the security of ciphertext stealing
play

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 - PowerPoint PPT Presentation

Nov 13, 2023 •134 likes •1.19k views

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of Computer Science University of California at Davis 2 Thales e-Security Ltd March 20, 2012 Rogaway, Wooding, Zhang (UC Davis, Thales) The Security

  1. Security of ciphertext stealing Theorem Let E be any of CBC - CS 1 [Perm( b )] , CBC - CS 2 [Perm( b )] , or CBC - CS 3 [Perm( b )] and suppose adversary A asks queries totalling at most σ blocks. Then Adv ind$ ( A ) ≤ σ 2 / 2 b E Proof idea Factor CBC - CS n IV � | m | , CBC IV � K ( m ) = POST n K ( PRE ( m )) Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 7 / 21

  2. Security of ciphertext stealing Theorem Let E be any of CBC - CS 1 [Perm( b )] , CBC - CS 2 [Perm( b )] , or CBC - CS 3 [Perm( b )] and suppose adversary A asks queries totalling at most σ blocks. Then Adv ind$ ( A ) ≤ σ 2 / 2 b E Proof idea Factor CBC - CS n IV � | m | , CBC IV � K ( m ) = POST n K ( PRE ( m )) Observe that POST n preserves uniform distribution. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 7 / 21

  3. Security of ciphertext stealing Theorem Let E be any of CBC - CS 1 [Perm( b )] , CBC - CS 2 [Perm( b )] , or CBC - CS 3 [Perm( b )] and suppose adversary A asks queries totalling at most σ blocks. Then Adv ind$ ( A ) ≤ σ 2 / 2 b E Proof idea Factor CBC - CS n IV � | m | , CBC IV � K ( m ) = POST n K ( PRE ( m )) Observe that POST n preserves uniform distribution. Show reduction from CBC security. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 7 / 21

  4. Insecurity of the Meyer–Matyas scheme P ∗ P 1 P 2 P 3 0 4 ⊕ ⊕ ⊕ ⊕ IV E K E K E K E K C ∗ C ∗∗ C 1 C 2 C 4 3 3 The NIST CBC ciphertext stealing schemes, for comparison. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  5. Insecurity of the Meyer–Matyas scheme C ∗∗ P ∗ P 1 P 2 P 3 3 4 ⊕ ⊕ ⊕ IV E K E K E K E K C ∗ C ∗∗ C 1 C 2 C 4 3 3 The Meyer–Matyas ciphertext stealing scheme. There’s no chaining into the final partial block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  6. Insecurity of the Meyer–Matyas scheme b − 1 P ∗ P 1 2 Start with a message m which is 1 bit short of two whole blocks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  7. Insecurity of the Meyer–Matyas scheme b − 1 P ∗ P 1 2 ⊕ IV E K C 1 The first block is whitened with a fresh random IV and fed through the blockcipher. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  8. Insecurity of the Meyer–Matyas scheme b − 1 1 P ∗ P 1 r 2 ⊕ IV E K C ∗ r 1 The second block is padded by prefixing with the final bit r of the pre- vious ciphertext. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  9. Insecurity of the Meyer–Matyas scheme b − 1 1 P ∗ P 1 r 2 ⊕ IV E K E K C ∗ r C 2 1 And then fed through the blockcipher. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  10. Insecurity of the Meyer–Matyas scheme b − 1 1 P ∗ P 1 r 2 ⊕ IV E K E K C ∗ r C 2 1 But there are only two possible values for r . If we do this twice, we expect the C 2 values to be equal with probability at least 1 2 . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  11. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 Our adversary starts with such a message. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  12. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 m $ IV � c ← IV IV c ← E IV K ( m ) And asks its encryption oracle to encrypt it, getting a ciphertext c . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  13. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 m $ IV � c ← IV IV c ← E IV K ( m ) m IV ′ � c ′ Then it asks to encrypt the same message again, getting a new cipher- text c ′ . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  14. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 LSB b ( c ) = LSB b ( c ′ ) ? m $ IV � c ← IV IV c ← E IV K ( m ) m IV ′ � c ′ CBC - CSX ( A ) = Pr[ A Real( · ) ⇒ 1] − Pr[ A Fake( · ) ⇒ 1] Adv ind$ The adversary declares ‘real’ if the last b bits of c and c ′ are equal. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  15. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 LSB b ( c ) = LSB b ( c ′ ) ? m $ IV � c ← IV IV c ← E IV K ( m ) m IV ′ � c ′ CBC - CSX ( A ) ≥ 1 2 − Pr[ A Fake( · ) ⇒ 1] Adv ind$ If this is indeed the real game, we’ve just seen that they’re equal with probability at least 1 2 . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  16. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 LSB b ( c ) = LSB b ( c ′ ) ? m m $ IV � c IV � c $ ← IV ← IV IV IV $ c ← E IV ← { 0 , 1 } | m | K ( m ) c m m IV ′ � c ′ IV ′ � c ′ CBC - CSX ( A ) ≥ 1 2 − Pr[ A Fake( · ) ⇒ 1] Adv ind$ If this is the fake game, then the ciphertexts are simply random strings. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  17. Insecurity of the Meyer–Matyas scheme m = 1 b � 0 b − 1 LSB b ( c ) = LSB b ( c ′ ) ? m m $ IV � c IV � c $ ← IV ← IV IV IV $ c ← E IV ← { 0 , 1 } | m | K ( m ) c m m IV ′ � c ′ IV ′ � c ′ CBC - CSX ( A ) ≥ 1 2 − 1 Adv ind$ 2 b So they’re equal with probability exactly 1 / 2 b . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 8 / 21

  18. Outline Ciphertext stealing 1 Description Symmetric encryption schemes Security of ciphertext stealing Insecurity of the Meyer–Matyas scheme Online encryption 2 Definitions Delayed CBC Ciphertext stealing redux Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 9 / 21

  19. Background Idea Conventional definitions treat encryption as processing an entire message in one go. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  20. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  21. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  22. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Reducing end-to-end latency. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  23. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Reducing end-to-end latency. We should have definitions which capture this behaviour so that we can analyse the security of schemes. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  24. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Reducing end-to-end latency. We should have definitions which capture this behaviour so that we can analyse the security of schemes. History Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  25. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Reducing end-to-end latency. We should have definitions which capture this behaviour so that we can analyse the security of schemes. History Blockwise-adaptive attacks: [Bellare, Kohno, Namprempre 2002], [Joux, Martinet, Valette 2002], [Fouque, Martinet, Poupard 2003], [Fouque, Joux, Poupard 2004], [Bard 2007]. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  26. Background Idea Conventional definitions treat encryption as processing an entire message in one go. In real life, messages are often processed in chunks. Keys held by memory-constrained devices. Reducing end-to-end latency. We should have definitions which capture this behaviour so that we can analyse the security of schemes. History Blockwise-adaptive attacks: [Bellare, Kohno, Namprempre 2002], [Joux, Martinet, Valette 2002], [Fouque, Martinet, Poupard 2003], [Fouque, Joux, Poupard 2004], [Bard 2007]. Our stream-based approach from [Gennaro, Rohatgi 1997]. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 10 / 21

  27. How it looks P Suppose we have a plaintext message P . Maybe we don’t even know all of it yet. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  28. How it looks P 1 P 2 P 3 Split it into chunks P 1 , P 2 , . . . of arbitrary sizes. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  29. How it looks P 1 P 2 P 3 V 0 Sample an initial state (‘initialization vector’) V 0 appropriate for the en- cryption scheme. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  30. How it looks P 1 P 2 P 3 E 0 V 0 K C 1 Feed the first plaintext chunk to the encryption scheme. It gives us a ciphertext chunk C 1 . In general, C 1 might not be the same length as P 1 . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  31. How it looks P 1 P 2 P 3 E 0 V 0 V 1 K C 1 It also gives us a state V 1 . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  32. How it looks P 1 P 2 P 3 E 0 E 0 V 0 V 1 V 2 K K C 1 C 2 We can feed the next plaintext P 2 to the encryption scheme, along with the previous state V 1 . We get a ciphertext chunk C 2 and a new state V 2 . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  33. How it looks P 1 P 2 P 3 E 0 E 0 E 1 V 0 V 1 V 2 K K K C 1 C 2 C 3 And so on. . . Indicate to the encryption scheme when there are no more chunks to process. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 11 / 21

  34. What’s new about our definition We don’t depend on chunks being single blocks, or aligned to block boundaries. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 12 / 21

  35. What’s new about our definition We don’t depend on chunks being single blocks, or aligned to block boundaries. Indeed, we don’t assume there’s a blockcipher involved at all. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 12 / 21

  36. What’s new about our definition We don’t depend on chunks being single blocks, or aligned to block boundaries. Indeed, we don’t assume there’s a blockcipher involved at all. Security is defined in terms of indistinguishability from random strings of appropriate lengths. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 12 / 21

  37. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  38. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K K is the key space. We require that it be finite. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  39. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K K is the key space. We require that it be finite. 0 ≤ i<v { 0 , 1 } i is the state space. V ⊆ � Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  40. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K K is the key space. We require that it be finite. 0 ≤ i<v { 0 , 1 } i is the state space. V ⊆ � δ ∈ { 0 , 1 } is the end-of-message indicator : 0 means more chunks are coming; 1 means this is the last one. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  41. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K K is the key space. We require that it be finite. 0 ≤ i<v { 0 , 1 } i is the state space. V ⊆ � δ ∈ { 0 , 1 } is the end-of-message indicator : 0 means more chunks are coming; 1 means this is the last one. Also a message space P ⊆ { 0 , 1 } ∗ and IV space IV ⊆ V . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  42. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K Well-formedness requirements Ciphertexts The ciphertext is always the same whichever way you split up the plaintext. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  43. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K Well-formedness requirements Ciphertexts The ciphertext is always the same whichever way you split up the plaintext. Invertibility Ciphertexts can be decrypted uniquely. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  44. Definitions: online encryption Online encryption syntax We define online encryption schemes as functions: E : K × V × { 0 , 1 } × { 0 , 1 } ∗ → { 0 , 1 } ∗ × V ( C i , V i ) ← E V i − 1 ,δ ( P i ) K Well-formedness requirements Ciphertexts The ciphertext is always the same whichever way you split up the plaintext. Invertibility Ciphertexts can be decrypted uniquely. Lengths The lengths of ciphertext chunks depend only on the history of plaintext lengths. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 13 / 21

  45. Online encryption security: IND$ Initialization: $ V ← IV m, δ ( c, V ) ← E V,δ K ( m ) c Adversary submits message chunks and a ‘done’ flag to an oracle, which returns ciphertext chunks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 14 / 21

  46. Online encryption security: IND$ Initialization: $ V ← IV m, δ ( c, V ) ← E V,δ K ( m ) c ′ ← { 0 , 1 } | c | $ c ′ . . . or maybe it just returns random strings of the right length. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 14 / 21

  47. Online encryption security: IND$ Initialization: $ V ← IV m, δ m, δ ( c, V ) ← E V,δ K ( m ) ( c, V ) ← E V,δ K ( m ) c ′ ← { 0 , 1 } | c | $ c c ′ We’d like these to be hard to distinguish. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 14 / 21

  48. Online encryption security: IND$ Initialization: $ V i ← IV for i ∈ N i, m, δ i, m, δ ( c, V i ) ← E V i ,δ ( m ) ( c, V i ) ← E V i ,δ K ( m ) K c ′ ← { 0 , 1 } | c | $ c c ′ . . . even when the adversary can contribute to multiple messages con- currently. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 14 / 21

  49. Online encryption security: IND$ Initialization: ? $ V i ← IV for i ∈ N m, δ m, δ ( c, V i ) ← E V i ,δ ( m ) ( c, V i ) ← E V i ,δ K ( m ) K c ′ ← { 0 , 1 } | c | $ c c ′ ( A ) = Pr[ A Real( · ) ⇒ 1] − Pr[ A Fake( · ) ⇒ 1] Adv IND$ E The adversary’s advantage measures how well he can distinguish be- tween these two games. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 14 / 21

  50. CBC online – wrong version P We’re given a plaintext chunk. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 15 / 21

  51. CBC online – wrong version P 0 P 0 P In general, we have a partial plaintext left over from the previous call. Tack this on the front. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 15 / 21

  52. CBC online – wrong version P 0 P ∗ P 1 P 2 P 3 And split the plaintext into blocks. There’ll be a bit left over. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 15 / 21

  53. CBC online – wrong version C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K C 1 C 2 C 3 Encrypt the whole blocks using CBC mode, using an IV maintained in the state. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 15 / 21

  54. CBC online – wrong version C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K P ∗ C 1 C 2 C 3 C 3 The new state is the last ciphertext block, and the leftover bit of plain- text. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 15 / 21

  55. CBC online – insecurity of the wrong version Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 16 / 21

  56. CBC online – insecurity of the wrong version Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext. Suppose this is V ; suppose also that the adversary guesses that the plaintext corresponding to some ciphertext C i is P ∗ , i.e., that C i = E K ( P ∗ ⊕ C i − 1 ) . Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 16 / 21

  57. CBC online – insecurity of the wrong version Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext. Suppose this is V ; suppose also that the adversary guesses that the plaintext corresponding to some ciphertext C i is P ∗ , i.e., that C i = E K ( P ∗ ⊕ C i − 1 ) . So he arranges for the first block encrypted as part of the next plaintext chunk to be P ∗ ⊕ V ⊕ C i − 1 . If the resulting ciphertext is C i then his guess is confirmed. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 16 / 21

  58. CBC online – insecurity of the wrong version Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext. Suppose this is V ; suppose also that the adversary guesses that the plaintext corresponding to some ciphertext C i is P ∗ , i.e., that C i = E K ( P ∗ ⊕ C i − 1 ) . So he arranges for the first block encrypted as part of the next plaintext chunk to be P ∗ ⊕ V ⊕ C i − 1 . If the resulting ciphertext is C i then his guess is confirmed. It’s sufficient to hold one block back [FMP03]. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 16 / 21

  59. CBC online – insecurity of the wrong version Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext. Suppose this is V ; suppose also that the adversary guesses that the plaintext corresponding to some ciphertext C i is P ∗ , i.e., that C i = E K ( P ∗ ⊕ C i − 1 ) . So he arranges for the first block encrypted as part of the next plaintext chunk to be P ∗ ⊕ V ⊕ C i − 1 . If the resulting ciphertext is C i then his guess is confirmed. It’s sufficient to hold one block back [FMP03]. Intuition: CBC output is indistinguishable from random data, so the last block should be unpredictable, which is sufficient for security. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 16 / 21

  60. Delayed CBC [FMP03] C 0 P 0 P The state looks the same: previous ciphertext, and leftover plaintext. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 17 / 21

  61. Delayed CBC [FMP03] C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K C 1 C 2 C 3 Prefix the leftover plaintext to the new chunk, split into blocks, and encrypt. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 17 / 21

  62. Delayed CBC [FMP03] C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K C 0 C 1 C 2 C 3 We must output the previous-ciphertext block. We shouldn’t output the last new ciphertext block, just store it for later. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 17 / 21

  63. Delayed CBC [FMP03] C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K P ∗ C 0 C 1 C 2 C 3 And we keep the leftover piece of plaintext. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 17 / 21

  64. Delayed CBC with ciphertext stealing C 0 P 0 P ∗ P 1 P 2 P 3 ⊕ ⊕ ⊕ E K E K E K C 0 C 1 C 2 C 3 So, we’ve got to the end of a message, and we’ve not filled up the last block. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 18 / 21

  65. Delayed CBC with ciphertext stealing C 0 P 0 P ∗ P 1 P 2 P 3 0 ⊕ ⊕ ⊕ ⊕ E K E K E K E K C 0 C 1 C 2 C 3 C 4 So we pad it with zero bits. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 18 / 21

  66. Delayed CBC with ciphertext stealing C 0 P 0 P ∗ P 1 P 2 P 3 0 ⊕ ⊕ ⊕ ⊕ E K E K E K E K C ∗ C ∗∗ C 0 C 1 C 2 C 4 3 3 The recipient can recover the tail of the next-to-last ciphertext block by decrypting the final one. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 18 / 21

  67. Delayed CBC with ciphertext stealing C 0 P 0 P ∗ P 1 P 2 P 3 0 ⊕ ⊕ ⊕ ⊕ E K E K E K E K C ∗ C ∗∗ C 0 C 1 C 2 C 4 3 3 Again, there are variants which differ in how they order the last two ciphertext blocks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 18 / 21

  68. Delayed CBC with ciphertext stealing Actually the natural implementation. You have to hold back the last ciphertext block anyway, because you might have to truncate it. Indeed, for DCBC-CS3, you sometimes have to hold back two ciphertexts blocks. Rogaway, Wooding, Zhang (UC Davis, Thales) The Security of Ciphertext Stealing March 20, 2012 19 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chosen-Ciphertext Security Chosen-Ciphertext Security without Redundancy without Redundancy

Chosen-Ciphertext Security Chosen-Ciphertext Security without Redundancy without Redundancy

Chosen-Ciphertext Security Chosen-Ciphertext Security without Redundancy without Redundancy Duong Hieu Phan David Pointcheval ENS France CNRS-ENS France Asiacrypt '03 Taipei - Taiwan December 1 st 2003 Summary Summary Asymmetric

235 views • 21 slides
Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva,

Ciphertext Fragmentation and Related Problems Formalizing Fragmentation Security Notions Constructions and Comparison Security of Symmetric Encryption in the Presence of Ciphertext Fragmentation Alexandra Boldyreva, Jean Paul Degabriele , Kenny

924 views • 43 slides
RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext

RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext

RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret) M = S(C) anyone else

796 views • 16 slides
Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang

Introduction Model of C-PRE Our proposed C-PRE Scheme Conclusion Efficient Conditional Proxy Re-Encryption with Chosen-Ciphertext Security Jian Weng, Yanjiang Yang, Qiang Tang, Robert H. Deng, Feng Bao Institute for Infocomm Research (I2R),

1.04k views • 15 slides
CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they doing with this data? We dont know what is happening with this data once it is collected. Its conceivable that this information could be analysed

959 views • 59 slides
Chosen-Ciphertext Security from Subset Sum PKC 2016, 07.03.2016 Sebastian Faust 1 Daniel Masny 1

Chosen-Ciphertext Security from Subset Sum PKC 2016, 07.03.2016 Sebastian Faust 1 Daniel Masny 1

Chosen-Ciphertext Security from Subset Sum PKC 2016, 07.03.2016 Sebastian Faust 1 Daniel Masny 1 Daniele Venturi 2 1 Ruhr Universitt Bochum 2 Sapienza University of Rome 1 Outline 1 Our Contribution 2 Subset Sum 3 CCA secure PKE 4 Tag-Based

965 views • 80 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

580 views • 30 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven

Leaky Processors: Stealing Your Secrets with Foreshadow Jo Van Bulck imec-DistriNet, KU Leuven jo.vanbulck@cs.kuleuven.be jovanbulck OWASP BeNeLux-Days, November 30, 2018 A primer on software security Secure program: convert all input

1.27k views • 77 slides
WORK STEALING SCHEDULER 2 6/16/2010 Work Stealing Scheduler

WORK STEALING SCHEDULER 2 6/16/2010 Work Stealing Scheduler

1 6/16/2010 Work Stealing Scheduler WORK STEALING SCHEDULER 2 6/16/2010 Work Stealing Scheduler Announcements Text books Assignment 1 Assignment

476 views • 32 slides
Stealing Machine Learning Models via Prediction APIs Florian Tramr, Fan Zhang, Ari Juels,

Stealing Machine Learning Models via Prediction APIs Florian Tramr, Fan Zhang, Ari Juels,

Stealing Machine Learning Models via Prediction APIs Florian Tramr, Fan Zhang, Ari Juels, Michael K. Reiter, Thomas Ristenpart Usenix Security Symposium Austin, Texas, USA August, 11 th 2016 Machine Learning (ML) Systems (1) Gather labeled

213 views • 17 slides
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security notion: chosen-ciphertext security

1.16k views • 83 slides
Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES

Security CSC 249 April 10, 2018 Network Security Symmetric Key Cryptography Caesar cipher DES and AES Public Key Cryptography 2 1 Cryptographic Keys Alices Bobs K A encryption decryption K B key key ciphertext encryption

381 views • 12 slides
+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An

+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An

+ Cyber Security CS301 Fundamentals of Computer Science United States Military Academy + An Exercise in Cyber Security n Your identity is a valuable thing that is worth stealing. n Previous courses: how to protect yourself n This

324 views • 15 slides
Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3

Caesar Cipher Example plaintext: Z O O plaintext as numbers: 25 14 14 use key = 3 ciphertext as numbers: 28 17 17 ciphertext: C R R Groupwork 1. Log into our discord server. 2. Leave yourself muted on the main zoom call; I

434 views • 31 slides
Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits

Stealing From Thieves: Breaking IonCube VM to RE Exploit Kits Mohamed Saher (@halsten) About @halsten Reverse Engineering Automa5on of RE tasks

687 views • 52 slides
Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine, Oncology, and Health Sciences Informatics Vice Chair of Medicine for Data Integrity and Analytics Johns Hopkins Medical Institutions sray@jhmi.edu

576 views • 25 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified in transit Mihir Bellare

989 views • 46 slides
Clarification about attacker power Block ciphers used to encode messages longer than block size

Clarification about attacker power Block ciphers used to encode messages longer than block size

ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Clarification about attacker power Block ciphers used to encode messages longer than block size In security

405 views • 4 slides
A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of operation CRIME + Gzip compression + Compression + encryption leak data TIME + Timing + compression leak data Attacking responses 2

425 views • 41 slides
Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore? Store sensitive parameters of an Ada server : Database connection passwords API secret keys Tool to store sensitive information :

266 views • 24 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization and country in the chat Function: Example: Peter Pan, Office of the Auditor General, Never Never Land Please use the chat function to communicate

373 views • 34 slides

More recommend