InfoSec 2

Symmetric Ciphes and Hash Functions1
Sugata Gangopadhyay
Indian Institute of Technology Roorkee
1
These slides are informal class notes that are heavily influenced by Douglas Stinson’s
Cryptography Theory and Practice Edition 4 CRC Press.
Sugata Gangopadhyay (CSE IITR) Information and Network Security 1 / 139
Symmetric Ciphers
A symmetric cipher can be represented by a 5-tuple (P, C, K, E, D)

where
P is a finite set of possible plaintexts;
C is a finite set of possible ciphertexts;
K, the keyspace, is a finite set of possible keys;
For each k ∈ K there is an encryption rule Ek : P → C, the set of all such
encryption rules is E. Corresponding to each Ek there is a unique
decryption rule Dk : C → P such that Dk (Ek (x)) = x, for all x ∈ P. The
set of all decryption rules is D.
We may define the functions E : P × K → C and D : C × K → P such

that E(·, k) is Ek and D(·, k) is Dk .

Messages, Ciphertexts, and Keys
A message is a finite binary string, i.e., an element of {0, 1}∗ .
x ∈ {0, 1}∗ is represented as x = x1 x2 . . . xn where xi ∈ {0, 1}, for all

i = 1, . . . , n. The number of binary symbols in x is said to be the length
of x; it is denoted by|x|.
For x ∈ {0, 1}∗ if|x| is divisible by n, then x can be written as

concatenations of substrings of a fixed length n as follows:
x = xh1i kxh2i k . . . kxhN i
where xhii ∈ {0, 1}n , for all i ∈ {1, . . . , N }.
Each xhii = xi1 . . . xin , where each xij ∈ {0, 1}, is said to be a block.

Definition: the finite field F2
F2 is the set {0, 1} endowed with
addition ‘+’ defined by
+ 0 1
0 0 1
1 1 0
The addition on F2 is also called “exclusive or”, “x-or” for short, and denoted
by ‘⊕’.
multiplication ‘·’ defined by

· 0 1
0 0 0
1 0 1
It is customary to write xy instead of x · y for x, y ∈ F2 .
Block Ciphers
A block cipher is a cryptosystem that

transforms an n-bit plaintext block to any
n-bit ciphertext block using an m-bit key.
A block cipher is represented by a

function E : Fn2 × Fm n
2 → F2 where
n
P = C = F2 and K = F2 . m
Figure 1: Schematic diagram of a block

cipher

Challenges in Block Cipher Construction
For each k ∈ K, the function E(·, k) is a permutation on Fn2 .
n
There are (2n )! ≈ (2n )2 permutations. To attain perfect secrecy,
n
theoretically, we need to choose one permutation from (2n )2
permutations uniformly at random.
The challenge is to construct E so that for each choice of k ∈ K = Fm

2 ,
the function E(·, k) behaves as a function chosen uniformly at random
from the space of all possible choices.

Block Ciphers
For block ciphers, a commonly used design is that of an iterated cipher.
An iterated cipher requires the specifications of

round function;
key schedule.

The Key Schedule
Let K be a random binary key of some specified length.
K is used to construct Nr round keys (also called subkeys), which are

denoted by K 1 , . . . , K Nr .
The list of round keys {K 1 , . . . , K Nr } is called the key schedule.
The key schedule is constructed from K by using a fixed public

algorithm.

The round function
The round function, say g, takes two inputs: a round key (K r ) and a
current state denoted by wr−1 .
The initial state w0 is defined to be the plaintext, x.
The ciphertext y is defined to be the state after all Nr rounds.

The round function: encryption
The encryption operation is carried out as follows:
w0 ← x
w1 ← g(w0 , K 1 )
w2 ← g(w1 , K 2 )
.. .. ..
. . .
wNr−1 ← g(wNr−2 , K Nr−1 )
wNr ← g(wNr−1 , K Nr )
y ← wNr

The round function: decryption
For decryption to be possible the function g must have the property that
it is injective (one-to-one) if its second argument is fixed.
That is: g −1 (g(w, y), y) = w.
The encryption operation is carried out as follows:
wNr ← y
wNr−1 ← g −1 (wNr , K Nr )
.. .. ..
. . .
w1 ← g −1 (w2 , K 2 )
w0 ← g −1 (w1 , K 1 )
x ← w0

Block Cipher Designs
Substitution Permutation Network.
Feistel Network.

Substitution-Permutation Network (SPN) 1/6
A plaintext and ciphertex both are binary vectors of length `m, i.e., they
are elements of {0, 1}`m . The integer `m is said to be the blocklength of
the cipher.
Two components of an SPN are

A substitution function that is also known as an S-box:
πS : {0, 1}` → {0, 1}`
A permutation function: πP : [`m] → [`m] where [`m] = {1, . . . , `m}.

Let `, m, and Nr be positive integers, let πS : {0, 1}` → {0, 1}` be a

permutation, and πP : [`m] → [`m] be a permutation. Let
P = C = {0, 1}`m , and let K ⊆ ({0, 1}`m )Nr+1 consist of all possible
key schedules that could be derived from an initial key K using the key
scheduling algorithm. For a key schedule (K 1 , . . . , K Nr+1 ), we encrypt
the plaintext x using Algorithm 1.

Input: x, πS , πP , (K 1 , . . . , K Nr+1 )
Output: y
w0 ← x;
for r = 0 to Nr − 1 do
ur ← wr−1 ⊕ K r ;
for i = 1 to m do
r ← π (ur );
vhii S hii
end
wr ← (vπr P (1) , . . . , vπr P (`m) );
end
uNr ← wNr−1 ⊕ K Nr ;
for i = 0 to m do
Nr ← π (uNr );
vhii S hii
end
y ← v Nr ⊕ K Nr+1
Algorithm 1: SPN algorithm
Plaintext x = (x1 , . . . , x`m ).

Ciphertext y = (y1 , . . . , y`m ).
Key schedule k = (k 1 , . . . , k Nr+1 ).
` = 4, m = 4, Nr = 4, [n] = {1, . . . , n}.
Each S-box, Sij is associated with a

permutation
πS j : F`2 → F`2 .
i
Each substitution layer is followed by a

permutation layer specified by a
Figure 2: Substitution-Permutation
Network having Nr = 4 rounds with permutation
block length `m = 4 × 4 = 16.
πP = [`m] → [`m].
Key-mixing layer: ui = ui−1 ⊕ ki .
Substitution layer: The S-box function πS : F`2 → F`2 is
x 0 1 2 3 4 5 6 7
πS (x) E 4 D 1 2 F B 8
x 8 9 A B C D E F
πS (x) 3 A 6 C 5 9 0 7
This is the S-box used in Stinson’s Cryptography Theory and Practice, page
75, Example 3.1.
Permutation layer: πP : [`m] → [`m] is
x 1 2 3 4 5 6 7 8
πP (x) 1 5 9 13 2 6 10 14
Figure 3: Substitution-Permutation
x 9 10 11 12 13 14 15 16
πP (x) 3 7 11 15 4 8 12 16 Network

Key-mixing layer: ui = ui−1 ⊕ ki .
Substitution layer: The S-box function πS : F`2 → F`2 is
x 0 1 2 3 4 5 6 7
πS (x) C 5 6 B 9 0 A D
x 8 9 A B C D E F
πS (x) 3 E F 8 4 7 1 2
This is the S-box used in the ultra lightweight block cipher PRESENT.
Permutation layer: πP : [`m] → [`m] is
x 1 2 3 4 5 6 7 8
πP (x) 1 5 9 13 2 6 10 14
x 9 10 11 12 13 14 15 16 Figure 4: Substitution-Permutation
πP (x) 3 7 11 15 4 8 12 16 Network

Implementation
Key = 0011 1010 1001 0100 1101 0110 0011 1111

K = (k1 , . . . , k32 ) ∈ {0, 1}32
Key scheduling algorithm: For 1 ≤ r ≤ 5,define K r to consist of 16
consecutive bits of K, beginning with k4r−3 .
K1 = 0011 1010 1001 0100
K2 = 1010 1001 0100 1101
K3 = 1001 0100 1101 0110
K4 = 0100 1101 0110 0011
K5 = 1101 0110 0011 1111
Let x = 0010 0110 1011 0111
Find y.

Feistel Network
Feistel function
Figure 5: Feistel function
Li = Ri−1 ,
Ri = Li−1 ⊕ f (Ri−1 ⊕ Ki ).
Figure 6: Feistel Network

Implementation
x = 26B7, K = 3494D63E.
K1 = 26B7, K2 = 2E07, K3 = 41B8, K4 = E46E, K5 = 4D63.

i wi−1 Ki ui vi
1 26B7 3A94 1C23 45D1
2 2E07 A94D 874A 3426
3 41B8 94D6 D56E 9F B0
4 E46E 4D63 A90D 6AE9
5 4D63 y = BCD6

Feistel Network
Feistel function
Figure 7: Feistel function
Li = Ri−1 ,
Ri = Li−1 ⊕ f (Ri−1 ⊕ Ki ).
Figure 8: Feistel Network

Attack Models2
Ciphertext only attack.
Known plaintext attack.
Chosen plaintext attack.
Chosen ciphertext attack.
2
Stinson, D. R.: Cryptography – theory and practice. Discrete mathematics and its applications series, CRC Press (1995)
Probabilistic Formulation
Figure 9: Schematic diagram of a 4 × 4 S-box.
The input variables and output variables are considered as random

variables defined on {0, 1}.
Pr[Xi = 0] = pi where 0 ≤ pi ≤ 1 is said to be the probability
distribution of Xi .
i = pi − 12 is said to the the bias of Xi .
− 12 ≤ i ≤ 12 .
Independence of random variables
In general let X = (X1 , . . . , Xn ), Y = (Y1 , . . . , Ym ) be random
variables corresponding to the input and output of an n × m S-box. It is
reasonable to assume that the random variables X1 , . . . , Xn , are
independent random variables.
If Xi , Xj are independent then
Pr[Xi = 0, Xj = 0] = pi pj
Pr[Xi = 0, Xj = 1] = pi (1 − pj )
Pr[Xi = 1, Xj = 0] = (1 − pi )pj
Pr[Xi = 1, Xj = 1] = (1 − pi )(1 − pj ).
The distribution of the discrete random variable Xi ⊕ Xj is:
Pr[Xi ⊕ Xj = 0] = pi pj + (1 − pi )(1 − pj )
Pr[Xi ⊕ Xj = 1] = pi (1 − pj ) + (1 − pi )pj .

The Piling-up Lemma
Lemma
Let i1 ,...,ik denote the bias of the random variable Xi1 ⊕ · · · ⊕ Xik . Then
i1 ,...,ik = 2k−1 kj=1 ij where ij is the bias of the random variable Xij , for
Q
j = 1, . . . , k.
Proof.
Pr[Xi1 ⊕ Xi2 = 0] = pi1 pi2 + (1 − pi1 )(1 − pi2 )
= ( 21 + i1 )( 12 + i2 ) + ( 21 − i1 )( 12 − i2 ) = 21 + 2i1 i2 .
Pr[Xi1 ⊕ Xi2 ⊕ Xi3 = 0] = Pr[(Xi1 ⊕ Xi2 ) ⊕ Xi3 ]

= ( 21 + 2i1 i2 )( 12 + i3 ) + ( 12 − 2i1 i2 )( 21 − i3 ) = 1
2 + 22 i1 i2 i3 .

S-box Analysis: Linear Approximation
Suppose that S : Fn2 → Fm

2 is an n × m S-box, or equivalently an
(n, m)-function.
Let X = (X1 , . . . , Xn ) and Y = (Y1 , . . . , Ym ) denote sequences of

random variables that correspond to input and output respectively.
For each pair (a, b) ∈ Fn2 × Fm

2 construct the following sum
n
M m
M
a·X ⊕b·Y = ai Xi ⊕ bi Yi .
i=1 i=1

S-box Analysis: Linear Approximation table
Suppose x = (x1 , . . . , xn ) and y = (y1 , . . . , ym ).
NL (a, b) = #{(x, y) : y = πS (x), a · x ⊕ b · y = 0}.
For a 4 S-box
4
M 4
M
NL (a, b) = #{(x, y) : y = πS (x), ai xi ⊕ bi yi = 0}
i=1 i=1

S-box Analysis: Linear Approximation table
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
πS (x) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
a/b 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 16 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8
1 8 8 6 6 8 8 6 14 10 10 8 8 10 10 8 8
2 8 8 6 6 8 8 6 6 8 8 10 10 8 8 2 10
3 8 8 8 8 8 8 8 8 10 2 6 6 10 10 6 6
4 8 10 8 6 6 4 6 8 8 6 8 10 10 4 10 8
5 8 6 6 8 6 8 12 10 6 8 4 10 8 6 6 8
6 8 10 6 12 10 8 8 10 8 6 10 12 6 8 8 6
7 8 6 8 10 10 4 10 8 6 8 10 8 12 10 8 10
8 8 8 8 8 8 8 8 8 6 10 10 6 10 6 6 2
9 8 8 6 6 8 8 6 6 4 8 6 10 8 12 10 6
A 8 12 6 10 4 8 10 6 10 10 8 8 10 10 8 8
B 8 12 8 4 12 8 12 8 8 8 8 8 8 8 8 8
C 8 6 12 6 6 8 10 8 10 8 10 12 8 10 8 6
D 8 10 10 8 6 12 8 10 4 6 10 8 10 8 8 10
E 8 10 10 8 6 4 8 10 6 8 8 6 4 10 6 8
F 8 6 4 6 6 8 10 8 8 6 12 6 6 8 10 8

S-box Analysis: Linear Approximation
unsigned int sbox[size];

unsigned int sbox1[size] = {0x0E, 0x04, 0x0D, ...};
//Compute linear profile
for (a=0; a<size; a++){
for (b=0; b<size; b++){
for (i=0; i<size; i++){
p = (weight(a&i)+weight(b&sbox[i]))%2;
if (p == 0) lprofile[a][b]++;
}
}
}

A simple block cipher
NL (a, b) :
L= #{(x, y)Ly =
πS (x), 4i=1 ai xi ⊕ 4i=1 bi yi = 0}
NL (a,b)−8
(a, b) = 16 .
From the linear approximation table we
observe: NL (1, 2) = NL (1, 3) = 6,
NL (6, 3) = NL (A, 1) = NL (B, 1) =
NL (B, 4) = NL (C, 2) = 12.
The biases are (1, 2) = (1, 3) = − 18 ,
(6, 3) = (A, 1) = (B, 1) = (B, 4) =
Figure 10: A simple block cipher
(C, 2) = 14 .

A simple block cipher
NL (A, 1) = 12.
12
Pr[X2 ⊕ K2 ⊕ X4 ⊕ K4 ⊕ V1 = 0] = 16 .
Y1 = V1 ⊕ K5 , i.e., V1 = Y1 ⊕ K5 .
Pr[X2 ⊕ K2 ⊕ X4 ⊕ K4 ⊕ Y1 ⊕ K5 =
0] = 12
16 .
Pr[(X2 ⊕ X4 ⊕ Y1 ⊕ K5 ) ⊕ (K2 ⊕ K4 ) =
12
0] = 16 .
Figure 11: A simple block cipher Pr[(X2 ⊕X4 ⊕Y1 ⊕K5 ) = 0] ∈ { 12 4
16 , 16 }.

Demonstration of linear attack
Pr[(X2 ⊕ X4 ⊕ Y1 ⊕ K5 ) = 0] ∈ { 12 4
16 , 16 }.
Steps of a linear attack:

1 Suppose that we have a sample of planetext-ciphertext pairs,
(xj1 , xj2 , xj3 , xj4 ), (y1j , y2j , y3j , y4j ), for j = 1, . . . , T .
2 We assume a value of K5 , say k5 and compute S = xj2 ⊕ xj4 ⊕ y1j ⊕ k5 ,
for j = 1, . . . , T .
3 The theory says that if the guess of x5 is correct then the number of times
S = xj2 ⊕ xj4 ⊕ y1j ⊕ k5 divided by T is approximately 12 4
16 or 16 .

A slightly more complicated cipher
NL (A, 1) = 12, NL (1, 7) = 14.

T1 = U21 ⊕ U41 ⊕ U12 has bias 14 ;
T2 = U13 ⊕ U14 ⊕ U24 ⊕ U34 has bias 38 .
Since U13 = U12 ⊕ K12 ,
T1 ⊕T2 = U21 ⊕U41 ⊕K12 ⊕U14 ⊕U24 ⊕U34 .
In the next slide we consider T1 ⊕ T2 .
Figure 12: Another toy block cipher

T1 ⊕ T2
T1 = U21 ⊕ U41 ⊕ U12 ; U13 = U12 ⊕ K12 ;

(1)
T2 = U13 ⊕ U14 ⊕ U24 ⊕ U34 .
T1 = U21 ⊕ U41 ⊕ U12 ; T2 = U12 ⊕ K12 ⊕ U14 ⊕ U24 ⊕ U34 . (2)
T1 ⊕ T2 = U21 ⊕ U41 ⊕ K12 ⊕ U14 ⊕ U24 ⊕ U34

= X2 ⊕ K21 ⊕ X4 ⊕ K41 ⊕ K12
⊕ Y1 ⊕ K13 ⊕ Y2 ⊕ K23 ⊕ Y3 ⊕ K33 (3)
= X2 ⊕ X4 ⊕ Y1 ⊕ Y2 ⊕ Y3 ⊕ K13 ⊕ K23 ⊕ K33
⊕ K21 ⊕ K41 ⊕ K12 .
The statistic of interest is
X2 ⊕ X4 ⊕ Y1 ⊕ Y2 ⊕ Y3 ⊕ K13 ⊕ K23 ⊕ K33
T1 ⊕ T2
bias(T1 ) = 14 , bias(T2 ) = 38 .
1 3 3
By Piling-up lemma bias(T1 ⊕ T2 ) = 2 × 4 × 8 = 16 .

Steps of Linear Attack
Suppose that we have a sample of planetext-ciphertext pairs,

(xj1 , xj2 , xj3 , xj4 ), (y1j , y2j , y3j , y4j ), for j = 1, . . . , T .
We assume a value of K13 , k23 , k33 , and compute

S = xj2 ⊕ xj4 ⊕ y1j ⊕ y2j ⊕ y3j ⊕ k13 ⊕ k23 ⊕ k33 , for j = 1, . . . , T .
The theory says that if the guess of x5 is correct then the number of
times S = xj2 ⊕ xj4 ⊕ y1j ⊕ k5 divided by T is approximately 1611 5
or 16 .

Differential Attack
Differential cryptanalysis is a chosen ciphertext attack.
We assume that an attacker has a large number of tuples (x, x∗ , y, y ∗ )

where x0 = x ⊕ x∗ and y 0 = y ⊕ y ∗ .
The plaintext elements x, x∗ are encrypted by using the same unknown

key, K, yielding the ciphertexts y and y∗, respectively.
For each candidate key, we compute the values of certain state bits, and
determine if their x-or has a certain value (namely, the most likely value
for the given input x-or).
Whenever it does, we increment a counter corresponding to the

particular candidate key.
Differential Properties of S-boxes
Let πS : {0, 1}m → {0, 1}n be an S-box. Consider an (ordered) pair of

bitstirngs of length m, say (x, x∗ ). We say that the inpur x-or of the
S-box is x ⊕ x∗ and the output x-or is πS (x) ⊕ πS (x∗ ). Note that the
output x-or is a bitstring of length n.
For any x0 ∈ {0, 1}m , define ∆(x0 ) to consist of all the ordered pairs
(x, x∗ ) having input x-or equal to x0 .
The set ∆(x0 ) contains 2m pairs, and
∆(x0 ) = {(x, x ⊕ x0 ) : x ∈ {0, 1}m }.

Differential Property of an S-box
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
πS (x) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
∆(1011) = {(0000, 1011), (0001, 1010), . . . , (1111, 0100)}
Following are the distributions of the output x-ors: small
0000 0001 0010 0011 0100 0101 0110 0111
0 0 8 0 0 2 0 2
1000 1001 1010 1011 1100 1101 1110 1111

0 0 0 0 0 2 0 2
0 0 ∗ 0 ∗ 0

ND (x , y ) = {(x, x ) ∈ ∆(x ) : πS (x) ⊕ πS (x ) = y }
The propagation ratio for the differential (a0 , b0 ) is
ND (a0 , b0 )
Rp (a0 , b0 ) = .
2m
Conditional probability interpretation
ND (x0 , y 0 ) = {(x, x∗ ) ∈ ∆(x0 ) : πS (x) ⊕ πS (x∗ ) = y 0 }

The propagation ratio for the differential (a0 , b0 ) is
ND (a0 , b0 )
Rp (a0 , b0 ) = .
2m
Rp (a0 , b0 ) can be interpreted as a conditional probability:
Pr[output x-or = b0 |input x-or = a0 ] = Rp (a0 , b0 ).

Differential Attack
x 0 1 2 3 4 5 6 7 8 9 A B C D E F
πS (x) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
In S21 , Rp (1011, 0010) = 12 .

In S32 , Rp (0100, 0110) = 38 .
In S23 , Rp (0010, 0101) = 38 .
In S33 , Rp (0010, 0101) = 38 .
These differentials can be combined to form the following differential trail.
3
1 3 27
Rp (0000101100000000, 0000010101010000) = × = .
2 8 1024

x0 = 0000101100000000 ⇒ (v 3 )0 = 0000010101010000 with
27
probability 1024 .
(v 3 )0 = 0000010101010000 ⇒ (u4 )0 = 0000011000000110 with
27
probability 1024 .
x0 = 0000101100000000 ⇒ (u4 )0 = 0000011000000110 with
27
probability 1024 .
Therefore,
3
1 3 27
Rp (0000101100000000, 0000010101010000) = × = .
2 8 1024

D IFFERENTIAL ATTACK
−1
Input: T , T , πS
Output: maxkey
for (L1 , L2 ) ← (0, 0) to (F, F ) do
Count(L1 , L2 ) ← 0 ;
end
for (x, y, x∗ , y ∗ ) ∈ T do
if yh1i = (yh1i )∗ and yh3i = (yh3i )∗ then
for (L1 , L2 ) ← (0, 0) to (F, F ) do
4
vh2i ← L1 ⊕ yh2i ;
4
vh4i ← L2 ⊕ yh4i ;
−1 4 max ← −1 ;
u4
h2i ← πS (vh2i ) ; for (L1 , L2 ) ← (0, 0) to (F, F ) do
4 −1 4
uh4i ← πS (vh4i ) ; if Count[L1 , L2 ] > max then
max ← Count[L1 , L2 ] ;
4
(vh2i )∗ ← L1 ⊕ (yh2i )∗ ;
maxkey ← (L1 , L2 ) ;
4
(vh4i )∗ ← L2 ⊕ (yh4i )∗ ; end
(u4 ∗ −1 4 ∗ return maxkey
h2i ) ← πS ((vh2i ) ) ; end
∗ −1 ∗
(u4 4
h4i ) ← πS ((vh4i ) ) ;
0 ∗
(u4
h2i ) ← u4
h2i ⊕ (u 4
h2i ) ;
0 ∗
(u4 4 4
h4i ) ← uh4i ⊕ (uh4i ) ;
0 0
if (u4 4
h2i ) = 0110 and (uh4i ) = 0110 then
Count[L1 , L2 ] ← Count[L1 , L2 ] + 1;
end
end
end
end

Chosen plaintext attack on a block cipher
It is assumed that the adversary knows

the plaintext-ciphertext pair (x0 , y0 ), but
does not know the key k0 .
The goal of the adversary is to find the

secret key k0 .
Figure 13: Schematic diagram of a block
cipher

Exhaustive Search Attack (1/2)
Precompute the following table
k1 E(x0 , k1 ) = y1
k2 E(x0 , k2 ) = y2
.. .. .. (4)
. . .
k2m E(x0 , k2m ) = y2m
Table 1: Precomputation table.
In the online phase search for y0 in the

Figure 14: E : Fn m n
2 × F2 → F2 .
rightmost column of Table 4.
If yj = y0 , then kj = k0 the secret key.

Exhaustive Search Attack (2/2)
(The foundation of time-memory trade-off)
The running-time complexity of the precomputation

phase is P = O(2m ).
The memory complexity is M = O(2m ).
The running time complexity in the online phase is

T = O(log2 (2m )) = O(m), if the list is sorted.
Figure 15:
E : Fn m n
2 ×F2 → F2 .
If we do not store the preprocessing table then
M = O(1) and T = 2m .

Time-Memory Trade-Off
In the late seventies, after acceptance of DES as the encryption standard,

Martin Hellman 3 proposed a time-memory trade-off attack on DES.
In the previous slide, we have seen that if we have access to memory of

O(2m ), we can search for the key in O(1) time. Conversely, if we allow
computation of order O(2m ), it is possible to mount an attack with O(1)
memory.
Hellman proposed a middle path between these two extreme cases and
demonstrated a practical attack on DES.
3
Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Information Theory 26(4), 401–406 (1980)
TMTO: Hellman’s Approach
Hellman considers block ciphers for which
P = K = C = Fn2 .
Chosen plaintext attack: the attacker can

choose a plaintext, x say, and obtain the
ciphertext y = E(x, k) during the actual
operational phase of the cipher without the
knowledge of the key k ∈ K in use.
Figure 16: Assuming n = m,
The goal of the cryptanalyst (attacker) is to f : Fn n
2 → F2 defined by
find the key. f (xij ) = E(x0 , xij ) = xi(j+1) .

