Cryptography Lecture 4 Block ciphers, DES, breaking DES

Transcription

1 Cryptography Lecture 4 Block ciphers, DES, breaking DES

2 Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages There is always one n (the unicity distance) where only one value for the key recreates a possible plaintext, unless we use OTP Key Key Alice E k D k m c m Bob Eve

3 Defence against breaking a cipher through exhaustive search Change key often enough, so that unicity distance is not reached OTP Approximation of OTP: Stream ciphers Make sure there are too many possible keys for exhaustive search Single-letter substitution is not enough, even though there are 26! combinations Encrypt larger blocks (than one-, two-, or three-letter combinations) Key Key Alice + + m c m Bob Eve

4 Defence against breaking a cipher through exhaustive search Change key often enough, so that unicity distance is not reached OTP Approximation of OTP: Stream ciphers Make sure there are too many possible keys for exhaustive search Single-letter substitution is not enough, even though there are 26! combinations Encrypt larger blocks (than one-, two-, or three-letter combinations) Key Alice Block Block m cipher c cipher m Key Bob Eve

5 Substitution cipher m i Single letter L = 26 Single letter k from K K = 26! 2 88 k Permutation c i

6 Playfair m i Pair of letters L = 26 2 Key word k from K K < 26! 2 88 k Permutation c i

7 Generic block cipher m i n-bit blocks L = 2 n Key k from K K = (2 n )! k Permutation c i

8 Generic block cipher Too large Key k from K K = (2 n )! m i n-bit blocks L = 2 n k Permutation c i

9 Data Encryption Standard (1975) Key k from K K = 2 56 (2 64 )! m i 64-bit blocks L = 2 64 k Permutation c i

10 Block ciphers v. codes The same block with the same key always produces the same cryptogram, independent of its position in a sequence This is simple substitution on the block level An attacker could, in principle, create a table of all plaintext values and their corresponding cryptograms, one table for each key, and use this for cryptanalysis As defence, blocks and keys must be so large that there are too many values to list in the table

11 Block cipher criteria Diffusion If a plaintext character changes, several ciphertext characters should change. This is a basic demand on a block cipher, and ensures that the statistics used need to be block statistics (as opposed to letter statistics) Confusion Every bit of the ciphertext should depend on several bits in the key. This can be achieved by ensuring that the system is nonlinear

12 Diffusion: the avalanche effect A change in one bit in the input should propagate to many bits in the output The strict avalanche criterion A change in one bit in the input should change each output bit with probability 1 2 If this does not hold, an attacker can make predictions on the input, given only the output

13 Build the system from components Input L R + Output E(L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits

14 Build the system from components Input L R + f Output E(L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits

15 Build the system from components Input L R k + f Output E k (L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits Use different functions depending on the key

16 Build the system from components Input L R k + f Output E k (L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits Use different functions depending on the key Confusion is created by using a nonlinear f

17 Feistel network Input L 0 R 0 k 1 Round 1 + f L 1 R 1 k 2 Round 2 + f L 2 R 2

18 Feistel network Input L 0 R 0 k 1 Round 1 + f Substitution Permutation L 1 R 1 k 2 Round 2 + f L 2 R 2

19 DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

20 DES IP b 58 b 50 b 42 b 34 b 26 b 18 b 10 b 2 b 60 b 52 b 44 b 36 b 28 b 20 b 12 b 4 b 62 b 54 b 46 b 38 b 30 b 22 b 14 b 6 b 64 b 56 b 48 b 40 b 32 b 24 b 16 b 8 b 57 b 49 b 41 b 33 b 25 b 17 b 9 b 1 b 59 b 51 b 43 b 35 b 27 b 19 b 11 b 3 b 61 b 53 b 45 b 37 b 29 b 21 b 13 b 5 b 63 b 55 b 47 b 39 b 31 b 23 b 15 b 7

21 DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

22 DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

23 DES Expander b 32 b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 b 9 b 8 b 9 b 10 b 11 b 12 b 13 b 14 b 15 b 16 b 17 b 16 b 17 b 18 b 19 b 20 b 21 b 22 b 23 b 24 b 25 b 24 b 25 b 26 b 27 b 28 b 29 b 30 b 31 b 32 b 1 Permutation b 16 b 7 b 20 b 21 b 29 b 12 b 28 b 17 b 1 b 15 b 23 b 26 b 5 b 18 b 31 b 10 b 2 b 8 b 24 b 14 b 32 b 27 b 3 b 9 b 19 b 13 b 30 b 6 b 22 b 11 b 4 b 25

24 DES b 1 b 2 b 3 b 4 b 5 b 6 S row index: b 1 b 6, column index: b 2 b 3 b 4 b 5

25 DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

26 DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

27 DES key schedule 56 bits Key Key-permutation Each key bit is used in (close to) 14 of 16 rounds C 0 D 0 Rotation Rotation C 1 D 1 Rotation Rotation Choice k 1 48 bits..

28 DES S row index: b 1 b 6, column index: b 2 b 3 b 4 b 5 There was a lot of controversy surrounding the S-box construction People were worried there were backdoors in the system But in the late eighties it was found that even small changes in the S-boxes gave a weaker system

29 DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

30 DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

31 Linearity A function f from is linear if f (ax + by) = a f (x) + b f (y) Example: f (t) = 7t is linear A (close to) linear system is much easier to analyse Therefore, you cannot use only simple mathematical functions

32 Linear cryptanalysis Make a linear approximation of the cipher This will have k as parameter Use many plaintext-ciphertext pairs to deduce which linear approximation is the best, and this will correspond to the most likely key Key Key Alice E k D k m c m Bob Eve

33 Prohibit linear cryptanalysis Examples: f (t) = 7t is linear but f (t) = (7t mod 8) in the ring of numbers mod 16 is nonlinear, because f (2) 2f (1): f (2) = (14 mod 8) = 6 2f (1) = 2(7 mod 8) = 14 of course f (t) = (7t mod 8) is linear in the ring of numbers mod 8

34 Prohibit linear analysis R i f 32 bits Expander k i 48 bits + 6 bits S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i ) In DES, smaller blocks are used in each step, and are combined to create non-linearity with respect to the larger blocks The S-box itself is also chosen to be non-linear

35 Linear cryptanalysis of DES Make a linear approximation of the S-boxes Combine these into a linear approximation of the whole cipher This will have k as parameter Use many plaintext-ciphertext pairs to deduce which linear approximation is the best, and this will correspond to the most likely key Needs 2 43 plaintext-ciphertext pairs for DES

36 DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

37 DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

38 DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

39 Simple(r) Encryption System R i f 6 bits Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 8 bits + 4 bits S bits 6 bits S f (R i, k i )

40 A one-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f L 1 R 1 A known-plaintext attack breaks the system, because then you know R 0 and f (R 0, k 1 ) = R 1 L 0, so you can find k 1

41 A one-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f L 1 = R 0 R 1 = L 0 f (R 0, k 1 ) A known-plaintext attack breaks the system, because then you know R 0 and f (R 0, k 1 ) = R 1 L 0, so you can find k 1

42 Simple(r) Encryption System, example R i = f 6 bits Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 8 bits + 4 bits S bits 6 bits S f (R i, k i ) =

43 Simple(r) Encryption System, example R i = f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i k h i S k l i S f (R i, k i ) =

44 Simple(r) Encryption System, example R i = f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i k h i S k l i S f (R i, k i ) =

45 A two-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f Round 2 + f R 0 L 0 f (R 0, k 1 ) k 2 L 0 f (R 0, k 1 ) R 0 f (L 2, k 2 ) Use the same method twice: (R 0, f (R 0, l 1 ) = L 2 L 0 ); (L 2, f (L 2, k 2 ) = R 2 R 0 ). Now, the key schedule may rule out some combinations.

46 A three-round Feistel network is simple to break L 0 R 0 R 0 L 0 f (R 0, k 1 ) L 0 f (R 0, k 1 ) L 3 L 3 R 3 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) Perform two known-plaintext attacks for L 0 R 0 and L 0 R 0 with R 0 = R 0. Then, the outputs have the relation R 3 R 3 = L 0 L 0 f (L 3, k 3 ) f (L 3, k 3 ) We have L 3 L 3 and f (L 3, k 3 ) f (L 3, k 3)

47 Simple(r) Encryption System, given XOR L 3 L 3 = f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i E(L 3) E(L 3 ) = XOR: 1011 S XOR: 100 S f (L 3, k 3 ) f (L 3, k 3) =

48 Simple(r) Encryption System, given XOR k i f L 3 L 3 = E(L 3) E(L 3 ) = XOR: 1011 S XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = E(L 3 ) k 3 E(L 3 ) k 3 Out XOR Expander b 1 b 2 b 4 b 3 b 4 b 3 b b S

49 Simple(r) Encryption System, given XOR k i f L 3 L 3 = E(L 3) E(L 3 ) = XOR: 1011 S XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = E(L 3 ) k 3 E(L 3 ) k 3 Out XOR Expander b 1 b 2 b 4 b 3 b 4 b 3 b b S

50 Simple(r) Encryption System, given XOR k i f L 3 L 3 = E(L 3) E(L 3 ) = XOR: 1011 S XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = E(L 3 ) k 3 E(L 3 ) k 3 Out XOR Expander b 1 b 2 b 4 b 3 b 4 b 3 b b S

51 A three-round Feistel network is simple to break L 0 R 0 R 0 L 0 f (R 0, k 1 ) L 0 f (R 0, k 1 ) L 3 L 3 R 3 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) Choose R 0 = R 0 so that f (R 0, k 1 ) f (R 0, k 1) = 0. Then, we can calculate f (L 3, k 3 ) f (L 3, k 3)

52 A four-round Feistel network is more complicated to break L 0 R 0 L 1 R 1 R 1 L 1 f (R 1, k 2 ) L 1 f (R 1, k 2 ) L 4 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) L 4 R 4 = L 1 f (R 1, k 2 ) f (L 4, k 4 ) Here, if we can guess f (R 1, k 2 ) f (R 1, k 2) (even if it is 0), we can calculate f (L 4, k 4 ) f (L 4, k 4)

53 Simple(r) Encryption System, given XOR R 1 R 1 = f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i E(R 1) E(R1 ) = XOR: 0011 S XOR:? S f (R 1, k 2 ) f (R 1, k 2) =?

54 Simple(r) Encryption System, given XOR k i f R 1 R 1 = E(R 1) E(R1 ) = XOR: 0011 S XOR:? f (R 1, k 2 ) f (R 1, k 2) =? E(R 1 ) k 2 E(R 1 ) k 2 Out XOR Expander b 1 b 2 b 4 b 3 b 4 b 3 b b S

55 Simple(r) Encryption System, given XOR k i f R 1 R 1 = E(R 1) E(R1 ) = XOR: 0011 S XOR:? f (R 1, k 2 ) f (R 1, k 2) =? E(R 1 ) k 2 E(R 1 ) k 2 Out XOR Expander b 1 b 2 b 4 b 3 b 4 b 3 b b S Warning!

56 A four-round Feistel network is more complicated to break L 0 R 0 L 1 R 1 R 1 L 1 f (R 1, k 2 ) L 1 f (R 1, k 2 ) L 4 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) L 4 R 4 = L 1 f (R 1, k 2 ) f (L 4, k 4 ) Here, if we can guess f (R 1, k 2 ) f (R 1, k 2) (even if it is 0), we can calculate f (L 4, k 4 ) f (L 4, k 4) Take random input pairs, and use the most likely output XOR to deduce the most likely k 4

57 DES The seemingly strange criterion is to prohibit differential cryptanalysis There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs The designers knew about differential cryptanalysis Still, it works on DES, and breaks 15-round DES faster than exhaustive search (16-round DES requires 2 47 chosen plaintexts pairs)

58 Computational cost of breaking DES DES was standardized 1975, and already 1977 there was an estimate that a machine to break it would cost $20M (1977 dollars) DES was recertified in 1992 despite growing concerns One can use distributed computing, specialized hardware, or nowadays, cheap FPGAs In the DES challenge in 1997 the key was found in five months (distributed computation) having searched 25% of the key space (1998: 39 days, 85%) 1998: EFF DES cracker, parallelized, $200k, 4.5 days (on average)

59 Key length Table 7.1: Minimum symmetric key-size in bits for various attackers. Attacker Budget Hardware Min security Hacker 0 PC 58 < $400 PC(s)/FPGA 63 0 Malware 77 Small organization $10k PC(s)/FPGA 69 Medium organization $300k FPGA/ASIC 69 Large organization $10M FPGA/ASIC 78 Intelligence agency $300M ASIC 84 From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

60 Key length Table 7.1: Minimum symmetric key-size in bits for various attackers Attacker Budget Hardware Min security (1996) Hacker 0 PC < $400 PC(s)/FPGA Malware 77 Small organization $10k PC(s)/FPGA Medium organization $300k FPGA/ASIC Large organization $10M FPGA/ASIC Intelligence agency $300M ASIC From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

61 Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

62 Double DES k 1 k 2 Cleartext DES DES Cryptotext E k2 ( Ek1 (m) ) E k3 (m) Encrypt repeatedly with the keys consisting of all 0s and all 1s. The smallest n such that (E 0 E 1 ) n (m) = m is called the cycle length. If DES is a group, then n < 2 56 Lemma: the smallest integer N such that (E 0 E 1 ) N (m) = m for all m contains all individual cycles as factors An example has been found where the cycle lengths of 33 messages has the least common multiple of

63 Meet-in-the-middle attacks A meet-in-the-middle attack is a known plaintext attack Make a list of all 2 56 possible (single-des) encryptions of the plaintext, and of all 2 56 (single-des) decryptions of the ciphertext Match the two lists. The key(s) that give the same middle value is (are) the key (candidates) Attack is of complexity 2 57

64 Triple DES Cleartext k 1 k 2 k 3 E k1 E k2 E k3 Cryptotext More common: Cleartext k 1 k 2 k 3 E k1 D k2 E k3 Cryptotext Breaking three-key triple DES has a complexity of 2 112

65 Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes ( )

66 Next lecture AES Mathematics: intro to finite fields Modes of operation Message Authentication Codes, MACs