Dan Boneh

Odds and ends

Key derivation
Online Cryptography Course    Dan Boneh
Deriving many keys from one

Typical scenario: a single source key (SK) is sampled from:
  - Hardware random number generator
  - A key exchange protocol (discussed later)

Need many keys to secure session:
    unidirectional keys; multiple keys for nonce-based CBC.

Goal: generate many keys from this one source key

    SK  -->  KDF  -->  k1, k2, k3, ...
When source key is uniform

F: a PRF with key space K and outputs in {0,1}^n

Suppose source key SK is uniform in K
Define Key Derivation Function (KDF) as:

    KDF(SK, CTX, L) := F(SK, (CTX || 0)) || F(SK, (CTX || 1)) || ... || F(SK, (CTX || L))

CTX: a string that uniquely identifies the application
What is the purpose of CTX?

    KDF(SK, CTX, L) := F(SK, (CTX || 0)) || F(SK, (CTX || 1)) || ... || F(SK, (CTX || L))

  - Even if two apps sample same SK they get indep. keys
  - It's good practice to label strings with the app. name
  - It serves no purpose
What if source key is not uniform?

Recall: PRFs are pseudo random only when key is uniform in K
    SK not uniform  ==>  PRF output may not look random

Source key often not uniformly random:
  - Key exchange protocol: key uniform in some subset of K
  - Hardware RNG: may produce biased output
Extract-then-Expand paradigm

Step 1: extract pseudo-random key k from source key SK

    [diagram: SK (prob. not uniform)  -->  extractor, with salt  -->  k (prob. uniform)]
    salt: a fixed non-secret string chosen at random

Step 2: expand k by using it as a PRF key as before
HKDF: a KDF from HMAC

Implements the extract-then-expand paradigm:
  - extract: use  k <-- HMAC(salt, SK)
  - Then expand using HMAC as a PRF with key k
Password-Based KDF (PBKDF)

Deriving keys from passwords:
  - Do not use HKDF: passwords have insufficient entropy
  - Derived keys will be vulnerable to dictionary attacks

PBKDF defenses: salt and a slow hash function

Standard approach: PKCS#5 (PBKDF1)
    H^(c)(pwd || salt): iterate hash function c times
    (more on this later)
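The three derivation flavours of this segment, worked as an added example (this is not code from the slides nor from any library the slides mention). HMAC-SHA256 stands in for the PRF F, so the expand step is the F(SK, CTX || i) concatenation from the uniform-key slide, the extract/expand pair follows RFC 5869's HKDF, and the password case calls the standard library's PBKDF2 (PKCS#5 v2, the iterated-hash successor of the PBKDF1 shown above). Function names, the one-byte block counter, the sample keys and the iteration count are my own assumptions.

```python
import hashlib
import hmac

# Added example, not code from the slides: the key-derivation flavours of this
# segment with HMAC-SHA256 as the PRF F.  All names and parameters are my own.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """F(key, data) := HMAC-SHA256(key, data): a PRF with 32-byte outputs."""
    return hmac.new(key, data, HASH).digest()


def kdf_uniform(sk: bytes, ctx: bytes, num_blocks: int) -> bytes:
    """KDF(SK, CTX, L) = F(SK, CTX||0) || F(SK, CTX||1) || ... for num_blocks blocks.

    Only safe when SK is uniform over the PRF key space.  The block index is
    encoded as a single byte, so this example supports at most 256 blocks.
    """
    if not 0 < num_blocks <= 256:
        raise ValueError("num_blocks must be in 1..256")
    return b"".join(prf(sk, ctx + bytes([i])) for i in range(num_blocks))


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF extract step (RFC 5869): PRK = HMAC(salt, IKM).

    The salt is the MAC key, so a non-uniform source key SK can be the
    message.  An empty salt is replaced by HASH_LEN zero bytes as the RFC says.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return prf(salt, ikm)


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF expand step: T(i) = HMAC(PRK, T(i-1) || info || i), i = 1, 2, ...

    This is the uniform-key KDF again, now keyed with the extracted PRK;
    `info` plays the role of CTX.
    """
    if not 0 <= length <= 255 * HASH_LEN:
        raise ValueError("length must be in 0..255*HASH_LEN")
    okm, prev, counter = b"", b"", 1
    while len(okm) < length:
        prev = prf(prk, prev + info + bytes([counter]))
        okm += prev
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-expand in one call."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def pbkdf2(password: bytes, salt: bytes, iterations: int = 600_000, length: int = 32) -> bytes:
    """Password-based KDF: a per-user salt plus a deliberately slow iterated hash.

    hashlib.pbkdf2_hmac implements PBKDF2-HMAC (PKCS#5 v2); the iteration
    count is what makes dictionary attacks expensive.  600_000 is only the
    default chosen for this example.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, length)


if __name__ == "__main__":
    # Constructed sample values.  Two applications that share SK but label
    # their derivations with different CTX strings obtain independent keys.
    sk = bytes(range(32))
    print(kdf_uniform(sk, b"app-A", 2).hex())
    print(kdf_uniform(sk, b"app-B", 2).hex())
    print(hkdf(b"public-salt", b"biased source key", b"session", 42).hex())
    print(pbkdf2(b"correct horse battery staple", b"per-user-salt", 10_000).hex())
```

The extract step keys HMAC with the public salt and feeds the possibly biased SK as the message; the expand step then treats the extracted PRK as a uniform PRF key, which is exactly the two-step picture on the extract-then-expand slide.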
End of Segment


Odds and ends

Deterministic Encryption
The need for det. encryption (no nonce)

    [diagram: an encrypted database holding "Alice data" and "Bob data";
     the client holds keys k1, k2 and wants Alice's record back:  ??]

Later:  Retrieve record  E(k1, "Alice")  -->  Alice data

    det. enc. enables later lookup
Problem: det. enc. cannot be CPA secure

The problem: attacker can tell when two ciphertexts encrypt the same message
    ==>  leaks information   (equal ciphertexts means same index)

Leads to significant attacks when message space M is small.

Attacker wins CPA game:

    Chal.                                  Adv.
    k <-- K
                  <--  m0, m1 in M  ---
                  ---  c <-- E(k, m_b)  -->
                  <--  m0, m0 in M  ---
                  ---  c0 <-- E(k, m0)  -->
                                           output 0 if c = c0   (this is b)
A solution: the case of unique messages

Suppose encryptor never encrypts same message twice:
    the pair (k, m) never repeats

This happens when encryptor:
  - Chooses messages at random from a large msg space (e.g. keys)
  - Message structure ensures uniqueness (e.g. unique user ID)
Deterministic CPA security

E = (E, D) a cipher defined over (K, M, C).  For b = 0,1 define EXP(b) as:

    Chal. b                                Adv.
    k <-- K
               for i = 1, ..., q:
                  <--  m_{i,0}, m_{i,1} in M : |m_{i,0}| = |m_{i,1}|  ---
                  ---  c_i <-- E(k, m_{i,b})  -->
                                           b' in {0,1}

    where m_{1,0}, ..., m_{q,0} are distinct and m_{1,1}, ..., m_{q,1} are distinct

Def: E is sem. sec. under det. CPA if for all efficient A:
    Adv_dCPA[A, E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |  is negligible.
A Common Mistake

CBC with fixed IV is not det. CPA secure.

Let E: K x {0,1}^n --> {0,1}^n be a secure PRP used in CBC

    Chal.                                  Adv.
    k <-- K
                  <--  m0 = 0^n, m1 = 1^n  ---
                  ---  c <-- [FIV, E(k, FIV xor 0^n)]  or  [FIV, E(k, FIV xor 1^n)]  -->
                  <--  0^n 1^n, 0^n 1^n  ---
                  ---  c1 <-- [FIV, E(k, 0^n xor FIV), ...]  -->
                                           output 0 if c[1] = c1[1]   (this is b)

Leads to significant attacks in practice.
Is counter mode with a fixed IV det. CPA secure?

    message  xor  ( F(k, FIV) || F(k, FIV+1) || ... || F(k, FIV+L) )  =  ciphertext

  - Yes
  - No
  - It depends

    Chal.                                  Adv.
    k <-- K
                  <--  m0, m1  ---
                  ---  c' <-- m_b xor F(k, FIV)  -->
                  <--  m, m  ---
                  ---  c <-- m xor F(k, FIV)  -->
                                           output 0 if c xor c' = m xor m0   (this is b)
End of Segment


Odds and ends

Deterministic Encryption
Constructions: SIV and wide PRP
Deterministic encryption

Needed for maintaining an encrypted database index
  - Lookup records by encrypted index

Deterministic CPA security:
  - Security if never encrypt same message twice using same key:
        the pair (key, msg) is unique

Formally: we defined deterministic CPA security game
Construction 1: Synthetic IV (SIV)

Let (E, D) be a CPA-secure encryption.  E(k, m, r) --> c
Let F: K x M --> R be a secure PRF

Define:  E_det( (k1, k2), m ) =   [given as a diagram on the slide]

Thm: E_det is sem. sec. under det. CPA.

Proof sketch: distinct msgs.  ==>  all r's are indist. from random

Well suited for messages longer than one AES block (16 bytes)
Ensuring ciphertext integrity

Goal: det. CPA security and ciphertext integrity
    DAE: deterministic authenticated encryption

Consider a SIV special case: SIV-CTR
    SIV where cipher is counter mode with rand. IV

    [diagram]
    message  -->  PRF F (key k1)  -->  IV
    CTR mode with PRF F_ctr (key k2):
        F_ctr(k2, IV) || F_ctr(k2, IV+1) || ... || F_ctr(k2, IV+L)
    message xor this keystream, together with IV  -->  ciphertext
Det. Auth. Enc. (DAE) for free

Decryption:

    [diagram]
    ciphertext = IV || body
    CTR mode with PRF F_ctr (key k2):
        F_ctr(k2, IV) || F_ctr(k2, IV+1) || ... || F_ctr(k2, IV+L)
    body xor this keystream  -->  message
    message  -->  PRF F (key k1)  -->  if result = IV, output message

Thm: if F is a secure PRF and CTR from F_ctr is CPA-secure
     then SIV-CTR from F, F_ctr provides DAE
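SIV-CTR and its decryption-side IV check, as an added example (not the slides' code and not any library's SIV implementation). HMAC-SHA256 plays both PRFs here, F for the synthetic IV and F_ctr for the counter-mode keystream; real SIV modes use AES-based PRFs. The 16-byte IV width, the counter encoding, the key names and the sample data are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not code from the slides: SIV-CTR with HMAC-SHA256 standing in
# for both PRFs (F derives the synthetic IV, F_ctr generates the keystream).
# The 16-byte IV width and the counter encoding are assumptions of this example.

IV_LEN = 16


def f_siv(k1: bytes, message: bytes) -> bytes:
    """F(k1, m): the synthetic IV is a PRF of the entire message."""
    return hmac.new(k1, message, hashlib.sha256).digest()[:IV_LEN]


def f_ctr_keystream(k2: bytes, iv: bytes, length: int) -> bytes:
    """F_ctr(k2, IV) || F_ctr(k2, IV+1) || ... truncated to `length` bytes.

    The IV is read as a big-endian counter; IV+i wraps modulo 2^(8*IV_LEN).
    """
    start = int.from_bytes(iv, "big")
    modulus = 1 << (8 * IV_LEN)
    out = bytearray()
    i = 0
    while len(out) < length:
        block = ((start + i) % modulus).to_bytes(IV_LEN, "big")
        out += hmac.new(k2, block, hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def siv_ctr_encrypt(k1: bytes, k2: bytes, message: bytes) -> bytes:
    """Deterministic: IV = F(k1, m), then CTR mode under k2 from that IV."""
    iv = f_siv(k1, message)
    return iv + _xor(message, f_ctr_keystream(k2, iv, len(message)))


def siv_ctr_decrypt(k1: bytes, k2: bytes, ciphertext: bytes):
    """Returns the message, or None when the recomputed IV does not match.

    Recomputing F(k1, m) and comparing it with the transmitted IV is the
    integrity check that makes SIV-CTR a DAE scheme 'for free'.
    """
    if len(ciphertext) < IV_LEN:
        return None
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    message = _xor(body, f_ctr_keystream(k2, iv, len(body)))
    if not hmac.compare_digest(f_siv(k1, message), iv):
        return None
    return message


if __name__ == "__main__":
    # Constructed sample keys and data.
    k1, k2 = b"K1" * 16, b"K2" * 16
    ct = siv_ctr_encrypt(k1, k2, b"user-id:4242")
    print(ct.hex())
    print(siv_ctr_decrypt(k1, k2, ct))
    tampered = ct[:-1] + bytes([ct[-1] ^ 1])
    print(siv_ctr_decrypt(k1, k2, tampered))  # None: the IV check fails
```

Encrypting the same message twice under the same keys yields the same ciphertext, which is what the encrypted-index use case needs; flipping any ciphertext bit changes the recovered message, so the recomputed F(k1, m) no longer equals the transmitted IV and decryption rejects.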
Construction 2: just use a PRP

Let (E, D) be a secure PRP.  E: K x X --> X

Thm: (E, D) is sem. sec. under det. CPA.

Proof sketch: let f: X --> X be a truly random invertible func.
    in EXP(0) adv. sees:  f(m_{1,0}), ..., f(m_{q,0})   }  q random values in X
    in EXP(1) adv. sees:  f(m_{1,1}), ..., f(m_{q,1})   }

Using AES: Det. CPA secure encryption for 16 byte messages.
Longer messages??  need PRPs on larger msg spaces ...
EME: constructing a wide block PRP

Let (E, D) be a secure PRP.  E: K x {0,1}^n --> {0,1}^n

EME: a PRP on {0,1}^N for N >> n

Performance:
    can be 2x slower than SIV

    [diagram: input blocks x[0] x[1] x[2] go through a layer of E calls,
     a mixing layer of XORs, and a second layer of E calls to give y[0] y[1] y[2]]
PRP-based Det. Authenticated Enc.

Goal: det. CPA security and ciphertext integrity
    DAE: deterministic authenticated encryption

Encryption:   message || 0^80   -->  E(k, .)  -->  ciphertext
Decryption:   ciphertext        -->  D(k, .)  -->  message || ...
              if the trailing bits = 0^80, output message
PRP-based Det. Authenticated Enc.

Let (E, D) be a secure PRP.  E: K x (X x {0,1}^n) --> X x {0,1}^n

Thm: 1/2^n is negligible  ==>  PRP-based enc. provides DAE

Proof sketch: suffices to prove ciphertext integrity

    Adv.                                   Chal.
                                           pi <-- Perms[X x {0,1}^n]
    ---  x_1, ..., x_q in X  -->
    <--  pi(x_1 || 0^n), ..., pi(x_q || 0^n)  ---
    ---  c not in { pi(x_1 || 0^n), ..., pi(x_q || 0^n) }  -->

    But then  Pr[ LSB_n( pi^{-1}(c) ) = 0^n ]  <=  1/2^n
End of Segment


Odds and ends

Tweakable encryption
Disk encryption: no expansion

Sectors on disk are fixed size (e.g. 4KB)
  - encryption cannot expand plaintext (i.e. M = C)
  - must use deterministic encryption, no integrity

Lemma: if (E, D) is a det. CPA secure cipher with M = C
       then (E, D) is a PRP.

==> every sector will need to be encrypted with a PRP
Problem: sector 1 and sector 3 may have same content
  - Leaks same information as ECB mode

Can we do better?

    sector 1     sector 2     sector 3
    PRP(k, .)    PRP(k, .)    PRP(k, .)
    sector 1     sector 2     sector 3
Avoids previous leakage problem
    ... but attacker can tell if a sector is changed and then reverted

Managing keys: the trivial construction  k_t = PRF(k, t),  t = 1, ..., L

    sector 1      sector 2      sector 3
    PRP(k1, .)    PRP(k2, .)    PRP(k3, .)
    sector 1      sector 2      sector 3

Can we do better?
Tweakable block ciphers

Goal: construct many PRPs from a key k in K.

Syntax:  E, D : K x T x X --> X
    for every t in T and k <-- K:
        E(k, t, .) is an invertible func. on X, indist. from random

Application: use sector number as the tweak
    ==> every sector gets its own independent PRP
Secure tweakable block ciphers

E, D : K x T x X --> X.  For b = 0,1 define experiment EXP(b) as:

    Chal. b                                    Adv. A
    b=0: k <-- K,  pi[t] <-- E(k, t, .)
    b=1: pi <-- (Perms[X])^|T|
                  <--  t_1, x_1  ---
                  ---  pi[t_1](x_1)  -->
                  <--  t_2, x_2  ...  t_q, x_q  ---
                  ---  pi[t_2](x_2)  ...  pi[t_q](x_q)  -->
                                               b' in {0,1}

Def: E is a secure tweakable PRP if for all efficient A:
    Adv_TPRP[A, E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |  is negligible.
Example 1: the trivial construction

Let (E, D) be a secure PRP,  E: K x X --> X.

The trivial tweakable construction: (suppose K = X)

    E_tweak(k, t, x) = E( E(k, t), x )

==> to encrypt n blocks need 2n evals of E(., .)
2. the XTS tweakable block cipher [R'04]

Let (E, D) be a secure PRP,  E: K x {0,1}^n --> {0,1}^n.

XTS:  E_tweak( (k1, k2), (t, i), x ) =   [given as a diagram on the slide;
      it starts from  N <-- E(k2, t)  and the block x]

==> to encrypt n blocks need n+1 evals of E(., .)
Is it necessary to encrypt the tweak before using it?
That is, is the following a secure tweakable PRP?   [diagram on the slide]

  - No:  E(k, (t,1), (t,1)) xor E(k, (t,2), (t,2)) = (t,1) xor (t,2)
  - No:  E(k, (t,1), (t,2)) xor E(k, (t,2), (t,1)) = (t,1)
  - Yes, it is secure
  - No:  E(k, (t,1), (t,1)) xor E(k, (t,2), (t,2)) = 0
Disk encryption using XTS

note: block-level PRP, not sector-level PRP.

Popular in disk encryption products:
    Mac OS X-Lion, TrueCrypt, BestCrypt, ...

    sector # t:    block 1         block 2         ...    block n
                   tweak: (t,1)    tweak: (t,2)           tweak: (t,n)
Summary

  - Use tweakable encryption when you need many independent PRPs from one key
  - XTS is more efficient than the trivial construction
  - Both are narrow block: 16 bytes for AES
  - EME (previous segment) is a tweakable mode for wide block
        2x slower than XTS

End of Segment


Odds and ends

Format preserving encryption
Encrypting credit card numbers

Goal: end-to-end encryption
  - Intermediate processors expect to see a credit card number
        ==> encrypted credit card should look like a credit card

Credit card format:  bbbb bbnn nnnn nnnc   ( ≈ 42 bits )

    POS terminal (k)  -->  processor #1  -->  processor #2  -->  processor #3  -->  acquiring bank (k)
Format preserving encryption (FPE)

This segment: given 0 < s < 2^n, build a PRP on {0, ..., s-1}
    from a secure PRF  F: K x {0,1}^n --> {0,1}^n   (e.g. AES)

Then to encrypt a credit card number:   (s = total # credit cards)
  1. map given CC# to {0, ..., s-1}
  2. apply PRP to get an output in {0, ..., s-1}
  3. map output back to a CC#
Step 1: from {0,1}^n to {0,1}^t   (t < n)

Want PRP on {0, ..., s-1}.  Let t be such that 2^{t-1} < s < 2^t.

Method: Luby-Rackoff with  F': K x {0,1}^{t/2} --> {0,1}^{t/2}   (truncate F)

    [diagram: three Feistel rounds on halves of t/2 bits each]
    input (R0, L0)  --F'(k1, .)-->  (R1, L1)  --F'(k2, .)-->  (R2, L2)  --F'(k3, .)-->  output (R3, L3)

(better to use 7 rounds a la Patarin, Crypto'03)
Step 2: from {0,1}^t to {0, ..., s-1}

Given PRP  (E, D): K x {0,1}^t --> {0,1}^t
we build  (E', D'): K x {0, ..., s-1} --> {0, ..., s-1}

    E'(k, x): on input x in {0, ..., s-1} do:
        y <-- x,  do { y <-- E(k, y) } until y in {0, ..., s-1},  output y

    [diagram: {0, ..., s-1} sits inside {0,1}^t; E is applied repeatedly
     until the value lands back inside {0, ..., s-1}]

Expected # iterations: 2
SecurlLy
SLep 2 ls ughL: A 8: 8
adv
[A,L] = 8
adv
[8,L']

lnLuluon: seLs ? x, applylng Lhe Lransformauon Lo a
random perm. n: k" k
glves a random perm. n': "

SLep 1: same securlLy as Luby-8acko consLrucuon

noLe: no lnLegrlLy
(acLually uslng analysls of aLarln, CrypLo'03)
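Steps 1 and 2 above worked end to end, as an added example that is not code from the slides or from any library: a Luby-Rackoff PRP on {0,1}^t built from a truncated PRF, then cycle walking to a PRP on {0, ..., s-1}. The same wide-domain PRP is also what the PRP-based DAE of the deterministic-encryption segment needs (encrypt m || 0^n, reject on decryption unless the trailing n bits are zero), so that construction is included here rather than repeated with its own Feistel. HMAC-SHA256 is the PRF, the round count follows the slide's 7-round advice, and the subkey schedule, the 16-bit zero tag, the key and the sample values are my own assumptions; a production design would use AES and a standardized construction rather than this toy.

```python
import hashlib
import hmac

# Added example, not code from the slides: a Luby-Rackoff PRP on {0,1}^t from a
# truncated PRF F' (HMAC-SHA256 here), cycle walking to get a PRP on {0,...,s-1}
# (format preserving encryption), and the PRP-based DAE from the deterministic
# encryption segment, which uses the same PRP on the wide domain X x {0,1}^n.
# Round count, subkey schedule, tag width and sample values are my assumptions.

ROUNDS = 7       # the slide recommends 7 rounds (Patarin, Crypto'03)
TAG_BITS = 16    # n: zero bits appended by the PRP-based DAE (small for the demo)


def prf_trunc(key: bytes, x: int, width: int) -> int:
    """F'(key, x): HMAC-SHA256 of the `width`-bit value x, truncated to `width` bits."""
    nbytes = (width + 7) // 8
    digest = hmac.new(key, x.to_bytes(nbytes, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << width) - 1)


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """One independent subkey per round, derived from the single key."""
    return [hmac.new(key, b"round-key" + bytes([i]), hashlib.sha256).digest()
            for i in range(rounds)]


def feistel_encrypt(key: bytes, x: int, t: int) -> int:
    """Luby-Rackoff PRP on {0,1}^t (t even): (L, R) -> (R, L xor F'(k_i, R))."""
    half = t // 2
    left, right = x >> half, x & ((1 << half) - 1)
    for rk in round_keys(key):
        left, right = right, left ^ prf_trunc(rk, right, half)
    return (left << half) | right


def feistel_decrypt(key: bytes, y: int, t: int) -> int:
    """Inverse permutation: undo the rounds in reverse order."""
    half = t // 2
    left, right = y >> half, y & ((1 << half) - 1)
    for rk in reversed(round_keys(key)):
        left, right = right ^ prf_trunc(rk, left, half), left
    return (left << half) | right


def bits_for_domain(s: int) -> int:
    """Smallest even t with s <= 2^t, so both Feistel halves have t/2 bits."""
    t = max(2, (s - 1).bit_length())
    return t + (t % 2)


def fpe_encrypt(key: bytes, x: int, s: int) -> int:
    """E'(k, x): apply the PRP on {0,1}^t until the value lands in {0,...,s-1}."""
    if not 0 <= x < s:
        raise ValueError("x must lie in {0,...,s-1}")
    t = bits_for_domain(s)
    y = feistel_encrypt(key, x, t)
    while y >= s:                 # cycle walking: about 2 iterations expected
        y = feistel_encrypt(key, y, t)
    return y


def fpe_decrypt(key: bytes, y: int, s: int) -> int:
    """D'(k, y): walk the same cycle backwards until re-entering {0,...,s-1}."""
    if not 0 <= y < s:
        raise ValueError("y must lie in {0,...,s-1}")
    t = bits_for_domain(s)
    x = feistel_decrypt(key, y, t)
    while x >= s:
        x = feistel_decrypt(key, x, t)
    return x


def prp_dae_encrypt(key: bytes, message: bytes) -> bytes:
    """E(k, m || 0^n) with the wide-block PRP: deterministic and authenticated."""
    t = 8 * len(message) + TAG_BITS
    y = feistel_encrypt(key, int.from_bytes(message, "big") << TAG_BITS, t)
    return y.to_bytes(t // 8, "big")


def prp_dae_decrypt(key: bytes, ciphertext: bytes):
    """D(k, c); accept only if the trailing n bits are all zero, else None."""
    t = 8 * len(ciphertext)
    if t < TAG_BITS:
        return None
    x = feistel_decrypt(key, int.from_bytes(ciphertext, "big"), t)
    if x & ((1 << TAG_BITS) - 1):
        return None
    return (x >> TAG_BITS).to_bytes((t - TAG_BITS) // 8, "big")


if __name__ == "__main__":
    key = b"demo-key"   # constructed
    s = 10**9           # e.g. a 9-digit account-number space
    c = fpe_encrypt(key, 123456789, s)
    print(c, fpe_decrypt(key, c, s))
```

Because every Feistel network is a permutation regardless of its round function, cycle walking restricted to {0, ..., s-1} is itself a permutation of that set, which is what the bijection check in a test of this code verifies; the 16-bit tag makes a forged ciphertext pass the DAE check with probability about 1/2^16, matching the 1/2^n bound from the slides.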
Further reading

Cryptographic Extraction and Key Derivation: The HKDF Scheme.
    H. Krawczyk, Crypto 2010
Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem.
    P. Rogaway, T. Shrimpton, Eurocrypt 2006
A Parallelizable Enciphering Mode.
    S. Halevi, P. Rogaway, CT-RSA 2004
Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC.
    P. Rogaway, Asiacrypt 2004
How to Encipher Messages on a Small Domain: Deterministic Encryption and the Thorp Shuffle.
    B. Morris, P. Rogaway, T. Stegers, Crypto 2009

End of Segment
