Instructor: Adam O’Neill
[email protected]
COSC530, Georgetown University, Fall 2015
COSC 530: Lecture Notes on Symmetric-Key Encryption
Symmetric-key encryption is the first “higher-level” cryptographic primitive we look at. The
lower-level primitive it is built out of is a blockcipher.
0.1
Syntax and Correctness
A symmetric-key encryption scheme SE = (K, E, D) with message-space M works as follows. The
randomized key generation algorithm K outputs a key K. The randomized or stateful encryption
algorithm K on inputs a key K and message m outputs a ciphertext c. The deterministic decryption
algorithm on inputs a key K and ciphertext c outputs a message m or the special error symbol ⊥
(read as “bottom’). For correctness we require that for all K output by K and all m ∈ M, we have
Pr [ DK (EK (m)) = m ] = 1 .
where the probability is over the coins of the encryption algorithm.
0.2
Indistinguishability under Chosen-Plaintext Attack
As in the case of blockciphers, we want a “master property” that captures security for symmetric-key
encryption. This is called indistinguishability under chosen-plaintext attack or IND-CPA security.
Let SE = (K, E, D) be a symmetric-key encryption scheme. Define games LEFTSE and RIGHTSE
as follows:
Game LEFTSE
proc Initialize
K ←$ K
proc Finalize(b)
Return (b = 1)
proc LR(M0 , M1 )
Return EK (M0 )
Game RIGHTSE
proc Initialize
K ←$ K
proc Finalize(b)
Return (b = 1)
proc LR(M0 , M1 )
Return EK (M1 )
We define the IND-CPA advantage of adversary A against SE as
-cpa (A) = Pr [ RIGHT (A) outputs 1 ] − Pr [ LEFT (A) outputs 1 ] .
Advind
SE
SE
SE
As usual the probability is over any coins used in the game as well as those of the adversary.
1
Instructor: Adam O’Neill
[email protected]
COSC530, Georgetown University, Fall 2015
0.3
Modes of Operation and Their Security
Modes of operation are ways to build a symmetric-key encryption scheme out of a blockcipher.
In class, we defined ECB, CTR-$, CTR-C, CBC-$, and CBC-C. We saw that CTR-$, CTR-C,
and CBC-$ are IND-CPA secure; the rest are not. But IND-CPA security is a qualitative notion;
the quantitative bounds in the associated security theorems differ. As an example let’s state the
associated security theorems for CTR-$ and CTR-C.
Theorem 0.1 Let E : K × {0, 1}n → {0, 1}n be a blockcipher. Let SE be the corresponding CTR-C
mode symmetric-key encryption scheme. Then for any IND-CPA adversary A that runs in time at
most t and makes at most q queries totaling σ blocks, there is a PRF adversary B such that
Advind-cpa (A) ≤ 2 · Advprf (B) .
E
SE
Furthermore, B runs in time t + O(q + nσ) and makes at most σ queries.
Theorem 0.2 Let E : K × {0, 1}n → {0, 1}n be a blockcipher. Let SE be the corresponding CTR-$
mode symmetric-key encryption scheme. Then for any IND-CPA adversary A that runs in time at
most t and makes at most q queries totaling σ blocks, there is a PRF adversary B such that
0.5σ 2
.
2n
Furthermore, B runs in time t + O(q + nσ) and makes at most σ queries.
-cpa (A) ≤ Advprf (B) +
Advind
E
SE
We proved these theorems in class. The idea is to consider a sequence of games, where the first
game corresponds to the “real” game and in the last game the adversary has no advantage. In this
case, the “real” game was formed by combining games LEFT and RIGHT above into a single game
that picks a bit b at random to determine which of these games to run; the game outputs whether
b = b0 where b0 is the adversary’s guess bit. Then we apply security of the PRF to transition to
the next game. The remaining games are information-theoretic, meaning we bound the probability
that b = b0 in them without using any assumption on the adversary. To prove the second theorem
we set flag bad when an input to E repeated across all of the computations done by the adversary’s
encryption oracle and applied the Fundamental Lemma of Game Playing. Finally, in the last game
the probability that b = b0 is exactly 1/2 since the adversary gets no information about b.
One can apply these theorems to bound the probability that the adversary can break the
encryption scheme in a given application. For example, suppose we are encryption 230 1KB messages
using AES in CTR-$ mode, so 236 blocks of data in total. Let A be an adversary attacking this
scheme. Applying the PRF/PRP switching lemma and assuming there is no better attack on AES
under the PRP notion than exhaustive key-search, the above Theorem tells us that A’s advantage
is at most (236 )2 /2128 + 0.5(236 )2 /2128 ≤ 2−55 , which is very small (according to a quick Google
search, there is a much higher probability of an asteroid hitting earth).
Does the fact that the bound is smaller for CTR-C mean we can encrypt more data securely
using this scheme? Not necessarily. As mentioned above, one should apply the PRP/PRF switching
lemma to obtain corresponding theorems under the PRP notion for E. In this case, the bounds are
basically the same same for both. However, an interesting observation is that CTR-C and CTR-$
do not use the fact that E is invertible to be able to decrypt (whereas the CBC modes do). This
means that we could design a family of functions to use in place of E that is not a permutation
and hence the birthday attack does not apply to it. In this case, we would not need to apply the
PRP/PRF switching lemma and the better bound for CTR-C would indeed mean we could encrypt
more data securely using this scheme than CTR-$. Do you have any ideas for how to design such
a function family?
2
Instructor: Adam O’Neill
[email protected]
COSC530, Georgetown University, Fall 2015
0.4
Semantic Security
We have said that IND-CPA is our “master property” that implies everything we could want in
terms of privacy for the message. For example, it implies the first bit is hidden, the XOR of the
bits are hidden, etc. One can prove these things by reduction. Is there some other way of justifying
this definitional choice that is more satisfying? The answer is to appeal to a more complicated but
more natural definition of security called “semantic security” (under chosen-plaintext attack).
Let SE = (K, E, D) be a symmetric-key encryption scheme. For a “distinguisher” D (which
outputs a bit) define games REALSE,D and IDEALSE,D as follows:
Game REALSE
proc Initialize
K ←$ K
proc Enc(M)
i ← i + 1 ; Mi ← M
mi ←$ M ; ci ←$ EK (mi )
Return ci
proc Finalize(St)
b ←$ D(St, m1 , . . . , mi , M1 , . . . , Mi )
Return b
Game IDEALSE,D
proc Initialize
proc Enc(M)
i ← i + 1 ; Mi ← M
mi ← $ M
Return |mi |
proc Finalize(St)
b ←$ D(St, m1 , . . . , mi , M1 , . . . , Mi )
Return b
We define the SS-CPA advantage of adversary A against distinguisher D, simulator S, and SE as
-cpa (A, D, S) = Pr [ REAL
Advss
SE,D (A) outputs 1 ] − Pr [ IDEALSE,D (S) outputs 1 ] .
SE
We say that SE is SS-CPA secure if for every efficient adversary A and every efficient distinguisher
-cpa
D there is an efficient simulator S such that Advss
REAL (A, D, S) is very small.
Above, the input to the encryption oracle ‘M’ is a message sampler, which is the description
of a randomized algorithm that outputs a message (equivalently, one can view M as describing an
efficiently sampleable probability distribution on the message space).
The definition above is quite complex. The idea is that it tests whether the adversary, given the
ciphertexts, can produce some value that the distinguisher recognizes as related to the underlying
messages, which no “simulator” who is not given any ciphertexts can similarly produce. This can
be viewed as a way of formalizing the intuition that the adversary does not “learn” anything about
the messages from the ciphertexts.
One can show that IND-CPA and SS-CPA are equivalent. We gave some intuition for this in
class.
3