Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Similar documents
Computer Security CS 526

Information Security CS526

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Block ciphers, stream ciphers

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Introduction to Cryptography. Lecture 3

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Introduction to Cryptography. Lecture 3

Katz, Lindell Introduction to Modern Cryptrography

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

1 Achieving IND-CPA security

Chapter 3 : Private-Key Encryption

Message Authentication ( 消息认证 )

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

Private-Key Encryption

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Cryptology complementary. Symmetric modes of operation

Information Security CS526

Applied Cryptography and Computer Security CSE 664 Spring 2018

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 15: Public Key Encryption: I

Cryptography [Symmetric Encryption]

CS 495 Cryptography Lecture 6

Crypto: Symmetric-Key Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Private-Key Encryption

Feedback Week 4 - Problem Set

Lecture 3: Symmetric Key Encryption

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Block Cipher Operation. CS 6313 Fall ASU

Secret Key Cryptography

Lecture 4: Symmetric Key Encryption

Authenticated encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Cryptography. Andreas Hülsing. 6 September 2016

Scanned by CamScanner

Chapter 11 : Private-Key Encryption

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Information Security

Chapter 4: Private Key Cryptography Encryption and Pseudorandomness

Symmetric Cryptography

Symmetric-Key Cryptography

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Goals of Modern Cryptography

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Cryptography 2017 Lecture 3

symmetric cryptography s642 computer security adam everspaugh

Some Aspects of Block Ciphers

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

CSC 474/574 Information Systems Security

CS 161 Computer Security

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Chosen-Ciphertext Security (II)

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptography (cont.)

Solutions to exam in Cryptography December 17, 2013

Message authentication codes

CS408 Cryptography & Internet Security

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

ECE 646 Lecture 8. Modes of operation of block ciphers

Block Cipher Modes of Operation

Symmetric Encryption 2: Integrity

Symmetric Encryption. Thierry Sans

Double-DES, Triple-DES & Modes of Operation

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Chapter 6 Contemporary Symmetric Ciphers

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Cryptography: Symmetric Encryption [continued]

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Homework 3: Solution

On Compression of Data Encrypted with Block Ciphers

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Introduction to cryptology (GBIN8U16)

Stream Ciphers. Stream Ciphers 1

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

MTAT Applied Cryptography

Computational Security, Stream and Block Cipher Functions

Block Cipher Modes of Operation

Public-Key Encryption

Content of this part

10 Chosen Ciphertext Attacks

Summary on Crypto Primitives and Protocols

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

Network Security Essentials Chapter 2

Modern Symmetric Block cipher

CSE 127: Computer Security Cryptography. Kirill Levchenko

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

c ACM, This is the author s version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution.

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CSC574: Computer & Network Security

Transcription:

Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1

Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring 2012/Topic 11 2

Review: IND Security An encryption scheme = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversary A, there exists a negligible function negl such that Pr[PrivK eav A, =1] ½ + negl(n) A outputs a pair of equal-length messages m 0 and m 1 A is given the challenge ciphertext Enc k (m b ) Where b is chosen at uniform random from {0,1} A outputs b PrivK eav A, =1 when b=b CS555 Spring 2012/Topic 11 3

Review: CPA-secure (aka IND- CPA security) has indistinguishable encryption under a chosen-plaintext attack iff. for all PPT adversary A, there exists a negligible function negl Pr[PrivK cpa A, =1] ½ + negl(n) A is given oracle access to Enc k ( ), and outputs a pair of equal-length messages m 0 and m 1 A is given the challenge ciphertext Enc k (m b ) Where b is chosen at uniform random from {0,1} A still has oracle access to Enc k ( ), and (after some time) outputs b PrivK cpa A, =1 when b=b CS555 Spring 2012/Topic 11 4

Review: Pseudorandom Permutations (PRP) We say that a length-preserving keyed function F: {0,1} k {0,1}* {0,1}*, is a keyed permutation if and only if each F k is a bijection A Pseudorandom Permutation (PRP) is a keyed permutation that is indistinguishable from a random permutation A Strong PRP is a keyed permutation is indistinguishable from a random permutation when the distinguisher is given access to both the function and its inverse We assume block ciphers are PRP. CS555 Spring 2012/Topic 11 5

Need for Encryption Modes A block cipher encrypts only one block Needs a way to extend it to encrypt an arbitrarily long message Want to ensure that if the block cipher is secure, then the encryption is secure Aims at providing CPA security assuming that the underlying block ciphers are strong CS555 Spring 2012/Topic 11 6

