Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur
Mridul Nandi, Indocrypt

Outline of the talk
1. Introduction to online ciphers.
2. Security notions for online ciphers.
3. Known examples of online ciphers.
4. Our constructions.
5. Conclusion.
Online Cipher

Most applications want real-time encryption, i.e., each ciphertext block is computed as soon as the corresponding plaintext block arrives, to save both time and memory. This is also known as one-pass encryption. In two-pass encryption the whole plaintext is needed first to generate some intermediate value (such as a tag), and the plaintext is then used a second time to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C_1 || C_2 || ... || C_k is the ciphertext of P = P_1 || P_2 || ... || P_k, then C_i should be computable from P_1 || ... || P_i, where the P_j's and C_j's are blocks (128 bits for an AES-based design).
In other words, there exists an algorithm B such that B(P_1, ..., P_i) = C_i for i = 1, ..., k.
It is real-time encryption, but that does not necessarily mean it requires less memory. Why?
[Figure: the input stream P_1, P_2, P_3, ..., P_k arrives block by block; at step i the buffer holds P_1, ..., P_i and C_i is output.]
The buffer size increases linearly as plaintext blocks arrive. So the generic definition does not save memory, but the cipher is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
Efficient Online Ciphers
[Figure: a chain of one fixed function f; (P_0, C_0) = (0, 0); block i computes C_i = f(P_{i-1}, C_{i-1}, P_i).]
Buffer size = 3: at time T = 1 the buffer holds (0, 0, P_1); at T = 2 it holds (P_1, C_1, P_2); ...; at T = k it holds (P_{k-1}, C_{k-1}, P_k).
Is it an Online Cipher?
C_i = f(P_{i-1}, C_{i-1}, P_i) depends on C_{i-1}, which does not appear in the definition of an online cipher (C_i should be computable from P_1, ..., P_i alone).
But C_{i-1} depends on P_{i-2}, P_{i-1} and C_{i-2}, and so on. So by induction it can be shown that C_i depends only on P_1, ..., P_i.
It is an Online Cipher.
If it is a cipher then it is an online cipher. To be a cipher it should be invertible; in other words, P_i should be computable from P_{i-1}, C_{i-1} and C_i = f(P_{i-1}, C_{i-1}, P_i).

Inverse of an Online Cipher.
[Figure: the same chain with the inverse function g in place of f.]
So P_i = g(P_{i-1}, C_{i-1}, C_i), and decryption runs block by block with the same three-block buffer.
Security Notions

Security notions for online ciphers
(Strong) pseudorandom permutation, (S)PRP, is the strongest security notion for an encryption algorithm. An online cipher cannot be an (S)PRP, since the online property itself gives a distinguishing attack: two plaintexts sharing the same first block yield the same first ciphertext block. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the appropriate security notions; the maximum security achievable by an online cipher is defined relative to an ideal online cipher.

Chosen-plaintext secure, or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
Chosen-ciphertext secure, or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
Known Examples

Hash-CBC online ciphers
1. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
2. They need a blockcipher and an almost-XOR-universal (AXU) hash function.
3. Idea: a universal hash function combined with CBC mode.
AU hash function
The poly hash produces distinct outputs for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext:
Pr_h[ H_h(M) ∘ H_h(M') = δ ] ≤ L/2^n for all M ≠ M' and all δ,
where ∘ is either + (modular addition) or ⊕ (xor).
Hash-CBC: HCBC1
[Figure: C_0 = 0; for each block, C_i = E_K(P_i ⊕ H(C_{i-1})), i.e., the AXU hash of the previous ciphertext block is XORed into P_i before the blockcipher call.]
1. CPA-secure but not CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
3. Two independent keys (one for H and one for E).

Hash-CBC: HCBC2
1. CCA-secure.
2. H : {0,1}^{2n} → {0,1}^n is an AXU hash function; its input at block i is the pair (P_{i-1}, C_{i-1}).
3. Two independent keys (H and E).
Our Constructions

Recall HCBC2
[Figure: the HCBC2 chain; at block i the hash H takes the two n-bit inputs P_{i-1} and C_{i-1}, and its n-bit output is combined with the blockcipher call E_K on P_i to give C_i.]
The hash H takes two n-bit inputs and produces an n-bit output. We can XOR the two n-bit inputs before feeding them into H.
MHCBC

Modified Hash-CBC: MHCBC
[Figure: (P_0, C_0) = (0, 0); at block i, X_i = H(P_{i-1} ⊕ C_{i-1}) and C_i = E_K(P_i ⊕ X_i) ⊕ X_i, as the MCBC computation on the later slides also shows.]
1. CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function.
3. Two independent keys (H and E).
MCBC-1

Modified CBC: MCBC
[Figure: the MHCBC chain with the hash H replaced by a second blockcipher call at every block.]
We need an AXU hash function, and E_K itself can be a candidate for this. So we can replace H by E_{K2} with an independently chosen key K2: X_i = E_{K2}(P_{i-1} ⊕ C_{i-1}), C_i = E_K(P_i ⊕ X_i) ⊕ X_i. This is called MCBC-1.

What will happen if we replace H by E_K (the same key K)? Is it secure?
NOT SECURE.
Modified CBC with the same key: the attack
1st decryption query, with the single-block ciphertext 0: the hash input is P_0 ⊕ C_0 = 0, so X_1 = E_K(0) =: v_0, and the plaintext is E_K^{-1}(0 ⊕ v_0) ⊕ v_0 = 0 ⊕ v_0 = v_0. The attacker now knows v_0 = E_K(0).
1st encryption query, with the single-block plaintext 0: again X_1 = v_0, so the ciphertext is E_K(0 ⊕ v_0) ⊕ v_0 = E_K(v_0) ⊕ v_0 =: v_2. Let v_1 := E_K(v_0); the attacker learns v_1 = v_2 ⊕ v_0.
2nd encryption query, with the two-block plaintext (v_0, v_1): block 1 gives E_K(v_0 ⊕ v_0) ⊕ v_0 = E_K(0) ⊕ v_0 = 0; then X_2 = E_K(P_1 ⊕ C_1) = E_K(v_0 ⊕ 0) = v_1, and block 2 gives E_K(v_1 ⊕ v_1) ⊕ v_1 = v_0 ⊕ v_1 = v_2. The ciphertext is (0, v_2) with probability one, which is not what an ideal random online cipher would do.
MCBC-2

Modified CBC: MCBC-2
[Figure: the MCBC chain with one extra blockcipher call K_1 = E_K(1), computed once and XORed in at every block.]
K_1 protects from the previous attack. In fact, it is CCA-secure.
Comparison (for an m-block message)

Mode     BC calls   Key schedules   AXU-hash calls   Type of hash   Keys
HCBC1    m          1               m                n -> n         K_BC + K_H
HCBC2    m          1               m                2n -> n        K_BC + K_H'
MHCBC    m          1               m                n -> n         K_BC + K_H
MCBC-1   2m         2               0                -              2 K_BC
MCBC-2   2m+1       1               0                -              K_BC
Conclusion
1. Revisited the Hash-CBC online ciphers.
2. Modified them by
   1. reducing the key space,
   2. removing the universal hash function,
   3. obtaining better efficiency.
3. These are termed MHCBC and MCBC.
4. A simple modification of MHCBC (using the same key for the hash and the blockcipher) won't work.
5. A unified way of proving security of online ciphers (in the paper).

Thank you for your attention