Lecture 3
Block ciphers
Outline: Design principles; SP and Feistel networks; DES; AES/Rijndael; Modes of operation.
[Figure: one round of a substitution-permutation network: input from the previous round passes through a row of S-boxes, then a P-box, and goes as output to the next round.]
Design principles
Cryptanalysis
Example: We try to separate out a subspace with a simple description, e.g. ‘the keys k_0 k_1 ··· k_25 such that k_4 = Z.’
Example: Small parts of C can be solved locally due to redundancy in M.
ioT ⇒ T=n?
AunYreY ⇒ A=h, Y=d??
Design principles
Diffusion
Confusion
Avalanche Effect
In terms of bits, a change of one input bit should change about half the bits
of output.
(If all bits changed, that would be predictable...)
Block ciphers
A block cipher with block size n is, for a given key, a permutation on the set of n-bit strings {0, 1}^n, i.e., a bijection {0, 1}^n → {0, 1}^n.
How many such ciphers exist; i.e., what is the key length if we can index them all by key?
The number of block ciphers is (2^n)!. If all were used, i.e., one key for each, the key length needs to be log_2((2^n)!). For n = 128, this would mean a key length ≈ 10^40 bits.
Typical modern key sizes are 128 and 256 bits, which means practical block ciphers only use a small subset of all possible permutations.
Block ciphers
Let E : {0, 1}^k → ({0, 1}^n → {0, 1}^n) be a block cipher (each key K selects a permutation E_K), and let ℐ be the set of all permutations {0, 1}^n → {0, 1}^n.
Select a random key K, and select a permutation I ∈ ℐ uniformly at random.
Now, given black box access to either E_K or I, the adversary should not be able to determine which it has access to. We say that a block cipher is a pseudo random permutation (PRP) if the probability of distinguishing is negligible.
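The two slides above, the count of permutations and the PRP game, as an added example in Python (not part of the lecture). The ciphers are toys on 8-bit blocks, constructed for this example: an xor cipher E_K(x) = x ⊕ K, which is a bijection but fails the PRP game after two queries, and a "table cipher" whose 8-bit key selects one of 256 fixed permutations out of the 256! that exist. The key space, the distinguisher and the win-rate bookkeeping are all assumptions of this example.

```python
# Added example (not from the lecture): the PRP distinguishing game on toy 8-bit ciphers.
import math
import random

N_BITS = 8                 # toy block size
DOMAIN = 1 << N_BITS       # 256 block values

def key_bits_for_all_permutations(n):
    """log2((2^n)!) = number of key bits needed to index every permutation of {0,1}^n."""
    return math.lgamma(2 ** n + 1) / math.log(2)

def make_table_cipher(key):
    """Toy 'block cipher': the key (0..255) selects one of 256 fixed permutations
    of {0..255} via a seeded shuffle.  Like a real cipher it reaches only a tiny
    subset of the 256! permutations.  Returns the permutation as a callable."""
    perm = list(range(DOMAIN))
    random.Random(key).shuffle(perm)
    return perm.__getitem__

def make_xor_cipher(key):
    """Toy 'block cipher' E_K(x) = x xor K.  A bijection, but a poor PRP."""
    return lambda x: x ^ key

def make_ideal_permutation(rng):
    """Permutation I drawn uniformly at random from all 256! permutations."""
    perm = list(range(DOMAIN))
    rng.shuffle(perm)
    return perm.__getitem__

def xor_distinguisher(oracle):
    """Adversary with black-box access: two queries suffice against the xor cipher,
    because E(0) xor E(1) is always 1; for a random permutation it is 1 with
    probability 1/255.  Returns 0 for 'real cipher', 1 for 'ideal permutation'."""
    return 0 if oracle(0) ^ oracle(1) == 1 else 1

def prp_game(cipher_factory, adversary, trials, seed=0):
    """Fraction of games the adversary wins; 0.5 means no distinguishing power.
    Keys are drawn from the toy key space {0..255}."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        if b == 0:
            oracle = cipher_factory(rng.randrange(DOMAIN))
        else:
            oracle = make_ideal_permutation(rng)
        wins += adversary(oracle) == b
    return wins / trials

if __name__ == "__main__":
    print(f"key bits to index all 8-bit permutations:   {key_bits_for_all_permutations(8):.0f}")
    print(f"key bits to index all 128-bit permutations: {key_bits_for_all_permutations(128):.2e}")
    print("xor cipher,   win rate:", prp_game(make_xor_cipher, xor_distinguisher, 1000))
    print("table cipher, win rate:", prp_game(make_table_cipher, xor_distinguisher, 1000))
```

The same two-query distinguisher wins almost every game against the xor cipher and about half the games against the table cipher, which is what "negligible probability of distinguishing" looks like in practice (for this particular adversary; a PRP must resist every efficient adversary).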
[Figure: iterated block cipher: the plain block passes through rounds 1, …, n; round i uses subkey K_i, and the subkeys K_1, …, K_n are derived from K by key scheduling; the output is the cipher block.]
Each round i
takes subkey K_i derived from K by key scheduling,
contains a Permutation-box for diffusion by transposition, and a Substitution-box for confusion.
Block ciphers
P-box
The exclusive-or operation ⊕:
0 ⊕ 0 = 0, 0 ⊕ 1 = 1
1 ⊕ 0 = 1, 1 ⊕ 1 = 0
Groups
(a ⊕ b) ⊕ b = a ⊕ (b ⊕ b) = a ⊕ 0 = a.
Block ciphers
Feistel Networks
Blocks treated in two halves: input left half (L_{i-1}) and right half (R_{i-1}). Round i, with subkey K_i and cipher function f, computes
L_i = R_{i-1}
R_i = L_{i-1} ⊕ f(K_i, R_{i-1})
Remarks
Cipher function f is the same for every round.
The security of a Feistel network relies on the properties of f.
f need not be invertible for the round to be invertible; instead it relies on (a ⊕ b) ⊕ b = a.
Last round does not swap left and right half (allows the same network to be used for decryption).
Block ciphers
Proof.
We first consider the last round (L and R not swapped):
R_n = R_{n-1}
L_n = L_{n-1} ⊕ f(K_n, R_{n-1})
The block cipher DES was designed by IBM in the early 70s.
It was the standard encryption algorithm for civilian applications (banking, government records, ...) for more than 25 years (US standard since 1977). The new standard is AES.
Advances in hardware and parallel computation have made single
encryption (key length 56 bits) insecure. The current standard
requires triple encryption (key length 168 or 112 bits).
DES withstood intense cryptanalysis well for 25 years. The best
practical attack is still exhaustive key search. (Much ‘better’
theoretical attacks exist.)
Most design considerations unknown.
Fairly slow by modern standards; very slow in software (around 80
cycles per byte).
DES
Decryption
[Figure: DES decryption; not recoverable from the extracted text.]
Is DES secure?
Complementation property
DES has a complementation property that ensures that
E(¬K, ¬M) = ¬E(K, M),
where ¬ denotes the bitwise complement.
This property can successfully be used to distinguish DES from the ideal block cipher. How?
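The Feistel construction (rounds, last round without swap, decryption by reversing the subkeys) and the complementation property, as an added example in Python. This is a constructed 16-bit, 4-round toy cipher, not DES and not the lecture's code; the S-box, the rotating key schedule and the round function are assumptions made for the example. The complementation property appears for the same structural reason as in DES: the subkey is xored into the data before the S-box, and the key schedule only moves bits, so ¬K_i ⊕ ¬R = K_i ⊕ R and every round state of the complemented computation is the complement of the original one.

```python
# Added example (not DES, not from the lecture): a 16-bit, 4-round Feistel toy cipher
# showing (1) the round is invertible although f is not, and (2) a DES-style
# complementation property E(~K, ~M) = ~E(K, M).
ROUNDS = 4
HALF = 8                       # bits per half block
MASK = (1 << HALF) - 1         # 0xff
FULL = (1 << 2 * HALF) - 1     # 0xffff

# Constructed S-box (hypothetical, not DES's): a fixed byte-to-byte map.  It need
# not be a bijection; f only has to be a function of (subkey, right half).
SBOX = [((x * 167) ^ (x >> 4) ^ 0x5C) & MASK for x in range(256)]

def subkeys(key):
    """Key schedule: subkey i is the low byte of the 16-bit key rotated left by 3*i bits.
    Only bit moves, no S-box, so subkeys(~K) is the bitwise complement of subkeys(K);
    that is what makes the complementation property go through."""
    ks = []
    for i in range(ROUNDS):
        r = 3 * i
        rotated = ((key << r) | (key >> (2 * HALF - r))) & FULL
        ks.append(rotated & MASK)
    return ks

def f(subkey, right):
    """Round function: xor the subkey into the right half, then substitute."""
    return SBOX[(subkey ^ right) & MASK]

def feistel(ks, block):
    """Rounds with subkeys ks: L_i = R_{i-1}, R_i = L_{i-1} xor f(K_i, R_{i-1}),
    except that the last round does not swap the halves."""
    left, right = (block >> HALF) & MASK, block & MASK
    last = len(ks) - 1
    for i, k in enumerate(ks):
        if i < last:
            left, right = right, left ^ f(k, right)
        else:
            left ^= f(k, right)
    return (left << HALF) | right

def encrypt(key, block):
    return feistel(subkeys(key), block)

def decrypt(key, block):
    """Same network, subkeys in reverse order (no inverse of f or SBOX needed)."""
    return feistel(subkeys(key)[::-1], block)

def complement(x, bits=2 * HALF):
    return x ^ ((1 << bits) - 1)

def has_complementation_property(key, block):
    """E(~K, ~M) == ~E(K, M) for this key/block pair?"""
    return encrypt(complement(key), complement(block)) == complement(encrypt(key, block))

def is_bijection(key):
    """Every key must give a permutation of the 2^16 blocks."""
    return len({encrypt(key, m) for m in range(FULL + 1)}) == FULL + 1

if __name__ == "__main__":
    key, msg = 0x1234, 0xABCD
    ct = encrypt(key, msg)
    print(f"E({key:#06x}, {msg:#06x}) = {ct:#06x}, decrypts to {decrypt(key, ct):#06x}")
    print("complementation property holds:", has_complementation_property(key, msg))
```

Checking has_complementation_property for a handful of key/block pairs is enough to see the structure; a key schedule with a nonlinear step, or a round function that does not xor the subkey directly into the S-box input, breaks the property.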
Weak keys
DES has a number of weak keys. Weak keys are keys that cause one or
more round keys to be equal. The all 0 key is one example of this.
Any key generation algorithm for DES must avoid the weak keys.
DES
Cryptanalysis of DES
[Slide content not recovered in the extracted text.]
Evaluation Criteria (AES competition)
Security
Candidates with major attacks with less work than exhaustive key
search were eliminated. So were ones with significantly many ‘weak
keys’.
Resistance against known and future attacks was considered in terms
of attacks on simplified (reduced-round) variants and security
margins.
Indistinguishability from random permutations was tested statistically.
Simplicity and cleanness of algorithm and mathematical bases of
designs were valued.
Specialised attacks on smart-card implementation (power-,
timing-analysis).
AES
Rijndael/AES
In 2000, the cipher Rijndael was selected as the winner of the AES competition. It
has variable block and key sizes: a 128-bit block size and 128-, 192-, and 256-bit key sizes were selected for the AES standard;
is a Substitution-Permutation network cipher with 10, 12, or 14 rounds corresponding to the different key sizes;
has an elegant, clean mathematical specification;
is aggressively designed for speed: it is fast in both software (in the order of 10 cycles/byte) and hardware (several GByte/sec in ASIC);
is also well suited for smart-card implementation.
AES
Rijndael/AES outline (10 rounds, i.e. the 128-bit key version)
s = m ⊕ K_0
for r = 1 to 10 do
    s = byteSub(s)
    s = shiftRow(s)
    if r ≤ 9 then s = mixCols(s)
    s = s ⊕ K_r
return s
(The slides highlight byteSub, shiftRow and mixCols in turn.)
mixCols: each of the columns of s is multiplied (in GF(2^8)) with the fixed matrix
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
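The column multiplication above, as an added example in Python (not the lecture's code): byte multiplication in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1, the matrix from the slide applied to one column, and the inverse matrix used by InvMixColumns so that decryption can undo the step. The test vectors in the check function are the ones given in FIPS-197; the state layout (column-major, 16 bytes) follows AES.

```python
# Added example (not from the lecture): AES MixColumns as multiplication in GF(2^8),
# with its inverse.
from functools import reduce
from operator import xor

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of AES

def xtime(a):
    """Multiply by x (the byte 02) in GF(2^8)."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) (shift-and-add using xtime)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

# MixColumns matrix from the slide, and the matrix of its inverse (InvMixColumns).
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def mat_vec(matrix, column):
    """matrix * column over GF(2^8): products via gf_mul, sums via xor."""
    return [reduce(xor, (gf_mul(m, c) for m, c in zip(row, column)), 0) for row in matrix]

def mix_column(column):
    return mat_vec(MIX, column)

def inv_mix_column(column):
    return mat_vec(INV_MIX, column)

def mix_columns(state):
    """Apply MixColumns to a 16-byte state stored column-major (AES byte order)."""
    out = bytearray()
    for c in range(4):
        out.extend(mix_column(list(state[4 * c:4 * c + 4])))
    return bytes(out)

def inv_mix_columns(state):
    out = bytearray()
    for c in range(4):
        out.extend(inv_mix_column(list(state[4 * c:4 * c + 4])))
    return bytes(out)

def matrices_are_inverse():
    """Check MIX * INV_MIX is the identity matrix over GF(2^8)."""
    prod = [[reduce(xor, (gf_mul(MIX[i][k], INV_MIX[k][j]) for k in range(4)), 0)
             for j in range(4)] for i in range(4)]
    return prod == [[int(i == j) for j in range(4)] for i in range(4)]

def fips197_vectors_pass():
    """Worked values from FIPS-197: {57}*{83} = {c1}, and the MixColumns example column."""
    return (gf_mul(0x57, 0x83) == 0xC1
            and mix_column([0xDB, 0x13, 0x53, 0x45]) == [0x8E, 0x4D, 0xA1, 0xBC])

if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]
    print("mixCols   :", [f"{b:02x}" for b in mix_column(col)])
    print("inverse   :", [f"{b:02x}" for b in inv_mix_column(mix_column(col))])
    print("FIPS-197 vectors pass:", fips197_vectors_pass(), "| inverse matrix ok:", matrices_are_inverse())
```

The matrix is "multiplied" with xor as addition, which is why a column of four equal bytes is left unchanged: each row sums to 02 ⊕ 03 ⊕ 01 ⊕ 01 = 01.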
Rijndael, summary
Security of AES
During the selection process attacks on AES were found:
7 round attack on 128-bit keys,
8 round attack on 192-bit keys,
9 round attack on 256-bit keys.
This leaves a 3 to 5 round security margin, but 70% of the cipher is broken for 128-bit keys.
The side channel attacks on AES are particularly nasty, since they bypass all theory by attacking the implementation. Osvik et al. demonstrate a practical attack on dm-crypt, the Linux encrypting file system.
The attack achieves full key recovery using only 800 accesses to an encrypted file, 65 ms of measurements and 3 seconds of analysis!
Crypto in hardware
Benefits
Three times faster encryption/decryption (or more).
Avoids side channel attacks in software implementations (cache
access patterns for lookup tables).
Modes
Electronic Codebook Mode (ECB)
Plaintext is divided into full size blocks (with padding of the last block) and each block is independently en(de)crypted:
M_0 M_1 M_2 ··· ↦ C_0 C_1 C_2 ···, C_i = E_K(M_i).
This usage is called Electronic Codebook Mode (ECB) and has several problems.
Adversary A (against the IND-CPA security of ECB)
Select any two distinct messages m_0 and m_1 and use E_k to encrypt m_0, c_0 = E_k(m_0). Return m_0 and m_1. In the guessing phase compare c with c_0. Since E_k is deterministic we have that if c = c_0 then b = 0 (b = 1 otherwise). Thus, return the outcome of the comparison c = c_0 as the guess.
Cipher Block Chaining (CBC)
Setting
Plaintext M_0 M_1 M_2 M_3 ··· is divided into full size blocks.
Both sender and receiver store one previous cipher block.
Sender and receiver agree on an initialization vector C_{-1}. (Typically chosen at random by the sender and sent as the first ciphertext block.)
C_i = E_K(M_i ⊕ C_{i-1}), i ≥ 0.
M_i = D_K(C_i) ⊕ C_{i-1}, i ≥ 0.
Security of CBC
CBC is IND-CPA given that the underlying block cipher is a PRP, i.e., indistinguishable from a random permutation.
If the adversary makes q queries to the encryption function then the advantage of the adversary is q^2/2^n. This is an example of exact security.
Exact security should not necessarily be interpreted as a tight bound, but rather be contrasted to the asymptotic case.
Actual bounds give hints to safe use of the cipher. For instance, the above bound implies that we should not encrypt more than 2^{n/2} blocks, where n is the block size, before changing key. This is not much for DES (2^32 = 4Gb — less than a DVD)!
Home assignment 1
Here is the same image file as before, encrypted using AES in CBC mode.
Modes
Counter mode (CTR)
[Figure: keystream block k_i is XORed with m_i to give c_i; the receiver XORs k_i with c_i to recover m_i.]
K_i = E_K(nonce || i), i ≥ 0
C_i = M_i ⊕ K_i, i ≥ 0.
CBC allows for random read access, but not random write access. Why?
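The three modes on the preceding slides (ECB, CBC, CTR), the ECB adversary from the IND-CPA slide, and CBC random read access, as an added example in Python that is not part of the lecture. The block cipher is a constructed stand-in: a 16-bit block, where the key seeds a shuffle of the 2^16 block values, so each key gives one bijection as in the lecture's definition; the 8-bit nonce, the 8-bit counter, the IV handling and the game harness are assumptions of this example.

```python
# Added example (not from the lecture): ECB, CBC and CTR over a toy 16-bit block cipher,
# the ECB adversary from the slides, and CBC random read access.
import random

BLOCK_BITS = 16
BLOCK_BYTES = BLOCK_BITS // 8
DOMAIN = 1 << BLOCK_BITS

class ToyBlockCipher:
    """Stand-in for E_K (not a real cipher): the key seeds a shuffle of the 2^16 block
    values, giving one bijection per key, exactly the object the lecture defines."""
    def __init__(self, key):
        self.perm = list(range(DOMAIN))
        random.Random(key).shuffle(self.perm)
        self.inv = [0] * DOMAIN
        for x, y in enumerate(self.perm):
            self.inv[y] = x
    def encrypt_block(self, m):
        return self.perm[m]
    def decrypt_block(self, c):
        return self.inv[c]

def to_blocks(data):
    """Split bytes into 16-bit integers M_0 M_1 ... (caller pads to a multiple of 2)."""
    assert len(data) % BLOCK_BYTES == 0, "pad the last block first"
    return [int.from_bytes(data[i:i + BLOCK_BYTES], "big") for i in range(0, len(data), BLOCK_BYTES)]

def from_blocks(ints):
    return b"".join(x.to_bytes(BLOCK_BYTES, "big") for x in ints)

def ecb_encrypt(E, msg):
    """ECB: C_i = E_K(M_i), every block independently."""
    return from_blocks(E.encrypt_block(m) for m in to_blocks(msg))

def ecb_decrypt(E, ct):
    return from_blocks(E.decrypt_block(c) for c in to_blocks(ct))

def cbc_encrypt(E, iv, msg):
    """CBC: C_i = E_K(M_i xor C_{i-1}) with C_{-1} = iv."""
    prev, out = iv, []
    for m in to_blocks(msg):
        prev = E.encrypt_block(m ^ prev)
        out.append(prev)
    return from_blocks(out)

def cbc_decrypt(E, iv, ct):
    """CBC: M_i = D_K(C_i) xor C_{i-1}."""
    prev, out = iv, []
    for c in to_blocks(ct):
        out.append(E.decrypt_block(c) ^ prev)
        prev = c
    return from_blocks(out)

def cbc_read_block(E, iv, ct, i):
    """Random read access: plaintext block i needs only C_{i-1} (or the IV) and C_i."""
    cs = to_blocks(ct)
    prev = iv if i == 0 else cs[i - 1]
    return (E.decrypt_block(cs[i]) ^ prev).to_bytes(BLOCK_BYTES, "big")

def ctr_crypt(E, nonce, data):
    """CTR: K_i = E_K(nonce || i), C_i = M_i xor K_i; nonce and i are 8 bits each here.
    The same call decrypts."""
    ms = to_blocks(data)
    assert 0 <= nonce < 256 and len(ms) <= 256, "counter would wrap"
    return from_blocks(m ^ E.encrypt_block((nonce << 8) | i) for i, m in enumerate(ms))

class EcbAdversary:
    """The IND-CPA adversary from the slides: ask for c_0 = E_k(m_0), then guess b = 0
    exactly when the challenge ciphertext equals c_0."""
    m0, m1 = b"\x00\x00", b"\xff\xff"
    def choose(self, enc):
        self.c0 = enc(self.m0)
        return self.m0, self.m1
    def guess(self, c):
        return 0 if c == self.c0 else 1

def ind_cpa_win_rate(enc, adversary, rng, trials):
    """enc(msg) encrypts under one fixed secret key; returns the fraction of games won
    (0.5 means the adversary learns nothing about b)."""
    wins = 0
    for _ in range(trials):
        m0, m1 = adversary.choose(enc)
        b = rng.randrange(2)
        wins += adversary.guess(enc((m0, m1)[b])) == b
    return wins / trials

def ecb_vs_cbc(trials=400, seed=1):
    """Run the adversary against ECB and against CBC with a fresh random IV per message."""
    rng = random.Random(seed)
    E = ToyBlockCipher(rng.randrange(DOMAIN))
    def ecb(m):
        return ecb_encrypt(E, m)
    def cbc(m):
        iv = rng.randrange(DOMAIN)
        return iv.to_bytes(BLOCK_BYTES, "big") + cbc_encrypt(E, iv, m)
    return ind_cpa_win_rate(ecb, EcbAdversary(), rng, trials), ind_cpa_win_rate(cbc, EcbAdversary(), rng, trials)

if __name__ == "__main__":
    ecb_rate, cbc_rate = ecb_vs_cbc()
    print(f"adversary win rate: ECB {ecb_rate:.2f}, CBC with random IV {cbc_rate:.2f}")
```

Against ECB the adversary wins every game, because E_K is deterministic and a bijection; against CBC with a random IV the challenge ciphertext equals c_0 only if the IV repeats, so the win rate sits at one half. cbc_read_block shows why CBC gives random read access: block i of the plaintext depends on two ciphertext blocks only, whereas changing plaintext block i changes C_i and, through the chaining, every later ciphertext block.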