DOCSLIB.ORG

CIT 380: Securing Computer Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CIT 380: Securing Computer Systems CIT 380: Securing Computer Systems Symmetric Cryptography Topics 1. Modular Arithmetic 2. What is Cryptography? 3. Transposition Ciphers 4. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 5. Cryptanalysis: frequency analysis 6. Block Ciphers 7. AES and DES 8. Stream Ciphers Modular Arithmetic Congruence – a = b (mod N) iff a = b + kN – ex: 37=27 mod 10 b is the residue of a, modulo N – Integers 0..N-1 are the set of residues mod N Modulo 12 number system What is Cryptography? Cryptography: The art and science of keeping messages secure. Cryptanalysis: the art and science of decrypting messages. Cryptology: cryptography + cryptanalysis Terminology Plaintext: message P to be encrypted. Also called Plaintext cleartext. Encryption: altering a Encryption message to keep its Procedure contents secret. Ciphertext: encrypted message C. Ciphertext Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C) – Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG ROT 13 Cæsar cipher with key of 13 13 chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online. Kerckhoff’s Principle Security of cryptosystem should only depend on 1. Quality of shared encryption algorithm E 2. Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System Cryptanalysis Goals 1. Decrypt a given message. 2. Recover encryption key. Threat models vary based on 1. Type of information available to adversary 2. Interaction with cryptosystem. Cryptanalysis Threat Models ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key. Brute Force Attack Exhaustive search of keyspace by decrypting ciphertext C with all possible keys K. – Must determine if DK(C) is a likely plaintext – Requires some knowledge of format (language, doc type) For N possible keys, – Worst case is N decryptions. – Mean case is N/2 decryptions. Example: DES has 56-bit keys – Average time to find key is 255 decryptions. Is 128 bits enough? 128-bit keyspace permits 2128 keys – 340,282,366,920,938,463,463,374,607,431,768,211,456 or – 3.4 x 1038 keys Cracking 1 trillion (1012) keys per second requires – 3.4 x 1026 seconds or – 1.08 x 1019 years Cracking 1 trillion keys per second on 1 billion CPUs – requires 1.08 x 1010 years = 10.8 billion years Classical Cryptography Sender and receiver share common key – Keys may be the same, or be trivial to derive from one another. – Sometimes called symmetric cryptography. P encrypt C decrypt P K K Brute Force vs. Cæsar Cipher Decryption key Candidate Brute Force attack (26-K) plaintext – Only 26 possible keys. 0 exxegoexsrgi 1 dwwdfndwrqfh – PC can try all in <1s. 2 cvvcemcvqpeg 3 buubdlbupodf 4 attackatonce 5 zsszbjzsnmbd 6 yrryaiyrmlac ... 23 haahjrhavujl 24 gzzgiqgzutik 25 fyyfhpfytshj General Simple Substitution Cipher Keys: All permutations of alphabet (26! keys) Encryption: Replace each plaintext letter x with K(x) Decryption: Replace each ciphertext letter y with K-1(y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E CRYPTO BQCOWP General Simple Substitution Security Exhaustive search impossible – Key space size is 26! =~ 4 x 1026 – Historically thought to be unbreakable. However, languages have different frequencies of letters digraphs (groups of 2 letters) trigraphs (groups of 3 letters) etc. Simple substitution ciphers preserve letter frequencies. English Letter Frequencies Additional Frequency Features Digraph frequencies – Common digraphs: EN, RE, ER, NT Trigraph frequencies – Common trigraphs: THE, AND, ING – Digraph and trigraph tables can be found at http://www.sttmedia.com/syllablefrequency- english The letter Q is followed only by U. Countering Frequency Analysis Primary weakness of simple substitution: – Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution – Use multiple cipher alphabets. – Switch between cipher alphabets from character to character in the plaintext. Letter Frequency Distributions Vigènere Cipher Use phrase instead of letter as key. Example – Message THE BOY HAS THE BALL – Key VIG – Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Reproduction of CSA Cipher Disk Rotor Machines (1920s-1970s) Observation: If Vigènere key is very long, frequency analysis won’t work. Implement: multiple rounds of Vigènere substitution. – Machine contains multiple cylinders. – Each cylinder has 26 states (ciphers.) – Cylinders rotate to change states on different schedules. – m-cylinder machine has 26m substitution ciphers. One-Time Pad • A Vigenère cipher with a random key at least as long as the message. • Provably unbreakable. • Example ciphertext: DXQR. • Equally likely to correspond to – plaintext DOIT (key AJIY) – plaintext DONT (key AJDY) – and any other 4 letters. Binary One Time Pad Encrypt a message M with pad P to produce ciphertext C = M P where is the exclusive⊕ OR operator. Decrypt⊕ a ciphertext C with the same pad P M = C P ⊕ One Time Pad Problems 1. The one-time pad must be random. Software pseudo-random number generators are not random. Pad needs hardware randomness. 