Lecture 3 - Block Ciphers, DES


What are the problems with OTP?

1. The key is too long (as long as the message).
2. Since it is symmetric encryption, both parties must have the same key, so it has to be sent along a secure channel.

Recall 3 principles of modern crypto: 1. Definitions 2. Proofs 3. Assumptions For each one indicate (in plain English) how these apply to a semantically secure stream cipher.

1. Definition: a stream cipher is semantically secure if all efficient statistical tests have negligible advantage. In other words, no efficient statistical test should have a non-negligible advantage.
2. Proof: we would like to prove that no efficient statistical test can distinguish the output of a secure stream cipher from random; this can't be proven, but we have heuristics. If it could be proven, it wouldn't matter how strong the adversary is: there would be no way to break it unless we implement it incorrectly. But it can't be proven, since the question is similar to the P = NP problem. We have heuristics, but they are not absolute. The attacker doesn't know how to break it either.
3. Assumptions: since we can't prove it unconditionally, we assume an "efficient" attacker, a one-time key (just one ciphertext), a ciphertext-only attack, and explicit messages; the cipher may leak with negligible probability. What kind of assumptions? The attacker has to be an efficient algorithm, bounded by a polynomial in the input size. We constrain ourselves to use cases such as limiting the key to one-time use. There is a negligible advantage, i.e. a negligible probability that information is leaked.

What is considered to be a negligible value and what does it imply for PRG's?

1/(2^88) or so is negligible, and a negligible advantage implies that the generator is secure.

What is the Formal Definition for a Secure PRG?

A generator is secure not only if a particular statistical test says that the output looks random, but if all efficient statistical tests say the output looks random. Definition: we say that G: K → {0,1}ⁿ is a secure PRG if for every efficient statistical test A, Adv_PRG[A, G] is negligible. The advantage of "all efficient" statistical tests has to be negligible. If some test has a non-negligible advantage, it can be used by attackers to break the generator. Moreover, a PRG has to be unpredictable. Theorem: if for all i ∈ {0, ..., n-1} the PRG G is unpredictable at position i, then G is a secure PRG. If next-bit predictors cannot distinguish G from random, then no statistical test can. Unpredictable generator: one cannot predict bit i+1 from the first i bits, and that is true for all i.

What is Confusion?

A technique to make the relationship between the statistics of the ciphertext and the value of the encryption keys as complex as possible. It's to thwart attempts to discover the key. S-boxes provide confusion of input bits.

What is Diffusion?

A technique to obscure the statistical structure of the plaintext by spreading out the influence of each individual plaintext bit over many ciphertext bits. It's to thwart attempts to deduce the key. P-boxes provide diffusion across s-box inputs. It breaks the statistical dependency between ciphertext and plaintext.

Solve the advantage for the following: Suppose G: K → {0,1}ⁿ satisfies msb(G(k)) = 1 for 2/3 of the keys in K. Define the statistical test A(x) as: if msb(x) = 1 output "1", else output "0".

Adv_PRG[A,G] = |Pr[A(G(k)) = 1] - Pr[A(r) = 1]| = 1/6. Pr[A(G(k)) = 1] is given: for the output of the PRG, the first bit is 1 in 2/3 of the cases. Pr[A(r) = 1] is the output for a truly random string, where it can be surmised that 1/2 of the strings will have MSB = 1. Thus 2/3 - 1/2 = 1/6. A (the statistical test) breaks the generator G with advantage 1/6. This value is not negligible. Additionally, it's a good statistical test since it can tell whether the input is a truly random string or not.

Why is A(x) = 0 not a good statistical test?

Always returns a 0 regardless of the cases. The test can't tell the difference.

What is a PRG?

An efficient, deterministic algorithm that expands a short, uniformly random seed into a longer pseudorandom output. It should not be predictable and done in polynomial time.

Compare stream ciphers and block ciphers in terms of performance.

Block ciphers are very slow because they work by iterating round functions, while stream ciphers are very fast.

With the formal definition of Secure PRG, why is it important to state "all efficient" statistical tests as opposed to all statistical tests?

If you simply said "all" statistical tests, it would be impossible to define a secure PRG. A PRG's output is not a truly random string, and a powerful statistical test with unbounded computational power would at some point be able to tell that it's not a random string. Thus you need to constrain the power of the attacker.

Can you prove secure PRGs?

We can't prove that secure PRGs exist, but we have heuristic candidates. It's similar to the P = NP problem: if you could prove that secure PRGs exist, you would solve the P = NP question.

Show OTP is semantically secure (should be since it's perfectly secure).

Eve constructs m₀, m₁ ∈ M where |m₀| = |m₁| and sends them to the Challenger. For either b = 0 or b = 1, the Challenger sends Eve the ciphertext, which is either m₀ XOR k or m₁ XOR k. From the ciphertext, Eve has to output b'. For all A: Adv_SS[A, OTP] = |Pr[A(k XOR m₀) = 1] - Pr[A(k XOR m₁) = 1]| = 0. Both ciphertexts have identical distributions, so the probability that Eve outputs 1 when m₀ is encrypted is the same as when m₁ is encrypted. Eve can't say anything from the ciphertext.

Describe the game for Semantic Security (One-Time Key)- first use case. Then state the Formal Definition of Semantic Security for One-Time Key.

The first use case is where you take a key, use it once to encrypt a message, and never use it again. Eve has only one ciphertext. The bit b = 0,1 defines the experiments EXP(0) and EXP(1). Eve, acting as a statistical test, generates 2 messages of the same size (m₀, m₁) and sends them to the Challenger. The Challenger generates a key at random. Using the value b (either 0 or 1), the Challenger determines which message to encrypt (m₀ or m₁). Then the ciphertext is returned to Eve. Eve, at this point, has to guess which message was encrypted and outputs b', which indicates which of m₀ or m₁ was encrypted. The advantage for this statistical test has to be 0. If it's closer to 1, then it means Eve can tell which of m₀, m₁ got encrypted.

For b = 0,1: W_b := [event that EXP(b) = 1], and Adv_ss[A,E] := |Pr[W₀] - Pr[W₁]| ∈ [0,1]. W_b := [event that EXP(b) = 1] means the event that Eve returns 1. The advantage uses the probability that Eve can guess which message got encrypted: the probability of event W₀ minus the probability of event W₁.

Definition: a symmetric encryption scheme E is semantically secure if for all "efficient" statistical tests A, Adv_ss[A,E] is negligible → for all explicit m₀, m₁ ∈ M, {E(k, m₀)} ≈_p {E(k, m₁)}. The definition was expanded to cover the cipher and not only the PRG (Formal Definition of Secure PRG).

What is the relationship between PRP and PRF?

Functionally, any PRP is also a PRF. A PRP is a PRF where X=Y and is efficiently invertible.

Describe how the Feistel Network works.

Given arbitrary functions f₁, ..., f_d: {0,1}ⁿ → {0,1}ⁿ, the goal is to build an invertible function F: {0,1}²ⁿ → {0,1}²ⁿ. It takes 2n bits and separates them into R₀ and L₀. R₀ is passed to L₁ in the next round. For L₀, R₀ is passed through f₁ and the output is XORed with L₀ (f₁(R₀) ⊕ L₀). That result is passed to R₁. You do this n times to get your ciphertext. Mathematically, for i = 1, ..., d: R_i = f_i(R_{i-1}) ⊕ L_{i-1} and L_i = R_{i-1}.

Explain the consistency property.

You have to be able to get the message back; otherwise the cipher is useless. You should be able to encrypt and then decrypt.

What is the theorem behind stream ciphers being semantically secure?

If you have a secure PRG, then you get a semantically secure stream cipher. Theorem: if G: K → {0,1}ⁿ is a secure PRG, then the stream cipher E derived from G is semantically secure.

Explain how Shannon's Perfect Secrecy in terms of "Perfect Secrecy" and "Semantic Security" differs for a cipher (E,D) over (K, M, C).

Instead of requiring the two distributions to be identical, we require the two distributions to be computationally indistinguishable. (E,D) has perfect secrecy if ∀ m₀, m₁ ∈ M with |m₀| = |m₁|: {E(k, m₀)} = {E(k, m₁)}, where k ← K uniformly at random. (E,D) is semantically secure if ∀ m₀, m₁ ∈ M with |m₀| = |m₁|: {E(k, m₀)} ≈_p {E(k, m₁)}, where k ← K uniformly at random. For semantic security, it's computational indistinguishability instead of strict equality.

What is the significance of the Feistel Network?

It achieved invertibility out of non-invertible functions.

Describe Semantic Security.

It differs from perfect secrecy by:
1. Allowing security to fail with tiny probability
2. Only considering "efficient" attackers
It's ok if a cipher leaks information about the plaintext with a tiny probability to an attacker with bounded computational resources (efficient). But it's not ok for information to be revealed to an efficient adversary with non-negligible probability.

Describe DES.

It is a 16-round Feistel network with f₁, ..., f₁₆: {0,1}³² → {0,1}³², where f_i(x) = F(k_i, x) and k_i is the round key derived from the DES key k. Instead of using 16 different functions, it uses 16 different keys. When you fix the key k, you get the function that corresponds to that key. DES takes 64 bits as input and passes them through a permutation. The 56-bit DES key is expanded to produce 16 round keys of 48 bits each. The output of the permutation is fed into the 16-round Feistel network. Its output is fed into an inverse permutation, which outputs 64 bits.

Describe how block ciphers work.

It takes a key k and undergoes key expansion to produce n round keys. There are n round functions, and the value of n depends on the cipher (DES: n = 48, AES: n = 10). Each round key is fed into the round function along with m. Then, sequentially, the output is fed into another round function with a different key. This is repeated until it has gone through all n rounds, producing the ciphertext.

How does the function F(k_i, x), round function in DES, work?

It takes half a block (32 bits) and expands it to 48 bits by replicating some bits and moving others around. This is XORed with the 48-bit round key. The output is then fed into 8 S-boxes, each of which takes a 6-bit input and produces a 4-bit output. Then the output is fed into a P-box.

What is permutation aka p-box?

It's where a binary string has its bits reordered or permuted. The reordering forms the key, which is equivalent to wire-crossing in practice. The P-box provides diffusion: you're shuffling bits around.

What is substitution aka s-box?

It's where a binary string is replaced by some other binary string. The whole substitution function forms the key. The S-box provides confusion.

Describe the game for Secure PRPs.

Let F: K x X → X be a PRP. Eve sends x ∈ X, some values x in the set X, to the Challenger. The Challenger returns either π(x), where π ← Perms[X,Y] (a truly random permutation), or E(k,x), where k ← K (a random key for the PRP). Eve looks at the output and does not know whether it came from a truly random permutation or not. The PRP is secure if Eve cannot tell whether she's interacting with a truly random permutation or with a pseudorandom permutation.

How do we define a Secure PRP?

Let F: K x X → X be a PRP. PRPs are constrained PRFs with an invertibility requirement and with set X = set Y. Perms[X,Y]: the set of one-to-one functions from X to Y (truly random). S_F = {E(k, ∙): k ∈ K} ⊆ Perms[X,Y]: the set of functions obtained by fixing k. Intuition: a PRP is secure if a random function in Perms[X,Y] is indistinguishable from a pseudorandom function in S_F.

Describe the game for Secure PRFs.

Let F: K x X → Y be a PRF. Eve sends x ∈ X, some values x in the set X, to the Challenger. The Challenger returns either f(x), where f ← Funs[X,Y] (a truly random function), or F(k,x), where k ← K (a random key for the PRF). Eve looks at the output and does not know whether it came from a truly random function or not. The PRF is secure if Eve cannot tell whether she's interacting with a truly random function or with a pseudorandom function, for all queries.

How do we define a Secure PRF?

Let F: K x X → Y be a PRF. Funs[X,Y]: the set of all functions from X to Y. S_F = {F(k, ∙): k ∈ K} ⊆ Funs[X,Y]: the set of functions from X to Y that the PRF specifies once we fix a particular key k. Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a pseudorandom function in S_F. The size of Funs[X,Y] (truly random functions) for 128 bits is 2^(128 * 2^128), since the size is |Y|^|X|. Imagine all possible functions of any structure, with no restrictions such as being invertible. The size of S_F is determined by the fixed key k, so it is 2¹²⁸, the size of the key space (pseudorandom functions). The uniform distribution on the set of pseudorandom functions is indistinguishable from the uniform distribution on the set of all functions.