Block Cipher Encryption Modes: ECB Message is broken into independent blocks; Electronic Code Book (ECB): each block encrypted separately. Encryption: c i = E k (x i ) Decrytion: x i = D k (c i ) CS555 Spring 2012/Topic 11 7

Properties of ECB Deterministic: the same data block gets encrypted the same way, reveals patterns of data when a data block repeats when the same key is used, the same message is encrypted the same way How to show that ECB is not CPA-secure? How to show that ECB is not IND-secure (even in a ciphertext only attack)? Usage: Should not be used. CS555 Spring 2012/Topic 11 8

Encryption Modes: CBC Cipher Block Chaining (CBC): Uses a random Initial Vector (IV) Next input depends upon previous output Encryption: C i = E k (M i C i-1 ), with C 0 =IV Decryption: M i = C i-1 D k (C i ), with C 0 =IV M 1 M 2 M 3 IV E k E k E k C 0 C 1 C 2 C 3 CS555 Spring 2012/Topic 11 9

Properties of CBC Randomized encryption: repeated text gets mapped to different encrypted data. Is CPA secure assuming that the block cipher is secure (i.e., it is a Pseudo Random Permutation (PRP)) Each ciphertext block depends on all preceding plaintext blocks. Usage: chooses random IV and protects the integrity of IV The IV is not secret (it is part of ciphertext) The adversary cannot control the IV CS555 Spring 2012/Topic 11 10

Encryption Modes: OFB Output feedback (OFB): construct a PRNG using a Block Cipher IV is randomly chosen y 0 =IV y i = E k [y i-1 ] Use the stream y 1, y 2, to XOR with message Randomized encryption Provides CPA-secure encryption with a PRF Sequential encryption, can preprocess CS555 Spring 2012/Topic 11 11

Encryption Modes: CTR Counter Mode (CTR): Defines a stream cipher using a block cipher Uses a random IV, known as the counter Encryption: C 0 =IV, C i =M i E k [IV+i] Decryption: IV=C 0, M i =C i E k [IV+i] M 1 M 2 M 3 IV IV+1 IV+2 IV+3 E k E k E k C 0 C 1 C 2 C 3 CS555 Spring 2012/Topic 11 12

Properties of CTR Gives a stream cipher from a block cipher Randomized encryption: when starting counter is chosen randomly Random Access: encryption and decryption of a block can be done in random order, very useful for hard-disk encryption. E.g., when one block changes, re-encryption only needs to encrypt that block. In CBC, all later blocks also need to change CS555 Spring 2012/Topic 11 13

Theorem 3.29: CTR mode provides CPA-secure encryption with a block cipher that is a PRF. Proof. When a true random function is used, ciphertext leaks no information about plaintext unless some string in the sequence IV+1, IV+l overlaps with some sequence used for encrypting other messages. Let q(n) be the bound on number of messages encrypted, as well as bound on size of messages. Prob that an overlap occurs is less than 2q(n) 2 /2 n, which is negligible CS555 Spring 2012/Topic 11 14

Block Length and Security Adversary success probability depends on block size For block size 64, this is ½ + q 2 /2 63, The advantage q 2 /2 63 can be significant CS555 Spring 2012/Topic 11 15

Stream Cipher vs Block Cipher Stream cipher (e.g., RC4) Block cipher (AES) In software encryption, RC4 is twice as fast as AES Security for Block cipher (AES) is much better understood than stream cipher (RC4) Use AES unless in really constrained environment CS555 Spring 2012/Topic 11 16

The CCA Indistinguishablility Experiment: PrivK cca (n) A k is generated by Gen(1 n ) Adversary is given oracle access to Enc k ( ) and Dec k ( ), and outputs a pair of equal-length messages m 0 and m 1 A random bit b is chosen, and adversary is given c Enc k (m b ) Called the challenge ciphertext Adversary still has oracle access to Enc k ( ) and Dec k ( ); however, Adversary cannot ask for Dec k (c). Adversary outputs b PrivK cca (n) = 1 if b=b (adversary wins) and =0 otherwise CS555 Spring 2012/Topic 11 17

Existing Schemes are not CCA Secure How to break CTR mode s CCA security? How to break CBC mode s CCA security? Non-malleability Cannot change the ciphertext while predicting what changes in decrypted plaintext will be. CCA-secure implies non-malleability How to build CCA-secure encryption scheme? Make sure that ciphertext cannot be changed. Any change will result in decryption not outputing the message. CS555 Spring 2012/Topic 11 18

Coming Attractions More on Number Theory Reading: Katz & Lindell: 7.1.3, 7.1.4, 7.1.5, 7.2 CS555 Spring 2012/Topic 11 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback