lots of side information? From the most powerful attacker you can manage.

5 Building a privacy-providing primitive What kind of communication? SMS? Voice? Video? HTML? Javascript? Powerpoint slides? Financial data? Private from whom? A nosey eavesdropper, sniffing wireless packets in a coffee shop? A business competitor, who pays an ISP to send your traffic for some analysis? A nation/state agency, with huge computing resources and lots of side information? What do you mean by private? No one (other than Bob) can recover the full contents of the communication? No one can recover more than 1/2 of the contents? (Does it matter which ½?) No one can determine the type of the communication? (e.g. financial data vs. HTML) You are annoying! Just make it work, and make sure it is fast, too.

6 arbitrary data Alice s Box private data communication Bob s Box recovered data API of Alice s Box Inputs: 1. bitstrings of any length API of Bob s Box Inputs: 1. bitstrings of any length Outputs: bitstrings of any length (but as short as possible to save communication costs) Outputs: bitstrings of any length

7 secret secret arbitrary data Alice s Box private data communication Bob s Box recovered data API of Alice s Box Inputs: 1. bitstrings of any length 2. something that the adversary does not know (the secret ) Outputs: bitstrings of any length (but as short as possible to save communication costs) API of Bob s Box Inputs: 1. bitstrings of any length 2. something that the adversary does not know (the secret ) Outputs: bitstrings of any length

8 secret secret arbitrary data Alice s Box private data communication Bob s Box recovered data API of Alice s Box Inputs: 1. bitstrings of any length 2. something that the adversary does not know (the secret ) Outputs: bitstrings of any length (but as short as possible to save communication costs) API of Bob s Box Inputs: 1. bitstrings of any length 2. something that the adversary does not know (the secret ) Outputs: bitstrings of any length Should we assume that the adversary does not know the algorithms inside of Alice and Bob s boxes? NO.

9 key key arbitrary data Alice s Box private data communication Bob s Box recovered data API of Alice s Box Inputs: 1. bitstrings of any length 2. a (short) secret key Outputs: bitstrings of any length API of Bob s Box Inputs: 1. bitstrings of any length 2. a (short) secret key Outputs: bitstrings of any length

10 key key arbitrary data Encryption E private data communication Decryption D recovered data API of Encryption Inputs: 1. bitstrings of any length 2. a (short) secret key Outputs: bitstrings of any length API of Decryption Inputs: 1. bitstrings of any length 2. a (short) secret key Outputs: bitstrings of any length

11 An Encryption Scheme is a triple of algorithms Key-generation algorithm Encryption algorithm Decryption algorithm key plaintext ciphertext invalid

12 An Encryption Scheme is a triple of algorithms Key-generation algorithm Encryption algorithm May be randomized or stateful Decryption algorithm Always deterministic

13 An Encryption Scheme is a triple of algorithms Key-generation algorithm Encryption algorithm Decryption algorithm Correctness condition: For all K,M, if E K (M)?, then Pr[ D K (E K (M)) = M ] = 1 over coins of encryption alg.

14 Developing a notion of privacy 1. What might the adversary try to achieve? 2. What can the adversary do in its attack? GOAL POWER

15 Developing a notion of privacy 1. What might the adversary try to achieve? GOAL Adversary tries to: recover the key recover the plaintext determine if this plaintext was sent before determine the most significant bit of the plaintext determine if the first and last half of the plaintext are the same 2. What can the adversary do in its attack? POWER

16 Developing a notion of privacy 1. What might the adversary try to achieve? GOAL Adversary tries to: recover the key recover the plaintext determine if this plaintext was sent before determine the most significant bit of the plaintext determine if the first and last half of the plaintext are the same 2. What can the adversary do in its attack? Adversary can: observe ciphertexts observe plaintexts and ciphertexts POWER pick the plaintexts, and then see the corresponding ciphertexts adaptively pick the plaintexts, and see the corresponding ciphertexts + make up ciphertexts and see their decryptions

17 Developing a notion of privacy 1. What might the adversary try to achieve? GOAL Adversary tries to: recover the key recover the plaintext determine if this plaintext was sent before determine the most significant bit of the plaintext determine if the first and last half of the plaintext are the same 2. What can the adversary do in its attack? Adversary can: observe ciphertexts observe plaintexts and ciphertexts POWER pick the plaintexts, and then see the corresponding ciphertexts adaptively pick the plaintexts, and see the corresponding ciphertexts + make up ciphertexts and see their decryptions

18 adaptive chosen-plaintext adversary encryption oracle Communication is private if Adversary can t recover the key

19 adaptive chosen-plaintext adversary encryption oracle Communication is private if Adversary can t recover the key "

20 adaptive chosen-plaintext adversary encryption oracle Communication is private if Adversary can t recover the key " Adversary can t recover the plaintext

21 adaptive chosen-plaintext adversary encryption oracle Communication is private if Adversary can t recover the key " Adversary can t recover the plaintext "

22 adaptive chosen-plaintext adversary encryption oracle Communication is private if Adversary can t recover the key " Adversary can t recover the plaintext " Any information about the plaintexts that an efficient adversary can compute given the ciphertexts, could have been efficiently computed without the ciphertexts.

23 Indistinguishability of ciphertexts under an adaptive chosen-plaintext attack (IND-CPA) These must be the same length b random bit b

24 Indistinguishability of ciphertexts under an adaptive chosen-plaintext attack (IND-CPA) These must be the same length b random bit b Adversarial resources : the number of oracle queries, the total length in bits of the queries, the time-complexity of the adversary,

25 Exploring IND-CPA We say is IND-CPA secure if the IND-CPA advantage is small for all resource efficient adversaries example: adversaries A with achieve advantage at most But what small and reasonable mean is up to the user!

26 Can this scheme be IND-CPA secure? Exploring IND-CPA

27 Exploring IND-CPA Can this scheme be IND-CPA secure? Adversary A: fix distinct strings of the same length ask query if oracle response then return 0 else return 1

28 Exploring IND-CPA Can any deterministic scheme be IND-CPA secure? EXERCISE! If you think yes, then you must give a deterministic scheme and prove it is IND-CPA secure If you think no, then you must show that, for any deterministic scheme, there exists an efficient attack that gains large IND-CPA advantage

29 Exploring IND-CPA Can any deterministic scheme be IND-CPA secure? NO Adversary A: fix distinct strings of the same length ask query, receiving in return ask query, receiving in return if then return 0 else return 1

30 An alternative definition of privacy: Real or Random (RoR-CPA) Adversarial resources : the number of oracle queries, the total length in bits of the queries, the time-complexity of the adversary,

31 Which notion is better : RoR-CPA or IND-CPA?

32 Claim: Any encryption scheme is also RoR-CPA secure that is IND-CPA secure,

33 Claim: Any encryption scheme is also RoR-CPA secure that is IND-CPA secure, Proof idea: show the contrapositive, if a scheme RoR-CPA secure, then it is not IND-CPA secure. is not

34 Claim: Any encryption scheme is also RoR-CPA secure that is IND-CPA secure, Proof idea: show the contrapositive, if a scheme RoR-CPA secure, then it is not IND-CPA secure. is not Let A be an efficient RoR-CPA adversary, gaining advantage We build an efficient IND-CPA adversary B, that runs A as a black-box subroutine, that gains advantage

35 Claim: Any encryption scheme is also RoR-CPA secure that is IND-CPA secure, Proof idea: show the contrapositive, if a scheme RoR-CPA secure, then it is not IND-CPA secure. is not Let A be an efficient RoR-CPA adversary, gaining advantage We build an efficient IND-CPA adversary B, that runs A as a black-box subroutine, that gains advantage Conclusion: if is small for all efficient B, then must be small, too

36 So, we start with an RoR-adversary A that gains some RoR advantage

37

38 A! B! Want to build a good IND-CPA adversary B! by running A and simulating its expected experiment

39 M! A! B!

40 M! A! B!

41 M! A! B!

42 C! M! A! B!

43 d! A! B!

44 d! A! B! d! Thus, B perfectly simulates A s expected experiment and will win whenever A wins

45 And hence, as we claimed.

46 So we say IND-CPA security implies RoR-CPA security What about the other way around?

47 Claim: Any encryption scheme is also IND-CPA secure that is RoR-CPA secure, Proof idea: show the contrapositive, if a scheme IND-CPA secure, then it is not RoR-CPA secure. is not

48 Claim: Any encryption scheme is also IND-CPA secure that is RoR-CPA secure, Proof idea: show the contrapositive, if a scheme IND-CPA secure, then it is not RoR-CPA secure. is not Let A be an efficient IND-CPA adversary, gaining advantage We build an efficient RoR-CPA adversary B, that runs A as a black-box subroutine, that gains advantage Conclusion: if is small for all efficient B, then must be small, too

49 Claim: Any encryption scheme is also IND-CPA secure that is RoR-CPA secure, Proof idea: show the contrapositive, if a scheme IND-CPA secure, then it is not RoR-CPA secure. is not Let A be an efficient IND-CPA adversary, gaining advantage We build an efficient RoR-CPA adversary B, that runs A as a black-box subroutine, that gains advantage AT HOME EXERCISE: try to write the proof Conclusion: if is small for all efficient B, then must be small, too

50 So we say IND-CPA security implies RoR-CPA security And RoR-CPA security implies IND-CPA security, too (Although the two directions are not equally tight )

51 There are a variety of definitions of IND-CPA that are all qualitatively equivalent: Left-or-Right IND-CPA Real-or-Random IND-CPA Real-or-0s IND-CPA Find-then-Guess IND-CPA Semantic security Although not all of the reductions have the same quantitative tightness Check out [Bellare, Desai, Pointcheval, Rogaway]

52 So, now we have -- a precise syntax for the object we want to build -- a precise target security notion, left-or-right IND-CPA How should we build this thing?

53 Perfect encryption There does exist one perfect symmetric encryption scheme: One Time Pad random bits (key) plaintext message random ciphertext bits (independent of message) all ciphertexts are equally likely Sadly, requires a stream of secret random bits as long as the length of all messages you want to send.

54 Approximating One-Time Pad Perhaps we can turn a short secret key into computationally indistinguishable from random bits plaintext message computationally indistinguishable from random bits

55 Intuitively, making small blocks of random-looking bits should be easier (at least, not harder) than making a long string all at once computationally indistinguishable from random bits plaintext message computationally indistinguishable from random bits So we need a function that outputs small blocks of random looking bits

56 Consider the set, the family of all functions mapping n-bit strings to n-bit strings

57 Consider the set, the family of all functions mapping n-bit strings to n-bit strings Two equivalent viewpoints on picking a random function 1. Sampling an element of everything-to-zero map identity map f

58 Consider the set, the family of all functions mapping n-bit strings to n-bit strings Two equivalent viewpoints on picking a random function 1. Sampling an element of It s not hard to see that everything-to-zero map identity map f

59 Consider the set, the family of all functions mapping n-bit strings to n-bit strings Two equivalent viewpoints on picking a random function 1. Sampling an element of 2. fill in the function table lazily everything-to-zero map identity map f

60 Imagine we could sample and then encrypt via plaintext message ciphertext we get one-time pad! But there s still a catch. (What is the size of the key for this encryption scheme?)

61 Imagine we could sample and then encrypt via plaintext message ciphertext we get one-time pad! But there s still a catch. bits of key

62 Pseudorandom Functions (PRFs) Let be viewed as a keyed function family F K! or f! X Y My oracle is

63 Counter-mode encryption over a function family F (CTR[F]) Initialization: means: add 2 to ctr, encode as an n-bit string hctri n hctr+1i n hctr+2i n hctr+(b-1)i n F K! F K! F K! F K! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b For the next message, update the encryption scheme state: ctr ctr + b

64 Claim: If (counter-mode over F) is IND-CPA secure. is a secure PRF, then hctri n hctr+1i n hctr+2i n hctr+(b-1)i n F K! F K! F K! F K! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b

65 Claim: If (counter-mode over F) is IND-CPA secure. is a secure PRF, then Proof idea: break the proof into two steps 1. replace F K with a random function f, and argue that any adversary that can detect this can break PRF-security of F hctri n hctr+1i n hctr+2i n hctr+(b-1)i n F K! F K! F K! F K! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b

66 Claim: If (counter-mode over F) is IND-CPA secure. is a secure PRF, then Proof idea: break the proof into two steps 1. replace F K with a random function f, and argue that any adversary that can detect this can break PRF-security of F hctri n hctr+1i n hctr+2i n hctr+(b-1)i n f! f! f! f! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b

