Introduction to Cryptography

Size: px

Start display at page:

Download "Introduction to Cryptography"

Sharyl Norton
6 years ago
Views:

1 B504 / I538: Introduction to Cryptography Spring 2017 Lecture 10

2 Assignment 2 is due on Tuesday! 1

4 Recall: Pseudorandom generator (PRG) Defⁿ: A (fixed-length) pseudorandom generator (PRG) with expansion l is a function G:{0,1} * {0,1} * with two properties: 1. Expansion (output is always longer than input): n N, l(n)>n and x {0,1} *, G(x) =l( x ) 2. Pseudorandom (uniform inputs yield uniform-looking outputs): For every PPT distinguisher A, there exists a negligible function ε:n R+ such that, n N, Pr[A(y)=1 y {0,1} l( ⁿ ) ] Pr[A(G(x))=1 x {0,1}ⁿ] ε(n) 1

5 Recall: Pseudorandom function (PRF) Defⁿ: A (length-preserving) pseudorandom fuction (PRF) is a keyed function F:{0,1} * {0,1} * {0,1} * with three properties: 1. Length-preservation (output is same size as inputs): k {0,1} * and x {0,1} k, F(k,x) = x 2. Uniform PPT (can be evaluated by an efficient algorithm): There exists a (uniform) PPT algorithm A such that, k {0,1} * and x {0,1} k, A(k,x)=F(k,x) 2 3. Pseudorandom (behaves like a random function ): For every PPT distinguisher A, there exists a negligible function ε:n R+ such that, n N, Pr[A F K( ) (1ⁿ)=1 k {0,1}ⁿ] Pr[A f( ) (1ⁿ)=1 f Func(n)] ε(n)

6 Permutations Q: What is a permutation on {0,1}ⁿ? A: A function that rearranges the elements of {0,1}ⁿ More formally, it is a bi jection from {0,1}ⁿ to itself; that is, a function π:{0,1}ⁿ {0,1}ⁿ that is 1. Injective ( one-to-one ): π(x)=π(y) x=y 2. Surjective ( onto ): y {0,1}ⁿ, x {0,1}ⁿ such that π(x)=y 3! permuations of 3 colored circles: 3

fixed) No efficient algorithm can distinguish between a PRP and a random

7 Pseudorandom permutations (PRPs) Intuitively: A pseudorandom permutation (PRP) is a pseudorandom function that is also a permutation (whenever the key is fixed) No efficient algorithm can distinguish between a PRP and a random permutation, except with negligible advantage What in is a random permutation? 4

8 Random permutations Defⁿ: Let Perm(n) denote the set of all permutations on {0,1}ⁿ. A random permutation is the uniform random variable on Perm(n). Q: How big is the sample space of Perm(n)? A: (2ⁿ)! (compare this with 2ⁿ 2ⁿ functions in Func(n)) 5

9 Why permutations? Q: What special property of permutations makes PRPs more useful than PRFs? A: Permutations have unique inverses; that is, given any y {0,1}ⁿ it is possible to find x {0,1}ⁿ such that π(x)=y Permutation Permutation 6

10 Efficient keyed permutation Defⁿ: A permutation family is an infinite sequence {Π k } k {0,1} * where k {0,1} *, Π k :{0,1} k {0,1} k is a permutation on {0,1} k. The family is uniform PPT if there is a PPT algorithm that, given any k {0,1} * and x {0,1} k, outputs f k (x). We typically think of a uniform PPT permutation family as a keyed permutation; that is, as a function Π:{0,1} * {0,1} * {0,1} * such that 7 Π(k,x)=Π k (x) for all k {0,1} * and x {0,1} k

11 Keyed permutation Defⁿ: A keyed permutation Π:{0,1} * {0,1} * {0,1} k is efficient if there exists a PPT algorithm Inv and negligible function ε:n R+ such that, Pr[Π(k,Inv(k,y))=y k,y {0,1}ⁿ] 1 ε(n). Intuitively: a keyed permutation is efficient if both it and its inverse can be evaluated by efficient algorithms 8

12 Formal definition: PRP Defⁿ: An efficient keyed permutation is a pseudorandom permutation (PRP) if, for every PPT algorithm A, there exists a negligible function ε:n R+ such that Pr[A Π k( ) (1ⁿ) k {0,1}ⁿ] Pr[A π( ) (1ⁿ) π Perm(n)] ε(n) 2ⁿ outcomes (2ⁿ)! outcomes 9

