1
Two New Online Ciphers
Mridul Nandi, National Institute of Standards and Technology, Gaithersburg, MD
Indocrypt 2008, Kharagpur
2
Mridul Nandi, Indocrypt-2008
Outline of the talk
1. Introduction to Online Ciphers.
2. Security Notions for Online Ciphers.
3. Known Examples of Online Ciphers.
4. Our Constructions.
5. Conclusion.
3
Online Cipher
4
Online Cipher
Most applications want real-time encryption, i.e., the ciphertext is computed as soon as a plaintext block arrives, to save both time and memory. This is also known as one-pass encryption. (In two-pass encryption the whole plaintext is needed to generate some intermediate values, like a tag, and then the plaintext is used again to compute the ciphertext. The first ciphertext block cannot be computed until the complete plaintext has arrived.)
5
Online Cipher
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C_1 || C_2 || … || C_k is a ciphertext of P = P_1 || P_2 || … || P_k, then C_i should be computable from P_1 || … || P_i, where the P_j's and C_j's are blocks (128 bits for an AES-based design).
6
Online Cipher
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C_1 || C_2 || … || C_k is a ciphertext of P = P_1 || P_2 || … || P_k, then C_i should be computable from P_1 || … || P_i, where the P_j's and C_j's are blocks (128 bits for an AES-based design).
In other words, there exists an algorithm B such that B(P_1, …, P_i) = C_i for i = 1, …, k.
It is real-time encryption, but that does not necessarily mean it requires less memory. Why?
7
Online Cipher
[Diagram: the input stream delivers P_1; the buffer holds P_1; C_1 is output.]
8
Online Cipher
[Diagram: the input stream delivers P_2; the buffer holds P_1, P_2; C_2 is output.]
9
Online Cipher
[Diagram: the input stream delivers P_3; the buffer holds P_1, P_2, P_3; C_3 is output.]
10
Online Cipher
[Diagram: the input stream delivers P_k; the buffer holds P_1, P_2, P_3, …, P_k; C_k is output.]
The buffer size increases linearly as plaintext blocks arrive. So a generic online cipher does not save memory, but it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
11
Efficient Online Ciphers
[Diagram: a chain of f blocks maps plaintext P_1, P_2, …, P_{k-1}, P_k to ciphertext C_1, C_2, …, C_{k-1}, C_k, starting from the initial values 0, 0.]
Buffer size = 3.
12
Efficient Online Ciphers
[Diagram: the same chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
Buffer size = 3; when T = 1 the buffer holds (0, 0, P_1).
13
Efficient Online Ciphers
[Diagram: the same chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
Buffer size = 3; when T = 2 the buffer holds (P_1, C_1, P_2).
14
Efficient Online Ciphers
[Diagram: the same chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
Buffer size = 3; when T = k the buffer holds (P_{k-1}, C_{k-1}, P_k).
15
Is it an Online Cipher?
[Diagram: the chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
C_i = A(P_{i-1}, C_{i-1}, P_i) depends on C_{i-1}, which is not allowed by the definition of an online cipher.
16
Is it an Online Cipher?
[Diagram: the chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C_1 || C_2 || … || C_k is a ciphertext of P = P_1 || P_2 || … || P_k, then C_i should be computable from P_1 || … || P_i, where the P_j's and C_j's are blocks (128 bits for an AES-based design).
C_i = A(P_{i-1}, C_{i-1}, P_i) depends on C_{i-1}, which is not allowed by the definition of an online cipher.
17
Is it an Online Cipher?
[Diagram: the chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
But C_{i-1} in turn depends only on P_{i-2}, P_{i-1} and C_{i-2}, and so on. So by induction it can be shown that C_i depends only on P_1, …, P_i.
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C_1 || C_2 || … || C_k is a ciphertext of P = P_1 || P_2 || … || P_k, then C_i should be computable from P_1 || … || P_i, where the P_j's and C_j's are blocks (128 bits for an AES-based design).
18
It is an Online Cipher.
[Diagram: the chain of f blocks from P_1, …, P_k to C_1, …, C_k with initial values 0, 0.]
If it is a cipher, then it is an online cipher. To be a cipher it must be invertible. In other words, P_i should be computable from P_{i-1}, C_{i-1} and C_i = f(P_{i-1}, C_{i-1}, P_i).
19
Inverse of an Online Cipher.
[Diagram: a chain of g blocks maps C_1, …, C_k back to P_1, …, P_k, starting from the initial values 0, 0.]
If it is a cipher, then it is an online cipher. To be a cipher it must be invertible. In other words, P_i should be computable from P_{i-1}, C_{i-1} and C_i = f(P_{i-1}, C_{i-1}, P_i). So P_i = g(P_{i-1}, C_{i-1}, C_i), and decryption is online as well.
20
Security Notions
21
Security notions for Online Ciphers
(Strong) Pseudo-Random Permutation is the strongest security notion for an encryption algorithm. An online cipher cannot be an (S)PRP, since the online property itself gives a distinguishing attack: two plaintexts that agree on their first block produce ciphertexts that agree on their first block, which a random permutation would almost never do. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the appropriate security notions, capturing the maximum security achievable for online ciphers by comparing against an ideal online cipher.
22
Security notions for Online Ciphers
Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
23
Known Examples
24
Hash-CBC Online Ciphers
1. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
2. They need a blockcipher and an Almost-XOR-Universal (AXU) hash function.
3. A universal hash function combined with CBC mode.
25
AU hash function
Poly-hash generates distinct counters for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext:
Pr[H_h(M) = H_h(M') ∘ δ] ≤ L/2^n for every fixed δ, where ∘ is either + (modular addition) or ⊕ (xor).
26
Hash-CBC: HCBC1
[Diagram: a chain of E_K blocks producing C_1, …, C_k from P_1, …, P_k; H is applied to the previous ciphertext block C_{i-1} (C_0 = 0) and combined with P_i before E_K.]
1. CPA-secure but not CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
3. Two independent keys (one for H and one for E).
27
Hash-CBC: HCBC2
1. CCA-secure.
2. H : {0,1}^{2n} → {0,1}^n is an AXU hash function.
3. Two independent keys (H and E).
28
Our Constructions
29
Recall HCBC2
[Diagram: a chain of E_K blocks producing C_1, …, C_k from P_1, …, P_k; H takes the pair (P_{i-1}, C_{i-1}), with P_0 = C_0 = 0, and its n-bit output is combined with block i.]
The hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs together before feeding them into H.
30
MHCBC
31
Modified Hash-CBC: MHCBC
[Diagram: a chain of E_K blocks producing C_1, …, C_k from P_1, …, P_k; H : {0,1}^n → {0,1}^n takes the single n-bit value P_{i-1} ⊕ C_{i-1}, with P_0 = C_0 = 0.]
32
Modified Hash-CBC: MHCBC
1. CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function.
3. Two independent keys (H and E).
33
MCBC-1
34
Modified CBC: MCBC
[Diagram: the MHCBC chain, with H feeding each E_K block; initial values 0, 0.]
We need an AXU hash function. E_K itself can be a candidate for this.
35
Modified CBC: MCBC-1
[Diagram: the MHCBC chain with H replaced by E_{K2}, feeding each E_{K1} block; initial values 0, 0.]
We need an AXU hash function. E_K itself can be a candidate for this. So we can replace H by E_{K2} (with an independently chosen key K2). This is called MCBC-1.
36
Modified CBC: MCBC
[Diagram: the MHCBC chain with H replaced by E_K, using the same key K as the outer E_K blocks; initial values 0, 0.]
What will happen if we replace H by E_K (same key K)? Is it secure?
37
Modified CBC: MCBC
[Diagram: the MHCBC chain with H replaced by E_K, same key K; initial values 0, 0.]
NOT SECURE
38
Modified CBC: MCBC
[Diagram: first block only, initial values 0, 0; E_K produces E_K(0) from the initial values and E_K^{-1} is applied to ciphertext 0.]
1st decryption query, with ciphertext 0: the plaintext is E_K(0) = v_0.
39
Modified CBC: MCBC
[Diagram: first block only, initial values 0, 0; the inner E_K outputs v_0, the outer E_K maps v_0 to v_1, and the ciphertext is v_2.]
1st decryption query, with ciphertext 0: the plaintext is E_K(0) = v_0.
1st encryption query, with plaintext 0: let E_K(v_0) = v_1. The ciphertext will be E_K(v_0) + v_0 = v_2.
40
Modified CBC: MCBC
[Diagram: two blocks, initial values 0, 0; plaintext (v_0, v_1); the inner E_K values are v_0 and v_1, and the ciphertext blocks are 0 and v_2.]
2nd encryption query, with plaintext (v_0, v_1): the ciphertext will be (0, v_2) with probability one, which is not what an ideal random online cipher would do. The two earlier queries fixed v_0 and v_2, so the attacker predicts this ciphertext in advance.
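The three queries of slides 38 to 40, replayed against a toy model of the MCBC chain, as an added example that is not code from the slides or the paper. It assumes the mask H(P_{i-1} ⊕ C_{i-1}) is xored into both the input and the output of E_K (reconstructed from the slides' own v_0, v_1, v_2 walkthrough) and uses an 8-bit keyed permutation as a stand-in for AES; the observation does not depend on the block size or on which permutation is used.

```python
# Toy MCBC model (constructed example). Assumptions: mask = H(P_{i-1} ^ C_{i-1}) is
# xored on both sides of E_K; an 8-bit random permutation stands in for AES (n = 128).
import random

BLOCK_BITS = 8  # toy n; the slides use n = 128


def toy_blockcipher(key: int):
    """Return (E, D): a keyed permutation on 2^BLOCK_BITS values and its inverse."""
    table = list(range(1 << BLOCK_BITS))
    random.Random(key).shuffle(table)  # any permutation works: the effect is structural
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def online_encrypt(E, H, blocks):
    """C_i = E(P_i ^ m_i) ^ m_i with m_i = H(P_{i-1} ^ C_{i-1}) and P_0 = C_0 = 0.
    H = independent AXU hash gives MHCBC; H = E_{K2} gives MCBC-1; H = E (same key) is
    the single-key MCBC variant the slides show to be insecure."""
    prev_p = prev_c = 0
    out = []
    for p in blocks:
        mask = H(prev_p ^ prev_c)
        c = E(p ^ mask) ^ mask
        out.append(c)
        prev_p, prev_c = p, c
    return out


def online_decrypt(D, H, blocks):
    """The inverse g of slide 19: P_i is recovered from P_{i-1}, C_{i-1} and C_i only."""
    prev_p = prev_c = 0
    out = []
    for c in blocks:
        mask = H(prev_p ^ prev_c)
        p = D(c ^ mask) ^ mask
        out.append(p)
        prev_p, prev_c = p, c
    return out


def single_key_mcbc_is_predictable(key: int) -> bool:
    """Slides 38-40 with H = E_K: decrypting ciphertext 0 yields v0 = E_K(0); encrypting
    plaintext 0 yields v2 = E_K(v0) ^ v0; encrypting (v0, v1) must then give (0, v2)."""
    E, D = toy_blockcipher(key)
    v0 = online_decrypt(D, E, [0])[0]   # 1st decryption query
    v2 = online_encrypt(E, E, [0])[0]   # 1st encryption query
    v1 = E(v0)
    return v0 == E(0) and v2 == v1 ^ v0 and online_encrypt(E, E, [v0, v1]) == [0, v2]
```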
41
MCBC-2
42
Modified CBC: MCBC-2
[Diagram: the single-key MCBC chain with a constant K1, obtained by one extra E_K call on the input 1, mixed into every block.]
K1 protects against the previous attack. In fact, it is CCA-secure.
43
Comparison (m = number of plaintext blocks)
Mode     BC calls   Key schedules   AXU-hash calls   Type of hash   Keys
HCBC1    m          1               m                n -> n         K_BC + K_H
HCBC2    m          1               m                2n -> n        K_BC + K_H'
MHCBC    m          1               m                n -> n         K_BC + K_H
MCBC-1   2m         2               0                -              2 K_BC
MCBC-2   2m+1       1               0                -              K_BC
44
Conclusion
1. Revisited Hash-CBC online ciphers.
2. Modified them by (a) reducing the key space, (b) removing the universal hash function, (c) achieving better efficiency.
3. These are termed MHCBC and MCBC.
4. A simple modification of MHCBC won't work.
5. A unified way of proving security of online ciphers (in the paper).
45
Thank you for your attention