Online Cryptography Course Dan Boneh

Odds and ends

Key Derivation

Dan Boneh
 Deriving many keys from one
Typical scenario. a single source key (SK) is sampled from:
• Hardware random number generator
• A key exchange protocol (discussed later)

Need many keys to secure session:

• unidirectional keys; multiple keys for nonce-based CBC.

Goal: generate many keys from this one source key

SK k1 , k 2 , k3 , …
KDF
Dan Boneh
 When source key is uniform
F: a PRF with key space K and outputs in {0,1}n

Suppose source key SK is uniform in K

• Define Key Derivation Function (KDF) as:
KDF( SK, CTX, L) :=
F(SK, (CTX ll 0)) ll F(SK, (CTX ll 1)) ll ⋯ ll F(SK, (CTX ll L))

CTX: a string that uniquely identifies the application

Dan Boneh
KDF( SK, CTX, L) :=
F(SK, (CTX ll 0)) ll F(SK, (CTX ll 1)) ll ⋯ ll F(SK, (CTX ll L))

What is the purpose of CTX?

Even if two apps sample same SK they get indep. keys

It’s good practice to label strings with the app. name
It serves no purpose
 What if source key is not uniform?
Recall: PRFs are pseudo random only when key is uniform in K
• SK not uniform ⇒ PRF output may not look random

Source key often not uniformly random:

• Key exchange protocol: key uniform in some subset of K

• Hardware RNG: may produce biased output

Dan Boneh
 Extract-then-Expand paradigm
Step 1: extract pseudo-random key k from source key SK
prob

prob
extractor

SK k

salt

salt: a fixed non-secret string chosen at random

step 2: expand k by using it as a PRF key as before

Dan Boneh
 HKDF: a KDF from HMAC

Implements the extract-then-expand paradigm:

• extract: use k ⟵ HMAC( salt, SK )

• Then expand using HMAC as a PRF with key k

Dan Boneh
 Password-Based KDF (PBKDF)
Deriving keys from passwords:
• Do not use HKDF: passwords have insufficient entropy
• Derived keys will be vulnerable to dictionary attacks
(more on this later)

PBKDF defenses: salt and a slow hash function

Standard approach: PKCS#5 (PBKDF1)

H(c)(pwd ll salt): iterate hash function c times

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Odds and ends

Deterministic Encryption

Dan Boneh
 The need for det. Encryption (no nonce)

Alice data ??

k1, k2 Bob data

⋮
encrypted
database

Dan Boneh
 The need for det. Encryption (no nonce)

??
Alice data
k1, k2 Bob data

E(k 1, “A lic e”) ⋮

Later: re cord encrypted
ve
Retrie database
data
Alice
det. enc. enables later lookup
Dan Boneh
Problem: det. enc. cannot be CPA secure
The problem: attacker can tell when two ciphertexts
encrypt the same message ⇒ leaks information

Leads to significant attacks when message space M is small.

equal ciphertexts
means same index

Dan Boneh
Problem: det. enc. cannot be CPA secure
The problem: attacker can tell when two ciphertexts
encrypt the same message ⇒ leaks information

Attacker wins CPA game:

b m0 , m0  M
Chal. Adv.
c0 E(k, m0)
kK
m 0 , m1  M
output 0
c  E(k, mb) if c = c0

Dan Boneh
A solution: the case of unique messages
Suppose encryptor never encrypts same message twice:
the pair (k , m) never repeats

This happens when encryptor:

• Chooses messages at random from a large msg space (e.g. keys)
• Message structure ensures uniqueness (e.g. unique user ID)

Dan Boneh
 Deterministic CPA security
E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as:

for i=1,…,q:
b Chal. Adv.
kK mi,0 , mi,1  M : |mi,0| = |mi,1|

ci  E(k, mi,b) b’  {0,1}

where m1,0, …, mq,0 are distinct and m1,1, …, mq,1 are distinct

Def: E is sem. sec. under det. CPA if for all efficient A:

AdvdCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.
Dan Boneh
 A Common Mistake
CBC with fixed IV is not det. CPA secure.
Let E: K × {0,1}n ⟶ {0,1}n be a secure PRP used in CBC
b 0n 1n , 0n 1n
Chal. Adv.
c1  [ FIV, E(k, 0n⨁FIV) , …]
kK
m0=0n , m1 = 1n
output 0
c  [ FIV, E(k, FIV) ] or
if c[1] = c1[1]
c  [ FIV, E(k, 1n⨁FIV) ]

Leads to significant attacks in practice.

