Professional Documents
Culture Documents
Introduction
Course Overview
Dan Boneh
Welcome
Course objectives:
• Learn how crypto primitives work
• Learn how to use them correctly and reason about security
My recommendations:
• Take notes
• Pause video frequently to think about the material
• Answer the in-video questions
Dan Boneh
Cryptography is everywhere
Secure communication:
– web traffic: HTTPS
– wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
User authentication
no eavesdropping
no tampering
Dan Boneh
Secure Sockets Layer / TLS
Two main parts
Dan Boneh
Protected files on disk
Disk
No eavesdropping
No tampering
File 2
k k
Cryptography is not:
– The solution to all security problems
– Reliable unless implemented and used properly
– Something you should try to invent yourself
• many many examples of broken ad-hoc designs
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Introduction
What is cryptography?
Dan Boneh
Crypto core Talking
to Bob
Talking
to Alice
attacker???
Secure communication: k m1
k
m2
confidentiality and integrity
Dan Boneh
But crypto can do much more
• Digital signatures
• Anonymous communication
Alice
Who did I signature
just talk to?
Alice
Bob
Dan Boneh
But crypto can do much more
• Digital signatures
• Anonymous communication
Dan Boneh
Protocols
• Elections
• Private auctions
trusted
Goal: compute f(x1, x2, x3, x4) authority
“Thm:” anything that can done with trusted auth. can also
be done without
E[ results ]
results
• Propose a construction
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Introduction
History
Dan Boneh
History
Dan Boneh
Symmetric Ciphers
Dan Boneh
Few Historic Examples (all badly broken)
1. Substitution cipher
k :=
Dan Boneh
Caesar Cipher (no key)
Dan Boneh
What is the size of key space in the substitution cipher
assuming 26 letters?
Dan Boneh
How to break a substitution cipher?
“X”
“L”
“E”
“H”
Dan Boneh
How to break a substitution cipher?
Dan Boneh
An Example
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO
FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN
CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF
ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB
OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR
B 36 E NC 11 IN UKB 6 THE
N 34 PU 10 AT RVN 6
U 33 T UB 10 FZI 4
P 32 A UN 9 trigrams
C 26 digrams
Dan Boneh
2. Vigener cipher (16’th century, Rome)
k = C R Y P T O C R Y P T O C R Y P T
(+ mod 26)
m = W H A T A N I C E D A Y T O D A Y
c = Z Z Z J U C L U D T U N W G C Q S
suppose most common = “H” first letter of key = “H” – “E” = “C”
Dan Boneh
3. Rotor Machines (1870-1943)
A K E N
B S K E
C T S K
. . T S
. . . T
X R . .
Y N R .
Z key E N R
Dan Boneh
Rotor Machines (cont.)
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Introduction
Discrete Probability
(crash course, cont.)
Dan Boneh
U: finite set (e.g. U = {0,1}n )
Examples:
1. Uniform distribution: for all x∈U: P(x) = 1/|U|
2. Point distribution at x0: P(x0) = 1, ∀x≠x0: P(x) = 0
note: Pr[U]=1
• The set A is called an event
Example: U = {0,1}8
• A = { all x in U such that lsb2(x)=11 } ⊆U
Dan Boneh
The union bound
• For events A1 and A2
Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2]
A1
A2
Example:
A1 = { all x in {0,1}n s.t lsb2(x)=11 } ; A2 = { all x in {0,1}n s.t. msb2(x)=11 }
More generally:
rand. var. X induces a distribution on V: Pr[ X=v ] := Pr[ X-1(v) ]
Dan Boneh
The uniform random variable
Let U be some set, e.g. U = {0,1}n
We write r ⟵R
U to denote a uniform random variable over U
Dan Boneh
Let r be a uniform random variable on {0,1}2
Then Pr[X=2] = ¼
Dan Boneh
Randomized algorithms
inputs outputs
• Deterministic algorithm: y ⟵ A(m)
m
• Randomized algorithm A(m)
y ⟵ A( m ; r ) where r ⟵
R
{0,1}n
Dan Boneh
Online Cryptography Course Dan Boneh
Introduction
Discrete Probability
(crash course, cont.)
Dan Boneh
Recap
U: finite set (e.g. U = {0,1}n )
Dan Boneh
Independence
Def: events A and B are independent if Pr[ A and B ] = Pr*A+ ∙ Pr[B]
random variables X,Y taking values in V are independent if
∀a,b∈V: Pr[ X=a and Y=b] = Pr[X=a] ∙ Pr[Y=b]
2
Example: U = {0,1} = {00, 01, 10, 11} and r⟵
R
U
0 1 1 0 1 1 1
⊕
1 0 1 1 0 1 0
Dan Boneh
An important property of XOR
Thm: Y a rand. var. over {0,1}n , X an indep. uniform var. on {0,1}n
Then Z := Y⨁X is uniform var. on {0,1}n
Dan Boneh
The birthday paradox
Let r1, …, rn ∈ U be indep. identically distributed random vars.
# samples n
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Dan Boneh
Symmetric Ciphers: definition
Def: a cipher defined over
is a pair of “efficient” algs (E, D) where
Dan Boneh
The One Time Pad (Vernam 1917)
Dan Boneh
The One Time Pad (Vernam 1917)
msg: 0 1 1 0 1 1 1
⊕
key: 1 0 1 1 0 1 0
CT:
Dan Boneh
You are given a message (m) and its OTP encryption (c).
Can you compute the OTP key from m and c ?
Dan Boneh
The One Time Pad (Vernam 1917)
Dan Boneh
What is a secure cipher?
Attacker’s abilities: CT only attack (for now)
Shannon’s idea:
CT should reveal no “info” about PT
Dan Boneh
Information Theoretic Security
(Shannon 1949)
Dan Boneh
Information Theoretic Security
Def: A cipher (E,D) over (K,M,C) has perfect secrecy if
∀m0, m1 ∈M ( |m0| = |m1| ) and ∀c∈C
Dan Boneh
Lemma: OTP has perfect secrecy.
Proof:
Dan Boneh
None
1
2
Dan Boneh
Lemma: OTP has perfect secrecy.
Proof:
Dan Boneh
The bad news …
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Pseudorandom
Generators
Dan Boneh
Review
Cipher over (K,M,C): a pair of “efficient” algs (E, D) s.t.
∀ m∈M, k∈K: D(k, E(k, m) ) = m
Weak ciphers: subs. cipher, Vigener, …
A good cipher: OTP M=C=K={0,1}n
E(k, m) = k ⊕ m , D(k, c) = k ⊕ c
Lemma: OTP has perfect secrecy (i.e. no CT only attacks)
Bad news: perfect-secrecy ⇒ key-len ≥ msg-len
Dan Boneh
Stream Ciphers: making OTP practical
idea: replace “random” key by “pseudorandom” key
Dan Boneh
Stream Ciphers: making OTP practical
Dan Boneh
Can a stream cipher have perfect secrecy?
Dan Boneh
PRG must be unpredictable
Dan Boneh
PRG must be unpredictable
n
We say that G: K ⟶ {0,1} is predictable if:
Is G predictable ??
Dan Boneh
Weak PRGs (do not use for crypto)
glibc random():
r[i+ ← ( r[i-3] + r[i-31] ) % 232
output r[i] >> 1
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Negligible vs.
non-negligible
Dan Boneh
Negligible and non-negligible
• In practice: ε is a scalar and
– ε non-neg: ε ≥ 1/230 (likely to happen over 1GB of data)
– ε negligible: ε ≤ 1/280 (won’t happen over life of key)
Dan Boneh
Few Examples
ε(λ) = 1/2λ : negligible
ε(λ) = 1/λ1000 : non-negligible
Negligible
Non-negligible
Dan Boneh
PRGs: the rigorous theory view
PRGs are “parameterized” by a security parameter λ
• PRG becomes “more secure” as λ increases
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Dan Boneh
Review
OTP: E(k,m) = m ⊕ k , D(k,c) = c ⊕ k
Dan Boneh
Attack 1: two time pad is insecure !!
Never use stream cipher key more than once !!
C1 m1 PRG(k)
C2 m2 PRG(k)
Eavesdropper does:
C1 C2 m1 m2
k k
k PRG( IV ll k ) k
IV ciphetext
k PRG( IV ll k ) k
IV ciphetext
Dan Boneh
Two time pad: summary
• Network traffic: negotiate new key for every session (e.g. TLS)
Dan Boneh
Attack 2: no integrity (OTP is malleable)
enc ( ⊕k )
m m⊕k
p
⊕
dec ( ⊕k )
m⊕p (m⊕k)⊕p
⋯
dec ( ⊕k )
From: Eve From: Eve
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Real-world Stream
Ciphers
Dan Boneh
Old example (software): RC4 (1987)
2048 bits
128 bits
1 byte
per round
seed
• Weaknesses:
1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
2. Prob. of (0,0) is 1/2562 + 1/2563
3. Related key attacks
Dan Boneh
Old example (hardware): CSS (badly broken)
Dan Boneh
Cryptanalysis of CSS (217 time attack)
E(k, m ; r) = m ⊕ PRG(k ; r)
τ0
k
k τ1
r r
i h ⊕ 64 byte
output
i τ2 (10 rounds)
32 bytes k
τ3 64 bytes 64 bytes
Dan Boneh
Performance: Crypto++ 5.6.0 [ Wei Dai ]
Dan Boneh
Generating Randomness (e.g. keys, IV)
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Dan Boneh
Let G:K ⟶ {0,1}n be a PRG
is “indistinguishable” from
Dan Boneh
Statistical Tests
Statistical test on {0,1}n:
an alg. A s.t. A(x) outputs “0” or “1”
Examples:
Dan Boneh
Statistical Tests
More examples:
Dan Boneh
Advantage
Let G:K ⟶{0,1}n be a PRG and A a stat. test on {0,1}n
Define:
Then
Dan Boneh
Secure PRGs: crypto definition
n
Def: We say that G:K ⟶{0,1} is a secure PRG if
Dan Boneh
Easy fact: a secure PRG is unpredictable
Define statistical test B as:
Dan Boneh
Thm (Yao’82): an unpredictable PRG is secure
Let G:K ⟶{0,1}n be PRG
Dan Boneh
Let G:K ⟶{0,1}n be a PRG such that
from the last n/2 bits of G(k)
it is easy to compute the first n/2 bits.
Yes
No
More Generally
Let P1 and P2 be two distributions over {0,1}n
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Semantic security
b’ {0,1}
for b=0,1: Wb := [ event that EXP(b)=1 ]
Dan Boneh
Examples
Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure.
b{0,1}
m0, LSB(m0)=0
Chal. Adv. B (us)
m1, LSB(m1)=1
kK
C E(k, mb) C Adv. A
(given)
LSB(mb)=b
identical distributions
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Stream ciphers are
semantically secure
AdvSS*A,E+ ≤ 2 ∙ AdvPRG[B,G]
Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c m0 ⊕ G(k) ≈p r{0,1}n c m0 ⊕ r
b’≟1
b’≟1
≈p
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c m1 ⊕ G(k) ≈p r{0,1}n c m1 ⊕ r
b’≟1 b’≟1
Dan Boneh
Proof: Let A be a sem. sec. adversary.
b’ {0,1}
For b=0,1: Wb := * event that b’=1 +.
