This talk provides an overview of online ciphers, their security notions, known examples, and constructions. It discusses the efficiency and memory requirements of online ciphers.
Two New Online Ciphers
Mridul Nandi, National Institute of Standards and Technology, Gaithersburg, MD
Indocrypt 2008, Kharagpur
Outline of the talk
• Introduction to Online Ciphers.
• Security Notions for Online Ciphers.
• Known Examples of Online Ciphers.
• Our Constructions.
• Conclusion.
Indocrypt-2008
Online Cipher
Online Cipher
• Most applications want real-time encryption, i.e., compute a ciphertext block as soon as a plaintext block arrives, to save both time and memory.
• Also known as one-pass encryption. In two-pass encryption the whole plaintext is needed to generate some intermediate value (like a tag), and then the plaintext is used again to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.
Online Cipher
• Definition (online cipher):
• It is a block-number-preserving encryption algorithm.
• If C = C1 || C2 || … || Ck is the ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj's and Cj's are blocks (128 bits for an AES-based design).
• In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci for i = 1, …, k.
• It is real-time encryption, but that does not necessarily mean it requires less memory. Why?
Online Cipher
(Diagram: the input stream P1, P2, P3, …, Pk arrives block by block; each Ci is output as Pi arrives, while the buffer holds P1, P2, …, Pi.)
Buffer size increases linearly as plaintext blocks arrive. So it does not save memory, but it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
Efficient Online Ciphers
(Diagram: plaintext blocks P1, P2, …, Pk-1, Pk and ciphertext blocks C1, C2, …, Ck-1, Ck; each Ci is produced by a function f from the previous plaintext block, the previous ciphertext block and Pi, with P0 = C0 = 0.)
Buffer size = 3: when T = 1 the buffer holds (0, 0, P1); when T = 2 it holds (P1, C1, P2); when T = k it holds (Pk-1, Ck-1, Pk).
Is it an Online Cipher?
Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1, which does not appear in the definition of an online cipher.
But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.
It is an Online Cipher.
If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi).
Inverse of an Online Cipher.
So Pi = g(Pi-1, Ci-1, Ci), and decryption runs the same chain with g in place of f.
Security Notions
Security notions for Online Ciphers
• (Strong) Pseudo-Random Permutation, (S)PRP, is the strongest security notion for an encryption algorithm.
• An online cipher cannot be an (S)PRP, since the online property itself can be used to mount a distinguishing attack.
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the desired security notions: the maximum security achievable for online ciphers, defined by introducing the ideal online cipher.
Security notions for Online Ciphers
• Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
• Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
Known Examples
Hash-CBC Online Ciphers
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
• Needs a block cipher and an almost-XOR-universal (AXU) hash function.
• Universal hash function with CBC mode.
AU hash function
• Poly-hash generates a distinct value for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext: Pr[H_h(M) = H_h(M') ∘ δ] ≤ L/2^n for all distinct M, M' and every δ, where ∘ is either + (modular addition) or xor.
Hash-CBC: HCBC1
(Diagram: a chain of H and Ek blocks over P1, P2, …, Pk producing C1, C2, …, Ck, with C0 = 0; each H has an n-bit input.)
• CPA-secure but not CCA-secure.
• H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
• Two independent keys (one for H and one for E).
Hash-CBC: HCBC2
• CCA-secure.
• H : {0,1}^2n → {0,1}^n is an AXU hash function.
• Two independent keys (H and E).
Our Constructions
Recall HCBC2
(Diagram: a chain of H and Ek blocks over P1, P2, …, Pn producing C1, C2, …, Cn, with P0 = C0 = 0; each H takes two n-bit inputs.)
Hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs before feeding them into H.
MHCBC
Modified Hash-CBC: MHCBC
(Diagram: the same chain of H and Ek blocks over P1, P2, …, Pk producing C1, C2, …, Ck, with P0 = C0 = 0; each H now takes a single n-bit input.)
• CCA-secure.
• H : {0,1}^n → {0,1}^n is an AXU hash function.
• Two independent keys (H and E).
MCBC-1
Modified CBC: MCBC
(Diagram: the MHCBC chain of H and Ek blocks over P1, …, Pk-1 producing C1, …, Ck-1.)
We need an AXU hash function. EK itself can be a candidate for this.
Modified CBC: MCBC-1
So we can replace H by Ek2 (independently chosen key K2). This is called MCBC-1.
Modified CBC: MCBC
What will happen if we replace H by Ek (the same key K)? Is it secure?
NOT SECURE
Modified CBC: MCBC
1st decryption query with ciphertext 0: the plaintext is Ek(0) = v0.
1st encryption query with plaintext 0: the ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0) = v1.
2nd encryption query with plaintext (v0, v1): the ciphertext will be (0, v2) with probability one, which is not desired for an ideal random online cipher.
MCBC-2
Modified CBC: MCBC-2
(Diagram: the single-key MCBC chain, with K1 = Ek(1) fed into each of the hashing Ek blocks.)
K1 protects from the previous attack. In fact, it is CCA-secure.
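Added example, not code from the talk or the paper: a runnable model of the f/g online chain above and of the three-query CCA distinguisher, with the single-key MCBC read from the slide diagrams as V_i = E_K(P_{i-1} xor C_{i-1}), C_i = E_K(P_i xor V_i) xor V_i, P_0 = C_0 = 0 (this reproduces the values v0, v1, v2 on the attack slides). The 64-bit toy Feistel cipher standing in for E_K, and xoring K1 = E_K(1) into V_i for the MCBC-2 variant, are assumptions of this example rather than the paper's definitions.

```python
import hashlib

# Toy 64-bit block cipher: a 4-round Feistel network with a SHA-256 based round
# function. Constructed stand-in for the AES-style E_K of the talk (assumption).
def _f(key: bytes, half: int, rnd: int) -> int:
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def E(key: bytes, x: int) -> int:
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _f(key, r, i)
    return (l << 32) | r

def D(key: bytes, y: int) -> int:  # inverse of E: rounds undone in reverse order
    l, r = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(4)):
        l, r = r ^ _f(key, l, i), l
    return (l << 32) | r

def mcbc_encrypt(key: bytes, blocks: list, k1: int = 0) -> list:
    """Online chain C_i = f(P_{i-1}, C_{i-1}, P_i) with a buffer of three blocks:
    V_i = E_K(P_{i-1} ^ C_{i-1}) ^ k1, C_i = E_K(P_i ^ V_i) ^ V_i, P_0 = C_0 = 0.
    k1 = 0 is single-key MCBC; k1 = E_K(1) models MCBC-2 (placement assumed)."""
    p_prev = c_prev = 0
    out = []
    for p in blocks:
        v = E(key, p_prev ^ c_prev) ^ k1
        c = E(key, p ^ v) ^ v
        out.append(c)
        p_prev, c_prev = p, c
    return out

def mcbc_decrypt(key: bytes, blocks: list, k1: int = 0) -> list:
    """Inverse chain P_i = g(P_{i-1}, C_{i-1}, C_i): recompute V_i, then
    P_i = E_K^{-1}(C_i ^ V_i) ^ V_i."""
    p_prev = c_prev = 0
    out = []
    for c in blocks:
        v = E(key, p_prev ^ c_prev) ^ k1
        p = D(key, c ^ v) ^ v
        out.append(p)
        p_prev, c_prev = p, c
    return out

def three_query_distinguisher(key: bytes, k1: int = 0):
    """The talk's queries: Dec(0) -> v0, Enc(0) -> v2, then v1 = v2 ^ v0 (which
    equals E_K(v0) for single-key MCBC). Returns (Enc(v0, v1), v2); for k1 = 0
    the result is always [0, v2], which an ideal online cipher would not give."""
    v0 = mcbc_decrypt(key, [0], k1)[0]
    v2 = mcbc_encrypt(key, [0], k1)[0]
    return mcbc_encrypt(key, [v0, v2 ^ v0], k1), v2
```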
Comparison
Conclusion
• Revisited Hash-CBC online ciphers.
• Modified them by
• reducing the key space,
• removing the universal hash function,
• having better efficiency.
• These are termed MHCBC and MCBC.
• A simple modification of MHCBC won't work.
• A unified way of proving security of online ciphers (in the paper).
Thank you for your attention