1 / 10

Deterministic Encryption

Online Cryptography Course Dan Boneh. Odds and ends. Deterministic Encryption. The need for det. Encryption (no nonce). ??. Alice. Alice. Bob. data. data. data. k 1 , k 2. ⋮. e ncrypted database. The need for det. Encryption (no nonce). ??.

kateb
Télécharger la présentation

Deterministic Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Online Cryptography Course Dan Boneh Odds and ends Deterministic Encryption

  2. The need for det. Encryption (no nonce) ?? Alice Alice Bob data data data k1, k2 ⋮ encrypted database

  3. The need for det. Encryption (no nonce) ?? Alice Bob Alice data data data k1, k2 ⋮ Later: Retrieve record E(k1, “Alice”) encrypted database det. enc. enables later lookup

  4. Problem: det. enc. cannot be CPA secure The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Leads to significant attacks when message space M is small. equal ciphertextsmeans same index

  5. Problem: det. enc. cannot be CPA secure m0 ,m0 M c E(k,mb) c0E(k, m0) The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information Attacker wins CPA game: b Chal. Adv. kK m0 , m1  M output 0 if c = c0

  6. A solution: the case of unique messages Suppose encryptor never encrypts same message twice: the pair (k , m) never repeats This happens when encryptor: • Chooses messages at random from a large msg space (e.g. keys) • Message structure ensures uniqueness (e.g. unique user ID)

  7. Deterministic CPA security ci E(k,mi,b) E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as: Def: E is sem. sec. under det. CPA if for all efficient A:AdvdCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible. for i=1,…,q: b Chal. Adv. kK mi,0, mi,1  M : |mi,0| = |mi,1| b’  {0,1} where m1,0, …, mq,0are distinct and m1,1, …, mq,1 are distinct

  8. A Common Mistake 0n 1n , 0n 1n c1[FIV, E(k, 0n⨁FIV) , …] CBC with fixed IV is not det. CPA secure. Let E: K × {0,1}n⟶ {0,1}n be a secure PRP used in CBC b Chal. Adv. kK m0=0n, m1 = 1n output 0 if c[1] = c1[1] c [FIV, E(k, FIV) ] or c [FIV, E(k, 1n⨁FIV) ] Leads to significant attacks in practice.

  9. m,m c’  mb⨁F(k, FIV) c m⨁F(k, FIV) Is counter mode with a fixed IV det. CPA secure? message ⨁ F(k, FIV) ll F(k, FIV+1) ll … ll F(k, FIV+L) Yes ciphertext b No Adv. Chal. It depends kK m0 , m1 output 0 if c⨁c’=m⨁m0

  10. End of Segment

More Related