Modes of operation and random numbers

Question 1

What is the purpose of having multiple modes of operation for block ciphers?

Answer 1

The different modes can provide different things. Some modes can be designed to provide confidentiality for data, authentication (and integrity) or both.

Question 2

What is one thing that confidentiality modes includes?

Answer 2

Randomisation

Question 3

What does randomised encryption schemes want to prevent?

Answer 3

The same plaintext block being encrypted to the same ciphertext block every time

Question 4

How can randomisation be achieved in block ciphers?

Answer 4

Using an initialisation vector. This needs to be unique or random.

Can be achieved by including a variable state which is updated with each block.

Question 5

What are some other features of modes?

Answer 5

Can allow parallel processing, enc and/or dec in parallel.

Error propagation: error in C result in multiple bit-errors in P after decryption

Question 6

Why is padding used in some modes?

Answer 6

Some modes require plaintext to consist of complete blocks

Question 7

What is ciphertext stealing?

Answer 7

An alternative to padding.

Question 8

What is the ECB mode?

Answer 8

Enc:
Ct = E(Pt, K), plaintext block Pt

Dec:
Pt = D(Ct, K)

Blocks are appended to each other to make the message.

Question 9

Why is ECB mode normally not used for bulk encryption?

Answer 9

Because it is deterministic

Question 10

What are the properties of ECB?

Answer 10

Randomised: No
Padding: Required
Error propagation: Within block
IV: Not used
Parallel encryption: Yes
Parallel decryption: Yes

Question 11

Describe the CBC mode

Answer 11

Random IV, sent together with the ciphertext

Enc:
Ct = E(Pt XOR Ct-1, K)
C0 = IV

Dec:
Pf = D(Ct, K) XOR Ct-1
C0 = IV

Question 12

How does error propagate through CBC?

Answer 12

An bit error in block n result in a plaintext error for the block n, and a flipped bit in block n + 1,

Question 13

What are the properties of CBC?

Answer 13

Randomised: Yes

Padding: Required

Error propagation: Within block, and into specific bits of next block

IV: Must be random

Parallel Enc: No

Parallel Dec: Yes

Question 14

Describe CTR mode

Answer 14

Synchronous stream cipher.

Keystream generated by enc successive values of a ‘counter’ initialised using a nonce N.

Ot = E(Tt, K)
Tt: Concatination of nonce and block number t

Enc:
Ct = Ot XOR Pt

Dec:
Pt = Ot XOR Ct

Question 15

What is a nonce in CTR mode?

Answer 15

A randomly chosen value

Question 16

How is error propagated in CTR mode?

Answer 16

A one-bit change in C block n, produces a one-bit error in the plaintext at the same location

Question 17

What are the properties of CTR mode?

Answer 17

Randomised: Yes

Padding: Not required

Error propagation: Error occur in specific bits of current block

IV: Nonce must be unique

Parallel Enc: Yes

Parallel Dec: Yes

Question 18

When can using CTR mode be useful?

Answer 18

For access to specific P blocks without decrypting the whole stream

Question 19

Where is CTR mode used today?

Answer 19

Basis for authenticated encryption in TLS 1.3 and 1.3

Question 20

What is a TRNG?

Answer 20

True random number generator.

A physical process which outputs each valid string independently, with equal probability

Question 21

What is a PRNG?

Answer 21

Pseudo random number generator

Deterministic algorithm which approximates TRNG

Question 22

How can PRNG and TRNG be combined?

Answer 22

May use TRNG to provide a seed for a PRNG

Question 23

What is DRBG?

Answer 23

Deterministic Random Bit Generators. These are PRNG algorithms

Based on:
Hash functions
A specific MAC known as HMAC
Block ciphers in counter mode

Question 24

How does PRNGs work?

Answer 24

Each generator takes a seed as input and outputs a bit string. Then its state is updated.

Seed should be updated after a number of calls

Seed can be obtained from TRNG

Question 25

What are entropy sources?

Answer 25

Framework for design and validation of TRNGs

Includes physical noise source, digitalization process, and post-processing stages

Outputs any number of bits

Question 26

What are the functions of DRBGs?

Answer 26

Instantiate: Sets initial state of DRBG using seed

Generate: Provides output bit string

Reseed: Input new seed and update DRBG state

Test: Checks correct operation of the other functions

Uninstantiate: Deletes the state of the DRGB

Question 27

How is security defined for DRBGs?

Answer 27

Ability to destinguish reliably between its output and a truly random string.

2 properties: Backtracking resistance and forward prediction resistanse

Question 28

What is backtracking resistance?

Answer 28

If we have the current state, should not be able to distinguish between the output of earlier states, and random strings

Question 29

What is forward prediction resistance?

Answer 29

If we have the current state, should not be able to distinguish between the later outputs and random strings

Question 30

What is CTR_DRBG?

Answer 30

Uses block with CTR (AES-128 recommended)

Seed length is block-length + key length

Key and state (counter) is defived from high entropy seed. No separate nonce is used

Counter mode enc is run iteratively with no P added and output blocks form the output

Question 31

Define the update function in CTR_DRBG

Answer 31

Used in initialise, generate and reseed functions to generate new key and state.

Input: K and V (state/counter) and optional data input D

Output: K’ and V’

Computation for block size = key size:
- Generate new block O1 = E(V,K)
- Increment V
- O2 = E(V, K)
- K’ || V’ = (O1 || O2) XOR D

Question 32

How does the instantiate function work in CTR_DRBG?

Answer 32

Calls update with D equial to high entroy seed, K and V are zero strings

Question 33

How does the generate function work in CTR_DRBG?

Answer 33

Computes up to 2^19 bits by running CTR mode output from current state.
Update is then called with D empty

Question 34

How does the instantiate function work in CTR_DRBG?

Answer 34

Update with D as high entropy input, K and V in current state

Question 35

How many calls can be made to Generate before Reseed must be called, according to the standard for CTR_DRBG?

Answer 35

2^48

Question 36

In CTR_DRBG what provides backtracking resistance?

Answer 36

Update and Reseed

Question 37

In CTR_DRBG what provides forward prediction resistance?

Answer 37

Reseed

Question 38

What is Dual_EC_DRBG?

Answer 38

Older standard

Based on elliptic curve discrete logarithm problem

Slower than other DRBGs

No security proof exist,

Question 39

What are Cryptographically-secure pseudorandom number
generators (CSPRNGs)?

Answer 39

Algorithms, that given an unpredictable input, a much larger stream of unpredictable outputs are generated.