Date posted: 19-Jan-2016
1
Symmetric-Key Encryption
CSE 5351: Introduction to Cryptography
Reading assignment:
• Chapter 2
• Chapter 3 (sections 3.1-3.4)
• You may skip proofs, but are encouraged to read some of them.
2
This course (layers, from foundations to applications):
Computational Difficulty (One-Way Functions)
Pseudorandom Generators and Functions
Zero-Knowledge Proof Systems
Encryption Schemes
Crypto Protocols
Sign/MAC/hash Schemes
APPLICATIONS (security)
3
Outline
Theory of symmetric-key encryption
• What is a symmetric-key encryption scheme?
• What does it mean by secure or not secure?
• How to construct a secure encryption scheme?
Practical symmetric-key encryption schemes
• RC4: a stream cipher
• AES: Advanced Encryption Standard
4
Symmetric-key encryption scheme
K, M, C: key space, plaintext space, ciphertext space.
Key generation algorithm G: generates keys k ∈ K.
Encryption algorithm E: E_k : M → C.
Decryption algorithm D: D_k : C → M.
Correctness requirement: for each k ∈ K and m ∈ M, D_k(E_k(m)) = m.
G, E, D are publicly known, and efficiently computable.
To use the scheme, Alice and Bob run G to generate a key k ∈ K, and keep it secret.
Question: What is the security requirement?
5
The notion of security
Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.
How to define security?
Different levels of security: an encryption scheme is secure if, given a ciphertext c = E_k(m), the adversary cannot recover (one of the following):
1. the secret key k
2. the plaintext m
3. any character of the plaintext
4. any useful or meaningful information about the plaintext
5. any information about the plaintext
We will adopt (and formalize) one of these options. Which one?
6
Shannon's notion of perfect secrecy
Adversary: an eavesdropper with unlimited computing power.
Encryption scheme: (G, E, D, K, M, C)
Regard plaintext m and key k as random variables with some probability distributions over M and K, respectively.
The encryption algorithm E induces a probability distribution over C:
Pr(c) = Σ_{m ∈ M, k ∈ K, E_k(m) = c} Pr(m) Pr(k)
For simplicity, and w.l.o.g., assume Pr(m) > 0 and Pr(c) > 0 for all m ∈ M and c ∈ C.
7
Notation
Experiment: Pick a message m, a key k, and obtain a ciphertext c = E_k(m).
Pr(m): probability of message m being picked
Pr(k): probability of key k being picked
Pr(c): probability of c being the ciphertext
Pr(m | c): probability of m being the message given ciphertext c
Pr(c | m) = Pr_k(E_k(m) = c) = Σ_{k ∈ K, E_k(m) = c} Pr(k): probability of m being encrypted as c
8
Shannon's Definition: An encryption scheme is perfectly secret if for every probability distribution over M,
Pr(m | c) = Pr(m) for all m ∈ M and c ∈ C.
Theorem: The following are equivalent:
Pr(m | c) = Pr(m) for all m ∈ M and c ∈ C.
Pr(c | m) = Pr(c) for all m ∈ M and c ∈ C.
Pr(c | m) = Pr(c | m') for all m, m' ∈ M, c ∈ C.
Pr_k(E_k(m) = c) = Pr_k(E_k(m') = c) for all m, m' ∈ M, c ∈ C.
9
Vernam's one-time pad encryption scheme
M = K = C = {0,1}^n, n fixed.
Key generation: k ←_u {0,1}^n (chosen uniformly at random).
Encryption algorithm: E_k : m ↦ c = E_k(m) := m ⊕ k.
Thus, to use Vernam's one-time pad, Alice and Bob need to share (in advance) a long enough random key.
This is impractical for most applications.
The scheme is perfectly secret (against eavesdroppers).
10
Perfect secrecy of Vernam's one-time pad (n = 1)
Distribution of m: Pr(m = 0) = p_0, Pr(m = 1) = p_1.
Distribution of k: Pr(k = 0) = 1/2, Pr(k = 1) = 1/2.
It is easy to verify that Pr(c = j) = 1/2 for j ∈ {0,1}.
For (fixed) i, j ∈ {0,1}, we have
Pr(m = i | c = j) = Pr(m = i, c = j) / Pr(c = j)
= Pr(m = i, k = i ⊕ j) / Pr(c = j)
= Pr(m = i) Pr(k = i ⊕ j) / Pr(c = j)
= Pr(m = i).
Similar proof for n > 1.
11
One-time pad for messages of varying length
M = C = {0,1}^{≤ n}, n fixed.
K = {0,1}^n.
Key generation: k ←_u {0,1}^n.
Encryption algorithm: E_k : m ↦ c = E_k(m) := m ⊕ k, where if m ∈ {0,1}^i then only the first i bits of k are used.
Question: Is it perfectly secret?
12
Shannon's Theorems
Encryption E: E_k : M → C.
Thm: Necessary condition for perfect secrecy: |K| ≥ |C| ≥ |M|.
Thus, if K = {0,1}^l and M = {0,1}^n, then l ≥ n, i.e., keys must be at least as long as messages.
Thm: When |K| = |C| = |M|, the encryption scheme is perfectly secret if and only if both of the following hold:
Every key k ∈ K is used with equal probability 1/|K|;
For every m ∈ M and c ∈ C, there is a unique k ∈ K such that E_k(m) = c. (For the same m, using different keys k yields different ciphertexts c.)
13
Proof of |K| ≥ |C| ≥ |M|
Obviously, |C| ≥ |M|.
To see |K| ≥ |C|, consider the uniform distribution for K.
Consider any plaintext m ∈ M.
Let C_m = {c ∈ C : E_k(m) = c for some key k}.
We have |C_m| ≤ |K|.
If |K| < |C|, then |C_m| ≤ |K| < |C|; some c is not a valid ciphertext of m.
For c ∈ C \ C_m, Pr(m | c) = 0 ≠ Pr(m) ⇒ not perfectly secret.
14
Use of Shannon's Theorem
With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret.
It is easy to design another perfectly secret encryption scheme. For example, take Caesar's shift cipher:
K = {0, 1, ..., 25}, M = C = {a, b, ..., z}.
Key generation: k ←_u K.
Encryption: E_k(m) = (m + k) mod 26.
This scheme is perfectly secret if a new uniformly generated random key is used for every character. True or false?
Big problem: how would Alice and Bob agree on a secret key (a long sequence of random characters) in advance?
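The checks of the last few slides can be run mechanically: enumerate every (key, message) pair, tabulate Pr_k(E_k(m) = c), and test Shannon's last equivalent condition (the same Pr_k(E_k(m) = c) for every m, at every c) together with the necessary condition |K| ≥ |C| ≥ |M|. The code below is an added example, not from the slides; the three schemes (bit-string one-time pad, the varying-length variant of slide 11, and one Caesar character with a fresh key) are the slides' own, but the function names are chosen here.

```python
from itertools import product

def encryption_table(keys, messages, encrypt):
    """Return {(m, c): Pr_k[E_k(m) = c]} for a key k drawn uniformly from `keys`."""
    counts = {}
    for m in messages:
        for k in keys:
            mc = (m, encrypt(k, m))
            counts[mc] = counts.get(mc, 0) + 1
    return {mc: n / len(keys) for mc, n in counts.items()}

def is_perfectly_secret(keys, messages, encrypt):
    """Shannon's criterion in its last equivalent form: for every ciphertext c,
    Pr_k(E_k(m) = c) must be the same for all messages m (missing pairs count as 0)."""
    table = encryption_table(keys, messages, encrypt)
    ciphertexts = {c for (_, c) in table}
    return all(len({table.get((m, c), 0.0) for m in messages}) == 1 for c in ciphertexts)

def space_sizes(keys, messages, encrypt):
    """(|K|, |C|, |M|); Shannon's necessary condition says |K| >= |C| >= |M|."""
    table = encryption_table(keys, messages, encrypt)
    return len(keys), len({c for (_, c) in table}), len(messages)

def xor_bits(k, m):
    # one-time pad on bit tuples; if |m| < |k| only the first |m| key bits are used
    return tuple(mi ^ ki for mi, ki in zip(m, k))

def otp_bits(n):
    """Vernam's one-time pad with M = K = C = {0,1}^n."""
    space = list(product((0, 1), repeat=n))
    return space, space, xor_bits

def varying_length_otp(n):
    """Slide 11's variant: messages of any length 1..n, keys of length n."""
    keys = list(product((0, 1), repeat=n))
    messages = [m for L in range(1, n + 1) for m in product((0, 1), repeat=L)]
    return keys, messages, xor_bits

def caesar_single_char():
    """Caesar shift on one letter with a fresh uniform key in {0, ..., 25}."""
    keys = list(range(26))
    letters = [chr(ord("a") + i) for i in range(26)]
    enc = lambda k, m: chr(ord("a") + (ord(m) - ord("a") + k) % 26)
    return keys, letters, enc

if __name__ == "__main__":
    for name, scheme in [("one-time pad, n=3", otp_bits(3)),
                         ("varying-length OTP, n=3", varying_length_otp(3)),
                         ("Caesar, one character", caesar_single_char())]:
        print(name, "perfectly secret:", is_perfectly_secret(*scheme),
              "(|K|, |C|, |M|) =", space_sizes(*scheme))
```

The varying-length variant fails both tests: a ciphertext of length 2 can only come from a message of length 2, so Pr_k(E_k(m) = c) is 0 for every message of another length, and |C| = 14 exceeds |K| = 8 for n = 3.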
15
Vigenère Cipher
Alice and Bob agree on a secret key: e.g., bible.
Then use Caesar's cipher with keys "b, i, b, l, e" in turn.
For instance: ohio state ↦ E_b(o) E_i(h) E_b(i) E_l(o) E_e(s) E_b(t) E_i(a) E_b(t) E_l(e)
Of course it is not perfectly secret. (Why not?)
Can you suggest a strategy to improve Vigenère cipher's security?
16
Limitations of Perfect Secrecy
To achieve perfect secrecy:
keys must be as long as messages (if K = {0,1}^l and M = {0,1}^n, then l ≥ n);
a new key must be generated for each message.
It is desired to use a short key to encrypt multiple messages.
To this end, we need to relax the security requirement.
Unfortunately, it seems hard to relax the conditions of perfect secrecy.
We will use a different notion of security that is equivalent to perfect secrecy and can be easily relaxed.
17
Absolute Ciphertext-Indistinguishability
Imagine an experiment on an encryption scheme (G, E, D):
The adversary (Eve) chooses two messages m_0, m_1 from the message space, not necessarily of the same length.
Bob selects a key k (by running G) and a message m ∈ {m_0, m_1}. He computes a ciphertext c = E_k(m) and gives c to Eve. (c is called the challenge ciphertext.)
Eve tries to tell whether c is the encryption of m_0 or m_1.
The encryption scheme is absolutely ciphertext-indistinguishable if no adversary can succeed with probability greater than 1/2.
18
Definition of Absolute Ciphertext-Indistinguishability
Adversary: an eavesdropper with unlimited computing power.
Encryption scheme: (G, E, D, K, M, C).
Distinguishing algorithm A: a probabilistic algorithm that on input m_0, m_1 ∈ M and c ∈ C outputs a bit b ∈ {0,1}.
We model an adversary as a distinguishing algorithm.
An encryption scheme is absolutely ciphertext-indistinguishable if for every distinguishing algorithm A and every two m_0, m_1 ∈ M,
Pr[A(m_0, m_1, E_k(m_b)) = b : b ←_u {0,1}, k ← G] = 1/2
or, equivalently,
Pr[A(m_0, m_1, E_k(m_0)) = 1 : k ← G] = Pr[A(m_0, m_1, E_k(m_1)) = 1 : k ← G].
19
Remark
Pr[A(m_0, m_1, E_k(m_b)) = b : k ← G, b ←_u {0,1}]
= Pr[b = 0] · Pr[A(m_0, m_1, E_k(m_0)) = 0 : k ← G] + Pr[b = 1] · Pr[A(m_0, m_1, E_k(m_1)) = 1 : k ← G]
= (1/2) Σ_{c ∈ C} Pr[E_k(m_0) = c] · Pr[A(m_0, m_1, c) = 0] + (1/2) Σ_{c ∈ C} Pr[E_k(m_1) = c] · Pr[A(m_0, m_1, c) = 1]
Here A(m_0, m_1, E_k(m_b)) denotes the output of A on input (m_0, m_1, E_k(m_b)).
20
Remark
The KL book uses PrivK^{eav}_{A,Π} to denote the experiment, where
Π is the encryption scheme in question
A is the adversary, an eavesdropper
PrivK^{eav}_{A,Π} outputs 1 if the adversary succeeds
An encryption scheme Π is absolutely ciphertext-indistinguishable if for every distinguishing algorithm A,
Pr[PrivK^{eav}_{A,Π} = 1] = 1/2
21
Equivalence of perfect secrecy and absolute ciphertext-indistinguishability
Theorem: An encryption scheme is perfectly secret if and only if it is absolutely ciphertext-indistinguishable.
22
Perfect secrecy ⇒ ciphertext-indistinguishability
If the encryption scheme is perfectly secret, then Pr_k(E_k(m_0) = c) = Pr_k(E_k(m_1) = c) for all m_0, m_1 ∈ M, c ∈ C.
Pr[PrivK^{eav}_{A,Π} = 1] = Pr[Eve wins] = Pr[A(m_0, m_1, E_k(m_b)) = b]
= Σ_{i ∈ {0,1}; c ∈ C} Pr[b = i] Pr_k(E_k(m_i) = c) Pr[A(m_0, m_1, c) = i]
= (1/2) Σ_{i ∈ {0,1}; c ∈ C} Pr_k(E_k(m_i) = c) Pr[A(m_0, m_1, c) = i]
= (1/2) Σ_{c ∈ C} Pr_k(E_k(m_0) = c) Σ_{i ∈ {0,1}} Pr[A(m_0, m_1, c) = i]
= 1/2.
23
Perfect secrecy ⇐ ciphertext-indistinguishability
If the encryption scheme is not perfectly secret, then there exist m_0, m_1 ∈ M such that
Pr_k(E_k(m_0) = c) ≠ Pr_k(E_k(m_1) = c) for some c ∈ C.
For these two messages, the following adversary succeeds with probability > 1/2: for c ∈ C,
A(m_0, m_1, c) = 0 if Pr_k(E_k(m_0) = c) > Pr_k(E_k(m_1) = c);
A(m_0, m_1, c) = 1 if Pr_k(E_k(m_0) = c) < Pr_k(E_k(m_1) = c);
A(m_0, m_1, c) = i ←_u {0,1} otherwise.
The scheme is not absolutely ciphertext-indistinguishable.
24
Relaxing the security requirement
In absolute ciphertext-indistinguishability (perfect secrecy), the adversary may have unlimited computing power, no better than 1/2 probability of success; also, message length is hidden.
Now we relax the notion of absolute ciphertext-indistinguishability (perfect secrecy) by
limiting adversaries to having polynomial computing power,
allowing the success rate to be negligibly better than 1/2,
not hiding message length.
25
Negligible functions
A nonnegative function f : N → R is said to be negligible if for every positive polynomial P(n), there is an integer n_0 such that f(n) < 1/P(n) for all n ≥ n_0 (i.e., for sufficiently large n).
Examples: 2^{-n}, 2^{-√n}, n^{-log n} are negligible functions.
Negligible functions approach zero faster than the reciprocal of every polynomial.
We write negl(n) to denote an unspecified negligible function.
26
Security Parameter
When we say that an algorithm is polynomial-time, it is w.r.t. the algorithm's input size (in terms of number of bits).
The running time of an algorithm is polynomial if its T(n) = O(poly(n)) for some polynomial poly(n), where n is the input size.
Each encryption scheme is associated with a security parameter, which is related to the key length.
When we say a probability is negligible, it is w.r.t. the encryption scheme's security parameter.
27
Symmetric-key encryption scheme (refined)
Message space: M = {0,1}*.
Key generation algorithm G: On input 1^n, G(1^n) outputs a key k ∈ {0,1}^n. (K = {0,1}^n; and n is the security parameter.)
Encryption algorithm E: On input a key k and a plaintext m ∈ M, E outputs a ciphertext c. We write c ← E(k, m) or c ← E_k(m).
Decryption algorithm D: On input a key k and a ciphertext c, D outputs a message m. We write m := D(k, c) or m := D_k(c).
Correctness requirement: for each k ∈ K and m ∈ M, D_k(E_k(m)) = m.
G, E probabilistic algorithms. D deterministic. All poly-time.
28
Computational Ciphertext-Indistinguishability
Adversary: a polynomial eavesdropper with a single ciphertext.
(G, E, D): an encryption scheme with security parameter n.
Imagine a game played by Bob and Eve (adversary):
Eve, given input 1^n, outputs a pair of messages m_0, m_1 of the same length.
Bob chooses a key k ← G(1^n) and a bit b ←_u {0,1}; computes c ← E_k(m_b); and gives c to Eve.
Eve tries to determine whether c is the encryption of m_0 or m_1.
An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than 1/2.
29
Definition: An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if for every polynomial-time probabilistic algorithm A and all m_0, m_1 ∈ M with |m_0| = |m_1|, it holds:
| Pr[A(1^n, m_0, m_1, E_k(m_b)) = b : b ←_u {0,1}, k ← G(1^n)] − 1/2 | ≤ negl(n)
or
| Pr[A(1^n, m_0, m_1, E_k(m_0)) = 1 : k ← G(1^n)] − Pr[A(1^n, m_0, m_1, E_k(m_1)) = 1 : k ← G(1^n)] | ≤ negl(n).
30
Multiple-ciphertext indistinguishability
Now suppose a key is used to encrypt multiple messages.
The adversary, given input 1^n, selects two vectors of messages:
m_0 = (m_0^1, m_0^2, ..., m_0^t) and m_1 = (m_1^1, m_1^2, ..., m_1^t)
such that |m_0^i| = |m_1^i| for all i.
Bob generates a key k ← G(1^n) and a bit b ←_u {0,1}; and gives the ciphertext vector c = E_k(m_b) to the adversary.
The adversary tries to tell whether c was computed from m_0 or m_1.
An encryption scheme is computationally multiple-ciphertext-indistinguishable if for every two message vectors no polynomial adversary can succeed with probability non-negligibly > 1/2.
31
Remarks
We have defined two notions of security against eavesdroppers:
1. (Computational) single-ciphertext-indistinguishability: a key is used to encrypt only one message
2. (Computational) multiple-ciphertext-indistinguishability: a key may be used to encrypt multiple messages
Note: (1) does not imply (2). For example:
Vernam's one-time pad is absolutely single-ciphertext-indistinguishable.
If keys are not used in a "one-time" fashion, the scheme will not be ciphertext-indistinguishable. Just let m_0 = (0,0) and m_1 = (0,1).
Next, we will see how to construct ciphertext-indistinguishable encryption schemes.
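The remark's counterexample, played out as the multiple-ciphertext game of slide 30, as an added example (not code from the slides). With a single reused key bit, the two ciphertext bits are equal exactly when the two plaintext bits are, so the adversary below wins every round; with a fresh key bit per message it is reduced to guessing. Function names and the trial counts are this example's own choices.

```python
import random

def two_time_pad(rng, msgs):
    """One key bit reused for every message in the vector (not one-time)."""
    k = rng.randrange(2)
    return tuple(m ^ k for m in msgs)

def one_time_pad(rng, msgs):
    """A fresh uniform key bit for every message: proper one-time usage."""
    return tuple(m ^ rng.randrange(2) for m in msgs)

def equality_adversary(c):
    """Guess m_0 = (0,0) iff the two ciphertext bits are equal."""
    return 0 if c[0] == c[1] else 1

def multiple_ciphertext_game(encrypt, adversary, m0, m1, trials, seed=0):
    """Bob picks b uniformly, encrypts the vector m_b, the adversary guesses b.
    Returns the adversary's success rate over `trials` rounds."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        c = encrypt(rng, (m0, m1)[b])
        wins += adversary(c) == b
    return wins / trials

if __name__ == "__main__":
    m0, m1 = (0, 0), (0, 1)
    print("key reused :", multiple_ciphertext_game(two_time_pad, equality_adversary, m0, m1, 10000))
    print("fresh keys :", multiple_ciphertext_game(one_time_pad, equality_adversary, m0, m1, 10000))
```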
32
Secure Encryption Schemes
Secure (i.e., ciphertext-indistinguishable against eavesdroppers) symmetric-key encryption schemes may be constructed from:
Pseudorandom generators
Pseudorandom functions
Pseudorandom permutations.
33
Stream Ciphers
Encryption schemes using pseudorandom generators
34
Motivation
Vernam's one-time pad scheme is perfectly secure against a single-message eavesdropper.
Unfortunately, it requires a random key (pad) as long as the message.
Solution: use a short key as seed to generate a "pseudorandom" key (pad) which is as long as needed.
This is the basic idea of stream ciphers.
35
Stream ciphers
Encryption schemes as shown below. Same as Vernam's one-time pad, except that pseudorandom keystreams are used.
36
What is a pseudorandom generator?
Informally, a pseudorandom generator G is an algorithm that, given a (short) truly random string s, outputs a "random-like" string longer than s.
Informally, a string is "random-like" if it is hard to tell whether it was generated by a truly random generator or by a pseudorandom generator.
Loosely speaking, two sets A, B ⊆ {0,1}^{p(n)} are said to be polynomially indistinguishable if for every polynomial distinguisher D,
| Pr[D(r) = 1 : r ←_u A] − Pr[D(r) = 1 : r ←_u B] | ≤ negl(n)
You may interpret "1" as "r ∈ A."
37
In the above, we were actually talking about the indistinguishability between two ensembles (sequences) of sets: (A_n)_{n ∈ N} and (B_n)_{n ∈ N}.
Definition: Two ensembles of sets (A_n)_{n ∈ N} and (B_n)_{n ∈ N} are polynomially indistinguishable if for every polynomial-time distinguisher D, it holds that
| Pr[D(r) = 1 : r ←_u A_n] − Pr[D(r) = 1 : r ←_u B_n] | ≤ negl(n)
Which of the following are polynomially indistinguishable?
A_n = {0,1}^n, B_n = {0,1}^n \ {0^n}
A_n = {0,1}^n, B_n = {s ∈ {0,1}^n : …} (the condition on s did not survive extraction)
A_n = {0,1}^n, B_n = 0{0,1}^{n−1}
38
{0,1}^n and {0,1}^n \ {0^n} are polynomially indistinguishable.
Let A_n = {0,1}^n and B_n = {0,1}^n \ {0^n}. For any distinguisher D,
Pr[D(r) = 1 : r ←_u A_n] = Pr[r = 0^n] Pr[D(0^n) = 1] + Pr[r ≠ 0^n] Pr[D(r) = 1 : r ←_u B_n]
= (1/2^n) Pr[D(0^n) = 1] + (1 − 1/2^n) Pr[D(r) = 1 : r ←_u B_n].
Hence
| Pr[D(r) = 1 : r ←_u A_n] − Pr[D(r) = 1 : r ←_u B_n] | = (1/2^n) | Pr[D(0^n) = 1] − Pr[D(r) = 1 : r ←_u B_n] | ≤ 1/2^n = negl(n).
39
Definition of pseudorandom generator
Let l(n) be a polynomial such that l(n) > n for all n > 0.
Let G be a deterministic polynomial-time algorithm that, for any input string s ∈ {0,1}^n, outputs a string of length l(n).
G is said to be a pseudorandom generator with expansion factor l(n) if for every polynomial-time distinguisher D,
| Pr[D(G(s)) = 1 : s ←_u {0,1}^n] − Pr[D(r) = 1 : r ←_u {0,1}^{l(n)}] | ≤ negl(n)
That is, the two ensembles (A_n)_{n ∈ N} and (B_n)_{n ∈ N}, where A_n := {G(s) : s ∈ {0,1}^n} and B_n := {r : r ∈ {0,1}^{l(n)}}, are polynomially indistinguishable.
40
Existence of pseudorandom generators
If one-way functions exist, then pseudorandom generators exist.
That is, pseudorandom generators can be constructed from one-way functions.
Chapter 6 shows how to construct pseudorandom generators from one-way permutations.
True pseudorandom generators are slow for applications.
In practice, algorithms such as RC4 are used.
41
Existence of pseudorandom generators (basic idea)
Let f : {0,1}^n → {0,1}^n be a one-way function.
Let b : {0,1}^n → {0,1} be a hard-core predicate of f.
Easy to compute b(x) from x. But hard to compute b(x) from f(x).
Given seed s, let x_0 = s.
Starting from x_0, apply f repeatedly: x_0, x_1 = f(x_0), x_2 = f(x_1), ..., x_{l(n)−1} = f(x_{l(n)−2}).
Let G(x_0) = b(x_0), b(x_1), b(x_2), ..., b(x_{l(n)−1}).
G is a pseudorandom generator with expansion factor l(n).
42
Example: Blum-Blum-Shub pseudorandom generator
Let n = pq for two large primes p, q.
Let f(x) = x^2 mod n.
Let b(x) = the least significant bit of x.
Let x_0, x_1 = f(x_0), x_2 = f(x_1), ..., x_{l(n)−1} = f(x_{l(n)−2}).
Let G(x_0) = b(x_0), b(x_1), b(x_2), ..., b(x_{l(n)−1}).
G is a pseudorandom generator with expansion factor l(n).
43
Stream ciphers
Encryption schemes based on pseudorandom generators.
G: a pseudorandom generator with expansion factor l.
Key generation: on input 1^n, generates a key k ←_u {0,1}^n.
Encryption: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^{l(n)}, ciphertext c := E_k(m) := m ⊕ G(k).
Decryption: on input a key k and a ciphertext c, m := c ⊕ G(k).
(New keys for new messages.)
Different pseudorandom generators yield different stream ciphers.
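Slides 41 to 43 chained together, as an added example that is not code from the slides: the generic "iterate f, output the hard-core bit" generator, Blum-Blum-Shub as its instance, and the stream cipher c = m ⊕ G(k) on top of it. The primes 10007 and 10039 are constructed toy parameters (both ≡ 3 mod 4, as BBS needs) chosen so the example runs instantly; they give no security, which needs primes hundreds of digits long. Squaring the seed first is standard BBS practice, not something the slide states.

```python
import math

P, Q = 10007, 10039   # constructed toy Blum primes (both 3 mod 4); real use needs large primes

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def hardcore_bit_generator(f, b, x0, length):
    """Slide 41's construction: x_{i+1} = f(x_i); output b(x_0), b(x_1), ..., b(x_{length-1})."""
    out, x = [], x0
    for _ in range(length):
        out.append(b(x))
        x = f(x)
    return out

def bbs_bits(seed, length, p=P, q=Q):
    """Blum-Blum-Shub: f(x) = x^2 mod n, b(x) = least significant bit of x."""
    n = p * q
    assert p % 4 == 3 and q % 4 == 3 and math.gcd(seed, n) == 1
    x0 = seed * seed % n   # start from a quadratic residue (standard BBS practice)
    return hardcore_bit_generator(lambda x: x * x % n, lambda x: x & 1, x0, length)

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def stream_encrypt(key_seed, message):
    """Slide 43's stream cipher: c = m xor G(k) with G = BBS. Decryption is the same operation."""
    pad = bits_to_bytes(bbs_bits(key_seed, 8 * len(message)))
    return bytes(a ^ b for a, b in zip(message, pad))

stream_decrypt = stream_encrypt

if __name__ == "__main__":
    msg = b"attack at dawn"          # constructed sample plaintext
    ct = stream_encrypt(123456, msg)
    print(ct.hex(), stream_decrypt(123456, ct))
```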
44
Security of stream ciphers
Theorem: If a truly pseudorandom generator G(k) is used, and the input key k is randomly generated and used only once, then the stream cipher is polynomially single-ciphertext-indistinguishable against eavesdroppers.
45
Security of stream ciphers (intuition)
If encrypting with a truly random string r: E_r(m) = m ⊕ r
cannot tell between E_r(m_0) and E_r(m_1): absolutely single-ciphertext-indistinguishable
If a pseudorandom string G(s) is used instead: E_s(m) = m ⊕ G(s)
cannot tell between r and G(s) except for a negligible fraction of cases
cannot tell between E_r(m) and E_s(m) except for a negligible fraction of cases
cannot tell between E_s(m_0) and E_s(m_1) except for a negligible fraction of cases: computationally single-ciphertext-indistinguishable
46
Security of stream ciphers (proof sketch)
By contradiction. Will show:
If the stream cipher is not computationally single-ciphertext-indistinguishable, then the "pseudorandom" generator G used in the stream cipher is not truly pseudorandom.
If there exists an adversary A that can successfully attack the stream cipher with significant probability, then there exists a distinguisher D that can successfully distinguish between random strings r and "pseudorandom" strings G(s) with significant probability, i.e., G is not truly pseudorandom.
47
Assume the stream cipher is not computationally single-ciphertext-indistinguishable; then there exist an adversary A, a polynomial p(n), infinitely many integers n, and messages m_0 and m_1 of length l(n), such that
Pr[A(m_0, m_1, m_b ⊕ G(s)) = b : b ←_u {0,1}, s ←_u {0,1}^n] ≥ 1/2 + 1/p(n).
Construct a distinguisher D: Given a string w ∈ {0,1}^{l(n)}, D tells whether w is random or pseudorandom as follows.
Let b ←_u {0,1}, c := m_b ⊕ w, and b' ← A(m_0, m_1, c).
If b' = b, then return 1, else return 0.
48
Distinguisher D (diagram): on input w, pick b ←_u {0,1}, set c := m_b ⊕ w, run the adversary A against the stream cipher on (m_0, m_1, c) to get b'; output 1 if A succeeds (b' = b), 0 if A fails.
Pr[D(w) = 1] = Pr[A succeeds] = 1/2 if w is truly random; ≥ 1/2 + 1/p(n) if w is pseudorandom.
D can distinguish between random and pseudorandom strings with probability significantly better than 1/2 ⇒ G is not pseudorandom.
49
In More Detail
Pr[D(w) = 1 : w ←_u {0,1}^{l(n)}]
= Pr[A(m_0, m_1, m_b ⊕ w) = b : b ←_u {0,1}, w ←_u {0,1}^{l(n)}] = 1/2
Pr[D(w) = 1 : w := G(s), s ←_u {0,1}^n]
= Pr[A(m_0, m_1, m_b ⊕ w) = b : w := G(s), b ←_u {0,1}, s ←_u {0,1}^n] ≥ 1/2 + 1/p(n)
| Pr[D(w) = 1 : w ←_u {0,1}^{l(n)}] − Pr[D(w) = 1 : w := G(s), s ←_u {0,1}^n] | ≥ 1/p(n)
⇒ G is not a truly pseudorandom generator.
50
Encrypting multiple messages with a single key
Stream ciphers require a new key for each plaintext (or not secure).
In practice, Alice and Bob wish to share a permanent key k and use it to encrypt many messages. One possible strategy:
Derive from k a new key k' for each message.
For example, to send a message m, Bob generates a random string r and uses k' = k ⊕ r as a seed to the pseudorandom generator G.
Include r in the ciphertext, i.e., c := E_k(m) := (r, m ⊕ G(k ⊕ r)).
It is probabilistic!
Unfortunately, the resulting scheme is not necessarily secure.
51
Using stream ciphers in a session
At the beginning of a session, Alice and Bob agree on two keys k_1 and k_2 (called session keys).
Alice and Bob each run G(k_1) and G(k_2) to get two (long enough) pseudorandom strings, say PS_1 and PS_2.
Alice encrypts her sequence of messages m_1, m_2, m_3, ... as c_1, c_2, c_3, ... := (m_1, m_2, m_3, ...) ⊕ PS_1.
Bob uses PS_2 for encryption.
Online pseudorandom generators.
52
The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA Security, and kept as a trade secret until leaked out in 1994.
• Most popular stream cipher
• Simple and fast
• Used in many standards
• Actually not a cipher, but a practical, approximate pseudorandom generator.
• Not truly pseudorandom.
53
RC4
Two vectors of bytes:
S[0], S[1], S[2], ..., S[255]
T[0], T[1], T[2], ..., T[255]
Input Key (seed) K: variable length, 1 to 256 bytes
Initialization:
1. S[i] = i, for 0 ≤ i ≤ 255
2. T[0..255] = K, K, ... (until filled up)
54
RC4: Initial Permutation
Initial Permutation of S:
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256
    Swap S[i], S[j]
Idea: swapping bytes dependently of the input key.
After this step, the input key will not be used.
55
RC4: Key Stream Generation
Key stream generation:
i, j = 0
while (true)
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    Swap S[i], S[j]
    t = (S[i] + S[j]) mod 256
    output S[t]
Idea: systematically keep swapping and producing output bytes
56
Security of RC4
• RC4 is not a truly pseudorandom generator.
• The keystream generated by RC4 is biased.
  – The second byte is biased toward zero with high probability.
  – The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
  – Called "RC4-drop[n-bytes]".
  – Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
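The three RC4 slides turned into running code, as an added example (not code from the slides): the initialization and key-stream routines exactly as written above, RC4-drop[n] as the `drop` parameter, and a measurement of the second-byte bias the security slide mentions, obtained by generating two keystream bytes under many random keys and counting how often the second one is zero (an unbiased generator gives 1/256). The 16-byte random keys and the trial counts are this example's own choices; the known test vectors (key "Key" / plaintext "Plaintext", key "Wiki" / plaintext "pedia") are the published RC4 vectors.

```python
import random

def rc4_ksa(key):
    """Initialization and initial permutation of S (slides 53 and 54)."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]   # T[0..255] = K, K, ... until filled
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, nbytes, drop=0):
    """Key stream generation (slide 55); `drop` implements RC4-drop[n]."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(drop + nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out[drop:])

def rc4_crypt(key, data, drop=0):
    """Encryption and decryption are the same XOR with the keystream."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))

def second_byte_zero_rate(num_keys, drop=0, seed=1):
    """Fraction of random 16-byte keys whose 2nd output byte (after `drop`) is zero."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.randrange(256) for _ in range(16))
        zeros += rc4_keystream(key, 2, drop)[1] == 0
    return zeros / num_keys

if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # published vector: bbf316e8d940af0ad3
    print("P[Z2 = 0] without drop:", second_byte_zero_rate(16000), "(unbiased: %.5f)" % (1 / 256))
    print("P[Z2 = 0] with drop 256:", second_byte_zero_rate(8000, drop=256))
```

The first rate comes out near 2/256, twice what a uniform keystream would give; after discarding 256 bytes the same measurement falls back to about 1/256, which is the effect the RC4-drop[n] defense relies on.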
57
The Use of RC4 in WEP
• WEP is an RC4-based protocol for encrypting data transmitted over an IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 40 or 104-bit long-term key and a random 24-bit R.
RC4 key: Long-term key (40 or 104 bits) || R (24 bits)
802.11 Frame: Header | R | Message | CRC, with Message and CRC encrypted
58
WEP is not secure
• Mainly because of its way of constructing the key
• Can be cracked in a minute
• http://eprint.iacr.org/2007/120.pdf
59
Summary
Vernam's one-time pad is absolutely single-ciphertext-indistinguishable.
The pad here is truly random and used only once.
A stream cipher is a practical implementation of Vernam's one-time pad.
The pad is pseudorandom (depending on a short key) and used only once.
It is polynomially single-ciphertext-indistinguishable.
Question: How to use a short key to encrypt multiple messages?
Question: How about using a secret pseudorandom generator?
Theory of Block Ciphers
Encryption schemes using pseudorandom
functions or permutations
Reading: Sections 3.5-3.7 of Katz & Lindell
60
61
Motivation and basic idea
Let H_n be the set of all functions f : {0,1}^n → {0,1}^n.
How many such functions are there?
There are 2 choices (0 or 1) for each of n·2^n bits.
So, there are 2^{n·2^n} different functions. I.e., |H_n| = 2^{n·2^n}.
Now, suppose Alice and Bob randomly choose a function f ∈ H_n, and use f as their secret key.
To encrypt a message m ∈ {0,1}^n, randomly choose a string r ∈ {0,1}^n, and encrypt m as c := (r, m ⊕ f(r)).
To decrypt (r, m'), where m' = m ⊕ f(r), compute m := m' ⊕ f(r).
The secret key here is the function f.
62
Question: what's the length of the key f?
Since |H_n| = 2^{n·2^n}, we need a string of log_2 |H_n| = n·2^n bits to name/label a function in H_n. That is infeasible.
Solution:
Choose a "small" subset F_n ⊆ H_n such that F_n is indistinguishable from H_n by any polynomial-time distinguisher.
F_n is said to be a set of pseudorandom functions. Or F_n is a pseudorandom set of functions.
Then, randomly picking a function from F_n (as the encryption key) will be almost as good as randomly picking a function from H_n.
Let F_n contain no more than 2^n elements. Then the key length will only be n.
63
Definition of pseudorandom functions
Let l(n) be a polynomial. For instance, l(n) = n.
Let H_n := the set of all functions h : {0,1}^{l(n)} → {0,1}^{l(n)}, and F_n ⊆ H_n.
F_n is a set of l(n)-bit pseudorandom functions if for every polynomial-time distinguisher D, it holds that
| Pr[D^f(1^n) = 1 : f ←_u F_n] − Pr[D^h(1^n) = 1 : h ←_u H_n] | ≤ negl(n)
Remarks:
The running time of D is polynomial in n, the input size.
D is equipped with an "oracle" f(·) which D can query about the value of f(x) for various x. The running time of each query is 1. (May regard f(·) as a subroutine.)
64
In the above definition, we actually were talking about two ensembles of functions: (H_n)_{n ∈ N} and (F_n)_{n ∈ N}.
Examples:
F_n := {h ∈ H_n : h(0^{l(n)}) = 0^{l(n)}}. Distinguishable. Let D^h(1^n) := 1 if h(0^{l(n)}) = 0^{l(n)}, 0 otherwise.
F_n := {h ∈ H_n : h(x) … x for all x ∈ {0,1}^{l(n)}} (the relation between h(x) and x did not survive extraction).
65
Constructing pseudorandom functions
A set of l(n)-bit pseudorandom functions can be constructed from a pseudorandom generator.
For simplicity, assume l(n) = n.
Let G : {0,1}^n → {0,1}^{2n} be a pseudorandom generator.
Write G(s) = G_0(s) G_1(s), where G_0(s) and G_1(s) are the first and second halves of G(s).
For all k ∈ {0,1}^n and r = b_1 b_2 b_3 ... b_n ∈ {0,1}^n, define
f_k(r) = G_{b_n}(... G_{b_3}(G_{b_2}(G_{b_1}(k))) ...).
A set of pseudorandom functions: F_n := {f_k : {0,1}^n → {0,1}^n | k ∈ {0,1}^n}.
66
[Figure: binary tree with root k, edges labelled G_0 and G_1 at each level; leaves shown include f_k(000), f_k(110), f_k(111).]
Each leaf represents an f_k(r), with r specifying the path from the root to that leaf.
67
Permutations
A function f : X → X is called a permutation if it is bijective (one-to-one and onto).
We are interested in permutations f : {0,1}^{l(n)} → {0,1}^{l(n)}.
68
Pseudorandom permutations
Let l(n) be a polynomial. For instance, l(n) = n.
Let H_n := the set of all permutations h : {0,1}^{l(n)} → {0,1}^{l(n)}, and let F_n ⊆ H_n be a subset.
F_n is a set of l(n)-bit pseudorandom permutations if for every polynomial-time distinguisher D, it holds that
| Pr[D^f(1^n) = 1 : f ←_u F_n] − Pr[D^h(1^n) = 1 : h ←_u H_n] | ≤ negl(n)
Pseudorandom permutations can be constructed from pseudorandom functions using Feistel networks (next slide).
69
Constructing pseudorandom permutations (skipped)
Let F_n := {f_k : k ∈ {0,1}^n} be a set of l(n)-bit pseudorandom functions, where l(n) is a fixed polynomial.
For every key k ∈ {0,1}^{3n}, parse it as (k_1, k_2, k_3) with each k_i of length n.
Use the three pseudorandom functions f_{k_1}, f_{k_2}, f_{k_3} in a 3-round Feistel network. This yields a permutation p_{k_1 k_2 k_3} : {0,1}^{2l(n)} → {0,1}^{2l(n)}.
Theorem: The set of all such permutations
P_{3n} := {p_{k_1 k_2 k_3} : k_1, k_2, k_3 ∈ {0,1}^n}
is a set of pseudorandom permutations.
70
Encrypting data blocks using pseudorandom functions
Let F_n = {f_k : k ∈ {0,1}^n} be a set of l(n)-bit pseudorandom functions or permutations. (l(n) is a fixed polynomial.)
Key space: K = {0,1}^n. Key length = n.
Message space: M = {0,1}^{l(n)}. Block size = l(n). (A string of a fixed size is called a block.)
Key generation algorithm G: on input 1^n, outputs k ←_u {0,1}^n.
Encryption algorithm E: On input m ∈ M and key k, randomly generates a string r ←_u {0,1}^{l(n)} and outputs ciphertext c := (r, f_k(r) ⊕ m). (Note: E(k, m) is a probabilistic algorithm.)
Note: f_k(r) is used as a mask (pseudorandom string) to hide m.
Decryption is trivial.
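The tree construction of slide 65 and the single-block scheme of this slide, as an added example that is not code from the slides. The length-doubling generator G is stood in for by SHA-256 with a one-byte label (an assumption of this example; a real construction needs a proven pseudorandom generator), n is 128 bits, and f_k(r) walks the 128 bits of r from the root exactly as in the figure on slide 66. Function names are this example's own.

```python
import hashlib
import os

N = 16   # key and block length in bytes (security parameter n = 128 bits)

def prg_half(s, bit):
    """G_bit(s): one half of a length-doubling G(s) = G_0(s) || G_1(s).
    SHA-256 over a label byte and s is a stand-in for a real PRG (assumption)."""
    return hashlib.sha256(bytes([bit]) + s).digest()[:N]

def ggm_prf(key, r):
    """f_k(r) = G_{b_n}(... G_{b_2}(G_{b_1}(k)) ...): the bits of r select the path from the root k."""
    x = key
    for byte in r:
        for i in range(7, -1, -1):          # most significant bit first
            x = prg_half(x, (byte >> i) & 1)
    return x

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, m, r=None):
    """Slide 70: c = (r, f_k(r) xor m), with a fresh random r unless one is supplied."""
    assert len(key) == N and len(m) == N
    r = os.urandom(N) if r is None else r
    return r + xor(ggm_prf(key, r), m)

def block_decrypt(key, c):
    r, body = c[:N], c[N:]
    return xor(ggm_prf(key, r), body)

if __name__ == "__main__":
    key = os.urandom(N)
    m = b"sixteen byte msg"               # constructed 16-byte sample block
    c1, c2 = block_encrypt(key, m), block_encrypt(key, m)
    print(c1.hex()); print(c2.hex())      # same plaintext, different ciphertexts
    print(block_decrypt(key, c1) == m, block_decrypt(key, c2) == m)
```

Evaluating f_k costs 128 hash calls per block, which is the price of a construction whose only assumption is the generator; practical pseudorandom functions (block ciphers) are built directly.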
71
Encrypting variable-length messages
Now let's see how to encrypt a message of arbitrary length using a pseudorandom function or permutation.
Let b = l(n) be the block size.
Encryption algorithm E: On input m ∈ {0,1}* and key k,
Pad the message m so that its length is a multiple of b (block size).
Divide the padded message into blocks of size b, say m = m_1 m_2 ... m_t.
Let r_1, r_2, ..., r_t ←_u {0,1}^b, and use f_k(r_1), ..., f_k(r_t) as masks.
The ciphertext is c := (r_1, f_k(r_1) ⊕ m_1, r_2, f_k(r_2) ⊕ m_2, ..., r_t, f_k(r_t) ⊕ m_t).
72
Modes of operation
The above encryption scheme doubles the message size.
More efficient ways to do it, traditionally called modes of operation (of block ciphers).
Idea: compute r_1, r_2, ..., r_t from some initial value, say, r_0.
Important modes of operation include:
Counter mode (CTR mode)
Output feedback mode (OFB mode)
Cipher feedback mode (CFB mode)
Cipher block chaining mode (CBC mode)
CBC requires the underlying f_k to be a pseudorandom permutation.
The other three modes work for both functions and permutations.
73
Counter mode (CTR)
Idea: Instead of choosing t random strings r_1, r_2, ..., r_t, choose just one string r, and let r_i = r + i for 0 ≤ i ≤ t − 1.
Thus, to encrypt a padded message m, with key k:
Divide m into blocks of size b, say, m = m_1 m_2 m_3 ... m_t
Choose a random string r ←_u {0,1}^b.
Encrypt m as c := (r, f_k(r) ⊕ m_1, ..., f_k(r + t − 1) ⊕ m_t)
In the literature, the string r is called an Initialization Vector (IV).
74
Output feedback mode (OFB)
Idea: Let r_0 = IV, and r_1 = f_k(r_0), r_2 = f_k(r_1), ..., r_t = f_k(r_{t−1}).
Use r_1, r_2, ..., r_t (i.e., f_k(r_0), f_k(f_k(r_0)), ..., f_k^t(r_0)) as masks.
More precisely, to encrypt a padded message m, with key k:
Divide m into blocks of size b, say, m = m_1 m_2 m_3 ... m_t
Choose a random initialization vector IV ←_u {0,1}^b.
Encrypt m as c := (r_0, f_k(r_0) ⊕ m_1, ..., f_k(r_{t−1}) ⊕ m_t)
or equivalently, c := (r_0, r_1 ⊕ m_1, ..., r_t ⊕ m_t)
where r_0 := IV, and r_i := f_k(r_{i−1}) for 1 ≤ i ≤ t.
75
Cipher feedback mode (CFB)
Idea: Similar to OFB, but now the strings r_1, r_2, ..., r_t are chosen to be r_i = c_{i−1} for 1 ≤ i ≤ t, where c_0 := IV, and c_{i−1} is the previous cipher block.
Thus, to encrypt a padded message m, with key k:
Let m = m_1 m_2 m_3 ... m_t
Choose a random initialization vector IV ←_u {0,1}^b.
Encrypt m as c := c_0 c_1 c_2 c_3 ... c_t
where c_0 := IV, and c_i := f_k(c_{i−1}) ⊕ m_i for 1 ≤ i ≤ t.
76
Cipher block chaining mode (CBC)
Suppose m = m_1 m_2 m_3 ... m_t
CTR, OFB, CFB are based on the idea of encrypting m as:
c := (r_1, f_k(r_1) ⊕ m_1, r_2, f_k(r_2) ⊕ m_2, ..., r_t, f_k(r_t) ⊕ m_t)
By contrast, CBC is based on the idea of encrypting m as:
c := (r_1, f_k(r_1 ⊕ m_1), r_2, f_k(r_2 ⊕ m_2), ..., r_t, f_k(r_t ⊕ m_t))
Note: this approach requires f_k to be a permutation.
Like in CFB, the strings r_1, r_2, ..., r_t in CBC are chosen to be r_i := c_{i−1} for 1 ≤ i ≤ t, where c_0 := IV, and c_{i−1} is the previous cipher block.
77
Cipher block chaining mode (CBC)
Let f_k be a pseudorandom permutation.
To encrypt a padded message m using f_k:
Let m = m_1 m_2 m_3 ... m_t
Choose a random initialization vector IV ←_u {0,1}^b.
Encrypt m as c := c_0 c_1 c_2 c_3 ... c_t
where c_0 := IV, and c_i := f_k(c_{i−1} ⊕ m_i) for 1 ≤ i ≤ t.
Note: Decryption requires f_k to be invertible (i.e., a permutation).
Traditionally, the term "block cipher" refers to a pseudorandom permutation.
78
Electronic codebook mode (ECB)
Suppose f_k is a pseudorandom permutation.
Encrypt m := m_1 m_2 m_3 ... m_t as
c := f_k(m_1) f_k(m_2) f_k(m_3) ... f_k(m_t)
The resulting scheme is not ciphertext-indistinguishable.
Used only for sending a short message (in a single block).
79
Some properties
• In CTR and OFB modes, transmission errors to a block c_i affect only the decryption of that block; other blocks are not affected.
  – useful for communications over an unreliable channel.
• In CBC and CFB modes, changes to a block m_i will affect c_i and all subsequent ciphertext blocks.
  – These modes may be used to produce message authentication codes (MAC).
• In CTR mode, blocks can be encrypted (or decrypted) in parallel or in a "random access" fashion.
80
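To make the CFB, CBC and OFB definitions concrete, here is an added example (not code from the slides) that implements the three modes over a toy 4-round Feistel permutation standing in for $f_k$ (using SHA-256 as the round function is an assumption, and this toy is not a real block cipher), plus a helper that reports which ciphertext blocks change when one plaintext block changes, i.e. the propagation property listed above.

```python
import hashlib

BLOCK = 16  # block length n = 128 bits, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(k: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function; SHA-256 is an assumed stand-in, not something the slides specify
    return hashlib.sha256(k + bytes([i]) + half).digest()[:BLOCK // 2]

def prp(k: bytes, x: bytes) -> bytes:
    """f_k: 4-round Feistel network on 16-byte blocks, a toy stand-in for a block cipher (not AES)."""
    L, R = x[:BLOCK // 2], x[BLOCK // 2:]
    for i in range(4):
        L, R = R, _xor(L, _f(k, i, R))
    return L + R

def prp_inv(k: bytes, y: bytes) -> bytes:
    """Inverse of prp, undoing the rounds in reverse order; only CBC decryption needs it."""
    L, R = y[:BLOCK // 2], y[BLOCK // 2:]
    for i in reversed(range(4)):
        L, R = _xor(R, _f(k, i, L)), L
    return L + R

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt(mode: str, k: bytes, m: bytes, iv: bytes) -> bytes:
    """Return c_0 c_1 ... c_t with c_0 := IV; m must already be padded to a multiple of BLOCK."""
    c, r = [iv], iv
    for mi in _blocks(m):
        if mode == "CBC":   c.append(prp(k, _xor(c[-1], mi)))     # c_i := f_k(c_{i-1} XOR m_i)
        elif mode == "CFB": c.append(_xor(prp(k, c[-1]), mi))     # c_i := f_k(c_{i-1}) XOR m_i
        else:               r = prp(k, r); c.append(_xor(r, mi))  # OFB: r_i := f_k(r_{i-1}), c_i := r_i XOR m_i
    return b"".join(c)

def decrypt(mode: str, k: bytes, c: bytes) -> bytes:
    cb, r, m = _blocks(c), _blocks(c)[0], []
    for i in range(1, len(cb)):
        if mode == "CBC":   m.append(_xor(prp_inv(k, cb[i]), cb[i - 1]))  # the only mode needing f_k^{-1}
        elif mode == "CFB": m.append(_xor(prp(k, cb[i - 1]), cb[i]))
        else:               r = prp(k, r); m.append(_xor(r, cb[i]))
    return b"".join(m)

def changed_blocks(c1: bytes, c2: bytes) -> list:
    """Indices of ciphertext blocks (0 = IV) that differ, to see how a change to m_i propagates."""
    return [i for i, (x, y) in enumerate(zip(_blocks(c1), _blocks(c2))) if x != y]
```

Changing one byte of $m_2$ alters $c_2$ and every later block under CBC and CFB, but only $c_2$ under OFB.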
Security of CBC, OFB, CFB, CTR
If $F = \{f_k : \{0,1\}^n \to \{0,1\}^n\}_{k \in \{0,1\}^n,\, n \in \mathbb{N}}$ is a family of pseudorandom functions or permutations, then OFB, CFB, CTR are secure against chosen-plaintext attacks (CPA-secure).
If $F = \{f_k : \{0,1\}^n \to \{0,1\}^n\}_{k \in \{0,1\}^n,\, n \in \mathbb{N}}$ is a family of pseudorandom permutations, then CBC is CPA-secure.
81
Chosen-plaintext attacks (CPA)
In the introduction we described CPA as follows:
Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary; and a new ciphertext $c$.
Q: what is the plaintext of $c$?
Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively.
We will describe CPA in terms of oracle and ciphertext-indistinguishability.
82
Chosen-plaintext attacks (CPA)
A CPA against an encryption scheme $(G, E, D)$ is modeled as follows:
1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt messages of her choice.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \in_u \{0,1\}$ (uniformly random).
4. The adversary continues to have oracle access and may request the encryptions of additional messages of her choice, even $m_0, m_1$.
5. The adversary finally answers 0 or 1.
Note: The CPA here is an adaptive CPA.
83
Ciphertext-indistinguishability against CPA
An encryption scheme $(G, E, D)$ is CPA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.
Definition: an encryption scheme $(G, E, D)$ is CPA-secure if for every polynomial-time adversary $A$ it holds that:
$\bigl|\,\Pr[A^{E_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m_0, m_1 \in M] \;-\; \Pr[A^{E_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m_0, m_1 \in M]\,\bigr| \le \mathrm{negl}(n)$.
84
Chosen-ciphertext attacks (CCA)
In the introduction we also described CCA as follows:
Given $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary; and a new ciphertext $c$.
Q: what is the plaintext of $c$?
Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively.
We will allow a CCA adversary to also have CPA capability.
(CCA seems harder to perform than CPA; an adversary who can perform CCA probably can also do CPA.)
85
Chosen-ciphertext attacks (CCA)
A CCA on an encryption scheme $(G, E, D)$ is modeled as follows:
1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \in_u \{0,1\}$ (uniformly random).
4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$.
5. The adversary finally answers 0 or 1.
86
Ciphertext-indistinguishability against CCA
An encryption scheme $(G, E, D)$ is CCA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.
Definition: an encryption scheme $(G, E, D)$ is CCA-secure if for every polynomial-time adversary $A$, it holds that:
$\bigl|\,\Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m_0, m_1 \in M] \;-\; \Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m_0, m_1 \in M]\,\bigr| \le \mathrm{negl}(n)$.
87
Remarks
The encryption schemes we have seen so far are not CCA-secure.
Example: consider the scheme $E_k(m) = r,\ f_k(r) \oplus m$.
The adversary chooses any messages $m_0$ and $m_1$.
Let the challenge ciphertext be $r, c$, where $c := f_k(r) \oplus m_b$, with $b = 0$ or $1$.
$r, \bar{c} = r,\ f_k(r) \oplus \overline{m_b}$ is a legitimate ciphertext of $\overline{m_b}$ (here $\bar{x}$ denotes the bitwise complement of $x$).
Requesting the oracle to decrypt $r, \bar{c}$, the adversary will get $\overline{m_b}$ and hence know the value of $b$.
In practice, if from a ciphertext $c = E_k(m)$ you can produce a ciphertext $c'$ of some sort of predictable message $m'$, then the encryption scheme is not CCA-secure.
88
Remarks
We will see that: CPA-secure encryption + secure MAC $\Rightarrow$ CCA-secure encryption.
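The two remarks above, as an added example (not code from the slides): the scheme $E_k(m) = r, f_k(r) \oplus m$ with HMAC-SHA256 as an assumed stand-in for $f_k$, the complement observation that lets a decryption oracle reveal $b$, and the "CPA-secure encryption + secure MAC" remedy in the encrypt-then-MAC arrangement (that arrangement is an assumption here; the slides only state the combination), which rejects the modified ciphertext instead of decrypting it.

```python
import hashlib, hmac, os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(k: bytes, r: bytes) -> bytes:
    # Pseudorandom function f_k; HMAC-SHA256 is an assumed stand-in, not specified by the slides
    return hmac.new(k, r, hashlib.sha256).digest()

def complement(x: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in x)

def encrypt(k: bytes, m: bytes, r: bytes = None) -> tuple:
    """E_k(m) = (r, f_k(r) XOR m) for a 32-byte message m; r is random unless supplied."""
    r = os.urandom(32) if r is None else r
    return r, _xor(f(k, r), m)

def decrypt(k: bytes, c: tuple) -> bytes:
    r, body = c
    return _xor(f(k, r), body)

def distinguish(decrypt_oracle, m0: bytes, m1: bytes, challenge: tuple) -> int:
    """The slides' CCA adversary: (r, ~c) is a legitimate ciphertext of ~m_b, so asking the
    decryption oracle for it (never for the challenge itself) reveals b."""
    r, body = challenge
    mb_bar = decrypt_oracle((r, complement(body)))
    return 0 if mb_bar == complement(m0) else 1

# Remedy: CPA-secure encryption + secure MAC, here as encrypt-then-MAC (an assumed
# arrangement): the tag binds (r, body), so any modified ciphertext is rejected.
def encrypt_mac(ke: bytes, km: bytes, m: bytes) -> tuple:
    r, body = encrypt(ke, m)
    return r, body, hmac.new(km, r + body, hashlib.sha256).digest()

def decrypt_mac(ke: bytes, km: bytes, c: tuple):
    r, body, tag = c
    if not hmac.compare_digest(tag, hmac.new(km, r + body, hashlib.sha256).digest()):
        return None  # tampered: refuse to decrypt, so ~m_b never reaches the adversary
    return decrypt(ke, (r, body))
```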
Practical Block Ciphers: DES and AES
DES: Data Encryption Standard (covered in 651)
AES: Advanced Encryption Standard
Reading: Chapter 5 of Katz/Lindell
89
90
Traditional view of block ciphers
A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits.
$M = C = \{0,1\}^n$ and $K = \{0,1\}^r$.
Block length: $n$. Key length: $r$.
For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.
91
Another view of block ciphers
All that we need is a pseudorandom permutation.
A block cipher is a pseudorandom permutation ensemble of functions $f_k : \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$, with $M = C = \{0,1\}^{l(n)}$ and $K = \{0,1\}^n$.
Block length: $l(n)$. Key length: $n$.
For $k \in K$, $f_k : \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$ is a permutation.
92
Practical constructions of block ciphers
There are methods to construct block ciphers (pseudorandom permutations) from one-way functions:
One-way functions → pseudorandom generators → pseudorandom functions → pseudorandom permutations. Slow.
In practice, modern block ciphers are constructed using
– Feistel networks (e.g., DES, covered in CSE 651)
– Substitution-permutation networks (e.g., AES)
AES: Advanced Encryption Standard
Finite field: The mathematics used in AES.
94
AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a replacement
for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key lengths of 128,
192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and Daemen) was
selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• AES allows only one block size: 128 bits.
95
Structure of Rijndael
$N_b$: block size (number of words). For AES, $N_b = 4$.
$N_k$: key length (number of words).
$N_r$: number of rounds, depending on $N_b$, $N_k$.
Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
$state$: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.
Key schedule: $N_r + 1$ round keys $key_0, key_1, \ldots, key_{10}$ are computed from the main key $k$.
96
Rijndael algorithm
input: plaintext $m$, key $k$
    state := m
    AddKey(state, key_0)
    for i := 1 to N_r − 1 do
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddKey(state, key_i)
    SubBytes(state)
    ShiftRows(state)
    AddKey(state, key_{N_r})
    return(state)
97
AddKey($state$, $key_i$)
$state := state \oplus key_i$.
98
SubBytes($state$)
Each byte in $state$ is substituted with another byte according to a table.
99
ShiftRows($state$)
Left-shift row $i$ circularly by $i$ bytes, $0 \le i \le 3$:
    a b c d         a b c d
    e f g h   -->   f g h e
    i j k l         k l i j
    m n o p         p m n o
100
MixColumns($state$)
Operates on each column of the $state$ matrix.
View each column $(a_0, a_1, a_2, a_3)$ as a polynomial with coefficients in $GF(2^8)$:
$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$.
A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$.
The MixColumns operation maps each column $a(x)$ to $a(x) \cdot c(x) \bmod (x^4 + 1)$.
101
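The ShiftRows and MixColumns steps above, as an added example (not code from the slides): multiplication in $GF(2^8)$ with the AES reduction polynomial, the column product $a(x) \cdot c(x) \bmod (x^4 + 1)$ computed directly as a polynomial product with wrapped exponents, and, going slightly beyond the slide, the inverse step used by decryption, which multiplies by $c(x)^{-1} = 0b\,x^3 + 0d\,x^2 + 09\,x + 0e$ (a known constant, not stated on the slides). The state is a $4 \times 4$ list of rows, so a column is one word as on the slides.

```python
# GF(2^8) arithmetic and the ShiftRows / MixColumns steps of AES (added example).
# State is a 4x4 list of rows of ints, state[row][col]; each column is one word.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the reduction polynomial of the AES field GF(2^8)

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8), reducing by AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

# Coefficients listed low degree first: c(x) = 03 x^3 + 01 x^2 + 01 x + 02, and its
# inverse mod x^4 + 1, c^{-1}(x) = 0b x^3 + 0d x^2 + 09 x + 0e, used by InvMixColumns.
C_X = [0x02, 0x01, 0x01, 0x03]
C_X_INV = [0x0E, 0x09, 0x0D, 0x0B]

def poly_mul_mod(a: list, c: list) -> list:
    """a(x) * c(x) with GF(2^8) coefficients, modulo x^4 + 1 (x^4 = 1, so exponents wrap mod 4)."""
    d = [0, 0, 0, 0]
    for i, ai in enumerate(a):
        for j, cj in enumerate(c):
            d[(i + j) % 4] ^= gf_mul(ai, cj)
    return d

def shift_rows(state: list) -> list:
    """Left-shift row i circularly by i bytes, 0 <= i <= 3."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]

def mix_columns(state: list, c: list = C_X) -> list:
    """View each column (a0, a1, a2, a3) as a(x) and replace it by a(x) * c(x) mod (x^4 + 1)."""
    out = [[0] * 4 for _ in range(4)]
    for col in range(4):
        d = poly_mul_mod([state[row][col] for row in range(4)], c)
        for row in range(4):
            out[row][col] = d[row]
    return out

def inv_mix_columns(state: list) -> list:
    """The inverse step used in decryption: multiply each column by c^{-1}(x) instead."""
    return mix_columns(state, C_X_INV)
```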
Each step of Rijndael encryption is invertible.
Rijndael Decryption
102
Round keys are derived from the main key
Rijndael key schedule
A Rijndael Animation by Enrique Zabala
103