logging in or signing up Lecture 2 Petronilla Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 1928 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: January 12, 2008 This Presentation is Public Favorites: 1 Presentation Description No description available. Comments Posting comment... By: srishti9 (25 month(s) ago) Can u pls let me download this presentation??I need it for a seminar as a part of my presentation Saving..... Post Reply Close Saving..... Edit Comment Close Premium member Presentation Transcript Slide1: Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block CiphersStream Ciphers: Stream Ciphers Start with a secret key (“seed”) Generate a keying stream i-th bit/byte of keying stream is a function of the key and the first i-1 ciphertext bits. Combine the stream with the plaintext to produce the ciphertext (typically by XOR)Example of Stream Encryption: = Example of Stream Encryption Key Ciphertext Stream Plaintext Example of Stream Decryption: Example of Stream Decryption = Key Plaintext Stream Ciphertext Real Cipher Streams: Real Cipher Streams Most pre-WWII machines German Enigma Linear Feedback Shift Register A5 – encrypting GSM handset to base station communication RC-4 (Ron’s Code)Terminology: Terminology Stream cipher is called synchronous if keystream does not depend on the plaintext (depends on key alone). Otherwise cipher is called asynchronous. Current Example: RC-4: Current Example: RC-4 Part of the RC family Claimed by RSA as their IP Between 1987 and 1994 its internal was not revealed – little analytic scrutiny Preferred export status Code released anonymously on the Internet Used in many systems: Lotus Notes, SSL, etc.RC4 Properties: RC4 Properties Variable key size stream cipher with byte oriented operations. Based on using a random looking permutation. 8-16 machine operations per output byte. Very long cipher period (over 10100). Widely believed to be secure. Used for encryption in SSL web protocol.RC-4 Initialization: RC-4 Initialization j=0 S0=0, S1=1, …, S255=255 Let the key be (bytes) k0,…,k255 (repeating bits if necessary) For i=0 to 255 j = (j + Si+ ki) mod 256 Swap Si and Sj RC-4 Key-stream Creation : RC-4 Key-stream Creation Generate an output byte B by: i = (i+1) mod 256 j = (j +Si) mod 256 Swap Si and Sj t = (Si + Sj) mod 256 B = St B is XORed with next plaintext byteBlock Ciphers: Block Ciphers Encrypt a block of input to a block of output Typically, the two blocks are of the same length Most symmetric key systems block size is 64 In AES block size is 128 Different modes for encrypting plaintext longer than a blockReal World Block Ciphers: Real World Block Ciphers DES, 3-DES AES (Rijndael) RC-2 RC-5 IDEA Blowfish, Cast GostECB Mode Encryption (Electronic Code Book): ECB Mode Encryption (Electronic Code Book) P1 Ek C1 P2 Ek C2 P3 Ek C3 encrypt each plaintext block separatelyProperties of ECB: Properties of ECB Simple and efficient Parallel implementation possible Does not conceal plaintext patterns Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks). CBC Mode Encryption (Cipher Block Chaining): CBC Mode Encryption (Cipher Block Chaining) P1 Ek C1 P2 Ek C2 P3 Ek C3 S0 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector S0 is used as a “seed” for the process. Seed can be “openly” transmitted. Properties of CBC: Properties of CBC Asynchronous stream cipher Errors in one ciphertext block propagate Conceals plaintext patterns No parallel implementation known Plaintext cannot be easily manipulated. Standard in most systems: SSL, IPSec etc.Slide17: OFB Mode (Output FeedBack) An initialization vector s0 is use as a ``seed'’ for a sequence of data blocks siProperties of OFB: Properties of OFB Synchronous stream cipher Errors in ciphertext do not propagate Pre-processing is possible Conceals plaintext patterns No parallel implementation known Active attacks by manipulating plaintext are possibleAES Proposed Modes: AES Proposed Modes CTR (Counter) mode (OFB modification): Parallel implementation, offline pre-processing, provable security, simple and efficient OCB (Offset Codebook) mode - parallel implementation, offline preprocessing, provable security (under specific assumptions), authenticity Strengthening a Given Cipher: Strengthening a Given Cipher Design multiple key lengths – AES Whitening - the DESX idea Iterated ciphers – Triple DES (3-DES), triple IDEA and so onTriple Cipher - Diagram: Triple Cipher - Diagram P Ek1 C Ek2 Ek3Iterated Ciphers: Iterated Ciphers Plaintext undergoes encryption repeatedly by underlying cipher Ideally, aach stage uses a different key In practice triple cipher