Scribd
Upload
119 views

Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

The document discusses the Berlekamp-Massey algorithm which can find the shortest linear feedback shift register for a given binary output sequence. It also outlines extending the Euclidean algorithm to compute multiplicative inverses which are important for public key systems like RSA. Examples are provided on using the Berlekamp-Massey algorithm and extended Euclidean algorithm to analyze sequences and compute keys for RSA encryption.

Uploaded by

王皓平
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
119 views

Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

The document discusses the Berlekamp-Massey algorithm which can find the shortest linear feedback shift register for a given binary output sequence. It also outlines extending the Euclidean algorithm to compute multiplicative inverses which are important for public key systems like RSA. Examples are provided on using the Berlekamp-Massey algorithm and extended Euclidean algorithm to analyze sequences and compute keys for RSA encryption.

Uploaded by

王皓平
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 218

Cryptography Engineering

CSIC30040 Spring 2023 Lecture 6


Berlekamp-Massey Algorithm
Semantic Security
From Stream Cipher to Block Ciphers

Jerry J. R. Shieh, PhD March 30 2023 Week 6

Dan Boneh
Outline
• Our final projects
• The second critique
• The hints to work out quiz 5
• Non-Semantic Security Example and its attack
• Block Cipher

Dan Boneh
Write a critique on one of the following
papers:
• Adrian, David, et al. “Imperfect forward secrecy: How Diffie-Hellman fails
in practice.” Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security. ACM, 2015.
• Text-only, about 1500+ words with lab will be plus.
• 1 to 5 persons
• Submit your Critigue by May 4, 2023 11:59 pm.

https://blog.gslin.org/archives/tag/hellman/
https://rishabhjainnsit.wordpress.com/2018/11/01/paper-review-imperfect-forward-secrecy-how-
diffie-hellman-fails-in-practice/
Grading components
Critique should contain the following:
1.Summary – answering these four questions in your own words:
What problem is the paper trying to solve?
Why does the problem matter?
What is the approach used to solve the problem?
What is the conclusion drawn from this work?
2. Strength(s) of the paper
3. Weakness(es) of the paper
4. Your own reflection, which can include but not limited to:
What did you learn from this paper?
How would you improve or extend the work if you were the author?
What are the unsolved questions that you want to investigate?
What are the broader impacts of this proposed technology?
5. Realization of a technical specification or algorithm as a program extra credit.
Cryptography is a very active research area that enabled many research domains (image
processing, big data, and also cloud computing) to design a feasible system.
We also focus on a wide range of research areas in cryptography because it plays an
important role in information security.
• A basic Password manager like 1Passwoed
https://crypto.stanford.edu/~dabo/cs255/ Stanford Winter 2023 with start code
• Message chat client like Line, Whatapp
https://crypto.stanford.edu/~dabo/cs255/ Stanford Winter 2023 with start code
• Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse
• How Can ChatGPT Help Crypto Adoption for example break AES ECB mode
https://github.com/topics/ecb?l=python
• Honey Encryption
https://github.com/danielzuot/honeyencryption
• Fully Homographic Encryptions
https://github.com/google/fully-homomorphic-encryption
• Algorithmic Personality Detection
https://github.com/Hardik3296/Personality-Detection-Decision-Tree
• Post Quantum Cryptography for the Internet
https://github.com/topics/ntruencrypt
• DNA cryptography
• Functional Encryption
https://www.youtube.com/watch?v=nY6INhmvuQE

• ZIP/RAR password cracker


https://github.com/The404Hacking/ZIP-Password-BruteForcerhttps

://github.com/SHUR1K-N/RARNinja-RAR-Password-Cracking-Utility

• Secure Voting may with block chain


https://github.com/microsoft/electionguard

• Using NIST SP 800-22 and NIST SP 800-90 to compare AES-256 GSM, ChaCha20-Poly1305, NIST Light Weight Encryption and NSA Simon,
Speck Cipher.
• https://github.com/inmcm/Simon_Speck_Ciphers

• A Merkle Tree used for sets of data, often one-time signatures or keys
https://github.com/piotrmurach/merkle_tree

• Low Bit Rate Advanced Secure Communication


• NIST Low Energy Light Weight Encryption for IoT
https://csrc.nist.gov/Projects/lightweight-cryptography
Why we need prime numbers at Crypto Engineering

• It’s the numbers that have factors (other than 1 and


themselves) but are very difficult to factor. You get such
numbers by multiplying together two very large primes.
• Numbers that are equally large but have more smaller factors
are very much easier to factor, and hence are unsuitable for
cryptography purposes
• for practical purposes, the difficulty of factoring a number
varies with the size of its smallest prime factor, regardless of
how big the number is, and so your prime factors need to be
as large as possible.
Dan Boneh
The Hint of Quiz 5
Problem 1

The Berlekamp–Massey algorithm is an algorithm that will find the shortest linear feedback shift
register (LFSR) for a given binary output sequence.
The algorithm will also find the minimal polynomial of a linearly recurrent sequence in an arbitrary
field.
1. Please white a program based on Berlekamp–Massey algorithm to find the shortest linear feedback
shift register (LFSR) for the given sequence down below.

• 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0,
0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0,
0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1,
0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1

You may refer http://bma.bozhu.me/


Problem 2

2. Find the sequence generation rule of 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233, 377, 610……….
3. Extra credit
Use Berlekamp–Massey algorithm to find out the sequence rule of 0, 1, 1, 2, 3, 5, 8, 13, 21, 34

HINT 0,1,1,2,3,5,8,13,21,34...
𝑠 𝑥 = 𝑥 8 + 𝑥 7 + 2𝑥 6 + 3𝑥 5 + 5𝑥 4 + 8𝑥 3 + 13𝑥 2 + 21𝑥 + 34
𝑟 𝑥 = 𝑥9
欲求次數小的c(x) 使得 f(x)r(x) + c(x)s(x) = b(x),deg b < deg c
A B
列表
算式 f(x) c(x) b(x)
(1) 1 0 𝑥9
(2) 0 1 𝑥 8 + 𝑥 7 + 2𝑥 6 + 3𝑥 5 + 5𝑥 4 + 8𝑥 3 + 13𝑥 2 + 21𝑥 + 34

Dan Boneh
RECAP

Dan Boneh
Extend Euclidean Algorithm

• Public Key Generation:


– To compute the multiplicative inverse
• The public and private key pair at public key system
• The AES s-box maps an 8-bit input, c, to an 8-bit output, s = S(c).
• The input is mapped to its multiplicative inverse in GF(28) = GF(2)
[x]/(x8 + x4 + x3 + x + 1)
• Berlekamp-Massey Algorithm:
– Find the shortest linear-feedback shift register (LFSR) for a given binary
output sequence.
– Find the minimal polynomial of a linearly recurrent sequence in an
arbitrary field.
Dan Boneh
GCD(56,16) Euclidean Algorithm

Bezout’s theorem
Bézout's identity — Let a and b be integers with greatest common divisor d. Then there exist
integers x and y such that ax + by = d. More generally, the integers of the form ax + by are
exactly the multiples of d.
Ax + By = d

56x+15y=gcd(56,15) Extended

Dan Boneh
An asymmetric ciphers (RSA)
Example
Choose p = 3 and q = 11 (secret)
Compute n = p * q = 3 * 11 = 33
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Choose e such that 1 < e < φ(n) and e and n are coprime.
Let e = 7 RSA Key generation:
Compute a value for d such that (d * e) mod φ(n) = 1. How is multiplicative
inverse computed, i.e.
One solution is d = 3 [(3 * 7) mod 20 = 1] the private key?
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
The encryption of m = 2 is c = 27 mod 33 = 29
The decryption of c = 29 is m = 293 mod 33 =2

2023/3/29 14
Dan Boneh
Proof for the RSA Algorithm
• Cd ≡ (Me)d ≡ Med ≡ M1+kφ(n) ≡M1 Mkφ(n) (mod n)
• ≡M1 Mφ(n) k (mod n)

