Using block ciphers Review: PRPs and PRFs

Slides:



Advertisements
Similar presentations
Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Advertisements

Trusted 3rd parties Basic key exchange
Online Cryptography Course Dan Boneh
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Cryptography: Review Day David Brumley Carnegie Mellon University.
1 PRPs and PRFs CS255: Winter Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.
Dan Boneh Authenticated Encryption Active attacks on CPA-secure encryption Online Cryptography Course Dan Boneh.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
Lecture 23 Symmetric Encryption
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Example applications: 1. File systems: Same.
Cryptography: Block Ciphers David Brumely Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan.
Dan Boneh Message Integrity CBC-MAC and NMAC Online Cryptography Course Dan Boneh.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Lecture 23 Symmetric Encryption
Odds and ends Tweakable encryption
Cryptography: Review Day David Brumley Carnegie Mellon University.
Dan Boneh Odds and ends Deterministic Encryption Online Cryptography Course Dan Boneh.
Block ciphers What is a block cipher?
Cryptography: Block Ciphers David Brumley Carnegie Mellon University Credits: Many slides from Dan Boneh’s June 2012 Coursera crypto class,
Online Cryptography Course Dan Boneh
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.
Cryptography: Block Ciphers David Brumely Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan.
Block Cipher Encrypting a large message Electronic Code Book (ECB) message m1 m2 m3 m4 m5 m6 c1 c2 c3 c4 c5 c6 E E E Secret.
Symmetric-Key Cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 13, 2016.
Lecture 3 Overview of Cryptography A Practitioner Perspective
Modern symmetric-key Encryption
Secrecy of (fixed-length) stream ciphers
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 9.
Introduction to modern cryptology
Cryptography Lecture 12.
Topic 5: Constructing Secure Encryption Schemes
B504/I538: Introduction to Cryptography
مروري برالگوريتمهاي رمز متقارن(كليد پنهان)
Cryptography Lecture 6.
Cryptography Lecture 10.
B504/I538: Introduction to Cryptography
Cryptography Lecture 7 Arpita Patra © Arpita Patra.
Block cipher and modes of encryptions
Cryptography Lecture 7 Arpita Patra © Arpita Patra.
Cryptography Lecture 11.
Foundations of Network and Computer Security
Symmetric-Key Encryption
Block vs Stream Ciphers
Foundations of Network and Computer Security
Cryptography Lecture 8.
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 12.
Padding Oracle Attacks
Topic 13: Message Authentication Code
Cryptography Lecture 7.
Cryptography Lecture 10.
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Secret-Key Encryption
Presentation transcript:

Using block ciphers Review: PRPs and PRFs Online Cryptography Course Dan Boneh Using block ciphers Review: PRPs and PRFs

Block ciphers: crypto work horse n bits n bits E, D PT Block CT Block Key k bits Canonical examples: 3DES: n= 64 bits, k = 168 bits AES: n=128 bits, k = 128, 192, 256 bits

Abstractly: PRPs and PRFs Pseudo Random Function (PRF) defined over (K,X,Y): F: K  X  Y such that exists “efficient” algorithm to evaluate F(k,x) Pseudo Random Permutation (PRP) defined over (K,X): E: K  X  X such that: 1. Exists “efficient” deterministic algorithm to evaluate E(k,x) 2. The function E( k,  ) is one-to-one 3. Exists “efficient” inversion algorithm D(k,x)

Secure PRFs Let F: K  X  Y be a PRF Funs[X,Y]: the set of all functions from X to Y SF = { F(k,) s.t. k  K }  Funs[X,Y] Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in SF Funs[X,Y] Size |Y||X| SF Size |K|

Secure PRF: definition For b=0,1 define experiment EXP(b) as: Def: F is a secure PRF if for all “efficient” A: AdvPRF[A,F] := |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” b Chal. b=0: kK, f F(k,) b=1: fFuns[X,Y] Adv. A x1  X , x2 , …, xq f f(x1) , f(x2) , …, f(xq) b’  {0,1} EXP(b)

Secure PRP (secure block cipher) For b=0,1 define experiment EXP(b) as: Def: E is a secure PRP if for all “efficient” A: AdvPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” b Chal. b=0: kK, f E(k,) b=1: fPerms[X] Adv. A x1  X , x2, …, xq f f(x1) , f(x2), …, f(xq) b’  {0,1}

Let X = {0,1}. Perms[X] contains two functions Consider the following PRP: key space K={0,1}, input space X = {0,1}, PRP defined as: Is this a secure PRP? E(k,x) = x⨁k Yes No It depends Draw the two functions

