Presentation is loading. Please wait.

Presentation is loading. Please wait.

Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur.

Published byHilary Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur."— Presentation transcript:

1 Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur

2 Mridul Nandi Indocrypt-20082 Outline of the talk Introduction to Online Ciphers. Security Notions for Online Ciphers Known Examples of Online Ciphers. Our Constructions. Conclusion.

3 Mridul Nandi Indocrypt-20083 Online Cipher

4 Mridul Nandi Indocrypt-20084 Online Cipher Most applications want real time encryption. ( i.e., compute ciphertext as soon as a plaintext block arrived to save time and memory both ). Also known as one-pass encryption ( in two-pass encryption, whole plaintext is needed to generate some intermediate values (like, a tag) and then the plaintext is again used to compute ciphertext. The first ciphertext block can not be computed unless complete plaintext arrived ).

5 Mridul Nandi Indocrypt-20085 Online Cipher Definition (online cipher): 1.It is a block number preserving encryption algorithm. 2.If C = C 1 || C 2 || … ||C k is a ciphertext of P = P 1 || P 2 || … ||P k then C i should be computable from P 1 ||…||P i where P j ’s, C j ’s are blocks (128 bits for AES based design).

6 Mridul Nandi Indocrypt-20086 Online Cipher Definition (online cipher): 1.It is a block number preserving encryption algorithm. 2.If C = C 1 || C 2 || … ||C k is a ciphertext of P = P 1 || P 2 || … ||P k then C i should be computable from P 1 ||…||P i where P j ’s, C j ’s are blocks (128 bits for AES based design). In other words, there exists an algorithm B, such that B(P 1,…, P i ) = C i, i =1,…,k. It is real time encryption, But, not necessarily means it requires less memory. Why?

7 Mridul Nandi Indocrypt-20087 Online Cipher P1P1 C1C1 Buffer P1P1 Input stream

8 Mridul Nandi Indocrypt-20088 Online Cipher P2P2 C2C2 Buffer P 1 P 2 Input stream

9 Mridul Nandi Indocrypt-20089 Online Cipher P3P3 C3C3 Buffer P 1 P 2 P 3 Input stream

10 Mridul Nandi Indocrypt-200810 Online Cipher PkPk CkCk Buffer P 1 P 2 P 3 … P k Input stream Buffer size increases linearly as plaintexts are arriving. So it does not save memory, but it is one-pass and hence once the whole plaintext is arrived the complete cipher text is known.

11 Mridul Nandi Indocrypt-200811 Efficient Online Ciphers fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 Buffer size =3 Plaintext Ciphertext

12 Mridul Nandi Indocrypt-200812 Efficient Online Ciphers fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 Buffer size =3, when T=1, 0, 0, P 1 Buffer Plaintext Ciphertext

13 Mridul Nandi Indocrypt-200813 Efficient Online Ciphers fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 Buffer size =3, when T=2, P 1, C 1, P 2 Buffer Plaintext Ciphertext

14 Mridul Nandi Indocrypt-200814 Efficient Online Ciphers fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 Buffer size =3, when T=k, P k-1, C k-1, P k Buffer Plaintext Ciphertext

15 Mridul Nandi Indocrypt-200815 Is it an Online Cipher? fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 C i = A(P i-1, C i-1, P i ) depends on C i-1 (not in the definition of online cipher)

16 Mridul Nandi Indocrypt-200816 Is it an Online Cipher? ff f … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 Definition (online cipher): 1.It is a block number preserving encryption algorithm. 2.If C = C 1 || C 2 || … ||C k is a ciphertext of P = P 1 || P 2 || … ||P k then C i should be computable from P 1 ||…||P i where P j ’s, C j ’s are blocks (128 bits for AES based design). C i = A(P i-1, C i-1, P i ) depends on C i-1 (not in the definition of online cipher)

17 Mridul Nandi Indocrypt-200817 Is it an Online Cipher? ff f … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 But C i-1 depends on P i-2, P i-1 and C i-2 and so on. So by induction it can be shown that C i depends only on P 1,…,P i Definition (online cipher): 1.It is a block number preserving encryption algorithm. 2.If C = C 1 || C 2 || … ||C k is a ciphertext of P = P 1 || P 2 || … ||P k then C i should be computable from P 1 ||…||P i where P j ’s, C j ’s are blocks (128 bits for AES based design).

18 Mridul Nandi Indocrypt-200818 It is an Online Cipher. fff … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, P i should be computable from P i-1, C i-1 and C i = f(P i-1, C i-1, P i ).

19 Mridul Nandi Indocrypt-200819 Inverse of an Online Cipher. gg g … C1C1 P1P1 P2P2 P k-1 PkPk C2C2 C k-1 CkCk 0 0 If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, P i should be computable from P i-1, C i-1 and C i = f(P i-1, C i-1, P i ). So P i = g(P i-1,C i-1,C i ).

20 Mridul Nandi Indocrypt-200820 Security Notions

21 Mridul Nandi Indocrypt-200821 Security notions for Online Ciphers (Strong) Pseudo Random Permutation are strongest security notions for an encryption algorithm. Online cipher can not be (S)PRP since online property itself can be used to make a distinguishing attack. Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) introduced desired security notions (maximum security can be achieved for online ciphers by introducing ideal online cipher).

22 Mridul Nandi Indocrypt-200822 Security notions for Online Ciphers Chosen-Plaintext Secure or CPA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries. Chosen-Ciphertext Secure or CCA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.

23 Mridul Nandi Indocrypt-200823 Known Examples

24 Mridul Nandi Indocrypt-200824 Hash-CBC Online Ciphers 1.Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) designed Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA- secure). 2.Needs a blockcipher and a Almost XOR- universal hash function. 3.Universal Hash function with CBC mode.

