## Two New Online Ciphers


Mridul Nandi, National Institute of Standards and Technology, Gaithersburg, MD. Indocrypt 2008, Kharagpur.

**Outline of the talk**

- Introduction to Online Ciphers.
- Security Notions for Online Ciphers.
- Known Examples of Online Ciphers.
- Our Constructions.
- Conclusion.

**Online Cipher**

- Most applications want real-time encryption, i.e., computing a ciphertext block as soon as a plaintext block arrives, to save both time and memory.
- Also known as one-pass encryption. In two-pass encryption the whole plaintext is needed to generate some intermediate value (such as a tag), and the plaintext is then used again to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.

**Online Cipher: definition**

- It is a block-number-preserving encryption algorithm.
- If C = C1 || C2 || … || Ck is the ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj's and Cj's are blocks (128 bits for an AES-based design).
- In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci for i = 1, …, k.
- It is real-time encryption, but that does not necessarily mean it requires less memory. Why?

[Figure: input stream P1, P2, P3, …, Pk arriving one block at a time; when Ci is produced the buffer holds P1, …, Pi.]

Buffer size increases linearly as plaintext blocks arrive, so the definition alone does not save memory. But it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
**Efficient Online Ciphers**

[Figure: plaintext P1, P2, …, Pk-1, Pk with P0 = 0; ciphertext C1, C2, …, Ck-1, Ck with C0 = 0; each Ci is produced by a function f of (Pi-1, Ci-1, Pi).]

- Buffer size = 3. At T = 1 the buffer holds (0, 0, P1); at T = 2 it holds (P1, C1, P2); at T = k it holds (Pk-1, Ck-1, Pk).

**Is it an Online Cipher?**

- Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1, which is not in the definition of an online cipher.
- But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.

**It is an Online Cipher**

- If it is a cipher then it is an online cipher. To be a cipher it should be invertible.
- In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). So Pi = g(Pi-1, Ci-1, Ci).

[Figure: decryption runs the same chain with g in place of f: P0 = 0, C0 = 0, and Pi = g(Pi-1, Ci-1, Ci) for i = 1, …, k.]

**Security notions for Online Ciphers**

- (Strong) Pseudo-Random Permutation, (S)PRP, is the strongest security notion for an encryption algorithm.
- An online cipher cannot be an (S)PRP, since the online property itself can be used to mount a distinguishing attack.
- Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the desired security notions: the maximum security achievable by an online cipher, defined by introducing the ideal online cipher.
- Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
- Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.

**Known Examples: Hash-CBC Online Ciphers**

- Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
- Needs a block cipher and an almost-XOR-universal (AXU) hash function.
- Universal hash function combined with CBC mode.

**AU hash function**

- Poly hash generates distinct values for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext: for all M ≠ M' and all δ,
  Pr[H_h(M) = H_h(M') ◇ δ] ≤ L/2^n,
  where ◇ is either + (modular addition) or ⊕ (xor).

**Hash-CBC: HCBC1**

[Figure: HCBC1 chain with C0 = 0; the previous ciphertext block Ci-1 passes through H, is xored into Pi, and the result is encrypted with Ek to give Ci.]

- CPA-secure but not CCA-secure.
- H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
- Two independent keys (one for H and one for E).

**Hash-CBC: HCBC2**

- CCA-secure.
- H : {0,1}^2n → {0,1}^n is an AXU hash function.
- Two independent keys (H and E).
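The AXU bound above is easiest to see by enumerating keys. The following is an added example, not code from the slides or the paper: a polynomial hash over GF(2^n) with a toy block size n = 8 (my choice, using the AES field polynomial x^8 + x^4 + x^3 + x + 1, so that all 256 keys can be enumerated; the talk uses n = 128), plus an exhaustive check of the L/2^n differential bound.

```python
"""Added example (not from the slides): poly hash as an AXU hash, with the
L/2^n bound verified by brute force over the whole key space for n = 8."""

N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field; an assumption for n = 8


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2^N) modulo POLY (shift-and-xor)."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:          # reduce when the degree reaches N
            a ^= POLY
    return r


def poly_hash(h: int, msg: list) -> int:
    """H_h(M) = M_1 h^L + M_2 h^(L-1) + ... + M_L h, evaluated in Horner form.
    Each block of msg is an N-bit integer; h is the N-bit hash key."""
    acc = 0
    for m in msg:
        acc = gf_mul(acc ^ m, h)
    return acc


def max_differential_prob(m1: list, m2: list) -> float:
    """max over delta of Pr_h[H_h(m1) = H_h(m2) xor delta], taken over all 2^N keys.
    For distinct equal-length messages of L blocks the difference is a nonzero
    polynomial in h of degree <= L, so the count is at most L: bound L/2^N."""
    counts = {}
    for h in range(1 << N):
        d = poly_hash(h, m1) ^ poly_hash(h, m2)
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values()) / (1 << N)


if __name__ == "__main__":
    print(poly_hash(2, [1, 1]))                        # h^2 + h with h = x: 6
    print(max_differential_prob([1, 2, 3], [4, 5, 6]))  # <= 3/256
    print(max_differential_prob([1], [0, 1]))           # 1.0: see the usage note
```

The last call shows the caveat a practitioner needs: the bound is stated for messages of the same block length L. Without a length encoding or a padding rule that makes leading-zero blocks distinguishable, the one-block message (1) and the two-block message (0, 1) hash to the same value h under every key, so the "almost universal" property fails completely across different lengths.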
**Our Constructions**

**Recall HCBC2**

[Figure: HCBC2 chain with P0 = 0 and C0 = 0; at each block H takes the pair (Pi-1, Ci-1) as two n-bit inputs before the Ek call.]

- Hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs before feeding them into H.

**Modified Hash-CBC: MHCBC**

[Figure: the same chain as HCBC2, but H is fed the single n-bit value Pi-1 ⊕ Ci-1.]

- CCA-secure.
- H : {0,1}^n → {0,1}^n is an AXU hash function.
- Two independent keys (H and E).

**Modified CBC: MCBC-1**

[Figure: the MHCBC chain with the hash H replaced by a block-cipher call.]

- We need an AXU hash function. Ek itself can be a candidate for this.
- So we can replace H by Ek2 (independently chosen key K2). This is called MCBC-1.

**Modified CBC: MCBC**

- What will happen if we replace H by Ek (same key K)? Is it secure?
- NOT SECURE:
  - 1st decryption query with ciphertext 0: the plaintext is Ek(0) = v0.
  - 1st encryption query with plaintext 0: the ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0) = v1.
  - 2nd encryption query with plaintext (v0, v1): the ciphertext will be (0, v2) with probability one, which is not expected of an ideal random online cipher.

**MCBC-2**

[Figure: the MCBC chain with an extra value K1, shown derived from Ek and the constant 1, fed into each block of the chain.]

- K1 protects from the previous attack. In fact, it is CCA-secure.
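To make the constant-buffer online cipher and the same-key failure concrete, here is an added example; it is not code from the slides or from the paper. It assumes, as my reconstruction from the slide figures (it reproduces the three values v0, v2 and (0, v2) of the slides, with + read as xor), the chain X_i = H(P_{i-1} ⊕ C_{i-1}), C_i = E(P_i ⊕ X_i) ⊕ X_i with P_0 = C_0 = 0; MCBC-1 takes H = E_{K2} and the insecure MCBC takes H = E_K. The block cipher is a constructed 16-bit keyed permutation standing in for AES, so everything runs offline.

```python
"""Added example (not from the slides): a Hash-CBC-style online cipher with a
buffer of (P_{i-1}, C_{i-1}, P_i), its inverse, the online (prefix) property,
and the three-query test from the talk that breaks same-key MCBC."""
import random
from typing import Callable, List

BLOCK_BITS = 16
DOMAIN = 1 << BLOCK_BITS


class ToyBlockCipher:
    """Constructed stand-in for E_K: a seeded random permutation of 16-bit blocks."""

    def __init__(self, key: int) -> None:
        rng = random.Random(key)          # the key seeds the permutation (illustration only)
        self.fwd = list(range(DOMAIN))
        rng.shuffle(self.fwd)
        self.inv = [0] * DOMAIN
        for x, y in enumerate(self.fwd):
            self.inv[y] = x

    def enc(self, x: int) -> int:
        return self.fwd[x]

    def dec(self, y: int) -> int:
        return self.inv[y]


class OnlineCipher:
    """Chain C_i = f(P_{i-1}, C_{i-1}, P_i): only the last (P, C) pair is buffered."""

    def __init__(self, e: ToyBlockCipher, h: Callable[[int], int]) -> None:
        self.e, self.h = e, h

    def encrypt(self, blocks: List[int]) -> List[int]:
        prev_p = prev_c = 0                # P_0 = C_0 = 0
        out = []
        for p in blocks:
            x = self.h(prev_p ^ prev_c)    # assumed hash input P_{i-1} xor C_{i-1}
            c = self.e.enc(p ^ x) ^ x
            out.append(c)
            prev_p, prev_c = p, c
        return out

    def decrypt(self, blocks: List[int]) -> List[int]:
        prev_p = prev_c = 0
        out = []
        for c in blocks:
            x = self.h(prev_p ^ prev_c)
            p = self.e.dec(c ^ x) ^ x      # the inverse g(P_{i-1}, C_{i-1}, C_i)
            out.append(p)
            prev_p, prev_c = p, c
        return out


def mcbc1(k1: int, k2: int) -> OnlineCipher:
    """MCBC-1: the hash is E under an independent second key K2."""
    return OnlineCipher(ToyBlockCipher(k1), ToyBlockCipher(k2).enc)


def mcbc_same_key(k: int) -> OnlineCipher:
    """The insecure variant from the talk: the hash is E under the same key K."""
    e = ToyBlockCipher(k)
    return OnlineCipher(e, e.enc)


def is_prefix_preserving(cipher: OnlineCipher, a: List[int], b: List[int]) -> bool:
    """Online property: C_i depends only on P_1..P_i, so plaintexts sharing a
    prefix of n blocks must produce ciphertexts sharing the same n-block prefix."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return cipher.encrypt(a)[:n] == cipher.encrypt(b)[:n]


def roundtrip_ok(cipher: OnlineCipher, pt: List[int]) -> bool:
    return cipher.decrypt(cipher.encrypt(pt)) == pt


def three_query_relation(cipher: OnlineCipher) -> bool:
    """The talk's three queries.  An ideal online cipher satisfies the final
    equality only with negligible probability; same-key MCBC always does."""
    v0 = cipher.decrypt([0])[0]            # decryption query on ciphertext 0 -> E_K(0)
    v2 = cipher.encrypt([0])[0]            # encryption query on plaintext 0 -> E_K(v0) xor v0
    v1 = v2 ^ v0                           # recovers E_K(v0) in the same-key case
    return cipher.encrypt([v0, v1]) == [0, v2]


if __name__ == "__main__":
    print("same-key MCBC relation holds:", three_query_relation(mcbc_same_key(7)))
    print("MCBC-1 relation holds:       ", three_query_relation(mcbc1(7, 11)))
```

The two encryption/decryption loops keep only (prev_p, prev_c), which is the buffer-size-3 picture from the slides; decryption needs no look-ahead because g uses the same two buffered values plus the current ciphertext block. The relation function is the CCA distinguisher of the talk written as a test: it returns True for every key of the same-key variant, while for MCBC-1 the final equality would require the independently keyed permutation to hit two specific values by chance.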
**Comparison**

**Conclusion**

- Revisited the Hash-CBC online ciphers.
- Modified them by reducing the key space, removing the universal hash function, and obtaining better efficiency.
- These are termed MHCBC and MCBC.
- A simple modification of MHCBC won't work.
- A unified way of proving the security of online ciphers (in the paper).

**Thank you for your attention**