New proofs for old modes

(1)

Mark Wooding

[email protected]

13 March 2008

(2)

List of figures

3.1 Encryption using CBC mode. . . 13 3.2 Encryption and decryption using

CBC mode with ciphertext steal-ing . . . 15 3.3 Garbage emitter W for CBC

mode. . . 17 3.4 Notation for the proof of

theo-rem 3.2.1. . . 18

4.1 Encryption using CFB mode . . . 20 4.2 Adversary S attacking

E-CFBLFℓ,t,0ℓ . . . 21 4.3 Notation for the proof of

lemma 4.4.2. . . 24 5.1 Encryption using OFB mode . . . 26

List of tables

(3)

1 Introduction

1.1 Block cipher modes

Block ciphers – keyed pseudorandom permutations – are essential cryptographic tools, widely used for bulk data encryption and to an increasing extent for message authentication. Because the efficient block ciphers we have operate on fixed and relatively small strings of bits – 64 or 128 bits at a time, one needs a ‘mode of operation’ to explain how to process longer messages.

A collection of encryption modes, named ECB, CBC, CFB and OFB, were defined in [Uni81]. Of these, ECB – simply divide the message into blocks and process them independently with the block cipher – is just insecure and not to be recommended for anything much. We describe the other three, and analyse their security using the standard quantitative provable-security approach. All three require an ‘initialization vector’ or ‘IV’ which diversifies the output making it hard to correlate ciphertexts with plaintexts. We investigate which conditions on these IVs suffice for secure encryption.

1.2 Previous work

The first quantitative security proof for a block cipher mode is the analysis of CBCMAC of [BKR94]. Security proofs for the encryption modes CBC and CTR appeared in [BDJR97], which also defines and relates the standard security notions of symmetric encryption. The authors of [AGPS01] offer a proof of CFB mode, though it is incomplete, as we discuss below.

1.3 Our contribution

We introduce a new security notion for symmetric encryption, named ‘result-or-garbage’, or ‘ROG-CPA’, which generalizes the ‘real-or-random’ notion of [BDJR97] and the ‘random-string’ notion of [RBBK01]. Put simply, it states that an encryption scheme is secure if an adversary has difficulty distinguishing true ciphertexts from strings chosen by an algorithm which is given only thelengthof the adversary’s plaintext. This turns out to be just the right tool for analysing our encryption modes. We relate this notion to the standard ‘left-or-right’ notion and, thereby, all the others.

Our bound for CBC mode improves over the ‘tight’ bound proven in [BDJR97] by almost a factor of two. The difference comes because they analyse the construction as if it were built from a PRF and add in a ‘PRP-used-as-a-PRF’ correction term: our analysis considers the effect of a permutation directly. We prove that CBC mode is still secure if an encrypted counter is used in place of a random string as the IV for each message. Finally, we show that the ‘ciphertext stealing’ technique is secure.

For CFB, we first discuss the work of [AGPS01], who offer a proof for both CFB mode and an optimized variant which enhances the error-recovery properties of standard CFB. We show that their proof is incomplete, as shown in sections4.2. We then offer our own proof. We show that full-width CFB is secure if the IV is any ‘generalized counter’, and that both full-width and truncatedt-bit CFB are secure if the IV is an encrypted counter. We also show that, unlike CBC mode, it is safe to ‘carry over’ the final shift-register value from the previous message as the IV for the next message.

(4)

Mode Section Notion Security with (t, q, ε)-PRF (t, q, ε)-PRP

CBC 3 LOR-CPA — 2ε+q(q−1)

2ℓ₋_q

CFB 4 LOR-CPA 2ε+q(q−1) 2ℓ 2ε+

q(q−1) 2ℓ−1

OFB 5 LOR-CPA 2ε+q(q−1) 2ℓ 2ε+

q(q−1) 2ℓ−1

Table 1.1: Summary of our results. In all cases,qis the number of block cipher applications used in the game.

As a convenient guide, our security bounds are summarized in table1.1.

1.4 The rest of the paper

In section2we define the various bits of notation and terminology we’ll need in the rest of the paper. The formal definitions are given for our new ‘result-or-garbage’ security notion, and for our generalized counters. In section3we study CBC mode, and ciphertext stealing. In section4we study CFB mode. In section5we study OFB mode.

2 Notation and definitions

2.1 Bit strings

Most of our notation for bit strings is standard. The main thing to note is that everything is zero-indexed.

• We writeΣ ={0,1}for the set of binary digits. ThenΣn_{is the set of}_n_{-bit strings, and}_Σ∗ is the set of all (finite) bit strings.

• Ifxis a bit string then|x|is the length ofx. Ifx∈Σn_then_|_x_|₌_n_.

• Ifx, y ∈Σn_{are strings of bits of the same length then}_x_⊕_y_∈_Σn_{is their bitwise XOR.}

• Ifxis a bit string andiis an integer satisfying06i <|x|thenx[i]is theith bit ofx. Ifa

andbare integers satisfying0 6a6b6|x|thenx[a .. b]is the substring ofxbeginning with bitaand ending justbeforebitb. We have|x[i]|= 1and|x[a..b]|=b−a; ify=x[a..b] theny[i] =x[a+i].

• Ifxandy are bit strings thenxy is the result of concatenatingy to x. If z = xythen

|z|=|x|+|y|;z[i] =x[i]if06i <|x|andz[i] =y[i− |x|]if|x|6i <|x|+|y|. Sometimes, for clarity (e.g., to distinguish from integer multiplication) we writexkyinstead ofxy.

• The empty string is denotedλ. We have|λ|= 0, andx=xλ=λxfor all stringsx∈Σ∗.

(5)

• Ifxandyare bit strings,|x|=ℓ, and|y|=t, then we definex≪tyas:

x≪ty= (xy)[t .. t+ℓ] =

(

x[t .. ℓ]ky ift < ℓ, or

y[t−ℓ .. t] ift>ℓ.

Observe that, ifz=x≪tythen|z|=|x|=ℓand

z[i] = (xy)[i+t] =

(

x[i+t] if06i < ℓ−t, or

y[i+t−ℓ] ifmin(0, ℓ−t)6i < ℓ.

Obviouslyx≪0λ=x, and if|x|=|y|=tthenx≪ty=y. Finally, if|y|=tand|z|=t′

then(x≪ty)≪t′z=x≪t₊_t′(yz).

2.2 Other notation

• The symbol⊥(‘bottom’) is a value different from every bit string.

• We write Fl,L _{as the set of all functions from} _Σl _to _ΣL_{, and} _Pl _{as the set of all}

permutations onΣl_.

2.3 Algorithm descriptions

Anadversaryis a probabilistic algorithm which attempts (possibly) to ‘break’ a cryptographic scheme. We will often provide adversaries with oracles which compute values with secret data. Therunning timeof an adversary conventionally includes the size of the adversary’s description: this is an attempt to ‘charge’ the adversary for having large precomputed tables.

Most of the notation used in the algorithm descriptions should be obvious. We briefly note a few features which may be unfamiliar.

• The notationa←xdenotes the action of assigning the valuexto the variablea.

• We write oracles as superscripts, with dots marking where inputs to the oracle go, e.g.,

AO(·)_.

• The notationa R

←X, whereXis a finite set, denotes the action of assigning toaa random valuex∈X according to the uniform probability distribution onX; i.e., followinga←R

X, we havePr[a=x] = 1/|X|for anyx∈X.

The notation is generally quite sloppy about types and scopes. We don’t think these informal-ities cause much confusion, and they greatly simplify the presentation of the algorithms.

2.4 Pseudorandom functions and permutations

Our definitions of pseudorandom functions and permutations are standard. We provide them for the sake of completeness.

2.4.1 Definition (Pseudorandom function family) Apseudorandom function family (PRF)F ={FK}Kis a collection of functionsFK: Σℓ →ΣLindexed by akeyK ∈keysF. IfAis any adversary, we

defineA’sadvantage in distinguishingF from a random functionto be

(6)

where the probability is taken over all choices of keys, random functions, and the internal coin-tosses ofA. Theinsecurity ofFis given by

InSecprf(F;t, q) = max

A Adv

prf

F (A)

where the maximum is taken over all adversaries which run in timet and issue at most q

oracle queries. IfInSecprf(F;t, q)6εthen we say thatF is a(t, q, ε)-PRF.

2.4.2 Definition (Pseudorandom permutation family) A pseudorandom permutation family (PRP) E =

{EK}K is a collection of permutations EK: Σℓ → Σℓ indexed by akeyK ∈ keysE. IfAis

any adversary, we defineA’sadvantage in distinguishingEfrom a random permutationto be

AdvprpF (A) = Pr[K

R

←keysE:AEK(·)_{= 1]}₋_Pr[_P _{← P}R ℓ_:_AP(·)_{= 1]}

where the probability is taken over all choices of keys, random permutations, and the internal coin-tosses of A. Note that the adversary is not allowed to query the inverse permutation

E_K−1(·)orP−1₍_·_{). The}_{insecurity of}_E_{is given by}

InSecprp(E;t, q) = max

A Adv

prf

E(A)

where the maximum is taken over all adversaries which run in timet and issue at most q

oracle queries. IfInSecprp(E;t, q)6εthen we say thatEis a(t, q, ε)-PRP.

The following result is standard; we shall require it for the security proofs of CFB and OFB modes. The proof is given as an introduction to our general approach.

2.4.3 Proposition SupposeEis a PRP overΣℓ_{. Then}

InSecprf(E;t, q)6_InSecprp(E;t, q) +q(q−1) 2ℓ+1 .

Proof We claim

InSecprf(Pℓ;t, q)6q(q−1)

2ℓ+1 ,

i.e., that aperfectℓ-bit random permutation is a PRF with the stated bounds. The proposition follows immediately from this claim and the definition of a PRP.

We now prove the claim. Consider any adversaryA. Letxi beA’s queries, and letyibe the

responses, for0 6i < q. Assume, without loss of generality, that thexiare distinct. LetCn

be the event in the random-function gameExptprf-_Pℓ0(A)thatyi = yj for someiandj where 06i < j < n. Then

Pr[Cn]6

X

06i<n

i

2ℓ =

n(n−1)

2ℓ+1 . (1)

It’s clear that the two games proceed identically ifCq doesn’t occur in the random-function

game. The claim follows.

2.5 Symmetric encryption

(7)

2.5.1 Definition (Symmetric encryption) Asymmetric encryption schemeis a triple of algorithmsE = (G, E, D), with three (implicitly) associated sets: a keyspace, a plaintext space, and a ciphertext space.

• Gis a probabilistickey-generation algorithm. It is invoked with no arguments, and returns a keyKwhich can be used with the other two algorithms. We writeK←G().

• Eis a probabilisticencryption algorithm. It is invoked with a keyKand aplaintextxin the plaintext space, and it returns aciphertextyin the ciphertext space. We writey←EK(x).

• Dis a deterministicdecryption algorithm. It is invoked with a keyK and a ciphertexty, and it returns either a plaintextxor the distinguished symbol⊥. We writex←DK(y).

For correctness, we require that whenevery is a possible result of computingEK(x), then

x=DK(y).

Our primary notion of security isleft-or-right indistinguishability under chosen-plaintext attack

(LOR-CPA), since it offers the best reductions to the other common notions. (We can’t achieve security against chosen ciphertext attack using any of our modes, so we don’t even try.) See [BDJR97] for a complete discussion of LOR-CPA, and how it relates to other security notions for symmetric encryption.

2.5.2 Definition (Left-or-right indistinguishability) LetE= (G, E, D)be a symmetric encryption scheme. Define the function lr(b, x0, x1) = xb. Then for any adversary A, we defineA’s advantage against the LOR-CPA security ofEas

Advlor-cpa_E (A) = Pr[K←G() :AEK(lr(1,·,·))_{= 1]}₋_Pr[_K_←_G_{() :}_AEK(lr(0,·,·))_{= 1]}_.

We define theLOR-CPA insecurity ofEto be

InSeclor-cpa(E;t, qE, µE) = max

A Adv

lor-cpa

E (A)

where the maximum is taken over all adversaries which run in timetand issue at mostqE

encryption queries totalling at mostµEbits. IfInSeclor-cpa(E;t, qE, µE)6εthen we say thatE

is(t, qE, µE, ε)-LOR-CPA.

Our second notion is named result-or-garbage and abbreviated ROG-CPA. It is related to the notion used by [RBBK01], though different in important ways: for example, there are reductions both ways between ROG-CPA and LOR-CPA (and hence the other standard notions of security for symmetric encryption), whereas the notion of [RBBK01] is strictly stronger than LOR-CPA. Our idea is that an encryption scheme is secure if ciphertexts of given plaintexts –results– hard to distinguish from strings constructed independently of any plaintexts –garbage. We formalize this notion in terms of agarbage-emission algorithmWwhich is given only the length of the plaintext. The algorithmW will usually be probabilistic, and may maintain state. Unlike [RBBK01], we don’t require thatW’s output ‘look random’ in any way, just that it be chosen independently of the adversary’s plaintext selection.

2.5.3 Definition (Result-or-garbage indistinguishability) LetE = (G, E, D)be a symmetric encryption scheme, and let W be a possibly-stateful, possibly-probabilistic garbage-emission algorithm. Then for any adversaryA, we defineA’sadvantage against the ROG-CPA-W security ofEas

(8)

We define theROG-CPA insecurity ofEto be

InSeclor-cpa(E;t, qE, µE) = max

A Adv

lor-cpa

E (A)

where the maximum is taken over all adversaries which run in timetand issue at mostqE

encryption queries totalling at mostµE bits. IfInSecrog-cpa-W(E;t, qE, µE) 6 εfor some W

then we say thatEis(t, qE, µE, ε)-ROG-CPA.

The following proposition relates our new notion to the existing known notions of security.

2.5.4 Proposition (ROG⇔LOR) LetEbe a symmetric encryption scheme. Then,

1. for all garbage-emission algorithmsW,

InSeclor-cpa(E;t, qE, µE)62·InSecrog-cpa-W(E;t+tEµE, qE, µE)

and

2. there exists a garbage-emission algorithmWRORfor which

InSecrog-cpa-WROR₍_E_;_{t, q}

E, µE)6InSeclor-cpa(E;t+tEµE, qE, µE)

for some fairly small constanttE.

2.5.5 Remark Note the asymmetry between these two statements. ROG-CPA-W implies LOR-CPA for anygarbage emitter W, but LOR-CPA implies ROG-CPA-WROR for the specific emitter

WRORonly.

Proof of proposition2.5.4 1. LetW andEbe given, and letAbe an adversary attacking the LOR-CPA security ofE. Consider adversaryBattackingE’s ROG-CPA-W security.

AdversaryBE(·):

b∗ R

←Σ;

b←AE(lr(b∗

,·,·))_;

ifb=b∗_{then return}₁_{else return}_0;

Functionlr(b, x0, x1):

ifb= 0then returnx0else returnx1;

IfE(·)is the ‘result’ encryption oracle, thenB simulates the left-or-right game for the benefit of A, and therefore returns 1 with probability (Advlor-cpaE (A) + 1)/2. On the other hand, ifE(·)returns ‘garbage’ then the oracle responses are entirely independent ofb∗_{. This follows because}_A_{is constrained to query only on pairs of plaintexts with} equal lengths, and the responses are dependent only on these (common) lengths and any internal state and coin tosses ofW. Sobis independent ofb∗ _and_Pr[_b ₌ _b∗_{] =} 1

2. The

result follows.

2. LetE = (G, E, D)be given. Our garbage emitter simulates the real-or-random game of [BDJR97]. LetKW =⊥initially: we define our emitterWRORthus:

Garbage emitterWROR(n): ifKW =⊥thenKW ←G();

x←R Σn_;

returnEKW(x);

We now show thatInSecrog-cpa-WROR₍_E_;_{t, q}

E, µE) 6 InSeclor-cpa(E;t+tEµE, qE, µE)for

ourWROR. LetAbe an adversary attacking the ROG-CPA-WRORsecurity ofE. Consider

(9)

AdversaryBE(·,·)_: b←Alorify(·)_;

returnb;

Functionlorify(x):

x′ R

←Σ|x|_; returnE(x′_{, x}_);

The adversary simulates the ROG-CPA-WRORgames perfectly, since the game has chosen

the randomKW for us already: the ‘left’ game returns only the results of encrypting

random ‘garbage’ plaintextsx′_{, while the right game returns correct results of encrypting}

the given plaintextsx. The result follows.

2.6 Initialization vectors and encryption modes

In order to reduce the number of definitions in this paper to a tractable level, we will describe the basic modes independently of how initialization vectors (IVs) are chosen, and then construct the actual encryption schemes by applying various IV selection methods from the modes.

We consider the following IV selection methods.

Random selection An IV is chosen uniformly at random just before encrypting each message.

Counter The IV for each message is ageneralized counter(see discussion below, and definition2.6.1).

Encrypted counter

The IV for a message is the result of applying the block cipher to a generalized counter, using the same key as for message encryption.

Carry-over The IV for the first message is fixed; the IV for subsequent messages is some function of the previous plaintexts or ciphertexts (e.g., the last ciphertext block of the previous message).

Not all of these methods are secure for all of the modes we consider.

2.6.1 Definition (Generalized counters) IfSis a finite set, then ageneralized counter inSis an bijection

c:{0,1, . . . ,|S| −1} ↔S. For brevity, we shall refer simply to ‘counters’, leaving implicit the

generalization.

2.6.2 Remark (Examples of generalized counters)

• There is a ‘natural’ binary representation of the natural numbers{0,1, . . . ,2ℓ ₋₁_} _as

ℓ-bit strings: for anyn ∈ {0,1, . . . ,2ℓ₋₁_}_{, let} _R₍_n₎ _{be the unique}_r _∈ _Σℓ _{such that}

n=P

06i<ℓ2ir[i]. ThenR(·)is a generalized counter inΣℓ.

• We can represent elements of the finite fieldF₂ℓ asℓ-bit strings. Letp(x) ∈ F₂[x]be a primitive polynomial of degreeℓ; then representF₂ℓ byF₂[x]/(p(x)). Now for anya ∈ F₂ℓ, letR(a)be the uniquer∈Σℓsuch thata=P₀₆_i<ℓxir[i]. Becausep(x)is primitive,

xgenerates the multiplicative groupF∗

2ℓ, so definec(n) =R(xn)for06n <2ℓ−1and

c(2ℓ−1_{) = 0}ℓ_{; then}_c₍_·₎_{is a generalized counter in}_Σℓ_{. This counter can be implemented}

efficiently in hardware using a linear feedback shift register.

2.6.3 Definition (Encryption modes) Ablock cipher encryption modemP = (encrypt,decrypt)is a pair of

deterministic oracle algorithms (and implicitly-defined plaintext and ciphertext spaces) which satisfy the following conditions:

(10)

plaintextxand an initialization vectorv ∈ Σℓ_{, it returns a ciphertext}_y _{and a}_chaining valuev′_∈_Σℓ_{. We write}₍_v′_{, y}_{) =}_encryptP(·)₍_{v, x}_).

2. The algorithmdecryptruns with oracle access to a permutationP: Σℓ_↔_Σℓ_{and its inverse}

P−1₍_·_{); on input a ciphertext}_y _{and an initialization vector}_v _∈_Σℓ_{, it returns a plaintext}

x. We write thatx=decryptP(·),P−1(·)(v, y).

3. For all permutationsP: Σℓ_↔_Σℓ_{, all plaintexts}_x_{and all initialization vectors}_v_{, if}₍_v′_{, y}_{) =}

encryptP(·)(v, x)thenx=decryptP(·),P−1(·)(v, y).

Similarly, aPRF encryption modemF = (encrypt,decrypt)is a pair of deterministic oracle

al-gorithms (and implicitly-defined plaintext and ciphertext spaces) which satisfy the following conditions:

1. The algorithm encrypt runs with oracle access to a functionF: Σℓ _→ _ΣL_{; on input a}

plaintextxand an initialization vectorv ∈ Σℓ_{, it returns a ciphertext}_y _{and a}_chaining valuev′_∈_Σℓ_{. We write}₍_v′_{, y}_{) =}_encryptF(·)₍_{v, x}_).

2. The algorithm decrypt runs with oracle access to a function F: Σℓ _→ _ΣL_{; on input a}

ciphertexty and an initialization vectorv ∈ Σℓ_{, it returns a plaintext}_x_{. We write that}

(v′, x) =decryptF(·)(v, y).

3. For all functionsF: Σℓ → ΣL, all plaintextsxand all initialization vectorsv, if(v′, y) =

encryptF(·)₍_{v, x}₎_then_x₌_decryptF(·)

(v, y).

2.6.4 Definition (Symmetric encryption schemes from modes) LetFbe a pseudorandom permutation on Σℓ_{(resp. a pseudorandom function from}_Σℓ_to_ΣL_{); let}_m_{= (}_encrypt_,_decrypt₎_{be a block cipher}

(resp. PRF) encryption mode. (To save on repetition, ifFis a PRF then defineF_K−1(x) =⊥for all keysKand inputsx.) We define the following symmetric encryption schemes according to how IVs are selected.

• Randomized selection: defineE-m$F = (G-m$F, E-m$F, D-m$F), where

AlgorithmG-m$F():

K←R keysF; returnK;

AlgorithmE-m$F(K, x):

v←R Σℓ_;

(v′_{, x}₎_←_encryptFK(·)₍_{v, x}_); return(v, y);

AlgorithmD-m$F(K, y′_); (v, y)←y′_;

(v′_{, x}₎_←

decryptFK(·),F−

1

K (·)₍_{v, y}_); returnx;

• Generalized counters: defineE-mCF,c = (G-mCF,c, E-mCF,c, D-mCF,c), where c is a generalized counter inΣℓ_{, and}

AlgorithmG-mCF,c():

K R

←keysF;

i-msg←0; returnK;

AlgorithmE-mCF,c(K, x):

i←c(i-msg);

(v′_{, x}₎_←_encryptFK(·)₍_{i, x}_);

i-msg←i-msg+ 1; return(i, y);

AlgorithmD-mCF,c(K, y′_); (i, y)←y′_;

(v′_{, x}₎_←

decryptFK(·),FK−1(·)₍_{i, y}_); returnx;

(11)

AlgorithmG-mEF,c():

K R

←keysF;

i-msg←0; returnK;

AlgorithmE-mEF,c(K, x):

i←c(i-msg);

v←FK(i)[0.. ℓ];

(v′_{, x}₎_←_encryptFK(·)₍_{v, x}_);

i-msg←i-msg+ 1; return(i, y);

AlgorithmD-mEF,c(K, y′_); (i, y)←y′_;

v←FK(i)[0.. ℓ];

(v′_{, x}₎_←

decryptFK(·),F−

1

K (·)₍_{v, y}_); returnx;

(We requireL>ℓfor this to be well-defined; otherwise the encrypted counter value is too short.)

• Carry-over: defineE-mLF,V0 = (G-mLF,V0, E-mLF,V0, D-mLF,V0)whereV0 ∈ Σℓ _{is the}

initialization vector for the first message, and

AlgorithmG-mLF,V0():

K R

←keysF;

v-next←V0; returnK;

AlgorithmE-mLF,V0(K, x):

v←v-next;

(v′_{, x}₎_←_encryptFK(·)₍_{v, x}_);

v-next←v′_; return(v, y);

AlgorithmD-mLF,V0(K, y′_); (v, y)←y′_;

(v′_{, x}₎_←

decryptFK(·),FK−1(·)₍_{v, y}_); returnx;

Note that, while the encryption algorithms of the above schemes are either randomized or stateful, the decryption algorithms are simple and deterministic.

The following simple and standard result will be very useful in our proofs.

2.6.5 Proposition

1. Suppose thatEP _{= (}_GP_{, E}P_{, D}P₎_{is one of the symmetric encryption schemes of definition}_2.6.4_, constructed from a pseudorandom permutationP: Σℓ _↔ _Σℓ_{. If} _q _{is an upper bound on the} number of PRP applications required for the encryptionqEmessages totallingµEbits, then there is some small constantt′_{such that}

InSeclor-cpa(EP;t, qE, µE)6InSeclor-cpa(EP

ℓ

;t, qE, µE) + 2·InSecprp(P;t+qt′, q).

2. Similarly, suppose that EF _{= (}_GF_{, E}F_{, D}F₎ _{is one of the symmetric encryption schemes of} definition2.6.4, constructed from a pseudorandom functionF: Σℓ_→_ΣL_{. If}_q_{is an upper bound} on the number of PRP applications required for the encryptionqE messages totallingµE bits, then there is some small constantt′_{such that}

InSeclor-cpa(EF;t, qE, µE)6InSeclor-cpa(EF

ℓ,L

;t, qE, µE) + 2·InSecprf(F;t+qt′, q).

Proof 1. LetAbe an adversary attacking the LOR-CPA security ofEP_{, which takes time}_t

and issuesqEencryption queries totallingµEbits. We construct an adversaryBattacking

the security of the PRPP as follows. B selects a randomb∗ _∈R _{Σ. It then runs} _A_, simulating the LOR-CPA game by usingb∗_{to decide whether to encrypt the left or right} plaintext, and using its oracle access toP to do the encryption. Eventually,Areturns a bitb. Ifb=b∗_,_B_returns₁_{(indicating ‘pseudorandom’); otherwise it returns}_0.

IfB’s oracle is selected from the PRPP, thenB correctly simulates the LOR-CPA game forEP_{, and}_B _returns₁_{with probability precisely}₍_Advlor-cpa

EP (A) + 1)/2. Conversely, if

B’s oracle is a random permutation, thenB correctly simulates the LOR-CPA game for

EPℓ

, soBreturns1with probability(Advlor-cpa_EP (A) + 1)/2. Thus, we have

Advprp_P (B) = (Advlor-cpa_EP (A) + 1)/2−(Adv lor-cpa

(12)

= (Advlor-cpa_EP (A)−Adv lor-cpa

EPℓ (A))/2. (3) Note that the extra work whichBdoes overA– initialization, tidying up and encrypting messages – is bounded by some small constanttP multiplied by the number of oracle

queriesqmade byB, and the required result follows by multiplying through by2and rearranging.

2. The proof for this case is almost identical: merely substituteFforP, ‘PRF’ for ‘PRP’ and

Fℓ,L_for_Pℓ_{in the above.}

Of course, proving theorems about each of the above schemes individually will be very tedious. We therefore define a ‘hybrid’ scheme which switches between the above selection methods. This isn’t a practical encryption scheme – just a ‘trick’ to reduce the number of complicated proofs we need to give.

2.6.6 Definition (Hybrid encryption modes) Let nL, nC andnE be nonnegative integers, with nL+

nC+nE62ℓ; letF be a pseudorandom permutation onΣℓ(resp. a pseudorandom function

from Σℓ _to _ΣL_{); let} _m _{= (}_encrypt_,_decrypt₎ _{be a block cipher (resp. PRF) encryption mode}

let V0 ∈ Σℓ _{be an initialization vector; and let}_c_:_{₀_,₁_{, . . . ,}₂ℓ ₋₁_{} →} _Σℓ _{be a generalized}

counter. (Again, ifF is a PRF, we setFK(x) = ⊥for allK and x.) We define the scheme E-mHF,V0,cnL,nC,nE = (G-mH

F,V0,c

nL,nC,nE, E-mH

F,V0,c

nL,nC,nE, D-mH

F,V0,c

nL,nC,nE)as follows.

AlgorithmG-mHF,V0,cnL,nC,nE():

K←R keysF;

i-msg←0;

v-next←V0; returnK;

AlgorithmD-mHF,V0,cnL,nC,nE(K, y ′_); (v, y)←y′_;

(v′_{, x}₎_←_decryptFK(·),F

−1

K (·)(v, y); returnx;

AlgorithmE-mHF,V0,cnL,nC,nE(K, x): ifi-msg< nLthenv←v-next;

else ifi-msg< nL+nCthenv←c(i-msg);

else ifi-msg< nL+nC+nEthenv←FK(c(i-msg)[0.. ℓ]);

elsev←R Σℓ_;

(v′_{, x}₎_←_encryptFK(·)₍_{v, x}_);

v-next←v′_;

i-msg←i-msg+ 1; return(v, y);

For this to be well-defined, we require thatL>ℓornE= 0– otherwise the encrypted counter

values are too short.

The following proposition relates the security of our artificial hybrid scheme to that of the practical schemes defined in definition2.6.4.

2.6.7 Proposition LetF be a pseudorandom permutation onΣℓ_{(resp. a pseudorandom function from}_Σℓ_to

ΣL_{); let}_m_{be a block cipher (resp. PRF) encryption mode. Then:}

1. InSeclor-cpa(E-m$F;t, qE, µE)6InSeclor-cpa(E-mHF,V0,c0,0,0 ;t, qE, µE)

2. InSeclor-cpa(E-mCF,c;t, qE, µE)6InSeclor-cpa(E-mHF,V0,cqE,0,0;t, qE, µE)

(13)

x0

⊕

v

E

y0 K

x1

⊕

E

y1 K

xi

⊕

E

yi

K

xn−1

⊕

E

yn−1 K

Figure 3.1: Encryption using CBC mode

4. InSeclor-cpa(E-mLF,V0;t, qE, µE)6InSeclor-cpa(E-mHF,V0,c0,0,qE;t, qE, µE)

Proof For 1, it suffices to observe thatE-m$F ≡ E-mHF,V0,c0,0,0 for anyc,V0. For 2, note that E-mCF,cbehaves identically toE-mHF,V0,cqE,0,0 for anyc,V0for the firstqE encryption queries; but no adversary is permitted to exceed this limit, and hence no adversary can distinguish the two. Similarly, for 4, note thatE-mLF,V0 behaves identically toE-mHF,V0,c0,0,qE for anyc,V0 for the firstqEencryption queries.

The case of 3 is slightly more complicated:E-mEF,cbehaves identically toE-mHF,V0,c0,qE,0for the firstqE encryption queries exceptthat the latter returns different initialization vectors from

its encryption oracle. However, since the counterc is fixed public knowledge, it is trivial to construct a fully faithful replica of the mE game given the hybrid oracle, such that no

adversary can distinguish the two.

3 Ciphertext block chaining (CBC) encryption

3.1 Description

Suppose E is an ℓ-bit pseudorandom permutation. CBC mode works as follows. Given a messageX, we divide it intoℓ-bit blocksx0,x1,. . .,xn−1. Choose an initialization vector v ∈ Σℓ_{. Before passing each}_x

i through E, we XOR it with the previous ciphertext, withv

standing in for the first block:

y0=EK(x0⊕v) yi=EK(xi⊕yi−1(for16i < n). (4)

The ciphertext is then the concatenation ofvand theyi. Decryption is simple:

x0=E_K−1(y0)⊕v xi=EK−1(yi)⊕yi−1(for16i < n) (5)

See figure3.1for a diagram of CBC encryption.

3.1.1 Definition (CBC algorithms) For any permutationP: Σℓ _→_Σℓ_{, any initialization vector}_v _∈_Σℓ_,

any plaintextx ∈ ΣℓN

(14)

Algorithmcbc-encryptP(·)(v, x):

y←λ;

fori= 0to|x|/ℓdo

xi←x[ℓi .. ℓ(i+ 1)];

yi←P(xi⊕v);

v←yi;

y←ykyi;

return(v, y);

Algorithmcbc-decryptP(·),P− 1

(·)₍_{v, y}_):

if|y|modℓ6= 0then return⊥;

x←λ;

for1 = 0to|y|/ℓdo

yi←y[ℓi .. ℓ(i+ 1)];

xi ←P−1(yi)⊕v;

v←yi;

x←xkxi;

return(v, x);

Now, let c be a generalized counter in Σℓ_{. We define the encryption schemes} _E_-CBC_$P

,

E-CBCEP,candE-CBCHP,c,0,0,n⊥E, as described in definition2.6.4.

3.2 Security of CBC mode

We now present our main theorem on CBC mode.

3.2.1 Theorem (Security of hybrid CBC mode) LetP: keysP ×Σℓ_→_Σℓ_{be a pseudorandom permutation;} letV0 ∈ Σℓ_{be an initialization vector; let}_n

L ∈ {0,1}; letcbe a generalized counter inΣℓ; and let

nC ∈ Nbe a nonnegative integer; and suppose that at most one ofnL andnC is nonzero. Then, for anyt,qE >nandµE,

InSeclor-cpa(E-CBCHP,c,V0nL,0,nE;t, qE, µE)62·InSec

prp₍_P_;_t₊_qt

P, q) +

q(q−1) 2ℓ₋_q

whereq=nL+nE+µE/ℓandtPis some small constant.

The proof of this theorem we postpone until section 3.4. As promised, the security of our randomized and stateful schemes follow as simple corollaries.

3.2.2 Corollary (Security of practical CBC modes) LetP andcbe as in theorem3.2.1. Then for anyt,qE andµE, and some small constanttP,

InSeclor-cpa(E-CBC$P;t, qE, µE)62·InSecprp(P;t+qtP, q) +

q(q−1) 2ℓ₋_q

InSeclor-cpa(E-CBCEP,c;t, qE, µE)62·InSecprp(P;t+q′tP, q′) +

q′₍_q′₋₁₎ 2ℓ₋_q′

and

InSeclor-cpa(E-CBCLP,V0;t,1, µE)62·InSecprp(P;t+qtP, q) +

q(q−1) 2ℓ₋_q

whereq=µE/ℓ, andq′=q+qE.

Proof Follows from theorem3.2.1and proposition2.6.7.

3.2.3 Remark The insecurity of CBC mode over that inherent in the underlying PRP is essentially a birthday bound: note forq62ℓ/2_{, our denominator}₂ℓ₋_q_≈₂ℓ_{, and for larger}_q_{, the term}

q(q−1)/2ℓ _> ₁_{anyway, so all security is lost (according to the above result). Compared to}

[BDJR97, theorem 17], we gain the tiny extra term in the denominator, but lose the

PRP-as-a-PRF termq2_/₂ℓ−1_.1

1 _{In fact, they don’t prove the stated bound of}_q(3q −2)/2

ℓ+1_{but instead the larger}_q(2q

−1)/2 ℓ

(15)

x0

⊕

v

E

y0 K

x1

⊕

E

y1 K

xi

⊕

E

yi

K

xn−2

⊕

E K

xn−1k0ℓ−t

⊕

yn−1[0.. t] E K

yn−2

y0

D K

⊕ ⊕

v

x0

y1

D K

⊕

x1

yi

D K

⊕

xi

yn−2

D K

z

⊕

0t_k_z_[_t..ℓ_]

⊕

xn−1[0.. t] yn−1k0ℓ−t

D K

xn−2

Figure 3.2: Encryption and decryption using CBC mode with ciphertext stealing

3.3 Ciphertext stealing

Ciphertext stealing [Dae95,Sch96,BR96] allows us to encrypt any message inΣ∗_{without the} need for padding. The trick is to fill in the ‘gap’ at the end of the last block with the end bit of the previous ciphertext, and then to put the remaining short penultimate block at the end. Decryption proceeds by first decrypting the final block to recover the remainder of the penultimate one. See figure3.2.

Encrypting messages shorter than the block involves ‘IV stealing’ – using the IV instead of the ciphertext from the last full-length block – which is a grotty hack but works fine if IVs are random; if the IVs are encrypted counters then there’s nothing (modifiable) to steal from.

We formally present a description of a randomized CBC stealing mode.

3.3.1 Definition (CBC mode with ciphertext stealing) Let P: keysP ×Σℓ _→ _Σℓ _{be a pseudorandom}

permutation. Letc be a generalized counter onΣℓ_{. We define the randomized symmetric}

(16)

AlgorithmG-CBC$-stealP():

K←R keysP; returnK;

AlgorithmE-CBC$-stealP(K, x):

t← |x|modℓ;

ift6= 0thenx←xk0ℓ−t_;

v R

←Σℓ_;

y←vkcbc-encrypt(K, v, x); ift6= 0then

b← |y| −2ℓ;

y←y[0.. b]ky[b+ℓ ..|y|]k

y[b .. b+t]; returny;

AlgorithmD-CBC$-stealP(K, y): if|y|< ℓthen return⊥;

v←y[0.. ℓ];

t=|y|modℓ; ift6= 0then

b← |y| −t−ℓ;

z←PK−1(y[b .. b+ℓ]);

y←y[0.. b]ky[b+ℓ ..|y|]k

z[t .. ℓ];

x←cbc-decrypt(K, v, y[ℓ ..|y|]); ift6= 0then

x←xkz[0.. t]⊕y[b .. b+t]; returnx;

The security of ciphertext stealing follows directly from the definition and the security CBC mode.

3.3.2 Corollary (Security of CBC with ciphertext stealing) LetP: keysP ×Σℓ _→ _Σℓ _{be a pseudorandom} permutation. Then

InSeclor-cpa(E-CBC$-steal;t, qE, µE)6InSeclor-cpa(E-CBC$;t, qE, µE+qE(ℓ−1))

62·InSecprp(P;t+qtP, q) + q(q−1)

2ℓ₋₂ℓ/2

whereq=

µE+qE(ℓ−1)/ℓandtPis some small constant.

Proof From the definition, we see that the encryption algorithmE-CBC-stealsimply pads a plaintext, encrypts it as for standard CBC mode, and postprocesses the ciphertext. Hence, ifA

is any adversary attackingE-CBC-steal, we can construct an adversaryA′_{which simply runs}

Aexcept that, on each query to the encryption oracle, it pads both plaintexts, queries its CBC oracle, postprocesses the ciphertext returned, and gives the result back toA. The fact that plaintexts can now be up toℓ−1bits shorter than the next largest whole number of blocks means thatBsubmits no more thanµE+qE(ℓ−1)bits of plaintext to its oracle. The required

result follows then directly from theorem3.2.1.

3.4 Proof of theorem

3.2.1

The techniques and notation used in this proof will also be found in several of the others. We recommend that readers try to follow this one carefully.

We begin considering CBC mode using a completely random permutation. To simplify notation slightly, we shall writen = nL +nE. Our main goal is to prove the claim that

there exists a garbage-emitterW such that

InSecrog-cpa-W(E-CBCHPnLℓ,c,V0,0,nE;t, qE, µE)6

q(q−1) 2·(2ℓ₋_n₎.

From this, we can apply proposition2.5.4to obtain

InSeclor-cpa(E-CBCHP0,0ℓ,c,,n⊥;t, qE, µE)6 q(q−1)

(17)

Initialization:

i←0;

gone←∅_;

Functionfresh()

x←R Σℓ_\_gone_; gone←gone∪ {x}; returnx;

Garbage emitterW(m): ifi>2ℓ_{then abort}_;

ifi < nLthenv←V0;

else ifi < nthenv←fresh();

i←i+ 1 elsev←R Σℓ_;

y←λ;

forj= 0tom/ℓ;

yj ←fresh();

y←ykyj;

return(v, y);

Figure 3.3: Garbage emitterW for CBC mode

and, noting that there are preciselyq=µE/ℓPRP-applications, we apply proposition2.6.5to

obtain the required result.

Our garbage-emitterW is a bit complicated. It chooses random but distinctblocks for the ‘ciphertext’; for the IVs, it usesV0 for the first message ifnL = 1, and otherwise it chooses

random blocks distinct from each other and the ‘ciphertext’ blocks for the nextnEmessages,

and just random blocks for subsequent ones. The algorithmWis shown in figure3.3.

Fortunately, it doesn’t need to be efficient: the above simulations only need to be able to do the LOR game, not the ROG one. The unpleasant-soundingabortonly occurs after2ℓ_queries.

If that happens we give up and say the adversary won anyway: the claim is trivially true by this point, since the adversary’s maximum advantage is 1.

Now we show that this lash-up is a good imitation of CBC encryption to someone who doesn’t know the key. The intuition works like this: every time we query a random permutation at a new, fresh input value, we get a new, different, random output value; conversely, if we repeat an input, we get the same value out as last time. So, in the real ‘result’ CBC game, if all the permutation inputs are distinct, it looks just like the garbage emitted byW. Unfortunately, that’s not quite enough: the adversary can work out what the permutation inputs ought to be and spot when there ought to have been a collision but wasn’t. So we’ll show that, provided all theP-inputs – values whichwouldbe input to the permutation if we’re playing that game – are distinct, the two games look identical.

We need some notation to describe the values in the game. Letci = c(i)be theith counter

value, for0 6i < nE, and letvibe theith initialization vector, wherev0 = V0 is as given if

nL= 1,vi =P(ci−nL)ifnL6i < n, andvi ∈R Σℓifn6i < qE. Letq′ =µE/ℓ=q−nbe

the total number of plaintext blocks in the adversary’s queries, letxibe theith plaintext block

queried, letyibe theith ciphertext block returned, let

wi=

(

vj if blockiis the first block of thejth query, and

yi−1 otherwise

and letzi=xi⊕wi, all for06i < q′. This is summarized diagrammatically in figure3.4. The

P-inputs are now precisely theciand thezi. We’ll denote probabilities in the ‘result’ game as

(18)

ci E

K

vi

xi ⊕ zi _E

K

yi

wi

vj or yi−1

Figure 3.4: Notation for the proof of theorem3.2.1.

LetCr be the event, in either game, thatzi = zj for some 0 6 i < j < r, or thatzi = cj

for some0 6 i < rand some 0 6 j < nE. We need to bound the probability that Cq′

occurs in both the ‘result’ and ‘garbage’ games. We’ll do this inductively. By the definition, PrR[C0] = PrG[C0] = 0.

Firstly, tweak the games so that all of the IVs corresponding to counters are chosen at the beginning, instead of as we go along. Obviously this doesn’t make any difference to the adversary’s view of the proceedings, but it makes our analysis easier.

Let’s assume thatCrdidn’t happen; we want the probability thatCr+1did, which is obviously

just the probability thatzrcollides with somezifor06i < ror somecifor06i < n. At this

point, the previousziare fixed. So:

Pr[Cr+1|C¯r] =

X

z∈Σℓ

X

06i<n

Pr[z=ci] +

X

06i<r

Pr[z=zi]

·Pr[zr=z] (6)

Now note thatzr=wr⊕xr. We’ve no idea howxrwas chosen; but, one of the following cases

holds.

1. Ifxris the first block of the first plaintext, i.e.,r= 0, andnL= 1, thenwr=v0. However,

in this case we know thatnE = 0by hypothesis. There are noziwhichzrmight collide

with, so the probability of a collision is zero.

2. Ifxr is the first block of plaintexti, and0 6 i < n, thenwr = vi, and was chosen at

random from a set of2ℓ₋_i ₆ ₂ℓ₋_n ₆ ₂ℓ₋_n₋_r_{possibilities, either by our random}

permutation or byW. We knowxris independent ofwrbecause none of the previous

P-inputs were equal toci, by our assumption ofC¯r.

3. Ifxr is the first block of plaintexti, andn 6 i < q′, thenwr = vi, and was chosen at

random from all2ℓpossibleℓ-bit blocks. We knowxris independent ofwrbecause we

just chosewrat random, afterxrwas chosen.

4. Otherwise,xris a subsequent block in some message, andwr=yr−1, and was chosen at

random from a set of2ℓ₋_n₋_r_{possibilities, either by our random permutation or by}_W_.

We knowxris independent ofwrbecausezr−1is a newP-input, by our assumption of

¯

Cr.

So, except in case 1, which isn’t a problem anyway, wr is independent of xr, and chosen

uniformly at random from a set of at least2ℓ₋_r₋_n_{elements, in either game – so we can}

(19)

zi⊕xandci⊕xmust all be distinct, for any fixedx. So:

Pr[Cr+1|C¯r] =

X

x∈Σℓ

X

06i<n

Pr[wr=x⊕ci] +

X

06i<r

Pr[wr=x⊕zi]

·Pr[xr=x] (7)

6 X

x∈Σℓ

r+n

2ℓ₋_r₋_nPr[xr=x] =

r+n

2ℓ₋_r₋_n

X

x∈Σℓ

Pr[xr=x] (8)

= r+n

2ℓ₋_r₋_n. (9)

Now we’re almost home. All theciandziare distinct; all theviandyiare random, assuming

Cq′. We can boundPr[C_q′]thus:

Pr[Cq′]6

X

0<i6q′

Pr[Ci|C¯i−1]6

X

06i6q′

i+n−1

2ℓ₋_i₋_n_{+ 1} (10)

Now, leti′₌_i₊_n₋_{1. Then}

Pr[Cq′]6

X

n−16i′₆_q′₊_n₋₁

i′ 2ℓ₋_i′ 6

X

06i′_<q

i′ 2ℓ₋_q =

q(q−1)

2·(2ℓ₋_q₎ (11)

Finally, letRbe the event that the adversary returned 1 at the end of the game – indicating a guess of ‘result’. Then, noting as we have, thatPrR[Cq′] = Pr_G[C_q′], we get this:

Advrog-cpa-_E_-CBCHWP,c,n(A) = PrR[R]−PrG[R] (12) = (PrR[R|Cq′] Pr_R[C_q′] + Pr_R[R|C¯_q′] Pr_R[ ¯C_q′])−

(PrG[R|Cq′] Pr_R[C_q′] + Pr_G[R|C¯_q′] Pr_G[ ¯C_q′]) (13)

= PrR[R|Cq′] Pr_R[C_q′]−Pr_G[R|C_q′] Pr_G[C_q′] (14)

6Pr[Cq′]6 q(q−1)

2·(2ℓ₋_q₎ (15)

And we’re done!

4 Ciphertext feedback (CFB) encryption

4.1 Description

Suppose F is an ℓ-bit-to-L-bit pseudorandom function, and lett 6 L. CFB mode works as follows. Given a messageX, we divide it into t-bit blocksx0,x1, . . ., xn−1. Choose an

initialization vectorv ∈Σℓ_{. We maintain a}_{shift register}_s

i, whose initial value isv. To encrypt

a blockxi, we XOR it with the result of passing the shift register through the PRF, formingyi,

and then update the shift register by shifting in the ciphertext blockyi. That is,

s0=v yi=xi⊕FK(si) si+1=si≪tyi(for06i < n). (16)

Decryption follows from noting that xi = yi⊕FK(si). See figure 4.1 for a diagrammatic

representation.

(20)

v ≪t ℓ E ℓ K ⊕ t x0 t y0 t t ≪t ℓ E ℓ K ⊕ t x1 t y1 t t ≪t ℓ E ℓ K ⊕ t

xi _t

yi t t E ℓ K ⊕ t

xn−1 _t

yn−1

t

Figure 4.1: Encryption using CFB mode

4.1.1 Definition (CFB algorithms) For any function F: Σℓ _→ _Σt_{, any initialization vector} _v _∈ _Σℓ_,

any plaintextx ∈ Σ∗ _{and any ciphertext}_y _∈ _Σ∗_{, we define PRF encryption mode} _CFB ₌ (cfb-encrypt,cfb-decrypt)as follows:

Algorithmcfb-encrypt(F, v, x):

s←v;

L← |x|;

x←xk0t⌈L/t⌉−L_;

y←λ;

fori= 0to(|x| −t′₎_/t_do

xi←x[ti .. t(i+ 1)];

yi←xi⊕F(s);

s←s≪tyi;

y←ykyi;

return(s, y[0.. L]);

Algorithmcfb-decrypt(F, v, y):

s←v;

L← |y|;

y←yk0t⌈L/t⌉−L_;

x←λ;

fori= 0to(|x| −t′₎_/t_do

yi←y[ti .. t(i+ 1)];

xi←xi⊕F(s);

s←s≪tyi;

x←xkxi;

returnx[0.. L];

We now define the schemes E-CFB$F, E-CFBCF,c, E-CFBEF,c, and E-CFBLF,V0 according to definition 2.6.4; and we define the hybrid scheme E-CFBHF,V0,cnL,nC,nE according to

defini-tion2.6.6.

4.2 Sliding strings

Consider for a moment the mode CFBL, i.e., with carry-over of IV from one plaintext to the next, witht < ℓ. Then we find that some IVs are weak.

Pretend for a moment that we’re an adversary playing the LOR-CPA game using an ideal random function F ∈R Fℓ,t_{, and that the initial IV} _V0 _{= 0}ℓ_{. We choose two distinct 8-bit}

plaintextslandras our first left-or-right query. With probability2−t_{, the result of encrypting}

that first query is0t_{. However, in this case, the IV for the}_next_{query is}_V0_≪t₀t_{= 0}ℓ ₌ _V0_.

If this happens, we have only to submit the pair(l, l)as our second query. If the ciphertext to this second query also comes back zero, we guess that we’re dealing with a left oracle; otherwise we guess right. If we don’t get lucky with our first query, we just guess randomly.

(21)

AdversarySE(·,·)_: l←0t_;_r_←₀t−1_1; y←E(l, r);

ify[ℓ .. ℓ+t] = 0t_then

ifE(l, l) =ythenb←0elseb←1; else

b R

← {0,1}; returnb;

Figure 4.2: AdversarySattackingE-CFBLFℓ,t,0ℓ

is quite good:

AdvLOR-CPA_E_-CFBLFℓ,t,0ℓ(S) = 1 2t

1− 1

2t

.

This attack works becauseV0[t .. ℓ] = V0[0.. ℓ−t]. There are similar attacks for other such relationships. The following definition characterizes these kinds of ‘bad’ IVs.

4.2.1 Definition (Sliding strings) We say that anℓ-bit stringx t-slidesif there exist integersiandjsuch

that06j < i < ℓ/tandx[it .. ℓ] =x[jt .. ℓ−(i−j)t].

