Chapter 4

Block Ciphers

Course website: https://ece.uwaterloo.ca/~j25ni/CP460

1 Outline

• Block ciphers
• Data encryption standard (DES)
• Block cipher attacks
• Advanced encryption standard (AES)
• Encryption modes

2 Block Ciphers

Block ciphers play an important role in securing systems. They can be used to construct:

• Pseudo-random number generators
• Stream ciphers
• Message authentication codes (MAC)
• The core components of technology, data integrity mechanisms, identity authentication protocols and the single- system.

3 Requirements in Implementation

• Security
• Speed
• Storage (program length, data packet length, cache size)
• Implementation platform (hardware, software, chip)
• Encryption mode

4 Basic Concept

Plaintext sequence x1, x2, …, xi, …

Encryption E: P^n × K → C^m for a sequence of length n

Key k = (k0, k1, …, k_{t-1}) (the same key is used for encryption and decryption)

Plaintext x = (x0, x1, …, x_{n-1}) → Encryption → Ciphertext y = (y0, y1, …, y_{m-1}) → Decryption → Plaintext x = (x0, x1, …, x_{n-1})

n = m in general. If n < m, it is a block cipher with data extension. If n > m, it is a block cipher with data compression.

5 Design Problem

The design problem of block ciphers is to find an algorithm that, under the control of the key, can easily and quickly select one permutation from a large enough and sufficiently good subset of all permutations, and apply it to encrypt the input plaintext.

6 Design Principles

Confusion and diffusion are two properties of the operation of a secure block cipher.

Confusion: each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.

Diffusion: if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then approximately half of the plaintext bits should change, so that the statistical properties of the plaintext are hidden.

7 Requirements on Block Cipher Algorithm

• The block size n is large enough: prevents exhaustive attack on the plaintext.
• The number of keys is large enough: eliminate weak keys and make all keys equally good, to prevent exhaustive attack on keys.
• The permutation determined by the key is complex enough: realize confusion and diffusion between plaintext and key so that their connections are obscured, to prevent known attacks.
• Encryption and decryption operations are simple: easy to implement in software and hardware at high speed.
• Data extension: none by default; data extension can be introduced when using homomorphic permutation and randomization encryption techniques.
• Error propagation is as small as possible.

8 Block Cipher Examples

• AES
• DES
• 3DES
• IDEA

(Figure: Plaintext → E → Ciphertext → D → Plaintext, with E and D both controlled by the Key.)

9 Round Function

R(k, m) is called a round function.

10 Performance

Crypto++ 5.6.0 [Wei Dai], AMD Opteron 2.2 GHz (Linux)

Cipher            Block/key size (bits)   Throughput [MB/s]
Stream ciphers:
  RC4             n/a                     126
  …/12            n/a                     643
  Sosemanuk       n/a                     727
Block ciphers:
  3DES            64/168                  13
  AES128          128/128                 109

11 History of DES

1970s: Lucifer cipher designed at IBM (key = 128 bits, block = 128 bits)
1973: NBS (National Bureau of Standards) asks for block cipher proposals. IBM submits a variant of Lucifer.
1976: NBS adopts DES as a federal standard (key = 56 bits, block = 64 bits)
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES. AES is currently widely deployed in banking, commerce and the Web.

12 DES: core idea – Feistel network

Given one-way functions f1, …, fd on n-bit values, the goal is to build an invertible function on 2n-bit values.

(Figure: input halves L0, R0 of n bits each; rounds 1 … d apply f1, …, fd; output halves Ld, Rd. In each round the output of fi on the right half is XORed into the left half and the halves are swapped.)

In symbols: Li = Ri-1, Ri = Li-1 ⊕ fi(Ri-1) for i = 1, …, d.

13 Feistel network – inverse

Claim: the Feistel function F is invertible.
Proof: construct the inverse.

(Figure: one round maps (Li, Ri) to (Li+1, Ri+1) using fi+1; the inverse maps (Li+1, Ri+1) back to (Li, Ri) using the same fi+1: Ri = Li+1 and Li = Ri+1 ⊕ fi+1(Li+1).)

14 Decryption circuit

(Figure: the decryption circuit on n-bit halves runs from (Ld, Rd) back to (L0, R0), applying fd, fd-1, …, f1 in that order.)
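As an added example, not code from the slides, here is the generic Feistel construction of the figures above in Python. The round function is deliberately a keyed one-way hash of the right half, so it is not a permutation on its own, yet the whole network is invertible: `feistel_decrypt` undoes the rounds from the last one backwards, and `decrypt_via_encrypt` shows the slides' point that inversion is the same circuit with f1, …, fd applied in reverse order (plus a swap of the halves). The function names, the 32-bit half size and the four sample round keys are assumptions made for the illustration.

```python
# Added example (not from the slides): a generic Feistel network on 64-bit
# blocks split into two 32-bit halves. Round functions f_i(k_i, R) are
# non-invertible hashes; the network is still a permutation. All names here
# are hypothetical and chosen for illustration only.
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(round_key: int, right: int) -> int:
    """f_i: a keyed one-way function of the right half (truncated SHA-256).
    Not a permutation: many inputs collide, and that is fine for Feistel."""
    data = round_key.to_bytes(8, "big") + right.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_encrypt(block: int, round_keys) -> int:
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(k_i, R_{i-1})."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        left, right = right, left ^ round_function(k, right)
    return (left << 32) | right


def feistel_decrypt(block: int, round_keys) -> int:
    """Undo the rounds from the last one back to the first:
    R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(k_i, L_i)."""
    left, right = block >> 32, block & MASK32
    for k in reversed(round_keys):
        left, right = right ^ round_function(k, left), left
    return (left << 32) | right


def decrypt_via_encrypt(block: int, round_keys) -> int:
    """The slides' observation: decryption is the encryption circuit with the
    round keys reversed, plus a swap of the halves at input and output."""
    swapped = ((block & MASK32) << 32) | (block >> 32)
    out = feistel_encrypt(swapped, list(reversed(round_keys)))
    return ((out & MASK32) << 32) | (out >> 32)


ROUND_KEYS = [0x1234, 0xABCD, 0x5555, 0x0F0F]  # constructed sample round keys
SAMPLE_BLOCK = 0x0123456789ABCDEF               # constructed sample block

if __name__ == "__main__":
    c = feistel_encrypt(SAMPLE_BLOCK, ROUND_KEYS)
    print(hex(c), hex(feistel_decrypt(c, ROUND_KEYS)))
```

Because the round function never has to be inverted, a designer is free to pick f for its confusion and diffusion properties alone; DES does exactly this with its S-boxes, and the key schedule simply supplies k1, …, k16 in the opposite order for decryption.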

• Inversion is basically the same circuit, with f1, …, fd applied in reverse order.
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES.

15 DES: 16 round Feistel network

(Figure: the 56-bit key k goes through key expansion to produce 48-bit round keys k1, k2, …, k16. The 64-bit input is split into L0, R0 after the initial permutation IP; 16 Feistel rounds with f1, f2, …, f16 and ⊕ produce L16, R16; the final permutation IP^-1 gives the 64-bit output.)

16-round Feistel network. To invert, use the round keys in reverse order.

16 Initial permutation (IP) Table

17 Initial permutation

(Figure: the IP table; X = IP(M).)

18 IP^-1 Table

Y = IP^-1(X) = IP^-1(IP(M))

19 The function F(ki, x)

S-box: a function {0,1}^6 → {0,1}^4, implemented as a lookup table.

20 Expansion function E

E(a1 a2 … a32) = a32 a1 a2 a3 a4 a5 a4 … a31 a32 a1

21 Permutation P

P(c1 c2 … c32) = c16 c7 c20 c21 c29 c12 c28 … c11 c4 c25

22 The S Boxes

e.g., S1(011011) = 1001 (the outer bits 01 select the row, the inner bits 1101 select the column)

23 DES

Forms the subkeys used in each round:
– initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves
– 16 stages, each consisting of:
  • rotating each half separately either 1 or 2 places depending on the key rotation schedule K (left-circular shift)
  • selecting 24 bits from each half and permuting them by PC2 for use in the round function F

24 Input Key

64-bit key → 56-bit input key

25 Permuted Choice (PC)

26 Left-circular Shift (LCS)

Round 4: left-circular shift by 2 bits
1101100011010111000101010100
→ 0110001101011100010101010011

27 Outline

• Block ciphers
• Data encryption standard (DES)
• Block cipher attacks
• Advanced encryption standard (AES)
• Encryption modes

28 Exhaustive Search for block cipher key

Goal: given a few input/output pairs (mi, ci = E(k, mi)), i = 1, …, n, find the key k.

Attack: brute force over all keys k.

29 DES challenge

msg = "The unknown messages is:XXXXXXXX…"
CT = c1 c2 c3 c4

Goal: find k ∈ {0,1}^56 s.t. DES(k, mi) = ci for i = 1, 2, 3. How expensive is it to reveal DES^-1(k, c4)?

1976: DES adopted as federal standard
1997: Distributed search, 3 months
1998: EFF Deep Crack, 56 hours, $250,000
1999: Distributed search and Deep Crack, 22 hours
2006: COPACOBANA (120 FPGAs parallel machine), 7 days, $10,000

⇒ 56-bit keys should not be used (a 128-bit key would take 2^72 days).

30 Strengthening DES

Method 1: Triple-DES. Let E: K × M → M be a block cipher. Define 3E: K^3 × M → M as:

3E((k1, k2, k3), m) = E(k1, D(k2, E(k3, m)))

3DES:
- Key size: 3 × 56 = 168 bits
- k1 = k2 = k3 ⇒ DES
- 3× slower than DES
- Simple attack in time ≈ 2^118

31 Why not 2DES?

• Define 2E((k1, k2), m) = E(k1, E(k2, m)); key length = 112 bits for 2DES.

(Figure: m → E(k2, ·) → E(k1, ·) → c)

Given: M = (m1, …, m10), C = (c1, …, c10). Naïve method:
  For each k2 ∈ {0,1}^56:
    For each k1 ∈ {0,1}^56:
      if E(k1, E(k2, mi)) = ci then (k2, k1) is the key
That is 2^112 checks.

32 Meet in the middle attack

• 2E((k1, k2), m) = E(k1, E(k2, m)); key length = 112 bits for 2DES.

(Figure: encrypt m forwards with E(k2, ·) to get c'; decrypt c backwards with D(k1, ·) to get c''.)

Idea: the key is found when c' = c'', i.e., E(ki, m) = D(kj, c).

33 Meet in the middle attack

Attack: M = (m1, …, m10), C = (c1, …, c10).

• Step 1: build a table with 2^56 entries, one per key:
  k0 = 00…00 → E(k0, M)
  k1 = 00…01 → E(k1, M)
  k2 = 00…10 → E(k2, M)
  …
  kN = 11…11 → E(kN, M)
  Sort on the 2nd column; the table maps c' to k2.

34 Meet in the middle attack

M = (m1, …, m10), C = (c1, …, c10).

• Step 1: build the table k → E(k, M) for k0 = 00…00, k1 = 00…01, k2 = 00…10, …, kN = 11…11.
• Step 2: for each k ∈ {0,1}^56: test whether D(k, C) is in the 2nd column. If so, then E(ki, M) = D(k, C) and (ki, k) = (k2, k1).

35 Meet in the middle attack

Time = 2^56 log(2^56) + 2^56 log(2^56) < 2^63 << 2^112
       [build & sort table]   [search entries]
Space ≈ 2^56 [table size]

Same attack on 3DES: Time = 2^118, Space ≈ 2^56

(Figure: m → E(k3, ·) → D(k2, ·) → E(k1, ·) → c)
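As an added example, not from the slides, the meet-in-the-middle procedure of slides 32 to 35 run end to end on a hypothetical toy block cipher (16-bit block, 8-bit key), so that the entire key space fits in a loop and the effect on security can be measured: double encryption with two 8-bit keys costs the attacker about 2 × 2^8 cipher evaluations plus a lookup, not 2^16. The toy cipher, its name and the sample keys are assumptions; the structure of the attack is the one described above. It also shows the detail the slides gloss over with ten known pairs: a match on a single pair can be a coincidence and must be confirmed on the remaining pairs.

```python
# Added example (not from the slides): meet-in-the-middle against double
# encryption, run on a HYPOTHETICAL toy block cipher (16-bit block, 8-bit key)
# so that the full key space fits in a loop. The structure is exactly the
# slides' attack on 2E((k1, k2), m) = E(k1, E(k2, m)); only the cipher is a toy.
NKEYS = 256          # 2^8 keys for the toy; 2^56 for DES
MASK16 = 0xFFFF


def _spread(k: int) -> int:
    """Repeat the 8-bit key in both bytes of a 16-bit word."""
    return ((k & 0xFF) << 8) | (k & 0xFF)


def toy_E(k: int, m: int) -> int:
    """Toy cipher: add key, rotate left by 5, xor key (a permutation for every k)."""
    x = (m + _spread(k)) & MASK16
    x = ((x << 5) | (x >> 11)) & MASK16
    return x ^ _spread(k)


def toy_D(k: int, c: int) -> int:
    """Inverse of toy_E: undo the xor, the rotation and the addition."""
    x = c ^ _spread(k)
    x = ((x >> 5) | (x << 11)) & MASK16
    return (x - _spread(k)) & MASK16


def double_E(k1: int, k2: int, m: int) -> int:
    return toy_E(k1, toy_E(k2, m))


def meet_in_the_middle(pairs):
    """pairs = [(m_i, c_i)] with c_i = 2E((k1, k2), m_i).
    Returns (candidate (k1, k2) keys consistent with all pairs, cipher calls made)."""
    m0, c0 = pairs[0]
    calls = 0
    # Step 1: table mapping c' = E(k2, m0) -> k2 (a dict replaces the sorted table)
    table = {}
    for k2 in range(NKEYS):
        table.setdefault(toy_E(k2, m0), []).append(k2)
        calls += 1
    # Step 2: for each k1 compute c'' = D(k1, c0) and look it up
    candidates = []
    for k1 in range(NKEYS):
        calls += 1
        for k2 in table.get(toy_D(k1, c0), []):
            # a match on one pair may be accidental: confirm on the remaining pairs
            calls += 2 * (len(pairs) - 1)   # upper bound on verification calls
            if all(double_E(k1, k2, m) == c for m, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, calls


# Constructed sample: a secret key pair and three known plaintext/ciphertext pairs
SECRET_K1, SECRET_K2 = 0x3C, 0xA7
KNOWN_PAIRS = [(m, double_E(SECRET_K1, SECRET_K2, m)) for m in (0x1234, 0xBEEF, 0x0001)]

if __name__ == "__main__":
    found, work = meet_in_the_middle(KNOWN_PAIRS)
    print(found, work, "cipher calls vs", NKEYS * NKEYS, "for brute force")
```

The table is the whole cost: for DES it has 2^56 entries, which is why the slides give Space ≈ 2^56 and Time ≈ 2^63 rather than 2^112. Cascading a second, independent key therefore buys roughly one extra bit of security, which is the reason 3DES rather than 2DES was standardised.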

36 Method 2: DESX

Let E: K × {0,1}^n → {0,1}^n be a block cipher. Define EX as

EX((k1, k2, k3), m) = k1 ⊕ E(k2, m ⊕ k3)

For DESX: key length = 64 + 56 + 64 = 184 bits … but there is a meet-in-the-middle attack in time 2^(64+56) = 2^120.

Note: k1 ⊕ E(k2, m) and E(k2, m ⊕ k1) do almost nothing!

37 Attacks on the implementation

1. Side channel attacks:
– Measure the time taken by enc/dec, or the power consumed by enc/dec [Kocher, Jaffe, Jun, 1998]

(Figure: power trace of a smartcard doing DES, in which the IP, the 16 rounds and the IP^-1 are visible.)

2. Fault attacks:
– Computing errors in the last round expose the secret key k

⇒ never implement crypto primitives yourself …

38 Outline

• Block ciphers
• Data encryption standard (DES)
• Block cipher attacks
• Advanced encryption standard (AES)
• Encryption modes

39 AES

• 1997: DES broken by exhaustive search
• 1997: NIST publishes request for proposals
• 1998: 15 submissions
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium)

40 AES: Subs-Perm network

DES is based on Feistel networks. AES is based on the idea of substitution-permutation networks, that is, alternating steps of substitution and permutation operations.

41 AES is a Subs-Perm network (not Feistel)

(Figure: the input is XORed with round keys k1, k2, …, kn; each round is a substitution layer of S-boxes S1, S2, S3, …, S8 followed by a permutation layer; inversion runs the layers backwards.)

42 States

Key sizes: 128, 192, 256 bits
Block size: 128 bits

State: the output of the round function in AES.
• The state can be represented as a matrix (array) of bytes.
• The array has 4 rows, and the number of columns Nb is the block size divided by 32.

Key: a matrix (array) of bytes with 4 rows; the number of columns Nk is the key size divided by 32.

Number of rounds as a function of Nk and Nb:

        Nb=4   Nb=6   Nb=8
Nk=4     10     12     14
Nk=6     12     12     14
Nk=8     14     14     14

43 AES-128: 10 rounds

(Figure: 4×4-byte input; key expansion turns the 16-byte key into 176 bytes of round keys k0, k1, k2, …, k9, k10; each round applies (1) ByteSub, (2) ShiftRow, (3) MixColumn, all invertible, with the last round omitting MixColumn; 16-byte output.)

44 ByteSub

Approach (1): substitute A → Y by table lookup.

Approach (2): substitute A → Y in two steps: (1) find the inverse in GF(2^8), i.e., X = Inv(A); (2) apply the affine transformation to X:

[y0]   [1 0 0 0 1 1 1 1] [x0]   [1]
[y1]   [1 1 0 0 0 1 1 1] [x1]   [1]
[y2]   [1 1 1 0 0 0 1 1] [x2]   [0]
[y3] = [1 1 1 1 0 0 0 1] [x3] + [0]   (arithmetic over GF(2))
[y4]   [1 1 1 1 1 0 0 0] [x4]   [0]
[y5]   [0 1 1 1 1 1 0 0] [x5]   [1]
[y6]   [0 0 1 1 1 1 1 0] [x6]   [1]
[y7]   [0 0 0 1 1 1 1 1] [x7]   [0]
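As an added example, not from the slides, here is Approach (2) carried out in Python: the multiplicative inverse in GF(2^8) followed by the affine map of the matrix above, checked against values a practitioner can look up in FIPS-197 (S(0x00) = 0x63, S(0x53) = 0xED). `build_tables` then produces the 256-byte table of Approach (1) and its inverse, which is what the "pre-compute S-box only" option on the code size slide stores. Function names are hypothetical; the field polynomial and constant are the AES ones.

```python
# Added example (not from the slides): building the AES S-box as the
# "Approach (2)" slide describes, inverse in GF(2^8) followed by the affine
# map, and deriving the lookup table of Approach (1) from it. Names are
# hypothetical; the constants are those of AES.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY & 0xFF   # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 = a^-1 in GF(2^8); Inv(0) is defined as 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0


def affine(x: int) -> int:
    """The slide's matrix: y_i = x_i ^ x_{i+4} ^ x_{i+5} ^ x_{i+6} ^ x_{i+7} ^ c_i
    (indices mod 8), with the constant column c = 0x63 = 01100011b."""
    y = 0
    for i in range(8):
        bit = 0
        for j in (0, 4, 5, 6, 7):
            bit ^= (x >> ((i + j) % 8)) & 1
        y |= bit << i
    return y ^ 0x63


def sbox(a: int) -> int:
    """ByteSub of one byte: affine(Inv(a))."""
    return affine(gf_inv(a))


def build_tables():
    """Approach (1): the 256-byte lookup table and its inverse for InvByteSub."""
    s = [sbox(a) for a in range(256)]
    inv = [0] * 256
    for a, y in enumerate(s):
        inv[y] = a
    return s, inv


if __name__ == "__main__":
    print(hex(sbox(0x00)), hex(sbox(0x53)), len(set(build_tables()[0])))
```

The inverse is what gives the S-box its resistance to linear and differential cryptanalysis; the affine map is there so that the S-box has no fixed points and is not simply the field inverse. Computing it on the fly (no pre-computation) trades the 256-byte table for the loops above, which is the smallest and slowest option on the tradeoff slide.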

45 ShiftRows and MixColumns

• ByteSub: a 1-byte S-box, a 256-byte table (easily computable).
• ShiftRows: (figure) each row of the state is cyclically shifted.
• MixColumns: c(x) ⊗ A, (figure) each column of the state is multiplied by a fixed polynomial c(x).

Animation: https://www.youtube.com/watch?v=gP4PqVGudtg

46 Code size/performance tradeoff

                                    Code size   Performance
Pre-compute round functions         largest     fastest: table lookups and XORs
  (24KB or 4KB)
Pre-compute S-box only (256 bytes)  smaller     slower
No pre-computation                  smallest    slowest

47 Example: JavaScript AES

AES in the browser: AES library (6.4KB), no pre-computed tables.

Prior to encryption: pre-compute the tables. Then encrypt using the tables.

48 AES in hardware

AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES. 128-bit registers: xmm1 = state, xmm2 = round key.
  aesenc xmm1, xmm2 ; puts the result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim: 14× speed-up over OpenSSL on the same hardware

Similar instructions on AMD Bulldozer.

49 Attacks

Best key recovery attack: four times better than exhaustive search [BKR'11]

Related key attack on AES-256 [BK'09]: given 2^99 input/output pairs from four related keys in AES-256, keys can be recovered in time ≈ 2^99

50 Outline

• Block ciphers
• Data encryption standard (DES)
• Block cipher attacks
• Advanced encryption standard (AES)
• Encryption modes

51 Bit Padding

Block ciphers require their input to be an exact multiple of the block size. If the plaintext to be encrypted is not an exact multiple, a padding string is added before encryption.

A single set ('1') bit is appended to the message, followed by as many reset ('0') bits as required (possibly none). The number of reset ('0') bits added depends on the block boundary to which the message needs to be extended. In bit terms, this is "1000 … 0000".

52 Encryption Modes

Even with a secure block cipher algorithm, an encryption mode is needed to hide the statistical characteristics and data format of the plaintext, improve overall security, and prevent deletion, replay, insertion and forgery attacks.
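As an added example for the bit padding of slide 51, not from the slides, here is the rule applied at byte granularity (a 0x80 byte carries the single 1 bit, 0x00 bytes carry the 0 bits), together with the unpadding check a decryptor needs. The edge case worth seeing is a message that is already a block multiple: a whole block of padding is still added, so the receiver never has to guess whether the trailing 0x80 belonged to the data. Function names are assumptions.

```python
# Added example (not from the slides): byte-oriented bit padding, the
# "1000…0000" rule applied at byte granularity (0x80 then 0x00 bytes), with the
# unpadding check a decryptor needs. Function names are hypothetical.
def bit_pad(msg: bytes, block_size: int) -> bytes:
    """Append the single 1 bit (as 0x80) and then as many 0 bits (0x00 bytes)
    as needed to reach the next block boundary. If msg is already a multiple
    of block_size a whole block of padding is added, so unpadding never has
    to guess whether padding is present."""
    pad_len = block_size - (len(msg) % block_size)
    return msg + b"\x80" + b"\x00" * (pad_len - 1)


def bit_unpad(padded: bytes, block_size: int) -> bytes:
    """Strip the padding, rejecting anything that is not a valid 0x80 00…00
    tail lying inside the last block."""
    if not padded or len(padded) % block_size:
        raise ValueError("length is not a multiple of the block size")
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0x00:      # skip the trailing 0 bits
        i -= 1
    if i < 0 or padded[i] != 0x80 or len(padded) - i > block_size:
        raise ValueError("invalid bit padding")
    return padded[:i]


def is_valid_padding(padded: bytes, block_size: int) -> bool:
    """Boolean form of the check, for callers that must not raise."""
    try:
        bit_unpad(padded, block_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample inputs: a short message and one that is exactly a block
    for m in (b"abc", b"12345678"):
        p = bit_pad(m, 8)
        print(p, bit_unpad(p, 8) == m)
```

Whether the padding is valid is something the receiver learns only after decryption, so an implementation that reports "bad padding" differently from "bad data" hands an observer a distinguishing signal; the check above is meant to be combined with integrity protection, not used as the sole validation of a ciphertext.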

• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Output Feedback (OFB)
• Cipher Feedback (CFB)
• Counter (CTR)

53 Electronic Codebook (ECB)

Problem: if m1 = m2 then c1 = c2.

54 In pictures

55 Semantic Security

EXP(0): the challenger picks k ← K. The adversary A sends m0, m1 ∈ M with |m0| = |m1|, receives c ← E(k, m0), and outputs b' ∈ {0,1}.

EXP(1): the same, but the adversary receives c ← E(k, m1).

One-time key: the adversary sees only one ciphertext.

Adv_SS[A, OTP] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | should be "negligible".

56 ECB is not Semantically Secure

ECB is not semantically secure for messages that contain more than one block.

The challenger picks b ∈ {0,1} and k ← K. The adversary A sends the two-block messages m0 = "Hello World" and m1 = "Hello Hello" and receives (c1, c2) ← E(k, mb).

If c1 = c2 output 1, else output 0. Then Adv_SS[A, ECB] = 1.

57 ECB

• ECB is ideal for short data, such as encryption keys. If you need to pass DES keys securely, ECB is the recommended mode.
• The characteristic of ECB is that if the same plaintext block is repeated in the message, the generated ciphertext block is also the same.
• ECB may not be secure enough for long messages.

58 Cipher Block Chaining (CBC)

Use the ciphertext of the previous block to generate the ciphertext of the current block.

59 CBC

• Advantages: hides the plaintext format and prevents data tampering such as replay, insertion and deletion.
• Disadvantages: error propagation; sensitive to errors (adding or losing one or more bits).
• If there is a one-bit error in the plaintext, all subsequent ciphertext blocks are affected; on decryption, the plaintext block containing the error cannot be recovered correctly, but the subsequent plaintext blocks can.
• If a ciphertext block yi has an error during transmission, the plaintext blocks xi and xi+1 cannot be recovered, but the following blocks can be recovered without error.

60 Cipher Feedback (CFB)

• The block cipher is used as the key stream generator.
• The size of the feedback is k bits; if k = 1, it is …

61 CFB

Advantages:
• Suitable for any data format.
• Easy to hide the data format and to detect tampering of the ciphertext.

Disadvantages:
• Sensitive to channel errors, and the errors propagate in the ciphertext.
• CFB needs an initialization vector (IV) that should be changed for each key.

62 Output Feedback (OFB)

• The block cipher is used as the key stream generator.
• k bits of the output are fed back to the input of the block cipher.

63 OFB

• Addresses the problem of error propagation in CBC and CFB.
• It is difficult to detect tampering of the ciphertext.
• Cannot self-synchronize; requires the system to maintain strict synchronization.

64 Counter (CTR)

Example applications:
1. File systems: the same AES key is used to encrypt many files.
2. IPsec: the same AES key is used to encrypt many packets.

65 Comparison

• ECB mode: simple and fast, but the weakest; vulnerable to replay attacks; not recommended.
• CBC is suitable for file encryption, but slower than ECB. Security is strengthened. A few errors do not cause loss of synchronization.
• OFB and CFB are much slower than CBC: only a few bits are encrypted at each iteration. CFB is used in systems that can self-synchronize and tolerate a small amount of error propagation; it is widely used in stream ciphers working character by character.
• OFB is used in high-speed synchronous systems and does not have error propagation.
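As an added example serving slide 56 (ECB is not semantically secure) and slide 59 (error propagation in CBC), and not code from the slides: a hypothetical one-byte "block cipher" modelled as a keyed random permutation, which is the idealised picture of what a block cipher provides, with ECB and CBC built around it. `ss_advantage` runs EXP(0) and EXP(1) with the adversary that outputs 1 when the first two ciphertext blocks are equal; for ECB its advantage is exactly 1, for CBC with a fresh IV it is close to 0. `cbc_error_propagation` flips one ciphertext bit and reports which plaintext blocks come out wrong: the flipped block and the one after it, and nothing else, as the slide states. Block size, key derivation and all names are assumptions; with 16-byte blocks the behaviour is identical.

```python
# Added example (not from the slides): ECB vs CBC on a HYPOTHETICAL one-byte
# block cipher modelled as a keyed random permutation. Names are hypothetical.
import random


def make_cipher(key: int):
    """One-byte block cipher: a random permutation of 0..255 selected by the
    key (the idealised PRP picture). Returns (E table, D table)."""
    perm = list(range(256))
    random.Random(key).shuffle(perm)
    inv = [0] * 256
    for x, y in enumerate(perm):
        inv[y] = x
    return perm, inv


def ecb_encrypt(E, msg: bytes) -> bytes:
    return bytes(E[b] for b in msg)


def ecb_decrypt(D, ct: bytes) -> bytes:
    return bytes(D[b] for b in ct)


def cbc_encrypt(E, iv: int, msg: bytes) -> bytes:
    """c_i = E(m_i XOR c_{i-1}), with c_0 = IV."""
    out, prev = [], iv
    for b in msg:
        prev = E[b ^ prev]
        out.append(prev)
    return bytes(out)


def cbc_decrypt(D, iv: int, ct: bytes) -> bytes:
    """m_i = D(c_i) XOR c_{i-1}."""
    out, prev = [], iv
    for c in ct:
        out.append(D[c] ^ prev)
        prev = c
    return bytes(out)


def ss_advantage(mode: str, m0: bytes, m1: bytes, trials: int = 200, seed: int = 1):
    """Estimate Adv_SS for the adversary 'output 1 iff c_1 == c_2' by running
    EXP(0) and EXP(1) over `trials` fresh keys (and, for CBC, fresh IVs)."""
    rng = random.Random(seed)
    ones = [0, 0]
    for b, m in enumerate((m0, m1)):
        for _ in range(trials):
            E, _ = make_cipher(rng.getrandbits(32))
            c = ecb_encrypt(E, m) if mode == "ECB" else cbc_encrypt(E, rng.getrandbits(8), m)
            if c[0] == c[1]:
                ones[b] += 1
    return abs(ones[0] - ones[1]) / trials


def cbc_error_propagation(key: int, iv: int, msg: bytes, flip_index: int) -> list:
    """Flip the low bit of ciphertext block flip_index and return the indices of
    plaintext blocks that decrypt differently from the original message."""
    E, D = make_cipher(key)
    ct = bytearray(cbc_encrypt(E, iv, msg))
    ct[flip_index] ^= 0x01
    recovered = cbc_decrypt(D, iv, bytes(ct))
    return [i for i in range(len(msg)) if recovered[i] != msg[i]]


if __name__ == "__main__":
    # constructed sample messages: equal first two blocks vs. different ones
    print("ECB:", ss_advantage("ECB", b"aa", b"ab"), "CBC:", ss_advantage("CBC", b"aa", b"ab"))
    print("blocks changed:", cbc_error_propagation(7, 0x5A, b"defender", 2))
```

The error-propagation result is also the defender's caveat on CBC: a one-bit change in ciphertext block i produces a predictable one-bit change in plaintext block i+1, so CBC on its own does not detect tampering and is normally paired with a MAC.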

66 Thank You

67 Acknowledgements

Dan Boneh, David Brumley, and Shaoquan Jiang for PowerPoint slides and figures