1 (A has oracle access to a random permutation oracle): 1ⁿ Challenger (C) π Perms(n) x 1

13 PRP indistinguishability game Game 0 (A has oracle access to a PRP oracle): 1ⁿ Challenger (C) k {0,1}ⁿ x 1 Π k (x 1 ) x q Π k (x q ) X 1 {0,1}ⁿ X q {0,1}ⁿ Attacker (A) 1ⁿ b' Game 1 (A has oracle access to a random permutation oracle): 1ⁿ Challenger (C) π Perms(n) x 1 π(x 1 ) x q π(x q ) X 1 {0,1}ⁿ X q {0,1}ⁿ Attacker (A) 1ⁿ b' 10 Defⁿ: Adv PRP (A) Pr[b b ] ½

14 Strong PRPs Intuitively, a PRP is a strong PRP if it remains difficult to distinguish from a random permutation even when given access to the inverse permutation Defⁿ: An efficient keyed permutation is a strong PRP (SPRP) if, for every PPT algorithm A, there exists a negligible function ε:n R+ such that Pr[A Π k( ),Π k -1 ( ) (1ⁿ) k {0,1}ⁿ] Pr[A π( ),π-1 ( ) (1ⁿ) π Perm(n)] ε(n) 11

1ⁿ Game 1 (A has oracle access to a random permutation oracle and corresponding inverse oracle): Challenger (C) π

15 Strong PRP indistinguishability game 1ⁿ Game 0 (A has oracle access to a PRP oracle and corresponding inverse oracle): Challenger (C) k {0,1}ⁿ x 1 Π k (x 1 ),Π k -1(x 1 ) x q Π k (x q ),Π k -1(x q ) Attacker (A) X 1 {0,1}ⁿ X q {0,1}ⁿ 1ⁿ b' 1ⁿ Game 1 (A has oracle access to a random permutation oracle and corresponding inverse oracle): Challenger (C) π Perms(n) x 1 π(x 1 ),π -1 (x 1 ) x q π(x q ),π -1 (x q ) Attacker (A) X 1 {0,1}ⁿ X q {0,1}ⁿ 1ⁿ b' 12 Defⁿ: Adv SPRP (A) Pr[b b ] ½

16 PRPs versus SPRPs Q: Is every PRP a Strong PRP? A: Nope! I m going to ask you prove this on a3 13

17 PRP versus PRF Q: Is every PRP a PRF? A: Yup! Thm (PRF Switching Lemma): Let Π:{0,1} * {0,1) * {0,1} * be a PRP. Then for any PPT distinguisher A that makes q(n) oracle queries, Pr[A Πk ( ) (1ⁿ) k {0,1}ⁿ] Pr[A f ( ) (1ⁿ) f Func(n)] q(n)²/2ⁿ+¹ 14

18 Fixed-length encryption from SPRPs Let Π be a strong PRP Plaintexts, ciphertexts and keys are all n-bit strings (i.e., M=C=K): Gen(1ⁿ) outputs a uniform random key k {0,1}ⁿ Enc k (m) outputs c Π k (m) Dec k (c) outputs m Π k -1 (c) Q: Is this construction IND-CPA secure? 15 A: Nope! (But it does have indistinguishable encryptions in the presence of an eavesdropper)

19 Modes of operation Goals: 1. Extend block cipher to encrypt arbitrarylength plaintexts 2. Get IND-CPA security (or better!) in the process There are many modes of operation in the literature; for now, we ll focus on a few oldiesbut-goodies: ECB, CBC, OFB, and CTR 16

20 Modes of operation: ECB 17 Electronic codebook (ECB) mode: Split message into n-bit blocks, apply PRP to each one in turn Most common default mode for encryption software Almost always a very bad idea If I find out you use ECB in the future, I will retroactively give you an F and revoke your degree! Seriously. Don t use ECB!

21 Modes of operation: ECB Electronic codebook (ECB) mode encryption: m m 1 m 2 m l m 1 m k k 2 k m l Π k Π k Π k c 1 c 2 c l 17 c c 1 c 2 c l

22 Modes of operation: ECB Electronic codebook (ECB) mode decryption: c c 1 c 2 c l c 1 c k k 2 k c n Π k -1 Π k -1 m 1 m 2 Π k -1 m l 17 m m 1 m 2 m l

23 Modes of operation: ECB Q 1 : Does ECB mode provide IND-CPA security? A 1 : Nope! Q 2 : Does ECB mode provide indistinguishable encryptions in the presence of an eavesdropper? A 2 : Nope! Choose m 0 m m, m 1 m m for any distinct m,m {0,1}ⁿ Retrieve c c 1 c 2 ; output 0 if c 1 c 2 and 1 otherwise 17

Modes of operation: ECB plaintext (bitmap) ECB mode

in 1996 by Larry Ewing (lewing@isc.tamu.

All uses permitted provided that you mention Larry

24 Modes of operation: ECB plaintext (bitmap) ECB mode ciphertext CBC mode ciphertext 17 Tux image created in 1996 by Larry Ewing with The GIMP. All uses permitted provided that you mention Larry Ewing, the owner of the original image, his address and The GIMP,

25 Modes of operation: ECB Take away: Don t use ECB! 17

26 Modes of operation: CBC Cipher block chaining (CBC) mode: Choose uniform random initialization vector IV {0,1}ⁿ XOR first plaintext block with IV before applying PRP For each subsequent plaintext block, XOR with preceding ciphertext block before appliying PRP Output IV as part with ciphertext (l-block plaintext (l+1)-block ciphertext) 18

27 Modes of operation: CBC Cipher block chaining (CBC) mode encryption: m m 1 m 2 m l k k k m 1 m 2 m l Π k Π k Π k IV c 1 c 2 c l 18 c IV c 1 c 2 c l

28 Modes of operation: CBC Cipher block chaining (CBC) mode decryption: c IV c 1 c 2 c l k k k c 1 c 2 c n Π k -1 Π k -1 Π k -1 IV m 1 m 2 m l 18 m m 1 m 2 m l

29 Modes of operation: OFB Output feedback (OFB) mode: Choose uniform random initialization vector IV {0,1}ⁿ Apply PRP to IV to get a pad to XOR with first block For each subsequent plaintext block, apply PRP to preceding pad and XOR result with the plaintext block Output IV as part with ciphertext (l-block plaintext (l+1)-block ciphertext) 19

30 Modes of operation: OFB Output feedback (OFB) mode encryption: m m 1 m 2 m l k IV k k Π k Π k Π k m 1 m 2 m l c 1 c 2 c l c IV c 1 c 2 c l 19

31 Modes of operation: OFB Output feedback (OFB) mode decryption: c IV c 1 c 2 c l k IV k k Π k Π k Π k c 1 c 2 c l m 1 m 2 m l 19 m m 1 m 2 m l

32 Modes of operation: CTR Counter (CTR) mode: Choose uniform random initialization vector IV {0,1}ⁿ Apply PRP to IV to get a pad to XOR with first block For each subsequent increment IV by one (treat as binary string modulo 2ⁿ) and XOR result with the plaintext block Output IV as part with ciphertext (l-block plaintext (l+1)-block ciphertext) 20

33 Modes of operation: CTR Counter (CTR) mode encryption: m m 1 m 2 m l k IV k IV+1 k IV+l 1 Π k Π k Π k m 1 m 2 m l c 1 c 2 c l 20 c IV c 1 c 2 c l

34 Modes of operation: CTR Counter (CTR) mode decryption: c IV c 1 c 2 c l k IV k IV+1 k IV+l 1 Π k Π k Π k c 1 c 2 c l m 1 m 2 m l 20 m m 1 m 2 m l

35 Modes of operation: Comparison 21 Electronic Code Book (ECB) mode Pros: simple, parallelizable Cons: no reasonable security guarantees Cipher Block Chaining (CBC) mode Pros: IND-CPA secure, decryption is parallelizable Cons: encryption is inherently sequential; malleable Output Feedback (OFB) mode Pros: IND-CPA secure Cons: encryption and decryption both inherently sequential; malleable Counter (CTR) mode Pros: IND-CPA secure, encryption and decryption are both fully parallelizable Cons: malleable

36 That s all for today, folks!

Introduction to Cryptography

B504 / I538: Introduction to Cryptography Spring 2017 Lecture 11 * modulo the 1-week extension on problems 3 & 4 Assignment 2 * is due! Assignment 3 is out and is due in two weeks! 1 Secrecy vs. integrity