Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Similar documents
Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Block ciphers, stream ciphers

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

1 Achieving IND-CPA security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Computer Security CS 526

Computational Security, Stream and Block Cipher Functions

Cryptography 2017 Lecture 3

CS 161 Computer Security

Introduction to Cryptography. Lecture 3

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Cryptography [Symmetric Encryption]

Feedback Week 4 - Problem Set

Cryptography: Symmetric Encryption [continued]

Block Cipher Operation. CS 6313 Fall ASU

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Information Security CS526

Introduction to Cryptography. Lecture 3

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Introduction to cryptology (GBIN8U16)

Symmetric Cryptography

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Symmetric-Key Cryptography

Solutions to exam in Cryptography December 17, 2013

Cryptology complementary. Symmetric modes of operation

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Scanned by CamScanner

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Cryptography (cont.)

Symmetric Cryptography

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Information Security

Lecture 4: Symmetric Key Encryption

Crypto: Symmetric-Key Cryptography

ECE 646 Lecture 8. Modes of operation of block ciphers

Some Aspects of Block Ciphers

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Chapter 3 Block Ciphers and the Data Encryption Standard

IND-CCA2 secure cryptosystems, Dan Bogdanov

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Lecture 3: Symmetric Key Encryption

Content of this part

Double-DES, Triple-DES & Modes of Operation

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Block Cipher Modes of Operation

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Network Security Essentials Chapter 2

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Lecture 1 Applied Cryptography (Part 1)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Integrity of messages

symmetric cryptography s642 computer security adam everspaugh

Symmetric Encryption. Thierry Sans

CS408 Cryptography & Internet Security

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

CS 161 Computer Security

ENEE 459-C Computer Security. Symmetric key encryption in practice: DES and AES algorithms

Block Cipher Modes of Operation

7. Symmetric encryption. symmetric cryptography 1

Advanced Cryptography 1st Semester Symmetric Encryption

Secret Key Cryptography

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

MTAT Applied Cryptography

symmetric cryptography s642 computer security adam everspaugh

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Symmetric Encryption Algorithms

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Authenticated Encryption

Private-Key Encryption

CIS 4360 Secure Computer Systems Symmetric Cryptography

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Practical Symmetric On-line Encryption

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Chapter 6 Contemporary Symmetric Ciphers

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Using block ciphers 1

Chapter 8. Encipherment Using Modern Symmetric-Key Ciphers

Stream Ciphers An Overview

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

ISA 562: Information Security, Theory and Practice. Lecture 1

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018

1 Defining Message authentication

Lecture 15: Public Key Encryption: I

Introduction to Symmetric Cryptography

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack

Transcription:

Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like DES and AES) can be used directly only for a single block of plaintext. However, typically we want to encrypt plaintext that is much longer than a single block. How can we use a block cipher to do that securely?

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 77 ECB Simplest way: Apply the encryption block by block This is called Electronic Codebook mode, ECB. Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 78 ECB decryption Decryption just does the operations in reverse, and uses the decrypt function of the block cipher. Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 79 ECB is not secure A good block mode should have the following properties: 1. [Security] Identical plaintexts shouldn t produce identical ciphertexts; and Identical blocks within a plaintext shouldn t produce identical ciphertext blocks 2. [Security] There should be protection against deletion or insertion of blocks 3. [Recovery] Ciphertext transmission errors should affect only the the block containing the error 4. [Efficiency] It should be efficient (e.g., parallelisable) ECB fails properties 1 and 2. It satisfies 3 and 4, but they are not as important as 1 and 2.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 80 CBC One solution: Add random initialisation vector (IV) to randomise the first block, and then use the current block to randomise the next block. Source: Wikipedia The IV should be randomly chosen for each encryption. Note that you must store the IV with the ciphertext, otherwise it s not possible to decrypt. Thus, the IV is random, but not secret. Note that, since the ciphertext includes the IV, it is one block longer than the plaintext. So we have a small expansion in size.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 81 Source: Wikipedia Figure out which of properties 1, 2, 3, 4 hold for CBC.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 82 Counter mode (CTR) In counter mode, we don t chain the blocks together, but still we aim to make identical plaintext blocks have different ciphertext blocks. To encrypt a message, we chose a random nonce, and then set up a counter which is incremented for each block. Source: Wikipedia The nonce must be stored with or transmitted with the ciphertext blocks. Thus, similarly to CBC, CTR mode increases the size of the ciphtertext by one block.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 83 Source: Wikipedia Figure out which of properties 1, 2, 3, 4 hold for CTR.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 84 Proper definition of security for Block Cipher Modes We want to define whether a block mode is secure or not. We could consider reusing the security definition for block cipher. However, that definition isn t well-suited. The block cipher security game implicitly assumes that the block cipher, and the random permutation we are comparing it to, are both deterministic. With secure block cipher modes, the encryptions are randomised. In block cipher modes, a ciphertext bit depends only on some of the plaintext bits. A single bit change is not diffused over the entire ciphertext. So intuitively, we the block cipher security definition is too strong.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 85 Definition Let (E, D) be a pseudorandom permutation over (K, X ), and E be a block cipher mode. We define the indistinguishability under chosen-plaintext-game between challenger and attacker as follows: The challenger generates a key k K at random. The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption by E of a polynomial number of arbitrary messages. The attacker submits two messages m 0 and m 1 to the challenger. The challenger selects a bit b {0, 1} at random. The challenger returns the encryption E(k, m b ) to the attacker The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption of a polynomial number of arbitrary messages. The attacker outputs a bit b. The attacker wins this game if b = b.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 86 Challenger Attacker k r K m 1,..., m n E(k, m 1 ),..., E(k, m n ) m 0, m 1 b r {0, 1} E(k, m b ) m 1,..., m d E(k, m 1 ),..., E(k, m d ) b

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 87 Intuitively, we call a block cipher mode secure if the attacker can only guess the bit b, ie wins the game half the time. Definition Let Pr[b = b ] be the probability that the attacker wins the IND-CPA-game, taken over all encryption keys of length n and all bits b. A block cipher mode satisfies indistinguishability under chosen-plaintext attack (IND-CPA) if Pr[b = b ] 1 2 is negligible. Note that this probability depends on the size of K, since the security of the block cipher E depends on it.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 88 ECB is not secure. Let (E, D) be a secure block cipher, and let E be encryption using ECB mode. The attacker can easily win the IND-CPA game. He can get the encryption of m 1 and m 2 in the first part (or even in the last part) of the game, and hence can easily distinguish which one the challenger chose.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 89 Theorem If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for CBC is 2q 2 L 2 X + 2Adv where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher. For AES: must change key after using 2 24 message of length 2 24 each to obtain advantage of 1 2 32

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 90 Theorem If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for counter mode is 2q 2 L X + 2Adv where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher. For AES: must change key after using 2 32 message of length 2 32 each to obtain advantage of 1 2 32.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback