Modes of Operation for Block Ciphers
Debrup Chakraborty
CINVESTAV, email: [email protected]
Modes of Operation I – p.1/40
To be covered: Lecture I
• Cryptanalysis
  • Cryptanalytic goals
  • Adversarial resources
• Block ciphers: a formal look
  • Pseudorandom permutations
  • Strong pseudorandom permutations
• Modes of operation
  • An informal description
  • Types of modes
  • Security notions
• Security proofs
  • Sequence of games
To be covered: Lecture II
• Some modes of operation
  • OCB
  • AEAD
  • CMC and EME
  • PEP, HCTR
Cryptanalysis
Breaking a crypto-system!
Cryptanalytic goals
• Total key recovery
• Partial key recovery
• Decryption
• Partial knowledge of plaintext
• Encryption
• Distinguishing attacks
Cryptanalysis (Contd.)
Cryptanalytic settings (how powerful is the adversary?)
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Adaptive chosen plaintext
• Adaptive chosen ciphertext
Block Ciphers
An important symmetric key cryptographic primitive.
• It works on fixed-length groups of bits called blocks.
• For each key it can thus be thought of as a permutation from {0,1}^n to {0,1}^n, i.e. E : 𝒦 × {0,1}^n → {0,1}^n, generally written as E_K(·).
The security notion of a block cipher:
• A block cipher secure against an adaptive chosen plaintext adversary can be viewed as a PRP.
• A block cipher secure against an adaptive chosen ciphertext adversary can be viewed as an SPRP.
Pseudorandom Permutation
• Let Perm(n) denote the set of all n-bit to n-bit permutations.
• Choose a random key K from the key space 𝒦 and give the adversary oracle access to E_K.
Informally, E is called pseudorandom if it is "difficult" for a computationally bounded adversary to distinguish a given function E_K from a randomly chosen permutation π of Perm(n).
[Figure: the adversary A is given oracle access to either E_K or π]
Strong Pseudorandom Permutation
• Choose a random key K from the key space 𝒦 and give the adversary oracle access to both E_K and E_K^{-1}.
[Figure: the adversary A is given oracle access to either the pair (E_K, E_K^{-1}) or the pair (π, π^{-1})]
The Adversary
• The adversary is a polynomial time probabilistic algorithm with oracle access to the functions, and it outputs either 0 or 1.
• The adversary can interact with the function only through valid queries, and the answers to the queries are always returned if the query is valid.
• An adversary A interacting with an oracle O and outputting the bit 1 is written as
$$A^{O} \Rightarrow 1$$
PRP-Advantage
The advantage of an adversary in breaking the pseudorandomness of E(·,·) is defined in the following manner.
$$\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot)} \Rightarrow 1\right]$$
SPRP-Advantage
Similarly, the advantage of an adversary in breaking the strong pseudorandomness of E(·,·) is defined in the following manner.
$$\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\right]$$
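The PRP and SPRP advantage definitions on the last two slides, run as concrete distinguishing experiments. This is an added Python example, not part of the original lecture: it assumes a toy block length N = 32, a deliberately weak cipher E_K(x) = x ⊕ K standing in for E, and a random permutation π that is sampled lazily (fresh values on demand, kept consistent with earlier answers, which is also how Game 2 of the security proof later builds its random function). The two adversaries and the Monte Carlo estimator are constructed for this example.

```python
import random

N = 32   # block length in bits (toy parameter; the slides keep n abstract)


class LazyRandomPermutation:
    """A uniformly random permutation pi on {0,1}^N, sampled lazily: each new
    query gets a fresh value consistent with all earlier answers.  Both pi and
    pi^{-1} are offered, so the same object can play the SPRP game."""

    def __init__(self, rng):
        self.rng, self.fwd, self.bwd = rng, {}, {}

    def _fresh(self, used):
        v = self.rng.getrandbits(N)
        while v in used:             # keep pi a bijection
            v = self.rng.getrandbits(N)
        return v

    def forward(self, x):            # pi(x)
        if x not in self.fwd:
            y = self._fresh(self.bwd)
            self.fwd[x], self.bwd[y] = y, x
        return self.fwd[x]

    def inverse(self, y):            # pi^{-1}(y)
        if y not in self.bwd:
            x = self._fresh(self.fwd)
            self.fwd[x], self.bwd[y] = y, x
        return self.bwd[y]


class XorCipher:
    """A deliberately weak 'block cipher' E_K(x) = x XOR K (constructed for this
    example).  It is a permutation of {0,1}^N for every key, yet trivially
    distinguishable from a random permutation."""

    def __init__(self, key):
        self.key = key

    def forward(self, x):            # E_K
        return x ^ self.key

    def inverse(self, y):            # E_K^{-1}; XOR with K is an involution
        return y ^ self.key


def prp_adversary(enc):
    # Chosen-plaintext distinguisher using only the forward oracle: under E_K
    # we always have E(x0) XOR E(x1) == x0 XOR x1, while under a random pi this
    # holds with probability about 2^-N.
    x0, x1 = 0x01234567, 0x89ABCDEF
    return 1 if enc(x0) ^ enc(x1) == x0 ^ x1 else 0


def sprp_adversary(enc, dec):
    # Chosen-ciphertext distinguisher using both oracles: decrypting E(x) XOR d
    # returns x XOR d under the XOR cipher, but a fresh random point under pi^{-1}.
    x, d = 0xDEADBEEF, 0x0000FFFF
    y = enc(x)
    return 1 if dec(y ^ d) == x ^ d else 0


def advantage(adversary, real_oracles, ideal_oracles, trials=200, seed=7):
    """Monte Carlo estimate of Pr[A^real => 1] - Pr[A^ideal => 1].  Every trial
    draws a fresh key (real world) or a fresh random permutation (ideal world)."""
    rng = random.Random(seed)
    real = sum(adversary(*real_oracles(rng)) for _ in range(trials))
    ideal = sum(adversary(*ideal_oracles(rng)) for _ in range(trials))
    return (real - ideal) / trials


def prp_advantage_xor():
    return advantage(prp_adversary,
                     lambda rng: (XorCipher(rng.getrandbits(N)).forward,),
                     lambda rng: (LazyRandomPermutation(rng).forward,))


def sprp_advantage_xor():
    def real(rng):
        c = XorCipher(rng.getrandbits(N))
        return c.forward, c.inverse

    def ideal(rng):
        p = LazyRandomPermutation(rng)
        return p.forward, p.inverse

    return advantage(sprp_adversary, real, ideal)


if __name__ == "__main__":
    print("PRP advantage :", prp_advantage_xor())    # 1.0
    print("SPRP advantage:", sprp_advantage_xor())   # 1.0
```

Both estimates come out as 1.0: the adversaries output 1 in every real-world trial and, up to a 2^-32 chance per trial, never in the ideal world. A secure block cipher in place of XorCipher would drive both estimates towards 0, which is exactly what "negligible advantage" means.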
Mode of Operation
How to encrypt a message longer than the block length of the block cipher, using the block cipher?
Naive solution:
• Suppose the message length is mn.
• Segment the message into m blocks.
• Encrypt each block using the block cipher E_K.
This is called the ECB mode.
Mode of Operation (Contd.)
The CBC mode
[Figure: the plaintext blocks P_1, P_2, ..., P_{m-1}, P_m are enciphered by E_K into C_1, C_2, ..., C_{m-1}, C_m, with an IV chained into the first block and each C_{i-1} XORed into P_i before encryption, i.e. C_i = E_K(P_i ⊕ C_{i-1}) with C_0 = IV]
Types of Modes
NIST's standardization efforts
• Encryption only
• Authenticated encryption
• Authenticated encryption with associated data
• Modes for disc encryption
Encryption Only
• The security requirement is privacy only.
• Authentication is not required.
• CBC with the IV used as a nonce is such a mode.
• It is of limited interest, as privacy alone does not fulfil all security requirements.
• It is highly susceptible to attacks by active adversaries.
Authenticated Encryption (AE)
• The security requirement is both privacy and authenticity.
• Authentication is generally achieved by use of a tag, which can be seen as a MAC of the data (but not exactly so).
• These schemes lead to ciphertext expansion.
• All known AE constructions use a nonce.
• Schemes providing authenticated encryption are of utmost importance these days.
• Construction of such schemes is an active research area.
AE (Contd.)
• AE schemes can be classified according to the number of block cipher calls required to encipher an m-block message.
• Schemes that need only m block cipher calls to encrypt an m-block message are called single pass AE schemes.
• There are not many such schemes; the important ones among them are
  • Integrity Aware Parallel Mode (IAPM) by Charanjit Jutla
  • Offset Code Book (OCB) mode by Rogaway et al.
• There is a patent hassle with the single pass modes.
AE (Contd.)
• There are many double pass proposals, like:
  • CCM: Counter with CBC-MAC
  • CWC: Carter-Wegman + Counter mode
  • GCM: Galois Counter Mode
  • EAX
• They are patent free but are inefficient. So, though single pass schemes exist, there is still a continued effort to build two pass schemes (seems strange!!).
AEAD
• The goal here is to encrypt a message in such a manner that only a part of the message is encrypted but the whole of it is authenticated.
• Its use arises in many scenarios; for example, consider a packet traveling in the network:
  • It is good if the header of the packet is not encrypted.
  • But the header is authenticated, that is, a change in the header can be easily detected.
• Many AE schemes can be converted to AEAD schemes with some extra overhead.
Modes for Disc Encryption
• The security requirement is security against a chosen plaintext and chosen ciphertext adversary.
• These schemes use a tweak, which is an additional public quantity.
• But ciphertext expansion is not allowed.
• There are not many schemes; the present schemes are:
  • CMC (by Rogaway and Halevi)
  • EME (by Rogaway and Halevi), EME* (by Halevi)
  • HCTR (by Peng Wang et al.)
  • PEP (by Chakraborty and Sarkar)
Security Notions
Let's first fix notation:
• Let E_k : {0,1}^n → {0,1}^n denote the block cipher.
• $\mathbb{E}_k : \mathcal{M} \to \mathcal{C}$ denotes the mode.
• $\mathbb{E}_k : \mathcal{N} \times \mathcal{M} \to \mathcal{C}$ denotes a mode which uses a nonce.
• $\mathbb{E}_k : \mathcal{T} \times \mathcal{M} \to \mathcal{C}$ denotes a mode which uses a tweak.
Security Notions: Privacy Only
• Here the adversary is assumed to be a chosen plaintext adversary.
• When an efficient adversary is given oracle access to the mode of operation and to an oracle which returns random bits, it should not be able to distinguish the mode from the oracle which returns random bits.
• The advantage of the adversary in such a situation is defined as
$$\mathrm{Adv}^{\mathrm{priv}}(A) = \Pr\left[k \xleftarrow{\$} \mathcal{K} : A^{\mathbb{E}_k(\cdot)} \Rightarrow 1\right] - \Pr\left[k \xleftarrow{\$} \mathcal{K} : A^{\$(\cdot)} \Rightarrow 1\right]$$
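The ECB and CBC modes from the Mode of Operation slides, put through the privacy game just defined. This is an added Python example, not part of the original lecture. The block cipher E_K is a stand-in assumed for this example: a 4-round Feistel network with HMAC-SHA256 round functions, chosen only so the code runs on the standard library, not a cipher the slides discuss. Messages are assumed to be a multiple of the block length (no padding), and CBC transmits its IV in front of the ciphertext. The chosen-plaintext adversary, also constructed here, asks for two identical blocks and outputs 1 if the two ciphertext blocks coincide; that separates ECB from random bits, while CBC with a fresh random IV is not separated by it.

```python
import hashlib
import hmac
import os

BLOCK = 16           # block length n = 128 bits
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, r, half):
    # Round function F_r: HMAC-SHA256 keyed by (key || r), cut to a half block.
    return hmac.new(key + bytes([r]), half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block):
    """E_K: a 4-round Feistel network over 128-bit blocks (stand-in for AES)."""
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for r in range(4):
        L, R = R, _xor(L, _round_fn(key, r, R))
    return L + R


def block_decrypt(key, block):
    """E_K^{-1}: the same rounds applied in reverse order."""
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round_fn(key, r, L)), L
    return L + R


def _blocks(data):
    assert len(data) % BLOCK == 0, "message length must be a multiple of n"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, msg):
    # ECB: each block is enciphered independently, so equal plaintext blocks
    # give equal ciphertext blocks.
    return b"".join(block_encrypt(key, p) for p in _blocks(msg))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, c) for c in _blocks(ct))


def cbc_encrypt(key, msg, iv=None):
    # CBC: C_i = E_K(P_i XOR C_{i-1}), C_0 = IV.  A fresh random IV per message
    # is what the privacy notion needs; the IV is sent ahead of the ciphertext.
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, [iv]
    for p in _blocks(msg):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ct):
    cs = _blocks(ct)
    prev, out = cs[0], []
    for c in cs[1:]:
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_block_adversary(oracle):
    # Chosen-plaintext adversary of the privacy game: queries two identical
    # blocks and outputs 1 iff the last two ciphertext blocks coincide.
    cs = _blocks(oracle(b"A" * BLOCK * 2))
    return 1 if cs[-1] == cs[-2] else 0


def privacy_advantage(mode_encrypt, trials=50):
    """Estimate Adv_priv = Pr[A^{mode} => 1] - Pr[A^{$} => 1]; the $ oracle
    returns random bits of the same length as the mode's ciphertext."""
    real = ideal = 0
    for _ in range(trials):
        key = os.urandom(16)
        real += repeated_block_adversary(lambda m: mode_encrypt(key, m))
        ideal += repeated_block_adversary(
            lambda m: os.urandom(len(mode_encrypt(key, m))))
    return (real - ideal) / trials


if __name__ == "__main__":
    print("ECB privacy advantage:", privacy_advantage(ecb_encrypt))  # 1.0
    print("CBC privacy advantage:", privacy_advantage(cbc_encrypt))  # 0.0
```

The estimate is 1.0 for ECB and 0.0 for CBC with a random IV: this single adversary already shows that ECB is not a private mode, independently of how strong the underlying block cipher is. Reusing the CBC IV (passing the same iv twice) would make the mode deterministic again, which is why the slides insist on the IV being a nonce.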
Security Notions: Authenticated Encryption
• Here both privacy and authenticity are required.
• So the requirement of privacy remains the same.
• Additionally, after the adversary has received a set of ciphertexts by interacting with the oracle, it outputs a ciphertext and the corresponding tag.
• For the scheme to be secure, the probability that the tag matches should be low.
Security Notions: Disc Encryption
• Here we need the mode to be a strong pseudorandom permutation.
• The adversary is a chosen plaintext, chosen ciphertext adversary, so it has access to both the encryption and the decryption oracles.
$$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbb{E}}(A) = \Pr\left[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot),\,E_K^{-1}(\cdot)} \Rightarrow 1\right] - \Pr\left[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot),\,\pi^{-1}(\cdot)} \Rightarrow 1\right]$$
Security Proofs
• Whenever a new construction is proposed, one needs to prove its security in the appropriate security model.
• These proofs are in general long and complex.
• It would not be possible for us to prove the security of a mode in this class.
• We shall take a dummy example to show how these proofs work.
Security Proofs (Contd.): Pseudo-Random Functions
• Let ℓ_1 and ℓ_2 be positive integers.
• Let F = {F_s}_{s∈S} be a keyed family of functions, where each function F_s maps {0,1}^{ℓ_1} to {0,1}^{ℓ_2}.
• Let Γ_{ℓ_1,ℓ_2} denote the set of all functions from {0,1}^{ℓ_1} to {0,1}^{ℓ_2}.
• Informally, we say F is pseudo-random if it is hard to distinguish a random function drawn from F from a random function drawn from Γ_{ℓ_1,ℓ_2}, given black box access to the functions.
Security Proofs (Contd.)
• Formally, we define the PRF-advantage of an adversary A as
$$\Pr\left[s \xleftarrow{\$} S : A^{F_s} \Rightarrow 1\right] - \Pr\left[f \xleftarrow{\$} \Gamma_{\ell_1,\ell_2} : A^{f} \Rightarrow 1\right]$$
• We say F is pseudo-random if any efficient adversary's PRF-advantage is negligible.
Now we shall construct a scheme to stretch the input length of a pseudo-random family.
Security Proofs (Contd.)
• Let ℓ be a positive integer with ℓ > ℓ_1.
• Let {H_k}_{k∈K} be a family of keyed hash functions where each H_k maps {0,1}^ℓ to {0,1}^{ℓ_1}.
• We assume that H is an ε_uh-universal family of hash functions, where ε_uh is negligible.
• This means that for all w, w′ ∈ {0,1}^ℓ with w ≠ w′ we have
$$\Pr\left[k \xleftarrow{\$} K : H_k(w) = H_k(w')\right] \le \varepsilon_{uh}$$
Security Proofs (Contd.)
• Now we define the family of functions
$$F' = \{F'_{k,s}\}_{(k,s)\in K \times S}$$
• where F′_{k,s} is the function from {0,1}^ℓ to {0,1}^{ℓ_2} which sends w ∈ {0,1}^ℓ to F_s(H_k(w)).
• We shall now prove that if F is pseudo-random then F′ is pseudo-random.
Security Proofs (Contd.)
• We shall model the interaction of the adversary with the function by a sequence of games.
• We start with Game 0.
• Game 0 represents the computation of any adversary given oracle access to a function drawn at random from F′.
• Without loss of generality we assume that the adversary makes q queries and never repeats any query.
Security Proofs (Contd.): Game 0
    k ←$ K, s ←$ S
    r ←$ R
    for i ← 1 ... q do
        w_i ← A(r, y_1, ..., y_{i-1}) ∈ {0,1}^ℓ
        x_i ← H_k(w_i) ∈ {0,1}^{ℓ_1}
        y_i ← F_s(x_i) ∈ {0,1}^{ℓ_2}
    b ← A(r, y_1, ..., y_q) ∈ {0,1}
    output b
Let S_0 be the event that the output b = 1 in Game 0.
Security Proofs (Contd.)
• We make some small modifications to Game 0 to get Game 1.
• In Game 1 we use a truly random function from ℓ_1 bits to ℓ_2 bits in place of F_s.
• Intuitively, the pseudorandom property of F should guarantee that this modification has only a negligible effect on the behaviour of the adversary.
Security Proofs (Contd.): Game 1
    k ←$ K, f ←$ Γ_{ℓ_1,ℓ_2}
    r ←$ R
    for i ← 1 ... q do
        w_i ← A(r, y_1, ..., y_{i-1}) ∈ {0,1}^ℓ
        x_i ← H_k(w_i) ∈ {0,1}^{ℓ_1}
        y_i ← f(x_i) ∈ {0,1}^{ℓ_2}
    b ← A(r, y_1, ..., y_q) ∈ {0,1}
    output b
Let S_1 be the event that the output b = 1 in Game 1. We claim
$$\Pr[S_0] - \Pr[S_1] = \varepsilon_{prf}$$
Security Proofs (Contd.)
• We now make a purely conceptual change in Game 1.
• Here, instead of a fixed function f, we construct the function on the fly and make consistency checks.
Security Proofs (Contd.): Game 2
    k ←$ K, Y_1, ..., Y_q ←$ {0,1}^{ℓ_2}
    r ←$ R
    for i ← 1 ... q do
        w_i ← A(r, y_1, ..., y_{i-1}) ∈ {0,1}^ℓ
        x_i ← H_k(w_i) ∈ {0,1}^{ℓ_1}
        if x_i = x_j for some j < i then y_i ← y_j else y_i ← Y_i
    b ← A(r, y_1, ..., y_q) ∈ {0,1}
    output b
Let S_2 be the event that the output b = 1 in Game 2. We claim
$$\Pr[S_2] = \Pr[S_1]$$
Security Proofs (Contd.): Game 3
    k ←$ K, Y_1, ..., Y_q ←$ {0,1}^{ℓ_2}
    r ←$ R
    for i ← 1 ... q do
        w_i ← A(r, y_1, ..., y_{i-1}) ∈ {0,1}^ℓ
        x_i ← H_k(w_i) ∈ {0,1}^{ℓ_1}
        y_i ← Y_i
    b ← A(r, y_1, ..., y_q) ∈ {0,1}
    output b
Security Proofs (Contd.)
• Let S_3 be the event that the output b = 1 in Game 3.
• Define F to be the event that in Game 3, x_i = x_j for some i, j with i ≠ j.
• Then Pr[S_2] − Pr[S_3] ≤ Pr[F].
Security Proofs (Contd.)
• Now we claim
$$\Pr[F] \le \varepsilon_{uh}\,\frac{q^2}{2}$$
• For any fixed pair of indices i, j with i ≠ j, by the universal hash property of H, and by our assumption that the adversary never repeats any query, we have w_i ≠ w_j, and hence
$$\Pr[H_k(w_i) = H_k(w_j)] \le \varepsilon_{uh}$$
• As there are q(q − 1)/2 such pairs of indices, it follows that
$$\Pr[S_2] - \Pr[S_3] \le \varepsilon_{uh}\,\frac{q^2}{2}.$$
Security Proofs (Contd.)
• Now it is obvious to see that Game 3 is equivalent to the computation of an adversary given oracle access to a function in Γ_{ℓ_1,ℓ_2}.
• Thus the PRF advantage of the adversary is
$$\Pr[S_0] - \Pr[S_3]$$
• Also
$$\Pr[S_0] - \Pr[S_3] \le \varepsilon_{prf} + \varepsilon_{uh}\,\frac{q^2}{2}$$
• So we are done!
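The game sequence of the proof (Games 1 to 3, the universal hash, and the collision event F) run on a toy instance. This is an added Python example, not part of the original lecture, and all its parameters are constructed for it: the Carter-Wegman affine family H_{a,b}(w) = ((a·w + b) mod p) mod 2^{ℓ_1}, which is ε_uh-universal with ε_uh = 1/2^{ℓ_1}; a deliberately tiny ℓ_1 = 8 so that the bad event F actually happens within q = 30 queries; and a concrete non-adaptive adversary that makes q distinct random queries and outputs 1 when two answers coincide. Games 2 and 3 are run on the same coins, so the code also checks the "identical until F" property behind Pr[S_2] − Pr[S_3] ≤ Pr[F]. Game 0 is not simulated because it needs a concrete PRF F and ε_prf is exactly the quantity the proof leaves to the PRF assumption.

```python
import random

# Toy parameters (constructed; the slides keep l, l_1, l_2 abstract).
L_IN, L1, L2 = 30, 8, 16
P = 2**31 - 1            # prime > 2^L_IN, modulus of the hash family below
Q = 30                   # queries made by the adversary, all distinct
EPS_UH = 1.0 / 2**L1     # collision bound of the affine hash family


def hash_key(rng):
    # k = (a, b) with a in [1, p-1] and b in [0, p-1]
    return rng.randrange(1, P), rng.randrange(0, P)


def H(k, w):
    # H_k(w) = ((a*w + b) mod p) mod 2^L1: Carter-Wegman affine hashing,
    # universal with collision probability at most 1/2^L1 for w != w'.
    a, b = k
    return ((a * w + b) % P) % (2**L1)


def adversary_queries(rng):
    # Concrete (non-adaptive) adversary: q uniformly random, distinct queries,
    # so the "never repeats a query" assumption of the proof holds.
    asked = []
    while len(asked) < Q:
        w = rng.getrandbits(L_IN)
        if w not in asked:
            asked.append(w)
    return asked


def adversary_output(ys):
    # Outputs 1 iff two oracle answers coincide: this adversary exploits
    # exactly the event F that the proof bounds.
    return 1 if len(set(ys)) < len(ys) else 0


def game1(rng):
    """Game 1: F_s replaced by a truly random function f, sampled as a table."""
    k = hash_key(rng)
    f = [rng.getrandbits(L2) for _ in range(2**L1)]
    return adversary_output([f[H(k, w)] for w in adversary_queries(rng)])


def games2_and_3(rng):
    """Games 2 and 3 on the same coins (k, Y_1..Y_q, adversary queries).
    Returns (b_2, b_3, F).  Game 2 builds f on the fly with consistency
    checks; Game 3 always hands out the fresh Y_i.  With a non-adaptive
    adversary the two runs are identical unless F occurs."""
    k = hash_key(rng)
    Y = [rng.getrandbits(L2) for _ in range(Q)]
    xs, ys2, ys3, bad = [], [], [], False
    for i, w in enumerate(adversary_queries(rng)):
        x = H(k, w)
        if x in xs:                     # Game 2: x_i = x_j for some j < i
            bad = True
            ys2.append(ys2[xs.index(x)])
        else:
            ys2.append(Y[i])
        ys3.append(Y[i])                # Game 3: y_i <- Y_i unconditionally
        xs.append(x)
    return adversary_output(ys2), adversary_output(ys3), bad


def run(trials=3000, seed=2024):
    """Estimate Pr[S_1], Pr[S_2], Pr[S_3], check 'identical until F' on every
    run and compare Pr[S_2] - Pr[S_3] against the bound eps_uh * q^2 / 2."""
    rng = random.Random(seed)
    s1 = sum(game1(rng) for _ in range(trials)) / trials
    s2 = s3 = 0
    identical_until_bad = True
    for _ in range(trials):
        b2, b3, bad = games2_and_3(rng)
        s2 += b2
        s3 += b3
        if not bad and b2 != b3:
            identical_until_bad = False
    return {"S1": s1, "S2": s2 / trials, "S3": s3 / trials,
            "identical_until_bad": identical_until_bad,
            "bound": EPS_UH * Q * Q / 2}


if __name__ == "__main__":
    print(run())
```

run() reports the three estimated probabilities: Pr[S_1] and Pr[S_2] agree up to sampling error (the purely conceptual change), Pr[S_3] is small because fresh ℓ_2-bit values rarely repeat, and their difference stays below ε_uh q²/2 (for these parameters the bound exceeds 1, so it is loose but holds). Raising ℓ_1 to a realistic size makes F, and with it the gap between Games 2 and 3, vanish.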