
Some Aspects of Block Ciphers

Palash Sarkar

Applied Statistics Unit Indian Statistical Institute, Kolkata India [email protected]

CU-ISI Tutorial Workshop on Cryptology, 17th July 2011

Palash Sarkar (ISI, Kolkata) Block Ciphers CU-ISI 2011 1 / 35

Classical Symmetric

Introduction

[Figure: the sender encrypts message M under the secret key K and sends the result over a public channel; the receiver decrypts with the same secret key K; an adversary observes the public channel.]

Attack Models

Ciphertext only attack: the attacker has access to only ciphertext(s); goal: find (one of) the message(s) and/or the key.

Known plaintext attack: the attacker knows (P1, C1), ..., (Pt, Ct); goal: find the key or find P∗ corresponding to a “new” C∗.

Chosen plaintext attack: the attacker chooses P1, ..., Pt and receives the corresponding C1, ..., Ct; goal: find the key or find P∗ corresponding to a “new” C∗.

Chosen ciphertext attack.

One-Time Pad

message              1 0 0 1 1 1
true random sequence 0 0 1 1 1 0
ciphertext           1 0 1 0 0 1

Perfect Secrecy of One-Time Pad

For a, b ∈ {0, 1},

$$
\begin{aligned}
\Pr[M_i = a \mid C_i = b]
&= \frac{\Pr[M_i = a \wedge C_i = b]}{\Pr[C_i = b]} \\
&= \frac{\Pr[M_i = a,\; M_i \oplus K_i = b]}{\Pr[M_i \oplus K_i = b]} \\
&= \frac{\Pr[M_i = a,\; K_i = a \oplus b]}{\Pr[M_i = 0,\; K_i = b] + \Pr[M_i = 1,\; K_i = 1 \oplus b]} \\
&= \frac{\Pr[M_i = a] \times \Pr[K_i = a \oplus b]}{\Pr[M_i = 0]\Pr[K_i = b] + \Pr[M_i = 1]\Pr[K_i = 1 \oplus b]} \\
&= \frac{\tfrac{1}{2}\Pr[M_i = a]}{\tfrac{1}{2} \times (\Pr[M_i = 0] + \Pr[M_i = 1])} \\
&= \frac{\tfrac{1}{2}\Pr[M_i = a]}{\tfrac{1}{2}} \\
&= \Pr[M_i = a].
\end{aligned}
$$

Perfect Secrecy: General Notion

Entropy. Let X be a random variable with distribution $(p_0, \ldots, p_\ell)$.

$$
H(X) \stackrel{\Delta}{=} -\sum_{i} p_i \log_2 p_i .
$$

Conditional entropy (shown here for a binary X).

$$
H(Y \mid X) = \Pr[X = 0]\, H(Y \mid X = 0) + \Pr[X = 1]\, H(Y \mid X = 1).
$$

Perfect secrecy. $H(M) = H(M \mid C)$.
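The two preceding slides can be checked numerically. The following is an added example, not code from the slides: one message bit with a constructed, heavily biased distribution is XORed with an independent uniform key bit, and both the posterior Pr[M_i = a | C_i = b] and the entropies H(M) and H(M | C) are computed exactly from the joint distribution.

```python
# Added example (not from the slides): check the one-time-pad derivation
# numerically. One message bit M_i with an arbitrary (constructed, biased)
# distribution is XORed with an independent uniform key bit K_i; we compute
# Pr[M_i = a | C_i = b] exactly from the joint distribution, and H(M) and
# H(M | C) as on the "General Notion" slide.
from fractions import Fraction
from math import log2

P_M1 = Fraction(9, 10)  # constructed: Pr[M_i = 1] for a heavily biased source

def joint(p_m1):
    """{(m, k, c): probability} for one OTP bit, c = m xor k, K uniform."""
    p_m = {0: 1 - p_m1, 1: p_m1}
    return {(m, k, m ^ k): p_m[m] * Fraction(1, 2) for m in (0, 1) for k in (0, 1)}

def posterior(p_m1, a, b):
    """Pr[M_i = a | C_i = b] = Pr[M_i = a, C_i = b] / Pr[C_i = b]."""
    j = joint(p_m1)
    p_c = sum(p for (m, _, c), p in j.items() if c == b)
    p_ac = sum(p for (m, _, c), p in j.items() if m == a and c == b)
    return p_ac / p_c

def entropy(dist):
    """H(X) = -sum_i p_i log2 p_i over a {value: probability} dict."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p > 0)

def conditional_entropy(p_m1):
    """H(M | C) = Pr[C=0] H(M | C=0) + Pr[C=1] H(M | C=1)."""
    j = joint(p_m1)
    total = 0.0
    for b in (0, 1):
        p_c = sum(p for (_, _, c), p in j.items() if c == b)
        total += float(p_c) * entropy({a: posterior(p_m1, a, b) for a in (0, 1)})
    return total

def perfect_secrecy_holds(p_m1):
    """True iff Pr[M=a|C=b] == Pr[M=a] for all a, b, and H(M) == H(M|C)."""
    p_m = {0: 1 - p_m1, 1: p_m1}
    pointwise = all(posterior(p_m1, a, b) == p_m[a] for a in (0, 1) for b in (0, 1))
    return pointwise and abs(entropy(p_m) - conditional_entropy(p_m1)) < 1e-12

if __name__ == "__main__":
    print("Pr[M=1 | C=0] =", posterior(P_M1, 1, 0), "vs Pr[M=1] =", P_M1)
    print("H(M) =", entropy({0: 1 - P_M1, 1: P_M1}), "H(M|C) =", conditional_entropy(P_M1))
    print("perfect secrecy holds:", perfect_secrecy_holds(P_M1))
```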

Model of Additive

[Figure: the secret key K and an initialisation vector are fed to an initialise function that produces state 1; an update function maps state 1 to state 2, and so on; an output function derives a keystream blk from each state; each message blk is XORed with a keystream blk to give a ciphertext blk.]

Key: k bits; IV: (usually) ≤ k bits; state: (usually) ≥ 2k bits; initialise, update, output: functions (deterministic algorithms); keystream blk, msg blk, cpr blk: ≥ 1 bit.

Security: the keystream sequence should be computationally indistinguishable from a true random sequence.

Encrypting Short Fixed Length Strings

[Figure: Encrypt maps a msg blk to a cpr blk under key K; Decrypt maps the cpr blk back to the msg blk under the same key K.]

Block Cipher.

$E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$; $D : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$. For each $K \in \{0,1\}^k$, $D_K(E_K(M)) = M$.

Overall Structure of a

[Figure: the msg blk passes through Round 1, Round 2, ..., Round r under round keys K1, K2, ..., Kr and emerges as the cpr blk; the round keys are derived from the key K by the key scheduling algorithm (KSA).]

Feistel Structure

[Figure: one round maps $(L_{i-1}, R_{i-1})$ to $(L_i, R_i)$ using the round function F and the round key $K_i$.]

$$
\begin{aligned}
L_i &= R_{i-1}; \\
R_i &= L_{i-1} \oplus F(R_{i-1}, K_i).
\end{aligned}
$$

Irrespective of F, the map is invertible. Security depends on the design of F.
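A generic Feistel network, added here as an example (not code from the slides): the round function F is a keyed hash, chosen precisely because it is not invertible, and the toy key schedule, 128-bit block size and round count are constructed for the demo.

```python
# Added example (not from the slides): a generic Feistel network. The round
# function F is a keyed hash (BLAKE2b) that is clearly NOT invertible, yet the
# network inverts exactly by running the rounds backwards, illustrating
# "irrespective of F, the map is invertible". The key schedule, half-block
# size and round count are constructed choices for the demo.
import hashlib

HALF = 8      # bytes per half-block: 64-bit halves, 128-bit block
ROUNDS = 4

def round_keys(key, rounds=ROUNDS):
    """Toy key schedule standing in for the KSA: K_i = BLAKE2b(key || i)."""
    return [hashlib.blake2b(key + bytes([i]), digest_size=HALF).digest()
            for i in range(1, rounds + 1)]

def F(right, k_i):
    """Round function F(R_{i-1}, K_i): keyed hash truncated to HALF bytes."""
    return hashlib.blake2b(right, key=k_i, digest_size=HALF).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(key, block):
    """L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i), for i = 1..r."""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for k_i in round_keys(key):
        left, right = right, xor(left, F(right, k_i))
    return left + right

def feistel_decrypt(key, block):
    """Rounds in reverse: R_{i-1} = L_i; L_{i-1} = R_i xor F(L_i, K_i).
    Only the forward direction of F is ever evaluated."""
    assert len(block) == 2 * HALF
    left, right = block[:HALF], block[HALF:]
    for k_i in reversed(round_keys(key)):
        left, right = xor(right, F(left, k_i)), left
    return left + right

def round_trip_ok(key, block):
    """True iff decrypting the encryption of `block` gives `block` back."""
    return feistel_decrypt(key, feistel_encrypt(key, block)) == block

if __name__ == "__main__":
    k = b"constructed demo key"
    m = bytes(range(16))
    print(feistel_encrypt(k, m).hex(), round_trip_ok(k, m))
```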

Round Structure of AES

old state
  Sub Bytes: based on inversion over GF(2^8)
  Shift Rows: simple shifting of rows
  Mix Cols: based on matrix-vector multiplication over GF(2^8)
  Add Keys: XOR of state and round key
new state

How to “Break” a Block Cipher?

$E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$.

Brute force with known plaintext. The attacker has access to a msg-cpr pair (M, C). For each possible key K, the attacker encrypts M using K and checks whether the result is C. If “yes”, the corresponding key is very likely to be the correct key.

Brute force with only ciphertext. The attacker has access to ciphertext C and knows that it is the encryption of some English text. For each possible key K, the attacker decrypts C using K and checks whether the result is “meaningful”. If “yes”, the corresponding key is very likely to be the correct key.

How Good is Brute Force?

Complexity: $2^k$ encryptions/decryptions in the worst case; $2^{k-1}$ encryptions/decryptions on an average.

Suppose that $2^{30}$ trial encryptions can be completed in one second. This is a very optimistic (from the adversarial viewpoint) estimate; $2^{20}$ would be more reasonable. There are $2^{30}$ dedicated machines working in parallel. The machines work for one year (about $2^{25}$ seconds). Working for 100 years will change this figure to about $2^{32}$. The total number of keys that can be examined is about $2^{85}$.

Two crucial parameters of any actual attack: cost (in Rupees/Dollars/...) and time.

Attacks on Practical Block Ciphers

Linear cryptanalysis.
Differential cryptanalysis. Many variants: impossible differentials, rebound attack, boomerang attack, ...
Algebraic attacks.
Slide attack: a structural attack.
Side channel attacks: exploit how the block cipher interacts with the environment.

A Bit of Formalism

Idealisation of a Block Cipher (1)

Pseudo-Random Permutation

[Figure: an adversary A interacts with an oracle that is either $E_K$ or a permutation $\pi$.]

$$
\mathrm{Adv}(A) = \left|\Pr[A^{E_K} \Rightarrow 1] - \Pr[A^{\pi} \Rightarrow 1]\right|.
$$

Idealisation of a Block Cipher (2)

Strong Pseudo-Random Permutation

[Figure: the adversary A has access either to both $E_K$ and $E_K^{-1}$, or to both $\pi$ and $\pi^{-1}$.]

$$
\mathrm{Adv}(A) = \left|\Pr[A^{E_K, E_K^{-1}} \Rightarrow 1] - \Pr[A^{\pi, \pi^{-1}} \Rightarrow 1]\right|.
$$

Authentication: The Conjoined Twin of Encryption

Authentication: General Idea

[Figure: the sender generates a tag for msg under the secret key K and sends (msg, tag) over the public channel; the receiver verifies the tag under the same key K and outputs yes/no; an adversary sits on the public channel.]

Active adversary: can listen to and modify information on the public channel; can obtain tags corresponding to chosen messages.

Adversarial goal: to make the receiver accept a msg-tag pair not generated by the sender.

Authentication: A Simple Scheme

Let $\{H_\tau\}_{\tau \in T}$ be a family of functions such that

for each $\tau$, $H_\tau : \mathcal{M} \to \{0,1\}^n$;

for a uniform random $\tau$, and any two distinct $M_1, M_2$,

$$
\Pr[H_\tau(M_1) = H_\tau(M_2)] \le \varepsilon.
$$

Let $E_K : \{0,1\}^n \to \{0,1\}^n$ be a block cipher.

Tag generation: $M \to (M, \mathrm{tag})$, where $\mathrm{tag} = E_K(H_\tau(M))$.

Construction of Suitable $\{H_\tau\}_{\tau \in T}$

Let $T = GF(2^n)$; $\mathcal{M} = GF(2^n)^s$, i.e., $\tau$ is an n-bit string and a message consists of s n-bit strings.

Write $M = (M_0, \ldots, M_{s-1})$. Then

$$
H_\tau(M) = M_0 \tau^{s-1} \oplus M_1 \tau^{s-2} \oplus \cdots \oplus M_{s-2} \tau \oplus M_{s-1}.
$$

It is easy to show that for uniform random $\tau$ and $M_1 \ne M_2$,

$$
\Pr[H_\tau(M_1) = H_\tau(M_2)] \le \frac{s-1}{2^n}.
$$
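The polynomial hash above, as an added example (not code from the slides): $H_\tau$ is evaluated by Horner's rule over GF(2^n), and the collision bound is checked exhaustively over all $\tau$ for a constructed pair of messages. The field size n = 8 and the reduction polynomial are constructed choices so that the enumeration is small.

```python
# Added example (not from the slides): the polynomial hash H_tau over GF(2^n)
# evaluated by Horner's rule, plus an exhaustive check of the collision bound
# (s-1)/2^n for a constructed pair of messages. n = 8 is used so that all 2^8
# values of tau can be enumerated; the reduction polynomial is a constructed
# choice (x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)).
N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^N): carry-less multiply, reduce by POLY."""
    result = 0
    for _ in range(N):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return result

def poly_hash(tau, blocks):
    """H_tau(M) = M_0 tau^{s-1} xor M_1 tau^{s-2} xor ... xor M_{s-1},
    computed by Horner's rule: h <- h * tau xor M_i for i = 0..s-1."""
    h = 0
    for m_i in blocks:
        h = gf_mul(h, tau) ^ m_i
    return h

def collision_probability(m1, m2):
    """Exact fraction of tau in GF(2^N) on which m1 and m2 collide."""
    assert len(m1) == len(m2) and m1 != m2
    hits = sum(poly_hash(t, m1) == poly_hash(t, m2) for t in range(1 << N))
    return hits / (1 << N)

def bound_holds(m1, m2):
    """Check Pr[H_tau(M1) = H_tau(M2)] <= (s-1)/2^n by enumeration."""
    s = len(m1)
    return collision_probability(m1, m2) <= (s - 1) / (1 << N)

if __name__ == "__main__":
    msg1 = [0x53, 0xCA, 0x00, 0x1F]   # constructed 4-block messages (s = 4)
    msg2 = [0x53, 0xCA, 0x01, 0x1F]   # differs from msg1 only in block 2
    print("collision prob:", collision_probability(msg1, msg2),
          "bound:", (len(msg1) - 1) / (1 << N), bound_holds(msg1, msg2))
```

Because msg1 and msg2 differ only in the coefficient of $\tau^1$, their hashes collide exactly when $\tau = 0$, so the measured probability is 1/256 against a bound of 3/256.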

How Far Does a Block Cipher Take You?

Is a Block Cipher Sufficient?

Assumption: the block cipher is “perfectly secure” (whatever that may mean).

Is that the end of the story?

No!

Block Cipher and Various Requirements

Block length. The block cipher handles n-bit blocks. Typically, n = 128, 192 or 256 bits.

Message requirements. Handle “long” messages. Handle “variable” length messages. Handle fixed length messages (a disk sector).

Secure block cipher. The block cipher ensures strong security for n-bit blocks.

Different security requirements. Privacy only. Authentication. Authenticated encryption. Authenticated encryption with associated data. Wide-block encryption. Disk sector encryption. Format preserving encryption. Deterministic authenticated encryption (key wrap problem). On-line encryption. Other niche requirements.

Modes of Operations

Commonly known modes. Electronic codebook mode (ECB). Cipher block chaining mode (CBC). Counter mode (Ctr). Output feedback mode (OFB). Cipher feedback mode (CFB).

Modes of Operations

message: $M_1, M_2, M_3, \ldots$ (n-bit blocks).

Electronic codebook (ECB) mode: $C_i = E_K(M_i)$, $i \ge 1$.

Insecurity of ECB Mode

[Figure omitted: illustration of the insecurity of ECB mode.] Source: Wikipedia http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation.

Modes of Operations (contd.)

message: $M_1, M_2, M_3, \ldots$ (n-bit blocks); initialization vector: n-bit IV (used as nonce).

Cipher block chaining (CBC) mode: $C_1 = E_K(M_1 \oplus IV)$; $C_i = E_K(M_i \oplus C_{i-1})$, $i \ge 2$.

CBC Mode

[Figure: plaintext blocks $P_1, P_2, \ldots, P_{m-1}, P_m$; $P_1$ is XORed with IV and each later $P_i$ with $C_{i-1}$ before passing through $E_K$, giving $C_1, C_2, \ldots, C_{m-1}, C_m$.]

Modes of Operations (contd.)

message: $M_1, M_2, M_3, \ldots$ (n-bit blocks); initialization vector: n-bit IV (used as nonce).

Output feedback (OFB) mode: $Z_1 = E_K(IV)$; $Z_i = E_K(Z_{i-1})$, $i \ge 2$; $C_i = M_i \oplus Z_i$, $i \ge 1$. This is essentially an additive stream cipher.

Cipher feedback (CFB) mode: $C_1 = M_1 \oplus E_K(IV)$; $C_i = M_i \oplus E_K(C_{i-1})$, $i \ge 2$. Can be used as a self-synchronizing stream cipher in a 1-bit feedback mode.

Counter (CTR) mode: $C_i = M_i \oplus E_K(\mathrm{nonce} \,\|\, \mathrm{bin}(i))$, $i \ge 1$.
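The five modes from the last three mode slides, together with the ECB pattern leak shown on the "Insecurity of ECB Mode" slide, as an added example (not code from the slides): each mode is written directly from its formula against an abstract block function E(K, X). The stand-in E is a constructed keyed hash, not a real block cipher; since only the encryption direction of each mode is shown, no inverse is needed.

```python
# Added example (not from the slides): the five modes written against an
# abstract block function E(K, X) following the slide formulas, plus a count
# of repeated ciphertext blocks showing why ECB leaks structure. E is a
# constructed stand-in (keyed BLAKE2b): a PRF, not a real block cipher.
import hashlib

N_BYTES = 16

def E(key, block):
    return hashlib.blake2b(block, key=key, digest_size=N_BYTES).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(msg):
    assert len(msg) % N_BYTES == 0, "demo assumes whole blocks (no padding)"
    return [msg[i:i + N_BYTES] for i in range(0, len(msg), N_BYTES)]

def ecb(key, msg, iv=None):  # C_i = E_K(M_i); no IV involved at all
    return b"".join(E(key, m) for m in blocks(msg))

def cbc(key, msg, iv):  # C_1 = E_K(M_1 xor IV); C_i = E_K(M_i xor C_{i-1})
    out, prev = [], iv
    for m in blocks(msg):
        prev = E(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)

def ofb(key, msg, iv):  # Z_1 = E_K(IV); Z_i = E_K(Z_{i-1}); C_i = M_i xor Z_i
    out, z = [], iv
    for m in blocks(msg):
        z = E(key, z)
        out.append(xor(m, z))
    return b"".join(out)

def cfb(key, msg, iv):  # C_1 = M_1 xor E_K(IV); C_i = M_i xor E_K(C_{i-1})
    out, prev = [], iv
    for m in blocks(msg):
        prev = xor(m, E(key, prev))
        out.append(prev)
    return b"".join(out)

def ctr(key, msg, nonce):  # C_i = M_i xor E_K(nonce || bin(i)); 12-byte nonce
    return b"".join(xor(m, E(key, nonce[:12] + i.to_bytes(4, "big")))
                    for i, m in enumerate(blocks(msg), start=1))

def repeated_block_pairs(ct):  # number of pairs i < j with C_i == C_j
    cs = blocks(ct)
    return sum(cs[i] == cs[j] for i in range(len(cs)) for j in range(i + 1, len(cs)))
```

For a message whose plaintext blocks repeat (say A, A, A, B, A), `repeated_block_pairs` reports 6 equal ciphertext pairs under ECB and 0 under the other four modes with a fresh IV, which is exactly the leak the picture on the ECB slide shows.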

Things to Note

ECB does not provide privacy.
Ctr provides privacy but not authentication.
CBC provides authentication, but not authenticated encryption.
Authenticated encryption with associated data? Wide block encryption? Disk encryption? Other security requirements?
There is no single mode which can be used for all applications.

Summary

A brief introduction to symmetric encryption. One-time pad and additive stream ciphers. Structure of practical block ciphers. Theoretical model of block ciphers. Authentication. Modes of operations of a block cipher.

Hopefully, this summary will be useful.

Thank you for your attention!