SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Transcription

1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1

2 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2

3 Correct decryption requirement Formally: For all K and M we have Pr[D K (E K (M)) = M] = 1, where the probability is over the coins of E Mihir Bellare UCSD 3

4 Block cipher modes of operation E : {0,1} k {0,1} n {0,1} n a block cipher Notation: x[i] is the i-th n-bit block of a string x, so that x = x[1]...x[m] if x = nm. Always: Alg K K $ {0,1} k return K Mihir Bellare UCSD 4

5 Block cipher modes of operation Block cipher provides parties sharing K with M E K C which enables them to encrypt a 1-block message. How do we encrypt a long message using a primitive that only applies to n-bit blocks? Mihir Bellare UCSD 5

6 ECB: Electronic Codebook Mode SE = (K,E,D) where: Alg E K (M) for i = 1,...,m do C[i] E K (M[i]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) return M Correct decryption relies on E being a block cipher, so that E K is invertible Mihir Bellare UCSD 6

7 Security of ECB Weakness: M 1 = M 2 C 1 = C 2 Why is the above true? Because E K is deterministic: M 1 [1] M 1 [m] M 2 [1] M 2 [m] E K... E K E K... E K C 1 [1] C 1 [m] C 2 [1] C 2 [m] Why does this matter? Mihir Bellare UCSD 7

8 Security of ECB Suppose we know that there are only two possible messages, Y = 1 n and N = 0 n, for example representing FIRE or DON T FIRE a missile BUY or SELL a stock Vote YES or NO Then ECB algorithm will be E K (M) = E K (M). M E K C Mihir Bellare UCSD 8

9 Security of ECB Votes M 1,M 2 {Y,N} are ECB encrypted and adversary sees ciphertexts C 1 = E K (M 1 ) and C 2 = E K (M 2 ) M 1 M 2 E K E K C 1 C 2 Adversary may have cast the first vote and thus knows M 1 ; say M 1 = Y. Then adversary can figure out M 2 : If C 2 = C 1 then M 2 must be Y Else M 2 must be N Mihir Bellare UCSD 9

10 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Mihir Bellare UCSD 10

11 Is this avoidable? Let SE = (K,E,D) be ANY encryption scheme. Suppose M 1,M 2 {Y,N} and Sender sends ciphertexts C 1 E K (M 1 ) and C 2 E K (M 2 ) Adversary A knows that M 1 = Y Adversary says: If C 2 = C 1 then M 2 must be Y else it must be N. Does this attack work? Yes, if E is deterministic. Mihir Bellare UCSD 11

12 Randomized encryption For encryption to be secure it must be randomized That is, algorithm E K flips coins. If the same message is encrypted twice, we are likely to get back different answers. That is, if M 1 = M 2 and we let then $ $ C 1 E K (M 1 ) and C 2 E K (M 2 ) Pr[C 1 = C 2 ] will (should) be small, where the probability is over the coins of E. Mihir Bellare UCSD 12

13 Randomized encryption There are many possible ciphertexts corresponding to each message. If so, how can we decrypt? We will see examples soon. C 1 C 2 M E K D K M C s Mihir Bellare UCSD 13

14 Randomized encryption A fundamental departure from classical and conventional notions of encryption. Clasically, encryption (e.g., substitution cipher) is a code, associating to each message a unique ciphertext. Now, we are saying no such code is secure, and we look to encryption mechanisms which associate to each message a number of different possible ciphertexts. Mihir Bellare UCSD 14

15 CBC$: Cipher Block Chaining with random IV mode SE = (K,E,D) where: Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do C[i] E K (M[i] C[i 1]) return C Alg D K (C) for i = 1,...,m do M[i] E 1 K (C[i]) C[i 1] return M Correct decryption relies on E being a block cipher. Mihir Bellare UCSD 15

16 CTR$ mode If X {0,1} n and i N then X +i denotes the n-bit string formed by converting X to an integer, adding i modulo 2 n, and converting the result back to an n-bit string. Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M Mihir Bellare UCSD 16

17 CTR$ mode Alg E K (M) $ C[0] {0,1} n for i = 1,...,m do P[i] E K (C[0]+i) C[i] P[i] M[i] return C Alg D K (C) for i = 1,...,m do P[i] E K (C[0]+i) M[i] P[i] C[i] return M D does not use E 1 K! So one can run CTR$ with a PRF that is not a blockcipher. Encryption and Decryption are parallelizable. Mihir Bellare UCSD 17

18 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? Mihir Bellare UCSD 18

19 Voting with CBC$ Suppose we encrypt M 1,M 2 {Y,N} with CBC$. M 1 M 2 E K E K {0,1} n $ C 1 [0] C 1 [1] {0,1} n $ C 2 [0] C 2 [1] Adversary A sees C 1 = C 1 [0]C 1 [1] and C 2 = C 2 [0]C 2 [1]. Suppose A knows that M 1 = Y. Can A determine whether M 2 = Y or M 2 = N? NO! Mihir Bellare UCSD 19

20 Assessing security So CBC$ is better than ECB. But is it secure? CBC$ is widely used so knowing whether it is secure is important To answer this we first need to decide and formalize what we mean by secure. Mihir Bellare UCSD 20

21 Security requirements Suppose sender computes $ $ C 1 E K (M 1 ); ; C q E K (M q ) Adversary A has C 1,...,C q What if A Retrieves K Bad! Retrieves M 1 Bad! But also we want to hide all partial information about the data stream, such as Does M 1 = M 2? What is first bit of M 1? What is XOR of first bits of M 1,M 2? Something we won t hide: the length of the message Mihir Bellare UCSD 21

22 What we seek We want a single master property MP of an encryption scheme such that MP can be easily specified We can evaluate whether a scheme meets it MP implies ALL the security conditions we want: it guarantees that a ciphertext reveals NO partial information about the plaintext. Mihir Bellare UCSD 22

23 Intuition for definition of IND-CPA The master property MP is called IND-CPA (indistinguishability under chosen plaintext attack). Consider encrypting one of two possible message streams, either or M 1 0,...,Mq 0 M 1 1,...,M q 1 Adversary, given ciphertexts and both data streams, has to figure out which of the two streams was encrypted. Mihir Bellare UCSD 23

24 Games for ind-cpa-advantage of an adversary A Let SE = (K,E,D) be an encryption scheme Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 0 ) Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return C $ E K (M 1 ) Associated to SE, A are the probabilities [ ] Pr Left A SE 1 [ ] Pr Right A SE 1 that A outputs 1 in each world. The (ind-cpa) advantage of A is ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 24

25 The measure of success Adv ind-cpa SE (A) 1 means A is doing well and SE is not ind-cpa-secure. Adv ind-cpa SE (A) 0 (or 0) means A is doing poorly and SE resists the attack A is mounting. Adversary resources are its running time t and the number q of its oracle queries, the latter representing the number of messages encrypted. Security: SE is IND-CPA-secure if Adv ind-cpa SE (A) is small for ALL A that use practical amounts of resources. Insecurity: SE is not IND-CPA-secure if we can specify an explicit A that uses few resources yet achieves high ind-cpa-advantage. Mihir Bellare UCSD 25

26 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Mihir Bellare UCSD 26

27 ECB is not IND-CPA-secure Let E : {0,1} k {0,1} n {0,1} n be a block cipher. Recall that ECB mode defines symmetric encryption scheme SE = (K,E,D) with Can we design A so that is close to 1? E K (M) = E K (M[1])E K (M[2]) E K (M[m]) ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 Exploitable weakness of SE: M 1 = M 2 implies E K (M 1 ) = E K (M 2 ). Mihir Bellare UCSD 27

28 ECB is not IND-CPA-secure Let E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Mihir Bellare UCSD 28

29 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = Mihir Bellare UCSD 29

30 Right game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 1 ) Then [ ] Pr Right A SE 1 = 1 because C 1 = E K (0 n ) and C 2 = E K (0 n ). Mihir Bellare UCSD 30

31 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = Mihir Bellare UCSD 31

32 Left game analysis E is defined by E K (M) = E K (M[1]) E K (M[m]). adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) Return E K (M 0 ) Then [ ] Pr Left A SE 1 = 0 because C 1 = E K (0 n ) E K (1 n ) = C 2. Mihir Bellare UCSD 32

33 ECB is not IND-CPA secure adversary A C 1 LR(0 n,0 n ); C 2 LR(1 n,0 n ) if C 1 = C 2 then return 1 else return 0 Adv ind-cpa SE (A) = = 1 1 { [ }} ]{ { [ }} ]{ Pr Right A SE = 1 Pr Right A SE = 1 And A is very efficient, making only two queries. Thus ECB is not IND-CPA secure. 0 Mihir Bellare UCSD 33

34 Exercise Let SE = (K,E,D) be any symmetric encryption scheme for which E is deterministic. Show that SE is not IND-CPA secure by giving pseudo-code for an efficient adversary A that achieves Adv ind-cpa SE (A) = 1. Assume the message space is some non-empty subset of {0,1} with the property that if M is a legitimate message then so is any other string of length M. Mihir Bellare UCSD 34

35 Exercise: Setup Let K be the key-generation algorithm that returns a random 128-bit string as the key K. Define Alg E K (M) R $ {0,1} 128 ; M[1]...M[m] M; C[0] R for i = 1,...,m do W[i] (R +i) mod ; C[i] AES K (M[i] W[i]) C C[0]C[1]...C[n]; Return C Above W[i] (R +i) mod means we regard R as an interger, add i to it, take the result modulo 2 128, view this as a 128-bit string, and assign it to W[i]. The message space is the set of all strings whose length is a positive multiple of 128. Mihir Bellare UCSD 35

36 Exercise: Questions 1. Specify a decryption algorithm D such that SE = (K,E,D) is a symmetric encryption scheme satisfying the correct decryption condition. 2. Show that this scheme is insecure by presenting a practical adversary A such that Adv ind-cpa SE (A) is high. State the value of the advantage achieved by your adversary and the number of oracle queries it makes. Your adversary for 2. should as usual be specified in clear pseudo-code, not in a text description. There should be a succinct analysis justifying the claimed advantage. Mihir Bellare UCSD 36

37 Why is IND-CPA the master property? We claim that if encryption scheme SE = (K,E,D) is IND-CPA secure then the ciphertext hides ALL partial information about the plaintext. $ $ For example, from C 1 E K (M 1 ) and C 2 E K (M 2 ) the adversary cannot get M 1 get 1st bit of M 1 get XOR of the 1st bits of M 1,M 2 etc. Exercise: State and prove such claims formally. This could be a quiz question! Mihir Bellare UCSD 37

38 Birthday attack on CTR$ Let E : {0,1} k {0,1} n {0,1} n be a blockcipher and SE = (K,E,D) the corresponding CTR$ symmetric encryption scheme. Suppose 1-block messages M 0,M 1 are encrypted: $ $ C 0 [0]C 0 [1] E(K,M 0 ) C 1 [0]C 1 [1] E(K,M 1 ) Let us say we are lucky If C 0 [0] = C 1 [0]. If so: C 0 [1] = C 1 [1] if and only if M 0 = M 1 So if we are lucky we can detect message equality and violate IND-CPA. Mihir Bellare UCSD 38

39 Birthday attack on CTR$ Let 1 q < 2 n be a parameter and let i be integer i encoded as an n-bit string. adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Mihir Bellare UCSD 39

40 Birthday attack on CTR$: Right game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Right SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 1 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = 0 E K (C j [0]+1) = 0 E K (C l [0]+1) = C l [1] so [ ] Pr Right A SE 1 = Pr[S ] = C(2 n,q) Mihir Bellare UCSD 40

41 Birthday attack on CTR$: Left game analysis adversary A for i = 1,...,q do C i [0]C i $ [1] LR( i, 0 ) S {(j,l): C j [0] = C l [0] and j < l} If S, then (j,l) S $ If C j [1] = C l [1] then return 1 return 0 Game Left SE procedure Initialize K $ K procedure LR(M 0,M 1 ) $ C[0] {0,1} n P E(K,C[0]+1) C[1] P M 0 Return C[0]C[1] If C j [0] = C l [0] (lucky) then C j [1] = j E K (C j [0]+1) l E K (C l [0]+1) = C l [1] so [ ] Pr Left A SE 1 = 0. Mihir Bellare UCSD 41

42 Birthday attack on CTR$ ] ] Adv ind-cpa SE (A) = Pr [Right A SE 1 Pr [Left A SE 1 = C(2 n,q) q(q 1) 2 n Conclusion: CTR$ can be broken (in the IND-CPA sense) in about 2 n/2 queries, where n is the block length of the underlying block cipher, regardless of the cryptanalytic strength of the block cipher. Mihir Bellare UCSD 42

