Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74
Block ciphers are used to encode messages longer than the block size.
This needs to be done correctly to preserve security.
We will look at five ways of doing this.

ECB
Simplest way: apply the encryption block by block.
This is called Electronic Codebook mode, ECB.
Source: Wikipedia

ECB decryption
Decryption just does the operations in reverse, and uses the decrypt function of the block cipher.
Source: Wikipedia

ECB is not secure
A good block mode should have the following properties:
1. Identical blocks shouldn't produce identical ciphertexts
2. There should be protection against deletion or insertion of blocks
3. Ciphertext transmission errors should affect only the block containing the error
4. It should be efficient (e.g., parallelisable)
ECB fails properties 1 and 2. It satisfies 3 and 4, but they are not as important as 1 and 2.

ECB
One solution: add a random initialisation vector to start off the encryption, and use the previous result.
Source: Wikipedia

Source: Wikipedia
Figure out which of properties 1, 2, 3, 4 hold for.

Counter mode ()
In counter mode, we don't chain the blocks together, but still we aim to make identical plaintext blocks have different ciphertext blocks.
Choose a nonce and increase the counter for each block.
Source: Wikipedia

Source: Wikipedia
Figure out which of properties 1, 2, 3, 4 hold for.

Proper definition of security for Block Cipher Modes
Cannot reuse the definition for block ciphers.
Reason: a ciphertext bit depends only on some of the plaintext bits.
Need a weaker notion of security.

Definition
Let $(E, D)$ be a pseudorandom permutation over $(K, X)$, and $E$ be a block cipher mode. We define the indistinguishability under chosen-plaintext attack (IND-CPA) game between challenger and attacker as follows:
- The challenger generates a key $k \in K$ at random.
- The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption by $E$ of a polynomial number of arbitrary messages.
- The attacker submits two messages $m_0$ and $m_1$ to the challenger.
- The challenger selects a bit $b \in \{0, 1\}$ at random.
- The challenger returns the encryption $E(k, m_b)$ to the attacker.
- The attacker performs a polynomial number of computations, possibly asking the challenger for the encryption of a polynomial number of arbitrary messages.
- The attacker outputs a bit $b'$.
The attacker wins this game if $b = b'$.
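
Challenger: $k \xleftarrow{r} K$
Attacker -> Challenger: $m_1, \ldots, m_n$
Challenger -> Attacker: $E(k, m_1), \ldots, E(k, m_n)$
Attacker -> Challenger: $m_0, m_1$
Challenger: $b \xleftarrow{r} \{0, 1\}$
Challenger -> Attacker: $E(k, m_b)$
Attacker -> Challenger: $m_1, \ldots, m_d$
Challenger -> Attacker: $E(k, m_1), \ldots, E(k, m_d)$
Attacker: $b'$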

Intuitively, we call a block cipher mode secure if the attacker can only guess the bit $b$, i.e. wins the game half the time.
Definition
Let $\Pr[b = b']$ be the probability that the attacker wins the IND-CPA game, taken over all encryption keys of length $n$ and all bits $b$. A block cipher mode satisfies indistinguishability under chosen-plaintext attack (IND-CPA) if $\Pr[b = b'] - \frac{1}{2}$ is negligible.
Note that this probability depends on the size of $K$, since the security of the block cipher $E$ depends on it.

ECB is not secure.
Let $(E, D)$ be a secure block cipher, and let $E$ be encryption using ECB mode. The attacker can easily win the IND-CPA game. He can get the encryption of $m_1$ and $m_2$ in the first part (or even in the last part) of the game, and hence can easily distinguish which one the challenger chose.
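
Added example (not from the lecture slides): the IND-CPA game played against ECB and against counter mode, using the attacker strategy described above. The block cipher is a constructed toy Feistel permutation built from HMAC-SHA256, standing in for a real cipher such as AES; all function names are hypothetical and messages are assumed to be a whole number of blocks.

```python
import hashlib, hmac, secrets

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    """Constructed stand-in for a block cipher: 4-round Feistel permutation."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def ecb_encrypt(key, msg):
    # ECB: every block is encrypted independently, so the mode is deterministic.
    return b"".join(toy_block_encrypt(key, msg[i:i + BLOCK])
                    for i in range(0, len(msg), BLOCK))

def ctr_encrypt(key, msg):
    # Counter mode: fresh random nonce per message, counter increased per block.
    nonce = secrets.token_bytes(8)
    out = nonce
    for n, i in enumerate(range(0, len(msg), BLOCK)):
        pad = toy_block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += xor(msg[i:i + BLOCK], pad)
    return out

def attacker(oracle):
    """Ask the oracle for the encryption of m0, then compare it with the challenge."""
    m0, m1 = b"A" * 32, b"B" * 32
    known = oracle(m0)
    return m0, m1, lambda challenge: 0 if challenge == known else 1

def ind_cpa_game(mode_encrypt):
    key = secrets.token_bytes(16)                # challenger picks k at random
    oracle = lambda m: mode_encrypt(key, m)      # chosen-plaintext queries
    m0, m1, guess = attacker(oracle)
    b = secrets.randbelow(2)                     # challenger picks b at random
    return guess(oracle(m1 if b else m0)) == b   # attacker wins if b' = b

def win_rate(mode_encrypt, trials):
    return sum(ind_cpa_game(mode_encrypt) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("ECB win rate:", win_rate(ecb_encrypt, 200))
    print("CTR win rate:", win_rate(ctr_encrypt, 2000))
```

Against ECB the attacker wins every game because the mode is deterministic; against counter mode with a fresh nonce the same strategy wins only about half the time.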

Theorem
If $(E, D)$ is a block cipher with key space $X$, the advantage of the attacker in the IND-CPA game for is
$$\frac{2 q^2 L^2}{|X|} + 2\,\mathrm{Adv}$$
where $q$ is the number of messages encrypted with the same key $k$ and $L$ is the maximal length of each message, and $\mathrm{Adv}$ is the advantage of the attacker in the game for the secure block cipher.
For AES: must change key after using $2^{24}$ messages of length $2^{24}$ each to obtain advantage of $\frac{1}{2^{32}}$.

Theorem
If $(E, D)$ is a block cipher with key space $X$, the advantage of the attacker in the IND-CPA game for counter mode is
$$\frac{2 q^2 L}{|X|} + 2\,\mathrm{Adv}$$
where $q$ is the number of messages encrypted with the same key $k$ and $L$ is the maximal length of each message, and $\mathrm{Adv}$ is the advantage of the attacker in the game for the secure block cipher.
For AES: must change key after using $2^{32}$ messages of length $2^{32}$ each to obtain advantage of $\frac{1}{2^{32}}$.

Comparing the IND-CPA game and the secure block cipher game
Let $E$ be a secure pseudorandom permutation, and $E$ a secure block cipher mode for $E$.
1. If you view $E$ as an encryption using a block cipher mode, does it satisfy the IND-CPA condition for a secure mode?
2. If you view $E$ as a pseudorandom permutation, does it satisfy the condition for a secure pseudorandom permutation?
The answer to both questions is no.