Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

Cryptography Engineering
CSIC30040 Spring 2023 Lecture 6

Berlekamp-Massey Algorithm
Semantic Security
From Stream Cipher to Block Ciphers
Jerry J. R. Shieh, PhD March 30 2023 Week 6
Dan Boneh
Outline
• Our final projects
• The second critique
• The hints to work out quiz 5
• Non-Semantic Security Example and its attack
• Block Cipher
Dan Boneh
Write a critique on one of the following
papers:
• Adrian, David, et al. “Imperfect forward secrecy: How Diffie-Hellman fails
in practice.” Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security. ACM, 2015.
• Text-only, about 1500+ words with lab will be plus.
• 1 to 5 persons
• Submit your Critigue by May 4, 2023 11:59 pm.
•
https://blog.gslin.org/archives/tag/hellman/
https://rishabhjainnsit.wordpress.com/2018/11/01/paper-review-imperfect-forward-secrecy-how-
diffie-hellman-fails-in-practice/
Grading components
Critique should contain the following:
1.Summary – answering these four questions in your own words:
What problem is the paper trying to solve?
Why does the problem matter?
What is the approach used to solve the problem?
What is the conclusion drawn from this work?
2. Strength(s) of the paper
3. Weakness(es) of the paper
4. Your own reflection, which can include but not limited to:
What did you learn from this paper?
How would you improve or extend the work if you were the author?
What are the unsolved questions that you want to investigate?
What are the broader impacts of this proposed technology?
5. Realization of a technical specification or algorithm as a program extra credit.
Cryptography is a very active research area that enabled many research domains (image
processing, big data, and also cloud computing) to design a feasible system.
We also focus on a wide range of research areas in cryptography because it plays an
important role in information security.
• A basic Password manager like 1Passwoed
https://crypto.stanford.edu/~dabo/cs255/ Stanford Winter 2023 with start code
• Message chat client like Line, Whatapp
https://crypto.stanford.edu/~dabo/cs255/ Stanford Winter 2023 with start code
• Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse
• How Can ChatGPT Help Crypto Adoption for example break AES ECB mode
https://github.com/topics/ecb?l=python
• Honey Encryption
https://github.com/danielzuot/honeyencryption
• Fully Homographic Encryptions
https://github.com/google/fully-homomorphic-encryption
• Algorithmic Personality Detection
https://github.com/Hardik3296/Personality-Detection-Decision-Tree
• Post Quantum Cryptography for the Internet
https://github.com/topics/ntruencrypt
• DNA cryptography
• Functional Encryption
https://www.youtube.com/watch?v=nY6INhmvuQE
• ZIP/RAR password cracker

https://github.com/The404Hacking/ZIP-Password-BruteForcerhttps
://github.com/SHUR1K-N/RARNinja-RAR-Password-Cracking-Utility
• Secure Voting may with block chain

https://github.com/microsoft/electionguard
• Using NIST SP 800-22 and NIST SP 800-90 to compare AES-256 GSM, ChaCha20-Poly1305, NIST Light Weight Encryption and NSA Simon,
Speck Cipher.
• https://github.com/inmcm/Simon_Speck_Ciphers
• A Merkle Tree used for sets of data, often one-time signatures or keys
https://github.com/piotrmurach/merkle_tree
• Low Bit Rate Advanced Secure Communication

• NIST Low Energy Light Weight Encryption for IoT
https://csrc.nist.gov/Projects/lightweight-cryptography
Why we need prime numbers at Crypto Engineering
• It’s the numbers that have factors (other than 1 and

themselves) but are very difficult to factor. You get such
numbers by multiplying together two very large primes.
• Numbers that are equally large but have more smaller factors
are very much easier to factor, and hence are unsuitable for
cryptography purposes
• for practical purposes, the difficulty of factoring a number
varies with the size of its smallest prime factor, regardless of
how big the number is, and so your prime factors need to be
as large as possible.
Dan Boneh
The Hint of Quiz 5
Problem 1
The Berlekamp–Massey algorithm is an algorithm that will find the shortest linear feedback shift
register (LFSR) for a given binary output sequence.
The algorithm will also find the minimal polynomial of a linearly recurrent sequence in an arbitrary
field.
1. Please white a program based on Berlekamp–Massey algorithm to find the shortest linear feedback
shift register (LFSR) for the given sequence down below.
• 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 0,
0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 1, 0, 0,
0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1,
0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1
You may refer http://bma.bozhu.me/

Problem 2
2. Find the sequence generation rule of 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233, 377, 610……….
3. Extra credit
Use Berlekamp–Massey algorithm to find out the sequence rule of 0, 1, 1, 2, 3, 5, 8, 13, 21, 34
HINT 0,1,1,2,3,5,8,13,21,34...
𝑠 𝑥 = 𝑥 8 + 𝑥 7 + 2𝑥 6 + 3𝑥 5 + 5𝑥 4 + 8𝑥 3 + 13𝑥 2 + 21𝑥 + 34
𝑟 𝑥 = 𝑥9
欲求次數小的c(x) 使得 f(x)r(x) + c(x)s(x) = b(x)，deg b < deg c
A B
列表
算式 f(x) c(x) b(x)
(1) 1 0 𝑥9
(2) 0 1 𝑥 8 + 𝑥 7 + 2𝑥 6 + 3𝑥 5 + 5𝑥 4 + 8𝑥 3 + 13𝑥 2 + 21𝑥 + 34
Dan Boneh
RECAP
Dan Boneh
Extend Euclidean Algorithm
• Public Key Generation:

– To compute the multiplicative inverse
• The public and private key pair at public key system
• The AES s-box maps an 8-bit input, c, to an 8-bit output, s = S(c).
• The input is mapped to its multiplicative inverse in GF(28) = GF(2)
[x]/(x8 + x4 + x3 + x + 1)
• Berlekamp-Massey Algorithm:
– Find the shortest linear-feedback shift register (LFSR) for a given binary
output sequence.
– Find the minimal polynomial of a linearly recurrent sequence in an
arbitrary field.
Dan Boneh
GCD(56,16) Euclidean Algorithm
Bezout’s theorem
Bézout's identity — Let a and b be integers with greatest common divisor d. Then there exist
integers x and y such that ax + by = d. More generally, the integers of the form ax + by are
exactly the multiples of d.
Ax + By = d
56x+15y=gcd(56,15) Extended
Dan Boneh
An asymmetric ciphers (RSA)
Example
Choose p = 3 and q = 11 (secret)
Compute n = p * q = 3 * 11 = 33
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Choose e such that 1 < e < φ(n) and e and n are coprime.
Let e = 7 RSA Key generation:
Compute a value for d such that (d * e) mod φ(n) = 1. How is multiplicative
inverse computed, i.e.
One solution is d = 3 [(3 * 7) mod 20 = 1] the private key?
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
The encryption of m = 2 is c = 27 mod 33 = 29
The decryption of c = 29 is m = 293 mod 33 =2
2023/3/29 14
Dan Boneh
Proof for the RSA Algorithm
• Cd ≡ (Me)d ≡ Med ≡ M1+kφ(n) ≡M1 Mkφ(n) (mod n)
• ≡M1 Mφ(n) k (mod n)
• By Euler’s theorem Mφ(n) (mod n)=1

• ed≡1 (mod φ (n)) ed=1+kφ(n)
15∙15 ≡ 225 ≡ 1 mod 56 15∙15=1+4∙56 Since 4X56=224
2023/3/29 15
Dan Boneh
INPUT 𝒂−𝟏 as input to Build S-BOX
𝒂−𝟏 b A 𝒂−𝟏 F
𝑎 From 01’s inverse to FF inverse
𝒂
1
00000000
1 𝑥4 + 𝑥3 + 𝑥 + 1
00000001 0001 1011
00000010 0
1 B
00000011 0
1
00011011 11001100 1 𝒂−𝟏
.1 B C C 0 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
. 0 1100 1100
. C C
. Inverse
11111111 𝐴𝑎−1 + 𝐹 = 𝑏 Input
𝐴𝑎−1 = 𝑏 + 𝐹
𝒐𝒗𝒆𝒓 (𝒙𝟖 + 𝒙𝟒 + 𝒙𝟑 + 𝒙 + 𝟏)
Dan Boneh
Dan Boneh
−1
How can we find 𝑎 Inverse 𝑎
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)
𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1
𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse
Dan Boneh
Extended Euclidean algorithm
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)
𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1
X Y
𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse
Dan Boneh
Polynomial Extended Euclidean Algorithm
多項式擴展歐幾里得算法
被除數 = (除數 ✕ 商數) + 餘數

ቊ
餘數 = 被除數 − (除數 ✕ 商數)
被除式 = (除式 ✕ 商式) + 餘式

ቊ
餘式 = 被除式 − (除式 ✕ 商式)
Remainder = Dividend – (Divisor x Quotient)
Dan Boneh
Euclidean Algorithm Extend Euclidean Algorithm Build Solution
Rewrite 56s+15t=GCD(56,15)
GCD(56,15) 56x+15y=gcd(56,15)
56(1)-15(3)=(11) 4 56s+15t=1
56=15(3)+(11)
15-11(1)=(4)
15=11(1)+(4) 3
4-3(1)=1
11-4(2)=(3)2
11= 4(2)+(3) 4-(3)=1
4-3(1)=(1) 1
4-(11-4(2))=1
4=3(1)+(1)
3=1(3)+(0) 4-11+(2)4=1
Big rule: 3(4)-11=1
Treat underlined 3(15-11)-11=1
GCD(56,15)=1 3∙15-3(11)-11=1
Number like
variable 3∙15-4(11)=1
4=3(1)+1 3∙15-4(56-(3)15)=1
-3(1) -3(1) x=-4 3∙15-4∙56+12∙15=1
2𝑥 + 𝑥 = 3𝑥
4-3(1)=(1) y=15 (-4)56+15∙15=1
2(11)+(11)=3(11) 15∙15=1+4∙56
Since 4X56=224 15∙15 ≡ 225 ≡ 1 modDan56Boneh
AX+BY=GCD(A,B)
商 (Quotient) A B GCD
5 13
0 1 y 13 被除數
x
1 x 0 y 5 除數
2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數

ቊ
Dan Boneh
AX+BY=GCD(A,B)
5 13
0 x 1 y 13 被除數
1 x 0 y 5 除數 (被除數)
2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)
1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

餘數 = 被除數 − (除數 ✕ 商數) ቊ
Dan Boneh
AX+BY=GCD(A,B)
5 13
0 x 1 y 13 被除數
1 x 0 y 5 除數 (被除數)
2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

<被除數>
1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

<除數>
1 -5 = -2 – 1x3 2 = 1 – 1x(-1) 1=3-2X1 <餘數>

餘數 = 被除數 − (除數 ✕ 商數) ቊ
Dan Boneh
AX+BY=GCD(A,B)
5 13
0 x 1 y 13 被除數
1 x 0 y 5 除數 (被除數)
2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

<被除數>
1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

<除數>
1 x -5 = -2 – 1x3 y 2 = 1 – 1x(-1) GCD 1=3-2X1 <餘數>
5x(-5) + 13x(2) = 1
5-1 mod 13 = -5 = 8
餘數 = 被除數 − (除數 ✕ 商數) mod 13 5 inverse 8
13-1 mod 5 =2
mod 5 13 inverse 2 Dan Boneh
AX+BY=GCD(A,B)
5 13
0 1 13 被除數
1 0 5 除數 (被除數)
2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

餘數 = 被除數 − (除數 ✕ 商數) <被除數>
1 3 = 1 – 1x(-2) -1 = 0 - 1x1 2=5-3X1 (餘數)
<除數>
1 -5 = -2 – 1x3 2 = 1 – 1x(-1) 1=3-2X1 <餘數>
AX+BY=GCD(A,B)=1
5x(-5) + 13x(2) = 1 5∙(13−5) = 40 = 1+3 X13 ≡1 mod 13
5-1 mod 13 = -5 = 8 mod 13 5 inverse 8

mod 5 13 inverse 2
13-1 mod 5 =2
Dan Boneh
−1
How can we find 𝑎 Inverse 𝑎
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)
𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1
𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse
Dan Boneh
Extended Euclidean algorithm
• (𝑥 4 +𝑥 3 + 𝑥 + 1)−1 𝑚𝑜𝑑 (𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1)
𝑥4 + 𝑥3 + 𝑥 + 1
𝑎 0001 1011 AX+BY=GCD(A,B)
1 B
A(x) (𝑥 4 + 𝑥 3 + 𝑥 + 1) + B(x) ( 𝑥 8 +𝑥 4 + 𝑥 3 + 𝑥 + 1) = 1
𝑥7 + 𝑥6 + 𝑥3 + 𝑥2
𝑎−1 1100
C
1100
C
Inverse
Dan Boneh
𝑥4 + 𝑥3 + 𝑥 + 1
餘數 = 被除數 − (除數 ✕ 商數) 0001 1011
1 B
商 (Quotient) A(x) B(x) GCD
𝒙𝟖 + 𝒙𝟒 + 𝒙𝟑 + 𝒙 + 𝟏 𝑥4 + 𝑥3 + 𝑥 + 1
1 0 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 被除式
0 1 𝑥4 + 𝑥3 + 𝑥 + 1 除式
(被除式)
𝑥4 + 𝑥3 + 𝑥2 + 1 1 = 1 - 0(𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 2 =𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1 餘式
= 0 – 1× (𝑥 4 + 𝑥 3 + 𝑥 2 + 1) -(𝑥 4 + 𝑥 3 + 𝑥 + 1) (𝑥 4 + (除式)
1) <被除式
𝑥 3 + 𝑥 2 + 1)
>
𝑥2 + 𝑥 𝑥 2 + 𝑥 = 0 – 1× (𝑥 2 + 𝑥) 𝑥6 + 𝑥3 + 𝑥2 + 𝑥 + 1 𝑥 + 1 = 𝑥 4 + 𝑥 3 + 𝑥 + 1- (餘式)
(𝑥 2 )(𝑥 2 + 𝑥) <除式>
= 1 − (𝑥 4 + 𝑥 3 + 𝑥 2 + 1)(𝑥 2
+ 𝑥)
𝑥+1 𝑥3 + 𝑥 + 1 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2 1 <餘式>
= 1 − (𝑥 2 + 𝑥)(𝑥 + 1) = 𝑥 + 𝑥3 + 𝑥2 + 1
4
𝑥 + 𝑥6 + 𝑥3 + 𝑥2
7
− 𝑥 6 + 𝑥 3 + 𝑥 2 + 𝑥 + 1 (𝑥 + 1)
1100 1100
X Y C C
inverse Dan Boneh

𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 𝑥4 + 𝑥3 + 𝑥 + 1
1 0 𝑥8 + 𝑥4 + 𝑥3 + 𝑥 + 1 被除式
0 1 𝑥4 + 𝑥3 + 𝑥 + 1 除式
(被除式)
𝑥4 + 𝑥3 + 𝑥2 + 1 1 = 1 - 0(𝑥 4 + 𝑥 3 + 𝑥 2 + 1) 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 2 =𝑥 8 + 𝑥 4 + 𝑥 3 + 𝑥 + 1 餘式
= 0 – 1× (𝑥 4 + 𝑥 3 + 𝑥 2 + 1) -(𝑥 4 + 𝑥 3 + 𝑥 + 1) (𝑥 4 + (除式)
𝑥 3 + 𝑥 2 + 1) <被除式
>
𝑥2 + 𝑥 𝑥 2 + 𝑥 = 0 – 1× (𝑥 2 + 𝑥) 𝑥6 + 𝑥3 + 𝑥2 + 𝑥 + 1 𝑥 + 1 = 𝑥 4 + 𝑥 3 + 𝑥 + 1- (餘式)
(𝑥 2 )(𝑥 2 + 𝑥) <除式>
= 1 − (𝑥 4 + 𝑥 3 + 𝑥 2 + 1)(𝑥 2
+ 𝑥)
𝑥+1 1 − (𝑥 2 + 𝑥)(𝑥 + 1) 𝑥7 + 𝑥6 + 𝑥3 + 𝑥2 1 <餘式>
= 𝑥3 + 𝑥 + 1 = 𝑥4 + 𝑥3 + 𝑥2 + 1 𝑥 + 𝑥6 + 𝑥3 + 𝑥2
7
− 𝑥 6 + 𝑥 3 + 𝑥 2 + 𝑥 + 1 (𝑥 + 1)
1100 1100
C C
inverse Dan Boneh
Berlekamp Massey Algorithm
• Given (part of) a (periodic) sequence, can find shortest LFSR
that could generate the sequence
• Then connection polynomial of s is of form
C(x) = cLxL + … + c2x2 + c1x + c0
• Berlekamp-Massey finds L and C(x)
• Berlekamp-Massey algorithm
– Order N2, where N is length of LFSR
– Iterative algorithm
– Only 2N consecutive bits required 32
Dan Boneh
33
Dan Boneh
Berlekamp-Massey Algorithm (Modified)
• Given binary sequences s=(s0, s1, s2, ……, sN-1)
• for example: 10110001
• We assume 10110001 are generated from a huge LFSR s(x)= x7 + x5 + x4 +1
• Since LFSR s(x) = x7 + x5 + x4 +1 guarantee generate 10110001
x7 x5 x4 1
1 0 1 1 0 0 0 1
1 0 1 1 0 0 0 1 X X
34
Dan Boneh
• Given binary sequences s=(s0, s1, s2, ……, sN-1)
• for example: 10110001
• We assume 10110001 are generated from a huge LFSR s(x)= x7 + x5 + x4 +1
• Since LFSR s(x) = x7 + x5 + x4 +1 guarantee generate 10110001
• s(x)c(x) mod x8
• Why mod x8 ? Since we assume the max stage is 8
• s(x)c(x) mod x8 c(x)=1
• Since s(x) and x8 are coprime c(x)=s(x)-1 mod x8 ?
• Extended Euclidean Algorithm
• aX+bY=gcd(a,b)
• s(x)X+r(x)Y=gcd(s(x),r(x)) where s(x)= x7 + x5 + x4 +1, r(x)= x8
35
Dan Boneh
找到一個除式產生以上那麼多的位元串24 -1!
𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8≡ 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 x7 x5 x4 1
1 0 1 1 0 0 0 1
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
(1) 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 0 ∙ 𝑥 8 + 𝑥 7 + 𝑥 5 + 𝑥 4 + 1
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
AX + BY
AX+BY=GCD(A,B)
AX+BY=GCD(A,B)
s 𝑥 𝑑 𝑥
Our goal GCD approach
𝐶 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥
Syndrome
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
A(x) 1 0 𝑥8
B(x) 0 1 𝑥 7 + 𝑥 5 +𝑥 4 + 1
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑤𝑖𝑙𝑙 𝑡ℎ𝑒 𝑟𝑒𝑚𝑖𝑛𝑑𝑒𝑟 𝑤ℎ𝑒𝑛 𝑑𝑖𝑣𝑖𝑒 𝑏𝑦 𝑥 8
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
(1) 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 0 ∙ 𝑥 8 + 𝑥 7 + 𝑥 5 + 𝑥 4 + 1
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
AX + BY AX+BY=GCD(A,B)

𝑥8 𝑥 7 + 𝑥 5 +𝑥 4 + 1
1 0 𝑥8 被除式
0 1 𝑥 7 + 𝑥 5 +𝑥 4 + 1 除式
(被除式)
𝑥 1 = 1 − 0 (𝑥) 𝑥 = 0 − 1 (𝑥) 𝑥 6 + 𝑥 5 + 𝑥= 餘式
𝑥 8 -(𝑥 7 + 𝑥 5 +𝑥 4 + 1) (𝑥) (除式)
<被除式
>
𝑥 𝑥 = 0 − 1(𝑥) 𝑥 2 + 1 = 1 − 𝑥(𝑥) 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1 = (餘式)

(𝑥 7 + 𝑥 5 + 𝑥 4 + 1) − <除式>
(𝑥 6 + 𝑥 5 + 𝑥 )(𝑥)
1 𝑥 + 1 = 1 − 𝑥 (1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥4+ 𝑥2 + 𝑥 + 1 = <餘式>

(𝑥 6 +𝑥 5 + 𝑥) − (𝑥 6 + 𝑥 5
+ 𝑥 4 + 𝑥 2 + 1)(1)
Dan Boneh

𝑥 𝑥 = 0 − 1(𝑥) 𝑥 2 + 1 = 1 − 𝑥(𝑥) 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1
= (𝑥 7 + 𝑥 5 + 𝑥 4 + 1)
− (𝑥 6 + 𝑥 5 + 𝑥)(𝑥)
1 𝑥 + 1 = 1 − 𝑥(1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥 4 + 𝑥 2 + 𝑥 + 1=(𝑥 6 +𝑥 5 + 被除式

𝑥) − (𝑥 6 + 𝑥 5 + 𝑥 4 + 𝑥 2 +
1)(1)
𝑥2 𝑥 3 + 𝑥 2 +𝑥 = 𝑥 − 𝑥 + 1 (𝑥 2 ) 𝑥 4 + 𝑥 3 +1 𝑥 5 + 𝑥 3 +1 除式
= 𝑥 2 + 1 − (𝑥 2 +𝑥 + 1)(𝑥 2 ) = (𝑥 6 + 𝑥 5 + 𝑥 4 + 𝑥 2 + 1) (被除式)
− (𝑥 4 + 𝑥 2 + 𝑥 + 1)(𝑥 2 )
𝑥 𝑥 3 =𝑥 3 + 𝑥 2 +𝑥 − 𝑥 + 1 (𝑥) 𝑥 4 + 𝑥 2 +𝑥 + 1 = 𝑥 4 + 𝑥 3 +1 − 𝑥2 + 𝑥 + 1 餘式
(𝑥 2 + 𝑥 + 1) (𝑥) = (𝑥 5 + 𝑥 3 + 1) (除式)
− 𝑥 4 + 𝑥 2 + 𝑥 + 1 (𝑥)
>
Dan Boneh
AX+BY=GCD(A,B)
s 𝑥 𝑑 𝑥
Our goal GCD approach
𝐶 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥
Syndrome
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
A(x) 1 0 𝑥8
0 1 Degree < 𝑥 7 + 𝑥 5 +𝑥 4 + 1
B(x)
1 𝑥
< 𝑥6 + 𝑥5 + 𝑥
𝑥 𝑥2 + 1 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1
<
𝑥+1 𝑥2 + 𝑥 + 1 𝑥 4+ 𝑥 2 + 𝑥 + 1
<
𝑥3 + 𝑥2 + 𝑥 𝑥 4+ 𝑥 3 + 1 𝑥 5 +𝑥 3 +1
<
𝑥3 𝑥 4+ 𝑥 2 + 𝑥 + 1 𝑥 2 + 𝑥 +1
> Then stop
𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥 𝑥 7 + 𝑥 6 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥 𝑥+1
= (𝑥 3 + 𝑥 2 + 𝑥 ) −(𝑥 3 )(𝑥 3 + 𝑥 2 + 𝑥 ) = (𝑥 4 + 𝑥 3 + 1 ) −(𝑥 4 + 𝑥 2 + 𝑥 + 1)(𝑥 3 + 𝑥 2 + 𝑥 ) = (𝑥 5 + 𝑥 3 + 1 )−(𝑥 2 + 𝑥 + 1) )(𝑥 3 + 𝑥 2 + 𝑥 )
𝑥 3 −(𝑥 6 + 𝑥 5 +𝑥 4 +𝑥 3 +𝑥 2 + 𝑥) ∙ 𝑥 4 + 𝑥 2 + 𝑥 + 1 −(𝑥 7 + 𝑥 6 +𝑥 4 + 𝑥 3 + 𝑥 2 + 𝑥) ∙ 𝑥 1 = 𝑥 2 +𝑥 + 1 − 𝑥 + 1 ∙ 𝑥
𝑥
𝑥 7 + 𝑥 5 +𝑥 4 + 1
𝑥8
𝑉 𝑋 𝑟 𝑋
=𝑞 𝑋 +
𝑔 𝑋 𝑔 𝑋
If 𝑟 𝑋 = 0,
𝑉 𝑋 𝑟 𝑋 then 𝑞 𝑋 𝑔 𝑋 = 𝑉 𝑋
− =𝑞 𝑋
𝑔 𝑋 𝑔 𝑋
𝑉 𝑋 −𝑟 𝑋 =𝑞 𝑋 𝑔 𝑋
𝑥 4+ 𝑥 2 + 𝑥 + 1
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 𝑚𝑜𝑑 𝑥 8 ≡ 𝑏 𝑥 𝑟 𝑋
𝑐 𝑥 𝑥 7 + 𝑥 5 + 𝑥 4 + 1 = 𝑓 𝑥 ∙ 𝑥 8 + 𝑏(x)
𝑓 𝑥 ∙ 𝑥8 + 𝑐 𝑥 𝑥7 + 𝑥5 + 𝑥4 + 1 = 𝑏 𝑥
GF(2) 乘法等於 Shift and XOR
x7 x6 x5 x4 x3 x2 x 1 C(x)
S(x) 1 0 1 1 0 0 0 1 1 𝑎𝑛+4
找到一個遞迴
1 0 1 1 0 0 0 1 x 𝑎𝑛+2 式可以滿足
1 0 1 1 0 0 0 1 x2 𝑎𝑛+1 10110001
1 0 1 1 0 0 0 1 這個序列
x4 𝑎𝑛
S(x)C( 1 0 0 0 0 0 0 0 0 1 1 1
x)
1. 1 0 1 1 0 0 0 1 都符合 𝑎𝑛+4 ⨁𝑎𝑛+2 ⨁𝑎𝑛+1 = 𝑎𝑛

