Post on 08-Sep-2018
Outline Introduction The Improbable Differential Attack CLEFIA Conclusion
The Improbable Differential Attack:Cryptanalysis of Reduced Round CLEFIA
Cihangir TEZCAN
Ecole Polytechnique Federale de Lausanne, Switzerland
July 20, 2011, Bilkent University, Ankara, Turkey
Cihangir TEZCAN The Improbable Differential Attack
Outline
1 Introduction
2 The Improbable Differential Attack
    Introduction
    Two Techniques to Obtain Improbable Differentials
3 CLEFIA
    Specifications
    13-round Improbable Differential Attack
4 Conclusion
A (Very) Short Introduction to Differential Cryptanalysis
Differential Cryptanalysis
Discovered by E. Biham and A. Shamir, early 1980s
Find a path (characteristic) so that when the input difference is α, the output difference is β with high probability
Truncated Differential Cryptanalysis
Discovered by L. Knudsen, 1994
Find a path (differential) so that when the input difference is α, the output difference is β with high probability
Only parts of the differences α and β are specified
Impossible Differential Cryptanalysis
Discovered by E. Biham, A. Biryukov, A. Shamir, 1998
Find a path (impossible differential) so that when the input difference is α, the output difference is never β
And others (Higher-order Differential, Boomerang, ...)
A (Very) Short Introduction to Differential Cryptanalysis
Statistical attacks on block ciphers make use of a property of the cipher so that an incident (characteristic, differential, ...) occurs with different probabilities depending on whether the correct key is used or not.

Attack Type                                        | Probability of the incident for a wrong key | Probability of the incident for the correct key | Note
Statistical Attacks (Differential, Truncated, ...) | p                                           | p0                                              | p0 > p
Impossible Differential                            | p                                           | 0                                               | p0 = 0
Improbable Differential                            | p                                           | p0                                              | p0 < p
Improbable Differentials
Assume that α and β differences are observed with probability p for a random key.
Obtain a nontrivial differential so that a pair having α input difference has β′ output difference with probability p′, where β′ is different from β.
Hence for the correct key, the probability of observing these differences becomes p0 = p · (1 − p′).
Caution
If there are nontrivial differentials from α to β, p0 becomes bigger than p · (1 − p′).
Two Techniques to Obtain Improbable Differentials
Two methods to obtain improbable differentials:
1 Use two differentials that miss in the middle with high probability (almost miss-in-the-middle technique)
2 Expand impossible differentials to improbable differentials by adding a differential to the top and/or bottom of the impossible differential (expansion technique)
Almost Miss-in-the-Middle Technique
Figure: almost miss-in-the-middle. An upper differential from α to δ holds with probability p1 and a lower differential between γ and β holds with probability p2; the two miss (contradict) in the middle, and p′ = p1 · p2.
Improbable Differentials from Impossible Differentials
Figure: the expansion technique, step by step. Start from an impossible differential from δ to γ, for which p′ = 1. Adding a differential from α to δ with probability p1 on top gives an improbable differential starting from α with p′ = p1. Adding a further differential between γ and β with probability p2 at the bottom gives an improbable differential from α to β with p′ = p1 · p2.
Pros and Cons of the Expansion Method
Pros:
Longer differentials
Attack on more rounds
Cons:
Data complexity increases (because p0 increases)
Time complexity increases (since we use more data)
Memory complexity increases (we need to keep counters for the guessed keys)
Data Complexity and Success Probability
Blondeau et al. proposed accurate estimates of the data complexity and success probability for many statistical attacks, including differential and truncated differential attacks.
With appropriate changes, these estimates can be used for improbable differential attacks, too.
Previous attacks where p0 < p
Early examples of improbable differential attack:
J. Borst, L. Knudsen, V. Rijmen: "Two Attacks on Reduced IDEA"
L. Knudsen, V. Rijmen: "On the Decorrelated Fast Cipher (DFC) and Its Theory"
CLEFIA
Developed by Sony in 2007
Clef means key in French.
Block length: 128 bits
Key lengths: 128, 192, and 256 bits
Number of rounds: 18, 22, or 26
Previous best attacks: Impossible differential attacks on 12, 13, 14 rounds for 128, 192, 256-bit key lengths by Tsunoo et al.
We converted these attacks to improbable differential attacks using the expansion technique
Current best attacks: Improbable differential attacks on 13, 14, 15 rounds for 128, 192, 256-bit key lengths
CLEFIA: Encryption Function
Figure: CLEFIA encryption function. The 128-bit block is processed as four 32-bit words X{0,0}, X{0,1}, X{0,2}, X{0,3}; whitening keys WK0 and WK1 are added at the input and WK2 and WK3 at the output. Each round applies F0 and F1 with a pair of round keys (RK0, RK1 in the first round, RK2, RK3 in the second, ..., RK2r-2, RK2r-1 in round r), and the output is C0, C1, C2, C3.
CLEFIA: F0 and F1 Functions
Figure: the F0 and F1 functions. Each takes a 32-bit input x0 x1 x2 x3 and a 32-bit round key k0 k1 k2 k3, passes the key-added bytes through four S-boxes (S0, S1, S0, S1 in F0; S1, S0, S1, S0 in F1) and a diffusion matrix (M0 in F0, M1 in F1), and outputs y0 y1 y2 y3.
10-round Improbable Differential
We will use the following two 9-round impossible differentials, which were introduced by Tsunoo et al.:

$$[0_{(32)}, 0_{(32)}, 0_{(32)}, [X, 0, 0, 0]_{(32)}] \not\rightarrow_{9r} [0_{(32)}, 0_{(32)}, 0_{(32)}, [0, Y, 0, 0]_{(32)}]$$
$$[0_{(32)}, 0_{(32)}, 0_{(32)}, [0, 0, X, 0]_{(32)}] \not\rightarrow_{9r} [0_{(32)}, 0_{(32)}, 0_{(32)}, [0, Y, 0, 0]_{(32)}]$$

where $X_{(8)}$ and $Y_{(8)}$ are non-zero differences.
We obtain 10-round improbable differentials by adding the following one-round differentials to the top of these 9-round impossible differentials:

$$[[\psi, 0, 0, 0]_{(32)}, \zeta_{(32)}, 0_{(32)}, 0_{(32)}] \rightarrow_{1r} [0_{(32)}, 0_{(32)}, 0_{(32)}, [\psi, 0, 0, 0]_{(32)}]$$
$$[[0, 0, \psi, 0]_{(32)}, \zeta'_{(32)}, 0_{(32)}, 0_{(32)}] \rightarrow_{1r} [0_{(32)}, 0_{(32)}, 0_{(32)}, [0, 0, \psi, 0]_{(32)}]$$

which hold when the output difference of the F0 function is ζ (resp. ζ′) when the input difference is [ψ, 0, 0, 0] (resp. [0, 0, ψ, 0]).
13-round Improbable Differential Attack
We choose ψ and the corresponding ζ and ζ′ according to the difference distribution table (DDT) of S0 in order to increase the probability of the differential. In this way we get p′ ≈ 2^(−5.87).
We put one additional round on the plaintext side and two additional rounds on the ciphertext side of the 10-round improbable differentials to attack the first 13 rounds of CLEFIA, recovering RK1, RK23,1 ⊕ WK2,1, RK24, and RK25.
Figure: the 13-round attack. Round 1 is added on the plaintext side, rounds 12 and 13 on the ciphertext side, and rounds 2 to 11 form the 10-round improbable differential. The whitening keys WK0, WK1 (input) and WK2, WK3 (output) and the round keys RK0, RK1 (round 1), RK2, RK3 (round 2), RK22, RK23 (round 12), RK24, RK25 (round 13) are shown. The word differences are:
Plaintext:       ∆x{0,0} = 0, ∆x{0,1} = [ψ,0,0,0], ∆x{0,2} = ζ, ∆x{0,3} = X
After round 1:   ∆x{1,0} = [ψ,0,0,0], ∆x{1,1} = ζ, ∆x{1,2} = 0, ∆x{1,3} = 0
After round 11:  ∆x{11,0} = 0, ∆x{11,1} = 0, ∆x{11,2} = [0,Y,0,0], ∆x{11,3} = 0
After round 12:  ∆x{12,0} = 0, ∆x{12,1} = [0,Y,0,0], ∆x{12,2} = β, ∆x{12,3} = 0
Ciphertext:      ∆x{13,0} = 0, ∆x{13,1} = [0,Y,0,0], ∆x{13,2} = β, ∆x{13,3} = γ
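As an added example (not code from the talk), the following Python propagates truncated word differences through CLEFIA's four-branch Feistel structure to check the outer rounds of the figure above: the one-round extension on top of the 9-round impossible differential, the plaintext-side round, and the two ciphertext-side rounds (CLEFIA's final round has no word rotation). The S-boxes and the M0/M1 matrices are not modelled; treating every non-zero F input as an unknown non-zero output, and the symbol names, are this example's simplifications.

```python
# Added example: symbolic truncated-difference propagation through CLEFIA's
# 4-branch generalized Feistel structure.  Each 32-bit word difference is a
# tuple of four byte symbols:
#   '0'              zero difference
#   'psi', 'Y', ...  a fixed non-zero difference
#   '?'              unknown (may take any value, zero included)
# The S-boxes and the M0/M1 matrices are deliberately not modelled: any
# non-zero input difference to F0 or F1 is treated as an unknown output
# difference in every byte.  That is this example's simplification, not a
# property of the real tables.

ZERO = ('0', '0', '0', '0')
UNKNOWN = ('?', '?', '?', '?')
PSI = ('psi', '0', '0', '0')          # [psi, 0, 0, 0] from the slides
Y_WORD = ('0', 'Y', '0', '0')         # [0, Y, 0, 0] from the slides
ZETA = ('z0', 'z1', 'z2', 'z3')       # zeta: a full 32-bit difference
X_WORD = ('x0', 'x1', 'x2', 'x3')     # the 32-bit plaintext difference X


def is_zero(word):
    return all(b == '0' for b in word)


def xor_word(a, b):
    """Symbolic byte-wise XOR of two word differences."""
    out = []
    for s, t in zip(a, b):
        if s == '0':
            out.append(t)
        elif t == '0':
            out.append(s)
        elif s == t and s != '?':
            out.append('0')          # the same fixed difference cancels
        else:
            out.append('?')          # anything else is unknown
    return tuple(out)


def f_diff(word):
    """Truncated view of F0/F1: zero in gives zero out, else unknown."""
    return ZERO if is_zero(word) else UNKNOWN


def clefia_round_diff(state, last=False):
    """One CLEFIA round on a 4-word difference.

    Round keys and whitening keys are XORed in, so they never change a
    difference.  Every round except the last rotates the four words by one
    position; the final round omits the rotation.
    """
    x0, x1, x2, x3 = state
    t0 = x0
    t1 = xor_word(x1, f_diff(x0))    # F0 branch
    t2 = x2
    t3 = xor_word(x3, f_diff(x2))    # F1 branch
    return (t0, t1, t2, t3) if last else (t1, t2, t3, t0)


def propagate(state, rounds, ends_cipher=False):
    """Apply `rounds` rounds; if ends_cipher, the last one is the cipher's
    unrotated final round."""
    for i in range(rounds):
        state = clefia_round_diff(state, last=ends_cipher and i == rounds - 1)
    return state


def top_extension():
    """The one-round differential placed on top of the 9-round impossible
    differential: input [[psi,0,0,0], zeta, 0, 0].  Word 0 of the output is
    zeta xor F0([psi,0,0,0]); it is zero exactly when F0 outputs zeta, the
    event whose probability p' the slides take from the DDT of S0."""
    return propagate((PSI, ZETA, ZERO, ZERO), 1)


def plaintext_side():
    """Round 1 of the attack on plaintext difference [0, [psi,0,0,0], zeta, X].
    Word 2 comes out as X xor F1(zeta): the attack needs it to be zero, which
    is the condition the added plaintext-side round imposes."""
    return propagate((ZERO, PSI, ZETA, X_WORD), 1)


def ciphertext_side():
    """Rounds 12 and 13 from the differential's output [0, 0, [0,Y,0,0], 0];
    round 13 is CLEFIA's final, unrotated round."""
    return propagate((ZERO, ZERO, Y_WORD, ZERO), 2, ends_cipher=True)


if __name__ == "__main__":
    print("top extension  :", top_extension())     # word 0 must become 0
    print("after round 1  :", plaintext_side())    # word 2 must become 0
    print("after round 13 :", ciphertext_side())   # slide: [0, [0,Y,0,0], beta, gamma]
```

The unknown words that come out on the ciphertext side are the β and γ of the figure, and the single unknown word after round 1 (and after the top extension) marks exactly where the attack has to impose a condition rather than follow the structure for free.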
13-round Improbable Differential Attack
Table: Comparison of Tsunoo et al.'s impossible attack with the expanded improbable attack

Rounds | Attack Type | Key Length | Data Complexity | Time Complexity | Memory (blocks) | Success Probability
12     | Impossible  | 128        | 2^118.9         | 2^119           | 2^73            | -
13     | Improbable  | 128        | 2^126.83        | 2^126.83        | 2^101.32        | 99%
14 and 15-round Improbable Differential Attacks
By using a similar expansion technique, we can apply the improbable differential attack to
14-round CLEFIA when the key length is 192 bits
15-round CLEFIA when the key length is 256 bits
Conclusion
We provided
1 a new cryptanalytic technique called the improbable differential attack, where a differential holds with lower probability when tried with the correct key
2 two techniques to obtain improbable differentials
3 data complexity estimates for improbable differential attacks
4 state-of-the-art attacks on the block cipher CLEFIA
Introduction Games and Security Padding Schemes Conclusion
On Hiding a Plaintext Length by Preencryption
Cihangir TEZCAN and Serge VAUDENAY
Ecole Polytechnique Federale de Lausanne (EPFL), Switzerland
July 20, 2011, Bilkent University, Ankara, Turkey
Cihangir TEZCAN and Serge VAUDENAY On Hiding a Plaintext Length by Preencryption
Outline
1 Introduction
2 Games and Security
3 Padding Schemes
4 Conclusion
Introduction
Problem: Encryption schemes cannot hide the plaintext length when the plaintext domain is unbounded. Moreover, an approximation of the plaintext length may leak some information.
A Solution: Use random padding before the encryption.
e.g. TLS protocol version 1.2 allows padding of up to 2^11 bits to frustrate attacks based on the lengths of exchanged messages (but the resulting length must be a multiple of the block size).
Aim: To formalize preencryption schemes and define appropriate secrecy.
Games and Security
∆-IND-OTE Game
1 Challenger generates a key K and discloses its public part Kp
2 Adversary selects plaintexts x0 and x1 where ||x0| − |x1|| ≤ ∆
3 Challenger flips a coin b, computes EncK(xb) = Y and gives Y to the adversary
4 Adversary guesses b′ and wins if b′ = b
IND-OTE security corresponds to the ∆ = 0 case.
Definition
The advantage is Pr[b = b′] − 1/2. We say that the encryption scheme is ∆-IND-OTE (t, ε)-secure if for every adversary with time complexity limited by t, the advantage is at most ε.
Preencryption Schemes
Definition
Given two plaintext domains X and X′, a preencryption scheme from X to X′ is a pair of algorithms
a (probabilistic) algorithm pre such that for all x ∈ X, pre(x) ∈ X′ with probability 1
a (deterministic) algorithm Extract
where Extract(pre(x)) = x with probability 1.
A preencryption scheme is B-almost length preserving if ||pre(x)| − |x|| ≤ B with probability 1 for all x.
A preencryption scheme is length-increasing if |pre(x)| ≥ |x| with probability 1 for all x.
Preencryption Schemes
∆-IND Game:
1 Adversary selects plaintexts x0 and x1 where ||x0| − |x1|| ≤ ∆
2 Challenger flips a coin b, computes |pre(xb)| = L and gives L to the adversary
3 Adversary guesses b′ and wins if b′ = b
Definition (Security and Advantage)
A preencryption scheme is ∆-IND (t, ε)-secure if for every adversary A with time complexity limited by t, the advantage in the above game is at most ε. The advantage is defined as Pr[b = b′] − 1/2.
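Added example (not the talk's own construction): a TLS 1.2-style random padding scheme written as a preencryption pair (pre, Extract) in the sense of the definition above, together with the exact best ∆-IND advantage an adversary can reach from the length L = |pre(x_b)| alone. The 16-byte block size, the 256-byte (2^11-bit) padding bound, the TLS-style encoding of the pad length and the sample lengths are this example's assumptions.

```python
# Added example: a TLS-1.2-style random padding preencryption scheme and the
# exact optimal advantage in the Delta-IND game (adversary sees only |pre(x_b)|).
# Block size, pad bound, pad-length encoding and sample lengths are assumptions
# of this example, chosen to mirror the TLS 1.2 padding described in the talk.
import secrets
from fractions import Fraction

BLOCK = 16       # padded length must be a multiple of this many bytes
MAX_PAD = 256    # at most 2^11 bits = 256 bytes of padding


def valid_pad_lengths(n, block=BLOCK, max_pad=MAX_PAD):
    """All pad lengths r in 1..max_pad with (n + r) a multiple of block."""
    return [r for r in range(1, max_pad + 1) if (n + r) % block == 0]


def pre(x, block=BLOCK, max_pad=MAX_PAD):
    """Probabilistic pre: append r bytes each holding r - 1 (TLS convention)
    for a uniformly random valid r, so pre(x) is always block-aligned."""
    r = secrets.choice(valid_pad_lengths(len(x), block, max_pad))
    return x + bytes([r - 1]) * r


def extract(y):
    """Deterministic Extract: the last byte says how many bytes to drop."""
    r = y[-1] + 1
    if r > len(y) or y[-r:] != bytes([r - 1]) * r:
        raise ValueError("malformed padding")
    return y[:-r]


def length_distribution(n, block=BLOCK, max_pad=MAX_PAD):
    """Exact distribution of |pre(x)| for |x| = n, as {length: probability}."""
    rs = valid_pad_lengths(n, block, max_pad)
    p = Fraction(1, len(rs))
    dist = {}
    for r in rs:
        dist[n + r] = dist.get(n + r, 0) + p
    return dist


def best_delta_ind_advantage(n0, n1, block=BLOCK, max_pad=MAX_PAD):
    """Advantage Pr[b = b'] - 1/2 of the optimal adversary submitting plaintexts
    of lengths n0 and n1 and guessing from L = |pre(x_b)| alone.

    The best guess is the b whose length distribution gives L more weight,
    so Pr[win] = 1/2 + TV(L0, L1)/2 and the advantage is half the total
    variation distance between the two length distributions."""
    d0 = length_distribution(n0, block, max_pad)
    d1 = length_distribution(n1, block, max_pad)
    tv = sum(abs(d0.get(L, 0) - d1.get(L, 0)) for L in set(d0) | set(d1)) / 2
    return tv / 2


def roundtrip_ok(x):
    """Extract(pre(x)) = x and the padded length stays within MAX_PAD."""
    y = pre(x)
    return extract(y) == x and 1 <= len(y) - len(x) <= MAX_PAD and len(y) % BLOCK == 0


if __name__ == "__main__":
    for n0, n1 in [(40, 41), (40, 56), (0, 256)]:
        print(f"|x0|={n0:3d} |x1|={n1:3d}  best advantage = "
              f"{best_delta_ind_advantage(n0, n1)}")
```

With these parameters, lengths 40 and 41 give advantage 0 because both round to the same block boundary, while 40 and 56 give 1/32; the advantage only reaches 1/2 once the two length distributions no longer overlap.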
Cihangir TEZCAN and Serge VAUDENAY On Hiding a Plaintext Length by Preencryption
Preencryption Schemes
Theorem
For an IND-OTE-secure encryption C′ which fully leaks the plaintext length, the ∆-IND security of P is necessary and sufficient to have C ∆-IND-OTE-secure, where C(x) = C′(pre(x)).
i.e. P ∆-IND-secure + C′ IND-OTE-secure => C ∆-IND-OTE-secure
Advantage
Definition
Given a set of integers A, x0 and x1, we define a ∆-IND adversary D_A(x0, x1) as the one selecting x0 and x1 then yielding b′ = 1 if and only if L ∈ A. We define Adv_A(x0, x1) as the advantage of this adversary.
Notation
We denote by Adv(x0, x1) the maximal advantage over adversaries selecting x0 and x1.
Actually, Adv(x0, x1) is the statistical distance between |pre(x0)| and |pre(x1)|.
Maximal Security of the Pad-then-Encrypt Scheme
Definition
A padding scheme defines the preencryption scheme pre(x) = x‖pad(x).
Note that preencryption schemes made out of a padding scheme are all length-increasing.
Example
Let B = 11 and N be the binomial distribution with parameters 10 and 1/2.
Let the lengths of the two chosen plaintexts for the ∆-IND game be |x0| = 24 and |x1| = 27.
An Example
[Figure: probability of each padding length in the example (x-axis: Padding Length, 0 to 10; y-axis: Probability, 0 to 0.4)]
An Example
[Figure: probability of each preencryption length in the example (x-axis: Preencryption Length, 24 to 40; y-axis: Probability, 0 to 0.4)]
Maximal Security of the Pad-then-Encrypt Scheme
Theorem (Lower bound)
If P is length-increasing and B-almost length-preserving, then there exists an adversary with advantage at least 1/(2⌈B/∆⌉).
Some assumptions:
(uniformity) the distribution of the padding length is fixed (it does not depend on the plaintext)
(almost length-preserving) the padding length is in {1, . . . , B}
Uniform Padding Schemes
We are considering the ∆-IND game where ||x0| − |x1|| ≤ ∆, N is the distribution of the padding length, and |pad(x)| ≤ B. Three questions to answer:
1 Given B and ∆, what is the optimal distribution N? (the uniform distribution is nearly optimal)
2 What is the ε-security of the optimal distribution? (nearly ∆/(2B))
3 Given ∆, to obtain ε-security, what should the padding length B be? (nearly ∆/(2ε))
Uniform Padding Schemes
Example
The padding scheme that has uniformly distributed padding length in {1, . . . , B} has advantage Adv(x0, x1) = ||x1| − |x0||/(2B). So, this preencryption scheme is ∆-IND(t, ∆/(2B))-secure for all ∆ and any t.
Example: Uniform Distribution
[Figure: probability of each preencryption length under uniformly distributed padding (x-axis: Preencryption Length, 10 to 35; y-axis: Probability, 0 to 0.1)]
Uniform Padding Schemes
Thus, we have ∆/(2B) ≥ Adv(a, b) ≥ 1/(2⌈B/∆⌉).
Theorem (∆ = 2 Case)
Consider a uniform strictly length-increasing and B-almost length-preserving padding scheme. If B is odd and ∆ = 2 then Adv(a, b) ≥ B/(B²+1).
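As an added example (not code from the paper or the slides), the following computes the advantage Pr[b = b′] − 1/2 of the best set adversary D_A for the binomial padding of the example above and for the uniform padding scheme, and compares both with the closed form ∆/(2B) and the lower bound 1/(2⌈B/∆⌉). It assumes the example's padding length is 1 + N with N ~ Binomial(10, 1/2), so that it lies in {1, . . . , 11} = {1, . . . , B}; the function names are mine.

```python
# Added example, not from the slides: the Δ-IND game with a plaintext-independent
# padding-length distribution, and the optimal set adversary D_A from the definition.
# Assumption (mine): in the slides' example |pad(x)| = 1 + N, N ~ Binomial(10, 1/2).
from fractions import Fraction
from math import comb, ceil


def binomial_padding(n=10, p=Fraction(1, 2)):
    """Padding-length distribution {length: probability} for the slides' example.
    Assumed: |pad(x)| = 1 + N with N ~ Binomial(n, p), so lengths are 1..n+1."""
    return {k + 1: comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(n + 1)}


def uniform_padding(B):
    """Uniform padding length in {1, ..., B} (the nearly optimal scheme)."""
    return {k: Fraction(1, B) for k in range(1, B + 1)}


def preencryption_length_dist(x_len, pad_dist):
    """Distribution of L = |pre(x)| = |x| + |pad(x)|; padding is plaintext-independent."""
    return {x_len + k: pr for k, pr in pad_dist.items()}


def best_set_adversary(x0_len, x1_len, pad_dist):
    """Optimal D_A: answer b' = 1 iff L is in A, where A is the set of lengths that
    are more likely under x1 than under x0.  Returns (A, Adv) with Adv = Pr[b = b'] - 1/2."""
    d0 = preencryption_length_dist(x0_len, pad_dist)
    d1 = preencryption_length_dist(x1_len, pad_dist)
    support = set(d0) | set(d1)
    A = {L for L in support if d1.get(L, 0) > d0.get(L, 0)}
    # b is a fair coin: the adversary wins when b = 0 and L not in A, or b = 1 and L in A
    p_win = (sum(pr for L, pr in d0.items() if L not in A)
             + sum(pr for L, pr in d1.items() if L in A)) / 2
    return A, p_win - Fraction(1, 2)


def uniform_advantage(x0_len, x1_len, B):
    """Closed form from the slides for the uniform scheme: ||x1| - |x0|| / (2B)."""
    return Fraction(abs(x1_len - x0_len), 2 * B)


def lower_bound(B, delta):
    """Lower-bound theorem: some adversary has advantage >= 1 / (2 * ceil(B / delta))."""
    return Fraction(1, 2 * ceil(Fraction(B, delta)))


if __name__ == "__main__":
    B, x0, x1 = 11, 24, 27          # the slides' example: B = 11, |x0| = 24, |x1| = 27
    delta = abs(x1 - x0)
    A, adv_bin = best_set_adversary(x0, x1, binomial_padding())
    _, adv_uni = best_set_adversary(x0, x1, uniform_padding(B))
    print(f"binomial padding: A = {sorted(A)}, Adv = {adv_bin} ~ {float(adv_bin):.3f}")
    print(f"uniform padding:  Adv = {adv_uni} = delta/(2B) = {uniform_advantage(x0, x1, B)}")
    print(f"lower bound 1/(2*ceil(B/delta)) = {lower_bound(B, delta)}")
```

For the example's parameters the binomial padding gives Adv = 21/64 while the uniform padding gives 3/22, just above the lower bound 1/8, which is what makes the uniform scheme nearly optimal.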
Table: Security when ∆ = 2 and B is odd
B    Uniform Distribution ∆/(2B)   Best Achievable B/(B²+1)   Lower Bound 1/(2⌈B/∆⌉)
3    0.333333333333333             0.3                        0.25
5    0.2                           0.192307692307692          0.166666666666667
7    0.142857142857143             0.14                       0.125
9    0.111111111111111             0.109756097560976          0.1
11   0.0909090909090909            0.0901639344262295         0.0833333333333333
13   0.0769230769230769            0.0764705882352941         0.0714285714285714
15   0.0666666666666667            0.0663716814159292         0.0625
17   0.0588235294117647            0.0586206896551724         0.0555555555555556
19   0.0526315789473684            0.0524861878453039         0.05
21   0.0476190476190476            0.0475113122171946         0.0454545454545455
23   0.0434782608695652            0.0433962264150943         0.0416666666666667
25   0.04                          0.0399361022364217         0.0384615384615385
27   0.037037037037037             0.036986301369863          0.0357142857142857
29   0.0344827586206897            0.0344418052256532         0.0333333333333333
31   0.032258064516129             0.0322245322245322         0.03125
33   0.0303030303030303            0.0302752293577982         0.0294117647058824
35   0.0285714285714286            0.0285481239804241         0.0277777777777778
37   0.027027027027027             0.027007299270073          0.0263157894736842
39   0.0256410256410256            0.0256241787122208         0.025
41   0.024390243902439             0.0243757431629013         0.0238095238095238
43   0.0232558139534884            0.0232432432432432         0.0227272727272727
45   0.0222222222222222            0.0222112537018756         0.0217391304347826
47   0.0212765957446809            0.0212669683257919         0.0208333333333333
49   0.0204081632653061            0.0203996669442132         0.02
Some Consequences
TLS Protocol version 1.2 allows padding of up to B = 2^11 bits to frustrate attacks based on the lengths of exchanged messages. So it is ∆-IND(t, ∆/2^12)-secure. However, the resulting length must be a multiple of the block size. For example, B = 32 blocks of data when the block cipher uses blocks of 64 bits. So the real security is ε = ∆/2^5.
Usual security levels cannot be obtained for the ∆-IND-OTE game in practice. E.g. to make two plaintexts with a single bit of length difference 2^−80-indistinguishable (i.e. 1-IND-OTE(t, 2^−80)), we need to append a padding of length 2^79 bits.
Conclusion
We formalized the notion of preencryption scheme and its associated ∆-IND security notion.
We formalized the pad-then-encrypt technique and showed that ∆-IND-security is necessary and sufficient to make an encryption scheme ∆-IND-OTE secure.
We showed that there is always an adversary with advantage nearly ∆/(2B). So, insecurity degrades linearly with the padding length B.
We showed that a padding scheme making padding lengths uniformly distributed is nearly optimal.