1
Cryptanalysis-tolerant CPA crypt.
● Suppose E, E’ are two encryption schemes, one of which is CPA-secure
  ○ E.g., a standard and a proprietary, a new and an old
● Cascade [EG85]: E* = E◦E’
● E* is CPA-secure if either E or E’ is CPA-secure
  ○ We say that the cascade is cryptanalysis-tolerant
[Figure: cascade of E and E’]
2
Cascading CPA - question
● Given two encryption schemes E and E’, one of which is a candidate CPA-secure scheme, define: E*_{k,k'}(x) = E_k(E’_{k'}(x))
● Question: assume either E or E’ is CPA-secure. Is E* then a CPA-secure cryptosystem?
● Answer:
3
Cascading CPA-Secure system
● Claim: if either E or E’ is CPA-secure, then E* is CPA-secure.
● Proof: Suppose to the contrary that there exists an adversary A* such that
  Pr_{X=EX(Є,ADV)}[X.win ∧ X.t ≤ t | X = EX(E◦E’, A*, k)] > ½ + ε*(k,t,q)
  i.e. A* can distinguish E* from some random permutation.
● Let adversaries A (for E) and A' (for E') use A* (as a subroutine) to distinguish.
● Prove for A (A and A' are similar).
4
Cont'
● A tries to win the test for E while using A* on E*. A uses E as a black box.
● Key generation – A generates keys for E'.
● Select – A needs to respond to encryption and decryption requests to E* (requests sent from A*). When A* asks to encrypt m, A asks for the encryption c=E(m) and calculates E'(c) (it has the keys).
● Encrypt – When A* outputs <select,m0,m1>, A outputs the same for E and calculates E' on the result (returns result to A).
● When A* outputs a guess b', A outputs the same. A wins if A* wins, since it performs only one more computation.
5
[Figure: sequence diagram with columns A, A*, E, E’. Messages in order:]
Begin; generate keys; Begin
Select(m1); Select(m1); c1; Encrypt(c1); c1' = E'<k'>(c1); c1'; ...
Select(m1,m2); Select(m1,m2); c; Encrypt(c); c' = E'<k'>(c); c'
Output b; b; win/lose
Phase labels: Encrypt Phase, Select/Guess Phase
Notes: A controls E’, e.g. Encrypt. A selects messages to encrypt, e.g. select.
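
The reduction from slides 3-5 as runnable Python, added here as an illustration and not part of the original slides: A simulates E* for A* by querying its oracle for E and then applying E’ under its own key k’, in the order shown in the diagram. The ciphers det_enc and rand_enc, the Challenger class and the comparison adversary a_star are constructed toys assumed for the demo.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def det_enc(key, m):
    # Constructed toy cipher: fixed keystream per key, so deterministic (not CPA-secure).
    return xor(m, hashlib.sha256(key).digest()[:len(m)])

def rand_enc(key, m):
    # Constructed toy cipher: fresh random r per call, keystream SHA-256(key || r).
    r = secrets.token_bytes(16)
    return r + xor(m, hashlib.sha256(key + r).digest()[:len(m)])

class Challenger:
    """CPA-IND test for E: encryption oracle (select) plus one challenge."""
    def __init__(self, enc):
        self.enc, self.key = enc, secrets.token_bytes(16)
        self.b = secrets.randbelow(2)
    def select(self, m):
        return self.enc(self.key, m)
    def challenge(self, m0, m1):
        return self.enc(self.key, (m0, m1)[self.b])

def a_star(select, challenge):
    """A*: wins against a deterministic E* by re-encrypting m0 and comparing."""
    m0, m1 = b"\x00" * 16, b"\xff" * 16
    return 0 if select(m0) == challenge(m0, m1) else 1

def reduction_a(game, enc_prime):
    """A: plays the test for E and simulates E* for A* using its own key k'."""
    k_prime = secrets.token_bytes(16)             # key generation for E'
    wrap = lambda c: enc_prime(k_prime, c)        # c' = E'<k'>(c)
    return a_star(lambda m: wrap(game.select(m)),
                  lambda m0, m1: wrap(game.challenge(m0, m1)))   # same guess b

def win_rate(enc, enc_prime, trials=400):
    wins = 0
    for _ in range(trials):
        game = Challenger(enc)
        wins += reduction_a(game, enc_prime) == game.b
    return wins / trials
```

With both toys deterministic, A* breaks E* and A inherits every win against E; as soon as either layer is rand_enc, this particular A* is reduced to guessing.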
6
Cryptographic Constructions Demonstrating insecurity
● Usual method: Let g’ be an arbitrary function for goal G. Design g which also satisfies G:
  ○ Security of g follows (easily?) from security of g’
  ○ But g is not good for the construction…
  ○ Namely: the function f which is constructed using g does not satisfy goal F.
7
[Figure: three panels, Plaintext | Encrypted ECB | Encrypted Non ECB]
An example of the patterns ECB leaves in ciphertext when encrypting pixels (pixel-by-pixel encryption)
8
CBC
9
OFB
10
CBC - OFB
● CBC
  ○ Requires padding of message to block size.
  ○ Decryption can be parallelized.
  ○ 1-bit change of plaintext affects all cipher texts.
● OFB
  ○ Does not require message padding.
  ○ Decryption can't be done in parallel.
  ○ Bit flips can be detected by many embedded ECCs.
● Both
  ○ “Randomization” properties – can't detect same block.
11
Problem
● CBC and OFB are great for creating a VIL cipher from FIL blocks; however, they have some drawbacks.
  ○ Transmission errors.
  ○ Parallel computation.
● Please describe the drawbacks in detail.
● Please suggest a scheme for creating a VIL cipher from FIL blocks which has the CBC/OFB properties and eliminates the limitations described above.
12
Solution
● Drawbacks
  ○ Block dependency causes encryption/decryption to be synchronous (CBC decryption can be parallel)
  ○ Decryption (CBC) - In case a block is damaged, its dependent block can't be deciphered as well.
  ○ CBC block damage can be from a single bit. OFB can correct errors with embedded ECC (single bits).
13
Solution
● Instead of chaining to disguise the cipher, use a counter. (Counter must be kept secret)
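
An added illustration (not from the original slides) of the drawback on slide 12 and the counter-based fix on slide 13: one flipped ciphertext bit damages two plaintext blocks under CBC but a single bit under a counter mode, whose blocks are also computed independently of each other. The 4-round Feistel block_enc/block_dec is a constructed stand-in for the FIL cipher, and the starting counter is simply passed to both sides as an argument.

```python
import hashlib

BS = 16  # block size in bytes
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, i, half):  # round function of the constructed toy cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_enc(key, blk):  # constructed 4-round Feistel standing in for a FIL cipher
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, f(key, i, r))
    return l + r

def block_dec(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, f(key, i, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def cbc_enc(key, iv, pt):
    out = [iv]
    for p in blocks(pt):  # chaining: block i needs ciphertext block i-1
        out.append(block_enc(key, xor(p, out[-1])))
    return b"".join(out[1:])

def cbc_dec(key, iv, ct):
    cs = [iv] + blocks(ct)
    return b"".join(xor(block_dec(key, c), prev) for prev, c in zip(cs, cs[1:]))

def ctr_crypt(key, start, data):  # same call encrypts and decrypts; blocks independent
    return b"".join(xor(b, block_enc(key, (start + i).to_bytes(BS, "big")))
                    for i, b in enumerate(blocks(data)))

def damaged(pt, got):  # (block index, flipped bits) for each wrong plaintext block
    return [(i, sum(bin(x ^ y).count("1") for x, y in zip(a, b)))
            for i, (a, b) in enumerate(zip(blocks(pt), blocks(got))) if a != b]

def flip_one_bit(ct, blk):
    return ct[:blk * BS] + bytes([ct[blk * BS] ^ 1]) + ct[blk * BS + 1:]

def demo(key=b"k" * 16, iv=b"\x01" * BS, pt=bytes(range(64))):
    cbc = cbc_dec(key, iv, flip_one_bit(cbc_enc(key, iv, pt), 1))
    ctr = ctr_crypt(key, 7, flip_one_bit(ctr_crypt(key, 7, pt), 1))
    return damaged(pt, cbc), damaged(pt, ctr)
```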
14
Indistinguishability Test
● Prove that the following encryption scheme does not pass the Ind. Test.
● Discrete log – base for several public key crypto systems
● Assumption: for a known prime p, a generator g of Z_p and y, it's hard to find x such that g^x mod p = y
● For public prime p and generator g (for Z_p), where m < p:
E_k(m) = {
    x = g^m mod p;
    y = g^(kx) mod p;
    return x || (y xor m)
}
15
Solution
● Adv can calculate x, and thus distinguish the message from a random message.
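
The scheme from slide 14 and the adversary from this solution, as an added Python example that is not part of the original slides. The parameters p = 467, g = 2 and the function names are constructed for the demo; the ciphertext x || (y xor m) is modelled as a pair.

```python
import secrets

P, G = 467, 2  # constructed toy parameters: 467 is prime and 2 generates Z_467^*

def encrypt(k, m):
    """E_k(m) from the slide: x = g^m mod p, y = g^(kx) mod p, output x || (y xor m)."""
    if not 0 <= m < P:
        raise ValueError("message must satisfy m < p")
    x = pow(G, m, P)
    y = pow(G, k * x, P)
    return x, y ^ m

def decrypt(k, c):
    """The key holder recomputes y from the transmitted x and unmasks m."""
    x, masked = c
    return masked ^ pow(G, k * x, P)

def adversary(m0, m1, challenge):
    """x depends only on public p, g and the message: no key and no queries needed."""
    x, _ = challenge
    if x == pow(G, m0, P):
        return 0
    return 1

def ind_test(m0, m1, trials=200):
    """Run the Ind. test with a fresh key and bit each time; return the number of wins."""
    wins = 0
    for _ in range(trials):
        k = secrets.randbelow(P - 2) + 1
        b = secrets.randbelow(2)
        wins += adversary(m0, m1, encrypt(k, (m0, m1)[b])) == b
    return wins
```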
16
Indistinguishability Test is Strong
● Two encryptions of the same message should be indistinguishable
  ○ Otherwise the adversary can ask for another encryption of a known message and identify it
  ○ Encryption must be randomized and/or use a state variable
  ○ With a state variable, encryption depends on history
  ○ In practice: usually encryption is randomized
● No assumption about the plaintext
  ○ May be just two messages, ‘0’ and ‘1’
  ○ May be biased (90% is ‘0’)
17
CPA-IND Secure Cryptosystem from KPA-Secure
● Let C_k be a KPA-secure crypto system
● Then encrypt each message m using E_k(m) = r || C_k(m xor r), where r is random
● Observation: this is simply CBC-mode of C_k with a single block!
  ○ Proof extends to multiple-block CBC
● Theorem [GM89]: E_k(m) is CPA-IND secure.
18
Question
● Let E be a KPA secure crypto system. Consider the following function on {0,1}^{2n} (for any n):
  E’_k(x) = E_k(x[1..n]) || E_k(E_k(x[1..n]) xor x[(n+1)..2n])
● Is E'_k(x) KPA secure?
● Is E'_k(x) CPA secure?
19
Solution
● Not CPA Secure - Choose 2 different input texts, for example 1010||1100, 1010||1001
  ○ Output of MSB is same for both “different” outputs.
  ○ This is the case because of E_k(x[1..n])
● KPA Secure - Never choose messages with same MSB.
20
Error Detection
● We would like to transmit ciphertext over the wire. Alice suggests using a parity check as the error-detection code.
● Do we have privacy?
● Do we have integrity?
21
Error Detection
● Assume OTP encryption, interceptive adversary.
● Adversary doesn’t know k, sees c on the wire.
● c = m xor k || parity(m) [bit]
● Adversary removes c and replaces it with c’, where any even number of bits can be flipped (notice that in this example, the adversary doesn’t even need to know m).
● Ok, no integrity, but maybe privacy?
● What about a known domain of messages (money transfer)?
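
The tampering described on this slide, as an added Python example that is not part of the original slides: an even number of flipped ciphertext bits passes the receiver's parity check, an odd number does not. The message, the one-byte parity field, the reading of c as (m xor k) || parity(m) and the function names are assumptions made for the demo.

```python
import secrets

def parity(data):
    # 1 if the number of set bits is odd, else 0
    return sum(bin(b).count("1") for b in data) & 1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def send(m, k):
    """c = (m xor k) || parity(m); the parity bit travels unencrypted."""
    return xor(m, k) + bytes([parity(m)])

def receive(c, k):
    """Return the decrypted message, or None when the parity check fails."""
    m = xor(c[:-1], k)
    return m if parity(m) == c[-1] else None

def flip_bits(c, positions):
    """Flip the given bit positions (0 = most significant bit of byte 0)."""
    out = bytearray(c)
    for p in positions:
        out[p // 8] ^= 0x80 >> (p % 8)
    return bytes(out)

def demo():
    m = b"PAY 0100"                      # constructed message
    k = secrets.token_bytes(len(m))      # one-time pad, unknown to the adversary
    c = send(m, k)
    even = receive(flip_bits(c, [37, 61]), k)   # two flips: parity unchanged
    odd = receive(flip_bits(c, [37]), k)        # one flip: check fails
    return even, odd, c[-1]              # c[-1] is parity(m), whatever k is
```

The receiver accepts `b"PAY 4104"` in place of `b"PAY 0100"`, and the last byte of c equals parity(m) for every key, which is the place to start on the privacy question.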