Blockcipher Security Notions
Martijn Stam, Department of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom.
Sibenik, 7 June 2016

Basic Syntax of Blockciphers: DES and AES
Data Encryption Standard (DES)
An Early Blockcipher

1970s: DES provided the first FIPS standard for a blockcipher. It takes as input:
  a 56-bit string k called the key;
  a 64-bit string x called the plaintext or input block;
and outputs a 64-bit string y called the ciphertext or output block.
The algorithm is stateless, deterministic, and invertible:
  for all $k, x$: if $y \leftarrow \mathrm{DES}_k(x)$ then $x \leftarrow \mathrm{DES}_k^{-1}(y)$.
Advanced Encryption Standard (AES)
A Modern Blockcipher

Turn of the century: NIST approves AES as the successor of DES. AES comes in three variants, AES-128, AES-192 and AES-256, named after their key length. AES-$K$ takes as input:
  a $K$-bit string k called the key, with $K \in \{128, 192, 256\}$;
  a 128-bit string x called the plaintext or input block;
and outputs a 128-bit string y called the ciphertext or output block. The block length is 128 bits for all three variants.
The algorithm is stateless, deterministic, and invertible:
  for all $k, x$: if $y \leftarrow \mathrm{AES}_k(x)$ then $x \leftarrow \mathrm{AES}_k^{-1}(y)$.
Basic Syntax of Blockciphers: Formal Syntax

Blockciphers
Syntax

A blockcipher is a set of keyed permutations $E : \mathcal{K} \times X \to X$, where $\mathcal{K}$ is the set of keys and $X$ the set of plaintext blocks.

Notation for blockciphers
  $\mathrm{Block}(\mathcal{K}, X)$ denotes the set of all possible blockciphers of the given dimensions.
  $\mathrm{Perm}(X)$ denotes the set of all permutations on $X$.

Notation for $E \in \mathrm{Block}(\mathcal{K}, X)$
  For $k \in \mathcal{K}$ we write $E_k(\cdot)$ for $E(k, \cdot)$. As $E_k \in \mathrm{Perm}(X)$ it has an inverse $E_k^{-1}$, also written $D_k$.
  For all $k \in \mathcal{K}$, $x \in X$: $D_k(E_k(x)) = E_k(D_k(x)) = x$.
  (Figure: $x \xrightarrow{E_k} y$ and back $y \xrightarrow{D_k} x$.)

Using bitstrings as inputs
  $\mathcal{K} = \{0,1\}^K$ for some key length $K \in \mathbb{N}$; $X = \{0,1\}^n$ for some block length $n$.
  DES has $n = 64$ and $K = 56$; AES has $n = 128$ and $K \in \{128, 192, 256\}$.
Basic Security of Blockciphers: Ideas?

Blockcipher Security
Ideas?

(Figure: $x \xrightarrow{E_k} y$.) What security would you expect from a blockcipher?

Some random thoughts... It should be hard to
  recover the key! But when?
  learn plaintexts! Which plaintexts?
  predict ciphertexts! In what context?
  distinguish its output from random! Random in what sense?

More precise definitions are needed, that
  highlight what an adversary can do and tries to achieve;
  take into account the context in which the blockcipher is used;
  ...so useful conclusions for real world applications can be drawn.
Basic Security of Blockciphers: Blockcipher Use Scenario

How are blockciphers used?
Scenario 1: Secure Communication

(Figure: Anna and Bob, each holding $E_k$ and the shared key $k$; Anna's messages "Hi", "I'm here", "Bye" cross the channel as ciphertext such as "yWj s", "5Yc6sdf", "Flan".)

Two parties, Anna and Bob, want to communicate with each other:
  Anna wants to send Bob messages;
  the content of the messages should remain hidden from Eve;
  adversary Eve can see but not modify the transmissions.

Some enabling assumptions:
  Anna and Bob already magically share a secret key;
  they both like the same blockcipher;
  Anna swims in a pool of randomness (she has an unlimited supply of fresh random bits, e.g. for IVs).
Confidentiality of a single 3-block message
CTR Encryption

(Figure: counter mode. $c_0 = IV$ and $c_i = m_i \oplus E_k(IV + i)$ for $i = 1, 2, 3$; the three blockcipher calls are on the counters $IV+1$, $IV+2$, $IV+3$.)

Game (informally):
  Adversary picks $(m_1, m_2, m_3)$.
  Receives $(c_0, \ldots, c_3)$, which is either the true encryption or random.
  Needs to guess which.

Observations:
  The random secret key $k$ is used repeatedly.
  The blockcipher inputs are certainly not jointly random (they are consecutive counters).
  Easiest to give the adversary full control over them!
Basic Security of Blockciphers: (Strong) Pseudorandom Permutations

Blockcipher Security
Pseudorandom Permutations

Real blockcipher world, $\mathrm{Exp}^{\mathrm{prp}\text{-}0}_E(A)$:
  $k \leftarrow \mathcal{K}$ (uniform); on query $x$ the oracle returns $y \leftarrow E_k(x)$.
Random permutation world, $\mathrm{Exp}^{\mathrm{prp}\text{-}1}_E(A)$:
  $\pi \leftarrow \mathrm{Perm}(X)$ (uniform); on query $x$ the oracle returns $y \leftarrow \pi(x)$.
In both worlds the adversary $A$ adaptively sends queries $x$, receives $y$, and finally outputs 0 or 1.

How well can an adversary distinguish?
$$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \left| \Pr\left[\mathrm{Exp}^{\mathrm{prp}\text{-}0}_E(A) = 0\right] - \Pr\left[\mathrm{Exp}^{\mathrm{prp}\text{-}1}_E(A) = 0\right] \right|$$
Blockcipher Security
Strong Pseudorandom Permutations

Strong security: the adversary has access to the inverse as well.

Real blockcipher world, $\mathrm{Exp}^{\mathrm{sprp}\text{-}0}_E(A)$:
  $k \leftarrow \mathcal{K}$; a forward query $x$ returns $y \leftarrow E_k(x)$, an inverse query $y$ returns $x \leftarrow D_k(y)$.
Random permutation world, $\mathrm{Exp}^{\mathrm{sprp}\text{-}1}_E(A)$:
  $\pi \leftarrow \mathrm{Perm}(X)$; a forward query $x$ returns $y \leftarrow \pi(x)$, an inverse query $y$ returns $x \leftarrow \pi^{-1}(y)$.
In both worlds $A$ interleaves forward and inverse queries as it likes and finally outputs 0 or 1.

$$\mathrm{Adv}^{\mathrm{sprp}}_E(A) = \left| \Pr\left[\mathrm{Exp}^{\mathrm{sprp}\text{-}0}_E(A) = 0\right] - \Pr\left[\mathrm{Exp}^{\mathrm{sprp}\text{-}1}_E(A) = 0\right] \right|$$
Basic Security of Blockciphers: What it means

(Strong) Pseudorandom Permutations
What it means

Implications 1. Security as a pseudorandom permutation implies
  ⇒ key recovery under chosen plaintext attacks is hard;
  ⇒ some modes of operation can be proven secure.

Implications 2. Security as a strong pseudorandom permutation implies
  ⇒ "ordinary" pseudorandom permutation security;
  ⇒ key recovery under chosen ciphertext attacks is hard;
  ⇒ some more modes of operation can be proven secure.

Selection of parameters:
  $K$: an exhaustive search reveals the key in $2^K$ blockcipher evaluations (offline attacks);
  $n$: typically features in bounds related to the construction (online attacks).
Using (s)PRP Security: PRP Composition

Using (s)PRPs
Decomposing Security

(Figure: the 3-block CTR encryption from before, $c_0 = IV$, $c_i = m_i \oplus E_k(IV + i)$.)

Game (informally):
  Adversary picks $(m_1, m_2, m_3)$.
  Receives $(c_0, \ldots, c_3)$, which is either the true encryption or random.
  Needs to guess which. Let's call the advantage $\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[E]}(A)$.

Want to analyse the mode independently of the blockcipher! Replace the blockcipher by a truly random permutation $\pi$ instead. If $A$ could tell the difference, it could win $E$'s prp game: the reduction $A'$ runs $A$, answers its CTR query with three calls to its own oracle, and outputs whatever $A$ outputs. Hence
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[E]}(A) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(A) + \mathrm{Adv}^{\mathrm{prp}}_E(A').$$

Finally
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(A) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(1),$$
where the latter is the best a computationally unbounded adversary can do with a single query.
Using (s)PRP Security: PRP–PRF Switching

PRP–PRF Switching
The Lemma

(Figure: CTR with the random permutation $\pi$ in place of $E_k$.)

We want to bound $\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(1)$. An information-theoretic problem.
  1. The output from $\pi(IV + 1)$ is uniformly random ⇒ the output $c_1$ is uniformly random.
  2. The output from $\pi(IV + 2) \ne \pi(IV + 1)$ ⇒ no longer uniformly random (it is uniform on $X$ minus one point).

Apart from the first call, the output from any call to $\pi$ is skewed. How bad can it get?

Replace the random permutation by a random function $f$ instead. If $A$ could tell the difference, it would distinguish $\pi$ from $f$ using only three queries:
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(1) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[f]}(1) + \Delta^{f}_{\pi}(3).$$
With $f$ the three pads $f(IV+1), f(IV+2), f(IV+3)$ are independent and uniform, so $(c_0, \ldots, c_3)$ is exactly uniform, the first term is 0, and everything hinges on $\Delta^{f}_{\pi}(3)$.
PRP–PRF Switching
The Bound

Random permutation world: $\pi \leftarrow \mathrm{Perm}(X)$; on query $x$ return $y \leftarrow \pi(x)$.
Random function world: $f \leftarrow \mathrm{Func}(X)$; on query $x$ return $y \leftarrow f(x)$.
In both, $A$ queries adaptively and outputs 0 or 1:
$$\Delta^{f}_{\pi}(A) = \left| \Pr\left[A^{\pi} = 0\right] - \Pr\left[A^{f} = 0\right] \right|.$$

Lazy sampling instead of sampling entire functions: each oracle keeps a table $F$ of the points defined so far, with $R(F)$ its range.

Random function world
  $F \leftarrow \emptyset$
  on query $x$:
    if $x \in F$ then return $F(x)$
    $y \leftarrow X$ (uniform)
    add $y = F(x)$ to $F$; return $y$

Random permutation world
  $F \leftarrow \emptyset$
  on query $x$:
    if $x \in F$ then return $F(x)$
    $y \leftarrow X \setminus R(F)$
    add $y = F(x)$ to $F$; return $y$

Rewrite the permutation oracle so that it first samples exactly like the function oracle and only repairs afterwards:
    $y \leftarrow X$
    if $y \in R(F)$ then set bad and resample $y \leftarrow X \setminus R(F)$
The two worlds are now identical-until-bad: they behave identically on every execution in which bad is not set, so the distinguishing advantage is at most the probability that bad gets set. For an adversary making $q$ queries, the $i$-th fresh query finds at most $i - 1$ points in $R(F)$, hence
$$\Delta^{f}_{\pi}(q) \le \Pr\left[A \text{ sets bad}\right] \le \sum_{i=1}^{q} \frac{i-1}{2^n} = \frac{q(q-1)}{2^{n+1}} \le \frac{q^2}{2^{n+1}}.$$
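The two lazily sampled oracles above, written in Python so the identical-until-bad argument can be watched happening. This is an added example, not code from the slides: the oracle classes, `ctr_encrypt`/`ctr_decrypt`, `switching_bound` and `estimate_bad_probability` are this example's own names, and the tiny block length n = 8, the seeds and the trial counts are chosen so that the birthday event is visible in a Monte Carlo run.

```python
"""PRP-PRF switching made concrete: lazily sampled oracles, CTR on top of them,
and a Monte Carlo check of Pr[bad] against the bound q^2 / 2^(n+1).
Added example, not from the slides; n = 8, seeds and trial counts are this
example's choices so that the birthday event is visible."""
import random


class LazyRandomFunction:
    """f <- Func(X), X = {0,1}^n, defined point by point (lazy sampling)."""

    def __init__(self, n, rng=None):
        self.n = n
        self.rng = rng if rng is not None else random.Random()
        self.table = {}          # F: the points defined so far

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.randrange(2 ** self.n)   # y <- X, uniform
        return self.table[x]


class LazyRandomPermutation(LazyRandomFunction):
    """pi <- Perm(X), written identical-until-bad: sample y exactly like the
    function oracle and only if y is already in the range R(F) set `bad` and
    resample from X \\ R(F). Until bad is set, both oracles behave the same."""

    def __init__(self, n, rng=None):
        super().__init__(n, rng)
        self.used = set()        # R(F)
        self.bad = False

    def query(self, x):
        if x not in self.table:
            y = self.rng.randrange(2 ** self.n)
            if y in self.used:                               # the bad event
                self.bad = True
                y = self.rng.choice(sorted(set(range(2 ** self.n)) - self.used))
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def ctr_encrypt(oracle, n, iv, blocks):
    """CTR over an abstract block oracle: c0 = IV, c_i = m_i xor E(IV + i mod 2^n)."""
    mask = (1 << n) - 1
    return [iv] + [m ^ oracle.query((iv + i) & mask) for i, m in enumerate(blocks, 1)]


def ctr_decrypt(oracle, n, ciphertext):
    """Decryption also calls the oracle forwards only: CTR needs a PRP, not an SPRP."""
    mask = (1 << n) - 1
    iv, body = ciphertext[0], ciphertext[1:]
    return [c ^ oracle.query((iv + i) & mask) for i, c in enumerate(body, 1)]


def switching_bound(n, q):
    """The slide's bound on Delta_pi^f for q blockcipher calls: q^2 / 2^(n+1)."""
    return q * q / 2 ** (n + 1)


def estimate_bad_probability(n, q, trials, seed=1):
    """Monte Carlo estimate of Pr[A sets bad] for an adversary whose q forward
    queries are the q distinct counter blocks of one CTR encryption. Returns
    (estimate, bound); the estimate must not exceed the bound beyond noise."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pi = LazyRandomPermutation(n, rng)
        ctr_encrypt(pi, n, rng.randrange(2 ** n), [0] * q)
        hits += pi.bad
    return hits / trials, switching_bound(n, q)


if __name__ == "__main__":
    n = 8
    pi = LazyRandomPermutation(n, random.Random(0))
    msg = [0x48, 0x69, 0x21]                     # constructed 3-block message "Hi!"
    ct = ctr_encrypt(pi, n, 0xA0, msg)
    print("3-block CTR round trip:", ctr_decrypt(pi, n, ct) == msg, " bad set:", pi.bad)
    for q in (4, 8, 16):
        est, bound = estimate_bad_probability(n, q, trials=20000)
        print(f"n={n} q={q:2d}  Pr[bad] ~ {est:.3f}   q^2/2^(n+1) = {bound:.3f}")
    # Why 64-bit blocks need care: after 2^32 calls (32 GiB) the bound is already 1/2.
    print("n=64,  2^32 calls:", switching_bound(64, 2 ** 32))
    print("n=128, 2^32 calls:", switching_bound(128, 2 ** 32))
```

The permutation oracle is deliberately structured as "sample like the function, then repair", rather than sampling from $X \setminus R(F)$ directly, because that is what makes the two oracles syntactically identical until the `bad` flag flips; the estimate printed for each $q$ sits below $q^2/2^{n+1}$, and the last two lines are the slide's parameter remark in numbers.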
Using (s)PRP Security: The sPRP Analogues

Using PRPs
Brief Recap

(Figure: CTR encryption and CTR decryption side by side. Both directions call $E_k$ forwards only: encryption computes $c_i = m_i \oplus E_k(IV + i)$, decryption $m_i = c_i \oplus E_k(IV + i)$.)

The confidentiality game now allows $q_E$ encryption queries and $q_D$ decryption queries of three blocks each, so $3q_E + 3q_D$ blockcipher calls in total. Chaining the steps from before:
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[E]}(A) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[\pi]}(q_E, q_D) + \mathrm{Adv}^{\mathrm{prp}}_E(A')$$
$$\le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[f]}(q_E, q_D) + \Delta^{f}_{\pi}(3q_E + 3q_D) + \mathrm{Adv}^{\mathrm{prp}}_E(A')$$
$$\le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[f]}(q_E, q_D) + \frac{(3q_E + 3q_D)^2}{2^{n+1}} + \mathrm{Adv}^{\mathrm{prp}}_E(A').$$
Using strong PRPs
CBC Encryption Case Study

(Figure: CBC. Encryption: $c_0 = IV$, $c_i = E_k(m_i \oplus c_{i-1})$. Decryption: $m_i = D_k(c_i) \oplus c_{i-1}$, so decryption calls the inverse $D_k$.)

Because decryption queries use $D_k$, the reduction needs the inverse oracle and the relevant blockcipher notion is the strong PRP:
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CBC}[E]}(A) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CBC}[\pi]}(q_E, q_D) + \mathrm{Adv}^{\mathrm{sprp}}_E(A')$$
$$\le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CBC}[f]}(q_E, q_D) + \Delta^{f, f^{-1}}_{\pi, \pi^{-1}}(3q_E, 3q_D) + \mathrm{Adv}^{\mathrm{sprp}}_E(A'),$$
where the switching term now counts $3q_E$ forward and $3q_D$ inverse queries, and compares a random permutation with its inverse against the "random function with inverse" defined on the next slide.
SPRP–SPRF Switching
Defining an SPRF

Random permutation world: $\pi \leftarrow \mathrm{Perm}(X)$; a forward query $x$ returns $y \leftarrow \pi(x)$, an inverse query $y$ returns $x \leftarrow \pi^{-1}(y)$.

A random permutation with inverse using lazy sampling ($F$ is the table of defined points, $R(F)$ its range):
  $F \leftarrow \emptyset$
  forward query $x$:
    if $x \in F$ then return $F(x)$
    $y \leftarrow X$; if $y \in R(F)$ then set bad and resample $y \leftarrow X \setminus R(F)$
    add $y = F(x)$ to $F$; return $y$
  inverse query $y$:
    if $y \in R(F)$ then return $F^{-1}(y)$
    $x \leftarrow X$; if $x \in F$ then set bad and resample $x \leftarrow X \setminus F$
    add $y = F(x)$ to $F$; return $x$

A random function with inverse defined by lazy sampling: the same code with the two resampling steps removed (bad is still set, but the colliding value is kept). The two worlds are again identical-until-bad. With $q$ queries in total, forward or inverse, the $i$-th fresh query finds at most $i - 1$ points in $R(F)$ or in $F$, so $\Delta^{f,f^{-1}}_{\pi,\pi^{-1}}$ is at most $\Pr[\text{bad}] \le q(q-1)/2^{n+1}$, the same birthday bound as in the one-sided case.
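The two-way oracle of this slide and the CBC case study of the previous one, as an added Python example that is not code from the slides. One class plays both worlds: with `permutation=True` it is the lazily sampled random permutation with inverse (collisions resampled), with `permutation=False` it is the "random function with inverse" (collisions kept); `bad` flips at the first collision either way. `LazyTwoWayOracle`, `cbc_encrypt`/`cbc_decrypt`, `function_world_breaks_decryption` and `estimate_bad` are this example's own names, and n = 8, the seeds, trial counts and messages are constructed for the demonstration.

```python
"""SPRP-SPRF switching made concrete: one lazily sampled two-way oracle that is a
random permutation with inverse (permutation=True, collisions resampled) or the
'random function with inverse' (permutation=False, collisions kept), identical
until bad, with CBC on top of it to show where the inverse oracle is needed.
Added example, not from the slides; n = 8, seeds, trial counts and all messages
are this example's constructed choices."""
import random


class LazyTwoWayOracle:
    def __init__(self, n, permutation=True, rng=None):
        self.n = n
        self.permutation = permutation
        self.rng = rng if rng is not None else random.Random()
        self.fwd = {}            # F : x -> y, the points defined so far
        self.inv = {}            # F^-1 : y -> x, so R(F) = inv.keys()
        self.bad = False

    def _sample_outside(self, taken):
        """v <- X uniformly; if v is in `taken`, set bad and, in the permutation
        world only, resample from X \\ taken (the function world keeps v)."""
        v = self.rng.randrange(2 ** self.n)
        if v in taken:
            self.bad = True
            if self.permutation:
                v = self.rng.choice(sorted(set(range(2 ** self.n)) - taken))
        return v

    def forward(self, x):
        if x in self.fwd:
            return self.fwd[x]
        y = self._sample_outside(set(self.inv))      # y <- X \ R(F)
        self.fwd[x] = y
        self.inv.setdefault(y, x)   # function world: an earlier preimage of y survives
        return y

    def inverse(self, y):
        if y in self.inv:
            return self.inv[y]
        x = self._sample_outside(set(self.fwd))      # x <- X \ dom(F)
        self.inv[y] = x
        self.fwd.setdefault(x, y)
        return x


def cbc_encrypt(oracle, iv, blocks):
    """c0 = IV, c_i = E(m_i xor c_{i-1}): forward calls only."""
    out = [iv]
    for m in blocks:
        out.append(oracle.forward(m ^ out[-1]))
    return out


def cbc_decrypt(oracle, ciphertext):
    """m_i = D(c_i) xor c_{i-1}: needs the inverse, hence the SPRP notion."""
    return [oracle.inverse(c) ^ prev for prev, c in zip(ciphertext, ciphertext[1:])]


def cbc_round_trip_ok(oracle, iv, blocks):
    return cbc_decrypt(oracle, cbc_encrypt(oracle, iv, blocks)) == blocks


def function_world_breaks_decryption(n, seed=11):
    """Encrypt distinct single-block messages in the function world until the
    first forward collision. Returns (bad_seen, a_round_trip_failed): once bad
    is set the 'inverse' no longer undoes the 'forward' call, behaviour the
    permutation world never shows."""
    o = LazyTwoWayOracle(n, permutation=False, rng=random.Random(seed))
    failed = False
    for m in range(2 ** n):
        failed |= not cbc_round_trip_ok(o, 0, [m])
        if o.bad:
            break
    return o.bad, failed


def estimate_bad(n, q_fwd, q_inv, trials, permutation=True, seed=7):
    """Pr[bad] for q_fwd forward and q_inv inverse queries on fresh points,
    alongside the bound q(q-1)/2^(n+1) with q = q_fwd + q_inv."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        o = LazyTwoWayOracle(n, permutation, rng)
        pts = rng.sample(range(2 ** n), q_fwd + q_inv)
        for x in pts[:q_fwd]:
            o.forward(x)
        for y in pts[q_fwd:]:
            o.inverse(y)
        hits += o.bad
    q = q_fwd + q_inv
    return hits / trials, q * (q - 1) / 2 ** (n + 1)


if __name__ == "__main__":
    n = 8
    perm = LazyTwoWayOracle(n, rng=random.Random(0))
    msg = [0x48, 0x69, 0x21]                                  # constructed message
    print("CBC round trip, permutation world:", cbc_round_trip_ok(perm, 0x5A, msg))
    print("function world (bad seen, decryption failed):", function_world_breaks_decryption(n))
    for qf, qi in ((6, 6), (8, 8)):
        est, bound = estimate_bad(n, qf, qi, trials=10000)
        print(f"q_fwd={qf} q_inv={qi}  Pr[bad] ~ {est:.3f}   q(q-1)/2^(n+1) = {bound:.3f}")
```

In the permutation world `fwd` and `inv` stay mutually inverse bijections, so CBC decryption always recovers the message; in the function world the first collision leaves a ciphertext whose "inverse" returns the older preimage, which is the visible difference the `bad` event bounds. Both worlds raise `bad` with the same probability, and the estimate stays below $q(q-1)/2^{n+1}$.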
Using (s)PRP Security: What it means

Using PRPs
What it all means

We derived the bound
$$\mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[E]}(A) \le \mathrm{Adv}^{\mathrm{conf}}_{\mathrm{CTR}[f]}(q_E, q_D) + \frac{(3q_E + 3q_D)^2}{2^{n+1}} + \mathrm{Adv}^{\mathrm{prp}}_E(A').$$

Advantages
  1. Using PRPs as the notion allows modular analysis, separating three terms:
     the computational PRP security of the blockcipher: depends on $K$ and $n$; offline attacks are relevant;
     the information-theoretic security of the construction: no longer depends on $K$, still on $n$; an online attack, so the number of queries $q$ is important;
     a combinatorial birthday bound: also online, and here the number of blockcipher calls is what matters, often bounded loosely by $q \cdot L$ for $q$ queries of at most $L$ blocks each.
  2. The birthday bound implies 64-bit blocks (DES) require care: with $n = 64$ the term $(q \cdot L)^2 / 2^{65}$ reaches $1/2$ after $2^{32}$ blockcipher calls, i.e. $2^{32} \cdot 8$ bytes = 32 GiB of data under a single key.
  3. SPRP security is needed when inverse blockcipher calls are made.
Advanced Syntax: Ciphers

Ciphers
Syntax

Recall: a blockcipher is a set of keyed permutations $E : \mathcal{K} \times X \to X$ where $\mathcal{K} = \{0,1\}^K$ is the set of keys and $X = \{0,1\}^n$ the set of plaintext blocks.

Ciphers: for a cipher, $X = \{0,1\}^*$ instead.
  1. Still require that $|E_k(x)| = |x|$, so $E_k$ permutes each length class $\{0,1\}^\ell$ separately.
  2. Some ciphers only support a subset of lengths.
  3. For (s)PRP security, the adversary is not bound to a particular input length.
Advanced Syntax: Tweakable Blockciphers

Tweakable blockciphers
Syntax

Recall: a blockcipher is a set of keyed permutations $E : \mathcal{K} \times X \to X$ where $\mathcal{K} = \{0,1\}^K$ is the set of keys and $X = \{0,1\}^n$ the set of plaintext blocks.

Tweakable blockciphers: for a tweakable blockcipher, $E : \mathcal{K} \times \mathcal{T} \times X \to X$ instead.
  1. The input $T \in \mathcal{T}$ is called a tweak.
  2. Now require that $E_k^T(\cdot)$ is a permutation for every key $k$ and every tweak $T$.
  3. For (s)PRP security, the adversary has full control of the tweak; the ideal object it is compared with is an independent random permutation for each tweak value.

Tweakable blockciphers
Advantages

A tweakable blockcipher is a family of keyed permutations $E : \mathcal{K} \times \mathcal{T} \times X \to X$ where $\mathcal{K} = \{0,1\}^K$ is the set of keys, $\mathcal{T} \subseteq \{0,1\}^*$ is the set of tweaks, and $X = \{0,1\}^n$ the set of plaintext blocks.

Main benefits of tweaks
  Efficiency: retweaking is faster than rekeying.
  Security: retweaking is cleaner than rekeying.
  Tightness: uniqueness of tweaks means no PRP–PRF switching is needed. Each fresh tweak selects a fresh random permutation, so a single call under each tweak yields an exactly uniform output and the birthday term disappears.
Advanced Security Notions: The key is not secret at all

Advanced Standard Notions
When the key is not secret

ICM, Ideal Cipher Model: give the adversary control over key and plaintext; compare with a family of random permutations, one independent random permutation per key. Used to prove heuristic properties of blockcipher-based hashing.
IPM, Ideal Permutation Model: fix a public key and compare with a single random permutation. Used to prove heuristic properties of sponge constructions.
KKA, Known Key Attacks: $\mathrm{AES}_0$, i.e. AES under one fixed public key such as the all-zero key, strictly speaking is not a random permutation (e.g. it has no entropy), but what kind of behaviour would be atypical? Relevant to compare (theoretical) attacks on AES.

Advanced Security Notions: The secret key is (re)used elsewhere