Introduction to Cryptography. Lecture 3

Similar documents
Introduction to Cryptography. Lecture 3

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

1 Achieving IND-CPA security

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Block ciphers, stream ciphers

Information Security CS526

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Information Security CS526

Computer Security CS 526

Cryptography 2017 Lecture 3

Double-DES, Triple-DES & Modes of Operation

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Content of this part

Feedback Week 4 - Problem Set

Symmetric Encryption. Thierry Sans

Chapter 3 : Private-Key Encryption

Cryptology complementary. Symmetric modes of operation

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

Crypto: Symmetric-Key Cryptography

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Chapter 6 Contemporary Symmetric Ciphers

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Introduction to Cryptography. Lecture 6

Network Security Essentials Chapter 2

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Bob k. Alice. CS 558 Lecture Deck(c) = c k. Continuation of Encryption

Lecture 15: Public Key Encryption: I

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Chapter 4: Private Key Cryptography Encryption and Pseudorandomness

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CSC574: Computer & Network Security

Some Aspects of Block Ciphers

CPSC 467b: Cryptography and Computer Security

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Block Cipher Operation. CS 6313 Fall ASU

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Symmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University

Introduction to Cryptographic Systems. Asst. Prof. Mihai Chiroiu

symmetric cryptography s642 computer security adam everspaugh

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 5: Pseudo Random Permutations and Block Ciphers

3 Symmetric Cryptography

CSCI 454/554 Computer and Network Security. Topic 3.2 Secret Key Cryptography Modes of Operation

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

7. Symmetric encryption. symmetric cryptography 1

Lecture 2: Secret Key Cryptography

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Chapter 6: Contemporary Symmetric Ciphers

Applied Cryptography and Computer Security CSE 664 Spring 2018

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Lecture 1 Applied Cryptography (Part 1)

Stream Ciphers An Overview

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

Scanned by CamScanner

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

CSC 474/574 Information Systems Security

CPSC 467: Cryptography and Computer Security

Basic Probability Theory

Cryptography [Symmetric Encryption]

Network Security Essentials

CS155. Cryptography Overview

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Summary on Crypto Primitives and Protocols

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

CPSC 467b: Cryptography and Computer Security

CS 495 Cryptography Lecture 6

CS408 Cryptography & Internet Security

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Solutions to exam in Cryptography December 17, 2013

Private-Key Encryption

Cryptography (cont.)

CSE 127: Computer Security Cryptography. Kirill Levchenko

SECRET KEY: STREAM CIPHERS & BLOCK CIPHERS

Lecture 4: Authentication and Hashing

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Secret Key Cryptography

Processing with Block Ciphers

CSC/ECE 574 Computer and Network Security. Processing with Block Ciphers. Issues for Block Chaining Modes

CS155. Cryptography Overview

New Kid on the Block Practical Construction of Block Ciphers. Table of contents

CPS2323. Symmetric Ciphers: Stream Ciphers

Symmetric Cryptography

ISA 562: Information Security, Theory and Practice. Lecture 1

Stream Ciphers. Stream Ciphers 1

Symmetric-Key Cryptography

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

CS 161 Computer Security

Transcription:

Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1

Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic function of s, publicly known output G(s) G(s) = 2n Distinguisher D random u u =2n D???? March 6, 2011 Introduction to Cryptography, Benny Pinkas page 2

Pseudo-random generators Pseudo-random generator (PRG) G: {0,1} n {0,1} m A deterministic function, computable in polynomial time. It must hold that m > n. Let us assume m=2n. The function has only 2 n possible outputs. Pseudo-random property: polynomial time adversary D, (whose output is 0/1) if we choose inputs s R {0,1} n, u R {0,1} m, (in other words, choose s and u uniformly at random), then it holds that D(G(s)) is similar to D(u) namely, Pr[D(G(s))=1] - Pr[D(u)=1] is negligible

Do PRGs exist? If P=NP then PRGs do not exist (why?) So their existence can only be conjectured until the P=NP question is resolved.

Using a PRG for Encryption Replace the one-time-pad with the output of the PRG Key: a (short) random key k {0,1} k. Message m= m 1,,m m. Use a PRG G : {0,1} k {0,1} m Key generation: choose k {0,1} k uniformly at random. Encryption: Use the output of the PRG as a one-time pad. Namely, Generate G(k) = g 1,,g m Ciphertext C = g 1 m 1,, g m m m This is an example of a stream cipher.

