Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

CPSC 367: Cryptography and Security

Michael Fischer

Lecture 7 February 5, 2019

Thanks to Ewa Syta for the slides on AES

CPSC 367, Lecture 7 1/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Multiple Encryption Composition Group property

Birthday Attack

Advanced Encryption Standard

AES Real-World Issues

Alternative Private Key Block Ciphers

CPSC 367, Lecture 7 2/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Multiple Encryption

CPSC 367, Lecture 7 3/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Composition Composition of cryptosystems

Encrypting a message multiple times with the same or diﬀerent ciphers and keys seems to make the cipher stronger, but that’s not always the case. The security of the composition can be diﬃcult to analyze. For example, with the one-time pad, the encryption and decryption functions Ek and Dk are the same. The composition Ek ◦ Ek is the identity function!

CPSC 367, Lecture 7 4/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Composition Composition within practical cryptosystems

Practical symmetric cryptosystems such as DES and AES are built as a composition of simpler systems. Each component oﬀers little security by itself, but when composed, the layers obscure the message to the point that it is diﬃcult for an adversary to recover. The trick is to ﬁnd ciphers that successfully hide useful information from a would-be attacker when used in concert.

CPSC 367, Lecture 7 5/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Composition Double Encryption

Double encryption is when a cryptosystem is composed with itself. Each message is encrypted twice using two diﬀerent keys k0 and 00 2 2 k , so E(k00,k0) = Ek00 ◦ Ek0 and D(k00,k0) = Dk0 ◦ Dk00 . (E, D) is the underlying or base cryptosystem and (E 2, D2) is the doubled cryptosystem. M and C are unchanged, but K2 = K × K. The size of the keyspace is squared, resulting in an apparent doubling of the eﬀective key length and making a brute force attack much more costly. However, it does not always increase the security of a cryptosystem as much as one might na¨ıvelythink, for other attacks may become possible.

CPSC 367, Lecture 7 6/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Composition Example: Double Caesar Consider Double Caesar, the Caesar cipher composed with itself. It has 262 = 676 possible key pairs (k00, k0). One might hope that double Caesar is more resistant to a brute force attack. Unfortunately, still only 26 possible distinct encryption functions and only 26 possible decryptions of each ciphertext.

2 0 00 This is because E(k00,k0) = Ek for k = (k + k ) mod 26. Any attack on the Caesar cipher will work equally well on the Double Caesar cipher. To the attacker, there is no diﬀerence between the two systems. Eve neither knows nor cares how Alice actually computed the ciphertext; all that matters are the probabilistic relationships between plaintexts and ciphertexts.

CPSC 367, Lecture 7 7/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Group property Group property Let (E, D) be a cryptosystem for which M = C. 1 Each Ek is then a permutation on M. The set of all permutations on M forms a group.2

Deﬁnition (E, D) is said to have the group property if the set of possible encryption functions E = {Ek | k ∈ K} is closed under functional composition ◦. That is, if k0, k00 ∈ K, then there exists k ∈ K such that

Ek = Ek00 ◦ Ek0 .

1A permutation is one-to-one and onto function. 2A group has an associative binary operation with an identity element, and each element has an inverse.

CPSC 367, Lecture 7 8/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Group property Cryptosystems with group property

We’ve seen that the Caesar cipher has the group property. When E is closed under composition, then (E, ◦) is a subgroup of all permutations on M. In this case, double encryption adds no security against a brute force attack. Even though the key length has doubled, the number of distinct encryption functions has not increased, and the double encryption system will fall to a brute force attack on the original cryptosystem.

CPSC 367, Lecture 7 9/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Birthday Attack

CPSC 367, Lecture 7 10/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Birthday Problem

The birthday problem is to ﬁnd the probability that two people in a set of randomly chosen people have the same birthday. This probability is greater than 50% in any set of at least 23 randomly cho- From Wikipedia, “Birthday problem”. sen people. 23 is far less than the 253 people that are needed for the probability to exceed 50% that at least one of them was born on a speciﬁc day, say January 1.3

31 − (364/365)252 ≈ 0.49910 < 0.5, but 1 − (364/365)253 ≈ 0.50048 > 0.5.

CPSC 367, Lecture 7 11/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Birthday attack on a cryptosystem

A birthday attack is a known plaintext attack on a cryptosystem that reduces the number of keys that must be tried to roughly the square root of what a brute force attack needs.

If for example the original√ key length was 56 (as is the case with DES), then only about 256 = 228 keys need to be tried. Any cryptosystem with the group property is subject to a birthday attack.

CPSC 367, Lecture 7 12/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

How a birthday attack works

Assume (m, c) is a known plaintext-ciphertext pair, so Ek0 (m) = c for Alice’s secret key k0. 28 I Choose 2 random keys k1 and encrypt m using each. 28 I Choose another 2 random keys k2 and decrypt c using each. I Look for a common element u in these two sets.

I Suppose one is found for k1 and k2, so Ek1 (m) = u = Dk2 (c).

It follows that Ek2 (Ek1 (m)) = c, so we have succeeded in ﬁnding a key pair (k2, k1) that works for the pair (m, c).

By the group property, there is a key k such that Ek = Ek2 ◦ Ek1 , so Ek (m) = c.

CPSC 367, Lecture 7 13/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

How a birthday attack works (cont.)

Alice’s key k0 also has Ek0 (m) = c. If it happens that Ek = Ek0 , then we have broken the cryptosystem.

We do not need to ﬁnd k itself since we can compute Ek from Ek1

and Ek2 and Dk from Dk1 and Dk2 . There are unlikely to be many distinct keys k such that Ek (m) = c, so with signiﬁcant probability we have cracked the system. (For Caesar, there is only one such k.) Using additional plaintext-ciphertext pairs, we can increase our conﬁdence that we have found the correct key pair. Repeat this process if we have not yet succeeded. I’ve glossed over many assumptions and details, but that’s the basic idea.

CPSC 367, Lecture 7 14/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Weakness of the birthday attack

The drawback to the birthday attack (from the attacker’s perspective) is that it requires a lot of storage in order to ﬁnd a matching element. Fortunately, DES is not a group. If it were, this attack could be carried out in about a gigabyte of storage, easily within the storage capacity of modern workstations.

CPSC 367, Lecture 7 15/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Advanced Encryption Standard

CPSC 367, Lecture 7 16/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

New Standard Rijndael was the winner of NIST’s competition for a new symmetric key block cipher to replace DES. An open call for algorithms was made in 1997 and in 2001 NIST announced that AES was approved as FIPS PUB 197. Minimum requirements: I Block size of 128-bits I Key sizes of 128-, 192-, and 256-bits I Strength at the level of triple DES I Better performance than triple DES I Available royalty-free worldwide Five AES ﬁnalists: MARS, RC6, Rijndael, Serpent, and Twoﬁsh.

CPSC 367, Lecture 7 17/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Details

Rijndael was developed by two Belgian cryptographers Vincent Rijmen and Joan Daemen. Rijndael is pronounced like Reign Dahl, Rain Doll or Rhine Dahl. Name confusion I AES is the name of the standard. I Rijndael is the name of the cipher. I AES is a restricted version of Rijndael which was designed to handle additional block sizes and key lengths.

CPSC 367, Lecture 7 18/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

More details

AES was a replacement for DES. I Like DES, AES is an iterated block cipher. I Unlike DES, AES is not a Feistel cipher. I Unlike DES, AES can be parameterized. AES supports key lengths of 128-, 192- and 256-bits. The algorithm consists of 10 to 14 rounds. I Number of rounds depends on the key length. I 10 rounds for 128-bit key, 12 for 192, 14 for 256.

CPSC 367, Lecture 7 19/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

How does AES actually work?

3 Big Ideas:

I Big Idea #1: Confusion I Big Idea #2: Diﬀusion I Big Idea #3: Key secrecy

CPSC 367, Lecture 7 20/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Confusion & Diﬀusion

Confusion and diﬀusion are two properties of the operation of a secure cipher which were identiﬁed by Claude Shannon in his paper Communication Theory of Secrecy Systems4.

DES, AES and many block ciphers are designed using Shannon’s idea of confusion and diﬀusion.

4 http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf

CPSC 367, Lecture 7 21/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

CPSC 367, Lecture 7 22/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

CPSC 367, Lecture 7 23/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

CPSC 367, Lecture 7 24/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Avalanche Eﬀect and Evaluation Criteria5

Strict avalanche criterion (SAC) states that when a single input bit 1 i is inverted, each output bit j changes with probability 2 , for all i and j.

Bit independence criterion (BIC) states that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.

5 Wikipedia: Avalanche Eﬀect

CPSC 367, Lecture 7 25/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Transformations

Each AES round consists of 4 transformations: I SubBytes(State) I ShiftRows(State) I MixColumns(State) I AddRoundKey(State, Key) Each round works on a state array. A round key is derived from the primary key using a key schedule algorithm. All four transformations are invertible. Q: Is it a good thing?

CPSC 367, Lecture 7 26/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Roles of the four transformations

SubBytes() replaces bytes using a ﬁxed S-box to achieve non-linearity. ShiftRow() and MixColumns() are intended to mix up bits to achieve a wider distribution of plaintext in the whole message space. AddRoundKey() provides the necessary secret randomness.

Q: How do these transformations relate to the Big Ideas?

CPSC 367, Lecture 7 27/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Roles of the four transformations

Big Idea #1 SubBytes() replaces bytes using a ﬁxed S-box to achieve non-linearity. Q: Why non-linearity? Big Idea #2 ShiftRow() and MixColumns() are intended to mix up bits to achieve a wider distribution of plaintext in the whole message space. Big Idea #3 AddRoundKey() provides the necessary secret randomness. Q: How do these transformations relate to the Big Ideas?

CPSC 367, Lecture 7 28/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Preliminaries We will consider the minimum case of 128-bit key. I The input and output arrays consist of sequences of 128 bits represented by a 4 x 4 matrix of 8-bit bytes. I The intermediate state is referred to as the state array. I Columns and rows are also referred to as words which consist of 4 bytes.

All AES images come from FIPS Pub 197 available at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

CPSC 367, Lecture 7 29/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

SubBytes() Non-linear byte substitution that operates independently on each byte of the state array using a substitution table (S-box).

CPSC 367, Lecture 7 30/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

SubBytes() S-box Example: SubBytes(45) = 6e I Rows: First 4 bits of the input byte I Columns: Last 4 bits of input

CPSC 367, Lecture 7 31/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

SubBytes() Each non-zero byte x is substituted using the following transformation y = Ax−1 + b I If x is a zero byte, then y = b

S-box is just a pre-computed table of inverses. It eliminates the possibility of a timing analysis attack: I Observing the time diﬀerence may give out whether an operation is performed on a zero or a non-zero byte.

CPSC 367, Lecture 7 32/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

ShiftRows()

The bytes are cyclically shifted over by 0, 1, 2 and 3 bytes. This operation works like a transposition cipher because only the positions of bytes are changed, not the bytes themselves.

CPSC 367, Lecture 7 33/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

MixColumns()

Operates on the state array column-by-column. Each column is multiplied by a ﬁxed array.

CPSC 367, Lecture 7 34/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Matrix multiplication

As a result of this multiplication, the four bytes in a column are replaced by the following:

L exclusive OR operation, • ﬁnite ﬁeld multiplication

CPSC 367, Lecture 7 35/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AddRoundKey()

Each column of the state array is XORed with a word from the key schedule. The round key is determined by the key schedule algorithm.

Nb - number of columns, here Nb = 4

CPSC 367, Lecture 7 36/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Decryption

AES is not a Feistel cipher.

Q: How does it aﬀect the decryption process?

CPSC 367, Lecture 7 37/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Decryption

AES is not a Fiestel cipher so decryption works diﬀerently than encryption. Steps are done in reverse. All four transformations (SR, SB, MC, ARK) are invertible. I InvShiftRows() I InvSubBytes() I InvMixColumns() I AddRoundKey()

CPSC 367, Lecture 7 38/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Decryption

I InvShiftRows() - bytes in the last three rows of the state array are cyclically shifted over to the right I InvSubBytes() - the inverse S-box is applied to each byte of the state array I InvMixColumns() - the state array is multiplied by the matrix inverse used in MixColumns() I AddRoundKey() is its own inverse, since it is an XOR operation

CPSC 367, Lecture 7 39/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Encryption I ARK I BS, SR, MC, ARK I ··· I BS, SR, MC, ARK I BS, SR, ARK Decryption I ARK, ISR, IBS I ARK, IMC, ISR, IBS I ··· I ARK, IMC, ISR, IBS I ARK MixColumns() is not applied in the last round in order to make the encryption and decryption more similar in structure. This is similar to the absence of the swap operation in the last round of the DES.

CPSC 367, Lecture 7 40/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

CPSC 367, Lecture 7 41/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Additional Resources

A Stick Figure Guide to AES by Jeﬀ Moser Highly recommended!

http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html AES Inspector by Enrique Zabala

http://www.formaestudio.com/rijndaelinspector/archivos/inspector.html AES Animation by Enrique Zabala

http://www.formaestudio.com/rijndaelinspector/archivos/rijndaelanimation.html AES Example by instructors at Massey U., New Zealand

http://www.box.net/shared/static/uqrq0hmnb9.pdf

CPSC 367, Lecture 7 42/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AES Real-World Issues

CPSC 367, Lecture 7 43/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Hardware Support for AES

Both Intel and AMD provide a set of instructions for AES promising 3x to 10x acceleration versus pure software implementation.

I AESENC/AESDEC - one round of encryption / decryption I AESENCLAST/AESDECLAST - last round of encryption / decryption I AESKEYGENASSIST - key expansion

CPSC 367, Lecture 7 44/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Breaking AES

The ability to recover a key from known or chosen ciphertext(s) with a reasonable time and memory requirements. Frequently, reported attacks are attacks on the implementation, not the actual cipher: I Buggy implementation of the cipher (e.g., memory leakage) I Side channel attacks (e.g., time and power consumption analysis, electromagnetic leaks) I Weak key generation (e.g., bad PRBGs, attacks on master passwords) I Key leakage (e.g., a key saved to a hard drive)

CPSC 367, Lecture 7 45/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AES Security: Keys

Certain ciphers (e.g., DES, IDEA, Blowﬁsh) suﬀer from weak keys. A weak key6 is a key that makes a cipher behave in some undesirable way. A cipher with no weak keys is said to have a ﬂat, or linear, key space. DES, unlike AES, suﬀers from weak keys (alternating 0’s and 1’s, F’s and E’s, E’s and 0’s, 1’s and F’s). DES weak keys produce 16 identical subkeys.

Q: Why are DES weak keys a problem?

6 Wikipedia: Weak Keys

CPSC 367, Lecture 7 46/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AES Security

Attacks have been published that are computationally faster than a full brute force attack.

Q: What is the complexity of a brute force attack on AES-128?

CPSC 367, Lecture 7 47/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AES Security

All known attacks are computationally infeasible. Interesting results: I Best key recovery attack: AES-128 with computational complexity 2126.1; AES-192, 2189.7; and AES-256, 2254.4.

A. Bogdanov, D. Khovratovich and C. Rechberger, Biclique Cryptanalysis of the Full AES, ASIACRYPT

2011 I Related-key attack on AES-256 with complexity 299 given 299 plaintext/ciphertext pairs encrypted with four related keys.

A. Biryuko and D. Khovratovich, Related-key Cryptanalysis of the Full AES-192 and AES-256,

ASIACRYPT 2009

CPSC 367, Lecture 7 48/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

AES Security

Allegedly, NSA is actively looking for ways to break AES.

“Prying Eyes: Inside the NSA’s War on Internet Security”, Spiegiel, 12/2014

CPSC 367, Lecture 7 49/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Bruce Schneier on AES security7

“I don’t think there’s any danger of a practical attack against AES for a long time now. Which is why the community should start thinking about migrating now” (2011) “Cryptography is all about safety margins. If you can break n round of a cipher, you design it with 2n or 3n rounds. At this point, I suggest AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds. Or maybe even more; we don’t want to be revising the standard again and again”(2009)

7 Bruce Schneier’s Blog http://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html

CPSC 367, Lecture 7 50/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Alternative Private Key Block Ciphers

CPSC 367, Lecture 7 51/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Other ciphers

There are many good block ciphers to choose from: I Blowﬁsh, Serpent, Twoﬁsh, Camellia, CAST-128, IDEA, RC2/RC5/RC6, SEED, Skipjack, TEA, XTEA

We will have a brief look at I IDEA I Blowﬁsh I RC6 I TEA

CPSC 367, Lecture 7 52/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

IDEA (International Data Encryption Algorithm)

I Invented by James Massey I Supports 64-bit data block and 128-bit key I 8 rounds I Novelty: Uses mixed-mode arithmetic to produce non-linearity I Addition mod 2 combined with addition mod 216 I Lai-Massey multiplication ˜multiplication mod 216 I No explicit S-boxes required

CPSC 367, Lecture 7 53/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

multiplication modulo 216 + 1 bitwise XOR addition modulo 216

Image retrieved from http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

CPSC 367, Lecture 7 54/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

Blowﬁsh

I Invented by Bruce Schneier I Supports 64-bit data block and a variable key length up to 448 bits I 16 rounds I Round function uses 4 S-boxes which map 8 bits to 32 bits I Novelty: the S-boxes are key-dependent (determined each time by the key)

CPSC 367, Lecture 7 55/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

RC6

I Invented by Ron Rivest I Variable block size, key length, and number of rounds I Compliant with the AES competition requirements (AES ﬁnalist) I Novelty: data dependent rotations I Very unusual to rely on data

CPSC 367, Lecture 7 56/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

TEA (Tiny Encryption Algorithm)

I Invented by David Wheeler and Roger Needham I Supports 64-bit data block and 128-bit key I Variable number of rounds (64 rounds suggested) I “Weak” round function, hence large number of rounds I Novelty: extremely simple, eﬃcient and easy to implement

CPSC 367, Lecture 7 57/58 Outline Multiple Encryption Birthday Attack Advanced Encryption Standard Real-World Alternatives

TEA Encryption(32 rounds)

TEA Decryption

Figures retrieved from Information Security Principles and Practice, Mark Stamp, Wiley, 2006

CPSC 367, Lecture 7 58/58