Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki - PowerPoint PPT Presentation

T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 1

Reminder: Communication Model Eve Adversary Cipher, Encryption Inverse cipher, Decryption Public channel E − 1 E M = E − 1 M C = E K ( M ) K ( E K ( M )) Plaintext Ciphertext K K Preshared key Private channel Alice Bob Sender Receiver T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 2

Block Ciphers • A function E : K × P → C • K —the key space, P —the plaintext space, C —the ciphertext space • E ( k, x ) is often denoted as E k ( x ) • E k is permutation: ( ∀ x ) E − 1 ( E k ( x )) = x . k T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 3

Block Ciphers, cont. • Usually P = C = { 0 , 1 } n , K = { 0 , 1 } k • n is the block length, k is the key length • If k is small, then key can be found by exhaustive search • If n is small, one can use known-plaintext attack (store all seen plaintext-ciphertext pairs) T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 4

Block Ciphers, cont. • Exhaustively searching k -bit keys takes 2 k time units • Storing sufficient amount of plaintext-ciphertext pairs takes 2 n memory units • Birthday attack: 2 n/ 2 memory units sufficient • Recommendations: key k ≥ 80 bits • Recommendations: block n ≥ 128 bits T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 5

Reminder: Substitution ciphers • Input and output belong to some set A with � A � = n • Key is a permutation π on (1 , 2 , 3 , . . . , n ) • Different “letters” are permuted, according to the key: A → C , B → X , C → R , . . . • Examples: Caesar cipher, shift ciphers, . . . T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 6

Substitution ciphers, cont. • There are 2 n ! permutations • Storing an arbitrary permutation takes log 2 (2 n !) bits √ � x � x • By Stirling formula, x ! ≈ 2 πx e • Thus, the key length would be k = log 2 (2 128 !) bits, or ≈ 2 134 bits, if n = 128 • Clearly impractical! (Compare with the lower bound of 80 bits) T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 7

Ultimate goal: pseudorandom permutations • Have a small key of k -bits ( 80 ≤ k ≤ 256 ) • Cipher E should consist of a set of 2 k permutations { E k } out of the total 2 n ! permutations • For an attacker who does not know the key, the permutation E k should look “random” • That is, deciding whether some permutation π is one of the chosen 2 k permutations should be hard (take ≈ 2 k steps) T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 8

Permutation ciphers • Input belongs to A n for some set A . • Key is a permutation π on (1 , 2 , 3 , . . . , n ) • Different “letters” are permuted, according to the key. • Decryption: apply inverse permutation • Very weak by itself! T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 9

Example A = Z 26 , n = 2 , and π (1) = 2 , π (2) = 1 . A simple example: willwehaveabreak iwllewahevbaerka T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 10

Product ciphers Idea: combine two weak ciphers to get a stronger cipher E ′ E E ′ E K ( x ) K ′ ( E K ( x )) x Plaintext Key K ′ Key K Tweak: Use the SAME cipher but with different keys (Question: Why this is not a good idea with the already shown ciphers?) Tweak II: generate K ′ from K by using some sophisticated key extension algorithm. T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 11

Substitution-Permutation Networks Divide the block into small s -bit chunks S S S S Apply a fixed substitution to every small Round 1 chunk P Apply a (key-dependent) permutation Round 2 S S S S to the combined output Do this in r rounds P The bit-permutations mix outputs from Round r different S-boxes S S S S Some cleverness should be involved to P guarantee reversibility Hybrid: Round = Substitutions + Permutation, and then multiple rounds T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 12

Feistel ciphers f — “suitable” function L 0 R 0 Round 1 K i — round key K 1 L i = R i − 1 f R i = L i − 1 ⊕ f ( K i , R i − 1 ) Ciphertext: ( R r , L r ) L 1 R 1 Round 2 Decryption: same K 2 but with the order of round keys reversed f It is proven that a Feistel cipher with many rounds is secure if f is a L r − 1 R r − 1 Round r pseudorandom function K r f R r L r T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 13

DES (1/2) • In 1973, NBS published a solicitation for a cryptosystems • One suitable candidate raised: DES (by IBM) • DES first published in 1975 • Adapted as a standard for “unclassified” communication on January 15, 1977. • Now superseded by AES T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 14

DES (2/2) • Being the first ever published government-endorsed cryptosystem, DES sparkled a great controversy but also genuine interest • Wide user-base • Birth of public cryptanalysis of block ciphers: new methods developed in early 90s to break DES have been used to break many other ciphers • It seems that DES is essentially secure: best attack requires ≈ 2 40 known plaintext-ciphertext pairs • Is 2 40 secure? Is 2 56 secure? T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 15

DES: Description • A block cipher with 56-bit key, 64-bit block • Apply a fixed permutation IP to the plaintext x • Apply a 16 -round Feistel cipher to IP( x ) • Apply the inverse permutation IP − 1 • Keys K i are derived from K by using key extension algorithm T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 16

DES: Picture Plaintext IP 32 A L 0 R 0 32 1. round E 32 K 1 f 48 48 32 J 32 B 1 B 2 B 3 B 4 B 5 B 6 B 7 B 8 L 1 R 1 6 1 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 L 16 R 16 4 C 1 C 2 C 3 C 4 C 5 C 6 C 7 C 8 32 32 32 P IP − 1 32 Result: f ( A, J ) Ciphertext General SchemeFunction f ( A, J ) , where A = R i T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 17

DES Components • E : { 0 , 1 } 32 → { 0 , 1 } 48 : Expansion function. Permutes 32 bits with duplicating half of them • S i : { 0 , 1 } 6 → { 0 , 1 } 4 : i th S-box. A nonlinear function • P : Bit Permutation. Changes bit locations • Note that E , S i , P do not depend on the key! T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 18

DES: Quick evaluation (1/2) • Suffers from short key-length: 2 56 DES operations (for exhaustive search) is currently feasible. • Key complementation property, E K ( x ) = E K ( x ) , decreases this to 2 55 • . . . DES key has been found by using special hardware in 3 . 5 hours (1999, see http://www.eff.org/descracker/) T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 19

DES: Quick evaluation (2/2) • Best attack: linear cryptanalysis (Matsui 1994, later improved by oth- ers), requires ≈ 2 40 known plaintext-ciphertext pairs • Relatively slow in software: 18 MByte/s on a 800 MHz Pentium • Very fast in hardware: multi-gigabyte range (designed for hardware) T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 20

Differential Cryptanalysis: History • The first publicly known successful attack against DES (Biham and Shamir, 1990) • . . . who found DES to be surprisingly strong against the DC • Don Coppersmith (IBM) later admitted that the designers knew this attack when they designed DES and took it into consideration T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 21

Differential Cryptanalysis • A chosen plaintext attack: n plaintext pairs ( x [ i ] , x ∗ [ i ]) , i ∈ [1 , n ] are chosen, so that x [ i ] ⊕ x ∗ [ i ] = ∆ x • If ∆ x is well chosen then for some ∆ y , E K ( x [ i ]) ⊕ E K ( x ∗ [ i ]) = ∆ y with a high probability p • We say that (∆ x → ∆ y ) has a differential probability p • Use most probable differentials to select some keys as more probable • Protection: design cipher not to have highly probable differentials T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa 22