Clarification about attacker power Block ciphers used to encode - - PowerPoint PPT Presentation




ECB CBC CTR Cryptomeria cipher Security for Block cipher modes

Clarification about attacker power

In security games, the attacker can only do efficient operations.
Importantly: the attacker cannot search through all bitstrings, as the number of possible bitstrings increases exponentially with the length.
Formally: the attacker is a probabilistic polynomial-time Turing machine.

Eike Ritter Cryptography 2013/14

Block ciphers are used to encode messages longer than the block size.
This needs to be done correctly to preserve security.
Will look at five ways of doing this.


ECB

Simplest way: Apply the encryption block by block (Electronic Codebook mode, ECB)

[Figure: ECB mode. Source: Wikipedia]

[Figure. Source: Wikipedia]

Cipher vulnerable: identical plaintext blocks produce identical ciphertext blocks.
No protection against deletion or insertion of blocks.


CBC

One solution: add a random initialisation vector to start off the encryption, and use the previous ciphertext block when encrypting the next block.

[Figure: CBC mode. Source: Wikipedia]

[Figure. Source: Wikipedia]

Secure if correctly used (precise specification: next lecture).
Encryption cannot be parallelised.


CTR

Avoids re-use of previous results by careful choice of a random element for each block.
Choose a nonce and increase a counter for each block.

[Figure: CTR mode. Source: Wikipedia]

[Figure. Source: Wikipedia]

Also secure if correctly used (more later).
Encryption and decryption are parallelisable.


Cryptomeria cipher

Used for DVD-Videos
Successor to CSS
Algorithm public, except for S-box
10 round Feistel cipher
Key size 56 bits, block size 64 bits
Brute force attacks have succeeded against it


Proper definition of security for Block Cipher Modes

Cannot reuse the definition for block ciphers.
Reason: modes will not swap positions of bits arbitrarily.
Need a weaker notion.


Definition
Let (E, D) be a block cipher mode with encryption function E and decryption function D. We define the indistinguishability under chosen-plaintext game between the challenger and the attacker as follows:
1. The challenger generates a key k at random.
2. The attacker performs a polynomial number of computations. It may ask the challenger for the encryption of a polynomial number of arbitrary messages.
3. The attacker submits two messages m0 and m1 to the challenger.
4. The challenger selects a bit b ∈ {0, 1} at random.
5. The challenger returns the encryption of mb to the attacker.
6. The attacker performs a polynomial number of computations and outputs a bit b′.


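[Figure: the IND-CPA game between Challenger and Attacker]
Challenger: $k \xrightarrow{r} K$ (k chosen at random from K)
Attacker to Challenger: $m'_1, \ldots, m'_n$
Challenger to Attacker: $E(k, m'_1), \ldots, E(k, m'_n)$
Attacker to Challenger: $m_0, m_1$
Challenger: $b \xrightarrow{r} \{0, 1\}$ (b chosen at random)
Challenger to Attacker: $E(k, m_b)$
Attacker outputs: $b'$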


Intuitively, we call a block cipher mode secure if the attacker can only guess the bit b, i.e. wins the game half the time.

Definition
Let Pr[b = b′] be the probability that the attacker wins the IND-CPA game, taken over all encryption keys of length n and all bits b. A block cipher mode satisfies indistinguishability under chosen-plaintext attack (IND-CPA) if

$\left| \Pr[b = b'] - \frac{1}{2} \right|$

is negligible.
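The game defined above, played against the ECB, CBC and CTR modes described earlier, as an added example that is not part of the original slides. Assumptions: a truncated HMAC-SHA256 stands in for the block cipher (it is a PRF, not an invertible cipher, so only encryption is shown), and all function names are illustrative. The attacker makes no encryption queries and only compares the last two ciphertext blocks of the challenge.

```python
import hashlib, hmac, secrets

BLOCK = 16  # bytes per block

def F(key, block):
    # Assumed stand-in for the block cipher: truncated HMAC-SHA256 (a PRF).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split(msg):
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def ecb(key, msg):
    return b"".join(F(key, m) for m in split(msg))

def cbc(key, msg):
    out = [secrets.token_bytes(BLOCK)]           # fresh random IV per message
    for m in split(msg):
        out.append(F(key, xor(out[-1], m)))      # chain on previous ciphertext block
    return b"".join(out)

def ctr(key, msg):
    nonce = secrets.token_bytes(BLOCK - 4)       # fresh random nonce per message
    ks = [F(key, nonce + i.to_bytes(4, "big")) for i in range(len(msg) // BLOCK)]
    return nonce + b"".join(xor(k, m) for k, m in zip(ks, split(msg)))

def adversary_messages():
    # m0 repeats one block; m1 has two different blocks (same length).
    return b"A" * (2 * BLOCK), b"A" * BLOCK + b"B" * BLOCK

def adversary_guess(ct):
    # Output b' = 0 exactly when the last two ciphertext blocks are equal.
    return 0 if ct[-2 * BLOCK:-BLOCK] == ct[-BLOCK:] else 1

def win_rate(encrypt, trials=2000):
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(16)            # challenger generates k at random
        b = secrets.randbits(1)                  # challenger selects b at random
        m0, m1 = adversary_messages()
        wins += adversary_guess(encrypt(key, (m0, m1)[b])) == b
    return wins / trials

if __name__ == "__main__":
    for name, mode in (("ECB", ecb), ("CBC", cbc), ("CTR", ctr)):
        print(name, "estimated Pr[b = b'] =", win_rate(mode))
```

Against ECB the estimate is 1, so |Pr[b = b′] − 1/2| = 1/2, which is not negligible; against CBC and CTR this particular attacker stays near 1/2.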


Theorem
If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for CBC is

$\frac{2 q^2 L^2}{|X|} + 2\,\mathrm{Adv}$

where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher.
For AES: must change key after using $2^{24}$ messages of length $2^{24}$ each to obtain advantage of $\frac{1}{2^{32}}$.


Theorem
If (E, D) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for counter mode is

$\frac{2 q^2 L}{|X|} + 2\,\mathrm{Adv}$

where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher.
For AES: must change key after using $2^{32}$ messages of length $2^{32}$ each to obtain advantage of $\frac{1}{2^{32}}$.
