Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography: Block Ciphers Edward J. Schwartz Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from.

Similar presentations


Presentation on theme: "Cryptography: Block Ciphers Edward J. Schwartz Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from."— Presentation transcript:

1 Cryptography: Block Ciphers Edward J. Schwartz Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan Boneh’s June 2012 Coursera crypto class.

2 What is a block cipher? Block ciphers are the crypto work horse Canonical examples: 1.3DES: n = 64 bits, k = 168 bits 2.AES: n = 128 bits, k = 128, 192, 256 bits Block of plaintext n bits Key k bits Block of ciphertext n bits E, D 2

3 Block ciphers built by iteration key expansion key k 1 key k 2 key k 3 key k n key k m R(k 1, ∙)R(k n, ∙)R(k 3, ∙)R(k 2, ∙) c R(k, m) is called a round function Ex: 3DES (n=48), AES128 (n=10) mc m1m1 m2m2 m3m3 3

4 Performance: Stream vs. block ciphers Crypto [Wei Dai] AMD Opteron, 2.2 GHz (Linux) CipherBlock/key sizeThroughput [MB/s] Stream RC4126 Salsa20/12643 Sosemanuk727 Block 3DES64/16813 AES128128/

5 Block ciphers The Data Encryption Standard (DES) 5

6 History of DES 1970s: Horst Feistel designs Lucifer at IBM key = 128 bits, block = 128 bits 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as federal standard key = 56 bits, block = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES. AES currently widely deployed in banking, commerce and Web 6

7 DES: core idea – Feistel network Given one-way functions Goal: build invertible function R1R1 L1L1 R2R2 L2L2 RdRd LdLd R d-1 L d-1 fdfd ⊕ n-bits R0R0 L0L0 f1f1 ⊕ f2f2 ⊕ input output In symbols: 7

8 Feistel network - inverse Claim: Feistel function F is invertible Proof: construct inverse R i+1 L i+1 RiRi LiLi f i+1 ⊕ inverse RiRi LiLi R i+1 L i+1 f i+1 ⊕ 8

9 L d-1 R d-1 L d-2 R d-2 Decryption circuit RdRd LdLd fdfd ⊕ n-bits f d-1 ⊕ R0R0 L0L0 L1L1 R1R1 f1f1 ⊕ Inversion is basically the same circuit, with f 1, …, f d applied in reverse order General method for building invertible functions (block ciphers) from arbitrary functions. Used in many block ciphers … but not AES 9

10 Recall from Last Time: Block Ciphers are (Modeled As) PRPs Pseudo Random Permutation (PRP) defined over (K,X) such that: 1.Exists “efficient” deterministic algorithm to evaluate E(k,x) 2.The function E(k, ∙) is one-to-one 3.Exists “efficient” inversion algorithm D(k,y) XX E(k,⋅), k ∊ K D(k, ⋅), k ∊ K 10

11 is a secure PRF ⇒ 3-round Feistel is a secure PRP Luby-Rackoff Theorem (1985) n-bits input R0R0 L0L0 f ⊕ R1R1 L1L1 f ⊕ R3R3 L3L3 R2R2 L2L2 f ⊕ output 11

12 DES: 16 round Feistel network key expansion key k 1 key k 64 bits IP -1 IP R1R1 L1L1 R2R2 L2L2 R 16 L 16 R 15 L 15 f 16 R0R0 L0L0 f1f1 ⊕ f2f2 ⊕⊕ 16 round Feistel network 56 bits 48 bits key k 2 key k 16 To invert, use keys in reverse order 12

13 The function F(k i, x) x 32 bits E x’ 48 bits kiki ⊕ P 32 bits y 6 4 S1S1 6 4 S2S2 6 4 S3S3 6 4 S4S4 6 4 S5S5 6 4 S6S6 6 4 S7S7 6 4 S8S8 S-box: function {0,1} 6 ⟶ {0,1} 4, implemented as lookup table. 13

14 The S-boxes 14 e.g., ⟶ 1001

15 The S-boxes Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different.“ 1990: (Re-)Discovery of differential cryptanalysis – DES S-boxes resistant to differential cryptanalysis! – Both IBM and NSA knew of attacks, but they were classified 15

16 Block cipher attacks 16

17 Exhaustive Search for block cipher key Goal: given a few input output pairs (m i, c i = E(k, m i )) i=1,..,nfind key k. Attack: Brute force to find the key k. Homework: What is the probability that the key k found with one pair is correct? For two pairs? 17

