
Modes of Operations for Block Ciphers

Debrup Chakraborty

CINVESTAV, email: [email protected]

Modes of Operation I – p.1/40

To be covered: Lecture I
• Cryptanalysis
  • Cryptanalytic goals
  • Adversarial resources
• Block Ciphers: A formal look
  • Pseudorandom Permutations
  • Strong Pseudorandom Permutations
• Modes of operations
  • An informal description
  • Types of modes
  • Security notions
• Security Proofs
  • Sequence of games

To be covered: Lecture II
• Some modes of operations
  • OCB
  • AEAD
  • CMC and EME
  • PEP, HCTR

Cryptanalysis
Breaking a crypto-system!

Cryptanalytic goals
• Total Key Recovery
• Partial Key Recovery
• Decryption
• Partial knowledge of plaintext
• Encryption
• Distinguishing attacks

Cryptanalysis (Contd.)
Cryptanalytic Settings (How powerful is the adversary?)
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Adaptive chosen plaintext
• Adaptive chosen ciphertext

Block Ciphers
Important symmetric key cryptographic primitive.
• It works on fixed-length groups of bits called blocks.
• It can thus be thought of as a permutation from {0, 1}^n to {0, 1}^n: E : K × {0, 1}^n → {0, 1}^n, generally written as E_K(·).

The security notion of a block cipher:
• A block cipher secure against an adaptive chosen plaintext adversary can be viewed as a PRP.
• A block cipher secure against an adaptive chosen ciphertext adversary can be viewed as an SPRP.

Pseudorandom Permutation
• Let Perm(n) denote all n-bit to n-bit permutations.
• Choose a random K ∈ K and give oracle access to E_K to an adversary.

Informally, E is called pseudorandom if it is "difficult" for a computationally bounded adversary to distinguish a given function E_K from a randomly chosen function π of Perm(n).

[Figure: the adversary A has oracle access either to E_K or to π.]

Strong Pseudorandom Permutation
• Choose a random K ∈ K and give oracle access to E_K and E_K^{-1} to an adversary.

[Figure: the adversary A has oracle access either to the pair (E_K, E_K^{-1}) or to the pair (π, π^{-1}).]

The Adversary
• The adversary is a polynomial-time probabilistic algorithm with oracle access to the functions, and outputs either 0 or 1.
• The adversary can interact with the function only through valid queries, and the answers to the queries are always returned if the query is valid.
• An adversary A interacting with an oracle O and outputting the bit 1 is written as

$A^{O} \Rightarrow 1$

PRP-Advantage
The advantage of an adversary in breaking the pseudorandomness of E(·, ·) is defined in the following manner.

$\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \Pr\big[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)} \Rightarrow 1\big] - \Pr\big[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot)} \Rightarrow 1\big]$
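As an added worked example (not part of the lecture), the following Python estimates the PRP-advantage of the definition above by Monte Carlo for a constructed toy block cipher E_K(x) = x ⊕ K on 8-bit blocks. The cipher, the distinguisher and the trial counts are all assumptions made here; the code runs both probabilities of the definition separately and returns their difference, so the result is a numeric instance of Adv^prp_E(A). The trivial adversary that always outputs 1 is included to show that the advantage measures the difference between the two worlds, not the raw probability of outputting 1.

```python
"""Estimating the PRP-advantage of a distinguisher against a toy block cipher.

Constructed example: E_K(x) = x XOR K on 8-bit blocks. It is a permutation of
{0,1}^8 for every key, so it is a block cipher in the formal sense, but a
useless one: the adversary below distinguishes it from a random permutation
almost always, so its PRP-advantage is close to 1.
"""
import random

N_BITS = 8
DOMAIN = 1 << N_BITS          # {0,1}^8 represented as the integers 0..255


def toy_encrypt(key, x):
    """E_K(x) = x XOR K (assumed toy cipher, not a real one)."""
    return x ^ key


def random_permutation(rng):
    """pi <-$ Perm(8): a uniformly random permutation, returned as an oracle."""
    table = list(range(DOMAIN))
    rng.shuffle(table)
    return lambda x: table[x]


def xor_distinguisher(oracle):
    """A^O: queries 0 and 1 and outputs 1 iff the answers differ in bit 0 only.

    For E_K this always holds (E_K(0) XOR E_K(1) = 1); for a random permutation
    it holds with probability exactly 1/255.
    """
    return 1 if oracle(0) ^ oracle(1) == 1 else 0


def always_one(oracle):
    """A trivial adversary: outputs 1 regardless of the oracle (advantage 0)."""
    return 1


def estimate_prp_advantage(adversary, trials, seed=2022):
    """Monte Carlo estimate of Adv^prp_E(A) = Pr[A^{E_K} => 1] - Pr[A^{pi} => 1]."""
    rng = random.Random(seed)
    real_wins = 0
    for _ in range(trials):
        key = rng.randrange(DOMAIN)                          # K <-$ K
        real_wins += adversary(lambda x: toy_encrypt(key, x))
    ideal_wins = 0
    for _ in range(trials):
        ideal_wins += adversary(random_permutation(rng))     # pi <-$ Perm(n)
    return real_wins / trials - ideal_wins / trials


EXACT_XOR_ADVANTAGE = 1 - 1 / (DOMAIN - 1)   # 1 - 1/255 for the XOR distinguisher


if __name__ == "__main__":
    print("xor distinguisher  :", round(estimate_prp_advantage(xor_distinguisher, 5000), 3))
    print("always-one adversary:", estimate_prp_advantage(always_one, 5000))
```

The same harness estimates the SPRP-advantage of the next slide if the adversary is also handed the inverse oracle; for the XOR cipher the inverse equals the forward direction, so nothing changes, but for a real cipher the two numbers can differ.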

SPRP-Advantage
Similarly, the advantage of an adversary in breaking the strong pseudorandomness of E(·, ·) is defined in the following manner.

$\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr\big[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\big] - \Pr\big[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\big]$

Mode of Operation
How to encrypt a message greater than the block length of the block cipher, using the block cipher?

Naive Solution:
• Suppose the message length is mn.
• Segment the message into m blocks.
• Encrypt each block using the block cipher E_K.

This is called the ECB mode.

Mode of Operation (Contd.)

ECB Mode is insecure.

Mode of Operation (Contd.)

The CBC mode

[Figure: CBC encryption. The IV is XORed into P_1 before it enters E_K; each later plaintext block P_i is XORed with the previous ciphertext block C_{i−1} before encryption, giving the ciphertext blocks C_1, C_2, …, C_{m−1}, C_m.]
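The following Python is an added example, not code from the lecture. It implements ECB and CBC over a constructed 128-bit block cipher (a 4-round Feistel network with an HMAC-SHA256 round function stands in for the abstract E_K; the PKCS#7-style padding is also an assumption) and checks the property that makes ECB insecure: equal plaintext blocks give equal ciphertext blocks, so repetition in the plaintext is visible in the ciphertext, which CBC hides by chaining each block into the next.

```python
"""ECB and CBC over a toy 128-bit block cipher, showing why ECB leaks structure.

Constructed example: the block cipher is a 4-round Feistel network whose round
function is HMAC-SHA256 truncated to a half block. Neither this cipher nor the
padding are from the lecture; they stand in for the abstract E_K of the slides
so that the modes can be run end to end.
"""
import hmac
import hashlib
import os

BLOCK = 16            # n = 128 bits
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Round function F_{K,i}(half): a PRF (HMAC) truncated to HALF bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block, rounds=4):
    """E_K on one block. A Feistel network is a permutation for any round
    function; with a PRF round function, 4 rounds give an SPRP (Luby-Rackoff)."""
    l, r = block[:HALF], block[HALF:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block, rounds=4):
    """E_K^{-1}: undo the rounds in reverse order."""
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _pad(msg):
    """PKCS#7-style padding so the length is a multiple of the block size."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def _unpad(msg):
    return msg[:-msg[-1]]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    """ECB: C_i = E_K(P_i). Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, p) for p in _blocks(_pad(msg)))


def ecb_decrypt(key, ct):
    return _unpad(b"".join(block_decrypt(key, c) for c in _blocks(ct)))


def cbc_encrypt(key, iv, msg):
    """CBC: C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV; returns IV || ciphertext."""
    out, prev = [], iv
    for p in _blocks(_pad(msg)):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, data):
    iv, ct = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def has_repeated_blocks(ct):
    """The ECB tell-tale: does the ciphertext contain two identical blocks?"""
    bs = _blocks(ct)
    return len(set(bs)) < len(bs)


if __name__ == "__main__":
    key = os.urandom(16)
    msg = b"ATTACK AT DAWN!!" * 4        # constructed: four identical 16-byte blocks
    print("ECB repeats blocks:", has_repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats blocks:", has_repeated_blocks(cbc_encrypt(key, os.urandom(16), msg)[BLOCK:]))
```

The check in `has_repeated_blocks` is exactly what the privacy notion later in the deck rules out: an adversary that submits a message with two equal blocks and looks for two equal ciphertext blocks distinguishes ECB from random bits with advantage close to 1, whereas for CBC with a fresh IV the ciphertext blocks are distinct except with negligible probability.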

Types of Modes
NIST's Standardization Efforts
• Encryption only
• Authenticated Encryption
• Authenticated Encryption with associated data
• Modes for disc encryption

Encryption Only
• The security requirement is privacy only
• Authentication is not required
• CBC with IV used as a nonce is such a mode
• Is of limited interest, as privacy alone does not fulfil all security requirements
• Is highly susceptible to attacks by active adversaries.

Authenticated encryption (AE)
• The security requirement is both privacy and authenticity
• Authentication is generally achieved by use of a tag, which can be seen as a MAC of the data (but not exactly so).
• These schemes lead to ciphertext expansion.
• All known AE constructions use a nonce
• Schemes providing authenticated encryption are of utmost importance in the current days.
• Constructions of such schemes are an active research area

AE (Contd.)
• AE schemes can be classified according to the number of block cipher calls required to encipher an m-block message.
• Schemes that need only m block cipher calls to encrypt an m-block message are called single-pass AE schemes.
• There are not many such schemes; the important ones among them are
  • Integrity Aware Parallel Mode (IAPM) by Charanjit Jutla
  • Offset Code Book (OCB) Mode by Rogaway et al.
• There is a patent hassle with the single-pass modes.

AE (Contd.)
• There are many double-pass proposals like:
  • CCM: Counter with CBC-MAC
  • CWC: Carter-Wegman + Counter Mode
  • GCM: Galois Counter Mode
  • EAX
• They are patent free but are inefficient. So, though single-pass schemes exist, there is still a continued effort to build two-pass schemes (seems strange!!)

AEAD
• The goal here is to encrypt a message in such a manner that only a part of the message is encrypted but the whole of it is authenticated.
• Its use arises in many scenarios; for example, consider a packet travelling in the network:
  • It is good if the header of the packet is not encrypted
  • But the header is authenticated, that is, a change in the header can be easily detected.
• Many AE schemes can be converted to AEAD schemes with some extra overhead.
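An added example, not from the slides: a two-pass AEAD built by the generic encrypt-then-MAC composition, with counter-mode encryption keyed from HMAC-SHA256 and an HMAC tag over nonce, header and ciphertext. It is not CCM, GCM or EAX; the PRF choice, the two-key layout, the length encoding and the sample packet are all assumptions made here. It shows the AEAD property described above: the header travels in the clear yet is covered by the tag, so a modified header or body is rejected before any plaintext is released, and the ciphertext expansion is exactly one tag.

```python
"""A two-pass AEAD: counter-mode encryption of the body plus a MAC over header and body.

Constructed example of the generic encrypt-then-MAC composition with a nonce,
not an implementation of CCM, GCM or EAX. The PRF is HMAC-SHA256 (assumption);
the header (associated data) is sent in the clear but is covered by the tag,
so the ciphertext expands by exactly one tag. Two independent keys are used so
the encryption PRF and the MAC never share a key.
"""
import hmac
import hashlib
import os

TAG_LEN = 32


def _keystream(enc_key, nonce, length):
    """Pass 1: counter mode. Keystream block j = F_s(nonce || j), F_s = HMAC-SHA256."""
    out = bytearray()
    j = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + j.to_bytes(4, "big"), hashlib.sha256).digest()
        j += 1
    return bytes(out[:length])


def _tag(mac_key, nonce, header, ciphertext):
    """Pass 2: the tag. The header length is encoded so the header/ciphertext
    boundary cannot be shifted without changing the MAC input."""
    msg = nonce + len(header).to_bytes(4, "big") + header + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def aead_encrypt(enc_key, mac_key, nonce, header, message):
    """Returns (header, ciphertext, tag): header in the clear, body encrypted, both authenticated."""
    ks = _keystream(enc_key, nonce, len(message))
    ciphertext = bytes(m ^ k for m, k in zip(message, ks))
    return header, ciphertext, _tag(mac_key, nonce, header, ciphertext)


def aead_decrypt(enc_key, mac_key, nonce, header, ciphertext, tag):
    """Returns the plaintext, or None if the tag does not verify.

    The tag check comes first and uses a constant-time comparison; any change
    to header, nonce or ciphertext is detected here (the forgery event of the
    AE security notion) and no plaintext is released."""
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, header, ciphertext)):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo(enc_key, mac_key, nonce, header, message):
    """Encrypt one packet, then decrypt the genuine copy and two modified copies."""
    hdr, ct, tag = aead_encrypt(enc_key, mac_key, nonce, header, message)
    modified_header = bytes([hdr[0] ^ 0x01]) + hdr[1:]      # one header bit changed in transit
    modified_body = bytes([ct[0] ^ 0x01]) + ct[1:]          # one ciphertext bit changed in transit
    return {
        "genuine": aead_decrypt(enc_key, mac_key, nonce, hdr, ct, tag),
        "modified_header": aead_decrypt(enc_key, mac_key, nonce, modified_header, ct, tag),
        "modified_body": aead_decrypt(enc_key, mac_key, nonce, hdr, modified_body, tag),
        "expansion": len(ct) + len(tag) - len(message),
    }


if __name__ == "__main__":
    # constructed header (associated data) and body
    res = demo(os.urandom(32), os.urandom(32), os.urandom(12), b"seq=7,len=13", b"payload bytes")
    for name, value in res.items():
        print(name, value)
```

Because the body is encrypted in counter mode, reusing a nonce under the same key leaks the XOR of two plaintexts; this is the reason the deck stresses that all known AE constructions use a nonce, and the caller must supply a fresh one per message.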

Modes for disc encryption
• The security requirement is security against a chosen plaintext and chosen ciphertext adversary.
• These schemes use a tweak, which is an additional public quantity.
• But ciphertext expansion is not allowed.
• There are not many schemes; the present schemes are:
  • CMC (by Rogaway and Halevi)
  • EME (by Rogaway and Halevi), EME∗ (by Halevi)
  • HCTR (by Peng Wang et al.)
  • PEP (by Chakraborty and Sarkar)

Security Notions
Let's first fix notations:
• Let E_k : {0, 1}^n → {0, 1}^n denote the block cipher
• 𝐄_k : M → C denotes the mode
• 𝐄_k : N × M → C denotes a mode which uses a nonce
• 𝐄_k : T × M → C denotes a mode which uses a tweak

Security Notions
Privacy Only
• Here the adversary is assumed to be a chosen plaintext adversary.
• When an efficient adversary is given oracle access to the mode of operation and to an oracle which returns random bits, he should not be able to distinguish the mode from the oracle which returns random bits.
• The advantage of the adversary in such a situation is defined as

$\mathrm{Adv}^{\mathrm{priv}}(A) = \Pr\big[k \xleftarrow{\$} \mathcal{K} : A^{\mathbf{E}_k(\cdot)} \Rightarrow 1\big] - \Pr\big[k \xleftarrow{\$} \mathcal{K} : A^{\$(\cdot)} \Rightarrow 1\big]$

Security Notions
Authenticated Encryption
• Here both privacy and authenticity are required.
• So the requirement of privacy remains the same.
• Additionally, after the adversary has received a set of ciphertexts by interacting with the oracle, it outputs a ciphertext and the corresponding tag.
• For the scheme to be secure the probability that the tag matches should be low.

Security Notions
Disc Encryption
• Here we need the mode to be a strong pseudo-random permutation.
• The adversary is a chosen plaintext, chosen ciphertext adversary, so it has access to both the encryption and the decryption oracles.

$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{E}}(A) = \Pr\big[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\big] - \Pr\big[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\big]$

Security Proofs
• Whenever a new construction is proposed one needs to prove its security in the appropriate security model.
• These proofs are in general long and complex.
• It would not be possible for us to prove security of a mode in this class.
• We shall take a dummy example to show how these proofs work.

Security Proofs (Contd.)
Pseudo-Random Functions
• Let ℓ_1 and ℓ_2 be positive integers.
• Let F = {F_s}_{s∈S} be a keyed family of functions, where each function F_s maps {0, 1}^{ℓ_1} to {0, 1}^{ℓ_2}.
• Let Γ_{ℓ_1,ℓ_2} denote the set of all functions from {0, 1}^{ℓ_1} to {0, 1}^{ℓ_2}.
• Informally we say F is pseudo-random if it is hard to distinguish a random function drawn from F from a random function drawn from Γ_{ℓ_1,ℓ_2}, given black box access to the functions.

Security Proofs (Contd.)
• Formally we define the PRF-advantage of an adversary A as

$\Pr\big[s \xleftarrow{\$} S : A^{F_s} \Rightarrow 1\big] - \Pr\big[f \xleftarrow{\$} \Gamma_{\ell_1,\ell_2} : A^{f} \Rightarrow 1\big]$

• We say F is pseudo-random if any efficient adversary's PRF-advantage is negligible.

Now we shall construct a scheme to stretch the input length of a pseudo-random family.

Security Proofs (Contd.)
• Let ℓ be a positive integer with ℓ > ℓ_1.
• Let {H_k}_{k∈K} be a family of keyed hash functions where each H_k maps {0, 1}^ℓ to {0, 1}^{ℓ_1}.
• We assume that H is an ε_uh-universal family of hash functions, where ε_uh is negligible.
• This means that for all w, w′ ∈ {0, 1}^ℓ with w ≠ w′ we have

$\Pr\big[k \xleftarrow{\$} \mathcal{K} : H_k(w) = H_k(w')\big] \le \varepsilon_{uh}$

Security Proofs (Contd.)
• Now we define the family of functions

$F' = \{F'_{k,s}\}_{(k,s) \in \mathcal{K} \times S}$

• where F′_{k,s} is the function from {0, 1}^ℓ to {0, 1}^{ℓ_2} which sends w ∈ {0, 1}^ℓ to F_s(H_k(w)).
• We shall now prove that if F is pseudo-random then F′ is pseudo-random.

Security Proofs (Contd.)
• We shall model the interaction of the adversary with the function by a sequence of games.
• We start with Game 0.
• Game 0 represents the computation of any adversary given oracle access to a function drawn at random from F′.
• Without loss of generality we assume that the adversary makes q queries and never repeats any query.

Security Proofs (Contd.)
Game 0

  k ←$ K, s ←$ S
  r ←$ R
  for i ← 1 … q do
    w_i ← A(r, y_1, …, y_{i−1}) ∈ {0, 1}^ℓ
    x_i ← H_k(w_i) ∈ {0, 1}^{ℓ_1}
    y_i ← F_s(x_i) ∈ {0, 1}^{ℓ_2}
  b ← A(r, y_1, …, y_q) ∈ {0, 1}
  output b

Let S_0 be the event that the output b = 1 in Game 0.

Security Proofs (Contd.)
• We make some small modifications in Game 0 to get Game 1.
• In Game 1 we use a truly random function from ℓ_1 bits to ℓ_2 bits, in place of F_s.
• Intuitively, the pseudorandom property of F should guarantee that this modification has only a negligible effect on the behaviour of the adversary.

Security Proofs (Contd.)
Game 1

  k ←$ K, f ←$ Γ_{ℓ_1,ℓ_2}
  r ←$ R
  for i ← 1 … q do
    w_i ← A(r, y_1, …, y_{i−1}) ∈ {0, 1}^ℓ
    x_i ← H_k(w_i) ∈ {0, 1}^{ℓ_1}
    y_i ← f(x_i) ∈ {0, 1}^{ℓ_2}
  b ← A(r, y_1, …, y_q) ∈ {0, 1}
  output b

Let S_1 be the event that the output b = 1 in Game 1. We claim

$\Pr[S_0] - \Pr[S_1] = \varepsilon_{prf}$

Security Proofs (Contd.)
• We now make a purely conceptual change in Game 1.
• Here, instead of a fixed function f, we construct the function on the fly and make consistency checks.

Security Proofs (Contd.)
Game 2

  k ←$ K, Y_1, …, Y_q ←$ {0, 1}^{ℓ_2}
  r ←$ R
  for i ← 1 … q do
    w_i ← A(r, y_1, …, y_{i−1}) ∈ {0, 1}^ℓ
    x_i ← H_k(w_i) ∈ {0, 1}^{ℓ_1}
    if x_i = x_j for some j < i then y_i ← y_j else y_i ← Y_i
  b ← A(r, y_1, …, y_q) ∈ {0, 1}
  output b

Let S_2 be the event that the output b = 1 in Game 2. We claim

$\Pr[S_2] = \Pr[S_1]$

Security Proofs (Contd.)
Game 3

  k ←$ K, Y_1, …, Y_q ←$ {0, 1}^{ℓ_2}
  r ←$ R
  for i ← 1 … q do
    w_i ← A(r, y_1, …, y_{i−1}) ∈ {0, 1}^ℓ
    x_i ← H_k(w_i) ∈ {0, 1}^{ℓ_1}
    y_i ← Y_i
  b ← A(r, y_1, …, y_q) ∈ {0, 1}
  output b

Security Proofs (Contd.)
• Let S_3 be the event that the output b = 1 in Game 3.
• Define F to be the event that in Game 3, x_i = x_j for some i, j with i ≠ j.
• Then Pr[S_2] − Pr[S_3] ≤ Pr[F].

Security Proofs (Contd.)
• Now we claim $\Pr[F] \le \varepsilon_{uh}\,\frac{q^2}{2}$
• For any fixed pair of indices i, j with i ≠ j, by the universal hash property of H, and by our assumption that the adversary never repeats any queries, we have w_i ≠ w_j, and hence

$\Pr[H_k(w_i) = H_k(w_j)] \le \varepsilon_{uh}$

• As there are q(q − 1)/2 such pairs of indices, it follows that

$\Pr[S_2] - \Pr[S_3] \le \varepsilon_{uh}\,\frac{q^2}{2}.$

Security Proofs (Contd.)
• Now it is obvious to see that Game 3 is equivalent to the computation of an adversary given oracle access to a function in Γ_{ℓ_1,ℓ_2}.
• Thus the PRF advantage of the adversary is

$\Pr[S_0] - \Pr[S_3]$

• Also

$\Pr[S_0] - \Pr[S_3] \le \varepsilon_{prf} + \varepsilon_{uh}\,\frac{q^2}{2}$

• So we are done!
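As an added example that is not part of the lecture, the following Python instantiates the construction F′_{k,s}(w) = F_s(H_k(w)) of the proof with concrete, constructed components: a polynomial universal hash over Z_251 for H_k, HMAC-SHA256 truncated to 4 bytes for F_s, and deliberately tiny parameters so that the numbers are visible. It computes the pairwise collision probability of H exactly, estimates Pr[F] for q distinct queries as in Game 3, checks it against the bound ε_uh q²/2, and shows that two inputs colliding under H_k yield equal F′ outputs, which is the case Game 2's consistency check models.

```python
"""The stretched PRF F'_{k,s}(w) = F_s(H_k(w)) from the proof, with a polynomial
universal hash, and an empirical check of the collision bound Pr[F] <= eps_uh * q^2/2.

Constructed example: parameters are tiny so the bound is visible. H_k evaluates
a polynomial over Z_P (P = 251, so ell_1 is about 8 bits) at the key k; F_s is
HMAC-SHA256 truncated to 4 bytes (ell_2 = 32). Neither choice comes from the
slides, which keep H and F abstract.
"""
import hmac
import hashlib
import random

P = 251                     # prime field for the hash output
CHUNK_BITS = 7              # each chunk < 128 < P, so it is a valid field element
M_CHUNKS = 4                # ell = 28-bit inputs are hashed to one field element
ELL = CHUNK_BITS * M_CHUNKS
EPS_UH = M_CHUNKS / P       # H is eps_uh-universal with eps_uh = M_CHUNKS / P


def hash_universal(k, w):
    """H_k(w) = sum_{i<M} w_i * k^(i+1) mod P, with w_i the 7-bit chunks of w.

    For w != w' the difference H_k(w) - H_k(w') is a nonzero polynomial in k of
    degree <= M_CHUNKS, so at most M_CHUNKS of the P keys make them collide."""
    chunks = [(w >> (CHUNK_BITS * i)) & ((1 << CHUNK_BITS) - 1) for i in range(M_CHUNKS)]
    acc = 0
    for c in reversed(chunks):      # Horner's rule
        acc = (acc * k + c) % P
    return (acc * k) % P


def prf(s, x):
    """F_s on an ell_1-bit input, instantiated with HMAC-SHA256 (assumption)."""
    return hmac.new(s, bytes([x]), hashlib.sha256).digest()[:4]


def f_prime(k, s, w):
    """F'_{k,s}(w) = F_s(H_k(w)): the construction whose PRF-security the games prove."""
    return prf(s, hash_universal(k, w))


def exact_pair_collision_prob(w1, w2):
    """Pr[k <-$ Z_P : H_k(w1) = H_k(w2)], computed exactly by trying every key."""
    return sum(hash_universal(k, w1) == hash_universal(k, w2) for k in range(P)) / P


def collision_bound(q):
    """The proof's bound on Pr[F]: eps_uh * q^2 / 2."""
    return EPS_UH * q * q / 2


def event_f_rate(q, trials, seed=0):
    """Empirical Pr[F]: in Game 3, x_i = x_j for some i != j, over q distinct
    queries w_i (the adversary never repeats a query) and a random key k."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        k = rng.randrange(P)
        queries = rng.sample(range(1 << ELL), q)          # q distinct inputs
        xs = {hash_universal(k, w) for w in queries}
        hits += len(xs) < q                                 # some x_i = x_j occurred
    return hits / trials


if __name__ == "__main__":
    q = 10
    print("eps_uh =", EPS_UH)
    print("Pr[F] empirical:", event_f_rate(q, 4000), " bound:", collision_bound(q))
    # Colliding H inputs force equal F' outputs, which is what Game 2's
    # consistency check models: with k = 1, H_1(1) = H_1(128) = 1.
    print("F' agrees on an H-collision:", f_prime(1, b"s", 1) == f_prime(1, b"s", 128))
```

With q = 10 the bound ε_uh q²/2 is about 0.8 while the empirical Pr[F] is near the birthday value for 10 samples out of 251; the gap shows the bound is loose but, as the proof only needs, on the right side. The key k = 0 is a legitimate member of K that makes every input collide; it is counted in ε_uh rather than excluded.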