• By Euler’s theorem Mφ(n) (mod n)=1


• ed≡1 (mod φ (n)) ed=1+kφ(n)
15∙15 ≡ 225 ≡ 1 mod 56 15∙15=1+4∙56 Since 4X56=224

2023/3/29 15
Dan Boneh
INPUT 𝒂−𝟏 as input to Build S-BOX
𝒂−𝟏 b A 𝒂−𝟏 F
𝑎 From 01’s inverse to FF inverse
𝒂
1
00000000
1 𝑥4 + 𝑥3 + 𝑥 + 1
00000001 0001 1011
00000010 0
1 B
00000011 0
1
00011011 11001100 1 𝒂−𝟏
.1 B C C 0 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
. 0 1100 1100
. C C
. Inverse
11111111 𝐴𝑎−1 + 𝐹 = 𝑏 Input
𝐴𝑎−1 = 𝑏 + 𝐹
𝒐𝒗𝒆𝒓 (𝒙𝟖 + 𝒙𝟒 + 𝒙𝟑 + 𝒙 + 𝟏)

Dan Boneh
Dan Boneh
−1
How can we find 𝑎 Inverse 𝑎
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)

𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1

𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse

Dan Boneh
Extended Euclidean algorithm
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)

𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1

X Y
𝑥7 + 𝑥6 + 𝑥3 + 𝑥2

𝑎−1 1100
C
1100
C
Inverse

Dan Boneh
Polynomial Extended Euclidean Algorithm
多項式擴展歐幾里得算法

被除數 = (除數 ✕ 商數) + 餘數



餘數 = 被除數 − (除數 ✕ 商數)

被除式 = (除式 ✕ 商式) + 餘式



餘式 = 被除式 − (除式 ✕ 商式)

Remainder = Dividend – (Divisor x Quotient)

Dan Boneh
Euclidean Algorithm Extend Euclidean Algorithm Build Solution
Rewrite 56s+15t=GCD(56,15)
GCD(56,15) 56x+15y=gcd(56,15)
56(1)-15(3)=(11) 4 56s+15t=1
56=15(3)+(11)
15-11(1)=(4)
15=11(1)+(4) 3
4-3(1)=1
11-4(2)=(3)2
11= 4(2)+(3) 4-(3)=1
4-3(1)=(1) 1
4-(11-4(2))=1
4=3(1)+(1)
3=1(3)+(0) 4-11+(2)4=1
Big rule: 3(4)-11=1
Treat underlined 3(15-11)-11=1
GCD(56,15)=1 3∙15-3(11)-11=1
Number like
variable 3∙15-4(11)=1
4=3(1)+1 3∙15-4(56-(3)15)=1
-3(1) -3(1) x=-4 3∙15-4∙56+12∙15=1
2𝑥 + 𝑥 = 3𝑥
4-3(1)=(1) y=15 (-4)56+15∙15=1
2(11)+(11)=3(11) 15∙15=1+4∙56
Since 4X56=224 15∙15 ≡ 225 ≡ 1 modDan56Boneh
AX+BY=GCD(A,B)

商 (Quotient) A B GCD
5 13
0 1 y 13 被除數
x

1 x 0 y 5 除數

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數

餘數 = 被除數 − (除數 ✕ 商數)


被除數 = (除數 ✕ 商數) + 餘數

餘數 = 被除數 − (除數 ✕ 商數)

Dan Boneh
AX+BY=GCD(A,B)

商 (Quotient) A B GCD
5 13
0 x 1 y 13 被除數

1 x 0 y 5 除數 (被除數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

被除數 = (除數 ✕ 商數) + 餘數


餘數 = 被除數 − (除數 ✕ 商數) ቊ
餘數 = 被除數 − (除數 ✕ 商數)

Dan Boneh
AX+BY=GCD(A,B)

商 (Quotient) A B GCD
5 13
0 x 1 y 13 被除數

1 x 0 y 5 除數 (被除數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)


<被除數>

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)


<除數>
1 -5 = -2 – 1x3 2 = 1 – 1x(-1) 1=3-2X1 <餘數>

被除數 = (除數 ✕ 商數) + 餘數


餘數 = 被除數 − (除數 ✕ 商數) ቊ
餘數 = 被除數 − (除數 ✕ 商數)

Dan Boneh
AX+BY=GCD(A,B)

商 (Quotient) A B GCD
5 13
0 x 1 y 13 被除數

1 x 0 y 5 除數 (被除數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)


<被除數>

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)


<除數>
1 x -5 = -2 – 1x3 y 2 = 1 – 1x(-1) GCD 1=3-2X1 <餘數>

5x(-5) + 13x(2) = 1
5-1 mod 13 = -5 = 8
餘數 = 被除數 − (除數 ✕ 商數) mod 13 5 inverse 8
13-1 mod 5 =2
mod 5 13 inverse 2 Dan Boneh
AX+BY=GCD(A,B)

商 (Quotient) A B GCD
5 13
0 1 13 被除數
1 0 5 除數 (被除數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)


餘數 = 被除數 − (除數 ✕ 商數) <被除數>
1 3 = 1 – 1x(-2) -1 = 0 - 1x1 2=5-3X1 (餘數)
<除數>

1 -5 = -2 – 1x3 2 = 1 – 1x(-1) 1=3-2X1 <餘數>

餘數 = 被除數 − (除數 ✕ 商數)

AX+BY=GCD(A,B)=1
5x(-5) + 13x(2) = 1 5∙(13−5) = 40 = 1+3 X13 ≡1 mod 13

5-1 mod 13 = -5 = 8 mod 13 5 inverse 8


mod 5 13 inverse 2
13-1 mod 5 =2

Dan Boneh
−1
How can we find 𝑎 Inverse 𝑎
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)

𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1

𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse

Dan Boneh
Extended Euclidean algorithm
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)

𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1

𝑥7 + 𝑥6 + 𝑥3 + 𝑥2

𝑎−1 1100
C
1100
C
Inverse

Dan Boneh
𝑥4 + 𝑥3 + 𝑥 + 1
餘數 = 被除數 − (除數 ✕ 商數) 0001 1011
1 B
商 (Quotient) A(x) B(x) GCD
𝒙𝟖 + 𝒙𝟒 + 𝒙𝟑 + 𝒙 + 𝟏 𝑥4 + 𝑥3 + 𝑥 + 1
1 0 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 被除式

0 1 𝑥4 + 𝑥3 + 𝑥 + 1 除式
(被除式)

𝑥4 + 𝑥3 + 𝑥2 + 1 1 = 1 - 0(𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 2 =𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1 餘式
= 0 – 1× (𝑥 4 + 𝑥 3 + 𝑥 2 + 1) -(𝑥 4 + 𝑥 3 + 𝑥 + 1) (𝑥 4 + (除式)
1) <被除式
𝑥 3 + 𝑥 2 + 1)
>
𝑥2 + 𝑥 𝑥 2 + 𝑥 = 0 – 1× (𝑥 2 + 𝑥) 𝑥6 + 𝑥3 + 𝑥2 + 𝑥 + 1 𝑥 + 1 = 𝑥 4 + 𝑥 3 + 𝑥 + 1- (餘式)
(𝑥 2 )(𝑥 2 + 𝑥) <除式>
= 1 − (𝑥 4 + 𝑥 3 + 𝑥 2 + 1)(𝑥 2
+ 𝑥)
𝑥+1 𝑥3 + 𝑥 + 1 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2 1 <餘式>
= 1 − (𝑥 2 + 𝑥)(𝑥 + 1) = 𝑥 + 𝑥3 + 𝑥2 + 1
4
𝑥 + 𝑥6 + 𝑥3 + 𝑥2
7
− 𝑥 6 + 𝑥 3 + 𝑥 2 + 𝑥 + 1 (𝑥 + 1)
1100 1100
X Y C C
inverse Dan Boneh
餘數 = 被除數 − (除數 ✕ 商數)

商 (Quotient) A(x) B(x) GCD


𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 𝑥4 + 𝑥3 + 𝑥 + 1
1 0 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 被除式

0 1 𝑥4 + 𝑥3 + 𝑥 + 1 除式
(被除式)

𝑥4 + 𝑥3 + 𝑥2 + 1 1 = 1 - 0(𝑥 4 + 𝑥 3 + 𝑥 2 + 1) 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 2 =𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1 餘式
= 0 – 1× (𝑥 4 + 𝑥 3 + 𝑥 2 + 1) -(𝑥 4 + 𝑥 3 + 𝑥 + 1) (𝑥 4 + (除式)
𝑥 3 + 𝑥 2 + 1) <被除式
>
𝑥2 + 𝑥 𝑥 2 + 𝑥 = 0 – 1× (𝑥 2 + 𝑥) 𝑥6 + 𝑥3 + 𝑥2 + 𝑥 + 1 𝑥 + 1 = 𝑥 4 + 𝑥 3 + 𝑥 + 1- (餘式)
(𝑥 2 )(𝑥 2 + 𝑥) <除式>
= 1 − (𝑥 4 + 𝑥 3 + 𝑥 2 + 1)(𝑥 2
+ 𝑥)
𝑥+1 1 − (𝑥 2 + 𝑥)(𝑥 + 1) 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2 1 <餘式>
= 𝑥3 + 𝑥 + 1 = 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 + 𝑥6 + 𝑥3 + 𝑥2
7
− 𝑥 6 + 𝑥 3 + 𝑥 2 + 𝑥 + 1 (𝑥 + 1)
1100 1100
C C
inverse Dan Boneh
Berlekamp Massey Algorithm
Berlekamp-Massey Algorithm
• Given (part of) a (periodic) sequence, can find shortest LFSR
that could generate the sequence
• Then connection polynomial of s is of form
C(x) = cLxL + … + c2x2 + c1x + c0
• Berlekamp-Massey finds L and C(x)
• Berlekamp-Massey algorithm
– Order N2, where N is length of LFSR
– Iterative algorithm
– Only 2N consecutive bits required 32
Dan Boneh
Berlekamp-Massey Algorithm

33
Dan Boneh
Berlekamp-Massey Algorithm (Modified)
• Given binary sequences s=(s0, s1, s2, ……, sN-1)
• for example: 10110001
• We assume 10110001 are generated from a huge LFSR s(x)= x7 + x5 + x4 +1
• Since LFSR s(x) = x7 + x5 + x4 +1 guarantee generate 10110001

x7 x5 x4 1
1 0 1 1 0 0 0 1
1 0 1 1 0 0 0 1 X X

34
Dan Boneh
Berlekamp-Massey Algorithm (Modified)
• Given binary sequences s=(s0, s1, s2, ……, sN-1)
• for example: 10110001
• We assume 10110001 are generated from a huge LFSR s(x)= x7 + x5 + x4 +1
• Since LFSR s(x) = x7 + x5 + x4 +1 guarantee generate 10110001
• s(x)c(x) mod x8
• Why mod x8 ? Since we assume the max stage is 8
• s(x)c(x) mod x8 c(x)=1
• Since s(x) and x8 are coprime c(x)=s(x)-1 mod x8 ?
• Extended Euclidean Algorithm
• aX+bY=gcd(a,b)
• s(x)X+r(x)Y=gcd(s(x),r(x)) where s(x)= x7 + x5 + x4 +1, r(x)= x8

35
Dan Boneh
找到一個除式產生以上那麼多的位元串24 -1!

𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8≡ 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 x7 x5 x4 1
1 0 1 1 0 0 0 1
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
(1) 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 0 ∙ 𝑥 8 + 𝑥 7 + 𝑥 5 + 𝑥 4 + 1

𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
AX + BY

AX+BY=GCD(A,B)
AX+BY=GCD(A,B)
s 𝑥 𝑑 𝑥
Our goal GCD approach

𝐶 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥
Syndrome
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥

A(x) 1 0 𝑥8

B(x) 0 1 𝑥 7 + 𝑥 5 +𝑥 4 + 1

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑤𝑖𝑙𝑙 𝑡ℎ𝑒 𝑟𝑒𝑚𝑖𝑛𝑑𝑒𝑟 𝑤ℎ𝑒𝑛 𝑑𝑖𝑣𝑖𝑒 𝑏𝑦 𝑥 8

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
(1) 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 0 ∙ 𝑥 8 + 𝑥 7 + 𝑥 5 + 𝑥 4 + 1

𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
AX + BY AX+BY=GCD(A,B)
被除式 = (除式 ✕ 商式) + 餘式
餘式 = 被除式 − (除式 ✕ 商式)

商 (Quotient) A(x) B(x) GCD


𝑥8 𝑥 7 + 𝑥 5 +𝑥 4 + 1

1 0 𝑥8 被除式

0 1 𝑥 7 + 𝑥 5 +𝑥 4 + 1 除式
(被除式)

𝑥 1 = 1 − 0 (𝑥) 𝑥 = 0 − 1 (𝑥) 𝑥 6 + 𝑥 5 + 𝑥= 餘式
𝑥 8 -(𝑥 7 + 𝑥 5 +𝑥 4 + 1) (𝑥) (除式)
<被除式
>

𝑥 𝑥 = 0 − 1(𝑥) 𝑥 2 + 1 = 1 − 𝑥(𝑥) 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1 = (餘式)


(𝑥 7 + 𝑥 5 + 𝑥 4 + 1) − <除式>
(𝑥 6 + 𝑥 5 + 𝑥 )(𝑥)

1 𝑥 + 1 = 1 − 𝑥 (1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥4+ 𝑥2 + 𝑥 + 1 = <餘式>


(𝑥 6 +𝑥 5 + 𝑥) − (𝑥 6 + 𝑥 5
+ 𝑥 4 + 𝑥 2 + 1)(1)

Dan Boneh
被除式 = (除式 ✕ 商式) + 餘式
餘式 = 被除式 − (除式 ✕ 商式)

商 (Quotient) A(x) B(x) GCD


𝑥 𝑥 = 0 − 1(𝑥) 𝑥 2 + 1 = 1 − 𝑥(𝑥) 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1
= (𝑥 7 + 𝑥 5 + 𝑥 4 + 1)
− (𝑥 6 + 𝑥 5 + 𝑥)(𝑥)

1 𝑥 + 1 = 1 − 𝑥(1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥 4 + 𝑥 2 + 𝑥 + 1=(𝑥 6 +𝑥 5 + 被除式


𝑥) − (𝑥 6 + 𝑥 5 + 𝑥 4 + 𝑥 2 +
1)(1)

𝑥2 𝑥 3 + 𝑥 2 +𝑥 = 𝑥 − 𝑥 + 1 (𝑥 2 ) 𝑥 4 + 𝑥 3 +1 𝑥 5 + 𝑥 3 +1 除式
= 𝑥 2 + 1 − (𝑥 2 +𝑥 + 1)(𝑥 2 ) = (𝑥 6 + 𝑥 5 + 𝑥 4 + 𝑥 2 + 1) (被除式)
− (𝑥 4 + 𝑥 2 + 𝑥 + 1)(𝑥 2 )

𝑥 𝑥 3 =𝑥 3 + 𝑥 2 +𝑥 − 𝑥 + 1 (𝑥) 𝑥 4 + 𝑥 2 +𝑥 + 1 = 𝑥 4 + 𝑥 3 +1 − 𝑥2 + 𝑥 + 1 餘式
(𝑥 2 + 𝑥 + 1) (𝑥) = (𝑥 5 + 𝑥 3 + 1) (除式)
− 𝑥 4 + 𝑥 2 + 𝑥 + 1 (𝑥)

>

Dan Boneh
AX+BY=GCD(A,B)
s 𝑥 𝑑 𝑥
Our goal GCD approach
𝐶 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥

Syndrome
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥

A(x) 1 0 𝑥8

0 1 Degree < 𝑥 7 + 𝑥 5 +𝑥 4 + 1
B(x)
1 𝑥
< 𝑥6 + 𝑥5 + 𝑥

𝑥 𝑥2 + 1 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1
<
𝑥+1 𝑥2 + 𝑥 + 1 𝑥 4+ 𝑥 2 + 𝑥 + 1
<
𝑥3 + 𝑥2 + 𝑥 𝑥 4+ 𝑥 3 + 1 𝑥 5 +𝑥 3 +1
<
𝑥3 𝑥 4+ 𝑥 2 + 𝑥 + 1 𝑥 2 + 𝑥 +1
> Then stop

𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥 𝑥 7 + 𝑥 6 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥 𝑥+1
= (𝑥 3 + 𝑥 2 + 𝑥 ) −(𝑥 3 )(𝑥 3 + 𝑥 2 + 𝑥 ) = (𝑥 4 + 𝑥 3 + 1 ) −(𝑥 4 + 𝑥 2 + 𝑥 + 1)(𝑥 3 + 𝑥 2 + 𝑥 ) = (𝑥 5 + 𝑥 3 + 1 )−(𝑥 2 + 𝑥 + 1) )(𝑥 3 + 𝑥 2 + 𝑥 )

𝑥 3 −(𝑥 6 + 𝑥 5 +𝑥 4 +𝑥 3 +𝑥 2 + 𝑥) ∙ 𝑥 4 + 𝑥 2 + 𝑥 + 1 −(𝑥 7 + 𝑥 6 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥) ∙ 𝑥 1 = 𝑥 2 +𝑥 + 1 − 𝑥 + 1 ∙ 𝑥
𝑥
𝑥 7 + 𝑥 5 +𝑥 4 + 1
𝑥8

𝑉 𝑋 𝑟 𝑋
=𝑞 𝑋 +
𝑔 𝑋 𝑔 𝑋
If 𝑟 𝑋 = 0,
𝑉 𝑋 𝑟 𝑋 then 𝑞 𝑋 𝑔 𝑋 = 𝑉 𝑋
− =𝑞 𝑋
𝑔 𝑋 𝑔 𝑋

𝑉 𝑋 −𝑟 𝑋 =𝑞 𝑋 𝑔 𝑋
𝑥 4+ 𝑥 2 + 𝑥 + 1

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥 𝑟 𝑋

𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)

𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
Berlekamp-Massey Algorithm (Modified)
GF(2) 乘法等於 Shift and XOR

x7 x6 x5 x4 x3 x2 x 1 C(x)

S(x) 1 0 1 1 0 0 0 1 1 𝑎𝑛+4
找到一個遞迴
1 0 1 1 0 0 0 1 x 𝑎𝑛+2 式可以滿足
1 0 1 1 0 0 0 1 x2 𝑎𝑛+1 10110001
1 0 1 1 0 0 0 1 這個序列
x4 𝑎𝑛
S(x)C( 1 0 0 0 0 0 0 0 0 1 1 1
x)

1. 1 0 1 1 0 0 0 1 都符合 𝑎𝑛+4 ⨁𝑎𝑛+2 ⨁𝑎𝑛+1 = 𝑎𝑛


2. 1 0 1 1 0 0 0 1 而𝑎𝑛+4 ⨁𝑎𝑛+2 ⨁𝑎𝑛+1 ⨁𝑎𝑛 = 0
3. 1 0 1 1 0 0 0 1
1 0 1 0 => 0 𝑥 4 + 𝑥 2 +𝑥 + 1 = 0
0 1 1 0 => 0
42 1 1 0 0 => 0
1 0 0 1 => 0
n
Let G:K ⟶ {0,1} be a PRG

Goal: define what it means that

is “indistinguishable” from

Dan Boneh
Statistical Tests
Statistical test on {0,1}n:
an alg. A s.t. A(x) outputs “0” or “1”

Examples:

Dan Boneh
Statistical Tests
More examples:

Dan Boneh
Advantage
Let G:K ⟶{0,1}n be a PRG and A a stat. test on {0,1}n

Define:

A silly example: A(x) = 0 ⇒ AdvPRG [A,G] = 0 Dan Boneh


Suppose G:K ⟶{0,1}n satisfies msb(G(k)) = 1 for 2/3 of keys in K

Define stat. test A(x) as:


if [ msb(x)=1 ] output “1” else output “0”

Then

AdvPRG [A,G] = | Pr[ A(G(k))=1] - Pr[ A(r)=1 ] | =

| 2/3 – 1/2 | = 1/6

Dan Boneh
Secure PRGs: crypto definition
Def: We say that G:K ⟶{0,1}n is a secure PRG if

Are there provably secure PRGs?


but we have heuristic candidates.
Dan Boneh
Easy fact: a secure PRG is unpredictable
We show: PRG predictable ⇒ PRG is insecure

Suppose A is an efficient algorithm s.t.

for non-negligible ε (e.g. ε = 1/1000)

Dan Boneh
Easy fact: a secure PRG is unpredictable
Define statistical test B as:

Dan Boneh
Thm (Yao’82): an unpredictable PRG is secure
Let G:K ⟶{0,1}n be PRG

“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable at pos. i


then G is a secure PRG.

If next-bit predictors cannot distinguish G from random


then no statistical test can !!

Dan Boneh
Let G:K ⟶{0,1}n be a PRG such that
from the last n/2 bits of G(k)
it is easy to compute the first n/2 bits.

Is G predictable for some i ∈ {0, … , n-1} ?

Yes
No
More Generally
Let P1 and P2 be two distributions over {0,1}n

Def: We say that P1 and P2 are


computationally indistinguishable (denoted )

R
Example: a PRG is secure if { k ⟵K : G(k) } ≈p uniform({0,1}n)
Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Stream ciphers

Semantic security

Goal: secure PRG ⇒ “secure” stream cipher


Dan Boneh
What is a secure cipher?
Attacker’s abilities: obtains one ciphertext (for now)

Possible security requirements:


attempt #1: attacker cannot recover secret key

attempt #2: attacker cannot recover all of plaintext

Recall Shannon’s idea:


CT should reveal no “info” about PT
Dan Boneh
Recall Shannon’s perfect secrecy
Let (E,D) be a cipher over (K,M,C)

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )

{ E(k,m0) } = { E(k,m1) } where k⟵K

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )

{ E(k,m0) } ≈p { E(k,m1) } where k⟵K

… but also need adversary to exhibit m0, m1 ∈ M explicitly


Dan Boneh
Semantic Security (one-time key)
For b=0,1 define experiments EXP(0) and EXP(1) as:
b
Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  E(k, mb)

b’  {0,1}
for b=0,1: Wb := [ event that EXP(b)=1 ]
Pr(b’=1|b=0) Pr(b’=1|b=1)
AdvSS[A,E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]
Dan Boneh
Semantic Security (one-time key)
Def: E is semantically secure if for all efficient A
AdvSS[A,E] is negligible.

⇒ for all explicit m0 , m1  M : { E(k,m0) } ≈p { E(k,m1) }

Dan Boneh
Examples
Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure. m0 00000000

b{0,1} m1 11111111

m0, LSB(m0)=0
Chal. Adv. B (us)
m1, LSB(m1)=1
kK
C E(k, mb) C Adv. A
(given)
m0 00000000
m1 11111111
C1 10110101 LSB(mb)=b

Pr(b’=1|b=0) Pr(b’=1|b=1)
Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |= |0 – 1| = 1
Dan Boneh
OTP is semantically secure
EXP(0): Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  k⊕m0 b’  {0,1}

identical distributions

Chal. m0 , m1  M : |m0| = |m1| Adv. A


EXP(1):
kK
c  k⊕m1 b’  {0,1}

For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] |= 0


Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Stream ciphers
Stream ciphers are
semantically secure

Goal: secure PRG ⇒ semantically secure stream cipher


Dan Boneh
Stream ciphers are semantically secure
Thm: G:K ⟶{0,1}n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.

∀ sem. sec. adversary A , ∃a PRG adversary B s.t.

