In [3]:
from Crypto.Cipher import AES
import hashlib
import random
from tqdm import tqdm
from Crypto.Util.number import long_to_bytes, bytes_to_long
from Crypto.Util.Padding import pad, unpad
import os

def xor_bytestring(a, b):        
    return bytes([i^j for i, j in zip(a, b)])
def xor_hexstring(a, b):
    res = b''
    x = bytes.fromhex(a)
    y = bytes.fromhex(b)
    for i, j in zip(x, y):
        res+= bytes([i ^j])
    return res

def xor_bytestring_rep(a, b):
    res = b''
    print(len(a), len(b))
    if len(a) > len(b):
        for i in range(0, len(a), len(b)):
            res += xor_bytestring(a[i:i+len(b)], b)
    else:
        for i in range(0, len(b), len(a)):
            res += xor_bytestring(b[i:i+len(a)], a)
    return res

# Prerequisites

- Block Ciphers pdf
- Stream ciphers pdfs
- No need to understand the inner workings of the block ciphers. We'll just understand them as black boxes

# Theory - Modes of operation

Video resources
- https://www.youtube.com/watch?v=Rk0NIQfEXBA - Computerphile
- https://www.youtube.com/watch?v=6rE-KlhBlq4 - Professor Messer
- 

Let $(E, D)$ be a block cipher. Now, block ciphers encrypt blocks of text so we need a way to chain them to encrypt a bigger file:
- Ex: AES128 enccrypts 128 bits of text so we need to chain them to encrypt / decrypt data
- Basically we are looking for ways to use block ciphers for encryption

Let 
- $E, D: \mathcal{K} \times \{0, 1\}^l \longrightarrow \{0, 1\}^l$ where $l$ is the number of bits
- $m, c \in \{0, 1\}^l$

For now we know 
- $c = E(k, m)$
- $m = D(k, m)$

We want to learn to do 
- Encryption: $(c_1, c_2, ... c_n) \longleftarrow MAGIC \longleftarrow (m_1, m_2, ... m_n)$
- Decryption:  $(m_1, m_2, ... m_n)\longleftarrow MAGIC \longleftarrow (c_1, c_2, ... c_n)$



> **Def - Deterministic encryption scheme**  
> An encryption is *deterministic* if a particular plaintext is mapped to a fixed ciphertext if the key is unchanged

> **Def - Probabilistic encryption scheme**  
> An encryption is *probabilistic* if it uses randomness to achieve a non-deterministic generation of the ciphertext

What are we analyzing at a mode of operation?
- How does it work?
- Security issues
- Implementation details (If encrypt/decrypt is paralellizable or not)

**One more note**
- In the coding part the messages need to be padded to fit the block size
- Padding attacks are a security issue for padding oracles

## ECB mode (Electronic Code Book Mode) 

### Theory

![image.png](attachment:image.png)

**How does it work?**
- Encryption 
    - $c_i = E(k, m_i) $
- Decryption
    - $m_i = D(k, c_i) $

**Parallelizable?**
- Encryption - YES
- Decryption - YES

**Security**
- Strengths
    - A single ECB block is secure
- Weaknesses
    - if $m_i = m_j => c_i = c_j$ 
        - Distinguishable from random
        - The same input generates the same output
    - Deterministic. The message encryption is the same every time
    - Weak to man in the middle by changing blocks
    - Data patterns can be found when encrypting large blocks of data
        - Ex: in images
    
![image.png](attachment:image.png)

### Code

In [4]:
KEY = b'some secret key1'

In [5]:
m = b'a message secret longer than 128 bits'
print(len(m) * 8, len(m) * 8 > 128)

296 True


In [6]:
pad(m, 16)

b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'

In [7]:
cipher = AES.new(KEY, AES.MODE_ECB)

c = cipher.encrypt(pad(m, 16)) # we pad the message
print(c)

m_decr = cipher.decrypt(c)
print(m_decr)

b'Ub,I\xc36\x07W\x1as\x03\x1d\x14\x99m_\x13\xd44\x1f\xd8\xa3\xb1\x9c\x87l&U\x93\x00\xac\xf7Y\x10wD.\xa2\xb9\x17L\x1a\xe3N\x1c\xf9\x8b_'
b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'


In [8]:
# Weakness 1
m = b'a' * 16 + b'b' * 16 + b'a' * 16

cipher = AES.new(KEY, AES.MODE_ECB)

c = cipher.encrypt(m) # we pad the message
print(c)
print("First 16 bytes == last 16 bytes? ", c[:16] == c[-16:])

m_decr = cipher.decrypt(c)
print(m_decr)

b"\xe6\x80\x05\x05\xc0~Pd/~\x1b\x0e\x04.\x07\xce\\K/'\x13\x0b6G\x16\xce%\xb8#\xf1\xa4b\xe6\x80\x05\x05\xc0~Pd/~\x1b\x0e\x04.\x07\xce"
First 16 bytes == last 16 bytes?  True
b'aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaa'


