Course Cryptography I

Online Cryptography Course Dan Boneh
Introduction
Course Overview
Dan Boneh
Welcome
Course objectives:
• Learn how crypto primitives work
• Learn how to use them correctly and reason about security
My recommendations:
• Take notes
• Pause video frequently to think about the material
• Answer the in-video questions
Dan Boneh
Cryptography is everywhere
Secure communication:
– web traffic: HTTPS
– wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
Encrypting files on disk: EFS, TrueCrypt
Content protection (e.g. DVD, Blu-ray): CSS, AACS
User authentication
… and much much more

Dan Boneh
Secure communication
no eavesdropping
no tampering
Dan Boneh
Secure Sockets Layer / TLS
Two main parts
1. Handshake Protocol: Establish shared secret key

using public-key cryptography (2nd part of course)
2. Record Layer: Transmit data using shared secret key

Ensure confidentiality and integrity (1st part of course)
Dan Boneh
Protected files on disk
Disk
Alice File 1 Alice
No eavesdropping
No tampering
File 2
Analogous to secure communication:

Alice today sends a message to Alice tomorrow
Dan Boneh
Building block: sym. encryption
Alice Bob
m E(k,m)=c c D(k,c)=m
E D
k k
E, D: cipher k: secret key (e.g. 128 bits)

m, c: plaintext, ciphertext
Encryption algorithm is publicly known

• Never use a proprietary cipher
Dan Boneh
Use Cases
Single use key: (one time key)
• Key is only used to encrypt one message
• encrypted email: new key generated for every email
Multi use key: (many time key)

• Key used to encrypt multiple messages
• encrypted files: same key used to encrypt many files
• Need more machinery than for one-time key
Dan Boneh
Things to remember
Cryptography is:
– A tremendous tool
– The basis for many security mechanisms
Cryptography is not:
– The solution to all security problems
– Reliable unless implemented and used properly
– Something you should try to invent yourself
• many many examples of broken ad-hoc designs
Dan Boneh
End of Segment
Dan Boneh
Introduction
What is cryptography?
Dan Boneh
Crypto core Talking
to Bob
Talking
to Alice
Secret key establishment: Alice

Bob
attacker???
Secure communication: k m1
k
m2
confidentiality and integrity
Dan Boneh
But crypto can do much more
• Digital signatures
• Anonymous communication
Alice
Who did I signature
just talk to?
Alice
Bob
Dan Boneh
But crypto can do much more
• Digital signatures
• Anonymous communication
• Anonymous digital cash

– Can I spend a “digital coin” without anyone knowing who I am?
– How to prevent double spending?
Who was
1$ Alice that?
Internet
(anon. comm.)
Dan Boneh
Protocols
• Elections
• Private auctions
Dan Boneh
Protocols
• Elections
• Private auctions
trusted
Goal: compute f(x1, x2, x3, x4) authority
“Thm:” anything that can done with trusted auth. can also
be done without
• Secure multi-party computation

Dan Boneh
Crypto magic
• Privately outsourcing computation What did she
search for?
search
query E[ query ]
Alice
E[ results ]
results
• Zero knowledge (proof of knowledge)

???
Alice I know the factors of N !!

N=p∙q N
proof π Bob
Dan Boneh
A rigorous science
The three steps in cryptography:
• Precisely specify threat model
• Propose a construction
• Prove that breaking construction under

threat mode will solve an underlying hard problem
Dan Boneh
End of Segment
Dan Boneh
Introduction
History
Dan Boneh
History
David Kahn, “The code breakers” (1996)
Dan Boneh
Symmetric Ciphers
Dan Boneh
Few Historic Examples (all badly broken)
1. Substitution cipher
k :=
Dan Boneh
Caesar Cipher (no key)
Dan Boneh
What is the size of key space in the substitution cipher
assuming 26 letters?
Dan Boneh
How to break a substitution cipher?
What is the most common letter in English text?
“X”
“L”
“E”
“H”
Dan Boneh
How to break a substitution cipher?
(1) Use frequency of English letters
(2) Use frequency of pairs of letters (digrams)
Dan Boneh
An Example
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO
FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN
CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF
ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB
OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR
B 36  E NC 11  IN UKB 6  THE
N 34 PU 10  AT RVN 6
U 33  T UB 10 FZI 4
P 32  A UN 9 trigrams
C 26 digrams
Dan Boneh
2. Vigener cipher (16’th century, Rome)
k = C R Y P T O C R Y P T O C R Y P T
(+ mod 26)
m = W H A T A N I C E D A Y T O D A Y
c = Z Z Z J U C L U D T U N W G C Q S
suppose most common = “H” first letter of key = “H” – “E” = “C”
Dan Boneh
3. Rotor Machines (1870-1943)
Early example: the Hebern machine (single rotor)
A K E N
B S K E
C T S K
. . T S
. . . T
X R . .
Y N R .
Z key E N R
Dan Boneh
Rotor Machines (cont.)
Most famous: the Enigma (3-5 rotors)
# keys = 264 = 218 (actually 236 due to plugboard)

Dan Boneh
4. Data Encryption Standard (1974)
DES: # keys = 256 , block size = 64 bits
Today: AES (2001), Salsa20 (2008) (and many others)
Dan Boneh
End of Segment
Dan Boneh
See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability
Introduction
Discrete Probability
(crash course, cont.)
Dan Boneh
U: finite set (e.g. U = {0,1}n )
Def: Probability distribution P over U is a function P: U ⟶ [0,1]

such that Σ
x∈U
P(x) = 1
Examples:
1. Uniform distribution: for all x∈U: P(x) = 1/|U|
2. Point distribution at x0: P(x0) = 1, ∀x≠x0: P(x) = 0
Distribution vector: ( P(000), P(001), P(010), … , P(111) ) Dan Boneh

Events
• For a set A ⊆ U: Pr[A] = Σ
x∈A
P(x) ∈ [0,1]
note: Pr[U]=1
• The set A is called an event
Example: U = {0,1}8
• A = { all x in U such that lsb2(x)=11 } ⊆U
for the uniform distribution on {0,1}8 : Pr[A] = 1/4
Dan Boneh
The union bound
• For events A1 and A2
Pr[ A1 ∪ A2 ] ≤ Pr[A1] + Pr[A2]
A1
A2
Example:
A1 = { all x in {0,1}n s.t lsb2(x)=11 } ; A2 = { all x in {0,1}n s.t. msb2(x)=11 }
Pr[ lsb2(x)=11 or msb2(x)=11 ] = Pr[A1∪A2] ≤ ¼+¼ = ½

Dan Boneh
Random Variables
Def: a random variable X is a function X:U⟶V
Example: X: {0,1}n ⟶ {0,1} ; X(y) = lsb(y) ∈{0,1}

U V
For the uniform distribution on U:
lsb=0 0
Pr[ X=0 ] = 1/2 , Pr[ X=1 ] = 1/2
lsb=1 1
More generally:
rand. var. X induces a distribution on V: Pr[ X=v ] := Pr[ X-1(v) ]
Dan Boneh
The uniform random variable
Let U be some set, e.g. U = {0,1}n
We write r ⟵R
U to denote a uniform random variable over U
for all a∈U: Pr[ r = a ] = 1/|U|
( formally, r is the identity function: r(x)=x for all x∈U )
Dan Boneh
Let r be a uniform random variable on {0,1}2
Define the random variable X = r1 + r2
Then Pr[X=2] = ¼
Hint: Pr[X=2] = Pr[ r=11 ]
Dan Boneh
Randomized algorithms
inputs outputs
• Deterministic algorithm: y ⟵ A(m)
m
• Randomized algorithm A(m)
y ⟵ A( m ; r ) where r ⟵
R
{0,1}n
output is a random variable

y⟵
R
A( m ) m
A(m)
Example: A(m ; k) = E(k, m) , y⟵

R
A( m )
Dan Boneh
End of Segment
Dan Boneh
See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability
Introduction
Discrete Probability
(crash course, cont.)
Dan Boneh
Recap
U: finite set (e.g. U = {0,1}n )
Prob. distr. P over U is a function P: U ⟶ [0,1] s.t. Σ

x∈U
P(x) = 1
A ⊆ U is called an event and Pr[A] = Σx∈AP(x) ∈ [0,1]
A random variable is a function X:U⟶V .

X takes values in V and defines a distribution on V
Dan Boneh
Independence
Def: events A and B are independent if Pr[ A and B ] = Pr*A+ ∙ Pr[B]
random variables X,Y taking values in V are independent if
∀a,b∈V: Pr[ X=a and Y=b] = Pr[X=a] ∙ Pr[Y=b]
2
Example: U = {0,1} = {00, 01, 10, 11} and r⟵
R
U
Define r.v. X and Y as: X = lsb(r) , Y = msb(r)
Pr[ X=0 and Y=0 ] = Pr[ r=00 ] = ¼ = Pr[X=0] ∙ Pr[Y=0]

Dan Boneh
Review: XOR
XOR of two strings in {0,1}n is their bit-wise addition mod 2
0 1 1 0 1 1 1
⊕
1 0 1 1 0 1 0
Dan Boneh
An important property of XOR
Thm: Y a rand. var. over {0,1}n , X an indep. uniform var. on {0,1}n
Then Z := Y⨁X is uniform var. on {0,1}n
Proof: (for n=1)

Pr[ Z=0 ] =
Dan Boneh
The birthday paradox
Let r1, …, rn ∈ U be indep. identically distributed random vars.
Thm: when n= 1.2 × |U|1/2 then Pr[ ∃i≠j: ri = rj ] ≥ ½
notation: |U| is the size of U
Example: Let U = {0,1}128
After sampling about 264 random messages from U,

some two sampled messages will likely be the same
Dan Boneh
|U|=106
collision probability
# samples n
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
The One Time Pad
Dan Boneh
Symmetric Ciphers: definition
Def: a cipher defined over
is a pair of “efficient” algs (E, D) where
• E is often randomized. D is always deterministic.
Dan Boneh
The One Time Pad (Vernam 1917)
First example of a “secure” cipher
key = (random bit string as long the message)
Dan Boneh
msg: 0 1 1 0 1 1 1
⊕
key: 1 0 1 1 0 1 0
CT:
Dan Boneh
You are given a message (m) and its OTP encryption (c).
Can you compute the OTP key from m and c ?
No, I cannot compute the key.

Yes, the key is k = m ⊕ c.
I can only compute half the bits of the key.
Yes, the key is k = m ⊕ m.
Dan Boneh
Very fast enc/dec !!

… but long keys (as long as plaintext)
Is the OTP secure? What is a secure cipher?
Dan Boneh
What is a secure cipher?
Attacker’s abilities: CT only attack (for now)
Possible security requirements:

attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext
Shannon’s idea:
CT should reveal no “info” about PT
Dan Boneh
Information Theoretic Security
(Shannon 1949)
Dan Boneh
Information Theoretic Security
Def: A cipher (E,D) over (K,M,C) has perfect secrecy if
∀m0, m1 ∈M ( |m0| = |m1| ) and ∀c∈C
Pr[ E(k,m0)=c ] = Pr[ E(k,m1)=c ] where k ⟵KR
Dan Boneh
Lemma: OTP has perfect secrecy.
Proof:
Dan Boneh
None
1
2
Dan Boneh
Lemma: OTP has perfect secrecy.
Proof:
Dan Boneh
The bad news …
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Pseudorandom
Generators
Dan Boneh
Review
Cipher over (K,M,C): a pair of “efficient” algs (E, D) s.t.
∀ m∈M, k∈K: D(k, E(k, m) ) = m
Weak ciphers: subs. cipher, Vigener, …
A good cipher: OTP M=C=K={0,1}n
E(k, m) = k ⊕ m , D(k, c) = k ⊕ c
Lemma: OTP has perfect secrecy (i.e. no CT only attacks)
Bad news: perfect-secrecy ⇒ key-len ≥ msg-len
Dan Boneh
Stream Ciphers: making OTP practical
idea: replace “random” key by “pseudorandom” key
Dan Boneh
Dan Boneh
Can a stream cipher have perfect secrecy?
Yes, if the PRG is really “secure”

No, there are no ciphers with perfect secrecy
Yes, every cipher has perfect secrecy
No, since the key is shorter than the message
Stream ciphers cannot have perfect secrecy !!
• Need a different definition of security
• Security will depend on specific PRG
Dan Boneh
PRG must be unpredictable
Dan Boneh
PRG must be unpredictable
n
We say that G: K ⟶ {0,1} is predictable if:
Def: PRG is unpredictable if it is not predictable

⇒ ∀i: no “eff” adv. can predict bit (i+1) for “non-neg” ε
Dan Boneh
Suppose G:K ⟶ {0,1}n is such that for all k: XOR(G(k)) = 1
Is G predictable ??
Yes, given the first bit I can predict the second

No, G is unpredictable
Yes, given the first (n-1) bits I can predict the n’th bit
It depends
Dan Boneh
Weak PRGs (do not use for crypto)
glibc random():
r[i+ ← ( r[i-3] + r[i-31] ) % 232
output r[i] >> 1
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Negligible vs.
non-negligible
Dan Boneh
Negligible and non-negligible
• In practice: ε is a scalar and
– ε non-neg: ε ≥ 1/230 (likely to happen over 1GB of data)
– ε negligible: ε ≤ 1/280 (won’t happen over life of key)
• In theory: ε is a function ε: Z≥0 ⟶ R≥0 and

– ε non-neg: ∃d: ε(λ) ≥ 1/λd inf. often (ε ≥ 1/poly, for many λ)
– ε negligible: ∀d, λ≥λd: ε(λ) ≤ 1/λd (ε ≤ 1/poly, for large λ)
Dan Boneh
Few Examples
ε(λ) = 1/2λ : negligible
ε(λ) = 1/λ1000 : non-negligible
1/2λ for odd λ

ε(λ) = 1/λ1000 for even λ
Negligible
Non-negligible
Dan Boneh
PRGs: the rigorous theory view
PRGs are “parameterized” by a security parameter λ
• PRG becomes “more secure” as λ increases
Seed lengths and output lengths grow with λ
For every λ=1,2,3,… there is a different PRG Gλ:

n(λ)
Gλ : Kλ ⟶ {0,1}
(in the lectures we will always ignore λ )

Dan Boneh
An example asymptotic definition
n(λ)
We say that Gλ : Kλ ⟶ {0,1} is predictable at position i if:
there exists a polynomial time (in λ) algorithm A s.t.
Prk⟵Kλ[ A(λ, Gλ(k) ) = Gλ(k) ] > 1/2 + ε(λ)

1,…,i i+1
for some non-negligible function ε(λ)
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Attacks on OTP and

stream ciphers
Dan Boneh
Review
OTP: E(k,m) = m ⊕ k , D(k,c) = c ⊕ k
Making OTP practical using a PRG: G: K ⟶ {0,1}n
Stream cipher: E(k,m) = m ⊕ G(k) , D(k,c) = c ⊕ G(k)
Security: PRG must be unpredictable (better def in two segments)
Dan Boneh
Attack 1: two time pad is insecure !!
Never use stream cipher key more than once !!
C1  m1  PRG(k)
C2  m2  PRG(k)
Eavesdropper does:
C1  C2  m1  m2
Enough redundancy in English and ASCII encoding that:

m1  m2  m1 , m 2
Dan Boneh
Real world examples
• Project Venona
• MS-PPTP (windows NT):
k k
Need different keys for C⟶S and S⟶C Dan Boneh

Real world examples
802.11b WEP:
m CRC(m)
k PRG( IV ll k ) k
IV ciphetext
Length of IV: 24 bits

• Repeated IV after 224 ≈ 16M frames
• On some 802.11 cards: IV resets to 0 after power cycle
Dan Boneh
Avoid related keys
802.11b WEP:
m CRC(m)
k PRG( IV ll k ) k
IV ciphetext
key for frame #1: (1 ll k)

key for frame #2: (2 ll k)
⋮ Dan Boneh
A better construction
PRG
k k
⇒ now each frame has a pseudorandom key

better solution: use stronger encryption method (as in WPA2) Dan Boneh
Yet another example: disk encryption
Dan Boneh
Two time pad: summary
Never use stream cipher key more than once !!
• Network traffic: negotiate new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher
Dan Boneh
Attack 2: no integrity (OTP is malleable)
enc ( ⊕k )
m m⊕k
p
⊕
dec ( ⊕k )
m⊕p (m⊕k)⊕p
Modifications to ciphertext are undetected and

have predictable impact on plaintext
Dan Boneh
Attack 2: no integrity (OTP is malleable)
enc ( ⊕k ) From: Bob

⊕
From: Bob
⋯
dec ( ⊕k )
From: Eve From: Eve
Modifications to ciphertext are undetected and

have predictable impact on plaintext
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Real-world Stream
Ciphers
Dan Boneh
Old example (software): RC4 (1987)
2048 bits
128 bits
1 byte
per round
seed
• Used in HTTPS and WEP
• Weaknesses:
1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
2. Prob. of (0,0) is 1/2562 + 1/2563
3. Related key attacks
Dan Boneh
Old example (hardware): CSS (badly broken)
Linear feedback shift register (LFSR):
DVD encryption (CSS): 2 LFSRs

GSM encryption (A5/1,2): 3 LFSRs all broken
Bluetooth (E0): 4 LFSRs
Dan Boneh
Old example (hardware): CSS (badly broken)
CSS: seed = 5 bytes = 40 bits
Dan Boneh
Cryptanalysis of CSS (217 time attack)
17-bit LFSR 8 encrypted movie

+ (mod 256)
8 ⊕
prefix
25-bit LFSR 8 CSS prefix
For all possible initial settings of 17-bit LFSR do:

• Run 17-bit LFSR to get 20 bytes of output
• Subtract from CSS prefix ⇒ candidate 20 bytes output of 25-bit LFSR
• If consistent with 25-bit LFSR, found correct initial settings of both !!
Using key, generate entire CSS output

Dan Boneh
Modern stream ciphers: eStream
PRG: {0,1}s × R ⟶ {0,1}n
Nonce: a non-repeating value for a given key.
E(k, m ; r) = m ⊕ PRG(k ; r)
The pair (k,r) is never used more than once.

Dan Boneh
eStream: Salsa 20 (SW+HW)
Salsa20: {0,1} 128 or 256 × {0,1}64 ⟶ {0,1}n (max n = 273 bits)
Salsa20( k ; r) := H( k , (r, 0)) ll H( k , (r, 1)) ll …
τ0
k
k τ1
r r
i h ⊕ 64 byte
output
i τ2 (10 rounds)
32 bytes k
τ3 64 bytes 64 bytes
h: invertible function. designed to be fast on x86 (SSE2) Dan Boneh

Is Salsa20 secure (unpredictable) ?
• Unknown: no known provably secure PRGs
• In reality: no known attacks better than exhaustive search
Dan Boneh
Performance: Crypto++ 5.6.0 [ Wei Dai ]
AMD Opteron, 2.2 GHz ( Linux)
PRG Speed (MB/sec)

RC4 126
Salsa20/12 643
eStream
Sosemanuk 727
Dan Boneh
Generating Randomness (e.g. keys, IV)
Pseudo random generators in practice: (e.g. /dev/random)

• Continuously add entropy to internal state
• Entropy sources:
• Hardware RNG: Intel RdRand inst. (Ivy Bridge). 3Gb/sec.
• Timing: hardware interrupts (keyboard, mouse)
NIST SP 800-90: NIST approved generators

Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
PRG Security Defs
Dan Boneh
Let G:K ⟶ {0,1}n be a PRG
Goal: define what it means that
is “indistinguishable” from
Dan Boneh
Statistical Tests
Statistical test on {0,1}n:
an alg. A s.t. A(x) outputs “0” or “1”
Examples:
Dan Boneh
Statistical Tests
More examples:
Dan Boneh
Advantage
Let G:K ⟶{0,1}n be a PRG and A a stat. test on {0,1}n
Define:
A silly example: A(x) = 0 ⇒ AdvPRG [A,G] = 0 Dan Boneh

Suppose G:K ⟶{0,1}n satisfies msb(G(k)) = 1 for 2/3 of keys in K
Define stat. test A(x) as:

if [ msb(x)=1 + output “1” else output “0”
Then
AdvPRG [A,G] = | Pr[ A(G(k))=1] - Pr[ A(r)=1 ] | =
| 2/3 – 1/2 | = 1/6
Dan Boneh
Secure PRGs: crypto definition
n
Def: We say that G:K ⟶{0,1} is a secure PRG if
Are there provably secure PRGs?

but we have heuristic candidates.
Dan Boneh
Easy fact: a secure PRG is unpredictable
We show: PRG predictable ⇒ PRG is insecure
Suppose A is an efficient algorithm s.t.
for non-negligible ε (e.g. ε = 1/1000)
Dan Boneh
Easy fact: a secure PRG is unpredictable
Define statistical test B as:
Dan Boneh
Thm (Yao’82): an unpredictable PRG is secure
Let G:K ⟶{0,1}n be PRG
“Thm”: if ∀ i ∈ ,0, … , n-1} PRG G is unpredictable at pos. i

then G is a secure PRG.
If next-bit predictors cannot distinguish G from random

then no statistical test can !!
Dan Boneh
Let G:K ⟶{0,1}n be a PRG such that
from the last n/2 bits of G(k)
it is easy to compute the first n/2 bits.
Is G predictable for some i ∈ ,0, … , n-1} ?
Yes
No
More Generally
Let P1 and P2 be two distributions over {0,1}n
Def: We say that P1 and P2 are

computationally indistinguishable (denoted )
Example: a PRG is secure if { k ⟵K

R
: G(k) } ≈p uniform({0,1}n)
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Semantic security
Goal: secure PRG ⇒ “secure” stream cipher

Dan Boneh
What is a secure cipher?
Attacker’s abilities: obtains one ciphertext (for now)
Possible security requirements:

attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext
Recall Shannon’s idea:

CT should reveal no “info” about PT
Dan Boneh
Recall Shannon’s perfect secrecy
Let (E,D) be a cipher over (K,M,C)
(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } = { E(k,m1) } where k⟵K
(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } ≈p { E(k,m1) } where k⟵K
… but also need adversary to exhibit m0, m1 ∈ M explicitly

