Two New Online Ciphers
Mridul Nandi
National Institute of Standards and Technology, Gaithersburg, MD
Indocrypt 2008, Kharagpur
Mridul Nandi Indocrypt-2008 2
Outline of the talk
• Introduction to Online Ciphers.
• Security Notions for Online Ciphers
• Known Examples of Online Ciphers.
• Our Constructions.
• Conclusion.
Online Cipher
• Most applications want real-time encryption (i.e., compute the ciphertext as soon as a plaintext block arrives, to save both time and memory).
• Also known as one-pass encryption. (In two-pass encryption the whole plaintext is needed to generate some intermediate value, like a tag, and then the plaintext is used again to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.)
Online Cipher
Definition (online cipher):
1. It is a block-number-preserving encryption algorithm.
2. If C = C1 || C2 || … || Ck is a ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj's and Cj's are blocks (128 bits for an AES-based design).
• In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci, i = 1, …, k.
• It is real-time encryption. But that does not necessarily mean it requires less memory. Why?
Online Cipher
[Figure (animation): the input stream P1, P2, P3, …, Pk arrives block by block; the buffer grows to P1 P2 P3 … Pk while C1, C2, C3, …, Ck are produced.]
The buffer grows linearly as plaintext blocks arrive, so this does not save memory. But it is one-pass, and hence the complete ciphertext is known as soon as the whole plaintext has arrived.
Efficient Online Ciphers
[Figure: a chain of functions f with P0 = C0 = 0; block i takes Pi-1, Ci-1 and Pi and outputs Ci. Buffer size = 3: at T = 1 the buffer holds (0, 0, P1); at T = 2 it holds (P1, C1, P2); at T = k it holds (Pk-1, Ck-1, Pk).]
Is it an Online Cipher?
[Figure: the f-chain with P0 = C0 = 0; each Ci is computed from Pi-1, Ci-1 and Pi.]
Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1, which is not in the definition of an online cipher.
But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.
It is an Online Cipher.
If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi).
Inverse of an Online Cipher.
[Figure: the same chain run backwards, with g in place of f; each Pi is computed from Pi-1, Ci-1 and Ci.]
So Pi = g(Pi-1, Ci-1, Ci).
Security Notions
• (Strong) Pseudo-Random Permutation ((S)PRP) is the strongest security notion for an encryption algorithm.
• An online cipher cannot be an (S)PRP, since the online property itself gives a distinguishing attack.
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the desired security notions: the maximum security an online cipher can achieve, defined by comparison with an ideal online cipher.
• Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
• Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
Known Examples
Hash-CBC Online Ciphers
1. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
2. Needs a blockcipher and an Almost-XOR-Universal (AXU) hash function.
3. Universal hash function with CBC mode.
AU hash function
Poly-hash gives distinct counters for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext:
Pr[H_h(M) = H_h(M') ∘ δ] ≤ L/2^n for any fixed δ, where ∘ is either + (modular addition) or ⊕ (xor).
Hash-CBC: HCBC1
[Figure: C0 = 0; for each block, H is applied to Ci-1, its n-bit output is XORed with Pi, and Ek of the result gives Ci.]
1. CPA-secure but not CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU-hash function (n = block size).
3. Two independent keys (one for H and one for E).
Hash-CBC: HCBC2
1. CCA-secure.
2. H : {0,1}^2n → {0,1}^n is an AXU-hash function.
3. Two independent keys (H and E).
[Figure: P0 = C0 = 0; for each block, H takes the pair (Pi-1, Ci-1), and its output is XORed into both the input and the output of Ek to give Ci.]
Our Constructions
Recall HCBC2
[Figure: the HCBC2 chain, with the two n-bit inputs of H marked.]
Hash H takes two n-bit inputs and produces an n-bit output. We can XOR the two n-bit inputs before feeding them into H.
Modified Hash-CBC: MHCBC
[Figure: P0 = C0 = 0; for each block, H takes the single n-bit input Pi-1 ⊕ Ci-1, and its output is XORed into both the input and the output of Ek to give Ci.]
1. CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU-hash function.
3. Two independent keys (H and E).
MCBC-1
Modified CBC: MCBC
[Figure: the MHCBC chain with P0 = C0 = 0, the H box still in front of each Ek call.]
We need an AXU-hash function. E_K itself can be a candidate for this.
Modified CBC: MCBC-1
[Figure: the same chain with H replaced by Ek2 in front of each Ek1 call.]
We need an AXU-hash function. E_K itself can be a candidate for this, so we can replace H by E_K2 (with an independently chosen key K2). This is called MCBC-1.
Modified CBC: MCBC
[Figure: the same chain with H replaced by Ek, using the same key K for both calls.]
What will happen if we replace H by E_K (same key K)? Is it secure?
NOT SECURE.
Modified CBC: MCBC
[Figure: the three queries traced through the two-block same-key MCBC chain with P0 = C0 = 0.]
1. 1st decryption query with ciphertext 0: the plaintext is E_K(0) = v0.
2. 1st encryption query with plaintext 0: the ciphertext is E_K(v0) + v0 = v2. Let E_K(v0) = v1.
3. 2nd encryption query with plaintext (v0, v1): the ciphertext is (0, v2) with probability one, which is not what an ideal random online cipher would give.
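The MCBC chain of the preceding slides and the three-query attack above, as an added Python example (not code from the talk or the paper). It assumes the structure read off the slides, Ci = E_K(Pi ⊕ hi) ⊕ hi with hi = H(Pi-1 ⊕ Ci-1), P0 = C0 = 0 and the slides' "+" meaning XOR; a toy SHA-256 Feistel network stands in for the AES block cipher, and the class, function and key names are mine.

```python
import hashlib
N = 16                  # block size in bytes (128-bit blocks, as in an AES-based design)
ZERO = bytes(N)         # P_0 = C_0 = 0 in the constructions
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, i, half):   # Feistel round function: SHA-256 keyed by (key, round index)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:N // 2]
def E(key, block):          # stand-in block cipher E_K: 4-round Feistel (a toy, not secure)
    l, r = block[:N // 2], block[N // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def D(key, block):          # inverse E_K^{-1}: undo the rounds in reverse order
    l, r = block[:N // 2], block[N // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

class MCBC:
    """Online cipher of the talk: C_i = E_K(P_i ^ h_i) ^ h_i with h_i = E_K2(P_{i-1} ^ C_{i-1})."""
    def __init__(self, k, k2):
        self.k, self.k2 = k, k2
    def encrypt(self, blocks):            # keeps only (P_{i-1}, C_{i-1}) between blocks
        prev_p, prev_c, out = ZERO, ZERO, []
        for p in blocks:
            h = E(self.k2, xor(prev_p, prev_c))
            c = xor(E(self.k, xor(p, h)), h)      # C_i = f(P_{i-1}, C_{i-1}, P_i)
            out.append(c)
            prev_p, prev_c = p, c
        return out
    def decrypt(self, blocks):
        prev_p, prev_c, out = ZERO, ZERO, []
        for c in blocks:
            h = E(self.k2, xor(prev_p, prev_c))
            p = xor(D(self.k, xor(c, h)), h)      # P_i = g(P_{i-1}, C_{i-1}, C_i)
            out.append(p)
            prev_p, prev_c = p, c
        return out

def distinguishing_attack(cipher):
    """The three-query attack of the slides; True means the last ciphertext is (0, v2)."""
    v0 = cipher.decrypt([ZERO])[0]        # 1st decryption query: P = E_K(0) = v0
    v2 = cipher.encrypt([ZERO])[0]        # 1st encryption query: C = E_K(v0) ^ v0 = v2
    v1 = xor(v2, v0)                      # v1 = E_K(v0) when H is E_K under the same key
    c1, c2 = cipher.encrypt([v0, v1])     # 2nd encryption query on (v0, v1)
    return c1 == ZERO and c2 == v2

K, K2 = b"constructed-key1", b"constructed-key2"   # constructed sample keys (16 bytes each)
same_key, two_keys = MCBC(K, K), MCBC(K, K2)       # H := E_K (insecure MCBC) vs. MCBC-1
```

distinguishing_attack(same_key) returns True for every key, while for MCBC-1 (independent K2) the second ciphertext block no longer equals v2. The first block is 0 in both cases, which is exactly what the online property demands once the decryption of 0 is known.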
MCBC-2
Modified CBC: MCBC
[Figure: the same-key MCBC chain with an extra value K1 (shown as E_K applied to the constant 1) mixed in at every block.]
K1 protects from the previous attack. In fact, it is CCA-secure.
Comparison
Mode     BC-Calls   Key-sch   AXU-Hash   Type of Hash   Keys
HCBC1    m          1         m          n → n          KBC + KH
HCBC2    m          1         m          2n → n         KBC + KH'
MHCBC    m          1         m          n → n          KBC + KH
MCBC-1   2m         2         0          -              2KBC
MCBC-2   2m+1       1         0          -              KBC
(m = number of plaintext blocks; KBC = blockcipher key, KH = hash key)
Conclusion
1. Revisited Hash-CBC online ciphers.
2. Modified them by
   1. reducing the key space,
   2. removing the universal hash function,
   3. having better efficiency.
3. These are termed MHCBC and MCBC.
4. A simple modification of MHCBC won't work.
5. A unified way of proving security of online ciphers (in the paper).
Thank you for your attention