Basic Probability Theory
|
|
- Reginald Bailey
- 5 years ago
- Views:
Transcription
1 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 2 Basic Probability Theory In this chapter, we first give an introduction to basic probability theory required for the cryptography part of the lecture. 2.1 On the Notation for Probabilities We have to introduce some probability notation dealing with events in the execution of cryptographic protocols. You may read this section rather quickly for the moment, getting back to it when the notation is used in the sequel Syntax and Informal Semantics Let x 1,..., x n be variable names, let X 1,..., X n be probabilistic functions (e.g., probabilistic algorithms), and let e 1,..., e n be deterministic expressions where e i may depend on x 1,..., x i 1. Let π be a predicate depending on x 1,..., x n. Then we write P := Pr [π(x 1,..., x n ) : x 1 X 1 (e 1 ),..., x n X n (e n )] for the following probability: First, x 1 is chosen according to X 1 (e 1 ), then x 2 using X 2 (e 2 ) (which may depend on the value of x 1 ), and so forth. Finally, π is evaluated (which depends on the values x 1,..., x n chosen before), and P is the probability that π evaluates to true. In some cases, we use slightly relaxed notation. E.g., we write y f(x) even if f is not a probabilistic function, but a deterministic one. Or we use expressions like A(B(x), y), where both A and B are probabilistic functions. This then means that first z B(x) is evaluated, and then A(z, y). However, expressions with relaxed notation can always be transformed into expressions using the notation as defined above. To make this notation clearer, we give some examples: Let U be the uniform distribution on {1,..., 10} (that is, U is a probabilistic function without arguments). Then Pr [x = y : x U, y U] denotes the probability that x = y if x and y are both independently chosen according to the distribution U. So Pr [x = y : x U, y U] = Although the same expression occurs on the right-hand side of both arrows, this does not imply that x = y with probability 1. Using the relaxed notation introduced above, this probability could as well be written as Pr [x = y : x R {1,..., 10}, y R {1,..., 10}]. For the next example, let f n be some function on bitstrings of length n, and let A be a probabilistic algorithm. Consider the following expression: Pr [f n (x) = f n (y) x y : x R {0, 1} n, y A(n, x)] (2.1) 9
2 2 Basic Probability Theory This describes the following situation: First, x is chosen to be a uniformly chosen bitstring of length n. Then, A is invoked with the length parameter n and the bitstring x as arguments. A now outputs a string y. The expression above then describes the probability that both x and y have the same image under f n, but are not equal (they form a so-called collision for f n ). Note that in this example, the whole expression (2.1) depends on an external argument n. Such parameterized probabilities are especially useful to specify asymptotic behavior. In this example, we could require that for any polynomial-time algorithm A, the probability above decreases sufficiently fast for growing n Towards a Formal Semantics (not required for this lecture) Let M be a finite or countable set. A probability distribution on M is a function D assigning a nonnegative real number to each E M (intuitively, the probability that some x E is chosen, or alternatively, that the event E occurs), such that D(E) = x E D({x}) and D(M) = 1. To highlight the fact that the images of D are probabilities, we often write P D (E) instead of D(E). For sets containing one element we abbreviate P D ({m}) by P D (m). A probabilistic function A: M N is modeled as a deterministic function M Dist(N), i.e., it assigns each input a distribution on the output. Dist(N) is the set of all distributions on N. The probabilistic assignment n A(m) then means choosing a value according to the distribution A(m) and assigning the value to n. The support of A with respect to m M, denoted [A(m)], is defined as the set of all n N that can be output with nonzero probability by A(m). Formally, [A(m)] := {n N P A(m) (n) > 0}. Let π be a predicate on a certain domain M. Then one defines the event that π is fulfilled as E π := {m M π(m) holds}. The probability that π is fulfilled given a probabilistic assignment x D is defined as Pr [π(x) : x D] := P D (E π ) = P D (m) (2.2) m s.t. π(m) holds Given probabilistic functions X 1 : M N and X 2 : M N O, the sequential execution (X 1, X 2 ) : M N O is a probabilistic function that intuitively upon argument m runs x X 1 (m), y X 2 (m, x), and returns (x, y). Formally, P (X1,X 2 )(m)(n, o) := P X1 (m)(n) P X2 (m,n)(o) (2.3) Using Equations 2.2 and 2.3 one obtains the following general formula. Let π be a predicate depending on m, n, and o. For all m M let Pr [π(m, n, o) : n X 1 (m), o X 2 (m, n)] = n,o s.t. π(m,n,o) holds P X1 (m)(n) P X2 (m,n)(o) In a similar way, one can define a more general version involving i algorithms X i as well as a version with several external messages m 1,..., m l. However, this quickly gets lengthy, so that we will not pursue it here for reasons of clarity. To illustrate the computation with the above general formula, we again consider the probability Pr [x = y : x R {1,..., 10}, y R {1,..., 10}] from the previous section. This probability 10
3 2.1 On the Notation for Probabilities can now be formally computed as Pr [x = y : x U, y U] = P U (x) P U (y) x, y s.t. x = y = x P U (x) P U (x) = 10 x= =
4 2 Basic Probability Theory 12
5 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 3 The One-Time Pad and Stream Ciphers In this chapter, we introduce the one-time pad and strean ciphers, we discuss achieving randomness for cryptography, and, finally, introduce basic notions of security for cryptography. 3.1 The One-Time Pad The one-time pad, also called Vernam cipher, was invented by Gilbert Vernam in It was the first scheme for which a security proof was given, namely by Claude Shannon in (Before that, not even definitions of security existed.) It can be defined over different message spaces, for example {a,..., z} or {0, 1}. We define it over bitstrings. Definition 3.1 (One-Time Pad) Let M = C = {0, 1} n for some n N. Let the key generation algorithm K draw keys from {0, 1} n according to a uniform distribution. Both encryption and decryption are defined by the exclusive OR of the key K with the plaintext m or the ciphertext c, respectively, i.e., E(K, m) := K m and D(K, c) := K c. Only one message can be securely encrypted with each key, hence the name of the scheme. The correctness of the one-time pad can easily be shown: Let K [K] = {0, 1} n, m M, and c [E(K, m)], i.e., c = K m since E is deterministic. Then D(K, c) = D(K, K m) = K K m = m Perfect Secrecy of the One-Time Pad The first definition of security for encryption schemes was the definition of perfect secrecy given by Claude Shannon in Intuitively it says that any message is encrypted to a specific ciphertext with the same probability. This essentially means that, given a ciphertext, no adversary gains any information on which plaintext was encrypted. Definition 3.2 (Perfect Secrecy) Let (K, E, D) be an encryption scheme with message space M and ciphertext space C. The encryption scheme provides perfect secrecy if and only if the following holds for all m 0, m 1 M and for all c C: Pr [ c = c : K K, c E(K, m 0 ) ] = Pr [ c = c : K K, c E(K, m 1 ) ] 13
6 3 The One-Time Pad and Stream Ciphers This definition essentially says that for a randomly chosen key K the probability that a message is encrypted to a particular ciphertext c is the same for all messages m i. Equivalent variants of this definition exist based on statistical independence and entropy. Shannon proved that the one-time pad satisfies this notion of perfect secrecy. Even if the proof is rather simple, it constituted a major step in the history of cryptography since it was the first proof of security of a cryptographic scheme. Proposition 3.3 The one-time pad provides perfect secrecy. Proof. Let m 0, m 1, c {0, 1} n be given. For i {0, 1} it holds that Pr [ c = c : K K, c E(K, m i ) ] = = K K, c s.t. c = c Pr [K = K : K {0, 1} n ] Pr [ c = c : c = m i K ] Pr [K = K : K {0, 1} n ] Pr [c = c : c = m i K] = K { 2 n 1 if c = K mi 0 else = 2 n. This holds both for i = 0 and for i = 1, hence the claim follows. The one-time pad has the disadvantage that the key is as long as the message, and a key cannot be reused without sacrificing perfect secrecy as we will show below. Thus deploying this scheme necessarily requires to securely transmit a large amount of keys. While this is done in very sensitive environments (the Red Telephone linking the White House with the Kremlin during the Cold War was encrypted with the one-time pad) it is impractical for essentially any application. So the question naturally arises if one can securely encrypt with shorter keys. Unfortunately, Shannon also proved that this is not possible given the definition of perfect secrecy. Proposition 3.4 (Optimality of the One-Time Pad) Let (K, E, D) be a cipher with message space M, ciphertext space C, and key space K := [K]. If the cipher provides perfect secrecy, then K M. Proof. Let m 1 M, K 1 K, and c [E(K 1, m 1 )] arbitrary. Assume for contradiction that K < M. Let M c := {m M K K: D(K, c) = m} denote the set of plaintexts that the ciphertext c could be decrypted to using some key K. Since decryption is deterministic and since K < M, we have that M c < M. Thus there exist some m 2 M \ M c, and this m 2 satisfies that for all K K we have D(K, c) m 2 by definition of M c. For the plaintexts m 1, m 2 and the ciphertext c one obtains Pr [ c = c : K K, c E(K, m 1 ) ] > 0 = Pr [ c = c : K K, c E(K, m 2 ) ]. This contradicts the assumption that the cipher provides perfect secrecy. Hence the assumption K < M was not correct. 14
7 3.2 Stream Ciphers Active Attacks Against the One-Time Pad If an adversary not only reads messages but also changes messages (called an active adversary), then active attacks such as the following one become possible. Consider a simple voting system, where each participant votes 0 or 1. This vote is encrypted using the one-time pad, i.e., each participant i shares a random bit K i R {0, 1} with a central voting authority. Every participant sends the ciphertext c i := K i m i to the central authority. The voting authority then computes c i K i = m i and counts all votes. Note that this is a very weak form of voting scheme since the voting authority can see the votes of every voter. This is provided for the sake of demonstration only. Now assume that an attacker knows (e.g., by means of an opinion poll) that a majority of all participants is going to vote 0. Then by intercepting all votes c i and replacing them with c i := c i 1 the attacker is able to invert the outcome of the vote, since these ciphertexts decrypt to c i K i = (c i 1) K i = ((m i K i ) 1) K i = m i 1 One says that the one-time pad is highly malleable, i.e., it offers no form of integrity of the plaintexts. Thus, the one-time pad should only be used with suitable integrity protection mechanisms. These are called MACs (message authentication codes) and will be discussed in Section Stream Ciphers Stream ciphers constitute practical encryption schemes that can easily be implemented in hardware. They are widely used in protocols such as SSL/TLS and b WEP. We have seen that the one-time pad provides very strong security guarantees, but it is not usable for most practical applications because the keys need to be as long as the messages in order to retain these guarantees. One idea to overcome this problem is to not use keys that are fully random but keys that only look random. A short truly random string is used as input to a deterministic function, a pseudorandom generator G, which computes a larger string. This larger string of course cannot be truly random, but it will be such that no efficient machine can tell it apart (can distinguish it) from true randomness. Consequently, it is called a pseudorandom string. Typical examples of stream ciphers have encryption and decryption functions that simply take the exclusive OR of the key K i, that is pseudorandomly generated by G, and the message m i or the ciphertext c i, respectively. Recall that we proved in the last chapter that such a cipher cannot provide perfect secrecy since its key space is much smaller than the message space. However, under the assumption that the adversary has not unbounded power, but is efficient, it still provides strong security guarantees Unpredictability of Pseudorandom Generators (PRGs) Why do we need unpredictability? Assume an is transmitted in an encrypted manner. Then one knows that large parts of the plaintext, e.g., the header, have a fixed format. Thus an attacker can obtain some bytes of the pseudorandom string at the beginning by computing the exclusive OR of the initial bits of the encryption and the known parts of the header. Perhaps he needs to guess where exactly the header is placed, but this is possible with reasonably large probability. If he was able to predict the behavior of the pseudorandom generator, then he would be able to decrypt the remaining parts of the message. 15
