Fall 2022

CC551: Computer and Network

Security
Lecture 3

Ahmed Kosba

Department of Computer and Systems Engineering

Faculty of Engineering, Alexandria University
Outline
• Previous lecture (Lecture #2)
• Low-level software security (cont.)
• Countermeasures and secure coding practices
• Introduction to cryptography
• Symmetric-key encryption
• Classical ciphers
• Threat models for encryption
• Perfect secrecy

• Today's lecture
• Perfect secrecy (cont.)
• Block ciphers (Introduction)
• Number theory review
2
One-time Pad
• Recall the Vernam cipher.
• The original form was vulnerable
• However, if the key was totally random, and as long as the message, it would
be unbreakable (this is called the one-time pad).
• The one-time pad was proven to be perfectly secret, by Shannon in
the 1940s.

• Given M = {0, 1}n

• Algorithm:
• Key generation: choose a random key k uniformly from {0, 1}n
• Encryption: E(k, m) = k  m
• Decryption: D(k, c) = k  c
6
One-time Pad C = E(k, m) = m XOR k
D(k, c) = c XOR k = m
n bits
proof: (m XOR k) XOR k
k = 0 so = m XOR 0 = m

 c
n bits
XOR

m
n bits

Exercise: How to prove correctness and perfect secrecy formally? 7

One-time Pad Proof of perfect secrecy:

• Correctness:
D(k, c) = D(k, E(k, m)) = k  (k  m)
As XOR is associative
D(k, c) = (k  k )  m = m
• Perfect secrecy: Sketch discussed on board.
The proof is in the [KL] textbook.

E1 - E1 and E2 are messages.

E2
- E3 is the ciphertext.

E3 - Pr(E3) = Pr(E1 intersect E3) + Pr(E2 intersect E3)

9
 One-time Pad
• Achieves perfect secrecy
• Was used to link the White House and Kremlin during the cold war.
• However, it’s not used widely.
• One-time pad drawbacks
• The key cannot be reused, i.e., only one message can be encrypted using one
key. Why?
• The key has the same length as the message. takes lots of storage
• The parties must share a long key in advance, and it must be truly random.
- If the same key is used twice, the attacker will know Drawbacks:
information if they have 2 or more messages.
m1: c1 = m1 XOR k
- They will know which parts of the message is similar. m2: c2 = m2 XOR k

if attacker knows c1 & c2: c1 XOR c2 = m1 XOR m2

12
Perfect Secrecy Limitations
• The previous limitations are not just for the one-time pad.
• Any perfectly-secure encryption scheme has the following drawbacks
[KL]:
• The size of the key space should be at least equal to the size of the message
space.
• If all keys have the same length, and the strings in the message space have fixed
length, then the key must be at least as long as the message.
• The key can only be used once.

13
Computational Security
• To avoid such problems, we move to another notion: computational
security.
• An encryption system would still be secure if it leaks tiny amounts of
information to attackers with bounded computational power.
• For example, one could argue that the time needed to break the algorithm
given the leak will exceed the useful lifetime of the information.
• But we need to be precise. How to quantify ‘tiny’ and ‘bounded’ above?
• Computational security is the default way security is discussed in
many modern cryptography contexts.
bounded --> O (2^112 steps) at least, (2^128) is commonly used

14
Toward More Practical Symmetric Encryption
Schemes
• Goal: Have computationally-secure encryption schemes that avoid
the problems of one-time pad or perfect secrecy.
• The key should be short, e.g., 128 or 256 bits.
• Choosing a smaller key could make the system vulnerable to brute-force attacks.
• We should have schemes that are secure against other threat models as well.
• If the same message is encrypted twice for example, the ciphertext should be completely
different, i.e., introduce some form of randomization.

15
Block Ciphers

17
Constructing Block ciphers
• A block cipher operates on a n-bit plaintext message and outputs an
n-bit ciphertext.
• For the mapping to be reversible, no two plaintext messages can be
mapped to the same ciphertext, so it has to be a permutation.
plaintext block n bits

(ideal block cipher)

• How many possible permutations f: {0,1}n → {0,1}n ?
• 2n! (This is factorial not exclamation mark) block
cipher

• First approach: ciphertext block n bits

Construct block ciphers using permutations selected randomly from the above
set of all possible permutations.
18
Block Cipher Example (Substitution Cipher Example for n = 3)

Plaintext Ciphertext
000 110
001 100
010 001
011 111
This is a permutation of all values between 000 and 111
100 000
101 010
110 101
111 011

Note: the key in this setting is the mapping itself.

When using a large block size to avoid brute-force attacks, this scheme won't be practical (see next slide).

19
 Constructing block ciphers
• For security, greater values of the block size need to be used.
• Assume the block size n = 64 bits, what will be the size of the
mapping table? - we have 2^64 mapping and each mapping requires 64 bits to be saved.
2^64 * 2^6
= 2^70 • 264 * 64 = 270 bits, i.e., more than 1020 bits for a single mapping
• Block sizes can be even larger, e.g., 128 bits
• Not practical!
• While not practical, this is called the ideal block cipher setting.
• How to devise more practical constructions?
• Recall: Our objective is to use a shorter key.

20
Making the construction more practical
• The key in the previous construction was the mapping itself.
• Instead, the key in the next construction will be an additional input to
the function. This can also written as
• The function F has to be designed in a
Plaintext block Plaintext block special way in order to be a secure
block cipher.

• For any key k, the function Fk has to be

k F Fk a permutation in order to be
reversible.

• The lengths of the key k and the input

Ciphertext block Ciphertext block plaintext block do not have to be
equal.

21
Making the construction more practical
• We will introduce a new notion (informally for now).
• Keyed function F: {0, 1}* x {0, 1}* → {0, 1}*
• A function F is a two-input function. Its first input is a key k, and the second input is
an input block of data x, i.e., the output of the function is F(k, x) or Fk(x).
• Note that Fk : {0, 1}* → {0, 1}*
• The key and block sizes are set based on security specifications and the
constructions.
• Keyed permutation
• For now, we are interested in the cases where Fk is a permutation, i.e., Fk is one-to-
one.
• For simplicity, assume F: {0, 1}n x {0, 1}m → {0, 1}m for now, i.e., the key length = n,
and the block length = m.
• How many values for the key in this case?
• 2n (brute force time, not perfect but good enough if n is 128 bits or more)

22
Pseudorandom permutations
• For the defined keyed permutations to be effective, F needs to be a
pseudorandom permutation.
Goal:
• Informally, Fk needs to be indistinguishable from a random permutation f selected
uniformly at random from the permutations discussed in the ideal setting earlier.

• Block ciphers are designed to be secure pseudorandom permutations with

some fixed key length and block length.

23
Example
Is Fk(x) = x  k a pseudorandom permutation?
No. We will illustrate the reasons informally.
• A polynomial-time distinguisher can make experiments to distinguish
Fk from a random permutation.
• Example 1: If the distinguisher tries any two inputs that differ in one bit, the
outputs will always differ in one bit. A random function will have this behavior
with very small probability. Therefore, we consider Fk distinguishable from a
random function.
• Example 2: If the distinguisher tries any two random inputs x1 and x2, the
outputs Fk(x1) and Fk(x2) will always satisfy: Fk(x1)  Fk(x2) = x1  x2. This is
unlikely to appear in a function selected randomly.
• Moreover, it's easy to figure out the key k from a single call by observing the
input and output. Note that the key should be kept secret. The distinguisher
should not be able to infer the key from the experiments. Otherwise, it will be
easy to distinguish the function. 24
Designing a secure cipher
Confusion-Diffusion Paradigm
• Introduced by Shannon in the late 1940s.
• Shannon introduced the following terms:
• Diffusion:
• Make the statistical relationship between the ciphertext and plaintext as
complex as possible.
• Changing one bit in the plaintext should affect all bits of the ciphertext.
• About half of the ciphertext bits should change in this case.
• Achieved by using mixing permutations.
- Repeatedly permuting the data and applying a function to the result [Stallings].
• Confusion:
• Make the relation between the ciphertext and the key as complex as possible.
• Achieved by complex substitution algorithms.
25
Feistel Block Cipher Design
• In 1973, Feistel proposed to use a cipher that alternates substitutions
and permutations.
• Note that the Feistel network concept is different from the Substitution-Permutation
Networks (SPNs) that we will discuss later.
• Achieves the properties suggested by Shannon: Diffusion and
Confusion
• The concept is still used in many block ciphers.

28
Feistel Block Cipher
Design
• Parameters and design features:
• Block size
• Key size

Decryption
Encryption
• Number of rounds
• Subkey generation (K0, K1, .. , Kn)
• Round function F
• Considerations when designing a Feistel cipher:
• Should be easy to analyze
• Fast software encryption/decryption
Note: the round function F does not need
to be invertible!
29
Figure source: https://commons.wikimedia.org/wiki/File:Feistel_cipher_diagram_en.svg
Data Encryption Standard (DES)
• Was the most widely used encryption algorithm until the introduction
of AES (Advanced encryption standard) in 2001.
• We will learn about AES later.
• DES Outline:
• Uses a Feistel network structure
• Block size = 64 bits
• Key size = 56 bits
• The short key now makes the algorithm vulnerable to brute-force
attacks.

32
Next lecture
• We will discuss the confusion and diffusion paradigm and Feistel
networks in more detail.

33
Number Theory Review [Part 1]

42
Divisibility
• A non-zero integer b divides an integer a, if a = qb, where q is an integer.
• Notation: b | a means b divides a (b is a divisor of a)
• Properties
• If a | 1, then a = ±1
• If a | b and b | a, then b = ±a
• If d | a and d | b, then d | (ax + by) for any integers x and y.

43
Divisibility
• Theorem:
• For any integer a and positive integer n, there are unique integers
q and r such that 0 ≤ r < n and a = qn + r

The quotient q = ⌊a / n⌋ The remainder r = a mod n

44
Prime and Composite Numbers
• An integer a > 1 whose only positive divisors are 1 and a is called a
prime number.
• An integer a > 1 that is not a prime is called a composite number.

• Fundamental Theorem of Arithmetic (Unique Factorization Theorem)

Any composite integer a can be written in only one way as the following:
𝑒 𝑒 𝑒
𝑎 = 𝑝11 𝑝22 … 𝑝𝑟 𝑟
where all pi are primes, and p1 < p2 < … < pr and all ei are positive integers.

45
Greatest Common Divisor (GCD)
• The greatest common divisor of two integers (not both zero) is the largest
integer that divides both integers. (Example: gcd(18, 12) = 6)

• A positive integer d is said to be the gcd of a and b if the following hold

• d is a divisor of a and b Factorizing numbers into their prime numbers:

• Any divisor of a and b is a divisor of d 20 = 2^5 * 5

30 = 2*3*5

• Properties common = 2*5 = 10

• gcd(0,0) is defined to be zero. • gcd(a, b) = gcd(-a, b)

• gcd(a, 0) = |a| • gcd(a, b) = gcd (|a|, |b|)

• Two integers a and b are relatively prime (co-prime) if their GCD is 1.

• Example: 21 and 25 are relatively prime, as gcd(21, 25) = 1
46
Greatest Common Divisor (GCD)
• Computing gcd(a,b) Factorization is said to be an NP-intermediate problem, can't yet be solved in a
polynomial time

• The GCD of two positive numbers a and b can be computed using the prime
factorization of a and b.
• Write a and b as follows. Note that the same set of primes can be used for
NP
both if zero exponents are allowed.
𝑒 𝑒 𝑒
𝑎 = 𝑝11 𝑝22 … 𝑝𝑟 𝑟 P
𝑓 𝑓 𝑓
𝑏 = 𝑝11 𝑝22 … 𝑝𝑟𝑟 NP
NP-C
intermediate

• Given this representation, what will be the value of gcd(a,b)? - Factorizing

min(𝑒1 ,𝑓1 ) min(𝑒2 ,𝑓2 ) min(𝑒𝑟 ,𝑓𝑟 ) - Discrete logarithmic
gcd(𝑎, 𝑏) = 𝑝1 𝑝2 … 𝑝𝑟

• Would that be an efficient approach?

NO 47
Euclid’s Algorithm (300 B.C.)
• GCD recursion theorem
For any non-negative integer a and any positive integer b,
gcd(a,b) = gcd(b, a mod b)
• Euclid’s algorithm
Tracing example:
Euclid(a,b){
30 18
if b = 0 18 12
return a 12 6
else 6 0

return Euclid(b, a mod b) Then (6) is the gcd(30,18)

}
O (log (min (a, b))
Exercise: What is the runtime complexity of this algorithm? 48
Extended Euclidean Algorithm
• Theorem:
• If a and b are any integers, not both zero, then gcd(a,b) is the smallest positive
integer of the set {ax + by : x, y ϵ Z} of linear combinations of a and b.

• How to find integers x and y that make the following equation hold?
ax + by = gcd (a,b)
For example, if a = 30, b = 18
x = -1, y = 2 would satisfy the equation.
There are infinite solutions.

To obtain one solution, the extended Euclidean algorithm can be used.

49
Extended Euclidean Algorithm [CLRS - Ch31]

ExtendedEuclid(a,b){
if b = 0
return (a, 1, 0)

else depth first

(d’, x’, y’) = ExtendedEuclid(b, a mod b)
(d, x, y) = (d’, y’, x’ - ⌊a / b⌋ y’)
return (d, x, y)
}

50
 ExtendedEuclid(a,b){
1: if b = 0

Extended Euclidean 2:
3:
4:
else
return (a, 1, 0)

(d’, x’, y’) = ExtendedEuclid(b, a mod b)

Algorithm 5:
6:
}
(d, x, y) = (d’, y’, x’ - ⌊a / b⌋ y’)
return (d, x, y)

• Tracing the algorithm for a = 30, b = 18

1
This is a b ⌊a / b⌋ d x y x' y'
filled first,
till the 30 18 1
base case
18 12 1
(b=0) is
reached. 12 6 2
6 0 - 6 1 0

Base case returns (a, 1, 0)

51
 ExtendedEuclid(a,b){
1: if b = 0

Extended Euclidean 2:
3:
4:
else
return (a, 1, 0)

(d’, x’, y’) = ExtendedEuclid(b, a mod b)

Algorithm 5:
6:
}
(d, x, y) = (d’, y’, x’ - ⌊a / b⌋ y’)
return (d, x, y)

• Tracing the algorithm for a = 30, b = 18 Result: (6, -1, 2)

2
a b ⌊a / b⌋ d x y x' y'
30 18 1 6 -1 2 1 -1 This is filled in the
other direction,
18 12 1 6 1 -1 0 1 starting from the
base case result.
12 6 2 6 0 1 1 0
6 0 - 6 1 0

Note: d won't change once
found. d and d' are always the
same, so no column was added
for d'.
• At any step (except the base case), x' and y' are equal to result returned by the
recursive call which is found in the row below. See line 4 in the pseudocode.
• For example, in the 3rd row, x' = 1, y' = 0, because x = 1, y = 0 in the 4th row.
• At any step (except the base case), the new x and y are calculated based on the
current x', y' and ⌊a / b⌋. See line 5 in the pseudocode.
• For example, in the 3rd row, x = 0, as x = y' = 0
y = 1, as y = x’ - ⌊a / b⌋ y' = 1 – 2*0 = 1 52
Modular Arithmetic
• Given an integer a, and a positive integer n,
a mod n is the remainder of dividing a by n. (n is called the modulus in
this context)
Using the division theorem,
a = ⌊a / n⌋ n + (a mod n)
2 mod 7 = 9 mod 7
2 = 9 (mod 7)

• Congruence modulo n (a + ? ) mod N = 0.

? --> N-a
• Two integers a and b are congruent modulo n if (a mod n) = (b mod n)
• This is alternatively written as a ≡ b (mod n).
• If a ≡ 0 (mod n), then n | a.
53
Modular Arithmetic
• Properties
• a ≡ b (mod n) implies b ≡ a (mod n)
• a ≡ b (mod n), if n | (b – a)
• If a ≡ b (mod n) and b ≡ c (mod n), then a ≡ c (mod n)

• Operations
• ((a mod n) + (b mod n)) mod n = (a + b) mod n
• ((a mod n) - (b mod n)) mod n = (a - b) mod n
• ((a mod n) * (b mod n)) mod n = (a * b) mod n

• Proving all the above can trivially be done by using the equation in the previous
slide.
54
Modular Addition and Multiplication
- multiplicative inverse happens when the two numbers are co-prime
- additive inverse always occurs,
Addition modulo 8 Multiplication modulo 8
but multiplicative inverse is available
in some number only
+8 0 1 2 3 4 5 6 7 *8 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 0
1 1 2 3 4 5 6 7 0 1 0 1 2 3 4 5 6 7
2 2 3 4 5 6 7 0 1 2 0 2 4 6 0 2 4 6
3 3 4 5 6 7 0 1 2 3 0 3 6 1 4 7 2 5
4 4 5 6 7 0 1 2 3 4 0 4 0 4 0 4 0 4
5 5 6 7 0 1 2 3 4 5 0 5 2 7 4 1 6 3
6 6 7 0 1 2 3 4 5 6 0 6 4 2 0 6 4 2
7 7 0 1 2 3 4 5 6 7 0 7 6 5 4 3 2 1
55
Modular Arithmetic in Zn
• Define Zn = {0, 1, 2, …, n – 1}
• This is called the set of residue classes modulo n (or set of equivalence classes
modulo n.
• Each integer a ϵ Zn represents the equivalence class [a]n which is defined as:
[a]n = { a + kn : k ϵ Z }

• The following properties hold for the arithmetic over integers in Zn

• Commutative laws
• Associative laws
• Distributive laws
• Identities
• Additive inverse
For both modular multiplication and addition
For both modular multiplication and addition
Multiplication can be distributed over addition.
(0 + a) mod n = a mod n, (1 * a) mod n = a mod n
For any a ϵ Zn, there exists b, s.t., (a + b) mod n = 0
56
 (a*b) mod n = 1

Modular Multiplicative Inverse b exists if gcd (a, n) = 1 (a & n are

co-prime) so b = a^-1
Multiplication modulo 8
• The modular multiplicative inverse
may not exist for all elements in Zn. *8 0 1 2 3 4 5 6 7
• Recall the multiplication modulo 8 0 0 0 0 0 0 0 0 0
table. 1 0 1 2 3 4 5 6 7
• Two questions: 2 0 2 4 6 0 2 4 6
• For which elements, does the modular 3 0 3 6 1 4 7 2 5
multiplicative inverse exist?
• Elements that are relatively prime to n. 4 0 4 0 4 0 4 0 4
• When it exists, how to compute it 5 0 5 2 7 4 1 6 3
efficiently?
• Using the extended Euclidean algorithm. 6 0 6 4 2 0 6 4 2
7 0 7 6 5 4 3 2 1
57
More questions
• If ( a + b ) ≡ ( a + c ) (mod n), does this imply that b ≡ c (mod n) ?
Yes.

• If ab ≡ ac (mod n), does this imply that b ≡ c (mod n) ?

Not in all cases.
Example: if a = 6, b = 1, c = 5, n = 8
To get modular multiplicative inverse:
ab ≡ 6 (mod n)
ax + by = gcd(a, b)
ac ≡ 6 (mod n) since a and b have to be co-prime so, gcd(a, b) = 1
ax + by = 1
ax mod(n) = 1

claim: x is the multiplicative inverse of a mod n

x = a^-1 mod n
bn mod(n) = 0
58
Using Euclid’s algorithm to break (improperly-
generated) cryptographic keys in real world

Awarded best paper in USENIX Security 2012! 59