8
Symmetric-Key Encryption

Chosen-Plaintext Attacks Against Encryption

The encryption schemes we have seen so far have been severely limited. Specifically, they are secure only when each key is used to encrypt a single plaintext. In this chapter, finally, we study real encryption, in which one short key can safely encrypt any number of plaintexts.

8.1. Definitions and leaking the plaintext length

One-time secrecy for encryption (definition 2.5.3) considers an attack scenario in which a new/fresh key is chosen for each ciphertext. With a simple modification, we can write a library that describes an attack scenario where the same key is used for all encryptions:

new/fresh key forevery encryption\begin{array}{c}\text{new/fresh key for} \\ \text{every encryption}\end{array}
enc(M)\subname{enc}(\ptxt):
KΣ.K\hl{\key \gets \Sigma.\K}
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt) \quad {}
return C\ctxt
\qquad\leadsto\qquad
same key forevery encryption\begin{array}{c}\text{same key for} \\ \text{every encryption}\end{array}
KΣ.K\hl{\key \gets \Sigma.\K}
enc(M)\subname{enc}(\ptxt):
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt) \quad {}
return C\ctxt

Then, we can demand that the adversary sees only random junk in this attack scenario. In other words, the following two libraries must be indistinguishable:

KΣ.K\key \gets \Sigma.\K
enc(M)\subname{enc}(\ptxt):
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
return C\ctxt
\indist
enc(M)\subname{enc}(\ptxt):
CΣ.C\ctxt \gets \Sigma.\C
return C\ctxt

This is indeed a reasonable security definition for multi-use encryption, but it does contain a subtle problem. To understand why, suppose we have an encryption scheme that supports plaintext of any length, where plaintexts of length \ell are encrypted into ciphertexts of length +λ\ell+\secpar. Several examples of such schemes are described later in this chapter. Then just by looking at the length of a ciphertext, an adversary can learn something about the plaintext! For example, an adversary can easily tell whether you have encrypted a small 1 KB plaintext or a huge 1 GB plaintext; such an attack would be incompatible with the security definition given above (see exercise 8.1).

The problem with this security definition also surfaces in the following way: Suppose an encryption scheme supports an infinite set of possible plaintexts—say, it supports plaintexts of arbitrary length. Then the set of possible ciphertexts C\C must also be infinite. The library above includes a statement “CC\ctxt \gets \C, but what can this mean if C\C is infinite? There is no well-defined uniform distribution over an infinite set!

The issue does not arise for encryption schemes that support only a fixed plaintext length, including all of the schemes we have seen so far. In those cases, C\C was finite, and there is no problem with the security definition above. But in the more general case:

Ciphertexts cannot completely hide the plaintext length.

Ciphertexts must leak (something about) the plaintext's length, so the best we can hope for is that ciphertexts leak nothing more than the plaintext length. We can modify the security definition to reflect this idea as follows. The security definition above says, essentially, “encryptions of M\ptxt are indistinguishable from a uniformly sampled ciphertext (from the space of all possible ciphertexts).” We can instead demand that “encryptions of M\ptxt are indistinguishable from a uniform sample from the set of all encryptions of plaintexts with the same length as M\ptxt.

String Length

We write M|\ptxt| for the length of string M\ptxt. Depending on the context, we might measure string length in bits, bytes, or even (λ\secpar-bit) blocks.

Definition 8.1.1 (CPA security)

Let Σ\Sigma be an encryption scheme, and let Σ.C()\Sigma.\C(\ell) denote the set of possible ciphertexts for plaintexts of length \ell. If Σ\Sigma supports only plaintexts of a single length, we can simply write Σ.C\Sigma.\C to denote the entire set of ciphertexts.

Σ\Sigma has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:

Lcpa-realΣ\lib{cpa-real}^\Sigma
KΣ.K\key \gets \Sigma.\K
cpa.enc(M)\cpaenc(\ptxt):
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
return C\ctxt
\indist
Lcpa-randΣ\lib{cpa-rand}^\Sigma
cpa.enc(M)\cpaenc(\ptxt):
CΣ.C(M)\ctxt \gets \Sigma.\C\bigl( |\ptxt| \bigr)
return C\ctxt

A good way to understand this new definition is to study the Lcpa-rand\lib{cpa-rand} library. The only information it uses about M\ptxt is its length, and it ignores everything else about M\ptxt. So outputs from Lcpa-rand\lib{cpa-rand} simply cannot leak more than the length of M\ptxt. And if the two libraries are indistinguishable, we can conclude that true ciphertexts generated by Lcpa-real\lib{cpa-real} also do not leak more than the length of the plaintext.

8.1.1. The plaintext length side-channel

Encryption cannot completely hide the length of plaintext data. We must accept this fact, even if its consequences are unpleasant. Plaintext length can convey a surprising amount of information and have huge impacts to real-world security! An adversary who observes only the length and timing of your encrypted network traffic can figure out:

  • which pages you visited on Wikipedia, or any website with relatively static content of different sizes;

  • which movie you are streaming, because video formats use variable bit-rate (VBR) encodings, so that “busier” segments of the video require more data per second;

  • or even what you are saying in an encrypted audio call!

See the chapter notes for references about these attacks. Personally speaking, these are the kinds of attacks that give me the most existential dread about cryptography. However, encryption is about more than just hiding the content of communication, as we will see later in section 9.6.

8.1.2. CPA security in the left-or-right paradigm

Recall the discussion in section 2.7. Our default way to define security of encryption is the real-or-random paradigm, but it is also possible to use the left-or-right paradigm. A security definition in the left-or-right style says, essentially, if an adversary provides two plaintexts ML,MR\ptxt_L, \ptxt_R, then they cannot tell which of those two plaintexts is actually encrypted.

However, if ML\ptxt_L and MR\ptxt_R have very different lengths, then we do expect it to be possible to distinguish their encryptions. Only when the plaintexts have the same length can we reasonably expect their ciphertexts to be indistinguishable. Thus, when defining security in the left-or-right paradigm, we limit the adversary to plaintext pairs (ML,MR)(\ptxt_L, \ptxt_R) of equal length. This is achieved by making the library give an error if the adversary provides ML\ptxt_L and MR\ptxt_R of different lengths.

Definition 8.1.2 (Left-or-right flavor of CPA security)

An encryption scheme Σ\Sigma satisfies left-or-right CPA security if the following two libraries are indistinguishable:

Lsk-cpa-left\lib{sk-cpa-left}
KΣ.K\key \gets \Sigma.\K
cpa.enc(ML,MR)\cpaenc(\ptxt_L, \ptxt_R):
if MLMR|\ptxt_L| \ne |\ptxt_R|: return err\myerr
C:=Σ.Enc(K,ML)\ctxt := \Sigma.\Enc(\key,\hl{\ptxt_L})
return C\ctxt
\indist
Lsk-cpa-right\lib{sk-cpa-right}
KΣ.K\key \gets \Sigma.\K
cpa.enc(ML,MR)\cpaenc(\ptxt_L, \ptxt_R):
if MLMR|\ptxt_L| \ne |\ptxt_R|: return err\myerr
C:=Σ.Enc(K,MR)\ctxt := \Sigma.\Enc(\key, \hl{\ptxt_R})
return C\ctxt

This left-or-right flavor of CPA security is commonly called IND-CPA, which stands for “ciphertext indistinguishability, under chosen-plaintext attacks.” The real-or-random flavor (definition 8.1.1) is often called IND$-CPA, which stands for “indistinguishability from random/uniform, under chosen-plaintext attacks.”

8.2. Deterministic encryption

A deterministic encryption scheme cannot have CPA security.

Definition 8.2.1 (Deterministic encryption)

An encryption scheme is deterministic if calling Enc(K,M)\Enc(\key,\ptxt) on the same input twice always produces the same output.

One-time pad is an example of a deterministic encryption scheme. The scheme from construction 2.6.1 was not deterministic.

If an encryption scheme is deterministic and an adversary sees the same ciphertext twice, then he/she can deduce that the same plaintext was sent twice. In other words, the adversary learns something about the plaintexts! We can formulate this attack as a calling program that distinguishes the Lcpa-*\lib{cpa-*} libraries:

A\A
M:=\ptxt := {}arbitrary plaintext
C1:=cpa.enc(M)\ctxt_1 := \cpaenc(\ptxt)
C2:=cpa.enc(M)\ctxt_2 := \cpaenc(\ptxt)
return C1==C2\ctxt_1 == \ctxt_2

When this calling program is linked to Lcpa-real\lib{cpa-real} and the encryption scheme is deterministic, it outputs true\mytrue with probability 1. When linked to Lcpa-rand\lib{cpa-rand}, C1\ctxt_1 and C2\ctxt_2 are distributed uniformly over C()\C(\ell), where =M\ell = |\ptxt|. So C1=C2\ctxt_1 = \ctxt_2 only with probability 1/C()1/\bigl|\C(\ell)\bigr|. The difference between these probabilities is nonnegligible, and so the scheme is not CPA-secure.

You may be thinking, “Of course the same plaintext will result in the same ciphertext! How can this really be a problem?” Be careful that your mental model of encryption has not been “overfitted” to deterministic schemes like OTP and simple toy substitution ciphers (newspaper cryptograms). The problem with deterministic encryption is a direct consequence of definition 8.1.1. The definition has no special exceptions for repeated plaintexts! If you accept definition 8.1.1, then you must accept that encryption cannot be deterministic. Besides, we can achieve this definition of CPA security; encryption can hide whether plaintexts repeat! Since we can hide this information, we should.

8.3. A randomized encryption scheme based on PRFs

Since deterministic encryption cannot be CPA-secure, we will consider schemes whose Enc\Enc algorithm is randomized. (This is not the only way to avoid the limitations of deterministic encryption; see section 8.7.)

In this section we describe an encryption scheme based on a PRF. Each time Alice wants to send a message to Bob, she uniformly samples a value RR. She uses F(K,R)F(\key,R) as a OTP key to encrypt her plaintext, and she also includes RR as part of the ciphertext. Given RR, Bob can compute the same OTP key F(K,R)F(\key,R) and use it to decrypt the plaintext. But an eavesdropper who sees RR will not be able to guess F(K,R)F(\key,R) when FF is a secure PRF.

This encryption scheme supports plaintexts of a single, fixed length. Thus, there are no complications when it comes to leaking the plaintext length—their length is already a public parameter of the scheme.

Construction 8.3.1 (Randomized, PRF-based encryption)

Let FF be a PRF with input length λ\secpar and output length nn. Define the following encryption scheme:

K={0,1}λM={0,1}nC={0,1}λ+n\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^n \\ \C &= \bits^{\secpar+n} \end{aligned}
Enc(K,M)\Enc(\key, \ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)MS := F(\key,R) \oplus \ptxt
return RSR \| S
Dec(K,RS)\Dec(\key, R \| S):
M:=F(K,R)S\ptxt := F(\key,R) \oplus S
return M\ptxt

Claim 8.3.2 (Security of PRF-based encryption)

If FF is a secure PRF, then construction 8.3.1 has CPA security. In other words,

if \quad
Lprf-real\lib{prf-real}
K{0,1}λ\key \gets \bits^\secpar
prf.query(X)\prfquery(X):
return F(K,X)F(\key,X)
\indist
Lprf-rand\lib{prf-rand}
prf.query(X)\prfquery(X):
if L[X]\prftable[X] undefined:
L[X]{0,1}n\prftable[X] \gets \bits^n
return L[X]\prftable[X]
then \quad
Lcpa-real\lib{cpa-real}
K{0,1}λ\key \gets \bits^\secpar
cpa.enc(M)\cpaenc(\ptxt):
// C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
R{0,1}λR \gets \bits^\secpar
S:=F(K,R)MS := F(\key,R) \oplus \ptxt
return RSR \| S
\indist
Lcpa-rand\lib{cpa-rand}
cpa.enc(M)\cpaenc(\ptxt):
// CC\ctxt \gets \C
RS{0,1}λ+nR\|S \gets \bits^{\secpar+n}
return RSR \|S

Proof idea: The goal is to show that ciphertexts in this scheme are pseudorandom. What can we say about how these ciphertexts are generated?

Ciphertexts consist of two parts, RR and SS. RR is clearly sampled uniformly, so there is not much to say about it. But SS is computed as S=F(K,R)MS = F(\key,R) \oplus \ptxt. We can interpret this as a kind of OTP ciphertext, with F(K,R)F(\key,R) acting as the OTP key. But OTP produces uniform ciphertexts only when the key is uniform and used only once. Is that the case with F(K,R)F(\key,R) here?

Since FF is a secure PRF, its outputs are indeed pseudorandom, but only when the PRF's inputs are distinct. Can we argue that these inputs don't repeat?

The inputs in question are the RR-values, which are uniformly sampled λ\secpar-bit strings. Thus, the probability of a repeat is the standard birthday probability, which is negligible. The formal proof is the result of assembling all of these observations, to finally conclude that ciphertexts of the form RSR\|S are pseudorandom.

Proof (details):

Hybrid Sequence:
The starting point is Lcpa-real\lib{cpa-real}.
We can apply the security of the PRF in a standard three-hop maneuver:
Sampling RR uniformly is indistinguishable from sampling without replacement. The standard three-hop maneuver involving lemma 4.5.7 is not shown.
In this hybrid, the RR values can never repeat, so the if-statement is always taken. Thus, we can make its body unconditional.
Each value of L[R]\prftable[R] is sampled uniformly and used only in a single xor expression. As a result, SS is a OTP encryption of M\ptxt, with L[R]\prftable[R] playing the role of the key. In other words, SS is distributed uniformly. The three-hop maneuver involving claim 2.2.2 is not shown.
Finally, we can revert a previous change, so that RR is again sampled uniformly with replacement. The result is Lcpa-rand\lib{cpa-rand}, which completes the proof.
Lcpa-real\lib{cpa-real}
K{0,1}λ\key \gets \bits^\secpar
cpa.enc\cpaenc(M\ptxt):
// RSEnc(K,M)R\|S \gets \Enc(\key,\ptxt)
R{0,1}λR \gets \bits^\secpar
R{} \setminus \mathcal{R}
Y:=Y := {}
F(K,R)F(\key,R)
prf.query(R)\prfquery(R)
SS
:={}:= {}
YMY \oplus \ptxt
L[R]M\prftable[R] \oplus \ptxt
{0,1}n{}\gets \bits^n
return RSR\|S
\link
Lprf-real\lib{prf-real}
K{0,1}λ\key \gets \bits^\secpar
prf.query\prfquery(XX):
return F(K,X)F(\key,X)
Lprf-rand\lib{prf-rand}
prf.query\prfquery(XX):
if L[X]\prftable[X] undefined:
L[X]{0,1}n\prftable[X] \gets \bits^n
return L[X]\prftable[X]

8.4. An example chosen-plaintext attack

As usual, security is a knife's edge, requiring everything to be in a delicate balance. Make one seemingly minor change to a secure scheme, and all security may be lost. Such is indeed the case with the scheme from the previous section. In that scheme, the second part of the ciphertext is computed as F(K,R)MF(\key,R)\oplus\ptxt. Suppose we swap the role of M\ptxt and RR and compute the second part of the ciphertext as F(K,M)RF(\key,\ptxt) \oplus R. The result, as we show below, is totally insecure:

Example 8.4.1 (A chosen-plaintext attack)

The following encryption scheme does not have CPA security, even if FF is a secure PRP:

K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^\secpar \\ \C &= \bits^{2\secpar} \end{aligned}
Enc(K,M)\Enc(\key, \ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,M)RS := F(\key,\hl{\ptxt}) \oplus \hl{R}
return RSR \| S
Dec(K,RS)\Dec(\key, R \| S):
M:=F1(K,RS)\ptxt := F^{-1}(\key,R \oplus S)
return M\ptxt

To show that the scheme is insecure, we must write a calling program that can distinguish the following two libraries:

Lcpa-real\lib{cpa-real}
K{0,1}λ\key \gets \bits^\secpar
cpa.enc(M)\cpaenc(\ptxt):
// Enc(K,M)\Enc(\key,\ptxt):
R{0,1}λR \gets \bits^\secpar
S:=F(K,M)RS := F(\key,\hl{\ptxt}) \oplus \hl{R}
return RSR \| S
\quad
Lcpa-rand\lib{cpa-rand}
cpa.enc(M)\cpaenc(\ptxt):
RS{0,1}2λR\|S \gets \bits^{2\secpar}
return RSR \| S

Following the Golden Rule of PRFs, our attack strategy should be to cause the construction to repeat inputs to the PRF. That's easy in this case, since the scheme uses M\ptxt as the PRF input—a value that the adversary completely controls in the CPA attack scenario.

If the adversary causes two ciphertexts to be generated with repeated M\ptxt values, then the two ciphertexts R1S1R_1 \| S_1 and R2S2R_2\|S_2 satisfy:

S1=F(K,M)R1,S2=F(K,M)R2.\begin{aligned} S_1 &= F(\key,\ptxt) \oplus R_1, \\ S_2 &= F(\key,\ptxt) \oplus R_2.\end{aligned}

Canceling the common term F(K,M)F(\key,\ptxt) gives:

S1S2=(F(K,M)R1)(F(K,M)R2)=R1R2. S_1 \oplus S_2 = \bigl( F(\key,\ptxt) \oplus R_1 \bigr) \oplus \bigl( F(\key,\ptxt) \oplus R_2 \bigr) = R_1 \oplus R_2.

This is a pattern in the ciphertexts that the adversary can detect, since it knows S1,S2,R1,R2S_1, S_2, R_1, R_2. We can combine all of these observations into a formal calling program:

A\A
M:=\ptxt := {}arbitrary plaintext
R1S1:=cpa.enc(M)R_1 \| S_1 := \cpaenc(\ptxt)
R2S2:=cpa.enc(M)R_2 \| S_2 := \cpaenc(\ptxt)
return S1S2==R1R2S_1 \oplus S_2 == R_1 \oplus R_2

When linked to Lcpa-real\lib{cpa-real}, as we just argued above, the calling program outputs true\mytrue with probability 1. When linked to Lcpa-rand\lib{cpa-rand}, it outputs true\mytrue with probability 1/2λ1/2^\secpar since S1,S2,R1,R2S_1, S_2, R_1, R_2 are distributed uniformly and independently.

This example illustrates an important distinction between the values RR and M\ptxt in construction 8.3.1. Its security rests on the fact that M\ptxt is under the complete control of the adversary, while RR is under the complete control of the victim.

8.5. Block cipher modes

Construction 8.3.1 supports plaintexts of a single, fixed length. In this section we discuss how to efficiently encrypt long plaintexts, of variable length, using a single key. These methods are called block cipher modes (sometimes called modes of operation): recipes for using a block cipher (PRP) to process data that is longer than a single block.

In this section we will focus on plaintexts whose length is a multiple of the PRP's blocklength. In other words, we assume that each plaintext can be divided exactly into blocks that are suitable as inputs to the PRP. We call such plaintexts block-aligned and write each M\ptxt as M1M2\ptxt_1 \| \ptxt_2 \| \cdots, where each Mi\ptxt_i is a single block. Later in section 8.6 we discuss how to properly handle non-block-aligned plaintexts.

We will write ({0,1}λ)(\bits^\secpar)^* to denote the set of all block-aligned strings with blocklength λ\secpar: strings consisting of any number of complete blocks. In this section we will also measure the length of plaintexts in units of blocks. For example, security proofs refer to Σ.C()\Sigma.\C(\ell), which in our case will mean the set of ciphertexts obtained by encrypting plaintexts of \ell blocks, not bits.

8.5.1. ECB mode

We start by discussing what not to do: ECB mode is the “obvious” way to apply a block cipher to a long plaintext. It's a horrible idea. The only reason to mention it is to teach you its name so you can recognize it, avoid it, and publicly shame anyone who uses it.

Construction 8.5.1 (ECB mode (never use this!))

Let FF be a PRP with blocklength λ\secpar. ECB mode (for electronic codebook) is defined by the following algorithms:

Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
for i=1i = 1 to \ell:
Ci:=F(K,Mi)\ctxt_i := F(\key, \ptxt_i)
return C1C \ctxt_1 \| \cdots \| \ctxt_\ell
Dec(K,C1C)\Dec(\key, \ctxt_1 \| \cdots \| \ctxt_\ell):
for i=1i = 1 to \ell:
Mi:=F1(K,Ci)\ptxt_i := F^{-1}(\key, \ctxt_i)
return M1M\ptxt_1 \| \cdots \| \ptxt_\ell

NEVER USE ECB MODE!

ECB is deterministic, so of course it is insecure! Please don't use ECB mode.

Example 8.5.2 (ECB penguin)

The cryptography world has only two persistent inside jokes: One is our bizarre obsession with naming people Alice and Bob, and the other is the ECB penguin. It was created by Wikipedia user Lunkwill to illustrate the result of encrypting a picture of Tux the penguin (the Linux mascot) under ECB mode:

ECB mode encrypts identical plaintext blocks to identical ciphertext blocks. The original Tux image has many large areas of a solid color, which lead to identical plaintext blocks in the image file (of course, this depends on the specifics of the image file format). As a result, the ghost of Tux is clear in the ciphertext. Needless to say, seeing penguins in your ciphertexts is a Very Bad Thing indeed.

The ECB penguin is one of the rare instances where insecurity can be seen visually.

8.5.2. CBC and CTR modes

Quickly moving past ECB mode, let's now see two good block cipher modes.

Construction 8.5.3 (CBC mode)

Let FF be a PRP with blocklength λ\secpar. CBC mode (for cipher block chaining) is defined by the following algorithms:

K={0,1}λM=({0,1}λ)C()={0,1}λ(+1)\begin{aligned} \K &= \bits^\secpar \\ \M &= (\bits^\secpar)^* \\ \C(\ell) &= \bits^{\secpar (\ell+1)} \end{aligned}
Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
C0{0,1}λ\ctxt_0 \gets \bits^\secpar
for i=1i = 1 to \ell:
Ci:=F(K,Ci1Mi)\ctxt_i := F(\key, \ctxt_{i-1} \oplus \ptxt_i)
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
Dec(K,C0C)\Dec(\key, \ctxt_0 \| \cdots \| \ctxt_\ell):
for i=1i = 1 to \ell:
Mi:=Ci1F1(K,Ci)\ptxt_i := \ctxt_{i-1} \oplus F^{-1}(\key, \ctxt_i)
return M1M\ptxt_1 \| \cdots \| \ptxt_\ell

The first ciphertext block C0\ctxt_0 is called the initialization vector (IV). The scheme is defined only for block-aligned plaintexts (M=({0,1}λ)\M = (\bits^\secpar)^*).

Construction 8.5.4 (CTR mode)

Let FF be a PRF with input and output length λ\secpar. CTR mode (or counter mode) is defined by the following algorithms:

K={0,1}λM=({0,1}λ)C()={0,1}λ(+1)\begin{aligned} \K &= \bits^\secpar \\ \M &= (\bits^\secpar)^* \\ \C(\ell) &= \bits^{\secpar(\ell+1)} \end{aligned}
Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
C0{0,1}λ\ctxt_0 \gets \bits^\secpar
for i=1i = 1 to \ell:
Ci:=F(K,C0+i1)Mi\ctxt_i := F(\key, \ctxt_0 + i-1) \oplus \ptxt_i
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
Dec(K,C0C)\Dec(\key, \ctxt_0 \| \cdots \| \ctxt_\ell):
for i=1i = 1 to \ell:
Mi:=F(K,C0+i1)Ci\ptxt_i := F(\key, \ctxt_0 + i-1) \oplus \ctxt_i
return M1M\ptxt_1 \| \cdots \| \ptxt_\ell

The addition operation in “C0+i1\ctxt_0 + i - 1” refers to addition mod 2λ2^\secpar, which is the standard unsigned addition of λ\secpar-bit numbers.

Both CBC and CTR modes are randomized; they each start by uniformly sampling the initialization vector. In both modes the ciphertext is one block longer than the plaintext.

Comparison: CBC and CTR modes are essentially the only two modes that are ever used in practice for CPA security. Both provide the same qualitative security guarantee, and so any comparison between the two must be based on things outside of the CPA security definition. Here are a few properties that are often considered when choosing between these modes:

  • CTR mode does not use the block cipher's inverse F1F^{-1}, even for decryption. Thus, CTR requires only a PRF rather than a PRP. However it is rare to encounter an efficient PRF in practice that is not also a PRP.

  • Both CBC and CTR modes have a parallelizable decryption algorithm, meaning that you can directly decrypt any plaintext block without first decrypting all previous ones. However, only CTR has a parallelizable encryption algorithm. After choosing the IV in CTR mode, you can generate any ciphertext block directly without first encrypting all previous blocks. CBC mode encryption is inherently sequential.

  • If the block cipher is expensive, you might want to precompute block cipher evaluations and store the results early, even before the plaintext is chosen. CTR mode allows this, since only the IV affects the input given to the block cipher. In CBC mode, the plaintext influences the inputs to the block cipher, so these calls cannot be precomputed.

  • It is relatively easy to modify CTR to support plaintexts that are not an exact multiple of the blocklength. It is less straightforward (although not difficult) to make CBC support such plaintexts. We discuss these issues later in section 8.6.

  • So far all of the comparisons have favored CTR mode, so here is one important property that favors CBC mode. It is common for implementers to misunderstand the security implications of the IV in these modes. Many careless implementations may allow an IV to be reused. Rather than dumping the blame on the developer for an incorrect implementation, it is good design practice to anticipate likely misuses of a system and, when possible, make them noncatastrophic.

    CTR mode fails catastrophically when an IV is reused: It leaks the xor of the two plaintexts. CBC mode is more resilient to IV reuse: Depending on the specifics of the attack scenario, it can leak nothing in the case that the plaintexts have different first blocks (see exercise 8.30).

Proof of Security:

Both CBC and CTR modes have CPA security. Below we prove security of CBC mode:

Claim 8.5.5 (Security of CBC mode)

If FF is a secure PRP (and thus a secure PRF by lemma 7.2.1), then CBC mode (construction 8.5.3) satisfies CPA security. In other words,

if \quad
Lprf-real\lib{prf-real}
K{0,1}λ\key \gets \bits^\secpar
prf.query(X)\prfquery(X):
return F(K,X)F(\key,X)
\indist
Lprf-rand\lib{prf-rand}
prf.query(X)\prfquery(X):
if L[X]\prftable[X] undefined:
L[X]{0,1}λ\prftable[X] \gets \bits^\secpar
return L[X]\prftable[X]
then \quad
Lcpa-real\lib{cpa-real}
K{0,1}λ\key \gets \bits^\secpar
cpa.enc(M1M)\cpaenc(\ptxt_1 \| \cdots \| \ptxt_\ell):
// C:=Enc(K,M)\ctxt := \Enc(\key,\ptxt):
C0{0,1}λ\ctxt_0 \gets \bits^\secpar
for i=1i = 1 to \ell:
Ci:=F(K,Ci1Mi)\ctxt_i := F(\key, \ctxt_{i-1} \oplus \ptxt_i)
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
\indist
Lcpa-rand\lib{cpa-rand}
cpa.enc(M1M)\cpaenc(\ptxt_1 \| \cdots \| \ptxt_\ell):
// CC()\ctxt \gets \C(\ell):
for i=0i = 0 to \ell:
Ci{0,1}λ\ctxt_i \gets \bits^\secpar
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
Proof:

In CBC mode, each block of ciphertext is a direct output of the PRP. Thus, the main idea of the security proof is to show that inputs to the PRP don't repeat, except with negligible probability. Showing this involves two important conceptual steps:

  • First, we give a variable name to the PRP input: Set Xi:=Ci1MiX_i := \ctxt_{i-1} \oplus \ptxt_i, the iith input to the PRP.

  • Consider the expression Xi:=Ci1MiX_i := \ctxt_{i-1} \oplus \ptxt_i, where Ci1\ctxt_{i-1} is sampled uniformly. We obtain the same distribution by instead sampling XiX_i uniformly and then solving for Ci1=XiMi\ctxt_{i-1} = X_i \oplus \ptxt_i (claim 2.4.2). After making such a change, we will have a hybrid in which the XiX_i values are chosen uniformly and also used as PRP inputs. It is now easy to argue that these PRP inputs don't repeat.

Hybrid Sequence:
The starting point is Lcpa-real\lib{cpa-real}.
As discussed above, it is convenient to name the PRP/PRF inputs (as XiX_i).
Compute the next XiX_i value as soon as possible, instead of just before using it as input to FF. The last iteration of the for-loop has no “next” XiX_i value, so we unroll that iteration from the loop and treat it separately.
Replace the PRF FF with a lazy random table. The three-hop maneuver involving Lprf-*\lib{prf-*} is standard and omitted to save space.
We can make the bodies of the if-statements unconditional. This changes the library's behavior only when there is a repeat among the XiX_i values—an event that we expect to be rare. We can trigger a bad event in that case, and in a future step of the proof argue that the bad event has negligible probability.
Instead of sampling Ci\ctxt_i uniformly and computing the next Xi+1X_{i+1}, we can sample Xi+1X_{i+1} uniformly and solve for Ci\ctxt_i. There is no effect on the library's behavior. The three-hop maneuver involving claim 2.4.2 is not shown.
In this hybrid, every XiX_i is sampled uniformly, and a bad event is triggered only when there is a repeat among these XiX_i's. Thus, the probability of the bad event is the birthday probability Birthday(q,2λ)\Birthday(q,2^\secpar), where qq is the total number of ciphertext blocks generated during the library's execution. Since qq is a polynomial in the security parameter, this bad-event probability is negligible. Now that we have fulfilled our promise to show that the bad event has negligible probability, the bad event logic is no longer needed and can be removed.
Now the library never reads from L[]\prftable[\cdot], so it can be removed. Also, each Ci\ctxt_i block is generated as a OTP encryption with Xi+1X_{i+1} acting as the key. Therefore, each Ci\ctxt_i is uniformly distributed. The result of a standard three-hop maneuver involving Lotp-*\lib{otp-*} (not shown) gives us Lcpa-rand\lib{cpa-rand}, completing the proof.
Lcpa-real\lib{cpa-real}
K{0,1}λ\key \gets \bits^\secpar
cpa.enc\cpaenc(M1M\ptxt_1 \| \cdots \| \ptxt_\ell):
C0\ctxt_0
{0,1}λ{}\gets \bits^\secpar
:=X1M1{}:= X_1 \oplus \ptxt_1
{0,1}λ{}\gets \bits^\secpar
for i=1i = 1 to
\ell:
1\ell-1:
Ci\ctxt_i
:={}:= {}
F(K,F(\key, {}
Ci1Mi)\ctxt_{i-1} \oplus \ptxt_i)
Xi)X_i)
L[Xi]\prftable[X_i]
{0,1}λ{}\gets \bits^\secpar
:=Xi+1Mi+1{}:= X_{i+1} \oplus \ptxt_{i+1}
{0,1}λ{}\gets \bits^\secpar
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell

8.6. Non-block-aligned plaintexts

So far we have been assuming that all plaintexts are an exact multiple of the blocklength, but this may not always be the case in practice. How can we adapt these encryption methods to support plaintexts of any length?

8.6.1. CTR mode

CTR requires almost no changes to support arbitrary plaintext lengths. The main idea behind CTR mode is to xor the plaintext with the long string:

F(K,C0)  F(K,C0+1)  F(K,C0+2)   F(\key, \ctxt_0) ~\big\|~ F(\key, \ctxt_0 + 1) ~\big\|~ F(\key, \ctxt_0 + 2) ~\big\|~ \cdots

To support plaintexts of arbitrary length, we can therefore simply truncate this long string to the correct length.

To be more precise, let us divide the plaintext M\ptxt as before into blocks M1M\ptxt_1 \| \cdots \| \ptxt_\ell, except now the last piece M\ptxt_\ell may be only a partial block. We then truncate the last PRF output F(K,C0+1)F(\key,\ctxt_0 + \ell-1) to the same length as M\ptxt_\ell, so the two strings can be xor'ed. These changes to CTR mode encryption are highlighted below:

Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
// M\ptxt_\ell may be less than λ\secpar bits
C0{0,1}λ\ctxt_0 \gets \bits^\secpar
for i=1i = 1 to 1\ell-1:
Ci:=F(K,C0+i1)Mi\ctxt_i := F(\key, \ctxt_0 + i-1) \oplus \ptxt_i
Y:=F(K,C0+1)Y := F(\key,\ctxt_0 + \ell-1)
truncate YY to length M|\ptxt_\ell|
C:=YM\ctxt_\ell := Y \oplus \ptxt_\ell
return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell

The ciphertext will always be exactly one block longer than the plaintext, from the addition of the IV C0\ctxt_0.

8.6.2. CBC mode

CTR mode uses its plaintext blocks only for xor, an operation that can be performed on strings of any length. On the other hand, CBC mode processes plaintexts as F(K,Ci1Mi)F(\key, \ctxt_{i-1} \oplus \hl{\ptxt_i}), which makes sense only when Mi\ptxt_i is an entire block.

Hence, the easiest way to adapt CBC mode to arbitrary-length plaintexts is to encode all plaintexts into block-aligned data. This process is called padding, and there are many reasonable ways to do it.

Definition 8.6.1 (Padding)

A padding method consists of two functions Pad,Pad1\textsf{Pad}, \textsf{Pad}^{-1}, which satisfy the following properties:

  • For all strings XX, the length of Pad(X)\textsf{Pad}(X) is an exact multiple of the blocklength.

  • Padding can be reversed. For all strings XX, we have Pad1(Pad(X))=X\textsf{Pad}^{-1}(\textsf{Pad}(X)) = X.

When we augment CBC mode with a padding method, we obtain an encryption scheme that supports plaintexts of arbitrary length.

Enc(K,M)\Enc(\key, \ptxt):
M:=Pad(M)\ptxt^* := \textsf{Pad}(\ptxt)
return CBC.Enc(K,M)\textsf{CBC}.\Enc(\key, \ptxt^*)
Dec(K,C)\Dec(\key, \ctxt):
M:=CBC.Dec(K,C)\ptxt^* := \textsf{CBC}.\Dec(\key,\ctxt)
return Pad1(M)\textsf{Pad}^{-1}(\ptxt^*)

Below are a few possible padding methods. In the real world, data nearly always consists of bytes; when was the last time you needed to encrypt 5 bits? Thus, the standard padding methods below are described assuming that the input is a string of bytes.

Example 8.6.2 (Null padding)

Null padding simply appends all-0\bit0s bytes to the plaintext until its length is a multiple of the blocklength. In the code below, the blocklength is nn (in bytes), and 00\bit{00} represents the null byte (written in hex):

Pad(X)\textsf{Pad}(X):
// pp = length of last block, in bytes
p:=X%np := |X| \pct n
return X(00)npX \| (\bit{00})^{n-p}

Unfortunately, null padding doesn't work because it cannot be reversed. As an example, for a blocklength of 4 bytes, the hexadecimal strings 1cff00\bit{1c\,ff\,00} and 1cff\bit{1c\,ff} both get padded to 1cff0000\bit{1c\,ff\,00\,00}, and there is no way to know which original string was intended.

Example 8.6.3 (PKCS#7)

PKCS#7 is a common and standard padding method. First, determine how many bytes need to be added to fill the last block. If dd bytes are needed, then append dd copies of byte “dd to the original plaintext.

For example, with blocklength 8 bytes (and bytes written in hex),

013411d981 becomes 013411d981030303,73c550b581d596 becomes 73c550b581d59601\begin{aligned} \bit{01\,34\,11\,d9\,81} & \quad \text{ becomes } \quad \bit{01\,34\,11\,d9\,81}\,\hl{\bit{03\,03\,03}}, \\ \bit{73\,c5\,50\,b5\,81\,d5\,96} & \quad \text{ becomes } \quad \bit{73\,c5\,50\,b5\,81\,d5\,96}\,\hl{\bit{01}}\end{aligned}

The last byte of the padded data signals how many bytes of padding were added, and thus how many need to be removed to reverse the padding.

Example 8.6.4 (ANSI X.923)

ANSI X.923 is similar to PKCS#7, except that the padding consists of d1d-1 zero-bytes followed by one “dd byte:

013411d981 becomes 013411d981000003\begin{aligned} \bit{01\,34\,11\,d9\,81} & \quad \text{ becomes } \quad \bit{01\,34\,11\,d9\,81}\,\hl{\bit{00\,00\,03}}\end{aligned}

What do you do if the plaintext is already a multiple of the blocklength?
You might hope that padding is not necessary in this case, and that we can leave the plaintext alone. However, this will not work because the original plaintext might already end with bytes that look like the padding bytes. In that case, there is ambiguity when attempting to reverse the padding.

Thus, every padding method will add an entire block of padding, when the plaintext is already a multiple of the blocklength. For example, PKCS#7 with 8-byte blocklength will add padding as follows:

d87b5324c6d1af5f becomes d87b5324c6d1af5f0808080808080808\begin{aligned} \bit{d8\,7b\,53\,24\,c6\,d1\,af\,5f} & \quad \text{ becomes } \quad \bit{d8\,7b\,53\,24\,c6\,d1\,af\,5f}\,\hl{\bit{08\,08\,08\,08\,08\,08\,08\,08}}\end{aligned}

What does Pad1\textsf{Pad}^{-1} return on strings that don't have valid padding?
It's true that we have not defined what Pad1\textsf{Pad}^{-1} should do in this case. This uncertainty has led to real-world attacks, which are discussed in the next chapter.

8.7. ☆ Nonce-based encryption

We argued in section 8.2 that encryption cannot be deterministic; calling Enc(K,M)\Enc(\key,\ptxt) twice with the same key and plaintext should not produce the same output. Something needs to be different each time Enc\Enc is called, even with the same key and plaintext. In a randomized encryption scheme, the Enc\Enc algorithm samples fresh random values each time it is called.

However, randomization is not the only way to make an encryption scheme “not deterministic.” Another alternative involves rethinking how we formally define what “encryption” is. We can insist that the encryption and decryption algorithms take an additional argument called a nonce, which is shorthand for “number used [only] once.” To use nonce-based encryption properly, you should use a different nonce each time Enc\Enc is called. The nonce therefore provides the necessary variability to overcome the limitations of deterministic encryption, even when plaintexts are repeated.

Definition 8.7.1 (Nonce-based encryption)

A nonce-based symmetric-key encryption scheme consists of the following algorithms:

  • Enc\Enc: a deterministic algorithm that takes a key KK\key \in \K, nonce NN\nonce \in \N, and plaintext MM\ptxt \in \M as input, and outputs a ciphertext CC\ctxt \in \C.

  • Dec\Dec: a deterministic algorithm that takes a key KK\key \in \K, nonce NN\nonce \in \N, and ciphertext CC\ctxt \in \C as input, and outputs a plaintext MM\ptxt \in \M.

The scheme is correct if, for all KK\key \in \K, NN\nonce \in \N, and MM\ptxt \in \M we have:

Dec(K,N,Enc(K,N,M))=M. \Dec\bigl(\key, \nonce, \Enc(\key, \nonce, \ptxt)\bigr) = \ptxt.

We can write the correctness condition without a probability because both Enc\Enc and Dec\Dec are deterministic.

Randomized encryption is the more traditional way to define encryption. Nonce-based encryption is a newer paradigm, but is becoming more common because nonces are much less fragile than randomness.

The security of a randomized encryption scheme depends on its randomness being uniform and unpredictable. This is easy to get wrong in practice: Implementers may use poor randomness; they may use randomness that an adversary can predict; they may repeat randomness by accident. Even worse, they may leave this randomness up to the end-user, like many cryptography software libraries that require the end-user to provide IVs. In any of these cases, an ostensibly secure scheme could be catastrophically insecure in practice, since the reality of the implementation no longer reflects the CPA attack scenario.

The security of a nonce-based scheme depends only on the fact that nonces don't repeat—that's all. Nonces can be predictable; they can even be chosen by the adversary; all that matters is that they don't repeat.

In the formal security definition for nonce-based encryption, the adversary indeed gets to choose each nonce, just as it can choose each plaintext. The victim records the nonces it has seen previously, and refuses to use any nonce more than once. In this way, the security definition is limited to scenarios where nonces are distinct.

Definition 8.7.2 (CPA security for nonce-based encryption)

A nonce-based encryption scheme Σ\Sigma has CPA security if the following two libraries are indistinguishable:

Lncpa-realΣ\lib{ncpa-real}^\Sigma
KK\key \gets \K
cpa.enc(N,M)\cpaenc(\nonce,\ptxt):
if NE\nonce \in \mathcal{E}: return err\myerr
E:=E{N}\mathcal{E} := \mathcal{E} \cup \{\nonce\}
C:=Σ.Enc(K,N,M)\ctxt := \Sigma.\Enc(\key,\nonce,\ptxt)
return C\ctxt
\indist
Lncpa-randΣ\lib{ncpa-rand}^\Sigma
cpa.enc(N,M)\cpaenc(\nonce,\ptxt):
if NE\nonce \in \mathcal{E}: return err\myerr
E:=E{N}\mathcal{E} := \mathcal{E} \cup \{\nonce\}
CΣ.C(M)\ctxt \gets \Sigma.\C\bigl( |\ptxt| \bigr)
return C\ctxt

Nonce-based encryption has additional advantages:

  • It can be deterministic by definition. Deterministic algorithms are easier to test and also harder to get wrong.

  • The nonce can be included in the ciphertext (like an IV), but it does not need to be. In many settings the nonce is a value that both the sender and receiver already know. For example, the nonce might be a simple counter, or packet sequence number. In fact, it's preferable to not consider the nonce as part of the ciphertext for the purposes of the security definition, since the nonce need not look pseudorandom.

  • Nonce-based encryption can avoid ciphertext expansion. If we don't consider the nonce as part of the ciphertext, then ciphertexts can be exactly as long as the plaintexts. This is not possible with randomized encryption.

  • Nonce-reuse can be detected. A poor source of randomness can be difficult or even impossible to detect.

Finally, you can always choose to use uniformly sampled bits as the nonce if you like, and send this nonce along with the ciphertext. In other words, it is always safe to implement the nonce as an IV. Implementing a nonce-based scheme still leaves open the possibility of providing a randomized scheme.

However, the converse is not true; it is not always safe to treat the IV of a randomized encryption scheme as a nonce. Indeed, both CTR and CBC modes (as defined in this chapter) are insecure if their IV is treated as a nonce. Their security proofs rely crucially on the IV being sampled uniformly and unpredictable to the adversary, whereas a nonce can be chosen by the adversary.

The exercises explore these and other aspects of nonce-based encryption in greater depth.

Exercises

  1. h\star Suppose Σ\Sigma is an encryption scheme with Σ.M={0,1}\Sigma.\M = \bits^*. Show that it is not possible for Σ\Sigma to hide the length of the plaintext.

    More formally, show that the following two libraries are not indistinguishable:

    Lsk-cpa-left\lib{sk-cpa-left}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(ML,MR)\cpaenc(\ptxt_L, \ptxt_R):
    // if MLMR|\ptxt_L| \ne |\ptxt_R|: return err\myerr
    C:=Σ.Enc(K,ML)\ctxt := \Sigma.\Enc(\key,\hl{\ptxt_L})
    return C\ctxt
    \indist
    Lsk-cpa-right\lib{sk-cpa-right}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(ML,MR)\cpaenc(\ptxt_L, \ptxt_R):
    // if MLMR|\ptxt_L| \ne |\ptxt_R|: return err\myerr
    C:=Σ.Enc(K,MR)\ctxt := \Sigma.\Enc(\key, \hl{\ptxt_R})
    return C\ctxt

    Note: These libraries allow ML\ptxt_L and MR\ptxt_R to have different lengths.

    Fix a string ML\ptxt_L, and suppose \ell is an integer that satisfies Pr[Enc(K,ML)<]1/2.\PR{ | \Enc(\key,\ptxt_L) | < \ell } \ge 1/2. Although you might not know \ell, you can define a calling program for each possible \ell and argue that one of them succeeds in the attack.

    For a particular K\key, how many possible values are there for Dec(K,C)\Dec(\key,\ctxt), over all C\ctxt that are shorter than \ell bits? If MR\ptxt_R is not among these values, then MR\ptxt_R can never be encrypted to a string shorter to \ell bits, under this key. Now suppose MR\ptxt_R is chosen uniformly from {0,1}2\bits^{2\ell}; what is the probability that MR\ptxt_R is encrypted to a ciphertext shorter than \ell bits?

  2. Find a website with a moderate amount of static content, of varying lengths. Write a program to determine which page is being viewed when a victim browses this website over TLS, just by seeing a log/dump of the encrypted traffic.

  3. Let Σ1\Sigma_1 and Σ2\Sigma_2 be encryption schemes with Σ1.M=Σ2.M={0,1}n\Sigma_1.\M = \Sigma_2.\M = \bits^n. Define the following new scheme Σ\Sigma^*:

    Σ.K=Σ1.K×Σ2.KΣ.M={0,1}nΣ.C=Σ1.C×Σ2.C\begin{aligned} \Sigma^*.\K &= \Sigma_1.\K \times \Sigma_2.\K \\ \Sigma^*.\M &= \bits^n \\ \Sigma^*.\C &= \Sigma_1.\C \times \Sigma_2.\C \end{aligned}
    \quad
    Σ.Enc((K1,K2),M)\Sigma^*.\Enc\bigl( (\key_1, \key_2), \ptxt \bigr):
    R{0,1}nR \gets \bits^n
    C1:=Σ1.Enc(K1,R)\ctxt_1 := \Sigma_1.\Enc(\key_1, R)
    C2:=Σ2.Enc(K2,RM)\ctxt_2 := \Sigma_2.\Enc(\key_2, R \oplus \ptxt)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    Σ.Dec((K1,K2),(C1,C2))\Sigma^*.\Dec\bigl( (\key_1, \key_2), (\ctxt_1,\ctxt_2) \bigr):
    M1:=Σ1.Dec(K1,C1)\ptxt_1 := \Sigma_1.\Dec(\key_1, \ctxt_1)
    M2:=Σ2.Dec(K2,C2)\ptxt_2 := \Sigma_2.\Dec(\key_2, \ctxt_2)
    return M1M2\ptxt_1 \oplus \ptxt_2

    Prove that Σ\Sigma^* is CPA-secure if one of Σ1\Sigma_1 and Σ2\Sigma_2 is CPA-secure. The proof should have two cases: one assuming Σ1\Sigma_1 is secure, and assuming nothing about Σ2\Sigma_2 except for its correctness; and vice versa.

  4. Let Σ\Sigma be a CPA-secure encryption scheme such that Σ.CΣ.M\Sigma.\C \subseteq \Sigma.\M, so that any ciphertext in Σ\Sigma can be used as a plaintext as well. Prove that the scheme given by the following encryption algorithm is also CPA-secure:

    Σ.Enc(K,Σ.Enc(K,M)). \Sigma.\Enc\Bigl(\key, \Sigma.\Enc(\key, \ptxt)\Bigr).

    Note that both calls to Σ.Enc\Sigma.\Enc use the same key.

  5. Let Σ\Sigma be a CPA-secure encryption scheme with allowable plaintexts Σ.M={0,1}n\Sigma.\M = \bits^n. Define the following scheme Σ2\Sigma_2 that supports plaintexts of length 2n2n:

    Σ2.K=Σ.KΣ2.M={0,1}2nΣ2.C=Σ.C×Σ.C\begin{aligned} \Sigma_2.\K &= \Sigma.\K \\ \Sigma_2.\M &= \bits^{2n} \\ \Sigma_2.\C &= \Sigma.\C \times \Sigma.\C \end{aligned}
    \quad
    Σ2.Enc(K,M1M2)\Sigma_2.\Enc( \key, \ptxt_1 \| \ptxt_2 ):
    C1:=Σ.Enc(K,M1)\ctxt_1 := \Sigma.\Enc(\key, \ptxt_1)
    C2:=Σ.Enc(K,M2)\ctxt_2 := \Sigma.\Enc(\key, \ptxt_2)
    return (C1,C2)(\ctxt_1, \ctxt_2)
    \quad
    Σ2.Dec(K,(C1,C2))\Sigma_2.\Dec( \key, (\ctxt_1,\ctxt_2)):
    M1:=Σ.Dec(K,C1)\ptxt_1 := \Sigma.\Dec(\key, \ctxt_1)
    M2:=Σ.Dec(K,C2)\ptxt_2 := \Sigma.\Dec(\key, \ctxt_2)
    return M1M2\ptxt_1 \| \ptxt_2

    Prove that Σ2\Sigma_2 is also CPA-secure.

    In other words, it is safe to separately and independently encrypt different pieces of a plaintext. (You may wonder why such an “obvious” statement requires proof, but later in the book we study security definitions for encryption in which this modification of an encryption scheme is not safe.)

  6. Give an example of an encryption scheme that satisfies left-or-right CPA security (definition 8.1.2) but not real-or-random CPA security (definition 8.1.1), and justify both properties of your answer. Your scheme does not need to be a natural/useful encryption scheme.

  7. Prove that an encryption scheme Σ\Sigma achieves left-or-right CPA security (definition 8.1.2) if and only if the following two libraries are indistinguishable:

    L1\lib{1}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(M)\cpaenc(\ptxt):
    C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
    return C\ctxt
    \quad
    L2\lib{2}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(M)\cpaenc(\ptxt):
    C:=Σ.Enc(K,0M)\ctxt := \Sigma.\Enc(\key, \bit0^{|\ptxt|})
    return C\ctxt

    In other words, encryptions of a chosen M\ptxt are indistinguishable from encryptions of the all-zeros plaintext (of the same length).

  8. Let Σ\Sigma be an encryption scheme, and write Σ.M()\Sigma.\M(\ell) as shorthand for Σ.M{0,1}\Sigma.\M \cap \bits^\ell, the plaintexts of length \ell. Prove that an encryption scheme Σ\Sigma achieves left-or-right CPA security (definition 8.1.2) if and only if the following two libraries are indistinguishable:

    L1\lib{1}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(M)\cpaenc(\ptxt):
    C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
    return C\ctxt
    \quad
    L2\lib{2}
    KΣ.K\key \gets \Sigma.\K
    cpa.enc(M)\cpaenc(\ptxt):
    MΣ.M(M)\ptxt^* \gets \Sigma.\M(|\ptxt|)
    C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt^*)
    return C\ctxt

    In other words, encryptions of a chosen M\ptxt are indistinguishable from encryptions of a uniformly chosen plaintext (of the same length).

  9. h\star For the purposes of this exercise, a (randomized) encryption scheme is called IV-based if there is a deterministic function EE such that encryption can be written as:

    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=E(K,R,M)C := E(\key,R,\ptxt)
    return RCR\|C

    We call the scheme compact if E(K,R,M)E(\key,R,\ptxt) always has the same length as M\ptxt.

    Prove that if an encryption scheme is IV-based, compact, satisfies correctness, and achieves left-or-right CPA security (definition 8.1.2), then it also achieves real-or-random CPA security (definition 8.1.1). Usually the implication holds only in the other direction (real-or-random implies left-or-right).

    How are ciphertexts distributed when M\ptxt is chosen uniformly?

  10. h In chapter 3, we defined security for secret sharing schemes using two interchangeable libraries. Furthermore, if the secret is \ell bits, then shares must also be at least \ell bits (exercise 3.4).

    Suppose we allow secret sharing schemes where the two libraries in definition 3.1.1 are merely indistinguishable. Construct a tt-out-of-nn secret sharing scheme that can share an \ell-bit secret with shares of length /t+O(λ)\ell/t + O(\secpar) bits. Prove that your scheme is secure.

    Start with the “sharing scheme” of exercise 3.17, which provides no secrecy, and encrypt its shares under a suitable key.

  11. Suppose an encryption scheme Σ\Sigma satisfies correctness and has Σ.M=Σ.C| \Sigma.\M | = | \Sigma.\C |. Prove that Σ\Sigma cannot be CPA-secure.

  12. Suppose an encryption scheme Σ\Sigma satisfies correctness and has Σ.M={0,1}n\Sigma.\M = \bits^n and Σ.C={0,1}n+\Sigma.\C = \bits^{n +\ell}. The parameter \ell measures the ciphertext expansion of the scheme. In this exercise you will prove that the expansion of a CPA-secure scheme cannot be too small.

    Consider the following calling program:

    A\A
    MM\ptxt \gets \M
    C1:=cpa.enc(M)\ctxt_1 := \cpaenc(\ptxt)
    C2:=cpa.enc(M)\ctxt_2 := \cpaenc(\ptxt)
    return C1==C2\ctxt_1 == \ctxt_2

    Say that “C\ctxt decrypts to M\ptxt under K\key if Dec(K,C)=M\Dec(\key,\ctxt) = \ptxt.

    1. Assume that for any K\key and any M\ptxt, there are exactly 22^\ell values C\ctxt that decrypt to M\ptxt under K\key. In this case, what is the advantage of A\A in distinguishing the Lcpa-*\lib{cpa-*} libraries?

    2. The previous part considers an optimistic case. In general, different keys and plaintexts can be associated with a different number of ciphertexts. Say that a plaintext M\ptxt is heavy with respect to key K\key if there are more than 2+12^{\ell+1} ciphertext values C\ctxt that decrypt to M\ptxt under keykey. What is the most number of heavy plaintexts there can be under one key? When A\A is linked to Lcpa-real\lib{cpa-real}, A\A samples a plaintext M\ptxt and Lcpa-real\lib{cpa-real} samples a key K\key. What is the maximum probability that M\ptxt is heavy with respect to K\key?

    3. Assume that nλn \ge \secpar. Show that the advantage of A\A is at least 12+212λ\frac{1}{2^{\ell+2}} - \frac{1}{2^\secpar}.

  13. Suppose FF is a secure PRP with blocklength n+λn + \secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}λM={0,1}nC={0,1}n+λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^n \\ \C &= \bits^{n+\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=F(K,MR)C := F(\key, \ptxt \| R)
    return CC
  14. Suppose FF is a secure PRP with blocklength λ\secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}λM={0,1}λC={0,1}3λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^\secpar \\ \C &= \bits^{3\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    S{0,1}λS \gets \bits^\secpar
    X:=F(K,RM)X := F(\key, R \oplus \ptxt)
    Y:=F(K,RS)Y := F(\key, R \oplus S)
    return SXYS \| X \| Y
  15. Suppose FF is a secure PRP with blocklength λ\secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^\secpar \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    S:=RMS := R \oplus \ptxt
    X:=F(K,S)MX := F(\key, S) \oplus \ptxt
    return SXS \| X
  16. Let FF be a secure PRP with blocklength λ\secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}2λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{2\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K1K2,M)\Enc(\key_1 \| \key_2,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K1,R)X := F(\key_1, R)
    Y:=F(K2,RM)Y := F(\key_2, R \oplus \ptxt)
    return XYX \| Y

    (Compare to exercise 8.21.)

  17. \star Let FF be a secure PRP with blocklength λ\secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K,R)X := F(\key, R)
    Y:=F(K,RF(K,M))Y := F\bigl(\key, R \oplus F(\key,\ptxt) \bigr)
    return XYX \| Y
  18. \star Let FF be a secure PRP with blocklength λ\secpar. Prove that the following encryption scheme is CPA-secure and write its decryption algorithm:

    K={0,1}2λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^{2\secpar} \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K1K2,M)\Enc(\key_1 \| \key_2,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K1,R)X := F(\key_1, R)
    Y:=F(K1,RMK2)Y := F(\key_1, R \oplus \ptxt \oplus \key_2)
    return XYX \| Y
  19. In exercise 7.8 we defined security for a weak PRF. Prove that construction 8.3.1 is CPA-secure when its underlying block cipher FF is a weak PRF.

