Understanding Secure PRFs and PRPs in Cryptography

Slide Note
Embed
Share

Dive into the world of secure Pseudo-Random Functions (PRFs) and Pseudo-Random Permutations (PRPs) in cryptography. Learn about the definitions, security criteria, and examples of secure PRFs and PRPs such as 3DES and AES. Explore the concepts of secure block ciphers and key principles behind these cryptographic techniques.

tanyah
tanyah Follow

Uploaded on Sep 20, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Online Cryptography Course Dan Boneh Using block ciphers Review: PRPs and PRFs Dan Boneh

  2. Block ciphers: crypto work horse n bits n bits E, D PT Block CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2. AES: n=128 bits, k = 128, 192, 256 bits Dan Boneh

  3. Abstractly: PRPs and PRFs Pseudo Random Function (PRF) defined over (K,X,Y): F: K X Y such that exists efficient algorithm to evaluate F(k,x) Pseudo Random Permutation (PRP) defined over (K,X): E: K X X such that: 1. Exists efficient deterministic algorithm to evaluate E(k,x) 2. The function E( k, ) is one-to-one 3. Exists efficient inversion algorithm D(k,x) Dan Boneh

  4. Secure PRFs Let F: K X Y be a PRF Funs[X,Y]: the set of all functions from X to Y SF = { F(k, ) s.t. k K } Funs[X,Y] Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in SF SF Funs[X,Y] |X| Size |Y| Size |K| Dan Boneh

  5. Secure PRF: definition For b=0,1 define experiment EXP(b) as: b b=0: k K, f F(k, ) b=1: f Funs[X,Y] Chal. Adv. A x1 X , x2 , , xq f , , f(xq) f(x1) , f(x2) b {0,1} EXP(b) Def: F is a secure PRF if for all efficient A: AdvPRF[A,F] := |Pr[EXP(0)=1] Pr[EXP(1)=1] | is negligible. Dan Boneh

  6. Secure PRP (secure block cipher) For b=0,1 define experiment EXP(b) as: b b=0: k K, f E(k, ) b=1: f Perms[X] Chal. Adv. A x1 X , x2, , xq f f(x1) , f(x2), , f(xq) b {0,1} Def: E is a secure PRP if for all efficient A: AdvPRP[A,E] = |Pr[EXP(0)=1] Pr[EXP(1)=1] | is negligible. Dan Boneh

  7. Let X = {0,1}. Perms[X] contains two functions Consider the following PRP: key space K={0,1}, input space X = {0,1}, PRP defined as: Is this a secure PRP? E(k,x) = x k Yes No It depends

  8. Example secure PRPs PRPs believed to be secure: 3DES, AES, AES-128: K X X where K = X = {0,1}128 An example concrete assumption about AES: All 280 time algs. A have AdvPRP[A, AES] < 2-40 Dan Boneh

  9. Consider the 1-bit PRP from the previous question: E(k,x) = x k Is it a secure PRF? Note that Funs[X,X] contains four functions Yes No Attacker A: (1) query f( ) at x=0 and x=1 (2) if f(0) = f(1) output 1 , else 0 AdvPRF[A,E] = |0- | = It depends

  10. PRF Switching Lemma Any secure PRP is also a secure PRF, if |X| is sufficiently large. Lemma: Let E be a PRP over (K,X) Then for any q-query adversary A: | AdvPRF [A,E] AdvPRP[A,E] | < q2 / 2|X| Suppose |X| is large so that q2/ 2|X| is negligible Then AdvPRP [A,E] negligible AdvPRF[A,E] negligible Dan Boneh

  11. Final note Suggestion: don t think about the inner-workings of AES and 3DES. We assume both are secure PRPs and will see how to use them Dan Boneh

  12. End of Segment Dan Boneh

  13. Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: one time key example: encrypted email, new key for every message. Dan Boneh