2. 1 0 1 1 0 0 0 1 而𝑎𝑛+4 ⨁𝑎𝑛+2 ⨁𝑎𝑛+1 ⨁𝑎𝑛 = 0
3. 1 0 1 1 0 0 0 1
1 0 1 0 => 0 𝑥 4 + 𝑥 2 +𝑥 + 1 = 0
0 1 1 0 => 0
42 1 1 0 0 => 0
1 0 0 1 => 0
n
Let G:K ⟶ {0,1} be a PRG
Goal: define what it means that
is “indistinguishable” from
Dan Boneh
Statistical Tests
Statistical test on {0,1}n:
an alg. A s.t. A(x) outputs “0” or “1”
Examples:
Dan Boneh
Statistical Tests
More examples:
Dan Boneh
Advantage
Let G:K ⟶{0,1}n be a PRG and A a stat. test on {0,1}n
Define:
A silly example: A(x) = 0 ⇒ AdvPRG [A,G] = 0 Dan Boneh

Suppose G:K ⟶{0,1}n satisfies msb(G(k)) = 1 for 2/3 of keys in K
Define stat. test A(x) as:

if [ msb(x)=1 ] output “1” else output “0”
Then
AdvPRG [A,G] = | Pr[ A(G(k))=1] - Pr[ A(r)=1 ] | =
| 2/3 – 1/2 | = 1/6
Dan Boneh
Secure PRGs: crypto definition
Def: We say that G:K ⟶{0,1}n is a secure PRG if
Are there provably secure PRGs?

but we have heuristic candidates.
Dan Boneh
Easy fact: a secure PRG is unpredictable
We show: PRG predictable ⇒ PRG is insecure
Suppose A is an efficient algorithm s.t.
for non-negligible ε (e.g. ε = 1/1000)
Dan Boneh
Easy fact: a secure PRG is unpredictable
Define statistical test B as:
Dan Boneh
Thm (Yao’82): an unpredictable PRG is secure
Let G:K ⟶{0,1}n be PRG
“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable at pos. i

then G is a secure PRG.
If next-bit predictors cannot distinguish G from random

then no statistical test can !!
Dan Boneh
Let G:K ⟶{0,1}n be a PRG such that
from the last n/2 bits of G(k)
it is easy to compute the first n/2 bits.
Is G predictable for some i ∈ {0, … , n-1} ?
Yes
No
More Generally
Let P1 and P2 be two distributions over {0,1}n
Def: We say that P1 and P2 are

computationally indistinguishable (denoted )
R
Example: a PRG is secure if { k ⟵K : G(k) } ≈p uniform({0,1}n)
Dan Boneh
End of Segment
Dan Boneh
Online Cryptography Course Dan Boneh
Stream ciphers
Semantic security
Goal: secure PRG ⇒ “secure” stream cipher

Dan Boneh
What is a secure cipher?
Attacker’s abilities: obtains one ciphertext (for now)
Possible security requirements:

attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext
Recall Shannon’s idea:

CT should reveal no “info” about PT
Dan Boneh
Recall Shannon’s perfect secrecy
Let (E,D) be a cipher over (K,M,C)
(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } = { E(k,m1) } where k⟵K
(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } ≈p { E(k,m1) } where k⟵K
… but also need adversary to exhibit m0, m1 ∈ M explicitly

Dan Boneh
Semantic Security (one-time key)
For b=0,1 define experiments EXP(0) and EXP(1) as:
b
Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  E(k, mb)
b’  {0,1}
for b=0,1: Wb := [ event that EXP(b)=1 ]
Pr(b’=1|b=0) Pr(b’=1|b=1)
AdvSS[A,E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]
Dan Boneh
Semantic Security (one-time key)
Def: E is semantically secure if for all efficient A
AdvSS[A,E] is negligible.
⇒ for all explicit m0 , m1  M : { E(k,m0) } ≈p { E(k,m1) }
Dan Boneh
Examples
Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure. m0 00000000
b{0,1} m1 11111111
m0, LSB(m0)=0
Chal. Adv. B (us)
m1, LSB(m1)=1
kK
C E(k, mb) C Adv. A
(given)
m0 00000000
m1 11111111
C1 10110101 LSB(mb)=b
Pr(b’=1|b=0) Pr(b’=1|b=1)
Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] |= |0 – 1| = 1
Dan Boneh
OTP is semantically secure
EXP(0): Chal. m0 , m1  M : |m0| = |m1| Adv. A
kK
c  k⊕m0 b’  {0,1}
identical distributions
Chal. m0 , m1  M : |m0| = |m1| Adv. A

EXP(1):
kK
c  k⊕m1 b’  {0,1}
For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] |= 0

Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
Stream ciphers are
semantically secure
Goal: secure PRG ⇒ semantically secure stream cipher

Dan Boneh
Stream ciphers are semantically secure
Thm: G:K ⟶{0,1}n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.
∀ sem. sec. adversary A , ∃a PRG adversary B s.t.
AdvSS[A,E] ≤ 2 ∙ AdvPRG[B,G]
Dan Boneh
𝑎0 , 𝑎1 , 𝑎2 , 𝑎3 , 𝑎4 , 𝑎5 , 𝑎6 , 𝑎7 , 𝑎8 , 𝑎9 , 𝑎10 ………………..
0 0 0 1 0 0 1 1 0 1 0 …………………….. Q4
Q D
Q3
Q D
Q2
Q D
Q1
Q D
CLK
0 0 0 1
其實是𝑎𝑛+4 = 𝑎𝑛+1 + 𝑎𝑛 的數列
再由數列生成行多項式
𝑎𝑛 = 𝑟 𝑛 , 𝑟待定 𝑟 𝑛+4 = 𝑟 𝑛+1 + 𝑟 𝑛 , 𝑟 4 = 𝑟 + 1 𝑥 4= 𝑥 + 1
Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
chal. adv. A chal. adv. A
kK c  m0 ⊕ G(k) ≈p r{0,1}n c  m0 ⊕ r
b’≟1 b’≟1
Pr(b’=1|b=0) Pr(b’=1|b=1) ≈p
m0 , m1 m0 , m1
kK c  m1 ⊕ G(k) ≈p r{0,1}n c  m1 ⊕ r
b’≟1 b’≟1
Dan Boneh
Proof: Let A be a sem. sec. adversary.
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ G(k)
b’  {0,1}
For b=0,1: Wb := [ event that b’=1 ].
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)
Dan Boneh
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ r
b’  {0,1}
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)
For b=0,1: Rb := [ event that b’=1 ]
Dan Boneh
Claim 1: |Pr[R0] – Pr[R1]| =

Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| =
Pr(b’=1|b=0) Pr(b’=1|b=1)
0 Pr[W0] Pr[Rb] Pr[W1] 1
⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2 ∙ AdvPRG[B,G]

Dan Boneh
Proof of claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]
Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c  m0⊕y (given)
b’ ∈ {0,1}
AdvPRG[B,G] =
Dan Boneh
End of Segment
Dan Boneh
Stream ciphers
semantic insecure
case
Goal: secure PRG ⇒ semantically secure stream cipher

Dan Boneh
Dan Boneh
Chosen Plaintext Attack 嘗試送出明文，由密文知道加
密邏輯
Encryption ATTACKER
Algorithm cryptanalyst
Dan Boneh
Chosen Plaintext Attack 嘗試送出明文，由密文知道加
密邏輯
以 Huffman Coding作為加密為例 ATTACKER

Cryptanalyst
ATTACKER
連續送出
EEEEEEE或
0000000明文
Dan Boneh
Using Huffman Coding as an
Encryption Algorithm
• In Huffman coding, you assign shorter
codes to symbols that occur more
frequently and longer codes to those that
occur less frequently.
• For example:
Character A B C D E
------------------------------------------------------
Frequency 17 12 12 27 32
Table Frequency of characters
Dan Boneh
Figure 15-4
Huffman
coding
Dan Boneh
Figure 15-5
Final tree and code
Dan Boneh
Figure 15-6
Huffman
encoding
Dan Boneh
Figure 15-7
Huffman
decoding
Dan Boneh
Figure 15-7
Huffman
decoding
11:A 101:B
01:D 100:C
00:E
Dan Boneh
Figure 15-7
Huffman
decoding
Dan Boneh
ATTACKER 嘗試送出明文讓ATTACKER由密文
知道加密邏輯使其失效
以 Huffman Coding作為加密為例 ATTACKER

Cryptanalyst
ATTACKER
連續送出
EEEEEEE或
0000000明文
Dan Boneh
Figure 15-6
Using Huffman encoding as Encryption

Algorithm is NOT Semantic Secure it will be
broken easily…….
11:A 101:B
01:D 100:C Black
EEEEEEEEEEEEEEEEEEEEEEEEE
00:E Box
00000000000000000000000
Dan Boneh
Figure 15-6
Using Huffman encoding as Encryption

Algorithm is NOT Semantic Secure it will be
broken easily…….
Black
AAAAAAAAAAAAAA
Box
111111111111111111
Dan Boneh
End of Segment
Dan Boneh
Dan Boneh
Block ciphers
What is a block cipher?
Dan Boneh
4 = x4 mod x4 + x + 1
= x4 xor x4 + x + 1
=x+1
4-bit LFSR
0
(1)
0
0
Q D
0
Q D
0Q D
1Q D
0001
0010
Q4 Q3 Q2 Q1
0100
0 xor 1 = 1 (2)
1 (3) 1 (3) 1000
CLK 0011
0 0 0 1 0 0110
xor 0 0 0 0 0 1100
• Circuit counts through 24-1 different non- 0 0 0 1 0 0 1011
xor 0 0 0 0 0
zero bit patterns. 0101
0 0 1 0 0 0 1010
• Left most bit determines shift or more xor 0 0 0 0 0 0111
complex operation 0 1 0 0 0 0 1110
xor 1 0 0 1 1
• Can build a similar circuit with any 0 0 0 1 1 0
1111
1101
number of FFs, may need more xor gates. xor 0 0 0 0 0 1001
• In general, with n flip-flops, 2n-1 different 0 0 1 1 0 0 0001
xor 0 0 0 0 0
non-zero bit patterns.
0 1 1 0 0 0
• (Intuitively, this is a counter that wraps Q4 Q3 Q2 Q1 xor 1 0 0 1 1
around many times and in a strange way.) 0 1 0 1 1
89
Dan Boneh
Block ciphers: crypto work horse
n bits n bits
PT Block E, D CT Block
Key k bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
key k
key expansion
k1 k2 k3 kn
R(kn, )
R(k1, )
R(k2, )
R(k3, )
m c
R(k,m) is called a round function

for 3DES (n=48), for AES-128 (n=10)
Dan Boneh
Dan Boneh
Performance: Crypto++ 5.6.0 [ Wei Dai ]
AMD Opteron, 2.2 GHz ( Linux)
Cipher Block/key size Speed (MB/sec)

RC4 126
stream
Fast
Salsa20/12 643
Sosemanuk 727
3DES 64/168 13
block
Slow
AES-128 128/128 109
Dan Boneh
Abstractly: PRPs and PRFs
Dan Boneh
• A Pseudo Random Function is a function that is
indistinguishable from a function selected at random from the
set of all functions with the same domain and value set.
• A Pseudo Random Permutation is, similarly, a bijective
function that is indistinguishable from a bijective function
selected at random from the set of all bijective functions over
the same domain. For instance, a cryptographically secure
block cipher parametrized by a secret key is a PRP.
• The term PRG is on the other hand, most commonly used for stateful functions that are used for generating
successive pseudo random strings, e.g. to be used as a key, iv, salt, nonce etc. (TRNG/PRNG)
Dan Boneh
Abstractly: PRPs and PRFs
• Pseudo Random Function (PRF) defined over (K,X,Y):
F: K  X → Y
虛擬隨機函數定義一個金鑰空間一個輸入空間以及一個輸出空間
它輸入一個K中的元素一個X中的元素輸出一個Y中的元素
such that exists “efficient” algorithm to evaluate F(k,x)
• Pseudo Random Permutation (PRP) defined over (K,X):

E: K  X → X
such that:
1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
2. The function E( k,  ) is one-to-one 一一對應可逆的
3. Exists “efficient” inversion algorithm D(k,y) 一個高效的反演演算法解密
Dan Boneh
PRF PRP
DES
Dan Boneh
X
PRF AES
PRP
Dan Boneh
Running example
• Example PRPs: 3DES, AES, …
AES: K  X → X where K = X = {0,1}128
3DES: K  X → X where X = {0,1}64 , K = {0,1}168
• Functionally, any PRP is also a PRF.

– A PRP is a PRF where X=Y and is efficiently invertible.
Dan Boneh
Secure PRFs
• Let F: K  X → Y be a PRF
Funs[X,Y]: the set of all functions from X to Y
SF = { F(k,) s.t. k  K }  Funs[X,Y]
• Intuition: a PRF is secure if

a random function in Funs[X,Y] is indistinguishable from
a random function in SF
SF
Funs[X,Y]
|X|
Size |Y|
Size |K|
Dan Boneh
Dan Boneh
所有128 bit 進128 bit 出的函數有幾個？
Dan Boneh
所有128進128出的函數有幾個？
2128
128
•2
Funs[X,Y]
|X|
Size |Y|
Dan Boneh
先看所有2進2出的函數有幾個？
• 00 00
• 01 01
• 10 10
• 11 11
Dan Boneh
先看所有2進2出的函數有幾個？
• 00 00
• 01 01
• 10 10
• 11 11
2
4 22
• 4∗4∗4∗4=4 2
Dan Boneh
所有128進128出的函數有幾個？
2128
128
•2
Funs[X,Y]
|X|
Size |Y|
Dan Boneh
以假亂真
THE GOAL FOR SECURE PRF/PRP
Dan Boneh
Stream ciphers are semantically secure
Thm: G:K ⟶{0,1}n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.
∀ sem. sec. adversary A , ∃a PRG adversary B s.t.
Dan Boneh
Proof: intuition
m0 , m1 m0 , m1
kK c  m0 ⊕ G(k) ≈p r{0,1}n c  m0 ⊕ r
b’≟1 b’≟1
≈p
m0 , m1 m0 , m1
kK c  m1 ⊕ G(k) ≈p r{0,1}n c  m1 ⊕ r
b’≟1 b’≟1
Dan Boneh
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ G(k)
b’  {0,1}
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
Pr(b’=1|b=0) Pr(b’=1|b=1)
Dan Boneh
Chal. m0 , m1  M : |m0| = |m1| Adv. A

b kK
r{0,1}n
c  mb ⊕ r
b’  {0,1}
AdvSS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |
For b=0,1: Rb := [ event that b’=1 ]

Pr(b’=1|b=0) Pr(b’=1|b=1) Dan Boneh
Claim 1: |Pr[R0] – Pr[R1]| =

Claim 2: ∃B: |Pr[Wb] – Pr[Rb]| =
0 Pr[W0] Pr[Rb] Pr[W1] 1
Pr(b’=1|b=0) Pr(b’=1|b=1)
⇒ AdvSS[A,E] = |Pr[W0] – Pr[W1]| ≤ 2 ∙ AdvPRG[B,G]
Dan Boneh
Proof of claim 2: ∃B: |Pr[W0] – Pr[R0]| = AdvPRG[B,G]
Algorithm B:
y ∈ {0,1}n PRG adv. B (us)
m0, m1
Adv. A
c  m0⊕y (given)
b’ ∈ {0,1}
AdvPRG[B,G] =
Dan Boneh
X
PRF AES
PRP
Dan Boneh
Secure PRFs
• Let F: K  X → Y be a PRF
Funs[X,Y]: the set of all functions from X to Y 真隨機
SF = { F(k,) s.t. k  K }  Funs[X,Y] 虛擬隨機
• Intuition: a PRF is secure if

a random function in Funs[X,Y] is indistinguishable from
真隨機
f  Funs[X,Y]
xX
??? 真隨機虛擬隨機 kK 虛擬隨機
f(x) or F(k,x) ?
Dan Boneh
Secure PRPs (secure block cipher)
• Let E: K  X → Y be a PRP
Perms[X]: the set of all one-to-one functions from X to Y
SF = { E(k,) s.t. k  K }  Perms[X,Y]
• Intuition: a PRP is secure if

a random function in Perms[X] is indistinguishable from
π  Perms[X]
xX
??? kK
π(x) or E(k,x) ? (True Random)
Dan Boneh
Let F: K  X → {0,1}128 be a secure PRF.
Is the following G a secure PRF?
0 128 if x=0
G(k, x) =
F(k,x) otherwise
No, it is easy to distinguish G from a random function

