Application of Cryptography (IY3660)
Motivation for modes of operation
- A block cipher encrypts a message of exactly n bits; but what if the message is not a multiple of n bits or if the message is not of a fixed length but actually a TCP-like stream? - Modes of operation provide different ways of using a block cipher to encrypt flexible amounts of data. • Different performance characteristics. • Different error-propagation properties. • Different suitability for different applications
Unforgeability
- Weak unforgeability: the adversary wins if m* is distinct from all the m values involved in its tag oracle queries and if Vrf_K(m∗, τ∗) = 1 - Strong unforgeability: the adversary wins if (m∗, τ∗) is distinct from all the pairs (m, τ) used in its tag oracle queries and if Vrf_K(m∗, τ∗) = 1
Relative primes
2 numbers which have a GCD of 1
RC4
A byte-oriented stream ciphers with variable length key. It has serious security vulnerabilities and should not be used in any new applications
Key Management System
Any system for managing keys throughout their life
INT-CTXT
Attacker has repeated access to an encryption oracle and a "Try" oracle. - Encryption oracle takes any m as input, and outputs Enc_K(m) - Try oracle takes any c* as input (and has no output) Adversary's task is to submit c* to its Try oracle such that: 1. c* is distinct from all the ciphertexts c output by the encryption oracle; and 2. Dec_K(c∗) decrypts to message m* ≠ ⊥. Hence the adversary wins if he can create a "ciphertext forgery" (new ciphertext that it did not get from its encryption oracle). A Symmetric Encryption scheme is said to be INT-CTXT secure if the success probability of any adversary using reasonable resources is small
CFB
Cipher Feedback: it turns a block cipher into a stream cipher. But it's not as efficient as a dedicated stream cipher and gives a self-synchronising stream cipher
DEM
Data Encapsulation Mechanism
Pollard-ρ algorithm
It has a complexity of the form: O(q^0.5), which is exponential in log q
Near-collision resistance
It is infeasible to find m1 ≠ m2 such that H(m1) ≈ H(m2)
KEM
Key Encapsulation Mechanism: PKE used to transport symmetric keys (used to encrypt the actual data)
Universal hashing
Let H = {h : A → B} be a set of hash functions. We say that H is universal if: ∀m, m' ∈ A, m ≠ m': Pr_{h ∈ H} [h(m) = h(m')] ≤ 1/|B| In other words, any two messages collide with probability at most 1/|B| when the hash function h is drawn randomly from H *Construction* (polynomial-based universal hashing): - Let *F* be a finite field, e.g. F = GF(p) ≈ [0, p - 1] for prime p. - Let *H* = F x F: each h ∈ H is described by two field elements h0 and h1. - Identify (fixed-length) messages with (fixed-length) vectors over F (e.g. m = (m1, ..., mL) ∈ F^L. - Understand m1, ..., mL as coefficients of a polynomial in F - Set (cf. image) - If L << |F|, the described hash function is almost universal
HMAC
MAC Based on hash functions. Tag_(K, K')(m) = H((K ⊕ opad) || H((K ⊕ ipad) || m)) Where ipad and opad are constants. HMAC is provably (strongly) UF-CMA-secure under some reasonable assumptions about the compression function. Design rationale: - Prepending keys to messages thwarts attacks based on hash collisions - Separation into inner and outer hash prevents length extension attacks Implementation: - *i*nitialised computation - then *u*pdated - *f*inalisation
Davies-Meyer
Message blocks → key; Chaining variable → message
OFB
Output Feedback: it turns a block cipher into a stream cipher. But it doesn't automatically resynchronise and external markers are needed for synchronisation
UF-CMA
Unforgeability (goal) under Chosen Message Attack. If there's no efficient (amount of time and memory used by the adversary and the number of queries it makes to its oracles) adversary that wins the relevant game with a significant probability.
Textbook RSA
*KGen*: 1. Generates: - random primes p and q of some bit-size k / 2, with N = pq (so bit-size of N is k) - integers d and e such that: de = 1 mod (p - 1)(q - 1) 2. Outputs key pair (sk, pk) where sk = d, pk = (e, N) *Enc*: Inputs public key pk = (e, N), plaintext m ∈ [1, N - 1]; outputs c = m^e mod N *Dec*: Inputs private key sk = d, ciphertext c; outputs m = c^d mod N *Correctness*: Follows from property that if de = 1 mod (p - 1)(q - 1) then m^de = m mod N ∀ m ∈ [1, N - 1] Problem: distribution of authentic public keys Attack: - Public key is (e, N); we can try to factorise N into its factors p and q. Then solve ed = 1 mod (p - 1)(q - 1) to recover d (no harder than factoring a k-bit integer that is a product of two k / 2-bit primes - Malleability: c = m e mod N, s ∈ [1, N - 1] Leading to s^e ∗ c = s^e ∗ m^e = (sm)^e mod N hence s^e ∗ c is an encryption of sm mod N - Small e - *Weiner's attack*: small d such that d ≈ N^(1 / 4) *Security*: An adversary has access to an encryption oracle and a decryption oracle for key pair (sk, pk). He can submit arbitrary pairs of messages (m0, m1) to the encryption oracle, and receives Enc_pk(m_b). He can submit arbitrary* bit-strings c' to the decryption oracle, and receives Dec_sk(c').. He has to recover the bit b.
IP header
*Protocol* field (8 bits): - indicates upper layer protocol in IP payload - possible values are dependent on the IP implementation and protocols it supports - typical values: 0x01 for ICMP, 0x06 for TCP, 0x17 for UDP *Header checksum* (16 bits): - 1's complement sum of 16 bit words in the header - an incorrect checksum leads to datagram being silently dropped - provides error detection for IP headers *Source address* (32 bits): - contains the IP address of the host originating the datagram - needed so any replies or error messages can be delivered back to source
Padding oracle attacks
- After a CBC mode decryption, the message handling code needs to parse plaintext as: *message | | padding*, then remove *padding*, and finally pass *message* to application. Padding is one of 16 possibilities: "0x00", "0x01 0x01", ... "0x0f ... 0x0f". - Typical implementation behaviour: throw an exception with a helpful error message if padding is not one of the expected values. An adversary may be able to detect when this happens, either because the error message is visible on the network or through logs, or through timing behaviour. So padding errors can be exploited for full plaintext recovery attacks. An Adversary can submit arbitrary ciphertexts C and learn whether the underlying plaintexts have valid or invalid padding
Cryptography
- Art of secret writing. Derived from the Greek: kryptos (hidden) and grafo (write) - The study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication
Signature verification
- Bob uses an algorithm Vrf (which outputs 0 or 1) along with the verification key vk to verify the signature. - Bob accepts m as coming from Alice if Vrf(vk, m, σ) = 1 and rejects m otherwise. - We need it to be hard for the adversary to find messages m and values σ such that Vfy(vk, m, σ) = 1 (so it would be hard for signature to be forged)
Dedicated hash functions
- MD5: 128-bit hash (RFC1321, used for file integrity checking) - SHA-1: 160-bit hash (used in TLS/SSL, PGP, SSH, S/MIME, IPSec) - SHA-2: recommended for government use - SHA-3: recently standardised - Whirlpool: 512-bit hash (based on modified AES and used in TrueCrypt) - RIPEMD-160, BLAKE2
PKCS#1 v1.5
- Most widely-deployed RSA padding scheme which byte-oriented encoding scheme for RSA. - Message m placed in least significant bytes. - Force first two most significant bytes to 0x00 0x02; this ensures resulting encoded message lies between 0 and N. - Follow with at least 8 non-0x00 random bytes, then a 0x00 byte. - Maximum message size is k - 11 bytes. *Dec_d(c)*: - Compute m' = c^d mod N. - Check that m' begins with 0x00 0x02, reject if not. - Check that m' then has at least 8 non-0x00 bytes, reject if not. - Check that m' then has a 0x00 byte; reject if least significant byte is reached. - Return as m all the bytes to the right of the 0x00 bytes. *Attack*: - *Bleichenbacher's attack*: If an attacker sends a random string of bytes for decryption, then it has probability roughly 2^−16 of having a valid padding format (the probability that the first two bytes are 0x00 0x02; and there are at least 8 non-0x00 bytes; and there is at least one 0x00 byte before the end is reached). This gives an inequality over the integers: 2 ∗ 256^(k - 2) ≤ s ∗ p mod N ≤ 3 * 256^(k - 2). By gathering many such inequalities for different and carefully chosen values of s, the attacker can recover p, and thence m. This attack requires 2^20 decryption attempts
SHA-2
- SHA-256: similar in design to SHA-1, but now using 256-bit block cipher (SHACAL-2) in Davies-Meyer mode to build compression function. • So n = 256, k = 512 • 64 rounds, operating on 8 x 32-bit words using simple operations. • Slower than SHA-1 (150 MB/s on modern CPU instead of 200 MB/s for SHA-1). • No attack faster than generic birthday attack (2^128) currently known. -SHA-224, SHA-384 and SHA-512 also available (but less widely deployed/used)
Protocol field manipulation
- The attacker intercepts packet, does a bit flipping needed to manipulate the protocol field and source address, and to correct checksum. - The attacker than injects modified datagram into the network. Inner packets are then decrypted by gateway and forwarded to end-host. - The end-host generates ICMP "protocol unreachable" message in response to modified protocol field in header. - The ICMP payload carries inner packet header and 528 bytes of inner packet's payload (now in plaintext form). We have modified this address so that ICMP message does not pass through IPsec tunnel. - The Attacker intercepts ICMP message to get plaintext bytes. These ideas were used in [PY06] to build an attack client that can efficiently extract all plaintext from an IPsec encryption-only tunnel
Hash based RSA signatures
2nd attempt at RSA-based signatures. - *KGen*: as in RSA encryption, we set vk = (N, e) and sk = d, where N = pq is a product of two large primes and ed = 1 mod (p - 1)(q - 1) - *Sign*: we use the "private key" sk = d to sign: σ = H(m)^d mod N where H is a hash function. - *Vrf*: given (m, σ), we check whether σ^e = H(m) mod N *Security?* Use of a hash function destroys the multiplicative structure that enabled the previous attack. Also allows signing of long messages. What if we can find a hash collision? That is, a pair of messages m1, m2 such that H(m1) = H(m2)? Then σ_1 = H(m1)^d = H(m2)^d = σ_2 mod N. Hence a signature σ_1 on m1 is also a valid signature on m2
DES - f function
32-bits to 32-bits map consisting of 4 steps: - *E*xpansion (from 32 bits up to 48 bits by repeating certain bits). - XOR with 48-bit round key Ki. - S-boxes (8 different S boxes named S1, ..., S8; each is 6-bits to 4-bits; small and implementable via table look-ups). - P: Bit permutation (permuting the 32 bits, tricky in software)
Full domain hash based RSA signatures
3rd attempt at RSA-based signatures. - *KGen*: as in RSA encryption, we set vk = (N, e) and sk = d, where N = pq is a product of two large primes and ed = 1 mod (p - 1)(q - 1). - *Sign*: we use the "private key" sk = d to sign: σ = H(m)^d mod N where H is a hash function with outputs in {0, 1, ..., N - 1} - *Vrf*: given (m, σ), we check whether σ^e = H(m) mod N *Security?* If we regard H as being a random function, then we can prove that this scheme is UF-CMA secure under the assumption that RSA inversion is hard
Hash based RSA signatures with padding
4th attempt at RSA-based signatures. - *Sign*: We use the "private key" sk = d to sign σ = pad(H(m))^d mod N where H is a hash function and pad(.) is some _deterministic_ padding scheme - *Vrf*: given (m, σ), we check whether σ^e = pad(H(m)) mod N *Security?* • No security proof for the scheme with PKCS#1 v.1.5 padding is known. • Signatures can be forged if the constant part of the padding is too short. • Padding check/removal often wrongly implemented.
AES - ShiftRows
A permutation of the bytes, obtained by cyclically shifting rows by 0 places, 1 place, 2 places and 3 places.
Signature scheme
A signature scheme consists of a triple of algorithms (KGen, Sign, Vrf): - *KGen* is a randomised algorithm that outputs key pairs (vk, sk) - *Sign* takes as input sk and a message m ∈ {0, 1}*, and outputs a signature σ - *Vrf* takes as input a triple (vk, m, σ) and outputs 0 or 1 - *Correctness*: ∀ key pairs (vk, sk) output by KGen, ∀ m ∈ {0, 1}*, if σ = Sign(sk, m) then Vfy(vk, m, σ) = 1 N.b: both Sign and Vrf may be randomised algorithms *Security game*: 1. Challenger generates a key pair (vk, sk) by running KGen 2. Challenger gives vk to adversary 3. Adversary runs, with access to a signing oracle: adversary sends m and gets back σ = Sign(sk, m) 4. Adversary finally outputs (m∗, σ∗) 5. Adversary wins if m* is distinct from all the m queried to the signing oracle AND if Vfy(vk, m∗, σ∗) = 1 It's said to be (E)UF-CMA secure if no adversary consuming reasonable resources (running time, number of messages it queries to signing oracle) wins with significant probability
Salting
Adding a random, account-specific value (called a salt), in each hash function. This means that each account has to be attacked individually (via password hashing). Store the salt values as a field in the database of usernames and password hashes. 64 bits of salt is typical: enough to prevent collisions in random choices of salt values (birthday paradox again) and to devalue pre-computation by an attacker
AES
Advanced Encryption Standard: result of a multi-year competition to search for a DES replacement (run by NIST and designed by Joan Daemen and Vincent Rijmen). It provides a single block cipher, it's: - available royalty-free worldwide - public and flexible (in design) - at least as secure and fast as 2-key 3DES *Properties*: - block and key size of 16 bytes (byte-oriented cipher) Design principle: it's a Substitution-Permutation Network *Structure*: - AES internal states has 16 bytes - AES round applies 4 distinct operations on the array: SubBytes operation (byte-wise substitution), ShiftRows operation (shifts rows of array), MixColumns operation (linear transformation to mix columns), AddRoundKey operation (byte-by-byte XOR of round key) - AES (128-bits key) has 10 rounds: Initial AddRoundKey, No MixColumns in last round, 12 rounds for AES-192 and 14 rounds AES-256, Round key schedule is quite slow, so rekeying is somewhat painful *Security*: NSA reviewed: - Approved for SECRET with any key length - Approved for TOP SECRET with 192 or 256 bit keys Cryptanalysis: - AES subject to intense analysis - Several attacks in related key setting or against reduced-round variants - First key recovery attack in 2011: workload of 2^126.1 against 128-bit key version Side-channel analysis: - Bernstein 2005: remote cache timing analysis against AES implementation in OpenSSL, requiring 200M chosen plaintexts and precise timing information - Osvik, Shamir, Tromer 2005: same-machine (co-resident) cache-timing analysis requiring 800 chosen plaintexts
RSA-OAEP
