Block Ciphers - The Basics
Lars R. Knudsen, Spring 2011
Sections: Intro; Attack on iterated ciphers; Differential cryptanalysis; Linear cryptanalysis

Content
- Introduction
- Iterated ciphers
- Cryptanalysis
- Differential cryptanalysis
- Linear cryptanalysis

Symmetric encryption
- Same key for encryption and decryption
- Two types:
  - Block ciphers
  - Stream ciphers

Symmetric encryption: Model of reality
[Figure: the M-source gives m to the sender, who sends c over an insecure channel, observed by the enemy, to the receiver, who recovers m; the K-source delivers k to both sender and receiver over a secure channel.]

Symmetric encryption
Kerckhoffs' principle: Everything is known to an attacker except for the value of the secret key.
Attack scenarios:
- Ciphertext only
- Known plaintext
- Chosen plaintext/ciphertext
- Adaptive chosen plaintext/ciphertext (black-box)

From classical crypto to modern crypto
Looking back:
- (almost) all ciphers before the 1920s were very weak
- 1920s: rotor machines, mechanical crypto
  - Enigma, Germany
  - Sigaba, USA
  - Typex, UK
- 1970s: computers take over from rotor machines
- ciphers operate on long sequences of bits (bytes)

Block ciphers
Input block $m$, output block $c$, key $k$
[Figure: m → e → c, with the key k fed into e]
- $e : \{0,1\}^n \times \{0,1\}^\kappa \to \{0,1\}^n$
- given $k$, easy to encrypt and decrypt
- given $m$, $c$, hard to compute $k$ such that $e_k(m) = c$
- one-way function: $f(k) = e_k(m_0)$ for fixed $m_0$

Block ciphers
Applications:
- block encryption (symmetric)
- pseudorandom number generators/stream ciphers
- message authentication codes
- building block in hash functions
- one-way functions

Block cipher, $n$-bit blocks, $\kappa$-bit key
- family of $n$-bit permutations
- number of $n$-bit permutations in block cipher: $2^\kappa$
- number of $n$-bit permutations: $2^n! \simeq (2^{n-1})^{2^n}$
- DES: $n = 64$, $\kappa = 56$
- AES: $n = 128$, $\kappa = 128, 192, 256$
- design aim: choose the $2^\kappa$ permutations uniformly at random from the set of all $2^n!$ permutations

Cryptanalysis
Assumption: the cryptanalyst has access to a black box implementing the block cipher with secret key $k$.
Aims of the cryptanalyst:
- find the key $k$, or
- find $(m, c)$ such that $e_k(m) = c$ for unknown $k$, or
- distinguish a member of the block cipher from a randomly chosen permutation

Generic, brute-force attacks
Block size $n$, key size $\kappa$
1. exhaustive key search: try all keys, one by one; $\lceil \kappa/n \rceil$ texts, time $2^\kappa$, storage small
2. table attack: store $e_k(m_0)$ for all $k$; storage $2^\kappa$, time (of attack) small
3. Hellman tradeoffs of 1 and 2, e.g. $n = \kappa$, $2^{2n/3}$ time & memory

Generic, brute-force attacks (cont.)
Dictionary and birthday attacks
- known plaintexts: collect pairs $(m, c)$
- ciphertext-only: collect ciphertexts, look for matches $c_i = c_j$
Example: CBC mode
1. Collect $2^{n/2}$ ciphertext blocks
2. With 2 equal ciphertext blocks $c_i = c_j$:
   $e_k(m_i \oplus c_{i-1}) = e_k(m_j \oplus c_{j-1}) \Rightarrow m_i \oplus m_j = c_{i-1} \oplus c_{j-1}$
(similar attacks for ECB and CFB)

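The CBC collision step above, run on a toy cipher as an added example (not from the original slides). The 16-bit block size, the key-seeded random permutation standing in for $e_k$, and all function names are assumptions chosen so the $2^{n/2}$ effect shows up after a few thousand blocks.

```python
import random

N_BITS = 16  # toy block size n (assumption; DES has n = 64)

def keyed_permutation(key):
    """Toy stand-in for e_k: a key-seeded random permutation of n-bit blocks."""
    table = list(range(1 << N_BITS))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(e_k, iv, blocks):
    """CBC: c_i = e_k(m_i XOR c_{i-1}) with c_0 = IV. Returns [IV, c_1, ...]."""
    out = [iv]
    for m in blocks:
        out.append(e_k[m ^ out[-1]])
    return out

def leaked_xors(ciphertext):
    """Ciphertext-only step: for every c_i == c_j (i < j) report
    (i, j, c_{i-1} XOR c_{j-1}); the last value equals m_i XOR m_j."""
    seen, leaks = {}, []
    for j in range(1, len(ciphertext)):
        c = ciphertext[j]
        if c in seen:
            i = seen[c]
            leaks.append((i, j, ciphertext[i - 1] ^ ciphertext[j - 1]))
        else:
            seen[c] = j
    return leaks

def demo(num_blocks=4096, seed=2011):
    """Constructed sample data: random key, IV and plaintext blocks."""
    rng = random.Random(seed)
    e_k = keyed_permutation(rng.getrandbits(64))
    msgs = [rng.getrandbits(N_BITS) for _ in range(num_blocks)]
    ct = cbc_encrypt(e_k, rng.getrandbits(N_BITS), msgs)
    return msgs, leaked_xors(ct)

if __name__ == "__main__":
    msgs, leaks = demo()
    print(len(leaks), "colliding ciphertext blocks among", len(msgs))
```

The number of collisions grows quadratically with the number of blocks encrypted under one key, which is why the amount of data per key must stay well below $2^{n/2}$ blocks.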
Short-cut attacks
Success dependent on intrinsic properties of $e(\cdot)$
- Differential cryptanalysis
- Linear cryptanalysis
- Interpolation attacks
- Integral attacks
- Related key attacks
- Variants of the above: higher-order differentials, truncated differentials, mod n attack, boomerang attack, ...

Iterated block ciphers (DES, AES, ...)
    k_0     k_1     k_2           k_r
    ↓       ↓       ↓             ↓
m → ⊕ → g → ⊕ → g → ⊕ → ··· → g → ⊕ → c
- plaintext $m$, ciphertext $c$, key $k$
- key-schedule: user-selected key $k \to k_0, \ldots, k_r$
- round function $g$, weak by itself
- idea: $g^r$, strong for "large" $r$

DES
History:
- developed in the early 70's by IBM using 17 man years
- evaluation by the National Security Agency (US)
- 1975: publication of proposed standard
- public discussion (trapdoors, key size)
- 1977: publication of FIPS 46 (DES)
- most realistic attack is exhaustive search for the key

DES
Parameters:
- block size 64 bits
- key size 64 bits, effective 56 bits
- 16 round Feistel cipher
[Figure: Feistel network, one round with round function f and XOR ⊕]

DES
Results:
- $\forall m, k$: $c = \mathrm{DES}_k(m) \iff \bar{c} = \mathrm{DES}_{\bar{k}}(\bar{m})$
- 4 weak keys: $\mathrm{DES}_k(\mathrm{DES}_k(m)) = m$, $\forall m$
- 6 pairs of semi-weak keys: $\mathrm{DES}_{k_1} = \mathrm{DES}^{-1}_{k_2}$
- differential cryptanalysis (1991), $2^{47}$ chosen plaintexts
- linear cryptanalysis (1993), $2^{45}$ known plaintexts
- key search engine (98-99), 1 million US$, 1 key/30 min.
- record for finding a DES key: 22 hours, 1999

AES
Advanced Encryption Standard:
- US governmental encryption standard
- open (world) competition announced January 97
- keys: choice of 128-bit, 192-bit, and 256-bit keys
- blocks: 128 bits
- October 2000: AES = Rijndael
- standard: FIPS 197, November 2001
- iterated cipher, 10, 12 or 14 iterations depending on key

Multiple encryption
1. assume $e_\cdot(\cdot)$ is a block cipher
2. double encryption
       k_1 k_2
       ↓   ↓
   m → e → e → c
3. triple encryption
       k_1 k_2 k_3
       ↓   ↓   ↓
   m → e → e → e → c

Triple-DES
$e_k(\cdot)$, $d_k(\cdot)$: single encryption and decryption
- two-key triple DES: $c = e_{k_1}(d_{k_2}(e_{k_1}(m)))$
  known attack: time $\simeq 2^{120}/2^t$, $2^t$ known plaintexts
- tripleDES: $c = e_{k_3}(e_{k_2}(e_{k_1}(m)))$
  known attack: time $\simeq 2^{112}$, 2 known plaintexts, memory $\approx 2^{56}$

Provably secure encryption (assuming ideal components)
1. assume $p(\cdot)$ is an ideal $n$-bit bijection (permutation)
2. Even-Mansour (1991)
       k_0     k_1
       ↓       ↓
   m → ⊕ → p → ⊕ → c
3. security bound of $2^{n/2}$
4. bound tight, attack by Daemen

Provably secure encryption (assuming ideal components)
1. assume $p(\cdot)$ and $q(\cdot)$ are two ideal $n$-bit bijections
2. Knudsen-Leander et al. (work in progress)
       k_0     k_1     k_2
       ↓       ↓       ↓
   m → ⊕ → p → ⊕ → q → ⊕ → c
3. security bound of $2^{\frac{2}{3}n}$
4. with $r$ "rounds", bound is $2^{\frac{r}{r+1}n}$

Generic attack: r-round iterated ciphers
    k_0     k_1     k_2  c_{r-1}  k_r
    ↓       ↓       ↓       ↓     ↓
m → ⊕ → g → ⊕ → g → ⊕ → ··· → g → ⊕ → c
1. assume "correlation" between $m$ and $c_{r-1}$
2. given a number of pairs $(m, c)$
3. repeat for all pairs and all values $i$ of $k_r$:
   1. let $c' = g^{-1}(c \oplus i)$, compute $x = \mathrm{cor}(m, c')$
   2. if key gives $\mathrm{cor}(m, c_{r-1})$, increment counter
4. value of $i$ which yields $\mathrm{cor}(m, c_{r-1})$ taken as value of $k_r$

Differential cryptanalysis - (Biham-Shamir 1991)
- chosen plaintext attack
- assume $x$ is combined with key $k$ via group operation $\otimes$
- define difference of $x_1$ and $x_2$ as $\Delta(x_1, x_2) = x_1 \otimes x_2^{-1}$
- difference same after combination of key:
  $\Delta(x_1 \otimes k, x_2 \otimes k) = x_1 \otimes k \otimes k^{-1} \otimes x_2^{-1} = \Delta(x_1, x_2)$
- definition of difference relative to cipher (often exor)

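The counter-based recovery of the last round key and the key-independence of differences, combined in one added example that is not from the original slides. The toy cipher $c = g(m \oplus k_0) \oplus k_1$ on 4-bit blocks, the use of the PRESENT S-box as $g$, and all function names are assumptions; here the difference of two plaintexts predicts the difference at $c_{r-1}$ with probability 1, the simplest case of the correlation the generic attack relies on.

```python
# 4-bit S-box (values of the PRESENT S-box) used as the round function g.
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]
INV = [SBOX.index(y) for y in range(16)]

def encrypt(m, k0, k1):
    """Toy cipher (assumption): c = g(m XOR k0) XOR k1 on 4-bit blocks."""
    return SBOX[m ^ k0] ^ k1

def recover_keys(oracle):
    """Chosen-plaintext key recovery using only the black box `oracle`."""
    codebook = [oracle(m) for m in range(16)]
    counters = [0] * 16
    for i in range(16):                      # every candidate value i of k1
        for m1 in range(16):
            for m2 in range(m1 + 1, 16):
                # c' = g^{-1}(c XOR i): peel off the last key and g
                x1 = INV[codebook[m1] ^ i]
                x2 = INV[codebook[m2] ^ i]
                # k0 cancels in the difference, so for the right i the
                # difference before g equals the plaintext difference
                if x1 ^ x2 == m1 ^ m2:
                    counters[i] += 1
    k1 = max(range(16), key=counters.__getitem__)
    k0 = INV[codebook[0] ^ k1]               # m = 0: g^{-1}(c XOR k1) = k0
    return k0, k1, counters

if __name__ == "__main__":
    k0, k1, counters = recover_keys(lambda m: encrypt(m, 0x9, 0x3))
    print("recovered k0=%X k1=%X" % (k0, k1))
    print("counters:", counters)
```

The correct guess scores on all 120 plaintext pairs; a wrong guess could only tie if the S-box mapped some fixed input difference to a fixed output difference for every input, which this S-box does not.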