CS555 Topic 4 1
Computer Security
CS 526
Topic 4
Cryptography: Semantic Security, Block
Ciphers and Encryption Modes
Readings for This Lecture
• Required reading from Wikipedia:
– Block Cipher
– Ciphertext Indistinguishability
– Block cipher modes of operation
Notation for Symmetric-key Encryption
• A symmetric-key encryption scheme is comprised of three algorithms
– Gen, the key generation algorithm
• The algorithm must be probabilistic/randomized
• Output: a key k
– Enc, the encryption algorithm
• Input: key k, plaintext m
• Output: ciphertext c := Enc_k(m)
– Dec, the decryption algorithm
• Input: key k, ciphertext c
• Output: plaintext m := Dec_k(c)
Requirement: for all keys k and all messages m, Dec_k(Enc_k(m)) = m
Randomized vs. Deterministic Encryption
• Encryption can be randomized,
– i.e., for the same message and the same key, running the encryption algorithm twice results in two different ciphertexts
– E.g., Enc_k[m] = (r, PRNG[k||r] ⊕ m), i.e., the ciphertext includes two parts, a randomly generated r, and a second part that masks m with a keystream derived from k and r
• Decryption is deterministic in the sense that
– For the same ciphertext and the same key, running the decryption algorithm twice always results in the same plaintext
• Each key induces a one-to-many mapping from the plaintext space to the ciphertext space
– Corollary: the ciphertext space must be equal to or larger than the plaintext space
Towards Computational Security
• Perfect secrecy is too difficult to achieve.
• Computational security uses two relaxations:
– Security is preserved only against efficient
(computationally bounded) adversaries
• Adversary can only run in feasible amount of time
– Adversaries can potentially succeed with some very small probability (so small that we can ignore the case where it actually happens)
• Two approaches to formalize computational security: concrete and asymptotic
The Concrete Approach
• Quantifies the security by explicitly bounding the maximum
success probability of adversary running with certain time:
– “A scheme is (t, ε)-secure if every adversary running for time at most t succeeds in breaking the scheme with probability at most ε”
– Example: a strong encryption scheme with n-bit keys may be expected to be (t, t/2^n)-secure.
• n = 128, t = 2^60, then ε = 2^-68. (# of seconds since the big bang is 2^58)
• Makes more sense with symmetric encryption schemes because they use fixed key lengths.
The Asymptotic Approach
• A cryptosystem has a security parameter
– E.g., number of bits in the RSA algorithm (1024,2048,…)
• Typically, the key length depends on the security parameter
– The bigger the security parameter, the longer the key, the more time
it takes to use the cryptosystem, and the more difficult it is to break
the scheme
• The cryptosystem must be efficient, i.e., run in time polynomial in the security parameter
• “A scheme is secure if every Probabilistic Polynomial Time (PPT) algorithm succeeds in breaking the scheme with only negligible probability”
– “negligible” roughly means goes to 0 exponentially fast as the security parameter increases
Defining Security
• Desire “semantic security”, i.e., having access to the ciphertext does not help the adversary compute any function of the plaintext.
– Difficult to use directly in proofs
• Equivalent notion: the adversary cannot distinguish between the ciphertexts of two plaintexts
Towards IND-CPA Security
• Ciphertext Indistinguishability under a Chosen-Plaintext Attack: define the following IND-CPA experiment:
– Involving an Adversary and a Challenger
– Instantiated with an Adversary algorithm A, and an encryption scheme Π = (Gen, Enc, Dec)
[Figure: the IND-CPA experiment. Challenger: k ← Gen(); b ←R {0,1}. Adversary (with oracle access to Enc_k[·]): chooses m0, m1 ∈ M and sends m0, m1. Challenger returns C = Enc_k[m_b]. Adversary outputs b' ∈ {0,1}. Adversary wins if b = b'.]
The IND-CPA Experiment Explained
• A key k is generated by Gen()
• Adversary is given oracle access to Enc_k(·)
– Oracle access: one gets its question answered without learning any additional information (in particular, not k)
• Adversary outputs a pair of equal-length messages m0 and m1
• A random bit b is chosen, and the adversary is given Enc_k(m_b)
– Called the challenge ciphertext
• Adversary does any computation it wants, while still having oracle access to Enc_k(·), and outputs b'
• Adversary wins if b = b'
CPA-secure (aka IND-CPA security)
• An encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryption under a chosen-plaintext attack (i.e., is IND-CPA secure) iff for every PPT adversary A there exists a negligible function negl such that
• Pr[A wins in IND-CPA experiment] ≤ ½ + negl(n)
• No deterministic encryption scheme is CPA-secure. Why?
Another (Equivalent) Explanation of IND-CPA Security
• Ciphertext indistinguishability under chosen plaintext attack (IND-CPA)
– Challenger chooses a random key K
– Adversary chooses a number of messages and obtains their ciphertexts
under key K
– Adversary chooses two equal-length messages m0 and m1, sends them to a
Challenger
– Challenger generates C=EK[mb], where b is a uniformly randomly chosen bit,
and sends C to the adversary
– Adversary outputs b’ and wins if b=b’
– Adversary advantage is | Pr[Adv wins] – ½ |
– Adversary should not have a non-negligible advantage
• E.g., less than 1/2^80 when the adversary is limited to a certain amount of computation;
• decreases exponentially with the security parameter (typically the length of the key)
Intuition of IND-CPA security
• Perfect secrecy means that any plaintext is encrypted to
a given ciphertext with the same probability, i.e., given
any pair of M0 and M1, the probabilities that they are
encrypted into a ciphertext C are the same
– Hence no adversary can tell whether C is ciphertext of M0 or M1.
• IND-CPA means
– With bounded computational resources, the adversary cannot tell
which of M0 and M1 is encrypted in C
• Stream ciphers can be used to achieve IND-CPA security when the
underlying PRNG is cryptographically strong
– (i.e., generating sequences that cannot be distinguished from random,
even when related seeds are used)
Computational Security vs. Information Theoretic Security
• If a cipher has only computational security, then
it can be broken by a brute force attack, e.g.,
enumerating all possible keys
– Weak algorithms can be broken with much less time
• How to prove computational security?
– Assume that some problem is hard (requires a lot of computational resources to solve), then show that breaking the security of the scheme means solving that problem
• Computational security is the foundation of modern cryptography.
Why Block Ciphers?
• One way of defeating frequency analysis
– Use different keys in different locations
– Example: one-time pad, stream ciphers
• Another way to defeat frequency analysis
– Make the unit of transformation larger: rather than encrypting letter by letter, encrypt block by block
– Example: block cipher
Block Ciphers
• An n-bit plaintext is encrypted to an n-bit ciphertext
– P : {0,1}^n
– C : {0,1}^n
– K : {0,1}^s
– E: K × P → C; E_k is a permutation on {0,1}^n
– D: K × C → P; D_k is E_k^-1
– Block size: n
– Key size: s
Data Encryption Standard (DES)
• Designed by IBM, with modifications proposed by the
National Security Agency
• US national standard from 1977 to 2001
• De facto standard
• Block size is 64 bits;
• Key size is 56 bits
• Has 16 rounds
• Designed mostly for hardware implementations
– Software implementation is somewhat slow
• Considered insecure now
– vulnerable to brute-force attacks
• Triple DES: E_k3(D_k2(E_k1(M))) has 112-bit strength, but is slow
Attacking Block Ciphers
• Types of attacks to consider
– known plaintext: given several pairs of plaintexts and
ciphertexts, recover the key (or decrypt another block
encrypted under the same key)
– how would chosen plaintext and chosen ciphertext be
defined?
• Standard attacks
– exhaustive key search
– dictionary attack
– differential cryptanalysis, linear cryptanalysis
• Side channel attacks.
DES’s main vulnerability is short key size.
Chosen-Plaintext Dictionary Attacks Against Block Ciphers
• Construct a table with the following entries
– (K, EK[0]) for all possible key K
– Sort based on the second field (ciphertext)
– How much time does this take?
• To attack a new key K (under chosen-message attacks)
– Choose the plaintext 0, obtain its ciphertext C, look C up in the table, and find the corresponding key
– How much time does this step take?
• Trade off space for time
Advanced Encryption Standard
• In 1997, NIST made a formal call for algorithms stipulating
that the AES would specify an unclassified, publicly
disclosed encryption algorithm, available royalty-free,
worldwide.
• Goal: replace DES for both government and private-sector
encryption.
• The algorithm must implement symmetric key cryptography
as a block cipher and (at a minimum) support block sizes of
128-bits and key sizes of 128-, 192-, and 256-bits.
• In 1998, NIST selected 15 AES candidate algorithms.
• On October 2, 2000, NIST selected Rijndael (invented by Joan Daemen and Vincent Rijmen) as the AES.
AES Features
• Designed to be efficient in both hardware
and software across a variety of platforms.
• Block size: 128 bits
• Variable key size: 128, 192, or 256 bits.
• No known weaknesses
Need for Encryption Modes
• A block cipher encrypts only one block
• Needs a way to extend it to encrypt an arbitrarily
long message
• Want to ensure that if the block cipher is secure,
then the encryption is secure
• Aims at providing Semantic Security (IND-CPA)
assuming that the underlying block ciphers are
strong
Block Cipher Encryption Modes: ECB
• Message is broken into independent blocks;
• Electronic Code Book (ECB): each block
encrypted separately.
• Encryption: ci = Ek(xi)
• Decryption: xi = Dk(ci)
Properties of ECB
• Deterministic:
– the same data block gets encrypted the same way,
• reveals patterns of data when a data block repeats
– when the same key is used, the same message is
encrypted the same way
• Usage: not recommended to encrypt more than
one block of data
• How to break the semantic security (IND-CPA)
of a block cipher with ECB?
DES Encryption Modes: CBC
• Cipher Block Chaining (CBC):
– Uses a random Initial Vector (IV)
– Next input depends upon previous output
Encryption: C_i = E_k(M_i ⊕ C_{i-1}), with C_0 = IV
Decryption: M_i = C_{i-1} ⊕ D_k(C_i), with C_0 = IV
[Figure: CBC encryption chain. C_0 = IV; M1 ⊕ C_0 → E_k → C1; M2 ⊕ C1 → E_k → C2; M3 ⊕ C2 → E_k → C3]
Properties of CBC
• Randomized encryption: repeated text gets mapped to
different encrypted data.
– can be proven to provide IND-CPA assuming that the block cipher
is secure (i.e., it is a Pseudo Random Permutation (PRP)) and that
IV’s are randomly chosen and the IV space is large enough (at
least 64 bits)
• Each ciphertext block depends on all preceding plaintext
blocks.
• Usage: choose a random IV and protect the integrity of the IV
– The IV is not secret (it is part of ciphertext)
– The adversary cannot control the IV
Encryption Modes: CTR
• Counter Mode (CTR): Defines a stream cipher using a
block cipher
– Uses a random IV, known as the counter
– Encryption: C_0 = IV, C_i = M_i ⊕ E_k[IV+i]
– Decryption: IV = C_0, M_i = C_i ⊕ E_k[IV+i]
[Figure: CTR encryption. C_0 = IV; C1 = M1 ⊕ E_k[IV+1]; C2 = M2 ⊕ E_k[IV+2]; C3 = M3 ⊕ E_k[IV+3]]
Properties of CTR
• Gives a stream cipher from a block cipher
• Randomized encryption:
– when starting counter is chosen randomly
• Random Access: encryption and decryption of
a block can be done in random order, very
useful for hard-disk encryption.
– E.g., when one block changes, re-encryption only
needs to encrypt that block. In CBC, all later
blocks also need to change
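An added, runnable illustration (not code from the slides) of the ECB/CBC/CTR modes above and of the earlier question "why is no deterministic encryption scheme CPA-secure?": a toy 16-byte Feistel block cipher with an HMAC-SHA256 round function stands in for E_k (an assumption so the example runs offline with the standard library; it is neither DES nor AES), the three modes are built on it exactly as the slide formulas state, and the IND-CPA experiment is run with an adversary that simply replays its oracle query.

```python
import hashlib
import hmac
import os
import secrets

BLOCK = 16  # toy block size in bytes (128-bit blocks, like AES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _F(k: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function (assumption: HMAC-SHA256 truncated to 8 bytes).
    return hmac.new(k, bytes([r]) + half, hashlib.sha256).digest()[:8]

def E(k: bytes, x: bytes) -> bytes:
    # 4-round Feistel network: (L, R) -> (R, L xor F(R)). A Feistel network is
    # always a permutation on {0,1}^n, which is all the modes need from E_k.
    L, R = x[:8], x[8:]
    for r in range(4):
        L, R = R, xor(L, _F(k, R, r))
    return L + R

def D(k: bytes, y: bytes) -> bytes:
    # E_k^-1: undo the rounds in reverse order.
    L, R = y[:8], y[8:]
    for r in reversed(range(4)):
        L, R = xor(R, _F(k, L, r)), L
    return L + R

def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example assumes block-aligned input (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, m):
    return b"".join(E(k, x) for x in blocks(m))          # c_i = E_k(x_i), deterministic

def cbc_encrypt(k, m, iv=None):
    prev = iv if iv is not None else os.urandom(BLOCK)   # C_0 = IV, sent in the clear
    out = [prev]
    for x in blocks(m):
        prev = E(k, xor(x, prev))                        # C_i = E_k(M_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, c):
    cs = blocks(c)
    return b"".join(xor(cs[i - 1], D(k, cs[i])) for i in range(1, len(cs)))  # M_i = C_{i-1} xor D_k(C_i)

def ctr_encrypt(k, m, iv=None):
    iv = iv if iv is not None else os.urandom(BLOCK)     # C_0 = IV, the starting counter
    ctr = int.from_bytes(iv, "big")
    ks = [E(k, ((ctr + i) % (1 << 128)).to_bytes(BLOCK, "big")) for i in range(1, len(m) // BLOCK + 1)]
    return iv + b"".join(xor(x, s) for x, s in zip(blocks(m), ks))   # C_i = M_i xor E_k[IV+i]

def ctr_decrypt(k, c):
    return ctr_encrypt(k, c[BLOCK:], iv=c[:BLOCK])[BLOCK:]  # same keystream: M_i = C_i xor E_k[IV+i]

def changed_blocks(c1: bytes, c2: bytes) -> list:
    # Ciphertext block indices (C_0 = IV) at which two ciphertexts differ.
    return [i for i, (a, b) in enumerate(zip(blocks(c1), blocks(c2))) if a != b]

def ind_cpa_game(enc, adversary) -> bool:
    # One run of the IND-CPA experiment from the slides.
    k = os.urandom(16)                                   # k <- Gen()
    oracle = lambda m: enc(k, m)                         # oracle access to Enc_k[.]
    m0, m1 = adversary.choose(oracle)                    # equal-length m0, m1
    b = secrets.randbelow(2)                             # b <-R {0,1}
    guess = adversary.guess(oracle, enc(k, (m0, m1)[b]))  # challenge C = Enc_k[m_b]
    return guess == b                                    # adversary wins iff b' = b

class ReplayAdversary:
    """Ask the oracle for Enc_k(m0) and compare it with the challenge. Against a
    deterministic scheme (ECB) the guess is always right; against CTR or CBC the
    oracle's fresh IV makes the comparison useless, so the win rate stays near 1/2."""
    def choose(self, oracle):
        self.m0 = b"\x00" * BLOCK
        return self.m0, b"\xff" * BLOCK

    def guess(self, oracle, challenge):
        return 0 if oracle(self.m0) == challenge else 1

def win_rate(enc, trials: int = 200) -> float:
    adv = ReplayAdversary()
    return sum(ind_cpa_game(enc, adv) for _ in range(trials)) / trials
```

With the same IV, changing one plaintext block alters exactly one CTR ciphertext block but every later CBC block, which is the random-access property above; note that re-encrypting different plaintexts under the same CTR counter also reveals the XOR of the two plaintext blocks, so a real disk-encryption scheme must account for that.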
Coming Attractions …
• Cryptography: Cryptographic Hash
Functions and Message
Authentication
14_526_topic04.ppt