CSE4303 Introduction to Computer Security (Lecture 8)

Block ciphers

Operate on PT one block at a time
Use same key for multiple blocks (with caveats)
Chaining modes intertwine successive blocks of CT (or not)

Security abstraction

View cipher as a Pseudo-Random Permutation (PRP)

Background: Pseudo-Random Function (PRF)

Defined over $(K,X,Y)$ :

F : K \times X \to Y

Such that there exists an efficient algorithm to evaluate $F(k,x)$ .

Let:

$\text{Funs}[X,Y]$ = set of all functions from $X$ to $Y$
$S_F = \{ F(k,\cdot) \mid k \in K \}$

Intuition:

A PRF is secure if a random function in $\text{Funs}[X,Y]$ is indistinguishable from a random function in $S_F$ .

Adversarial game:

Challenger samples $k \leftarrow K$
Or samples $f \leftarrow \text{Funs}[X,Y]$
Adversary queries oracle with $x \in X$
Receives either $F(k,x)$ or $f(x)$
Must distinguish

Goal: adversary’s advantage negligible

PRP Definition

Defined over $(K,X)$ :

E : K \times X \to X

Such that:

Efficient deterministic algorithm to evaluate $E(k,x)$
$E(k,\cdot)$ is one-to-one
Efficient inversion algorithm $D(k,y)$ exists

i.e., a PRF that is an invertible one-to-one mapping from message space to message space

Secure PRP

Let $\text{Perms}[X]$ be all permutations on $X$ .

Intuition:

A PRP is secure if a random permutation in $\text{Perms}[X]$ is indistinguishable from a random element of:

S_E = \{ E(k,\cdot) \mid k \in K \}

Adversarial game:

Challenger samples $k \leftarrow K$
Or $\pi \leftarrow \text{Perms}[X]$
Adversary queries $x \in X$
Receives either $E(k,x)$ or $\pi(x)$
Must distinguish

Goal: negligible advantage

Block cipher constructions

Feistel network

Given:

f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n

Build invertible function:

F : \{0,1\}^{2n} \to \{0,1\}^{2n}

Let input be split into $(L_0, R_0)$ .

Round $i$ :

L_i = R_{i-1}

R_i = L_{i-1} \oplus f_i(R_{i-1})

Invertibility

R_{i-1} = L_i

L_{i-1} = R_i \oplus f_i(L_i)

Thus Feistel is invertible regardless of whether $f_i$ is invertible.

Luby–Rackoff Theorem (1985)

If $f$ is a secure PRF, then 3-round Feistel is a secure PRP.

DES (Data Encryption Standard) — 1976

16-round Feistel network
64-bit block size
56-bit key
Round functions:

f_i(x) = F(k_i, x)

Round function uses:

S-box (substitution box) — non-linear
P-box (permutation box)

To invert: use keys in reverse order.

Problem: 56-bit keyspace too small today (brute-force feasible).

Substitution–Permutation Network (SPN)

Rounds of:

Substitution (S-box layer)
Permutation (P-layer)
XOR with round key

All layers invertible.

AES (Advanced Encryption Standard) — 2000

10 substitution-permutation rounds (128-bit key version)
128-bit block size

Each round includes:

ByteSub (1-byte S-box)
ShiftRows
MixColumns
AddRoundKey

Key sizes:

128-bit
192-bit
256-bit

Currently de facto standard symmetric-key cipher (e.g. TLS/SSL).

Block cipher modes

Challenge

Encrypt PTs longer than one block using same key while maintaining security.

ECB (Electronic Codebook)

Encrypt blocks independently:

c_i = E(k, m_i)

Problem:

If $m_1 = m_2$ , then:

c_1 = c_2

Not semantically secure.

Formal non-security argument

Two-block challenge:

Adversary submits:
- $m_0 = \text{"Hello World"}$
- $m_1 = \text{"Hello Hello"}$
If $c_1 = c_2$ , output 0; else 1

Advantage = 1

CPA model (Chosen Plaintext Attack)

Attacker:

Sees many PT/CT pairs under same key
Can submit arbitrary PTs

Definition:

\text{Adv}_{CPA}[A,E] = \left| \Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1] \right|

Must be negligible.

ECB fails CPA security.

Moral

If same secret key is used multiple times, given same PT twice, encryption must produce different CT outputs.

Secure block modes

Idea

Augment key with:

Per-block nonce
Or chaining data from prior blocks

CBC (Cipher Block Chaining)

c_1 = E(k, m_1 \oplus IV)

c_i = E(k, m_i \oplus c_{i-1})

IV must be random/unpredictable.

CFB (Cipher Feedback)

Uses previous ciphertext as input feedback into block cipher.

OFB (Output Feedback)

s_i = E(k, s_{i-1})

c_i = m_i \oplus s_i

Can pre-compute keystream.

Acts like stream cipher.

CTR (Counter Mode)

c_i = m_i \oplus E(k, \text{nonce} \| \text{counter}_i)

Encryption and decryption parallelizable.

Nonce must be unique.

GCM (Galois Counter Mode)

Most popular (“AES-GCM”)
Provides authenticated encryption
Confidentiality + integrity

Nonce-based semantic security

Encryption:

c = E(k, m, n)

Adversarial experiment:

Challenger picks $k$
Adversary submits $(m_{i,0}, m_{i,1})$ and nonce $n_i$
Receives $c_i = E(k, m_{i,b}, n_i)$
Nonces must be distinct

Definition:

\text{Adv}_{nCPA}[A,E] = \left| \Pr[\text{EXP}(0)=1] - \Pr[\text{EXP}(1)=1] \right|

In practice:

CBC: IV must be random
CTR/GCM: nonce must be unique but not necessarily random

Symmetric Encryption Summary

Stream Ciphers

Rely on secure PRG
No key re-use
Fast
Low memory
Less robust
No built-in integrity

Block Ciphers

Rely on secure PRP
Allow key re-use across blocks (secure mode required)
Provide authenticated encryption in some modes (e.g. GCM)
Slower
Higher memory
More robust
Used in most practical secure systems (e.g. TLS)