Notes - Computer Security MT24, Block modes



Flashcards

ECB, Electronic codebook

Suppose you have a cipher with encryption and decryption functions

\[\begin{aligned} &E : \mathcal K \times \mathcal M \to \mathcal C \\\\ &D : \mathcal K \times \mathcal C \to \mathcal M \end{aligned}\]

but want to encrypt a message longer than a single plaintext by splitting the message into several blocks.

@Define the electronic codebook (ECB) technique in this case.


Each block $m _ i$ is encrypted separately with the same key:

\[c _ i = E _ k(m _ i)\]

Leads to weaknesses if plaintexts might include repeated or similar blocks.

Suppose you have a cipher with encryption and decryption functions

\[\begin{aligned} &E : \mathcal K \times \mathcal M \to \mathcal C \\\\ &D : \mathcal K \times \mathcal C \to \mathcal M \end{aligned}\]

but want to encrypt a message longer than a single plaintext by splitting the message into several blocks.

In this case, the electronic codebook (ECB) technique is to encrypt each block $m _ i$ separately with same key:

\[c _ i = E _ k(m _ i)\]

What are three problems with this approach?


  1. Repeated blocks encrypt to equal ciphertexts
  2. The enemy can reorder the message blocks
  3. Altering one ciphertext block affects only one plaintext block

CBC, Cipherblock chaining

Suppose you have a cipher with encryption and decryption functions

\[\begin{aligned} &E : \mathcal K \times \mathcal M \to \mathcal C \\\\ &D : \mathcal K \times \mathcal C \to \mathcal M \end{aligned}\]

but want to encrypt a message longer than a single plaintext by splitting the message into several blocks.

@Define the cipherblock chaining (CBC) technique in this case, by:

  • Defining $c _ i$ in terms of $m _ i$,
  • Defining $m _ i$ in terms of $c _ i$, and
  • Giving a recursive definition for $E^\ast _ k\langle m _ 1, \ldots, m _ k \rangle$.

.


Encryption of block $i$ is XOR-ed with the plaintext of block $i+1$ before encryption, starting with an initialisation vector $IV$.

\[\begin{aligned} c _ 1 &= IV \\\\ c _ {i+1} &= E _ k(m _ i \oplus c _ i) \end{aligned}\] \[m_i = c_i \oplus D_k(c_{i+1})\] \[\begin{aligned} E^\ast_k\langle\rangle &= IV \\\\ E^\ast_k\langle m_1, \ldots, m_n \rangle &= E^\ast_k\langle m_1, \ldots, m_{n-1} \rangle \parallel \langle E_k(m_n \oplus \text{last}(E^\ast_k\langle m_1, \ldots, m_{n-1})) \rangle \end{aligned}\]

($IV$ must also be transmitted).

OFB, Output feedback mode

Suppose you have a cipher with encryption and decryption functions

\[\begin{aligned} &E : \mathcal K \times \mathcal M \to \mathcal C \\\\ &D : \mathcal K \times \mathcal C \to \mathcal M \end{aligned}\]

but want to encrypt a message longer than a single plaintext by splitting the message into several blocks.

@Define the output feedback mode (OFB) technique in this case, and highlight a way in which you need to be careful.


Use iterated encryption of a random initialisation vector $IV$ to generate a pseudorandom stream $\langle r _ 2, r _ 3, \ldots \rangle$. Use this pseudorandom stream as a Vernam cipher on each block:

\[\begin{aligned} c _ 1 = r _ 1 &= IV \\\\ r _ {i+1} &= E _ k(r _ i) \\\\ c _ {i+1} &= m _ i \oplus r _ {i+1} \end{aligned}\]

Need to be careful that the pseudorandom stream doesn’t get into a cycle.

CTR, Counter mode

Suppose you have a cipher with encryption and decryption functions

\[\begin{aligned} &E : \mathcal K \times \mathcal M \to \mathcal C \\\\ &D : \mathcal K \times \mathcal C \to \mathcal M \end{aligned}\]

but want to encrypt a message longer than a single plaintext by splitting the message into several blocks.

@Define the counter mode (CTR) technique in this case.


Use encryption of “shifts” of an initialisation vector $IV \oplus i$ to generate a pseudorandom stream $\langle r _ 2, r _ 3, \ldots \rangle$. Use this pseudorandom stream as a Vernam cipher on each block:

\[\begin{aligned} r _ i &= E _ k(IV \oplus i) \\\\ c _ 1 &= IV \\\\ c _ {i+1} &= m _ i \oplus r _ {i+1} \end{aligned}\]

Need to be careful that the pseudorandom stream doesn’t get into a cycle.

GCM, Galois counter mode

Briefly describe the purpose of Galois counter mode.


A block mode, similar to CTR, which encrypts long messages and simultaneously uses the key of the underlying block cipher to produce a tag for message integrity.




Related posts