Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters."— Presentation transcript:

1 1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters

2 2 Recap-Symmetric Encryption Two basic types of encryption Stream Cipher (eg. RC4, CSS) Block Cipher (e.g. DES, IDEA (Feistel), AES)

3 3 Recap Block Ciphers msg_blockECT_block n-bits K

4 4 Recap-Feistel Networks Feistel network: M=L 0 || R 0 for i=1 to d (# of rounds) L i =R i-1, R i =L i-1 © F(R i-1,K i ) Network inverts itself Construct FN -1 :{0,1} 2n ! {0,1} 2n s.t. 8 x: FN -1 (FN(x))=x DES- 16 round Feistel: block-size 64-bits, key 56

5 5 Recap-Using Block Ciphers Encryption must be randomized (otherwise m i =m j ) c i =c j ) ECB mode is insecure CBC IV EE PT 1 PT 2 ©© IV... CT 1

6 6 Exhaustive Search Attack Known PT attack: given a few PT/CT pairs M 1 /C 1, M 2 /C 2... find K DES: likely need only one PT/CT pair view as collection of 2 56 random one-to-one functions 8 M,k Pr[ 9 k’  k: DES k (M)=DES k’ (M)] ·  k’ Pr[DES k =DES k ’(M)] · 2 56 ¢ 1/2 64 = 1/2 8

7 7 DES Challenge RSA Labs challenge (http://www.rsasecurity.com/rsalabs/)http://www.rsasecurity.com/rsalabs/ " The unknown message is:.... " Internet Search: 3 months ’97 EFF “Deep-Crack”: 3 days ‘98 88 billion keys/sec; $250,000 (do govts have more money?) Internet search: 22 hours ‘99

8 8 DES Challenge 56 bit ciphers are dead (64-bit RC5 also attacked, 72 bit next) 128 bit keys ) 2 72 DES-time ¼ 10 24 days Keep open mind to new attacks e.g. Internet

9 9 Triple DES TE k1,k2,k3 (M)= E k1 (D K2 (E K3 (M))) E D E k1 k2 k3 K=k1,k2,k3 PT CT Why decrypt in middle? 3 times slower

10 10 Double DES? E E k1 k2 K=k1,k2 PT CT k0’E k0 (M) k1’E k1 (M) k2’E k2 (M) meet in middle Sort on 2 nd column Check for collision on 2 nd block

11 11 Double DES Time : 2 56 lg(2 56 )+ 2 56 lg(2 56 )=2 62 << 2 112 Triple-DES security · 118 bits same attack Large amount of space

12 12 Idealized Block Ciphers Experiment AExperiment B Choose random key k Choose random permutation  Oracle access to E k and E k - 1 Oracle access to  and  -1 Adversary guesses which experiment he was in.

13 13 DESX EX_{k1,k2,k3} = k1 © DES k2 (M © k3) Fast! Suppose E K is an ideal cipher; m PT/CT pairs, n-bit block size effective key-length ¸ k+n-1 – log(m) [KR’97] DESX: if m< 2 30 then key length ¸ 2 89 DES k1 (M © k2), k1 © DES k2 (M) not secure

14 14 Power Analysis Encryption/ Decryption Secret key K input output Power Figure from Benini et. al. Have access to power supply?

15 15 Power Analysis

16 16 Power Analysis Difference caused by jump instruction

17 17 Linear attacks Bias  ) Pr[F(x)=0]=1/2 +  Pr[ M i1 ©... © M ir © C j1 ©... © C jv © K l1 ©... K lv =0] =1/2 +  Gather large amount of PT/CT pairs For each PT/CT pair For each K * = (K l1,...,K lv ) increment counter if K l1,... © K lv = M i1 ©... © C jv Take K * with highest counter

18 18 Linear Attacks Try different key possibilities on chosen PT/CT pairs Take one that has strongest bias Thm: Given 1/  2 pairs correct 97% DES  =2 -21 ) 2 42 pairs

19 19 Security Models Attacks adversary can do Can get ahold of of CT/PT pairs? Brute force power Access Adversary’s goal

20 20 Attack types From least to most powerful 1. CT only attack 2. Random plaintext attack – given random PT/CT pairs 3. CPA- Chosen plaintext attack more to come...

21 21 Attacker goals Key-recovery Decrypt a given CT

22 22 AES Development ’97 NIST call for candidates due ’98 128,192,256 bit keys and royalty free 15 of 21 met initial requirements 5 finalists: MARS, RC6, Rijndael, Serpent, Twofish Winner: Rijndael by Daemen and Rijmen International flavor

23 23 AES Overview S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 2,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 Put 128-bit block into 4x4 byte matrix 10 rounds (128-key mode)

24 24 AES Overview S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 2,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 1.S-box per byte (permutation) 2.Shift rows 3.Mix columns 4.Add round key

Download ppt "1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters."

Similar presentations

Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.

Dan Boneh Block ciphers Exhaustive Search Attacks Online Cryptography Course Dan Boneh.
Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)

Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
History Applications Attacks Advantages & Disadvantages Conclusion.

History Applications Attacks Advantages & Disadvantages Conclusion.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
Cryptography and Network Security

Cryptography and Network Security
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Similar presentations

Ads by Google