Security of encryption against polynomial adversaries Perfect security (previous equivalent defs): (indistinguishability) m 0,m 1 M, c, the probability that c is an encryption of m 0 is equal to the probability that c is an encryption of m 1. (semantic security) The distribution of m given the encryption of m is the same as the a-priori distribution of m. Security of pseudo-random encryption (equivalent defs): (indistinguishability) m 0,m 1 M, no polynomial time adversary D can distinguish between the encryptions of m 0 and of m 1. Namely, Pr[D(E(m 0 ))=1] Pr[D(E(m 1 ))=1) (semantic security) m 0,m 1 M, a polynomial time adversary which is given E(m b ), where b r {0,1}, succeeds in finding b with probability ½.

Proofs by reduction We don t know how to prove unconditional proofs of computational security; we must rely on assumptions. We can simply assume that the encryption scheme is secure. This is bad. Instead, we will assume that some low-level problem is hard to solve, and then prove that the cryptosystem is secure under this assumption. (For example, the assumption might be that a certain function G is a pseudo-random generator.) Advantages of this approach: It is easier to design a low-level function. There are (very few) established assumptions in cryptography, and people prove the security of cryptosystem based on these assumptions.

Using a PRG for Encryption: Security The output of a pseudo-random generator is used instead of a one-time pad. Proof of security by reduction: The assumption is that the PRG is strong (its output is indistinguishable from random). We want to prove that in this case the encryption is strong (it satisfies the indistinguishability definition above). In other words, prove that if one can break the security of the encryption (distinguish between encryptions of m 0 and of m 1 ), then it is also possible to break the security of the PRG (distinguish its output from random).

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with PRG Enc(m 1 ) with PRG Enc(m 0 ) with one-time pad Enc(m 1 ) with one-time pad Suppose that there is a distinguisher algorithm D () which distinguishes between (1) and (2) We know that no D () can distinguish between (3) and (4) We are given a string S and need to decide whether it is drawn from a pseudorandom distribution or from a uniformly random distribution We will use S as a pad to encrypt a message. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 9

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with PRG Enc(m 1 ) with PRG Enc(m 0 ) with one-time pad Enc(m 1 ) with one-time pad Recall: we assume that there is a D () which always distinguishes between (1) and (2), and which distinguishes between (3) and (4) with probability ½. Choose a random b {0,1} and compute m b S. Give the result to D (). if S was chosen uniformly, D () must distinguish (3) from (4). (prob=½) if S is pseudorandom, D () must distinguish (1) from (2). (prob=1) If D () outputs b then declare pseudorandom, otherwise declare random. if S was chosen uniformly we output pseudorandom with prob ½. if S is pseudorandom we output pseudorandom with prob 1. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 10

Proof of Security Polynomially indistinguishable? Same distribution (1) (2) (3) (4) Enc(m 0 ) with PRG Enc(m 1 ) with PRG Enc(m 0 ) with one-time pad Enc(m 1 ) with one-time pad Recall: we assume that there is a D () which always distinguishes between (1) and (2), and which distinguishes between (3) and (4) with probability ½. Choose a random b {0,1} and compute m b S. Give the result to D (). if S was chosen uniformly, D () must distinguish (3) from (4). (prob=½) if S is pseudorandom, D () must distinguish (1) from (2). (prob=½+δ) If D () outputs b then declare pseudorandom, otherwise declare random. if S was chosen uniformly we output pseudorandom with prob ½. if S is pseudorandom we output pseudorandom with prob ½+δ. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 11

Stream ciphers Stream ciphers are based on pseudo-random generators. Usually used for encryption in the same way as OTP Examples: A5, SEAL, RC4. Very fast implementations. RC4 is popular and secure when used correctly, but it was shown that its first output bytes are biased. This resulted in breaking WEP encryption in 802.11. Some technical issues: Stream ciphers require synchronization (for example, if some packets are lost in transit).

