1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters

2 Recap-Symmetric Encryption Two basic types of encryption Stream Cipher (eg. RC4, CSS) Block Cipher (e.g. DES, IDEA (Feistel), AES)

3 Recap Block Ciphers msg_blockECT_block n-bits K

4 Recap-Feistel Networks Feistel network: M=L 0 || R 0 for i=1 to d (# of rounds) L i =R i-1, R i =L i-1 © F(R i-1,K i ) Network inverts itself Construct FN -1 :{0,1} 2n ! {0,1} 2n s.t. 8 x: FN -1 (FN(x))=x DES- 16 round Feistel: block-size 64-bits, key 56

5 Recap-Using Block Ciphers Encryption must be randomized (otherwise m i =m j ) c i =c j ) ECB mode is insecure CBC IV EE PT 1 PT 2 ©© IV... CT 1

6 Exhaustive Search Attack Known PT attack: given a few PT/CT pairs M 1 /C 1, M 2 /C 2... find K DES: likely need only one PT/CT pair view as collection of 2 56 random one-to-one functions 8 M,k Pr[ 9 k’  k: DES k (M)=DES k’ (M)] ·  k’ Pr[DES k =DES k ’(M)] · 2 56 ¢ 1/2 64 = 1/2 8

7 DES Challenge RSA Labs challenge ( " The unknown message is:.... " Internet Search: 3 months ’97 EFF “Deep-Crack”: 3 days ‘98 88 billion keys/sec; $250,000 (do govts have more money?) Internet search: 22 hours ‘99

8 DES Challenge 56 bit ciphers are dead (64-bit RC5 also attacked, 72 bit next) 128 bit keys ) 2 72 DES-time ¼ days Keep open mind to new attacks e.g. Internet

9 Triple DES TE k1,k2,k3 (M)= E k1 (D K2 (E K3 (M))) E D E k1 k2 k3 K=k1,k2,k3 PT CT Why decrypt in middle? 3 times slower

10 Double DES? E E k1 k2 K=k1,k2 PT CT k0’E k0 (M) k1’E k1 (M) k2’E k2 (M) meet in middle Sort on 2 nd column Check for collision on 2 nd block

11 Double DES Time : 2 56 lg(2 56 ) lg(2 56 )=2 62 << Triple-DES security · 118 bits same attack Large amount of space

12 Idealized Block Ciphers Experiment AExperiment B Choose random key k Choose random permutation  Oracle access to E k and E k - 1 Oracle access to  and  -1 Adversary guesses which experiment he was in.

13 DESX EX_{k1,k2,k3} = k1 © DES k2 (M © k3) Fast! Suppose E K is an ideal cipher; m PT/CT pairs, n-bit block size effective key-length ¸ k+n-1 – log(m) [KR’97] DESX: if m< 2 30 then key length ¸ 2 89 DES k1 (M © k2), k1 © DES k2 (M) not secure

14 Power Analysis Encryption/ Decryption Secret key K input output Power Figure from Benini et. al. Have access to power supply?

15 Power Analysis

16 Power Analysis Difference caused by jump instruction

17 Linear attacks Bias  ) Pr[F(x)=0]=1/2 +  Pr[ M i1 ©... © M ir © C j1 ©... © C jv © K l1 ©... K lv =0] =1/2 +  Gather large amount of PT/CT pairs For each PT/CT pair For each K * = (K l1,...,K lv ) increment counter if K l1,... © K lv = M i1 ©... © C jv Take K * with highest counter

18 Linear Attacks Try different key possibilities on chosen PT/CT pairs Take one that has strongest bias Thm: Given 1/  2 pairs correct 97% DES  =2 -21 ) 2 42 pairs

19 Security Models Attacks adversary can do Can get ahold of of CT/PT pairs? Brute force power Access Adversary’s goal

20 Attack types From least to most powerful 1. CT only attack 2. Random plaintext attack – given random PT/CT pairs 3. CPA- Chosen plaintext attack more to come...

21 Attacker goals Key-recovery Decrypt a given CT

22 AES Development ’97 NIST call for candidates due ’98 128,192,256 bit keys and royalty free 15 of 21 met initial requirements 5 finalists: MARS, RC6, Rijndael, Serpent, Twofish Winner: Rijndael by Daemen and Rijmen International flavor

23 AES Overview S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 2,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 Put 128-bit block into 4x4 byte matrix 10 rounds (128-key mode)

24 AES Overview S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 2,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 1.S-box per byte (permutation) 2.Shift rows 3.Mix columns 4.Add round key