## CBC Mode (Cipher block chaining)

### Theory

![image.png](attachment:image.png)

Solves ECB problems: 
- Makes encryption probabilistic (Uses an $IV$ = initialization vector)
- Combine encryption of all blocks

**How does it work?**
- Encryption 
    - $c_1 = E(k, m_1 \oplus IV)$
        - $IV$ = initialization vector
    - $c_i = E(k, m_i \oplus c_{i-1}) \text{ for } i > 1$
- Decryption
    - $m_1 = D(k, c_1) \oplus IV$
    - $m_i = D(k, c_i) \oplus c_{i-1}$

**Parallelizable?**
- Encryption - NO
- Decryption - YES

**Security**
- $IV$ security (Security depends on how the $IV$ is manipulated
    - If $IV$ is the same then we have deterministic encryption 
    - If $IV$ is used as a random nonce and it's sent with the ciphertext
        - Is not indistinguishable under a CPA
    - If $IV$ is completely random as an internal state
        - Secure under CPA

In [9]:
KEY = b'some secret key1'
IV = os.urandom(16)
IV

b'\x10\xdbp(Z\x0ej\x19)-% \xcb2\xa3\x92'

In [10]:
m = b'a message secret longer than 128 bits'
print(len(m) * 8, len(m) * 8 > 128)

296 True


In [11]:
pad(m, 16)

b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'

In [12]:
cipher = AES.new(KEY, AES.MODE_CBC, iv = IV)

c = cipher.encrypt(pad(m, 16)) # we pad the message
print(c)

cipher = AES.new(KEY, AES.MODE_CBC, iv = IV)
m_decr = cipher.decrypt(c)
print(m_decr)

b'\x9a\x0e&\x05En\x9d\xcd\xf2\xee\x85\x7f\x0e\xe8h\xd5\x9b\xaf\xb4\xaa\x0e\x16\x01\xed\xe6:\xd3/G\xc4\xa8\xc3M\xc3\xac\\r\x19\x9d\x16X\xc41\xad\xfa$\x8bR'
b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'


In [13]:
# ECB weakness isn't here anymore
m = b'a' * 16 + b'b' * 16 + b'a' * 16

cipher = AES.new(KEY, AES.MODE_CBC, iv = IV)

c = cipher.encrypt(m) # we pad the message
print(c)
print("First 16 bytes == last 16 bytes? ", c[:16] == c[-16:]) # False

cipher = AES.new(KEY, AES.MODE_CBC, iv = IV)
m_decr = cipher.decrypt(c)
print(m_decr)

b'\x0b~.6\x93TBQ\n\x89W\x1b\xa9\xa8\xa3\t7;\xde\x80\x1fg\xde\xddIk\xa8\x9bR\xfc\x99\x8fw\xf8\xdcF\xb83p\x19\xb8A\xef\x19.g\xb3s'
First 16 bytes == last 16 bytes?  False
b'aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaa'


## CFB (Cipher FeedBack)

![image.png](attachment:image.png)

- uses the block cipher to produce a stream cipher

**How does it work?**
- Encryption 
    - $c_0 = IV$
    - $c_i = E(k, c_{i-1}) \oplus m_i \text{ for } i>=1$
    - The output is $IV || c_1 || c_2 ||...$
- Decryption
    - $m_i = E(k, c_{i-1}) \oplus c_i$
    

**Parallelizable?**
- Encryption - NO
- Decryption - YES

**Security**
- When $IV$ is used as a nonce then it is not indistinguishable from random under CPA
    - Attacker has $IV || c_1 || c_2 ||...$
    - Attacker queries $IV = c_1$ and $m_1 = 0$ => we will get $c' = E(k, c_1) \oplus 0$ 
    - We can decrypt $m_2 = E(k, c_{1}) \oplus c_2 = c' \oplus c_2$
    - We can get the messages after the first


In [14]:
m = b'a message secret longer than 128 bits'
print(len(m) * 8, len(m) * 8 > 128)

cipher = AES.new(KEY, AES.MODE_CFB, iv = IV)
c = cipher.encrypt(pad(m, 16)) # we pad the message
print(c)

296 True
b'\xfa\xa3X\x92\x82#\xf5\x8a\xf1R\xe2\xad\xeev\x8c<\xe3\x9d\x7fx\x8e\xe3f*d5j\xec\x8c\xe8\xd8\xda\xa1\x8b\x90\x12B\x88dJ\x84yI\xab4\x9d\t\xf8'


In [15]:
cipher = AES.new(KEY, AES.MODE_CFB, iv = IV)
m_decr = cipher.decrypt(c)
print(m_decr)

b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'


#### The attack

In [16]:
KEY = b'some secret key1'
IV = os.urandom(16)
IV

b'\xc2\x90\xb2j\x9f\xba\\~\xbbc\xfdP\xfd\xf6Lo'

In [17]:
m = b'some trash inputSUPER SECRET STUFF HERE'
print(len(m))

cipher = AES.new(KEY, AES.MODE_CFB, iv = IV, segment_size = 128)
c = cipher.encrypt(pad(m, 16)) # we pad the message
print(len(c), c)

39
48 b'K\xffa\x8an\xe2\xf0\xac\xe5W\xa8z\x0bo\x8c\xb5t\xb0\xff\x7fF\x02\x11m\x15\x9c\xd3\xbc\x03\xbc\xcd\xe5\xa6\x1cvs\x18Ouy[\xb4\x81\x9aZ\xb0\x1f\x83'


In [18]:
cipher2 = AES.new(KEY, AES.MODE_CFB, iv = c[:16], segment_size = 128) #encryption oracle
c_ = cipher2.encrypt(bytes([0]) * 16)
c_

b'\'\xe5\xaf:\x14"B(V\xce\x96\xe8#\xef\x99\xb0'

In [19]:
xor_bytestring(c_, c[16:32]) 

b'SUPER SECRET STU'

In [20]:
cipher2 = AES.new(KEY, AES.MODE_CFB, iv = c[16:32], segment_size = 128) #encryption oracle
c_ = cipher2.encrypt(bytes([0]) * 16)
c_
xor_bytestring(c_, c[32:48]) 

b'FF HERE\t\t\t\t\t\t\t\t\t'

## OFB mode (output feedback mode)

![image.png](attachment:image.png)

- Transforms a block cipher into a stream cipher -> We use the block cipher to create the keystream $y$
- It's symmetric => Encryption is the same as decryption

**How does it work?**
- Encryption 
    - $y_0 = IV$
    - $y_i = E(k, y_{i-1})$
    - $c_i = m_i \oplus y_i$
    - The output is $IV || c_1 || c_2 ||...$
- Decryption
    - Same as encryption, just reverse $m_i$ with $c_i$
    

**Parallelizable?**
- Encryption - NO
- Decryption - NO
- Note:
    - The key $y$ can be generated in advance

**Security**
- flipping a bit in the ciphertext changes the plaintext at the same location
- When used with a fixed $IV$ OFB is not indistinguishable from random under a CPA

In [21]:
KEY = b'some secret key1'
IV = os.urandom(16)

In [22]:
m = b'a message secret longer than 128 bits'
print(len(m) * 8, len(m) * 8 > 128)

296 True


In [23]:
cipher = AES.new(KEY, AES.MODE_OFB, iv = IV)

c = cipher.encrypt(pad(m, 16)) # we pad the message
print(c)

cipher = AES.new(KEY, AES.MODE_OFB, iv = IV)
m_decr = cipher.decrypt(c)
print(m_decr)

b'\x15+\x8aWG\xefM\x82s\xc5h\x00=\x90!\xe4\xa8]v\xd6\xac\xb1\\)\xd8\x87\x00\x19E\x97s\xc9\xb9r\x8d^\x14\x7f%\xa5\xbea\xdd\x02\t\x81`r'
b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'


## CTR (Counter mode)

![image.png](attachment:image.png)

- Transforms the block cipher into a stream cipher
- Uses the block cipher on a counter to generate a keystream

**How does it work?**
- Encryption 
    - $c_i = m_i \oplus E(k, IV + i)$
- Decryption
    - $m_i = c_i \oplus E(k, IV + i)$
    
**Parallelizable?**
- Encryption - YES
- Decryption - YES
- Note:
    - The key $y$ can be generated in advance

**Security**
- Is indistinguishable from random  under CPA

In [24]:
from Crypto.Util import Counter
KEY = b'some secret key1'
IV = os.urandom(16)

In [25]:
m = b'a message secret longer than 128 bits'
print(len(m) * 8, len(m) * 8 > 128)

296 True


In [26]:
cipher = AES.new(KEY, AES.MODE_CTR,  counter = Counter.new(128, initial_value=bytes_to_long(IV)))
c = cipher.encrypt(pad(m, 16)) # we pad the message
print(c)

cipher = AES.new(KEY, AES.MODE_CTR, counter = Counter.new(128, initial_value=bytes_to_long(IV)))
m_decr = cipher.decrypt(c)
print(m_decr)

b'H]\x83cTS\xf9\xfe2\x11}\xad\x8b\x96G\x9b\ta\xf8\xef=\x85/\xe6\xa1\xd8\x98\xd8\xf8\xe8+|\xabu\xff\x9b\xae\x1e\xc7\xae\xf1\xda\xbe\x12\xb0\xed!\xbe'
b'a message secret longer than 128 bits\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'


 # Resources

- https://www.youtube.com/watch?v=Rk0NIQfEXBA
- https://www.geeksforgeeks.org/block-cipher-modes-of-operation/
- http://www.crypto-it.net/eng/theory/modes-of-block-ciphers.html
- https://www.highgo.ca/2019/08/08/the-difference-in-five-modes-in-the-aes-encryption-algorithm/