67 Claim: If (counter-mode over F) is IND-CPA secure. is a secure PRF, then Proof idea: break the proof into two steps 1. replace F K with a random function f, and argue that any adversary that can detect this can break PRF-security of F 2. analyze IND-CPA security of

68 (for reference)

69 So, we start with an IND-CPA adversary that gains some IND-CPA advantage in attacking CTR[F]

70 Now we add a useful version of 0 to the right side

71

72 I claim that:

73 I claim that:

74 I claim that: If PRF bit b=1: B simulates IND-CPA experiment for CTR[F],! And outputs 1 if A guesses the bit

75 I claim that: If PRF bit b=1: B simulates IND-CPA experiment for CTR[F],! And outputs 1 if A guesses the bit If PRF bit b=0: B simulates IND-CPA experiment for CTR[Func(n,n)],! And outputs 1 if A guesses the bit

76 I claim that: If PRF bit b=1: B simulates IND-CPA experiment for CTR[F],! And outputs 1 if A guesses the bit If PRF bit b=0: B simulates IND-CPA experiment for CTR[Func(n,n)],! And outputs 1 if A guesses the bit

77 I claim that: So by subtracting probabilities on the left side Adv prf F Pr(Exp ind-cpa CTR[F ](A) = 1) Pr(Expind-cpa =Pr(Exp prf F = (Pr(Expprf F CTR[Func(n,n)] (A) = 1) (B) =1 b = 1) + Pr(Expprf(B) =1 b = 0) 1 (B) =2Pr(Expprf(B) = 1) 1 F (B) =1 ^ b = 1) + Pr(Expprf F (B) =1 ^ b = 0)) 1/2 F 1

78

79

80 I claim: Proof sketch: all ciphertexts are independent of the IND-CPA experiment bit! So probability of guessing the bit is at most 1/2

81 And we re done.

82 I want to implement this. What should I use for F K? CTR[F] hctri n hctr+1i n hctr+2i n hctr+(b-1)i n F K! F K! F K! F K! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b Recall So any keyed, n-bit to n-bit function will do

83 Use a blockcipher, like AES. CTR[AES] hctri 128 hctr+1i 128 hctr+2i 128 hctr+(b-1)i 128 AES K! AES K! AES K! AES K! M 1 M 2 M 3 M b C 0 C 1 C 2 C 3 C b Recall: AES: {0, 1} 128 {0, 1} 128! {0, 1} 128

84 Wait blockciphers are not just function families, they are permutation families How does relate to?

85 Consider the set, the family of all permutations over n-bit strings Two equivalent viewpoints on picking a random permutation 1. Sampling an element of 2. fill in the permutation table lazily identity map π

86 Pseudorandom Permutations (PRPs) Let be viewed as a keyed function family E K! or π X Y My oracle is

87 The PRP-PRF Switching Lemma Let be viewed as a keyed function family Let A be an adversary, asking q queries to its single oracle. Then

88 The PRP-PRF Switching Lemma Let be viewed as a keyed function family Let A be an adversary, asking q queries to its single oracle. Then So, for example,

89 What about cipher-block-chaining (CBC) mode? CBC mode appears in IPSec, SSH, TLS, M 1 M 2 M 3 IV E K E K E K C 0 C 1 C 2 C 3 How to handle the IV? Fixed IV? Counter IV? Random IV?

90 CBC with a fixed IV b,(m 0,M 1 ),(M 0,M, 1 ) (Parse message M b into blocks) 0 n f f f b CBC f (M b ), CBC f (M b ), C 0 C 1 C 2 C 3 Can the adversary easily guess the bit?

91 CBC with a counter IV b,(m 0,M 1 ),(M 0,M, 1 ) (Parse message M b into blocks) hctri f f f b CBC f (M b ), CBC f (M b ), C 0 C 1 C 2 C 3 Can the adversary easily guess the bit?

92 Claim: If is a secure PRF, then (CBC-mode, with a random IV, over F) is IND-CPA secure. Proof idea: break the proof into two steps 1. replace F K with a random function f, and argue that any adversary that can detect this, can break PRF-security of F 2. analyze IND-CPA security of

93 (Proof Sketch) M 1 M 2 M 3 $ f f f C 0 C 1 C 2 C 3 Until f is called on the same value twice, the ciphertext blocks are random and independent of the message blocks. There are µ/n chances for an f-domain collision

94 Privacy? " What about authenticity? Authenticity: Alice wants to be sure she s received Bob s message K K M C C M C C Is C an authentic ctxt from Bob? Might alter the ciphertext Is M an authentic ptxt from Bob?

95 Privacy? " What about authenticity? Authenticity: Alice wants to be sure she s received Bob s message K K M C C M C C Is C an authentic ctxt from Bob? Might alter the ciphertext Is M an authentic ptxt from Bob?

96 First of all, we need a syntactic addition (New primitive, new syntax!) Key-generation algorithm Encryption algorithm Decryption algorithm Decryption now has the ability to complain

97 Folklore idea: add redundancy to encryption append a block of all zeros to every message M 1 M 2 M 3 0 n random IV E K E K E K E K C 0 C 1 C 2 C 3 C 4 Decryption: just like CBC, except return? if last block isn t all zeros

98 M 1 = 0 n M 2 = 0 n M 3 = 0 n 0 n random IV E K E K E K E K C 0 C 1 C 2 C 3 C 4 Can you forge an authentic ciphertext? C 0 C 1 C 2 C 3 decrypts properly, and so is authentic by the if-it-decrypts-the-authentic measure

99 So what s wrong? It s not that CBC-mode is bad, it s just that traditional encryption schemes have been designed to provide PRIVACY ONLY

100 ( This can be made to work (more later) M 1 M 2 M ??? C 1 C 2 C 3 C 4 )

101 A notion of authenticity : Integrity of Ciphertexts (INT-CTXT) random bit b M C

102 A notion of authenticity : Integrity of Ciphertexts (INT-CTXT) random bit b M C Adversarial resources : the number of oracle queries, the total length in bits of the queries, the time-complexity of the adversary,

103 A notion of authenticity : Integrity of Ciphertexts (INT-CTXT) random bit b M C To prevent trivial wins of the game, adversary is forbidden to ask C of the right oracle if C was returned by the left oracle

104 Folklore idea: add redundancy to encryption append a block of all zeros to every message M 1 M 2 M 3 0 n random IV E K E K E K E K C 0 C 1 C 2 C 3 C 4 Decryption: just like CBC, except return? if last block isn t all zeros

105 Folklore idea: add redundancy to encryption append a block of all zeros to every message M 1 M 2 M 3 0 n random IV E K E K E K E K C 0 C 1 C 2 C 3 C 4 Decryption: just like CBC, except return? if last block isn t all zeros EXERCISE: Can you forge an authentic ciphertext, and win the INT-CTXT game?

106 Building a simple INT-CTXT secure encryption scheme Let be a function family. Define an encryption scheme Π[ F ] as follows:

107 Claim: if is a secure PRF, then Π[F] is an INT-CTXT secure encryption scheme Proof idea: break the proof into two steps 1. replace F K with a random function f, and argue that any adversary that can detect this can break PRF-security of F! 2. analyze INT-CTXT security of

108

109 If the bit b in the PRF experiment is 1 (resp. 0), then B simulates the INT-CTXT experiment for Π[F] (resp. Π[Func(*,n)]

110

111 Consider f is a random function

112 Consider f is a random function Decryption cases 0. (X, T) old: not allowed (i.e. T not the tag previously returned with X) 1. X old, T new : returns because f is deterministic 2. X new, T old: f(x) uniformly random, 3. X new, T new: f(x) uniformly random,

113 Consider f is a random function Decryption cases 0. (X, T) old: not allowed (i.e. T not the tag previously returned with X) 1. X old, T new : returns because f is deterministic 2. X new, T old: f(x) uniformly random, 3. X new, T new: f(x) uniformly random,

114 Consider f is a random function Decryption cases 0. (X, T) old: not allowed (i.e. T not the tag previously returned with X) 1. X old, T new : returns because f is deterministic 2. X new, T old: f(x) uniformly random, 3. X new, T new: f(x) uniformly random,

115

116 Adding IND-CPA Let Let be a function family. be an encryption scheme Define an encryption scheme as follows: This is called Encrypt-then-PRF

117 Claim: if is a secure PRF, and is IND-CPA secure, then is both IND-CPA and INT-CTXT secure

118 Claim: if is a secure PRF, and is IND-CPA secure, then is both IND-CPA and INT-CTXT secure Let s do the easy part first: INT-CTXT