Dan Boneh
Semantic Security (one-time key)
For b=0,1 define experiments EXP(0) and EXP(1) as:
b
Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  E(k, mb)
b’  {0,1}
for b=0,1: Wb := [ event that EXP(b)=1 ]
AdvSS[A,E] := | Pr[ W0 + − Pr[ W1 ] | ∈ [0,1]

Dan Boneh
Semantic Security (one-time key)
Def: E is semantically secure if for all efficient A
AdvSS[A,E] is negligible.
⇒ for all explicit m0 , m1  M : { E(k,m0) } ≈p { E(k,m1) }
Dan Boneh
Examples
Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure.
b{0,1}
m0, LSB(m0)=0
Chal. Adv. B (us)
m1, LSB(m1)=1
kK
C E(k, mb) C Adv. A
(given)
LSB(mb)=b
Then AdvSS[B, E] = | Pr[ EXP(0)=1 + − Pr[ EXP(1)=1 ] |= |0 – 1| = 1

Dan Boneh
OTP is semantically secure
EXP(0): Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  k⊕m0 b’  {0,1}
identical distributions
Chal. m0 , m1  M : |m0| = |m1| Adv. A

EXP(1):
kK
c  k⊕m1 b’  {0,1}
For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 + − Pr[ A(k⊕m1)=1 ] |= 0

Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Stream ciphers are
semantically secure
Goal: secure PRG ⇒ semantically secure stream cipher

Dan Boneh
Stream ciphers are semantically secure
Thm: G:K ⟶{0,1}n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.
∀ sem. sec. adversary A , ∃a PRG adversary B s.t.
AdvSS*A,E+ ≤ 2 ∙ AdvPRG[B,G]
Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m0 ⊕ G(k) ≈p r{0,1}n c  m0 ⊕ r
b’≟1
b’≟1
≈p
m0 , m1 m0 , m1
kK c  m1 ⊕ G(k) ≈p r{0,1}n c  m1 ⊕ r
b’≟1 b’≟1
Dan Boneh
Proof: Let A be a sem. sec. adversary.
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ G(k)
b’  {0,1}
For b=0,1: Wb := * event that b’=1 +.
AdvSS[A,E] = | Pr[ W0 + − Pr[ W1 ] |
Dan Boneh
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ r
b’  {0,1}
For b=0,1: Wb := * event that b’=1 +.
AdvSS[A,E] = | Pr[ W0 + − Pr[ W1 ] |
For b=0,1: Rb := * event that b’=1 ]

Dan Boneh
Claim 1: |Pr[R0] – Pr[R1]| =

Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| =
0 Pr[W0] Pr[Rb] Pr[W1] 1
⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2 ∙ AdvPRG[B,G]

Dan Boneh
Proof of claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]
Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c  m0⊕y (given)
b’ ∈ {0,1}
AdvPRG[B,G] =
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
What is a block cipher?
Dan Boneh
Block ciphers: crypto work horse
n bits n bits
PT Block E, D CT Block
Key k bits
Canonical examples:
1.  3DES: n= 64 bits, k = 168 bits
2.  AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Itera<on
key k
key expansion
k1 k2 k3 kn
R(kn, ⋅)
R(k1, ⋅)
R(k2, ⋅)
R(k3, ⋅)
m c
R(k,m) is called a round func<on

for 3DES (n=48), for AES-‐128 (n=10)
Dan Boneh
Cipher Block/key size Speed (MB/sec)

RC4 126
stream
Salsa20/12 643
Sosemanuk 727

3DES 64/168 13
block
AES-‐128 128/128 109

Dan Boneh
Abstractly: PRPs and PRFs
•  Pseudo Random Func<on (PRF) defined over (K,X,Y):
F: K × X → Y
such that exists “efficient” algorithm to evaluate F(k,x)
•  Pseudo Random Permuta<on (PRP) defined over (K,X):

E: K × X → X
such that:
1. Exists “efficient” determinis<c algorithm to evaluate E(k,x)
2. The func<on E( k, ⋅ ) is one-‐to-‐one
3. Exists “efficient” inversion algorithm D(k,y)
Dan Boneh
Running example
•  Example PRPs: 3DES, AES, …
AES: K × X → X where K = X = {0,1}128
3DES: K × X → X where X = {0,1}64 , K = {0,1}168
•  Func<onally, any PRP is also a PRF.

–  A PRP is a PRF where X=Y and is efficiently inver<ble.
Dan Boneh
Secure PRFs
•  Let F: K × X → Y be a PRF
Funs[X,Y]: the set of all func<ons from X to Y
SF = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]
•  Intui<on: a PRF is secure if

a random func<on in Funs[X,Y] is indis<nguishable from
a random func<on in SF
SF
Funs[X,Y]
|X|
Size |Y|
Size |K|
Dan Boneh
Secure PRFs
Funs[X,Y]: the set of all func<ons from X to Y
SF = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]
•  Intui<on: a PRF is secure if

a random func<on in Funs[X,Y] is indis<nguishable from
f ← Funs[X,Y]
x ∈ X
??? k ← K
f(x) or F(k,x) ? Dan Boneh
Secure PRPs (secure block cipher)
•  Let E: K × X → Y be a PRP
Perms[X]: the set of all one-‐to-‐one func<ons from X to Y
SF = { E(k,⋅) s.t. k ∈ K } ⊆ Perms[X,Y]
•  Intui<on: a PRP is secure if

a random func<on in Perms[X] is indis<nguishable from
π ← Perms[X]
x ∈ X
??? k ← K
π(x) or E(k,x) ? Dan Boneh
Let F: K × X → {0,1}128 be a secure PRF.
Is the following G a secure PRF?

0 128 if x=0
G(k, x) =
F(k,x) otherwise
No, it is easy to dis<nguish G from a random func<on

Yes, an apack on G would also break F
It depends on F
An easy applica<on: PRF ⇒ PRG
Let F: K × {0,1}n → {0,1}n be a secure PRF.

Then the following G: K → {0,1}nt is a secure PRG:
G(k) = F(k,0) ll F(k,1) ll ⋯ ll F(k,t-‐1)
Key property: parallelizable
Security from PRF property: F(k, ⋅) indist. from random func<on f(⋅)
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The data encryp<on

standard (DES)
Dan Boneh
n bits n bits
Key k Bits
Canonical examples:
1.  3DES: n= 64 bits, k = 168 bits
2.  AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Itera<on
key k
key expansion
k1 k2 k3 kn
R(kn, ⋅)
R(k1, ⋅)
R(k2, ⋅)
R(k3, ⋅)
m c
R(k,m) is called a round func<on

for 3DES (n=48), for AES-‐128 (n=10)
Dan Boneh
The Data Encryp<on Standard (DES)
•  Early 1970s: Horst Feistel designs Lucifer at IBM
key-‐len = 128 bits ; block-‐len = 128 bits
•  1973: NBS asks for block cipher proposals.
IBM submits variant of Lucifer.
•  1976: NBS adopts DES as a federal standard
key-‐len = 56 bits ; block-‐len = 64 bits
•  1997: DES broken by exhaus<ve search
•  2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce Dan Boneh
DES: core idea – Feistel Network
Given func<ons f1, …, fd: {0,1}n ⟶ {0,1}n
Goal: build inver<ble func<on F: {0,1}2n ⟶ {0,1}2n

n-‐bits n-‐bits
R0 R1 R2 Rd-‐1 Rd
f1 f2
L0 ⊕ L1 ⊕ L2
⋯ Ld-‐1
fd
⊕ Ld
input output
In symbols:
Dan Boneh
n-‐bits n-‐bits
R0 R1 R2 Rd-‐1 Rd
f1 f2
L0 ⊕ L1 ⊕ L2
⋯ Ld-‐1
fd
⊕ Ld
input output
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n

Feistel network F: {0,1}2n ⟶ {0,1}2n is inver<ble
Proof: construct inverse
Ri-‐1 Ri inverse Ri-‐1 = Li

fi
Li-‐1 ⊕ Li Li-‐1 = fi(Li) ⨁ Ri
Dan Boneh
n-‐bits n-‐bits
R0 R1 R2 Rd-‐1 Rd
f1 f2
L0 ⊕ L1 ⊕ L2
⋯ Ld-‐1
fd
⊕ Ld
input output
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n

Feistel network F: {0,1}2n ⟶ {0,1}2n is inver<ble
Proof: construct inverse
Ri ⊕ Ri-‐1
Ri-‐1 Ri inverse
fi
fi
Li-‐1 ⊕ Li Li Li-‐1
Dan Boneh
Decryp<on circuit
⊕ ⊕
n-‐bits n-‐bits
Rd ⊕
Rd-‐1 Rd-‐2 R1 R0
Ld
fd
Ld-‐1
fd-‐1
Ld-‐2
⋯ L1
f1
L0
•  Inversion is basically the same circuit,

with f1, …, fd applied in reverse order
•  General method for building inver<ble func<ons (block ciphers)

from arbitrary func<ons.
•  Used in many block ciphers … but not AES

Dan Boneh
“Thm:” (Luby-‐Rackoff ‘85):
f: K × {0,1}n ⟶ {0,1}n a secure PRF
⇒ 3-‐round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n a secure PRP

R0 R1 R2 R3
f f f
L0 ⊕ L1 ⊕ L2 ⊕ L3
input output
Dan Boneh
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
k
key expansion
k1 k2 ⋯ k16
64 bits
64 bits
16 round
IP IP-‐1
Feistel network
input output
To invert, use keys in reverse order Dan Boneh
The func<on F(ki, x)
S-‐box: func<on {0,1}6 ⟶ {0,1}4 , implemented as look-‐up table. Dan Boneh
The S-‐boxes
Si: {0,1}6 ⟶ {0,1}4
Dan Boneh
Example: a bad S-‐box choice
Suppose:
Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 )
or wripen equivalently: Si(x) = Ai⋅x (mod 2)

0 1 1 0 0 0 x1 x2⨁x3
1 0 0 1 1 0
. x2 = x1⨁x4⨁x5
1 0 0 0 0 1 x3 x1⨁x6
0 1 1 0 0 1 x4 x2⨁x3⨁x6
x5
We say that Si is a linear func<on. x6
Dan Boneh
Example: a bad S-‐box choice
Then en<re DES cipher would be linear: ∃fixed binary matrix B s.t.
832
m
DES(k,m) = 64
B . k1 = c (mod 2)
k2

⋮
k

16

But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3) = DES(k, m1⨁m2⨁m3)

B m
k 1 ⨁ B m 3 = B m
2 ⨁ B m 1⨁m2⨁m3
k k k⨁k⨁k
Dan Boneh
Choosing the S-‐boxes and P-‐box
Choosing the S-‐boxes and P-‐box at random would result
in an insecure block cipher (key recovery aner ≈224 outputs) [BS’89]

Several rules used in choice of S and P boxes:
•  No output bit should be close to a linear func. of the input bits
•  S-‐boxes are 4-‐to-‐1 maps
⋮
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Exhaus<ve Search
Apacks
Dan Boneh
Exhaus<ve Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,3
find key k.
Lemma: Suppose DES is an ideal cipher

( 256 random inver<ble func<ons )
Then ∀ m, c there is at most one key k s.t. c = DES(k, m)
Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%
Dan Boneh
Exhaus<ve Search for block cipher key
For two DES pairs (m1, c1=DES(k, m1)), (m2, c2=DES(k, m2))
unicity prob. ≈ 1 -‐ 1/271

For AES-‐128: given two inp/out pairs, unicity prob. ≈ 1 -‐ 1/2128

⇒ two input/output pairs are enough for exhaus<ve key search.

Dan Boneh
DES challenge
msg = “The unknown messages is: XXXX … “
CT = c1 c2 c3 c4

Goal: find k ∈ {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3
1997: Internet search -‐-‐ 3 months

1998: EFF machine (deep crack) -‐-‐ 3 days (250K $)
1999: combined search -‐-‐ 22 hours
2006: COPACOBANA (120 FPGAs) -‐-‐ 7 days (10K $)
⇒ 56-‐bit ciphers should not be used !! (128-‐bit key ⇒ 272 days)
Dan Boneh
Strengthening DES against ex. search
Method 1: Triple-‐DES
•  Let E : K × M ⟶ M be a block cipher
•  Define 3E: K3 × M ⟶ M as
3E( (k1,k2,k3), m) =
For 3DES: key-‐size = 3×56 = 168 bits. 3×slower than DES.
(simple apack in <me ≈2118 )

Dan Boneh
Why not double DES?
•  Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
key-‐len = 112 bits for DES
E(k2,⋅) E(k1,⋅)
m c
Apack: M = (m1,…, m10) , C = (c1,…,c10).

k0 = 00…00 E(k0 , M)
•  step 1: build table. k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M)
256
sort on 2nd column ⋮ ⋮
entries
kN = 11…11 E(kN , M) Dan Boneh
Meet in the middle apack
m E(k2,⋅) E(k1,⋅) c
k0 = 00…00 E(k0 , M)

Apack: M = (m1,…, m10) , C = (c1,…,c10) k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M)
•  step 1: build table. ⋮ ⋮
kN = 11…11 E(kN , M)
•  Step 2: for all k∈{0,1}56 do:

test if D(k, C) is in 2nd column.
if so then E(ki,M) = D(k,C) ⇒ (ki,k) = (k2,k1)

Dan Boneh
Meet in the middle apack
m E(k2,⋅) E(k1,⋅) c
Time = 256log(256) + 256log(256) < 263 << 2112 , space ≈ 256
Same apack on 3DES: Time = 2118 , space ≈ 256
m E(k3,⋅) E(k2,⋅) E(k1,⋅) c
Dan Boneh
Method 2: DESX
E : K × {0,1}n ⟶ {0,1}n a block cipher
Define EX as EX( (k1,k2,k3), m) = k1 ⨁ E(k2, m⨁k3 )
For DESX: key-‐len = 64+56+64 = 184 bits
… but easy apack in <me 264+56 = 2120 (homework)
Note: k1 ⨁ E(k2, m) and E(k2, m⨁k1) does nothing !!

Dan Boneh
End of Segment
Dan Boneh
Block ciphers
More apacks on

block ciphers
Dan Boneh
Apacks on the implementa<on
1. Side channel apacks:
–  Measure Kme to do enc/dec, measure power for enc/dec
smartcard [Kocher, Jaffe, Jun, 1998]

2. Fault apacks:
–  Compu<ng errors in the last round expose the secret key k
⇒ do not even implement crypto primi<ves yourself …

Dan Boneh
Linear and differen<al apacks [BS’89,M’93]
Given many inp/out pairs, can recover key in <me less than 256 .

Linear cryptanalysis (overview) : let c = DES(k, m)

Suppose for random k,m :
[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] = ½ + ε ]

For some ε. For DES, this exists with ε = 1/221 ≈ 0.0000000477
Dan Boneh
Linear apacks
[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] = ½ + ε ]

Thm: given 1/ε2 random (m, c=DES(k, m)) pairs then
k[l1,…,lu] = MAJ [ m[i ,…,i ] ⨁ c[j ,…,j ] ]

1 r j v
with prob. ≥ 97.7%

⇒ with 1/ε2 inp/out pairs can find k[l1,…,lu] in <me ≈1/ε2 .
Dan Boneh
Linear apacks
For DES, ε = 1/221 ⇒
with 242 inp/out pairs can find k[l1,…,lu] in <me 242

Roughly speaking: can find 14 key “bits” this way in <me 242

Brute force remaining 56−14=42 bits in <me 242

Total apack <me ≈243 ( << 256 ) with 242 random inp/out pairs

Dan Boneh
Lesson
A <ny bit of linearly in S5 lead to a 242 <me apack.

⇒ don’t design ciphers yourself !!
Dan Boneh
Quantum apacks
Generic search problem:
Let f: X ⟶ {0,1} be a func<on.
Goal: find x∈X s.t. f(x)=1.

Classical computer: best generic algorithm <me = O( |X| )

Quantum computer [Grover ’96] : <me = O( |X|1/2 )

Can quantum computers be built: unknown
Dan Boneh
Quantum exhaus<ve search
Given m, c=E(k,m) define 1  if E(k,m) = c
f(k) =
0 otherwise

Grover ⇒ quantum computer can find k in <me O( |K|1/2 )

DES: <me ≈228 , AES-‐128: <me ≈264

quantum computer ⇒ 256-‐bits key ciphers (e.g. AES-‐256)

Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The AES block cipher
Dan Boneh
The AES process
•  1997: NIST publishes request for proposal
•  1998: 15 submissions. Five claimed apacks.
•  1999: NIST chooses 5 finalists
•  2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits. Block size: 128 bits
Dan Boneh
AES is a Subs-‐Perm network (not Feistel)
k1 k2 kn
S1 S1 S1
S2 S2 S2
S3 S3 S3
output
input
⨁
⨁ ⋯
⨁
⋯
⋯
⋯
S8 S8 S8
subs. perm.
layer layer inversion
Dan Boneh
AES-‐128 schema<c
10 rounds
4
(1)  ByteSub (1)  ByteSub (1)  ByteSub
⋯
⨁
⨁
⨁
(2)  ShinRow
⨁
4 input (2)  ShinRow (2)  ShinRow

(3)  MixColumn (3)  MixColumn
inver<ble
k0 k1 k2 k9
⨁
k10
key key expansion:
4 output
16 bytes 16 bytes ⟶176 bytes 4
Dan Boneh
The round func<on
•  ByteSub: a 1 byte S-‐box. 256 byte table (easily computable)
•  ShiORows:
•  MixColumns:

Dan Boneh
Code size/performance tradeoff
Code size Performance
Pre-‐compute fastest:
round func<ons largest table lookups
(24KB or 4KB) and xors
Pre-‐compute
smaller slower
S-‐box only (256 bytes)
No pre-‐computa<on smallest slowest
Dan Boneh
Example: Javascript AES
AES in the browser:
AES library (6.4KB)

no pre-‐computed tables
Prior to encryp<on:

pre-‐compute tables
Then encrypt using tables
hpp://crypto.stanford.edu/sjcl/
Dan Boneh
AES in hardware
AES instruc<ons in Intel Westmere:
•  aesenc, aesenclast: do one round of AES
128-‐bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
•  aeskeygenassist: performs AES key expansion
•  Claim 14 x speed-‐up over OpenSSL on same hardware
Similar instruc<ons on AMD Bulldozer

Dan Boneh
Apacks
Best key recovery apack:
four <mes beper than ex. search [BKR’11]

Related key apack on AES-‐256: [BK’09]
Given 299 inp/out pairs from four related keys in AES-‐256
can recover keys in <me ≈299
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Block ciphers from PRGs
Dan Boneh
Can we build a PRF from a PRG?
Let G: K ⟶ K2 be a secure PRG k
G
Define 1-‐bit PRF F: K × {0,1} ⟶ K as G(k)[0] G(k)[1]

F(k, x∈{0,1} ) = G(k)[x]

Thm: If G is a secure PRG then F is a secure PRF
Can we build a PRF with a larger domain?

Dan Boneh
Extending a PRG
Let G: K ⟶ K2 .
define G1: K ⟶ K4 as G1(k) = G(G(k)[0]) ll G(G(k)[1])
k
We get a 2-‐bit PRF: G

G(k)[0] G(k)[1]
F(k, x∈{0,1}2 ) = G1(k)[x] G G
00 01 10 11
G1(k)
Dan Boneh
k
G1 is a secure PRG
G
G(k)[0] G(k)[1] r0 r1
G G G G
00 01 10 11 ≈p
G1(k)
≈p
r1
G
random in K4 ≈p r00 r01
Dan Boneh
Extending more
Let G: K ⟶ K2 .
define G2: K ⟶ K8 as G2(k) = k
G
G(k)[0] G(k)[1]
We get a 3-‐bit PRF G G
G G G G
000 001 010 011 100 101 110 111
G2(k) Dan Boneh

Extending even more: the GGM PRF
Let G: K ⟶ K2 . define PRF F: K × {0,1}n ⟶ K as
For input x = x0 x1 … xn-‐1 ∈ {0,1}n do:
G(k)[x0] G(k1)[x1] k G(k2)[x2] k G(kn-‐1)[xn-‐1] kn

k k1 2 3
⋯
Security: G a secure PRG ⇒ F is a secure PRF on {0,1}n .
Not used in prac<ce due to slow performance.

Dan Boneh
Secure block cipher from a PRG?
Can we build a secure PRP from a secure PRG?
No, it cannot be done

Yes, just plug the GGM PRF into the Luby-‐Rackoff theorem
It depends on the underlying PRG
End of Segment
Dan Boneh
Using block ciphers
Review: PRPs and PRFs
Dan Boneh
n bits n bits
Key k bits
Canonical examples:
1.  3DES: n= 64 bits, k = 168 bits
2.  AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Abstractly: PRPs and PRFs
•  Pseudo Random FuncAon (PRF) defined over (K,X,Y):
F: K × X → Y
such that exists “efficient” algorithm to evaluate F(k,x)
•  Pseudo Random PermutaAon (PRP) defined over (K,X):

E: K × X → X
such that:
1. Exists “efficient” determinisAc algorithm to evaluate E(k,x)
2. The funcAon E( k, ⋅ ) is one-‐to-‐one
3. Exists “efficient” inversion algorithm D(k,x)
Dan Boneh
Secure PRFs
Funs[X,Y]: the set of all funcAons from X to Y
SF = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]
•  IntuiAon: a PRF is secure if

a random funcAon in Funs[X,Y] is indisAnguishable from
a random funcAon in SF
SF
Funs[X,Y]
|X|
Size |Y|
Size |K|
Dan Boneh
Secure PRF: definiAon
•  For b=0,1 define experiment EXP(b) as:
b
Chal. b=0: k←K, f ←F(k,⋅) Adv. A

b=1: f←Funs[X,Y] x1 ∈ X , x2 , …, xq
f
f(x1) , f(x2) , …, f(xq)
b’ ∈ {0,1}
•  Def: F is a secure PRF if for all “efficient” A: EXP(b)
AdvPRF[A,F] := |Pr[EXP(0)=1] – Pr[EXP(1)=1] |
is “negligible.” Dan Boneh
Secure PRP (secure block cipher)
•  For b=0,1 define experiment EXP(b) as:
b
Chal. b=0: k←K, f ←E(k,⋅) Adv. A

b=1: f←Perms[X] x1 ∈ X , x2, …, xq
f
f(x1) , f(x2), …, f(xq)
•  Def: E is a secure PRP if for all “efficient” A:

b’ ∈ {0,1}
AdvPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] |
is “negligible.” Dan Boneh
Let X = {0,1}. Perms[X] contains two funcAons

Consider the following PRP:
key space K={0,1}, input space X = {0,1},
PRP defined as:
E(k,x) = x⨁k
Is this a secure PRP?
Yes
No
It depends
Example secure PRPs
•  PRPs believed to be secure: 3DES, AES, …
AES-‐128: K × X → X where K = X = {0,1}128
•  An example concrete assumpAon about AES:
All 280–Ame algs. A have AdvPRP[A, AES] < 2-‐40

Dan Boneh
Consider the 1-‐bit PRP from the previous quesAon: E(k,x) = x⨁k

Is it a secure PRF?

Note that Funs[X,X] contains four funcAons
Yes
No
Akacker A:
It depends (1)  query f(⋅) at x=0 and x=1
(2)  if f(0) = f(1) output “1”, else “0”
AdvPRF[A,E] = |0-‐½| = ½
PRF Switching Lemma
Any secure PRP is also a secure PRF, if |X| is sufficiently large.
Lemma: Let E be a PRP over (K,X)

Then for any q-‐query adversary A:
| AdvPRF [A,E] - AdvPRP[A,E] | < q2 / 2|X|
⇒ Suppose |X| is large so that q2 / 2|X| is “negligible”
Then AdvPRP [A,E] “negligible” ⇒ AdvPRF[A,E] “negligible”
Dan Boneh
Final note
•  SuggesAon:
–  don’t think about the inner-‐workings of AES and 3DES.
•  We assume both are secure PRPs and will

see how to use them
Dan Boneh
End of Segment
Dan Boneh
Using block ciphers
Modes of operaAon:

one Ame key
example: encrypted email, new key for every message.

Dan Boneh
Using PRPs and PRFs
Goal: build “secure” encrypAon from a secure PRP (e.g. AES).
This segment: one-‐8me keys

1.  Adversary’s power:
Adv sees only one ciphertext (one-‐Ame key)
2.  Adversary’s goal:

Learn info about PT from CT (semanAc security)

Next segment: many-‐Ame keys (a.k.a chosen-‐plaintext security)
Dan Boneh
Incorrect use of a PRP
Electronic Code Book (ECB):
PT: m1 m2
CT: c1 c2
Problem:
–  if m1=m2 then c1=c2
Dan Boneh
In pictures
(courtesy B. Preneel) Dan Boneh

SemanAc Security (one-‐Ame key)
EXP(0): Chal. m0 , m1 ∈ M : |m0| = |m1| Adv. A
k←K c ← E(k,m0) b’ ∈ {0,1}
one Ame key ⇒ adversary sees only one ciphertext
Chal. m0 , m1 ∈ M : |m0| = |m1| Adv. A

EXP(1):
k←K c ← E(k,m1) b’ ∈ {0,1}
AdvSS[A,OTP] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | should be “neg.”

Dan Boneh
ECB is not SemanAcally Secure
ECB is not semanAcally secure for messages that contain
more than one block.
b∈{0,1}
Two blocks
Chal. m0 = “Hello World” Adv. A
k←K m1 = “Hello Hello”
(c1,c2) ← E(k, mb)
If c1=c2 output 0, else output 1

Then AdvSS [A, ECB] = 1 Dan Boneh
Secure ConstrucAon I
DeterminisAc counter mode from a PRF F :
•  EDETCTR (k, m) =

m[0] m[1] … m[L]
⊕ F(k,0) F(k,1) … F(k,L)
c[0] c[1] … c[L]

⇒ Stream cipher built from a PRF (e.g. AES, 3DES)

Dan Boneh
Det. counter-‐mode security
Theorem: For any L>0,
If F is a secure PRF over (K,X,X) then
EDETCTR is sem. sec. cipher over (K,XL,XL).
In parAcular, for any eff. adversary A akacking EDETCTR
there exists a n eff. PRF adversary B s.t.:
AdvSS[A, EDETCTR] = 2 ⋅ AdvPRF[B, F]
AdvPRF[B, F] is negligible (since F is a secure PRF)

Hence, AdvSS[A, EDETCTR] must be negligible.
Dan Boneh
Proof
m0 , m1 m0 , m1
k←K c ← m0
F(k,0) … F(k,L)
⊕ ≈p f←Funs c ← m0 ⊕
f(0) … f(L)
b’≟1 b’≟1
≈p ≈p
m0 , m1 m0 , m1
k←K c ← m1 ⊕ ≈p r←{0,1}n c ← m1 ⊕
F(k,0) … F(k,L) f(0) … f(L)
b’≟1 b’≟1
Dan Boneh
End of Segment
Dan Boneh
Using block ciphers
Security for
many-‐Ame key
Example applicaAons:
1. File systems: Same AES key used to encrypt many files.
2. IPsec: Same AES key used to encrypt many packets. Dan Boneh
SemanAc Security for many-‐Ame key
Key used more than once ⇒ adv. sees many CTs with same key

Adversary’s power: chosen-‐plaintext akack (CPA)
•  Can obtain the encrypAon of arbitrary messages of his choice
(conservaAve modeling of real life)

Adversary’s goal: Break semaAc security
Dan Boneh
E = (E,D) a cipher defined over (K,M,C). For b=0,1 define EXP(b) as:
b Chal. Adv.
k←K m1,0 , m1,1 ∈ M : |m1,0| = |m1,1|
c1 ← E(k, m1,b)
Dan Boneh
b Chal. Adv.
k←K m2,0 , m2,1 ∈ M : |m2,0| = |m2,1|
c2 ← E(k, m2,b)
Dan Boneh
SemanAc Security for many-‐Ame key (CPA security)
for i=1,…,q:
b Chal. Adv.
k←K mi,0 , mi,1 ∈ M : |mi,0| = |mi,1|
ci ← E(k, mi,b)
b’ ∈ {0,1}
if adv. wants c = E(k, m) it queries with mj,0= mj,1=m
Def: E is sem. sec. under CPA if for all “efficient” A:
AdvCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.”
Dan Boneh
Ciphers insecure under CPA
Suppose E(k,m) always outputs same ciphertext for msg m. Then:

m0 , m0 ∈ M
Chal. Adv.
c0 ←E(k, m0)
k←K
m0 , m1 ∈ M
output 0
c ← E(k, mb) if c = c0
So what? an akacker can learn that two encrypted files are
the same, two encrypted packets are the same, etc.
•  Leads to significant akacks when message space M is small
Dan Boneh
Ciphers insecure under CPA
Suppose E(k,m) always outputs same ciphertext for msg m. Then:

m0 , m0 ∈ M
Chal. Adv.
c0 ←E(k, m0)
k←K
m0 , m1 ∈ M
output 0
If secret key is to be used mulAple Ames ⇒

given the same plaintext message twice,
encrypAon must produce different outputs.
Dan Boneh
SoluAon 1: randomized encrypAon
•  E(k,m) is a randomized algorithm:
enc dec
m0 m0
m1 m1
⇒ encrypAng same msg twice gives different ciphertexts (w.h.p)
⇒ ciphertext must be longer than plaintext
Roughly speaking: CT-‐size = PT-‐size + “# random bits”

Dan Boneh
Let F: K × R ⟶ M be a secure PRF.

For m∈M define E(k,m) = [ r⟵R,
R
output (r, F(k,r)⨁m) ]

Is E semanAcally secure under CPA?
Yes, whenever F is a secure PRF

No, there is always a CPA akack on this system
Yes, but only if R is large enough so r never repeats (w.h.p)
It depends on what F is used
SoluAon 2: nonce-‐based EncrypAon
nonce
Alice Bob
m, n E(k,m,n)=c c, n D(k,c,n)=m
E D
k k
•  nonce n: a value that changes from msg to msg.
(k,n) pair never used more than once
•  method 1: nonce is a counter (e.g. packet counter)
–  used when encryptor keeps state from msg to msg
–  if decryptor has same state, need not send nonce with CT
•  method 2: encryptor chooses a random nonce, n ← N Dan Boneh
CPA security for nonce-‐based encrypAon
System should be secure when nonces are chosen adversarially.
for i=1,…,q:
b Chal. Adv.
k←K ni and mi,0 , mi,1 : |mi,0| = |mi,1|
c ← E(k, mi,b , ni)
b’ ∈ {0,1}
All nonces {n1, …, nq} must be dis8nct.

Def: nonce-‐based E is sem. sec. under CPA if for all “efficient” A:
AdvnCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.”
Dan Boneh
Let F: K × R ⟶ M be a secure PRF. Let r = 0 iniAally.

For m∈M define E(k,m) = [ r++, output (r, F(k,r)⨁m) ]

Is E CPA secure nonce-‐based encrypAon?
Yes, whenever F is a secure PRF

No, there is always a nonce-‐based CPA akack on this system
Yes, but only if R is large enough so r never repeats
It depends on what F is used
End of Segment
Dan Boneh
Using block ciphers
Modes of operaAon:

many Ame key (CBC)
ConstrucAon 1: CBC with random IV
Let (E,D) be a PRP. ECBC(k,m): choose random IV∈X and do:

IV m[0] m[1] m[2] m[3]
⊕ ⊕ ⊕ ⊕
E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)
IV c[0] c[1] c[2] c[3]
ciphertext
Dan Boneh
DecrypAon circuit
In symbols: c[0] = E(k, IV⨁m[0] ) ⇒ m[0] = D(k, c[0]) ⨁ IV
IV c[0] c[1] c[2] c[3]
D(k,⋅) D(k,⋅) D(k,⋅) D(k,⋅)

⊕ ⊕ ⊕ ⊕
m[0] m[1] m[2] m[3]
Dan Boneh
CBC: CPA Analysis
CBC Theorem: For any L>0,
If E is a secure PRP over (K,X) then
ECBC is a sem. sec. under CPA over (K, XL, XL+1).
In parAcular, for a q-‐query adversary A akacking ECBC

there exists a PRP adversary B s.t.:
AdvCPA [A, ECBC] ≤ 2⋅AdvPRP[B, E] + 2 q2 L2 / |X|
Note: CBC is only secure as long as q2L2 << |X|
Dan Boneh
An example
AdvCPA [A, ECBC] ≤ 2⋅PRP Adv[B, E] + 2 q2 L2 / |X|
q = # messages encrypted with k , L = length of max message
Suppose we want AdvCPA [A, ECBC] ≤ 1/232 ⇐ q2 L2 /|X| < 1/ 232
•  AES: |X| = 2128 ⇒ q L < 248
So, ader 248 AES blocks, must change key
•  3DES: |X| = 264 ⇒ q L < 216

Dan Boneh
Warning: an akack on CBC with rand. IV
CBC where akacker can predict the IV is not CPA-‐secure !!

Suppose given c ⟵ ECBC(k,m) can predict IV for next message
0 ∈ X
Chal. Adv.
c1 ← [ IV1, E(k, 0⨁IV1) ]
k←K predict IV
m0=IV⨁IV1 , m1 ≠ m0
output 0
c ← [ IV, E(k, IV1) ] or
if c[1] = c1[1]
c ← [ IV, E(k, m1⨁IV) ]
Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-‐1) Dan Boneh
ConstrucAon 1’: nonce-‐based CBC
•  Cipher block chaining with unique nonce: key = (k,k1)
unique nonce means: (key, n) pair is used for only one message
nonce m[0] m[1] m[2] m[3]

IV
⊕ ⊕ ⊕ ⊕
E(k1,⋅) E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)
nonce c[0] c[1] c[2] c[3]

ciphertext
included only if unknown to decryptor Dan Boneh
An example Crypto API (OpenSSL)
void AES_cbc_encrypt(
const unsigned char *in,
unsigned char *out,
size_t length,
const AES_KEY *key,
unsigned char *ivec, ⟵ user supplies IV
AES_ENCRYPT or AES_DECRYPT);
When nonce is non random need to encrypt it before use
Dan Boneh
A CBC technicality: padding
IV m[0] m[1] m[2] m[3] ll pad
IVʹ′
⊕ ⊕ ⊕ ⊕
E(k1,⋅) E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)
IV c[0] c[1] c[2] c[3]
removed
TLS: for n>0, n byte pad is n n n ⋯ n during
decrypAon
if no pad needed, add a dummy block Dan Boneh
End of Segment
Dan Boneh
Using block ciphers
Modes of operaAon:

many Ame key (CTR)
ConstrucAon 2: rand ctr-‐mode
Let F: K × {0,1}n ⟶ {0,1}n be a secure PRF.
E(k,m): choose a random IV ∈ {0,1}n and do:
msg
IV m[0] m[1] … m[L]
F(k,IV) F(k,IV+1) … F(k,IV+L)

⊕
IV c[0] c[1] … c[L]
ciphertext
note: parallelizable (unlike CBC)

Dan Boneh
ConstrucAon 2’: nonce ctr-‐mode
msg
IV m[0] m[1] … m[L]
F(k,IV) F(k,IV+1) … F(k,IV+L)

⊕
IV c[0] c[1] … c[L]
ciphertext
To ensure F(k,x) is never used more than once, choose IV as:
128 bits
IV: nonce counter
starts at 0
64 bits 64 bits for every msg Dan Boneh
rand ctr-‐mode (rand. IV): CPA analysis
•  Counter-‐mode Theorem: For any L>0,
ECTR is a sem. sec. under CPA over (K,XL,XL+1).
In parAcular, for a q-‐query adversary A akacking ECTR

there exists a PRF adversary B s.t.:
AdvCPA[A, ECTR] ≤ 2⋅AdvPRF[B, F] + 2 q2 L / |X|
Note: ctr-‐mode only secure as long as q2L << |X| . Beker than CBC !
Dan Boneh
An example
AdvCPA [A, ECTR] ≤ 2⋅AdvPRF[B, E] + 2 q2 L / |X|
q = # messages encrypted with k , L = length of max message
Suppose we want AdvCPA [A, ECTR] ≤ 1/232 ⇐ q2 L /|X| < 1/ 232
•  AES: |X| = 2128 ⇒ q L1/2 < 248

So, ader 232 CTs each of len 232 , must change key
(total of 264 AES blocks)

Dan Boneh
Comparison: ctr vs. CBC
CBC ctr mode
uses PRP PRF
parallel processing No Yes
Security of rand. enc. q^2 L^2 << |X| q^2 L << |X|
dummy padding block Yes No
1 byte msgs (nonce-‐based) 16x expansion no expansion
(for CBC, dummy padding block can be solved using ciphertext stealing)
Dan Boneh
Summary
•  PRPs and PRFs: a useful abstracAon of block ciphers.
•  We examined two security noAons: (security against eavesdropping)

1.  SemanAc security against one-‐Ame CPA.
2.  SemanAc security against many-‐Ame CPA.
Note: neither mode ensures data integrity.
•  Stated security results summarized in the following table:

Power CPA and
one-time key Many-time key (CPA)
Goal integrity
steam-ciphers rand CBC

Sem. Sec. later
det. ctr-mode rand ctr-mode
Dan Boneh
Further reading
•  A concrete security treatment of symmetric encrypAon:
Analysis of the DES modes of operaAon,
M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997
•  Nonce-‐Based Symmetric EncrypAon, P. Rogaway, FSE 2004
Dan Boneh
End of Segment
Dan Boneh
Message integrity
Message Auth. Codes
Dan Boneh
Message Integrity
Goal: integrity, no confiden>ality.
Examples:
–  Protec>ng public binaries on disk.
–  Protec>ng banner ads on web pages.
Dan Boneh
Message integrity: MACs
k message m tag
k
Alice Bob
Generate tag: Verify tag:

?
tag ← S(k, m) V(k, m, tag) = `yes’
Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
–  S(k,m) outputs t in T
–  V(k,m,t) outputs `yes’ or `no’
Dan Boneh
Integrity requires a secret key
message m tag
Alice Bob
Generate tag: Verify tag:

?
tag ← CRC(m) V(m, tag) = `yes’
•  ARacker can easily modify message m and re-‐compute CRC.
•  CRC designed to detect random, not malicious errors.

Dan Boneh
Secure MACs
ARacker’s power: chosen message a?ack
•  for m1,m2,…,mq aRacker is given ti ← S(k,mi)
ARacker’s goal: existenAal forgery

•  produce some new valid message/tag pair (m,t).
(m,t) ∉ { (m1,t1) , … , (mq,tq) }

⇒ aRacker cannot produce a valid tag for a new message
⇒ given (m,t) aRacker cannot even produce (m,t’) for t’ ≠ t
Dan Boneh
Secure MACs
•  For a MAC I=(S,V) and adv. A define a MAC game as:
m1 ∈ M m2 , …, mq
Chal. Adv.
k←K t1 ← S(k,m1) t2 , …, tq
(m,t)
b
b=1 if V(k,m,t) = `yes’ and (m,t) ∉ { (m1,t1) , … , (mq,tq) }
b=0 otherwise
Def: I=(S,V) is a secure MAC if for all “efficient” A:
AdvMAC[A,I] = Pr[Chal. outputs 1] is “negligible.” Dan Boneh
Let I = (S,V) be a MAC.
Suppose an aRacker is able to find m0 ≠ m1 such that
S(k, m0) = S(k, m1) for ½ of the keys k in K
Can this MAC be secure?
Yes, the aRacker cannot generate a valid tag for m0 or m1
No, this MAC can be broken using a chosen msg aRack
It depends on the details of the MAC
Let I = (S,V) be a MAC.
Suppose S(k,m) is always 5 bits long

Can this MAC be secure?
No, an aRacker can simply guess the tag for messages
It depends on the details of the MAC
Yes, the aRacker cannot generate a valid tag for any message
Example: protec>ng system files
Suppose at install >me the system computes:
filename filename filename
k derived from
F1 F2 ⋯ Fn
user’s password
t1 = S(k,F1) t2 = S(k,F2) tn = S(k,Fn)
Later a virus infects system and modifies system files

User reboots into clean OS and supplies his password
–  Then: secure MAC ⇒ all modified files will be detected
Dan Boneh
End of Segment
Dan Boneh
Message Integrity
MACs based on PRFs
Dan Boneh
Review: Secure MACs
MAC: signing alg. S(k,m)⟶t and verifica>on alg. V(k,m,t) ⟶0,1
ARacker’s power: chosen message a?ack

•  for m1,m2,…,mq aRacker is given ti ← S(k,mi)
ARacker’s goal: existenAal forgery

•  produce some new valid message/tag pair (m,t).
(m,t) ∉ { (m1,t1) , … , (mq,tq) }
⇒ aRacker cannot produce a valid tag for a new message

Dan Boneh
Secure PRF ⇒ Secure MAC
For a PRF F: K × X ⟶ Y define a MAC IF = (S,V) as:
–  S(k,m) := F(k,m)
–  V(k,m,t): output `yes’ if t = F(k,m) and `no’ otherwise.
message m tag
Alice Bob
tag ← F(k,m) accept msg if

tag = F(k,m)
Dan Boneh
A bad example
Suppose F: K × X ⟶ Y is a secure PRF with Y = {0,1}10

Is the derived MAC IF a secure MAC system?

Yes, the MAC is secure because the PRF is secure
No tags are too short: anyone can guess the tag for any msg
It depends on the func>on F
Security
Thm: If F: K×X⟶Y is a secure PRF and 1/|Y| is negligible
(i.e. |Y| is large) then IF is a secure MAC.
In par>cular, for every eff. MAC adversary A aRacking IF

there exists an eff. PRF adversary B aRacking F s.t.:
AdvMAC[A, IF] ≤ AdvPRF[B, F] + 1/|Y|

⇒ IF is secure as long as |Y| is large, say |Y| = 280 .
Dan Boneh
Proof Sketch
Suppose f: X ⟶ Y is a truly random func>on
Then MAC adversary A must win the following game:
m1 ∈ X m2 , …, mq
Chal. Adv.
t1 ← f(m1) f(m2) , …, f(mq)
f in
Funs[X,Y] (m,t)

A wins if t = f(m) and m ∉ { m1 , … , mq }

⇒ Pr[A wins] = 1/|Y| same must hold for F(k,x)
Dan Boneh
Examples
•  AES: a MAC for 16-‐byte messages.
•  Main ques>on: how to convert Small-‐MAC into a Big-‐MAC ?
•  Two main construc>ons used in prac>ce:

–  CBC-‐MAC (banking – ANSI X9.9, X9.19, FIPS 186-‐3)
–  HMAC (Internet protocols: SSL, IPsec, SSH, …)
•  Both convert a small-‐PRF into a big-‐PRF.

Dan Boneh
Trunca>ng MACs based on PRFs
Easy lemma: suppose F: K × X ⟶ {0,1}n is a secure PRF.
Then so is Ft(k,m) = F(k,m)[1…t] for all 1 ≤ t ≤ n

⇒ if (S,V) is a MAC is based on a secure PRF outpuung n-‐bit tags
the truncated MAC outpuung w bits is secure
… as long as 1/2w is s>ll negligible (say w≥64)
Dan Boneh
End of Segment
Dan Boneh
Message Integrity
CBC-‐MAC and NMAC
Dan Boneh
MACs and PRFs
Recall: secure PRF F ⇒ secure MAC, as long as |Y| is large
S(k, m) = F(k, m)

Our goal:
given a PRF for short messages (AES)
construct a PRF for long messages

From here on let X = {0,1}n (e.g. n=128)
Dan Boneh
Construc>on 1: encrypted CBC-‐MAC
raw CBC
m[0] m[1] m[3] m[4]
⊕ ⊕ ⊕
F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅)
Let F: K × X ⟶ X be a PRP tag

F(k1,⋅)
Define new PRF FECBC : K2 × X≤L ⟶ X
Dan Boneh
Construc>on 2: NMAC (nested MAC)
cascade
m[0] m[1] m[3] m[4]
k t
> F > F > F > F t ll fpad
> F
Let F: K × X ⟶ K be a PRF k1
tag
Define new PRF FNMAC : K2 × X≤L ⟶ K
Dan Boneh
Why the last encryp>on step in ECBC-‐MAC and NMAC?
NMAC: suppose we define a MAC I = (S,V) where
S(k,m) = cascade(k, m)

This MAC is secure
This MAC can be forged without any chosen msg queries
This MAC can be forged with one chosen msg query
This MAC can be forged, but only with two msg queries
Why the last encryp>on step in ECBC-‐MAC?
Suppose we define a MAC IRAW = (S,V) where
S(k,m) = rawCBC(k,m)
Then IRAW is easily broken using a 1-‐chosen msg aRack.
Adversary works as follows:

–  Choose an arbitrary one-‐block message m∈X
–  Request tag for m. Get t = F(k,m)
–  Output t as MAC forgery for the 2-‐block message (m, t⊕m)
Indeed: rawCBC(k, (m, t⊕m) ) = F(k, F(k,m)⊕(t⊕m) ) = F(k, t⊕(t⊕m) ) = t

Dan Boneh
ECBC-‐MAC and NMAC analysis
Theorem: For any L>0,
For every eff. q-‐query PRF adv. A aRacking FECBC or FNMAC
there exists an eff. adversary B s.t.:
AdvPRF[A, FECBC] ≤ AdvPRP[B, F] + 2 q2 / |X|
AdvPRF[A, FNMAC] ≤ q⋅L⋅AdvPRF[B, F] + q2 / 2|K|
CBC-‐MAC is secure as long as q << |X|1/2

NMAC is secure as long as q << |K|1/2 (264 for AES-‐128)
Dan Boneh
An example
AdvPRF[A, FECBC] ≤ AdvPRP[B, F] + 2 q2 / |X|
q = # messages MAC-‐ed with k
Suppose we want AdvPRF[A, FECBC] ≤ 1/232 ⇐ q2 /|X| < 1/ 232
•  AES: |X| = 2128 ⇒ q < 248
So, acer 248 messages must, must change key
•  3DES: |X| = 264 ⇒ q < 216

Dan Boneh
The security bounds are >ght: an aRack
Acer signing |X|1/2 messages with ECBC-‐MAC or
|K|1/2 messages with NMAC
the MACs become insecure

Suppose the underlying PRF F is a PRP (e.g. AES)
•  Then both PRFs (ECBC and NMAC) have the following
extension property:
∀x,y,w: FBIG(k, x) = FBIG(k, y) ⇒ FBIG(k, xllw) = FBIG(k, yllw)
Dan Boneh
The security bounds are >ght: an aRack
Let FBIG: K × X ⟶ Y be a PRF that has the extension property
FBIG(k, x) = FBIG(k, y) ⇒ FBIG(k, xllw) = FBIG(k, yllw)
Generic aRack on the derived MAC:
step 1: issue |Y|1/2 message queries for rand. messages in X.
obtain ( mi, ti ) for i = 1 ,…, |Y|1/2
step 2: find a collision tu = tv for u≠v (one exists w.h.p by b-‐day paradox)
step 3: choose some w and query for t := FBIG(k, mullw)
step 4: output forgery (mvllw, t). Indeed t := FBIG(k, mvllw)
Dan Boneh
BeRer security: a rand. construc>on
2 blocks
m
k1
k > rawCBC t
>
rawCBC
tag
r
rand. r in X
Let F: K × X ⟶ X be a PRF. Result: MAC with tags in X2.

Security: AdvMAC[A, IRCBC] ≤ AdvPRP[B, F] ⋅ (1 + 2 q2 / |X| )
⇒ For 3DES: can sign q=232 msgs with one key Dan Boneh
Comparison
ECBC-‐MAC is commonly used as an AES-‐based MAC
•  CCM encryp>on mode (used in 802.11i)
•  NIST standard called CMAC
NMAC not usually used with AES or 3DES

•  Main reason: need to change AES key on every block
requires re-‐compu>ng AES key expansion
•  But NMAC is the basis for a popular MAC called HMAC (next)
Dan Boneh
End of Segment
Dan Boneh
Message Integrity
MAC padding
Dan Boneh
Recall: ECBC-‐MAC
m[0] m[1] m[3] m[4]
⊕ ⊕ ⊕
F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅)
Let F: K × X ⟶ X be a PRP tag

F(k1,⋅)
Define new PRF FECBC : K2 × X≤L ⟶ X
Dan Boneh
What if msg. len. is not mul>ple of block-‐size?
m[0] m[1] m[3] m[4] ???
⊕ ⊕ ⊕
F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅)
tag
F(k1,⋅)
Dan Boneh
CBC MAC padding
Bad idea: pad m with 0’s
m[0] m[1] m[0] m[1] 0000
Is the resul>ng MAC secure?
Yes, the MAC is secure

It depends on the underlying MAC
No, given tag on msg m aRacker obtains tag on mll0
Problem: pad(m) = pad(mll0)

CBC MAC padding
For security, padding must be inver>ble !
m0 ≠ m1 ⇒ pad(m0) ≠ pad(m1)
ISO: pad with “1000…00”. Add new dummy block if needed.
–  The “1” indicates beginning of pad.
m[0] m[1] m[0] m[1] 100
m’[0] m’[1] m’[0] m’[1] 1000…000
Dan Boneh
CMAC (NIST standard)
Variant of CBC-‐MAC where key = (k, k1, k2)
•  No final encryp>on step (extension aRack thwarted by last keyed xor)
•  No dummy block (ambiguity resolved by use of k1 or k2)
m[0] m[1] ⋯ m[w] 100 m[0] m[1] ⋯ m[w]
⊕ ⊕ k1 ⊕ ⊕ k2
F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅) F(k,⋅)

tag tag
Dan Boneh
End of Segment
Dan Boneh
Message Integrity
PMAC and
Carter-‐Wegman MAC
Dan Boneh
•  ECBC and NMAC are sequen>al.
•  Can we build a parallel MAC from a small PRF ??
Dan Boneh
Construc>on 3: PMAC – parallel MAC
P(k, i): an easy to compute func>on
m[0] m[1] m[2] m[3]
key = (k, k1)
P(k,0) ⊕ P(k,1) ⊕ P(k,2) ⊕ P(k,3) ⊕
Padding similar
to CMAC F(k1,⋅) F(k1,⋅) F(k1,⋅)
⊕
Let F: K × X ⟶ X be a PRF
Define new PRF FPMAC : K2 × X≤L ⟶ X F(k1,⋅) tag
Dan Boneh
PMAC: Analysis
PMAC Theorem: For any L>0,
FPMAC is a secure PRF over (K, X≤L, X).
For every eff. q-‐query PRF adv. A aRacking FPMAC

there exists an eff. PRF adversary B s.t.:
AdvPRF[A, FPMAC] ≤ AdvPRF[B, F] + 2 q2 L2 / |X|
PMAC is secure as long as qL << |X|1/2

Dan Boneh
PMAC is incremental
Suppose F is a PRP. m[0] m[1] m[3] m[4]
P(k,0) ⊕ P(k,1) ⊕ P(k,2) ⊕ P(k,3) ⊕

When m[1] ⟶ m’[1] F(k1,⋅) F(k1,⋅) F(k1,⋅)
can we quickly update tag? ⊕

F(k1,⋅) tag
no, it can’t be done

do F-‐1(k1,tag) ⨁ F(k1, m’[1] ⨁ P(k,1))
do F-‐1(k1,tag) ⨁ F(k1, m[1] ⨁ P(k,1)) ⨁ F(k1, m’[1] ⨁ P(k,1))
do tag ⨁ F(k1, m[1] ⨁ P(k,1)) ⨁ F(k1, m’[1] ⨁ P(k,1))
Then apply F(k1, ⋅)
One >me MAC (analog of one >me pad)

•  For a MAC I=(S,V) and adv. A define a MAC game as:
m1 ∈ M
Chal. Adv.
k←K t1 ← S(k,m1)
(m,t)
b
b=1 if V(k,m,t) = `yes’ and (m,t) ≠ (m1,t1)
b=0 otherwise
Def: I=(S,V) is a secure MAC if for all “efficient” A:
Adv1MAC[A,I] = Pr[Chal. outputs 1] is “negligible.”
Dan Boneh
One-‐>me MAC: an example
Can be secure against all adversaries and faster than PRF-‐based MACs
Let q be a large prime (e.g. q = 2128+51 )

key = (a, b) ∈ {1,…,q}2 (two random ints. in [1,q] )
msg = ( m[1], …, m[L] ) where each block is 128 bit int.
S( key, msg ) = Pmsg(a) + b (mod q)
where Pmsg(x) = xL+1 + m[L]⋅xL + … + m[1]⋅x is a poly. of deg L+1
We show: given S( key, msg1 ) adv. has no info about S( key, msg2 )
Dan Boneh
One-‐>me security (uncondi>onal)
Thm: the one-‐>me MAC on the previous slide sa>sfies (L=msg-‐len)
∀m1≠m2,t1,t2: Pra,b[ S( (a,b), m1) = t1 | S( (a,b), m2) = t2] ≤ L/q
Proof: ∀m1≠m2, t1, t2:
(1) Pra,b[ S( (a,b), m2) = t2] = Pra,b[Pm2(a)+b=t2] = 1/q
(2) Pra,b[ S( (a,b), m1) = t1 and S( (a,b), m2) = t2] =
Pra,b[ Pm1(a)-‐Pm2(a)=t1-‐t2 and Pm2(a)+b=t2 ] ≤ L/q2 ∎

⇒ given valid (m2,t2) , adv. outputs (m1,t1) and is right with prob. ≤ L/q
Dan Boneh
One-‐>me MAC ⇒ Many-‐>me MAC
Let (S,V) be a secure one-‐>me MAC over (KI,M, {0,1}n ) .
Let F: KF × {0,1}n ⟶ {0,1}n be a secure PRF.
slow but fast
short inp long inp
Carter-‐Wegman MAC: CW( (k1,k2), m) = (r, F(k1,r) ⨁ S(k2,m) )

for random r ⟵ {0,1}n .

Thm: If (S,V) is a secure one-‐Ame MAC and F a secure PRF
then CW is a secure MAC outpuung tags in {0,1}2n .
Dan Boneh
CW( (k1,k2), m) = (r, F(k1,r) ⨁ S(k2,m) )
How would you verify a CW tag (r, t) on message m ?
Recall that V(k2,m,.) is the verifica>on alg. for the one >me MAC.
Run V( k2, m, F(k1, t) ⨁r) )

Run V( k2, m, r )
Run V( k2, m, t )
Run V( k2, m, F(k1, r) ⨁ t) )
Construc>on 4: HMAC (Hash-‐MAC)
Most widely used MAC on the Internet.
… but, we first we need to discuss hash func>on.
Dan Boneh
Further reading
•  J. Black, P. Rogaway: CBC MACs for Arbitrary-‐Length Messages: The Three-‐
Key Construc>ons. J. Cryptology 18(2): 111-‐131 (2005)
•  K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-‐179

•  J. Black, P. Rogaway: A Block-‐Cipher Mode of Opera>on for Parallelizable
Message Authen>ca>on. EUROCRYPT 2002: 384-‐397
•  M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-‐
Resistance. CRYPTO 2006: 602-‐619
•  Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Opera>on for Block
Ciphers and Length-‐Preserving MACs. EUROCRYPT 2008: 198-‐219
Dan Boneh
End of Segment
Dan Boneh
Collision resistance
Introduc3on
Dan Boneh
Recap: message integrity
So far, four MAC construc3ons:
ECBC-‐MAC, CMAC : commonly used with AES (e.g. 802.11i)
PRFs NMAC : basis of HMAC (this segment)
PMAC: a parallel MAC
randomized
MAC Carter-‐Wegman MAC: built from a fast one-‐3me MAC
This module: MACs from collision resistance.

Dan Boneh
Collision Resistance
Let H: M →T be a hash func3on ( |M| >> |T| )
A collision for H is a pair m0 , m1 ∈ M such that:

H(m0) = H(m1) and m0 ≠ m1
A func3on H is collision resistant if for all (explicit) “eff” algs. A:
AdvCR[A,H] = Pr[ A outputs collision for H]
is “neg”.
Example: SHA-‐256 (outputs 256 bits)

Dan Boneh
MACs from Collision Resistance
Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES)
Let H: Mbig → M
Def: Ibig = (Sbig , Vbig ) over (K, Mbig, T) as:
Sbig(k,m) = S(k,H(m)) ; Vbig(k,m,t) = V(k,H(m),t)
Thm: If I is a secure MAC and H is collision resistant

then Ibig is a secure MAC.
Example: S(k,m) = AES2-‐block-‐cbc(k, SHA-‐256(m)) is a secure MAC.

Dan Boneh
MACs from Collision Resistance
Sbig(k, m) = S(k, H(m)) ; Vbig(k, m, t) = V(k, H(m), t)
Collision resistance is necessary for security:
Suppose adversary can find m0 ≠ m1 s.t. H(m0) = H(m1).
Then: Sbig is insecure under a 1-‐chosen msg a]ack

step 1: adversary asks for t ⟵S(k, m0)
step 2: output (m1 , t) as forgery
Dan Boneh
Protec3ng file integrity using C.R. hash
So`ware packages: read-‐only
package name package name package name public space
F1 F2 ⋯ Fn H(F1)
H(F2)
H(Fn)
When user downloads package, can verify that contents are valid
H collision resistant ⇒
a]acker cannot modify package without detec3on
no key needed (public verifiability), but requires read-‐only space
Dan Boneh
End of Segment
Dan Boneh
Generic birthday a]ack
Dan Boneh
Generic a]ack on C.R. func3ons
Let H: M → {0,1}n be a hash func3on ( |M| >> 2n )
Generic alg. to find a collision in Lme O(2n/2) hashes
Algorithm:
1.  Choose 2n/2 random messages in M: m1, …, m2n/2 (dis3nct w.h.p )
2.  For i = 1, …, 2n/2 compute ti = H(mi) ∈{0,1}n
3.  Look for a collision (ti = tj). If not found, got back to step 1.
How well will this work?

Dan Boneh
The birthday paradox
Let r1, …, rn ∈ {1,…,B} be indep. iden3cally distributed integers.
Thm: when n= 1.2 × B1/2 then Pr[ ∃i≠j: ri = rj ] ≥ ½

Proof: (for uniform indep. r1, …, rn )
Dan Boneh
B=106
# samples n
Dan Boneh
Generic a]ack
H: M → {0,1}n . Collision finding algorithm:
1.  Choose 2n/2 random elements in M: m1, …, m2n/2
2.  For i = 1, …, 2n/2 compute ti = H(mi) ∈{0,1}n
3.  Look for a collision (ti = tj). If not found, got back to step 1.

Expected number of itera3on ≈ 2

Running 3me: O(2n/2) (space O(2n/2) )
Dan Boneh
Sample C.R. hash func3ons: Crypto++ 5.6.0 [ Wei Dai ]
digest generic
func3on size (bits) Speed (MB/sec) a]ack 3me
NIST standards
SHA-‐1 160 153 280

SHA-‐256 256 111 2128
SHA-‐512 512 99 2256
Whirlpool 512 57 2256
* best known collision finder for SHA-‐1 requires 251 hash evalua3ons
Dan Boneh
Quantum Collision Finder
Classical Quantum
algorithms algorithms
Block cipher
E: K × X ⟶ X O( |K| ) O( |K|1/2 )
exhaus3ve search
Hash func3on
H: M ⟶ T O( |T|1/2 ) O( |T|1/3 )
collision finder
Dan Boneh
End of Segment
Dan Boneh
The Merkle-‐Damgard
Paradigm
Dan Boneh
Collision resistance: review
Let H: M →T be a hash func3on ( |M| >> |T| )
A collision for H is a pair m0 , m1 ∈ M such that:

H(m0) = H(m1) and m0 ≠ m1

Goal: collision resistant (C.R.) hash func3ons

Step 1: given C.R. func3on for short messages,
construct C.R. func3on for long messages
Dan Boneh
The Merkle-‐Damgard iterated construc3on
m[0] m[1] m[2] m[3] ll PB
IV H(m)
(fixed) H0 h H1 h H2 h H3 h H4
Given h: T × X ⟶ T (compression func3on)
we obtain H: X≤L ⟶ T . Hi -‐ chaining variables

1000…0 ll msg len If no space for PB
PB: padding block
add another block
64 bits Dan Boneh
MD collision resistance
Thm: if h is collision resistant then so is H.
Proof: collision on H ⇒ collision on h
Suppose H(M) = H(M’). We build collision for h.
IV = H0 , H1 , … , Ht , Ht+1 = H(M)
IV = H0’ , H1’ , … , H’r, H’r+1 = H(M’)
h( Ht, Mt ll PB) = Ht+1 = H’r+1 = h(H’r, M’r ll PB’)
Dan Boneh
Suppose Ht = H’r and Mt = M’r and PB = PB’
Then: h( Ht-‐1, Mt-‐1) = Ht = H’t = h(H’t-‐1, M’t-‐1 )
Dan Boneh
⇒ To construct C.R. func3on,
suffices to construct compression func3on
End of Segment
Dan Boneh
Construc3ng Compression
Func3ons
Dan Boneh
m[0] m[1] m[2] m[3] ll PB
IV H(m)
(fixed) h h h h
Thm: h collision resistant ⇒ H collision resistant

Goal: construct compression func3on h: T × X ⟶ T
Dan Boneh
Compr. func. from a block cipher
E: K× {0,1}n ⟶ {0,1}n a block cipher.
The Davies-‐Meyer compression func3on: h(H, m) = E(m, H)⨁H

mi
>
E ⨁
Hi

Thm: Suppose E is an ideal cipher (collec3on of |K| random perms.).
Finding a collision h(H,m)=h(H’,m’) takes O(2n/2) evalua3ons of (E,D).
Best possible !! Dan Boneh

Suppose we define h(H, m) = E(m, H)

Then the resul3ng h(.,.) is not collision resistant:
to build a collision (H,m) and (H’,m’)
choose random (H,m,m’) and construct H’ as follows:
H’=D(m’, E(m,H))
H’=E(m’, D(m,H))
H’=E(m’, E(m,H))
H’=D(m’, D(m,H))
Other block cipher construc3ons
Let E: {0,1}n × {0,1}n ⟶ {0,1}n for simplicity
Miyaguchi-‐Preneel: h(H, m) = E(m, H)⨁H⨁m (Whirlpool)

h(H, m) = E(H⨁m, m)⨁m
total of 12 variants like this

Other natural variants are insecure:
h(H, m) = E(m, H)⨁m (HW)
Dan Boneh
Case study: SHA-‐256
•  Merkle-‐Damgard func3on
•  Davies-‐Meyer compression func3on
•  Block cipher: SHACAL-‐2
512-‐bit key
>
SHACAL-‐2 256-‐bit block
256-‐bit block
Dan Boneh
Provable compression func3ons
Choose a random 2000-‐bit prime p and random 1 ≤ u, v ≤ p .

For m,h ∈ {0,…,p-‐1} define h(H,m) = uH ⋅ vm (mod p)

Fact: finding collision for h(.,.) is as hard as

solving “discrete-‐log” modulo p.

Problem: slow.
Dan Boneh
End of Segment
Dan Boneh
HMAC:
a MAC from SHA-‐256
Dan Boneh
m[0] m[1] m[2] m[3] ll PB
IV H(m)
(fixed) h h h h
Thm: h collision resistant ⇒ H collision resistant

Can we use H(.) to directly build a MAC?
Dan Boneh
MAC from a Merkle-‐Damgard Hash Func3on
H: X≤L ⟶ T a C.R. Merkle-‐Damgard Hash Func3on
A]empt #1: S(k, m) = H( k ll m)
This MAC is insecure because:

Given H( k ll m) can compute H( w ll k ll m ll PB) for any w.
Given H( k ll m) can compute H( k ll m ll w ) for any w.
Given H( k ll m) can compute H( k ll m ll PB ll w ) for any w.
Anyone can compute H( k ll m ) for any m.
Standardized method: HMAC (Hash-‐MAC)
Most widely used MAC on the Internet.
H: hash func3on.

example: SHA-‐256 ; output is 256 bits
Building a MAC out of a hash func3on:
HMAC: S( k, m ) = H( k⊕opad ll H( k⊕ipad ll m ) )

Dan Boneh
HMAC in pictures
k⨁ipad m[0] m[1] m[2] ll PB
IV >
h > h > h > h
(fixed)
k⨁opad
> tag
h > h
IV
(fixed)
Similar to the NMAC PRF.

main difference: the two keys k1, k2 are dependent Dan Boneh
HMAC proper3es
Built from a black-‐box implementa3on of SHA-‐256.

HMAC is assumed to be a secure PRF
•  Can be proven under certain PRF assump3ons about h(.,.)
•  Security bounds similar to NMAC
–  Need q2/|T| to be negligible ( q << |T|½ )

In TLS: must support HMAC-‐SHA1-‐96
Dan Boneh
End of Segment
Dan Boneh
Timing a]acks on MAC

verifica3on
Dan Boneh
Warning: verifica3on 3ming a]acks [L’09]
Example: Keyczar crypto library (Python) [simplified]
def Verify(key, msg, sig_bytes):

return HMAC(key, msg) == sig_bytes

The problem: ‘==‘ implemented as a byte-‐by-‐byte comparison
•  Comparator returns false when first inequality found
Dan Boneh
Warning: verifica3on 3ming a]acks [L’09]
m , tag
target k
msg m accept or reject
Timing a]ack: to compute tag for target message m do:

Step 1: Query server with random tag
Step 2: Loop over all possible first bytes and query server.
stop when verifica3on takes a li]le longer than in step 1
Step 3: repeat for all tag bytes un3l valid tag found
Dan Boneh
Defense #1
Make string comparator always take same 3me (Python) :
return false if sig_bytes has wrong length

result = 0
for x, y in zip( HMAC(key,msg) , sig_bytes):
result |= ord(x) ^ ord(y)
return result == 0

Can be difficult to ensure due to op3mizing compiler.
Dan Boneh
Defense #2
Make string comparator always take same 3me (Python) :
def Verify(key, msg, sig_bytes):

mac = HMAC(key, msg)
return HMAC(key, mac) == HMAC(key, sig_bytes)

A]acker doesn’t know values being compared
Dan Boneh
Lesson

Don’t implement crypto yourself !
Dan Boneh
End of Segment
Dan Boneh
Authen,cated Encryp,on
Ac,ve a4acks on

CPA-‐secure encryp,on
Dan Boneh
Recap: the story so far
Confiden'ality: seman,c security against a CPA a4ack
•  Encryp,on secure against eavesdropping only
Integrity:
•  Existen,al unforgeability under a chosen message a4ack
•  CBC-‐MAC, HMAC, PMAC, CW-‐MAC
This module: encryp,on secure against tampering

•  Ensuring both confiden,ality and integrity
Dan Boneh
Sample tampering a4acks
TCP/IP: (highly abstracted)
WWW
port = 80
packet
dest = 80 data
source machine
TCP/IP
stack Bob
port = 25
des,na,on machine
Dan Boneh
Sample tampering a4acks
IPsec: (highly abstracted)
WWW
TCP/IP port = 80
packet stack
dest = 80 data
stuff
dest = 25 stuff

k
k
packets encrypted Bob
port = 25
using key k
Dan Boneh
Reading someone else’s data
Note: a4acker obtains decryp,on of any ciphertext
beginning with “dest=25”
WWW
IV, dest = 80 data port = 80
Bob:
k IV’, dest = 25 data
k
Bob
Easy to do for CBC with rand. IV port = 25
(only IV is changed)

Dan Boneh
IV , dest = 80 data IV’ , dest = 25 data
Encryp,on is done with CBC with a random IV.

