Block ciphers, pseudorandom functions and permutations in the context of applied cryptography. It covers the symmetric encryption scheme, the security of block ciphers, and the limitations of key-recovery based security. The document also introduces the concepts of pseudorandom functions and permutations as important tools in cryptography.
Alexandra (Sasha) Boldyreva
Lectures 2-3: Block ciphers, pseudorandom functions and permutations
A symmetric encryption scheme SE is specified by 3 algorithms K, E, D: SE=(K,E,D), or equivalently SE=(KeySp,E,D).
It is required that for every M ∈ MsgSp and every K ∈ KeySp, D(K,E(K,M))=M.
MsgSp - message space
KeySp - key space
Examples: DES, 3DES, AES...
A block cipher is a function family E: {0,1}^k × {0,1}^n → {0,1}^n, where the key length k and the input and output length n are the parameters.
Notation: for every K ∈ {0,1}^k, E_K(M)=E(K,M).
For every K ∈ {0,1}^k, E_K(⋅) is a permutation (a one-to-one and onto function): for every C ∈ {0,1}^n there is a single M ∈ {0,1}^n s.t. C=E_K(M).
Thus each block cipher has an inverse for every key: E_K^{-1}, with E_K^{-1}(E_K(M))=M for every M ∈ {0,1}^n.
For every K ∈ {0,1}^k, E_K(⋅), E_K^{-1}(⋅): {0,1}^n → {0,1}^n
M → E_K → C
DES: key length k=56, input and output length n=64.
A search for a data protection algorithm to be standardized was announced; DES became that algorithm.
DES is highly efficient: ≈2.5⋅10^… computations per second
Security of block ciphers
Any block cipher E is subject to exhaustive key search: given (M1,C1=E(K,M1)),...,(Mq,Cq=E(K,Mq)) an adversary can recover K (or another key consistent with the given pairs) as follows:
Adversary((M1,C1),...,(Mq,Cq))
  For i=1,...,2^k do
    If E(Ti,M1)=C1 then                     // Ti is the i-th k-bit string
      If E(Ti,Mj)=Cj for all 2≤j≤q then return Ti EndIf
    EndIf
  EndFor
Security of block ciphers
Exhaustive key search takes 2^k block cipher computations in the worst case.
On the average (the key K is uniform, so Pr[K=T_i]=2^{-k} for every i):
$\sum_{i=1}^{2^k} i \cdot \Pr[K = T_i] = \frac{1}{2^k}\sum_{i=1}^{2^k} i = \frac{1}{2^k}\cdot\frac{2^k(2^k+1)}{2} = 2^{k-1} + \frac{1}{2} \approx 2^{k-1}$
DES has the complementation property, which speeds up exhaustive search by a factor of 2.
For DES (k=56) exhaustive search at the rate above takes about 47 years.
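The following is an added example, not part of the lecture notes: it runs the exhaustive key search above against a hypothetical toy block cipher (a 4-round Feistel network with a 16-bit block and a 12-bit key, chosen tiny so the whole key space can be scanned in well under a second) and measures the number of trials, so that the worst case 2^k and the average (2^k+1)/2 from the sum can be seen directly. The cipher, its key schedule and the key values used are all constructed for this illustration; only the search procedure comes from the page.

```python
import random

KEY_BITS = 12      # toy key length k (hypothetical cipher, deliberately tiny)
BLOCK_BITS = 16    # toy block length n
ROUNDS = 4


def _round_key(key: int, r: int) -> int:
    """Rotate the 12-bit key by 3r bits and keep the low byte (an injective key schedule)."""
    rot = (3 * r) % KEY_BITS
    rotated = ((key >> rot) | (key << (KEY_BITS - rot))) & ((1 << KEY_BITS) - 1)
    return rotated & 0xFF


def _f(right: int, rk: int) -> int:
    """Feistel round function: key mixing, affine map, rotation, nonlinear squaring."""
    x = (right ^ rk) & 0xFF
    x = (x * 0x4D + 0x2B) & 0xFF
    x = ((x << 3) | (x >> 5)) & 0xFF
    return (x ^ (x * x)) & 0xFF


def toy_encrypt(key: int, block: int) -> int:
    """E(K, M): a Feistel network, so E_K is a permutation of {0,1}^16 for every K."""
    left, right = block >> 8, block & 0xFF
    for r in range(ROUNDS):
        left, right = right, left ^ _f(right, _round_key(key, r))
    return (left << 8) | right


def toy_decrypt(key: int, block: int) -> int:
    """E_K^{-1}(C): undo the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, _round_key(key, r)), left
    return (left << 8) | right


def exhaustive_key_search(pairs):
    """The attack from the page: try T_1, T_2, ... (here T_i is the integer i-1) until one
    key matches (M1,C1) and then every remaining pair. Returns (key, number of trials)."""
    (m1, c1), rest = pairs[0], pairs[1:]
    for i, t in enumerate(range(1 << KEY_BITS), start=1):
        if toy_encrypt(t, m1) == c1:
            if all(toy_encrypt(t, m) == c for m, c in rest):
                return t, i
    return None, 1 << KEY_BITS          # no consistent key: worst case 2^k trials


def average_trials(sample_keys, plaintexts) -> float:
    """Empirical mean number of trials over a set of true keys, to compare with (2^k+1)/2."""
    total = 0
    for key in sample_keys:
        pairs = [(m, toy_encrypt(key, m)) for m in plaintexts]
        total += exhaustive_key_search(pairs)[1]
    return total / len(sample_keys)


def expected_average_trials(k: int) -> float:
    """The closed form from the page's sum: (1/2^k) * 2^k(2^k+1)/2."""
    return (2 ** k + 1) / 2


if __name__ == "__main__":
    rng = random.Random(1)
    key = rng.getrandbits(KEY_BITS)                     # constructed secret key
    plaintexts = [0x1234, 0xBEEF]                       # constructed known plaintexts
    pairs = [(m, toy_encrypt(key, m)) for m in plaintexts]
    found, trials = exhaustive_key_search(pairs)
    print(f"true key {key:#05x}, found {found:#05x} after {trials} trials "
          f"(worst case {1 << KEY_BITS})")
    # keys spread evenly over the key space: their mean trial count sits at (2^k+1)/2
    spaced = [(2 * j + 1) * (1 << KEY_BITS) // 16 for j in range(8)]
    print("average trials:", average_trials(spaced, plaintexts),
          "vs (2^k+1)/2 =", expected_average_trials(KEY_BITS))
```

Two plaintext/ciphertext pairs are enough here because a wrong 12-bit key matching two independent 16-bit ciphertexts is a 2^-32 event; with a real 56-bit key the only thing that changes is the 2^k in the loop bound, which is exactly the page's point.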
Security of DES
There are more sophisticated attacks known:
differential cryptanalysis: finds the key given about 2^47 chosen plaintexts and the corresponding ciphertexts
linear cryptanalysis: finds the key given about 2^42 known plaintext and ciphertext pairs
These attacks require too much data, hence exhaustive key search is the best known attack. And it can be mounted in parallel!
A machine for DES exhaustive key search was built for $250,000. It finds the key in about 56 hours on average.
A new block cipher was needed...
Triple-DES: 3DES(K1||K2,M)=DES(K2, DES
3DES's keys are 112 bits long. Good, but it needs 3 DES computations.
Advanced Encryption Standard (AES)
A competition for a new block cipher was announced; 15 algorithms from different countries were submitted.
The winner was Rijndael, designed by Joan Daemen and Vincent Rijmen from Belgium.
AES: block length n=128, key length k is variable: 128, 192 or 256 bits.
Exhaustive key search is believed infeasible.
Random functions
Func(l,L) denotes the set of all functions from {0,1}^l to {0,1}^L; we consider a random instance g ∈ Func(l,L).
We are interested in the input-output behavior of a random function. Let's imagine that we have access to a subroutine that implements such a function (the table T starts empty; "←$" means a fresh uniformly random choice):
g(X ∈ {0,1}^l)
  global array T
  If T[X] is not defined then T[X] ←$ {0,1}^L EndIf
  Return Y=T[X]
"Black box" access: the adversary can query g(⋅) on inputs of its choice and sees only the outputs.
Note that for any X ∈ {0,1}^l and Y ∈ {0,1}^L, Pr[g(X)=Y] = 1/2^L.
Random permutations
Perm(l) is the set of all permutations on {0,1}^l.
Q. How large is the key space? A. |Perm(l)| = 2^l ! (one "key" per permutation).
We are interested in a random instance π ∈ Perm(l). The subroutine below implements it; the set S records the outputs already used, so that no output is ever repeated:
π(X ∈ {0,1}^l)
  global arrays T, S; S ← ∅
  If T[X] is not defined then T[X] ←$ {0,1}^l − S; S ← S ∪ {T[X]} EndIf
  Return Y=T[X]
"Black box" access to π(⋅) is as for g(⋅).
For any X ∈ {0,1}^l and Y ∈ {0,1}^l, Pr[π(X)=Y] = 1/2^l.
Random functions vs permutations
Fix X1, X2 ∈ {0,1}^l and Y1, Y2 ∈ {0,1}^L (for the permutation case L = l). Then, for f a random function and π a random permutation:

Pr[f(X1)=Y1] = 2^{-L}
Pr[π(X1)=Y1] = 2^{-l}

Pr[f(X1)=Y1 | f(X2)=Y2] = 2^{-L}                                          (X1 ≠ X2)
Pr[π(X1)=Y1 | π(X2)=Y2] = 1/(2^l − 1) if Y1 ≠ Y2; 0 if Y1 = Y2            (X1 ≠ X2)

Pr[f(X1)=Y1 and f(X2)=Y1] = 2^{-2L} if X1 ≠ X2; 2^{-L} if X1 = X2
Pr[π(X1)=Y1 and π(X2)=Y1] = 0 if X1 ≠ X2; 2^{-l} if X1 = X2

Pr[f(X1) ⊕ f(X2) = Y1] = 2^{-L} if X1 ≠ X2; 0 if X1 = X2 and Y1 ≠ 0^L; 1 if X1 = X2 and Y1 = 0^L
Pr[π(X1) ⊕ π(X2) = Y1] = 1/(2^l − 1) if X1 ≠ X2 and Y1 ≠ 0^l; 0 if X1 ≠ X2 and Y1 = 0^l; 0 if X1 = X2 and Y1 ≠ 0^l; 1 if X1 = X2 and Y1 = 0^l
Pseudorandom functions (PRFs)
A function family F is a PRF if the input-output behavior of its random instance is computationally indistinguishable from that of a random function.
Def. Fix a function family F: Keys(F) × Dom(F) → Range(F). Consider two experiments in which an adversary A gets black-box access to an oracle and outputs a bit b:

Experiment Exp^{prf-1}_F(A)            Experiment Exp^{prf-0}_F(A)
  K ←$ Keys(F)                           g ←$ Func(Dom(F),Range(F))
  b ←$ A^{F_K}                           b ←$ A^{g}
  Return b                               Return b

The prf-advantage of an adversary A is
Adv^{prf}_F(A) = Pr[Exp^{prf-1}_F(A)=1] − Pr[Exp^{prf-0}_F(A)=1]
F is a secure PRF if for any adversary with "reasonable" resources its prf-advantage is "small".
PRP-CCA and PRP-CPA
Theorem. Let F: Keys × D → D be a permutation family. Then for any adversary A that runs in time t and makes q chosen-plaintext queries, these totalling μ bits, there exists an adversary B that also runs in time t and makes q chosen-plaintext queries, these totalling μ bits, and no chosen-ciphertext queries such that
Adv^{prp-cpa}_F(A) ≤ Adv^{prp-cca}_F(B)
(B simply runs A and forwards its queries to its own oracle, so PRP-CCA security implies PRP-CPA security.)

Modeling block ciphers
Want a "master" property that a block cipher be PRP-CPA or PRP-CCA secure.
Conjectures: DES and AES are PRP-CCA (thus also PRP-CPA) secure.
For any A running in time t and making q queries:
Adv^{prp-cpa}_AES(A) ≤ c1 · t/(t_AES · 2^128) + q/2^128
Adv^{prf}_AES(A) ≤ c1 · t/(t_AES · 2^128) + q^2/2^128
(t_AES is the time of one AES computation and c1 is a constant; the q^2 term in the prf bound is the birthday attack below.)
The "birthday" attack
Theorem. For any block cipher E with domain and range {0,1}^l and any q s.t. 2 ≤ q ≤ 2^{(l+1)/2} there is an adversary A that makes q queries with
Adv^{prf}_E(A) ≥ 0.3 · q(q−1)/2^l
Lemma. If we throw (at random) q balls into N ≥ q bins then the probability C(N,q) of a collision satisfies
C(N,q) ≥ 0.3 · q(q−1)/N   whenever q(q−1) ≤ 2N

Proof of Lemma
$1 - C(N,q) = 1 \cdot \frac{N-1}{N} \cdot \frac{N-2}{N} \cdots \frac{N-q+1}{N} = \prod_{i=1}^{q-1}\left(1 - \frac{i}{N}\right)$
Using $1 - x \le e^{-x}$:
$1 - C(N,q) \le e^{-1/N} \cdot e^{-2/N} \cdots e^{-(q-1)/N} = e^{-q(q-1)/(2N)}$
Using $1 - e^{-x} \ge (1 - e^{-1})\,x$ if $x \le 1$, with $x = q(q-1)/(2N) \le 1$:
$C(N,q) \ge (1 - e^{-1}) \cdot \frac{q(q-1)}{2N} \ge 0.3 \cdot \frac{q(q-1)}{N}$
Thus the Lemma holds (note $(1 - e^{-1})/2 \approx 0.316 \ge 0.3$).

Proof of Theorem
Adversary A^g
  For i=1,...,q do y_i ← g(x_i) EndFor        // x_1,...,x_q are distinct l-bit strings
  If y_1,...,y_q are all distinct then return 1 else return 0 EndIf
In Exp^{prf-1}_E(A) the oracle is the permutation E_K, so the y_i are always distinct and A returns 1 with probability 1. In Exp^{prf-0}_E(A) the oracle is a random function, so A returns 1 exactly when q random L-bit outputs do not collide, i.e. with probability 1 − C(2^l, q). Thus
Adv^{prf}_E(A) = Pr[Exp^{prf-1}_E(A)=1] − Pr[Exp^{prf-0}_E(A)=1] = 1 − (1 − C(2^l,q)) = C(2^l,q) ≥ 0.3 · q(q−1)/2^l
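The following is an added example, not part of the lecture notes. It implements the lazy-sampling subroutines for a random function and a random permutation given earlier (table T plus, for the permutation, the used-output set S), the birthday adversary A^g from the proof, the exact collision probability C(N,q), and the Lemma's bound, so the advantage in the Theorem can be computed exactly and compared with a Monte-Carlo estimate of the two experiments. In world 1 the oracle is a random permutation, which stands in for E_K since every block cipher instance is a permutation. All parameters (l, q, seeds, trial counts) are constructed for the illustration.

```python
import random


class RandomFunction:
    """Lazy sampling of g <-$ Func(l, L): each new input gets a fresh uniform L-bit output."""

    def __init__(self, out_bits: int, rng: random.Random):
        self.out_bits, self.rng, self.table = out_bits, rng, {}

    def __call__(self, x: int) -> int:
        if x not in self.table:                      # "If T[X] is not defined then ..."
            self.table[x] = self.rng.getrandbits(self.out_bits)
        return self.table[x]


class RandomPermutation:
    """Lazy sampling of pi <-$ Perm(l): outputs drawn from {0,1}^l minus the used set S."""

    def __init__(self, bits: int, rng: random.Random):
        self.bits, self.rng, self.table, self.used = bits, rng, {}, set()

    def __call__(self, x: int) -> int:
        if x not in self.table:
            y = self.rng.getrandbits(self.bits)
            while y in self.used:                    # rejection sampling realises {0,1}^l - S
                y = self.rng.getrandbits(self.bits)
            self.table[x] = y
            self.used.add(y)                         # S <- S u {T[X]}
        return self.table[x]


def birthday_adversary(oracle, q: int) -> int:
    """A^g from the proof: query q distinct points, return 1 iff all answers are distinct."""
    outputs = [oracle(i) for i in range(q)]          # x_i is the l-bit encoding of i
    return 1 if len(set(outputs)) == q else 0


def collision_probability(n: int, q: int) -> float:
    """C(N, q): exact probability that q balls thrown into N bins collide."""
    no_collision = 1.0
    for i in range(1, q):                            # product of (1 - i/N), i = 1..q-1
        no_collision *= 1 - i / n
    return 1 - no_collision


def lemma_lower_bound(n: int, q: int) -> float:
    """The Lemma's bound 0.3 * q(q-1) / N."""
    return 0.3 * q * (q - 1) / n


def lemma_holds(n: int, q: int) -> bool:
    """Check C(N,q) >= 0.3 q(q-1)/N in the range q(q-1) <= 2N where the proof applies."""
    assert q * (q - 1) <= 2 * n, "outside the range covered by the Lemma"
    return collision_probability(n, q) >= lemma_lower_bound(n, q)


def exact_prf_advantage(l: int, q: int) -> float:
    """Adv^prf_E(A) for the birthday adversary against any l-bit block cipher:
    Pr[world 1 returns 1] - Pr[world 0 returns 1] = 1 - (1 - C(2^l, q))."""
    return 1.0 - (1.0 - collision_probability(2 ** l, q))


def run_experiment(l: int, q: int, world: int, seed: int) -> int:
    """One run of Exp^{prf-1} (world=1, random permutation) or Exp^{prf-0} (world=0, random function)."""
    rng = random.Random(seed)
    oracle = RandomPermutation(l, rng) if world == 1 else RandomFunction(l, rng)
    return birthday_adversary(oracle, q)


def estimated_prf_advantage(l: int, q: int, trials: int, seed: int = 0) -> float:
    """Monte-Carlo estimate of the advantage from repeated runs of both experiments."""
    ones_world1 = sum(run_experiment(l, q, 1, seed + t) for t in range(trials))
    ones_world0 = sum(run_experiment(l, q, 0, seed + trials + t) for t in range(trials))
    return (ones_world1 - ones_world0) / trials


if __name__ == "__main__":
    l, q = 16, 300                                   # q(q-1) = 89700 <= 2 * 2^16, within the Theorem's range
    print("exact advantage :", exact_prf_advantage(l, q))
    print("lemma bound     :", lemma_lower_bound(2 ** l, q))
    print("MC estimate     :", estimated_prf_advantage(l, q, trials=300))
```

With l=16 and q=300 the exact advantage is roughly 0.5, so a few hundred queries already distinguish a 16-bit-block cipher from a random function; the same computation with l=64 and q=2^32 is what makes the q^2/2^l term in the AES conjecture unavoidable.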