update

content/CSE4303/CSE4303_L7.md

@@ -1,6 +1,6 @@
 # CSE4303 Introduction to Computer Security (Lecture 7)
 
-## Cyptography in Symmetric Systems
+## Cryptography in Symmetric Systems
 
 ### Symmetric systems
 
@@ -13,53 +13,132 @@ Symmetric (shared-key) encryption
   - Stream ciphers
   - Block ciphers
 
-#### Stream ciphers
+## Stream ciphers
 
 1. Operate on PT one bit at a time (usually), as a bit "stream"
 2. Generate arbitrarily long keystream on demand
 
-Security abstraction:
+### Keystream
+
+Keystream $G(k)$ generated from key $k$.
+
+Encryption:
+$$
+E(k,m) = m \oplus G(k)
+$$
+
+Decryption:
+$$
+D(k,c) = c \oplus G(k)
+$$
+
+### Security abstraction
 
 1. XOR transfers randomness of keystream to randomness of CT regardless of PT’s content
-2. Security depends on G being “practically” indistinguishable from random string and “practically” unpredictable
+2. Security depends on $G$ being "practically" indistinguishable from random string and "practically" unpredictable
 3. Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
 
-Keystream $G(k)$
+### Keystream $G(k)$
 
 - Idea: shouldn’t be able to predict next bit of generator given all bits seen so far
 - Strategies and challenges: many!
-- Idea that doesn’t quite work: Linear Feedback Shift Register (LFSR)
-  - Choice of feedback: by algebra
-  - Pro: fast, statistically close to random
-  - Problem: susceptible to cryptanalysis (b/c linear)
-  - LFSR-based
-- Modifications to basic LFSR:
-  - Use non-linear combo of multiple LFSRs
-  - Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
-  - Etc.
-- Others: mod arithmetic-based, other algebraic constructions
 
-#### Block ciphers
+#### Idea that doesn’t quite work: Linear Feedback Shift Register (LFSR)
 
-1. Operate on PT one block at a time
-2. Use same key for multiple blocks (with caveats)
-3. Chaining modes intertwine successive blocks of CT (or not)
+- Choice of feedback: by algebra
+- Pro: fast, statistically close to random
+- Problem: susceptible to cryptanalysis (because linear)
 
-View cipher as a Pseudo-Random Permutation (PRP)
+#### LFSR-based modifications
 
-- PRP defined over $(K, X)$:
+- Use non-linear combo of multiple LFSRs
+- Use controlled clocking (e.g. only cycle the LFSR when another LFSR outputs a 1)
+- Etc.
 
+#### Others
+
+- Modular arithmetic-based constructions
+- Other algebraic constructions
+
+### Hazards
+
+1. Weak PRG
+2. Key re-use
+3. Predictable effect of modifying CT on decrypted PT
+
+#### Weak PRG
+
+- Makes semantic security impossible
+
+#### Key re-use
+
+Suppose:
 $$
-E: K \times X \to X
+c_1 = m_1 \oplus G(k)
+$$
+and
+$$
+c_2 = m_2 \oplus G(k)
 $$
 
-such that:
+Then:
+$$
+c_1 \oplus c_2 = m_1 \oplus m_2
+$$
 
-1. There exists an “efficient” deterministic algorithm to evaluate $E(k,x)$.
-2. The function $E( k, \cdot )$ is one-to-one.
-3. There exists an “efficient” inversion algorithm $D(k,y)$.
+This may be enough to recover $m_1$ or $m_2$ using natural language properties.
 
-- i.e. a PRF that is an invertible 1-to-1 mapping from message space to
-message space
+##### IV (Initialization Vector)
 
+Used to avoid key re-use:
 
+- IV incremented per frame
+- But repeats after $2^{24}$ frames
+- Sometimes resets to 0
+- Enough to recover key within minutes
+
+Note:
+
+- Happens if keystream period is too short
+- Real-world example: WEP attack (802.11b)
+
+#### Predictable modification of ciphertext
+
+If attacker modifies ciphertext by XORing $p$:
+
+Ciphertext becomes:
+$$
+(m \oplus k) \oplus p
+$$
+
+Decryption yields:
+$$
+m \oplus p
+$$
+
+- Affects integrity
+- Not CCA-secure for integrity
+
+### Summary: Stream ciphers
+
+Pros
+
+- Fast
+- Memory-efficient
+- No minimum PT size
+
+Cons
+
+- Require good PRG
+- Can never re-use key
+- No integrity mechanism
+
+Note
+
+- Integrity mechanisms exist for other symmetric ciphers (block ciphers)
+- "Authenticated encryption"
+
+Examples / Uses
+
+- RC4: legacy stream cipher (e.g. WEP)
+- ChaCha / Salsa: Android cell phone encryption (Adiantum)