Some encryption schemes

Let us begin with a few examples.

Scheme 6.2 The one-time-pad encryption scheme (also called the Vernam cipher)SE= (K,E,D) is stateful and deterministic. The key generation algorithm simply returns a random k-bit string K, where the key-lengthkis a parameter of the scheme, so that the key space isKeys(SE) ={0,1}^k. The encryptor maintains a counterctr which is initially zero. The encryption and decryption algorithms operate as follows:

AlgorithmEK(M)

HereX[i] dennotes thei-th bit of a binary stringX. The encryption algorithm XORs the message bits with key bits, starting with the key bit indicated by the current counter value. The counter is then incremented by the length of the message. Key bits are not reused, and thus if not enough key bits are available to encrypt a message, the encryption algorithm returns⊥. Note that the ciphertext returned includes the value of the counter. This is in order to enable decryption. (Recall that the decryption algorithm, as per Definition 6.1, must be stateless and deterministic, so we do not want it to have to maintain a counter as well.)

The following schemes rely either on a family of permutations (ie. a block cipher) or a family of functions. It is convenient if the length of the message to be encrypted is a positive multiple of a block length associated to the family. Accordingly, the encryption algorithm returns⊥if this is not the case. In practice, however, one would first pad the message appropriately so that the padded message always had length a positive multiple of the block length, and apply the encryption algorithm to the padded message. The padding function should be injective and easily invertible.

Scheme 6.3 Let E:{0,1}^k× {0,1}^l → {0,1}^l be a block cipher. Operating it in ECB (Electronic Code Book) mode yields a stateless symmetric encryption scheme,SE = (K,E,D). The key generation algorithm simply returns a random key for the block cipher, meaning it picks a randomk-bit string key and returns it, so that the key space is{0,1}^k. The encryption and decryption algorithms are as follows:

AlgorithmEK(M)

ParsingM means that we divide it intol-bit blocks and let M[i] denote thei-th such block, and similarly for C. Notice that here the encryption algorithm did not make any random choices. That does not mean we are not allowed to call it a randomized algorithm; it is simply a randomized algorithm that happened to choose to not make random choices.

Cipher-block chaining (CBC) is the most popular mode, used pervasively in practice.

Scheme 6.4 LetE:{0,1}^k× {0,1}^l→ {0,1}^lbe a block cipher. Operating it in CBC mode with random IV yields a stateless symmetric encryption scheme, SE = (K,E,D). The key generation algorithm simply returns a random key for the block cipher, meaning it picks a randomk-bit string key and returns it, so that the key space is{0,1}^k. The encryption and decryption algorithms are as follows:

AlgorithmEK(M)

ParsingM means that we divide it intol-bit blocks and letM[i] denote thei-th such block. In parsingCwe also divide it intol-bit blocks, but this time the blocks are numbered starting at 0. The IV isC[0], which is

Cryptography: Lecture Notes 85

chosen at random by the encryption algorithm. This choice is made independently each time the algorithm is invoked.

For the following schemes it is useful to introduce some notation. Ifl≥1 andiare integers with 0≤i≤2^l−1 then we letNtSl(i) (read “number to string”) denote the l-bit string which is the binary representation of integer i. If s is a string we let StN(s) (read “string to number”) denote the non-negative integer whose binary representation iss.

The CTR (counter) modes that follow are not much used, to the best of our knowledge, but perhaps wrongly so. We will see later that they have good security properties. In contrast to CBC, the encryption and decryption procedures are parallelizable, which can be exploited to speed up these processes in the presence of hardware support. There are two variants of the mode, one random and the other stateful, and, as we will see later, their security properties are different.

Scheme 6.5 Let F:{0,1}^k × {0,1}^l → {0,1}^L be a family of functions. (Not necessarily a family of permutations.) Operating it in CTR mode with starting point chosen at random anew for each message yields a stateless symmetric encryption scheme,SE = (K,E,D), which we call R-CTR mode or the R-CTR symmetric encryption scheme. The key generation algorithm simply returns a random key for F, meaning it picks a random k-bit string key and returns it, so that the key space is {0,1}^k. The encryption and decryption algorithms are as follows:

AlgorithmEK(M)

If|M|< Lthen return⊥ If|M|modL6= 0 then return⊥ ParseM as M[1]. . . M[n]

R← {^R 0,1, . . . ,2^l−1} Fori= 1, . . . , ndo

C[i]←FK(NtSl(R+i))⊕M[i]

EndFor

C[0]←NtSl(R) C←C[0]C[1]. . . C[n]

ReturnC

AlgorithmDK(C)

If|C|< l+Lthen return⊥

If (|C| −l) modL6= 0 then return⊥ LetC[0] be the firstl bits ofC Parse the rest ofCas C[1]. . . C[n]

R←StN(C[0]) Fori= 1, . . . , ndo

M[i]←FK(NtSl(R+i))⊕C[i]

EndFor

M ←M[1]. . . M[n]

ReturnM

ParsingM means that we divide it intoL-bit (notl-bit!) blocks and letM[i] denote thei-th such block. For C the decryption algorithm first chops off the first l bits, and then divides the rest of the string into L-bit blocks. The random value chosen by the encryption algorithm is an integer in the range 0, . . . ,2^l−1. It is used to define a sequence of values on which FK is applied to produce a “pseudo one-time pad” to which the data is XORed. The random value is included in the ciphertext in order to enable decryption.

Scheme 6.6 Let F:{0,1}^k × {0,1}^l → {0,1}^L be a family of functions. (Not necessarily a family of permutations.) Operating it in CTR mode with counter yields a stateful symmetric encryption scheme, SE = (K,E,D), which we call C-CTR mode or C-CTR symmetric encryption scheme. The key generation algorithm simply returns a random key forF, meaning it picks a randomk-bit string key and returns it, so that the key space is{0,1}^k. The encryptor maintains a counterctr which is initially zero. The encryption and decryption algorithms are as follows:

AlgorithmEK(M)

Parsing M means that we divide it intoL-bit (not l-bit!) blocks and letM[i] denote thei-th such block.

For C the decryption algorithm first chops off the first l bits, and then divides the rest of the string into L-bit blocks. The counter is not allowed to wrap around: the encryption algorithm returns⊥if this would happen. The counter is included in the ciphertext in order to enable decryption. The encryption algorithm updates the counter upon each invocation, and begins with this updated value the next time it is invoked.

We will return to the security of these schemes after we have developed the appropriate notions.