CIS 5371 Cryptography

6. Practical Constructions of Symmetric-Key Primitives
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Stream ciphers

A stream cipher is a pair of deterministic algorithms (Init, GetBits), where

 Init takes as input a seed $s$ and an optional initialization vector $IV$ and outputs an initial state $st_0$. That is,
  $st_0 := \mathrm{Init}(s, IV)$
 GetBits takes as input the current state $st_{i-1}$ and outputs a bit $y_i$ together with an updated state $st_i$. That is,
  $(y_i, st_i) := \mathrm{GetBits}(st_{i-1}), \quad i = 1, 2, \ldots$
Linear Feedback Shift Registers (LFSR)

[Figure: linear feedback with $n = 5$. Register cells $s_4\ s_3\ s_2\ s_1\ s_0$; the tapped cells are XORed together and the result is fed back into $s_4$ as the register shifts.]

State at time $t$: $(s^t_0, \ldots, s^t_{n-1})$, with fixed feedback coefficients $c_0, \ldots, c_{n-1} \in \{0,1\}$ (the taps).

Update, on each clock:
  $s^{t+1}_i := s^t_{i+1}, \quad i = 0, \ldots, n-2$
  $s^{t+1}_{n-1} := \bigoplus_{i=0}^{n-1} c_i\, s^t_i$

Output:
  $y_i = s^0_{i-1}, \quad i = 1, \ldots, n$  (the first $n$ output bits are just the initial state)
  $y_i = \bigoplus_{j=0}^{n-1} c_j\, y_{i-n+j}, \quad i > n$  (every later bit is the same linear combination of the $n$ bits preceding it)
Reconstruction attacks

 The feedback is linear, so an attacker who sees the first $2n$ output bits $y_1, \ldots, y_{2n}$ already knows the state ($y_1, \ldots, y_n$ is the initial state) and can solve for the unknowns $c_0, \ldots, c_{n-1}$ from $n$ linear equations over $\mathbb{F}_2$:
  $y_{n+1} = c_{n-1} y_n \oplus \cdots \oplus c_0 y_1$
  $\vdots$
  $y_{2n} = c_{n-1} y_{2n-1} \oplus \cdots \oplus c_0 y_n$
 With $c_0, \ldots, c_{n-1}$ recovered, every further output bit can be predicted. (If the $n \times n$ system happens to be singular, a few more output bits supply additional equations.)
 So we must use nonlinear feedback:
  $s^{t+1}_i := s^t_{i+1}, \quad i = 0, \ldots, n-2$
  $s^{t+1}_{n-1} := g(s^t_0, \ldots, s^t_{n-1})$, for some nonlinear function $g$
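The following is an added example (not code from the slides or the textbook): an LFSR written against the (Init, GetBits) interface defined above, followed by the reconstruction attack, which recovers the feedback coefficients from $2n$ keystream bits by Gaussian elimination over $\mathbb{F}_2$ and then predicts the rest of the keystream. The register size, taps and seed are constructed for the example; the function names are this example's own.

```python
"""LFSR in the (Init, GetBits) interface, plus the linear reconstruction attack.
Conventions follow the slides: state (s_0, ..., s_{n-1}), output y = s_0, and
new s_{n-1} = XOR_i c_i s_i.  Lists hold 0/1 ints; y[k] is the slides' y_{k+1}.
"""
from typing import List, Optional, Tuple

State = Tuple[List[int], List[int]]  # (register contents, feedback coefficients)


def lfsr_init(seed: List[int], coeffs: List[int]) -> State:
    """Init(s): the seed is the initial register; the taps are part of the design."""
    assert len(seed) == len(coeffs) and all(b in (0, 1) for b in seed + coeffs)
    return list(seed), list(coeffs)


def lfsr_getbits(st: State) -> Tuple[int, State]:
    """GetBits: emit s_0, shift left, fill s_{n-1} with the linear feedback."""
    s, c = st
    y = s[0]
    feedback = 0
    for ci, si in zip(c, s):
        feedback ^= ci & si
    return y, (s[1:] + [feedback], c)


def keystream(seed: List[int], coeffs: List[int], m: int) -> List[int]:
    st = lfsr_init(seed, coeffs)
    out = []
    for _ in range(m):
        y, st = lfsr_getbits(st)
        out.append(y)
    return out


def solve_gf2(rows: List[List[int]], rhs: List[int]) -> Optional[List[int]]:
    """Gauss-Jordan elimination over GF(2); None if the system is singular."""
    n = len(rows)
    a = [rows[i][:] + [rhs[i]] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col]), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [u ^ v for u, v in zip(a[r], a[col])]
    return [a[i][n] for i in range(n)]


def reconstruct_taps(y: List[int], n: int) -> Optional[List[int]]:
    """Recover (c_0..c_{n-1}) from y_1..y_{2n}.  Row t encodes the slide's equation
    y_{n+t+1} = c_{n-1} y_{n+t} + ... + c_0 y_{t+1}, i.e. y[n+t] = XOR_j c_j y[t+j]."""
    assert len(y) >= 2 * n
    rows = [[y[t + j] for j in range(n)] for t in range(n)]
    rhs = [y[n + t] for t in range(n)]
    return solve_gf2(rows, rhs)


def predict(y_known: List[int], coeffs: List[int], extra: int) -> List[int]:
    """Extend an observed keystream with recovered taps: y[k] = XOR_j c_j y[k-n+j]."""
    y = list(y_known)
    n = len(coeffs)
    for _ in range(extra):
        y.append(sum(coeffs[j] & y[len(y) - n + j] for j in range(n)) % 2)
    return y


if __name__ == "__main__":
    # Constructed data: x^4 + x + 1, i.e. c = [1, 1, 0, 0], seed 1000 (maximal-length register).
    seed, taps = [1, 0, 0, 0], [1, 1, 0, 0]
    observed = keystream(seed, taps, 8)          # the attacker sees 2n = 8 bits
    recovered = reconstruct_taps(observed, 4)    # -> [1, 1, 0, 0]
    print(observed, recovered, predict(observed, recovered, 7) == keystream(seed, taps, 15))
```

For a maximal-length register and a nonzero seed the $n \times n$ system is always nonsingular, so $2n$ bits suffice; the all-zero seed is the degenerate case in which solve_gf2 returns None.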
Self-shrinking generator

 The self-shrinking generator uses pairs of output bits of a single LFSR to control its final output:
1. Clock two bits from the LFSR.
2. If the pair is 10, output a zero.
3. If the pair is 11, output a one.
4. Otherwise (00 or 01), output nothing.
5. Return to step one.
Self-shrinking generator, Example

Use polynomial: $x^8 + x^4 + x^3 + x^2 + 1$
Initial state: 1 0 1 1 0 1 1 0 (cells 8 down to 1).

Reading the table: on each clock the feedback bit cell8 $\oplus$ cell4 $\oplus$ cell3 $\oplus$ cell2 (the nonzero terms of the polynomial) enters cell 8, the contents shift toward cell 1, and the bit leaving cell 1 is Out1. Out2 is the self-shrinking output, decided after every second clock from the pair (previous Out1, current Out1).

  t | 8 7 6 5 4 3 2 1 | Out1 | Out2
  0 | 1 0 1 1 0 1 1 0 | n/a  | n/a
  1 | 1 1 0 1 1 0 1 1 |  0   |
  2 | 1 1 1 0 1 1 0 1 |  1   | n/a   (pair 01: nothing)
  3 | 1 1 1 1 0 1 1 0 |  1   |
  4 | 1 1 1 1 1 0 1 1 |  0   | 0     (pair 10: output 0)
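As an added example (not code from the slides), the generator of the table above, written so that it reproduces the table row by row and continues past it. The cell conventions (feedback = cell8 $\oplus$ cell4 $\oplus$ cell3 $\oplus$ cell2, new bit into cell 8, Out1 leaving cell 1) are the ones read off the table; they are an assumption of this example rather than a statement on the slide.

```python
"""Self-shrinking generator driven by the 8-cell LFSR for x^8 + x^4 + x^3 + x^2 + 1.
Cells are listed as [c8, c7, ..., c1], matching the table's columns 8..1.
"""
from typing import List, Optional, Tuple


def lfsr8_step(cells: List[int]) -> Tuple[int, List[int]]:
    """One clock: returns (bit leaving cell 1, new register contents)."""
    c8, c4, c3, c2 = cells[0], cells[4], cells[5], cells[6]
    feedback = c8 ^ c4 ^ c3 ^ c2
    return cells[7], [feedback] + cells[:7]


def self_shrinking(cells: List[int], clocks: int):
    """Clock the register `clocks` times and apply the self-shrinking rule to each
    pair of LFSR output bits.  Returns (lfsr_bits, output_bits, trace), where trace
    holds one (t, cells, out1, out2) row per clock; out2 is None when nothing is emitted."""
    trace = [(0, list(cells), None, None)]
    lfsr_bits: List[int] = []
    output: List[int] = []
    for t in range(1, clocks + 1):
        out1, cells = lfsr8_step(cells)
        lfsr_bits.append(out1)
        out2: Optional[int] = None
        if t % 2 == 0:                      # a pair (a, b) is complete
            a, b = lfsr_bits[-2], lfsr_bits[-1]
            if a == 1:                      # 10 -> output 0, 11 -> output 1
                out2 = b
                output.append(b)
            # 00 / 01 -> output nothing
        trace.append((t, list(cells), out1, out2))
    return lfsr_bits, output, trace


if __name__ == "__main__":
    # Initial state from the slide (constructed input for the example).
    bits, out, rows = self_shrinking([1, 0, 1, 1, 0, 1, 1, 0], 8)
    for t, cells, o1, o2 in rows:
        print(t, " ".join(map(str, cells)), "n/a" if o1 is None else o1, "n/a" if o2 is None else o2)
    print("LFSR bits:", bits, "self-shrinking output:", out)
```

Note the rate: the LFSR produced 8 bits but the generator emitted only 2, since on average only half the pairs start with 1; the output is also not a linear function of the state, which is what defeats the reconstruction attack above.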
Other nonlinear stream ciphers

 Trivium, from the eSTREAM project; see the textbook.
 These are stream ciphers designed for efficient hardware implementation.
 Next we consider a design intended for software implementation.
RC4

Init for RC4 (key scheduling), Algorithm 6.1
Input: 16-byte key $k$
Output: initial state $(S, i, j)$, where $S$ is a permutation of $\{0, \ldots, 255\}$ and $i, j \in \{0, \ldots, 255\}$ (all arithmetic below is mod 256)

  for $i = 0$ to 255:
    $S[i] := i$, $k[i] := k[i \bmod 16]$
  $j := 0$
  for $i = 0$ to 255:
    $j := j + S[i] + k[i]$
    Swap $S[i]$ and $S[j]$
  $i := 0$, $j := 0$  (the counters are reset before output generation begins)
  Return $(S, i, j)$
RC4

GetBits for RC4, Algorithm 6.2
Input: $(S, i, j)$
Output: byte $y$, updated state $(S, i, j)$ (arithmetic mod 256)

  $i := i + 1$
  $j := j + S[i]$
  Swap $S[i]$ and $S[j]$
  $t := S[i] + S[j]$
  $y := S[t]$
  Return $(S, i, j), y$
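Algorithms 6.1 and 6.2 as a runnable, added example (not code from the slides or the textbook). The slides fix the key at 16 bytes; real RC4 accepts any key of 1 to 256 bytes and repeats it as $k[i \bmod |k|]$, which is what this version does, so it can be checked against the widely published RC4 test vectors (key "Key", plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3).

```python
"""RC4 Init (key scheduling) and GetBits (output generation), byte oriented."""
from typing import List, Tuple

State = Tuple[List[int], int, int]   # (S, i, j)


def rc4_init(key: bytes) -> State:
    """Algorithm 6.1: build the permutation S from the key; all sums are mod 256."""
    assert 1 <= len(key) <= 256
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, 0, 0                        # counters start at zero for output generation


def rc4_getbits(state: State) -> Tuple[int, State]:
    """Algorithm 6.2: one output byte and the updated state (S is updated in place)."""
    S, i, j = state
    i = (i + 1) % 256
    j = (j + S[i]) % 256
    S[i], S[j] = S[j], S[i]
    t = (S[i] + S[j]) % 256
    return S[t], (S, i, j)


def rc4_keystream(key: bytes, n: int) -> bytes:
    st = rc4_init(key)
    out = bytearray()
    for _ in range(n):
        y, st = rc4_getbits(st)
        out.append(y)
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption/decryption: XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


if __name__ == "__main__":
    # Published RC4 test vector (constructed inputs for this example).
    print(rc4_keystream(b"Key", 8).hex())              # eb9f7781b734ca72
    print(rc4_crypt(b"Key", b"Plaintext").hex())       # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", rc4_crypt(b"Key", b"Plaintext")))
```

Because rc4_init is deterministic in the key alone, encrypting two messages under the same key reuses the same keystream; any per-message IV therefore has to be folded into the key, which is exactly the usage the next slide's attack targets.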
Attacks on RC4

 Several attacks on RC4 have been known for some time, and this stream cipher should no longer be used.
 A serious attack applies when an IV is prepended to the key, so that Init is run on $IV \| k$. This attack recovers the key regardless of its length.
 This attack was used to break the WEP encryption standard, and was influential in getting the standard replaced; see the textbook for details of the attack.
Block ciphers

 A block cipher is an efficient keyed permutation
  $F : \{0,1\}^n \times \{0,1\}^l \to \{0,1\}^l$
 $F_k(x) \stackrel{\text{def}}{=} F(k, x)$ is a bijection, and $F_k$ and its inverse $F_k^{-1}$ are efficiently computable given $k$.
 Block ciphers should be viewed as pseudorandom permutations rather than as encryption schemes.
 They are basic building blocks for symmetric-key applications.
Block ciphers

 We refer to $n$ as the key length and $l$ as the block length of $F$.
 These are now constants (fixed), whereas earlier they were functions of the security parameter.
 This takes us from asymptotic security to concrete security.
Substitution-Permutation Networks

 A block cipher must behave like a random permutation.
 However, there are $2^l!$ permutations on $l$-bit strings, so representing an arbitrary permutation with block length $l$ requires roughly $\log(2^l!) \approx l \cdot 2^l$ bits.
 Thus we need to somehow construct a concise function (one described by a short key) that nevertheless behaves like a random permutation.
The confusion-diffusion paradigm

 Idea (Shannon): construct a random-looking permutation $F$ with a large block length from smaller random-looking substitutions $\{f_i\}$ with a small block length.
 A substitution-permutation network is an implementation of this paradigm.
The confusion-diffusion paradigm

 The substitution component refers to the small random-looking functions $f_i$, called S-boxes, and the permutation component refers to the mixing of the outputs of those functions.
 The permutation component reorders the output bits; these reorderings are called mixing permutations.
The confusion-diffusion paradigm
An example, 1

 Suppose we want $F$ to have block length 128 bits, and use 16 substitutions $f_1, \ldots, f_{16}$ that have block length 8 bits.
 The key $k$ will specify the 16 substitutions.
 For input $x \in \{0,1\}^{128}$ we parse $x$ as $x_1, \ldots, x_{16}$ and set
  $F_k(x) = f_1(x_1) \| \cdots \| f_{16}(x_{16})$
 The "round" functions $\{f_i\}$ are said to introduce confusion.
The confusion-diffusion paradigm
An example, 2

 A diffusion step then mixes the bits of the output. For example, the bits of $F_k(x)$ are shuffled to get $x'$.
 The confusion-diffusion process is repeated several times.
 A substitution-permutation network is an implementation of this paradigm.
The confusion-diffusion paradigm
An example, 3

Consider an SPN with 64-bit block length and 8-bit $S$-boxes $S_1, \ldots, S_8$. Evaluating the cipher proceeds in a number of rounds, each of which does:
 Key mixing: set $x := x \oplus k$, where $k$ is the current "round sub-key".
 Substitution: set $x := S_1(x_1) \| \cdots \| S_8(x_8)$, where $x = x_1 \| \cdots \| x_8$ is split into bytes.
 Permutation: permute the bits of $x$ to get the input to the next round.

Substitution-permutation network, Example 3, single round
[Figure: one round of the 64-bit SPN above: sub-key XOR, eight 8-bit S-boxes, mixing permutation.]
The confusion-diffusion paradigm

 The basic idea is to break the input up into small parts and then feed these parts through different S-boxes (small, invertible, random-looking permutations).
 The outputs are then mixed together.
 The process is repeated a given number of times, called rounds.
 The S-boxes introduce confusion into the construction.
 In order to spread the confusion throughout the block, the results are mixed together, achieving diffusion.
Any SPN is invertible (given the key)

It suffices to invert each round. Given the output of a round and the key we:
 First invert the mixing permutation.
 Then invert the $S$-box permutations.
 Finally XOR the result with the appropriate sub-key to get the round input.
The avalanche effect

 An important property of any block cipher is that small changes to the input must result in large changes to the output.
 To ensure this, block ciphers are designed so that small changes in the input propagate quickly to very large changes in the intermediate values.
The avalanche effect

It is easy to show that the avalanche effect holds in a substitution-permutation network when the following hold:
1. The $S$-boxes are designed so that any change of at least a single bit to the input of an $S$-box results in a change of at least two bits in the output.
2. The mixing permutations are designed so that the output bits of any given $S$-box are spread into different $S$-boxes in the next round.
Then a single flipped input bit changes at least two bits after one round, the permutation sends those to two different $S$-boxes, and so the number of affected bits roughly doubles each round until every output bit depends on the flipped bit.
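An added example (not code from the slides or the textbook) that serves both the "Any SPN is invertible" slide and the two avalanche conditions above: a 16-bit toy SPN with four 4-bit S-boxes, four rounds, and a transposition-style mixing permutation, built along the lines of the small tutorial ciphers used to teach differential cryptanalysis. decrypt() performs exactly the three inverse steps listed on the slide, and two helper functions check conditions 1 and 2 mechanically while avalanche() measures the effect. The S-box, permutation and sub-keys are constructed for this example and are not any standard cipher.

```python
"""Toy 16-bit SPN: key mixing, four 4-bit S-boxes, bit permutation, 4 rounds."""
import random
from typing import List

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# Bit i (0 = least significant) of the state moves to position PERM[i].  Output bit b
# of S-box j lands in S-box b, so every S-box feeds four different S-boxes (condition 2).
PERM = [4 * (i % 4) + i // 4 for i in range(16)]
ROUNDS = 4


def sbox_layer(x: int, table: List[int]) -> int:
    return sum(table[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def permute(x: int) -> int:
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << PERM[i]
    return out


# PERM is a transpose, hence an involution: permute() is its own inverse.
assert all(PERM[PERM[i]] == i for i in range(16))


def encrypt(x: int, subkeys: List[int]) -> int:
    """ROUNDS rounds of (key mixing, substitution, permutation); the last round has
    no permutation and is followed by a final key mixing with subkeys[ROUNDS]."""
    assert len(subkeys) == ROUNDS + 1
    for r in range(ROUNDS):
        x ^= subkeys[r]
        x = sbox_layer(x, SBOX)
        if r < ROUNDS - 1:
            x = permute(x)
    return x ^ subkeys[ROUNDS]


def decrypt(y: int, subkeys: List[int]) -> int:
    """Per round, in reverse order: undo the mixing permutation, invert the S-boxes,
    XOR off the round's sub-key (the three steps on the invertibility slide)."""
    y ^= subkeys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            y = permute(y)
        y = sbox_layer(y, SBOX_INV)
        y ^= subkeys[r]
    return y


def sbox_min_output_change() -> int:
    """Condition 1: the fewest S-box output bits flipped by any single-bit input change."""
    return min(bin(SBOX[x] ^ SBOX[x ^ (1 << b)]).count("1")
               for x in range(16) for b in range(4))


def perm_spreads_each_sbox() -> bool:
    """Condition 2: the four output bits of each S-box go to four different S-boxes."""
    return all(len({PERM[4 * j + b] // 4 for b in range(4)}) == 4 for j in range(4))


def avalanche(subkeys: List[int], trials: int = 512, seed: int = 1) -> float:
    """Mean Hamming distance between ciphertexts of inputs differing in one bit."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        x = rng.getrandbits(16)
        x2 = x ^ (1 << rng.randrange(16))
        total += bin(encrypt(x, subkeys) ^ encrypt(x2, subkeys)).count("1")
    return total / trials


if __name__ == "__main__":
    keys = [0x1234, 0x5678, 0x9ABC, 0xDEF0, 0x0F1E]   # constructed sub-keys
    c = encrypt(0xBEEF, keys)
    print(hex(c), hex(decrypt(c, keys)), sbox_min_output_change(),
          perm_spreads_each_sbox(), avalanche(keys))
```

With both conditions satisfied, a single-bit input change flips on average about half of the 16 output bits after four rounds, which is what a random permutation would do; dropping to one or two rounds makes avalanche() fall well below that, which is the reason real SPNs iterate many rounds.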
Feistel Networks

 A Feistel* network is an alternative way of constructing a block cipher.
 The low-level building blocks (S-boxes, mixing permutations and key schedule) are the same.
 The difference is in the high-level design.
 The advantage of Feistel networks over substitution-permutation networks is that they enable the use of S-boxes (round functions) that are not necessarily invertible.
* Horst Feistel, who did pioneering research while working for IBM.
Feistel Networks

 This is important because a good block cipher has chaotic behavior (it should look random).
 Requiring that all components of the construction be invertible inherently introduces structure, which works against the need for chaos.
Feistel Networks

 A Feistel network is thus a way of constructing an invertible function from non-invertible components.
 This seems like a contradiction in terms: if you cannot invert the components, how can you invert the overall structure?
 Nevertheless, the Feistel design ingeniously overcomes this obstacle.
A Feistel network

1. For input $x$, denote by $x_1$ and $x_2$ the first and second halves of $x$ respectively.
2. Let $v_1 = x_1$ and $v_2 = x_2$.
3. For $i = 1$ to $r$ (where $r$ is the number of rounds in the network):
   a) Let $w_1 = v_2$ and $w_2 = v_1 \oplus f_i(v_2)$, where $f_i$ denotes the $f$-function in the $i$-th round of the network.
   b) Let $v_1 = w_1$ and $v_2 = w_2$.
4. The output $y$ is $(v_1, v_2)$.
Since the input to $f_i$ (namely $v_2$) is carried to the round's output unchanged as $w_1$, the round is undone without inverting $f_i$: recompute $f_i(w_1)$ and XOR it off $w_2$ to recover $v_1$.
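The network above as an added example (not code from the slides or the textbook), with a round function that is deliberately not invertible: a keyed, truncated SHA-256, chosen here as an assumption of the example to make the point concrete (DES builds its $f$-function from S-boxes instead). feistel_decrypt() runs the rounds in reverse using only forward evaluations of $f_i$, and f_is_permutation() shows that the round function really is many-to-one.

```python
"""Feistel network with a non-invertible round function f_i(.) = feistel_f(round_keys[i], .)."""
import hashlib
from typing import List


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def feistel_f(round_key: bytes, half: bytes) -> bytes:
    """Keyed one-way function truncated to the half-block size: many inputs share an
    output, so f cannot be inverted; the network does not need it to be."""
    return hashlib.sha256(round_key + half).digest()[:len(half)]


def feistel_encrypt(x: bytes, round_keys: List[bytes]) -> bytes:
    assert len(x) % 2 == 0
    h = len(x) // 2
    v1, v2 = x[:h], x[h:]                         # steps 1-2: split into halves
    for k in round_keys:                          # step 3: r rounds
        w1, w2 = v2, xor(v1, feistel_f(k, v2))    # a) w1 = v2, w2 = v1 XOR f_i(v2)
        v1, v2 = w1, w2                           # b)
    return v1 + v2                                # step 4: output (v1, v2)


def feistel_decrypt(y: bytes, round_keys: List[bytes]) -> bytes:
    """Undo the rounds in reverse order.  A round mapped (v1, v2) to (v2, v1 XOR f(v2));
    the input to f is in the clear as w1, so recompute f(w1) and XOR it off:
    v1 = w2 XOR f(w1), v2 = w1."""
    h = len(y) // 2
    w1, w2 = y[:h], y[h:]
    for k in reversed(round_keys):
        v1, v2 = xor(w2, feistel_f(k, w1)), w1
        w1, w2 = v1, v2
    return w1 + w2


def f_is_permutation(round_key: bytes) -> bool:
    """Is f, restricted to 1-byte halves, a bijection on {0..255}?  (Expected: no.)"""
    return len({feistel_f(round_key, bytes([b])) for b in range(256)}) == 256


if __name__ == "__main__":
    keys = [b"round-key-%d" % i for i in range(4)]   # constructed round keys
    pt = b"0123456789abcdef"
    ct = feistel_encrypt(pt, keys)
    print(ct.hex(), feistel_decrypt(ct, keys) == pt, f_is_permutation(keys[0]))
```

The round-trip holds for every input even with 1-byte halves, where f provably collides; invertibility comes entirely from the wiring of the network, not from the round function.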
Feistel Network
[Figure: diagram of the Feistel rounds described above.]