IS-CryptoBasics SKC

The document discusses symmetric key cryptography including symmetric encryption, stream ciphers, block ciphers, hash functions, message integrity, and authenticated encryption. It covers security models like semantic security, indistinguishability, and non-malleability as well as attack models like chosen plaintext attacks and chosen ciphertext attacks. It also discusses how to prove security through indistinguishability and provides examples of stream ciphers.

Uploaded by Corina Stratan

Cryptography Basics

Symmetric Key Cryptography

Prof.dr. Ferucio Laurenţiu Ţiplea


Fall 2022

Department of Computer Science


“Alexandru Ioan Cuza” University of Iaşi
Iaşi 700506, Romania
e-mail: [email protected]
Outline

Symmetric encryption
  - Symmetric encryption
  - Stream ciphers
  - Block ciphers and modes of operation
Hash functions
Message integrity
Authenticated encryption
Symmetric cryptography

Symmetric cryptography includes:

- Symmetric encryption;
- Hash functions;
- Message authentication codes;
- Authenticated encryption.

Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security Cryptography Basics: Symmetric Key Cryptography Fall 2022 2 / 50
Symmetric encryption
Symmetric encryption

Two main goals:

1. Secure communication
   - protects data in motion;
   - IPsec and SSL/TLS use it;
2. File protection
   - protects data at rest;
   - cloud storage tools use it.

Symmetric cipher: S = (G, E, D)

Figure: Alice computes the ciphertext c = E(K, m) of the message m with the encryption algorithm E and sends it to Bob, who recovers m = D(K, c) with the decryption algorithm D. The key generation algorithm G(λ) → K takes the security parameter λ (e.g., the key size); the key K reaches both parties through key distribution.

Key distribution:

- Alice and Bob meet and get K, or
- Alice and Bob use a dedicated mechanism/protocol.

Security models for symmetric encryption

Recall that a security model is a pair consisting of a security goal X and an attack model Y, usually written as X-Y.

Standard security goals for encryption:

1. Semantic security (SS);
2. Indistinguishability (IND);
3. Non-malleability (NM).

Standard attack models for encryption:

1. Chosen plaintext attack (CPA);
2. Non-adaptive chosen ciphertext attack (CCA1);
3. Adaptive chosen ciphertext attack (CCA2).

Security goals

1. Semantic security
   1.1 Proposed by Goldwasser and Micali (1984), it was the first definition of security for encryption;
   1.2 It formalizes the fact that no adversary can obtain any partial information about the message of a given ciphertext (whatever can efficiently be computed about a message from its ciphertext can also be computed without the ciphertext);
   1.3 It is a “polynomially bounded” version of the concept of perfect secrecy introduced by Shannon (1949);
   1.4 It is complex and difficult to work with;
2. Indistinguishability is an equivalent definition to semantic security which is somewhat simpler;
3. Non-malleability means that, given a ciphertext c of some message m, no efficient adversary can construct another ciphertext c′ of some message m′ meaningfully related to m.
Attack models

1. Passive attacks:
   1.1 Ciphertext-only attack (COA): A has access to the ciphertext only;
   1.2 Known plaintext attack (KPA): A knows pairs (plaintext, ciphertext);
2. Active attacks:
   2.1 Chosen plaintext attack (CPA): A has access to the encryption oracle (this comes for free in public-key encryption, PKE);
   2.2 Non-adaptive chosen ciphertext attack (CCA1): A has, in addition to the ability of a CPA adversary, access to a decryption oracle before the challenge phase;
   2.3 Adaptive chosen ciphertext attack (CCA2): A has, in addition to the ability of a CCA1 adversary, access to a decryption oracle after the challenge phase. However, no decryption query is allowed on the challenge ciphertext.

Proving security by indistinguishability

Indistinguishability, as a security model, requires that an adversary from a specific class of adversaries interact with the cryptographic scheme under study as follows:

Training: the adversary trains with the scheme according to his type;
Challenge: at a given moment, the adversary chooses two (different) messages of equal length and receives the ciphertext of one of them (chosen uniformly at random);
Training: depending on the class to which the adversary belongs, he may continue to train with the scheme;
Guess: the adversary has to decide which of the two messages the ciphertext comes from.

If the guessing probability is non-negligibly greater than 1/2, then the adversary wins the game, which means that the scheme is not secure against adversaries in this class.
Relationships among security models

1. IND-COA (also called indistinguishability in the presence of an eavesdropper) is the weakest form of security, where the adversary can only eavesdrop on ciphertexts;
2. IND-KPA (also called indistinguishability under multiple encryption attack) is stronger than IND-COA;
3. The diagram below only aims to give a picture of the relationships between the other security models (some of these relationships are far from trivial).

Diagram of the nine models (the implication arrows between them did not survive extraction):

  NM-CPA    NM-CCA1    NM-CCA2
  IND-CPA   IND-CCA1   IND-CCA2
  SS-CPA    SS-CCA1    SS-CCA2

Stream ciphers

Main characteristics of a stream cipher:

- The message is viewed as a sequence of blocks (also called characters) of a very limited size, that can efficiently be enumerated in practice (e.g., bits or bytes);
- The secret key is expanded to a keystream of the same size as the message block size by a keystream generator initially seeded with the secret key;
- The encryption is block-driven;
- The one-time pad (OTP) may be regarded as a stream cipher, but a quite impractical one.

Stream ciphers

Figure: the keystream generator G, seeded with the key K, outputs the keystream G(K); the encryptor computes the ciphertext m ⊕ G(K) from the message m.

Theorem 1
The SKE scheme above is IND-COA, provided that G is a PRG.

Stream ciphers: using the same key twice

Using the same key twice:

- If c1 = m1 ⊕ G(K) and c2 = m2 ⊕ G(K), then c1 ⊕ c2 = m1 ⊕ m2;
- Natural language text contains enough redundancy to allow the adversary to recover m1 and m2 from c1 ⊕ c2.

Real scenarios:

- Microsoft's implementation of PPTP in Windows NT uses RC4. Its original implementation used the same key to encrypt messages from A to B and from B to A (see ScMu1998.pdf on the course site);
- Microsoft has used RC4 to protect Word and Excel documents. When encrypted documents were modified and saved, the same key was used (see Wu2005.pdf on the course site).

Never use the same key to encrypt more than one message with stream ciphers!
Stream ciphers: malleability

Malleability:

- From an encryption c = m ⊕ G(K) of m one can simply obtain an encryption of m ⊕ m′ as c′ = c ⊕ m′.

Real scenarios:

- Assume that the adversary knows a prefix m1 of m (m1 might be a standard header filled with someone's address, name, etc.);
- The adversary wants to replace m1 by m2 (m2 might be a header filled with information of his choosing);
- The adversary computes c ⊕ ((m1 ⊕ m2) ∥ 0···0) to obtain what he wants.

Stream ciphers do not guarantee integrity!
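The two observations of the last two slides (key reuse leaks m1 ⊕ m2, and c ⊕ ((m1 ⊕ m2) ∥ 0···0) changes a known prefix without the key) in running Python, as an added example that is not part of the lecture. The PRG G is stood in for by HMAC-SHA256 over a counter, which is an assumption of the example; the messages and key are constructed sample values.

```python
import hashlib
import hmac


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for the PRG G(K): HMAC-SHA256 of a running counter under K.
    (Assumption of this example; the lecture's G is abstract.)"""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, m: bytes) -> bytes:
    """Stream cipher: c = m XOR G(K). Decryption is the same operation."""
    return xor(m, keystream(key, len(m)))


decrypt = encrypt


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same key: c1 XOR c2 = m1 XOR m2. The keystream
    cancels, so an eavesdropper obtains the XOR of the plaintexts without K."""
    return xor(c1, c2)


def replace_prefix(c: bytes, m1: bytes, m2: bytes) -> bytes:
    """Malleability: for a known plaintext prefix m1, c XOR ((m1 XOR m2) || 0...0)
    decrypts to m2 followed by the untouched remainder of m. No key is needed,
    which is why a stream cipher on its own provides no integrity."""
    assert len(m1) == len(m2) <= len(c)
    delta = xor(m1, m2) + bytes(len(c) - len(m1))
    return xor(c, delta)


if __name__ == "__main__":
    key = bytes.fromhex("00" * 32)   # constructed demo key; use os.urandom(32) in practice
    msg_a = b"To: alice  Amount: 100"   # constructed sample messages
    msg_b = b"To: carol  Amount: 900"
    ca, cb = encrypt(key, msg_a), encrypt(key, msg_b)
    print(two_time_pad_leak(ca, cb) == xor(msg_a, msg_b))   # True: the key cancelled out
    tampered = replace_prefix(ca, b"To: alice", b"To: carol")
    print(decrypt(key, tampered))   # b'To: carol  Amount: 100', accepted by the decryptor
```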

The stream cipher RC4

1. RC4 was proposed by Ronald Rivest in 1987 as a trade secret, but was posted anonymously in September 1994 on a mailing list;
2. RC4 was used in a large variety of applications: SSL/TLS, WEP, WPA, MS-PPTP etc.;
3. Recent results have shown that the output of the RC4 keystream generator is biased (see AlFardan et al. (2013)):
   3.1 (Mantin & Shamir, 2001) P(Z_2 = 0x00) ≈ 1/128;
   3.2 (Gupta et al., 2012) P(Z_r = 0x00) ≈ 1/256 + c_r/256^2 for 3 ≤ r ≤ 255, where c_3 = 0.351089 and 0.242811 ≤ c_r ≤ 1.337057 for r ≥ 4;
4. Several other variants of RC4 have been proposed: RC4A, VMPC, RC4+, Spritz.

Other practical stream ciphers

1. CSS (Content Scrambling System)
   - Designed in the 1980s for preventing unauthorized duplication of DVDs;
   - Can be brute-force attacked in time 2^40 (the seed space size). A faster attack to recover the seed (time 2^16) was proposed by Frank Stevenson in 1999;
2. A5/1, A5/2, A5/3 stream ciphers for GSM encryption
   - All have been cryptanalysed (see Barkan et al. (2003));
3. E0 stream cipher for Bluetooth encryption
   - The most efficient cryptanalysis requires the first 24 bits of 2^23.8 frames (a frame is 2745 bits long) and 2^38 computations to recover the key (see Lu et al. (2005));
4. Salsa, designed by Bernstein in 2005 (see Bernstein (2008b));
5. ChaCha, designed by Bernstein in 2008 (see Bernstein (2008a)).

Block ciphers

A widely used method to encrypt a message is the following:

1. View the message as a sequence of blocks of a larger size, so that the enumeration of all blocks is infeasible in practice;
2. Iteratively encrypt each message block into another block.

Remark 2
1. The encryption of a message block into another block is done by families of permutations (i.e., block ciphers) or families of functions;
2. The iteration method is crucial and it is called the mode of operation;
3. In the encryption process of a message block, the encryption key is expanded to a fixed number of round keys.

Block ciphers

Figure: the key expansion algorithm derives the round keys K_1, K_2, ..., K_n from K; the message m passes through T_i, then T_{K_1}, T_{K_2}, ..., T_{K_n}, then T_f, giving the ciphertext c.

- T_i is an initial transformation, and T_f is a final transformation;
- T_{K_i} is a transformation induced by K_i, 1 ≤ i ≤ n:

  c = (T_f ∘ T_{K_n} ∘ ··· ∘ T_{K_1} ∘ T_i)(m)

DES and AES block cipher

1. DES:
   - M = C = {0, 1}^64;
   - K = {0, 1}^56;
   - The number of rounds is 16;
2. AES:
   - M = C = M_{4×m}(Z_2^8), where m ∈ {4, 6, 8};
   - K = M_{4×k}(Z_2^8), where k ∈ {4, 6, 8};
   - The number of rounds depends on the key and message block length:

            m=4   m=6   m=8
       k=4   10    12    14
       k=6   12    12    14
       k=8   14    14    14

Pseudo-random functions

A pseudo-random function (PRF) is a family F of functions with the following properties:

1. Efficiently computable: each function f ∈ F can be computed by a deterministic poly-time algorithm;
2. Pseudo-randomness: if we randomly choose a function from this family, then its input-output behavior is computationally indistinguishable from that of a random function.

The adversary is allowed to train with f ∈ F to establish the pseudo-randomness of f (see “indistinguishability”)!

Pseudo-random permutations

Pseudo-random permutations (PRPs) are special cases of PRFs.

  F type      | Content       | Efficient computability | Pseudo-randomness
  PRF         | functions     | each f                  | A trains with f
  weak PRP    | permutations  | each f and f^{-1}       | A trains with f
  strong PRP  | permutations  | each f and f^{-1}       | A trains with f and f^{-1}

Remark 3
1. Strong PRPs are simply referred to as PRPs;
2. PRPs are sometimes called block ciphers.

PRP candidates

1. DES = (DES_K)_{K ∈ {0,1}^56}, where DES_K : {0, 1}^64 → {0, 1}^64;
2. 3DES = (3DES_K)_{K ∈ {0,1}^168}, where 3DES_K : {0, 1}^64 → {0, 1}^64;
3. AES-128 = (AES_K)_{K ∈ {0,1}^128}, where AES_K : {0, 1}^128 → {0, 1}^128.

Electronic Codebook (ECB)

F = (F_K)_K is a PRP.

Figure: the message blocks m_1, m_2, ..., m_ℓ are each encrypted independently with F_K, giving the ciphertext blocks c_1 = F_K(m_1), c_2 = F_K(m_2), ..., c_ℓ = F_K(m_ℓ).

Theorem 4
ECB is not IND-KPA.

ECB illustrated

Figure: the original image next to its ECB encryption (images not reproduced in the text).

Cipher Block Chaining (CBC)

F = (F_K)_K is a PRP.

Figure: a random IV ← {0, 1}^n is chosen; each message block is XORed with the previous ciphertext block before encryption, c_1 = F_K(m_1 ⊕ IV) and c_i = F_K(m_i ⊕ c_{i−1}) for 2 ≤ i ≤ ℓ, and the ciphertext is IV c_1 c_2 ··· c_ℓ.

Theorem 5
If F = (F_K)_K is a PRP, then CBC with F is IND-CPA.

CBC versus ECB

Figure: the original image, its ECB encryption and its CBC encryption side by side (images not reproduced in the text).

Deterministic counter mode (DCTR)

F = (F_K)_K is a PRF.

Figure: with the fixed counter start r = 1, the message blocks are XORed with the blocks F_K(r), F_K(r+1), ..., F_K(r+ℓ−1), so c_i = m_i ⊕ F_K(r+i−1), and the ciphertext is c_1 c_2 ··· c_ℓ.

The scheme works like a stream cipher with the PRG G given by

  G(K) = F_K(1) ∥ F_K(2) ∥ ··· ∥ F_K(ℓ)

Theorem 6
If F = (F_K)_K is a PRF, then DCTR with F is IND-KPA but not IND-CPA.

Counter mode (CTR)

F = (F_K)_K is a PRF.

Figure: a random r ← {0, 1}^n is chosen; the message blocks are XORed with F_K(r), F_K(r+1), ..., F_K(r+ℓ−1), so c_i = m_i ⊕ F_K(r+i−1), and the ciphertext is r c_1 c_2 ··· c_ℓ.

The scheme works like a stream cipher with the PRG G given by

  G(K) = F_K(r) ∥ F_K(r + 1) ∥ ··· ∥ F_K(r + ℓ − 1)

Theorem 7
If F = (F_K)_K is a PRF, then CTR with F is IND-CPA.
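ECB, CBC and CTR (with a fixed r = 1 giving DCTR) over an abstract block cipher, as an added Python example that is not the lecture's code. The PRP F_K is a stand-in: a four-round Feistel network with an HMAC-SHA256 round function on 128-bit blocks (an assumption of the example; a real system uses AES). The checks in the demo are the behaviours Theorems 4 to 7 predict: ECB exposes repeated blocks, CBC with a fresh IV hides them, DCTR is deterministic, CTR round-trips using only F_K and never its inverse.

```python
import hashlib
import hmac
import os

N = 16  # block size in bytes (128-bit blocks)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: a PRF (HMAC-SHA256) on an 8-byte half, domain-separated by round number.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def prp_enc(key: bytes, block: bytes) -> bytes:
    """Stand-in PRP F_K on 16-byte blocks: 4-round Feistel (assumption of this example)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def prp_dec(key: bytes, block: bytes) -> bytes:
    """Inverse permutation F_K^{-1}: the same rounds in reverse order."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def ecb_encrypt(key: bytes, blocks: list) -> list:
    """ECB: c_i = F_K(m_i). Equal plaintext blocks give equal ciphertext blocks."""
    return [prp_enc(key, m) for m in blocks]


def cbc_encrypt(key: bytes, blocks: list, iv: bytes = None) -> list:
    """CBC: c_0 = IV (fresh and random), c_i = F_K(m_i XOR c_{i-1}); output [IV, c_1..c_l]."""
    iv = os.urandom(N) if iv is None else iv
    out = [iv]
    for m in blocks:
        out.append(prp_enc(key, xor(m, out[-1])))
    return out


def cbc_decrypt(key: bytes, ct: list) -> list:
    """m_i = F_K^{-1}(c_i) XOR c_{i-1}; the inverse permutation is needed here."""
    return [xor(prp_dec(key, ct[i]), ct[i - 1]) for i in range(1, len(ct))]


def ctr_encrypt(key: bytes, blocks: list, r: int = None) -> list:
    """CTR: c_i = m_i XOR F_K(r + i - 1) with random r; output [r, c_1..c_l].
    Passing a fixed r (e.g. r = 1) gives DCTR, which is deterministic."""
    r = int.from_bytes(os.urandom(N), "big") if r is None else r
    out = [r.to_bytes(N, "big")]
    for i, m in enumerate(blocks):
        counter = ((r + i) % (1 << (8 * N))).to_bytes(N, "big")
        out.append(xor(m, prp_enc(key, counter)))   # only F_K is used, never F_K^{-1}
    return out


def ctr_decrypt(key: bytes, ct: list) -> list:
    """Decryption regenerates the same keystream from the transmitted r."""
    r = int.from_bytes(ct[0], "big")
    return ctr_encrypt(key, ct[1:], r)[1:]


if __name__ == "__main__":
    key = os.urandom(32)
    msg = [b"A" * N, b"B" * N, b"A" * N]   # constructed message: blocks 1 and 3 repeat
    e = ecb_encrypt(key, msg)
    print("ECB leaks repetition:", e[0] == e[2])                   # True (Theorem 4)
    c = cbc_encrypt(key, msg)
    print("CBC hides repetition:", c[1] != c[3], cbc_decrypt(key, c) == msg)
    print("DCTR is deterministic:", ctr_encrypt(key, msg, r=1) == ctr_encrypt(key, msg, r=1))
    print("CTR round-trips:", ctr_decrypt(key, ctr_encrypt(key, msg)) == msg)
```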

Output feedback (OFB) and cipher feedback (CFB)

1. The key stream in CTR mode is

   F_K(r) ∥ F_K(r + 1) ∥ F_K(r + 2) ∥ ···

   where r ← {0, 1}^n;
2. The OFB and CFB modes are defined as the CTR mode but with a different key stream generation:
   2.1 The key stream in OFB mode is

       F_K(r) ∥ F_K(F_K(r)) ∥ F_K(F_K(F_K(r))) ∥ ···

       where r ← {0, 1}^n;
   2.2 The key stream in CFB mode is

       F_K(r) ∥ F_K(c_1) ∥ F_K(c_2) ∥ ···

       where r ← {0, 1}^n.


Hash functions
Hash functions

A hash function outputs a fixed-length bitstring (e.g., 128 or 160 bits) when applied to an arbitrary-length bitstring.

Hash functions are used in many cryptographic applications, such as:

- signing messages, in connection with digital signatures (signing a document should be a fast operation and the signature should be small so that it can be put on a smart card);
- identifying files on peer-to-peer file sharing networks;
- ensuring the security of micro-payment schemes (e.g., PayWord);
- etc.

Hash functions

(Keyed) hash function: H = (G, H)

When no key is used, H is simply called a hash function.

Figure: the message m is mapped by the deterministic poly-time (DPT) algorithm H to the message digest c = H(K, m); the key generation algorithm G(λ) → K takes the security parameter λ (e.g., the key size).

Collision-resistant hash functions

Figure: G(λ) → K; two messages m_0 and m_1 are hashed under K. If m_0 ≠ m_1 and H(K, m_0) = H(K, m_1), then (m_0, m_1) is a collision.

A keyed hash function H is collision-resistant (CRHF) if no adversary, given a randomly generated key K, can compute a collision (m_0, m_1) for H under K with higher than negligible probability.

One-way hash functions

Figure: G(λ) → K; given (K, c), the adversary tries to find a preimage among m_0, ..., m_ℓ ∈ H^{-1}(K, c), i.e., a message whose digest under K is c.

A keyed hash function H is one-way (OWHF) if no adversary, given a randomly generated key K and a message digest c obtained with K, can compute m ∈ H^{-1}(K, c) with higher than negligible probability.

Theorem 8
Any CRHF is also an OWHF, as long as the domain of the hash function is significantly larger than its range.

Looking for collisions

Theorem 9
Let m be the number of possible message digests of a hash function H under some key K. If we compute message digests for r messages chosen uniformly at random and

  ⌊√(2cm)⌋ < r < m

for some real constant c > 0, then the probability of getting a collision is higher than 1 − e^{−c} (e is Euler's number, e = 2.71828···).

If c ≥ ln 2 ≈ 0.693, then 1 − e^{−c} ≥ 1/2, so the collision probability exceeds 1/2.

Example 10

Let m = 2^40 and r such that 1,200,000 ≈ ⌊2^20 √(2 ln 2)⌋ < r < 2^40. The probability of getting a collision is greater than 1/2. Therefore, 40-bit message digests do not ensure security.
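Theorem 9 and Example 10 carried through in Python, as an added example that is not from the lecture: the threshold r = ⌊√(2cm)⌋ + 1, the bound 1 − e^{−c}, and an empirical check with SHA-256 truncated to 20 bits (m = 2^20, chosen so that the check runs in well under a second; the 40-bit case of Example 10 behaves the same way with 2^10 times more work). The truncated hash and the seeded message generator are assumptions of the example.

```python
import hashlib
import math
import os


def birthday_threshold(m: int, c: float = math.log(2)) -> int:
    """Smallest r satisfying floor(sqrt(2*c*m)) < r (Theorem 9).
    With c = ln 2 and m = 2**40 this is about 1.2 million, as in Example 10."""
    return math.isqrt(int(2 * c * m)) + 1


def collision_bound(c: float) -> float:
    """Lower bound 1 - e^{-c} on the collision probability once r exceeds the threshold."""
    return 1.0 - math.exp(-c)


def truncated_digest(msg: bytes, bits: int) -> int:
    """A hash with m = 2**bits possible digests: SHA-256 keeping the top `bits` bits."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits: int, r: int, seed: bytes):
    """Digest r distinct messages (seed || counter); return a colliding pair or None."""
    seen = {}
    for i in range(r):
        msg = seed + i.to_bytes(4, "big")
        d = truncated_digest(msg, bits)
        if d in seen:
            return seen[d], msg
        seen[d] = msg
    return None


def collision_rate(bits: int, trials: int) -> float:
    """Fraction of trials in which birthday_threshold(2**bits) random messages
    produced a collision; for c = ln 2 Theorem 9 puts this above 1/2."""
    r = birthday_threshold(2 ** bits)
    hits = sum(find_collision(bits, r, os.urandom(8)) is not None for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("r for 40-bit digests:", birthday_threshold(2 ** 40))   # about 1.2 million
    print("bound at c = ln 2:", collision_bound(math.log(2)))      # 0.5
    print("observed rate, 20-bit digests:", collision_rate(20, 50))
```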
Construction of CRHFs

Two practical techniques to construct CRHFs:

1. The Merkle-Damgård (MD) transform;
2. The sponge construction.

The MD transform

- Use a compression function h : K × {0, 1}^{ℓ+k} → {0, 1}^ℓ (h(K, ·) maps an input of size ℓ + k to an output of size ℓ);
- Use an MD-compliant padding pad : {0, 1}^{<2^{…}} → ⋃_{n≥1} {0, 1}^{nℓ} with the following properties:
  1. m is a prefix of pad(m);
  2. if |m1| = |m2| then |pad(m1)| = |pad(m2)|;
  3. if |m1| ≠ |m2|, then the last block of pad(m1) is different from the last block of pad(m2).

The MD transform

- Iterate h on messages m as follows:
  1. pad(m) = m_1 ∥ ··· ∥ m_n with |m_i| = k for all i;
  2. V := IV, where IV ← {0, 1}^ℓ;
  3. for i := 1 to n do V := h(K, m_i ∥ V);
  4. return V.

Figure: the chaining value starts at IV and is updated by h_K with m_1, m_2, ..., m_n in turn; the final value is the message digest.

Theorem 11
If h is collision-resistant, then the MD transform based on h is collision-resistant too.
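The MD transform of the last two slides in Python, as an added example that is not the lecture's code: an MD-compliant pad with the three stated properties, the iteration V := h(K, m_i ∥ V), and a check of the padding properties. The compression function h(K, ·) is a stand-in built from SHA-256 (an assumption of the example), with ℓ = 256 bits and k = 512 bits.

```python
import hashlib

ELL = 32    # chaining value / digest size ℓ in bytes (256 bits)
KBLK = 64   # message block size k in bytes (512 bits)


def h(key: bytes, block: bytes) -> bytes:
    """Stand-in compression function h(K, .): {0,1}^(ℓ+k) -> {0,1}^ℓ.
    Built from SHA-256 here (assumption of this example, not the lecture's h)."""
    assert len(block) == KBLK + ELL
    return hashlib.sha256(key + block).digest()


def pad(m: bytes) -> bytes:
    """MD-compliant padding: m || 0x80 || 0...0 || |m| as a 64-bit big-endian bit count,
    filled to a multiple of k. Property 1: m is a prefix. Property 2: the padded length
    depends only on |m|. Property 3: the last block carries |m|, so messages of different
    lengths end in different last blocks."""
    bit_len = (8 * len(m)).to_bytes(8, "big")
    zeros = (-(len(m) + 1 + 8)) % KBLK
    return m + b"\x80" + bytes(zeros) + bit_len


def md_hash(key: bytes, m: bytes, iv: bytes = bytes(ELL)) -> bytes:
    """The MD transform: V := IV; for each block V := h(K, m_i || V); return V."""
    padded = pad(m)
    v = iv
    for i in range(0, len(padded), KBLK):
        v = h(key, padded[i:i + KBLK] + v)
    return v


def padding_properties_hold(m1: bytes, m2: bytes) -> bool:
    """Check the three MD-compliance properties on a pair of messages."""
    p1, p2 = pad(m1), pad(m2)
    prefix = p1.startswith(m1) and p2.startswith(m2)
    aligned = len(p1) % KBLK == 0 and len(p2) % KBLK == 0
    same_len = len(m1) != len(m2) or len(p1) == len(p2)
    last_block = len(m1) == len(m2) or p1[-KBLK:] != p2[-KBLK:]
    return prefix and aligned and same_len and last_block


if __name__ == "__main__":
    key = b"\x00" * 16   # constructed demo key
    print(md_hash(key, b"abc").hex())
    print(padding_properties_hold(b"a" * 55, b"a" * 56))   # True: 55 bytes fit one block, 56 need two
```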

The MD transform in practice

Practical hash functions based on the MD transform:

- MD4 – developed by Rivest in 1990. It was the starting point for the development of a series of similar hash functions;
- SHA (Secure Hash Algorithm) or SHA-0 – developed by the NSA in 1993 (withdrawn shortly after publication because of a flaw);
- MD5 – the strengthened successor of MD4 (Rivest 1995);
- SHA-1 – developed by the NSA in 1995; no longer approved after 2010;
- The SHA-2 family includes 6 hash functions: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 (the last two are truncated versions of SHA-512).

The sponge construction

- Choose a permutation π : {0, 1}^ℓ → {0, 1}^ℓ (π has no key!), and write ℓ = r + c (r is the rate and c is the capacity);
- Pad m and divide it into r-bit blocks m_1 ··· m_n;
- Absorbing phase.

Figure: the state starts at 0^ℓ; for each block, m_i ∥ 0^c is XORed into the state and π is applied; the final state is V.

The sponge construction

- Squeezing phase.

Figure: starting from V, blocks z_1, z_2, ..., z_i of r bits each are read off from the state, with π applied between successive reads; z_1 z_2 ··· z_i is the message digest.

Theorem 12
If π is a random permutation and 2^ℓ and 2^c are super-poly, then the sponge construction yields a CRHF.

The sponge construction is the basis of the SHA-3 standard.

Message integrity
Message authentication codes

Message authentication codes (MACs) = used to prove message integrity based on a shared secret key between parties.

MAC system: S = (G, Tg, V)

Figure: the key G(λ) → K is shared by Alice and Tom. Alice computes the tag of her message (“Dear Tom, I inform you ...”) with Tg and sends the message together with the tag; Tom runs V on the received message and tag, which answers Yes/No to “Accept?”.

MACs

A MAC system S is secure if no adversary who has been allowed to train with the MAC system can generate valid tags for messages of his choice, except with negligible probability.

MAC systems can be obtained from:

1. PRFs;
2. Hash functions.

MACs from PRFs: CMAC

If F is a PRF on messages of length ℓ, define the following MAC scheme, called Cipher-based MAC (CMAC) (see Dworkin (2005)):

1. Generate three keys K_0, K_1, and K_2 of length ℓ from K;
2. Break the message m into m = (m_1, ..., m_{k−1}, m_k);
3. Randomize the last block:
   - If |m_k| = ℓ then replace m_k by m_k ⊕ K_1;
   - If |m_k| < ℓ then replace m_k by (m_k ∥ 1 ∥ 0^j) ⊕ K_2;
4. Apply F with K_0 in the CBC mode and output only the last block as the message tag.

MACs from PRFs: CMAC

Figure: CBC chaining of F_{K_0} over m_1, m_2, ..., m_{k−1}, m_k starting from 0^ℓ; only the final block is output as the tag.

Theorem 13
CMAC is secure, provided that F is a PRF.

MACs from CRHFs: HMAC

Let H be a hash function defined by the MD transform from a compression function h(K, m). Define F_H by

  F_H((K_1, K_2), m) = H(K_2 ∥ H(K_1 ∥ m))

Theorem 14
If h and h′ given by h′(K, m) = h(m, K) are PRFs, then F_H is a PRF.

For a proof of this theorem please see Boneh and Shoup (2020).

The HMAC construction uses one single key K from which two keys are derived: K_1 = K ⊕ ipad and K_2 = K ⊕ opad.

HMAC-SHA1 and HMAC-SHA256 are instances of the above construction, with H = SHA1 and H = SHA256, respectively.
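F_H((K_1, K_2), m) = H(K_2 ∥ H(K_1 ∥ m)) with K_1 = K ⊕ ipad and K_2 = K ⊕ opad, written out in Python as an added example that is not from the lecture, and checked against the standard library's HMAC-SHA256. The constants ipad = 0x36 and opad = 0x5c repeated to the 64-byte block size, and the handling of keys shorter or longer than a block, follow RFC 2104 and are not on the slide.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                       # SHA-256 processes 64-byte blocks
IPAD = bytes([0x36]) * BLOCK_SIZE     # RFC 2104 inner pad
OPAD = bytes([0x5C]) * BLOCK_SIZE     # RFC 2104 outer pad


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def H(data: bytes) -> bytes:
    """The underlying MD-transform hash: SHA-256 here."""
    return hashlib.sha256(data).digest()


def derive_subkeys(K: bytes):
    """K1 = K XOR ipad, K2 = K XOR opad. RFC 2104 detail: a key longer than the block
    is first hashed, and the key is zero-padded to the block size before the XORs."""
    if len(K) > BLOCK_SIZE:
        K = H(K)
    K = K.ljust(BLOCK_SIZE, b"\x00")
    return xor(K, IPAD), xor(K, OPAD)


def F_H(K1: bytes, K2: bytes, m: bytes) -> bytes:
    """The two-key PRF from the slide: H(K2 || H(K1 || m))."""
    return H(K2 + H(K1 + m))


def hmac_sha256(K: bytes, m: bytes) -> bytes:
    """HMAC-SHA256 = F_H with both subkeys derived from the single key K."""
    K1, K2 = derive_subkeys(K)
    return F_H(K1, K2, m)


def matches_stdlib(K: bytes, m: bytes) -> bool:
    """Cross-check against hmac.new; compare_digest avoids timing leaks on the tag."""
    return hmac.compare_digest(hmac_sha256(K, m), hmac.new(K, m, hashlib.sha256).digest())


if __name__ == "__main__":
    # RFC 4231 test case 2 (key "Jefe"); expected 5bdcc146bf60754e...964ec3843
    print(hmac_sha256(b"Jefe", b"what do ya want for nothing?").hex())
    print(matches_stdlib(b"k" * 100, b"long keys are hashed first"))   # True
```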

Authenticated encryption
The need for authenticated encryption

Combining secure encryption schemes with secure MACs may lead to error-prone systems (see Krawczyk (2001), Bernstein (2013)).

Definition 15
Let S be a cipher.

1. S provides ciphertext integrity (CI) if no adversary can output valid ciphertexts, except with negligible probability.
2. S provides authenticated encryption (AE) if:
   2.1 S is IND-CPA secure;
   2.2 S provides CI.

Theorem 16
If S is AE secure then it is IND-CCA secure.

Constructing AE secure ciphers

One popular way to construct AE secure ciphers is to combine an IND-CPA secure cipher with a secure MAC. There are two main variants:

1. Encrypt-then-MAC (EtM)
   1.1 c ← E(K, m), t ← Tg(K′, c), output (c, t);
   1.2 Used in IPsec, TLS 1.2 and later versions, and in the NIST standard GCM;
2. MAC-then-Encrypt (MtE)
   2.1 t ← Tg(K′, m), c ← E(K, (m, t)), output c;
   2.2 Used in SSL 3.0, TLS 1.0, and in the 802.11i WiFi encryption protocol.

The keys K and K′ are chosen independently!

Encrypt-then-MAC

Theorem 17
If S is an IND-CPA secure cipher and S ′ is a secure MAC, then the
EtM construction is a secure AE.

Common mistakes in implementing the EtM construction:

1. Using the same key for the cipher and the MAC;
2. Applying the MAC only to part of the ciphertext (we may lose ciphertext integrity) – discovered in 2013 in the RNCryptor facility on Apple’s iOS.
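Encrypt-then-MAC without the two mistakes above, as an added Python example that is not from the lecture: independent keys K and K′, the tag computed over the entire ciphertext including the nonce, and verification before any decryption. The IND-CPA cipher is stood in for by a CTR-style keystream from HMAC-SHA256 (an assumption of the example); the MAC is HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream F_K(nonce || 0) || F_K(nonce || 1) || ... with F = HMAC-SHA256.
    Stand-in for the lecture's IND-CPA cipher (assumption of this example)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def generate_keys():
    """K and K' chosen independently: never reuse the encryption key for the MAC (mistake 1)."""
    return os.urandom(32), os.urandom(32)


def etm_encrypt(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    """c <- E(K, m); t <- Tg(K', nonce || c); output nonce || c || t.
    The tag covers everything the receiver will use, nonce included (mistake 2)."""
    nonce = os.urandom(NONCE_LEN)
    c = xor(m, keystream(k_enc, nonce, len(m)))
    t = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    return nonce + c + t


def etm_decrypt(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Verify first, decrypt only if the tag is valid; return None on any failure
    (one uniform rejection, so the receiver does not reveal why it rejected)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, c, t = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(t, expected):   # constant-time comparison
        return None
    return xor(c, keystream(k_enc, nonce, len(c)))


def tampering_is_rejected(k_enc: bytes, k_mac: bytes, m: bytes, position: int) -> bool:
    """Flip one bit at `position` of an authenticated ciphertext; EtM must reject it."""
    blob = bytearray(etm_encrypt(k_enc, k_mac, m))
    blob[position] ^= 0x01
    return etm_decrypt(k_enc, k_mac, bytes(blob)) is None


if __name__ == "__main__":
    k_enc, k_mac = generate_keys()
    m = b"transfer 100 to alice"   # constructed sample message
    blob = etm_encrypt(k_enc, k_mac, m)
    print(etm_decrypt(k_enc, k_mac, blob) == m)                 # True
    print(tampering_is_rejected(k_enc, k_mac, m, 0))            # True: the nonce is covered too
    print(tampering_is_rejected(k_enc, k_mac, m, NONCE_LEN))    # True: first ciphertext byte
```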

MAC-then-Encrypt

MtE is not generally secure:

1. The attack POODLE on SSL 3.0;

2. Padding oracle timing attack in TLS 1.0;

3. Informative error messages in TLS 1.0.

There are secure instances of MtE:

1. The randomized counter mode of the cipher assures AE security.

References

AlFardan, N., Bernstein, D. J., Paterson, K. G., Poettering, B., and Schuldt, J. C. N. (2013). On the security of RC4 in TLS. In 22nd USENIX Security Symposium (USENIX Security 13), pages 305–320, Washington, D.C. USENIX Association.
Barkan, E., Biham, E., and Keller, N. (2003). Instant ciphertext-only cryptanalysis of GSM encrypted communication. In Boneh, D., editor, Advances in Cryptology - CRYPTO 2003, pages 600–616, Berlin, Heidelberg. Springer Berlin Heidelberg.
Bernstein, D. J. (2008a). ChaCha, a variant of Salsa20. Technical report, The University of Illinois at Chicago.
Bernstein, D. J. (2008b). The Salsa20 family of stream ciphers. In Robshaw, M. and Billet, O., editors, New Stream Cipher Designs: The eSTREAM Finalists, pages 84–97, Berlin, Heidelberg. Springer Berlin Heidelberg.
Bernstein, D. J. (2013). Failures of secret-key cryptography. Invited talk to the 20th International Workshop on Fast Software Encryption 2013.
Boneh, D. and Shoup, V. (2020). A Graduate Course in Applied Cryptography. Authors’ website, Version 0.5.

Dworkin, M. (2005). Recommendation for block cipher modes of operation: The CMAC mode for authentication. NIST Pubs 800-30B, NIST. Updated, 2016.
Goldwasser, S. and Micali, S. (1984). Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299.
Krawczyk, H. (2001). The order of encryption and authentication for protecting communications (or: How secure is SSL?). In Kilian, J., editor, Advances in Cryptology — CRYPTO 2001, pages 310–331, Berlin, Heidelberg. Springer Berlin Heidelberg.
Lu, Y., Meier, W., and Vaudenay, S. (2005). The conditional correlation attack: A practical attack on Bluetooth encryption. In Shoup, V., editor, Advances in Cryptology – CRYPTO 2005, pages 97–117, Berlin, Heidelberg. Springer Berlin Heidelberg.
Shannon, C. E. (1949). Communication theory of secrecy systems. The Bell System Technical Journal, 28(4):656–715.