  14. Using PRPs and PRFs Goal: build secure encryption from a secure PRP (e.g. AES). This segment: one-time keys 1. Adversary s power: Adv sees only one ciphertext (one-time key) 2. Adversary s goal: Learn info about PT from CT (semantic security) Next segment: many-time keys (a.k.a chosen-plaintext security) Dan Boneh

  15. Incorrect use of a PRP Electronic Code Book (ECB): PT: m1 m2 CT: c2 c1 Problem: if m1=m2 then c1=c2 Dan Boneh

  16. In pictures (courtesy B. Preneel) Dan Boneh

  17. Semantic Security (one-time key) m0 , m1 M : |m0| = |m1| c E(k,m0) EXP(0): Chal. k K Adv. A b {0,1} one time key adversary sees only one ciphertext m0 , m1 M : |m0| = |m1| c E(k,m1) Chal. k K Adv. A EXP(1): b {0,1} AdvSS[A,OTP] = | Pr[ EXP(0)=1] Pr[ EXP(1)=1 ] |should be neg. Dan Boneh

  18. ECB is not Semantically Secure ECB is not semantically secure for messages that contain more than one block. b {0,1} Two blocks m0= Hello World m1= Hello Hello Chal. k K Adv. A (c1,c2) E(k, mb) If c1=c2 output 0, else output 1 Then AdvSS [A, ECB] = 1 Dan Boneh

  19. Secure Construction I Deterministic counter mode from a PRF F : EDETCTR (k, m) = m[0] m[1] m[L] F(k,0) F(k,1) F(k,L) c[0] c[1] c[L] Stream cipher built from a PRF (e.g. AES, 3DES) Dan Boneh

  20. Det. counter-mode security Theorem: For any L>0, If F is a secure PRF over (K,X,X) then EDETCTR is sem. sec. cipher over (K,XL,XL). In particular, for any eff. adversary A attacking EDETCTR there exists a n eff. PRF adversary B s.t.: AdvSS[A, EDETCTR] = 2 AdvPRF[B, F] AdvPRF[B, F] is negligible (since F is a secure PRF) Hence, AdvSS[A, EDETCTR] must be negligible. Dan Boneh

  21. Proof m0 , m1 m0 , m1 chal. adv. A chal. adv. A p m0 c m0 k K c f Funs F(k,0) F(k,L) f(0) f(L) b 1 b 1 p p m0 , m1 m0 , m1 chal. chal. adv. A adv. A p m1 m1 c c r {0,1}n k K F(k,0) F(k,L) f(0) f(L) b 1 b 1 Dan Boneh

  22. End of Segment Dan Boneh

  23. Online Cryptography Course Dan Boneh Using block ciphers Security for many-time key Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. Dan Boneh

  24. Semantic Security for many-time key Key used more than once adv. sees many CTs with same key Adversary s power: chosen-plaintext attack (CPA) Can obtain the encryption of arbitrary messages of his choice (conservative modeling of real life) Adversary s goal: Break sematic security Dan Boneh

  25. Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. k K Adv. m1,0 , m1,1 M : |m1,0| = |m1,1| c1 E(k, m1,b) Dan Boneh

  26. Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: b Chal. k K Adv. m2,0 , m2,1 M : |m2,0| = |m2,1| c2 E(k, m2,b) Dan Boneh

  27. Semantic Security for many-time key (CPA security) E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: for i=1, ,q: b Chal. k K Adv. mi,0 , mi,1 M : |mi,0| = |mi,1| ci E(k, mi,b) b {0,1} if adv. wants c = E(k, m) it queries with mj,0= mj,1=m Def: Eis sem. sec. under CPA if for all efficient A: AdvCPA [A,E] = |Pr[EXP(0)=1] Pr[EXP(1)=1] | is negligible. Dan Boneh

  28. Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: m0 , m0 M c0 E(k, m0) Chal. k K Adv. m0 , m1 M c E(k, mb) output 0 if c = c0 So what? an attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc. Leads to significant attacks when message space M is small Dan Boneh

  29. Ciphers insecure under CPA Suppose E(k,m) always outputs same ciphertext for msg m. Then: m0 , m0 M c0 E(k, m0) Chal. k K Adv. m0 , m1 M c E(k, mb) output 0 if c = c0 If secret key is to be used multiple times given the same plaintext message twice, encryption must produce different outputs. Dan Boneh

  30. Solution 1: randomized encryption E(k,m) is a randomized algorithm: dec enc m0 m0 m1 m1 encrypting same msg twice gives different ciphertexts (w.h.p) ciphertext must be longer than plaintext Roughly speaking: CT-size = PT-size + # random bits Dan Boneh

  31. Let F: K R M be a secure PRF. For m M define E(k,m) = [ r R, output (r, F(k,r) m)] R Is E semantically secure under CPA? Yes, whenever F is a secure PRF No, there is always a CPA attack on this system Yes, but only if R is large enough so r never repeats (w.h.p) It depends on what F is used

  32. Solution 2: nonce-based Encryption nonce Alice Bob E(k,m,n)=c m, n D(k,c,n)=m c, n E D k k nonce n: a value that changes from msg to msg. (k,n) pair never used more than once method 1: nonce is a counter (e.g. packet counter) used when encryptor keeps state from msg to msg if decryptor has same state, need not send nonce with CT method 2: encryptor chooses a random nonce, n N Dan Boneh

  33. CPA security for nonce-based encryption System should be secure when nonces are chosen adversarially. for i=1, ,q: b Chal. k K Adv. niand mi,0 , mi,1 : |mi,0| = |mi,1| c E(k, mi,b , ni) b {0,1} All nonces {n1, , nq} must be distinct. Def: nonce-based Eis sem. sec. under CPA if for all efficient A: AdvnCPA [A,E] = |Pr[EXP(0)=1] Pr[EXP(1)=1] | is negligible. Dan Boneh

  34. Let F: K R M be a secure PRF. Let r = 0 initially. For m M define E(k,m) = [ r++, output (r, F(k,r) m)] Is E CPA secure nonce-based encryption? Yes, whenever F is a secure PRF No, there is always a nonce-based CPA attack on this system Yes, but only if R is large enough so r never repeats It depends on what F is used

  35. End of Segment Dan Boneh

  36. Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: many time key (CBC) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. Dan Boneh

  37. Construction 1: CBC with random IV Let (E,D) be a PRP. ECBC(k,m): choose random IV X and do: IV m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] ciphertext Dan Boneh

  38. Decryption circuit In symbols: c[0] = E(k, IV m[0] ) m[0] = D(k, c[0]) IV IV c[0] c[1] c[2] c[3] D(k, ) D(k, ) D(k, ) D(k, ) m[0] m[1] m[2] m[3] Dan Boneh

  39. CBC: CPA Analysis CBC Theorem: For any L>0, If E is a secure PRP over (K,X) then ECBC is a sem. sec. under CPA over (K, XL, XL+1). In particular, for a q-query adversary A attacking ECBC there exists a PRP adversary B s.t.: AdvCPA [A, ECBC] 2 AdvPRP[B, E] + 2 q2 L2 / |X| Note: CBC is only secure as long as q2L2 << |X| Dan Boneh

  40. An example AdvCPA [A, ECBC] 2 PRP Adv[B, E] + 2 q2 L2 / |X| q = # messages encrypted with k , L = length of max message Suppose we want AdvCPA [A, ECBC] 1/232 q2 L2 /|X| < 1/ 232 AES: |X| = 2128 q L < 248 So, after 248 AES blocks, must change key 3DES: |X| = 264 q L < 216 Dan Boneh

  41. Warning: an attack on CBC with rand. IV CBC where attacker can predict the IV is not CPA-secure !! Suppose given c ECBC(k,m) can predict IV for next message 0 X c1 [IV1, E(k, 0 IV1)] Chal. k K Adv. predict IV m0=IV IV1 , m1 m0 c [IV, E(k, IV1) ] or c [IV, E(k, m1 IV) ] output 0 if c[1] = c1[1] Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1) Dan Boneh

  42. Construction 1: nonce-based CBC Cipher block chaining with unique nonce: key = (k,k1) unique nonce means: (key, n) pair is used for only one message nonce m[0] m[1] m[2] m[3] IV E(k, ) E(k, ) E(k, ) E(k, ) E(k1, ) nonce c[0] c[1] c[2] c[3] ciphertext included only if unknown to decryptor Dan Boneh

  43. An example Crypto API (OpenSSL) void AES_cbc_encrypt( const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, AES_ENCRYPT or AES_DECRYPT); user supplies IV When nonce is non random need to encrypt it before use Dan Boneh

  44. A CBC technicality: padding m[3] ll pad IV m[0] m[1] m[2] IV E(k, ) E(k, ) E(k, ) E(k, ) E(k1, ) IV c[0] c[1] c[2] c[3] removed during decryption n n n n TLS: for n>0, n byte pad is if no pad needed, add a dummy block Dan Boneh

  45. End of Segment Dan Boneh

  46. Online Cryptography Course Dan Boneh Using block ciphers Modes of operation: many time key (CTR) Example applications: 1. File systems: Same AES key used to encrypt many files. 2. IPsec: Same AES key used to encrypt many packets. Dan Boneh

  47. Construction 2: rand ctr-mode Let F: K {0,1}n {0,1}n be a secure PRF. E(k,m): choose a random IV {0,1}n and do: msg IV m[0] m[1] m[L] F(k,IV) F(k,IV+1) F(k,IV+L) IV c[0] c[1] ciphertext c[L] note: parallelizable (unlike CBC) Dan Boneh

  48. Construction 2: nonce ctr-mode msg IV m[0] m[1] m[L] F(k,IV) F(k,IV+1) F(k,IV+L) IV c[0] c[1] c[L] ciphertext To ensure F(k,x) is never used more than once, choose IV as: 128 bits IV: nonce counter starts at 0 for every msg 64 bits 64 bits Dan Boneh

  49. rand ctr-mode (rand. IV): CPA analysis Counter-mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then ECTR is a sem. sec. under CPA over (K,XL,XL+1). In particular, for a q-query adversary A attacking ECTR there exists a PRF adversary B s.t.: AdvCPA[A, ECTR] 2 AdvPRF[B, F] + 2 q2 L / |X| Note: ctr-mode only secure as long as q2L << |X| . Better than CBC ! Dan Boneh

  50. An example AdvCPA [A, ECTR] 2 AdvPRF[B, E] + 2 q2 L / |X| q = # messages encrypted with k , L = length of max message Suppose we want AdvCPA [A, ECTR] 1/232 q2 L /|X| < 1/ 232 AES: |X| = 2128 q L1/2 < 248 So, after 232 CTs each of len 232 , must change key (total of 264 AES blocks) Dan Boneh

Related


Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Foundations of Cryptography: MIT Course Overview and Key Concepts

Foundations of Cryptography: MIT Course Overview and Key Concepts

dherb
Understanding Public-Key Cryptography and Its Applications

Understanding Public-Key Cryptography and Its Applications

nbull
Introduction to Cryptography, Cryptanalysis, and Cryptology

Introduction to Cryptography, Cryptanalysis, and Cryptology

waverly
Understanding Public Key Cryptography in Network Security

Understanding Public Key Cryptography in Network Security

mwasd
Exploring Public-Key Cryptography and Ancient Mathematical Techniques

Exploring Public-Key Cryptography and Ancient Mathematical Techniques

kbre
Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

dhrn907
Introduction to Cryptography: Basics, Terminology, and Significance

Introduction to Cryptography: Basics, Terminology, and Significance

lucius
Understanding Secure Information Transmission in Cryptography

Understanding Secure Information Transmission in Cryptography

rene_1
Evolution of Proofs in Cryptography

Evolution of Proofs in Cryptography

ahmari
Understanding Cryptography: Basic Concepts in Number Theory and Divisibility

