Posted on 10-Feb-2022


1

Symmetric-Key Encryption

CSE 5351: Introduction to Cryptography

Reading assignment:
• Chapter 2
• Chapter 3 (sections 3.1-3.4)
• You may skip proofs, but are encouraged to read some of them.

2

This course (figure: layered overview, from foundations at the bottom to applications at the top):
• Computational Difficulty (One-Way Functions)
• Pseudorandom Generators And Functions
• Zero-Knowledge Proof Systems
• Encryption Schemes, Crypto Protocols, Sign/MAC/hash Schemes
• APPLICATIONS (security)

3

Outline
• Theory of symmetric-key encryption
  – What is a symmetric-key encryption scheme?
  – What does it mean by "secure" or "not secure"?
  – How to construct a secure encryption scheme?
• Practical symmetric-key encryption schemes
  – RC4: a stream cipher
  – AES: Advanced Encryption Standard

4

Symmetric-key encryption scheme
• $K$, $M$, $C$: key space, plaintext space, ciphertext space.
• Key generation algorithm $G$: generates keys $k \in K$.
• Encryption algorithm $E: K \times M \to C$.
• Decryption algorithm $D: K \times C \to M$.
• Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.
• $G$, $E$, $D$ are publicly known, and efficiently computable.
• To use the scheme, Alice and Bob run $G$ to generate a key $k \in K$, and keep it secret.
• Question: What is the security requirement?

5

The notion of security
• How to define security?
• Consider ciphertext-only attacks; i.e., the adversary is an eavesdropper.
• Different levels of security: An encryption scheme is secure if, given a ciphertext $c = E_k(m)$, the adversary cannot recover (one of the following):
  1. the secret key $k$
  2. the plaintext $m$
  3. any character of the plaintext
  4. any useful or meaningful information about the plaintext
  5. any information about the plaintext
• We will adopt and formalize the last one (#5).

6

Shannon's notion of perfect secrecy
• Adversary: an eavesdropper with unlimited computing power.
• Encryption scheme: $(G, E, D, K, M, C)$.
• Regard plaintext $m$ and key $k$ as random variables with some probability distributions over $M$ and $K$, respectively. The encryption algorithm $E$ induces a probability distribution over $C$:
  $\Pr(c) = \sum_{m \in M,\, k \in K,\, E_k(m) = c} \Pr(m) \cdot \Pr(k)$.
• For simplicity, and w.l.o.g., assume $\Pr(m) > 0$ and $\Pr(c) > 0$ for all $m \in M$ and $c \in C$.

7

Experiment: Pick a message $m$, a key $k$, and obtain a ciphertext $c$.

Notation:
• $\Pr(m) = \Pr(\mathbf{m} = m)$: probability that message $m$ is picked.
• $\Pr(k) = \Pr(\mathbf{k} = k)$: probability that key $k$ is picked.
• $\Pr(c) = \Pr(\mathbf{c} = c)$: probability that $c$ is the ciphertext $= \sum_{k \in K,\, m \in M,\, E_k(m) = c} \Pr(k) \Pr(m)$.
• $\Pr(c \mid m) = \Pr_k(E_k(m) = c)$ (Pr that $m$ is encrypted as $c$) $= \sum_{k \in K,\, E_k(m) = c} \Pr(k)$.
• $\Pr(m \mid c) = \dfrac{\Pr(m \wedge c)}{\Pr(c)} = \dfrac{\Pr(c \mid m) \Pr(m)}{\Pr(c)}$ (Pr. of $m$ being the message given ciphertext $c$).

8

Shannon's Definition: An encryption scheme is perfectly secret if for every probability distribution over $M$, $\Pr(m \mid c) = \Pr(m)$ for all $m \in M$ and $c \in C$.

Theorem: The following are equivalent:
• $\Pr(m \mid c) = \Pr(m)$ for all $m \in M$ and $c \in C$.
• $\Pr(c \mid m) = \Pr(c)$ for all $m \in M$ and $c \in C$.
• $\Pr(c \mid m) = \Pr(c \mid m')$ for all $m, m' \in M$, $c \in C$.
• $\Pr(E_k(m) = c) = \Pr(E_k(m') = c)$ for all $m, m' \in M$, $c \in C$.

9

Vernam's one-time pad encryption scheme
• $M = K = C = \{0,1\}^n$, $n$ fixed.
• Key generation: $k \leftarrow_u \{0,1\}^n$.
• Encryption algorithm: $c := E_k(m) := m \oplus k$.
• The scheme is perfectly secret (against eavesdroppers).
• To use Vernam's one-time pad, Alice and Bob need to share (in advance) a long enough random key. This is impractical for most applications.

10

Perfect secrecy of Vernam's one-time pad ($n = 1$)
• Distribution of $M$: $\Pr(m = 0) = p_0$, $\Pr(m = 1) = p_1$.
• Distribution of $K$: $\Pr(k = i) = 1/2$ for $i \in \{0,1\}$.
• It is easy to verify that $\Pr(c = j) = 1/2$ for $j \in \{0,1\}$.
• For (fixed) $i, j \in \{0,1\}$, we have
  $\Pr(m = i \mid c = j) = \dfrac{\Pr(m = i,\ c = j)}{\Pr(c = j)} = \dfrac{\Pr(m = i,\ k = i \oplus j)}{\Pr(c = j)} = \dfrac{\Pr(m = i) \cdot \Pr(k = i \oplus j)}{\Pr(c = j)} = \Pr(m = i)$.
• Similar proof for $n > 1$.

11

One-time pad for messages of varying length
• $M = C = \{0,1\}^n \cup \{0,1\}^{i}$ (strings of length $n$ or of a shorter length $i$), $n$ fixed.
• $K = \{0,1\}^n$.
• Key generation: $k \leftarrow_u \{0,1\}^n$.
• Encryption algorithm: $c := E_k(m) := m \oplus k$, where if $m \in \{0,1\}^i$ then only the first $i$ bits of $k$ are used.
• Question: Is it perfectly secret?

12

Shannon's Theorems
• Thm 1: Encryption $E: K \times M \to C$. Necessary condition for perfect secrecy: $|M| \le |C| \le |K|$.
  Thus, if $M = \{0,1\}^n$ and $K = \{0,1\}^l$, then $n \le l$, i.e., keys must be at least as long as messages.
• Thm 2: When $|M| = |K| = |C|$, the encryption scheme is perfectly secret if and only if both of the following hold:
  – Every key is used with equal probability $1/|K|$;
  – For every $m \in M$ and $c \in C$, there is a unique $k \in K$ such that $E_k(m) = c$. (Encrypting a message $m$ with different keys will yield different ciphertexts $c$.)

13

Proof of Thm 1
• $|M| \le |C|$, since for any fixed key $k$, $E_k: M \to C$ is injective.
• To see $|C| \le |K|$, consider any plaintext $m \in M$. Let $C_m := \{c \in C : E_k(m) = c \text{ for some key } k\}$. Clearly, $|C_m| \le |K|$.
  Perfect secrecy $\Rightarrow$ $\Pr(c \mid m) = \Pr(c) > 0$ $\forall c \in C$ $\Rightarrow$ $C_m = C$ $\Rightarrow$ $|K| \ge |C_m| = |C|$.

14

Proof of the necessary and sufficient condition
• Sufficiency: The two conditions $\Rightarrow$ $\Pr(c \mid m) = 1/|K|$ for all $c \in C$, $m \in M$ $\Rightarrow$ Perfect secrecy.
• Necessity: Perfect secrecy $\Rightarrow$ $\Pr(c \mid m) = \Pr(c)$ $\forall c \in C, m \in M$ $\Rightarrow$ $C_m = C$ $\forall m \in M$ ($C_m$ as defined in the last slide) $\Rightarrow$ $\forall m \in M, c \in C$, there is a key $k$ mapping $m$ to $c$. Since $|K| = |C|$, the key $k$ mapping $m$ to $c$ must be unique. This establishes the second condition of the theorem.

15

• To show the first condition, fix a ciphertext $c \in C$. Let $M = \{m_1, \ldots, m_n\}$ and $K = \{k_1, \ldots, k_n\}$, with $m_i$ mapped to $c$ under key $k_i$. Perfect secrecy implies that for all $i$,
  $\Pr(m_i) = \Pr(m_i \mid c) = \dfrac{\Pr(c \mid m_i) \cdot \Pr(m_i)}{\Pr(c)}$ (by Bayes' theorem) $= \dfrac{\Pr(k_i) \cdot \Pr(m_i)}{\Pr(c)}$.
• Thus, $\Pr(k_i) = \Pr(c)$ for all $i$. That is, the key space has a uniform distribution.

16

Use of Shannon's Theorem
• With Shannon's theorem, it is trivial to see that Vernam's one-time pad is perfectly secret.
• It is easy to design another perfectly secret encryption scheme. For example, take Caesar's shift cipher: $K = \{0, 1, \ldots, 25\}$, $M = C = \{a, b, \ldots, z\}$. Key generation: $k \leftarrow_u K$. Encryption: $E_k(m) = (m + k) \bmod 26$.
• This scheme is perfectly secret if a new uniformly generated random key is used for every character. True or false?
• Big problem: how would Alice and Bob agree on a secret key (a long sequence of random characters) in advance?

17

Vigenère Cipher
• Alice and Bob agree on a secret key: e.g., bible. Then use Caesar's cipher with keys "b, i, b, l, e" in turn.
• For instance: ohio state $\to$ $E_b(o)\, E_i(h)\, E_b(i)\, E_l(o)\, E_e(s)\, E_b(t)\, E_i(a)\, E_b(t)\, E_l(e)$
• Of course it is not perfectly secret. (Why not?)
• Can you suggest a strategy to improve the security of the Vigenère cipher?

18

Limitations of Perfect Secrecy
• To achieve perfect secrecy: keys must be as long as messages (if $K = \{0,1\}^l$ and $M = \{0,1\}^n$, then $l \ge n$); a new key must be generated for each message.
• It is desired to use a short key to encrypt multiple messages. To this end, we need to relax the security requirement. Unfortunately, it seems hard to relax the conditions of perfect secrecy.
• We will use a different notion of security that is equivalent to perfect secrecy and can be easily relaxed.

19

Absolute Ciphertext-Indistinguishability
• Imagine an experiment on an encryption scheme $(G, E, D)$:
  – The adversary (Eve) chooses two messages $m_0, m_1$ from the message space, not necessarily of the same length.
  – Bob selects a key $k \leftarrow G$ and a message $m \leftarrow_u \{m_0, m_1\}$. He computes a ciphertext $c \leftarrow E_k(m)$ and gives $c$ to Eve. ($c$ is called the challenge ciphertext.)
  – Eve tries to tell whether $c$ is the encryption of $m_0$ or $m_1$.
• The encryption scheme is absolutely ciphertext-indistinguishable if no adversary can succeed with probability greater than $1/2$.

20

Definition of Absolute Ciphertext-Indistinguishability
• Adversary: an eavesdropper with unlimited computing power.
• Encryption scheme: $(G, E, D, K, M, C)$.
• Distinguishing algorithm: a probabilistic algorithm $A$ that on input $m_0, m_1 \in M$ and $c \in C$ outputs a bit $b \in \{0,1\}$. We model an adversary as a distinguishing algorithm.
• An encryption scheme is absolutely ciphertext-indistinguishable if for every distinguishing algorithm $A$ and every two $m_0, m_1 \in M$,
  $\Pr\left[A(m_0, m_1, E_k(m_b)) = b : b \leftarrow_u \{0,1\},\ k \leftarrow G\right] \le \dfrac{1}{2}$
  or, equivalently,
  $\Pr\left[A(m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G\right] = \Pr\left[A(m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G\right]$.

21

Remark
$\Pr\left[A(m_0, m_1, E_k(m_b)) = b : k \leftarrow G,\ b \leftarrow_u \{0,1\}\right]$
$= \sum_{b \in \{0,1\}} \Pr[b] \cdot \Pr\left[A(m_0, m_1, E_k(m_b)) = b : k \leftarrow G\right]$
$= \sum_{b \in \{0,1\}} \Pr[b] \cdot \sum_{c \in C} \Pr\left[E_k(m_b) = c : k \leftarrow G\right] \cdot \Pr\left[A(m_0, m_1, c) = b\right]$
$= \sum_{b \in \{0,1\},\, c \in C} \Pr[b] \cdot \Pr\left[E_k(m_b) = c\right] \cdot \Pr\left[A(m_0, m_1, c) = b\right]$,
where $\Pr[A(m_0, m_1, c) = b] = \Pr[\text{output of } A \text{ on input } (m_0, m_1, c) \text{ is } b]$.

22

Remark
• The KL book uses $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$ to denote the experiment, where $\Pi$ is the encryption scheme in question and $A$ is the adversary, an eavesdropper. $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$ outputs 1 if the adversary succeeds.
• An encryption scheme $\Pi$ is absolutely ciphertext-indistinguishable if for every distinguishing algorithm $A$,
  $\Pr\left[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1\right] \le \dfrac{1}{2}$.

23

Equivalence of perfect secrecy and absolute ciphertext-indistinguishability
• Theorem: An encryption scheme is perfectly secret if and only if it is absolutely ciphertext-indistinguishable.

24

Perfect secrecy $\Rightarrow$ ciphertext-indistinguishability
If the encryption scheme is perfectly secret, then $\Pr[E_k(m_0) = c] = \Pr[E_k(m_1) = c]$ for all $m_0, m_1 \in M$, $c \in C$. Hence
$\Pr\left[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1\right] = \Pr[\text{Eve wins}] = \Pr\left[A(m_0, m_1, E_k(m_b)) = b\right]$
$= \sum_{i \in \{0,1\};\, c \in C} \Pr[b = i] \cdot \Pr[E_k(m_i) = c] \cdot \Pr[A(m_0, m_1, c) = i]$
$= \dfrac{1}{2} \sum_{i \in \{0,1\};\, c \in C} \Pr[E_k(m_0) = c] \cdot \Pr[A(m_0, m_1, c) = i]$
$= \dfrac{1}{2} \sum_{c \in C} \Pr[E_k(m_0) = c] \cdot \sum_{i \in \{0,1\}} \Pr[A(m_0, m_1, c) = i] = \dfrac{1}{2}$.

25

Perfect secrecy $\Leftarrow$ ciphertext-indistinguishability
If the encryption scheme is not perfectly secret, then there exist $m_0, m_1 \in M$ such that $\Pr[E_k(m_0) = c] \ne \Pr[E_k(m_1) = c]$ for some ciphertext $c \in C$. For these two messages, the following adversary succeeds with probability $> 1/2$: $\forall c \in C$,
$A(m_0, m_1, c) = \begin{cases} 0 & \text{if } \Pr[E_k(m_0) = c] > \Pr[E_k(m_1) = c] \\ 1 & \text{if } \Pr[E_k(m_0) = c] < \Pr[E_k(m_1) = c] \\ i \leftarrow_u \{0,1\} & \text{otherwise} \end{cases}$
The scheme is not absolutely ciphertext-indistinguishable.
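The following Python block is an added example, not part of the lecture slides: it enumerates every probability exactly for two tiny schemes, checks the perfect-secrecy criterion of slide 8 ($\Pr[E_k(m) = c] = \Pr[E_k(m') = c]$ for all $m, m', c$), and computes the success probability of the slide-25 adversary that guesses the message whose ciphertext distribution favours the observed $c$. The two toy schemes (a 2-bit one-time pad and a shift cipher whose single key letter is reused for two positions), the distributions and all function names are this example's own constructions.

```python
"""Added example: exhaustive perfect-secrecy check and the converse adversary
of slide 25, for schemes small enough to enumerate every probability exactly.
The toy schemes, distributions and names below are constructed for illustration."""
from fractions import Fraction
from itertools import product


def cipher_dist(enc, key_dist, m):
    """Return {c: Pr[E_k(m) = c]} with k drawn from key_dist (a dict k -> Pr[k])."""
    out = {}
    for k, pk in key_dist.items():
        c = enc(k, m)
        out[c] = out.get(c, Fraction(0)) + pk
    return out


def is_perfectly_secret(enc, key_dist, msgs):
    """Slide 8: perfectly secret iff Pr[E_k(m)=c] = Pr[E_k(m')=c] for all m, m', c."""
    dists = {m: cipher_dist(enc, key_dist, m) for m in msgs}
    cts = set().union(*(d.keys() for d in dists.values()))
    return all(dists[m].get(c, 0) == dists[m2].get(c, 0)
               for m in msgs for m2 in msgs for c in cts)


def best_adversary_success(enc, key_dist, m0, m1):
    """Success probability of the slide-25 adversary (b uniform): it answers 0 when
    Pr[E(m0)=c] > Pr[E(m1)=c], 1 when <, and flips a coin on ties, which gives
    sum over c of max(Pr[E(m0)=c], Pr[E(m1)=c]) / 2."""
    d0, d1 = cipher_dist(enc, key_dist, m0), cipher_dist(enc, key_dist, m1)
    return sum(max(d0.get(c, 0), d1.get(c, 0)) for c in set(d0) | set(d1)) / 2


# Toy scheme 1: one-time pad on 2-bit messages (bit tuples), uniform key.
def otp_enc(k, m):
    return tuple(a ^ b for a, b in zip(k, m))


OTP_KEYS = {k: Fraction(1, 4) for k in product((0, 1), repeat=2)}
MSGS2 = list(product((0, 1), repeat=2))


# Toy scheme 2: shift cipher over a 3-letter alphabet (letters 0..2) on 2-letter
# messages, with ONE key letter reused for both positions (Vigenere-style reuse).
def shift_enc(k, m):
    return tuple((x + k) % 3 for x in m)


SHIFT_KEYS = {k: Fraction(1, 3) for k in range(3)}
MSGS3 = list(product(range(3), repeat=2))

if __name__ == "__main__":
    print("OTP perfectly secret:", is_perfectly_secret(otp_enc, OTP_KEYS, MSGS2))
    print("OTP best adversary success:",
          best_adversary_success(otp_enc, OTP_KEYS, (0, 0), (0, 1)))
    print("reused-key shift perfectly secret:",
          is_perfectly_secret(shift_enc, SHIFT_KEYS, MSGS3))
    print("reused-key shift best adversary success:",
          best_adversary_success(shift_enc, SHIFT_KEYS, (0, 0), (0, 1)))
```

For the one-time pad every ciphertext is equally likely under both messages, so the adversary is stuck at exactly $1/2$; for the reused shift key the two messages produce disjoint ciphertext sets, so the adversary of slide 25 wins with probability 1.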

26

Relaxing the security requirement
• In absolute ciphertext-indistinguishability (perfect secrecy), the adversary may have unlimited computing power, and has no better than $1/2$ probability of success; also, the message length is hidden.
• Now we relax the notion of absolute ciphertext-indistinguishability (perfect secrecy) by limiting adversaries to having polynomial computing power, allowing the success rate to be negligibly better than $1/2$, and not hiding the message length.

27

Negligible functions
• A nonnegative function $f: \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive polynomial $P(n)$, there is an integer $n_0$ such that $f(n) < \dfrac{1}{P(n)}$ for all $n > n_0$ (i.e., for sufficiently large $n$).
• Examples: $2^{-n}$, $2^{-\sqrt{n}}$, $n^{-\log n}$ are negligible functions.
• Negligible functions approach zero faster than the reciprocal of every polynomial. We write $\mathrm{negl}(n)$ to denote an unspecified negligible function.

28

Security Parameter
• When we say that an algorithm is polynomial-time, it is w.r.t. the algorithm's input size (in terms of number of bits). The running time of an algorithm is polynomial if $T(n) = O(\mathrm{poly}(n))$ for some polynomial $\mathrm{poly}(n)$, where $n$ is the input size.
• Each encryption scheme is associated with a security parameter, which is related to the key length.
• When we say a probability is negligible, it is w.r.t. the encryption scheme's security parameter.

29

Symmetric-key encryption scheme (refined)
• Message space: $M = \{0,1\}^*$.
• Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a key $k \leftarrow_u \{0,1\}^n$. ($K = \{0,1\}^n$; and $n$ is the security parameter.)
• Encryption algorithm $E$: On input a key $k$ and a plaintext $m \in M$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E(k, m)$ or $c \leftarrow E_k(m)$.
• Decryption algorithm $D$: On input a key $k$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D(k, c)$ or $m := D_k(c)$.
• Correctness requirement: for each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$.
• $G$, $E$: probabilistic algorithms. $D$: deterministic. All poly-time.

30

Computational Ciphertext-Indistinguishability
• Adversary: a polynomial eavesdropper with a single ciphertext.
• $(G, E, D)$: an encryption scheme with security parameter $n$.
• Imagine a game played by Bob and Eve (adversary):
  – Eve, given input $1^n$, outputs a pair of messages $m_0, m_1$ of the same length.
  – Bob chooses a key $k \leftarrow G(1^n)$ and a bit $b \leftarrow_u \{0,1\}$; computes $c \leftarrow E_k(m_b)$; and gives $c$ to Eve.
  – Eve tries to determine whether $c$ is the encryption of $m_0$ or $m_1$.
• An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if no adversary can succeed with probability non-negligibly greater than $1/2$.

31

Definition: An encryption scheme is computationally single-ciphertext-indistinguishable against eavesdroppers if for every polynomial probabilistic algorithm $A$ and all $m_0, m_1 \in M$ with $|m_0| = |m_1|$, it holds:
$\Pr\left[A(1^n, m_0, m_1, E_k(m_b)) = b : b \leftarrow_u \{0,1\},\ k \leftarrow G(1^n)\right] \le \dfrac{1}{2} + \mathrm{negl}(n)$
or, equivalently,
$\left|\Pr\left[A(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n)\right] - \Pr\left[A(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n)\right]\right| \le \mathrm{negl}(n)$.

32

Multiple-ciphertext indistinguishability
• Now suppose a key is used to encrypt multiple messages.
• The adversary, given input $1^n$, selects two vectors of messages $\mathbf{m}_0 = (m_0^1, m_0^2, \ldots, m_0^t)$ and $\mathbf{m}_1 = (m_1^1, m_1^2, \ldots, m_1^t)$ such that $|m_0^i| = |m_1^i|$ for all $i$.
• Bob generates a key $k \leftarrow G(1^n)$ and a bit $b \leftarrow_u \{0,1\}$; and gives the ciphertext vector $\mathbf{c} \leftarrow E_k(\mathbf{m}_b)$ to the adversary.
• The adversary tries to tell whether $\mathbf{c}$ was computed from $\mathbf{m}_0$ or $\mathbf{m}_1$.
• An encryption scheme is computationally multiple-ciphertext-indistinguishable if for every two message vectors no polynomial adversary can succeed with probability non-negligibly $> 1/2$.

33

Remarks
• We have defined two notions of security against eavesdroppers:
  1. (Computational) single-ciphertext-indistinguishability: a key is used to encrypt only one message.
  2. (Computational) multiple-ciphertext-indistinguishability: a key may be used to encrypt multiple messages.
• Note: (1) does not imply (2). For example: Vernam's one-time pad is absolutely ciphertext-indistinguishable. If keys are not used in a "one-time" fashion, the scheme will not be ciphertext-indistinguishable. Just let $\mathbf{m}_0 = (0, 0)$ and $\mathbf{m}_1 = (0, 1)$.
• Next, we will see how to construct ciphertext-indistinguishable encryption schemes.
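As an added example (not from the slides), the following Python block runs the multiple-ciphertext game of slide 32 against a one-bit one-time pad whose key is reused for two messages, with exactly the message vectors $\mathbf{m}_0 = (0,0)$ and $\mathbf{m}_1 = (0,1)$ from the remark above. The adversary only has to compare the two ciphertexts. A second run with a fresh key per message is included for contrast. The function names and the experiment loop are this example's own.

```python
"""Added example: the multiple-ciphertext experiment (slide 32) against the
one-time pad with a reused key, using m0 = (0,0) and m1 = (0,1) (slide 33).
Constructed for illustration; names are not from the slides."""
import random

MSG_VECTORS = [(0, 0), (0, 1)]  # m0 and m1 from the remark


def otp_encrypt_vector(key, msgs):
    """Encrypt every 1-bit message in msgs with the SAME 1-bit key (key reuse)."""
    return tuple(m ^ key for m in msgs)


def reuse_adversary(c):
    """Under one reused pad, equal plaintext bits give equal ciphertext bits,
    so c[0] == c[1] means m0 = (0,0) was encrypted; otherwise m1 = (0,1)."""
    return 0 if c[0] == c[1] else 1


def run_experiment_reused_key(trials, seed=1):
    """Adversary success rate when one key pads both messages of the vector."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key = rng.randrange(2)                         # fresh key per run ...
        b = rng.randrange(2)
        c = otp_encrypt_vector(key, MSG_VECTORS[b])   # ... but shared by both messages
        wins += reuse_adversary(c) == b
    return wins / trials


def run_experiment_fresh_keys(trials, seed=1):
    """Same adversary when every message gets its own independent pad bit
    (the proper one-time usage): it can only guess."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        keys = (rng.randrange(2), rng.randrange(2))
        c = tuple(m ^ k for m, k in zip(MSG_VECTORS[b], keys))
        wins += reuse_adversary(c) == b
    return wins / trials


if __name__ == "__main__":
    print("success with reused key :", run_experiment_reused_key(1000))
    print("success with fresh keys :", run_experiment_fresh_keys(1000))
```

With the reused key the adversary is right every time (success rate 1.0); with fresh keys the ciphertext pair is independent of $b$ and the rate settles near $1/2$.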

34

Secure Encryption Schemes
• Secure (i.e., ciphertext-indistinguishable against eavesdroppers) symmetric-key encryption schemes may be constructed from:
  – Pseudorandom generators
  – Pseudorandom functions
  – Pseudorandom permutations

35

Stream Ciphers

Encryption schemes using pseudorandom generators

36

Motivation
• Vernam's one-time pad scheme is perfectly secure against a single-message eavesdropper.
• Unfortunately, it requires a random key (pad) as long as the message.
• Solution: use a short key as seed to generate a "pseudorandom" key (pad) which is as long as needed. This is the basic idea of stream ciphers.

37

Stream ciphers
• Encryption schemes as shown below (figure: plaintext XORed with a keystream produced by a generator seeded with the key). Same as Vernam's one-time pad, except that pseudorandom keystreams are used.

38

What is a pseudorandom generator?
• Informally, a pseudorandom generator $G$ is an algorithm that, given a (short) truly random string $s$, outputs a "random-like" (i.e., pseudorandom) string $r$ longer than $s$.
• Informally, a string $r$ is "random-like" if it is hard to tell whether or not $r$ was generated by a truly random generator.
• Loosely speaking, two sets $A, B \subseteq \{0,1\}^n$ are said to be polynomially indistinguishable if for every polynomial distinguisher $D$,
  $\left|\Pr\left[D(r) = 1 : r \leftarrow_u A\right] - \Pr\left[D(r) = 1 : r \leftarrow_u B\right]\right| \le \mathrm{negl}(n)$.
  You may interpret "1" as "$r \in A$".

39

In the above, we were actually talking about the indistinguishability between two ensembles (sequences) of sets: $(A_n)_{n \in \mathbb{N}}$ and $(B_n)_{n \in \mathbb{N}}$.

Definition: Two ensembles of sets $(A_n)_{n \in \mathbb{N}}$ and $(B_n)_{n \in \mathbb{N}}$ are polynomially indistinguishable if for every polynomial-time distinguisher $D$, it holds that
$\left|\Pr\left[D(r) = 1 : r \leftarrow_u A_n\right] - \Pr\left[D(r) = 1 : r \leftarrow_u B_n\right]\right| \le \mathrm{negl}(n)$.

Which of the following are polynomially indistinguishable?
• $A_n = \{0,1\}^n$, $B_n = \{0,1\}^n - \{0^n\}$
• $A_n = \{0,1\}^n$, $B_n = \{s \in \{0,1\}^n : s > 2^{100} \text{ as a binary integer}\}$
• $A_n = \{0,1\}^n$, $B_n = 0\{0,1\}^{n-1}$

40

$\{0,1\}^n$ and $\{0,1\}^n - \{0^n\}$ are polynomially indistinguishable.

Let $A_n = \{0,1\}^n$ and $B_n = \{0,1\}^n - \{0^n\}$.
$\Pr\left[D(r) = 1 : r \leftarrow_u A_n\right] = \sum_{r \in A_n} \Pr[r] \cdot \Pr[D(r) = 1] = \dfrac{1}{2^n} \sum_{r \in A_n} \Pr[D(r) = 1] = \dfrac{1}{2^n}\left(\Pr[D(0^n) = 1] + \sum_{r \in B_n} \Pr[D(r) = 1]\right)$
$\Pr\left[D(r) = 1 : r \leftarrow_u B_n\right] = \sum_{r \in B_n} \Pr[r] \cdot \Pr[D(r) = 1] = \dfrac{1}{2^n - 1} \sum_{r \in B_n} \Pr[D(r) = 1]$
$\left|\Pr\left[D(r) = 1 : r \leftarrow_u A_n\right] - \Pr\left[D(r) = 1 : r \leftarrow_u B_n\right]\right| \le \mathrm{negl}(n)$.

41

Definition of pseudorandom generator
• Let $l(\cdot)$ be a polynomial such that $l(n) > n$ for all $n > 0$. Let $G$ be a deterministic polynomial-time algorithm that, for any input string $s \in \{0,1\}^n$, outputs a string of length $l(n)$.
• $G$ is said to be a pseudorandom generator with expansion factor $l(n)$ if for every polynomial-time distinguisher $D$,
  $\left|\Pr\left[D(G(s)) = 1 : s \leftarrow_u \{0,1\}^n\right] - \Pr\left[D(r) = 1 : r \leftarrow_u \{0,1\}^{l(n)}\right]\right| \le \mathrm{negl}(n)$.
• That is, the two ensembles $(A_n)_{n \in \mathbb{N}}$ and $(B_n)_{n \in \mathbb{N}}$, where $A_n := G(\{0,1\}^n) = \{G(s) : s \in \{0,1\}^n\}$ and $B_n := \{0,1\}^{l(n)}$, are polynomially indistinguishable.

42

Existence of pseudorandom generators
• If one-way functions exist, then pseudorandom generators exist. That is, pseudorandom generators can be constructed from one-way functions.
• Chapter 6 shows how to construct pseudorandom generators from one-way permutations.
• True pseudorandom generators are slow for applications. In practice, algorithms such as RC4 are used.

43

Existence of pseudorandom generators (basic idea)
• Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way function. Let $b: \{0,1\}^n \to \{0,1\}$ be a hard-core predicate of $f$: easy to compute $b(x)$ from $x$, but hard to compute $b(x)$ from $f(x)$.
• Given seed $s$, let $x_0 = s$. Starting from $x_0$, apply $f$ repeatedly: $x_0 \xrightarrow{f} x_1 \xrightarrow{f} x_2 \xrightarrow{f} \cdots \xrightarrow{f} x_{l(n)-1}$.
• Let $G(s) = \left(b(x_0), b(x_1), b(x_2), \ldots, b(x_{l(n)-1})\right)$. $G$ is a pseudorandom generator with expansion factor $l(n)$.

44

Example: Blum-Blum-Shub pseudorandom generator
• Let $n = pq$ for two large primes $p, q$.
• Let $f(x) = x^2 \bmod n$. Let $b(x) =$ the least significant bit of $x$.
• Let $x_0 \xrightarrow{f} x_1 \xrightarrow{f} x_2 \xrightarrow{f} \cdots \xrightarrow{f} x_{l(n)-1}$ and $G(x_0) = \left(b(x_0), b(x_1), b(x_2), \ldots, b(x_{l(n)-1})\right)$.
• $G$ is a pseudorandom generator with expansion factor $l(n)$.

45

Stream ciphers
• Encryption schemes based on pseudorandom generators. $G$: a pseudorandom generator with expansion factor $l$.
• Key generation: on input $1^n$, generates a key $k \leftarrow_u \{0,1\}^n$.
• Encryption: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{l(n)}$, ciphertext $c := E_k(m) := m \oplus G(k)$.
• Decryption: on input a key $k$ and a ciphertext $c$, $m := c \oplus G(k)$.
• (New keys for new messages.)
• Different pseudorandom generators yield different stream ciphers.

46

Security of stream ciphers
• Theorem: If a truly pseudorandom generator $G(k)$ is used, and the input key $k$ is randomly generated and used only once, then the stream cipher is polynomially single-ciphertext-indistinguishable against eavesdroppers.

47

Security of stream ciphers (intuition)
• If encrypting with a truly random string $r$ ($E_r(m) = m \oplus r$): cannot tell between $E_r(m_0)$ and $E_r(m_1)$ $\Rightarrow$ absolutely single-ciphertext-indistinguishable.
• If a pseudorandom string $G(s)$ is used instead ($E_{G(s)}(m) = m \oplus G(s)$): cannot tell between $r$ and $G(s)$ except for a negligible fraction of cases $\Rightarrow$ cannot tell between $E_{G(s)}(m_0)$ and $E_{G(s)}(m_1)$ except for a negligible fraction of cases $\Rightarrow$ computationally single-ciphertext-indistinguishable.

48

Security of stream ciphers (proof sketch)
• By contradiction. Will show: If the stream cipher is not computationally single-ciphertext-indistinguishable, then the "pseudorandom" generator $G$ used in the stream cipher is not truly pseudorandom.
• If there exists an adversary $A$ that can successfully attack the stream cipher with significant probability $\Rightarrow$ there exists a distinguisher $D$ that can successfully distinguish between random strings $r$ and "pseudorandom" strings $G(s)$ with significant probability $\Rightarrow$ $G$ is not truly pseudorandom.

49

• Assume the stream cipher is not computationally single-ciphertext-indistinguishable. Then there exist an adversary $A$, a polynomial $p(\cdot)$, infinitely many integers $n$, and messages $m_0$ and $m_1$ of length $l(n)$, such that
  $\Pr\left[A(m_0, m_1, m_b \oplus G(s)) = b : b \leftarrow_u \{0,1\},\ s \leftarrow_u \{0,1\}^n\right] > \dfrac{1}{2} + \dfrac{1}{p(n)}$.
• Construct a distinguisher $D$: Given a string $w \in \{0,1\}^{l(n)}$, $D$ tells whether $w$ is random or pseudorandom as follows. Let $b \leftarrow_u \{0,1\}$, $c := m_b \oplus w$, and $b' \leftarrow A(m_0, m_1, c)$. If $b = b'$, then return 1, else return 0.

50

Distinguisher $D$ (figure): $w \to$ [$b \leftarrow_u \{0,1\}$; $c := m_b \oplus w$] $\to (m_0, m_1, c) \to A$ (adversary against the stream cipher) $\to b'$ $\to$ output 1 if $A$ succeeds ($b' = b$), 0 if $A$ fails.

$\Pr[D(w) = 1] = \Pr[A \text{ succeeds}] = \begin{cases} 1/2 & \text{if } w \text{ truly random} \\ 1/2 + 1/p(n) & \text{if } w \text{ pseudorandom} \end{cases}$

$D$ can distinguish between random and pseudorandom strings with probability significantly better than $1/2$ $\Rightarrow$ $G$ is not pseudorandom. $\Rightarrow\Leftarrow$

51

In More Detail
$\Pr\left[D(w) = 1 : w \leftarrow_u \{0,1\}^{l(n)}\right] = \Pr\left[A(m_0, m_1, m_b \oplus w) = b : b \leftarrow_u \{0,1\},\ w \leftarrow_u \{0,1\}^{l(n)}\right] = \dfrac{1}{2}$
$\Pr\left[D(w) = 1 : w := G(s),\ s \leftarrow_u \{0,1\}^n\right] = \Pr\left[A(m_0, m_1, m_b \oplus w) = b : w := G(s),\ s \leftarrow_u \{0,1\}^n,\ b \leftarrow_u \{0,1\}\right] > \dfrac{1}{2} + \dfrac{1}{p(n)}$
$\left|\Pr\left[D(w) = 1 : w \leftarrow_u \{0,1\}^{l(n)}\right] - \Pr\left[D(w) = 1 : w := G(s),\ s \leftarrow_u \{0,1\}^n\right]\right| > \dfrac{1}{p(n)}$
• $G$ is not a truly pseudorandom generator. $\Rightarrow\Leftarrow$
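The reduction of slides 49-51 can be run concretely. The Python block below is an added example, not from the slides: `bad_prg` is a deliberately broken "generator" (it outputs its seed twice, so a stream cipher built on it is not single-ciphertext-indistinguishable), `attack_stream_cipher` is an adversary $A$ that exploits that, and `build_distinguisher` applies slide 49's recipe ($b \leftarrow_u \{0,1\}$, $c := m_b \oplus w$, output 1 iff $A$ recovers $b$) to turn $A$ into a distinguisher $D$ for the generator. The generator, adversary, message pair and function names are all this example's own constructions.

```python
"""Added example: the A -> D reduction of slides 49-51, run against a
deliberately broken generator. Everything here is constructed for illustration."""
import random

N = 8  # seed length in bytes; the generator outputs 2N bytes (expansion factor 2)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bad_prg(seed):
    """Broken 'PRG': the two halves of the output are identical."""
    return seed + seed


def attack_stream_cipher(m0, m1, c):
    """Adversary A against the stream cipher c = m_b XOR G(s): because the
    keystream halves are equal, c_left XOR c_right equals m_b_left XOR m_b_right.
    Output 0 if that pattern matches m0, else 1."""
    return 0 if xor(c[:N], c[N:]) == xor(m0[:N], m0[N:]) else 1


def build_distinguisher(adversary, m0, m1, rng):
    """Slide 49: D(w) picks b, sets c := m_b XOR w, runs A and outputs 1 iff A was right."""
    def D(w):
        b = rng.randrange(2)
        c = xor((m0, m1)[b], w)
        return 1 if adversary(m0, m1, c) == b else 0
    return D


def estimate(D, sampler, trials):
    """Estimate Pr[D(w) = 1] with w drawn from sampler()."""
    return sum(D(sampler()) for _ in range(trials)) / trials


def run(trials=2000, seed=7):
    """Return (Pr[D=1 | w truly random], Pr[D=1 | w = G(s)]) for the fixed
    message pair m0 = 0^(2N), m1 = 0^N || 1^N (halves of m1 differ, halves of m0 do not)."""
    rng = random.Random(seed)
    m0 = bytes(2 * N)
    m1 = bytes(N) + bytes([1]) * N
    D = build_distinguisher(attack_stream_cipher, m0, m1, rng)
    p_random = estimate(D, lambda: rng.randbytes(2 * N), trials)
    p_pseudo = estimate(D, lambda: bad_prg(rng.randbytes(N)), trials)
    return p_random, p_pseudo


if __name__ == "__main__":
    p_random, p_pseudo = run()
    print(f"Pr[D(w)=1 | w truly random] ~ {p_random:.3f}")
    print(f"Pr[D(w)=1 | w = G(s)]       ~ {p_pseudo:.3f}")
```

Against truly random $w$ the pattern $A$ looks for is uniformly distributed, so $D$ outputs 1 about half the time; against $G(s)$ the adversary is always right and $D$ outputs 1 every time, a gap far larger than $1/p(n)$, which is exactly what slide 51 says must happen when the stream cipher is breakable.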

52

Encrypting multiple messages with a single key
• Stream ciphers require a new key for each plaintext (or they are not secure). In practice, Alice and Bob wish to share a permanent key $k$ and use it to encrypt many messages.
• One possible strategy: Derive from $k$ a new key $k'$ for each message. For example, to send a message $m$, Bob generates a random string $r$, derives $k'$ from $k$ and $r$, and uses $k'$ as a seed to the pseudorandom generator $G$. Include $r$ in the ciphertext, i.e., $c := E_k(m) := (r,\ m \oplus G(k'))$.
• It is probabilistic.
• Unfortunately, the resulting scheme is not necessarily secure!

53

Using stream ciphers in a session
• At the beginning of a session, Alice and Bob agree on two keys $k_1$ and $k_2$ (called session keys).
• Alice and Bob each run $G(k_1)$ and $G(k_2)$ to get two (long enough) pseudorandom strings, say $PS_1$ and $PS_2$.
• Alice encrypts her sequence of messages $m_1, m_2, m_3, \ldots$ as $(c_1, c_2, c_3, \ldots) := (m_1, m_2, m_3, \ldots) \oplus PS_1$.
• Bob uses $PS_2$ for encryption.
• Online pseudorandom generators.

54

The RC4 Stream Cipher
• Designed by Ron Rivest in 1987 for RSA Security, and kept as a trade secret until leaked out in 1994.
• Most popular stream cipher
• Simple and fast
• Used in many standards
• Actually not a cipher, but a practical, approximate pseudorandom generator. Not truly pseudorandom.

55

RC4
• Two vectors of bytes: $S[0], S[1], S[2], \ldots, S[255]$ and $T[0], T[1], T[2], \ldots, T[255]$
• Input Key (seed) $K$: variable length, 1 to 256 bytes
• Initialization:
  1. $S[i] \leftarrow i$, for $0 \le i \le 255$
  2. $T[0..255] \leftarrow K, K, \ldots$ (until filled up)

56

RC4: Initial Permutation
• Initial Permutation of $S$:
  $j \leftarrow 0$
  for $i \leftarrow 0$ to 255 do
    $j \leftarrow (j + S[i] + T[i]) \bmod 256$
    Swap $S[i], S[j]$
• Idea: swapping bytes dependently of the input key. After this step, the input key will not be used.

57

RC4: Key Stream Generation
• Key stream generation:
  $i, j \leftarrow 0$
  while (true)
    $i \leftarrow (i + 1) \bmod 256$
    $j \leftarrow (j + S[i]) \bmod 256$
    Swap $S[i], S[j]$
    $t \leftarrow (S[i] + S[j]) \bmod 256$
    output $S[t]$
• Idea: systematically keep swapping and producing output bytes

Security of RC4
• RC4 is not a truly pseudorandom generator.
• The keystream generated by RC4 is biased.
  – The second byte is biased toward zero with high probability.
  – The first few bytes are strongly non-random and leak information about the input key.
• Defense: discard the initial n bytes of the keystream.
  – Called "RC4-drop[n-bytes]".
  – Recommended values for n = 256, 768, or 3072 bytes.
• Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers.
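The following Python block is an added example, not from the slides: it implements RC4 exactly as the three preceding slides specify it (key scheduling into $S$ and $T$, the key-dependent initial permutation, and the generation loop), adds the RC4-drop[n] option described above, and measures the second-byte bias on random keys so the defense can be seen to matter. The function names and the experiment parameters are this example's own; the single test vector (key "Key", plaintext "Plaintext") is the widely published one.

```python
"""Added example: RC4 as specified on slides 55-57, with RC4-drop[n] and a
measurement of the second-keystream-byte bias. Constructed for illustration."""
import random


def rc4_ksa(key):
    """Slides 55-56: S[i] = i, T = key repeated to 256 bytes, then key-dependent swaps."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, nbytes, drop=0):
    """Slide 57's generation loop. With drop > 0 the first `drop` keystream bytes
    are generated and thrown away (RC4-drop[n])."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(drop + nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out[drop:])


def rc4_crypt(key, data, drop=0):
    """Stream-cipher encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data), drop)))


def second_byte_zero_rate(nkeys, seed=0):
    """Fraction of (seeded, constructed) random 16-byte keys whose 2nd keystream
    byte is 0. A uniform generator would give about 1/256; RC4 gives about 2/256."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(nkeys):
        key = bytes(rng.randrange(256) for _ in range(16))
        hits += rc4_keystream(key, 2)[1] == 0
    return hits / nkeys


if __name__ == "__main__":
    print("RC4('Key', 'Plaintext') =", rc4_crypt(b"Key", b"Plaintext").hex())
    print("P[2nd byte = 0] ~", second_byte_zero_rate(12000), " (uniform would be", 1 / 256, ")")
```

`rc4_keystream(key, n, drop=768)` returns the same bytes as positions 768 onward of the undropped stream, which is all RC4-drop[n] does; the bias measurement is what motivates paying that cost.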

58

The Use of RC4 in WEP
• WEP is an RC4-based protocol for encrypting data transmitted over an IEEE 802.11 wireless LAN.
• WEP requires each packet to be encrypted with a separate RC4 key.
• The RC4 key for each packet is a concatenation of a 40- or 104-bit long-term key and a random 24-bit R.

59

RC4 key (figure): Long-term key (40 or 104 bits) || R (24 bits)

802.11 Frame (figure): Header | R | Message | CRC, where Message and CRC are encrypted.

WEP is not secure
• Mainly because of its way of constructing the key
• Can be cracked in a minute
• http://eprint.iacr.org/2007/120.pdf

60

61

Summary
• Vernam's one-time pad is absolutely single-ciphertext-indistinguishable. The pad here is truly random and used only once.
• A stream cipher is a practical implementation of Vernam's one-time pad. The pad is pseudorandom (depending on a short key) and used only once. It is polynomially single-ciphertext-indistinguishable.
• Question: How to use a short key to encrypt multiple messages?
• Question: How about using a secret pseudorandom generator?

Theory of Block Ciphers

Encryption schemes using pseudorandom functions or permutations

Reading: Sections 3.5-3.7 of Katz & Lindell

62

63

Motivation and basic idea
• Let $H_n$ be the set of all functions $f: \{0,1\}^n \to \{0,1\}^n$. How many such functions are there? There are 2 choices (0 or 1) for each of $n \cdot 2^n$ bits. So, there are $2^{n \cdot 2^n}$ different functions. I.e., $|H_n| = 2^{n \cdot 2^n}$.
• Now, suppose Alice and Bob randomly choose a function $f \in H_n$, and use $f$ as their secret key.
• To encrypt a message $m \in \{0,1\}^n$, randomly choose a string $r \leftarrow_u \{0,1\}^n$, and encrypt $m$ as $c := (r,\ m \oplus f(r))$.
• To decrypt $(r, m')$, where $m' = m \oplus f(r)$, compute $m := m' \oplus f(r)$.
• The secret key here is the function $f$.

64

• Question: what's the length of the key $f$?
• Since $|H_n| = 2^{n \cdot 2^n}$, we need a string of $\log_2 |H_n| = n \cdot 2^n$ bits to name/label a function in $H_n$. That is infeasible.
• Solution: Choose a "small" subset $F_n \subset H_n$ such that $F_n$ is indistinguishable from $H_n$ by any polynomial-time distinguisher. $F_n$ is said to be a set of pseudorandom functions. Or $F_n$ is a pseudorandom set of functions. Then, randomly picking a function from $F_n$ (as the encryption key) will be almost as good as randomly picking a function from $H_n$.
• Let $F_n$ contain no more than $2^n$ elements. Then the key length will only be $n$.

65

Definition of pseudorandom functions
• Let $l(n)$ be a polynomial. For instance, $l(n) = n$. Let $H_n :=$ the set of all functions $h: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$, and $F_n \subset H_n$. $F_n$ is a set of $l(n)$-bit pseudorandom functions if for every polynomial-time distinguisher $D$, it holds that
  $\left|\Pr\left[D^{f(\cdot)}(1^n) = 1 : f \leftarrow_u F_n\right] - \Pr\left[D^{h(\cdot)}(1^n) = 1 : h \leftarrow_u H_n\right]\right| \le \mathrm{negl}(n)$.
• Remarks: The running time of $D$ is polynomial in $n$, the input size. $D$ is equipped with an "oracle" $f(\cdot)$ which $D$ can query about the value of $f(x)$ for various $x$. The running time of each query is 1. (May regard $f(\cdot)$ as a subroutine.)

66

In the above definition, we actually were talking about two ensembles of functions: $(H_n)_{n \in \mathbb{N}}$ and $(F_n)_{n \in \mathbb{N}}$.

Examples:
• $F_n := \{h \in H_n : h(0) = 0\}$. Distinguishable. Let $D^{h}(1^n) := 1$ if $h(0) = 0$; $0$ otherwise.
• $F_n := \{h \in H_n : h(0) \ne 0\}$.
• $F_n := \{h \in H_n : h(x) = x \text{ for all } x \in \{0,1\}^{l(n)}\}$.

67

Constructing pseudorandom functions
• A set of $l(n)$-bit pseudorandom functions can be constructed from a pseudorandom generator. For simplicity, assume $l(n) = n$. Let $G: \{0,1\}^n \to \{0,1\}^{2n}$ be a pseudorandom generator. Write $G(s) = (G_0(s), G_1(s))$.
• For all $k \in \{0,1\}^n$ and $r = b_1 b_2 b_3 \cdots b_n \in \{0,1\}^n$, define
  $f_k(r) = G_{b_n}\left(\cdots G_{b_3}\left(G_{b_2}\left(G_{b_1}(k)\right)\right)\cdots\right)$.
• A set of pseudorandom functions: $F_n := \{f_k : \{0,1\}^n \to \{0,1\}^n \mid k \in \{0,1\}^n\}$.

68

(Figure: a binary tree of depth 3 with root $k$; each left edge applies $G_0$ and each right edge applies $G_1$; leaves are labelled $f_k(000), \ldots, f_k(110), f_k(111)$.)

Each leaf represents an $f_k(r)$, with $r$ specifying the path from the root to that leaf.
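The tree construction of the two preceding slides, as an added Python example that is not from the slides: `prf` walks one level per input bit, applying $G_0$ or $G_1$ to the current node, and `leaf_path` reproduces the small tree in the figure so that, for instance, $f_k(110)$ and $f_k(111)$ are the two children of the node reached by the path $11$. The length-doubling generator `G` here is a stand-in built from SHA-256 (an assumption for illustration only; the slides' construction needs a pseudorandom generator proven secure from a one-way function, which a hash-based stand-in does not give you). Function names are this example's own.

```python
"""Added example: the G_0/G_1 tree construction of slides 67-68 for f_k.
The generator G is a SHA-256 stand-in (assumption for illustration, not a
provable PRG). Names are this example's own."""
import hashlib

N = 16  # key/seed length in bytes, i.e. n = 128 bits


def G(s):
    """Stand-in length-doubling generator: returns (G_0(s), G_1(s)), each N bytes."""
    assert len(s) == N
    g0 = hashlib.sha256(b"\x00" + s).digest()[:N]
    g1 = hashlib.sha256(b"\x01" + s).digest()[:N]
    return g0, g1


def prf(k, r):
    """f_k(r) = G_{b_n}( ... G_{b_2}(G_{b_1}(k)) ... ) for r = b_1 b_2 ... b_n,
    processing the bits of r most-significant-bit first."""
    assert len(k) == N and len(r) == N
    x = k
    for byte in r:
        for shift in range(7, -1, -1):
            x = G(x)[(byte >> shift) & 1]   # take the left (G_0) or right (G_1) child
    return x


def leaf_path(bits):
    """Return the function k -> node reached by following `bits` (a string such
    as '110') from the root k, i.e. f_k restricted to a short path as in the figure."""
    def f(k):
        x = k
        for b in bits:
            x = G(x)[int(b)]
        return x
    return f


if __name__ == "__main__":
    k = bytes(range(N))  # constructed sample key
    print("f_k(0^n)   =", prf(k, bytes(N)).hex())
    print("f_k(0^n-1 1) =", prf(k, bytes(N - 1) + b"\x01").hex())
    print("f_k(110)   =", leaf_path("110")(k).hex())
    print("f_k(111)   =", leaf_path("111")(k).hex())
```

Each evaluation costs $n$ generator calls and touches only the nodes on one root-to-leaf path, which is why the exponentially large tree never has to be stored.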

69

Permutations
• A function $f: X \to X$ is called a permutation if it is bijective (one-to-one and onto).
• We are interested in permutations $f: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$.

70

Pseudorandom permutations
• Let $l(n)$ be a polynomial. For instance, $l(n) = n$. Let $H_n :=$ the set of all permutations $h: \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$, and let $F_n \subset H_n$ be a subset. $F_n$ is a set of $l(n)$-bit pseudorandom permutations if for every polynomial-time distinguisher $D$, it holds that
  $\left|\Pr\left[D^{f(\cdot)}(1^n) = 1 : f \leftarrow_u F_n\right] - \Pr\left[D^{h(\cdot)}(1^n) = 1 : h \leftarrow_u H_n\right]\right| \le \mathrm{negl}(n)$.
• Pseudorandom permutations can be constructed from pseudorandom functions using Feistel networks (next slide).

71

Constructing pseudorandom permutations (skipped)
• Let $F_n := \{f_k : k \in \{0,1\}^n\}$ be a set of $l(n)$-bit pseudorandom functions, where $l(n)$ is a fixed polynomial.
• For every key $k \in \{0,1\}^{3n}$, parse it as $(k_1, k_2, k_3)$ with each $k_i$ of length $n$. Use the three pseudorandom functions $f_{k_1}, f_{k_2}, f_{k_3}$ in a 3-round Feistel network. This yields a permutation $p_{k_1 k_2 k_3}: \{0,1\}^{2l(n)} \to \{0,1\}^{2l(n)}$.
• Theorem: The set of all such permutations $P_n := \{p_{k_1 k_2 k_3} : k_1, k_2, k_3 \in \{0,1\}^n\}$ is a set of pseudorandom permutations.

72

Encrypting data blocks using pseudorandom functions
• Let $F_n := \{f_k : k \in \{0,1\}^n\}$ be a set of $l(n)$-bit pseudorandom functions or permutations. ($l(n)$ is a fixed polynomial.)
• Key space: $K = \{0,1\}^n$. Key length $= n$.
• Message space: $M = \{0,1\}^{l(n)}$. Block size $= l(n)$. (A string of a fixed size is called a block.)
• Key generation algorithm $G$: on input $1^n$, outputs $k \leftarrow_u \{0,1\}^n$.
• Encryption algorithm $E$: On input $m \in M$ and key $k$, randomly generates a string $r \leftarrow_u \{0,1\}^{l(n)}$ and outputs ciphertext $c := (r,\ f_k(r) \oplus m)$. (Note: $E(k, m)$ is a probabilistic algorithm.) Note: $f_k(r)$ is used as a mask (pseudorandom string) to hide $m$.
• Decryption is trivial.

73

Encrypting variable-length messages

• Now let's see how to encrypt a message of arbitrary length using a pseudorandom function or permutation. Let $b = l(n)$ be the block size.

• Encryption algorithm $E$: On input $m \in \{0,1\}^*$ and key $k$,
  – Pad the message so that its length is a multiple of $b$ (block size).
  – Divide the padded message into blocks of size $b$, say $m = m_1 m_2 m_3 \cdots m_t$.
  – Let $r_1, r_2, \ldots, r_t \leftarrow_u \{0,1\}^b$, and use $f_k(r_1), \ldots, f_k(r_t)$ as masks.
  – The ciphertext is $c := (r_1,\ f_k(r_1) \oplus m_1),\ (r_2,\ f_k(r_2) \oplus m_2),\ \ldots,\ (r_t,\ f_k(r_t) \oplus m_t)$.

74

Modes of operation

• The above encryption scheme doubles the message size.

• More efficient ways to do it, traditionally called modes of operation (of block ciphers). Idea: compute $r_1, r_2, \ldots, r_t$ from some initial value, say, $r_0$.

• Important modes of operation include:
  – Counter mode (CTR mode)
  – Output feedback mode (OFB mode)
  – Cipher feedback mode (CFB mode)
  – Cipher block chaining mode (CBC mode)

• CBC requires the underlying $f_k$ to be a pseudorandom permutation. The other three modes work for both functions and permutations.

75

Counter mode (CTR)

• Idea: Instead of choosing $t$ random strings $r_1, r_2, \ldots, r_t$, choose just one string $r$, and let $r_i = r + i - 1$ for $1 \le i \le t$.

• Thus, to encrypt a padded message $m$, with key $k$:
  – Divide $m$ into blocks of size $b$, say, $m = m_1 m_2 m_3 \cdots m_t$.
  – Choose a random string $r \leftarrow_u \{0,1\}^b$.
  – Encrypt $m$ as: $c := (r,\ f_k(r) \oplus m_1,\ \ldots,\ f_k(r + t - 1) \oplus m_t)$.

• In the literature, the string $r$ is called an Initialization Vector (IV).

76

Output feedback mode (OFB)

• Idea: Let $r_0 = \mathrm{IV}$, and $r_0 \xrightarrow{f_k} r_1 \xrightarrow{f_k} r_2 \xrightarrow{f_k} \cdots \xrightarrow{f_k} r_t$. Use $r_1, r_2, \ldots, r_t$ (i.e., $f_k(r_0), f_k(r_1), \ldots, f_k(r_{t-1})$) as masks.

• More precisely, to encrypt a padded message $m$, with key $k$:
  – Divide $m$ into blocks of size $b$, say, $m = m_1 m_2 m_3 \cdots m_t$.
  – Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.
  – Encrypt $m$ as: $c := (r_0,\ f_k(r_0) \oplus m_1,\ \ldots,\ f_k(r_{t-1}) \oplus m_t)$, or equivalently, $c := (r_0,\ r_1 \oplus m_1,\ \ldots,\ r_t \oplus m_t)$, where $r_0 := \mathrm{IV}$, and $r_i := f_k(r_{i-1})$ for $1 \le i \le t$.

77

Cipher feedback mode (CFB)

• Idea: Similar to OFB, but now strings $r_1, r_2, \ldots, r_t$ are chosen to be $r_i := c_{i-1}$ for $1 \le i \le t$, where $c_0 := \mathrm{IV}$, and $c_{i-1}$ is the previous cipher block.

• Thus, to encrypt a padded message $m$, with key $k$:
  – Let $m := m_1 m_2 m_3 \cdots m_t$.
  – Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.
  – Encrypt $m$ as $c := c_0 c_1 c_2 c_3 \cdots c_t$, where $c_0 := \mathrm{IV}$ and $c_i := f_k(c_{i-1}) \oplus m_i$ for $1 \le i \le t$.

78

Cipherblock chaining mode (CBC)

• Suppose $m = m_1 m_2 m_3 \cdots m_t$.

• CTR, OFB, CFB are based on the idea of encrypting $m$ as:
  $c := (r_1,\ f_k(r_1) \oplus m_1),\ (r_2,\ f_k(r_2) \oplus m_2),\ \ldots,\ (r_t,\ f_k(r_t) \oplus m_t)$

• By contrast, CBC is based on the idea of encrypting $m$ as:
  $c := (r_1,\ f_k(r_1 \oplus m_1)),\ (r_2,\ f_k(r_2 \oplus m_2)),\ \ldots,\ (r_t,\ f_k(r_t \oplus m_t))$

• Note: this approach requires $f_k$ to be a permutation.

• Like in CFB, the strings $r_1, r_2, \ldots, r_t$ in CBC are chosen to be $r_i := c_{i-1}$ for $1 \le i \le t$, where $c_0 := \mathrm{IV}$, and $c_{i-1}$ is the previous cipher block.

79

Cipherblock chaining mode (CBC)

• Let $f_k$ be a pseudorandom permutation. To encrypt a padded message $m$ using $f_k$:
  – Let $m := m_1 m_2 m_3 \cdots m_t$.
  – Choose a random initialization vector $\mathrm{IV} \leftarrow_u \{0,1\}^b$.
  – Encrypt $m$ as $c := c_0 c_1 c_2 c_3 \cdots c_t$, where $c_0 := \mathrm{IV}$ and $c_i := f_k(c_{i-1} \oplus m_i)$ for $1 \le i \le t$.

• Note: Decryption requires $f_k$ to be invertible (i.e., a permutation).

• Traditionally, the term "block cipher" refers to a pseudorandom permutation.

80

Electronic codebook mode (ECB)

• Suppose $f_k$ is a pseudorandom permutation. Encrypt $m := m_1 m_2 m_3 \cdots m_t$ as
  $c := f_k(m_1)\ f_k(m_2)\ f_k(m_3) \cdots f_k(m_t)$.

• The resulting scheme is not ciphertext-indistinguishable.

• Used only for sending a short message (in a single block).

81

Some properties

• In CTR and OFB modes, transmission errors to a block $c_i$ affect only the decryption of that block; other blocks are not affected.
  – useful for communications over an unreliable channel.

• In CBC and CFB modes, changes to a block $m_i$ will affect $c_i$ and all subsequent ciphertext blocks.
  – These modes may be used to produce message authentication codes (MAC).

• In CTR mode, blocks can be encrypted (or decrypted) in parallel or in a “random access” fashion.
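The following is an added example in Python, not code from the slides, that ties together the 3-round Feistel construction of a pseudorandom permutation $p_{k_1 k_2 k_3}$ from pseudorandom functions and the CBC and CTR modes, and then reproduces the propagation properties just listed. The pseudorandom function $f_k$ is instantiated, as an assumption, by HMAC-SHA256 truncated to 8 bytes; messages are assumed already padded to a multiple of the 16-byte block, and a ciphertext is laid out as $c_0 c_1 \cdots c_t$ with $c_0$ the IV.

```python
import hmac, hashlib

B = 16  # block size b in bytes: two 8-byte Feistel halves, i.e. 2*l(n) with l(n) = 64 bits

def prf(k: bytes, x: bytes) -> bytes:
    # f_k on 8-byte inputs, instantiated here (an assumption) with HMAC-SHA256 truncated to 8 bytes
    return hmac.new(k, x, hashlib.sha256).digest()[:8]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(keys, block: bytes, inverse: bool = False) -> bytes:
    # 3-round Feistel network p_{k1 k2 k3} on 16-byte blocks built from f_{k1}, f_{k2}, f_{k3};
    # the final swap makes the inverse the same loop with the keys taken in reverse order
    L, R = block[:8], block[8:]
    for k in (reversed(keys) if inverse else keys):
        L, R = R, xor(L, prf(k, R))
    return R + L

def blocks(s: bytes):
    return [s[i:i + B] for i in range(0, len(s), B)]

def cbc_encrypt(keys, iv: bytes, m: bytes) -> bytes:  # c_0 = IV, c_i = p(c_{i-1} xor m_i)
    c = [iv]
    for mi in blocks(m):
        c.append(feistel(keys, xor(c[-1], mi)))
    return b"".join(c)

def cbc_decrypt(keys, c: bytes) -> bytes:  # m_i = p^{-1}(c_i) xor c_{i-1}: needs the inverse permutation
    cb = blocks(c)
    return b"".join(xor(feistel(keys, cb[i], True), cb[i - 1]) for i in range(1, len(cb)))

def ctr_encrypt(keys, iv: bytes, m: bytes) -> bytes:  # r_i = IV + i - 1 as a counter, c_i = p(r_i) xor m_i
    r = int.from_bytes(iv, "big")
    masks = [feistel(keys, ((r + i) % 2 ** (8 * B)).to_bytes(B, "big")) for i in range(len(m) // B)]
    return iv + b"".join(xor(mask, mi) for mask, mi in zip(masks, blocks(m)))

def ctr_decrypt(keys, c: bytes) -> bytes:  # same keystream; only the forward direction of p is needed
    return ctr_encrypt(keys, c[:B], c[B:])[B:]

def propagation(enc, dec, keys, iv: bytes, m: bytes, i: int):
    # Returns (ciphertext blocks that change when one bit of m_i is flipped,
    #          plaintext blocks that decrypt wrongly when one bit of c_i is corrupted); indices are 1-based.
    c = enc(keys, iv, m)
    m2, c2 = bytearray(m), bytearray(c)
    m2[(i - 1) * B] ^= 1
    c2[i * B] ^= 1  # block 0 of c is the IV
    diff = lambda x, y: [j + 1 for j, (a, b) in enumerate(zip(blocks(x), blocks(y))) if a != b]
    return diff(c[B:], enc(keys, iv, bytes(m2))[B:]), diff(m, dec(keys, bytes(c2)))
```

On a four-block message, `propagation(cbc_encrypt, cbc_decrypt, keys, iv, m, 2)` returns `([2, 3, 4], [2, 3])`: a plaintext change propagates to every later ciphertext block, while a corrupted $c_2$ spoils only $m_2$ and $m_3$; the CTR pair returns `([2], [2])`.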

82

Security of CBC, OFB, CFB, CTR

• If $F = \{ f_k : \{0,1\}^n \to \{0,1\}^n \}_{k \in \{0,1\}^n,\ n \in \mathbb{N}}$ is a family of pseudorandom functions or permutations, then CTR, OFB, CFB are secure against chosen-plaintext attacks (CPA-secure).

• If $F = \{ f_k : \{0,1\}^n \to \{0,1\}^n \}_{k \in \{0,1\}^n,\ n \in \mathbb{N}}$ is a family of pseudorandom permutations, then CBC is CPA-secure.

83

Chosen-plaintext attacks (CPA)

• In the introduction we described CPA as follows:
  – Given: $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $m_1, m_2, \ldots, m_t$ are chosen by the adversary; and a new ciphertext $c$.
  – Q: what is the plaintext of $c$?

• Adaptively-chosen-plaintext attack: $m_1, m_2, \ldots, m_t$ are chosen adaptively.

• We will describe CPA in terms of oracle and ciphertext-indistinguishability.

84

Chosen-plaintext attacks (CPA)

A CPA against an encryption scheme $(G, E, D)$ is modeled as follows.

1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$. She may request the oracle to encrypt messages of her choice.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access and may request the encryptions of additional messages of her choice, even $m_0$ or $m_1$.
5. The adversary finally answers 0 or 1.

Note: The CPA here is an adaptive CPA.

85

Ciphertext-indistinguishability against CPA

• An encryption scheme $(G, E, D)$ is CPA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.

• Definition: an encryption scheme $(G, E, D)$ is CPA-secure if for every polynomial-time adversary $A$ it holds that:

$\Big| \Pr\left[ A^{E_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m_0, m_1 \in M \right] - \Pr\left[ A^{E_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k}(1^n),\ m_0, m_1 \in M \right] \Big| \le \mathrm{negl}(n)$

86

Chosen-ciphertext attacks (CCA)

• In the introduction we also described CCA as follows:
  – Given: $(m_1, c_1), (m_2, c_2), \ldots, (m_t, c_t)$, where $c_1, c_2, \ldots, c_t$ are chosen by the adversary; and a new ciphertext $c$.
  – Q: what is the plaintext of $c$?

• Adaptively-chosen-ciphertext attack: $c_1, c_2, \ldots, c_t$ are chosen adaptively.

• We will allow a CCA adversary to also have CPA capability. (CCA seems harder to perform than CPA; an adversary who can perform CCA probably can also do CPA.)

87

Chosen-ciphertext attacks (CCA)

A CCA on an encryption scheme $(G, E, D)$ is modeled as follows.

1. A key $k \leftarrow G(1^n)$ is generated.
2. The adversary is given input $1^n$ and oracle access to $E_k$ and $D_k$. She may request the oracles to perform encryptions and/or decryptions for her.
3. The adversary chooses two messages $m_0, m_1$ with $|m_0| = |m_1|$; and is given a challenge ciphertext $c \leftarrow E_k(m_b)$, where $b \leftarrow_u \{0,1\}$.
4. The adversary continues to have oracle access to $E_k$ and $D_k$, but is not allowed to request the decryption of $c$.
5. The adversary finally answers 0 or 1.

88

Ciphertext-indistinguishability against CCA

• An encryption scheme $(G, E, D)$ is CCA-secure if no polynomial-time adversary can answer correctly with probability non-negligibly greater than $1/2$.

• Definition: an encryption scheme $(G, E, D)$ is CCA-secure if for every polynomial-time adversary $A$, it holds that:

$\Big| \Pr\left[ A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_0)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m_0, m_1 \in M \right] - \Pr\left[ A^{E_k, D_k}(1^n, m_0, m_1, E_k(m_1)) = 1 : k \leftarrow G(1^n),\ (m_0, m_1) \leftarrow A^{E_k, D_k}(1^n),\ m_0, m_1 \in M \right] \Big| \le \mathrm{negl}(n)$

89

Remarks

• The encryption schemes we have seen so far are not CCA-secure.

• Example: consider the scheme $E_k(m) = (r,\ f_k(r) \oplus m)$. The adversary chooses any messages $m_0$ and $m_1$. Let the challenge ciphertext be $(r, c)$, where $c := f_k(r) \oplus m_b$, with $b = 0$ or $1$. For any message $m$, $(r,\ c \oplus m) = (r,\ f_k(r) \oplus (m_b \oplus m))$ is a legitimate ciphertext of $m_b \oplus m$. Requesting the oracle to decrypt $(r,\ c \oplus m)$, the adversary will get $m_b \oplus m$ and hence know the value of $b$.

• In practice, if from a ciphertext $c \leftarrow E_k(m)$ you can produce a ciphertext of a message related to $m$ in some sort of predictable way, then the encryption scheme is not CCA-secure.
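An added Python illustration of the remark above, not code from the slides: the scheme $E_k(m) = (r,\ f_k(r) \oplus m)$, with $f_k$ instantiated (an assumption) by HMAC-SHA256 truncated to the block length, is run inside the CCA experiment of the previous slides. It shows why refusing to decrypt the challenge ciphertext itself does not help: a related ciphertext $(r,\ c \oplus m)$ is still accepted by the decryption oracle, so the bit $b$ is recovered with probability 1 rather than $1/2 + \mathrm{negl}(n)$.

```python
import hmac, hashlib, os

N = 16  # block length l(n) in bytes

def prf(k: bytes, r: bytes) -> bytes:
    # f_k(r): the pseudorandom function, instantiated here (an assumption) with HMAC-SHA256 truncated to N bytes
    return hmac.new(k, r, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(k: bytes, m: bytes):
    # E_k(m) = (r, f_k(r) xor m) with a fresh random r: CPA-secure, but malleable
    r = os.urandom(N)
    return r, xor(prf(k, r), m)

def decrypt(k: bytes, c) -> bytes:
    r, y = c
    return xor(prf(k, r), y)

class CCAGame:
    # The CCA experiment of the slides: key generation, a challenge on (m0, m1), and a decryption
    # oracle that refuses only the challenge ciphertext itself (step 4 of the model)
    def __init__(self):
        self.k, self.challenge = os.urandom(N), None
    def challenge_on(self, m0: bytes, m1: bytes):
        self.b = os.urandom(1)[0] & 1
        self.challenge = encrypt(self.k, (m0, m1)[self.b])
        return self.challenge
    def decrypt_oracle(self, c) -> bytes:
        if c == self.challenge:
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return decrypt(self.k, c)

def adversary(game: CCAGame, m0: bytes, m1: bytes) -> int:
    # (r, c xor m) is a legitimate ciphertext of m_b xor m and differs from the challenge,
    # so the oracle answers; xoring m back out yields m_b and hence b
    r, c = game.challenge_on(m0, m1)
    m = b"\x01" * N  # any nonzero message works
    mb = xor(game.decrypt_oracle((r, xor(c, m))), m)
    return 0 if mb == m0 else 1

def adversary_wins_always(trials: int = 20) -> bool:
    # True when b is recovered in every trial: the adversary's advantage is not negligible
    m0, m1 = b"\x00" * N, b"\xff" * N
    for _ in range(trials):
        game = CCAGame()
        if adversary(game, m0, m1) != game.b:
            return False
    return True
```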

90

Remarks

• We will see that:
  CPA-secure encryption + secure MAC $\Rightarrow$ CCA-secure encryption

Practical Block Ciphers: DES and AES

DES: Data Encryption Standard (covered in 651)

AES: Advanced Encryption Standard

Reading: Chapter 5 of Katz/Lindell

91

92

Traditional view of block ciphers

• A block cipher is a symmetric-key encryption scheme that maps a block of $n$ bits to a block of $n$ bits.

• $M = C = \{0,1\}^n$ and $K = \{0,1\}^r$. Block length: $n$. Key length: $r$.

• For a fixed key $k \in K$, $E_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation.

93

Another view of block ciphers

• All that we need is a pseudorandom permutation.

• A block cipher is a pseudorandom permutation ensemble $\{ f_k : \{0,1\}^{l(n)} \to \{0,1\}^{l(n)} \}_{k \in \{0,1\}^n}$, with $M = C = \{0,1\}^{l(n)}$ and $K = \{0,1\}^n$. Block length: $l(n)$. Key length: $n$.

• For $k \in K$, $f_k : \{0,1\}^{l(n)} \to \{0,1\}^{l(n)}$ is a permutation.

94

Practical constructions of block ciphers

• There are methods to construct block ciphers (pseudorandom permutations) from one-way functions:
  One-way functions $\Rightarrow$ pseudorandom generators $\Rightarrow$ pseudorandom functions $\Rightarrow$ pseudorandom permutations. Slow.

• In practice, modern block ciphers are constructed using
  – Feistel networks (e.g., DES, covered in CSE 651)
  – Substitution-permutation networks (e.g., AES)

AES: Advanced Encryption Standard

Finite field: The mathematics used in AES.

96

AES: Advanced Encryption Standard

• In 1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard.

• Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits.

• In 2000, the Rijndael cipher (by Rijmen and Daemen) was selected.

• An iterated cipher, with 10, 12, or 14 rounds.

• Rijndael allows various block lengths.

• AES allows only one block size: 128 bits.

97

Structure of Rijndael

• $N_b$: block size (number of words). For AES, $N_b = 4$.
• $N_k$: key length (number of words).
• $N_r$: number of rounds, depending on $N_b$, $N_k$.
• Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
• state: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.
• Key schedule: $N_r + 1$ round keys $key_0, key_1, \ldots, key_{10}$ are computed from the main key $k$.

98

Rijndael algorithm

input: plaintext $m$, key $k$

    state $\leftarrow m$
    AddKey(state, $key_0$)
    for $i \leftarrow 1$ to $N_r - 1$ do
        SubBytes(state)
        ShiftRows(state)
        MixColumns(state)
        AddKey(state, $key_i$)
    SubBytes(state)
    ShiftRows(state)
    AddKey(state, $key_{N_r}$)
    return(state)

99

AddKey(state, $key_i$)

state $\leftarrow$ state $\oplus\ key_i$

100

SubBytes(state)

Each byte in state is substituted with another byte according to a table.

101

ShiftRows(state)

Left-shift row $i$ circularly by $i$ bytes, $0 \le i \le 3$:

    a b c d        a b c d
    e f g h   →    f g h e
    i j k l        k l i j
    m n o p        p m n o

102

MixColumns(state)

• Operates on each column of the matrix state. View each column $(a_0, a_1, a_2, a_3)$ as a polynomial with coefficients in $\mathrm{GF}(2^8)$: $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$.

• A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$.

• The MixColumns operation maps each column $a(x)$ to $a(x) \cdot c(x) \bmod (x^4 + 1)$.

103

Rijndael Decryption

Each step of Rijndael encryption is invertible.
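An added Python example, not the slides' code, working out ShiftRows and MixColumns exactly as defined above: multiplication in $\mathrm{GF}(2^8)$ modulo the AES polynomial, the column polynomial product modulo $x^4 + 1$ with $c(x)$, and the inverse step using $d(x) = 0b\,x^3 + 0d\,x^2 + 09\,x + 0e$ (the inverse of $c(x)$ modulo $x^4 + 1$), which is what makes the decryption slide's claim of invertibility concrete. The test column $(db, 13, 53, 45)$ is a widely quoted check value and maps to $(8e, 4d, a1, bc)$.

```python
def xtime(a: int) -> int:
    # multiply by x in GF(2^8), reducing modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)
    a <<= 1
    return (a ^ 0x11b) & 0xff if a & 0x100 else a

def gf_mul(a: int, b: int) -> int:
    # multiplication in GF(2^8) by shift-and-add: xor in a*x^j for each set bit j of b
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def poly_mul_mod(a, c):
    # a(x) * c(x) mod (x^4 + 1), coefficients in GF(2^8) listed low degree first;
    # reducing modulo x^4 + 1 just wraps exponents around (x^4 = 1), which gives AES's circulant matrix
    d = [0] * 4
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], c[j])
    return d

C = [0x02, 0x01, 0x01, 0x03]      # c(x) = 03 x^3 + 01 x^2 + 01 x + 02
C_INV = [0x0e, 0x09, 0x0d, 0x0b]  # d(x) = 0b x^3 + 0d x^2 + 09 x + 0e, with c(x) d(x) = 1 mod (x^4 + 1)

def mix_columns(state, inverse: bool = False):
    # state is a 4x4 list of rows of bytes; each column (a0, a1, a2, a3) becomes a(x) c(x) (or a(x) d(x))
    cols = [[state[r][c] for r in range(4)] for c in range(4)]
    cols = [poly_mul_mod(col, C_INV if inverse else C) for col in cols]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def shift_rows(state, inverse: bool = False):
    # row i is rotated left by i positions (right for the inverse); row 0 is unchanged
    return [row[i:] + row[:i] if not inverse else row[-i:] + row[:-i] for i, row in enumerate(state)]

def column(state, c):
    return [state[r][c] for r in range(4)]

def round_trip(state) -> bool:
    # ShiftRows then MixColumns, undone by InvMixColumns then InvShiftRows: True iff the state comes back
    mixed = mix_columns(shift_rows(state))
    return shift_rows(mix_columns(mixed, inverse=True), inverse=True) == state
```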

104

Rijndael key schedule

Round keys are derived from the main key.

A Rijndael Animation by Enrique Zabala

105