Pseudo-Random Functions 1/22 Encryption as Permutation Assume cryptosystem correct and P = C If x  x’ then E K (x)  E K (x’) So, no y is hit by more than one x Therefore all y are hit by some x E K is a permutation of plaintext space P There are |P|! such permutations

Pseudo-Random Functions 2/22 Encryption as Permutation On the other hand, any permutation of P can be used to encrypt –Decryption consists of following the arrows in the backwards direction Symmetric encryption can be seen as just permuting the set of possible messages –The applied permutation is the key

Pseudo-Random Functions 3/22 The more permutations are used for encryption, the less Oscar knows about which permutation is used Why not just use the set of all permutations as the key space? To encrypt L-bit strings there are 2 L plaintexts and thus 2 L ! permutations Takes b = log 2 (2 L !) ~ L·2 L bits to write down one of the permutations (log(n!) ~ n log(n)) Encryption as Permutation

Pseudo-Random Functions 4/22 Encryption as Permutation LKey LengthComparison 1010, ,000, ,000,000,000 A long movie 404* DVDs ,000 DVDs ,000,000,000 DVDs Atoms in the atmosphere Atoms in the universe Atoms in universes ???

Pseudo-Random Functions 5/22 Encryption as Permutation For all practical cryptosystems the set of encryption functions consists of a relatively very small subset of the possible permutations of the plaintext space

Pseudo-Random Functions 6/22 Shift Cipher P = K = Z 26 = {0,1,…,25} Encryption: E K (x) = x + K mod 26 Decryption: D K (y) = y - K mod 26 Correctness: follows from the rule: (a + b mod N) + c mod N = a + (b + c mod N) mod N Illustrated for K=3 (and11 instead of 26):

Pseudo-Random Functions 7/22 Shift Cipher Can of course be seen as encryption of the English alphabet: abcdexyz ABCDEFGH w Z 3 abcdexyz DEFGHZ w ABC 3 … … … …

Pseudo-Random Functions 8/22 Electronic Codebook To encrypt a text, encrypt one letter at a time Known as electronic codebook (ECB) Not a very secure mode! wheela rr ZKHHOE b D UU ow RZ 3

Pseudo-Random Functions 9/22 Exhaustive Search The shift cipher has too few keys and can therefore be broken by trying them all: ZKHHOD UU yjggnd E c ct RZ qy 1 ZKHHOD UU xiffmc E b ss RZ qx 2 ZKHHOD UU wheelb E a rr RZ ow 3

Pseudo-Random Functions 10/22 Exhaustive Search The set of encryption functions should not be a too small subset of all permutations of the plaintext space Currently 2 64 simple computational operations are considered infeasible to perform, so a key of 64 bits should be enough to protect against exhaustive search There are other reasons to have longer keys though!

Pseudo-Random Functions 11/22 Substitution Cipher P = Z 26 = {0,1,…,25} K = set of permutations  of Z 26 Encryption: E  (x) =  (x) Decryption: D  (y) =  -1 (x) Example key: (Z,G,A,O,N,…,C,X,I,Q) –(with letters instead of numbers) There are > 2 88 keys, so exhaustive search is impossible today –But can be broken using statistical analysis abcdexyz ZGAONC w XIQ … …

Pseudo-Random Functions 12/22 Transposition P = ( Z 26 ) m = {0,1,…,25} m K = set of permutations  of {1,…,m} K =  x=(x 1,…,x m ) y=(y 1,…,y m ) Encryption: E  (x) = (x  (1),…,x  (m) ) Decryption: E  (x) = (x  (1),…,x  (m) ) –Where  =  -1 Number of keys: m! –Soon too large to fall pray to exhaustive search –But can easily be broken using other methods

Pseudo-Random Functions 13/22 Transposition Example wheela rr LEE b A B ow HWO RRG K

Pseudo-Random Functions 14/22 Friedman We encode a black and white photo as a bit-string by encoding black as 1 and white as 0 We encrypt the bit- string with ECB mode and turn the resulting bit-string into a black and white image using the reverse encoding Friedman:

Pseudo-Random Functions 15/22 Substitution Example Substitution of 4-bit blocks #keys = 2 4 ! 45-bit keys –log 2 (2 4 !) ~ sub

Pseudo-Random Functions 16/22 Transposition Example Transposition of 16- bit blocks #keys = 16! 45-bit keys –log 2 (16!) ~

Pseudo-Random Functions 17/22 Composition and Iteration Neither substitution of small blocks nor transposition is secure in itself A few rounds of substitution followed by transposition, however, turns out to do a good job –Substitution ensures that changing just one bit in the input makes four bits in output flip at random –Transposition spreads the changes –Iterations creates an avalanche effect The result is that each different 16-bit block is replaced by a completely random looking 16-bit block Idea behind modern symmetric cryptosystems –More about that when we look at AES

Pseudo-Random Functions 18/22 Compose+Iterate Example After 5 rounds: sub ???? ???? ???????????? ???????????? ? ????????????????

Pseudo-Random Functions 19/22 Compose+Iterate Example 45+45=90-bit keys –Withstands exhaustive search The result is a surprisingly good encryption of 16-bit blocks The remaining pattern is due to our use of ECB –Can be fixed by using CBC After 5 rounds:

Pseudo-Random Functions 20/22 Compose+Iterate Example 45+45=90-bit keys –Withstands exhaustive search The result is a surprisingly good encryption of 16-bit blocks The remaining pattern is due to our use of ECB –Can be fixed by using CBC 5 rounds + CBC

Pseudo-Random Functions 21/22 Pseudo-Random Functions The ideal block cipher would have all possible permutations as key The output of such a block cipher would be completely random –Actually F(1)=42 excludes that F(2)=42, but except for that there would be no structure This inspires the definition of a pseudo- random function (PRF) An encryption function F K is said to be a PRF if one cannot distinguish the outputs F K (x) from uniformly random outputs when K is random and one does not know K

Pseudo-Random Functions 22/22 Pseudo-Random Functions F {0,1} k :{0,1} L  {0,1} l is called a (t,  )-PRF if the following two interactive algorithms are (t,  )-IND Algorithm A: –Sample a uniformly random key K from {0,1} k –On each input x in {0,1} L return F K (x) Algorithm B: –For each x in {0,1} L sample a uniformly random y in {0,1} l and store it in a table T, i.e., let T[x]  y –On each input x return y=T[x]