CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Similar documents
18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CPA-Security. Definition: A private-key encryption scheme

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Security and Cryptography 1

Modern Cryptography Lecture 4

Module 2 Advanced Symmetric Ciphers

BLOCK CIPHERS KEY-RECOVERY SECURITY

Dan Boneh. Stream ciphers. The One Time Pad

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

CTR mode of operation

DD2448 Foundations of Cryptography Lecture 3

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

III. Pseudorandom functions & encryption

Chosen Plaintext Attacks (CPA)

Lecture 7: CPA Security, MACs, OWFs

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Modern symmetric-key Encryption

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CS 6260 Applied Cryptography

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Solution of Exercise Sheet 7

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Block ciphers And modes of operation. Table of contents

CS 6260 Applied Cryptography

Online Cryptography Course. Using block ciphers. Review: PRPs and PRFs. Dan Boneh

Lecture 5, CPA Secure Encryption from PRFs

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Computational security & Private key encryption

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Lectures 2+3: Provable Security

Benes and Butterfly schemes revisited

Private-Key Encryption

A survey on quantum-secure cryptographic systems

1 Number Theory Basics

Chapter 2 Balanced Feistel Ciphers, First Properties

Lecture 10 - MAC s continued, hash & MAC

Symmetric Encryption

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Provable Security in Symmetric Key Cryptography

Cryptography Lecture 4 Block ciphers, DES, breaking DES

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Building Secure Block Ciphers on Generic Attacks Assumptions

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 12: Block ciphers

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Scribe for Lecture #5

BEYOND POST QUANTUM CRYPTOGRAPHY

Block Ciphers/Pseudorandom Permutations

The Advanced Encryption Standard

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

2 Message authentication codes (MACs)

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CPSC 91 Computer Security Fall Computer Security. Assignment #2

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Introduction to Cybersecurity Cryptography (Part 4)

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 13: Private Key Encryption

Cryptography 2017 Lecture 2

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Public Key Cryptography

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Block Cipher Cryptanalysis: An Overview

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

The Artin-Feistel Symmetric Cipher

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

ECS 189A Final Cryptography Spring 2011

Homework 7 Solutions

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

The Pseudorandomness of Elastic Block Ciphers

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Division Property: a New Attack Against Block Ciphers

Semantic Security and Indistinguishability in the Quantum World

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

A Domain Extender for the Ideal Cipher

Online Cryptography Course. Message integrity. Message Auth. Codes. Dan Boneh

The Indistinguishability of the XOR of k permutations

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Public-key Cryptography: Theory and Practice

On the Round Security of Symmetric-Key Cryptographic Primitives

Transcription:

CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018

Review Relation between PRF and PRG Construct PRF from PRG (GGM construction) Pseudorandom permutations Definitions of security for encryption CPA/CCA security Relations between definitions CPA-secure construction Security proof Reduction to PRF 2

How to encrypt using PRF? Enc random r plaintext m ciphertext c key k PRF F k F k (r) r, F k r m Dec r Ciphertext c plaintext m key k PRF F k F k (r) F k r c 3

Proof of security - Intuition Π random r plaintext m ciphertext c key k PRF F k F k (r) r, F k r m Π random r plaintext m ciphertext c key k Random f f(r) r, f r m 4

Proof of security - Intuition Π Enc c = (r, F k r m) Dec c = (r, s) m = F k r s 1. Success of adversary to break Π and Π in CPA game is similar Under the assumption that F is a PRF! Π Enc c = (r, f r m) Dec c = (r, s) m = f r s 2. Success of adversary to break Π in CPA game is negligible 5

Proof of security step 2 2. Success of adversary to break Π in CPA game is negligible For any adversary A that makes q(n) queries to Enc oracle: Pr[Exp CPA Π,A n = 1] 1 2 is negl(n) Let A be an adversary in CPA game for Π that makes q = q(n) queries For each query to Enc oracle m 1,, m q, it gets back c i = (r i, f r i m i ) A picks m 0, m 1 and receives back c = (r, f r m b ) 7

Proof of security step 2 2. Success of adversary to break Π in CPA game is negligible For any adversary A that makes q(n) queries to Enc oracle: Pr[Exp CPA Π,A n = 1] 1 2 is negl(n) Case 1 - r is not used to answer the q queries to Enc : Pr[Exp CPA Π,A n = 1] = 1 2 Case 2 - r r 1,, r q : Pr[Exp CPA Π,A n = 1] = 1 But Pr r r 1,, r q σ i Pr[r = r i ] q(n)/2 n Pr[Exp CPA Π,A n = 1] 1 2 + q(n) 2 n 8

Wrap up 1. Success of adversary to break Π and Π in CPA game is similar Assume that F is secure PRF. For any adversary A that makes q(n) queries to Enc oracle: Pr[Exp CPA Π,A n = 1] Pr[Exp CPA Π,A n = 1] negl(n) 2. Success of adversary to break Π in CPA game is negligible For any adversary A that makes q(n) queries to Enc oracle: Pr[Exp CPA Π,A n = 1] 1 2 + q(n) 2 n Pr[Exp CPA Π,A n = 1] 1 2 + q(n) 2 n + negl(n) 9

Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. DES: n= 64 bits, k = 56 bits 2. AES: n=128 bits, k = 128, 192, 256 bits 10

R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) Block Ciphers Built by Iteration key k Key schedule k 1 k 2 k 3 k n m c R(k,m) is called a round function for DES (n=48), for AES-128 (n=10) 11

Design goals Block ciphers should behave like random permutations The number of permutation for n-bit strings is (2 n )! n2 n Construct set of permutations with concise description (short key) Similar to security property of PRP Properties Changing one bit of input should affect all bits of output (good mixing) Two main design approaches Substitution-Permutation Network Feistel Network 12

Substitution-Permutation Network Round key Key mixing S-box Fixed permutation Invertible Substitution Permutation S boxes and mixing permutation are public 13

Three rounds of SPN Invertible if key known 1. Key mixing 2. S boxes 3. Mixing permutation 4. Number of rounds 14

The avalanche effect Changing a single bit of input in S box changes at least 2 bits of output in S box The mixing permutations ensure that the output bits of any S box are used as input to multiple S boxes in the next round 15

Feistel Networks Given functions f 1,, f d : {0,1} n {0,1} n Goal: build invertible function F: {0,1} 2n {0,1} 2n n-bits n-bits R 0 L 0 input R 1 f 1 R 2 L 1 f 2 L 2 R d-1 L d-1 f d R d L d output L i = R i 1 R i = L i 1 f i (R i 1 ) Functions f i are public Round key is derived from main key and secret Advantage: f i not invertible! 16

n-bits n-bits R 0 L 0 input R 1 f 1 R 2 L 1 f 2 L 2 R d-1 L d-1 f d R d L d output Claim: for all f 1,, f d : {0,1} n {0,1} n Feistel network F: {0,1} 2n {0,1} 2n is invertible Proof: construct inverse R i-1 R i f i inverse R i-1 = L i L i-1 L i L i-1 = f i (L i ) R i 17

n-bits n-bits R 0 L 0 input R 1 f 1 R 2 L 1 f 2 L 2 R d-1 L d-1 f d R d L d output Claim: for all f 1,, f d : {0,1} n {0,1} n Feistel network F: {0,1} 2n {0,1} 2n is invertible Proof: construct inverse R i-1 f i R i inverse R i f i R i-1 L i-1 L i L i L i-1 18

Thm: (Luby-Rackoff 85): f: K {0,1} n {0,1} n a secure PRF 3-round Feistel F: K 3 {0,1} 2n {0,1} 2n a secure PRP R 0 f R 1 f R 2 f R 3 L 0 input L 1 L 2 L 3 output Key k 1 Key k 2 Key k 3 Independent 19

The Data Encryption Standard (DES) Early 1970s: Horst Feistel designs Lucifer at IBM key-len = 128 bits ; block-len = 128 bits 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as a federal standard key-len = 56 bits ; block-len = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES 20

64 bits 64 bits DES: 16 round Feistel network f 1,, f 16 : {0,1} 32 {0,1} 32, f i (x) = F( k i, x ) k 56 bits key expansion k 1 k 2 k 16 48 bits 16 round IP IP Feistel network -1 input To invert, use keys in reverse order output 21

The function F(k i, x) Key mixing Substitution- Permutation Network Substitution Permutation S-box: function {0,1} 6 {0,1} 4, implemented as look-up table. 22

The S-boxes Look up table S i : {0,1} 6 {0,1} 4 x 2 x 3 x 4 x 5 x 1 x 6 x 1 x 2 x 3 x 4 x 5 x 6 Not invertible 23

Choosing the S-boxes and P-box Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after 2 24 outputs) [BS 89] Several rules used in choice of S and P boxes: No output bit should be close to a linear function of the input bits S-boxes are 4-to-1 maps (Exactly 4 inputs are mapped to each output) Each row in the table contains each 4-bit string exactly once Changing one bit of input to S box results in changing 2 bits of output 24

DES challenge msg = The unknown messages is: XXXX CT = c 1 c 2 c 3 c 4 Goal: find k {0,1} 56 s.t. DES(k, m i ) = c i for i=1,2,3 1997: Internet search -- 3 months 1998: EFF machine (deep crack) -- 3 days (250K $) 1999: combined search -- 22 hours 2006: COPACOBANA (120 FPGAs) -- 7 days (10K $) 56-bit ciphers should not be used!! (128-bit key 2 72 days) 25

Double DES Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) key length = 112 bits for DES m E(k 2, ) E(k 1, ) c Meet-in-the-middle attack Find (k 1, k 2 ) such that E(k 1, E(k 2, m) ) = C Equivalent to E(k 2, m) = D(k 1, m) 26

Double DES Define 2E( (k 1,k 2 ), m) = E(k 1, E(k 2, m) ) key-len = 112 bits for DES m E(k 2, ) E(k 1, ) c Attack: M = (m 1,, m u ), C = (c 1,,c u ) step 1: build table. sort on 2 nd column k 0 = 00 00 k 1 = 00 01 k 2 = 00 10 k N = 11 11 E(k 0, M) E(k 1, M) E(k 2, M) E(k N, M) 2 56 entries Time 2 56 log(2 56 ) 27

Meet in the middle attack m E(k 2, ) E(k 1, ) c Attack: M = (m 1,, m u ), C = (c 1,,c u ) Step 1: build table. k 0 = 00 00 k 1 = 00 01 k 2 = 00 10 k N = 11 11 E(k 0, M) E(k 1, M) E(k 2, M) E(k N, M) Step 2: for all k {0,1} 56 do: test if D(k, C) is in 2 nd column. if so then E(k i,m) = D(k,C) (k i,k) = (k 2,k 1 ) 28

Meet in the middle attack m E(k 2, ) E(k 1, ) c Time = 2 56 log(2 56 ) + 2 56 log(2 56 ) < 2 63 << 2 112 Build table Search table Space 2 56 29

Triple DES Let E : K M M be a block cipher Define 3E: K 3 M M as 3E( (k 1,k 2, k 3 ), m) = E(k 1, D(k 2,E(k 3, m) ) ) If k 1 = k 2 = k 3 then 3E = DES! For 3DES: key-size = 3 56 = 168 bits 3 slower than DES (simple attack in time 2 118 ) 30

The AES process 1997: NIST publishes request for proposal 1998: 15 submissions. Five claimed attacks. 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES Belgium) (designed in Key sizes: 128, 192, 256 bits. Block size: 128 bits 31

Acknowledgement Some of the slides and slide contents are taken from http://www.crypto.edu.pl/dziembowski/teaching and fall under the following: 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation. We have also used slides from Prof. Dan Boneh online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/onlinecrypto/ 32

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback