Chosen-Plaintext Attacks Against Encryption
The encryption schemes we have seen so far have been severely limited. Specifically, they are secure only when each key is used to encrypt a single plaintext. In this chapter, finally, we study real encryption, in which one short key can safely encrypt any number of plaintexts.
8.1. Definitions and leaking the plaintext length
One-time secrecy for encryption (definition 2.5.3) considers an attack scenario in which a new/fresh key is chosen for each ciphertext. With a simple modification, we can write a library that describes an attack scenario where the same key is used for all encryptions:
Then, we can demand that the adversary sees only random junk in this attack scenario. In other words, the following two libraries must be indistinguishable:
This is indeed a reasonable security definition for multi-use encryption, but it does contain a subtle problem. To understand why, suppose we have an encryption scheme that supports plaintext of any length, where plaintexts of length are encrypted into ciphertexts of length . Several examples of such schemes are described later in this chapter. Then just by looking at the length of a ciphertext, an adversary can learn something about the plaintext! For example, an adversary can easily tell whether you have encrypted a small 1 KB plaintext or a huge 1 GB plaintext; such an attack would be incompatible with the security definition given above (see exercise 8.1).
The problem with this security definition also surfaces in the following way: Suppose an encryption scheme supports an infinite set of possible plaintexts—say, it supports plaintexts of arbitrary length. Then the set of possible ciphertexts must also be infinite. The library above includes a statement “”, but what can this mean if is infinite? There is no well-defined uniform distribution over an infinite set!
The issue does not arise for encryption schemes that support only a fixed plaintext length, including all of the schemes we have seen so far. In those cases, was finite, and there is no problem with the security definition above. But in the more general case:
Ciphertexts cannot completely hide the plaintext length.
Ciphertexts must leak (something about) the plaintext's length, so the best we can hope for is that ciphertexts leak nothing more than the plaintext length. We can modify the security definition to reflect this idea as follows. The security definition above says, essentially, “encryptions of are indistinguishable from a uniformly sampled ciphertext (from the space of all possible ciphertexts).” We can instead demand that “encryptions of are indistinguishable from a uniform sample from the set of all encryptions of plaintexts with the same length as .”
We write for the length of string . Depending on the context, we might measure string length in bits, bytes, or even (-bit) blocks.
Let be an encryption scheme, and let denote the set of possible ciphertexts for plaintexts of length . If supports only plaintexts of a single length, we can simply write to denote the entire set of ciphertexts.
has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:
A good way to understand this new definition is to study the library. The only information it uses about is its length, and it ignores everything else about . So outputs from simply cannot leak more than the length of . And if the two libraries are indistinguishable, we can conclude that true ciphertexts generated by also do not leak more than the length of the plaintext.
8.1.1. The plaintext length side-channel
Encryption cannot completely hide the length of plaintext data. We must accept this fact, even if its consequences are unpleasant. Plaintext length can convey a surprising amount of information and have huge impacts to real-world security! An adversary who observes only the length and timing of your encrypted network traffic can figure out:
-
which pages you visited on Wikipedia, or any website with relatively static content of different sizes;
-
which movie you are streaming, because video formats use variable bit-rate (VBR) encodings, so that “busier” segments of the video require more data per second;
-
or even what you are saying in an encrypted audio call!
See the chapter notes for references about these attacks. Personally speaking, these are the kinds of attacks that give me the most existential dread about cryptography. However, encryption is about more than just hiding the content of communication, as we will see later in section 9.6.
8.1.2. ☆ CPA security in the left-or-right paradigm
Recall the discussion in section 2.7. Our default way to define security of encryption is the real-or-random paradigm, but it is also possible to use the left-or-right paradigm. A security definition in the left-or-right style says, essentially, if an adversary provides two plaintexts , then they cannot tell which of those two plaintexts is actually encrypted.
However, if and have very different lengths, then we do expect it to be possible to distinguish their encryptions. Only when the plaintexts have the same length can we reasonably expect their ciphertexts to be indistinguishable. Thus, when defining security in the left-or-right paradigm, we limit the adversary to plaintext pairs of equal length. This is achieved by making the library give an error if the adversary provides and of different lengths.
An encryption scheme satisfies left-or-right CPA security if the following two libraries are indistinguishable:
This left-or-right flavor of CPA security is commonly called IND-CPA, which stands for “ciphertext indistinguishability, under chosen-plaintext attacks.” The real-or-random flavor (definition 8.1.1) is often called IND$-CPA, which stands for “indistinguishability from random/uniform, under chosen-plaintext attacks.”
8.2. Deterministic encryption
A deterministic encryption scheme cannot have CPA security.
An encryption scheme is deterministic if calling on the same input twice always produces the same output.
One-time pad is an example of a deterministic encryption scheme. The scheme from construction 2.6.1 was not deterministic.
If an encryption scheme is deterministic and an adversary sees the same ciphertext twice, then he/she can deduce that the same plaintext was sent twice. In other words, the adversary learns something about the plaintexts! We can formulate this attack as a calling program that distinguishes the libraries:
When this calling program is linked to and the encryption scheme is deterministic, it outputs with probability 1. When linked to , and are distributed uniformly over , where . So only with probability . The difference between these probabilities is nonnegligible, and so the scheme is not CPA-secure.
You may be thinking, “Of course the same plaintext will result in the same ciphertext! How can this really be a problem?” Be careful that your mental model of encryption has not been “overfitted” to deterministic schemes like OTP and simple toy substitution ciphers (newspaper cryptograms). The problem with deterministic encryption is a direct consequence of definition 8.1.1. The definition has no special exceptions for repeated plaintexts! If you accept definition 8.1.1, then you must accept that encryption cannot be deterministic. Besides, we can achieve this definition of CPA security; encryption can hide whether plaintexts repeat! Since we can hide this information, we should.
8.3. A randomized encryption scheme based on PRFs
Since deterministic encryption cannot be CPA-secure, we will consider schemes whose algorithm is randomized. (This is not the only way to avoid the limitations of deterministic encryption; see section 8.7.)
In this section we describe an encryption scheme based on a PRF. Each time Alice wants to send a message to Bob, she uniformly samples a value . She uses as a OTP key to encrypt her plaintext, and she also includes as part of the ciphertext. Given , Bob can compute the same OTP key and use it to decrypt the plaintext. But an eavesdropper who sees will not be able to guess when is a secure PRF.
This encryption scheme supports plaintexts of a single, fixed length. Thus, there are no complications when it comes to leaking the plaintext length—their length is already a public parameter of the scheme.
Let be a PRF with input length and output length . Define the following encryption scheme:
If is a secure PRF, then construction 8.3.1 has CPA security. In other words,
Proof idea: The goal is to show that ciphertexts in this scheme are pseudorandom. What can we say about how these ciphertexts are generated?
Ciphertexts consist of two parts, and . is clearly sampled uniformly, so there is not much to say about it. But is computed as . We can interpret this as a kind of OTP ciphertext, with acting as the OTP key. But OTP produces uniform ciphertexts only when the key is uniform and used only once. Is that the case with here?
Since is a secure PRF, its outputs are indeed pseudorandom, but only when the PRF's inputs are distinct. Can we argue that these inputs don't repeat?
The inputs in question are the -values, which are uniformly sampled -bit strings. Thus, the probability of a repeat is the standard birthday probability, which is negligible. The formal proof is the result of assembling all of these observations, to finally conclude that ciphertexts of the form are pseudorandom.
8.4. An example chosen-plaintext attack
As usual, security is a knife's edge, requiring everything to be in a delicate balance. Make one seemingly minor change to a secure scheme, and all security may be lost. Such is indeed the case with the scheme from the previous section. In that scheme, the second part of the ciphertext is computed as . Suppose we swap the role of and and compute the second part of the ciphertext as . The result, as we show below, is totally insecure:
The following encryption scheme does not have CPA security, even if is a secure PRP:
To show that the scheme is insecure, we must write a calling program that can distinguish the following two libraries:
Following the Golden Rule of PRFs, our attack strategy should be to cause the construction to repeat inputs to the PRF. That's easy in this case, since the scheme uses as the PRF input—a value that the adversary completely controls in the CPA attack scenario.
If the adversary causes two ciphertexts to be generated with repeated values, then the two ciphertexts and satisfy:
Canceling the common term gives:
This is a pattern in the ciphertexts that the adversary can detect, since it knows . We can combine all of these observations into a formal calling program:
When linked to , as we just argued above, the calling program outputs with probability 1. When linked to , it outputs with probability since are distributed uniformly and independently.
This example illustrates an important distinction between the values and in construction 8.3.1. Its security rests on the fact that is under the complete control of the adversary, while is under the complete control of the victim.
8.5. Block cipher modes
Construction 8.3.1 supports plaintexts of a single, fixed length. In this section we discuss how to efficiently encrypt long plaintexts, of variable length, using a single key. These methods are called block cipher modes (sometimes called modes of operation): recipes for using a block cipher (PRP) to process data that is longer than a single block.
In this section we will focus on plaintexts whose length is a multiple of the PRP's blocklength. In other words, we assume that each plaintext can be divided exactly into blocks that are suitable as inputs to the PRP. We call such plaintexts block-aligned and write each as , where each is a single block. Later in section 8.6 we discuss how to properly handle non-block-aligned plaintexts.
We will write to denote the set of all block-aligned strings with blocklength : strings consisting of any number of complete blocks. In this section we will also measure the length of plaintexts in units of blocks. For example, security proofs refer to , which in our case will mean the set of ciphertexts obtained by encrypting plaintexts of blocks, not bits.
8.5.1. ECB mode
We start by discussing what not to do: ECB mode is the “obvious” way to apply a block cipher to a long plaintext. It's a horrible idea. The only reason to mention it is to teach you its name so you can recognize it, avoid it, and publicly shame anyone who uses it.
Let be a PRP with blocklength . ECB mode (for electronic codebook) is defined by the following algorithms:
NEVER USE ECB MODE!
ECB is deterministic, so of course it is insecure! Please don't use ECB mode.
The cryptography world has only two persistent inside jokes: One is our bizarre obsession with naming people Alice and Bob, and the other is the ECB penguin. It was created by Wikipedia user Lunkwill to illustrate the result of encrypting a picture of Tux the penguin (the Linux mascot) under ECB mode:
ECB mode encrypts identical plaintext blocks to identical ciphertext blocks. The original Tux image has many large areas of a solid color, which lead to identical plaintext blocks in the image file (of course, this depends on the specifics of the image file format). As a result, the ghost of Tux is clear in the ciphertext. Needless to say, seeing penguins in your ciphertexts is a Very Bad Thing indeed.
The ECB penguin is one of the rare instances where insecurity can be seen visually.
8.5.2. CBC and CTR modes
Quickly moving past ECB mode, let's now see two good block cipher modes.
Let be a PRP with blocklength . CBC mode (for cipher block chaining) is defined by the following algorithms:
The first ciphertext block is called the initialization vector (IV). The scheme is defined only for block-aligned plaintexts ().
Let be a PRF with input and output length . CTR mode (or counter mode) is defined by the following algorithms:
The addition operation in “” refers to addition mod , which is the standard unsigned addition of -bit numbers.
Both CBC and CTR modes are randomized; they each start by uniformly sampling the initialization vector. In both modes the ciphertext is one block longer than the plaintext.
Comparison: CBC and CTR modes are essentially the only two modes that are ever used in practice for CPA security. Both provide the same qualitative security guarantee, and so any comparison between the two must be based on things outside of the CPA security definition. Here are a few properties that are often considered when choosing between these modes:
-
CTR mode does not use the block cipher's inverse , even for decryption. Thus, CTR requires only a PRF rather than a PRP. However it is rare to encounter an efficient PRF in practice that is not also a PRP.
-
Both CBC and CTR modes have a parallelizable decryption algorithm, meaning that you can directly decrypt any plaintext block without first decrypting all previous ones. However, only CTR has a parallelizable encryption algorithm. After choosing the IV in CTR mode, you can generate any ciphertext block directly without first encrypting all previous blocks. CBC mode encryption is inherently sequential.
-
If the block cipher is expensive, you might want to precompute block cipher evaluations and store the results early, even before the plaintext is chosen. CTR mode allows this, since only the IV affects the input given to the block cipher. In CBC mode, the plaintext influences the inputs to the block cipher, so these calls cannot be precomputed.
-
It is relatively easy to modify CTR to support plaintexts that are not an exact multiple of the blocklength. It is less straightforward (although not difficult) to make CBC support such plaintexts. We discuss these issues later in section 8.6.
-
So far all of the comparisons have favored CTR mode, so here is one important property that favors CBC mode. It is common for implementers to misunderstand the security implications of the IV in these modes. Many careless implementations may allow an IV to be reused. Rather than dumping the blame on the developer for an incorrect implementation, it is good design practice to anticipate likely misuses of a system and, when possible, make them noncatastrophic.
CTR mode fails catastrophically when an IV is reused: It leaks the xor of the two plaintexts. CBC mode is more resilient to IV reuse: Depending on the specifics of the attack scenario, it can leak nothing in the case that the plaintexts have different first blocks (see exercise 8.30).
Proof of Security:
Both CBC and CTR modes have CPA security. Below we prove security of CBC mode:
If is a secure PRP (and thus a secure PRF by lemma 7.2.1), then CBC mode (construction 8.5.3) satisfies CPA security. In other words,
In CBC mode, each block of ciphertext is a direct output of the PRP. Thus, the main idea of the security proof is to show that inputs to the PRP don't repeat, except with negligible probability. Showing this involves two important conceptual steps:
-
First, we give a variable name to the PRP input: Set , the th input to the PRP.
-
Consider the expression , where is sampled uniformly. We obtain the same distribution by instead sampling uniformly and then solving for (claim 2.4.2). After making such a change, we will have a hybrid in which the values are chosen uniformly and also used as PRP inputs. It is now easy to argue that these PRP inputs don't repeat.
8.6. Non-block-aligned plaintexts
So far we have been assuming that all plaintexts are an exact multiple of the blocklength, but this may not always be the case in practice. How can we adapt these encryption methods to support plaintexts of any length?
8.6.1. CTR mode
CTR requires almost no changes to support arbitrary plaintext lengths. The main idea behind CTR mode is to xor the plaintext with the long string:
To support plaintexts of arbitrary length, we can therefore simply truncate this long string to the correct length.
To be more precise, let us divide the plaintext as before into blocks , except now the last piece may be only a partial block. We then truncate the last PRF output to the same length as , so the two strings can be xor'ed. These changes to CTR mode encryption are highlighted below:
The ciphertext will always be exactly one block longer than the plaintext, from the addition of the IV .
8.6.2. CBC mode
CTR mode uses its plaintext blocks only for xor, an operation that can be performed on strings of any length. On the other hand, CBC mode processes plaintexts as , which makes sense only when is an entire block.
Hence, the easiest way to adapt CBC mode to arbitrary-length plaintexts is to encode all plaintexts into block-aligned data. This process is called padding, and there are many reasonable ways to do it.
A padding method consists of two functions , which satisfy the following properties:
-
For all strings , the length of is an exact multiple of the blocklength.
-
Padding can be reversed. For all strings , we have .
When we augment CBC mode with a padding method, we obtain an encryption scheme that supports plaintexts of arbitrary length.
Below are a few possible padding methods. In the real world, data nearly always consists of bytes; when was the last time you needed to encrypt 5 bits? Thus, the standard padding methods below are described assuming that the input is a string of bytes.
Null padding simply appends all-s bytes to the plaintext until its length is a multiple of the blocklength. In the code below, the blocklength is (in bytes), and represents the null byte (written in hex):
Unfortunately, null padding doesn't work because it cannot be reversed. As an example, for a blocklength of 4 bytes, the hexadecimal strings and both get padded to , and there is no way to know which original string was intended.
PKCS#7 is a common and standard padding method. First, determine how many bytes need to be added to fill the last block. If bytes are needed, then append copies of byte “” to the original plaintext.
For example, with blocklength 8 bytes (and bytes written in hex),
The last byte of the padded data signals how many bytes of padding were added, and thus how many need to be removed to reverse the padding.
ANSI X.923 is similar to PKCS#7, except that the padding consists of zero-bytes followed by one “” byte:
What do you do if the plaintext is already a multiple of the blocklength?
You might hope that padding is not necessary in this case, and that we can leave the plaintext alone.
However, this will not work because the original plaintext might already end with bytes that look like the padding bytes.
In that case, there is ambiguity when attempting to reverse the padding.
Thus, every padding method will add an entire block of padding, when the plaintext is already a multiple of the blocklength. For example, PKCS#7 with 8-byte blocklength will add padding as follows:
What does return on strings that don't have valid padding?
It's true that we have not defined what should do in this case.
This uncertainty has led to real-world attacks, which are discussed in the next chapter.
8.7. ☆ Nonce-based encryption
We argued in section 8.2 that encryption cannot be deterministic; calling twice with the same key and plaintext should not produce the same output. Something needs to be different each time is called, even with the same key and plaintext. In a randomized encryption scheme, the algorithm samples fresh random values each time it is called.
