Cryptography Lecture 4 Block ciphers, DES, breaking DES

Similar documents
Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Lecture 12: Block ciphers

MATH3302 Cryptography Problem Set 2

Classical Cryptography

Module 2 Advanced Symmetric Ciphers

Lecture 4: DES and block ciphers

Solution of Exercise Sheet 7

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Introduction to Cybersecurity Cryptography (Part 4)

Public-key Cryptography: Theory and Practice

Introduction to Cybersecurity Cryptography (Part 4)

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Alternative Approaches: Bounded Storage Model

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Block Ciphers and Feistel cipher

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Solutions to the Midterm Test (March 5, 2011)

CPSC 467b: Cryptography and Computer Security

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Symmetric Crypto Systems

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Public Key Cryptography

Menu. Lecture 5: DES Use and Analysis. DES Structure Plaintext Initial Permutation. DES s F. S-Boxes 48 bits Expansion/Permutation

BLOCK CIPHERS KEY-RECOVERY SECURITY

Jay Daigle Occidental College Math 401: Cryptology

Exercise Sheet Cryptography 1, 2011

Division Property: a New Attack Against Block Ciphers

Lecture Notes. Advanced Discrete Structures COT S

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Solution to Midterm Examination

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

DD2448 Foundations of Cryptography Lecture 3

On the Design of Trivium

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Chapter 2. A Look Back. 2.1 Substitution ciphers

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Cryptography 2017 Lecture 2

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Extended Criterion for Absence of Fixed Points

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

K Anup Kumar et al,int.j.comp.tech.appl,vol 3 (1), 23-31

The Artin-Feistel Symmetric Cipher

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

5. Classical Cryptographic Techniques from modular arithmetic perspective

Implementation Tutorial on RSA

Akelarre. Akelarre 1

A Block Cipher using an Iterative Method involving a Permutation

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Type 1.x Generalized Feistel Structures

Structural Cryptanalysis of SASAS

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

How Fast can be Algebraic Attacks on Block Ciphers?

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Symmetric Crypto Systems

Differential Attack on Five Rounds of the SC2000 Block Cipher

ECS 189A Final Cryptography Spring 2011

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Public-Key Cryptosystems CHAPTER 4

(Solution to Odd-Numbered Problems) Number of rounds. rounds

functions. E.G.BARDIS*, N.G.BARDIS*, A.P.MARKOVSKI*, A.K.SPYROPOULOS**

The Hash Function JH 1

Truncated differential cryptanalysis of five rounds of Salsa20

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Modified Hill Cipher with Interlacing and Iteration

Chosen Plaintext Attacks (CPA)

CSCI3381-Cryptography

Cryptography CS 555. Topic 2: Evolution of Classical Cryptography CS555. Topic 2 1

Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!

monoalphabetic cryptanalysis Character Frequencies (English) Security in Computing Common English Digrams and Trigrams Chapter 2

Number theory (Chapter 4)

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Lecture Notes, Week 6

Block Cipher Cryptanalysis: An Overview

Lecture 5: Pseudorandom functions from pseudorandom generators

MATH 509 Differential Cryptanalysis on DES

Part (02) Modem Encryption techniques

Introduction to Cryptology. Lecture 2

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Algebraic Aspects of Symmetric-key Cryptography

Dan Boneh. Stream ciphers. The One Time Pad

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Perfectly-Secret Encryption

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

STREAM CIPHER. Chapter - 3

Public Key Encryption

Dan Boneh. Introduction. Course Overview

Public Key Cryptography

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

A block cipher enciphers each block with the same key.

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Transcription:

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Breaking a cipher Eavesdropper recieves n cryptograms created from n plaintexts in sequence, using the same key Redundancy exists in the messages There is always one n (the unicity distance) where only one value for the key recreates a possible plaintext, unless we use OTP Key Key Alice E k D k m c m Bob Eve

Defence against breaking a cipher through exhaustive search Change key often enough, so that unicity distance is not reached OTP Approximation of OTP: Stream ciphers Make sure there are too many possible keys for exhaustive search Single-letter substitution is not enough, even though there are 26! 4 10 26 2 88 combinations Encrypt larger blocks (than one-, two-, or three-letter combinations) Key Key Alice + + m c m Bob Eve

Defence against breaking a cipher through exhaustive search Change key often enough, so that unicity distance is not reached OTP Approximation of OTP: Stream ciphers Make sure there are too many possible keys for exhaustive search Single-letter substitution is not enough, even though there are 26! 4 10 26 2 88 combinations Encrypt larger blocks (than one-, two-, or three-letter combinations) Key Alice Block Block m cipher c cipher m Key Bob Eve

Substitution cipher m i Single letter L = 26 Single letter k from K K = 26! 2 88 k Permutation c i

Playfair m i Pair of letters L = 26 2 Key word k from K K < 26! 2 88 k Permutation c i

Generic block cipher m i n-bit blocks L = 2 n Key k from K K = (2 n )! k Permutation c i

Generic block cipher Too large Key k from K K = (2 n )! m i n-bit blocks L = 2 n k Permutation c i

Data Encryption Standard (1975) Key k from K K = 2 56 (2 64 )! m i 64-bit blocks L = 2 64 k Permutation c i

Block ciphers v. codes The same block with the same key always produces the same cryptogram, independent of its position in a sequence This is simple substitution on the block level An attacker could, in principle, create a table of all plaintext values and their corresponding cryptograms, one table for each key, and use this for cryptanalysis As defence, blocks and keys must be so large that there are too many values to list in the table

Block cipher criteria Diffusion If a plaintext character changes, several ciphertext characters should change. This is a basic demand on a block cipher, and ensures that the statistics used need to be block statistics (as opposed to letter statistics) Confusion Every bit of the ciphertext should depend on several bits in the key. This can be achieved by ensuring that the system is nonlinear

Diffusion: the avalanche effect A change in one bit in the input should propagate to many bits in the output The strict avalanche criterion A change in one bit in the input should change each output bit with probability 1 2 If this does not hold, an attacker can make predictions on the input, given only the output

Build the system from components Input L R + Output E(L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits

Build the system from components Input L R + f Output E(L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits

Build the system from components Input L R k + f Output E k (L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits Use different functions depending on the key

Build the system from components Input L R k + f Output E k (L) R Diffusion: A change in one bit in the input should change each output bit with probability 1 2 This is done by mixing the bits Use different functions depending on the key Confusion is created by using a nonlinear f

Feistel network Input L 0 R 0 k 1 Round 1 + f L 1 R 1 k 2 Round 2 + f L 2 R 2

Feistel network Input L 0 R 0 k 1 Round 1 + f Substitution Permutation L 1 R 1 k 2 Round 2 + f L 2 R 2

DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

DES IP b 58 b 50 b 42 b 34 b 26 b 18 b 10 b 2 b 60 b 52 b 44 b 36 b 28 b 20 b 12 b 4 b 62 b 54 b 46 b 38 b 30 b 22 b 14 b 6 b 64 b 56 b 48 b 40 b 32 b 24 b 16 b 8 b 57 b 49 b 41 b 33 b 25 b 17 b 9 b 1 b 59 b 51 b 43 b 35 b 27 b 19 b 11 b 3 b 61 b 53 b 45 b 37 b 29 b 21 b 13 b 5 b 63 b 55 b 47 b 39 b 31 b 23 b 15 b 7

DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

DES Expander b 32 b 1 b 2 b 3 b 4 b 5 b 6 b 7 b 8 b 9 b 8 b 9 b 10 b 11 b 12 b 13 b 14 b 15 b 16 b 17 b 16 b 17 b 18 b 19 b 20 b 21 b 22 b 23 b 24 b 25 b 24 b 25 b 26 b 27 b 28 b 29 b 30 b 31 b 32 b 1 Permutation b 16 b 7 b 20 b 21 b 29 b 12 b 28 b 17 b 1 b 15 b 23 b 26 b 5 b 18 b 31 b 10 b 2 b 8 b 24 b 14 b 32 b 27 b 3 b 9 b 19 b 13 b 30 b 6 b 22 b 11 b 4 b 25

DES b 1 b 2 b 3 b 4 b 5 b 6 S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 row index: b 1 b 6, column index: b 2 b 3 b 4 b 5

DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

DES Input IP L 0 R 0 k 1 Round 1 + f k 2 Round 2 + f (16 rounds). L 16 R 16 IP 1 Output

DES key schedule 56 bits Key Key-permutation Each key bit is used in (close to) 14 of 16 rounds C 0 D 0 Rotation Rotation C 1 D 1 Rotation Rotation Choice k 1 48 bits..

