This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications.

Loading...

来自 University of Maryland, College Park 的课程

Cryptography

511 个评分

This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications.

从本节课中

Week 3

Private-Key Encryption

- Jonathan KatzProfessor, University of Maryland, and Director, Maryland Cybersecurity Center

Maryland Cybersecurity Center

[SOUND] In the last lecture,

we saw an example of a CPA-secure encryption

scheme based on any block cipher or PRF.

And just to remind you of what that scheme looked like.

There we had the encryption of a message m, using a key k,

being done by having the sender first choose a random value r,

and then send r, along with Fk of r, XORed with m.

And note here that m, is a one block plain text where the block here refers

to the block length of the pseudorandom function F, and this results in

a two-block ciphertext, that is, if we let the block length of F be n bits,

then the message m is an n-bit string, and the ciphertext is a 2n-bit string.

And in fact, as we defined it encryption was only defined for n-bit messages.

Now, in general, we'd like to have a scheme that can support encryption of

messages of arbitrary length, not just n-bit messages.

And we can do that very easily.

So remember that CPA-security, implies secrecy for

the encryption of multiple messages.

This is something that we stated in a previous lecture,

even though we didn't prove it.

Now, what that means is that we can encrypt a long message,

by simply breaking it up into a sequence of n-bit chunks, and

then applying the encryption scheme from the previous slide to each chunk.

That is, we'll take our message, and we'll split it into a sequence of blocks m1,

m2 et cetera up to mt.

And then we take each block, and encrypt it using the CPA secure encryption scheme

from last time, and it follows because the encryption scheme is CPA secure.

And therefore, is secure even when used to encrypt multiple messages.,

using the same key, that this new encryption scheme defined now for

arbitrary length messages is also CPA secure.

It might be easier to think about what's going on by looking at a figure.

So here, we have our sender and receiver sharing a key k,

and the way I've depicted it here, we have the sender sending different messages

m1 through mt by encrypting each one using the encryption scheme, and

then sending the corresponding cypher text c1 through ct.

And again, because the encryption scheme is CPA secure, that means that

the encryption scheme is also secure when used to encrypt multiple messages,.

And therefore that an attacker, who observes all the cypher texts being sent

across the channel, doesn't learn any information about m1 through mt.

Now all we need to do here is to change our viewpoint.

And rather than viewing the m1 through mt as messages in their own right,

we view them simply as blocks that comprise one longer message,

composed of the blocks m1 through mt.

And then the cipher text that the attacker sees now becomes just one

long cipher text containing t cipher text blocks, rather than t different cipher

texts each corresponding to a different underlying message.

But intuitively this still hides all information about m1 through mt,

and is therefore secure as an arbitrary lang-,

encryption scheme, that is,

as an encryption scheme, that can encrypt arbitrary length messages.

Now we can do that to encrypt messages as long as we like, but there's a drawback.

So remember that in the underlying encryption scheme, the one that's applied

to each block of plaintext, the ciphertext is twice the length of a plaintext.

And what that means,

is that when we encrypt this longer message, composed of these many blocks,

we get a ciphertext twice the length of the underlying plaintext.

That is, the ciphertext expansion, with the amount by

which the ciphertext is longer than the plaintext is a factor of two.

The ciphertext is twice as long as the plaintext.

And the natural question is, can we do better?

And this brings us to the topic of modes of operation,

which are more efficient mechanisms for encrypting arbitrary-length messages.

Now just to be clear on the terminology, there are stream cipher modes of

operation that are based on an underlying stream cipher, or pseudorandom generator.

There are two flavors of stream cipher modes of operation

synchronized and unsynchronized.

But unfortunately due to lack of time we're not going to cover any of these,

instead we're going to just look at block cipher modes of operation.

These are modes of operation that of course are built on some underlying block

cipher, or pseudorandom function.

The first one I want to introduce you to, is called counter mode, or CTR mode.

We're going to assume for simplicity, that all messages we want to encrypt,

are exact multiples of the block length of our block cipher.

And in practice, they may, that may not need, that may not be the case, and

it can be handled, but we're just assuming that for simplicity here.

So counter mode is defined in the following way.

To encrypt a message composed of a sequence of blocks, m1 thought mt,

what we do is we first choose a uniform n bit string as a counter.

And we set c0, which is going to be the initial block of our ciphertext,

equal to that initial counter value.

Then, for i equals 1 to t, where t denotes the number of blocks of plaintext that we

have, we compute the ith block of the ciphertext to be equal to,

the XOR of the ith block of plaintext with fk evaluated on counter plus i.

So basically what we're doing is we're simply incrementing this counter, and

applying our PRF F sub k, to the values counter plus

1 counter plus 2 et cetera, all the way up to counter plus t.

And then taking those results and

XORing each of those with a corresponding block of plain text.

The ciphertext that we output, contains all the blocks C0 though CT.

Note that the ciphertext expansion here, is just a single block.

So rather than doubling the length of the plain text,

we simply increase the length of the plain text, by n bits.

It may be easier to think about counter mode by looking at a picture, and

here I've depicted such, such a, the operation of counter mode.

Where, at the top I've listed the value that

are passed into the pseudorandom function that is counter one

through counter sorry counter plus one through counter plus t.

Each of those values has passed its input to the pseudorandom function, and

the output is then XORed with the corresponding message block,

to give the cypher text block.

In addition, we include the value c0,

which is equal to the initial counter value, to allow the receiver to decrypt.

