
Chapter 4 Block Ciphers
Course website: https://ece.uwaterloo.ca/~j25ni/CP460

Outline
• Block ciphers
• Data encryption standard (DES)
• Block cipher attacks
• Advanced encryption standard (AES)
• Encryption Modes

Block Ciphers
Block ciphers play an important role in securing systems. They can be used to construct:
• Pseudo-random number generators
• Stream ciphers
• Message authentication codes (MACs) and hash functions
• The core components of message authentication technology, data integrity mechanisms, identity authentication protocols and the single-key digital signature system.

Requirements in Implementation
• Safety
• Speed
• Storage (length of program, length of data packet, cache size)
• Implementation platform (hardware, software, chip)
• Encryption mode

Basic Concept
Plaintext sequence: x1, x2,…, xi,…
Encryption E: P^n × K → C^m (substitution cipher for a sequence of length n)
[Figure: encryption maps plaintext x=(x0, x1,…, xn-1) to ciphertext y=(y0, y1,…, ym-1) under key k=(k0, k1,…, kt-1); decryption under the same key recovers plaintext x=(x0, x1,…, xn-1)]
n=m in general. If n < m, it is a block cipher with data extension. If n > m, it is a block cipher with data compression.

Design Problem
The design problem of block ciphers is to find an algorithm that can easily and quickly select a permutation from a large enough and sufficiently good subset of permutations under the control of keys to encrypt the input plaintext.

Design Principles
Confusion and diffusion are two properties of the operation of a secure block cipher.
• Confusion: each binary digit (bit) of the ciphertext should depend on several parts of the key, obscuring the connections between the two.
• Diffusion: if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change, and similarly, if we change one bit of the ciphertext, then approximately one half of the plaintext bits should change, such that the statistical properties of the plaintext can be hidden.

Requirements on Block Cipher Algorithm
• The block size n is large enough:
  – Prevent the exhaustive attack on plaintext.
• The number of keys should be large enough:
  – Eliminate weak keys and make all keys equally good to prevent exhaustive attack on keys.
• The permutation algorithm determined by keys is complex enough:
  – Realize confusion and diffusion of plaintext and key so that the connections are obscured, to prevent known attacks.
• Encryption and decryption operations are simple:
  – Easy to implement in software and hardware at high speed.
• Data extension:
  – No data extension; data extension can be introduced when using homomorphic permutation and randomization encryption techniques.
• Error propagation is as small as possible.

Block Ciphers Examples
• AES
• DES
• 3DES
• Twofish
• Blowfish
• Serpent
• IDEA
[Figure: Plaintext → E → Ciphertext → D → Plaintext, with E and D using the same Key]

Round Function
R(k, m) is called a round function.

Performance
Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

Type    Cipher       Block/key size   Throughput [MB/s]
Stream  RC4                           126
Stream  Salsa20/12                    643
Stream  Sosemanuk                     727
Block   3DES         64/168           13
Block   AES128       128/128          109

History of DES
• 1970s: Horst Feistel designs Lucifer at IBM; key = 128 bits, block = 128 bits
• 1973: NBS (National Bureau of Standards) asks for block cipher proposals. IBM submits a variant of Lucifer.
• 1976: NBS adopts DES as federal standard; key = 56 bits, block = 64 bits
• 1997: DES broken by exhaustive search
• 2000: NIST adopts Rijndael as AES to replace DES.
AES currently widely deployed in banking, commerce and Web

DES: core idea – Feistel network
Given one-way functions
Goal: build invertible function
[Figure: d-round Feistel network on two n-bit halves, from input (R0, L0) through (R1, L1), (R2, L2), …, (Rd-1, Ld-1) to output (Rd, Ld), using round functions f1, f2, …, fd]
In symbols:

Feistel network - inverse
Claim: Feistel function F is invertible
Proof: construct inverse
[Figure: one round mapping (Ri, Li) to (Ri+1, Li+1) using fi+1, and its inverse mapping (Ri+1, Li+1) back to (Ri, Li) using the same fi+1]

Decryption circuit
[Figure: decryption circuit on two n-bit halves, from (Rd, Ld) through (Rd-1, Ld-1), (Rd-2, Ld-2), …, (R1, L1) to (R0, L0), applying fd, fd-1, …, f1]
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES

DES: 16 round Feistel network
[Figure: 64-bit input → IP → 16 round Feistel network (f1, f2, …, f16; halves (R0, L0) through (R16, L16)) → IP^-1 → 64-bit output; key expansion derives 48-bit round keys k1, k2, …, k16 from the 56-bit key k]
To invert, use keys in reverse order

Initial permutation (IP) Table

Initial permutation IP

IP^-1 Table
Y = IP^-1(X) = IP^-1(IP(M))

The function F(ki, x)
S-box: function {0,1}^6 → {0,1}^4, implemented as lookup table.
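
The Feistel construction and its inverse from the slides above, as an added example that is not part of the original slides. It uses the standard round (L, R) → (R, L ⊕ f(R)); truncated SHA-256 stands in for the arbitrary round functions f1, …, fd, and the subkeys and the 64-bit block are constructed sample values.

```python
import hashlib

def make_round_fn(subkey: bytes):
    """Build one round function f_i. It need not be invertible; truncated
    SHA-256 keyed with a subkey is an assumption made for this example."""
    def f(half: bytes) -> bytes:
        return hashlib.sha256(subkey + half).digest()[:len(half)]
    return f

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def swap(block: bytes) -> bytes:
    """Exchange the two halves of a block."""
    n = len(block) // 2
    return block[n:] + block[:n]

def feistel_encrypt(round_fns, block: bytes) -> bytes:
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for f in round_fns:
        # Standard Feistel round: L_i = R_{i-1}, R_i = L_{i-1} xor f_i(R_{i-1})
        L, R = R, xor(L, f(R))
    return L + R

def feistel_decrypt(round_fns, block: bytes) -> bytes:
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for f in reversed(round_fns):
        # Inverse round: R_{i-1} = L_i, L_{i-1} = R_i xor f_i(L_i)
        L, R = xor(R, f(L)), L
    return L + R

# Constructed sample: 16 rounds on a 64-bit block, the same shape as DES
ROUND_FNS = [make_round_fn(b"subkey-%d" % i) for i in range(1, 17)]
SAMPLE = b"8 bytes!"

if __name__ == "__main__":
    ct = feistel_encrypt(ROUND_FNS, SAMPLE)
    print(ct.hex(), feistel_decrypt(ROUND_FNS, ct))
```

Running feistel_encrypt with the round functions reversed on a half-swapped ciphertext, then swapping again, gives the same result as feistel_decrypt, which is the slides' point that inversion is the same circuit with f1, …, fd in reverse order.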

Expansion function E
E(a1 a2 … a32) = a32 a1 a2 a3 a4 a5 a4 … a31 a32 a1

Permutation P
P(c1 c2 … c32) = c16 c7 c20 c21 c29 c12 c28 … c11 c4 c25

The S Boxes
e.g., 011011 → 1001

DES Key Schedule
Forms subkeys used in each round
– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
– 16 stages consisting of:
  • rotating each half separately either 1 or 2 places depending on the key rotation schedule K (left-circular shift)
  • selecting 24-bits from each half & permuting them by PC2 for use in round function F

Input Key
[Figure: 56-bit input key within the 64-bit key]

Permuted Choice (PC)

Left-circular Shift (LCS)
Round 4: left-circular shift 2 bits
1101100011010111000101010100 → 0110001101011100010101010011

Exhaustive Search for block cipher key
Goal: given a few input output pairs (mi, ci = E(k, mi)), i=1,..,n, find key k.
Attack: Brute force to find the key k.

DES challenge
msg = “The unknown messages is:XXXXXXXX…“
CT = c1 c2 c3 c4
Goal: find k ∈ {0,1}^56 s.t. DES(k, mi) = ci for i=1,2,3
How expensive is it to reveal DES^-1(k, c4)?
• 1976: DES adopted as federal standard
• 1997: Distributed search, 3 months
• 1998: EFF deep crack, 56 hours, $250,000
• 1999: Distributed search and deep crack, 22 hours
• 2006: COPACOBANA (120 FPGAs parallel machine), 7 days, $10,000
56-bit keys should not be used (128-bit key: 2^72 days)

Strengthening DES
Method 1: Triple-DES
Let E : K × M → M be a block cipher
Define 3E: K^3 × M → M as: 3E((k1,k2,k3), m) = E(k1, D(k2, E(k3, m)))
3DES
- Key-size: 3×56 = 168 bits
- k1 = k2 = k3 => DES
- 3× slower than DES
- Simple attack in time: ≈ 2^118

Why not 2DES?
• Define 2E((k1,k2), m) = E(k1, E(k2, m)); key-len = 112 bits for 2DES
[Figure: m → E(k2, ·) → E(k1, ·) → c]
Given: M = (m1,…, m10), C = (c1,…,c10).
(Naïve method)
For each k2 ∈ {0,1}^56:
  For each k1 ∈ {0,1}^56:
    if E(k1, E(k2, mi)) = ci then (k2, k1)
2^112 checks
[Figure: m is encrypted to c' under each k2, and c' to c'' under each k1; test c'' = c?]

Meet in the middle attack
• Define 2E((k1,k2), m) = E(k1, E(k2, m)); key-len = 112 bits for 2DES
[Figure: m → E(k2, ·) → c'; c'' ← D(k1, ·) ← c]
Idea: key found when c' = c'': E(ki, m) = D(kj, c)

Attack: M = (m1,…, m10), C = (c1,…,c10).
• Step 1: build table of 2^56 entries, sort on 2nd column; it maps c' to k2.

  k^0 = 00…00    E(k^0, M)
  k^1 = 00…01    E(k^1, M)
  k^2 = 00…10    E(k^2, M)
  …
  k^N = 11…11    E(k^N, M)

• Step 2: for each k ∈ {0,1}^56: test if D(k, C) is in 2nd column.
  If so then E(k^i, M) = D(k, C) ⇒ (k^i, k) = (k2, k1)

Time = 2^56 log(2^56) [Build & Sort Table] + 2^56 log(2^56) [Search Entries] < 2^63 << 2^112
Space ≈ 2^56 [Table Size]
Same attack on 3DES: Time = 2^118, Space ≈ 2^56
[Figure: m → E(k3, ·) → D(k2, ·) → E(k1, ·) → c]

Method 2: DESX
E : K × {0,1}^n → {0,1}^n a block cipher
Define EX as EX(k1, k2, k3, m) = k1 ⊕ E(k2, m ⊕ k3)
For DESX: key-len = 64+56+64 = 184 bits
… but there is a meet-in-the-middle attack in time 2^(64+56) = 2^120
Note: k1 ⊕ E(k2, m) and E(k2, m ⊕ k1) do almost nothing!

Attacks on the implementation
1. Side channel attacks:
  – Measure time to do enc/dec, measure power for enc/dec [Kocher, Jaffe, Jun, 1998]
  [Figure: smartcard doing DES; labels IP, 16 rounds, IP^-1]
2. Fault attacks:
  – Computing errors in the last round expose the secret key k
never implement crypto primitives yourself …

AES
• 1997: DES broken by exhaustive search
• 1997: NIST publishes request for proposal
• 1998: 15 submissions
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium)

AES: Subs-Perm network
DES is based on Feistel networks.
AES is based on the idea of substitution-permutation networks, that is, alternating steps of substitution and permutation operations.

AES is a Subs-Perm network (not Feistel)
[Figure: substitution-permutation network from input to output, with round keys k1, k2, …, kn and S-boxes S1, S2, S3, …, S8 in each "subs." layer]
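
The meet-in-the-middle attack on double encryption from the slides above, as an added example that is not part of the original slides. The toy 32-bit cipher E/D with 16-bit keys, the key pair and the two plaintext blocks are constructed so that the search runs in about a second; a dict lookup replaces the slides' sorted table.

```python
# Added example: toy cipher, keys and messages are constructed for illustration.
MASK = 0xFFFFFFFF              # 32-bit block
KEY_BITS = 16                  # toy key size (DES uses 56)
MUL = 0x9E3779B1               # odd, so multiplication mod 2^32 is invertible
INV = pow(MUL, -1, 1 << 32)    # modular inverse of MUL

def E(k, m):
    """Toy block cipher (not DES, not secure): xor key, multiply, rotate."""
    for _ in range(4):
        m = ((m ^ k) * MUL) & MASK
        m = ((m << 13) | (m >> 19)) & MASK
    return m

def D(k, c):
    """Inverse of E: undo the rotate, the multiply and the key xor."""
    for _ in range(4):
        c = ((c >> 13) | (c << 19)) & MASK
        c = ((c * INV) & MASK) ^ k
    return c

def double_encrypt(k1, k2, m):
    return E(k1, E(k2, m))     # 2E((k1,k2), m) as defined in the slides

def meet_in_the_middle(msgs, cts):
    """Return every (k1, k2) with E(k1, E(k2, m_i)) = c_i for all i,
    using about 2 * 2^KEY_BITS key trials instead of 2^(2*KEY_BITS)."""
    # Step 1: table mapping c' = E(k2, M) to k2
    table = {}
    for k2 in range(1 << KEY_BITS):
        table.setdefault(tuple(E(k2, m) for m in msgs), []).append(k2)
    # Step 2: for each k1, test whether c'' = D(k1, C) is in the table
    found = []
    for k1 in range(1 << KEY_BITS):
        mid = tuple(D(k1, c) for c in cts)
        found.extend((k1, k2) for k2 in table.get(mid, ()))
    return found

# Constructed sample: two known plaintext blocks under a secret key pair
K1, K2 = 0xBEEF, 0x1234
MSGS = [0x54686520, 0x756E6B6E]
CTS = [double_encrypt(K1, K2, m) for m in MSGS]

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(MSGS, CTS)])
```

Matching on both blocks at once is what keeps false positives out: with a single 32-bit block, roughly 2^16 wrong key pairs would also meet in the middle, which is why the slides run the attack on a vector M of several blocks.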