  20. Let GG be a PRG with stretch \ell. Write the decryption algorithm for the following encryption scheme, then show that it is not CPA-secure, even if GG is a secure PRG:

    K={0,1}λ+M={0,1}λ+C={0,1}2λ+\begin{aligned} \K &= \bits^{\secpar+\ell} \\ \M &= \bits^{\secpar+\ell} \\ \C &= \bits^{2\secpar+\ell} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=G(R)KMC := G(R) \oplus \key \oplus \ptxt
    return RCR \| C
  21. Let FF be a secure PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme, then show that it is not CPA-secure, even if FF is a secure PRP:

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C1:=F(K,R)\ctxt_1 := F(\key, R)
    C2:=F(K,RM)\ctxt_2 := F(\key, R \oplus \ptxt)
    return C1C2\ctxt_1 \| \ctxt_2

    (Compare to exercise 8.16.)

  22. \star Let FF be a PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme, then show that it is not CPA-secure, even if FF is a secure PRP:

    K={0,1}λM={0,1}2λC={0,1}3λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{2\secpar} \\ \C &= \bits^{3\secpar} \end{aligned}
    \qquad
    Enc(K,M1M2)\Enc(\key,\ptxt_1 \| \ptxt_2):
    R{0,1}λR \gets \bits^\secpar
    S:=F(K,RM1)S := F(\key, R \oplus \ptxt_1)
    T:=F(K,M1)T := F(\key, \ptxt_1)
    C:=F(K,RM1M2T)C := F(\key, R \oplus \ptxt_1 \oplus \ptxt_2 \oplus T)
    return RSCR\|S\|C
  23. Let FF be a secure PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=F(K,RM)\ctxt := F(\key, R \oplus \ptxt)
    return RCR \| \ctxt
  24. Let FF be a secure PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    C:=F(K,RM)R\ctxt := F(\key, R \oplus \ptxt) \oplus R
    return RCR \| \ctxt
  25. Let FF be a secure PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K,R)X := F(\key, R)
    Y:=RMY := R \oplus \ptxt
    return XYX \| Y
  26. Let FF be a secure PRP with blocklength λ\secpar. Write the decryption algorithm for the following encryption scheme. Is the scheme CPA-secure or not? Either give an attack or security proof.

    K={0,1}λM={0,1}λC={0,1}2λ\begin{aligned} \K &= \bits^\secpar \\ \M &= \bits^{\secpar} \\ \C &= \bits^{2\secpar} \end{aligned}
    \qquad
    Enc(K,M)\Enc(\key,\ptxt):
    R{0,1}λR \gets \bits^\secpar
    X:=F(K,R)X := F(\key, R)
    Y:=RF(K,M)Y := R \oplus F(\key,\ptxt)
    return XYX \| Y
  27. Suppose a victim encrypts two different ciphertexts with the same IV, either by chance or through some systematic problem with their implementation. What can the adversary infer about the two plaintexts \ldots

    1. \ldots if the victim is using CBC mode encryption?

    2. \ldots if the victim is using CTR mode encryption?

  28. Suppose that a single bit of a valid ciphertext is flipped during transmission. How does this bit-flip affect the result of decryption \ldots

    1. \ldots in CBC mode?

    2. \ldots in CTR mode?

  29. Suppose we instantiate CBC mode not with a secure PRP but with OTP. In other words, replace each expression F(K,X)F(\key,X) in the description of CBC mode with KX\key \oplus X. Show that the resulting encryption scheme is not CPA-secure.

  30. Consider a victim who uses CBC mode with a fixed but uniformly chosen and secret IV.

    1. \star Prove that if this victim encrypts plaintexts with distinct first blocks, then the resulting ciphertexts (excluding the IV) are pseudorandom. In other words, prove that the following two libraries are indistinguishable, if the underlying PRP FF is secure.

      K{0,1}λ\key \gets \bits^\secpar
      C0{0,1}λ\ctxt_0 \gets \bits^\secpar // static IV
      cpa.enc(M1M)\cpaenc(\ptxt_1 \| \cdots \| \ptxt_\ell):
      if M1E\ptxt_1 \in \mathcal{E}: return err\myerr
      E:=E{M1}\mathcal{E} := \mathcal{E} \cup \{ \ptxt_1 \}
      // CBC mode with IV = C0\ctxt_0
      for i=1i = 1 to \ell:
      Ci:=F(K,Ci1Mi)\ctxt_i := F(\key, \ctxt_{i-1} \oplus \ptxt_i)
      // does not return IV:
      return C1C\ctxt_1 \| \cdots \| \ctxt_\ell
      \indist
      cpa.enc(M1M)\cpaenc(\ptxt_1 \| \cdots \| \ptxt_\ell):
      if M1E\ptxt_1 \in \mathcal{E}: return err\myerr
      E:=E{M1}\mathcal{E} := \mathcal{E} \cup \{ \ptxt_1 \}
      for i=1i = 1 to \ell:
      Ci{0,1}λ\ctxt_i \gets \bits^\secpar
      return C1C\ctxt_1 \| \cdots \| \ctxt_\ell

      These libraries use a guard condition to enforce that M1\ptxt_1 values are globally distinct.

    2. What happens if the static IV is revealed to the adversary, for example, by another subroutine that returns C0\ctxt_0? Are the resulting libraries also indistinguishable?

  31. Output feedback mode (OFB) is defined below. Prove that it is CPA-secure if FF is a secure PRF:

    Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
    R:=C0{0,1}λR := \ctxt_0 \gets \bits^\secpar
    for i=1i = 1 to \ell:
    R:=F(K,R)R := F(\key, R)
    Ci:=RMi\ctxt_i := R \oplus \ptxt_i
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
    Dec(K,C0C)\Dec(\key, \ctxt_0 \| \cdots \| \ctxt_\ell):
    R:=C0R := \ctxt_0
    for i=1i = 1 to \ell:
    R:=F(K,R)R := F(\key, R)
    Mi:=RCi\ptxt_i := R \oplus \ctxt_i
    return M1M\ptxt_1 \| \cdots \| \ptxt_\ell

  32. h Below is a variant of CBC encryption called propagating CBC (PCBC) mode. Give its decryption algorithm and prove that it is CPA-secure.

    Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    M0:=0λ\hl{\ptxt_0 := \bit0^\secpar}
    for i=1i = 1 to \ell:
    Ci:=F(K,Ci1MiMi1)\ctxt_i := F(\key, \ctxt_{i-1} \oplus \ptxt_i \hl{\oplus \ptxt_{i-1}})
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell

    There is a “one-line proof” that uses the fact that regular CBC mode is secure.

  33. Prove that if the IV is fixed to the all-zeros string 0λ\bit 0^\secpar, then CBC mode still has (computational) one-time secrecy (definition 5.3.2).

  34. Prove that CTR mode (construction 8.5.4) is a CPA-secure encryption scheme, when its underlying block cipher FF is a secure PRF.

  35. \star Suppose a victim uses both CBC and CTR modes with the same key. Formalize an attack scenario in which a victim encrypts plaintexts of the adversary's choice, under the scheme (either CBC or CTR) of the adversary's choice, with a single key. Prove that the ciphertexts are pseudorandom in this scenario.

  36. Consider the following unholy amalgamation of CBC and CTR modes:

    Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    for i=1i = 1 to \ell:
    Ci:=F(K,[C0+i]Mi)\ctxt_i := F\bigl(\key, [\ctxt_0 + i] \oplus \ptxt_i \bigr)
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell

    The expression “[C0+i]Mi[\ctxt_0+i] \oplus \ptxt_i” means: treat C0\ctxt_0 as a λ\secpar-bit integer, add integer ii (with unsigned addition), treat the result as a λ\secpar-bit string, and xor with Mi\ptxt_i. Describe the corresponding decryption algorithm and show that the scheme is not CPA-secure.

  37. In each block of CBC encryption, we call FF on the result of an xor. In CBC decryption, we xor the result of a call to FF. Show that the following modification of CBC encryption, in which the xor and FF are reversed, is not CPA-secure:

    Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    for i=1i = 1 to \ell:
    Ci:=F(K,Mi)Ci1\ctxt_i := F(\key, \ptxt_i ) \oplus \ctxt_{i-1}
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
  38. Some implementers may be unclear about the distinction between a key and an IV, and therefore may be hesitant to include the IV in the ciphertext. Suppose someone has modified CBC mode so that the IV is passed through the PRP before being included in the ciphertext:

    Enc(K,M1M)\Enc(\key, \ptxt_1 \| \cdots \| \ptxt_\ell):
    C0{0,1}λ\ctxt_0 \gets \bits^\secpar
    for i=1i = 1 to \ell:
    Ci:=F(K,MiCi1)\ctxt_i := F(\key, \ptxt_i \oplus \ctxt_{i-1} )
    C0:=F(K,C0)\hl{\ctxt^*_0 := F(\key,\ctxt_0)}
    return C0C1C\hl{\ctxt^*_0} \| \ctxt_1 \| \cdots \| \ctxt_\ell
    1. Show that the resulting scheme is no longer CPA-secure.

    2. What if an independent PRP key is used for this step? In other words, C0\ctxt^*_0 is computed as F(K,C0)F(\hl{\key'},\ctxt_0). Is this modification to CBC mode CPA-secure?

  39. In CBC encryption, we use the previous ciphertext block as the IV for the next block. But we always use a new/fresh IV to begin each separate ciphertext. It seems reasonable to instead use the last block of the previous ciphertext as the IV for the next ciphertext: This is what you would get if you encrypted both plaintexts at the same time, and it would also save an extra block of communication.

    Unfortunately, this optimization is insecure. The attack scenario could be formalized as follows:

    K{0,1}λ\key \gets \bits^\secpar
    V{0,1}λV \gets \bits^\secpar // “next IV
    cpa.enc(M1M)\cpaenc(\ptxt_1 \| \cdots \| \ptxt_\ell):
    C0:=V\ctxt_0 :=V
    for i=1i = 1 to \ell:
    Ci:=F(K,MiCi1)\ctxt_i := F(\key, \ptxt_i \oplus \ctxt_{i-1})
    V:=CV:= \ctxt_{\ell}
    // do not include IV = C0\ctxt_0 in output
    return C1C\ctxt_1 \| \cdots \| \ctxt_\ell

    Show that ciphertexts are no longer pseudorandom in this attack scenario.

  40. We proved the security of CBC mode assuming its block cipher is a secure PRP. A two-round Feistel cipher is not a secure PRP. Despite this, prove that CBC mode is CPA-secure, when its underlying block cipher is a 2-round Feistel cipher (whose round function is a secure PRF). A Feistel cipher has blocklength of 2λ2\secpar bits, and its round function needs λ\secpar bits of input and output. Therefore the CBC mode in this problem has blocks of length 2λ2\secpar bits.

  41. Formally specify the decryption algorithm for CTR mode corresponding to the encryption algorithm in section 8.6 that supports plaintexts of arbitrary length.

  42. Prove that CTR mode for arbitrary plaintext lengths (section 8.6) has CPA security. Try to structure your proof so it uses the fact that CTR mode for block-aligned plaintexts (construction 8.5.4) has CPA security.

  43. Prove that augmenting CBC mode with any padding method (definition 8.6.1) results in a CPA-secure encryption scheme that supports arbitrary plaintext length. Try to structure your proof so it uses the fact that CPA mode for block-aligned plaintexts (construction 8.5.3) has CPA security.

  44. Propose a padding method that works for strings of bits, not just strings of bytes.

  45. CBC-MAC (construction 6.6.1) is defined for strings whose length is an exact multiple of the blocklength. Explain how to modify CBC-MAC to support strings of any length, and argue why the modification retains its security. CBC-MAC also has a disclaimer about fixed vs variable input lengths; how does this disclaimer change with your modification?

  46. In PKCS#7 padding for example, Pad(X)\textsf{Pad}(X) never outputs any string whose last byte is ff\byte{ff}. Design a padding scheme in which every possible (block-aligned) string is a possible output of Pad\textsf{Pad}.

  47. Prove that CBC mode does not achieve nonce-based CPA security if we treat the IV as a nonce.

  48. Prove that CTR mode does not achieve nonce-based CPA security if we treat the IV as a nonce.

  49. Consider the following nonce-based variant of CTR mode, in which nonces are from the set N={0,1}λ/2\N = \bits^{\secpar/2}, and plaintexts are restricted to be less than 2λ/22^{\secpar/2} blocks (so that a counter of blocks can be represented in λ/2\secpar/2 bits). Prove that this variant achieves nonce-based CPA security (definition 8.7.2).

    Enc(K,N,M1M)\Enc(\key, \nonce, \ptxt_1 \| \cdots \| \ptxt_\ell):
    for i=1i = 1 to \ell:
    Ci:=F(K,Ni)Mi\ctxt_i := F\bigl(\key, \nonce \| i\bigr) \oplus \ptxt_i
    return C1C\ctxt_1 \| \cdots \| \ctxt_\ell

    The expression “Ni\nonce \| i” means: Write ii as a λ/2\secpar/2-bit integer and append it to the string N\nonce.

  50. Consider the following nonce-based variant of CBC mode which uses a PRF to convert the nonce to an IV.

    Enc(K1K2,N,M1M)\Enc\Bigl(\key_1\|\key_2, \nonce, \ptxt_1 \| \cdots \| \ptxt_\ell\Bigr):
    C0:=F(K1,N)\ctxt_0 \hl{:= F(\key_1, \nonce)}
    for i=1i = 1 to \ell:
    Ci:=F(K2,Ci1Mi)\ctxt_i := F(\key_2, \ctxt_{i-1} \oplus \ptxt_i)
    // C0\ctxt_0 not needed in the output
    return C1C\ctxt_1 \| \cdots \| \ctxt_\ell

    Prove that this variant achieves nonce-based CPA security (definition 8.7.2). You may use the fact that standard CBC mode is CPA-secure as a randomized scheme.

  51. In the previous exercise, we used separate PRF keys to derive the IV and for CBC encryption. Show that if the same key is used, the result is no longer secure:

    Enc(K,N,M1M)\Enc(\key, \nonce, \ptxt_1 \| \cdots \| \ptxt_\ell):
    C0:=F(K,N)\ctxt_0 := F(\hl{\key}, \nonce)
    for i=1i = 1 to \ell:
    Ci:=F(K,Ci1Mi)\ctxt_i := F(\hl{\key}, \ctxt_{i-1} \oplus \ptxt_i)
    // C0\ctxt_0 not needed in the output
    return C1C \ctxt_1 \| \cdots \| \ctxt_\ell

    Show that this encryption scheme does not achieve nonce-based CPA security.

  52. Continuing the theme of the last few exercises: It can be awkward to invoke a PRF/PRP with different keys. Below is a nonce-based variant of CBC mode that only invokes its PRP on a single key. Prove that this variant achieves nonce-based CPA security (definition 8.7.2):

    Enc(K1K2,N,M1M)\Enc\Bigl(\key_1 \| \key_2, \nonce, \ptxt_1 \| \cdots \| \ptxt_\ell\Bigr):
    C0:=F(K1,NK2)\ctxt_0 := F(\key_1, \nonce \hl{\oplus \key_2})
    for i=1i = 1 to \ell:
    Ci:=F(K1,Ci1Mi)\ctxt_i := F(\key_1, \ctxt_{i-1} \oplus \ptxt_i)
    return C0C1C\ctxt_0 \| \ctxt_1 \| \cdots \| \ctxt_\ell
  53. Let Σ\Sigma be an encryption scheme that achieves nonce-based CPA security, and has allowable nonces Σ.N={0,1}λ\Sigma.\N = \bits^\secpar. We can convert Σ\Sigma into a randomized encryption scheme by sampling the nonce uniformly for each call to Enc\Enc. Formalize the resulting randomized encryption scheme and prove that it satisfies standard CPA security.

  54. \star Design a nonce-based encryption scheme that achieves nonce-based security, but which fails catastrophically when any nonce is repeated just twice. Use your own interpretation of “catastrophic failure,” but often this means that the adversary can recover the key.

Chapter Notes

Goldwasser and Micali were the first to propose that encryption should be randomized, and were the first to provide a formal security definition for encryption (although in the context of public-key encryption) [115].

Wright, Ballard, Coull, Monrose, and Masson use a sophisticated language model to decode spoken phrases from encrypted audio conversations [219]. Schuster, Shmatikov, and Tromer use very coarse traffic data to accurately identify encrypted video streams [199]. For a comprehensive survey of analysis techniques for encrypted network traffic, see Papadogiannaki and Ioannidis [175].

There are several natural countermeasures to avoid leaking the length of encrypted data. Compression and padding can decrease the amount of information leaked in encrypted communications, in a way that can be quantified (see Gellert, Jager, Lyu, and Neuschulten [107]; also Paterson, Ristenpart, and Shrimpton [177]). Dyer, Coull, Ristenpart, and Shrimpton survey several countermeasures to length-side-channel attacks and explain why none are particularly effective [92].

Exercise 8.10 is due to Krawczyk [139].

The original ECB penguin was created by Wikipedia user Lunkwill in 2004, and the original Tux penguin mascot was created by Larry Ewing in 1996. Both images are recreated here under the license terms of their respective authors. Valsorda [213] has documented the history of the ECB penguin, and provides a higher-resolution version.

CBC mode is due to Ehrsam, Meyer, Smith, and Tuchman [95]. Its CPA security was first proven by Bellare, Desai, Jokipii, and Rogaway [15]. CTR mode is due to Diffie and Hellman [84].

Dai [77] was the first to point out the attack against implicitly chained IVs in CBC mode (exercise 8.39), in the context of the SSH protocol. Bellare, Kohno, and Namprempre [21] elaborate on the attack. The observation was later extended to a full attack on the TLS protocol by Duong and Rizzo [91], called BEAST (Browser Exploit Against SSL/TLS).

Nonce-based encryption was first proposed as an alternative to randomized encryption by Rogaway [191]. Our security definition for nonce-based encryption (definition 8.7.2) says nothing about what happens in the event that a nonce is repeated. A scheme that fulfills definition 8.7.2 may fail catastrophically if the nonce is repeated. Rogaway and Shrimpton [195] define a security goal called nonce misuse-resistance, which requires the scheme to provide reasonable security guarantees even in the presence of repeated nonces.

  1. Previous Chapter7. Pseudorandom Permutations
  2. Next Chapter9. Chosen-Ciphertext Attacks Against Encryption