AdvSS[A,E] ≤ 2 ∙ AdvPRG[B,G]

Dan Boneh
𝑎0 , 𝑎1 , 𝑎2 , 𝑎3 , 𝑎4 , 𝑎5 , 𝑎6 , 𝑎7 , 𝑎8 , 𝑎9 , 𝑎10 ………………..
0 0 0 1 0 0 1 1 0 1 0 …………………….. Q4
Q D
Q3
Q D
Q2
Q D
Q1
Q D

CLK

0 0 0 1
其實是𝑎𝑛+4 = 𝑎𝑛+1 + 𝑎𝑛 的數列
再由數列生成行多項式
𝑎𝑛 = 𝑟 𝑛 , 𝑟待定 𝑟 𝑛+4 = 𝑟 𝑛+1 + 𝑟 𝑛 , 𝑟 4 = 𝑟 + 1 𝑥 4= 𝑥 + 1

AdvSS[A,E] ≤ 2 ∙ AdvPRG[B,G]

Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m0 ⊕ G(k) ≈p r{0,1}n c  m0 ⊕ r

b’≟1 b’≟1
Pr(b’=1|b=0) Pr(b’=1|b=1) ≈p
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m1 ⊕ G(k) ≈p r{0,1}n c  m1 ⊕ r

b’≟1 b’≟1
Dan Boneh
Proof: Let A be a sem. sec. adversary.

Chal. m0 , m1  M : |m0| = |m1| Adv. A


b kK
r{0,1}n
c  mb ⊕ G(k)

b’  {0,1}
For b=0,1: Wb := [ event that b’=1 ].
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)

Dan Boneh
Proof: Let A be a sem. sec. adversary.

Chal. m0 , m1  M : |m0| = |m1| Adv. A


b kK
r{0,1}n
c  mb ⊕ r

b’  {0,1}
For b=0,1: Wb := [ event that b’=1 ].
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)
For b=0,1: Rb := [ event that b’=1 ]
Dan Boneh
Proof: Let A be a sem. sec. adversary.

Claim 1: |Pr[R0] – Pr[R1]| =


Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| =
Pr(b’=1|b=0) Pr(b’=1|b=1)
0 Pr[W0] Pr[Rb] Pr[W1] 1

⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2 ∙ AdvPRG[B,G]


Dan Boneh
Proof of claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]

Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c  m0⊕y (given)
b’ ∈ {0,1}

AdvPRG[B,G] =
Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Stream ciphers
semantic insecure
case

Goal: secure PRG ⇒ semantically secure stream cipher


Dan Boneh
Dan Boneh
Chosen Plaintext Attack 嘗試送出明文,由密文知道加
密邏輯

Encryption ATTACKER
Algorithm cryptanalyst

Dan Boneh
Chosen Plaintext Attack 嘗試送出明文,由密文知道加
密邏輯

以 Huffman Coding作為加密為例 ATTACKER


Cryptanalyst
ATTACKER
連續送出
EEEEEEE或
0000000明文

Dan Boneh
Using Huffman Coding as an
Encryption Algorithm
• In Huffman coding, you assign shorter
codes to symbols that occur more
frequently and longer codes to those that
occur less frequently.
• For example:
Character A B C D E
------------------------------------------------------
Frequency 17 12 12 27 32
Table Frequency of characters

Dan Boneh
Figure 15-4

Huffman
coding

Dan Boneh
Figure 15-5

Final tree and code

Dan Boneh
Figure 15-6

Huffman
encoding

Dan Boneh
Figure 15-7

Huffman
decoding

Dan Boneh
Figure 15-7

Huffman
decoding

11:A 101:B
01:D 100:C
00:E

Dan Boneh
Figure 15-7

Huffman
decoding

Dan Boneh
ATTACKER 嘗試送出明文讓ATTACKER由密文
知道加密邏輯使其失效

以 Huffman Coding作為加密為例 ATTACKER


Cryptanalyst
ATTACKER
連續送出
EEEEEEE或
0000000明文

Dan Boneh
Figure 15-6

Using Huffman encoding as Encryption


Algorithm is NOT Semantic Secure it will be
broken easily…….

11:A 101:B
01:D 100:C Black
EEEEEEEEEEEEEEEEEEEEEEEEE
00:E Box

00000000000000000000000

Dan Boneh
Figure 15-6

Using Huffman encoding as Encryption


Algorithm is NOT Semantic Secure it will be
broken easily…….

Black
AAAAAAAAAAAAAA
Box

111111111111111111

Dan Boneh
End of Segment

Dan Boneh
Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

What is a block cipher?

Dan Boneh
4 = x4 mod x4 + x + 1
= x4 xor x4 + x + 1
=x+1
4-bit LFSR
0
(1)
0
0
Q D
0
Q D
0Q D
1Q D
0001
0010
Q4 Q3 Q2 Q1
0100
0 xor 1 = 1 (2)
1 (3) 1 (3) 1000
CLK 0011
0 0 0 1 0 0110
xor 0 0 0 0 0 1100
• Circuit counts through 24-1 different non- 0 0 0 1 0 0 1011
xor 0 0 0 0 0
zero bit patterns. 0101
0 0 1 0 0 0 1010
• Left most bit determines shift or more xor 0 0 0 0 0 0111
complex operation 0 1 0 0 0 0 1110
xor 1 0 0 1 1
• Can build a similar circuit with any 0 0 0 1 1 0
1111
1101
number of FFs, may need more xor gates. xor 0 0 0 0 0 1001
• In general, with n flip-flops, 2n-1 different 0 0 1 1 0 0 0001
xor 0 0 0 0 0
non-zero bit patterns.
0 1 1 0 0 0
• (Intuitively, this is a counter that wraps Q4 Q3 Q2 Q1 xor 1 0 0 1 1
around many times and in a strange way.) 0 1 0 1 1

89
Dan Boneh
Block ciphers: crypto work horse
n bits n bits
PT Block E, D CT Block

Key k bits

Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
key k

key expansion

k1 k2 k3 kn

R(kn, )
R(k1, )

R(k2, )

R(k3, )
m c

R(k,m) is called a round function


for 3DES (n=48), for AES-128 (n=10)
Dan Boneh
Dan Boneh
Performance: Crypto++ 5.6.0 [ Wei Dai ]

AMD Opteron, 2.2 GHz ( Linux)

Cipher Block/key size Speed (MB/sec)


RC4 126
stream

Fast
Salsa20/12 643
Sosemanuk 727

3DES 64/168 13
block

Slow
AES-128 128/128 109
Dan Boneh
Abstractly: PRPs and PRFs

Dan Boneh
• A Pseudo Random Function is a function that is
indistinguishable from a function selected at random from the
set of all functions with the same domain and value set.
• A Pseudo Random Permutation is, similarly, a bijective
function that is indistinguishable from a bijective function
selected at random from the set of all bijective functions over
the same domain. For instance, a cryptographically secure
block cipher parametrized by a secret key is a PRP.
• The term PRG is on the other hand, most commonly used for stateful functions that are used for generating
successive pseudo random strings, e.g. to be used as a key, iv, salt, nonce etc. (TRNG/PRNG)

Dan Boneh
Abstractly: PRPs and PRFs
• Pseudo Random Function (PRF) defined over (K,X,Y):
F: K  X → Y
虛擬隨機函數定義一個金鑰空間一個輸入空間 以及一個輸出空間
它輸入一個K中的元素 一個X中的元素 輸出一個Y中的元素

such that exists “efficient” algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):


E: K  X → X
such that:
1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E( k,  ) is one-to-one 一一對應可逆的
3. Exists “efficient” inversion algorithm D(k,y) 一個高效的反演演算法解密
Dan Boneh
PRF PRP
DES

Dan Boneh
X
PRF AES

PRP

Dan Boneh
Running example

• Example PRPs: 3DES, AES, …

AES: K  X → X where K = X = {0,1}128

3DES: K  X → X where X = {0,1}64 , K = {0,1}168

• Functionally, any PRP is also a PRF.


– A PRP is a PRF where X=Y and is efficiently invertible.
Dan Boneh
Secure PRFs
• Let F: K  X → Y be a PRF
Funs[X,Y]: the set of all functions from X to Y

SF = { F(k,) s.t. k  K }  Funs[X,Y]

• Intuition: a PRF is secure if


a random function in Funs[X,Y] is indistinguishable from
a random function in SF
SF
Funs[X,Y]
|X|
Size |Y|
Size |K|
Dan Boneh
Dan Boneh
所有128 bit 進128 bit 出的函數有幾個?

Dan Boneh
所有128進128出的函數有幾個?

2128
128
•2

Funs[X,Y]
|X|
Size |Y|

Dan Boneh
先看所有2進2出的函數有幾個?

• 00 00
• 01 01
• 10 10
• 11 11

Dan Boneh
先看所有2進2出的函數有幾個?

• 00 00
• 01 01
• 10 10
• 11 11
2
4 22
• 4∗4∗4∗4=4 2

Dan Boneh
所有128進128出的函數有幾個?

2128
128
•2

Funs[X,Y]
|X|
Size |Y|

Dan Boneh
以假亂真
THE GOAL FOR SECURE PRF/PRP

Dan Boneh
Stream ciphers are semantically secure
Thm: G:K ⟶{0,1}n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.

∀ sem. sec. adversary A , ∃a PRG adversary B s.t.

AdvSS[A,E] ≤ 2 ∙ AdvPRG[B,G]

Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m0 ⊕ G(k) ≈p r{0,1}n c  m0 ⊕ r

b’≟1 b’≟1
≈p
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m1 ⊕ G(k) ≈p r{0,1}n c  m1 ⊕ r

b’≟1 b’≟1
Dan Boneh
Proof: Let A be a sem. sec. adversary.

Chal. m0 , m1  M : |m0| = |m1| Adv. A


b kK
r{0,1}n
c  mb ⊕ G(k)

b’  {0,1}
For b=0,1: Wb := [ event that b’=1 ].
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)
Dan Boneh
Proof: Let A be a sem. sec. adversary.

Chal. m0 , m1  M : |m0| = |m1| Adv. A


b kK
r{0,1}n
c  mb ⊕ r

b’  {0,1}
For b=0,1: Wb := [ event that b’=1 ].
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |

For b=0,1: Rb := [ event that b’=1 ]


Pr(b’=1|b=0) Pr(b’=1|b=1) Dan Boneh
Proof: Let A be a sem. sec. adversary.

Claim 1: |Pr[R0] – Pr[R1]| =


Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| =

0 Pr[W0] Pr[Rb] Pr[W1] 1

Pr(b’=1|b=0) Pr(b’=1|b=1)
⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2 ∙ AdvPRG[B,G]
Dan Boneh
Proof of claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]

Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c  m0⊕y (given)
b’ ∈ {0,1}

AdvPRG[B,G] =
Dan Boneh
X
PRF AES

PRP

Dan Boneh
Secure PRFs
• Let F: K  X → Y be a PRF
Funs[X,Y]: the set of all functions from X to Y 真隨機

SF = { F(k,) s.t. k  K }  Funs[X,Y] 虛擬隨機

• Intuition: a PRF is secure if


a random function in Funs[X,Y] is indistinguishable from
a random function in SF
真隨機
f  Funs[X,Y]
xX
??? 真隨機 虛擬隨機 kK 虛擬隨機
f(x) or F(k,x) ?
Dan Boneh
Secure PRPs (secure block cipher)

• Let E: K  X → Y be a PRP
Perms[X]: the set of all one-to-one functions from X to Y

SF = { E(k,) s.t. k  K }  Perms[X,Y]

• Intuition: a PRP is secure if


a random function in Perms[X] is indistinguishable from
a random function in SF
π  Perms[X]
xX
??? kK
π(x) or E(k,x) ? (True Random)
Dan Boneh
Let F: K  X → {0,1}128 be a secure PRF.
Is the following G a secure PRF?

0 128 if x=0
G(k, x) =
F(k,x) otherwise

No, it is easy to distinguish G from a random function


Yes, an attack on G would also break F
It depends on F
An easy application: PRF ⇒ PRG
Let F: K  {0,1}n → {0,1}n be a secure PRF.

Then the following G: K → {0,1}nt is a secure PRG:

G(k) = F(k,0) ll F(k,1) ll ⋯ ll F(k,t-1)

Key property: parallelizable

Security from PRF property: F(k, ) indist. from random function f()
Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

The data encryption


standard (DES)

Dan Boneh
Block ciphers: crypto work horse
n bits n bits
PT Block E, D CT Block

Key k Bits

Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
key k

key expansion

k1 k2 k3 kn

R(kn, )
R(k1, )

R(k2, )

R(k3, )
m c

R(k,m) is called a round function


for 3DES (n=48), for AES-128 (n=10)
Dan Boneh
The Data Encryption Standard (DES)
• Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits ; block-len = 128 bits
• 1973: NBS asks for block cipher proposals.
IBM submits variant of Lucifer.
• 1976: NBS adopts DES as a federal standard
key-len = 56 bits ; block-len = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce Dan Boneh
DES: core idea – Feistel Network
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n

Goal: build invertible function F: {0,1}2n ⟶ {0,1}2n


n-bits

R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits

L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output

In symbols:
Dan Boneh
n-bits
R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits

L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output

Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n


Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse

Ri-1 Ri inverse Ri-1 = Li


fi

Li-1 ⊕ Li Li-1 = fi(Li) ⨁ Ri


Dan Boneh
n-bits
R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits

L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output

Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n


Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
Ri ⊕ Ri-1
Ri-1 = Li
Ri-1 Ri inverse
fi Li-1 = fi(Li) ⨁ Ri
fi
Li-1 ⊕ Li Li Li-1
Dan Boneh
Decryption circuit
⊕ ⊕ ⊕
n-bits

Rd Rd-1 Rd-2 R1 R0
fd fd-1
⋯ f1
n-bits

Ld Ld-1 Ld-2 L1 L0

• Inversion is basically the same circuit,


with f1, …, fd applied in reverse order

• General method for building invertible functions (block ciphers)


from arbitrary functions.

• Used in many block ciphers … but not AES


Dan Boneh
“Thm:” (Luby-Rackoff ‘85):

f: K × {0,1}n ⟶ {0,1}n a secure PRF

⇒ 3-round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n a secure PRP

R0 R1 R2 R3
f f f
L0 ⊕ L1 ⊕ L2 ⊕ L3

input output

Dan Boneh
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )

k
key expansion
k1 k2 ⋯ k16

64 bits
64 bits

16 round
IP IP-1
Feistel network

input output
To invert, use keys in reverse order Dan Boneh
The function F(ki, x)

S-box: function {0,1}6 ⟶ {0,1}4 , implemented as look-up table. Dan Boneh


Dan Boneh
The S-boxes
Si: {0,1}6 ⟶ {0,1}4

Dan Boneh
Example: a bad S-box choice
Suppose:
Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 )

or written equivalently: Si(x) = Ai⋅x (mod 2)

011000 x1 x2⨁x3
100110
. x2 = x1⨁x4⨁x5
100001 x3 x1⨁x6
011001 x4 x2⨁x3⨁x6
x5
We say that Si is a linear function. x6
Dan Boneh
Example: a bad S-box choice
Then entire DES cipher would be linear: ∃fixed binary matrix B s.t.

832
m
DES(k,m) = 64
B . k1 = c (mod 2)
k2

k16

But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3) = DES(k, m1⨁m2⨁m3)


B mk1 ⨁ B m2 ⨁ B m3 = B m1⨁m2⨁m3
k k k⨁k⨁k
Dan Boneh
Choosing the S-boxes and P-box
Choosing the S-boxes and P-box at random would result
in an insecure block cipher (key recovery after ≈224 outputs) [BS’89]

Several rules used in choice of S and P boxes:


• No output bit should be close to a linear func. of the input bits
• S-boxes are 4-to-1 maps

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

Exhaustive Search
Attacks

Dan Boneh
Exhaustive Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,3
find key k.

Lemma: Suppose DES is an ideal cipher


( 256 random invertible functions )
Then ∀ m, c there is at most one key k s.t. c = DES(k, m)
Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%

Dan Boneh
Exhaustive Search for block cipher key
For two DES pairs (m1, c1=DES(k, m1)), (m2, c2=DES(k, m2))
unicity prob. ≈ 1 - 1/271

For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2128

⇒ two input/output pairs are enough for exhaustive key search.

Dan Boneh
DES challenge
msg = “The unknown messages is: XXXX … “
CT = c1 c2 c3 c4

Goal: find k ∈ {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3

1997: Internet search -- 3 months


1998: EFF machine (deep crack) -- 3 days (250K $)
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10K $)

⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 272 days)


Dan Boneh
Strengthening DES against ex. search
Method 1: Triple-DES

• Let E : K × M ⟶ M be a block cipher

• Define 3E: K3 × M ⟶ M as
3E( (k1,k2,k3), m) =

For 3DES: key-size = 3×56 = 168 bits. 3×slower than DES.

(simple attack in time ≈2118 )


Dan Boneh
Dan Boneh
Why is the middle portion of 3DES a decryption
rather than an encryption?
• There is no cryptographic significance to the use of decryption
for the second stage.
• Its only advantage is that it allows users of 3DES to decrypt
data encrypted by users of the older single DES by repeating
the key.
• K1=K2=K3

Dan Boneh
Why not double DES?
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
key-len = 112 bits for DES

m E(k2,⋅) E(k1,⋅) c

Attack: M = (m1,…, m10) , C = (c1,…,c10).


k0 = 00…00 E(k0 , M)
• step 1: build table. k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M) 256
sort on 2nd column entries
⋮ ⋮
kN = 11…11 E(kN , M) Dan Boneh
Man in the middle

Dan Boneh
Meet in the middle attack
D(k, C) attack point
Guess K
m E(k2,⋅) E(k1,⋅) c

k0 = 00…00 E(k0 , M)
Attack: M = (m1,…, m10) , C = (c1,…,c10) k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M)
• step 1: build table. ⋮ ⋮
kN = 11…11 E(kN , M)

• Step 2: for all k∈{0,1}56 do:


test if D(k, C) is in 2nd column.

if so then E(ki,M) = D(k,C) ⇒ (ki,k) = (k2,k1)


Dan Boneh
Meet in the middle attack
m E(k2,⋅) E(k1,⋅) c

Time = 256log(256) + 256log(256) < 263 << 2112 , space ≈ 256

Same attack on 3DES: Time = 2118 , space ≈ 256

m E(k3,⋅) E(k2,⋅) E(k1,⋅) c

Dan Boneh
Method 2: DESX
E : K × {0,1}n ⟶ {0,1}n a block cipher

Define EX as EX( (k1,k2,k3), m) = k1 ⨁ E(k2, m⨁k3 )

For DESX: key-len = 64+56+64 = 184 bits

… but easy attack in time 264+56 = 2120 (homework)

Note: k1 ⨁ E(k2, m) and E(k2, m⨁k1) does nothing !!

Dan Boneh
DESX

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

More attacks on
block ciphers

Dan Boneh
Attacks on the implementation
1. Side channel attacks:
– Measure time to do enc/dec, measure power for enc/dec

smartcard [Kocher, Jaffe, Jun, 1998]

2. Fault attacks:
– Computing errors in the last round expose the secret key k

⇒ do not even implement crypto primitives yourself …


Dan Boneh
Designing a secure smart card
• Several people involved with different
assumptions
– Algorithm designers
– Protocol designers
– Software developers
– Hardware engineers

Dan Boneh
Algorithm designer assumption

from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research

• Typically, the algorithm is evaluated in isolation


– Differential cryptanalysis
– Linear cryptanalysis

Dan Boneh
Reality!

from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research

Dan Boneh
Reality – Side Channel Attacks
• “A correct implementation of a strong protocol is not
necessarily secure”
• Failures can be cause by:
– Defective computation
• D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of
checking cryptographic protocols for faults, EUROCRYPT '97

– Information leaked during secret key operations


– Timing information
– Invasive measuring techniques
– Electromagnetic emanations (i.e. TEMPEST)

Dan Boneh
Power analysis attacks
• ICs are built out of invidual
transistors which consume
power
• Monitoring and analysis of the
power consumption of a
device to extract the private
information stored in it.
• Active, relatively cheap, non
invasive attack

Dan Boneh
Simple Power Analysis
• Focus on the use of visual inspection techniques to
identify relevant power fluctuations during
cryptographic operations
• Interpretation of power traces
– Power consumption measurements taken across a
cryptographic operation
– Typically current used by a device over time

Dan Boneh
SPA DES traces
SPA trace showing an entire DES operation

SPA trace showing DES rounds 2 and 3

Dan Boneh
SPA DES trace showing differences in power
consumption of different microprocessor instructions
jump

no jump

Dan Boneh
SPA attack
• SPA can reveal sequence of instructions executed
• It can be use to break cryptographic implementations in
which the execution path depend on the data being
processed
– DES keyschedule
– DES permutations
– Comparisons
– Multipliers
– Exponentiators

Dan Boneh
Preventing SPA
• In general, techniques to prevent SPA are
fairly simple.
– Avoid procedures that use secret intermediates
or keys for conditional branching operations
– Hardwired implementations of symmetric
cryptography algorithms

Dan Boneh
Differential Power Analysis
• Use of statistical analysis and error
correction techniques to extract information
correlated to secret keys
• Based on the effects correlated to data
values being manipulated.
• More powerful than SPA and is much more
difficult to prevent

Dan Boneh
DPA basic idea
• Data collection
– Capture power traces T1...m[1...k] containing k samples each

– Record the ciphertextsC1...m


– Knowledge of plaintext is notrequired

• Data analysis
– DPA selection function D(C,b,Ks)→{0,1}

– Compute ksample differential trace ΔD[1...k], where:

Dan Boneh
DPA against DES
• DPA selection function D(C,b,K ) is defined as: s

• – Returning the value b of the DES intermediate L at the beginning of the 16th
(0 <= b < 32 )
• – C is the corresponding ciphertext
• – Ks is the 6 key bits entering the Sbox corresponding to bit b (0 <= Ks < 26)
ATTTTACK
•• Repeat procedure to find all Ks values (8) to get the entire 48 bit subkey
• C
C

Ks
b Ks

C
16 DES round
th
Dan Boneh
C1 1 1 1 0 0 1 0 1 1 1 0
C2 1 1 1 0 1 1 1 0 1 0 1
C3 1 1 0 1 0 1 1 1 1 0 1
C= K+P
Attack

Dan Boneh
Right 𝐾0 𝐾1 𝐾2 𝐾3 𝐾4 𝐾5 𝐾6 𝐾7 𝐾8 𝐾9 𝐾10

P1 0 1 1 0 0 1 0 1 0 1 0
P2 1 0 1 0 1 0 1 0 1 0 1
P3 0 1 0 1 0 1 0 1 0 1 0
P=C + K

Dan Boneh
DPA traces for DES
Power reference

Correct Ks

Incorrect Ks

1000 samples
Dan Boneh
Quantitative DPA measurements
Reference power
consumption trace

Standard deviation

Differential trace
(m=104)

Dan Boneh
More about DPA
• Noise can be a problem
– Electronic radiation and thermal noise
– Quantization errors
– Uncorrected temporal misalignment
• DPA variations
– Automated template DPA
– Highorder DPA

Dan Boneh
DPA against other algorithms
• In general, DPA can be used to break any
symmetric or asymmetric algorithm
• Public key algorithms (i.e. RSA)
– Asymmetric operations tend to produce stronger
signals leaking than symmetric ones

• Reverse engineering using DPA

Dan Boneh
Preventing DPA
• Reduce signals size
• Introducing noise into power
consumption measurements
• Designing cryptosystems with
realistic assumptions about the
underlying hardware.
– Balanced HW and SW (i.e. leak tolerant design)
– Incorporatingrandomness
– Algorithm and protocollevel countermeasures

Dan Boneh
Dan Boneh
Side-Channel Analysis
Side Channel Leakage

Timing

EM Emissions
Current, Voltage

Dan Boneh
Dan Boneh
Linear and differential attacks [BS’89,M’93]

Given many inp/out pairs, can recover key in time less than 256 .

Linear cryptanalysis (overview) : let c = DES(k, m)


Suppose for random k,m :

[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ]=½ +ε

For some ε. For DES, this exists with ε = 1/221 ≈ 0.0000000477


Dan Boneh
Linear attacks
[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ]=½ +ε

Thm: given 1/ε2 random (m, c=DES(k, m)) pairs then

k[l1,…,lu] = MAJ [ m[i1,…,ir] ⨁ c[jj,…,jv] ]


with prob. ≥ 97.7%

⇒ with 1/ε2 inp/out pairs can find k[l1,…,lu] in time ≈1/ε2 .


Dan Boneh
Linear attacks
For DES, ε = 1/221 ⇒
with 242 inp/out pairs can find k[l1,…,lu] in time 242

Roughly speaking: can find 14 key “bits” this way in time 242

Brute force remaining 56−14=42 bits in time 242

Total attack time ≈243 ( << 256 ) with 242 random inp/out pairs

Dan Boneh
Lesson

A tiny bit of linearly in S5 lead to a 242 time attack.

⇒ don’t design ciphers yourself !!

Dan Boneh
Quantum attacks
Generic search problem:
Let f: X ⟶ {0,1} be a function.
Goal: find x∈X s.t. f(x)=1.

Classical computer: best generic algorithm time = O( |X| )

Quantum computer [Grover ’96] : time = O( |X|1/2 )

Can quantum computers be built: unknown


Dan Boneh
Quantum exhaustive search
Given m, c=E(k,m) define 1 if E(k,m) = c
f(k) =
0 otherwise

Grover ⇒ quantum computer can find k in time O( |K|1/2 )

DES: time ≈228 , AES-128: time ≈264

quantum computer ⇒ 256-bits key ciphers (e.g. AES-256)

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

The AES block cipher

Dan Boneh
The AES process
• 1997: NIST publishes request for proposal

• 1998: 15 submissions. Five claimed attacks.

• 1999: NIST chooses 5 finalists

• 2000: NIST chooses Rijndael as AES (designed in Belgium)

Key sizes: 128, 192, 256 bits. Block size: 128 bits
Dan Boneh
AES is a Subs-Perm network (not Feistel)
k1 k2 kn
S1 S1 S1
S2 S2 S2
S3 S3 S3

output
input


⨁ ⋯



S8 S8 S8
subs. perm.
layer layer inversion
Dan Boneh
AES-128 schematic
10 rounds

4
(1) ByteSub (1) ByteSub (1) ByteSub
⋯ (2) ShiftRow



(2) ShiftRow

4 input (2) ShiftRow


(3) MixColumn (3) MixColumn

invertible
k0 k1 k2 k9


k10
key key expansion:
4 output
16 bytes 16 bytes ⟶176 bytes 4
Dan Boneh
The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)

• ShiftRows:

• MixColumns:

Dan Boneh
Code size/performance tradeoff
Code size Performance

Pre-compute fastest:
round functions largest table lookups
(24KB or 4KB) and xors

Pre-compute
smaller slower
S-box only (256 bytes)

No pre-computation smallest slowest

Dan Boneh
Example: Javascript AES
AES in the browser:

AES library (6.4KB)


no pre-computed tables

Prior to encryption:
pre-compute tables
Then encrypt using tables
http://crypto.stanford.edu/sjcl/
Dan Boneh
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware

Similar instructions on AMD Bulldozer


Dan Boneh
Attacks
Best key recovery attack:
four times better than ex. search [BKR’11]

Related key attack on AES-256: [BK’09]


Given 299 inp/out pairs from four related keys in AES-256
can recover keys in time ≈299

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Block ciphers

Block ciphers from PRGs

Dan Boneh
Can we build a PRF from a PRG?
Let G: K ⟶ K2 be a secure PRG k
G
Define 1-bit PRF F: K × {0,1} ⟶ K as G(k)[0] G(k)[1]

F(k, x∈{0,1} ) = G(k)[x]

Thm: If G is a secure PRG then F is a secure PRF

Can we build a PRF with a larger domain?


Dan Boneh
Extending a PRG
Let G: K ⟶ K2 .
define G1: K ⟶ K4 as G1(k) = G(G(k)[0]) ll G(G(k)[1])

We get a 2-bit PRF: G


G(k)[0] G(k)[1]
F(k, x∈{0,1}2 ) = G1(k)[x] G G
00 01 10 11

G1(k)
Dan Boneh
k
G1 is a secure PRG
G
G(k)[0] G(k)[1] r0 r1

G G G G
00 01 10 11 ≈p
G1(k)
≈p
r1

G
random in K4 ≈p r00 r01

Dan Boneh
Extending more
Let G: K ⟶ K2 .
define G2: K ⟶ K8 as G2(k) = k

G
G(k)[0] G(k)[1]
We get a 3-bit PRF G G

G G G G
000 001 010 011 100 101 110 111

G2(k) Dan Boneh


Extending even more: the GGM PRF
Let G: K ⟶ K2 . define PRF F: K × {0,1}n ⟶ K as

For input x = x0 x1 … xn-1 ∈ {0,1}n do:

G(k)[x0] G(k1)[x1] k G(k2)[x2] k G(kn-1)[xn-1] kn


k k1 2 3

Security: G a secure PRG ⇒ F is a secure PRF on {0,1}n .

Not used in practice due to slow performance.


Dan Boneh
Secure block cipher from a PRG?

Can we build a secure PRP from a secure PRG?

No, it cannot be done


Yes, just plug the GGM PRF into the Luby-Rackoff theorem
It depends on the underlying PRG
End of Segment

Dan Boneh
Differential Power Analysis
• Use of statistical analysis and error correction techniques to
extract information correlated to secret keys
• Based on the effects correlated to data values being
manipulated
• More powerful than SPA and is much more difficult to
prevent

Dan Boneh
Dan Boneh
Complementary Metal-Oxide-Semiconductor
• 互補式金屬氧化物半導體(英語:Complementary Metal-Oxide-
Semiconductor,縮寫作 CMOS;簡稱互補式金氧半導體),是一種積體電路
的設計製程,可以在矽質晶圓模板上製出NMOS(n-type MOSFET)和PMOS
(p-type MOSFET)的基本元件,由於NMOS與PMOS在物理特性上為互補性,
因此被稱為CMOS。
• 此一般的製程上,可用來製作的靜態隨機存取記憶體、微控制器、微處理器
與其他數位邏輯電路系統(FPGA) 。
• 互補式金屬氧化物半導體具有只有在電晶體需要切換啟動與關閉時才需消耗
能量的優點,因此非常節省電力且發熱量少,且製程上也是最基礎而最常用
的半導體元件。

Dan Boneh
Complementary Metal-Oxide-Semiconductor

Dan Boneh
Dan Boneh
DPA traces for DES
Power reference

Correct Ks

Incorrect Ks

1000 samples
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
DPA traces for DES
Power reference

Correct Ks

Incorrect Ks

1000 samples
Dan Boneh
Dan Boneh
𝑆(𝐾𝑛 |𝑋𝑛 )

K K K K KK KK KK KK K Ciphertext

P1 1 1 1 0 1 1 1 1 1

P2 1 1 0 0 1 1 0 0 0

P3 1 1 0 0 1 1 1 0 1
Attack
P4 0 1 0 0 1 1 1 O O Key
Guess
P5 1 0 0 1 0 1 1 0 0 the
right
key
There is no peak when K guesting is WRONG
𝑆(𝐾𝑛 |𝑋𝑛 ) Plaintext
Ks is the 6 key bits entering the Sbox corresponding to bit b (0 <= Ks < 2 ) ATTACK
6

Dan Boneh
DPA traces for DES
Power reference

Correct Ks

Incorrect Ks

1000 samples
Dan Boneh
K K K K KK KK KK KK K Ciphertext

P1 1 0 1 0 0 1 1 1 1

P2 0 1 0 1 1 0 0 0 0

P3 1 0 1 0 0 1 1 1 1 Attack
Key
P4 0 1 0 1 1 O O O O
Guess
P5 1 0 1 1 0 1 1 1 1 the
right
key
There is HUGE peak when K guesting is Correct
Plaintext

Dan Boneh

You might also like