8 3 The One-Time Pad and Stream Ciphers Getting True Randomness in Practice The seed for a pseudorandom generator, and keys for symmetric encryption schemes in general, should be as random as possible, for example, one uses physical random number generators to get good randomness. There are some physical sources that are supposed to produce good randomness, but the resulting bits may have a certain bias or some correlation. In practice, one often circumvents this by taking the exclusive OR of bits obtained from different such sources; in theory it is more appropriate to apply a randomness extractor to improve the quality of the output. An example for such a randomness extractor is the Von Neumann extractor or hash functions. Typical physical sources of randomness include: thermal noise in various electric circuits, shot noise, avalanche noise, atmospheric noise, captured by antennas, quantum effects, e.g., radioactive decay obtained from Geiger-Müller tubes, Brownian motion, more playfully, lava lamps. There is even a patent for creating random bits with lava lamps (US patent #5,732,138). In July 2009, Reidler, Aviad, Rosenblut and Kanter published a ultrahigh-speed random number generator based on the fluctuating intensity of a chaotic semiconductor laser. The generation rate is up to 12.5 GBits/s. There is also a number of random sources that are more easily available, at the cost of producing weaker randomness. What is used also in practice is measurement of times between user key-strokes, and time needed to access different sectors on the hard-disk drive (the air turbulences caused by the spinning disk is supposed to be sufficiently random) Examples of Pseudorandom Generators In the following, we provide examples for pseudorandom generators and discuss their strengths and weaknesses. RC4 RC4 is a stream cipher invented by Ron Rivest in 1987 for RSA Security Inc., which also holds the trademark for it. The source code was originally not released to the public because it was a trade secret, but was posted to a mailing list in September 1994; thus people referred to this version as alleged RC4. Today it is known that alleged RC4 indeed equals RC4. While RC4 does not satisfy next-bit unpredictability, it is considered secure from a practical point of view if one takes certain precautions. It is used in many protocols such as SSL/TLS and b WEP. Its main data structure is an array S of 256 bytes. The array is initialized to the identity before any output is generated, i.e., the first cell is initialized with 0, the second with 1 and so on. Then the cells are permuted using certain operations that depend on the current state and the chosen key K. In pseudocode, the RC4 initialization phase works as follows: 16 for i from 0 to 255 S[i] := i
9 3.2 Stream Ciphers j := 0 for i from 0 to 255 j := (j S[i] K[i mod keylength]) mod 256 swap(s[i],s[j]) After initialization has been completed, the following procedure computes the pseudorandom sequence. For each output byte, new values of the variables i and j are calculated, the corresponding cells are swapped, and the content of a third cell is output: i := 0 j := 0 while GeneratingOutput i := (i 1) mod 256 j := (j S[i]) mod 256 swap(s[i],s[j]) output S[(S[i] S[j]) mod 256] One easily sees that the first byte that is output depends on the content of three cells only. This property can be used to launch attacks against the cipher, so one usually discards the first 256 bytes of output generated by this algorithm to prevent these attacks. Linear Feedback Shift Register (LFSR) Linear feedback shift registers (LFSRs) constitute a building block for generating pseudorandom strings. An LFSR consists of a shift register that shifts its content for one bit at each clock, and a function that determines the feedback, i.e., the next value that enters the shift register, as a function of its current state. For LFSRs this is a linear function, e.g., the exclusive OR of certain specified bits in the state. But also feedback shift registers with a more complex feedback function exist. The initial state of the shift register comprises the seed. A sketch of an LFSR is given in Figure 3.1. The security of an LFSR is determined by its feedback function and how it K 0 K 1 K 2 K 3 K 4 Figure 3.1: Linear feedback shift register is interlinked with the surrounding operations. Note that LFSRs on their own cannot naively be used as stream ciphers because directly outputting the bits of the state leaks the current state of the register, so after a full turn the complete state is known. A solution often taken is that one throws away the first bits and subsequently combines LFSRs in some clever way either with other LFSRs or with other cryptographic primitives. For instance, one encrypts the output of an LFSR using a secure block cipher, which yields a pseudorandom sequence provided that the bits output by an LFSR do not repeat themselves. 17
10 3 The One-Time Pad and Stream Ciphers The Content Scrambling System (CSS) We conclude with a brief description of the content scrambling system (CSS), which is a proprietary standard for encrypting the contents of DVDs. The key management is rather complex and we do not go into details here. The actual content is encrypted with a stream cipher whose corresponding pseudorandom generator will be described in the sequel. Figure 3.2 illustrates the pseudorandom generator. seed 1 K 0 K 1 17-bit LFSR 8 add mod K 2 K 3 K 4 25-bit LFSR 8 Figure 3.2: Content scrambling system Each sector key consists of 5 bytes K 0,..., K 4. The pseudorandom generator comprises two LFSRs that operate as follows. The first LFSR has a length of 17 bits and is initialized with 1 K 0 K 1, where the feedback is computed as the exclusive OR of bits 1 and 15. The second LFSR has a length of 25 bits initialized as 1 K 2 K 3 K 4, where the feedback is calculated as the exclusive OR of bits 11, 19, 20, and 23. Both LFSRs are clocked eight times, each of them producing eight bits of output. This output is treated as bytes, added modulo 256 observing the carry bit from the previous addition. The resulting output is used to encrypt the actual data. The most apparent weakness of CSS is its short key size of 40 bits. This is a consequence of US export regulations at the time when CSS was standardized. Brute-force attacks are reported to take 17 hours on a Celeron 366, i.e., on a very old hardware, and thus already much faster on more recent hardware. More sophisticated attacks reduce the complexity to even only 2 16 possible keys, thus taking only several seconds until CSS is successfully attacked. 3.3 Adversary Models We distinguish the following adversarial capabilities for modeling our adversaries: Single-message chosen-plaintext attack (1-CPA): the adversary sees one ciphertext only. In the first step, the adversary chooses two messages. In the next step he is given the encryption of one of these messages. This ciphertext is also called challenge ciphertext or simply challenge. If he cannot distinguish which of these (self-chosen) plaintexts is inside the challenge ciphertext, he did not learn any partial information about the message contained in the challenge. We have already seen ciphers fulfilling this notion, e.g., the one-time pad. 18
11 3.3 Adversary Models Chosen-plaintext attack (CPA): here the adversary sees (polynomially) many ciphertexts of self-chosen plaintexts, i.e., in addition to 1-CPA attacks, he may select arbitrary plaintexts whose encryption he sees before proceeding with a challenge. Examples of ciphers fulfilling this stronger notion are randomized CBC based on PRPs (cf. Section 4.4.2) as well as randomized counter mode based on PRFs (cf. Section 4.4.5). Chosen-ciphertext attack (CCA): in addition to the capabilities for CPA, the adversary may choose ciphertexts that get decrypted for him. In order to avoid trivial distinguishability, these ciphertexts must of course be different from the challenge ciphertext. We will work with chosen-ciphertext attacks later. 19
12 3 The One-Time Pad and Stream Ciphers 20
13 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 4 Block Ciphers and Modes of Operation In the following, we will see an archetypical example of a block cipher, namely, DES. We will subsequently discuss how block ciphers can be used to securely encrypt a larger amount of data, and we will briefly present some attacks on block ciphers. First, however, we will introduce the concept of Feistel networks, which constitutes an important design principle underlying many block ciphers. 4.1 Feistel Networks Feistel networks are a specific construction for designing symmetric encryption schemes. They were first described by Horst Feistel during his work on the cipher Lucifer at IBM. Lucifer was the predecessor of the Data Encryption Standard (DES), and both are built upon the same design. Other ciphers using Feistel networks include IDEA, RC5, and Skipjack. A Feistel network defines a function F : {0, 1} 2n {0, 1} 2n. It is parameterized by the number of rounds d N and the round functions f 1,..., f d : {0, 1} n {0, 1} n. The function F operates in d rounds, typically between 12 and 16. In the i-th round, the following operations are executed: 1. the round input is split into two halves L i 1 R i 1, 2. the round function f i is applied to the right half yielding f i (R i 1 ), 3. the exclusive OR of this value and the left half is computed yielding L i 1 f i (R i 1 ), 4. the left and right side are swapped, thus yielding the round output L i R i := R i 1 L i 1 f i (R i 1 ) This construction is depicted in Figure 4.1. The main innovation is that the function F defined by a Feistel network is a permutation for arbitrary functions f i. In particular, these do not even need to be invertible. Proposition 4.1 (Feistel Networks Are Permutations) Let F : {0, 1} 2n {0, 1} 2n be a Feistel network using an arbitrary round function f i. Then, F constitutes a permutation. Proof. First, we show how to invert a single round i. Let F i denote the function computed in the i-th round. We define the candidate inverse function G i for input L i R i as G i (L i R i ) := R i f i (L i ) L i. The following simple calculation shows that this is indeed the inverse function: G i (F i (L i 1 R i 1 )) = G i (R i 1 L i 1 f i (R i 1 )) = (L i 1 f i (R i 1 )) f i (R i 1 ) R i 1 = L i 1 R i 1 21
14 4 Block Ciphers and Modes of Operation L i-1 R i-1 f i L i R i Figure 4.1: One round in a Feistel network The candidate inverse G of the function F having d rounds is now defined as G := G 1 G d ; the following calculation shows that G is indeed the inverse: G 1 (G 2 (... G d 1 (G d (F d (F d 1 (... F 1 (m)... ))))... )) = G 1 (G 2 (... G d 1 (F d 1 (... F 1 (m)... ))... )) =... = G 1 (F 1 (m)) = m Feistel networks are appealing due to their simple design and their additional nice property that the same hardware circuit can be used for both encryption and decryption. This was particularly important in the 60s and 70s when the first block ciphers were designed, and when hardware was still much more expensive. There are two minor differences between encrypting a plaintext and decrypting a ciphertext in a Feistel network. However, these do not affect the network itself but only the handling of inputs of the circuit, i.e., messages and inputs of round functions. Namely, (i) the round functions need to be applied in reversed order, and (ii) writing c = L d R d as the ciphertext, one inputs R d L d to the network for decryption, i.e., one exchanges the left and the right half of the ciphertext, and additionally one exchanges the left and the right half of the output of the Feistel network. One can easily verify that the Feistel network (with these modifications) computes the decryption operation as defined in the above proof. 4.2 The Data Encryption Standard (DES) For a long time, DES was one of the most widely applied block ciphers. It was designed by IBM in collaboration with the NSA and published as a standard in FIPS PUB There were rumors about weaknesses the NSA had built into it, but until now, no evidence was found for these concerns. The main point of criticism against DES was its limited key length, which is nowadays the reason why pure DES is no longer used. In fact, the first DES break, in the sense of a total break given a certain number of plaintext/ciphertext pairs, was reported in 1997 by the DESCHALL project and took about three months. In 1998, the Electronic Frontier Foundation (EFF) built a specialized hardware device resulting in a break in roughly three days. Later they where cooperating with distributed.net breaking a DES challenge in 22 hours. The world record for breaking a DES encryption is currently around 10 hours and this is likely to decrease in the 22
15 4.2 The Data Encryption Standard (DES) IP: Figure 4.2: Initial permutation (IP) in DES: the first bit of the output is the 58-th bit of the input, the second bit of the output is the 50-th bits of the input, and so on. R i 32 expansion permutation E round key K i S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 32 P-Box 32 Figure 4.3: DES round function f i future. A variant called Triple-DES (3DES), which we will discuss later in this chapter, is still deployed and seems to provide good security Overall Construction of DES DES is essentially a Feistel network of 16 rounds operating on blocks of 64 bits and using a key of 56 bits, which is randomly chosen from {0, 1} 56. What makes DES different from a pure Feistel design is the initial permutation IP which is applied before the first round starts, and whose inverse IP 1 is applied after the last round, see Figure 4.2. The DES round function f i, as depicted in Figure 4.3, executes the following steps: 1. Expansion permutation. The message block of 32-bit length is expanded to a block of 48 bits by doubling 16 bits and permuting the block as defined by the expansion permutation E shown in Figure 4.4. The permutation is chosen in a way that one bit in the input affects two substitutions in the output (see the S-Boxes below). This creates an avalanche effect, meaning that a small difference between two plaintexts will produce a large difference in the resulting ciphertexts. 2. Round key addition. The exclusive OR of the 48-bit value with the 48-bit round key K i is computed. The derivation of the round keys, i.e., the key schedule, is defined below. 3. Splitting. This block of 48 bits is split into eight blocks with 6 bits each. 23
16 4 Block Ciphers and Modes of Operation E: Figure 4.4: Expansion permutation E in DES: the first bit of output is the 32-nd bit of the input, the second bit of output is the first of the input and so on. 4. S-Box. Each of these blocks is the input to one of the eight S-boxes S 1,..., S 8, as shown in Figure 4.5. Each S-box yields a 4-bit output. Concatenating these outputs yields a block of 32 bits. 5. P-Box. The permutation P defined in Figure 4.6 is applied to the 32-bit block, yielding the output of f i Key Schedule The choice of the key used in each round is called key schedule. Even if a DES key is composed of 64 bits, 8 bits are used for error detection, thus resulting in an actual key length of 56 bits. In the first step, the error correction bits are stripped off a 64-bit key K and the bits are permuted by a fixed permutation. Both is performed by the function P C-1 shown in Figure 4.7. The output is divided into a 28-bit left half C 0 and a 28-bit right half D 0. Now for each round we compute C i = C i 1 «p i D i = D i 1 «p i where x «p i means a cyclic shift on x to the left by p i positions where p i = 1 if i {1, 2, 9, 16}, and p i = 2 otherwise. Finally, C i and D i are joined together and permuted according to P C-2, obtaining the 48-bit round key. This permutation is given in Figure The Security of DES DES withstood attacks quite successfully apart from some attacks based on linear and differential cryptanalysis which we shall discuss later. However, the major weakness of DES is its limited key length of 56 bits which is nowadays not enough to provide a reasonable level of security. For this reason, several improvements on the plain DES have been proposed. We will discuss some of them in the following. For more information about the security of DES we refer to Section Some Attacks on Block Ciphers In the sequel we sketch some possible attacks on block ciphers and briefly discuss their effects on DES. 24
17 4.3 Some Attacks on Block Ciphers S 1: O 6 13 S 2: S 3: S 4: S 5: O S 6: S 7: S 8: Figure 4.5: S-Boxes in DES: for a binary string x 0 x 1 x 2 x 3 x 4 x 5, the output is computed by looking up the entry in row x 0 x 5 and column x 1 x 2 x 3 x 4. This representation has historical reasons. P Figure 4.6: P-Box in DES: the first bit of the output is the 16-th bit of the input. 25
18 4 Block Ciphers and Modes of Operation P C-1: P C-2: Figure 4.7: DES key schedule permutations P C-1 and P C-2 (note that the indices refer to the original key with error-correcting bits) K PC-1 64bit C 0 D 0 LS 1 LS 1 C 1 D 1 PC-2 K 1 LS 2 LS 2 LS 16 LS 16 C 16 D 16 PC-2 K 16 Figure 4.8: Key scheduling in DES 26
19 4.3 Some Attacks on Block Ciphers Exhaustive Key Search The conceptually simplest attack that can be mounted against any block cipher is exhaustive key search, also called brute-force attack. Knowing a few plaintext/ciphertext pairs (m 1, c 1 ), (m 2, c 2 ),... with c i = E(K, m i ), one tries to find the key K by testing every possible key. To estimate the effectiveness of this attack we need to know how many keys would encrypt a fixed plaintext to a specific ciphertext. We will give an estimation for this in the sequel, where we replace the block cipher with a random function for every key. While this technique is not accurate, it makes use of the intuition that the encryption function should essentially constitute a random function, and is usually considered to be a reasonable abstraction. In this case, one says that the block cipher is considered to be an ideal cipher. This heuristic is used quite often, because an accurate analysis of a real block cipher such as DES is extremely complex. For the case of DES we prove the following statement: for a randomly chosen message block m {0, 1} 64 and a randomly chosen key K {0, 1} 56, the probability that there exists another key K {0, 1} 56 encrypting the message m to the same ciphertext is very low, provided that DES behaves like an ideal cipher. Hence, the probability that a key is already uniquely determined after seeing one plaintext/ciphertext pair, is high. Lemma 4.2 Let (K DES, E DES, D DES ) denote the idealized DES cipher, i.e., for randomly chosen key K [K DES ], the function E DES (K, ) is as good as a randomly chosen function R: {0, 1} 64 {0, 1} 64. Then [ Pr K [K DES ] s.t. E DES (K, m) = E DES (K, m) K K : m R M, K K DES] Proof. We have Pr [ K [K DES ] s.t. K K E DES (K, m) = E DES (K, m) : m R M, K K DES] (1) K {0,1} 56 Pr [E DES (K, m) = E DES (K, m) K K : m R M, K K DES] 1 [ ] = 2 56 Pr E DES (K, m) = E DES (K, m) K K : m R M K,K {0,1} 56 (2) { 1 0 if K = K = if K K K,K {0,1} = 2 8 For inequality (1) we exploited that the probability of a union is always less or equal than the sum of the probabilities of all elements of the union. Equality (2) holds because E DES was considered to be an ideal cipher. Consequently, both E DES (K, m) and E DES (K, m) are (independent) uniformly random in {0, 1} 64 over the choice of the random functions, provided 1 that the keys are not equal. Thus the probability that both encryptions are equal is
20 4 Block Ciphers and Modes of Operation Exhaustive Key Search in Practice. The DES Challenge was put forward by RSA Security to encourage research on the security of DES. A reward of $10,000 was offered for solving the challenge, i.e., for computing the key that was used to encrypt a specific plaintext/ciphertext pair of the form The unknown message is:. In 1997, the DESCHALL project needed about three months to break the DES challenge with a distributed search. In 1998, the Electronic Frontier Foundation (EFF) built the specialized hardware device Deep Crack that was able to break DES keys in roughly three days, at rather moderate costs of about $250,000. While this is certainly too expensive for individuals, this amount is reasonable for large organizations or governments. Later the EFF and distributed.net together broke the challenge in 22 hours Linear Cryptanalysis Suppose messages m and keys K are drawn uniformly at random from their respective sets. Further suppose one knows i 1,..., i r, j 1,..., j s, k 1,..., k t such that [ ] Pr m (i1)... m (ir) c (j1)... c (js) K (k1)... K (kt) = ɛ, where m (i), c (i), K (i) denote the i-th bits of the bitstring m, the ciphertext c, and the key K, respectively. Such relations can be found for DES with ɛ If one gets enough plaintext/ciphertext pairs, one can obtain partial information about the key. Namely for 1/ɛ 2 plaintext/ciphertext pairs (m l, c l ) one has [ ( Pr K (k1)... K (kt) = MAJ m (i 1) l... m (ir) l c (j 1) l... c (js) l l = 1,..., 1/ɛ 2)] 97.7%. where MAJ denotes the majority function, taken over all exclusive ORs computed from any given plaintext/ciphertext pair, i.e., MAJ(b i i = 1,..., n) returns 0 if n 2 or more arguments b i are 0, and 1 otherwise. One can calculate that obtaining 2 42 plaintext/ciphertext pairs for DES allows for retrieving 14 bits of information of the key using these techniques. This enables an attacker to reduce the complexity of an exhaustive key search to 2 42 DES operations, as one only has to test keys fulfilling the relation. An even more involved method to break block ciphers is differential cryptanalysis, which we will not discuss here Side-channel Attacks All the previous attacks are concerned with the input/output behavior of the algorithm only. This is the most common view, sometimes called the standard view, on cryptographic algorithms. However, in certain scenarios an attacker can gain access to more data. This can, for example, be the time needed to compute an encryption, the electric power consumption of a processor, or the electromagnetic emanation of a device, in particular of smartcards. Some of these attacks were able to completely break a system in seconds, and several smartcards have been withdrawn after it was discovered that they were highly vulnerable to such attacks. One of the most famous side-channel attacks is due to Paul Kocher, who measured electric power consumption of microprocessors. He showed that by inspection of power consumption curves one can identify which conditional branch the executed code took. Consequently, if these conditions depend on the secret key, then information about the key is leaked. In fact, from several popular algorithms the key could quite easily be retrieved using such an attack. 28
21 4.4 Modes of Operation 4.4 Modes of Operation Given a block cipher (K, E, D) with message space M = {0, 1} n and key space K := [K], i.e., a symmetric encryption scheme where the message space M corresponds to the cipher space C. There are several ways it can be used to encrypt messages that are longer than a single block. The standard FIPS PUB 81 defines four modes of operation (ECB, CBC, OFB, CFB). Another mode is the counter mode, which has several variants. All operation modes have in common that their key generation algorithm is the same as the key generation for the cipher, we omit its description in the sequel Electronic Codebook Mode (ECB) The electronic codebook (ECB) mode corresponds to the naive use of a block cipher. The message is split into a sequence m = m 1,..., m t of blocks m i M. Each block m i is encrypted with the same key K. Formally, the encryption c = c 1,..., c t is computed as c i := E(K, m i ). The decryption operation is obvious. The ECB mode is depicted in Figure 4.9. The main weakness of the ECB mode is that identical blocks m i are encrypted to the same ciphertext c i. This is a particularly strong weakness if messages come from a source with low entropy, e.g., securely encrypting (uncompressed) images is not possible using ECB. On the positive side, if one block c i gets corrupted due to unreliable channels, then only one block is affected while all other blocks can still be decrypted Cipher Block Chaining Mode (CBC) The cipher block chaining (CBC) mode overcomes the main weakness of ECB by using an initialization vector IV which is chosen uniformly at randomly from the set M in the encryption process as follows. A message m = m 1,..., m t is encrypted by computing c 1 := E(K, m 1 IV ) and c i := E(K, m i c i 1 ), for i 2, i.e., each ciphertext block c i is XOR ed with the next block of the plaintext. The ciphertext is c = IV, c 1,..., c t. The decryption operation is straightforwardly derivable from the encryption; thus we omit its description. The CBC mode is depicted in Figure For the CBC mode, a one-bit error in the ciphertext gives not only a one-block error in the corresponding message block but also a one-bit error in the next decrypted plaintext block. The initial value IV ensures that two encryptions of the same plaintext yield different ciphertexts, as opposed to the ECB mode. Note that the initialization vector needs to be included in the ciphertext, as otherwise the ciphertext cannot be decrypted Cipher Feedback Mode (CFB) To encrypt a message m = m 1,..., m t in the cipher feedback (CFB) mode, one first randomly chooses an initialization vector IV. The ciphertext c = IV, c 1,..., c t is computed by appending the initialization vector IV to the c i that are computed as follows: c 1 := m 1 E(K, IV ), and c i := m i E(K, c i 1 ) for i 2. 29
22 4 Block Ciphers and Modes of Operation m 1 m 2 c 1 c 2 E(K, ) E(K, ) D(K, ) D(K, ) c 1 c 2 m 1 m 2 Figure 4.9: Encryption and Decryption in ECB Mode m 1 m 2 c 1 c 2 IV D(K, ) D(K, ) E(K, ) E(K, ) IV c 1 c 2 m 1 m 2 Figure 4.10: Encryption and Decryption in CBC Mode IV m 1 m 2 IV c 1 c 2 E(K,.) E(K,.) E(K,.) E(K,.) c 1 c 2 m 1 m 2 Figure 4.11: Encryption and Decryption in CFB Mode IV E(K,.) E(K,.) E(K,.) IV E(K,.) E(K,.) E(K,.) m 1 m 2 c 1 c 2 c 1 c 2 m 1 m 2 Figure 4.12: Encryption and Decryption in OFB Mode IV IV1 IV2 IV IV1 IV2 E(K, ) m 1 E(K, ) m 2 E(K, ) c 1 E(K, ) c 2 c 1 c 2 m 1 m 2 Figure 4.13: Encryption and Decryption in CTR Mode 30
23 4.4 Modes of Operation The decryption operation is defined in the straightforward manner. Note that the decryption algorithm D from the block cipher is not involved. A one-bit error in the ciphertext causes a one-bit error in the corresponding plaintext block and a block-error in the next decrypted plaintext block, i.e., the opposite of what happens in the CBC mode. The CFB is depicted in Figure Output Feedback Mode (OFB) To encrypt a message m = m 1,..., m t in the output feedback (OFB) mode one randomly chooses an initialization vector IV, the ciphertext c = IV, c 1,..., c t is computed by appending the initialization vector to the c i that are computed as follows c i := m i E i (K, IV ). where E i (K, ) means iterating the encryption algorithm i times. Of course, when implementing this mode one reuses previously computed iterations in the obvious way, see also Figure Decryption is computed analogously. Again, the initialization vector needs to be included in the ciphertext. The OFB mode has the property that a one-bit error in the ciphertext gives only a one-bit error in the decrypted ciphertext. Furthermore, the key stream can be pre-computed, as it does not depend on the ciphertext. So this mode is good if latency between receiving a message and decrypting it is important. A Note on the Initialization Vector. We have defined the modes ECB, CBC, CFB, and OFB in such a way that the initialization vector is chosen uniformly at random and included in the ciphertext. However, the key requirement is that an initialization vector is not used twice, so one could define these modes such that subsequent initialization vectors are determined by a counter. Then the initialization vector does not have to be sent with the ciphertext; however, both the sender and the recipient have to synchronize their counters Counter Mode (CTR) In contrast to the former modes of operation, the key stream in the counter mode is computed by applying the function E to values generated by a so-called counter, which can be essentially any function that will not repeat itself for a long time. In the following we will take a simple, deterministic counter. This mode comes in two variations, depending on how the initialization vector is chosen. The overall operation of the counter mode (both deterministic and randomized) is sketched in Figure Let an initialization vector IV be given. (We will later explain how it may be chosen.) The encryption of a message m = m 1,..., m l, where each m i M, is given by c = c 1,..., c l where c i := m i E(K, IV i). Here, the addition IV i is computed modulo 2 n. Deterministic Counter Mode (detctr). In this variant, the initialization vector is chosen to be IV = 0. We will see that this has the consequence that only one message can be encrypted securely, as we would re-use a value output by the function E when encrypting the second message. 31
24 4 Block Ciphers and Modes of Operation Deterministic counter mode has very similar characteristics to OFB. A bit-error in ciphertext leads to a bit-error in the message; subsequent blocks are not affected. The key stream can be precomputed, and random access to the ciphertext is possible. Randomized Counter Mode (randctr). This variant does not use a fixed initialization vector, but randomly chooses a new one for every message that is encrypted. This value has to be sent along with the ciphertext c as constructed above, i.e., the actual ciphertext is (IV, c). Randomized counter mode has very similar characteristics to detctr and OFB. However, in contrast to detctr we will see that it can be used to securely encrypt multiple messages. As for detctr, the key stream can be precomputed, and random access to the ciphertext is possible. 32
page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas
Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationNetwork Security Essentials Chapter 2
Network Security Essentials Chapter 2 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Encryption What is encryption? Why do we need it? No, seriously, let's discuss this. Why do we need
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationChapter 3 Block Ciphers and the Data Encryption Standard
Chapter 3 Block Ciphers and the Data Encryption Standard Last Chapter have considered: terminology classical cipher techniques substitution ciphers cryptanalysis using letter frequencies transposition
More informationDouble-DES, Triple-DES & Modes of Operation
Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES
More informationSymmetric Encryption Algorithms
Symmetric Encryption Algorithms CS-480b Dick Steflik Text Network Security Essentials Wm. Stallings Lecture slides by Lawrie Brown Edited by Dick Steflik Symmetric Cipher Model Plaintext Encryption Algorithm
More informationNetwork Security Essentials
Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science
More informationStream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91
Stream ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 91 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 92 Stream Cipher Suppose you want to encrypt
More information7. Symmetric encryption. symmetric cryptography 1
CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption
More information3 Symmetric Cryptography
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 3 Symmetric Cryptography Symmetric Cryptography Alice Bob m Enc c = e k (m) k c c Dec m = d k (c) Symmetric cryptography uses the same secret key k for encryption
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationPRNGs & DES. Luke Anderson. 16 th March University Of Sydney.
PRNGs & DES Luke Anderson luke@lukeanderson.com.au 16 th March 2018 University Of Sydney Overview 1. Pseudo Random Number Generators 1.1 Sources of Entropy 1.2 Desirable PRNG Properties 1.3 Real PRNGs
More informationCHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))
CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption
More informationLecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24
Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.
More informationInformation Security CS526
Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream CIphers 1 Announcements HW1 is out, due on Sept 11 Start early, late policy is 3 total late days
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.2 Secret Key Cryptography CSC 474/574 Dr. Peng Ning 1 Agenda Generic block cipher Feistel cipher DES Modes of block ciphers Multiple encryptions Message
More information6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1
CA642: CRYPTOGRAPHY AND NUMBER THEORY 1 6 Block Ciphers 6.1 Block Ciphers Block Ciphers Plaintext is divided into blocks of fixed length and every block is encrypted one at a time. A block cipher is a
More informationChapter 6 Contemporary Symmetric Ciphers
Chapter 6 Contemporary Symmetric Ciphers "I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and
More informationSecret Key Algorithms (DES)
Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used
More informationCryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers
Cryptography Dr. Michael Schneider michael.schneider@h-da.de Chapter 10: Pseudorandom Bit Generators and Stream Ciphers December 12, 2017 h_da WS2017/18 Dr. Michael Schneider 1 1 Random and Pseudorandom
More informationStream Ciphers An Overview
Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext
More informationPractical Aspects of Modern Cryptography
Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private
More informationComputer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Cryptography Part II Paul Krzyzanowski Rutgers University Spring 2018 March 23, 2018 CS 419 2018 Paul Krzyzanowski 1 Block ciphers Block ciphers encrypt a block of plaintext at a
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationSecret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34
Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.
More informationCryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi
Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationSymmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.
Symmetric Key Algorithms Definition A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting. 1 Block cipher and stream cipher There are two main families
More informationECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #7 Analysis of DES and the AES Standard Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we analyze the security properties of DES and
More informationHomework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions
More informationNew Kid on the Block Practical Construction of Block Ciphers. Table of contents
New Kid on the Block Practical Construction of Block Ciphers Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Substitution-permutation
More informationCryptography 2017 Lecture 3
Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, 2017 1 / 1 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad
More informationComputer Security 3/23/18
s s encrypt a block of plaintext at a time and produce ciphertext Computer Security 08. Cryptography Part II Paul Krzyzanowski DES & AES are two popular block ciphers DES: 64 bit blocks AES: 128 bit blocks
More informationSymmetric Cryptography
CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationSymmetric Encryption. Thierry Sans
Symmetric Encryption Thierry Sans Design principles (reminder) 1. Kerkoff Principle The security of a cryptosystem must not rely on keeping the algorithm secret 2. Diffusion Mixing-up symbols 3. Confusion
More informationBlock Ciphers and Data Encryption Standard. CSS Security and Cryptography
Block Ciphers and Data Encryption Standard CSS 322 - Security and Cryptography Contents Block Cipher Principles Feistel Structure for Block Ciphers DES Simplified DES Real DES DES Design Issues CSS 322
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationISA 562: Information Security, Theory and Practice. Lecture 1
ISA 562: Information Security, Theory and Practice Lecture 1 1 Encryption schemes 1.1 The semantics of an encryption scheme. A symmetric key encryption scheme allows two parties that share a secret key
More informationComp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today
Comp527 status items Crypto Protocols, part 2 Crypto primitives Today s talk includes slides from: Bart Preneel, Jonathan Millen, and Dan Wallach Install the smart card software Bring CDs back to Dan s
More information2 What does it mean that a crypto system is secure?
Cryptography Written by: Marius Zimand Notes: On the notion of security 1 The One-time Pad cryptosystem The one-time pad cryptosystem was introduced by Vernam and Mauborgne in 1919 (for more details about
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationData Encryption Standard (DES)
Data Encryption Standard (DES) Best-known symmetric cryptography method: DES 1973: Call for a public cryptographic algorithm standard for commercial purposes by the National Bureau of Standards Goals:
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers Ruben Niederhagen September 18th, 2013 Introduction 2/22 Recall from last lecture: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES
CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES PREPARED BY R.CYNTHIA PRIYADHARSHINI AP/IT/SREC Block Ciphers A block cipher is an encryption/decryption scheme in which a block of plaintext is treated
More informationCENG 520 Lecture Note III
CENG 520 Lecture Note III Symmetric Ciphers block ciphers process messages in blocks, each of which is then en/decrypted like a substitution on very big characters 64-bits or more stream ciphers process
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationCryptography. Summer Term 2010
Cryptography Summer Term 2010 Harald Baier Chapter 3: Pseudo Random Bit Generators and Stream Ciphers Contents Random bits and pseudo random bits Stream ciphers Harald Baier Cryptography h_da, Summer Term
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationIntroduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function
More informationSecret Key Cryptography
Secret Key Cryptography General Block Encryption: The general way of encrypting a 64-bit block is to take each of the: 2 64 input values and map it to a unique one of the 2 64 output values. This would
More informationCryptography [Symmetric Encryption]
CSE 484 / CSE M 584: Computer Security and Privacy Cryptography [Symmetric Encryption] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationSecret Key Cryptography (Spring 2004)
Secret Key Cryptography (Spring 2004) Instructor: Adi Shamir Teaching assistant: Eran Tromer 1 Background Lecture notes: DES Until early 1970 s: little cryptographic research in industry and academcy.
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationSome Aspects of Block Ciphers
Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar
More informationBlock Cipher Operation. CS 6313 Fall ASU
Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES
More informationCIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)
CIS 6930/4930 Computer and Network Security Topic 3.1 Secret Key Cryptography (Cont d) 1 Principles for S-Box Design S-box is the only non-linear part of DES Each row in the S-Box table should be a permutation
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Lecture 6 Michael J. Fischer Department of Computer Science Yale University January 27, 2010 Michael J. Fischer CPSC 467b, Lecture 6 1/36 1 Using block ciphers
More informationENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions
ENEE 457: Computer Systems Security 09/12/16 Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions Charalampos (Babis) Papamanthou Department of Electrical and Computer
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationLecture 2: Secret Key Cryptography
T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption
More informationIntroduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space
Perfect Cipher Introduction to Cryptography Lecture 2 Benny Pinkas What type of security would we like to achieve? Given C, the adversary has no idea what M is Impossible since adversary might have a-priori
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationIntroduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard
Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard Egemen K. Çetinkaya Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of
More informationAcronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector
Acronyms 3DES AES AH ANSI CBC CESG CFB CMAC CRT DoS DEA DES DoS DSA DSS ECB ECC ECDSA ESP FIPS IAB IETF IP IPsec ISO ITU ITU-T Triple DES Advanced Encryption Standard Authentication Header American National
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationAssignment 3: Block Ciphers
Assignment 3: Block Ciphers CSCI3381-Cryptography Due October 3, 2014 1 Solutions to the Written Problems 1. Block Cipher Modes of Operation 6 points per part, 30 total. Parts (a)-(d) refer to the cipherblock
More informationCIS 4360 Secure Computer Systems Symmetric Cryptography
CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography
More informationData Encryption Standard
ECE 646 Lecture 7 Data Encryption Standard Required Reading W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationIDEA, RC5. Modes of operation of block ciphers
C 646 - Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van
More informationStream Ciphers. Çetin Kaya Koç Winter / 13
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 13 Block Ciphers Cryptography Plaintext: M i with M i = n, where n is the block length (in bits) Ciphertext: C i with C i = m, where m n, however,
More informationBlock ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016
Block ciphers CS 161: Computer Security Prof. Raluca Ada Popa February 26, 2016 Announcements Last time Syntax of encryption: Keygen, Enc, Dec Security definition for known plaintext attack: attacker provides
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationSecret Key Cryptography Overview
Secret Key Cryptography Overview Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc01_07/ Block ciphers
More informationData Encryption Standard
ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple
More informationCryptology complementary. Symmetric modes of operation
Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03
More informationBlock cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75
Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like
More informationApplied Cryptography Data Encryption Standard
Applied Cryptography Data Encryption Standard Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 History DES has a checkered history. The book provided fascinating reading
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationWeek 4. : Block Ciphers and DES
Week 4. : Block Ciphers and DES Model of Symmetric Cryptosystem Cryptanalyst Adversary M K E Insecure Channel D Plaintext M Ciphertext C Secure Channel Plaintext M Key K Shared Secret Key C = E K (M) D
More informationBlock Encryption and DES
Block Encryption and DES Plain Text Block 1 Block 2 Block 3 Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available
More informationCS61A Lecture #39: Cryptography
Announcements: CS61A Lecture #39: Cryptography Homework 13 is up: due Monday. Homework 14 will be judging the contest. HKN surveys on Friday: 7.5 bonus points for filling out their survey on Friday (yes,
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks
More informationDataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.
Submitted by SPYRUS, Inc. Contents DT5000 and DT6000 Technology Overview...2 Why DT5000 and DT6000 Encryption Is Different...3 Why DT5000 and DT6000 Encryption Is Different - Summary...4 XTS-AES Sector-Based
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Previously on COS 433 Confusion/Diffusion Paradigm f 1 f 2 f 3 f 4 f 5 f 6 Round π 1 f 7 f 8 f 9 f 10 f 11 f 12 π 2 Substitution
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17
More informationA Chosen-key Distinguishing Attack on Phelix
A Chosen-key Distinguishing Attack on Phelix Yaser Esmaeili Salehani* and Hadi Ahmadi** * Zaeim Electronic Industries Co., Tehran, Iran. ** School of Electronic Engineering, Sharif University of Technology,
More informationModes of Operation. Raj Jain. Washington University in St. Louis
Modes of Operation Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at : http://www.cse.wustl.edu/~jain/cse567-06/
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography
More informationHow many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?
Homework 1. Come up with as efficient an encoding as you can to specify a completely general one-to-one mapping between 64-bit input values and 64-bit output values. 2. Token cards display a number that
More informationCOMP4109 : Applied Cryptography
COMP4109 : Applied Cryptography Fall 2013 M. Jason Hinek Carleton University Applied Cryptography Day 4 (and 5 and maybe 6) secret-key primitives symmetric-key encryption security notions and types of
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More information