Published by João Oliveira de Sequeira. Modified over 6 years ago.
Slide 1: Cryptography, Lecture 7. Arpita Patra. © Arpita Patra
Slide 2: Recall
>> New definitions for SKE: cpa, cpa-security and cpa-mult-security
>> New assumptions: PRF, PRP, SPRP
Slide 3: Today's Goal
- cpa-secure scheme from a PRF, with a proof of security
- Practical cpa-secure schemes from PRF/PRP/SPRP for long messages
- SSL (Secure Sockets Layer) 3.0, TLS (Transport Layer Security) 1.0
Slide 4: Towards a cpa-secure Scheme
(Figure: a truly random function f: {0,1}^n -> {0,1}^n given as a table: x_1 = 00000…0 ↦ y_1 ←R {0,1}^n, x_2 = 00000…1 ↦ y_2 ←R {0,1}^n, …, x_{2^n} = 11111…1 ↦ y_{2^n} ←R {0,1}^n.)
Enc: c = (x_i, m ⊕ y_i). The pad y_i is truly random, so each encryption is an instance of the OTP.
>> Problem with the above solution: the size of f is n·2^n bits.
Slide 5: Fixed-length cpa-secure SKE from a PRF
Secret PRF-key k shared between sender and receiver (key agreement). K = {0,1}^n, M = {0,1}^n, C = {0,1}^{2n}.
Gen: k ←R K.
Enc_k(m): r ←R {0,1}^n; c = (r, m ⊕ F_k(r)).
Dec_k(c = (c_0, c_1)): m = c_1 ⊕ F_k(c_0).
Slide 6: Recall the Security Proof of the PRG-based Scheme
Secret PRG-key k. Enc_k(m): c = m ⊕ G(k). Dec_k(c): m = c ⊕ G(k).
Theorem. If G is a PRG, then the scheme is coa-secure.
Proof: Assume the scheme is NOT secure, i.e. there exist A and p(n) such that Pr[PrivK^coa_A(n) = 1] > 1/2 + 1/p(n).
Build a distinguisher D: on input y ∈ {0,1}^n (pseudorandom string or random string?), D runs PrivK^coa_A(n): A outputs m_0, m_1 ∈ M with |m_0| = |m_1|; D picks b ←R {0,1} and gives A the ciphertext c = m_b ⊕ y; A outputs b'; D outputs 1 if b = b' and 0 otherwise.
Then Pr[D(G(s)) = 1] = Pr[PrivK^coa_A(n) = 1] when y = G(s), and Pr[D(y) = 1] = Pr[PrivK^coa_A(n) = 1] when y is uniform.
Slide 7: Security Proof: 1/2 + 1/p(n) = ?
Theorem. If F_k is a PRF, then the scheme is CPA-secure.
Proof: Assume the scheme is NOT secure, i.e. there exist A and p(n) such that Pr[PrivK^cpa_A(n) = 1] > 1/2 + 1/p(n).
Build a distinguisher D with oracle access to either F_k (PRF) or a truly random function f (TRF). D runs A and answers its encryption queries with the oracle:
- Training query m_i: pick r_i, obtain y_i from the oracle on r_i, return (r_i, y_i ⊕ m_i). Repeat for each query.
- Challenge (m_0, m_1) with m_0, m_1 ∈ M, |m_0| = |m_1|: pick b, pick r, obtain y from the oracle on r, return (r, y ⊕ m_b).
- Post-challenge queries are answered the same way. Finally A outputs b' ∈ {0,1}.
When the oracle is the TRF f, Pr[PrivK^cpa_A(n) = 1] = ?
Slide 8: Security Proof: Pr[PrivK^cpa_A(n) = 1 | ¬Repeat] = 1/2
Repeat = the event that the challenge randomness r lies in {r_1, …, r_t}, the set of r_i used to answer A's t training queries.
(Same experiment as on slide 7: D runs A with oracle F_k (PRF) or f (TRF), answering each query m_i with (r_i, y_i ⊕ m_i) and the challenge with (r, y ⊕ m_b).)
If Repeat does not occur, the pad y = f(r) is a fresh uniform value never seen by A, so the challenge ciphertext is an OTP encryption and Pr[PrivK^cpa_A(n) = 1 | ¬Repeat] = 1/2.
Slide 9: Security Proof: Pr[PrivK^cpa_A(n) = 1] ≤ 1/2 + t/2^n (TRF case)
Repeat = the event that r ∈ {r_1, …, r_t}.
Pr[PrivK^cpa_A(n) = 1]
  = Pr[PrivK = 1 | Repeat]·Pr[Repeat] + Pr[PrivK = 1 | ¬Repeat]·Pr[¬Repeat]
  ≤ Pr[Repeat] + Pr[PrivK = 1 | ¬Repeat]
  ≤ t/2^n + 1/2,
using Pr[Repeat] ≤ t/2^n (r is uniform in {0,1}^n and must hit one of t values) and Pr[PrivK = 1 | ¬Repeat] = 1/2.
Slide 10: Security Proof: 1/2 + 1/p(n) versus 1/2 + t/2^n
Theorem. If F_k is a PRF, then the scheme is CPA-secure.
Proof: Assume the scheme is not secure, i.e. there exist A and p(n) such that Pr[PrivK^cpa_A(n) = 1] > 1/2 + 1/p(n).
(Same distinguisher D as on slide 7: it runs A, answers query m_i with (r_i, y_i ⊕ m_i), answers the challenge with (r, y ⊕ m_b), and outputs 1 if b = b' and 0 otherwise.)
- Oracle = F_k: Pr[D^{F_k}() = 1] = Pr[PrivK^cpa_A(n) = 1] > 1/2 + 1/p(n).
- Oracle = f: Pr[D^f() = 1] ≤ 1/2 + t/2^n.
So D distinguishes F_k from a truly random function with advantage at least 1/p(n) − t/2^n, contradicting the PRF assumption.
Slide 11: CPA-security for Arbitrary-length Messages (Theoretical Construction)
Let (Gen, Enc, Dec) be a fixed-length CPA-secure scheme based on a PRP/SPRP/PRF, supporting messages of length n.
To encrypt m = m_1 m_2 m_3, apply Enc_k independently to each block: Enc_k(m_i) picks r_i ←R {0,1}^n and outputs (r_i, m_i ⊕ F_k(r_i)). The ciphertext is c_1 c_2 … c_6 (two n-bit blocks per message block).
This preserves CPA security. Nice blend of practice and theory.
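The fixed-length scheme of slide 5 and its block-by-block extension, as an added example (not the lecture's own code). It assumes a 16-byte block length and stands in for the PRF F_k with HMAC-SHA256 truncated to one block, which is a modelling assumption, not part of the lecture.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (n = 128 bits); assumption for this example

def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the PRF F_k: HMAC-SHA256 truncated to one block (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gen() -> bytes:
    return os.urandom(N)  # k <-R {0,1}^n

def enc_block(k: bytes, m: bytes) -> bytes:
    """Fixed-length scheme: r <-R {0,1}^n, c = (r, m XOR F_k(r))."""
    assert len(m) == N
    r = os.urandom(N)
    return r + xor(m, prf(k, r))

def dec_block(k: bytes, c: bytes) -> bytes:
    r, c1 = c[:N], c[N:]
    return xor(c1, prf(k, r))  # m = c_1 XOR F_k(c_0)

def enc_long(k: bytes, m: bytes) -> bytes:
    """Theoretical arbitrary-length construction: every block gets its own fresh r."""
    assert len(m) % N == 0
    return b"".join(enc_block(k, m[i:i + N]) for i in range(0, len(m), N))

def dec_long(k: bytes, c: bytes) -> bytes:
    return b"".join(dec_block(k, c[i:i + 2 * N]) for i in range(0, len(c), 2 * N))

def demo() -> dict:
    """Constructed 3-block message; blocks 1 and 2 are identical on purpose."""
    k = gen()
    m = b"block-one-of-16!" + b"block-one-of-16!" + b"block-three-sixt"
    c, c2 = enc_long(k, m), enc_long(k, m)
    return {
        "roundtrip": dec_long(k, c) == m,
        "randomized": c != c2,                          # same m, different ciphertexts
        "expansion": len(c) == 2 * len(m),              # 2n per block -> 2ln overall
        "equal_blocks_hidden": c[:2 * N] != c[2 * N:4 * N],  # fresh r per block
    }
```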
Slide 12: How Good Is It? Assume l message blocks, |m| = l·n.
Columns: randomness usage; ciphertext expansion; ciphertext computation parallelizable; randomness reusability; minimal assumption (PRF/PRP/SPRP); CPA security.
- Theoretical construction: n per block (l·n overall); 2n per block (2·l·n overall); yes; no; PRF; yes.
- Target ("finally"): n overall; l·n + n; yes; —; PRF; yes.
Slide 13: Block-cipher Modes of Operation
Given: a length-preserving block cipher F (may be a PRF/PRP/SPRP) with block length n; k ←R {0,1}^n; F_k(x) = F(k, x) ∈ {0,1}^n for x ∈ {0,1}^n (keyed algorithm F).
Goal: encrypt a message m = m_1 m_2 … m_l using F with ciphertext length as small as possible and with as little randomness as possible.
Without loss of generality, each m_i ∈ {0,1}^n.
Slide 14: Electronic Code Book (ECB) Mode
Encryption: compute c_i = F_k(m_i), e.g. c_1 = F_k(m_1), c_2 = F_k(m_2), c_3 = F_k(m_3). No randomness used at all! |c| = |m|.
Decryption: compute m_i = F_k^{-1}(c_i). >> Assumes F_k is an SPRP.
Parallelizable!
CPA security? >> Deterministic encryption. >> No: not even coa security for multiple messages.
Slide 15: Current Picture. Assume l message blocks, |m| = l·n.
Columns: randomness usage; ciphertext expansion; ciphertext computation parallelizable; randomness reusability; minimal assumption (PRF/PRP/SPRP); CPA security.
- Theoretical construction: n per block (l·n overall); 2n per block (2·l·n overall); yes; no; PRF; yes.
- ECB mode: no randomness; l·n; yes; —; SPRP; NO.
Slide 16: Cipher Block Chaining (CBC) Mode
Gen picks k; a random IV c_0 is chosen. c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2).
Encryption: c_i = F_k(m_i ⊕ c_{i-1}) for i = 1, …, l; Enc_k(m_1 m_2 … m_l) = (c_0 c_1 … c_l).
Decryption: m_i = F_k^{-1}(c_i) ⊕ c_{i-1} for i = 1, …, l. >> Assumes F_k is an SPRP.
>> NO blockwise parallel computation (each block depends on the previous ciphertext block).
>> Randomized encryption. Provides CPA security (proof: HW).
Slide 17: Current Picture. Assume l message blocks, |m| = l·n.
Columns: randomness usage; ciphertext expansion; ciphertext computation parallelizable; randomness reusability; minimal assumption (PRF/PRP/SPRP); CPA security.
- Theoretical construction: n per block (l·n overall); 2n per block (2·l·n overall); yes; no; PRF; yes.
- ECB mode: no randomness; l·n; yes; —; SPRP; NO.
- CBC mode: n; l·n + n; NO; —; SPRP; YES.
Slide 18: IV Misuse in CBC Mode
(Figure: m = m_1 m_2 m_3; IV = c_0; c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2).)
Is choosing a distinct (rather than uniformly random) IV enough? It would save randomness.
Unfortunately this version of CBC mode is not cpa-secure. Attack? Send m_0 + 1 in the post-challenge training phase.
Slide 19: IV Misuse in CBC Mode
(Figure: m = m_1 m_2 m_3; IV = c_0; c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2).)
Can the last ciphertext block of the previous message act as the IV for the next encryption? That would save bandwidth and randomness.
Slide 20: IV Misuse in CBC Mode
(Figure: the ideal way of encrypting two messages M_1 = m_1 m_2 m_3 and M_2 = m_4 m_5 m_6 via CBC mode: independent IV_1 = c_0 and IV_2 = c_4, giving c_0 c_1 c_2 c_3 and c_4 c_5 c_6 c_7.)
Can the last ciphertext block of the previous message act as the IV for the next encryption? That would save bandwidth and randomness.
Slide 21: IV Misuse in CBC Mode: Chained CBC
(Figure: chained CBC mode with a single IV_1 = c_0 and ciphertext blocks c_1 … c_6 for the two messages; the last block of the first message serves as the IV of the second.)
Chained CBC mode was used in SSL 3.0 and TLS 1.0 (BEAST attack on SSL/TLS). >> Stateful variant of CBC.
CPA security? >> It is "equivalent" to encrypting a single large message M = M_1 || M_2 via CBC mode. >> Yet NOT CPA-secure. >> Send m_0 ⊕ IV ⊕ c in the post-challenge training phase, where c is the last ciphertext block (the next IV).
Lesson: no modifications to crypto schemes, even if the modifications look benign.
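The two failures above (ECB revealing equal blocks, chained CBC losing CPA security because the next IV is public) run as the CPA experiment of slide 21, as an added example that is not part of the lecture. It assumes 16-byte blocks and stands in for F_k with HMAC-SHA256 truncated to a block (forward direction only, which is all encryption needs); the fix is a fresh uniform IV per message.

```python
import hashlib
import hmac
import os

N = 16  # block length in bytes; assumption for this example

def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the block cipher F_k, forward direction only (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(k: bytes, blocks: list) -> list:
    return [prf(k, m) for m in blocks]  # c_i = F_k(m_i), deterministic, no IV

class ChainedCBC:
    """Stateful CBC as in SSL 3.0 / TLS 1.0: the IV of the next message is the
    last ciphertext block of the previous one, so only the first IV is random."""
    def __init__(self, k: bytes):
        self.k, self.iv = k, os.urandom(N)
    def encrypt(self, blocks: list) -> list:
        c, prev = [self.iv], self.iv
        for m in blocks:
            prev = prf(self.k, xor(m, prev))  # c_i = F_k(m_i XOR c_{i-1})
            c.append(prev)
        self.iv = prev  # next IV is already known to anyone who saw c
        return c

def cpa_experiment_chained_cbc(b: int) -> bool:
    """PrivK^cpa with chained CBC: after the challenge (IV, c*) on m_b, the
    adversary queries m_0 XOR IV XOR c*; returns True if its guess b' equals b."""
    oracle = ChainedCBC(os.urandom(N))
    m0, m1 = b"A" * N, b"B" * N
    iv, c_star = oracle.encrypt([m0 if b == 0 else m1])  # challenge ciphertext
    # the next IV is c_star, so F_k is evaluated on (m_0 XOR IV XOR c*) XOR c* = m_0 XOR IV
    _, c_query = oracle.encrypt([xor(xor(m0, iv), c_star)])
    b_guess = 0 if c_query == c_star else 1
    return b_guess == b

def ecb_leaks_equal_blocks() -> bool:
    """Constructed message whose first and third blocks coincide."""
    k = os.urandom(N)
    c = ecb_encrypt(k, [b"same block here!", b"other block here", b"same block here!"])
    return c[0] == c[2] and c[0] != c[1]  # equality of plaintext blocks is visible
```

With a fresh uniform IV per message the post-challenge query hits F_k on an unpredictable input, and the guess is no better than 1/2.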
Slide 22: Output Feedback (OFB) Mode
Gen picks k; a random IV y_0 = c_0 is chosen. y_1 = F_k(y_0), y_2 = F_k(y_1), y_3 = F_k(y_2); c_1 = y_1 ⊕ m_1, c_2 = y_2 ⊕ m_2, c_3 = y_3 ⊕ m_3.
Encryption: Enc_k(m_1 m_2 … m_l) = (c_0 c_1 … c_l). First generate a pseudorandom stream of pads (independent of m), then use the stream to mask m.
Slide 23: Output Feedback (OFB) Mode (continued)
(Same construction: y_i = F_k(y_{i-1}) with y_0 = IV = c_0, and c_i = y_i ⊕ m_i.)
Encryption: Enc_k(m_1 m_2 … m_l) = (c_0 c_1 … c_l). Decryption: m_i = F_k(y_{i-1}) ⊕ c_i.
A PRF is enough! Not parallelizable, but the stream is pre-computable. CPA-secure, and the chained version too!
Slide 24: Current Picture. Assume l message blocks, |m| = l·n.
Columns: randomness usage; ciphertext expansion; ciphertext computation parallelizable; randomness reusability; minimal assumption (PRF/PRP/SPRP); CPA security.
- Theoretical construction: n per block (l·n overall); 2n per block (2·l·n overall); yes; no; PRF; yes.
- ECB mode: no randomness; l·n; yes; —; SPRP; NO.
- CBC mode: n; l·n + n; NO; —; SPRP; YES.
- OFB mode: n; l·n + n; NO (but pre-computable); —; PRF; YES.
Slide 25: Counter (CTR) Mode
Gen picks k; ctr ←R {0,1}^n and c_0 = ctr. Pseudorandom stream: y_i = F_k(ctr + i mod 2^n), e.g. y_1, y_2, y_3. Then c_1 = y_1 ⊕ m_1, c_2 = y_2 ⊕ m_2, c_3 = y_3 ⊕ m_3.
Encryption: Enc_k(m_1 m_2 … m_l) = (c_0 c_1 … c_l).
Same idea as in OFB mode: a pseudorandom stream followed by masking. However, everything can now be parallelized.
Slide 26: Counter (CTR) Mode (continued)
(Same construction: c_0 = ctr, y_i = F_k(ctr + i mod 2^n), c_i = y_i ⊕ m_i.)
Highly attractive features:
- Encryption: Enc_k(m_1 m_2 … m_l) = (c_0 c_1 … c_l); decryption is easy; a PRF is enough!
- Encryption and decryption can be parallelized.
- A specific ciphertext block can be decrypted with just one invocation of F.
- The chained/stateful variant is CPA-secure.
Slide 27: Current Picture. Assume l message blocks, |m| = l·n.
Columns: randomness usage; ciphertext expansion; ciphertext computation parallelizable; randomness reusability; minimal assumption (PRF/PRP/SPRP); CPA security.
- Theoretical construction: n per block (l·n overall); 2n per block (2·l·n overall); yes; no; PRF; yes.
- ECB mode: no randomness; l·n; yes; —; SPRP; NO.
- CBC mode: n; l·n + n; NO; —; SPRP; YES.
- OFB mode: n; l·n + n; NO (but pre-computable); —; PRF; YES.
- CTR mode: n; l·n + n; YES; —; PRF; YES.
Slide 28: Some Practical Issues: Block Length in Practice
CBC, OFB and CTR modes use a random IV as the starting point, to randomize the encryption process. This ensures that each invocation of F is on a "fresh" input (with high probability); if two invocations of F are on the same input, there are security issues.
Ideal size of the IV? It depends on the block length supported by F (birthday paradox). Say the block length supported by F is l. In CTR mode, the IV is a uniform string of l bits, so after 2^{l/2} encryptions the IV repeats with constant probability. If l is too short, security is impractical (even if F is an SPRP).
DES (l = 64): IV repetition after 2^32 ≈ 4,300,000,000 encryptions, i.e. approximately 32 GB of plaintext, which may not be too large for all applications.
Slide 29: Some Practical Issues: IV Misuse
Assumption made: a uniform IV is selected as the starting point. What if the assumption goes wrong (say due to poor randomness generation, an incorrect implementation, etc.)?
Problems if an IV is repeated:
- In CTR and OFB modes, the same pseudorandom stream is generated; two messages XORed with the same stream is a serious security breach.
- In CBC mode the effect is not that serious: after a few blocks the inputs to F "diverge" (blocks of m are also part of the input).
Solution against IV misuse: use CBC mode, or stateful OFB / CTR mode.
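The slide's comparison run concretely: OFB and CTR keystreams (slides 22 to 26) generated from one PRF, two messages encrypted under the same IV, and what each mode leaks. This is an added example, not the lecture's code; it assumes 16-byte blocks and stands in for F_k with HMAC-SHA256 truncated to one block.

```python
import hashlib
import hmac
import os

N = 16  # block length in bytes; assumption for this example

def prf(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N]  # stand-in PRF F_k (assumption)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_stream(k: bytes, ctr: bytes, l: int) -> list:
    """CTR keystream: y_i = F_k(ctr + i mod 2^n), computable in parallel."""
    start = int.from_bytes(ctr, "big")
    return [prf(k, ((start + i) % (1 << (8 * N))).to_bytes(N, "big")) for i in range(1, l + 1)]

def ofb_stream(k: bytes, iv: bytes, l: int) -> list:
    """OFB keystream: y_i = F_k(y_{i-1}) with y_0 = IV, sequential but pre-computable."""
    ys, y = [], iv
    for _ in range(l):
        y = prf(k, y)
        ys.append(y)
    return ys

def stream_encrypt(stream_fn, k: bytes, iv: bytes, blocks: list) -> list:
    return [iv] + [xor(y, m) for y, m in zip(stream_fn(k, iv, len(blocks)), blocks)]

def cbc_encrypt(k: bytes, iv: bytes, blocks: list) -> list:
    c, prev = [iv], iv
    for m in blocks:
        prev = prf(k, xor(m, prev))  # c_i = F_k(m_i XOR c_{i-1})
        c.append(prev)
    return c

def iv_reuse_effects() -> dict:
    """Constructed pair of messages sharing blocks 1 and 3, encrypted under the SAME IV."""
    k, iv = os.urandom(N), os.urandom(N)
    m1 = [b"shared first blk", b"msg one 2nd blok", b"shared third blk"]
    m2 = [b"shared first blk", b"msg two 2nd blok", b"shared third blk"]
    out = {}
    for name, fn in (("ctr", ctr_stream), ("ofb", ofb_stream)):
        c1, c2 = stream_encrypt(fn, k, iv, m1), stream_encrypt(fn, k, iv, m2)
        # identical keystream: c1 XOR c2 == m1 XOR m2 for every block
        out[name] = all(xor(a, b) == xor(p, q) for a, b, p, q in zip(c1[1:], c2[1:], m1, m2))
    c1, c2 = cbc_encrypt(k, iv, m1), cbc_encrypt(k, iv, m2)
    out["cbc_prefix_equal"] = c1[1] == c2[1]  # only the common prefix is exposed
    out["cbc_diverged"] = c1[2] != c2[2] and c1[3] != c2[3]  # despite m1[2] == m2[2]
    return out
```

A stateful CTR or OFB sender that never reuses a counter/IV value avoids the stream reuse entirely, which is the slide's second remedy.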
Slide 30: Scribe?