Two New Online Ciphers
Mridul Nandi, National Institute of Standards and Technology, Gaithersburg, MD
Indocrypt 2008, Kharagpur
Outline of the talk
• Introduction to Online Ciphers.
• Security Notions for Online Ciphers.
• Known Examples of Online Ciphers.
• Our Constructions.
• Conclusion.
Online Cipher
Online Cipher
• Most applications want real-time encryption, i.e., the ciphertext block is computed as soon as a plaintext block arrives, to save both time and memory.
• Also known as one-pass encryption. In two-pass encryption the whole plaintext is needed to generate some intermediate value (like a tag), and then the plaintext is used again to compute the ciphertext; the first ciphertext block cannot be computed until the complete plaintext has arrived.
Online Cipher
• Definition (online cipher):
• It is a block-number-preserving encryption algorithm.
• If C = C1 || C2 || … || Ck is the ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj's and Cj's are blocks (128 bits for an AES-based design).
• In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci for i = 1, …, k.
• It is real-time encryption, but this does not necessarily mean that it requires less memory. Why?
Online Cipher
[Figure: input stream P1, P2, P3, …, Pk; the buffer holds P1, …, Pi at the time Ci is output]
Buffer size increases linearly as plaintext blocks arrive. So it does not save memory, but it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.
Efficient Online Ciphers
[Figure: plaintext blocks P1, P2, …, Pk-1, Pk and ciphertext blocks C1, C2, …, Ck-1, Ck, with P0 = C0 = 0; each Ci is produced by a function f from a buffer of size 3: at time T = 1 the buffer holds (0, 0, P1), at T = 2 it holds (P1, C1, P2), and at T = k it holds (Pk-1, Ck-1, Pk)]
Is it an Online Cipher?
[Figure: the same circuit, Ci = f(Pi-1, Ci-1, Pi)]
• Ci = f(Pi-1, Ci-1, Pi) depends on Ci-1, which does not appear in the definition of an online cipher (Ci computable from P1, …, Pi alone).
• But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.
It is an Online Cipher. Inverse of an Online Cipher.
• If it is a cipher, then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi). So Pi = g(Pi-1, Ci-1, Ci).
[Figure: decryption runs the same 3-block buffer with g in place of f: C1, C2, …, Ck back to P1, P2, …, Pk, with P0 = C0 = 0]
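As an added example (not code from the talk or the paper), the following Python sketch implements the generic 3-block-buffer structure of the slides above: encryption Ci = f(Pi-1, Ci-1, Pi), decryption Pi = g(Pi-1, Ci-1, Ci), with P0 = C0 = 0. The particular f used here (a keyed blake2b mask of the previous plaintext and ciphertext blocks) is an assumption chosen only because it is invertible in Pi; it is not one of the talk's constructions and claims no security. The block also exhibits the prefix-preserving behaviour that the security-notion slides below use to argue that an online cipher can never be a (S)PRP.

```python
import hashlib
from typing import Iterable, Iterator, List

BLOCK = 8                 # toy 64-bit blocks; the talk's AES-based designs use 128-bit blocks
ZERO = bytes(BLOCK)       # P_0 = C_0 = 0, as in the slides' figures


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_f_g(key: bytes):
    """One concrete (f, g) pair with the shape from the slides:
        C_i = f(P_{i-1}, C_{i-1}, P_i)   and   P_i = g(P_{i-1}, C_{i-1}, C_i).
    Assumption of this example: f masks P_i with a keyed PRF of (P_{i-1}, C_{i-1}).
    For fixed (P_{i-1}, C_{i-1}) that is a bijection in P_i, so g exists. It only
    illustrates the structure; it is not one of the talk's constructions."""
    def mask(p_prev: bytes, c_prev: bytes) -> bytes:
        return hashlib.blake2b(p_prev + c_prev, key=key, digest_size=BLOCK).digest()

    def f(p_prev: bytes, c_prev: bytes, p: bytes) -> bytes:
        return xor(p, mask(p_prev, c_prev))

    def g(p_prev: bytes, c_prev: bytes, c: bytes) -> bytes:
        return xor(c, mask(p_prev, c_prev))

    return f, g


def online_encrypt(f, plaintext: Iterable[bytes]) -> Iterator[bytes]:
    """Streams C_i as soon as P_i arrives; the buffer is always the three blocks
    (P_{i-1}, C_{i-1}, P_i), so memory does not grow with the message length."""
    p_prev, c_prev = ZERO, ZERO
    for p in plaintext:
        c = f(p_prev, c_prev, p)
        yield c
        p_prev, c_prev = p, c


def online_decrypt(g, ciphertext: Iterable[bytes]) -> Iterator[bytes]:
    """Inverse direction with the same 3-block buffer: P_i = g(P_{i-1}, C_{i-1}, C_i)."""
    p_prev, c_prev = ZERO, ZERO
    for c in ciphertext:
        p = g(p_prev, c_prev, c)
        yield p
        p_prev, c_prev = p, c


def encrypt(f, blocks: List[bytes]) -> List[bytes]:
    return list(online_encrypt(f, blocks))


def decrypt(g, blocks: List[bytes]) -> List[bytes]:
    return list(online_decrypt(g, blocks))


def common_prefix_blocks(a: List[bytes], b: List[bytes]) -> int:
    """Number of leading blocks two ciphertexts agree on. For an online cipher this is
    at least the number of leading plaintext blocks that agree, which is why an online
    cipher cannot be a PRP: a random permutation does not preserve prefixes."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    f, g = make_f_g(b"example-key-0123")              # constructed key
    p = [bytes([i]) * BLOCK for i in range(1, 5)]      # constructed 4-block plaintext
    p2 = p[:2] + [b"\xff" * BLOCK] + p[3:]             # same first two blocks, then differs
    c, c2 = encrypt(f, p), encrypt(f, p2)
    assert decrypt(g, c) == p
    print("shared ciphertext prefix:", common_prefix_blocks(c, c2), "blocks")
```

Encrypting the first j blocks on their own gives exactly the first j blocks of the full ciphertext, which is the online property; two plaintexts that agree on their first two blocks always produce ciphertexts that agree on their first two blocks, which is the distinguishing observation against a PRP.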
Security Notions
Security notions for Online Ciphers
• (Strong) Pseudo-Random Permutation is the strongest security notion for an encryption algorithm.
• An online cipher cannot be a (S)PRP, since the online property itself can be used to mount a distinguishing attack.
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) introduced the desired security notions: the maximum security achievable by an online cipher is captured by introducing an ideal online cipher.
Security notions for Online Ciphers
• Chosen-Plaintext Secure or CPA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.
• Chosen-Ciphertext Secure or CCA-secure: no feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.
Known Examples
Hash-CBC Online Ciphers
• Bellare, Boldyreva, Knudsen and Namprempre (Crypto 2001) designed the Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).
• Needs a block cipher and an almost-XOR-universal (AXU) hash function.
• Universal hash function combined with CBC mode.
AU hash function
• Poly hash generates distinct counters for distinct messages with high probability. Poly hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext: for distinct messages M, M' and any δ, Pr[H_h(M) ∘ H_h(M') = δ] ≤ L/2^n, where ∘ is either + (modular addition) or ⊕ (xor).
Hash-CBC: HCBC1
[Figure: HCBC1 circuit; H takes the previous ciphertext block Ci-1 (C0 = 0) and its n-bit output is xored into Pi before E_K, giving Ci]
• CPA-secure but not CCA-secure.
• H : {0,1}^n → {0,1}^n is an AXU hash function (n = block size).
• Two independent keys (one for H and one for E).
Hash-CBC: HCBC2
• CCA-secure.
• H : {0,1}^2n → {0,1}^n is an AXU hash function.
• Two independent keys (H and E).
Our Constructions
Recall HCBC2
[Figure: HCBC2 circuit; H takes the two n-bit inputs Pi-1 and Ci-1 (P0 = C0 = 0) and feeds E_K]
Hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs before feeding them into H.
MHCBC
Modified Hash-CBC: MHCBC
[Figure: MHCBC circuit; H now takes the single n-bit input Pi-1 ⊕ Ci-1 (P0 = C0 = 0) and feeds E_K]
• CCA-secure.
• H : {0,1}^n → {0,1}^n is an AXU hash function.
• Two independent keys (H and E).
MCBC-1
Modified CBC: MCBC-1
[Figure: the MHCBC circuit with each H replaced by E_K2, alongside E_K1]
We need an AXU hash function. E_K itself can be a candidate for this. So we can replace H by E_K2 (with an independently chosen key K2). This is called MCBC-1.
Modified CBC: MCBC
[Figure: the same circuit with H replaced by E_K under the same key K as the outer E_K]
What will happen if we replace H by E_K (same key K)? Is it secure?
NOT SECURE
Modified CBC: MCBC
[Figure: the three queries below traced through the circuit, showing the E_K and E_K^-1 inputs and outputs 0, v0, v1, v2]
• 1st decryption query with ciphertext 0: then the plaintext is E_K(0) = v0.
• 1st encryption query with plaintext 0: the ciphertext will be E_K(v0) + v0 = v2. Let E_K(v0) = v1.
• 2nd encryption query with plaintext (v0, v1): the ciphertext will be (0, v2) with probability one, which is not what an ideal random online cipher would produce.
MCBC-2
Modified CBC: MCBC (MCBC-2)
[Figure: the single-key MCBC circuit with an additional value K1 = E_K(1) fed into each block's computation]
K1 protects from the previous attack. In fact, it is CCA-secure.
Comparison
Conclusion
• Revisited the Hash-CBC online ciphers.
• Modified them by
  • reducing the key space,
  • removing the universal hash function,
  • achieving better efficiency.
• These are termed MHCBC and MCBC.
• A simple modification of MHCBC won't work.
• A unified way of proving the security of online ciphers (in the paper).
Thank you for your attention