
The Security of Ciphertext Stealing
Phillip Rogaway (1), Mark Wooding (2), Haibin Zhang (1)
(1) Department of Computer Science, University of California at Davis
(2) Thales e-Security Ltd
March 20, 2012


Slide 7 of 21: Security of ciphertext stealing

Theorem. Let $\mathcal{E}$ be any of $\text{CBC-CS1}[\mathrm{Perm}(b)]$, $\text{CBC-CS2}[\mathrm{Perm}(b)]$ or $\text{CBC-CS3}[\mathrm{Perm}(b)]$, and suppose adversary $A$ asks queries totalling at most $\sigma$ blocks. Then
$$\mathrm{Adv}^{\mathrm{ind\$}}_{\mathcal{E}}(A) \le \sigma^2 / 2^b .$$

Proof idea
- Factor $\text{CBC-CS}n^{IV}_K(m) = \mathrm{POST}_n^{|m|}\bigl(\mathrm{CBC}^{IV}_K(\mathrm{PRE}(m))\bigr)$.
- Observe that $\mathrm{POST}_n$ preserves the uniform distribution.
- Show a reduction from CBC security.
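As an added illustration of the factorisation on this slide (example code, not the paper's), the following Python writes out PRE, CBC and POST_n for the three NIST variants over a toy 16-bit keyed permutation standing in for Perm(b), and the matching decryption shows why the zero padding lets the receiver recover the stolen tail of the penultimate block. The toy cipher, the block size and the sample message are constructed assumptions.

```python
from secrets import randbits

B = 16          # toy block size b in bits (constructed; real ciphers use b = 128)
MASK = (1 << B) - 1

def E(k, x):
    # Toy keyed permutation on B-bit blocks standing in for Perm(b); NOT a real blockcipher.
    return ((2 * k + 1) * x + (k >> 3)) & MASK

def D(k, y):
    # Inverse of E: multiply by the modular inverse of the odd multiplier.
    return (pow(2 * k + 1, -1, 1 << B) * (y - (k >> 3))) & MASK

def bits(v):
    return format(v, f"0{B}b")

def pre(m):
    # PRE: zero-pad the bitstring m to a multiple of B bits.
    return m + "0" * (-len(m) % B)

def cbc(k, iv, m):
    # Plain CBC over a block-aligned bitstring; returns the ciphertext blocks as ints.
    out, prev = [], iv
    for i in range(0, len(m), B):
        prev = E(k, int(m[i:i + B], 2) ^ prev)
        out.append(prev)
    return out

def post(n, mlen, c):
    # POST_n^{|m|}: truncate the penultimate block to d = |m| mod B bits (dropping the
    # padding) and order the last two blocks: CS1 never swaps, CS2 swaps only when the
    # final block is partial, CS3 always swaps.
    d = mlen % B or B
    c = [bits(x) for x in c]
    if len(c) == 1:
        return c[0]
    pen, last = c[-2][:d], c[-1]
    swap = n == 3 or (n == 2 and d < B)
    return "".join(c[:-2] + ([last, pen] if swap else [pen, last]))

def cbc_cs_encrypt(n, k, iv, m):
    # The slide's factorisation: CBC-CSn_K^IV(m) = POST_n^{|m|}(CBC_K^IV(PRE(m))).
    assert len(m) >= B, "ciphertext stealing needs at least one whole block"
    return post(n, len(m), cbc(k, iv, pre(m)))

def cbc_cs_decrypt(n, k, iv, c):
    # Undo POST_n, recover the stolen tail of C_{n-1} from D_K(C_n), then CBC-decrypt.
    mlen = len(c)
    d = mlen % B or B
    nblk = -(-mlen // B)
    if nblk == 1:
        return bits(D(k, int(c, 2)) ^ iv)
    head, rest = c[:(nblk - 2) * B], c[(nblk - 2) * B:]
    if n == 3 or (n == 2 and d < B):
        last, pen = rest[:B], rest[B:]
    else:
        pen, last = rest[:d], rest[d:]
    x = D(k, int(last, 2))           # = C_{n-1} xor (P_n* || 0^{B-d})
    pen_full = pen + bits(x)[d:]     # the zero padding exposes the stolen tail of C_{n-1}
    blocks = [int(head[i:i + B], 2) for i in range(0, len(head), B)] + [int(pen_full, 2)]
    p, prev = "", iv
    for cb in blocks:
        p += bits(D(k, cb) ^ prev)
        prev = cb
    return p + bits(x ^ int(pen_full, 2))[:d]

if __name__ == "__main__":
    k, iv = randbits(B), randbits(B)
    m = "1" * B + "0" * (B - 1)      # constructed: one bit short of two blocks
    for n in (1, 2, 3):
        c = cbc_cs_encrypt(n, k, iv, m)
        print(f"CBC-CS{n}: |c| == |m|: {len(c) == len(m)}, round trip: {cbc_cs_decrypt(n, k, iv, c) == m}")
```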

Slide 8 of 21: Insecurity of the Meyer–Matyas scheme

[Figure: the NIST CBC ciphertext stealing schemes, for comparison. Plaintext blocks $P_1, P_2, P_3$ and the zero-padded partial block $P_4^*$ are each XORed with the previous ciphertext block (the IV for $P_1$) and passed through $E_K$, giving $C_1, C_2, C_3^*, C_3^{**}, C_4$.]
The NIST CBC ciphertext stealing schemes, for comparison.

[Figure: the Meyer–Matyas ciphertext stealing scheme. The final block $C_3^{**} \,\|\, P_4^*$ is passed straight through $E_K$ with no XOR.]
The Meyer–Matyas ciphertext stealing scheme. There's no chaining into the final partial block.

- Start with a message $m$ which is 1 bit short of two whole blocks: $P_1$ is $b$ bits long and $P_2^*$ is $b-1$ bits long.
- The first block is whitened with a fresh random IV and fed through the blockcipher, giving $C_1$.
- The second block is padded by prefixing with the final bit $r$ of the previous ciphertext block, and then fed through the blockcipher, giving $C_2$. The ciphertext is $C_1^* \,\|\, C_2$, where $C_1^*$ is $C_1$ with the stolen bit $r$ removed.
- But there are only two possible values for $r$. If we do this twice, we expect the $C_2$ values to be equal with probability at least $1/2$.

The adversary
- Our adversary starts with such a message: $m = 1^b \,\|\, 0^{b-1}$.
- It asks its encryption oracle to encrypt it, getting a ciphertext $c$: $IV \xleftarrow{\$} \mathcal{IV}$, $c \leftarrow \mathcal{E}^{IV}_K(m)$.
- Then it asks to encrypt the same message again, getting a new ciphertext $c'$ under a fresh $IV'$.
- The adversary declares 'real' if the last $b$ bits of $c$ and $c'$ are equal: $\mathrm{LSB}_b(c) = \mathrm{LSB}_b(c')$?
- $\mathrm{Adv}^{\mathrm{ind\$}}_{\text{CBC-CSX}}(A) = \Pr[A^{\mathrm{Real}(\cdot)} \Rightarrow 1] - \Pr[A^{\mathrm{Fake}(\cdot)} \Rightarrow 1]$.
- If this is indeed the real game, we've just seen that they're equal with probability at least $1/2$, so $\mathrm{Adv}^{\mathrm{ind\$}}_{\text{CBC-CSX}}(A) \ge 1/2 - \Pr[A^{\mathrm{Fake}(\cdot)} \Rightarrow 1]$.
- If this is the fake game, then the ciphertexts are simply random strings: $c \xleftarrow{\$} \{0,1\}^{|m|}$. So they're equal with probability exactly $1/2^b$, and
$$\mathrm{Adv}^{\mathrm{ind\$}}_{\text{CBC-CSX}}(A) \ge \frac{1}{2} - \frac{1}{2^b}.$$
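To make the slide's argument concrete, here is an added Python model (not the authors' code) of the two-block case over a toy 16-bit keyed permutation: under a fresh IV each time, the Meyer–Matyas final block can take at most two values, whereas the NIST construction chains $C_1$ into the final block. The collision probability is computed exactly over all IVs rather than sampled; the toy cipher and the block size are constructed assumptions.

```python
from fractions import Fraction

B = 16                      # toy block size b in bits (constructed)
MASK = (1 << B) - 1

def E(k, x):
    # Toy keyed permutation standing in for Perm(b); NOT a real blockcipher.
    return ((2 * k + 1) * x + (k >> 3)) & MASK

def bits(v):
    return format(v, f"0{B}b")

def encrypt_two_blocks(k, iv, m, chain_final):
    # Encrypt m = P_1 || P_2* with |P_1| = B and 0 < |P_2*| = d < B.
    # chain_final=False models Meyer-Matyas: the padded final block goes straight into E_K.
    # chain_final=True models the NIST CBC-CS schemes: zero-pad, then XOR with C_1.
    p1, p2 = int(m[:B], 2), m[B:]
    d = len(p2)
    c1 = E(k, p1 ^ iv)                     # first block whitened with the IV
    if chain_final:
        x = int(p2 + "0" * (B - d), 2) ^ c1
    else:
        x = int(bits(c1)[d:] + p2, 2)      # prefix the stolen tail of C_1 (the bit r), no chaining
    c2 = E(k, x)
    return bits(c1)[:d] + bits(c2)         # C_1* || C_2, exactly |m| bits

def collision_probability(k, m, chain_final):
    # Exact Pr[LSB_B(c) = LSB_B(c')] for two encryptions of m under independent uniform IVs,
    # i.e. the sum over final-block values v of Pr[C_2 = v]^2. Also returns how many
    # distinct final blocks occur.
    counts = {}
    for iv in range(1 << B):
        last = encrypt_two_blocks(k, iv, m, chain_final)[-B:]
        counts[last] = counts.get(last, 0) + 1
    p_iv = Fraction(1, 1 << B)
    return sum((c * p_iv) ** 2 for c in counts.values()), len(counts)

def adversary_advantage(p_real):
    # Adv^{ind$}(A) = Pr[A^Real => 1] - Pr[A^Fake => 1]. In the fake game c and c' are
    # uniform |m|-bit strings, so their last B bits agree with probability exactly 2^-B.
    return p_real - Fraction(1, 1 << B)

if __name__ == "__main__":
    k = 12345                              # constructed key
    m = "1" * B + "0" * (B - 1)            # the slide's message 1^b || 0^{b-1}
    for name, chain in (("Meyer-Matyas", False), ("NIST CBC-CS", True)):
        p, distinct = collision_probability(k, m, chain)
        print(f"{name}: {distinct} distinct final blocks, collision probability {p}, "
              f"advantage {adversary_advantage(p)}")
```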

Slide 9 of 21: Outline

1 Ciphertext stealing: Description; Symmetric encryption schemes; Security of ciphertext stealing; Insecurity of the Meyer–Matyas scheme
2 Online encryption: Definitions; Delayed CBC; Ciphertext stealing redux

Slide 10 of 21: Background

Idea
- Conventional definitions treat encryption as processing an entire message in one go.
- In real life, messages are often processed in chunks: keys held by memory-constrained devices; reducing end-to-end latency.
- We should have definitions which capture this behaviour so that we can analyse the security of schemes.

History
- Blockwise-adaptive attacks: [Bellare, Kohno, Namprempre 2002], [Joux, Martinet, Valette 2002], [Fouque, Martinet, Poupard 2003], [Fouque, Joux, Poupard 2004], [Bard 2007].
- Our stream-based approach follows [Gennaro, Rohatgi 1997].

Slide 11 of 21: How it looks

- Suppose we have a plaintext message $P$. Maybe we don't even know all of it yet.
- Split it into chunks $P_1, P_2, \ldots$ of arbitrary sizes.
- Sample an initial state ('initialization vector') $V_0$ appropriate for the encryption scheme.
- Feed the first plaintext chunk to the encryption scheme: $(C_1, V_1) \leftarrow \mathcal{E}^{V_0,0}_K(P_1)$. It gives us a ciphertext chunk $C_1$; in general, $C_1$ might not be the same length as $P_1$. It also gives us a state $V_1$.
- We can feed the next plaintext chunk $P_2$ to the encryption scheme, along with the previous state $V_1$: $(C_2, V_2) \leftarrow \mathcal{E}^{V_1,0}_K(P_2)$. We get a ciphertext chunk $C_2$ and a new state $V_2$.
- And so on. Indicate to the encryption scheme when there are no more chunks to process; in the figure the final call is $(C_3, V_3) \leftarrow \mathcal{E}^{V_2,1}_K(P_3)$, with the flag set to 1.

Slide 12 of 21: What's new about our definition

- We don't depend on chunks being single blocks, or aligned to block boundaries.
- Indeed, we don't assume there's a blockcipher involved at all.
- Security is defined in terms of indistinguishability from random strings of appropriate lengths.

Slide 13 of 21: Definitions: online encryption

Online encryption syntax. We define online encryption schemes as functions
$$\mathcal{E} : \mathcal{K} \times \mathcal{V} \times \{0,1\} \times \{0,1\}^* \to \{0,1\}^* \times \mathcal{V}, \qquad (C_i, V_i) \leftarrow \mathcal{E}^{V_{i-1},\delta}_K(P_i).$$
- $\mathcal{K}$ is the key space. We require that it be finite.
- $\mathcal{V} \subseteq \bigcup_{0 \le i < v} \{0,1\}^i$ is the state space.
- $\delta \in \{0,1\}$ is the end-of-message indicator: 0 means more chunks are coming; 1 means this is the last one.
- Also a message space $\mathcal{P} \subseteq \{0,1\}^*$ and IV space $\mathcal{IV} \subseteq \mathcal{V}$.

Well-formedness requirements
- Ciphertexts: the ciphertext is always the same whichever way you split up the plaintext.
- Invertibility: ciphertexts can be decrypted uniquely.
- Lengths: the lengths of ciphertext chunks depend only on the history of plaintext lengths.

Slide 14 of 21: Online encryption security: IND$

Initialization: $V_i \xleftarrow{\$} \mathcal{IV}$ for $i \in \mathbb{N}$.
- The adversary submits message chunks and a 'done' flag to an oracle, which returns ciphertext chunks: on query $(i, m, \delta)$ the Real oracle computes $(c, V_i) \leftarrow \mathcal{E}^{V_i,\delta}_K(m)$ and returns $c$.
- ... or maybe it just returns random strings of the right length: the Fake oracle computes the same $(c, V_i)$ but returns $c' \xleftarrow{\$} \{0,1\}^{|c|}$.
- We'd like these to be hard to distinguish, even when the adversary can contribute to multiple messages concurrently (the index $i$ selects which message a chunk extends).
- The adversary's advantage measures how well he can distinguish between these two games:
$$\mathrm{Adv}^{\mathrm{IND\$}}_{\mathcal{E}}(A) = \Pr[A^{\mathrm{Real}(\cdot)} \Rightarrow 1] - \Pr[A^{\mathrm{Fake}(\cdot)} \Rightarrow 1].$$

Slide 15 of 21: CBC online, wrong version

- We're given a plaintext chunk $P$.
- In general, we have a partial plaintext $P_0$ left over from the previous call. Tack this on the front.
- And split the plaintext into blocks $P_1, P_2, P_3$. There'll be a bit $P^*$ left over.
- Encrypt the whole blocks using CBC mode, using an IV $C_0$ maintained in the state, giving $C_1, C_2, C_3$.
- The new state is the last ciphertext block $C_3$, and the leftover bit of plaintext $P^*$.

Slide 16 of 21: CBC online, insecurity of the wrong version

Of course, this is insecure. The adversary learns the IV to be used to encrypt the next plaintext chunk as part of this ciphertext.

Suppose this is $V$; suppose also that the adversary guesses that the plaintext corresponding to some ciphertext $C_i$ is $P^*$, i.e., that $C_i = E_K(P^* \oplus C_{i-1})$. So he arranges for the first block encrypted as part of the next plaintext chunk to be $P^* \oplus V \oplus C_{i-1}$. If the resulting ciphertext is $C_i$ then his guess is confirmed.

It's sufficient to hold one block back [FMP03]. Intuition: CBC output is indistinguishable from random data, so the last block should be unpredictable, which is sufficient for security.

Slide 17 of 21: Delayed CBC [FMP03]

- The state looks the same: previous ciphertext block $C_0$, and leftover plaintext $P_0$.
- Prefix the leftover plaintext to the new chunk, split into blocks $P_1, P_2, P_3$ (with $P^*$ left over), and encrypt, giving $C_1, C_2, C_3$.
- We must output the previous-ciphertext block $C_0$. We shouldn't output the last new ciphertext block $C_3$, just store it for later.
- And we keep the leftover piece of plaintext $P^*$.

Slide 18 of 21: Delayed CBC with ciphertext stealing

- So, we've got to the end of a message, and we've not filled up the last block $P^*$.
- So we pad it with zero bits, XOR it with the held-back block $C_3$, and encrypt it, giving $C_4$.
- The recipient can recover the tail $C_3^{**}$ of the next-to-last ciphertext block by decrypting the final one, so only $C_3^*$ needs to be sent.
- Again, there are variants which differ in how they order the last two ciphertext blocks.

Slide 19 of 21: Delayed CBC with ciphertext stealing

This is actually the natural implementation. You have to hold back the last ciphertext block anyway, because you might have to truncate it. Indeed, for DCBC-CS3, you sometimes have to hold back two ciphertext blocks.
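Delayed CBC with ciphertext stealing written as an online scheme in the syntax of slide 13, as an added Python example (not the paper's code) that covers slides 17 to 19: the state carries the held-back ciphertext block and the leftover plaintext, and encrypting the same message under different chunkings yields the same ciphertext, which is the first well-formedness requirement. It implements DCBC-CS1 and DCBC-CS2; DCBC-CS3, which sometimes needs two blocks held back, is left out. The toy permutation, the block size and the convention that the IV is conveyed separately rather than as part of the ciphertext are assumptions.

```python
from secrets import randbits

B = 16                     # toy block size in bits (constructed)
MASK = (1 << B) - 1

def E(k, x):
    # Toy keyed permutation standing in for the blockcipher; NOT a real cipher.
    return ((2 * k + 1) * x + (k >> 3)) & MASK

def bits(v):
    return format(v, f"0{B}b")

def initial_state(iv):
    # V_0 = (chain, held, leftover): the chaining value starts as the IV (assumed to be
    # conveyed separately, not part of the ciphertext), nothing is held back yet, and
    # no plaintext is left over.
    return (iv, False, "")

def dcbc_cs_step(k, V, delta, chunk, n=2):
    # One online call (C_i, V_i) <- E_K^{V_{i-1}, delta}(P_i) for delayed CBC with
    # ciphertext stealing, variants DCBC-CS1 (n=1) and DCBC-CS2 (n=2).
    chain, held, buf = V
    buf += chunk
    out = []
    nfull = len(buf) // B
    for i in range(0, nfull * B, B):
        if held:                       # release the block held back so far ...
            out.append(bits(chain))
        chain, held = E(k, int(buf[i:i + B], 2) ^ chain), True   # ... and hold the new one
    rem = buf[nfull * B:]              # leftover plaintext, fewer than B bits
    if delta == 0:
        return "".join(out), (chain, held, rem)
    if rem and not held:
        raise ValueError("ciphertext stealing needs at least one whole block")
    if rem == "":                      # message ends on a block boundary: plain CBC
        if held:
            out.append(bits(chain))
    else:                              # final partial block: pad with zeros, chain, steal
        d = len(rem)
        last = E(k, int(rem + "0" * (B - d), 2) ^ chain)
        stolen = bits(chain)[:d]       # C*_{n-1}: the tail is recoverable from D_K(last)
        out += [bits(last), stolen] if n == 2 else [stolen, bits(last)]
    return "".join(out), (None, False, "")   # terminal state (constructed convention)

def encrypt_chunked(k, iv, chunks, n=2):
    # Drive the online scheme over a list of chunks, flagging the last one with delta = 1.
    V, c = initial_state(iv), ""
    for i, p in enumerate(chunks):
        out, V = dcbc_cs_step(k, V, int(i == len(chunks) - 1), p, n)
        c += out
    return c

if __name__ == "__main__":
    k, iv = randbits(B), randbits(B)
    m = "1" * B + "0" * (B - 1) + "1" * B          # constructed: three blocks minus one bit
    splits = [[m], [m[:B], m[B:]], [m[:5], m[5:20], m[20:]], [m[:B], m[B:2 * B - 1], m[2 * B - 1:], ""]]
    cts = {encrypt_chunked(k, iv, s) for s in splits}
    print("chunking-independent:", len(cts) == 1, "|c| == |m|:", len(cts.pop()) == len(m))
```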
