1. 6. Practical Constructions of Symmetric-Key Primitives
CIS Cryptography
6. Practical Constructions of Symmetric-Key Primitives
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

2. Stream ciphers
A stream cipher is a pair of deterministic algorithms (Init, GetBits), where
Init takes input a seed 𝑠 and an optional 𝐼𝑉 and outputs an initial state 𝑠𝑡 0 . That is,
𝑠𝑡 0 := Init (𝑠,𝐼𝑉)
GetBits takes as input 𝑠𝑡 𝑖 and outputs a bit 𝑦 𝑖 and an updated state 𝑠𝑡 𝑖+1 . That is,
(𝑦 𝑖 , 𝑠𝑡 𝑖 ) := GetBits( 𝑠𝑡 𝑖−1 ), 𝑖=1,2, . . .

3. Linear Feedback Shift Registers (LFSR)
(𝑛=5)  
𝑠 3 x
𝑠 4
𝑠 3 x
𝑠 3
𝑠 3 x
𝑠 2
𝑠 3 x
𝑠 1
𝑠 3 x
𝑠 0
𝑠 𝑖 𝑡+1 := 𝑠 𝑖+1 𝑡 , 𝑖=0,…, 𝑛−2
𝑠 𝑛−1 𝑡+1 :=  𝑖=0 𝑛−1 𝑐 𝑖 𝑠 𝑖 𝑡
Output: 𝑦 𝑖 = 𝑠 𝑖−1 𝑡 , 𝑡=1,…, 𝑛, 𝑖=𝑡
𝑦 𝑖 =  𝑗=0 𝑛−1 𝑐 𝑗 𝑦 𝑖−𝑛+𝑗−1 , 𝑖>𝑛

4. Reconstruction attacks
Solve for unknowns: 𝑐 0 , , 𝑐 𝑛−1
So we must use nonlinear feedback
𝑦 𝑛+1 = 𝑐 𝑛−1 𝑦 𝑛  ⋯  𝑐 0 𝑦 1 ⋮
𝑦 2𝑛 = 𝑐 𝑛−1 𝑦 2𝑛−1  ⋯  𝑐 0 𝑦 𝑛
𝑠 𝑖 𝑡+1 := 𝑠 𝑖+1 𝑡 , 𝑖=0,…, 𝑛−2
𝑠 𝑛−1 𝑡+1 := 𝑔(𝑠 0 𝑡 , , 𝑠 𝑛−1 𝑡 ), some nonlinear function 𝑔

5. Self-shrinking generator
The self-shrinking generator uses alternating output bits of a single register to control its final output.
Clock two bits from the LFSR.
If the pair is 10 output a zero.
If the pair is 11 output a one.
Otherwise, output nothing.
Return to step one.

6. Self-shrinking generator, Example
Use polynomial: x8 + x4 + x3 + x2 + 1
Initial state: t 8 7 6 5 4 3 2 1
Out1
Out2
n/a

7. Other nonlinear stream ciphers
Trivium, eSTREAM project --see textbook
These are hardware implementations of PRNG
Next we shall consider a software implementation.

8. RC4 Init for RC4 (key scheduling) Algorithm 6.1 Input 16 byte key 𝑘
Output Initial state (𝑆,𝑖,𝑗),
𝑆 is a permutation of 0, ,255,
𝑖, 𝑗 𝜖 {0, , 255}
for 𝑖=0 to 255
𝑆 𝑖 ≔𝑖, 𝑘 𝑖 ≔𝑘[𝑖 𝑚𝑜𝑑 16]
𝑗 ≔0
𝑗≔𝑗+𝑆 𝑖 +𝑘[𝑖]
Swap 𝑆[𝑖] and 𝑆 𝑗
Return 𝑆,𝑖,𝑗

9. RC4 GetBits for RC4 (Algorithm 6.2) Input: (𝑆,𝑖,𝑗)
Output: byte y, updated state (𝑆,𝑖,𝑗)
𝑖 ≔𝑖+1
𝑗 ≔𝑗+𝑆 𝑖
Swap 𝑆[𝑖] and 𝑆 𝑗
𝑡 ≔𝑆 𝑖 +𝑆[𝑗]
𝑦 ≔𝑆[𝑡]
Return 𝑆,𝑖,𝑗 , 𝑦 𝑦

10. Attacks on RC4
There are several attacks on RC4 known for some time and therefore this stream cipher should not be used anymore.
A serious attack occurs when an IV is prepended to the to the key. This attack can be used to recover the key (regardless of it length) This attack was used to break the WEP encryption standard, and was influential in getting the standard replaced---see textbook for details of the attack.

11. Block ciphers A block cipher is an efficient keyed permutation
𝐹 :{0,1 } 𝑛 ×{0,1 } 𝑙 →{0,1 } 𝑙
𝐹 𝑘 𝑥 ≝𝐹(𝑘,𝑥) is a bijection, and 𝐹 𝑘 and its inverse 𝐹 𝑘 −1 are efficiently computable given 𝑘.
Block ciphers should be viewed as pseudorandom permutations rather than as encryption schemes.
They are a basic building blocks for symmetric key applications.

12. Block ciphers
We refer to 𝑛 as the key length and 𝑙 as the block length of 𝐹.
These are now constants (fixed) whereas earlier they where functions of the security parameter.
This takes us away from the asymptotic security to concrete security.

13. Substitution-Permutation Networks
A block cipher must behave like a random permutation.
However there are 2 𝑙 ! permutations on 𝑙-bit strings, so representing an arbitrary permutation with block length 𝑙 requires roughly log ( 2 𝑙 !)≈ 𝑙∙ 2 𝑙 bits.
Thus, we need to somehow construct a concise function that behaves like a random function

14. The confusion−diffusion paradigm
Idea (Shannon): construct a random looking permutation 𝐹 with large block length using smaller random looking substitutions { 𝑓 𝑖 } with small length.
A substitution-permutation network is an implementation of this paradigm.

15. The confusion−diffusion paradigm
The substitution component refers to small random functions 𝑓 𝑖 called S-boxes and the permutation component refers to the mixing of the outputs of the random functions.
The permutation component involves the reordering of the output bits and are called mixing permutations.

16. The confusion−diffusion paradigm An example, 1
Suppose we want 𝐹 to have block length 128 bits, and use 16 substitutions 𝑓 1 , .. . , 𝑓 16 that have block length 8 bits.
The key 𝑘 will specify the 16 substitutions.
For input 𝑥∈{0,1 } 128 we parse 𝑥 as 𝑥 1 , …, 𝑥 16 and set
𝐹 𝑘 𝑥 = 𝑓 1 𝑥 1 || ⋯ ||𝑓 16 𝑥 16
The “round” functions { 𝑓 𝑖 } are said to introduce confusion.

17. The confusion−diffusion paradigm An example, 2
A diffusion step then mixes the bits of the output. For example the bits of 𝐹 𝑘 𝑥 are shuffled to get 𝑥′.
The confusion-diffusion process is repeated several times
A substitution-permutation network is an implementation of this paradigm.

18. The confusion−diffusion paradigm An example, 3
Consider an SPN network with 64 bit block length and 8 bit 𝑆-boxes, 𝑆 1 , …, 𝑆 8 .
Evaluating the cipher proceeds in a number of rounds in which:
Key mixing: set 𝑥≔𝑥  𝑘, where 𝑘 is the current “round sub-key”.
Substitution: set 𝑥≔ 𝑆 1 ( 𝑥 1 )||⋯|| 𝑆 8 𝑥 8 .
Permutation: Permute the bits of 𝑥 to get the output for the next round.

19. Substitution-permutation network Example 3, single round

20. The confusion−diffusion paradigm
The basic idea is to break the input up into small parts and then feed these parts through different S-boxes (random permutations).
The outputs are then mixed together.
The process is repeated a given number of times, called a rounds.
The S-boxes introduce confusion into the construction.
In order to spread the confusion throughout, the results are mixed together, achieving diffusion.

21. Any SPN is invertible (given the key)
It suffices to invert each round.
Given the SPN output for a round and the key we:
First invert the mixing permutation
Then invert the 𝑆-box permutations
Finally XOR the result with the appropriate sub-key to get the round input.

22. The avalanche effect
An important property in any block cipher is that small changes to the input must result in large changes to the output.
To ensure this, block ciphers are designed so that small changes in the input propagate quickly to very large changes in the intermediate values.

23. The avalanche effect
It is easy to demonstrate that the avalanche effect holds in a substitution-permutation network, when the following hold:
The 𝑆-boxes are designed so that any change of at least a single bit to the input to an 𝑆-box results in a change of at least two bits in the output.
The mixing permutations are designed so that the output bits of any given 𝑆-box are spread into different 𝑆-boxes in the next round.

24. Feistel Networks
A Feistel* network is an alternative way of constructing a block cipher.
The low-level building blocks (S-boxes, mixing permutations and key schedule) are the same.
The difference is in the high-level design.
The advantage of Feistel networks over substitution permutation networks is that they enable the use of S-boxes that are not necessarily invertible.
* Horst Feistel who did pioneering research while working for IBM

25. Feistel Networks
This is important because a good block cipher has chaotic behavior (it should look random).
Requiring that all of the components of the construction be invertible inherently introduces structure, which contradicts the need for chaos.

26. Feistel Networks
A Feistel network is thus a way of constructing an invertible function from non-invertible components.
This seems like a contradiction in terms---if you cannot invert the components, how can you invert the overall structure.
Nevertheless, the Feistel design ingeniously overcomes this obstacle.

27. A Feistel network
For input 𝑥, denote by 𝑥 1 and 𝑥 2 the first and second halves of 𝑥 respectively.
Let 𝑣 1 = 𝑥 1 and 𝑣 2 = 𝑥 2 .
For 𝑖=1 to 𝑟 (where 𝑟 is the number of rounds in the network):
Let 𝑤 1 = 𝑣 2 and 𝑤 2 = 𝑣 1  𝑓 𝑖 ( 𝑣 2 ), where 𝑓 𝑖 denotes the 𝑓-function in the 𝑖-th round of the network.
Let 𝑣 1 = 𝑤 1 and 𝑣 2 = 𝑤 2 .
The output 𝑦 is (𝑣 1 , 𝑣 2 ).

28. Feistel Network .
mmm mm m