AdvSS[A,E] = | Pr[ W0 + − Pr[ W1 ] |
Dan Boneh
Proof: Let A be a sem. sec. adversary.
b’ {0,1}
For b=0,1: Wb := * event that b’=1 +.
AdvSS[A,E] = | Pr[ W0 + − Pr[ W1 ] |
Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c m0⊕y (given)
b’ ∈ {0,1}
AdvPRG[B,G] =
Dan Boneh
End of Segment
Dan Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Dan
Boneh
Block
ciphers:
crypto
work
horse
n bits n bits
PT Block E, D CT Block
Key k bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan
Boneh
Block
Ciphers
Built
by
Itera<on
key
k
key expansion
k1 k2 k3 kn
R(kn,
⋅)
R(k1,
⋅)
R(k2, ⋅)
R(k3,
⋅)
m
c
Salsa20/12
643
Sosemanuk
727
3DES
64/168
13
block
Security
from
PRF
property:
F(k,
⋅)
indist.
from
random
func<on
f(⋅)
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Dan
Boneh
Block
ciphers:
crypto
work
horse
n bits n bits
PT Block E, D CT Block
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan
Boneh
Block
Ciphers
Built
by
Itera<on
key
k
key expansion
k1 k2 k3 kn
R(kn,
⋅)
R(k1,
⋅)
R(k2, ⋅)
R(k3,
⋅)
m
c
R0
R1
R2
Rd-‐1
Rd
f1
f2
L0
⊕
L1
⊕
L2
⋯
Ld-‐1
fd
⊕
Ld
input
output
In
symbols:
Dan
Boneh
n-‐bits
n-‐bits
R0
R1
R2
Rd-‐1
Rd
f1
f2
L0
⊕
L1
⊕
L2
⋯
Ld-‐1
fd
⊕
Ld
input
output
Rd
⊕
Rd-‐1
Rd-‐2
R1
R0
Ld
fd
Ld-‐1
fd-‐1
Ld-‐2
⋯
L1
f1
L0
input output
Dan
Boneh
DES:
16
round
Feistel
network
f1,
…,
f16:
{0,1}32
⟶
{0,1}32
,
fi(x)
=
F(
ki,
x
)
k
key
expansion
k1
k2
⋯
k16
64
bits
64
bits
16
round
IP
IP-‐1
Feistel
network
input
output
To
invert,
use
keys
in
reverse
order
Dan
Boneh
The
func<on
F(ki,
x)
S-‐box:
func<on
{0,1}6
⟶
{0,1}4
,
implemented
as
look-‐up
table.
Dan
Boneh
The
S-‐boxes
Si:
{0,1}6
⟶
{0,1}4
Dan
Boneh
Example:
a
bad
S-‐box
choice
Suppose:
Si(x1,
x2,
…,
x6)
=
(
x2⨁x3,
x1⨁x4⨁x5,
x1⨁x6,
x2⨁x3⨁x6
)
⋮
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Exhaus<ve
Search
Apacks
Dan
Boneh
Exhaus<ve
Search
for
block
cipher
key
Goal:
given
a
few
input
output
pairs
(mi,
ci
=
E(k,
mi))
i=1,..,3
find
key
k.
Dan
Boneh
Exhaus<ve
Search
for
block
cipher
key
For
two
DES
pairs
(m1,
c1=DES(k,
m1)),
(m2,
c2=DES(k,
m2))
unicity
prob.
≈
1
-‐
1/271
For
AES-‐128:
given
two
inp/out
pairs,
unicity
prob.
≈
1
-‐
1/2128
⇒
two
input/output
pairs
are
enough
for
exhaus<ve
key
search.
Dan
Boneh
DES
challenge
msg
=
“The unknown messages is: XXXX … “
CT
=
c1
c2
c3
c4
Goal:
find
k
∈
{0,1}56
s.t.
DES(k,
mi)
=
ci
for
i=1,2,3
⇒
56-‐bit
ciphers
should
not
be
used
!!
(128-‐bit
key
⇒
272
days)
Dan
Boneh
Strengthening
DES
against
ex.
search
Method
1:
Triple-‐DES
E(k2,⋅)
E(k1,⋅)
m
c
Dan
Boneh
Method
2:
DESX
E
:
K
×
{0,1}n
⟶
{0,1}n
a
block
cipher
Note:
k1
⨁
E(k2,
m)
and
E(k2,
m⨁k1)
does
nothing
!!
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Dan
Boneh
Apacks
on
the
implementa<on
1.
Side
channel
apacks:
– Measure
Kme
to
do
enc/dec,
measure
power
for
enc/dec
[
Pr
m[i1]⨁⋯⨁m[ir]
⨁
c[jj]⨁⋯⨁c[jv]
=
k[l1]⨁⋯⨁k[lu]
=
½
+
ε
]
For
some
ε.
For
DES,
this
exists
with
ε
=
1/221
≈
0.0000000477
Dan
Boneh
Linear
apacks
[
Pr
m[i1]⨁⋯⨁m[ir]
⨁
c[jj]⨁⋯⨁c[jv]
=
k[l1]⨁⋯⨁k[lu]
=
½
+
ε
]
Thm:
given
1/ε2
random
(m,
c=DES(k,
m))
pairs
then
Roughly
speaking:
can
find
14
key
“bits”
this
way
in
<me
242
Brute
force
remaining
56−14=42
bits
in
<me
242
Total
apack
<me
≈243
(
<<
256
)
with
242
random
inp/out
pairs
Dan
Boneh
Lesson
A
<ny
bit
of
linearly
in
S5
lead
to
a
242
<me
apack.
⇒
don’t
design
ciphers
yourself
!!
Dan
Boneh
Quantum
apacks
Generic
search
problem:
Let
f:
X
⟶
{0,1}
be
a
func<on.
Goal:
find
x∈X
s.t.
f(x)=1.
Classical
computer:
best
generic
algorithm
<me
=
O(
|X|
)
Quantum
computer
[Grover
’96]
:
<me
=
O(
|X|1/2
)
Can
quantum
computers
be
built:
unknown
Dan
Boneh
Quantum
exhaus<ve
search
Given
m,
c=E(k,m)
define
1 if
E(k,m)
=
c
f(k)
=
0
otherwise
Grover
⇒
quantum
computer
can
find
k
in
<me
O(
|K|1/2
)
DES:
<me
≈228
,
AES-‐128:
<me
≈264
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Dan
Boneh
The
AES
process
• 1997:
NIST
publishes
request
for
proposal
Key
sizes:
128,
192,
256
bits.
Block
size:
128
bits
Dan
Boneh
AES
is
a
Subs-‐Perm
network
(not
Feistel)
k1
k2
kn
S1
S1
S1
S2
S2
S2
S3
S3
S3
output
input
⨁
⨁
⋯
⨁
⋯
⋯
⋯
S8
S8
S8
subs.
perm.
layer
layer
inversion
Dan
Boneh
AES-‐128
schema<c
10
rounds
4
(1) ByteSub
(1) ByteSub
(1) ByteSub
⋯
⨁
⨁
⨁
(2) ShinRow
⨁
inver<ble
k0
k1
k2
k9
⨁
k10
key
key
expansion:
4
output
16
bytes
16
bytes
⟶176
bytes
4
Dan
Boneh
The
round
func<on
• ByteSub:
a
1
byte
S-‐box.
256
byte
table
(easily
computable)
• ShiORows:
• MixColumns:
Dan
Boneh
Code
size/performance
tradeoff
Code
size
Performance
Pre-‐compute
fastest:
round
func<ons
largest
table
lookups
(24KB
or
4KB)
and
xors
Pre-‐compute
smaller
slower
S-‐box
only
(256
bytes)
Dan
Boneh
Example:
Javascript
AES
AES
in
the
browser:
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Block ciphers
Dan
Boneh
Can
we
build
a
PRF
from
a
PRG?
Let
G:
K
⟶
K2
be
a
secure
PRG
k
G
Define
1-‐bit
PRF
F:
K
×
{0,1}
⟶
K
as
G(k)[0]
G(k)[1]
F(k,
x∈{0,1}
)
=
G(k)[x]
Thm:
If
G
is
a
secure
PRG
then
F
is
a
secure
PRF
k
G1(k)
Dan
Boneh
k
G1
is
a
secure
PRG
G
G(k)[0]
G(k)[1]
r0
r1
G
G
G
G
00
01
10
11
≈p
G1(k)
≈p
r1
G
random
in
K4
≈p
r00
r01
Dan
Boneh
Extending
more
Let
G:
K
⟶
K2
.
define
G2:
K
⟶
K8
as
G2(k)
=
k
G
G(k)[0]
G(k)[1]
We
get
a
3-‐bit
PRF
G
G
G
G
G
G
000
001
010
011
100
101
110
111
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Block
ciphers:
crypto
work
horse
n bits n bits
PT Block E, D CT Block
Key k bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan
Boneh
Abstractly:
PRPs
and
PRFs
• Pseudo
Random
FuncAon
(PRF)
defined
over
(K,X,Y):
F:
K
×
X
→
Y
such
that
exists
“efficient”
algorithm
to
evaluate
F(k,x)
b’
∈
{0,1}
• Def:
F
is
a
secure
PRF
if
for
all
“efficient”
A:
EXP(b)
AdvPRF[A,F]
:=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
“negligible.”
Dan
Boneh
Secure
PRP
(secure
block
cipher)
• For
b=0,1
define
experiment
EXP(b)
as:
b
Yes
No
Akacker
A:
It
depends
(1) query
f(⋅)
at
x=0
and
x=1
(2) if
f(0)
=
f(1)
output
“1”,
else
“0”
AdvPRF[A,E]
=
|0-‐½|
=
½
PRF
Switching
Lemma
Any
secure
PRP
is
also
a
secure
PRF,
if
|X|
is
sufficiently
large.
⇒
Suppose
|X|
is
large
so
that
q2
/
2|X|
is
“negligible”
Then
AdvPRP
[A,E]
“negligible”
⇒
AdvPRF[A,E]
“negligible”
Dan
Boneh
Final
note
• SuggesAon:
– don’t
think
about
the
inner-‐workings
of
AES
and
3DES.
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
CT: c1 c2
Problem:
– if
m1=m2
then
c1=c2
Dan
Boneh
In
pictures
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Security
for
many-‐Ame
key
Example
applicaAons:
1.
File
systems:
Same
AES
key
used
to
encrypt
many
files.
2.
IPsec:
Same
AES
key
used
to
encrypt
many
packets.
Dan
Boneh
SemanAc
Security
for
many-‐Ame
key
Key
used
more
than
once
⇒
adv.
sees
many
CTs
with
same
key
Adversary’s
power:
chosen-‐plaintext
akack
(CPA)
• Can
obtain
the
encrypAon
of
arbitrary
messages
of
his
choice
(conservaAve
modeling
of
real
life)
Adversary’s
goal:
Break
semaAc
security
Dan
Boneh
SemanAc
Security
for
many-‐Ame
key
E =
(E,D)
a
cipher
defined
over
(K,M,C). For
b=0,1
define
EXP(b)
as:
b
Chal.
Adv.
k←K
m1,0
,
m1,1
∈
M
:
|m1,0|
=
|m1,1|
c1 ← E(k, m1,b)
Dan
Boneh
SemanAc
Security
for
many-‐Ame
key
E =
(E,D)
a
cipher
defined
over
(K,M,C). For
b=0,1
define
EXP(b)
as:
b
Chal.
Adv.
k←K
m2,0
,
m2,1
∈
M
:
|m2,0|
=
|m2,1|
c2 ← E(k, m2,b)
Dan
Boneh
SemanAc
Security
for
many-‐Ame
key
(CPA
security)
E =
(E,D)
a
cipher
defined
over
(K,M,C). For
b=0,1
define
EXP(b)
as:
for
i=1,…,q:
b
Chal.
Adv.
k←K
mi,0
,
mi,1
∈
M
:
|mi,0|
=
|mi,1|
ci
←
E(k,
mi,b)
b’
∈
{0,1}
Def:
E
is
sem.
sec.
under
CPA
if
for
all
“efficient”
A:
AdvCPA
[A,E]
=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
“negligible.”
Dan
Boneh
Ciphers
insecure
under
CPA
Suppose
E(k,m)
always
outputs
same
ciphertext
for
msg
m.
Then:
m0
,
m0
∈
M
Chal.
Adv.
c0
←E(k,
m0)
k←K
m0
,
m1
∈
M
output
0
c
←
E(k,
mb)
if
c
=
c0
So
what?
an
akacker
can
learn
that
two
encrypted
files
are
the
same,
two
encrypted
packets
are
the
same,
etc.
• Leads
to
significant
akacks
when
message
space
M
is
small
Dan
Boneh
Ciphers
insecure
under
CPA
Suppose
E(k,m)
always
outputs
same
ciphertext
for
msg
m.
Then:
m0
,
m0
∈
M
Chal.
Adv.
c0
←E(k,
m0)
k←K
m0
,
m1
∈
M
output
0
c
←
E(k,
mb)
if
c
=
c0
m1 m1
k
k
• nonce
n:
a
value
that
changes
from
msg
to
msg.
(k,n)
pair
never
used
more
than
once
• method
1:
nonce
is
a
counter
(e.g.
packet
counter)
– used
when
encryptor
keeps
state
from
msg
to
msg
– if
decryptor
has
same
state,
need
not
send
nonce
with
CT
• method
2:
encryptor
chooses
a
random
nonce,
n
←
N
Dan
Boneh
CPA
security
for
nonce-‐based
encrypAon
System
should
be
secure
when
nonces
are
chosen
adversarially.
for
i=1,…,q:
b
Chal.
Adv.
k←K
ni
and
mi,0
,
mi,1
:
|mi,0|
=
|mi,1|
c
←
E(k,
mi,b
,
ni)
b’
∈
{0,1}
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
⊕
⊕
⊕
⊕
E(k,⋅)
E(k,⋅)
E(k,⋅)
E(k,⋅)
ciphertext
Dan
Boneh
DecrypAon
circuit
In
symbols:
c[0]
=
E(k,
IV⨁m[0]
)
⇒
m[0]
=
D(k,
c[0])
⨁
IV
Dan
Boneh
CBC:
CPA
Analysis
CBC
Theorem:
For
any
L>0,
If
E
is
a
secure
PRP
over
(K,X)
then
ECBC
is
a
sem.
sec.
under
CPA
over
(K,
XL,
XL+1).
Note:
CBC
is
only
secure
as
long
as
q2L2
<<
|X|
Dan
Boneh
An
example
AdvCPA
[A,
ECBC]
≤
2⋅PRP
Adv[B,
E]
+
2
q2
L2
/
|X|
Suppose
we
want
AdvCPA
[A,
ECBC]
≤
1/232
⇐
q2
L2
/|X|
<
1/
232
• AES:
|X|
=
2128
⇒
q
L
<
248
So,
ader
248
AES
blocks,
must
change
key
Bug
in
SSL/TLS
1.0:
IV
for
record
#i
is
last
CT
block
of
record
#(i-‐1)
Dan
Boneh
ConstrucAon
1’:
nonce-‐based
CBC
• Cipher
block
chaining
with
unique
nonce:
key
=
(k,k1)
unique
nonce
means:
(key,
n)
pair
is
used
for
only
one
message
When
nonce
is
non
random
need
to
encrypt
it
before
use
Dan
Boneh
A
CBC
technicality:
padding
IV m[0] m[1] m[2] m[3] ll pad
IVʹ′
⊕ ⊕ ⊕ ⊕
E(k1,⋅) E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)
removed
TLS:
for
n>0,
n
byte
pad
is
n n n ⋯ n during
decrypAon
if
no
pad
needed,
add
a
dummy
block
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
msg
IV
m[0]
m[1]
…
m[L]
To
ensure
F(k,x)
is
never
used
more
than
once,
choose
IV
as:
128
bits
IV:
nonce counter
starts
at
0
64
bits
64
bits
for
every
msg
Dan
Boneh
rand
ctr-‐mode
(rand.
IV):
CPA
analysis
• Counter-‐mode
Theorem:
For
any
L>0,
If
F
is
a
secure
PRF
over
(K,X,X)
then
ECTR
is
a
sem.
sec.
under
CPA
over
(K,XL,XL+1).
Note:
ctr-‐mode
only
secure
as
long
as
q2L
<<
|X|
.
Beker
than
CBC
!
Dan
Boneh
An
example
AdvCPA
[A,
ECTR]
≤
2⋅AdvPRF[B,
E]
+
2
q2
L
/
|X|
Suppose we want AdvCPA [A, ECTR] ≤ 1/232 ⇐ q2 L /|X| < 1/ 232
(for
CBC,
dummy
padding
block
can
be
solved
using
ciphertext
stealing)
Dan
Boneh
Summary
• PRPs
and
PRFs:
a
useful
abstracAon
of
block
ciphers.
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Message integrity
Dan
Boneh
Message
Integrity
Goal:
integrity,
no
confiden>ality.
Examples:
– Protec>ng
public
binaries
on
disk.
– Protec>ng
banner
ads
on
web
pages.
Dan
Boneh
Message
integrity:
MACs
k
message
m
tag
k
Alice
Bob
Def:
MAC
I
=
(S,V)
defined
over
(K,M,T)
is
a
pair
of
algs:
– S(k,m)
outputs
t
in
T
– V(k,m,t)
outputs
`yes’
or
`no’
Dan
Boneh
Integrity
requires
a
secret
key
message
m
tag
Alice
Bob
m1
∈
M
m2
,
…,
mq
Chal.
Adv.
k←K
t1
←
S(k,m1)
t2
,
…,
tq
(m,t)
b
b=1
if
V(k,m,t)
=
`yes’
and
(m,t)
∉
{
(m1,t1)
,
…
,
(mq,tq)
}
b=0
otherwise
Def:
I=(S,V)
is
a
secure
MAC
if
for
all
“efficient”
A:
AdvMAC[A,I]
=
Pr[Chal.
outputs
1]
is
“negligible.”
Dan
Boneh
Let
I
=
(S,V)
be
a
MAC.
Suppose
an
aRacker
is
able
to
find
m0
≠
m1
such
that
S(k,
m0)
=
S(k,
m1)
for
½
of
the
keys
k
in
K
Yes,
the
aRacker
cannot
generate
a
valid
tag
for
m0
or
m1
No,
this
MAC
can
be
broken
using
a
chosen
msg
aRack
It
depends
on
the
details
of
the
MAC
Let
I
=
(S,V)
be
a
MAC.
Suppose
S(k,m)
is
always
5
bits
long
Can
this
MAC
be
secure?
No,
an
aRacker
can
simply
guess
the
tag
for
messages
It
depends
on
the
details
of
the
MAC
Yes,
the
aRacker
cannot
generate
a
valid
tag
for
any
message
Example:
protec>ng
system
files
Suppose
at
install
>me
the
system
computes:
filename
filename
filename
k
derived
from
F1
F2
⋯
Fn
user’s
password
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Message Integrity
Dan
Boneh
Review:
Secure
MACs
MAC:
signing
alg.
S(k,m)⟶t
and
verifica>on
alg.
V(k,m,t)
⟶0,1
message
m
tag
Alice
Bob
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Message Integrity
Dan
Boneh
MACs
and
PRFs
Recall:
secure
PRF
F
⇒
secure
MAC,
as
long
as
|Y|
is
large
S(k,
m)
=
F(k,
m)
Our
goal:
given
a
PRF
for
short
messages
(AES)
construct
a
PRF
for
long
messages
From
here
on
let
X
=
{0,1}n
(e.g.
n=128)
Dan
Boneh
Construc>on
1:
encrypted
CBC-‐MAC
raw
CBC
m[0]
m[1]
m[3]
m[4]
⊕
⊕
⊕
F(k,⋅)
F(k,⋅)
F(k,⋅)
F(k,⋅)
k
t
>
F
>
F
>
F
>
F
t
ll
fpad
>
F
Let
F:
K
×
X
⟶
K
be
a
PRF
k1
tag
Define
new
PRF
FNMAC
:
K2
×
X≤L
⟶
K
Dan
Boneh
Why
the
last
encryp>on
step
in
ECBC-‐MAC
and
NMAC?
S(k,m) = rawCBC(k,m)
Suppose
we
want
AdvPRF[A,
FECBC]
≤
1/232
⇐
q2
/|X|
<
1/
232
• AES:
|X|
=
2128
⇒
q
<
248
So,
acer
248
messages
must,
must
change
key
>
rawCBC
tag
r
rand.
r
in
X
Let
F:
K
×
X
⟶
X
be
a
PRF.
Result:
MAC
with
tags
in
X2.
⇒
For
3DES:
can
sign
q=232
msgs
with
one
key
Dan
Boneh
Comparison
ECBC-‐MAC
is
commonly
used
as
an
AES-‐based
MAC
• CCM
encryp>on
mode
(used
in
802.11i)
• NIST
standard
called
CMAC
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Message Integrity
MAC padding
Dan
Boneh
Recall:
ECBC-‐MAC
⊕
⊕
⊕
F(k,⋅)
F(k,⋅)
F(k,⋅)
F(k,⋅)
⊕
⊕
⊕
F(k,⋅)
F(k,⋅)
F(k,⋅)
F(k,⋅)
tag
F(k1,⋅)
Dan
Boneh
CBC
MAC
padding
Bad
idea:
pad
m
with
0’s
m[0]
m[1]
m[0]
m[1]
0000
ISO:
pad
with
“1000…00”.
Add
new
dummy
block
if
needed.
– The
“1”
indicates
beginning
of
pad.
Dan
Boneh
CMAC
(NIST
standard)
Variant
of
CBC-‐MAC
where
key
=
(k,
k1,
k2)
• No
final
encryp>on
step
(extension
aRack
thwarted
by
last
keyed
xor)
• No
dummy
block
(ambiguity
resolved
by
use
of
k1
or
k2)
⊕ ⊕ k1 ⊕ ⊕ k2
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Message Integrity
PMAC
and
Carter-‐Wegman
MAC
Dan
Boneh
• ECBC
and
NMAC
are
sequen>al.
Dan
Boneh
Construc>on
3:
PMAC
–
parallel
MAC
P(k,
i):
an
easy
to
compute
func>on
m[0]
m[1]
m[2]
m[3]
key
=
(k,
k1)
P(k,0)
⊕
P(k,1)
⊕
P(k,2)
⊕
P(k,3)
⊕
Padding
similar
to
CMAC
F(k1,⋅)
F(k1,⋅)
F(k1,⋅)
⊕
Let
F:
K
×
X
⟶
X
be
a
PRF
Define
new
PRF
FPMAC
:
K2
×
X≤L
⟶
X
F(k1,⋅)
tag
Dan
Boneh
PMAC:
Analysis
PMAC
Theorem:
For
any
L>0,
If
F
is
a
secure
PRF
over
(K,X,X)
then
FPMAC
is
a
secure
PRF
over
(K,
X≤L,
X).
m1
∈
M
Chal.
