Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Similar documents
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Dan Boneh. Stream ciphers. The One Time Pad

Security and Cryptography 1

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

BLOCK CIPHERS KEY-RECOVERY SECURITY

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Building Secure Block Ciphers on Generic Attacks Assumptions

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Module 2 Advanced Symmetric Ciphers

Lecture 4: DES and block ciphers

Block Cipher Cryptanalysis: An Overview

DD2448 Foundations of Cryptography Lecture 3

Lecture 12: Block ciphers

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Introduction to Cybersecurity Cryptography (Part 4)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Division Property: a New Attack Against Block Ciphers

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Solution of Exercise Sheet 7

Lecture 5: Pseudorandom functions from pseudorandom generators

ECS 189A Final Cryptography Spring 2011

The Hash Function JH 1

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

The Advanced Encryption Standard

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

The Artin-Feistel Symmetric Cipher

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Symmetric key cryptography over non-binary algebraic structures

Improved security analysis of OMAC

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Public-key Cryptography: Theory and Practice

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Quantum Differential and Linear Cryptanalysis

A Domain Extender for the Ideal Cipher

Complementing Feistel Ciphers

Benes and Butterfly schemes revisited

A Five-Round Algebraic Property of the Advanced Encryption Standard

Provable Security in Symmetric Key Cryptography

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Modern Cryptography Lecture 4

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

A Pseudo-Random Encryption Mode

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Block Ciphers/Pseudorandom Permutations

Differential Fault Analysis on DES Middle Rounds

A survey on quantum-secure cryptographic systems

Symmetric Crypto Systems

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lecture 10 - MAC s continued, hash & MAC

Private-Key Encryption

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Symmetric Encryption

CS 6260 Applied Cryptography

Cryptography 2017 Lecture 2

G /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 5, CPA Secure Encryption from PRFs

Quantum-secure symmetric-key cryptography based on Hidden Shifts

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Towards Provable Security of Substitution-Permutation Encryption Networks

On related-key attacks and KASUMI: the case of A5/3

CPSC 467: Cryptography and Computer Security

Asymmetric Encryption

MATH3302 Cryptography Problem Set 2

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

Akelarre. Akelarre 1

Differential-Linear Cryptanalysis of Serpent

On the Round Security of Symmetric-Key Cryptographic Primitives

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Security of the AES with a Secret S-box

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture Notes on Secret Sharing

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Scribe for Lecture #5

The Hash Function Fugue

Block Ciphers and Feistel cipher

Lecture 14: Cryptographic Hash Functions

Klein s and PTW Attacks on WEP

STRIBOB : Authenticated Encryption

Chosen Plaintext Attacks (CPA)

Symmetric Crypto Systems

Chapter 2 Symmetric Encryption Algorithms

Attacks on DES , K 2. ) L 3 = R 2 = L 1 f ( R 1, K 2 ) R 4 R 2. f (R 1 = L 1 ) = L 1. ) f ( R 3 , K 4. f (R 3 = L 3

Transcription:

Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu

Definition of block ciphers

Block ciphers: crypto work horse n bits PT block n bits E, D CT block key k bits 3DES n=64 bits k=168 bits AES n=128 bits k=168, 192, 256 bits

Block ciphers built by iteration k key expansion k 1 k 2 k 3 k l m R(k 1, ) R(k 2, ) R(k 3, ) R(k l, ) c R(, ) is called a round function l = 48 for DES, l = 10 for AES-128

Performance Crypto++ 5.6.0 benchmarks on AMD 8354 Opteron 2.2 GHz processor under Linux http://www.cryptopp.com/benchmarks.html cipher block/key size speed (MB/sec) RC4 126 Salsa20/12 643 Sosemanuk 727 3DES 64/168 13 AES-128 128/128 109

Crypto++ 5.6.2 check out http://www.cryptopp.com/ for the most recent version Crypto++ 5.6.2 the library contains: authenticated encryption high speed stream ciphers AES and AES candidates other block ciphers block cipher modes of operation message authentication codes hash functions public key cryptography padding schemes for public key cryptography key agreement schemes elliptic curve cryptography... many other features

Abstraction of block ciphers: PRPs and PRFs F is a pseudo random function (PRF) defined over (K, X, Y) F : K X Y if efficient algorithm for evaluating F (k, x) E is a pseudo random permutation (PRF) defined over (K, X ) E : K X X provided that the function E(k, ) is injective k K an efficient deterministic algorithm for evaluating E(k, x) an efficient inversion algorithm D such that D ( k, E(k, x) ) = x k K x X

Example PRPs: AES and DES AES K X X, K = X = {0, 1} 128 3DES K X X, K = {0, 1} 168, X = {0, 1} 64

PRPs are special PRFs a PRP is a special PRF where the two sets X and Y are the same there is an efficient algorithm for inverting

Secure PRFs let F : K X Y be a PRF let F(X, Y) denote the set of all functions from X and Y let S = {F (k, ) : k K} F(X, Y) intuitively, a PRF is secure if a random function in F(X, Y) is indistinguishable from a random function in S S S = K F(X, Y) F(X, Y) = Y X

Secure PRF b {0, 1} x X Challenger Adversary b = 0 f F(X, Y) f (x) b = 1 F (k, x) k R K b {0, 1}

Secure PRPs let E : K X X be a PRP let P(X ) denote the set of all permutations of X let S = {E(k, ) : k K} P(X ) intuitively, a PRP is secure if a random permutation in P(X ) is indistinguishable from a random permutation in S S S = K P(X ) P(X ) = X!

Secure PRF b {0, 1} x X Challenger Adversary b = 0 π P(X ) π(x) b = 1 E(k, x) k R K b {0, 1}

Question let F : K X {0, 1} 128 be a secure PRF define G by { 0 128 if x = 0 G(k, x) = F (k, x) otherwise is G a secure PRP?

Secure PRFs yield secure PRGs let F : K {0, 1} n {0, 1} n be a secure PRF the following function G : K {0, 1} nt is a secure PRG: G(k) = F (k, 0) F (k, 1) F (k, t) G is parallelizable security of G follows from PRF property: F (k, ) is indistinguishable from function f ( )

Data Encryption Standard

Data encryption standard (DES) widely deployed in banking (ACH) and commerce early 1970s: Horst Feistel designs Lucifer at IBM key-len = 128 bits; block-len = 128 bits 1973: NBS asks for block cipher proposals IBM submits variant of Lucifer 1976: NBS adopts DES as a federal standard key-len = 56 bits; block-len = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES

DES core idea: Feistel network given function f 1,..., f d : {0, 1} n {0, 1} n goal: build invertible function F : {0, 1} 2n {0, 1} 2n R 0 R 1 R 2 R d 1 R d f 1 f 2 f d L 0 L 1 L 2 L d 1 L d R i = f i (R i 1 ) L i 1, L i = R i

Feistel network is invertible the Feistel network is invertible because each iteration is invertible R i 1 R i R i R i 1 f i inverse f i L i 1 L i L i L i 1 this provides a general method for building invertible functions (block ciphers) from arbitrary functions this is used in many block ciphers, but not in AES

3-round Feistel network yields a secure PRP Theorem (Luby-Rackoff 85) let F : K {0, 1} n {0, 1} n be a secure PRF 3-round Feistel E : K 3 {0, 1} 2n {0, 1} 2n is a secure PRP R 0 R 1 R 2 R 3 F (k 1, ) F (k 2, ) F (k 3, ) L 0 L 1 L 2 L 3 the three keys k 1, k 2, k 3 have to be independent

DES: 16 round Feistel network with key expansion f 1,..., f 16 : {0, 1} 32 {0, 1} 32, f i (x) = F (k i, x) k key expansion k 1 k 2 k 3 k 16 input IP 16 round Feistel network FP output

DES key schedule

DES: 16 round Feistel network

The Feistel functions F (k i, ) x E 32 k i 48 48 S 1 6 S 2 6 S 3 6 S 4 6 S 5 6 S 6 6 S 7 6 S 8 6 4 4 4 4 4 4 4 4 the S i -boxes are functions {0, 1} 6 {0, 1} 4 that are implemented as a look-up tables P 32 32

The Feistel functions F (k i, )

The Feistel functions F (k i, ) expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation E by duplicating half of the bits its output consists of eight 6-bit pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side key mixing: the result is combined with a subkey using an XOR operation. substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box this is designed so that, after permutation, each S-box s output bits are spread across 4 different S boxes in the next round

The S i -boxes given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. for example, an input 011011 has outer bits 01 and inner bits 1101; the corresponding output would be 1001

Insecure block cipher if S i boxes linear suppose S i (x 1, x 2,..., x 6 ) = (x 1 x 2, x 1 x 4 x 5, x 1 x 6, x 2 x 3 x 6 ) this can be equivalently written the matrix equation: 0 1 1 0 0 0 S i (x) = A i x = 1 0 0 1 1 0 1 0 0 0 0 1 (mod 2) 0 1 1 0 0 1 we say that S i is linear

Insecure block cipher if S i boxes linear all S i -boxes linear the entire DES cipher linear fixed binary matrix B such that 832 m k 1 DES(k, m) = B k 2 = c. k 16 but then 64 DES(k, m 1 ) DES(k, m 2 ) DES(k, m 2 ) = DES(k, m 1 m 2 m 3 )

