0:00
In this segment we're gonna look at another method to achieve chosen plain
text security that's actually superior to CBC. And this method is called randomized
counter mode. Unlike CBC. Randomized counter mode uses a secure PRF. It doesn't
need a block cypher. It's enough for counter mode to just use a PRF because
we're never going to be inverting this function F. So we're going to let F be the
secure PRF and it acts on N byte blocks. Again if we use AES, N will be 128. And
the way the encryption algorithm works in counter mode is it starts off by choosing
a random IV, that's 128 bytes random IV in the case of AES, and the essentially we
start counting. From this random IV, so you notice the first encryption is of IV
then IV+1 up to IV+L. So we generate this random pad. We XOR the result with the
message, and that gives us the cipher text. And, as usual, you notice that the
IV here is included along with the cipher text. So that, in fact, the cipher text is
a little longer than the original plain text. And the point, of course, is that,
encryption algorithm chooses a new IV for every message. And so even if I encrypt
the same message twice, I'm gonna get different resulting cipher texts. One
thing to notice that this mode is completely paralyzable, unlike CBC. CBC
was sequential. In other words, you couldn't encrypt block #5 until you've
encrypted blocks ##1 to 4, so hardware companies who might have multiple
AES engines working in parallel cannot actually use those AES engines when using
CBC because CBCs inherently sequential. So even though you might have two or three of
four AES engines, you could only use one of them when doing CBC encryption. With
counter mode, everything is completely paralyzable. If you have three AES engines
encryption basically will work three times as fast. So that's the beauty of counter
mode. And counter mode also has a corresponding nonce based counter mode.
Where the IV is not truly random, but rather, is just a nonce which could
be a counter. And the way you would implement nonce based counter mode, is you
would take the 128 bits block that used in AES. And then you would split it in two.
You would use the left 64 bits as the nonce, so the counter say would count from
zero to 2 to the 64. And then, that will be the nonce part of it. And then once you
specify the nonce, the lower order, 64 bits, would be doing the counting inside
of the counter modes encryption. Okay, so nonce goes on the left, and the
counter mode encryption counter goes on the right. And it's perfectly fine if this
nonce is unpredictable. The only restriction is that you encrypt at most
2 to the 64 blocks using one particular nonce. The danger is that you don't
want this counter to reset to zero so that, then, you will have two blocks. Say,
this guy, this guy, and this guy that are encrypted using the same one time pad.
Namely this one and this one. So lets quickly state the security theorem for a
randomized counter mode . By now you should be used to these kind of theorems.
Basically we are given a secure PRF. What we end up with is an encryption scheme.
We'll call it E sub CTR, E sub counter mode, which is semantically secure under a
chosen plain text attack. It encrypts messages that are L blocks long, and
produces cipher text that are L+1 blocks long because the IV has to be included in
the cipher text. This is for randomized counter mode. And the error bounds
are stated over here. It's basically the same bounds as in the case of CBC
encryption. As usual, we argue that this term is negligible because the PRF F is
secure and we would like to deduce from that, that this term is negligible so that
E<u>CTR is secure. Unfortunately we have this error term here and so we have to make</u>
sure this error term is negligible. And for that we have to make sure Q squared L
is less than the size of a block. And remember, Q is the number of messages
encrypted under a particular key. And L is the maximum length of those messages. Now
interestingly in the case of CBC we have Q squared L squared. Has to be less than x.