Adv.
k←K
t1
←
S(k,m1)
(m,t)
b
b=1
if
V(k,m,t)
=
`yes’
and
(m,t)
≠
(m1,t1)
b=0
otherwise
Def:
I=(S,V)
is
a
secure
MAC
if
for
all
“efficient”
A:
Adv1MAC[A,I]
=
Pr[Chal.
outputs
1]
is
“negligible.”
Dan
Boneh
One-‐>me
MAC:
an
example
Can
be
secure
against
all
adversaries
and
faster
than
PRF-‐based
MACs
msg = ( m[1], …, m[L] ) where each block is 128 bit int.
where Pmsg(x) = xL+1 + m[L]⋅xL + … + m[1]⋅x is a poly. of deg L+1
We
show:
given
S(
key,
msg1
)
adv.
has
no
info
about
S(
key,
msg2
)
Dan
Boneh
One-‐>me
security
(uncondi>onal)
Thm:
the
one-‐>me
MAC
on
the
previous
slide
sa>sfies
(L=msg-‐len)
∀m1≠m2,t1,t2: Pra,b[ S( (a,b), m1) = t1 | S( (a,b), m2) = t2] ≤ L/q
(2) Pra,b[ S( (a,b), m1) = t1 and S( (a,b), m2) = t2] =
How
would
you
verify
a
CW
tag
(r,
t)
on
message
m
?
Recall
that
V(k2,m,.)
is
the
verifica>on
alg.
for
the
one
>me
MAC.
Dan
Boneh
Further
reading
• J.
Black,
P.
Rogaway:
CBC
MACs
for
Arbitrary-‐Length
Messages:
The
Three-‐
Key
Construc>ons.
J.
Cryptology
18(2):
111-‐131
(2005)
• M.
Bellare:
New
Proofs
for
NMAC
and
HMAC:
Security
Without
Collision-‐
Resistance.
CRYPTO
2006:
602-‐619
• Y.
Dodis,
K.
Pietrzak,
P.
Puniya:
A
New
Mode
of
Opera>on
for
Block
Ciphers
and
Length-‐Preserving
MACs.
EUROCRYPT
2008:
198-‐219
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
Introduc3on
Dan
Boneh
Recap:
message
integrity
So
far,
four
MAC
construc3ons:
ECBC-‐MAC,
CMAC
:
commonly
used
with
AES
(e.g.
802.11i)
PRFs
NMAC
:
basis
of
HMAC
(this
segment)
PMAC:
a
parallel
MAC
randomized
MAC
Carter-‐Wegman
MAC:
built
from
a
fast
one-‐3me
MAC
A
func3on
H
is
collision
resistant
if
for
all
(explicit)
“eff” algs.
A:
AdvCR[A,H]
=
Pr[
A
outputs
collision
for
H]
is
“neg”.
H(Fn)
When
user
downloads
package,
can
verify
that
contents
are
valid
H
collision
resistant
⇒
a]acker
cannot
modify
package
without
detec3on
no
key
needed
(public
verifiability),
but
requires
read-‐only
space
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
Dan
Boneh
Generic
a]ack
on
C.R.
func3ons
Let
H:
M
→
{0,1}n
be
a
hash
func3on
(
|M|
>>
2n
)
Algorithm:
1. Choose
2n/2
random
messages
in
M:
m1,
…,
m2n/2
(dis3nct
w.h.p
)
2. For
i
=
1,
…,
2n/2
compute
ti
=
H(mi)
∈{0,1}n
3. Look
for
a
collision
(ti
=
tj).
If
not
found,
got
back
to
step
1.
Thm:
when
n=
1.2
×
B1/2
then
Pr[
∃i≠j:
ri
=
rj
]
≥
½
Proof:
(for
uniform
indep.
r1,
…,
rn
)
Dan
Boneh
B=106
#
samples
n
Dan
Boneh
Generic
a]ack
H:
M
→
{0,1}n
.
Collision
finding
algorithm:
1. Choose
2n/2
random
elements
in
M:
m1,
…,
m2n/2
2. For
i
=
1,
…,
2n/2
compute
ti
=
H(mi)
∈{0,1}n
3. Look
for
a
collision
(ti
=
tj).
If
not
found,
got
back
to
step
1.
Expected
number
of
itera3on
≈
2
Running
3me:
O(2n/2)
(space
O(2n/2)
)
Dan
Boneh
Sample
C.R.
hash
func3ons:
Crypto++
5.6.0
[
Wei
Dai
]
digest
generic
func3on
size
(bits)
Speed
(MB/sec)
a]ack
3me
NIST
standards
*
best
known
collision
finder
for
SHA-‐1
requires
251
hash
evalua3ons
Dan
Boneh
Quantum
Collision
Finder
Classical
Quantum
algorithms
algorithms
Block
cipher
E:
K
×
X
⟶
X
O(
|K|
)
O(
|K|1/2
)
exhaus3ve
search
Hash
func3on
H:
M
⟶
T
O(
|T|1/2
)
O(
|T|1/3
)
collision
finder
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
The
Merkle-‐Damgard
Paradigm
Dan
Boneh
Collision
resistance:
review
Let
H:
M
→T
be
a
hash
func3on
(
|M|
>>
|T|
)
IV
H(m)
(fixed)
H0
h H1
h H2
h H3
h H4
h(
Ht,
Mt
ll
PB)
=
Ht+1
=
H’r+1
=
h(H’r,
M’r
ll
PB’)
Dan
Boneh
Suppose
Ht
=
H’r
and
Mt
=
M’r
and
PB
=
PB’
Dan
Boneh
⇒
To
construct
C.R.
func3on,
suffices
to
construct
compression
func3on
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
Construc3ng
Compression
Func3ons
Dan
Boneh
The
Merkle-‐Damgard
iterated
construc3on
m[0] m[1] m[2] m[3] ll PB
IV
H(m)
(fixed)
h h h h
Dan
Boneh
Compr.
func.
from
a
block
cipher
E:
K×
{0,1}n
⟶
{0,1}n
a
block
cipher.
Thm:
Suppose
E
is
an
ideal
cipher
(collec3on
of
|K|
random
perms.).
Finding
a
collision
h(H,m)=h(H’,m’)
takes
O(2n/2)
evalua3ons
of
(E,D).
H’=D(m’,
E(m,H))
H’=E(m’,
D(m,H))
H’=E(m’,
E(m,H))
H’=D(m’,
D(m,H))
Other
block
cipher
construc3ons
Let
E:
{0,1}n
×
{0,1}n
⟶
{0,1}n
for
simplicity
512-‐bit key
>
SHACAL-‐2
256-‐bit
block
256-‐bit
block
Dan
Boneh
Provable
compression
func3ons
Choose
a
random
2000-‐bit
prime
p
and
random
1
≤
u,
v
≤
p
.
For
m,h
∈
{0,…,p-‐1}
define
h(H,m)
=
uH
⋅
vm
(mod
p)
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
HMAC:
a
MAC
from
SHA-‐256
Dan
Boneh
The
Merkle-‐Damgard
iterated
construc3on
m[0] m[1] m[2] m[3] ll PB
IV
H(m)
(fixed)
h h h h
Dan
Boneh
MAC
from
a
Merkle-‐Damgard
Hash
Func3on
H:
X≤L
⟶
T
a
C.R.
Merkle-‐Damgard
Hash
Func3on
IV
>
h >
h >
h >
h
(fixed)
k⨁opad
>
tag
h >
h
IV
(fixed)
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Collision resistance
Dan
Boneh
Warning:
verifica3on
3ming
a]acks
[L’09]
Example:
Keyczar
crypto
library
(Python)
[simplified]
Dan
Boneh
Warning:
verifica3on
3ming
a]acks
[L’09]
m
,
tag
target
k
msg
m
accept
or
reject
Dan
Boneh
Defense
#1
Make
string
comparator
always
take
same
3me
(Python)
:
Dan
Boneh
Lesson
Don’t
implement
crypto
yourself
!
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Dan
Boneh
Recap:
the
story
so
far
Confiden'ality:
seman,c
security
against
a
CPA
a4ack
• Encryp,on
secure
against
eavesdropping
only
Integrity:
• Existen,al
unforgeability
under
a
chosen
message
a4ack
• CBC-‐MAC,
HMAC,
PMAC,
CW-‐MAC
Dan
Boneh
Sample
tampering
a4acks
TCP/IP:
(highly
abstracted)
WWW
port
=
80
packet
dest
=
80
data
source
machine
TCP/IP
stack
Bob
port
=
25
des,na,on
machine
Dan
Boneh
Sample
tampering
a4acks
IPsec:
(highly
abstracted)
WWW
TCP/IP
port
=
80
packet
stack
dest
=
80
data
stuff
Bob:
k
IV’,
dest
=
25
data
k
Bob
Easy
to
do
for
CBC
with
rand.
IV
port
=
25
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Defini,ons
Dan
Boneh
Goals
An
authen'cated
encryp'on
system
(E,D)
is
a
cipher
where
As
usual:
E:
K
×
M
×
N
⟶
C
but
D:
K
×
C
×
N
⟶
M
∪{⊥}
ciphertext
Security:
the
system
must
provide
is
rejected
• sem.
security
under
a
CPA
a4ack,
and
• ciphertext
integrity:
a4acker
cannot
create
new
ciphertexts
that
decrypt
properly
Dan
Boneh
Ciphertext
integrity
Let
(E,D)
be
a
cipher
with
message
space
M.
m1
∈
M
m2
,
…,
mq
Chal.
Adv.
k←K
c1
←
E(k,m1)
c2
,
…,
cq
c
b
b=1
if
D(k,c)
≠⊥
and
c
∉
{
c1
,
…
,
cq
}
b=0
otherwise
Def:
(E,D)
has
ciphertext
integrity
if
for
all
“efficient”
A:
AdvCI[A,E]
=
Pr[Chal.
outputs
1]
is
“negligible.”
Dan
Boneh
Authen,cated
encryp,on
Def:
cipher
(E,D)
provides
authen'cated
encryp'on
(AE)
if
it
is
(1)
seman,cally
secure
under
CPA,
and
(2)
has
ciphertext
integrity
Bad
example:
CBC
with
rand.
IV
does
not
provide
AE
• D(k,⋅)
never
outputs
⊥,
hence
adv.
easily
wins
CI
game
Dan
Boneh
Implica,on
1:
authen,city
A4acker
cannot
fool
Bob
into
thinking
a
message
was
sent
from
Alice
m1
,
…,
mq
c
Alice
Bob
ci
=
E(k,
mi)
k
k
Cannot
create
valid
c
∉
{
c1,
…,
cq
}
⇒
if
D(k,c)
≠⊥
Bob
knows
message
is
from
someone
who
knows
k
(but
message
could
be
a
replay)
Dan
Boneh
Implica,on
2
Authen,cated
encryp,on
⇒
Security
against
chosen
ciphertext
aCacks
(next
segment)
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Chosen
ciphertext
a4acks
Dan
Boneh
Example
chosen
ciphertext
a4acks
Adversary
has
ciphertext
c
that
it
wants
to
decrypt
• O]en,
adv.
can
fool
server
into
decryp,ng
certain
ciphertexts
(not
c)
dest
=
25
data
data
Dan
Boneh
Chosen
ciphertext
security:
defini,on
E =
(E,D)
cipher
defined
over
(K,M,C). For
b=0,1
define
EXP(b):
Dan
Boneh
Proof
by
pictures
Chal.
