Cryptanalysis-tolerant CPA crypt.


Transcript of Cryptanalysis-tolerant CPA crypt.

Page 1: Cryptanalysis-tolerant CPA crypt.

● Suppose E, E’ are two encryption schemes, one of which is CPA-secure, e.g., a standard and a proprietary one, or a new and an old one.
● Cascade [EG85]: E* = E◦E’
● E* is CPA-secure if either E or E’ is CPA-secure. We say that the cascade is cryptanalysis tolerant.

[Figure: the cascade of E and E’]

Page 2: Cascading CPA - question

● Given two encryption schemes E and E’, one of which is a candidate CPA-secure scheme, define: E*_{k,k'}(x) = E_k(E’_{k'}(x))
● Question: assume either E or E’ is CPA-secure. Is E* then a CPA-secure cryptosystem?
● Answer:

Page 3: Cascading CPA-Secure system

● Claim: if either E or E’ is CPA-secure, then E* is CPA-secure.
● Proof: Suppose to the contrary that there exists an adversary A* such that
  Pr_{X = EX(E*, A*, k)} [ X.win ∧ X.t ≤ t ] > ½ + ε*(k, t, q),
  i.e., A* can distinguish E* from a random permutation.
● Let adversaries A (for E) and A’ (for E’) use A* (as a subroutine) to distinguish.
● Prove for A (A and A’ are similar).

Page 4: Cont'

● A tries to win the test for E while using A* on E*. A uses E as a black box.
● Key generation - A generates the keys for E’.
● Select – A needs to respond to the encryption and decryption requests to E* (requests sent by A*). When A* asks to encrypt m, A asks for the encryption c = E(m) and calculates E’(c) itself (A has the keys for E’).
● Encrypt – When A* outputs <select, m0, m1>, A outputs the same for E, applies E’ to the returned ciphertext and returns the result to A*.
● When A* outputs its guess b', A outputs the same. A wins whenever A* wins, since A only performs one more computation per request.

Page 5: Reduction - message flow between A, A*, E and E’

Participants: A (adversary against E), A* (adversary against E*), E (black box for A), E’ (controlled by A).

Begin: A generates the keys for E’; A* begins.

Encrypt phase:
  A* -> A:  Select(m1)
  A -> E:   Select(m1)
  E -> A:   c1
  A:        Encrypt(c1) with E’: c1' = E’_{k'}(c1)
  A -> A*:  c1'
  ...       (repeated for further requests)

Select/Guess phase:
  A* -> A:  Select(m1, m2)
  A -> E:   Select(m1, m2)
  E -> A:   c
  A:        c' = E’_{k'}(c)
  A -> A*:  c'
  A* -> A:  output b
  A -> E:   b
  E:        win/lose

A controls E’ (e.g., Encrypt); A selects the messages to encrypt (e.g., Select).
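The game and the reduction of pages 3-5 as running code. This is an added example, not part of the original slides: the two toy schemes (a deterministic keystream reuse and a randomized r || (m xor keystream_k(r))), the PRF built from HMAC-SHA256, the `Cascade` wrapper and all function names are my constructions. `a_star` is an A* that wins against any deterministic scheme; `reduction` builds the adversary A of page 4 around it, and the advantage figures show that A wins against E exactly when A* wins against the cascade E* = E’∘E.

```python
"""Cascade E*(m) = E'_{k'}(E_k(m)) and the reduction adversary of pages 3-5, as a toy IND-CPA game.
Stdlib only; the two schemes are constructed teaching examples, not real ciphers."""
import hmac
import hashlib
import random

N = 16  # message length in bytes (constructed toy parameter)


def prf(key, data):
    """Keyed PRF standing in for a block cipher: HMAC-SHA256 truncated to N bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:N]


def keystream(key, nonce, length):
    """Counter-mode keystream built from the PRF, so both toy schemes accept any message length."""
    out = b"".join(prf(key, nonce + i.to_bytes(4, "big")) for i in range((length + N - 1) // N))
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


class Deterministic:
    """Reuses one keystream for every message: NOT CPA-secure (equal plaintexts give equal ciphertexts)."""
    def keygen(self, rng): return rand_bytes(rng, N)
    def encrypt(self, k, m, rng): return xor(m, keystream(k, b"\x00" * N, len(m)))


class Randomized:
    """r || (m xor keystream_k(r)) with a fresh r per encryption."""
    def keygen(self, rng): return rand_bytes(rng, N)
    def encrypt(self, k, m, rng):
        r = rand_bytes(rng, N)
        return r + xor(m, keystream(k, r, len(m)))


class Cascade:
    """E*_{k,k'}(m) = E'_{k'}(E_k(m)): E is applied first, E' second, as in the page-5 message flow."""
    def __init__(self, E, Eprime): self.E, self.Eprime = E, Eprime
    def keygen(self, rng): return (self.E.keygen(rng), self.Eprime.keygen(rng))
    def encrypt(self, keys, m, rng):
        k, kp = keys
        return self.Eprime.encrypt(kp, self.E.encrypt(k, m, rng), rng)


def cpa_advantage(scheme, adversary, trials=20):
    """IND-CPA experiment run in the b=0 world and the b=1 world; returns
    |Pr[guess = 1 | b = 1] - Pr[guess = 1 | b = 0]|. The adversary receives an encryption
    oracle, a one-shot challenge oracle and its own randomness, and returns its guess bit."""
    rate = {}
    for b in (0, 1):
        rng = random.Random(1234 + b)  # fixed seeds keep the run reproducible
        ones = 0
        for _ in range(trials):
            k = scheme.keygen(rng)
            enc = lambda m, k=k: scheme.encrypt(k, m, rng)
            challenge = lambda m0, m1: enc(m1 if b else m0)
            ones += adversary(enc, challenge, random.Random(rng.getrandbits(64)))
        rate[b] = ones / trials
    return abs(rate[1] - rate[0])


def a_star(enc, challenge, rng):
    """A*: breaks any deterministic scheme by re-encrypting m0 and comparing with the challenge
    (the observation of page 16)."""
    m0, m1 = b"A" * N, b"B" * N
    c = challenge(m0, m1)
    return 0 if enc(m0) == c else 1


def reduction(adv_star, Eprime):
    """Adversary A against E built from A* against E* (pages 4-5): A generates its own E' key,
    forwards each query of A* to E's oracle and applies E'_{k'} itself to the answer, so A* sees
    exactly the E* oracles and A wins whenever A* wins."""
    def A(enc, challenge, rng):
        kp = Eprime.keygen(rng)
        sim_enc = lambda m: Eprime.encrypt(kp, enc(m), rng)
        sim_challenge = lambda m0, m1: Eprime.encrypt(kp, challenge(m0, m1), rng)
        return adv_star(sim_enc, sim_challenge, rng)
    return A


if __name__ == "__main__":
    for name, scheme in [("E det", Deterministic()), ("E rand", Randomized()),
                         ("det o det", Cascade(Deterministic(), Deterministic())),
                         ("rand o det", Cascade(Deterministic(), Randomized()))]:
        print(name, "A* advantage:", cpa_advantage(scheme, a_star))
    print("A (from A*, E' det) vs E det:", cpa_advantage(Deterministic(), reduction(a_star, Deterministic())))
```

The advantage is measured per world rather than as a win rate, so the numbers are exact: A* has advantage 1 against the deterministic scheme and against a cascade of two deterministic schemes, and advantage 0 as soon as either component is randomized; the reduction adversary inherits exactly that behaviour against E, which is the content of the claim on page 3.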

Page 6: Cryptographic Constructions - Demonstrating insecurity

● Usual method: let g’ be an arbitrary function for goal G. Design g which also satisfies G:
  the security of g follows (easily?) from the security of g’, but g is not good for the construction. Namely, the function f which is constructed using g does not satisfy goal F.

Page 7: ECB patterns

[Figure: Plaintext | Encrypted with ECB | Encrypted with a non-ECB mode]
An example of the patterns ECB leaves in the ciphertext when encrypting pixels (pixel-by-pixel encryption).

Page 8: CBC

Page 9: OFB

Page 10: CBC - OFB

● CBC: requires padding of the message to the block size. Decryption can be parallelized. A 1-bit change in the plaintext affects all the ciphertext blocks that follow it.
● OFB: does not require message padding. Decryption can't be done in parallel. Bit flips can be detected and corrected by an embedded ECC in many cases.
● Both have a “randomization” property – one can't detect identical plaintext blocks.

Page 11: Problem

● CBC and OFB are great for creating a VIL (variable-input-length) cipher from FIL (fixed-input-length) blocks, however they have some drawbacks:
  ● Transmission errors.
  ● Parallel computation.
● Please describe the drawbacks in detail.
● Please suggest a scheme for creating a VIL cipher from FIL blocks which has the CBC/OFB properties and eliminates the limitations described above.

Page 12: Solution

● Drawbacks:
  ● Block dependency causes encryption/decryption to be synchronous (CBC decryption can be parallel).
  ● Decryption (CBC) - in case a block is damaged, the block that depends on it can't be deciphered correctly either. In CBC, block damage can result from a single flipped bit.
  ● OFB can correct errors with an embedded ECC (single bits).

Page 13: Solution

● Instead of chaining to disguise the ciphertext, use a counter. (Counter must be kept secret.)
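The properties discussed on pages 7-13 (ECB pattern leak, CBC error propagation and parallel decryption, OFB's sequential keystream and single-bit error behaviour, and the counter mode proposed as the solution) demonstrated on a toy cipher. This is an added example and not code from the slides: the block cipher is a 4-round Feistel network built on HMAC-SHA256 that I constructed so the example runs with the standard library only; block size, round count, the seed, the key and the four-identical-block plaintext are constructed sample values. In `ctr_keystream` the counter starts from a per-message IV that is sent with the ciphertext and must never repeat under the same key.

```python
"""Toy block cipher plus ECB/CBC/OFB/CTR modes, to show the pattern leak and the error-propagation
behaviour discussed on pages 7-13. Stdlib only; the Feistel cipher is a constructed teaching PRP."""
import hmac
import hashlib
import random

B = 16      # block size in bytes
ROUNDS = 4  # Feistel rounds (toy parameter, not a security recommendation)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    """Round function: HMAC-SHA256 over (round index, half block), truncated to B/2 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:B // 2]


def prp(key, block, decrypt=False):
    """Keyed permutation on one B-byte block: a Feistel network, invertible by construction."""
    assert len(block) == B
    L, R = block[:B // 2], block[B // 2:]
    if not decrypt:
        for i in range(ROUNDS):
            L, R = R, xor(L, _round(key, i, R))
    else:
        for i in reversed(range(ROUNDS)):
            L, R = xor(R, _round(key, i, L)), L
    return L + R


def blocks(data):
    assert len(data) % B == 0, "toy modes expect whole blocks (no padding implemented)"
    return [data[i:i + B] for i in range(0, len(data), B)]


def ecb_encrypt(key, pt):
    return b"".join(prp(key, p) for p in blocks(pt))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = prp(key, xor(p, prev))   # c_i = E_k(p_i xor c_{i-1}): inherently sequential
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)
    # p_i = D_k(c_i) xor c_{i-1}: each block needs only two ciphertext blocks, so decryption parallelises
    return b"".join(xor(prp(key, cs[i], True), iv if i == 0 else cs[i - 1]) for i in range(len(cs)))


def ofb_keystream(key, iv, nblocks):
    out, o = [], iv
    for _ in range(nblocks):
        o = prp(key, o)                 # o_i = E_k(o_{i-1}): sequential in both directions
        out.append(o)
    return b"".join(out)


def ctr_keystream(key, iv, nblocks):
    n = int.from_bytes(iv, "big")
    # o_i = E_k(IV + i): every block independent, so encryption and decryption parallelise
    return b"".join(prp(key, ((n + i) % (1 << (8 * B))).to_bytes(B, "big")) for i in range(nblocks))


def ofb_crypt(key, iv, data):
    return xor(data, ofb_keystream(key, iv, len(data) // B))


def ctr_crypt(key, iv, data):
    return xor(data, ctr_keystream(key, iv, len(data) // B))


def has_repeated_blocks(ct):
    """The page-7 leak: identical plaintext blocks give identical ciphertext blocks under ECB."""
    bs = blocks(ct)
    return len(set(bs)) < len(bs)


def flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def damage_after_flip(mode, key, iv, pt, bit):
    """Flip one ciphertext bit, decrypt, and return (indices of damaged plaintext blocks,
    number of differing bits in the last damaged block)."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt), "ofb": (ofb_crypt, ofb_crypt),
                "ctr": (ctr_crypt, ctr_crypt)}[mode]
    pt2 = dec(key, iv, flip_bit(enc(key, iv, pt), bit))
    damaged = [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(pt2))) if a != b]
    last = damaged[-1]
    diff_bits = sum(bin(a ^ b).count("1") for a, b in zip(blocks(pt)[last], blocks(pt2)[last]))
    return damaged, diff_bits


def demo():
    rng = random.Random(7)                      # fixed seed: constructed, reproducible sample
    key, iv = bytes(rng.getrandbits(8) for _ in range(B)), bytes(rng.getrandbits(8) for _ in range(B))
    pt = b"\x00" * (4 * B)                      # four identical blocks, like a flat image region
    bit = 8 * B + 3                             # bit 3 of ciphertext block 1
    return {"ecb_leaks": has_repeated_blocks(ecb_encrypt(key, pt)),
            "cbc_leaks": has_repeated_blocks(cbc_encrypt(key, iv, pt)),
            "ctr_leaks": has_repeated_blocks(ctr_crypt(key, iv, pt)),
            "cbc_damage": damage_after_flip("cbc", key, iv, pt, bit),
            "ofb_damage": damage_after_flip("ofb", key, iv, pt, bit),
            "ctr_damage": damage_after_flip("ctr", key, iv, pt, bit)}
```

`demo()` reproduces the page-12 drawbacks in numbers: one flipped ciphertext bit under CBC garbles the whole block it sits in and flips exactly the same bit in the next block (two damaged blocks), while under OFB and CTR it flips only that one plaintext bit, which is why a single-bit ECC embedded in the plaintext can repair it. The CTR keystream function is the only one whose blocks can be computed independently, which is the page-13 answer to the parallelism drawback.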

Page 14: Indistinguishability Test

● Prove that the following encryption scheme does not pass the indistinguishability test.
● Discrete log – the basis for several public-key cryptosystems.
● Assumption: for a known prime p, generator g of Z_p and y, it's hard to find x such that g^x mod p = y.
● For public prime p and generator g (for Z_p), where m < p:
  E_k(m) = {
    x = g^m mod p;
    y = g^(kx) mod p;
    return x || (y xor m)
  }

Page 15: Solution

● The adversary knows the candidate messages, so it can calculate x = g^m mod p for each of them and compare with the x part of the ciphertext, thus distinguishing the message from a random message.
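The page-14 scheme and the page-15 distinguisher, as an added example that is not part of the slides. The modulus p = 2^31 − 1 and generator g = 7 are constructed toy parameters, far too small for real use; `is_generator` verifies g against the listed prime factors of p − 1. The distinguisher needs no oracle queries at all, because the x component depends only on the message.

```python
"""The page-14 scheme E_k(m) = x || (y xor m) with x = g^m mod p, y = g^(k*x) mod p, and the
page-15 distinguisher. Constructed parameters: p = 2^31 - 1 with generator g = 7 (toy size)."""
import random

P = (1 << 31) - 1                                  # Mersenne prime 2^31 - 1 (constructed toy modulus)
G = 7                                              # generator of Z_p^* (checked by is_generator)
P_MINUS_1_FACTORS = (2, 3, 7, 11, 31, 151, 331)    # prime factors of P - 1


def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime factor q of p - 1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)


def keygen(rng):
    return rng.randrange(1, P - 1)


def encrypt(k, m):
    """E_k(m) exactly as written on page 14; x depends on m alone, not on k or on any randomness."""
    assert 0 <= m < P
    x = pow(G, m, P)
    y = pow(G, k * x, P)
    return (x, y ^ m)                              # "x || (y xor m)" represented as a pair


def decrypt(k, c):
    x, z = c
    return pow(G, k * x, P) ^ z                    # the receiver recomputes y from x and its key k


def distinguisher(m0, m1, c):
    """IND adversary: it knows m0, m1, g and p, so it recomputes x0 = g^m0 mod p and compares it
    with the x component of the challenge. No encryption queries are needed."""
    x, _ = c
    return 0 if pow(G, m0, P) == x else 1


def ind_game(rng, m0, m1):
    """One run of the indistinguishability experiment; True if the adversary guessed b correctly."""
    k = keygen(rng)
    b = rng.randrange(2)
    c = encrypt(k, m1 if b else m0)
    return distinguisher(m0, m1, c) == b


def success_rate(trials=200, seed=1):
    """Fraction of experiments the adversary wins; 1.0 means the scheme fails the test outright."""
    rng = random.Random(seed)
    m0, m1 = 1000, 250000                          # two candidate messages with m < P - 1, so g^m differs
    return sum(ind_game(rng, m0, m1) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("g is a generator:", is_generator(G, P, P_MINUS_1_FACTORS))
    print("adversary success rate:", success_rate())
```

The decryption function is included only to show the scheme is a functioning cryptosystem; its failure is not a correctness problem but the deterministic, key-independent x, which is exactly the point of page 16: any scheme whose ciphertext contains a deterministic function of the plaintext fails the indistinguishability test.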

Page 16: Indistinguishability Test is Strong

● Two encryptions of the same message should be indistinguishable.
  ● Otherwise the adversary can ask for another encryption of a known message and identify it.
  ● Encryption must be randomized and/or use a state variable. With a state variable, encryption depends on the history. In practice, encryption is usually randomized.
● No assumption about the plaintext:
  ● It may be just two messages, ‘0’ and ‘1’.
  ● It may be biased (90% is ‘0’).

Page 17: CPA-IND Secure Cryptosystem from KPA-Secure

● Let C_k be a KPA-secure cryptosystem.
● Then encrypt each message m using E_k(m) = r || C_k(m xor r), where r is random.
● Observation: this is simply CBC mode of C_k with a single block! The proof extends to multiple-block CBC.
● Theorem [GM89]: E_k(m) is CPA-IND secure.

Page 18: Question

● Let E be a KPA-secure cryptosystem. Consider the following function on {0,1}^2n (for any n):
  E’_k(x) = E_k(x[1..n]) || E_k(E_k(x[1..n]) xor x[(n+1)..2n])
● Is E’_k(x) KPA secure?
● Is E’_k(x) CPA secure?

Page 19: Solution

● Not CPA secure - choose 2 different input texts with the same first half, for example 1010||1100 and 1010||1001. The MSB half of the output is the same for both “different” outputs. This is the case because of the E_k(x[1..n]) term.
● KPA secure - in the KPA setting the adversary does not get to choose messages with the same MSB half.
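The construction of page 18, the first-half leak of page 19, and the randomized r || E_k(m xor r) of page 17 as the contrast, in one added example that is not part of the slides. E_k is modelled here as a keyed PRF stand-in (HMAC-SHA256 truncated to n bytes) because the argument only uses that E_k is deterministic; a real block cipher would in addition be invertible, and the outcome would be the same. The byte-level encoding of the slide's 1010||1100 example, the key, n and all function names are my choices.

```python
"""Pages 17-19: E'_k(x) = E_k(x1) || E_k(E_k(x1) xor x2) on 2n-bit inputs, why it is not CPA-secure,
and the randomized r || E_k(m xor r) of page 17 for contrast. E_k is a keyed-PRF stand-in."""
import hmac
import hashlib
import random

N = 8   # n in bytes: E' acts on 2N-byte inputs (constructed toy parameter)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def E(k, x):
    """Stand-in for the KPA-secure cipher E_k on N-byte blocks (assumption: a keyed PRF is enough here)."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def E_prime(k, x):
    """The page-18 construction: first half encrypted directly, second half chained to that result."""
    assert len(x) == 2 * N
    x1, x2 = x[:N], x[N:]
    c1 = E(k, x1)
    return c1 + E(k, xor(c1, x2))


def msb_half_equal(c, d):
    """Page-19 observation: inputs sharing x1 give ciphertexts sharing their MSB half."""
    return c[:N] == d[:N]


def cpa_distinguisher(enc, challenge):
    """CPA adversary: m0 and m1 differ only in the first half; it asks the oracle for E'_k(m0) and
    compares the MSB half of the challenge with it. The first half of E' is a deterministic
    function of x1, so the comparison settles b."""
    m0 = b"\x0a" * N + b"\x0c" * N          # the slide's "1010 || 1100", spelled out per byte
    m1 = b"\x09" * N + b"\x0c" * N          # different first half, same second half
    c = challenge(m0, m1)
    return 0 if msb_half_equal(enc(m0), c) else 1


def cpa_advantage(trials=20):
    """Run the adversary in the b=0 and b=1 worlds; returns |Pr[guess=1|b=1] - Pr[guess=1|b=0]|."""
    rate = {}
    for b in (0, 1):
        rng = random.Random(99 + b)                       # fixed seed for reproducibility
        ones = 0
        for _ in range(trials):
            k = bytes(rng.getrandbits(8) for _ in range(16))
            enc = lambda m, k=k: E_prime(k, m)
            ones += cpa_distinguisher(enc, lambda m0, m1: enc(m1 if b else m0))
        rate[b] = ones / trials
    return abs(rate[1] - rate[0])


def gm89_encrypt(k, m, rng):
    """Page-17 contrast: r || E_k(m xor r) with a fresh random r, i.e. one-block CBC with a random IV."""
    assert len(m) == N
    r = bytes(rng.getrandbits(8) for _ in range(N))
    return r + xor(b"", b"") + E(k, xor(m, r))


def randomized_twice_differ(k, m, seed=1):
    """Two encryptions of the same message under the page-17 scheme differ (fresh r each time)."""
    rng = random.Random(seed)
    return gm89_encrypt(k, m, rng) != gm89_encrypt(k, m, rng)


if __name__ == "__main__":
    k = b"k" * 16
    a, b_ = b"\x0a" * N + b"\x0c" * N, b"\x0a" * N + b"\x09" * N
    print("same MSB half for 1010||1100 and 1010||1001:", msb_half_equal(E_prime(k, a), E_prime(k, b_)))
    print("CPA advantage against E':", cpa_advantage())
    print("page-17 scheme, same m twice differs:", randomized_twice_differ(k, b"\x0c" * N))
```

The second halves of the two slide examples differ, so E' does not collapse entirely; what fails is the KPA-to-CPA step, because a chosen-plaintext adversary can force the shared first half while a known-plaintext adversary cannot. Prefixing a fresh random r, as on page 17, removes the deterministic component that the distinguisher relies on.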

Page 20: Error Detection

● We would like to transmit ciphertext over the wire. Alice suggests using a parity check as the error-detection code.
● Do we have privacy?
● Do we have integrity?

Page 21: Error Detection

● Assume OTP encryption and an interceptive adversary.
● The adversary doesn’t know k, but sees c on the wire.
● c = (m xor k) || parity(m) [one bit]
● The adversary removes c and replaces it with c’, in which any even number of bits has been flipped (notice that in this example the adversary doesn’t even need to know m).
● OK, no integrity, but maybe privacy?
● What about a known domain of messages (money transfer)?
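Both questions of pages 20-21 worked through on a two-byte OTP, as an added example that is not part of the slides. The parity bit, the even-flip replacement and the known message domain (transfer amounts) are the slide's own setting; the amount 100, the seed, the flipped bit positions and the domain 0..999 are constructed sample values.

```python
"""Pages 20-21: OTP with a trailing parity bit as 'error detection'. Shows the even-flip forgery the
slides describe and the one-bit privacy leak of the clear parity bit. Constructed toy, stdlib only."""
import random


def parity(m):
    """XOR of all plaintext bits: 1 if the number of set bits is odd."""
    return sum(bin(b).count("1") for b in m) & 1


def otp_encrypt(k, m):
    """c = (m xor k) || parity(m); the parity bit travels in the clear as a trailing byte."""
    assert len(k) == len(m)
    return bytes(a ^ b for a, b in zip(m, k)) + bytes([parity(m)])


def otp_decrypt(k, c):
    """Returns (plaintext, parity_check_passed) as the receiver computes them."""
    body, p = c[:-1], c[-1]
    m = bytes(a ^ b for a, b in zip(body, k))
    return m, parity(m) == p


def flip_bits(data, positions):
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def even_flip_forgery(c, positions):
    """The page-21 observation: flipping an even number of ciphertext-body bits toggles the same
    plaintext bits (OTP), so the plaintext parity is unchanged and the receiver's check still passes.
    Neither m nor k is needed, which is why a parity bit gives no integrity."""
    assert len(positions) % 2 == 0 and all(p < 8 * (len(c) - 1) for p in positions)
    return flip_bits(c, positions)


def parity_leak_candidates(c, domain):
    """Privacy leak: the clear parity bit rules out every candidate plaintext of the other parity,
    which matters when the message domain is small and known (transfer amounts)."""
    return [m for m in domain if parity(m) == c[-1]]


def demo():
    rng = random.Random(3)
    amount = 100                                       # constructed transfer amount
    m = amount.to_bytes(2, "big")
    k = bytes(rng.getrandbits(8) for _ in range(2))    # one-time pad key, same length as m
    c = otp_encrypt(k, m)
    forged = even_flip_forgery(c, [8, 9])              # bits 0 and 1 of the low byte: 100 -> 103
    m2, accepted = otp_decrypt(k, forged)
    domain = [n.to_bytes(2, "big") for n in range(1000)]   # known domain: amounts 0..999
    return {"accepted": accepted,
            "amount_received": int.from_bytes(m2, "big"),
            "candidates_left": len(parity_leak_candidates(c, domain)),
            "domain_size": len(domain)}


if __name__ == "__main__":
    print(demo())
```

The forged ciphertext passes the receiver's parity check and changes the amount, and the clear parity bit halves the adversary's candidate set without any knowledge of k. Both defects follow from the same fact: parity is linear in the plaintext bits, exactly like the OTP itself, so it neither hides anything from an eavesdropper nor constrains an editor of the ciphertext.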