2. Transmission of long pads is difficult. The pad is just as long as all the messages you’ll ever send with it, so you’ve just moved the problem of transmitting secret messages to transmitting a secret pad. 3. Pad must always be kept secret. If pad is ever discovered, then attacker can decrypt old messages. Pads must be securely destroyed at end of use. Block Ciphers Encrypt groups (blocks) of chars at once. Improvement over single char substitution – Cryptanalysis must use digraph frequencies for two-char blocks. – Longer blocks are more difficult to analyze. – Modern ciphers are block ciphers. Example: Playfair Cipher, 1854 SP-Networks Combine Substitution+Permutation (transposition) – Confusion: adding unknown key values will confuse attacker about value of plaintext symbol. – Diffusion: Spread plaintext data throughout ciphertext. Designing for Security – Block Size – Number of rounds • Each input bit is XOR of several output bits from previous round. – Substitution algorithm Substitution Boxes Substitution can be done using a matrix, which acts as a lookup table for substituting one set of bits with another. Such tables are called substitution boxes, or S- boxes. Overview of the DES Block cipher (64 bit blocks) – 64-bit key is actually a – 56-bit key + 8 parity bits Product cipher – substitution + transposition 16 rounds (iterations) of encryption – round key generated from user key Feistel Function (F) Differential Cryptanalysis A chosen ciphertext attack – Biham and Shamir rediscovered in late 1980s – Examines pairs of plaintext with particular differences. – Requires 247 plaintext, ciphertext pairs. – Only 214 pairs required with 8 round DES. Revealed several properties – S-box designed to resist differential cryptanalysis. – IBM revealed knowledge of technique at design time. Linear cryptanalysis improves result – Linear approximation of DES. – Requires 243 plaintext, ciphertext pairs. – DES not designed to resist this technique. Electronic Code Book Mode Encrypt each block independently. E(block) = Cblock each time block appears Therefore attacker can build dictionary of blocks. ECB encryption of bitmap hides colors but image is still discernible. Cipher Block Chaining Mode XOR each block with previous ciphertext block. Random initialization vector (IV) used for 1st. CBC encryption of bitmap looks random. Cipher Block Chaining Mode Formula for CBC encryption (i=1 is 1st block) Formula for CBC decryption Triple DES Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´) –1 – c = DESk(DESk´ (DESk’’(m))) – Middle decrypt allows backward compatibility if all keys are equal: k = k´= k´´ – Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from 2112 to 257. DES is Insecure Brute force attacks can be completed in <1 day. – Distributed computing attacks. – RIVYERA FPGA-based parallel computer breaks DES in <1 day for a hardware cost of <$10,000. Linear cryptanalysis faster than brute force – Need 241 known plaintexts Advanced Encryption Standard (AES) Winner of open NIST competition (1997-2000) – Rijndael, designed by Joan Daemen and Vincent Rijmen. – Published as FIPS 197 in November 2001. 128-bit block cipher – 128-, 192-, or 256-bit keys. – 10, 12, or 14 rounds, depending on key size. Replacement for DES – DES vulnerable to brute force attacks due to 56-bit keys. – Triple DES is very slow. AES Round Structure Round keys derived from user key using AES key schedule. Each round transforms 128-bit state, Xi in 4 steps: 1. SubBytes: S-box substitution. 2. ShiftRows: permutation. 3. MixColumns: matrix multiplication. 4. AddRoundKey: XOR with round key for this round. AES Round Steps AES Cryptanalysis Biclique attack (2011) – Faster than brute force by a factor of 4 – So can break AES-128 with 2126.1 operations. Related key attacks (2009) – Requires 299.5 operations to break AES-256 – Requires 2176 operations to break AES-192 – Due to weak key scheduling for AES-256 – AES-128 is more secure than AES-256! Modern Block Ciphers Blowfish – 64-bit block cipher designed in 1993 – Variable key length: 32 to 448 bit – Weak key attacks exist Twofish (AES finalist) – 128-bit block cipher with up to 256 bit keys – Designed by Blowfish team, no known breaks Serpent (AES finalist) – 32-round 128-bit block cipher with up to 256 bit keys – Known attacks against reduced round versions Stream Ciphers Combine plaintext with cipher bitstream – Cipher generates stream of pseudo-random bits – Loosely inspired by one time pad.