Example secure PRPs PRPs believed to be secure: 3DES, AES, … AES-128: K  X  X where K = X = {0,1}128 An example concrete assumption about AES: All 280–time algs. A have AdvPRP[A, AES] < 2-40

Consider the 1-bit PRP from the previous question: Is it a secure PRF? Note that Funs[X,X] contains four functions E(k,x) = x⨁k Yes No Attacker A: query f(⋅) at x=0 and x=1 if f(0) = f(1) output “1”, else “0” AdvPRF[A,E] = |0-½| = ½ It depends Draw the four functions

PRF Switching Lemma Any secure PRP is also a secure PRF, if |X| is sufficiently large. Lemma: Let E be a PRP over (K,X) Then for any q-query adversary A: | AdvPRF [A,E] - AdvPRP[A,E] | < q2 / 2|X|  Suppose |X| is large so that q2 / 2|X| is “negligible” Then AdvPRP [A,E] “negligible”  AdvPRF[A,E] “negligible”

Final note Suggestion: don’t think about the inner-workings of AES and 3DES. We assume both are secure PRPs and will see how to use them

End of Segment

Modes of operation: one time key Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: one time key example: encrypted email, new key for every message.

Using PRPs and PRFs Goal: build “secure” encryption from a secure PRP (e.g. AES). This segment: one-time keys Adversary’s power: Adv sees only one ciphertext (one-time key) Adversary’s goal: Learn info about PT from CT (semantic security) Next segment: many-time keys (a.k.a chosen-plaintext security) Today: we build ciphers that are semantically secure against one-time use And ciphers that are semantically secure against many-time use

Incorrect use of a PRP Electronic Code Book (ECB): Problem: if m1=m2 then c1=c2 PT: m1 m2 CT: c1 c2

In pictures (courtesy B. Preneel)

Semantic Security (one-time key) Chal. Adv. A kK m0 , m1  M : |m0| = |m1| c  E(k,m0) b’  {0,1} EXP(0): one time key ⇒ adversary sees only one ciphertext Chal. Adv. A kK m0 , m1  M : |m0| = |m1| c  E(k,m1) b’  {0,1} EXP(1): AdvSS[A,OTP] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | should be “neg.”

ECB is not Semantically Secure ECB is not semantically secure for messages that contain more than one block. b{0,1} Two blocks m0 = “Hello World” m1 = “Hello Hello” Chal. Adv. A kK (c1,c2)  E(k, mb) If c1=c2 output 0, else output 1 Then AdvSS [A, ECB] = 1

Secure Construction I  Deterministic counter mode from a PRF F : EDETCTR (k, m) = ⇒ Stream cipher built from a PRF (e.g. AES, 3DES) m[0] m[1] … m[L]  F(k,0) F(k,1) … F(k,L) c[0] c[1] … c[L]

Det. counter-mode security Theorem: For any L>0, If F is a secure PRF over (K,X,X) then EDETCTR is sem. sec. cipher over (K,XL,XL). In particular, for any eff. adversary A attacking EDETCTR there exists a n eff. PRF adversary B s.t.: AdvSS[A, EDETCTR] = 2  AdvPRF[B, F] AdvPRF[B, F] is negligible (since F is a secure PRF) Hence, AdvSS[A, EDETCTR] must be negligible.

Proof ≈p ≈p ≈p ≈p b’≟1 b’≟1 b’≟1 b’≟1 m0 , m1 c  m0 , m1 c  m0 m0 chal. adv. A kK m0 , m1 c  b’≟1 chal. adv. A fFuns m0 , m1 c  b’≟1  m0 f(0) … f(L) ≈p m0  F(k,0) … F(k,L) ≈p ≈p chal. adv. A kK m0 , m1 c  b’≟1 chal. adv. A r{0,1}n m0 , m1 c  b’≟1  m1 f(0) … f(L) ≈p m1  F(k,0) … F(k,L)

End of Segment

Security for many-time key Online Cryptography Course Dan Boneh Using block ciphers Security for many-time key Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. In this segment we will see how to use block ciphers encrypt multiple messages using the same key. This comes up in real life, for example in file systems where the same key is used to encrypt multiple files or in networking protocols like Ipsec where the same key is used to encryption multiple packets. So let’s see how to do it. The first thing we need to do is to define what security when encrypting multiple messages with the same key.

