Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Similar documents
Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers, stream ciphers

1 Achieving IND-CPA security

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

Computational Security, Stream and Block Cipher Functions

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Feedback Week 4 - Problem Set

Computer Security CS 526

Block Cipher Operation. CS 6313 Fall ASU

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

CS 161 Computer Security

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Cryptography 2017 Lecture 3

Introduction to Cryptography. Lecture 3

Information Security CS526

IND-CCA2 secure cryptosystems, Dan Bogdanov

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Symmetric-Key Cryptography

Cryptography [Symmetric Encryption]

Scanned by CamScanner

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Introduction to Cryptography. Lecture 3

Cryptography: Symmetric Encryption [continued]

Information Security

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Introduction to cryptology (GBIN8U16)

Symmetric Cryptography

Crypto: Symmetric-Key Cryptography

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Solutions to exam in Cryptography December 17, 2013

Concrete Security of Symmetric-Key Encryption

CS408 Cryptography & Internet Security

Double-DES, Triple-DES & Modes of Operation

Lecture 4: Symmetric Key Encryption

Cryptology complementary. Symmetric modes of operation

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Integrity of messages

Advanced Cryptography 1st Semester Symmetric Encryption

Cryptography (cont.)

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

Lecture 18 - Chosen Ciphertext Security

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Symmetric Cryptography

Lecture 3: Symmetric Key Encryption

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

ECE 646 Lecture 8. Modes of operation of block ciphers

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Some Aspects of Block Ciphers

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Lecture 15: Public Key Encryption: I

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

AWS Key Management Service (KMS) Handling cryptographic bounds for use of AES-GCM

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Network Security Essentials Chapter 2

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Authenticated encryption

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

symmetric cryptography s642 computer security adam everspaugh

Goals of Modern Cryptography

symmetric cryptography s642 computer security adam everspaugh

Authenticated Encryption

Stream Ciphers An Overview

Applied Cryptography and Computer Security CSE 664 Spring 2018

Automated Analysis and Synthesis of Modes of Operation and Authenticated Encryption Schemes

Symmetric Encryption Algorithms

Practical Symmetric On-line Encryption

Cryptography. Andreas Hülsing. 6 September 2016

Content of this part

Chapter 3 Block Ciphers and the Data Encryption Standard

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Chapter 6 Contemporary Symmetric Ciphers

Distributed Key Management and Cryptographic Agility. Tolga Acar 24 Feb. 2011

2 Secure Communication in Private Key Setting

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

7. Symmetric encryption. symmetric cryptography 1

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Proofs for Key Establishment Protocols

Data Encryption Standard (DES)

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Chapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes

CS 161 Computer Security

Lecture Note 05 Date:

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Lecture 1 Applied Cryptography (Part 1)

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

1 Defining Message authentication

Pipelineable On-Line Encryption (POE)

Symmetric Encryption. Thierry Sans

Block Cipher Operation

Transcription:

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 75 ECB ECB Simplest way: Apply the encryption block by block This is called Electronic Codebook mode, ECB. Source: Wikipedia

ECB decryption Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 76 Decryption just does the operations in reverse, and uses the decrypt function of the block cipher. Source: Wikipedia

ECB is not secure Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 77 A good block mode should have the following properties: 1 Identical blocks shouldn t produce identical ciphertexts 2 There should be protection against deletion or insertion of blocks 3 Ciphertext transmission errors should affect only the the block containing the error 4 It should be efficient (e.g., parallelisable) ECB fails properties 1 and 2. It satisfies 3 and 4, but they are not as important as 1 and 2.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 78 ECB One solution: Add random initialisation vector to start off encryption and use previous result Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 79 Source: Wikipedia Figure out which of properties 1, 2, 3, 4 hold for.

Counter mode () Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 80 In counter mode, we don t chain the blocks together, but still we aim to make identical plaintext blocks have different ciphertext blocks. Choose nonce and increase counter for each block Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 81 Source: Wikipedia Figure out which of properties 1, 2, 3, 4 hold for.

Proper definition of security for Block Cipher Modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 82 Cannot reuse definition for block cipher Reason: A ciphertext bit depends only on some of the plaintext bits. Need a weaker notion of security.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 83 Definition Let (E, D) be a pseudorandom permutation over (K, X ), and E be a block cipher mode. We define the indistinguishability under chosen-plaintext-game between challenger and attacker as follows: The challenger generates a key k K at random. The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption by E of a polynomial number of arbitrary messages. The attacker submits two messages m 0 and m 1 to the challenger. The challenger selects a bit b {0, 1} at random. The challenger returns the encryption E(k, m b ) to the attacker The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption of a polynomial number of arbitrary messages. The attacker outputs a bit b. The attacker wins this game if b = b.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 84 Challenger Attacker k r K m 1,..., m n E(k, m 1 ),..., E(k, m n ) m 0, m 1 b r {0, 1} E(k, m b ) m 1,..., m d E(k, m 1 ),..., E(k, m d ) b

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 85 Intuitively, we call a block cipher mode secure if the attacker can only guess the bit b, ie wins the game half the time. Definition Let Pr[b = b ] be the probability that the attacker wins the IND-CPA-game, taken over all encryption keys of length n and all bits b. A block cipher mode satisfies indistinguishability under chosen-plaintext attack (IND-CPA) if Pr[b = b ] 1 2 is negligible. Note that this probability depends on the size of K, since the security of the block cipher E depends on it.

ECB is not secure. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 86 Let (E, D) be a secure block cipher, and let E be encryption using ECB mode. The attacker can easily win the IND-CPA game. He can get the encryption of m 1 and m 2 in the first part (or even in the last part) of the game, and hence can easily distinguish which one the challenger chose.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 87 Theorem If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for is 2q 2 L 2 X + 2Adv where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher. For AES: must change key after using 2 24 message of length 2 24 each to obtain advantage of 1 2 32

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 88 Theorem If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for counter mode is 2q 2 L X + 2Adv where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher. For AES: must change key after using 2 32 message of length 2 32 each to obtain advantage of 1 2 32.

Comparing the IND-CPA game and the secure block cipher game Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 89 Let E be a secure pseudorandom permutation, and E a secure block cipher mode for E. 1 If you view E as an encryption using a block cipher mode, does it satisfy the IND-CPA condition for a secure mode? 2 If you view E as a pseudorandom permutation, does it satisfy the condition for a secure pseudorandom permutation? The answer to both questions is no.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback