BLOCK CIPHERS Mihir Bellare UCSD 1 Permutations and Inverses A function f : {0, 1}` → {0, 1}` is a permutation if there is an inverse function f −1 : {0, 1}` → {0, 1}` satisfying ∀x ∈ {0, 1}` : f −1 (f (x)) = x This means f must be one-to-one and onto, meaning for every y ∈ {0, 1}` there is a unique x ∈ {0, 1}` such that f (x) = y . Mihir Bellare UCSD 2 Permutations and Inverses x f (x) 00 01 01 11 10 00 11 10 x f (x) A permutation Mihir Bellare 00 01 01 11 10 11 11 10 Not a permutation UCSD 3 Permutations and Inverses x f (x) 00 01 01 11 10 00 11 10 x f −1 (x) A permutation Mihir Bellare 00 10 01 00 10 11 11 01 Its inverse UCSD 4 Block Ciphers Let E : {0, 1}k × {0, 1}` → {0, 1}` be a function taking a key K and input x to return output E (K , x). For each key K we let EK : {0, 1}` → {0, 1}` be the function defined by EK (x) = E (K , x) . We say that E is a block cipher if • EK : {0, 1}` → {0, 1}` is a permutation for every K , meaning has an inverse EK−1 , • E , E −1 are efficiently computable, where E −1 (K , x) = EK−1 (x). Mihir Bellare UCSD 5 Example The table entry corresponding to the key in row K and input in column x is EK (x). 00 01 10 11 00 00 01 10 11 01 01 00 11 10 10 10 11 00 01 11 11 10 01 00 In this case, the inverse cipher E −1 is given by the same table: the table entry corresponding to the key in row K and output in column y is EK−1 (y ). Mihir Bellare UCSD 6 Block Ciphers: Example Let ` = k and define E : {0, 1}k × {0, 1}` → {0, 1}` by EK (x) = E (K , x) = K ⊕ x Then EK has inverse EK−1 where EK−1 (y ) = K ⊕ y Why? Because EK−1 (EK (x)) = EK−1 (K ⊕ x) = K ⊕ K ⊕ x = x The inverse of block cipher E is the block cipher E −1 defined by E −1 (K , y ) = EK−1 (y ) = K ⊕ y Mihir Bellare UCSD 7 Block cipher usage $ • K ← {0, 1}k • K (magically) given to parties S, R, but not to A. • S,R use EK Algorithm E is public! Think of EK as encryption under key K . Leads to security requirements like: • Hard to get K from y1 , y2 , . . . • Hard to get xi from yi Mihir Bellare UCSD 8 DES History 1972 – NBS (now NIST) asked for a block cipher for standardization 1974 – IBM designs Lucifer Lucifer eventually evolved into DES. Widely adopted as a standard including by ANSI and American Bankers association Used in ATM machines Replaced (by AES) in 2001. Mihir Bellare UCSD 9 DES parameters Key Length k = 56 Block length ` = 64 So, DES : {0, 1}56 × {0, 1}64 → {0, 1}64 DES−1 : {0, 1}56 × {0, 1}64 → {0, 1}64 Mihir Bellare UCSD 10 DES Construction function DESK (M) // |K | = 56 and |M| = 64 (K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16 M ← IP(M) Parse M as L0 k R0 // |L0 | = |R0 | = 32 for i = 1 to 16 do Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1 C ← IP−1 (L16 k R16 ) return C Round i: Mihir Bellare Invertible given Ki : UCSD 11 DES Construction function DESK (M) // |K | = 56 and |M| = 64 (K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16 M ← IP(M) Parse M as L0 k R0 // |L0 | = |R0 | = 32 for i = 1 to 16 do Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1 C ← IP−1 (L16 k R16 ) return C function DES−1 // |K | = 56 and |M| = 64 K (C ) (K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16 C ← IP(C ) Parse C as L16 k R16 for i = 16 downto 1 do Ri−1 ← Li ; Li−1 ← f (Ki , Ri−1 ) ⊕ Ri M ← IP−1 (L0 k R0 ) return M Mihir Bellare UCSD 12 DES Construction function DESK (M) // |K | = 56 and |M| = 64 (K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16 M ← IP(M) Parse M as L0 k R0 // |L0 | = |R0 | = 32 for i = 1 to 16 do Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1 C ← IP−1 (L16 k R16 ) return C IP−1 IP 58 60 62 64 57 59 61 63 50 52 54 56 49 51 53 55 Mihir Bellare 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 9 11 13 15 2 4 6 8 1 3 5 7 40 39 38 37 36 35 34 33 UCSD 8 7 6 5 4 3 2 1 48 47 46 45 44 43 42 41 16 15 14 13 12 11 10 9 56 55 54 53 52 51 50 49 24 23 22 21 20 19 18 17 64 63 62 61 60 59 58 57 32 31 30 29 28 27 26 25 13 DES Construction function f (J, R) // |J| = 48 and |R| = 32 R ← E (R) ; R ← R ⊕ J Parse R as R1 k R2 k R3 k R4 k R5 k R6 k R7 k R8 // |Ri | = 6 for 1 ≤ i ≤ for i = 1, . . . , 8 do Ri ← Si (Ri ) // Each S-box returns 4 bits R ← R1 k R2 k R3 k R4 k R5 k R6 k R7 k R8 // |R| = 32 bits R ← P(R) return R E Mihir Bellare 32 4 8 12 16 20 24 28 1 5 9 13 17 21 25 29 2 6 10 14 18 22 26 30 P 3 7 11 15 19 23 27 31 4 8 12 16 20 24 28 32 5 9 13 17 21 25 29 1 UCSD 16 29 1 5 2 32 19 22 7 12 15 18 8 27 13 11 20 28 23 31 24 3 30 4 21 17 26 10 14 9 6 25 14 S-boxes S1 : S2 : S3 : 0 0 1 1 0 1 0 1 0 14 0 4 15 1 4 15 1 12 2 13 7 14 8 3 1 4 8 2 4 2 14 13 4 0 0 1 1 0 1 0 1 0 15 3 0 13 1 1 13 14 8 2 8 4 7 10 3 14 7 11 1 4 6 15 10 3 0 0 1 1 0 1 0 1 0 10 13 13 1 1 0 7 6 10 2 9 0 4 13 3 14 9 9 0 4 6 3 8 6 5 15 2 6 9 5 11 2 4 15 5 3 4 15 9 6 11 13 2 1 7 8 1 11 7 6 3 8 13 4 6 15 6 3 8 7 4 14 1 2 7 5 10 0 7 8 3 10 15 5 8 9 12 5 11 8 1 2 11 4 9 10 6 12 11 10 6 12 9 3 11 12 11 7 14 12 5 9 3 10 13 9 5 10 0 14 0 3 5 6 15 7 8 0 13 9 7 0 8 6 10 2 1 12 7 11 13 10 6 12 12 12 6 9 0 13 0 9 3 5 14 5 11 2 14 15 10 5 15 9 9 13 8 1 15 10 12 5 2 14 11 7 14 12 3 12 11 12 5 11 13 4 11 10 5 14 2 15 14 2 15 8 1 7 12 Figure : The DES S-boxes. Mihir Bellare UCSD 15 Cryptanalysis: Key Recovery Attacks on Block Ciphers Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher. It is known to the adversary A. Def: We say that K 0 ∈ {0, 1}k is consistent with (M1 , C1 ), . . . , (Mq , Cq ) if E (K 0 , Mi ) = Ci for all 1 ≤ i ≤ q. Key-recovery security game, informally: $ • A target key K ← {0, 1}k is selected but not given to A. • A can submit a plaintext M ∈ {0, 1}` and get back C = E (K , M), in this way gathering input-output examples (M1 , C1 ), . . . , (Mq , Cq ) of E (K , ·). • A outputs a “guess” K 0 • A wins if K 0 is consistent with (M1 , C1 ), . . . , (Mq , Cq ). Mihir Bellare UCSD 16 Cryptanalysis: Key Recovery Attacks on Block Ciphers Key-recovery security game, informally: $ • A target key K ← {0, 1}k is selected but not given to A. • A can submit a plaintext M ∈ {0, 1}` and get back C = E (K , M), in this way gathering input-output examples (M1 , C1 ), . . . , (Mq , Cq ) of E (K , ·). • A outputs a “guess” K 0 • A wins if K 0 is consistent with (M1 , C1 ), . . . , (Mq , Cq ). Usually, if K 0 is consistent with K , then K 0 = K , so the attack recovers the target key. About the model: Certainly A should be given C1 , . . . , Cq . But why does A get to pick M1 , . . . , Mq ? Reasons include a posteriori revelation of data, a priori knowledge of context, and just being conservative! Mihir Bellare UCSD 17 Key recovery game and advantage Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher and A an adversary. Game KRE procedure Initialize $ K ← {0, 1}k ; i ← 0 procedure Fn(M) i ← i + 1; Mi ← M Ci ← E (K , Mi ) Return Ci procedure Finalize(K 0 ) win ← true For j = 1, . . . , i do If E (K 0 , Mj ) 6= Cj then win ← false If Mj ∈ {M1 , . . . , Mj−1 } then win ← false Return win A Advkr E (A) = Pr[KRE ⇒ true] Mihir Bellare UCSD 18 Running a game with an adversary • First Initialize executes • Now A can call (query) Fn on any input M of its choice. It can make as many queries as it wants • Eventually A will halt with an output K 0 which is automatically viewed as the input to Finalize • The game returns whatever Finalize returns • The advantage of A is the probability that the game returns true Advkr E (A) will depend on the number q of queries that A makes and its running time. Mihir Bellare UCSD 19 Exhaustive Key Search Let T1 , . . . , T2k be a list of all k bit keys and let hii denote the `-bit binary representation of integer i. Let 1 ≤ q ≤ 2` be a parameter. adversary Aeks For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj ) For i = 1, . . . , 2k do if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti Then Advkr E (Aeks ) = 1 because K ∈ {T1 , . . . , T2k } and K is consistent with (M1 , C1 ), . . . , (Mq , Cq ). Think of q as small, like q ∈ {1, 2, 3}. As long as q > k/`, empirical evidence says that the attack returns the target key K itself. Mihir Bellare UCSD 20 Exercise: Target key recovery Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher and A an adversary. The following measures A’s ability to find the target key: Game TKRE procedure Initialize $ K ← {0, 1}k procedure Fn(M) Return E (K , M) procedure Finalize(K 0 ) Return (K = K 0 ) A Let Advtkr E (A) = Pr[TKRE ⇒ true]. Given k, `, design a blockcipher E : {0, 1}k × {0, 1}` → {0, 1}` such that • For any q there is a q-query adversary A with Advkr E (A) = 1 −k for any A • Advtkr E (A) ≤ 2 Mihir Bellare UCSD 21 How long does exhaustive key search take? DES can be computed at 1.6 Gbits/sec in hardware. DES plaintext = 64 bits Chip can perform (1.6 × 109 )/64 = 2.5 × 107 DES computations per second Expect Aeks (q = 1) to succeed in 255 DES computations, so it takes time 255 2.5 × 107 ≈ 1.4 × 109 seconds ≈ 45 years! Key Complementation ⇒ 22.5 years But this is prohibitive. Does this mean DES is secure? Mihir Bellare UCSD 22 Differential and linear cryptanalysis Exhaustive key search is a generic attack: Did not attempt to “look inside” DES and find/exploit weaknesses. The following non-generic key-recovery attacks on DES have advantage close to one and running time smaller than 256 DES computations: Mihir Bellare Attack when q, running time Differential cryptanalysis 1992 247 Linear cryptanalysis 1993 244 UCSD 23 Differential and linear cryptanalysis Exhaustive key search is a generic attack: Did not attempt to “look inside” DES and find/exploit weaknesses. The following non-generic key-recovery attacks on DES have advantage close to one and running time smaller than 256 DES computations: Attack when q, running time Differential cryptanalysis 1992 247 Linear cryptanalysis 1993 244 But merely storing 244 input-output pairs requires 281 Tera-bytes. In practice these attacks were prohibitively expensive. Mihir Bellare UCSD 24 EKS revisited adversary Aeks For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj ) For i = 1, . . . , 2k do if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti Mihir Bellare UCSD 25 EKS revisited adversary Aeks For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj ) For i = 1, . . . , 2k do if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti Observation: The E computations can be performed in parallel! Mihir Bellare UCSD 26 EKS revisited adversary Aeks For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj ) For i = 1, . . . , 2k do if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti Observation: The E computations can be performed in parallel! In 1993, Wiener designed a dedicated DES-cracking machine: • $1 million • 57 chips, each with many, many DES processors • Finds key in 3.5 hours Mihir Bellare UCSD 27 DES security summary DES is considered broken because its short key size permits rapid key-search. But DES is a very strong design as evidenced by the fact that there are no practical attacks that exploit its structure. Mihir Bellare UCSD 28 2DES Block cipher 2DES : {0, 1}112 × {0, 1}64 → {0, 1}64 is defined by 2DESK1 K2 (M) = DESK2 (DESK1 (M)) • Exhaustive key search takes 2112 DES computations, which is too much even for machines • Resistant to differential and linear cryptanalysis. Mihir Bellare UCSD 29 Meet-in-the-middle attack on 2DES Suppose K1 K2 is a target 2DES key and adversary has M, C such that C = 2DESK1 K2 (M) = DESK2 (DESK1 (M)) Then DESK−1 (C ) = DESK1 (M) 2 Mihir Bellare UCSD 30 Meet-in-the-middle attack on 2DES Suppose DESK−1 (C ) = DESK1 (M) and T1 , . . . , TN are all possible DES 2 keys, where N = 256 . T1 DES(T1 , M) DES −1 (T1 , C ) T1 Ti DES(Ti , M) DES −1 (Tj , C ) Tj TN DES(TN , M) Table L DES −1 (TN , C ) TN Table R Attack idea: • Build L,R tables Mihir Bellare UCSD 31 Meet-in-the-middle attack on 2DES Suppose DESK−1 (C ) = DESK1 (M) and T1 , . . . , TN are all possible DES 2 keys, where N = 256 . T1 DES(T1 , M) K 1 → Ti DES(Ti , M) TN DES(TN , M) Table L equal ←→ DES −1 (T1 , C ) T1 DES −1 (Tj , C ) Tj DES −1 (TN , C ) TN ← K2 Table R Attack idea: • Build L,R tables • Find i, j s.t. L[i] = R[j] • Guess that K1 K2 = Ti Tj Mihir Bellare UCSD 32 Meet-in-the-middle attack on 2DES Let T1 , . . . , T256 denote an enumeration of DES keys. adversary AMinM M1 ← 064 ; C1 ← Fn(M1 ) for i = 1, . . . , 256 do L[i] ← DES(Ti , M1 ) for j = 1, . . . , 256 do R[j] ← DES−1 (Tj , C1 ) S ← { (i, j) : L[i] = R[j] } Pick some (l, r ) ∈ S and return Tl k Tr Attack takes about 257 DES/DES−1 computations and has Advkr 2DES (AMinM ) = 1. This uses q = 1 and is unlikely to return the target key. For that one should extend the attack to a larger value of q. Mihir Bellare UCSD 33 3DES Block ciphers 3DES3 : {0, 1}168 × {0, 1}64 → {0, 1}64 3DES2 : {0, 1}112 × {0, 1}64 → {0, 1}64 are defined by 3DES3K1 k K2 k K3 (M) = DESK3 (DES−1 K2 (DESK1 (M)) 3DES2K1 k K2 (M) = DESK2 (DES−1 K1 (DESK2 (M)) Meet-in-the-middle attack on 3DES3 reduces its “effective” key length to 112. Mihir Bellare UCSD 34 DESX DESXKK1 K2 (M) = K2 ⊕ DESK (K1 ⊕ M) • Key length = 56 + 64 + 64 = 184 • “effective” key length = 120 due to a 2120 time meet-in-middle attack • No more resistant than DES to linear or differential cryptanalysis Good practical replacement for DES that has lower computational cost than 2DES or 3DES. Mihir Bellare UCSD 35 Block size limitation Later we will see “birthday” attacks that “break” a block cipher E : {0, 1}k × {0, 1}` → {0, 1}` in time 2`/2 For DES this is 264/2 = 232 which is small, and this is unchanged for 2DES and 3DES. Would like a larger block size. Mihir Bellare UCSD 36 AES 1998: NIST announces competition for a new block cipher • key length 128 • block length 128 • faster than DES in software Submissions from all over the world: MARS, Rijndael, Two-Fish, RC6, Serpent, Loki97, Cast-256, Frog, DFC, Magenta, E2, Crypton, HPC, Safer+, Deal Mihir Bellare UCSD 37 AES 1998: NIST announces competition for a new block cipher • key length 128 • block length 128 • faster than DES in software Submissions from all over the world: MARS, Rijndael, Two-Fish, RC6, Serpent, Loki97, Cast-256, Frog, DFC, Magenta, E2, Crypton, HPC, Safer+, Deal 2001: NIST selects Rijndael to be AES. Mihir Bellare UCSD 38 AES function AESK (M) (K0 , . . . , K10 ) ← expand(K ) s ← M ⊕ K0 for r = 1 to 10 do s ← S(s) s ← shift-rows(s) if r ≤ 9 then s ← mix-cols(s) fi s ← s ⊕ Kr end for return s • Fewer tables than DES • Finite field operations Mihir Bellare UCSD 39 The AES movie http://www.youtube.com/watch?v=H2LlHOw_ANg Mihir Bellare UCSD 40 Implementing AES Pre-compute and store round function tables Pre-compute and store S-boxes only No pre-computation Code size Performance largest fastest smaller slower smallest slowest AES-NI: Hardware for AES, now present on most processors. Your laptop may have it! Can run AES at around 1 cycle/byte. VERY fast! Mihir Bellare UCSD 41 Security of AES Best known key-recovery attack [BoKhRe11] takes 2126.1 time, which is only marginally better than the 2128 time of EKS. There are attacks on reduced-round versions of AES as well as on its sibling algorithms AES192, AES256. Many of these are “related-key” attacks. There are also effective side-channel attacks on AES such as “cache-timing” attacks [Be05,OsShTr05]. Mihir Bellare UCSD 42 Exercise Define F : {0, 1}256 × {0, 1}256 → {0, 1}256 by Alg FK1 kK2 (x1 kx2 ) y1 ← AES−1 (K1 , x1 ⊕ x2 ); y2 ← AES(K2 , x2 ⊕ K1 ) Return y1 ky2 for all 128-bit strings K1 , K2 , x1 , x2 . Let TAES denote the time for one computation of AES or AES−1 . Below, running times are worst-case and should be functions of TAES . 1. Prove that F is a blockcipher. 2. What is the running time of a 4-query exhaustive key-search attack on F ? 3. Give the best 4-query key-recovery attack that you can on F in the form of an adversary A specified in pseudocode and achieving Advkr F (A) = 1. Say what is the running time of A. Mihir Bellare UCSD 43 Limitations of security against key recovery So far, a block cipher has been viewed as secure if it resists key recovery, meaning there is no efficient adversary A having Advkr E (A) ≈ 1. Is security against key recovery enough? Not really. For example define E : {0, 1}128 × {0, 1}256 → {0, 1}256 by EK (M[1]M[2]) = M[1]kAESK (M[2]) This is as secure against key-recovery as AES, but not a “good” blockcipher because half the message is in the clear in the ciphertext. Mihir Bellare UCSD 44 So what? Possible reaction: But DES, AES are not designed like E above, so why does this matter? Answer: It tells us that security against key recovery is not, as a block-cipher property, sufficient for security of uses of the block cipher. As designers and users we want to know what properties of a block cipher give us security when the block cipher is used. Mihir Bellare UCSD 45 So what is a “good” block cipher? Possible Properties security against key recovery hard to find M given C = EK (M) .. . Necessary? YES YES Sufficient? NO! NO! We can’t define or understand security well via some such (indeterminable) list. We want a single “master” property of a block cipher that is sufficient to ensure security of common usages of the block cipher. Mihir Bellare UCSD 46
© Copyright 2025