Cryptography - PowerPoint PPT Presentation

1
Cryptography
  • Lecture 3
  • Stefan Dziembowski
  • www.dziembowski.net
  • stefan_at_dziembowski.net

2
Plan
  • Encryption of multiple messages.
  • Stream ciphers
  • Block ciphers (an introduction)
  • Some images in this document are taken from
    Wikipedia, the free encyclopedia.

3
On the previous lecture
  • cryptographic PRGs
  • semantically-secure encryption
4
Multiple messages
Alice and Bob share a key k; Eve sees every
ciphertext that Alice sends to Bob:
  c0 = Enc(k,m0)
  c1 = Enc(k,m1)
  c2 = Enc(k,m2)
  . . .
5
A chosen-plaintext attack (CPA)
security parameter 1^n
oracle:
  1. selects random k ← Gen(1^n)
  2. chooses a random b ∈ {0,1}
adversary: chooses m1, sends it to the oracle and
receives c1 = Enc(k,m1)
  . . .
adversary: chooses mt, sends it and receives
ct = Enc(k,mt)
challenge phase: adversary chooses m0,m1, sends both
and receives c = Enc(k,mb)
the interaction continues . . .
adversary has to guess b
6
CPA-security
Alternative name: CPA-secure
  • Security definition
  • We say that (Gen,Enc,Dec) has indistinguishable
    encryptions under a chosen-plaintext attack (CPA)
    if any randomized polynomial time adversary
    guesses b correctly with probability at most
    0.5 + ε(n), where ε is negligible.
  • Observation
  • Every CPA-secure encryption has to be
    randomized, or have a state.

7
CPA in real-life
  • Q: Aren't we too pessimistic?
  • A: No! CPA can be implemented in practice.

A historical example: the battle of Midway (1942)
The Americans suspected that Enc(Midway island) = NF.
Midway was made to send, in the clear, "we are
running out of water"; the intercepted Japanese
ciphertext that followed reported that NF was
running out of water. BINGO!
8
How to encrypt multiple messages using
pseudorandom generators?
  • Of course we cannot just reuse the same seed
  • (remember the problem with the one-time pad?)
  • It is not just a theoretical problem!

9
Misuse of RC4 in Microsoft Office [Hongjun Wu, 2005]
RC4: a popular PRG (or a stream cipher)
Microsoft Strong Cryptographic Provider (encryption
in Word and Excel, Office 2003): the seed s is a
function of a password and an initialization
vector. These values do not change between the
different versions of the document! Suppose Alice
and Bob work together on some document, so two
versions m and m' get encrypted under the same
seed:
  Enc(k,m) and Enc(k,m')
The adversary can compute m xor m'.
10
What to do?
  • There are two solutions:
  • The synchronized mode
  • The unsynchronized mode

11
Synchronized mode
  • G: {0,1}^n → {0,1}^(very large) is a PRG.

G(s) is computed on the fly; consecutive pieces of
G(s) are XORed with m0, m1, m2, m3, . . . giving
c0, c1, c2, c3, . . .
Disadvantage: Alice and Bob need to know how much
of G(s) was already used.
12
Unsynchronized mode
Idea: Randomize the encryption procedure. Assume
that G takes as an additional input an
initialization vector (IV). The Enc algorithm
selects a fresh random IVi for each message
mi. Later, IVi is included in the ciphertext:
  Enc(s,mi) = (IVi, G(IVi,s) xor mi)
13
We need an augmented PRG
  • We need a PRG such that the adversary cannot
    distinguish G(IV,s) from a random string even if
    she knows IV and some pairs
  • (IV0,G(IV0,s)), (IV1,G(IV1,s)), (IV2,G(IV2,s)),
    . . .
  • where s,IV,IV0,IV1,IV2,... are random.

The distinguishing game: the adversary is given IV,
the pairs (IV0,G(IV0,s)), (IV1,G(IV1,s)),
(IV2,G(IV2,s)), . . . and a string that is either
G(IV,s) or a random R, and has to tell which one it
is; she should not succeed with a non-negligible
advantage.
14
How to construct such a PRG?
  • An old-fashioned approach:
  • take a standard PRG G
  • set G'(IV,s) = G(H(IV,s))
  • where H is a hash-function (we will define
    cryptographic hash functions later); often H
    just concatenates IV and s
  • A more modern approach:
  • design such a G from scratch.
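The two situations above (the fixed-IV failure of the Office 2003 slide, and the unsynchronized mode with G'(IV,s) = G(H(IV,s))), as an added Python example that is not part of the lecture; the PRG is instantiated here with SHA-256 in counter mode, which is this example's assumption, not the lecture's choice.

```python
import hashlib
import os

# Added example (not the lecture's code): G'(IV, s) = G(H(IV, s)) in the style of
# the slide above, with SHA-256 in counter mode standing in for the PRG G (an
# assumption of this example; any cryptographic PRG with an IV input would do).
def keystream(seed: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_fixed_iv(seed: bytes, iv: bytes, m: bytes) -> bytes:
    # The Office 2003 situation: the IV never changes, so every version of
    # the document is XORed with the very same keystream.
    return xor(m, keystream(seed, iv, len(m)))

def enc_fresh_iv(seed: bytes, m: bytes) -> tuple:
    # Unsynchronized mode: Enc(s, m) = (IV, G'(IV, s) xor m) with a fresh
    # random IV for every message, shipped alongside the ciphertext.
    iv = os.urandom(16)
    return iv, xor(m, keystream(seed, iv, len(m)))

def dec_fresh_iv(seed: bytes, iv: bytes, c: bytes) -> bytes:
    return xor(c, keystream(seed, iv, len(c)))

def reuse_leaks_xor(seed: bytes, iv: bytes, m1: bytes, m2: bytes) -> bool:
    # What Eve can compute from two ciphertexts under the same stream:
    # c1 xor c2 = m1 xor m2, without knowing the seed at all.
    c1, c2 = enc_fixed_iv(seed, iv, m1), enc_fixed_iv(seed, iv, m2)
    return xor(c1, c2) == xor(m1, m2)

def fresh_iv_leaks_xor(seed: bytes, m1: bytes, m2: bytes) -> bool:
    # With independent IVs the two streams are unrelated, so the XOR of the
    # ciphertexts says nothing about m1 xor m2.
    (_, c1), (_, c2) = enc_fresh_iv(seed, m1), enc_fresh_iv(seed, m2)
    return xor(c1, c2) == xor(m1, m2)

if __name__ == "__main__":
    s = b"constructed-seed"                       # constructed sample values
    v1 = b"Dear Bob, the meeting is on Monday."
    v2 = b"Dear Bob, the meeting is on Friday."
    print("same IV leaks m1 xor m2:", reuse_leaks_xor(s, b"\0" * 16, v1, v2))
    print("fresh IVs leak m1 xor m2:", fresh_iv_leaks_xor(s, v1, v2))
```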
15
Constructions of PRGs
  • A theoretical result: a PRG can be constructed
    from any one-way function [Håstad, Impagliazzo,
    Levin, Luby: A Pseudorandom Generator from any
    One-way Function] (very elegant, impractical,
    inefficient)
  • Based on hardness of some number-theoretic
    problems, e.g. [Lenore Blum, Manuel Blum, and
    Michael Shub: A Simple Unpredictable
    Pseudo-Random Number Generator] (elegant, more
    efficient, still rather impractical)
  • Stream ciphers (ugly, very efficient, widely
    used in practice)

16
Popular stream ciphers
  • RC4 (not very secure)
  • A5/1 and A5/2 (used in GSM; completely broken)
  • ...
  • Competitions for new stream ciphers:
  • NESSIE (New European Schemes for Signatures,
    Integrity and Encryption, 2000-2003) project
    failed to select a new stream cipher (all 6
    candidates were broken)
  • (where "broken" can mean e.g. that one can
    distinguish the output from random after seeing
    2^36 bytes of output)
  • eStream project (November 2004 - May 2008) will
    soon announce the winners
17
RC4
  • Designed by Ron Rivest (RSA Security) in 1987.
    RC4 = Rivest Cipher 4, or Ron's Code 4.
  • Trade secret, but in September 1994 its
    description leaked to the internet.
  • For legal reasons sometimes it is called
    "ARCFOUR" or "ARC4".
  • Used in WEP and WPA and TLS.
  • Very efficient and simple, but has some security
    flaws

18
RC4: an overview
note: no IV
  • key k, |k| = 40-256 bits
  • key-scheduling algorithm (KSA): initializes the
    array S (256 bytes) from k
  • two indices i, j into S
  • in each round S is updated and 1 byte is output
    (this is called the pseudo-random generation
    algorithm (PRGA))
19
RC4
  • KSA (don't read it!)
      for i from 0 to 255
          S[i] := i
      endfor
      j := 0
      for i from 0 to 255
          j := (j + S[i] + key[i mod keylength]) mod 256
          swap(S[i], S[j])
      endfor
  • PRGA
      i := 0
      j := 0
      while GeneratingOutput
          i := (i + 1) mod 256
          j := (j + S[i]) mod 256
          swap(S[i], S[j])
          output S[(S[i] + S[j]) mod 256]
      endwhile
20
Problems with RC4
  1. Doesn't have a separate IV.
  2. It was discovered that some bytes of the output
     are biased. [Mantin, Shamir, 2001]
  3. First few bytes of output sometimes leak some
     information about the key. [Fluhrer, Mantin and
     Shamir, 2001] Recommendation: discard the first
     768-3072 bytes.
  4. Other weaknesses are also known...
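The KSA and PRGA from the previous slide, as an added Python example that is not the lecture's code, used here to measure the Mantin-Shamir bias from point 2: over many constructed keys, the second keystream byte is 0 about twice as often as a uniform byte would be. The `skip` parameter is this example's way of applying the "discard the first bytes" recommendation.

```python
import hashlib

# Added example (not the lecture's code): RC4 as on the slide, plus a
# measurement of the second-byte bias (Mantin, Shamir 2001).
def rc4_ksa(key: bytes) -> list:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_prga(S: list, n: int) -> bytes:
    # Generates n keystream bytes, updating the state S in place.
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4(key: bytes, data: bytes, skip: int = 0) -> bytes:
    # Encryption and decryption are the same XOR with the keystream; 'skip'
    # discards the first keystream bytes, as the slide recommends.
    ks = rc4_prga(rc4_ksa(key), skip + len(data))[skip:]
    return bytes(a ^ b for a, b in zip(data, ks))

def second_byte_zero_rate(trials: int) -> float:
    # Fraction of keys whose second keystream byte is 0. An ideal PRG gives
    # 1/256; RC4 gives close to 2/256 (this is the Mantin-Shamir bias).
    zeros = 0
    for t in range(trials):
        key = hashlib.sha256(t.to_bytes(4, "big")).digest()[:16]  # constructed keys
        if rc4_prga(rc4_ksa(key), 2)[1] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3 (known test vector)
    print("P[2nd byte = 0] ~", second_byte_zero_rate(10000), "vs 1/256 =", 1 / 256)
```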

21
Use of RC4 in WEP
  • WEP = Wired Equivalent Privacy
  • Introduced in 1999, still widely used to protect
    WiFi communication.
  • How RC4 is used:
  • to get the seed, the key k is concatenated with
    the IV
  • old versions: |k| = 40 bits, |IV| = 24 bits
    (artificially weak because of the US export
    restrictions)
  • new versions: |k| = 104 bits, |IV| = 24 bits.

22
RC4 in WEP: problems with the key length
  • |k| = 40 bits is not enough: can be cracked
    using a brute-force attack
  • IV is changed for each packet. Hence |IV| = 24
    bits is also not enough:
  • assume that each packet has length 1500 bytes,
  • with 5 Mbps bandwidth the set of all possible IVs
    will be exhausted in half a day
  • Some implementations reset IV := 0 after each
    restart; this makes things even worse.
  • see Nikita Borisov, Ian Goldberg, David Wagner
    (2001). "Intercepting Mobile Communications: The
    Insecurity of 802.11"

23
RC4 in WEP: the weak IVs
  • Fluhrer, Mantin and Shamir, 2001 (we mentioned
    this attack already): for so-called weak IVs
    the key stream reveals some information about the
    key.
  • In response the vendors started to filter the
    weak IVs.
  • But then new weak IVs were discovered.
  • see e.g. Bittau, Handley, Lackey: The final nail
    in WEP's coffin.

24
These attacks are practical!
Fluhrer, Mantin and Shamir, 2001 attack:
using the Aircrack-ng tool one can break WEP in 1
minute (on a normal PC); see also Tews,
Weinmann, Pyshkin: Breaking 104 bit WEP in less
than 60 seconds, 2007.
25
How bad is the situation?
  • RC4 is still rather secure if used in a correct
    way.
  • Example:
  • Wi-Fi Protected Access (WPA), a successor of
    WEP
  • several improvements (e.g. 128-bit key and a
    48-bit IV).
  • Let's hope the eStream project will be a success!
  • List of the eStream finalists:
  • Profile 1 (ciphers for software applications):
    CryptMT, Dragon, HC, LEX, NLS, Rabbit, Salsa20,
    SOSEMANUK
  • Profile 2 (ciphers for hardware applications):
    DECIM, Edon80, F-FCSR, Grain, MICKEY, Moustique,
    Pomaranch, Trivium

26
Is there an alternative to the stream ciphers?
  • Yes!
  • the block ciphers

27
Let's start from scratch
  plaintext m --(encryption, key k)--> ciphertext c
  ciphertext c --(decryption, key k)--> plaintext m
Problem: the plaintexts m may be extremely long,
and therefore it may be hard to analyse security
of the cipher.
28
An idea!
  1. Design ciphers that work on small blocks (e.g. of
     length 128 bits)
  2. Then, build the real encryption schemes out of
     them.

  plaintext m --(encryption, key k)--> ciphertext c
  ciphertext c --(decryption, key k)--> plaintext m
This will be called a block cipher (warning: of
course, as a stand-alone cipher it is not
CPA-secure).
29
Block ciphers: an intuition
  • For F: {0,1}^* x {0,1}^* → {0,1}^*
  • let Fk(m) denote F(k,m).
  • A block cipher is a function F such that
  • it is a keyed permutation, i.e.
  • for every k the function Fk is a permutation on
    some {0,1}^n (for simplicity assume n = |k|).
  • for every k the functions Fk and Fk^-1 are
    efficiently computable.
  • for a random k and any m1,...,mt the values
    Fk(m1),...,Fk(mt) look random

30
How to formalize it?
  • Remember:
  • stream ciphers ↔ pseudorandom generators
  • We will have:
  • block ciphers ↔ pseudorandom permutations
  • Intuition:
  • a pseudorandom permutation
  • should not be distinguishable from
  • a completely random permutation.

31
Scenario 1
security parameter 1^n
oracle chooses a random k ∈ {0,1}^n.
distinguisher D sends queries and gets answers:
  m1 ∈ {0,1}^n  →  Fk(m1)
  m2 ∈ {0,1}^n  →  Fk(m2)
  . . .
  mt ∈ {0,1}^n  →  Fk(mt)
D outputs b ∈ {0,1}
32
Scenario 2
security parameter 1^n
oracle chooses a random function F: {0,1}^n →
{0,1}^n (this of course cannot be done
efficiently, but it doesn't matter)
distinguisher D sends queries and gets answers:
  m1 ∈ {0,1}^n  →  F(m1)
  m2 ∈ {0,1}^n  →  F(m2)
  . . .
  mt ∈ {0,1}^n  →  F(mt)
D outputs b ∈ {0,1}
33
Pseudorandom permutations: the definition
  • We say that a keyed permutation
  • F: {0,1}^* x {0,1}^* → {0,1}^*
  • is a pseudorandom permutation if
  • any polynomial-time randomized distinguisher D
  • cannot distinguish scenario 1 from scenario 2
    with a non-negligible advantage
  • That is:
  • |P(D outputs 1 in scenario 1) - P(D outputs 1
    in scenario 2)|
  • is negligible in n

34
How to construct such pseudorandom permutations?
  • Theoretical constructions: a pseudorandom
    permutation can be constructed from any one-way
    function.
  • Practical constructions: block ciphers.
  • Famous block ciphers:

                                                         key length       block length
  DES (1976) (Data Encryption Standard)                  56               64
  IDEA (1991) (International Data Encryption Algorithm)  128              64
  AES (1998) (Advanced Encryption Standard)              128, 192 or 256  128
  Other: Blowfish, Twofish, Serpent, ...

Practical security requirement: the best attack
should be the brute-force attack.
We will discuss these constructions on the next
lecture.
35
Block cipher modes of operation
  • Block ciphers cannot be used directly for
    encryption.
  • They are always used in some modes of
    operation:
  • Electronic Codebook (ECB) mode (not secure),
  • Cipher-Block Chaining (CBC) mode,
  • Output Feedback (OFB) mode,
  • Counter (CTR) mode,
  • . . .

36
Electronic Codebook mode
[figure: ECB encryption and decryption]
37
Electronic Codebook mode should not be used!
  • This mode was used in the past.
  • It is not secure, and should not be used.
  • Example: [figure: an image encrypted in ECB mode]
38
Cipher-Block Chaining (CBC)
(a random value that becomes part of the plaintext)
[figure: CBC encryption and decryption]
39
CBC mode properties
  • Error propagation?
  • An error in block c_i affects only (the
    decryption of) c_i and c_{i+1}. So, errors
    don't propagate (this mode is
    self-synchronizing).
  • Can encryption be parallelized?
  • No
  • Can decryption be parallelized?
  • Yes
  • What if one bit of plaintext is changed
    (somewhere at the beginning)?
  • Everything needs to be recomputed (not so good
    e.g. for disc encryption)

40
Output Feedback (OFB) mode
[figure: OFB encryption and decryption]
41
OFB mode properties
  • Error propagation?
  • An error in block c_i affects only c_i and
    c_{i+1},
  • but this mode is not self-synchronizing.
  • Can encryption be parallelized?
  • No
  • (but we can use precomputation)
  • Can decryption be parallelized?
  • The same answer
  • What if one bit of plaintext is changed
    (somewhere at the beginning)?
  • Only one block needs to be recomputed

42
Counter (CTR) mode
[figure: CTR encryption and decryption]
43
Properties of CTR
  • CTR has all advantages of OFB.
  • Additionally it has the following property:
  • random access: it is possible to decrypt one
    block without decrypting anything else.
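The modes from the preceding slides (ECB, CBC, CTR and their properties), as an added Python example that is not the lecture's code: it shows the ECB repeated-block leak, CBC's limited error propagation and CTR's random access. The block cipher F_k is a stand-in, a 4-round Feistel network with HMAC-SHA256 round functions, which is this example's assumption (it is a genuine keyed permutation with an inverse, but it is not AES); messages are assumed to be a multiple of 16 bytes, padding being out of scope.

```python
import hashlib
import hmac

# Added example (not the lecture's or a library's code). F_k is a stand-in
# 4-round Feistel network on 16-byte blocks with HMAC-SHA256 round functions
# (an assumption of this example; use AES in practice).
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key: bytes, block: bytes, inverse: bool = False) -> bytes:
    f = lambda r, half: hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]
    L, R = block[:8], block[8:]
    for r in (range(3, -1, -1) if inverse else range(4)):   # F_k^-1 runs the rounds backwards
        L, R = (xor(R, f(r, L)), L) if inverse else (R, xor(L, f(r, R)))
    return L + R

def blocks(data: bytes) -> list:
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    return b"".join(prp(key, b) for b in blocks(m))          # deterministic: equal blocks show

def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(m):
        prev = prp(key, xor(b, prev))                        # c_i = F_k(m_i xor c_{i-1}), c_{-1} = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    cs = blocks(c)                                           # m_i = F_k^-1(c_i) xor c_{i-1}
    return b"".join(xor(prp(key, ci, True), prev) for ci, prev in zip(cs, [iv] + cs))

def ctr_encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    # c_i = m_i xor F_k(nonce || i); decryption is the same call, and any
    # single block can be recovered on its own (random access).
    return b"".join(xor(b, prp(key, nonce + i.to_bytes(8, "big"))) for i, b in enumerate(blocks(m)))

def ctr_decrypt_one(key: bytes, nonce: bytes, c: bytes, i: int) -> bytes:
    return xor(blocks(c)[i], prp(key, nonce + i.to_bytes(8, "big")))

def repeated_blocks(c: bytes) -> int:
    return len(blocks(c)) - len(set(blocks(c)))              # the ECB leak, counted

def cbc_damaged_blocks(key: bytes, iv: bytes, m: bytes, i: int) -> list:
    # Flip one bit in ciphertext block i; which plaintext blocks change on decryption?
    c = bytearray(cbc_encrypt(key, iv, m))
    c[16 * i] ^= 1
    m2 = blocks(cbc_decrypt(key, iv, bytes(c)))
    return [j for j, b in enumerate(blocks(m)) if b != m2[j]]
```

With three identical plaintext blocks, `repeated_blocks` reports 2 for ECB and 0 for CBC or CTR, and flipping a bit in c_0 of a CBC ciphertext damages exactly blocks 0 and 1.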

44
Provable security
  • Remember the provable security idea?

Suppose that some computational assumption A
holds. Then: scheme X is secure.
45
The following can be proven:
Suppose that X is a pseudorandom permutation. Then:
  scheme X-CBC is secure.
  scheme X-CTR is secure.
  scheme X-OFB is secure.
Of course, to get any information about practical
relevance of these results one needs to look at
the concrete parameters hidden in the
asymptotics.
46
Stream ciphers vs. block ciphers
  • Stream ciphers are a bit more efficient.
  • But they appear to be less secure.
  • It is easier to misuse them (use the same stream
    twice).
  • If you encrypt a stream of data you can always
    use a block cipher in CTR mode.
  • Probably at the moment block ciphers are a better
    choice.