Alternative encoding scheme for RSA due to Bellare and Rogaway and stands for Optimal Asymmetric Encryption Padding (which can be proven to be IND-CCA secure) *Setup*: - Suppose we are using λ-bit RSA moduli (e.g. λ = 2048). - Let λ0 and λ1 be chosen so that no adversary can perform 2^λ operations for λ = λ0 or λ1 , e.g. λ0 = λ1 = 128. - Set n = λ - λ0 - λ1. - Messages in RSA-OAEP are assumed to be n-bit strings. - Let G be a hash function mapping λ0 bit strings to n + λ1 bit strings. - Let H be a hash function from n + λ1 bit strings to λ0 bit strings *Process*: - Let m be an n-bit string - Choose a random λ0-bit string R. - Set: S1 = (m || 0^λ1) ⊕ G(R). S2 = R ⊕ H(S1). - Form the bit-string: S = S1 || S2. - Interpret S as a λ-bit integer and compute c = S^e mod N. Decryption is just the reverse of these steps
MITM on DHKE
An active man-in-the-middle attacker can modify the public values in transit! - For example, the attacker can change Yi to a value g^z mod p for which he knows z. - The attacker can then compute the key that user j would compute on receipt of g^z mod p, namely, (g^z)^x_j = (g^x_j)^z = (Y_j)^z mod p. - And similarly in the other direction. - So an active attacker can completely compromise the security of "modern" Diffie-Hellman key exchange. To prevent that: We ensure the authenticity of the public keys using a MAC or a digital signature
Padding oracle attack for simplified TLS padding
An average of 128 calls to the padding oracle are needed to extract the last byte of each plaintext block. It can extend to the entire block, with an average of 128 trials per byte (targetting bytes from right to left in block and gradually increasing length of valid padding pattern). It can extend to an entire ciphertext with many blocks (because an attacker can place any target block Ct as last block of ciphertext
Hash functions
An n-bit (cryptographic) hash function is an efficiently computable function: H: {0, 1}*→ {0, 1}^n It maps an arbitrary length input string to a fixed-length hash value (sometimes called a *message digest*). *Applications*: - message fingerprinting (file integrity checking, file sharing) - signature schemes (hash-then-sign paradigm) - MAC - key derivation - password hashing - commitment schemes - pseudorandom number generators - stream ciphers (hash function in CTR) - Bitcoin - post-quantum signatures ... *Standards*: - NIST: SHA-1, SHA-2 (includes: SHA-224, SHA-256, SHA-384, SHA-512), SHA-3 (Keccak) - NESSIE: SHA-256, SHA-384, SHA-512, WHIRLPOOL - CRYPTREC: SHA-256, SHA-384, SHA-512 *Primary security goals*: - pre-image resistance (1-wayness) - 2nd pre-image resistance - collision resistance *Secondary security goals*: - non-correlation - near-collision resistance - partial pre-image resistance *Designer's goal*: ensure there are no better attacks on pre-image resistance and second pre-image resistance than these generic attacks
AES - SubBytes
Application of an S-box to each byte. The S-box is a carefully chosen 8-bit to 8-bit invertible mapping.
Message padding
Applies an injective map pad() to messages prior to CBC mode encryption, remove padding after decryption. • pad() takes inputs in {0, 1}* (a bit-string of arbitrary bit-length). • pad() has outputs in {{0, 1}^n}*, that is, the set of all bit-strings that are multiples of n in length. • pad() is necessarily expanding. • pad() and its inverse both need to be efficiently computable. • pad() may be *randomised* or *deterministic*. Generally, at least 1 byte is always added
Caesar cipher
Assume letters of plaintext are A, B, ..., Z, no spaces. Key *K* is a number between 0 and 25 (inclusive). Encryption algorithm: shift forward by K letters Decryption algorithm: shift back by K letters *Security*: - Exhaustive key search on only 25 possible keys Mathematical form: *Plaintext P* = P0, P1, P2, ... : a sequence of ints between 0 and 25 *Key K* = an int between 0 and 25. *Encryption*: Ci = Pi + K mod 26 *Decryption*: Pi = Ci - K mod 26
Discrete Log Setting
Assume p and q are large primes and q divides p - 1. So p = kq + 1 for some integer k. Now we pick h, a random integer mod p, and compute g = h^{(p - 1) / q} mod p (= h^k mod p) Fact 1: if g ≠ 1 mod p, then the q powers of g, namely Gq = {g, g^2, g^3, ..., g^q} are all distinct mod p. Fact 2: g^q = 1 mod p. Fact 3: if we multiply together 2 elements in the set Gq, we obtain a 3rd element that is also in the set Gq. In combination, these facts mean that the set Gq forms a *group* under multiplication mod p. - Gq is a cyclic group (everything is a power of g) - We say that g is a generator of Gq. - The number of elements in Gq is q (a prime).
Attack on CBC mode with non-random IVs
Attacker receives ciphertext C = C0, C1 for message Pb, where b is a bit that the adversary wants to determine. Attacker predicts that C0' will be used as the IV for the next encryption. Attacker now requests encryption of block P0 ⊕ C0 ⊕ C0'. Attacker receives as ciphertext C0' and C1'. If Pb = P0, then the inputs to block cipher are the same in both encryptions (red arrows), otherwise, they are different. Hence, if Pb = P0, then C1 = C1'. Otherwise, If Pb = P1, then C1 ≠ C1'. So comparing C1 and C1' gives the adversary a test to decide whether P0 was encrypted or whether P1 was.
AEAD
Authenticated Encryption with Associated Data. In practical applications, we often require confidentiality and integrity for some data fields and only integrity for others. An AEAD scheme consists of a triple of algorithms (KGen, Enc, Dec): - KGen: key generation, selects a key K uniformly at random from {0, 1}^k. - Enc: encryption, takes as input key K, *associated data AD* ∈ {0, 1}*, plaintext m ∈ {0, 1}∗, and produces an output c ∈ {0, 1}∗ - Dec: decryption, takes as input key K, *associated data AD* ∈ {0, 1}*, ciphertext c ∈ {0, 1}∗, and produces an output m ∈ {0, 1}∗ or an error message, denoted ┴. - Correctness: ∀ keys K, associated data strings AD and plaintexts m: Dec_K(AD, Enc_K(AD, m)) = m. *N.b*: the ciphertext c doesn't "contain" AD - may need to be sent along with c or reconstructed by receiver. Informally, IND-CPA security for messages m, integrity for combination of associated data AD and ciphertext c
AE
Authenticated Encryption. Security goals: Confidentiality and integrity of messages exchanged Adversarial capabilities: An adversary can arbitrarily delete/reorder/modify/... bits on the wire and can mount CPA and CCA; formalised via encryption and decryption oracles *Informal definition*: A symmetric encryption scheme is said to offer Authenticated Encryption security if: *A chosen plaintext attacker (i.e. an attacker with access to an encryption oracle) can learn nothing about plaintexts from ciphertexts except their lengths. AND an attacker with access to an encryption oracle cannot forge any new ciphertexts.* Formally: *AE = IND-CPA + INT-CTXT* So it implies a security against CCAs In part because AE security implies IND-CCA security and INT- PTXT security, AE security has emerged as the natural target security notion for symmetric encryption: AE = IND-CPA + INT-CTXT = IND-CCA + INT-CTXT INT-CTXT ⟹ INT-PTXT So AE ⟹ IND-CPA, IND-CCA, INT-PTXT and INT-CTXT *Generic composition*: With a MAC key KM and an encryption key KE - *E*ncrypt *& M*AC (used in SSH): compute c'← Enc_KE(m) and τ ←Tag_KM(m) and output c = (c', τ) - *M*AC *t*hen *E*ncrypt (used in TLS but vulnerable to oracle attacks): compute τ ←Tag_KM(m) and output c = Enc_KE(m || τ) - *E*ncrypt *t*hen *M*AC (used in IPsec ESP): compute c'←Enc_KE(m) and τ ←Tag_KM(c') and output c = (c', τ). From those, EtM, in general, only gives AE security. AE security assumes that the encryption is IND-CPA secure and that the MAC is SUF-CMA secure.
