

In the document Lecture Notes on Cryptography (Page 116-120)

Block ciphers and modes of operation

6.12 Other methods for symmetric encryption

6.12.1 Generic encryption with pseudorandom functions

There is a general way to encrypt with pseudorandom functions. Suppose you want to encrypt m-bit messages. (Think of m as large.) Suppose we have a pseudorandom function family F in which each key K specifies a function F_K mapping l bits to m bits, for some fixed but quite large value l. Then we can encrypt M via E_K(M) = (r, F_K(r) ⊕ M) for random r. We decrypt (r, C) by computing M = F_K(r) ⊕ C. This is the method of [92].

Theorem 6.28 [92] Suppose F is a pseudorandom function family with output length m. Then the scheme (E, D) defined above is a secure private key encryption scheme for m-bit messages.

The difference between this and the CBC and XOR methods is that in the latter we only needed a PRF mapping l bits to l bits, for some fixed l independent of the message length. One way to get such a PRF is to use DES or some other block cipher. Thus the CBC and XOR methods result in efficient encryption.

To use the general scheme we have just defined we need to construct PRFs that map l bits to m bits for large m.

There are several approaches to constructing “large” PRFs, depending on the efficiency one wants and what assumptions one wants to make. We have seen in Chapter 5 that pseudorandom function families can be built given one-way functions. Thus we could go this way, but it is quite inefficient. Alternatively, we could try to build these length-extending PRFs out of given fixed-length PRFs. See Section 5.11.
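As an added example (not code from the lecture notes), the following Python implements E_K(M) = (r, F_K(r) ⊕ M) with the “large” PRF F_K built from a fixed-length PRF by counter extension, one of the routes just mentioned. The fixed-length PRF is assumed to be HMAC-SHA256 (standing in for DES or another block cipher), l is taken as 128 bits, and the message and key values are constructed for the demonstration. The last function shows the caveat behind “for random r”: if r were ever repeated, the XOR of two ciphertexts would equal the XOR of the two plaintexts independently of K.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumed building block: HMAC-SHA256 as the fixed-length PRF f_K (stand-in for a block cipher).
L_BYTES = 16   # l = 128 bits: the input length of F_K, i.e. the length of r
OUT_LEN = 32   # bytes produced by one call to the fixed-length PRF


def prf_fixed(key: bytes, x: bytes) -> bytes:
    """f_K: the fixed-length PRF from which the large PRF is built."""
    return hmac.new(key, x, hashlib.sha256).digest()


def prf_large(key: bytes, r: bytes, m_bytes: int) -> bytes:
    """F_K: maps the l-bit r to m bits by counter extension,
    F_K(r) = f_K(r || <0>) || f_K(r || <1>) || ... truncated to m bits."""
    blocks = (m_bytes + OUT_LEN - 1) // OUT_LEN
    out = b"".join(prf_fixed(key, r + i.to_bytes(4, "big")) for i in range(blocks))
    return out[:m_bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """E_K(M) = (r, F_K(r) xor M) with a fresh random r for every message."""
    r = os.urandom(L_BYTES)
    return r, xor(prf_large(key, r, len(msg)), msg)


def decrypt(key: bytes, ct: Tuple[bytes, bytes]) -> bytes:
    """D_K(r, C) = F_K(r) xor C."""
    r, c = ct
    if len(r) != L_BYTES:
        raise ValueError("malformed ciphertext: r must be l bits long")
    return xor(prf_large(key, r, len(c)), c)


def roundtrip(msg: bytes) -> bool:
    """Decryption inverts encryption under a fresh (constructed) key."""
    key = os.urandom(16)
    return decrypt(key, encrypt(key, msg)) == msg


def same_message_same_ciphertext(msg: bytes) -> bool:
    """Two encryptions of one message under one key coincide only if r repeats,
    which for a 128-bit random r happens with negligible probability."""
    key = os.urandom(16)
    return encrypt(key, msg) == encrypt(key, msg)


def pad_reuse_leak(m1: bytes, m2: bytes) -> bytes:
    """What goes wrong if r is NOT fresh: with one r for two messages,
    C1 xor C2 = M1 xor M2 no matter what K is.  Computed from the ciphertexts only."""
    key, r = os.urandom(16), os.urandom(L_BYTES)
    c1 = xor(prf_large(key, r, len(m1)), m1)
    c2 = xor(prf_large(key, r, len(m2)), m2)
    return xor(c1, c2)
```

The ciphertext is l bits longer than the message (the value r), exactly as in the scheme above; the cost of the counter extension is one fixed-PRF call per 32 bytes of message, which is why the text prefers the CBC and XOR methods when only a fixed-length PRF is at hand.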

6.12.2 Encryption with pseudorandom bit generators

A pseudorandom bit generator is a deterministic function G which takes a k-bit seed and produces a p(k) > k bit sequence of bits that looks pseudorandom. These objects were defined and studied in Chapter 3. Recall the property they have is that no efficient algorithm can distinguish between a random p(k)-bit string and the string G(K) for random K.

Recall the one-time pad encryption scheme: we just XOR the message bits with the pad bits. The problem is that we run out of pad bits very soon. Pseudorandom bit generators provide probably the most natural way to get around this. If G is a pseudorandom bit generator and K is the k-bit shared key, the parties implicitly share the long sequence G(K). Now, XOR message bits with the bits of G(K). Never use an output bit of G(K) more than once. Since we can stretch to any polynomial length, we have enough bits to encrypt.

More precisely, the parties maintain a counter N, initially 0. Let G_i(K) denote the i-th bit of the output of G(K). Let M be the message to encrypt. Let M_i be its i-th bit, and let n be its length. The sender computes C_i = G_{N+i}(K) ⊕ M_i for i = 1, ..., n and lets C = C_1 ... C_n be the ciphertext. This is transmitted to the receiver. Now the parties update the counter via N ← N + n. The total number of bits that can be encrypted is the number p(k) of bits output by the generator. One can show, using the definition of PRBGs, that this works:

Theorem 6.29 If G is a secure pseudorandom bit generator then the above is a secure encryption scheme.

Cryptography: Lecture Notes 117

One seeming disadvantage of using a PRBG is that the parties must maintain a common, synchronized counter, since both need to know where they are in the sequence G(K). (Note that the schemes we have discussed above avoid this. Although some of the schemes above may optionally use a counter instead of a random value, this counter is not a synchronized one: the sender maintains a counter, but the receiver does not, and doesn’t care that the sender thinks of counters.) To get around this, we might have the sender send the current counter value N (in the clear) with each message. If authentication is being used, the value N should be authenticated.

The more major disadvantage is that the pseudorandom sequence G(K) may not have random access. To produce the i-th bit one may have to start from the beginning and produce all bits up to the i-th one. (This means the time to encrypt M depends on the number and length of messages encrypted in the past, not a desirable feature.) Alternatively the sequence G(K) may be pre-computed and stored, but this uses a lot of storage. Whether this drawback exists or not depends of course on the choice of PRBG G.

So how do we get pseudorandom bit generators? We saw some number theoretic constructions in Chapter 3.

These are less efficient than block cipher based methods, but are based on different kinds of assumptions which might be preferable. More importantly, though, these constructions have the drawback that random access is not possible. Alternatively, one could build pseudorandom bit generators out of finite PRFs. This can be done so that random access is possible. However the resulting encryption scheme ends up being not too different from the XOR scheme with a counter so it isn’t clear it is worth a separate discussion.
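The following Python is an added example (not code from the lecture notes) of the counter-based PRBG scheme of this subsection, built the way the last paragraph suggests: G(K) is obtained from a fixed-length PRF in counter mode, so its j-th block is f_K(⟨j⟩) and any position in the stream can be reached directly (random access). The PRF is assumed to be HMAC-SHA256, the bound p(k) on the generator's output is a constructed constant P_K given in bytes, and the two parties are modelled as a Sender that keeps the counter N and a Receiver that takes N from the message header, as the text proposes, but refuses any header that would re-use pad bytes it has already consumed.

```python
import hashlib
import hmac
from typing import Tuple

# Assumptions: HMAC-SHA256 as the fixed-length PRF f_K; P_K is a constructed stand-in
# for p(k), the total number of generator output bytes that may ever be used per key.
BLOCK = 32
P_K = 1 << 20


def g_block(key: bytes, j: int) -> bytes:
    """Block j of G(K), computed as f_K(<j>): it depends only on K and j,
    so no earlier part of the stream has to be generated first."""
    return hmac.new(key, j.to_bytes(8, "big"), hashlib.sha256).digest()


def g_range(key: bytes, start: int, n: int) -> bytes:
    """Bytes start .. start+n-1 of G(K), obtained by random access."""
    first, last = start // BLOCK, (start + n - 1) // BLOCK
    stream = b"".join(g_block(key, j) for j in range(first, last + 1))
    off = start - first * BLOCK
    return stream[off:off + n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Keeps the counter N: C_i = G_{N+i}(K) xor M_i, then N <- N + n."""

    def __init__(self, key: bytes) -> None:
        self.key, self.N = key, 0

    def encrypt(self, msg: bytes) -> Tuple[int, bytes]:
        n = len(msg)
        if self.N + n > P_K:
            # Going past p(k) would mean re-using pad bits: rekey instead.
            raise RuntimeError("generator output exhausted; rekey")
        n_used = self.N
        c = xor(g_range(self.key, n_used, n), msg)
        self.N += n
        # N travels in the clear so the receiver need not stay in lockstep;
        # if a MAC is in use, N must be covered by it too.
        return n_used, c


class Receiver:
    """Decrypts at the transmitted position N, but never lets N go backwards."""

    def __init__(self, key: bytes) -> None:
        self.key, self.N = key, 0

    def decrypt(self, n_hdr: int, c: bytes) -> bytes:
        if n_hdr < self.N:
            # Overlaps pad bytes already consumed: a replay, or a sender re-using pad.
            # (Tolerating out-of-order delivery would need a window; kept strict here.)
            raise ValueError("counter went backwards: pad reuse or replay")
        if n_hdr + len(c) > P_K:
            raise ValueError("ciphertext lies beyond the generator bound p(k)")
        msg = xor(g_range(self.key, n_hdr, len(c)), c)
        self.N = n_hdr + len(c)
        return msg


def run_session(key: bytes) -> Tuple[int, int, bytes, bytes]:
    """Two constructed messages in a row: headers 0 and 25, both decrypt correctly."""
    s, r = Sender(key), Receiver(key)
    n1, c1 = s.encrypt(b"first constructed message")
    n2, c2 = s.encrypt(b"second one")
    return n1, n2, r.decrypt(n1, c1), r.decrypt(n2, c2)


def wrong_position_garbles(key: bytes) -> bool:
    """A receiver that ignores the header and assumes N = 0 for the second message
    XORs with the wrong pad and gets garbage: this is the synchronisation problem."""
    s = Sender(key)
    s.encrypt(b"first constructed message")
    _, c2 = s.encrypt(b"second one")
    return xor(g_range(key, 0, len(c2)), c2) != b"second one"


def replay_is_rejected(key: bytes) -> bool:
    """Delivering the same (N, C) twice trips the backwards-counter check."""
    s, r = Sender(key), Receiver(key)
    n1, c1 = s.encrypt(b"first constructed message")
    r.decrypt(n1, c1)
    try:
        r.decrypt(n1, c1)
    except ValueError:
        return True
    return False
```

Because g_range reaches block j directly, the cost of encrypting a message does not depend on how much was encrypted before, which is exactly the random-access property the number-theoretic generators of Chapter 3 lack; and, as the text notes, the result is essentially the XOR scheme with a counter.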

6.12.3 Encryption with one-way functions

We saw in Chapter 3 that pseudorandom bit generators exist if one-way functions exist [109]. It is also known that given any secure private key encryption scheme one can construct a one-way function [110].

Thus we have the following.

Theorem 6.30 There exists a secure private key encryption scheme if and only if there exists a one-way function.

We will see later that the existence of secure public key encryption schemes requires different kinds of assumptions, namely the existence of primitives with “trapdoors.”

6.13 Historical Notes

The pioneering work on the theory of encryption is that of Goldwasser and Micali [98], with refinements by [141, 91]. This body of work is however in the asymmetric (i.e. public key) setting, and uses the asymptotic framework of polynomial-time adversaries and negligible success probabilities. The treatment of symmetric encryption we are using is from Bellare and Rogaway's work on symmetric encryption. In particular Definition 6.1 and the concrete security framework are from [20]. The analysis of the CTR mode encryption schemes, as given in Theorems 6.17 and 6.18, is also from [20].

6.14 Exercises and Problems

Problem 6.31 Formalize a notion of security against key-recovery for symmetric encryption schemes, and prove an analogue of Proposition 6.16.

Problem 6.32 Let l ≥ 1 and m ≥ 2 be integers, and let SE = (K, E, D) be a given symmetric encryption scheme whose associated plaintext space is {0,1}^l, meaning one can safely encrypt only messages of length l. In order to be able to encrypt longer messages, we define a new symmetric encryption scheme SE^(m) = (K, E^(m), D^(m)) having the same key generation algorithm as that of SE, plaintext space {0,1}^{lm}, and encryption and decryption algorithms as follows:

Algorithm E_K^(m)(M)
[pseudocode not reproduced in the extracted text]

... block being l bits long. For decryption, C is parsed as a sequence of m strings, each c bits long, where c denotes the length of a ciphertext in scheme SE. If any component ciphertext C[i] is invalid (meaning D_K returns ⊥ for it) then the entire ciphertext (C[1], ..., C[m]) is declared invalid.

(a) Show that

Part (a) says that SE^(m) is insecure against chosen-ciphertext attack. Note this is true regardless of the security properties of SE, which may itself be secure against chosen-ciphertext attack. Part (b) says that if SE is secure against chosen-plaintext attack, then so is SE^(m).

Problem 6.33 Let E: {0,1}^k × {0,1}^l → {0,1}^l be a block cipher. Operating it in CBC mode with IV a counter yields a stateful symmetric encryption scheme, SE = (K, E, D). The key generation algorithm simply returns a random key for the block cipher, meaning it picks a random k-bit string key and returns it, so that the key space is {0,1}^k. The encryption and decryption algorithms are as follows:

Algorithm E_K(M)
[pseudocode not reproduced in the extracted text]

Parsing M means that we divide it into l-bit blocks and let M[i] denote the i-th such block. In parsing C we also divide it into l-bit blocks, but this time the blocks are numbered starting at 0. The encrypter maintains a counter ctr, initially zero. The IV is C[0], which is chosen to be the l-bit binary representation of the integer ctr. The counter is updated by the encryption algorithm as indicated.

Show that SE is insecure against chosen-plaintext attack. Namely, present a lower bound on Adv^{ind-cpa}_{SE}(t, q, µ) for certain specific, small values of t, q, µ that you will specify, along with a certain large (i.e. close to one) value of the lower bound itself. Prove your claim correct by presenting and analyzing the corresponding adversary.

Your attack can assume that the initial value of the counter used by the LR-encryption oracle is zero.

(This corresponds to a setting in which the attacker is present right from the moment the encrypter starts using the scheme.) Once you have solved the problem in this setting, however, try to also find an attack in which the initial value of the counter used by the LR-encryption oracle is not known to the attacker. (This corresponds to the more realistic setting in which the attacker enters the picture after the scheme has been in use for some time.)

Problem 6.34 Let P: {0,1}^k × {0,1}^{2l} → {0,1}^{2l} be a family of permutations. We define a symmetric encryption scheme SE = (K, E, D). The key generation algorithm simply returns a random key for P, meaning it picks a random k-bit string key and returns it, so that the key space is {0,1}^k. The message space is {0,1}^{ln} where n > 1 is some fixed, given integer. The encryption and decryption algorithms are as follows:

Show that this scheme is secure against chosen-plaintext attack as long as P is a secure PRP. More precisely show that

Hint: Proceed in analogy to the analysis of CTR mode encryption done above. First analyze the scheme which uses in place of P the family Perm^{2l} of random permutations on 2l bits. Then turn to the scheme using the given PRP P.

Problem 6.35 Let l ≥ 64 be an integer, and let P: {0,1}^k × {0,1}^l → {0,1}^l be a pseudorandom permutation. We define a symmetric encryption scheme SE as follows. The key is a randomly chosen k-bit string K, meaning a key for the PRP. The encryption and decryption algorithms are as follows:

Algorithm E_K(x_1 ... x_n)
[pseudocode not reproduced in the extracted text]

Here the encryption algorithm takes as input a message x of length a multiple of l, which it views as divided into l-bit blocks, x = x_1 ... x_n. It returns a string y of length l(n + 1), computed as shown. The decryption algorithm takes y and returns x. Here “+” denotes addition modulo 2^l, and ⟨j⟩ denotes the binary representation of integer j as an l-bit string.

Show that this scheme is insecure. More precisely, show that

Adv^{ind-cpa}_{SE}(t, q, µ) ≥ 1/3,

where t, q, µ are values that you will specify, and should be as small as possible.

The idea of a public-key cryptosystem (PKC) was proposed by Diffie and Hellman in their pioneering paper [68] in 1976. Their revolutionary idea was to enable secure message exchange between sender and receiver without ever having to meet in advance to agree on a common secret key. They proposed the concept of a trapdoor function and how it can be used to achieve a public-key cryptosystem. Shortly thereafter Rivest, Shamir and Adleman proposed the first candidate trapdoor function, the RSA. The story of modern cryptography followed.

The setup for a public-key cryptosystem is a network of users u_1, ..., u_n rather than a single pair of users.

Each user u in the network has a pair of keys ⟨P_u, S_u⟩ associated with him: the public key P_u, which is published under the user's name in a “public directory” accessible for everyone to read, and the private key S_u, which is known only to u. The pairs of keys are generated by running a key-generation algorithm. To send a secret message m to u, everyone in the network uses the same exact method, which involves looking up P_u, computing E(P_u, m) where E is a public encryption algorithm, and sending the resulting ciphertext c to u. Upon receiving ciphertext c, user u can decrypt by looking up his private key S_u and computing D(S_u, c) where D is a public decryption algorithm. Clearly, for this to work we need that D(S_u, E(P_u, m)) = m.

A particular PKC is thus defined by a triplet of public algorithms (G, E, D), the key generation, encryption, and decryption algorithms.
