Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford.

Published byAlayna Gateley Modified over 9 years ago

Similar presentations

Presentation on theme: "1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford."— Presentation transcript:

1 1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford University

2 2 PRPs and PRFs Pseudo Random Function (PRF) defined over (K,X,Y): F: K  X  Y such that exists “efficient” algorithm to eval. F(k,x) Pseudo Random Permutation (PRP) defined over (K,X): E: K  X  X such that: 1. Exists “efficient” algorithm to eval. E(k,x) 2. The func E( k,  ) is one-to-one 3. Exists “efficient” algorithm for inverse D(k,x)

3 3 Running example Example PRPs: 3DES, AES, … AES: K  X  X where K = X = {0,1} 128 Functionally, any PRP is also a PRF. –A PRP is a PRF where X=Y and is efficiently invertible.

4 4 Secure PRFs Let F: K  X  Y be a PRF Funs[X,Y]: the set of all functions from X to Y S F = { F(k,  ) s.t. k  K }  Funs[X,Y] Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S F SFSF Size |K| Funs[X,Y] Size |Y| |X|

5 5 Secure PRF: defintion For b=0,1 define experiment EXP(b) as: Def: F is a secure PRF if for all “efficient” A: PRF Adv[A,F] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. A b=0: k  K, f  F(k,  ) b=1: f  Funs[X,Y] x i  X f(x i ) b’  {0,1}

6 6 Secure PRP For b=0,1 define experiment EXP(b) as: Def: E is a secure PRP if for all “efficient” A: PRP Adv[A,E] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. A b=0: k  K, f  E(k,  ) b=1: f  Perms[X] x i  X f(x i ) b’  {0,1}

7 7 Example secure PRPs Example secure PRPs: 3DES, AES, … AES: K  X  X where K = X = {0,1} 128 AES PRP Assumption: All 2 80 –time algs A have PRP Adv[A, AES] < 2 -40

8 8 PRF Switching Lemma Any secure PRP is also a secure PRF. Lemma: Let E be a PRP over (K,X) Then for any q-query adversary A: | PRF Adv[A,E]  PRP Adv[A,E] | < q 2 / 2|X|  Suppose |X| is large so that q 2 / 2|X| is “negligible” Then PRP Adv[A,E] “negligible”  PRF Adv[A,E] “negligible”

9 9 Using PRPs and PRFs Goal: build “secure” encryption from a PRP. Security is always defined using two parameters: 1. What “power” does adversary have? examples: Adv sees only one ciphertext (one-time key) Adv sees many PT/CT pairs (many-time key, CPA) 2. What “goal” is adversary trying to achieve? examples: Fully decrypt a challenge ciphertext. Learn info about PT from CT (semantic security)

10 10 Modes of Operation for One-time Use Key Example application: Encrypted email. New key for every message.

11 11 Semantic Security for one-time key E = (E,D) a cipher defined over (K,M,C) For b=0,1 define EXP(b) as: Def: E is sem. sec. for one-time key if for all “efficient” A: SS Adv[A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. A kKkK m 0, m 1  M : |m 0 | = |m 1 | C  E(k, m b ) b’  {0,1}

12 12 Adv. B (us) Semantic security (cont.) Sem. Sec.  no “efficient” adversary learns info about PT from a single CT. Example: suppose efficient A can deduce LSB of PT from CT. Then E = (E,D) is not semantically secure. Chal. b  {0,1} Adv. A (given) kKkK C  E(k, m b ) m 0, LSB( m 0 )=0 m 1, LSB( m 1 )=1 C LSB( m b )=b Then SS Adv[B, E ] = 1  E is not sem. sec.

13 13 Note: ECB is not Sem. Sec. Electronic Code Book (ECB): –Not semantically secure for messages that contain more than one block. Two blocks Chal. b  {0,1} Adv. A kKkK (C 1,C 2 )  E(k, m b ) m 0 = “Hello World” m 1 = “Hello Hello” If C 1 =C 2 output 0, else output 1 Then SS Adv[A, ECB] = 1

14 14 Secure Constructions Examples of sem. sec. systems: 1. SS Adv[A, OTP] = 0 for all A 2. Deterministic counter mode from a PRF F : E DETCTR (k,m) = Stream cipher built from PRF (e.g. AES, 3DES) m[0]m[1]… F(k,0)F(k,1)… m[L] F(k,L)  c[0]c[1]…c[L]

15 15 Det. counter-mode security Theorem:For any L>0. If F is a secure PRF over (K,X,X) then E DETCTR is sem. sec. cipher over (K,X L,X L ). In particular, for any adversary A attacking E DETCTR there exists a PRF adversary B s.t.: SS Adv[A, E DETCTR ] = 2  PRF Adv[B, F] PRF Adv[B, F] is negligible (since F is a secure PRF) Hence, SS Adv[A, E DETCTR ] must be negligible.

