ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Clarification about attacker power Block ciphers used to encode messages longer than block size In security games, attacker can only do efficient operations Needs to be done correctly to preserve security Importantly: attacker cannot search through all bitstrings, as the Will look at five ways of doing this number of possible bistrings increases exponentially with the length Formally: attacker is probabibilistic polynomial Turing machine Eike Ritter Cryptography 2013/14 60 Eike Ritter Cryptography 2013/14 61 ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes ECB Simplest way: Apply the encryption block by block (Electronic Codebook mode, ECB) Source: Wikipedia Cipher vulnerable: identical blocks produce identical ciphertexts No protection against deletion or insertion of blocks Source: Wikipedia Eike Ritter Cryptography 2013/14 62 Eike Ritter Cryptography 2013/14 63
ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes CBC One solution: Add random initialisation vector to start off encryption and use previous result Source: Wikipedia Secure if correctly used (precise specification: next lecture) encryption cannot be parallelised Source: Wikipedia Eike Ritter Cryptography 2013/14 64 Eike Ritter Cryptography 2013/14 65 ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes CTR Avoids re-use of previous results by careful choice of random element for each block Choose nonce and increase counter for each block Source: Wikipedia Also secure if correctly used (more later) Encryption and decryption parallelisable Source: Wikipedia Eike Ritter Cryptography 2013/14 66 Eike Ritter Cryptography 2013/14 67
ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Cryptomeria cipher Proper definition of security for Block Cipher Modes used for DVD-Videos Cannot reuse definition for block cipher successor to CSS Reason: Modes will not swap positions of bits arbitrarily algorithm public, except for S-box Need weaker notion. 10 round Feistel cipher Key size 56 bits, block size 64 bits Brute force attacks have succeeded against it Eike Ritter Cryptography 2013/14 68 Eike Ritter Cryptography 2013/14 69 ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Attacker Definition Challenger Let ( E , D ) be a block cipher mode with encryption function E and r → K k decryption function D . We define the indistinguishability under m ′ 1 , . . . , m ′ n chosen-plaintext game between the challenger and the attacker as follows: E ( k , m ′ 1 ) , . . . , E ( k , m ′ n ) The challenger generates a key k at random. The attacker performs a polynomial number of computations. It may ask the challenger for the encryption of a polynomial m 0 , m 1 number of arbitrary messages The attacker submits two messages m 0 and m 1 to the r b → { 0 , 1 } challenger The challenger selects a bit b ∈ { 0 , 1 } at random E ( k , M b ) The challenger returns the encryption of m b to the attacker b ′ The attacker performs a polynomial number of computations and outputs a bit b ′ Eike Ritter Cryptography 2013/14 70 Eike Ritter Cryptography 2013/14 71 ′
ECB ECB CBC CBC CTR CTR Cryptomeria cipher Cryptomeria cipher Security for Block ciper modes Security for Block ciper modes Intuitively, we call a block cipher mode secure if the attacker can Theorem only guess the bit b , ie wins the game half the time. If ( E , D ) is a block cipher with key space X, the advantage of the Definition attacker in the IND-CPA game for CBC is Let Pr [ b = b ′ ] be the probability that the attacker wins the 2 q 2 L 2 IND-CPA-game, taken over all encryption keys of length n and all + 2 Adv | X | bits b . A block cipher mode satisfies indistinguishability under chosen-plaintext attack (IND-CPA) if where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the � � Pr [ b = b ′ ] − 1 � � � advantage of the attacker in the game for the secure block cipher. � � 2 � For AES: must change key after using 2 24 message of length 2 24 is negligible. 1 each to obtain advantage of 2 32 Eike Ritter Cryptography 2013/14 72 Eike Ritter Cryptography 2013/14 73 ECB CBC CTR Cryptomeria cipher Security for Block ciper modes Theorem If ( E , D ) is a block cipher with key space X, the advantage of the attacker in the IND-CPA game for counter mode is 2 q 2 L | X | + 2 Adv where q is the number of messages encrypted with the same key k and L is the maximal length of each message, and Adv is the advantage of the attacker in the game for the secure block cipher. For AES: must change key after using 2 32 message of length 2 32 1 each to obtain advantage of 2 32 . Eike Ritter Cryptography 2013/14 74
Recommend
More recommend