The Role of Latin Square in Cipher Systems: A Matrix Approach to Model Encryption Modes of Operation

Transcription

1 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT The Role of Lati Square i Cipher Systems: A atrix Approach to odel cryptio odes of Operatio Jieju og Computer Sciece Departmet Uiversity of Califoria, Los Ageles jkog@csuclaedu Abstract This paper studies the theoretic backgroud of cryptographic modes of operatio, i particular those modes proposed to esure message privacy A ovel algebraic model is preseted as a archetype of ecryptio desig I the ideal case, ecryptig multiple messages is treated as iductively applyig the algebraic operatio, a operatio correspodig to block-by-block processig, o Lati Squares over a sequece of fiite groups {, 2, 3,, } We further show that a Lati Square cipher is a ewly discovered hard-core fuctio for ay strog oe-way legth-preservig fuctio Based o the discovery, we propose a thesis that ecryptio modes of operatio should implemet cryptographically strog pseudoradom geerators i the ideal case, so that the radom oracle model ca be used to justify the practice of replacig Lati Square ciphers with good implemetatios (eg, AS) Fially we preset a cryptaalysis of NIST s stadard modes of operatio based o this work The algebraic model shows that, eve whe a ideally strog oe-way fuctio is used, oe of NIST s stadard modes of operatio (OFB, CFB, CTR, CBC) ca produce cryptographically strog pseudoradom esembles based o the ideal oe-way fuctio the distictio of this work is to use formal method (rather tha empirical attacks) to illustrate the desig flaws i the stadard modes of operatio As umerous security protocols are usig the flawed modes of operatio, we argue that these atioal stadards should be repaired, ad efficiet repairs (double ecryptio) ca be easily achieved I INTRODUCTION A fudametal problem i cryptography is usig a sigle secret key to process multiple messages i a cipher system with fiite domai ad rage Assumig a reasoable key lifetime, applicatios like data ecryptio, cryptographically strog hashig, timestamped multiple data sigig demad a cipher system to maitai its security stregth eve whe the same secret key is used may times I the real world, cryptographic modes of operatio have bee widely used i practice to esure privacy ad itegrity by reapplyig the same secret key multiple times This paper focuses o privacy orieted modes of operatio (eg, CBC, CFB, OFB modes, but ot CBC-AC, OCB modes etc) ad preset a algebraic aalysis of commo modes of operatio i use Though some literatures [5][1] have addressed the same problem by both empirical ad theoretic aalysis, oe of them has followed the same algebraic approach used i this work I our algebraic otatios, realizig a ideal radom oracle is equivalet to implemetig a good oe-way fuctio over the fiite group The we defie a ovel operatio omial costructio that iductively chages the base fiite group to a sequece of fiite groups {, 2, 3,, } The operatio is a welldefied algebraic operatio o square matrices, ad the iductio is redered o Lati Squares, which are specific kid of square matrices correspodig to the cocept of perfect system (or a collectio of trapdoor permutatios with uiformly distributed key) [20] By the algebraic model, usig the ideal Lati Square radom oracles to ecrypt multiple blocks of data is equivalet to performig a sequece of omial costructios over the sequece of fiite groups We show that Lati Squares with ivariace properties ca be used to costruct a cryptographically strog pseudoradom geerator (CSPRG) The costructio itself, though studied uder ideal coditios i this paper, ca be applied uder radom oracle model[2] to justify ecryptio modes of operatio desig i the real world The applicatios of this algebraic model is demostrated by related cryptaalysis agaist atioal stadard modes widely used i the real world ve whe a ideally strog oe-way fuctio is used, oe of NIST s stadard

2 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT modes of operatio (OFB, CFB, CTR, CBC) ca produce cryptographically strog pseudoradom esembles based o the ideal oe-way fuctio As umerous security protocols are usig the flawed modes of operatio, we argue that these atioal stadards should be repaired, ad we show at least two efficiet repairs ca be easily achieved The remaiig of the paper is orgaized as follows: Sectio II explais the otatios used i this paper, i particular the algebraic ecryptio model, perfect system, ad Lati Square ciphers The Sectio III itroduces a ew operatio omial costructio ad aalyzes its algebraic properties Based o the ew otios, Sectio IV defies the cocept of pseudoperfect system I Sectio V ad VI we show how to costruct cryptographically strog pseudoradom geerators from Lati Square ciphers I Sectio VII we discuss the desig flaws of NIST s stadard modes of operatio ad the potetial repairs Ad fially Sectio VIII cocludes the paper A Commo otatios II NOTATIONS Let S q deote a fiite set of size q A fuctio f : S q S q maps a elemet i S q to aother elemet Let F q be the set of all q q fuctios mappig S q ito S q Let P q F q be the set of q! such fuctios that are permutatios Let U deote selectig a elemet from a set followig uiform distributio, for example, x U S q We operate o specific fiite sets kow as strigs S 2 = Z 2 deotes the set of all 2 biary strigs of legth, ad Z + 2 deotes biary strigs of ay legth (the symbol + deotes iteger additio elsewhere, ad the symbol or deotes iteger multiplicatio except i the otio of multiplicative group Z ) Similarly, let r be ay positive iteger greater tha 1 S r = Z r deotes the set of all r r-ary strigs of legth (ie, r is the radix), ad Z + r deotes r-ary strigs of ay legth A algebraic represetatio of Z r is, ie, the set {0, 1,, r 1} as we ca treat r as radix ad strigs as umbers i positio system Hece the strig compariso operator is defied as the iteger compariso operator i r-ary positio system 1 A (edomorphic) ecryptio/ecipher fuctio is deoted as T : S q S q S q That is, by usig a key k S q, a plaitext m S q is ecrypted ito ciphertext e = T (k, m) S q Due to Curry s work [6], for ay fuctio f defied o a tuple type D 1 D 2 ad with retur type R, f : (D 1 D 2 ) R there is a high-order fuctio F defied o the first domai that returs a fuctio defied o the secod domai ad with retur type R: F : D 1 (D 2 R) The secod fuctio F is called the curried versio of the first fuctio f, ad f is called the ucurried versio of F 2 Later we will write the fuctio retured by F as f D1 We obtai the curried result of the ecipher T Ituitively, the first argumet (ie, the key) is writte as a subscript, T k I this otatio, T k : S q S q may be thought of as a set of q fuctios idexed by key ad is a subset of F q Similarly, if we defie its couterpart fuctio T (m, k) = T (k, m) ad obtai the curried result of the couterpart T m : S q S q, the result is a set of q fuctios idexed by plaitext The matrix represetatio of a ecryptio fuctio T : S q S q S q is a square matrix 3 L T over S q : k = k 1 k 2 k q m = m 1 m 2 m q e = e k1,m 1 e k1,m 2 e k1,mq e k2,m 1 e k2,m 2 e k2,mq e kq,m1 e kq,m2 e kq,mq 1 Aother algebraic represetatio of (a 1 a 1a 0) Z r is a polyomial f(r) = a 1 r a 1 r + a 0 where a i is from the commutative rig Z r is a special polyomial rig [x] with x = r 2 I this paper we itroduce Curry s work to avoid usig the cumbersome otatio of collectio of fuctios, which is actually a fuctio ucurried o the collectio idex 3 Later i the paper we will use a cipher system T ad the correspodig square matrix L T as syoyms

3 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT I a matrix L, let L x,y deote the elemet at row by x ad colum idexed by y I the matrix, distict keys k i S q costitute the row idices, distict plaitexts m j S q costitute the colum idices, ad every ciphertext e ki,m j = L T k i,m j = T (k i, m j ) S q Note that the base set S q of a cipher system sufficietly determies the dimesios of the correspodig square matrix Thus we do ot explicitly specify the dimesios of a square matrix as i other literatures The decryptio/decipher fuctio is deoted as T 1 with idetical domai ad rage as T For ay k, there is a k 1, such that T 1 k T 1 k = I where deotes fuctio compositio ad I is the idetity trasformatio I(x) = x The geeral model does ot require k = k 1 or T = T 1 : For public key schemes, there exists a polyomial-time algorithm that ca obtai the ecryptio/verificatio/public key k from the decryptio/sigig/private key k 1 But for sufficietly large q, there exists o polyomial-time algorithm that ca obtai the private key k 1 from the public key k (ie, it is oe-way) For symmetric key schemes, T = T 1, ad there is a polyomial-time algorithm that ca obtai k ad k 1 from each other B Perfect System ad Lati Square Shao [20] developed a mathematical theory for cryptography based o iformatio theory For radom variables,, mappig ito spaces = = = S q, respectively, the etropy differece A(, ) = H() H( ) is the amout of iformatio about which the adversary obtais A perfect system is oe i which A(, ) is zero, ie, H() = H( ) That is, if the secret key k is uiformly chose from the key space, the a adversary with ay ciphertext has o choice but to select the pre-image plaitext followig uiform distributio Shao also proved that H() = H( ) is a ecessary ad sufficiet coditio for A(, ) = 0 ore formally, we defie perfect system usig radom variables: Defiitio 1: (Perfect System): Give a pair of fuctios T : S q S q S q ad T 1 : S q S q S q, the system T, T 1 is a perfect system if the followig coditios hold: 1) Idetity trasformatio: For ay k S q, there exists k 1 S q, k 1 ca be computed i polyomial time from k For ay m S q, T 1 (k 1, (T (k, m))) = m 2) Trasitivity of uiform distributio: Let U q be a radom variables followig uiform distributio over S q The both T (U q, m) ad T (m, U q ) are radom variables followig uiform distributio over S q Similarly, both T 1 (U q, m) ad T 1 (m, U q ) are radom variables followig uiform distributio over S q 3) Uiformly distributed key: k U S q That is, the key k is truly radom A importat property of perfect system is trasitivity of uiform distributio, that is, give a arbitrary plaitext m, a perfect system will uiformly map it ito ay possible ciphertext because of the uiformly selected key The correspodece betwee Lati Square ad perfect system was also show i the same referece [20] I this paper a perfect system is treated as a special Lati Square cipher with truly radom keys I other words, a Lati Square cipher is a sub-perfect system operatig o possibly o-truly radom keys Defiitio 2: (Lati Square): A Lati Square over S q is a q q matrix L over S q whose etries are take from S q ad which has the property that each symbol from S q occurs exactly oce i each row ad exactly oce i each colum of L I formal otios, (1) L i1,j = L i2,j if ad oly if i 1 = i 2 ; (2) L i,j1 = L i,j2 if ad oly if j 1 = j 2 I additio, if the base set S q of a square matrix is a totally ordered set (eg, S r = Z r ), the the matrix s row idices ad colum idices are totally ordered If the square matrix is a Lati Square, it ca be ormalized/reduced Defiitio 3: (Normalized Lati Square): A ormalized (or reduced) Lati Square over a totally ordered set S q has both its first row ad first colum ordered by the elemet compariso operatio of the set xample 1: A ormalized Lati Square over S 2 2 = Z 2 2 is:

4 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT k = m = e = By the matrix represetatio of cipher systems, Lati Squares over S q becomes a collectio of permutatios idexed by either the key k or the plaitext m T k, the curried result of T, is the set of rows that are mappigs betwee plaitext m ad ciphertext e T m, the curried result of the couterpart T (m, k) = T (k, m), correspods to the set of colums that are mappigs betwee ciphertext e ad key k It is importat to poit out that amog q! permutatios i P q, there are oly q of them are qualified to be a row or a colum i the Lati Square They must pairwisely map distict plaitexts (or keys) ito distict ciphertexts ] It is easy to verify that the bitwise exclusive- OR operatio is a implemetatio of the Lati Square ] implemetatio of the Lati Square over Z 1 2 [ [ over S 2 1 = Z 1 2, ad the egatio of is a III NOINAL CONSTRUCTION I this sectio we defie a ew operatio o matrices ad the study its algebraic properties I the ext sectio we will show the correspodece betwee this operatio ad empirical practice Defiitio 4: (Nomial Costructio): Give a x a y a matrix A over Z a r ad a x b y b matrix B over Z b r, the omial costructio o A with B geerates a (x a x b ) (y a y b ) matrix C = A B over Z a+b r : 1) Iitializatio: C has x b y b sub-matrices of dimesio x a y a Let C(i, j ) deote the sub-matrix at i -th row ad j -th colum at the graularity of sub-matrix ach of the sub-matrix is iitialized as A I other words, C(i, j ) i,j = A i,j ad i shorthad C(i, j ) = A 2) Prefix: ach elemet of a sub-matrix is prefixed with the correspodig elemet i B I other words, each elemet i C(i, j) is prefixed with B s elemet B i,j A algebraic represetatio of the etire procedure is C(i, j ) i,j = r a B i,j + A i,j ore precisely, let x/y be the quotiet of iteger divisio ad x%y be the remaider of iteger divisio, C i,j = r a B i/xa,j/y a + A i%xa,j%y a Note that each elemet i A, B, C is a strig comprised of r-ary itegers A matrix elemet of legth is i the set Z r Z + r xample 2: Here is a example of omial costructio o a 2 2 matrix over Z 1 2 with a 2 3 matrix over Z1 2 The result is a 4 6 matrix over Z 2 2 [ ] [ ] = Theorem 5: Give a Lati Square A over Z a r ad a Lati Square B over Z b r, the omial costructio o A with B geerates a ew Lati Square C = A B over Z a+b r Proof: Ay two elemets at C s same row will be differet followig either of the two cases: (1) They are i differet sub-matrices, thus the prefix is differet because B is a Lati Square; (2) They are i the same sub-matrix, thus the iitialized part is differet because A is a Lati Square The same argumet also applies to ay two elemets at same colum Thus C is a Lati Square ach elemet of C has a r-ary itegers i its iitialized part, ad b r-ary itegers i its prefix part It is a strig of r-ary itegers i legth a + b Corollary 6: Give a ormalized Lati Square A over Z a r ad a ormalized Lati Square B over Z b r, the omial costructio o A with B geerates a ew ormalized Lati Square C = A B over Z a+b Proof: By Theorem 5, C is a Lati Square over Z a+b r r

