COS433/Math 473: Cryptography
Mark Zhandry
Princeton University
Spring 2020
Announcements/Reminders
HW2 due September 29
• Submit through Gradescope
PR1 due October 6
Previously on COS 433…
Pseudorandom Functions
Functions that “look like” random functions
Syntax:
• Key space Kλ
• Domain Xλ
• Co-domain/range Yλ
• Function F: Kλ × Xλ → Yλ
Correctness: F is a function (deterministic)
Pseudorandom Functions
Security: a game between a challenger and the adversary. The adversary repeatedly sends queries x ∈ Xλ and receives answers y; at the end it outputs a guess b’ for the challenger’s bit b.

PRF-Exp0( , λ), b = 0: the challenger samples k ← Kλ and answers each query x with y ← F(k,x)

PRF-Exp1( , λ), b = 1: the challenger samples H ← Funcs(Xλ,Yλ) and answers each query x with y = H(x)
Using PRFs to Build Encryption
Sample r ← X, compute y = Fk(r), and set c = y ⊕ m
Ciphertext = (r, c)
Counter Mode
Sample r ← X. Message block i is XORed with Fk(r + i) for i = 1, 2, 3, 4, 5, … (the figure shows five blocks)
Ciphertext = (r, masked blocks)
Today
Block ciphers, more modes of operation
Begin constructing block ciphers/PRFs
Pseudorandom Permutations
Functions that “look like” random permutations
Syntax:
• Key space Kλ
• Domain = Range = Xλ
• Function F: Kλ × Xλ → Xλ
• Function F⁻¹: Kλ × Xλ → Xλ
Correctness: ∀k,x, F⁻¹(k, F(k, x)) = x
(also known as block ciphers)
Pseudorandom Permutations
Security: the same game as for PRFs. The adversary sends queries x ∈ Xλ, receives answers y, and outputs a guess b’ for the challenger’s bit b.

PRF-Exp0( , λ), b = 0: the challenger samples k ← Kλ and answers each query x with y ← F(k,x)

PRF-Exp1( , λ), b = 1: the challenger samples H ← Perms(Xλ,Xλ) and answers each query x with y = H(x)
PRP Security Definition
Definition: F is a secure PRP if, for all adversaries running in polynomial time, ∃ negligible ε such that:
| Pr[1 ← PRF-Exp0( , λ)] – Pr[1 ← PRF-Exp1( , λ)] | ≤ ε(λ)
Theorem: Assuming |Xλ| is super-polynomial, a PRP (F, F⁻¹) is secure iff F is secure as a PRF
Proof
Secure as PRP ⇒ Secure as PRF
• Assume a PRF adversary, and argue via hybrids

Hybrid 0: the challenger samples k ← K and answers each query x ∈ X with y ← F(k,x); the adversary outputs b’
Hybrid 1: the challenger samples H ← Perms(X,X) and answers each query x with y ← H(x)
Hybrid 2: the challenger samples H ← Funcs(X,X) and answers each query x with y ← H(x)

Hybrids 0 and 1 are indistinguishable by PRP security
Hybrids 1 and 2?
• In Hybrid 1, the adversary sees random distinct answers
• In Hybrid 2, the adversary sees random answers
• Except with probability ≈ q²/(2|Xλ|), random answers will be distinct anyway (q = number of queries)
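The last bullet is the PRP/PRF switching argument. As an added example (not part of the slides), the simulation below compares the answer distributions of the two hybrids: the natural distinguisher outputs 1 whenever it sees a repeated answer, which never happens in Hybrid 1, so its advantage is exactly Pr[some two answers collide in Hybrid 2]. The code estimates that advantage, compares it with the exact collision probability, and checks that the q²/2|Xλ| estimate from the slide is an upper bound. The function names and the parameters n = |Xλ| = 2^16, q = 200 are my choices.

```python
import random


def hybrid1_answers(q, n, rng):
    """Hybrid 1: q distinct queries answered by a random permutation on a set
    of size n, so the answers are uniformly random and pairwise distinct."""
    return rng.sample(range(n), q)


def hybrid2_answers(q, n, rng):
    """Hybrid 2: the same queries answered by a random function; the answers
    are independent, so a repeated answer is possible."""
    return [rng.randrange(n) for _ in range(q)]


def sees_collision(answers):
    """The distinguisher's test: did any two answers coincide?"""
    return len(set(answers)) < len(answers)


def birthday_bound(q, n):
    """The slide's estimate of Pr[two of q random answers collide]: ~q^2 / (2n).
    It is a union bound over the q(q-1)/2 pairs, so it is always >= the exact value."""
    return q * q / (2 * n)


def exact_collision_prob(q, n):
    """Pr[q independent uniform samples from n values are NOT all distinct]."""
    p_distinct = 1.0
    for i in range(q):
        p_distinct *= (n - i) / n
    return 1 - p_distinct


def collision_distinguisher_advantage(q, n, trials=3000, seed=0):
    """Advantage of 'output 1 iff some answer repeats':
    Pr[1 in Hybrid 2] - Pr[1 in Hybrid 1], estimated over `trials` runs of each game."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    p1 = sum(sees_collision(hybrid1_answers(q, n, rng)) for _ in range(trials)) / trials
    p2 = sum(sees_collision(hybrid2_answers(q, n, rng)) for _ in range(trials)) / trials
    return p2 - p1


if __name__ == "__main__":
    n, q = 2 ** 16, 200  # constructed parameters: |X| = 2^16, q queries
    print("q^2/2n bound   :", round(birthday_bound(q, n), 4))
    print("exact Pr[coll] :", round(exact_collision_prob(q, n), 4))
    print("simulated adv  :", round(collision_distinguisher_advantage(q, n), 4))
```

With |Xλ| super-polynomial and q polynomial, the same computation gives a negligible advantage, which is the content of the theorem; with a small domain such as 2^16 the distinguisher already wins with constant probability after a few hundred queries.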
Proof
Secure as PRF ⇒ Secure as PRP
• Assume a PRP adversary, and argue via hybrids
Proof essentially identical to other direction
How to use block ciphers for encryption
![Page 23: COS433/Math+473:+ Cryptographymzhandry/2020-Fall-COS433/... · 2020. 9. 24. · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocument.in/reader035/viewer/2022081411/60ac028da2ebf2146f4104a5/html5/thumbnails/23.jpg)
Counter Mode (CTR)
Sample IV at random. Message block i is XORed with Fk(IV + i) for i = 1, 2, 3, 4, 5, … (the figure shows five blocks)
Ciphertext = (IV, masked blocks)
Electronic Code Book (ECB)
Each block is encrypted independently: cᵢ = Fk(mᵢ)

ECB Decryption
mᵢ = F⁻¹k(cᵢ)

Security of ECB?
Is ECB mode CPA secure?
Is ECB mode one-time secure?

Security of ECB
(Figure: a plaintext image, its ECB-mode ciphertext, and the ideal ciphertext; identical plaintext blocks give identical ciphertext blocks, so the structure of the image remains visible under ECB)
Cipher Block Chaining (CBC) Mode
Sample IV at random. c₁ = Fk(m₁ ⊕ IV), and cᵢ = Fk(mᵢ ⊕ cᵢ₋₁) for i = 2, 3, … (the figure shows five blocks)
Ciphertext = (IV, c₁, c₂, …)
(For now, assume all messages are multiples of the block length)

CBC Mode Decryption
m₁ = F⁻¹k(c₁) ⊕ IV, and mᵢ = F⁻¹k(cᵢ) ⊕ cᵢ₋₁ for i ≥ 2
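As an added worked example (not code from the lecture), here are ECB, CBC and CTR exactly as defined on the slides, over a toy block cipher on 8-bit blocks built from a seeded shuffle. The toy cipher, the function names and the sample message are my own constructions; a seeded shuffle is a permutation but not a secure PRP, it only stands in for one. The point the example makes is the one the ECB picture shows: ECB is deterministic and maps equal plaintext blocks to equal ciphertext blocks, whereas CBC and CTR change with the IV.

```python
import random


def toy_prp(seed):
    """Toy keyed permutation on 8-bit blocks: the 'key' seeds a shuffle of the
    256 possible blocks. Constructed stand-in for a real PRP, not a secure cipher.
    Returns the forward table F and its inverse F_inv."""
    F = list(range(256))
    random.Random(seed).shuffle(F)
    F_inv = [0] * 256
    for x, y in enumerate(F):
        F_inv[y] = x
    return F, F_inv


# Blocks are single bytes, so a message is a bytes object with one block per byte.

def ecb_encrypt(F, m):
    return bytes(F[b] for b in m)                 # c_i = F_k(m_i)


def ecb_decrypt(F_inv, c):
    return bytes(F_inv[b] for b in c)             # m_i = F_k^{-1}(c_i)


def cbc_encrypt(F, m, iv):
    out, prev = bytearray(), iv
    for b in m:
        prev = F[b ^ prev]                        # c_i = F_k(m_i xor c_{i-1}), c_0 = IV
        out.append(prev)
    return bytes([iv]) + bytes(out)               # ciphertext = (IV, c_1, c_2, ...)


def cbc_decrypt(F_inv, c):
    iv, body = c[0], c[1:]
    out, prev = bytearray(), iv
    for b in body:
        out.append(F_inv[b] ^ prev)               # m_i = F_k^{-1}(c_i) xor c_{i-1}
        prev = b
    return bytes(out)


def ctr_encrypt(F, m, iv):
    # c_i = m_i xor F_k(IV + i). With 8-bit blocks the counter wraps after 256
    # blocks, so this toy only handles short messages (real CTR uses large blocks).
    return bytes([iv]) + bytes(b ^ F[(iv + i) & 0xFF] for i, b in enumerate(m, 1))


def ctr_decrypt(F, c):
    iv, body = c[0], c[1:]
    return bytes(b ^ F[(iv + i) & 0xFF] for i, b in enumerate(body, 1))


def equal_block_pairs(c):
    """Number of position pairs (i < j) whose ciphertext blocks are identical;
    under ECB this equals the number of equal plaintext-block pairs."""
    return sum(1 for i in range(len(c)) for j in range(i + 1, len(c)) if c[i] == c[j])


if __name__ == "__main__":
    F, F_inv = toy_prp(2020)
    m = b"AAAAAAAABBBBBBBB"                        # constructed message with heavy repetition
    c_ecb = ecb_encrypt(F, m)
    print("ECB:", c_ecb.hex(), "equal block pairs:", equal_block_pairs(c_ecb))
    print("CBC:", cbc_encrypt(F, m, 0x11)[1:].hex())
    print("CTR:", ctr_encrypt(F, m, 0x11)[1:].hex())
```

Encrypting the same message twice under ECB gives the same ciphertext; under CBC or CTR a different IV changes every block, which is why the chosen-plaintext game cannot be won by simply comparing ciphertexts.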
Theorem: If (F, F⁻¹) is a secure pseudorandom permutation and |Xλ| is super-polynomial, then CBC mode encryption is CPA secure.
Proof Sketch
Assume toward contradiction an adversary for CBC mode
Hybrids…

Hybrid 0: CBC-encrypt the left messages m0 with Fk (random IV, then Fk on each XORed block)
Hybrid 1: CBC-encrypt m0 as before, but every call to Fk is replaced by a call to a random permutation H
Hybrid 2: CBC-encrypt the right messages m1 with H
Hybrid 3: CBC-encrypt m1 with Fk

Hybrid 0,1 differ by replacing calls to F with calls to random permutation H
• Indistinguishable by PRP security
Same for Hybrids 2,3
All that is left is to show indistinguishability of 1,2
Proof Sketch
Idea:
• As long as, say, the sequence of left messages queried by the adversary does not result in two calls to H on the same input, all outputs will be random (distinct) outputs
• For each message, the first query to H will be uniformly random
• The second query gets XORed with the output of the first query to H ⇒ ≈ uniformly random
• Since queries to H are (essentially) uniformly random, the probability of querying the same input twice is exponentially small
• Ciphertexts will be essentially random
• True regardless of encrypting m0 or m1
Output Feedback Mode (OFB)
Sample IV at random. Keystream: y₁ = Fk(IV), yᵢ = Fk(yᵢ₋₁); then cᵢ = mᵢ ⊕ yᵢ
Ciphertext = (IV, c₁, c₂, …)
Turn block cipher into stream cipher

OFB Decryption
Regenerate the same keystream from IV: mᵢ = cᵢ ⊕ yᵢ

Cipher Feedback (CFB)
Sample IV at random. c₁ = m₁ ⊕ Fk(IV), and cᵢ = mᵢ ⊕ Fk(cᵢ₋₁) for i ≥ 2
Ciphertext = (IV, c₁, c₂, …)
Turn block cipher into self-synchronizing stream cipher

CFB Decryption
m₁ = c₁ ⊕ Fk(IV), and mᵢ = cᵢ ⊕ Fk(cᵢ₋₁) for i ≥ 2
Security of OFB, CFB modes
Security very similar to CBC
Define 4 hybrids
• 0: encrypt left messages
• 1: replace PRP with random permutation
• 2: encrypt right messages
• 3: replace random permutation with PRP
0,1 and 2,3 are indistinguishable by PRP security
1,2 are indistinguishable since ciphertexts are essentially random
Which Mode to Use?
Never use ECB
Otherwise, largely depends on application
• Some advantages/disadvantages to each
Parallelism
CTR mode: Enc, Dec easily parallelized ✓
CBC mode encryption: Enc not parallelizable ✘
CBC mode decryption: Dec parallelizable ✓
OFB mode: Enc, Dec not parallelizable ✘
CFB mode encryption: Enc not parallelizable ✘
CFB mode decryption: Dec parallelizable ✓
Lose Block During Transmission?
CTR mode decryption: message corrupted after deleted block ✘
Same for any mode that builds a stream cipher (e.g. OFB)
CBC mode decryption: lose one block, one more corrupted, rest fine ✓
Same for CFB
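As an added example (not from the slides), the code below implements OFB and CFB as defined earlier over a toy 8-bit block cipher, deletes one ciphertext block before decryption, and reports which blocks the receiver still recovers. It reproduces the two behaviours claimed above: in OFB, a stream cipher, every block after the lost one decrypts wrongly, while in CFB only the block right after the gap is corrupted and decryption resynchronizes from the next block on. The toy cipher is constructed as a single random 256-cycle so that it has no fixed points; that detail makes the OFB outcome certain rather than merely overwhelmingly likely. Cipher, helper names and the sample message are my constructions.

```python
import random


def toy_prp(seed):
    """Toy keyed permutation on 8-bit blocks (constructed stand-in for a real
    block cipher). Built as one random 256-cycle, so F[x] != x for every x."""
    order = list(range(256))
    random.Random(seed).shuffle(order)
    F = [0] * 256
    for i in range(256):
        F[order[i]] = order[(i + 1) % 256]
    return F


def ofb_keystream(F, iv, n):
    ks, y = [], iv
    for _ in range(n):
        y = F[y]                  # y_i = F_k(y_{i-1}), y_0 = IV
        ks.append(y)
    return ks


def ofb_encrypt(F, m, iv):
    return bytes([iv]) + bytes(b ^ y for b, y in zip(m, ofb_keystream(F, iv, len(m))))


def ofb_decrypt(F, c):
    iv, body = c[0], c[1:]
    return bytes(b ^ y for b, y in zip(body, ofb_keystream(F, iv, len(body))))


def cfb_encrypt(F, m, iv):
    out, prev = bytearray(), iv
    for b in m:
        prev = b ^ F[prev]        # c_i = m_i xor F_k(c_{i-1}), c_0 = IV
        out.append(prev)
    return bytes([iv]) + bytes(out)


def cfb_decrypt(F, c):
    iv, body = c[0], c[1:]
    out, prev = bytearray(), iv
    for b in body:
        out.append(b ^ F[prev])   # m_i = c_i xor F_k(c_{i-1})
        prev = b
    return bytes(out)


MODES = {"ofb": (ofb_encrypt, ofb_decrypt), "cfb": (cfb_encrypt, cfb_decrypt)}


def drop_block(c, j):
    """Simulate losing ciphertext block j (0-based) in transit; the IV survives."""
    body = c[1:]
    return c[:1] + body[:j] + body[j + 1:]


def blocks_recovered(mode, F, m, iv, j):
    """Encrypt m, delete block j, decrypt what arrives, and compare it block by
    block with the best the receiver could hope for: m with block j removed.
    Returns a list of booleans, True where the block decrypted correctly."""
    enc, dec = MODES[mode]
    recovered = dec(F, drop_block(enc(F, m, iv), j))
    expected = m[:j] + m[j + 1:]
    return [recovered[i] == expected[i] for i in range(len(expected))]


if __name__ == "__main__":
    F = toy_prp(7)
    m = bytes(range(65, 85))      # constructed 20-block message "ABC...T"
    for mode in ("ofb", "cfb"):
        ok = blocks_recovered(mode, F, m, 0x5A, 3)
        print(mode, "".join("." if good else "X" for good in ok))
```

The printed pattern shows the claim from the slide: OFB prints three good blocks followed by nothing but errors, CFB prints three good blocks, one error, and then all good blocks again, because the decryption of cᵢ depends only on cᵢ₋₁ and resynchronizes as soon as two consecutive received blocks are genuine neighbours.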
PRPs vs PRFs
In practice, PRPs are the central building block of most crypto
• Also PRFs
• Can build PRGs
• Very versatile

Constructing block ciphers
Difficulties
(2^n)! permutations on n-bit blocks ⇒ ≈ n·2^n bits to write down a random permutation
Reasonable for very small n (e.g. n < 20), but totally infeasible for large n (e.g. n = 128)
Challenge:
• Design permutations with small description that “behave like” random permutations
Difficulties
For a random permutation H, H(x) and H(x’) are (essentially) independent random strings
• Even if x and x’ differ by just a single bit
Therefore, for a random key k, changing a single bit of x should “affect” all output bits of F(k,x)
Definition: For a function H: {0,1}^n → {0,1}^n, we say that bit i of the input affects bit j of the output if, for random x₁, …, xᵢ₋₁, xᵢ₊₁, …, xₙ, letting y = H(x₁ … xᵢ₋₁ 0 xᵢ₊₁ … xₙ) and z = H(x₁ … xᵢ₋₁ 1 xᵢ₊₁ … xₙ), we have yⱼ ≠ zⱼ with probability ≈ 1/2

Theorem: If (F, F⁻¹) is a secure PRP, then (with “high” probability over the key k), for the function F(k,•), every bit of input affects every bit of output
Proof sketch:
• For random permutations this is true
• If bit i did not affect bit j, we can construct an adversary that distinguishes F from random
Confusion/Diffusion Paradigm
Goal: build permutation for large blocks from permutations for small blocks
• Small block perms can be made truly random
• Hopefully result is pseudorandom
Confusion/Diffusion Paradigm
First attempt: break blocks into smaller blocks, apply smaller permutation blockwise
Big blocks (e.g. λ = 128 bits) are split into small blocks (e.g. 8 bits); small block i goes through its own permutation fᵢ (f1, f2, …, f6 in the figure)
Key: description of f1, f2, …
Is this a secure PRP?
• Key size: ≈ (8 × 2^8) × (λ/8) = O(λ)
• Running time: a few table lookups, so efficient
• Security?
Confusion/Diffusion Paradigm
Second attempt: shuffle output bits
Apply f1, f2, …, f6 blockwise (confusion), then a permutation π of the bit positions across the whole block (diffusion)
Is this a secure PRP?
• Key size: ≈ 2^8·λ + λ·log λ
• Running time: a few table lookups
• Security?

Third attempt: repeat multiple times!
One round = the small permutations f1, …, f6 followed by π1; the next round uses fresh f7, …, f12 followed by π2; and so on
Confusion/Diffusion Paradigm
While a single round is insecure, we’ve made progress
• Each bit affects 8 output bits
With repetition, hopefully we will make more and more progress
With 2 rounds,
• Each bit affects 64 output bits
With 3 rounds, all 128 bits are affected
Repeat a few more times for good measure
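As an added example (my code, not the lecture’s), the substitution-permutation rounds just described on a 128-bit block with 16 random 8-bit permutations and a random bit shuffle per round, plus a measurement of the avalanche claims. For a flipped input bit it counts two things per number of rounds: how many output bits ever change (the 8 / 64 / 128 progression the slides describe) and how many change with probability ≈ 1/2, which is the definition of “affects” given earlier; the second count lags the first by a few rounds, which is the reason for the “repeat a few more times for good measure” advice. The key schedule, the sample counts and the tolerance band [0.35, 0.65] used to approximate “≈ 1/2” are my choices.

```python
import random

BLOCK_BITS = 128                      # "big block" (λ = 128 bits in the slides)
SBOX_BITS = 8                         # "small block" handled by one permutation f_i
N_SBOX = BLOCK_BITS // SBOX_BITS      # 16 small permutations per round


def keygen(seed, rounds):
    """Constructed toy key schedule: for every round, N_SBOX fresh random
    8-bit permutations (the f_i) and one random permutation pi of bit positions."""
    rng = random.Random(seed)
    key = []
    for _ in range(rounds):
        sboxes = []
        for _ in range(N_SBOX):
            table = list(range(1 << SBOX_BITS))
            rng.shuffle(table)
            sboxes.append(table)
        pi = list(range(BLOCK_BITS))
        rng.shuffle(pi)
        key.append((sboxes, pi))
    return key


def confuse(block, sboxes):
    """Apply f_i to the i-th 8-bit chunk of the block (held as a 128-bit int)."""
    out = 0
    for i, table in enumerate(sboxes):
        chunk = (block >> (SBOX_BITS * i)) & 0xFF
        out |= table[chunk] << (SBOX_BITS * i)
    return out


def diffuse(block, pi):
    """Move the bit at position src to position pi[src]."""
    out = 0
    for src in range(BLOCK_BITS):
        if (block >> src) & 1:
            out |= 1 << pi[src]
    return out


def encrypt(key, block):
    for sboxes, pi in key:            # one round = confusion, then diffusion
        block = diffuse(confuse(block, sboxes), pi)
    return block


def flip_fractions(key, i, samples=300, seed=1):
    """For input bit i: the fraction of random inputs on which flipping bit i
    flips output bit j, for every j (the y_j != z_j experiment of the definition)."""
    rng = random.Random(seed)
    flips = [0] * BLOCK_BITS
    for _ in range(samples):
        x0 = rng.getrandbits(BLOCK_BITS) & ~(1 << i)            # bit i = 0
        d = encrypt(key, x0) ^ encrypt(key, x0 | (1 << i))      # xor with bit i = 1
        for j in range(BLOCK_BITS):
            flips[j] += (d >> j) & 1
    return [f / samples for f in flips]


def avalanche(rounds_max=8, i=0, seed=2020):
    """For r = 1..rounds_max, a pair (touched, affected): output bits that ever
    change when input bit i flips, and output bits that change with probability
    ~1/2 (here: a flip fraction inside [0.35, 0.65])."""
    key = keygen(seed, rounds_max)
    result = []
    for r in range(1, rounds_max + 1):
        fr = flip_fractions(key[:r], i)
        touched = sum(1 for f in fr if f > 0)
        affected = sum(1 for f in fr if 0.35 <= f <= 0.65)
        result.append((touched, affected))
    return result


if __name__ == "__main__":
    for r, (touched, affected) in enumerate(avalanche(), 1):
        print(f"{r} round(s): {touched:3d} output bits touched, {affected:3d} affected with prob ~1/2")
```

After one round exactly the 8 output bits of one small permutation can change; after two rounds a multiple of 8 up to 64 (fewer when π sends two changed bits into the same small block); only with more rounds does every output bit flip with probability close to 1/2, the property a secure PRP must have.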