Professional Documents
Culture Documents
04 - Using Block Ciphers
04 - Using Block Ciphers
Dan Boneh
n bits
CT Block
E, D
Key
k bits
Canonical examples:
1. 3DES: n= 64 bits,
2. AES:
k = 168 bits
Secure
PRFs
Let
F:
K
X
Y
be
a
PRF
Funs[X,Y]
Size
|K|
Size |Y|
|X|
Dan
Boneh
Chal.
Adv.
A
x1
X
,
x2
,
,
xq
b {0,1}
is negligible.
Dan Boneh
Chal.
Adv.
A
x1
X
,
x2,
,
xq
is negligible.
b {0,1}
Dan Boneh
Dan Boneh
Akacker
A:
(1) query
f()
at
x=0
and
x=1
(2) if
f(0)
=
f(1)
output
1,
else
0
AdvPRF[A,E]
=
|0-|
=
Final
note
SuggesAon:
dont
think
about
the
inner-workings
of
AES
and
3DES.
We
assume
both
are
secure
PRPs
and
will
see
how
to
use
them
Dan Boneh
End of Segment
Dan Boneh
m1
m2
CT:
c1
c2
Problem:
if
m1=m2
then
c1=c2
Dan
Boneh
In pictures
(courtesy B. Preneel)
Dan Boneh
Chal.
kK
m0 , m1 M : |m0| = |m1|
Adv. A
c E(k,m0)
b {0,1}
Chal.
kK
m0
,
m1
M
:
|m0|
=
|m1|
c
E(k,m1)
Adv. A
b {0,1}
Chal.
kK
m0 = Hello World
m1 = Hello Hello
Adv. A
Secure
ConstrucAon
I
DeterminisAc
counter
mode
from
a
PRF
F
:
EDETCTR
(k,
m)
=
m[0]
m[1]
m[L]
F(k,0)
F(k,1)
F(k,L)
c[0]
c[1]
c[L]
Dan Boneh
Proof
m0
,
m1
chal.
kK
m0
F(k,0)
F(k,L)
adv. A
chal.
fFuns
c
m0 , m1
b1
kK
m1
F(k,0)
F(k,L)
adv. A
b1
m0
adv.
A
f(0) f(L)
b1
chal.
m0 , m1
chal.
r{0,1}n
c
m0
,
m1
m1
f(0)
f(L)
adv.
A
b1
Dan
Boneh
End of Segment
Dan Boneh
Dan Boneh
Dan Boneh
Chal.
kK
Adv.
Dan Boneh
Chal.
kK
Adv.
Dan Boneh
Chal.
kK
for i=1,,q:
Adv.
b {0,1}
So
what?
Dan Boneh
enc
dec
m1
m0
m1
Dan Boneh
Alice
m, n
E
k
E(k,m,n)=c
Bob
c, n
D(k,c,n)=m
Dan Boneh
Chal.
kK
for i=1,,q:
Adv.
b {0,1}
End of Segment
Dan Boneh
Dan Boneh
IV
m[0]
m[1]
m[2]
m[3]
E(k,)
E(k,)
E(k,)
E(k,)
c[1]
c[2]
c[3]
c[0]
ciphertext
Dan
Boneh
DecrypAon
circuit
In
symbols:
c[0]
=
E(k,
IVm[0]
)
m[0]
=
D(k,
c[0])
IV
m[0]
D(k,)
c[2]
D(k,)
c[3]
D(k,)
D(k,)
c[1]
c[0]
IV
m[1]
m[2]
m[3]
Dan
Boneh
Dan Boneh
An
example
AdvCPA
[A,
ECBC]
2PRP
Adv[B,
E]
+
2
q2
L2
/
|X|
q
=
#
messages
encrypted
with
k
,
L
=
length
of
max
message
Suppose
we
want
AdvCPA
[A,
ECBC]
1/232
q2
L2
/|X|
<
1/
232
AES:
|X|
=
2128
q
L
<
248
So,
ader
248
AES
blocks,
must
change
key
0
X
c1
[
IV1,
E(k,
0IV1)
]
m0=IVIV1
,
m1
m0
c
[
IV,
E(k,
IV1)
]
or
c
[
IV,
E(k,
m1IV)
]
Adv.
predict
IV
output
0
if
c[1]
=
c1[1]
Dan Boneh
unique nonce means: (key, n) pair is used for only one message
nonce
m[0]
IV
m[1]
m[2]
m[3]
E(k1,)
E(k,)
E(k,)
E(k,)
E(k,)
nonce
c[0]
c[1]
c[2]
c[3]
ciphertext
Dan Boneh
m[0]
IV
m[1]
m[2]
m[3] ll pad
E(k1,)
E(k,)
E(k,)
E(k,)
E(k,)
IV
c[0]
c[1]
c[2]
c[3]
n n n
removed
during
decrypAon
Dan
Boneh
End of Segment
Dan Boneh
Dan Boneh
m[0]
F(k,IV)
IV
c[0]
msg
m[1]
F(k,IV+1)
c[1]
ciphertext
m[L]
F(k,IV+L)
c[L]
IV
m[0]
m[1]
m[L]
F(k,IV)
F(k,IV+1)
F(k,IV+L)
c[0]
c[1]
c[L]
ciphertext
128
bits
nonce
counter
64
bits
64 bits
starts
at
0
for
every
msg
Dan Boneh
Note:
ctr-mode
only
secure
as
long
as
q2L
<<
|X|
.
Beker
than
CBC
!
Dan
Boneh
An
example
AdvCPA
[A,
ECTR]
2AdvPRF[B,
E]
+
2
q2
L
/
|X|
q
=
#
messages
encrypted
with
k
,
L
=
length
of
max
message
Suppose
we
want
AdvCPA
[A,
ECTR]
1/232
q2
L
/|X|
<
1/
232
AES:
|X|
=
2128
q
L1/2
<
248
So,
ader
232
CTs
each
of
len
232
,
must
change
key
ctr
mode
PRF
Yes
q^2
L
<<
|X|
No
no
expansion
(for
CBC,
dummy
padding
block
can
be
solved
using
ciphertext
stealing)
Dan
Boneh
Summary
PRPs
and
PRFs:
a
useful
abstracAon
of
block
ciphers.
We
examined
two
security
noAons:
(security
against
eavesdropping)
1. SemanAc
security
against
one-Ame
CPA.
2. SemanAc
security
against
many-Ame
CPA.
Note:
neither
mode
ensures
data
integrity.
Stated
security
results
summarized
in
the
following
table:
Goal
Power
Sem. Sec.
one-time key
CPA and
integrity
steam-ciphers
det. ctr-mode
rand CBC
rand ctr-mode
later
Dan
Boneh
Further
reading
A
concrete
security
treatment
of
symmetric
encrypAon:
Analysis
of
the
DES
modes
of
operaAon,
M.
Bellare,
A.
Desai,
E.
Jokipii
and
P.
Rogaway,
FOCS
1997
Nonce-Based
Symmetric
EncrypAon,
P.
Rogaway,
FSE
2004
Dan Boneh
End of Segment
Dan Boneh