18 msg = “The unknown messages is:XXXXXXXX…“ CT = Goal: find k ∈ {0,1} 56 s.t. DES(k, m i ) = c i for i=1,2,3 Proof: Reveal DES -1 (k, c 4 ) ⇒ 56-bit ciphers should not be used (128-bit key ⇒ 2 72 days) c1c1 DES challenge 18 c2c2 c3c3 c4c4 1976DES adopted as federal standard 1997Distributed search3 months 1998EFF deep crack3 days$250, Distributed search22 hours 2006COPACOBANA (120 FPGAs)7 days$10,000

19 Strengthening DES Method 1: Triple-DES Let E : K × M ⟶ M be a block cipher Define 3E: K 3 × M ⟶ M as: 3E( (k 1,k 2,k 3 ), m) = E(k 1, D(k 2, E(k 3, m) ) ) 3DES -Key-size: 3×56 = 168 bits -3×slower than DES -Simple attack in time: ≈2 118 k 1 = k 2 = k 3 => DES 19

20 Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) Why not 2DES? key-len = 112 bits for 2DES m E(k 2,⋅)E(k 1,⋅) c Naïve Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). For each k 2 ∈{0,1} 56: For each k 1 ∈{0,1} 56: if E(k 2, E(k 1, m i )) = c i then (k 2, k 1 ) 20 Shrink font to fit. What font? checks c’’ = c? m c' … … c’’ … … k2k2 k1k1

21 Meet in the middle attack Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) key-len = 112 bits for 2DES Idea: key found when c’ = c’’: E(k i, m) = D(k j, c) m c' … … c … … c’’ m E(k 2,⋅)E(k 1,⋅) c 21

22 Meet in the middle attack Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) Attack: M = (m 1,…, m 10 ), C = (c 1,…,c 10 ). step 1: build table. sort on 2 nd column maps c’ to k 2 key-len = 112 bits for 2DES k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) 2 56 entries m E(k 2,⋅)E(k 1,⋅) c 22 ugly

23 Meet in the middle attack M = (m 1,…, m 10 ), C = (c 1,…,c 10 ) step 1: build table. Step 2: for each k∈{0,1} 56 : test if D(k, c) is in 2 nd column. if so then E(k i,M) = D(k,C) ⇒ (k i,k) = (k 2,k 1 ) k 0 = 00…00 k 1 = 00…01 k 2 = 00…10 ⋮ k N = 11…11 E(k 0, M) E(k 1, M) E(k 2, M) ⋮ E(k N, M) m E(k 2,⋅)E(k 1,⋅) c 23 ugly

24 Meet in the middle attack Time = 2 56 log(2 56 ) log(2 56 ) < 2 63 << Space ≈ 2 56 [Table Size] Same attack on 3DES: Time = 2 118, Space ≈ 2 56 m m E(k 2, ⋅ ) E(k 1, ⋅ ) c c E(k 3, ⋅ ) [Build & Sort Table] [Search Entries] m E(k 2,⋅)E(k 1,⋅) c 24

25 Method 2: DESX E : K × {0,1} n ⟶ {0,1} n a block cipher Define EX as EX(k 1, k 2, k 3, m) = k 1 ⨁ E(k 2, m⨁k 3 ) For DESX: key-len = = 184 bits … but easy attack in time = Note: k 1 ⨁E(k 2, m) and E(k 2, m⨁k 1 ) does nothing! 25

26 Attacks on the implementation 1. Side channel attacks: – Measure time to do enc/dec, measure power for enc/dec 2. Fault attacks: – Computing errors in the last round expose the secret key k ⇒ never implement crypto primitives yourself … [Kocher, Jaffe, Jun, 1998] smartcard 26 Card is doing DES IPIP rounds

27 Block ciphers AES – Advanced encryption standard 27

28 The AES process 1997: DES broken by exhaustive search 1997: NIST publishes request for proposal 1998: 15 submissions 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium) Key sizes: 128, 192, 256 bits Block size: 128 bits 28

29 AES core idea: Subs-Perm network DES is based on Feistel networks AES is based on the idea of substitution-permutation networks That is, alternating steps of substitution and permutation operations 29

30 AES: Subs-Perm network input ⊕ k1k1 output ⊕ k2k2 S1S1 S2S2 S3S3 S8S8 S1S1 S2S2 S3S3 S8S8 S1S1 S2S2 S3S3 S8S8 ⊕ knkn subs. layer perm. layer inversion 30

31 AES128 schematic ⊕ input 4 4 k0k0 k1k1 k2k2 k9k9 ⊕⊕ (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow (3) MixColumn ⊕ (1) ByteSub (2) ShiftRow ⊕ output 4 4 k 10 key Key expansion: 16 bytes ⟶176 bytes 10 rounds Ugly. Use less solid backgrounds

32 ByteSub: a 1 byte S-box. 256 byte table (easily computable) ShiftRows: MixColumns: The round function s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 s 0,0 s 0,1 s 0,2 s 0,3 s 1,1 s 1,2 s 1,3 s 1,0 s 2,2 s 2,3 s 2,0 s 2,1 s 3,3 s 3,0 s 3,1 s 3,2 s 0,0 s 0,1 s 0,2 s 0,3 s 1,0 s 1,1 s 1,2 s 1,3 s 2,0 s 2,1 s 2,2 s 2,3 s 3,0 s 3,1 s 3,2 s 3,3 s’ 0,0 s’ 0,1 s’ 0,2 s’ 0,3 s’ 1,0 s’ 1,1 s’ 1,2 s’ 1,3 s’ 2,0 s’ 2,1 s’ 2,2 s’ 2,3 s’ 3,0 s’ 3,1 s’ 3,2 s’ 3,3 s 0,c s 1,c s 2,c s 3,c s’ 0,c s’ 1,c s’ 2,c s’ 3,c MixColumns() 32

33 Code size/performance tradeoff Code sizePerformance Pre-compute round functions (24KB or 4KB) largest fastest: table lookups and xors Pre-compute S-box only (256 bytes) smallerslower No pre- computation smallestslowest 33

34 Size + performance (Javascript AES) AES in the browser AES library (6.4KB) No pre-computed tables (1)Uncompress code (one time effort) (2)Pre-compute tables (one time effort) (3)Perform encryption using tables Implementation: Stanford Javascript Crypto Library https://crypto.stanford.edu/sjcl/ 34

35 AES in hardware Advanced Encryption Standard (AES) Instruction Set Proposed seven AES instructions in 2008 Intel Westmere (2010 Intel Core + later), AMD Bulldozer ( + later) aesenc, aesenclast : do one round of AES 128 bit registers: xmm1=state, xmm2=round key aesenc xmm1, xmm2 ; puts result in xmm1 aeskeygenassist : performs AES key expansion Claim 2-10x speed-up over OpenSSL on same hardware 35 We can skip this.

36 Modes of operation 36

37 Problem: m 1 = m 2 ⟶ c 1 = c 2 37 m1m1 m2m2 m3m3 m4m4 m5m5 mnmn PT: c1c1 c2c2 c3c3 c4c4 c5c5 cncn CT: Electronic Code Book (ECB) Mode E(k, m i )

38 What can possibly go wrong? 38 PlaintextCiphertext Images from Wikipedia

39 Semantic security for ECB mode 39 ECB is not semantically secure for messages that contain more than one block Challenger k ← K Adversary A m 0 = “Hello World” m 1 = “Hello Hello” Two blocks (c 1, c 2 ) ← E(k,m b ) if c 1 = c 2 output 1 else output 0 Adv SS [A,ECB] = 1

40 Deterministic counter mode 40 from a PRF F: E DETCTR (k,m) = Stream cipher built from a PRF (e.g. AES, 3DES) Better than ECB but only works as long as the key is only used once (one-time-key) m[0]m[1] m[L] m[2] F(k,0)F(k,1) F(k,L) F(k,2) ⊕ c[0]c[1] c[L] c[2] ugly

41 Deterministic counter mode security 41 Theorem: For any L > 0, If F is a secure PRF over (K,X,X) then E DETCTR is a sem. secure cipher over (K,X L,X L ). In particular, for any eff. adversary A attacking E DETCTR there exists an eff. PRF adversary B s.t.: Adv SS [A,EDETCTR] = 2 ∙Adv PRF [B,F]

42 Semantic security under CPA 42 Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) if c b = c 0 output 0 else output 1 m 0, m 0 ∊ M C 0 ← E(k,m) m 0, m 1 ∊ M C b ← E(k,m b ) Challenger k ← K Adversary A Encryption modes must be randomized or use a nonce (or are vulnerable to CPA)

43 Semantic security under CPA 43 Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) Two solutions: 1.Randomized encryption Encrypting the same msg twice gives different ciphertexts (w.h.p.) Ciphertext must be longer than plaintext 2.Nonce-based encryption

44 Nonce-based encryption 44 Nonce n: a value that changes for each msg. E(k,m,n) / D(k,c,n) (k,n) pair never used more than once m,n E k E(k,m,n) = c D c,n k E(k,c,n) = m

45 Nonce-based encryption 45 Method 1: Nonce is a counter Used when encryptor keeps state from msg to msg If decryptor has same state, nonce need not be transmitted (i.e., len(PT) = len(CT)) Method 2: Sender chooses a random nonce No state required but nonce has to be transmitted with CT