RC4 A stream cipher designed by Ron Rivest. Intellectual property belongs to RSA Inc. Designed in 1987. Kept secret until the design was leaked in 1994. Used in many protocols (SSL, WEP, etc.) Byte oriented operations. 8-16 machine operations per output byte. First output bytes are biased

RC4 initialization Word size is a single byte. Input: k 0 ; ;k 255 (if key has fewer bits, pad it to itself sufficiently many times) 1. j = 0 2. S 0 = 0; S 1 = 1; ; S 255 = 255 3. Let the key be k 0 ; ;k 255 4. For i = 0 to 255 j = (j + S i + k i ) mod 256 Swap S i and S j (note that S is a permutation of 0,,255)

RC4 keying stream generation An output byte B is generated as follows: i = i + 1 mod 256 j = j + S i mod 256 Swap S i and S j r = S i + S j mod 256 Output: B = S r B is xored to the next byte of the plaintext. (since S is a permutation, we want that B is uniformly distributed) Bias: The probability that the first two output bytes are 0 is 2-16 +2-23

Block Ciphers Plaintexts, ciphertexts of fixed length, m. Usually, m =64 or 128 bits. The encryption algorithm E k is a permutation over {0,1} m, and the decryption D k is its inverse. (They are not permutations of the bit order, but rather of the entire string.) Ideally, use a random permutation. Implemented using a table with 2 m entries Instead, use a pseudo-random permutation *, keyed by a key k. Implemented by a computer program whose input is m,k. m 1,,m m Block cipher c 1,,c m (*) will be explained shortly March 6, 2011 Introduction to Cryptography, Benny Pinkas page 16

Block Ciphers Modeled as a pseudo-random permutation. Encrypt/decrypt whole blocks of bits Might provide better encryption by simultaneously working on a block of bits One error in ciphertext affects whole block Delay in encryption/decryption There was more research on the security of block ciphers than on the security of stream ciphers. Avoids the synchronization problem of stream cipher usage. m 1,,m m Block cipher c 1,,c m Different modes of operation (for encrypting longer inputs) March 6, 2011 Introduction to Cryptography, Benny Pinkas page 17

Block ciphers A block cipher is a function F k (x) of a key k and an m bit input x. It has an m bit output. F k (x) is a keyed permutation How can we encrypt plaintexts longer than m? Different modes of operation were designed for this task.

ECB Encryption Mode (Electronic Code Book) P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Namely, encrypt each plaintext block separately. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 19

Properties of ECB Simple and efficient Parallel implementation is possible Does not conceal plaintext patterns Enc(P 1, P 2, P 1, P 3 ) Active attacks are easy (plaintext can be easily manipulated by removing, repeating, or interchanging blocks).

Encrypting bitmap images in ECB mode original encrypted using ECB mode encrypted using a secure mode

CBC Encryption Mode (Cipher Block Chaining) IV P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector IV is used as a seed for the process. IV can be transmitted in the clear (unencrypted). March 6, 2011 Introduction to Cryptography, Benny Pinkas page 22

CBC Mode Encryption: IV P 1 P 2 P 3 E k E k E k C 1 C 2 C 3 Decryption: IV P 1 P 2 P 3 D k D k D k C 1 C 2 C 3

Properties of CBC Asynchronous: the receiver can start decrypting from any block in the ciphertext. Errors in one ciphertext block propagate to the decryption of the next block (but that s it). Conceals plaintext patterns (same block different ciphertext blocks) If IV is chosen at random, and E K is a pseudo-random permutation, CBC provides chosen-plaintext security. But if IV is fixed, CBC does not even hide not common prefixes. No parallel implementation of encryption is known Plaintext cannot be easily manipulated Standard in most systems: SSL, IPSec, etc.

A chosen-plaintext attack on CBC if IV is known Suppose that adversary can predict IV for next message Bug in SSL/TLS 1.0: IV for record #i is the last ciphertext block of record #(i-1) Attacker Asks to receive encryption of X=0 Receives (IV, E(k, 0 IV )) = (IV, E(k,IV ) Attacker knows IV for next ciphertext Attacker can now distinguish between encryption of m 0 =IV IV and any other m 1. Encryption of m 0 is (IV, E(k, IV (IV IV ))) = (IV, E(k, IV )) March 6, 2011 Introduction to Cryptography, Benny Pinkas page 25

OFB Mode (Output FeedBack) IV E k E k E k P 1 P 2 P 3 C 1 C 2 C 3 An initialization vector IV is used as a seed for generating a sequence of pad blocks E k (IV), E k (E k (IV)), E k (E k (E k (IV))), Essentially a stream cipher. IV can be sent in the clear. Must never be repeated. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 26

Properties of OFB Essentially implements a synchronous stream cipher. I.e., the two parties must know s 0 and the current bit position. A block cipher can be used instead of a PRG. The parties must synchronize the location they are encrypting/decrypting. Conceals plaintext patterns. If IV is chosen at random, and E K is a pseudo-random permutation, OFB provides chosen-plaintext security. Errors in ciphertext do not propagate Implementation: Pre-processing is possible No parallel implementation is known Active attacks (by manipulating the plaintext) are possible

CTR (counter) Encryption Mode P 1 P 2 P 3 IV is selected as a random value IV E k IV+1 E k IV+2 E k easy parallel implementation random access preprocessing C 1 C 2 C 3 no message expansion if E is a PRF then E CTR provides chosen plaintext security March 6, 2011 Introduction to Cryptography, Benny Pinkas page 28

Pseudo-random functions

Pseudo-random functions - definition F : {0,1} * {0,1} * {0,1} * The first input is the key, and once chosen it is kept fixed. For simplicity, assume F : {0,1} n {0,1} n {0,1} n F(k,x) is written as F k (x) F is pseudo-random if F k () (where k is chosen uniformly at random) is indistinguishable (to a polynomial distinguisher D) from a function f chosen at random from all functions mapping {0,1} n to {0,1} n There are 2 n choices of F k, whereas there are (2 n ) 2n choices for f. The distinguisher D s task: We choose a function G. With probability ½ G is F k (where k R {0,1} n ), and with probability ½ it is a random function f. D can ask to compute G(x 1 ),G(x 2 ), for any x 1,x 2, it chooses. D must then output 1 if G=F k. F k is pseudo-random if Pr(D(F k )=1)-Pr(D(f)=1) negligible.

Pseudo-random permutations F k (x) is a keyed permutation if for every choice of k, F k () is one-to-one. Note that in this case F k (x) has an inverse, namely for every y there is exactly one x for which F k (x)=y. F k (x) is a pseudo-random permutation if It is a keyed permutation It is indistinguishable (to a polynomial distinguisher D) from a permutation f chosen at random from all permutations mapping {0,1} n to {0,1} n. 2 n possible values for F k (2 n )! possible values for a random permutation

A PRF can be used to construct a PRG Given a PRF F(k,x), F : {0,1} n {0,1} n {0,1} n The following G:{0,1} n {0,1} n t is a secure PRG: G(k) = F(k,0) F(k,1) F(k,t-1) (This is a parallelizable construction) Proof: Suppose that an adversary can distinguish G(k) from a random string from {0,1} n t. Then after asking to compute F(k,0),F(k,1),,F(k,t) it can distinguish F() from a random function. March 6, 2011 Introduction to Cryptography, Benny Pinkas page 32

Block ciphers are modeled as pseudo-random permutations. However, even a random permutation leaks some information if it is used to encrypt longer messages Identical blocks result in identical ciphertexts. A stronger definition of security, and an appropriate construction are needed to prevent this information leakage.

CPA security of block ciphers

Constructing CPA-secure encryption

Observations The encryption is probabilistic Encrypting the same message twice is likely to result in different ciphertexts, since different r values will be used. This is secure as long it is unlikely that the same value of r will be used twice. Instead of using a random r, one could use a nonce: a value that changes from message to message. For example, a counter. Ciphertext is longer than plaintext, since it must also include the randomness March 6, 2011 Introduction to Cryptography, Benny Pinkas page 36

Security Theorem: If F k is a pseudo-random function then the encryption scheme is (t,ε)-cpa-indistinguishable. Proof sketch: Lemma: If F k is random, then the adversary can distinguish between E(m 0 ),E(m 1 ) only if the challenge ciphertext is (r, F k (r) m b ), and r was used in one of the encryptions asked by the adversary. The prob. of r being used in a previous encryption is t / 2 n. Proof: If r was not used in one of these encryptions than m b is encrypted with a random one-time pad. Replace the random function with a pseudo-random one. Need to show that this change does not affect the probability of success in more than a negligible ε. (see next page) Therefore total success probability is < ½ + t/2 n + ε.

Security (contd.) Background: If F k is random, then the adversary succeeds with prob t / 2 n. Replace the random function with a pseudo-random F k. Suppose that now success probability is > ½ + t/2 n + p(n). Then we found a distinguisher D between F k and a random function, which succeeds with prob > p(n). D has oracle access to a function G which is either random or is the prf F k, and to an attacker A against the encryption. D constructs an encryption according to the construction, and lets A attack it. Whenever A asks for an encryption, D asks for a value of G and encrypts. If A succeeds in decryption, D claims that G is the prf. Otherwise D claims that G is random. Pr(D(Fk)=1)-Pr(D(G)=1) = p(n) > neg.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback