1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a new and old ● Cascade [EG85]: E*=E◦E’ ● E* is CPA - secure if either E or E’ is CPA – secure We say that cascade is cryptanalysis tolerant E E’

2 Cascading CPA - question ● Given two encryption schemes which one of them is candidate CPA secure, E and E’, define: E* k,k' (x) = E k (E’ k' (x)) ● Question: assume either E or E’ is a CPA secure. Is then E* a CPA secure crypto system? ● Answer:

3 Cascading CPA-Secure system ● Claim: if either E or E’ is a CPA-Secure, then E* is a CPA-Secure. ● Proof: Suppose to contrary there exists adv A* That Pr X=EX(Є,ADV) [X.win ^ X.t≤ t|X=EX(E(E',A*,k)]>½+ ε*(k,t,q) i.e. Can distiniguishE* from some random permutation. ● Let adv A(for E), A'(for E') use A* (As sub routine) to distinguish. ● Prove for A (A and A' are similar).

4 Cont' ● A tries to win test for E while using A* on E*. A uses E as a black box. ● Key generation - A generates keys for E'. ● Select – A needs to respond to encryption and decryption requests to E* (requests sent from A*).  When A* asks to encrypt m, A asks for encryption by c=E(m) and calculates E'(c) (has keys). ● Encrypt – When A* outputs, A outputs same for E and calculates on E' (returns result to A). ● When A* outputs guess, b' then A outputs the same. Wins if A* wins since performs only one more computation.

5 A controls E’, e.g. Encrypt A selects messages to encrypt, e.g. select

6 Cryptographic Constructions Demonstrating insecurity ● Usual method:  Let g’ be an arbitrary function for goal G.  Design g which also satisfies G: Security of g follows (easily?) from security of g’ But g is not good for the construction… Namely: the function f which is constructed using g does not satisfy goal F.

7 Plaintext Encrypted ECBEncrypted Non ECB An example of patterns ECB leaves in cipher text When encrypting pixels (pixel by pixel encryption)

8 CBC

9 OFB

10 CBC - OFB ● CBC  requires padding of message to block size.  Decryption can be parallelized  1 bit change of plaintext affects all cipher texts ● OFB  Does not require message padding  Decryption can't be done in parallel  Bit flips can be detected in many embedded ECC ● Both  “Randomization” properties – can't detect same block.

11 Problem ● CBC and OFB are great for creating VIL cipher from FIL blocks, however they have some drawbacks. ● Transmission errors. ● Parallel computation. ● Please describe the drawbacks in detail. ● Please suggest a scheme for creating VIL cipher from FIL blocks which has CBC/OFB properties and eliminates the limitations described above.

12 Solution ● Drawbacks  Block dependency causes encryption/decryption to be synchronous (CBC decryption can be parallel)  Decryption (CBC) - In case a block is damaged, its dependent block can't be deciphered as well.  CBC Block damage can be from a single bit. OFB can correct errors with embedded ECC (single bits).

13 Solution ● Instead of chaining to disguise cipher, use counter.(Counter must be kept secret)

14 Indistinguishability Test ● Prove that the following encryption scheme does not pass Ind. Test. ● Discrete log – base for several public key crypto systems ● Assumption: for known prime p, generator g of Z_p and y it's hard to find x such that g x mod p = y ● For public prime p and generator g (for Z_p), where m< p: Ek(m) = { x = g^m mod p; y = g^(kx) mod p; return x||(y xor m) }

15 Solution ● Adv can calculate x, thus distinguish the message from a random message.

16 Indistinguishability Test is Strong ● Two encryptions of the same message should be indistinguishable  Otherwise adversary can ask for another encryption of known message and identify it  Encryption must be randomized and/or state variable With state variable, encryption depends on history  In practice: usually encryption is randomized ● No assumption about the plaintext  May be just two messages, ‘0’ and ‘1’  May be biased (90% is ‘0’)

17 CPA-IND Secure Cryptosystem from KPA-Secure ● Let C k be a KPA – Secure crypto system ● Then encrypt each message m using E k (m)=r||C k (m  r), where r is random ● Observation: this is simply CBC-mode of C k with a single block!  Proof extends to multiple-block CBC ● Theorem [GM89]: E k (m) is CPA-IND secure.

18 Question ● Let E be a KPA secure crypto system. Consider the following function on {0,1} 2n (for any n): E’ k (x)= E k (x[1..n)]) || E k (E k (x[1..n)])  x[(n+1)..2n]). ● Is E'k(x) KPA secure? ● Is E'k(x) CPA secure?

19 Solution ● Not CPA Secure -  Choose 2 different input texts, for example 1010||1100, 1010||1001  Output of MSB is same for both “different” outputs.  This is the case because of E k (x[1..n)]) ● KPA Secure -  Never choose messages with same MSB.

20 Error Detection ● We would like to transmit ciphertext over the wire. Alice suggests to use parity check as error-detection code. ● Do we have privacy ? ● Do we have integrity ?

21 Error Detection ● Assume OTP encryption, interceptive adversary. ● Adversary doesn’t know k, sees c on the wire. ● c = m xor k || parity(m) [bit] ● Adversary removes c, replace with c’ where any even number of bits can be flipped (notice, that in this example, adversary doesn’t even need to know m). ● Ok, no integrity, but maybe privacy ? ● What about known domain of messages (money transfer)