Pseudo-Random Functions

Upload: derick-mckinney

Post on 01-Jan-2016


Encryption as Permutation

• Assume cryptosystem correct and $P = C$
• If $x \neq x'$ then $E_K(x) \neq E_K(x')$
• So, no y is hit by more than one x
• Therefore all y are hit by some x
• $E_K$ is a permutation of plaintext space P
• There are $|P|!$ such permutations

[Figure: arrows from the 3-bit strings 000, 001, …, 111 onto the 3-bit strings 000, 001, …, 111]


Encryption as Permutation

• On the other hand, any permutation of P can be used to encrypt
  – Decryption consists of following the arrows in the backwards direction
• Symmetric encryption can be seen as just permuting the set of possible messages
  – The applied permutation is the key

[Figure: a permutation of the 3-bit strings 000, 001, …, 111 drawn as arrows]


Encryption as Permutation

• The more permutations are used for encryption, the less Oscar knows about which permutation is used
• Why not just use the set of all permutations as the key space?
• To encrypt L-bit strings there are $2^L$ plaintexts and thus $(2^L)!$ permutations
• Takes $b = \log_2((2^L)!) \sim L \cdot 2^L$ bits to write down one of the permutations ($\log(n!) \sim n \log(n)$)


Encryption as Permutation

L       Key length (bits)       Comparison
10      10,000
20      20,000,000
30      30,000,000,000          A long movie
40      $4 \cdot 10^{13}$       100 DVDs
50      $10^{17}$               1,000,000 DVDs
64      $10^{21}$               10,000,000,000 DVDs
128     $10^{41}$               Atoms in the atmosphere
256     $10^{79}$               Atoms in the universe
512     $10^{157}$              Atoms in $10^{78}$ universes
1024    $10^{311}$              ???


Encryption as Permutation

• For all practical cryptosystems the set of encryption functions consists of a relatively very small subset of the possible permutations of the plaintext space


Shift Cipher

• $P = K = Z_{26} = \{0, 1, \dots, 25\}$
• Encryption: $E_K(x) = x + K \bmod 26$
• Decryption: $D_K(y) = y - K \bmod 26$
• Correctness: follows from the rule: $(a + b \bmod N) + c \bmod N = a + (b + c \bmod N) \bmod N$
• Illustrated for K=3 (and 11 instead of 26):

[Figure: arrows from 0, 1, …, 10 to their images under a shift by 3]


Shift Cipher

• Can of course be seen as encryption of the English alphabet:

[Figure: the letters a, …, z mapped to A, …, Z, then shifted by 3 so that a→D, b→E, c→F, d→G, e→H, …, w→Z, x→A, y→B, z→C]


Electronic Codebook

• To encrypt a text, encrypt one letter at a time
• Known as electronic codebook (ECB)
• Not a very secure mode!

[Figure: "wheelbarrow" encrypted letter by letter with K = 3, giving ZKHHOEDUURZ]


Exhaustive Search

• The shift cipher has too few keys and can therefore be broken by trying them all:

[Figure: the ciphertext ZKHHOEDUURZ decrypted with K = 1, 2 and 3; K = 3 gives "wheelbarrow"]


Exhaustive Search

• The set of encryption functions should not be too small a subset of all permutations of the plaintext space

• Currently $2^{64}$ simple computational operations are considered infeasible to perform, so a key of 64 bits should be enough to protect against exhaustive search

• There are other reasons to have longer keys though!
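
The shift cipher, letter-at-a-time ECB encryption and the exhaustive search from the slides above, as a Python example added here (it is not part of the original slides). The function names and the three-word list `WORDS` are constructed for the illustration; `repeat_pattern` shows what ECB leaves visible, namely that repeated letters stay repeated.

```python
import string

ALPHABET = string.ascii_lowercase  # Z_26 written as letters: a=0, ..., z=25

def shift_encrypt(plaintext: str, key: int) -> str:
    """E_K(x) = x + K mod 26, one letter at a time (ECB); ciphertext in capitals."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext).upper()

def shift_decrypt(ciphertext: str, key: int) -> str:
    """D_K(y) = y - K mod 26, one letter at a time."""
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in ciphertext.lower())

def exhaustive_search(ciphertext: str, is_plausible) -> list:
    """Try all 26 keys and keep the (key, plaintext) pairs that look plausible."""
    found = []
    for key in range(26):
        candidate = shift_decrypt(ciphertext, key)
        if is_plausible(candidate):
            found.append((key, candidate))
    return found

def repeat_pattern(text: str) -> list:
    """Index of the first occurrence of each letter: the structure ECB preserves."""
    return [text.index(c) for c in text]

# Constructed word list standing in for "reads like English".
WORDS = {"wheelbarrow", "garden", "shovel"}

if __name__ == "__main__":
    ct = shift_encrypt("wheelbarrow", 3)
    print(ct, exhaustive_search(ct, WORDS.__contains__))
    print(repeat_pattern("wheelbarrow") == repeat_pattern(ct))
```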


Substitution Cipher

• $P = Z_{26} = \{0, 1, \dots, 25\}$
• K = set of permutations of $Z_{26}$
• Encryption: E(x) = (x)
• Decryption: D(y) = -1(x)
• Example key: (Z,G,A,O,N,…,C,X,I,Q)
  – (with letters instead of numbers)
• There are $> 2^{88}$ keys, so exhaustive search is impossible today
  – But can be broken using statistical analysis

[Figure: the letters a, b, c, d, e, …, w, x, y, z mapped to Z, G, A, O, N, …, C, X, I, Q]


Transposition

• $P = (Z_{26})^m = \{0, 1, \dots, 25\}^m$
• K = set of permutations of $\{1, \dots, m\}$
• K = $x = (x_1, \dots, x_m)$ $y = (y_1, \dots, y_m)$
• Encryption: E(x) = (x(1),…,x(m))
• Decryption: E(x) = (x(1),…,x(m))
  – Where = -1
• Number of keys: $m!$
  – Soon too large to fall prey to exhaustive search
  – But can easily be broken using other methods


Transposition Example

[Figure: the plaintext "wheelbarrow" transposed under a key K that permutes the positions 1, …, 5]


Friedman

• We encode a black and white photo as a bit-string by encoding black as 1 and white as 0
• We encrypt the bit-string with ECB mode and turn the resulting bit-string into a black and white image using the reverse encoding

[Figure: Friedman]


Substitution Example

• Substitution of 4-bit blocks
• #keys = $(2^4)!$
• 45-bit keys
  – $\log_2((2^4)!) \sim 45$

[Figure: the 16-bit block 0110 0011 0110 1101 passes through four "sub" boxes, giving 1101 1000 1101 0010]


Transposition Example

• Transposition of 16-bit blocks
• #keys = $16!$
• 45-bit keys
  – $\log_2(16!) \sim 45$

[Figure: a transposition between the 16-bit blocks 1111 1011 0111 1101 and 1101 1111 1011 0111]


Composition and Iteration

• Neither substitution of small blocks nor transposition is secure in itself
• A few rounds of substitution followed by transposition, however, turn out to do a good job
  – Substitution ensures that changing just one bit in the input makes four bits in output flip at random
  – Transposition spreads the changes
  – Iteration creates an avalanche effect
• The result is that each different 16-bit block is replaced by a completely random looking 16-bit block
• Idea behind modern symmetric cryptosystems
  – More about that when we look at AES


Compose+Iterate Example

[Figure: several rounds of four "sub" boxes applied to a 16-bit block, with some bits shown as "?"; panel caption: "After 5 rounds:"]


Compose+Iterate Example

• 45+45=90-bit keys
  – Withstands exhaustive search
• The result is a surprisingly good encryption of 16-bit blocks
• The remaining pattern is due to our use of ECB
  – Can be fixed by using CBC

[Figure: After 5 rounds]


Compose+Iterate Example

[Figure: 5 rounds + CBC]
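
The compose-and-iterate cipher described on the slides above, as a Python example added here rather than code from the original slides: 4-bit substitution and 16-bit transposition for 5 rounds, run in ECB and in CBC over a constructed image. The names `keygen`, `encrypt_block`, `ecb`, `cbc`, `avalanche` and `IMAGE`, the seed and the IV are assumptions of the example; CBC is the standard chaining mode, which the slides only name.

```python
import random

ROUNDS = 5  # "After 5 rounds" on the slides

def keygen(seed):
    """Key = (substitution of 4-bit values, transposition of 16 bit positions)."""
    rng = random.Random(seed)  # seeded only to make the demo repeatable
    sbox, perm = list(range(16)), list(range(16))
    rng.shuffle(sbox)
    rng.shuffle(perm)
    return sbox, perm

def encrypt_block(x, key):
    """Five rounds of substitution followed by transposition on a 16-bit block."""
    sbox, perm = key
    for _ in range(ROUNDS):
        x = sum(sbox[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))  # four "sub" boxes
        x = sum(((x >> i) & 1) << perm[i] for i in range(16))      # bit i -> perm[i]
    return x

def ecb(blocks, key):
    """Each block is encrypted on its own, so equal blocks stay equal."""
    return [encrypt_block(b, key) for b in blocks]

def cbc(blocks, key, iv):
    """Standard CBC chaining: c_i = E_K(p_i XOR c_(i-1)), with c_0 = iv."""
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(b ^ prev, key)
        out.append(prev)
    return out

def avalanche(key, trials=500, seed=1):
    """Average number of output bits that flip when one input bit flips."""
    rng, flipped = random.Random(seed), 0
    for _ in range(trials):
        x, bit = rng.randrange(1 << 16), 1 << rng.randrange(16)
        flipped += bin(encrypt_block(x, key) ^ encrypt_block(x ^ bit, key)).count("1")
    return flipped / trials

# Constructed "photo": white (0x0000) background with a black (0xFFFF) stripe.
IMAGE = [0x0000] * 6 + [0xFFFF] * 2 + [0x0000] * 6

if __name__ == "__main__":
    key = keygen(2016)  # arbitrary demo seed
    print("distinct ECB blocks:", len(set(ecb(IMAGE, key))))
    print("distinct CBC blocks:", len(set(cbc(IMAGE, key, iv=0x1234))))
    print("avg. bits flipped:  ", avalanche(key))
```

Under ECB the 14 image blocks collapse to two ciphertext values, so the stripe is still visible; under CBC the same blocks no longer repeat in that pattern.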


Pseudo-Random Functions

• The ideal block cipher would have all possible permutations as key
• The output of such a block cipher would be completely random
  – Actually F(1)=42 excludes that F(2)=42, but except for that there would be no structure
• This inspires the definition of a pseudo-random function (PRF)
• An encryption function $F_K$ is said to be a PRF if one cannot distinguish the outputs $F_K(x)$ from uniformly random outputs when K is random and one does not know K


Pseudo-Random Functions

• $F_{\{0,1\}^k} : \{0,1\}^L \to \{0,1\}^l$ is called a (t,)-PRF if the following two interactive algorithms are (t,)-IND
• Algorithm A:
  – Sample a uniformly random key K from $\{0,1\}^k$
  – On each input x in $\{0,1\}^L$ return $F_K(x)$
• Algorithm B:
  – For each x in $\{0,1\}^L$ sample a uniformly random y in $\{0,1\}^l$ and store it in a table T, i.e., let $T[x] \leftarrow y$
  – On each input x return y=T[x]
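
The two interactive algorithms above, as a Python example added here (not from the original slides), with a distinguisher that estimates how well it can tell Algorithm A from Algorithm B. The toy sizes L = l = 8, the two candidate functions `shift_F` and `hmac_F`, and all other names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def shift_F(key: bytes, x: int) -> int:
    """Shift cipher on bytes: F_K(x) = x + K mod 256 (a weak candidate)."""
    return (x + key[0]) % 256

def hmac_F(key: bytes, x: int) -> int:
    """HMAC-SHA256 truncated to one byte (a candidate assumed to be a PRF)."""
    return hmac.new(key, bytes([x]), hashlib.sha256).digest()[0]

def algorithm_A(F):
    """Sample a uniformly random key K, then answer each input x with F_K(x)."""
    key = secrets.token_bytes(16)
    return lambda x: F(key, x)

def algorithm_B():
    """Answer each input x with a uniformly random y, remembered in table T."""
    T = {}
    def oracle(x):
        if x not in T:  # lazy sampling: same distribution as filling T up front
            T[x] = secrets.randbelow(256)
        return T[x]
    return oracle

def distinguisher(oracle) -> int:
    """Guess 'Algorithm A' (return 1) when consecutive inputs give consecutive outputs."""
    return int((oracle(1) - oracle(0)) % 256 == 1)

def advantage(F, trials=2000) -> float:
    """Estimate |Pr[D = 1 | Algorithm A] - Pr[D = 1 | Algorithm B]|."""
    hits_A = sum(distinguisher(algorithm_A(F)) for _ in range(trials))
    hits_B = sum(distinguisher(algorithm_B()) for _ in range(trials))
    return abs(hits_A - hits_B) / trials

if __name__ == "__main__":
    print("shift cipher:", advantage(shift_F))  # close to 1: trivially distinguishable
    print("HMAC-SHA256: ", advantage(hmac_F))   # close to 0 for this distinguisher
```

A small estimate for `hmac_F` only says that this one distinguisher fails; the definition quantifies over every distinguisher within the time bound.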