
Encryption Using Pseudorandom Permutations

• There is one (or more) small “random-like” permutations that are hard-wired in the construction, such as $p : \{0,1\}^8 \to \{0,1\}^8$ in AES. Traditionally, those hard-wired functions are called “S-boxes.”

• A “key-scheduler” produces several “pseudorandom” strings from the key. (Usually, the scheduler is not a true pseudorandom generator, but does something very simple.)

• The construction proceeds in several rounds. At each round there is some combination of:

  – “Confuse:” apply the hard-wired S-boxes locally to the input (Stage 2 in AES)

  – “Diffuse:” rearrange bits so as to obscure the local nature of the application of the S-boxes (Stages 3 and 4 in AES)

  – “Randomize:” use a string produced by the key-scheduler to add key-dependent randomness to the input (Stage 1 in AES)

5.3 Encryption Using Pseudorandom Permutations

Here are two ways of using Pseudorandom Functions and Permutations to perform encryption. Both are used in practice.

5.3.1 ECB Mode

The Electronic Code-Book mode of encryption works as follows:

• $Enc(K, M) := F_K(M)$

• $Dec(K, M) := I_K(M)$

Exercise 5 Show that ECB is message-indistinguishable for one-time encryption but not for two encryptions.

5.3.2 CBC Mode

In its simplest instantiation the Cipher Block-Chaining mode works as follows:

• $Enc(K, M)$: pick a random string $r \in \{0,1\}^n$, output $(r, F_K(r \oplus M))$

• $Dec(K, (C_0, C_1)) := C_0 \oplus I_K(C_1)$

Note that this is similar to (but a bit different from) the scheme based on pseudorandom functions that we saw last time. In CBC, we take advantage of the fact that $F_K$ is now a permutation that is efficiently invertible given the secret key, and so we are allowed to put the $\oplus M$ inside the computation of $F_K$.

There is a generalization in which one can use the same random string to send several messages. (It requires synchronization and state information.)

• $Enc(K, M_1, \ldots, M_c)$:

  – pick a random string $C_0 \in \{0,1\}^n$

  – output $(C_0, C_1, \ldots, C_c)$ where $C_i := F_K(C_{i-1} \oplus M_i)$

• $Dec(K, C_0, C_1, \ldots, C_c) := M_1, \ldots, M_c$ where $M_i := I_K(C_i) \oplus C_{i-1}$

Exercise 6 This mode achieves CPA security.

Note that CBC overcomes the above problem in which Eve knows a particular block of the message being sent, for if Eve modified $C_1$ in the encryption that Bob was sending to Alice (as in the example above) then the change would be noticeable because $C_2, \ldots, C_c$ would
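As an added example, not part of the lecture notes, the stateful CBC mode above written out in Python, together with a check of which recovered blocks change when one bit of $C_1$ is altered in transit. A key-seeded random permutation of 8-bit blocks stands in for $F_K$ (and its inverse for $I_K$); it is a toy, not a secure block cipher, and the key and message are constructed for the demo.

```python
import os
import random
from typing import List, Optional

BLOCK_BITS = 8                 # toy block size: one byte per block (AES: 128)
BLOCK_SIZE = 1 << BLOCK_BITS

def make_permutation(key: int):
    """Toy stand-in for the PRP F_K: a key-seeded random permutation of
    {0,1}^8 as a lookup table, plus its inverse I_K. Not secure; it only
    plays the role of F_K / I_K inside the mode of operation."""
    table = list(range(BLOCK_SIZE))
    random.Random(key).shuffle(table)          # F_K(x) = table[x]
    inverse = [0] * BLOCK_SIZE
    for x, y in enumerate(table):
        inverse[y] = x                          # I_K(F_K(x)) = x
    return table, inverse

def cbc_encrypt(key: int, blocks: List[int], c0: Optional[int] = None) -> List[int]:
    """Enc(K, M_1, ..., M_c): output (C_0, C_1, ..., C_c) with
    C_i = F_K(C_{i-1} xor M_i) and a fresh random C_0 unless one is supplied."""
    f, _ = make_permutation(key)
    cipher = [os.urandom(1)[0] if c0 is None else c0]
    for m in blocks:
        cipher.append(f[cipher[-1] ^ m])
    return cipher

def cbc_decrypt(key: int, cipher: List[int]) -> List[int]:
    """Dec(K, C_0, ..., C_c): M_i = I_K(C_i) xor C_{i-1}."""
    _, inv = make_permutation(key)
    return [inv[cipher[i]] ^ cipher[i - 1] for i in range(1, len(cipher))]

def tamper_effect(key: int, blocks: List[int], bit: int = 0) -> List[int]:
    """Flip one bit of C_1 in transit and return the indices i of the
    recovered blocks M_i that no longer match what was sent."""
    cipher = cbc_encrypt(key, blocks)
    tampered = list(cipher)
    tampered[1] ^= 1 << bit
    recovered = cbc_decrypt(key, tampered)
    return [i + 1 for i, (m, r) in enumerate(zip(blocks, recovered)) if m != r]

if __name__ == "__main__":
    key = 0x2A                                  # constructed demo key
    msg = list(b"ATTACK AT DAWN")               # constructed sample message
    ct = cbc_encrypt(key, msg)
    assert cbc_decrypt(key, ct) == msg
    print("recovered blocks changed by flipping one bit of C_1:",
          tamper_effect(key, msg))
```

Because $I_K$ is a permutation, the altered $C_1$ always changes $M_1$, and $M_2 = I_K(C_2) \oplus C_1$ picks up exactly the flipped bit, so the recipient can only notice the change if the plaintext carries redundancy; this is the gap that the MACs of the next lecture close.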

Lecture 6

Authentication

Summary

Today we start to talk about message authentication codes (MACs). The goal of a MAC is to guarantee to the recipient the integrity of a message and the identity of the sender. We provide a very strong definition of security (existential unforgeability under adaptive chosen message attack) and show how to achieve it using pseudorandom functions.

Our solution will be secure, but inefficient in terms of length of the required authentication information.

Next time we shall see a more space-efficient authentication scheme, and we shall prove that given a CPA-secure encryption scheme and a secure MAC, one can get a CCA-secure encryption scheme. (That is, an encryption scheme secure against an adaptive chosen ciphertext and plaintext attack.)

6.1 Message Authentication

The goal of message authentication is for two parties (say, Alice and Bob) who share a secret key to ensure the integrity and authenticity of the messages they exchange. When Alice wants to send a message to Bob, she also computes a tag, using the secret key, which she appends to the message. When Bob receives the message, he verifies the validity of the tag, again using the secret key.

The syntax of an authentication scheme is the following.

Definition 23 (Authentication Scheme) An authentication scheme is a pair of algorithms $(Tag, Verify)$, where $Tag(\cdot,\cdot)$ takes in input a key $K \in \{0,1\}^k$ and a message $M$ and outputs a tag $T$, and $Verify(\cdot,\cdot,\cdot)$ takes in input a key, a message, and a tag, and outputs a boolean answer. We require that for every key $K$, and every message $M$,

$$Verify(K, M, Tag(K, M)) = True$$

if $Tag(\cdot,\cdot)$ is deterministic, and we require

$$P[Verify(K, M, Tag(K, M)) = True] = 1$$

if $Tag(\cdot,\cdot)$ is randomized.

In defining security, we want to ensure that an adversary who does not know the private key is unable to produce a valid tag. Usually, an adversary may attempt to forge a tag for a message after having seen other tagged messages, so our definition of security must ensure that seeing tagged messages does not help in producing a forgery. We provide a very strong definition of security by making sure that the adversary is able to tag no new messages, even after having seen tags of any other messages of her choice.

Definition 24 (Existential unforgeability under chosen message attack) We say that an authentication scheme $(Tag, Verify)$ is (t, )-secure if for every algorithm $A$ of complexity at most $t$

$$P_K\left[ A^{Tag(K,\cdot)} = (M, T) : (M, T) \text{ is a forge} \right]$$

where a pair $(M, T)$ is a “forge” if $Verify(K, M, T) = True$ and $M$ is none of the messages that $A$ queried to the tag oracle.

This definition rules out any possible attack by an active adversary except a replay attack, in which the adversary stores a tagged message it sees on the channel, and later sends a copy of it. We still are guaranteed that any message we see was sent at some time by the right party. To protect against replay attacks, we could include a timestamp with the message, and reject messages that are too old. We’ll assume that replay attacks are handled at a higher level and will not worry about them.
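As an added illustration, not from the lecture notes, the syntax of Definition 23 and the forgery predicate of Definition 24 as Python, with the tag oracle recording the adversary's queries and a replayed pair shown to verify without counting as a forge. HMAC-SHA256 is assumed as a stand-in for the PRF-based $Tag$ the notes construct later, and the adversary's queries and attempts are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

def tag(key: bytes, message: bytes) -> bytes:
    """Tag(K, M): deterministic. HMAC-SHA256 stands in for the PRF-based
    construction; any deterministic Tag fits the syntax of Definition 23."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, t: bytes) -> bool:
    """Verify(K, M, T): recompute Tag(K, M) and compare in constant time,
    so Verify(K, M, Tag(K, M)) = True for every K and M."""
    return hmac.compare_digest(tag(key, message), t)

class TagOracle:
    """The oracle Tag(K, .) of Definition 24: answers the adversary's queries
    and records which messages were asked, since those cannot count as forges."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.queried: Set[bytes] = set()

    def query(self, message: bytes) -> bytes:
        self.queried.add(message)
        return tag(self._key, message)

def is_forge(key: bytes, oracle: TagOracle, pair: Tuple[bytes, bytes]) -> bool:
    """(M, T) is a forge iff Verify(K, M, T) = True and M was never queried."""
    m, t = pair
    return verify(key, m, t) and m not in oracle.queried

def run_game(key: bytes) -> Dict[str, bool]:
    """Constructed adversary: two oracle queries, then three output attempts."""
    oracle = TagOracle(key)
    t_alice = oracle.query(b"pay alice 10")
    oracle.query(b"pay bob 10")
    return {
        # replaying a seen pair verifies, but is not a forge under Definition 24
        "replay": is_forge(key, oracle, (b"pay alice 10", t_alice)),
        # moving alice's tag onto a new message fails Verify
        "tag_reuse": is_forge(key, oracle, (b"pay alice 1000", t_alice)),
        # guessing a tag for a new message succeeds only with prob. 2^-256
        "random_guess": is_forge(key, oracle, (b"pay eve 10", secrets.token_bytes(32))),
    }

if __name__ == "__main__":
    print(run_game(secrets.token_bytes(32)))   # all three attempts report False
```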