1. B504/I538: Introduction to Cryptography
Spring • Lecture 10
(2017—02—09)

2. Assignment 2 is due on Tuesday!
(2017—02—14)
(Last day for help is tomorrow!!)

3. About crypto!
Free pizza+brownies!
2 weeks from today

4. Recall: Pseudorandom generator (PRG)
Defⁿ: A (fixed-length) pseudorandom generator (PRG) with expansion ℓ is a function G：{0，1}*→{0，1}* with two properties:
1. Expansion (output is always longer than input):
∀n∈ℕ, ℓ(n)>n and ∀x∈{0，1}*, |G(x)|=ℓ(|x|)
2. Pseudorandom (uniform inputs yield uniform-looking outputs):
For every PPT distinguisher Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that， ∀n∈ℕ,
|Pr[Ａ(y)=1｜y∊{0，1}ℓ(ⁿ)]−Pr[Ａ(G(x))=1｜x∊{0，1}ⁿ]|≤ε(n)

5. Recall: Pseudorandom function (PRF)
Defⁿ: A (length-preserving) pseudorandom fuction (PRF) is a “keyed” function F：{0，1}*×{0，1}*→{0，1}* with three properties:
1. Length-preservation (output is same size as inputs):
∀k∈{0，1}* and ∀x∈{0，1}|k|, |F(k，x)|=|x|
2. Uniform PPT (can be evaluated by an efficient algorithm):
There exists a (uniform) PPT algorithm Ａ such that，
∀k∈{0，1}* and ∀x∈{0，1}|k|, Ａ(k，x)=F(k，x)
3. Pseudorandom (behaves like a “random function”):
For every PPT distinguisher Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that， ∀n∈ℕ,
|Pr[ＡFK(·)(1ⁿ)=1｜k∊{0，1}ⁿ]−Pr[Ａf(·)(1ⁿ)=1｜f∊Func(n)]|≤ε(n)
oracle machines

6. Permutations 3! permuations of 3 colored circles:
Q: What is a “permutation” on {0，1}ⁿ?
A: A function that “rearranges” the elements of {0，1}ⁿ
More formally, it is a bijection from {0，1}ⁿ to itself; that is, a function π：{0，1}ⁿ→{0，1}ⁿ that is
1. Injective (“one-to-one”): π(x)=π(y)⇒x=y
2. Surjective (“onto”): ∀y∈{0，1}ⁿ, ∃x∈{0，1}ⁿ such that π(x)=y
3! permuations of
3 colored circles:

7. Pseudorandom permutations (PRPs)
Intuitively: A pseudorandom permutation (PRP) is a pseudorandom function that is also a permutation (whenever the key is fixed)
No efficient algorithm can distinguish between a PRP and a random permutation, except with negligible advantage
What in is a
random permutation?

8. Random permutations
Defⁿ: Let Perm(n) denote the set of all permutations on {0，1}ⁿ. A random permutation is the uniform random variable on Perm(n).
Q: How big is the sample space of Perm(n)? A: (2ⁿ)!
(compare this with 2ⁿ·2ⁿ functions in Func(n))

9. Why permutations?
Q: What special property of permutations makes PRPs more “useful” than PRFs? A: Permutations have unique inverses; that is, given any y∈{0，1}ⁿ it is possible to find x∈{0，1}ⁿ such that π(x)=y
Permutation
¬Permutation

10. “Efficient” keyed permutation
Defⁿ: A permutation family is an infinite sequence {Πk}k∈{0，1}* where ∀k∈{0，1}*, Πk：{0，1}|k|→{0，1}|k| is a permutation on {0，1}|k|.
The family is uniform PPT if there is a PPT algorithm that， given any k∈{0，1}* and x∈{0，1}|k|， outputs fk(x).
We typically think of a uniform PPT permutation family as a keyed permutation; that is, as a function Π：{0，1}*×{0，1}*→{0，1}* such that
Π(k，x)=Πk(x) for all k∈{0，1}* and x∈{0，1}|k|

11. Pr[Π(k，Inv(k，y))=y｜k,y∈{0，1}ⁿ]≥1−ε(n).
Keyed permutation
Defⁿ: A keyed permutation Π：{0，1}*×{0，1}*→{0，1}|k| is efficient if there exists a PPT algorithm Inv and negligible function ε：ℕ→ℝ⁺ such that，
Pr[Π(k，Inv(k，y))=y｜k,y∈{0，1}ⁿ]≥1−ε(n).
Intuitively: a keyed permutation is efficient if both it and its inverse can be evaluated by efficient algorithms

12. Formal definition: PRP
Defⁿ: An efficient keyed permutation is a pseudorandom permutation (PRP) if, for every PPT algorithm Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that
|Pr[ＡΠk(·)(1ⁿ)｜k∊{0，1}ⁿ]−Pr[Ａπ(·)(1ⁿ)｜π∊Perm(n)]|≤ε(n)
2ⁿ outcomes
(2ⁿ)! outcomes

