CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Slides:



Advertisements
Similar presentations
“Advanced Encryption Standard” & “Modes of Operation”
Advertisements

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
CIS 5371 Cryptography 3b. Pseudorandomness.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Lecture 23 Symmetric Encryption
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
CS470, A.SelcukModes of Operation1 Encrypting with Block Ciphers CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Computer Security CS 426 Lecture 3
Cryptography Lecture 3 Arpita Patra.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Lecture 4: Using Block Ciphers
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Modes of Usage Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up: Modes of.
Modes of Operation INSTRUCTOR: DANIA ALOMAR. Modes of Operation A block cipher can be used in various methods for data encryption and decryption; these.
1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 3 Read sections first (skipping 3.2.2)
Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Lecture 23 Symmetric Encryption
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cipher Transmission and Storage Modes Part 2: Stream Cipher Modes CSCI 5857: Encoding and Encryption.
Cryptography Lecture 8 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Block Cipher Modes Last Updated: Aug 25, ECB Mode Electronic Code Book Divide the plaintext into fixed-size blocks Encrypt/Decrypt each block independently.
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Authenticated encryption
Secrecy of (fixed-length) stream ciphers
PRPs and PRFs CS255: Winter 2017
Cryptography Lecture 9.
Topic 11: Authenticated Encryption + CCA-Security
Cryptography Lecture 12.
Topic 5: Constructing Secure Encryption Schemes
B504/I538: Introduction to Cryptography
Topic 30: El-Gamal Encryption
Cryptography Lecture 10.
Topic 7: Pseudorandom Functions and CPA-Security
Cryptography Lecture 7 Arpita Patra © Arpita Patra.
Cryptography Lecture 7 Arpita Patra © Arpita Patra.
Cryptography Lecture 11.
Symmetric-Key Encryption
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Cryptography Lecture 8.
Cryptography Lecture 9.
Cryptography Lecture 12.
Topic 13: Message Authentication Code
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Elect. Codebook, Cipher Block Chaining
Secret-Key Encryption
Presentation transcript:

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security

CS555Spring 2012/Topic 112 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7

Review: IND Security An encryption scheme  = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversary A, there exists a negligible function negl such that Pr[PrivK eav A,  =1]  ½ + negl(n) –A outputs a pair of equal-length messages m 0 and m 1 –A is given the challenge ciphertext Enc k (m b ) Where b is chosen at uniform random from {0,1} –A outputs b’ –PrivK eav A,  =1 when b=b’ CS555Spring 2012/Topic 113

Review: CPA-secure (aka IND- CPA security)  has indistinguishable encryption under a chosen-plaintext attack iff. for all PPT adversary A, there exists a negligible function negl Pr[PrivK cpa A,  =1]  ½ + negl(n) –A is given oracle access to Enc k (  ), and outputs a pair of equal-length messages m 0 and m 1 –A is given the challenge ciphertext Enc k (m b ) Where b is chosen at uniform random from {0,1} –A still has oracle access to Enc k (  ), and (after some time) outputs b’ –PrivK cpa A,  =1 when b=b’ CS555Spring 2012/Topic 114

Review: Pseudorandom Permutations (PRP) We say that a length-preserving keyed function F: {0,1} k  {0,1}*  {0,1}*, is a keyed permutation if and only if each F k is a bijection A Pseudorandom Permutation (PRP) is a keyed permutation that is indistinguishable from a random permutation A Strong PRP is a keyed permutation is indistinguishable from a random permutation when the distinguisher is given access to both the function and its inverse We assume block ciphers are PRP. CS555Spring 2012/Topic 115

Need for Encryption Modes A block cipher encrypts only one block Needs a way to extend it to encrypt an arbitrarily long message Want to ensure that if the block cipher is secure, then the encryption is secure Aims at providing CPA security assuming that the underlying block ciphers are strong CS555Spring 2012/Topic 116

CS555Spring 2012/Topic 117 Block Cipher Encryption Modes: ECB Message is broken into independent blocks; Electronic Code Book (ECB) : each block encrypted separately. Encryption: c i = E k (x i ) Decrytion: x i = D k (c i )

CS555Spring 2012/Topic 118 Properties of ECB Deterministic: –the same data block gets encrypted the same way, reveals patterns of data when a data block repeats –when the same key is used, the same message is encrypted the same way How to show that ECB is not CPA-secure? How to show that ECB is not IND-secure (even in a ciphertext only attack)? Usage: Should not be used.

