Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

Transcription

1 Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3

2 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack at Dawn!! Encryption key is the same as the decryption key (K E = K D ) 2

3 Block Cipher : Encryption Key Length Plaintext Secret Key Ciphertext Block Cipher (Encryption) Block Length A block cipher encryption algorithm encrypts n bits of plaintext at a time May need to pad the plaintext if necessary y = e k (x) 3

4 Block Cipher : Decryption Key Length Ciphertext Secret Key Plaintext Block Cipher (Decryption) Block Length A block cipher decryption algorithm recovers the plaintext from the ciphertext. x = d k (y) 4

5 PlaintextBlock Inside the Block Cipher (an iterative cipher) Key Whitening Round Round 2 Round 3 key key2 key3 Ciphertext Block Round n keyn Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput Size of the key is huge much larger than the block size. 5

6 PlaintextBlock Inside the Block Cipher (the key schedule) Secret Key Key Whitening Round Round 2 Round 3 Round Key Round Key 2 Round Key 3 Key Expansio on Ciphertext Block Round n Round Key n A single secret key of fixed size used to generate round keys for each round 6

7 Inside the Round Function Add Round key : Round Input Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion layer : Makes the relationship between round input and output complex. An attacker cannot determine the round key even after knowing large number of input-output pairs. Diffusion layer : dissipate the round input. Avalanche effect : A single bit change in the round input should cause huge changes in the output. Makes it difficult for the attacker to pick out some bits over the others (think Hill cipher) Confusion Layer Diffusion Layer Round Output 7

8 Achieving Confusion and Diffusion (Substitution-Permutation Networks) Confusion achieved by small substitution functions Diffusion achieved by diffusion functions Permutations Linear Transformations 8

9 Diffusion with Permutations Spreads the output of one s-box to other s-boxes Thus causing a diffusion. A single bit change in one input (before S for instance) affects four inputs of the next round Bit wise permutations efficient in hardware but not in software implementations 9

10 Permutation Layer Types straight (24x24) 0 th bit of input goes to st bit of output st bit of input goes to 5 th bit of output expansion (2x24) compression (24x2)

11 Permutation Layer (more variants) Common permutation operations which are used in block ciphers circular shift swap Circular shift input N bits to right (or left) Special case of circular shift with shift = N/2

12 Diffusion with Linear Transformation Linear combination of the inputs (can be done byte wise; more software friendly, as no bit manipulations needed) x y x 2 * x = 3 y 2 y 3 x 4 y 4 Example. The AES mix column operation How to choose the linear transformation in the Permutation layer? Need to have good diffusion properties Should have Maximum Branch Number BranchNumber = MIN( a 0) ( W( a) + W( F( a)) 2

13 Branch Number BranchNumber = MIN( a 0) ( W( a) + W( F( a)) Byte Vector : Number of non-zero input bytes W(a) : Byte vector of input (i.e. non-zero bytes in a) W(F(a)) : Byte vector of output (i.e. non-zero bytes in the output) x x 2 * x = 3 x 4 y y 2 y 3 y 4 Example. The AES mix column operation example: AES mix column matrix has a branch number of 5 non-zero byte in input causes all 4 bytes of output to change 2 non-zero byte in input causes at-least 3 bytes of output to change (and so on ) 3

14 Substitution Layer (Sbox) A lot of the block cipher s security rests with this. Replaces its input with another As with the permutation layer, can be straight sbox(mxm) expansion sbox(mxn, m<n) compression sbox(mxn, m>n) 4

15 Sboxes In an s-box each output bit can be represented as a function of its input bits x x x x x ),,,, ( 3 2 m x x x x f y L = 5 sbox x x 2 x 3 x 4 y y 2 y 3 y 4 x m y n The functions have to be non-linear. Linear functions are easily reversed. ),,,, ( ),,,, ( ),,,, ( m n n m m x x x x f y x x x x f y x x x x f y L M M M M M L L = = =

16 S-boxes are Non-linear transformations x x 2 x 3 x 4 x m sbox y y 2 y 3 y 4 y n 6

17 example : Simplified DES SBox a b c d S0 q r q r y = S0( x) = S0[ a d][ b c] Non-linear equations for S0 7

18 Why Non-linearity? We want to make it difficult for reversing an s-box: i.e. determine x from y x x 2 x 3 x 4 sbox x m Solving linear equations can be done in polynomial time Solving non-linear equation is NP hard y y 2 y 3 y 4 y n Note the difference with the permutation layer, which is a linear layer. The main purpose of the permutation layer is to provide diffusion and not to confuse! 8

19 ex-or (An Important Operation) Used considerably for key addition 9

20 Block Cipher Design Techniques Substitution-Permutation Networks (SPN) AES, PRESENT, SHARK Feistel Ciphers DES, CLEFIA, SERPENT, RC5, and many more 20

21 A Four Round SPN Block Cipher An SPN block cipher contains repeating rounds of Key addition Add randomization Substitution A non-linear layer Diffusion A linear layer for spreading The repeating randomization, nonlinear and linear layers makes it difficult to cryptanalyse Used in ciphers such as AES (Advanced Encryption Standard) PRESENT (The Light weight block cipher standard) SPN: Substitution Permutation Network 2

22 Diffusionin the SPN A single bit of plaintext gets diffused to all bits of the ciphertext. If a single bit in the plaintext is flipped Each bit of the ciphertextwill flip with probability /2 In other words, half the bits of the ciphertext will flip. If, even a single bit of the key is wrong, half the bits of the ciphertext is flipped 22

23 Decryption Is the reverse process Start with the ciphertextand do all operations in the reverse order The round keys are applied in the reverse order Permutation layer should be inverse Substitution (S-boxes) should be inverse This also means that the inverse of the s-box should exist 23

24 FeistelCiphers A popular technique for designing block ciphers Examples: DES, RC5, CLEFIA, Does not require invertible substitution and permutation layers round input split into two parts L i- and R i- round output L i- R i- L i F R i K i- Encryption L = Ri = L Decryption R L i i i = = R i i L R F( Ri, Ki ) i i F( Li, Ki ) 24

25 What does F contain? contains : key mixing, substitution, permutation A single round of DES 32 bit 32 bit L i- R i- F K i- L i R i the sboxes(s to S8) are 6x4 they are not invertible 25

26 plaintext 3 round Fiestel cipher Iterative L R F L 2 R 2 F L 3 R 3 F 26 L 4 ciphertext R 4

27 Linear Cryptanalysis 27

28 Non-linearity in S-boxes In the 970s, cryptographers took a lot of care in designing s-boxes each output bit of the s-box was the output of a complex non-linear function of the input bits. Like this also, the value of each output bit was un-biased i.e. Pr[ y i = 0] = Pr[ yi = ] = for i n 2 x x 2 x 3 x 4 sbox y y 2 y 3 y 4 This meant that it was difficult to infer anything about x from an output bit x m y n However. 28

29 Linear Approximations they overlooked about linear combinations of the s-box output which turned out to be biased...such as Pr[ y Pr[ y x x x x 5 5 x x 7 7 = 0] << 2 = ] >> 2 or low probability of occurrence high probability of occurrence This bias was exploited by Mitsuru Matsui in 993 to attack DES. The attack was known as linear cryptanalysis it is a known plaintext attack required 2 43 known plaintext-ciphertext pairs to break DES background needed for the understanding the attack 29

30 Bias (A measure of deviation from uniform randomness) Consider discrete independent random variables over {0,} Let thus for i=,2,3,. Due to independence, the joint probability is obtained by simply multiplying. Thus for i j, Consider discrete random variables where i j 30

31 Bias Define biasof X i as Some properties of the bias Pr[ X i X j = 0] = Pr[ X = 2 i = 0]Pr[ X j = 0] + Pr[ X = ]Pr[ X + εi + ε j + εi ε j = + 2εiε j If the bias is 0 then X i can take values of 0 or with equal probability The further the bias is from 0 (ie. close to ±/2) then X i takes 0 with higher (or lower) probability The bias is therefore a measure of the randomness i j = ] 3

32 Linear Approximations of an s-box How to construct? X X 2 X 3 X 4 sbox Y Y 2 Y 3 Y 4 Represent the s-box in binary as in the following table 32

33 Linear Approximations of an s-box Consider a linear combination of inputs and ouputs For example X X and fill in the truth table 4 Y #s = 8 #0s = 8 p= Pr[ X X4 Y2 = 0] = / 2 ε = p = 0 2 unbiased 33

34 Linear Approximations of an s-box Consider a linear combination of inputs and ouputs for example X X X and fill in the truth table 2 3 Y #s = 0 #0s = 6 p= Pr[ X X2 X3 Y2 ε = p = = biased = 0] = 3/8 34

35 Linear Approximations of an s-box Consider another example X X Y and fill in the truth table 3 4 Y4 0 0 #s = 4 #0s = 2 p= Pr[ X3 X4 Y Y4 = 0] = /8 3 ε = p = = Highly biased 35

36 Linear Approximation Tables Y Y X X 6 8 ), ( ), ( = b a NL b a ε 36 Linear Approximation Table 2 4 Y X X Y X X X (captures number of 0s in the truth table)

37 What does the linear approximations mean X 3 X4 Y Y4 If we do the following x 3 x 4 y y 4 while(large number of times){ generate a random plaintext z = ex-or(x 3,x 4,y,y 4 ) } The probability that z takes the value 0 is /8 How do we use this fact to attack the block cipher? 37

38 Piling-up Lemma Consider two linear combinations of random variables X X A B = = X X Whatisthebiasof X The resulta ntbiasε 4 A AB X X 2 5 X X B X? 3 6 having biasε having biasε can be computed by the Pilingup Lemma A B Proof by Mathematical Induction 38

39 The General Attack Scheme. Use piling up lemma to identify linear trails in the cipher, which have high bias. Compute the bias till the pen-ultimate round 2. To determine k = (K 5,5 ---K 5,8 )do the following a. Guess the value of k (6 possibilities) b. Compute S - (k^ c i ) for each ciphertext (we get a distribution) c. Determine if the bias matches the theoretical estimates. 39

40 Applying Piling-up Lemma for the cipher a= 0, b= 000, N L = 2, ε = / 4 Find paths which are highly biased a= 000, b= 00, N L = 4, ε = / 4 a= 000, b= 00, N L = 4, ε = / 4 4

41 4

42 From the cipher Thus, Now,, the key part is a constant (either 0 or ) Thus, bias of is either +/32 or -/32 depending on the key bits 42

43 The Linear Cryptanalysis Attack The attacker needs A large number of plaintext-ciphertextpairs We denote each pair by (x,y) x: plaintext, y: ciphertext For the Toy cipher above (approx 8000) For a cipher like DES 2 48 all plaintexts are encrypted with the same key The attack 5. Guess and (256 possibilities) k <2> 5 k <4> 4 4 y< v< 2> v < 4> 4 4 v <2> v <4> For each y and y compute and v 3. Then compute inv-sbox( ) and inv-sbox( ) 4 4 to obtain and 4. Now compute y<2> 4> u <2> u <4> 4 v <2> 4 v <4> 5 k 5 <2> k <4> If the key guess is correct, the bias of z must be ±/32 (i.e. z must be 0 (or ) with probability /2 ±/32) If the key guess is wrong, the bias of z must be 0 (i.e. z must be 0 (or ) with probability /2) 5 y 5 <2> y <4> 43

44 The Linear Cryptanalysis Attack The plaintext-ciphertext pair array Number of the ptext-ctext pairs Inverse s-box This is the guessed key which varies from 0 to 255. For a key guess, Count counts how often z=0. For the correct key guess, count should be highest For each plaintext-ciphertext pair 4 Compute u <2> and 4 u <4> Increment count if z=0 Determine most probable key byte of the256 possible keys The correct key should have max count value Wrong keys should have count value approximately T/2 44

45 Differential Cryptanalysis 45

46 Differential Cryptanalysis Attributed to Eli Bihamand AdiShamir in YPTO 90 Althought, the idea was known in the 970s by IBM (and the NSA) In IBM, this used to be known as T-attack or Tickle attack Differential cryptanalysis is a chosen plaintext attack It requires 2 47 chosen plaintexts to break DES 46

47 Differentials If we have two Boolean linear equations such as Then, the differential is their ex-or 2 2 k k d c B k k b a A = = d c b a B A = Note that the common terms are cancelled out 47

48 Differentials of an s-box Let x and x* be the inputs to an s-box Let y and y* be the corresponding outputs Differential Input : x' = x x * x x 2 x 3 x 4 sbox Differential Output: y' = y y * y y 2 y 3 y 4 If x is (0) 2 : 48

49 Differentials of an s-box If x is (0) 2 : Note the non-uniformity.. This non-uniformity Is used in differential cryptanalysis 49

50 Differential Distribution Table S-box output difference of the s-box S-box inpu ut difference Probability that output difference Is b given that input difference is a This is known as the Propagation Ratio Counts the number of times input difference is x and output difference of the s-box is y 50

51 Differential trails in a cipher First note that the differential output y does not depend on the secret key Choose a set of consecutive s-boxes so that differences propagate with high propagation ratio. This is the differential trail. Assuming independence between the s-boxes in the trail, propagation ratio for the trail is the product of individual propagation ratios. This means that, if the input difference is ( ) then the probability that the output difference is ( ) is 27/024 5

52 The Differential Cryptanalysis Attack The attacker needs A large number of chosen plaintext-ciphertextpairs encrypted with the same key The attack 5 5. Guess k <2> and k <4> (256 possibilities) 4 v <2> 4 v <4> 4 v <4> 2. Compute and for each plaintext ciphertext using the guessed key 4 v <2> 3. Compute the difference between the inv-sbox( ) 4 and inv-sbox( ) v <4> 4. Test if the required differential is obtained. 4 v <2> 4 v <4> 5 k 5 <2> k <4> 5 y 5 <2> y <4> If the key guess is correct, the correct differential will be obtained with a probability of 27/024 If the key guess is wrong, the differential will be obtained with a probability which is much lower (/256) 52

53 The Differential Cryptanalysis Algorithm Co Function inputs are the plaintext-ciphertext Differentials, T is the number of them, and the Inverse of the targeted s-box The guessed key (L, L2) : is of 256 values For each differential, do an initial filtering, and then compute u 4 <2>and u 4 <4>. If these result in the targeted differential 00, 00, then increment The count for the corresponding key guess The values of (L, L 2 ) which has the maximum count Implies, that it is the case where the targeted Differential appears most often. This (L, L 2 ) is the likely key. 53

54 DES (Data Encryption Standard) 54

55 History of DES Standardized in 977 by FIPS, as the standard for data encryption Based on a Feistelcipher called Lucifer (Lucifer is a Feistelcipher developed by IBM in the early 70s) NSA made some minor (supposedly controversial) modifications to the Lucifer algorithm Reduced the key size from 64 bits to 56 bits Modifications to the s-boxes 55

56 DES Specification Block Size : 64 bits Key size : 56 bits (+8 parity bits) Structure : Fiestel Rounds : 6 Algorithm specifies : encryption / decryption algorithm key expansion algorithm 56

57 DES Initial and Final Permutation Plaintext subjected to an Initial permutation (IP) initially After 6 rounds, there is a final permutation (FP) before the ciphertext is generated neither operation has any cryptographic significance. Used to facilitate loading of blocks in and out of 970s eight bit computer

58 Initial Permutation (IP) IP and FP Final Permutation (FP = IP - ) The first bit of the o/p is taken from the 58 th input bit This is the inverse of IP 58

59 DES F Function (E and Key mixing) Eis the expansion block. The 32 bit input is expanded to 48 bits by duplicating some of the bits key mixing with subkey, Expansion Function 59

60 DES F Function (S-boxes) S to S8 are compression s-boxes. Each s-box takes 6 input bits and outputs 4 bits. S

61 DES F Function (Permutation) Permutation Layer 6

62 DES Key Expansion 64 bits input Of which 8 are discarded (or used for parity) No non-linear components Rotate left PC PC2 Select 48 out of the 56 bits 62

63 DES Decryption Same as encryption algorithm, with subkeysapplied in reverse order 63

64 DES Weak Keys In a DES weak key, all the subkeysare the same Thus DES WK (DES WK (x)) = x (WK is a weak key) DES weak keys are as follows 56 bit DES weak keys FFFFFFF FFFFFFF FFFFFFF FFFFFFF

65 DES Semi weak keys Semi-weak keys have the following properties They appear in pairs: (SK and SK ) DES SK (DES SK (x)) = x Each semi-weak key has only two sub keys. SK SK 65

66 DES Semi weak key pairs 66

67 Objections to DES Key size matters Brute Force Attacks due to the small key size S-box secrecy During the initial years, the rationale for the DES s- box was kept secret ( to increase security). Mathematical attacks : Differential Cryptanalysis Linear Cryptanalysis 67

68 DES Cracker Specialized ASICs for DES bruteforce Could determine the secret key in less than a day. Need to increase key length!! 68

69 DES Composition Key size can be increased by composition C = DES K (DES K2 (P)) P K DES K 2 2 DES keysize = 2*56=2 bits DES does not form a group under composition. i.e. It is not possible to obtain DES K (DES K2 (P)) = DES K3 (P) for some key K3 DES C 69

70 Meet in the Middle Attack against 2-DES K K 2 P DES Q DES C Attacker collects a pair of (P,C). For P, compute Q K* = DES K* (P) for every possible value of K*. Record the corresponding Q K* 2. For C, compute Q K2* = DES - K2*(C) for every possible value of K2*. Record the corresponding Q K2* 3. Find all K* and K2* such that Q K* = Q K2* 4. If Multiple such K* and K2* are found, then repeat with another pair of (P,C) Complexity of this attack is =

71 3-DES K K 2 K P DES Q DES - DES C encrypt decrypt encrypt 2 bit security as in 2-DES Encrypt Decrypt Encrypt K K2 K (two 56 bit keys) Why EDE and not EEE? Compatibility with the classical DES if K = K 2 Used extensively as a stopgap arrangement until a new cipher standard (AES) was established Drawbacks of 3-DES: Sluggish in software Could only encrypt 64 bit blocks at a time 7

72 How to choose a good s-box? 72

73 Criteria for a good s-box Completeness Balance Non-linearity Propagation criteria Good XOR profile High Algebraic Degree 73

74 Sboxes In an s-box each output bit can be represented as a Boolean functionof its input bits x x x x x ),,,, ( 3 2 m x x x x f y L = 74 sbox x x 2 x 3 x 4 y y 2 y 3 y 4 x m y n The functions have to be non-linear. Linear functions are easily reversed. ),,,, ( ),,,, ( ),,,, ( m n n m m x x x x f y x x x x f y x x x x f y L M M M M M L L = = =

75 Boolean Functions A Boolean function is a mapping from {0,} m {0,} Algebraic Normal Form representation of a Boolean function A Boolean function on m-inputs can be represented with sum (XOR +) of products (AND.) form: y = a where a i is either 0 or. 0 ax a2x2 a3xx2 Affine Form: if all the AND terms have coefficients 0 Linear form : Affine form and a 0 = 0 75

76 Consider a Boolean function Truth Tables The following Binary sequence is the truth table of f ( ) f α ), f( α ), f( α ),, f( α ) ( 0 2 L 2 m where arembit numbers andα α unless i= The truth table is therefore (0,,,) f :{0,} m j : y= x x x x X X2 Y i i 0 f {0,}

77 Balanced Boolean Functions A Boolean function is said to be balanced its truth table has equal number of 0s and s. S-box equations should be balanced (i.e. 0 and have an equal probability of occurrence) f : y= x x x x 2 2 g : y= x x 2 Unbalanced function X X2 Y Balanced Function X X2 Y

78 Distance Between functions Let f and g be two Boolean functions Letη be the truth table for f and ε the truth table for g HDη (, ε)isthe X X2 Y Y Hamming distance between the two sequences f : y = x x x x 2 2 g: y = x x HDη (, ε) =

79 Nonlinearity of a Boolean Function The non-linearity of a Boolean function is the minimum distance between the function and the set of all affine functions. Strengthens against linear cryptanalysis y = y y y y x x = 0 = = = Nonlinearity x x x 2 2 x x 2 x 2 X X2 Y Y2 Y3 Y4 Y ( HD( f, )) : N = MIN g Nonlinearity of f y gεaffine : N y = 3 79

80 On the Non-linearity of Boolean Functions HD of any two linear functions is 2 n- HD between linear functions and a non-linear function is < 2 n- Letξ = #( f = g) #( f g) = 2 n #( f g) #( f g) = 2 n 2#( f g) HD( f, g) = #( f g) = 2 n ξ 2 80

81 Bent Functions Bent functions are non-linear Boolean functions which have maximum non-linearity The non-linearity of a Bent function is 2 n 2 n 2 They satisfy SAC but are not balanced Example : f(x) = x x 2 + x 3 x 4 8

82 Walsh HadamandMatrix A compact combinatorial representation of all affine functions Each row of the WH matrix forms the truth table of all affine functions with N variables can be represented by the matrix H 0 H(2 ) = = 0 H(2 ) 0 0 H(2 H(2 N N N ( 2 ) = N N ) ) x 0 0 x 2 x 0 x 2^ x H(2 complement( H(2 82 ) ))

83 Affine Transformations and Non-linearity If a Boolean function is balanced, then an affine transformation does not affect its non-linearity f( x) is a balanced Boolean function, then f( xb A)isalsobalanced x= ( x, x2, x3,..., xn) Bisan n binary invertible matrix Aisannbitvector The nonlinearity of f( x) = nonlinearity of f( xb A) 83

84 Strict Avalanche Criteria (SAC) For a function (f) to satisfy SAC, f( x) f( x α) mustbe balanced,for anyα with HW( α) = Also called propagation criteria of order Higher order SAC, Propagation criteria of order > When input changes in more than bit Show that y= xx z = x x 2 2 x x 3 3 x 4 does not satisfy satisfiessac SAC Note that z is a Bent function 84

85 How to make a Boolean function satisfy SAC Let f(x) be a Boolean function of order n Let A be an nxnnon-singular Boolean matrix If r is a row in the matrix A and is balanced then g ( x) = f( xa) satisfies SAC f( x) f( x r) Example : f = x x 2 0 A= 0 then g( x) x = f( xa) satisfies SAC verify this? 85

86 Completeness More a criteria for the complete cipher (SP) Given s-boxes with a fixed mapping, P-layer needs to be fixed and rounds need to be fixed such that ciphertextis a complex function of every plaintext input 86

87 XOR Profile The difference distribution table of the s-box must contain small variations 87

88 Modes of Operation 88

89 What are Modes of Operation? Block cipher algorithms only encrypt a single block of message A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block Modes of Operation Electronic code book mode (ECB Mode) Cipher feedback mode (CFB Mode) Cipher block chaining mode (CBC mode) Output feedback mode (OFB mode) Counter mode 89

90 ECB Mode p0 p p2 p3 p4 e K e K e K e K e K c0 c c2 c3 c4 Every block in the message is encrypted independently with the same key Drawback : If p i = p j (i j) then c i = c j Encryption should protect against known plaintext attacks (since the attacker could guess parts of the message.. Like stereotype beginnings) Drawback 2 : An interceptor may alter the order of the blocks during transmission Not recommended for encryption of more than one block 90

91 CBC Mode p0 p p2 p3 p4 IV e K e K e K e K e K Cipher Block Chaining c0 c c2 c3 c4 Advantage :Encryption dependent on a previous the ciphertextof a previous block, therefore c i c j (i j) even if p i = p j Advantage 2:Intruder cannot alter the order of the blocks during transmission If an error is present in one received block (say c i ) Then c i and c i+ will not be decrypted correctly All remaining blocks will be correctly decrypted 9

92 CBC Mode Decryption p0 p p2 p3 p4 IV e K e K e K e K e K c0 c c2 c3 c4 c0 c c2 c3 c4 d K d K d K d K d K IV p0 p p2 92 p3 p4

93 CFB (Cipher feedback Mode) IV register Can transform a block cipher into a stream cipher. i.e. Each block encrypted with a different key e K Uses a shift register that is initialized with an IV message stream (8 bits at a time) ciphertext stream (8 bits transmitted at a time) Encryption Scheme 93

94 CFB -Error Propagation register Uses a shift register that is initialized with an IV Previous ciphertext block fed into shift register e K Ciphertext stream (8 bits at a time) Plaintext stream (8 bits decrypted at a time) Decryption Scheme 94

95 Output Feedback Mode (OFB) Very similar to CFB but feedback taken from output of e k shift reg An error in one byte of the ciphertextsaffects only one decryption e K message stream (8 bits at a time) ciphertext stream (8 bits transmitted at a time) Encryption Scheme (Decryption scheme is similar) 95

96 Counter Mode counter counter+ counter+2 counter+3 counter+4 e K e K e K e K e K p0 p p2 p3 p4 c0 c c2 c3 c4 A randomly initialized counter is incremented with every encryption Can be parallelized Ie. Multiple encryption engines can simultaneously run As with OFB, an error in a single ciphertextblock affects only one decrypted plaintext 96

97 The Advanced Encryption Standard (AES) 97

98 Advanced Encryption Standard (AES) NIST s standard for block cipher since October Key Length AES-28 6 bytes 0 AES-92 24bytes 2 No. of rounds AES bytes 4 SPN network with each round having Randomness Layer: Round key addition Confusion Layer : Byte Substitution Diffusion Layer : Shift row and Mix column (the last round does not have mix column step) 98

99 Mathematical Background Finite Fields 99

100 The AES State Representation m i e a n j f b o k g c p o m n l k j i h g f e d c b a 6 byte plaintext M I E A N J F B O K G C AES 6 bytes arranged in a 4x4 matrix of bytes o k g c p l h d O K G C P L H D 6 byte ciphertext 00

101 AES-28 Encryption Plaintext Block Secret Key XOR key 4 Operations Byte Substitution Shift Rows Mix Columns Add Round Key Ciphertext Block Loop 0 times Byte Substitution Shift Rows Mix Columns (except for the last round) Add Round Key RK RK2 RK3 RK0 Key Expansion 0

102 AES-28 Encryption Plaintext Block Secret Key XOR key confusion Byte Substitution Ciphertext Block diffusion Loop 0 times Shift Rows Mix Columns (except for the last round) Add Round Key RK RK2 RK3 RK0 Key Expansion 02

103 AES Operations All AES operations are performed in the field GF(2 8 ). The field s irreducible polynomial is x 8 + x 4 + x 3 + x + in binary notation ( 000 0) 2 in hex notation (B) 6 03

104 Byte Substitution Makes a non-linear substitution for every byte in the 4x4 matrix Sbox Sbox( A) = a b c d e fff g h Affine( A Affine(0) i m j n k o l p ) if if A( θ) 0 A( θ) = 0 A E I M B F J N C G K O D H L P Affine Transformation b a7 0 b a 6 b a 5 b a4 0 = b a 3 0 b a2 0 b a b a0 04

105 AES S-box Design Rationale Sbox( A) = Affine( A Affine(0) ) if if A( θ) 0 A( θ) = 0 This s-box construction was proposed by Kaiser Nyberg in 993 Steps:. Inverse in GF(2 8 ) Provides high degrees of non-linearity Known to have good resistance against differential and linear cryptanalysis 2. Affine transformation ensures no fixed points : i.e. Fixed points : S(x) = x Complicates Algebraic attacks 05

106 S-box Encryption Table Use a table to do the byte substitution eg. Sbox[42] = 2c 06

107 Shift Rows a e i m b f j n c g k o d h l p a e i m f j n b k o c g p d h l ShiftRows Leave the First row untouched Left Rotate (2 nd Row by 8 bits) Left Rotate (3 rd Row by 6 bits) Left Rotate (4 th Row by 24 bits) Along with MixColumnsprovides high diffusion Bits flip in at-least 25 s-boxes after 4 rounds a b c d e f g h i j k l m n o p a f k p e j o d i n c h m b g l 07

108 Mix Columns The 4x4 matrix is multiplied with the matrix o k g c n j f b m i e a Note that multiplications are in GF(2 8 ) field a i m b j n c k o d l p A E I M B F J N C G K O D H L P e f g h E F G H h g f e H h g f e G h g f e F h g f e E = = = = p l h d

109 Mix Columns Rationale Why use this matrix? It is an MDS matrix (Maximum Distance Separable codes) If the input of a column changes then all outputs change This maximizes the branch number For AES, the branch number is 5 Values [2,3,,], are the smallest which result in MDS matrix that is also circulant Has an inverse in the AES field

110 AES Operations (Add Round Key) a e i m b f j n c g k o k 0 k 4 k 8 k 2 k k 5 k 9 k 3 k 2 k 6 k 0 k 4 a +k 0 e+k 4 i+k 8 m+k 2 b+k f+k 5 j+k 9 n+k 3 c+k 2 g+k 6 k+k 0 o+k 4 d h l p k 3 k 7 k k 5 d+k 3 h+k 7 l+k p+k 5 Addition here is addition in GF(2 8 ), which is the ex-or operation 0