CPA
query:
mi,0
,
mi,1
Adv.
Chal.
CPA
query:
mi,0
,
mi,1
Adv.
ci=E(k,mi,0)
ci=E(k,mi,0)
k←K
k←K
CCA
query:
ci
≈p
CCA
query:
ci
D(k,ci)
⊥
≈p
≈p
Chal.
CPA
query:
mi,0
,
mi,1
Adv.
Chal.
CPA
query:
mi,0
,
mi,1
Adv.
k←K
ci=E(k,mi,1)
≈p
k←K
ci=E(k,mi,1)
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Construc,ons
from
ciphers
and
MACs
Dan
Boneh
…
but
first,
some
history
Authen,cated
Encryp,on
(AE):
introduced
in
2000
[KY’00,
BN’00]
Crypto
APIs
before
then:
(e.g.
MS-‐CAPI)
• Provide
API
for
CPA-‐secure
encryp,on
(e.g.
CBC
with
rand.
IV)
• Provide
API
for
MAC
(e.g.
HMAC)
Every
project
had
to
combine
the
two
itself
without
a
well
defined
goal
• Not
all
combina,ons
provide
AE
…
Dan
Boneh
Combining
MAC
and
ENC
(CCA)
Encryption key kE. MAC key = kI
All
support
AEAD:
(auth.
enc.
with
associated
data).
All
are
nonce-‐based.
encrypted
m0,
m1
Chal.
Adv.
b
c
←
E(k,
mb)
=
(c0,
t)
(c0,
t)
k←K
c’
=
(c0
,
t’
)
≠
c
(c0,
t’)
b
D(k,
c’)
=
mb
Dan
Boneh
OCB:
a
direct
construc,on
from
a
PRP
More efficient authenticated encryption: one E() op. per block.
Dan
Boneh
Performance:
Crypto++
5.6.0
[
Wei
Dai
]
code
Speed
Cipher
size
(MB/sec)
AES/GCM
large
**
108
AES/CTR
139
AES/CCM
smaller
61
AES/CBC
109
AES/EAX
smaller
61
AES/CMAC
109
AES/OCB
129*
HMAC/SHA1
147
*
extrapolated
from
Ted
Kravitz’s
results
**
non-‐Intel
machines
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Dan
Boneh
The
TLS
Record
Protocol
(TLS
1.2)
HDR
TLS
record
Stateful
encryp,on:
• Each
side
maintains
two
64-‐bit
counters:
ctrb⇾s
,
ctrs⇾b
• Init.
to
0
when
session
started.
ctr++
for
every
record.
• Purpose:
replay
defense
Dan
Boneh
TLS
record:
encryp,on
(CBC
AES-‐128,
HMAC-‐SHA1)
type
ll
ver
ll
len
kb⇾s
=
(kmac
,
kenc)
data
tag
pad
No
easy
solu,on
Dan
Boneh
802.11b
WEP:
how
not
to
do
it
802.11b
WEP:
m
CRC(m)
k
PRG(
IV
ll
k
)
k
IV
ciphetext
Previously
discussed
problems:
two
,me
pad
and
related
PRG
seeds
Dan
Boneh
Ac,ve
a4acks
Fact:
CRC
is
linear,
i.e.
∀m,p:
CRC(
m
⨁
p)
=
CRC(m)
⨁
F(p)
Upon
decryp,on:
CRC
is
valid,
but
ciphertext
is
changed
!!
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
Dan
Boneh
Recap
Authen'cated
encryp'on:
CPA
security
+
ciphertext
integrity
• Confiden,ality
in
presence
of
ac've
adversary
• Prevents
chosen-‐ciphertext
a4acks
step
3:
check
tag
on
[
++ctrb⇾s
ll
header
ll
data]
abort
if
invalid
type
ll
ver
ll
len
Two
types
of
error:
data
• padding
error
• MAC
error
tag
pad
Dan
Boneh
Padding
oracle
Suppose
a4acker
can
differen,ate
the
two
errors
(pad
error,
MAC
error):
⇒
Padding
oracle:
a4acker
submits
ciphertext
and
learns
if
last
bytes
of
plaintext
are
a
valid
pad
type
ll
ver
ll
len
In
older
TLS
1.0:
padding
oracle
due
to
different
alert
messages.
Dan
Boneh
Using
a
padding
oracle
(CBC
encryp,on)
A4acker
has
ciphertext
c
=
(c[0],
c[1],
c[2])
and
it
wants
m[1]
Dan
Boneh
Using
a
padding
oracle
(CBC
encryp,on)
step
1:
let
g
be
a
guess
for
the
last
byte
of
m[1]
IV
c[0]
c[1]
⨁
g
⨁
0x01
D(k,⋅)
D(k,⋅)
=
last-‐byte
⨁
g
⨁
0x01
⊕
⊕
m[0]
m[1]
if
last-‐byte
=
g:
valid
pad
otherwise:
invalid
pad
Dan
Boneh
Using
a
padding
oracle
(CBC
encryp,on)
A4ack:
submit
(
IV,
c’[0],
c[1]
)
to
padding
oracle
⇒
a4acker
learns
if
last-‐byte
=
g
Repeat
with
g
=
0,1,
…,
255
to
learn
last
byte
of
m[1]
Then
use
a
(02,
02)
pad
to
learn
the
next
byte
and
so
on
…
Dan
Boneh
IMAP
over
TLS
Problem:
TLS
renego,ates
key
when
an
invalid
record
is
received
Enter
IMAP
over
TLS:
(protocol
for
reading
email)
Dan
Boneh
Lesson
1.
Encrypt-‐then-‐MAC
would
completely
avoid
this
problem:
MAC
is
checked
first
and
ciphertext
discarded
if
invalid
2.
MAC-‐then-‐CBC
provides
A.E.,
but
padding
oracle
destroys
it
Dan
Boneh
Will
this
a4ack
work
if
TLS
used
counter
mode
instead
of
CBC?
(i.e.
use
MAC-‐then-‐CTR
)
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Authen,cated Encryp,on
A4acking
non-‐atomic
decryp,on
SSH
Binary
Packet
Protocol
CBC
encryp,on
(chained
IV)
seq.
packet
pad
MAC
payload
pad
num.
len.
len.
tag
MAC
computed
over
plaintext
Decryp,on:
• step
1:
decrypt
packet
length
field
only
(!)
• step
2:
read
as
many
packets
as
length
specifies
• step
3:
decrypt
remaining
ciphertext
blocks
• step
4:
check
MAC
tag
and
send
error
response
if
invalid
Dan
Boneh
An
a4ack
on
the
enc.
length
field
(simplified)
A4acker
has
one
ciphertext
block
c
=
AES(k,
m)
and
it
wants
m
one
AES
block
seq.
num.
c
k
decrypt
and
obtain
len
“len”
field
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Key Deriva1on
Dan
Boneh
Deriving
many
keys
from
one
Typical
scenario.
a
single
source
key
(SK)
is
sampled
from:
• Hardware
random
number
generator
• A
key
exchange
protocol
(discussed
later)
Even
if
two
apps
sample
same
SK
they
get
indep.
keys
It’s
good
prac1ce
to
label
strings
with
the
app.
name
It
serves
no
purpose
What
if
source
key
is
not
uniform?
Recall:
PRFs
are
pseudo
random
only
when
key
is
uniform
in
K
•
SK
not
uniform
⇒
PRF
output
may
not
look
random
Dan
Boneh
Extract-‐then-‐Expand
paradigm
Step
1:
extract
pseudo-‐random
key
k
from
source
key
SK
prob
prob
extractor
SK
k
salt
salt:
a
fixed
non-‐secret
string
chosen
at
random
step
2:
expand
k
by
using
it
as
a
PRF
key
as
before
Dan
Boneh
HKDF:
a
KDF
from
HMAC
Implements
the
extract-‐then-‐expand
paradigm:
• extract:
use
k
⟵
HMAC(
salt,
SK
)
Dan
Boneh
Password-‐Based
KDF
(PBKDF)
Deriving
keys
from
passwords:
• Do
not
use
HKDF:
passwords
have
insufficient
entropy
• Derived
keys
will
be
vulnerable
to
dic1onary
aaacks
(more
on
this
later)
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Determinis1c Encryp1on
Dan
Boneh
The
need
for
det.
Encryp1on
(no
nonce)
Alice data ??
Dan
Boneh
The
need
for
det.
Encryp1on
(no
nonce)
??
Alice
data
k1,
k2
Bob
data
,
“A lic e ”)
⋮
Later:
o rd
E(k 1
i eve
rec encrypted
Retr database
data
Alice
det.
enc.
enables
later
lookup
Dan
Boneh
Problem:
det.
enc.
cannot
be
CPA
secure
The
problem:
aaacker
can
tell
when
two
ciphertexts
encrypt
the
same
message
⇒
leaks
informa1on
equal
ciphertexts
means
same
index
Dan
Boneh
Problem:
det.
enc.
cannot
be
CPA
secure
The
problem:
aaacker
can
tell
when
two
ciphertexts
encrypt
the
same
message
⇒
leaks
informa1on
b
Chal.
m0
,
m0
∈
M
Adv.
c0
←E(k,
m0)
k←K
m0
,
m1
∈
M
output
0
c
←
E(k,
mb)
if
c
=
c0
Dan
Boneh
A
solu1on:
the
case
of
unique
messages
Suppose
encryptor
never
encrypts
same
message
twice:
the
pair
(k
,
m)
never
repeats
This
happens
when
encryptor:
• Chooses
messages
at
random
from
a
large
msg
space
(e.g.
keys)
• Message
structure
ensures
uniqueness
(e.g.
unique
user
ID)
Dan
Boneh
Determinis1c
CPA
security
E =
(E,D)
a
cipher
defined
over
(K,M,C). For
b=0,1
define
EXP(b)
as:
for
i=1,…,q:
b
Chal.
Adv.
k←K
mi,0
,
mi,1
∈
M
:
|mi,0|
=
|mi,1|
where m1,0, …, mq,0 are dis1nct and m1,1, …, mq,1 are dis1nct
Def:
E
is
sem.
sec.
under
det.
CPA
if
for
all
efficient
A:
AdvdCPA
[A,E]
=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
negligible.
Dan
Boneh
A
Common
Mistake
CBC
with
fixed
IV
is
not
det.
CPA
secure.
Let
E:
K
×
{0,1}n
⟶
{0,1}n
be
a
secure
PRP
used
in
CBC
ciphertext
Yes
b
No
m
,
m
Adv.
Chal.
c
←m⨁F(k,
FIV)
It
depends
k←K
m0
,
m1
output
0
if
c’
←
mb⨁F(k,
FIV)
c⨁c’=m⨁m0
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Determinis1c
Encryp1on
Construc1ons:
SIV
and
wide
PRP
Dan
Boneh
Determinis1c
encryp1on
Needed
for
maintaining
an
encrypted
database
index
• Lookup
records
by
encrypted
index
PRF
F
message
k1
CTR
mode
with
PRF
Fctr
k2
Fctr(k2,
IV)
ll
Fctr(k2,
IV+1)
ll
…
ll
Fctr(k2,
IV+L)
IV
ciphertext
Dan
Boneh
Det.
Auth.
Enc.
(DAE)
for
free
DecrypJon:
IV
ciphertext
CTR
mode
with
PRF
Fctr
k2
Fctr(k2,IV)
ll
Fctr(k2,
IV+1)
ll
…
ll
Fctr(k2,IV+L)
k1
PRF
F
message
if
≠IV
output
⊥
Thm:
if
F
is
a
secure
PRF
and
CTR
from
Fctr
is
CPA-‐secure
then
SIV-‐CTR
from
F,
Fctr
provides
DAE
Dan
Boneh
Construc1on
2:
just
use
a
PRP
Let
(E,
D)
be
a
secure
PRP.
E:
K
×
X
⟶
X
E
E
E
E
⨁
⨁
⨁
E
E
E
⨁
⨁
⨁
Dan
Boneh
PRP-‐based
Det.
Authen1cated
Enc.
Let
(E,
D)
be
a
secure
PRP.
E:
K
×
(X×{0,1}n)
⟶
X×{0,1}n
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Tweakable encryp1on
Dan
Boneh
Disk
encryp1on:
no
expansion
Sectors
on
disk
are
fixed
size
(e.g.
4KB)
⇒
encryp1on
cannot
expand
plaintext
(i.e.
M
=
C)
⇒
must
use
determinis1c
encryp1on,
no
integrity
Lemma:
if
(E,
D)
is
a
det.
CPA
secure
cipher
with
M=C
then
(E,
D)
is
a
PRP.
⇒
every
sector
will
need
to
be
encrypted
with
a
PRP
Dan
Boneh
sector
1
sector
2
sector
3
Dan
Boneh
sector
1
sector
2
sector
3
Syntax: E , D : K × T × X ⟶ X
Dan
Boneh
Secure
tweakable
block
ciphers
E
,
D
:
K
×
T
×
X
⟶
X
.
For
b=0,1
define
experiment
EXP(b)
as:
b
b=1:
π←(Perms[X])|T|
Chal.
Adv.
A
b=0:
k←K,
π[t]
←E(k,t,⋅)
t1,
x1
t2,
x2
…
tq,
xq
π
π[t1](x1)
π[t2](x2)
…
π[tq](xq)
b’
∈
{0,1}
• Def:
E
is
a
secure
tweakable
PRP
if
for
all
efficient
A:
AdvtPRP[A,E]
=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
negligible.
Dan
Boneh
Example
1:
the
trivial
construc1on
Let
(E,D)
be
a
secure
PRP,
E:
K
×
X
⟶
X
.
⇒
to
encrypt
n
blocks
need
2n
evals
of
E(.,.)
Dan
Boneh
2.
the
XTS
tweakable
block
cipher
[R’04]
Let
(E,D)
be
a
secure
PRP,
E:
K
×
{0,1}n
⟶
{0,1}n
.
x
x c
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Format
preserving
encryp1on
Dan
Boneh
Encryp1ng
credit
card
numbers
Credit
card
format:
bbbb
bbnn
nnnn
nnnc
(
≈
42
bits
)
k
k
POS
terminal
Then
to
encrypt
a
credit
card
number:
(s
=
total
#
credit
cards)
1. map
given
CC#
to
{0,…,s-‐1}
2. apply
PRP
to
get
an
output
in
{0,…,s-‐1}
3. map
output
back
a
to
CC#
Dan
Boneh
Step
1:
from
{0,1}n
to
{0,1}t
(t<n)
Want
PRP
on
{0,…,s-‐1}
.
Let
t
be
such
that
2t-‐1
<
s
≤
2t
.
t/2
bits
R0
R1
R2
R3
F’(k1,⋅ F’(k2,⋅ F’(k3,⋅
)
)
)
t/2
bits
L0
⊕
L1
⊕
L2
⊕
L3
input
output
(beaer
to
use
7
rounds
a
la
Patarin,
Crypto’03)
Dan
Boneh
Step
2:
from
{0,1}t
to
{0,…,s-‐1}
Given
PRP
(E,D):
K
×
{0,1}t
⟶
{0,1}t
we
build
(E’,D’):
K
×
{0,…,s-‐1}
⟶
{0,…,s-‐1}
E’(k,
x):
on
input
x
∈
{0,…,s-‐1}
do:
y⟵x;
do
{
y
⟵
E(k,
y)
}
un1l
y∈
{0,…,s-‐1};
output
y
Expected
#
itera1ons:
2
{0,…,s-‐1}
{0,1}t
Dan
Boneh
Security
Step
2
is
1ght:
∀A
∃B:
PRPadv[A,E]
=
PRPadv[B,E’]
Intui1on:
∀sets
Y
⊆
X,
applying
the
transforma1on
to
a
random
perm.
π:
X⟶
X
gives
a
random
perm.
π':
Y
⟶
Y
Step
1:
same
security
as
Luby-‐Rackoff
construc1on
(actually
using
analysis
of
Patarin,
Crypto’03)
note:
no
integrity
Dan
Boneh
Further
reading
• Cryptographic
Extrac1on
and
Key
Deriva1on:
The
HKDF
Scheme.
H.
Krawczyk,
Crypto
2010
• Determinis1c
Authen1cated-‐Encryp1on:
A
Provable-‐Security
Treatment
of
the
Keywrap
Problem.
P.
Rogaway,
T.
Shrimp1on,
Eurocrypt
2006
• A
Parallelizable
Enciphering
Mode.
S.
Halevi,
P.
Rogaway,
CT-‐RSA
2004
• Efficient
Instan1a1ons
of
Tweakable
Blockciphers
and
Refinements
to
Modes
OCB
and
PMAC.
P.
Rogaway,
Asiacrypt
2004
• How
to
Encipher
Messages
on
a
Small
Domain:
Determinis1c
Encryp1on
and
the
Thorp
Shuffle.
B.
Morris,
P.
Rogaway,
T.
Stegers,
Crypto
2009
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Key
management
Problem:
n
users.
Storing
mutual
secret
keys
is
difficult
Total:
O(n)
keys
per
user
Dan
Boneh
A
beFer
solu7on
Online
Trusted
3rd
Party
(TTP)
TTP
Dan
Boneh
Genera7ng
keys:
a
toy
protocol
Alice
wants
a
shared
key
with
Bob.
Eavesdropping
security
only.
Bob
(kB)
Alice
(kA)
TTP
“Alice
wants
key
with
Bob”
choose
random
kAB
7cket
Note: TTP needed for every key exchange, knows all session keys.
Dan
Boneh
Key
ques7on
Can
we
generate
shared
keys
without
an
online
trusted
3rd
party?
Answer:
yes!
Star7ng
point
of
public-‐key
cryptography:
• Merkle
(1974),
Diffie-‐Hellman
(1976),
RSA
(1977)
• More recently: ID-‐based enc. (BF 2001), Func7onal enc. (BSW 2011)
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Merkle Puzzles
Dan
Boneh
Key
exchange
without
an
online
TTP?
Goal:
Alice
and
Bob
want
shared
key,
unknown
to
eavesdropper
• For
now:
security
against
eavesdropping
only
(no
tampering)
Alice Bob
eavesdropper ??
Dan
Boneh
Merkle
puzzles
Alice:
prepare
232
puzzles
• For
i=1,
…,
232
choose
random
Pi
∈{0,1}32
and
xi,
ki
∈{0,1}128
set
puzzlei
⟵
E(
096
ll
Pi
,
“Puzzle
#
xi”
ll
ki
)
• Send
puzzle1
,
…
,
puzzle232
to
Bob
Bob:
choose
a
random
puzzlej
and
solve
it.
Obtain
(
xj,
kj
)
.
• Send
xj
to
Alice
Alice:
lookup
puzzle
with
number
xj
.
Use
kj
as
shared
secret
Dan
Boneh
In
a
figure
puzzle1
,
…
,
puzzlen
Alice
Bob
xj
kj
kj
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
The
Diffie-‐Hellman
protocol
Dan
Boneh
Key
exchange
without
an
online
TTP?
Goal:
Alice
and
Bob
want
shared
secret,
unknown
to
eavesdropper
• For
now:
security
against
eavesdropping
only
(no
tampering)
Alice Bob
eavesdropper ??
Alice
Bob
choose
random
a
in
{1,…,p-‐1}
choose
random
b
in
{1,…,p-‐1}
a b
Ba
(mod
p)
=
(gb)
=
=
gab
(mod
p)
kAB
=
(ga)
=
Ab
(mod
p)
Dan
Boneh
Security
(much
more
on
this
later)
Eavesdropper
sees:
p,
g,
A=ga
(mod
p),
and
B=gb
(mod
p)
Can
she
compute
gab
(mod
p)
??
More
generally:
define
DHg(ga,
gb)
=
gab
(mod
p)
Dan
Boneh
How
hard
is
the
DH
func7on
mod
p?
Suppose
prime
p
is
n
bits
long.
Best
known
algorithm
(GNFS):
run
7me
exp(
)
Ellip7c
Curve
cipher
key
size
modulus
size
size
80
bits
1024
bits
bits
160
128
bits
3072
bits
256
bits
256
bits
(AES)
15360
bits
bits
512
As
a
result:
slow
transi7on
away
from
(mod
p)
to
ellip7c
curves
Dan
Boneh
Ellip7c
curve
Diffie-‐Hellman
Dan
Boneh
Insecure
against
man-‐in-‐the-‐middle
As
described,
the
protocol
is
insecure
against
acJve
aFacks
Dan
Boneh
Another
look
at
DH
Facebook
ga gb gc gd
Dan
Boneh
An
open
problem
Facebook
ga gb gc gd
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Public-‐key encryp7on
Dan
Boneh
Establishing
a
shared
secret
Goal:
Alice
and
Bob
want
shared
secret,
unknown
to
eavesdropper
• For
now:
security
against
eavesdropping
only
(no
tampering)
Alice Bob
eavesdropper ??
Alice Bob
E D
Dan
Boneh
Public
key
encryp7on
Def:
a
public-‐key
encryp7on
system
is
a
triple
of
algs.
(G,
E,
D)
• G():
randomized
alg.
outputs
a
key
pair
(pk,
sk)
• E(pk,
m):
randomized
alg.
that
takes
m∈M
and
outputs
c
∈C
• D(sk,c):
det.
alg.
that
takes
c∈C
and
outputs
m∈M
or
⊥
pk
b
Chal.
Adv.
A
m0
,
m1
∈
M
:
|m0|
=
|m1|
(pk,sk)←G()
c
←
E(pk,
mb)
b’
∈
{0,1}
EXP(b)
Def: E =(G,E,D) is sem. secure (a.k.a IND-‐CPA) if for all efficient A:
Dan
Boneh
Security
(eavesdropping)
Adversary
sees
pk,
E(pk,
x)
and
wants
x
∈M
Seman7c
security
⇒
adversary
cannot
dis7nguish
{
pk,
E(pk,
x),
x
}
from
{
pk,
E(pk,
x),
rand∈M
}
⇒
can
derive
session
key
from
x.
Dan
Boneh
Public
key
encryp7on:
construc7ons
Construc7ons
generally
rely
on
hard
problems
from
number
theory
and
algebra
Next
module:
• Brief
detour
to
catch
up
on
the
relevant
background
Dan
Boneh
Further
readings
• Merkle
Puzzles
are
Op7mal,
B.
Barak,
M.
Mahmoody-‐Ghidary,
Crypto
’09
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Nota3on
Dan
Boneh
Background
We
will
use
a
bit
of
number
theory
to
construct:
• Key
exchange
protocols
• Digital
signatures
• Public-‐key
encryp3on
Nota3on:
Can
do
addi3on
and
mul3plica3on
modulo
N
Dan
Boneh
Modular
arithme3c
Examples:
let
N
=
12
9
+
8
=
5
in
5
×
7
=
11
in
5
−
7
=
10
in
Arithme3c
in
works
as
you
expect,
e.g
x⋅(y+z)
=
x⋅y
+
x⋅z
in
Dan
Boneh
Greatest
common
divisor
Def:
For
ints.
x,y:
gcd(x,
y)
is
the
greatest
common
divisor
of
x,y
Fact:
for
all
ints.
x,y
there
exist
ints.
a,b
such
that
a⋅x
+
b⋅y
=
gcd(x,y)
a,b
can
be
found
efficiently
using
the
extended
Euclid
alg.
Example: let N be an odd integer. The inverse of 2 in is
Dan
Boneh
Modular
inversion
Which
elements
have
an
inverse
in
?
Lemma:
x
in
has
an
inverse
if
and
only
if
gcd(x,N)
=
1
Proof:
gcd(x,N)=1
⇒
∃
a,b:
a⋅x
+
b⋅N
=
1
gcd(x,N)
>
1
⇒
∀a:
gcd(
a⋅x,
N
)
>
1
⇒
a⋅x
≠
1
in
Dan
Boneh
More
nota3on
Def:
=
(set
of
inver3ble
elements
in
)
=
= { x∈ : gcd(x,N) = 1 }
Examples:
1. for
prime
p,
2.
=
{
1,
5,
7,
11}
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Review
N
denotes
an
n-‐bit
posi3ve
integer.
p
denotes
a
prime.
=
{
x∈ZN
:
gcd(x,N)
=
1
}
Can
find
inverses
efficiently
using
Euclid
alg.:
3me
=
O(n2)
Dan
Boneh
Fermat’s
theorem
(1640)
Thm:
Let
p
be
a
prime
∀
x
∈
(Zp)*
:
xp-‐1
=
1
in
Zp
Example:
p=5.
34
=
81
=
1
in
Z5
So:
x
∈
(Zp)*
⇒
x⋅xp-‐2
=
1
⇒
x−1
=
xp-‐2
in
Zp
another
way
to
compute
inverses,
but
less
efficient
than
Euclid
Dan
Boneh
Applica3on:
genera3ng
random
primes
Suppose
we
want
to
generate
a
large
random
prime
say,
prime
p
of
length
1024
bits
(
i.e.
p
≈
21024
)
Step
1:
choose
a
random
integer
p
∈
[
21024
,
21025-‐1
]
Step
2:
test
if
2p-‐1
=
1
in
Zp
If
so,
output
p
and
stop.
If
not,
goto
step
1
.
Simple
algorithm
(not
the
best).
Pr[
p
not
prime
]
<
2-‐60
Dan
Boneh
The
structure
of
(Zp)*
Thm
(Euler):
(Zp)*
is
a
cyclic
group,
that
is
∃ g∈(Zp)* such that {1, g, g2, g3, …, gp-‐2} = (Zp)*
Example: p=7. {1, 3, 32, 33, 34, 35} = {1, 3, 2, 6, 4, 5} = (Z7)*
Not
every
elem.
is
a
generator:
{1,
2,
22,
23,
24,
25}
=
{1,
2,
4}
Dan
Boneh
Order
For
g∈(Zp)*
the
set
{1
,
g
,
g2,
g3,
…
}
is
called
the
group
generated
by
g,
denoted
<g>
Def: the order of g∈(Zp)* is the size of <g>
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Modular
e’th
roots
We
know
how
to
solve
modular
linear
equa3ons:
a⋅x
+
b
=
0
in
ZN
Solu3on:
x
=
−b⋅a-‐1
in
ZN
What
about
higher
degree
polynomials?
Example:
let
p
be
a
prime
and
c∈Zp
.
Can
we
solve:
x2
–
c
=
0
,
y3
–
c
=
0
,
z37
–
c
=
0
in
Zp
Dan
Boneh
Modular
e’th
roots
Let
p
be
a
prime
and
c∈Zp
.
Def:
x∈Zp
s.t.
xe
=
c
in
Zp
is
called
an
e’th
root
of
c
.
Examples:
71/3
=
6
in
31/2
=
5
in
21/2
does
not
exist
in
11/3
=
1
in
Dan
Boneh
The
easy
case
When
does
c1/e
in
Zp
exist?
Can
we
compute
it
efficiently?
Dan
Boneh
The
case
e=2:
square
roots
If
p
is
an
odd
prime
then
gcd(
2,
p-‐1)
≠
1
x
−x
Fact:
in
,
x
⟶
x2
is
a
2-‐to-‐1
func3on
x2
Example:
in
:
1
10
2
9
3
8
4
7
5
6
1
4
9
5
3
Def:
x
in
is
a
quadra5c
residue
(Q.R.)
if
it
has
a
square
root
in
p
odd
prime
⇒
the
#
of
Q.R.
in
is
(p-‐1)/2
+
1
Dan
Boneh
Euler’s
theorem
Thm:
x
in
(Zp)*
is
a
Q.R.
⟺
x(p-‐1)/2
=
1
in
Zp
(p
odd
prime)
Example:
in
:
15,
25,
35,
45,
55,
65,
75,
85,
95,
105
=
1
-‐1
1
1
1,
-‐1,
-‐1,
-‐1,
1,
-‐1
1/2
Note:
x≠0
⇒
x(p-‐1)/2
=
(x ) =
11/2
∈
{
1,
-‐1
}
in
Z
p-‐1
p
Def:
x(p-‐1)/2
is
called
the
Legendre
Symbol
of
x
over
p
(1798)
Dan
Boneh
Compu3ng
square
roots
mod
p
Suppose
p
=
3
(mod
4)
Lemma:
if
c∈(Zp)*
is
Q.R.
then
√c
=
c(p+1)/4
in
Zp
Proof:
When
p
=
1
(mod
4),
can
also
be
done
efficiently,
but
a
bit
harder
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Arithme3c algorithms
Dan
Boneh
Represen3ng
bignums
Represen3ng
an
n-‐bit
integer
(e.g.
n=2048)
on
a
64-‐bit
machine
32
bits
32
bits
32
bits
⋯
32
bits
n/32
blocks
Note:
some
processors
have
128-‐bit
registers
(or
more)
and
support
mul3plica3on
on
them
Dan
Boneh
Arithme3c
Given:
two
n-‐bit
integers
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Intractable problems
Dan
Boneh
Easy
problems
• Given
composite
N
and
x
in
ZN
find
x-‐1
in
ZN
Def: We say that DLOG is hard in G if for all efficient alg. A:
Pr
g⟵G,
x
⟵Z
[
A(
G,
q,
g,
gx
)
=
x
]
<
negligible
q
Example
candidates:
(1)
(Zp)*
for
large
p,
(2)
Ellip3c
curve
groups
mod
p
Dan
Boneh
Compu3ng
Dlog
in
(Zp)*
(n-‐bit
prime
p)
Best
known
algorithm
(GNFS):
run
3me
exp(
)
Ellip3c
Curve
cipher
key
size
modulus
size
group
size
80
bits
1024
bits
160
bits
128
bits
3072
bits
256
bits
256
bits
(AES)
15360
bits
512
bits
As a result: slow transi3on away from (mod p) to ellip3c curves
Dan
Boneh
An
applica3on:
collision
resistance
Choose
a
group
G
where
Dlog
is
hard
(e.g.
(Zp)*
for
large
p)
Let
q
=
|G|
be
a
prime.
Choose
generators
g,
h
of
G
For
x,y
∈
{1,…,q}
define
H(x,y)
=
gx
⋅
hy
in
G
Lemma: finding collision for H(.,.) is as hard as compu3ng Dlogg(h)
Best known alg. (NFS): run 3me exp( ) for n-‐bit integer
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Public
key
encryp4on
Bob:
generates
(PK,
SK)
and
gives
PK
to
Alice
Alice Bob
m c c m
E
D
pk sk
Dan
Boneh
Applica4ons
Session
setup
(for
now,
only
eavesdropping
security)
Alice
pk
Bob
Generate
(pk,
sk)
choose
random
x
E(pk,
x)
(e.g.
48
bytes)
x
pk
b
Chal.
Adv.
A
m0
,
m1
∈
M
:
|m0|
=
|m1|
(pk,sk)←G()
c
←
E(pk,
mb)
b’
∈
{0,1}
EXP(b)
Def: E =(G,E,D) is sem. secure (a.k.a IND-‐CPA) if for all efficient A:
Dan
Boneh
Security
against
ac4ve
aaacks
What
if
aaacker
can
tamper
with
ciphertext?
aaacker:
pkserver
to:
aaacker@gmail
body
skserver
aaacker
Aaacker
is
given
decryp4on
of
msgs
that
start
with
“to:
a;acker”
Dan
Boneh
(pub-‐key)
Chosen
Ciphertext
Security:
defini4on
E =
(G,E,D)
public-‐key
enc.
over
(M,C). For
b=0,1
define
EXP(b):
pk
Chal.
Adv.
A
(pk,sk)←G()
b
CCA
phase
1:
ci
∈
C
mi
←
D(k,
ci)
challenge:
m0
,
m1
∈
M
:
|m0|
=
|m1|
c
←
E(pk,
mb)
In
public-‐key
sefngs:
• Aaacker
can
create
new
ciphertexts
using
pk
!!
• So
instead:
we
directly
require
chosen
ciphertext
security
Dan
Boneh
This
and
next
module:
construc4ng
CCA
secure
pub-‐key
systems
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Construc4ons
Dan
Boneh
Public-‐key
encryp4on
from
TDFs
• (G,
F,
F-‐1):
secure
TDF
X
⟶
Y
• (Es,
Ds)
:
symmetric
auth.
encryp4on
defined
over
(K,M,C)
• H:
X
⟶
K
a
hash
func4on
Security
Theorem:
If
(G,
F,
F-‐1)
is
a
secure
TDF,
(Es,
Ds)
provides
auth.
enc.
and
H:
X
⟶
K
is
a
“random
oracle”
then
(G,E,D)
is
CCAro
secure.
Dan
Boneh
Incorrect
use
of
a
Trapdoor
Func4on
(TDF)
Never
encrypt
by
applying
F
directly
to
plaintext:
E(
pk,
m)
:
D(
sk,
c
)
:
output
c
⟵
F(pk,
m)
output
F-‐1(sk,
c)
Problems:
• Determinis4c:
cannot
be
seman4cally
secure
!!
• Many
aaacks
exist
(next
segment)
Dan
Boneh
Next
step:
construct
a
TDF
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Review:
trapdoor
permuta4ons
Three
algorithms:
(G,
F,
F-‐1)
• G:
outputs
pk,
sk.
pk
defines
a
func4on
F(pk,
⋅):
X
→
X
Dan
Boneh
The
RSA
trapdoor
permuta4on
G():
choose
random
primes
p,q
≈1024
bits.
Set
N=pq.
kϕ(N)+1
ϕ(N) k
-‐1 d d d ed
F (
sk,
y)
=
y
;
y
=
RSA(x)
=
x
=
x
=
(x ) ⋅
x
=
x
Dan
Boneh
The
RSA
assump4on
RSA
assump4on:
RSA
is
one-‐way
permuta4on
[ ]
Pr
A(N,e,y)
=
y1/e
<
negligible
where
p,q
←
R
n-‐bit
primes,
N←pq,
y←Z
R
N
*
Dan
Boneh
Review:
RSA
pub-‐key
encryp4on
(ISO
std)
(Es,
Ds):
symmetric
enc.
scheme
providing
auth.
encryp4on.
H:
ZN
→
K
where
K
is
key
space
of
(Es,Ds)
Suppose k is 64 bits: k ∈ {0,…,264}. Eve sees: c= ke in ZN
If k = k1⋅k2 where k1, k2 < 234 (prob. ≈20%) then c/k1e = k2e in ZN
Step
1:
build
table:
c/1e,
c/2e,
c/3e,
…,
c/234e
.
4me:
234
Step
2:
for
k2
=
0,…,
234
test
if
k2e
is
in
table.
4me:
234
Output
matching
(k1,
k2).
Total
aaack
4me:
≈240
<<
264
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
PKCS 1
Dan
Boneh
RSA
encryp4on
in
prac4ce
Never
use
textbook
RSA.
ciphertext
msg
Preprocessing
RSA
key
Main
ques4ons:
– How
should
the
preprocessing
be
done?
– Can
we
argue
about
security
of
resul4ng
system?
Dan
Boneh
PKCS1
v1.5
PKCS1
mode
2:
(encryp4on)
16
bits
02
random
pad
FF
msg
Dan
Boneh
m
W(m,r)
r
+
H
How
would
you
decrypt
an
SAEP
ciphertext
ct
?
x
r
RSA
ciphertext
if ( pad(OAEP-1(RSA-1(ct))) != “01000” )
{ error = 1; goto exit; }
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Is
RSA
a
one-‐way
func4on?
Dan
Boneh
Is
RSA
a
one-‐way
permuta4on?
To
invert
the
RSA
one-‐way
func.
(without
d)
aaacker
must
compute:
x
from
c
=
xe
(mod
N).
Dan
Boneh
Shortcuts?
Must
one
factor
N
in
order
to
compute
e’th
roots?
d ≤ N0.25/3 ⇒
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
RSA
With
Low
public
exponent
To
speed
up
RSA
encryp4on
use
a
small
e:
c
=
me
(mod
N)
Suppose error occurs when compu4ng xq , but no error in xp
Then: output is x’ where x’ = cd in Zp but x’ ≠ cd in Zq
⇒
(x’)e
=
c
in
Zp
but
(x’)e
≠
c
in
Zq
⇒
gcd(
(x’)e
-‐
c
,
N)
=
p
Dan
Boneh
RSA
Key
Genera4on
Trouble
[Heninger
et
al./Lenstra
et
al.]
OpenSSL
RSA
key
genera4on
(abstract):
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q
Lesson:
Dan
Boneh
Further
reading
• Why
chosen
ciphertext
security
maaers,
V.
Shoup,
1998
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
The
ElGamal
Public-‐key
System
Dan
Boneh
Recap:
public
key
encryp3on:
(Gen,
E,
D)
Gen
pk sk
m c c m
E
D
Dan
Boneh
Recap:
public-‐key
encryp3on
applica3ons
Key
exchange
(e.g.
in
HTTPS)
Encryp3on
in
non-‐interac3ve
seKngs:
• Secure
Email:
Bob
has
Alice’s
pub-‐key
and
sends
her
an
email
• Encrypted
File
Systems
skA
write
read
Alice
E(pkA,
KF)
Bob
File
E(kF,
File)
E(pkB,
KF)
Dan
Boneh
Recap:
public-‐key
encryp3on
applica3ons
Key
exchange
(e.g.
in
HTTPS)
Encryp3on
in
non-‐interac3ve
seKngs:
• Secure
Email:
Bob
has
Alice’s
pub-‐key
and
sends
her
an
email
• Encrypted
File
Systems
• Key
escrow:
data
recovery
without
Bob’s
key
Escrow
Service
write
skescrow
E(pkescrow,
KF)
Bob
E(kF,
File)
E(pkB,
KF)
Dan
Boneh
Construc3ons
This
week:
two
families
of
public-‐key
encryp3on
schemes
A
=
ga
B
=
gb
a
b
B
=
(g )
=
a
b
kAB
=
gab
=
(g )
=
Ab
a
Dan
Boneh
ElGamal:
conver3ng
to
pub-‐key
enc.
(1984)
Fix
a
finite
cyclic
group
G
(e.g
G
=
(Zp)*
)
of
order
n
Fix
a
generator
g
in
G
(i.e.
G
=
{1,
g,
g2,
g3,
…
,
gn-‐1}
)
Alice
Bob
Treat
as
a
choose
random
a
in
{1,…,n}
key
random
b
in
{1,…,n}
choose
public
A
=
ga
compute
gab
=
Ab
,
derive
symmetric
key
k
,
[
ct
=
B
=
g
b
,
encrypt
m
essage
m
w
ith
]
k
Dan
Boneh
ElGamal:
conver3ng
to
pub-‐key
enc.
(1984)
Fix
a
finite
cyclic
group
G
(e.g
G
=
(Zp)*
)
of
order
n
Fix
a
generator
g
in
G
(i.e.
G
=
{1,
g,
g2,
g3,
…
,
gn-‐1}
)
Alice
Bob
Treat
as
a
choose
random
a
in
{1,…,n}
key
random
b
in
{1,…,n}
choose
public
A
=
ga
compute
gab
=
Ab
,
derive
symmetric
key
k
,
To
decrypt:
compute
gab
=
Ba
,
[
ct
=
B
=
g
b
,
encrypt
m
essage
m
w
ith
]
k
derive
k,
and
decrypt
Dan
Boneh
The
ElGamal
system
(a
modern
view)
• G:
finite
cyclic
group
of
order
n
• (Es,
Ds)
:
symmetric
auth.
encryp3on
defined
over
(K,M,C)
• H:
G2
⟶
K
a
hash
func3on
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
ElGamal Security
Dan
Boneh
Computa3onal
Diffie-‐Hellman
Assump3on
G:
finite
cyclic
group
of
order
n
Comp. DH (CDH) assump3on holds in G if: g, ga , gb ⇏ gab
[ ]
Pr
A(g,
ga,
gb
)
=
gab
<
negligible
H
acts
as
an
extractor:
strange
distribu3on
on
G2
⇒
uniform
on
K
Dan
Boneh
Suppose
K
=
{0,1}128
and
H:
G2
⟶
K
only
outputs
strings
in
K
that
begin
with
0
(
i.e.
for
all
x,y:
msb(H(x,y))=0
)
Can
Hash-‐DH
hold
for
(G,
H)
?
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
ElGamal
Variants
With
Berer
Security
Dan
Boneh
Review:
ElGamal
encryp3on
KeyGen:
g
⟵
{generators
of
G}
,
a
⟵
Zn
Can
we
prove
CCA
security
based
on
CDH
(g,
ga
,
gb
↛
gab
)
?
• Op3on
1:
use
group
G
where
CDH
=
IDH
(a.k.a
bilinear
group)
• Op3on
2:
change
the
ElGamal
system
Dan
Boneh
Variants:
twin
ElGamal
[CKS’08]
KeyGen:
g
⟵
{generators
of
G}
,
a1,
a2
⟵
Zn
Dan
Boneh
ElGamal
security
w/o
random
oracles?
Can
we
prove
CCA
security
without
random
oracles?
Dan
Boneh
Further
Reading
• The
Decision
Diffie-‐Hellman
problem.
D.
Boneh,
ANTS
3,
1998
• Universal
hash
proofs
and
a
paradigm
for
chosen
ciphertext
secure
public
key
encryp3on.
R.
Cramer
and
V.
Shoup,
Eurocrypt
2002
A Unifying Theme
Dan
Boneh
One-‐way
func3ons
(informal)
A
func3on
f:
X
⟶
Y
is
one-‐way
if
Generic:
no
special
proper3es.
Difficult
to
use
for
key
exchange.
Dan
Boneh
Ex
2:
The
DLOG
one-‐way
func3on
Fix
a
finite
cyclic
group
G
(e.g
G
=
(Zp)*
)
of
order
n
g:
a
random
generator
in
G
(i.e.
G
=
{1,
g,
g2,
g3,
…
,
gn-‐1}
)
Define:
f:
Zn
⟶
G
as
f(x)
=
gx
∈
G
Lemma:
Dlog
hard
in
G
⇒
f
is
one-‐way
Proper=es:
f(x),
f(y)
⇒
f(x+y)
=
f(x)
⋅
f(y)
⇒
key-‐exchange
and
public-‐key
encryp3on
Dan
Boneh
Ex.
3:
The
RSA
one-‐way
func3on
• choose
random
primes
p,q
≈1024
bits.
Set
N=pq.
Dan
Boneh
End
of
Segment
Dan
Boneh
Online
Cryptography
Course
Dan
Boneh
Dan
Boneh
Quick
Review:
primi3ves
CTR
CMAC,
HMAC
PRG
PRF,
PRP
MAC
GGM
PMAC
Collision
resistance
key
exchange
Dan
Boneh
Quick
Review:
primi3ves
To
protect
non-‐secret
data:
(data
integrity)
– using
small
read-‐only
storage:
use
collision
resistant
hash
– no
read-‐only
space:
use
MAC
…
requires
secret
key
To
protect
sensi=ve
data:
only
use
authen3cated
encryp3on
(eavesdropping
security
by
itself
is
insufficient)
Session
setup:
• Interac3ve
seKngs:
use
authen3cated
key-‐exchange
protocol
• When
no-‐interac3on
allowed:
use
public-‐key
encryp3on
Dan
Boneh
Remaining
Core
Topics
(part
II)
• Digital
signatures
and
cer3ficates
• Authen3cated
key
exchange
• User
authen3ca3on:
passwords,
one-‐3me
passwords,
challenge-‐response
• Privacy
mechanisms
• Zero-‐knowledge
protocols
Dan
Boneh
Many
more
topics
to
cover
…
• Ellip3c
Curve
Crypto
• Quantum
compu3ng
• New
key
management
paradigms:
iden3ty
based
encryp3on
and
func3onal
encryp3on
• Anonymous
digital
cash
• Private
vo3ng
and
auc3on
systems
• Compu3ng
on
ciphertexts:
fully
homomorphic
encryp3on
• LaKce-‐based
crypto
• Two
party
and
mul3-‐party
computa3on
Dan
Boneh
Final
Words
Be
careful
when
using
crypto:
• A
tremendous
tool,
but
if
incorrectly
implemented:
system
will
work,
but
may
be
easily
aracked
Make
sure
to
have
others
review
your
designs
and
code
Don’t
invent
your
own
ciphers
or
modes
Dan
Boneh
End
of
part
I
Dan Boneh