
Some Aspects of Block Ciphers
Palash Sarkar, Applied Statistics Unit, Indian Statistical Institute, Kolkata, India. [email protected]
CU-ISI Tutorial Workshop on Cryptology, 17th July 2011
Palash Sarkar (ISI, Kolkata) Block Ciphers CU-ISI 2011 1 / 35

Classical Symmetric Key Encryption

Introduction
[Figure: the sender encrypts message M under secret key K and sends the ciphertext over a public channel, where an adversary can observe it; the receiver decrypts with the same secret key K.]

Attack Models
Ciphertext only attack: the attacker has access to only ciphertext(s); goal: find (one of) the message(s) and/or the key.
Known plaintext attack: the attacker knows $(P_1, C_1), \ldots, (P_t, C_t)$; goal: find the key or find $P^*$ corresponding to a “new” $C^*$.
Chosen plaintext attack: the attacker chooses $P_1, \ldots, P_t$ and receives the corresponding $C_1, \ldots, C_t$; goal: find the key or find $P^*$ corresponding to a “new” $C^*$.
Chosen ciphertext attack.
One-Time Pad
[Figure: message 1 0 0 1 1 1; true random sequence 0 0 1 1 1 0; ciphertext 1 0 1 0 0 1 (the bitwise XOR of the message and the random sequence).]

Perfect Secrecy of One-Time Pad
For $a, b \in \{0, 1\}$,
$$
\begin{aligned}
\Pr[M_i = a \mid C_i = b]
&= \frac{\Pr[M_i = a \wedge C_i = b]}{\Pr[C_i = b]} \\
&= \frac{\Pr[M_i = a,\; M_i \oplus K_i = b]}{\Pr[M_i \oplus K_i = b]} \\
&= \frac{\Pr[M_i = a,\; K_i = a \oplus b]}{\Pr[M_i = 0,\; K_i = b] + \Pr[M_i = 1,\; K_i = 1 \oplus b]} \\
&= \frac{\Pr[M_i = a] \times \Pr[K_i = a \oplus b]}{\Pr[M_i = 0]\Pr[K_i = b] + \Pr[M_i = 1]\Pr[K_i = 1 \oplus b]} \\
&= \frac{\tfrac{1}{2}\Pr[M_i = a]}{\tfrac{1}{2} \times (\Pr[M_i = 0] + \Pr[M_i = 1])} \\
&= \frac{\tfrac{1}{2}\Pr[M_i = a]}{\tfrac{1}{2}} \\
&= \Pr[M_i = a].
\end{aligned}
$$

Perfect Secrecy: General Notion
Entropy. Let X be a random variable with distribution $(p_0, \ldots, p_\ell)$. $H(X) \stackrel{\Delta}{=} -\sum_i p_i \log_2 p_i$.
Conditional entropy. $H(Y \mid X) = \Pr[X = 0]\,H(Y \mid X = 0) + \Pr[X = 1]\,H(Y \mid X = 1)$.
Perfect Secrecy. $H(M) = H(M \mid C)$.

Model of Additive Stream Cipher
[Figure: the secret key K and an initialisation vector are fed to an initialise function that produces state 1; an update function produces state 2 and the following states; an output function maps each state to a keystream block, which is XORed with a message block to give a ciphertext block.]
Key: k bits; IV: (usually) ≤ k bits; state: (usually) ≥ 2k bits; initialise, update, output: functions (deterministic algorithms); keystream blk, msg blk, cpr blk: ≥ 1 bit.
Security: keystream sequence should be computationally indistinguishable from a true random sequence.

Encrypting Short Fixed Length Strings
[Figure: a message block and key K go into Encrypt, which outputs a ciphertext block; the ciphertext block and key K go into Decrypt, which returns the message block.]
Block Cipher. $E : \{0, 1\}^k \times \{0, 1\}^n \to \{0, 1\}^n$. $D : \{0, 1\}^k \times \{0, 1\}^n \to \{0, 1\}^n$. For each $K \in \{0, 1\}^k$, $D_K(E_K(M)) = M$.
Overall Structure of a Block Cipher
[Figure: the message block passes through Round 1, Round 2, ..., Round r, using round keys $K_1, K_2, \ldots, K_r$, to give the ciphertext block; the round keys are produced from the key K by the key scheduling algorithm (KSA).]

Feistel Structure
[Figure: one round maps the halves $(L_{i-1}, R_{i-1})$ to $(L_i, R_i)$ using the round key $K_i$ and the round function F.]
$L_i = R_{i-1}$; $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$.
Irrespective of F, the map is invertible. Security depends on the design of F.

Round Structure of AES
Old state → Sub Bytes (based on inversion over GF(2^8)) → Shift Rows (simple shifting of rows) → Mix Cols (based on matrix-vector multiplication over GF(2^8)) → Add Keys (XOR of state and round key) → new state.

How to “Break” a Block Cipher?
$E : \{0, 1\}^k \times \{0, 1\}^n \to \{0, 1\}^n$.
Brute Force with known plaintext. Attacker has access to a msg-cpr pair (M, C). For each possible key K, the attacker encrypts M using K and checks whether the result is C. If “yes”, the corresponding key is very likely to be the correct key.
Brute Force with only ciphertext. Attacker has access to ciphertext C and knows that it is the encryption of some English text. For each possible key K, the attacker decrypts C using K and checks whether the result is “meaningful”. If “yes”, the corresponding key is very likely to be the correct key.
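The Feistel round and the correctness property $D_K(E_K(M)) = M$ from the slides above, as an added Python example that is not code from the slides: a toy 64-bit Feistel cipher whose round function F is deliberately non-invertible (an assumed choice: a 32-bit truncation of SHA-256) and whose key schedule is a hypothetical hash-based KSA, showing that decryption is the same rounds with the round keys reversed, whatever F is.

```python
import hashlib
import os

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1


def round_function(r: int, k: int) -> int:
    """Round function F(R_{i-1}, K_i). Assumed choice for illustration:
    32-bit truncation of SHA-256(R || K_i). It is not invertible, which
    shows that Feistel invertibility does not depend on F."""
    data = r.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key: bytes, rounds: int) -> list:
    """Toy KSA (hypothetical): round key K_i is 32 bits of SHA-256(K || i)."""
    assert 1 <= rounds <= 255  # i must fit in one byte below
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def feistel(block: int, round_keys: list) -> int:
    """Apply L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i) once per round key.
    The halves are swapped back at the end, so the same routine run with the
    round keys in reverse order is the exact inverse."""
    left, right = block >> HALF_BITS, block & MASK
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left


def encrypt_block(key: bytes, m: int, rounds: int = 16) -> int:
    """E_K(M) for a 64-bit block M under key K."""
    return feistel(m, key_schedule(key, rounds))


def decrypt_block(key: bytes, c: int, rounds: int = 16) -> int:
    """D_K(C): identical rounds, round keys K_r, ..., K_1."""
    return feistel(c, key_schedule(key, rounds)[::-1])


def roundtrip_ok(key: bytes, trials: int = 1000) -> bool:
    """Check D_K(E_K(M)) = M on random 64-bit blocks."""
    for _ in range(trials):
        m = int.from_bytes(os.urandom(8), "big")
        if decrypt_block(key, encrypt_block(key, m)) != m:
            return False
    return True


if __name__ == "__main__":
    print("D_K(E_K(M)) == M for all trials:", roundtrip_ok(os.urandom(16)))
```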
How Good is Brute Force?
Complexity: $2^k$ encryptions/decryptions in the worst case; $2^{k-1}$ encryptions/decryptions on an average.
Suppose that $2^{30}$ trial encryptions can be completed in one second. A very optimistic (from the adversarial viewpoint) estimate; $2^{20}$ would be more reasonable.
There are $2^{30}$ dedicated machines working in parallel.
The machines work for one year (about $2^{25}$ seconds). Working for 100 years will change this figure to about $2^{32}$.
Total number of keys that can be examined is about $2^{85}$.
Two crucial parameters of any actual attack: cost (in Rupees/Dollars/...) and the time.

Attacks on Practical Block Ciphers
Linear cryptanalysis.
Differential cryptanalysis. Many variants: impossible differentials, rebound attack, boomerang attack, ...
Algebraic attacks.
Slide attack. A structural attack.
Side channel attacks. Exploits how the block cipher interacts with the environment.

A Bit of Formalism

Idealisation of a Block Cipher (1)
Pseudo-Random Permutation
[Figure: the adversary A interacts with an oracle that is either $E_K$ or a random permutation $\pi$.]
$\mathrm{Adv}(A) = \left|\Pr[A^{E_K} \Rightarrow 1] - \Pr[A^{\pi} \Rightarrow 1]\right|$.

Idealisation of a Block Cipher (2)
Strong Pseudo-Random Permutation
[Figure: the adversary A interacts with a pair of oracles that is either $(E_K, E_K^{-1})$ or $(\pi, \pi^{-1})$.]
$\mathrm{Adv}(A) = \left|\Pr[A^{E_K, E_K^{-1}} \Rightarrow 1] - \Pr[A^{\pi, \pi^{-1}} \Rightarrow 1]\right|$.

Authentication: The Conjoined Twin of Encryption

Authentication: General Idea
[Figure: the sender generates a tag for msg under secret key K and sends (msg, tag) over the public channel, where an adversary is present; the receiver verifies the tag under K and outputs yes/no.]
Active adversary: can listen to and modify information on the public channel; can obtain tag corresponding to chosen messages.
Adversarial goal: To make the receiver accept a msg-tag pair not generated by the sender.