B504/I538: Introduction to Cryptography, Spring 2017 • Lecture 10 (2017-02-09)
Assignment 2 is due on Tuesday! (2017-02-14) (Last day for help is tomorrow!!)
About crypto! Free pizza+brownies! 2 weeks from today
Recall: Pseudorandom generator (PRG)
Defⁿ: A (fixed-length) pseudorandom generator (PRG) with expansion ℓ is a function G:{0,1}*→{0,1}* with two properties:
1. Expansion (output is always longer than input): ∀n∈ℕ, ℓ(n)>n and ∀x∈{0,1}*, |G(x)|=ℓ(|x|)
2. Pseudorandom (uniform inputs yield uniform-looking outputs): For every PPT distinguisher A, there exists a negligible function ε:ℕ→ℝ⁺ such that, ∀n∈ℕ,
   |Pr[A(y)=1 | y∊{0,1}^ℓ(n)] − Pr[A(G(x))=1 | x∊{0,1}ⁿ]| ≤ ε(n)
Recall: Pseudorandom function (PRF)
Defⁿ: A (length-preserving) pseudorandom function (PRF) is a “keyed” function F:{0,1}*×{0,1}*→{0,1}* with three properties:
1. Length-preservation (output is the same size as the inputs): ∀k∈{0,1}* and ∀x∈{0,1}^|k|, |F(k,x)|=|x|
2. Uniform PPT (can be evaluated by an efficient algorithm): There exists a (uniform) PPT algorithm A such that, ∀k∈{0,1}* and ∀x∈{0,1}^|k|, A(k,x)=F(k,x)
3. Pseudorandom (behaves like a “random function”): For every PPT distinguisher A, there exists a negligible function ε:ℕ→ℝ⁺ such that, ∀n∈ℕ,
   |Pr[A^{F_k(·)}(1ⁿ)=1 | k∊{0,1}ⁿ] − Pr[A^{f(·)}(1ⁿ)=1 | f∊Func(n)]| ≤ ε(n)
   (A^{F_k(·)} and A^{f(·)} are oracle machines: A may query the function but never sees k or f itself)
Permutations
Q: What is a “permutation” on {0,1}ⁿ?
A: A function that “rearranges” the elements of {0,1}ⁿ
More formally, it is a bijection from {0,1}ⁿ to itself; that is, a function π:{0,1}ⁿ→{0,1}ⁿ that is
1. Injective (“one-to-one”): π(x)=π(y) ⇒ x=y
2. Surjective (“onto”): ∀y∈{0,1}ⁿ, ∃x∈{0,1}ⁿ such that π(x)=y
[Figure: the 3! permutations of 3 colored circles]
Pseudorandom permutations (PRPs)
Intuitively: A pseudorandom permutation (PRP) is a pseudorandom function that is also a permutation (whenever the key is fixed)
No efficient algorithm can distinguish between a PRP and a random permutation, except with negligible advantage
What in the @#%★‽! is a random permutation?
Random permutations
Defⁿ: Let Perm(n) denote the set of all permutations on {0,1}ⁿ. A random permutation is the uniform random variable on Perm(n).
Q: How big is the sample space of Perm(n)?
A: (2ⁿ)! (compare this with the 2^(n·2ⁿ) functions in Func(n): each of the 2ⁿ inputs can map to any of 2ⁿ outputs)
Why permutations?
Q: What special property of permutations makes PRPs more “useful” than PRFs?
A: Permutations have unique inverses; that is, given any y∈{0,1}ⁿ it is possible to find x∈{0,1}ⁿ such that π(x)=y
[Figure: a permutation (every output hit exactly once) versus a non-permutation]
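As an added example (constructed for this page, not from the lecture), the following brute-force check enumerates every function on {0,1}ⁿ for n≤2, applies the injective and surjective tests from the permutation definition, confirms the counts (2ⁿ)! and 2^(n·2ⁿ), and computes the unique inverse of a permutation table; the table (2, 0, 3, 1) is a constructed sample.

```python
from itertools import product
from math import factorial

# Constructed, illustrative code (not from the lecture): brute-force check of
# the permutation definition and the counting claims for a tiny n.


def is_injective(table):
    """pi(x) = pi(y) => x = y: no output value may repeat."""
    return len(set(table)) == len(table)


def is_surjective(table, n):
    """Every y in {0,1}^n is hit by some x."""
    return set(table) == set(range(1 << n))


def is_permutation(table, n):
    """A table (pi(0), ..., pi(2^n - 1)) is a permutation iff it is a bijection."""
    return is_injective(table) and is_surjective(table, n)


def invert(table, n):
    """Unique inverse of a permutation: inv[y] is the x with pi(x) = y."""
    if not is_permutation(table, n):
        raise ValueError("not a permutation: no unique inverse exists")
    inv = [None] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return inv


def count_functions_and_permutations(n):
    """Enumerate every f: {0,1}^n -> {0,1}^n as a table and count the bijections.

    The loop visits (2^n)^(2^n) tables, so keep n <= 2 (n = 3 is already 8^8).
    """
    size = 1 << n
    funcs = perms = 0
    for table in product(range(size), repeat=size):
        funcs += 1
        if is_permutation(table, n):
            perms += 1
    return funcs, perms


def expected_counts(n):
    """|Func(n)| = 2^(n * 2^n) and |Perm(n)| = (2^n)!."""
    size = 1 << n
    return 2 ** (n * size), factorial(size)


if __name__ == "__main__":
    for n in (1, 2):
        print(n, count_functions_and_permutations(n), expected_counts(n))
    # Constructed sample table on {0,1}^2, written as (pi(0), pi(1), pi(2), pi(3)).
    print(invert((2, 0, 3, 1), 2))
```

On a finite set injectivity and surjectivity imply each other, so checking both is redundant; the code tests both anyway to mirror the two-part definition.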
“Efficient” keyed permutation
Defⁿ: A permutation family is an infinite sequence {Π_k}_{k∈{0,1}*} where, ∀k∈{0,1}*, Π_k:{0,1}^|k|→{0,1}^|k| is a permutation on {0,1}^|k|.
The family is uniform PPT if there is a PPT algorithm that, given any k∈{0,1}* and x∈{0,1}^|k|, outputs Π_k(x).
We typically think of a uniform PPT permutation family as a keyed permutation; that is, as a function Π:{0,1}*×{0,1}*→{0,1}* such that Π(k,x)=Π_k(x) for all k∈{0,1}* and x∈{0,1}^|k|
Keyed permutation
Defⁿ: A keyed permutation Π:{0,1}*×{0,1}*→{0,1}* is efficient if there exists a PPT algorithm Inv and a negligible function ε:ℕ→ℝ⁺ such that
   Pr[Π(k,Inv(k,y))=y | k,y∊{0,1}ⁿ] ≥ 1−ε(n).
Intuitively: a keyed permutation is efficient if both it and its inverse can be evaluated by efficient algorithms
Formal definition: PRP
Defⁿ: An efficient keyed permutation is a pseudorandom permutation (PRP) if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ⁺ such that
   |Pr[A^{Π_k(·)}(1ⁿ)=1 | k∊{0,1}ⁿ] − Pr[A^{π(·)}(1ⁿ)=1 | π∊Perm(n)]| ≤ ε(n)
(the key k ranges over 2ⁿ outcomes; the permutation π ranges over (2ⁿ)! outcomes)
PRP indistinguishability game
Game 0 (A has oracle access to a PRP oracle):
   Challenger C samples k∊{0,1}ⁿ; both C and A receive 1ⁿ
   For i=1,…,q: A chooses x_i∈{0,1}ⁿ and sends it to C; C replies with Π_k(x_i)
   A outputs a bit b'
Game 1 (A has oracle access to a random permutation oracle):
   Challenger C samples π∊Perm(n); both C and A receive 1ⁿ
   For i=1,…,q: A chooses x_i∈{0,1}ⁿ and sends it to C; C replies with π(x_i)
   A outputs a bit b'
Defⁿ: Adv_PRP(A) ≔ |Pr[b≟b']−½|
Strong PRPs
Intuitively, a PRP is a strong PRP if it remains difficult to distinguish from a random permutation even when given access to the inverse permutation
Defⁿ: An efficient keyed permutation is a strong PRP (SPRP) if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ⁺ such that
   |Pr[A^{Π_k(·),Π_k⁻¹(·)}(1ⁿ)=1 | k∊{0,1}ⁿ] − Pr[A^{π(·),π⁻¹(·)}(1ⁿ)=1 | π∊Perm(n)]| ≤ ε(n)
Strong PRP indistinguishability game
Game 0 (A has oracle access to a PRP oracle and the corresponding inverse oracle):
   Challenger C samples k∊{0,1}ⁿ; both C and A receive 1ⁿ
   For i=1,…,q: A chooses x_i∈{0,1}ⁿ and sends it to C; C replies with Π_k(x_i) and Π_k⁻¹(x_i)
   A outputs a bit b'
Game 1 (A has oracle access to a random permutation oracle and the corresponding inverse oracle):
   Challenger C samples π∊Perm(n); both C and A receive 1ⁿ
   For i=1,…,q: A chooses x_i∈{0,1}ⁿ and sends it to C; C replies with π(x_i) and π⁻¹(x_i)
   A outputs a bit b'
Defⁿ: Adv_SPRP(A) ≔ |Pr[b≟b']−½|
PRPs versus SPRPs
Q: Is every PRP a strong PRP?
A: Nope! I’m going to ask you to prove this on a3…
PRP versus PRF
Q: Is every PRP a PRF?
A: Yup!
Thm (PRF Switching Lemma): Let Π:{0,1}*×{0,1}*→{0,1}* be a PRP. Then for any PPT distinguisher A that makes q(n) oracle queries,
   |Pr[A^{Π_k(·)}(1ⁿ)=1 | k∊{0,1}ⁿ] − Pr[A^{f(·)}(1ⁿ)=1 | f∊Func(n)]| ≤ q(n)²/2ⁿ⁺¹
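The switching lemma's bound is the birthday bound. The following added example (constructed for this page, not from the lecture) plays the oracle game from the PRP indistinguishability slide with the distinguisher that makes the bound tight: query q distinct inputs and output 1 iff two answers collide. A permutation never collides on distinct inputs, so this distinguisher's advantage is exactly the collision probability of a random function, which is at most q²/2ⁿ⁺¹. The oracles are the ideal objects (a uniform π∊Perm(n) standing in for Π_k, and a lazily sampled f∊Func(n)); n=8, q=16 and the PRNG seed are constructed values.

```python
import random

# Constructed, illustrative code (not from the lecture): the PRP-versus-PRF game
# with a "collision" distinguisher. Oracles are the ideal pi <- Perm(n) and
# f <- Func(n); no real block cipher is involved.


def random_permutation_oracle(n, rng):
    """pi <- Perm(n): shuffle the identity table on {0,1}^n, then look up."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return lambda x: table[x]


def random_function_oracle(n, rng):
    """f <- Func(n), sampled lazily: each fresh input gets an independent uniform output."""
    memo = {}

    def f(x):
        if x not in memo:
            memo[x] = rng.randrange(1 << n)
        return memo[x]

    return f


def collision_distinguisher(oracle, n, q):
    """Query q distinct inputs and output 1 iff two answers collide.

    Against any permutation this is always 0; against a random function it is 1
    with the birthday probability, so its advantage equals that probability.
    """
    if q > (1 << n):
        raise ValueError("cannot make more than 2^n distinct queries")
    answers = [oracle(x) for x in range(q)]
    return 1 if len(set(answers)) < q else 0


def exact_collision_probability(n, q):
    """Pr[collision among q uniform samples from {0,1}^n] = 1 - prod_{i<q} (2^n - i)/2^n."""
    size = 1 << n
    no_collision = 1.0
    for i in range(q):
        no_collision *= (size - i) / size
    return 1.0 - no_collision


def switching_lemma_bound(n, q):
    """The bound q^2 / 2^(n+1) from the PRF switching lemma."""
    return q * q / 2 ** (n + 1)


def estimate_advantage(n, q, trials, seed=0):
    """Play the permutation game and the function game `trials` times each.

    Returns (Pr[A^pi = 1], Pr[A^f = 1], |difference|) as empirical frequencies.
    """
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    ones_perm = sum(collision_distinguisher(random_permutation_oracle(n, rng), n, q)
                    for _ in range(trials))
    ones_func = sum(collision_distinguisher(random_function_oracle(n, rng), n, q)
                    for _ in range(trials))
    p_perm, p_func = ones_perm / trials, ones_func / trials
    return p_perm, p_func, abs(p_perm - p_func)


if __name__ == "__main__":
    n, q = 8, 16
    print("empirical (perm, func, adv):", estimate_advantage(n, q, 2000, seed=7))
    print("exact collision probability:", exact_collision_probability(n, q))
    print("switching lemma bound:      ", switching_lemma_bound(n, q))
```

With n=8 and q=16 the exact collision probability is about 0.38 while the lemma's bound is 0.5, so the birthday distinguisher already captures most of the slack between a PRP and a PRF; this is why block-cipher modes are only safe for a number of blocks well below 2^(n/2).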
Fixed-length encryption from SPRPs (Block ciphers)
Let Π be a strong PRP
Plaintexts, ciphertexts and keys are all n-bit strings (i.e., M=C=K):
   Gen(1ⁿ) outputs a uniform random key k∊{0,1}ⁿ
   Enc_k(m) outputs c≔Π_k(m)
   Dec_k(c) outputs m≔Π_k⁻¹(c)
Q: Is this construction IND-CPA secure?
A: Nope! Enc_k is deterministic, so two encryptions of the same plaintext are identical, which a chosen-plaintext attacker can detect (But it does have indistinguishable encryptions in the presence of an eavesdropper)
Unauthenticated modes of operation
Goals:
• “Extend” a block cipher to encrypt arbitrary-length plaintexts
• Get IND-CPA security (or better!) in the process
There are many modes of operation in the literature; for now, we’ll focus on a few oldies-but-goodies: ECB, CBC, OFB, and CTR
Unauthenticated modes of operation: ECB
Electronic codebook (ECB) mode: Split the message into n-bit blocks and apply the PRP to each one in turn
Most common default mode for encryption software
Almost always a very bad idea
If I find out you use ECB in the future, I will retroactively give you an F and revoke your degree! Seriously. Don’t use ECB!
Unauthenticated modes of operation: ECB
Electronic codebook (ECB) mode encryption:
   m ≔ m_1∥m_2∥⋯∥m_ℓ
   c_i ≔ Π_k(m_i) for i=1,…,ℓ
   c ≔ c_1∥c_2∥⋯∥c_ℓ
Unauthenticated modes of operation: ECB
Electronic codebook (ECB) mode decryption:
   c ≔ c_1∥c_2∥⋯∥c_ℓ
   m_i ≔ Π_k⁻¹(c_i) for i=1,…,ℓ
   m ≔ m_1∥m_2∥⋯∥m_ℓ
Unauthenticated modes of operation: ECB
Q1: Does ECB mode provide IND-CPA security?
A1: Nope!
Q2: Does ECB mode provide indistinguishable encryptions in the presence of an eavesdropper?
A2: Nope! Choose m_0≔m∥m and m_1≔m∥m' for any distinct m,m'∈{0,1}ⁿ. Retrieve c≔c_1∥c_2; output 0 if c_1≟c_2 and 1 otherwise
Unauthenticated modes of operation: ECB
[Figure: plaintext (bitmap) | ECB mode ciphertext | CBC mode ciphertext]
Tux image created in 1996 by Larry Ewing (lewing@isc.tamu.edu) with The GIMP. All uses permitted provided that you mention Larry Ewing, the owner of the original image, his email address (lewing@isc.tamu.edu) and The GIMP,
Unauthenticated modes of operation: ECB
Take away: Don’t use ECB!
Unauthenticated modes of operation: CBC
Cipher block chaining (CBC) mode:
• Choose a uniform random initialization vector IV∈{0,1}ⁿ
• XOR the first plaintext block with IV before applying the PRP
• For each subsequent plaintext block, XOR with the preceding ciphertext block before applying the PRP
• Output IV as part of the ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)
Unauthenticated modes of operation: CBC
Cipher block chaining (CBC) mode encryption:
   m ≔ m_1∥m_2∥⋯∥m_ℓ
   c_0 ≔ IV; c_i ≔ Π_k(m_i ⊕ c_{i−1}) for i=1,…,ℓ
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
Unauthenticated modes of operation: CBC
Cipher block chaining (CBC) mode decryption:
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
   c_0 ≔ IV; m_i ≔ Π_k⁻¹(c_i) ⊕ c_{i−1} for i=1,…,ℓ
   m ≔ m_1∥m_2∥⋯∥m_ℓ
Unauthenticated modes of operation: OFB
Output feedback (OFB) mode:
• Choose a uniform random initialization vector IV∈{0,1}ⁿ
• Apply the PRP to IV to get a “pad” to XOR with the first block
• For each subsequent plaintext block, apply the PRP to the preceding pad and XOR the result with the plaintext block
• Output IV as part of the ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)
Unauthenticated modes of operation: OFB
Output feedback (OFB) mode encryption:
   m ≔ m_1∥m_2∥⋯∥m_ℓ
   r_0 ≔ IV; r_i ≔ Π_k(r_{i−1}); c_i ≔ m_i ⊕ r_i for i=1,…,ℓ
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
Unauthenticated modes of operation: OFB
Output feedback (OFB) mode decryption:
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
   r_0 ≔ IV; r_i ≔ Π_k(r_{i−1}); m_i ≔ c_i ⊕ r_i for i=1,…,ℓ
   m ≔ m_1∥m_2∥⋯∥m_ℓ
   (decryption uses Π_k in the forward direction only; Π_k⁻¹ is never needed)
Unauthenticated modes of operation: CTR
Counter (CTR) mode:
• Choose a uniform random initialization vector IV∈{0,1}ⁿ
• Apply the PRP to IV to get a “pad” to XOR with the first block
• For each subsequent plaintext block, increment IV by one (treating it as a binary integer modulo 2ⁿ), apply the PRP to the result, and XOR the output with the plaintext block
• Output IV as part of the ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)
Unauthenticated modes of operation: CTR
Counter (CTR) mode encryption:
   m ≔ m_1∥m_2∥⋯∥m_ℓ
   c_i ≔ m_i ⊕ Π_k(IV+i−1 mod 2ⁿ) for i=1,…,ℓ
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
Unauthenticated modes of operation: CTR
Counter (CTR) mode decryption:
   c ≔ IV∥c_1∥c_2∥⋯∥c_ℓ
   m_i ≔ c_i ⊕ Π_k(IV+i−1 mod 2ⁿ) for i=1,…,ℓ
   m ≔ m_1∥m_2∥⋯∥m_ℓ
Unauthenticated modes of operation: Comparison
Electronic Code Book (ECB) mode
   Pros: simple, parallelizable
   Cons: no reasonable security guarantees
Cipher Block Chaining (CBC) mode
   Pros: IND-CPA secure, decryption is parallelizable
   Cons: encryption is inherently sequential; malleable
Output Feedback (OFB) mode
   Pros: IND-CPA secure
   Cons: encryption and decryption both inherently sequential; malleable
Counter (CTR) mode
   Pros: IND-CPA secure, encryption and decryption are both fully parallelizable
   Cons: malleable
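The four modes above, as one added worked example (constructed for this page, not the lecture's code): ECB, CBC, OFB and CTR are written over an abstract keyed permutation Π_k exactly as in the diagrams, together with the ECB eavesdropper from the ECB slide and a bit-flip that exhibits the “malleable” entry of the comparison. The block cipher is an assumption: ToyPRP is a 16-bit keyed permutation built by shuffling a lookup table with a key-seeded PRNG, a genuine permutation (so every mode round-trips) but not a secure PRP; a real system would use AES from a vetted library. Gen(1ⁿ) is os.urandom(2), and the key, IVs and messages in the comments are constructed samples.

```python
import os
import random

# Constructed, illustrative code (not from the lecture). ASSUMPTION: ToyPRP is a
# 16-bit keyed permutation made by a key-seeded table shuffle. It is a true
# bijection with an exact inverse, which is all the modes need, but it is NOT a
# secure PRP; substitute AES from a vetted library in real code.

BLOCK_BITS = 16
BLOCK_BYTES = BLOCK_BITS // 8
N = 1 << BLOCK_BITS  # |{0,1}^n|


class ToyPRP:
    """Keyed permutation Pi_k on {0,1}^16 together with its inverse Pi_k^-1."""
    def __init__(self, key: bytes):
        table = list(range(N))
        random.Random(key).shuffle(table)  # key-dependent bijection of {0,1}^16
        self.fwd = table
        self.inv = [0] * N
        for x, y in enumerate(table):
            self.inv[y] = x

    def forward(self, block: bytes) -> bytes:
        return self.fwd[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")

    def inverse(self, block: bytes) -> bytes:
        return self.inv[int.from_bytes(block, "big")].to_bytes(BLOCK_BYTES, "big")


def blocks(data: bytes) -> list:
    """Split into n-bit blocks; as on the slides, the length must already be a multiple of n."""
    if len(data) % BLOCK_BYTES:
        raise ValueError("length must be a multiple of the block size")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flip_bit(data: bytes, i: int) -> bytes:
    """Flip bit i (MSB-first numbering) of a byte string; used to show malleability."""
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)


# --- ECB: c_i = Pi_k(m_i), m_i = Pi_k^-1(c_i); no IV ---
def ecb_encrypt(prp, m):
    return b"".join(prp.forward(mi) for mi in blocks(m))

def ecb_decrypt(prp, c):
    return b"".join(prp.inverse(ci) for ci in blocks(c))

def ecb_eavesdropper(c: bytes) -> int:
    """The slide's attacker on m_0 = m||m versus m_1 = m||m': output 0 if c_1 == c_2, else 1."""
    c1, c2 = blocks(c)[:2]
    return 0 if c1 == c2 else 1


# --- CBC: c_0 = IV, c_i = Pi_k(m_i xor c_{i-1}); m_i = Pi_k^-1(c_i) xor c_{i-1} ---
def cbc_encrypt(prp, m, iv=None):
    iv = os.urandom(BLOCK_BYTES) if iv is None else iv  # uniform IV unless caller fixes one
    out, prev = [iv], iv
    for mi in blocks(m):
        prev = prp.forward(xor(mi, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(prp, c):
    cb = blocks(c)  # cb[0] is the IV
    return b"".join(xor(prp.inverse(ci), prev) for prev, ci in zip(cb, cb[1:]))


# --- OFB and CTR: c_i = m_i xor pad_i, and decryption is the same XOR ---
def ofb_pads(prp, iv, count):
    pads, r = [], iv
    for _ in range(count):
        r = prp.forward(r)  # r_i = Pi_k(r_{i-1}) with r_0 = IV
        pads.append(r)
    return pads

def ctr_pads(prp, iv, count):
    ctr = int.from_bytes(iv, "big")
    # IV + i is reduced modulo 2^n, so the counter wraps around instead of overflowing
    return [prp.forward(((ctr + i) % N).to_bytes(BLOCK_BYTES, "big")) for i in range(count)]

def stream_encrypt(pads, prp, m, iv=None):
    iv = os.urandom(BLOCK_BYTES) if iv is None else iv
    mb = blocks(m)
    return iv + b"".join(xor(mi, p) for mi, p in zip(mb, pads(prp, iv, len(mb))))

def stream_decrypt(pads, prp, c):
    cb = blocks(c)
    return b"".join(xor(ci, p) for ci, p in zip(cb[1:], pads(prp, cb[0], len(cb) - 1)))

def ofb_encrypt(prp, m, iv=None): return stream_encrypt(ofb_pads, prp, m, iv)
def ofb_decrypt(prp, c): return stream_decrypt(ofb_pads, prp, c)
def ctr_encrypt(prp, m, iv=None): return stream_encrypt(ctr_pads, prp, m, iv)
def ctr_decrypt(prp, c): return stream_decrypt(ctr_pads, prp, c)
```

Two points the code makes concrete: OFB and CTR call only prp.forward, so a PRF would serve them just as well, whereas ECB and CBC decryption need Π_k⁻¹; and in every mode except ECB a single flipped ciphertext bit (the CBC IV, or any CTR/OFB ciphertext block) flips exactly the corresponding plaintext bit on decryption with nothing to detect it, which is what “malleable” means and why these modes are called unauthenticated.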
That’s all for today, folks!