Cryptography Lecture 7 Arpita Patra © Arpita Patra.

Recall
>> New definitions for SKE: cpa, cpa-security and cpa-mult-security
>> New assumptions: PRF, PRP, SPRP

Today's Goal
>> A cpa-secure scheme from a PRF, with a proof of security
>> Practical cpa-secure schemes from a PRF/PRP/SPRP for long messages (modes of operation)
>> SSL (Secure Sockets Layer) 3.0 and TLS (Transport Layer Security) 1.0, where a modified mode was used

Minicrypt
[Figure: the secret-key world: OWF -> PRG -> PRF -> SKE and MAC, with the implications between them numbered (1) to (7).]

Towards a cpa-secure Scheme
Idea: take a truly random function f: {0,1}^n -> {0,1}^n, given as a table
  x_1 = 000...0 -> y_1, x_2 = 000...1 -> y_2, ..., x_{2^n} = 111...1 -> y_{2^n},
with every y_i chosen uniformly from {0,1}^n.
Enc(m): pick an x_i uniformly at random and output c = (x_i, m ⊕ y_i).
Since y_i is truly random (and, w.h.p., not used before), each encryption is an instance of the OTP with pad y_i.
>> Problem with the above solution: the table describing f has n·2^n bits, so the key is exponentially long.

Fixed-length cpa-secure SKE from PRF
K = {0,1}^n, M = {0,1}^n, C = {0,1}^{2n}; the two parties share a secret PRF key k (obtained via key agreement).
Gen: k <- K uniformly at random
Enc_k(m): choose r <- {0,1}^n uniformly; output c = (r, m ⊕ F_k(r))
Dec_k(c = (c_0, c_1)): output m = c_1 ⊕ F_k(c_0)
The random r replaces the table index x_i of the previous slide, and F_k(r) replaces the truly random y_i.

Security Proof
Scheme: K = {0,1}^n, M = {0,1}^n, C = {0,1}^{2n}; Gen: k <- K; Enc_k(m) = (r, m ⊕ F_k(r)) for uniform r <- {0,1}^n; Dec_k(c_0, c_1) = c_1 ⊕ F_k(c_0).
Theorem. If F_k is a PRF, then the scheme is CPA-secure.
Proof: on the board.

Recall: Security Proof of the PRG-based Scheme
Scheme: secret PRG seed k; Enc_k(m) = m ⊕ G(k); Dec_k(c) = c ⊕ G(k).
Theorem. If G is a PRG, then the scheme is coa-secure.
Proof (reduction). Assume the scheme is not secure: there exist an adversary A and a polynomial p(n) with
  Pr[PrivK^coa_A(n) = 1] ≥ 1/2 + 1/p(n).
Build a distinguisher D that, on input a string y (either pseudorandom, y = G(s) for a uniform seed s, or truly random), runs PrivK^coa_A(n) with y as the pad:
  1. Run A to obtain m_0, m_1 ∈ M with |m_0| = |m_1|.
  2. Choose b <- {0,1} uniformly and hand A the ciphertext c = m_b ⊕ y.
  3. A outputs b' ∈ {0,1}; D outputs 1 if b' = b and 0 otherwise.
Then
  Pr[D(G(s)) = 1] = Pr[PrivK^coa_A(n) = 1] ≥ 1/2 + 1/p(n), because with y = G(s) D runs exactly the real experiment, and
  Pr[D(y) = 1] = 1/2 for uniform y, because then c = m_b ⊕ y is a one-time-pad ciphertext and b' is independent of b.
So D distinguishes G(s) from a random string with advantage at least 1/p(n), contradicting that G is a PRG.

CPA-security for Arbitrary-length Messages (Theoretical Construction)
Let (Gen, Enc, Dec) be a fixed-length CPA-secure scheme based on a PRP/SPRP/PRF, supporting messages of length n.
To encrypt m = m_1 m_2 m_3 (blocks of n bits), encrypt every block independently with fresh randomness:
  r_i <- {0,1}^n, c_i = (r_i, m_i ⊕ F_k(r_i)) for each block m_i
Enc_k(m) = c_1 c_2 ... c_6: each message block contributes two n-bit ciphertext components.
This works without compromising CPA security (cpa-security implies cpa-mult-security). A nice blend of practice and theory.

How Good is it? (message of l blocks, |m| = ln)

Scheme                   | Randomness used         | Ciphertext length | Parallelizable | Randomness reusable | Min. assumption | CPA-secure
Theoretical construction | n per block, ln overall | 2n per block, 2ln | Yes            | No                  | PRF             | Yes
Target (finally)         | n overall               | ln + n            | Yes            |                     | PRF             | Yes

Block-cipher Modes of Operation
Given: a length-preserving block cipher F (may be a PRF/PRP/SPRP) with block length n, i.e. a keyed algorithm with
  k <- {0,1}^n, F_k(x) = F(k, x) ∈ {0,1}^n for x ∈ {0,1}^n.
Goal: encrypt a message m = m_1 m_2 ... m_l using F, with the ciphertext length as small as possible and using as little randomness as possible.
Without loss of generality, each m_i ∈ {0,1}^n.

Electronic Code Book (ECB) Mode
Encryption: c_i = F_k(m_i) for every block, e.g. c_1 = F_k(m_1), c_2 = F_k(m_2), c_3 = F_k(m_3). No randomness is used at all, and |c| = |m|.
Decryption: m_i = F_k^{-1}(c_i).
>> Assumes F_k is an SPRP (decryption needs the inverse permutation).
>> Parallelizable!
CPA security?
>> Deterministic encryption: equal plaintext blocks give equal ciphertext blocks, so the ciphertext reveals repetitions in the plaintext.
>> No. Not even coa security for multiple messages.

Current Picture (message of l blocks, |m| = ln)

Scheme                   | Randomness used         | Ciphertext length | Parallelizable | Randomness reusable | Min. assumption | CPA-secure
Theoretical construction | n per block, ln overall | 2n per block, 2ln | Yes            | No                  | PRF             | Yes
ECB mode                 | none                    | ln                | Yes            | ---                 | SPRP            | No

Cipher Block Chaining (CBC) Mode
Gen: k <- {0,1}^n. Encryption: choose a uniform IV, set c_0 = IV and
  c_i = F_k(m_i ⊕ c_{i-1}), for i = 1, ..., l   (c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2), ...)
Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l)
Decryption: m_i = F_k^{-1}(c_i) ⊕ c_{i-1}, for i = 1, ..., l
>> Assumes F_k is an SPRP.
>> No blockwise parallel computation for encryption: c_i depends on c_{i-1}. (Decryption does parallelize, since all c_{i-1} are already at hand.)
>> Randomized encryption. Provides CPA security.
CPA security proof? Homework.

Current Picture (message of l blocks, |m| = ln)

Scheme                   | Randomness used         | Ciphertext length | Parallelizable | Randomness reusable | Min. assumption | CPA-secure
Theoretical construction | n per block, ln overall | 2n per block, 2ln | Yes            | No                  | PRF             | Yes
ECB mode                 | none                    | ln                | Yes            | ---                 | SPRP            | No
CBC mode                 | n                       | ln + n            | No             | ---                 | SPRP            | Yes

IV Misuse in CBC Mode
(Same picture as before: c_0 = IV, c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2).)
Is choosing a distinct, but not uniformly random, IV per message (say a counter) enough? It would save randomness.
Unfortunately this version of CBC mode is not cpa-secure (assignment).

IV misuse in CBC Mode
[Figure: two messages M_1 = m_1 m_2 m_3 and M_2 = m_4 m_5 m_6, each encrypted via CBC with its own uniform IV: IV_1 gives c_0 c_1 c_2 c_3, IV_2 gives c_4 c_5 c_6 c_7. This is the ideal way of encrypting two messages via CBC mode.]
Can the last ciphertext block of the previous message act as the IV for the next encryption?
>> Bandwidth and randomness saving

IV misuse in CBC Mode: Chained CBC
[Figure: a single chain IV_1 -> c_0 c_1 c_2 c_3 c_4 c_5 c_6 running across both messages; c_3 serves as the IV of the second message.]
Chained CBC mode: the last ciphertext block of the previous message is the IV of the next one, i.e. a stateful variant of CBC.
>> Bandwidth and randomness saving
>> Used in SSL 3.0 and TLS 1.0
CPA security?
>> It is "equivalent" to encrypting the single large message M = M_1 || M_2 via CBC mode.
>> Yet it is not CPA-secure: the adversary learns the IV of the next message (the previous last ciphertext block) before it chooses the next plaintext, which plain CBC with a fresh uniform IV never allows.
>> Lesson: no modifications to crypto schemes, even if the modifications look benign. This weakness is behind the BEAST attack on SSL/TLS.
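The chosen-plaintext attack the slide alludes to, written out as an added example (this is not code from the lecture). The block cipher is a toy 4-round Feistel network with HMAC-SHA256 as round function, standing in for a real SPRP such as AES; CBCOracle, cpa_attack and the challenge messages m0 = 0^n, m1 = 1^n are this example's own constructions. The same attack works against any CBC variant whose next IV the adversary can predict, which is also the distinct-but-predictable-IV variant left as an assignment above:

```python
import hashlib
import hmac
import os

BLOCK = 16    # block length n = 128 bits
ROUNDS = 4    # toy Luby-Rackoff permutation: 4 Feistel rounds over a PRF (assumption: not a real cipher)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 used as the PRF, truncated to one half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """F_k on one block: (L, R) -> (R, L xor f_i(R)) for each round."""
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def prp_decrypt(key: bytes, block: bytes) -> bytes:
    """F_k^{-1}: CBC decryption needs the inverse, hence the PRP/SPRP assumption."""
    assert len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC: c_0 = IV, c_i = F_k(m_i xor c_{i-1}). msg must be a whole number of blocks."""
    assert len(msg) % BLOCK == 0
    prev, out = iv, [iv]
    for i in range(0, len(msg), BLOCK):
        prev = prp_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    """m_i = F_k^{-1}(c_i) xor c_{i-1}."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(prp_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))


class CBCOracle:
    """CPA encryption oracle. chained=True is the SSL 3.0 / TLS 1.0 behaviour: the IV of
    the next message is the last ciphertext block of the previous one. chained=False
    draws a fresh uniform IV per message (textbook CBC)."""

    def __init__(self, chained: bool):
        self.key = os.urandom(BLOCK)
        self.chained = chained
        self.last_block = os.urandom(BLOCK)   # first IV; IVs are sent in the clear

    def encrypt(self, msg: bytes) -> bytes:
        iv = self.last_block if self.chained else os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, msg)
        self.last_block = ct[-BLOCK:]        # public in both variants: it is part of ct
        return ct


def cpa_attack(oracle: CBCOracle, m0: bytes, m1: bytes):
    """One run of the CPA game with one-block challenge messages. Returns (b, guess)."""
    iv_pred = oracle.last_block            # adversary's prediction of the challenge IV
    b = os.urandom(1)[0] & 1
    c_star = oracle.encrypt(m0 if b == 0 else m1)[BLOCK:]    # c_1 = F_k(m_b xor IV)
    # The next IV is c_star. Querying m' = m0 xor iv_pred xor c_star feeds the block
    # cipher m' xor c_star = m0 xor iv_pred, i.e. the challenge input when b = 0.
    c_prime = oracle.encrypt(xor(xor(m0, iv_pred), c_star))[BLOCK:]
    return b, 0 if c_prime == c_star else 1


def attack_success_rate(chained: bool, trials: int = 40) -> float:
    """Fraction of games the adversary wins, each against a fresh oracle and key."""
    m0, m1 = bytes(BLOCK), b"\xff" * BLOCK   # constructed challenge messages
    hits = 0
    for _ in range(trials):
        b, guess = cpa_attack(CBCOracle(chained), m0, m1)
        hits += (b == guess)
    return hits / trials
```

Against the chained oracle the guess is right every time, because a permutation maps the two candidate inputs m_0 ⊕ IV and m_1 ⊕ IV to different outputs. Against the fresh-IV oracle the prediction iv_pred is wrong with overwhelming probability, the comparison always fails, and the adversary is back to guessing (success rate about 1/2).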

Output Feedback (OFB) Mode
Gen: k <- {0,1}^n. Choose a uniform IV and set y_0 = IV, c_0 = y_0.
Pad stream (independent of m): y_1 = F_k(y_0), y_2 = F_k(y_1), y_3 = F_k(y_2), ...
Encryption: c_i = y_i ⊕ m_i; Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l)
First generate a pseudorandom stream of pad (independent of m), then use the stream to mask m.
Decryption: recompute y_i = F_k(y_{i-1}) starting from y_0 = c_0 and set m_i = y_i ⊕ c_i. No inverse of F is needed: a PRF is enough!
>> Not parallelizable, but pre-computable: the stream can be generated before the message is known.
>> CPA-secure! The chained (stateful) version, which continues the stream across messages, too.

Current Picture (message of l blocks, |m| = ln)

Scheme                   | Randomness used         | Ciphertext length | Parallelizable          | Randomness reusable | Min. assumption | CPA-secure
Theoretical construction | n per block, ln overall | 2n per block, 2ln | Yes                     | No                  | PRF             | Yes
ECB mode                 | none                    | ln                | Yes                     | ---                 | SPRP            | No
CBC mode                 | n                       | ln + n            | No                      | ---                 | SPRP            | Yes
OFB mode                 | n                       | ln + n            | No (but pre-computable) | Yes                 | PRF             | Yes

Counter (CTR) Mode
Gen: k <- {0,1}^n. Choose ctr <- {0,1}^n uniformly and set c_0 = ctr.
Pseudorandom stream: y_i = F_k(ctr + i mod 2^n), for i = 1, ..., l
Encryption: c_i = y_i ⊕ m_i; Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l)
Same idea as in OFB mode (pseudorandom stream followed by masking), but now everything can be parallelized, since y_i depends only on ctr and i.
Highly attractive features:
>> Decryption: easy, m_i = c_i ⊕ F_k(ctr + i mod 2^n). A PRF is enough!
>> Encryption and decryption can be parallelized.
>> Random access: a specific ciphertext block can be decrypted with just one invocation of F.
>> The chained/stateful variant (continue the counter across messages) is CPA-secure.

Current Picture (message of l blocks, |m| = ln)

Scheme                   | Randomness used         | Ciphertext length | Parallelizable          | Randomness reusable | Min. assumption | CPA-secure
Theoretical construction | n per block, ln overall | 2n per block, 2ln | Yes                     | No                  | PRF             | Yes
ECB mode                 | none                    | ln                | Yes                     | ---                 | SPRP            | No
CBC mode                 | n                       | ln + n            | No                      | ---                 | SPRP            | Yes
OFB mode                 | n                       | ln + n            | No (but pre-computable) | Yes                 | PRF             | Yes
CTR mode                 | n                       | ln + n            | Yes                     | Yes                 | PRF             | Yes

Some Practical Issues: Block length in practice
CBC, OFB and CTR modes use a random IV as the starting point, to randomize the encryption process. This ensures (w.h.p.) that each invocation of F is on a "fresh" input; if two invocations of F are on the same input, there are security issues.
Ideal size of the IV? It depends on the block length supported by F, because of the birthday paradox:
>> Say the block length supported by F is l bits (here l is a bit length, not the number of message blocks).
>> In CTR mode the IV is a uniform l-bit string.
>> After about 2^{l/2} encryptions the IV repeats with constant probability.
>> If l is too short, the security is impractical, even if F is an SPRP.
>> DES with l = 64: an IV repetition after about 2^32 ≈ 4.3 billion encryptions, i.e. roughly 32 GB of plaintext at one block per message. That may not be too large for all applications.
(In CTR mode the relevant event is an overlap between the counter ranges ctr + 1, ..., ctr + l of two messages, not only an equal IV, so long messages reach the bound sooner.)
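The birthday computation behind the DES figure, carried through as an added example (not from the slides). The functions and the 2^-32 "acceptable collision probability" used in budget() are this example's own choices; only the 64-bit DES and 128-bit block sizes come from the discussion above.

```python
import math


def collision_probability(q: int, iv_bits: int) -> float:
    """P[some IV repeats] among q uniform iv_bits-bit IVs, by the birthday
    approximation 1 - exp(-q(q-1) / 2^(iv_bits+1)). expm1 keeps precision
    when the probability is tiny (128-bit IVs)."""
    return -math.expm1(-q * (q - 1) / 2 ** (iv_bits + 1))


def encryptions_until(p: float, iv_bits: int) -> int:
    """Approximate number of encryptions q at which P[repeat] reaches p,
    i.e. the inverse of the formula above: q ~ sqrt(2 ln(1/(1-p)) 2^iv_bits)."""
    return math.ceil(math.sqrt(-2.0 * math.log1p(-p) * 2 ** iv_bits))


def plaintext_volume_bytes(q: int, block_bits: int, blocks_per_message: int = 1) -> int:
    """Plaintext volume processed by q encryptions of blocks_per_message blocks each."""
    return q * blocks_per_message * block_bits // 8


def budget(cipher: str, block_bits: int, p_max: float = 2 ** -32) -> dict:
    """Single-block messages allowed under one key before P[IV repeat] exceeds p_max
    (p_max = 2^-32 is an assumed engineering target, not a value from the lecture)."""
    q = encryptions_until(p_max, block_bits)
    return {"cipher": cipher, "iv_bits": block_bits, "max_encryptions": q,
            "max_plaintext_bytes": plaintext_volume_bytes(q, block_bits)}
```

For a 64-bit block, 2^32 encryptions already give a repeat probability of about 0.39, and 32 GiB of single-block plaintexts; with a 128-bit block the same 2^32 encryptions leave the probability near 2^-65. The budget() numbers show why a constant-probability bound is not the one to design to: staying below 2^-32 with DES allows only about 2^16.5 blocks.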

Some Practical Issues: IV misuse
Assumption made: a uniform IV is selected as the starting point. What if the assumption goes wrong (say due to poor randomness generation, an incorrect implementation, etc.)?
Problems if an IV is repeated:
>> In the CTR and OFB modes, the same pseudorandom stream is generated. Two messages XORed with the same stream is a serious security breach: the XOR of the two plaintexts leaks, as with a reused one-time pad.
>> In the CBC mode the effect is not that serious: after a few blocks the inputs to F "diverge" (the blocks of m are also part of the input). What leaks is whether the two messages agree on their first block(s), i.e. the length of their common prefix.
Solutions against IV misuse:
>> Use CBC mode, or
>> a stateful OFB / CTR mode (the state must then be kept reliably).
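The CTR-mode failure and the stateful fix, as an added example (not code from the lecture). F_k is HMAC-SHA256 truncated to one block, which is a PRF, and the slides note that a PRF suffices for CTR; recover_from_reuse, StatefulCTR and the two payment messages are this example's own constructions. OFB with a repeated IV fails in exactly the same way, since its pad stream is also a function of the IV alone.

```python
import hashlib
import hmac
import os

BLOCK = 16                 # block length n = 128 bits
MOD = 2 ** (8 * BLOCK)     # counter arithmetic is mod 2^n


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, x: int) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to one block (a PRF; no inverse is ever needed)."""
    return hmac.new(key, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def keystream(key: bytes, ctr: int, nbytes: int) -> bytes:
    """y_i = F_k(ctr + i mod 2^n), i = 1, 2, ..., enough blocks to cover nbytes."""
    nblocks = -(-nbytes // BLOCK)
    return b"".join(prf(key, (ctr + i) % MOD) for i in range(1, nblocks + 1))[:nbytes]


def ctr_encrypt(key: bytes, ctr: int, msg: bytes) -> bytes:
    """c_0 = ctr, c_i = y_i xor m_i. Any message length works (stream-like)."""
    return ctr.to_bytes(BLOCK, "big") + xor(msg, keystream(key, ctr, len(msg)))


def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    ctr, body = int.from_bytes(ct[:BLOCK], "big"), ct[BLOCK:]
    return xor(body, keystream(key, ctr, len(body)))


def recover_from_reuse(ct_a: bytes, ct_b: bytes, known_a: bytes) -> bytes:
    """Two messages under the same (key, ctr): c_a xor c_b = m_a xor m_b, so a known
    m_a reveals m_b without the key. The prefix of m_b of length |m_a| is returned."""
    assert ct_a[:BLOCK] == ct_b[:BLOCK], "only meaningful when the counter repeated"
    n = min(len(ct_a), len(ct_b), len(known_a) + BLOCK) - BLOCK
    return xor(xor(ct_a[BLOCK:BLOCK + n], ct_b[BLOCK:BLOCK + n]), known_a[:n])


class StatefulCTR:
    """Stateful CTR mode: the sender remembers the counter and advances it past every
    block used, so no input to F_k repeats for up to 2^n blocks under one key.
    The state must survive restarts; losing it (or cloning a VM) brings the reuse back."""

    def __init__(self, key: bytes, start: int):
        self.key, self.ctr = key, start % MOD

    def encrypt(self, msg: bytes) -> bytes:
        ct = ctr_encrypt(self.key, self.ctr, msg)
        self.ctr = (self.ctr + -(-len(msg) // BLOCK)) % MOD
        return ct


# Constructed sample traffic (not from the slides): one counter value used twice.
MSG_A = b"PAY 100.00 EUR TO ACCT 1234567890"
MSG_B = b"PAY 999.99 EUR TO ACCT 0987654321"


def demo_iv_reuse() -> bytes:
    """Returns MSG_B, recovered by an eavesdropper who knows MSG_A but not the key."""
    key = os.urandom(BLOCK)
    ctr = int.from_bytes(os.urandom(BLOCK), "big")
    ct_a = ctr_encrypt(key, ctr, MSG_A)
    ct_b = ctr_encrypt(key, ctr, MSG_B)          # IV misuse: same ctr, same keystream
    return recover_from_reuse(ct_a, ct_b, MSG_A)


def demo_stateful_ctr() -> bool:
    """With the stateful variant, two encryptions use disjoint counter ranges."""
    key = os.urandom(BLOCK)
    sender = StatefulCTR(key, int.from_bytes(os.urandom(BLOCK), "big"))
    ct_a, ct_b = sender.encrypt(MSG_A), sender.encrypt(MSG_A)
    # same plaintext twice: different counters, different ciphertext bodies, both decrypt
    return ct_a[BLOCK:] != ct_b[BLOCK:] and ctr_decrypt(key, ct_b) == MSG_A
```

The recovery needs nothing but the two ciphertexts and one known plaintext, which is why a repeated IV in CTR or OFB is treated as a complete break rather than a weakness.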

Insecurity of ECB Mode: A Practical Example
Think of a practical situation where encrypting with ECB mode is indeed dangerous. Suppose you want to encrypt a black-and-white image using ECB mode, where a group of pixels in the image corresponds to one block of F.
[Figure: the image to be encrypted; the encrypted image via a secure mode (indistinguishable from noise); the encrypted image via ECB mode (the outline is still visible, because equal pixel blocks encrypt to equal ciphertext blocks). Source: Wikipedia, with the image derived from Larry Ewing using GIMP.]

Block-cipher Modes of Operation: Some Practical Issues
Message transmission errors (non-adversarial): dropped packets, changed bits, etc.
>> Different modes of operation have different effects (how far an error propagates on decryption).
>> Standard solutions: error correction, re-transmission.
Message transmission errors (adversarial): what if the adversary "changes" ciphertext contents?
>> This is the issue of message integrity / authentication. Will be discussed in detail later.