Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017
Stefan Kölbl June 19th, 2017
DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography User Implementation Protocols Cryptographic Algorithms
Myth ”Cryptographic Algorithms are never the weakest link.”
Symmetric Key Cryptography
Where does security fail? • • • •
1 Implementation Protocols Cryptographic Algorithms
Myth ”Cryptographic Algorithms are never the weakest link.”
Symmetric Key Cryptography
Where does security fail? • User • RC4 • •
Don’t blame the user!
1 Protocols Cryptographic Algorithms
Myth ”Cryptographic Algorithms are never the weakest link.”
Symmetric Key Cryptography
Where does security fail? • User • Implementation • •
Heartbleed
1 Cryptographic Algorithms
Myth ”Cryptographic Algorithms are never the weakest link.”
Symmetric Key Cryptography
Where does security fail? • User • Implementation • Protocols •
Drown Attack
1 Symmetric Key Cryptography
Where does security fail? • User • Implementation • Protocols • Cryptographic Algorithms
Myth ”Cryptographic Algorithms are never the weakest link.”
1 Symmetric Key Cryptography
Hash Function MD5
• Not collision resistant [WY05] • Constructing a rogue CA [Ste+09]
Hash Function SHA-1
• Not collision resistant [WYY05] • First practical collisions this year
Stream Cipher RC4
• Plaintext Recovery in TLS [AlF+13] • ...
2 Symmetric Key Cryptography
A long list...
• MIFARE Classic (Crypto 1) • Keeloq • A5/1, A5/2 • DECT • Kindle Cipher • ...
3 Symmetric Key Cryptography
What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange
4 Symmetric Key Cryptography
Digital Signatures
• Hash-based Signature Schemes (MSS, XMSS [BDH11], SPHINCS [Ber+15]) • Zero-Knowledge Proof Based (Fish [Cha+17], Picnic [Cha+17])
5 Symmetric Key Cryptography
Key Exchange with Merkle Puzzles (1978)
• Alice prepares m Puzzles: P1,..., Pm. • Solving a puzzle requires n steps.
• Reveals an id and key kid.
Alice Bob
P1,..., Pm P → Solve i idi, ki
idi
• Bob needs to compute n steps. • Adversary needs to compute mn.
6 Symmetric Key Cryptography
Note We need a shared secret between the parties.
MeetonFriday MeetonFriday
K E K E
qgWqNDAdcYgmyOy qgWqNDAdcYgmyOy
7 Symmetric Key Cryptography
The adversary • Eavesdrop on communication • Modify transmission • Delete/Insert messages • ...... but is bound in • Computational power • Available memory • Time • Data
8 Symmetric Key Cryptography
Goals of the attacker • Decrypt a ciphertext E • Forge a signature ? • Recover the secret key Message qgWqNDA • Distinguish output • ... ? Random
9 Symmetric Key Cryptography
How do we achieve security for an algorithm?
• Reduce security to a hard problem. • Make it secure against all known attacks.
Note We can not proof security for a primitive.
10 Encryption Block Ciphers
Key
Plaintext BC Ciphertext
• Encrypts blocks of fixed size n with a key of size k. • Requires a mode to encrypt arbitrary messages.
Block cipher is not an encryption scheme
11 K = 001111110000...111111001000...
Symmetric Key
Ideal Block Cipher
Plaintexts Ciphertexts
K = 101010111010...
12 K = 101010111010...111111001000...
Symmetric Key
Ideal Block Cipher
Plaintexts Ciphertexts
K = 001111110000...
12 K = 101010111010...001111110000...
Symmetric Key
Ideal Block Cipher
Plaintexts Ciphertexts
K = 111111001000...
12 Block Ciphers
A block cipher can be seen as a family of 2k n-bit bijections. Problem There are 2n! bijections, we ideally want to choose 2k uniformly at random.
Goal We need something efficient to mimic this behaviour.
13 Block Ciphers
Iterated construction
Key
Plaintext BC Ciphertext
K1 K2 K3 Kr
P f1 f2 f3 fr C
14 Symmetric Key Cryptography
L0 R0
f1 The Data Encryption Standard
• Developed in 1970s at IBM. f2 • Feistel Network with 16 rounds. f3 • Encrypts 64-bit blocks with 56-bit keys.
• Standardized in 1977. f4
L4 R4
15 Symmetric Key Cryptography
The Advanced Encryption Standard (AES)
• Public Competition hosted by NIST (1997-2001) • Must support block size of 128 bits and key size of 128, 192 and 256 bits.
• CAST-256 • FROG • RC6 • CRYPTON • HPC • Rijndael • DEAL • LOKI97 • SAFER+ • DFC • MAGENTA • Serpent • E2 • MARS • Twofish
16 Symmetric Key Cryptography
The Advanced Encryption Standard (AES)
• Public Competition hosted by NIST (1997-2001) • Must support block size of 128 bits and key size of 128, 192 and 256 bits.
• CAST-256 • FROG • RC6 • CRYPTON • HPC • Rijndael • DEAL • LOKI97 • SAFER+ • DFC • MAGENTA • Serpent • E2 • MARS • Twofish
16 Block Ciphers
AES/Rijndael
• Blocksize: 128-bit • Keysize: 128/192/256 bits • Iterated block cipher with 10/12/14 rounds • Is part of a wide-range of standards. • Direct support by instructions in modern CPUs.
17 Block Ciphers
Update 4 × 4 state of bytes a0,0 a 0,1 a0,2 a0,3 b0,0 b 0,1 b0,2 b0,3 • SubBytes SubBytes b b b b a1,0 a 1,1 a1,2 a1,3 1,0 1,1 1,2 1,3 • ShiftRows a2,0 a 2,1 a2,2 a2,3 b2,0 b 2,1 b2,2 b2,3
• MixColumns a3,0 a 3,1 a3,2 a3,3 b3,0 b 3,1 b3,2 b3,3 • AddKey S
18 Block Ciphers
Update 4 × 4 state of bytes
No a a a a a a a a • SubBytes change 0,0 0,1 0,2 0,3 0,0 0,1 0,2 0,3 ShiftRows • ShiftRows Shift 1 a1,0 a 1,1 a1,2 a1,3 a 1,1 a1,2 a1,3 a1,0 Shift 2 a2,0 a2,1 a2,2 a2,3 a2,2 a2,3 a2,0 a2,1 • MixColumns Shift 3 a3,0 a3,1 a3,2 a3,3 a3,3 a3,0 a3,1 a3,2 • AddKey
18 Block Ciphers
Update 4 × 4 state of bytes a 0,1 b 0,1 • SubBytes a0,0 a0,2 a0,3 b0,0 b0,2 b0,3 a MixColumns b 1,1 b 1,1 b b • ShiftRows a1,0 a1,2 a1,3 1,0 1,2 1,3 a a a a b2,0 b b b • MixColumns 2,0 2,1 2,2 2,3 2,1 2,2 2,3 a3,0 a3,2 a3,3 b3,0 b3,2 b3,3 • AddKey a 3,1 b 3,1
18 Block Ciphers
a0,0 a 0,1 a0,2 a0,3 b0,0 b 0,1 b0,2 b0,3 AddRoundKey Update 4 × 4 state of bytes a1,0 a 1,1 a1,2 a1,3 b1,0 b 1,1 b1,2 b1,3 • SubBytes a2,0 a 2,1 a2,2 a2,3 b2,0 b 2,1 b2,2 b2,3 a a a a b b b b • ShiftRows 3,0 3,1 3,2 3,3 3,0 3,1 3,2 3,3
• MixColumns k0,0 k 0,1 k0,2 k0,3
• AddKey k1,0 k 1,1 k 1,2 k 1,3
k2,0 k 2,1 k2,2 k2,3
k3,0 k 3,1 k3,2 k3,3
18 Block Ciphers
Current state of key recovery attacks for AES-128
0 6 7 8 10
244 [Fer+00] 2126.18 [BKR11]
299 [DFJ13] 2125.34 [BKR11]
There are many more attacks with different trade-offs of time/data/memory.
19 Stream Ciphers Stream Ciphers
Key IV
E
Keystream
Plaintext Ciphertext
• Encrypts individual digits. • IV to have multiple key stream for each K • Requires no padding. • Often used for low-bandwidth communication.
20 Stream Ciphers
Widely found in practice
• GSM standard (A5/1, A5/2) • LTE (SNOW 3G, ZUC) • Bluetooth (E0) • TLS protocol (RC4, ChaCha20)
21 Stream Ciphers
eSTREAM Project (EU) Goal ...promote the design of efficient and compact stream ciphers suitable for widespread adoption...
Software Hardware HC-128 Grain v1 Rabbit MICKEY 2.0 Salsa20/12 Trivium SOSEMANUK
22 Stream Ciphers
LFSR-based Constructions, e.g. A5/1
• Load IV and Key in registers. • Shift registers depending on values in . • Produces 1-bit output in each iteration.
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
23 Stream Ciphers
Counter Mode (CTR)
N||0 ... 01 N||0 ... 02 N||0 ... 03
AESK AESK AESK …
Keystream: C0,..., C127 C128,..., C255 C256,..., C383
Note Reusing nonce and counter gives same keystream.
24 Stream Ciphers
Salsa20 / ChaCha20 • ARX-based design • 512-bit state • Uses 256-bit key • 20 rounds • Fast in software • ChaCha20-Poly1305 in TLS
25 Stream Ciphers
Current state of key recovery attacks for Salsa20
0 5 6 7 8 20
28 [CM16] 2244.9 [CM16] 232 [CM16]
2137 [CM16]
For ChaCha typically one round less.
26 Cryptographic Hash Functions Hash Functions
”There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any H rate they could plug in your wire whenever they wanted WqNDAdcYgmyO to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”
27 Hash Functions
”There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any H rate they could plug in your wire whenever they wanted a1IMC3mLo9Lx to. You had to live – did live, from habit that became instinct – in the assumption that every noise you made was overheard, and, except in darkness, every movement scrutinized.”
28 Hash Functions
Applications
• Integrity Check • Digital Signature Schemes (this afternoon) • Password Hashing (https://password-hashing.net/) • Message Authentication • Commitment Schemes • ...
29 Hash Functions
Preimage Resistance
? H H(x)
For n-bit output size
• Best attack: 2n
30 Hash Functions
Second-Preimage Resistance
x H H(x)
≠
? H H(x)
For n-bit output size
• Best attack: 2n
31 Hash Functions
Collision Resistance
? H h
≠ =
? H h′
For n-bit output size
• Best attack: 2n/2
32 278.4 [Guo+10] 2123.4 [SA09] 2151.1 [KK12] 57/80 rounds 2255.5 [KRS12] 45/64 rounds
Hash Functions
Hardness of finding collision vs. preimages in practice
Algorithm Year n Collision Preimage
MD4 1990 128 < 1 sec MD5 1992 128 < 1 sec SHA-1 1995 160 263 SHA-256 2001 256 265.5 31/64 rounds
33 Hash Functions
Hardness of finding collision vs. preimages in practice
Algorithm Year n Collision Preimage
MD4 1990 128 < 1 sec 278.4 [Guo+10] MD5 1992 128 < 1 sec 2123.4 [SA09] SHA-1 1995 160 263 2151.1 [KK12] 57/80 rounds SHA-256 2001 256 265.5 31/64 rounds 2255.5 [KRS12] 45/64 rounds
33 Hash Functions
Requirements for security and performance can vary on application.
Password Hashing should be slow!
Performance on long/short mes- sages.
Collision resistance not required!
34 M2
M3
Hash Functions
Ideal Hash Function
M1
Messages Hashes
35 M3
Hash Functions
Ideal Hash Function
M1
M2
Messages Hashes
35 Hash Functions
Ideal Hash Function
M1
M2
M3
Messages Hashes
35 Hash Functions
How to construct a hash function?
• Merkle-Damgård with compression function (SHA-1, SHA-2)
M1 M2 Mn
f h1 f f hn+1 g IV h
Problem How do we construct the compression function?
36 Hash Functions
How to construct a hash function? • Merkle-Damgård with compression function (SHA-1, SHA-2)
hi
mi BC
hi+1
Solution Use a block cipher! ... but often state is too small.
