The document discusses block ciphers and pseudorandom functions and permutations. It introduces the concepts of a secure block cipher and pseudorandom function, defining them as functions that are computationally indistinguishable from random functions. Block cipher modes of operation are discussed for building secure encryption from a secure block cipher, including deterministic counter mode which provides semantic security. Security for single-use and many-use keys is also covered.
Review: PRPs and PRFs
Online Cryptography Course, Dan Boneh

Block ciphers: crypto work horse
E, D operate on n-bit blocks (PT block n bits, CT block n bits) under a k-bit key. Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits

Abstractly: PRPs and PRFs
Pseudo Random Function (PRF) defined over (K,X,Y):
  F: K × X → Y
such that there exists an "efficient" algorithm to evaluate F(k,x).
Pseudo Random Permutation (PRP) defined over (K,X):
  E: K × X → X
such that:
1. There exists an "efficient" deterministic algorithm to evaluate E(k,x)
2. The function E(k,·) is one-to-one
3. There exists an "efficient" inversion algorithm D(k,x)

Secure PRFs
Let F: K × X → Y be a PRF.
Funs[X,Y]: the set of all functions from X to Y (size |Y|^|X|).
S_F = { F(k,·) s.t. k ∈ K } ⊆ Funs[X,Y] (size |K|).
Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S_F.

Secure PRF: definition
For b = 0,1 define experiment EXP(b) as:
  Challenger: if b = 0: k ← K, f ← F(k,·); if b = 1: f ← Funs[X,Y].
  Adversary A: sends queries x_1, x_2, ..., x_q ∈ X and receives f(x_1), f(x_2), ..., f(x_q); then outputs b' ∈ {0,1}.
Def: F is a secure PRF if for all "efficient" A:
  Adv_PRF[A,F] := |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is "negligible."

Secure PRP (secure block cipher)
For b = 0,1 define experiment EXP(b) as:
  Challenger: if b = 0: k ← K, f ← E(k,·); if b = 1: f ← Perms[X].
  Adversary A: sends queries x_1, x_2, ..., x_q ∈ X and receives f(x_1), f(x_2), ..., f(x_q); then outputs b' ∈ {0,1}.
Def: E is a secure PRP if for all "efficient" A:
  Adv_PRP[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is "negligible."

Quiz: Let X = {0,1}. Perms[X] contains two functions. Consider the following PRP: key space K = {0,1}, input space X = {0,1}, PRP defined as E(k,x) = x ⊕ k. Is this a secure PRP? (Yes / No / It depends)

Example secure PRPs
PRPs believed to be secure: 3DES, AES, ...
AES-128: K × X → X where K = X = {0,1}^128
An example concrete assumption about AES: all 2^80-time algs. A have Adv_PRP[A, AES] < 2^-40

Quiz: Consider the 1-bit PRP from the previous question: E(k,x) = x ⊕ k. Is it a secure PRF? Note that Funs[X,X] contains four functions. (Yes / No / It depends)
Attacker A: (1) query f(·) at x = 0 and x = 1; (2) if f(0) = f(1) output "1", else "0".
Adv_PRF[A,E] = |0 − 1/2| = 1/2

PRF Switching Lemma
Any secure PRP is also a secure PRF, if |X| is sufficiently large.
Lemma: Let E be a PRP over (K,X). Then for any q-query adversary A:
  |Adv_PRF[A,E] − Adv_PRP[A,E]| < q² / (2|X|)
⇒ Suppose |X| is large so that q² / (2|X|) is "negligible". Then Adv_PRP[A,E] "negligible" ⇒ Adv_PRF[A,E] "negligible".

Final note
Suggestion: don't think about the inner-workings of AES and 3DES. We assume both are secure PRPs and will see how to use them.

End of Segment

Using block ciphers: Modes of operation: one time key
Online Cryptography Course
Example: encrypted email, new key for every message.

Using PRPs and PRFs
Goal: build "secure" encryption from a secure PRP (e.g. AES).
This segment: one-time keys
1. Adversary's power: Adv sees only one ciphertext (one-time key)
2. Adversary's goal: learn info about PT from CT (semantic security)
Next segment: many-time keys (a.k.a. chosen-plaintext security)

Incorrect use of a PRP: Electronic Code Book (ECB)
PT: m1 m2 → CT: c1 c2 (each block encrypted independently under the same key).
Problem: if m1 = m2 then c1 = c2.
In pictures (courtesy B. Preneel): [image not reproduced]

Semantic Security (one-time key)
EXP(0): Chal. picks k ← K; Adv. A sends m0, m1 ∈ M with |m0| = |m1|; Chal. returns c ← E(k, m0); A outputs b' ∈ {0,1}.
EXP(1): as EXP(0), but c ← E(k, m1).
Adv_SS[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]| should be "neg."
One-time key ⇒ adversary sees only one ciphertext.

ECB is not Semantically Secure
ECB is not semantically secure for messages that contain more than one block.
Chal. picks b ∈ {0,1}, k ← K; Adv. A sends the two-block messages m0 = "Hello World", m1 = "Hello Hello"; Chal. returns (c1, c2) ← E(k, m_b). A: if c1 = c2 output 0, else output 1.
Then Adv_SS[A, ECB] = 1.

Secure Construction I: deterministic counter mode from a PRF F
E_DETCTR(k, m):
    m[0]    m[1]    ...  m[L]
  ⊕ F(k,0)  F(k,1)  ...  F(k,L)
  = c[0]    c[1]    ...  c[L]
⇒ Stream cipher built from a PRF (e.g. AES, 3DES)

Det. counter-mode security
Theorem: For any L > 0, if F is a secure PRF over (K,X,X) then E_DETCTR is a sem. sec. cipher over (K, X^L, X^L).
In particular, for any eff. adversary A attacking E_DETCTR there exists an eff. PRF adversary B s.t.:
  Adv_SS[A, E_DETCTR] = 2 · Adv_PRF[B, F]
Adv_PRF[B, F] is negligible (since F is a secure PRF). Hence Adv_SS[A, E_DETCTR] must be negligible.

Proof (hybrid sketch): in EXP(0), chal. picks k ← K and A receives c ← m0 ⊕ (f(0) ‖ ... ‖ f(L)) with f = F(k,·). Replace f by a truly random function, so each f(i) is a fresh r ← {0,1}^n: by PRF security this changes Pr[b'=1] by at most Adv_PRF[B, F]. With a truly random f, c is a one-time pad of m0, so this experiment is distributed identically (=_p) to the one in which A receives m1 ⊕ (f(0) ‖ ... ‖ f(L)) under the same random f. Switching that f back to F(k,·) costs another Adv_PRF[B, F] and yields EXP(1); hence the factor 2.
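As an added example that is not part of the slides, the following code plays the one-time-key semantic security game above with the slide's two-block adversary against ECB and against E_DETCTR; AES is replaced by a stand-in PRP (a 4-round Feistel network with an HMAC-SHA256 round function), an assumption made so the code runs on the standard library alone.

```python
"""Added example, not from the slides: the one-time-key SS game played by the
two-block adversary of 'ECB is not Semantically Secure' against ECB and against
E_DETCTR. AES is replaced by a stand-in PRP (4-round HMAC-SHA256 Feistel)."""
import hashlib, hmac, os

BLOCK = 16  # n = 128-bit blocks, X = {0,1}^128 as for AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def E(k: bytes, x: bytes) -> bytes:
    """Stand-in PRP E(k,.) on one block: Luby-Rackoff Feistel, 4 rounds."""
    L, R = x[:8], x[8:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R

def D(k: bytes, y: bytes) -> bytes:
    """Inverse of E: undo the rounds in reverse order."""
    L, R = y[:8], y[8:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R

def blocks(m: bytes) -> list:
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def ecb(k: bytes, m: bytes) -> bytes:
    """ECB: c[i] = E(k, m[i]); equal PT blocks give equal CT blocks."""
    return b"".join(E(k, mi) for mi in blocks(m))

def det_ctr(k: bytes, m: bytes) -> bytes:
    """E_DETCTR: c[i] = m[i] xor F(k, i), using the PRP E as the PRF F."""
    return b"".join(xor(mi, E(k, i.to_bytes(BLOCK, "big"))) for i, mi in enumerate(blocks(m)))

def two_block_adversary(c: bytes) -> int:
    """The slide's adversary: if c1 == c2 output 0, else output 1."""
    return 0 if c[:BLOCK] == c[BLOCK:2 * BLOCK] else 1

# Constructed two-block challenge messages: "Hello World" vs "Hello Hello".
M0 = b"Hello".ljust(BLOCK, b"\0") + b"World".ljust(BLOCK, b"\0")
M1 = b"Hello".ljust(BLOCK, b"\0") + b"Hello".ljust(BLOCK, b"\0")

def ss_advantage(enc, adversary, trials: int = 32) -> float:
    """|Pr[EXP(0)=1] - Pr[EXP(1)=1]| with a fresh one-time key k <- K per game."""
    pr = [sum(adversary(enc(os.urandom(BLOCK), (M0, M1)[b])) for _ in range(trials)) / trials for b in (0, 1)]
    return abs(pr[0] - pr[1])
```

Because E is a permutation, F(k,0) and F(k,1) can never coincide, so the same adversary that has advantage 1 against ECB has advantage 0 against E_DETCTR.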
End of Segment

Using block ciphers: Security for many-time key
Online Cryptography Course
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.

Semantic Security for many-time key
Key used more than once ⇒ adv. sees many CTs with same key.
Adversary's power: chosen-plaintext attack (CPA). Can obtain the encryption of arbitrary messages of his choice (conservative modeling of real life).
Adversary's goal: break semantic security.

Semantic Security for many-time key (CPA security)
E = (E,D) a cipher defined over (K,M,C). For b = 0,1 define EXP(b) as:
  Chal. picks k ← K. For i = 1, ..., q: Adv. sends m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}| and receives c_i ← E(k, m_{i,b}). Finally Adv. outputs b' ∈ {0,1}.
If adv. wants c = E(k,m) it queries with m_{j,0} = m_{j,1} = m.
Def: E is sem. sec. under CPA if for all "efficient" A:
  Adv_CPA[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is "negligible."

Ciphers insecure under CPA
Suppose E(k,m) always outputs same ciphertext for msg m. Then:
  Chal. picks k ← K. Adv. first queries (m0, m0) ∈ M and receives c0 ← E(k, m0); then queries (m0, m1) ∈ M and receives c ← E(k, m_b); output 0 if c = c0.
So what? An attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc. Leads to significant attacks when message space M is small.
If secret key is to be used multiple times ⇒ given the same plaintext message twice, encryption must produce different outputs.
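As an added example that is not part of the slides, the following code runs the many-time-key CPA game with the repeat-query adversary above against a deterministic cipher, and against the two fixes discussed in the quizzes that follow (the randomized scheme (r, F(k,r) ⊕ m) and its counter-nonce variant r++); F is a stand-in PRF built from HMAC-SHA256, an assumption since the slides leave F abstract.

```python
"""Added example, not from the slides: the many-time-key CPA game, played by the
repeat-query adversary of 'Ciphers insecure under CPA' against a deterministic
cipher, the randomized scheme (r, F(k,r) xor m) and its counter-nonce variant
r++ (Solutions 1 and 2 below). F is a stand-in PRF built from HMAC-SHA256."""
import hashlib, hmac, os

N = 16  # r and m are 16-byte strings: |R| = |M| = 2^128

def F(k: bytes, r: bytes) -> bytes:
    """Stand-in PRF F: K x R -> M (assumption; the slides leave F abstract)."""
    return hmac.new(k, r, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def det_enc(k: bytes, m: bytes, st: dict) -> bytes:
    """Deterministic cipher: the same m under the same k always gives the same c."""
    return xor(m, F(k, bytes(N)))

def rand_enc(k: bytes, m: bytes, st: dict) -> bytes:
    """Solution 1: r <- R fresh for every message; output (r, F(k,r) xor m)."""
    r = os.urandom(N)
    return r + xor(m, F(k, r))

def ctr_nonce_enc(k: bytes, m: bytes, st: dict) -> bytes:
    """Solution 2, method 1: r++ kept as encryptor state; output (r, F(k,r) xor m)."""
    r = st.get("r", 0).to_bytes(N, "big")
    st["r"] = st.get("r", 0) + 1
    return r + xor(m, F(k, r))

def decrypt(k: bytes, c: bytes) -> bytes:
    """For rand_enc / ctr_nonce_enc: recover m = F(k, r) xor c' from c = (r, c')."""
    return xor(c[N:], F(k, c[:N]))

def repeat_adversary(oracle, m0: bytes, m1: bytes) -> int:
    """Query (m0, m0) to learn c0 = E(k, m0), then (m0, m1); output 0 if c == c0."""
    c0 = oracle(m0, m0)
    return 0 if oracle(m0, m1) == c0 else 1

def cpa_advantage(enc, adversary, trials: int = 32) -> float:
    """Estimate Adv_CPA = |Pr[EXP(0)=1] - Pr[EXP(1)=1]|; fresh k <- K per game."""
    m0, m1 = b"same plaintext!!", b"other plaintext!"  # constructed 16-byte messages
    pr = []
    for b in (0, 1):
        ones = 0
        for _ in range(trials):
            k, st = os.urandom(N), {}
            ones += adversary(lambda a0, a1: enc(k, (a0, a1)[b], st), m0, m1)
        pr.append(ones / trials)
    return abs(pr[0] - pr[1])
```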
Solution 1: randomized encryption
E(k,m) is a randomized algorithm: encrypting same msg twice gives different ciphertexts (w.h.p).
Ciphertext must be longer than plaintext. Roughly speaking: CT-size = PT-size + "# random bits".
[figure: enc maps each of m0, m1 to a set of possible ciphertexts; dec maps each set back to its message]

Quiz: Let F: K × R → M be a secure PRF. For m ∈ M define E(k,m) = [ r ← R, output (r, F(k,r) ⊕ m) ]. Is E semantically secure under CPA?
(Yes, whenever F is a secure PRF / No, there is always a CPA attack on this system / Yes, but only if R is large enough so r never repeats (w.h.p) / It depends on what F is used)

Solution 2: nonce-based encryption
nonce n: a value that changes from msg to msg. (k,n) pair never used more than once.
Alice: E(k,m,n) = c; Bob: D(k,c,n) = m; both hold the key k and the nonce n.
method 1: nonce is a counter (e.g. packet counter). Used when encryptor keeps state from msg to msg. If decryptor has same state, need not send nonce with CT.
method 2: encryptor chooses a random nonce, n ← N.

CPA security for nonce-based encryption
System should be secure when nonces are chosen adversarially.
  Chal. picks k ← K. For i = 1, ..., q: Adv. sends n_i and m_{i,0}, m_{i,1} with |m_{i,0}| = |m_{i,1}| and receives c_i ← E(k, m_{i,b}, n_i). Finally Adv. outputs b' ∈ {0,1}. All nonces {n_1, ..., n_q} must be distinct.
Def: nonce-based E is sem. sec. under CPA if for all "efficient" A:
  Adv_nCPA[A,E] = |Pr[EXP(0)=1] − Pr[EXP(1)=1]|
is "negligible."

Quiz: Let F: K × R → M be a secure PRF. Let r = 0 initially. For m ∈ M define E(k,m) = [ r++, output (r, F(k,r) ⊕ m) ]. Is E CPA secure nonce-based encryption?
(Yes, whenever F is a secure PRF / No, there is always a nonce-based CPA attack on this system / Yes, but only if R is large enough so r never repeats / It depends on what F is used)

End of Segment

Using block ciphers: Modes of operation: many time key (CBC)
Online Cryptography Course
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.

Construction 1: CBC with random IV
Let (E,D) be a PRP. E_CBC(k,m): choose random IV ∈ X and do:
  c[0] = E(k, IV ⊕ m[0]),  c[i] = E(k, c[i−1] ⊕ m[i])  for i = 1, 2, 3
  ciphertext = IV ‖ c[0] ‖ c[1] ‖ c[2] ‖ c[3]
Decryption circuit: m[0] = D(k, c[0]) ⊕ IV,  m[i] = D(k, c[i]) ⊕ c[i−1].
In symbols: c[0] = E(k, IV ⊕ m[0]) ⇒ m[0] = D(k, c[0]) ⊕ IV

CBC: CPA Analysis
CBC Theorem: For any L > 0, if E is a secure PRP over (K,X) then E_CBC is sem. sec. under CPA over (K, X^L, X^{L+1}).
In particular, for a q-query adversary A attacking E_CBC there exists a PRP adversary B s.t.:
  Adv_CPA[A, E_CBC] ≤ 2 · Adv_PRP[B, E] + 2 q² L² / |X|
Note: CBC is only secure as long as q² L² << |X|

An example
q = # messages encrypted with k, L = length of max message.
Suppose we want Adv_CPA[A, E_CBC] ≤ 1/2^32 ⇐ q² L² / |X| < 1/2^32
AES: |X| = 2^128 ⇒ q L < 2^48. So, after 2^48 AES blocks, must change key.
3DES: |X| = 2^64 ⇒ q L < 2^16

Warning: an attack on CBC with rand. IV
CBC where attacker can predict the IV is not CPA-secure!!
Suppose that, given c ← E_CBC(k,m), one can predict the IV for the next message.
  Chal. picks k ← K. Adv. first queries 0 ∈ X and receives c_1 ← [IV_1, E(k, 0 ⊕ IV_1)]; predicts the next IV; then queries m0 = IV ⊕ IV_1, m1 ≠ m0 and receives c ← [IV, E(k, IV_1)] (if b = 0) or c ← [IV, E(k, m1 ⊕ IV)] (if b = 1); output 0 if c[1] = c_1[1].
Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i−1).

Construction 1': nonce-based CBC
Cipher block chaining with unique nonce: key = (k, k1).
  IV = E(k1, nonce);  c[0] = E(k, IV ⊕ m[0]),  c[i] = E(k, c[i−1] ⊕ m[i])
  ciphertext = nonce ‖ c[0] ‖ c[1] ‖ c[2] ‖ c[3]  (nonce included only if unknown to decryptor)
Unique nonce means: (key, n) pair is used for only one message.

An example Crypto API (OpenSSL)
  void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec /* user supplies IV */, AES_ENCRYPT or AES_DECRYPT);
When nonce is non-random need to encrypt it before use.

A CBC technicality: padding
[figure: nonce-based CBC as above, with the last block m[3] ‖ pad]
TLS: for n > 0, the n-byte pad is n n ... n (n bytes, each of value n). If no pad is needed, add a dummy block.
The pad is removed during decryption.

End of Segment

Using block ciphers: Modes of operation: many time key (CTR)
Online Cryptography Course
Example applications:
1. File systems: same AES key used to encrypt many files.
2. IPsec: same AES key used to encrypt many packets.

Construction 2: rand ctr-mode
Let F: K × {0,1}^n → {0,1}^n be a secure PRF. E(k,m): choose a random IV ∈ {0,1}^n and do:
  msg          m[0]      m[1]       ...  m[L]
  ⊕            F(k,IV)   F(k,IV+1)  ...  F(k,IV+L)
  ciphertext   IV ‖ c[0] ‖ c[1] ‖ ... ‖ c[L]
Note: parallelizable (unlike CBC).

Construction 2': nonce ctr-mode
Same as above, but to ensure F(k,x) is never used more than once, choose the 128-bit IV as nonce (64 bits) ‖ counter (64 bits), where the counter starts at 0 for every msg.

rand ctr-mode (rand. IV): CPA analysis
Counter-mode Theorem: For any L > 0, if F is a secure PRF over (K,X,X) then E_CTR is sem. sec. under CPA over (K, X^L, X^{L+1}).
In particular, for a q-query adversary A attacking E_CTR there exists a PRF adversary B s.t.:
  Adv_CPA[A, E_CTR] ≤ 2 · Adv_PRF[B, F] + 2 q² L / |X|
Note: ctr-mode only secure as long as q² L << |X|. Better than CBC!

An example
q = # messages encrypted with k, L = length of max message.
Suppose we want Adv_CPA[A, E_CTR] ≤ 1/2^32 ⇐ q² L / |X| < 1/2^32
AES: |X| = 2^128 ⇒ q L^{1/2} < 2^48. So, after 2^32 CTs each of len 2^32, must change key (total of 2^64 AES blocks).

Comparison: ctr vs. CBC
                              CBC             ctr mode
  uses                        PRP             PRF
  parallel processing         No              Yes
  security of rand. enc.      q² L² << |X|    q² L << |X|
  dummy padding block         Yes             No
  1 byte msgs (nonce-based)   16x expansion   no expansion
(for CBC, dummy padding block can be solved using ciphertext stealing)

Summary
PRPs and PRFs: a useful abstraction of block ciphers.
We examined two security notions (security against eavesdropping):
1. Semantic security against one-time CPA.
2. Semantic security against many-time CPA.
Note: neither mode ensures data integrity.
Stated security results summarized in the following table:
  Power \ Goal   one-time key                     many-time key (CPA)       CPA and integrity
  Sem. Sec.      stream-ciphers, det. ctr-mode    rand CBC, rand ctr-mode   later

Further reading
A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997.
Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004.

End of Segment
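As a closing added example that is not part of the slides, the following code implements nonce ctr-mode (Construction 2') with the 64-bit nonce ‖ 64-bit counter IV layout, an encryptor that refuses to reuse a (key, nonce) pair, and the rekeying budgets implied by the CBC and ctr-mode bounds in the comparison above; F is a stand-in PRF built from HMAC-SHA256, an assumption in place of the AES the slides use.

```python
"""Added example, not from the slides: nonce ctr-mode (Construction 2') with
the 64-bit nonce || 64-bit counter IV layout, an encryptor that refuses to reuse
a (key, nonce) pair, and the rekeying budgets implied by the CBC and ctr-mode
bounds on the comparison slide. F is a stand-in PRF built from HMAC-SHA256."""
import hashlib, hmac

BLOCK = 16  # n = 128: X = {0,1}^128, as for AES

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F: K x {0,1}^n -> {0,1}^n (assumption; the slides use AES)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def iv_for(nonce: int, counter: int) -> bytes:
    """128-bit IV = nonce (64 bits) || counter (64 bits); counter starts at 0 per msg."""
    return nonce.to_bytes(8, "big") + counter.to_bytes(8, "big")

def ctr_xor(k: bytes, nonce: int, data: bytes) -> bytes:
    """c[i] = m[i] xor F(k, IV+i); decryption is the very same operation."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        pad = F(k, iv_for(nonce, i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], pad))
    return bytes(out)

class NonceCtrEncryptor:
    """Remembers every nonce used with k so no (k, n) pair is used twice."""
    def __init__(self, k: bytes):
        self.k, self.used = k, set()

    def encrypt(self, nonce: int, m: bytes) -> bytes:
        if not 0 <= nonce < 2**64 or nonce in self.used:
            raise ValueError("nonce must be a fresh 64-bit value")
        self.used.add(nonce)
        return ctr_xor(self.k, nonce, m)

def ctr_rekey_budget_log2(adv_log2: int = -32, n: int = 128, L_log2: int = 32) -> float:
    """ctr-mode: q^2 L / |X| < 2^adv  =>  log2 of total blocks q*L before rekeying."""
    q_log2 = (n + adv_log2 - L_log2) / 2
    return q_log2 + L_log2

def cbc_rekey_budget_log2(adv_log2: int = -32, n: int = 128) -> float:
    """CBC: q^2 L^2 / |X| < 2^adv  =>  log2 of q*L, independent of how L splits."""
    return (n + adv_log2) / 2
```

With the slide's parameters (AES, advantage 2^-32, messages of 2^32 blocks) the budgets come out as 2^64 blocks for ctr-mode and 2^48 for CBC, matching the two worked examples above.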