What is the Formal Definition of PRG?

Let G: K → {0,1}ⁿ be a PRG. Goal: define what it means that [k ← K, output G(k)], where k is chosen uniformly at random from the seed space, is indistinguishable from [r ← {0,1}ⁿ, output r], where r is a truly random string. This means that within the set of all truly random outputs, there is a much smaller subset of outputs produced by the generator, because the seed is small.

What is the statistical test and advantage for PRG?

Let G: K → {0,1}ⁿ be a PRG and A be a statistical test on {0,1}ⁿ. A returns 0 if the input is not random, 1 if it is. Advantage of a statistical test A relative to the generator G: Adv_PRG[A,G] = |Pr[A(G(k)) = 1] - Pr[A(r) = 1]| ∈ [0,1], where k ← K and r ← {0,1}ⁿ are chosen uniformly at random. G(k) is the pseudorandom input and r is the truly random input. The advantage is the probability that the statistical test says "random" when looking at the PRG's output, minus the probability that the statistical test says 1 when looking at the truly random string. Adv close to 1 → A can distinguish G from random: A broke generator G. This implies the test was able to differentiate between the two situations. Getting 1 or close to 1 is good; it tells you that one probability is close to 1 while the other is close to 0, i.e. the test behaves differently on the truly random string than on the PRG's output. The test was able to tell them apart, which is good. Adv close to 0 → A cannot distinguish G from random. This implies both cases looked similar, so the test can't tell the difference and it's a stupid test.

Let F: K x X → {0,1}¹²⁸ be a secure PRF. Is the following function G a secure PRF? Why or why not? G(k,x) = 0¹²⁸ if x = 0, F(k,x) otherwise.

No. The probability that a truly random function returns 0 on 128-bit strings is 1/128. It's easy to distinguish G from a random function.

What is a Pseudo Random Function (PRF)?

A PRF is defined over (K, X, Y): F: K x X → Y such that there exists an "efficient" algorithm to evaluate F(k,x), over key space K, input space X and output space Y. This is generic (arbitrary) and not necessarily invertible. {0,1}ⁿ → {0,1}^m means X can be mapped to a different output space Y, e.g. a 2-bit string mapped to a 3-bit binary number.

How can we build stream ciphers using block ciphers?

PRF → PRG: a pseudorandom function directly gives us a pseudorandom generator. Let F: K x {0,1}ⁿ → {0,1}ⁿ be a secure PRF. Then the following G: K → {0,1}^nt is a secure PRG, where the output consists of t blocks of n bits each: G(k) = F(k,0) || F(k,1) || ... || F(k,t). Take the key for the PRF and expand it into n*t bits; the result is a pseudorandom string of size n*t, so you get a pseudorandom generator out of this, e.g. use AES as a PRF to get a PRG. Key property: a parallelizable stream cipher (the generation of the random string can be parallelized). Security follows from the PRF property: F(k, ∙) is indistinguishable from a truly random function f(∙), so G(k) is indistinguishable from f(0) || f(1) || ... || f(t); concatenation does not affect indistinguishability.

What is a Pseudo Random Permutation (PRP)?

A PRP is defined over (K,X): E: K x X → X, which accurately captures what a block cipher is.
1. There exists an "efficient" deterministic algorithm to evaluate E(k,x).
2. The function E(k, ∙) (with the key fixed) is one-to-one (invertible, or you won't be able to decrypt).
3. There exists an efficient inversion algorithm D(k,y); to be practical, the inversion has to be efficient.
It takes a key and applies it to an element of X to produce an output in the same set X: {0,1}ⁿ → {0,1}ⁿ.

How are Perfect Secrecy and Semantic Security different in terms of adversaries?

Perfect Secrecy was too strong in that there were no restrictions on the power of the attacker (it can be anything). With Semantic Security, you only look at efficient attackers and allow a tiny probability that the ciphertext leaks something about the plaintext. The system is allowed to fail only with negligible probability.

What is the relationship between Performance and Security?

Performance ↓ as Security ↑

What real world stream cipher should you not use?

RC4

How would you construct the inverse to the Feistel Network?

R_i = L_{i+1} and L_i = f_{i+1}(L_{i+1}) ⊕ R_{i+1}. The arbitrary functions have to be processed in reverse order, so f₁, ..., f_d are applied in reverse order.

How do we define stream cipher?

Replace the truly random key with a pseudorandom key: take a small, truly random seed and expand it into a large string of arbitrary size.

How does the s-box in DES work?

S-box: a function {0,1}⁶ → {0,1}⁴, implemented as a look-up table. The outer two bits of the 6 bits select the row, while the 4 middle bits select the column. Using the 6-bit value, it finds the intersection of the row and column; the value in that cell is the 4-bit output. The requirement for the table is that the output is not a linear transformation of the input. If it is, then the cipher is breakable. There must be no linear dependency between inputs and outputs.

What real stream ciphers should you use?

Salsa20/12, Sosemanuk

Why can't we prove that a stream cipher is semantically secure, i.e. that all efficient statistical tests have negligible advantage?

It's similar to the P = NP problem. We have heuristics but can't prove it.

What are statistical tests? Why does it include advantage?

Statistical tests are viewed as the adversary and are used as part of defining security. The advantage allows us to evaluate whether a statistical test is good or not.

What are the two main techniques used to accomplish encryption with block ciphers?

Substitution and Permutation

How does block cipher work?

Take a key and expand it (using a key expansion algorithm) so that the result is not predictable. From the expanded key, you get n round keys. Use a round function that takes a round key as input along with m and produces m₁. Then m₁ is fed into the round function along with another round key to produce m₂. This is iterated n times until you get the ciphertext.

What is a high level description of a block cipher?

It takes a block of n bits and a (symmetric) key and outputs n bits.

What was the issue with weak ciphers like the substitution cipher, Vigenère, etc.?

The problem was the absence of formal definitions of security and of proofs. They relied on heuristics only.

Why is confusion and diffusion, both needed?

To hide keys.

How do we make OTP practical?

Use PRGs (stream cipher)

Suppose an efficient A can always deduce the LSB of the plaintext from the ciphertext. Show that the cipher is not semantically secure.

Using the chosen-plaintext attack (CPA) game: Eve constructs m₀ and m₁ whose LSBs are 0 and 1, respectively, and sends them to the Challenger. The Challenger sends back the ciphertext, using a randomly generated k and a b value of either 0 or 1. But Eve can always determine the LSB from the ciphertext. So she simply outputs the LSB of the plaintext and thereby knows which b value the Challenger used, i.e. which message was encrypted. Thus Adv_ss[A,E] = |Pr[EXP(0)=1] - Pr[EXP(1)=1]| = 1, since EXP(0) never returns 1. Eve can deduce which message (by its LSB) was encrypted by looking at the ciphertext. This breaks semantic security, since information was revealed to an efficient adversary.

What type of attacks is OTP vulnerable to? What type of attack is OTP strong against?

Weak: two-time pad; integrity attacks (malleability property: an attacker can introduce predictable changes to the plaintext by XORing the ciphertext with a specially constructed string).
Strong: confidentiality against a ciphertext-only attack.

What does it mean for the output of the generator to be indistinguishable from random?

When Eve looks at it, she can't tell whether it's a truly random string or a pseudorandom string. Eve looks at the output of the generator and can't distinguish it from a sample of the uniform distribution over the entire set.

What is the underlying theorem behind Feistel networks?

If f: K x {0,1}ⁿ → {0,1}ⁿ is a secure PRF (indistinguishable from random), then the 3-round Feistel network F: K³ x {0,1}²ⁿ → {0,1}²ⁿ is a secure PRP, provided you use at least 3 rounds. The formal definition of a PRP determined the number of rounds needed to make it secure (not proven here, but it has been proven). The constraint is that the round keys used must be completely independent. If you start with a secure pseudorandom function, you end up with a secure block cipher.