Preparing for the Precomputation Phase
P = C = K = En2 . Keyspace size: N = 2n .
Block cipher: E : P × K → C.
f : K → C is f (xij ) = E(x0 , xij ) = xi(j+1) ∈ C = K.
f f f f
x10 −
→ x11 −
→ x12 −
→ ··· −
→ x1t
f f f f
→ x21 −
x20 − → x22 −
→ ··· −
→ x2t
.. .. .. ..
. . . .
f f f f
xm0 −
→ xm1 −
→ xm2 −
→ ··· −
→ xmt

Collision Resistance
For i = 1 to m choose xi0 at random. For j = 0 to (t − 1) evaluate

f (xij ) = xi(j+1) . The table will “cover” mt keys.
The probability of obtaining a collision is negligible if

(mt)(t) = mt2 ≤ N . For details we refer to Hellman 4 proposed a
time-memory trade-off attack on DES. Biryukov and Shamir 5 .
f f f f
x10 −
→ x11 −
→ x12 −
→ ··· −
→ x1t
f f f f
x20 −
→ x21 − → x22 −
→ ··· −
→ x2t
.. .. .. ..
. . . .
f f f f
xm0 −
→ xm1 −
→ xm2 −
→ ··· −
→ xmt
4
Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Information Theory 26(4), 401–406 (1980)
5
Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. ASIACRYPT 2000. pp. 1–13.
TMTO Matrix
All these mt vectors successively generated by f starting from randomly

chosen vectors xi0 , 1 ≤ i ≤ m, can be summarized in a single m × t
matrix called TMTO-matrix whose elements are called keys.
TMTO-matrix:  
x11 x12 ··· x1t
 x21 x22 ··· x2t
 

 .
 . .. .. .. .. (5)
 . . . . .

xm1 xm2 · · · xmt

How to cover all the keys?
Each TMTO-matrix can store at most mt keys where mt2 = N without
the risk of having to store the same key at several positions.
Instead of f we use hi ◦ f (x) = hj (f (x)), for all x ∈ Fn2 where hi

permutes the coordinates of the input vector. Let hj for j = 1, . . . , t be t
such distinct functions. h1 is the identity permutation.
Let the TMTO-matrix generated by hj ◦ f , jth TMTO-matrix, be

denoted by  
(j) (j) (j)
 x(j)
11 x12 · · · x1t
(j) (j)

x
 21 x 22 · · · x 2t

(6)

 . .. .. .. ..
 .. . . . .
 
(j) (j) (j)
xm1 xm2 · · · xmt
How to cover all the keys?
Hellman envisioned that if each of these functions is used to generate a

TMTO-matrix, the resulting t tables will cover all the mt2 = N keys,
defying the Birthday Paradox.
Hellman was proved to be correct. The time complexity of the

preprocessing phase is P = N , since all the keys have to be visited.
This computation may take several weeks or might be years! However,

this is a one-time investment.

Memory Requirement to Store the Tables
Instead of storing all the mt keys of each of the t matrices, only the
starting and the ending keys are stored in a list.
Instead of the jth TMTO-matrix we construct a list Lj of the pairs

(j) (j)
(xi0 , xit ) for i = 1, . . . , m, sorted with respect to the
second-component.
Let us denote the list corresponding to the jth matrix by Lj .
Therefore, we need mt memory locations to store t matrices.

TMTO Lists
The TMTO lists are as follows:

     
(1) (1) (2) (2) (t) (t)
 x11 x1t   x11 x1t   x11 x1t 
 x(1) x(1)   x(2) x(2)   x(t) x(t) 
L1 =  21 2t   21 2t   21 2t 
 , L2 =  .  , . . . , Lt =  . .

.
 .. .
..   .. .
..   .. .. 
     . 
(1) (1) (2) (2) (t) (t)
xm1 xmt xm1 xmt xm1 xmt
The first column in each Lj is

Online Phase: Algorithm
Input: (x0 , y0 ), Lj for j = 1, . . . , t;

Output: The secret key k0 ;
for i = 0 to t − 1 do
for j = 1 to t do
y 0 ← hj (y0 );
yi0 ← (hj ◦ f )i (y 0 );
. search in the sorted list Lj , for all j
if yi0 ∈ Lj then
(j)
determine ` such that yi0 = x`t ;
(j)
return k = (hj ◦ f )(t−i−1) (x`0 );
end
end
end
Algorithm 2: Time-memory trade-off

Analysis
In case all the keys are covered in the tables, the attack will be successful.
The memory requirement for each table is m. So for t tables the memory
requirement is M = mt.
If we assume that the tables are sorted, the time to search each table is
log2 m.
In case we have to search all t tables before finding a match, the time
complexity if t × log2 m.

Analysis
To search in a table in the ith iteration, first f has to be applied (i − 1)

times on the ciphertext. If there is a match, f has to be applied on the
corresponding starting point (SP) (t − i) times.
The total number of times f has to be applied is t − i + i − 1 = t − 1.
The time complexity of the attack is
T = (t − 1) × t × log2 m.

Complexity of Attack
M = the storage memory.
For each table we need m locations to store the first and the last points of
each row.
For t tables we require mt locations.
The preprocessing and online space complexity is M = mt.

Preprocessing Time Complexity
While preparing the tables we have to cover all the N keys.
The preprocessing time complexity is P = N .

Online Phase Time Complexity
The function f is applied on the output t times for each table to

determine whether the key appears in the table.
Since there are t tables and for each table computation is of the order t
we have the online phase time complexity T = t2 .
In case we include the time complexity of the table search in the online
phase T = t2 log2 m.

The Trade-Off Curve
M = mt
P =N
N = mt2
T = t2
T M 2 = t2 m2 t2 = (mt2 )2 = N 2 .

Hash functions6
A cryptographic hash function provides assurance of data integrity.
A hash function is used to construct a short “fingerprint” of some data.
Even if the data is stored in an insecure place, its integrity can be

checked from time to time by recomputing the fingerprint and verifying
that the fingerprint has not changed.
6
These slides are notes from “Cryptography: Theory and Practice” by Douglas Stinson.
Several sentences are copied from that book. This is only for class room use.
Hash functions: fingerprinting data, message digest
Let h be a hash function and x be some data.
Usually, x is a binary string of arbitrary length.
The corresponding fingerprint y = h(x) is said to be a message digest.
A message digest would typically be a fairly short binary string; 160 bits
is a common choice.

Hash functions: fingerprinting data, message digest
Suppose that y is stored in a secure place, but x is not.
Suppose x is changed to x0 , say.
The fact that x has been altered can be detected by computing y 0 = h(x0 )
and verifying that y 0 6= y.

Keyed hash functions: message authentication code, MAC
Suppose that Alice and Bob share a secret key K which determines a
hash function, say hK .
For a message x, the corresponding authentication tag y = hK (x), can

be computed by Alice and Bob.
The pair (x, y) can be transmitted over an insecure channel from Alice to
Bob.
When Bob receives the pair (x, y), he can verify if y = hK (x).
If this condition is satisfied, he is confident that neither x nor y was

altered by an adversary, provided that the hash family is “secure”.
In particular, Bob is assured that the message x originates from Alice.

Hash functions
A hash family is a four-tuple (X , Y, K, H), where following conditions

are satisfied:
1 X is a set of possible messages

2 Y is a finite set of possible message digests or authentication tags
3 K, the keyspace, is a finite set of possible keys
4 For each K ∈ K, there is a hash function hK : X → Y.

Notation and terminology
In the definition of a hash function, X could be a finite or infinite set; Y

is always a finite set.
If X is a finite set, a hash function is sometimes called a compression

function, and we always assume that|X| ≥ |Y | |.
It is customary to assume that|X | ≥ 2|Y|.
A pair (x, y) ∈ X × Y is said to be a valid pair under the key K if

hK (x) = y.
One aim of the study of hash functions is to develop methods that resist
creation of valid pairs by adversaries.

Notation and terminology
Let F X ,Y denote the set of all functions from X to Y.
|X | = N ,|Y| = M .

X ,Y
The number of all possible hash functions from X to Y is F = MN.
Any hash family F ⊆ F X ,Y is termed as an (N, M )-hash family.
An unkeyed function is a function h : X → Y such that|K| = 1

Security of Hash Functions
Suppose that h : X → Y is an unkeyed hash function. Let x ∈ X , and

define y = h(x).
If a hash function is to be considered to be secure, it should be the case

that the following three problems are difficult to solve.
1 Preimage:
Instance: A hash function h : X → Y and an element y ∈ Y.
Find: x ∈ X such that h(x) = y.
2 Second Preimage:
Instance: A hash function h : X → Y and an element x ∈ X .
Find: x0 ∈ X such that x 6= x0 and h(x) = h(x0 ).
3 Collision:
Instance: A hash function h : X → Y.
Find: x, x0 ∈ X such that x 6= x0 and h(x) = h(x0 ).

Random Oracle Model
Random oracle model is an idealized model for a hash function which

attempts to capture the concept of an “ideal” hash function.
If a hash function h is well designed, it should be the case that the only
efficient way to determine the value h(x) for a given x is actually
evaluate the function h at the value x.
This should remain true even if many other values h(x1 ), h(x2 ), . . . have
already been calculated.

Random Oracle Model
The random oracle model, which was introduced by Bellare and

Rogaway, provides a mathematical model of an “ideal” hash function.
In this model, a hash function h : X → Y is chosen randomly from

F X ,Y , and we are only permitted oracle access to the function h.
This means that we are not given a formula or an algorithm to compute

values of the function h, and the only way to compute a value h(x) is to
query the oracle.

The random oracle model
Theorem
Suppose that h ∈ F X ,Y is chosen randomly, and let X0 ⊆ X . Suppose that
the values h(x) have been determined (by querying an oracle h) if and only if
1
x ∈ X0 . The Pr[h(x) = y] = M for all x ∈ X \ X0 and all y ∈ Y.

Example where the random oracle model does not apply
h : Zn × Zn → Zn , h(x, y) = ax + by mod n a, b ∈ Zn and n ≥ 2 is a
positive integer.
Suppose h(x1 , y1 ) = z1 and h(x2 , y2 ) = z2 . Let r, s ∈ Zn . Then
h(rx1 + sx2 mod n, ry1 + sy2 mod n)
= a(rx1 + sx2 ) + b(ry1 + sy2 ) mod n
= r(ax1 + by1 ) + s(ax2 + by2 ) mod n
= rh(x1 , y1 ) + sh(x2 , y2 ).
Suppose we are told that a hash function in use is a linear function from
Zn × Zn to Zn .
Then given the hash values for any two points, we can determine the
hash values at several other points without actually evaluating the hash
function.
This proves that the random oracle model does not hold for such a
function.
Randomized algorithms
A Las Vegas algorithm is a randomized algorithm which may fail to give
an answer, but if the algorithm does return an answer, then the answer
must be correct.
Suppose 0 ≤ < 1 is a real number. A randomized algorithm has

worst-case success probability if the probability that the algorithm
returns a correct answer, averaged over all problem instances of a
specified size, is at least .
(, Q)-algorithm denotes a Las Vegas algorithm with average-case

success probability , in which the oracle queries made by the algorithms
is at most Q.
The success probability is the average over all possible random choices
of h ∈ F X ,Y , and all possible random choices of x ∈ X or y ∈ Y, if x
and y are specified as part of the problem instance.
Find-Preimage
Input: h, y, Q;
choose any X0 ⊆ X ,|X0 | = Q;
for x ∈ X0 do
if h(x) = y then
return x
end
return failure
end
Algorithm 3: Find-Preimage

Find-Preimage
Theorem
For any X0 ⊆ X with|X0 | = Q, the average-case success probability of
1 Q
Algorithm 3 is = 1 − (1 − M ) .
Proof.
Let y ∈ Y, and X0 = {x1 , . . . , xQ }. Let Ei denote the event “h(xi ) = y. ”
Pr[Ei ] = 1/M and Pr[Eic ] = 1 − 1/M .
Pr[E1 ∨ E2 ∨ · · · ∨ EQ ] = 1 − Pr[E1c ∧ E2c ∧ · · · ∧ EQ

c
]
Q
1
=1− 1− .
M

Find-Second-Preimage
Input: h, x, Q;
y ← h(x);
choose X0 ⊆ X \ {x},|X0 | = Q − 1;
for x ∈ X0 do
if h(x) = y then
return x
end
return failure
end
Algorithm 4: Find-Second-Preimage

Find-Second-Preimage
Theorem
For any X0 ⊆ X with|X0 | = Q − 1, the average-case success probability of
1 Q−1
Algorithm 4 is = 1 − (1 − M ) .
Proof.
Let y ∈ Y, and X0 = {x1 , . . . , xQ−1 }. Let Ei denote the event “h(xi ) = y. ”
Pr[Ei ] = 1/M and Pr[Eic ] = 1 − 1/M .
Pr[E1 ∨ E2 ∨ · · · ∨ EQ−1 ] = 1 − Pr[E1c ∧ E2c ∧ · · · ∧ EQ−1

c
]
Q−1
1
=1− 1− .
M

Find-Collision
Input: h, Q;
choose X0 ⊆ X ,|X0 | = Q;
for x ∈ X0 do
yx ← h(x);
end
if yx = yx0 for some x 6= x0 then
return (x, x0 )
end
else
return failure
end
Algorithm 5: Find-Collision

Find-Collision
Theorem
For any X0 ⊆ X with|X0 | = Q, the success probability of Algorithm 5 is

M −1 M −2 M −Q+1
=1− ···
M M M
Proof.
Let X0 = {x1 , x2 , . . . , xQ }. For 1 ≤ i ≤ Q, let Ei denote the event
h(xi ) ∈
/ {h(x1 ), h(x2 ), . . . , h(xi−1 )}.
M −i+1
Pr[Ei |E1 ∧ E2 ∧ · · · ∧ Ei−1 ] = .
M
Therefore
Q−1
Y
i
Pr[E1 ∧ E2 ∧ · · · ∧ EQ ] = 1− .
M
i=1
Find-Collision
Q−1
Y
i
Pr[E1 ∧ E2 ∧ · · · ∧ EQ ] = 1−
M
i=1
Q−1
Y −i PQ−1 i −Q(Q−1)
= e M = e− i=1 M =e 2M .
i=1
−Q(Q−1)
The probability of finding at least one collision is = 1 − e 2M .
−Q(Q−1)
e 2M ≈ 1 − ; −Q(Q−1) 2M ≈ ln(1 − ); Q2 − Q ≈ 2M ln 1− 1
r
1
Q≈ 2M ln
1−
√
If we take = 0.5, then our estimate is Q ≈ 1.17 M .
Comparison of security criteria
C OLLISION -T O -S ECOND -P REIMAGE Finding a collision is easier than
finding the second-preimage. If we have an algorithm that solves the
second-primage problem, then it can be used to find collision. This is sail
to be a “reduction of the problem C OLLISION to the problem
S ECOND -P REIMAGE.
C OLLISION -T O -S ECOND -P REIMAGE
Input: external O RACLE -2 ND -P REIMAGE
choose x ∈ X uniformly at random;
if O RACLE -2 ND -P REIMAGE(h, x) = x0 then
return (x, x0 )
end
else
return failure
end
Algorithm 6: Collision-To-Second-Preimage
C OLLISION -T O -P REIMAGE
C OLLISION -T O -P REIMAGE Suppose that we have a (1, Q) algorithm to
solve preimage. The question is whether it can be used to solve collision.
The following randomized algorithm performs that task. The is a
“reduction of the problem C OLLISION to the problem P REIMAGE.
C OLLISION -T O -P REIMAGE
Input: external O RACLE -P REIMAGE
choose x ∈ X uniformly at random;
y ← h(x) ;
if O RACLE -P REIMAGE(h, y) = x0 and x 6= x0 then
return (x, x0 )
end
else
return failure
end
Algorithm 7: Collision-To-Preimage
Collision-to-Preimage
Let x ∼ x0 if and only if h(x) = h(x0 ).

[x] = {x0 ∈ X : x0 ∼ x} is the equivalence class of x.
Let the set of all equivalence classes be C.
For x ∈ X , let y = h(x). The probability that
|[x]|−1
C OLLISION -T O -P REIMAGE is successful is [x] .
| |
The average probability of success

1 X [x] − 1 1 X X |C| − 1
Pr[success] = =
|X | [x] |X | |C|
x∈X C∈C x∈C
1 X |X | −|Y| |Y| 1
= (|C| − 1) = =1− ≥ , if |X | ≥ 2|Y| .
|X | |X | |X | 2
C∈C

Iterated Hash Functions
We denote the length of a bitstring x by|x|.
The concatenation of the bitstrings x and y is written as xky.
Let compress : {0, 1}m+t → {0, 1}m .
We use the compression function compress to construct a hash function

∞
[
h: {0, 1}i → {0, 1}` .
i=m+t+1

Preprocessing step
Given an input string x, where|x| ≥ m + t + 1, construct a string y, using a
public algorithm, such that|y| ≡ 0 (mod t). Denote y = y1 ky2 k · · · kyr ,
where|yi | = t for 1 ≤ i ≤ r.
Processing step
Let IV be a public initial value that is a bitstring of length m. Then compute
the following:
z0 ← IV
z1 ← compress(z0 ky1 )
.. ..
. .
zr ← compress(zr−1 kyr ).
Output step
Let g : {0, 1}m → {0, 1}` be a public function. Define h(x) = g(zr ).
Padding
Padding function is a publicly disclosed function that is applied on x to
produce pad(x).
Typically pad(x) involves the length|x| and additional zeros so that the
length of y = xkpad(x) is divisible by t.

Merkle-Damgård Construction
Suppose compress : {0, 1}m+t → {0, 1}m is a collision resistant

compression function, where t ≥ 1. We will use compress to construct a
collision resistant hash function h : X → {0, 1}m , where
X = ∪∞ i
i=m+t+1 {0, 1} .
Case 1: t ≥ 2
n
Suppose x ∈ X , and|x| = n ≥ m + t + 1. k = d t−1 e and d = k(t − 1) − n.
We can express x as the concatenation: x = x1 kx2 k · · · kxk , where
|x1 | = |x2 | = · · · = |xk−1 | = t − 1 and xk = t − 1 − d.
y(x) = y1 ky2 k · · · kyk+1 . yk is formed from xk by padding on the right with
d zeroes, so that all the blocks yi (1 ≤ i ≤ k) are of length t − 1. yk+1 should
be padded on the left with zeroes so that|yk+1 | = t − 1.

external compress;
comment compress : {0, 1}m+t → {0, 1}m , where t ≥ 2 ;
n ← |x| ;
k ← dn/(t − 1)e ;
d ← k(t − 1) − n;
for i ← 1 to k − 1 do
yi ← x i ;
end
yk ← xk k0d ;
yk+1 ← the binary representation of d;
z1 ← 0m+1 ky1 ;
g1 ← compress(z1 );
for i ← 1 to k do
zi+1 ← gi k1kyi+1 ;
gi+1 ← compress(zi+1 );
end
Collision Resistance
Theorem
Suppose compress : {0, 1}m+t → {0, 1}m is a collision resistant
compression function, where t ≥ 2. Then the function
∞
[
h: {0, 1}i → {0, 1}m ,
i=m+t+1
as constructed in 8 is a collision resistant hash function.

Merkle-Damgård(x) for t = 1
external compress;
comment compress : {0, 1}m+1 → {0, 1}m ;
n ← |x| ;
y ← 11kf (x1 )kf (x2 )k · · · kf (xn );
denote y = y1 ky2 k · · · kyk , where yi ∈ {0, 1}, 1 ≤ i ≤ k;
g1 ← compress(0m ky1 ) ;
for i ← 1 to k − 1 do
gi+1 ← compress(gi kyi+1 );
end
return gk ;
Algorithm 9: M ERKLE -DAMGÅRD(x)
|x| = n ≥ m + 2. f (0) = 0, f (1) = 01.

Collision Resistance t = 1
Theorem
Suppose compress : {0, 1}m+1 → {0, 1}m is a collision resistant
compression function, where t ≥ 2. Then the function
∞
[
h: {0, 1}i → {0, 1}m ,
i=m+2
as constructed in 9 is a collision resistant hash function.

Some Examples of iterated hash functions
Hash functions constructed by using Merkle-Damgård approach:
MD4 was proposed by Rivest in 1990.

MD5 was proposed by Rivest in 1992.
SHA was proposed as a standard by NIST in 1993, and published as FIPS
180-1. Now SHA is referred to as SHA-0.
Discovery of collisions:
Collision in the compression function of MD4 and MD5 were discovered

in mid-1990s.
It was shown in 1998 that SHA-0 has a weakness that would allow
collision to be found in approximately 261 steps that is much more
efficient than a birthday attack, which requires 280 steps.

Some Examples of iterated hash functions
List of further attacks:

In CRYPTO-2004:
Collision for SHA-0 was found by Joux.
Collision for MD5 and several other popular hash functions were found by
Wang, Lai, and Yu.
The first collision for SHA-1 was found by Stevens, Bursztein, Karpman,
Albertini, and Markov and announced in 23 February 2017. This attack
was approximately 100000 times faster than a brute-force “birthday
paradox” search having roughly 280 trials.
SHA-2 includes four hash functions known as SHA-224, SHA-256,
SHA-384, and SHA-512.
The last three of the above are approved as FIPS standard in 2002.

Operations used in SHA-1
X ∧Y bitwise “and” of X and Y

X ∨Y bitwise “or” of X and Y
X ⊕Y bitwise “x-or” of X and Y
¬X bitwise complement of X
X +Y integer addition modulo 232
ROTLs (X) circular left shift of X by s positions (0 ≤ s ≤ 31)
These operations are very efficient.

However, when a suitable sequence of these operations is performed, the
output is quite unpredictable.

The Sponge Construction
SHA-3 is based on a design called the sponge construction.
This technique was developed by Bertoni, Daemen, Peeters, and Van

Assche.
Instead of using a compression function, the basic “building block” is a

function f that maps bitstrings of a fixed length to bitstrings of the same
length.
Typically f will be a bijection, so every bitstring will have a unique

preimage.

Suppose that f operates on bitstrings of length b. That is

f 0 : {0, 1}b → {0, 1}b . The integer b is call the width.
Write b = r + c, where r is the bitrate and c is the capacity.
The value of r affects the efficiency of the resulting sponge function, as a

message will be processed r bits at a time.
The value of c affects the resulting security of the sponge function.
The security level against a certain kind of collision attack is intended to

be roughly 2c/2 . This is comparable to the security of a random oracle
with a c-bit output.

The sponge function based on f works as follows:
The input message M is a bitstring of arbitrary length.
M is padded appropriately so that its length is a multiple of r.
Then the padded message is split into blocks of length r.
The sponge function based on f works as follows:
Absorbing phase
Initially the state is a bitstring of length b consisting of zeroes.
The first block of the padded message is exclusive-ored with the first r
bits of the state. Then the function f is applied which updates the state.
This process is repeated with the remaining blocks of the padded
message.
Squeezing phase
Suppose ` output bits are desired.
Take the first r bits of the current state; this forms an output block.
If ` > r we apply f to the current state and take the first r output bits as
another output block.
The process is repeated until we have a total of at least ` bits.
Diagram of the sponge construction
Sugata Gangopadhyay (CSE IITR) Figure 17: sponge

Information construction
and Network Security 102 / 139
M = m1 k · · · kmk , where m1 , . . . , mk ∈ {0, 1}r .

. . . 0} ∈ {0, 1}r and
Let the initial state be x0 ky0 where x0 = |00 {z
r
. . . 0} ∈ {0, 1}c , and let the state after the ith step be xi kyi ,
y0 = |00 {z
c
where xi ∈ {0, 1}r and yi ∈ {0, 1}c .
The following equations describe the state transitions.
x1 ky1 = f (m1 ⊕ x0 ky0 )

x2 ky2 = f (m2 ⊕ x1 ky1 )
.. .. ..
. . .
xk kyk = f (mk ⊕ xk−1 kyk−1 ).
Generation of an internal collision
Suppose
x1 ky1 = f (x0 ky0 ) x1 ky1 = f (x0 ⊕ x0 ky0 ) = f (x0 ky0 )

x2 ky2 = f (x0 ky1 ) x2 ky2 = f (x1 ⊕ x1 ky1 ) = f (x0 ky1 )
.. .. .. · · ·
. . . xh kyh = f (xh−1 ⊕ xh−1 kyh−1 )
xk kyk = f (x0 kyk−1 ). = f (x0 kyh−1 )
xh+1 kyh+1 = f (xh ⊕ xh kyh ) = f (x0 kyh )
· · ·
M = x0 kx1 k · · · kxh
xk+1 kyk+1 = f (xk ⊕ xk kyk ) = f (x0 kyk ).
M 0 = x0 kx1 k · · · kxk
There exists h < k, Since f (x0 kyh ) = f (x0 kyk )

h 6= k such that
f (x0 kyk ) = f (x0 kyh ). xh+1 kyh+1 = xk+1 kyk+1 .
Generating collision from the output
Suppose the squeezing phase produces an `-bit output string.
We can generate a collision by mounting a birthday attack on the output

`
by evaluating the sponge function approximately 2 2 times.
Therefore, we can generate collision by applying the sponge function

` c
min{2 2 , 2 2 } times.
If ` ≤ c, then generate collision from `-bit output strings by mounting
birthday attack.
If c < ` generate output collision by constructing internal collision using
the technique discussed in the previous slide.
SHA-3
SHA3-224, SHA3-256, SHA3-384, and SHA3-512.
SHAKE128, SHAKE256 are extendable output functions that is

abbreviated to XOF.
hash function b r c collision security preimage security

SHA3-224 1600 1152 448 112 224
SHA3-256 1600 1088 512 128 256
SHA3-384 1600 832 768 192 384
SHA3-512 1600 576 1024 256 512
SHAKE128 1600 1344 256 min{ d2 , 128} min{d, 128}
SHAKE256 1600 1088 512 min{ d2 , 256} min{d, 256}
Message Authentication Codes: keyed hash function
Keyed hash function from an unkeyed hash function
Suppose h is an unkeyed hash function with IV as the initial value that
required every input message x to have length that is a multiple of t.
h utilizes the compression function compress : {0, 1}m+t → {0, 1}m .
The initial value IV is set to the key K, i.e., IV = K.
An iterative keyed has function
z0 ← K
.. ..
. .
Unkeyed to keyed hash functions
IV = K
z0 ← K
.. ..
. .
Length extension attack

We have x and hK (x).
Consider the message xkx0 . Then hK (xkx0 ) = compress(hk (x)kx0 ).
Length extension attack with padding
Length extension attack with padding
Suppose y = xkpad(x), such that|y| = rt.
Let|w| = t. Define: x0 = xkpad(x)kw.
y 0 = x0 kpad(x0 ) = xkpad(x)kwkpad(x0 ). where y 0 = r0 t for some

integer r0 > r.
Computing hK (x0 )
Let zr = hK (x).
zr+1 ← compress(hK (x)kyr+1 )

zr+2 ← compress(zr+1 kyr+2 )
.. ..
. .
zr0 ← compress(zr0 −1 kyr0 )
(x0 ) = z(CSE
hKGangopadhyay
SoSugata r0 . IITR) Information and Network Security 109 / 139
MAC attack models
The objective of an adversary (Oscar) is to try to produce a message-tag

pair (x, y) that is valid under a fixed but unknown key, K.
Oscar might have access to some valid pairs for the key K:
(x1 , y1 ), (x2 , y2 ), . . . , (xQ , yQ ).
Two standard attack models are

1 known message attack;
2 chosen message attack.
Forgery
Suppose Q valid pairs (x1 , y1 ), (x2 , y2 ), . . . , (xQ , yQ ) for an unknown

key K is available to Oscar.
If Oscar can output a message-tag valid pair (x, y) such that
x∈ / {x1 , . . . , xQ } with the probability bounded below by , then Oscar
is said to be an (, Q)-forger for the given MAC.
The pair (x, y) is said to be a forgery.
The probability can be an average-case probability over all possible
keys, or the worst-case probability.
Two obvious attacks
Key guessing attack:

1 Oscar chooses K ∈ K uniformly at random, and outputs the tag hK (x) for
an arbitrary message x.
1
2 This attack succeeds with probability |K| .
Tag guessing attack:

1 Oscar chooses the tag y ∈ Y uniformly at random and outputs y has the
tag for any arbitrary message x.
1
2 This attack succeeds with probability |Y| .
Nested MACs
A nested MAC builds a MAC algorithm from the composition of two

(keyed) hash families.
Compositions of the hash families (X , Y, K, G) and (Y, Z, L, H) is

(X , Z, M, G ◦ H) in which M = K × L and
G ◦ H = {g ◦ h : g ∈ G, h ∈ H}
where (g ◦ h)(K,L) (x) = hL (gK (x)) for all x ∈ X .
|Y| ≥ |Z| and|X | is either finite or infinite.
If X is finite, then|X | > |Y|.
Nested MACs
The nested MAC is secure if the following two conditions are satisfied:
1 (Y, Z, L, H) is secure as a MAC, given a fixed (unknown) key.
2 (X , Y, K, G) is collision resistant, given a fixed (unknown) key.
We will refer to (Y, Z, L, H) as the “little MAC”.
(X , Z, M, G ◦ H) is the “big MAC” or the “nested MAC.”
Adversaries
We consider the following three adversaries:

1 a forger for the little MAC (which carries a “little MAC attack”),
2 a collision-finder for the has family (X , Y, K, G), when the key is secret
(this is an “unknown-key collision attack”), and
3 a forger for the nested MAC (which we term a “big MAC attack”).
Types of attacks
Little MAC attack : a key L is chosen and kept secret. Oscar is allowed
to choose values for y and query a little MAC oracle for the value of
hL (y). Then Oscar attempts to output a pair (y 0 , z) such that z = hL (y 0 )
where y 0 was not one of his previous queries.
Unknown-key collision attack : a key K is chosen and kept secret.
Oscar is allowed to choose values for x and query a hash oracle for
values of gK (x). Then Oscar attempts to output a pair x0 , x00 such that
x0 6= x and gK (x0 ) = gK (x00 ).
Big MAC attack : a pair of keys (K, L) is chosen and kept secret. Oscar
is allowed to choose values for x and query a big MAC oracle for values
of hL (gK (x)). Then Oscar attempts to output a pair (x0 , z) such that
z = hL (gK (x0 )) where x0 was not one of its previous queries.
Assumptions
We assume that:
1 there does not exist an (1 , Q + 1)-unknown-key collision attack for a
randomly chosen function gK ∈ G where K is secret.
2 there does not exist an (2 , Q)-little MAC attack for a randomly chosen
function hL ∈ H, where L is secret.
3 There exists an (, Q)-big MAC attack for a randomly chosen function
(g ◦ h)(K,L) ∈ G ◦ H, where (K, L) is a secret.
The attack
The big MAC algorithm outputs a valid pair (x, z) after making at most
Q queries to a big MAC oracle.
x1 , . . . , xQ are the queries, say, generating valid message-tag pairs
(x1 , z1 ), . . . , (xQ , zQ ), as well the valid message-tag pair (x, z) with
probability at least .
Make Q + 1 queries to a hash oracle gK to obtain
y1 = gK (x1 ), . . . , yQ = gK (xQ ), and y = gK (x).
If y = yi for some i ∈ {1, . . . , Q} we have a collision. Else, we have a
valid pair for the little MAC, hence a forger for the little MAC.
Probability bounds
Any unknown-collision attack has probability at most 1 of succeeding.

The big MAC attack has success probability at least .
Therefore, the probability that (x, z) is a valid pair and y ∈
/ {y1 , . . . , yQ }
is at least − 1 .
The success probability of any little MAC attack is at most 2 .
So ≤ 1 + 2 .
Theorem
Suppose (X , Z, M, G ◦ H) is a nested MAC. Suppose that there does not exist
an (1 , Q + 1)-collision attack for a randomly chosen function gK ∈ G, when
the key K is secret. Further, suppose that there does not exist an
(2 , Q)-forger for a randomly chosen function hL ∈ H, where L is secret.
Finally, suppose there exist an (, Q)-forger for the nested MAC, for a
randomly chosen function (g ◦ h)(K,L) ∈ G ◦ H. Then ≤ 1 + 2 .
HMAC
HMAC is a nested MAC algorithm that was adopted as a FIPS standard

in March, 2002.
HMACK (x) = SHA-1((K ⊕ opad)kSHA-1((K ⊕ ipad)kx))
ipad and opad are 512-bit constants, defined in hexadecimal notation as
ipad = 3636 · · · 36, opad = 5C5C · · · 5C.
CBC-MAC
CBC-MAC(x, K)
denote x = x1 kx2 k · · · kxn ;
IV ← 00 · · · 0;
y0 ← IV;
for i ← 1tok − 1 do
yi ← EK (yi−1 ⊕ xi );
end
return yy ;
Algorithm 10: MAC FROM BLOCK CIPHERS
Authenticated encryption
MAC-and-encrypt: Given a message x, compute a tag z = hK1 (x) and
a ciphertext y = eK2 (x). The pair (y, z) is transmitted. The receiver
would decrypt y, obtaining x, and then verify the correctness of the tag z
on x.
MAC-then-encrypt Here the tag z = hK1 (x) would be computed first.
Then the plaintext and tag would both be encrypted, yielding
y = eK2 (xkz). The ciphertext y would be transmitted. The receiver will
decrypt y, obtaining x and z, and then verify the correctness of the tag z
on x.
encrypt-then-MAC Here the first step is to encrypt x, producing a
ciphertext y = eK2 (x). Then a tag is created for the ciphertext y, namely,
z = hK1 (y). The pair (y, z) is transmitted. The receiver will first verify
the correctness of the tag z on y. Then, provided that the tag is valid, the
receiver will decrypt y to obtain x.
Authenticated encryption
Encrypt-then-MAC is preferred over the other methods.

A security result due to Bellare and Namprempre says that this method
of authenticated encryption is secure provided that the two component
schemes are secure.
There exist instantiations of MAC-then-Encrypt and MAC-and-Encrypt
then are insecure, even though the component schemes are secure.
Counter with CBC MAC (CCM) mode of operation
CCM mode computes a tag using CBC-MAC. This is then followed by

an encryption in counter mode.
Let K be the encryption key and let x = x1 kx2 k · · · kxn be the plaintext.
We choose a counter ctr, and construct a sequence T0 , T1 , . . . , Tn
defined as Ti = ctr + i mod 2m where m is the block length of the
cipher.
The plaintext blocks x1 , x2 , . . . , xn are encrypted by computing
yi = xi ⊕ eK (Ti ).
Compute temp = CBC-MAC(x, K) and y 0 = T0 ⊕ temp.
The ciphertext is the string y = y1 ky2 k · · · kyn ky 0 .
Decryption
To decrypt and verify y, one would first decrypt y1 k · · · kyn using the
counter mode decryption with the counter sequence T1 , T2 , . . . , Tn ,
obtaining the plaintext string x.
The second step is to compute CBC-MAC(x, K) and see if it is equal to
y 0 ⊕ T0 .
The ciphertext is rejected if this condition does not hold.
Galois Counter mode
A detailed description of GCM is given in NIST Special Publication

800-38D.
The encryption is done in counter mode using a 128-bit AES key. The
initial value of the 128-bit counter is derived from an IV that is typically
96 bits in length.
The IV is transmitted along with the ciphertext, and it should be changed
every time a new encryption is performed.
The computation of the authentication tag requires performing
multiplications by a constant value H in the finite field F2128 . The value
of H is determined by encrypting Counter 0.
Unconditionally secure MACS
Assumptions:
The adversary has infinite computational power.
Any given key is used to produce only one authentication tag.
For Q ∈ {0, 1} we define deception probability P dQ to be the

probability that the adversary can create a successful forgery after
observing Q valid message-tag pairs.
The attack when Q = 0 is said to be impersonation attack, and the attack
when Q = 1 is said to be substitution attack.
Unconditionally Secure MACs
Assumption: the key K is chosen uniformly at random from K.

In a substitution attack Oscar’s success probability may depend on the
the particular message-tag pair (x, y) that he observes.
We will assume P d1 to be the maximum of the relevant values (x, y).
Thus when we say that P d1 ≤ , it means that Oscar’s success
probability is at most regardless of the message-tag pair he observes
prior to making his substitution.
key 0 1 2
(0, 0) 0 0 0
(0, 1) 1 1 1
Example (0, 2) 2 2 2
Suppose X = Y = Z3 , and K = Z3 × Z3 . For (1, 0) 0 1 2
each K = (a, b) ∈ K and each x ∈ X , define (1, 1) 1 2 0
h(a,b) (x) = ax + b mod 3, and then define (1, 2) 2 0 1
H = {h(a,b) : (a, b) ∈ Z3 × Z3 }. Each of the (2, 0) 0 2 1
9 keys are used with probability 19 . (2, 1) 1 0 2
(2, 2) 2 1 0
Table 2: An authentication matrix
Deception probabilities
key 0 1 2
Any message-tag pair (x, y) will be a (0, 0) 0 0 0
valid pair with probability 13 . (0, 1) 1 1 1
So P d0 = 13 . (0, 2) 2 2 2
If Oscar sees the message-tag pair (0, 0) (1, 0) 0 1 2
he knows that (1, 1) 1 2 0
K0 = {(0, 0), (1, 0), (2, 0)}. (1, 2) 2 0 1
(1, 1) is a forgery if K0 = (1, 0). This (2, 0) 0 2 1
happens with probability 13 . (2, 1) 1 0 2
(2, 2) 2 1 0
Repeating this for all possible
message-tag pairs gives us the same Table 3: An authentication matrix
probability. So P d1 = 13 .
Payoff: deception probability of impersonation
Let K0 denote the key chosen by Alice and Bob. For x ∈ X and y ∈ Y,
define payoff (x, y) to be the probability that the message-tag pair (x, y)
is valid.
payoff (x, y) = Pr[y = hK0 (x)]

{K ∈ K : hK (x) = y}
= .
|K|
P d0 = max{payoff (x, y) : x ∈ X , y ∈ Y}.
Payoff: deception probability of substitution
payoff (x0 , y 0 ; x, y) = Pr[y 0 = hK0 (x0 )|y = hK0 (x)]

Pr[y 0 = hK0 (x0 ) ∧ y = hK0 (x)]
=
Pr[y = hK0 (x)]
{K ∈ K : y 0 = hK (x0 ), y = hK (x)}

=
{K ∈ K : y = hK (x)}

V = {(x, y) : {K ∈ K : y = hK (x)} ≥ 1}.
P d1 = max(x,y)∈V {max(x0 ,y0 ),x0 6=x {payoff (x0 , y 0 ; x, y)}}.
Strongly Universal Hash Families
Definition
Suppose (X , Y, K, H) is an (N, M ) hash family. This hash family is strongly
universal provided that the following condition is satisfied for every x, x0 ∈ X
such that x 6= x0 , and for every y, y 0 ∈ Y:
{K ∈ K : y 0 = hK (x0 ), y = hK (x)} = |K| .

M2
Strongly Universal Hash Families
Suppose that (X , Y, K, H) is a strongly universal (N, M )-hash family. Then
{K ∈ K : hK (x) = y} = |K| ,

M
for every x ∈ X and for every y ∈ Y.
Suppose (X , Y, K, H) is a strongly universal (N, M )-hash family. Then

1
(X , Y, K, H) is an authentication code with P d0 = P d1 = M .
Optimality of Deception Probabilities
Suppose (X , Y, K, H) is and (N, M )-hash family. Suppose we fix a

message x ∈ X . Then we can computer as follows:

X X {K ∈ K : hK (x) = y}
payoff (x, y) =
|K|
y∈Y y∈Y
|K|
= = 1.
|K|
Hence, for every x ∈ X , there exists an authenticating tag y (depending

on x), such that
1
payoff (x, y) ≥ .
M
Optimality of deception probabilities
Theorem
1
Suppose (X , Y, K, H) is an (N, M )-hash family. Then P d0 ≥ M. Further
1
P d0 = M if and only if
{K ∈ K : hK (x) = y} = |K|

M
for every x ∈ X and y ∈ Y.
Theorem
1
Suppose (X , Y, K, H) is an (N, M )-hash family. Then P d1 ≥ M.
Optimality of deception probabilities
Theorem
1
Suppose (X , Y, K, H) is an (N, M )-hash family. Then P d1 = M. Further
1
P d0 = M if and only if the hash family is strongly universal.
Theorem
1
Suppose (X , Y, K, H) is an (N, M )-hash family such that P d1 = M. Then
1
P d0 = M .
The End

InfoSec 2

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

InfoSec 2

Uploaded by

Copyright:

Available Formats

Symmetric Ciphes and Hash Functions1

Indian Institute of Technology Roorkee

A symmetric cipher can be represented by a 5-tuple (P, C, K, E, D)

We may define the functions E : P × K → C and D : C × K → P such

Sugata Gangopadhyay (CSE IITR) Information and Network Security 2 / 139

A message is a finite binary string, i.e., an element of {0, 1}∗ .

x ∈ {0, 1}∗ is represented as x = x1 x2 . . . xn where xi ∈ {0, 1}, for all

For x ∈ {0, 1}∗ if|x| is divisible by n, then x can be written as

x = xh1i kxh2i k . . . kxhN i

where xhii ∈ {0, 1}n , for all i ∈ {1, . . . , N }.

Sugata Gangopadhyay (CSE IITR) Information and Network Security 3 / 139

multiplication ‘·’ defined by

A block cipher is a cryptosystem that

A block cipher is represented by a

Figure 1: Schematic diagram of a block

Sugata Gangopadhyay (CSE IITR) Information and Network Security 5 / 139

For each k ∈ K, the function E(·, k) is a permutation on Fn2 .

The challenge is to construct E so that for each choice of k ∈ K = Fm

Sugata Gangopadhyay (CSE IITR) Information and Network Security 6 / 139

For block ciphers, a commonly used design is that of an iterated cipher.

An iterated cipher requires the specifications of

Sugata Gangopadhyay (CSE IITR) Information and Network Security 7 / 139

Let K be a random binary key of some specified length.

K is used to construct Nr round keys (also called subkeys), which are

The list of round keys {K 1 , . . . , K Nr } is called the key schedule.

The key schedule is constructed from K by using a fixed public

Sugata Gangopadhyay (CSE IITR) Information and Network Security 8 / 139

The initial state w0 is defined to be the plaintext, x.

The ciphertext y is defined to be the state after all Nr rounds.

Sugata Gangopadhyay (CSE IITR) Information and Network Security 9 / 139

The encryption operation is carried out as follows:

Sugata Gangopadhyay (CSE IITR) Information and Network Security 10 / 139

That is: g −1 (g(w, y), y) = w.

The encryption operation is carried out as follows:

Sugata Gangopadhyay (CSE IITR) Information and Network Security 11 / 139

Substitution Permutation Network.

Sugata Gangopadhyay (CSE IITR) Information and Network Security 12 / 139

Two components of an SPN are

Sugata Gangopadhyay (CSE IITR) Information and Network Security 13 / 139

Let `, m, and Nr be positive integers, let πS : {0, 1}` → {0, 1}` be a

Sugata Gangopadhyay (CSE IITR) Information and Network Security 14 / 139

Plaintext x = (x1 , . . . , x`m ).

Each S-box, Sij is associated with a

Each substitution layer is followed by a

Key-mixing layer: ui = ui−1 ⊕ ki .

Substitution layer: The S-box function πS : F`2 → F`2 is

Permutation layer: πP : [`m] → [`m] is

Sugata Gangopadhyay (CSE IITR) Information and Network Security 17 / 139

Key-mixing layer: ui = ui−1 ⊕ ki .

Substitution layer: The S-box function πS : F`2 → F`2 is

Permutation layer: πP : [`m] → [`m] is

Sugata Gangopadhyay (CSE IITR) Information and Network Security 18 / 139

Key = 0011 1010 1001 0100 1101 0110 0011 1111

Sugata Gangopadhyay (CSE IITR) Information and Network Security 19 / 139

Figure 5: Feistel function

Figure 6: Feistel Network

K1 = 26B7, K2 = 2E07, K3 = 41B8, K4 = E46E, K5 = 4D63.

Sugata Gangopadhyay (CSE IITR) Information and Network Security 21 / 139

Figure 7: Feistel function

Figure 8: Feistel Network

Ciphertext only attack.

Known plaintext attack.