CS555Spring 2012/Topic 119 Encryption Modes: CBC Cipher Block Chaining (CBC): –Uses a random Initial Vector (IV) –Next input depends upon previous output Encryption: C i = E k (M i  C i-1 ), with C 0 =IV Decryption: M i = C i-1  D k (C i ), with C 0 =IV M1M1 M2M2 M3M3 IV  EkEk C1C1 EkEk C2C2 EkEk  C3C3 C0C0

CS555Spring 2012/Topic 1110 Properties of CBC Randomized encryption: repeated text gets mapped to different encrypted data. –Is CPA secure assuming that the block cipher is secure (i.e., it is a Pseudo Random Permutation (PRP)) Each ciphertext block depends on all preceding plaintext blocks. Usage: chooses random IV and protects the integrity of IV –The IV is not secret (it is part of ciphertext) –The adversary cannot control the IV

Spring 2012/Topic 1111 Encryption Modes: OFB Output feedback (OFB) : –construct a PRNG using a Block Cipher –IV is randomly chosen –y 0 =IV y i = E k [y i-1 ] –Use the stream y 1, y 2,… to XOR with message –Randomized encryption –Provides CPA-secure encryption with a PRF –Sequential encryption, can preprocess CS555

Encryption Modes: CTR Counter Mode (CTR): Defines a stream cipher using a block cipher –Uses a random IV, known as the counter –Encryption: C 0 =IV, C i =M i  E k [IV+i] –Decryption: IV=C 0, M i =C i  E k [IV+i] CS555Spring 2012/Topic 1112 M2M2 IV EkEk  C2C2 C0C0 IV+2 M3M3 EkEk  C3C3 IV+3 M1M1 EkEk  C1C1 IV+1

CS555Spring 2012/Topic 1113 Properties of CTR Gives a stream cipher from a block cipher Randomized encryption: –when starting counter is chosen randomly Random Access: encryption and decryption of a block can be done in random order, very useful for hard-disk encryption. –E.g., when one block changes, re-encryption only needs to encrypt that block. In CBC, all later blocks also need to change

Theorem 3.29: CTR mode provides CPA-secure encryption with a block cipher that is a PRF. Proof. –When a true random function is used, ciphertext leaks no information about plaintext unless some string in the sequence IV+1,…IV+ l overlaps with some sequence used for encrypting other messages. –Let q(n) be the bound on number of messages encrypted, as well as bound on size of messages. –Prob that an overlap occurs is less than 2q(n) 2 /2 n, which is negligible CS555Spring 2012/Topic 1114

Block Length and Security Adversary success probability depends on block size For block size 64, this is ½ + q 2 /2 63, The advantage q 2 /2 63 can be significant CS555Spring 2012/Topic 1115

Stream Cipher vs Block Cipher Stream cipher (e.g., RC4) Block cipher (AES) In software encryption, RC4 is twice as fast as AES Security for Block cipher (AES) is much better understood than stream cipher (RC4) Use AES unless in really constrained environment CS555Spring 2012/Topic 1116

The CCA Indistinguishablility Experiment: PrivK cca (n) A k is generated by Gen(1 n ) Adversary is given oracle access to Enc k (  ) and Dec k (  ), and outputs a pair of equal-length messages m 0 and m 1 A random bit b is chosen, and adversary is given c  Enc k (m b ) –Called the challenge ciphertext Adversary still has oracle access to Enc k (  ) and Dec k (  ); however, Adversary cannot ask for Dec k (c). Adversary outputs b’ PrivK cca (n) = 1 if b=b’ (adversary wins) and =0 otherwise CS555Spring 2012/Topic 1117

Existing Schemes are not CCA Secure How to break CTR mode’s CCA security? How to break CBC mode’s CCA security? Non-malleability –Cannot change the ciphertext while predicting what changes in decrypted plaintext will be. CCA-secure implies non-malleability How to build CCA-secure encryption scheme? –Make sure that ciphertext cannot be changed. –Any change will result in decryption not outputing the message. CS555Spring 2012/Topic 1118

CS555Spring 2012/Topic 1119 Coming Attractions … More on Number Theory Reading: Katz & Lindell: 7.1.3, 7.1.4, 7.1.5, 7.2

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.