1 / 45

450 likes | 585 Vues

Two New Online Ciphers. Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur. Outline of the talk. Introduction to Online Ciphers. Security Notions for Online Ciphers Known Examples of Online Ciphers. Our Constructions. Conclusion.

Télécharger la présentation
## Two New Online Ciphers

**An Image/Link below is provided (as is) to download presentation**
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.
Content is provided to you AS IS for your information and personal use only.
Download presentation by click this link.
While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

**Two New Online Ciphers**Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur**Outline of the talk**• Introduction to Online Ciphers. • Security Notions for Online Ciphers • Known Examples of Online Ciphers. • Our Constructions. • Conclusion. Indocrypt-2008**Online Cipher**Indocrypt-2008**Online Cipher**• Most applications want real time encryption. (i.e., compute ciphertext as soon as a plaintext block arrived to save time and memory both). • Also known as one-pass encryption (in two-pass encryption, whole plaintext is needed to generate some intermediate values (like, a tag) and then the plaintext is again used to compute ciphertext. The first ciphertext block can not be computed unless complete plaintext arrived). Indocrypt-2008**Online Cipher**• Definition (online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008**Online Cipher**• Definition (online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). • In other words, there exists an algorithm B, such that B(P1,…, Pi) = Ci, i =1,…,k. • It is real time encryption, But, not necessarily means it requires less memory.Why? Indocrypt-2008**Online Cipher**Input stream P1 C1 P1 Buffer Indocrypt-2008**Online Cipher**Input stream P2 C2 P1 P2 Buffer Indocrypt-2008**Online Cipher**Input stream P3 C3 P1 P2 P3 Buffer Indocrypt-2008**Online Cipher**Input stream Pk Ck P1 P2 P3 … Pk Buffer Buffer size increases linearly as plaintexts are arriving. So it does not save memory, but it is one-pass and hence once the whole plaintext is arrived the complete cipher text is known. Indocrypt-2008**f**f f Efficient Online Ciphers Buffer size =3 P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008**f**f f Efficient Online Ciphers Buffer size =3, when T=1, 0, 0, P1 Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008**f**f f Efficient Online Ciphers Buffer size =3, when T=2, P1, C1, P2 Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008**f**f f Efficient Online Ciphers Buffer size =3, when T=k, Pk-1, Ck-1, Pk Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008**f**f f Is it an Online Cipher? Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1 (not in the definition of online cipher) P2 Pk-1 Pk P1 0 … C1 C2 Ck-1 Ck 0 Indocrypt-2008**P2**Pk-1 Pk P1 0 … f f f C1 C2 Ck-1 Ck 0 Is it an Online Cipher? Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1 (not in the definition of online cipher) • Definition(online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008**P2**Pk-1 Pk P1 0 … f f f C1 C2 Ck-1 Ck 0 Is it an Online Cipher? But Ci-1 depends on Pi-2, Pi-1 and Ci-2 and so on. So by induction it can be shown that Ci depends only on P1,…,Pi • Definition(online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008**f**f f It is an Online Cipher. If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). P2 Pk-1 Pk P1 0 … C1 C2 Ck-1 Ck 0 Indocrypt-2008**Inverse of an Online Cipher.**If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). So Pi = g(Pi-1,Ci-1,Ci). P2 Pk-1 Pk P1 0 … g g g C1 C2 Ck-1 Ck 0 Indocrypt-2008**Security Notions**Indocrypt-2008**Security notions for Online Ciphers**• (Strong) Pseudo Random Permutation are strongest security notions for an encryption algorithm. • Online cipher can not be (S)PRPsince online property itself can be used to make a distinguishing attack. • Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) introduced desired security notions (maximum security can be achieved for online ciphers by introducing ideal online cipher). Indocrypt-2008**Security notions for Online Ciphers**• Chosen-Plaintext Secure or CPA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries. • Chosen-Ciphertext Secure or CCA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries. Indocrypt-2008**Known Examples**Indocrypt-2008**Hash-CBC Online Ciphers**• Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) designed Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure). • Needs a blockcipher and a Almost XOR-universal hash function. • Universal Hash function with CBC mode. Indocrypt-2008**AU hash function**• Poly hash generates the distinct counter for distinct messages with high probability. Poly-hash is L/2n –AU hash function where L is the max number of blocks of a plaintext. Pr[Hh(M) = Hh(M’) i] L/2n where is either + (modulo addition) or (xor). Indocrypt-2008**P2**P1 Pk Ek Ek Ek H H H Ck C1 C2 Hash-CBC: HCBC1 • CPA-secure but not CCA-secure. • H : {0,1}n{0,1}nis AXU-hash function (n = block size). • Two independent keys (one for H and one for E). n … n Ck-1 0 Indocrypt-2008**Hash-CBC: HCBC2**• CCA-secure. • H : {0,1}2n{0,1}nis AXU-hash function. • Two independent keys (H and E). Indocrypt-2008**Our Constructions**Indocrypt-2008**Pk-1**0 P2 P1 Pn … Ek Ek Ek H H H Ck-1 0 Cn C2 C1 Recall HCBC2 n n Hash H takes two n bit inputs and produces n bit output. We can xor the two n bit inputs before feeding into H. Indocrypt-2008**MHCBC**Indocrypt-2008**Pk-1**0 P2 Pk P1 … Ek Ek Ek H H H n n n Ck-1 0 C2 Ck C1 Modified Hash-CBC: MHCBC Indocrypt-2008**Modified Hash-CBC: MHCBC**• CCA-secure. • H : {0,1}n{0,1}nis AXU-hash function. • Two independent keys (H and E). Indocrypt-2008**MCBC-1**Indocrypt-2008**Modified CBC: MCBC**P1 Pk-1 0 P1 P1 … H Ek H Ek H Ek C1 Ck-1 0 C1 C1 We need a AXU-hash function. EK itself can be a candidate for this. Indocrypt-2008**Modified CBC: MCBC-1**P1 Pk-1 0 P1 P1 … Ek2 Ek1 Ek2 Ek1 Ek2 Ek1 C1 Ck-1 0 C1 C1 We need a AXU-hash function. EK itself can be a candidate for this. So we can replace H by Ek2(independently chosen key K2). This is called MCBC-1 Indocrypt-2008**Modified CBC: MCBC**P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 What will happen if we replace H by Ek (same key K)? Is it secure? Indocrypt-2008**Modified CBC: MCBC**P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 NOT SECURE Indocrypt-2008**Modified CBC: MCBC**Ek(0) 0 1st Decryption query with ciphertext 0, thenplaintext isEk(0) = v0. Ek(0) 0 Ek E-1k Ek(0) Ek(0) 0 0 Indocrypt-2008**Modified CBC: MCBC**0 0 1st Decryption query with ciphertext 0, thenplaintext isEk(0) = v0. v0 v0 Ek Ek 1st Encryption query with plaintext 0 Ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0)= v1. v1 v0 v2 0 Indocrypt-2008**Modified CBC: MCBC**v1 v0 0 2nd Encryption query with plaintext (v0,v1). The ciphertext will be (0,v2) with probability one which is not desired for an ideal random online cipher. v0 v1 0 0 Ek Ek Ek Ek v0 v0 v0 v1 v0 v2 0 0 Indocrypt-2008**MCBC-2**Indocrypt-2008**K1**K1 K1 Modified CBC: MCBC P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 Ek K1 1 K1 protects from the previous attack. In fact, it is CCA-secure. Indocrypt-2008**Comparison**Indocrypt-2008**Conclusion**• Revisited Hash-CBC online ciphers. • Modified them by • Reducing key space • Removing universal hash function • having better efficiency. • These are termed MHCBC and MCBC. • A simple modification of MHCBC won’t work. • An unified way of proving security of online ciphers (in the paper). Indocrypt-2008**Thank you for your attention**Indocrypt-2008

More Related