16 16 Proof (as a reduction) PRF Chal b  {0,1} SS Adv A (given) PRF Adv B (us) m 0, m 1  X L Choose f r  {0,1} 0, 1, …, L f(0), f(1), …, f(L) c i  m r [i]  f(i)  X (c 0, c 1, …, c L )  X L r’  {0,1} If r=r’ output 0, else output 1 b=1: f  Funs[X,X]  Pr[EXP(1)=0] = Pr[r=r’] = ½ b=0: f  F(k,  )  Pr[EXP(0)=0] = ½  ½  SS Adv[A, E DETCTR ] Hence, PRF Adv[F, B] = ½  SS Adv[A, DETCTR] b=0: k  K, f  F(k,  ) b=1: f  Funs[X,Y]

17 17 Modes of Operation for Many-time Key Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets.

18 18 Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C) For b=0,1 define EXP(b) as: (simplified CPA) Def: E is sem. sec. under CPA if for all “efficient” A: SS CPA Adv[A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. kKkK m 0, m 1  M : |m 0 | = |m 1 | C  E(k, m b ) b’  {0,1} x i  M E(k, x i )

19 19 Randomized Encryption Fact: stream ciphers are insecure under CPA. Fact: No deterministic encryption can be secure under CPA. If secret key is to be used multiple times  encryption algorithm must be randomized !!

20 20 Construction 1: CBC Cipher block chaining with a random IV. E(k,  ) m[0]m[1]m[3]m[4]IV  E(k,  )  c[0]c[1]c[3]c[4]IV ciphertext

21 21 CBC: CPA Analysis CBC Theorem: For any L>0, If E is a secure PRP over (K,X) then E CBC is a sem. sec. under CPA over (K, X L, X L+1 ). In particular, for a q-query adversary A attacking E CBC there exists a PRP adversary B s.t.: SS CPA Adv[A, E CBC ]  2  PRP Adv[B, E] + 2 q 2 L 2 / |X| Note: CBC is only secure as long as q 2 L 2 << |X|

22 22 Construction 2: rand ctr-mode m[0]m[1]… F(k,IV)F(k,IV+1)… m[L] F(k,IV+L)  c[0]c[1]…c[L] IV IV - Picked fresh at random for every encryption msg ciphertext

23 23 rand ctr-mode: CPA analysis Randomized counter mode: random IV. Counter-mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E CTR is a sem. sec. under CPA over (K,X L,X L+1 ). In particular, for a q-query adversary A attacking E CTR there exists a PRF adversary B s.t.: SS CPA Adv[A, E CTR ]  2  PRF Adv[B, F] + 2 q 2 L / |X| Note: ctr-mode only secure as long as q 2 L << |X| Better then CBC !

24 24 Summary PRPs and PRFs: a useful abstraction of block ciphers. We examined two security notions: 1.Semantic security against one-time CPA. 2.Semantic security against many-time CPA. Note: neither mode ensures data integrity. Stated security results summarized in the following table: one-time key Many-time key (CPA) CPA and CT integrity Sem. Sec. Steam-ciphers Det. ctr-mode rand CBC rand ctr-mode Later Goal Power

Download ppt "1 PRPs and PRFs CS255: Winter 2008 1.Abstract ciphers: PRPs and PRFs, 2.Security models for encryption, 3.Analysis of CBC and counter mode Dan Boneh, Stanford."

Similar presentations

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted email, new key for every message.

Dan Boneh Using block ciphers Modes of operation: one time key Online Cryptography Course Dan Boneh example: encrypted , new key for every message.
Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh
Cryptography: Review Day David Brumley Carnegie Mellon University.

Cryptography: Review Day David Brumley Carnegie Mellon University.
Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.

Authenticated Encryption and Cryptographic Network Protocols David Brumley Carnegie Mellon University.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.

Dan Boneh Message Integrity A Parallel MAC Online Cryptography Course Dan Boneh.
1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.

1 Brief PRP-PRF Recap CS255 Winter ‘06. 2 PRPs and PRFs PRF: F: K  X  Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K  X  X such.
1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.

1 Message Integrity CS255 Winter ‘06. 2 Message Integrity Goal: provide message integrity. No confidentiality. –ex: Protecting public binaries on disk.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.

1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.
Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.

Dan Boneh Basic key exchange Public-key encryption Online Cryptography Course Dan Boneh.
Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.

Dan Boneh Public Key Encryption from trapdoor permutations The RSA trapdoor permutation Online Cryptography Course Dan Boneh.
Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.

Cryptography Overview CS155. Cryptography Is A tremendous tool The basis for many security mechanisms Is not The solution to all security problems Reliable.
Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Definitions Online Cryptography Course Dan Boneh.
Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Dan Boneh Authenticated Encryption Chosen ciphertext attacks Online Cryptography Course Dan Boneh.

Similar presentations

Ads by Google