1. Introduction to Modern Cryptography Makeup Class Symmetric Encryption:
Stream & Block Ciphers
AES
Modes of Operation
Symmetric Authentication

2. Stream Ciphers Start with a secret key (“seed”)
Generate a keying stream
i-th bit/byte of keying stream is a function of the key and the first i-1 ciphertext bits.
Combine the stream with the plaintext to produce the ciphertext (typically by XOR)

3. Example of Stream Encryption
Key
Stream 
Plaintext =
Ciphertext

4. Example of Stream Decryption
Key
Stream 
Ciphertext =
Plaintext

5. Real Cipher Streams Most pre-WWII machines German Enigma
Linear Feedback Shift Register
A5 – encrypting GSM handset to base station communication
RC-4 (Ron’s Code)

6. Terminology Stream cipher is called synchronous
if keystream does not depend on the
plaintext (depends on key alone).
Otherwise cipher is called asynchronous.

7. Current Example: RC-4 Part of the RC family Claimed by RSA as their IP
Between and 1994 its internal was not revealed – little analytic scrutiny
Preferred export status
Code released anonymously on the Internet
Used in many systems: Lotus Notes, SSL, etc.

8. RC4 Properties
Variable key size stream cipher with byte oriented operations.
Based on using a random looking permutation.
8-16 machine operations per output byte.
Very long cipher period (over 10100).
Widely believed to be secure. Used for encryption in SSL web protocol.

9. RC-4 Initialization j=0 S0=0, S1=1, …, S255=255
Let the key be (bytes) k0,…,k255 (repeating bits if necessary)
For i=0 to 255
j = (j + Si+ ki) mod 256
Swap Si and Sj

10. RC-4 Key-stream Creation
Generate an output byte B by:
i = (i+1) mod 256
j = (j +Si) mod 256
Swap Si and Sj
t = (Si + Sj) mod 256
B = St
B is XORed with next plaintext byte

11. Block Ciphers Encrypt a block of input to a block of output
Typically, the two blocks are of the same length
Most symmetric key systems block size
is 64
In AES block size is 128
Different modes for encrypting plaintext longer than a block

12. Real World Block Ciphers
DES, 3-DES
AES (Rijndael)
RC-2
RC-5
IDEA
Blowfish, Cast
Gost

13. ECB Mode Encryption (Electronic Code Book)Ek Ek Ek C1 C2 C3
encrypt each plaintext block separately

14. Properties of ECB Simple and efficient
Parallel implementation possible
Does not conceal plaintext patterns
Active attacks are possible (plaintext can be
easily manipulated by removing, repeating,
or interchanging blocks).

15. CBC Mode Encryption (Cipher Block Chaining)S0 P1 P2 P3 Ek Ek Ek C1 C2 C3
Previous ciphertext is XORed with current plaintext before
encrypting current block.
An initialization vector S0 is used as a “seed” for the process.
Seed can be “openly” transmitted.

16. Properties of CBC Asynchronous stream cipher
Errors in one ciphertext block propagate
Conceals plaintext patterns
No parallel implementation known
Plaintext cannot be easily manipulated.
Standard in most systems: SSL, IPSec etc.

17. OFB Mode (Output FeedBack)
An initialization vector s0 is use as a ``seed'’ for a sequence of data blocks si

18. Properties of OFB Synchronous stream cipher
Errors in ciphertext do not propagate
Pre-processing is possible
Conceals plaintext patterns
No parallel implementation known
Active attacks by manipulating plaintext are possible

19. AES Proposed Modes
CTR (Counter) mode (OFB modification): Parallel implementation, offline pre-processing, provable security, simple and efficient
OCB (Offset Codebook) mode - parallel implementation, offline preprocessing, provable security (under specific assumptions), authenticity

20. Strengthening a Given Cipher
Design multiple key lengths – AES
Whitening - the DESX idea
Iterated ciphers – Triple DES (3-DES), triple IDEA and so on

21. Triple Cipher - Diagram
Ek1
Ek2
Ek3 C

22. Iterated Ciphers
Plaintext undergoes encryption repeatedly by underlying cipher
Ideally, aach stage uses a different key
In practice triple cipher is usually
C= Ek1(Ek2(Ek1(P))) [EEE mode] or
C= Ek1(Dk2(Ek1(P))) [EDE mode]
EDE is more common in practice

23. Necessary Condition
For some block ciphers iteration does not enhance security
Example – substitution cipher
Consider a block cipher: blocks of size b bits, and key of size k
The number of all possible functions mapping b bits to b bits is (2b)2b

24. Necessary Condition (cont.)
The number of all possible encryption functions (bijections) is 2b!
The number of encryption functions in our cipher is at most 2k.
Claim: The bijections are a group G under the  operation (composition)
Claim: If the encryptions of a cipher form a sub-group of G then iterated cipher does not increases security.