111 AES-28 Decryption Ciphertext Block Secret Key XOR RK0 Inverse Byte Substitution Plaintext Block Loop 0 times Inverse Shift Rows Add Round Key Inverse Mix Columns (except for the last round) RK9 RK8 RK key Key Expansion

112 Inverse S-box Simply the AESs-box run in reverse As withthe s-box operation, a lookup table can be used 2

113 Inverse Shift Rows a e i m f j n b k o c g p d h l a e i m b f j n c g k o d h l p ShiftRows Leave the First row untouched Right Rotate (2 nd Row by 8 bits) Right Rotate (3 rd Row by 6 bits) Right Rotate (4 th Row by 24 bits) m b g l a f k p e j o d i n c h a b c d e f g h i j k l m n o p 3

114 Inverse Mix Column h g f e H h g f e G h g f e F h g f e E E 9 D B D E 9 D D B E 9 9 D B E = = = = a i m b j n c k o e f A E I M B F J N C G K O E F c k o d l p g h C G K O D H L P G H The 4x4 matrix is multiplied with the matrix The hardware implementation can be done in a similar way as mix columns E 9 D B B E 9 D D B E 9 9 D B E 4

115 AES Key Schedule How to expand the secret key Design Criteria o o o o Efficient Non-symmetric : Ensured by round constants Efficient diffusion properties of secret key into round keys It should exhibit enough non-linearity to prohibit the full determination of differences in the expanded key from cipher key differences only. Secret Key RK RK2 RK3 RK0 Key Expansion 5

116 AES Key Schedule K 0,0 K 0, K 0,2 K 0,3 secret key K 0,4 K 0,8 K 0,5 K 0,9 K 0,6 K 0,0 K 0,7 K 0, rotword K 0,2 K 0,3 K 0,4 K 0,5 round constant xor S-box operation st round key K,0 K,4 K,8 K,2 K, K,5 K,9 K,3 K,2 K,6 K,0 K,4 6 K,3 K,7 K, K,5 2 i

117 Implementation Aspects of AES 7

118 Software Implementations of AES Encryption S-box implemented as a lookup-table (256 bytes) Shift rows combined with Mix columns Multiplication with MDS matrix easily achieved x2, done by left shift. If there is an overflow an ex-or with 0xB is needed x3 = x2 + x 8

119 a a a a 0,0,0 2,0 3,0 AES state a a a a 0,, 2, 3, a a a AES on 32 bit Systems a 0,2,2 2,2 3,2 a a a a 0,3,3 2,3 3,3 c c c Combining Operations 0, j, j b b, = b2, b3, 0, j C j 2, j C2 j c3, j C3 j Byte Substitution Shift Rows (c = c2 = c3 = are cyclic shifts) bi, j = S( ai, j) for i, j {0,,2,3} Mix Columns Add Round Key ei, j = di, j ki, j for i, j {0,,2,3} 9

120 T Tables Combining Operations Define 4 T-Tables One Round of AES using T-Tables 20

121 OpenSSLImplementation of AES (with T-tables) 2

122 Last Round of AES Uses a different table (Te4) 22

123 AES NI Accelerating AES on modern Intel and AMD processors with dedicated instructions 23

124 Compact Implementations of AES How should the S-box be implemented? Look up table (256 bytes) This may be too large for some devices Finding the inverse (using Itoh-Tsujiior the extended Euclidean algorithm) and then affine transformation Again expensive (too big!!!) Third alternative Use composite fields 24

125 Composite Fields (refer Math. Background) 25

126 Composite Fields for AES The AES Field is GF(2 8 )/x 8 +x 4 +x 3 +x+ Has order 256 Many composite fields for AES exists GF(2 4 ) 2 Requires two irreducible polynomials One has the form x , where coefficients are in GF(2) The second has the form x 2 + ax + b, where a, b are in GF(2 4 ) GF((2 2 ) 2 ) 2 Requires three irreducible polynomials First of the form x 2 + a x + b, where a, b in GF(2) Second has the form x 2 + a 2 x + b 2, where a 2, b 2 in GF(2 2 ) Third has the form x 2 + a 3 x + b 3, where a 3, b 3 in GF(2 2 ) 2 26

127 Mapping between GF(2 8 ) and Composite Fields FindMap(){ InitilizeMAP[0] = 0andREVMAP[0] = 0 return } Findα a primitiveroot offieldgf(2 Findβ a primitiveroot offieldgf(2 α ' = ; β ' = Fori= to 255 α' = α α' β' = β β' MAP[ α'] = β' REVMAP[ β'] = α' MAPandREVMAP 8 4 ) ) (Multiplication in the field GF(2 2 (Multiplication in the field GF(2 4 8 ) ))

128 Implementing the AES S-box in Composite Fields x Map Inverse in Composite Field eg. In GF((2 4 ) 2 ) Reverse Map Affine Transform Sbox(x) 28

129 S-box Based on Composite Fields -box Approach Gate Count for composite Sbox # XOR NAND NOR Total Gates in terms of NAND (using std cell lib) # D. Canright, A Very Compact S-box for AES, CHES-2005 * Simulation Results using Xilinx ISE Performance of S-boxes on FPGA* S-box Approach Lookup table based Composite Field based No. of Slices Critical Path Gate Count 64.9ns ns 32

130 Overhead of Composite Field s-boxes Composite field s-boxes require mapping and reverse mapping to and from the composite fields in each round An alternate approach is to convert all other round operations into composite field operations. This would require just one mapping and one reverse mapping for the entire encryption Operations Add Round Key and Shift Rows are not altered. Mix Columns will need to be re-implemented

131 Attackson AES 3

132 Differential and Linear Properties of Differential Cryptanalysis AES No 4 round differential trail > /2 50 and no 8 round differential trail > /2 300 exists. Linear Cryptanalysis No 4 round bias > /2 75 and no 8 round bias > /2 50 exists AES can easily resist differential and linear cryptanalysis 32

133 Attack on 4 Rounds of AES Plaintext Block Secret Key XOR key 4 Operations Byte Substitution Shift Rows Mix Columns Add Round Key Ciphertext Block Loop 4 times Byte Substitution Shift Rows Mix Columns (except for the last round) Add Round Key RK RK2 RK3 RK4 Key Expansion 33

134 Square Attack (known by the AES designers) Works for 4 round of AES Can be extended up to 6 rounds Consider 256 plaintext blocks having the following properties. byte 0 is different for in all cases (i.e. p i,0 p j,0 ), for i, j = 0 to 255 and i j 2. bytes to 5 are the same (i.e. p i,k = p j,k ), for i, j = 0 to 255 and k plaintext blocks Active Byte all different FF values 34

135 Square Attack Consider 256 plaintext blocks having the following properties. byte 0 is different in all cases (i.e. p i,0 p j,0 ), for i, j = 0 to 255 and i j 2. bytes to 5 are the same (i.e. p i,k = p j,k ), for i, j = 0 to 255 and k 5 Active byte Two properties 255 p 0, = i= i k 0 For some k; k 5 The state is balanced FF 255 p 0,0 = i= i 0 35

136 Add Whitening Key Square Attack (Propagation in 3 rounds) Round Subs Bytes Shift Rows Mix Columns Add Round Key Active byte property 255 p 0 0,0 = i= i Round 2 Sub Bytes Shift Rows Mix Columns Add Round Key Round 3 Sub Bytes Shift Rows Mix Columns = 255 i= 0 = 2 (2a+ 3b+ c+ d) 255 i= 0 a i= 0 b+ = = i= 0 c+ 255 i= 0 d Balanced retained 36

137 Add Whitening Key Square Attack (Propagation in 3 rounds) Round Subs Bytes Shift Rows Mix Columns Add Round Key Active byte property 255 p 0 0,0 = i= i Round 2 Sub Bytes Shift Rows Mix Columns Add Round Key Round 3 Sub Bytes Shift Rows Mix Columns Add Round Key s i 3, (0 i 5) This property does not hold after Sub Bytes in the 4 th Round 37

138 A 4 round square attack Round 3 Sub Bytes Shift Rows Mix Columns Add Round Key Round 4 Sub Bytes Shift Rows Mix Columns Add Round Key ciphertext S ( E( c0 k0) B( c k) D( c2 k2) 9( c3 k3)) ( c k ) for 0 i 3 i i 38

139 4 round square attack (A chosen plaintext attack) Choose 256 plaintexts with one active byte Perform 4 round encryption for each plaintext For each potential key ( k0 k k2 k3) do the following, a. Compute s correspondingtoeach c (thereare256such c call them b. compute If 3, 0 s 255 (0) 3,0 i= 0, s s (i) 3,0 () 3,0, s (2), Ls thisis0, then guessed( k (255) If not, guessed key is incorrect 3,0 3,0 0 k k 2 i k 3 ) may be correct i ) 39

140 Why square attack may lead to an incorrect key If the key guess is wrong, (i) s 3,0 may still be 0. This is because 255 i= 0 (i) s 3,0 evaluated to one of {0,, 2, 3,., i= 0 255} with equal probability Thus with probability 2-8 (i), we may get s = 0 3,0 for the i= 0 wrong key

141 Extending beyond 4 rounds Read how the square attack can be extended to 5 rounds and 6 rounds. math.boisestate.edu/~liljanab/math509spring0/aes-security.pdf 4

142 Related Key Attacks on AES (theoretical attacks on full AES) By Alex Biryukov and Dmitry Khovratovich(2009) Strong assumption : the attacker forces the victim to choose keys of particular form. Determine how key differences affect the cipher text difference 42

143 Tracing key differences 43