Two New Online Ciphers
Mridul Nandi
National Institute of Standards and Technology, Gaithersburg, MD
Indocrypt 2008, Kharagpur
Mridul Nandi Indocrypt-2008 2
Outline of the talk
• Introduction to Online Ciphers.
• Security Notions for Online Ciphers
• Known Examples of Online Ciphers.
• Our Constructions.
• Conclusion.
Online Cipher
Online Cipher
• Most applications want real-time encryption, i.e., computing a ciphertext block as soon as a plaintext block arrives, to save both time and memory.
• Also known as one-pass encryption. In two-pass encryption the whole plaintext is needed to generate some intermediate value (such as a tag), and then the plaintext is used again to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.
Online Cipher
Definition (online cipher):
1. It is a block number preserving encryption algorithm.
2. If C = C1 || C2 || … || Ck is the ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj’s and Cj’s are blocks (128 bits for an AES-based design).
• In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci for i = 1, …, k.
• It is real-time encryption, but that does not necessarily mean it requires less memory. Why?
Online Cipher
[Figure, slides 7-10: blocks P1, P2, P3, …, Pk arrive one at a time from the input stream; as each Pi arrives, Ci is output and the buffer grows to hold P1, …, Pi.]
Buffer size increases linearly as plaintext blocks arrive, so it does not save memory; but it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
Efficient Online Ciphers
[Figure, slides 11-14: a chain of f blocks; plaintext P1, P2, …, Pk-1, Pk goes in, ciphertext C1, C2, …, Ck-1, Ck comes out, and the first f is fed the two initial values 0, 0.]
Buffer size = 3: at T = 1 the buffer holds (0, 0, P1); at T = 2 it holds (P1, C1, P2); at T = k it holds (Pk-1, Ck-1, Pk).
Is it an Online Cipher?
[Figure: the same chain of f blocks, with inputs P1, P2, …, Pk-1, Pk, outputs C1, C2, …, Ck-1, Ck and initial values 0, 0.]
Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1, which is not in the definition of an online cipher.
But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.
It is an Online Cipher.
If it is a cipher then it is an online cipher. To be a cipher it should be invertible; in other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi).
Inverse of an Online Cipher.
[Figure, slide 19: the inverse chain of g blocks; ciphertext C1, C2, …, Ck-1, Ck goes in, plaintext P1, P2, …, Pk-1, Pk comes out, with initial values 0, 0.]
Since Pi is computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi), we can write Pi = g(Pi-1, Ci-1, Ci).
Security Notions
Security notions for Online Ciphers
• (Strong) Pseudo Random Permutation, (S)PRP, is the strongest security notion for an encryption algorithm.
• An online cipher cannot be an (S)PRP, since the online property itself can be used to mount a distinguishing attack (two plaintexts with the same first block always give ciphertexts with the same first block, which a random permutation would not).
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the desired security notions: the maximum security achievable for online ciphers, defined by comparison with an ideal online cipher.
Security notions for Online Ciphers
• Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
• Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
Known Examples
Hash-CBC Online Ciphers
1. Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
2. Needs a blockcipher and an almost XOR-universal (AXU) hash function.
3. Universal hash function combined with CBC mode.
AU hash function
Poly hash generates distinct counters for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext:
Pr[H_h(M) = H_h(M') ∘ δ] ≤ L/2^n for distinct M, M', where ∘ is either + (modular addition) or ⊕ (xor).
Hash-CBC: HCBC1
[Figure, slide 26: C0 = 0; for each block, H is applied to Ci-1 (n bits to n bits), the result is xored into Pi, and Ek of that gives Ci.]
1. CPA-secure but not CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
3. Two independent keys (one for H and one for E).
Hash-CBC: HCBC2
[Figure, slide 27: P0 = C0 = 0; for each block, H is applied to the pair (Pi-1, Ci-1), and its n-bit output is xored into Pi before Ek and into the output of Ek to give Ci.]
1. CCA-secure.
2. H : {0,1}^2n → {0,1}^n is an AXU hash function.
3. Two independent keys (H and E).
Our Constructions
Recall HCBC2
[Figure: HCBC2 as on the previous slide, with the two n-bit inputs of H marked.]
Hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs before feeding them into H.
MHCBC
Modified Hash-CBC: MHCBC
[Figure, slides 31-32: P0 = C0 = 0; for each block, H is applied to Pi-1 ⊕ Ci-1 (n bits to n bits), and its output is xored into Pi before Ek and into the output of Ek to give Ci.]
1. CCA-secure.
2. H : {0,1}^n → {0,1}^n is an AXU hash function.
3. Two independent keys (H and E).
MCBC-1
Modified CBC: MCBC
[Figure, slide 34: the MHCBC structure, H followed by Ek in each block.]
We need an AXU hash function. EK itself can be a candidate for this.
Modified CBC: MCBC-1
[Figure, slide 35: the same structure with H replaced by Ek2.]
Since EK itself can serve as the AXU hash function, we can replace H by Ek2 (with an independently chosen key K2). This is called MCBC-1.
Modified CBC: MCBC
[Figure, slides 36-37: the same structure with H replaced by Ek under the same key K.]
What will happen if we replace H by Ek (same key K)? Is it secure?
NOT SECURE
Modified CBC: MCBC
[Figure, slides 38-40: the attack traced on the single-key structure, first through Ek and E-1k with initial values 0, 0, then through two blocks with the values v0, v1, v2.]
1st decryption query with ciphertext 0: the plaintext is Ek(0) = v0.
1st encryption query with plaintext 0: the ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0) = v1.
2nd encryption query with plaintext (v0, v1): the ciphertext will be (0, v2) with probability one, which is not what an ideal random online cipher would give.
MCBC-2
Modified CBC: MCBC-2
[Figure, slide 42: the single-key structure with K1 = Ek(1) xored in once per block.]
K1 protects from the previous attack. In fact, it is CCA-secure.
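The following Python, added here and not code from the slides or the paper, implements the hash-then-mask structure shared by MHCBC and the MCBC variants on top of a constructed toy block cipher (a seeded random permutation on 16-bit blocks in place of AES), keeping only the (Pi-1, Ci-1) buffer of slide 12, and replays the three queries of slides 38 to 40 against each variant. It assumes the AXU hash for MHCBC is multiplication by a random key in GF(2^16), reads the + of slide 39 as block xor, and guesses where K1 = Ek(1) is xored in MCBC-2, since the slides only state that it is xored in once per block.

```python
import random
N = 16  # constructed toy block size; the slides use n = 128 (AES)

def toy_blockcipher(seed):
    """Seeded random permutation on N-bit blocks standing in for E_K (constructed, not AES)."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    inverse = {y: x for x, y in enumerate(table)}
    return table.__getitem__, inverse.__getitem__

def gf_mul(a, b):
    """Product in GF(2^16) mod x^16+x^5+x^3+x+1; H_h(x) = gf_mul(h, x) is a 2^-N-AXU hash."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), a << 1, b >> 1
        a ^= 0x1002B if a >> N else 0
    return r

class HashCBC:
    """u_i = H(P_{i-1} xor C_{i-1}); C_i = E(P_i xor u_i) xor u_i; P_0 = C_0 = 0 (slides 31-42)."""
    def __init__(self, E, Einv, H):
        self.E, self.Einv, self.H = E, Einv, H
    def _run(self, blocks, decrypt):
        prev_p, prev_c, out = 0, 0, []
        for x in blocks:  # online: only the previous (P, C) pair and the current block are held
            u = self.H(prev_p ^ prev_c)
            y = (self.Einv if decrypt else self.E)(x ^ u) ^ u
            out.append(y)
            prev_p, prev_c = (y, x) if decrypt else (x, y)
        return out
    def encrypt(self, blocks): return self._run(blocks, False)
    def decrypt(self, blocks): return self._run(blocks, True)

def build(variant, seed=2008):
    E, Einv = toy_blockcipher(seed)
    if variant == "MHCBC":  # H = keyed AXU hash with its own key h
        h = random.Random(seed + 1).randrange(1, 1 << N)
        return HashCBC(E, Einv, lambda x: gf_mul(h, x))
    if variant == "MCBC-1":  # H = E_K2 under an independent key K2
        return HashCBC(E, Einv, toy_blockcipher(seed + 2)[0])
    if variant == "MCBC-2":  # K1 = E_K(1); where it is xored in is ASSUMED (inner E_K output)
        K1 = E(1)
        return HashCBC(E, Einv, lambda x: E(x) ^ K1)
    return HashCBC(E, Einv, E)  # MCBC: H = E_K under the same key K (slide 36)

def slide_attack(cipher):
    """Slides 38-40: Dec(0) -> v0, Enc(0) -> v2, then is Enc(v0, v1 = v2 xor v0) == (0, v2)?"""
    v0 = cipher.decrypt([0])[0]
    v2 = cipher.encrypt([0])[0]
    return cipher.encrypt([v0, v2 ^ v0]) == [0, v2]
```

With H = Ek under the same key the predicted pair (0, v2) appears for every seed, while the other three variants return it only by chance.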
Comparison
Mode     BC-Calls   Key-sch   AXU-Hash   Type of Hash   Keys
HCBC1    m          1         m          n → n          KBC + KH
HCBC2    m          1         m          2n → n         KBC + KH’
MHCBC    m          1         m          n → n          KBC + KH
MCBC-1   2m         2         0          -              2KBC
MCBC-2   2m+1       1         0          -              KBC
(m = number of plaintext blocks; BC-Calls = blockcipher calls; Key-sch = key schedules; AXU-Hash = hash evaluations)
Conclusion
1. Revisited Hash-CBC online ciphers.
2. Modified them by
   1. reducing the key space,
   2. removing the universal hash function,
   3. achieving better efficiency.
3. These are termed MHCBC and MCBC.
4. A simple modification of MHCBC won’t work.
5. A unified way of proving security of online ciphers (in the paper).
Thank you for your attention