36 Hash Functions
Compression Function Design (MD4)
Ai Bi Ci Di
Fi
Mi
Ki
≪ s
Ai+1 Bi+1 Ci+1 Di+1
37 Hash Functions
Compression Function Design (MD5)
Ai Bi Ci Di
Fi
Mi
Ki
≪ s
Ai+1 Bi+1 Ci+1 Di+1
38 Hash Functions
Compression Function Design (SHA-1)
Ai Bi Ci Di Ei
Fi
≪ 5
≪ 30 Wi
Ki
Ai+1 Bi+1 Ci+1 Di+1 Ei+1
39 Hash Functions
Compression Function Design (SHA-2)
Ai Bi Ci Di Ei Fi Gi Hi
If Wt
Σ1 Kt
Maj
Σ0
Ai+1 Bi+1 Ci+1 Di+1 Ei+1 Fi+1 Gi+1 Hi+1
40 Hash Functions
The 2005 Hash Crisis • Wang and Yu show that MD5 is not collision resistant [WY05]... • ... and SHA-1 isn’t either [WYY05]. • Concerns that SHA-2 will also fail.
SHA-1
MD5
MD4
41 Hash Functions
The SHA-3 Competition
• Public Competition to find a new standard SHA-3. • From 2007 to 2012
• Abacus • ECHO • Lesamnta • SHAMATA • ARIRANG • ECOH • Luffa • SHAvite-3 • AURORA • Edon-R • LUX • SIMD • Blake • EnRUPT • Maraca • Skein • Blender • ESSENCE • MCSSHA-3 • Spectral Hash • Blue Midnight Wish • FSB • MD6 • StreamHash • Boole • Fugue • MeshHash • SWIFFTX • Cheetah • Grøstl • NaSHA • Tangle • CHI • Hamsi • NKS2D • TIB3 • CRUNCH • HASH 2X • Ponic • Twister • CubeHash • JH • SANDstorm • Vortex • DCH • Keccak • Sarmal • WaMM • Dynamic SHA • Khichidi-1 • Sgàil • Waterfall • Dynamic SHA2 • LANE • Shabal • ZK-Crypt
42 Hash Functions
The SHA-3 Competition • Public Competition to find a new standard SHA-3. • From 2007 to 2012
• ECHO • Abacus • ECOH • SHAMATA • Lesamnta • ARIRANG • Edon-R • SHAvite-3 • Luffa • AURORA • EnRUPT • SIMD • LUX • ESSENCE • Maraca • Blake • FSB • Skein • MCSSHA-3 • Blender • Fugue • Spectral Hash • MD6 • Blue Midnight Wish • StreamHash • MeshHash • Boole • Grøstl • SWIFFTX • NaSHA • Cheetah • Hamsi • Tangle • NKS2D • CHI • HASH 2X • TIB3 • Ponic • CRUNCH • Twister • SANDstorm • CubeHash • JH • Vortex • Sarmal • DCH • WaMM • Sgàil • Dynamic SHA • Keccak • Waterfall • Shabal • Dynamic SHA2 • Khichidi-1 • ZK-Crypt • LANE
42 Hash Functions
The SHA-3 Competition
• Public Competition to find a new standard SHA-3. • From 2007 to 2012
• ECHO • Abacus • Lesamnta • SHAMATA • ECOH • ARIRANG • Luffa • SHAvite-3 • Edon-R • AURORA • LUX • SIMD • EnRUPT • Blake • Maraca • Skein • ESSENCE • Blender • MCSSHA-3 • Spectral Hash • FSB • Blue Midnight Wish • MD6 • StreamHash • Fugue • Boole • MeshHash • SWIFFTX • Grøstl • Cheetah • NaSHA • Tangle • Hamsi • CHI • NKS2D • TIB3 • HASH 2X • CRUNCH • Ponic • Twister • JH • CubeHash • SANDstorm • Vortex • DCH • Sarmal • WaMM • Keccak • Dynamic SHA • Sgàil • Waterfall • Khichidi-1 • Dynamic SHA2 • Shabal • ZK-Crypt • LANE
42 Hash Functions
SHA-3 Winner Keccak
h M0 M1 M2 h0 h1
r 0 π π π π π
c 0
• Based on the sponge construction. • Uses 1600-bit permutation π. • Parameters: rate r and capacity c. • Security claim of 2c/2. 43 Hash Functions
SHA3-256 (c = 512) collision resistance
0 4 5 24
2115 [DDS13]
practical [Qia+17]
Practical Attacks for c = 1601:
• Collisions for 6 rounds • Preimages for 4 rounds 1http://keccak.noekeon.org/crunchy_contest.html
44 Hash Functions
What should you use now?
