symmetric encryption - georgetown...

Symmetric EncryptionAdam O’Neill

based on http://cseweb.ucsd.edu/~mihir/cse207/

SyntaxEat $

1

-k7t~

m→T# c- Do → m

drawrandomised } distinguishes from

or Hatefulywckcipter

CorrectnessPr [ NCK

,Eck ,M))=M]=1

fm in the message - space

where the probability is orer, .

K # K and the

Coins of { if any .

Modes of OperationModes of operation

E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` a family of functions

Usually a block cipher, in which case ` = n.

Notation: x [i ] is the i-th block of a string x, so that x = x [1] . . . x [m].Length of blocks varies.

Always:

Alg KK

$ {0, 1}kreturn K

Mihir Bellare UCSD 4

Modes of OperationModes of operation

Block cipher provides parties sharing K with

EK

M

C

which enables them to encrypt a 1-block message.

How do we encrypt a long message using a primitive that only applies ton-bit blocks?


ECBXID ...

x[ on )I d

Ee Ett d

Electronic code book mode Cfl ] CENT

Algorithm E ( k,

x ) Algorikm Dabck ,c )Ecb

let ×=xTi ].

-x[ m ] let ⇐ EZD

. - In ]For it 1 to m do : For i. 1 to m do :

ei ←

Eklxi) xitetlcd

Let c=c[ is.

-

ctn ) let x=xFD . - In ]

return C return X

Security of ECBleaks input equality !

Security of ECBSecurity of ECB

Suppose we know that there are only two possible messages, Y = 1n andN = 0n, for example representing

• FIRE or DON’T FIRE a missile• BUY or SELL a stock• Vote YES or NO

Then ECB algorithm will be EK (M) = EK (M).

EK

M

C


Voting with ECBVoters

*

did IIIIIIIO. "

Is this avoidable?Is this avoidable?

Let SE = (K, E ,D) be ANY encryption scheme.

Suppose M1,M2 2 {Y ,N} and

• Sender sends ciphertexts C1 EK (M1) and C2 EK (M2)

• Adversary A knows that M1 = Y

Adversary says: If C2 = C1 then M2 must be Y else it must be N.

Does this attack work?

Yes, if E is deterministic.


Randomized EncryptionRandomized encryption

For encryption to be secure it must be randomized

That is, algorithm EK flips coins.

If the same message is encrypted twice, we are likely to get back di↵erentanswers. That is, if M1 = M2 and we let

C1$ EK (M1) and C2

$ EK (M2)

thenPr [C1 = C2]

will (should) be small, where the probability is over the coins of E .


Randomized EncryptionRandomized encryption

A fundamental departure from classical and conventional notions ofencryption.

Clasically, encryption (e.g., substitution cipher) is a code, associating toeach message a unique ciphertext.

Now, we are saying no such code is secure, and we look to encryptionmechanisms which associate to each message a number of di↵erentpossible ciphertexts.


CBC$CBC$: Cipher Block Chaining with random IV mode

SE = (K, E ,D) where:

Alg EK (M)

C [0] $ {0, 1}nfor i = 1, . . . ,m do

C [i ] EK (M[i ]� C [i � 1])return C

Alg DK (C )

for i = 1, . . . ,m do

M[i ] E�1K (C [i ])� C [i � 1]

return M

Correct decryption relies on E being a block cipher.Mihir Bellare UCSD 15

CBLCTR Cipher . block

Chaining mode

µ Called initial :ztnvector Eu )

Voting with CBC$Voters

¥m9e÷IIon# tally. Ek( vote

,of IV )

:¥ PinkEcrocsilkyoten

)=)¥5

F. (

Votenotwn

)

Towards a Definition

• We see CBC$ is better than ECB in some sense.

• But is it secure?

• What does secure mean here?

Security RequirementsSecurity requirements

Suppose sender computes

C1$ EK (M1) ; · · · ; Cq

$ EK (Mq)

Adversary A has C1, . . . ,Cq

What if A

Retrieves K Bad!Retrieves M1 Bad!

But also we want to hide all partial information about the data stream,such as

• Does M1 = M2?

• What is first bit of M1?

• What is XOR of first bits of M1,M2?

Something we won’t hide: the length of the messageMihir Bellare UCSD 21

What we seek• A “master” property that


• Can be easily specified



• Allows us to evaluate whether a scheme is secure




• Implies a ciphertext reveals NO partial information about plaintext




• Implies a ciphertext reveals NO partial information about plaintext

• In the case of a blockcipher the master property was PRF-security. Here it is different because encryption should be randomized

IntuitionIntuition for definition of IND-CPA

The master property MP is called IND-CPA (indistinguishability underchosen plaintext attack).

Consider encrypting one of two possible message streams, either

M10 , ...,M

q0

orM1

1 , ...,Mq1

Adversary, given ciphertexts and both data streams, has to figure outwhich of the two streams was encrypted.


lmiklmilti

IND-CPA GamesGames for ind-cpa-advantage of an adversary A

Let SE = (K, E ,D) be an encryption scheme

Game LeftSE

procedure Initialize

K$ K

procedure LR(M0,M1)

Return C$ EK (M0)

Game RightSE


K$ K

procedure LR(M0,M1)

Return C$ EK (M1)

Associated to SE ,A are the probabilities

PrhLeft

ASE)1

iPr

hRight

ASE)1

i

that A outputs 1 in each world. The (ind-cpa) advantage of A is

Adv

ind-cpaSE (A) = Pr

hRight

ASE)1

i� Pr

hLeft

ASE)1

i


In distinguish ability under chosen - plaintext attack

Measure of SuccessThe measure of success

Adv

ind-cpaSE (A) ⇡ 1 means A is doing well and SE is not ind-cpa-secure.

Adv

ind-cpaSE (A) ⇡ 0 (or 0) means A is doing poorly and SE resists the

attack A is mounting.

Adversary resources are its running time t and the number q of its oraclequeries, the latter representing the number of messages encrypted.

Security: SE is IND-CPA-secure if Advind-cpaSE (A) is “small” for ALL Athat use “practical” amounts of resources.

Insecurity: SE is not IND-CPA-secure if we can specify an explicit A thatuses “few” resources yet achieves “high” ind-cpa-advantage.


IND-CPA security of ECBin

Adversary ACRC .

,. )

M.

← IlMet ol

C ← LRLM.,µ ,

) -In LEFT ret

LRCM . ,m .)

✓ €kCMo )

C '← RIGHT at

It c=c'

ret 0 Even , )

Else ret I

Added

.tn#=prTRIbttEaast7H-prEtt.t.aEnf

Right Game AnalysisCtapffmbttteni .⇒A=1 .

Proof Since Mo # M,

and EK is determinate

we have Ctd.

⇒ A returns 1$

Left Game AnalysisClaim

. PELEFTEAA,

⇒ 17 IO

Proof Analogous .

ConclusionAdviencdjon (a) = 1 - 0=1

⇒ GCB is notIWD - CPA secure

!

Any deterministic scheme is not IND-CPA

The theorem generalizes to show that thesame adversary breaks

any deterministicenc scheme ( meaning E is deterministic & Stateless )

CTR$CTR$ mode

Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family of functions. If X 2 {0, 1}nand i 2 N then X + i denotes the n-bit string formed by converting X toan integer, adding i modulo 2n, and converting the result back to an n-bitstring. Below the message is a sequence of `-bit blocks:

Alg EK (M)

C [0] $ {0, 1}nfor i = 1, . . . ,m do

P[i ] EK (C [0] + i)C [i ] P[i ]�M[i ]

return C

Alg DK (C )

for i = 1, . . . ,m do

P[i ] EK (C [0] + i)M[i ] P[i ]� C [i ]

return M


CM - C

¥ Gnline - offline

* parwlli table

Birthday Attack on CTR$Birthday attack on CTR$

Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family of functions and SE = (K,E ,D) the corresponding CTR$ symmetric encryption scheme. Suppose1-block messages M0,M1 are encrypted:

C0[0]C0[1]$ E(K ,M0) C1[0]C1[1]

$ E(K ,M1)

Let us say we are lucky If C0[0] = C1[0]. If so:

C0[1] = C1[1] if and only if M0 = M1

So if we are lucky we can detect message equality and violate IND-CPA.Mihir Bellare UCSD 38

E¥f

The AdversaryBirthday attack on CTR$

Let 1 q < 2n be a parameter and let hii be integer i encoded as an `-bitstring.

adversary A

for i = 1, ..., q do

C i [0]C i [1] $ LR(hii, h0i)S {(j , t) : C j [0] = C t [0] and j < t}If S 6= ;, then

(j , t) $ SIf C j [1] = C t [1] then return 1

return 0


Birthday Of queryq

birthday attack

adversary

← µ±fPr[rioHEaigm⇒D- Preening'⇒D

Want to know Adviundrjem ( Aida " ) zoisodzl

Left Game AnalysisAyr

'

Abadan⇒ If = O

.Prf letters

ProofTwo cases :

Case 1 . S=f$ . Then CIED ot Cj > A city # ( ⇒

Since Cite ]=ct 'Ll ] and j¥t .

Case 2 = 5=4 .A always oupits O

.

So in either case A outputs O⇒

Right Game AnalysisClaim Pr[Rl6HEAm£$M ] } o

.3q÷-

proof If s # ¢ then we have

Cs 'Ll ]=@'Cozy ) goal =< ettoftlsoolsince C

's'LoT=ctZo ]

.

i

ConclusionAdrien:P

"

C Abi.,) I G 3¥

`Security of CTR$

So far: A q-query adversary can break CTR$ with advantage ⇡ q2

2n+1

Question: Is there any better attack?

Answer: NO!

We can prove that the best q-query attack short of breaking the blockcipher has advantage at most

2(q � 1)�

2n

where � is the total number of blocks across all messages encrypted.

Example: If q 1-block messages are encrypted then � = q so the adversaryadvantage is not more than 2q2/2n.

For E = AES this means up to about 264 blocks may be securelyencrypted, which is good.Mihir Bellare UCSD 45

Security of CTR$

The TheoremSecurity of CTR$

Theorem: [BDJR97] Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family offunctions and SE = (K, E ,D) the corresponding CTR$ symmetricencryption scheme. Let A be an ind-cpa adversary against SE that hasrunning time t and makes at most q LR queries, the messages across themtotaling at most � blocks. Then there is a prf-adversary B against E suchthat

Adv

ind-cpaSE (A) 2 · AdvprfE (B) +

2(q � 1)�

2n

Furthermore, B makes at most � oracle queries and has running timet +⇥(� · (n + `)).


-

birthday.

Intuition

thought:

replace E with random function wl same domain and

Runge .

Now,

if the adversary is lucky-

and makesLR queries such that Cito ]=etE @

then it can gain advantage .

Otherwise we are encrypting with a

)one-tinepad]

Interval IntersectionInterval intersection probability

Let N, q,m � 1 be integers and let ZN = {0, 1, . . . ,N � 1}. Let + beaddition modulo N. Consider the game

For i = 1, . . . , q do

ci$ ZN ; Ii {ci + 1, . . . , ci +m}

For 1 i < j q define the events

Bi ,j : Si \ Sj 6= ; and B :W

1i<jqBi ,j .

Then let

IIP(N, q,m) = Pr[B] .

Problem: Upper bound IIP(N, q,m) as a function of N, q,m.


Pvt Av B) I PREAI + PRIB)

.

.

Interval IntersectionInterval intersection probability

Claim: IIP(N, q,m) q(q � 1)

2

(2m � 1)

N

Why? For any 1 i < j q we have

Pr[Bi ,j ] = Pr[Si \ Sj 6= ;]

= Pr[cj 2 {ci �m + 1, . . . , ci +m � 1}] = 2m � 1

N.

Then by the Union bound

IIP(N, q,m) = Pr[W

1i<jq] X

1i<jq

Pr[Bi ,j ]

=

✓q

2

◆2m � 1

N.


proof . Pr[ B ] s § RIBI,;) = (E) PIB ; ;]

and

PVLBI, ;] = PRICE { ci - MH

,. .

, Citm . i }=

Zm÷⇒ PRTB ) e- 9k¥ Kmt

Advantage RevisitedAlternative formulation of advantage

Let SE = (K, E ,D) be a symmetric encryption scheme and A an adversary.

Game GuessSE


K$ K ; b $ {0, 1}

procedure LR(M0,M1)

return C$ EK (Mb)

procedure Finalize(b0)return (b = b0)

Proposition: Advind-cpaSE (A) = 2 · PrhGuess

ASE)true

i� 1.

Proof: Observe

Pr⇥b0 = 1 | b = 1

⇤= Pr

hRight

ASE)1

i

Pr⇥b0 = 1 | b = 0

⇤= Pr

hLeft

ASE)1

i


Game ChainGames G0,G1 for the proof

Game G0

procedure LR(M0,M1)

C [0] $ {0, 1}nfor i = 1, ...,m do

P C [0] + iif P 62 S then T[P] EK (P)C [i ] T [P] � Mb[i ]S S [ {P}

return C

Game G1

procedure LR(M0,M1)

C [0] $ {0, 1}nfor i = 1, ...,m do

P C [0] + i

if P /2 S then T[P] $ {0, 1}`C [i ] T[P] � Mb[i ]S S [ {P}

return C

ThenAdv

ind-cpaSE (A) = 2 · Pr

hGA0

i� 1


Code I ×]{ no o }

ClaimsAnalysis

Clearly Pr[GA0 ] = Pr[GA

1 ] +�Pr[GA

0 ]� Pr[GA1 ]�.

Claim 1: We can design prf-adversary B so that

Pr[GA0 ]� Pr[GA

1 ] Adv

prfE (B)

Claim 2: Pr[GA1 ]

1

2+

(q � 1)�

2n

Given these, we have

Adv

ind-cpaSE (A) 2 ·

✓1

2+

(q � 1)�

2n

◆� 1 + 2 · AdvprfE (B)

=2(q � 1)�

2n+ 2 · AdvprfE (B)

which proves the theorem. It remains to prove the claims.


}

Proof of Claim 1Adversary BFNC . )

bets { o( 19

Run A

when A makes ER every no,

m,

Code ITIP ] ← FNCP ) ]tf A outputs b then net

. 1

Proof of Claim 2

Games Con’tIntroducing the “bad” flag

Game G1

procedure LR(M0,M1)

C [0] $ {0, 1}n

for i = 1, ...,m do

P C [0] + i

If P /2 S thenT[P] $ {0, 1}`

C [i ] T[P]�Mb[i ]

S S [ {P}return C

Game G2 , G3

procedure LR(M0,M1)

C [0] $ {0, 1}n

for i = 1, ...,m do

P C [0] + i

C [i ] $ {0, 1}`

If P 2 S thenbad true ; C [i ] T[P]�Mb[i ]

T[P] C [i ]�Mb[i ]

S S [ {P}return C

Pr[GA1 ] = Pr[GA

2 ] = Pr[GA3 ] +

⇣Pr[GA

2 ]� Pr[GA3 ]⌘


Using fundamental lemmaUsing the fundamental lemma

Game G2 , G3

procedure LR(M0,M1)

C [0] $ {0, 1}n

for i = 1, ...,m do

P C [0] + i; C [i ] $ {0, 1}`

If P 2 S thenbad true ; C [i ] T[P]�Mb[i ]

T[P] C [i ]�Mb[i ]; S S [ {P}return C

G2 and G3 are identical-until-bad, so Fundamental Lemma implies

PrhGA2

i� Pr

hGA3

i Pr

hGA3 sets bad

i.


Completing the Proof

Security of CBC$Security of CBC$

Theorem: [BDJR97] Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}n be a block cipherand SE = (K, E ,D) the corresponding CBC$ symmetric encryptionscheme. Let A be an ind-cpa adversary against SE that has running time tand makes at most q LR queries, the messages across them totaling atmost � blocks. Then there is a prf-adversary B against E such that

Adv

ind-cpaSE (A) 2 · AdvprfE (B) +

�2

2n

Furthermore, B makes at most � oracle queries and has running timet +⇥(� · n).

Exercise: Prove the above theorem.


Padding

mi0, mi1, and vi are completely determined, as are the values vi0 and xi0j for i0 = 1, . . . , i � 1 andj = 0, . . . , vi0�1; however, the values of yi0, . . . , yi` are still uniformly and independently distributedover X . Moreover, as xij = yij �mib[j] for j = 0, . . . , vi � 1, it follows that these xij values are alsouniformly and independently distributed over X . Thus, for any fixed index j = 0, . . . , vi � 1, andany fixed indices i0 and j0, with (i0, j0) < (i, j), the probability that xij = xi0j0 in this conditionalprobability space is 1/N . The bound (5.28) now follows from an easy calculation.

Finally, we claim thatPr[W3] = 1/2. (5.29)

This follows from the fact that

Coins , b, yij (i = 1, . . . Q, j = 0, . . . , `)

are independently distributed, and the fact that the adversary’s output b̂ is a function of

Coins, yij (i = 1, . . . Q, j = 0, . . . , `).

From this, we see that b̂ and b are independent, and so (5.29) follows immediately.Putting together (5.24) through (5.29), we have

CPAadv

⇤[A, E 0] Q2`2

2N+ PRFadv[B, E].

By Theorem 4.4, we have

�

�BCadv[B, E ] � PRFadv[B, E]�

� Q2`2

2N,

and (5.23) follows, which proves the theorem. 2

5.4.4 Case study: CBC padding in TLS 1.0

Let E = (E, D) be a block cipher with domain X . Our description of CBC mode encryption using Eassumes that messages to be encrypted are elements of X`. When the domain is X = {0, 1}128,as in the case of AES, this implies that the length of messages to be encrypted must be a multipleof 16 bytes. Since the length of messages in practice need not be a multiple of 16 we need a wayaugment CBC to handle messages whose length is not necessarily a multiple of the block size.

Suppose we wish to encrypt a v-byte message m using AES in CBC mode when v is notnecessarily a multiple of 16. The first thing that comes to mind is to somehow pad the message mso that its length in bytes is a multiple of 16. Clearly the padding function needs to be invertibleso that during decryption the padding can be removed.

The TLS 1.0 protocol defines the following padding function for encrypting a v-byte messagewith AES in CBC mode: let p := 16 � (v mod 16), then append p bytes to the message m wherethe content of each byte is value p � 1. For example, consider the following two cases:

• if m is 29 bytes long then p = 3 and the pad consists of the three bytes “222” so that thepadded message is 32 bytes long which is exactly two AES blocks.

• if the length of m is a multiple of the block size, say 32 bytes, then p = 16 and the padconsists of 16 bytes. The padded message is then 48 bytes long which is three AES blocks.

194

Revocable Broadcast

k1k1 k2k2 k3k3 k4k4 k5k5 k6k6 k7k7 k8k8

k9 k10 k11 k12

k13 k14

k15

Figure 5.5: The tree of keys for n = 8 devices; shaded nodes are the keys embedded in device 3.

to revoke that key, so that this device key cannot be used to decrypt future Blu-ray disks, butwithout impacting any other devices in the field.

A revocable broadcast system. Suppose there are n devices in the system, where for simplicity,let us assume n is a power of two. We treat these n devices as the leaves of a complete binary tree,as shown in Fig. 5.5. Every internal node in the tree is assigned a random key in the key space K.The keys embedded in device number i 2 {1, . . . , n} is the set of keys on the path from leaf numberi to the root. This way, every device is given exactly log2 n keys in K.

When the system is first launched, and no device keys are yet revoked, all content is encryptedusing the key at the root (key number 15 in Fig. 5.5). More precisely, we encrypt a movie m as:

cm :=�

k R K, c1 R E(kroot, k), c R E0(k, m), output (c1, c)

Because all devices have the root key kroot, all devices can decrypt.

Revoking devices. Now, suppose device number i is attacked, and all the keys stored on it arepublished. Then all future content will be encrypted using the keys associated with the siblings ofthe log2 n nodes on the path from leaf i to the root. For example, when device number 3 in Fig. 5.5is revoked, all future content is encrypted using the three keys k4, k9, k14 as

cm :=

8

>

>

<

>

>

:

k R Kc1 R E(k4, k), c2 R E(k9, k), c3 R E(k14, k)c R E0(k, m)output (c1, c2, c3, c)

9

>

>

=

>

>

;

(5.34)

Again, (c1, c2, c3) is the ciphertext header, and c is the ciphertext body. Observe that devicenumber 3 cannot decrypt cm, because it cannot decrypt any of the ciphertexts in the header.However, every other device can easily decrypt using one of the keys at its disposal. For exampledevice number 6 can use k14 to decrypt c3. In e↵ect, changing the encryption scheme to encryptas in (5.35) revokes device number 3, without impacting any other device. The cost to this is thatthe ciphertext header now contains log2 n blocks, as opposed to a single block before the devicewas revoked.

More generally, suppose r devices have been compromised and need to be revoked. Let S ✓{1, . . . , n} be the set of non-compromised devices, so that that |S| = n � r. New content will beencrypted using keys in the tree so that devices in S can decrypt, but all devices outside of Scannot. The set of keys that makes this possible is characterized by the following definition:

201

Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. LetS ✓ {1, . . . , n} be a set of leaves. We say that a set of nodes W ✓ {1, . . . , 2n � 1} covers the setS if every leaf in S is a descendant of some node in W , and leaves outside of S are not. We usecover(S) to denote the smallest set of nodes that covers S.

Fig. 5.6 gives an example of a cover of the set of leaves {1, 2, 4, 5, 6}. The figure captures asettings where devices number 3, 7, and 8 are revoked. It should be clear that if we use keys incover(S) to encrypt a movie m, then devices in S can decrypt, but devices outside of S cannot. Inparticular, we encrypt m as follows:

cm :=

8

>

>

<

>

>

:

k R Kfor u 2 cover(S) : cu R E(ku, k)c R E0(k, m)output ({cu}u2cover(S), c)

9

>

>

=

>

>

;

. (5.35)

The more devices are revoked, the larger the header of cm becomes. The following theorem showshow big the header gets in the worst case. The proof is an induction argument that also suggestsan e�cient recursive algorithm to compute an optimal cover.

Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every1 r n, and every set S of n� r leaves, we have

|cover(S)| r · log2(n/r)

Proof. We prove the theorem by induction on log2 n. For n = 1 the theorem is trivial. Now, assumethe theorem holds for a tree with n/2 leaves, and let us prove it for a tree T with n leaves. Thetree T is made up of a root node, and two disjoint sub-trees, T1 and T2, each with n/2 leaves. Letus split the set S ✓ {1, . . . , n} in two: S = S1 [ S2, where S1 is contained in {1, . . . , n/2}, and S2

is contained in {n/2+ 1, . . . , n}. That is, S1 are the elements of S that are leaves in T1, and S2 arethe elements of S that are leaves in T2. Let r1 := (n/2)� |S1| and r2 := (n/2)� |S2|. Then clearlyr = r1 + r2.

First, suppose both r1 and r2 are greater than zero. By the induction hypothesis, we know thatfor i = 1, 2 we have |cover(Si)| ri log2(n/2ri). Therefore,

|cover(S)| = |cover(S1)| + |cover(S2)| r1 log2(n/2r1) + r2 log2(n/2r2)

= r log2(n/r) +�

r log2 r � r1 log2(2r1)� r2 log2(2r2)� r log2(n/r),

which is what we had to prove in the induction step. The last inequality follows from a simple factabout logarithms, namely that for all numbers r1 � 1 and r2 � 1, we have

(r1 + r2) log2(r1 + r2) r1 log2(2r1) + r2 log2(2r2).

Second, if r1 = 0 then r2 = r � 1, and the induction step follows from:

|cover(S)| = 1 + |cover(S2)| 1 + r log2(n/2r) = 1 + r log2(n/r)� r r log2(n/r),

as required. The case r2 = 0 follows similarly. This completes the induction step, and the proof. 2

Theorem 5.8 shows that r devices can be revoked at the cost of increasing the ciphertext headersize to O(r log n) blocks. For moderate values of r this is not too big. Nevertheless, this general

202

Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. LetS ✓ {1, . . . , n} be a set of leaves. We say that a set of nodes W ✓ {1, . . . , 2n � 1} covers the setS if every leaf in S is a descendant of some node in W , and leaves outside of S are not. We usecover(S) to denote the smallest set of nodes that covers S.

Fig. 5.6 gives an example of a cover of the set of leaves {1, 2, 4, 5, 6}. The figure captures asettings where devices number 3, 7, and 8 are revoked. It should be clear that if we use keys incover(S) to encrypt a movie m, then devices in S can decrypt, but devices outside of S cannot. Inparticular, we encrypt m as follows:

cm :=

8

>

>

<

>

>

:

k R Kfor u 2 cover(S) : cu R E(ku, k)c R E0(k, m)output ({cu}u2cover(S), c)

9

>

>

=

>

>

;

. (5.35)

The more devices are revoked, the larger the header of cm becomes. The following theorem showshow big the header gets in the worst case. The proof is an induction argument that also suggestsan e�cient recursive algorithm to compute an optimal cover.

Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every1 r n, and every set S of n� r leaves, we have

|cover(S)| r · log2(n/r)

Proof. We prove the theorem by induction on log2 n. For n = 1 the theorem is trivial. Now, assumethe theorem holds for a tree with n/2 leaves, and let us prove it for a tree T with n leaves. Thetree T is made up of a root node, and two disjoint sub-trees, T1 and T2, each with n/2 leaves. Letus split the set S ✓ {1, . . . , n} in two: S = S1 [ S2, where S1 is contained in {1, . . . , n/2}, and S2

is contained in {n/2+ 1, . . . , n}. That is, S1 are the elements of S that are leaves in T1, and S2 arethe elements of S that are leaves in T2. Let r1 := (n/2)� |S1| and r2 := (n/2)� |S2|. Then clearlyr = r1 + r2.

First, suppose both r1 and r2 are greater than zero. By the induction hypothesis, we know thatfor i = 1, 2 we have |cover(Si)| ri log2(n/2ri). Therefore,

|cover(S)| = |cover(S1)| + |cover(S2)| r1 log2(n/2r1) + r2 log2(n/2r2)

= r log2(n/r) +�

r log2 r � r1 log2(2r1)� r2 log2(2r2)� r log2(n/r),

which is what we had to prove in the induction step. The last inequality follows from a simple factabout logarithms, namely that for all numbers r1 � 1 and r2 � 1, we have

(r1 + r2) log2(r1 + r2) r1 log2(2r1) + r2 log2(2r2).

Second, if r1 = 0 then r2 = r � 1, and the induction step follows from:

|cover(S)| = 1 + |cover(S2)| 1 + r log2(n/2r) = 1 + r log2(n/r)� r r log2(n/r),

as required. The case r2 = 0 follows similarly. This completes the induction step, and the proof. 2

Theorem 5.8 shows that r devices can be revoked at the cost of increasing the ciphertext headersize to O(r log n) blocks. For moderate values of r this is not too big. Nevertheless, this general

202

Broadcast Encryption

In particular, for every nCPA adversary A that attacks E 0 as in the bit-guessing version of AttackGame 5.3, and which makes at most Q queries to its challenger, there exists BC adversary Bthat attacks E as in Attack Game 4.1, and a PRF adversary BF that attacks F as in AttackGame 4.2, where B and BF are elementary wrappers around A, such that

nCPAadv[A, E 0] 2Q2`2

N+ 2 · PRFadv[BF , F ] + 2 · BCadv[B, E ]. (5.33)

Again, we leave the proof as an exercise for the reader. Note that in the above construction,we may use the underlying block cipher E for the PRF F ; however, it is essential that independentkeys k and k0 are used (see Exercise 5.14).

5.6 A fun application: revocable broadcast encryption

Movie studios spend a lot of e↵ort making blockbuster movies, and then sell the movies (on DVDs)to millions of customers who purchase them to watch at home. A customer should be able to watchmovies on a stateless standalone movie player, that has no network connection.

The studios are worried about piracy, and do not want to send copyrighted digital content in theclear to millions of users. A simple solution could work as follows. Every authorized manufactureris given a device key kd 2 K, and it embeds this key in every device that it sells. If there are a

hundred authorized device manufacturers, then there are a hundred device keys k(1)d , . . . , k(100)

d . Amovie m is encrypted as:

cm :=

8

>

>

<

>

>

:

k R Kfor i = 1, . . . , 100 : ci R E(k(i)

d , k)c R E0(k, m)output (c1, . . . , c100, c)

9

>

>

=

>

>

;

where (E, D) is a CPA secure cipher, and (E0, D0) is semantically secure with key space K. Weanalyze this construction in Exercise 5.4, where we show that it is CPA secure. We refer to(c1, . . . , c100) as the ciphertext header, and refer to c is the body.

Now, every authorized device can decrypt the movie using its embedded device key. First,decrypt the appropriate ciphertext in the header, and then use the obtained key k to decryptthe body. This mechanism forms the basis of the content scrambling system (CSS) used toencrypted DVDs. We previously encountered CSS in Section 3.8.

The trouble with this scheme is that once a single device is comprised, and its device key kd isextracted and published, then anyone can use this kd to decrypt every movie ever published. Thereis no way to revoke kd without breaking many consumer devices in the field. In fact, this is exactlyhow CSS was broken: the device key was extracted from an authorized player, and then used in asystem called DeCSS to decrypt encrypted DVDs.

The lesson from CSS is that global unrevocable device keys are a bad idea. Once a single keyis leaked, all security is lost. When the DVD format was updated to a new format called Blu-ray,the industry got a second chance to design the encryption scheme. In the new scheme, called theAdvanced Access Content System (AACS), every device gets a random device key unique tothat device. The system is designed to support billions of devices, each with its own key.

The goals of the system are twofold. First, every authorized device should be able to decryptevery Blu-ray disk. Second, whenever a device key is extracted and published, it should be possible

200

symmetric encryption - georgetown...

Documents