
Cryptanalysis-tolerant CPA crypt.


uriel-wolfe


Presentation Transcript


  1. Cryptanalysis-tolerant CPA crypt. • Suppose E, E’ are two encryption schemes, one of which is CPA-secure (we do not know which) • E.g., a standard and a proprietary scheme, or a new and an old one • Cascade [EG85]: E* = E ◦ E’ • E* is CPA-secure if either E or E’ is CPA-secure; we say that the cascade is cryptanalysis tolerant.

  2. Cascading CPA - question • Given two encryption schemes E and E’, one of which is a candidate for CPA security, define: E*k,k'(x) = Ek(E’k'(x)) • Question: assume either E or E’ is CPA-secure. Is E* then a CPA-secure cryptosystem? • Answer:

  3. Cascading CPA-Secure system • Claim: if either E or E’ is CPA-secure, then E* is CPA-secure. • Proof: suppose, to the contrary, that there exists an adversary A* such that Pr[A* wins the indistinguishability test against E*, running in time ≤ t with q queries] > ½ + ε*(k,t,q), i.e., A* can distinguish E* from a random permutation. • Build adversaries A (for E) and A' (for E') that use A* as a subroutine to distinguish. • We prove the case of A (A and A' are symmetric).

  4. Cont' • A tries to win the test for E while running A* against E*. A uses E as a black box (its encryption oracle) and controls E’ fully. • Key generation - A generates the key k' for E' itself; the key k for E is the unknown key of A's own test. • Select - A must answer the encryption requests that A* sends for E* (under CPA there are no decryption requests). When A* asks to encrypt m, A computes c' = E’k'(m) with its own key and asks its oracle for Ek(c'); the result Ek(E’k'(m)) = E*k,k'(m) is returned to A*. • Encrypt - when A* outputs <select, m0, m1>, A outputs <select, E’k'(m0), E’k'(m1)> for E and passes the challenge ciphertext Ek(E’k'(mb)) = E*k,k'(mb) to A* unchanged. • When A* outputs its guess b', A outputs the same guess. A wins exactly when A* wins, and costs only one extra E' computation per query. (A' is symmetric: it generates k, queries its E' oracle on m and applies Ek to the answer.)

  5. [Figure: the reduction. A* sends select/encrypt requests for E*; A, which controls E’ (holds k'), forwards the E part of each request to its oracle.]

  6. Cryptographic Constructions: Demonstrating insecurity • Usual method: • Let g’ be an arbitrary function satisfying goal G. • Design g which also satisfies G: the security of g follows (easily?) from the security of g’. • But g is not good for the construction... • Namely: the function f which is constructed using g does not satisfy goal F.

  7. An example of the patterns ECB leaves in the ciphertext when encrypting an image pixel by pixel. [Figure: three images side by side: plaintext, encrypted with ECB, encrypted with a non-ECB mode.]

  8. CBC

  9. OFB

  10. CBC - OFB • CBC • requires padding the message to a multiple of the block size. • Decryption can be parallelized (encryption cannot). • A 1-bit change of a plaintext block changes that ciphertext block and every later one. • OFB • Does not require message padding. • Neither encryption nor decryption can be parallelized: each keystream block is the encryption of the previous one. • A flipped ciphertext bit flips only the corresponding plaintext bit, so an error-correcting code (ECC) embedded in the plaintext can still detect and correct it. • Both • “Randomization” property: with a random IV, equal plaintext blocks do not give equal ciphertext blocks, so repeated blocks cannot be detected (unlike ECB).

  11. Problem • CBC and OFB are good for creating a VIL (variable input length) cipher from a FIL (fixed input length) block cipher, but they have drawbacks: • Transmission errors. • Parallel computation. • Describe the drawbacks in detail. • Suggest a scheme for creating a VIL cipher from FIL blocks which keeps the CBC/OFB properties and eliminates the limitations above.

  12. Solution • Drawbacks • Block dependency makes encryption sequential (and OFB decryption too, since the keystream must be generated in order); CBC decryption is the exception and can be parallelized. • Transmission errors (CBC) - if ciphertext block c_i is damaged, plaintext block p_i is garbled entirely and the same bit positions are flipped in p_{i+1}; a single damaged bit in c_i is enough to lose p_i. • OFB - a damaged ciphertext bit damages only the corresponding plaintext bit, so an embedded ECC can correct single-bit errors.

  13. Solution • Instead of chaining blocks to disguise the ciphertext, use a counter: encrypt (nonce || counter) for each block and XOR the result with the plaintext block (counter mode). Blocks are independent, so both encryption and decryption can be parallelized, and a transmission error affects only the corresponding plaintext bits. • The counter does not need to be kept secret; what must hold is that a (nonce, counter) value is never reused under the same key, otherwise two plaintexts are XORed with the same keystream.
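The following is an added example (not part of the slides) that implements CBC, OFB and counter mode over a toy 16-byte block cipher and measures the two properties slides 10 to 13 compare: which direction of each mode can be computed block by block in parallel, and how a single flipped ciphertext bit propagates into the decrypted plaintext. The block cipher is a 4-round Feistel network with HMAC-SHA256 as round function; it is an assumption standing in for a real block cipher such as AES, chosen only so the example runs offline. The key, IV and message are constructed.

```python
# Added example (not from the slides): CBC, OFB and CTR built over a toy
# 16-byte block cipher, to show which mode direction is block-parallel and
# how a single flipped ciphertext bit propagates into the plaintext.
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 as a keyed PRF, truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    # Toy 4-round Feistel permutation. Assumption: stands in for a real FIL
    # block cipher such as AES; it is here only so the example runs offline.
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _blocks(data: bytes):
    return [data[i: i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):                    # c[i] = E(p[i] xor c[i-1]): inherently sequential
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    cs = _blocks(ct)
    pairs = list(zip([iv] + cs[:-1], cs))     # p[i] = D(c[i]) xor c[i-1]: only two inputs each,
    with ThreadPoolExecutor() as ex:          # so every block can be decrypted in parallel
        return b"".join(ex.map(lambda pc: _xor(block_decrypt(key, pc[1]), pc[0]), pairs))


def ofb_crypt(key, iv, data):
    ks, s = [], iv
    while len(ks) * BLOCK < len(data):
        s = block_encrypt(key, s)             # s[i] = E(s[i-1]): keystream is sequential
        ks.append(s)
    return _xor(data, b"".join(ks))           # encryption and decryption are the same XOR


def ctr_crypt(key, nonce, data):
    n = (len(data) + BLOCK - 1) // BLOCK

    def ks(i):                                # block i depends only on (nonce, i),
        return block_encrypt(key, nonce[:8] + i.to_bytes(8, "big"))

    with ThreadPoolExecutor() as ex:          # so keystream blocks are computed in parallel
        return _xor(data, b"".join(ex.map(ks, range(n))))


# Constructed inputs (not from the slides): fixed key, IV and a 4-block message.
KEY = b"\x11" * 16
IV = bytes(range(16))
PT = b"pay 100 to alice" * 4

MODES = {
    "CBC": (lambda pt: cbc_encrypt(KEY, IV, pt), lambda ct: cbc_decrypt(KEY, IV, ct)),
    "OFB": (lambda pt: ofb_crypt(KEY, IV, pt), lambda ct: ofb_crypt(KEY, IV, ct)),
    "CTR": (lambda pt: ctr_crypt(KEY, IV, pt), lambda ct: ctr_crypt(KEY, IV, ct)),
}


def roundtrip_ok(mode: str) -> bool:
    enc, dec = MODES[mode]
    return dec(enc(PT)) == PT


def error_propagation(mode: str, block: int = 1, bit: int = 3) -> dict:
    """Flip one bit of ciphertext block `block`, decrypt, and return
    {plaintext block index: number of differing bits} for every damaged block."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(PT))
    ct[block * BLOCK] ^= 1 << bit
    bad = _xor(dec(bytes(ct)), PT)
    return {i: sum(bin(b).count("1") for b in blk)
            for i, blk in enumerate(_blocks(bad)) if any(blk)}


if __name__ == "__main__":
    for m in MODES:
        print(m, roundtrip_ok(m), error_propagation(m))
```

Running it shows the behaviour the slides describe: for CBC the flipped bit garbles plaintext block 1 completely and flips exactly one bit in block 2, while for OFB and CTR only the single corresponding plaintext bit changes. Only CBC decryption and both CTR directions use the thread pool; CBC encryption and the OFB keystream loop cannot, because each step needs the previous output.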

  14. Indistinguishability Test • Prove that the following encryption scheme does not pass the indistinguishability test. • Discrete log is the basis of several public-key cryptosystems. • Assumption: for a known prime p, a generator g of Z_p^* and y, it is hard to find x such that g^x mod p = y. • For a public prime p and generator g, and a message m < p: Ek(m) = { x = g^m mod p; y = g^(kx) mod p; return x || (y xor m) }

  15. Solution • The first component x = g^m mod p depends only on m, not on the key or on any randomness. The adversary chooses m0, m1, computes g^m0 mod p and g^m1 mod p itself and compares them with the x in the challenge ciphertext, so it identifies the encrypted message with certainty; the discrete-log assumption is never needed.

  16. Indistinguishability Test is Strong • Two encryptions of the same message should be indistinguishable • Otherwise the adversary can ask for another encryption of a known message and identify it • Encryption must therefore be randomized and/or stateful • With state, encryption depends on history • In practice: encryption is usually randomized • No assumption about the plaintext • May be just two messages, ‘0’ and ‘1’ • May be biased (90% is ‘0’)

  17. CPA-IND Secure Cryptosystem from KPA-Secure • Let Ck be a KPA-secure cryptosystem on fixed-length blocks • Encrypt each message block m as Ek(m) = r || Ck(m xor r), where r is a fresh random block • Observation: this is simply CBC mode of Ck with a single block and IV r! • The proof extends to multiple-block CBC • Theorem [GM89]: Ek(m) is CPA-IND secure.

  18. Question • Let E be a KPA-secure cryptosystem on n-bit blocks. Consider the following function on {0,1}^2n (for any n): E’k(x) = Ek(x[1..n]) || Ek(Ek(x[1..n]) xor x[(n+1)..2n]). • Is E'k(x) KPA secure? • Is E'k(x) CPA secure?

  19. Solution • Not CPA secure - • Choose two different plaintexts with the same first half, for example 1010||1100 and 1010||1001. • The first n bits of the two ciphertexts are identical, because that part is Ek(x[1..n]) and depends only on the first half of the plaintext. • An adversary with an encryption oracle therefore asks for the encryption of its first message, submits the two messages as the challenge and compares the first n bits of the challenge ciphertext with the oracle's answer. • KPA secure - • Under a known-plaintext attack the adversary does not choose the messages, so it cannot arrange two messages with the same first half; for distinct first halves the prefix Ek(x[1..n]) is as good as the output of E itself.
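Added example (not from the slides): a small IND-CPA game harness run against the two schemes of the exercises above (the discrete-log scheme of slide 14 and E’k of slide 18), and for contrast against the r || Ck(m xor r) construction of slide 17. The adversaries against the first two schemes exploit the deterministic part of the ciphertext exactly as the solutions describe. Assumptions: the prime p = 1019 with g = 2 is a constructed toy parameter, nowhere near a secure size; the block cipher Ek is stood in by HMAC-SHA256 truncated to n = 8 bytes, which is enough because the attack needs only that Ek is deterministic.

```python
# Added example (not from the slides): a small IND-CPA game harness run
# against the two exercise schemes, plus the randomized r || C_k(m xor r)
# construction, reporting each adversary's winning rate.
import hashlib
import hmac
import secrets

# --- Scheme A: E_k(m) = x || (y xor m), x = g^m mod p, y = g^(k*x) mod p.
# Constructed toy parameters (assumption: a tiny prime, not a secure size).
P, G = 1019, 2


def dl_keygen() -> int:
    return secrets.randbelow(P - 1) + 1


def dl_encrypt(k: int, m: int) -> tuple:
    x = pow(G, m, P)                 # deterministic in m: no key, no randomness
    y = pow(G, k * x, P)
    return (x, y ^ m)


def dl_choose(oracle):
    return 5, 7, None                # any two messages with g^m0 != g^m1 mod p


def dl_guess(oracle, c, state) -> int:
    return 0 if c[0] == pow(G, 5, P) else 1    # recompute x for m0 and compare


# --- Scheme B: E'_k(x) = E_k(x1) || E_k(E_k(x1) xor x2) on 2n-byte x.
# Assumption: E_k is stood in by HMAC-SHA256 truncated to n = 8 bytes; the
# attack relies only on E_k being deterministic, as any block cipher is.
N = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blk(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def key_bytes() -> bytes:
    return secrets.token_bytes(16)


def eprime_encrypt(k: bytes, x: bytes) -> bytes:
    c1 = blk(k, x[:N])
    return c1 + blk(k, _xor(c1, x[N:]))


def eprime_choose(oracle):
    m0, m1 = b"A" * N + b"B" * N, b"C" * N + b"B" * N
    return m0, m1, oracle(m0)[:N]    # first half of E'(m0) is fixed by m0's first half


def eprime_guess(oracle, c, state) -> int:
    return 0 if c[:N] == state else 1


# --- Scheme C: the CPA-from-KPA construction E_k(m) = r || C_k(m xor r),
# with the same stand-in for C_k and a fresh random r per encryption.
def rand_encrypt(k: bytes, m: bytes) -> bytes:
    r = secrets.token_bytes(len(m))
    return r + blk(k, _xor(m, r))


def ind_cpa_game(keygen, encrypt, choose, guess, trials: int = 400) -> float:
    """Return the fraction of games the adversary wins (0.5 means no advantage)."""
    wins = 0
    for _ in range(trials):
        k = keygen()
        oracle = lambda m, k=k: encrypt(k, m)    # CPA: encryption oracle only
        m0, m1, state = choose(oracle)
        b = secrets.randbits(1)
        c = encrypt(k, m1 if b else m0)
        wins += guess(oracle, c, state) == b
    return wins / trials


if __name__ == "__main__":
    print("discrete-log scheme:", ind_cpa_game(dl_keygen, dl_encrypt, dl_choose, dl_guess))
    print("E'_k scheme:", ind_cpa_game(key_bytes, eprime_encrypt, eprime_choose, eprime_guess))
    print("r || C_k(m xor r):", ind_cpa_game(key_bytes, rand_encrypt, eprime_choose, eprime_guess))
```

The two deterministic schemes lose every game (winning rate 1.0 for the adversary), while the same prefix-comparing adversary against the randomized construction is reduced to guessing, with a winning rate that hovers around 0.5. The same harness can be pointed at any (keygen, encrypt) pair to check a candidate scheme against a hand-written distinguisher.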

  20. Error Detection • We would like to transmit ciphertext over the wire. Alice suggests using a parity check as the error-detection code. • Do we have privacy? • Do we have integrity?

  21. Error Detection • Assume OTP encryption and an intercepting adversary. • The adversary doesn’t know k and sees c on the wire: c = (m xor k) || parity(m) [one bit]. • The adversary drops c and replaces it with c’ in which any even number of bits of m xor k have been flipped: the parity of the decrypted message is unchanged, so the check passes (notice that in this example the adversary doesn’t even need to know m). • OK, no integrity, but maybe privacy? • parity(m) is sent in the clear, so one bit of information about m leaks. With a known domain of messages (e.g. a money transfer with a few possible amounts), that bit can single out which message was sent; and knowing the message format, the adversary can flip chosen bits (such as the amount) rather than arbitrary ones.
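Added example (not from the slides) of the attack on slides 20 and 21: a one-time pad with a trailing parity bit, an interceptor who rewrites the amount of a transfer without knowing the key, and an observer who uses the clear parity bit to tell two candidate messages apart. The message format TRANSFER 0100 TO BOB and the key are constructed. Because parity is linear, the interceptor does not even need an even number of flips: it XORs a delta into the ciphertext and corrects the parity bit by the parity of the delta.

```python
# Added example (not from the slides): OTP || parity(m) has neither integrity
# nor full privacy. Key and message format are constructed for the example.
import secrets


def parity(data: bytes) -> int:
    return sum(bin(b).count("1") for b in data) & 1


def otp_encrypt(key: bytes, m: bytes) -> bytes:
    # c = (m xor k) || parity(m): the parity bit travels in the clear.
    return bytes(a ^ b for a, b in zip(m, key)) + bytes([parity(m)])


def otp_decrypt(key: bytes, c: bytes) -> bytes:
    m = bytes(a ^ b for a, b in zip(c[:-1], key))
    if parity(m) != c[-1]:
        raise ValueError("parity check failed")
    return m


def tamper(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Replace the known plaintext bytes `old` at `offset` with `new`, without the key.
    XORing delta = old xor new into the ciphertext XORs it into the plaintext too;
    the parity bit then needs to flip exactly when delta has an odd number of set bits
    (an even number of flipped bits, as on the slide, leaves it untouched)."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    body = bytearray(c[:-1])
    for i, d in enumerate(delta):
        body[offset + i] ^= d
    return bytes(body) + bytes([c[-1] ^ parity(delta)])


def which_message(c: bytes, m0: bytes, m1: bytes):
    """Privacy leak: if two candidate messages differ in parity, the clear parity bit
    alone tells an observer which one was sent; returns None if it cannot tell."""
    p0, p1 = parity(m0), parity(m1)
    if p0 == p1:
        return None
    return m0 if c[-1] == p0 else m1


MSG = b"TRANSFER 0100 TO BOB"       # constructed message; amount starts at offset 9
ALT = b"TRANSFER 0900 TO BOB"


def run_demo() -> dict:
    key = secrets.token_bytes(len(MSG))
    c = otp_encrypt(key, MSG)
    forged = tamper(c, 9, b"0100", b"0900")   # '1' xor '9' = 0x08: one bit, odd parity
    return {
        "forged_accepted": otp_decrypt(key, forged),   # no integrity: check passes
        "identified": which_message(c, MSG, ALT),       # no privacy: parity picks MSG
    }


if __name__ == "__main__":
    print(run_demo())
```

The receiver accepts the forged transfer of 0900 because the adjusted parity bit matches, and the observer, knowing only that the message is one of the two amounts, reads off which one from the parity bit. An integrity check must depend on a key (a MAC), and nothing computed from the plaintext alone may be sent in the clear.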