Semantic Security for many-time key Key used more than once ⇒ adv. sees many CTs with same key Adversary’s power: chosen-plaintext attack (CPA) Can obtain the encryption of arbitrary messages of his choice (conservative modeling of real life) Adversary’s goal: Break sematic security

Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. Adv. kK m1,0 , m1,1  M : |m1,0| = |m1,1| c1  E(k, m1,b)

Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. Adv. kK m2,0 , m2,1  M : |m2,0| = |m2,1| c2  E(k, m2,b)

Semantic Security for many-time key (CPA security) E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: Def: E is sem. sec. under CPA if for all “efficient” A: AdvCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” for i=1,…,q: b Chal. Adv. kK mi,0 , mi,1  M : |mi,0| = |mi,1| ci  E(k, mi,b) b’  {0,1} if adv. wants c = E(k, m) it queries with mj,0= mj,1=m

Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: So what? an attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc. Leads to significant attacks when message space M is small m0 , m0  M Chal. Adv. c0 E(k, m0) kK m0 , m1  M output 0 if c = c0 c  E(k, mb) Stream ciphers like RC4, DETCTR are not CPA secure

Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: If secret key is to be used multiple times  given the same plaintext message twice, encryption must produce different outputs. m0 , m0  M Chal. Adv. c0 E(k, m0) kK m0 , m1  M output 0 if c = c0 c  E(k, mb) Stream ciphers like RC4, DETCTR are not CPA secure

Solution 1: randomized encryption E(k,m) is a randomized algorithm: ⇒ encrypting same msg twice gives different ciphertexts (w.h.p) ⇒ ciphertext must be longer than plaintext Roughly speaking: CT-size = PT-size + “# random bits” m0 enc m0 dec m1 m1 Draw picture where two messages map to two disjoint ciphertext clouds. Each cloud maps to original message. Encrypting same message twice results in different ciphertexts.

Let F: K × R ⟶ M be a secure PRF. For m∈M define E(k,m) = [ r⟵R, output (r, F(k,r)⨁m) ] Is E semantically secure under CPA? R Yes, whenever F is a secure PRF No, there is always a CPA attack on this system Yes, but only if R is large enough so r never repeats (w.h.p) It depends on what F is used

Solution 2: nonce-based Encryption Alice Bob m, n E E(k,m,n)=c c, n D D(k,c,n)=m k k nonce n: a value that changes from msg to msg. (k,n) pair never used more than once method 1: nonce is a counter (e.g. packet counter) used when encryptor keeps state from msg to msg if decryptor has same state, need not send nonce with CT method 2: encryptor chooses a random nonce, n  N File encryption: random nonce, no state from file to file SSL encrytpion (in order delivery): counter is fine, no need to send nonce to peer. IP sec (out of order delivery): counter is fine, but need to include nonce in every packet.

CPA security for nonce-based encryption System should be secure when nonces are chosen adversarially. Def: nonce-based E is sem. sec. under CPA if for all “efficient” A: AdvnCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” for i=1,…,q: b Chal. Adv. ni and mi,0 , mi,1 : |mi,0| = |mi,1| c  E(k, mi,b , ni) kK b’  {0,1} All nonces {n1, …, nq} must be distinct.

Let F: K × R ⟶ M be a secure PRF. Let r = 0 initially. For m∈M define E(k,m) = [ r++, output (r, F(k,r)⨁m) ] Is E CPA secure nonce-based encryption? Yes, whenever F is a secure PRF No, there is always a nonce-based CPA attack on this system Yes, but only if R is large enough so r never repeats It depends on what F is used

End of Segment

Modes of operation: many time key (CBC) Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.

Construction 1: CBC with random IV Let (E,D) be a PRP. ECBC(k,m): choose random IV∈X and do: IV m[0] m[1] m[2] m[3]     E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] Unlike ECB, same block in different positions gets mapped to different ciphertexts. ciphertext

Decryption circuit In symbols: c[0] = E(k, IV⨁m[0] ) ⇒ m[0] = D(k, c[0]) ⨁ IV D(k,) m[0] m[1] m[2] m[3]  c[0] c[1] c[2] c[3] IV

CBC: CPA Analysis CBC Theorem: For any L>0, If E is a secure PRP over (K,X) then ECBC is a sem. sec. under CPA over (K, XL, XL+1). In particular, for a q-query adversary A attacking ECBC there exists a PRP adversary B s.t.: AdvCPA [A, ECBC]  2AdvPRP[B, E] + 2 q2 L2 / |X| Note: CBC is only secure as long as q2L2 << |X|

