--------------------------------------------------------------------------
CSE 227 - Lecture 2 - Fall 2001 - Oct 8
--------------------------------------------------------------------------

last time:
  1) Introduction
  2) Block Ciphers

TODAY:
  0. one-time pads and Shannon security
  1. block-cipher modes: CTR and CBC encryption
  2. pseudorandom permutations (PRPs)
  3. their friends, pseudorandom functions (PRFs)
  4. one-way functions (OWFs)
  5. pseudorandom generators (PRGs)

--------------------------------------------------------------------------
0. One-time pad.  Forgot to cover last time.

A mechanism for symmetric encryption.

Security notion:

   Message space = a set of messages Msgs such that if M is in Msgs then
   M' is in Msgs for every M' of the same length as M.  Also, linear time
   to decide if M is in Msgs.

   Shannon security: an encryption scheme Pi = (K, E, D) is Shannon-secure
   if for all equal-length M, M' in Msgs and for all c,

      Pr[k <- K; C <- E_k(M) : C = c]  =  Pr[k <- K; C <- E_k(M') : C = c]

Haven't covered the syntax of an encryption scheme yet, but that should
still be adequate.

--------------------------------------------------------------------------
1. Block-cipher modes: CTR and CBC encryption

Describe 'em!

--------------------------------------------------------------------------
2. PRPs and PRFs
--------------------------------------------------------------------------

a. Key-recovery goal

   attack: chosen-plaintext attack: interrogate an E_K oracle
   goal:   find the underlying key for the block cipher

   Let E: \K x {0,1}^n -> {0,1}^n be a block cipher.

      Adv^kr_E(A) = Pr[K <- \K : A^{E_K} = K]

   problem: too WEAK a definition -- an inability to recover the key does
   NOT imply that the scheme is good.  E_K(M) = M was a fine example.
   Look at what happens if you use this in CTR mode.

b. New-pair goal

   attack: chosen-plaintext attack using an E_K oracle
   goal:   find a pair (x, y) for which y = E_K(x) and x was not a prior
           query.
      Adv^np_E(A) = Pr[K <- \K; (x, y) <- A^{E_K} : y = E_K(x) and A made
                       no E_K-query of x in the previous step]

   Problem: still too weak.  See if students can find the problem.

   (a) "weak" argument: just because it's hard to find a pair (x, y)
       doesn't mean that you can't find a pair (x, y) for which you know
       "a lot" about x and y -- e.g., half of their bits.

   (b) Let E be a "good" block cipher having n-bit blocks.  Define

          F_K(x || x') = x || E_K(x xor E_K(x'))

       i.  verify that this IS a block cipher (on 2n-bit blocks).
       ii. that this is a SECURE block cipher (in the new-pair sense)
           follows from work we shall do later in the term.

c. PRP goal

   attack: interrogate an oracle that could be either an E_K oracle or a
           pi oracle (pi a random permutation)
   goal:   guess which type of oracle it is

      Adv^prp_E(A) = Pr[K <- \K : A^{E_K} = 1] - Pr[pi <- Perm(n) : A^pi = 1]

   Intuition: making available a family of random permutations.  Draw
   picture.

   How many possible permutations named by AES: 2^128.
   How many possible permutations on n = 128 bits: (2^128)!
   A tiny fraction: 2^128 / (2^128)! = 1 / (2^128 - 1)!
   But somehow A can't tell if it is seeing one of these VERY SPECIAL
   permutations or a random one.

   Information-theoretically it is easy: ask two different points, a and b.
      Random permutation: all 2^128 * (2^128 - 1) answer pairs are possible,
        and equally likely.
      E_K: only 2^128 answer pairs are possible (at most one per key).
      Pr[random perm gives an answer pair consistent with some E_K] is only
        2^128 / (2^128 * (2^128 - 1)) = 1 / (2^128 - 1).
      Answer 1 if the answer pair is one of these "special" values,
      answer 0 otherwise.

      Adv^prp_E(A) = Pr[K <- \K : A^{E_K} = 1] - Pr[pi <- Perm(n) : A^pi = 1]
                   = 1 - 1 / (2^128 - 1)  \approx  1

   But this adversary uses a 2^128-size table, which we count in her time.
   Is there a REASONABLE adversary that obtains big advantage?

..............................................................................
various other ways to formalize:
..............................................................................
PRP goal - version 2

   attack: interrogate an oracle that's either an E_K oracle or a pi
           oracle, which one being determined by a random coin flip b
   goal:   guess the coin flip

      Adv^prp2_E(A) = Pr[K <- \K; pi <- Perm(n); b <- {0,1};
                         if b = 0 then g = pi else g = E_K : A^g = b]

   same??  not quite; rescale:

      Adv^prp2_E(A) = 2 Pr[K <- \K; pi <- Perm(n); b <- {0,1};
                           if b = 0 then g = pi else g = E_K : A^g = b] - 1

   NOW the same:

      Adv^prp2_E(A) = 2 Pr[if b = 0 then g = pi else g = E_K : A^g = b] - 1
                    = 2 (0.5 Pr[A^pi = 0] + 0.5 Pr[A^{E_K} = 1]) - 1
                    = 2 (0.5 (1 - Pr[A^pi = 1]) + 0.5 Pr[A^{E_K} = 1]) - 1
                    = 1 - Pr[A^pi = 1] + Pr[A^{E_K} = 1] - 1
                    = Pr[A^{E_K} = 1] - Pr[A^pi = 1]
                    = Adv^prp_E(A)

-------------------------------------------------------------------------------
PRP-security -> KR-security

Suppose you had an adversary B that recovers the key for E with
probability \delta.  Want to construct an adversary A that, using
comparable resources to B, does a good job of breaking E (in the PRP
sense).

Definition of A^f:
   Run B^g.  When B makes an oracle query g(x), answer with f(x).
   Eventually B halts, outputting a key K'.
   Let x be the first point that has not been queried.    // assume q < 2^n
   Let y = f(x).
   If y = E_{K'}(x) then return 1 else return 0.

      Pr[A^{E_K} = 1] >= Adv^kr_E(B)
      Pr[A^pi = 1]    <= 2^{-n}

   so Adv^prp_E(A) >= Adv^kr_E(B) - 2^{-n}.

-------------------------------------------------------------------------------
Our PRP goal is invariant to natural strengthenings:
(Gentle introduction to the hybrid argument)

   // re for "real" or "reference"; te for "test"
   // B gets two oracles, written B^{re, te}

      Adv^prp'_E(B) = Pr[K <- \K : B^{E_K, E_K} = 1]
                    - Pr[K <- \K; pi <- Perm(n) : B^{E_K, pi} = 1]

Essentially the same:

   * Given an adversary A that attacks E in the PRP sense, there is an
     approx-as-good adversary B that attacks E in the PRP' sense.
     Trivial: don't use your "first" oracle.

   * Given an adversary B that attacks E in the PRP' sense, there is an
     approx-as-good adversary A that attacks E in the PRP sense.
     Not as trivial.
"Hybrid argument"

   B^{E_K, E_K} is significantly different from B^{E_K, pi}.  Look at:

        B^{E_K, E_K}    vs.    B^{pi, pi}    vs.    B^{E_K, pi}
            (1)                   (2)                  (3)

   Triangle inequality: (1) - (3) >= e', so
        (1) - (2) >= e'/2   or   (2) - (3) >= e'/2.

   Case 1gap2:  Build A like this:
      A^f: Run B.
           When B makes an oracle query re(x), answer f(x).
           When B makes an oracle query te(x), answer f(x).
           When B outputs a bit b, output b.
      ......
      if A's oracle is Real:  Pr[A^re = 1] = Pr[B^{re,re} = 1]
      if A's oracle is Fake:  Pr[A^fa = 1] = Pr[B^{fa,fa} = 1]
      So Pr[A^re = 1] - Pr[A^fa = 1] = Pr[B^{re,re} = 1] - Pr[B^{fa,fa} = 1] >= e'/2

   Case 2gap3:  Build A like this:
      A^f: Run B.  Choose K at random.
           When B makes an oracle query re(x), answer f(x).
           When B makes an oracle query te(x), answer E_K(x).
           When B outputs a bit b, output 1 - b.
      ......
      if A's oracle is Real:  Pr[A^re = 1] = 1 - Pr[B^{re,fa} = 1]
      if A's oracle is Fake:  Pr[A^fa = 1] = 1 - Pr[B^{fa,fa} = 1]
      So Pr[A^re = 1] - Pr[A^fa = 1] = 1 - Pr[B^{re,fa} = 1] - 1 + Pr[B^{fa,fa} = 1]
                                    = Pr[B^{fa,fa} = 1] - Pr[B^{re,fa} = 1] >= e'/2

----------------------------------------------------------------
3. PRFs

      Adv^prf_E(A) = Pr[K <- \K : A^{E_K} = 1] - Pr[rho <- Rand(n) : A^rho = 1]

PRP/PRF Conversion Lemma:
------------------------

Proposition: For any adversary A that makes at most q queries,

      | Adv^prf_E(A) - Adv^prp_E(A) |  <=  q^2 / (2 * 2^n)

Proof: must show

      Adv^prp_E(A) - q^2/(2 * 2^n)  <=  Adv^prf_E(A)  <=  Adv^prp_E(A) + q^2/(2 * 2^n)

Do the RHS; the LHS is directly analogous.

   Adv^prf_E(A) - Adv^prp_E(A)
      = (Pr[A^{E_K} = 1] - Pr[A^rho = 1]) - (Pr[A^{E_K} = 1] - Pr[A^pi = 1])
      = Pr[A^pi = 1] - Pr[A^rho = 1]
      = Pr[A^pi = 1] - Pr[A^rho = 1 | COLL] Pr[COLL] - Pr[A^rho = 1 | no COLL] Pr[no COLL]
     <= Pr[A^pi = 1] - Pr[A^rho = 1 | no COLL] Pr[no COLL]
      = Pr[A^pi = 1] - Pr[A^pi = 1] (1 - Pr[COLL])   // given no COLL, rho's q answers
                                                     // are distributed exactly like pi's
      = Pr[A^pi = 1] Pr[COLL]
     <= Pr[COLL]

   Here COLL is the event that two of rho's q answers collide:
   COLL = Union_{i=1}^q COLL_i, where COLL_i is the event that the i-th
   answer equals one of the i-1 earlier ones, so

      Pr[COLL] <= sum_{i=1}^q Pr[COLL_i] <= (0 + 1 + 2 + ... + (q-1)) / 2^n
               <= q(q-1) / (2 * 2^n).

--------------------------------------------------------------------
So far, we've assumed that the domain and range of our PRPs and PRFs are
{0,1}^n.  More general PRFs and PRPs: let the domain be arbitrary, but
require that if it has a string of one length, it has all strings of that
length; that it is easy to decide whether a string is in the domain or
not; and that it is nonempty.

........................................................................
4. One-way functions (OWFs)

Let f: D -> R where D has a distribution on it (usually, D is finite).

      Adv^owf_f(I) = Pr[x <- D; Y = f(x); x' <- I(Y) : f(x') = Y]

Here I give credit for finding any preimage.  Seems only fair.
Useful for the password-protection problem.

Suppose we are given a PRF F: {0,1}^n x {0,1}^n -> {0,1}^n.
Let f(x) = F_x(0).  One way?  I don't know!  Open, to the best of my
knowledge.

But suppose F: {0,1}^k x {0,1}^n -> {0,1}^L with k < L, and define
f: {0,1}^k -> {0,1}^L by f(X) = F_X(0), in the manner we have described.
Then, for the adversary A constructed below, Adv^prf_F(A) >= 0.5 Adv^owf_f(I).

......................................................................
First a bit of preliminaries.

"Wlog, I is deterministic."  Can usually do this.  DE-RANDOMIZATION
ARGUMENT.

      Adv^owf_f(I) = Pr[R <- {0,1}^r; X <- {0,1}^k; Y = f(X) : f(I(Y, R)) = Y]

   Let alpha_R = Pr[X <- {0,1}^k; Y = f(X) : f(I(Y, R)) = Y].  Then

      Adv^owf_f(I) = 1/2^r \sum_R alpha_R

   is just the average of the different alpha_R values.  If you have a
   bunch of numbers that average out to a, at least one of the numbers
   is at least a!  Thus there exists an R such that
   alpha_R >= Adv^owf_f(I).  For that particular R, I(Y, R) is a
   deterministic algorithm: R is "hardwired" into I.

Explain the "controversy" about this type of non-constructive argument.

......................................................................
Given:      an adversary I for inverting f(X) = F_X(0).
Construct:  an adversary A for breaking F as a PRF.

Definition of A:
   Ask query 0, getting response Y.
   Run I(Y), getting a value X.
   If F_X(0) = Y then return 1 else return 0.

......................................................................
Claim: Adv^prf_F(A) >= 0.5 Adv^owf_f(I)

   Let \e = Adv^owf_f(I).

      Adv^prf_F(A) = Pr[A^{F_K} = 1] - Pr[A^rho = 1]
                   = Pr[I inverts f] - Pr[A^rho = 1]
                   = \e - \delta            where \delta = Pr[A^rho = 1]

   Want to show: \delta = Pr[A^rho = 1] <= \e / 2.
   Actually, we'll show \delta <= 2^{k-L} \e.

      \e     = Pr[given a random K and Y = F_K(0), algorithm I(Y) finds K]
      \delta = Pr[given a random Y, algorithm I(Y) finds a K s.t. F_K(0) = Y]

   Let X = {K in {0,1}^k : I(f(K)) = K}     // x-values I succeeds on
   Let Y = {Y in {0,1}^L : f(I(Y)) = Y}     // y-values I succeeds on

      \e = |X| / 2^k          \delta = |Y| / 2^L

   Want to show \delta <= \e / 2:

      \delta = |Y| / 2^L  <=  |X| / 2^L  <=  2^k \e / 2^L  <=  0.5 \e

   Why is |Y| <= |X| ??

       strings of length k                 strings of length L
       (a string x is * if it's            (a string y is * if it's
        in X: I inverts f(x))               in Y: I inverts y)

        -----------                     ----------------------
        | . * . . |                     | . * . . . . . . . |
        | * . * . |      x -> f(x)      | . . * . . * . . . |
        | . . . * |     ---------->     | . . . . . . * . . |
        -----------                     ----------------------

   Each distinct y in Y has a distinct f-preimage, namely x = I(y), and
   that preimage lies in X (since I(f(x)) = I(y) = x).  So y -> I(y) is an
   injection from Y into X.
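The counting argument above, worked through as an added example (not part of the notes): a constructed toy PRF with k = 8 and L = 12, a deterministic table-based inverter I, and brute-force computation of the sets X and Y and of eps, delta and Adv^prf(A) for the adversary A defined above. The toy F, make_inverter and the other helper names are assumptions of this example, not anything from the course.

```python
import hashlib

K_BITS, L_BITS = 8, 12               # key length k and output length L, k < L
N_KEYS, N_OUT = 1 << K_BITS, 1 << L_BITS

def F(key: int, x: int) -> int:
    """Constructed toy PRF F: {0,1}^k x {0,1}^n -> {0,1}^L (truncated SHA-256)."""
    digest = hashlib.sha256(key.to_bytes(1, "big") + x.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") % N_OUT

def f(key: int) -> int:
    """The candidate one-way function f(X) = F_X(0)."""
    return F(key, 0)

def make_inverter(known_keys):
    """A deterministic inverter I (the derandomization is already done: no
    coins).  It only knows a table of some keys; on Y it returns the first
    known key with f(key) = Y, and the fixed guess 0 otherwise."""
    table = {}
    for key in known_keys:
        table.setdefault(f(key), key)
    return lambda y: table.get(y, 0)

def success_sets(I):
    """X = {K : I(f(K)) = K} and Y = {y : f(I(y)) = y}, exactly as in the notes."""
    X = {k for k in range(N_KEYS) if I(f(k)) == k}
    Y = {y for y in range(N_OUT) if f(I(y)) == y}
    return X, Y

def analyze(I):
    """Adversary A of the notes: query 0 to get Y, run I(Y) to get X, output 1
    iff F_X(0) = Y.  Returns (eps, delta, real, adv) where
      eps   = |X| / 2^k         (the notes' Adv^owf(I))
      delta = |Y| / 2^L         (Pr[A^rho = 1]: rho(0) is a uniform L-bit string)
      real  = Pr[A^{F_K} = 1]   (credit for ANY preimage, so real >= eps)
      adv   = real - delta      (Adv^prf(A), which is therefore >= eps - delta)."""
    X, Y = success_sets(I)
    eps, delta = len(X) / N_KEYS, len(Y) / N_OUT
    real = sum(f(I(f(k))) == f(k) for k in range(N_KEYS)) / N_KEYS
    return eps, delta, real, real - delta

def preimage_injection(I):
    """The |Y| <= |X| argument: y -> I(y) maps Y injectively into X."""
    X, Y = success_sets(I)
    images = {I(y) for y in Y}
    return len(images) == len(Y) and images <= X
```

With an inverter that knows half the key space, eps is close to 1/2 while delta is at most 2^{k-L} eps = eps/16, so A's advantage is well above the eps/2 the claim promises.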