Two New Online Ciphers Mridul Nandi National Institute of Standards and Technology, Gaithersburg, MD Indocrypt 2008, Kharagpur

Jan 03, 2016


Hilary Barker

Two New Online Ciphers

Mridul Nandi

National Institute of Standards and Technology, Gaithersburg, MD

Indocrypt 2008, Kharagpur


Outline of the talk

• Introduction to Online Ciphers.

• Security Notions for Online Ciphers

• Known Examples of Online Ciphers.

• Our Constructions.

• Conclusion.


Online Cipher


Online Cipher

• Most applications want real-time encryption (i.e., compute the ciphertext as soon as a plaintext block arrives, to save both time and memory).

• Also known as one-pass encryption. (In two-pass encryption, the whole plaintext is needed to generate some intermediate values (like a tag), and then the plaintext is used again to compute the ciphertext. The first ciphertext block cannot be computed until the complete plaintext has arrived.)


Online Cipher

Definition (online cipher):

1. It is a block-number-preserving encryption algorithm.

2. If C = C1 || C2 || … || Ck is a ciphertext of P = P1 || P2 || … || Pk, then Ci should be computable from P1 || … || Pi, where the Pj’s and Cj’s are blocks (128 bits for an AES-based design).


• In other words, there exists an algorithm B such that B(P1, …, Pi) = Ci for i = 1, …, k.

• It is real-time encryption, but that does not necessarily mean it requires less memory. Why?

Online Cipher

[Figure over four slides: input stream, buffer and output. As P1, P2, P3, …, Pk arrive, the buffer holds P1 P2 P3 … Pk and C1, C2, C3, …, Ck are output.]

The buffer size increases linearly as plaintext blocks arrive. So it does not save memory, but it is one-pass, and hence once the whole plaintext has arrived the complete ciphertext is known.

Efficient Online Ciphers

[Figure over four slides: a chain of f boxes. Labels: 0, 0, plaintext P1, P2, …, Pk-1, Pk, ciphertext C1, C2, …, Ck-1, Ck.]

Buffer size = 3:

• when T = 1, the buffer holds 0, 0, P1

• when T = 2, the buffer holds P1, C1, P2

• when T = k, the buffer holds Pk-1, Ck-1, Pk

Is it an Online Cipher?

[Figure: the chain of f boxes from the Efficient Online Ciphers slides.]

Ci = A(Pi-1, Ci-1, Pi) depends on Ci-1 (not in the definition of online cipher).

But Ci-1 depends on Pi-2, Pi-1 and Ci-2, and so on. So by induction it can be shown that Ci depends only on P1, …, Pi.

It is an Online Cipher.

[Figure: the chain of f boxes.]

If it is a cipher then it is an online cipher. To be a cipher it should be invertible. In other words, Pi should be computable from Pi-1, Ci-1 and Ci = f(Pi-1, Ci-1, Pi).

Inverse of an Online Cipher.

[Figure: the same chain with g in place of f.]

So Pi = g(Pi-1, Ci-1, Ci).


Security Notions


Security notions for Online Ciphers

• (Strong) Pseudo Random Permutations are the strongest security notions for an encryption algorithm.

• An online cipher cannot be an (S)PRP, since the online property itself can be used to make a distinguishing attack.

• Bellare, Boldyreva, Knudsen and Namprempre (in Crypto-01) introduced the desired security notions (the maximum security that can be achieved for online ciphers, by introducing an ideal online cipher).


Security notions for Online Ciphers

• Chosen-Plaintext Secure or CPA-secure: No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making only encryption queries.

• Chosen-Ciphertext Secure or CCA-secure: No feasible attacker can distinguish the designed online cipher from the ideal online cipher by making both encryption and decryption queries.


Known Examples


Hash-CBC Online Ciphers

1. Bellare, Boldyreva, Knudsen and Namprempre (in crypto-01) designed Hash-CBC online ciphers HCBC1 (CPA-secure) and HCBC2 (CCA-secure).

2. Needs a blockcipher and an Almost XOR-universal hash function.

3. Universal Hash function with CBC mode.


AU hash function

Poly hash generates a distinct counter for distinct messages with high probability. Poly-hash is an L/2^n-AU hash function, where L is the maximum number of blocks of a plaintext.

Pr[Hh(M) = Hh(M’) i] L/2n where is either

+ (modulo addition) or (xor).

Hash-CBC: HCBC1

[Figure: HCBC1 chain. Labels: 0, H, Ek, P1, C1, P2, C2, …, Ck-1, Pk, Ck; wires marked n.]

1. CPA-secure but not CCA-secure.

2. H : {0,1}^n → {0,1}^n is an AXU-hash function (n = block size).

3. Two independent keys (one for H and one for E).

Hash-CBC: HCBC2

[Figure: HCBC2 chain. Labels: 0, 0, H, Ek, P1, C1, P2, C2, …, Pk-1, Ck-1.]

1. CCA-secure.

2. H : {0,1}^(2n) → {0,1}^n is an AXU-hash function.

3. Two independent keys (H and E).


Our Constructions

Recall HCBC2

[Figure: the HCBC2 chain, with the two n-bit inputs to H marked.]

Hash H takes two n-bit inputs and produces an n-bit output. We can xor the two n-bit inputs before feeding them into H.


MHCBC

Modified Hash-CBC: MHCBC

[Figure over two slides: MHCBC chain. Labels: 0, 0, H, Ek, P1, C1, P2, C2, …, Pk-1, Ck-1, Pk, Ck; the input to H is marked n.]

1. CCA-secure.

2. H : {0,1}^n → {0,1}^n is an AXU-hash function.

3. Two independent keys (H and E).


MCBC-1

Modified CBC: MCBC

[Figure: MCBC chain. Labels: 0, 0, H, Ek, P1, C1, …, Pk-1, Ck-1.]

We need an AXU-hash function. EK itself can be a candidate for this.

Modified CBC: MCBC-1

[Figure: the same chain with the boxes labelled Ek2 and Ek1.]

So we can replace H by Ek2 (independently chosen key K2). This is called MCBC-1.

Modified CBC: MCBC

[Figure over two slides: the same chain with both boxes labelled Ek.]

What will happen if we replace H by Ek (same key K)? Is it secure?

NOT SECURE

Modified CBC: MCBC

[Figures over three slides: the Ek chain evaluated on the queries below, with values 0, v0, v1 and v2 marked.]

1st decryption query with ciphertext 0: the plaintext is Ek(0) = v0.

1st encryption query with plaintext 0: the ciphertext will be Ek(v0) + v0 = v2. Let Ek(v0) = v1.

2nd encryption query with plaintext (v0, v1): the ciphertext will be (0, v2) with probability one, which is not desired for an ideal random online cipher.
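
Added example, not from the original slides: the three queries above run against a toy implementation of the chain, which also processes blocks one at a time and keeps only the previous plaintext and ciphertext block as state, as on the Efficient Online Ciphers slides. Assumptions: the chaining rule Mi = E(Pi-1 xor Ci-1), Ci = E(Pi xor Mi) xor Mi with P0 = C0 = 0 is reconstructed from the query values v0, v1, v2 (reading + as xor), a SHA-256 Feistel permutation stands in for the blockcipher, and all function names and keys are made up for illustration.

```python
import hashlib

N = 16  # block size in bytes (128 bits, as for an AES-based design)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:N // 2]

def E(key, block):
    """Toy 4-round Feistel permutation standing in for the blockcipher Ek."""
    l, r = block[:N // 2], block[N // 2:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def D(key, block):
    """Inverse of E."""
    l, r = block[:N // 2], block[N // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def mcbc(k_mask, k_enc, blocks, decrypt=False):
    """Assumed chaining: Mi = E(k_mask, Pi-1 xor Ci-1); Ci = E(k_enc, Pi xor Mi) xor Mi.
    Online: the only state kept between blocks is Pi-1 and Ci-1."""
    prev_p = prev_c = bytes(N)  # P0 = C0 = 0
    for x in blocks:
        m = E(k_mask, xor(prev_p, prev_c))
        y = xor((D if decrypt else E)(k_enc, xor(x, m)), m)
        prev_p, prev_c = (y, x) if decrypt else (x, y)
        yield y

def oracles(k_mask, k_enc):
    return (lambda b: list(mcbc(k_mask, k_enc, b)),
            lambda b: list(mcbc(k_mask, k_enc, b, decrypt=True)))

def distinguish(enc, dec):
    """The three queries from the slides; True when the (0, v2) prediction holds."""
    zero = bytes(N)
    v0 = dec([zero])[0]   # decryption query on ciphertext 0
    v2 = enc([zero])[0]   # encryption query on plaintext 0
    v1 = xor(v2, v0)      # v2 = Ek(v0) + v0, so v1 = Ek(v0) in the same-key case
    return enc([v0, v1]) == [zero, v2]

K, K2 = b"constructed-key1", b"constructed-key2"  # sample keys, constructed
if __name__ == "__main__":
    print("same key for both calls:", distinguish(*oracles(K, K)))
    print("independent keys (MCBC-1):", distinguish(*oracles(K2, K)))
```

With the same key for both calls the predicted ciphertext (0, v2) comes back every time; with an independently chosen second key, as in MCBC-1, the prediction fails.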


MCBC-2

Modified CBC: MCBC

[Figure: the same-key chain (both boxes labelled Ek) with an additional value K1 marked at each block.]

K1 protects from the previous attack. In fact, it is CCA-secure.

Comparison

Mode     BC-Calls   Key-sch   AXU-Hash   Type of Hash   Keys
HCBC1    m          1         m          n → n          KBC + KH
HCBC2    m          1         m          2n → n         KBC + KH’
MHCBC    m          1         m          n → n          KBC + KH
MCBC-1   2m         2         0          -              2KBC
MCBC-2   2m+1       1         0          -              KBC

Conclusion

1. Revisited Hash-CBC online ciphers.

2. Modified them by

   1. Reducing key space

   2. Removing universal hash function

   3. Having better efficiency.

3. These are termed MHCBC and MCBC.

4. A simple modification of MHCBC won’t work.

5. A unified way of proving security of online ciphers (in the paper).

Thank you for your attention