DES S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 row index: b 1 b 6, column index: b 2 b 3 b 4 b 5 There was a lot of controversy surrounding the S-box construction People were worried there were backdoors in the system But in the late eighties it was found that even small changes in the S-boxes gave a weaker system

DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

Linearity A function f from is linear if f (ax + by) = a f (x) + b f (y) Example: f (t) = 7t is linear A (close to) linear system is much easier to analyse Therefore, you cannot use only simple mathematical functions

Linear cryptanalysis Make a linear approximation of the cipher This will have k as parameter Use many plaintext-ciphertext pairs to deduce which linear approximation is the best, and this will correspond to the most likely key Key Key Alice E k D k m c m Bob Eve

Prohibit linear cryptanalysis Examples: f (t) = 7t is linear but f (t) = (7t mod 8) in the ring of numbers mod 16 is nonlinear, because f (2) 2f (1): f (2) = (14 mod 8) = 6 2f (1) = 2(7 mod 8) = 14 of course f (t) = (7t mod 8) is linear in the ring of numbers mod 8

Prohibit linear analysis R i f 32 bits Expander k i 48 bits + 6 bits S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i ) In DES, smaller blocks are used in each step, and are combined to create non-linearity with respect to the larger blocks The S-box itself is also chosen to be non-linear

Linear cryptanalysis of DES Make a linear approximation of the S-boxes Combine these into a linear approximation of the whole cipher This will have k as parameter Use many plaintext-ciphertext pairs to deduce which linear approximation is the best, and this will correspond to the most likely key Needs 2 43 plaintext-ciphertext pairs for DES

DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

DES After the (re-)discovery of differential cryptanalysis, in 1994 IBM published the construction criteria Each S-box has 6 input bits and four output bits (1970 s hardware limit) The S-boxes should not be linear functions, or even close to linear Each row of an S-box contains all numbers from 0 to 15 Two inputs that differ by 1 bit should give outputs that differ by at least 2 bits Two inputs that differ in the first 2 bits but are equal in the last 2 bits should give unequal outputs There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs A similar criterion involving three S-boxes

DES R i k i f 6 bits 32 bits Expander 48 bits + S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 4 bits Permutation 32 bits f (R i, k i )

Simple(r) Encryption System R i f 6 bits Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 8 bits + 4 bits S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 3 bits 6 bits S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 f (R i, k i )

A one-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f L 1 R 1 A known-plaintext attack breaks the system, because then you know R 0 and f (R 0, k 1 ) = R 1 L 0, so you can find k 1

A one-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f L 1 = R 0 R 1 = L 0 f (R 0, k 1 ) A known-plaintext attack breaks the system, because then you know R 0 and f (R 0, k 1 ) = R 1 L 0, so you can find k 1

Simple(r) Encryption System, example R i = 101110 f 6 bits Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 8 bits + 4 bits S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 3 bits 6 bits S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 f (R i, k i ) = 100011

Simple(r) Encryption System, example R i = 101110 f 101110 Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 10111110 + 1011 k h i S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 100 100011 1110 k l i S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 011 f (R i, k i ) = 100011

Simple(r) Encryption System, example R i = 101110 f 101110 Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i 10111110 + 1011 k h i S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 100 100011 1110 k l i S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 011 1001 0101 f (R i, k i ) = 100011 1001 0110

A two-round Feistel network is trivial to break Input L 0 R 0 k 1 Round 1 + f Round 2 + f R 0 L 0 f (R 0, k 1 ) k 2 L 0 f (R 0, k 1 ) R 0 f (L 2, k 2 ) Use the same method twice: (R 0, f (R 0, l 1 ) = L 2 L 0 ); (L 2, f (L 2, k 2 ) = R 2 R 0 ). Now, the key schedule may rule out some combinations.

A three-round Feistel network is simple to break L 0 R 0 R 0 L 0 f (R 0, k 1 ) L 0 f (R 0, k 1 ) L 3 L 3 R 3 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) Perform two known-plaintext attacks for L 0 R 0 and L 0 R 0 with R 0 = R 0. Then, the outputs have the relation R 3 R 3 = L 0 L 0 f (L 3, k 3 ) f (L 3, k 3 ) We have L 3 L 3 and f (L 3, k 3 ) f (L 3, k 3)

Simple(r) Encryption System, given XOR L 3 L 3 = 101110 f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i E(L 3) E(L 3 ) = 10111110 + XOR: 1011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR: 100 S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 f (L 3, k 3 ) f (L 3, k 3) = 100011

