Online Cryptography Course                                        Dan Boneh

Using block ciphers
Modes of operation: one time key

example: encrypted email, new key for every message

Using PRPs and PRFs
Goal: build "secure" encryption from a secure PRP (e.g. AES)

This segment: one-time keys
1. Adversary's power: Adv sees only one ciphertext (one-time key)
2. Adversary's goal: learn info about PT from CT (semantic security)

Next segment: many-time keys (a.k.a. chosen-plaintext security)

Incorrect use of a PRP
Electronic Code Book (ECB): each block is encrypted independently under the same key
  PT:  m1  m2
  CT:  c1  c2
Problem:
  – if m1 = m2 then c1 = c2

In pictures (courtesy B. Preneel)

Semantic Security (one-time key)
EXP(0): Chal: k←K. Adv A sends m0, m1 ∈ M with |m0| = |m1|. Chal returns c ← E(k,m0). A outputs b' ∈ {0,1}.
EXP(1): same as EXP(0), but Chal returns c ← E(k,m1).
one-time key ⇒ adversary sees only one ciphertext
AdvSS[A,OTP] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |   should be "neg."

ECB is not Semantically Secure
ECB is not semantically secure for messages that contain more than one block.
Two blocks: Chal: k←K, b∈{0,1}. Adv A sends m0 = "Hello World", m1 = "Hello Hello". Chal returns (c1,c2) ← E(k, mb).
A: if c1 = c2 output 0, else output 1
Then AdvSS[A, ECB] = 1

Secure Construction I
Deterministic counter mode from a PRF F:
  E_DETCTR(k, m):
       m[0]    m[1]    …  m[L]
    ⊕  F(k,0)  F(k,1)  …  F(k,L)
    -------------------------------
       c[0]    c[1]    …  c[L]
⇒ stream cipher built from a PRF (e.g. AES, 3DES)

Det. counter-mode security
Theorem: For any L>0, if F is a secure PRF over (K,X,X) then E_DETCTR is a sem. sec. cipher over (K,X^L,X^L).
In particular, for any eff. adversary A attacking E_DETCTR there exists an eff. PRF adversary B s.t.:
  AdvSS[A, E_DETCTR] = 2 ⋅ AdvPRF[B, F]
AdvPRF[B, F] is negligible (since F is a secure PRF)
Hence, AdvSS[A, E_DETCTR] must be negligible

Proof (hybrid argument; in each game adv A sends m0, m1, receives c, and outputs b'; the event of interest is b' ≟ 1):
  chal: k←K,        c ← m0 ⊕ (F(k,0) … F(k,L))
  ≈p  chal: f←Funs,  c ← m0 ⊕ (f(0) … f(L))
  ≈p  chal: r←{0,1}^n, c ← r
  ≈p  chal: f←Funs,  c ← m1 ⊕ (f(0) … f(L))
  ≈p  chal: k←K,     c ← m1 ⊕ (F(k,0) … F(k,L))
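The ECB distinguisher and the deterministic counter mode described on these slides, as an added example that is not part of the course material: it runs the EXP(0)/EXP(1) game with a fresh one-time key per trial against both constructions. It assumes HMAC-SHA256 as a stand-in PRF and a 4-round Feistel network as a stand-in PRP (in place of AES), and 16-byte blocks.

```python
import hmac, hashlib, os

BLOCK = 16  # block length in bytes (assumption: AES-sized blocks)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf(k: bytes, x: int) -> bytes:
    """Stand-in PRF F(k, x): HMAC-SHA256 truncated to one block.
    The slides use AES; HMAC is used here so the example needs no
    third-party library."""
    return hmac.new(k, x.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]

def feistel_prp(k: bytes, block: bytes) -> bytes:
    """Stand-in PRP (block cipher) for the ECB demo: a 4-round Feistel
    network with an HMAC round function. A PRP is a permutation, so equal
    blocks map to equal outputs and distinct blocks to distinct outputs."""
    assert len(block) == BLOCK
    half = BLOCK // 2
    left, right = block[:half], block[half:]
    for rnd in range(4):
        f = hmac.new(k, bytes([rnd]) + right, hashlib.sha256).digest()[:half]
        left, right = right, xor(left, f)
    return left + right

def ecb_encrypt(k: bytes, blocks: list) -> list:
    # ECB: every block encrypted independently under the same key
    return [feistel_prp(k, m) for m in blocks]

def det_ctr_encrypt(k: bytes, blocks: list) -> list:
    # E_DETCTR(k, m): c[i] = m[i] xor F(k, i); decryption is the same call
    return [xor(m, prf(k, i)) for i, m in enumerate(blocks)]

def adversary(c: list) -> int:
    """The slide's distinguisher: output 0 if c1 == c2, else 1."""
    return 0 if c[0] == c[1] else 1

def ss_advantage(encrypt, trials: int = 64) -> float:
    """Run EXP(0) and EXP(1) with a fresh one-time key per trial and return
    |Pr[EXP(0)=1] - Pr[EXP(1)=1]| for the slide's two-block messages."""
    m0 = [b"Hello".ljust(BLOCK), b"World".ljust(BLOCK)]  # distinct blocks
    m1 = [b"Hello".ljust(BLOCK), b"Hello".ljust(BLOCK)]  # repeated block
    p = [sum(adversary(encrypt(os.urandom(BLOCK), mb)) for _ in range(trials)) / trials
         for mb in (m0, m1)]
    return abs(p[0] - p[1])

if __name__ == "__main__":
    print("AdvSS[A, ECB]    =", ss_advantage(ecb_encrypt))      # 1.0
    print("AdvSS[A, DETCTR] =", ss_advantage(det_ctr_encrypt))  # 0.0
```

For det-CTR the adversary outputs 1 in both experiments, since c1 = c2 would require F(k,0) = F(k,1); the key is never reused, which is exactly the one-time-key restriction this segment assumes.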
End of Segment