25. Meet in the Middle Attack
Double ciphers are rarely used due to this attack
Attack requires
Known plaintext
2k+1 encryptions and decryptions
|k|2|k| storage space
A square root of trivial attacking time at the expense of storage

26. Meet in the Middle (cont.)
Given a plaintext-ciphertext pair (p,c)
Compute & store the table of Dk2(c) for all k2
takes 2k decryptions, |k|2|k| storage.
For every k1, test if Ek1(p) is in table
Every hit gives a possible k1,k2 pair
May have to repeat several times
Meet in the middle is applicable to any iterated cipher, reducing the trivial processing time by 2k encryptions

27. Two or Three Keys Sometimes only two keys are used in 3-DES
Identical key must be at beginning and end
Legal advantage (export license) due to smaller overall key size
Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standard

28. Adversary’s Goals Final goal: recover key Intermediate goals:
Reduce key space
Discover plaintext patterns
Recover portions of plaintext
Change ciphertext to produce meaningful plaintext, without breaking the system
(active attack)

29. Generic Attacks Exhaustive search Table lookup Type: ciphertext only
Time: 2|k| decryptions per ciphertext
Storage: constant
Table lookup
Type: chosen plaintext
Time: offline 2|k| decryptions, online constant
Storage: 2|k| ciphertexts

30. The Problem Break ECB mode (known fixed cleartext header) The idea:
Define f(k) = Enck(constant)
Invert f(k)
New Problem: Invert f

31. Time/Space Tradeoffs 1st Simple solution: 2nd Simple solution:
Time 2|k| - exhaustive search per message
2nd Simple solution:
Precompute all 2|k| values of f(k)
Store in lookup table (hash table)
Requires O(1) time per inversion
Requires space O(2|k|)

32. Hellman (again): can we do better?
If it so happened that f is a permutation:
Choose L=2|k|/2 random start points s1, …, sL
For every such point, compute ti=f(f(…f(si)…)), repeated L times.
Store a lookup table of values (ti,si), i=1, …, L, indexed by ti.

33. Searching for k given f(k)
Let s=x = f(k)
Repeat until f(x) = s, if f(x) = s then x = k
If x = ti for some i, let x = si
otherwise let x = f(x)
Claim: for an arbitrary permutation and arbitrary k, the probability that this inverts k is constant

34. Why? Values of f(k) on a small cycle will be inverted
Consider what happens when we add the i’th chain (si, ti):
If we cover a constant times L new values then we’re done
If not, assume that the previous chains have covered less than a constant of the L2 values
The uncovered values must themselves lie on chains whose average length is a constant times L (as all values lie on some chain)
Thus, we have a constant probability of covering at least a constant fraction of L new values

35. All this does not work when f is not a permutation
Hellman’s ingenious idea:
Don’t invert f(x), invert g(f(x)) for some known random function g.
Obviously, if you can invert g(f(x)) then you can invert f(x).
Note that if f is not a permutation then g(f) is not a permutation either

36. Inverting g(f(x)) Not a permutation:
Choose L=2|k|/3 random start points s1, …, sL
For every such point, compute ti=f(f(…f(si)…)), repeated L times.
Store a lookup table of values (ti,si), i=1, …, L, indexed by ti.
Claim: we cover by chains at least a constant fraction of L2 = 22|k|/3
Consider the last chain added, we’ve covered at most 22|k|/3 values until now, so with constant probability, the new L=2|k|/3 values on the new chain will be entirely new.

37. Hellman’s next idea Use many different g’s
Every g will cover a random 22|k|/3 set of values.
So, choose L=2|k|/3 g’s
Space required: L2 = 22|k|/3
Time required: L2 = 22|k|/3

38. AES - Advanced Encryption Standard
Symmetric block cipher
Key lengthes: 128, 192, or 256 bits
Approved US standard (2001)

39. AES Design Rationale Resistance to all known attacks.
Speed and code compactness.
Simplicity.

40. AES Specifications Each byte is viewed as an element in GF(28)
Input & output block length: 128 bits.
State: 128 bits, arranged in a 4-by-4 matrix of bytes.
A0,3
A0,2
A0,1
A0,0
A1,3
A1,2
A1,1
A1,0
A2,3
A2,2
A2,1
A2,0
A3,3
A3,2
A3,1
A3,0
Each byte is viewed
as an element in
GF(28)
Input/Output: A0,0, A1,0, A2,0, A3,0, A0,1,…

