# Cryptography
Corresponding, profound, Slides (From Cryptography I) at: Blockchain/CryptographyI/LectureSlides

## Introduction to Cryptography

**What is cryptography?**
> **Cryptography** is the practice and study of techniques for secure communication in the presence of third parties called adversaries. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages; various aspects in information security such as **data confidentiality**, **data integrity**, **authentication**, and **non-repudiation** are central to modern cryptography. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, electrical engineering, communication science, and physics. Applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

Cryptography prior to the modern age was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. The originator of an encrypted message shared the decoding technique needed to recover the original information only with intended recipients, thereby precluding unwanted persons from doing the same. The cryptography literature often uses the name Alice ("A") for the sender, Bob ("B") for the intended recipient, and Eve ("eavesdropper") for the adversary. 

**History of Cryptography:**
- Refer to the History segment inside the following PDF: Blockchain/CryptographyI/LectureSlides/Week1/Introduction.pdf
- [History of Cryptography](https://www.tutorialspoint.com/cryptography/origin_of_cryptography.htm)

**Modern Cryptography:**
>Modern cryptography is heavily based on mathematical theory and computer science practice; **cryptographic algorithms are designed around computational hardness assumptions**, making such algorithms hard to break in practice by any adversary. It is theoretically possible to break such a system, but it is infeasible to do so by any known practical means. These schemes are therefore termed computationally secure; theoretical advances, e.g., improvements in integer factorization algorithms, and faster computing technology require these solutions to be continually adapted. There exist **information-theoretically secure** schemes that probably cannot be broken even with unlimited computing power—an example is the one-time pad—but these schemes are more difficult to implement than the best theoretically breakable but computationally secure mechanisms.

More on: [Modern Cryptography](https://www.tutorialspoint.com/cryptography/modern_cryptography.htm)

**Cryptology:**<br>
The art of devising ciphers (i.e cryptography) and breaking them i.e., cryptanalysis) is collectively known as cryptology.

**Cryptanalysis:**<br>
Cryptanalysis is the study of analyzing information systems in order to study the hidden aspects of the systems. Cryptanalysis is used to breach cryptographic security systems and gain access to the contents of encrypted messages, even if the cryptographic key is unknown.

In addition to mathematical analysis of cryptographic algorithms, cryptanalysis includes the study of side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation.

>Cryptanalysis is the sister branch of Cryptography and they both co-exist. The cryptographic process results in the cipher text for transmission or storage. It involves the study of cryptographic mechanism with the intention to break them. Cryptanalysis is also used during the design of the new cryptographic techniques to test their security strengths.

### Security Services of Cryptography

The primary objective of using cryptography is to provide the following **four fundamental information security services:**

**Confidentiality**

Confidentiality is the fundamental security service provided by cryptography. It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy. 

Confidentiality can be achieved through numerous means starting from physically securing to the use of mathematical algorithms for data encryption.

**Data Integrity**

It is security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidentally. Integrity service confirms that whether data is intact or not since it was last created, transmitted, or stored by an authorized user.

Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has been manipulated in an unauthorized manner.

**Authentication**

Authentication provides the identification of the originator. It confirms to the receiver that the data received has been sent only by an identified and verified sender.

>Authentication service has two variants:
- Message authentication identifies the originator of the message without any regard router or system that has sent the message.
- Entity authentication is assurance that data has been received from a specific entity, say a particular website.

Apart from the originator, authentication may also provide assurance about other parameters related to data such as the date and time of creation/transmission.

**Non-repudiation**

It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment or an action. It is an assurance that the original creator of the data cannot deny the creation or transmission of the said data to a recipient or third party.

Non-repudiation is a property that is most desirable in situations where there are chances of a dispute over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny the purchase order, if non-repudiation service was enabled in this transaction.

### Cryptography Primitives

Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. Alternatively, cryptography primitives can be defined as the tools and techniques in Cryptography that can be selectively used to provide a set of desired security services. 

Following are some cryptography primitives:
- Encryption
- Hash functions
- Message Authentication codes (MAC)
- Digital Signatures

When creating cryptographic systems, designers use cryptographic primitives as their most basic building blocks. Because of this, cryptographic primitives are designed to do one very specific task in a highly reliable fashion.


The following table shows the primitives that can achieve a particular security service on their own.

![](./Images/CryptoPrimitives.png "Crypto Primitives and thier corresponding security service")

Note: Cryptographic primitives are intricately related and they are often combined to achieve a set of desired security services from a cryptosystem.

**The three steps in cryptography:**
>When we introduce/devise a new primitive these 3 steps have to be rigorously followed:
1. **Precisely specify threat model:** Threat model basically is knowing the capabilities of the adversaries, i.e., what can an adversarial do to attack the primitive and what is his goal in forging the primitive. In order to show that the primitive or cryptographic protocol is secure we need to prove that an adversary with the following capabilities would not be able to break the primitive/protocol. More on [Threat Model](https://www.youtube.com/watch?v=f4tk2pnOUos)
2. **Propose a construction**
3. **Prove that breaking construction under threat model will solve an underlying hard problem**: A basic example would be, it is easy to multiply to large prime to get a value N, but it's hard to recover the factors given the value N. So, if our prime works on that concept than if an adversary breaks our primitive/protocol than it would land a solution to solving that hard problem.

**Key Note:** For production system usage, never ever use your own implementation of the primitive or any cryptographic algorithm (as aside from the implementation errors there could be many side channels which could potentially result in easy breaching of your implementation). It is always recommended to use a trusted library for applying ciphering to production level data/information. [Explanatory Video](https://www.youtube.com/watch?v=3Re5xlEjC8w)

---

## Crash Course on Discrete Probability

Why Discrete Probability?
> Over the years many natural cryptographic constructions were found to be insecure. In response, modern cryptography was developed as a rigorous science where constructions are always accompanied by a proof of security. The language used to describe security relies on discreet probability.<br>

Reference Reads: 
- **Highly recommended (Easy to Digest and Preferable read to get it all):** [Discrete Probability](https://en.wikibooks.org/wiki/High_School_Mathematics_Extensions/Discrete_Probability)
-  Refer to the Discrete Probability Crash Course segment inside the following PDF: Blockchain/CryptographyI/LectureNotes/Week1/Introduction.pdf
- [Discrete vs Continuous Random Variables](http://www.henry.k12.ga.us/ugh/apstat/chapternotes/7supplement.html)
- [Random Variable vs Events](https://www.quora.com/What-is-the-difference-between-an-event-and-a-random-variable)

Reference Videos: 
- [Discrete Probability Crash Course [Part 1]](https://www.coursera.org/learn/crypto/lecture/qaEcL/discrete-probability-crash-course)
- [Discrete Probability Crash Course [Part 2]](https://www.coursera.org/learn/crypto/lecture/JkDRg/discrete-probability-crash-course-cont)
- [Probability Distribution for Random Variable X](https://www.youtube.com/watch?v=cqK3uRoPtk0)

**Deterministic vs Randomized Algorithms:**
> It's due to Discrete Probability that cryptographic algorithms took a leap from being deterministic, producing same output for a given input each time, in nature to being randomized algorithms that we use today. <br><br>
>**Randomized Algorithms:** are those which produce different outputs given the same input, i.e., even though the input to the randomized algorithm is the same, it will produce different output each time, as Random Algorithm have an implicit argument, say r, which is sampled anew, from it's give universe, every time the algorithm is run therefore making the outcome different.<br><br>
The output of this Random Algorithm is basically a random variable which is a distribution over the set of all possible encryption of message m under a  uniform key r.

More on Randomized Algorithm: Refer to the Randomized Algorithms topic undert Discrete Probability segment inside the following PDF: Blockchain/CryptographyI/LectureNotes/Week1/Introduction.pdf

**XOR:**
XOR is very important when it comes to cryptography. Review: XOR of two bit string is their bitwise addition mod 2. Also, something XORed with itself yields zeros => x XOR x = 0.
[Why XOR is imp in cryptography?](https://www.quora.com/Why-is-XOR-important-in-cryptography).

![](./Images/XOR-Property.png "The Important Property of XOR")

Note: Review the following video [Discrete Probability Crash Course [Part 2]](https://www.coursera.org/learn/crypto/lecture/JkDRg/discrete-probability-crash-course-cont), watch it from 6:19 where description of the important property of XOR is explained which makes it so useful in cryptography.

---

## Cryptosystems

A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to provide information security services. A cryptosystem is also referred to as a cipher system.

### Components of a Cryptosystem

The various components of a basic cryptosystem are as follows:

- **Plaintext:** It is the data to be protected during transmission.

- **Encryption Algorithm:** It is a mathematical process that produces a ciphertext for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a ciphertext.

- **Ciphertext:** It is the scrambled version of the plaintext produced by the encryption algorithm using a specific the encryption key. The ciphertext is not guarded. It flows on public channel. It can be intercepted or compromised by anyone who has access to the communication channel.

- **Decryption Algorithm:** It is a mathematical process, that produces a unique plaintext for any given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the encryption algorithm and is thus closely related to it.

- **Encryption Key:** It is a value that is known to the sender. The sender inputs the encryption key into the encryption algorithm along with the plaintext in order to compute the ciphertext.

- **Decryption Key:** It is a value that is known to the receiver. The decryption key is related to the encryption key, but is not always identical to it. The receiver inputs the decryption key into the decryption algorithm along with the ciphertext in order to compute the plaintext.

For a given cryptosystem, a collection of all possible decryption keys is called a **key space**.

An interceptor (an attacker) is an unauthorized entity who attempts to determine the plaintext. He can see the ciphertext and may know the decryption algorithm. He, however, must never know the decryption key.

### Types of Cryptosystems
Fundamentally, there are two types of cryptosystems based on the manner in which encryption-decryption is carried out in the system:

- Symmetric Key Cryptosystems
- Asymmetric Key Cryptosystems

The main difference between these cryptosystems is the relationship between the encryption and the decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is practically impossible to decrypt the ciphertext with the key that is unrelated to the encryption key.

### Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the plaintext from the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret decryption key, as the algorithm is already in public domain.

Hence, he applies maximum effort towards finding out the secret key used in the cryptosystem. Once the attacker is able to determine the key, the attacked system is considered as broken or compromised.

Based on the methodology used, attacks on cryptosystems are categorized as follows:

- **Ciphertext Only Attacks (COA):** In this method, the attacker has access to a set of ciphertext(s). He does not have access to corresponding plaintext. COA is said to be successful when the corresponding plaintext can be determined from a given set of ciphertext. Occasionally, the encryption key can be determined from this attack. Modern cryptosystems are guarded against ciphertext-only attacks.<br><br>

- **Known Plaintext Attack (KPA):** In this method, the attacker knows the plaintext for some parts of the ciphertext. The task is to decrypt the rest of the ciphertext using this information. This may be done by determining the key or via some other method. The best example of this attack is linear cryptanalysis against block ciphers.<br><br>

- **Chosen Plaintext Attack (CPA):** In this method, the attacker has the text of his choice encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his task of determining the encryption key. An example of this attack is differential cryptanalysis applied against block ciphers as well as hash functions. A popular public key cryptosystem, RSA is also vulnerable to chosen-plaintext attacks.<br><br>

- **Dictionary Attack:** This attack has many variants, all of which involve compiling a ‘dictionary’. In simplest method of this attack, attacker builds a dictionary of ciphertexts and corresponding plaintexts that he has learnt over a period of time. In future, when an attacker gets the ciphertext, he refers the dictionary to find the corresponding plaintext.<br><br>

- **Brute Force Attack/Extensive Search:** In this method, the attacker tries to determine the key by attempting all possible keys. If the key is 8 bits long, then the number of possible keys is 28 = 256. The attacker knows the ciphertext and the algorithm, now he attempts all the 256 keys one by one for decryption. The time to complete the attack would be very high if the key is long.<br><br>

- **Birthday Attack:** This attack is a variant of brute-force technique. It is used against the cryptographic hash function. When students in a class are asked about their birthdays, the answer is one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to find the next student whose birthdate is 3rd Aug, we need to enquire 1.25*√365 ≈ 25 students. <br><br> Similarly, if the hash function produces 64 bit hash values, the possible hash values are 1.8x10^19. By repeatedly evaluating the function for different inputs, the same output is expected to be obtained after about 5.1x10^9 random inputs. If the attacker is able to find two different inputs that give the same hash value, it is a collision and that hash function is said to be broken.<br><br>

- **Man in Middle Attack (MIM):**  The targets of this attack are mostly public key cryptosystems where key exchange is involved before communication takes place.
    - Host A wants to communicate to host B, hence requests public key of B.
    - An attacker intercepts this request and sends his public key instead.
    - Thus, whatever host A sends to host B, the attacker is able to read.
    - In order to maintain communication, the attacker re-encrypts the data after reading with his public key and sends to B.
    - The attacker sends his public key as A’s public key so that B takes it as if it is taking it from A.<br><br>

- **Side Channel Attack (SCA):** This type of attack is not against any particular type of cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical implementation of the cryptosystem.<br><br>

- **Timing Attacks:** They exploit the fact that different computations take different times to compute on processor. By measuring such timings, it is be possible to know about a particular computation the processor is carrying out. For example, if the encryption takes a longer time, it indicates that the secret key is long.<br><br>

- **Power Analysis Attacks:** These attacks are similar to timing attacks except that the amount of power consumption is used to obtain information about the nature of the underlying computations.<br><br>

- **Fault analysis Attacks:** In these attacks, errors are induced in the cryptosystem and the attacker studies the resulting output for useful information.

---

## Symmetric Key Cryptosystems

The encryption process where **same keys are used for encrypting and decrypting** the information is known as Symmetric Key Encryption. The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric cryptosystems are also sometimes referred to as **secret key cryptosystems**.

A few well-known examples of symmetric key encryption methods are: Digital Encryption Standard (DES), Triple-DES (3-DES), IDEA, RC4, eStreams and BLOWFISH.
![](./Images/SymmetricEncryption.png)


**Crypto Lesson:** In a symmetric cryptosystem, you should never use a single shared key to encrypt data/information in both direction i.e. traffic from Client(C) to Sever(S) should not be encrypted with the same key as used for encrypting the traffic from Server to Client. Hence, the shared key should be a pair of keys => $K_{shared}$ = {$K_{C>>S}$, $K_{S>>C}$} where prior is used to encrypt/decrypt the information from client to server and the latter from server to client.

**Symmetric Ciphers:**
![](./Images/SymmetricCipherDef.png )

**Type of symmetric ciphers:**<br>
An important distinction in symmetric cryptographic algorithms is between stream and block ciphers. 
- **[Stream ciphers](#Stream-Ciphers)** convert one symbol of plaintext directly into a symbol of ciphertext. 
- **[Block ciphers](#Block-Ciphers)** encrypt a group of plaintext symbols as one block. 


Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will fade away, as it has certain advantages over asymmetric key encryption.

The **salient features of cryptosystem based on symmetric key encryption** are:
- Persons using symmetric key encryption must share a common key prior to exchange of information.
- Keys are recommended to be changed regularly to prevent any attack on the system.
- A robust mechanism needs to exist to exchange the key between the communicating parties. As keys are required to be changed regularly, this mechanism becomes expensive and cumbersome.
- In a group of n people, to enable two-party communication between any two persons, the number of keys required for group is $\frac{n\times (n-1)}{2}$.
- Length of Key (number of bits) in this encryption is smaller and hence, process of encryption-decryption is faster than asymmetric key encryption.
- Processing power of computer system required to run symmetric algorithm is less.

**Challenge of Symmetric Key Cryptosystem**<br>
There are two restrictive challenges of employing symmetric key cryptography:

- **Key establishment:** Before any communication, both the sender and the receiver need to agree on a secret symmetric key. It requires a secure key establishment mechanism in place.

- **Trust Issue:** Since the sender and the receiver use the same symmetric key, there is an implicit requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that the receiver has lost the key to an attacker and the sender is not informed.

These two challenges are highly restraining for modern day communication. Today, people need to exchange information with non-familiar and non-trusted parties. For example, a communication between online seller and customer. These limitations of symmetric key encryption gave rise to **asymmetric key encryption** schemes.

---

### One Time Pad and Information Theoretic Security: 
Short Intuitive Description: [One Time Pad](https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/one-time-pad "by Khan Academy")<br>
Recommended Watch: [One Time Pad and Information Theoretic Security](https://www.coursera.org/learn/crypto/lecture/cbnX1/information-theoretic-security-and-the-one-time-pad "by Coursera: Cryptography I") <br>
Go through the One Time Pad section in: Blockchain/CryptographyI/LectureSlides/Week1/StreamCiphers.pdf

One-time pad (OTP), also called Vernam-cipher or the perfect cipher, is a crypto algorithm where plaintext is combined with a random key (where the random key is a uniform random variable from a key space K, i.e., selection of any key from K has equal uniform/equal probability). It is the only existing mathematically unbreakable encryption and is a symmetric cipher.

>The one-time pad (OTP) is an encryption technique that cannot be cracked, but requires the use of a one-time pre-shared key the same size as, or longer than, the message being sent. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break.

>Even infinite computational power and infinite time cannot break one-time pad encryption, simply because it is mathematically impossible. However, if only one of these rules is disregarded, the cipher is no longer unbreakable.
- The key is at least as long as the message or data that must be encrypted.
- The key is truly random (not generated by a simple computer function or such)
- Key and plaintext are calculated modulo 10 (digits), modulo 26 (letters) or modulo 2 (binary)
- Each key is used only once (that's why we call it **One Time Pad**), and both sender and receiver must destroy their key after use. If the same key is used twice, the security will be compromised.
- There should only be two copies of the key: one for the sender and one for the receiver (some exceptions exist for multiple receivers)

**Perfect Secrecy:** Perfect secrecy is the notion that, given an encrypted message (or ciphertext) from a perfectly secure encryption system (or cipher), absolutely nothing will be revealed about the unencrypted message (or plaintext) by the ciphertext i.e. perfect secrecy could be defined as having an absolute immunity to Cipher text only attacks. <br>

How One Time Pad has perfect secrecy?
>Shannon proved in 1949 that One Time Pad has perfect secrecy due to uniform probability distribution of all mssgs (of same length) that could have resulted in the cipher text c (that adversary might have hold to) with the key k (of same length). That means, given a cipher text c (generated using a key k of length n) the probability of all the possible message, of length n, to be encrypted to that c is uniform/equal. Hence, c is equally probable of being an encryption of $m_{1}$, $m_{2}$ ...$m_{xyz}$. While there exist only single key that maps m to c (given as k = m XOR c).

**Pitfalls:** 
- One Time Pad though have a perfect secrecy but it still is largely impractical to implement (because of the length of key being equal to that of the message, and if we even found a way to secretly transfer message-long key then it would be a better approach to use that transfer mechanism to secretly transfer the message at the first place).
- Thought it is secure to Cipher Text only attacks, but it is vulnerable to other forms of attacks.

**Bad News:** Shannon who proved that the OTP has the perfect secrecy later proved a theorem that states: **"To have perfect secrecy the key size must always be greater than or equal to the size of the message"**. Hence, ciphers that use keys smaller in size than the messages don't have perfect secrecy. 
Why? Because if the size of key (say n) is smaller than the message size (m), then the universe of keys (all possible keys of length n) would not have enough unique keys for encrypting each message in the universe of message (containing all the messages of of length m). And therefore we will end up using keys multiple times (at least twice) which breaks the perfect secrecy (Attack 1).

---

### Stream Ciphers

**Question:** How to make a cipher that, if not have a perfect secrecy but still provides acceptable levels of security (i.e. how to make OTP practical)?
>**Solution:** Replace the random keys (of length equal or greater than the message) with psuedorandom keys (smaller length keys). These psuedorandom keys are generated using a **PRG (Psuedo Random Generator)** which is basically a function that takes in a seed space (initial key space, say $[0,1]^{s}$) and expand it to $[0,1]^{n}$ such that n>>s. And it is out of this inflated space a key is chosen at random. Ciphers using PRG are referred to as Stream Ciphers and they also maintain the aspect of using the psuedorandom key only to pad one mssg and not multiple messages.

![](./Images/PRG.png "Generator  G expands the key space and chose a key, which is psuedorandom in nature, at random from it to XOR with the message")
Note: PRG should be efficiently computable by a deterministic algorithm. The key, from the space G(k), XORed with mssg is a psuedorandom pad and not a truly random pad.

**Stream Cipher:** A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as state cipher. In practice, a digit is typically a bit and the combining operation an exclusive-or (XOR).<br>
Note: Stream ciphers convert one symbol of plaintext directly into a symbol of ciphertext.

**Redefining Security:**<br>
**Stream ciphers cannot have perfect secrecy!!** Therefore, we need to rethink how we define security as perfect secrecy is not practically feasible. So:
- Need a different definition of security
- Security will depend on specific PRG >> [Security Definition](#PRG-Security-Definition)

**Fundamental Requirement to secure Stream Ciphers:**<br>
A minimal property that a psuedo random generator must have is property of being unpredictable, i.e., **PRG must be unpredictable**. Therefore, for a stream cipher to be secure, at it's minimum, the PRG it uses must be unpredictable in nature.

What it mean to be unpredictable for a generator is that given first few bits of the output of the generator (which is the psuedorandom key), say 1...i bits, there is no efficient algorithm that can compute the rest, i+1...n, bits of the stream.

**Attacks on One Time Pad/Stream ciphers:**
- Attack 1: **Two time pad is insecure**, i.e., if we used the same key (or psuedorandom key) to pad two different messages(m1 and m2) and produce c1 and c2 cipher texts then for an adversary who captured both of those cipher texts, it's fairly easy to recover both m1 and m2 using the CT only attack. Hence a Stream Cipher key or a One Time Pad key should never, never ever, be used more than once.
![](./Images/TwoTimePad.png)
<br>
- Attack 2: One Time Pad or the Stream Ciphers in general provides **no integrity** at all (all they do is try to provide confidentiality when the key is only used once) and therefore are referred as malleables.
![](./Images/MalleableOTP.png)

Real World Examples:<br>
- **Old Stream Ciphers:** RC4, CSS etc.
- **Modern Stream Ciphers:** eStream project (qualify 5 Stream ciphers), Modern stream cipher in addition to seed uses nonce which is a non-repeating value for a given key. Hence, we can reuse a key because the nonce make the (k, r) pair unique.
![](./Images/ModernStreamCiphers.png)

---

### PRG Security Definition
Recommended Watch: [PRG Security](https://www.coursera.org/learn/crypto/lecture/De10M/prg-security-definitions)

Security of a Stream Cipher depends on how secure is the Psuedo Random Generator it uses is. In turn the the PRG is regarded as secure if the output of the PRG is **indistinguishable from the truly random output.** That is, the distribution of pseudo random is indistinguishable from a truly (random) uniform distribution.

![](./Images/IndistinguishablePRG.png)
>Goal: To show that the psuedorandom output G(k), where k is a random variable from (seed)K = {0, 1}$^{s}$ and G(k) is the psuedorandom output from the expanded space, {0 , 1}$^n$, of the seed is indistinguishable from truly random r selected from a key space of {0, 1}$^n$ (not an expansion space).

How to show this indistinguishability from random? : Using **Statistical Test**<br>

**Statistical Test:**
Let's define what is a Statistical test on space {0, 1}$^{n}$:<br>
It's basically an algorithm (A) such that:
- A takes and input x (which is an n bit string) and 
- Outputs 0 (means input don't seem random) and 1 (means the input seems to be random)

One can think of any number of statistical tests, therefore, while considering indistinguishability we only account for efficient statistical tests.

A statistical test uses the concept of Advantage over a PRG to determine that whether it could distinguish the psuedorandom input from a truly random or not. Following image shows the formulation for calculation of Advantage of a given Statistical test A over a generator PRG.
![](./Images/Advantage-ST.png "G(k) is psuedorandom and r is truly random; Pr abbriviation for probability")
Note: We only want to consider the advantage of efficient statistical test for the generator PRG (we don't give a damn about inefficient ones). Also, we want the advantage to be negligible, i.e., a close to zero as possible (which indicates the statistical test wasn't able to distinguish).

Hence, crypto definition for a secure PRG is as follows:
![](./Images/SecurePRGs.png)
Note: Efficient algo (statistical test) theoretical means that finishes in polynomial time and practically could be regarded as one which finishes in a given time.

**Secure PRG is an unpredictable generator and vice versa**

A secure PRG implies: It's unpredictable (which covers the minimal requirement for a secure PRG). 
![](./Images/SecureMeanUnpredict.png)

Also, there exist a theorem that proved that: an unpredictable generator is secure in nature.
![](./Images/UnpredictMeanSecure.png)

**General Representation:**
![](./Images/GeneralSecure.png)
Note: For Stream Cipher, $P_{1}$ is G(K) [psuedorandom distribution] and $P_{2}$ is a truly random distribution

---

### Semantic Security

Recall: Shannon's idea of security: CT should not reveal anything about PT, this is the concept of semantic security. <br>
In semantic security, an adversary sends 2 messages (of equal length) and our cipher(E) encrypt it and sends the ciphertext back to the the adversary and if the adversary have no idea about which message this ciphertext correspond to then our cipher is said to be semantically secure.

Overview:
>An adversary (A) chooses two messages: $m_{0}$,$m_{1}$ and supplies it to the encryption algorithm (E) and it encrypts one of these messages: c←E(k,$m_{b}$) where b = 0, 1 and offer it back to the adversary.<br>
The adversary tries to guess which message was ciphered and outputs $b^{'}$ = 0 or 1 corresponding to the message number that the adversary thinks the ciphertext is encryption of (either  $m_{0}$,$m_{1}$).<br>

Corresponding Watch: [Semantic Security](https://www.coursera.org/learn/crypto/lecture/q0h9g/semantic-security)                 
![](./Images/SemanticSecurity.png)

Description: 
>We have 2 experiments, namely Exp(0) and Exp(1), where in the Exp(0) encryptor (E) gives back the ciphertext for $m_{0}$ (out of the supplied two) and in Exp(1) it sends back the ciphertext for $m_{1}$. Based on the experiments we have 2 events $W_{0}$ and $W_{1}$ where $W_{0}$ represents an event where for Exp(0) adversary outputted $b^{'}$ as 1 (thinking, wrongly, that the ciphertext corresponds to $m_{1}$). Similarly, $W_{1}$ represents an event where for Exp(1) adversary outputted $b^{'}$ as 1 (rightly guessed). The advantage is defined such that if the probability of both the events $W_{0}$ and $W_{1}$ is similar or close to each other then advantage would be close to zero, which would mean that the adversary isn't able to distinguish that whether the ciphertext was of $m_{0}$ or $m_{1}$. 

Note: Semantic Security (One time key) means that the adversary is provided with only a single ciphertext (which could correspond to any of the two supplied message).

**E is said to be semantically secure if for all "efficient" A (adversary), Adv$_{SS}$ [A, E] = negligible.**

OTP is semantically secure (it has perfect semantic security due to uniform probability distribution):
![](./Images/OTPSemantic.png)

>Theorem: **Given that G is a secure PRG (i.e. holds the indistinguishability property). A Stream Cipher E derived from or incorporates G is semantically secure.** [Proof!!](https://www.coursera.org/learn/crypto/lecture/VeLNT/stream-ciphers-are-semantically-secure-optional)

![](./Images/StreamSemantic.png)

---

### Block Ciphers

Overview:
>A block cipher is an encryption method that applies a **deterministic algorithm along with a symmetric key to encrypt a block of text**, rather than encrypting one bit at a time as in stream ciphers. For example, a common block cipher, AES, encrypts 128 bit blocks with a key of predetermined length: 128, 192, or 256 bits. **Block ciphers are pseudorandom permutation (PRP) families** that operate on the fixed size block of bits. <br>
Note: PRPs are functions that cannot be differentiated from completely random permutations and thus, are considered reliable, until proven unreliable.

![](./Images/BlockCiphers.png)

Block cipher **modes of operation have been developed to eliminate the chance of encrypting identical blocks of text the same way**, the ciphertext formed from the previous encrypted block is applied to the next block. A block of bits called an **initialization vector (IV)** is also used by modes of operation to ensure ciphertexts remain distinct even when the same plaintext message is encrypted a number of times.

Some of the various modes of operation for block ciphers include **CBC** (cipher block chaining), **CFB** (cipher feedback), **CTR** (counter), and **GCM** (Galois/Counter Mode), among others. Above is an example of CBC mode. Where an IV is crossed with the initial plaintext block and the encryption algorithm is completed with a given key and the ciphertext is then outputted. This resultant cipher text is then used in place of the IV in subsequent plaintext blocks.

**Working of Block Ciphers (Generic):**

![](./Images/BlockCipher-Working.png)
Description: 
1. key is expanded into n number of keys called round keys (where n is the number of rounds which is subjective to individual block cipher).
2. Cipher uses these round keys by iteratively encrypting the message again and again and again using what's referred to as the round function.
3. Round function takes 2 inputs: Current state of the message and a round key (corresponding to that round). 
4. The output of one round function acts as the new state of the original message which is fed into the next round function. The output from the $n^{th}$ round function is the ciphertext.

In order to specify a particular block cipher (built by iteration, like DES) one has to specify the key expansion mechanism and the round function. (Those are the two dynamic part of a block cipher).

Note: Block ciphers are relatively slower than the stream cipher (and slower by large magnitude to eStream ciphers) but we will see that we can do many things with block ciphers that we couldn't do very efficiently with stream ciphers.

**Block Cipher aka Psuedo Random Permutation (PRP)**<br>
PRP accurately captures what a block ciphers basically is. <br>
How?
>As per my perception: A block cipher with size of the key as K, used (to say XOR), dictates the size of the block of the message M. Hence limiting the size of message block from its true gigantic universe to a small key-size universe and while we operate the key onto the message block the resultant/output is another state of the message belonging from the key-size universe (i.e. with the help of key we mapped the current state of message from the key-sized message universe to another state in itself, in a one-to-one mapping fashion, therefore permuted).

Therefore, in many places PRPs and block ciphers are used interchangebly depending on the context.

![](./Images/PRP.png)
where,
- PRF: [K: Key, X: Input domain, Y: Output domain] 
- PRP: [K: Key, X: Input and Output Domain]

![](./Images/PRP&PRF.png)

---

#### Secure Block Cipher:
Explanatory video: [Block Ciphers and Secure PRFs](https://www.coursera.org/learn/crypto/lecture/t4JJr/what-are-block-ciphers)

Exploring what it means for a PRP or PRF (in general) to be secure and this concept will essentially captures what it means for a block cipher to be secure.

![](./Images/SecurePRF.png)
Description: 
- The set of all the possible function from X to Y is gigantic which is referred, above, as Funs[X,Y]. However, we get a relatively smaller set of functions $S_{F}$ (which is regarded as a set of psuedo random function cuz it is in some sense determined by the key) when we restrict the size of X to be equal to the size of key (as we have to perform XOR or another operation b/w input domain X and Key K, therefore there lengths must be equal). 
- Hence, the PRF is restricted in it's domain by the size of the key (say 128 bits for AES then domain is of size $2^{128}$).
- Given that $S_{F}$ <<<< Funs[X, Y] a PRF is considered secure if the uniform distribution from a set of psuedo random functions ($S_{F}$) is indistinguishable from the uniform distribution of truly random functions (Funs[X,Y]).

Note: The above is a description for a secure PRF. For a secure PRP instead of choosing a random function from X to Y we are going to choose a random permutation on the set X (Perms[X]), in other words,  a random one-to-one function on the set x. The adversary can either query this random permutation on the set X or it can query a psuedo random permutation $S_{F}$ (which is <<< then random permutation Perms[X]) and if the adversary cannot tell the difference then the PRP is secure.


**Secure PRP Implies a Secure PRF**
![](./Images/SecurePRP2PRF.png)


**Relation between PRF(Psuedo Random Functions) and PRG (Psuedo Random Generators):**
![](./Images/PRF2PRG.png)
Description: 
- Assume we have a psuedo random function F (here, it's PGP as defined one to one on {0, 1}$^{n}$) which is secure.
- Now we define a PRG (G) whose seed space (K) is same as the Key Space (K) for the PRF and its output space is basically going to be t blocks of n bits each and concatenated to get the generator value. So we basically took the key of the PRF and expanded to t times of n bits each.
- Key property of such a generator would be that it's parallelizable, which means, if we have 2 cores to compute on than we can compute the even entries on one core and odd entries on the other and concatinate at the end. Hence, we a cipher using such a generator would be paralellizable. Where as many of the previous stream ciphers that we looked before were inherently sequential like RC4 which therefore can't take the advantage of multi cores.
- Such a PGF derived PGR is secure because the PGF is indistinguishable from truly random therefore as we can see the Generator is just a concatination of t different PGFs and hence it would also be indistinguishable and therefore secure in nature.

Bottom line: A secure PRF gives rise to secure PRG which has this key property of being parallelizable.

---

### DES (Data Encryption Standard):

Recommended Watch: 
- [DES Explained Concisely](https://www.youtube.com/watch?v=Y61qn_SQl40)
- [DES In Depth](https://www.coursera.org/learn/crypto/lecture/TzBaf/the-data-encryption-standard)
<br>

Read: [DES Quick Read](https://www.tutorialspoint.com/cryptography/data_encryption_standard.htm)

The Data Encryption Standard (DES) is a symmetric-key block cipher which is an implementation of a Feistel Network. It uses 16 round Feistel structure. The block size is 64-bit. Though, key length is 64-bit, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (function as check bits only). General Structure of DES is depicted in the following illustration:

![](./Images/DES.png)
where, [IP: Initial Permutation]
<br>

**Fundamental Component of DES: The Feistel Network:**
![](./Images/FeistelNetwork.png)

The key property of the Feistel Network is that it is invertible:<br>
![](./Images/Invertible-Feistel.png)

This property of the Feistel Network results in an easy formulation of the Decryption algorithm for DES.
![](./Images/DES-Decryption.png)
Note: The Feistel mechanism is a general method for making invertible functions from arbitrary functions and is infact used in many different block ciphers. Although, interestingly it's not used in AES.

**Is DES a secure block cipher?**<br>
There is this theorem that states: given that we use a secure PRF (F) in each round, then a 3-round Feistel network (therefore, also a 16 round Feistel network i.e. DES), with 3 independently derived keys being passed to F, results in a secure PRP (which implicitly means a secure block cipher).
![](./Images/SecureFeistel.png)

**Overview of DES and the Round function:**

![](./Images/DES-View.png)


The heart of DES cipher is the round function. The function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output. Following are the steps:

- **Expansion Permutation Box:** Since right input is 32-bit and round key is a 48-bit, we first need to expand right input to 48 bits. 
- **XOR (Whitener):** After the expansion permutation, DES does XOR operation on the expanded right section and the round key to generate a 48-bit output. The round key is used only in this operation.
- **Substitution Boxes:** The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. There are a total of eight S-box tables taking a 48-bit input. The output of all eight s-boxes is then combined in to 32 bit section.
- **Straight Permutation:** The 32 bit output of S-boxes is then subjected to the straight permutation.

![](./Images/DES-Round.png)


**Status of DES:**<br>
DES is no more recommended for use in production level applications as it can be broke using exhaustive search (brute force over the entire key space) attacks and now a days with the present hardware we can recover a DES key within 24 hours, hence highly insecure. Also, there are many more types of attacks that DES is subjected to like: linear and differential attacks and quantum exhaustive attacks. DES has been superseded by the more secure Advanced Encryption Standard (AES) algorithm. <br>
Bottom line: **DES is completely DEAD** [i.e. 56-bits ciphers shouldn't be used anymore].

As DES was really popular it was deployed at many places and a lot of hardware support was developed for it, then naturally the next question was what to do next and organically people thought that in order to thwart the exhaustive search lets increase the key space such that it becomes computationally infeasible to do an exhaustive search attack. Hence, **Triple-DES** was born.

**Triple DES:**
It has, as the name says, triple the key space($2^{168}$) of the normal DES, however it is 3 times slower as well. There is still an attack that can be done on 3-DES in $2^{118}$, but practically it takes too long to perform. In general, anything that has a key space beyond $2^{90}$ is considered secure to exhaustive search. If you are, for some reason, are forced use DES in production then only use Triple DES.

![](./Images/3-DES.png)

The Whys?:
- In triple DES we first do an Encryption of message block with key 1, then a decryption with key 2 and again an encryption with key 3 and all 3 keys are used in the decryption process inversely. Why did we have a decryption in b/w and not 3 consecutive encryptions? cuz there exist a possibility that k1 = k2 = k3 and hence what we have is a single DES but 3 times slower.
- Why not use 2-DES, while it also have a secure $2^{112}$ key space? Because it is prone to a special kind of attack known as Meet in the middle attack.

**You should never ever use your own crypto implementations or even design a new cipher for delivering security**, due to the following reason:
![](./Images/ImplementationAttacks.png)

Note: Use a well implemented library instead which take care of these side channel and fault attacks.

---

### AES (Advanced Encryption Standard)

Recommended Watch: [AES in Depth](https://www.coursera.org/learn/crypto/lecture/cHOMl/the-aes-block-cipher)

The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found at least six time faster than triple DES.

A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable against exhaustive key search attack. Triple DES was designed to overcome this drawback but it was found slow.

The features of AES are as follows:
- Symmetric key symmetric block cipher
- encrypts 128-bit block of data using either 128/192/256-bit keys
- Stronger and faster than Triple-DES

**Security vs Speed Trade-off:** The larger the key size is, the more secure the block cipher is as a psuedo random permutation (PRP) but as it would also have more rounds involve in its operation the slower the cipher become. Hence, AES-128 is fastest while AES-256 is the most secure.

**Foundation of AES** [Generic Construction]:
![](./Images/AES-Generic.png "Generic Construction of AES")

>AES is built as a **Substitution Permutation (Subs-Perm) Network** and not a Feistel network. Note that in a Feistel network only have the bits are changed from round to round (the left half of the next round are simply the copy of the right half of the previous round). While in Subs-Perm network all the bits are changed in every round. <br><br>
AES also uses the concept of round keys which are derived from 128-bit key space. AES is built to be completely reversible, otherwise the decryption would have not been possible, therefore the substitution layers as well the permutation layers are reversible, i.e., given the ciphertext we can applying all the steps in AES in reverse order (with the same round keys) and produce the original text.

Having a view of the generic construction of the AES, now lets look at the specifics of AES:

**AES-128**<br>
![](./Images/AES-128.png)

The Flow(Encryption):
1. AES-128 operates on blocks of 128 bits, hence we start off with a $4\times 4$ byte input block (each cell with 1 byte).
2. Then we XOR the input block with a $4\times 4$ byte block of round key (which are derived, by expansion, from the 16-byte[128] AES key).
3. Then a round function is applied which contains 3 sub-routines, namely Byte Substitution, Shift Row and Mix-Column.
4. This is done again and again for 10 rounds, but interestingly in the last round the Mix-column routine is absent.
5. The output, ciphertext, is the XOR of the last round key and with the output of the last round function.

Decryption is just the inverse:
The process of decryption of an AES ciphertext is similar to the encryption process in the reverse order. The round keys are applied in reverse order followed by inverted round function. Following are the steps, except for the initial round in reverse order (as it do not contains the mix-column sub-routine) :

- Add round key
- Mix columns
- Shift rows
- Byte substitution

The round function:

![](./Images/AES-Round.png)

Description:
- ByteSub: Applies a 256-byte S-box(just a lookup table) to each byte in the $4\times 4$ byte message block and outputs a $4\times 4$ byte block.
- ShiftRows: Applies a cyclic shift to the rows in the $4\times 4$ byte block (no shift on the first row)
- MixColumns:Applies linear transformation independently to each column

Note: AES is being used everywhere now as it is easily computable as well as compact. Even Intel and AMD have integrated AES into their processors itself.

Attacks on AES:
- Best key recovery attack $2^{124}$: Just 4 times better than the exhaustive search($2^{128}$)
- Related key attack: Given that we have inp/out pairs from four related keys, key could be recovered in $2^{99}$. But it would require related keys while we chose keys at random.

---

### Using Block Ciphers: Modes of Operation
Suggestion: Don't bother about the inner-working of AES and 3-DES. Assume both are secure PRPs and we will see how to use them.

>**Modes of Operation** are procedural rules for a generic block cipher. Interestingly, the different modes result in different properties being achieved which add to the security of the underlying block cipher.

A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger than the block size. Hence, the long message is divided into a series of sequential message blocks, and the cipher operates on these blocks one at a time.

#### Electronic Code Book (ECB) Mode
Corresponding Watch: [Modes of Operation: One Time Key](https://www.coursera.org/learn/crypto/lecture/QZAHs/modes-of-operation-one-time-key)<br>
Take a look at the CryptographyI/LectureSlides/Week 2/UsingBlockCiphers.pdf for more on ECB.

This mode is a most straightforward way of processing a series of sequentially listed message blocks.

Operations:
- Cipher the first block of plaintext and encrypts it with the key to produce the first block of ciphertext.
- It then takes the second block of plaintext and follows the same process with same key and so on so forth.

>The ECB mode is **deterministic**, that is, if plaintext block $p_{1}$, $p_{2}$,…, $p_{m}$ are encrypted twice under the same key (i.e if there exist an identical plaintext $p_{x}$ = $p_{y}$), the output ciphertext for those blocks will be the same. Therefore, ECB is terrible as it **breaks the semantic security** (the adversary will learn something about the plaintext from the given ciphertext) given that we have two identical plaintext blocks. Attacks like CPA (chosen plain text attacks) breaks ECB, hence,**ECB is not CPA secure**.

Bottom line: ECB is not semantically secure for messages that would take more than one block. More generally, deterministic algorithms aren't semantically secure (as they output same ciphertext for same plaintext, hence, allowing the adversary to know that there exist two identical plaintexts in the message just by analyzing their corresponding, identical, ciphertexts).

#### Security for Many Time Keys (CPA Security):
For in-depth look: [Security for Many Time Keys](https://www.coursera.org/learn/crypto/lecture/1pnne/security-for-many-time-key-cpa-security)

Following represents the Threat Model for Many Time Keys(keys that are used to encrypt multiple messages):
![](./Images/SSforManyTimeKeys.png)

Why deterministic ciphers Insecure against CPA(chosen plain text attack)?
![](./Images/DeterministicCiphersInsecure.png)
Description:
- The CPA ability allows the attacker to do q queries/challenges to the cipher. Where as everything else is same as in the [Semantic Security](#Semantic-Security) setting.
- The cipher is deterministic and under the same key, it will produce the same ciphertext given that adversary supplied the same plaintext $m_{0}$, so in both the Exp(0) and Exp(1) the ciphertext for $m_{0}$ will be returned.
- The adversary will again challenge the Cipher (as it can do it q times), while the cipher is using the same key. Adversary now sends in $m_{0}$, $m_{1}$ and it can accurately tell which ciphertext is returned (as it already know what is the ciphertext corresponding to $m_{0}$ from the previous query).
- Hence, the deterministic quality of the cipher (and that it uses same key for multiple message/query encryption) coupled with CPA ability of the adversary breaks the semantic security.

Bottom line: **Deterministic Encryption cannot be semantically secure under a Chosen Plaintext Attack (CPA).**<br>

**What do we require to provide CPA Security?**
![](./Images/RequisiteForCPASecurity.png)

**Solutions for CPA Security:**
- **Randomized Encryption:** The Encryption Algorithm chooses some random string and uses that random string along side the plaintext to generate the ciphertext. This would allow for the generation of different ciphertexts (blocks) for the same plaintexts (blocks). Also, the size of the ciphertext is relatively longer, roughly speaking, $CT-size = PT-size + #random-bits$ (# stands for number of). Note, the random string should be large enough such that we can use it without repetition of the ciphertext for multiple encryptions of the same plaintext.<br><br>

- **Nonce-Based Encryption:** Here we use a nonce which is a unique value such that the pair (k, n) which is used to encrypt message m becomes unique and until we keep changing the nonce for encrypting even the identical messages with the same key, we will generate a unique ciphertext.
![](./Images/NonceBasedEncryption.png)
- **Nonce as counter:** Both encryptor and decryptor uses a counter for keeping state from mssg to mssg and this counter can be used as a nonce as the counter will be a unique value for each mssg and would be synced at both ends, therefore could be used as a nonce (no explicit nonce would be required). It's a stateful method.

- **Random Nonce:** Here nonce is a random variable from a Nonce Space N, which should be large enough such that there is a really low (or negligible) probability of a nonce being repeated in a given key's lifetime. This is a stateless method.

General definition of Nonce: Nonce is a unique value that doesn't repeat. It does not have to be random.

---

**Discovering the CPA Secure Ciphers [There are 2 prominent Constructions to achieve CPA Security]**

#### Cipher Block Chaining(CBC) Mode
Recommended Watch: [Cipher Block Chaining](https://www.coursera.org/learn/crypto/lecture/wlIX8/modes-of-operation-many-time-key-cbc)

>**Cipher block chaining (CBC)** is a mode of operation for a block cipher (one in which a sequence of bits are encrypted as a single unit or block with a cipher key applied to the entire block). Cipher block chaining uses what is known as an initialization vector (IV) of a certain length. One of its key characteristics is that it uses a chaining mechanism that causes the decryption of a block of ciphertext to depend on all the preceding ciphertext blocks. As a result, the entire validity of all preceding blocks is contained in the immediately previous ciphertext block. A single bit error in a ciphertext block affects the decryption of all subsequent blocks. Rearrangement of the order of the ciphertext blocks causes decryption to become corrupted. Basically, in cipher block chaining, each plaintext block is XORed (see XOR) with the immediately previous ciphertext block, and then encrypted.

Note: CBC cannot be parallelized as it is inherently sequential.

**How $AES_{CBC}$ is CPA secure (Semantically secure under CPA)?**<br>
Identical ciphertext blocks can only result if the same plaintext block is encrypted using both the same key and the initialization vector, and if the ciphertext block order is not changed. It has the advantage over the Electronic Code Book mode in that the XOR'ing process hides plaintext patterns. Ideally, the initialization vector should be different for any two messages encrypted with the same key.

**Construction 1: CBC with rand IV**
![](./Images/CBC-1.png "CBC Construction with rand IV")

The Flow:<br>
$E_{CBC}$ is the our AES encryption scheme using the CBC mode of operation. When it's asked to encrypt a message m, the first thing it's going to do is it's going to choose a random IV (Initialization) that's exactly one block of the block cipher. So IV is one cypher block. So in the case of AES the IV would be 16 bytes (128 bits). And then we're gonna run through the algorithm here: 

The IV basically that we chose is gonna be XORed to the first plain text block. And then the result is gonna be encrypted using the AES block cipher and output the first block of the ciphertext. And now comes the chaining part where we actually use the first block of the ciphertext to kind of mask the second block of the plaintext. So we XOR the two together and the encryption of that becomes the second ciphertext block. And so on, and so on, and so forth. So this is cIpher block chaining, you can see that each cipher block is chained and XORed into the next plaintext block, and the final ciphertext is going to be essentially the initial IV that we chose along with all the ciphertext blocks. 

**Initialization Vector:** IV stands for Initialization Vector. And we're going to be seeing that term used quite a bit, every time we need to pick something at random at the beginning of the encryption scheme typically we'll call that an IV for initialization vector. So you notice that the **ciphertext is a little bit longer than the plaintext** because we had to include this IV in the ciphertexts which basically captures the randomness that was used during encryption.

**CBC Construction 1[Decryption]:**
![](./Images/CBC-1Decrypt.png)

**CBC - CPA Analysis:**
So the following theorem is going to show that in fact CBC mode encryption with a random IV is in fact semantically secure under a chosen plaintext attack.
![](./Images/CBC-CPA-Analysis.png)
So let's take it more precisely, basically if we start with a PRP, in other words, our block cipher E, that is defined over a space X, then we are gonna to end up with a encryption algorithm $E_{CBC}$ that takes messages of length L and outputs ciphertexts of length L+1. And then suppose we have an adversary that makes q chosen plaintext queries. 

Then we can state the following security fact, that for every such adversary that's attacking $E_{CBC}$, to exist an adversary that's attacking the PRP, the block cipher, with the following relation between the two algorithms: the advantage of algorithm A against the encryption scheme is less than the advantage of algorithm B against the original PRP plus some noise term. So lets  interpret this theorem, so what this means is that essentially since E is a secure PRP $Adv_{PRP}$[B, E] is negligible, and our goal is to say that adversary A's advantage is also negligible. However, here we are prevented from saying that because we got this extra error term. This is often called an error term and to argue that CBC is secure we have to make sure that the error term is also negligible. Because if both of these terms on the right are negligible, there sum is negligible and therefore the advantage of A against $E_{CBC}$ would also be negligible.

So this says that in fact for $E_{CBC}$ to be secure it has better be the case that $q^{2}$.$l^{2}$ is much, much, much smaller than the value X, where L is simply the length of the messages that we're encrypting (so L could be like say a 1000, which means that we are encrypting messages that are at most 1000 AES blocks) and q is the number of ciphertexts that the adversary gets to see under the CPA attack, but in real life what q is, is basically the number of times that we have used the key K to encrypt messages.

Example:
![](./Images/CBC-CPA-Ex.png)
Note: Using the given Adv formulation, we are able to precisely calculate after how many encryptions [and therefore after how many bytes of encryption], here in AES-128 it's $2^{48}$blocks, we must change the key.

Warning: CBC where attacker can predict the IV is not CPA-secure!!. Hence, it's crucial that the IV be random and not predictable.

**Construction 1': Nonce Based CBC**

![](./Images/NonceBasedCBC.png)

Description:
This is a nonce based version of the CBC where the IV is replaced by a nonce (if the nonce is already known to the recipient, ex: counter nonce, then we don't need to include the nonce explicitly in the ciphertext, so ciphertext is exactly the same as the plaintext). 

If the nonce is random then we don't need the below explained extra step (we can use it directly to XOR with the initial plaintext block).

However, it's perfectly fine to use a non random unique nonce, however, it's absolutely crucial to know that if we do this then we would have to take an **extra step** before using the nonce in the CBC chain, that is: **to first encrypt the nonce using a key $k_{1}$** (which is different from the key, k, that is used in the rest of the mechanism) **so that the output is going to be a random IV which is then used in the CBC chain.** So, this extra step is extremely crucial without CBC mode encryption with nonce wouldn't be CPA secure. <br>
Note: Key $k_{1}$ could not be equal to key k, as that would also not be CPA secure.

Example of a Cyrto API [AES-CBC with rand IV]:
![](./Images/ExampleCryptoAPI.png)

#### Counter (CTR) Mode

CTR mode is method to achieve CPA security, it is actually superior to CBC and is also referred to as randomized counter mode. Unlike CBC, randomized counter mode uses a secure PRF. It doesn't need a block cypher (PRP). It's enough for counter mode to just use a PRF because we're never going to be inverting this function F. So we're going to let F be the secure PRF and it acts on N byte blocks. Again if we use AES, N will be 128.

**Construction 2: Random Counter Mode**
![](./Images/CounterMode.png)

Work Flow:
The way the encryption algorithm works in counter mode is it starts off by choosing a random IV, that's 128 bytes random IV in the case of AES, and the essentially we start counting. From this random IV, so you notice the first encryption is of IV then IV+1 up to IV+L. So we generate this random pad. We XOR the result with the message, and that gives us the cipher text. And, as usual, you notice that the IV here is included along with the cipher text.<br>

So that, in fact, the cipher text is a little longer than the original plain text. And the point, of course, is that, encryption algorithm chooses a new IV for every message. And so even if I encrypt the same message twice, I'm gonna get different resulting cipher texts. One thing to notice that this mode is completely paralyzable, unlike CBC. CBC was sequential. Hence, if you have three AES engines encryption basically will work three times as fast. So that's the beauty of counter mode. 

**Construction 2': Nonce Counter Mode**
![](./Images/CounterMode-2.png)

Description:<br>
Counter mode also has a corresponding nonce based counter mode. Where the IV is not truly random, but rather, is just a nonce which could be a counter. And the way you would implement nonce based counter mode is:
- you would take the 128 bits block that used in AES. And then you would split it in two. 
- You would use the left 64 bits as the nonce. 
- And then once you specify the nonce, the lower order, 64 bits, would be doing the counting inside of the counter modes encryption. 
- So nonce goes on the left, and the counter mode encryption counter goes on the right. 

And it's perfectly fine if this nonce is unpredictable. The only restriction is that you encrypt at most $2^{64}$ blocks using one particular nonce. The danger is that you don't want the right side counter to reset to zero (that's what will happen after $2^{64}$ block encryption), then, you will have two blocks that are encrypted using the same one time pad. Therefore, we should change the block, after $2^{64}$ blocks, to avoid two time pading.

**Counter mode - CPA Analysis**
![](./Images/Counter-CPA-Analysis.png)

Description: Everything is same as that of CBC Analysis, with just the following exceptions:
- In counter mode, we use a secure PRF instead of a secure PRP.
- Counter mode is secure as long as $q^{2}l$ is << |X|, which is better than that of CBC ($q^{2}l^{2}$ << |X|). Which means that we can encrypt more blocks using AES in counter mode as compared to AES in CBC.


Example:
![](./Images/Counter-CPA-Ex.png)
Note: We can encrypt $2^{64}$ blocks in counter mode without the requirement of changing the key which is much better that $2^{48}$ blocks in CBC.

#### Counter Mode vs Cipher Block Chaining
![](./Images/CounterVsCBC.png)

A quick comparison of counter mode and CBC unveils that **in every single aspect, counter mode is superior to CBC** with parallelizability and ability to encrypt more blocks with the same key being the major advantages of counter mode. And that's actually why most modern encryption schemes actually are starting to migrate to counter mode, and abandon CBC. Even though CBC is still quite widely used.

<br>
### Summarizing the Block Ciphers
![](./Images/BlockCipherSummary.png)

The security notions discussed up to here only provides security against eavesdropping but not against tampering. And **because neither one is designed to defend against tampering, neither one provides data integrity. And we're going to see this as a real problem. As a result, in fact, these modes actually should never, ever be used. You should only be using these modes in addition to an integrity mechanism.** 

---