Dan Boneh
Is counter mode with a fixed IV det. CPA secure?
message
⨁
F(k, FIV) ll F(k, FIV+1) ll … ll F(k, FIV+L)

ciphertext

Yes
b
No m,m
Adv.
Chal.
c m⨁F(k, FIV)
It depends kK
m0 , m1 output 0 if
c’  mb⨁F(k, FIV) c⨁c’=m⨁m0
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Odds and ends

Deterministic Encryption
Constructions:
SIV and wide PRP

Dan Boneh
 Deterministic encryption
Needed for maintaining an encrypted database index
• Lookup records by encrypted index

Deterministic CPA security:

• Security if never encrypt same message twice using same key:
the pair (key , msg) is unique

Formally: we defined deterministic CPA security game

Dan Boneh
 Construction 1: Synthetic IV (SIV)
Let (E, D) be a CPA-secure encryption. E(k, m ; r) ⟶ c
Let F:K × M ⟶ R be a secure PRF

Define: Edet( (k1,k2) , m) =

Thm: Edet is sem. sec. under det. CPA .

Proof sketch: distinct msgs. ⇒ all r’s are indist. from random

Well suited for messages longer than one AES block (16 bytes)
Dan Boneh
 Ensuring ciphertext integrity
Goal: det. CPA security and ciphertext integrity
⇒ DAE: deterministic authenticated encryption
Consider a SIV special case: SIV-CTR
SIV where cipher is counter mode with rand. IV

PRF F message
k1
CTR mode with PRF Fctr k2
Fctr(k2, IV) ll Fctr(k2, IV+1) ll … ll Fctr(k2, IV+L)

IV ciphertext
Dan Boneh
 Det. Auth. Enc. (DAE) for free
Decryption: IV ciphertext

CTR mode with PRF Fctr k2

k1 PRF F Fctr(k2,IV) ll Fctr(k2, IV+1) ll … ll Fctr(k2,IV+L)

message
if ≠IV output ⊥

Thm: if F is a secure PRF and CTR from Fctr is CPA-secure

then SIV-CTR from F, Fctr provides DAE
Dan Boneh
 Construction 2: just use a PRP
Let (E, D) be a secure PRP. E: K × X ⟶ X

Thm: (E,D) is sem. sec. under det. CPA .

Proof sketch: let f: X ⟶ X be a truly random invertible func.
in EXP(0) adv. sees: f(m1,0), …, f(mq,0) q random values in X
in EXP(1) adv. sees: f(m1,1), …, f(mq,1)

Using AES: Det. CPA secure encryption for 16 byte messages.

Longer messages?? Need PRPs on larger msg spaces …
Dan Boneh
 EME: constructing a wide block PRP
Let (E, D) be a secure PRP. E: K × {0,1}n ⟶ {0,1}n
EME: a PRP on {0,1}N for N ⨠ n x[0] x[1] x[2]
⨁ ⨁ ⨁

E E E
E ⨁ ⨁

⨁
E E E
⨁ ⨁ ⨁

Performance: y[0] y[1] y[2]

• can be 2x slower then SIV
Dan Boneh
 PRP-based Det. Authenticated Enc.
Goal: det. CPA security and ciphertext integrity
⇒ DAE: deterministic authenticated encryption
Encryption: Decryption:
80
message 00000 ciphertext

E(k, ⋅) D(k, ⋅) if ≠080 output ⊥

ciphertext message ………

Dan Boneh
PRP-based Det. Authenticated Enc.
Let (E, D) be a secure PRP. E: K × (X×{0,1}n) ⟶ X×{0,1}n

Thm: 1/2n is negligible ⇒ PRP-based enc. provides DAE

Proof sketch: suffices to prove ciphertext integrity

x1, … , x q ∈ X
Chal. Adv.
π (x1 0n), …, π(xq 0n)
π⟵Perms[X×{0,1}n]

c ∉ { π (x1 0n), …, π(xq 0n) }

But then Pr[ LSBn( π-1(c) ) = 0n ] ≤ 1/2n Dan Boneh

End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Odds and ends

Tweakable encryption

Dan Boneh
 Disk encryption: no expansion
Sectors on disk are fixed size (e.g. 4KB)
⇒ encryption cannot expand plaintext (i.e. M = C)
⇒ must use deterministic encryption, no integrity

Lemma: if (E, D) is a det. CPA secure cipher with M=C

then (E, D) is a PRP.

⇒ every sector will need to be encrypted with a PRP

Dan Boneh
 sector 1 sector 2 sector 3

PRP(k, ⋅) PRP(k, ⋅) PRP(k, ⋅)

sector 1 sector 2 sector 3

Problem: sector 1 and sector 3 may have same content

• Leaks same information as ECB mode

Can we do better?
Dan Boneh
 sector 1 sector 2 sector 3

PRP(k1, ⋅) PRP(k2, ⋅) PRP(k3, ⋅)

sector 1 sector 2 sector 3

Avoids previous leakage problem

• … but attacker can tell if a sector is changed and then reverted

Managing keys: the trivial construction kt = PRF(k, t) , t=1,…,L

Can we do better?
Dan Boneh
 Tweakable block ciphers
Goal: construct many PRPs from a key k∈K .