41. AES Specifications Initial layout: K0,0, K1,0, K2,0, K3,0, K0,1,… K0,5
Key length: 128, 196, 256 bits.
Cipher Key Layout: n = 128, 196, 256 bits, arranged in a
4-by-n/32 matrix of bytes.
K0,5
K0,4
K0,3
K0,2
K0,1
K0,0
K1,5
K1,4
K1,3
K1,2
K1,1
K1,0
K2,5
K2,4
K2,3
K2,2
K2,1
K2,0
K3,5
K3,4
K3,3
K3,2
K3,1
K3,0
Initial layout: K0,0, K1,0, K2,0, K3,0, K0,1,…

42. AES Specifications High level code: AES(State,Key)
KeyExpansion(Key,ExpandKey)
AddRoundKey(State,ExpandKey[0])
For (i=1; i<R; i++) Round(State,ExpandKey[i]);
FinalRound(State,ExpandKey[R]);

43. Encryption: Carried out in rounds
Secret key (128 bits)
input block
(128 bits)
output block
(128 bits)

44. Rounds in AES 128 bits AES uses 10 rounds, no shortcuts
known for 6 rounds
The secret key is expanded from 128 bits
to 10 round keys, 128 bits each.
Each round changes the state, then
XORS the round key. (For longer keys, add
One round for every extra 32 bits)
Each rounds complicates things a little.
Overall it seems infeasible to invert without
the secret key (but easy given the key).

45. AES Specifications: One Round
Transform the state by applying:
Substitution.
Shift rows
Mix columns
XOR round key
A0,3
A0,2
A0,1
A0,0
A1,3
A1,2
A1,1
A1,0
A2,3
A2,2
A2,1
A2,0
A3,3
A3,2
A3,1
A3,0

46. Substitution (S-Box) Substitution operates on every Byte
separately: Ai,j <-- Ai,j-1
(multiplicative inverse in GF(28)
which is highly non linear.)
If Ai,j =0, don’t change Ai,j .
Clearly, the substitution is invertible.

47. Cyclic Shift of Rows no shift shift 1 position shift 2 positions
A0,3
A0,2
A0,1
A0,0
A1,2
A1,1
A1,0
A1,3
A2,1
A2,0
A2,3
A2,2
A3,0
A3,3
A3,2
A3,1
Clearly, the shift is invertible.

48. Mixing Columns Every state column is considered as a
Polynomial over GF(28)
Multiply with an invertible polynomial
03 x3 + 01x2 + 01x + 02 (mod x4 + 1)
Inv = 0B x3 + 0D x2 +09 x + 0E
Round: Subbytes(State)
ShiftRows(State)
MixColumns(State)
AddRoundKey(State,ExpandedKey[i])

49. Key Expansion Generate a “different key” per round
Need a 4 x 4 matrix of values (over GF(28)) per round
Based upon a non-linear transformation of the original key.
Details available:
The Design of Rijndael, Joan Daemen and Vincent Rijmen, Springer

50. Breaking AES Breaking 1 or 2 rounds is easy.
It is not known how to break 5 rounds.
Breaking the full 10 rounds AES efficiently
(say 1 year on existing hardware, or in
less than 2128 operations) is considered
impossible ! (a good, tough challenge…)

51. Column Mixing in AES

54. Authentication Ensure integrity of messages, even in presence of
an active adversary who sends own messages.
Alice
(sender)
Bob
(reciever)
Fran
(forger)
Remark: Authentication is orthogonal to secrecy, yet
systems often required to provide both.

55. Definitions Authentication algorithm - A
Verification algorithm - V (“accept”/”reject”)
Authentication key – k
Message space (usually binary strings)
Every message between Alice and Bob is a pair (m, Ak(m))
Ak(m) is called the authentication tag of m

56. Definition (cont.) Requirement – Vk(m,Ak(m)) = “accept”
The authentication algorithm is called MAC (Message Authentication Code)
Ak(m) is frequently denoted MACk(m)
Verification is by executing authentication on m and comparing with MACk(m)

57. Properties of MAC Functions
Security requirement – adversary can’t construct a new legal pair (m, MACk(m))
even after seeing (mi, MACk(mi)) (i=1,2,…,n)
Output should be as short as possible
The MAC function is not 1-to-1

58. Adversarial Model Available Data: The MAC algorithm Known plaintext
Chosen plaintext
Note: chosen MAC is unrealistic
Goal: Given n legal pairs
(m1, MACk(m1)), …, (mn, MACk(mn))
find a new legal pair (m, MACk(m))

59. Adversarial Model We will say that the adversary succeeded
even if the message Fran forged is
“meaningless”. The reason is that it is hard to
predict what has and what does not have a
meaning in an unknown context, and how will
Bob, the reciever, react to such successful
forgery.

60. Efficiency Adversary goal: given n legal pairs
(m1, MACk(m1)), …, (mn, MACk(mn)) find a new legal pair (m, MACk(m)) efficiently and with non negligible probability.
If n is large enough then n pairs (mi, MACk(mi))
determine the key k uniquely (with high prob.).
Thus a non-deterministic machine can guess k and
verify it. But doing this in poly time should
be computationally hard.

61. MACs Used in Practice
We describe a MAC based on CBC Mode Encryption, and a MAC based on cryptographic hash functions.

62. Reminder: CBC Mode Encryption (Cipher Block Chaining)S0 P1 P2 P3 Ek Ek Ek C1 C2 C3
Previous ciphertext is XORed with current plaintext before
encrypting current block.
An initialization vector S0 is used as a “seed” for the process.
Seed can be “openly” transmitted.

63. CBC Mode MACs Start with the all zero seed.
Given a message consisting of n blocks M1,M2,…,Mn, apply CBC (using the secret key k). M1 M2 Mn


 Ek Ek Ek C1 C2 Cn
Produce n “cipertext” blocks C1,C2,…,Cn , discard first n-1.
Send M1,M2,…,Mn & the authentication tag MACk(M)=Cn .

64. Security of CBC MAC [BKR]
Claim: If Ek is a pseudo random function, then CBC MACis resilient to forgery.
Proof outline: Assume CBC MAC can be
forged efficiently. Transform the forging
algorithm into an algorithm distinguishing
Ek from random function efficiently.

65. Combined Secrecy & MAC
Given a message consisting of n blocks M1,M2,…,Mn, apply CBC (using the secret key k1) to produce MACk1(M).
Produce n cipertext blocks C1,C2,…,Cn
under a different key, k2.
Send C1,C2,…,Cn & the authentication tag MACk1(M).

66. Hash Functions Map large domains to smaller ranges
Example h: {0,1,…,p2}  {0,1,…,p-1} defined by h(x) = ax+b mod p
Used extensively for searching (hash tables)
Collisions are resolved by several possible means – chaining, double hashing, etc.

67. Collision Resistance
A hash function h: D  R is called weakly collision resistant for xD if it is hard to find x’x such that h(x’)=h(x)
A function h: DR is called strongly collision resistant if it is hard to find x, x’ such that x’x but h(x)=h(x’)

68. Cryptographic Hash Functions
Cryptographic hash functions are hash functions that are strongly collision resistant.
Notice: No secret key.
Should be very fast to compute, yet hard to
find coliding pairs (impossible if P=NP).
Usually defined by:
Compression function mapping n bits (e.g. 512) to m bits (e.g 160), m < n.

69. Extending to Longer Strings
h(M)
Seed H H H  M1 M2 Mk
D --> R (fixed sets, typically {0,1}n and {0,1}m )

70. Extending the Domain (cont.)
The seed is usually constant
Typically, padding (including text length of original message) is used to ensure a multiple of n.
Claim: if the basic function H is collision resistant, then so is its extension.

71. Lengths
Input message length should be arbitrary. In practice it is usually up to 264, which is good enough for all practical purposes.
Block length is usually 512 bits.
Output length should be at least 160 bits
to prevent birthday attacks.

72. Real-World Hash Functions
MD family (“message digest”)
MD-2
MD-4 (full description in Stinson’s book)
MD-5
SHA and SHA-1 (secure hash standard, 160 bits) (
RIPE-MD
SHA-256, 384 and 512 (proposed standards,
longer digests)

73. Basing MACs on Hash Functions
First goal: combine message and secret key, hash and produce MAC
Second goal: work with any cryptographic hash function
First attempt: MACk(m)=h(k,m)
Second attempt: MACk(m)=h(m,k)

74. HMAC Proposed in 1996 by [Bellare Canetti Krawczyk]
Internet engineering task force RFP
Receives as input a message m, a key k and a hash function h
Outputs a MAC by:
HMACk(m,h)= h(kopad, h(kipad,m))
Theorem [BCK]: HMAC can be forged if and only if the underlying hash function is broken (collisions found).
FIPS Standard: The keyed hash message authentication code

75. HMAC in Practice
SSL / TLS
WTLS
IPSec: AH
ESP