# CSE4303 Introduction to Computer Security (Lecture 8)

## Block ciphers

1. Operate on PT one block at a time  
2. Use same key for multiple blocks (with caveats)  
3. Chaining modes intertwine successive blocks of CT (or not)  

## Security abstraction

View cipher as a Pseudo-Random Permutation (PRP)

### Background: Pseudo-Random Function (PRF)

Defined over $(K,X,Y)$:
$$
F : K \times X \to Y
$$

Such that there exists an efficient algorithm to evaluate $F(k,x)$.

Let:

- $\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$  
- $S_F = \{ F(k,\cdot) \mid k \in K \}$  

Intuition:

A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$.

Adversarial game:

- Challenger samples $k \leftarrow K$  
- Or samples $f \leftarrow \text{Funs}[X,Y]$  
- Adversary queries oracle with $x \in X$  
- Receives either $F(k,x)$ or $f(x)$  
- Must distinguish  

Goal: adversary’s advantage negligible  

## PRP Definition

Defined over $(K,X)$:
$$
E : K \times X \to X
$$

Such that:

1. Efficient deterministic algorithm to evaluate $E(k,x)$  
2. $E(k,\cdot)$ is one-to-one  
3. Efficient inversion algorithm $D(k,y)$ exists  

i.e., a PRF that is an invertible one-to-one mapping from message space to message space  

## Secure PRP

Let $\text{Perms}[X]$ be all permutations on $X$.

Intuition:

A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:
$$
S_E = \{ E(k,\cdot) \mid k \in K \}
$$

Adversarial game:

- Challenger samples $k \leftarrow K$  
- Or $\pi \leftarrow \text{Perms}[X]$  
- Adversary queries $x \in X$  
- Receives either $E(k,x)$ or $\pi(x)$  
- Must distinguish  

Goal: negligible advantage  

## Block cipher constructions

### Feistel network

Given:
$$
f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n
$$

Build invertible function:
$$
F : \{0,1\}^{2n} \to \{0,1\}^{2n}
$$

Let input be split into $(L_0, R_0)$.

Round $i$:
$$
L_i = R_{i-1}
$$
$$
R_i = L_{i-1} \oplus f_i(R_{i-1})
$$

#### Invertibility

$$
R_{i-1} = L_i
$$
$$
L_{i-1} = R_i \oplus f_i(L_i)
$$

Thus Feistel is invertible regardless of whether $f_i$ is invertible.

### Luby–Rackoff Theorem (1985)

If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.

### DES (Data Encryption Standard) — 1976

- 16-round Feistel network  
- 64-bit block size  
- 56-bit key  
- Round functions:
$$
f_i(x) = F(k_i, x)
$$

Round function uses:

- S-box (substitution box) — non-linear  
- P-box (permutation box)  

To invert: use keys in reverse order.

Problem: 56-bit keyspace too small today (brute-force feasible).

### Substitution–Permutation Network (SPN)

Rounds of:

- Substitution (S-box layer)  
- Permutation (P-layer)  
- XOR with round key  

All layers invertible.

### AES (Advanced Encryption Standard) — 2000

- 10 substitution-permutation rounds (128-bit key version)  
- 128-bit block size  

Each round includes:

- ByteSub (1-byte S-box)  
- ShiftRows  
- MixColumns  
- AddRoundKey  

Key sizes:

- 128-bit  
- 192-bit  
- 256-bit  

Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).

## Block cipher modes

### Challenge

Encrypt PTs longer than one block using same key while maintaining security.

### ECB (Electronic Codebook)

Encrypt blocks independently:
$$
c_i = E(k, m_i)
$$

Problem:

If $m_1 = m_2$, then:
$$
c_1 = c_2
$$

Not semantically secure.

#### Formal non-security argument

Two-block challenge:

- Adversary submits:
  - $m_0 = \text{"Hello World"}$  
  - $m_1 = \text{"Hello Hello"}$  
- If $c_1 = c_2$, output 0; else 1  

Advantage = 1  

### CPA model (Chosen Plaintext Attack)

Attacker:

- Sees many PT/CT pairs under same key  
- Can submit arbitrary PTs  

Definition:
$$
\text{Adv}_{CPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$

Must be negligible.

ECB fails CPA security.

### Moral

If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.

## Secure block modes

### Idea

Augment key with:

- Per-block nonce  
- Or chaining data from prior blocks  

### CBC (Cipher Block Chaining)

$$
c_1 = E(k, m_1 \oplus IV)
$$
$$
c_i = E(k, m_i \oplus c_{i-1})
$$

IV must be random/unpredictable.

### CFB (Cipher Feedback)

Uses previous ciphertext as input feedback into block cipher.

### OFB (Output Feedback)

$$
s_i = E(k, s_{i-1})
$$
$$
c_i = m_i \oplus s_i
$$

Can pre-compute keystream.

Acts like stream cipher.

### CTR (Counter Mode)

$$
c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)
$$

Encryption and decryption parallelizable.

Nonce must be unique.

### GCM (Galois Counter Mode)

- Most popular ("AES-GCM")  
- Provides authenticated encryption  
- Confidentiality + integrity  

## Nonce-based semantic security

Encryption:
$$
c = E(k, m, n)
$$

Adversarial experiment:

- Challenger picks $k$  
- Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$  
- Receives $c_i = E(k, m_{i,b}, n_i)$  
- Nonces must be distinct  

Definition:
$$
\text{Adv}_{nCPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$

In practice:

- CBC: IV must be random  
- CTR/GCM: nonce must be unique but not necessarily random  

## Symmetric Encryption Summary

### Stream Ciphers

- Rely on secure PRG  
- No key re-use  
- Fast  
- Low memory  
- Less robust  
- No built-in integrity  

### Block Ciphers

- Rely on secure PRP  
- Allow key re-use across blocks (secure mode required)  
- Provide authenticated encryption in some modes (e.g. GCM)  
- Slower  
- Higher memory  
- More robust  
- Used in most practical secure systems (e.g. TLS)