Roadmap on symmetric ciphers

Lecture 01: Historical ciphers (badly broken)

Lecture 02:
- OTP (the One Time Pad cipher)
- Perfect Secrecy (first notion of security)
- Stream ciphers (making OTP practical)
- PRG (unpredictable Pseudo Random Generators)
- Attacks!

Lecture 03:
- PRGs, PRFs and PRPs
- Block Ciphers (definition)
- Block Ciphers (examples: DES, AES)
- Block Ciphers (modes of operation: ECB, CBC)
Symmetric Key Cryptography: intuition

The same (shared) secret key is used for both encryption and decryption.

Alice: plaintext "Let's meet at 10am."  --ENCRYPTION with the secret key-->  ciphertext "Cx8, 0_? a tgy1 $abk"  --DECRYPTION with the same secret key-->  Bob: plaintext "Let's meet at 10am."
Symmetric Ciphers: Definition

DEFINITION. A (symmetric) cipher defined over (K, M, C), where K is the key space, M the message space and C the ciphertext space, is a pair of efficient algorithms (E, D) where
  E : K × M → C   and   D : K × C → M,
such that, for all messages m ∈ M and for all keys k ∈ K, it holds that: if E(k, m) = c, then D(k, c) = m.

We can re-write this expression as D(k, E(k, m)) = m: the CORRECTNESS PROPERTY of the cipher.
Symmetric Ciphers: the One Time Pad (OTP) - Vernam 1917 -

The OTP cipher: K = M = C = {0, 1}^n
  E : K × M → C,  E(k, m) = k ⊕ m
  D : K × C → M,  D(k, c) = k ⊕ c

Example:
  msg  0 1 1 0
  k    1 0 1 1
  c    1 1 0 1

CORRECTNESS of the OTP: is D(k, E(k, m)) = m?
  k ⊕ E(k, m) = k ⊕ (k ⊕ m) = m
Quiz 1 (scan the QR code and answer the question, or type the code CRGP363 at http://goformative.com/join)

Is it possible to obtain the key k given a message m and its OTP encryption c?
  No.
  One can retrieve only half of the bits of the key.
  Yes.
  Yes, but only for certain values of m and c.

The correct answer is YES! Why? c = m ⊕ k, so c ⊕ m = (m ⊕ k) ⊕ m = k.

Is the OTP a good cipher?
What is a 'good' cipher? How do we define good?

THE FUNDAMENTAL PROPERTIES OF A (GOOD) CIPHER
1. CORRECTNESS: D(k, E(k, m)) = m.
2. EFFICIENCY: the algorithms E and D run in polynomial time. Formally: there exists a polynomial p(·) such that the algorithms E and D run in time p(n), where n is the length of the algorithms' input.
3. SECURITY: the cipher is secure against some attacks (more details in the next slide).

Principles of Modern Cryptography: if you don't understand what you want to achieve, how can you possibly know when (or if) you have achieved it?
1. Formal Definitions
2. Precise Assumptions
3. Proof of Security
Security Definition (Perfect Secrecy) by Shannon 1949

Intuition: the ciphertext should reveal no information about the plaintext to the eavesdropper Eve.

DEFINITION. A cipher (E, D) defined over (K, M, C) has perfect secrecy if:
  for any m0, m1 ∈ M with len(m0) = len(m1), and for any c ∈ C,
    Pr[E(k, m0) = c] = Pr[E(k, m1) = c],
  where k is chosen uniformly at random from K (i.e., k ←R K).

This is just one definition of security; in the next lectures we will see more!

This implies that the adversary (Eve) who sees only the ciphertext c is not able to determine whether c is an encryption of m0 or of m1.
What does 'uniformly at random' mean? (a.k.a. uniform distribution)

DEFINITION. A probability distribution P over a finite set X is a function P : X → [0, 1] with the following property: Σ_{x ∈ X} P(x) = 1.

A uniform distribution U is a distribution where U(x) is the same value for all x in X.

Example (other distributions): the sum of the values obtained by throwing two dice has a Gaussian (normal) distribution.

Example (uniform distribution): the probability of getting heads when flipping a coin is 1/2, which is also the probability of getting tails.
The OTP has perfect secrecy. Proof: live on the board!

Shannon's Theorem: perfect secrecy implies that |K| ≥ |M| (i.e. the keys must be at least as large as the to-be-encrypted messages).

Corollary: suppose that |K| = |M| = |C|. We have perfect secrecy if and only if each key is used with equal probability 1/|K| and, for any m ∈ M and for any c ∈ C, there exists a unique key k ∈ K such that E(k, m) = c.
Board notes: the OTP has perfect secrecy

Encryption: E(k, m) = k ⊕ m.
Perfect secrecy asks: for all m0, m1 with len(m0) = len(m1) and for all c ∈ C, Pr[E(k, m0) = c] = Pr[E(k, m1) = c].
Think of k as the random variable, with m0 and c fixed: Pr[E(k, m0) = c] is the probability that a random key k encrypts the message m0 into c, i.e.
  Pr[E_OTP(k, m0) = c] = (number of keys that encrypt m0 into c) / (total number of keys) = 1 / |K| = 1 / 2^n,
since the only such key is k = m0 ⊕ c. The same reasoning holds for m1, thus Pr[E(k, m0) = c] = 1 / 2^n = Pr[E(k, m1) = c].

Board notes: perfect secrecy implies |K| ≥ |M|

STEP 1: |K| ≥ |C|. For every message m, the function E_m : K → C, E_m(k) = E(k, m), is surjective (all different keys give all the ciphertexts), so |K| ≥ |C|. This is true by the definition of perfect secrecy: if, for a fixed message m, some ciphertext c were not in the image of E_m, then Pr[E(k, m) = c] = 0, while for a message that does encrypt to c the probability is non-zero, which contradicts perfect secrecy.
STEP 2: |C| ≥ |M|. For a fixed key k, two different messages must map to two different ciphertexts, otherwise how would we decrypt? (correctness). Hence |C| ≥ |M|.
Together: |K| ≥ |C| ≥ |M|.

Check the additional material for detailed proofs.
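The board argument can be checked mechanically for a tiny block size: with n = 3 the key space has only 8 elements, so Pr[E(k, m) = c] over a uniform k can be computed exactly and Shannon's definition, the corollary's unique-key condition, and the |K| ≥ |M| bound can all be tested directly. This is an added example, not code from the lecture; the "half OTP" counterexample (keys forced to start with 0) is constructed here.

```python
# Checking Shannon's perfect-secrecy definition by exhaustive enumeration.
# Added example, not from the lecture. For a tiny block size n the key space is
# small enough to compute Pr[E(k, m) = c] over a uniform k exactly, so the
# definition (and the corollary's unique-key condition) can be tested directly.
from fractions import Fraction
from itertools import product

def bitstrings(n):
    """All n-bit strings, e.g. bitstrings(2) == ['00', '01', '10', '11']."""
    return ["".join(b) for b in product("01", repeat=n)]

def otp_encrypt(k, m):
    """E(k, m) = k XOR m on bit strings of equal length."""
    return "".join(str(int(a) ^ int(b)) for a, b in zip(k, m))

def ciphertext_distribution(encrypt, keys, m):
    """Map c -> Pr[E(k, m) = c] for k uniform over `keys` (absent c has Pr 0)."""
    dist = {}
    for k in keys:
        c = encrypt(k, m)
        dist[c] = dist.get(c, 0) + Fraction(1, len(keys))
    return dist

def has_perfect_secrecy(encrypt, keys, messages):
    """Definition: for all m0, m1 and all c, Pr[E(k,m0)=c] == Pr[E(k,m1)=c],
    i.e. every message induces the same ciphertext distribution."""
    dists = [ciphertext_distribution(encrypt, keys, m) for m in messages]
    return all(d == dists[0] for d in dists[1:])

def unique_key_per_pair(encrypt, keys, messages, ciphertexts):
    """Corollary condition: for every (m, c) exactly one key k with E(k, m) = c."""
    return all(sum(encrypt(k, m) == c for k in keys) == 1
               for m in messages for c in ciphertexts)

def half_key_space(n):
    """Constructed counterexample: OTP restricted to keys starting with 0.
    |K| = 2^(n-1) < |M| = 2^n, so by Shannon's theorem it cannot be perfectly
    secret: a ciphertext's first bit reveals the plaintext's first bit."""
    return [k for k in bitstrings(n) if k[0] == "0"]

N = 3
MESSAGES = KEYS = CIPHERTEXTS = bitstrings(N)   # K = M = C = {0,1}^3 for the OTP
```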
Quiz 2 (scan the QR code and answer the question, or type the code NTJR437 at http://goformative.com/join)

Let m ∈ M and c ∈ C. How many OTP keys k ∈ K = {0, 1}^n map m into c?
  None.
  Infinitely many.
  1.
  It depends on m.
The Venona project (1943 - 1980-ish): an NSA counter-intelligence program to decrypt messages transmitted by the intelligence agencies of the Soviet Union (during World War II).

STRATEGY: a code was used to convert words and letters into numbers, and the numbers were encrypted using the OTP. When used correctly, OTP encryption is unbreakable.

HOWEVER: generating the one-time pads was a slow and labor-intensive process, and the outbreak of World War II caused a sudden increase in the need for coded messages. To keep up with demand, Russian intelligence agencies started to re-use old encryption keys.

RESULT: 3,000 messages have been partially or wholly decrypted by the NSA. All the duplicate one-time pad pages were produced in 1942, and almost all of them had been used by the end of 1945, with a few being used as late as 1948.
The Venona project: how did the NSA break the Russians' OTP?

Let c1 = m1 ⊕ k and c2 = m2 ⊕ k (the same key k used twice), and consider
  c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = (m1 ⊕ m2) ⊕ (k ⊕ k) = m1 ⊕ m2.

Given m1 ⊕ m2 it is easy to retrieve m1 and m2, because of the redundancy in a language (ASCII encoding: not all combinations of letters are possible/likely).

Example: given a language L = {00100, 10011, 11100, 10100}, m1 = 00100 and m2 = 10011, then m1 ⊕ m2 = 10111, and 10111 can be obtained only by XORing m1 = 00100 with m2 = 10011.

Never use an OTP key twice!

(Gene Grabeel, the first cryptanalyst of the Venona project.)
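The slide's example, carried out in code as an added example (not the lecture's own): given two ciphertexts and the 5-bit language L from the slide, list every pair of words whose XOR matches c1 ⊕ c2. The reused key KEY and the ciphertexts are constructed here; the example also shows that the XOR alone does not tell which word belongs to which ciphertext, and that a fresh key per message leaves nothing to match.

```python
# Two-time pad recovery (the Venona slide), done over a toy "language".
# Added example, not the lecture's code.  The 5-bit language L is the one on
# the slide; the reused key KEY and the ciphertexts are constructed here.
from itertools import combinations

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings such as '00100' and '10011'."""
    if len(a) != len(b):
        raise ValueError("OTP operands must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def otp_encrypt(key: str, msg: str) -> str:
    return xor_bits(key, msg)

def candidate_pairs(c1: str, c2: str, language: list) -> list:
    """Unordered pairs of words in `language` whose XOR equals c1 XOR c2.
    If the same key was used, c1 XOR c2 == m1 XOR m2, so the real plaintexts
    are among these; the language's redundancy is what keeps the list short."""
    target = xor_bits(c1, c2)
    return [(ma, mb) for ma, mb in combinations(language, 2)
            if xor_bits(ma, mb) == target]

def recover_plaintexts(c1: str, c2: str, language: list) -> list:
    """Every (m_for_c1, m_for_c2, key) consistent with both ciphertexts and L.
    The XOR alone cannot say which word goes with which ciphertext, so each
    matching pair yields two assignments; context (or a third reuse) decides."""
    results = []
    for ma, mb in candidate_pairs(c1, c2, language):
        for x, y in ((ma, mb), (mb, ma)):
            key = xor_bits(c1, x)          # also equals c2 XOR y
            results.append((x, y, key))
    return results

LANGUAGE = ["00100", "10011", "11100", "10100"]   # L from the slide
KEY = "01101"                                    # constructed key, used twice
C1 = otp_encrypt(KEY, "00100")
C2 = otp_encrypt(KEY, "10011")
# Proper OTP use: a fresh key for the second message.  Then c1 XOR c2 equals
# m1 XOR m2 XOR k1 XOR k2, which carries no relation between the plaintexts.
C2_FRESH = otp_encrypt("10000", "10011")
```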
Is the OTP a good cipher?

Pros:
- very fast algorithms for encryption/decryption
- perfect secrecy (one-time key semantic security)

Cons:
- very long key (the secret key is as long as the message)
- ciphertexts are malleable
- highly impractical
Quiz 3 (scan the QR code and answer the question, or type the code AFMA649 at http://goformative.com/join)

Let m be a message and c = m ⊕ k be its OTP encryption. If the attacker adds a to manipulate the ciphertext, what does Bob decrypt? (hint: the new ciphertext is c' = c ⊕ a)
  m ⊕ k
  m
  m ⊕ a
  a ⊕ k

With the OTP, modifications to the ciphertext are undetectable, and the attacker can predict what the tampered decrypted message will be (if the attacker knows - part of - the original plaintext).
Beyond OTP: how can we make the OTP practical?

STREAM CIPHERS
1. Replace the long (uniformly) random key k with a short key s.
2. Use s (the new key) to generate a long pseudo-random key k = G(s) for the OTP cipher, where G is a Pseudo Random Generator (PRG) - see next slide - whose output is (uniformly) random looking.
3. Encrypt the plaintext one bit (or byte) at a time: ciphertext = plaintext ⊕ G(s).

NOTE: there are a lot of tiny important details behind stream ciphers (especially for their implementation), but I won't focus on these.
Quiz 4 (scan the QR code and answer the question, or type the code YFMP474 at http://goformative.com/join)

Can a stream cipher have perfect secrecy?
  Yes, but only if the PRG used in the stream cipher is really secure.
  No, since there exists no cipher with perfect secrecy.
  Yes, every cipher can have perfect secrecy.
  No, since the secret key is shorter than the message.
Examples of stream ciphers

A5/1: stream cipher used in GSM (Global System for Mobile Communications, originally Groupe Spécial Mobile).
E0: stream cipher used in the Bluetooth protocol.
Both are badly broken!
PRG: Pseudo Random Generators

Intuition: a PRG is a function that, on input a seed, outputs a string which looks completely random.

DEFINITION. A function G : {0, 1}^ℓ → {0, 1}^n with ℓ ≪ n is a secure Pseudo Random Generator (PRG) if for any efficient statistical test (Distinguisher) D, it holds that
  | P[D(G(s)) = 1] − P[D(r) = 1] |  is negligible,
where s ←R {0, 1}^ℓ and r ←R {0, 1}^n are picked uniformly at random.

Important to understand! STATISTICAL TEST (distinguisher): D(x) = 1 if x is a truly random string, 0 if x is a pseudo-random output - see examples in the exercise lecture -
What does it mean that the output of G(s) = k' is indistinguishable from random?

The key space {0, 1}^ℓ (seeds s1, s2, ...) is mapped by G into the output space {0, 1}^n: the image of G (k1 = G(s1), k2 = G(s2), ...) is a small subset of {0, 1}^n. Given an x ∈ {0, 1}^n, does x belong to the image of G or not? An adversary D that sees the output of G cannot distinguish it from something completely random (i.e. something coming from the uniform distribution over {0, 1}^n).
Unpredictable PRGs

Given a part of the output of G(s) = k, it should be impossible to predict the remaining part of the output. A good secure PRG must be unpredictable!
  G(s) = k = 0 1 1 1 0 1 0 1 0 0 ? ? ? ? ? ?

Giving a formal definition of unpredictable is hard, so we give a definition of a predictable PRG!

DEFINITION. A PRG G : {0, 1}^ℓ → {0, 1}^n is said to be predictable if there exists an efficient algorithm A (this algorithm will be our Adversary) and an index 1 ≤ i ≤ n such that
  P_{s ←R K}[ A(G(s)|_{1,...,i}) = G(s)|_{i+1} ] ≥ 1/2 + ε
for some non-negligible value ε (e.g. ε > 1/2^30).

You can break a weak PRG in the programming Assignment!

In 1982 Yao proved that unpredictable PRGs are secure. But it is still unknown if there exist provably secure PRGs.
Predictable PRGs, what is the problem?

Let A be the algorithm that can efficiently compute G(s)|_{i+1} given G(s)|_{1,...,i}. Suppose A knows the ciphertext c and the beginning of the plaintext m (e.g. standard headers). Then A recovers the beginning of the keystream G(k) from c ⊕ m, predicts the rest of it, and can efficiently decrypt!
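The known-header scenario above, as an added example that is not part of the lecture: a stream cipher whose keystream comes from a constructed, deliberately predictable toy PRG (a linear congruential generator that emits its own state, so G(s)|_{i+1} is a fixed function of G(s)|_i). An adversary who knows only the plaintext header recovers the keystream prefix, runs the generator forward and decrypts the rest without ever learning the seed. The LCG parameters, message and header are constructed; a real stream cipher needs a PRG whose output does not reveal its state.

```python
# Stream cipher built on a *predictable* PRG, and why that is fatal.
# Added example, not from the lecture. The PRG below is a constructed toy:
# a linear congruential generator (LCG) whose outputs are its own state, so
# anyone who sees one output byte can run it forward. That is exactly the
# "predictable PRG" of the definition: G(s)_{i+1} is computable from G(s)_{1..i}.
MOD, MULT, INC = 256, 21, 11   # constructed LCG parameters (one byte of state)

def toy_prg(seed: int, n: int) -> bytes:
    """G : {0,1}^8 -> {0,1}^(8n). Emits the LCG state, one byte per step."""
    out, state = [], seed % MOD
    for _ in range(n):
        state = (MULT * state + INC) % MOD
        out.append(state)
    return bytes(out)

def predict_rest(known_prefix: bytes, n: int) -> bytes:
    """The adversary A: given G(s)_{1..i} (i >= 1), output G(s)_{i+1..n}.
    Works because each output byte IS the next LCG state."""
    state, out = known_prefix[-1], []
    for _ in range(n - len(known_prefix)):
        state = (MULT * state + INC) % MOD
        out.append(state)
    return bytes(out)

def stream_encrypt(seed: int, msg: bytes) -> bytes:
    """c = m XOR G(s); the same function decrypts."""
    keystream = toy_prg(seed, len(msg))
    return bytes(a ^ b for a, b in zip(msg, keystream))

def known_header_attack(ct: bytes, known_header: bytes) -> bytes:
    """Slide scenario: the attacker knows the first bytes of the plaintext
    (a standard header). XOR recovers the keystream prefix, prediction
    extends it to the full length, and the whole message follows."""
    ks_prefix = bytes(c ^ p for c, p in zip(ct, known_header))
    keystream = ks_prefix + predict_rest(ks_prefix, len(ct))
    return bytes(c ^ k for c, k in zip(ct, keystream))

MSG = b"HDR:secret"          # constructed plaintext with a 4-byte known header
CT = stream_encrypt(7, MSG)  # seed 7 is the secret stream-cipher key
```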
Quiz 5 (scan the QR code and answer the question, or type the code JWVZ293 at http://goformative.com/join)

Suppose G : {0, 1}^ℓ → {0, 1}^n is such that for all s ∈ K = {0, 1}^ℓ it holds that XOR[G(s)] = 1 (the XOR of all the output bits is 1). Is G predictable?
  No, there exists no efficient algorithm to obtain the last bit from the first one.
  No, G is unpredictable.
  Yes, given the first (n − 1) bits, I can predict the last bit.
  Yes, given the first bit, I can predict the second.
WEP attacks

WEP attack - two time pad:
- Length of IV: 24 bits, so the IV repeats after 2^24 ≈ 16M frames.
- On some 802.11 cards the IV resets to 0 after a power cycle.
- Repetition after a power cycle or every 16M frames.

There are several solutions (not all of them have been used), e.g. always negotiate new keys for every session (as TLS does).
How to define the security of a cipher?

First we need to define the power and the goals of an adversary (examples: see some ciphertexts, get the encryption of chosen messages, tamper with the communication, change a ciphertext, spoofing; decrypt, find the secret key, encrypt a chosen message, change the content of a ciphertext).

Then we decide what approach to use:
- information theoretic security: a mathematical proof that an attacker cannot do better than 1/(something) in producing a forgery (hard to achieve and bad security values);
- complexity-based security: an attacker that can make a forgery is also able to break a complex hard problem (most cryptographic primitives are of this type; better security values, but it relies on the hope that no one ever solves the hard problem).
Security: definition attempts

Attacker's power = see ciphertexts; goal = break the cipher. What does break mean?

Attempt 1: the attacker cannot recover the secret key. The cipher E(k, m) = m satisfies the requirement but is not really secure.

Attempt 2: the attacker cannot recover the whole plaintext. The cipher E(k, m0 || m1) = m0 || (k ⊕ m1) satisfies the requirement but is not really secure.

It is not easy to give a good definition in cryptography!
Security: considerations about Shannon's perfect secrecy

DEFINITION seen in slide 8 (SHANNON DEFINITION). A cipher (E, D) defined over (K, M, C) has perfect secrecy if:
  for any m0, m1 ∈ M with len(m0) = len(m1), and for any c ∈ C, Pr[E(k, m0) = c] = Pr[E(k, m1) = c],
  where k is chosen uniformly at random from K (i.e., k ←R K).

What does the definition say? If we pick a random key k and we encrypt a message m0, the resulting ciphertext has the same distribution as if we had encrypted m1, i.e., the adversary cannot tell whether we encrypted m0 or m1.

The truth is: only the OTP has perfect secrecy! Shannon's definition is too strong (strict).
Security: 'relaxing' the notion of perfect secrecy

If the definition is too strict, let's relax it!

Instead of requiring identical distributions (i.e. the probability with which E(k, m) equals the given c), let's require that the distributions are indistinguishable, and also that m0 and m1 are not completely random, but messages that the attacker can create.

This definition is called one-time key semantic security (the relaxed/realistic perfect secrecy) - see the security game in the next slide -
The semantic security game (one time key)

Attacker A (a Probabilistic Polynomial Time (PPT) algorithm) and Challenger C:
1. A picks m0, m1 ∈ M with len(m0) = len(m1), taken from some appropriate distribution of messages, and sends them to C.
2. C picks k ∈ K and b ←R {0, 1} (chosen uniformly at random), computes c = E(k, m_b) and sends c to A.
3. A outputs a guess b' ∈ {0, 1} for b.

DEFINITION. A cipher (E, D) is semantically secure (with a one-time key) if for any PPT adversary A it holds that
  P(b = b') < 1/2 + negligible.
(negligible means < 1/2^80, non-negligible means > 1/2^30)
How to use the definition of semantic security? (e.g. at the exercise sessions / exam)

Define W0 as the event that C chose b = 0 and A outputs b' = 0, and W1 as the event that C chose b = 1 and A outputs b' = 0. Show that |P(W0) − P(W1)| is (non-)negligible.

Example: prove that the encryption scheme E(k, m0 || m1) = m0 || (k ⊕ m1) is not semantically secure.
We need to show that A can win the security game (on the previous slide). Let A choose
  m0 = m00 || m01 = 0 || 0;
  m1 = m10 || m11 = 1 || 1.
If C chose b = 0, then c = 0 || c0; if C chose b = 1, then c = 1 || c1. So A can output b' = c[1] (the first bit of c) as its guess for b. With this strategy we have P(W0) − P(W1) = 1 − 0 = 1.
The 'Advantage' of an adversary

The value |P(W0) − P(W1)| is usually called the advantage of A and it is denoted as Adv_sem.sec.[A, E], where "sem.sec." is the name of the security notion we are considering, A is the name of the adversary we are considering, and E is the name of the scheme/function we are considering.
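The game of the previous two slides, evaluated exactly rather than by sampling, as an added example that is not the lecture's code: the adversary A that outputs b' = c[1] is run against the scheme E(k, m0 || m1) = m0 || (k ⊕ m1) and against the 2-bit OTP, and Adv_sem.sec.[A, E] = |P(W0) − P(W1)| is computed by enumerating every key. It goes one step beyond the slide by also maximising over all 16 deterministic adversaries on 2-bit ciphertexts, which is feasible only because the toy is this small. Messages "00" and "11" and the key sizes are the slide's; everything else is constructed here.

```python
# Semantic-security game (one-time key) evaluated exactly, as on the slides.
# Added example, not from the lecture. Messages are 2-bit strings "b0b1" as in
# the slide's scheme E(k, m0||m1) = m0 || (k XOR m1); keys are 1 bit for that
# scheme and 2 bits for the OTP. The advantage is computed by enumerating every
# key instead of sampling, so the numbers are exact Fractions.
from fractions import Fraction
from itertools import product

def leaky_encrypt(k: str, m: str) -> str:
    """Attempt-2 cipher from the slides: leaves the first bit in the clear."""
    return m[0] + str(int(k) ^ int(m[1]))

def otp_encrypt(k: str, m: str) -> str:
    return "".join(str(int(a) ^ int(b)) for a, b in zip(k, m))

def first_bit_adversary(c: str) -> int:
    """The slide's A: guess b' = c[1], the first ciphertext bit."""
    return int(c[0])

def all_keys(nbits: int) -> list:
    return ["".join(bits) for bits in product("01", repeat=nbits)]

def advantage(encrypt, keys, adversary, m0: str, m1: str) -> Fraction:
    """Adv_sem.sec[A, E] = |P(W0) - P(W1)|, where W_b is the event that the
    challenger chose b and A output b' = 0. Probability is over a uniform key."""
    def p_guess_zero(b: int) -> Fraction:
        m = (m0, m1)[b]
        hits = sum(adversary(encrypt(k, m)) == 0 for k in keys)
        return Fraction(hits, len(keys))
    return abs(p_guess_zero(0) - p_guess_zero(1))

def best_deterministic_advantage(encrypt, keys, m0: str, m1: str, nbits: int = 2) -> Fraction:
    """Maximum advantage over ALL deterministic adversaries on nbits-bit
    ciphertexts (2^(2^nbits) of them). A perfectly secret cipher gives 0 for
    every one of them, because both messages induce the same c-distribution."""
    cts = all_keys(nbits)                 # every possible ciphertext string
    best = Fraction(0)
    for table in product((0, 1), repeat=len(cts)):
        guess = dict(zip(cts, table))     # one fixed guess per ciphertext
        best = max(best, advantage(encrypt, keys, lambda c: guess[c], m0, m1))
    return best
```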
Before Thursday: say which exercises you want to see solved during the exercise lecture next Friday!

We opened a questionnaire (code WMPX442): have a look at the exercises, try to solve them, and let us know which ones you would like us to solve together at the next exercise session.
References

Chapters 2.1, 2.2, 7.1 + read up about semantic security.
Chapters 1.4, 2, and 3.3.1, e.g. in https://people.eecs.berkeley.edu/~luca/cs276/lecture02.pdf
What we will see next time! (lec03: Block Ciphers, DES & AES)

[Figure: AES, the Advanced Encryption Standard] Blocks of 128 bits (a 4x4 byte state), key of 128, 192 or 256 bits; key expansion (e.g. a PRG) produces the round keys (11 keys of 128 bits for a 128-bit key); 9, 11 or 13 rounds depending on the key size, each made of SubBytes, ShiftRow, MixColumn and AddRoundKey; ciphertexts of 128 bits. Encryption and decryption are defined over (K, M, C).

[Figure: DES, the Data Encryption Standard] Blocks of 64 bits, 56-bit key; key expansion (e.g. a PRG) produces 16 keys of 48 bits (k1, ..., k16); the plaintext goes through the initial permutation IP, is split into L0 and R0, passes 16 rounds of Feistel Networks (see next slide for the round function f_i) giving L16 and R16, and then the inverse permutation IP^-1; ciphertexts of 64 bits.

[Figure: Modes of operation, CBC (Cipher Block Chaining)] Let (E, D) be a cipher. The CBC block cipher is defined as follows: E(k, m) picks a random IV ∈ {0, 1}^n (Initialisation Vector; think of it as a number string) and each cipher block is chained to the previous one. The ciphertext is longer than the plaintext because of the IV.