Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
571efa1bad06555e64b82919fa7c99d9d6c22a3d
NoteNextra-origin/content/CSE4303/CSE4303_L8.md
Trance-0 0e28ba6261 update
2026-02-12 11:56:24 -06:00

321 lines
5.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# CSE4303 Introduction to Computer Security (Lecture 8)
## Block ciphers
1. Operate on PT one block at a time
2. Use same key for multiple blocks (with caveats)
3. Chaining modes intertwine successive blocks of CT (or not)
## Security abstraction
View cipher as a Pseudo-Random Permutation (PRP)
### Background: Pseudo-Random Function (PRF)
Defined over $(K,X,Y)$:
$$
F : K \times X \to Y
$$
Such that there exists an efficient algorithm to evaluate $F(k,x)$.
Let:
- $\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$
- $S_F = \{ F(k,\cdot) \mid k \in K \}$
Intuition:
A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$.
Adversarial game:
- Challenger samples $k \leftarrow K$
- Or samples $f \leftarrow \text{Funs}[X,Y]$
- Adversary queries oracle with $x \in X$
- Receives either $F(k,x)$ or $f(x)$
- Must distinguish
Goal: adversarys advantage negligible
## PRP Definition
Defined over $(K,X)$:
$$
E : K \times X \to X
$$
Such that:
1. Efficient deterministic algorithm to evaluate $E(k,x)$
2. $E(k,\cdot)$ is one-to-one
3. Efficient inversion algorithm $D(k,y)$ exists
i.e., a PRF that is an invertible one-to-one mapping from message space to message space
## Secure PRP
Let $\text{Perms}[X]$ be all permutations on $X$.
Intuition:
A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:
$$
S_E = \{ E(k,\cdot) \mid k \in K \}
$$
Adversarial game:
- Challenger samples $k \leftarrow K$
- Or $\pi \leftarrow \text{Perms}[X]$
- Adversary queries $x \in X$
- Receives either $E(k,x)$ or $\pi(x)$
- Must distinguish
Goal: negligible advantage
## Block cipher constructions
### Feistel network
Given:
$$
f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n
$$
Build invertible function:
$$
F : \{0,1\}^{2n} \to \{0,1\}^{2n}
$$
Let input be split into $(L_0, R_0)$.
Round $i$:
$$
L_i = R_{i-1}
$$
$$
R_i = L_{i-1} \oplus f_i(R_{i-1})
$$
#### Invertibility
$$
R_{i-1} = L_i
$$
$$
L_{i-1} = R_i \oplus f_i(L_i)
$$
Thus Feistel is invertible regardless of whether $f_i$ is invertible.
### LubyRackoff Theorem (1985)
If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.
### DES (Data Encryption Standard) — 1976
- 16-round Feistel network
- 64-bit block size
- 56-bit key
- Round functions:
$$
f_i(x) = F(k_i, x)
$$
Round function uses:
- S-box (substitution box) — non-linear
- P-box (permutation box)
To invert: use keys in reverse order.
Problem: 56-bit keyspace too small today (brute-force feasible).
### SubstitutionPermutation Network (SPN)
Rounds of:
- Substitution (S-box layer)
- Permutation (P-layer)
- XOR with round key
All layers invertible.
### AES (Advanced Encryption Standard) — 2000
- 10 substitution-permutation rounds (128-bit key version)
- 128-bit block size
Each round includes:
- ByteSub (1-byte S-box)
- ShiftRows
- MixColumns
- AddRoundKey
Key sizes:
- 128-bit
- 192-bit
- 256-bit
Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).
## Block cipher modes
### Challenge
Encrypt PTs longer than one block using same key while maintaining security.
### ECB (Electronic Codebook)
Encrypt blocks independently:
$$
c_i = E(k, m_i)
$$
Problem:
If $m_1 = m_2$, then:
$$
c_1 = c_2
$$
Not semantically secure.
#### Formal non-security argument
Two-block challenge:
- Adversary submits:
- $m_0 = \text{"Hello World"}$
- $m_1 = \text{"Hello Hello"}$
- If $c_1 = c_2$, output 0; else 1
Advantage = 1
### CPA model (Chosen Plaintext Attack)
Attacker:
- Sees many PT/CT pairs under same key
- Can submit arbitrary PTs
Definition:
$$
\text{Adv}_{CPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$
Must be negligible.
ECB fails CPA security.
### Moral
If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.
## Secure block modes
### Idea
Augment key with:
- Per-block nonce
- Or chaining data from prior blocks
### CBC (Cipher Block Chaining)
$$
c_1 = E(k, m_1 \oplus IV)
$$
$$
c_i = E(k, m_i \oplus c_{i-1})
$$
IV must be random/unpredictable.
### CFB (Cipher Feedback)
Uses previous ciphertext as input feedback into block cipher.
### OFB (Output Feedback)
$$
s_i = E(k, s_{i-1})
$$
$$
c_i = m_i \oplus s_i
$$
Can pre-compute keystream.
Acts like stream cipher.
### CTR (Counter Mode)
$$
c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)
$$
Encryption and decryption parallelizable.
Nonce must be unique.
### GCM (Galois Counter Mode)
- Most popular ("AES-GCM")
- Provides authenticated encryption
- Confidentiality + integrity
## Nonce-based semantic security
Encryption:
$$
c = E(k, m, n)
$$
Adversarial experiment:
- Challenger picks $k$
- Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$
- Receives $c_i = E(k, m_{i,b}, n_i)$
- Nonces must be distinct
Definition:
$$
\text{Adv}_{nCPA}[A,E] =
\left|
\Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1]
\right|
$$
In practice:
- CBC: IV must be random
- CTR/GCM: nonce must be unique but not necessarily random
## Symmetric Encryption Summary
### Stream Ciphers
- Rely on secure PRG
- No key re-use
- Fast
- Low memory
- Less robust
- No built-in integrity
### Block Ciphers
- Rely on secure PRP
- Allow key re-use across blocks (secure mode required)
- Provide authenticated encryption in some modes (e.g. GCM)
- Slower
- Higher memory
- More robust
- Used in most practical secure systems (e.g. TLS)
Reference in New Issue View Git Blame Copy Permalink