Which is actually worse than we have for counter modes. In other words, counter
modes can actually be used for more. Blocks than CBC could. Lets see a quick
example of that. So here is, again, the error term for counter-node, and remember
Q is again the number of messages encrypted with a key, and L is the length
of those messages. And as before, just as in the case of CBC, suppose we want the
adversary's advantage to be at most, one over 2 to the 32. That basically requires
that this Q-squared, L over X be less than 1 over 2 to the 32. So for AES what
happens is, if you plug in the values X is 2 to 128, 128 bit blocks. So Q times
square root of L should be less than 2 to the 48. This is basically the bound you
get from plugging in 2 to the 128 into this bound here. And as a result, you can
see if you're encrypting messages that are each, 2 to the 32 blocks. Then after 2
to the 32 such messages you have to replace your secret key otherwise
randomized counter mode is no longer CPA secure. So this means we could encrypt a
total of 2 to the 64 AES blocks using a single secret key. Remember, for CBC the
corresponding value was 2 to the 48 blocks so in fact because counter mode has
a better security parameterization in fact we can use the same key to encrypt more
blocks with counter mode than we could with CBC. So I wanted to do a quick
comparison of counter mode and CBC. And argue that in every single aspect, counter
mode is superior to CBC. And that's actually why most modern encryption
schemes actually are starting to migrate to counter mode, and abandoned CBC. Even
though CBC is still quite widely used. So let's look at the comparison. First of
all, recall that CBC actually had to use a block cypher because if you look at the
decryption circuit, the decryption circuit actually ran the block cypher in reverse.
It was actually using the decryption capabilities of the block cypher. Whereas
in counter mode, we only use a PRF. We never ever, ever use the decryption
capabilities of the block cypher. We only use it in the forward direction, only
encrypt with it. Because of this, counter mode is actually more general and you can
use primitives like Salsa, for example, Salsa20, if you remember, as a PRF.
But is not a PRP. So counter mode can Salsa but CBC cannot. And in essence,
counter mode is more general than CBC. Counter mode, as we said, is actually
parallel, whereas CBC is a very sequential process. We said that counter mode is more
secure. The security bounds, the error terms are better for counter mode than
they are for CBC. And as a result, you can use a key to encrypt more blocks in
counter mode than you could with CBC. The other issue is, remember in CBC we talked
about the dummy padding block. If you had a message that's a multiple of the block
length. In CBC we said that we had to add a dummy block whereas in counter mode this
wasn't necessary. Although, I did want to mention that there is a variation of
CBC called CBC with cipher text tiling, that actually avoids the dummy block issue. So
for standardized CBC, we actually need a dummy block. But in fact there is a
modification to CBC that doesn't need a dummy block. Just like counter mode.
Finally, suppose you're encrypting just a stream of one byte messages, and using
nonce encryption with an implicit nonce. So, the nonce is not
included in the cipher text. In this case. Every single one byte message would have
to be expanded into a sixteen byte block and then encrypted, and the result would
be a sixteen byte block. So if you have, like, a stream of 100 one byte messages,
each one separately would have to become a sixteen byte block. And you'll end up.
With a stream of 116 byte cipher texts. So you get a 16x expansion on the length of
the cipher text, compared to the length of the plain text. In counter mode, of
course, this is not a problem. You would just encrypt each one byte message by
XORing with the first bytes of the stream that's generated in the counter mode. So
every cipher text would just be one byte, just like the corresponding plain text.
And so no expansion at all, using counter mode. So you see that essentially, every
single aspect counter mode dominates CBC. And that's why it's actually the
recommended mode to be using today. Okay, so this concludes our discussion of chosen
plaintext security. I wanted to just quickly summarize and remind you that
we're going to be using these PRP and PRF abstractions of block ciphers.
This is actually the correct way of thinking of block ciphers and so we'll
always think of them as either pseudorandom permutations or pseudorandom
functions. And then I wanted to remind you again that, so far, we saw two notions of
security. Both only provide security against eavesdropping. They don't provide
security against tampering with the cipher text. One was used when the key is only
used to encrypt a single message. The other one was used when the key was used
to encrypt multiple messages. And as we said, because neither one is designed to
defend against tampering, neither one provides data integrity. And we're going
to see this as a real problem. And as a result, in fact, I'm going to say in the
next segment that these modes actually should never, ever be used. You should
only be using these modes in addition to an integrity mechanism, which is our next
topic. Okay, so, so far we've seen basically for using a, the key once, you
can use stream ciphers or you can use deterministic counter mode. If you're
gonna use the key many times you could use randomize CBC or randomize counter mode
and we're gonna talk about how to provide integrity and confidentiality. Once we
cover the topic of integrity, which is our next module.