CPSC 418/MATH 318 Introduction to Cryptography
Analytic Cryptanalysis of Block Ciphers, Stream Ciphers, Modes of Operation, One-Way Functions, Cryptographic Key Agreement

Renate Scheidler
Department of Mathematics & Statistics
Department of Computer Science
University of Calgary

Week 5

Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 5 1 / 44

Outline

1 Analytic Attacks on Block Ciphers
  Linear Cryptanalysis
  Differential Cryptanalysis
  Other Advanced Attacks
2 Stream Ciphers
  Synchronous Stream Ciphers
  Self-Synchronizing Stream Cipher
3 Modes of Operation for Block Ciphers
4 One-Way Functions
5 Cryptographic Key Agreement
  Diffie-Hellman Protocol
6 Number Theory
  Primitive Roots and Discrete Logarithms

Analytic Attacks on Block Ciphers: Linear Cryptanalysis

Linear Cryptanalysis

M. Matsui, EUROCRYPT 1993 – CCA

Matsui actually used this method to become the first person to recover a DES key (50 days using 12 workstations).

Definition 1
A cryptosystem is affine (linear) if encryptions are affine (linear) functions relating plaintexts to ciphertexts.

  Affine equation: C = AM + B
  Linear equation: C = AM (i.e. B = 0)

where A and B are matrices of appropriate dimensions.

Idea: A and B reveal information about the key used to encrypt M to C.

Attacking Linear Cryptosystems

A cryptanalyst can try to mount a CPA on an affine or linear system by obtaining sufficiently many plaintext/ciphertext pairs (M_i, C_i) to deduce A and B from the equations

  C_i = A M_i + B,  i = 1, 2, 3, ...

Examples of linear and affine linear cryptosystems are:
- substitution ciphers — affine
- transposition ciphers — linear

The SubBytes operation in AES is an affine transformation on bytes (see AES overview document on “handouts” page).
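The recovery of A and B from chosen plaintext/ciphertext pairs that this slide describes, carried out on a toy affine cipher over GF(2). This is an added example and is not part of the lecture slides: the 8-bit block size, the representation of the key as (columns of A, B), and all function names are assumptions made for the demonstration. It shows why an affine cipher, or a cipher whose S-box layer is affine, gives up its entire key after N + 1 chosen plaintexts, which is the reason S-boxes must be nonlinear.

```python
# Added example (not from the slides): recovering the matrix A and vector B of an
# affine cipher C = A*M + B over GF(2) from chosen plaintext/ciphertext pairs.
# The 8-bit block size, the toy key format and all names are assumptions.
import secrets

N = 8  # block size in bits (assumption)


def mat_vec(cols, m):
    """Multiply the GF(2) matrix A, given by its columns (ints), with the bit-vector m."""
    out = 0
    for j in range(N):
        if (m >> j) & 1:
            out ^= cols[j]
    return out


def affine_encrypt(key, m):
    """Toy affine cipher: the secret key is the pair (A, B)."""
    cols, b = key
    return mat_vec(cols, m) ^ b


def recover_affine_key(encrypt):
    """Chosen-plaintext recovery: N + 1 queries determine A and B completely.

    encrypt(0) = A*0 + B = B, and encrypt(e_j) = A*e_j + B, so column j of A
    is encrypt(e_j) XOR B.
    """
    b = encrypt(0)
    cols = [encrypt(1 << j) ^ b for j in range(N)]
    return cols, b


def affine_decrypt(key, c):
    """Solve A*M = C XOR B over GF(2) by Gaussian elimination (A must be invertible)."""
    cols, b = key
    target = c ^ b
    # Row i of the augmented system [A | target]: bit j of the row is A[i][j].
    rows = []
    for i in range(N):
        row = 0
        for j in range(N):
            if (cols[j] >> i) & 1:
                row |= 1 << j
        rows.append((row, (target >> i) & 1))
    for j in range(N):
        piv = next((r for r in range(j, N) if (rows[r][0] >> j) & 1), None)
        if piv is None:
            raise ValueError("A is singular")
        rows[j], rows[piv] = rows[piv], rows[j]
        for r in range(N):
            if r != j and (rows[r][0] >> j) & 1:
                rows[r] = (rows[r][0] ^ rows[j][0], rows[r][1] ^ rows[j][1])
    # Fully reduced: row j now reads M_j = rhs_j.
    m = 0
    for j in range(N):
        if rows[j][1]:
            m |= 1 << j
    return m


def random_affine_key():
    """Random key (A, B) with A invertible, so that encryption is a bijection."""
    while True:
        cols = [secrets.randbits(N) for _ in range(N)]
        b = secrets.randbits(N)
        try:
            affine_decrypt((cols, b), 0)  # raises if A is singular
            return cols, b
        except ValueError:
            continue


def demo():
    """Recover a random key from N + 1 chosen plaintexts and check that the
    recovered key decrypts every ciphertext the real key can produce."""
    key = random_affine_key()
    recovered = recover_affine_key(lambda m: affine_encrypt(key, m))
    return all(affine_decrypt(recovered, affine_encrypt(key, m)) == m
               for m in range(1 << N))


if __name__ == "__main__":
    print("recovered key decrypts everything:", demo())
```

The point of the example is the query count: an 8-bit affine cipher falls to nine chosen plaintexts, and the same arithmetic applies to any block size. Linear cryptanalysis, as the next slide explains, extends this to ciphers that are only approximately affine.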
Idea of Linear Cryptanalysis

Linear cryptanalysis attempts to choose (M, C) pairs such that with high probability, linear relations exist between portions of the plaintexts M and ciphertexts C (called “linear approximations”).

If a cryptosystem is “close to” being affine, then the modified system can be broken and the original system compromised after some searching.

“Close to affine” means modifying a few entries in the system (e.g. in the S-boxes) makes it affine on certain plaintext/ciphertext pairs.

Since P-boxes are linear, S-boxes must not be linear.

S-boxes must also not be “close” to linear (i.e. closely approximated by a linear function).

DES was not designed to offer optimal resistance to linear cryptanalysis. Unclear if NSA knew about linear cryptanalysis at the time or was just not worried about it.

Analytic Attacks on Block Ciphers: Differential Cryptanalysis

Differential Cryptanalysis

Biham and Shamir, Journal of Cryptology, 1991 — KPA

Compares input XORs to output XORs, and traces these differences through the cipher.

Both linear and differential cryptanalysis work quite well on DES with fewer than 16 rounds.

The first edition of Doug Stinson’s book “Cryptography – Theory and Practice” (1995) discusses successful differential cryptanalysis attacks on 3-round and 6-round DES.

Large-scale, parallel, brute-force attack is still the most practical attack on 16-round DES.

DES was designed to be resistant against differential cryptanalysis (“T” or “Tickle” attack). IBM and NSA knew about differential cryptanalysis at the time.
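The design criteria stated on these two slides (an S-box must not be closely approximated by a linear function, and input XORs must not map predictably to output XORs) can be checked for a concrete S-box by computing its linear approximation table and its difference distribution table. The following is an added example, not taken from the slides or the course: it compares a linear 4-bit S-box constructed here with the S-box of the PRESENT block cipher. The helper names are assumptions.

```python
# Added example (not from the slides): measuring how "close to linear" a 4-bit
# S-box is (maximum linear approximation bias) and how evenly input XORs map
# to output XORs (differential uniformity). The linear S-box is constructed
# here; the other is the published PRESENT S-box.
from itertools import product

BITS = 4
SIZE = 1 << BITS

# Constructed toy S-box: S(x) = x XOR (x << 1) mod 16, a GF(2)-linear bijection.
LINEAR_SBOX = [(x ^ (x << 1)) & 0xF for x in range(SIZE)]

# S-box of the PRESENT block cipher (Bogdanov et al., CHES 2007).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    """Parity of the bits of v; parity(a & x) is the GF(2) dot product a.x."""
    return bin(v).count("1") & 1


def linear_approximation_table(sbox):
    """LAT[a][b] = #{x : a.x = b.S(x)} - SIZE/2 for input mask a, output mask b.

    An entry of +-SIZE/2 means the masked output is exactly a linear function
    of the masked input; an entry of 0 means the approximation is useless.
    """
    lat = [[0] * SIZE for _ in range(SIZE)]
    for a, b in product(range(SIZE), repeat=2):
        agree = sum(1 for x in range(SIZE)
                    if parity(a & x) == parity(b & sbox[x]))
        lat[a][b] = agree - SIZE // 2
    return lat


def max_linear_bias(sbox):
    """Largest |Pr[a.x = b.S(x)] - 1/2| over all masks with b != 0."""
    lat = linear_approximation_table(sbox)
    return max(abs(lat[a][b]) for a in range(SIZE) for b in range(1, SIZE)) / SIZE


def difference_distribution_table(sbox):
    """DDT[dx][dy] = #{x : S(x) XOR S(x XOR dx) = dy}."""
    ddt = [[0] * SIZE for _ in range(SIZE)]
    for dx in range(SIZE):
        for x in range(SIZE):
            ddt[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return ddt


def differential_uniformity(sbox):
    """Largest DDT entry for a non-zero input difference (lower is better)."""
    ddt = difference_distribution_table(sbox)
    return max(ddt[dx][dy] for dx in range(1, SIZE) for dy in range(SIZE))


def profile(sbox):
    """The two numbers a designer looks at before accepting an S-box."""
    return {"max_linear_bias": max_linear_bias(sbox),
            "differential_uniformity": differential_uniformity(sbox)}


if __name__ == "__main__":
    print("linear S-box :", profile(LINEAR_SBOX))
    print("PRESENT S-box:", profile(PRESENT_SBOX))
```

For the linear S-box every output mask has an input mask that matches it with probability 1 (bias 1/2), and every input difference produces a single output difference (DDT entry 16): exactly the properties the slides say a cipher must not have. The PRESENT S-box reaches the best values a 4-bit bijection can have, a maximum bias of 1/4 and a maximum DDT entry of 4, which is why its designers could bound the probability of any linear or differential trail through the full cipher.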
Requirements for Full DES

  Type of attack              Expected time   # of (M, C) pairs
  Exhaustive search           2^55            none
  Linear Cryptanalysis        2^43            2^43 (chosen)
  Differential Cryptanalysis  2^47            2^47 (known)

In DES, 2^47 (M, C) pairs require 1 Petabyte (≈ 1,000 Terabytes) of storage.

Note: AES not affected by these attacks (by design).

Modern ciphers must be designed to credibly withstand linear and differential cryptanalysis!

Analytic Attacks on Block Ciphers: Other Advanced Attacks

Algebraic Attacks

Courtois 2001 — KPA, generates multivariate equations from S-boxes, where the unknowns are the key bits.

So far no threat to any modern block cipher.

Obstacle: solving multivariate equations seems to be hard in practice. (In fact so hard that there are cryptosystems whose security is based on the intractability of this problem!)
Biclique Attacks

Enhanced meet-in-the-middle attack using bicliques that map internal states to ciphertexts via subkeys.

First improved key recovery through the biclique attack on AES (Bogdanov, Khovratovich, Rechberger 2011):

  AES key length   Exhaustive search   Biclique (expected)
  128              2^128               2^126.1
  192              2^192               2^189.7
  256              2^256               2^254.4

These and other attacks (e.g. square attack) are successful on 8 and lower round AES.

Biclique attacks have also been successfully mounted on some lightweight ciphers.

Lightweight Cryptography

Lightweight ciphers are systems targeted to operate in constrained environments, such as
- Sensors
- Healthcare devices
- Distributed control systems
- Internet of Things (IoT) devices

See the NIST lightweight crypto competition at https://csrc.nist.gov/projects/lightweight-cryptography

Stream Ciphers

Stream Ciphers

In contrast to block ciphers, stream ciphers don’t treat incoming characters independently.

Idea: Encryption C_i of plaintext character M_i depends on internal state of device. After encryption, the device changes state according to some rule.

Result: two occurrences of the same plaintext character will usually not result in the same ciphertext character.

Stream ciphers incorporate a key stream into encryption and decryption that is generated from the key. In practice, this is a pseudo-random sequence of bits. Blocks of key bits are x-or’ed with plaintext blocks for encryption, and the same blocks are x-or’ed with ciphertext blocks for decryption.

Stream Ciphers: Synchronous Stream Ciphers

Synchronous Stream Cipher (SSC)

- State depends only on the previous state, not on the input M_i.
- C_i depends only on M_i and i, not on M_{i-1}, M_{i-2}, ...
- Implemented by boolean logic that should produce a pseudo-random sequence R_i synchronized by the key (e.g. a shift register).

Example 2
The one-time pad can be interpreted as an SSC. The key stream consists of the key bits.
Diagram of an SSC

[Figure: sender and receiver each run a counter feeding boolean logic keyed by K; the logic produces the key stream R_i, which is XORed with M_i to give C_i at the sender and XORed with C_i to recover M_i at the receiver.]

Block Ciphers as SSCs

Idea:
- Send an initial key value KS_0 = IV to the receiver in the clear.
- Compute KS_i = E_K(KS_{i-1}) and C_i = M_i ⊕ KS_i.

[Figure: the block cipher under key K, started from IV (initial value), produces the key stream that is XORed with M_i to give C_i.]

Properties of Block-Cipher Based SSCs

Advantages:
- Only the encryption function of the block cipher is used (important for AES where decryption is slightly less efficient than encryption).
- The fact that the i-th ciphertext block does not depend on previous ciphertext or plaintext blocks allows for random-access encryption/decryption and parallelism.

Problems:
1 No error propagation
2 Loss of one character between sender and receiver destroys synchronization (no memory)

Stream Ciphers: Self-Synchronizing Stream Cipher

Self-Synchronizing Stream Cipher (Self-SSC)

AKA asynchronous stream cipher

Idea: Similar to SSC, except the counter is replaced by a register containing the previous k ciphertexts.
- Self-synchronizing after k steps.
- Can also be implemented with a block cipher as above.
- Limited error propagation (k steps).
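The two constructions on the "Block Ciphers as SSCs" and "Self-Synchronizing Stream Cipher" slides, run side by side so that the synchronization and error-propagation behaviour listed on the "Properties" slide can be observed directly. This is an added example, not part of the slides: the block cipher encryption function E_K is stood in by a keyed PRF (HMAC-SHA256 truncated to one block) so the code runs with the standard library alone, and the key, IV, messages, 16-byte block size and function names are constructed for the demonstration.

```python
# Added example (not from the slides): a synchronous stream cipher built from a
# block cipher (KS_i = E_K(KS_{i-1}), C_i = M_i XOR KS_i) next to a
# self-synchronizing one whose register holds the previous k ciphertexts.
# E_K is a stand-in PRF, not a real block cipher; key, IV, block size and
# sample messages are constructed for the demonstration.
import hashlib
import hmac

BLOCK = 16  # block size in bytes (assumption)


def E(key, block):
    """Stand-in for the block cipher encryption E_K: a keyed PRF truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ssc_keystream(key, iv, n):
    """KS_0 = IV, KS_i = E_K(KS_{i-1}): the state never sees plaintext or ciphertext."""
    ks, out = iv, []
    for _ in range(n):
        ks = E(key, ks)
        out.append(ks)
    return out


def ssc_encrypt(key, iv, blocks):
    """C_i = M_i XOR KS_i. Decryption is the same operation applied to the ciphertext."""
    return [xor(m, ks) for m, ks in zip(blocks, ssc_keystream(key, iv, len(blocks)))]


ssc_decrypt = ssc_encrypt


def self_ssc_encrypt(key, iv, blocks, k=1):
    """Register = previous k ciphertext blocks (IV-filled at start); key stream = E_K(register).
    With a real block cipher the register would have to be one cipher block wide;
    the PRF stand-in accepts any width, which is what lets k vary here."""
    reg, out = [iv] * k, []
    for m in blocks:
        c = xor(m, E(key, b"".join(reg)))
        out.append(c)
        reg = reg[1:] + [c]
    return out


def self_ssc_decrypt(key, iv, blocks, k=1):
    reg, out = [iv] * k, []
    for c in blocks:
        out.append(xor(c, E(key, b"".join(reg))))
        reg = reg[1:] + [c]  # the receiver refills its register from what it received
    return out


def _sample(n):
    """Constructed demo key, IV and n distinguishable plaintext blocks."""
    return b"k" * BLOCK, b"i" * BLOCK, [bytes([i]) * BLOCK for i in range(n)]


def recovered_after_loss(encrypt, decrypt, dropped, n=6):
    """Lose ciphertext block `dropped` in transit; report, for each block the
    receiver does get, whether it decrypts to the plaintext that was sent."""
    key, iv, msgs = _sample(n)
    cts = encrypt(key, iv, msgs)
    received = cts[:dropped] + cts[dropped + 1:]
    expected = msgs[:dropped] + msgs[dropped + 1:]
    return [g == e for g, e in zip(decrypt(key, iv, received), expected)]


def recovered_after_bit_flip(encrypt, decrypt, flipped, n=6):
    """Deliver all blocks, but with one bit of block `flipped` corrupted."""
    key, iv, msgs = _sample(n)
    cts = encrypt(key, iv, msgs)
    bad = bytes([cts[flipped][0] ^ 0x01]) + cts[flipped][1:]
    received = cts[:flipped] + [bad] + cts[flipped + 1:]
    return [g == m for g, m in zip(decrypt(key, iv, received), msgs)]


if __name__ == "__main__":
    print("SSC, block 2 lost     :", recovered_after_loss(ssc_encrypt, ssc_decrypt, 2))
    print("Self-SSC k=1, lost    :", recovered_after_loss(self_ssc_encrypt, self_ssc_decrypt, 2))
    print("SSC, block 2 flipped  :", recovered_after_bit_flip(ssc_encrypt, ssc_decrypt, 2))
    print("Self-SSC k=1, flipped :", recovered_after_bit_flip(self_ssc_encrypt, self_ssc_decrypt, 2))
```

With the SSC, a lost block leaves every later block garbled (the receiver's key stream is now one position ahead of the sender's) while a flipped bit damages only its own block, which is the "no error propagation" and "no memory" pair of properties from the slide. With the self-synchronizing variant, a lost or corrupted block garbles exactly the next k blocks, after which the receiver's register again matches the sender's and decryption resumes correctly.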