Administrative Details - PowerPoint PPT Presentation


Slides: 38
Provided by: Niv
Transcript and Presenter's Notes

1
Introduction to Modern Cryptography
Lecture 2
Symmetric Encryption: Stream and Block Ciphers
2
Stream Ciphers
  • Start with a secret key (seed)
  • Generate a keying stream
  • i-th bit/byte of keying stream is a function of
    the key and the first i-1 ciphertext bits.
  • Combine the stream with the plaintext to produce
    the ciphertext (typically by XOR)

3
Example of Stream Encryption
Diagram: Key -> Stream; Stream ⊕ Plaintext -> Ciphertext
4
Example of Stream Decryption
Diagram: Key -> Stream; Stream ⊕ Ciphertext -> Plaintext
5
Real Cipher Streams
  • Most pre-WWII machines
  • German Enigma
  • Linear Feedback Shift Register
  • A5 encrypting GSM handset to base station
    communication
  • RC-4 (Ron's Code)

6
Terminology
A stream cipher is called synchronous if the
keystream does not depend on the plaintext
(it depends on the key alone). Otherwise the
cipher is called asynchronous.
7
Current Example: RC-4
  • Part of the RC family
  • Claimed by RSA as their IP
  • Between 1987 and 1994 its internals were not
    revealed, so it received little analytic scrutiny
  • Preferred export status
  • Code released anonymously on the Internet
  • Used in many systems: Lotus Notes, SSL, etc.

8
RC4 Properties
  • Variable key size stream cipher with byte
    oriented operations.
  • Based on using a random looking permutation.
  • 8-16 machine operations per output byte.
  • Very long cipher period (over 10^100).
  • Widely believed to be secure. Used for
    encryption in SSL web protocol.

9
RC-4 Initialization
  • j ← 0
  • S[0] ← 0, S[1] ← 1, ..., S[255] ← 255
  • Let the key be (bytes) k[0], ..., k[255] (repeating bits
    if necessary)
  • For i ← 0 to 255:
    • j ← (j + S[i] + k[i]) mod 256
    • Swap S[i] and S[j]

10
RC-4 Key-stream Creation
  • Generate an output byte B by:
    • i ← (i + 1) mod 256
    • j ← (j + S[i]) mod 256
    • Swap S[i] and S[j]
    • t ← (S[i] + S[j]) mod 256
    • B ← S[t]
  • B is XORed with the next plaintext byte

11
Block Ciphers
  • Encrypt a block of input to a block of output
  • Typically, the two blocks are of the same length
  • In most symmetric key systems the block size
    is 64
  • In AES the block size is 128
  • Different modes for encrypting plaintext longer
    than a block

12
Real World Block Ciphers
  • DES, 3-DES
  • AES (Rijndael)
  • RC-2
  • RC-5
  • IDEA
  • Blowfish, Cast
  • Gost

13
ECB Mode Encryption (Electronic Code Book)
Diagram: C1 = Ek(P1), C2 = Ek(P2), C3 = Ek(P3)
Encrypt each plaintext block separately.
14
Properties of ECB
  • Simple and efficient
  • Parallel implementation possible
  • Does not conceal plaintext patterns
  • Active attacks are possible (plaintext can be
    easily manipulated by removing, repeating,
    or interchanging blocks).

15
CBC Mode Encryption (Cipher Block Chaining)
Diagram: C1 = Ek(P1 ⊕ S0), C2 = Ek(P2 ⊕ C1), C3 = Ek(P3 ⊕ C2)
Previous ciphertext is XORed with current
plaintext before encrypting current block. An
initialization vector S0 is used as a seed for
the process. The seed can be openly transmitted.
16
Properties of CBC
  • Asynchronous stream cipher
  • Errors in one ciphertext block propagate
  • Conceals plaintext patterns
  • No parallel implementation known
  • Plaintext cannot be easily manipulated.
  • Standard in most systems: SSL, IPSec, etc.

17
OFB Mode (Output FeedBack)
An initialization vector s_0 is used as a seed
for a sequence of data blocks s_i
18
Properties of OFB
  • Synchronous stream cipher
  • Errors in ciphertext do not propagate
  • Pre-processing is possible
  • Conceals plaintext patterns
  • No parallel implementation known
  • Active attacks by manipulating plaintext are
    possible
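
The three modes of slides 13 to 18 over one toy block cipher, so the listed properties (ECB exposes repeated blocks, a damaged CBC block spoils two plaintext blocks, a damaged OFB block spoils only itself) can be observed. This is an added example, not the lecture's code; the "cipher" is a constructed random 16-bit permutation, and inputs are assumed block-aligned (no padding).

```python
import random

BLOCK = 2   # toy block size in bytes (16-bit blocks)

def toy_cipher(key: int):
    """Constructed stand-in for E_k / D_k: a random 16-bit permutation seeded by the key."""
    perm = list(range(1 << 16))
    random.Random(key).shuffle(perm)
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    enc = lambda b: perm[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    dec = lambda b: inv[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
    return enc, dec

def blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(enc, pt): return b"".join(enc(p) for p in blocks(pt))   # slide 13: block by block
def ecb_decrypt(dec, ct): return b"".join(dec(c) for c in blocks(ct))

def cbc_encrypt(enc, iv, pt):      # slide 15: C_i = E_k(P_i XOR C_{i-1}), C_0 = S0 (the IV)
    out, prev = [], iv
    for p in blocks(pt):
        prev = enc(xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(dec, iv, ct):      # P_i = D_k(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec(c), prev))
        prev = c
    return b"".join(out)

def ofb_crypt(enc, iv, data):      # slide 17: s_i = E_k(s_{i-1}), C_i = P_i XOR s_i; same call decrypts
    out, s = [], iv
    for p in blocks(data):
        s = enc(s)
        out.append(xor(p, s))
    return b"".join(out)

def flip_bit(ct: bytes, index: int) -> bytes:
    """Damage one ciphertext bit, as a transmission error would."""
    damaged = bytearray(ct)
    damaged[index] ^= 0x01
    return bytes(damaged)

def changed_blocks(original: bytes, recovered: bytes) -> list:
    """Indices of plaintext blocks that differ after decrypting damaged ciphertext."""
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]
```

Encrypting the constructed plaintext b"ABABABAB" with `ecb_encrypt` gives four identical ciphertext blocks, while `cbc_encrypt` gives four distinct ones; flipping one ciphertext bit and running `changed_blocks` shows the propagation pattern of each mode.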

19
AES Proposed Modes
  • CTR (Counter) mode (OFB modification): parallel
    implementation, offline pre-processing, provable
    security, simple and efficient
  • OCB (Offset Codebook) mode: parallel
    implementation, offline preprocessing, provable
    security (under specific assumptions),
    authenticity

20
Strengthening a Given Cipher
  • Design multiple key lengths: AES
  • Whitening: the DESX idea
  • Iterated ciphers: Triple DES (3-DES), triple
    IDEA and so on

21
Triple Cipher - Diagram
Diagram: P -> Ek1 -> Ek2 -> Ek3 -> C
22
Iterated Ciphers
  • Plaintext undergoes encryption repeatedly by
    underlying cipher
  • Ideally, each stage uses a different key
  • In practice triple cipher is usually
    • C = Ek1(Ek2(Ek1(P))) (EEE mode) or
    • C = Ek1(Dk2(Ek1(P))) (EDE mode)
  • EDE is more common in practice

23
Necessary Condition
  • For some block ciphers iteration does not enhance
    security
  • Example: substitution cipher
  • Consider a block cipher with blocks of size b bits,
    and key of size k
  • The number of all possible functions mapping b
    bits to b bits is (2^b)^(2^b)

24
Necessary Condition (cont.)
  • The number of all possible encryption functions
    (bijections) is (2^b)!
  • The number of encryption functions in our cipher
    is at most 2^k.
  • Claim: The bijections are a group G under the ∘
    operation (composition)
  • Claim: If the encryptions of a cipher form a
    sub-group of G then the iterated cipher does not
    increase security.

25
Meet in the Middle Attack
  • Double ciphers are rarely used due to this attack
  • Attack requires:
    • Known plaintext
    • 2^(k+1) encryptions and decryptions
    • k·2^k storage space
  • A square root of the trivial attacking time, at the
    expense of storage

26
Meet in the Middle (cont.)
  • Given a plaintext-ciphertext pair (p, c)
  • Compute and store the table of Dk2(c) for all k2;
    takes 2^k decryptions, k·2^k storage.
  • For every k1, test if Ek1(p) is in the table
  • Every hit gives a possible (k1, k2) pair
  • May have to repeat several times
  • Meet in the middle is applicable to any iterated
    cipher, reducing the trivial processing time by
    2^k encryptions
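
The procedure of slides 25 and 26 carried out against a double encryption with a constructed 16-bit toy block cipher (k = 16), so the 2^k table, the 2^k probes and the false hits that force "repeat several times" can all be seen. This is an added example, not the lecture's code; the toy cipher is invented for illustration and has no security value.

```python
from collections import defaultdict

MASK = 0xFFFF                      # 16-bit block and 16-bit key (toy sizes: k = 16)

def _rotl(x, r): return ((x << r) | (x >> (16 - r))) & MASK
def _rotr(x, r): return ((x >> r) | (x << (16 - r))) & MASK

def toy_encrypt(k: int, p: int) -> int:
    """Constructed toy block cipher: 4 add-rotate-xor rounds. Invertible, not secure."""
    x = p
    for r in range(4):
        x = (x + k) & MASK
        x = _rotl(x, 5)
        x ^= (k * (2 * r + 1)) & MASK
    return x

def toy_decrypt(k: int, c: int) -> int:
    x = c
    for r in reversed(range(4)):
        x ^= (k * (2 * r + 1)) & MASK
        x = _rotr(x, 5)
        x = (x - k) & MASK
    return x

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, p))       # C = Ek2(Ek1(P)); naive search costs 2^(2k)

def meet_in_the_middle(pairs: list) -> list:
    """pairs: known (p, c) under one (k1, k2). Returns all (k1, k2) consistent with every pair.
    Cost: 2^k decryptions to fill the table, 2^k encryptions to probe it, 2^k stored entries."""
    p0, c0 = pairs[0]
    middle = defaultdict(list)                        # Dk2(c0) -> [k2]
    for k2 in range(MASK + 1):
        middle[toy_decrypt(k2, c0)].append(k2)
    found = []
    for k1 in range(MASK + 1):                        # a hit Ek1(p0) = Dk2(c0) is a candidate pair
        for k2 in middle.get(toy_encrypt(k1, p0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):   # weed out false hits
                found.append((k1, k2))
    return found

def sample_pairs(k1: int = 0xBEEF, k2: int = 0x1234) -> list:
    """Constructed known-plaintext material under a fixed secret key pair."""
    return [(p, double_encrypt(k1, k2, p)) for p in (0x0000, 0x1111, 0x2222)]

if __name__ == "__main__":
    print(meet_in_the_middle(sample_pairs()))        # contains (48879, 4660) = (0xBEEF, 0x1234)
```

With a single (p, c) pair roughly 2^k candidate pairs survive, which is why the extra pairs are needed before the key pair is pinned down.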

27
Two or Three Keys
  • Sometimes only two keys are used in 3-DES
  • Identical key must be at beginning and end
  • Legal advantage (export license) due to smaller
    overall key size
  • Used as a KEK in the BPI protocol which secures
    the DOCSIS cable modem standard

28
Adversary's Goals
  • Final goal: recover key
  • Intermediate goals:
    • Reduce key space
    • Discover plaintext patterns
    • Recover portions of plaintext
    • Change ciphertext to produce meaningful
      plaintext, without breaking the system
      (active attack)

29
Generic Attacks
  • Exhaustive search
    • Type: ciphertext only
    • Time: 2^k decryptions per ciphertext
    • Storage: constant
  • Table lookup
    • Type: chosen plaintext
    • Time: offline 2^k decryptions, online constant
    • Storage: 2^k ciphertexts

30
The Problem
  • Break ECB mode (known fixed cleartext header)
  • The idea:
    • Define f(k) = Enc_k(constant)
    • Invert f(k)
  • New problem: invert f

31
Time/Space Tradeoffs
  • 1st simple solution:
    • Time 2^k - exhaustive search per message
  • 2nd simple solution:
    • Precompute all 2^k values of f(k)
    • Store in a lookup table (hash table)
    • Requires O(1) time per inversion
    • Requires space O(2^k)

32
Hellman (again): can we do better?
  • If it so happened that f is a permutation:
  • Choose L = 2^(k/2) random start points s_1, ..., s_L
  • For every such point, compute t_i = f(f(...f(s_i)...)),
    f applied L times.
  • Store a lookup table of values (t_i, s_i), i = 1, ...,
    L, indexed by t_i.

33
Searching for k given f(k)
  • Let s = x = f(k)
  • Repeat until f(x) = s; once f(x) = s, x = k:
    • If x = t_i for some i, let x = s_i
    • otherwise let x = f(x)
  • Claim: for an arbitrary permutation and arbitrary
    k, the probability that this inverts k is constant

34
Why?
  • Values of f(k) on a small cycle will be inverted
  • Consider what happens when we add the ith chain
    (si, ti)
  • If we cover a constant times L new values then
    we're done
  • If not, assume that the previous chains have
    covered less than a constant fraction of the L^2 values
  • The uncovered values must themselves lie on
    chains whose average length is a constant times L
    (as all values lie on some chain)
  • Thus, we have a constant probability of covering
    at least a constant fraction of L new values
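
The table construction of slide 32 and the search of slide 33, run against a random permutation so the constant success probability argued on slide 34 can be measured. This is an added example, not the lecture's code; it assumes k = 16 and uses a constructed random permutation in place of f(k) = Enc_k(constant).

```python
import random

K_BITS = 16                       # toy key size k; f acts on 2^k points
N = 1 << K_BITS
L = 1 << (K_BITS // 2)            # L = 2^(k/2) chains, each of length L

def random_permutation(seed: int) -> list:
    """Constructed stand-in for f(k) = Enc_k(constant) in the permutation case."""
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    return perm

def build_table(f: list, seed: int) -> dict:
    """Pick L random start points s_i, walk L steps to t_i = f^L(s_i), store t_i -> s_i."""
    rng = random.Random(seed)
    table = {}
    for _ in range(L):
        s = x = rng.randrange(N)
        for _ in range(L):
            x = f[x]
        table[x] = s              # indexed by the chain end t_i
    return table

def invert(f: list, table: dict, y: int):
    """Return k with f(k) = y, or None when no chain covers k.
    Walk x = y, f(y), ...; on reaching some t_i, restart from s_i and stop at f(x) = y."""
    x = y
    for _ in range(L):
        if x in table:            # x = t_i, so k lies on chain i within L steps of s_i
            z = table[x]
            for _ in range(L):
                if f[z] == y:
                    return z
                z = f[z]
            return None           # unreachable for a permutation; guards a non-bijective f
        x = f[x]
    return None                   # no chain end met: k's cycle is not covered

def success_rate(trials: int = 300, seed: int = 1) -> float:
    """Fraction of random k recovered from f(k); slide 34 argues this is a constant."""
    f = random_permutation(seed)
    table = build_table(f, seed + 1)
    rng = random.Random(seed + 2)
    hits = 0
    for _ in range(trials):
        k = rng.randrange(N)
        r = invert(f, table, f[k])
        assert r is None or r == k       # a permutation has a unique preimage
        hits += (r == k)
    return hits / trials

if __name__ == "__main__":
    print(f"table entries: at most {L}, success rate: {success_rate():.2f}")
```

The table holds at most L = 256 entries instead of the 2^k = 65536 of the full lookup table, and each inversion costs at most about 2L steps of f.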

35
All this does not work when f is not a permutation
  • Hellman's ingenious idea
  • Don't invert f(x), invert g(f(x)) for some known
    random function g.
  • Obviously, if you can invert g(f(x)) then you can
    invert f(x).
  • Note that if f is not a permutation then g(f) is
    not a permutation either

36
Inverting g(f(x))
  • Not a permutation
  • Choose L = 2^(k/3) random start points s_1, ..., s_L
  • For every such point, compute t_i = f(f(...f(s_i)...)),
    f applied L times.
  • Store a lookup table of values (t_i, s_i), i = 1, ...,
    L, indexed by t_i.
  • Claim: we cover by chains at least a constant
    fraction of L^2 = 2^(2k/3)
  • Consider the last chain added: we've covered at
    most 2^(2k/3) values until now, so with constant
    probability, the new L = 2^(k/3) values on the new
    chain will be entirely new.

37
Hellman's next idea
  • Use many different g's
  • Every g will cover a random set of 2^(2k/3)
    values.
  • So, choose L = 2^(k/3) g's
  • Space required L^2 = 2^(2k/3)
  • Time required L^2 = 2^(2k/3)