Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu
Definition of block ciphers
Block ciphers: crypto work horse n bits PT block n bits E, D CT block key k bits 3DES n=64 bits k=168 bits AES n=128 bits k=168, 192, 256 bits
Block ciphers built by iteration k key expansion k 1 k 2 k 3 k l m R(k 1, ) R(k 2, ) R(k 3, ) R(k l, ) c R(, ) is called a round function l = 48 for DES, l = 10 for AES-128
Performance Crypto++ 5.6.0 benchmarks on AMD 8354 Opteron 2.2 GHz processor under Linux http://www.cryptopp.com/benchmarks.html cipher block/key size speed (MB/sec) RC4 126 Salsa20/12 643 Sosemanuk 727 3DES 64/168 13 AES-128 128/128 109
Crypto++ 5.6.2 check out http://www.cryptopp.com/ for the most recent version Crypto++ 5.6.2 the library contains: authenticated encryption high speed stream ciphers AES and AES candidates other block ciphers block cipher modes of operation message authentication codes hash functions public key cryptography padding schemes for public key cryptography key agreement schemes elliptic curve cryptography... many other features
Abstraction of block ciphers: PRPs and PRFs F is a pseudo random function (PRF) defined over (K, X, Y) F : K X Y if efficient algorithm for evaluating F (k, x) E is a pseudo random permutation (PRF) defined over (K, X ) E : K X X provided that the function E(k, ) is injective k K an efficient deterministic algorithm for evaluating E(k, x) an efficient inversion algorithm D such that D ( k, E(k, x) ) = x k K x X
Example PRPs: AES and DES AES K X X, K = X = {0, 1} 128 3DES K X X, K = {0, 1} 168, X = {0, 1} 64
PRPs are special PRFs a PRP is a special PRF where the two sets X and Y are the same there is an efficient algorithm for inverting
Secure PRFs let F : K X Y be a PRF let F(X, Y) denote the set of all functions from X and Y let S = {F (k, ) : k K} F(X, Y) intuitively, a PRF is secure if a random function in F(X, Y) is indistinguishable from a random function in S S S = K F(X, Y) F(X, Y) = Y X
Secure PRF b {0, 1} x X Challenger Adversary b = 0 f F(X, Y) f (x) b = 1 F (k, x) k R K b {0, 1}
Secure PRPs let E : K X X be a PRP let P(X ) denote the set of all permutations of X let S = {E(k, ) : k K} P(X ) intuitively, a PRP is secure if a random permutation in P(X ) is indistinguishable from a random permutation in S S S = K P(X ) P(X ) = X!
Secure PRF b {0, 1} x X Challenger Adversary b = 0 π P(X ) π(x) b = 1 E(k, x) k R K b {0, 1}
Question let F : K X {0, 1} 128 be a secure PRF define G by { 0 128 if x = 0 G(k, x) = F (k, x) otherwise is G a secure PRP?
Secure PRFs yield secure PRGs let F : K {0, 1} n {0, 1} n be a secure PRF the following function G : K {0, 1} nt is a secure PRG: G(k) = F (k, 0) F (k, 1) F (k, t) G is parallelizable security of G follows from PRF property: F (k, ) is indistinguishable from function f ( )
Data Encryption Standard
Data encryption standard (DES) widely deployed in banking (ACH) and commerce early 1970s: Horst Feistel designs Lucifer at IBM key-len = 128 bits; block-len = 128 bits 1973: NBS asks for block cipher proposals IBM submits variant of Lucifer 1976: NBS adopts DES as a federal standard key-len = 56 bits; block-len = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES
DES core idea: Feistel network given function f 1,..., f d : {0, 1} n {0, 1} n goal: build invertible function F : {0, 1} 2n {0, 1} 2n R 0 R 1 R 2 R d 1 R d f 1 f 2 f d L 0 L 1 L 2 L d 1 L d R i = f i (R i 1 ) L i 1, L i = R i
Feistel network is invertible the Feistel network is invertible because each iteration is invertible R i 1 R i R i R i 1 f i inverse f i L i 1 L i L i L i 1 this provides a general method for building invertible functions (block ciphers) from arbitrary functions this is used in many block ciphers, but not in AES
3-round Feistel network yields a secure PRP Theorem (Luby-Rackoff 85) let F : K {0, 1} n {0, 1} n be a secure PRF 3-round Feistel E : K 3 {0, 1} 2n {0, 1} 2n is a secure PRP R 0 R 1 R 2 R 3 F (k 1, ) F (k 2, ) F (k 3, ) L 0 L 1 L 2 L 3 the three keys k 1, k 2, k 3 have to be independent
DES: 16 round Feistel network with key expansion f 1,..., f 16 : {0, 1} 32 {0, 1} 32, f i (x) = F (k i, x) k key expansion k 1 k 2 k 3 k 16 input IP 16 round Feistel network FP output
DES key schedule
DES: 16 round Feistel network
The Feistel functions F (k i, ) x E 32 k i 48 48 S 1 6 S 2 6 S 3 6 S 4 6 S 5 6 S 6 6 S 7 6 S 8 6 4 4 4 4 4 4 4 4 the S i -boxes are functions {0, 1} 6 {0, 1} 4 that are implemented as a look-up tables P 32 32
The Feistel functions F (k i, )
The Feistel functions F (k i, ) expansion: the 32-bit half-block is expanded to 48 bits using the expansion permutation E by duplicating half of the bits its output consists of eight 6-bit pieces, each containing a copy of 4 corresponding input bits, plus a copy of the immediately adjacent bit from each of the input pieces to either side key mixing: the result is combined with a subkey using an XOR operation. substitution: after mixing in the subkey, the block is divided into eight 6-bit pieces before processing by the S-boxes permutation: the 32 outputs from the S-boxes are rearranged according to a fixed permutation, the P-box this is designed so that, after permutation, each S-box s output bits are spread across 4 different S boxes in the next round
The S i -boxes given a 6-bit input, the 4-bit output is found by selecting the row using the outer two bits (the first and last bits), and the column using the inner four bits. for example, an input 011011 has outer bits 01 and inner bits 1101; the corresponding output would be 1001
Insecure block cipher if S i boxes linear suppose S i (x 1, x 2,..., x 6 ) = (x 1 x 2, x 1 x 4 x 5, x 1 x 6, x 2 x 3 x 6 ) this can be equivalently written the matrix equation: 0 1 1 0 0 0 S i (x) = A i x = 1 0 0 1 1 0 1 0 0 0 0 1 (mod 2) 0 1 1 0 0 1 we say that S i is linear
Insecure block cipher if S i boxes linear all S i -boxes linear the entire DES cipher linear fixed binary matrix B such that 832 m k 1 DES(k, m) = B k 2 = c. k 16 but then 64 DES(k, m 1 ) DES(k, m 2 ) DES(k, m 2 ) = DES(k, m 1 m 2 m 3 )
Rules for choosing S and P boxes choosing the S and P boxes at random would yield an insecure block cipher (key recovery possible after 2 24 outputs) no output bit should be close to a linear function of the input bits S-boxes are 4-to-1 maps
Exhaustive search attacks
Exhaustive search for block cipher key goal: given a few PT-CT pairs (m i, c i = E(k, m i )), find k Lemma: suppose DES is an ideal cipher, i.e., E(k 1, ) = π 1,..., E(k 2 56, ) = π 2 56 behave as if we had selected the permutations π 1,..., π 2 56 uniformly at random from P(X ) where X = {0, 1} 64 m, c there is at most one key k such that c = DES(k, m) Proof: Pr ( k k : c = DES(k, m) = DES(k, k) ) ( DES(k, m) = DES(k, m) ) k {0,1} 56 Pr 2 56 1 2 64 = 1 2 8
Exhaustive search for block cipher key for two DES pairs (m 1, DES(k 1, m 1 )), (m 2, DES(k 2, m 2 )) the probability of the key being unique is 1 1/2 71 for two AES-128 pairs (m 1, AES(k 1, m 1 )), (m 2, AES(k 2, m 2 )) the probability of the key being unique is 1 1/2 128 two PT-CT pairs are enough for exhaustive key search
DES challenge PT = The unkn own mess age is: XXX... CT = c 1 c 2 c 3 c 4 Goal: find k {0, 56} 56 such that DES(k, m i ) = c i for i = 1, 2, 3 1997 Internet search: 3 months 1998 EEF machine (deep crack): 3 days $250k 1999 combined search: 22 hours 2006 COPACOBANA (120 FPGAs): 7 days $10k 56-bit ciphers should not be used
Strengthening block encryption method 1 Triple encryption let E : K M M be a block cipher define 3E : K 3 M M by 3E((k 1, k 2, k 3 ), m) = E(k 1, D(k 2, E(k 3, m))) observe that we recover (single) encryption when all keys equal E((k, k, k), m) = E(k, m) for 3DES: key-size = 3 56 = 168 bits; 3 times slower than DES
Why not double encryption? define 2E((k 1, k 2 ), m) = E(k 1, E(k 2, m)) m E(k 2, ) E(k 1, ) c goal: find (k 1, k 2 ) such that E(k 1, E(k 2, m)) = c E(k 2, m) = D(k 1, c)
Meet-in-the-middle attack on double encryption attack: M = (m 1,..., m 10 ), C = (c 1,..., c 10 ) build table and sort on second column k 0 = 00... 00 E(k 0, M) k 1 = 00... 01 E(k 1, M) k 2 = 00... 00 E(k 2, M).. k N = 00... 00 E(k N, M) repeat ranging k {0, 1} 56 until D(k, c) appears in second column (check using binary search) when this happens, then E(k i, M) = D(k, C) (k 2, k 1 ) = (k 2, k 1 )
Complexity of the meet-in-the-middle attack Triple DES m E(k 2, ) E(k 1, ) c Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 2 112 Space 2 56 Double DES m E(k 3, ) E(k 2, ) E(k 1, ) c same attack on 3DES Time = 2 118 Space 2 56
Strengthening block encryption method 2 X (xor before and after encryption) let E : K {0, 1} n {0, 1} n be a block cipher define EX by EX ((k 1, k 2, k 3 ), m) = k 1 E(k 2, m k 3 ) observe that k 1 E(k 2 ) and E(k 2, m k 1 ) does nothing for DESX: key-len=64+56+64=184 bits there is an easy attack in time 2 64+56 = 2 120
More attacks on block ciphers
Attack on the implementation side channel attacks: measure time to do enc/dec, measure power for enc/dec http://www.cryptography.com/public/pdf/dpa.pdf fault attacks: computing errors in the last round expose the secret key k
Linear and differential attacks given many PT-CT pairs, the key can be recovered in time less than 2 56 linear cryptanalysis: suppose for random k and m, we have Pr(m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε for some ε > 0 for DES, relation exist with ε = 1/2 21
Linear attacks Theorem: Assume Pr k K m M (m[i 1 ] m[i r ] c[j 1 ] c[j s ] k[l 1 ] c[l t ]) = 1 2 +ε holds, then with probability greater than 97.7% the equality k[l 1 ] c[l t ] = MAJ(m[i 1 ] m[i r ] c[j 1 ] c[j s ] is satisfied provided that we are given 1/ε 2 pairs (m, DES(k, m)) with m M we can determine k[l 1,..., l t ] with 1/ε 2 random PT-CT pairs in time 1/ε 2
Linear attacks for DES ε = 1/2 21 given 2 42 random PT-CP pairs, we can determine k[l 1,..., l t in time 2 42 14 key bits can be found this way in time 2 42 brute force search the remaining 56 14 = 42 bits in time 2 42 total attack time is 2 43 2 56 with 2 42 random PT-CT pairs a slight amount of linearity in S 5 leads to a 2 42 time attack