What should IV’ be? m[0] = D(k, c[0]) ⨁ IV = “dest=80…”
IV’ = IV ⨁ (…25…)

IV’ = IV ⨁ (…80…)
IV’ = IV ⨁ (…80…) ⨁ (…25…)
It can’t be done
An a4ack using only network access
Remote terminal app.: each keystroke encrypted with CTR mode
TCP/IP packet
k
IP hdr TCP hdr T D
k 16 bit TCP checksum 1 byte keystroke
for all t, s send: IP hdr TCP hdr ⨁ t ⨁ s
ACK if valid checksum, nothing otherwise
{ checksum(hdr, D) = t ⨁ checksum(hdr, D⨁s) } ⇒ can find D

Dan Boneh
The lesson
CPA security cannot guarantee secrecy under ac,ve a4acks.

Only use one of two modes:
•  If message needs integrity but no confiden,ality:
use a MAC
•  If message needs both integrity and confiden,ality:
use authen'cated encryp'on modes (this module)
Dan Boneh
End of Segment
Dan Boneh
Defini,ons
Dan Boneh
Goals
An authen'cated encryp'on system (E,D) is a cipher where
As usual: E: K × M × N ⟶ C
but D: K × C × N ⟶ M ∪{⊥}

ciphertext
Security: the system must provide is rejected
•  sem. security under a CPA a4ack, and
•  ciphertext integrity:
a4acker cannot create new ciphertexts that decrypt properly
Dan Boneh
Ciphertext integrity
Let (E,D) be a cipher with message space M.

m1 ∈ M m2 , …, mq
Chal. Adv.
k←K c1 ← E(k,m1) c2 , …, cq

c
b

b=1 if D(k,c) ≠⊥ and c ∉ { c1 , … , cq }

b=0 otherwise
Def: (E,D) has ciphertext integrity if for all “efficient” A:
AdvCI[A,E] = Pr[Chal. outputs 1] is “negligible.”
Dan Boneh
Authen,cated encryp,on
Def: cipher (E,D) provides authen'cated encryp'on (AE) if it is
(1) seman,cally secure under CPA, and
(2) has ciphertext integrity

Bad example: CBC with rand. IV does not provide AE
•  D(k,⋅) never outputs ⊥, hence adv. easily wins CI game
Dan Boneh
Implica,on 1: authen,city
A4acker cannot fool Bob into thinking a
message was sent from Alice
m1 , …, mq c
Alice Bob
ci = E(k, mi)
k k
Cannot create
valid c ∉ { c1, …, cq }
⇒ if D(k,c) ≠⊥ Bob knows message is from someone who knows k
(but message could be a replay)
Dan Boneh
Implica,on 2

Authen,cated encryp,on ⇒

Security against chosen ciphertext aCacks
(next segment)
Dan Boneh
End of Segment
Dan Boneh
Chosen ciphertext
a4acks
Dan Boneh
Example chosen ciphertext a4acks
Adversary has ciphertext c that it wants to decrypt
•  O]en, adv. can fool server into decryp,ng certain ciphertexts (not c)

dest = 25 data data
•  O]en, adversary can learn par,al informa,on about plaintext
TCP/IP packet ACK

if valid
checksum
Dan Boneh
Chosen ciphertext security

Adversary’s power: both CPA and CCA
•  Can obtain the encryp,on of arbitrary messages of his choice
•  Can decrypt any ciphertext of his choice, other than challenge
(conserva,ve modeling of real life)

Adversary’s goal: Break sema,c security
Dan Boneh
Chosen ciphertext security: defini,on
E = (E,D) cipher defined over (K,M,C). For b=0,1 define EXP(b):
Chal. for i=1,…,q: Adv.

b (1) CPA query:
k←K
mi,0 , mi,1 ∈ M : |mi,0| = |mi,1|
ci ← E(k, mi,b)

(2) CCA query:
ci ∈ C : ci ∉ {c1, …, ci-‐1}
mi ← D(k, ci) b’ ∈ {0,1}
Dan Boneh
Chosen ciphertext security: defini,on
E is CCA secure if for all “efficient” A:
AdvCCA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.”
Example: CBC with rand. IV is not CCA-‐secure
m0 , m1 : |m0| = |m1|=1

Chal. Adv.
b c ← E(k, mb) = (IV, c[0])
k←K
c’ = (IV⨁1, c[0])
b
D(k, c’) = mb⨁1
Dan Boneh
Authen,cated enc. ⇒ CCA security
Thm: Let (E,D) be a cipher that provides AE.
Then (E,D) is CCA secure !

In par,cular, for any q-‐query eff. A there exist eff. B1, B2 s.t.
AdvCCA[A,E] ≤ 2q⋅AdvCI[B1,E] + AdvCPA[B2,E]
Dan Boneh
Proof by pictures
Chal. CPA query: mi,0 , mi,1 Adv. Chal. CPA query: mi,0 , mi,1 Adv.
ci=E(k,mi,0) ci=E(k,mi,0)
k←K k←K
CCA query: ci ≈p CCA query: ci
D(k,ci) ⊥
≈p ≈p
Chal. CPA query: mi,0 , mi,1 Adv. Chal. CPA query: mi,0 , mi,1 Adv.
k←K ci=E(k,mi,1)
≈p k←K
ci=E(k,mi,1)
CCA query: ci CCA query: ci

D(k,ci) ⊥
Dan Boneh
So what?
Authen,cated encryp,on:
•  ensures confiden,ality against an ac,ve adversary
that can decrypt some ciphertexts

Limita,ons:
•  does not prevent replay a4acks
•  does not account for side channels (,ming)
Dan Boneh
End of Segment
Dan Boneh
Construc,ons from
ciphers and MACs
Dan Boneh
… but first, some history
Authen,cated Encryp,on (AE): introduced in 2000 [KY’00, BN’00]

Crypto APIs before then: (e.g. MS-‐CAPI)
•  Provide API for CPA-‐secure encryp,on (e.g. CBC with rand. IV)
•  Provide API for MAC (e.g. HMAC)

Every project had to combine the two itself without
a well defined goal
•  Not all combina,ons provide AE …
Dan Boneh
Combining MAC and ENC (CCA)
Encryption key kE. MAC key = kI
Op,on 1: (SSL) S(kI, m) E(kE , mlltag)

msg m msg m tag

Op,on 2: (IPsec) S(kI, c)
E(kE, m)
always msg m tag
correct
Op,on 3: (SSH) E(kE , m) S(kI, m)

msg m tag
Dan Boneh
A.E. Theorems
Let (E,D) be CPA secure cipher and (S,V) secure MAC. Then:

1.  Encrypt-‐then-‐MAC: always provides A.E.
2.  MAC-‐then-‐encrypt: may be insecure against CCA a4acks

however: when (E,D) is rand-‐CTR mode or rand-‐CBC
M-‐then-‐E provides A.E.
for rand-‐CTR mode, one-‐,me MAC is sufficient
Dan Boneh
Standards (at a high level)
•  GCM: CTR mode encryp,on then CW-‐MAC
(accelerated via Intel’s PCLMULQDQ instruc,on)
•  CCM: CBC-‐MAC then CTR mode encryp,on (802.11i)
•  EAX: CTR mode encryp,on then CMAC
All support AEAD: (auth. enc. with associated data). All are nonce-‐based.
encrypted
associated data encrypted data

authen,cated
Dan Boneh
An example API (OpenSSL)
int AES_GCM_Init(AES_GCM_CTX *ain,
unsigned char *nonce, unsigned long noncelen,
unsigned char *key, unsigned int klen )

int AES_GCM_EncryptUpdate(AES_GCM_CTX *a,
unsigned char *aad, unsigned long aadlen,
unsigned char *data, unsigned long datalen,
unsigned char *out, unsigned long *outlen)
Dan Boneh
MAC Security -‐-‐ an explana,on
Recall: MAC security implies (m , t) ⇏
(m , t’ )
Why? Suppose not: (m , t) ⟶ (m , t’)
Then Encrypt-‐then-‐MAC would not have Ciphertext Integrity !!
m0, m1
Chal. Adv.
b c ← E(k, mb) = (c0, t) (c0, t)
k←K
c’ = (c0 , t’ ) ≠ c
(c0, t’) b
D(k, c’) = mb
Dan Boneh
OCB: a direct construc,on from a PRP
More efficient authenticated encryption: one E() op. per block.
m[0] m[1] m[2] m[3] checksum
P(N,k,0) ⊕ P(N,k,1) ⊕ P(N,k,2) ⊕ P(N,k,3) ⊕ P(N,k,0) ⊕

E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅) E(k,⋅)
P(N,k,0) ⊕ P(N,k,1) ⊕ P(N,k,2) ⊕ P(N,k,3) ⊕ auth ⊕

c[0] c[1] c[2] c[3] c[4]
Dan Boneh
code Speed
Cipher size (MB/sec)
AES/GCM large ** 108 AES/CTR 139
AES/CCM smaller 61 AES/CBC 109
AES/EAX smaller 61
AES/CMAC 109
AES/OCB 129* HMAC/SHA1 147
* extrapolated from Ted Kravitz’s results ** non-‐Intel machines
Dan Boneh
End of Segment
Dan Boneh
Case study: TLS
Dan Boneh
The TLS Record Protocol (TLS 1.2)
HDR TLS record
kb⇾s , ks⇾b kb⇾s , ks⇾b

Unidirec,onal keys: kb⇾s and ks⇾b
Stateful encryp,on:
•  Each side maintains two 64-‐bit counters: ctrb⇾s , ctrs⇾b
•  Init. to 0 when session started. ctr++ for every record.
•  Purpose: replay defense
Dan Boneh
TLS record: encryp,on (CBC AES-‐128, HMAC-‐SHA1)
type ll ver ll len
kb⇾s = (kmac , kenc)
data

tag pad
Browser side enc(kb⇾s , data, ctrb⇾s ) :

step 1: tag ⟵ S( kmac , [ ++ctrb⇾s ll header ll data] )
step 2: pad [ header ll data ll tag ] to AES block size
step 3: CBC encrypt with kenc and new random IV
step 4: prepend header
Dan Boneh
TLS record: decryp,on (CBC AES-‐128, HMAC-‐SHA1)
Server side dec(kb⇾s , record, ctrb⇾s ) :
step 1: CBC decrypt record using kenc
step 2: check pad format: send bad_record_mac if invalid
step 3: check tag on [ ++ctrb⇾s ll header ll data]
send bad_record_mac if invalid

Provides authen,cated encryp,on
(provided no other info. is leaked during decryp,on)
Dan Boneh
Bugs in older versions (prior to TLS 1.1)
IV for CBC is predictable: (chained IV)
IV for next record is last ciphertext block of current record.
Not CPA secure. (a prac,cal exploit: BEAST a4ack)
Padding oracle: during decryp,on

if pad is invalid send decryption failed alert
if mac is invalid send bad_record_mac alert
⇒ a4acker learns info. about plaintext (a4ack in next segment)
Lesson: when decryp,on fails, do not explain why
Dan Boneh
Leaking the length
The TLS header leaks the length of TLS records
•  Lengths can also be inferred by observing network traffic
For many web applica,ons, leaking lengths reveals sensi,ve info:

•  In tax prepara,on sites, lengths indicate the type of return being
filed which leaks informa,on about the user’s income
•  In healthcare sites, lengths leaks what page the user is viewing
•  In Google maps, lengths leaks the loca,on being requested
No easy solu,on
Dan Boneh
802.11b WEP: how not to do it
802.11b WEP:
m CRC(m)
k PRG( IV ll k ) k

IV ciphetext

Previously discussed problems:
two ,me pad and related PRG seeds
Dan Boneh
Ac,ve a4acks
Fact: CRC is linear, i.e. ∀m,p: CRC( m ⨁ p) = CRC(m) ⨁ F(p)
WEP ciphertext: IV dest-‐port = 80 data CRC

⨁
a4acker: 000…….00…..XX…0000… F(XX)
XX = 25⨁80 IV dest-‐port = 25 data CRC’
Upon decryp,on: CRC is valid, but ciphertext is changed !!
Dan Boneh
End of Segment
Dan Boneh
CBC paddings a4acks
Dan Boneh
Recap
Authen'cated encryp'on: CPA security + ciphertext integrity
•  Confiden,ality in presence of ac've adversary
•  Prevents chosen-‐ciphertext a4acks
Limita,on: cannot help bad implementa,ons … (this segment)

Authen,cated encryp,on modes:
•  Standards: GCM, CCM, EAX
•  General construc,on: encrypt-‐then-‐MAC
Dan Boneh
The TLS record protocol (CBC encryp,on)
Decryp,on: dec(kb⇾s , record, ctrb⇾s ) :
step 1: CBC decrypt record using kenc
step 2: check pad format: abort if invalid
step 3: check tag on [ ++ctrb⇾s ll header ll data]
abort if invalid
type ll ver ll len
Two types of error:
data
•  padding error
•  MAC error tag pad
Dan Boneh
Padding oracle
Suppose a4acker can differen,ate the two errors
(pad error, MAC error):
⇒ Padding oracle:
a4acker submits ciphertext and learns if
last bytes of plaintext are a valid pad
type ll ver ll len
Nice example of a data

chosen ciphertext aCack
tag pad
Dan Boneh
Padding oracle via ,ming OpenSSL
Credit: Brice Canvel
(fixed in OpenSSL 0.9.7a)
In older TLS 1.0: padding oracle due to different alert messages.
Dan Boneh
Using a padding oracle (CBC encryp,on)
A4acker has ciphertext c = (c[0], c[1], c[2]) and it wants m[1]
IV c[0] c[1] c[2]
D(k,⋅) D(k,⋅) D(k,⋅)

⊕ ⊕ ⊕
m[0] m[1] m[2] ll pad
Dan Boneh
step 1: let g be a guess for the last byte of m[1]
IV c[0] c[1]
⨁ g ⨁ 0x01
D(k,⋅) D(k,⋅)
= last-‐byte ⨁ g ⨁ 0x01
⊕ ⊕
m[0] m[1]
if last-‐byte = g: valid pad
otherwise: invalid pad
Dan Boneh
A4ack: submit ( IV, c’[0], c[1] ) to padding oracle
⇒ a4acker learns if last-‐byte = g

Repeat with g = 0,1, …, 255 to learn last byte of m[1]

Then use a (02, 02) pad to learn the next byte and so on …
Dan Boneh
IMAP over TLS
Problem: TLS renego,ates key when an invalid record is received

Enter IMAP over TLS: (protocol for reading email)
•  Every five minutes client sends login message to server:

LOGIN "username” "password”
•  Exact same a4ack works, despite new keys

⇒ recovers password in a few hours.
Dan Boneh
Lesson

1. Encrypt-‐then-‐MAC would completely avoid this problem:

MAC is checked first and ciphertext discarded if invalid

2. MAC-‐then-‐CBC provides A.E., but padding oracle destroys it
Dan Boneh
Will this a4ack work if TLS used counter mode instead of CBC?
(i.e. use MAC-‐then-‐CTR )
Yes, padding oracles affect all encryp,on schemes

It depends on what block cipher is used
No, counter mode need not use padding
End of Segment
Dan Boneh
A4acking non-‐atomic
decryp,on
SSH Binary Packet Protocol
CBC encryp,on (chained IV)
seq. packet pad MAC
payload pad
num. len. len. tag
MAC computed
over plaintext
Decryp,on:
•  step 1: decrypt packet length field only (!)
•  step 2: read as many packets as length specifies
•  step 3: decrypt remaining ciphertext blocks
•  step 4: check MAC tag and send error response if invalid
Dan Boneh
An a4ack on the enc. length field (simplified)
A4acker has one ciphertext block c = AES(k, m) and it wants m
one AES block
seq.
num.
c
k
decrypt
and obtain
len “len” field
send bytes one at a ,me
when “len” bytes read:

server sends “MAC error”
a4acker learns 32 LSB bits of m !!
Dan Boneh
Lesson
The problem: (1) non-‐atomic decrypt
(2) len field decrypted and used before it is authen,cated
How would you redesign SSH to resist this a4ack?
Send the length field unencrypted (but MAC-‐ed)

Replace encrypt-‐and-‐MAC by encrypt-‐then-‐MAC
Add a MAC of (seq-‐num, length) right a]er the len field
Remove the length field and iden,fy packet boundary
by verifying the MAC a]er every received byte
Further reading
•  The Order of Encryp,on and Authen,ca,on for Protec,ng
Communica,ons, H. Krawczyk, Crypto 2001.
•  Authen,cated-‐Encryp,on with Associated-‐Data,
P. Rogaway, Proc. of CCS 2002.
•  Password Intercep,on in a SSL/TLS Channel,
B. Canvel, A. Hiltgen, S. Vaudenay, M. Vuagnoux, Crypto 2003.
•  Plaintext Recovery A4acks Against SSH,
M. Albrecht, K. Paterson and G. Watson, IEEE S&P 2009
•  Problem areas for the IP security protocols,
S. Bellovin, Usenix Security 1996.
Dan Boneh
End of Segment
Dan Boneh
Odds and ends
Key Deriva1on
Dan Boneh
Deriving many keys from one
Typical scenario. a single source key (SK) is sampled from:
•  Hardware random number generator
•  A key exchange protocol (discussed later)
Need many keys to secure session:

•  unidirec1onal keys; mul1ple keys for nonce-‐based CBC.
Goal: generate many keys from this one source key
SK k1, k2, k3, …

KDF
Dan Boneh
When source key is uniform
F: a PRF with key space K and outputs in {0,1}n

Suppose source key SK is uniform in K

•  Define Key Deriva1on Func1on (KDF) as:
KDF( SK, CTX, L) :=
F(SK, (CTX ll 0)) ll F(SK, (CTX ll 1)) ll ⋯ ll F(SK, (CTX ll L))

CTX: a string that uniquely iden1fies the applica1on
Dan Boneh
KDF( SK, CTX, L) :=
F(SK, (CTX ll 0)) ll F(SK, (CTX ll 1)) ll ⋯ ll F(SK, (CTX ll L))
What is the purpose of CTX?
Even if two apps sample same SK they get indep. keys
It’s good prac1ce to label strings with the app. name
It serves no purpose
What if source key is not uniform?
Recall: PRFs are pseudo random only when key is uniform in K
•  SK not uniform ⇒ PRF output may not look random
Source key oXen not uniformly random:

•  Key exchange protocol: key uniform in some subset of K
•  Hardware RNG: may produce biased output
Dan Boneh
Extract-‐then-‐Expand paradigm
Step 1: extract pseudo-‐random key k from source key SK
prob
prob
extractor
SK k

salt

salt: a fixed non-‐secret string chosen at random

step 2: expand k by using it as a PRF key as before
Dan Boneh
HKDF: a KDF from HMAC

Implements the extract-‐then-‐expand paradigm:

•  extract: use k ⟵ HMAC( salt, SK )
•  Then expand using HMAC as a PRF with key k
Dan Boneh
Password-‐Based KDF (PBKDF)
Deriving keys from passwords:
•  Do not use HKDF: passwords have insufficient entropy
•  Derived keys will be vulnerable to dic1onary aaacks
(more on this later)
PBKDF defenses: salt and a slow hash funcJon

Standard approach: PKCS#5 (PBKDF1)
H(c)(pwd ll salt): iterate hash func1on c 1mes

Dan Boneh
End of Segment
Dan Boneh
Odds and ends
Determinis1c Encryp1on
Dan Boneh
The need for det. Encryp1on (no nonce)
Alice data ??
k1, k2 Bob data

⋮
encrypted
database
Dan Boneh
The need for det. Encryp1on (no nonce)
??
Alice data
k1, k2 Bob data
, “A lic e ”) ⋮
Later: o rd E(k 1
i eve rec encrypted
Retr database
data
Alice
det. enc. enables later lookup
Dan Boneh
Problem: det. enc. cannot be CPA secure
The problem: aaacker can tell when two ciphertexts
encrypt the same message ⇒ leaks informa1on
Leads to significant aaacks when message space M is small.
equal ciphertexts
means same index
Dan Boneh
Problem: det. enc. cannot be CPA secure
The problem: aaacker can tell when two ciphertexts
encrypt the same message ⇒ leaks informa1on
Aaacker wins CPA game:
b Chal.
m0 , m0 ∈ M
Adv.
c0 ←E(k, m0)
k←K
m0 , m1 ∈ M
output 0
Dan Boneh
A solu1on: the case of unique messages
Suppose encryptor never encrypts same message twice:
the pair (k , m) never repeats

This happens when encryptor:
•  Chooses messages at random from a large msg space (e.g. keys)
•  Message structure ensures uniqueness (e.g. unique user ID)
Dan Boneh
Determinis1c CPA security
for i=1,…,q:
b Chal. Adv.
k←K mi,0 , mi,1 ∈ M : |mi,0| = |mi,1|
ci ← E(k, mi,b) b’ ∈ {0,1}
where m1,0, …, mq,0 are dis1nct and m1,1, …, mq,1 are dis1nct
Def: E is sem. sec. under det. CPA if for all efficient A:
AdvdCPA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.
Dan Boneh
A Common Mistake
CBC with fixed IV is not det. CPA secure.
Let E: K × {0,1}n ⟶ {0,1}n be a secure PRP used in CBC
b 0n 1n , 0n 1n

Chal. Adv.
c1 ← [ FIV, E(k, 0n⨁FIV) , …]
k←K
m0=0n , m1 = 1n
output 0
c ← [ FIV, E(k, FIV) ] or
if c[1] = c1[1]
c ← [ FIV, E(k, 1n⨁FIV) ]
Leads to significant aaacks in prac1ce.

Dan Boneh
Is counter mode with a fixed IV det. CPA secure?
message
⨁
F(k, FIV) ll F(k, FIV+1) ll … ll F(k, FIV+L)
ciphertext
Yes
b
No m , m
Adv.
Chal.
c ←m⨁F(k, FIV)
It depends k←K
m0 , m1 output 0 if
c’ ← mb⨁F(k, FIV) c⨁c’=m⨁m0
End of Segment
Dan Boneh
Odds and ends
Determinis1c Encryp1on
Construc1ons:
SIV and wide PRP
Dan Boneh
Determinis1c encryp1on
Needed for maintaining an encrypted database index
•  Lookup records by encrypted index
Determinis1c CPA security:

•  Security if never encrypt same message twice using same key:
the pair (key , msg) is unique

Formally: we defined determinis1c CPA security game

Dan Boneh
Construc1on 1: Synthe1c IV (SIV)
Let (E, D) be a CPA-‐secure encryp1on. E(k, m ; r) ⟶ c
Let F:K × M ⟶ R be a secure PRF
Define: Edet( (k1,k2) , m) =
Thm: Edet is sem. sec. under det. CPA .

Proof sketch: dis1nct msgs. ⇒ all r’s are indist. from random

Well suited for messages longer than one AES block (16 bytes)
Dan Boneh
Ensuring ciphertext integrity
Goal: det. CPA security and ciphertext integrity
⇒ DAE: determinisJc authenJcated encrypJon
Consider a SIV special case: SIV-‐CTR
SIV where cipher is counter mode with rand. IV
PRF F message
k1
CTR mode with PRF Fctr k2
Fctr(k2, IV) ll Fctr(k2, IV+1) ll … ll Fctr(k2, IV+L)
IV ciphertext
Dan Boneh
Det. Auth. Enc. (DAE) for free
DecrypJon: IV ciphertext

CTR mode with PRF Fctr k2
Fctr(k2,IV) ll Fctr(k2, IV+1) ll … ll Fctr(k2,IV+L)
k1 PRF F

message

if ≠IV output ⊥

Thm: if F is a secure PRF and CTR from Fctr is CPA-‐secure
then SIV-‐CTR from F, Fctr provides DAE
Dan Boneh
Construc1on 2: just use a PRP
Let (E, D) be a secure PRP. E: K × X ⟶ X
Thm: (E,D) is sem. sec. under det. CPA .

Proof sketch: let f: X ⟶ X be a truly random inver1ble func.
in EXP(0) adv. sees: f(m1,0), …, f(mq,0) q random values in X
in EXP(1) adv. sees: f(m1,1), …, f(mq,1)

Using AES: Det. CPA secure encryp1on for 16 byte messages.
Longer messages?? Need PRPs on larger msg spaces …
Dan Boneh
EME: construc1ng a wide block PRP
Let (E, D) be a secure PRP. E: K × {0,1}n ⟶ {0,1}n
EME: a PRP on {0,1}N for N ⨠ n x[0] x[1] x[2]
⨁ ⨁ ⨁
E E E
E ⨁ ⨁
⨁
E E E
⨁ ⨁ ⨁
Performance: y[0] y[1] y[2]

•  can be 2x slower then SIV
Dan Boneh
PRP-‐based Det. Authen1cated Enc.
Goal: det. CPA security and ciphertext integrity
⇒ DAE: determinisJc authenJcated encrypJon
EncrypJon: DecrypJon:
80
message 00000 ciphertext
E(k, ⋅) D(k, ⋅) if ≠080 output ⊥
ciphertext message ………
Dan Boneh
PRP-‐based Det. Authen1cated Enc.
Let (E, D) be a secure PRP. E: K × (X×{0,1}n) ⟶ X×{0,1}n
Thm: 1/2n is negligible ⇒ PRP-‐based enc. provides DAE
Proof sketch: suffices to prove ciphertext integrity

x1, … , xq ∈ X
Chal. Adv.
π (x1 0n), …, π(xq 0n)
π⟵Perms[X×{0,1}n]
c ∉ { π (x1 0n), …, π(xq 0n) }

But then Pr[ LSBn( π-‐1(c) ) = 0n ] ≤ 1/2n Dan Boneh
End of Segment
Dan Boneh
Odds and ends
Tweakable encryp1on
Dan Boneh
Disk encryp1on: no expansion
Sectors on disk are fixed size (e.g. 4KB)
⇒ encryp1on cannot expand plaintext (i.e. M = C)
⇒ must use determinis1c encryp1on, no integrity

Lemma: if (E, D) is a det. CPA secure cipher with M=C
then (E, D) is a PRP.

⇒ every sector will need to be encrypted with a PRP
Dan Boneh
sector 1 sector 2 sector 3
PRP(k, ⋅) PRP(k, ⋅) PRP(k, ⋅)
Problem: sector 1 and sector 3 may have same content

•  Leaks same informa1on as ECB mode

Can we do beaer?
Dan Boneh
PRP(k1, ⋅) PRP(k2, ⋅) PRP(k3, ⋅)
Avoids previous leakage problem

•  … but aaacker can tell if a sector is changed and then reverted
Managing keys: the trivial construc1on kt = PRF(k, t) , t=1,…,L

Can we do beaer?
Dan Boneh
Tweakable block ciphers
Goal: construct many PRPs from a key k∈K .
Syntax: E , D : K × T × X ⟶ X
for every t∈T and k⟵K:

E(k, t, ⋅) is an inver1ble func. on X, indist. from random

Applica1on: use sector number as the tweak
⇒ every sector gets its own independent PRP
Dan Boneh
Secure tweakable block ciphers
E , D : K × T × X ⟶ X . For b=0,1 define experiment EXP(b) as:
b
b=1: π←(Perms[X])|T|
Chal. Adv. A
b=0: k←K, π[t] ←E(k,t,⋅)
t1, x1 t2, x2 … tq, xq
π
π[t1](x1) π[t2](x2) … π[tq](xq)
b’ ∈ {0,1}
•  Def: E is a secure tweakable PRP if for all efficient A:
AdvtPRP[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.
Dan Boneh
Example 1: the trivial construc1on
Let (E,D) be a secure PRP, E: K × X ⟶ X .
•  The trivial tweakable construc1on: (suppose K = X)
Etweak(k, t, x) = E( E(k, t), x)

⇒ to encrypt n blocks need 2n evals of E(.,.)
Dan Boneh
2. the XTS tweakable block cipher [R’04]
Let (E,D) be a secure PRP, E: K × {0,1}n ⟶ {0,1}n .
•  XTS: Etweak( (k1,k2), (t,i), x) =

N ⟵E(k2, t)
x
⇒ to encrypt n blocks need n+1 evals of E(.,.)

Dan Boneh
Is it necessary to encrypt the tweak before using it?
That is, is the following a secure tweakable PRP?
x c
Yes, it is secure

No: E(k, (t,1), P(t,2)) ⨁ E(k, (t,2), P(t,1)) = P(t,1)
No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = P(t,1) ⨁ P(t,2)
No: E(k, (t,1), P(t,1)) ⨁ E(k, (t,2), P(t,2)) = 0
Disk encryp1on using XTS
sector # t: block 1 block 2 block n
tweak: tweak: tweak:

(t,1) (t,2) (t,n)
•  note: block-‐level PRP, not sector-‐level PRP.

•  Popular in disk encryp1on products:
Mac OS X-‐Lion, TrueCrypt, BestCrypt, …
Dan Boneh
Summary
•  Use tweakable encryp1on when you need many
independent PRPs from one key
•  XTS is more efficient than the trivial construc1on

–  Both are narrow block: 16 bytes for AES
•  EME (previous segment) is a tweakable mode for wide block

–  2x slower than XTS
Dan Boneh
End of Segment
Dan Boneh
Odds and ends
Format preserving
encryp1on
Dan Boneh
Encryp1ng credit card numbers
Credit card format: bbbb bbnn nnnn nnnc ( ≈ 42 bits )
k
k
POS
terminal
processor #1 processor #2 processor #3 acquiring

bank
Goal: end-‐to-‐end encryp1on
Intermediate processors expect to see a credit card number
⇒ encrypted credit card should look like a credit card
Dan Boneh
Format preserving encryp1on (FPE)
This segment: given 0 < s ≤ 2n, build a PRP on {0,…,s-‐1}
from a secure PRF F: K × {0,1}n ⟶ {0,1}n (e.g. AES)

Then to encrypt a credit card number: (s = total # credit cards)
1.  map given CC# to {0,…,s-‐1}
2.  apply PRP to get an output in {0,…,s-‐1}
3.  map output back a to CC#
Dan Boneh
Step 1: from {0,1}n to {0,1}t (t<n)
Want PRP on {0,…,s-‐1} . Let t be such that 2t-‐1 < s ≤ 2t .
Method: Luby-‐Rackoff with F’: K × {0,1}t/2 ⟶ {0,1}t/2 (truncate F)
t/2 bits R0 R1 R2 R3
F’(k1,⋅ F’(k2,⋅ F’(k3,⋅
) ) )
t/2 bits L0 ⊕ L1 ⊕ L2 ⊕ L3
input output
(beaer to use 7 rounds a la Patarin, Crypto’03)
Dan Boneh
Step 2: from {0,1}t to {0,…,s-‐1}
Given PRP (E,D): K × {0,1}t ⟶ {0,1}t
we build (E’,D’): K × {0,…,s-‐1} ⟶ {0,…,s-‐1}

E’(k, x): on input x ∈ {0,…,s-‐1} do:
y⟵x; do { y ⟵ E(k, y) } un1l y∈ {0,…,s-‐1}; output y
Expected # itera1ons: 2
{0,…,s-‐1} {0,1}t
Dan Boneh
Security
Step 2 is 1ght: ∀A ∃B: PRPadv[A,E] = PRPadv[B,E’]

Intui1on: ∀sets Y ⊆ X, applying the transforma1on to a
random perm. π: X⟶ X
gives a random perm. π': Y ⟶ Y

Step 1: same security as Luby-‐Rackoff construc1on
(actually using analysis of Patarin, Crypto’03)
note: no integrity
Dan Boneh
Further reading
•  Cryptographic Extrac1on and Key Deriva1on: The HKDF Scheme.
H. Krawczyk, Crypto 2010
•  Determinis1c Authen1cated-‐Encryp1on:
A Provable-‐Security Treatment of the Keywrap Problem.
P. Rogaway, T. Shrimp1on, Eurocrypt 2006
•  A Parallelizable Enciphering Mode. S. Halevi, P. Rogaway, CT-‐RSA 2004
•  Efficient Instan1a1ons of Tweakable Blockciphers and Refinements to
Modes OCB and PMAC. P. Rogaway, Asiacrypt 2004
•  How to Encipher Messages on a Small Domain:
Determinis1c Encryp1on and the Thorp Shuffle.
B. Morris, P. Rogaway, T. Stegers, Crypto 2009
Dan Boneh
End of Segment
Dan Boneh
Basic key exchange
Trusted 3rd par7es
Dan Boneh
Key management
Problem: n users. Storing mutual secret keys is difficult

Total: O(n) keys per user
Dan Boneh
A beFer solu7on
Online Trusted 3rd Party (TTP)
TTP
Dan Boneh
Genera7ng keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only.

Bob (kB) Alice (kA) TTP
“Alice wants key with Bob”
choose
random kAB
7cket
kAB kAB (E,D) a CPA-‐secure cipher

Dan Boneh
Genera7ng keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only.

Eavesdropper sees: E(kA, “A, B” ll kAB ) ; E(kB, “A, B” ll kAB )
(E,D) is CPA-‐secure ⇒

eavesdropper learns nothing about kAB
Note: TTP needed for every key exchange, knows all session keys.
(basis of Kerberos system)

Dan Boneh
Toy protocol: insecure against ac7ve aFacks
Example: insecure against replay aFacks

AFacker records session between Alice and merchant Bob
–  For example a book order

AFacker replays session to Bob
–  Bob thinks Alice is ordering another copy of book
Dan Boneh
Key ques7on
Can we generate shared keys without an online trusted 3rd party?

Answer: yes!

Star7ng point of public-‐key cryptography:
•  Merkle (1974), Diffie-‐Hellman (1976), RSA (1977)
•  More recently: ID-‐based enc. (BF 2001), Func7onal enc. (BSW 2011)
Dan Boneh
End of Segment
Dan Boneh
Basic key exchange
Merkle Puzzles
Dan Boneh
Key exchange without an online TTP?
Goal: Alice and Bob want shared key, unknown to eavesdropper
•  For now: security against eavesdropping only (no tampering)
Alice Bob
eavesdropper ??
Can this be done using generic symmetric crypto?

Dan Boneh
Merkle Puzzles (1974)
Answer: yes, but very inefficient

Main tool: puzzles
•  Problems that can be solved with some effort
•  Example: E(k,m) a symmetric cipher with k ∈ {0,1}128
–  puzzle(P) = E(P, “message”) where P = 096 ll b1… b32
–  Goal: find P by trying all 232 possibili7es
Dan Boneh
Merkle puzzles
Alice: prepare 232 puzzles
•  For i=1, …, 232 choose random Pi ∈{0,1}32 and xi, ki ∈{0,1}128
set puzzlei ⟵ E( 096 ll Pi , “Puzzle # xi” ll ki )
•  Send puzzle1 , … , puzzle232 to Bob
Bob: choose a random puzzlej and solve it. Obtain ( xj, kj ) .
•  Send xj to Alice
Alice: lookup puzzle with number xj . Use kj as shared secret
Dan Boneh
In a figure
puzzle1 , … , puzzlen
Alice Bob
xj
kj kj
Alice’s work: O(n) (prepare n puzzles)

Bob’s work: O(n) (solve one puzzle)

Eavesdropper’s work: O( n2 ) (e.g. 264 7me)
Dan Boneh
Impossibility Result
Can we achieve a beFer gap using a general symmetric cipher?
Answer: unknown

But: roughly speaking,
quadra7c gap is best possible if we treat cipher as
a black box oracle [IR’89, BM’09]

Dan Boneh
End of Segment
Dan Boneh
Basic key exchange
The Diffie-‐Hellman
protocol
Dan Boneh
Key exchange without an online TTP?
Goal: Alice and Bob want shared secret, unknown to eavesdropper
Alice Bob
eavesdropper ??
Can this be done with an exponen7al gap?

Dan Boneh
The Diffie-‐Hellman protocol (informally)
Fix a large prime p (e.g. 600 digits)
Fix an integer g in {1, …, p}
Alice Bob
choose random a in {1,…,p-‐1} choose random b in {1,…,p-‐1}
a b
Ba (mod p) = (gb) = = gab (mod p)
kAB = (ga) = Ab (mod p)
Dan Boneh
Security (much more on this later)
Eavesdropper sees: p, g, A=ga (mod p), and B=gb (mod p)

Can she compute gab (mod p) ??

More generally: define DHg(ga, gb) = gab (mod p)

How hard is the DH func7on mod p?
Dan Boneh
How hard is the DH func7on mod p?
Suppose prime p is n bits long.
Best known algorithm (GNFS): run 7me exp( )
Ellip7c Curve
cipher key size modulus size size
80 bits 1024 bits bits
160
128 bits 3072 bits 256
bits
256 bits (AES) 15360 bits bits
512
As a result: slow transi7on away from (mod p) to ellip7c curves
Dan Boneh
Ellip7c curve
Diffie-‐Hellman
Dan Boneh
Insecure against man-‐in-‐the-‐middle
As described, the protocol is insecure against acJve aFacks
Alice MiTM Bob
Dan Boneh
Another look at DH
Facebook
ga gb gc gd
Alice Bob Charlie David

a b c d ⋯
KAC =gac KAC=gac
Dan Boneh
An open problem
Facebook
ga gb gc gd
Alice Bob Charlie David

a b c d ⋯
KABCD KABCD KABCD KABCD
Dan Boneh
End of Segment
Dan Boneh
Basic key exchange
Public-‐key encryp7on
Dan Boneh
Establishing a shared secret
Goal: Alice and Bob want shared secret, unknown to eavesdropper
Alice Bob
eavesdropper ??
This segment: a different approach

Dan Boneh
Public key encryp7on
Alice Bob
E D
Dan Boneh
Def: a public-‐key encryp7on system is a triple of algs. (G, E, D)
•  G(): randomized alg. outputs a key pair (pk, sk)
•  E(pk, m): randomized alg. that takes m∈M and outputs c ∈C
•  D(sk,c): det. alg. that takes c∈C and outputs m∈M or ⊥
Consistency: ∀(pk, sk) output by G :

∀m∈M: D(sk, E(pk, m) ) = m
Dan Boneh
Seman7c Security
For b=0,1 define experiments EXP(0) and EXP(1) as:
pk
b Chal. Adv. A
m0 , m1 ∈ M : |m0| = |m1|
(pk,sk)←G()
c ← E(pk, mb) b’ ∈ {0,1}

EXP(b)
Def: E =(G,E,D) is sem. secure (a.k.a IND-‐CPA) if for all efficient A:
AdvSS [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible

Dan Boneh
Establishing a shared secret
Alice Bob
(pk, sk) ⟵ G()
“Alice”, pk
choose random
x ∈ {0,1}128
Dan Boneh
Security (eavesdropping)
Adversary sees pk, E(pk, x) and wants x ∈M

Seman7c security ⇒
adversary cannot dis7nguish
{ pk, E(pk, x), x } from { pk, E(pk, x), rand∈M }

⇒ can derive session key from x.
Note: protocol is vulnerable to man-‐in-‐the-‐middle

Dan Boneh
Insecure against man in the middle
As described, the protocol is insecure against acJve aFacks
Alice MiTM Bob

(pk, sk) ⟵ G() (pk’, sk’) ⟵ G()
“Alice”, pk
choose random
x ∈ {0,1}128
“Bob”, E(pk, x) “Bob”, E(pk’, x)
Dan Boneh
Public key encryp7on: construc7ons

Construc7ons generally rely on hard problems from
number theory and algebra

Next module:
•  Brief detour to catch up on the relevant background
Dan Boneh
Further readings
•  Merkle Puzzles are Op7mal,
B. Barak, M. Mahmoody-‐Ghidary, Crypto ’09
•  On formal models of key exchange (sec7ons 7-‐9)

V. Shoup, 1999
Dan Boneh
End of Segment
Dan Boneh
Intro. Number Theory
Nota3on
Dan Boneh
Background
We will use a bit of number theory to construct:
•  Key exchange protocols
•  Digital signatures
•  Public-‐key encryp3on
This module: crash course on relevant concepts

More info: read parts of Shoup’s book referenced
at end of module
Dan Boneh
Nota3on
From here on:
•  N denotes a posi3ve integer.
•  p denote a prime.
Nota3on:

Can do addi3on and mul3plica3on modulo N
Dan Boneh
Modular arithme3c
Examples: let N = 12

9 + 8 = 5 in

5 × 7 = 11 in

5 − 7 = 10 in

Arithme3c in works as you expect, e.g x⋅(y+z) = x⋅y + x⋅z in
Dan Boneh
Greatest common divisor
Def: For ints. x,y: gcd(x, y) is the greatest common divisor of x,y
Example: gcd( 12, 18 ) = 6
Fact: for all ints. x,y there exist ints. a,b such that
a⋅x + b⋅y = gcd(x,y)
a,b can be found efficiently using the extended Euclid alg.
If gcd(x,y)=1 we say that x and y are rela5vely prime

Dan Boneh
Modular inversion
Over the ra3onals, inverse of 2 is ½ . What about ?

Def: The inverse of x in is an element y in s.t.

y is denoted x-‐1 .

Example: let N be an odd integer. The inverse of 2 in is
Dan Boneh
Modular inversion
Which elements have an inverse in ?

Lemma: x in has an inverse if and only if gcd(x,N) = 1
Proof:
gcd(x,N)=1 ⇒ ∃ a,b: a⋅x + b⋅N = 1

gcd(x,N) > 1 ⇒ ∀a: gcd( a⋅x, N ) > 1 ⇒ a⋅x ≠ 1 in
Dan Boneh
More nota3on
Def: = (set of inver3ble elements in ) =
= { x∈ : gcd(x,N) = 1 }
Examples:
1.  for prime p,
2.  = { 1, 5, 7, 11}
For x in , can find x-‐1 using extended Euclid algorithm.

Dan Boneh
Solving modular linear equa3ons
Solve: a⋅x + b = 0 in

Solu3on: x = −b⋅a-‐1 in

Find a-‐1 in using extended Euclid. Run 3me: O(log2 N)

What about modular quadra3c equa3ons?
next segments
Dan Boneh
End of Segment
Dan Boneh
Fermat and Euler
Dan Boneh
Review
N denotes an n-‐bit posi3ve integer. p denotes a prime.
•  ZN = { 0, 1, …, N-‐1 }
•  (ZN)* = (set of inver3ble elements in ZN) =
= { x∈ZN : gcd(x,N) = 1 }

Can find inverses efficiently using Euclid alg.: 3me = O(n2)

Dan Boneh
Fermat’s theorem (1640)
Thm: Let p be a prime
∀ x ∈ (Zp)* : xp-‐1 = 1 in Zp

Example: p=5. 34 = 81 = 1 in Z5

So: x ∈ (Zp)* ⇒ x⋅xp-‐2 = 1 ⇒ x−1 = xp-‐2 in Zp
another way to compute inverses, but less efficient than Euclid
Dan Boneh
Applica3on: genera3ng random primes
Suppose we want to generate a large random prime
say, prime p of length 1024 bits ( i.e. p ≈ 21024 )

Step 1: choose a random integer p ∈ [ 21024 , 21025-‐1 ]
Step 2: test if 2p-‐1 = 1 in Zp
If so, output p and stop. If not, goto step 1 .

Simple algorithm (not the best). Pr[ p not prime ] < 2-‐60
Dan Boneh
The structure of (Zp)*
Thm (Euler): (Zp)* is a cyclic group, that is
∃ g∈(Zp)* such that {1, g, g2, g3, …, gp-‐2} = (Zp)*
g is called a generator of (Zp)*
Example: p=7. {1, 3, 32, 33, 34, 35} = {1, 3, 2, 6, 4, 5} = (Z7)*
Not every elem. is a generator: {1, 2, 22, 23, 24, 25} = {1, 2, 4}
Dan Boneh
Order
For g∈(Zp)* the set {1 , g , g2, g3, … } is called
the group generated by g, denoted <g>
Def: the order of g∈(Zp)* is the size of <g>
ordp(g) = |<g>| = (smallest a>0 s.t. ga = 1 in Zp)
Examples: ord7(3) = 6 ; ord 7(2) = 3 ; ord7(1) = 1
Thm (Lagrange): ∀g∈(Zp)* : ordp(g) divides p-‐1

Dan Boneh
Euler’s generaliza3on of Fermat (1736)
Def: For an integer N define ϕ (N) = |(ZN)*| (Euler’s ϕ func.)
Examples: ϕ (12) = |{1,5,7,11}| = 4 ; ϕ (p) = p-‐1

For N=p⋅q: ϕ (N) = N-‐p-‐q+1 = (p-‐1)(q-‐1)

ϕ(N)
Thm (Euler): ∀ x ∈ (ZN) : x
* = 1 in ZN
Example: 5ϕ(12) = 54 = 625 = 1 in Z12
Generaliza3on of Fermat. Basis of the RSA cryptosystem

Dan Boneh
End of Segment
Dan Boneh
Modular e’th roots
Dan Boneh
We know how to solve modular linear equa3ons:
a⋅x + b = 0 in ZN Solu3on: x = −b⋅a-‐1 in ZN

What about higher degree polynomials?

Example: let p be a prime and c∈Zp . Can we solve:

x2 – c = 0 , y3 – c = 0 , z37 – c = 0 in Zp

Dan Boneh
Let p be a prime and c∈Zp .

Def: x∈Zp s.t. xe = c in Zp is called an e’th root of c .

Examples: 71/3 = 6 in

31/2 = 5 in 21/2 does not exist in

11/3 = 1 in

Dan Boneh
The easy case
When does c1/e in Zp exist? Can we compute it efficiently?
The easy case: suppose gcd( e , p-‐1 ) = 1

Then for all c in (Zp)*: c1/e exists in Zp and is easy to find.
Proof: let d = e-‐1 in Zp-‐1 . Then
d⋅e = 1 in Zp-‐1 ⇒
Dan Boneh
The case e=2: square roots
If p is an odd prime then gcd( 2, p-‐1) ≠ 1 x −x

Fact: in , x ⟶ x2 is a 2-‐to-‐1 func3on x2

Example: in : 1 10 2 9 3 8 4 7 5 6

1 4 9 5 3
Def: x in is a quadra5c residue (Q.R.) if it has a square root in
p odd prime ⇒ the # of Q.R. in is (p-‐1)/2 + 1
Dan Boneh
Euler’s theorem
Thm: x in (Zp)* is a Q.R. ⟺ x(p-‐1)/2 = 1 in Zp (p odd prime)

Example: in : 15, 25, 35, 45, 55, 65, 75, 85, 95, 105

= 1 -‐1 1 1 1, -‐1, -‐1, -‐1, 1, -‐1

1/2
Note: x≠0 ⇒ x(p-‐1)/2 = (x ) = 11/2 ∈ { 1, -‐1 } in Z
p-‐1
p
Def: x(p-‐1)/2 is called the Legendre Symbol of x over p (1798)
Dan Boneh
Compu3ng square roots mod p
Suppose p = 3 (mod 4)

Lemma: if c∈(Zp)* is Q.R. then √c = c(p+1)/4 in Zp

Proof:

When p = 1 (mod 4), can also be done efficiently, but a bit harder
run 3me ≈ O(log3 p)

Dan Boneh
Solving quadra3c equa3ons mod p
Solve: a⋅x2 + b⋅x + c = 0 in Zp
Solu3on: x = (-‐b ± √b2 – 4⋅a⋅c ) / 2a in Zp

•  Find (2a)-‐1 in Zp using extended Euclid.

•  Find square root of b2 – 4⋅a⋅c in Zp (if one exists)
using a square root algorithm
Dan Boneh
Compu3ng e’th roots mod N ??
Let N be a composite number and e>1

When does c1/e in ZN exist? Can we compute it efficiently?

Answering these ques3ons requires the factoriza3on of N
(as far as we know)

Dan Boneh
End of Segment
Dan Boneh
Arithme3c algorithms
Dan Boneh
Represen3ng bignums
Represen3ng an n-‐bit integer (e.g. n=2048) on a 64-‐bit machine

32 bits 32 bits 32 bits
⋯ 32 bits
n/32 blocks

Note: some processors have 128-‐bit registers (or more)
and support mul3plica3on on them
Dan Boneh
Arithme3c
Given: two n-‐bit integers
•  Addi5on and subtrac5on: linear 3me O(n)
•  Mul5plica5on: naively O(n2). Karatsuba (1960): O(n1.585)

Basic idea: (2b x2+ x1) × (2b y2+ y1) with 3 mults.
Best (asympto3c) algorithm: about O(n⋅log n).
•  Division with remainder: O(n2).

Dan Boneh
Exponen3a3on
Finite cyclic group G (for example G = )

Goal: given g in G and x compute gx

Example: suppose x = 53 = (110101)2 = 32+16+4+1
Then: g53 = g32+16+4+1 = g32⋅g16⋅g4⋅g1
g ⟶ g2 ⟶ g4 ⟶ g8 ⟶ g16 ⟶ g32 g53

Dan Boneh
The repeated squaring alg.
Input: g in G and x>0 ; Output: gx
example: g53
write x = (xn xn-‐1 … x2 x1 x0)2 y z
g2 g
y ⟵ g , z ⟵ 1
g4 g
for i = 0 to n do:
g8 g5
if (x[i] == 1): z ⟵ z⋅y
g16 g5
y ⟵ y2
g32 g21
output z
g64 g53
Dan Boneh
Running 3mes
Given n-‐bit int. N:
•  Addi5on and subtrac5on in ZN: linear 3me T+ = O(n)
•  Modular mul5plica5on in ZN: naively T× = O(n2)
•  Modular exponen5a5on in ZN ( gx ):
O( (log x)⋅T×) ≤ O( (log x)⋅n2) ≤ O( n3 )
Dan Boneh
End of Segment
Dan Boneh
Intractable problems
Dan Boneh
Easy problems
•  Given composite N and x in ZN find x-‐1 in ZN
•  Given prime p and polynomial f(x) in Zp[x]

find x in Zp s.t. f(x) = 0 in Zp (if one exists)
Running 3me is linear in deg(f) .
… but many problems are difficult

Dan Boneh
Intractable problems with primes
Fix a prime p>2 and g in (Zp)* of order q.
Consider the func3on: x ⟼ gx in Zp
Now, consider the inverse func3on:
Dlogg (gx) = x where x in {0, …, q-‐2}

Example: in : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10

Dlog2(⋅) : 0, 1, 8, 2, 4, 9, 7, 3, 6, 5
Dan Boneh
DLOG: more generally
Let G be a finite cyclic group and g a generator of G
G = { 1 , g , g2 , g3 , … , gq-‐1 } ( q is called the order of G )
Def: We say that DLOG is hard in G if for all efficient alg. A:
Pr g⟵G, x ⟵Z [ A( G, q, g, gx ) = x ] < negligible
q
Example candidates:
(1) (Zp)* for large p, (2) Ellip3c curve groups mod p
Dan Boneh
Compu3ng Dlog in (Zp)* (n-‐bit prime p)
Best known algorithm (GNFS): run 3me exp( )
Ellip3c Curve
cipher key size modulus size group
size
80 bits 1024 bits 160
bits
128 bits 3072 bits 256
bits
256 bits (AES) 15360 bits 512
bits
As a result: slow transi3on away from (mod p) to ellip3c curves
Dan Boneh
An applica3on: collision resistance
Choose a group G where Dlog is hard (e.g. (Zp)* for large p)
Let q = |G| be a prime. Choose generators g, h of G
For x,y ∈ {1,…,q} define H(x,y) = gx ⋅ hy in G

Lemma: finding collision for H(.,.) is as hard as compu3ng Dlogg(h)
Proof: Suppose we are given a collision H(x0,y0) = H(x1,y1)
then gx0⋅hy0 = gx1⋅hy1 ⇒ gx0-‐x1 = hy1-‐y0 ⇒ h = g x0-‐x1/y1-‐y0

Dan Boneh
Intractable problems with composites
Consider the set of integers: (e.g. for n=1024)

:= { N = p⋅q where p,q are n-‐bit primes }

Problem 1: Factor a random N in (e.g. for n=1024)
Problem 2: Given a polynomial f(x) where degree(f) > 1

and a random N in
find x in s.t. f(x) = 0 in

Dan Boneh
The factoring problem
Gauss (1805): “The problem of dis0nguishing prime numbers from
composite numbers and of resolving the la8er into
their prime factors is known to be one of the most
important and useful in arithme0c.”
Best known alg. (NFS): run 3me exp( ) for n-‐bit integer
Current world record: RSA-‐768 (232 digits)

•  Work: two years on hundreds of machines
•  Factoring a 1024-‐bit integer: about 1000 3mes harder
⇒ likely possible this decade
Dan Boneh
Further reading
•  A Computa3onal Introduc3on to Number Theory and Algebra,
V. Shoup, 2008 (V2), Chapter 1-‐4, 11, 12

Available at //shoup.net/ntb/ntb-v2.pdf
Dan Boneh
End of Segment
Dan Boneh
Public Key Encryp4on

from trapdoor permuta4ons
Public key encryp4on:

defini4ons and security
Dan Boneh
Bob: generates (PK, SK) and gives PK to Alice
Alice Bob
m c c m
E D
pk sk
Dan Boneh
Applica4ons
Session setup (for now, only eavesdropping security)
Alice pk Bob
Generate (pk, sk)
choose random x
E(pk, x) (e.g. 48 bytes)
x
Non-‐interac3ve applica3ons: (e.g. Email)

•  Bob sends email to Alice encrypted using pkalice
•  Note: Bob needs pkalice (public key management)
Dan Boneh
Def: a public-‐key encryp4on system is a triple of algs. (G, E, D)
•  E(pk, m): randomized alg. that takes m∈M and outputs c ∈C
•  D(sk,c): det. alg. that takes c∈C and outputs m∈M or ⊥
Consistency: ∀(pk, sk) output by G :

∀m∈M: D(sk, E(pk, m) ) = m
Dan Boneh
Security: eavesdropping
For b=0,1 define experiments EXP(0) and EXP(1) as:
pk
b Chal. Adv. A
m0 , m1 ∈ M : |m0| = |m1|
(pk,sk)←G()
c ← E(pk, mb) b’ ∈ {0,1}

EXP(b)
Def: E =(G,E,D) is sem. secure (a.k.a IND-‐CPA) if for all efficient A:
AdvSS [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible

Dan Boneh
Rela4on to symmetric cipher security
Recall: for symmetric ciphers we had two security no4ons:
•  One-‐4me security and many-‐4me security (CPA)
•  We showed that one-‐4me security ⇒ many-‐4me security
For public key encryp4on:

•  One-‐4me security ⇒ many-‐4me security (CPA)
(follows from the fact that aaacker can encrypt by himself)
•  Public key encryp4on must be randomized
Dan Boneh
Security against ac4ve aaacks
What if aaacker can tamper with ciphertext?
mail server Caroline

to: caroline@gmail body
(e.g. Gmail)
aaacker:
pkserver to: aaacker@gmail body
skserver
aaacker
Aaacker is given decryp4on of msgs
that start with “to: a;acker”
Dan Boneh
(pub-‐key) Chosen Ciphertext Security: defini4on
E = (G,E,D) public-‐key enc. over (M,C). For b=0,1 define EXP(b):
pk
Chal. Adv. A
(pk,sk)←G()
b CCA phase 1: ci ∈ C
mi ← D(k, ci)

challenge: m0 , m1 ∈ M : |m0| = |m1|
c ← E(pk, mb)
CCA phase 2: ci ∈ C : ci ≠ c

mi ← D(k, ci) b’ ∈ {0,1}
Dan Boneh
Chosen ciphertext security: defini4on
Def: E is CCA secure (a.k.a IND-‐CCA) if for all efficient A:
AdvCCA [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is negligible.
Example: Suppose (to:

a lice,
b ody)
⟶ (to: david, body)
pk
b Chal. Adv. A
(pk,sk)←G() chal.: (to:alice, 0) , (to:alice, 1)
c
c ← E(pk, mb) (to: david, b)
CCA phase 2: c’ = (to:
d avid,
b ) ≠c
m’ ← D(sk, c’ ) b
Dan Boneh
Ac4ve aaacks: symmetric vs. pub-‐key
Recall: secure symmetric cipher provides authen3cated encryp3on
[ chosen plaintext security & ciphertext integrity ]
•  Roughly speaking: a;acker cannot create new ciphertexts
•  Implies security against chosen ciphertext aaacks
In public-‐key sefngs:
•  Aaacker can create new ciphertexts using pk !!
•  So instead: we directly require chosen ciphertext security
Dan Boneh
This and next module:

construc4ng CCA secure pub-‐key systems
End of Segment
Dan Boneh

Construc4ons
Goal: construct chosen-‐ciphertext secure public-‐key encryp4on

Dan Boneh
Trapdoor func4ons (TDF)
Def: a trapdoor func. X⟶Y is a triple of efficient algs. (G, F, F-‐1)
•  F(pk,⋅): det. alg. that defines a func4on X ⟶ Y
•  F-‐1(sk,⋅): defines a func4on Y ⟶ X that inverts F(pk,⋅)

More precisely: ∀(pk, sk) output by G
∀x∈X: F-‐1(sk, F(pk, x) ) = x
Dan Boneh
Secure Trapdoor Func4ons (TDFs)
(G, F, F-‐1) is secure if F(pk, ⋅) is a “one-‐way” func4on:
can be evaluated, but cannot be inverted without sk

Chal. Adv. A

(pk,sk)←G()

x ⟵ R
X pk, y ← F(pk, x) x’

Def: (G, F, F ) is a secure TDF if for all efficient A:
-‐1
AdvOW [A,F] = Pr[ x = x’ ] < negligible

Dan Boneh
Public-‐key encryp4on from TDFs
•  (G, F, F-‐1): secure TDF X ⟶ Y
•  (Es, Ds) : symmetric auth. encryp4on defined over (K,M,C)
•  H: X ⟶ K a hash func4on

We construct a pub-‐key enc. system (G, E, D):
Key genera4on G: same as G for TDF
Dan Boneh
Public-‐key encryp4on from TDFs
•  (G, F, F-‐1): secure TDF X ⟶ Y
•  H: X ⟶ K a hash func4on
E( pk, m) : D( sk, (y,c) ) :

x ⟵
R
X, y ⟵ F(pk, x) x ⟵ F-‐1(sk, y),
k ⟵ H(x), c ⟵ Es(k, m) k ⟵ H(x), m ⟵ Ds(k, c)
output (y, c) output m
Dan Boneh
In pictures: F(pk, x) Es( H(x), m )

header body
Security Theorem:
If (G, F, F-‐1) is a secure TDF, (Es, Ds) provides auth. enc.
and H: X ⟶ K is a “random oracle”
then (G,E,D) is CCAro secure.
Dan Boneh
Incorrect use of a Trapdoor Func4on (TDF)
Never encrypt by applying F directly to plaintext:

E( pk, m) : D( sk, c ) :

output c ⟵ F(pk, m) output F-‐1(sk, c)

Problems:
•  Determinis4c: cannot be seman4cally secure !!
•  Many aaacks exist (next segment)
Dan Boneh
Next step: construct a TDF
End of Segment
Dan Boneh

The RSA trapdoor

permuta4on
Dan Boneh
Review: trapdoor permuta4ons
Three algorithms: (G, F, F-‐1)

•  G: outputs pk, sk. pk defines a func4on F(pk, ⋅): X → X
•  F(pk, x): evaluates the func4on at x
•  F-‐1(sk, y): inverts the func4on at y using sk
Secure trapdoor permuta4on:

The func4on F(pk, ⋅) is one-‐way without the trapdoor sk
Dan Boneh
Review: arithme4c mod composites
Let N = p⋅q where p,q are prime
ZN = {0,1,2,…,N-‐1} ; (ZN)* = {inver4ble elements in ZN}

Facts: x ∈ ZN is inver4ble ⇔ gcd(x,N) = 1
–  Number of elements in (ZN)* is ϕ(N) = (p-‐1)(q-‐1) = N-‐p-‐q+1
Euler’s thm: ∀ x∈ (ZN)* : xϕ(N) = 1

Dan Boneh
The RSA trapdoor permuta4on
First published: Scien4fic American, Aug. 1977.

Very widely used:
–  SSL/TLS: cer4ficates and key-‐exchange
–  Secure e-‐mail and file systems
… many others
Dan Boneh
The RSA trapdoor permuta4on
G(): choose random primes p,q ≈1024 bits. Set N=pq.
choose integers e , d s.t. e⋅d = 1 (mod ϕ(N) )

output pk = (N, e) , sk = (N, d)
F( pk, x ): ; RSA(x) = xe (in ZN)
kϕ(N)+1 ϕ(N) k
-‐1 d d d ed
F ( sk, y) = y ; y = RSA(x) = x = x = (x ) ⋅ x =
x
Dan Boneh
The RSA assump4on
RSA assump4on: RSA is one-‐way permuta4on
For all efficient algs. A:
[ ]
Pr A(N,e,y) = y1/e < negligible
where p,q ←
R
n-‐bit primes, N←pq, y←Z
R
N
*
Dan Boneh
Review: RSA pub-‐key encryp4on (ISO std)
(Es, Ds): symmetric enc. scheme providing auth. encryp4on.
H: ZN → K where K is key space of (Es,Ds)
•  G(): generate RSA params: pk = (N,e), sk = (N,d)

•  E(pk, m): (1) choose random x in ZN
(2) y ← RSA(x) = xe , k ← H(x)
(3) output (y , Es(k,m) )
•  D(sk, (y, c) ): output Ds( H(RSA-‐1 (y)) , c)

Dan Boneh
Textbook RSA is insecure
Textbook RSA encryp4on:
–  public key: (N,e) Encrypt: c ⟵ me (in ZN)
–  secret key: (N,d) Decrypt: cd ⟶ m

Insecure cryptosystem !!
–  Is not seman4cally secure and many aaacks exist

⇒ The RSA trapdoor permuta4on is not an encryp4on scheme !
Dan Boneh
A simple aaack on textbook RSA
CLIENT HELLO
random
Web SERVER HELLO (e,N) Web d
session-‐key k
Browser Server
c=RSA(k)
Suppose k is 64 bits: k ∈ {0,…,264}. Eve sees: c= ke in ZN
If k = k1⋅k2 where k1, k2 < 234 (prob. ≈20%) then c/k1e = k2e in ZN
Step 1: build table: c/1e, c/2e, c/3e, …, c/234e . 4me: 234
Step 2: for k2 = 0,…, 234 test if k2e is in table. 4me: 234
Output matching (k1, k2). Total aaack 4me: ≈240 << 264 Dan Boneh
End of Segment
Dan Boneh

PKCS 1
Dan Boneh
RSA encryp4on in prac4ce
Never use textbook RSA.
RSA in prac4ce (since ISO standard is not often used) :
ciphertext
msg Preprocessing RSA
key
Main ques4ons:
–  How should the preprocessing be done?
–  Can we argue about security of resul4ng system?
Dan Boneh
PKCS1 v1.5
PKCS1 mode 2: (encryp4on)
16 bits
02 random pad FF msg
RSA modulus size (e.g. 2048 bits)
•  Resul4ng value is RSA encrypted
•  Widely deployed, e.g. in HTTPS

Dan Boneh
Aaack on PKCS1 v1.5 (Bleichenbacher 1998)
PKCS1 used in HTTPS:
c= ciphertext

Is t his d c
Web
PKCS1? yes: con4nue Aaacker
Server
no: error
02

⇒ aaacker can test if 16 MSBs of plaintext = ’02’
Chosen-‐ciphertext aaack: to decrypt a given ciphertext c do:

e
–  (r ⋅ PKCS1(m))
Choose r ∈ ZN. Compute c’ ⟵ re⋅c =
–  Send c’ to web server and use response
Dan Boneh
Baby Bleichenbacher
compute x⟵cd in ZN c= ciphertext
d c
is msb=1? Web Aaacker
Server yes: con4nue
1 no: error
Suppose N is N = 2n (an invalid RSA modulus). Then:

•  Sending c reveals msb( x )
•  Sending 2e⋅c = (2x)e in ZN reveals msb(2x mod N) = msb2(x)
•  Sending 4e⋅c = (4x)e in ZN reveals msb(4x mod N) = msb3(x)
•  … and so on to reveal all of x
Dan Boneh
HTTPS Defense (RFC 5246)
A"acks discovered by Bleichenbacher and Klima et al. … can be
avoided by trea9ng incorrectly forma"ed message blocks … in a
manner indis9nguishable from correctly forma"ed RSA blocks.
In other words:
1. Generate a string R of 46 random bytes
2. Decrypt the message to recover the plaintext M
3. If the PKCS#1 padding is not correct
pre_master_secret = R
Dan Boneh
PKCS1 v2.0: OAEP
New preprocessing func4on: OAEP [BR94]
msg 01 00..0 rand.

check pad + H
on decryp4on.
reject CT if invalid. G +
plaintext to encrypt with RSA ∈{0,1}n-‐1
Thm [FOPS’01] : RSA is a trap-‐door permuta4on ⇒

RSA-‐OAEP is CCA secure when H,G are random oracles
in prac4ce: use SHA-‐256 for H and G
Dan Boneh
OAEP Improvements
OAEP+: [Shoup’01] m W(m,r) r
∀ trap-‐door permuta4on F + H
F-‐OAEP+ is CCA secure when
H,G,W are random oracles. G +
During decryp4on validate W(m,r) field.

SAEP+: [B’01] m W(m,r) r
RSA (e=3) is a trap-‐door perm ⇒ H
+
RSA-‐SAEP+ is CCA secure when
H,W are random oracle.
Dan Boneh
m W(m,r) r
+ H
How would you decrypt
an SAEP ciphertext ct ? x r
RSA
ciphertext
(x,r) ⟵RSA-‐1(sk,ct) , (m,w) ⟵ x⨁H(r) , output m if w = W(m,r)

(x,r) ⟵RSA-‐1(sk,ct) , (m,w) ⟵ r⨁H(x) , output m if w = W(m,r)
(x,r) ⟵RSA-‐1(sk,ct) , (m,w) ⟵ x⨁H(r) , output m if r = W(m,x)
Subtle4es in implemen4ng OAEP [M ’00]
OAEP-‐decrypt(ct):
error = 0;
if ( RSA-1(ct) > 2n-1 )

{ error =1; goto exit; }
if ( pad(OAEP-1(RSA-1(ct))) != “01000” )
{ error = 1; goto exit; }
Problem: 4ming informa4on leaks type of error

⇒ Aaacker can decrypt any ciphertext
Lesson: Don’t implement RSA-‐OAEP yourself !
Dan Boneh
End of Segment
Dan Boneh

Is RSA a one-‐way
func4on?
Dan Boneh
Is RSA a one-‐way permuta4on?
To invert the RSA one-‐way func. (without d) aaacker must compute:
x from c = xe (mod N).
How hard is compu4ng e’th roots modulo N ??
Best known algorithm:

–  Step 1: factor N (hard)
–  Step 2: compute e’th roots modulo p and q (easy)
Dan Boneh
Shortcuts?
Must one factor N in order to compute e’th roots?
To prove no shortcut exists show a reduc4on:

–  Efficient algorithm for e’th roots mod N
⇒ efficient algorithm for factoring N.
–  Oldest problem in public key cryptography.
Some evidence no reduc4on exists: (BV’98)

–  “Algebraic” reduc4on ⇒ factoring is easy.
Dan Boneh
How not to improve RSA’s performance
To speed up RSA decryp4on use small private key d ( d ≈ 2128 )
cd = m (mod N)

Wiener’87: if d < N0.25 then RSA is insecure.
BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 )

Insecure: priv. key d can be found from (N,e)

Dan Boneh
Wiener’s aaack
Recall: e⋅d = 1 (mod ϕ(N) ) ⇒ ∃ k∈Z : e⋅d = k⋅ϕ(N) + 1

ϕ(N) = N-‐p-‐q+1 ⇒ |N − ϕ(N)| ≤ p+q ≤ 3√N
d ≤ N0.25/3 ⇒
Con4nued frac4on expansion of e/N gives k/d.

e⋅d = 1 (mod k) ⇒ gcd(d,k)=1 ⇒ can find d from k/d
Dan Boneh
End of Segment
Dan Boneh

RSA in prac4ce
Dan Boneh
RSA With Low public exponent
To speed up RSA encryp4on use a small e: c = me (mod N)
•  Minimum value: e=3 ( gcd(e, ϕ(N) ) = 1)

•  Recommended value: e=65537=216+1
Encryp4on: 17 mul4plica4ons
Asymmetry of RSA: fast enc. / slow dec.

–  ElGamal (next module): approx. same 4me for both.
Dan Boneh
Key lengths
Security of public key system should be comparable to security
of symmetric cipher:
RSA
Cipher key-‐size Modulus size
80 bits 1024 bits
128 bits 3072 bits
256 bits (AES) 15360 bits

Dan Boneh
Implementa4on aaacks
Timing a;ack: [Kocher et al. 1997] , [BB’04]
The 4me it takes to compute cd (mod N) can expose d
Power a;ack: [Kocher et al. 1999)

The power consump4on of a smartcard while
it is compu4ng cd (mod N) can expose d.
Faults a;ack: [BDL’97]

A computer error during cd (mod N) can expose d.
A common defense:: check output. 10% slowdown.

Dan Boneh
An Example Fault Aaack on RSA (CRT)
A common implementa4on of RSA decryp4on: x = cd in ZN
decrypt mod p: xp = cd in Zp

combine to get x = cd in ZN
decrypt mod q: xq = cd in Zq
Suppose error occurs when compu4ng xq , but no error in xp
Then: output is x’ where x’ = cd in Zp but x’ ≠ cd in Zq
⇒ (x’)e = c in Zp but (x’)e ≠ c in Zq ⇒ gcd( (x’)e -‐ c , N) = p

Dan Boneh
RSA Key Genera4on Trouble [Heninger et al./Lenstra et al.]
OpenSSL RSA key genera4on (abstract):
prng.seed(seed)
p = prng.generate_random_prime()
prng.add_randomness(bits)
q = prng.generate_random_prime()
N = p*q
Suppose poor entropy at startup:

•  Same p will be generated by mul4ple devices, but different q
•  N1 , N2 : RSA keys from different devices ⇒ gcd(N1,N2) = p
Dan Boneh
RSA Key Genera4on Trouble [Heninger et al./Lenstra et al.]

Experiment: factors 0.4% of public HTTPS keys !!
Lesson:
–  Make sure random number generator is properly

seeded when genera4ng keys
Dan Boneh
Further reading
•  Why chosen ciphertext security maaers, V. Shoup, 1998
•  Twenty years of aaacks on the RSA cryptosystem,

D. Boneh, No4ces of the AMS, 1999
•  OAEP reconsidered, V. Shoup, Crypto 2001
•  Key lengths, A. Lenstra, 2004
Dan Boneh
End of Segment
Dan Boneh

from Diffie-‐Hellman
The ElGamal
Public-‐key System
Dan Boneh
Recap: public key encryp3on: (Gen, E, D)
Gen
pk sk
m c c m
E D
Dan Boneh
Recap: public-‐key encryp3on applica3ons
Key exchange (e.g. in HTTPS)
Encryp3on in non-‐interac3ve seKngs:
•  Secure Email: Bob has Alice’s pub-‐key and sends her an email
•  Encrypted File Systems
skA
write read
Alice
E(pkA, KF)
Bob File
E(kF, File) E(pkB, KF)
Dan Boneh
Recap: public-‐key encryp3on applica3ons
Key exchange (e.g. in HTTPS)
Encryp3on in non-‐interac3ve seKngs:
•  Secure Email: Bob has Alice’s pub-‐key and sends her an email
•  Encrypted File Systems
•  Key escrow: data recovery without Bob’s key
Escrow
Service
write
skescrow
E(pkescrow, KF)
Bob
E(kF, File) E(pkB, KF)
Dan Boneh
Construc3ons
This week: two families of public-‐key encryp3on schemes
•  Previous lecture: based on trapdoor func3ons (such as RSA)

–  Schemes: ISO standard, OAEP+, …
•  This lecture: based on the Diffie-‐Hellman protocol

–  Schemes: ElGamal encryp3on and variants (e.g. used in GPG)
Security goals: chosen ciphertext security

Dan Boneh
Review: the Diffie-‐Hellman protocol (1977)
Fix a finite cyclic group G (e.g G = (Zp)* ) of order n
Fix a generator g in G (i.e. G = {1, g, g2, g3, … , gn-‐1 } )
Alice Bob
choose random a in {1,…,n} choose random b in {1,…,n}
A = ga
B = gb
a b
B = (g ) =
a b
kAB = gab = (g ) = Ab
a
Dan Boneh
ElGamal: conver3ng to pub-‐key enc. (1984)
Fix a generator g in G (i.e. G = {1, g, g2, g3, … , gn-‐1} )
Alice Bob
Treat as a
choose random a in {1,…,n} key random b in {1,…,n}
choose
public
A = ga
compute gab = Ab ,
derive symmetric key k ,
[
ct = B
= g b
, encrypt
m essage
m
w ith ]
k
Dan Boneh
ElGamal: conver3ng to pub-‐key enc. (1984)
Fix a generator g in G (i.e. G = {1, g, g2, g3, … , gn-‐1} )
Alice Bob
Treat as a
choose random a in {1,…,n} key random b in {1,…,n}
choose
public
A = ga
compute gab = Ab ,
derive symmetric key k ,
To decrypt:
compute gab = Ba ,
[
ct = B
= g b
, encrypt
m essage
m
w ith ]
k
derive k, and decrypt
Dan Boneh
The ElGamal system (a modern view)
•  G: finite cyclic group of order n
•  H: G2 ⟶ K a hash func3on
We construct a pub-‐key enc. system (Gen, E, D):

•  Key genera3on Gen:
–  choose random generator g in G and random a in Zn
–  output sk = a , pk = (g, h=ga )
Dan Boneh
The ElGamal system (a modern view)
•  G: finite cyclic group of order n
•  H: G2 ⟶ K a hash func3on
E( pk=(g,h), m) : D( sk=a, (u,c) ) :

b ⟵
R
Zn , u ⟵ gb , v ⟵ hb v ⟵ ua
k ⟵ H(u,v) , c ⟵ Es(k, m) k ⟵ H(u,v) , m ⟵ Ds(k, c)
output (u, c) output m
Dan Boneh
ElGamal performance
E( pk=(g,h), m) : D( sk=a, (u,c) ) :
b ⟵ Zn , u ⟵ gb , v ⟵ hb v ⟵ ua
Encryp=on: 2 exp. (fixed basis)

–  Can pre-‐compute [ g(2î) , h(2î) for i=1,…,log2 n ]
–  3x speed-‐up (or more)
Decryp=on: 1 exp. (variable basis)

Dan Boneh
Next step: why is this system chosen ciphertext secure?
under what assump3ons?
End of Segment
Dan Boneh

ElGamal Security
Dan Boneh
Computa3onal Diffie-‐Hellman Assump3on
G: finite cyclic group of order n
Comp. DH (CDH) assump3on holds in G if: g, ga , gb ⇏ gab
for all efficient algs. A:
[ ]
Pr A(g, ga, gb ) = gab < negligible
where g ⟵ {generators of G} , a, b ⟵ Zn

Dan Boneh
Hash Diffie-‐Hellman Assump3on
G: finite cyclic group of order n , H: G2 ⟶ K a hash func3on
Def: Hash-‐DH (HDH) assump3on holds for (G, H) if:

(g, ga, gb , H(gb,gab) ) ≈p (g, ga, gb , R )

where g ⟵ {generators of G} , a, b ⟵ Zn , R ⟵ K
H acts as an extractor: strange distribu3on on G2 ⇒ uniform on K
Dan Boneh
Suppose K = {0,1}128 and

H: G2 ⟶ K only outputs strings in K that begin with 0
( i.e. for all x,y: msb(H(x,y))=0 )

Can Hash-‐DH hold for (G, H) ?
Yes, for some groups G

No, Hash-‐DH is easy to break in this case
Yes, Hash-‐DH is always true for such H
ElGamal is sem. secure under Hash-‐DH
KeyGen: g ⟵ {generators of G} , a ⟵ Zn
output pk = (g, h=g

a) , sk = a

E( pk=(g,h), m) : b ⟵ Zn D( sk=a, (u,c) ) :

k ⟵ H(gb,hb) , c ⟵ Es(k, m) k ⟵ H(u,ua) , m ⟵ Ds(k, c)
output (gb, c) output m

Dan Boneh
ElGamal is sem. secure under Hash-‐DH
pk = (g,ga) pk = (g,ga)
m0 , m1 m0 , m1
pk,sk
gb, Es(H(), m0) ≈p pk,sk
k←K
gb, Es(k, m0)
(gb , gab) b’≟1 b’≟1

≈p ≈p
pk = (g,ga) pk = (g,ga)
m0 , m1 m0 , m1
pk,sk
gb, E s (H(), m1)
≈p pk,sk
gb, Es(k, m1)
k←K
(gb , gab) b’≟1 b’≟1
Dan Boneh
ElGamal chosen ciphertext security?
To prove chosen ciphertext security need stronger assump3on
Interac=ve Diffie-‐Hellman (IDH) in group G:
g, h=ga, u=gb
Chal. Adv. A
(u1,v1)
g⟵{gen}
a,b⟵Zn 1  if (u1)a = v1 v

0 otherwise wins if v=gab

IDH holds in G if: ∀efficient A: Pr[ A outputs gab] < negligible
Dan Boneh
ElGamal chosen ciphertext security?
Security Theorem:
If IDH holds in the group G, (Es, Ds) provides auth. enc.
and H: G2 ⟶ K is a “random oracle”
then ElGamal is CCAro secure.

Ques3ons: (1) can we prove CCA security based on CDH?
(2) can we prove CCA security without random oracles?
Dan Boneh
End of Segment
Dan Boneh

ElGamal Variants
With Berer Security
Dan Boneh
Review: ElGamal encryp3on
KeyGen: g ⟵ {generators of G} , a ⟵ Zn
output pk = (g, h=g

a) , sk = a

E( pk=(g,h), m) : b ⟵ Zn D( sk=a, (u,c) ) :

k ⟵ H(gb,hb) , c ⟵ Es(k, m) k ⟵ H(u,ua) , m ⟵ Ds(k, c)

Dan Boneh
ElGamal chosen ciphertext security
Security Theorem:
If IDH holds in the group G, (Es, Ds) provides auth. enc.
then ElGamal is CCAro secure.
Can we prove CCA security based on CDH (g, ga , gb ↛ gab ) ?
•  Op3on 1: use group G where CDH = IDH (a.k.a bilinear group)
•  Op3on 2: change the ElGamal system
Dan Boneh
Variants: twin ElGamal [CKS’08]
KeyGen: g ⟵ {generators of G} , a1, a2 ⟵ Zn
output pk = (g, h1=g

a1, h =ga2) , sk = (a1, a2)
2
E( pk=(g,h1,h2), m) : b ⟵ Zn D( sk=(a1,a2), (u,c) ) :

k ⟵ H(gb, h1b, h2b) k ⟵ H(u, ua1, ua2)
c ⟵ Es(k, m) m ⟵ Ds(k, c)
Dan Boneh
Chosen ciphertext security
Security Theorem:
If CDH holds in the group G, (Es, Ds) provides auth. enc.
then twin ElGamal is CCAro secure.

Cost: one more exponen3a3on during enc/dec
–  Is it worth it? No one knows …
Dan Boneh
ElGamal security w/o random oracles?
Can we prove CCA security without random oracles?
•  Op3on 1: use Hash-‐DH assump3on in “bilinear groups”

–  Special ellip3c curve with more structure [CHK’04 + BB’04]
•  Op3on 2: use Decision-‐DH assump3on in any group [CS’98]
Dan Boneh
Further Reading
•  The Decision Diffie-‐Hellman problem. D. Boneh, ANTS 3, 1998
•  Universal hash proofs and a paradigm for chosen ciphertext secure public
key encryp3on. R. Cramer and V. Shoup, Eurocrypt 2002
•  Chosen-‐ciphertext security from Iden3ty-‐Based Encryp3on.

D. Boneh, R. CaneK, S. Halevi, and J. Katz, SICOMP 2007
•  The Twin Diffie-‐Hellman problem and applica3ons.

D. Cash, E. Kiltz, V. Shoup, Eurocrypt 2008
•  Efficient chosen-‐ciphertext security via extractable hash proofs.

H. Wee, Crypto 2010
Dan Boneh

A Unifying Theme
Dan Boneh
One-‐way func3ons (informal)
A func3on f: X ⟶ Y is one-‐way if
•  There is an efficient algorithm to evaluate f(⋅), but
•  Inver3ng f is hard:

for all efficient A and x ⟵ X :
Pr[ A(f(x)) ] < negligible

Func3ons that are not one-‐way: f(x) = x, f(x) = 0

Dan Boneh
Ex. 1: generic one-‐way func3ons
Let f: X ⟶ Y be a secure PRG (where |Y| ≫ |X| )
(e.g. f built using det. counter mode)
Lemma: f a secure PRG ⇒ f is one-‐way

Proof sketch:
A inverts f ⇒ B(y) = is a dis3nguisher
Generic: no special proper3es. Difficult to use for key exchange.
Dan Boneh
Ex 2: The DLOG one-‐way func3on
g: a random generator in G (i.e. G = {1, g, g2, g3, … , gn-‐1} )

Define: f: Zn ⟶ G as f(x) = gx ∈ G

Lemma: Dlog hard in G ⇒ f is one-‐way

Proper=es: f(x), f(y) ⇒ f(x+y) = f(x) ⋅ f(y)
⇒ key-‐exchange and public-‐key encryp3on
Dan Boneh
Ex. 3: The RSA one-‐way func3on
•  choose random primes p,q ≈1024 bits. Set N=pq.
•  choose integers e , d s.t. e⋅d = 1 (mod ϕ(N) )
Define: f: as f(x) = xe in

Lemma: f is one-‐way under the RSA assump3on

Proper=es: f(x⋅y) = f(x) ⋅ f(y) and f has a trapdoor
Dan Boneh
Summary

Public key encryp3on:
made possible by one-‐way func3ons

with special proper3es
homomorphic proper3es and trapdoors
Dan Boneh
End of Segment
Dan Boneh
Farewell (for now)
Dan Boneh
Quick Review: primi3ves
CTR
CMAC, HMAC
PRG PRF, PRP MAC
GGM PMAC
Collision
resistance
key
exchange
Trapdoor public key Diffie-‐Hellman

Func3ons encryp3on groups
Dan Boneh
Quick Review: primi3ves
To protect non-‐secret data: (data integrity)
–  using small read-‐only storage: use collision resistant hash
–  no read-‐only space: use MAC … requires secret key
To protect sensi=ve data: only use authen3cated encryp3on
(eavesdropping security by itself is insufficient)

Session setup:
•  Interac3ve seKngs: use authen3cated key-‐exchange protocol
•  When no-‐interac3on allowed: use public-‐key encryp3on
Dan Boneh
Remaining Core Topics (part II)
•  Digital signatures and cer3ficates
•  Authen3cated key exchange
•  User authen3ca3on:
passwords, one-‐3me passwords, challenge-‐response

•  Privacy mechanisms
•  Zero-‐knowledge protocols
Dan Boneh
Many more topics to cover …
•  Ellip3c Curve Crypto
•  Quantum compu3ng
•  New key management paradigms:
iden3ty based encryp3on and func3onal encryp3on
•  Anonymous digital cash
•  Private vo3ng and auc3on systems
•  Compu3ng on ciphertexts: fully homomorphic encryp3on
•  LaKce-‐based crypto
•  Two party and mul3-‐party computa3on
Dan Boneh
Final Words
Be careful when using crypto:
•  A tremendous tool, but if incorrectly implemented:
system will work, but may be easily aracked
Make sure to have others review your designs and code

Don’t invent your own ciphers or modes
Dan Boneh
End of part I
Dan Boneh

Course Cryptography I

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Course Cryptography I

Uploaded by

Copyright:

Available Formats

Online Cryptography Course Dan Boneh

Encrypting files on disk: EFS, TrueCrypt

Content protection (e.g. DVD, Blu-ray): CSS, AACS

… and much much more

1. Handshake Protocol: Establish shared secret key

2. Record Layer: Transmit data using shared secret key

Alice File 1 Alice

Analogous to secure communication:

E, D: cipher k: secret key (e.g. 128 bits)

Encryption algorithm is publicly known

Multi use key: (many time key)

Secret key establishment: Alice

• Anonymous digital cash

• Secure multi-party computation

• Zero knowledge (proof of knowledge)

Alice I know the factors of N !!

• Precisely specify threat model

• Prove that breaking construction under

David Kahn, “The code breakers” (1996)

What is the most common letter in English text?

(1) Use frequency of English letters

(2) Use frequency of pairs of letters (digrams)

Early example: the Hebern machine (single rotor)

Most famous: the Enigma (3-5 rotors)

# keys = 264 = 218 (actually 236 due to plugboard)

DES: # keys = 256 , block size = 64 bits

Today: AES (2001), Salsa20 (2008) (and many others)

See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability

Def: Probability distribution P over U is a function P: U ⟶ [0,1]

Distribution vector: ( P(000), P(001), P(010), … , P(111) ) Dan Boneh

for the uniform distribution on {0,1}8 : Pr[A] = 1/4

Pr[ lsb2(x)=11 or msb2(x)=11 ] = Pr[A1∪A2] ≤ ¼+¼ = ½

Example: X: {0,1}n ⟶ {0,1} ; X(y) = lsb(y) ∈{0,1}

for all a∈U: Pr[ r = a ] = 1/|U|

( formally, r is the identity function: r(x)=x for all x∈U )

Define the random variable X = r1 + r2

Hint: Pr[X=2] = Pr[ r=11 ]

output is a random variable

Example: A(m ; k) = E(k, m) , y⟵

See also: http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probability

Prob. distr. P over U is a function P: U ⟶ [0,1] s.t. Σ

A ⊆ U is called an event and Pr[A] = Σx∈AP(x) ∈ [0,1]

A random variable is a function X:U⟶V .

Define r.v. X and Y as: X = lsb(r) , Y = msb(r)

Pr[ X=0 and Y=0 ] = Pr[ r=00 ] = ¼ = Pr[X=0] ∙ Pr[Y=0]

Proof: (for n=1)

Thm: when n= 1.2 × |U|1/2 then Pr[ ∃i≠j: ri = rj ] ≥ ½

notation: |U| is the size of U

Example: Let U = {0,1}128

After sampling about 264 random messages from U,

The One Time Pad

• E is often randomized. D is always deterministic.

First example of a “secure” cipher

key = (random bit string as long the message)

No, I cannot compute the key.

Very fast enc/dec !!

Is the OTP secure? What is a secure cipher?

Possible security requirements:

attempt #2: attacker cannot recover all of plaintext

Pr[ E(k,m0)=c ] = Pr[ E(k,m1)=c ] where k ⟵KR

Yes, if the PRG is really “secure”

Stream ciphers cannot have perfect secrecy !!

• Need a different definition of security

• Security will depend on specific PRG