Crypto Notes - Stanford: Birthday Paradox
Crypto Notes - Stanford: Birthday Paradox
From the introduction, really excited about: homographic encryption (computations on cipher
text!)+ Zero-Knowledge proof (proving someone that I know p and q without revealing
anything else than N)
History
Symmetric ciphers:
Discrete Probability
Not much new material covered => See chapter in DS course for more info.
XOR has the amazing property of always adding entropy, never removing it.
Birthday paradox
when n = 1.2 x U^(1/2) ==> Pr[there exists two similar elements] >= 1/2
Stream ciphers
Information theoretic security
A cipher is defined over a triple ( the key space, message space, cipher space) and does
provide two functions E and D in such a way that D(k, E(k,m)) = m.
Vernam is not useful in practise because if we have a secure channel to send the keys over, we
could use that to send the message, so what’s the point of the cipher, right?
A cipher (E,D) over (K, M, C) has perfect secrecy if for every m_0 and m_1 in M, length of
m_0 is equal to the length of m_1 and for every c in C, Pr[E(k,m_0) = c] = Pr[E(k, m_1)=c].
Perfect secrecy means that there are no cipher text only attack!
If one cipher has perfect secrecy => |K| >= |M|, the key_length >= message_length.
Stream ciphers
Idea: replace random key by pseudorandom key.
In stream ciphers, seed = key and define the following operations. E(k,m) := m XOR G(k)
D(k,c) := c XOR G(k)
PRG
A PRG must be unpredictable for a stream cipher to be secure.
We say G:K -> {0,1}^n is predictable if there exists an efficient algorithm A and there exists
an i: 1<i<n-1 such as Pr[A(G(k))|i,…,i = G(k)|i+1] >= 1/2 + epsilon. (for some non-negligible
epsilon).
In short, a PRG is unpredictable: for all i, there is no efficient algorithm A, that can predict the
i+1 bit following the prefix.
Negligible and non-negligible - In practise, epsilon is a scalar such as the event is not likely to
happen. In theory, non-neg is defined as there exists d: epsilon(polynomial lambda) >=
1/(lambda^d) infinitely often.
TLDR’: The function is negligible if it’s less than all polynomial fractions.
The english language (and ASCII encoding) has enough redundancy to find m_1 and m_2.
Vulnerabilities found in Project Venona (1941-1946), MS-PPTP (Windows NT) and WEB
where the same pad would be used every 16M frames. Even worse, most Wi-Fi cards do reset
their IV back to zero on restart, causing the two time pad to appear way quicker because IC is
concatenated with a long-term identity key.
In disk encryption, issue of the one time pad is malleability. Because OTP does not provide
integrity-checking, cipher text could be altered without the user knowing. If you know the
difference between two strings, you can XOR that difference on the cipher text without
knowing the key and it be changed in the cipher text without you having to know the key.
CSS is a stream-cipher used for encrypting DVDs. It’s badly broken. It was designed to be
implemented on hardware and based on a mechanism called LFSR (linear feedback shift
register), also used for GSM encryption (A5/1,2) and Bluetooth (E0). LFSR-derived stream
ciphers are all badly broken but hard to fix because implemented in hardware.
LFSR is works:
CSS:
The pair (k,r) is never used more than once => You can reuse the key because a nonce make
the key unique.
For the 128 version of Salsa20, we start with 64 bytes defined as in this slide. T_0…3 is
defined in the Salsa20 specification. You perform 10 rounds of an invertible function h and do
add all of the them word by word and you get a 64 byte output.
There are no significant attacks known on Salsa20. Very fast stream cipher in both software
and hardware. In crypto++, RC4 = 126 MB/s and Salsa20=643 MB/s.
PRG Security
The seed space is really small compared to the universe {0,1}^n. A pseudorandom generator
outputs would look indistinguishable from a uniform distribution on {0,1}^n.
If the advantage happen to be close to 1 it means that the generator behaved differently from
the random distribution. This statistical test can distinguish the difference from random. If the
advantage is close to 0, A can not distinguish the generator from random.
We define a secure PRG such as, for all statistical tests A, Adv[A,G] is negligible.
So, can we prove it? No we can’t. ( p != np) but we have heuristic candidates. — If PRG is
predictable => PRG is insecure (can be proved easily by using the advantage definition of a
secure PRG). If next-bit predictors cannot distinguish G from random then no statistical test
can!
For every message m_0, m1 in M: E(k, m_0) is computationally indistinguishable from E(k,
m_1).
A cipher is semantically secure if for all efficient adversary A, Adv[A, cipher] is negligible.
Block Ciphers
A block cipher maps n bits of inputs to n bits of output. Examples :
Block ciphers are typically built by iteration with a round function. It takes as input the round
key and the message.
Block ciphers are considerably slower than stream ciphers. (+/- 6x slower if you compare
Salsa to AES)
Examples:
Secure PRF
Let F: K x {0,1}^n -> {0,1}^n be a secure PRF. Then the following G: K -> {0,1}^{nt} is a
secure PRG: G(k) = F(k,0) || F(k,1) || … || F(k,t) Key property: parallelizable Security from
PRF property: F(k,・) indistinguishable from a random function f(・)
Feistel Network
Given functions f_1, …, f_d: {0,1}^n -> {0,1}^n Goal: build invertible function F:{0,1}^{2n}
-> {0,1}^{2n} A Feistel Network mapping a 2n bit input to 2n bit output: Encryption L_i =
R_{i-1} R_i = L_i XOR f_i (R_{i-1}) Decryption L_i = f_{i+1} (L_{i+1}) XOR R_{i+1}
R_i = L_{i+1}
Feistal networks are a general method for building invertible functions (block ciphers) from
arbitrary functions. And it’s used in many block ciphers but not AES.
The Luby-Rackoff Theorem proves that if I take a secure PRF and let it go through 3 rounds
of a Feistal network, the result is a secure PRP. Formally f: K x {0,1}^n -> {0,1}^n a secure
PRF => 3-round Feistel F: K^3 x {0,1}^{2n} -> {0,1}^{2n} is a secure PRP.
f_1, … , f_1: {0,1}^32 -> {0,1}^32, f_i (x) = F{k_i, x} where k_i is a round key from the key
expansion. For decryption, the algorithm is the same but you use the round keys in reverse-
order. F(k_i, x) is taking a 32-bit value x and a 48-bit round key k_i.
S-boxes
S-boxes are just lookup tables. If S-Boxes were linear (if the S-boxes could be written as a
Matrix vector product), the entire cipher would be linear and quickly broken. If S-Boxes
would be random, it would result in an insecure block cipher (key recovery after 2^24
outputs).
So what are the creators of DES advising to make S boxes lookup tables?
Goal: given a few input/output pairs (m_i, c_i = E(k, m_i)), find key k.
Lemma: Suppose DES is an ideal cipher (2^56 random invertible functions). Then for all m,c
there is at most one key k such that c = DES(k,m).
With two input-output pairs, the probability that the key is unique is very close to one for both
DES and AES. Hence, two input/output pairs are enough for exhaustive key search.
DES is broken
The key-size of 3DES is 3*56 bits = 168 bits but does not provide 168 bits security only 118
bits. -> Meet in the middle attack
For 2DES: exhaustive search is formulated as finding (k_1,k_2) such that E(k_1, E(k_2, M))
= C. A meet-in-the-middle attack is E(k_2, m) = D(k_1,c)
Step 1: Build table of pairs (k0…kN ; E(k0, M)…E(KN, M) Step 2: For all k ∈ {0,1}^56: test
if D(k,C) is in 2nd column. Step 3: If found, then E(k^i, M) = D(k,c) => (k^i, k) = (k_2, k1)
Running time = Time = 2* 2^56 * log 2^56 < 2^63 << 2^112
Method 2: DESX
E: K x {0,1}^n —> {0,1}^n a block cipher. EX((k,1,k2,k3), m) = k_1 XOR E(k_2, m XOR
k_3) key-length = 184 bits. Attack known in 2^120.
Fault attacks
Given many inp/out pairs, can recover key in less than exhaustive search (2^56 for DES)
Pr[m[i_1] XOR … XOR m[i_r] XOR c[j_j] XOR … XOR c[j_v] = k[l_1] XOR … XOR
k[l_u] ] = 1/2 + epsilon
For DES, epsilon = 1/(2^(21)) because the fifth S-Box is too close to a linear function.
Given 1/epsilon^2 random (m, c=DES(k, m) ) pairs then k[l_1, … , l_u] = MAJ [ m[i_1 , … ,
i_r] XOR c[j_j, …,j_v] ] with probability 97.7%.
For DES, with 2^42 inp/out pairs, you can find k[l_i, …, l_u] in time 2^42. Roughly
speaking: you can find 14 = 2 +12(from the 5th S-box) key bits this way in time 2^42.
There are 42 remaining bits in the key. Overall, the total attack time = 2^43 way better than
2^56! Better than exhaustive search.
Lesson: A tiny bit of linearity in S_5 lead to a 2^42 time attack! NEVER DESIGN YOUR
OWN BLOCK CIPHER.
Quantum attacks
If you could build a quantum computer, a generic search problem that would be solved in O(
|X| ), can be solved in O( |X|^(1/2) ) whatever the function is.
Examples:
DES = 2^28
AES-128 = 2^64
AES-256 = 2^128
AES
History
Key sizes = 128, 192, 256 bits. Larger keys: slower but thought to be more secure.
AES is a substitution-permutation network. In a Feistal network, half of the bits are not
changed in every round. In a subs-perm network, all bits are changed on every round.
AES-128 schematic
AES operates on 128 bits, a 4x4 matrix, each cell containing a byte. Then we XOR with the
first round key, apply the round function, x10 and then we get the output. The keys are
coming from the 16 bytes AES key using key expansion.
Byte substitution: one byte S-Box (256 byte table). We take the current cell as an
index into the lookup table, and the value is the output.
Shift row step: We shift the second row from 1 position, third row by 2 positions and
last row by 3 positions.
Mix column: We apply a linear transformation to each of the communes
independently.
If you want to send an implementation over a network. Don’t send precomputed table but
algorithm to compute it. And then compute them upon receival.
Attacks on AES
Best key recovery attack: four times better than exhaustive search. 128key => 126 key.
Related key attack on AES-256: If related keys => 2^99 security! Importance to choose keys
at random.
Let’s start with a PRG G such that G:K -> K^2 be a secure PRG.
If G is a secure PRG, then F is a secure PRF on {0,1}^n => Not used in expanded mode due
to performance reasons.
Thanks to the Luby-Rackoff theorem, we know that we can thus make a secure PRP with a 3-
round Feistal network.
PRF -> function, X -> Y, doesn’t have to be the same. PRP -> One to one revertible function.
Domain X=Y. Key concept to build a block cipher.
Lemma: Let E be a PRP over (K,X) then for any q-query adversary A: |Adv_{PRF} [A,E] -
Adv_{PRF} [A,E] | < q^2 / 2|X| When X is large, the ratio will be negligible.
Reminder: semantic security for a one-time key. The attacker, if given c_0 and c_1 and m_0
and m_1 can’t know which one is the result of what message. Adv_{SS} [A, OTP] = | Pr[
EXP(0)=1 ] - Pr[ EXP(1) = 1 ] |
When we use a key more than once, the adversary sees many cipher texts with the same key.
Adversary power: chosen-plaintext attack, the attacker can obtain the encryption of arbitrary
messages of his choice (How does it work IRL? You can email someone, email will be stored
encrypted on disk and boom you have m and c).
Semantic-security for many-time key is defined exactly as semantic security for a one-time
key but he can repeat any of the messages in the challenge that the attacker can choose. ==>
Chosen Plaintext attack.
All the deterministic encryption schemes we’ve seen before are broken under CPA.
1. Randomized encryption: encrypting same message twice gives different cipher text.
Ciphertext must be longer than plaintext. size(CT) = size (PT) + “#random bits”
2. Nonce-based encryption. We define a nonce as a value that changes from message to
message. The pair (k, n) should NEVER be used more than once. The nonce can
conveniently be a counter (if in-order and reliable transmission channel, no need to
transmit nonce). If same key used by multiple machines, the nonce space needs to be
very big and picked at random (easier to implement a “stateless” protocol)
Modes of operation
Goal: Build a secure encryption from a secure PRP
ECB is badly broken. It works by breaking down the message into n blocks of size of the
block cipher and then encrypt each of the parts individually. Issue, the attacker learns when a
two segments have the same value. (if m_1 = m_2 -> c_1 = c_2)
ECB is not semantically secure.
Deterministic counter mode from a PRF F (eg. AES) - One time key
IV-based encryption
When we start encrypting the first block, we pick a random IV (initialization vector of length
one bloc). We XOR the first message with it before encrypting. IV is publicly known and
prepended to the cipher text. Chaining is done by for the next block XORing the cipher text of
the first block with the new message and then encrypting.
Adv_CPA [A , E_{CBC} ] =< 2 * Adv_PRP [B, E] + (2 q^2 L^2 / |X| = error term, needs to
be negligible)
CBC is secure as long as q^2L^2 << |X| where L is the length of the messages and q is
the number of times we used q to encrypt messages.
Applied to AES, this means that after 2^48 blocks, we need to replace the key.
Nonce-based encryption
Cipher-block chaining with unique nonce. (no need to include in first cipher text)
In TLS, you pad the n remaining bytes with the number n. If no pad is needed, add a dummy
block.
Unlike CBC, randomised counter-mode doesn’t need a secure block cipher (PRP) but works
with a secure PRF because we’re never going to invert the function F.
We pick a random IV, then we XOR the messages blocks with F(k,IV + message block
number)
Nonce based counter mode: IV = [ 64-bit nonce | 64-bit counter (starts at 0 for every
message)]
Note that we can encrypt a maximum of 2^64 blocks per nonce because otherwise the counter
overflows and the pad would be used a second time.
We can use counter-mode for more blocks than CBC because the adversary’s advantage is
2q^2L / |X| < CBC’s advantage.
For AES, we can encrypt 2^64 AES blocks with the same key with semantic secrecy.
Advantage: It’s parallelizable! Fast encryption! And is so much better than CBC.
Message Integrity
Message Authentication Codes (MAC)
A MAC is defined as (S,V) and defined over (K, M, T) is a pair of algorithms:
Consistency requirement: for every message and for every key: V(k, m, S(k,m)) = yes
Integrity requires a shared key between Alice and Bob. Algorithms like CRC do detect
random errors but not malicious errors!
Secure MACs
produce some new valid message/tag pair (m,t): (m,t) different than any pair that is
given to him.
Definition: I=(S,V) is a secure MAC if for all “efficient” A: Adv_{MAC} [A, I] = Pr[Chal.
outputs 1] is negligible.
A secure PRF => Secure MAC if the output space of the PRF is big enough. In practice, 80-
bits is good security for a PRF.
We can use AES for 16-byte messages but how can we convert a MAC for small inputs and
scale them for bigger inputs. The output of a n bit PRF can be truncated.
(encrypted) CBC-MAC
Let F:K x X -> X be a PRP, define a new PRF F_ECBC:K^2 x X^{=< L} -> X
NMAC
Let F:K x X -> K be a PRF, define a new PRF F_NMAC : K^2 x X^{=<L} -> K.
MAC padding
Errors in padding can have disastrous consequences, just imagine if someone can forge a
banking transaction with an additional 0!
So, how do we pad? Padding must be reversible (1 to 1) to make sure it’s unique. We pad
with “100…0”. Add a new dummy block if the message size is already a multiple of the block
size.
CMAC
Variant of CBC-MAC where no additional encryption step is necessary and no need to add a
dummy block. CMAC uses key = (k, k_1, k_2) where k_1 and k_2 are derived from K.
PMAC - Parallel MAC
All the PRFs seen so far for MACs are sequential. PMAC is parallel and incremental (if one
block changes, no need to recompute everything).
One-time MAC
Many-time MAC
Collision Resistance
Let H:M -> T be a hash function (|M| >> |T|)
A collision for H is a pair m_0, m_1 in M such that: H(m_0) = H(m_1) and m0 != m1
A function H is collision resistant if for all efficient algorithms A: Adv_CR [A,H] = PR[A
outputs collision for H] is negligible.
If we have a collision-resistant function, we can build MACs for bigger messages from secure
MACs that work on smaller messages.
If we have a public read-only space and no key, we can use a collision resistant hash function
to verify integrity of a package.
Birthday attack
Using the birthday paradox, we can predict collisions with probability: when n = 1.2 *
B^{1/2} then Pr[collision] => 1/2 with n, number of items in attack set and B, number of
items in universe.
Using Hash-functions
Compression functions
SHA-256
Authenticated Encryption
Confidentiality (CPA secure ciphers) without integrity cannot guarantee secrecy under
active attacks.
If message needs integrity but no confidentiality -> MAC. If message needs both integrity and
confidentiality, use authenticated encryption modes.
Example of attack: Altering destination port of IP packet even if CPA secure cipher is
possible by changing IV (if in CBC mode for instance).
—
Authenticated encryption was introduced in 2000 but before then, many crypto libraries
supported CPA-secure encryption and MAC. Every developer had to find his own way of
combining both to provide AE.
Definition
The system must provide both semantic security under a CPA attack and cipher text integrity
(attacker cannot create new cipher texts that decrypt properly).
Implications
Authenticity: Attacker cannot fool Bob into thinking a message was sent from Alice.
(doesn’t protect against replay/side channels attacks though)
Security against chosen cipher text attack
Let (E,D) be a cipher that provides authenticated encryption, then (E,D) is CCA secure.
Encrypt-then-Mac vs MAC-then-Encrypt
Three approaches:
MAC-then-Encypt (SSL): May be insecure against CCA attacks. If you’re using rand-
CTR mode or rand-CBC, you have authenticated encryption. And for rand-ctr mode,
one time MAC is sufficient.
Encrypt-then-Mac (IPSec): This is the favorite method. Because encryption provides
confidentiality on the message and then the MAC algorithm provides the signing.
Always correct.
Encrypt and MAC (SSH) : This means that MACs (of the message) are concatenated
with the cipher text. This is an issue if the MACing algorithm reveals information
about the plaintext. (MAC algorithms are not designed for confidentiality, only
integrity). No issues with the specifics of SSL though but should really not be used.
Standards
All these modes are AEAD (auth enc. with associated data, partial encryption but fully
authenticated) and nonce-based.
GCM (Galois counter mode - NIST): CTR mode encryption then CW-MAC.
Recommended way to provide authenticated encryption if code size is not an issue
(non-embedded systems).
CCM (CBC counter mode - NIST): CBC-MAC then CTR mode encryption (used for
802.11)
EAX : CTR mode encryption then CMAC.
New constructions
After authenticated encryption got formalised. People started thinking about newer
constructions that would provide AE without combining an encryption mode and a MAC
algorithm.
OCB is an example of that. OCB is parallelizable. Sadly, OCB is not used because of patents
:(
Encrypt-then-MAC would completely avoid issues of MAC verifications in TLS because the
MAC is checked first and ciphertext discarded if invalid. MAC-then CBC provides AE but
padding oracle destroys it.
The attacker can “stream” the bits of the ciphertext and then see when the MAC is verified
because it’s probably going to be false and hence learn the first LSB of a message.