43 Exercise The above attack on CTR$ uses 1-block messages. Letting SE be the same scheme, give an adversary A that makes q LR-queries, each consisting of two m-block messages, and achieves ( Adv ind-cpa m 2 q 2 ) SE (A) = Ω The running time of A should be about O(mqn log(mqn)). 2 n Mihir Bellare UCSD 43

44 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Mihir Bellare UCSD 44

45 Security of CTR$ So far: A q-query adversary can break CTR$ with advantage q2 2 n+1 Question: Is there any better attack? Answer: NO! We can prove that the best q-query attack short of breaking the block cipher has advantage at most σ 2 2 n where σ is the total number of blocks encrypted. Example: If q 1-block messages are encrypted then σ = q so the adversary advantage is not more than q 2 /2 n. For E = AES this means up to 2 64 blocks may be securely encrypted, which is good. Mihir Bellare UCSD 45

46 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 46

47 Intuition and proof We first give some intuition for the proof and then the proof itself. We assume for simplicity that A makes q = σ/m LR queries in each of which both messages are m blocks long. Extending the proof to the general case is an exercise. We let C i = C i [0]C i [1]...C i [m] denote the response of the LR oracle to A s i-th query. Mihir Bellare UCSD 47

48 Intuition for IND-CPA security of CTR$ Consider the CTR$ scheme with E K replaced by a random function Fn. Alg E Fn (M) $ C[0] {0,1} n for i = 1,...,m do P[i] Fn(C[0]+i) C[i] P[i] M[i] return C Analyzing this is a thought experiment, but we can ask whether it is IND-CPA secure. If so, the assumption that E is a PRF says CTR$ with E is IND-CPA secure. Mihir Bellare UCSD 48

49 CTR$ with a random function Let E be the event that the points C 1 [0]+1,...,C 1 [0]+m,...,C q [0]+1,...,C q [0]+m, on which Fn is evaluated across the q encryptions, are all distinct. Case 1: E happens. Then the encryption is a one-time-pad: ciphertexts are random, independent strings, regardless of which message is encrypted. So A has zero advantage. Case 2: E doesn t happen. Then A may have high advantage but it does not matter because Pr[E] doesn t happen is small. (It is the small additive term in the theorem.) Mihir Bellare UCSD 49

50 Alternative formulation of advantage Let SE = (K,E,D) be a symmetric encryption scheme and A an adversary. Game Guess SE procedure Initialize K $ K; b $ {0,1} procedure LR(M 0,M 1 ) return C $ E K (M b ) procedure Finalize(b ) return (b = b ) ] Proposition: Adv ind-cpa SE (A) = 2 Pr [Guess A SE true 1. Proof: Observe Pr [ b = 1 b = 1 ] [ ] = Pr Right A SE 1 Pr [ b = 1 b = 0 ] [ ] = Pr Left A SE 1 Mihir Bellare UCSD 50

51 Proof of Proposition, continued [ ] Pr Guess A SE true = Pr [ b = b ] = Pr [ b = b b = 1 ] Pr[b = 1]+Pr [ b = b b = 0 ] Pr[b = 0] = Pr [ b = b b = 1 ] 1 2 +Pr[ b = b b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +Pr[ b = 0 b = 0 ] 1 2 = Pr [ b = 1 b = 1 ] 1 2 +( 1 Pr [ b = 1 b = 0 ]) 1 2 = (Pr [ b = 1 b = 1 ] Pr [ b = 1 b = 0 ]) 2 = ( [ ] [ ]) 2 Pr Right A SE 1 Pr Left A SE 1 = Advind-cpa SE (A). Mihir Bellare UCSD 51

52 A game-playing proof The proof uses a sequence of games and invokes the fundamental lemma of game playing [BR96]. The games have the following Initialize and Finalize procedures: Initialize // G 0 b $ {0,1}; S K $ {0,1} k Initialize // G 1,G 2,G 3 b $ {0,1}; S Finalize // All games Return (b = b ) For brevity we omit writing these procedures explicitly in the games, but you should remember they are there. Also for brevity if G is a game and A is an adversary then we let Pr[G A ] = Pr[G A true] Mihir Bellare UCSD 52

