Post on 01-Jan-2016
transcript
Pseudo-Random Functions
Encryption as Permutation
• Assume cryptosystem correct and P=C
• If x ≠ x’ then E_K(x) ≠ E_K(x’)
• So, no y is hit by more than one x
• Therefore all y are hit by some x
• E_K is a permutation of plaintext space P
• There are |P|! such permutations
[Figure: arrows from a top row 000 001 010 011 100 101 110 111 to a bottom row of the same eight strings]
Encryption as Permutation
• On the other hand, any permutation of P can be used to encrypt
– Decryption consists of following the arrows in the backwards direction
• Symmetric encryption can be seen as just permuting the set of possible messages
– The applied permutation is the key
[Figure: arrows from a top row 000 001 010 011 100 101 110 111 to a bottom row of the same eight strings]
Encryption as Permutation
• The more permutations are used for encryption, the less Oscar knows about which permutation is used
• Why not just use the set of all permutations as the key space?
• To encrypt L-bit strings there are 2^L plaintexts and thus (2^L)! permutations
• Takes b = log_2((2^L)!) ~ L·2^L bits to write down one of the permutations (log(n!) ~ n log(n))
[Figure: arrows from a top row 000 001 010 011 100 101 110 111 to a bottom row of the same eight strings]
Encryption as Permutation
L       Key length (bits)   Comparison
10      10,000
20      20,000,000
30      30,000,000,000      A long movie
40      4·10^13             100 DVDs
50      10^17               1,000,000 DVDs
64      10^21               10,000,000,000 DVDs
128     10^41               Atoms in the atmosphere
256     10^79               Atoms in the universe
512     10^157              Atoms in 10^78 universes
1024    10^311              ???
Encryption as Permutation
• For all practical cryptosystems the set of encryption functions consists of a relatively very small subset of the possible permutations of the plaintext space
Shift Cipher
• P = K = Z_26 = {0,1,…,25}
• Encryption: E_K(x) = x + K mod 26
• Decryption: D_K(y) = y - K mod 26
• Correctness: follows from the rule: (a + b mod N) + c mod N = a + (b + c mod N) mod N
• Illustrated for K=3 (and 11 instead of 26):
[Figure: the numbers 0,…,10 in a top row, each mapped by a shift of 3 to the same numbers in a bottom row]
Shift Cipher
• Can of course be seen as encryption of the English alphabet:
[Figure: with a shift of 3, the alphabet a b c d e … w x y z is mapped to D E F G H … Z A B C]
Electronic Codebook
• To encrypt a text, encrypt one letter at a time
• Known as electronic codebook (ECB)
• Not a very secure mode!
[Figure: wheelbarrow encrypted one letter at a time with K = 3, giving ZKHHOEDUURZ]
Exhaustive Search
• The shift cipher has too few keys and can therefore be broken by trying them all:
[Figure: the ciphertext ZKHHOEDUURZ decrypted with K = 1, K = 2 and K = 3; K = 3 gives wheelbarrow]
Exhaustive Search
• The set of encryption functions should not be too small a subset of all permutations of the plaintext space
• Currently 2^64 simple computational operations are considered infeasible to perform, so a key of 64 bits should be enough to protect against exhaustive search
• There are other reasons to have longer keys though!
Substitution Cipher
• P = Z_26 = {0,1,…,25}
• K = set of permutations of Z_26
• Encryption: E(x) = (x)
• Decryption: D(y) = -1(x)
• Example key: (Z,G,A,O,N,…,C,X,I,Q)
– (with letters instead of numbers)
• There are > 2^88 keys, so exhaustive search is impossible today
– But can be broken using statistical analysis
[Figure: the alphabet a b c d e … w x y z mapped to Z G A O N … C X I Q]
Transposition
• P = (Z_26)^m = {0,1,…,25}^m
• K = set of permutations of {1,…,m}
• K = x=(x_1,…,x_m) y=(y_1,…,y_m)
• Encryption: E(x) = (x(1),…,x(m))
• Decryption: E(x) = (x(1),…,x(m))
– Where = -1
• Number of keys: m!
– Soon too large to fall prey to exhaustive search
– But can easily be broken using other methods
Transposition Example
[Figure: the letters of wheelbarrow rearranged block by block by a permutation of the positions 1,…,5]
Friedman
• We encode a black and white photo as a bit-string by encoding black as 1 and white as 0
• We encrypt the bit-string with ECB mode and turn the resulting bit-string into a black and white image using the reverse encoding
Friedman: [image]
Substitution Example
• Substitution of 4-bit blocks
• #keys = (2^4)!
• 45-bit keys
– log_2((2^4)!) ~ 45
[Figure: the 16-bit block 0110 0011 0110 1101 passed through four 4-bit substitutions (sub), giving 1101 1000 1101 0010]
Transposition Example
• Transposition of 16-bit blocks
• #keys = 16!
• 45-bit keys
– log_2(16!) ~ 45
[Figure: the bits of the 16-bit block 1111 1011 0111 1101 moved to new positions, giving 1101 1111 1011 0111]
Composition and Iteration
• Neither substitution of small blocks nor transposition is secure in itself
• A few rounds of substitution followed by transposition, however, turn out to do a good job
– Substitution ensures that changing just one bit in the input makes four bits in output flip at random
– Transposition spreads the changes
– Iteration creates an avalanche effect
• The result is that each different 16-bit block is replaced by a completely random looking 16-bit block
• Idea behind modern symmetric cryptosystems
– More about that when we look at AES
Compose+Iterate Example
[Figure: rounds of four 4-bit substitutions (sub), each followed by a transposition, applied to a 16-bit block; bits not yet determined are shown as ?]
After 5 rounds: [image]
Compose+Iterate Example
• 45+45=90-bit keys
– Withstands exhaustive search
• The result is a surprisingly good encryption of 16-bit blocks
• The remaining pattern is due to our use of ECB
– Can be fixed by using CBC
After 5 rounds: [image]
Compose+Iterate Example
• 45+45=90-bit keys
– Withstands exhaustive search
• The result is a surprisingly good encryption of 16-bit blocks
• The remaining pattern is due to our use of ECB
– Can be fixed by using CBC
5 rounds + CBC: [image]
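The round structure from the Composition and Iteration and Compose+Iterate slides, as an added example that is not part of the original deck: four 4-bit substitutions followed by a 16-bit transposition, iterated, then used in ECB and CBC. The seeded key generation, the function names and the bit ordering are assumptions made for the illustration.

```python
import random

def make_key(seed):
    """Key = a random 4-bit substitution table plus a random 16-bit transposition."""
    rng = random.Random(seed)  # constructed demo key, not a secure key generator
    sbox, perm = list(range(16)), list(range(16))
    rng.shuffle(sbox); rng.shuffle(perm)
    return sbox, perm

def invert(p):
    return [p.index(i) for i in range(len(p))]

def substitute(block, sbox):
    # the same 4-bit table is applied to each of the four nibbles
    return sum(sbox[(block >> s) & 0xF] << s for s in (0, 4, 8, 12))

def transpose(block, perm):
    # bit i of the input moves to position perm[i] of the output
    return sum(((block >> i) & 1) << perm[i] for i in range(16))

def encrypt(block, key, rounds=5):
    for _ in range(rounds):
        block = transpose(substitute(block, key[0]), key[1])
    return block

def decrypt(block, key, rounds=5):
    inv_sbox, inv_perm = invert(key[0]), invert(key[1])
    for _ in range(rounds):
        block = substitute(transpose(block, inv_perm), inv_sbox)
    return block

def avalanche(key, rounds, trials=2000):
    """Average number of output bits that flip when one input bit is flipped."""
    rng, total = random.Random(1), 0
    for _ in range(trials):
        x, bit = rng.randrange(1 << 16), 1 << rng.randrange(16)
        total += bin(encrypt(x, key, rounds) ^ encrypt(x ^ bit, key, rounds)).count("1")
    return total / trials

def ecb(blocks, key):
    return [encrypt(b, key) for b in blocks]

def cbc(blocks, key, iv):
    out = [iv]  # each plaintext block is XORed with the previous ciphertext block
    for b in blocks:
        out.append(encrypt(b ^ out[-1], key))
    return out[1:]
```

Comparing `avalanche(key, 1)` with `avalanche(key, 5)` shows the effect of iteration, and encrypting a run of identical blocks with `ecb` and `cbc` shows where the remaining pattern in the image comes from.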
Pseudo-Random Functions
• The ideal block cipher would have all possible permutations as key
• The output of such a block cipher would be completely random
– Actually F(1)=42 excludes that F(2)=42, but except for that there would be no structure
• This inspires the definition of a pseudo-random function (PRF)
• An encryption function F_K is said to be a PRF if one cannot distinguish the outputs F_K(x) from uniformly random outputs when K is random and one does not know K
Pseudo-Random Functions
• F_{{0,1}^k}: {0,1}^L → {0,1}^l is called a (t,)-PRF if the following two interactive algorithms are (t,)-IND
• Algorithm A:
– Sample a uniformly random key K from {0,1}^k
– On each input x in {0,1}^L return F_K(x)
• Algorithm B:
– For each x in {0,1}^L sample a uniformly random y in {0,1}^l and store it in a table T, i.e., let T[x] = y
– On each input x return y=T[x]
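Algorithms A and B as a distinguishing game, in an added example that is not part of the original deck: the shift cipher from the earlier slides is plugged in as the candidate F, and a two-query distinguisher shows why it is not a PRF. Working over Z_26 instead of bit strings, the class and function names, and filling the table T lazily (which gives the same output distribution as filling it up front) are assumptions of the example.

```python
import secrets

class OracleA:
    """Algorithm A: sample a key K once, answer each query x with F_K(x)."""
    def __init__(self, F, key_space):
        self.F, self.K = F, secrets.randbelow(key_space)
    def query(self, x):
        return self.F(self.K, x)

class OracleB:
    """Algorithm B: a uniformly random table T, filled in on first use of each x."""
    def __init__(self, out_space):
        self.out_space, self.T = out_space, {}
    def query(self, x):
        if x not in self.T:
            self.T[x] = secrets.randbelow(self.out_space)
        return self.T[x]

def shift_F(K, x):
    # the shift cipher E_K(x) = x + K mod 26, used as a candidate PRF on Z_26
    return (x + K) % 26

def distinguisher(oracle):
    """Guess 'A' if the outputs show the shift structure F(1) - F(0) = 1 mod 26."""
    return "A" if (oracle.query(1) - oracle.query(0)) % 26 == 1 else "B"

def advantage(trials=20000):
    """Estimate |Pr[guess A when talking to A] - Pr[guess A when talking to B]|."""
    hits_a = sum(distinguisher(OracleA(shift_F, 26)) == "A" for _ in range(trials))
    hits_b = sum(distinguisher(OracleB(26)) == "A" for _ in range(trials))
    return abs(hits_a - hits_b) / trials
```

Against A the guess is always right, while a random table passes the check only with probability 1/26, so the estimated advantage is close to 25/26.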