Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Similar documents
Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Lecture 12: Block ciphers

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Module 2 Advanced Symmetric Ciphers

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

A block cipher enciphers each block with the same key.

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

Solution of Exercise Sheet 7

Block Cipher Cryptanalysis: An Overview

Lecture 4: DES and block ciphers

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

(Solution to Odd-Numbered Problems) Number of rounds. rounds

Symmetric Encryption

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh

BLOCK CIPHERS KEY-RECOVERY SECURITY

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Some integral properties of Rijndael, Grøstl-512 and LANE-256

Lecture Notes. Advanced Discrete Structures COT S

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Symmetric Crypto Systems

Public-key Cryptography: Theory and Practice

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

A Five-Round Algebraic Property of the Advanced Encryption Standard

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Modern Cryptography Lecture 4

The Advanced Encryption Standard

Symmetric Crypto Systems

The Artin-Feistel Symmetric Cipher

Differential-Linear Cryptanalysis of Serpent

Symmetric Cryptography

CS 6260 Applied Cryptography

SPCS Cryptography Homework 13

Table Of Contents. ! 1. Introduction to AES

Lecture 5: Pseudorandom functions from pseudorandom generators

Block Ciphers and Feistel cipher

An Analytical Approach to S-Box Generation

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4)

CS 6260 Applied Cryptography

Type 1.x Generalized Feistel Structures

Security and Cryptography 1

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Attacks on Hash Functions based on Generalized Feistel Application to Reduced-Round Lesamnta and SHAvite-3 512

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Secret Key: stream ciphers & block ciphers

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

Introduction to Symmetric Cryptography

Subspace Trail Cryptanalysis and its Applications to AES

UNDERSTANDING THE COST OF GROVER'S ALGORITHM FOR FINDING A SECRET KEY

DD2448 Foundations of Cryptography Lecture 3

FFT-Based Key Recovery for the Integral Attack

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Extended Criterion for Absence of Fixed Points

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Block ciphers And modes of operation. Table of contents

Impossible Differential Cryptanalysis of Mini-AES

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Complementing Feistel Ciphers

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

Chosen Plaintext Attacks (CPA)

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Part (02) Modem Encryption techniques

Subspace Trail Cryptanalysis and its Applications to AES

CHAPTER 5 A BLOCK CIPHER INVOLVING A KEY APPLIED ON BOTH THE SIDES OF THE PLAINTEXT

CSc 466/566. Computer Security. 5 : Cryptography Basics

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

Structural Cryptanalysis of SASAS

The Hash Function JH 1

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

V.U.K. Sastry et al, / (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 3 (1), 2012,

MATH 509 Differential Cryptanalysis on DES

Bernoulli variables. Let X be a random variable such that. 1 with probability p X = 0 with probability q = 1 p

CTR mode of operation

Division Property: a New Attack Against Block Ciphers

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

MATH3302 Cryptography Problem Set 2

Symmetric Cryptanalytic Techniques. Sean Murphy ショーン マーフィー Royal Holloway

A Block Cipher using an Iterative Method involving a Permutation

Security of the AES with a Secret S-box

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Design of Low Power Optimized MixColumn/Inverse MixColumn Architecture for AES

jorge 2 LSI-TEC, PKI Certification department

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

ECS 189A Final Cryptography Spring 2011

Chapter 2 Symmetric Encryption Algorithms

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of DES with Asymmetries

A SIMPLIFIED RIJNDAEL ALGORITHM AND ITS LINEAR AND DIFFERENTIAL CRYPTANALYSES

Lecture 5. Block Diagrams. Modes of Operation of Block Ciphers

Transcription:

Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption E : {0, 1} k {0, 1} l {0, 1} l Decryption D : {0, 1} k {0, 1} l {0, 1} l Examples: 3DES : l = 64, k = 56 AES : l = 64, k = 128, 192, 256 1 / 26 2 / 26 Data Encryption Standard (DES) DES: encryption circuit Early 1970s: Horst Feistel designs Lucier at IBM k = 128 bits, l = 128 bits 56 bit K 1973: NBS calls or block cipher proposals. IBM submits a variant o Lucier. 48 bit K 1 48 bit K 2 48 bit K 16 key expansion 1976: NBS adopts DES as a ederal standard k = 56 bits, l = 64 bits 1997: DES broken by exhaustive search 64 bit plaintext IP R 0 L 0 R 1 R 15 L 1 L 15 R 16 L 16 IP 1 64 bit ciphertext 2001: NIST adopts AES to replace DES k = 128, 192, 256 bits, l = 128 bits 1 st DES Feistel round 16 th DES Feistel round Widely deployed in banking (ATM machines) and commerce 3 / 26 4 / 26

Each DES Feistel round is invertible Each DES Feistel round is invertible 48 bit K i 48 bit K i R i 1 R i R i 1 R i R i R i 1 L i 1 L i L i 1 L i L i L i 1 48 bit K i 5 / 26 6 / 26 DES: decryption circuit DES: the unction 32 bit X i 48 bit k i 64 bit ciphertext IP R 16 L 16 R 15 L 15 R 1 L 1 R 0 L 0 IP 1 64 bit plaintext E 48 bit Y i 48 bit K 16 48 bit K 15 48 bit K 1 56 bit K key expansion S 1 S 2 S 7 S 8 P 32 bit X i 7 / 26 8 / 26

DES: S 5 -box Attacks on DES Exhaustive search: it takes 2 56 to do an exhaustive search over the key space COBACOBANA (120 FPGAs, 10K$): 7 days S 5 : {0, 1} 6 {0, 1} 4 (source: Wikipedia) Note that S 5 is not reversible as it maps 6 bits to 4 bits. Linear cryptanalysis: ound aine approximations to DES can ind 14 key bits in time 2 42 brute orce the remaining 56-14=42 in time 2 42 total attack time 2 43 DES is badly broken! Do not use it in new projects!! 9 / 26 10 / 26 Triple DES (3DES) Goal: build on top o DES a block cipher resistant against exhaustive search attacks Let DES = (E DES, D DES ). We build 3DES = (E 3DES, D 3DES ) as ollows E 3DES : ({0, 1} k ) 3 {0, 1} l {0, 1} l E 3DES ((K 1, K 2, K 3 ), M) = E DES (K 1, D DES (K 2, E DES (K 3, M))) K 1 = K 2 = K 3 DES D3DES : ({0, 1} k ) 3 {0, 1} l {0, 1} l D 3DES ((K 1, K 2, K 3 ), C) = D DES (K 3, E DES (K 2, D DES (K 1, C))) 3 times as slow as DES!! key-size = 3 56 = 168 bits Exhaustive search attack in 2 168 simple (meet in the middle) attack in time 2 118 What about double DES (2DES)? E 2DES ((K 1, K 2 ), M) = E DES (K 1, E DES (K 2, M)) m E E(k 2 m 2 ) k 2 E k 1 c=e 2DES ((k 1 k 2 )m) For m and c such that E 2DES ((k 1, k 2 ), m) = c we have that E DES (k 2, m) = D DES (k 1, m) 2DES admits a meet in the middle attack that reduces the time or key recovery rom 2 112 or an exhaustive search to 2 56. Given M = (m 1,..., m 10 ) and C = (E 2DES ((k 1, k 2 ), m 1 ),..., E 2DES ((k 1, k 2 ), m 10 )) } - For all possible k 2, computee DES (k 2, M) 2 - Sort table according to the resulting E DES (k 2, M) 56 log(56) } - For each possible k 1, computed DES (k 1, C) 2 - Look up in the table i D DES (k 1, C) = E DES (k 2, M) 56 log(56) time < 2 63 11 / 26 Similar attack on 3DES in time 2 118 12 / 26

The Advenced Encryption Standard (AES) AES: encryption circuit key expansion Goal: replace 3DES which is too slow (3DES is 3 times as slow as DES) 2001: NIST adopts Rijndael as AES Block size l = 128 bits, Key size k = 128, 192, 256 bits AES is Substitution-Permutation network (not a Feistel network) 128 bit K K 0 K 10 1. SubBytes m 2. Shi3Rows m 1. SubBytes m 2. Shi3Rows m 0 1 10 11 3. MixColumns m i : 4 4 byte matrix, K i : 128-bit key m 0 : plaintext, m 11 : ciphertext at the last round MixColumns is not applied K 9 As AES is not a Feistel network, each step needs to be reversible! 13 / 26 14 / 26 AES: SubBytes AES: ShitRows m i m i m i [0,0] m i [0,1] m i [0,2] m i [0,3] m i [0,0] m i [0,1] m i [0,2] m i [0,3] m i [1,0] m i [1,1] m i [1,2] m i [1,3] m i [1,1] m i [1,2] m i [1,3] m i [1,0] m i [2,0] m i [2,1] m i [2,2] m i [2,3] m i [2,2] m i [2,3] m i [2,0] m i [2,1] m i [3,0] m i [3,1] m i [3,2] m i [3,3] m i [3,3] m i [3,0] m i [3,1] m i [3,2] j, k. m i [j, k] = S[m i[j, k]] rows: most signiicant 4 bits columns: least signiicant 4 bits Note that SubBytes is reversible 15 / 26 16 / 26

AES: MixColumns Attacks on AES m i m i [0,0] m i[0,1] m i[0,2] m i[0,3] m i[1,0] m i[1,1] m i[1,2] m i[1,3] m i[1,1] m i[2,0] m i[2,1] m i[2,2] m i[2,3] m i[2,1] m i[3,0] m i[3,1] m i[3,2] m i[3,3] c(x) m i m i [0,0] m i[0,1] m i[0,2] m i[0,3] m i[1,0] m i[1,1] m i[1,2] m i[1,3] m i[1,1] m i[2,0] m i[2,1] m i[2,2] m i[2,3] m i[2,1] m i[3,0] m i[3,1] m i[3,2] m i[3,3] Related-key attack on the 192-bit and 256-bit versions o AES: exploits the AES key schedule [A. Biryukov, D. Khovratovich (2009)] key recovery in time 2 99 First key-recovery attack on ull AES [A. Bogdanov, D. Khovratovich, C. Rechberger (2011)] 4 times aster than exhaustive search m i[3,1] m i[3,1] Existing attacks on AES 128 are still not practical, but use AES 192 and AES 256 in new projects! 17 / 26 18 / 26 Using block ciphers Myrto Arapinis School o Inormatics University o Edinburgh Goal: Encrypt M using a block cipher operating on blocks o length l when M > l 19 / 26 20 / 26

Electronic Code Book (ECB) mode Weakness o ECB (E, D) a block cipher. To encrypt message M under key K using ECB mode: M is padded: M = M P such that M = m l M is broken into m blocks o length l M = M 1 M 2... M m m: E ECB (k,m): m 1 m 2 m n c 1 c 2 c n Each block M i is encrypted under the key K using the block cipher C i = E(K, M i ) or all i {1,..., m} The ciphertext corresponding to M is the concatenation o the C i s C = C 1 C 2... C m Problem: i, j. m i = m j c i = E(k, m i ) = E(k, m j ) = c j Weak to requency analysis! Playstation attack 21 / 26 22 / 26 Weakness o ECB in pictures Cipher-block chaining (CBC) mode: encryption (E, D) a block cipher that manipulates blocks o size l. initialisation vector plaintext IV m 0 m 1 m 2 m 3 IV C 0 C 1 C 2 C 3 Original image Image encrypted using ECB mode ciphertext 23 / 26 IV chosen at random in {0, 1} l 24 / 26

Cipher-block chaining (CBC) mode: decryption Counter (CTR) mode ciphertext (E, D) a block cipher that manipulates blocks o size l. IV C 0 C 1 C 2 C 3 initialisation vector plaintext D(k, ) D(k, ) D(k, ) D(k, ) IV m 0 m 1 m L E(k, IV) E(k, IV1) E(k, IVL) IV C 0 C 1 C L IV initialisation vector m 0 m 1 m 2 m 3 plaintext IV chosen at random in {0, 1} l ciphertext 25 / 26 26 / 26

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback