Cryptography Lecture 7 Arpita Patra © Arpita Patra.

2 Recall
>> New definitions for SKE: cpa, cpa-security & cpa-mult-security
>> New assumptions: PRF, PRP, SPRP

3 Today's Goal
- cpa-secure scheme from PRF
- Proof of security
- Practical cpa-secure schemes from PRF/PRP/SPRP for long messages
- SSL (Secure Sockets Layer) 3.0, TLS (Transport Layer Security) 1.0

4 Minicrypt: Secret Key World
[Diagram of reductions in Minicrypt, with arrows numbered (1)-(7): SKE and MAC from PRF, PRF from PRG, PRG from OWF]

5 Towards cpa-secure Scheme
Idea: fix a truly random function f: {0,1}^n -> {0,1}^n, stored as a table of 2^n entries
  x1 = 00000…0        ->  y1 ←R {0,1}^n
  x2 = 00000…1        ->  y2 ←R {0,1}^n
  …
  x_{2^n} = 11111…1   ->  y_{2^n} ←R {0,1}^n
Enc?? Pick an entry i and output c = (xi, m ⊕ yi): the pad yi is truly random, so every encryption is an instance of OTP
>> Problem with the above solution --- size of f is n2^n bits

6 Fixed-length cpa-secure SKE from PRF
Secret PRF-key k shared via key-agreement. K = {0,1}^n, M = {0,1}^n, C = {0,1}^2n
Gen: k ←R K
Enck(m), m ∈ M:
- r ←R {0,1}^n
- c = (r, m ⊕ Fk(r)), c ∈ C
Deck(c = (c0, c1)):
- m = c1 ⊕ Fk(c0)

7 Security Proof
K = {0,1}^n, M = {0,1}^n, C = {0,1}^2n. Gen: k ←R K. Enck(m): r ←R {0,1}^n, c = (r, m ⊕ Fk(r)). Deck(c = (c0, c1)): m = c1 ⊕ Fk(c0)
Theorem. If Fk is a PRF, then Π is a CPA-secure scheme.
Proof: On the board.
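The fixed-length scheme of slides 6-7 as runnable code, added here as an example and not part of the lecture slides; the PRF is instantiated with HMAC-SHA256 (an assumption of this example, as are all names), and the helper for slide 5's truly random table shows the n·2^n storage cost that motivates replacing f by a PRF.

```python
import hmac
import hashlib
import secrets

N_BYTES = 32  # n = 256 bits: key, message and PRF-output length of the fixed-length scheme


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): the PRF, instantiated here with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen: k <-R K = {0,1}^n."""
    return secrets.token_bytes(N_BYTES)


def enc(k: bytes, m: bytes) -> tuple:
    """Enc_k(m): r <-R {0,1}^n, c = (r, m xor F_k(r)). A fresh r is drawn on every
    call, so the same message encrypts differently each time (needed for CPA security)."""
    if len(m) != N_BYTES:
        raise ValueError("fixed-length scheme: message must be exactly n bits")
    r = secrets.token_bytes(N_BYTES)
    return r, xor(m, prf(k, r))


def dec(k: bytes, c: tuple) -> bytes:
    """Dec_k(c0, c1): m = c1 xor F_k(c0); the receiver recomputes the pad from c0."""
    c0, c1 = c
    return xor(c1, prf(k, c0))


def truly_random_pad_table(n_bits: int) -> tuple:
    """Slide 5's ideal version: a truly random f: {0,1}^n -> {0,1}^n stored as the
    table x_i -> y_i. Returns the table and its size in bits, n * 2^n, which is the
    reason f has to be replaced by a PRF with a short key."""
    table = {x: secrets.randbits(n_bits) for x in range(2 ** n_bits)}
    return table, n_bits * 2 ** n_bits
```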

8 Recall Security Proof of PRG-based Scheme
Secret PRG-key k. Enck(m) >> c = m ⊕ G(k). Deck(c) >> m = c ⊕ G(k)
Theorem. If G is a PRG, then Π is a coa-secure scheme.
Proof: Assume Π is not secure, i.e. there exist A and p(n) with Pr[PrivK^coa_{A,Π}(n) = 1] > ½ + 1/p(n).
Build a distinguisher D for G (given y ∈ {0,1}^n: PRS or RS?) by running PrivK^coa_{A,Π}(n) with y as the pad:
- A outputs m0, m1 ∈ M with |m0| = |m1|
- D picks b ← {0,1} and hands A the ciphertext c = mb ⊕ y
- A outputs b' ∈ {0,1}; D outputs 1 if b = b', 0 otherwise
Then Pr[D(G(s)) = 1] = Pr[PrivK^coa_{A,Π}(n) = 1] (pseudorandom y: exactly the scheme), while Pr[D(y) = 1] = ½ for uniform y (the pad is a one-time pad), so D distinguishes with gap at least 1/p(n).

9 CPA-security for Arbitrary-length Messages (Theoretical Construction)
Let Π = (Gen, Enc, Dec) be a fixed-length CPA-secure scheme based on PRP/SPRP/PRF, supporting messages of length n.
To encrypt m = m1 m2 m3 under k ← Gen, encrypt each block separately with fresh randomness:
- Enck(m1): r1 ←R {0,1}^n, (r1, m1 ⊕ Fk(r1))
- Enck(m2): r2 ←R {0,1}^n, (r2, m2 ⊕ Fk(r2))
- Enck(m3): r3 ←R {0,1}^n, (r3, m3 ⊕ Fk(r3))
c1 c2 … c6 ← Enck(m): the three pairs (ri, mi ⊕ Fk(ri)) concatenated
Without compromising CPA security. Nice blend of Practice and Theory.

10 How Good is it? Assume Message Blocks: l; |m| = ln

Scheme                   | Randomness Usage | Ciphertext Expansion | Ciphertext Computation Parallelizable | Randomness Reusability | Minimal Assumption (PRF/PRP/SPRP) | CPA Security
Theoretical Construction | n / block -> ln  | 2n / block -> 2ln    | Yes                                   | No                     | PRF                               | Yes
Finally (target)         | n overall        | ln + n               | Yes                                   |                        | PRF                               | Yes

11 Block-cipher Modes of Operations
Given - A length-preserving block cipher F (may be a PRF/PRP/SPRP) with block length n: a keyed algorithm with k ←R {0,1}^n and Fk(x) = F(k, x) ∈ {0,1}^n for x ∈ {0,1}^n
Goal - To encrypt a message m = m1 m2 … ml using F with ciphertext length as small as possible and with as little randomness as possible.
- Without loss of generality --- each mi ∈ {0,1}^n

12 Electronic Code Book (ECB) Mode
Gen: k. c1 = Fk(m1), c2 = Fk(m2), c3 = Fk(m3)
Encryption: compute ci = Fk(mi) – No randomness used at all! |c| = |m|
Decryption: compute mi = Fk^-1(ci) >> Assumes Fk is SPRP.
Parallelizable!
CPA Security? >> Deterministic Encryption >> No. Not even coa security for multiple messages

13 Current Picture. Assume Message Blocks: l; |m| = ln

Scheme                   | Randomness Usage | Ciphertext Expansion | Ciphertext Computation Parallelizable | Randomness Reusability | Minimal Assumption (PRF/PRP/SPRP) | CPA Security
Theoretical Construction | n / block -> ln  | 2n / block -> 2ln    | Yes                                   | No                     | PRF                               | Yes
ECB Mode                 | No randomness    | ln                   | Yes                                   | ---                    | SPRP                              | NO

14 Cipher Block Chaining (CBC) Mode
Gen: k. c0 = IV ←R {0,1}^n
c1 = Fk(m1 ⊕ c0), c2 = Fk(m2 ⊕ c1), c3 = Fk(m3 ⊕ c2)
Encryption: ci = Fk(mi ⊕ ci-1), for i = 1, …, l; Enck(m1 m2 … ml) = (c0 c1 … cl)
Decryption: mi = Fk^-1(ci) ⊕ ci-1, for i = 1, …, l
>> Assumes Fk is SPRP.
>> NO blockwise parallel computation: each block needs the previous ciphertext block
>> Randomized encryption. Provides CPA security (proof: HW)

15 Current Picture. Assume Message Blocks: l; |m| = ln

Scheme                   | Randomness Usage | Ciphertext Expansion | Ciphertext Computation Parallelizable | Randomness Reusability | Minimal Assumption (PRF/PRP/SPRP) | CPA Security
Theoretical Construction | n / block -> ln  | 2n / block -> 2ln    | Yes                                   | No                     | PRF                               | Yes
ECB Mode                 | No randomness    | ln                   | Yes                                   | ---                    | SPRP                              | NO
CBC Mode                 | n                | ln + n               | NO                                    | ---                    | SPRP                              | YES

16 IV Misuse in CBC Mode
m = m1 m2 m3; c0 = IV; c1 = Fk(m1 ⊕ c0), c2 = Fk(m2 ⊕ c1), c3 = Fk(m3 ⊕ c2)
Is choosing distinct (rather than uniform) IVs enough? It would save randomness.
Unfortunately this version of CBC mode is not cpa-secure --- Assignment

17 IV Misuse in CBC Mode
m = m1 m2 m3; c0 = IV; c1 = Fk(m1 ⊕ c0), c2 = Fk(m2 ⊕ c1), c3 = Fk(m3 ⊕ c2)
Can the last ciphertext block of the previous message act as the IV for the next encryption? Bandwidth and randomness saving

18 IV Misuse in CBC Mode
Ideal way of encrypting two messages M1 = m1 m2 m3 and M2 = m4 m5 m6 via CBC mode: independent IVs
- M1 with IV1 = c0: (c0 c1 c2 c3)
- M2 with IV2 = c4: (c4 c5 c6 c7)
Can the last ciphertext block of the previous message act as the IV for the next encryption? Bandwidth and randomness saving

19 IV Misuse in CBC Mode - Chained CBC
Chained CBC mode: one IV1 = c0 only; M1 = m1 m2 m3 gives c1 c2 c3, and M2 = m4 m5 m6 is chained on with c3 as its IV, giving c4 c5 c6
Can the last ciphertext block of the previous message act as the IV for the next encryption?
>> Bandwidth and randomness saving
>> Chained CBC mode --- used in SSL 3.0 and TLS 1.0
>> Stateful variant of CBC
CPA security?
>> It is "equivalent" to encrypting a single large message M = M1 || M2 via CBC mode
>> Yet Not CPA-secure
No modifications to crypto schemes, even if the modifications look benign: BEAST attack on SSL/TLS
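An added example (not code from the lecture) that makes the definitional point of slides 12, 19 and 29 concrete: ECB's determinism, CBC with a fresh IV, and the chained CBC of SSL 3.0 / TLS 1.0 run through one round of the CPA experiment, where the adversary already knows the next IV. The block cipher F is a toy Feistel permutation built from HMAC-SHA256; that construction and all names are assumptions of the example.

```python
import hmac, hashlib, secrets

N = 16  # block length n = 128 bits

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp(k: bytes, x: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 16-byte blocks with an HMAC-SHA256 round
    function; it stands in for the block cipher F and is an assumption of this example."""
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, xor(l, hmac.new(k, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r

def ecb_encrypt(k: bytes, blocks: list) -> list:
    """ECB: c_i = F_k(m_i). Deterministic, so equal plaintext blocks give equal
    ciphertext blocks (the pattern leak of slide 29)."""
    return [prp(k, m) for m in blocks]

def cbc_encrypt(k: bytes, iv: bytes, blocks: list) -> list:
    """CBC: c_0 = IV, c_i = F_k(m_i xor c_{i-1}); CPA-secure when IV <-R {0,1}^n per message."""
    out = [iv]
    for m in blocks:
        out.append(prp(k, xor(m, out[-1])))
    return out

class ChainedCBC:
    """Chained CBC of SSL 3.0 / TLS 1.0: the IV of the next message is the last
    ciphertext block of the previous one, so the adversary learns it before choosing."""
    def __init__(self, k: bytes):
        self.k, self.iv = k, secrets.token_bytes(N)
    def encrypt(self, blocks: list) -> list:
        c = cbc_encrypt(self.k, self.iv, blocks)
        self.iv = c[-1]
        return c

def cpa_experiment_chained_cbc(k: bytes) -> bool:
    """One run of the CPA experiment against chained CBC; True iff the adversary
    guesses the challenge bit b. The two one-block messages m0, m1 are constructed."""
    oracle = ChainedCBC(k)
    m0, m1 = bytes(N), bytes([1]) * N
    b = secrets.randbits(1)
    c = oracle.encrypt([(m0, m1)[b]])            # challenge: (c_0 = IV, c_1)
    # The next IV is c_1, already known. Querying m* = m0 xor c_0 xor c_1 makes the
    # cipher input m* xor c_1 = m0 xor c_0, so the answer equals c_1 exactly when b = 0.
    c_star = oracle.encrypt([xor(xor(m0, c[0]), c[1])])
    return (0 if c_star[1] == c[1] else 1) == b
```

Because F is a permutation, the guess is right in every run, which is exactly what "not CPA-secure" means; with a fresh uniform IV per message the adversary could not have chosen m* in advance.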

20 Output Feedback (OFB) Mode
Gen: k. c0 = IV = y0 ←R {0,1}^n
y1 = Fk(y0), y2 = Fk(y1), y3 = Fk(y2); c1 = y1 ⊕ m1, c2 = y2 ⊕ m2, c3 = y3 ⊕ m3
Encryption: Enck(m1 m2 … ml) = (c0 c1 … cl)
- First generate a pseudorandom stream of pad (independent of m)
- Use the pseudorandom stream for masking m

21 Output Feedback (OFB) Mode
Gen: k. c0 = IV = y0 ←R {0,1}^n; y1 = Fk(y0), y2 = Fk(y1), y3 = Fk(y2); c1 = y1 ⊕ m1, c2 = y2 ⊕ m2, c3 = y3 ⊕ m3
Encryption: Enck(m1 m2 … ml) = (c0 c1 … cl)
Decryption: mi = Fk(yi-1) ⊕ ci
>> PRF enough!
>> Not parallelizable, but pre-computable
>> CPA-secure! The chained version too!

22 Current Picture. Assume Message Blocks: l; |m| = ln

Scheme                   | Randomness Usage | Ciphertext Expansion | Ciphertext Computation Parallelizable | Randomness Reusability | Minimal Assumption (PRF/PRP/SPRP) | CPA Security
Theoretical Construction | n / block -> ln  | 2n / block -> 2ln    | Yes                                   | No                     | PRF                               | Yes
ECB Mode                 | No randomness    | ln                   | Yes                                   | ---                    | SPRP                              | NO
CBC Mode                 | n                | ln + n               | NO                                    | ---                    | SPRP                              | YES
OFB Mode                 | n                | ln + n               | NO (but pre-computable)               | YES                    | PRF                               | YES

23 Counter (CTR) Mode
Gen: k. c0 = CTR ←R {0,1}^n
Pseudorandom stream: yi = Fk(CTR + i mod 2^n), giving y1, y2, y3
c1 = y1 ⊕ m1, c2 = y2 ⊕ m2, c3 = y3 ⊕ m3
Encryption: Enck(m1 m2 … ml) = (c0 c1 … cl)
Same idea as in OFB mode: pseudorandom stream followed by masking. However, everything can now be parallelized.

24 Counter (CTR) Mode
Gen: k. c0 = CTR ←R {0,1}^n; yi = Fk(CTR + i mod 2^n); ci = yi ⊕ mi
Highly attractive features:
- Encryption: Enck(m1 m2 … ml) = (c0 c1 … cl); Decryption: easy (mi = yi ⊕ ci); PRF enough!
- Encryption / decryption can be parallelized
- Can decrypt a specific ciphertext block by just one invocation of F
- Chained / stateful variant is CPA-secure

25 Current Picture. Assume Message Blocks: l; |m| = ln

Scheme                   | Randomness Usage | Ciphertext Expansion | Ciphertext Computation Parallelizable | Randomness Reusability | Minimal Assumption (PRF/PRP/SPRP) | CPA Security
Theoretical Construction | n / block -> ln  | 2n / block -> 2ln    | Yes                                   | No                     | PRF                               | Yes
ECB Mode                 | No randomness    | ln                   | Yes                                   | ---                    | SPRP                              | NO
CBC Mode                 | n                | ln + n               | NO                                    | ---                    | SPRP                              | YES
OFB Mode                 | n                | ln + n               | NO (but pre-computable)               | YES                    | PRF                               | YES
CTR Mode                 | n                | ln + n               | YES                                   | YES (stateful variant) | PRF                               | YES

26 Some Practical Issues: Block length in practice
- CBC, OFB and CTR modes use a random IV as the starting point, for randomizing the encryption process
- It ensures that each invocation of F is on a "fresh" input (w.h.p.); if two invocations of F are on the same input --- security issues
- Ideal size of IV? --- depends on the block length supported by F (birthday paradox)
- Say the block length supported by F is l; in CTR mode, the IV will be a uniform string of l bits
- After 2^(l/2) encryptions, the IV will repeat with constant probability
- If l is too short, then impractical security (even if F is a SPRP)
- DES with l = 64: IV repetition after 2^32 ≈ 4,300,000,000 encryptions --- approximately 32 GB of plaintexts, which may not be too large for all applications

27 Some Practical Issues: IV misuse
- Assumption made: a uniform IV is selected as the starting point. What if the assumption goes wrong (say due to poor randomness generation, incorrect implementation, etc.)?
- Problems if an IV is repeated:
  - In the CTR and OFB modes, the same pseudorandom stream will be generated; two messages XORed with the same stream --- serious security breach
  - In the CBC mode, the effect is not that serious: after a few blocks, the inputs to F will "diverge" (blocks of m are also part of the input)
- Solution against IV misuse: use CBC mode, or stateful OFB / CTR mode
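CTR mode from slides 23-24 together with the IV-repetition issue of slide 27, as an added example that is not the lecture's code: F_k is instantiated with HMAC-SHA256 truncated to one block, the stateful variant carries the counter across messages so the stream is never reused, and the last function computes what a repeated IV exposes. The HMAC instantiation and all names are assumptions of the example.

```python
import hmac
import hashlib
import secrets

N = 16                 # block length n = 128 bits
MOD = 1 << (8 * N)     # counters are taken mod 2^n


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bits (assumed PRF instantiation)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def pad_block(k: bytes, ctr: int, i: int) -> bytes:
    """y_i = F_k(ctr + i mod 2^n): independent of every other block, hence parallelizable."""
    return prf(k, ((ctr + i) % MOD).to_bytes(N, "big"))


def ctr_encrypt(k: bytes, ctr: int, blocks: list) -> list:
    """Enc_k(m_1 ... m_l) = (c_0 = ctr, c_i = y_i xor m_i)."""
    return [ctr.to_bytes(N, "big")] + [xor(pad_block(k, ctr, i + 1), m) for i, m in enumerate(blocks)]


def ctr_decrypt_block(k: bytes, c: list, i: int) -> bytes:
    """Random access: m_i from c_0 and c_i with a single invocation of F."""
    return xor(c[i], pad_block(k, int.from_bytes(c[0], "big"), i))


class StatefulCTR:
    """Chained/stateful CTR: the counter keeps running across messages, so the
    pseudorandom stream is never reused as long as fewer than 2^n blocks are sent."""
    def __init__(self, k: bytes):
        self.k = k
        self.ctr = int.from_bytes(secrets.token_bytes(N), "big")  # initial CTR <-R {0,1}^n

    def encrypt(self, blocks: list) -> list:
        c = ctr_encrypt(self.k, self.ctr, blocks)
        self.ctr = (self.ctr + len(blocks)) % MOD
        return c


def iv_reuse_leak(k: bytes, ctr: int, m1: bytes, m2: bytes) -> bytes:
    """Slide 27's breach: two one-block messages under the same IV share the pad y_1,
    so c1 xor c2 = m1 xor m2 is computable from the ciphertexts alone."""
    c1 = ctr_encrypt(k, ctr, [m1])
    c2 = ctr_encrypt(k, ctr, [m2])
    return xor(c1[1], c2[1])
```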


29 Insecurity of ECB Mode: A Practical Example
Think of some practical situation where encrypting using ECB mode is indeed dangerous.
Suppose you want to encrypt a black and white image using ECB mode; say a group of pixels in the image corresponds to one block of F.
[Figure: the image to be encrypted, the encrypted image (via ECB mode) and the encrypted image (via a secure mode)]
Source: Wikipedia, with image derived from Larry Ewing using GIMP

30 Block-cipher Modes of Operations: Some Practical Issues
- Message transmission errors (non-adversarial): dropped packets, changed bits, etc. Different modes of operation have different effects. Standard solutions --- error-correction, re-transmission
- Message transmission errors (adversarial): what if the adversary "changes" ciphertext contents? Issue of message integrity / authentication. Will be discussed in detail later