46 Cipher block chaining mode (CBC) 46 Let(E,D) be a PRP. E CBC (k,m): chose random IV ∊ X and do: ⊕⊕ c[0]c[1]c[2]c[3]IV ⊕⊕ E(k,∙) m[0]m[1]m[2]m[3]IV ciphertext Decryption: c[0] = E(k, IV ⊕ m[0]) ⟶ m[0] = D(k,c[0]) ⊕ IV

47 Suppose given c ← E CBC (k,m) Adv. can predict IV for next msg. Attack on CBC with Predictable IV 47 0 ∊ X output 0 if c[1] = c 1 [1] c 1 ← [IV 1, E(k,0 ⊕ IV 1 )] m 0 = IV ⊕IV 1, m 1 ≠ m 0 ∊ M c ← [IV, E(k,IV 1 )] or c ← [IV, E(k,m 1 ⊕ IV)] (IV ⊕ IV 1 ) ⊕IV Challenger k ← K Adversary A Bug in SSL/TLS 1.1: IV for record #i is last CT block of record #(i-1)

48 Nonce-based CBC 48 CBC with unique nonce: key = (k, k 1 ) two independent keys unique nonce means: (key,n) pair is used for only one msg. ⊕⊕ c[0]c[1]c[2]c[3]nonce ⊕⊕ E(k,∙) E(k 1,∙) m[0]m[1]m[2]m[3]nonce ciphertext IV Included only if unknown to decryptor

49 CBC: padding 49 TLS: for n > 0 n byte pad is: If no pad needed, add a dummy block: ⊕⊕ c[0]c[1]c[2]c[3]nonce ⊕⊕ E(k,∙) E(k 1,∙) m[0]m[1]m[2]m[3] || padnonce IV nn…n removed during decryption 16 … Padding oracle side channel attacks

50 Cipher block chaining mode (CBC) 50 Example applications: 1.File system encryption: use the same AES key to encrypt all files (e.g., loopaes) 2.IPsec: use the same AES key to encrypt multiple packets Problem: If attacker can predict IV, CBC is not CPA-secure

51 Summary Block ciphers – Map fixed length input blocks to same length output blocks – Canonical block ciphers: 3DES, AES – PRPs are effectively block ciphers – PRPs can be created from arbitrary functions through Feistel networks 3DES based on Feistel networks AES based on substitution-permutation networks 51

52 Questions? 52

53 END

54 Linear and differential attacks [BS’89,M’93] Given many inp/out pairs, can recover key in time less than Linear cryptanalysis (overview) : let c = DES(k, m) Suppose for random k,m : Pr [ m[i 1 ]⨁⋯⨁m[i r ] ⨁ c[j j ]⨁⋯⨁c[j v ] = k[l 1 ]⨁⋯⨁k[l u ] ] = ½ + ε For some ε. For DES, this exists with ε = 1/2 21 ≈

55 Linear attacks Pr [ m[i 1 ]⨁⋯⨁m[i r ] ⨁ c[j j ]⨁⋯⨁c[j v ] = k[l 1 ]⨁⋯⨁k[l u ] ] = ½ + ε Thm: given 1/ε 2 random (m, c=DES(k, m)) pairs then k[l 1,…,l u ] = MAJ [ m[i 1,…,i r ] ⨁ c[j j,…,j v ] ] with prob. ≥ 97.7% ⇒ with 1/ε 2 inp/out pairs can find k[l 1,…,l u ] in time ≈1/ε 2. 55

56 Linear attacks For DES, ε = 1/2 21 ⇒ with 2 42 inp/out pairs can find k[l 1,…,l u ] in time 2 42 Roughly speaking: can find 14 key “bits” this way in time 2 42 Brute force remaining 56−14=42 bits in time 2 42 Total attack time ≈2 43 ( << 2 56 ) with 2 42 random inp/out pairs 56

57 Lesson A tiny bit of linearity in S 5 lead to a 2 42 time attack. ⇒ don’t design ciphers yourself !! 57

58 Quantum attacks Generic search problem: Let f: X ⟶ {0,1} be a function. Goal: find x∈X s.t. f(x)=1. Classical computer: best generic algorithm time = O( |X| ) Quantum computer [Grover ’96] : time = O( |X| 1/2 ) Can quantum computers be built: unknown 58

59 Quantum exhaustive search Given m, c=E(k,m) define Grover ⇒ quantum computer can find k in time O( |K| 1/2 ) DES: time ≈2 28, AES-128: time ≈2 64 quantum computer ⇒ 256-bits key ciphers (e.g. AES-256) 1if E(k,m) = c 0 otherwise f(k) = 59


Download ppt "Cryptography: Block Ciphers Edward J. Schwartz Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from."

Similar presentations


Ads by Google