Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Transcription

1 Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida

2 Definition of block ciphers

3 Block ciphers: crypto work horse n bits PT block n bits E, D CT block key k bits 3DES n=64 bits k=168 bits AES n=128 bits k=168, 192, 256 bits

4 Block ciphers built by iteration k key expansion k 1 k 2 k 3 k l m R(k 1, ) R(k 2, ) R(k 3, ) R(k l, ) c R(, ) is called a round function l = 48 for DES, l = 10 for AES-128

5 Performance Crypto benchmarks on AMD 8354 Opteron 2.2 GHz processor under Linux cipher block/key size speed (MB/sec) RC4 126 Salsa20/ Sosemanuk 727 3DES 64/ AES /

6 Crypto check out for the most recent version Crypto the library contains: authenticated encryption high speed stream ciphers AES and AES candidates other block ciphers block cipher modes of operation message authentication codes hash functions public key cryptography padding schemes for public key cryptography key agreement schemes elliptic curve cryptography... many other features

7 Abstraction of block ciphers: PRPs and PRFs F is a pseudo random function (PRF) defined over (K, X, Y) F : K X Y if efficient algorithm for evaluating F (k, x) E is a pseudo random permutation (PRF) defined over (K, X ) E : K X X provided that the function E(k, ) is injective k K an efficient deterministic algorithm for evaluating E(k, x) an efficient inversion algorithm D such that D ( k, E(k, x) ) = x k K x X

8 Example PRPs: AES and DES AES K X X, K = X = {0, 1} 128 3DES K X X, K = {0, 1} 168, X = {0, 1} 64

9 PRPs are special PRFs a PRP is a special PRF where the two sets X and Y are the same there is an efficient algorithm for inverting

10 Secure PRFs let F : K X Y be a PRF let F(X, Y) denote the set of all functions from X and Y let S = {F (k, ) : k K} F(X, Y) intuitively, a PRF is secure if a random function in F(X, Y) is indistinguishable from a random function in S S S = K F(X, Y) F(X, Y) = Y X

11 Secure PRF b {0, 1} x X Challenger Adversary b = 0 f F(X, Y) f (x) b = 1 F (k, x) k R K b {0, 1}

12 Secure PRPs let E : K X X be a PRP let P(X ) denote the set of all permutations of X let S = {E(k, ) : k K} P(X ) intuitively, a PRP is secure if a random permutation in P(X ) is indistinguishable from a random permutation in S S S = K P(X ) P(X ) = X!

13 Secure PRF b {0, 1} x X Challenger Adversary b = 0 π P(X ) π(x) b = 1 E(k, x) k R K b {0, 1}

14 Question let F : K X {0, 1} 128 be a secure PRF define G by { if x = 0 G(k, x) = F (k, x) otherwise is G a secure PRP?

15 Secure PRFs yield secure PRGs let F : K {0, 1} n {0, 1} n be a secure PRF the following function G : K {0, 1} nt is a secure PRG: G(k) = F (k, 0) F (k, 1) F (k, t) G is parallelizable security of G follows from PRF property: F (k, ) is indistinguishable from function f ( )

16 Data Encryption Standard

17 Data encryption standard (DES) widely deployed in banking (ACH) and commerce early 1970s: Horst Feistel designs Lucifer at IBM key-len = 128 bits; block-len = 128 bits 1973: NBS asks for block cipher proposals IBM submits variant of Lucifer 1976: NBS adopts DES as a federal standard key-len = 56 bits; block-len = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES

18 DES core idea: Feistel network given function f 1,..., f d : {0, 1} n {0, 1} n goal: build invertible function F : {0, 1} 2n {0, 1} 2n R 0 R 1 R 2 R d 1 R d f 1 f 2 f d L 0 L 1 L 2 L d 1 L d R i = f i (R i 1 ) L i 1, L i = R i

19 Feistel network is invertible the Feistel network is invertible because each iteration is invertible R i 1 R i R i R i 1 f i inverse f i L i 1 L i L i L i 1 this provides a general method for building invertible functions (block ciphers) from arbitrary functions this is used in many block ciphers, but not in AES

20 3-round Feistel network yields a secure PRP Theorem (Luby-Rackoff 85) let F : K {0, 1} n {0, 1} n be a secure PRF 3-round Feistel E : K 3 {0, 1} 2n {0, 1} 2n is a secure PRP R 0 R 1 R 2 R 3 F (k 1, ) F (k 2, ) F (k 3, ) L 0 L 1 L 2 L 3 the three keys k 1, k 2, k 3 have to be independent

21 DES: 16 round Feistel network with key expansion f 1,..., f 16 : {0, 1} 32 {0, 1} 32, f i (x) = F (k i, x) k key expansion k 1 k 2 k 3 k 16 input IP 16 round Feistel network FP output

22 DES key schedule

23 DES: 16 round Feistel network

24 The Feistel functions F (k i, ) x E 32 k i S 1 6 S 2 6 S 3 6 S 4 6 S 5 6 S 6 6 S 7 6 S the S i -boxes are functions {0, 1} 6 {0, 1} 4 that are implemented as a look-up tables P 32 32

25 The Feistel functions F (k i, )

26 The Feistel functions F (k i, ) expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation E by duplicating half of the bits its output consists of eight 6-bit pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side key mixing: the result is combined with a subkey using an XOR operation. substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box this is designed so that, after permutation, each S-box s output bits are spread across 4 different S boxes in the next round

27 The S i -boxes given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. for example, an input has outer bits 01 and inner bits 1101; the corresponding output would be 1001

28 Insecure block cipher if S i boxes linear suppose S i (x 1, x 2,..., x 6 ) = (x 1 x 2, x 1 x 4 x 5, x 1 x 6, x 2 x 3 x 6 ) this can be equivalently written the matrix equation: S i (x) = A i x = (mod 2) we say that S i is linear

29 Insecure block cipher if S i boxes linear all S i -boxes linear the entire DES cipher linear fixed binary matrix B such that 832 m k 1 DES(k, m) = B k 2 = c. k 16 but then 64 DES(k, m 1 ) DES(k, m 2 ) DES(k, m 2 ) = DES(k, m 1 m 2 m 3 )

30 Rules for choosing S and P boxes choosing the S and P boxes at random would yield an insecure block cipher (key recovery possible after 2 24 outputs) no output bit should be close to a linear function of the input bits S-boxes are 4-to-1 maps

31 Exhaustive search attacks

32 Exhaustive search for block cipher key goal: given a few PT-CT pairs (m i, c i = E(k, m i )), find k Lemma: suppose DES is an ideal cipher, i.e., E(k 1, ) = π 1,..., E(k 2 56, ) = π 2 56 behave as if we had selected the permutations π 1,..., π 2 56 uniformly at random from P(X ) where X = {0, 1} 64 m, c there is at most one key k such that c = DES(k, m) Proof: Pr ( k k : c = DES(k, m) = DES(k, k) ) ( DES(k, m) = DES(k, m) ) k {0,1} 56 Pr = 1 2 8

33 Exhaustive search for block cipher key for two DES pairs (m 1, DES(k 1, m 1 )), (m 2, DES(k 2, m 2 )) the probability of the key being unique is 1 1/2 71 for two AES-128 pairs (m 1, AES(k 1, m 1 )), (m 2, AES(k 2, m 2 )) the probability of the key being unique is 1 1/2 128 two PT-CT pairs are enough for exhaustive key search

34 DES challenge PT = The unkn own mess age is: XXX... CT = c 1 c 2 c 3 c 4 Goal: find k {0, 56} 56 such that DES(k, m i ) = c i for i = 1, 2, Internet search: 3 months 1998 EEF machine (deep crack): 3 days $250k 1999 combined search: 22 hours 2006 COPACOBANA (120 FPGAs): 7 days $10k 56-bit ciphers should not be used

35 Strengthening block encryption method 1 Triple encryption let E : K M M be a block cipher define 3E : K 3 M M by 3E((k 1, k 2, k 3 ), m) = E(k 1, D(k 2, E(k 3, m))) observe that we recover (single) encryption when all keys equal E((k, k, k), m) = E(k, m) for 3DES: key-size = 3 56 = 168 bits; 3 times slower than DES

36 Why not double encryption? define 2E((k 1, k 2 ), m) = E(k 1, E(k 2, m)) m E(k 2, ) E(k 1, ) c goal: find (k 1, k 2 ) such that E(k 1, E(k 2, m)) = c E(k 2, m) = D(k 1, c)

37 Meet-in-the-middle attack on double encryption attack: M = (m 1,..., m 10 ), C = (c 1,..., c 10 ) build table and sort on second column k 0 = E(k 0, M) k 1 = E(k 1, M) k 2 = E(k 2, M).. k N = E(k N, M) repeat ranging k {0, 1} 56 until D(k, c) appears in second column (check using binary search) when this happens, then E(k i, M) = D(k, C) (k 2, k 1 ) = (k 2, k 1 )

38 Complexity of the meet-in-the-middle attack Triple DES m E(k 2, ) E(k 1, ) c Time = 2 56 log(2 56 ) log(2 56 ) < Space 2 56 Double DES m E(k 3, ) E(k 2, ) E(k 1, ) c same attack on 3DES Time = Space 2 56

39 Strengthening block encryption method 2 X (xor before and after encryption) let E : K {0, 1} n {0, 1} n be a block cipher define EX by EX ((k 1, k 2, k 3 ), m) = k 1 E(k 2, m k 3 ) observe that k 1 E(k 2 ) and E(k 2, m k 1 ) does nothing for DESX: key-len= =184 bits there is an easy attack in time = 2 120

40 More attacks on block ciphers

41 Attack on the implementation side channel attacks: measure time to do enc/dec, measure power for enc/dec fault attacks: computing errors in the last round expose the secret key k

42 Linear and differential attacks given many PT-CT pairs, the key can be recovered in time less than 2 56 linear cryptanalysis: suppose for random k and m, we have Pr(m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε for some ε > 0 for DES, relation exist with ε = 1/2 21

43 Linear attacks Theorem: Assume Pr k K m M (m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε holds, then with probability greater than 97.7% the equality k[l 1 ] c[l t ] = MAJ(m[i 1 ] m[i r ] c[j 1 ] c[j s ] is satisfied provided that we are given 1/ε 2 pairs (m, DES(k, m)) with m M we can determine k[l 1,..., l t ] with 1/ε 2 random PT-CT pairs in time 1/ε 2

44 Linear attacks for DES ε = 1/2 21 given 2 42 random PT-CP pairs, we can determine k[l 1,..., l t in time key bits can be found this way in time 2 42 brute force search the remaining = 42 bits in time 2 42 total attack time is with 2 42 random PT-CT pairs a slight amount of linearity in S 5 leads to a 2 42 time attack

45

46