Yes, an attack on G would also break F
It depends on F
An easy application: PRF ⇒ PRG
Let F: K  {0,1}n → {0,1}n be a secure PRF.
Then the following G: K → {0,1}nt is a secure PRG:
G(k) = F(k,0) ll F(k,1) ll ⋯ ll F(k,t-1)
Key property: parallelizable
Security from PRF property: F(k, ) indist. from random function f()
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The data encryption

standard (DES)
Dan Boneh
Block ciphers: crypto work horse
n bits n bits
PT Block E, D CT Block
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
Dan Boneh
Block Ciphers Built by Iteration
key k
key expansion
k1 k2 k3 kn
R(kn, )
R(k1, )
R(k2, )
R(k3, )
m c
R(k,m) is called a round function

for 3DES (n=48), for AES-128 (n=10)
Dan Boneh
The Data Encryption Standard (DES)
• Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits ; block-len = 128 bits
• 1973: NBS asks for block cipher proposals.
IBM submits variant of Lucifer.
• 1976: NBS adopts DES as a federal standard
key-len = 56 bits ; block-len = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce Dan Boneh
DES: core idea – Feistel Network
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n
Goal: build invertible function F: {0,1}2n ⟶ {0,1}2n

n-bits
R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits
L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output
In symbols:
Dan Boneh
n-bits
R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits
L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n

Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
Ri-1 Ri inverse Ri-1 = Li

fi
Li-1 ⊕ Li Li-1 = fi(Li) ⨁ Ri

Dan Boneh
n-bits
R0 R1 R2 Rd-1 Rd
f1 f2
⋯ fd
n-bits
L0 ⊕ L1 ⊕ L2 Ld-1 ⊕ Ld
input output
Claim: for all f1, …, fd: {0,1}n ⟶ {0,1}n

Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
Ri ⊕ Ri-1
Ri-1 = Li
Ri-1 Ri inverse
fi Li-1 = fi(Li) ⨁ Ri
fi
Li-1 ⊕ Li Li Li-1
Dan Boneh
Decryption circuit
⊕ ⊕ ⊕
n-bits
Rd Rd-1 Rd-2 R1 R0
fd fd-1
⋯ f1
n-bits
Ld Ld-1 Ld-2 L1 L0
• Inversion is basically the same circuit,

with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers)

from arbitrary functions.
• Used in many block ciphers … but not AES

Dan Boneh
“Thm:” (Luby-Rackoff ‘85):
f: K × {0,1}n ⟶ {0,1}n a secure PRF
⇒ 3-round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n a secure PRP
R0 R1 R2 R3
f f f
L0 ⊕ L1 ⊕ L2 ⊕ L3
input output
Dan Boneh
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
k
key expansion
k1 k2 ⋯ k16
64 bits
64 bits
16 round
IP IP-1
Feistel network
input output
To invert, use keys in reverse order Dan Boneh
The function F(ki, x)
S-box: function {0,1}6 ⟶ {0,1}4 , implemented as look-up table. Dan Boneh

Dan Boneh
The S-boxes
Si: {0,1}6 ⟶ {0,1}4
Dan Boneh
Example: a bad S-box choice
Suppose:
Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 )
or written equivalently: Si(x) = Ai⋅x (mod 2)
011000 x1 x2⨁x3
100110
. x2 = x1⨁x4⨁x5
100001 x3 x1⨁x6
011001 x4 x2⨁x3⨁x6
x5
We say that Si is a linear function. x6
Dan Boneh
Example: a bad S-box choice
Then entire DES cipher would be linear: ∃fixed binary matrix B s.t.
832
m
DES(k,m) = 64
B . k1 = c (mod 2)
k2
⋮
k16
But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3) = DES(k, m1⨁m2⨁m3)

B mk1 ⨁ B m2 ⨁ B m3 = B m1⨁m2⨁m3
k k k⨁k⨁k
Dan Boneh
Choosing the S-boxes and P-box
Choosing the S-boxes and P-box at random would result
in an insecure block cipher (key recovery after ≈224 outputs) [BS’89]
Several rules used in choice of S and P boxes:

• No output bit should be close to a linear func. of the input bits
• S-boxes are 4-to-1 maps
⋮
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Exhaustive Search
Attacks
Dan Boneh
Exhaustive Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,3
find key k.
Lemma: Suppose DES is an ideal cipher

( 256 random invertible functions )
Then ∀ m, c there is at most one key k s.t. c = DES(k, m)
Proof: with prob. ≥ 1 – 1/256 ≈ 99.5%
Dan Boneh
Exhaustive Search for block cipher key
For two DES pairs (m1, c1=DES(k, m1)), (m2, c2=DES(k, m2))
unicity prob. ≈ 1 - 1/271
For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2128
⇒ two input/output pairs are enough for exhaustive key search.
Dan Boneh
DES challenge
msg = “The unknown messages is: XXXX … “
CT = c1 c2 c3 c4
Goal: find k ∈ {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3
1997: Internet search -- 3 months

1998: EFF machine (deep crack) -- 3 days (250K $)
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10K $)
⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 272 days)

Dan Boneh
Strengthening DES against ex. search
Method 1: Triple-DES
• Let E : K × M ⟶ M be a block cipher
• Define 3E: K3 × M ⟶ M as
3E( (k1,k2,k3), m) =
For 3DES: key-size = 3×56 = 168 bits. 3×slower than DES.
(simple attack in time ≈2118 )

Dan Boneh
Dan Boneh
Why is the middle portion of 3DES a decryption
rather than an encryption?
• There is no cryptographic significance to the use of decryption
for the second stage.
• Its only advantage is that it allows users of 3DES to decrypt
data encrypted by users of the older single DES by repeating
the key.
• K1=K2=K3
Dan Boneh
Why not double DES?
• Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) )
key-len = 112 bits for DES
m E(k2,⋅) E(k1,⋅) c
Attack: M = (m1,…, m10) , C = (c1,…,c10).

k0 = 00…00 E(k0 , M)
• step 1: build table. k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M) 256
sort on 2nd column entries
⋮ ⋮
kN = 11…11 E(kN , M) Dan Boneh
Man in the middle
Dan Boneh
Meet in the middle attack
D(k, C) attack point
Guess K
m E(k2,⋅) E(k1,⋅) c
k0 = 00…00 E(k0 , M)
Attack: M = (m1,…, m10) , C = (c1,…,c10) k1 = 00…01 E(k1 , M)
k2 = 00…10 E(k2 , M)
• step 1: build table. ⋮ ⋮
kN = 11…11 E(kN , M)
• Step 2: for all k∈{0,1}56 do:

test if D(k, C) is in 2nd column.
if so then E(ki,M) = D(k,C) ⇒ (ki,k) = (k2,k1)

Dan Boneh
Meet in the middle attack
m E(k2,⋅) E(k1,⋅) c
Time = 256log(256) + 256log(256) < 263 << 2112 , space ≈ 256
Same attack on 3DES: Time = 2118 , space ≈ 256
m E(k3,⋅) E(k2,⋅) E(k1,⋅) c
Dan Boneh
Method 2: DESX
E : K × {0,1}n ⟶ {0,1}n a block cipher
Define EX as EX( (k1,k2,k3), m) = k1 ⨁ E(k2, m⨁k3 )
For DESX: key-len = 64+56+64 = 184 bits
… but easy attack in time 264+56 = 2120 (homework)
Note: k1 ⨁ E(k2, m) and E(k2, m⨁k1) does nothing !!
Dan Boneh
DESX
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
More attacks on
block ciphers
Dan Boneh
Attacks on the implementation
1. Side channel attacks:
– Measure time to do enc/dec, measure power for enc/dec
smartcard [Kocher, Jaffe, Jun, 1998]
2. Fault attacks:
– Computing errors in the last round expose the secret key k
⇒ do not even implement crypto primitives yourself …

Dan Boneh
Designing a secure smart card
• Several people involved with different
assumptions
– Algorithm designers
– Protocol designers
– Software developers
– Hardware engineers
Dan Boneh
Algorithm designer assumption
from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research
• Typically, the algorithm is evaluated in isolation

– Differential cryptanalysis
– Linear cryptanalysis
Dan Boneh
Reality!
from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research
Dan Boneh
Reality – Side Channel Attacks
• “A correct implementation of a strong protocol is not
necessarily secure”
• Failures can be cause by:
– Defective computation
• D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of
checking cryptographic protocols for faults, EUROCRYPT '97
– Information leaked during secret key operations

– Timing information
– Invasive measuring techniques
– Electromagnetic emanations (i.e. TEMPEST)
Dan Boneh
Power analysis attacks
• ICs are built out of invidual
transistors which consume
power
• Monitoring and analysis of the
power consumption of a
device to extract the private
information stored in it.
• Active, relatively cheap, non
invasive attack
Dan Boneh
Simple Power Analysis
• Focus on the use of visual inspection techniques to
identify relevant power fluctuations during
cryptographic operations
• Interpretation of power traces
– Power consumption measurements taken across a
cryptographic operation
– Typically current used by a device over time
Dan Boneh
SPA DES traces
SPA trace showing an entire DES operation
SPA trace showing DES rounds 2 and 3
Dan Boneh
SPA DES trace showing differences in power
consumption of different microprocessor instructions
jump
no jump
Dan Boneh
SPA attack
• SPA can reveal sequence of instructions executed
• It can be use to break cryptographic implementations in
which the execution path depend on the data being
processed
– DES keyschedule
– DES permutations
– Comparisons
– Multipliers
– Exponentiators
Dan Boneh
Preventing SPA
• In general, techniques to prevent SPA are
fairly simple.
– Avoid procedures that use secret intermediates
or keys for conditional branching operations
– Hardwired implementations of symmetric
cryptography algorithms
Dan Boneh
Differential Power Analysis
• Use of statistical analysis and error
correction techniques to extract information
correlated to secret keys
• Based on the effects correlated to data
values being manipulated.
• More powerful than SPA and is much more
difficult to prevent
Dan Boneh
DPA basic idea
• Data collection
– Capture power traces T1...m[1...k] containing k samples each
– Record the ciphertextsC1...m

– Knowledge of plaintext is notrequired
• Data analysis
– DPA selection function D(C,b,Ks)→{0,1}
– Compute ksample differential trace ΔD[1...k], where:
Dan Boneh
DPA against DES
• DPA selection function D(C,b,K ) is defined as: s
•
• – Returning the value b of the DES intermediate L at the beginning of the 16th
(0 <= b < 32 )
• – C is the corresponding ciphertext
• – Ks is the 6 key bits entering the Sbox corresponding to bit b (0 <= Ks < 26)
ATTTTACK
•• Repeat procedure to find all Ks values (8) to get the entire 48 bit subkey
• C
C
Ks
b Ks
C
16 DES round
th
Dan Boneh
C1 1 1 1 0 0 1 0 1 1 1 0
C2 1 1 1 0 1 1 1 0 1 0 1
C3 1 1 0 1 0 1 1 1 1 0 1
C= K+P
Attack
Dan Boneh
Right 𝐾0 𝐾1 𝐾2 𝐾3 𝐾4 𝐾5 𝐾6 𝐾7 𝐾8 𝐾9 𝐾10
P1 0 1 1 0 0 1 0 1 0 1 0
P2 1 0 1 0 1 0 1 0 1 0 1
P3 0 1 0 1 0 1 0 1 0 1 0
P=C + K
Dan Boneh
DPA traces for DES
Power reference
Correct Ks
Incorrect Ks
1000 samples
Dan Boneh
Quantitative DPA measurements
Reference power
consumption trace
Standard deviation
Differential trace
(m=104)
Dan Boneh
More about DPA
• Noise can be a problem
– Electronic radiation and thermal noise
– Quantization errors
– Uncorrected temporal misalignment
• DPA variations
– Automated template DPA
– Highorder DPA
Dan Boneh
DPA against other algorithms
• In general, DPA can be used to break any
symmetric or asymmetric algorithm
• Public key algorithms (i.e. RSA)
– Asymmetric operations tend to produce stronger
signals leaking than symmetric ones
• Reverse engineering using DPA
Dan Boneh
Preventing DPA
• Reduce signals size
• Introducing noise into power
consumption measurements
• Designing cryptosystems with
realistic assumptions about the
underlying hardware.
– Balanced HW and SW (i.e. leak tolerant design)
– Incorporatingrandomness
– Algorithm and protocollevel countermeasures
Dan Boneh
Dan Boneh
Side-Channel Analysis
Side Channel Leakage
Timing
EM Emissions
Current, Voltage
Dan Boneh
Dan Boneh
Linear and differential attacks [BS’89,M’93]
Given many inp/out pairs, can recover key in time less than 256 .
Linear cryptanalysis (overview) : let c = DES(k, m)

Suppose for random k,m :
[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ]=½ +ε
For some ε. For DES, this exists with ε = 1/221 ≈ 0.0000000477

Dan Boneh
Linear attacks
[
Pr m[i1]⨁⋯⨁m[ir] ⨁ c[jj]⨁⋯⨁c[jv] = k[l1]⨁⋯⨁k[lu] ]=½ +ε
Thm: given 1/ε2 random (m, c=DES(k, m)) pairs then
k[l1,…,lu] = MAJ [ m[i1,…,ir] ⨁ c[jj,…,jv] ]

with prob. ≥ 97.7%
⇒ with 1/ε2 inp/out pairs can find k[l1,…,lu] in time ≈1/ε2 .

Dan Boneh
Linear attacks
For DES, ε = 1/221 ⇒
with 242 inp/out pairs can find k[l1,…,lu] in time 242
Roughly speaking: can find 14 key “bits” this way in time 242
Brute force remaining 56−14=42 bits in time 242
Total attack time ≈243 ( << 256 ) with 242 random inp/out pairs
Dan Boneh
Lesson
A tiny bit of linearly in S5 lead to a 242 time attack.
⇒ don’t design ciphers yourself !!
Dan Boneh
Quantum attacks
Generic search problem:
Let f: X ⟶ {0,1} be a function.
Goal: find x∈X s.t. f(x)=1.
Classical computer: best generic algorithm time = O( |X| )
Quantum computer [Grover ’96] : time = O( |X|1/2 )
Can quantum computers be built: unknown

Dan Boneh
Quantum exhaustive search
Given m, c=E(k,m) define 1 if E(k,m) = c
f(k) =
0 otherwise
Grover ⇒ quantum computer can find k in time O( |K|1/2 )
DES: time ≈228 , AES-128: time ≈264
quantum computer ⇒ 256-bits key ciphers (e.g. AES-256)
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
The AES block cipher
Dan Boneh
The AES process
• 1997: NIST publishes request for proposal
• 1998: 15 submissions. Five claimed attacks.
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits. Block size: 128 bits
Dan Boneh
AES is a Subs-Perm network (not Feistel)
k1 k2 kn
S1 S1 S1
S2 S2 S2
S3 S3 S3
output
input
⨁
⨁ ⋯
⨁
⋯
⋯
⋯
S8 S8 S8
subs. perm.
layer layer inversion
Dan Boneh
AES-128 schematic
10 rounds
4
(1) ByteSub (1) ByteSub (1) ByteSub
⋯ (2) ShiftRow
⨁
⨁
(2) ShiftRow
⨁
4 input (2) ShiftRow

(3) MixColumn (3) MixColumn
invertible
k0 k1 k2 k9
⨁
k10
key key expansion:
4 output
16 bytes 16 bytes ⟶176 bytes 4
Dan Boneh
The round function
• ByteSub: a 1 byte S-box. 256 byte table (easily computable)
• ShiftRows:
• MixColumns:
Dan Boneh
Code size/performance tradeoff
Code size Performance
Pre-compute fastest:
round functions largest table lookups
(24KB or 4KB) and xors
Pre-compute
smaller slower
S-box only (256 bytes)
No pre-computation smallest slowest
Dan Boneh
Example: Javascript AES
AES in the browser:
AES library (6.4KB)

no pre-computed tables
Prior to encryption:
pre-compute tables
Then encrypt using tables
http://crypto.stanford.edu/sjcl/
Dan Boneh
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer

Dan Boneh
Attacks
Best key recovery attack:
four times better than ex. search [BKR’11]
Related key attack on AES-256: [BK’09]

Given 299 inp/out pairs from four related keys in AES-256
can recover keys in time ≈299
Dan Boneh
End of Segment
Dan Boneh
Block ciphers
Block ciphers from PRGs
Dan Boneh
Can we build a PRF from a PRG?
Let G: K ⟶ K2 be a secure PRG k
G
Define 1-bit PRF F: K × {0,1} ⟶ K as G(k)[0] G(k)[1]
F(k, x∈{0,1} ) = G(k)[x]
Thm: If G is a secure PRG then F is a secure PRF
Can we build a PRF with a larger domain?

Dan Boneh
Extending a PRG
Let G: K ⟶ K2 .
define G1: K ⟶ K4 as G1(k) = G(G(k)[0]) ll G(G(k)[1])
We get a 2-bit PRF: G

G(k)[0] G(k)[1]
F(k, x∈{0,1}2 ) = G1(k)[x] G G
00 01 10 11
G1(k)
Dan Boneh
k
G1 is a secure PRG
G
G(k)[0] G(k)[1] r0 r1
G G G G
00 01 10 11 ≈p
G1(k)
≈p
r1
G
random in K4 ≈p r00 r01
Dan Boneh
Extending more
Let G: K ⟶ K2 .
define G2: K ⟶ K8 as G2(k) = k
G
G(k)[0] G(k)[1]
We get a 3-bit PRF G G
G G G G
000 001 010 011 100 101 110 111
G2(k) Dan Boneh

Extending even more: the GGM PRF
Let G: K ⟶ K2 . define PRF F: K × {0,1}n ⟶ K as
For input x = x0 x1 … xn-1 ∈ {0,1}n do:
G(k)[x0] G(k1)[x1] k G(k2)[x2] k G(kn-1)[xn-1] kn

k k1 2 3
⋯
Security: G a secure PRG ⇒ F is a secure PRF on {0,1}n .
Not used in practice due to slow performance.

Dan Boneh
Secure block cipher from a PRG?
Can we build a secure PRP from a secure PRG?
No, it cannot be done

Yes, just plug the GGM PRF into the Luby-Rackoff theorem
It depends on the underlying PRG
End of Segment
Dan Boneh
Differential Power Analysis
• Use of statistical analysis and error correction techniques to
extract information correlated to secret keys
• Based on the effects correlated to data values being
manipulated
• More powerful than SPA and is much more difficult to
prevent
Dan Boneh
Dan Boneh
Complementary Metal-Oxide-Semiconductor
• 互補式金屬氧化物半導體（英語：Complementary Metal-Oxide-
Semiconductor，縮寫作 CMOS；簡稱互補式金氧半導體），是一種積體電路
的設計製程，可以在矽質晶圓模板上製出NMOS（n-type MOSFET）和PMOS
（p-type MOSFET）的基本元件，由於NMOS與PMOS在物理特性上為互補性，
因此被稱為CMOS。
• 此一般的製程上，可用來製作的靜態隨機存取記憶體、微控制器、微處理器
與其他數位邏輯電路系統(FPGA) 。
• 互補式金屬氧化物半導體具有只有在電晶體需要切換啟動與關閉時才需消耗
能量的優點，因此非常節省電力且發熱量少，且製程上也是最基礎而最常用
的半導體元件。
Dan Boneh
Complementary Metal-Oxide-Semiconductor
Dan Boneh
Dan Boneh
DPA traces for DES
Power reference
Correct Ks
Incorrect Ks
1000 samples
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
Dan Boneh
DPA traces for DES
Power reference
Correct Ks
Incorrect Ks
1000 samples
Dan Boneh
Dan Boneh
𝑆(𝐾𝑛 |𝑋𝑛 )
K K K K KK KK KK KK K Ciphertext
P1 1 1 1 0 1 1 1 1 1
P2 1 1 0 0 1 1 0 0 0
P3 1 1 0 0 1 1 1 0 1
Attack
P4 0 1 0 0 1 1 1 O O Key
Guess
P5 1 0 0 1 0 1 1 0 0 the
right
key
There is no peak when K guesting is WRONG
𝑆(𝐾𝑛 |𝑋𝑛 ) Plaintext
Ks is the 6 key bits entering the Sbox corresponding to bit b (0 <= Ks < 2 ) ATTACK
6
Dan Boneh
DPA traces for DES
Power reference
Correct Ks
Incorrect Ks
1000 samples
Dan Boneh
K K K K KK KK KK KK K Ciphertext
P1 1 0 1 0 0 1 1 1 1
P2 0 1 0 1 1 0 0 0 0
P3 1 0 1 0 0 1 1 1 1 Attack
Key
P4 0 1 0 1 1 O O O O
Guess
P5 1 0 1 1 0 1 1 1 1 the
right
key
There is HUGE peak when K guesting is Correct
Plaintext
Dan Boneh

Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

Uploaded by

Copyright:

Available Formats

Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cryptography Engineering: CSIC30040 Spring 2023 Lecture 6

Uploaded by

Copyright:

Available Formats

Cryptography Engineering

CSIC30040 Spring 2023 Lecture 6

Jerry J. R. Shieh, PhD March 30 2023 Week 6

• ZIP/RAR password cracker

• Secure Voting may with block chain

• Low Bit Rate Advanced Secure Communication

• It’s the numbers that have factors (other than 1 and

You may refer http://bma.bozhu.me/

• Public Key Generation:

• By Euler’s theorem Mφ(n) (mod n)=1

被除數 = (除數 ✕ 商數) + 餘數

被除式 = (除式 ✕ 商式) + 餘式

Remainder = Dividend – (Divisor x Quotient)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數

餘數 = 被除數 − (除數 ✕ 商數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

被除數 = (除數 ✕ 商數) + 餘數

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

被除數 = (除數 ✕ 商數) + 餘數

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

1 3 = 1 – ((-2)x1) -1 = 0 - 1x1 2=5-3X1 (餘數)

2 -2 = 0 – 1x2 1 = 1- 0x2 3 = 13 – 5x2 餘數 (除數)

1 -5 = -2 – 1x3 2 = 1 – 1x(-1) 1=3-2X1 <餘數>

餘數 = 被除數 − (除數 ✕ 商數)

5-1 mod 13 = -5 = 8 mod 13 5 inverse 8

商 (Quotient) A(x) B(x) GCD

商 (Quotient) A(x) B(x) GCD

𝑥 𝑥 = 0 − 1(𝑥) 𝑥 2 + 1 = 1 − 𝑥(𝑥) 𝑥 6 + 𝑥 5 +𝑥 4 + 𝑥 2 + 1 = (餘式)

1 𝑥 + 1 = 1 − 𝑥 (1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥4+ 𝑥2 + 𝑥 + 1 = <餘式>

商 (Quotient) A(x) B(x) GCD

1 𝑥 + 1 = 1 − 𝑥(1) 𝑥 2 + 𝑥 + 1 = 𝑥 − (𝑥 2 + 1)(1) 𝑥 4 + 𝑥 2 + 𝑥 + 1=(𝑥 6 +𝑥 5 + 被除式

1. 1 0 1 1 0 0 0 1 都符合 𝑎𝑛+4 ⨁𝑎𝑛+2 ⨁𝑎𝑛+1 = 𝑎𝑛

Goal: define what it means that

A silly example: A(x) = 0 ⇒ AdvPRG [A,G] = 0 Dan Boneh

Define stat. test A(x) as:

AdvPRG [A,G] = | Pr[ A(G(k))=1] - Pr[ A(r)=1 ] | =

| 2/3 – 1/2 | = 1/6

Are there provably secure PRGs?

Suppose A is an efficient algorithm s.t.

for non-negligible ε (e.g. ε = 1/1000)

“Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable at pos. i

If next-bit predictors cannot distinguish G from random

Is G predictable for some i ∈ {0, … , n-1} ?

Def: We say that P1 and P2 are

Goal: secure PRG ⇒ “secure” stream cipher

Possible security requirements:

attempt #2: attacker cannot recover all of plaintext

Recall Shannon’s idea:

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )

{ E(k,m0) } = { E(k,m1) } where k⟵K

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )

{ E(k,m0) } ≈p { E(k,m1) } where k⟵K

… but also need adversary to exhibit m0, m1 ∈ M explicitly

⇒ for all explicit m0 , m1  M : { E(k,m0) } ≈p { E(k,m1) }

Chal. m0 , m1  M : |m0| = |m1| Adv. A

For all A: AdvSS[A,OTP] = | Pr[ A(k⊕m0)=1 ] − Pr[ A(k⊕m1)=1 ] |= 0