Key Derivation
Online Cryptography Course, Dan Boneh

Deriving many keys from one
Typical scenario: a single source key (SK) is sampled from:
  - a hardware random number generator
  - a key exchange protocol (discussed later)
Need many keys to secure a session: unidirectional keys; multiple keys for nonce-based CBC.
Goal: generate many keys from this one source key SK: k1, k2, k3, ...

When the source key is uniform
F: a PRF with key space K and outputs in {0,1}^n
Suppose the source key SK is uniform in K.
Define the key derivation function (KDF) as:
  KDF(SK, CTX, L) := F(SK, (CTX || 0)) || F(SK, (CTX || 1)) || ... || F(SK, (CTX || L))
CTX: a string that uniquely identifies the application.

Quiz: What is the purpose of CTX?
  - Even if two apps sample the same SK they get independent keys  (correct)
  - It's good practice to label strings with the app name
  - It serves no purpose

What if the source key is not uniform?
Recall: PRFs are pseudorandom only when the key is uniform in K.
SK not uniform ⇒ PRF output may not look random.
The source key is often not uniformly random:
  - key exchange protocol: key uniform in some subset of K
  - hardware RNG: may produce biased output

Extract-then-Expand paradigm
Step 1: extract a pseudorandom key k from the source key SK
  [figure: a non-uniform distribution over SK goes through an extractor keyed by a salt and comes out as a (close to) uniform distribution over k]
  salt: a fixed non-secret string chosen at random
Step 2: expand k by using it as a PRF key as before

HKDF: a KDF from HMAC
Implements the extract-then-expand paradigm:
  extract: use k ← HMAC(salt, SK)
  then expand using HMAC as a PRF with key k

Password-Based KDF (PBKDF)
Deriving keys from passwords:
  - Do not use HKDF: passwords have insufficient entropy
  - Derived keys will be vulnerable to dictionary attacks
PBKDF defenses: salt and a slow hash function
Standard approach: PKCS#5 (PBKDF1): H^(c)(pwd || salt): iterate the hash function c times
(more on this later)
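An added example (not from the slides) of extract-then-expand in Go with HMAC-SHA256, checked against RFC 5869 test case 1 so that the two steps are verifiably HKDF. The per-direction session-key labels, the salt, the source key and the wordlist are constructed for this example. It also shows the point of the PBKDF slide: when the "source key" is a password and the salt and CTX are public, anyone can re-derive the key for each guess from a wordlist.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hkdfExtract is the extract step: PRK <- HMAC(salt, SK). The public salt is
// the HMAC key and the (possibly non-uniform) source key SK is the message.
func hkdfExtract(salt, sk []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869: missing salt = HashLen zero bytes
	}
	mac := hmac.New(sha256.New, salt)
	mac.Write(sk)
	return mac.Sum(nil)
}

// hkdfExpand is the expand step: PRK is now a uniform PRF key and the output
// is T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || CTX || i).
// CTX is the application label from the slides (RFC 5869 calls it "info").
func hkdfExpand(prk, ctx []byte, length int) []byte {
	if length > 255*sha256.Size {
		panic("hkdf: requested length too large for one expand")
	}
	var out, prev []byte
	for i := 1; len(out) < length; i++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(ctx)
		mac.Write([]byte{byte(i)})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// hkdf is extract-then-expand in one call.
func hkdf(salt, sk, ctx []byte, length int) []byte {
	return hkdfExpand(hkdfExtract(salt, sk), ctx, length)
}

// sessionKeys derives the unidirectional keys the slides ask for from one
// source key; distinct CTX labels give independent keys even when two
// applications happen to share SK.
func sessionKeys(salt, sk []byte, app string) (clientToServer, serverToClient []byte) {
	clientToServer = hkdf(salt, sk, []byte(app+"/client->server"), 32)
	serverToClient = hkdf(salt, sk, []byte(app+"/server->client"), 32)
	return
}

// rfc5869TestCase1OK checks both steps against RFC 5869 test case 1 (SHA-256).
func rfc5869TestCase1OK() bool {
	ikm := bytes.Repeat([]byte{0x0b}, 22)
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	info, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	wantPRK, _ := hex.DecodeString("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
	wantOKM, _ := hex.DecodeString("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")
	prk := hkdfExtract(salt, ikm)
	return bytes.Equal(prk, wantPRK) && bytes.Equal(hkdfExpand(prk, info, 42), wantOKM)
}

// dictionaryAttack is why HKDF must not be fed a password: with the public
// salt and CTX an attacker re-derives the key for every candidate and
// compares. Returns the recovered password, or "" if none matched.
func dictionaryAttack(target, salt, ctx []byte, candidates []string) string {
	for _, pw := range candidates {
		if hmac.Equal(hkdf(salt, []byte(pw), ctx, len(target)), target) {
			return pw
		}
	}
	return ""
}

func main() {
	fmt.Println("RFC 5869 test case 1:", rfc5869TestCase1OK())
	sk := []byte("constructed source key from a key exchange") // constructed
	salt := []byte("public-salt")                               // constructed
	c2s, s2c := sessionKeys(salt, sk, "demo-app")
	fmt.Printf("client->server %x...\nserver->client %x...\n", c2s[:8], s2c[:8])
	ctx := []byte("demo-app/file-key")
	leaked := hkdf(salt, []byte("hunter2"), ctx, 32) // password used as SK
	fmt.Println("recovered password:", dictionaryAttack(leaked, salt, ctx, []string{"password", "letmein", "hunter2"}))
}
```

The extract step makes the salt the HMAC key, not the message, which matches both the slide and RFC 5869; the order matters because the salt is public and SK is the secret being condensed.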
End of Segment

Odds and ends: Deterministic Encryption

The need for deterministic encryption (no nonce)
  [figure: a client holding keys k1, k2 stores "Alice data" and "Bob data" in an encrypted database, each record indexed by an encrypted key]
  Later: retrieve record E(k1, "Alice") ⇒ Alice's data
Deterministic encryption enables later lookup.

Problem: deterministic encryption cannot be CPA secure
The problem: the attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information.
Leads to significant attacks when the message space M is small (equal ciphertexts mean the same index).
Attack in the CPA game (Chal. picks k ← K and a bit b):
  Adv. sends m0, m0 ∈ M, receives c0 ← E(k, m0)
  Adv. sends m0, m1 ∈ M, receives c ← E(k, m_b)
  Adv. outputs 0 if c = c0, else 1
The attacker wins the CPA game.

A solution: the case of unique messages
Suppose the encryptor never encrypts the same message twice: the pair (k, m) never repeats.
This happens when the encryptor:
  - chooses messages at random from a large message space (e.g. keys)
  - message structure ensures uniqueness (e.g. a unique user ID)

Deterministic CPA security
E = (E, D) a cipher defined over (K, M, C). For b = 0, 1 define EXP(b) as:
  Chal. picks k ← K
  for i = 1, ..., q:
    Adv. sends m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}|
    Chal. replies c_i ← E(k, m_{i,b})
  where m_{1,0}, ..., m_{q,0} are distinct and m_{1,1}, ..., m_{q,1} are distinct
  Adv. outputs b' ∈ {0,1}
Def: E is semantically secure under deterministic CPA if for all efficient A:
  Adv_dCPA[A, E] = | Pr[EXP(0) = 1] − Pr[EXP(1) = 1] | is negligible.

A common mistake: CBC with a fixed IV is not det. CPA secure
Let E: K × {0,1}^n → {0,1}^n be a secure PRP used in CBC with a fixed IV (FIV).
  Adv. sends m0 = 0^n, m1 = 1^n, receives c ← [FIV, E(k, 0^n ⊕ FIV)] = [FIV, E(k, FIV)]  or  c ← [FIV, E(k, 1^n ⊕ FIV)]
  Adv. sends m0 = m1 = 0^n || 1^n, receives c1 ← [FIV, E(k, 0^n ⊕ FIV), ...]
  Adv. outputs 0 if c[1] = c1[1], else 1
Leads to significant attacks in practice.

Quiz: Is counter mode with a fixed IV det. CPA secure?
  - Yes
  - No  (correct)
  - It depends
Ciphertext = message ⊕ ( F(k, FIV) || F(k, FIV+1) || ... || F(k, FIV+L) )
Attack:
  Adv. sends m0, m1, receives c' ← m_b ⊕ F(k, FIV)
  Adv. sends m, m (a fresh message m), receives c ← m ⊕ F(k, FIV)
  Adv. outputs 0 if c ⊕ c' = m ⊕ m0, else 1

End of Segment

Odds and ends: Deterministic Encryption Constructions: SIV and wide PRP

Deterministic encryption is needed for maintaining an encrypted database index: look up records by encrypted index.
Deterministic CPA security: security if we never encrypt the same message twice using the same key: the pair (key, msg) is unique.
Formally: we defined the deterministic CPA security game.
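Before the constructions, an added example (not from the slides) that runs the deterministic CPA game from the previous segment against the two mistaken schemes shown there, CTR and CBC with a fixed IV, using AES as the PRF/PRP. The challenger, the two attackers and the advantage estimator are this example's own code; the query messages are constructed, and each attacker keeps the game's distinctness rule (all left-hand messages distinct, all right-hand messages distinct).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fixedIV is the fixed, public IV that the mistaken schemes reuse for every message.
var fixedIV = make([]byte, aes.BlockSize)

// ctrFixedIV: ciphertext = msg xor (F(k,FIV) || F(k,FIV+1) || ...), F = AES.
func ctrFixedIV(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(msg))
	cipher.NewCTR(block, fixedIV).XORKeyStream(out, msg)
	return out
}

// cbcFixedIV: CBC with the fixed IV (msg must be whole blocks); block 1 is E(k, m[1] xor FIV).
func cbcFixedIV(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, msg)
	return out
}

// challenger plays EXP(b): every query (m0, m1) is answered with E(k, m_b).
type challenger struct {
	b   int
	key []byte
	enc func(key, msg []byte) []byte
}

func (c *challenger) query(m0, m1 []byte) []byte {
	if c.b == 0 {
		return c.enc(c.key, m0)
	}
	return c.enc(c.key, m1)
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// attackCTR: c' = m_b xor pad and c = m xor pad for a fresh m, so
// c xor c' = m xor m_b, which equals m xor m0 exactly when b = 0.
func attackCTR(c *challenger) int {
	m0 := bytes.Repeat([]byte{0x00}, 16)
	m1 := bytes.Repeat([]byte{0xff}, 16)
	cPrime := c.query(m0, m1)
	m := bytes.Repeat([]byte{0x42}, 16)
	cc := c.query(m, m)
	if bytes.Equal(xor(cc, cPrime), xor(m, m0)) {
		return 0
	}
	return 1
}

// attackCBC: first query (0^n, 1^n), then (0^n||1^n, 0^n||1^n); the first
// ciphertext blocks agree exactly when b = 0 (E is a permutation).
func attackCBC(c *challenger) int {
	zeros := bytes.Repeat([]byte{0x00}, 16)
	ones := bytes.Repeat([]byte{0xff}, 16)
	both := append(append([]byte{}, zeros...), ones...)
	c1 := c.query(zeros, ones)
	c2 := c.query(both, both)
	if bytes.Equal(c1[:16], c2[:16]) {
		return 0
	}
	return 1
}

// advantage estimates |Pr[EXP(0)=1] - Pr[EXP(1)=1]| over fresh random keys.
func advantage(enc func(key, msg []byte) []byte, attack func(*challenger) int, trials int) float64 {
	var wins [2]int
	for b := 0; b < 2; b++ {
		for i := 0; i < trials; i++ {
			key := make([]byte, 16)
			if _, err := rand.Read(key); err != nil {
				panic(err)
			}
			wins[b] += attack(&challenger{b: b, key: key, enc: enc})
		}
	}
	p0 := float64(wins[0]) / float64(trials)
	p1 := float64(wins[1]) / float64(trials)
	if p0 > p1 {
		return p0 - p1
	}
	return p1 - p0
}

func main() {
	fmt.Printf("fixed-IV CTR: det-CPA advantage %.2f\n", advantage(ctrFixedIV, attackCTR, 100))
	fmt.Printf("fixed-IV CBC: det-CPA advantage %.2f\n", advantage(cbcFixedIV, attackCBC, 100))
}
```

Both attackers are deterministic given the bit, so the measured advantage is exactly 1: the schemes are deterministic, yet fail deterministic CPA security, which is why the constructions that follow derive the IV from the message instead of fixing it.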
Construction 1: Synthetic IV (SIV)
Let (E, D) be a CPA-secure encryption, E(k, m, r) → c (r is the encryption randomness).
Let F: K × M → R be a secure PRF.
Define: E_det( (k1, k2), m ) = [ r ← F(k1, m); c ← E(k2, m, r); output c ]
Thm: E_det is semantically secure under det. CPA.
Proof sketch: distinct messages ⇒ all r's are indistinguishable from random ⇒ the CPA security of E applies.
Well suited for messages longer than one AES block (16 bytes).
Ensuring ciphertext integrity
Goal: det. CPA security and ciphertext integrity ⇒ DAE: deterministic authenticated encryption
Consider a SIV special case: SIV-CTR: SIV where the cipher is counter mode with a random IV.
  Encryption: IV ← F(k1, message); ciphertext ← IV || ( message ⊕ ( F_ctr(k2, IV) || F_ctr(k2, IV+1) || ... || F_ctr(k2, IV+L) ) )

Det. Auth. Enc. (DAE) for free
  Decryption: parse the ciphertext as IV || body; message ← body ⊕ ( F_ctr(k2, IV) || ... || F_ctr(k2, IV+L) ); if F(k1, message) = IV output message, else output ⊥
Thm: if F is a secure PRF and CTR from F_ctr is CPA-secure then SIV-CTR from F, F_ctr provides DAE.
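An added example (not part of the slides) of SIV-CTR in Go. The PRF F is instantiated, as an assumption the slides do not make, by HMAC-SHA256 truncated to one AES block, and F_ctr is AES in counter mode. The keys and the database index values are constructed. Decryption recomputes F(k1, m) and compares it with the transmitted IV, which is the "DAE for free" check the theorem relies on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

var errAuth = errors.New("siv-ctr: authentication failed")

// sivIV is the PRF F(k1, m) of the slides, instantiated (an assumption) as
// HMAC-SHA256 truncated to one AES block so it can serve as the CTR IV.
func sivIV(k1, msg []byte) []byte {
	mac := hmac.New(sha256.New, k1)
	mac.Write(msg)
	return mac.Sum(nil)[:aes.BlockSize]
}

// ctrXOR applies the keystream F_ctr(k2,IV) || F_ctr(k2,IV+1) || ... with AES.
func ctrXOR(k2, iv, in []byte) []byte {
	block, err := aes.NewCipher(k2)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// sivCTREncrypt: IV <- F(k1, m); output IV || CTR_{k2}(IV, m).
// Deterministic: the same (k1, k2, m) always yields the same ciphertext.
func sivCTREncrypt(k1, k2, msg []byte) []byte {
	iv := sivIV(k1, msg)
	out := make([]byte, 0, len(iv)+len(msg))
	out = append(out, iv...)
	return append(out, ctrXOR(k2, iv, msg)...)
}

// sivCTRDecrypt recovers m under the transmitted IV, recomputes F(k1, m) and
// accepts only if it equals the IV; a forged or modified ciphertext is rejected.
func sivCTRDecrypt(k1, k2, ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, errAuth
	}
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	msg := ctrXOR(k2, iv, body)
	if !hmac.Equal(sivIV(k1, msg), iv) {
		return nil, errAuth
	}
	return msg, nil
}

// tamperDetected flips every bit of a valid ciphertext in turn, and also
// truncates it, returning true only if decryption rejects every variant.
func tamperDetected(k1, k2, msg []byte) bool {
	ct := sivCTREncrypt(k1, k2, msg)
	for i := range ct {
		for bit := 0; bit < 8; bit++ {
			bad := append([]byte(nil), ct...)
			bad[i] ^= byte(1) << uint(bit)
			if _, err := sivCTRDecrypt(k1, k2, bad); err == nil {
				return false
			}
		}
	}
	_, err := sivCTRDecrypt(k1, k2, ct[:len(ct)-1])
	return err != nil
}

func main() {
	k1 := bytes.Repeat([]byte{0x01}, 32) // constructed demo keys; use random keys in practice
	k2 := bytes.Repeat([]byte{0x02}, 16)
	idx := []byte("alice@example.com") // constructed database index value
	c1 := sivCTREncrypt(k1, k2, idx)
	c2 := sivCTREncrypt(k1, k2, idx)
	fmt.Println("same index, same ciphertext (lookup works):", bytes.Equal(c1, c2))
	m, err := sivCTRDecrypt(k1, k2, c1)
	fmt.Printf("decrypt: %q err=%v\n", m, err)
	fmt.Println("every single-bit change rejected:", tamperDetected(k1, k2, idx))
}
```

A bit flip in the IV changes the keystream and also can never match the recomputed F(k1, m); a flip in the body changes m, so F(k1, m) no longer equals the IV except with negligible probability. The comparison uses hmac.Equal so the check does not leak through timing.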
Construction 2: just use a PRP
Let (E, D) be a secure PRP, E: K × X → X.
Thm: (E, D) is semantically secure under det. CPA.
Proof sketch: let f: X → X be a truly random invertible function.
  In EXP(0) the adversary sees: f(m_{1,0}), ..., f(m_{q,0})
  In EXP(1) the adversary sees: f(m_{1,1}), ..., f(m_{q,1})
  ⇒ in both cases, q random values in X
Using AES: det. CPA secure encryption for 16 byte messages.
Longer messages?? Need PRPs on larger message spaces ...

EME: constructing a wide block PRP
Let (E, D) be a secure PRP, E: K × {0,1}^n → {0,1}^n.
EME: a PRP on {0,1}^N for N ≫ n.
Performance: can be 2x slower than SIV.
  [figure: EME on three blocks x[0], x[1], x[2] → y[0], y[1], y[2]: two layers of block-cipher calls E with XOR masking between them]

PRP-based Det. Authenticated Enc.
Goal: det. CPA security and ciphertext integrity ⇒ DAE: deterministic authenticated encryption
  Encryption: ciphertext ← E(k, message || 0^80)
  Decryption: message || tag ← D(k, ciphertext); if tag = 0^80 output message, else output ⊥
Let (E, D) be a secure PRP, E: K × (X × {0,1}^n) → X × {0,1}^n.
Thm: 1/2^n negligible ⇒ PRP-based enc. provides DAE.
Proof sketch: suffices to prove ciphertext integrity.
  Chal. picks π ← Perms[X × {0,1}^n]
  Adv. sends x1, ..., xq ∈ X, receives π(x1 || 0^n), ..., π(xq || 0^n)
  Adv. outputs c ∉ { π(x1 || 0^n), ..., π(xq || 0^n) }
  But then Pr[ LSB_n( π^{-1}(c) ) = 0^n ] ≤ 1/2^n

End of Segment

Odds and ends: Tweakable encryption

Disk encryption: no expansion
Sectors on disk are fixed size (e.g. 4KB) ⇒ encryption cannot expand the plaintext (i.e. M = C) ⇒ must use deterministic encryption, no integrity.
Lemma: if (E, D) is a det. CPA secure cipher with M = C then (E, D) is a PRP.
⇒ every sector will need to be encrypted with a PRP.

Problem: sector 1 and sector 3 may have the same content ⇒ leaks the same information as ECB mode.
  [figure: sector 1, sector 2, sector 3 each encrypted with the same PRP(k, ·)]
Can we do better?

Managing keys: the trivial construction
  k_t = PRF(k, t), t = 1, ..., L
  [figure: sector 1, sector 2, sector 3 encrypted with PRP(k1, ·), PRP(k2, ·), PRP(k3, ·)]
Avoids the previous leakage problem ... but the attacker can tell if a sector is changed and then reverted.
Can we do better?

Tweakable block ciphers
Goal: construct many PRPs from a key k ∈ K.
Syntax: E, D: K × T × X → X
  for every t ∈ T and k ← K: E(k, t, ·) is an invertible function on X, indistinguishable from random.
Application: use the sector number as the tweak ⇒ every sector gets its own independent PRP.

Secure tweakable block ciphers
E, D: K × T × X → X. For b = 0, 1 define EXP(b) as:
  b = 1: π ← (Perms[X])^{|T|}  (an independent random permutation for every tweak)
  b = 0: k ← K, π[t] ← E(k, t, ·)
  Adv. sends (t1, x1), ..., (tq, xq), receives π[t1](x1), ..., π[tq](xq), and outputs b' ∈ {0,1}
Def: E is a secure tweakable PRP if for all efficient A:
  Adv_TPRP[A, E] = | Pr[EXP(0) = 1] − Pr[EXP(1) = 1] | is negligible.

Example 1: the trivial construction
Let (E, D) be a secure PRP, E: K × X → X.
The trivial tweakable construction (suppose K = X):
  E_tweak(k, t, x) = E( E(k, t), x )
⇒ to encrypt n blocks need 2n evals of E(·,·).

Example 2: the XTS tweakable block cipher [R'04]
Let (E, D) be a secure PRP, E: K × {0,1}^n → {0,1}^n.
XTS: E_tweak( (k1, k2), (t, i), x ) = [ N ← E(k2, t); P ← N ⊗ α^i; output E(k1, x ⊕ P) ⊕ P ]
⇒ to encrypt n blocks need n+1 evals of E(·,·).

Quiz: Is it necessary to encrypt the tweak before using it? That is, is the following a secure tweakable PRP?
  E_tweak(k, (t, i), x) = E(k, x ⊕ (t, i)) ⊕ (t, i)
  - No: E(k, (t,1), (t,1)) ⊕ E(k, (t,2), (t,2)) = (t,1) ⊕ (t,2)  (correct)
  - No: E(k, (t,1), (t,2)) ⊕ E(k, (t,2), (t,1)) = (t,1)
  - Yes, it is secure
  - No: E(k, (t,1), (t,1)) ⊕ E(k, (t,2), (t,2)) = 0

Disk encryption using XTS
  [figure: sector number t; block 1 uses tweak (t,1), block 2 uses tweak (t,2), ..., block n uses tweak (t,n)]
Note: block-level PRP, not sector-level PRP.
Popular in disk encryption products: Mac OS X Lion, TrueCrypt, BestCrypt, ...

Summary
  - use tweakable encryption when you need many independent PRPs from one key
  - XTS is more efficient than the trivial construction
  - both are narrow block: 16 bytes for AES
  - EME (previous segment) is a tweakable mode for wide block; 2x slower than XTS

End of Segment
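An added example (not from the slides) of XTS over AES-128 in Go, following the slide's formula with N = E(k2, t), P = N ⊗ α^i and block index i counted from 1 (the IEEE P1619 standard counts from α^0, so this is the slide's indexing, not the standard's byte-exact layout). The encoding of the pair (t, i) as a 16-byte block, the keys and the sector contents are choices made for this example. It also implements the quiz's shortcut, which uses (t, i) as the mask without encrypting the tweak, and checks the relation from the correct answer against both.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

const blk = aes.BlockSize

func xorBlock(a, b []byte) []byte {
	out := make([]byte, blk)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// mulAlpha multiplies by alpha = x in GF(2^128) mod x^128+x^7+x^2+x+1,
// little-endian bit order as in XTS (byte 0 holds the lowest coefficients).
func mulAlpha(v []byte) []byte {
	out := make([]byte, blk)
	var carry byte
	for i := 0; i < blk; i++ {
		out[i] = v[i]<<1 | carry
		carry = v[i] >> 7
	}
	if carry != 0 {
		out[0] ^= 0x87
	}
	return out
}

// tweakBlock encodes (t, i) as one block: sector t in bytes 0-7, block index i
// in bytes 8-15 (an encoding chosen for this example).
func tweakBlock(t, i uint64) []byte {
	b := make([]byte, blk)
	binary.BigEndian.PutUint64(b[:8], t)
	binary.BigEndian.PutUint64(b[8:], i)
	return b
}

// xtsSector applies E_tweak((k1,k2),(t,i),x) to every block of a sector:
// N <- E(k2, t); P <- N * alpha^i; c <- E(k1, x xor P) xor P for i = 1..n.
// N is computed once, so n blocks cost n+1 block-cipher calls.
func xtsSector(k1, k2 []byte, t uint64, data []byte, decrypt bool) []byte {
	if len(data)%blk != 0 {
		panic("xts: sector must be whole blocks")
	}
	e1, err1 := aes.NewCipher(k1)
	e2, err2 := aes.NewCipher(k2)
	if err1 != nil || err2 != nil {
		panic("xts: bad key")
	}
	p := make([]byte, blk)
	e2.Encrypt(p, tweakBlock(t, 0)) // N = E(k2, t)
	out := make([]byte, len(data))
	for off := 0; off < len(data); off += blk {
		p = mulAlpha(p) // P = N * alpha^i, i = 1, 2, ... as on the slide
		tmp := xorBlock(data[off:off+blk], p)
		if decrypt {
			e1.Decrypt(tmp, tmp)
		} else {
			e1.Encrypt(tmp, tmp)
		}
		copy(out[off:], xorBlock(tmp, p))
	}
	return out
}

// xtsBlock exposes a single-block view E_tweak((k1,k2),(t,i),x) for the quiz check.
func xtsBlock(k1, k2 []byte) func(t, i uint64, x []byte) []byte {
	return func(t, i uint64, x []byte) []byte {
		sector := make([]byte, i*blk) // blocks 1..i-1 are zero padding
		copy(sector[(i-1)*blk:], x)
		return xtsSector(k1, k2, t, sector, false)[(i-1)*blk:]
	}
}

// badTweak is the quiz's shortcut: E(k, x xor (t,i)) xor (t,i), the tweak unencrypted.
func badTweak(k []byte) func(t, i uint64, x []byte) []byte {
	e, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	return func(t, i uint64, x []byte) []byte {
		p := tweakBlock(t, i)
		out := make([]byte, blk)
		e.Encrypt(out, xorBlock(x, p))
		return xorBlock(out, p)
	}
}

// quizRelationHolds checks E(k,(t,1),(t,1)) xor E(k,(t,2),(t,2)) == (t,1) xor (t,2).
// With badTweak the inner cipher input is 0^n both times, so it holds for every
// key (independent random permutations satisfy it with probability ~2^-128);
// with the secret masks of XTS it does not.
func quizRelationHolds(enc func(t, i uint64, x []byte) []byte, t uint64) bool {
	p1, p2 := tweakBlock(t, 1), tweakBlock(t, 2)
	return bytes.Equal(xorBlock(enc(t, 1, p1), enc(t, 2, p2)), xorBlock(p1, p2))
}

func main() {
	k1, k2 := bytes.Repeat([]byte{0xA1}, 16), bytes.Repeat([]byte{0xB2}, 16) // constructed keys
	sector := bytes.Repeat([]byte("sector-7-block--"), 4)                     // constructed 64-byte sector
	ct := xtsSector(k1, k2, 7, sector, false)
	fmt.Println("roundtrip:", bytes.Equal(xtsSector(k1, k2, 7, ct, true), sector))
	fmt.Println("shortcut satisfies quiz relation:", quizRelationHolds(badTweak(k1), 7))
	fmt.Println("XTS satisfies quiz relation:", quizRelationHolds(xtsBlock(k1, k2), 7))
}
```

Because XTS is a block-level PRP, changing one plaintext block of a sector changes only the corresponding ciphertext block; the sector as a whole is not a PRP, which is exactly the "changed and then reverted" leakage the slide notes, and what EME's wide-block PRP addresses.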
Odds and ends: Format preserving encryption

Encrypting credit card numbers
Goal: end-to-end encryption
  [figure: POS terminal → processor #1 → processor #2 → processor #3 → acquiring bank; only the terminal and the acquiring bank hold the key k]
Intermediate processors expect to see a credit card number ⇒ the encrypted credit card should look like a credit card.
Credit card format: bbbb bbnn nnnn nnnc  (≈ 42 bits)

Format preserving encryption (FPE)
This segment: given 0 < s ≤ 2^n, build a PRP on {0, ..., s−1} from a secure PRF F: K × {0,1}^n → {0,1}^n (e.g. AES).
Then to encrypt a credit card number (s = total number of credit cards):
  1. map the given CC# to {0, ..., s−1}
  2. apply the PRP to get an output in {0, ..., s−1}
  3. map the output back to a CC#

Step 1: from {0,1}^n to {0,1}^t (t < n)
Want a PRP on {0, ..., s−1}. Let t be such that 2^{t−1} < s ≤ 2^t.
Method: Luby-Rackoff with F': K × {0,1}^{t/2} → {0,1}^{t/2} (truncate F)
  [figure: three-round Feistel network; input (R0, L0), each half t/2 bits; round functions F'(k1, ·), F'(k2, ·), F'(k3, ·); output (R3, L3)]
  (better to use 7 rounds à la Patarin, Crypto'03)

Step 2: from {0,1}^t to {0, ..., s−1}
Given a PRP (E, D): K × {0,1}^t → {0,1}^t
we build (E', D'): K × {0, ..., s−1} → {0, ..., s−1}
  E'(k, x): on input x ∈ {0, ..., s−1} do:
    y ← x; do { y ← E(k, y) } until y ∈ {0, ..., s−1}; output y
  [figure: the set {0, ..., s−1} sitting inside {0,1}^t; E walks the value around a cycle until it lands back in the set]
Expected number of iterations: 2  (since s > 2^{t−1}, each step lands in the set with probability > 1/2)
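An added example (not from the slides) that carries steps 1 and 2 through in Go with AES: a 7-round Feistel PRP on {0,1}^t with a truncated AES PRF, cycle walking down to {0, ..., s−1}, and the three-step credit card mapping from the FPE slide with s = 10^9 account digits. Assumptions made here: one AES key is domain-separated by round number instead of the slide's independent round keys; the 6-digit BIN prefix is kept in the clear and the Luhn check digit is recomputed so the output parses as a card number; the key and the card number are constructed (4111 1111 1111 1111 is a standard Luhn-valid test number).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math/bits"
	"strconv"
	"strings"
)

const rounds = 7 // the slides recommend 7 Feistel rounds (Patarin) rather than 3

// fpe is a PRP on {0, ..., s-1}: a t-bit Luby-Rackoff PRP (step 1) plus
// cycle walking down to the s-element set (step 2).
type fpe struct {
	block cipher.Block
	s     uint64
	t     uint // 2^(t-1) < s <= 2^t, rounded up to even so both halves are t/2 bits
	half  uint
}

func newFPE(key []byte, s uint64) *fpe {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	t := uint(bits.Len64(s - 1)) // smallest t with s <= 2^t
	if t%2 == 1 {
		t++
	}
	return &fpe{block: b, s: s, t: t, half: t / 2}
}

// prf is F'(k_i, x): AES truncated to t/2 bits. The slides use one key per
// round; here (an assumption) a single key is domain-separated by the round number.
func (f *fpe) prf(round int, x uint64) uint64 {
	in, out := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	in[0] = byte(round)
	binary.BigEndian.PutUint64(in[8:], x)
	f.block.Encrypt(out, in)
	return binary.BigEndian.Uint64(out[8:]) & (uint64(1)<<f.half - 1)
}

// feistel is the t-bit PRP E (decrypt=false) or its inverse D (decrypt=true):
// each round maps (L, R) to (R, L xor F'(R)); the halves are swapped at the end.
func (f *fpe) feistel(x uint64, decrypt bool) uint64 {
	mask := uint64(1)<<f.half - 1
	l, r := x>>f.half, x&mask
	for i := 0; i < rounds; i++ {
		rd := i
		if decrypt {
			rd = rounds - 1 - i
		}
		l, r = r, l^f.prf(rd, r)
	}
	return r<<f.half | l
}

// encrypt is E'(k, x): apply E until the value lands in {0, ..., s-1}.
// Since s > 2^(t-1) each step succeeds with probability > 1/2 (about 2 steps).
func (f *fpe) encrypt(x uint64) uint64 {
	for y := f.feistel(x, false); ; y = f.feistel(y, false) {
		if y < f.s {
			return y
		}
	}
}

// decrypt is D'(k, y): walk the same cycle backwards with D until back in the set.
func (f *fpe) decrypt(y uint64) uint64 {
	for x := f.feistel(y, true); ; x = f.feistel(x, true) {
		if x < f.s {
			return x
		}
	}
}

// luhnCheckDigit returns the check digit for the digits that precede it.
func luhnCheckDigit(digits string) byte {
	sum, double := 0, true
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return byte('0' + (10-sum%10)%10)
}

func luhnValid(cc string) bool { return len(cc) == 16 && luhnCheckDigit(cc[:15]) == cc[15] }

// cardTransform keeps the 6-digit BIN ("bbbb bb" of the slide's format), maps the
// 9 account digits to {0, ..., 10^9-1}, applies E' or D' (f must use s = 10^9),
// maps back, and recomputes the Luhn check digit so the result is still a card number.
func cardTransform(f *fpe, cc string, decrypt bool) string {
	digits := strings.ReplaceAll(cc, " ", "")
	if len(digits) != 16 {
		panic("fpe: expected a 16-digit card number")
	}
	mid, err := strconv.ParseUint(digits[6:15], 10, 64)
	if err != nil {
		panic(err)
	}
	if decrypt {
		mid = f.decrypt(mid)
	} else {
		mid = f.encrypt(mid)
	}
	body := digits[:6] + fmt.Sprintf("%09d", mid)
	return body + string(luhnCheckDigit(body))
}

func main() {
	f := newFPE([]byte("constructed-16B!"), 1000000000) // constructed key; s = 10^9
	enc := cardTransform(f, "4111 1111 1111 1111", false)
	fmt.Println("encrypted:", enc, "luhn ok:", luhnValid(enc))
	fmt.Println("decrypted:", cardTransform(f, enc, true))
}
```

As the slides note, this gives no integrity: any 16-digit Luhn-valid string decrypts to some account number, so a processor in the middle cannot detect substitution.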
Security
Step 2 is tight: ∀A ∃B: PRP_adv[A, E] = PRP_adv[B, E']
  Intuition: for sets Y ⊆ X, applying the transformation to a random permutation π: X → X gives a random permutation π': Y → Y.
Step 1: same security as the Luby-Rackoff construction (actually using the analysis of Patarin, Crypto'03)
Note: no integrity.

Further reading
  - Cryptographic Extraction and Key Derivation: The HKDF Scheme. H. Krawczyk, Crypto 2010
  - Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem. P. Rogaway, T. Shrimpton, Eurocrypt 2006
  - A Parallelizable Enciphering Mode. S. Halevi, P. Rogaway, CT-RSA 2004
  - Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. P. Rogaway, Asiacrypt 2004
  - How to Encipher Messages on a Small Domain: Deterministic Encryption and the Thorp Shuffle. B. Morris, P. Rogaway, T. Stegers, Crypto 2009

End of Segment