”We don’t need another slow, secure hash function—we’ve already got SHA-2.” —Adam Langley, Mar. 20172
SHA-3 standard too conservative?3 • Use different parameters. • Tree hashing mode for better performance. • RFC for Kangaroo124
2 https://www.imperialviolet.org/2017/05/31/skipsha3.html 3 http://keccak.noekeon.org/is_sha3_slow.html 4 https://tools.ietf.org/html/draft-viguier-kangarootwelve-00 45 Symmetric Key Cryptography
What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange
46 Questions?
46 References i
Nadhem J. AlFardan et al. “On the Security of RC4 in TLS”. In: Proceedings of the 22th USENIX Security Symposium. 2013, pp. 305–320.
Johannes A. Buchmann, Erik Dahmen, and Andreas Hülsing. “XMSS - A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions”. In: Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2, 2011. Proceedings. 2011, pp. 117–129.
Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. “Biclique Cryptanalysis of the Full AES”. In: Advances in Cryptology - ASIACRYPT 2011. 2011, pp. 344–371.
Daniel J. Bernstein et al. “SPHINCS: Practical Stateless Hash-Based Signatures”. In: Advances in Cryptology - EUROCRYPT 2015. 2015, pp. 368–397.
47 References ii
Arka Rai Choudhuri and Subhamoy Maitra. “Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha”. In: IACR Trans. Symmetric Cryptol. 2016.2 (2016), pp. 261–287.
Melissa Chase et al. Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives. Cryptology ePrint Archive, Report 2017/279. http://eprint.iacr.org/2017/279. 2017.
Itai Dinur, Orr Dunkelman, and Adi Shamir. “Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials”. In: Fast Software Encryption - 20th International Workshop, FSE 2013. 2013, pp. 219–240.
Patrick Derbez, Pierre-Alain Fouque, and Jérémy Jean. “Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting”. In: Advances in Cryptology - EUROCRYPT 2013. 2013, pp. 371–387.
Niels Ferguson et al. “Improved Cryptanalysis of Rijndael”. In: Fast Software Encryption, 7th International Workshop, FSE 2000. 2000, pp. 213–230.
48 References iii
Jian Guo et al. “Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2”. In: Advances in Cryptology - ASIACRYPT 2010. 2010, pp. 56–75.
Simon Knellwolf and Dmitry Khovratovich. “New Preimage Attacks against Reduced SHA-1”. In: Advances in Cryptology - CRYPTO 2012. 2012, pp. 367–383.
Dmitry Khovratovich, Christian Rechberger, and Alexandra Savelieva. “Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family”. In: Fast Software Encryption - 19th International Workshop, FSE 2012. 2012, pp. 244–263.
Kexin Qiao et al. “New Collision Attacks on Round-Reduced Keccak”. In: Advances in Cryptology - EUROCRYPT 2017. 2017, pp. 216–243.
Yu Sasaki and Kazumaro Aoki. “Finding Preimages in Full MD5 Faster Than Exhaustive Search”. In: Advances in Cryptology - EUROCRYPT 2009. 2009, pp. 134–152.
49 References iv
Marc Stevens et al. “Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate”. In: Advances in Cryptology - CRYPTO 2009. 2009, pp. 55–69.
Xiaoyun Wang and Hongbo Yu. “How to Break MD5 and Other Hash Functions”. In: Advances in Cryptology - EUROCRYPT 2005. 2005, pp. 19–35.
Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. “Finding Collisions in the Full SHA-1”. In: Advances in Cryptology - CRYPTO 2005. 2005, pp. 17–36.
50