119 Claim: if is a secure PRF, and is IND-CPA secure, then is both IND-CPA and INT-CTXT secure Let s do the easy part first: INT-CTXT If the bit b in the PRF experiment is 1 (resp. 0), then B simulates the INT-CTXT experiment for Π[F] (resp. Π[Func(*,n)])

120 Claim: if is a secure PRF, and is IND-CPA secure, then is both IND-CPA and INT-CTXT secure Let s do the easy part first: INT-CTXT

121 Claim: if is a secure PRF, and is IND-CPA secure, then is both IND-CPA and INT-CTXT secure Now the new part: IND-CPA. But this is even easier! Where this reduction B simulates the F K2 part of encryption

122 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT (IPSec)

123 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS)

124 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS) IND-CPA INT-CTXT " "

125 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS) " " IND-CPA INT-CTXT PRF and Encrypt: (or Encrypt and PRF) (SSH)

126 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS) " " IND-CPA INT-CTXT PRF and Encrypt: (or Encrypt and PRF) (SSH) " " IND-CPA INT-CTXT

127 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS) " " IND-CPA INT-CTXT PRF and Encrypt: (or Encrypt and PRF) (SSH) " " IND-CPA INT-CTXT EXERCISE: Explain why PRF and Encrypt is not generically IND-CPA

128 (Violating INT-CTXT) Consider which is IND-CPA if is PRF-then-Encrypt: " " IND-CPA INT-CTXT PRF and Encrypt: (or Encrypt and PRF) " " IND-CPA INT-CTXT

129 Privacy? " What about authenticity? Authenticity: Alice wants to be sure she s received Bob s message K K M C C M C C Is C an authentic ctxt from Bob? Is M an authentic ptxt from Bob?

130 Privacy? " What about authenticity? Authenticity: Alice wants to be sure she s received Bob s message K K M C C M C C Is C an authentic ctxt from Bob? Is M an authentic ptxt from Bob?

131 Another notion of authenticity : Integrity of Plaintexts (INT-PTXT) Adversary wins if it asks C such that M C 0 or Achieved (generically) by PRF-then-Encrypt Strictly weaker security goal Requires calling applications to be aware of repeated plaintexts Efficient schemes achieve INT-CTXT already Stick with INT-CTXT if possible!

132 Let s return to this idea M 1 M 2 M 3 Redundancy(M)??? C 1 C 2 C 3 C 4

133 Strong PRPs Let be a permutation family It s easy to extend this to the VIL setting, by considering, with,to be length-preserving.

134 Intuition: if you encrypt new messages, with redundancy M 0 80 π Y then outputs look like random bitstrings (subject to permutivity)

135 Intuition: if you flip any bit of the output and decrypt " M 0 80 π -1 Y then plaintexts random, and unlikely to have correct redundancy

136 Of course, we re not guaranteed that messages are new, so we add a per-message nonce (number used once) N M 0 80 π Y This is the Encode-Encipher paradigm, due to Bellare and Rogaway

137 New object, new syntax! A nonce-based encryption scheme is a triple of algorithms Key-generation algorithm Encryption algorithm Decryption algorithm (See Rogaway s Nonce-Based Encryption Paper)

138 New object, new syntax! A nonce-based encryption scheme is a triple of algorithms Key-generation algorithm Encryption algorithm Decryption algorithm the nonce space

139 New object, new syntax! A nonce-based encryption scheme is a triple of algorithms Key-generation algorithm Encryption algorithm Deterministic! Decryption algorithm

140 IND-CPA in the nonce-based setting Restrictions: No nonce-message pair repeated Nonces are meant to be used once. An adversary that never repeats a nonce is called nonce-respecting

141 Let s define a nonce-based encryption scheme from an SPRP. Let and let contain all strings up to length L for some L > 0!