Simple(r) Encryption System, given XOR k i f L 3 L 3 = 101110 E(L 3) E(L 3 ) = 10111110 + XOR: 1011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = 100011 E(L 3 ) k 3 E(L 3 ) k 3 Out XOR 0000 1011 111 0001 1010 100 Expander 0010 1001 101 b 1 b 2 b 4 b 3 b 4 b 3 b0011 5 b 6 1000 111 0100 1111 000 0101 1110 001 0110 1101 000 0111 1100 000 1000 0011 111 1001 0010 101 S 1010 2 0001 100 4 01011 6 5 7 1 0000 3 2 111 5 31100 0 7 6 2 01111 4 000 1101 0110 000 1110 0101 001 1111 0100 000

Simple(r) Encryption System, given XOR k i f L 3 L 3 = 101110 E(L 3) E(L 3 ) = 10111110 + XOR: 1011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = 100011 E(L 3 ) k 3 E(L 3 ) k 3 Out XOR 0000 1011 111 0001 1010 100 Expander 0010 1001 101 b 1 b 2 b 4 b 3 b 4 b 3 b0011 5 b 6 1000 111 0100 1111 000 0101 1110 001 0110 1101 000 0111 1100 000 1000 0011 111 1001 0010 101 S 1010 2 0001 100 4 01011 6 5 7 1 0000 3 2 111 5 31100 0 7 6 2 01111 4 000 1101 0110 000 1110 0101 001 1111 0100 000

Simple(r) Encryption System, given XOR k i f L 3 L 3 = 101110 E(L 3) E(L 3 ) = 10111110 + XOR: 1011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR: 100 f (L 3, k 3 ) f (L 3, k 3) = 100011 E(L 3 ) k 3 E(L 3 ) k 3 Out XOR 0000 1011 111 0001 1010 100 Expander 0010 1001 101 b 1 b 2 b 4 b 3 b 4 b 3 b0011 5 b 6 1000 111 0100 1111 000 0101 1110 001 0110 1101 000 0111 1100 000 1000 0011 111 1001 0010 101 S 1010 2 0001 100 4 01011 6 5 7 1 0000 3 2 111 5 31100 0 7 6 2 01111 4 000 1101 0110 000 1110 0101 001 1111 0100 000

A three-round Feistel network is simple to break L 0 R 0 R 0 L 0 f (R 0, k 1 ) L 0 f (R 0, k 1 ) L 3 L 3 R 3 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) Choose R 0 = R 0 so that f (R 0, k 1 ) f (R 0, k 1) = 0. Then, we can calculate f (L 3, k 3 ) f (L 3, k 3)

A four-round Feistel network is more complicated to break L 0 R 0 L 1 R 1 R 1 L 1 f (R 1, k 2 ) L 1 f (R 1, k 2 ) L 4 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) L 4 R 4 = L 1 f (R 1, k 2 ) f (L 4, k 4 ) Here, if we can guess f (R 1, k 2 ) f (R 1, k 2) (even if it is 0), we can calculate f (L 4, k 4 ) f (L 4, k 4)

Simple(r) Encryption System, given XOR R 1 R 1 = 001110 f Expander b 1 b 2 b 4 b 3 b 4 b 3 b 5 b 6 k i E(R 1) E(R1 ) = 00111110 + XOR: 0011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR:? S 2 4 0 6 5 7 1 3 2 5 3 0 7 6 2 1 4 f (R 1, k 2 ) f (R 1, k 2) =?

Simple(r) Encryption System, given XOR k i f R 1 R 1 = 001110 E(R 1) E(R1 ) = 00111110 + XOR: 0011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR:? f (R 1, k 2 ) f (R 1, k 2) =? E(R 1 ) k 2 E(R 1 ) k 2 Out XOR 0000 0011 011 0001 0010 011 Expander 0010 0001 011 b 1 b 2 b 4 b 3 b 4 b 3 b0011 5 b 6 0000 011 0100 0111 011 0101 0110 011 0110 0101 011 0111 0100 011 1000 1011 011 1001 1010 010 S 1010 2 1001 010 4 01011 6 5 7 1 1000 3 2 011 5 31100 0 7 6 2 1111 1 4 011 1101 1110 010 1110 1101 010 1111 1100 011

Simple(r) Encryption System, given XOR k i f R 1 R 1 = 001110 E(R 1) E(R1 ) = 00111110 + XOR: 0011 S 1 5 2 1 6 3 4 7 0 1 4 6 2 0 7 5 3 XOR:? f (R 1, k 2 ) f (R 1, k 2) =? E(R 1 ) k 2 E(R 1 ) k 2 Out XOR 0000 0011 011 0001 0010 011 Expander 0010 0001 011 b 1 b 2 b 4 b 3 b 4 b 3 b0011 5 b 6 0000 011 0100 0111 011 0101 0110 011 0110 0101 011 0111 0100 011 1000 1011 011 1001 1010 010 S 1010 2 1001 010 4 01011 6 5 7 1 1000 3 2 011 5 31100 0 7 6 2 1111 1 4 011 Warning! 1101 1110 010 1110 1101 010 1111 1100 011

A four-round Feistel network is more complicated to break L 0 R 0 L 1 R 1 R 1 L 1 f (R 1, k 2 ) L 1 f (R 1, k 2 ) L 4 = L 0 f (R 0, k 1 ) f (L 3, k 3 ) L 4 R 4 = L 1 f (R 1, k 2 ) f (L 4, k 4 ) Here, if we can guess f (R 1, k 2 ) f (R 1, k 2) (even if it is 0), we can calculate f (L 4, k 4 ) f (L 4, k 4) Take random input pairs, and use the most likely output XOR to deduce the most likely k 4

DES The seemingly strange criterion is to prohibit differential cryptanalysis There are 32 pairs of inputs with a given XOR. No more than eight of the corresponding outputs should have equal XORs The designers knew about differential cryptanalysis Still, it works on DES, and breaks 15-round DES faster than exhaustive search (16-round DES requires 2 47 chosen plaintexts pairs)

Computational cost of breaking DES DES was standardized 1975, and already 1977 there was an estimate that a machine to break it would cost $20M (1977 dollars) DES was recertified in 1992 despite growing concerns One can use distributed computing, specialized hardware, or nowadays, cheap FPGAs In the DES challenge in 1997 the key was found in five months (distributed computation) having searched 25% of the key space (1998: 39 days, 85%) 1998: EFF DES cracker, parallelized, $200k, 4.5 days (on average)

Key length Table 7.1: Minimum symmetric key-size in bits for various attackers. Attacker Budget Hardware Min security Hacker 0 PC 58 < $400 PC(s)/FPGA 63 0 Malware 77 Small organization $10k PC(s)/FPGA 69 Medium organization $300k FPGA/ASIC 69 Large organization $10M FPGA/ASIC 78 Intelligence agency $300M ASIC 84 From ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)

Key length Table 7.1: Minimum symmetric key-size in bits for various attackers Attacker Budget Hardware Min security (1996) Hacker 0 PC 58 45 < $400 PC(s)/FPGA 63 50 0 Malware 77 Small organization $10k PC(s)/FPGA 69 55 Medium organization $300k FPGA/ASIC 69 60 Large organization $10M FPGA/ASIC 78 70 Intelligence agency $300M ASIC 84 75 From ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)

Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010)

Double DES k 1 k 2 Cleartext DES DES Cryptotext E k2 ( Ek1 (m) ) E k3 (m) Encrypt repeatedly with the keys consisting of all 0s and all 1s. The smallest n such that (E 0 E 1 ) n (m) = m is called the cycle length. If DES is a group, then n < 2 56 Lemma: the smallest integer N such that (E 0 E 1 ) N (m) = m for all m contains all individual cycles as factors An example has been found where the cycle lengths of 33 messages has the least common multiple of 10 277 2 56

Meet-in-the-middle attacks A meet-in-the-middle attack is a known plaintext attack Make a list of all 2 56 possible (single-des) encryptions of the plaintext, and of all 2 56 (single-des) decryptions of the ciphertext Match the two lists. The key(s) that give the same middle value is (are) the key (candidates) Attack is of complexity 2 57

Triple DES Cleartext k 1 k 2 k 3 E k1 E k2 E k3 Cryptotext More common: Cleartext k 1 k 2 k 3 E k1 D k2 E k3 Cryptotext Breaking three-key triple DES has a complexity of 2 112

Key length Table 7.4: Security levels (symmetric equivalent) Security Protection Comment (bits) 32 Real-time, individuals Only auth. tag size 64 Very short-term, small org Not for confidentiality in new systems 72 Short-term, medium org Medium-term, small org 80 Very short-term, agencies Smallest general-purpose Long-term, small org < 4 years protection (E.g., use of 2-key 3DES, < 2 40 plaintext/ciphertexts) 96 Legacy standard level 2-key 3DES restricted to 10 6 plaintext/ciphertexts, 10 years protection 112 Medium-term protection 20 years protection (E.g., 3-key 3DES) 128 Long-term protection Good, generic application-indep. Recommendation, 30 years 256 Foreseeable future Good protection against quantum computers unless Shor s algorithm applies. From ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010)

Next lecture AES Mathematics: intro to finite fields Modes of operation Message Authentication Codes, MACs

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback