Cryptography
Lecture 7
Arpita Patra
© Arpita Patra
Recall
>> New definitions for SKE
o cpa, cpa-security & cpa-mult-security
>> New assumptions
o PRF, PRP, SPRP
Today’s Goal
- cpa-secure scheme from PRF
- Proof of security
- Practical cpa-secure schemes from PRF/PRP/SPRP for long messages
o SSL (Secure Sockets Layer) 3.0,
o TLS (Transport Layer Security) 1.0
Minicrypt
Secret Key World: SKE, MAC
[Diagram: the Minicrypt picture. OWF, PRG and PRF are the primitives, with the numbered implications (1)-(7) linking them to SKE and MAC.]
Towards cpa-secure Scheme
Idea: sender and receiver share a truly random function f: {0,1}^n -> {0,1}^n, written as a table
  x_1 = 00000...0    ->  y_1 <-R {0,1}^n
  x_2 = 00000...1    ->  y_2 <-R {0,1}^n
  ...
  x_{2^n} = 11111...1  ->  y_{2^n} <-R {0,1}^n
Enc: pick an entry (x_i, y_i) of the table and output c = (x_i, m ⊕ y_i)
Dec: use x_i to look up y_i in the table and recover m = (m ⊕ y_i) ⊕ y_i
- The pad y_i is truly random, so every encryption is an instance of OTP
>> Problem with the above solution
--- the size of f is n·2^n bits
Fixed-length cpa-secure SKE from PRF
Secret PRF-key k (shared via key-agreement); K = {0,1}^n, M = {0,1}^n, C = {0,1}^{2n}
Gen: k <-R K
Enc_k(m), m ∈ M:
- r <-R {0,1}^n
- c = (r, m ⊕ F_k(r))
Dec_k(c = (c_0, c_1)), c ∈ C:
- m = c_1 ⊕ F_k(c_0)
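Added example (not from the lecture): the fixed-length scheme above in Python. HMAC-SHA256 truncated to n = 128 bits stands in for the PRF F_k (an assumption; the scheme only needs some PRF with that signature, and a block cipher would do as well). It shows the round trip and that the same message encrypts to a different ciphertext every time because r is fresh.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

N_BYTES = 16  # block length n = 128 bits, so K = M = {0,1}^n and C = {0,1}^2n


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the PRF F_k: {0,1}^n -> {0,1}^n.

    Assumption (not from the lecture): HMAC-SHA256 truncated to n bytes is
    used in place of a block cipher such as AES; any PRF with this signature
    can be dropped in here.
    """
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen: k <-R K."""
    return secrets.token_bytes(N_BYTES)


def enc(k: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """Enc_k(m): pick fresh r <-R {0,1}^n and output c = (r, m ⊕ F_k(r))."""
    if len(m) != N_BYTES:
        raise ValueError("fixed-length scheme: message must be exactly n bits")
    r = secrets.token_bytes(N_BYTES)  # fresh randomness is what gives CPA security
    return r, xor(m, prf(k, r))


def dec(k: bytes, c: Tuple[bytes, bytes]) -> bytes:
    """Dec_k(c = (c_0, c_1)): m = c_1 ⊕ F_k(c_0)."""
    c0, c1 = c
    return xor(c1, prf(k, c0))


def roundtrip_ok(k: bytes, m: bytes) -> bool:
    return dec(k, enc(k, m)) == m


def encryptions_are_distinct(k: bytes, m: bytes, trials: int = 8) -> bool:
    """The same message encrypts differently every time (fresh r), so an
    adversary who asked for Enc_k(m_0) in the CPA game cannot recognise the
    challenge ciphertext by equality, unlike with a deterministic scheme."""
    return len({enc(k, m) for _ in range(trials)}) == trials


if __name__ == "__main__":
    key = gen()
    msg = bytes(range(N_BYTES))  # constructed sample message
    print("roundtrip:", roundtrip_ok(key, msg))
    print("distinct ciphertexts:", encryptions_are_distinct(key, msg))
```

The proof on the board replaces F_k by a truly random function; in code that is exactly the table from the previous slide, which is why the scheme behaves like an OTP whenever r does not repeat.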
Security Proof
(Scheme as above: Gen: k <-R K; Enc_k(m): r <-R {0,1}^n, c = (r, m ⊕ F_k(r)); Dec_k(c = (c_0, c_1)): m = c_1 ⊕ F_k(c_0); K = M = {0,1}^n, C = {0,1}^{2n})
Theorem. If F_k is a PRF, then the scheme is CPA-secure.
Proof: On the board.
Recall Security Proof of PRG-based Scheme
Secret PRG-key k
>> Enc_k(m): c = m ⊕ G(k)
>> Dec_k(c): m = c ⊕ G(k)
Theorem. If G is a PRG, then the scheme is coa-secure.
Proof: Assume the scheme is not secure, i.e. there exist an adversary A and a polynomial p(n) such that
  Pr[PrivK^coa_A(n) = 1] > 1/2 + 1/p(n)
Build a distinguisher D for G from A. On input y ∈ {0,1}^n (is y a pseudorandom string (PRS) or a random string (RS)?), D runs PrivK^coa_A(n) with y in place of G(k):
- A outputs m_0, m_1 ∈ M with |m_0| = |m_1|
- D picks b <-R {0,1} and hands A the ciphertext c = m_b ⊕ y
- A outputs a guess b'; D outputs 1 if b = b', 0 otherwise
Then
  Pr[D(G(s)) = 1] = Pr[PrivK^coa_A(n) = 1] > 1/2 + 1/p(n)
  Pr[D(y) = 1] = 1/2 for uniform y (c is then a one-time-pad ciphertext, independent of b)
so D distinguishes G(s) from a uniform string with non-negligible advantage, contradicting that G is a PRG.
CPA-security for Arbitrary-length Messages
(Theoretical Construction)
Let (Gen, Enc, Dec) be a fixed-length CPA-secure scheme based on PRP/SPRP/PRF, supporting messages of length n.
To encrypt m = m_1 m_2 m_3 (each block of length n) under the key k output by Gen, encrypt every block independently:
  Enc_k(m_1): r_1 <-R {0,1}^n, (c_1, c_2) = (r_1, m_1 ⊕ F_k(r_1))
  Enc_k(m_2): r_2 <-R {0,1}^n, (c_3, c_4) = (r_2, m_2 ⊕ F_k(r_2))
  Enc_k(m_3): r_3 <-R {0,1}^n, (c_5, c_6) = (r_3, m_3 ⊕ F_k(r_3))
  Enc_k(m) = c_1 c_2 ... c_6
How Good it is?
Assume Message Blocks: l; |m| = l·n

                                       | Theoretical Construction | Finally (goal)
Randomness Usage                       | n / block -> ln          | n overall
Ciphertext Expansion                   | 2n / block -> 2ln        | ln + n
Ciphertext Computation Parallelizable  | Yes                      | Yes
Randomness Reusability                 | No                       | Yes
Minimal Assumption (PRF/PRP/SPRP)      | PRF                      | PRF
CPA Security                           | Yes                      | Yes
Block-cipher Modes of Operations
Given
- A length-preserving block cipher F (may be a PRF/PRP/SPRP) with block length n: a keyed algorithm F with k <-R {0,1}^n, x ∈ {0,1}^n and F_k(x) = F(k, x) ∈ {0,1}^n
Goal
- To encrypt a message m = m_1 m_2 ... m_l using F with ciphertext length as small as possible and with as little randomness as possible.
- Without loss of generality --- each m_i ∈ {0,1}^n
Electronic Code Book (ECB) Mode
k from Gen; m = m_1 m_2 m_3
Encryption: compute c_i = F_k(m_i) -- No randomness used at all!  (c_1 = F_k(m_1), c_2 = F_k(m_2), c_3 = F_k(m_3))
Decryption: compute m_i = F_k^{-1}(c_i)
Parallelizable!  |c| = |m|
>> Assumes F_k is SPRP.
>> Deterministic Encryption
CPA Security?
>> No. Not even coa security for multiple messages
Current Picture
Assume Message Blocks: l; |m| = l·n

                                       | Theoretical Construction | ECB Mode
Randomness Usage                       | n / block -> ln          | No randomness
Ciphertext Expansion                   | 2n / block -> 2ln        | ln
Ciphertext Computation Parallelizable  | Yes                      | Yes
Randomness Reusability                 | No                       | ---
Minimal Assumption (PRF/PRP/SPRP)      | PRF                      | SPRP
CPA Security                           | Yes                      | NO
Cipher Block Chaining (CBC) Mode
k from Gen; m = m_1 m_2 m_3; c_0 = IV <-R {0,1}^n
Encryption: c_i = F_k(m_i ⊕ c_{i-1}), for i = 1, ..., l   (c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2))
Decryption: m_i = F_k^{-1}(c_i) ⊕ c_{i-1}, for i = 1, ..., l
Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l)
>> Assumes F_k is SPRP.
Blockwise Parallel Computation?
>> NO
CPA Security?
>> Randomized Encryption. Provides CPA security. HW
Current Picture
Assume Message Blocks: l; |m| = l·n

                                       | Theoretical Construction | ECB Mode      | CBC Mode
Randomness Usage                       | n / block -> ln          | No randomness | n
Ciphertext Expansion                   | 2n / block -> 2ln        | ln            | ln + n
Ciphertext Computation Parallelizable  | Yes                      | Yes           | NO
Randomness Reusability                 | No                       | ---           | ---
Minimal Assumption (PRF/PRP/SPRP)      | PRF                      | SPRP          | SPRP
CPA Security                           | Yes                      | NO            | YES
IV Misuse in CBC Mode
[Diagram: CBC encryption of m_1 m_2 m_3 under k with c_0 = IV, c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2)]
Is choosing a distinct (rather than uniformly random) IV enough? It would save randomness.
Unfortunately this version of CBC mode is not cpa-secure -- Assignment
IV misuse in CBC Mode
[Diagram: the same CBC encryption of m_1 m_2 m_3 with c_0 = IV, c_i = F_k(m_i ⊕ c_{i-1})]
Can the last ciphertext block of the previous message act as the IV for the next encryption?
Bandwidth and randomness saving
IV misuse in CBC Mode
Ideal way of encrypting two messages via CBC mode:
  M_1 = m_1 m_2 m_3 with a fresh IV_1: c_0 = IV_1, c_1 = F_k(m_1 ⊕ c_0), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2)
  M_2 = m_4 m_5 m_6 with a fresh IV_2: c_4 = IV_2, c_5 = F_k(m_4 ⊕ c_4), c_6 = F_k(m_5 ⊕ c_5), c_7 = F_k(m_6 ⊕ c_6)
Can the last ciphertext block of the previous message act as the IV for the next encryption?
Bandwidth and randomness saving
IV misuse in CBC Mode - Chained CBC
Chained CBC mode: M_1 = m_1 m_2 m_3 is encrypted with c_0 = IV_1 and c_i = F_k(m_i ⊕ c_{i-1}) for i = 1, 2, 3; then M_2 = m_4 m_5 m_6 is encrypted using c_3 as its IV: c_4 = F_k(m_4 ⊕ c_3), c_5 = F_k(m_5 ⊕ c_4), c_6 = F_k(m_6 ⊕ c_5)
Can the last ciphertext block of the previous message act as the IV for the next encryption?
>> Bandwidth and randomness saving
>> Stateful variant of CBC
>> It is "equivalent" to encrypting a single large message M = M_1 || M_2 via CBC mode
CPA security?
>> Yet NOT CPA-secure
Chained CBC mode --- used in SSL 3.0 and TLS 1.0; exploited by the BEAST attack on SSL/TLS
Lesson: no modifications to crypto schemes, even if the modifications look benign
Output Feedback (OFB) Mode
k from Gen; y_0 = IV <-R {0,1}^n; c_0 = y_0
Pseudorandom pad stream (independent of m): y_1 = F_k(y_0), y_2 = F_k(y_1), y_3 = F_k(y_2), ...
Masking: c_1 = y_1 ⊕ m_1, c_2 = y_2 ⊕ m_2, c_3 = y_3 ⊕ m_3, ...
Encryption: Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l)
- First generate a pseudorandom stream of pad (independent of m)
- Use the pseudorandom stream for masking m
Decryption: m_i = F_k(y_{i-1}) ⊕ c_i
PRF enough!
Not parallelizable but pre-computable
CPA-secure! The chained version too!
Current Picture
Assume Message Blocks: l; |m| = l·n

                                       | Theoretical Construction | ECB Mode      | CBC Mode | OFB Mode
Randomness Usage                       | n / block -> ln          | No randomness | n        | n
Ciphertext Expansion                   | 2n / block -> 2ln        | ln            | ln + n   | ln + n
Ciphertext Computation Parallelizable  | Yes                      | Yes           | NO       | NO (but precomputable)
Randomness Reusability                 | No                       | ---           | ---      | YES
Minimal Assumption (PRF/PRP/SPRP)      | PRF                      | SPRP          | SPRP     | PRF
CPA Security                           | Yes                      | NO            | YES      | YES
Counter (CTR) Mode
k from Gen; CTR <-R {0,1}^n; c_0 = CTR
Pseudorandom stream: y_i = F_k(CTR + i mod 2^n), i.e. y_1 = F_k(CTR + 1), y_2 = F_k(CTR + 2), y_3 = F_k(CTR + 3), ...
Masking: c_1 = y_1 ⊕ m_1, c_2 = y_2 ⊕ m_2, c_3 = y_3 ⊕ m_3, ...
Encryption: Enc_k(m_1 m_2 ... m_l) = (c_0 c_1 ... c_l); Decryption: easy (recompute the same stream and XOR); PRF enough!
Same idea as in OFB mode: pseudorandom stream followed by masking
However everything can now be parallelized
Highly attractive features
- Encryption / decryption can be parallelized
- Can decrypt a specific ciphertext block by just one invocation of F
- Chained/Stateful variant is CPA-secure
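Added example (not from the lecture or from any library): the four modes above implemented in Python over a toy Feistel permutation, so that ECB and CBC can be decrypted as well (they need F_k^{-1}, which is why those two modes assume an SPRP). The Feistel cipher, its HMAC-SHA256 round function and the 16-byte block size are assumptions chosen for this example; messages are taken to be a whole number of blocks, as in the WLOG assumption earlier. The functions exercise the properties tabulated above: ECB leaks equal blocks, CBC/OFB/CTR are randomized, OFB and CTR use only the forward direction of F, and CTR decrypts any single block with one call to F.

```python
import hashlib
import hmac
import secrets

BLOCK = 16   # block length n = 128 bits (assumption for this example)
HALF = BLOCK // 2
ROUNDS = 4

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(k, i, half):
    # Feistel round function keyed by k and the round index i (assumption: HMAC-SHA256)
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def F(k, x):
    """Toy keyed permutation F_k on n-bit blocks: a 4-round Feistel network, a
    stand-in for a real SPRP such as AES, constructed for this example only."""
    assert len(x) == BLOCK
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round_fn(k, i, r))
    return l + r

def F_inv(k, y):
    """F_k^{-1}: undo the Feistel rounds in reverse order (needed by ECB and CBC only)."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round_fn(k, i, l)), l
    return l + r

def blocks(data):
    # Messages are taken to be a whole number of blocks (the lecture's WLOG assumption).
    assert len(data) % BLOCK == 0
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: c_i = F_k(m_i). Deterministic, no IV; decryption needs F_k^{-1}.
def ecb_enc(k, m):
    return b"".join(F(k, mi) for mi in blocks(m))

def ecb_dec(k, c):
    return b"".join(F_inv(k, ci) for ci in blocks(c))

# CBC: c_0 = IV, c_i = F_k(m_i ⊕ c_{i-1}). Encryption is inherently sequential.
def cbc_enc(k, m, iv=None):
    c = [secrets.token_bytes(BLOCK) if iv is None else iv]
    for mi in blocks(m):
        c.append(F(k, xor(mi, c[-1])))
    return b"".join(c)

def cbc_dec(k, c):
    cs = blocks(c)
    return b"".join(xor(F_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

# OFB: y_0 = IV, y_i = F_k(y_{i-1}), c_i = y_i ⊕ m_i. Forward F only; stream is precomputable.
def ofb_stream(k, y0, count):
    ys, y = [], y0
    for _ in range(count):
        y = F(k, y)          # depends only on k and the IV, not on m
        ys.append(y)
    return ys

def ofb_enc(k, m, iv=None):
    iv = secrets.token_bytes(BLOCK) if iv is None else iv
    ms = blocks(m)
    return iv + b"".join(xor(y, mi) for y, mi in zip(ofb_stream(k, iv, len(ms)), ms))

def ofb_dec(k, c):
    cs = blocks(c)
    return b"".join(xor(y, ci) for y, ci in zip(ofb_stream(k, cs[0], len(cs) - 1), cs[1:]))

# CTR: c_0 = CTR, y_i = F_k(CTR + i mod 2^n), c_i = y_i ⊕ m_i. Every block is independent.
def ctr_pad(k, ctr, i):
    x = (int.from_bytes(ctr, "big") + i) % (1 << (8 * BLOCK))
    return F(k, x.to_bytes(BLOCK, "big"))

def ctr_enc(k, m, ctr=None):
    ctr = secrets.token_bytes(BLOCK) if ctr is None else ctr
    return ctr + b"".join(xor(ctr_pad(k, ctr, i), mi) for i, mi in enumerate(blocks(m), 1))

def ctr_dec(k, c):
    cs = blocks(c)
    return b"".join(xor(ctr_pad(k, cs[0], i), ci) for i, ci in enumerate(cs[1:], 1))

def ctr_dec_block(k, c, i):
    """Random access: recover plaintext block i (1-based) with a single call to F."""
    cs = blocks(c)
    return xor(ctr_pad(k, cs[0], i), cs[i])

def ecb_leaks_equal_blocks(k, m):
    """ECB is deterministic: two plaintext blocks are equal exactly when their
    ciphertext blocks are equal, which is the structure the encrypted-image
    example later in the lecture makes visible."""
    ms, cs = blocks(m), blocks(ecb_enc(k, m))
    n = len(ms)
    return all((ms[i] == ms[j]) == (cs[i] == cs[j]) for i in range(n) for j in range(n))
```

Note which functions call F_inv: only ecb_dec and cbc_dec. OFB and CTR never invert F, which is the concrete reason a PRF suffices for them while ECB and CBC need an SPRP.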
Current Picture
Assume Message Blocks: l; |m| = l·n

                                       | Theoretical Construction | ECB Mode      | CBC Mode | OFB Mode               | CTR Mode
Randomness Usage                       | n / block -> ln          | No randomness | n        | n                      | n
Ciphertext Expansion                   | 2n / block -> 2ln        | ln            | ln + n   | ln + n                 | ln + n
Ciphertext Computation Parallelizable  | Yes                      | Yes           | NO       | NO (but precomputable) | YES
Randomness Reusability                 | No                       | ---           | ---      | YES                    | YES
Minimal Assumption (PRF/PRP/SPRP)      | PRF                      | SPRP          | SPRP     | PRF                    | PRF
CPA Security                           | Yes                      | NO            | YES      | YES                    | YES
Some Practical Issues
Block length in practice
- CBC, OFB, CTR modes use a random IV as the starting point
 o For randomizing the encryption process
 o Ensures that each invocation of F is on a "fresh" input (w.h.p.)
 o If two invocations of F are on the same input --- security issues
- Ideal size of IV? --- depends on the block length supported by F
 o Say the block length supported by F is l
 o Birthday paradox: in CTR mode, IV will be a uniform string of l bits, so after 2^{l/2} encryptions the IV will repeat with constant probability
 o If l is too short, then impractical security (even if F is an SPRP)
 o DES with l = 64 --- IV repetition after 2^32 ≈ 4,300,000,000 encryptions
 o Approximately 32 GB of plaintexts --- may not be too large for all applications
Some Practical Issues
IV misuse
- Assumption made: a uniform IV is selected as the starting point
- What if the assumption goes wrong (say due to poor randomness generation, incorrect implementation, etc.)?
- Problems if the IV is repeated
 o In the CTR and OFB modes, the same pseudorandom stream will be generated
 o Two messages XORed with the same stream --- serious security breach
 o In the CBC mode, the effect is not that serious
 o After a few blocks, the inputs to F will "diverge" (blocks of m are also part of the input)
- Solution against IV misuse
 o Use CBC mode
 o Or stateful OFB / CTR mode
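Added example (not from the lecture): the two practical issues above, the birthday bound on IV repetition and the effect of a repeated IV in each mode, made concrete in Python. HMAC-SHA256 truncated to the block length stands in for the forward direction of F (an assumption; no inverse is needed for these checks), and the keys, IVs and plaintexts are constructed for the demonstration. Under a reused IV the CTR and OFB ciphertexts hand out m_1 ⊕ m_2 block for block, whereas CBC ciphertexts agree only for as long as the plaintexts do; the birthday simulation shows the repeat rate at 2^{l/2} encryptions, using a short l so it runs in seconds.

```python
import hashlib
import hmac
import random

BLOCK = 16  # block length n = 128 bits (assumption for this example)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(k, x):
    """Forward direction of the block cipher is all these demonstrations need.
    Stand-in (assumption, not from the lecture): HMAC-SHA256 truncated to n bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def blocks(d):
    assert len(d) % BLOCK == 0  # whole blocks only, as in the lecture's WLOG assumption
    return [d[i:i + BLOCK] for i in range(0, len(d), BLOCK)]

def ctr_stream(k, ctr, count):
    """y_i = F_k(CTR + i mod 2^n), i = 1..count."""
    base = int.from_bytes(ctr, "big")
    return [F(k, ((base + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")) for i in range(1, count + 1)]

def ofb_stream(k, iv, count):
    """y_i = F_k(y_{i-1}) with y_0 = IV, i = 1..count."""
    ys, y = [], iv
    for _ in range(count):
        y = F(k, y)
        ys.append(y)
    return ys

def stream_encrypt(stream, m):
    return b"".join(xor(y, mi) for y, mi in zip(stream, blocks(m)))

def cbc_encrypt(k, iv, m):
    """Returns c_1..c_l of CBC mode (c_0 = iv is omitted)."""
    cs = [iv]
    for mi in blocks(m):
        cs.append(F(k, xor(mi, cs[-1])))
    return cs[1:]

def ciphertext_xor_under_reused_iv(k, iv, m1, m2, mode):
    """What an observer of two CTR/OFB ciphertexts made with the same IV can compute:
    the pad stream is identical, so c1 ⊕ c2 = m1 ⊕ m2 for every block."""
    count = len(m1) // BLOCK
    stream = ctr_stream(k, iv, count) if mode == "ctr" else ofb_stream(k, iv, count)
    return xor(stream_encrypt(stream, m1), stream_encrypt(stream, m2))

def cbc_equal_prefix_under_reused_iv(k, iv, m1, m2):
    """CBC with a repeated IV: ciphertext blocks agree only while the plaintext blocks
    agree; from the first differing block on, the inputs to F diverge because the
    plaintext is chained in. Returns the number of leading equal ciphertext blocks."""
    c1, c2 = cbc_encrypt(k, iv, m1), cbc_encrypt(k, iv, m2)
    n = 0
    for a, b in zip(c1, c2):
        if a != b:
            break
        n += 1
    return n

def iv_repeat_rate(iv_bits, encryptions, trials=4000, seed=7):
    """Birthday paradox, empirically: the fraction of runs in which a uniform
    iv_bits-bit IV repeats within `encryptions` encryptions. With
    encryptions = 2^(iv_bits/2) this settles around 0.39 regardless of iv_bits,
    which is the 'constant probability' on the slide. Seeded PRNG; constructed simulation."""
    rng = random.Random(seed)
    repeats = 0
    for _ in range(trials):
        seen = set()
        for _ in range(encryptions):
            iv = rng.getrandbits(iv_bits)
            if iv in seen:
                repeats += 1
                break
            seen.add(iv)
    return repeats / trials

if __name__ == "__main__":
    k, iv = b"\x02" * BLOCK, b"\x03" * BLOCK                     # constructed key and IV
    m1 = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK               # constructed plaintexts
    m2 = b"A" * BLOCK + b"X" * BLOCK + b"C" * BLOCK
    print("CTR leak equals m1 xor m2:", ciphertext_xor_under_reused_iv(k, iv, m1, m2, "ctr") == xor(m1, m2))
    print("CBC equal prefix blocks:", cbc_equal_prefix_under_reused_iv(k, iv, m1, m2))
    print("16-bit IV repeat rate after 2^8 encryptions:", iv_repeat_rate(16, 256))
```

The CBC result is the divergence the slide describes: an observer still learns which leading blocks of the two messages coincide, so a repeated IV in CBC is a smaller leak than in CTR/OFB, not no leak at all. That is why the listed remedies are CBC or a stateful counter, never plain IV reuse.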
Insecurity of ECB Mode: A Practical Example
- Think of some practical situation where encrypting using ECB mode is indeed dangerous
- Suppose you want to encrypt a black and white image using ECB mode
 o Say a group of pixels in the image corresponds to one block of F
[Figure: the image to be encrypted; the same image encrypted in ECB mode; the image encrypted via a secure mode. Source: Wikipedia, with the image derived from Larry Ewing using GIMP]
Block-cipher Modes of Operations: Some Practical Issues
- Message transmission errors (non-adversarial)
 o Dropped packets, changed bits, etc.
 o Different modes of operation have different effects
 o Standard solutions --- error-correction, re-transmission
- Message transmission errors (adversarial)
 o What if the adversary "changes" ciphertext contents?
 o Issue of message integrity / authentication
 o Will be discussed in detail later