Block ciphers Block ciphers Myrto Arapinis School o Inormatics University o Edinburgh January 22, 2015 A block cipher with parameters k and l is a pair o deterministic algorithms (E, D) such that Encryption E : {0, 1} k {0, 1} l {0, 1} l Decryption D : {0, 1} k {0, 1} l {0, 1} l Examples: 3DES : l = 64, k = 56 AES : l = 64, k = 128, 192, 256 1 / 26 2 / 26 Data Encryption Standard (DES) DES: encryption circuit Early 1970s: Horst Feistel designs Lucier at IBM k = 128 bits, l = 128 bits 56 bit K 1973: NBS calls or block cipher proposals. IBM submits a variant o Lucier. 48 bit K 1 48 bit K 2 48 bit K 16 key expansion 1976: NBS adopts DES as a ederal standard k = 56 bits, l = 64 bits 1997: DES broken by exhaustive search 64 bit plaintext IP R 0 L 0 R 1 R 15 L 1 L 15 R 16 L 16 IP 1 64 bit ciphertext 2001: NIST adopts AES to replace DES k = 128, 192, 256 bits, l = 128 bits 1 st DES Feistel round 16 th DES Feistel round Widely deployed in banking (ATM machines) and commerce 3 / 26 4 / 26
Each DES Feistel round is invertible Each DES Feistel round is invertible 48 bit K i 48 bit K i R i 1 R i R i 1 R i R i R i 1 L i 1 L i L i 1 L i L i L i 1 48 bit K i 5 / 26 6 / 26 DES: decryption circuit DES: the unction 32 bit X i 48 bit k i 64 bit ciphertext IP R 16 L 16 R 15 L 15 R 1 L 1 R 0 L 0 IP 1 64 bit plaintext E 48 bit Y i 48 bit K 16 48 bit K 15 48 bit K 1 56 bit K key expansion S 1 S 2 S 7 S 8 P 32 bit X i 7 / 26 8 / 26
DES: S 5 -box Attacks on DES Exhaustive search: it takes 2 56 to do an exhaustive search over the key space COBACOBANA (120 FPGAs, 10K$): 7 days S 5 : {0, 1} 6 {0, 1} 4 (source: Wikipedia) Note that S 5 is not reversible as it maps 6 bits to 4 bits. Linear cryptanalysis: ound aine approximations to DES can ind 14 key bits in time 2 42 brute orce the remaining 56-14=42 in time 2 42 total attack time 2 43 DES is badly broken! Do not use it in new projects!! 9 / 26 10 / 26 Triple DES (3DES) Goal: build on top o DES a block cipher resistant against exhaustive search attacks Let DES = (E DES, D DES ). We build 3DES = (E 3DES, D 3DES ) as ollows E 3DES : ({0, 1} k ) 3 {0, 1} l {0, 1} l E 3DES ((K 1, K 2, K 3 ), M) = E DES (K 1, D DES (K 2, E DES (K 3, M))) K 1 = K 2 = K 3 DES D3DES : ({0, 1} k ) 3 {0, 1} l {0, 1} l D 3DES ((K 1, K 2, K 3 ), C) = D DES (K 3, E DES (K 2, D DES (K 1, C))) 3 times as slow as DES!! key-size = 3 56 = 168 bits Exhaustive search attack in 2 168 simple (meet in the middle) attack in time 2 118 What about double DES (2DES)? E 2DES ((K 1, K 2 ), M) = E DES (K 1, E DES (K 2, M)) m E E(k 2 m 2 ) k 2 E k 1 c=e 2DES ((k 1 k 2 )m) For m and c such that E 2DES ((k 1, k 2 ), m) = c we have that E DES (k 2, m) = D DES (k 1, m) 2DES admits a meet in the middle attack that reduces the time or key recovery rom 2 112 or an exhaustive search to 2 56. Given M = (m 1,..., m 10 ) and C = (E 2DES ((k 1, k 2 ), m 1 ),..., E 2DES ((k 1, k 2 ), m 10 )) } - For all possible k 2, computee DES (k 2, M) 2 - Sort table according to the resulting E DES (k 2, M) 56 log(56) } - For each possible k 1, computed DES (k 1, C) 2 - Look up in the table i D DES (k 1, C) = E DES (k 2, M) 56 log(56) time < 2 63 11 / 26 Similar attack on 3DES in time 2 118 12 / 26
The Advenced Encryption Standard (AES) AES: encryption circuit key expansion Goal: replace 3DES which is too slow (3DES is 3 times as slow as DES) 2001: NIST adopts Rijndael as AES Block size l = 128 bits, Key size k = 128, 192, 256 bits AES is Substitution-Permutation network (not a Feistel network) 128 bit K K 0 K 10 1. SubBytes m 2. Shi3Rows m 1. SubBytes m 2. Shi3Rows m 0 1 10 11 3. MixColumns m i : 4 4 byte matrix, K i : 128-bit key m 0 : plaintext, m 11 : ciphertext at the last round MixColumns is not applied K 9 As AES is not a Feistel network, each step needs to be reversible! 13 / 26 14 / 26 AES: SubBytes AES: ShitRows m i m i m i [0,0] m i [0,1] m i [0,2] m i [0,3] m i [0,0] m i [0,1] m i [0,2] m i [0,3] m i [1,0] m i [1,1] m i [1,2] m i [1,3] m i [1,1] m i [1,2] m i [1,3] m i [1,0] m i [2,0] m i [2,1] m i [2,2] m i [2,3] m i [2,2] m i [2,3] m i [2,0] m i [2,1] m i [3,0] m i [3,1] m i [3,2] m i [3,3] m i [3,3] m i [3,0] m i [3,1] m i [3,2] j, k. m i [j, k] = S[m i[j, k]] rows: most signiicant 4 bits columns: least signiicant 4 bits Note that SubBytes is reversible 15 / 26 16 / 26
AES: MixColumns Attacks on AES m i m i [0,0] m i[0,1] m i[0,2] m i[0,3] m i[1,0] m i[1,1] m i[1,2] m i[1,3] m i[1,1] m i[2,0] m i[2,1] m i[2,2] m i[2,3] m i[2,1] m i[3,0] m i[3,1] m i[3,2] m i[3,3] c(x) m i m i [0,0] m i[0,1] m i[0,2] m i[0,3] m i[1,0] m i[1,1] m i[1,2] m i[1,3] m i[1,1] m i[2,0] m i[2,1] m i[2,2] m i[2,3] m i[2,1] m i[3,0] m i[3,1] m i[3,2] m i[3,3] Related-key attack on the 192-bit and 256-bit versions o AES: exploits the AES key schedule [A. Biryukov, D. Khovratovich (2009)] key recovery in time 2 99 First key-recovery attack on ull AES [A. Bogdanov, D. Khovratovich, C. Rechberger (2011)] 4 times aster than exhaustive search m i[3,1] m i[3,1] Existing attacks on AES 128 are still not practical, but use AES 192 and AES 256 in new projects! 17 / 26 18 / 26 Using block ciphers Myrto Arapinis School o Inormatics University o Edinburgh Goal: Encrypt M using a block cipher operating on blocks o length l when M > l 19 / 26 20 / 26
Electronic Code Book (ECB) mode Weakness o ECB (E, D) a block cipher. To encrypt message M under key K using ECB mode: M is padded: M = M P such that M = m l M is broken into m blocks o length l M = M 1 M 2... M m m: E ECB (k,m): m 1 m 2 m n c 1 c 2 c n Each block M i is encrypted under the key K using the block cipher C i = E(K, M i ) or all i {1,..., m} The ciphertext corresponding to M is the concatenation o the C i s C = C 1 C 2... C m Problem: i, j. m i = m j c i = E(k, m i ) = E(k, m j ) = c j Weak to requency analysis! Playstation attack 21 / 26 22 / 26 Weakness o ECB in pictures Cipher-block chaining (CBC) mode: encryption (E, D) a block cipher that manipulates blocks o size l. initialisation vector plaintext IV m 0 m 1 m 2 m 3 IV C 0 C 1 C 2 C 3 Original image Image encrypted using ECB mode ciphertext 23 / 26 IV chosen at random in {0, 1} l 24 / 26
Cipher-block chaining (CBC) mode: decryption Counter (CTR) mode ciphertext (E, D) a block cipher that manipulates blocks o size l. IV C 0 C 1 C 2 C 3 initialisation vector plaintext D(k, ) D(k, ) D(k, ) D(k, ) IV m 0 m 1 m L E(k, IV) E(k, IV1) E(k, IVL) IV C 0 C 1 C L IV initialisation vector m 0 m 1 m 2 m 3 plaintext IV chosen at random in {0, 1} l ciphertext 25 / 26 26 / 26