REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Transcription

1 REU 2015: Complexity Across Disciplines Introduction to Cryptography

2

3 Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block cipher Π for which the encryption functions ɛ k are of the form T [k s ] T [k s 1 ] T [k s 2 ] T [k 1 ] is called an iterated block cipher and T [k i ] is called ith-round function.

4 Hash Functions Definition A hash function is a function H : X Y where X is a set of strings of arbitrary length, Y is a finite set of strings of a fixed length and X > Y. 1 Computationally Infeasible means solving the underlying problem is not possible within polynomial time

5 Hash Functions Definition A hash function is a function H : X Y where X is a set of strings of arbitrary length, Y is a finite set of strings of a fixed length and X > Y. A hash function H is one-way hash function for any x X it is computationally infeasible 1 to find y Y such that H(x) = y. 1 Computationally Infeasible means solving the underlying problem is not possible within polynomial time

6 Hash Functions Definition A hash function is a function H : X Y where X is a set of strings of arbitrary length, Y is a finite set of strings of a fixed length and X > Y. A hash function H is one-way hash function for any x X it is computationally infeasible 1 to find y Y such that H(x) = y. A hash function H is second-preimage resistant or weakly-collision free if for a given x X it is computationally infeasible to find x x such that H(x) = H(x ). 1 Computationally Infeasible means solving the underlying problem is not possible within polynomial time

7 Hash Functions Definition A hash function is a function H : X Y where X is a set of strings of arbitrary length, Y is a finite set of strings of a fixed length and X > Y. A hash function H is one-way hash function for any x X it is computationally infeasible 1 to find y Y such that H(x) = y. A hash function H is second-preimage resistant or weakly-collision free if for a given x X it is computationally infeasible to find x x such that H(x) = H(x ). A hash function H is first-preimage resistant or strongly-collision free if it is computationally infeasible to find x, x X such that x x and H(x) = H(x ). 1 Computationally Infeasible means solving the underlying problem is not possible within polynomial time

8 Why Do We Need Hash Functions? Figure: Hashing passwords 2 2 Steve Friedl s Unixwiz.net

9 Verifying file integrity Figure: Verification of Passwords 3 3 Steve Friedl s Unixwiz.net

10 Example: Merkle-Damgård Hash Function Merkle-Damgåard construction 4 5 is a method of building collision-resistant hash function H from collision-resistant one-way compression function, F, which takes a fixed length input and returns a shorter, fixed-length output. 6 4 I. Damgård, A Design Principle for Hash Functions, Lecture Notes in Computer Science Vol. 435, (1989) 5 R.C. Merkle, A Certified Digital Signature, Lecture Notes in Computer Science Vol. 435, (1989) 6

11 Example: Merkle-Damgård Hash Function Let W (k, m) denote a block cipher that encrypts given plaintext m using a key k.

12 Example: Merkle-Damgård Hash Function Let W (k, m) denote a block cipher that encrypts given plaintext m using a key k. The hash functions based on the Merkle-Damgård scheme use a block cipher as a compression function.

13 Example: Merkle-Damgård Hash Function Let W (k, m) denote a block cipher that encrypts given plaintext m using a key k. The hash functions based on the Merkle-Damgård scheme use a block cipher as a compression function. Given a message m consisting of blocks m 1, m 2, m 3,, m t, the hash function is defined as H i = W (H i 1, m i ) m i H i 1, 0 i t (1) where H 0 is some initial value.

14 Groups Generated by Encryption Functions Let T Π = {ɛ k : k K} be the set of all possible encryption transformations. In a cryptosystem the mapping ɛ is a permutation of M. T Π S M

15 Groups Generated by Encryption Functions Let T Π = {ɛ k : k K} be the set of all possible encryption transformations. In a cryptosystem the mapping ɛ is a permutation of M. T Π S M Definition The group G = T Π is called the group generated by the cipher.

16 Groups Generated by Encryption Functions Let T Π = {ɛ k : k K} be the set of all possible encryption transformations. In a cryptosystem the mapping ɛ is a permutation of M. T Π S M Definition The group G = T Π is called the group generated by the cipher. If T Π = G then the set of permutations T Π forms a group (the cipher is a group).

17 Groups Generated by Encryption Functions Let T Π = {ɛ k : k K} be the set of all possible encryption transformations. In a cryptosystem the mapping ɛ is a permutation of M. T Π S M Definition The group G = T Π is called the group generated by the cipher. If T Π = G then the set of permutations T Π forms a group (the cipher is a group). For such a cipher, multiple encryption doesn t offer better security than single encryption.

