BLOCK CIPHERS and KEY-RECOVERY SECURITY
Mihir Bellare UCSD

Notation

$\{0,1\}^n$ is the set of $n$-bit strings and $\{0,1\}^*$ is the set of all strings of finite length. By $\varepsilon$ we denote the empty string.

If $S$ is a set then $|S|$ denotes its size. Example: $|\{0,1\}^2| = 4$.

If $x$ is a string then $|x|$ denotes its length. Example: $|0100| = 4$.

If $m \geq 1$ is an integer then let $\mathbf{Z}_m = \{0, 1, \ldots, m-1\}$.

By $x \stackrel{\$}{\leftarrow} S$ we denote picking an element at random from set $S$ and assigning it to $x$. Thus $\Pr[x = s] = 1/|S|$ for every $s \in S$.

Functions

Let $n \geq 1$ be an integer. Let $X_1, \ldots, X_n$ and $Y$ be (non-empty) sets.

By $f : X_1 \times \cdots \times X_n \to Y$ we denote that $f$ is a function that
• Takes inputs $x_1, \ldots, x_n$, where $x_i \in X_i$ for $1 \leq i \leq n$
• and returns an output $y = f(x_1, \ldots, x_n) \in Y$.

We call $n$ the number of inputs (or arguments) of $f$. We call $X_1 \times \cdots \times X_n$ the domain of $f$ and $Y$ the range of $f$.

Example: Define $f : \mathbf{Z}_2 \times \mathbf{Z}_3 \to \mathbf{Z}_3$ by $f(x_1, x_2) = (x_1 + x_2) \bmod 3$. This is a function with $n = 2$ inputs, domain $\mathbf{Z}_2 \times \mathbf{Z}_3$ and range $\mathbf{Z}_3$.
Permutations

Suppose $f : X \to Y$ is a function with one argument. We say that it is a permutation if
• $X = Y$, meaning its domain and range are the same set.
• There is an inverse function $f^{-1} : Y \to X$ such that $f^{-1}(f(x)) = x$ for all $x \in X$.

This means $f$ must be one-to-one and onto: for every $y \in Y$ there is a unique $x \in X$ such that $f(x) = y$.

Permutations versus functions example

Consider the following two functions $f : \{0,1\}^2 \to \{0,1\}^2$, where $X = Y = \{0,1\}^2$:

A permutation:
    x       00  01  10  11
    f(x)    01  11  00  10

Not a permutation:
    x       00  01  10  11
    f(x)    01  11  11  10

Its inverse (for the permutation):
    x          00  01  10  11
    f^{-1}(x)  10  00  11  01

Function families

A family of functions (also called a function family) is a two-input function $F : \mathrm{Keys} \times D \to R$. For $K \in \mathrm{Keys}$ we let $F_K : D \to R$ be defined by $F_K(x) = F(K, x)$ for all $x \in D$.
• The set Keys is called the key space. If $\mathrm{Keys} = \{0,1\}^k$ we call $k$ the key length.
• The set $D$ is called the input space. If $D = \{0,1\}^\ell$ we call $\ell$ the input length.
• The set $R$ is called the output space or range. If $R = \{0,1\}^L$ we call $L$ the output length.

Example: Define $F : \mathbf{Z}_2 \times \mathbf{Z}_3 \to \mathbf{Z}_3$ by $F(K, x) = (K \cdot x) \bmod 3$.
• This is a family of functions with domain $\mathbf{Z}_2 \times \mathbf{Z}_3$ and range $\mathbf{Z}_3$.
• If $K = 1$ then $F_K : \mathbf{Z}_3 \to \mathbf{Z}_3$ is given by $F_K(x) = x \bmod 3$.
Block ciphers: Definition

Let $E : \mathrm{Keys} \times D \to R$ be a family of functions. We say that $E$ is a block cipher if
• $R = D$, meaning the input and output spaces are the same set.
• $E_K : D \to D$ is a permutation for every key $K \in \mathrm{Keys}$, meaning it has an inverse $E_K^{-1} : D \to D$ such that $E_K^{-1}(E_K(x)) = x$ for all $x \in D$.

We let $E^{-1} : \mathrm{Keys} \times D \to D$, defined by $E^{-1}(K, y) = E_K^{-1}(y)$, be the inverse block cipher to $E$.

In practice we want that $E$, $E^{-1}$ are efficiently computable.

If $\mathrm{Keys} = \{0,1\}^k$ then $k$ is the key length as before. If $D = \{0,1\}^\ell$ we call $\ell$ the block length.

Block ciphers: Example

Block cipher $E : \{0,1\}^2 \times \{0,1\}^2 \to \{0,1\}^2$ (first table), where the table entry corresponding to the key in row $K$ and input in column $x$ is $E_K(x)$. Its inverse $E^{-1} : \{0,1\}^2 \times \{0,1\}^2 \to \{0,1\}^2$ (second table).

E:
    K \ x   00  01  10  11
    00      11  00  10  01
    01      11  10  01  00
    10      10  11  00  01
    11      11  00  10  01

E^{-1}:
    K \ y   00  01  10  11
    00      01  11  10  00
    01      11  10  01  00
    10      10  11  00  01
    11      01  11  10  00

• Row 01 of $E$ equals Row 01 of $E^{-1}$, meaning $E_{01} = E_{01}^{-1}$
• Rows have no repeated entries, for both $E$ and $E^{-1}$
• Column 00 of $E$ has repeated entries, that's ok
• Rows 00 and 11 of $E$ are the same, that's ok

Block Ciphers: Example

Let $\ell = k$ and define $E : \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^\ell$ by
$E_K(x) = E(K, x) = K \oplus x$

Then $E_K$ has inverse $E_K^{-1}$ where
$E_K^{-1}(y) = K \oplus y$

Why? Because
$E_K^{-1}(E_K(x)) = E_K^{-1}(K \oplus x) = K \oplus K \oplus x = x$

The inverse of block cipher $E$ is the block cipher $E^{-1}$ defined by
$E^{-1}(K, y) = E_K^{-1}(y) = K \oplus y$

Exercise

Let $E : \mathrm{Keys} \times D \to D$ be a block cipher. Is $E$ a permutation?
• YES
• NO
• QUESTION DOESN'T MAKE SENSE
• WHO CARES?

This is an exercise in correct mathematical language.
Slow is good

Exercise

Let $E : \mathrm{Keys} \times D \to D$ be a block cipher. Is $E$ a permutation?

How to proceed to answer this: Think slow. Don't jump to a conclusion. Instead:
• Look back at the definition of a block cipher.
• Look back at the definition of a permutation.
• Pattern match these.
• Now make an informed and justified conclusion.

This is an exercise in correct mathematical language. This is considered a high-school level exercise.

Exercise

Above we had given the following example of a family of functions: $F : \mathbf{Z}_2 \times \mathbf{Z}_3 \to \mathbf{Z}_3$ defined by $F(K, x) = (K \cdot x) \bmod 3$.

Question: Is $F$ a block cipher? Why or why not?

Answer: No, because $F_0(1) = F_0(2)$ so $F_0$ is not a permutation.
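The block-cipher definition can be checked mechanically on the small examples from the slides. The following is an added example, not part of the original slides: it tests every key of the family $F(K, x) = (K \cdot x) \bmod 3$, of the 2-bit table cipher $E$, and of the XOR cipher on 4-bit blocks, and rebuilds the inverse table of $E$. The helper names (`is_permutation`, `non_permutation_keys`, `inverse_table`) are assumptions made for this example.

```python
def is_permutation(fn, domain):
    # One-to-one and onto: the outputs over the domain are exactly the domain.
    return sorted(fn(x) for x in domain) == sorted(domain)

def non_permutation_keys(family, keys, domain):
    # Keys K for which F_K is not a permutation. An empty list means the
    # family is a block cipher on this domain.
    return [k for k in keys
            if not is_permutation(lambda x, k=k: family(k, x), domain)]

def inverse_table(family, keys, domain):
    # E^{-1}[K][y] = x where E(K, x) = y (only meaningful for a block cipher).
    return {k: {family(k, x): x for x in domain} for k in keys}

Z2, Z3 = [0, 1], [0, 1, 2]
BITS2 = ["00", "01", "10", "11"]

def F(k, x):
    # Family from the slides: F(K, x) = (K * x) mod 3.
    return (k * x) % 3

# 2-bit block cipher table from the slides: row = key K, column = input x.
E_TABLE = {
    "00": ["11", "00", "10", "01"],
    "01": ["11", "10", "01", "00"],
    "10": ["10", "11", "00", "01"],
    "11": ["11", "00", "10", "01"],
}

def E(k, x):
    return E_TABLE[k][BITS2.index(x)]

def xor_cipher(k, x):
    # E_K(x) = K xor x, here on 4-bit blocks encoded as integers 0..15.
    return k ^ x

if __name__ == "__main__":
    print("F fails for keys:", non_permutation_keys(F, Z2, Z3))
    print("E fails for keys:", non_permutation_keys(E, BITS2, BITS2))
    inv = inverse_table(E, BITS2, BITS2)
    for k in BITS2:
        print(k, [inv[k][y] for y in BITS2])
    print("XOR fails for keys:",
          non_permutation_keys(xor_cipher, range(16), range(16)))
```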
Exercise

Above we had given the following example of a family of functions: $F : \mathbf{Z}_2 \times \mathbf{Z}_3 \to \mathbf{Z}_3$ defined by $F(K, x) = (K \cdot x) \bmod 3$.

Question: Is $F_1$ a permutation?

Answer: Yes. But that alone does not make $F$ a block cipher.

Block cipher usage

Let $E : \{0,1\}^k \times \{0,1\}^\ell \to \{0,1\}^\ell$ be a block cipher. It is considered public.

In typical usage
• $K \stackrel{\$}{\leftarrow} \{0,1\}^k$ is known to parties $S$, $R$, but not given to adversary $A$.
• $S$, $R$ use $E_K$ for encryption

Leads to security requirements like: Hard to get $K$ from $y_1, y_2, \ldots$; Hard to get $x_i$ from $y_i$; ...

DES History

1972 – NBS (now NIST) asked for a block cipher for standardization
1974 – IBM designs Lucifer

Lucifer eventually evolved into DES.

Widely adopted as a standard including by ANSI and American Bankers association

Used in ATM machines

Replaced (by AES) in 2001.
FIPS DES Standard: Reaffirmed 1999

DES parameters

Key Length $k = 56$
Block length $\ell = 64$

So,
$\mathrm{DES} : \{0,1\}^{56} \times \{0,1\}^{64} \to \{0,1\}^{64}$
$\mathrm{DES}^{-1} : \{0,1\}^{56} \times \{0,1\}^{64} \to \{0,1\}^{64}$

DES Construction

function $\mathrm{DES}_K(M)$  // $|K| = 56$ and $|M| = 64$
    $(K_1, \ldots, K_{16}) \leftarrow \mathrm{KeySchedule}(K)$  // $|K_i| = 48$ for $1 \leq i \leq 16$
    $M \leftarrow \mathrm{IP}(M)$
    Parse $M$ as $L_0 \| R_0$  // $|L_0| = |R_0| = 32$
    for $i = 1$ to $16$ do
        $L_i \leftarrow R_{i-1}$ ; $R_i \leftarrow f(K_i, R_{i-1}) \oplus L_{i-1}$
    $C \leftarrow \mathrm{IP}^{-1}(L_{16} \| R_{16})$
    return $C$

Round $i$: Invertible given $K_i$:

function $\mathrm{DES}^{-1}_K(C)$  // $|K| = 56$ and $|M| = 64$
    $(K_1, \ldots, K_{16}) \leftarrow \mathrm{KeySchedule}(K)$  // $|K_i| = 48$ for $1 \leq i \leq 16$
    $C \leftarrow \mathrm{IP}(C)$
    Parse $C$ as $L_{16} \| R_{16}$
    for $i = 16$ downto $1$ do
        $R_{i-1} \leftarrow L_i$ ; $L_{i-1} \leftarrow f(K_i, R_{i-1}) \oplus R_i$
    $M \leftarrow \mathrm{IP}^{-1}(L_0 \| R_0)$
    return $M$
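The round structure above is invertible given the round keys even when $f$ itself is not invertible. The following added example (not from the original slides, and not DES) runs the same 16-round loop with a toy many-to-one round function and checks that decryption undoes encryption and that each $E_K$ is a permutation. `key_schedule` and `f` are hypothetical SHA-256-based stand-ins for KeySchedule and the DES round function, the fixed permutation IP is omitted, and `half_bits` is an added parameter so a small block can be checked exhaustively.

```python
import hashlib

ROUNDS = 16

def key_schedule(key: bytes) -> list:
    # Toy stand-in for KeySchedule(K): 16 round keys of 48 bits (6 bytes) each.
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]

def f(round_key: bytes, r: int, half_bits: int) -> int:
    # Toy round function. It ignores the lowest bit of r, so f(K_i, .) is
    # many-to-one: the Feistel structure does not need f to be invertible.
    d = hashlib.sha256(round_key + (r >> 1).to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") & ((1 << half_bits) - 1)

def encrypt(key: bytes, m: int, half_bits: int = 32) -> int:
    mask = (1 << half_bits) - 1
    left, right = m >> half_bits, m & mask          # L_0, R_0
    for k in key_schedule(key):                     # i = 1 .. 16
        left, right = right, f(k, right, half_bits) ^ left
    return (left << half_bits) | right              # L_16 || R_16

def decrypt(key: bytes, c: int, half_bits: int = 32) -> int:
    mask = (1 << half_bits) - 1
    left, right = c >> half_bits, c & mask          # L_16, R_16
    for k in reversed(key_schedule(key)):           # i = 16 .. 1
        # R_{i-1} = L_i ;  L_{i-1} = f(K_i, R_{i-1}) xor R_i
        left, right = f(k, left, half_bits) ^ right, left
    return (left << half_bits) | right              # L_0 || R_0

def is_permutation_for_key(key: bytes, half_bits: int = 4) -> bool:
    # Exhaustive check on a small block: E_K must hit every block exactly once.
    size = 1 << (2 * half_bits)
    return len({encrypt(key, m, half_bits) for m in range(size)}) == size

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcd")           # constructed 56-bit key
    m = 0x0123456789ABCDEF                          # constructed 64-bit block
    c = encrypt(key, m)
    print(hex(c), decrypt(key, c) == m, is_permutation_for_key(key))
```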