4.2.2 Remark For allℓ >0andt < ℓ, the string0ℓ−1₁_{does not}_t_-slide.

Alkassar, Geraldy, Pfitzmann and Sadeghi [AGPS01] offer a proof of security for CFB mode. However, they prove security only for a random initialization vector. There is a cryptic note:

We do this for the case with random initialization vectorIV. (The difference in the other case is negligible).

As we have shown above, some non-random initialization vectors lead to much decreased security. Their proof entirely ignores this possibility.

(Their result is a factor of two better than ours. We’ve lost this factor in passing from ROG-CPA to LOR-ROG-CPA. One can prove LOR-ROG-CPA security directly in more-or-less the same way as section4.4and not lose this factor.)

4.3 Security of CFB mode

4.3.1 Theorem (Security of CFB mode) LetF be a pseudorandom function fromΣℓ_to_Σt_{; let}_V0_∈_Σℓ_{be a} non-t-sliding string; letcbe a generalized counter inΣℓ_{; and let}_n_L,_n_C,_n

EandqE be nonnegative integers; and furthermore suppose that

• nL+nC+nE6qE,

• nL= 0, ornC=nE= 0, orℓ6tandV06=c(i)for anynL6i < nL+nC+nE, and

(22)

Then, for anytEandµE, and whenever we have

InSeclor-cpa(E-CFBHF,V0,cnL,nC,nE;tE, qE, µE)62·InSec prf₍_F_;_t

E+qtF, q) +

q(q−1) 2ℓ

whereq=

µE+qE(t−1)/t+nE, andtF is some small constant.

The proof is a bit involved; we postpone it until section4.4.

4.3.2 Corollary LetF,candV0be as in theorem4.3.1. Then for anytE,qEandµE,

InSeclor-cpa(E-CFB$F;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +q(q−1)

2ℓ

InSeclor-cpa(E-CFBEF,c;tE, qE, µE)62·InSecprf(F;tE+q′tF, q′) +

q′₍_q′₋₁₎ 2ℓ

InSeclor-cpa(E-CFBLF,V0;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +q(q−1)

2ℓ

and, ifℓ6t,

InSeclor-cpa(E-CFBCF,c;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +q(q−1)

2ℓ

whereq=

µE+qE(t−1)/t+nE,q′=q+qE, andtF is some small constant.

Proof Follows from theorem4.3.1and proposition2.6.7.

4.3.3 Corollary LetPbe a pseudorandom permutation onΣℓ_{, and let}_c_and_V0_{be as in theorem}_4.3.1_{. Then} for anytE,qEandµE,

InSeclor-cpa(E-CFB$P;tE, qE, µE)62·InSecprp(P;tE+qtF, q) +q(q−1)

2ℓ−1

InSeclor-cpa(E-CFBEP,c;tE, qE, µE)62·InSecprp(P;tE+q′tF, q′) +

q′₍_q′₋₁₎ 2ℓ−1

InSeclor-cpa(E-CFBLP,V0;tE, qE, µE)62·InSecprp(P;tE+qtF, q) +q(q−1)

2ℓ−1

and, ifℓ6t,

InSeclor-cpa(E-CFBCP,c;tE, qE, µE)62·InSecprp(P;tE+qtF, q) +

q(q−1) 2ℓ−1

whereq=

µE+qE(t−1)/t+nE,q′=q+qE, andtF is some small constant.

Proof Follows from corollary4.3.2and proposition2.4.3.

4.4 Proof of theorem

4.3.1

Our proof follows the same lines as for CBC mode: we show the ROG-CPA security of hybrid-CFB mode using an ideal random function, and then apply our earlier results to complete the proof. However, the ROG-CPA result will be useful later when we consider the security of OFB mode, so we shall be a little more formal about defining it.

(23)

4.4.1 Definition (TheW$garbage emitter) Let natural numbersnL,nC, andV0∈Σℓbe given; then we

define the garbage emitterW$as follows.

Initialization:

i←0;

v←V0;

Garbage emitterW$(m): ifi < nLthenv′←v;

else ifnL6i < nL+nCthenv′←c(i);

else ifnL+nC6ithenv′

R

←Σℓ_;

i←i+ 1;

m′ _←_t_⌊₍_m₊_t₋₁₎_/t_⌋_;

y←R Σm′

;

v←v′_≪m_′_y_;

return(v′_{, y}_[0_{.. m}_])

We now show that CFB mode with a random function is hard to distinguish fromW$.

4.4.2 Lemma (Pseudorandomness of CFB mode) Letℓ,t,nL,nC,nE,qE,c,V0, andqbe as in theorem4.3.1. Then, for anytEandµE,

InSecrog-cpa-W$(E-CFBHFnLℓ,t,n,V0,cC,nE;t, qE, µE)6

q(q−1) 2ℓ+1 .

Theorem4.3.1follows from this result by application of propositions2.5.4and2.6.5. It remains therefore for us to prove lemma4.4.2.

To reduce the weight of notation, let us agree to suppress the adornments onAdvandInSec symbols. Also, letmL=nL; letmC=nL+nC; and letmE=nL+nC+nE. (Remember: the

ms are cumulative.)

The truncation of ciphertext blocks makes matters complicated. Let us say that an adversary isblock-respectingif all of its plaintext queries are a multiple oftbits in length; obviously all of the oracle responses for a block-respecting adversary are also a multiple oftbits in length.

Claim LetA′_{be a block-respecting adversary querying a total of}_µ

Ebits of plaintext queries; then

Adv(A′)6 q(q−1)

2ℓ+1

whereq=µE/t.

Lemma 4.4.2 follows from this claim: if A is any adversary, then we construct a block-respecting adversaryA′_{by padding}_A_{’s plaintext queries and truncating the oracle responses;} and ifAmakesqE queries totallingµEbits, then the total bits queried byA′ is no more than

µE+qE(t−1)bits. We now proceed to the proof of the above claim.

(24)

zi _F

ℓ t wi t ⊕

xi

t

yi t

vj or zi−1≪tyi−1

Figure 4.3: Notation for the proof of lemma4.4.2.

Our notation will be similar to, yet slightly different from, that of section3.4.

Letq′₌_q₋_n

Ebe the number oft-bit plaintext blocks the adversary submits, and for06i <

q′_{, let}_x

ibe theith plaintext block queried, and letyibe theith ciphertext block returned.

FormL 6 i < mE, letci = c(i)be theith counter value. For 0 6 i < qE let vi be theith

initialization vector, i.e.,

vi=

              

V0 ifi= 0andnL>0;

vi−1≪tYi−1 if16i < mLandYi−1was the ciphertext from queryi−1;

ci ifmL6i < mC;

F(ci) if the oracle is ‘result’, andmC6i < mE; or

Ri for someRi∈RΣℓ, otherwise.

Note that the only difference in thevibetween the ‘result’ and ‘garbage’ games occurs in the

encrypted-counters phase. Furthermore, if no otherF-input is equal to anyciformC 6i <

mEthen the IVs are identically distributed.

Now, for06i < q′_{, define}

zi=

(

vj if blockiis the first block of thejth query, or

zi−1≪tyi−1 otherwise

and letwi =xi⊕yi. In the ‘result’ game, we havewi =F(zi), of course. All of this notation

is summarized diagrammatically in figure4.3. TheF-inputs are precisely the zi andci for

mC6i < mE.

We’ll denote probabilities in the ‘result’ game asPrR[·]and in the ‘garbage’ game asPrG[·].

LetCrbe the event, in either game, thatzi = zj for some0 6i < j < r, or thatzi = cj for

some06i < rand somemC 6j < mE.

Let’s assume thatCrdidn’t happen; we want the probability thatCr+1did, which is just the

probability thatzr collides with some zi where 0 6 i < r, or some ci for mC 6 i < mE.

Observe that, under this assumption, all thewi, and hence theyi, are uniformly distributed,

and that therefore the two games are indistinguishable.

One of the following cases holds.

1. Ifr= 0andmL >0thenzr=V0. There is no otherziyet forzrto collide with, though it

might collide with some encrypted counterF(ci), with probabilitynE/2ℓ.

2. Ifzr = ci is the IV for some messageiwheremL 6 i < mC, life is a bit complicated.

(25)

IVs haven’t been chosen yet; and eithernC= 0(in which case there’s nothing to do here

anyway) orℓ6t, so there are nozicontaining partial copies ofV0to worry about. This

leaves non-IVzi: again,ℓ6t, sozi=yi[t−ℓ .. t], which is random by our assumption of

¯

Cr; hence a collision with one of thesezioccurs with probability at mostr/2ℓ.