Stream cipher
Basically like the OTP, but using only a short key Key *K* = K0, K1, K2, ... : a sequence of pseudorandom ints between 0 and 25 *Definition*: A *keystream generator* takes as input a key K (and possibly an initialisation vector IV), performs some initialisation, and then generates as output an (infinite) stream of *bits* K0, K1, ... - called the *keystream* *Encryption*: - Decompose the plaintext P into a sequence of bits P0, P1, ... - XOR the plaintext and keystream in a bitwise fashion to create the ciphertext bits C = C0, C1, ... *Decryption*: - Decompose the plaintext C into a sequence of bits C0, C1, ... - XOR the ciphertext stream and keystream in a bitwise fashion to recover the plaintext bits P = P0, P1, P2, ... - Decryption undoes encryption because for every i, we have: (Pi ⊕ Ki) ⊕ Ki = Pi ⊕ (Ki ⊕ Ki) = Pi ⊕ 0 = Pi *Security issue*: - Keystream reuse: Suppose plaintexts P1, P2 are encrypted with the same keystream KS. So C1 = P1 ⊕ KS and C2 = P2 ⊕ KS Then C1 ⊕ C2 = (P1 ⊕ KS) ⊕ (P2 ⊕ KS) = ... = P1 ⊕ P2 So the adversary can learn the XOR of the plaintexts from the XOR of the ciphertexts. From P1 ⊕ P2, it may be possible to learn the individual P1, P2 - Statistical weaknesses in keystreams (some keystreams may not appear random) - Lack of integrity: Flipping a bit (0<->1) in the ciphertext stream has the effect of producing a bit-flip in the plaintext in the same position: Ci = Pi ⊕ Ki so Ci ⊕ 1 = (Pi ⊕ 1) ⊕ Ki. Those modifications are undetectable - Exhaustive key search
CBC
Cipher Block Chaining: aims to hinder information leakage of ECB mode. It uses previous ciphertext block (or IV) to randomise the input to the block cipher at each application and it isn't parallelisable. *Encryption*: C0 = IV Ci = E_K(Pi ⊕ C_{i - 1}) *Decryption*: So: D_K(Ci) = Pi ⊕ C_{i - 1} hence Pi = D_K(Ci) ⊕ C_{i - 1} IV is needed for decryption; often written as C0 to emphasize this (leading to ciphertext expansion: ciphertext will be at least one block larger than plaintext). IV needs to be random and unpredictable for each message encrypted (requires a good source of randomness). Padding may be needed to make plaintext into a whole number of blocks. CBC mode is problematic if the block size (n) is too small - issue of block collisions (see https://sweet32.info/ for example).
Freestart collision
Collision attack that is significantly weaker than full collision
AES - MixColumns
Column mixed by multiplying by matrix M - a linear transformation of each column, with good diffusion properties.
CTR
Counter Mode: stream cipher which relies on pseudo-randomness of block ciphers. *Encryption*: - ctr_i is set to be an incrementing counter: ctr_i = ctr_0 + i - No padding is needed since last block of output (last mask) can be truncated to required length - It's parallelisable, can also pre-compute encryption masks before plaintext is known Error propagation: a bit-flip in the ciphertext leads to a bit-flip in the plaintext. - More generally, XOR of a mask Δ with the ciphertext leads to the same mask Δ being XORed onto the plaintext *Security requirement*: For a fixed key K, the counter values used must not repeat - Can achieve non-repeating property by using one of the following methods: • Starting with ctr_0 = 0 and changing key for every plaintext (often impractical). • Starting with a random value for ctr_0 for each plaintext (requires a good source of randomness, need to limit key use to prevent colliding counters). • Maintaining a record of the last value of ctr_i used (requires state in encryption algorithm, state needs to survive across power cycles). • Constructing ctr_i by concatenating a per plaintext nonce supplied by the calling application and an internal counter (starting from zero for each new plaintext), so: ctr_i = N || i (requires per plaintext nonce to not repeat, hence some kind of state needed in application).
CCM
Counter with CBC MAC. Basically, an instantiation of *MtE* with *M = CBC-MAC* and *E = CTR mode*, using a 128-bit block cipher (e.g. AES). It's quite slow as it needs 1 pass over associated data AD in CBC-MAC and two passes over the message m, one in CBC-MAC and one in CTR-mode encryption. It doesn't use any decryption (only encryption). It has as a security proof based on block cipher being a pseudo-random permutation and uses WPA2.
Kerchoffs' principles
Cryptosystem requirements: - System should be, if not theoretically unbreakable, unbreakable in practice - Compromise of system details should not inconvenience the correspondents - Key should be memorable without notes and easily changed - Cryptogram (ciphertext) should be transmissible by telegraph - Encryption apparatus should be portable, operable by a single person - System should be easy, requiring neither the knowledge of a long list of rules nor mental strain *Modern Interpretation*: The security of a cryptosystem should only rely on the (secrecy of) keys used. It should not depend on the secrecy of the system details *Wrong one*: No security through obscurity *Right one*: Obscurity can help improve security, but systems can and will be reverse-engineered. The system should still be secure even when its specification is completely known. Furthermore, open specification may encourage review and analysis, improving our confidence in the system's security
DES
Data Encryption Standard: a very widely used block cipher which is essentially unbroken. But DES exhaustive key search has become feasible and the block size (64-bits) is too small. It uses the Feistel construction: - split block into 2 32-bits halves L and R - 56-bits key size (with 8 parity bits) - 16 rounds - Key K is manipulated to produce 16 round keys: K1, K2, ..., K16 - 32-bit-to-32-bit function f is composed of expansion, substitution and permutation operations - Use of Feistel with no swap in last round means same hardware/code can be used for encryption and decryption (with round keys in reverse order) The design is based on bit manipulation which tends to give good hardware performance and generally slower software performance - Basis for other block ciphers. Variants: 2DES, 3DES Attacks: - EKS requiring 2^55 block cipher operations
DHIES
Diffie-Hellman Integrated Encryption Scheme: it addresses ElGamal's problem with a lack of IND-CCA security and the inconvenience to work with messages that are encoded as elements of Gq. Public parameters (p, q, g) as usual, H a hash function. - *KGen*: pick x uniformly at random from {0, 1, ..., q - 1}. Set public key to be X = g^x mod p and private key to be x. - *Enc*: given public key X and message M (a bit-string). 1. Pick r uniformly at random from {0, 1, ..., q - 1}. Set Y = g^r mod p. 2. Compute Z = X^r mod p. 3. Set K = H(Z, X, Y). 4. Split K into Ke and Km. 5. Compute C' = EtM(M) using keys Ke and Km for encryption and MAC, respectively. 6. Output the ciphertext C = (Y, C'). - *Dec*: given private key x and ciphertext C = (Y, C'): 1. Check that Y is in Gq, return "fail" if not. 2. Compute Z = Y^x mod p. 3. Set K = H(Z, X, Y). 4. Split K into Ke and Km. 5. Decrypt C' using keys Ke and Km for encryption and MAC, respectively. 6. Output "fail" if step 5 fails, otherwise output the message returned in step 5. - *Correctness*: X^r = Z = Y^x mod p. We could replace EtM with any AE schemes.
