Professor: Alfred Menezes | Term: Fall 2024

Chapter 1: Introduction to Cryptography

Cryptography is about securing communications in the presence of malicious adversaries.

Alice and Bob are communicating via an unsecured channel. Eve is eavesdropping (malicious). Communication should be

Confidential: Keep data secret from everyone not authorized to see it.
Data Integrity: Ensure data is not altered by others.
Data Origin Authentication: Corroborating the source of data.
Non-Repudiation: Preventing an entity from denying previous commitments or actions.

Transport Layer Security (TLS): The cryptographic protocol used by web browsers to securely communicate with websites (e.g. Facebook, Gmail).

TLS is used to assure an individual user of the authenticity of the website and establish a secure communications channel.

Symmetric-Key Cryptography: The client and server a priori share some secret information $k$ called a key.

They can encrypt their messages with AES and authenticate the resulting ciphertexts with HMAC.

Question

How do Alice and Bob share the shared secret $k$ ?

Public-key cryptography: The client and server a priori share some authenticated (but non-secret) information.

To establish a secret key, Alice selects the secret session key $k$ , and encrypts it with Bob’s RSA public key. Then only Bob can decrypt the resulting ciphertext with its RSA private key to recover $k$ .

Question

How does Alice obtain an authentic copy of Bob’s RSA public key?

Bob cannot send it to Alice over the internet because it can be intercepted.

Signature scheme: Bob’s RSA public key is signed by a Certification Authority (CA) using its secret signing key with the RSA signature scheme.

Alice can verify the signature using the CA’s RSA public verification key. In this way, Alice obtains an authentic copy of Bob’s RSA public key.

The CA’s RSA public key is embedded in Alice’s browser.

TLS potential vulnerabilities:

The cryptography is weak
Cryptography can be broken using quantum computers
Weak random number generation
Issuance of fraudulent certificates
Software bugs
Phishing attacks
TLS only protects data during transit. It does not protect data stored at the server

Definition

Cybersecurity is comprised of the concepts, technical measures, and administrative measures used to protect networks, computers, programs and data from deliberate or inadvertent unauthorized access, disclosure, manipulation, or use.

Cryptography $\neq =$ Cybersecurity. Cryptography provides some mathematical tools that can assist with the provision of cybersecurity services. It is a small part of a complete security solution.

Security is a chain; weak links become targets.

Chapter 2: Symmetric-Key Encryption

Fundamental Concepts

Definition

Asymmetric-key encryption scheme (SKES) consists of:

$M$ - the plaintext space,

$C$ - the ciphertext space,

$K$ - they key space,

a family of encryption functions $E_{k} : M \to C, \forall k \in K$ ,

a family of decryption functions $D_{k} : C \to M, \forall k \in K$ ,

such that $D_{k} (E_{k} (m)) = m$ for all $m \in M, k \in K$ .

Alice and Bob agree on a secret $k \in K$ communicating over the secured channel
Alice computes $c = E_{k} (m)$ and sends the ciphertext $c$ to Bob over the unsecured channel.
Bob retrieves the plaintext by computing $m = D_{k} (c)$

Note: The secret key $k$ might be used for a fixed time interval, or it might be used a fixed number of times.

Called symmetric-key encryption since the same key is used for encryption and decryption.

The Enigma and Lorenz Machines are examples.

Substitution Cipher

$M =$ all English messages

$C =$ all encrypted messages

$K =$ all permutations of the English alphabet.

$E_{k} (m) :$ Apply permutation $k$ to $m$ , one letter at a time

$D_{k} (c) :$ Apply the inverse permutation $k^{- 1}$ to $c$ , one letter at a time

Security Model: Defined the computational abilities of the adversary, and how she interacts with the communicating parties.

Convention: We will always strive to model maximal adversary capabilities and minimal adversary goals.

Basic assumption: The adversary knows everything about the SKES, except the particular key $k$ chosen by Alice and Bob. Avoid security by obscurity.

Computational power of the adversary:

Information-theoretic security: Eve has infinite computational resources
Complexity-theoretic security: Eve is a “polynomial-time Turing machine”
Computational security: Eve has a bounded amount of computational power. We say Eve is computationally bounded.

Passive Attacks:

Ciphertext-only attack: The adversary knows some ciphertext
Known-plaintext attack: The adversary also knows some plaintext and the corresponding ciphertext. Active Attacks:
Chosen-plaintext attack: The adversary can also choose some plaintext and obtains the corresponding ciphertext
Clandestine attacks: bribery, blackmail (not covered in this course)

Adversary’s goal

Recover the secret key $k$
Systematically recover plaintext from ciphertext, without necessarily learning $k$ .
Learn some partial information about the plaintext from the ciphertext, other than its length

If the adversary can achieve 1 or 2, the SKES is said to be totally insecure.

If the adversary cannot learn any partial information about the plaintext from the ciphertext, the SKES is said to be partially secure.

Definition

A symmetric-key encryption scheme is said to be secure if it is semantically secure against chosen-plaintext attack by a computationally bounded adversary.

To break a symmetric-key encryption scheme, the adversary has to accomplish the following:

The adversary is given a challenge ciphertext $c$
During its computation, the adversary can select arbitrary plaintext and obtain the corresponding ciphertexts
After a feasible amount of computation, the adversary obtains some information about the plaintext $m$ corresponding to $c$ .

Desirable properties of a SKES

Efficient algorithms should be known for computing $E_{k}$ and $D_{k}$ .
The secret key $k$ should be small, but large enough to render exhaustive key search infeasible.
The scheme should be secure.
The scheme should be secure even against the designer of the system.

The simple substitution cipher is totally insecure against a chosen-plaintext attack.

Is exhaustive key search possible?

Number of keys to try is $26! \approx 4 \times 1 0^{26} \approx 2^{88}$ . This will take too long, even with many computers.

In this course:

$2^{40}$ operations is considered very easy.
$2^{56}$ operations is considered easy.
$2^{64}$ operations is considered feasible.
$2^{80}$ operations is considered barely feasible.
$2^{128}$ operations is considered infeasible.