25 Mridul Nandi Indocrypt-200825 AU hash function Poly hash generates the distinct counter for distinct messages with high probability. Poly-hash is L/2 n –AU hash function where L is the max number of blocks of a plaintext. Pr[H h (M) = H h (M’)  i]  L/2 n where  is either + (modulo addition) or  (xor).

26 Mridul Nandi Indocrypt-200826 Hash-CBC: HCBC1 0 EkEk C1C1 P1P1 H EkEk C2C2 P2P2 H EkEk CkCk PkPk H C k-1 1.CPA-secure but not CCA-secure. 2.H : {0,1} n  {0,1} n is AXU-hash function (n = block size). 3.Two independent keys (one for H and one for E). n n …

27 Mridul Nandi Indocrypt-200827 Hash-CBC: HCBC2 1.CCA-secure. 2.H : {0,1} 2n  {0,1} n is AXU-hash function. 3.Two independent keys (H and E).

28 Mridul Nandi Indocrypt-200828 Our Constructions

29 Mridul Nandi Indocrypt-200829 0 0 EkEk C1C1 P1P1 H EkEk C2C2 P2P2 H EkEk CnCn PnPn H P k-1 C k-1 … Recall HCBC2 n n Hash H takes two n bit inputs and produces n bit output. We can xor the two n bit inputs before feeding into H.

30 Mridul Nandi Indocrypt-200830 MHCBC

31 Mridul Nandi Indocrypt-200831 Modified Hash-CBC: MHCBC 0 0 P k-1 C k-1 EkEk CkCk PkPk H n EkEk C1C1 P1P1 H n EkEk C2C2 P2P2 H n …

32 Mridul Nandi Indocrypt-200832 Modified Hash-CBC: MHCBC 1.CCA-secure. 2.H : {0,1} n  {0,1} n is AXU-hash function. 3.Two independent keys (H and E).

33 Mridul Nandi Indocrypt-200833 MCBC-1

34 Mridul Nandi Indocrypt-200834 Modified CBC: MCBC 0 0 P k-1 C k-1 C1C1 P1P1 … HEkEk C1C1 P1P1 HEkEk C1C1 P1P1 HEkEk We need a AXU-hash function. E K itself can be a candidate for this.

35 Mridul Nandi Indocrypt-200835 Modified CBC: MCBC-1 0 0 P k-1 C k-1 C1C1 P1P1 … E k2 E k1 C1C1 P1P1 E k2 E k1 C1C1 P1P1 E k2 E k1 We need a AXU-hash function. E K itself can be a candidate for this. So we can replace H by E k2 (independently chosen key K2). This is called MCBC-1

36 Mridul Nandi Indocrypt-200836 Modified CBC: MCBC 0 0 P k-1 C k-1 C1C1 P1P1 … EkEk EkEk C1C1 P1P1 EkEk EkEk C1C1 P1P1 EkEk EkEk What will happen if we replace H by E k (same key K)? Is it secure?

37 Mridul Nandi Indocrypt-200837 Modified CBC: MCBC 0 0 P k-1 C k-1 C1C1 P1P1 … EkEk EkEk C1C1 P1P1 EkEk EkEk C1C1 P1P1 EkEk EkEk NOT SECURE

38 Mridul Nandi Indocrypt-200838 Modified CBC: MCBC 0 0 0 EkEk E -1 k 1 st Decryption query with ciphertext 0, then plaintext is E k (0) = v 0. E k (0) 0

39 Mridul Nandi Indocrypt-200839 Modified CBC: MCBC 0 0 v2v2 EkEk EkEk v0v0 0 1 st Encryption query with plaintext 0 Ciphertext will be E k (v 0 ) + v 0 = v 2. Let E k (v 0 )= v 1. v0v0 v0v0 v1v1 1 st Decryption query with ciphertext 0, then plaintext is E k (0) = v 0.

40 Mridul Nandi Indocrypt-200840 Modified CBC: MCBC 0 0 EkEk EkEk v0v0 v0v0 v0v0 v0v0 0 0 EkEk EkEk v1v1 v1v1 v0v0 v1v1 0 v0v0 v2v2 2 nd Encryption query with plaintext (v 0,v 1 ). The ciphertext will be (0,v 2 ) with probability one which is not desired for an ideal random online cipher.

41 Mridul Nandi Indocrypt-200841 MCBC-2

42 Mridul Nandi Indocrypt-200842 Modified CBC: MCBC 0 0 P k-1 C k-1 C1C1 P1P1 … EkEk EkEk C1C1 P1P1 EkEk EkEk C1C1 P1P1 EkEk EkEk EkEk K1K1 1 K1K1 K1K1 K1K1 K1 protects from the previous attack. In fact, it is CCA-secure.

43 Mridul Nandi Indocrypt-200843 Comparison ModeBC-Calls Key-sch AXU- Hash Type of Hash Keys HCBC1m1mn  nK BC + K H HCBC2m1m2n  nK BC + K H’ MHCBCm1mn  nK BC + K H MCBC-12m20-2K BC MCBC-22m+110-K BC

44 Mridul Nandi Indocrypt-200844 Conclusion 1. Revisited Hash-CBC online ciphers. 2. Modified them by 1. Reducing key space 2. Removing universal hash function 3. having better efficiency. 3. These are termed MHCBC and MCBC. 4. A simple modification of MHCBC won’t work. 5. An unified way of proving security of online ciphers (in the paper).

45 Mridul Nandi Indocrypt-200845 Thank you for your attention

Download ppt "Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur."

Similar presentations

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Merkle Damgard Revisited: how to Construct a hash Function

Merkle Damgard Revisited: how to Construct a hash Function
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
FEAL FEAL 1.

FEAL FEAL 1.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Similar presentations

Ads by Google