DSA
Digital Signature Algorithm: - it requires the use of SHA-1 - it's close to Schnorr signature scheme but worst in several aspects (issue of patents) - it has a very different set of functional capabilities compared to RSA *Setup*: - 160-bit prime q - 1024-bit prime p so that q | p - 1 - Find g that generates Gq *KGen*: 1. Select random signing key x, 1 ≤ x ≤ q - 1. 2. Compute verification key y = g^x mod p. 3. Output (vk = y, sk = x) *Signing*: To sign a message m 1. hash message m to get H(m) 2. generate random value k, 1 ≤ k ≤ q - 1 3. compute r = (g^k mod p) mod q 4. compute k^-1 mod q 5. compute s = k^-1 (H(m) + xr) mod q 6. output σ = (r, s) *Verification*: To verify that σ = (r, s) is a signature for message m 1. check that 1 ≤ r ≤ q-1 and 1 ≤ s ≤ q - 1 2. compute w = s^-1 mod q 3. compute u1 = wH(m) mod q and u2 = rw mod q 4. accept signature if the following equation holds (g^u1 * y^u2 mod p) mod q = r *Correctness*: Suppose σ = (r, s) is a signature for message m. Then g^u1 ∗ y^u2 = g^(s^-1 ∗ H(m)) ∗ y^(r ∗ s^-1) = g^[s^-1 ∗ (H(m) + xr)] = g^k mod p and so (g^u1 * y^u2 mod p) mod q = (g^k mod p) mod q = r *Informal*: - Possible attacks: solving DLP mod p, O(q^1/2) attacks in the subgroup Gq of order q. - Need to choose p and q both large enough to prevent these attacks. *Formal*: No clean security proof for DSA is known. There are various proofs under different assumptions and heuristics of varying strength; none is really satisfactory When a failure occurs in the randomness, DSA has a poor security. Related, but more sophisticated attacks are possible if some bits of the random values k can be predicted. Similarly, if one uses certain weak generators to produce k, or if some relations between the bits of k are known. We can hedge against attacks by derandomising: • Generate k in signing using a pseudo-random function F with a key K: k = F_K (vk || m). • Ensures different random(-looking) values for different verification keys and messages.
DLP
Discrete Logarithm Problem: Let p, q be two prime numbers such that q divides p - 1, and let g be an integer such that g, g^2, g^3, ... g^q are distinct modulo p, and g^q = 1 mod p. In Gq: Given p, q, g and an element y = g^x mod p from Gq, for a random value x in {0, 1, ..., q - 1}: find x
SP network
Each round function is built from a *substitution* step followed by a *permutation* step. Directly implements Shannon's confusion and diffusion principles.
ECB
Electronic Code Book: the simplest way to use a block cipher to encrypt longer messages. It splits the message into blocks. Encryption can be parallelized. Any error in a ciphertext block affects the decryption of a single block. *Information leakage*: For a fixed key K, a given block of plaintext is always encrypted in the same way to produce the same ciphertext block (since the process is deterministic)
(E)UF-CMA
Existentially Unforgeable Chosen Message Attack
GCM
Galois Counter Mode. Basically, an instantiation of *EtM* with *E = CTR mode* using a 128-bit block cipher (e.g. AES) and *M = Wegman-Carter MAC*. Nonces N can be of arbitrary length, special processing for 96-bit case for speed. It's faster than CCM: speed up comes from the use of fast MAC algorithm built from universal hash function family called GHASH. It only works forward (i.e. only "E", no "D"). AD and m can be processed in block-wise fashion, no buffering required. It has a security proof based on block cipher being a pseudo-random permutation. Security fails very badly if nonces are ever re-used with same key K.
RSA inversion problem
Given (N, e) and random x modulo N, compute x^d mod N (where de = 1 mod (p - 1)(q - 1))
Partial pre-image resistance
Given H(m), it is infeasible to recover any partial information about m
Pre-image resistance
Given a hash h, it is infeasible to find m ∈ {0, 1}* such that H(m) = h. Generic attack on that: given h ∈ {0, 1}^n, if H behaves like a random function, then by iterating over 2^n different messages m and for each one evaluating H(m), we should find m such that H(m) = h
2nd pre-image resistance
Given m1, it is infeasible to find m2 ≠ m1 such that H(m1) = H(m2) Generic attack on that: given m1, if H behaves like a random function, by iterating over 2^n different messages m2 and for each one evaluating H(m2), we should find m2 such that H(m1) = H(m2)
Birthday paradox
If elements are drawn at random from a set of size *s*, then after *√s* trials, we expect a collision in the sampled elements with about *50%* probability
Key recovery
If the attacker can recover the key K, then he can decrypt any other ciphertext C encrypted using K
IND-CPA
Indistinguishable Chosen Plaintext Attack. The adversary has repeated access to Left-or-Right encryption oracle. In each query, the adversary submits pairs of equal length plaintexts (m0, m1) to the oracle (where m0 can be m1). The adversary gets back c, an encryption of m_b, where b is a fixed but random bit. After all queries are made, the adversary outputs its estimate b' for bit b and win if he decided correctly. Adversary advantage: |Pr(b = b') - .5| (-.5 is due to the guess). A Symmetric Encryption scheme is said to be IND-CPA secure if the advantage is "small" for any adversary using "reasonable" resources. On the other hand, deterministic schemes aren't IND-CPA secure because an adversary can submit two plaintext pairs (m0, m0) and (m0, m1) and see if the returned c0 and c1 are the same (=> b' = 0)
Pseudorandomness (PRP)
Indistinguishable from random to an adversary who is computationally bounded. In block ciphers: Each key K gives a different pair of bijections (E_K, D_K) so: - So a block cipher gives us 2^k bijections from n bits to n bits - But here are a total of (2^n)! bijections from n bits to n bits - And (2^n)! >> 2 k for typical block cipher parameters Formally: - A distinguisher D interacts either with (E_K, D_K) for a random choice of K, or with a random bijection and its inverse (π, π^-1) - The block cipher is said to be a *strong-PRP* if there is no efficient D that can tell the difference between (E_K , D_K) and (π, π^-1) - The block cipher is said to be a *PRP* if there is no efficient D that can tell the difference between E_K and π - Difference between *strong-PRP* and *PRP* security: whether adversary has access to (E_K, D_K) / (π, π^-1) or just E_K / π - Efficiency of D can be quantified by the resources consumed by D: number of queries to (E_K, D_K) / (π, π^-1) and its running time
IV
Initialisation vector, enables many different key streams to be produced for a single key K. It's usually a fixed-width field and typically set to be a counter in applications.