Load more

Recommended publications
  • Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, Newdes, RC2, and TEA
    Related-Key Cryptanalysis of 3-WAY, Biham-DES,CAST, DES-X, NewDES, RC2, and TEA John Kelsey Bruce Schneier David Wagner Counterpane Systems U.C. Berkeley kelsey,schneier @counterpane.com [email protected] f g Abstract. We present new related-key attacks on the block ciphers 3- WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. Differen- tial related-key attacks allow both keys and plaintexts to be chosen with specific differences [KSW96]. Our attacks build on the original work, showing how to adapt the general attack to deal with the difficulties of the individual algorithms. We also give specific design principles to protect against these attacks. 1 Introduction Related-key cryptanalysis assumes that the attacker learns the encryption of certain plaintexts not only under the original (unknown) key K, but also under some derived keys K0 = f(K). In a chosen-related-key attack, the attacker specifies how the key is to be changed; known-related-key attacks are those where the key difference is known, but cannot be chosen by the attacker. We emphasize that the attacker knows or chooses the relationship between keys, not the actual key values. These techniques have been developed in [Knu93b, Bih94, KSW96]. Related-key cryptanalysis is a practical attack on key-exchange protocols that do not guarantee key-integrity|an attacker may be able to flip bits in the key without knowing the key|and key-update protocols that update keys using a known function: e.g., K, K + 1, K + 2, etc. Related-key attacks were also used against rotor machines: operators sometimes set rotors incorrectly.
    [Show full text]
  • Implementation of Symmetric Encryption Algorithms
    Computer Engineering and Intelligent Systems www.iiste.org ISSN 2222-1719 (Paper) ISSN 2222-2863 (Online) Vol.8, No.4, 2017 Implementation of Symmetric Encryption Algorithms Haider Noori Hussain *1 Waleed Noori Hussein *2 1.Department of Computer science , College of Education for Pure Science, University of Basra, Iraq 2.Department of Mathematics , College of Education for Pure Science, University of Basra, Iraq Abstract Cryptography considered being the most vital component in information security because it is responsible for securing all information passed through networked computers. The discussions in this paper include an overview of cryptography and symmetric encryption. This paper also discusses some of the algorithms used in our research. This paper aims to design an application that consist of some symmetric encryption algorithms which allow users to encrypt and decrypt different size of files, also the application can be used as a test field to compare between different symmetric algorithms. Keywords: Cryptography, symmetric, encryption 1. Introduction In today's technology, every second data are generated on the internet due to the online transaction. Cryptography is a necessary part of network security which allows the virtual world to be more secure. In many applications of our daily life information security plays a key role (Kumar and Munjal 2011). This applies even stronger for ubiquitous computing applications where a multitude of sensors and actuators observe and control our physical environment (Kumar and Munjal 2011). When developing such applications a software engineer usually relies on well-known cryptographic mechanisms like encryption or hashing. However, due to the multitude of existing cryptographic algorithms, it can be challenging to select an adequate and secure one (Masram, Shahare et al.
    [Show full text]
  • Weak Keys for AEZ, and the External Key Padding Attack
    Weak Keys for AEZ, and the External Key Padding Attack Bart Mennink1;2 1 Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iMinds, Belgium [email protected] 2 Digital Security Group, Radboud University, Nijmegen, The Netherlands [email protected] Abstract. AEZ is one of the third round candidates in the CAESAR competition. We observe that the tweakable blockcipher used in AEZ suffers from structural design issues in case one of the three 128-bit sub- keys is zero. Calling these keys \weak," we show that a distinguishing attack on AEZ with weak key can be performed in at most five queries. Although the fraction of weak keys, around 3 out of every 2128, seems to be too small to violate the security claims of AEZ in general, they do reveal unexpected behavior of the scheme in certain use cases. We derive a potential scenario, the \external key padding," where a user of the authenticated encryption scheme pads the key externally before it is fed to the scheme. While for most authenticated encryption schemes this would affect the security only marginally, AEZ turns out to be com- pletely insecure in this scenario due to its weak keys. These observations open a discussion on the significance of the \robustness" stamp, and on what it encompasses. Keywords. AEZ, tweakable blockcipher, weak keys, attack, external key padding, robustness. 1 Introduction Authenticated encryption aims to offer both privacy and authenticity of data. The ongoing CAESAR competition [8] targets the development of a portfolio of new, solid, authenticated encryption schemes. It received 57 submissions, 30 candidates advanced to the second round, and recently, 16 of those advanced to the third round.
    [Show full text]
  • Multiplicative Differentials
    Multiplicative Differentials Nikita Borisov, Monica Chew, Rob Johnson, and David Wagner University of California at Berkeley Abstract. We present a new type of differential that is particularly suited to an- alyzing ciphers that use modular multiplication as a primitive operation. These differentials are partially inspired by the differential used to break Nimbus, and we generalize that result. We use these differentials to break the MultiSwap ci- pher that is part of the Microsoft Digital Rights Management subsystem, to derive a complementation property in the xmx cipher using the recommended modulus, and to mount a weak key attack on the xmx cipher for many other moduli. We also present weak key attacks on several variants of IDEA. We conclude that cipher designers may have placed too much faith in multiplication as a mixing operator, and that it should be combined with at least two other incompatible group opera- ¡ tions. 1 Introduction Modular multiplication is a popular primitive for ciphers targeted at software because many CPUs have built-in multiply instructions. In memory-constrained environments, multiplication is an attractive alternative to S-boxes, which are often implemented us- ing large tables. Multiplication has also been quite successful at foiling traditional dif- ¢ ¥ ¦ § ferential cryptanalysis, which considers pairs of messages of the form £ ¤ £ or ¢ ¨ ¦ § £ ¤ £ . These differentials behave well in ciphers that use xors, additions, or bit permutations, but they fall apart in the face of modular multiplication. Thus, we con- ¢ sider differential pairs of the form £ ¤ © £ § , which clearly commute with multiplication. The task of the cryptanalyst applying multiplicative differentials is to find values for © that allow the differential to pass through the other operations in a cipher.
    [Show full text]
  • Public Evaluation Report UEA2/UIA2
    ETSI/SAGE Version: 2.0 Technical report Date: 9th September, 2011 Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 1 of 43 Document 4: Design and Evaluation report. Version 2.0 Document History 0.1 20th June 2010 First draft of main technical text 1.0 11th August 2010 First public release 1.1 11th August 2010 A few typos corrected and text improved 1.2 4th January 2011 A modification of ZUC and 128-EIA3 and text improved 1.3 18th January 2011 Further text improvements including better reference to different historic versions of the algorithms 1.4 1st July 2011 Add a new section on timing attacks 2.0 9th September 2011 Final deliverable LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 2 of 43 Document 4: Design and Evaluation report. Version 2.0 Reference Keywords 3GPP, security, SAGE, algorithm ETSI Secretariat Postal address F-06921 Sophia Antipolis Cedex - FRANCE Office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 X.400 c= fr; a=atlas; p=etsi; s=secretariat Internet [email protected] http://www.etsi.fr Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.
    [Show full text]
  • Data Encryption Standard (DES)
    6 Data Encryption Standard (DES) Objectives In this chapter, we discuss the Data Encryption Standard (DES), the modern symmetric-key block cipher. The following are our main objectives for this chapter: + To review a short history of DES + To defi ne the basic structure of DES + To describe the details of building elements of DES + To describe the round keys generation process + To analyze DES he emphasis is on how DES uses a Feistel cipher to achieve confusion and diffusion of bits from the Tplaintext to the ciphertext. 6.1 INTRODUCTION The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST). 6.1.1 History In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A proposal from IBM, a modifi cation of a project called Lucifer, was accepted as DES. DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS). After the publication, the draft was criticized severely for two reasons. First, critics questioned the small key length (only 56 bits), which could make the cipher vulnerable to brute-force attack. Second, critics were concerned about some hidden design behind the internal structure of DES. They were suspicious that some part of the structure (the S-boxes) may have some hidden trapdoor that would allow the National Security Agency (NSA) to decrypt the messages without the need for the key. Later IBM designers mentioned that the internal structure was designed to prevent differential cryptanalysis.
    [Show full text]
  • CRYPTREC Report 2001
    CRYPTREC 2001 CRYPTREC Report 2001 March 2002 Information-technology Promotion Agency, Japan Telecommunications Advancement Organization of Japan CRYPTREC 2001 Contents Introduction 1 On the CRYPTREC Evaluation Committee Report 3 Note on the use of this report 7 1 Overview of Cryptographic Technique Evaluation 8 1.1 Evaluation Organs and Schedule ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・8 1.2 How cryptography evaluation was carried out. ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・12 1.3 Terminology ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・13 1.4 Evaluation Committee Members ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・14 2 Evaluation of public key cryptographic techniques 17 2.1 Target of Evaluation and Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.1 Evaluated Cryptographic Techniques ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.2 Evaluation Policy・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・17 2.1.3 Evaluation Method ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・19 2.2 Evaluation result ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・21 2.2.1 Outline of evaluation result ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・21 2.2.2 General Evaluation of the Difficulty of Arithmetic Problems・・・・・・・・・・・・・・・・・23 2.2.3 Overall Judgment of Cryptographic Techniques that were the Target of Detailed Evaluation ・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・・23 2.2.4 Overall Judgment of Cryptographic Techniques under Observation ・・・・・・・・・・・26 2.2.5 Overall Judgment of Cryptosystems that were Targets of Screening Evaluations in 2001
    [Show full text]
  • 24 Apr 2014 a Previous Block Cipher Known As MISTY1[10], Which Was Chosen As the Foundation for the 3GPP Confidentiality and Integrity Algorithm[14]
    Multidimensional Zero-Correlation Linear Cryptanalysis of the Block Cipher KASUMI Wentan Yi∗ and Shaozhen Chen State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China Abstract. The block cipher KASUMI is widely used for security in many synchronous wireless standards. It was proposed by ETSI SAGE for usage in 3GPP (3rd Generation Partnership Project) ciphering algorthms in 2001. There are a great deal of cryptanalytic results on KASUMI, however, its security evaluation against the recent zero-correlation linear attacks is still lacking so far. In this paper, we select some special input masks to refine the general 5-round zero-correlation linear approximations combining with some observations on the FL functions and then propose the 6- round zero-correlation linear attack on KASUMI. Moreover, zero-correlation linear attacks on the last 7-round KASUMI are also introduced under some weak keys conditions. These weak keys take more than half of the whole key space. The new zero-correlation linear attack on the 6-round needs about 2107:8 encryptions with 259:4 known plaintexts. For the attack under weak keys conditions on the last 7 round, the data complexity is about 262:1 known plaintexts and the time complexity 2125:2 encryptions. Keywords: KASUMI, Zero-correlation linear cryptanalysis, Cryptography. 1 Introduction With the rapid growth of wireless services, various security algorithms have been developed to provide users with effective and secure communications. The KASUMI developed from arXiv:1404.6100v1 [cs.CR] 24 Apr 2014 a previous block cipher known as MISTY1[10], which was chosen as the foundation for the 3GPP confidentiality and integrity algorithm[14].
    [Show full text]
  • HW 1: Solution Page 1 of 4
    CMSC 414 (Shankar) HW 1: Solution Page 1 of 4 ___________________________________________________________ 1. (text 3.5) Suppose the DES mangler function maps every 32-bit value to zero, regardless of the value of its input. What function would DES then compute? DES does the following (see text figure 3-2): • Initial permutation • 16 DES rounds • Swap left and right halves • final permutation (inverse of initial permuation) With a mangler function that outputs 0 always, each DES round just swaps L and R. So after 16 (even number) DES rounds, the initial 64-bit word would be unchanged. So DES would do the following: • Initial permutation • Swap left and right halves • final permutation Based on the initial permutation, the net result is a permutation that interchanges consecutive even and odd bits. [If the swap were not there, DES would have no affect at all.] Grading key [out of 5 points]: 1 point for just writing something. 2 points for saying that each DES round just exchanges L and R. 3 points for saying that each DES round just exchanges L and R, so after 16 (even) rounds, there is no change. 4 points: if you miss the final L-R swap and just say that DES has no effect. 5 points: if you get the answer. ___________________________________________________________ 2. (text 3.8) Why is a DES weak key its own inverse? (Hint: DES encryption and decryption are the same once the per-round keys are generated.) For a DES weak key, each of C 0 and D 0 is equal to all ones or all zeros.
    [Show full text]
  • AES3 Presentation
    Cryptanalytic Progress: Lessons for AES John Kelsey1, Niels Ferguson1, Bruce Schneier1, and Mike Stay2 1 Counterpane Internet Security, Inc., 3031 Tisch Way, 100 Plaza East, San Jose, CA 95128, USA 2 AccessData Corp., 2500 N University Ave. Ste. 200, Provo, UT 84606, USA 1 Introduction The cryptanalytic community is currently evaluating five finalist algorithms for the AES. Within the next year, one or more ciphers will be chosen. In this note, we argue caution in selecting a finalist with a small security margin. Known attacks continuously improve over time, and it is impossible to predict future cryptanalytic advances. If an AES algorithm chosen today is to be encrypting data twenty years from now (that may need to stay secure for another twenty years after that), it needs to be a very conservative algorithm. In this paper, we review cryptanalytic progress against three well-regarded block ciphers and discuss the development of new cryptanalytic tools against these ciphers over time. This review illustrates how cryptanalytic progress erodes a cipher’s security margin. While predicting such progress in the future is clearly not possible, we claim that assuming that no such progress can or will occur is dangerous. Our three examples are DES, IDEA, and RC5. These three ciphers have fundamentally different structures and were designed by entirely different groups. They have been analyzed by many researchers using many different techniques. More to the point, each cipher has led to the development of new cryptanalytic techniques that not only have been applied to that cipher, but also to others. 2 DES DES was developed by IBM in the early 1970s, and standardized made into a standard by NBS (the predecessor of NIST) [NBS77].
    [Show full text]
  • Weak-Key Distinguishers for AES
    Weak-Key Distinguishers for AES Lorenzo Grassi1;4, Gregor Leander2, Christian Rechberger1, Cihangir Tezcan3, and Friedrich Wiemer2 1 IAIK, Graz University of Technology, Austria 2 Horst Görtz Institute for IT-Security, Ruhr-Universität Bochum, Germany 3 Informatics Institute, Department of Cyber Security, CyDeS Laboratory, Middle East Technical University, Ankara, Turkey 4 Digital Security Group, Radboud University, Nijmegen, The Netherlands [email protected],[email protected], [email protected],[email protected], [email protected] Abstract In this paper, we analyze the security of AES in the case in which the whitening key is a weak key. After a systematization of the classes of weak-keys of AES, we perform an extensive analysis of weak-key distinguishers (in the single-key setting) for AES instantiated with the original key-schedule and with the new key-schedule proposed at ToSC/FSE'18. As one of the main results, we show that (almost) all the secret-key distinguishers for round-reduced AES currently present in the literature can be set up for a higher number of rounds of AES if the whitening key is a weak-key. Using these results as starting point, we describe a property for 9-round AES-128 and 12-round AES-256 in the chosen-key setting with complex- ity 264 without requiring related keys. These new chosen-key distinguish- ers set up by exploiting a variant of the multiple-of-8 property intro- duced at Eurocrypt'17 improve all the AES chosen-key distinguishers in the single-key setting. The entire analysis has been performed using a new framework that we introduce here called weak-key subspace trails, which is obtained by combining invariant subspaces (Crypto'11) and subspace trails (FSE'17) into a new, more powerful, attack.
    [Show full text]
  • Correlation Cube Attacks: from Weak-Key Distinguisher to Key Recovery
    Correlation Cube Attacks: From Weak-Key Distinguisher to Key Recovery B Meicheng Liu( ), Jingchun Yang, Wenhao Wang, and Dongdai Lin State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, People’s Republic of China [email protected] Abstract. In this paper, we describe a new variant of cube attacks called correlation cube attack. The new attack recovers the secret key of a cryp- tosystem by exploiting conditional correlation properties between the superpoly of a cube and a specific set of low-degree polynomials that we call a basis, which satisfies that the superpoly is a zero constant when all the polynomials in the basis are zeros. We present a detailed procedure of correlation cube attack for the general case, including how to find a basis of the superpoly of a given cube. One of the most significant advantages of this new analysis technique over other variants of cube attacks is that it converts from a weak-key distinguisher to a key recovery attack. As an illustration, we apply the attack to round-reduced variants of the stream cipher Trivium. Based on the tool of numeric mapping intro- duced by Liu at CRYPTO 2017, we develop a specific technique to effi- ciently find a basis of the superpoly of a given cube as well as a large set of potentially good cubes used in the attack on Trivium variants, and further set up deterministic or probabilistic equations on the key bits according to the conditional correlation properties between the super- polys of the cubes and their bases.
    [Show full text]