53 Games G 0,G 1 for the proof Game G 0 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P S then T[P] E K (P) C[i] T[P] M b [i] S S {P} return C Then [ ] Adv ind-cpa SE (A) = 2 Pr G0 A 1 Game G 1 procedure LR(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ if P / S then T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Mihir Bellare UCSD 53

54 Analysis Clearly Pr[G A 0 ] = Pr[GA 1 ]+( Pr[G A 0 ] Pr[GA 1 ]). Claim 1: We can design prf-adversary B so that Claim 2: Pr[G A 1 ] σ2 2 n+1 Given these, we have Adv ind-cpa SE (A) 2 Pr[G A 0 ] Pr[GA 1 ] Advprf E (B) ( ) σ2 2 n Adv prf E (B) = σ2 2 n +2 Advprf E (B) which proves the theorem. It remains to prove the claims. Mihir Bellare UCSD 54

55 Proof of Claim 1 adversary B b $ {0,1}; S b $ A LRSim if (b = b ) then return 1 else return 0 subroutine LRSim(M 0,M 1 ) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i if P / S then T[P] Fn(P) C[i] T[P] M b [i] S S {P} return C Pr ] Pr [Real B E 1 ] [Rand B {0,1} n 1 [ ] = Pr G0 A [ ] = Pr G1 A Subtracting, we get Claim 1. Mihir Bellare UCSD 55

56 Where we are It remains to prove: Claim 2: Pr[G A 1 ] σ2 2 n+1 Mihir Bellare UCSD 56

57 Introducing the bad flag Game G 1 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0] +i If P / S then $ T[P] {0,1} n C[i] T[P] M b [i] S S {P} return C Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do P C[0]+i $ C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i] S S {P} return C Pr[G A 1 ] = Pr[GA 2 ] = Pr[GA 3 ]+ ( Pr[G A 2 ] Pr[GA 3 ] ) Mihir Bellare UCSD 57

58 Analysis of G 3 Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C Ciphertext C in G 3 is always random, independently of b, so [ ] Pr G3 A = 1 2. Mihir Bellare UCSD 58

59 Fundamental Lemma of game playing Games G, H are identical-until-bad if their code differs only in statements following the setting of bad to true. Lemma: [BR96] If G,H are identical-until-bad, then for any adversary A and any y [ ] [ ] [ ] Pr G A y Pr H A y Pr H A setsbad Mihir Bellare UCSD 59

60 Using the fundamental lemma Game G 2, G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true; C[i] T[P] M b [i] T[P] C[i] M b [i]; S S {P} return C G 2 and G 3 are identical-until-bad, so Fundamental Lemma implies [ ] [ ] [ ] Pr G2 A Pr G3 A Pr G3 A setsbad. Mihir Bellare UCSD 60

61 Bounding the probability that G 3 sets bad Game G 3 procedure LR(M 0,M 1) $ C[0] {0,1} n for i = 1,...,m do $ P C[0] +i; C[i] {0,1} n If P S then bad true T[P] C[i] M b [i]; S S {P} return C ] Pr [G3 A setsbad q m i=1 = m2 q(q 1) 2 n+1 σ2 2 n+1 m(i 1) 2 n Mihir Bellare UCSD 61

62 Security of CTR$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CTR$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Mihir Bellare UCSD 62

63 Security of CBC$ Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K,E,D) the corresponding CBC$ symmetric encryption scheme. Exercise: Give an adversary A that makes q LR-queries, each consisting of two 1-block messages, and achieves ( ) Adv ind-cpa q 2 SE (A) = Ω The running time of A should be about O(qn log(qn)). Can you generalize this to m-block messages? What is the best advantage you can get? 2 n Mihir Bellare UCSD 63

64 Security of CBC$ Theorem: [BDJR98] Let E : {0,1} k {0,1} n {0,1} n be a block cipher and SE = (K, E, D) the corresponding CBC$ symmetric encryption scheme. Let A be an ind-cpa adversary against SE that has running time t and makes at most q LR queries, these totalling at most σ blocks. Then there is a prf-adversary B against E such that Adv ind-cpa SE (A) 2 Adv prf σ2 E (B)+ 2 n Furthermore, B makes at most σ oracle queries and has running time t +Θ(σ n). Exercise: Prove the above theorem. Mihir Bellare UCSD 64