Non-correlation
Inputs and outputs of H should not be correlated
Block cipher
It encrypts/decrypts blocks of bits (n bits at a time, usually n = 64). The encryption is under the control of a key K of size k bits (typically 64 or 128). *Definition*: A block cipher with *key length k* and *block size n* consists of two sets of *efficiently computable* bijections: E_K (*encipher*): {0, 1}^n -> {0, 1}^n D_K (*decipher*): {0, 1}^n -> {0, 1}^n Where {0, 1}^n is a set of n-bit strings Such that D_K is the inverse of E_K for each K in {0, 1}^k where K is a key (there's 2^k possible keys). *Applications of block cipher*: They are versatile cryptographic primitives, used to construct: - other block ciphers (e.g. E-D-E) - encryption schemes (e.g. OCB, GCM) - hash functions (e.g. Davies-Meyer mode) - stream ciphers (e.g. CTR mode) - message authentication codes (e.g. CMAC) - pseudo-random bit generators (e.g. Fortuna) Standards: - NIST: AES, 3DES, Skipjack - NESSIE: AES, MISTY1, Camellia, SHACAL-2 - Cryptrec: AES, 3DES, Camellia *Factors to choose one*: - Key size (primary indicator of security level) - Block size (secondary indicator of security level) - Results of cryptanalysis - Standardisation and support in crypto libraries - Cost of implementation (code size, number of transistors, state size, potential for sharing code with other crypto primitives) - Runtime costs (energy consumption, power consumption, throughput, key agility, hardware support) - Implementation security (resistance to side-channel attack) *Rule of thumb*: If you need a block cipher, use AES Traditional design: there should be no attack faster than exhaustive search. A block cipher is said to be PRP if there's no efficient D that can tell the difference between E_K and π. More formally, for any efficient D, the advantage of D in distinguishing E from a random permutation, defined via Adv_E(D) := Pr[b'=b] - .5 Construction methods: - Iteration of a simpler, keyed round function is almost universal (Gain cryptographic strength through iteration - more rounds = stronger algorithm) - Feistel cipher - SP network
Function Field Sieve
It has a complexity of the form: exp[(1 + O(1)) ∗ (32 / 9)^(1 / 3) ∗ (log p)^(1 / 3) (loglog p)^(2 / 3)]; which is sub-exponential (but super-polynomial) in log p. To achieve 80-bit security against both algorithms, we need q to have 160 bits and p to have 1024 bits. To achieve 128-bit security against both algorithms, we need q to have 256 bits and p to have about 3072 bits.
Collision resistance
It is infeasible to find collisions, i.e., a pair of messages m1 ≠ m2 such that H(m1) = H(m2). *N.b*: collisions must exist, because the input space of the hash function is much larger than the output space. Collision resistance says that we can't find them efficiently. *Theorem*: it implies a 2nd pre-image resistance (since any collision resistant hash functions are also 2nd pre-image resistant) *but not* pre-image resistance. *Proof*: Assume H was collision-resistant but not second pre-image-resistant. By the latter property one could pick a message m1, find a message m2 ≠ m1 such that H(m1) = H(m2), and output hash collision (m1, m2), contradicting the assumed collision resistance of H. Generic attack on that: given h ∈ {0, 1}^n , if H behaves like a random function, then by iterating over 2^(n / 2) different messages m and for each one evaluating H(m), we should find m1 and m2 such that H(m1) = H(m2)
Feistel cipher
It splits block into two halves of n/2 bits each, and uses a particular method for operating on the halves to build the round function
3-DES (Triple-DES)
It typically uses 2-key or 3-key EDE and doesn't offer much additional security over single DES and which is usually slow.
Merkle-Damgård
Iterated hashing that uses a *compression function*. - Let k be block length, n be output length, IV ∈ {0, 1}^n be constant. - Assume we have a compression function h: {0, 1}^(n + k) -> {0, 1}^n. - Assume we have a padding scheme pad(.) such that length of m' = pad(m) is a multiple of k in bits - Break-up m' into blocks m1', ..., m'_l each of length k. - Process blocks to compute hash value H(m) - Each step processes a chunk of k input bits; the final result is n bits in size. - Prominent instantiations: MD5, SHA-1, SHA-2, WHIRLPOOL *Theorem* (for its construction): Suppose pad(m) transforms m into *m' = m || 10^t || [len(m)_k]* where 0 ≤ t < k is minimal such that k divides len(m') and "[...]" denotes the k-bit representation of a number. Then if the compression function h is collision-resistant, so is H. *Length extension property*: If we know y = H(m), then we can compute *y' = H(pad(m) || m")* for any m", even without knowing m! Constructions from block ciphers: Davies-Meyer, Matyas-Meyer-Oseas, Miyaguchi-Preneel
SHA-3
Keccak (pronounced "Ketchak"), based on a new design approach ("sponge" construction, unrelated to MD4/5, SHA-1/2 families) and which has a variable length output and a variable throughput (allowing efficiency/security trade-offs). It uses a "giant bit permutation" as a key element in the construction. It was chosen for elegance, security margins, performance and flexibility. It's intended to complement SHA-2 (not replacing it)
Key management
Key management refers to the secure administration of cryptographic keys. Techniques include: • Technical controls, e.g. special hardware devices • Process controls, e.g. dealing with lost keys • Environmental controls: controls depending on physical location • Human factors The importance of key management stems from the fact that no cryptographic system can perform its task properly if its keys are not properly managed. - The main requirement for the management of keys used with symmetric algorithms is that the keys remain secret. - The main requirement for the management of keys used with public key algorithms are that the private keys remain secret and the public keys are authentic. - An equally important requirement is to provide assurance of purpose of keys. Main goal: to maintain keying relationships and key material in such a way that threats such as compromise and unauthorised use of cryptographic keys are countered. Aspects covered by key management techniques: key generation, key storage, key distribution and initialisation, key usage and scope, key replacement (key rollover), key backup and recovery, key revocation and destruction.
A5/1
LFSR-based design with stuttered clocking which has to be very fast and have a low gate-count in hardware (114 bits every 4.615ms). It's subjected to significant amount of cryptanalysis. Now considered insecure: attacks recovering key in a few seconds given a few hundred known plaintext bits (achievable in practice)
CBC-MAC
Let E be an n-bit block cipher with fixed key K. Split message m into n-bit chunks m1, ..., m_l (might require padding). Compute τ = Tag_K(m) from m1, ..., m_l (cf. top diagram). It's provably UF-*CMA*-secure *if all messages m have the same length*. We can also resolve length-related security issues using various tweaks. For example, prepend the message length to the the message before CBC-MAC
Nonce-based MAC
MAC with a *key length k*, *nonce space N* and *tag length t* consisting of 2 keyed efficient algorithms: Tag_K: N x {0, 1}* -> {0, 1}^t And Vrf_K: N x {0, 1}* -> {0, 1}^t -> {0, 1} Such that Vrf_K(n, m, Tag_K(N, m)) = 1 ∀ K ∈ {0, 1}^k, n ∈ N, m ∈ {0, 1}*.
MD5
MD hash with output size n equal to 128. A Compression function uses (implicitly) a special block cipher in Davis-Meyer mode, k = 512. The block cipher has a round function operating on 4 x 32-bit words. The round function is iterated 64 times. It uses mod 2^32 additions, bit shifts, other simple bit operations (F).
SHA-1
MD hash with output size n equal to 160 (20 byte output). Should provide 2^80 security against collision attacks. The block cipher has a round function operating on 5 x 32-bit words. The round function is iterated 80 times. It uses mod 2^32 additions, bit shifts, other simple bit operations (F). Attackers gets to choose two different IVs in MD construction (in reality, the IVs are fixed to a single value)
*O*ne *T*ime *P*ad
Mathematical form: *Plaintext P* = P0, P1, P2, ... : a sequence of ints between 0 and 25 *Key K* = K0, K1, K2, ... : a sequence of ints between 0 and 25 *Encryption*: Ci = Pi + Ki mod 26 *Decryption*: Pi = Ci - Ki mod 26 *Security*: *If* each Ki is a uniformly random value *and* if we use each Ki only once *then* the ciphertext C leaks nothing more about the plaintext P than what was known beforehand except for its length Formally: Pr(P = p | C = c) = Pr(P = p) It's an unbreakable algorithm but: - The key K needs to be as long as the message - The key K needs to be distributed in advance to the communicating parties (key management problem) - No keys should be used more than once - "Subtracting the ciphertexts" removes the key K, leaving the difference of the plaintexts; making it possible to recover the individual plaintexts
MAC
Message Authentication Code: primitive that provides *integrity* and *data origin authentication* of messages. *Definition*: A MAC algorithm with *key length k* and *tag length t* consists of 2 efficient, keyed algorithms: - Tag: {0, 1}^k ∗ {0, 1}* -> {0, 1}^t, - Vrf: {0, 1}^k ∗ {0, 1}* ∗ {0, 1}^t -> {0, 1} For *correctness*, we require that ∀ K and m, if τ <- Tag(K, m), then Vrf(K, m, τ) = 1 We assume that Alice and Bob share a common secret key K (so a MAC is a symmetric cryptographic primitive). 1. Using a dedicated algorithm Tag, Alice computes an *authentication tag* τ ← Tag_K(m) for each message m that she wishes to send to Bob (tag is often referred as MAC or MAC value). 2. Alice now sends (m, τ) to Bob, instead of just m. 3. Bob verifies the integrity and data origin authenticity of the received message/tag pair (m', τ') by using a corresponding Vrf algorithm. He only accepts pairs for which Vrf_K(m', τ') = 1. *Security*: - Without knowing K, it should be hard for any adversary to create a pair (m', τ') such that Vrf_K(m', τ') = 1. - The security definition means that the MAC tag τ must depend on every bit of the message m - The security definition also means that it must be hard to recover K given some pairs (m, τ) (otherwise attacker can recover K, and then forgery is trivial). - There can be attacks on MACs that forge MAC tags without recovering the key. - We need to be careful about length extension attacks. MAC unforgeability: It should be hard for an adversary who does not know the key K to forge a valid tag on a message, that is, to come up with a pair (m', τ') for which Vrf(K, m', τ') = 1 *Formally*, a MAC scheme (Tag, Vrf) is formalised as a game between an adversary and a challenger (who begins by choosing a uniformly random key K) and has access to a tag oracle and a verify oracle: • The tag oracle accepts messages as input and returns corresponding tag values: τ ← Tag_K(m). • Using the tag oracle, the adversary can obtain MAC tags for messages of its choice: a chosen message attack. • The verify oracle accepts pairs (m, τ) and returns Vrf_K(m, τ). Using the verify oracle, the adversary can test whether a given message/tag pair is valid or not. After accessing the tag and verify oracles as much as it likes (and doing any computation it desires), the adversary outputs a final pair (m∗, τ∗). Typically: - Key length k: usually larger than 80 to prevent offline exhaustive key search attacks (k = 128 for a comfortable security margin) - Tag length t: it needs to be large enough to make guessing probability q.2^-t sufficiently small, where q is number of verify queries
IND-CCA
Notion that is stronger than IND-CPA. The adversary has access to both an LoR encryption oracle and a decryption oracle
Nonce
Number used once.
Extended Euclidean algorithm
Outputs integers r, s, t where r = gcd(a, b) and sa + tb = r. For example, running the extended Euclid's algorithm on a with 0 < a < p and a prime p gives s and t such that: as + pt = 1 Reducing this equation mod p, we get: a * s = 1 mod p. So it allows us to find the inverse of a mod p. Recall that in RSA key generation, we need to a pair (e, d) such that: e * d = 1 mod (p - 1)(q - 1). • This can also be done using the extended Euclidean algorithm: • Choose e at random in the range [1, (p - 1)(q - 1)]. • With high probability, gcd(e, (p - 1)(q - 1)) = 1 and then running Euclid's algorithm gives us the required d
Key lifecycle
Phases of cryptographic keys during their lifecycle: Pre-operational phase: • key material not yet available for normal cryptographic operations. Operational phase: • key material is utilised for its intended usage. Post-operational phase: • (Inactive) key is available to authorised parties for access to the information that was protected under it. Destroyed phase: • all key records have been deleted and the key becomes inaccessible
Non-repudiation
Preventing the denial of previous commitments or actions
Infrastructure
Procedures, plans, policies, and management to make sure that any deployment actually does the job for which it was intended
PKE
Public Key Encryption (Asymmetric encryption). We use different keys for encryption and decryption. Bob generates a public/private key pair. Alice uses Bob's public key to encrypt to Bob. Bob uses his private key to decrypt. A PKE scheme consists of a triple of algorithms (KGen, Enc, Dec): - *KGen*: key generation, generates a key pair (sk, pk). (sk is the private key, pk the public key) - *Enc*: encryption, takes as input a public key pk, plaintext m ∈ {0, 1}∗ and produces an output c ∈ {0, 1}∗ - *Dec*: decryption, takes as input a private key sk, ciphertext c ∈ {0, 1}∗ and produces an output m ∈ {0, 1}∗, or an error message denoted ⊥ - *Correctness*: ∀ key pairs (sk, pk) output by KGen and plaintext m: Dec_sk(Enc_pk(m)) = m
Diffie-Hellman Key Exchange
Public key method for agreeing on a shared secret (which can be used as a session key, for example). We have n users, all of which make use of the same set of public parameters (p, q, g). Each of the n users Ui picks x_i (his private key) uniformly at random from {0, 1, ..., q - 1} and then get their public key Yi = g^x_i mod p. All the public keys Yi, ..., Yn are assumed to be available in a public, authentic database. To set up a shared, symmetric key between user Ui and user Uj: • User Ui computes K_ij = (Yj)^x_i = g^(x_j ∗ x_i) = g^(x_j ∗ x_i) mod p; • User U j computes K_ji = (Yi)^x_j = g^(x_i * x_j) mod p. • Critical point: the keys are the same for the two users *Security*: - Notice that no communication is needed between any pair of users in order to establish a key! - Instead the users are assumed to have access to the public, authentic database of public keys Y1, ..., Yn. - An attacker can also learn public keys and would like to compute shared keys K_ij. - The underlying algorithmic problem (known as the Computational Diffie-Hellman Problem (CDHP)) can be stated as follows: *Given (p, q, g), and the values g^a mod p, g^b mod p, find g^ab mod p*
RSA-PSS
RSA Probabilistic Signature Scheme (5th attempt at RSA-based signatures). - *KGen*: as in RSA encryption, we set vk = (N, e) and sk = d, where N = pq is a product of two large primes and ed = 1 mod (p - 1)(q - 1) - *Sign* (simplified): 1. Generate a random value r (with 256 bits, say). 2. Compute s = H(m || r), t = G1(s) ⊕ r, u = G2(s) where G1, G2 and H are suitable hash functions (sum of their output lengths should be λ-1, where λ is bit-length of N). 3. Return as the signature: σ = (0 || s || t || u)^d mod N - *Vrf* (simplified): given (m, σ): 1. Compute σ^e mod N and parse the result as b || s || t || u where b is a bit and s, t, u have the correct lengths (determined by output lengths of H, G1, G2). 2. Output "0" if b = 1. 3. Compute r' by inverting the equations for s, t: r' = G1(s) ⊕ t 4. Re-encode r' and m and check for correctness: - compute s' = H(m || r'), t' = G1(s') ⊕ r', u' = G2(s') - check that s' = s && u' = u; output "0" if this fails otherwise "1" *Security*: Assuming G and H behave like random functions, the UF-CMA security of RSA-PSS can be tightly related to the hardness of the RSA inversion problem. *It's the right choice of scheme for RSA signatures*
a mod b
Remainder of a on division by b. I.e. r in {0, ..., b − 1} and r = a = q * b + r
Sponge construction - Squeezing phase
SHA-3(m) = o_1 o_2 o_3 ...