The Bitcoin network is performing about $2^{80}$ hash operations per hour.

Definition

A cryptographic scheme is said to have a security level of $ℓ$ bits if the fastest known attack on the scheme takes approximately $2^{ℓ}$ operations. A security level of $128$ bits is desirable in practice.

Simple frequency analysis of ciphertext letters can be used to recover the secret key.

Vigenere Cipher

The secret key is an English word having no repeated letters, e.g. $k =$ CRYPTO. We sum each letter in $m$ by $k$ to get $c$ . Here $A = 0, B = 1, \dots, Z = 25$ , and addition of letters is module $26$ . Decryption is subtraction module $26 : m = c - k$ .

The Vigenere cipher is totally insecure against a chosen-plaintext attack.

It is also insecure against a cipher-text only attack.

Stream Ciphers

A stream cipher is a SKES that encrypts the plaintext one bit at a time. A block cipher is a SKES that encrypts the plaintext one block at a time.

One-time Pad

The secret key is a random string of letters with the same length as the message. We use the same process as the Vigenere.

The key should not be reused. If $c_{1} = m_{1} + k$ and $c_{2} = m_{2} + k$ , then $c_{1} - c_{2} = (m_{1} + k) - (m_{2} + k) = m_{1} - m_{2}$ . So, $c_{1} - c_{2}$ depends only on the plaintext (and not on the key $k$ ), and hence can leak information.

Convention: From now on, messages and keys will be assumed to be bit (binary) strings.

Notation: $\oplus$ is bitwise exclusive-or (XOR) (bitwise addition mod $2$ ).

Example

$1011001011 \oplus 1001001001 = 0010000010$

Note that $x \oplus x = 0, x \oplus y = y \oplus x$

So, for the one-time pad, encryption is $c = m \oplus k$ and decryption is $m = c \oplus k$ .

Perfect secrecy: The one-time pad is semantically secure against ciphertext-only attack by an adversary with infinite computational resources.

This can be formally proven using concepts from information theory. Shannon proved that if plaintexts are $ℓ$ -bit strings, then any symmetric-key encryption with perfect secrecy must have $∣ K ∣ \geq 2^{ℓ}$ . So perfect secrecy is useless in practice.

Basic Idea: Instead of using a random key in the one-time pad, use a “pseudorandom” key.

Definition

A pseudorandom bit generator (PRBG) is a deterministic algorithm that takes as input a (random) seed, and outputs a longer “pseudorandom” sequence called the keystream.

Stream cipher: uses a PRGB for encryption. The seed is the secret key shared by Alice and Bob.

No more perfect secrecy - security depends on the quality of the PRBG.

For a stream cipher to be secure:

Indistinguishability requirement: The keystream should be “indistinguishable” from a random sequence.
Unpredictability requirement: Given portions of the keystream, it should be computationally infeasible to learn any information about the remainder of the keystream
- If an adversary knows a portion $c_{1}$ of ciphertext and the corresponding plaintext $m_{1}$ , then she can easily find the corresponding portion $k_{1} = c_{1} \oplus m_{1}$ of the keystream.

Aside: Don’t use UNIX random number generators rand and srand for cryptographic purposes.

Now we introduce the ChaCha20 stream cipher. Designed by Dan Bernstein in 2008, the ChaCha20 is conceptually very simple. It is extremely fast in software an does not require and special hardware. No security weaknesses have been found.

Notation:

$256 -$ bit $k = (k_{1}, k_{2}, k_{3}, \dots, k_{8})$
$128 -$ bit constant $f = (f_{1}, f_{2}, f_{3}, f_{4})$
$96 -$ bit nonce $n = (n_{1}, n_{2}, n_{3})$
$32 -$ bit counter $c$
A hexadecimal digit is a $4 -$ bit number.
- $f_{1} = 0 x 61707865$
- $f_{2} = 0 x 3320646 e$
- $f_{3} = 0 x 79622 d 32$
- $f_{4} = 0 x 6 b 206574$
A nonce is a non-repeating quantity

The initial state is:

f_{1} k_{1} k_{5} c f_{2} k_{2} k_{6} n_{1} f_{3} k_{3} k_{7} n_{2} f_{4} k_{4} k_{8} n_{3} = S_{1} S_{5} S_{9} S_{13} S_{2} S_{6} S_{10} S_{14} S_{3} S_{7} S_{11} S_{15} S_{4} S_{8} S_{12} S_{16}

More Notation:

$\oplus :$ xor
$⊞ :$ integer addition module $2^{32}$
$<<< t :$ left-rotation by $t$ positions

Define $QR$ : Quarter Round Function

Input: Four $32$ -bit words $a, b, c, d$

a \leftarrow a ⊞ b, d \leftarrow d \oplus a, d \leftarrow d <<< 16 c \leftarrow c ⊞ d, b \leftarrow b \oplus c, b \leftarrow b <<< 12 a \leftarrow a ⊞ b, d \leftarrow d \oplus a, d \leftarrow d <<< 8 c \leftarrow c ⊞ d, b \leftarrow b \oplus c, b \leftarrow b <<< 7

Output: $a, b, c, d$

ChaCha20 Keystream Generator

Select a nonce $n$ and initialize the counter $c$ to $0$ . While keystream bytes are required do:

Create the initial state $S$ , and make a copy $S^{'}$ of $S$ .

Update $S$ by repeating the following $10$ times:

$QR (S_{1}, S_{5}, S_{9}, S_{13}), QR (S_{2}, S_{6}, S_{10}, S_{14}), QR (S_{3}, S_{7}, S_{11}, S_{15})$

$QR (S_{4}, S_{8}, S_{12}, S_{16}) QR (S_{1}, S_{6}, S_{11}, S_{16}), QR (S_{2}, S_{7}, S_{12}, S_{13})$

$QR (S_{3}, S_{8}, S_{9}, S_{14}), QR (S_{4}, S_{5}, S_{10}, S_{15})$

Output $S \oplus S^{'}$ ( $64$ keystream bytes).

Increment the counter $c$

Encryption: The keystream bytes are xored with the plaintext bytes to produce ciphertext bytes. The nonce is appended to the ciphertext.

Block Ciphers: DES

Definition

A block cipher is a symmetric-key encryption scheme that breaks up the plaintext into blocks of a fixed length (e.g. $128$ bits), and encrypts the blocks one at a time.

In contrast, a stream cipher encrypts the plaintext one character (usually a bit) at a time.

A historically important example of a block cipher is the Data Encryption Standard (DES):

flowchart LR
key
key -- 56 bits --> DES
plaintext -- 64 bits --> DES
DES -- 64 bits --> ciphertext

Key length: $56$ bits, size of key space: $2^{56}$ , block length: $64$ bits.

Design principles articulated by Claude Shannon

Security:

Diffusion: Each ciphertext bit should depend on all plaintext bits.
Confusion: The relationship between key and ciphertext bits should be complicated.
Key length: Should be small, but large enough to preclude exhausting key search.

Efficiency:

Simplicity: Easier to implement and analyze.
Speed: High encryption and decryption rates.
Platform: Suitable for hardware and software.

The design principles of DES are still classified.

DES Problem #1: Small key size

Exhaustive search on the key space takes $2^{56}$ operations and can easily be parallelized.

DES Problem #2: Small block size

If plaintext blocks are distributed uniformly at random, then the expected number of ciphertext blocks observed before a collision occurs is $\approx 2^{32}$ . This is by the birthday paradox.

Birthday paradox: Suppose that an urn contains $n$ numbered balls. Suppose that balls are drawn from the urn, one at a time, with replacement. The expected number of draws before a ball is selected for the second time (called a collision) is approximately $πn /2 \approx n$ .

Thus the ciphertext reveals some information about the plaintext.

Block Ciphers: Triple-DES

Recall: The only substantial weaknesses known in DES are the obvious ones: small key length and small block length.

Question

How can one construct a more secure block cipher from DES?

Multiple encryption: Re-encrypt the ciphertext one or more times using independent keys. Hope that this increases the effective key length.

Note: Multiple encryption does not necessarily result in increased security.

Example

If $E_{π}$ denotes the encryption function for the simple substitution cipher with the key $π$ , then $E_{π_{2}} \circ E_{π_{1}}$ any more secure than $E_{π}$ ?

No, since $E_{π_{2}} \circ E_{π_{1}} = E_{π_{2} \circ π_{1}}$

Encryption is: $c = E_{k_{2}} (E_{k_{1}} (m))$ , where $E =$ DES decryption.

The Double-DES key length is $ℓ = 112$ bits, so exhaustive key search takes $2^{112}$ operations.

Note: The block length is unchanged ( $64$ bits).

Meet-in-the-middle Attack on Double-DES

Input: 3 plaintext/ciphertext pairs $(m_{1}, c), (m_{2}, c_{2}), (m_{3}, c_{3})$ Output: The secret key $(k_{1}, k_{2})$

For each $h_{2} \in {0, 1}^{56}$ do: a. Compute $E_{h_{2}}^{- 1} (c_{1})$ and store $[E_{h_{2}}^{- 1} (c_{1}), h_{2}]$

For each $h_{1} \in {0, 1}^{56}$ do:

Compute $E_{h_{1}} (m_{1})$

Search for $E_{h_{1}} (m_{1})$ in the table

For each match $[E_{h_{2}}^{- 1} (c_{1}), h_{2}]$ in the table:

Check if $E_{h_{2}} (E_{h_{1}} (m_{2})) = c_{2}$ ; if so then:

Check if $E_{h_{2}} (E_{h_{1}} (m_{3})) = c_{3}$ ; if so then:

Output $(h_{1}, h_{2})$ and STOP.

The main idea is that $c = E_{k_{2}} (E_{k_{1}} (m)) ⟺ E_{k_{2}}^{- 1} (c) = E_{k_{1}} (m)$

Question

How many plaintext/ciphertext pairs are needed for unique key determination?

Let $E$ be a block cipher with key space $K = {0, 1}^{ℓ}$ , and plaintext and ciphertext space ${0, 1}^{L}$ .

Let $k^{'} \in K$ be the secret key chosen by Alice and Bob, and let $(m_{i}, c_{i}), 1 \leq i \leq t$ , be known plaintext/ciphertext pairs where the plaintext $m_{i}$ are distinct.

Question

So how large should $t$ be to ensure that there is only one key $k \in K$ for which $E_{k} (m_{i}) = c_{i}$ for all $1 \leq i \leq t$ ?

We select $t$ so that $F K \approx 0$ where $F K$ is the expected number of false keys.

For each $k \in K$ , the encryption function $E_{k} : {0, 1}^{L} \to {0, 1}^{L}$ is a permutation (bijection).

We make the heuristic assumption that for each $k \in K, E_{k}$ is a random function, i.e. a randomly selected function. This assumption is certainly false since $E_{k}$ is not random, and because a random function is almost certainly not a permutation.

Now, fix $k \in K, k \neq = k^{'}$ .

The probability that $E_{k} (m_{i}) = c_{i}$ for all $1 \leq i \leq t$ is $t \frac{1}{2 ^{L}} \cdot \frac{1}{2 ^{L}} \dots \frac{1}{2 ^{L}} = \frac{1}{2 ^{L t}}$ Thus, the expected number of false keys $k \in K$ for which $E_{k} (m_{i}) = c_{i}$ for all $1 \leq i \leq t$ is $F K = \frac{2 ^{ℓ} - 1}{2 ^{L t}}$

Time: The number of DES operations is $\approx 2^{56} + 2^{56} + 2 \cdot 2^{48} + 2 (1 + \frac{1}{2 ^{16}}) \approx 2^{57}$

The security level of Double-DES is 57 bits, so Double-DES is not much more secure than DES.

A Triple-DES secret key is $k = (k_{1}, k_{2}, k_{3})$ , where $k_{1}, k_{2}, k_{3} \in_{R} {0, 1}^{56}$

Encryption is: $c = E_{k_{3}} (E_{k_{2}} (E_{k_{1}} (m)))$ , where $E =$ DES encryption.

flowchart LR
k1
k2
k3
id1[DES]
id2[DES]
id3[DES]
k1 --> id1
k2 --> id2
k3 --> id3
m -- 64 bits --> id1
id1 -- 64 bits --> id2
id2 -- 64 bits --> id3 
id3 -- 64 bits --> c

Decryption is: $m = E_{k_{1}}^{- 1} (E_{k_{2}}^{- 1} (E_{k_{3}}^{- 1} (c)))$ , where $E^{- 1} =$ DES decryption.

The Triple-DES key length is $ℓ = 168$ bits, so exhaustive key search takes $2^{168}$ operations (infeasible).

Meet-in-the-middle attack takes $\approx 2^{112}$ operations. So the security level of Triple-DES is 112 bits.

Block Ciphers: AES

The Advanced Encryption Standard (AES)

Key lengths: $128$ , $192$ and $256$ bits.

Block length: $128$ bits

2024: No attacks have been found on AES that are faster than exhaustive key search.

AES is an example of a substitution-permutation network.

Definition

A substitution-permutation network (SPN) is an iterated block cipher where a round consists of a substitution operation followed by a permutation operation

Components of an SPN cipher:

$n$ : the block length (in bits)

$ℓ$ : the key length (in bits)

$h$ : the number of rounds

A fixed invertible function $S : {0, 1}^{b} \to {0, 1}^{b}$ called substitution, where $b$ is a divisor of $n$ .

A fixed permutation $P$ on ${1, 2, \dots, n}$ .

A key scheduling algorithm that determines subkeys $k_{1}, k_{2}, \dots, k_{h}, k_{h + 1}$ from a key $k$ . Note: $n, ℓ, h, S, P$ and the key scheduling algorithm are public.

The encryption looks like: $A \leftarrow$ plaintext for $i = 1, 2, \dots, h$ do $A \leftarrow A \oplus k_{i}$ $A \leftarrow S (A)$ $A \leftarrow P (A)$ $A \leftarrow A \oplus k_{h + 1}$ ciphertext $\leftarrow A$

Decryption is the reverse of encryption.

AES is an SPN, where the permutation operation is comprised of two invertible linear transformations.

All operations are byte oriented, e.g., $b = 8$ so the $S -$ box maps $8$ bits to $8$ bits. This facilitates fast implementations on software platforms.

The block length of AES is $n = 128$ . Each subkey is $128$ bits.

AES accepts three key lengths. The number of rounds $h$ depends on the key length.

Each round updates a variable called State which consists of a $4 \times 4$ array of bytes (note $4 \times 4 \times 8 = 128$ , the block length).

State is initialized with the plaintext.

Add AES round uses four invertible operations:

AddRoundKey (key-mixing)
SubBytes (S-box)
ShiftRows (permutation)
MixColumns (linear transformation)

After $h$ rounds are completed, a final subkey is XORed with State, the result being the ciphertext.

Definition

The elements of the finite filed $GF (2^{8})$ are the polynomials of degree at most $7$ in $Z_{2} [y]$ , with addition and multiplication performed module the irreducible polynomial $f (y) = y^{8} + y^{4} + y^{3} + y + 1$ ( $Z_{2} [y]$ is the set of polynomials in $y$ with coefficients from $Z_{2}$ ). We interpret an $8 -$ bit string $a = a_{7} a_{6} a_{5} \dots a_{1} a_{0}$ as coefficients of the polynomial $a (y) = a_{7} y^{7} + a_{6} y^{6} + a_{5} y^{5} + \dots + a_{1} y + a_{0}$ and vice versa.

Example

Let $a = 11101100 = ec$ and $b = 00111011 = 3 b$ , so $a (y) = y^{7} + y^{6} + y^{5} + y^{3} + y^{2}$ and $b (y) = y^{5} + y^{4} + y^{3} + y + 1$ .

Addition: $a (y) + b (y) = y^{7} + y^{6} + y^{4} + y^{2} + y + 1$ , so $ec + 3 b = d 7$ .

Multiplication: $a (y) \cdot b (y) = y^{12} + y^{10} + y^{8} + y^{4} + y^{2}$ , which leaves a remainder of $r (y) = y^{7} + y^{6} + y^{3}$ upon division by $f (y)$ . Hence $a \cdot b =$ $11001000$ in $GF (2^{8})$ , or $ec \cdot 3 b = c 8$ .

Inversion: $e c^{- 1} = 5 d,$ since $ec \cdot 5 d = 01$ .

Definition (S-box)

Let $p \in {0, 1}^{8}$ , and consider $p$ as an element of $GF (2^{8})$ .

Let $q = p^{- 1}$ if $p \neq = 0$ , and $q = p$ if $p = 0$

Define $q = (q_{7} q_{6} q_{5} \dots q_{1} q_{0})$

Compute

$S (p) = r = r_{0} r_{1} r_{2} r_{3} r_{4} r_{5} r_{6} r_{7} = 1111100001111100001111100001111110001111110001111110001111110001 = q_{0} q_{1} q_{2} q_{3} q_{4} q_{5} q_{6} q_{7} + 11000110$

Then $S (p) = r = (r_{7} r_{6} r_{5} \dots r_{1} r_{0})$

ShiftRows: Permute the bytes of State by applying a cyclic shift to each row.

MixColumns:

Read column $i$ of State as a polynomial $(a_{0, i}, a_{1, i}, a_{2, i}, a_{3, i}) = a_{0, i} + a_{1, i} x + a_{2, i} x^{2} + a_{3, i} x^{3}$ (interpret the coefficients as elements of the finite field $GF (2^{8})$ .
Multiply this polynomial with the constant polynomial with the constant polynomial $c (x) = 02 + 01 x + 01 x^{2} + 03 x^{3}$ and reduce module $x^{4} - 1$ . This gives a new polynomial $b_{0, i} + b_{1, i} x + b_{2, i} x^{2} + b_{3, i} x^{3}$

The $\oplus c (x)$ operation.

