Two New Online Ciphers

# Two New Online Ciphers

## Two New Online Ciphers

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
##### Presentation Transcript

1. Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur

2. Outline of the talk • Introduction to Online Ciphers. • Security Notions for Online Ciphers • Known Examples of Online Ciphers. • Our Constructions. • Conclusion. Indocrypt-2008

3. Online Cipher Indocrypt-2008

4. Online Cipher • Most applications want real time encryption. (i.e., compute ciphertext as soon as a plaintext block arrived to save time and memory both). • Also known as one-pass encryption (in two-pass encryption, whole plaintext is needed to generate some intermediate values (like, a tag) and then the plaintext is again used to compute ciphertext. The first ciphertext block can not be computed unless complete plaintext arrived). Indocrypt-2008

5. Online Cipher • Definition (online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008

6. Online Cipher • Definition (online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). • In other words, there exists an algorithm B, such that B(P1,…, Pi) = Ci, i =1,…,k. • It is real time encryption, But, not necessarily means it requires less memory.Why? Indocrypt-2008

7. Online Cipher Input stream P1 C1 P1 Buffer Indocrypt-2008

8. Online Cipher Input stream P2 C2 P1 P2 Buffer Indocrypt-2008

9. Online Cipher Input stream P3 C3 P1 P2 P3 Buffer Indocrypt-2008

10. Online Cipher Input stream Pk Ck P1 P2 P3 … Pk Buffer Buffer size increases linearly as plaintexts are arriving. So it does not save memory, but it is one-pass and hence once the whole plaintext is arrived the complete cipher text is known. Indocrypt-2008

11. f f f Efficient Online Ciphers Buffer size =3 P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008

12. f f f Efficient Online Ciphers Buffer size =3, when T=1, 0, 0, P1 Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008

13. f f f Efficient Online Ciphers Buffer size =3, when T=2, P1, C1, P2 Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008

14. f f f Efficient Online Ciphers Buffer size =3, when T=k, Pk-1, Ck-1, Pk Buffer P2 Pk-1 Pk P1 Plaintext 0 … C1 C2 Ck-1 Ck Ciphertext 0 Indocrypt-2008

15. f f f Is it an Online Cipher? Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1 (not in the definition of online cipher) P2 Pk-1 Pk P1 0 … C1 C2 Ck-1 Ck 0 Indocrypt-2008

16. P2 Pk-1 Pk P1 0 … f f f C1 C2 Ck-1 Ck 0 Is it an Online Cipher? Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1 (not in the definition of online cipher) • Definition(online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008

17. P2 Pk-1 Pk P1 0 … f f f C1 C2 Ck-1 Ck 0 Is it an Online Cipher? But Ci-1 depends on Pi-2, Pi-1 and Ci-2 and so on. So by induction it can be shown that Ci depends only on P1,…,Pi • Definition(online cipher): • It is a block number preserving encryption algorithm. • If C = C1 || C2 || … ||Ck is a ciphertext of P = P1 || P2 || … ||Pk then Ci should be computable from P1||…||Pi where Pj’s, Cj’s are blocks (128 bits for AES based design). Indocrypt-2008

18. f f f It is an Online Cipher. If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). P2 Pk-1 Pk P1 0 … C1 C2 Ck-1 Ck 0 Indocrypt-2008

19. Inverse of an Online Cipher. If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). So Pi = g(Pi-1,Ci-1,Ci). P2 Pk-1 Pk P1 0 … g g g C1 C2 Ck-1 Ck 0 Indocrypt-2008

20. Security Notions Indocrypt-2008

21. Security notions for Online Ciphers • (Strong) Pseudo Random Permutation are strongest security notions for an encryption algorithm. • Online cipher can not be (S)PRPsince online property itself can be used to make a distinguishing attack. • Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) introduced desired security notions (maximum security can be achieved for online ciphers by introducing ideal online cipher). Indocrypt-2008

22. Security notions for Online Ciphers • Chosen-Plaintext Secure or CPA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries. • Chosen-Ciphertext Secure or CCA-secure : No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries. Indocrypt-2008

23. Known Examples Indocrypt-2008

24. Hash-CBC Online Ciphers • Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) designed Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure). • Needs a blockcipher and a Almost XOR-universal hash function. • Universal Hash function with CBC mode. Indocrypt-2008

25. AU hash function • Poly hash generates the distinct counter for distinct messages with high probability. Poly-hash is L/2n –AU hash function where L is the max number of blocks of a plaintext. Pr[Hh(M) = Hh(M’)  i]  L/2n where  is either + (modulo addition) or  (xor). Indocrypt-2008

26. P2 P1 Pk Ek Ek Ek H H H Ck C1 C2 Hash-CBC: HCBC1 • CPA-secure but not CCA-secure. • H : {0,1}n{0,1}nis AXU-hash function (n = block size). • Two independent keys (one for H and one for E). n … n Ck-1 0 Indocrypt-2008

27. Hash-CBC: HCBC2 • CCA-secure. • H : {0,1}2n{0,1}nis AXU-hash function. • Two independent keys (H and E). Indocrypt-2008

28. Our Constructions Indocrypt-2008

29. Pk-1 0 P2 P1 Pn … Ek Ek Ek H H H Ck-1 0 Cn C2 C1 Recall HCBC2 n n Hash H takes two n bit inputs and produces n bit output. We can xor the two n bit inputs before feeding into H. Indocrypt-2008

30. MHCBC Indocrypt-2008

31. Pk-1 0 P2 Pk P1 … Ek Ek Ek H H H n n n Ck-1 0 C2 Ck C1 Modified Hash-CBC: MHCBC Indocrypt-2008

32. Modified Hash-CBC: MHCBC • CCA-secure. • H : {0,1}n{0,1}nis AXU-hash function. • Two independent keys (H and E). Indocrypt-2008

33. MCBC-1 Indocrypt-2008

34. Modified CBC: MCBC P1 Pk-1 0 P1 P1 … H Ek H Ek H Ek C1 Ck-1 0 C1 C1 We need a AXU-hash function. EK itself can be a candidate for this. Indocrypt-2008

35. Modified CBC: MCBC-1 P1 Pk-1 0 P1 P1 … Ek2 Ek1 Ek2 Ek1 Ek2 Ek1 C1 Ck-1 0 C1 C1 We need a AXU-hash function. EK itself can be a candidate for this. So we can replace H by Ek2(independently chosen key K2). This is called MCBC-1 Indocrypt-2008

36. Modified CBC: MCBC P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 What will happen if we replace H by Ek (same key K)? Is it secure? Indocrypt-2008

37. Modified CBC: MCBC P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 NOT SECURE Indocrypt-2008

38. Modified CBC: MCBC Ek(0) 0 1st Decryption query with ciphertext 0, thenplaintext isEk(0) = v0. Ek(0) 0 Ek E-1k Ek(0) Ek(0) 0 0 Indocrypt-2008

39. Modified CBC: MCBC 0 0 1st Decryption query with ciphertext 0, thenplaintext isEk(0) = v0. v0 v0 Ek Ek 1st Encryption query with plaintext 0 Ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0)= v1. v1 v0 v2 0 Indocrypt-2008

40. Modified CBC: MCBC v1 v0 0 2nd Encryption query with plaintext (v0,v1). The ciphertext will be (0,v2) with probability one which is not desired for an ideal random online cipher. v0 v1 0 0 Ek Ek Ek Ek v0 v0 v0 v1 v0 v2 0 0 Indocrypt-2008

41. MCBC-2 Indocrypt-2008

42. K1 K1 K1 Modified CBC: MCBC P1 Pk-1 0 P1 P1 … Ek Ek Ek Ek Ek Ek C1 Ck-1 0 C1 C1 Ek K1 1 K1 protects from the previous attack. In fact, it is CCA-secure. Indocrypt-2008

43. Comparison Indocrypt-2008

44. Conclusion • Revisited Hash-CBC online ciphers. • Modified them by • Reducing key space • Removing universal hash function • having better efficiency. • These are termed MHCBC and MCBC. • A simple modification of MHCBC won’t work. • An unified way of proving security of online ciphers (in the paper). Indocrypt-2008

45. Thank you for your attention Indocrypt-2008