1. Cryptography
Lecture 19

2. Advanced encryption standard (AES)
Public design competition run by NIST
Began in Jan 1997
15 algorithms submitted
Workshops in 1998, 1999
Narrowed to 5 finalists
Workshop in early 2000; winner announced in late 2000
Factors besides security taken into account

3. AES 128-bit block length 128-, 192-, and 256-bit key lengths
Basically an SPN structure!
1-byte S-box (same for all bytes)
Mixing permutation replaced by invertible linear transformation
If two inputs differ in b bytes, outputs differ in ≥ 5-b bytes
No attacks better than brute-force known

4. Hash functions

5. Security goal Main goal is collision resistance
Want optimal birthday security
Also want preimage resistance, 2nd-preimage resistance
Want optimal security here as well
“Optimal” measured relative to a random function
Why not design H to be a “random function”?

6. The random-oracle (RO) model
Treat H as a public, random function
Then H(x) is uniform for any x…
…unless the attacker computes H(x) explicitly

7. Many applications
One canonical example: key derivation

8. Key derivation
Consider deriving a (shared) key from (shared) high-entropy information
E.g., biometric data
E.g., generating randomness
Cryptographic keys must be uniform, but shared data is only high-entropy

9. Min-entropy Let X be a distribution
The min-entropy of X (measured in bits) is H(X) = - log maxx { Pr[X=x] }
I.e., if H(X) = n, then the probability of guessing x sampled from X is (at most) 2-n
Min-entropy is more suitable for crypto than standard (Shannon) entropy

10. Key derivation
Given shared information x (sampled from distribution X), derive shared key k=H(x)
In what sense can we claim that k is a good (i.e., uniform) cryptographic key?

11. The random-oracle (RO) model
Treat H as a public, random function
Then H(x) is uniform for any x…
…unless the attacker computes H(x)…
…but the attacker cannot do that (with high probability) if X has high min-entropy!

12. The RO model Intuitively Assume the hash function “is random”
Models attacks that are agnostic to the specific hash function being used
Security in the real world as long as “no weaknesses found” in the hash function

13. The RO model
Formally
Choose a uniform hash function as part of the security experiment
Attacker can only evaluate H via explicit queries to an oracle
Simulate H for the attacker as part of the security proof/reduction

14. The RO model In practice Prove security in the RO model
Instantiate the RO with a “good” hash function
Hope for the best…

15. Pros and cons of the RO model
There is no such thing as a public hash function that “is random”
Not even clear what this means formally
Known counterexamples
There are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function
Sometimes over-abused (arguably)

16. Pros and cons of the RO model
No known example of “natural” scheme secure in the RO model being attacked in the real world
If an attack is found, just replace the hash
Proof in the RO model better than no proof at all
Evidence that the basic design principles are sound

17. Ideal-cipher model “Stronger” than the RO model!
Model block cipher F: {0,1}n x {0,1}n  {0,1}n as a collection of public, independent, random permutations
I.e., for each key k, Fk is a random permutation on {0,1}n

18. The ideal-cipher model
This is more than assuming F is a PRP
Fk random even when k is known!
No weak keys
No related-key attacks
Formally, similar to the RO model
In particular, the only way to evaluate F is via explicit oracle queries
Attacker allowed to query F and F-1

19. Building a hash function
Two-stage approach
Build a compression function (from a block cipher)
I.e., collision-resistant hash function for fixed-length inputs
Build a full-fledged hash function from a compression function
Other approaches are possible

20. Building a compression function
(Davies-Meyer)
h(k, m) = Fk(m)  m m k F 

21. Proof of security
Claim: attacker making q queries finds a collision with probability  q2/2n (optimal)
Proof
Each query to F/F-1 reveals one value hi = h(ki ,mi)
Moreover, each hi is (essentially) uniform and independent of all previous outputs
So probability of finding a collision is (essentially) the same as for a birthday attack

22. Building a hash function
Assume as a primitive a compression function h for fixed input lengths
Construct a hash function H for arbitrary-length inputs from a compression function h
Prove collision-resistance of H based on collision-resistance of h
(Could look at other properties also)

23. Merkle-Damgard transformmt
|M| z1 … h h h h
Note: M is padded with 0s if necessary

24. Merkle-Damgard transform
Claim: if h is collision-resistant, than so is H
Proof: Collision in H  collision in h
Say H(m1, …, mt) = H(m’1, …, m’t’)
|M|  |M’|, obvious
|M| = |M’|, look at largest i with (zi, mi)  (z’i, m’i) m1 m2 mt
|M| = mt+1 z1 z2 z3
zt+1
zt+2 … h h h h

25. (Computational) number theory

26. Why now?
We have not needed any number theory or “advanced math” until now
Practical private-key cryptography is based on stream ciphers, block ciphers, and hash functions
Lots of non-trivial crypto can be done without any number theory!

27. Why now? Reason 1: Culmination of “top-down” approach
For most cryptography, we ultimately need to assume some problem is hard
The “lowest-level” assumptions we can make relate to problems in number theory
These problems have often also been studied a long time

28. Why now? Reason 2: The public-key setting
Public-key cryptography requires number theory (in some sense)