Introduction to Modern Cryptography

Lecture 2
: Symmetric Encryption
Stream & Block Ciphers

Stream Ciphers
Start with a secret key (seed)
Generate a keying stream
i-th bit/byte of keying stream is a function
of the key and the first i-1 ciphertext bits.
Combine the stream with the plaintext to
produce the ciphertext (typically by XOR)

Example of Stream Encryption

Key

Stream

Plaintext
=
Ciphertext

Example of Stream Decryption

Key

Stream

Ciphertext
=
Plaintext

Real Cipher Streams

Most pre-WWII machines

German Enigma
Linear Feedback Shift Register
A5 encrypting GSM handset to base
station communication
RC-4 (Rons Code)

Terminology
Stream cipher is called synchronous
if keystream does not depend on the
.plaintext (depends on key alone)
.Otherwise cipher is called asynchronous

Current Example: RC-4

Part of the RC family
Claimed by RSA as their IP
Between 1987 and 1994 its internal was not
revealed little analytic scrutiny
Preferred export status
Code released anonymously on the Internet
Used in many systems: Lotus Notes, SSL,
etc.

RC4 Properties
Variable key size stream cipher with byte oriented
operations.
Based on using a random looking permutation.
8-16 machine operations per output byte.
Very long cipher period (over 10100).
Widely believed to be secure. Used for encryption in
SSL web protocol.

RC-4 Initialization
1. j=0
2. S0=0, S1=1, , S255=255
3. Let the key be (bytes) k0,,k255 (repeating
bits if necessary)
4. For i=0 to 255

j = (j + Si+ ki) mod 256

Swap Si and Sj

RC-4 Key-stream Creation

Generate an output byte B by:
i = (i+1) mod 256
j = (j +Si) mod 256
Swap Si and Sj

t = (Si + Sj) mod 256

B = St

B is XORed with next plaintext byte

Block Ciphers
Encrypt a block of input to a block of output
Typically, the two blocks are of the same
length
Most symmetric key systems block size
is 64
In AES block size is 128
Different modes for encrypting plaintext
longer than a block

Real World Block Ciphers

DES, 3-DES
AES (Rijndael)
RC-2
RC-5
IDEA
Blowfish, Cast
Gost

ECB Mode Encryption

(Electronic Code Book)
P1

P2

P3

Ek

Ek

Ek

C1

C2

C3

encrypt each plaintext block separately

Properties of ECB

Simple and efficient

Parallel implementation possible
Does not conceal plaintext patterns
Active attacks are possible (plaintext can be
easily manipulated by removing, repeating,
or interchanging blocks).

CBC Mode Encryption

(Cipher Block Chaining)
S0

P1

P2

P3

Ek

Ek

Ek

C1

C2

C3

Previous ciphertext is XORed with current plaintext before

.encrypting current block
.An initialization vector S0 is used as a seed for the process
.Seed can be openly transmitted

Properties of CBC

Asynchronous stream cipher

Errors in one ciphertext block propagate
Conceals plaintext patterns
No parallel implementation known
Plaintext cannot be easily manipulated.
Standard in most systems: SSL, IPSec etc.

OFB Mode
(Output FeedBack)

An initialization vector s0 is use as a

``seed' for a sequence of data blocks si

Properties of OFB

Synchronous stream cipher

Errors in ciphertext do not propagate
Pre-processing is possible
Conceals plaintext patterns
No parallel implementation known
Active attacks by manipulating plaintext are
possible

AES Proposed Modes

CTR (Counter) mode (OFB modification):
Parallel implementation, offline preprocessing, provable security, simple and
efficient
OCB (Offset Codebook) mode - parallel
implementation, offline preprocessing,
provable security (under specific
assumptions), authenticity

Strengthening a Given Cipher

Design multiple key lengths AES
Whitening - the DESX idea
Iterated ciphers Triple DES (3-DES),
triple IDEA and so on

Triple Cipher - Diagram

P
Ek1
Ek2
Ek3
C

Iterated Ciphers
Plaintext undergoes encryption repeatedly
by underlying cipher
Ideally, aach stage uses a different key
In practice triple cipher is usually
C= Ek1(Ek2(Ek1(P))) [EEE mode] or
C= Ek1(Dk2(Ek1(P))) [EDE mode]
EDE is more common in practice

Necessary Condition
For some block ciphers iteration does not
enhance security
Example substitution cipher
Consider a block cipher: blocks of size b
bits, and key of size k
The number of all possible functions
mapping b bits to b bits is (2b)2
b

Necessary Condition (cont.)

The number of all possible encryption functions
(bijections) is 2b!
The number of encryption functions in our cipher
is at most 2k.
Claim: The bijections are a group G under the
operation (composition)
Claim: If the encryptions of a cipher form a subgroup of G then iterated cipher does not increases
security.

Meet in the Middle Attack

Double ciphers are rarely used due to this
attack
Attack requires
Known plaintext
2k+1 encryptions and decryptions
|k|2|k| storage space

A square root of trivial attacking time at the

expense of storage

Meet in the Middle (cont.)

Given a plaintext-ciphertext pair (p,c)
Compute & store the table of Dk2(c) for all k2

takes 2k decryptions, |k|2|k| storage.

For every k1, test if Ek1(p) is in table
Every hit gives a possible k1,k2 pair
May have to repeat several times

Meet in the middle is applicable to any iterated

cipher, reducing the trivial processing time by 2 k
encryptions

Two or Three Keys

Sometimes only two keys are used in 3DES
Identical key must be at beginning and end
Legal advantage (export license) due to
smaller overall key size
Used as a KEK in the BPI protocol which
secures the DOCSIS cable modem standard

Adversarys Goals
Final goal: recover key
Intermediate goals:

Reduce key space

Discover plaintext patterns
Recover portions of plaintext
Change ciphertext to produce meaningful
plaintext, without breaking the system
(active attack)

Generic Attacks
Exhaustive search
Type: ciphertext only
Time: 2|k| decryptions per ciphertext
Storage: constant

Table lookup
Type: chosen plaintext
Time: offline 2|k| decryptions, online constant
Storage: 2|k| ciphertexts

The Problem
Break ECB mode (known fixed cleartext
header)
The idea:
Define f(k) = Enck(constant)
Invert f(k)

New Problem: Invert f

Time/Space Tradeoffs
1st Simple solution:
Time 2|k| - exhaustive search per message

2nd Simple solution:

Precompute all 2|k| values of f(k)

Store in lookup table (hash table)
Requires O(1) time per inversion
Requires space O(2|k|)

?Hellman (again): can we do better

If it so happened that f is a permutation:
Choose L=2|k|/2 random start points s1, , sL
For every such point, compute ti=f(f(f(si))),
repeated L times.
Store a lookup table of values (ti,si), i=1, , L,
indexed by ti.

Searching for k given f(k)

Let s=x = f(k)
Repeat until f(x) = s, if f(x) = s then x = k
If x = ti for some i, let x = si
otherwise let x = f(x)

Claim: for an arbitrary permutation and

arbitrary k, the probability that this inverts k
is constant

?Why
Values of f(k) on a small cycle will be inverted
Consider what happens when we add the ith chain
(si, ti):
If we cover a constant times L new values then were
done
If not, assume that the previous chains have covered
less than a constant of the L2 values
The uncovered values must themselves lie on chains whose
average length is a constant times L (as all values lie on some
chain)
Thus, we have a constant probability of covering at least a
constant fraction of L new values

All this does not work when f is not

a permutation
Hellmans ingenious idea:
Dont invert f(x), invert g(f(x)) for some known
random function g.
Obviously, if you can invert g(f(x)) then you
can invert f(x).
Note that if f is not a permutation then g(f) is
not a permutation either

Inverting g(f(x))
Not a permutation:
Choose L=2|k|/3 random start points s1, , sL
For every such point, compute ti=f(f(f(si))), repeated
L times.
Store a lookup table of values (ti,si), i=1, , L, indexed
by ti.

Claim: we cover by chains at least a constant

fraction of L2 = 22|k|/3
Consider the last chain added, weve covered at
most 22|k|/3 values until now, so with constant
probability, the new L=2|k|/3 values on the new chain
will be entirely new.

Hellmans next idea

Use many different gs
Every g will cover a random 22|k|/3 set of values.
So, choose L=2|k|/3 gs

Space required: L2 = 22|k|/3

Time required: L2 = 22|k|/3