However, randomization is not the only way to make an encryption scheme “not deterministic.” Another alternative involves rethinking how we formally define what “encryption” is. We can insist that the encryption and decryption algorithms take an additional argument called a nonce, which is shorthand for “number used [only] once.” To use nonce-based encryption properly, you should use a different nonce each time is called. The nonce therefore provides the necessary variability to overcome the limitations of deterministic encryption, even when plaintexts are repeated.
A nonce-based symmetric-key encryption scheme consists of the following algorithms:
-
: a deterministic algorithm that takes a key , nonce , and plaintext as input, and outputs a ciphertext .
-
: a deterministic algorithm that takes a key , nonce , and ciphertext as input, and outputs a plaintext .
The scheme is correct if, for all , , and we have:
We can write the correctness condition without a probability because both and are deterministic.
Randomized encryption is the more traditional way to define encryption. Nonce-based encryption is a newer paradigm, but is becoming more common because nonces are much less fragile than randomness.
The security of a randomized encryption scheme depends on its randomness being uniform and unpredictable. This is easy to get wrong in practice: Implementers may use poor randomness; they may use randomness that an adversary can predict; they may repeat randomness by accident. Even worse, they may leave this randomness up to the end-user, like many cryptography software libraries that require the end-user to provide IVs. In any of these cases, an ostensibly secure scheme could be catastrophically insecure in practice, since the reality of the implementation no longer reflects the CPA attack scenario.
The security of a nonce-based scheme depends only on the fact that nonces don't repeat—that's all. Nonces can be predictable; they can even be chosen by the adversary; all that matters is that they don't repeat.
In the formal security definition for nonce-based encryption, the adversary indeed gets to choose each nonce, just as it can choose each plaintext. The victim records the nonces it has seen previously, and refuses to use any nonce more than once. In this way, the security definition is limited to scenarios where nonces are distinct.
A nonce-based encryption scheme has CPA security if the following two libraries are indistinguishable:
Nonce-based encryption has additional advantages:
-
It can be deterministic by definition. Deterministic algorithms are easier to test and also harder to get wrong.
-
The nonce can be included in the ciphertext (like an IV), but it does not need to be. In many settings the nonce is a value that both the sender and receiver already know. For example, the nonce might be a simple counter, or packet sequence number. In fact, it's preferable to not consider the nonce as part of the ciphertext for the purposes of the security definition, since the nonce need not look pseudorandom.
-
Nonce-based encryption can avoid ciphertext expansion. If we don't consider the nonce as part of the ciphertext, then ciphertexts can be exactly as long as the plaintexts. This is not possible with randomized encryption.
-
Nonce-reuse can be detected. A poor source of randomness can be difficult or even impossible to detect.
Finally, you can always choose to use uniformly sampled bits as the nonce if you like, and send this nonce along with the ciphertext. In other words, it is always safe to implement the nonce as an IV. Implementing a nonce-based scheme still leaves open the possibility of providing a randomized scheme.
However, the converse is not true; it is not always safe to treat the IV of a randomized encryption scheme as a nonce. Indeed, both CTR and CBC modes (as defined in this chapter) are insecure if their IV is treated as a nonce. Their security proofs rely crucially on the IV being sampled uniformly and unpredictable to the adversary, whereas a nonce can be chosen by the adversary.
The exercises explore these and other aspects of nonce-based encryption in greater depth.
Exercises
-
h Suppose is an encryption scheme with . Show that it is not possible for to hide the length of the plaintext.
More formally, show that the following two libraries are not indistinguishable:
:// if : returnreturn:// if : returnreturnNote: These libraries allow and to have different lengths.
Fix a string , and suppose is an integer that satisfies Although you might not know , you can define a calling program for each possible and argue that one of them succeeds in the attack.
For a particular , how many possible values are there for , over all that are shorter than bits? If is not among these values, then can never be encrypted to a string shorter to bits, under this key. Now suppose is chosen uniformly from ; what is the probability that is encrypted to a ciphertext shorter than bits?
-
Find a website with a moderate amount of static content, of varying lengths. Write a program to determine which page is being viewed when a victim browses this website over TLS, just by seeing a log/dump of the encrypted traffic.
-
Let and be encryption schemes with . Define the following new scheme :
Prove that is CPA-secure if one of and is CPA-secure. The proof should have two cases: one assuming is secure, and assuming nothing about except for its correctness; and vice versa.
-
Let be a CPA-secure encryption scheme such that , so that any ciphertext in can be used as a plaintext as well. Prove that the scheme given by the following encryption algorithm is also CPA-secure:
Note that both calls to use the same key.
-
Let be a CPA-secure encryption scheme with allowable plaintexts . Define the following scheme that supports plaintexts of length :
Prove that is also CPA-secure.
In other words, it is safe to separately and independently encrypt different pieces of a plaintext. (You may wonder why such an “obvious” statement requires proof, but later in the book we study security definitions for encryption in which this modification of an encryption scheme is not safe.)
-
Give an example of an encryption scheme that satisfies left-or-right CPA security (definition 8.1.2) but not real-or-random CPA security (definition 8.1.1), and justify both properties of your answer. Your scheme does not need to be a natural/useful encryption scheme.
-
Prove that an encryption scheme achieves left-or-right CPA security (definition 8.1.2) if and only if the following two libraries are indistinguishable:
:return:returnIn other words, encryptions of a chosen are indistinguishable from encryptions of the all-zeros plaintext (of the same length).
-
Let be an encryption scheme, and write as shorthand for , the plaintexts of length . Prove that an encryption scheme achieves left-or-right CPA security (definition 8.1.2) if and only if the following two libraries are indistinguishable:
:return:returnIn other words, encryptions of a chosen are indistinguishable from encryptions of a uniformly chosen plaintext (of the same length).
-
h For the purposes of this exercise, a (randomized) encryption scheme is called IV-based if there is a deterministic function such that encryption can be written as:
We call the scheme compact if always has the same length as .
Prove that if an encryption scheme is IV-based, compact, satisfies correctness, and achieves left-or-right CPA security (definition 8.1.2), then it also achieves real-or-random CPA security (definition 8.1.1). Usually the implication holds only in the other direction (real-or-random implies left-or-right).
How are ciphertexts distributed when is chosen uniformly?
-
h In chapter 3, we defined security for secret sharing schemes using two interchangeable libraries. Furthermore, if the secret is bits, then shares must also be at least bits (exercise 3.4).
Suppose we allow secret sharing schemes where the two libraries in definition 3.1.1 are merely indistinguishable. Construct a -out-of- secret sharing scheme that can share an -bit secret with shares of length bits. Prove that your scheme is secure.
Start with the “sharing scheme” of exercise 3.17, which provides no secrecy, and encrypt its shares under a suitable key.
-
Suppose an encryption scheme satisfies correctness and has . Prove that cannot be CPA-secure.
-
Suppose an encryption scheme satisfies correctness and has and . The parameter measures the ciphertext expansion of the scheme. In this exercise you will prove that the expansion of a CPA-secure scheme cannot be too small.
Consider the following calling program:
returnSay that “ decrypts to under ” if .
-
Assume that for any and any , there are exactly values that decrypt to under . In this case, what is the advantage of in distinguishing the libraries?
-
The previous part considers an optimistic case. In general, different keys and plaintexts can be associated with a different number of ciphertexts. Say that a plaintext is heavy with respect to key if there are more than ciphertext values that decrypt to under . What is the most number of heavy plaintexts there can be under one key? When is linked to , samples a plaintext and samples a key . What is the maximum probability that is heavy with respect to ?
-
Assume that . Show that the advantage of is at least .
-
-
Suppose is a secure PRP with blocklength . Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:
-
Suppose is a secure PRP with blocklength . Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:
-
Suppose is a secure PRP with blocklength . Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:
-
Let be a secure PRP with blocklength . Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:
-
Let be a secure PRP with blocklength . Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:
-
In exercise 7.8 we defined security for a weak PRF. Prove that construction 8.3.1 is CPA-secure when its underlying block cipher is a weak PRF.
-
Let be a PRG with stretch . Write the decryption algorithm for the following encryption scheme, then show that it is not CPA-secure, even if is a secure PRG:
-
Let be a PRP with blocklength . Write the decryption algorithm for the following encryption scheme, then show that it is not CPA-secure, even if is a secure PRP:
-
Let be a secure PRP with blocklength . Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.
-
Let be a secure PRP with blocklength . Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.
-
Let be a secure PRP with blocklength . Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.
-
Let be a secure PRP with blocklength . Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.
-
Suppose a victim encrypts two different ciphertexts with the same IV, either by chance or through some systematic problem with their implementation. What can the adversary infer about the two plaintexts
-
if the victim is using CBC mode encryption?
-
if the victim is using CTR mode encryption?
