Roadmap on symmetric ciphers

Roadmap on symmetric ciphers

Lecture 01: Historical ciphers (badly broken)

Lecture 02:
- OTP (the One Time Pad cipher)
- Perfect Secrecy (first notion of security)
- Stream ciphers (making OTP practical)
- PRG (unpredictable Pseudo Random Generators)
- Attacks!

Lecture 03:
- PRGs, PRFs and PRPs
- Block Ciphers (definition)
- Block Ciphers (examples: DES, AES)
- Block Ciphers (modes of operation: ECB, CBC)

Symmetric Key Cryptography: intuition

The same key is used for both encryption and decryption. Alice encrypts the plaintext "Let's meet at 10am." with the secret key into a ciphertext (something like "Cx8, 0_? a tgy1 $abk"); Bob decrypts the ciphertext with the same (shared) secret key and recovers the plaintext "Let's meet at 10am.".

Symmetric Ciphers: Definition

DEFINITION. A (symmetric) cipher defined over (K, M, C), where K is the key space, M the message space and C the ciphertext space, is a pair of efficient algorithms (E, D) with E : K × M → C and D : K × C → M, such that for all messages m ∈ M and for all keys k ∈ K it holds that: if E(k, m) = c, then D(k, c) = m.

We can re-write this expression as D(k, E(k, m)) = m. This is the CORRECTNESS PROPERTY of the cipher.

Symmetric Ciphers: the One Time Pad (OTP) - Vernam 1917 -

The OTP cipher: K = M = C = {0,1}^n
  E : K × M → C, E(k, m) = k ⊕ m
  D : K × C → M, D(k, c) = k ⊕ c

Example:
  msg  0 1 1 0
  k    1 0 1 1
  c    1 1 0 1

CORRECTNESS of the OTP: D(k, E(k, m)) = k ⊕ E(k, m) = k ⊕ (k ⊕ m) = m.

Quiz 1 (scan the QR code or type the code CRGP363 at http://goformative.com/join)

Is it possible to obtain the key k given a message m and its OTP encryption c?
- No.
- Yes.
- Yes, but only for certain values of m.
- One can retrieve only half of the bits of the key.

The correct answer is YES! Why? c = m ⊕ k, hence m ⊕ c = m ⊕ (m ⊕ k) = k.

Is the OTP a good cipher?

What is a 'good' cipher? How do we define good?

THE FUNDAMENTAL PROPERTIES OF A (GOOD) CIPHER
1. CORRECTNESS: D(k, E(k, m)) = m.
2. EFFICIENCY: the algorithms E and D run in polynomial time. Formally: there exists a polynomial p(·) such that the algorithms E and D run in time p(n), where n is the length of the algorithms' input.
3. SECURITY: the cipher is secure against some attacks (more details in the next slide).

Principles of Modern Cryptography: "if you don't understand what you want to achieve, how can you possibly know when (or if) you have achieved it?"
1. Formal Definitions
2. Precise Assumptions
3. Proof of Security

Security Definition (Perfect Secrecy) by Shannon 1949

Intuition: the ciphertext should reveal no information about the plaintext to the eavesdropper Eve.

DEFINITION. A cipher (E, D) defined over (K, M, C) has perfect secrecy if
$$\forall\, m_0, m_1 \in M \text{ with } len(m_0) = len(m_1),\ \forall\, c \in C:\quad \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c],$$
where k is chosen uniformly at random from K (i.e., $k \leftarrow_R K$).

This is just one definition of security; in the next lectures we will see more! It implies that the adversary (Eve), who sees only the ciphertext c, is not able to determine whether c is an encryption of m_0 or of m_1.

What does 'uniformly at random' mean? (a.k.a. sampling from the uniform distribution)

DEFINITION. A probability distribution P over a finite set X is a function P : X → [0,1] with the following property: $\sum_{x \in X} P(x) = 1$. A uniform distribution U is a distribution where U(x) is the same value for all x in X.

Example (other distributions): the sum of the values obtained when throwing two dice has a Gaussian (normal) distribution.
Example (uniform distribution): the probability of getting heads when flipping a coin is 1/2, which is also the probability of getting tails.

The OTP has perfect secrecy. Proof live on the board!

Shannon's Theorem: perfect secrecy implies that |K| ≥ |M| (i.e. the key space must be at least as large as the space of to-be-encrypted messages).

Corollary: suppose that |K| = |M| = |C|. We have perfect secrecy if and only if each key is used with equal probability 1/|K| and, for any m ∈ M and any c ∈ C, there exists a unique key k ∈ K such that E(k, m) = c.

Board notes: the OTP has perfect secrecy

Encryption: E(k, m) = k ⊕ m. Perfect secrecy asks: ∀ m_0, m_1 ∈ M with len(m_0) = len(m_1) and ∀ c ∈ C, Pr[E(k, m_0) = c] = Pr[E(k, m_1) = c].

Think of m_0 and c as fixed and of k as the variable: the probability that a random key k encrypts the message m_0 into c is
$$\Pr[E_{OTP}(k, m_0) = c] = \frac{\#\text{keys that encrypt } m_0 \text{ into } c}{\text{total number of keys}} = \frac{1}{2^n},$$
since with the OTP exactly one key (k = m_0 ⊕ c) maps m_0 into c. The same reasoning holds for m_1, thus Pr[E(k, m_0) = c] = 1/2^n = Pr[E(k, m_1) = c] for every m_0, m_1 and c.

Implication: perfect secrecy ⇒ |K| ≥ |M|.

Board notes: perfect secrecy ⇒ |K| ≥ |M|

STEP 1: |K| ≥ |C|. For every message m the function E_m : K → C, E_m(k) = E(k, m), is surjective, so |K| ≥ |C|. This is true by the definition of perfect secrecy: fix a message m; for every ciphertext c there must exist at least one key that maps m into c, otherwise Pr[E(k, m) = c] = 0 for this m while the message that c actually encrypts is mapped into c with non-zero probability, contradicting the definition. Perfect secrecy is asking "how many keys encrypt m_0 to c and m_1 to the same c?"; think of k as a variable!

STEP 2: |C| ≥ |M|. How do I decrypt? For a fixed key k, decryption must recover m, so E(k, ·) : M → C is injective and hence |C| ≥ |M|.

Combining the two steps: |K| ≥ |C| ≥ |M|. Check the additional material for detailed proofs.
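The board proof above counts, for a fixed message, how many keys land on each ciphertext. Shannon's definition can be checked exhaustively on a toy cipher with 3-bit keys, messages and ciphertexts. The following Python code is an added example, not part of the lecture slides; the spaces, the `leaky_encrypt` counterexample (a constructed cipher in the spirit of the "attempt 2" scheme of slide 26) and the function names are my own.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

# Constructed toy spaces: K = M = C = {0,1}^N with N = 3 (tiny, so everything can be enumerated).
N = 3
SPACE = list(product((0, 1), repeat=N))  # all 3-bit strings as tuples of bits


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def otp_encrypt(k, m):
    # E(k, m) = k XOR m
    return xor(k, m)


def leaky_encrypt(k, m):
    # Constructed counterexample (not from the slides): the first bit of m is sent in the
    # clear, the remaining bits are XORed with the key.
    return (m[0],) + xor(k[1:], m[1:])


def ciphertext_distribution(enc, m, keys):
    """Pr[E(k, m) = c] for every c, with k uniform over `keys` (exact fractions)."""
    counts = Counter(enc(k, m) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}


def has_perfect_secrecy(enc, keys, msgs):
    """Shannon's definition, checked exhaustively: for all m0, m1 (same length),
    the distribution of E(k, m0) must equal the distribution of E(k, m1)."""
    dists = [ciphertext_distribution(enc, m, keys) for m in msgs]
    return all(d == dists[0] for d in dists[1:])


def keys_mapping(enc, m, c, keys):
    """Number of keys k with E(k, m) = c: the counting argument of the board proof."""
    return sum(1 for k in keys if enc(k, m) == c)


if __name__ == "__main__":
    print("OTP perfectly secret:", has_perfect_secrecy(otp_encrypt, SPACE, SPACE))
    print("leaky cipher perfectly secret:", has_perfect_secrecy(leaky_encrypt, SPACE, SPACE))
    # Shannon's bound: with |K| < |M| the OTP loses perfect secrecy
    print("OTP with |K| = 4 < |M| = 8:", has_perfect_secrecy(otp_encrypt, SPACE[:4], SPACE))
    print("keys mapping 011 -> 110 under the OTP:",
          keys_mapping(otp_encrypt, (0, 1, 1), (1, 1, 0), SPACE))
```

Running the block confirms the three claims of the slides: the OTP passes the check, the leaky cipher fails it (the first ciphertext bit has a different distribution for m_0 = 000 and m_1 = 100), and restricting the OTP to a key space smaller than the message space breaks perfect secrecy, as Shannon's theorem predicts. Note that `keys_mapping` always returns 1 for the OTP, which is exactly the unique-key condition of the corollary.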

Quiz 2 (scan the QR code or type the code NTJR437 at http://goformative.com/join)

Let m ∈ M and c ∈ C. How many OTP keys k ∈ K = {0,1}^n map m into c?
- None.
- Infinitely many.
- 1.
- It depends on m.

The Venona project (1943 - 1980-ish): an NSA counter-intelligence program to decrypt messages transmitted by the intelligence agencies of the Soviet Union (during World War II).

STRATEGY: a code was used to convert words and letters into numbers, and the numbers were encrypted using the OTP. When used correctly, OTP encryption is unbreakable.

HOWEVER: generating the one-time pads was a slow and labor-intensive process, and the outbreak of World War II caused a sudden increase in the need for coded messages. To keep up with demand, Russian intelligence agencies started to re-use old encryption keys.

RESULT: 3,000 messages have been partially or wholly decrypted by the NSA. All the duplicate one-time pad pages were produced in 1942, and almost all of them had been used by the end of 1945, with a few being used as late as 1948.

The Venona project: how did the NSA break the Russians' OTP?

Let c_1 = m_1 ⊕ k and c_2 = m_2 ⊕ k (the same key k used twice). Consider
  c_1 ⊕ c_2 = (m_1 ⊕ k) ⊕ (m_2 ⊕ k) = (m_1 ⊕ m_2) ⊕ (k ⊕ k) = m_1 ⊕ m_2.

Given m_1 ⊕ m_2 it is easy to retrieve m_1 and m_2, thanks to the redundancy in a language (e.g. with ASCII encoding not all combinations of letters are possible/likely).

Example: given a language L = {00100, 10011, 11100, 10100}, m_1 = 00100 and m_2 = 10011, then m_1 ⊕ m_2 = 10111, and 10111 can be obtained only by adding m_1 and m_2 (no other pair of words of L XORs to 10111).

(Gene Grabeel was the first cryptanalyst of the Venona project.)

Never use an OTP key twice!

Is the OTP a good cipher?

Pros:
- very fast algorithms for encryption/decryption
- perfect secrecy (and one-time key semantic security)

Cons:
- very long key (the secret key is as long as the message)
- ciphertexts are malleable
- highly impractical

Quiz 3 (scan the QR code or type the code AFMA649 at http://goformative.com/join)

Let m be a message and c = m ⊕ k its OTP encryption. If the attacker adds a to manipulate the ciphertext (hint: the new ciphertext is c' = c ⊕ a), what does Bob decrypt?
- m ⊕ k
- m
- m ⊕ a
- a
- a ⊕ k

With the OTP, modifications to the ciphertext are undetectable, and the attacker can predict what the tampered decrypted message will be (if the attacker knows - part of - the original plaintext).
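The OTP slides above (the Vernam example, quiz 1, the Venona two-time pad and the malleability of quiz 3) all reduce to a few XOR identities. The Python code below is an added example written for this page, not lecture material; it works on bit strings like the slides, uses the slide's 4-bit example and the constructed 5-bit language L from the Venona slide, and all function names are my own.

```python
import secrets


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings such as '0110' and '1011'."""
    if len(a) != len(b):
        raise ValueError("OTP needs a key exactly as long as the message")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def random_key(n: int) -> str:
    """A fresh uniformly random n-bit key (a CSPRNG stands in for true randomness here)."""
    return "".join(secrets.choice("01") for _ in range(n))


def otp_encrypt(k: str, m: str) -> str:
    return xor_bits(k, m)          # E(k, m) = k XOR m


def otp_decrypt(k: str, c: str) -> str:
    return xor_bits(k, c)          # D(k, c) = k XOR c, hence D(k, E(k, m)) = m


def recover_key(m: str, c: str) -> str:
    """Quiz 1: a known (m, c) pair reveals the whole key, k = m XOR c.
    This is why a pad must be used once and kept secret even after use."""
    return xor_bits(m, c)


def two_time_pad_leak(c1: str, c2: str) -> str:
    """Venona: if k is reused, c1 XOR c2 = m1 XOR m2 and the key cancels out."""
    return xor_bits(c1, c2)


def candidate_pairs(language, leak: str):
    """All unordered pairs of words of the language whose XOR equals the leak.
    The redundancy of the language (few valid words) is what pins down m1 and m2."""
    pairs = set()
    for m1 in language:
        for m2 in language:
            if m1 < m2 and xor_bits(m1, m2) == leak:
                pairs.add((m1, m2))
    return sorted(pairs)


def tamper(c: str, a: str) -> str:
    """Quiz 3: c' = c XOR a. Bob decrypts c' to m XOR a and has no way to notice."""
    return xor_bits(c, a)


if __name__ == "__main__":
    print(otp_encrypt("1011", "0110"))            # the slide's example: 1101
    # Venona-style key reuse on two words of the constructed language L
    L = ["00100", "10011", "11100", "10100"]
    k = random_key(5)
    c1, c2 = otp_encrypt(k, "00100"), otp_encrypt(k, "10011")
    leak = two_time_pad_leak(c1, c2)
    print(leak, candidate_pairs(L, leak))          # 10111 and the single pair that explains it
```

Whatever the random key, `two_time_pad_leak` returns 10111 and `candidate_pairs` finds exactly one pair of words, which is the slide's claim that the key never enters the computation once it is reused. The `tamper` function shows the malleability from the defender's side: since D(k, c ⊕ a) = m ⊕ a, integrity needs a separate mechanism (a MAC), which later lectures cover.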

Beyond OTP: how can we make the OTP practical?

STREAM CIPHERS
1. Replace the long (uniformly) random key k with a short key s.
2. Use s (the new k) to generate a long pseudo-random key k = G(s) for the OTP cipher, where G is a Pseudo Random Generator (PRG) - see next slide - whose output is (uniformly) random looking.
3. Encrypt the plaintext (message) one bit (or byte) at a time: ciphertext = plaintext ⊕ G(s).

NOTE: there are a lot of tiny important details behind stream ciphers (especially for their implementation), but I won't focus on these.

Quiz 4 (scan the QR code or type the code YFMP474 at http://goformative.com/join)

Can a stream cipher have perfect secrecy?
- Yes, but only if the PRG used in the stream cipher is really secure.
- No, since there exists no cipher with perfect secrecy.
- Yes, every cipher can have perfect secrecy.
- No, since the secret key is shorter than the message.

Examples of stream ciphers
- A5/1: stream cipher used in GSM (Global System for Mobile Communications, originally Groupe Spécial Mobile)
- E0: stream cipher used in the Bluetooth protocol
Both are badly broken!

PRG: Pseudo Random Generators

Intuition: a PRG is a function that, on input a seed, outputs a string which looks completely random.

DEFINITION. A function $G : \{0,1\}^\ell \to \{0,1\}^n$ with $\ell \ll n$ is a secure Pseudo Random Generator (PRG) if for any efficient statistical test (distinguisher) D it holds that
$$\left|\, \Pr[D(G(s)) = 1] - \Pr[D(r) = 1] \,\right| \text{ is negligible},$$
where $s \leftarrow_R \{0,1\}^\ell$ and $r \leftarrow_R \{0,1\}^n$ are picked uniformly at random. Important to understand!

STATISTICAL TEST (distinguisher): D(x) = 1 if x looks like a truly random string, 0 if x looks like a pseudo-random output - see examples in the exercise lecture -

What does it mean that the output G(s) = k' is indistinguishable from random?

Picture: G maps the key space {0,1}^ℓ (seeds s_1, s_2, ...) into the output space {0,1}^n (outputs k_1, k_2, ...); the image of G is only a small part of {0,1}^n. Given a string x ∈ {0,1}^n, does x belong to the image of G or not? An adversary D that sees the output of G cannot distinguish it from something completely random (i.e. something coming from the uniform distribution over {0,1}^n).

Unpredictable PRGs

Given a part of the output of G(s) = k, it is impossible to predict the remaining part of the output. A good (secure) PRG must be unpredictable!

  G(s) = k = 0 1 1 1 0 1 0 1 0 0 ? ? ? ? ? ?

Giving a formal definition of "unpredictable" is hard, so we give a definition of a predictable PRG instead!

DEFINITION. A PRG $G : \{0,1\}^\ell \to \{0,1\}^n$ is said to be predictable if there exists an efficient algorithm A (this algorithm will be our adversary) and an index $1 \le i \le n$ such that
$$\Pr_{s \leftarrow_R K}\big[\, A(G(s)_{1,\dots,i}) = G(s)_{i+1} \,\big] \ge \frac{1}{2} + \varepsilon$$
for some non-negligible value ε (e.g. ε > 1/2^30). You can break a weak PRG in the programming assignment!

In 1982 Yao proved that unpredictable PRGs are secure. But it is still unknown whether provably secure PRGs exist.

Predictable PRGs, what is the problem?

Let A be the algorithm that can efficiently compute G(s)_{i+1} given G(s)_{1,...,i}. Suppose A knows the ciphertext c and the beginning of the plaintext m (e.g. standard headers): from c ⊕ m it obtains the beginning of the keystream G(s). Then A can efficiently decrypt!

Quiz 5 (scan the QR code or type the code JWVZ293 at http://goformative.com/join)

Suppose G : {0,1}^ℓ → {0,1}^n is such that for all s ∈ K = {0,1}^ℓ it holds that XOR[G(s)] = 1 (the XOR of all the output bits is 1). Is G predictable?
- No, there exists no efficient algorithm to obtain the last bit from the first one.
- No, G is unpredictable.
- Yes, given the first (n - 1) bits, I can predict the last bit.
- Yes, given the first bit, I can predict the second.
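To make the PRG definition, the predictability definition and the "known header" problem of the last slides concrete, here is an added Python example (not part of the lecture). It builds a deliberately weak, constructed toy PRG whose outputs all have XOR equal to 1, exactly the property assumed in quiz 5; the seed/output lengths, the generator's internal rule (cyclic repetition of the seed) and every function name are my own assumptions, and nothing here resembles a real stream cipher.

```python
import random

SEED_LEN = 4    # l: seed length (constructed)
OUT_LEN = 16    # n: output length (constructed; l << n in spirit)


def parity(bits):
    """XOR of all bits."""
    return sum(bits) % 2


def toy_prg(seed):
    """Constructed toy G: {0,1}^l -> {0,1}^n. It repeats the seed cyclically for n-1 bits
    and appends one bit chosen so that XOR[G(s)] = 1 for every seed (the quiz 5 property).
    It is deliberately weak and exists only to exercise the definitions."""
    if len(seed) != SEED_LEN:
        raise ValueError("seed must have SEED_LEN bits")
    out = [seed[i % SEED_LEN] for i in range(OUT_LEN - 1)]
    out.append(1 ^ parity(out))
    return out


def parity_test(x):
    """Statistical test D(x): 1 if the XOR of all bits of x is 1, else 0."""
    return 1 if parity(x) == 1 else 0


def distinguishing_gap(trials, seed=None):
    """Estimate |Pr[D(G(s)) = 1] - Pr[D(r) = 1]| for D = parity_test, with s and r uniform.
    A secure PRG would make this negligible; for toy_prg it is about 1/2."""
    rng = random.Random(seed)
    hits_prg = sum(parity_test(toy_prg([rng.randint(0, 1) for _ in range(SEED_LEN)]))
                   for _ in range(trials))
    hits_rnd = sum(parity_test([rng.randint(0, 1) for _ in range(OUT_LEN)])
                   for _ in range(trials))
    return abs(hits_prg - hits_rnd) / trials


def predict_remaining(prefix):
    """Predictor A: given G(s)_{1..i} with i >= SEED_LEN, output G(s)_{i+1..n}.
    It succeeds with probability 1 (far above 1/2 + epsilon), so toy_prg is predictable."""
    if len(prefix) < SEED_LEN:
        raise ValueError("need at least SEED_LEN keystream bits")
    out = list(prefix)
    while len(out) < OUT_LEN - 1:
        out.append(out[len(out) - SEED_LEN])   # exploit the cyclic structure
    if len(out) < OUT_LEN:
        out.append(1 ^ parity(out))           # exploit the forced parity bit
    return out[len(prefix):]


def stream_encrypt(seed, m):
    """Stream cipher built on the PRG: c = m XOR G(s), bit by bit (decryption is identical)."""
    return [a ^ b for a, b in zip(toy_prg(seed), m)]


def known_header_attack(c, header):
    """Slide 22: knowing c and the first bits of m (a standard header) gives the first
    keystream bits; with a predictable PRG that yields the rest of the keystream and of m."""
    ks_prefix = [x ^ y for x, y in zip(c[:len(header)], header)]
    keystream = ks_prefix + predict_remaining(ks_prefix)
    return [x ^ y for x, y in zip(keystream, c)]


if __name__ == "__main__":
    s = [1, 0, 1, 1]
    m = [1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1]   # constructed 16-bit plaintext
    c = stream_encrypt(s, m)
    print("distinguishing gap of the parity test:", distinguishing_gap(2000, seed=7))
    print("recovered from 4 known header bits:", known_header_attack(c, m[:4]) == m)
```

The parity test alone already violates the PRG definition (the gap is about 0.5, nowhere near negligible), and `predict_remaining` is a concrete adversary A for the predictability definition. The point for a practitioner is the coupling shown in `known_header_attack`: any structure in the keystream, not just the parity bit, turns a few known plaintext bytes (protocol headers, file magic) into a full decryption, which is why stream ciphers must be built on generators that pass every efficient test.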

WEP attacks

WEP attack - two time pad: the length of the IV is 24 bits, so the IV repeats after 2^24 ≈ 16M frames. On some 802.11 cards the IV resets to 0 after a power cycle: repetition after a power cycle or every 16M frames.

There are several solutions (not all of them have been used), e.g. always negotiate new keys for every session (as TLS does).

How to define the security of a cipher?

First we need to define the power and the goals of an adversary.

Power of the adversary:
- see some ciphertext
- get the encryption of chosen messages
- encrypt a chosen message / change the content of a ciphertext
- tamper with the communication (spoofing, change ciphertext)

Goals of the adversary:
- find the secret key
- decrypt

And we have to decide what approach to use:
- information-theoretic security: a mathematical proof that an attacker cannot do better than a given probability bound in producing a forgery or learning something (hard to achieve, and bad security values)
- complexity-based security: an attacker that can make a forgery is also able to break a complex hard problem (most cryptographic primitives are of this type; better security values, but relies on the hope that no one ever solves the hard problem)

Security: definition attempts

Attacker's power = see ciphertexts; goals = break the cipher. What does "break" mean? It is not easy to give good definitions in cryptography.

Attempt 1: the attacker cannot recover the secret key. The cipher E(k, m) = m satisfies this requirement but is not really secure.

Attempt 2: the attacker cannot recover the whole plaintext. The cipher E(k, m_0 || m_1) = m_0 || (k ⊕ m_1) satisfies this requirement but is not really secure.

Security: considerations about Shannon's perfect secrecy

DEFINITION seen in slide 8 (SHANNON DEFINITION). A cipher (E, D) defined over (K, M, C) has perfect secrecy if
$$\forall\, m_0, m_1 \in M \text{ with } len(m_0) = len(m_1),\ \forall\, c \in C:\quad \Pr[E(k, m_0) = c] = \Pr[E(k, m_1) = c],$$
where k is chosen uniformly at random from K (i.e., $k \leftarrow_R K$).

What does the definition say? If we pick a random key k and we encrypt a random message m_0, the resulting ciphertext has the same distribution as if we had encrypted m_1, i.e., the adversary cannot tell whether we encrypted m_0 or m_1.

The truth is: only the OTP has perfect secrecy! Shannon's definition is too strong (strict).

Security: 'relaxing' the notion of perfect secrecy

If the definition is too strict, let's relax it! Instead of having identical distributions (i.e. the probability with which E(k, m) equals the given c), let's require that the distributions are indistinguishable, and also that m_0 and m_1 are not completely random, but messages that the attacker can create. This definition is called one-time key semantic security (the relaxed/realistic perfect secrecy) - see the security game in the next slide -

The semantic security game (one-time key)

Players: the Attacker A, a Probabilistic Polynomial Time (PPT) algorithm, and the Challenger C.
1. A picks two messages m_0, m_1 ← D_M (taken from some appropriate distribution of messages) with len(m_0) = len(m_1) and sends them to C.
2. C picks a key k ∈ K and a bit b ←_R {0,1} chosen uniformly at random, computes c = E(k, m_b) and sends c to A.
3. A outputs a guess b' ∈ {0,1} for b.

DEFINITION. A cipher (E, D) is semantically secure (with a one-time key) if for any PPT adversary it holds that
$$\Pr[b = b'] < \frac{1}{2} + \text{negligible}.$$
Negligible means < 1/2^80, non-negligible means > 1/2^30.

How to use the definition of semantic security? (e.g. at the exercise sessions / exam)

Define W_0 as the event that C chose b = 0 and A outputs b' = 0, and W_1 as the event that C chose b = 1 and A outputs b' = 0. Show that |P(W_0) - P(W_1)| is (non-)negligible.

Example: prove that the encryption scheme E(k, m_0 || m_1) = m_0 || (k ⊕ m_1) is not semantically secure. We need to show that A can win the security game (on the previous slide). Let A choose m_0 = m_00 || m_01 = 0 || 0 and m_1 = m_10 || m_11 = 1 || 1. If C chose b = 0, then c = 0 || c_0; if b = 1, then c = 1 || c_1. A can output b' = c[1] (the first bit of c) as its guess for b. With this strategy we have that P(W_0) - P(W_1) = 1 - 0 = 1.

The 'Advantage' of an adversary

The value |P(W_0) - P(W_1)| is usually called the advantage of A and is denoted as Adv_{sem.sec.}[A, E], where "sem.sec." is the name of the security notion we are considering, A is the name of the adversary we are considering and E is the name of the scheme/function we are considering.
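The game of slides 29-31 can be simulated directly, which is a useful sanity check when writing a reduction for the exercises. The Python below is an added example, not part of the lecture: it plays the one-time-key game between a challenger and the slide-30 adversary against the cipher E(k, m_0 || m_1) = m_0 || (k ⊕ m_1) and, for comparison, against the OTP; the bit-list encoding, the simulation loop and the function names are my own.

```python
import random


def otp(k, m):
    """E(k, m) = k XOR m on bit lists."""
    return [a ^ b for a, b in zip(k, m)]


def leaky(k, m):
    """The slide-26/30 cipher on 2-bit messages with a 1-bit key:
    E(k, m0||m1) = m0 || (k XOR m1)."""
    return [m[0], k[0] ^ m[1]]


def first_bit_adversary():
    """The adversary of slide 30: m0 = 0||0, m1 = 1||1, guess b' = first bit of c.
    Returned as a (choose, guess) pair so other adversaries can be plugged in."""
    choose = lambda: ([0, 0], [1, 1])
    guess = lambda c: c[0]
    return choose, guess


def semantic_security_game(enc, key_len, adversary, trials, seed=None):
    """Simulate the one-time-key game and return (P(W0), P(W1)), where
    W_b = 'the challenger picked b and the adversary output 0', conditioned on b."""
    rng = random.Random(seed)
    choose, guess = adversary
    picked = [0, 0]
    output_zero = [0, 0]
    for _ in range(trials):
        m0, m1 = choose()                                   # step 1: A picks m0, m1
        assert len(m0) == len(m1), "messages must have the same length"
        k = [rng.randint(0, 1) for _ in range(key_len)]     # step 2: C picks k ...
        b = rng.randint(0, 1)                               # ... and a uniform bit b
        c = enc(k, (m0, m1)[b])                             # c = E(k, m_b)
        picked[b] += 1
        if guess(c) == 0:                                   # step 3: A outputs b'
            output_zero[b] += 1
    return tuple(output_zero[b] / picked[b] if picked[b] else 0.0 for b in (0, 1))


def advantage(enc, key_len, adversary, trials, seed=None):
    """Adv_sem.sec.[A, E] = |P(W0) - P(W1)|, estimated by simulation."""
    p0, p1 = semantic_security_game(enc, key_len, adversary, trials, seed)
    return abs(p0 - p1)


if __name__ == "__main__":
    A = first_bit_adversary()
    print("advantage against the leaky cipher:", advantage(leaky, 1, A, 1000, seed=1))   # 1.0
    print("advantage against the OTP:", advantage(otp, 2, A, 4000, seed=1))              # ~0
```

Against the leaky cipher the first ciphertext bit equals b, so the simulation reproduces the slide's P(W_0) - P(W_1) = 1 - 0 = 1 exactly; against the OTP the same adversary sees a uniformly random first bit and its estimated advantage is a small sampling error around 0. A simulation can only exhibit an attack, never prove security, but it is a quick way to check that the adversary you wrote for an exercise really does what the proof claims.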

Before Thursday: say which exercises you want to see solved during the exercise lecture next Friday! We opened a questionnaire (code WMPX442): have a look at the exercises, try to solve them and let us know which ones you would like us to solve together at the next exercise session.

References
- Chapters 2.1, 2.2, 7.1 + read up about semantic security
- Chapters 1.4, 2 and 3.3.1, e.g. in https://people.eecs.berkeley.edu/~luca/cs276/lecture02.pdf

What we will see next time! (lec03: Block Ciphers (DES & AES))

[Figure: AES, the Advanced Encryption Standard. Encryption/decryption of 128-bit blocks (4x4 bytes) over (K, M, C), with 128-bit ciphertexts; key expansion (e.g. a PRG) of the key k into 11 round keys k_0, ..., k_10 of 128 bits; round operations SubBytes, ShiftRow, MixColumn, AddRoundKey; 9, 11 or 13 rounds depending on the key size (128, 192 or 256 bits).]

[Figure: DES, the Data Encryption Standard. Encryption/decryption of 64-bit blocks over (K, M, C), with 64-bit ciphertexts: plaintext input → initial permutation IP → (L_0, R_0) → 16 rounds of Feistel networks with round functions f_i (see next slide) → (L_16, R_16) → inverse of IP (IP^-1) → ciphertext; 56-bit key k, key expansion (e.g. a PRG) into 16 keys k_1, ..., k_16 of 48 bits.]

Modes of operation: CBC (Cipher Block Chaining). Let (E, D) be a cipher. The CBC block cipher is defined as follows: E(k, m): pick a random IV ∈ {0,1}^n (Initialisation Vector; think of it as a number/string) and encrypt the message block by block with the random IV. Each cipher block is chained to the previous one. The ciphertext is longer than the plaintext because of the IV.