Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017

Stefan Kölbl June 19th, 2017

DTU Compute, Technical University of Denmark Introduction to Symmetric Key Cryptography User Implementation Protocols Cryptographic Algorithms

Myth ”Cryptographic Algorithms are never the weakest link.”

Symmetric Key Cryptography

Where does security fail? • • • •

1 Implementation Protocols Cryptographic Algorithms

Myth ”Cryptographic Algorithms are never the weakest link.”

Symmetric Key Cryptography

Where does security fail? • User • RC4 • •

Don’t blame the user!

1 Protocols Cryptographic Algorithms

Myth ”Cryptographic Algorithms are never the weakest link.”

Symmetric Key Cryptography

Where does security fail? • User • Implementation • •

Heartbleed

1 Cryptographic Algorithms

Myth ”Cryptographic Algorithms are never the weakest link.”

Symmetric Key Cryptography

Where does security fail? • User • Implementation • Protocols •

Drown Attack

1 Symmetric Key Cryptography

Where does security fail? • User • Implementation • Protocols • Cryptographic Algorithms

Myth ”Cryptographic Algorithms are never the weakest link.”

1 Symmetric Key Cryptography

Hash Function MD5

• Not collision resistant [WY05] • Constructing a rogue CA [Ste+09]

Hash Function SHA-1

• Not collision resistant [WYY05] • First practical collisions this year

Stream Cipher RC4

• Plaintext Recovery in TLS [AlF+13] • ...

2 Symmetric Key Cryptography

A long list...

• MIFARE Classic (Crypto 1) • Keeloq • A5/1, A5/2 • DECT • Kindle Cipher • ...

3 Symmetric Key Cryptography

What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange

4 Symmetric Key Cryptography

Digital Signatures

• Hash-based Signature Schemes (MSS, XMSS [BDH11], SPHINCS [Ber+15]) • Zero-Knowledge Proof Based (Fish [Cha+17], Picnic [Cha+17])

5 Symmetric Key Cryptography

Key Exchange with Merkle Puzzles (1978)

• Alice prepares m Puzzles: P1,..., Pm. • Solving a puzzle requires n steps.

• Reveals an id and key kid.

Alice Bob

P1,..., Pm P → Solve i idi, ki

idi

• Bob needs to compute n steps. • Adversary needs to compute mn.

6 Symmetric Key Cryptography

Note We need a shared secret between the parties.

MeetonFriday MeetonFriday

K E K E

qgWqNDAdcYgmyOy qgWqNDAdcYgmyOy

7 Symmetric Key Cryptography

The adversary • Eavesdrop on communication • Modify transmission • Delete/Insert messages • ...... but is bound in • Computational power • Available memory • Time • Data

8 Symmetric Key Cryptography

Goals of the attacker • Decrypt a ciphertext E • Forge a signature ? • Recover the secret key Message qgWqNDA • Distinguish output • ... ? Random

9 Symmetric Key Cryptography

How do we achieve security for an algorithm?

• Reduce security to a hard problem. • Make it secure against all known attacks.

Note We can not proof security for a primitive.

10 Encryption Block Ciphers

Key

Plaintext BC Ciphertext

• Encrypts blocks of fixed size n with a key of size k. • Requires a mode to encrypt arbitrary messages.

Block cipher is not an encryption scheme

11 K = 001111110000...111111001000...

Symmetric Key

Ideal Block Cipher

Plaintexts Ciphertexts

K = 101010111010...

12 K = 101010111010...111111001000...

Symmetric Key

Ideal Block Cipher

Plaintexts Ciphertexts

K = 001111110000...

12 K = 101010111010...001111110000...

Symmetric Key

Ideal Block Cipher

Plaintexts Ciphertexts

K = 111111001000...

12 Block Ciphers

A block cipher can be seen as a family of 2k n-bit bijections. Problem There are 2n! bijections, we ideally want to choose 2k uniformly at random.

Goal We need something efficient to mimic this behaviour.

13 Block Ciphers

Iterated construction

Key

Plaintext BC Ciphertext

K1 K2 K3 Kr

P f1 f2 f3 fr C

14 Symmetric Key Cryptography

L0 R0

f1 The Data Encryption Standard

• Developed in 1970s at IBM. f2 • Feistel Network with 16 rounds. f3 • Encrypts 64-bit blocks with 56-bit keys.

• Standardized in 1977. f4

L4 R4

15 Symmetric Key Cryptography

The Advanced Encryption Standard (AES)

• Public Competition hosted by NIST (1997-2001) • Must support block size of 128 bits and key size of 128, 192 and 256 bits.

• CAST-256 • FROG • RC6 • CRYPTON • HPC • Rijndael • DEAL • LOKI97 • SAFER+ • DFC • MAGENTA • Serpent • E2 • MARS • Twofish

16 Symmetric Key Cryptography

The Advanced Encryption Standard (AES)

• Public Competition hosted by NIST (1997-2001) • Must support block size of 128 bits and key size of 128, 192 and 256 bits.

• CAST-256 • FROG • RC6 • CRYPTON • HPC • Rijndael • DEAL • LOKI97 • SAFER+ • DFC • MAGENTA • Serpent • E2 • MARS • Twofish

16 Block Ciphers

AES/Rijndael

• Blocksize: 128-bit • Keysize: 128/192/256 bits • Iterated block cipher with 10/12/14 rounds • Is part of a wide-range of standards. • Direct support by instructions in modern CPUs.

17 Block Ciphers

Update 4 × 4 state of bytes a0,0 a 0,1 a0,2 a0,3 b0,0 b 0,1 b0,2 b0,3 • SubBytes SubBytes b b b b a1,0 a 1,1 a1,2 a1,3 1,0 1,1 1,2 1,3 • ShiftRows a2,0 a 2,1 a2,2 a2,3 b2,0 b 2,1 b2,2 b2,3

• MixColumns a3,0 a 3,1 a3,2 a3,3 b3,0 b 3,1 b3,2 b3,3 • AddKey S

18 Block Ciphers

Update 4 × 4 state of bytes

No a a a a a a a a • SubBytes change 0,0 0,1 0,2 0,3 0,0 0,1 0,2 0,3 ShiftRows • ShiftRows Shift 1 a1,0 a 1,1 a1,2 a1,3 a 1,1 a1,2 a1,3 a1,0 Shift 2 a2,0 a2,1 a2,2 a2,3 a2,2 a2,3 a2,0 a2,1 • MixColumns Shift 3 a3,0 a3,1 a3,2 a3,3 a3,3 a3,0 a3,1 a3,2 • AddKey

18 Block Ciphers

Update 4 × 4 state of bytes a 0,1 b 0,1 • SubBytes a0,0 a0,2 a0,3 b0,0 b0,2 b0,3 a MixColumns b 1,1 b 1,1 b b • ShiftRows a1,0 a1,2 a1,3 1,0 1,2 1,3 a a a a b2,0 b b b • MixColumns 2,0 2,1 2,2 2,3 2,1 2,2 2,3 a3,0 a3,2 a3,3 b3,0 b3,2 b3,3 • AddKey a 3,1 b 3,1

18 Block Ciphers

a0,0 a 0,1 a0,2 a0,3 b0,0 b 0,1 b0,2 b0,3 AddRoundKey Update 4 × 4 state of bytes a1,0 a 1,1 a1,2 a1,3 b1,0 b 1,1 b1,2 b1,3 • SubBytes a2,0 a 2,1 a2,2 a2,3 b2,0 b 2,1 b2,2 b2,3 a a a a b b b b • ShiftRows 3,0 3,1 3,2 3,3 3,0 3,1 3,2 3,3

• MixColumns k0,0 k 0,1 k0,2 k0,3

• AddKey k1,0 k 1,1 k 1,2 k 1,3

k2,0 k 2,1 k2,2 k2,3

k3,0 k 3,1 k3,2 k3,3

18 Block Ciphers

Current state of key recovery attacks for AES-128

0 6 7 8 10

244 [Fer+00] 2126.18 [BKR11]

299 [DFJ13] 2125.34 [BKR11]

There are many more attacks with different trade-offs of time/data/memory.

19 Stream Ciphers Stream Ciphers

Key IV

E

Keystream

Plaintext Ciphertext

• Encrypts individual digits. • IV to have multiple key stream for each K • Requires no padding. • Often used for low-bandwidth communication.

20 Stream Ciphers

Widely found in practice

• GSM standard (A5/1, A5/2) • LTE (SNOW 3G, ZUC) • Bluetooth (E0) • TLS protocol (RC4, ChaCha20)

21 Stream Ciphers

eSTREAM Project (EU) Goal ...promote the design of efficient and compact stream ciphers suitable for widespread adoption...

Software Hardware HC-128 Grain v1 Rabbit MICKEY 2.0 Salsa20/12 Trivium SOSEMANUK

22 Stream Ciphers

LFSR-based Constructions, e.g. A5/1

• Load IV and Key in registers. • Shift registers depending on values in . • Produces 1-bit output in each iteration.

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

23 Stream Ciphers

Counter Mode (CTR)

N||0 ... 01 N||0 ... 02 N||0 ... 03

AESK AESK AESK …

Keystream: C0,..., C127 C128,..., C255 C256,..., C383

Note Reusing nonce and counter gives same keystream.

24 Stream Ciphers

Salsa20 / ChaCha20 • ARX-based design • 512-bit state • Uses 256-bit key • 20 rounds • Fast in software • ChaCha20-Poly1305 in TLS

25 Stream Ciphers

Current state of key recovery attacks for Salsa20

0 5 6 7 8 20

28 [CM16] 2244.9 [CM16] 232 [CM16]

2137 [CM16]

For ChaCha typically one round less.

26 Cryptographic Hash Functions Hash Functions

”There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any H rate they could plug in your wire whenever they wanted WqNDAdcYgmyO to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”

27 Hash Functions

”There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any H rate they could plug in your wire whenever they wanted a1IMC3mLo9Lx to. You had to live – did live, from habit that became instinct – in the assumption that every noise you made was overheard, and, except in darkness, every movement scrutinized.”

28 Hash Functions

Applications

• Integrity Check • Digital Signature Schemes (this afternoon) • Password Hashing (https://password-hashing.net/) • Message Authentication • Commitment Schemes • ...

29 Hash Functions

Preimage Resistance

? H H(x)

For n-bit output size

• Best attack: 2n

30 Hash Functions

Second-Preimage Resistance

x H H(x)

≠

? H H(x)

For n-bit output size

• Best attack: 2n

31 Hash Functions

Collision Resistance

? H h

≠ =

? H h′

For n-bit output size

• Best attack: 2n/2

32 278.4 [Guo+10] 2123.4 [SA09] 2151.1 [KK12] 57/80 rounds 2255.5 [KRS12] 45/64 rounds

Hash Functions

Hardness of finding collision vs. preimages in practice

Algorithm Year n Collision Preimage

MD4 1990 128 < 1 sec MD5 1992 128 < 1 sec SHA-1 1995 160 263 SHA-256 2001 256 265.5 31/64 rounds

33 Hash Functions

Hardness of finding collision vs. preimages in practice

Algorithm Year n Collision Preimage

MD4 1990 128 < 1 sec 278.4 [Guo+10] MD5 1992 128 < 1 sec 2123.4 [SA09] SHA-1 1995 160 263 2151.1 [KK12] 57/80 rounds SHA-256 2001 256 265.5 31/64 rounds 2255.5 [KRS12] 45/64 rounds

33 Hash Functions

Requirements for security and performance can vary on application.

Password Hashing should be slow!

Performance on long/short mes- sages.

Collision resistance not required!

34 M2

M3

Hash Functions

Ideal Hash Function

M1

Messages Hashes

35 M3

Hash Functions

Ideal Hash Function

M1

M2

Messages Hashes

35 Hash Functions

Ideal Hash Function

M1

M2

M3

Messages Hashes

35 Hash Functions

How to construct a hash function?

• Merkle-Damgård with compression function (SHA-1, SHA-2)

M1 M2 Mn

f h1 f f hn+1 g IV h

Problem How do we construct the compression function?

36 Hash Functions

How to construct a hash function? • Merkle-Damgård with compression function (SHA-1, SHA-2)

hi

mi BC

hi+1

Solution Use a block cipher! ... but often state is too small.