An example AdvCPA [A, ECBC]  2PRP Adv[B, E] + 2 q2 L2 / |X| q = # messages encrypted with k , L = length of max message Suppose we want AdvCPA [A, ECBC] ≤ 1/232 ⇐ q2 L2 /|X| < 1/ 232 AES: |X| = 2128 ⇒ q L < 248 So, after 248 AES blocks, must change key 3DES: |X| = 264 ⇒ q L < 216

Warning: an attack on CBC with rand. IV CBC where attacker can predict the IV is not CPA-secure !! Suppose given c ⟵ ECBC(k,m) can predict IV for next message 0  X Chal. c1  [ IV1, E(k, 0⨁IV1) ] Adv. kK predict IV m0=IV⨁IV1 , m1 ≠ m0 c  [ IV, E(k, IV1) ] or output 0 if c[1] = c1[1] c  [ IV, E(k, m1⨁IV) ] Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)

Construction 1’: nonce-based CBC Cipher block chaining with unique nonce: key = (k,k1) unique nonce means: (key, n) pair is used for only one message nonce m[0] m[1] m[2] m[3] E(k1,) IV     E(k,) E(k,) E(k,) E(k,) nonce c[0] c[1] c[2] c[3] Unique means non-random, but unique. Note that setting IV = E(k,nonce) is insecure. included only if unknown to decryptor ciphertext

An example Crypto API (OpenSSL) void AES_cbc_encrypt( const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, ⟵ user supplies IV AES_ENCRYPT or AES_DECRYPT); When nonce is non random need to encrypt it before use

A CBC technicality: padding IV m[0] m[1] m[2] m[3] ll pad E(k1,) IV′     E(k,) E(k,) E(k,) E(k,) IV c[0] c[1] c[2] c[3] removed during decryption TLS: for n>0, n byte pad is if no pad needed, add a dummy block n ⋯ Solution: ciphertext stealing, but not discussed here.

End of Segment

Modes of operation: many time key (CTR) Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.

Construction 2: rand ctr-mode Let F: K × {0,1}n ⟶ {0,1}n be a secure PRF. E(k,m): choose a random IV  {0,1}n and do: msg IV m[0] m[1] … m[L]  F(k,IV) F(k,IV+1) … F(k,IV+L) IV c[0] c[1] … c[L] ciphertext note: parallelizable (unlike CBC)

Construction 2’: nonce ctr-mode msg IV m[0] m[1] … m[L]  F(k,IV) F(k,IV+1) … F(k,IV+L) IV c[0] c[1] … c[L] ciphertext To ensure F(k,x) is never used more than once, choose IV as: nonce 128 bits counter IV: Max message length is 2^64 blocks. starts at 0 for every msg 64 bits 64 bits

rand ctr-mode (rand. IV): CPA analysis Counter-mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then ECTR is a sem. sec. under CPA over (K,XL,XL+1). In particular, for a q-query adversary A attacking ECTR there exists a PRF adversary B s.t.: AdvCPA[A, ECTR]  2AdvPRF[B, F] + 2 q2 L / |X| Note: ctr-mode only secure as long as q2L << |X| . Better than CBC !

An example AdvCPA [A, ECTR]  2AdvPRF[B, E] + 2 q2 L / |X| q = # messages encrypted with k , L = length of max message Suppose we want AdvCPA [A, ECTR] ≤ 1/232 ⇐ q2 L /|X| < 1/ 232 AES: |X| = 2128 ⇒ q L1/2 < 248 So, after 232 CTs each of len 232 , must change key (total of 264 AES blocks)

Comparison: ctr vs. CBC CBC ctr mode PRP PRF No Yes uses PRP PRF parallel processing No Yes Security of rand. enc. q^2 L^2 << |X| q^2 L << |X| dummy padding block 1 byte msgs (nonce-based) 16x expansion no expansion (for CBC, dummy padding block can be solved using ciphertext stealing)

steam-ciphers det. ctr-mode Summary PRPs and PRFs: a useful abstraction of block ciphers. We examined two security notions: (security against eavesdropping) Semantic security against one-time CPA. Semantic security against many-time CPA. Note: neither mode ensures data integrity. Stated security results summarized in the following table: one-time key Many-time key (CPA) CPA and integrity Sem. Sec. steam-ciphers det. ctr-mode rand CBC rand ctr-mode later Power Goal

Further reading A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997 Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004

End of Segment