18 Groups Generated by Encryption functions Group generated by T [k]: G τ = T [k] k K

19 Groups Generated by Encryption functions Group generated by T [k]: G τ = T [k] k K Group generated by an arbitrary composition of s-round functions with independent keys k 1, k 2,, k s K:

20 Groups Generated by Encryption functions Group generated by T [k]: G τ = T [k] k K Group generated by an arbitrary composition of s-round functions with independent keys k 1, k 2,, k s K: G s τ = T [k s ]T [k s 1 ] T [k 1 ] k i K Group generated by any composition of s-round functions permitted by the key schedule KS : K K s (group generated by the cipher):

21 Groups Generated by Encryption functions Group generated by T [k]: G τ = T [k] k K Group generated by an arbitrary composition of s-round functions with independent keys k 1, k 2,, k s K: G s τ = T [k s ]T [k s 1 ] T [k 1 ] k i K Group generated by any composition of s-round functions permitted by the key schedule KS : K K s (group generated by the cipher): G = T [k s ]T [k s 1 ] T [k 1 ] KS(k) = (k 1, k 2,, k s )

22 Groups Generated by Encryption functions Group generated by T [k]: G τ = T [k] k K Group generated by an arbitrary composition of s-round functions with independent keys k 1, k 2,, k s K: G s τ = T [k s ]T [k s 1 ] T [k 1 ] k i K Group generated by any composition of s-round functions permitted by the key schedule KS : K K s (group generated by the cipher): G = T [k s ]T [k s 1 ] T [k 1 ] KS(k) = (k 1, k 2,, k s ) Lemma For every s N, G s τ is a normal subgroup of G τ.

23 Figure: Advanced Encryption Standard

24 Generalized AES cipher Definition A structure (F, +, ) is a field if and only if both (F, +) and (F, ) are Abelian groups and the law of distributivity applies. If the number of elements in F is finite, F is called a finite field; otherwise it is called an infinite field.

25 Generalized AES cipher Definition A structure (F, +, ) is a field if and only if both (F, +) and (F, ) are Abelian groups and the law of distributivity applies. If the number of elements in F is finite, F is called a finite field; otherwise it is called an infinite field. Classical AES is a set of permutations of the finite field M = GF(2 128 ) = GF(2 8 ) 4 4. Generalized AES is a set of permutations of the finite field M = GF(p r ) mn.

26 Generalized AES cipher Definition For any k K the function T s [k] : GF (p r ) mn GF (p r ) mn defined by T s [k] := σ[k s+1 ] π λ (σ[k i ] ρ π λ) s 1 σ[k 1 ] for 2 i s is called s-round AES encryption function.

27 Groups Generated by the AES Encryption Functions Theorem Let p > 2 and m, n, r > 1 be natural numbers. Then the set of s-round AES encryption functions is not a group if

28 Groups Generated by the AES Encryption Functions Theorem Let p > 2 and m, n, r > 1 be natural numbers. Then the set of s-round AES encryption functions is not a group if s is even, and n and (p rm 1)/ c are odd, where c GF(p r ) is the polynomial used in the ρ function, or

29 Groups Generated by the AES Encryption Functions Theorem Let p > 2 and m, n, r > 1 be natural numbers. Then the set of s-round AES encryption functions is not a group if s is even, and n and (p rm 1)/ c are odd, where c GF(p r ) is the polynomial used in the ρ function, or s, m, and n are odd, and either p 4 3, r is odd, and (p r 1)/ a is odd, or

30 Groups Generated by the AES Encryption Functions Theorem Let p > 2 and m, n, r > 1 be natural numbers. Then the set of s-round AES encryption functions is not a group if s is even, and n and (p rm 1)/ c are odd, where c GF(p r ) is the polynomial used in the ρ function, or s, m, and n are odd, and either p 4 3, r is odd, and (p r 1)/ a is odd, or p 4 1 or r is even, and (p r 1)/ a is even,

31 Groups Generated by the AES Encryption Functions Theorem Let p > 2 and m, n, r > 1 be natural numbers. Then the set of s-round AES encryption functions is not a group if s is even, and n and (p rm 1)/ c are odd, where c GF(p r ) is the polynomial used in the ρ function, or s, m, and n are odd, and either p 4 3, r is odd, and (p r 1)/ a is odd, or p 4 1 or r is even, and (p r 1)/ a is even, where a GF(p r ) is the polynomial used in the λ function.

32 Group generated by the AES round functions 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

33 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

34 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

35 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. Theorem 8 Let T s [k] : GF (p r ) mn GF (p r ) mn be s-round AES function. Then 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

36 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. Theorem 8 Let T s [k] : GF (p r ) mn GF (p r ) mn be s-round AES function. Then 1. If G τ = A p rmn, then G s τ = A p rmn. 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

37 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. Theorem 8 Let T s [k] : GF (p r ) mn GF (p r ) mn be s-round AES function. Then 1. If G τ = A p rmn, then G s τ = A p rmn. 2. If G τ = S p rmn, then 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

38 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. Theorem 8 Let T s [k] : GF (p r ) mn GF (p r ) mn be s-round AES function. Then 1. If G τ = A p rmn, then G s τ = A p rmn. 2. If G τ = S p rmn, then If s is even then G s τ = A p rmn 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp

39 Group generated by the AES round functions Theorem 7 Let T [k] : GF (2 8 ) 4n GF (2 8 ) 4n be a 1-round AES function. Then for every n {4, 5, 6, 7, 8} the group G τ = T [k] k K is equal to the alternating group on GF (2 8 ) 4n. Theorem 8 Let T s [k] : GF (p r ) mn GF (p r ) mn be s-round AES function. Then 1. If G τ = A p rmn, then G s τ = A p rmn. 2. If G τ = S p rmn, then If s is even then G s τ = A p rmn If s is odd then G s τ = S p rmn 7 R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discrete Applied Mathematics 156 (2008) L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, (2014) Groups Complexity Cryptology Volume 6, Issue 1 pp