BLOCK CIPHERS
BLOCK CIPHERS
Mihir Bellare
UCSD
1
Permutations and Inverses
A function f : {0, 1}` → {0, 1}` is a permutation if there is an inverse
function f −1 : {0, 1}` → {0, 1}` satisfying
∀x ∈ {0, 1}` : f −1 (f (x)) = x
This means f must be one-to-one and onto, meaning for every y ∈ {0, 1}`
there is a unique x ∈ {0, 1}` such that f (x) = y .
Mihir Bellare
UCSD
2
Permutations and Inverses
x
f (x)
00
01
01
11
10
00
11
10
x
f (x)
A permutation
Mihir Bellare
00
01
01
11
10
11
11
10
Not a permutation
UCSD
3
Permutations and Inverses
x
f (x)
00
01
01
11
10
00
11
10
x
f −1 (x)
A permutation
Mihir Bellare
00
10
01
00
10
11
11
01
Its inverse
UCSD
4
Block Ciphers
Let
E : {0, 1}k × {0, 1}` → {0, 1}`
be a function taking a key K and input x to return output E (K , x). For
each key K we let EK : {0, 1}` → {0, 1}` be the function defined by
EK (x) = E (K , x) .
We say that E is a block cipher if
• EK : {0, 1}` → {0, 1}` is a permutation for every K , meaning has an
inverse EK−1 ,
• E , E −1 are efficiently computable,
where E −1 (K , x) = EK−1 (x).
Mihir Bellare
UCSD
5
Example
The table entry corresponding to the key in row K and input in column x
is EK (x).
00
01
10
11
00
00
01
10
11
01
01
00
11
10
10
10
11
00
01
11
11
10
01
00
In this case, the inverse cipher E −1 is given by the same table: the table
entry corresponding to the key in row K and output in column y is EK−1 (y ).
Mihir Bellare
UCSD
6
Block Ciphers: Example
Let ` = k and define E : {0, 1}k × {0, 1}` → {0, 1}` by
EK (x) = E (K , x) = K ⊕ x
Then EK has inverse EK−1 where
EK−1 (y ) = K ⊕ y
Why? Because
EK−1 (EK (x)) = EK−1 (K ⊕ x) = K ⊕ K ⊕ x = x
The inverse of block cipher E is the block cipher E −1 defined by
E −1 (K , y ) = EK−1 (y ) = K ⊕ y
Mihir Bellare
UCSD
7
Block cipher usage
$
• K ← {0, 1}k
• K (magically) given to parties S, R, but not to A.
• S,R use EK
Algorithm E is public! Think of EK as encryption under key K .
Leads to security requirements like:
• Hard to get K from y1 , y2 , . . .
• Hard to get xi from yi
Mihir Bellare
UCSD
8
DES History
1972 – NBS (now NIST) asked for a block cipher for standardization
1974 – IBM designs Lucifer
Lucifer eventually evolved into DES.
Widely adopted as a standard including by ANSI and American Bankers
association
Used in ATM machines
Replaced (by AES) in 2001.
Mihir Bellare
UCSD
9
DES parameters
Key Length k = 56
Block length ` = 64
So,
DES : {0, 1}56 × {0, 1}64 → {0, 1}64
DES−1 : {0, 1}56 × {0, 1}64 → {0, 1}64
Mihir Bellare
UCSD
10
DES Construction
function DESK (M) // |K | = 56 and |M| = 64
(K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16
M ← IP(M)
Parse M as L0 k R0 // |L0 | = |R0 | = 32
for i = 1 to 16 do
Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1
C ← IP−1 (L16 k R16 )
return C
Round i:
Mihir Bellare
Invertible given Ki :
UCSD
11
DES Construction
function DESK (M) // |K | = 56 and |M| = 64
(K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16
M ← IP(M)
Parse M as L0 k R0 // |L0 | = |R0 | = 32
for i = 1 to 16 do
Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1
C ← IP−1 (L16 k R16 )
return C
function DES−1
// |K | = 56 and |M| = 64
K (C )
(K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16
C ← IP(C )
Parse C as L16 k R16
for i = 16 downto 1 do
Ri−1 ← Li ; Li−1 ← f (Ki , Ri−1 ) ⊕ Ri
M ← IP−1 (L0 k R0 )
return M
Mihir Bellare
UCSD
12
DES Construction
function DESK (M) // |K | = 56 and |M| = 64
(K1 , . . . , K16 ) ← KeySchedule(K ) // |Ki | = 48 for 1 ≤ i ≤ 16
M ← IP(M)
Parse M as L0 k R0 // |L0 | = |R0 | = 32
for i = 1 to 16 do
Li ← Ri−1 ; Ri ← f (Ki , Ri−1 ) ⊕ Li−1
C ← IP−1 (L16 k R16 )
return C
IP−1
IP
58
60
62
64
57
59
61
63
50
52
54
56
49
51
53
55
Mihir Bellare
42
44
46
48
41
43
45
47
34
36
38
40
33
35
37
39
26
28
30
32
25
27
29
31
18
20
22
24
17
19
21
23
10
12
14
16
9
11
13
15
2
4
6
8
1
3
5
7
40
39
38
37
36
35
34
33
UCSD
8
7
6
5
4
3
2
1
48
47
46
45
44
43
42
41
16
15
14
13
12
11
10
9
56
55
54
53
52
51
50
49
24
23
22
21
20
19
18
17
64
63
62
61
60
59
58
57
32
31
30
29
28
27
26
25
13
DES Construction
function f (J, R) // |J| = 48 and |R| = 32
R ← E (R) ; R ← R ⊕ J
Parse R as R1 k R2 k R3 k R4 k R5 k R6 k R7 k R8 // |Ri | = 6 for 1 ≤ i ≤
for i = 1, . . . , 8 do
Ri ← Si (Ri ) // Each S-box returns 4 bits
R ← R1 k R2 k R3 k R4 k R5 k R6 k R7 k R8 // |R| = 32 bits
R ← P(R)
return R
E
Mihir Bellare
32
4
8
12
16
20
24
28
1
5
9
13
17
21
25
29
2
6
10
14
18
22
26
30
P
3
7
11
15
19
23
27
31
4
8
12
16
20
24
28
32
5
9
13
17
21
25
29
1
UCSD
16
29
1
5
2
32
19
22
7
12
15
18
8
27
13
11
20
28
23
31
24
3
30
4
21
17
26
10
14
9
6
25
14
S-boxes
S1 :
S2 :
S3 :
0
0
1
1
0
1
0
1
0
14
0
4
15
1
4
15
1
12
2
13
7
14
8
3
1
4
8
2
4
2
14
13
4
0
0
1
1
0
1
0
1
0
15
3
0
13
1
1
13
14
8
2
8
4
7
10
3
14
7
11
1
4
6
15
10
3
0
0
1
1
0
1
0
1
0
10
13
13
1
1
0
7
6
10
2
9
0
4
13
3
14
9
9
0
4
6
3
8
6
5
15
2
6
9
5
11
2
4
15
5
3
4
15
9
6
11
13
2
1
7
8
1
11
7
6
3
8
13
4
6
15
6
3
8
7
4
14
1
2
7
5
10
0
7
8
3
10
15
5
8
9
12
5
11
8
1
2
11
4
9
10
6
12
11
10
6
12
9
3
11
12
11
7
14
12
5
9
3
10
13
9
5
10
0
14
0
3
5
6
15
7
8
0
13
9
7
0
8
6
10
2
1
12
7
11
13
10
6
12
12
12
6
9
0
13
0
9
3
5
14
5
11
2
14
15
10
5
15
9
9
13
8
1
15
10
12
5
2
14
11
7
14
12
3
12
11
12
5
11
13
4
11
10
5
14
2
15
14
2
15
8
1
7
12
Figure : The DES S-boxes.
Mihir Bellare
UCSD
15
Cryptanalysis: Key Recovery Attacks on Block Ciphers
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher. It is known to the
adversary A.
Def: We say that K 0 ∈ {0, 1}k is consistent with (M1 , C1 ), . . . , (Mq , Cq ) if
E (K 0 , Mi ) = Ci for all 1 ≤ i ≤ q.
Key-recovery security game, informally:
$
• A target key K ← {0, 1}k is selected but not given to A.
• A can submit a plaintext M ∈ {0, 1}` and get back C = E (K , M), in
this way gathering input-output examples (M1 , C1 ), . . . , (Mq , Cq ) of
E (K , ·).
• A outputs a “guess” K 0
• A wins if K 0 is consistent with (M1 , C1 ), . . . , (Mq , Cq ).
Mihir Bellare
UCSD
16
Cryptanalysis: Key Recovery Attacks on Block Ciphers
Key-recovery security game, informally:
$
• A target key K ← {0, 1}k is selected but not given to A.
• A can submit a plaintext M ∈ {0, 1}` and get back C = E (K , M), in
this way gathering input-output examples (M1 , C1 ), . . . , (Mq , Cq ) of
E (K , ·).
• A outputs a “guess” K 0
• A wins if K 0 is consistent with (M1 , C1 ), . . . , (Mq , Cq ).
Usually, if K 0 is consistent with K , then K 0 = K , so the attack recovers
the target key.
About the model: Certainly A should be given C1 , . . . , Cq . But why does
A get to pick M1 , . . . , Mq ? Reasons include a posteriori revelation of data,
a priori knowledge of context, and just being conservative!
Mihir Bellare
UCSD
17
Key recovery game and advantage
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher and A an adversary.
Game KRE
procedure Initialize
$
K ← {0, 1}k ; i ← 0
procedure Fn(M)
i ← i + 1; Mi ← M
Ci ← E (K , Mi )
Return Ci
procedure Finalize(K 0 )
win ← true
For j = 1, . . . , i do
If E (K 0 , Mj ) 6= Cj then win ← false
If Mj ∈ {M1 , . . . , Mj−1 } then win ← false
Return win
A
Advkr
E (A) = Pr[KRE ⇒ true]
Mihir Bellare
UCSD
18
Running a game with an adversary
• First Initialize executes
• Now A can call (query) Fn on any input M of its choice. It can
make as many queries as it wants
• Eventually A will halt with an output K 0 which is automatically
viewed as the input to Finalize
• The game returns whatever Finalize returns
• The advantage of A is the probability that the game returns true
Advkr
E (A) will depend on the number q of queries that A makes and its
running time.
Mihir Bellare
UCSD
19
Exhaustive Key Search
Let T1 , . . . , T2k be a list of all k bit keys and let hii denote the `-bit
binary representation of integer i. Let 1 ≤ q ≤ 2` be a parameter.
adversary Aeks
For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj )
For i = 1, . . . , 2k do
if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti
Then Advkr
E (Aeks ) = 1 because K ∈ {T1 , . . . , T2k } and K is consistent
with (M1 , C1 ), . . . , (Mq , Cq ).
Think of q as small, like q ∈ {1, 2, 3}. As long as q > k/`, empirical
evidence says that the attack returns the target key K itself.
Mihir Bellare
UCSD
20
Exercise: Target key recovery
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher and A an adversary.
The following measures A’s ability to find the target key:
Game TKRE
procedure Initialize
$
K ← {0, 1}k
procedure Fn(M)
Return E (K , M)
procedure Finalize(K 0 )
Return (K = K 0 )
A
Let Advtkr
E (A) = Pr[TKRE ⇒ true].
Given k, `, design a blockcipher E : {0, 1}k × {0, 1}` → {0, 1}` such that
• For any q there is a q-query adversary A with Advkr
E (A) = 1
−k for any A
• Advtkr
E (A) ≤ 2
Mihir Bellare
UCSD
21
How long does exhaustive key search take?
DES can be computed at 1.6 Gbits/sec in hardware.
DES plaintext = 64 bits
Chip can perform (1.6 × 109 )/64 = 2.5 × 107 DES computations per
second
Expect Aeks (q = 1) to succeed in 255 DES computations, so it takes time
255
2.5 × 107
≈ 1.4 × 109 seconds
≈ 45 years!
Key Complementation ⇒ 22.5 years
But this is prohibitive. Does this mean DES is secure?
Mihir Bellare
UCSD
22
Differential and linear cryptanalysis
Exhaustive key search is a generic attack: Did not attempt to “look
inside” DES and find/exploit weaknesses.
The following non-generic key-recovery attacks on DES have advantage
close to one and running time smaller than 256 DES computations:
Mihir Bellare
Attack
when
q, running time
Differential cryptanalysis
1992
247
Linear cryptanalysis
1993
244
UCSD
23
Differential and linear cryptanalysis
Exhaustive key search is a generic attack: Did not attempt to “look
inside” DES and find/exploit weaknesses.
The following non-generic key-recovery attacks on DES have advantage
close to one and running time smaller than 256 DES computations:
Attack
when
q, running time
Differential cryptanalysis
1992
247
Linear cryptanalysis
1993
244
But merely storing 244 input-output pairs requires 281 Tera-bytes.
In practice these attacks were prohibitively expensive.
Mihir Bellare
UCSD
24
EKS revisited
adversary Aeks
For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj )
For i = 1, . . . , 2k do
if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti
Mihir Bellare
UCSD
25
EKS revisited
adversary Aeks
For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj )
For i = 1, . . . , 2k do
if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti
Observation: The E computations can be performed in parallel!
Mihir Bellare
UCSD
26
EKS revisited
adversary Aeks
For j = 1, . . . , q do Mj ← hj − 1i; Cj ← Fn(Mj )
For i = 1, . . . , 2k do
if (∀j ∈ {1, . . . , q} : E (Ti , Mj ) = Cj ) then return Ti
Observation: The E computations can be performed in parallel!
In 1993, Wiener designed a dedicated DES-cracking machine:
• $1 million
• 57 chips, each with many, many DES processors
• Finds key in 3.5 hours
Mihir Bellare
UCSD
27
DES security summary
DES is considered broken because its short key size permits rapid
key-search.
But DES is a very strong design as evidenced by the fact that there are no
practical attacks that exploit its structure.
Mihir Bellare
UCSD
28
2DES
Block cipher 2DES : {0, 1}112 × {0, 1}64 → {0, 1}64 is defined by
2DESK1 K2 (M) = DESK2 (DESK1 (M))
• Exhaustive key search takes 2112 DES computations, which is too
much even for machines
• Resistant to differential and linear cryptanalysis.
Mihir Bellare
UCSD
29
Meet-in-the-middle attack on 2DES
Suppose K1 K2 is a target 2DES key and adversary has M, C such that
C = 2DESK1 K2 (M) = DESK2 (DESK1 (M))
Then
DESK−1
(C ) = DESK1 (M)
2
Mihir Bellare
UCSD
30
Meet-in-the-middle attack on 2DES
Suppose DESK−1
(C ) = DESK1 (M) and T1 , . . . , TN are all possible DES
2
keys, where N = 256 .
T1
DES(T1 , M)
DES −1 (T1 , C )
T1
Ti
DES(Ti , M)
DES −1 (Tj , C )
Tj
TN
DES(TN , M)
Table L
DES −1 (TN , C )
TN
Table R
Attack idea:
• Build L,R tables
Mihir Bellare
UCSD
31
Meet-in-the-middle attack on 2DES
Suppose DESK−1
(C ) = DESK1 (M) and T1 , . . . , TN are all possible DES
2
keys, where N = 256 .
T1
DES(T1 , M)
K 1 → Ti
DES(Ti , M)
TN
DES(TN , M)
Table L
equal
←→
DES −1 (T1 , C )
T1
DES −1 (Tj , C )
Tj
DES −1 (TN , C )
TN
← K2
Table R
Attack idea:
• Build L,R tables
• Find i, j s.t. L[i] = R[j]
• Guess that K1 K2 = Ti Tj
Mihir Bellare
UCSD
32
Meet-in-the-middle attack on 2DES
Let T1 , . . . , T256 denote an enumeration of DES keys.
adversary AMinM
M1 ← 064 ; C1 ← Fn(M1 )
for i = 1, . . . , 256 do L[i] ← DES(Ti , M1 )
for j = 1, . . . , 256 do R[j] ← DES−1 (Tj , C1 )
S ← { (i, j) : L[i] = R[j] }
Pick some (l, r ) ∈ S and return Tl k Tr
Attack takes about 257 DES/DES−1 computations and has
Advkr
2DES (AMinM ) = 1.
This uses q = 1 and is unlikely to return the target key. For that one
should extend the attack to a larger value of q.
Mihir Bellare
UCSD
33
3DES
Block ciphers
3DES3 : {0, 1}168 × {0, 1}64 → {0, 1}64
3DES2 : {0, 1}112 × {0, 1}64 → {0, 1}64
are defined by
3DES3K1 k K2 k K3 (M) = DESK3 (DES−1
K2 (DESK1 (M))
3DES2K1 k K2 (M) = DESK2 (DES−1
K1 (DESK2 (M))
Meet-in-the-middle attack on 3DES3 reduces its “effective” key length to
112.
Mihir Bellare
UCSD
34
DESX
DESXKK1 K2 (M) = K2 ⊕ DESK (K1 ⊕ M)
• Key length = 56 + 64 + 64 = 184
• “effective” key length = 120 due to a 2120 time meet-in-middle attack
• No more resistant than DES to linear or differential cryptanalysis
Good practical replacement for DES that has lower computational cost
than 2DES or 3DES.
Mihir Bellare
UCSD
35
Block size limitation
Later we will see “birthday” attacks that “break” a block cipher
E : {0, 1}k × {0, 1}` → {0, 1}` in time 2`/2
For DES this is 264/2 = 232 which is small, and this is unchanged for 2DES
and 3DES.
Would like a larger block size.
Mihir Bellare
UCSD
36
AES
1998: NIST announces competition for a new block cipher
• key length 128
• block length 128
• faster than DES in software
Submissions from all over the world: MARS, Rijndael, Two-Fish, RC6,
Serpent, Loki97, Cast-256, Frog, DFC, Magenta, E2, Crypton, HPC,
Safer+, Deal
Mihir Bellare
UCSD
37
AES
1998: NIST announces competition for a new block cipher
• key length 128
• block length 128
• faster than DES in software
Submissions from all over the world: MARS, Rijndael, Two-Fish, RC6,
Serpent, Loki97, Cast-256, Frog, DFC, Magenta, E2, Crypton, HPC,
Safer+, Deal
2001: NIST selects Rijndael to be AES.
Mihir Bellare
UCSD
38
AES
function AESK (M)
(K0 , . . . , K10 ) ← expand(K )
s ← M ⊕ K0
for r = 1 to 10 do
s ← S(s)
s ← shift-rows(s)
if r ≤ 9 then s ← mix-cols(s) fi
s ← s ⊕ Kr
end for
return s
• Fewer tables than DES
• Finite field operations
Mihir Bellare
UCSD
39
The AES movie
http://www.youtube.com/watch?v=H2LlHOw_ANg
Mihir Bellare
UCSD
40
Implementing AES
Pre-compute and store
round function tables
Pre-compute and store
S-boxes only
No pre-computation
Code size
Performance
largest
fastest
smaller
slower
smallest
slowest
AES-NI: Hardware for AES, now present on most processors. Your laptop
may have it! Can run AES at around 1 cycle/byte. VERY fast!
Mihir Bellare
UCSD
41
Security of AES
Best known key-recovery attack [BoKhRe11] takes 2126.1 time, which is
only marginally better than the 2128 time of EKS.
There are attacks on reduced-round versions of AES as well as on its
sibling algorithms AES192, AES256. Many of these are “related-key”
attacks. There are also effective side-channel attacks on AES such as
“cache-timing” attacks [Be05,OsShTr05].
Mihir Bellare
UCSD
42
Exercise
Define F : {0, 1}256 × {0, 1}256 → {0, 1}256 by
Alg FK1 kK2 (x1 kx2 )
y1 ← AES−1 (K1 , x1 ⊕ x2 ); y2 ← AES(K2 , x2 ⊕ K1 )
Return y1 ky2
for all 128-bit strings K1 , K2 , x1 , x2 . Let TAES denote the time for one
computation of AES or AES−1 . Below, running times are worst-case and
should be functions of TAES .
1.
Prove that F is a blockcipher.
2.
What is the running time of a 4-query exhaustive key-search attack
on F ?
3.
Give the best 4-query key-recovery attack that you can on F in the
form of an adversary A specified in pseudocode and achieving
Advkr
F (A) = 1. Say what is the running time of A.
Mihir Bellare
UCSD
43
Limitations of security against key recovery
So far, a block cipher has been viewed as secure if it resists key recovery,
meaning there is no efficient adversary A having Advkr
E (A) ≈ 1.
Is security against key recovery enough?
Not really. For example define E : {0, 1}128 × {0, 1}256 → {0, 1}256 by
EK (M[1]M[2]) = M[1]kAESK (M[2])
This is as secure against key-recovery as AES, but not a “good”
blockcipher because half the message is in the clear in the ciphertext.
Mihir Bellare
UCSD
44
So what?
Possible reaction: But DES, AES are not designed like E above, so why
does this matter?
Answer: It tells us that security against key recovery is not, as a
block-cipher property, sufficient for security of uses of the block cipher.
As designers and users we want to know what properties of a block cipher
give us security when the block cipher is used.
Mihir Bellare
UCSD
45
So what is a “good” block cipher?
Possible Properties
security against key recovery
hard to find M given C = EK (M)
..
.
Necessary?
YES
YES
Sufficient?
NO!
NO!
We can’t define or understand security well via some such (indeterminable)
list.
We want a single “master” property of a block cipher that is sufficient to
ensure security of common usages of the block cipher.
Mihir Bellare
UCSD
46
© Copyright 2024