Week 3 - Monday

 What did we talk about last time?  Secure encryption  DES

Yuki Gage

 DES has 16 rounds  The book calls them cycles  In each round, the input is broken into 2 halves, manipulated, and combined with part of the key Input Permutation Left 0 Right 0 f f Key 1 Left 1 Right Left 0 Right 0

 DES uses bitwise operations as well as lookup tables  DES has 8 substitution boxes (S-boxes) which take 6 bits of data and give back 4

 The expansion permutation takes 32 input bits and expands them into 48 bits while permuting them  16 bits are repeated  These 48 bits are XORed with the round key  The resulting 48 bits are substituted through S-boxes which produces a 32 bit result  The final 32 bits are permuted Expansion Permutation XOR with Key S-boxP-box

 The encryption key is 64 bits, but only 56 bits are used  The other 8 bits are for parity  Each of the 16 rounds has a 48 bit round key  To produce the round key, the left and right halves of the 56 bit key are independently shifted by either 1 or 2 bits, depending on the round  48 bits are chosen and permuted by a key transformation box

 There is an initial permutation before the rounds  There is a final permutation after the rounds  Otherwise, each round feeds into the next one

 The NSA tinkered with DES  They shortened the key length from the original 128 bits of Lucifer to 56  They changed the S-boxes  People were concerned that the NSA had introduced a trapdoor so that they could read messages  Eventually, the NSA released information about the choice of S-boxes:  No S-box is a linear or affine function of its input  Changing 1 bit of the S-box input changes at least 2 bits of its output  If a single bit is held constant, changing the others should not radically change the total number of 1s or 0s in the output

 In 1990, researchers independently discovered differential cryptanalysis  It uses related plaintext-ciphertext pairs to trace small changes in input to the output  The changes the NSA made to the S-boxes made them significantly more resistant to differential cryptanalysis  Declassified explanations show that people at IBM and the NSA knew about differential cryptanalysis in the 1970s

 DES has four weak keys that are their own inverse  Encryption = decryption for these keys  They are all 1s, all 0s, or half and half  DES has six pairs of semiweak keys  Encryption with one key is the same as decryption with the other in the pair  Complements:  If c = DES(p, k) then  c = DES(  p,  k)  These problems are easily avoidable  Don’t use weak or semiweak keys  People are usually not encrypting the negation of a plaintext with the negation of a key

 DES is fast  Easy to implement in software or hardware  Encryption is the same as decryption  Triple DES is still standard for many financial applications  Resistant to differential and linear cryptanalysis (2 47 and 2 43 known pairs required, respectively)

 Short key size  Brute force attack by EFF in 1998 in 56 hours then in 1999 in just over 22 hours  Brute force attack by University of Bochum and Kiel in 9 days in 2006 (but, using a machine costing only $10,000)  If you could check 1,000,000,000 keys per second (which is unlikely with a commodity PC), it would take an average of 417 days to recover a key

 The short key size leaves DES vulnerable to brute force attacks  How can we make up for this weakness?  Possibilities:  Encrypt twice with DES  Encrypt three times with DES ……

 "DES is wrong if you listen to NIST, Double DES ain't no better, man, that got dissed" --MC Plus+  Double DES encrypts a plaintext with DES twice, using two different keys  Double DES is susceptible to a meet-in-the- middle attack  This attack uses a space-time tradeoff  Although two keys should mean = 112 bits of security or time for a brute force attack, the meet-in-the-middle attack can run in roughly 2 57 or 2 58 time, using 2 56 space

Encrypt P 1 Decrypt C 1  Two pairs of plaintexts and ciphertexts are needed  Encrypt P 1 with all possible keys and save them  Decrypt C 1 with all possible keys  If the result matches anything in the list, use the key to encrypt P 2  If that matches C 2, you win!  On the left, I show all the decryptions, but only the encryptions need to be stored

 Although susceptible to a brute force attack, DES has no other major weaknesses  Double DES can be defeated by an extension of the brute force attack  What about triple DES?  Let E K (X) and D K (X) be encryption and decryption using DES with key K  Triple DES uses keys K1, K2, and K3  C = E K1 (D K2 (E K3 (M)))  Setting K1 = K2 = K3 allows for compatibility with single DES systems  Triple DES is still a standard for financial transactions with no known practical attacks

 Advanced Encryption Standard  Block cipher designed to replace DES  Block size of 128-bits  Key sizes of 128, 192, and 256 bits  Like DES, has a number of rounds (10, 12, or 14 depending on key size)  Originally called Rijndael, after its Belgian inventors  Competed with 14 other algorithms over a 5 year period before being selected by NIST

 In 1997, NIST made a call for a new encryption standard to replace DES  The algorithms had to have these properties:  Unclassified  Publicly disclosed  Royalty-free  Symmetric block ciphers for blocks of 128 bits  Usable with keys of 128, 192, and 256 bits  15 algorithms were chosen for further scrutiny  5 algorithms were finalists  NIST said that the 4 runner-up algorithms had excellent security properties  Rijndael was chosen for its efficiency

 The 15 algorithms were CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish  The 5 finalists: AlgorithmDesigners RijndaelVincent Rijmen, Joan Daemen SerpentRoss Anderson, Eli Biham, Lars Knudsen Twofish Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson RC6 Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin MARSIBM

 AES keeps an internal state of 128 bits in a 4 x 4 table of bytes  There are four operations on the state:  Substitute bytes  Shift rows  Mix columns  Add round key

 Each byte is substituted for some other byte  This operation is similar to the S-box from DES  The substitution is based on the multiplicative inverse of the value in GF(2 8 )  An algebraic structure is used instead of hand picking substitution value  0 is used as its own multiplicative inverse  To break up patterns, the result of finding the multiplicative inverse is XORed with the value 99 | a b c d e f ---|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--|--| 00 |63 7c 77 7b f2 6b 6f c b fe d7 ab |ca 82 c9 7d fa f0 ad d4 a2 af 9c a4 72 c0 20 |b7 fd f f7 cc 34 a5 e5 f1 71 d |04 c7 23 c a e2 eb 27 b | c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f |53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 60 |d0 ef aa fb 43 4d f9 02 7f 50 3c 9f a8 70 |51 a3 40 8f 92 9d 38 f5 bc b6 da ff f3 d2 80 |cd 0c 13 ec 5f c4 a7 7e 3d 64 5d | f dc 22 2a ee b8 14 de 5e 0b db a0 |e0 32 3a 0a c c2 d3 ac e4 79 b0 |e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c0 |ba e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d0 |70 3e b f6 0e b9 86 c1 1d 9e e0 |e1 f d9 8e 94 9b 1e 87 e9 ce df f0 |8c a1 89 0d bf e d 0f b0 54 bb 16

 For 128-bit blocks (those used in AES), the rows are shifted by a set amount  Row 1 is not shifted at all  Row 2 is shifted over by 1 byte  Row 3 is shifted over by 2 bytes  Row 4 is shifted over by 3 bytes  Rijndael has slightly different shifts for larger block sizes

 XOR the current round key with the state  This step is very simple, except that the key schedule that generates the round key from the overall key is complex

 AES supports key sizes of 128, 192, and 256 bits  Rijndael supports unlimited key size, in principle, as well as other block sizes  128 bit keys use 10 rounds, 192 use 12, and 256 use 14 Add round key First RoundNormal RoundLast Round

 Strengths  Strong key size  Fast in hardware and software  Rich algebraic structure  Well-studied, open standard  Weaknesses  Almost none  A few theoretical attacks exist on reduced round numbers of AES  No practical attacks other than side channel attacks

 No practical attacks exist on the full AES  With reduced numbers of rounds and strong attack models, there are some theoretical attacks  CP = chosen plaintexts  RK-CP = related key chosen plaintexts RoundsKey SizeDataTimeYear 6All2 32 CP All6 ∙ 2 32 CP ∙ 2 32 CP ∙ 2 32 CP All2 128 – CP – CP – CP RK-CP RK-CP RK-CP CP

 Attacks that rely on timing, measuring cache, energy consumption, or other ways an implementation leaks data are called side channel attacks  Several practical side channel attacks for AES do exist  In 2005, Bernstein found a cache-timing attack that broke an OpenSSL implementation of AES using 200 million chosen plaintexts and a server that would give him precise timing data  Later in 2005, Osvik et al. found an attack that recovered a key after 800 encryptions in only 65 milliseconds, with software running on the target machine  In 2009, Saha et al. found an attack on hardware using differential fault analysis to recover a key with a complexity of 2 32  In 2010, Bangerter et al. found a cache-timing attack that required no knowledge of plaintexts or ciphertexts and could work in about 3 minutes after monitoring 100 encryptions

DESAES Date Block size64 bits128 bits Key length56 bits128, 192, 256 bits Encryption primitivesSubstitution, permutation Substitution, shift, bit mixing Cryptographic primitivesConfusion, diffusion DesignOpen Design rationaleClosedOpen Selection processSecret Secret with public comment SourceIBM with NSA helpIndependent Belgians Security Broken if you’ve got the resources No practical attacks yet

 Finish AES  Public key cryptography background  Omar Mustardo presents

 Keep reading Section 2.5  Keep working on Assignment 1  Due this Friday by midnight