-
-
Suppose that a single bit of a valid ciphertext is flipped during transmission. How does this bit-flip affect the result of decryption
-
in CBC mode?
-
in CTR mode?
-
-
Suppose we instantiate CBC mode not with a secure PRP but with OTP. In other words, replace each expression in the description of CBC mode with . Show that the resulting encryption scheme is not CPA-secure.
-
Consider a victim who uses CBC mode with a fixed but uniformly chosen and secret IV.
-
Prove that if this victim encrypts plaintexts with distinct first blocks, then the resulting ciphertexts (excluding the IV) are pseudorandom. In other words, prove that the following two libraries are indistinguishable, if the underlying PRP is secure.
// static IV:if : return// CBC mode with IV =for to :// does not return IV:return:if : returnfor to :returnThese libraries use a guard condition to enforce that values are globally distinct.
-
What happens if the static IV is revealed to the adversary, for example, by another subroutine that returns ? Are the resulting libraries also indistinguishable?
-
-
Output feedback mode (OFB) is defined below. Prove that it is CPA-secure if is a secure PRF:
-
h Below is a variant of CBC encryption called propagating CBC (PCBC) mode. Give its decryption algorithm and prove that it is CPA-secure.
There is a “one-line proof” that uses the fact that regular CBC mode is secure.
-
Prove that if the IV is fixed to the all-zeros string , then CBC mode still has (computational) one-time secrecy (definition 5.3.2).
-
Prove that CTR mode (construction 8.5.4) is a CPA-secure encryption scheme, when its underlying block cipher is a secure PRF.
-
Suppose a victim uses both CBC and CTR modes with the same key. Formalize an attack scenario in which a victim encrypts plaintexts of the adversary's choice, under the scheme (either CBC or CTR) of the adversary's choice, with a single key. Prove that the ciphertexts are pseudorandom in this scenario.
-
Consider the following unholy amalgamation of CBC and CTR modes:
The expression “” means: treat as a -bit integer, add integer (with unsigned addition), treat the result as a -bit string, and xor with . Describe the corresponding decryption algorithm and show that the scheme is not CPA-secure.
-
In each block of CBC encryption, we call on the result of an xor. In CBC decryption, we xor the result of a call to . Show that the following modification of CBC encryption, in which the xor and are reversed, is not CPA-secure:
-
Some implementers may be unclear about the distinction between a key and an IV, and therefore may be hesitant to include the IV in the ciphertext. Suppose someone has modified CBC mode so that the IV is passed through the PRP before being included in the ciphertext:
-
Show that the resulting scheme is no longer CPA-secure.
-
What if an independent PRP key is used for this step? In other words, is computed as . Is this modification to CBC mode CPA-secure?
-
-
In CBC encryption, we use the previous ciphertext block as the IV for the next block. But we always use a new/fresh IV to begin each separate ciphertext. It seems reasonable to instead use the last block of the previous ciphertext as the IV for the next ciphertext: This is what you would get if you encrypted both plaintexts at the same time, and it would also save an extra block of communication.
Unfortunately, this optimization is insecure. The attack scenario could be formalized as follows:
// “next IV”:for to :// do not include IV = in outputreturnShow that ciphertexts are no longer pseudorandom in this attack scenario.
-
We proved the security of CBC mode assuming its block cipher is a secure PRP. A two-round Feistel cipher is not a secure PRP. Despite this, prove that CBC mode is CPA-secure, when its underlying block cipher is a 2-round Feistel cipher (whose round function is a secure PRF). A Feistel cipher has blocklength of bits, and its round function needs bits of input and output. Therefore the CBC mode in this problem has blocks of length bits.
-
Formally specify the decryption algorithm for CTR mode corresponding to the encryption algorithm in section 8.6 that supports plaintexts of arbitrary length.
-
Prove that CTR mode for arbitrary plaintext lengths (section 8.6) has CPA security. Try to structure your proof so it uses the fact that CTR mode for block-aligned plaintexts (construction 8.5.4) has CPA security.
-
Prove that augmenting CBC mode with any padding method (definition 8.6.1) results in a CPA-secure encryption scheme that supports arbitrary plaintext length. Try to structure your proof so it uses the fact that CPA mode for block-aligned plaintexts (construction 8.5.3) has CPA security.
-
Propose a padding method that works for strings of bits, not just strings of bytes.
-
CBC-MAC (construction 6.6.1) is defined for strings whose length is an exact multiple of the blocklength. Explain how to modify CBC-MAC to support strings of any length, and argue why the modification retains its security. CBC-MAC also has a disclaimer about fixed vs variable input lengths; how does this disclaimer change with your modification?
-
In PKCS#7 padding for example, never outputs any string whose last byte is . Design a padding scheme in which every possible (block-aligned) string is a possible output of .
-
Prove that CBC mode does not achieve nonce-based CPA security if we treat the IV as a nonce.
-
Prove that CTR mode does not achieve nonce-based CPA security if we treat the IV as a nonce.
-
Consider the following nonce-based variant of CTR mode, in which nonces are from the set , and plaintexts are restricted to be less than blocks (so that a counter of blocks can be represented in bits). Prove that this variant achieves nonce-based CPA security (definition 8.7.2).
The expression “” means: Write as a -bit integer and append it to the string .
-
Consider the following nonce-based variant of CBC mode which uses a PRF to convert the nonce to an IV.
Prove that this variant achieves nonce-based CPA security (definition 8.7.2). You may use the fact that standard CBC mode is CPA-secure as a randomized scheme.
-
In the previous exercise, we used separate PRF keys to derive the IV and for CBC encryption. Show that if the same key is used, the result is no longer secure:
Show that this encryption scheme does not achieve nonce-based CPA security.
-
Continuing the theme of the last few exercises: It can be awkward to invoke a PRF/PRP with different keys. Below is a nonce-based variant of CBC mode that only invokes its PRP on a single key. Prove that this variant achieves nonce-based CPA security (definition 8.7.2):
-
Let be an encryption scheme that achieves nonce-based CPA security, and has allowable nonces . We can convert into a randomized encryption scheme by sampling the nonce uniformly for each call to . Formalize the resulting randomized encryption scheme and prove that it satisfies standard CPA security.
-
Design a nonce-based encryption scheme that achieves nonce-based security, but which fails catastrophically when any nonce is repeated just twice. Use your own interpretation of “catastrophic failure,” but often this means that the adversary can recover the key.
Chapter Notes
Goldwasser and Micali were the first to propose that encryption should be randomized, and were the first to provide a formal security definition for encryption (although in the context of public-key encryption) [115].
Wright, Ballard, Coull, Monrose, and Masson use a sophisticated language model to decode spoken phrases from encrypted audio conversations [219]. Schuster, Shmatikov, and Tromer use very coarse traffic data to accurately identify encrypted video streams [199]. For a comprehensive survey of analysis techniques for encrypted network traffic, see Papadogiannaki and Ioannidis [175].
There are several natural countermeasures to avoid leaking the length of encrypted data. Compression and padding can decrease the amount of information leaked in encrypted communications, in a way that can be quantified (see Gellert, Jager, Lyu, and Neuschulten [107]; also Paterson, Ristenpart, and Shrimpton [177]). Dyer, Coull, Ristenpart, and Shrimpton survey several countermeasures to length-side-channel attacks and explain why none are particularly effective [92].
Exercise 8.10 is due to Krawczyk [139].
The original ECB penguin was created by Wikipedia user Lunkwill in 2004, and the original Tux penguin mascot was created by Larry Ewing in 1996. Both images are recreated here under the license terms of their respective authors. Valsorda [213] has documented the history of the ECB penguin, and provides a higher-resolution version.
CBC mode is due to Ehrsam, Meyer, Smith, and Tuchman [95]. Its CPA security was first proven by Bellare, Desai, Jokipii, and Rogaway [15]. CTR mode is due to Diffie and Hellman [84].
Dai [77] was the first to point out the attack against implicitly chained IVs in CBC mode (exercise 8.39), in the context of the SSH protocol. Bellare, Kohno, and Namprempre [21] elaborate on the attack. The observation was later extended to a full attack on the TLS protocol by Duong and Rizzo [91], called BEAST (Browser Exploit Against SSL/TLS).
Nonce-based encryption was first proposed as an alternative to randomized encryption by Rogaway [191]. Our security definition for nonce-based encryption (definition 8.7.2) says nothing about what happens in the event that a nonce is repeated. A scheme that fulfills definition 8.7.2 may fail catastrophically if the nonce is repeated. Rogaway and Shrimpton [195] define a security goal called nonce misuse-resistance, which requires the scheme to provide reasonable security guarantees even in the presence of repeated nonces.