EE 418 Network Security and Cryptography
Lecture #7, October 20, 2016
Perfect Secrecy and One-time Pads. Block and stream cipher. DES, Triple DES and AES. Modes of operation.

Lecture notes prepared by Professor Radha Poovendran.
Tamara Bonaci, Department of Electrical Engineering, University of Washington, Seattle

Outline:
1. Background: Uncertainty, entropy and conditional entropy
2. Perfect secrecy and one-time pads
3. Block and stream cipher
4. Data Encryption Standard (DES)
5. Triple DES
6. Advanced Encryption Standard (AES)
7. Encrypting large plaintexts: Modes of operation
   - Electronic Code Book (ECB) mode
   - Cipher Block Chaining (CBC) mode
   - Counter (CTR) mode

1 Background: Uncertainty, Entropy and Conditional Entropy

The idea of having knowledge (or information) about something is closely related to the idea of uncertainty. Intuitively, information increases as uncertainty decreases. To measure an increase in information, or a decrease in uncertainty, we typically use entropy. Before we can talk about entropy, though, let's briefly refresh our memory about probability.

1.1 Random Variable

Let's consider an experiment X with possible outcomes in some set $\mathcal{X}$. Let's assume that each outcome from that set has some probability of occurring. If that is the case, then we can talk about the outcome of the experiment as a random variable. Therefore, for every possible outcome $x \in \mathcal{X}$, we denote the probability that the outcome of the experiment is equal to $x$ as follows:

$$p_X(x) = p_x = \mathbb{P}[X = x] \quad (1)$$

For example, let's assume that we are rolling a six-sided fair die. Then the set of all possible outcomes is the numbers one through six, $\{1, 2, \ldots, 6\}$, and each of them is equally likely to occur. The probability of seeing any of the numbers 1 to 6 is:

$$p_X(1) = p_1 = \mathbb{P}[X = 1] = \mathbb{P}[X = 2] = \mathbb{P}[X = 3] = \mathbb{P}[X = 4] = \mathbb{P}[X = 5] = \mathbb{P}[X = 6] = \frac{1}{6}$$

1.2 Entropy

Let's now consider the following two simple experiments: rolling a six-sided die and rolling a ten-sided die. Intuitively, which of these two experiments has more uncertainty? If you guess the outcome of a roll for each die, you are more likely to be wrong with the ten-sided die than with the six-sided die. Therefore, the ten-sided die has more uncertainty.

Question: If this is our intuition about uncertainty, how do we measure it?
Answer: We typically measure uncertainty with entropy.

Definition 1: For each random variable X with outcomes $\mathcal{X} = \{x_1, \ldots, x_n\}$ having probabilities $p_1, \ldots, p_n$, an entropy H is a function satisfying the following conditions [2]:

1. For each set of non-negative numbers $p_1, \ldots, p_n$ with $p_1 + \cdots + p_n = 1$, the uncertainty is given by a number $H(p_1, \ldots, p_n)$.
2. H is a continuous function of the probability distribution, which means that a small change in the probability distribution does not cause a drastic change in uncertainty.
3. When all outcomes are equally likely, the uncertainty increases when there are more possible outcomes:
   $$H\left(\frac{1}{n}, \ldots, \frac{1}{n}\right) \le H\left(\frac{1}{n+1}, \ldots, \frac{1}{n+1}\right) \quad \forall n > 0$$
4. If the j-th outcome can be broken into two suboutcomes with probabilities $qp_j$ and $(1-q)p_j$, then the entropy increases by the uncertainty caused by the choice between the two suboutcomes, multiplied by the probability $p_j$ that we are in the j-th outcome to begin with:
   $$H(p_1, \ldots, qp_j, (1-q)p_j, \ldots, p_n) = H(p_1, p_2, \ldots, p_n) + p_j H(q, 1-q)$$

The function H(X) itself is defined as:

$$H(X) = -\sum_{x \in \mathcal{X}} p(x) \log_2 p(x) \quad (2)$$

1.3 Conditional Entropy H(Y|X)

In many cryptosystems, we want to know the uncertainty of the cryptographic key given knowledge of the ciphertext. This leads to the concept of conditional entropy, defined next.

Definition 2: Conditional entropy is the amount of information in a random variable Y, given that we know random variable X:

$$H(Y|X) = \sum_x p_X(x)\, H(Y|X = x) = -\sum_x \sum_y p_{X,Y}(x, y) \log_2 p_Y(y|x) \quad (3)$$

2 Perfect Secrecy and One-time Pads

Let's assume that we have a cryptosystem with the set of possible plaintexts $\mathcal{P}$, the set of possible ciphertexts $\mathcal{C}$ and the set of possible keys $\mathcal{K}$. Each plaintext in $\mathcal{P}$ has a certain probability of occurring, and some plaintexts are more likely than others. The choice of a key $K \in \mathcal{K}$ is always assumed to be independent of the choice of plaintext. The possible ciphertexts in $\mathcal{C}$ therefore take on various probabilities, depending on the probability distributions of $\mathcal{P}$ and $\mathcal{K}$.

The question that we are considering is: if an attacker intercepts a ciphertext y, how much information does (s)he obtain about the key? This question can be formalized by asking for the conditional entropy of the key K given that we know the ciphertext C, H(K|C). Initially, the entropy of the key is H(K); we are now investigating how much the knowledge of the ciphertext has decreased this uncertainty. This leads us to the definition of perfect secrecy.

Definition 3: A cryptosystem has perfect secrecy if knowing a ciphertext does not reveal anything about the chosen cryptographic key:

$$H(P|C) = H(P) \quad (4)$$

One-time pads are an example of a cryptographic system with perfect secrecy.

2.1 One-Time Pads

The one-time pad is a cryptosystem developed by Gilbert Vernam and Joseph Mauborgne around 1918. In this cryptosystem, we start by representing the message as a binary string, i.e., a sequence of zeros and ones. This can be accomplished by converting ASCII text to its binary representation, or by encrypting digitized video and audio signals. The key is a random sequence of zeros and ones of the same length as the message being encrypted. Encryption consists of XOR-ing the key to the message bit by bit. Once the key has been used for encryption, it is discarded and never used again.

Example 1: Let's assume that we are trying to encrypt the message 00101001 using the one-time pad key 10101100. The ciphertext is then found as follows:

   plaintext   00101001
   key         10101100
   ciphertext  10000101

Question 1: Why is the cryptographic key discarded after every use?
Because of the low computational load of a bitwise XOR operation, if a cryptographic key were used multiple times, both chosen-plaintext and chosen-ciphertext attacks would be very efficient at finding the key and compromising the confidentiality of the communication. Because of that, the key is not reused. Not reusing the key also guarantees that, even if part of a key is compromised, the rest of the system is still secure, since knowledge of a used key reveals nothing about the next key to be used.

Theorem 1. The one-time pad cryptosystem has perfect secrecy.
Proof. Please refer to Trappe and Washington, Section 14.4.

A disadvantage of one-time pads is that this cryptosystem requires a very long cryptographic key, which is in general expensive to generate and to transmit. Moreover, once such a key is used, it is discarded. To reduce the cost of key generation and transmission, various approximations to one-time pads are used. In those methods, a small input is typically used to generate a reasonably random sequence of zeros and ones. One such approximation method is the Linear Feedback Shift Register, which we consider next.

3 Block and Stream Cipher

A block cipher is a cryptosystem in which successive plaintext elements are encrypted using the same cryptographic key K. That is, the ciphertext string y is obtained as follows:

$$y = y_1 y_2 \cdots = e_K(x_1)\, e_K(x_2) \ldots \quad (5)$$

All of the cryptosystems that we have seen thus far (except one-time pads) are examples of block ciphers, where a successive plaintext element can be a single alphabetic character (e.g., Shift and Affine ciphers) or a block of several alphabetic characters (e.g., Vigenère and Hill ciphers).

The alternative to block ciphers are cryptosystems referred to as stream ciphers. The idea of a stream cipher is to generate a keystream $z = z_1 z_2 \ldots$ and then encrypt each successive element $x_i$ of the plaintext with a different key $z_i$:

$$y = y_1 y_2 \cdots = e_{z_1}(x_1)\, e_{z_2}(x_2) \ldots$$

In its simplest form, the keystream is independent of the plaintext, and it is generated from a single key K using some specified algorithm. This type of stream cipher is called a synchronous stream cipher.

Definition 4: A synchronous stream cipher is a tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{L}, \mathcal{E}, \mathcal{D})$, together with a function g, where:
   - $\mathcal{P}$ is a finite set of possible plaintexts,
   - $\mathcal{C}$ is a finite set of possible ciphertexts,
   - $\mathcal{K}$ is a finite set of possible keys (the keyspace),
   - $\mathcal{L}$ is a finite set called the keystream alphabet.

The function g is the keystream generator. It takes a key K as input and generates an infinite string $z_1 z_2 \ldots$ called the keystream, where $z_i \in \mathcal{L}$ for all $i \ge 1$. For every $z \in \mathcal{L}$ there exists an encryption rule $e_z \in \mathcal{E}$ and a corresponding decryption rule $d_z \in \mathcal{D}$ such that $d_z(e_z(x)) = x$ for every plaintext element $x \in \mathcal{P}$.

Note 1: Any block cipher can be viewed as a special case of a stream cipher in which the keystream is constant, $z_i = K$ for all $i \ge 1$.

Note 2: A stream cipher is a periodic stream cipher with period d if for all integers $i \ge 1$ it holds that:

$$z_{i+d} = z_i \quad (6)$$

3.1 Generating a Keystream: Linear Feedback Shift Register (LFSR)

Let's assume we are encrypting a plaintext represented using a binary alphabet.
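The following Python code is an added worked example for Sections 1.2, 1.3 and 2; it is not part of the lecture notes. It implements equations (2) and (3) directly, checks the dice intuition and the grouping property (condition 4 of Definition 1), and then tests the perfect-secrecy condition (4) on two constructed one-bit cryptosystems: a one-time pad with a uniformly random key bit, and the same XOR cipher with a biased key. The plaintext and key distributions are invented for illustration.

```python
# Added example (not from the lecture notes): entropy H(X), conditional entropy H(Y|X),
# and the perfect-secrecy condition H(P|C) = H(P) checked on two tiny cryptosystems.
# All distributions below are constructed for illustration only.
from itertools import product
from math import log2


def entropy(probs):
    """H(p_1, ..., p_n) = -sum p_i log2 p_i  (equation (2)); zero-probability terms add 0."""
    return -sum(p * log2(p) for p in probs if p > 0)


def split_outcome(probs, j, q):
    """Break outcome j into two suboutcomes with probabilities q*p_j and (1-q)*p_j (condition 4)."""
    probs = list(probs)
    pj = probs.pop(j)
    return probs[:j] + [q * pj, (1 - q) * pj] + probs[j:]


def conditional_entropy(joint):
    """H(Y|X) from a joint distribution {(x, y): p_{X,Y}(x, y)}  (equation (3)).

    H(Y|X) = -sum_x sum_y p(x,y) log2 p(y|x), with p(y|x) = p(x,y) / p_X(x).
    """
    p_x = {}
    for (x, _y), p in joint.items():
        p_x[x] = p_x.get(x, 0.0) + p
    return -sum(p * log2(p / p_x[x]) for (x, _y), p in joint.items() if p > 0)


def cipher_joint(plaintext_dist, key_dist, encrypt):
    """Joint distribution of (ciphertext, plaintext), with the key chosen independently of the plaintext."""
    joint = {}
    for (p, pp), (k, pk) in product(plaintext_dist.items(), key_dist.items()):
        c = encrypt(k, p)
        joint[(c, p)] = joint.get((c, p), 0.0) + pp * pk
    return joint


def equivocation(plaintext_dist, key_dist, encrypt):
    """Return (H(P), H(P|C)); perfect secrecy (equation (4)) means the two are equal."""
    joint = cipher_joint(plaintext_dist, key_dist, encrypt)
    return entropy(plaintext_dist.values()), conditional_entropy(joint)


# Constructed distributions: a fair six-sided and a fair ten-sided die.
SIX_SIDED = [1 / 6] * 6
TEN_SIDED = [1 / 10] * 10

# Constructed, skewed one-bit plaintext: 0 is three times as likely as 1.
PLAINTEXT = {0: 0.75, 1: 0.25}
UNIFORM_KEY = {0: 0.5, 1: 0.5}   # one-time pad: the key bit is uniformly random
BIASED_KEY = {0: 0.9, 1: 0.1}    # weak pad: the key bit is mostly 0


def xor_bit(k, p):
    """e_K(x) = x XOR K on a single bit."""
    return k ^ p


if __name__ == "__main__":
    print("H(six-sided die) =", entropy(SIX_SIDED))
    print("H(ten-sided die) =", entropy(TEN_SIDED))
    print("H(P), H(P|C) with uniform key:", equivocation(PLAINTEXT, UNIFORM_KEY, xor_bit))
    print("H(P), H(P|C) with biased key: ", equivocation(PLAINTEXT, BIASED_KEY, xor_bit))
```

With the uniform key bit, H(P|C) comes out equal to H(P): seeing the ciphertext bit tells the attacker nothing about the plaintext bit. With the biased key, H(P|C) drops well below H(P), which is exactly the loss of uncertainty that Definition 3 rules out.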
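The following Python code is an added example for Sections 2.1 and 3, not code from the lecture notes. It builds a synchronous stream cipher over the binary alphabet in the sense of Definition 4, with two keystream generators g: a one-time pad that draws fresh random key bits from the operating system, and a small binary LFSR of the kind Section 3.1 introduces. It reproduces Example 1, checks that decryption inverts encryption, measures the period of the LFSR keystream as in Note 2, and shows why a reused pad fails (Question 1): XORing two ciphertexts produced under the same key cancels the key and leaves the XOR of the two plaintexts. The LFSR length and tap positions are an assumed, illustrative choice; the sample messages are constructed.

```python
# Added example (not from the lecture notes): a synchronous binary stream cipher with two
# keystream generators, a one-time pad and a toy LFSR. Sample values are constructed.
import secrets


def bits_from_str(s):
    """'00101001' -> [0, 0, 1, 0, 1, 0, 0, 1]"""
    return [int(ch) for ch in s]


def str_from_bits(bits):
    return "".join(str(b) for b in bits)


def stream_encrypt(plaintext_bits, keystream):
    """y_i = e_{z_i}(x_i) = x_i XOR z_i for each keystream element z_i (Definition 4)."""
    return [x ^ z for x, z in zip(plaintext_bits, keystream)]


# XOR is its own inverse, so d_z(e_z(x)) = x uses the very same operation.
stream_decrypt = stream_encrypt


def otp_keystream(n):
    """g for the one-time pad: n uniformly random bits from the OS CSPRNG, to be used once."""
    return [secrets.randbits(1) for _ in range(n)]


def lfsr_keystream(state, taps, n):
    """g for a binary LFSR (assumed illustrative design): `state` is the key K as a list of
    bits, `taps` are state positions XORed together to form the bit shifted in at the end.
    Each step outputs the bit shifted out at position 0."""
    state = list(state)
    out = []
    for _ in range(n):
        out.append(state[0])
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]
    return out


def period(keystream):
    """Smallest d >= 1 with z_{i+d} = z_i for every i in the sample (Note 2), else None."""
    n = len(keystream)
    for d in range(1, n):
        if all(keystream[i + d] == keystream[i] for i in range(n - d)):
            return d
    return None


def two_time_pad_leak(c1, c2):
    """If c1 and c2 were made with the same key, c1 XOR c2 = p1 XOR p2: the key cancels."""
    return [a ^ b for a, b in zip(c1, c2)]


# Example 1 from the notes.
EXAMPLE_PLAINTEXT = bits_from_str("00101001")
EXAMPLE_KEY = bits_from_str("10101100")

# Constructed 4-bit LFSR key (initial state) and taps; with these taps the
# recurrence z_{i+4} = z_i XOR z_{i+1} has the maximal period 2^4 - 1 = 15.
LFSR_KEY = [1, 0, 0, 0]
LFSR_TAPS = [0, 1]

if __name__ == "__main__":
    c = stream_encrypt(EXAMPLE_PLAINTEXT, EXAMPLE_KEY)
    print("Example 1 ciphertext:", str_from_bits(c))
    k = otp_keystream(8)
    assert stream_decrypt(stream_encrypt(EXAMPLE_PLAINTEXT, k), k) == EXAMPLE_PLAINTEXT
    z = lfsr_keystream(LFSR_KEY, LFSR_TAPS, 40)
    print("LFSR keystream:", str_from_bits(z), "period:", period(z))
    other = bits_from_str("11110000")
    leak = two_time_pad_leak(stream_encrypt(EXAMPLE_PLAINTEXT, EXAMPLE_KEY),
                             stream_encrypt(other, EXAMPLE_KEY))
    print("c1 XOR c2 =", str_from_bits(leak), "== p1 XOR p2:", leak == two_time_pad_leak(EXAMPLE_PLAINTEXT, other))
```

The 4-bit LFSR repeats after 15 bits, which is why the notes call such generators an approximation to a one-time pad: the keystream is only as unpredictable as its short key and period allow. The one-time pad keystream has no period at all, but only if every key is fresh; the last lines show what an attacker learns the moment a pad is used twice.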
