update

content/CSE4303/CSE4303_L8.md

@@ -0,0 +1,320 @@
+# CSE4303 Introduction to Computer Security (Lecture 8)
+
+## Block ciphers
+
+1. Operate on PT one block at a time  
+2. Use same key for multiple blocks (with caveats)  
+3. Chaining modes intertwine successive blocks of CT (or not)  
+
+## Security abstraction
+
+View cipher as a Pseudo-Random Permutation (PRP)
+
+### Background: Pseudo-Random Function (PRF)
+
+Defined over $(K,X,Y)$:
+$$
+F : K \times X \to Y
+$$
+
+Such that there exists an efficient algorithm to evaluate $F(k,x)$.
+
+Let:
+
+- $\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$  
+- $S_F = \{ F(k,\cdot) \mid k \in K \}$  
+
+Intuition:
+
+A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$.
+
+Adversarial game:
+
+- Challenger samples $k \leftarrow K$  
+- Or samples $f \leftarrow \text{Funs}[X,Y]$  
+- Adversary queries oracle with $x \in X$  
+- Receives either $F(k,x)$ or $f(x)$  
+- Must distinguish  
+
+Goal: adversary’s advantage negligible  
+
+## PRP Definition
+
+Defined over $(K,X)$:
+$$
+E : K \times X \to X
+$$
+
+Such that:
+
+1. Efficient deterministic algorithm to evaluate $E(k,x)$  
+2. $E(k,\cdot)$ is one-to-one  
+3. Efficient inversion algorithm $D(k,y)$ exists  
+
+i.e., a PRF that is an invertible one-to-one mapping from message space to message space  
+
+## Secure PRP
+
+Let $\text{Perms}[X]$ be all permutations on $X$.
+
+Intuition:
+
+A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:
+$$
+S_E = \{ E(k,\cdot) \mid k \in K \}
+$$
+
+Adversarial game:
+
+- Challenger samples $k \leftarrow K$  
+- Or $\pi \leftarrow \text{Perms}[X]$  
+- Adversary queries $x \in X$  
+- Receives either $E(k,x)$ or $\pi(x)$  
+- Must distinguish  
+
+Goal: negligible advantage  
+
+## Block cipher constructions
+
+### Feistel network
+
+Given:
+$$
+f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n
+$$
+
+Build invertible function:
+$$
+F : \{0,1\}^{2n} \to \{0,1\}^{2n}
+$$
+
+Let input be split into $(L_0, R_0)$.
+
+Round $i$:
+$$
+L_i = R_{i-1}
+$$
+$$
+R_i = L_{i-1} \oplus f_i(R_{i-1})
+$$
+
+#### Invertibility
+
+$$
+R_{i-1} = L_i
+$$
+$$
+L_{i-1} = R_i \oplus f_i(L_i)
+$$
+
+Thus Feistel is invertible regardless of whether $f_i$ is invertible.
+
+### Luby–Rackoff Theorem (1985)
+
+If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.
+
+### DES (Data Encryption Standard) — 1976
+
+- 16-round Feistel network  
+- 64-bit block size  
+- 56-bit key  
+- Round functions:
+$$
+f_i(x) = F(k_i, x)
+$$
+
+Round function uses:
+
+- S-box (substitution box) — non-linear  
+- P-box (permutation box)  
+
+To invert: use keys in reverse order.
+
+Problem: 56-bit keyspace too small today (brute-force feasible).
+
+### Substitution–Permutation Network (SPN)
+
+Rounds of:
+
+- Substitution (S-box layer)  
+- Permutation (P-layer)  
+- XOR with round key  
+
+All layers invertible.
+
+### AES (Advanced Encryption Standard) — 2000
+
+- 10 substitution-permutation rounds (128-bit key version)  
+- 128-bit block size  
+
+Each round includes:
+
+- ByteSub (1-byte S-box)  
+- ShiftRows  
+- MixColumns  
+- AddRoundKey  
+
+Key sizes:
+
+- 128-bit  
+- 192-bit  
+- 256-bit  
+
+Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).
+
+## Block cipher modes
+
+### Challenge
+
+Encrypt PTs longer than one block using same key while maintaining security.
+
+### ECB (Electronic Codebook)
+
+Encrypt blocks independently:
+$$
+c_i = E(k, m_i)
+$$
+
+Problem:
+
+If $m_1 = m_2$, then:
+$$
+c_1 = c_2
+$$
+
+Not semantically secure.
+
+#### Formal non-security argument
+
+Two-block challenge:
+
+- Adversary submits:
+  - $m_0 = \text{"Hello World"}$  
+  - $m_1 = \text{"Hello Hello"}$  
+- If $c_1 = c_2$, output 0; else 1  
+
+Advantage = 1  
+
+### CPA model (Chosen Plaintext Attack)
+
+Attacker:
+
+- Sees many PT/CT pairs under same key  
+- Can submit arbitrary PTs  
+
+Definition:
+$$
+\text{Adv}_{CPA}[A,E] =
+\left|
+\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
+\right|
+$$
+
+Must be negligible.
+
+ECB fails CPA security.
+
+### Moral
+
+If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.
+
+## Secure block modes
+
+### Idea
+
+Augment key with:
+
+- Per-block nonce  
+- Or chaining data from prior blocks  
+
+### CBC (Cipher Block Chaining)
+
+$$
+c_1 = E(k, m_1 \oplus IV)
+$$
+$$
+c_i = E(k, m_i \oplus c_{i-1})
+$$
+
+IV must be random/unpredictable.
+
+### CFB (Cipher Feedback)
+
+Uses previous ciphertext as input feedback into block cipher.
+
+### OFB (Output Feedback)
+
+$$
+s_i = E(k, s_{i-1})
+$$
+$$
+c_i = m_i \oplus s_i
+$$
+
+Can pre-compute keystream.
+
+Acts like stream cipher.
+
+### CTR (Counter Mode)
+
+$$
+c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)
+$$
+
+Encryption and decryption parallelizable.
+
+Nonce must be unique.
+
+### GCM (Galois Counter Mode)
+
+- Most popular ("AES-GCM")  
+- Provides authenticated encryption  
+- Confidentiality + integrity  
+
+## Nonce-based semantic security
+
+Encryption:
+$$
+c = E(k, m, n)
+$$
+
+Adversarial experiment:
+
+- Challenger picks $k$  
+- Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$  
+- Receives $c_i = E(k, m_{i,b}, n_i)$  
+- Nonces must be distinct  
+
+Definition:
+$$
+\text{Adv}_{nCPA}[A,E] =
+\left|
+\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
+\right|
+$$
+
+In practice:
+
+- CBC: IV must be random  
+- CTR/GCM: nonce must be unique but not necessarily random  
+
+## Symmetric Encryption Summary
+
+### Stream Ciphers
+
+- Rely on secure PRG  
+- No key re-use  
+- Fast  
+- Low memory  
+- Less robust  
+- No built-in integrity  
+
+### Block Ciphers
+
+- Rely on secure PRP  
+- Allow key re-use across blocks (secure mode required)  
+- Provide authenticated encryption in some modes (e.g. GCM)  
+- Slower  
+- Higher memory  
+- More robust  
+- Used in most practical secure systems (e.g. TLS)