36 Hash Functions

Compression Function Design (MD4)

Ai Bi Ci Di

Fi

Mi

Ki

≪ s

Ai+1 Bi+1 Ci+1 Di+1

37 Hash Functions

Compression Function Design (MD5)

Ai Bi Ci Di

Fi

Mi

Ki

≪ s

Ai+1 Bi+1 Ci+1 Di+1

38 Hash Functions

Compression Function Design (SHA-1)

Ai Bi Ci Di Ei

Fi

≪ 5

≪ 30 Wi

Ki

Ai+1 Bi+1 Ci+1 Di+1 Ei+1

39 Hash Functions

Compression Function Design (SHA-2)

Ai Bi Ci Di Ei Fi Gi Hi

If Wt

Σ1 Kt

Maj

Σ0

Ai+1 Bi+1 Ci+1 Di+1 Ei+1 Fi+1 Gi+1 Hi+1

40 Hash Functions

The 2005 Hash Crisis • Wang and Yu show that MD5 is not collision resistant [WY05]... • ... and SHA-1 isn’t either [WYY05]. • Concerns that SHA-2 will also fail.

SHA-1

MD5

MD4

41 Hash Functions

The SHA-3 Competition

• Public Competition to find a new standard SHA-3. • From 2007 to 2012

• Abacus • ECHO • Lesamnta • SHAMATA • ARIRANG • ECOH • Luffa • SHAvite-3 • AURORA • Edon-R • LUX • SIMD • Blake • EnRUPT • Maraca • Skein • Blender • ESSENCE • MCSSHA-3 • Spectral Hash • Blue Midnight Wish • FSB • MD6 • StreamHash • Boole • Fugue • MeshHash • SWIFFTX • Cheetah • Grøstl • NaSHA • Tangle • CHI • Hamsi • NKS2D • TIB3 • CRUNCH • HASH 2X • Ponic • Twister • CubeHash • JH • SANDstorm • Vortex • DCH • Keccak • Sarmal • WaMM • Dynamic SHA • Khichidi-1 • Sgàil • Waterfall • Dynamic SHA2 • LANE • Shabal • ZK-Crypt

42 Hash Functions

The SHA-3 Competition • Public Competition to find a new standard SHA-3. • From 2007 to 2012

• ECHO • Abacus • ECOH • SHAMATA • Lesamnta • ARIRANG • Edon-R • SHAvite-3 • Luffa • AURORA • EnRUPT • SIMD • LUX • ESSENCE • Maraca • Blake • FSB • Skein • MCSSHA-3 • Blender • Fugue • Spectral Hash • MD6 • Blue Midnight Wish • StreamHash • MeshHash • Boole • Grøstl • SWIFFTX • NaSHA • Cheetah • Hamsi • Tangle • NKS2D • CHI • HASH 2X • TIB3 • Ponic • CRUNCH • Twister • SANDstorm • CubeHash • JH • Vortex • Sarmal • DCH • WaMM • Sgàil • Dynamic SHA • Keccak • Waterfall • Shabal • Dynamic SHA2 • Khichidi-1 • ZK-Crypt • LANE

42 Hash Functions

The SHA-3 Competition

• Public Competition to find a new standard SHA-3. • From 2007 to 2012

• ECHO • Abacus • Lesamnta • SHAMATA • ECOH • ARIRANG • Luffa • SHAvite-3 • Edon-R • AURORA • LUX • SIMD • EnRUPT • Blake • Maraca • Skein • ESSENCE • Blender • MCSSHA-3 • Spectral Hash • FSB • Blue Midnight Wish • MD6 • StreamHash • Fugue • Boole • MeshHash • SWIFFTX • Grøstl • Cheetah • NaSHA • Tangle • Hamsi • CHI • NKS2D • TIB3 • HASH 2X • CRUNCH • Ponic • Twister • JH • CubeHash • SANDstorm • Vortex • DCH • Sarmal • WaMM • Keccak • Dynamic SHA • Sgàil • Waterfall • Khichidi-1 • Dynamic SHA2 • Shabal • ZK-Crypt • LANE

42 Hash Functions

SHA-3 Winner Keccak

h M0 M1 M2 h0 h1

r 0 π π π π π

c 0

• Based on the sponge construction. • Uses 1600-bit permutation π. • Parameters: rate r and capacity c. • Security claim of 2c/2. 43 Hash Functions

SHA3-256 (c = 512) collision resistance

0 4 5 24

2115 [DDS13]

practical [Qia+17]

Practical Attacks for c = 1601:

• Collisions for 6 rounds • Preimages for 4 rounds 1http://keccak.noekeon.org/crunchy_contest.html

44 Hash Functions

What should you use now?

”We don’t need another slow, secure hash function—we’ve already got SHA-2.” —Adam Langley, Mar. 20172

SHA-3 standard too conservative?3 • Use different parameters. • Tree hashing mode for better performance. • RFC for Kangaroo124

2 https://www.imperialviolet.org/2017/05/31/skipsha3.html 3 http://keccak.noekeon.org/is_sha3_slow.html 4 https://tools.ietf.org/html/draft-viguier-kangarootwelve-00 45 Symmetric Key Cryptography

What can we do? • Encryption • Authentication (MAC) • Hashing • Random Number Generation • Digital Signature Schemes • Key Exchange

46 Questions?

46 References i

Nadhem J. AlFardan et al. “On the Security of RC4 in TLS”. In: Proceedings of the 22th USENIX Security Symposium. 2013, pp. 305–320.

Johannes A. Buchmann, Erik Dahmen, and Andreas Hülsing. “XMSS - A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions”. In: Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2, 2011. Proceedings. 2011, pp. 117–129.

Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. “Biclique Cryptanalysis of the Full AES”. In: Advances in Cryptology - ASIACRYPT 2011. 2011, pp. 344–371.

Daniel J. Bernstein et al. “SPHINCS: Practical Stateless Hash-Based Signatures”. In: Advances in Cryptology - EUROCRYPT 2015. 2015, pp. 368–397.

47 References ii

Arka Rai Choudhuri and Subhamoy Maitra. “Significantly Improved Multi-bit Differentials for Reduced Round Salsa and ChaCha”. In: IACR Trans. Symmetric Cryptol. 2016.2 (2016), pp. 261–287.

Melissa Chase et al. Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives. Cryptology ePrint Archive, Report 2017/279. http://eprint.iacr.org/2017/279. 2017.

Itai Dinur, Orr Dunkelman, and Adi Shamir. “Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials”. In: Fast Software Encryption - 20th International Workshop, FSE 2013. 2013, pp. 219–240.

Patrick Derbez, Pierre-Alain Fouque, and Jérémy Jean. “Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting”. In: Advances in Cryptology - EUROCRYPT 2013. 2013, pp. 371–387.

Niels Ferguson et al. “Improved Cryptanalysis of Rijndael”. In: Fast Software Encryption, 7th International Workshop, FSE 2000. 2000, pp. 213–230.

48 References iii

Jian Guo et al. “Advanced Meet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Improved Results on MD4 and SHA-2”. In: Advances in Cryptology - ASIACRYPT 2010. 2010, pp. 56–75.

Simon Knellwolf and Dmitry Khovratovich. “New Preimage Attacks against Reduced SHA-1”. In: Advances in Cryptology - CRYPTO 2012. 2012, pp. 367–383.

Dmitry Khovratovich, Christian Rechberger, and Alexandra Savelieva. “Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family”. In: Fast Software Encryption - 19th International Workshop, FSE 2012. 2012, pp. 244–263.

Kexin Qiao et al. “New Collision Attacks on Round-Reduced Keccak”. In: Advances in Cryptology - EUROCRYPT 2017. 2017, pp. 216–243.

Yu Sasaki and Kazumaro Aoki. “Finding Preimages in Full MD5 Faster Than Exhaustive Search”. In: Advances in Cryptology - EUROCRYPT 2009. 2009, pp. 134–152.

49 References iv

Marc Stevens et al. “Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate”. In: Advances in Cryptology - CRYPTO 2009. 2009, pp. 55–69.

Xiaoyun Wang and Hongbo Yu. “How to Break MD5 and Other Hash Functions”. In: Advances in Cryptology - EUROCRYPT 2005. 2005, pp. 19–35.

Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. “Finding Collisions in the Full SHA-1”. In: Advances in Cryptology - CRYPTO 2005. 2005, pp. 17–36.

50