5 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT The first row of C is ordered because: (1) the most sigificat b r-ary itegers of the row elemets are ordered because B is a ormalized Lati Square; (2) the least sigificat a r-ary itegers of the row elemets are ordered because A is a ormalized Lati Square The same argumet also applies to the first colum Thus C is a ormalized Lati Square Give certai iductio bases, omial costructio ca be used to costruct algebraic structures Defiitio 7: (Biary 1-power Nomial Lati Squares): For all x 1, a biary 1-power omial Lati Square L (x) 2,1 is over the set Zx 2 ad costructed by mathematical iductio i exactly x rouds: ] ] or The geerator L (1) 2,1 is either of the two Lati Squares over Z1 2, ie, [ L (x+1) 2,1 is costructed as the omial costructio o L (x) 2,1 with L(1) 2,1 That is, L (x+1) 2,1 = L (x) 2,1 L(1) 2,1 I particular, the ormalized biary 1-power omial Lati Square L N(x) 2,1 is uiquely costructed from the ormalized oe [ Ay L N(x) 2,1 is ormalized by costructio accordig to Corollary 6 For example, The simplest costructio is ] L N(2) 2,1 = [ Later i this paper we will show the relatio betwee stream ciphers ad L N(x) 2,1 It is easy to verify that forms a Abelia semigroup o biary 1-power omial Lati Squares Theorem 8: L 2,1, forms a ifiite Abelia semigroup o omial Lati Squares L 2,1 = i=1 L(i) 2,1 Proof: Give ay biary 1-power omial Lati Square A = L (a) 2,1, ad ay biary 1-power omial Lati Square B = L (b) 2,1 Their omial costructio Y = A B is i the set Y = L (1) (1) ( 2,1 L(1) 2,1 L2,1 L(1) 2,1 = L a+ b ) 2,1 L 2,1 } {{ } a } {{ } b A B = L (a+b) 2,1 = L (b+a) 2,1 = B A, so is commutative For ay biary 1-power omial Lati Square C = L (c) 2,1, (A B) C = A (B C) = L(a+b+c) 2,1 Thus is associative ore geerally, if the geerator L (1) 2,1 of the semigroup L 2,1 is substituted with a arbitrary Lati Square L (1) r, over Z r, we have followig defiitios ad theorems Defiitio 9: (r-ary -power Nomial Lati Squares): A r-ary -power omial Lati Square L r, (x) is over the set Z x r ad costructed by mathematical iductio i exactly x rouds: The geerator L (1) r, is a arbitrary Lati Square over Z r L (x+1) r, is costructed as the omial costructio o L (x) r, with L (1) r, That is, L r, (x+1) = L r, L (x) (1) r, Theorem 10: L r,, forms a ifiite semigroup o Lati Squares L r, = i=1 L(i) r, Proof: The proof is idetical to the proof of Theorem 8, except ay occurrece of 2, 1 is replaced by r, (which meas the term bit is replaced by r-ary iteger ad bit-legth is ot always 1) Ituitively, the closure law of semigroup esures that all members of this semigroup share system-level property with its geerator Ad the associativity law of semigroup esures the order of operatios is trivial These laws are useful i costructig the pseudoperfect systems described below A Costructio of Pseudoperfect System IV PSUDOPRFCT SYST We employ radom oracle model [2] ad assume the existece of a ideal implemetatio of Lati Square The radom oracle is amed as Lati Square Oracle ad will be replaced by actual implemetatios followig the radom oracle model

6 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT Defiitio 11: (Lati Square Oracle): A r-ary -power Lati Square Oracle () is a radom oracle that implemets L (1) r,, ie, a arbitrary Lati Square over Z r By the radom oracle model we assume such a L T = L (1) r, is realizable Now we show that the empirical method of processig data block-by-block actually correspods to omial costructio Defiitio 12: (Little-edia System): Let B 0, B 1,, B x 1 deote a sequece of x blocks of bits (ie, strigs from Z + 2 ), ad b i(0), b i(1),, b i( 1) deote the bits of block B i A little-edia system stores the blocks from left to right accordig to the order of block idex, with the leftmost B 0 as the least sigificat block ad rightmost B x 1 as the most sigificat block Withi each block, the storage is implemetatio-defied, with b i( 1) as the most sigificat bit ad b i(0) as the least sigificat bit If we replace each bit with r-ary iteger, we obtai a little-edia system over Z + r Such storage protocol is eeded i computer systems to store multiple blocks of data ad a block is ormally called a byte For example, a hexadecimal bit sequece of multiple bytes 0x is stored as i little-edia systems 4 Defiitio 13: (Pseudoperfect System): Let x be a polyomial A r-ary -power omial system of polyomial degree is a cipher system that uses r-ary -power to produce x log r-ary ciphertext from x log r-ary plaitext ad x log r-ary key The ecryptio is accomplished i exactly x rouds: For all 1 i x, the ciphertext block B i is produced by the L T from the plaitext block B i ad the key block B i A r-ary -power pseudoperfect system of polyomial degree is a omial system of the same metrics, ad the x log r-ary key is geerated from a log r-ary truly radom key by a pseudoradom geerator (PRG) If the PRG is cryptographically strog (ie, CSPRG, so o Turig-complete algorithm ca differetiate the pseudoradom result from truly radom itegers with o-egligible probability), the the system is called r-ary -power cryptographically strog pseudoperfect system of polyomial degree Figure 1 depicts a r-ary -power pseudoperfect system Note that it is ot allowed to chage the implemetatio of durig the etire process, that is, the same is used to process all blocks We prove that the omial system, the costructio depicted iside the solid lie i Figure 1, is a Lati Square Theorem 14: A r-ary -power omial system of degree x costitutes a Lati Square cipher over Z x r Proof: We prove the theorem by iductio: (1) If x = 1, L T is a perfect system, the theorem is true by assumptio; (2) Suppose the theorem is true whe x = l, we deote the correspodig perfect system ad as T ad L T, respectively For x = l + 1, the procedure adds a ew most sigificat bits to the plaitext, key, ad ciphertext, respectively Let B l deote the ew block i the plaitext, B l deote the ew block i the key, ad B l deote the ew block i the ciphertext Without loss of geerality, the procedure is divided ito two steps: We use the L T to produce B l from B l ad B l I little-edia systems, this step produces the most sigificat bits of the ciphertext from the most sigificat bits of the key ad the plaitext This is equivalet to idetifyig a sub-lati-square from the r r choices that i tur were created i the prefixig step of omial costructio We use the L T to process the remaiig least-sigificat l blocks as usual I other words, o chage is made i processig the least sigificat l bits of ciphertext from the key ad the plaitext This is equivalet to applyig the Lati Square created i the iitializatio step of omial costructio Accordig to Theorem 10, the closure law of L r,, esures the result is exactly the Lati Square L r, (x) Like a perfect system, a pseudoperfect system is also a Lati Square cipher The differece betwee them is how the iput key is chose: (1) For a perfect system, the x log r-ary key is truly radom; (2) For a pseudoperfect system, the iput key is ot truly radom But if the PRG geerates a cryptographically strog pseudoradom esemble, the the x log r-ary key is a pseudoradom sequece that caot be differetiated from truly radom sequece 4 The storage model is for the ease of presetatio oly If we use big-edia systems (ie, blocks are stored i reversed order), the the prefix operatio i Defiitio 4 should be chaged to postfix operatio, ad the compariso operator should be re-defied

7 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT seed key r ary itegers r ary itegers PRG keystream x r ary itegers plaitext x r ary itegers r ary itegers r ary itegers r ary itegers r ary itegers ( x is a polyomial) r ary itegers r ary itegers = Z xz (,) Z x r x r x r x x x ciphertext x r ary itegers r ary itegers Nomial System Pseudoperfect System r ary itegers r ary itegers Fig 1 Costructio of Pseudoperfect System by ay Turig-complete algorithm i polyomial time Cryptographically strog pseudoperfect system is the ideal case of ecryptio modes of operatio This algebraic view of modes of operatio is more geeral tha the classic otio of oe-time pad (OTP) I a pseudoperfect system, L T is a Lati Square over Z r for ay r ad ay The geerator L (1) 2,1 (implemeted by bitwise exclusive-or ) used i OTP is merely a special case I OTP, r = 2 ad = 1 Give the cipher T ad a kow-plaitext m, T m must be oe-way to prevet the adversary from discoverig the key However, there is o practical way to implemet a oe-way L (1) 2,1, which is vulerable to exhaustive search I pseudoperfect system, r ad ca be sufficietly but reasoably large We will show below that a large r-ary -power oe-way ca be realized ad ca be replaced by some good implemetatios of oeway fuctio For example, for DLP-based implemetatios, r is a large strog prime ad = 1; for RSA ad Rabi fuctio, r is the product of two large primes ad = 1; for AS, r = 2 ad = 128 Breakig the oe-way property of these implemetatios equals to solvig some computatioally hard problems V RLATION BTWN LASO AND ON WAY FUNCTION I this sectio we will firstly propose a slightly modified probabilistic polyomial time model based o wellstudied cocepts i foudatios of cryptography The we will propose useful cocepts eeded to costruct cryptographically strog pseudoperfect systems: (1) The compositio of ay Lati Square cipher ad ay oe way fuctio is yet aother oe way fuctio; (2) Some Lati Square ciphers are oe-way fuctios that ca be used to realize pseudoradom geerator

8 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT A Geeralized probabilistic computatio model ad Oe-way Fuctio (OWF) I our algebraic otatios, realizig a ideal radom oracle is equivalet to implemetig a good oe-way fuctio over the fiite group Z r (ie, ) The cocept of oe-way fuctio is defied o polyomial relatio betwee the iput legth ad output legth Here we follow the commo defiitio [11]: Defiitio 15: (Oe-way Fuctio): A fuctio f : Z + 2 Z+ 2 is a (strog) oe-way fuctio if the followig two coditios hold: 1) asy to compute: There exists a determiistic polyomial-time algorithm A such that o iput x it outputs f(x), ie, A(x) = f(x) 2) Hard to ivert: For every probabilistic polyomial-time algorithm A, every positive polyomial P ( ), ad all sufficietly large, Pr[A (f(u ), 1 ) f 1 (f(u ))] < 1 P () where U deotes a radom variable uiformly distributed over Z 2, ad the auxiliary iput 1 gives the legth of the desired output i uary otatio I particular, ca be replaced by = if f is bijective, ad the auxiliary iput 1 is redudat if the oe-way fuctio is edomorphic f : Z 2 Z 2 The existece of oe-way fuctios is ot prove Yet a umber of cojectured oe-way fuctios are routiely used i commerce ad idustry, such as Discrete Logarithm [8], RSA fuctio [18], Rabi fuctio [16], Feistel structures [10], ad Substitutio-Permutatio Networks ost existig cryptaalysis o their oe-way property is based o biary system If we replace 2 with arbitrary radix r, the we switch the study of oe-way property from Z + 2 to Z+ r This ca be simply justified by chagig the alphabet used i the correspodig probabilistic Turig achies we ca replace the biary alphabet set Z 2 = {0, 1} with the r-ary alphabet set = {0, 1,, r 1}, ad the ew probabilistic Turig achie tosses a r-face dice rather tha a 2-face coi The biary probabilistic Turig achie is a special case of this more geeral computatio model with r = 2 Defiitio 16: (r-ary Bouded-Probability Time, BPP): Let (x) be the radom variable deotig the output of a r-ary probabilistic machie Let Pr[(x) = y] = {d Zt(x) r : d (x) = y} r t(x) where d is a r-face dice throw, t (x) is the umber of dice throws made by o iput x, ad d (x) deotes the output of o iput x whe d is the outcome of its dice throws We say that L is recogized by the r-ary probabilistic polyomial-time Turig achie if for every x L it holds that Pr[ accepts x] P () for every polyomial P ( ) for every x L it holds that Pr[ accepts x] P () for every polyomial P ( ) BPP is the class of laguages that ca be recogized by a r-ary probabilistic polyomial time Turig achie It is clear that the complexity classes of P, NP, PSPAC, NPSPAC are uchaged by choosig differet alphabets i Turig achies oreover, the followig theorem justifies the coclusio that the probabilistic computatio model BPP is also uchaged by radix coversio Theorem 17: Let radom variable X deote the distributio of 1 log r 1 -ary strig x = x 1, x 2,, x 1 If x i U 1, the X ca be reduced i polyomial time to a correspodece Y i r 2 -ary system such that the distributio Y for r 2 -ary strig y = y 1, y 2,, y 2 satisfies y i U 2 Proof: Firstly, we ca treat X s sample space as r1 1 pigeo holes The combiatios of x i s fill the holes oce, hece X is a uiform distributio o Z 1 r 1 For ay x U X, i a little-edia system we have x = x 1 r x 2 r1 1 + x 1, the we chage the represetatio to be y = y 2 r y 2 r2 1 + y 1 To obtai a truly radom variable Y, we ca apply the paddig argumet ad pad some truly radom bits to x The paddig is equivalet to turig the umber of pigeo holes from r1 1 to r2 2 The the radix coversio procedure ca be accomplished i polyomial time by repetitively producig the remaider ad quotiet of x/r 2

9 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT Fially, if y i, y i U 2 ad w is the value ot i the distributio, the there are 0 j< r 2,j i 2 = r2 2 1 empty pigeo holes caused by w, hece Y is ot a uiform distributio over Z 2 r 2 This cotradictio proves y i, y i U 2 A r 1 -ary probabilistic Turig achie ca be viewed as havig two iput tapes: (1) a real r 1 -ary iput x of t (x) legth x ad (2) a uiformly chose d Zr 1 playig the role of a possible outcome for a sequece of dice throws The we ca always covert the iput tape x to its r 2 -ary equivalece with legth x log r2 r 1 ad covert the sequece o dice-throw tape to its r 2 -ary equivalece of legth t (x) log r2 r 1 Polyomial costrait o iput legth is uchaged as P (t (x) log r2 r 1 ) is always a polyomial if P (t (x)) is a polyomial of x I particular, we ca always covert a r-ary radom iput ito the correspodig biary represetatio, the ru biary probabilistic Turig achies to process the iput, ad if ecessary covert the biary result back to the r-ary represetatio Therefore, from this poit o we will discuss oe-way fuctios ad pseudoradom geerators i r-ary systems, where a sigle r-ary iteger plays the role of a biary bit B Compositio of OWF ad The followig theorem shows the relatio betwee oe-way fuctios ad Lati Square ciphers Theorem 18: Fuctio compositios of a bijective edomorphic oe-way fuctio f : Z r Z r ad a {T, T 1 } over Z r are oe-way fuctios That is, {f T k, T k f, f T m, T m f} ad {f T 1 k, T 1 1 k f, f T 1 1 e, Te 1 f} are sets of oe-way fuctios from Z r to Z r Proof: As ay key assigmet always returs permutatio from a Lati Square cipher, we eed to prove permutatios over Z r do ot chage the oe-way property For f T k, the proof is divided ito three steps: 1) As a permutatio o U is also a uiform distributio, V = T k (U ) is a radom variable uiformly distributed over Z r Thus by oe-way fuctio s defiitio, for every probabilistic polyomial-time algorithm A, every positive polyomial P ( ), ad all sufficietly large Pr[A (f(v )) = f 1 (f(v ))] < 1 P () 2) Based o step 1, we eed to prove for all sufficietly large T 1 k 1 (f 1 (f(v ))) = T 1 thus Pr[A (f(v )) = T 1 k 1 (f 1 (f(v )))] < 1 P () k (V ) Let radom variable W deote A (f(v )), the by Lati Square s property, 1 x Z r, Pr[V = x] = Pr[T 1 k (V ) = x] = 1 1 2, Pr[W = V ] = x,y = x,y Pr[W = x] Pr[V = y] χ(x = y) Pr[W = x] Pr[T 1 k 1 (V ) = y] χ(x = y) = Pr[W = T 1 k 1 (V )] < 1 P () 3) Substitute the otatios V ad W by their origis Pr[A (f T k (U )) = (f T k ) 1 (f T k (U ))] < 1 P () The proof for T k f is similar: 1) A T k is a polyomial-time algorithm Thus by oe-way fuctio s defiitio, for every such a probabilistic polyomial-time algorithm A T k, every positive polyomial P ( ), ad all sufficietly large Pr[A (T k (f(u ))) = f 1 (f(u ))] < 1 P () 2) Based o step 1, Pr[A (T k (f(u ))) = f 1 (f(u ))] = Pr[A (T k (f(u ))) = f 1 (T 1 k 1 (T k (f(u ))))] < 1 P ()

