Online Cryptography Course Dan Boneh
Using block ciphers. Modes of operation: one-time key.
Example: encrypted email, a new key for every message.

Using PRPs and PRFs
Goal: build "secure" encryption from a secure PRP (e.g. AES).
This segment: one-time keys.
  1. Adversary's power: Adv sees only one ciphertext (one-time key).
  2. Adversary's goal: learn info about PT from CT (semantic security).
Next segment: many-time keys (a.k.a. chosen-plaintext security).
Incorrect use of a PRP: Electronic Code Book (ECB)
  PT:  m1 | m2
  CT:  c1 | c2      (each block encrypted independently under the same key)
Problem: if m1 = m2 then c1 = c2.
In pictures (courtesy B. Preneel) [figure]
Semantic Security (one-time key)
EXP(0):
  Chal.: k ← K
  Adv. A → Chal.: m0, m1 ∈ M with |m0| = |m1|
  Chal. → Adv. A: c ← E(k, m0)
  Adv. A outputs b' ∈ {0,1}
EXP(1):
  Chal.: k ← K
  Adv. A → Chal.: m0, m1 ∈ M with |m0| = |m1|
  Chal. → Adv. A: c ← E(k, m1)
  Adv. A outputs b' ∈ {0,1}
One-time key ⇒ adversary sees only one ciphertext.
AdvSS[A,OTP] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | should be "neg."
ECB is not Semantically Secure
ECB is not semantically secure for messages that contain more than one block.
  Chal.: k ← K, b ∈ {0,1}
  Adv. A → Chal.: m0 = "Hello World", m1 = "Hello Hello"   (two blocks each)
  Chal. → Adv. A: (c1, c2) ← E(k, mb)
  Adv. A: if c1 = c2 output 0, else output 1
Then AdvSS[A, ECB] = 1.
Secure Construction I
Deterministic counter mode from a PRF F:
  • EDETCTR(k, m):
      m[0]    m[1]    …    m[L]
    ⊕ F(k,0)  F(k,1)  …    F(k,L)
    = c[0]    c[1]    …    c[L]
⇒ Stream cipher built from a PRF (e.g. AES, 3DES)
Det. counter-mode security
Theorem: For any L > 0, if F is a secure PRF over (K, X, X) then EDETCTR is a sem. sec. cipher over (K, X^L, X^L).
In particular, for any eff. adversary A attacking EDETCTR there exists an eff. PRF adversary B s.t.:
  AdvSS[A, EDETCTR] = 2 ⋅ AdvPRF[B, F]
AdvPRF[B, F] is negligible (since F is a secure PRF). Hence, AdvSS[A, EDETCTR] must be negligible.
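The ECB attack and the deterministic counter mode above, as an added example that is not part of the lecture: it assumes HMAC-SHA256 truncated to one block as the PRF F (the lecture uses AES or 3DES), uses an `ecb_like` stand-in that only reproduces ECB's per-block determinism, and also shows why the key must be one-time. All inputs are constructed.

```python
import hmac
import hashlib

BLOCK = 16  # block length in bytes: X = {0,1}^128, as with AES

def F(k: bytes, x: bytes) -> bytes:
    """PRF F: K x X -> X. HMAC-SHA256 truncated to one block stands in for
    the AES-based PRF of the lecture (an assumption of this example)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def blocks(m: bytes) -> list:
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def det_ctr(k: bytes, m: bytes) -> bytes:
    """E_DETCTR(k, m): c[i] = m[i] XOR F(k, i). The pad is plaintext-independent,
    so the same function decrypts; a short last block uses a prefix of its pad."""
    out = bytearray()
    for i, mi in enumerate(blocks(m)):
        out += xor(mi, F(k, i.to_bytes(BLOCK, "big")))
    return bytes(out)

def ecb_like(k: bytes, m: bytes) -> bytes:
    """ECB stand-in: each block mapped by the same keyed function of that block
    alone. Not invertible, so not a cipher; it only reproduces ECB's leak."""
    return b"".join(F(k, mi) for mi in blocks(m))

def equal_first_blocks(c: bytes) -> bool:
    """The lecture's ECB adversary: output 0 if c1 == c2, else 1.
    Returns True exactly when that adversary would answer 0."""
    b = blocks(c)
    return len(b) >= 2 and b[0] == b[1]

def key_reuse_leak(k: bytes, m0: bytes, m1: bytes) -> bytes:
    """Why the key is one-time only: encrypting m0 and m1 under the same k
    gives c0 XOR c1 = m0 XOR m1, the XOR of the two plaintexts."""
    return xor(det_ctr(k, m0), det_ctr(k, m1))

# Constructed sample inputs (not from the lecture); each message is two blocks.
K = b"constructed example key"
A = b"HelloHelloHello!"                 # one 16-byte block
M0 = A + b"HelloWorldHello!"            # "Hello World": two different blocks
M1 = A + A                              # "Hello Hello": two equal blocks

if __name__ == "__main__":
    print("ECB leak on M1:   ", equal_first_blocks(ecb_like(K, M1)))   # True
    print("DETCTR leak on M1:", equal_first_blocks(det_ctr(K, M1)))    # False
    print("key reuse leaks m0^m1:", key_reuse_leak(K, M0, M1) == xor(M0, M1))
```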
Proof (a sequence of games; ≈p means an efficient adv. A outputs b' ≟ 1 with about the same probability in the two adjacent games; in every game A first sends m0, m1 to the chal.):
  Game 1: chal. k ← K;      c ← m0 ⊕ (F(k,0) … F(k,L));  adv. A outputs b', test b' ≟ 1
  ≈p   (F is a secure PRF: replacing F(k,·) by a random function f changes A's behaviour only by AdvPRF[B, F])
  Game 2: chal. f ← Funs;   c ← m0 ⊕ (f(0) … f(L));      adv. A outputs b', test b' ≟ 1
  ≈p   (f is random, so f(0) … f(L) is a fresh one-time pad r ← {0,1}^n and c is uniform whichever message is encrypted)
  Game 3: chal. f ← Funs;   c ← m1 ⊕ (f(0) … f(L));      adv. A outputs b', test b' ≟ 1
  ≈p   (F is a secure PRF, as in the first step)
  Game 4: chal. k ← K;      c ← m1 ⊕ (F(k,0) … F(k,L));  adv. A outputs b', test b' ≟ 1
Game 1 is EXP(0) and Game 4 is EXP(1); the two PRF steps give the factor 2 in the theorem.
End of Segment