1. 1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 2 Chapter 3 (sections 3.1-3.4) You may skip proofs, but are encouraged to read some of them.

2. 2 Computational Difficulty (One-Way Functions) Pseudorandom Generators And Functions Zero-Knowledge Proof Systems Encryption Schemes Crypto Protocols Sign/MAC/hash Schemes APPLICATIONS (security) This course:

3. 3

4. 4

5. 5

6. 6

7. 7

8. 8

9. 9

10. 10

11. 11

12. 12

13. 13

14. 14

15. Vigenère Cipher 15

16. 16

17. 17

18. 18

19. 19

20. 20

21. 21

22. 22

23. 23

24. 24

25. 25

26. 26

27. 27

28. 28

29. 29

30. 30

31. 31

32. 32

33. Stream Ciphers Encryption schemes using pseudorandom generators 33

34. 34

35. 35

36. 36

37. 37

38. 38

39. 39

40. 40

41. 41

42. 42

43. 43

44. 44

45. 45

46. 46

47. 47

48. 48 Distinguisher D

49. 49

50. 50

51. 51

52. 52

53. 53

54. 54

55. 55

56. Security of RC4 RC4 is not a truly pseudorandom generator. The keystream generated by RC4 is biased. –The second byte is biased toward zero with high probability. –The first few bytes are strongly non-random and leak information about the input key. Defense: discard the initial n bytes of the keystream. –Called “RC4-drop[n-bytes]”. –Recommended values for n = 256, 768, or 3072 bytes. Efforts are underway (e.g. the eSTREAM project) to develop more secure stream ciphers. 56

57. The Use of RC4 in WEP WEP is an RC4-based protocol for encrypting data transmitted over an IEEE 802.11 wireless LAN. WEP requires each packet to be encrypted with a separate RC4 key. The RC4 key for each packet is a concatenation of a 40 or 104-bit long-term key and a random 24-bit R. 57 l RC4 key: Long-term key (40 or 104 bits) R (24) l Header R Message CRC encrypted 802.11 Frame:

58. WEP is not secure Mainly because of its way of constructing the key Can be cracked in a minute http://eprint.iacr.org/2007/120.pdf 58

59. 59

60. Theory of Block Ciphers Encryption schemes using pseudorandom functions or permutations Reading: Sections 3.5-3.7 of Katz & Lindell 60

61. 61

62. 62

63. 63

64. 64

65. 65

66. 66 k

67. 67

68. 68

69. 69

70. 70

71. 71

72. 72

73. 73

74. 74

75. 75

76. 76

77. 77

78. 78

79. 79 Some properties In CTR and OFB modes, transmission errors to a block c i affect only the decryption of that block; other blocks are not affected. –useful for communications over an unreliable channel. In CBC and CFB modes, changes to a block m i will affect c i and all subsequent ciphertext blocks. –These modes may be used to produce message authentication codes (MAC). In CTR mode, blocks can be encrypted (or decrypted) in parallel or in a “random access” fashion.

80. 80

81. 81

82. 82

83. 83

84. 84

85. 85

86. 86

87. 87

88. 88

89. Practical Block Ciphers: DES and AES DES: Data Encryption Standard (covered in 651) AES: Advanced Encryption Standard Reading: Chapter 5 of Katz/Lindell 89

90. 90

91. 91

92. 92

93. AES: Advanced Encryption Standard Finite field: The mathematics used in AES.

94. 94 AES: Advanced Encryption Standard In1997, NIST began the process of choosing a replacement for DES and called it the Advanced Encryption Standard. Requirements: block length of 128 bits, key lengths of 128, 192, and 256 bits. In 2000, Rijndael cipher (by Rijmen and Daemen) was selected. An iterated cipher, with 10, 12, or 14 rounds. Rijndael allows various block lengths. AES allows only one block size: 128 bits.

95. 95

96. 96

97. 97

98. 98

99. 99

100. 100

101. 101

102. 102

103. A Rijndael Animation by Enrique Zabala 103