What can we say about the security of Counter mode?

Well in fact, it's possible to prove that if F is a pseudorandom function,

then Counter mode is CPA-secure.

We could actually give a quick proof sketch of this.

I'm not going to go through the details of the proof,

but the proof sketch is actually very similar to what we've seen before, for

the proof of CPA security of this scheme last time.

So, for simplicity in the proof,

let's just assume that all messages that are being encrypted have length t.

This is not at all necessary, it just simplifies the exposition here.

Now, when we encrypt the ith message, what the sender does is to choose a counter,

that I'll refer to as counter i, and then use the values counter i

plus 1 up to counter i plus t, as inputs to the pseudorandom function.

And what you can observe is that the sequence of outputs,

the values Fk of counter i plus 1 up to Fk of counter i plus t,

that sequence is pseudorandom, when looked at in isolation.

And this is just because we're applying the pseudorandom function to a sequence of

distinct inputs.

Note here that it's important that the length of our counter is n bits, and so

it can support up to two to the n values,

ranging from zero up to two to the n minus 1.

And so because t is going to be much, much smaller than two to the t,

we're not going to get any wrap around so we're not going to

get any two equal values being passed as input to the pseudorandom function.

Now the important thing to note here, is that this pseudo random sequence is

going to be independent for every message being encrypted.

Unless it happens to be the case, that there are two inputs to

the pseudorandom function that happen to be equal.

That will occur if and

only if counter i plus j is equal to counter i prime, the counter chosen for

some other message plus j prime, for some values i, j, i prime j prime.

You can do the calculation and

show that that will occur only with negligible probability.

And again here, it's important for that that our block length if n gets long, and

so the probability of such a collision occurring,

is going to be exponentially small in n.

Another mode that's quite popular and used a lot in the real world is CBC mode.

This stands for cipher block chaining mode.

And this mode works in the following way.

So now to encrypt a message consisting of blocks m1 through mt as before,

what the sender then does is choose a random value, c0,

that's sometimes also called the IV, or initialization vector.

And then for i equals 1 to t, the sender computes the ith block of the cipher text,

to be equal to F K, applied to the next message block,

mi, XORed with the previous ciphertext blocks, ci minus 1.

The resulting ciphertext consists of the t plus 1 blocks, c0 through ct.

And note that the ciphertext expansion again, here,

is just a single block, so we've only increased our plaintext by end bits.

One thing to note here, is that decryption requires F to be invertible.

This was not the case for counter mode, where the receiver only needed to

evaluate F in the forward direction to decrypt for CBC mode,

the receiver is also required to evaluate F in the reverse direction as well.

Fortunately blockcyphers are invertible and

so they can be run in the reverse direction, and so

CBC mode can be decrypted when using a pseudorandom permutation.

Here it is in pictures, which especially for

CBC mode, makes things easier to understand.

So I've just indicated here that we choose this random IV, or initialization vector,

and that becomes the first block of the cypher text, and then we simply

chain every preceding cipher text block, and XORed with the next message block.

So you can see that C0 for example is XORed with M1, and

the result is then passed as input to Fk to give the cipher text block C1.

And so on up through the final block of plaintext.

The theorem that we can show about CBC mode,

is that if F is a pseudorandom function, then CBC mode is CPA-secure.

I will say that the proof here is much more complicated than for the case of

counter mode, nevertheless, this is something that we can that can be shown.

Now I wanted to look next at an example of an insecure mode of

encrypt by mode of operation, and that's ECB mode or electronic code book mode.

I mentioned this one because it's a mode that was standardized in 1977, before

people really had a good idea of the security notions that are used nowadays.

Never the less, you, sometimes you want to counter this mode in proactice and,

I want to warn you agaisnt using it.

So in ECB mode, the encription of a message again consisting of blogs and

one to m t, is done by simply applying the pseudorandom function,

to each message block individualy.

That is, the encription of m-1 through mt, is just given by Fk of m1 up to Fk of mt.

Now this might look great because there's no cypher text expansion at all, but

of course we know, that because this scheme is deterministic, right?

There's no randomness here, this scheme cannot possibly be CPA secure.

In fact it's even worse than that, right?

If you look at the way encryption is done,

you can see very clearly that if two plain text blocks, mi and

mj are equal, then that will show up as two equal blocks of ciphertext.

That is, given a long ciphertext,

an attacker can tell when there are repeated blocks in the plain text.

So that means that ECB mode encryption will not even

satisfy our original notion of indistinguishable encryptions, that is,

it won't even be secure for the encryption of a single message.

Now you might wonder whether this is just an academic issue and

whether perhaps ECB mode is okay, if used in practice.

I'll warn you now that that's not the case.

And here's a really great demonstration of that.

So here we have an image that we're going to encrypt using ECB mode.

Each pixel of that image is going to be represented

by a a one block value, that is, what we're going to be doing to encrypt this,

is we're going to be flattening the image, and taking each pixel as it were and

viewing that as a block.

And then passing that block through our,

through our pseudorandom function to give us a cypher text block.

If we do that we get something like the following.

Now, you'll notice that although parts of the image are obscured, and

you certainly could not reconstruct the entire image from the ciphertext, you can

also clearly see that the image itself is not being hidden completely, there's

a lot of information about the original image being revealed in a ciphertext.

And this is just an indication of the problems that can arise from the fact that

repeated blocks of plain text, can be detected as repeated blocks of ciphertext.