INT-PTXT
Same as INT-CTXT, but now adversary needs to come up with a ciphertext c∗ that encrypts a message m∗ such that m∗ was never queried to the encryption oracle. Informally, its security means that the adversary can't force a new plaintext to be accepted by the receiver. If a scheme is INT-CTXT secure, then it is also INT-PTXT secure
Nonced-based AEAD
Scheme that consists of a triple of algorithms (KGen, Enc, Dec): - KGen: key generation, selects a key K uniformly at random from {0, 1}^k - Enc: encryption, takes as input key K, *nonce N* ∈ {0, 1}^n, *associated data AD* ∈ {0, 1}∗, plaintext m ∈ {0, 1}∗, and produces output c ∈ {0, 1}∗ - Dec: decryption, takes as input key K, *nonce N* ∈ {0, 1}^n, *associated data AD* ∈ {0, 1}∗, ciphertext c ∈ {0, 1}∗, and produces output m ∈ {0, 1}∗ or an error message, denoted ⊥ - Correctness: ∀ keys K, nonces N, associated data strings AD and plaintexts m: Dec_K(N, AD, Enc_K(N, AD, m)) = m. *N.b*: as with AEAD, the ciphertext c does not "contain" AD. It also does not contain the nonce Informally, IND-CPA security for messages m, integrity for combination of associated data AD and ciphertext c, for adversaries that never repeat the nonce in encryption queries
Signature
Signature schemes are a public key analogue of MAC algorithms. Alice has a signing key sk and a verification key vk and uses an algorithm Sign to compute signatures on messages m: σ = Sign(sk, m) and sends (m, σ) to Bob in place of m. Bob is assumed to have an authentic copy of vk.
Hash iteration for password protection
Slow down password cracking via dictionaries by iterating the hashing. Choose an iteration method that makes parallelisation of attacks/time-memory trade offs hard to do. Winning proposals: scrypt and Argon2. Obtain a trade-off between security and performance of authentication system
SUF-CMA
Strong Unforgeability Chosen Message Attack. For signatures: Adversary wins if *(m***, σ***)* is distinct from all the pairs (m, σ) appearing in the security game AND if *Vfy(vk, m***, σ***) = 1*
CBC error propagation
Suppose an error arises in ciphertext block C2. Then the error propagates to P3, and P2 gets randomised. If we replace C2 by C2 ⊕ Δ then the effect is to replace P3 by P3 ⊕ Δ
*C*hosen *C*iphertext *A*ttack
The adversary gets to choose many ciphertexts C and is given the corresponding plaintexts P under a fixed key K, so: P = D_K(C)
*C*hosen *P*laintext *A*ttack
The adversary gets to choose many plaintexts P and is given the corresponding ciphertexts C under a fixed key K, so: C = E_K(P)
*K*nown *P*laintext *A*ttack
The adversary gets to observe many plaintext/ciphertext pairs (P, C) for a fixed key K, so: C = E_K(P)
Entity authentication
The assurance that a given entity is involved and currently active in a communication session (sometimes referred to as *identification*)
Data origin authentication
The assurance that a given entity was the original source of some data (sometimes referred to as *message authentication*)
Confidentiality
The assurance that data cannot be viewed by an unauthorised entity (sometimes referred to as *secrecy*)
Integrity
The assurance that data has not been altered in an unauthorised (which includes accidental) manner since the time that the data was last created, transmitted or stored by an authorised entity
Symmetric key cryptography
The encryption key and decryption key are the same so it's just referred as the key (usually denoted *K*). *Formally*: A symmetric encryption scheme consists of a triple of algorithms *(KGen, Enc, Dec)*: - KGen: key generation, selects a key K uniformly at random from {0,1}^k - Enc: encryption, takes as input key K, plaintext m ∈ {0, 1}∗ and produces output c ∈ {0, 1}∗ - Dec: decryption, takes as input key K, plaintext c ∈ {0, 1}∗ and produces output m ∈ {0, 1}∗ or an error message, denoted ⊥. - Correctness: ∀ keys K and plaintext m: Dec_K(Enc_K(m)) = m
ElGamal Encryption
The scheme is a follows: - Public parameters (p, q, g) as usual - *KGen*: pick x uniformly at random from {0, 1, ..., q - 1}. Set public key to be X = g^x mod p and private key to be x - *Enc*: given public key X and message M (encoded as an element of Gq): 1. Pick r uniformly at random from {0, 1, ..., q - 1}. Set Y = g^r mod p. 2. Compute Z = X^r mod p. 3. Output the ciphertext C = (Y, M * Z mod p) - *Dec*: given private key x and ciphertext C = (Y, C'): 1. Check that Y is in Gq, return "fail" if not. 2. Compute Z' = Y^x mod p. 3. Output M = C' * (Z')^-1 mod p - *Correctness*: C' ∗ (Z')^-1 = MZ ∗ (Z')^-1 = M ∗ X^r ∗ (Y^x)^-1 mod p = M ∗ (g^x)^r ∗ ((g^r)^x)^-1 mod p = M ∗ g^xr ∗ g^-xr mod p = M *Security*: - IND-CPA secure but not IND-CCA secure. *Informally*: • Ciphertext includes MZ mod p where Z = g^xr mod p. • If (g^x, g^r, g^xr) is indistinguishable from (g^x, g^r, g^c), then we can replace Z = g^xr by Z = g^c. • But, since g^c can take any value in Gq, it follows that M * Z mod p is uniformly random in Gq. • Hence M is perfectly hidden!
Discrete Log Problem
The set Gq = {g, g^2, g^3, ..., g^q} of powers of g mod p is a cyclic group of prime order q with generator g. We can write g^q = 1 = g^0 and so take Gq = {g^0, g^1, g^2, ..., g^(q - 1)}. *Given q, p, g and an element y = g^x mod p from Gq , where x is a random value in {0, 1, ..., q - 1}, find x* It can be solved using the FFS (Function Field Sieve) and the Pollard-ρ algorithm
Quantum Insert
Useful for getting at machines that can't be reached through phishing attacks. It works by hijacking a browser as it's trying to access web pages and forcing it to visit a malicious web page, rather than the page the target intend to visit. The attackers can then surreptitiously download malware onto the target's machine from the rogue web page
Wegman-Carter MAC
Uses an universal hash to construct a MAC. Uses a *secret h ∈ H as MAC key* and define Tag_h(m) = h(m). Problem: observed valid tags leak information about h. Solution: mask h(m) to hide deployed hash function h Keys have the form (h, K) consisting of a hash function and block cipher key. Tags are of the form: τ = Tag_{h, K}(N, m) = h(m) ⊕ F_K(N) for nonce N. Advantages (in comparison to HMAC, CBC-MAC): - efficiency (universal hash functions are typically very fast) - security (universal hash functions are unconditionally secure, i.e. MAC forging probability depends nearly exclusively on block cipher)
*E*xhaustive *K*ey *S*earch
Using a few plaintext/ciphertext block pairs (P, C): For each candidate key K, test if C1 = E_K(P1) using pair (P1, C1); reject as wrong all keys that do not satisfy the test. For the remaining keys, test if C2 = E_K(P2) using pair (P2 , C2); reject as wrong all keys that do not satisfy the test This can be applied to the ciphertext-only attack setting if the plaintexts are meaningful (filter keys based on whether plaintext produced makes sense or not). It's embarrassingly *parallelisable*
AES - AddRoundKey
XORs an array of round key bytes.
a || b
a concatenated with b