Rules for choosing S and P boxes choosing the S and P boxes at random would yield an insecure block cipher (key recovery possible after 2 24 outputs) no output bit should be close to a linear function of the input bits S-boxes are 4-to-1 maps

Exhaustive search attacks

Exhaustive search for block cipher key goal: given a few PT-CT pairs (m i, c i = E(k, m i )), find k Lemma: suppose DES is an ideal cipher, i.e., E(k 1, ) = π 1,..., E(k 2 56, ) = π 2 56 behave as if we had selected the permutations π 1,..., π 2 56 uniformly at random from P(X ) where X = {0, 1} 64 m, c there is at most one key k such that c = DES(k, m) Proof: Pr ( k k : c = DES(k, m) = DES(k, k) ) ( DES(k, m) = DES(k, m) ) k {0,1} 56 Pr 2 56 1 2 64 = 1 2 8

Exhaustive search for block cipher key for two DES pairs (m 1, DES(k 1, m 1 )), (m 2, DES(k 2, m 2 )) the probability of the key being unique is 1 1/2 71 for two AES-128 pairs (m 1, AES(k 1, m 1 )), (m 2, AES(k 2, m 2 )) the probability of the key being unique is 1 1/2 128 two PT-CT pairs are enough for exhaustive key search

DES challenge PT = The unkn own mess age is: XXX... CT = c 1 c 2 c 3 c 4 Goal: find k {0, 56} 56 such that DES(k, m i ) = c i for i = 1, 2, 3 1997 Internet search: 3 months 1998 EEF machine (deep crack): 3 days $250k 1999 combined search: 22 hours 2006 COPACOBANA (120 FPGAs): 7 days $10k 56-bit ciphers should not be used

Strengthening block encryption method 1 Triple encryption let E : K M M be a block cipher define 3E : K 3 M M by 3E((k 1, k 2, k 3 ), m) = E(k 1, D(k 2, E(k 3, m))) observe that we recover (single) encryption when all keys equal E((k, k, k), m) = E(k, m) for 3DES: key-size = 3 56 = 168 bits; 3 times slower than DES

Why not double encryption? define 2E((k 1, k 2 ), m) = E(k 1, E(k 2, m)) m E(k 2, ) E(k 1, ) c goal: find (k 1, k 2 ) such that E(k 1, E(k 2, m)) = c E(k 2, m) = D(k 1, c)

Meet-in-the-middle attack on double encryption attack: M = (m 1,..., m 10 ), C = (c 1,..., c 10 ) build table and sort on second column k 0 = 00... 00 E(k 0, M) k 1 = 00... 01 E(k 1, M) k 2 = 00... 00 E(k 2, M).. k N = 00... 00 E(k N, M) repeat ranging k {0, 1} 56 until D(k, c) appears in second column (check using binary search) when this happens, then E(k i, M) = D(k, C) (k 2, k 1 ) = (k 2, k 1 )

Complexity of the meet-in-the-middle attack Triple DES m E(k 2, ) E(k 1, ) c Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 2 112 Space 2 56 Double DES m E(k 3, ) E(k 2, ) E(k 1, ) c same attack on 3DES Time = 2 118 Space 2 56

Strengthening block encryption method 2 X (xor before and after encryption) let E : K {0, 1} n {0, 1} n be a block cipher define EX by EX ((k 1, k 2, k 3 ), m) = k 1 E(k 2, m k 3 ) observe that k 1 E(k 2 ) and E(k 2, m k 1 ) does nothing for DESX: key-len=64+56+64=184 bits there is an easy attack in time 2 64+56 = 2 120

More attacks on block ciphers

Attack on the implementation side channel attacks: measure time to do enc/dec, measure power for enc/dec http://www.cryptography.com/public/pdf/dpa.pdf fault attacks: computing errors in the last round expose the secret key k

Linear and differential attacks given many PT-CT pairs, the key can be recovered in time less than 2 56 linear cryptanalysis: suppose for random k and m, we have Pr(m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε for some ε > 0 for DES, relation exist with ε = 1/2 21

Linear attacks Theorem: Assume Pr k K m M (m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε holds, then with probability greater than 97.7% the equality k[l 1 ] c[l t ] = MAJ(m[i 1 ] m[i r ] c[j 1 ] c[j s ] is satisfied provided that we are given 1/ε 2 pairs (m, DES(k, m)) with m M we can determine k[l 1,..., l t ] with 1/ε 2 random PT-CT pairs in time 1/ε 2

Linear attacks for DES ε = 1/2 21 given 2 42 random PT-CP pairs, we can determine k[l 1,..., l t in time 2 42 14 key bits can be found this way in time 2 42 brute force search the remaining 56 14 = 42 bits in time 2 42 total attack time is 2 43 2 56 with 2 42 random PT-CT pairs a slight amount of linearity in S 5 leads to a 2 42 time attack

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback