Online Cryptography Course                                        Dan Boneh

Using block ciphers

Modes of operation: one time key

example: encrypted email, new key for every message.
Using PRPs and PRFs

Goal: build “secure” encryption from a secure PRP (e.g. AES).

This segment: one-time keys

  1. Adversary’s power: Adv sees only one ciphertext (one-time key)

  2. Adversary’s goal: Learn info about PT from CT (semantic security)

Next segment: many-time keys (a.k.a. chosen-plaintext security)
Incorrect use of a PRP

Electronic Code Book (ECB):

    PT:   m1   m2
    CT:   c1   c2

Problem:
  – if m1=m2 then c1=c2
In pictures (courtesy B. Preneel)

[figure: ECB encryption shown on an image]
Semantic Security (one-time key)

EXP(0):
    Chal.  k←K                              Adv. A
           m0, m1 ∈ M : |m0| = |m1|    ←    (A chooses m0, m1)
           c ← E(k,m0)                 →    A outputs b’ ∈ {0,1}

  one time key ⇒ adversary sees only one ciphertext

EXP(1):
    Chal.  k←K                              Adv. A
           m0, m1 ∈ M : |m0| = |m1|    ←    (A chooses m0, m1)
           c ← E(k,m1)                 →    A outputs b’ ∈ {0,1}

AdvSS[A,OTP] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |   should be “neg.”
ECB is not Semantically Secure

ECB is not semantically secure for messages that contain more than one block.

Two blocks:                       b∈{0,1}
    Chal.  k←K                                   Adv. A
           m0 = “Hello World”
           m1 = “Hello Hello”               ←    (A chooses m0, m1)
           (c1,c2) ← E(k, mb)               →    If c1=c2 output 0, else output 1

Then AdvSS[A, ECB] = 1
Secure Construction I

Deterministic counter mode from a PRF F:

  • EDETCTR(k, m) =

          m[0]     m[1]     …   m[L]
      ⊕   F(k,0)   F(k,1)   …   F(k,L)
        ─────────────────────────────
          c[0]     c[1]     …   c[L]

⇒ Stream cipher built from a PRF (e.g. AES, 3DES)
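The two-block distinguisher from the ECB slide and the deterministic counter mode above, as an added example that is not part of Boneh's slides. It assumes HMAC-SHA256 of the counter as the PRF F (standing in for AES so it runs with the standard library), runs the one-time-key semantic-security experiment against EDETCTR, and shows why the key must be fresh per message: reusing it leaks m0 ⊕ m1.

```python
import hashlib, hmac, os

BLOCK = 16  # block length in bytes, as for AES; F(k, i) returns one block

def F(k: bytes, i: int) -> bytes:
    # Stand-in PRF (an assumption of this example): HMAC-SHA256 of the counter,
    # truncated to one block. The slides use AES as the PRF F.
    return hmac.new(k, i.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def det_ctr(k: bytes, m: bytes) -> bytes:
    # EDETCTR(k, m): c[i] = m[i] XOR F(k, i), block by block; the last block
    # may be short. XORing the same pad again decrypts, so this is also D.
    out = bytearray()
    for i, start in enumerate(range(0, len(m), BLOCK)):
        out += xor(m[start:start + BLOCK], F(k, i))
    return bytes(out)

def equal_blocks_adversary(c: bytes) -> int:
    # Adversary A from the "ECB is not semantically secure" slide:
    # if c1 = c2 output 0, else output 1.
    return 0 if c[:BLOCK] == c[BLOCK:2 * BLOCK] else 1

def ss_experiment(encrypt, adversary, m0: bytes, m1: bytes, b: int) -> int:
    # EXP(b) with a one-time key: k <- K, c <- E(k, m_b), return A's guess b'.
    assert len(m0) == len(m1)
    k = os.urandom(BLOCK)
    return adversary(encrypt(k, m1 if b else m0))

def ss_advantage(encrypt, adversary, m0: bytes, m1: bytes, trials: int = 200) -> float:
    # Empirical |Pr[EXP(0)=1] - Pr[EXP(1)=1]|, with a fresh key per run.
    p0 = sum(ss_experiment(encrypt, adversary, m0, m1, 0) for _ in range(trials)) / trials
    p1 = sum(ss_experiment(encrypt, adversary, m0, m1, 1) for _ in range(trials)) / trials
    return abs(p0 - p1)

def key_reuse_leak(k: bytes, m0: bytes, m1: bytes) -> bytes:
    # Why the key must be one-time: two messages under the same k give
    # c0 XOR c1 = m0 XOR m1, so the pad cancels and the plaintext XOR leaks.
    return xor(det_ctr(k, m0), det_ctr(k, m1))

# Constructed sample messages (16-byte blocks): M1's second block repeats its
# first, like the slide's "Hello Hello"; M0's does not, like "Hello World".
M0 = b"Hello World!!!!!" + b"Second block...."
M1 = b"Hello World!!!!!" + b"Hello World!!!!!"

if __name__ == "__main__":
    print("A's advantage vs DETCTR:", ss_advantage(det_ctr, equal_blocks_adversary, M0, M1))
    print("key reuse leaks m0^m1:", key_reuse_leak(b"k" * 16, M0, M1) == xor(M0, M1))
```

Against ECB the same adversary A would output 0 on M1 and 1 on M0 every time (advantage 1); against EDETCTR the two pad blocks F(k,0), F(k,1) differ, so A outputs 1 for both and gains nothing.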
Det. counter-mode security

Theorem: For any L>0, if F is a secure PRF over (K,X,X) then EDETCTR is a sem. sec. cipher over (K,X^L,X^L).

In particular, for any eff. adversary A attacking EDETCTR there exists an eff. PRF adversary B s.t.:

    AdvSS[A, EDETCTR] = 2 ⋅ AdvPRF[B, F]

AdvPRF[B, F] is negligible (since F is a secure PRF). Hence, AdvSS[A, EDETCTR] must be negligible.
Proof

A sequence of games, each ≈p the next; in every game adv. A sends m0, m1, receives c, and outputs b’≟1:

    chal.  k←K          c ← m0 ⊕ F(k,0) … F(k,L)
       ≈p
    chal.  f←Funs       c ← m0 ⊕ f(0) … f(L)
       ≈p
    chal.  r←{0,1}^n    c ← r
       ≈p
    chal.  f←Funs       c ← m1 ⊕ f(0) … f(L)
       ≈p
    chal.  k←K          c ← m1 ⊕ F(k,0) … F(k,L)
End of Segment