10 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT ) Therefore, Pr[A (T k f(u )) = (T k f) 1 (T k f(u ))] < 1 P () The cases for f T m, T m f as well as for the symmetric cases i T 1 {f T 1 k, T 1 1 proved similarly k f, f T 1 1 e, Te 1 f} ca be Theorem 18 meas that fuctio compositio o a does ot chage the oe-way property of ay strog oeway fuctio This stable property implies that fuctio compositio ca be itegrated with omial costructio to realize a stable structure That is, if a also implemets oe-way fuctio, the (1) Shamir [19] proved that the values retured by compositios of such oe-way fuctios are ideed upredictable; (2) ore formally, Yao [21, p88] defied stable oe-way fuctio with ivariace properties ad also showed that ay stable oe-way fuctio f ca be used to costruct a cryptographically strog pseudoradom umber geerator Defiitio 19: (Oe-way Lati Square Oracle): For a Lati Square Oracle OWL that produces ciphertext e = OWL(m, k) from plaitext m ad key k, it is a oe-way Lati Square Oracle () if its curried result OWL m is a oe-way fuctio I other words, it is hard to obtai key k from a pair of kow plaitext ad ciphertext (m, e) Due to erckhoffs desiderata, the key possesses all secrecy i the system, thus cryptaalysts have o chace to gai iformatio of m by obtaiig L T k from the key As a result, for the couterpart fuctio LT (k, m) = L T (m, k), the curried result L T k is assumed to be safe But for the curried result LT m, it should be a oe-way fuctio Here we use a commoly used oe-way fuctio based o DLP to demostrate the existece of upo the existece of OWF Defiitio 20: Let p be a strog prime i the form of 2 p + 1 where p is a large prime Let g be a geerator of the multiplicative group Z p The oe-way fuctio expoetiatio modulo p f : Z p Z p is defied as f(x) = g x mod p Let g be a geerator of the multiplicative group Z p By the fuctio m g k mod p used i l Gamal ecryptio 5 [9], the is comprised of permutatios costructed from differet plaitexts ad differet keys raised to the geerator (usig Z 5 as a example): m = k = e = 1 g 1 2 g 1 3 g 1 4 g 1 1 g 2 2 g 2 3 g 2 4 g 2 1 g 3 2 g 3 3 g 3 4 g lemets at the same colum are distict due to the differet powers raised to the geerator Ay collisio cotradicts the assumptio that g is a geerator lemets at the same row are distict because of the differet plaitexts Ay collisio cotradicts the uiqueess of multiplicative iverse Thus the result is a Lati Square (The last row is always the plaitext itself as g p 1 1 mod p) I additio, key is ot revealed give a kow plaitext-ciphertext pair due to the oe-way property of DLP Not all oe-way fuctios ca realize a ay Feistel structures ad S-P Networks used i commercial software are ot collisio-free If differet keys map same plaitext ito same ciphertext, the the cipher is obviously ot a Lati Square RSA fuctio ad Rabi fuctio operate over multiplicative group Z p q where p ad q are large primes The square matrices correspodig to such ecryptios are also ot Lati Square (due to collisios at the rows ad colums correspodig to p or q s multiples) However, for these two oe-way fuctios, the imperfectess is measurable so that we ca predict how bad it is whe omial costructio is applied o such o-lati square matrices They are good eough approximatio of whe the measured imperfectess is egligible for sufficietly large C Double oe-way Lati Square Oracle (D) I Defiitio 19, the curried result k is ot ecessarily a oe-way fuctio due to erchhoffs desiderata If we igore erchhoffs desiderata ad improve the desig so that k is also a oe-way fuctio, 5 If we defie ecryptio as (m + 1) g k+1 mod p, the schemes based o Z p ca be used to ecrypt messages from Z p 1

11 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT the we obtai double oe-way Lati Square Oracle (D) Defiitio 21: (Double oe-way Lati Square Oracle): For a Lati Square Oracle OWL that produces ciphertext e = OWL(m, k) from plaitext m ad key k, it is a double oe-way Lati Square Oracle (D) if its curried results OWL m ad OWL k are oe-way fuctios I other words, it is hard to obtai key k from a pair of kow plaitext ad ciphertext (m, e), or to obtai plaitext m from a pair of kow key ad ciphertext (k, e) I a D, kowig the cipher key caot decrypt the ciphertext ito plaitext Thus D caot be directly used i symmetric key ecryptio schemes It ca be directly applied i other scearios Oe example is from zero-kowledge protocols [4] For istace, g m+k mod p is a good cadidate for costructig a D For a strog prime p ad geerator g selected i multiplicative group Z p, g m g k = g m+k mod p forms a Lati Square It is hard to obtai k from ay kow pair (m, e), or to obtai m from ay kow pair (k, e) Thus the costructed Lati Square is a D if DLP realizes a good oe-way fuctio Aother example is the oe-way fuctio (g x ) y = g x y mod p used i Diffie-Hellma key exchage protocol For a strog prime p ad geerator g selected i multiplicative group Z p, if the plaitext is ot p 1, that is, m (Z p {p 1}), the g = (g m mod p) is yet aother geerator of Z p Thus g m k mod p forms a Lati Square over the set (Z p {p 1}) The Lati Square ca be used to do key exchage over the set Z p 2 cryptio modes of operatio is also a potetial applicatio for D I stream cipher modes of operatio, pseudoradom keystream is eeded i ecryptio ad decryptio I Sectio VII we will show that flawed NIST s modes of operatio ca be fixed by substitutig with D This repair is ecessary due to the fact that Feistel Structures ad S-P Networks are ot good implemetatio of D Give a kow pair (k, e), it is always easy to obtai the correspodig plaitext m D Depictio of,, ad D Later i this paper we will use the followig depictios to deote,, ad D i modes of operatio desig, where they are cosidered ideal radom oracles that ca be replaced by good eough implemetatios like Feistel structures ad S-P etworks x x D x Fig 2 Depictio of,, ad D over Z r VI PSUDORANDO GNRATOR This sectio discusses how to implemet the pseudoradom geerator (PRG) depicted i Figure 1 ore specifically, we discuss how to realize cryptographically strog pseudoradom geerator (CSPRG) o top of Lati Square ciphers A as hard-core fuctio For a oe way fuctio f, it is ujustified that f(x) will ot leak ay iformatio about ay bit i x However, some specific bits i x or i some efficiet fuctio h(x) may remai hidde, eve if f(x) ad h are give Such a bit/fuctio is cosidered a hard-core for f, ad ca be used to costruct pseudoradom geerators For example, i a biary system, suppose f is a oe-way fuctio ad H is a set of boolea fuctios such that for h H, h(x) is upredictable give f(x), h Ituitively, by the followig procedure we ca produce a radom sequece

12 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT h(x 0 ), h(x 1 ),, h(x m ) that is upredictable i polyomial time (1) Choose a radom h, a radom x 0 ad output h(x 0 ); (2) Update x i+1 = f(x i ) ad output h(x i ) ad repeat this step for i = 0, 1,, m; (3) Publish h For a sigle bit, the hard-core b is called hard-core predicate, which is discovered by Blum ad icali [3] Such b(x) caot be efficietly predicted give oly f(x), thus ca be used to costruct pseudoradom bit geerators I particular, if predicate b(x, r) is defied as the ier product mod 2 of the biary vector x ad r, the the predicate b is a hard-core of ay oe-way fuctio f Defiitio 22: (Hard-core predicate): A polyomial-time-computable predicate B : Z 2 Z 2 Z 2 is called a hard-core of a oe-way fuctio f : Z 2 Z 2 if for every probabilistic polyomial-time algorithm A, every positive polyomial P ( ), ad all sufficietly large s, Pr[A (f(x ), R ) = B(R, f(x ))] < P () where X ad R are two idepedet ad uiformly chose radom variables over Z 2 Goldreich ad Levi [12] proved that B is a hard-core predicate of ay oe-way fuctio if B is defied as ier product mod 2 Hard-core fuctios are similarly defied ad discovered Here we applied a restrictio of edomorphism (ie, f is legth-preservig o fiite iteger groups), sice our cryptaalysis o ecryptio modes of operatio is performed o edomorphic oe-way fuctios Defiitio 23: (Hard-core fuctio): Let f : Z 2 Z 2 be a edomorphic oe-way fuctio Let H : Z 2 Z 2 Zm 2 be a polyomial-time-computable fuctio, where m ad each curried h H is also a polyomial-time-computable fuctio h : Z 2 Zm 2 A ε()-oracle for H is a probabilistic polyomial-time algorithm A such that Pr[A (f(x ), R ) = H(R, f(x ))] 2 m + ε() where X, R are two idepedet ad uiform distributios over Z 2 H is called a hard-core fuctio for f if o ε()-oracle exists for o-egligible ε() Whe m = 1, the hard-core fuctio is called hard-core predicate I our cryptaalysis o ecryptio modes of operatio desig, we are iterested i the case whe m = Theorem 24: A T over Z r is a hard-core fuctio of ay oe-way edomorphic fuctio f : Z r Z r Proof: At first we ca always do radix coversio ad covert a T over Z r to aother equivalet T over Z 2 This ca be doe by extedig the correspodig Lati Square to wide, where = log 2 2 r A T over Z 2 is a sampleable collectio of fuctios We eed to prove the case 2 Pr[A (f(x ), R ) = T (R, f(x ))] < P ( ) for every probabilistic polyomial-time algorithm A, every positive polyomial P ( ), ad all sufficietly large s Because the key follows the uiform distributio R, the costitutes a perfect system Thus T (R, f(x )) also follows uiform distributio due to perfect system s secod property (Defiitio 1) The output of T (R, f(x )) ca oly be predicted with 1 2 < P ( ) probability The polyomial relatio o legth is ot affected if we chage to be by goig back to the r-ary system xample 3: Näslud[13] shows that all bits i a x + b mod p is hard whe p is a prime ad a, b Z p ore formally, let oe way fuctio f be legth-preservig ad = x = f(x) be the security parameter of f, let P k deote the set of primes of legth /k (k < ) The set of fuctios H k 2 = {h(x) = a x + b mod p p U P k, a U Z p, b U Z p } is a hard-core fuctio for ay oe-way fuctio Here the fuctio h U H k 2 For each specific p P k, h(x) = a x + b mod p costitutes the followig Lati Square (the mod p part is omitted i the matrix for ease of presetatio):

13 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT a = 0 1 p 1 b = 0 1 p 1 h(x) = 0 x (p 1) x 1 x + 1 (p 1) x + 1 p 1 x + (p 1) (p 1) x + (p 1) (1) It is clear that elemets per colum are distict Whe x mod p 0, x has a uique multiplicative iverse, thus elemets per row are also distict A straight-forward view of Näslud s result is to treat the iput sequece {x i } as a huge umber with hybrid radixes Let a sequece of uiformly selected p 1, p 2,, p m U P k deote the sequece of primes applied o the iput α = x 1, x 2,, x m (ie, p i is used i h for x i, ad truly radom p i is padded if m < m) I Näslud s work α U Z m 2 Usig a method similar to Theorem 17, we firstly covert the represetatio of x to hybrid radixes: i a little-edia system we treat the iput x as the iteger α = x m 2 (m 1) + + x x 1, the we chage the radixes x is represeted as α = x 1 m pm m + + x 2 p1 2 + x 1 This procedure ca be accomplished i polyomial time by paddig some truly radom bits to α ad by repetitively producig the remaider ad quotiet of α/p i for all 1 i m Now we have x i UZ pi, thus h(x i ) UZ pi due to perfect system s property (ie, i Lati Square (1), whe h( ) is always a Lati Square over Z pi ad a, b U Z pi, the result h( ) U Z pi ) I other words, the output is a sequece of truly radom p i -ary itegers However, Näslud s process is slightly differet from the above oe Istead of splittig the etire iput ito flexible blocks i the form of p i -ary itegers, the process is applied o fixed -bit blocks That is, each x i is a -bit iteger Nevertheless, this chage does ot ivalidate the hard-core coclusio Case I: For ay x i mod p i 0 (ie, x i has a multiplicative iverse i Z pi ), othig chages (ote mod p i is omitted i Lati Square (1) for ease of presetatio) Case II: Otherwise (ie, x i mod p i = 0), it is easy to verify that the probability of selectig such x i is oly k 2 < 2, where = x is the security parameter of the oe-way fuctio f This is also a egligible quatity for sufficietly large s We ca use the above aalysis to prove Näslud s Theorem i terms of perfect system Theorem 25: (Näslud s Theorem): For a (strog) oe-way fuctio f, every bit geerated from H2 k is hard Proof: Näslud has already prove this theorem i [13] The sketch previously described i Case I ad II will obtai the same result I the proof we oly use the fact that the set H2 k always returs Lati Square i Case I, ad the probability that H2 k fails to retur Lati Square is egligible (Case II) For Case I, o matter what x i is, as log as x i mod p i 0, we always have a perfect system costituted by a Lati Square ad its uiformly distributed iputs a, b U Z pi ach output h(x i ) is a truly radom p i -ary iteger Thus for every probabilistic polyomial-time algorithm A, every positive polyomial P ( ), ad all sufficietly large > log 2 p i, Pr[A (f(x ), R ) = h(r, f(x ))] < P ( ) For Case II, i the worst case, let s assume that a polyomial time algorithm A ca always differetiate truly radom p i -ary itegers from the oes retured by h(x) This evet happes with probability < 2 for the uiform distributio X Combiig these two quatities, we have Pr[A (f(x ), R ) = h(r, f(x ))] < P ( ) + 2 = P ( ) Due to L Hospital s rule, the quatity 2 is less tha 1 P () for ay polyomial P ( ) ad all sufficietly large The we ca fid a polyomial P 1 such that P ( ) + 1 P ( ) = 1 P ( )

14 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT Theorem 26: (Geeralized Näslud s Theorem): Näslud s Theorem is true if we use aother collectio of Lati Squares to replace the collectio of Lati Squares correspodig to a x + b mod p (ie, collectio of Lati Square (1) actualized o argumet x) Proof: The proof is based o the previous oe sice we do t care about other mathematical properties of a x + b mod p as log as it costitutes a collectio of Lati Squares The theorem geeralizes Näslud s result For example, there is o eed to add the coditio p U P k, a prime costat p P k will ot affect the validity of the theorem I additio, either a, or b, but ot both, ca be a fixed costat U Z p B Cryptographically strog pseudoradom geerator Cryptographically strog pseudoradom geerators ca be costructed upo hard-cores of a oe-way fuctio f The followig costructio is based o Blum-icali pseudoradom geerator [3], except that the hard-core predicate is substituted with a hard-core fuctio Defiitio 27: (Blum-icali pseudoradom geerator): Let f be a edormorphic oe-way fuctio f : Z 2 Z 2 Z 2 Let b : Z 2 Z 2 Zm 2 be a polyomial-time-computable hard-core fuctio of f, ad let P ( ) be a arbitrary polyomial satisfyig P () > Give a truly radom iputs s, x, y U Z 2, the pseudoradom geerator def G is defied as G(s) = σ 1 σ 1 σ P (), where s 0 =s, ad for every 1 i P () it holds that σ i = b(x, s i 1 ) ad s i = f(y, s i 1 ) That is, the algorithm G proceeds as follows: 1) Uiformly choose s 0 U Z 2 2) For i = 1 to P () do σ i b(x, s i 1 ) ad s i f(y, s i 1 ), where x, y U Z 2 3) Output σ 1 σ 1 σ P () G is a cryptographically strog pseudoradom geerator The essetial structure of Blum-icali pseudoradom geerator is depicted i Figure 3 I this paper we cojecture that a valid ecryptio mode of operatio desig must be a cryptographically strog pseudoradom geerator (CSPRG), ad i particular such CSPRG ca be reduced to Blum-icali pseudoradom geerator G s 0 f s 1 f s 2 f f s p() b σ 1 b σ 2 b b σ p() Fig 3 Blum-icali pseudoradom geerator (A biary cryptographically strog pseudoradom geerator) Propositio 28: (Desig thesis of ecryptio modes of operatio): A ecryptio mode of operatio desig should be prove to be equivalet to Blum-icali pseudoradom geerator C Cryptographically strog pseudoperfect system By the help of ideal oracles like,, ad D, we ca costruct cryptographically strog pseudoperfect systems that are equivalet to Blum-icali pseudoradom geerators Figure 4 ad 5 show two equivalet cryptographically strog pseudoperfect systems with key, plaitext, ciphertext depicted i details (they are equivalet due to the symmetric ature of D) I the costructio D is used i places of oe-way fuctio f, ad is used i places of hard-core fuctio b I both figures, y, s, x is istatiated o radom seed key k, radom seed vector v, ad radom plaitext m, respectively

15 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT ( x is a polyomial) seed key repetitio r ary itegers U r, seed vector r ary itegers U r, D x D x D x plaitext U r, U r, U r ary itegers r, = x x x x x x x ciphertext x r ary itegers 1 2 x Fig 4 Usig ad D to implemet Blum-icali pseudoradom geerator (A r -ary cryptographically strog pseudoperfect system) ( x is a polyomial) seed vector r ary itegers U r, seed key repetitio r ary itegers U r, D x D x D x plaitext U r, U r, U r ary itegers r, = x x x x x x x ciphertext x r ary itegers 1 2 x Fig 5 A equivalece of Figure 4 If D is uavailable, for istace, whe Feistel structures ad S-P etworks are used as oe-way fuctios, must be used to costruct cryptographically strog pseudoperfect systems Figure 6 shows the based cryptographically strog pseudoperfect systems Figure 7 ad 8 demostrate two possible mistakes i the costructio: 1) The oly differece betwee Figure 6 ad Figure 7 is the switch betwee ad ports at the top-level As is ot a symmetric structure, the oe depicted i Figure 7 is ot a cryptographically strog pseudoradom geerator sice we caot fid a oe-way fuctio compositio chai at all 2) The oly differece betwee Figure 6 ad Figure 8 is that at bottom-level is replaced by ivertible Thus the keystream fed ito ext fuctio compositio could be revealed by a kow-plaitext attack The the cryptaalyst ca reveal the seed key upo the kowledge (ie, deduce from ad The D-based system i Figure 5 is ot vulerable to this attack)

16 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT ( x is a polyomial) seed vector r ary itegers U r, seed key repetitio r ary itegers U r, x x x plaitext r ary itegers = x x x x U r, x U r, x U r, x ciphertext x r ary itegers 1 2 x Fig 6 Usig to implemet Blum-icali pseudoradom geerator (A r -ary cryptographically strog pseudoperfect system) ( x is a polyomial) seed key repetitio r ary itegers U r, seed vector r ary itegers U r, x x x plaitext r ary itegers = x x x x U r, x U r, x U r, x ciphertext x r ary itegers 1 2 x Fig 7 Not a valid equivalece of Figure 6 A NIST s stadard modes of operatio VII APPLYING TH PSUDOPRFCT SYST ODL IN PRACTIC The pseudoperfect system model proposed i this work ca be used to aalyze stadard ecryptio modes of operatio (OFB,CFB,CTR,CBC) [14], [15] published by Natioal Istitute of Stadards ad Techology (NIST) We will proceed accordig to the followig order: Output-Feedback mode (OFB), Cipher-Feedback mode (CFB), Couter mode (CTR), ad Cipher-Block-Chaiig mode (CBC) Cipher FeedBack (CFB) mode, Output Feedback (OFB) mode, ad Couter (CTR) mode are stream ciphers based o stadard block ciphers A stream cipher is i geeral a pseudoperfect system followig the diagrams depicted i Figure 4 ad Figure 5 The implemetatio of the ivertible is the bitwise exclusive-or operatio Note that a cryptographically strog stream cipher is ot operatig o L N(1) 2,1 Istead, it operates o LN(1) 2, where is the output legth of the oe-way fuctio it employs The legth is determied by cryptographic parameters used

17 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT ( x is a polyomial) seed vector r ary itegers U r, seed key repetitio r ary itegers U r, x x x plaitext r ary itegers = x x x x U r, x U r, x U r, x ciphertext x r ary itegers 1 2 x Fig 8 Pseudoperfect system ot robust agaist kow-plaitext attack ( x is a polyomial) seed key r ary itegers seed vector V V r ary itegers x Z r x keystream x r ary itegers plaitext x r ary itegers = (,) x x x x 1 2 x 1 2 x x x x x ciphertext x r ary itegers 1 2 x 1 x Fig 9 Pseudoperfect system correspodig to CFB mode (r = 2, ot a valid 2 -ary cryptographically strog pseudoperfect system) i a real implemetatio, such as the block size i block cipher based stream ciphers, or the register legth i shift register based stream ciphers Ufortuately, Feistel structures ad S-P etworks implemet rather tha D Whe DS ad AS are used, OFB mode correspods to the system depicted i Figure 7 It implemets a pseudoperfect system, but ot a cryptographically strog pseudoperfect system For CFB mode, it correspods to the system depicted i Figure 9 Agai we caot fid a oe-way fuctio compositio chai eeded i CSPRG CFB mode is ot a cryptographically strog pseudoperfect system CTR mode correspods to the system depicted i Figure 9, where r = 2, is the block cipher s block size, the top-level is costituted by the Lati Square cipher e = (k + m + 1) mod 2 over the set Z 2, the bottom-level is L N(1) 2,, ad the mid-level is DS or AS Agai we caot fid a oe-way fuctio compositio chai eeded by Blum-icali pseudoradom geerator CTR mode is ot a cryptographically strog pseudoperfect system

18 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT ( x is a polyomial) seed key r ary itegers seed couter V V x x x couter plaitext stream x r ary itegers 1 2 x Z r x Z r x Z r x plaitext 1 x r ary itegers = x (,) x x x x 2 x x x ciphertext x r ary itegers 1 2 x Fig 10 Pseudoperfect system correspodig to CTR mode (Not a valid r -ary cryptographically strog pseudoperfect system) m = k = e = CBC mode correspods to the system depicted i Figure 11 Like the previous stream cipher modes, it is ot a cryptographically strog pseudoperfect system due to lack of oe-way fuctio compositio chai ( x is a polyomial) seed key r ary itegers seed vector V r ary itegers plaitext 1 x r ary itegers x 2 x x x plaitext stream x r ary itegers = x (, ) x x x 1 x 2 x x x ciphertext x r ary itegers 1 2 x 1 x Fig 11 Pseudoperfect system correspodig to CBC mode (Not a r -ary cryptographically strog pseudoradom geerator) I a utshell, oe of the NIST s stadard modes of operatio is a cryptographically strog pseudoradom geerator or a cryptographically strog pseudoperfect system They should be replaced by efficiet desigs that are cryptographically strog pseudoperfect systems

19 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT B xemplary repairs fficiet repairs for the stadard modes of operatio are available Figure 6 is a valid desig Let s deote it by key-ecryptio-trasform (T) Compared to CB mode, T ecrypts the seed key before a AS ecryptio ( x is a polyomial) seed key repetitio r ary itegers U r, U r, U r, seed vector repititio r ary itegers U r, x U r, x U r, x plaitext r ary itegers U r, x U r, x U r, x = x x x x x x x ciphertext x r ary itegers 1 2 x Fig 12 Pseudoperfect system correspodig to AONT Figure 12 shows Rivest s All-Or-Nothig-Trasform (AONT) [17][7] Ituitively, AONT ecrypts the plaitext twice It is aother valid desig: (1) The top-level costitutes a oe-way fuctio compositio chai eeded by Blum-icali CSPRG; (2) Give a shared seed key ad seed vector V, the decryptor ca always recover the at bottom-level ad at top-level, the recover the plaitext at the mid-level; (3) The double ecryptios at top ad bottom levels protect the the ad used at the mid-level This avoids the chose-plaitext discussed i Figure 8; (4) fed ito the bottom-level is already a cryptographically strog pseudoradom esemble k is a permutatio that wo t affect the pseudoradomess of this esemble VIII CONCLUSION This work presets a algebraic model for privacy-orieted cryptographic modes of operatio The proposed model extesively explore various roles of Lati Square cipher i formal cryptaalysis We show the relatio betwee Lati Square ciphers ad followig issues: (a) block-by-block ecryptio modes of operatio desig, (2) compositio with oe-way fuctio, (3) hard-core fuctio of oe-way fuctio, ad fially (4) how to costruct cryptographically strog pseudoradom geerators from Lati Square based radom oracles As a result, Lati Square ciphers with ivariace properties ca be used to costruct a cryptographically strog pseudoradom geerator (CSPRG), ad thus a cryptographically strog pseudoperfect system that are treated as the ideal case of ecryptio modes of operatio desig Whe the radom oracles i the ideal case is replaced by good implemetatios like AS, the security of real world modes of operatio desig ca be aalyzed ad challeged We fid desig flaws i NIST s stadard modes of operatio ad show that efficiet repairs are easily achievable

20 UCLA COPUTR SCINC DPARTNT TCHNICAL RPORT RFRNCS [1] Bellare, A Desai, Jokipii, ad P Rogaway A Cocrete Security Treatmet of Symmetric cryptio: Aalysis of the DS odes of Operatio I Symposium o Foudatios of Computer Sciece (FOCS), pages , 1997 [2] Bellare ad P Rogaway Radom Oracles are Practical: a Paradigm for Desigig fficiet Protocols I 1st AC coferece o Computer ad Commuicatios Security (CCS), pages 62 73, 1993 [3] Blum ad S icali How to Geerate Cryptographically Strog Sequeces of Pseudo-Radom Bits Society for Idustrial ad Applied athematics (SIA) Joural o Computig, 13(4): , 1984 [4] D Chaum ad T Pederse Wallet Database with Observers I CRYPTO, pages , 1993 [5] D Coppersmith, D Johso, ad S atyas Triple DS Cipher Block Chaiig with Output Feedback askig IB Research ad Developmet Joural, 40(2): , 1996 [6] H B Curry ad R Feys Combiatory Logic North-Hollad, 1958 [7] A Desai The Security of All-or-Nothig cryptio: Protectig agaist xhaustive ey Search I Bellare, editor, CRYPTO 00, Lecture Notes i Computer Sciece, pages , 2000 [8] W Diffie ad Hellma New Directios i Cryptography I Trasactios o Iformatio Theory, 22(6): , 1976 [9] T l-gamal A Public-key Cryptosystem ad a Sigature Scheme Based o Discrete Logarithms I Advaces i Cryptology UROCRYPT, pages 10 18, 1984 [10] H Feistel Cryptography ad Computer Privacy Scietific America, 228(5):15 23, 1973 [11] O Goldreich Foudatios of Cryptography: Basic Tools Cambridge Uiversity Press, 2001 [12] O Goldreich ad L A Levi A Hard-Core Predicate for all Oe-Way Fuctios I Symposium o the Theory of Computatio (STOC), pages 25 32, 1989 [13] Näslud All Bits i ax + b mod p are Hard I N oblitz, editor, CRYPTO 96, Lecture Notes i Computer Sciece 1109, pages , 1996 [14] Natioal Istitute of Stadards ad Techology FIPS PUB 81: DS odes of Operatio fipspubs/fip81htm, 1980 [15] Natioal Istitute of Stadards ad Techology Recommedatio for Block Cipher odes of Operatio gov/publicatios/istpubs/800-38a/sp800-38apdf, December 2001 [16] O Rabi Digital Sigatures ad Public ey Fuctios as Itractable as Factorizatio Techical Report T-212, Laboratory of Computer Sciece, assachusett Istitute of Techology, 1979 [17] R L Rivest All-or-Nothig cryptio ad the Package Trasform I Biham, editor, FS 97, Lecture Notes i Computer Sciece 1267, pages , 1997 [18] R L Rivest, A Shamir, ad L Adlema A ethod for Obtaiig Digital Sigatures ad Public-ey Cryptosystems CAC, 21(2): , 1978 [19] A Shamir O the Geeratio of Cryptographically Strog Pseudo-Radom Sequeces I S ve ad O ariv, editors, Iteratioal Colloquium o Automata, Laguages ad Programmig (ICALP 81), Lecture Notes i Computer Sciece 115, pages , 1981 [20] C Shao Commuicatio Theory of Secrecy Systems Bell System Techical Joural, 28(4): , 1949 [21] A C-C Yao Theory ad Applicatios of Trapdoor Fuctios (xteded Abstract) I Symposium o Foudatios of Computer Sciece (FOCS), pages 80 91, 1982