3. Ifzris the IV for some messageiwheremC6i < mE, then it can collide with previous

zior either previous or futureci. We know, however, that noF-input has collided with

ci, so in the ‘result’ game, zr = F(cr)is uniformly distributed; in the ‘garbage’ game,

W$generateszrat random anyway. It collides, therefore, with probability at most(r+

nE)/2ℓ.

4. Ifzris the IV for some messageiwheremE 6 i < q′ thenzrwas chosen uniformly at

random. Hence it collides with probability at most(r+nE)/2ℓ.

5. Finally, eitherzris not the IV for a message, or it is, but the message numberi < nL, so

in either case,zr=zr−1≪tyr−1. We have two subcases to consider.

(a) If1 6r < ℓ/t(we dealt with the caser = 0above) then some ofV0 remains in the shift register. Ifzrcollides with somezi, for06i < r, then we must havezr[0.. ℓ−

tr] =zi[0.. ℓ−tr]; butzr[0.. ℓ−tr] =V0[tr .. ℓ], andzi[0.. ℓ−tr] =V0[ti .. ℓ−t(r−i)],

i.e., we have found at-sliding ofV0, which is impossible by hypothesis. Hence,zr

cannot collide with any earlierzi. Also by hypothesis,nC =nE = 0ifℓ > t, sozr

cannot collide with any countersci.

(b) Suppose, then, thatr>ℓ/t. For06j < ℓ/t, letHj=ℓ−tj,Lj= max(0, Hj−t), and

Nj=Hj−Lj. (Note thatP06j<ℓ/tNj=ℓ.) Thenzr[Lj..Hj] =yr−j−1[t−Nj..t]; but

theyifori < rare uniformly distributed. Thus,zrcollides with some specific other

valuez′only with probability1/2PjNj _{= 1}_/₂ℓ_{. The overall collision probability for}

zris then at most(r+nE)/2ℓ.

In all these cases, it’s clear that the collision probability is no more than(r+nE)/2ℓ.

The probability that there is a collision during the course of the game isPr[Cq′], which we can

now bound thus:

Pr[Cq′]6

X

0<i6q′

Pr[Ci|C¯i−1]6

X

0<i6q′

i+nE

2ℓ . (17)

If we seti′₌_i₊_n

E, then we get

Pr[Cq′]6

X

06i′₆_q

i′ 2ℓ =

q(q−1)

2ℓ+1 . (18)

Finally, then, we can apply the same argument as we used at the end of section3.4to show that

Adv(A′)6 q(q−1)

2ℓ+1 (19)

(26)

v ≪t ℓ E ℓ K ⊕ t x0 t y0 t t ≪t ℓ E ℓ K ⊕ t x1 t y1 t t ≪t ℓ E ℓ K ⊕ t

xi _t

yi t t E ℓ K ⊕ t

xn−1 _t

yn−1

t

Figure 5.1: Encryption using OFB mode

5 OFB mode encryption

5.1 Description

Suppose F is anℓ-bit-to-L-bit pseudorandom function, and let t 6 L. OFB mode works as follows. Given a messageX, we divide it into t-bit blocksx0,x1, . . ., xn−1. Choose an

initialization vectorv ∈Σℓ_{. We maintain a}_{shift register}_s

i, whose initial value isv. To encrypt

a blockxi, we XOR it with the resultziof passing the shift register through the PRF, forming

yi, and then update the shift register by shifting in the PRF outputzi. That is,

s0=v zi=FK(si) yi=xi⊕zi si+1 =si≪tzi(for06i < n). (20)

Decryption is precisely the same operation.

Also, we observe that the final plaintext block needn’t betbits long: we can pad it out totbits and truncate the result without affecting our ability to decrypt.

5.1.1 Definition (OFB algorithms) For any functionF: Σℓ _→ _Σt_{, any initialization vector} _v _∈ _Σℓ_,

any plaintextx ∈ Σ∗ _{and any ciphertext}_y _∈ _Σ∗_{, we define PRF encryption mode} _OFB ₌ (ofb-encrypt,ofb-decrypt)as follows:

Algorithmofb-encrypt(F, v, x):

s←v;

L← |x|;

x←xk0t⌈L/t⌉−L_;

y←λ;

fori= 0to(|x| −t′₎_/t_do

xi←x[ti .. t(i+ 1)];

zi←F(s);

yi←xi⊕zi;

s←s≪tzi;

y←ykyi;

return(s, y[0.. L]);

Algorithmofb-decrypt(F, v, y): returnofb-encrypt(F, v, y);

We now define the schemes E-OFB$F, E-OFBCF,c, E-OFBEF,c, and E-OFBLF,V0 according to definition 2.6.4; and we define the hybrid scheme E-OFBHF,V0,cnL,nC,nE according to

defini-tion2.6.6.

(27)

encrypt a messagexbyCFB-encryptingthe all-zero string0|x|_{with the same key and IV. That} is, we could have writtenofb-encryptandofb-decryptlike this:

Algorithmofb-encrypt(F, v, x): (s, z)←cfb-encrypt(F, v,0|x|_); return(s, x⊕z);

Algorithmofb-decrypt(F, v, y): returnofb-encrypt(F, v, y);

We shall use this fact to prove the security of OFB mode in the next section.

5.2 Security of OFB mode

5.2.1 Theorem (Security of OFB mode) LetFbe a pseudorandom function fromΣℓ_to_Σt_{; let}_V0_∈_Σℓ_{be a} non-t-sliding string; letcbe a generalized counter inΣℓ_{; and let}_n_L,_n_C,_n

EandqE be nonnegative integers; and furthermore suppose that

• nL+nC+nE6qE,

• nL= 0, ornC=nE= 0, orℓ6tandV06=c(i)for anynL6i < nL+nC+nE, and

• eithernC = 0orℓ6t.

Then, for anytEandµE, and whenever we have

InSeclor-cpa(E-OFBHF,V0,cnL,nC,nE;tE, qE, µE)62·InSec prf₍_F_;_t

E+qtF, q) +

q(q−1) 2ℓ whereq=

µE+qE(t−1)/t+nE, andtF is some small constant.

Proof We claim that

InSecrog-cpa-W$(E-OFBHFnLℓ,t,n,V0,cC,nE;t, qE, µE)6

q(q−1) 2ℓ+1 .

This follows from lemma4.4.2, which makes the same statement about CFB mode, and the observation in remark5.1.2. SupposeAattempts to distinguish OFBH encryption fromW$. We define the adversaryBwhich usesAto attack CFBH encryption, as follows:

AdversaryBE(·)_:

returnAofb(·)_;

Functionofb(x): (v, z)←E(0|x|_); return(v, x⊕z);

Now we apply proposition2.5.4; the theorem follows.

5.2.2 Corollary LetF,candV0be as in theorem5.2.1. Then for anytE,qEandµE,

InSeclor-cpa(E-OFB$F;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +q(q−1)

2ℓ

InSeclor-cpa(E-OFBEF,c;tE, qE, µE)62·InSecprf(F;tE+q′tF, q′) +

q′₍_q′₋₁₎ 2ℓ

InSeclor-cpa(E-OFBLF,V0;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +q(q−1)

2ℓ

and, ifℓ6t,

InSeclor-cpa(E-OFBCF,c;tE, qE, µE)62·InSecprf(F;tE+qtF, q) +

q(q−1) 2ℓ whereq=

New proofs for old modes

Mark Wooding

[email protected]

13 March 2008

Contents

List of figures

List of tables

1 Introduction

1.1 Block cipher modes

1.2 Previous work

1.3 Our contribution

1.4 The rest of the paper

2 Notation and definitions

2.1 Bit strings

2.2 Other notation

2.3 Algorithm descriptions

2.4 Pseudorandom functions and permutations

2.5 Symmetric encryption

2.6 Initialization vectors and encryption modes

3 Ciphertext block chaining (CBC) encryption

3.1 Description

3.2 Security of CBC mode

3.3 Ciphertext stealing

3.4 Proof of theorem

3.2.1

4 Ciphertext feedback (CFB) encryption

4.1 Description

4.2 Sliding strings

4.3 Security of CFB mode

4.4 Proof of theorem

4.3.1

5 OFB mode encryption

5.1 Description

5.2 Security of OFB mode