Understanding Cryptography: Basic Concepts in Number Theory and Divisibility

hoon_ynn
Understanding Cryptography in the Digital World

Understanding Cryptography in the Digital World

oona
Exploring the World of Quantum Money and Cryptography

Exploring the World of Quantum Money and Cryptography

guinevere
Key Distribution and Management in Cryptography

Key Distribution and Management in Cryptography

kreitzer_k
The Fascinating World of Cryptography

The Fascinating World of Cryptography

solveig
Formal Verification of Quantum Cryptography by Dominique Unruh

Formal Verification of Quantum Cryptography by Dominique Unruh

aslan
Exploring Post-Quantum Cryptography and Constructive Reductions

Exploring Post-Quantum Cryptography and Constructive Reductions

spradlin_g
Post-Quantum Cryptography Security Proofs and Models Overview

Post-Quantum Cryptography Security Proofs and Models Overview

siddhi
Understanding Provable Security Models in Cryptography

Understanding Provable Security Models in Cryptography

donoghue_e
Understanding the Importance of Web Cryptography API and Its Application

Understanding the Importance of Web Cryptography API and Its Application

denis

More Related Content

Introduction to Public Key Cryptography
Introduction to Public Key Cryptography
Cryptography and Information Security Fundamentals
Cryptography and Information Security Fundamentals
Key Management and Distribution Techniques in Cryptography
Key Management and Distribution Techniques in Cryptography
STM32WB BLE Secure Connections Overview
STM32WB BLE Secure Connections Overview
Overview of Cryptography Techniques and Algorithms
Overview of Cryptography Techniques and Algorithms
Basic Concepts in Number Theory and Finite Fields for Cryptography
Basic Concepts in Number Theory and Finite Fields for Cryptography
Understanding Cryptography: Basics of Encryption and Padding
Understanding Cryptography: Basics of Encryption and Padding
Key Principles in Cryptography: Kerckhoff's and Key Space
Key Principles in Cryptography: Kerckhoff's and Key Space
Introduction to RSA Cryptography and Public Key Encryption
Introduction to RSA Cryptography and Public Key Encryption
Ascon: The Lightweight Cryptography Standard for IoT
Ascon: The Lightweight Cryptography Standard for IoT
Secure Two-Party Computation and Basic Secret-Sharing Concepts
Secure Two-Party Computation and Basic Secret-Sharing Concepts
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords
Tamper-Evident Pairing (TEP) Protocol for Secure Wireless Pairing Without Passwords
Understanding Cryptography Basics and Toolbox
Understanding Cryptography Basics and Toolbox
Cryptographic Reductions and Learning in Computational Complexity
Cryptographic Reductions and Learning in Computational Complexity
Understanding Block Ciphers in Cryptography
Understanding Block Ciphers in Cryptography
Understanding Number Theory and Cryptography for Security
Understanding Number Theory and Cryptography for Security
Introduction to Cryptography and Its Applications in Computer Science
Introduction to Cryptography and Its Applications in Computer Science
Leakage-Resilient Key Exchange and Seed Extractors in Cryptography
Leakage-Resilient Key Exchange and Seed Extractors in Cryptography
Cryptography Concepts and Encryption Methods Overview
Cryptography Concepts and Encryption Methods Overview
Advanced Cryptography Techniques: PKE/KEM Constructions
Advanced Cryptography Techniques: PKE/KEM Constructions
Lightweight Cryptography Standard for IoT - November 2023 IEEE Presentation
Lightweight Cryptography Standard for IoT - November 2023 IEEE Presentation
Steganography: Hiding Secrets in Plain Sight
Steganography: Hiding Secrets in Plain Sight
Overview of Modern Cryptography and Data Encryption Standard (DES)
Overview of Modern Cryptography and Data Encryption Standard (DES)
Cryptography in the Bounded Storage Model: Revisited - Eurocrypt 2023
Cryptography in the Bounded Storage Model: Revisited - Eurocrypt 2023