Cryptography: Key Issues in Security

Transcription

1 L. Babinkostova J. Keller B. Schreiner J. Schreiner-McGraw K. Stubbs August 1, 2014

2 Introduction Motivation Group Generated Questions and Notation Translation Based Ciphers Previous Results Definitions Advanced Encryption Standard (AES) Definition of AES AES as a tb cipher Results Proper Mixing Layer Non-Surjective Key Schedule Conclusions

3 Motivation

4 Motivation

5 Group Generated General Cryptosystems Definition A cryptosystem is an ordered 4-tuple (M, C, K, T ) where M, C, and K are called the message space, the ciphertext space, and the key space respectively, and where T : M K C is a transformation such that for each k K, the mapping T [k] : M C, called an encryption transformation, is invertible.

6 Group Generated General Cryptosystems Definition A cryptosystem is an ordered 4-tuple (M, C, K, T ) where M, C, and K are called the message space, the ciphertext space, and the key space respectively, and where T : M K C is a transformation such that for each k K, the mapping T [k] : M C, called an encryption transformation, is invertible. For any cryptosystem Π = (M, C, K, T ), let T Π = {T [k] : k K} be the set of all encryption transformations.

7 Group Generated General Cryptosystems Definition A cryptosystem is an ordered 4-tuple (M, C, K, T ) where M, C, and K are called the message space, the ciphertext space, and the key space respectively, and where T : M K C is a transformation such that for each k K, the mapping T [k] : M C, called an encryption transformation, is invertible. For any cryptosystem Π = (M, C, K, T ), let T Π = {T [k] : k K} be the set of all encryption transformations. Definition The symbol G = T Π denotes group that is generated by the set T Π.

8 Group Generated Group Generated by One Round Function Definition Let T [k] denote the round function of the cipher under the key k K, where K denotes the set of all round keys.

9 Group Generated Group Generated by One Round Function Definition Let T [k] denote the round function of the cipher under the key k K, where K denotes the set of all round keys. Definition Let L = {T [k] k K} be the set of all round functions.

10 Group Generated Group Generated by One Round Function Definition Let T [k] denote the round function of the cipher under the key k K, where K denotes the set of all round keys. Definition Let L = {T [k] k K} be the set of all round functions. Definition We denote G T = {T [k] k K} generated by these permutations.

11 Group Generated Key Schedule Definition An s-round cipher has key schedule KS : K K s so that any key k K produces a set of subkeys k i K, 1 i s.

12 Group Generated Key Schedule Definition An s-round cipher has key schedule KS : K K s so that any key k K produces a set of subkeys k i K, 1 i s. Definition The group G s T = T [k s]t [k s 1 ] T [k 1 ] k i K is the group generated by s round functions (independently chosen).

13 Group Generated Relation between these groups G T = T [k] k K G s T = T [k s ]T [k s 1 ] T [k 1 ] k i K G = T [k s ]T [k s 1 ] T [k 1 ] KS(k) = (k 1, k 2,, k s )

14 Group Generated Relation between these groups G T = T [k] k K G s T = T [k s ]T [k s 1 ] T [k 1 ] k i K G = T [k s ]T [k s 1 ] T [k 1 ] KS(k) = (k 1, k 2,, k s ) G = T Π

15 Group Generated Relation between these groups G T = T [k] k K G s T = T [k s ]T [k s 1 ] T [k 1 ] k i K G = T [k s ]T [k s 1 ] T [k 1 ] KS(k) = (k 1, k 2,, k s ) G = T Π G G s T G T

16 Group Generated Primitivity Definition Recall that a group action on a set V is transitive if x, y V, g G s.t. xg = y.

17 Group Generated Primitivity Definition Recall that a group action on a set V is transitive if x, y V, g G s.t. xg = y. Definition A transitive group G is imprimitive in its action on V if there exists a non-trivial partition B of V (i.e. B {V }, B {{v} v V }) such that Bg B, B B and g G. We call such a B a block system for G. A group action is primitive if it is not imprimitive.

18 Group Generated Examples of Block Systems Example T (Z n ), the group of translations on Z n, where x a + x (mod n) has as many block systems as there are factorizations of n into two integers a and b, both greater than 1.

19 Group Generated Examples of Block Systems Example T (Z n ), the group of translations on Z n, where x a + x (mod n) has as many block systems as there are factorizations of n into two integers a and b, both greater than 1. Example The subgroup of the symmetric group on S = {1, 2, 3, 4}, σ, where σ = (1234), is imprimitive. A block system B is {{1, 3}, {2, 4}}.

20 Questions and Notation Our Questions Is the set of encryption functions a group?

21 Questions and Notation Our Questions Is the set of encryption functions a group? When is the group generated transitive?

22 Questions and Notation Our Questions Is the set of encryption functions a group? When is the group generated transitive? When is the group generated primitive?

23 Questions and Notation Our Questions Is the set of encryption functions a group? When is the group generated transitive? When is the group generated primitive? When is the group generated by the encryption functions the symmetric or alternating group?

24 Questions and Notation Notation Message Space: r, m, n Z +, M = GF(p rmn ) = (GF(p r )) mn

25 Questions and Notation Notation Message Space: r, m, n Z +, M = GF(p rmn ) = (GF(p r )) mn Internal Representation: t : (GF(p r )) mn M m,n (GF(p r )) t : [a 1,..., a mn ] a 1 a 2... a n a n+1 a n+2... a 2n a (m 1)n a (m 1)n+1... a mn

26 Previous Results Theorem Let C be a translation-based cipher over F q, and suppose that the h-th round is proper. If each brick of γ h is 1. weakly p r -uniform, and 2. strongly r-anti-invariant then the group generated by C is primitive.

27 Previous Results Theorem Let C be a translation-based cipher such that 1. C satisfies the hypotheses of the above theorem, and 2. for all 0 a V i, {(x + a)γ i xγ i x V i } is not a coset of a subgroup of V i then the group generated by C is either Alt(V) or Sym(V). R. Aragona, A. Caranti, F. Dalla Volta, and M. Sala, On the group generated by round functions of translation based ciphers over arbitrary finite fields, Elsevier, (2013).

28 Definitions Definition An element γ Sym(V ) is called a bricklayer transformation with respect to V = V 1 V n if γ acts on an element v = v v n with v i V i as vγ = v 1 γ v n γ n for some γ i Sym(V ).

29 Definitions Definition Let ψ GL(V ) be a linear map. Then ψ is called a mixing layer. If ψ leaves no sum V i invariant, then ψ is called a proper mixing layer.

30 Definitions Key Schedule: KS : K K s. Key Mapping: φ(k, h) : K {1,..., s} M.

31 Definitions Key Schedule: KS : K K s. Key Mapping: φ(k, h) : K {1,..., s} M. In both cases the key k is called the master key.

32 Definitions A block cipher C = {τ k : k K} over F q is translation based (tb) if 1. each τ k is the composition of h round functions τ k,h, and h = 1,..., s where in turn each round function can be written as a composition σ φ(k,h) ψ h γ h of three permutations of V, where γ h is a bricklayer transformation not depending on k and with 0γ h = 0, ψ h is a linear transformation not depending on k, φ : K {1,..., s} V is the key schedule 2. for one round h 0 is a proper mixing layer, and ψ h0 the map K V by k φ(k, h 0 ) is surjective on V.

33 AES as a tb cipher AES as a tb cipher For reference a single round of AES is the following composition of functions: σ k ρ π λ Recall, our definition of tb cipher had three components:

34 AES as a tb cipher AES as a tb cipher For reference a single round of AES is the following composition of functions: σ k ρ π λ Recall, our definition of tb cipher had three components: A bricklayer transformation.

35 AES as a tb cipher AES as a tb cipher For reference a single round of AES is the following composition of functions: σ k ρ π λ Recall, our definition of tb cipher had three components: A bricklayer transformation. A mixing layer.

36 AES as a tb cipher AES as a tb cipher For reference a single round of AES is the following composition of functions: σ k ρ π λ Recall, our definition of tb cipher had three components: A bricklayer transformation. A mixing layer. A surjective key schedule.

37 AES as a tb cipher SubBytes, λ a 0 a 1 a 2 a 3 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 a 12 a 13 a 14 a 15 a i Aa 1 i + B

38 AES as a tb cipher ShiftRows, π a 0 a 1 a 2 a 3 shift c 0 a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 shift c 1 a 7 a 4 a 5 a 6 a 8 a 9 a 10 a 11 shift c 2 a 10 a 11 a 8 a 9 a 12 a 13 a 14 a 15 a 13 a 14 a 15 shift c 3 a 12

39 AES as a tb cipher MixColumns, ρ c 0 c 1 c 2 c 3 a 0 a 1 a 2 a 3 a 0 a 1 a 2 a 3 c 1 c 2 c 2 c 3 c 3 c 0 c 0 c 1 a 4 a 5 a 6 a 7 = a 8 a 9 a 10 a 11 a 4 a 8 a 5 a 9 a 6 a 10 a 7 a 11 c 3 c 0 c 1 c 2 a 12 a 13 a 14 a 15 a 12 a 13 a 14 a 15

40 AES as a tb cipher AddRoundKey, σ k a 15 a 11 a 7 a 3 k 0 k 1 k 2 k 3 a 0 a 1 a 2 a 3 a 14 a 13 a 10 a 9 a 6 a 5 a 2 a 1 k 4 k 5 k 6 k 7 = k 8 k 9 k 10 k 11 a 4 a 8 a 5 a 9 a 6 a 10 a 7 a 11 a 12 a 8 a 4 a 0 a 12 a 13 a 14 k 12 k 13 k 14 k 15 a 15

41 Proper Mixing Layer Proper Mixing Layer Definition A linear map ψ is a proper mixing layer if it leaves no nontrivial, nonzero subspace W of V invariant, where W = i I V i, V = M m,n (GF(p r )) = V 1 V mn, and I {1,..., mn}.

42 Proper Mixing Layer ShiftRows Conditions Theorem The composition ρ π is a proper mixing layer if and only if ρ properly mixes columns and for all k (1,..., n 1), there exists some c i such that j a c a + + j b c b n k for j i N.

43 Proper Mixing Layer MixColumns Conditions Theorem Let C M m,m GF (p r ) be a circulant matrix with first row [c 1, c 2,..., c m ] such that the only nonzero terms are indexed c i+1 for i I = {α 1, α 2,..., α k }. Then C is a proper mixing matrix if and only if < I >= Z m.

44 Proper Mixing Layer MixColumns Conditions Theorem Let C M m,m GF (p r ) be a circulant matrix with first row [c 1, c 2,..., c m ] such that the only nonzero terms are indexed c i+1 for i I = {α 1, α 2,..., α k }. Then C is a proper mixing matrix if and only if < I >= Z m. Example Example on Board

45 Non-Surjective Key Schedule Non-Surjective Key Schedules Instead of surjectivity, we actually need T (V ) T s [k] : k K. Theorem If the key mapping function is onto a set of generators and the zero key, then T (V ) T s [k] : k K. Conjecture If T s [k] is a generlized AES cipher with a proper mixing layer than the converse holds.

46 Implications and future work Analyze existing hash functions based on AES.

47 Implications and future work Analyze existing hash functions based on AES. Construct future ciphers over more complicated fields.

48 Implications and future work Analyze existing hash functions based on AES. Construct future ciphers over more complicated fields. Prove the Non-surjectivity conjecture.

49 Implications and future work Analyze existing hash functions based on AES. Construct future ciphers over more complicated fields. Prove the Non-surjectivity conjecture. Analyze the effects of using a Mixing Matrix with zero entries.

50 Implications and future work Analyze existing hash functions based on AES. Construct future ciphers over more complicated fields. Prove the Non-surjectivity conjecture. Analyze the effects of using a Mixing Matrix with zero entries. Analyze the effects of using a key schedule surjective onto generators.

51 Acknowledgements Boise State University and NSF DMS

52 References R. Aragona, A. Caranti, F. Dalla Volta, and M. Sala, On the group generated by the round functions of translation based ciphers over arbitrary finite fields, Finite Fields and Their Applications, Vol , (2014). L. Babinkostova, K. Bombardier, M. Cole, T. Morrell, and C. Scott, Algebraic Structure of generalized Rijndael-like SP networks, Groups Complexity Cryptology, Vol. 6 Issue , (2014) R. Sparr, R. Wernsdorf, Group Theoretic Properties of Rijndael-like Ciphers, Discrete Applied Mathematics, 156(16): (2008)