Date post: 19-Jan-2016
Upload: donna-sabina-lyons
1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 2 Chapter 3 (sections 3.1- 3.4) You may skip proofs, but are encouraged to read some of them.
Transcript
Page 1: 1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 2 Chapter 3 (sections 3.1-3.4) You may skip proofs, but are.

Symmetric-Key Encryption

CSE 5351: Introduction to Cryptography

Reading assignment:
• Chapter 2
• Chapter 3 (sections 3.1-3.4)
• You may skip proofs, but are encouraged to read some of them.

Page 2:

This course (from foundations to applications):

• Computational Difficulty (One-Way Functions)
• Pseudorandom Generators and Functions
• Zero-Knowledge Proof Systems
• Encryption Schemes
• Sign/MAC/hash Schemes
• Crypto Protocols
• APPLICATIONS (security)

Page 3:

Outline

Theory of symmetric-key encryption
• What is a symmetric-key encryption scheme?
• What does it mean by "secure" or "not secure"?
• How to construct a secure encryption scheme?

Practical symmetric-key encryption schemes
• RC4: a stream cipher
• AES: Advanced Encryption Standard

Page 4:

Symmetric-key encryption scheme

$K, M, C$: key space, plaintext space, ciphertext space.

Key generation algorithm $G$: generates keys $k \in K$.

Encryption algorithm $E: M \times K \to C$.

Decryption algorithm $D: C \times K \to M$.

Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.

$G, E, D$ are publicly known, and efficiently computable.

To use the scheme, Alice and Bob run $G$ to generate a key $k \in K$, and keep it secret.

Question: What is the security requirement?

Page 5:

The notion of security

Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.

How to define security? Different levels of security: an encryption scheme is secure if, given a ciphertext $c = E_k(m)$, no adversary can recover (one of the following):

1. the secret key $k$
2. the plaintext $m$
3. any character of the plaintext
4. any useful or meaningful information about the plaintext
5. any information about the plaintext

We will adopt (and formalize) one of these options. Which one?

Page 6:

Shannon's notion of perfect secrecy

Adversary: an eavesdropper with unlimited computing power.

Encryption scheme: $(G, E, D, K, M, C)$.

Regard plaintext $m$ and key $k$ as random variables with some probability distributions over $M$ and $K$, respectively.

The encryption algorithm $E$ induces a probability distribution over $C$:
$\Pr(c) = \sum_{m \in M,\, k \in K:\, E_k(m) = c} \Pr(m)\,\Pr(k)$.

For simplicity, and w.l.o.g., assume $\Pr(m) > 0$ and $\Pr(c) > 0$ for all $m \in M$ and $c \in C$.

Page 7:

Notation

Experiment: Pick a message $m$, a key $k$, and obtain a ciphertext $c = E_k(m)$.
(Bold letters $\mathbf{m}, \mathbf{k}, \mathbf{c}$ denote the random variables; plain letters denote particular values.)

• $\Pr(m) = \Pr(\mathbf{m} = m)$: probability of message $m$ being picked.
• $\Pr(k) = \Pr(\mathbf{k} = k)$: probability of key $k$ being picked.
• $\Pr(c) = \Pr(\mathbf{c} = c)$: probability of $c$ being the ciphertext.
• $\Pr(m \mid c) = \Pr(\mathbf{m} = m \mid \mathbf{c} = c) = \dfrac{\Pr(m, c)}{\Pr(c)} = \dfrac{\Pr(m)\,\Pr(c \mid m)}{\Pr(c)}$ (Pr. of $m$ being the message given ciphertext $c$).
• $\Pr(c \mid m) = \Pr(E_{\mathbf{k}}(m) = c) = \sum_{k \in K:\, E_k(m) = c} \Pr(k)$ (Pr. of $m$ being encrypted as $c$).

Page 8:

Shannon's Definition:

An encryption scheme is perfectly secret if for every probability distribution over $M$,
$\Pr(m \mid c) = \Pr(m)$ for all $m \in M$ and $c \in C$.

Theorem: The following are equivalent:

1. $\Pr(m \mid c) = \Pr(m)$ for all $m \in M$ and $c \in C$.
2. $\Pr(c \mid m) = \Pr(c)$ for all $m \in M$ and $c \in C$.
3. $\Pr(c \mid m) = \Pr(c \mid m')$ for all $m, m' \in M$ and $c \in C$.
4. $\Pr(E_{\mathbf{k}}(m) = c) = \Pr(E_{\mathbf{k}}(m') = c)$ for all $m, m' \in M$ and $c \in C$.

Page 9:

Vernam's one-time pad encryption scheme

$M = K = C = \{0,1\}^n$, $n$ fixed.

Key generation: $k \leftarrow_u \{0,1\}^n$.

Encryption algorithm: $c := E_k(m) := m \oplus k$.

(Decryption: $m := D_k(c) := c \oplus k$.)

The scheme is perfectly secret (against eavesdroppers).

Thus, to use Vernam's one-time pad, Alice and Bob need to share (in advance) a long enough random key. This is impractical for most applications.

Page 10:

Perfect secrecy of Vernam's one-time pad ($n = 1$)

Distribution of $\mathbf{m}$: $\Pr(\mathbf{m} = 0) = p_0$, $\Pr(\mathbf{m} = 1) = p_1$.

Distribution of $\mathbf{k}$: $\Pr(\mathbf{k} = i) = 1/2$ for $i \in \{0,1\}$.

It is easy to verify that $\Pr(\mathbf{c} = j) = 1/2$ for $j \in \{0,1\}$.

For (fixed) $i, j \in \{0,1\}$, we have

$\Pr(\mathbf{m} = i \mid \mathbf{c} = j) = \dfrac{\Pr(\mathbf{m} = i,\ \mathbf{c} = j)}{\Pr(\mathbf{c} = j)} = \dfrac{\Pr(\mathbf{m} = i,\ \mathbf{k} = i \oplus j)}{\Pr(\mathbf{c} = j)} = \dfrac{\Pr(\mathbf{m} = i)\,\Pr(\mathbf{k} = i \oplus j)}{\Pr(\mathbf{c} = j)} = \dfrac{p_i \cdot 1/2}{1/2} = \Pr(\mathbf{m} = i).$

Similar proof for $n > 1$.

Page 11:

One-time pad for messages of varying length

$M = C = \{0,1\}^{\le n}$ (bit strings of length at most $n$), $n$ fixed. $K = \{0,1\}^n$.

Key generation: $k \leftarrow_u \{0,1\}^n$.

Encryption algorithm: $c := E_k(m) := m \oplus k$, where if $|m| < n$ then only the first $|m|$ bits of $k$ are used.

Question: Is it perfectly secret?

Page 12:

Shannon's Theorems

Thm: Encryption $E: M \times K \to C$. Necessary condition for perfect secrecy: $|K| \ge |C| \ge |M|$.

Thus, if $K = \{0,1\}^l$ and $M = \{0,1\}^n$, then $l \ge n$, i.e., keys must be at least as long as messages.

Thm: When $|M| = |K| = |C|$, the encryption scheme is perfectly secret if and only if both of the following hold:

• Every key is used with equal probability $1/|K|$;
• For every $m \in M$ and $c \in C$, there is a unique $k \in K$ such that $E_k(m) = c$. (For the same $m$, using different keys yields different ciphertexts $c$.)

Page 13:

Proof of $|K| \ge |C| \ge |M|$

Obviously, $|C| \ge |M|$.

To see $|K| \ge |C|$, consider the uniform distribution for $M$.

Consider any plaintext $m \in M$.

Let $C_m = \{c \in C : E_k(m) = c \text{ for some key } k\}$.

We have $|C_m| \le |K|$.

If $|K| < |C|$, then $|C_m| < |C|$; some $c \in C \setminus C_m$ is not a valid ciphertext of $m$.

For $c \in C \setminus C_m$, $\Pr(m \mid c) = 0 \ne \Pr(m)$ $\Rightarrow$ not perfectly secret.

Page 14:

Use of Shannon's Theorem

With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret.

It is easy to design another perfectly secret encryption scheme. For example, take Caesar's shift cipher:

$K = M = C = \{0, 1, \ldots, 25\} = \{a, b, \ldots, z\}$.

Key generation: $k \leftarrow_u K$.

Encryption: $E_k(m) = (m + k) \bmod 26$.

This scheme is perfectly secret if a uniformly generated new random key is used for every character. True or false?

Big problem: how would Alice and Bob agree on a secret key (a long sequence of random characters) in advance?

Page 15:

Vigenère Cipher

Alice and Bob agree on a secret key: e.g., "bible".

Then use Caesar's cipher with keys "b, i, b, l, e" in turn.

For instance: "ohio state" $\to$ $E_b(o)\ E_i(h)\ E_b(i)\ E_l(o)\ E_e(s)\ E_b(t)\ E_i(a)\ E_b(t)\ E_l(e)$.

Of course it is not perfectly secret. (Why not?)

Can you suggest a strategy to improve the Vigenère cipher's security?
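A worked check of the perfect-secrecy conditions from pages 8, 12, 14 and 15, added here as an example (not code from the course or its textbook). It computes $\Pr(E_k(m) = c)$ exactly, as fractions, for a finite scheme, tests condition (4) of the page-8 theorem, and runs the page-23 guessing adversary (whose success probability is $1/2$ plus half the statistical distance between the two ciphertext distributions). The schemes and messages are constructed here; the message and key spaces are assumed small enough to enumerate.

```python
from fractions import Fraction
from itertools import product

ALPHABET = 26  # Caesar / Vigenère alphabet {a, ..., z} = {0, ..., 25}


def shift_encrypt(key, msg):
    """Vigenère: the i-th letter is shifted by key[i mod len(key)]; Caesar is len(key) == 1."""
    return tuple((x + key[i % len(key)]) % ALPHABET for i, x in enumerate(msg))


def otp_encrypt(key, msg):
    """Vernam one-time pad on bit tuples: c = m XOR k."""
    return tuple(x ^ k for x, k in zip(msg, key))


def uniform(keys):
    """Key space plus the uniform key distribution Pr(k) = 1/|K|, as exact fractions."""
    keys = list(keys)
    return keys, {k: Fraction(1, len(keys)) for k in keys}


def ciphertext_distribution(encrypt, keys, key_prob, m):
    """Pr(E_k(m) = c) for every c: the sum of Pr(k) over the keys with E_k(m) = c."""
    dist = {}
    for k in keys:
        c = encrypt(k, m)
        dist[c] = dist.get(c, Fraction(0)) + key_prob[k]
    return dist


def statistical_distance(d0, d1):
    """(1/2) * sum over c of |Pr(E_k(m0) = c) - Pr(E_k(m1) = c)|."""
    support = set(d0) | set(d1)
    return sum(abs(d0.get(c, Fraction(0)) - d1.get(c, Fraction(0))) for c in support) / 2


def best_eavesdropper_success(encrypt, keys, key_prob, m0, m1):
    """Success probability of the page-23 adversary, which outputs the message under
    which the observed ciphertext is more likely: 1/2 + (statistical distance)/2."""
    d0 = ciphertext_distribution(encrypt, keys, key_prob, m0)
    d1 = ciphertext_distribution(encrypt, keys, key_prob, m1)
    return Fraction(1, 2) + statistical_distance(d0, d1) / 2


def is_perfectly_secret(encrypt, keys, key_prob, messages):
    """Condition (4) of the page-8 theorem: Pr(E_k(m) = c) = Pr(E_k(m') = c) for all m, m', c."""
    messages = list(messages)
    d_ref = ciphertext_distribution(encrypt, keys, key_prob, messages[0])
    return all(
        statistical_distance(d_ref, ciphertext_distribution(encrypt, keys, key_prob, m)) == 0
        for m in messages[1:]
    )


def demo():
    """Constructed cases: Caesar with a fresh key per letter, one Caesar key reused over
    two letters, Vigenère with a fresh two-letter key, and the two-bit Vernam pad."""
    letters = [(m,) for m in range(ALPHABET)]
    pairs = list(product(range(ALPHABET), repeat=2))
    keys1, prob1 = uniform((k,) for k in range(ALPHABET))  # one uniform shift
    keys2, prob2 = uniform(pairs)                            # two uniform shifts
    bits2, probb = uniform(product((0, 1), repeat=2))        # two uniform bits
    return {
        "caesar_one_letter": is_perfectly_secret(shift_encrypt, keys1, prob1, letters),
        "caesar_key_reused_two_letters": is_perfectly_secret(shift_encrypt, keys1, prob1, pairs),
        "eavesdropper_success_on_reuse": best_eavesdropper_success(shift_encrypt, keys1, prob1, (0, 0), (0, 1)),
        "vigenere_fresh_key_two_letters": is_perfectly_secret(shift_encrypt, keys2, prob2, pairs),
        "vernam_two_bits": is_perfectly_secret(otp_encrypt, bits2, probb, list(product((0, 1), repeat=2))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reused-key case is the Vigenère question: with one shift covering two letters, the ciphertext of $(0,0)$ is always of the form $(k, k)$ and that of $(0,1)$ of the form $(k, k+1)$, so the two ciphertext distributions are disjoint and the page-23 adversary wins with probability $1$. Drawing a fresh uniform shift per letter (a two-letter key for a two-letter message) restores perfect secrecy, which is exactly the page-12 condition that the key be at least as long as the message.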

Page 16:

Limitations of Perfect Secrecy

To achieve perfect secrecy:
• keys must be as long as messages (if $K = \{0,1\}^l$ and $M = \{0,1\}^n$, then $l \ge n$);
• a new key must be generated for each message.

It is desired to use a short key to encrypt multiple messages.

To this end, we need to relax the security requirement.

Unfortunately, it seems hard to relax the conditions of perfect secrecy.

We will use a different notion of security that is equivalent to perfect secrecy and can be easily relaxed.

Page 17:

Absolute Ciphertext-Indistinguishability

Imagine an experiment on an encryption scheme $(G, E, D)$:

• The adversary (Eve) chooses two messages $m_0, m_1$ from the message space, not necessarily of the same length.
• Bob selects a key $k \leftarrow_G K$ and a message $m \leftarrow_u \{m_0, m_1\}$. He computes a ciphertext $c \leftarrow E_k(m)$ and gives $c$ to Eve. ($c$ is called the challenge ciphertext.)
• Eve tries to tell whether $c$ is the encryption of $m_0$ or $m_1$.

The encryption scheme is absolutely ciphertext-indistinguishable if no adversary can succeed with probability greater than $1/2$.

Page 18:

Definition of Absolute Ciphertext-Indistinguishability

Adversary: an eavesdropper with unlimited computing power.

Encryption scheme: $(G, E, D, K, M, C)$.

Distinguishing algorithm $A$: a probabilistic algorithm that on input $m_0, m_1 \in M$ and $c \in C$ outputs a bit $b \in \{0,1\}$.

We model an adversary as a distinguishing algorithm.

An encryption scheme is absolutely ciphertext-indistinguishable if for every distinguishing algorithm $A$ and every two $m_0, m_1 \in M$,

$\Pr\big[A(m_0, m_1, E_k(m_b)) = b : b \leftarrow_u \{0,1\},\ k \leftarrow_G K\big] = \dfrac{1}{2}$,

or, equivalently,

$\Pr\big[A(m_0, m_1, E_k(m_0)) = 1 : k \leftarrow_G K\big] = \Pr\big[A(m_0, m_1, E_k(m_1)) = 1 : k \leftarrow_G K\big]$.

Page 19:

Remark

$\Pr\big[A(m_0, m_1, E_k(m_b)) = b : k \le
ftarrow_G K,\ b \leftarrow_u \{0,1\}\big]$
$= \Pr[b = 0]\cdot\Pr\big[A(m_0, m_1, E_k(m_0)) = 0 : k \leftarrow_G K\big] + \Pr[b = 1]\cdot\Pr\big[A(m_0, m_1, E_k(m_1)) = 1 : k \leftarrow_G K\big]$
$= \dfrac{1}{2}\Big(\Pr\big[A(m_0, m_1, E_k(m_0)) = 0 : k \leftarrow_G K\big] + \Pr\big[A(m_0, m_1, E_k(m_1)) = 1 : k \leftarrow_G K\big]\Big)$,

where, for each $b \in \{0,1\}$,

$\Pr\big[A(m_0, m_1, E_k(m_b)) = b : k \leftarrow_G K\big] = \sum_{c \in C} \Pr\big[E_k(m_b) = c : k \leftarrow_G K\big]\cdot\Pr\big[A(m_0, m_1, c) = b\big]$,

and $A(m_0, m_1, E_k(m_b))$ denotes the output of $A$ on input $(m_0, m_1, E_k(m_b))$.

Page 20:

Remark

The KL book uses $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$ to denote the experiment, where
• $\Pi$ is the encryption scheme in question,
• $A$ is the adversary, an eavesdropper,
• $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$ outputs 1 if the adversary succeeds.

An encryption scheme $\Pi$ is absolutely ciphertext-indistinguishable if for every distinguishing algorithm $A$,
$\Pr\big[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1\big] = \dfrac{1}{2}$.

Page 21:

Equivalence of perfect secrecy and absolute ciphertext-indistinguishability

Theorem: An encryption scheme is perfectly secret if and only if it is absolutely ciphertext-indistinguishable.

Page 22:

Perfect secrecy $\Rightarrow$ ciphertext-indistinguishability

If the encryption scheme is perfectly secret, then $\Pr(E_k(m_0) = c) = \Pr(E_k(m_1) = c)$ for all $m_0, m_1 \in M$ and $c \in C$.

$\Pr\big[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1\big] = \Pr[\text{Eve wins}]$
$= \sum_{i \in \{0,1\};\ c \in C} \Pr[b = i]\cdot\Pr(E_k(m_i) = c)\cdot\Pr(A(m_0, m_1, c) = i)$
$= \dfrac{1}{2}\sum_{i \in \{0,1\};\ c \in C} \Pr(E_k(m_i) = c)\cdot\Pr(A(m_0, m_1, c) = i)$
$= \dfrac{1}{2}\sum_{c \in C} \Pr(E_k(m_0) = c)\sum_{i \in \{0,1\}} \Pr(A(m_0, m_1, c) = i) = \dfrac{1}{2}.$

Page 23:

Perfect secrecy $\Leftarrow$ ciphertext-indistinguishability

If the encryption scheme is not perfectly secret, then there exist $m_0, m_1 \in M$ such that
$\Pr(E_k(m_0) = c) \ne \Pr(E_k(m_1) = c)$ for some $c \in C$.

For these two messages, the following adversary succeeds with probability $> 1/2$:

$A(m_0, m_1, c) = \begin{cases} 0 & \text{if } \Pr(E_k(m_0) = c) > \Pr(E_k(m_1) = c) \\ 1 & \text{if } \Pr(E_k(m_0) = c) < \Pr(E_k(m_1) = c) \\ i \leftarrow_u \{0,1\} & \text{otherwise} \end{cases}$

The scheme is not absolutely ciphertext-indistinguishable.

Page 24:

Relaxing the security requirement

In absolute ciphertext-indistinguishability (perfect secrecy),
• the adversary may have unlimited computing power,
• the adversary has no better than $1/2$ probability of success;
• also, message length is hidden.

Now we relax the notion of absolute ciphertext-indistinguishability (perfect secrecy) by
• limiting adversaries to having polynomial computing power,
• allowing the success rate to be negligibly better than $1/2$,
• not hiding message length.

Page 25:

Negligible functions

A nonnegative function $f: \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive polynomial $P(n)$, there is an integer $n_0$ such that
$f(n) < \dfrac{1}{P(n)}$ for all $n > n_0$ (i.e., for sufficiently large $n$).

Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions.

Negligible functions approach zero faster than the reciprocal of every polynomial.

We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.

Page 26:

Security Parameter

When we say that an algorithm is polynomial-time, it is w.r.t. the algorithm's input size (in terms of number of bits).

The running time of an algorithm is polynomial if $T(n) = O(\mathrm{poly}(n))$ for some polynomial $\mathrm{poly}(n)$, where $n$ is the input size.

Each encryption scheme is associated with a security parameter, which is related to the key length.

When we say a probability is negligible, it is w.r.t. the encryption scheme's security parameter.

Page 27:

Symmetric-key encryption scheme (refined)

Message space: $M = \{0,1\}^*$.

Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a key $k \in \{0,1\}^n$. ($K = \{0,1\}^n$; and $n$ is the security parameter.)

Encryption algorithm $E$: On input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$.

Decryption algorithm $D$: On input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$.

Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.

$G, E$: probabilistic algorithms. $D$: deterministic. All poly-time.

Page 28:

Computational Ciphertext-Indistinguishability

Adversary: a polynomial eavesdropper with a single ciphertext.

$(G, E, D)$: an encryption scheme with security parameter $n$.

Imagine a game played by Bob and Eve (adversary):

• Eve, given input $1^n$, outputs a pair of messages $m_0, m_1$ of the same length.
• Bob chooses a key $k \leftarrow G(1^n)$ and a bit $b \leftarrow_u \{0,1\}$; computes $c \leftarrow E_k(m_b)$; and gives $c$ to Eve.
• Eve tries to determine whether $c$ is the encryption of $m_0$ or $m_1$.

An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.

Page 29:

Definition:

An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if for every polynomial probabilistic algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$, it holds:

$\Pr\big[A(1^n, m_0, m_1, E_k(m_b)) = b : b \leftarrow_u \{0,1\},\ k \leftarrow G(1^n)\big] \le \dfrac{1}{2} + \mathrm{negl}(n)$,

or, equivalently,

$\Big|\Pr\big[A(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n)\big] - \Pr\big[A(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n)\big]\Big| \le \mathrm{negl}(n)$.

Page 30:

Multiple-ciphertext indistinguishability

Now suppose a key is used to encrypt multiple messages.

The adversary, given input $1^n$, selects two vectors of messages:
$\vec{m}_0 = (m_0^1, m_0^2, \ldots, m_0^t)$ and $\vec{m}_1 = (m_1^1, m_1^2, \ldots, m_1^t)$ such that $|m_0^i| = |m_1^i|$ for all $i$.

Bob generates a key $k \leftarrow G(1^n)$ and a bit $b \leftarrow_u \{0,1\}$; and gives the ciphertext vector $\vec{c} \leftarrow E_k(\vec{m}_b)$ to the adversary.

The adversary tries to tell whether $\vec{c}$ was computed from $\vec{m}_0$ or $\vec{m}_1$.

An encryption scheme is computationally multiple-ciphertext-indistinguishable if for every two message vectors no polynomial adversary can succeed with probability non-negligibly $> 1/2$.

Page 31:

Remarks

We have defined two notions of security against eavesdroppers:

1. (Computational) single-ciphertext-indistinguishability: a key is used to encrypt only one message.
2. (Computational) multiple-ciphertext-indistinguishability: a key may be used to encrypt multiple messages.

Note: (1) does not imply (2). For example: Vernam's one-time pad is absolutely single-ciphertext-indistinguishable. If keys are not used in a "one-time" fashion, the scheme will not be ciphertext-indistinguishable. Just let $\vec{m}_0 = (0, 0)$ and $\vec{m}_1 = (0, 1)$: the two ciphertexts in $\vec{c}$ are equal if and only if $b = 0$.

Next, we will see how to construct ciphertext-indistinguishable encryption schemes.

Page 32:

Secure Encryption Schemes

Secure (i.e., ciphertext-indistinguishable against eavesdroppers) symmetric-key encryption schemes may be constructed from:
• Pseudorandom generators
• Pseudorandom functions
• Pseudorandom permutations.

Page 33:

Stream Ciphers

Encryption schemes using pseudorandom generators

Page 34:

Motivation

Vernam's one-time pad scheme is perfectly secure against a single-message eavesdropper.

Unfortunately, it requires a random key (pad) as long as the message.

Solution: use a short key as the seed to generate a "pseudorandom" key (pad) which is as long as needed.

This is the basic idea of stream ciphers.

Page 35:

Stream ciphers

Stream ciphers are encryption schemes that work the same as Vernam's one-time pad, except that pseudorandom keystreams are used in place of the random pad.

Page 36:

What is a pseudorandom generator?

Informally, a pseudorandom generator $G$ is an algorithm that, given a (short) truly random string $s$, outputs a "random-like" string longer than $s$.

Informally, a string is "random-like" if it is hard to tell whether it was generated by a truly random generator or by a pseudorandom generator.

Loosely speaking, two sets $A, B \subseteq \{0,1\}^n$ are said to be polynomially indistinguishable if for every polynomial distinguisher $D$,

$\Big|\Pr\big[D(r) = 1 : r \leftarrow_u A\big] - \Pr\big[D(r) = 1 : r \leftarrow_u B\big]\Big| \le \mathrm{negl}(n)$.

You may interpret "$1$" as "$r \in A$".

Page 37:

In the above, we were actually talking about the indistinguishability between two ensembles (sequences) of sets: $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$.

Definition: Two ensembles of sets $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$ are polynomially indistinguishable if for every polynomial-time distinguisher $D$, it holds that

$\Big|\Pr\big[D(r) = 1 : r \leftarrow_u A_n\big] - \Pr\big[D(r) = 1 : r \leftarrow_u B_n\big]\Big| \le \mathrm{negl}(n)$.

Which of the following are polynomially indistinguishable?

1. $A_n = \{0,1\}^n$, $B_n = \{0,1\}^n \setminus \{0^n\}$
2. $A_n = \{0,1\}^n$, $B_n = \{s \in \{0,1\}^n : s \ge 2^{100}\}$ (strings read as integers)
3. $A_n = \{0,1\}^n$, $B_n = 0\{0,1\}^{n-1}$

Page 38:

$A_n = \{0,1\}^n$ and $B_n = \{0,1\}^n \setminus \{0^n\}$ are polynomially indistinguishable.

$\Pr\big[D(r) = 1 : r \leftarrow_u A_n\big] = \Pr[r \ne 0^n]\cdot\Pr\big[D(r) = 1 \mid r \ne 0^n\big] + \Pr[r = 0^n]\cdot\Pr\big[D(0^n) = 1\big]$
$= \Big(1 - \dfrac{1}{2^n}\Big)\Pr\big[D(r) = 1 : r \leftarrow_u B_n\big] + \dfrac{1}{2^n}\Pr\big[D(0^n) = 1\big].$

Hence

$\Big|\Pr\big[D(r) = 1 : r \leftarrow_u A_n\big] - \Pr\big[D(r) = 1 : r \leftarrow_u B_n\big]\Big| = \dfrac{1}{2^n}\Big|\Pr\big[D(0^n) = 1\big] - \Pr\big[D(r) = 1 : r \leftarrow_u B_n\big]\Big| \le \dfrac{1}{2^n} = \mathrm{negl}(n).$

Page 39:

Definition of pseudorandom generator

Let $l(n)$ be a polynomial such that $l(n) > n$ for all $n > 0$.

Let $G$ be a deterministic polynomial-time algorithm that, for any input string $s \in \{0,1\}^n$, outputs a string of length $l(n)$.

$G$ is said to be a pseudorandom generator with expansion factor $l(n)$ if for every polynomial-time distinguisher $D$,

$\Big|\Pr\big[D(G(s)) = 1 : s \leftarrow_u \{0,1\}^n\big] - \Pr\big[D(r) = 1 : r \leftarrow_u \{0,1\}^{l(n)}\big]\Big| \le \mathrm{negl}(n)$.

That is, the two ensembles $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$, where $A_n := \{G(s) : s \in \{0,1\}^n\}$ and $B_n := \{r : r \in \{0,1\}^{l(n)}\}$, are polynomially indistinguishable.

Page 40:

Existence of pseudorandom generators

If one-way functions exist, then pseudorandom generators exist.

That is, pseudorandom generators can be constructed from one-way functions.

Chapter 6 shows how to construct pseudorandom generators from one-way permutations.

Provably pseudorandom generators of this kind are slow for applications.

In practice, algorithms such as RC4 are used (RC4 itself is now deprecated; see page 56).

Page 41:

Existence of pseudorandom generators (basic idea)

Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way function (for the argument below to go through, a one-way permutation, as in the Chapter 6 construction).

Let $b: \{0,1\}^n \to \{0,1\}$ be a hard-core predicate of $f$.
• Easy to compute $b(x)$ from $x$.
• But hard to compute $b(x)$ from $f(x)$.

Given seed $x$, let $x_0 = x$.

Starting from $x_0$, apply $f$ repeatedly: $x_0 \xrightarrow{f} x_1 \xrightarrow{f} x_2 \xrightarrow{f} \cdots \xrightarrow{f} x_{l(n)-1}$.

Let $G(x) = \big(b(x_0), b(x_1), b(x_2), \ldots, b(x_{l(n)-1})\big)$.

$G$ is a pseudorandom generator with expansion factor $l(n)$.

Page 42:

Example: Blum-Blum-Shub pseudorandom generator

Let $N = pq$ for two large primes $p, q$ (the modulus is written $N$ here to keep it apart from the security parameter $n$; for the generator to be sound, $p \equiv q \equiv 3 \pmod 4$).

Let $f(x) = x^2 \bmod N$.

Let $b(x) =$ the least significant bit of $x$.

Let $x_0 \xrightarrow{f} x_1 \xrightarrow{f} x_2 \xrightarrow{f} \cdots \xrightarrow{f} x_{l(n)-1}$.

Let $G(x) = \big(b(x_0), b(x_1), b(x_2), \ldots, b(x_{l(n)-1})\big)$.

$G$ is a pseudorandom generator with expansion factor $l(n)$.
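An added example (not from the slides) of the page-41 iterate-and-extract construction instantiated with the Blum-Blum-Shub choices from page 42: $f(x) = x^2 \bmod N$ and the least-significant-bit predicate. The primes are toy-sized and chosen here; the Blum-prime check ($p \equiv q \equiv 3 \pmod 4$) and starting the walk from $x_0 = \mathrm{seed}^2 \bmod N$ (a quadratic residue) are assumptions recorded in the code comments, not statements on the page.

```python
import math


def is_blum_prime(p):
    """Trial division (toy sizes only): p is prime and p ≡ 3 (mod 4)."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, math.isqrt(p) + 1))


def blum_micali(f, hardcore, x0, length):
    """Page-41 construction: x_{i+1} = f(x_i); output b(x_0), ..., b(x_{length-1})."""
    bits, x = [], x0
    for _ in range(length):
        bits.append(hardcore(x))
        x = f(x)
    return bits


def bbs_generator(p, q, seed, length):
    """Blum-Blum-Shub: f(x) = x^2 mod N with N = pq, b(x) = least significant bit of x.
    Assumed here: p and q are Blum primes (≡ 3 mod 4), so squaring permutes the quadratic
    residues mod N, and x_0 = seed^2 mod N so the walk starts inside that set."""
    if not (is_blum_prime(p) and is_blum_prime(q)):
        raise ValueError("p and q must be primes congruent to 3 mod 4")
    N = p * q
    if math.gcd(seed, N) != 1:
        raise ValueError("seed must be coprime to N")
    x0 = seed * seed % N
    return blum_micali(lambda x: x * x % N, lambda x: x & 1, x0, length)


def bits_to_bytes(bits):
    """Pack a bit list (most significant bit first) into bytes, e.g. for use as a keystream."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


if __name__ == "__main__":
    # Toy parameters (N = 11 * 19 = 209); a real deployment needs N of RSA size.
    print(bbs_generator(11, 19, 3, 16))
```

With $N = 209$ and seed $3$ the walk is $x_0 = 9, 81, 82, 36, 42, 92, 104, 157, \ldots$, whose low bits give $1,1,0,0,0,0,0,1$; a modulus this small is only for tracing the construction by hand, since factoring $N$ recovers the whole sequence.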

Page 43:

Stream ciphers

Encryption schemes based on pseudorandom generators.

$G$: a pseudorandom generator with expansion factor $l$.

Key generation: on input $1^n$, generates a key $k \leftarrow_u \{0,1\}^n$.

Encryption: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{l(n)}$, ciphertext $c := E_k(m) := m \oplus G(k)$.

Decryption: on input a key $k$ and a ciphertext $c$, $m := c \oplus G(k)$.

(New keys for new messages.)

Different pseudorandom generators yield different stream ciphers.

Page 44:

Security of stream ciphers

Theorem: If a truly pseudorandom generator $G(k)$ is used, and the input key $k$ is randomly generated and used only once, then the stream cipher is polynomially single-ciphertext-indistinguishable against eavesdroppers.

Page 45:

Security of stream ciphers (intuition)

If encrypting with a truly random string $r$: $E_r(m) = m \oplus r$.
• cannot tell between $E_r(m_0)$ and $E_r(m_1)$
$\Rightarrow$ absolutely single-ciphertext-indistinguishable.

If a pseudorandom string $G(s)$ is used instead: $E_s(m) = m \oplus G(s)$.
• cannot tell between $r$ and $G(s)$ except for a negligible fraction of cases
• cannot tell between $E_s(m_0)$ and $E_s(m_1)$ except for a negligible fraction of cases
$\Rightarrow$ computationally single-ciphertext-indistinguishable.

Page 46:

Security of stream ciphers (proof sketch)

By contradiction. Will show:

If the stream cipher is not computationally single-ciphertext-indistinguishable, then the "pseudorandom" generator $G$ used in the stream cipher is not truly pseudorandom.

If there exists an adversary $A$ that can successfully attack the stream cipher with significant probability, then there exists a distinguisher $D$ that can successfully distinguish between random strings $r$ and "pseudorandom" strings $G(s)$ with significant probability $\Rightarrow$ $G$ is not truly pseudorandom.

Page 47:

Assume the stream cipher is not computationally single-ciphertext-indistinguishable; then there exist an adversary $A$, a polynomial $p(n)$, infinitely many integers $n$, and messages $m_0$ and $m_1$ of length $l(n)$, such that

$\Pr\big[A(m_0, m_1, m_b \oplus G(s)) = b : b \leftarrow_u \{0,1\},\ s \leftarrow_u \{0,1\}^n\big] \ge \dfrac{1}{2} + \dfrac{1}{p(n)}.$

Construct a distinguisher $D$:

Given a string $w \in \{0,1\}^{l(n)}$, $D$ tells whether $w$ is random or pseudorandom as follows.
Let $b \leftarrow_u \{0,1\}$, $c := m_b \oplus w$, and $b' \leftarrow A(m_0, m_1, c)$.
If $b' = b$, then return 1, else return 0.

Page 48:

Distinguisher $D$ (as a diagram):
• input $w$; choose $b \leftarrow_u \{0,1\}$; compute $c := m_b \oplus w$;
• feed $(m_0, m_1, c)$ to $A$, the adversary against the stream cipher, which outputs $b'$;
• if $A$ succeeds ($b' = b$), output 1; if $A$ fails, output 0.

$\Pr[D(w) = 1] = \Pr[A \text{ succeeds}] = \begin{cases} 1/2 & \text{if } w \text{ is truly random} \\ \ge 1/2 + 1/p(n) & \text{if } w \text{ is pseudorandom} \end{cases}$

$D$ can distinguish between random and pseudorandom strings with probability significantly better than $1/2$ $\Rightarrow$ $G$ is not pseudorandom.

Page 49:

In More Detail

$\Pr\big[D(w) = 1 : w \leftarrow_u \{0,1\}^{l(n)}\big] = \Pr\big[A(m_0, m_1, m_b \oplus w) = b : b \leftarrow_u \{0,1\},\ w \leftarrow_u \{0,1\}^{l(n)}\big] = \dfrac{1}{2}$
(since $m_b \oplus w$ is uniform and independent of $b$).

$\Pr\big[D(w) = 1 : w := G(s),\ s \leftarrow_u \{0,1\}^n\big] = \Pr\big[A(m_0, m_1, m_b \oplus w) = b : w := G(s),\ s \leftarrow_u \{0,1\}^n,\ b \leftarrow_u \{0,1\}\big] \ge \dfrac{1}{2} + \dfrac{1}{p(n)}.$

$\Big|\Pr\big[D(w) = 1 : w \leftarrow_u \{0,1\}^{l(n)}\big] - \Pr\big[D(w) = 1 : w := G(s),\ s \leftarrow_u \{0,1\}^n\big]\Big| \ge \dfrac{1}{p(n)}$

$\Rightarrow$ $G$ is not a truly pseudorandom generator.

Page 50:

Encrypting multiple messages with a single key

Stream ciphers require a new key for each plaintext (or they are not secure).

In practice, Alice and Bob wish to share a permanent key $k$ and use it to encrypt many messages. One possible strategy:

Derive from $k$ a new key $k'$ for each message.

For example, to send a message $m$, Bob generates a random string $r$ and uses $k' = k \oplus r$ as a seed to the pseudorandom generator $G$.

Include $r$ in the ciphertext, i.e., $c := E_k(m) := (r,\ m \oplus G(k \oplus r))$.

It is probabilistic!

Unfortunately, the resulting scheme is not necessarily secure: the pseudorandom-generator definition only promises anything for a uniformly random, independently chosen seed, and the seeds $k \oplus r$ are neither independent of each other nor hidden from an eavesdropper who sees $r$.
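An added example serving pages 31, 43 and 50 (it is not code from the slides). It implements the page-43 stream cipher with SHAKE128 standing in for $G$ (an assumed instantiation, used as an extendable-output function so the keystream can be any length), shows the page-31 failure when one key is reused, and then demonstrates the page-50 caveat with a generator $G'(s_1 \| s_2) = H(s_1) \| s_2$ that still satisfies the pseudorandom-generator definition for a uniform seed but copies half of the seed $k \oplus r$ into the keystream, so an eavesdropper holding two ciphertexts recovers $m_1 \oplus m_2$ on that half without the key. All keys, nonces and messages are constructed fixed values so the run is reproducible.

```python
import hashlib


def prg(seed: bytes, length: int) -> bytes:
    """G(seed) with expansion factor 'length': SHAKE128 as an extendable-output function.
    Assumed instantiation; it is only claimed secure for a uniformly random, single-use seed."""
    return hashlib.shake_128(seed).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Page-43 stream cipher: c = m XOR G(k). Decryption is the same operation."""
    return xor(msg, prg(key, len(msg)))


stream_decrypt = stream_encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Page-31 failure: two ciphertexts under one key yield m1 XOR m2 with no key at all."""
    return xor(c1, c2)


def leaky_prg(seed: bytes, length: int) -> bytes:
    """G'(s1 || s2) = H(s1) || s2. For a uniformly random seed this is still a pseudorandom
    generator (s2 is uniform and independent of H(s1)), yet it writes half of its seed
    straight into the keystream."""
    half = len(seed) // 2
    return prg(seed[:half], length - half) + seed[half:]


def derived_encrypt(key: bytes, msg: bytes, r: bytes, G=leaky_prg):
    """Page-50 strategy: per-message seed k XOR r, with r sent in the clear."""
    return r, xor(msg, G(xor(key, r), len(msg)))


def eavesdrop_tail_xor(ct1, ct2, n: int) -> bytes:
    """Eavesdropper-only computation on (r1, c1), (r2, c2) produced with leaky_prg:
    tail(c1) ^ tail(c2) ^ tail(r1) ^ tail(r2) = tail(m1) ^ tail(m2), where the tail is
    the last n/2 bytes and n is the seed length. The key cancels out."""
    (r1, c1), (r2, c2) = ct1, ct2
    half = n // 2
    return xor(xor(c1[-half:], c2[-half:]), xor(r1[half:], r2[half:]))


def demo():
    # Constructed fixed values; a real key comes from secrets.token_bytes(16).
    key = bytes(range(16))
    m1 = b"attack at dawn, bring the ledger"   # 32 bytes
    m2 = b"retreat at dusk, burn the ledger"   # 32 bytes
    r1 = bytes.fromhex("00112233445566778899aabbccddeeff")
    r2 = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    c1, c2 = stream_encrypt(key, m1), stream_encrypt(key, m2)   # same key twice: the page-31 mistake
    ct1, ct2 = derived_encrypt(key, m1, r1), derived_encrypt(key, m2, r2)
    return {
        "round_trip": stream_decrypt(key, c1) == m1,
        "two_time_pad": two_time_pad_leak(c1, c2) == xor(m1, m2),
        "derived_seed_tail_leak": eavesdrop_tail_xor(ct1, ct2, len(key)) == xor(m1[-8:], m2[-8:]),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `leaky_prg` is that nothing in the pseudorandom-generator definition rules it out, so "$G$ is a PRG" alone cannot make the page-50 scheme multiple-ciphertext-indistinguishable; a proof would need a stronger property of $G$ (for instance pseudorandomness under related seeds, or a pseudorandom function keyed by $k$ and applied to $r$).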

Page 51:

Using stream ciphers in a session

At the beginning of a session, Alice and Bob agree on two keys $k_1$ and $k_2$ (called session keys).

Alice and Bob each run $G(k_1)$ and $G(k_2)$ to get two (long enough) pseudorandom strings, say $PS_1$ and $PS_2$.

Alice encrypts her sequence of messages $m_1, m_2, m_3, \ldots$ as $c_1, c_2, c_3, \ldots := (m_1, m_2, m_3, \ldots) \oplus PS_1$, i.e., $m_1 \| m_2 \| m_3 \| \cdots$ is XORed with successive, non-overlapping segments of $PS_1$.

Bob uses $PS_2$ for encryption.

This calls for online pseudorandom generators, which produce the keystream incrementally as it is needed.

Page 52:

The RC4 Stream Cipher

• Historically the most popular stream cipher
• Simple and fast
• Used in many standards
• Actually not a cipher, but a practical, approximate pseudorandom generator.
• Not truly pseudorandom.
• Designed by Ron Rivest in 1987 for RSA Security, and kept as a trade secret until leaked out in 1994.

Page 53:

RC4

Two vectors of 256 bytes:
$S[0], S[1], S[2], \ldots, S[255]$
$T[0], T[1], T[2], \ldots, T[255]$

Input key (seed) $K$: variable length, 1 to 256 bytes.

Initialization:
1. $S[i] := i$, for $0 \le i \le 255$
2. $T[0..255] := K, K, \ldots$ (until filled up)

Page 54: RC4: Initial Permutation

Initial permutation of $S$:
    j := 0
    for i := 0 to 255 do
        j := (j + S[i] + T[i]) mod 256
        Swap S[i], S[j]

Idea: swap bytes in a way that depends on the input key.

After this step, the input key will not be used.

Page 55: RC4: Key Stream Generation

Key stream generation:
    i, j := 0
    while (true)
        i := (i + 1) mod 256
        j := (j + S[i]) mod 256
        Swap S[i], S[j]
        t := (S[i] + S[j]) mod 256
        output S[t]

Idea: systematically keep swapping and producing output bytes.

Page 56: Security of RC4

• RC4 is not a truly pseudorandom generator.
• The keystream generated by RC4 is biased.
  – The second byte is biased toward zero with high probability.
  – The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
  – Called "RC4-drop[n-bytes]".
  – Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
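The key scheduling and keystream generation of pages 53 to 55, together with the drop-n defense above, as an added Python example (this is not code from the lecture notes). `rc4_ksa` and `rc4_keystream` follow the pseudocode on those pages; `drop` implements RC4-drop[n]. The test vectors in the `__main__` block are the published RC4 vectors for the keys "Key", "Wiki" and "Secret". `second_byte_zero_fraction` draws random 16-byte keys (constructed here) and measures how often the second keystream byte is zero; an ideal generator would give 1/256, and the measured value is close to 2/256, which is the bias the slide refers to.

```python
import random


def rc4_ksa(key: bytes) -> list:
    """Key scheduling (pages 53-54): S starts as the identity, T is the key repeated,
    and 256 key-dependent swaps permute S. After this the key is never used again."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Keystream generation (page 55). With drop > 0 this is RC4-drop[drop]: the generator
    runs as usual but the first `drop` output bytes are thrown away (the page-56 defense)."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for count in range(drop + n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        if count >= drop:
            out.append(S[t])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Stream-cipher use: XOR the data with the keystream. Encryption and decryption coincide."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_fraction(trials: int, seed: int = 1) -> float:
    """Estimate Pr[second keystream byte == 0] over random 16-byte keys (constructed here).
    An ideal generator gives 1/256; RC4 gives roughly 2/256, the bias noted on page 56."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.randrange(256) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())            # bbf316e8d940af0ad3
    frac = second_byte_zero_fraction(8000)
    print(f"Pr[second byte == 0] is about {frac * 256:.2f}/256 (ideal: 1/256)")
```

Dropping the first n bytes removes the early-byte weakness the slide describes, but it does not turn RC4 into a pseudorandom generator in the sense of the definitions in this course; the bias measurement above is exactly the kind of statistical check a distinguisher would run.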

Page 57: The Use of RC4 in WEP

• WEP is an RC4-based protocol for encrypting data transmitted over an IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 40 or 104-bit long-term key and a random 24-bit R.

RC4 key:      | Long-term key (40 or 104 bits) | R (24 bits) |

802.11 Frame: | Header | R | Message | CRC |   (Message and CRC are encrypted)

Page 58: WEP is not secure

• Mainly because of its way of constructing the key
• Can be cracked in a minute
• http://eprint.iacr.org/2007/120.pdf

Page 59: Summary

Vernam's one-time pad is absolutely single-ciphertext-indistinguishable.

The pad here is truly random and used only once.

A stream cipher is a practical implementation of Vernam's one-time pad.

The pad is pseudorandom (depending on a short key) and used only once.

It is polynomially single-ciphertext-indistinguishable.

Question: How to use a short key to encrypt multiple messages?

Question: How about using a secret pseudorandom generator?

Page 60: Theory of Block Ciphers

Encryption schemes using pseudorandom functions or permutations

Reading: Sections 3.5-3.7 of Katz & Lindell

Page 61: Motivation and basic idea

Let $H_n$ be the set of all functions $f: \{0,1\}^n \to \{0,1\}^n$.

How many such functions are there?

There are 2 choices (0 or 1) for each of $n 2^n$ bits. So, there are $2^{n 2^n}$ different functions. I.e., $|H_n| = 2^{n 2^n}$.

Now, suppose Alice and Bob randomly choose a function $f \in H_n$, and use $f$ as their secret key.

To encrypt a message $m \in \{0,1\}^n$, randomly choose a string $r \in \{0,1\}^n$, and encrypt $m$ as $c := (r,\ m \oplus f(r))$.

To decrypt $(r, m')$, where $m' = m \oplus f(r)$, compute $m := m' \oplus f(r)$.

The secret key here is the function $f$.

Page 62: Motivation and basic idea (continued)

Question: what's the length of the key $f$?

Since $|H_n| = 2^{n 2^n}$, we need a string of $\log_2 |H_n| = n 2^n$ bits to name/label a function in $H_n$. That is infeasible.

Solution: Choose a "small" subset $F_n \subseteq H_n$ such that $F_n$ is indistinguishable from $H_n$ by any polynomial-time distinguisher.

$F_n$ is said to be a set of pseudorandom functions. Or, $F_n$ is a pseudorandom set of functions.

Then, randomly picking a function from $F_n$ (as the encryption key) will be almost as good as randomly picking a function from $H_n$.

Let $F_n$ contain no more than $2^n$ elements. Then the key length will only be $n$.

Page 63: Definition of pseudorandom functions

Let $l(n)$ be a polynomial. For instance, $l(n) = n$.

Let $H_n :=$ the set of all functions $h: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$, and let $F_n \subseteq H_n$.

$F_n$ is a set of $l(n)$-bit pseudorandom functions if for every polynomial-time distinguisher $D$, it holds that

$$\bigl|\,\Pr[D^{f}(1^n) = 1 : f \leftarrow_u F_n] - \Pr[D^{h}(1^n) = 1 : h \leftarrow_u H_n]\,\bigr| \le \mathrm{negl}(n).$$

Remarks:

The running time of $D$ is polynomial in $n$, the input size.

$D$ is equipped with an "oracle" $f(\cdot)$ which $D$ can query about the value of $f(x)$ for various $x$. The running time of each query is 1. (May regard $f(\cdot)$ as a subroutine.)

Page 64: Definition of pseudorandom functions (continued)

In the above definition, we actually were talking about two ensembles of functions: $H = \{H_n\}_{n \in N}$ and $F = \{F_n\}_{n \in N}$.

Examples:

$F_n := \{\, h \in H_n : h(0^{l(n)}) = 0^{l(n)} \,\}$. Distinguishable. Let $D^h(1^n) := 1$ if $h(0^{l(n)}) = 0^{l(n)}$, and $0$ otherwise.

$F_n := \{\, h \in H_n : h(x) = x \text{ for all } x \in \{0,1\}^{l(n)} \,\}$.

Page 65: Constructing pseudorandom functions

A set of $l(n)$-bit pseudorandom functions can be constructed from a pseudorandom generator.

For simplicity, assume $l(n) = n$.

Let $G: \{0,1\}^n \to \{0,1\}^{2n}$ be a pseudorandom generator.

Write $G(s) = G_0(s)\,G_1(s)$, where $G_0(s)$ and $G_1(s)$ are the first and second halves of $G(s)$.

For all $k \in \{0,1\}^n$ and $r = b_1 b_2 \cdots b_n \in \{0,1\}^n$, define
$$f_k(r) = G_{b_n}(\cdots G_{b_3}(G_{b_2}(G_{b_1}(k))) \cdots).$$

A set of pseudorandom functions:
$$F_n = \{\, f_k : \{0,1\}^n \to \{0,1\}^n \;\mid\; k \in \{0,1\}^n \,\}.$$

Page 66: Constructing pseudorandom functions (continued)

[Figure: a binary tree rooted at $k$; each left edge applies $G_0$ and each right edge applies $G_1$. Leaves shown: $f_k(000)$, $f_k(110)$, $f_k(111)$.]

Each leaf represents an $f_k(r)$, with $r$ specifying the path from the root to that leaf.

Page 67: Permutations

A function $f: X \to X$ is called a permutation if it is bijective (one-to-one and onto).

We are interested in permutations $f: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$.

Page 68: Pseudorandom permutations

Let $l(n)$ be a polynomial. For instance, $l(n) = n$.

Let $H_n :=$ the set of all permutations $h: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$, and let $F_n \subseteq H_n$ be a subset.

$F_n$ is a set of $l(n)$-bit pseudorandom permutations if for every polynomial-time distinguisher $D$, it holds that

$$\bigl|\,\Pr[D^{f}(1^n) = 1 : f \leftarrow_u F_n] - \Pr[D^{h}(1^n) = 1 : h \leftarrow_u H_n]\,\bigr| \le \mathrm{negl}(n).$$

Pseudorandom permutations can be constructed from pseudorandom functions using Feistel networks (next slide).

Page 69: Constructing pseudorandom permutations (skipped)

Let $F_n := \{\, f_k : k \in \{0,1\}^n \,\}$ be a set of $l(n)$-bit pseudorandom functions, where $l(n)$ is a fixed polynomial.

For every key $k \in \{0,1\}^{3n}$, parse it as $(k_1, k_2, k_3)$ with each $k_i$ of length $n$.

Use the three pseudorandom functions $f_{k_1}, f_{k_2}, f_{k_3}$ in a 3-round Feistel network. This yields a permutation $p_{k_1 k_2 k_3}: \{0,1\}^{2 l(n)} \to \{0,1\}^{2 l(n)}$.

Theorem: The set of all such permutations
$$P_n := \{\, p_{k_1 k_2 k_3} : k_1, k_2, k_3 \in \{0,1\}^n \,\}$$
is a set of pseudorandom permutations.

Page 70: Encrypting data blocks using pseudorandom functions

Let $F_n = \{\, f_k : k \in \{0,1\}^n \,\}$ be a set of $l(n)$-bit pseudorandom functions or permutations. ($l(n)$ is a fixed polynomial.)

Key space: $K = \{0,1\}^n$. Key length $= n$.

Message space: $M = \{0,1\}^{l(n)}$. Block size $= l(n)$. (A string of a fixed size is called a block.)

Key generation algorithm $G$: on input $1^n$, outputs $k \leftarrow_u \{0,1\}^n$.

Encryption algorithm $E$: On input $m \in M$ and key $k$, randomly generates a string $r \leftarrow_u \{0,1\}^{l(n)}$ and outputs ciphertext $c := (r,\ f_k(r) \oplus m)$. (Note: $E(k, m)$ is a probabilistic algorithm.)

Note: $f_k(r)$ is used as a mask (pseudorandom string) to hide $m$.

Decryption is trivial.
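Pages 65 and 70 describe one pipeline: build $f_k$ from a length-doubling generator by walking a binary tree, then use $f_k(r)$ with a fresh random $r$ as a mask for each block. The Python below, written for these notes and not taken from them, implements that pipeline and also the per-block extension to longer messages that the next page describes. Assumptions made here: $n$ is 16 bytes rather than $n$ bits; SHA-256 stands in for the pseudorandom generator $G$ (its 32-byte output is split into $G_0$ and $G_1$); and the padding rule (append $p$ copies of the byte $p$) is a choice of this example, since the notes only say that the message is padded to a multiple of the block size.

```python
import hashlib
import os

N = 16  # n in bytes for this demo; key, PRF input and PRF output all have this length


def prg(s: bytes) -> bytes:
    """Length-doubling generator G: {0,1}^n -> {0,1}^{2n}.
    Assumption of this example: SHA-256 of the seed stands in for a proven PRG."""
    assert len(s) == N
    return hashlib.sha256(s).digest()          # 32 bytes = 2N


def g0(s: bytes) -> bytes:
    return prg(s)[:N]                          # G_0(s): first half of G(s)


def g1(s: bytes) -> bytes:
    return prg(s)[N:]                          # G_1(s): second half of G(s)


def bits_of(r: bytes):
    """Yield b_1, b_2, ..., b_n (most significant bit of each byte first)."""
    for byte in r:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def ggm_prf(k: bytes, r: bytes) -> bytes:
    """f_k(r) = G_{b_n}( ... G_{b_2}(G_{b_1}(k)) ... ): start at the root k and go
    left (G_0) or right (G_1) for each bit of r; the leaf reached is the output."""
    assert len(k) == N and len(r) == N
    s = k
    for b in bits_of(r):
        s = g1(s) if b else g0(s)
    return s


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(k: bytes, m: bytes, r: bytes = None):
    """Page-70 scheme: c := (r, f_k(r) XOR m) with a fresh random r per block."""
    if r is None:
        r = os.urandom(N)
    return r, xor(ggm_prf(k, r), m)


def decrypt_block(k: bytes, c) -> bytes:
    r, masked = c
    return xor(ggm_prf(k, r), masked)


def pad(m: bytes) -> bytes:
    p = N - len(m) % N            # always 1..N bytes, so unpad is unambiguous (choice made here)
    return m + bytes([p]) * p


def unpad(p: bytes) -> bytes:
    return p[:-p[-1]]


def encrypt_message(k: bytes, m: bytes):
    """Arbitrary-length variant: pad, split into N-byte blocks, fresh r_i for every block.
    The ciphertext is twice as long as the padded message, which is what motivates modes of operation."""
    p = pad(m)
    return [encrypt_block(k, p[i:i + N]) for i in range(0, len(p), N)]


def decrypt_message(k: bytes, c) -> bytes:
    return unpad(b"".join(decrypt_block(k, blk) for blk in c))


if __name__ == "__main__":
    key = os.urandom(N)
    ct = encrypt_message(key, b"Encrypting variable-length messages")
    print(len(ct), "blocks, each a pair (r_i, f_k(r_i) XOR m_i)")
    print(decrypt_message(key, ct))
```

Evaluating $f_k$ costs $n$ generator calls, one per bit of the input, which is why this construction is a proof of feasibility rather than what practical block ciphers do; the tree structure is also visible in the tests, where an all-zero input follows the left spine and an all-one input the right spine.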

Page 71: Encrypting variable-length messages

Now let's see how to encrypt a message of arbitrary length using a pseudorandom function or permutation.

Let $b = l(n)$ be the block size.

Encryption algorithm $E$: On input $m \in \{0,1\}^*$ and key $k$,

Pad the message $m$ so that its length is a multiple of $b$ (block size).

Divide the padded message into blocks of size $b$, say $m = m_1 m_2 \cdots m_t$.

Let $r_1, r_2, \ldots, r_t \leftarrow_u \{0,1\}^b$, and use $f_k(r_1), \ldots, f_k(r_t)$ as masks.

The ciphertext is
$$c := (r_1,\ f_k(r_1) \oplus m_1),\ (r_2,\ f_k(r_2) \oplus m_2),\ \ldots,\ (r_t,\ f_k(r_t) \oplus m_t).$$

Page 72: Modes of operation

The above encryption scheme doubles the message size.

More efficient ways to do it, traditionally called modes of operation (of block ciphers).

Idea: compute $r_1, r_2, \ldots, r_t$ from some initial value, say, $r_0$.

Important modes of operation include:
    Counter mode (CTR mode)
    Output feedback mode (OFB mode)
    Cipher feedback mode (CFB mode)
    Cipher block chaining mode (CBC mode)

CBC requires the underlying $f_k$ to be a pseudorandom permutation.

The other three modes work for both functions and permutations.

Page 73: Counter mode (CTR)

Idea: Instead of choosing $t$ random strings $r_1, r_2, \ldots, r_t$, choose just one string $r$, and let $r_{i+1} := r + i$ for $0 \le i \le t - 1$.

Thus, to encrypt a padded message $m$ with key $k$:

Divide $m$ into blocks of size $b$, say, $m = m_1 m_2 m_3 \cdots m_t$.

Choose a random string $r \leftarrow_u \{0,1\}^b$.

Encrypt $m$ as
$$c := (r,\ f_k(r) \oplus m_1,\ f_k(r + 1) \oplus m_2,\ \ldots,\ f_k(r + t - 1) \oplus m_t).$$

In the literature, the string $r$ is called an Initialization Vector (IV).

Page 74: Output feedback mode (OFB)

Idea: Let $r_0 = \mathrm{IV}$, and use $r_1, r_2, \ldots, r_t$ (i.e., $f_k(r_0), f_k(r_1), \ldots, f_k(r_{t-1})$) as masks.

More precisely, to encrypt a padded message $m$ with key $k$:

Divide $m$ into blocks of size $b$, say, $m = m_1 m_2 m_3 \cdots m_t$.

Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.

Encrypt $m$ as
$$c := (r_0,\ f_k(r_0) \oplus m_1,\ \ldots,\ f_k(r_{t-1}) \oplus m_t),$$
or equivalently,
$$c := (r_0,\ r_1 \oplus m_1,\ \ldots,\ r_t \oplus m_t),$$
where $r_0 := \mathrm{IV}$, and $r_i := f_k(r_{i-1})$ for $1 \le i \le t$.

Page 75: Cipher feedback mode (CFB)

Idea: Similar to OFB, but now the strings $r_1, r_2, \ldots, r_t$ are chosen to be $r_i := c_{i-1}$ for $1 \le i \le t$, where $c_0 := \mathrm{IV}$, and $c_{i-1}$ is the previous cipher block.

Thus, to encrypt a padded message $m$ with key $k$:

Let $m = m_1 m_2 m_3 \cdots m_t$.

Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.

Encrypt $m$ as $c := c_0 c_1 c_2 c_3 \cdots c_t$, where
$$c_0 := \mathrm{IV}, \qquad c_i := f_k(c_{i-1}) \oplus m_i \ \text{ for } 1 \le i \le t.$$

Page 76: Cipher block chaining mode (CBC)

Suppose $m = m_1 m_2 m_3 \cdots m_t$.

CTR, OFB, CFB are based on the idea of encrypting $m$ as:
$$c := (r_1,\ f_k(r_1) \oplus m_1),\ (r_2,\ f_k(r_2) \oplus m_2),\ \ldots,\ (r_t,\ f_k(r_t) \oplus m_t).$$

By contrast, CBC is based on the idea of encrypting $m$ as:
$$c := (r_1,\ f_k(r_1 \oplus m_1)),\ (r_2,\ f_k(r_2 \oplus m_2)),\ \ldots,\ (r_t,\ f_k(r_t \oplus m_t)).$$

Note: this approach requires $f_k$ to be a permutation.

Like in CFB, the strings $r_1, r_2, \ldots, r_t$ in CBC are chosen to be $r_i := c_{i-1}$ for $1 \le i \le t$, where $c_0 := \mathrm{IV}$, and $c_{i-1}$ is the previous cipher block.

Page 77: Cipher block chaining mode (CBC) (continued)

Let $f_k$ be a pseudorandom permutation.

To encrypt a padded message $m$ using $f_k$:

Let $m = m_1 m_2 m_3 \cdots m_t$.

Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.

Encrypt $m$ as $c := c_0 c_1 c_2 c_3 \cdots c_t$, where
$$c_0 := \mathrm{IV}, \qquad c_i := f_k(c_{i-1} \oplus m_i) \ \text{ for } 1 \le i \le t.$$

Note: Decryption requires $f_k$ to be invertible (i.e., a permutation).

Traditionally, the term "block cipher" refers to a pseudorandom permutation.

Page 78: Electronic codebook mode (ECB)

Suppose $f_k$ is a pseudorandom permutation.

Encrypt $m := m_1 m_2 m_3 \cdots m_t$ as
$$c := f_k(m_1)\, f_k(m_2)\, f_k(m_3) \cdots f_k(m_t).$$

The resulting scheme is not ciphertext-indistinguishable.

Used only for sending a short message (in a single block).

Page 79: Some properties

• In CTR and OFB modes, transmission errors to a block $c_i$ affect only the decryption of that block; other blocks are not affected.
  – useful for communications over an unreliable channel.
• In CBC and CFB modes, changes to a block $m_i$ will affect $c_i$ and all subsequent ciphertext blocks.
  – These modes may be used to produce message authentication codes (MAC).
• In CTR mode, blocks can be encrypted (or decrypted) in parallel or in a "random access" fashion.
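The Feistel construction of page 69 and the five modes of pages 73 to 78, as an added Python example (not the notes' own code). The permutation is a 3-round Feistel network whose round functions $f_{k_1}, f_{k_2}, f_{k_3}$ are HMAC-SHA256 truncated to half a block, an assumption standing in for a proven pseudorandom function; the 16-byte block, the 48-byte key split into three 16-byte round keys, and the padding rule are choices of this example. CBC decryption is the only place `prp_decrypt` is called, which is the page-77 point that CBC needs a permutation; CTR, OFB, CFB and ECB only ever evaluate $f_k$ forwards. `repeated_blocks` makes the ECB weakness of page 78 visible: equal plaintext blocks give equal ciphertext blocks under ECB, while the IV-based modes produce no repeats.

```python
import hashlib
import hmac
import os

BLOCK, HALF = 16, 8            # block = 2*l(n) bytes; each round function maps l(n) = 8 bytes to 8 bytes
MASK = (1 << (8 * BLOCK)) - 1  # CTR counters are added mod 2^128


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k, x):
    # f_k stand-in (assumption of this example): HMAC-SHA256 truncated to one half block
    return hmac.new(k, x, hashlib.sha256).digest()[:HALF]


def prp_encrypt(key, block):
    # 3-round Feistel network (page 69); key is k_1 || k_2 || k_3, 16 bytes each
    L, R = block[:HALF], block[HALF:]
    for ki in (key[:16], key[16:32], key[32:48]):
        L, R = R, xor(L, prf(ki, R))
    return L + R


def prp_decrypt(key, block):
    # rounds undone in reverse order: this is what makes a Feistel network a permutation
    L, R = block[:HALF], block[HALF:]
    for ki in (key[32:48], key[16:32], key[:16]):
        L, R = xor(R, prf(ki, L)), L
    return L + R


def pad(m):                      # append p copies of byte p, 1 <= p <= BLOCK (a choice made here)
    p = BLOCK - len(m) % BLOCK
    return m + bytes([p]) * p


def unpad(p):
    return p[:-p[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def iv_or_random(iv):
    return os.urandom(BLOCK) if iv is None else iv


def ecb_encrypt(k, m):           # page 78: no IV; equal plaintext blocks give equal ciphertext blocks
    return b"".join(prp_encrypt(k, b) for b in blocks(pad(m)))


def ecb_decrypt(k, c):
    return unpad(b"".join(prp_decrypt(k, b) for b in blocks(c)))


def ctr_masks(k, iv, n):         # page 73: f_k(r), f_k(r+1), ..., f_k(r+n-1)
    r = int.from_bytes(iv, "big")
    return [prp_encrypt(k, ((r + i) & MASK).to_bytes(BLOCK, "big")) for i in range(n)]


def ofb_masks(k, iv, n):         # page 74: r_i = f_k(r_{i-1}), r_0 = IV
    out, r = [], iv
    for _ in range(n):
        r = prp_encrypt(k, r)
        out.append(r)
    return out


def mask_encrypt(masks, k, m, iv=None):   # CTR and OFB share this shape: c = IV, r_1 xor m_1, ...
    iv = iv_or_random(iv)
    ms = blocks(pad(m))
    return iv + b"".join(xor(r, b) for r, b in zip(masks(k, iv, len(ms)), ms))


def mask_decrypt(masks, k, c):
    cs = blocks(c)
    return unpad(b"".join(xor(r, b) for r, b in zip(masks(k, cs[0], len(cs) - 1), cs[1:])))


def ctr_encrypt(k, m, iv=None):
    return mask_encrypt(ctr_masks, k, m, iv)


def ctr_decrypt(k, c):
    return mask_decrypt(ctr_masks, k, c)


def ofb_encrypt(k, m, iv=None):
    return mask_encrypt(ofb_masks, k, m, iv)


def ofb_decrypt(k, c):
    return mask_decrypt(ofb_masks, k, c)


def cfb_encrypt(k, m, iv=None):  # page 75: c_i = f_k(c_{i-1}) xor m_i, c_0 = IV
    out = [iv_or_random(iv)]
    for b in blocks(pad(m)):
        out.append(xor(prp_encrypt(k, out[-1]), b))
    return b"".join(out)


def cfb_decrypt(k, c):
    cs = blocks(c)
    return unpad(b"".join(xor(prp_encrypt(k, p), q) for p, q in zip(cs, cs[1:])))


def cbc_encrypt(k, m, iv=None):  # page 77: c_i = f_k(c_{i-1} xor m_i); the only mode needing the inverse
    out = [iv_or_random(iv)]
    for b in blocks(pad(m)):
        out.append(prp_encrypt(k, xor(out[-1], b)))
    return b"".join(out)


def cbc_decrypt(k, c):
    cs = blocks(c)
    return unpad(b"".join(xor(prp_decrypt(k, q), p) for p, q in zip(cs, cs[1:])))


def repeated_blocks(c):          # ciphertext blocks that duplicate an earlier one (ECB leak)
    bs = blocks(c)
    return len(bs) - len(set(bs))
```

The shape of the four IV-based modes in code mirrors the page-76 summary: CTR and OFB compute their masks without looking at the plaintext, CFB feeds the previous ciphertext block back through $f_k$, and CBC feeds it into the input of $f_k$ together with the message block. Only CBC calls `prp_decrypt`; if `prf` were used directly in place of `prp_encrypt` in the other three modes they would still decrypt correctly, which is the page-72 statement that those modes work for functions as well as permutations.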

Page 80: Security of CBC, OFB, CFB, CTR

If $F = \{\, f_k : k \in \{0,1\}^n \,\}_{n \in N}$ is a family of pseudorandom functions or permutations, then OFB, CFB, CTR are secure against chosen-plaintext attacks (CPA-secure).

If $F = \{\, f_k : k \in \{0,1\}^n \,\}_{n \in N}$ is a family of pseudorandom permutations, then CBC is CPA-secure.

Page 81: Chosen-plaintext attacks (CPA)

In the introduction we described CPA as follows:

Given: $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary; and a new ciphertext $c$.

Q: what is the plaintext of $c$?

Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively.

We will describe CPA in terms of oracle and ciphertext-indistinguishability.

Page 82: Chosen-plaintext attacks (CPA)

A CPA against an encryption scheme $(G, E, D)$ is modeled as follows.

1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt messages of her choice.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access and may request the encryptions of additional messages of her choice, even $m_0$ or $m_1$.
5. The adversary finally answers 0 or 1.

Note: The CPA described here is an adaptive CPA.

Page 83: Ciphertext-indistinguishability against CPA

An encryption scheme $(G, E, D)$ is CPA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.

Definition: an encryption scheme $(G, E, D)$ is CPA-secure if for every polynomial-time adversary $A$ it holds that:
$$\bigl|\,\Pr[A^{E_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ m_0, m_1 \in M \text{ chosen by } A] - \Pr[A^{E_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ m_0, m_1 \in M \text{ chosen by } A]\,\bigr| \le \mathrm{negl}(n).$$

Page 84: Chosen-ciphertext attacks (CCA)

In the introduction we also described CCA as follows:

Given: $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary; and a new ciphertext $c$.

Q: what is the plaintext of $c$?

Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively.

We will allow a CCA adversary to also have CPA capability.

(CCA seems harder to perform than CPA; an adversary who can perform CCA probably can also do CPA.)

Page 85: Chosen-ciphertext attacks (CCA)

A CCA on an encryption scheme $(G, E, D)$ is modeled as follows.

1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$.
5. The adversary finally answers 0 or 1.

Page 86: Ciphertext-indistinguishability against CCA

An encryption scheme $(G, E, D)$ is CCA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.

Definition: an encryption scheme $(G, E, D)$ is CCA-secure if for every polynomial-time adversary $A$, it holds that:
$$\bigl|\,\Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ m_0, m_1 \in M \text{ chosen by } A] - \Pr[A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ m_0, m_1 \in M \text{ chosen by } A]\,\bigr| \le \mathrm{negl}(n).$$

Page 87: Remarks

The encryption schemes we have seen so far are not CCA-secure.

Example: consider the scheme $E_k(m) = (r,\ f_k(r) \oplus m)$.

The adversary chooses any two messages $m_0$ and $m_1$.

Let the challenge ciphertext be $(r, c)$, where $c := f_k(r) \oplus m_b$, with $b = 0$ or $1$.

For any nonzero string $\delta$ of the adversary's choice, $(r,\ c \oplus \delta) = (r,\ f_k(r) \oplus (m_b \oplus \delta))$ is a legitimate ciphertext of $m_b \oplus \delta$, and it differs from the challenge ciphertext.

Requesting the oracle to decrypt $(r,\ c \oplus \delta)$, the adversary will get $m_b \oplus \delta$ and hence know the value of $b$.

In practice, if from a ciphertext $c = E_k(m)$ you can produce a ciphertext of some predictable message $m'$, then the encryption scheme is not CCA-secure.

Page 88: Remarks

We will see that:

CPA-secure encryption $+$ secure MAC $\Rightarrow$ CCA-secure encryption.
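The malleability remark of page 87 and the page-88 claim that a secure MAC turns a CPA-secure scheme into a CCA-secure one, as an added Python example (not code from the notes). $f_k$ is HMAC-SHA256 truncated to 16 bytes (an assumption of this example), `malleate` is the ciphertext transformation from page 87 written out, and `encrypt_then_mac` / `verify_then_decrypt` show the encrypt-then-MAC composition, in which the whole ciphertext $(r, f_k(r) \oplus m)$ is tagged under a second key $k_m$ and anything whose tag fails to verify is rejected before decryption. The sample message and the flipped digits are constructed for the demonstration.

```python
import hashlib
import hmac
import os

N = 16  # block length in bytes for this demo


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k: bytes, x: bytes) -> bytes:
    # f_k stand-in (assumption of this example): HMAC-SHA256 truncated to N bytes
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def encrypt(k: bytes, m: bytes, r: bytes = None):
    """E_k(m) = (r, f_k(r) xor m), the scheme of page 87, for one N-byte block m."""
    r = os.urandom(N) if r is None else r
    return r, xor(prf(k, r), m)


def decrypt(k: bytes, c) -> bytes:
    r, masked = c
    return xor(prf(k, r), masked)


def malleate(c, delta: bytes):
    """Page 87 in code: without knowing k, (r, c xor delta) is a valid ciphertext of m xor delta.
    A decryption oracle given this ciphertext reveals m xor delta, and so m."""
    r, masked = c
    return r, xor(masked, delta)


def encrypt_then_mac(ke: bytes, km: bytes, m: bytes, r: bytes = None):
    """Page 88's composition: CPA-secure encryption under ke, then a MAC under a separate key km
    over the entire ciphertext (r and the masked block)."""
    r, masked = encrypt(ke, m, r)
    tag = hmac.new(km, r + masked, hashlib.sha256).digest()
    return r, masked, tag


def verify_then_decrypt(ke: bytes, km: bytes, c):
    """Check the tag first and refuse to decrypt on mismatch, so a malleated ciphertext is never
    decrypted: the decryption oracle of the CCA game gives the adversary nothing."""
    r, masked, tag = c
    expected = hmac.new(km, r + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(ke, (r, masked))


if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)
    m = b"pay 0010 to bob!"                       # 16-byte sample message (constructed)
    delta = xor(m, b"pay 9910 to bob!")           # flips only the two digit positions
    print(decrypt(ke, malleate(encrypt(ke, m), delta)))           # b'pay 9910 to bob!'
    r, masked, tag = encrypt_then_mac(ke, km, m)
    print(verify_then_decrypt(ke, km, (r, xor(masked, delta), tag)))  # None
```

The constant-time comparison `hmac.compare_digest` matters in practice: a tag check that returns early on the first mismatching byte leaks timing information about the expected tag, which would undermine the very property the MAC is there to provide.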

Page 89: Practical Block Ciphers: DES and AES

DES: Data Encryption Standard (covered in 651)

AES: Advanced Encryption Standard

Reading: Chapter 5 of Katz/Lindell

Page 90: Traditional view of block ciphers

A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits.

$M = C = \{0,1\}^n$ and $K = \{0,1\}^r$.

Block length: $n$.

Key length: $r$.

For a fixed key $k \in K$, $E_k: \{0,1\}^n \to \{0,1\}^n$ is a permutation.

Page 91: Another view of block ciphers

All that we need is a pseudorandom permutation.

A block cipher is a pseudorandom ensemble of permutations $F = \{\, f_k : k \in \{0,1\}^n \,\}$, with $M = C = \{0,1\}^{l(n)}$ and $K = \{0,1\}^n$.

Block length: $l(n)$.

Key length: $n$.

For $k \in K$, $f_k: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$ is a permutation.

Page 92: Practical constructions of block ciphers

There are methods to construct block ciphers (pseudorandom permutations) from one-way functions:

One-way functions $\Rightarrow$ pseudorandom generators $\Rightarrow$ pseudorandom functions $\Rightarrow$ pseudorandom permutations.

Slow.

In practice, modern block ciphers are constructed using
    Feistel networks (e.g., DES, covered in CSE 651)
    Substitution-permutation networks (e.g., AES)

Page 93: AES: Advanced Encryption Standard

Finite field: The mathematics used in AES.

Page 94: AES: Advanced Encryption Standard

• In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.
• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.
• In 2000, the Rijndael cipher (by Rijmen and Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• AES allows only one block size: 128 bits.

Page 95: Structure of Rijndael

$N_b$: block size (number of words). For AES, $N_b = 4$.

$N_k$: key length (number of words).

$N_r$: number of rounds, depending on $N_b$, $N_k$.

Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.

state: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.

Key schedule: $N_r + 1$ round keys $key_0, key_1, \ldots, key_{10}$ are computed from the main key $k$.

Page 96: Rijndael algorithm

    input: plaintext m, key k
    state := m
    AddKey(state, key_0)
    for i := 1 to N_r - 1 do
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddKey(state, key_i)
    SubBytes(state)
    ShiftRows(state)
    AddKey(state, key_{N_r})
    return(state)

Page 97: AddKey(state, key_i)

$state := state \oplus key_i$

Page 98: SubBytes(state)

Each byte in state is substituted with another byte according to a table.

Page 99: ShiftRows(state)

Left-shift row $i$ circularly by $i$ bytes, $0 \le i \le 3$.

    a b c d        a b c d
    e f g h   ->   f g h e
    i j k l        k l i j
    m n o p        p m n o

Page 100: MixColumns(state)

Operates on each column of the state matrix.

View each column $(a_0, a_1, a_2, a_3)$ as a polynomial with coefficients in $GF(2^8)$:
$$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0.$$

A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$.

The MixColumns operation maps each column
$$a(x) \;\mapsto\; a(x) \cdot c(x) \bmod (x^4 + 1).$$

Page 101: Rijndael Decryption

Each step of Rijndael encryption is invertible.
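ShiftRows (page 99) and MixColumns (page 100), together with their inverses, as an added Python example (not code from the notes). The arithmetic is the standard $GF(2^8)$ multiplication with the AES reduction polynomial $x^8 + x^4 + x^3 + x + 1$, the state is held as a list of four rows so that the page-99 picture can be reproduced literally, and the inverse of MixColumns multiplies by $d(x) = 0b\,x^3 + 0d\,x^2 + 09\,x + 0e$, the inverse of $c(x)$ modulo $x^4 + 1$, which is what the invertibility claim on this page rests on for that step. The column `db 13 53 45` in the test is the published FIPS-197 MixColumns example.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # xor in the reduction polynomial without its x^8 term
        b >>= 1
    return p


def poly_mul_mod(a: list, c: list) -> list:
    """Multiply a(x) and c(x) over GF(2^8) modulo x^4 + 1. Coefficient lists, index = degree,
    so a column (a_0, a_1, a_2, a_3) is a_3 x^3 + a_2 x^2 + a_1 x + a_0 as on page 100."""
    out = [0] * 4
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(a[i], c[j])   # x^4 = 1 wraps the degree around
    return out


MIX = [0x02, 0x01, 0x01, 0x03]      # c(x) = 03 x^3 + 01 x^2 + 01 x + 02
INV_MIX = [0x0E, 0x09, 0x0D, 0x0B]  # d(x) = c(x)^-1 mod (x^4 + 1) = 0b x^3 + 0d x^2 + 09 x + 0e


def shift_rows(state):
    """Row i rotated left by i bytes (page 99). state is a list of 4 rows of 4 entries."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]


def inv_shift_rows(state):
    """Row i rotated right by i bytes: undoes shift_rows."""
    return [row[-i:] + row[:-i] if i else list(row) for i, row in enumerate(state)]


def _columns(state):
    return [[state[r][c] for r in range(4)] for c in range(4)]


def _from_columns(cols):
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def mix_columns(state, poly=MIX):
    """Apply a(x) -> a(x) * poly(x) mod (x^4 + 1) to every column; poly=INV_MIX inverts the step."""
    return _from_columns([poly_mul_mod(col, poly) for col in _columns(state)])


if __name__ == "__main__":
    letters = [list("abcd"), list("efgh"), list("ijkl"), list("mnop")]
    for row in shift_rows(letters):
        print(" ".join(row))
    print([f"{v:02x}" for v in poly_mul_mod([0xDB, 0x13, 0x53, 0x45], MIX)])  # 8e 4d a1 bc
```

Because $c(x)$ has an inverse modulo $x^4 + 1$ and row rotation is undone by rotating the other way, both steps are bijections on the state; together with the invertible S-box and the self-inverse AddKey this is the whole content of "each step is invertible".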

Page 102: Rijndael key schedule

Round keys are derived from the main key.

Page 103: A Rijndael Animation by Enrique Zabala