13. PRP indistinguishability game
Game 0 (Ａ has oracle access to a PRP oracle):
Challenger (C)
Attacker (Ａ) x1 1ⁿ
X1∈{0，1}ⁿ 1ⁿ
Πk(x1) ⋮
k∊{0，1}ⁿ ⋮ xq
Xq∈{0，1}ⁿ
Πk(xq) b'
Game 1 (Ａ has oracle access to a random permutation oracle):
Challenger (C)
Attacker (Ａ) x1 1ⁿ
X1∈{0，1}ⁿ 1ⁿ
π(x1) ⋮ ⋮
π∊Perms(n) xq
Xq∈{0，1}ⁿ
π(xq) b'
Defⁿ: AdvPRP(Ａ)≔|Pr[b≟b’]−½|

14. Strong PRPs |Pr[ＡΠk(·),Πk-1(·)(1ⁿ)｜k∊{0，1}ⁿ]
Intuitively, a PRP is a strong PRP if it remains difficult to distinguish from a random permutation even when given access to the inverse permutation
Defⁿ: An efficient keyed permutation is a strong PRP (SPRP) if, for every PPT algorithm Ａ, there exists a negligible function ε：ℕ→ℝ⁺ such that
|Pr[ＡΠk(·),Πk-1(·)(1ⁿ)｜k∊{0，1}ⁿ]
− Pr[Ａπ(·),π-1(·)(1ⁿ)｜π∊Perm(n)]|≤ε(n)

15. Strong PRP indistinguishability game
Game 0 (Ａ has oracle access to a PRP oracle and corresponding inverse oracle):
Challenger (C)
Attacker (Ａ) x1 1ⁿ
X1∈{0，1}ⁿ 1ⁿ
Πk(x1)，Πk-1(x1) ⋮
k∊{0，1}ⁿ ⋮ xq
Xq∈{0，1}ⁿ
Πk(xq)，Πk-1(xq) b'
Game 1 (Ａ has oracle access to a random permutation oracle and corresponding inverse oracle):
Challenger (C)
Attacker (Ａ) x1 1ⁿ
X1∈{0，1}ⁿ 1ⁿ
π(x1)，π-1(x1) ⋮ ⋮
π∊Perms(n) xq
Xq∈{0，1}ⁿ
π(xq)，π-1(xq) b'
Defⁿ: AdvSPRP(Ａ)≔|Pr[b≟b’]−½|

16. PRPs versus SPRPs Q: Is every PRP a Strong PRP? A: Nope!
I’m going to ask you prove this on a3…

17. PRP versus PRF Q: Is every PRP a PRF? A: Yup! |Pr[ＡΠk(·)(1ⁿ)｜k∈{0，1}ⁿ]
Thm (PRF Switching Lemma): Let Π：{0，1}*×{0，1)*→{0，1}* be a PRP. Then for any PPT distinguisher Ａ that makes q(n) oracle queries,
|Pr[ＡΠk(·)(1ⁿ)｜k∈{0，1}ⁿ]
−Pr[Ａf(·)(1ⁿ)｜f∊Func(n)]|≤q(n)²/2ⁿ⁺¹

18. Fixed-length encryption from SPRPs
(Block ciphers)
Fixed-length encryption from SPRPs
Let Π be a strong PRP
Plaintexts, ciphertexts and keys are all n-bit strings (i.e., Ｍ=Ｃ=Ｋ):
Gen(1ⁿ) outputs a uniform random key k∊{0，1}ⁿ
Enck(m) outputs c≔Πk(m)
Deck(c) outputs m≔Πk-1(c)
Q: Is this construction IND-CPA secure?
A: Nope! (But it does have indistinguishable encryptions in the presence of an eavesdropper)

19. Modes of operation Goals:
Unathenticated
Modes of operation
Goals:
“Extend” block cipher to encrypt arbitrary- length plaintexts
Get IND-CPA security (or better!) in the process
There are many modes of operation in the literature; for now, we’ll focus on a few oldies- but-goodies: ECB, CBC, OFB, and CTR

20. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
Electronic codebook (ECB) mode:
Split message into n-bit blocks, apply PRP to each one in turn
Most common default mode for encryption software
Almost always a very bad idea
If I find out you use ECB in the future, I will retroactively give you an F and revoke your degree!
Seriously. Don’t use ECB!

21. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
Electronic codebook (ECB) mode encryption:
m≔m1∥m2∥⋯∥mℓ m1 m2 mℓ k k k ⋯ Πk Πk Πk c1 c2 cℓ
c≔c1∥c2∥⋯∥cℓ

22. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
Electronic codebook (ECB) mode decryption:
c≔c1∥c2∥⋯∥cℓ c1 c2 cn k k k
Πk-1 ⋯
Π k-1
Π k-1 m1 m2 mℓ
m≔m1∥m2∥⋯∥mℓ

23. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
Q1: Does ECB mode provide IND-CPA security?
A1: Nope!
Q2: Does ECB mode provide indistinguishable encryptions in the presence of an eavesdropper?
A2: Nope!
Choose m0≔m∥m, m1≔m∥m’ for any distinct m,m’∈{0，1}ⁿ
Retrieve c≔c1∥c2; output 0 if c1≟c2 and 1 otherwise

24. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
plaintext (bitmap)
ECB mode ciphertext
CBC mode ciphertext
Tux image created in 1996 by Larry Ewing with The GIMP. All uses permitted provided that you mention Larry Ewing, the owner of the original image, his address and The GIMP,

25. Modes of operation: ECB
Unathenticated
Modes of operation: ECB
Take away: Don’t use ECB!

26. Modes of operation: CBC
Unathenticated
Modes of operation: CBC
Cipher block chaining (CBC) mode:
Choose uniform random initialization vector IV∈{0，1}ⁿ
XOR first plaintext block with IV before applying PRP
For each subsequent plaintext block, XOR with preceding ciphertext block before appliying PRP
Output IV as part with ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)

27. Modes of operation: CBC
Unathenticated
Modes of operation: CBC
Cipher block chaining (CBC) mode encryption:
m≔m1∥m2∥⋯∥mℓ k m1 k m2 k mℓ Πk ⋯
Π k
Π k c1 c2 cℓ IV
c≔IV∥c1∥c2∥⋯∥cℓ

28. Modes of operation: CBC
Unathenticated
Modes of operation: CBC
Cipher block chaining (CBC) mode decryption:
c≔IV∥c1∥c2∥⋯∥cℓ k c1 k c2 k cn ⋯
Πk-1
Π k-1
Π k-1 m1 m2 mℓ IV
m≔m1∥m2∥⋯∥mℓ

29. Modes of operation: OFB
Unathenticated
Modes of operation: OFB
Output feedback (OFB) mode:
Choose uniform random initialization vector IV∈{0，1}ⁿ
Apply PRP to IV to get a “pad” to XOR with first block
For each subsequent plaintext block, apply PRP to preceding pad and XOR result with the plaintext block
Output IV as part with ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)

30. Modes of operation: OFB
Unathenticated
Modes of operation: OFB
Output feedback (OFB) mode encryption:
m≔m1∥m2∥⋯∥mℓ k k IV k ⋯ Πk Πk Πk m1 m2 mℓ c1 c2 cℓ
c≔IV∥c1∥c2∥⋯∥cℓ

31. Modes of operation: OFB
Unathenticated
Modes of operation: OFB
Output feedback (OFB) mode decryption:
c≔IV∥c1∥c2∥⋯∥cℓ k k IV k ⋯ Πk
Π k
Π k c1 c2 cℓ m1 m2 mℓ
m≔m1∥m2∥⋯∥mℓ

32. Modes of operation: CTR
Unathenticated
Modes of operation: CTR
Counter (CTR) mode:
Choose uniform random initialization vector IV∈{0，1}ⁿ
Apply PRP to IV to get a “pad” to XOR with first block
For each subsequent increment IV by one (treat as binary string modulo 2ⁿ) and XOR result with the plaintext block
Output IV as part with ciphertext (ℓ-block plaintext ⇒ (ℓ+1)-block ciphertext)

33. Modes of operation: CTR
Unathenticated
Modes of operation: CTR
Counter (CTR) mode encryption:
m≔m1∥m2∥⋯∥mℓ k IV k
IV+1
IV+ℓ−1 k ⋯ Πk Πk Πk m1 m2 mℓ c1 c2 cℓ
c≔IV∥c1∥c2∥⋯∥cℓ

34. Modes of operation: CTR
Unathenticated
Modes of operation: CTR
Counter (CTR) mode decryption:
c≔IV∥c1∥c2∥⋯∥cℓ k IV k
IV+1
IV+ℓ−1 k ⋯ Πk Πk Πk c1 c2 cℓ m1 m2 mℓ
m≔m1∥m2∥⋯∥mℓ

35. Modes of operation: Comparison
Unathenticated
Modes of operation: Comparison
Electronic Code Book (ECB) mode
Pros: simple, parallelizable
Cons: no reasonable security guarantees
Cipher Block Chaining (CBC) mode
Pros: IND-CPA secure, decryption is parallelizable
Cons: encryption is inherently sequential; malleable
Output Feedback (OFB) mode
Pros: IND-CPA secure
Cons: encryption and decryption both inherently sequential; malleable
Counter (CTR) mode
Pros: IND-CPA secure, encryption and decryption are both fully parallelizable
Cons: malleable

36. That’s all for today, folks!