142 Let s define a nonce-based encryption scheme from an SPRP. Let and let contain all strings up to length L for some L > 0! Let be a length-preserving permutation family. N M 0 80 E K! C

143 Let s define a nonce-based encryption scheme from an SPRP. Let and let contain all strings up to length L for some L > 0! Let be a length-preserving permutation family. N M 0 80 E K! C Claim: if is a secure SPRP, then this scheme is both (nonce-based) IND-CPA and (nonce-based) INT-CTXT secure Proof: exercise (you might need a bi-directional version of the PRP-PRF switching lemma )

144 Proof intuition: N M Replace with E K! C

145 Proof intuition: N M Replace with 2. Replace with two independent random functions E K! C

146 Proof intuition: N M Replace with 2. Replace with two independent random functions 3. Now uniform random strings in both directions if nonces are respected E K! C

147 What makes this work is that SPRPs are (so of) all-or-nothing objects N M 0 80 Change any bit of input = randomize entire output E K! C Change any bit of output = randomize entire input But this comes with a cost: Loosely, every bit of output (input) must depend on every bit of input (output).

148 X 1 X 2 X 3 X 4 N Definitely NOT an SPRP, even if E K is. E K E K E K E K C 1 C 2 C 3 C 4 SPRPs generally seem to require two full cryptographic passes

149 X 1 X 2 X 3 X n N E K E K E K E K mask CMC mode (Halevi and Rogway) E K E K E K E K N C 1 C 2 C 3 C 4

150 Nonce-based encryption is interesting area X 1 X 2 X 3 X 4 N E K E K E K E K C 1 C 2 C 3 C 4 This is not IND-CPA secure in the nonce-based setting, even if nonces are respected.

151 Nonce-based encryption is interesting area N X 1 X 2 X 3 X 4 E K1 E K2 E K2 E K2 E K2 C 1 C 2 C 3 C 4 But this should work...

152 Nonce-based encryption is interesting area N X 1 X 2 X 3 X 4 f1 f2 f2 f2 f2 C 1 C 2 C 3 C 4 If f1 and f2 are independent random functions (so we need E to be a PRF under two random keys) then all f2 inputs are random what type of bound do you expect?

153 Yet more: Deterministic (Nonce-based) AE with Associated Data (AEAD) Key-generation algorithm Encryption algorithm Decryption algorithm The header or associated data space (See Rogaway s AEAD Paper) (See Rogaway and Shrimpton s Keywrap Paper)

154 Here s one way to build a deterministic AEAD scheme: SIV mode Header components (take one and use it for N) plaintext synthetic IV

155 Here s one way to build a DAE scheme: SIV mode Header components (take one and use it for N) plaintext synthetic IV If F is a secure PRF, and is IND-CPA against nonce-respecting adversaries, then this is a secure DAE scheme (IND-CPA and INT-CTXT) (also provides nonce-misuse resistance )

156 This is NOT the whole story of symmetric encryption! Many other interesting kinds of symmetric encryption to explore Message-locked encryption Format-preserving encryption Format-transforming encryption Length-hiding AEAD Online encryption Key-dependent message encryption Thanks!

157 Exercises, once more

158 Claim: Any encryption scheme is also IND-CPA secure that is RoR-CPA secure, Proof idea: show the contrapositive, if a scheme IND-CPA secure, then it is not RoR-CPA secure. is not Let A be an efficient IND-CPA adversary, gaining advantage We build an efficient RoR-CPA adversary B, that runs A as a black-box subroutine, that gains advantage AT HOME EXERCISE: try to write the proof Conclusion: if is small for all efficient B, then must be small, too

159 Folklore idea: add redundancy to encryption append a block of all zeros to every message M 1 M 2 M 3 0 n random IV E K E K E K E K C 0 C 1 C 2 C 3 C 4 Decryption: just like CBC, except return? if last block isn t all zeros EXERCISE: Can you forge an authentic ciphertext, and win the INT-CTXT game?

160 The three Generic Composition authenticated encryption schemes Encrypt-then-PRF: " " IND-CPA INT-CTXT PRF-then-Encrypt: (IPSec) (SSL/TLS) " " IND-CPA INT-CTXT PRF and Encrypt: (or Encrypt and PRF) (SSH) " " IND-CPA INT-CTXT EXERCISE: Explain why PRF and Encrypt is not generically IND-CPA

161 Proof of the PRP-PRF Switching Lemma

162 Requires care, but the reason for the birthday term is obvious!

163 all values already assigned as outputs of the oracle all values still free to be assigned as outputs

164

165 Fundamental lemma of game-playing (Bellare, Rogaway)

166 Fundamental lemma of game-playing (Bellare, Rogaway) union bound