Syntax: E , D : K × T × X ⟶ X

for every t∈T and k⟵K:

E(k, t, ⋅) is an invertible func. on X, indist. from random

Application: use sector number as the tweak

⇒ every sector gets its own independent PRP

Dan Boneh
 Secure tweakable block ciphers
E , D : K × T × X ⟶ X . For b=0,1 define experiment EXP(b) as:
b
b=1: π(Perms[X])|T|
Chal. Adv. A
b=0: kK, π[t] E(k,t,)
t1, x1 t2, x2 … tq, xq
π
π[t1](x1) π[t2](x2) … π[tq](xq)

b’  {0,1}
• Def: E is a secure tweakable PRP if for all efficient A:
AdvtPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible. Dan Boneh
Example 1: the trivial construction
Let (E,D) be a secure PRP, E: K × X ⟶ X .

• The trivial tweakable construction: (suppose K = X)

Etweak(k, t, x) = E( E(k, t), x)

⇒ to encrypt n blocks need 2n evals of E(.,.)

Dan Boneh
 2. the XTS tweakable block cipher [R’04]

Let (E,D) be a secure PRP, E: K × {0,1}n ⟶ {0,1}n .

• XTS: Etweak( (k1,k2), (t,i), x) =

N ⟵E(k2, t)

⇒ to encrypt n blocks need n+1 evals of E(.,.)

Dan Boneh
Is it necessary to encrypt the tweak before using it?
That is, is the following a secure tweakable PRP?

x c

Yes, it is secure
No: E(k, (t,1), P(t,2)) ⨁ E(k, (t,2), P(t,1)) = P(t,1)
No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = P(t,1) ⨁ P(t,2)
No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = 0
 Disk encryption using XTS
sector # t: block 1 block 2 block n

tweak: tweak: tweak:

(t,1) (t,2) (t,n)

• note: block-level PRP, not sector-level PRP.

• Popular in disk encryption products:
Mac OS X-Lion, TrueCrypt, BestCrypt, …
Dan Boneh
 Summary
• Use tweakable encryption when you need many
independent PRPs from one key

• XTS is more efficient than the trivial construction

– Both are narrow block: 16 bytes for AES

• EME (previous segment) is a tweakable mode for wide block

– 2x slower than XTS

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Odds and ends

Format preserving
encryption

Dan Boneh
 Encrypting credit card numbers
Credit card format: bbbb bbnn nnnn nnnc ( ≈ 42 bits )
k
k
POS
terminal

processor #1 processor #2 processor #3 acquiring

bank
Goal: end-to-end encryption
Intermediate processors expect to see a credit card number
⇒ encrypted credit card should look like a credit card
Dan Boneh
Format preserving encryption (FPE)
This segment: given 0 < s ≤ 2n, build a PRP on {0,…,s-1}

from a secure PRF F: K × {0,1}n ⟶ {0,1}n (e.g. AES)

Then to encrypt a credit card number: (s = total # credit cards)

1. map given CC# to {0,…,s-1}
2. apply PRP to get an output in {0,…,s-1}
3. map output back a to CC#

Dan Boneh
 Step 1: from {0,1}n to {0,1}t (t<n)
Want PRP on {0,…,s-1} . Let t be such that 2t-1 < s ≤ 2t .

Method: Luby-Rackoff with F’: K × {0,1}t/2 ⟶ {0,1}t/2 (truncate F)

t/2 bits R0 R1 R2 R3
F’(k1,⋅) F’(k2,⋅) F’(k3,⋅)

t/2 bits L0 ⊕ L1 ⊕ L2 ⊕ L3

input output
(better to use 7 rounds a la Patarin, Crypto’03)
Dan Boneh
Step 2: from {0,1}t to {0,…,s-1}
Given PRP (E,D): K × {0,1}t ⟶ {0,1}t
we build (E’,D’): K × {0,…,s-1} ⟶ {0,…,s-1}

E’(k, x): on input x ∈ {0,…,s-1} do:

y⟵x; do { y ⟵ E(k, y) } until y∈ {0,…,s-1}; output y

Expected # iterations: 2
{0,…,s-1} {0,1}t
Dan Boneh
 Security
Step 2 is tight: ∀A ∃B: PRPadv[A,E] = PRPadv[B,E’]

Intuition: ∀sets Y ⊆ X, applying the transformation to a

random perm. π: X⟶ X
gives a random perm. π': Y ⟶ Y

Step 1: same security as Luby-Rackoff construction

(actually using analysis of Patarin, Crypto’03)
note: no integrity
Dan Boneh
 Further reading
• Cryptographic Extraction and Key Derivation: The HKDF Scheme.
H. Krawczyk, Crypto 2010
• Deterministic Authenticated-Encryption:
A Provable-Security Treatment of the Keywrap Problem.
P. Rogaway, T. Shrimption, Eurocrypt 2006
• A Parallelizable Enciphering Mode. S. Halevi, P. Rogaway, CT-RSA 2004
• Efficient Instantiations of Tweakable Blockciphers and Refinements to
Modes OCB and PMAC. P. Rogaway, Asiacrypt 2004
• How to Encipher Messages on a Small Domain:
Deterministic Encryption and the Thorp Shuffle.
B. Morris, P. Rogaway, T. Stegers, Crypto 2009
Dan Boneh
End of Segment

Dan Boneh