Lecture 05


Symmetric Encryption

• Recall types of attacks against an encryption scheme

– ciphertext only

– known plaintext

– chosen plaintext

– chosen ciphertext

• In this lecture, we

– move towards security against more powerful adversaries

– learn about block ciphers


Security Against Chosen-Plaintext Attacks

• In a chosen-plaintext attack (CPA), the adversary A is allowed to ask for encryptions of messages of its choice

– it is now active and adaptive

• A is given black-box access to an encryption oracle and can query it on different messages

– the notation A^{O(·)} means that A has oracle access to algorithm O

• As before, A is asked to distinguish between encryptions of messages of its choice

• Is this model too strong?

CPA Security

• CPA indistinguishability experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,E}(n)$

1. a random key k is generated by Gen(1^n)

2. A is given 1^n and the ability to query Enc_k(·), and chooses two messages m_0, m_1 of the same length

3. a random bit b ← {0, 1} is chosen, and the challenge ciphertext c ← Enc_k(m_b) is computed and given to A

4. A can keep using Enc_k(·) and eventually outputs a bit b′

5. the experiment outputs 1 if b′ = b (A wins) and 0 otherwise

• E = (Gen, Enc, Dec) has indistinguishable encryptions under chosen-plaintext attack (is CPA-secure) if for all PPT A

$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,E}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$

CPA Security

• How come the adversary is allowed to query Enc_k on a message and later use that message for the challenge?

• How does this notion of security compare to indistinguishability against eavesdroppers?

• How about security for multiple encryptions?

– good news! no need for other definitions

– then really long messages can be treated as several fixed-length messages

Towards CPA-Secure Encryption

• We are going to use a new building block: pseudorandom functions

– just like pseudorandomness of a single string doesn’t make sense, we’ll consider a distribution (or class) of functions

– we’ll look at keyed functions F : {0, 1}^n × {0, 1}^n → {0, 1}^n

• the first argument is the key k and the second argument is the input x

– once the key is fixed, the function F_k : {0, 1}^n → {0, 1}^n is fixed

• The pseudorandom property is now defined as

– a computationally limited adversary cannot distinguish the behavior of a pseudorandom function F_k (for a randomly chosen and secret k) from a function f chosen at random
Towards CPA-Secure Encryption

• f is one of all possible functions that map n-bit inputs to n-bit outputs

– each such function can be specified as a lookup table

– if f is chosen at random, the outputs f(x) and f(y) for x ≠ y are uniformly distributed and independent

• The pseudorandomness property of F_k no longer holds if

– key k is known or not chosen at random

– the adversary is not bounded by polynomial (in n) time

Towards CPA-Secure Encryption

• Definition: An efficient function F : {0, 1}^n × {0, 1}^n → {0, 1}^n is a pseudorandom function if no PPT distinguisher D can tell apart the outputs of F_k and f, i.e.,

$\left| \Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \right| \le \mathrm{negl}(n)$

for a uniformly chosen function f : {0, 1}^n → {0, 1}^n and a uniformly chosen key k ← {0, 1}^n

• Pseudorandom functions are useful for different purposes in cryptography

– we start with CPA-secure encryption schemes

CPA-Secure Encryption

• Intuitively, F_k enciphers its input (a message?) rather well

– the problem is that F_k(m) is deterministic, which is not sufficient

– how do we randomize encryption?

• Solution for CPA-secure encryption

– Gen: on input 1^n, choose k ←_R {0, 1}^n

– Enc: on input key k ∈ {0, 1}^n and message m ∈ {0, 1}^n, choose r ←_R {0, 1}^n and output ciphertext c := (r, F_k(r) ⊕ m)

– Dec: on input key k ∈ {0, 1}^n and ciphertext c = (c_1, c_2), output message m = F_k(c_1) ⊕ c_2
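The PRF-based scheme above together with the CPA experiment from earlier, as an added Python example that is not part of the lecture. It assumes HMAC-SHA256 with a 256-bit key behaves as the PRF F_k with n = 256, and the names gen, enc, dec, enc_naive and cpa_distinguisher are my own; the distinguisher plays one round of the PrivK^cpa experiment and reports whether A won.

```python
import hmac, hashlib, os

N = 32  # n = 256 bits: key, input and output size of the keyed function

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(k, x):
    # keyed function F_k(x); HMAC-SHA256 is assumed to behave as a PRF when k is uniform and secret
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()

def gen():
    # Gen(1^n): choose k <-_R {0,1}^n
    return os.urandom(N)

def enc_naive(k, m):
    # the "intuitive" scheme F_k(m): deterministic, so equal messages give equal ciphertexts
    return prf(k, m)

def enc(k, m):
    # Enc: choose r <-_R {0,1}^n and output c = (r, F_k(r) XOR m)
    r = os.urandom(N)
    return r, xor(prf(k, r), m)

def dec(k, c):
    # Dec: m = F_k(c_1) XOR c_2
    c1, c2 = c
    return xor(prf(k, c1), c2)

def cpa_distinguisher(encrypt, k, m0, m1):
    # one run of PrivK^cpa: A first queries the oracle on m_0, then receives the
    # challenge Enc_k(m_b) and guesses b' = 0 exactly when the challenge equals
    # the oracle answer; returns True when A wins (b' == b)
    query = encrypt(k, m0)
    b = os.urandom(1)[0] & 1               # challenger's random bit
    challenge = encrypt(k, (m0, m1)[b])
    b_guess = 0 if challenge == query else 1
    return b_guess == b
```

Against enc_naive the distinguisher wins every time; against enc it wins with probability 1/2, since a fresh r makes the challenge independent of the earlier query.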

CPA-Secure Encryption

• Theorem: Given that F is a pseudorandom function, the above construction is a CPA-secure encryption scheme for n-bit messages

• Proof idea:

1. Suppose that a random function f is used in place of F_k. Prove the construction secure.

2. Replace f with F_k and show that any non-negligible advantage in breaking indistinguishability has to come from the use of F_k.
CPA-Secure Encryption in Practice

• Block ciphers used in practice are keyed permutations

– can we use them in place of pseudorandom functions and still get the proper level of security?

• Define a pseudorandom permutation similarly to pseudorandom functions

– efficient, with negligible advantage in distinguishing it from a random permutation

• Claim: a pseudorandom permutation is also a pseudorandom function

– the probability of a collision in a pseudorandom function is negligible

• We also want to be able to invert the pseudorandom permutation F_k

– i.e., the block cipher decryption algorithm


CPA-Secure Encryption in Practice

• How about messages of sizes other than n?

– shorter messages

– really long messages

• Short messages

– unambiguously pad the message to be n bits

– often one can append a “1” followed by the necessary number of “0”s

• Messages longer than n

– partition the message into blocks of size n: m = m_1 m_2 … m_ℓ

– encrypting each block separately (as above) doubles the message length

– modes of encryption with less expansion exist


Encryption Modes

• Encryption modes indicate how messages longer than one block are encrypted and decrypted

• 4 modes of operation were standardized in 1980 for the Data Encryption Standard (DES)

– they can be used with any block cipher

– electronic codebook mode (ECB), cipher feedback mode (CFB), cipher block chaining mode (CBC), and output feedback mode (OFB)

• 5 modes were specified with the current standard, the Advanced Encryption Standard (AES), in 2001

– the 4 above and counter mode
Encryption Modes

• Electronic Codebook (ECB) mode

– divide the message m into blocks m_1 m_2 … m_ℓ of size n each

– encipher each block separately: for i = 1, …, ℓ, c_i = F_k(m_i)

– the resulting ciphertext is c = c_1 c_2 … c_ℓ

[Figure: ECB mode; each block m_i passes through F_k under key k independently, giving c_i]
Encryption Modes

• Properties of ECB mode:

– identical plaintext blocks result in identical ciphertexts (under the same key)

– each block can be decrypted independently

• Is it secure?
Encryption Modes

• Cipher Block Chaining (CBC) mode

– set c_0 = IV ←_R {0, 1}^n (initialization vector)

– encryption: for i = 1, …, ℓ, c_i = F_k(m_i ⊕ c_{i−1})

– decryption: for i = 1, …, ℓ, m_i = c_{i−1} ⊕ F_k^{−1}(c_i)

[Figure: CBC mode; c_0 = IV, each m_i is XORed with c_{i−1} before F_k, giving c_1, c_2, …]
Encryption Modes

• Properties of CBC mode:

– if F is a pseudorandom permutation, this mode is CPA-secure

– a ciphertext block depends on all preceding plaintext blocks

– sequential encryption, cannot use parallel hardware

– the IV must be random and communicated intact

• if the IV is not random, security quickly degrades

• if someone can fool the receiver into using a different IV, security issues arise
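The “1 then 0s” padding rule, ECB and CBC from the slides above, as an added Python example that is not the lecture's own code. It assumes a toy block cipher built as a 4-round Feistel network over HMAC-SHA256 (a pseudorandom permutation F_k on 256-bit blocks whose inverse F_k^{−1} runs the rounds backwards), and the names prp, prp_inv, pad, unpad, blocks, ecb_enc, cbc_enc and cbc_dec are my own.

```python
import hmac, hashlib, os

N, H = 32, 16    # block size in bytes (n = 256 bits) and Feistel half-block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(k, i, x):
    # round function: HMAC-SHA256 used as a PRF, domain-separated by round index i
    return hmac.new(k, bytes([i]) + x, hashlib.sha256).digest()[:H]

def prp(k, x):
    # keyed permutation F_k: a 4-round Feistel network over the PRF (toy block cipher)
    L, R = x[:H], x[H:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R

def prp_inv(k, y):
    # F_k^{-1}: undo the rounds in reverse order (block cipher decryption)
    L, R = y[:H], y[H:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R

def pad(m):
    # unambiguous padding: a "1" bit (0x80) then the "0"s needed to reach a block boundary
    m += b"\x80"
    return m + b"\x00" * (-len(m) % N)
def unpad(m):
    return m[:m.rindex(b"\x80")]
def blocks(data):
    return [data[i:i + N] for i in range(0, len(data), N)]

def ecb_enc(k, m):
    # ECB: c_i = F_k(m_i), so identical plaintext blocks give identical ciphertext blocks
    return b"".join(prp(k, b) for b in blocks(pad(m)))

def cbc_enc(k, m, iv=None):
    # CBC: c_0 = IV <-_R {0,1}^n, c_i = F_k(m_i XOR c_{i-1}); the IV travels as c_0
    c = [iv if iv is not None else os.urandom(N)]
    for b in blocks(pad(m)):
        c.append(prp(k, xor(b, c[-1])))
    return b"".join(c)

def cbc_dec(k, c):
    # CBC: m_i = c_{i-1} XOR F_k^{-1}(c_i)
    cs = blocks(c)
    return unpad(b"".join(xor(cs[i - 1], prp_inv(k, cs[i])) for i in range(1, len(cs))))
```

Encrypting three identical blocks shows the difference: ECB produces three identical ciphertext blocks, CBC with a random IV produces all distinct ones. The Feistel toy cipher is there to make the modes runnable offline, not to stand in for a standard block cipher.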
Encryption Modes

• Cipher Feedback (CFB) mode

– the message is XORed with the encryption of the feedback from the previous block

– set the initial input I_1 = IV

– encryption: c_i = F_k(I_i) ⊕ m_i; I_{i+1} = c_i

– decryption: m_i = c_i ⊕ F_k(I_i)

• This mode allows the block cipher to be used as a stream cipher

– if our application requires that plaintext units shorter than the block are transmitted without delay, we can use this mode

– the message is transmitted in r-bit units (r is often 8 or 1)
Encryption Modes

• Cipher Feedback (CFB) mode

– input: key k, n-bit IV, r-bit plaintext blocks m_1, …

– output: r-bit ciphertext blocks c_1, …

[Figure: r-bit CFB; an n-bit shift register initialized with the IV is the input to F_k, r bits of the output are selected (the remaining n − r discarded) and XORed with m_i to give c_i, and c_i is shifted into the register for the next unit]
Encryption Modes

• Properties of CFB mode:

– the mode is CPA-secure

– similar to CBC, a ciphertext block depends on all previous plaintext blocks

– decreased throughput when used on small units

• one encryption operation is applied per r bits, not per n bits
Encryption Modes

• Output Feedback (OFB) mode

– similar to CFB, but the feedback is from the encryption output and is independent of the message

[Figure: r-bit OFB; the same shift-register structure as CFB, but the r selected output bits of F_k (not c_i) are shifted back into the register]
Encryption Modes

• Output Feedback (OFB) mode:

– n-bit feedback is recommended

– using fewer bits for the feedback reduces the size of the cycle

• Properties of OFB:

– the mode is CPA-secure

– the key stream is plaintext-independent, so reusing the same key stream must be avoided

– similar to CFB, throughput is decreased for r < n, but the key stream can be precomputed
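r-bit CFB and OFB with a shift register, covering the CFB and OFB slides above, as an added Python example that is not from the lecture. It assumes HMAC-SHA256 as F_k with n = 256 bits and r = 8 bits (one byte), and the names cfb_enc, cfb_dec, ofb_keystream and ofb_xcrypt are my own; the OFB routine takes the feedback width as a parameter so that the recommended n-bit feedback and the shorter variants can be compared.

```python
import hmac, hashlib

N = 32   # block size n in bytes (256 bits)
R = 1    # plaintext/ciphertext unit r in bytes (r = 8 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(k, x):
    # F_k(x): HMAC-SHA256 is assumed to behave as a PRF; only the forward direction
    # is ever needed in CFB and OFB, so F_k need not be a permutation here
    return hmac.new(k, x, hashlib.sha256).digest()

def cfb_enc(k, m, iv):
    # shift register I_1 = IV; c_i = select_r(F_k(I_i)) XOR m_i; the feedback is c_i
    reg, out = iv, []
    for i in range(0, len(m), R):
        c = xor(prf(k, reg)[:R], m[i:i + R])   # select r bits, discard n - r
        out.append(c)
        reg = reg[R:] + c                      # shift left by r bits, shift c_i in
    return b"".join(out)

def cfb_dec(k, c, iv):
    # m_i = c_i XOR select_r(F_k(I_i)); the received ciphertext unit is fed back
    reg, out = iv, []
    for i in range(0, len(c), R):
        out.append(xor(prf(k, reg)[:R], c[i:i + R]))
        reg = reg[R:] + c[i:i + R]
    return b"".join(out)

def ofb_keystream(k, iv, nbytes, fb=N):
    # OFB: the feedback is the cipher output, so the key stream depends only on
    # k and IV and can be precomputed; fb is the feedback width in bytes
    # (fb == N is the recommended n-bit feedback, fb < N shortens the cycle)
    reg, ks = iv, b""
    while len(ks) < nbytes:
        o = prf(k, reg)
        ks += o[:R]                 # the r selected bits form the key stream
        reg = reg[fb:] + o[:fb]     # with fb == N the register simply becomes o
    return ks[:nbytes]

def ofb_xcrypt(k, m, iv, fb=N):
    # encryption and decryption are the same XOR with the (precomputable) key stream
    return xor(ofb_keystream(k, iv, len(m), fb), m)
```

Both modes produce a ciphertext of exactly the plaintext's length and call F_k once per r-bit unit, which is the throughput cost the slides mention.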
Encryption Modes

• Counter (CTR) mode

– a counter is encrypted and XORed with a plaintext block

– no feedback into the encryption function

– initially set ctr = IV ←_R {0, 1}^n

[Figure: CTR mode; ctr+1, ctr+2, … are each passed through F_k and XORed with m_1, m_2, … to give c_1, c_2, …; c_0 carries ctr]
Encryption Modes

• Counter (CTR) mode

– encryption: for i = 1, …, ℓ, c_i = F_k(ctr + i) ⊕ m_i

– decryption: for i = 1, …, ℓ, m_i = F_k(ctr + i) ⊕ c_i

• Properties:

– the ciphertext can have the same length as the plaintext

– for a final partial block we just truncate the value F_k(ctr + ℓ) to the block's length and transmit it


Encryption Modes

• Advantages of counter mode

– Hardware and software efficiency: multiple blocks can be encrypted or decrypted in parallel

– Preprocessing: encryption of the counter values can be done in advance; the rest is only XOR

– Random access: the ith block of plaintext or ciphertext can be processed independently of the others

– Security: at least as secure as the other modes (i.e., CPA-secure)

– Simplicity: doesn’t require decryption or decryption key scheduling

• But what happens if the counter is reused?
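Counter mode with truncation, random access and an answer to the counter-reuse question above, as an added Python example that is not from the lecture. It assumes HMAC-SHA256 as F_k with n = 256 bits; the names keystream_block, ctr_enc, ctr_dec, ctr_block and counter_reuse_leak are my own.

```python
import hmac, hashlib, os

N = 32  # block size n in bytes (256 bits)

def xor(a, b):
    # XOR over the shorter input: this is what truncates the last key stream block
    return bytes(x ^ y for x, y in zip(a, b))

def prf(k, x):
    # F_k(x): HMAC-SHA256 is assumed to behave as a PRF; no inverse is ever needed
    return hmac.new(k, x, hashlib.sha256).digest()

def keystream_block(k, ctr, i):
    # F_k(ctr + i), with the counter taken modulo 2^n
    return prf(k, ((ctr + i) % (1 << (8 * N))).to_bytes(N, "big"))

def ctr_enc(k, m, iv=None):
    # ctr = IV <-_R {0,1}^n; c_i = F_k(ctr + i) XOR m_i for i = 1..l; the IV is sent as c_0
    iv = iv if iv is not None else os.urandom(N)
    ctr = int.from_bytes(iv, "big")
    nblocks = (len(m) + N - 1) // N
    body = [xor(keystream_block(k, ctr, i + 1), m[i * N:(i + 1) * N]) for i in range(nblocks)]
    return iv + b"".join(body)      # the body has exactly the plaintext's length

def ctr_dec(k, c):
    # decryption is the same operation, driven by the transmitted IV
    return ctr_enc(k, c[N:], c[:N])[N:]

def ctr_block(k, c, i):
    # random access: recover plaintext block i (1-based) without processing the others
    ctr = int.from_bytes(c[:N], "big")
    return xor(keystream_block(k, ctr, i), c[i * N:(i + 1) * N])

def counter_reuse_leak(c1, c2):
    # two ciphertexts under the same key and the same IV share their key stream, so
    # XORing them cancels F_k(ctr + i) and exposes m1 XOR m2: this is why a counter
    # value must never be reused under one key
    assert c1[:N] == c2[:N]
    return xor(c1[N:], c2[N:])
```

The test below also starts the counter at all-ones to check that the modulo-2^n wrap-around round-trips.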


Practical Remarks

• Use good randomness

– true randomness for long-term secrets

– a cryptographically strong pseudo-random number generator in other cases

• Stick to the exact specification of a CPA-secure encryption mode

– ECB mode is only of historical significance as encryption, but is useful as a PRF

• Both the size of the key and the block size must be sufficiently large
Message Integrity

• The above modes in general don’t protect transmitted ciphertexts from tampering

– some modes are easier to tamper with than others

– none achieve “proper” integrity protection

• A separate integrity or message authentication mechanism should be used to ensure that the message arrives intact
Summary

• Block ciphers vs stream ciphers

– which type is preferred?

• Notions of security for symmetric encryption

• What is next?

– practical constructions for block ciphers

– past and current standards