is usually C= Ek1(Ek2(Ek1(P))) [EEE mode] or C= Ek1(Dk2(Ek1(P))) [EDE mode] EDE is more common in practiceNecessary Condition: Necessary Condition For some block ciphers iteration does not enhance security Example – substitution cipher Consider a block cipher: blocks of size b bits, and key of size k The number of all possible functions mapping b bits to b bits is (2b)2b Necessary Condition (cont.): Necessary Condition (cont.) The number of all possible encryption functions (bijections) is 2b! The number of encryption functions in our cipher is at most 2k. Claim: The bijections are a group G under the operation (composition) Claim: If the encryptions of a cipher form a sub-group of G then iterated cipher does not increases security.Meet in the Middle Attack: Meet in the Middle Attack Double ciphers are rarely used due to this attack Attack requires Known plaintext 2k+1 encryptions and decryptions |k|2|k| storage space A square root of trivial attacking time at the expense of storageMeet in the Middle (cont.): Meet in the Middle (cont.) Given a plaintext-ciphertext pair (p,c) Compute & store the table of Dk2(c) for all k2 takes 2k decryptions, |k|2|k| storage. For every k1, test if Ek1(p) is in table Every hit gives a possible k1,k2 pair May have to repeat several times Meet in the middle is applicable to any iterated cipher, reducing the trivial processing time by 2k encryptionsTwo or Three Keys: Two or Three Keys Sometimes only two keys are used in 3-DES Identical key must be at beginning and end Legal advantage (export license) due to smaller overall key size Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standardAdversary’s Goals: Adversary’s Goals Final goal: recover key Intermediate goals: Reduce key space Discover plaintext patterns Recover portions of plaintext Change ciphertext to produce meaningful plaintext, without breaking the system (active attack)Generic Attacks: Generic Attacks Exhaustive search Type: ciphertext only Time: 2|k| decryptions per ciphertext Storage: constant Table lookup Type: chosen plaintext Time: offline 2|k| decryptions, online constant Storage: 2|k| ciphertexts The Problem : The Problem Break ECB mode (known fixed cleartext header) The idea: Define f(k) = Enck(constant) Invert f(k) New Problem: Invert f Time/Space Tradeoffs: Time/Space Tradeoffs 1st Simple solution: Time 2|k| - exhaustive search per message 2nd Simple solution: Precompute all 2|k| values of f(k) Store in lookup table (hash table) Requires O(1) time per inversion Requires space O(2|k|) Hellman (again): can we do better?: Hellman (again): can we do better? If it so happened that f is a permutation: Choose L=2|k|/2 random start points s1, …, sL For every such point, compute ti=f(f(…f(si)…)), repeated L times. Store a lookup table of values (ti,si), i=1, …, L, indexed by ti. Searching for k given f(k): Searching for k given f(k) Let s=x = f(k) Repeat until f(x) = s, if f(x) = s then x = k If x = ti for some i, let x = si otherwise let x = f(x) Claim: for an arbitrary permutation and arbitrary k, the probability that this inverts k is constantWhy?: Why? Values of f(k) on a small cycle will be inverted Consider what happens when we add the i’th chain (si, ti): If we cover a constant times L new values then we’re done If not, assume that the previous chains have covered less than a constant of the L2 values The uncovered values must themselves lie on chains whose average length is a constant times L (as all values lie on some chain) Thus, we have a constant probability of covering at least a constant fraction of L new values All this does not work when f is not a permutation: All this does not work when f is not a permutation Hellman’s ingenious idea: Don’t invert f(x), invert g(f(x)) for some known random function g. Obviously, if you can invert g(f(x)) then you can invert f(x). Note that if f is not a permutation then g(f) is not a permutation eitherInverting g(f(x)): Inverting g(f(x)) Not a permutation: Choose L=2|k|/3 random start points s1, …, sL For every such point, compute ti=f(f(…f(si)…)), repeated L times. Store a lookup table of values (ti,si), i=1, …, L, indexed by ti. Claim: we cover by chains at least a constant fraction of L2 = 22|k|/3 Consider the last chain added, we’ve covered at most 22|k|/3 values until now, so with constant probability, the new L=2|k|/3 values on the new chain will be entirely new. Hellman’s next idea: Hellman’s next idea Use many different g’s Every g will cover a random 22|k|/3 set of values. So, choose L=2|k|/3 g’s Space required: L2 = 22|k|/3 Time required: L2 = 22|k|/3 You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
Lecture 2 Petronilla Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 1928 Category: Entertainment License: All Rights Reserved Like it (0) Dislike it (0) Added: January 12, 2008 This Presentation is Public Favorites: 1 Presentation Description No description available. Comments Posting comment... By: srishti9 (25 month(s) ago) Can u pls let me download this presentation??I need it for a seminar as a part of my presentation Saving..... Post Reply Close Saving..... Edit Comment Close Premium member Presentation Transcript Slide1: Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block CiphersStream Ciphers: Stream Ciphers Start with a secret key (“seed”) Generate a keying stream i-th bit/byte of keying stream is a function of the key and the first i-1 ciphertext bits. Combine the stream with the plaintext to produce the ciphertext (typically by XOR)Example of Stream Encryption: = Example of Stream Encryption Key Ciphertext Stream Plaintext Example of Stream Decryption: Example of Stream Decryption = Key Plaintext Stream Ciphertext Real Cipher Streams: Real Cipher Streams Most pre-WWII machines German Enigma Linear Feedback Shift Register A5 – encrypting GSM handset to base station communication RC-4 (Ron’s Code)Terminology: Terminology Stream cipher is called synchronous if keystream does not depend on the plaintext (depends on key alone). Otherwise cipher is called asynchronous. Current Example: RC-4: Current Example: RC-4 Part of the RC family Claimed by RSA as their IP Between 1987 and 1994 its internal was not revealed – little analytic scrutiny Preferred export status Code released anonymously on the Internet Used in many systems: Lotus Notes, SSL, etc.RC4 Properties: RC4 Properties Variable key size stream cipher with byte oriented operations. Based on using a random looking permutation. 8-16 machine operations per output byte. Very long cipher period (over 10100). Widely believed to be secure. Used for encryption in SSL web protocol.RC-4 Initialization: RC-4 Initialization j=0 S0=0, S1=1, …, S255=255 Let the key be (bytes) k0,…,k255 (repeating bits if necessary) For i=0 to 255 j = (j + Si+ ki) mod 256 Swap Si and Sj RC-4 Key-stream Creation : RC-4 Key-stream Creation Generate an output byte B by: i = (i+1) mod 256 j = (j +Si) mod 256 Swap Si and Sj t = (Si + Sj) mod 256 B = St B is XORed with next plaintext byteBlock Ciphers: Block Ciphers Encrypt a block of input to a block of output Typically, the two blocks are of the same length Most symmetric key systems block size is 64 In AES block size is 128 Different modes for encrypting plaintext longer than a blockReal World Block Ciphers: Real World Block Ciphers DES, 3-DES AES (Rijndael) RC-2 RC-5 IDEA Blowfish, Cast GostECB Mode Encryption (Electronic Code Book): ECB Mode Encryption (Electronic Code Book) P1 Ek C1 P2 Ek C2 P3 Ek C3 encrypt each plaintext block separatelyProperties of ECB: Properties of ECB Simple and efficient Parallel implementation possible Does not conceal plaintext patterns Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks). CBC Mode Encryption (Cipher Block Chaining): CBC Mode Encryption (Cipher Block Chaining) P1 Ek C1 P2 Ek C2 P3 Ek C3 S0 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector S0 is used as a “seed” for the process. Seed can be “openly” transmitted. Properties of CBC: Properties of CBC Asynchronous stream cipher Errors in one ciphertext block propagate Conceals plaintext patterns No parallel implementation known Plaintext cannot be easily manipulated. Standard in most systems: SSL, IPSec etc.Slide17: OFB Mode (Output FeedBack) An initialization vector s0 is use as a ``seed'’ for a sequence of data blocks siProperties of OFB: Properties of OFB Synchronous stream cipher Errors in ciphertext do not propagate Pre-processing is possible Conceals plaintext patterns No parallel implementation known Active attacks by manipulating plaintext are possibleAES Proposed Modes: AES Proposed Modes CTR (Counter) mode (OFB modification): Parallel implementation, offline pre-processing, provable security, simple and efficient OCB (Offset Codebook) mode - parallel implementation, offline preprocessing, provable security (under specific assumptions), authenticity Strengthening a Given Cipher: Strengthening a Given Cipher Design multiple key lengths – AES Whitening - the DESX idea Iterated ciphers – Triple DES (3-DES), triple IDEA and so onTriple Cipher - Diagram: Triple Cipher - Diagram P Ek1 C Ek2 Ek3Iterated Ciphers: Iterated Ciphers Plaintext undergoes encryption repeatedly by underlying cipher Ideally, aach stage uses a different key In practice triple cipher is usually C= Ek1(Ek2(Ek1(P))) [EEE mode] or C= Ek1(Dk2(Ek1(P))) [EDE mode] EDE is more common in practiceNecessary Condition: Necessary Condition For some block ciphers iteration does not enhance security Example – substitution cipher Consider a block cipher: blocks of size b bits, and key of size k The number of all possible functions mapping b bits to b bits is (2b)2b Necessary Condition (cont.): Necessary Condition (cont.) The number of all possible encryption functions (bijections) is 2b! The number of encryption functions in our cipher is at most 2k. Claim: The bijections are a group G under the operation (composition) Claim: If the encryptions of a cipher form a sub-group of G then iterated cipher does not increases security.Meet in the Middle Attack: Meet in the Middle Attack Double ciphers are rarely used due to this attack Attack requires Known plaintext 2k+1 encryptions and decryptions |k|2|k| storage space A square root of trivial attacking time at the expense of storageMeet in the Middle (cont.): Meet in the Middle (cont.) Given a plaintext-ciphertext pair (p,c) Compute & store the table of Dk2(c) for all k2 takes 2k decryptions, |k|2|k| storage. For every k1, test if Ek1(p) is in table Every hit gives a possible k1,k2 pair May have to repeat several times Meet in the middle is applicable to any iterated cipher, reducing the trivial processing time by 2k encryptionsTwo or Three Keys: Two or Three Keys Sometimes only two keys are used in 3-DES Identical key must be at beginning and end Legal advantage (export license) due to smaller overall key size Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standardAdversary’s Goals: Adversary’s Goals Final goal: recover key Intermediate goals: Reduce key space Discover plaintext patterns Recover portions of plaintext Change ciphertext to produce meaningful plaintext, without breaking the system (active attack)Generic Attacks: Generic Attacks Exhaustive search Type: ciphertext only Time: 2|k| decryptions per ciphertext Storage: constant Table lookup Type: chosen plaintext Time: offline 2|k| decryptions, online constant Storage: 2|k| ciphertexts The Problem : The Problem Break ECB mode (known fixed cleartext header) The idea: Define f(k) = Enck(constant) Invert f(k) New Problem: Invert f Time/Space Tradeoffs: Time/Space Tradeoffs 1st Simple solution: Time 2|k| - exhaustive search per message 2nd Simple solution: Precompute all 2|k| values of f(k) Store in lookup table (hash table) Requires O(1) time per inversion Requires space O(2|k|) Hellman (again): can we do better?: Hellman (again): can we do better? If it so happened that f is a permutation: Choose L=2|k|/2 random start points s1, …, sL For every such point, compute ti=f(f(…f(si)…)), repeated L times. Store a lookup table of values (ti,si), i=1, …, L, indexed by ti. Searching for k given f(k): Searching for k given f(k) Let s=x = f(k) Repeat until f(x) = s, if f(x) = s then x = k If x = ti for some i, let x = si otherwise let x = f(x) Claim: for an arbitrary permutation and arbitrary k, the probability that this inverts k is constantWhy?: Why? Values of f(k) on a small cycle will be inverted Consider what happens when we add the i’th chain (si, ti): If we cover a constant times L new values then we’re done If not, assume that the previous chains have covered less than a constant of the L2 values The uncovered values must themselves lie on chains whose average length is a constant times L (as all values lie on some chain) Thus, we have a constant probability of covering at least a constant fraction of L new values All this does not work when f is not a permutation: All this does not work when f is not a permutation Hellman’s ingenious idea: Don’t invert f(x), invert g(f(x)) for some known random function g. Obviously, if you can invert g(f(x)) then you can invert f(x). Note that if f is not a permutation then g(f) is not a permutation eitherInverting g(f(x)): Inverting g(f(x)) Not a permutation: Choose L=2|k|/3 random start points s1, …, sL For every such point, compute ti=f(f(…f(si)…)), repeated L times. Store a lookup table of values (ti,si), i=1, …, L, indexed by ti. Claim: we cover by chains at least a constant fraction of L2 = 22|k|/3 Consider the last chain added, we’ve covered at most 22|k|/3 values until now, so with constant probability, the new L=2|k|/3 values on the new chain will be entirely new. Hellman’s next idea: Hellman’s next idea Use many different g’s Every g will cover a random 22|k|/3 set of values. So, choose L=2|k|/3 g’s Space required: L2 = 22|k|/3 Time required: L2 = 22|k|/3