Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Similar documents
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

The Advanced Encryption Standard

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Table Of Contents. ! 1. Introduction to AES

The Rijndael Block Cipher

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

A block cipher enciphers each block with the same key.

Invariant Subspace Attack Against Full Midori64

A Very Efficient Pseudo-Random Number Generator Based On Chaotic Maps and S-Box Tables M. Hamdi, R. Rhouma, S. Belghith

Secret Key: stream ciphers & block ciphers

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

AURORA: A Cryptographic Hash Algorithm Family

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

A Five-Round Algebraic Property of the Advanced Encryption Standard

Public-key Cryptography: Theory and Practice

Symmetric Crypto Systems

Applications of Finite Sets Jeremy Knight Final Oral Exam Texas A&M University March 29 th 2012

Lecture 12: Block ciphers

Symmetric Crypto Systems

CSc 466/566. Computer Security. 5 : Cryptography Basics

Improved S-Box Construction from Binomial Power Functions

Module 2 Advanced Symmetric Ciphers

Modern Cryptography Lecture 4

MASKED INVERSION IN GF(2 N ) USING MIXED FIELD REPRESENTATIONS AND ITS EFFICIENT IMPLEMENTATION FOR AES

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Lecture Notes. Advanced Discrete Structures COT S

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Block ciphers And modes of operation. Table of contents

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Lecture 4: DES and block ciphers

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Extended Criterion for Absence of Fixed Points

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

Methods and Tools for Analysis of Symmetric Cryptographic Primitives

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Differential Fault Analysis on A.E.S.

STREAM CIPHER. Chapter - 3

Specification on a Block Cipher : Hierocrypt L1

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Impossible Differential Cryptanalysis of Mini-AES

The XL and XSL attacks on Baby Rijndael. Elizabeth Kleiman. A thesis submitted to the graduate faculty

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Block Cipher Cryptanalysis: An Overview

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

AES side channel attacks protection using random isomorphisms

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Cryptography Lecture 4 Block ciphers, DES, breaking DES

New Block Cipher: ARIA

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Lecture 5: Pseudorandom functions from pseudorandom generators

The Hash Function JH 1

A B CDE F B FD D A C AF DC A F

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Thesis Research Notes

A Pseudo-Random Encryption Mode

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

CTR mode of operation

Developing a Distributed Java-based Speech Recognition Engine

Classical Cryptography

4.3 Analog Value Representation

arxiv: v1 [cs.cr] 13 Sep 2016

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Lecture Notes. Advanced Discrete Structures COT S

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Cube Analysis of KATAN Family of Block Ciphers

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Profiling the International New Venture -A literature review of the empirical evidence

Solution of Exercise Sheet 7

Consistency of Academic Performance in Higher Education: A Study of an Irish Business Degree Programme

Architecture and development methodology for Location Based Services

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

CS 6260 Applied Cryptography

Block Ciphers and Feistel cipher

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Differential Attack on Five Rounds of the SC2000 Block Cipher

Nonlinear Invariant Attack

Linear Approximations for 2-round Trivium

How Fast can be Algebraic Attacks on Block Ciphers?

Subspace Trail Cryptanalysis and its Applications to AES

Cryptanalysis of the SIMON Family of Block Ciphers

Structural Cryptanalysis of SASAS

A New Algorithm to Construct. Secure Keys for AES

Processing with Block Ciphers. CSC/ECE 574 Computer and Network Security. Issues (Cont d) Issues for Block Chaining Modes. Electronic Code Book (ECB)

The Vigenère cipher is a stronger version of the Caesar cipher The encryption key is a word/sentence/random text ( and )

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Optimized Interpolation Attacks on LowMC

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Questions of Ethical Responsibility in the Research of Unaccompanied Minors

MATH3302 Cryptography Problem Set 2

Introduction to Symmetric Cryptography

Unit 3. Digital encoding

The Hash Function Fugue

Differential-Linear Cryptanalysis of Serpent

Security of the AES with a Secret S-box

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Transcription:

CS355: Cryptography Lecture 9: Encryption modes. AES

Encryption modes: ECB } Message is broken into independent blocks of block_size bits; } Electronic Code Book (ECB): each block encrypted separately. } Encryption: c i = E k (x i ) } Decryption: x i = D k (c i ) 2

Properties of ECB } Deterministic: the same data block gets encrypted the same way, reveals patterns of data when a data block repeats. } Malleable: reordering ciphertext results in reordered plaintext. } Errors in one ciphertext block do not propagate. } Usage: not recommended to encrypt more than one block of data. 3

Encryption modes: CBC } Cipher Block Chaining (CBC): next input depends upon previous output Encryption: C i = E k (M i C i-1 ), with C 0 =IV Decryption: M i = C i-1 D k (C i ), with C 0 =IV M 1 M 2 M 3 IV E k E k E k C 0 C 1 C 2 C 3 4

Properties of CBC } Randomized encryption: repeated text gets mapped to different encrypted data. } can be proven to be secure assuming that the block cipher has desirable properties and that random IV s are used } A ciphertext block depends on all preceding plaintext blocks; reorder affects decryption } Errors in one block propagate to two blocks } one bit error in C j affects all bits in M j and one bit in M j+1 } Sequential encryption, cannot use parallel hardware } Usage: chooses random IV and protects the integrity of IV } Observation: if C i =C j then E k (M i C i-1 ) = E k (M j C j-1 ); thus M i C i-1 = M j C j-1 ; thus M i M j = C i-1 C j-1 5

Use DES to construct stream ciphers } Cipher Feedback (CFB) } Output Feedback (OFB) } Counter Mode (CTR) } Common properties: } Uses only the encryption function of the cipher both for encryption and for decryption } Malleable: possible to make predictable bit changes 6

Encryption modes: CFB } Cipher Feedback (CFB): the message is XORed with the feedback of encrypting the previous block Encryption r-bit shift I 1 =IV I j Decryption r-bit shift I j k E E k O j O j c j c j x j x j 7

Properties of CFB } Randomized encryption } A ciphertext block depends on all preceding plaintext blocks; reorder affects decryption } Errors propagate for several blocks after the error, but the mode is self-synchronizing (like CBC). } Decreased throughput. } Can vary the number of bits feed back, trading off throughput for ease of use } Sequential encryption 8

Encryption modes: OFB } Output feedback (OFB): } construct a PRNG using DES } y 0 =IV y i = E k [y i-1 ] Encryption Decryption O j-1 O j-1 I 1 =IV I j I j I 1 =IV k E E k O j O j 9 x j c j c j x j

Properties of OFB } Randomized encryption } Sequential encryption, but pre-processing possible } Error propagation limited } Subject to limitation of stream cipher 10

Encryption modes:ctr } Counter Mode (CTR): Another way to construct PRNG using DES } y i = E k [counter+i] } Sender and receiver share: counter (does not need to be secret) and the secret key. 11

Properties of CTR } Software and hardware efficiency: different blocks can be encrypted in parallel. } Preprocessing: the encryption part can be done offline and when the message is known, just do the XOR. } Random access: decryption of a block can be done in random order, very useful for hard-disk encryption. } Messages of arbitrary length: ciphertext is the same length with the plaintext (i.e., no IV). 12

Summary so far } Block ciphers must be used with encryption modes when encrypting larger messages: CBC or CTR modes 13

How to Improve Block Ciphers } Variable key length } Mixed operators: use more than one arithmetic and/ or Boolean; this can provide non-linearity } Data dependent rotation } Key-dependent S-boxes } Lengthy key schedule algorithm } Variable plaintext/ciphertext block length } Variable number of rounds } Operation on both data halves each round } Variable F function (varies from round to round } Key-dependent rotation 14

Rijndael Features } Designed to be efficient in both hardware and software across a variety of platforms. } Uses a variable block size, 128,192, 256-bits, key size of 128-, 192-, or 256-bits. } 128-bit round key used for each round (Can be pre-computed and cached for future encryptions). } Note: AES uses a 128-bit block size. } Variable number of rounds (10, 12, 14): } 10 if B = K = 128 bits } 12 if either B or K is 192 and the other is 192 } 14 if either B or K is 256 bits 15

Rijndael Design } Operations performed on State (4 rows of bytes). } The 128 bit key is expanded as an array of 44 32bits words; 4 distinct words serve as a round key for each round; key schedule relies on the S-box } Algorithms composed of three layers } Linear diffusion } Non-linear diffusion } Key mixing 16

Rijandael: High-Level Description State = X AddRoundKey(State, Key 0 ) for r = 1 to Nr - 1 SubBytes(State, S-box) ShiftRows(State) MixColumns(State) AddRoundKey(State, Key r ) endfor SubBytes(State, S-box) ShiftRows(State) AddRoundKey(State, Key Nr ) Y = State 17

AddRound Key State is represented as follows (16 bytes): S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 AddRoundKey(State, Key): S 3,0 S 3,1 S 3,2 S 3,3 key state state 18

SubBytes } Byte substitution using non-linear S-Box (independently on each byte). } S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal bits } 8 bytes replaced as follows: 8 bytes defines a hexadecimal number rc, then s r,c = binary(s-box(r, c)) } How is AES S-box different from DES S-box? } Only one S-box } S-boxes based on modular arithmetic with polynomials, can be defined algebraically, not random } Easy to analyze, prove attacks fail 19

S-box Table 0 1 2 3 4 5 6 7 8 9 A B C D E F 0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15 3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75 4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84 5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF 6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8 7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2 8 CD 0C 3 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73 9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79 B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08 C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16 Example: hexa 53 is replaced with hexa ED 20

ShiftRows S 0,0 S 0,1 S 0,2 S 0,3 S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 1,1 S 1,2 S 1,3 S 1,0 S 2,0 S 2,1 S 2,2 S 2,3 S 2,2 S 2,3 S 2,0 S 2,1 S 3,0 S 3,1 S 3,2 S 3,3 S 3,3 S 3,0 S 3,1 S 3,2 21

MixColumns } Interpret each column as a vector of length 4. } Each column of State is replaced by another column obtained by multiplying that column with a matrix in a particular field. 22

Decryption } The decryption algorithm is not identical with the encryption algorithm, but uses the same key schedule. } There is also a way of implementing the decryption with an algorithm that is equivalent to the encryption algorithm (each operation replaced with its inverse), however in this case, the key schedule must be changed. 23

Rijandel Cryptanalysis Resistant to linear and differential cryptanalysis l l l Academic break on weaker version of the cipher, 9 rounds Requires 2 224 work and 2 85 chosen related-key plaintexts. Attack not practical. 24

Rijandel Cryptanalysis as of 2012 2009, attack against 11-round AES-256 that requires 2 70 time l Attack can not be extended to AES-128 l It is against 11-round AES-256, AES-256 requires 14 rounds l l l Exploits weaknesses in the key schedule for AES-256-bit Requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way. Attacks are not practical 25

Rijandel Cryptanalysis as of 2012 } New attacks published in 2011 that do not need related keys } The first key recovery attack on the full AES-128 with computational complexity 2 126.1. } The first key recovery attack on the full AES-192 with computational complexity 2 189.7. } The first key recovery attack on the full AES-256 with computational complexity 2 254.4. } Attacks with lower complexity on the reduced-round versions of AES not considered before, including an attack on 8-round AES-128 with complexity 2 124.9. } Attacks are not practical. 26

So were are we? } New attacks show that AES safety margin with respect to attacks is not as large as believed } Can be fixed by increasing the number of rounds. Schneier suggest } AES-128 use 16 rounds } AES-192 use 20 rounds } AES-256 use 28 rounds 27

Summary } There are no attacks against any AES variants that are better than brute force } All existing attacks are against reduced-round variants } Stay tuned: attacks never get worse, they only get better. 28

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback