Symmetric Key Cryptography PQCRYPTO Summer School on Post-Quantum Cryptography 2017

Stefan Kölbl, June 19th, 2017, DTU Compute, Technical University of Denmark

Introduction to Symmetric Key Cryptography

Where does security fail?
• User: RC4 (don't blame the user!)
• Implementation: Heartbleed
• Protocols: DROWN attack
• Cryptographic Algorithms
Myth: "Cryptographic Algorithms are never the weakest link."

Hash Function MD5
• Not collision resistant [WY05]
• Constructing a rogue CA [Ste+09]
Hash Function SHA-1
• Not collision resistant [WYY05]
• First practical collisions this year
Stream Cipher RC4
• Plaintext recovery in TLS [AlF+13]
• ...

A long list...
• MIFARE Classic (Crypto-1)
• KeeLoq
• A5/1, A5/2
• DECT
• Kindle Cipher
• ...

What can we do?
• Encryption
• Authentication (MAC)
• Hashing
• Random Number Generation
• Digital Signature Schemes
• Key Exchange

Digital Signatures
• Hash-based Signature Schemes (MSS, XMSS [BDH11], SPHINCS [Ber+15])
• Zero-Knowledge Proof Based (Fish [Cha+17], Picnic [Cha+17])

Key Exchange with Merkle Puzzles (1978)
• Alice prepares m puzzles P_1, ..., P_m.
• Solving a puzzle requires n steps.
• Solving P_i reveals an id_i and a key k_i.
Alice → Bob: P_1, ..., P_m. Bob solves one puzzle P_i and sends back id_i; both now hold k_i.
• Bob needs to compute n steps.
• The adversary needs to compute m·n steps.

Note: We need a shared secret between the parties.
"Meet on Friday" → E_K → qgWqNDAdcYgmyOy → E_K (decryption with the same key K) → "Meet on Friday"

The adversary
• Eavesdrop on communication
• Modify transmission
• Delete/insert messages
• ...
...but is bounded in
• Computational power
• Available memory
• Time
• Data

Goals of the attacker
• Decrypt a ciphertext (qgWqNDA... → message?)
• Forge a signature
• Recover the secret key
• Distinguish the output of E from random
• ...

How do we achieve security for an algorithm?
• Reduce security to a hard problem.
• Make it secure against all known attacks.
Note: We cannot prove security for a primitive.

Encryption: Block Ciphers
Key, Plaintext → BC → Ciphertext
• Encrypts blocks of fixed size n with a key of size k.
• Requires a mode to encrypt arbitrary messages.
A block cipher is not an encryption scheme.

Ideal Block Cipher
Each key selects its own mapping from plaintexts to ciphertexts (the slide shows three keys, K = 001111110000..., K = 101010111010... and K = 111111001000..., each giving a different permutation).

Block Ciphers
A block cipher can be seen as a family of 2^k n-bit bijections.
Problem: There are (2^n)! bijections; ideally we want to choose 2^k of them uniformly at random.
Goal: We need something efficient to mimic this behaviour.

Iterated construction
P → f_1 → f_2 → f_3 → ... → f_r → C, where round i uses the round key K_i derived from the key K.

The Data Encryption Standard
• Developed in the 1970s at IBM.
• Feistel Network with 16 rounds (the figure shows rounds f_1, f_2, f_3, ... acting on the halves L_0, R_0).
• Encrypts 64-bit blocks with 56-bit keys.
• Standardized in 1977.
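An added example, not code from the slides, of the Feistel network drawn on the DES slide above. A hypothetical SHA-256-based round function and a toy key schedule stand in for DES's own f and key schedule (both are assumptions made here); the point shown is that the same network run with the round keys in reverse order is the inverse, whatever f is.

```python
import hashlib

# Added example (not from the slides): a generic Feistel network as on the DES
# slide. round_function and round_keys are hypothetical stand-ins, not DES's.
HALF = 4  # bytes per half L_i / R_i (DES uses 32-bit halves and 16 rounds)

def round_function(r: bytes, k: bytes) -> bytes:
    """Hypothetical f(R, K_i): must be deterministic, need not be invertible."""
    return hashlib.sha256(k + r).digest()[:HALF]

def round_keys(key: bytes, rounds: int):
    """Toy key schedule (assumption, not DES's): K_i = H(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, rounds + 1)]

def feistel(block: bytes, keys) -> bytes:
    """(L_i, R_i) = (R_{i-1}, L_{i-1} XOR f(R_{i-1}, K_i)) for each round key,
    with the final swap undone as in DES so the same routine decrypts."""
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left, right = right, bytes(a ^ b for a, b in zip(left, round_function(right, k)))
    return right + left

def encrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    return feistel(block, round_keys(key, rounds))

def decrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Same network, round keys reversed: inverts encrypt for any f."""
    return feistel(block, round_keys(key, rounds)[::-1])
```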
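The Merkle puzzle key exchange sketched on the slide above, as an added toy model that is not code from the slides. The puzzle cipher (XOR with a SHA-256 keystream derived from a 12-bit puzzle key), the PUZZLEOK tag and the id/key sizes are assumptions made here; the n and m·n work counts are the slide's.

```python
import hashlib
import secrets

# Added toy model of the Merkle puzzle key exchange (not code from the slides).
# The puzzle "encryption" below is a stand-in chosen for this example.
PUZZLE_BITS = 12                            # 12-bit puzzle keys: solving costs n = 2**12 guesses
TAG, ID_LEN, KEY_LEN = b"PUZZLEOK", 4, 16   # marker for a correct guess; sizes of id_i and k_i

def _encrypt(puzzle_key: int, data: bytes) -> bytes:
    """Stand-in puzzle cipher: XOR with SHA-256(puzzle_key); data fits in 32 bytes."""
    ks = hashlib.sha256(puzzle_key.to_bytes(2, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def make_puzzles(m: int):
    """Alice prepares P_1, ..., P_m; each hides (id_i, k_i) under a random puzzle key.
    Returns the puzzles and Alice's private id -> key table."""
    puzzles, table = [], {}
    for _ in range(m):
        id_i, k_i = secrets.token_bytes(ID_LEN), secrets.token_bytes(KEY_LEN)
        puzzles.append(_encrypt(secrets.randbelow(1 << PUZZLE_BITS), TAG + id_i + k_i))
        table[id_i] = k_i
    return puzzles, table

def solve_puzzle(puzzle: bytes):
    """Bob brute-forces one puzzle: at most n = 2**PUZZLE_BITS steps.
    Returns (id_i, k_i, number of guesses made)."""
    for guess in range(1 << PUZZLE_BITS):
        plain = _encrypt(guess, puzzle)          # XOR is its own inverse
        if plain.startswith(TAG):
            return plain[len(TAG):len(TAG) + ID_LEN], plain[len(TAG) + ID_LEN:], guess + 1
    raise ValueError("no puzzle key found")

def exchange(m: int):
    """Alice sends m puzzles, Bob solves one and returns id_i in the clear, both
    end up with k_i. Returns (keys agree, Bob's work, adversary's worst case m*n)."""
    puzzles, alice_table = make_puzzles(m)
    id_i, bob_key, work = solve_puzzle(puzzles[secrets.randbelow(m)])
    alice_key = alice_table[id_i]              # Alice looks up k_i from the id Bob sent
    return alice_key == bob_key, work, m * (1 << PUZZLE_BITS)
```

The adversary who only sees the puzzles and id_i has no better option than solving puzzles until id_i appears, hence the m·n bound; the quadratic gap is why Merkle puzzles are of historical rather than practical interest.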
The Advanced Encryption Standard (AES)
• Public competition hosted by NIST (1997-2001)
• Must support a block size of 128 bits and key sizes of 128, 192 and 256 bits.
• Candidates: CAST-256, CRYPTON, DEAL, DFC, E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, Twofish

Block Ciphers: AES/Rijndael
• Block size: 128 bits
• Key size: 128/192/256 bits
• Iterated block cipher with 10/12/14 rounds
• Is part of a wide range of standards.
• Direct support by instructions in modern CPUs.

AES round function: update the 4 × 4 state of bytes a_{i,j} (rows i = 0..3, columns j = 0..3) into b_{i,j}
• SubBytes: every byte passes through the S-box, b_{i,j} = S(a_{i,j}).
• ShiftRows: row i is rotated left by i positions. Row 0 is unchanged; row 1 becomes a_{1,1} a_{1,2} a_{1,3} a_{1,0}; row 2 becomes a_{2,2} a_{2,3} a_{2,0} a_{2,1}; row 3 becomes a_{3,3} a_{3,0} a_{3,1} a_{3,2}.
• MixColumns: each column (a_{0,j}, a_{1,j}, a_{2,j}, a_{3,j}) is mixed into the column (b_{0,j}, b_{1,j}, b_{2,j}, b_{3,j}).
• AddRoundKey: b_{i,j} = a_{i,j} ⊕ k_{i,j}, XORing the state with the 4 × 4 round key bytes k_{i,j}.

Current state of key recovery attacks for AES-128 (rounds attacked → time complexity)
• 6 rounds: 2^44 [Fer+00]
• 7 rounds: 2^99 [DFJ13]
• 8 rounds: 2^125.34 [BKR11]
• 10 rounds (full AES-128): 2^126.18 [BKR11]
There are many more attacks with different trade-offs of time/data/memory.

Stream Ciphers
Key, IV → E → Keystream; Keystream ⊕ Plaintext = Ciphertext
• Encrypts individual digits.
• IV to have multiple keystreams for each key K.
• Requires no padding.
• Often used for low-bandwidth communication.

Stream ciphers widely found in practice
• GSM standard (A5/1, A5/2)
• LTE (SNOW 3G, ZUC)
• Bluetooth (E0)
• TLS protocol (RC4, ChaCha20)

eSTREAM Project (EU)
Goal: ...promote the design of efficient and compact stream ciphers suitable for widespread adoption...
• Software portfolio: HC-128, Rabbit, Salsa20/12, SOSEMANUK
• Hardware portfolio: Grain v1, MICKEY 2.0, Trivium

LFSR-based constructions, e.g. A5/1
• Load IV and key in registers.
• Shift registers depending on values in [clocking positions shown in the figure].
• Produces 1-bit output in each iteration.
(Figure: three shift registers of 19, 22 and 23 bits, positions 0..18, 0..21 and 0..22.)

Counter Mode (CTR)
Keystream blocks: AES_K(N || 0...01), AES_K(N || 0...02), AES_K(N || 0...03), ... giving keystream bits C_0, ..., C_127; C_128, ..., C_255; C_256, ..., C_383; ...
Note: Reusing nonce and counter gives the same keystream.

Salsa20 / ChaCha20
• ARX-based design
• 512-bit state
• Uses 256-bit key
• 20 rounds
• Fast in software
• ChaCha20-Poly1305 in TLS

Current state of key recovery attacks for Salsa20 (rounds attacked → time complexity)
• 5 rounds: 2^8 [CM16]
• 6 rounds: 2^32 [CM16]
• 7 rounds: 2^137 [CM16]
• 8 rounds: 2^244.9 [CM16]
For ChaCha typically one round less.

Cryptographic Hash Functions
"There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork.
It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live – did live, from habit that became instinct – in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized."
→ H → WqNDAdcYgmyO

The same text with one word changed ("...in the assumption that every noise you made was overheard...")
→ H → a1IMC3mLo9Lx

Hash Functions: Applications
• Integrity check
• Digital signature schemes (this afternoon)
• Password hashing (https://password-hashing.net/)
• Message authentication
• Commitment schemes
• ...
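An added example, not code from the slides, working through one AES round on the 4 × 4 byte state a[i][j] exactly as laid out on the AES round slide above (SubBytes, ShiftRows, MixColumns, AddRoundKey). The S-box is generated from its definition (inverse in GF(2^8) followed by the affine map) instead of being typed in as a 256-entry table.

```python
# Added example, not code from the slides: one AES round on the 4 x 4 byte
# state a[i][j] of the round slide (SubBytes, ShiftRows, MixColumns, AddRoundKey).

def xtime(b):
    """Multiply a byte by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def build_sbox():
    """S-box = inverse in GF(2^8) then the affine map. p runs through the
    powers of 3 (a generator), q tracks 1/p, so box[p] is built from p's inverse."""
    box, p, q = [0x63] * 256, 1, 1            # box[0] stays 0x63 (0 has no inverse)
    while True:
        p ^= xtime(p)                                       # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF    # q /= 3 (times 0xf6)
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # q and its four rotations
        box[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF               # wrap the overflow bits back in
        if p == 1:
            return box

SBOX = build_sbox()

def sub_bytes(a):
    return [[SBOX[v] for v in row] for row in a]

def shift_rows(a):
    """Row i is rotated left by i positions: row 1 becomes a11 a12 a13 a10, etc."""
    return [row[i:] + row[:i] for i, row in enumerate(a)]

def mix_column(col):
    """Circulant matrix with first row (2 3 1 1): out[i] = 2c[i] + 3c[i+1] + c[i+2] + c[i+3]."""
    return [xtime(col[i]) ^ xtime(col[(i + 1) % 4]) ^ col[(i + 1) % 4]
            ^ col[(i + 2) % 4] ^ col[(i + 3) % 4] for i in range(4)]

def mix_columns(a):
    cols = [mix_column([a[i][j] for i in range(4)]) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]  # back to row-major a[i][j]

def add_round_key(a, k):
    """b[i][j] = a[i][j] XOR k[i][j] with the 4 x 4 round key k."""
    return [[x ^ y for x, y in zip(ra, rk)] for ra, rk in zip(a, k)]

def aes_round(a, k):
    """One full round in the slide's order."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(a))), k)
```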
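An added example, not code from the slides, for the Counter Mode note above ("Reusing nonce and counter gives the same keystream"). The slide's AES_K(N || counter) is replaced by an HMAC-SHA256 stand-in, an assumption made here because the Python standard library has no AES; the keystream structure is the slide's, which is enough to show why a reused nonce leaks p1 ⊕ p2 and why a fresh nonce per message is the fix.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides) for the CTR note on nonce reuse. The
# block function is a stand-in for AES_K(N || counter), not AES itself.
BLOCK = 16

def block_function(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for AES_K(N || ctr): 12-byte nonce, 4-byte big-endian counter."""
    return hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Concatenate blocks for counters 1, 2, 3, ... as drawn on the slide."""
    out, ctr = b"", 1
    while len(out) < length:
        out += block_function(key, nonce, ctr)
        ctr += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream; decryption is the same call."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes):
    """Two messages under the same (key, nonce): the keystream cancels, so
    c1 XOR c2 = p1 XOR p2 and a known p1 reveals the overlapping part of p2.
    Returns (relation holds, bytes of p2 recovered without the key)."""
    c1, c2 = ctr_encrypt(key, nonce, p1), ctr_encrypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    diff = xor(c1, c2)[:n]
    return diff == xor(p1, p2)[:n], xor(diff, p1[:n])

def fresh_nonces_differ(key: bytes, length: int = 48) -> bool:
    """The mitigation: a nonce used once per key gives an unrelated keystream."""
    n1, n2 = secrets.token_bytes(12), secrets.token_bytes(12)
    return keystream(key, n1, length) != keystream(key, n2, length)
```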