Let $a (x) = a_{0} + a_{1} x + a_{2} x^{2} + a_{3} x^{3}$ , where each $a_{i} \in GF (2^{8})$ .

Let $c (x) = 02 + 01 x + 01 x^{2} + 03 x^{3}$ , where 01, 02, 03 are elements in $GF (2^{8})$ (written in hex).

To compute $a (x) \oplus c (x)$ do:

Compute $d (x) = a (x) \times c (x)$ (polynomial multiplication where coefficient arithmetic is in $GF (2^{8})$ ).
Divide by $x^{4} - 1$ to find the remainder polynomial $r (x)$ . Equivalently, replace $x^{4}$ by $1$ , $x^{5}$ by $x$ , and $x^{6}$ by $x^{2}$ , and simplify.
Then $a (x) \oplus c (x) = r (x)$

AES Encryption

From the key $k$ derive $h + 1$ subkeys $k_{0}, k_{1}, \dots k_{h}$ .

State $\leftarrow$ plaintext

State $\leftarrow$ State $\oplus k_{0}$

for $i = 1, 2, \dots, h - 1$ do
	State ← SubBytes(State)
	State ← ShiftRows(State)
	State ← MixColumns(State)
	State ← State ⊕ k_i
State $\leftarrow$ SubBytes(State)

State $\leftarrow$ ShiftRows(State)

State $\leftarrow$ State $\oplus k_{h}$

ciphertext $\leftarrow$ State

AES Decryption

From the key $k$ derive $h + 1$ subkeys $k_{0}, k_{1}, \dots, k_{h}$

State $\leftarrow$ ciphertext

State $\leftarrow$ State $\oplus k_{h}$

State $\leftarrow$ InvShiftRows(State)

State $\leftarrow$ InvSubBytes(State)

for $i = h - 1, \dots, 2, 1$ do
	State ← State ⊕ k_i
	State ← InvMixColumns(State)
	State ← InvShiftRows(State)
	State ← InvSubBytes(State)
State $\leftarrow$ State $\oplus k_{0}$

plaintext $\leftarrow$ State

For 128-bit keys, AES has 10 rounds, so we need 11 subkeys.

The first subkey is $k_{0} = (r_{0}, r_{1}, r_{2}, r_{3})$ is the actual AES key.
The second subkey is $k_{1} = (r_{4}, r_{5}, r_{6}, r_{7})$
The third subkey is $k_{2} = (r_{8}, r_{9}, r_{10}, r_{11})$
The eleventh subkey is $k_{10} = (r_{40}, r_{41}, r_{42}, r_{43})$

The function $f_{i} : {0, 1}^{32} \to {0, 1}^{32}$ are defined as follows:

The input is divided into four bytes: $(a, b, c, d)$
Left-rotate the bytes: $(b, c, d, a)$
Apply the AES S-box to each byte: $(S (b), S (c), S (d), S (a))$
XOR the leftmost byte with the constant $ℓ_{i}$ , and output the result: $(S (b) \oplus ℓ_{i}, S (c), S (d), S (a))$

The constants $ℓ_{i}$ (in hex): $ℓ_{1} = 01, ℓ_{2} = 02, ℓ_{3} = 04, ℓ_{4} = 08, ℓ_{5} = 10, ℓ_{6} = 20, ℓ_{7} = 40, ℓ_{8} = 80, ℓ_{9} = 1 b, ℓ_{10} = 36$

Modes of Operation

In practice, one usually wishes to encrypt a large quantity of data. The plaintext message is $m = m_{1}, m_{2}, \dots, m_{t}$ where each $m_{i}$ is an $L -$ bit block.

Question

How should we use a block cipher $E_{k} : {0, 1}^{L} \to {0, 1}^{L}$ to encrypt $m$ ?

Some modes of operation: ECB, CBC, CTR, GCM, CCM.

Suppose that the plaintext message is $m = m_{1}, m_{2}, \dots, m_{t}$

Electronic Codebook Mode (ECB): encrypts the blocks independently, one at a time. Drawback: Identical plaintext result in identical ciphertext blocks.

Cipher Block Chaining (CBC) mode:

Encryption: Select $c_{0} \in_{R} {0, 1}^{L}$ ( $c_{0}$ is a random non-secret IV), and then compute $c_{i} = E_{k} (m_{i} \oplus c_{i - 1})$ for $i = 1, 2, \dots, t$ . The ciphertext is $(c_{0}, c_{1}, c_{2}, \dots, c_{t})$ .

Decryption: $m_{i} = E_{k}^{- 1} (c_{i}) \oplus c_{i - 1},$ for $i = 1, 2, \dots t$ .

Identical plaintexts with different IVs result in different ciphertexts.

Chapter 3: Hash Functions

Fundamental Concepts

Hash functions play a fundamental role in cryptography. They are used in a variety of cryptographic primitives and protocols.

They are very difficult to design because of stringent security and performance requirements.

The most commonly used hash functions are:

SHA-1
SHA-2 family: SHA-224, SHA-256, SHA-384, SHA-512
SHA-3 family

SHA-256

SHA-256: ${0, 1}^{*} \to {0, 1}^{256}$ SHA-256(“Hello there”) = $0x4e47826698bb4630fb4451010062fadbf85d61427cbdfaed7ad0f23f239bed89$

Definition

A hash function is a mapping $H$ such that:

$H$ maps binary messages of arbitrary lengths $\leq L$ to outputs of a fixed length $n$ : $H : {0, 1}^{\leq L} \to {0, 1}^{n}$ . ( $L$ is usually large, e.g., $L = 2^{64}$ , whereas $n$ is small, e.g. $n = 256$ )

$H (x)$ can be efficiently computed for all $x \in {0, 1}^{\leq L}$

$H$ is called an $n -$ bit hash function. $H (x)$ is called the hash or message digest of $x$ .

Notes:

The description of a hash function is public; there are no secret keys.
For simplicity, we will usually write ${0, 1}^{*}$ instead of ${0, 1}^{\leq L}$
More generally, a hash function is an efficiently computable function from a set $S$ to a set $T$ .

Consider $H : {0, 1}^{\leq 4} \to {0, 1}^{2}$ to be a hash function mapping a bitstring to its last two digits.

$1001$ is a preimage of $01$ .

$H (01, 1001)$ is a collision. $01$ is a second preimage of $1011$ .

Hash functions are used in all kind of applications. One reason for the widespread use of hash functions is speed.

Definition

A hash function $H : {0, 1}^{*} \to {0, 1}^{n}$ is preimage resistant if, given a hash value $y \in_{R} {0, 1}^{n}$ , it is computationally infeasible to find (with non-negligible success probability) any $x \in {0, 1}^{*}$ with $H (x) = y$ . ( $x$ is called a preimage of $y$ .)

Password protection on a multi-user computer system:

The server stores $[$ userid, $H$ (password) $]$
If the attacker obtains a copy of the password file, they do not learn any passwords.
This requires preimage resistance.

Definition

A hash function $H : {0, 1}^{*} \to {0, 1}^{n}$ is 2nd preimage resistant if, given $x \in_{R} {0, 1}^{*}$ , it is computationally infeasible to find (with non-negligible success probability) any $x^{'} \in {0, 1}^{*}$ with $x^{'} \neq = x$ and $H (x^{'}) = H (x)$

Modification Detection Codes (MDC’s):

To ensure that a message $m$ is not modified by unauthorized means, one computes $H (m)$ and protects $H (m)$ from unauthorized modification.
This is useful protection and requires 2nd preimage resistance.

Definition

A hash function $H : {0, 1}^{*} \to {0, 1}^{n}$ is collision resistant if it is computationally infeasible to find $x, x^{'} \in {0, 1}^{*}$ with $x^{'} \neq = x$ and $H (x^{'}) = H (x)$ . Such a pair $(x, x^{'})$ is called a collision for $H$ .

Message digests for digital signature schemes:

For reasons of efficiency, instead of signing a long message $x$ , the (much shorter) message digest $h = H (x)$ is signed.
This application requires preimage-resistance, 2nd preimage resistance, and collision resistance.
To see why collision resistance is required, suppose that the legitimate signer Alice can find a collision $(x_{1}, x_{2})$ for $H$ . Alice can sign $x_{1}$ and later claimed to have signed $x_{2}$ .

Other applications:

Message Authentication Codes
Pseudorandom bit generation
Key derivation functions
Proof-of-work
Quantum-safe signature schemes

Relationships between PR, 2PR, CP

Breaking preimage resistance (PR):

Given: $y \in_{R} {0, 1}^{n}$

Required: $x \in {0, 1}^{*}$ with $H (x) = y$ .

Breaking 2nd preimage resistance (2PR):

Given: $x \in_{R} {0,1}^*

Required: $x^{'} \in {0, 1}^{*}$ with $x^{'} \neq = x$ and $H (x^{'}) = H (x)$

Breaking collision resistance (CR):

Given: $-$

Required: $x, x^{'} \in {0, 1}^{*}$ with $x^{'} \neq = x$ and $H (x^{'}) = H (x)$

Claim $1$ : If $H$ is CR, then $H$ is 2PR

Proof: Suppose that $H : {0, 1}^{*} t o {0, 1}^{n}$ is not 2PR.

We’ll show that $H$ is not CR.

Select $x \in_{R} {0, 1}^{*}$ . Since $H$ is not 2PR, we can efficiently find $x^{'} \in {0, 1}^{*}, x \neq = x$ , with $H (x^{'}) = H (x)$ .

Thus, $(x, x^{'})$ is a collision for $H$ that we have efficiently found, showing that $H$ is not CR.

Note: This proof established the contrapositive statement.

Claim $2$ : CR does not guarantee PR

Proof: Suppose that $H : {0, 1}^{*} \to {0, 1}^{n}$ is CR.

Consider the hash function $\overline{H} : {0, 1}^{*} \to {0, 1}^{n + 1}$ defined by

\overline{H} (x) = {0∣∣ H (x), 1∣∣ x, if x \in {0, 1}^{n} if x \in {0, 1}^{n}

Then $\overline{H}$ is CR (since $H$ is).

And $\overline{H}$ is not PR since preimages can be efficiently found for at least half of all $y \in {0, 1}^{n + 1}$ , namely the hash values that begin with $1$ .

Note: The hash function $\overline{H}$ is rather contrived. For somewhat uniform hash functions, i.e., hash functions for which all hash values have roughly the same number of preimages, CR does not guarantee PR.

Claim $2^{*}$ : Suppose $H$ is somewhat uniform. If $H$ is CR, then $H$ is PR

Proof: Suppose that $H : {0, 1}^{*} \to {0, 1}^{n}$ is not PR.

We’ll show that $H$ is not CR.

Select $x \in_{R} {0, 1}^{*}$ and compute $y = H (x)$ . Since $H$ is not PR, we can efficiently find $x^{'} \in {0, 1}^{*}$ with $H (x^{'}) = y$ . Since $H$ is somewhat uniform, we expect that $y$ has many preimages, and thus $x^{'} = x$ with very high probability. Thus, $(x, x^{'})$ is a collision for $H$ that we have efficiently found, so $H$ is not CR.

Claim $3$ : PR does not guarantee 2PR

Proof: Suppose that $H : {0, 1}^{*} \to {0, 1}^{n}$ is PR.

Define $\overline{H} : {0, 1}^{*} \to {0, 1}^{n}$ by $\overline{H} (x_{1}, x_{2}, \dots, x_{t}) = H (0, x_{2}, \dots, x_{t})$ for all $(x_{1}, x_{2}, \dots, x_{t}) \in {0, 1}^{*}$ .

Then $\overline{H}$ is PR. However $\overline{H}$ is not 2PR.

Claim $4$ : Suppose $H$ is somewhat uniform. If $H$ is 2PR, then $H$ is PR

Proof: Suppose that $H : {0, 1}^{*} \to {0, 1}^{n}$ is not PR.

We will show that $H$ is not 2PR.

So, suppose we are given $x \in_{R} {0, 1}^{*}$ . We compute $y = H (x)$ .

Since $H$ is not PR, we can efficiently find $x^{'} \in {0, 1}^{*}$ with $H (x^{'}) = y$ .

Since $H$ is somewhat uniform, we expect that $x^{'} \neq = x$ with very high probability. Hence, $x^{'}$ is a second preimage of $x$ that we have efficiently found.

Thus $H$ is not 2PR.

Claim $5$ : 2PR does not guarantee CR

Proof: Suppose that $H : {0, 1}^{*} \to {0, 1}^{n}$ is 2PR.

Consider $\overline{H} : {0, 1}^{*} \to {0, 1}^{n}$ defined by $\overline{H} (x) = H (x)$ if $x \neq = 1$ , and $\overline{H} (1) = H (0)$ .

Then $\overline{H}$ is not CR, since $(0, 1)$ is a collision for $\overline{H}$
Suppose now that $\overline{H} : {0, 1}^{*} \to {0, 1}^{n}$ is not 2PR. We’ll show that $H$ is not 2PR.

So, we are given $x \in_{R} {0, 1}^{*}$ . Since $\overline{H}$ is not 2PR, we can efficiently find $x^{'} \in {0, 1}^{*}, x^{'} \neq = x$ , with $\overline{H} (x^{'}) = \overline{H} (x)$ . With probability essentially $1$ , we can assume that $x \neq = 0, 1$ . Hence, $\overline{H} (x) = H (x)$ .

Now, if $x^{'} \neq = 1$ , then $H (x^{'}) = \overline{H} (x^{'}) = \overline{H} (x) = H (x)$

And, if $x^{'} = 1$ , then $\overline{H} (x^{'}) = \overline{H} (1) = H (0) = H (x)$ .

In either case, we have efficiently found a second preimage for $x$ with respect to $H$ .

Hence, $H$ is not 2PR, a contradiction. Thus, $\overline{H}$ is 2PR.

Generic Attacks

Definition

A generic attack on hash functions $H : {0, 1}^{*} \to {0, 1}^{n}$ does not exploit any properties that the specific hash function might have.

In the analysis of a generic attack, we view $H$ as a random function in the sense that for each $x \in {0, 1}^{*}$ , the hash value $y = H (x)$ was defined by selecting $y \in_{R} {0, 1}^{n}$ .

A random function is an ideal hash function (from a security point-of-view). However they are not practical.

Attack

Given $y \in_{R} {0, 1}^{n}$ , repeatedly select arbitrary $x \in {0, 1}^{*}$ until $H (x) = y$ .

The expected number of hash operations is $2^{n}$ .

This generic attack is infeasible if $n \geq 128$ .

Attack

Select arbitrary $x \in {0, 1}^{*}$ and store $(H (x), x)$ in a table sorted by first entry. Repeat until a collision is found.

Analysis: By the birthday paradox, the expected number of hash operations is $π 2^{n} /2 \approx 2^{n}$

This generic attack is infeasible if $n \geq 256$ .

This generic attack for finding collisions is optimal. The expected space required is $π 2^{n} /2 \approx 2^{n}$ .

VW: van Oorschot & Wiener parallel collision search.

The expected number of hash operations: $\approx 2^{n}$ . The expected space required is negligible.

It is easy to parallelize, $m$ -fold speedup with $m$ processors.

The VW collision-finding algorithm can easily be modified to find meaningful collisions.

If collision resistance is desired, then use an $n$ -bit hash function with $n \geq 256$ .

Parallel Collision search (VW method)

Problem: Find a collision for $H : {0, 1}^{*} \to {0, 1}^{n}$ .

Assumption: $H$ is a random function.

Notation: Let $N = 2^{n}$ .

Define a sequence ${x_{i}}_{i \geq 0}$ by $x_{0} \in_{R} {0, 1}^{n}, x_{i} = H (x_{i - 1})$ for $i \geq 1$ .

Let $j$ be the smallest index for which $x_{j} = x_{i}$ for some $i < j$ ; such a $j$ must exist. Then $x_{j + ℓ} = x_{i + ℓ}$ for all $ℓ \geq 1$ . By the birthday paradox, $E [j] \approx π N /2 \approx N$ . In fact, $E [i] \approx \frac{1}{2} N$ and $E [j - i] \approx \frac{1}{2} N$ .

Now, $i \neq = 0$ with overwhelming probability, in which event $(x_{i - 1}, x_{j - 1})$ is a collision for $H$ .

Question

How to find $(x_{i - 1}, x_{j - 1})$ without using much storage?

We only store distinguished points.

Distinguished points: Select an easily-testable distinguishing property for elements of ${0, 1}^{n}$ , e.g. leading 32 bits are all 0.

Let $θ$ be the proportion of elements of ${0, 1}^{n}$ that are distinguished.

VW method: Compute the sequence $x_{0}, x_{1}, x_{2}, x_{3}, \dots$ and only store the points that are distinguished.

VW Collision Finding

Stage 1: Detecting a collision

Select $x_{0} \in_{R} {0, 1}^{n}$

Store $(x_{0}, 0, -)$ in a sorted table.

$L P \leftarrow x_{0}$ ( $L P$ = last point stored)

For $d = 1, 2, 3, \dots$ do:

Compute $x_{d} = H (x_{d - 1})$

If $x_{d}$ is distinguished then

If $x_{d}$ is already in the table, say $x_{d} = x_{b}$ where $b < d$ , then go to Stage 2

Store $(x_{d}, d, L P)$ in the table.

$L P \leftarrow x_{d}$

Stage 2: Finding a collision

Set $ℓ_{1} \leftarrow b - a, ℓ_{2} \leftarrow d - c$

Suppose $ℓ_{1} \geq ℓ_{2}$ , and set $k \gets \ell_1 - \ell_2

Compute $x_{a + 1}, x_{a + 2}, \dots x_{a + k}$

For $m = 1, 2, 3, \dots$ do:

Compute $(x_{a + k + m}, x_{c + m})$

Until $x_{a + k + m} = x_{c + m}$

The collision is $(x_{a + k + m - 1}, x_{c + m - 1})$

VW Analysis

Stage 1: Expected number of $H$ -evaluations is:

π N /2 + \frac{1}{θ} \approx N + \frac{1}{θ}

Stage 2: Expected number of $H -$ evaluations is $\leq \frac{3}{θ}$

Overall expected running time: $N + \frac{4}{θ}$

Expected storage: $\approx 3 n θ N$ bits

Example

Consider $n = 128$ . Take $θ = 1/ 2^{32}$ . Then the expected run time of VW collision search is $2^{64}$ $H -$ evaluations (feasible), and the expected storage is 192 gigabytes (negligible).

Iterated Hash Functions

Merkle's Meta Method

Components:

Fixed initializing value $I V \in {0, 1}^{n}$

Efficiently-computable compression function $f : {0, 1}^{n + r} \to {0, 1}^{n}$

To compute $H (x)$ where $x$ has bitlength $b < 2^{r}$ do:

Break up $x$ into $r -$ bit blocks, $\overline{x} = x_{1}, x_{2}, \dots, x_{t}$ , padding the last block with $0$ bits as necessary.

Define $x_{t + 1}$ , the length-block, to hold the right-justified binary representation of $b$ .

Define $H_{0} = I V$ .

Compute $H_{i} = f (H_{i - 1}, x_{i})$ for $i = 1, 2, \dots, t + 1$ . (The $H_{i}‘s are called chaining variables).

Define $H (x) = H_{t + 1}$

Theorem (Merkle)

If the compression function $f$ is collision resistant, then the iterated hash function $H$ is also collision resistant.

Merkle’s theorem reduces the problem of designing collision-resistant hash functions to that of designing collision-resistant compression functions.

A major theme in cryptographic research is to formula precise security definitions and assumptions, and then prove that a protocol is secure.

A proof of security is certainly desirable since it rules out the possibility of attacks being discovered in the future.

However, it isn’t always easy to asses the practical security assurances (if any) that a security proof provides).

Assumptions might be unrealistic, or false, or circular.
The security model might not account for certain kinds of realistic attacks.
The security proof might be asymptotic.

Proof of Merkle’s Theorem ( $f$ is CR $⟹ H$ is CR)

Suppose that $H$ is not CR. We’ll show that $f$ is not CR.

Since $H$ is not R, we can efficiently find messages $x, x^{'} \in {0, 1}^{*}$ , with $x \neq = x^{'}$ and $H (x) = H (x^{'})$ .

Let $\overline{x} = x_{1}, x_{2}, \dots, x_{t}$ , $b$ = bit-length( $x$ ), $x_{t + 1} =$ length block.

Let $\overline{x^{'}} = x_{1}^{'}, x_{2}^{'}, \dots, x_{t}^{'}$ , $b^{'}$ = bit-length( $x^{'}$ ), $x_{t + 1}^{'} =$ length block.

We can efficiently compute:

H_{0} H_{1} H_{2} H_{t - 1} H_{t} H (x) = H_{t + 1} = I V = f (H_{0}, x_{1}) = f (H_{1}, x_{2}) ⋮ = f (H_{t - 2}, x_{t - 1}) = f (H_{t - 1}, x_{t}) = f (H_{t}, x_{t + 1})

H_{0} H_{1}^{'} H_{2}^{'} H_{t^{'} - 1}^{'} H_{t^{'}}^{'} H (x^{'}) = H_{t^{'} + 1}^{'} = I V = f (H_{0}, x_{1}^{'}) = f (H_{1}^{'}, x_{2}^{'}) ⋮ = f (H_{t^{'} - 2}^{'}, x_{t^{'} - 1}^{'}) = f (H_{t^{'} - 1}^{'}, x_{t^{'}}^{'}) = f (H_{t^{'}}^{'}, x_{t^{'} + 1}^{'})

Since $H (x) = H (x^{'})$ , we have $H_{t + 1} = H_{t^{'} + 1}^{'}$

Case 1: Now, if $b \neq = b^{'}$ then $x_{t + 1} \neq = x_{t^{'} + 1}^{'}$ . Thus, $(H_{t}, x_{t + 1}), H_{t^{'}}^{'}, x_{t^{'} + 1}^{'}$ is a collision for $f$ that we have efficiently found.

Case 2: Suppose next that $b = b^{'}$ . Then $t = t^{'}$ and $x_{t + 1} = x_{t + 1}^{'}$

Let $i$ be the largest index, $0 \leq i \leq t$ , for which $(H_{i}, x_{i + 1}) \neq = (H_{i}^{'}, x_{i + 1}^{'})$ . Such an $i$ must exist since $x \neq = x^{'}$ .
Then $H_{i + 1} = f (H_{i}, x_{i + 1}) = f (H_{i}^{'}, x_{i + 1}^{'}) = H_{i + 1}^{'}$ , so $(H_{i}, x_{i + 1}), (H_{i}^{'}, x_{i + 1}^{'})$ is a collision for $f$ that we have efficiently found.

Thus, $f$ is not collision resistant $□$

Jaiden Ratti

Explorer

CO487

Chapter 1: Introduction to Cryptography

Chapter 2: Symmetric-Key Encryption

Fundamental Concepts

Stream Ciphers

Block Ciphers: DES

Block Ciphers: Triple-DES

Block Ciphers: AES

Modes of Operation

Chapter 3: Hash Functions

Fundamental Concepts

Relationships between PR, 2PR, CP

Generic Attacks

Iterated Hash Functions

Graph View

Table of Contents

Backlinks