Block Ciphers, Pseudorandom Functions and Permutations in Applied Cryptography - Prof. Ale, Study notes of Cryptography and System Security

These study notes cover block ciphers, pseudorandom functions and permutations in the context of applied cryptography: the syntax of a symmetric encryption scheme, the security of block ciphers, and the limitations of key-recovery based security. They also introduce pseudorandom functions and permutations as important tools in cryptography.

Typology: Study notes

Pre 2010

Uploaded on 08/18/2009

CS 6260 Applied Cryptography
Alexandra (Sasha) Boldyreva
Lectures 2-3: Block ciphers, pseudorandom functions and permutations
Symmetric encryption scheme

A scheme SE is specified by 3 algorithms K, E, D: SE = (K, E, D) or SE = (KeySp, E, D).

[Figure: sender S and receiver R share a key K; S sends C = E(K, M), R recovers M = D(K, C), while the adversary A observes C.]

It is required that for every $M \in \mathrm{MsgSp}$ and every $K \in \mathrm{KeySp}$, $D(K, E(K, M)) = M$.

MsgSp - message space
KeySp - key space
A building block: block cipher

Examples: DES, 3DES, AES...

A block cipher is a function family $E: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, where $k$ (key length) and $n$ (input and output length) are the parameters.

Notation: for every $K \in \{0,1\}^k$, $E_K(M) = E(K, M)$.

For every $K \in \{0,1\}^k$, $E_K(\cdot)$ is a permutation (one-to-one and onto function): for every $C \in \{0,1\}^n$ there is a single $M \in \{0,1\}^n$ s.t. $C = E_K(M)$.

Thus each block cipher has an inverse for every key: $E_K^{-1}(\cdot)$ s.t. $E_K^{-1}(C) = M$ whenever $E_K(M) = C$, for all $M, C \in \{0,1\}^n$.

For every $K \in \{0,1\}^k$, $E_K(\cdot), E_K^{-1}(\cdot): \{0,1\}^n \to \{0,1\}^n$.

[Figure: M → E_K → C]
DES

Key length k = 56, input and output length n = 64.

1973. NBS (National Bureau of Standards) announced a search for a data protection algorithm to be standardized.
1974. IBM submits a design based on the “Lucifer” algorithm.
1975. The proposed DES is published.
1976. DES approved as a federal standard.

DES is highly efficient: $\approx 2.5 \cdot 10^7$ DES computations per second.


Security of block ciphers

Any block cipher E is subject to exhaustive key search: given $(M_1, C_1 = E(K, M_1)), \ldots, (M_q, C_q = E(K, M_q))$ an adversary can recover K (or another key consistent with the given pairs) as follows:

Algorithm $EKS_E((M_1, C_1), \ldots, (M_q, C_q))$
  For $i = 1, \ldots, 2^k$ do
    If $E(T_i, M_1) = C_1$ then   // $T_i$ is the i-th k-bit string
      If $E(T_i, M_j) = C_j$ for all $2 \le j \le q$ then return $T_i$ EndIf
    EndIf
  EndFor

Security of block ciphers

Exhaustive key search takes $2^k$ block cipher computations in the worst case.

On the average:
$$\sum_{i=1}^{2^k} i \cdot \Pr[K = T_i] = \frac{1}{2^k} \sum_{i=1}^{2^k} i = \frac{1}{2^k} \cdot \frac{2^k (2^k + 1)}{2} = \frac{2^k + 1}{2} \approx 2^{k-1}$$

DES has the property that $\overline{DES_K(M)} = DES_{\overline{K}}(\overline{M})$ (complementing the key and the message complements the ciphertext); this speeds up exhaustive search by a factor of 2.

For DES (k = 56) exhaustive search takes on average $2^{k-1} = 2^{55}$ DES computations, that is about 47 years at the rate above.
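As an added example (not code from the slides), the EKS procedure and its average-case count run against a constructed toy block cipher with k = n = 16, so the whole key space can be scanned in seconds; `toy_E`, `eks` and `average_cost` are names chosen here.

```python
import secrets

K_BITS, N_BITS = 16, 16           # constructed toy parameters: 16-bit key and block
MASK = (1 << N_BITS) - 1

def toy_E(K: int, M: int) -> int:
    """Constructed toy block cipher E_K: {0,1}^16 -> {0,1}^16 (not secure, just
    small). XOR, multiplication by an odd constant mod 2^16 and rotation are all
    bijections, so E_K is a permutation for every K as the definition requires."""
    x = (M ^ K) & MASK
    x = (x * 0x6F35) & MASK                          # odd multiplier: invertible
    x = ((x << 5) | (x >> (N_BITS - 5))) & MASK      # rotate left by 5
    return x ^ ((K * 0x9E37) & MASK)

def eks(pairs):
    """EKS_E((M1,C1),...,(Mq,Cq)) from the slides: scan T_1, T_2, ... and return
    (T_i, i), the first key consistent with every pair and the number of
    candidates tried. Returns (None, 2^k) if no key fits."""
    (M1, C1), rest = pairs[0], pairs[1:]
    for i in range(1 << K_BITS):                     # T_i = i-th k-bit string
        if toy_E(i, M1) == C1:                       # cheap filter on first pair
            if all(toy_E(i, Mj) == Cj for Mj, Cj in rest):
                return i, i + 1
    return None, 1 << K_BITS

def average_cost(trials: int = 30, q: int = 2) -> float:
    """Mean number of candidates tried over random keys; the slides' analysis
    predicts sum_i i*Pr[K=T_i] = (2^k+1)/2, i.e. about 2^(k-1) = 32768 here."""
    total = 0
    for _ in range(trials):
        K = secrets.randbelow(1 << K_BITS)
        Ms = [secrets.randbelow(1 << N_BITS) for _ in range(q)]
        total += eks([(M, toy_E(K, M)) for M in Ms])[1]
    return total / trials
```

With q = 2 known pairs a spurious key is very unlikely at n = 16, so the returned key is almost always the one used; the doubling of the key length, not the block length, is what moves the average out of reach.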

Security of DES

There are more sophisticated attacks known:
  differential cryptanalysis: finds the key given about $2^{47}$ chosen plaintexts and the corresponding ciphertexts
  linear cryptanalysis: finds the key given about $2^{42}$ known plaintext and ciphertext pairs

These attacks require too much data, hence exhaustive key search is the best known attack. And it can be mounted in parallel!

A machine for DES exhaustive key search was built for $250,000. It finds the key in about 56 hours on average.

A new block cipher was needed....

Triple-DES: $3DES(K_1 \| K_2, M) = DES(K_2, DES^{-1}(K_1, DES(K_2, M)))$. 3DES's keys are 112-bit long. Good, but needs 3 DES computations.

Advanced Encryption Standard (AES)

NIST announced a search for a new block cipher. 15 algorithms from different countries were submitted.
NIST announces the winner: an algorithm Rijndael, designed by Joan Daemen and Vincent Rijmen from Belgium.

AES: block length n = 128, key length k is variable: 128, 192 or 256 bits.

Exhaustive key search is believed infeasible.


Random functions

Let Func(l, L) be the set of all functions from $\{0,1\}^l$ to $\{0,1\}^L$, and let $g \xleftarrow{\$} \mathrm{Func}(l, L)$ be a random instance. We are interested in the input-output behavior of a random function. Let's imagine that we have access to a subroutine that implements such a function:

$g(X \in \{0,1\}^l)$
  global array T
  If T[X] is not defined then $T[X] \xleftarrow{\$} \{0,1\}^L$ EndIf
  Return T[X]

“Black box” access: the caller supplies X and receives Y = T[X] from the subroutine above, without seeing T.

Note that for any $X \in \{0,1\}^l$ and $Y \in \{0,1\}^L$, $\Pr[g(X) = Y] = 2^{-L}$.

Random permutations

Perm(l) is the set of all permutations on $\{0,1\}^l$.

Q. How large is the key space?
A. $(2^l)!$

We are interested in a random instance $\pi \xleftarrow{\$} \mathrm{Perm}(l)$:

$\pi(X \in \{0,1\}^l)$
  global arrays T, S; $S \leftarrow \emptyset$
  If T[X] is not defined then $T[X] \xleftarrow{\$} \{0,1\}^l \setminus S$; $S \leftarrow S \cup \{T[X]\}$ EndIf
  Return T[X]

“Black box” access: the caller supplies X and receives Y = T[X] from the subroutine above, without seeing T or S.

For any $X \in \{0,1\}^l$ and $Y \in \{0,1\}^l$, $\Pr[\pi(X) = Y] = 2^{-l}$.
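The two lazily sampled subroutines above, as an added example in Python (not code from the slides); `RandomFunction`, `RandomPermutation`, `query_all` and `estimate_pr` are names chosen here.

```python
import secrets

class RandomFunction:
    """g <-$ Func(l, L), sampled lazily exactly as in the slides' subroutine:
    the dict T plays the role of the global array T."""
    def __init__(self, l: int, L: int):
        self.l, self.L = l, L
        self.T = {}                                   # defined only where queried

    def __call__(self, X: int) -> int:
        assert 0 <= X < (1 << self.l), "X must be an l-bit string"
        if X not in self.T:                           # If T[X] is not defined then
            self.T[X] = secrets.randbelow(1 << self.L)   # T[X] <-$ {0,1}^L
        return self.T[X]                              # Return T[X]

class RandomPermutation:
    """pi <-$ Perm(l): as above, but T[X] is drawn from {0,1}^l \\ S where S is
    the set of outputs already assigned, so pi is one-to-one."""
    def __init__(self, l: int):
        self.l = l
        self.T = {}
        self.S = set()                                # S <- empty set

    def __call__(self, X: int) -> int:
        assert 0 <= X < (1 << self.l), "X must be an l-bit string"
        if X not in self.T:
            # Enumerating {0,1}^l \ S costs O(2^l) per new X: fine for a toy l.
            unused = [Y for Y in range(1 << self.l) if Y not in self.S]
            self.T[X] = secrets.choice(unused)        # T[X] <-$ {0,1}^l \ S
            self.S.add(self.T[X])                     # S <- S u {T[X]}
        return self.T[X]

def query_all(oracle, l: int) -> list:
    """Query the black box on every X in {0,1}^l and collect the answers."""
    return [oracle(X) for X in range(1 << l)]

def estimate_pr(l: int, L: int, X: int, Y: int, trials: int = 4000) -> float:
    """Monte Carlo estimate of Pr[g(X) = Y] over fresh g <-$ Func(l, L);
    the slides give exactly 2^-L, independent of X and Y."""
    hits = sum(1 for _ in range(trials) if RandomFunction(l, L)(X) == Y)
    return hits / trials
```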


Random functions vs permutations

Fix $X_1, X_2 \in \{0,1\}^l$ and $Y_1, Y_2 \in \{0,1\}^L$ (with $L = l$ for the permutation). Then, for $f$ a random function and $\pi$ a random permutation:

$\Pr[f(X_1) = Y_1] = 2^{-L}$;   $\Pr[\pi(X_1) = Y_1] = 2^{-l}$

For $X_1 \ne X_2$:
$\Pr[f(X_1) = Y_1 \mid f(X_2) = Y_2] = 2^{-L}$;
$\Pr[\pi(X_1) = Y_1 \mid \pi(X_2) = Y_2] = \begin{cases} \frac{1}{2^l - 1} & \text{if } Y_1 \ne Y_2 \\ 0 & \text{if } Y_1 = Y_2 \end{cases}$

$\Pr[f(X_1) = Y_1 \text{ and } f(X_2) = Y_1] = \begin{cases} 2^{-2L} & \text{if } X_1 \ne X_2 \\ 2^{-L} & \text{if } X_1 = X_2 \end{cases}$;
$\Pr[\pi(X_1) = Y_1 \text{ and } \pi(X_2) = Y_1] = \begin{cases} 0 & \text{if } X_1 \ne X_2 \\ 2^{-l} & \text{if } X_1 = X_2 \end{cases}$

$\Pr[f(X_1) \oplus f(X_2) = Y_1] = \begin{cases} 2^{-L} & \text{if } X_1 \ne X_2 \\ 0 & \text{if } X_1 = X_2 \text{ and } Y_1 \ne 0^L \\ 1 & \text{if } X_1 = X_2 \text{ and } Y_1 = 0^L \end{cases}$;
$\Pr[\pi(X_1) \oplus \pi(X_2) = Y_1] = \begin{cases} \frac{1}{2^l - 1} & \text{if } X_1 \ne X_2 \text{ and } Y_1 \ne 0^l \\ 0 & \text{if } X_1 \ne X_2 \text{ and } Y_1 = 0^l \\ 0 & \text{if } X_1 = X_2 \text{ and } Y_1 \ne 0^l \\ 1 & \text{if } X_1 = X_2 \text{ and } Y_1 = 0^l \end{cases}$

Pseudorandom functions (PRFs)

A function family F is a PRF if the input-output behavior of its random instance is computationally indistinguishable from that of a random function.

Def. Fix a function family $F: \mathrm{Keys}(F) \times \mathrm{Dom}(F) \to \mathrm{Range}(F)$. Consider the two experiments, in which the adversary A has “black box” access to the oracle $F_K$ or $g$:

Experiment $\mathrm{Exp}^{\mathrm{prf}\text{-}1}_F(A)$
  $K \xleftarrow{\$} \mathrm{Keys}(F)$
  $b \xleftarrow{\$} A^{F_K}$
  Return b

Experiment $\mathrm{Exp}^{\mathrm{prf}\text{-}0}_F(A)$
  $g \xleftarrow{\$} \mathrm{Func}(\mathrm{Dom}(F), \mathrm{Range}(F))$
  $b \xleftarrow{\$} A^{g}$
  Return b

The prf-advantage of an adversary A is
$$\mathrm{Adv}^{\mathrm{prf}}_F(A) = \Pr[\mathrm{Exp}^{\mathrm{prf}\text{-}1}_F(A) = 1] - \Pr[\mathrm{Exp}^{\mathrm{prf}\text{-}0}_F(A) = 1]$$

F is a secure PRF if for any adversary with “reasonable” resources its prf-advantage is “small”.


PRP-CCA → PRP-CPA

Theorem. Let $F: \mathrm{Keys} \times D \to D$ be a permutation family. Then for any adversary A that runs in time t and makes q chosen-plaintext queries, these totalling μ bits, there exists an adversary B that also runs in time t and makes q chosen-plaintext queries, these totalling μ bits, and no chosen-ciphertext queries, such that
$$\mathrm{Adv}^{\mathrm{prp\text{-}cca}}_F(B) \le \mathrm{Adv}^{\mathrm{prp\text{-}cpa}}_F(A)$$

Modeling block ciphers

Want a “master” property that a block cipher be PRP-CPA or PRP-CCA secure.

Conjectures: DES and AES are PRP-CCA (thus also PRP-CPA) secure. For any A running time t and making q queries
$$\mathrm{Adv}^{\mathrm{prp\text{-}cpa}}_{AES}(A) \le c_1 \cdot \frac{t}{t_{AES} \cdot 2^{128}} + c_2 \cdot \frac{q}{2^{128}}$$
$$\mathrm{Adv}^{\mathrm{prf}}_{AES}(A) \le c_1 \cdot \frac{t}{t_{AES} \cdot 2^{128}} + \frac{q^2}{2^{128}}$$
(with $t_{AES}$ the time of one AES computation and $c_1, c_2$ constants).

The “birthday” attack

Theorem. For any block cipher E with domain and range $\{0,1\}^l$ and any q s.t. $2 \le q \le 2^{(l+1)/2}$ there is an adversary A that makes q queries and has
$$\mathrm{Adv}^{\mathrm{prf}}_E(A) \ge 0.3 \cdot \frac{q(q-1)}{2^l}$$

Lemma. If we throw (at random) q balls into $N \ge q$ bins then the probability of a collision satisfies
$$C(N, q) \ge 0.3 \cdot \frac{q(q-1)}{N}$$
(for q with $q(q-1)/(2N) \le 1$, the condition used in the proof).

Proof of Lemma
$$1 - C(N, q) = 1 \cdot \frac{N-1}{N} \cdot \frac{N-2}{N} \cdots \frac{N-q+1}{N} = \left(1 - \frac{1}{N}\right)\left(1 - \frac{2}{N}\right) \cdots \left(1 - \frac{q-1}{N}\right)$$
$$\le e^{-1/N} \cdots e^{-(q-1)/N} = e^{-q(q-1)/(2N)} \qquad // \text{ Using that } 1 - x \le e^{-x}$$
Thus
$$C(N, q) \ge 1 - e^{-q(q-1)/(2N)} \ge (1 - e^{-1}) \cdot \frac{q(q-1)}{2N} \ge 0.3 \cdot \frac{q(q-1)}{N} \qquad // \text{ Using that } 1 - e^{-x} \ge (1 - e^{-1})\, x \text{ if } x \le 1$$


Proof of Theorem

Adversary $A^g$
  For $i = 1, \ldots, q$ do $y_i \leftarrow g(x_i)$ EndFor   // $x_1, \ldots, x_q$ distinct l-bit inputs
  If $y_1, \ldots, y_q$ are all distinct return 1, else return 0 EndIf

Since $E_K$ is a permutation, distinct inputs give distinct outputs and A returns 1 in the prf-1 experiment; in the prf-0 experiment A returns 1 exactly when the q random outputs do not collide. Hence
$$\mathrm{Adv}^{\mathrm{prf}}_E(A) = \Pr[\mathrm{Exp}^{\mathrm{prf}\text{-}1}_E(A) = 1] - \Pr[\mathrm{Exp}^{\mathrm{prf}\text{-}0}_E(A) = 1] = 1 - (1 - C(2^l, q)) = C(2^l, q) \ge 0.3 \cdot \frac{q(q-1)}{2^l}$$
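As an added example (not code from the slides), the two prf experiments run with the birthday adversary of the proof against a constructed toy permutation family on $\{0,1\}^8$, next to the exact $C(N, q)$ and the $0.3 \cdot q(q-1)/N$ bound of the Lemma; `toy_perm`, `birthday_adversary`, `exp_prf_1`, `exp_prf_0`, `empirical_advantage`, `collision_prob` and `birthday_bound` are names chosen here.

```python
import math
import secrets

L_BITS = 8                      # constructed toy block length l
N = 1 << L_BITS                 # N = 2^l = 256 possible outputs

def toy_perm(K: int, X: int) -> int:
    """Constructed toy permutation family F_K on {0,1}^8 standing in for a block
    cipher E: an affine map X -> a*X + b mod 256 with odd a, hence a bijection."""
    a = 2 * (K & 0x7F) + 1      # odd multiplier derived from the key
    b = (K >> 8) & 0xFF
    return (a * X + b) % N

def birthday_adversary(g, q: int) -> int:
    """Adversary A^g of the proof: query q distinct inputs x_1..x_q and return 1
    iff the answers y_1..y_q are all distinct."""
    ys = [g(x) for x in range(q)]
    return 1 if len(set(ys)) == q else 0

def exp_prf_1(q: int) -> int:
    """Exp^{prf-1}: K <-$ Keys(F); b <-$ A^{F_K}; return b."""
    K = secrets.randbelow(1 << 16)
    return birthday_adversary(lambda x: toy_perm(K, x), q)

def exp_prf_0(q: int) -> int:
    """Exp^{prf-0}: g <-$ Func({0,1}^l, {0,1}^l), sampled lazily; b <-$ A^g."""
    T = {}
    def g(x):
        if x not in T:
            T[x] = secrets.randbelow(N)
        return T[x]
    return birthday_adversary(g, q)

def empirical_advantage(q: int, trials: int = 2000) -> float:
    """Estimate Adv^{prf}(A) = Pr[Exp^{prf-1}=1] - Pr[Exp^{prf-0}=1]."""
    p1 = sum(exp_prf_1(q) for _ in range(trials)) / trials
    p0 = sum(exp_prf_0(q) for _ in range(trials)) / trials
    return p1 - p0

def collision_prob(n: int, q: int) -> float:
    """Exact C(N,q) = 1 - prod_{i=1}^{q-1} (N-i)/N, as in the proof of the Lemma."""
    return 1.0 - math.prod((n - i) / n for i in range(q))

def birthday_bound(n: int, q: int) -> float:
    """The Lemma's lower bound 0.3*q(q-1)/N (valid when q(q-1)/(2N) <= 1)."""
    return 0.3 * q * (q - 1) / n
```

For q = 20 and N = 256 the estimate lands near the exact C(256, 20) ≈ 0.53, above the bound 0.3·20·19/256 ≈ 0.45, which is the Theorem's guarantee: q² of the order of 2^l queries suffice to tell any permutation from a random function.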