CS 6260 Applied Cryptography Block Ciphers, Pseudorandom Functions


CS 6260 Applied Cryptography
Alexandra (Sasha) Boldyreva
Block ciphers, pseudorandom functions and permutations

Block ciphers

Building blocks for symmetric encryption: M → E_K → C. Examples: DES, 3DES, AES, ...

• A block cipher is a function family E: {0,1}^k × {0,1}^n → {0,1}^n, where k (the key length) and n (the input and output length) are the parameters.
• Notation: for every K ∈ {0,1}^k, E_K(M) = E(K, M).
• For every K ∈ {0,1}^k, E_K(·) is a permutation (a one-to-one and onto function): for every C ∈ {0,1}^n there is a single M ∈ {0,1}^n such that C = E_K(M).
• Thus each block cipher has an inverse for every key, E_K^{-1}(·), such that E_K^{-1}(E_K(M)) = M for all M ∈ {0,1}^n (equivalently E_K(E_K^{-1}(C)) = C for all C ∈ {0,1}^n).
• For every K ∈ {0,1}^k, E_K(·), E_K^{-1}(·): {0,1}^n → {0,1}^n.

DES

• Key length k = 56, input and output length n = 64.
• 1973. NBS (National Bureau of Standards) announced a search for a data protection algorithm to be standardized.
• 1974. IBM submits a design based on the "Lucifer" algorithm.
• 1975. The proposed DES is published.
• 1976. DES approved as a federal standard.
• DES is highly efficient: ≈ 2.5·10^7 DES computations per second (the rate assumed in these notes).

Security of block ciphers

• Any block cipher E is subject to exhaustive key search: given (M_1, C_1 = E(K, M_1)), ..., (M_q, C_q = E(K, M_q)), an adversary can recover K (or another key consistent with the given pairs) as follows:

  EKS_E((M_1, C_1), ..., (M_q, C_q))
    For i = 1, ..., 2^k do            // T_i is the i-th k-bit string, in lexicographic order
      If E(T_i, M_1) = C_1 then
        If E(T_i, M_j) = C_j for all 2 ≤ j ≤ q then return T_i EndIf
      EndIf
    EndFor

• Exhaustive key search uses at most 2^k block-cipher computations (worst case).
• On the average it uses (2^k + 1)/2 ≈ 2^{k-1} computations (derivation below).

Excerpt from Bellare and Rogaway, "Block ciphers" (the book pages reproduced on the slides):

In a chosen-message attack the adversary feeds the oracle M_1 and gets back C_1 = E_K(M_1). It can then decide on a value M_2, feed the oracle this, and get back C_2, and so on. Clearly a chosen-message attack gives the adversary much more power, but is also less realistic in practice.

The most obvious attack strategy is exhaustive key search. The adversary goes through all possible keys K' ∈ {0,1}^k until it finds one that explains the input-output pairs. Here is the attack in detail, using q = 1, meaning one input-output example. For i = 1, ..., 2^k let T_i denote the i-th k-bit string (in lexicographic order).

  EKS_E(M_1, C_1)
    for i = 1, ..., 2^k do
      if E(T_i, M_1) = C_1 then return T_i fi

This attack always returns a key consistent with the given input-output example (M_1, C_1). Whether or not it is the target key depends on the block cipher, and in particular on its key length and block length, and in some cases the probability of this is too small. The likelihood of the attack returning the target key can be increased by testing against more input-output examples:

  EKS_E((M_1, C_1), ..., (M_q, C_q))
    for i = 1, ..., 2^k do
      if E(T_i, M_1) = C_1 then
        if (E(T_i, M_2) = C_2 AND ··· AND E(T_i, M_q) = C_q) then return T_i fi
      fi

A fairly small value of q, say somewhat more than k/n, is enough that this attack will usually return the target key itself. For DES, q = 2 is enough. Thus, no block cipher is perfectly secure. It is always possible for an attacker to recover the key. A good block cipher, however, is designed to make this task computationally prohibitive.

"But, clearly, DES and AES are not designed like this." True. But that is missing the point. The point is that security against key-recovery alone does not make a "good" block cipher. But then what does make a good block cipher? This question turns out to not be so easy to answer. Certainly one can list various desirable properties. For example, the ciphertext should not reveal half the bits of the plaintext. But that is not enough either. As we see more usages of ciphers, we build up a longer and longer list of security properties SP1, SP2, SP3, ... that are necessary for the security of some block-cipher-based application. Such a list is not a good basis for design or analysis. What we need is one single "master" security property of block ciphers which, if met, guarantees security of the natural usages of the cipher. That property is pseudorandomness: a good block cipher behaves like a pseudorandom function (PRF) / pseudorandom permutation, the notion developed later in these notes.

How long does exhaustive key search take? Since q is small we can neglect the difference in running time between the two versions of the attack above, and focus for simplicity on the first attack. In the worst case it uses 2^k computations of the block cipher. However it could be less, since one could get lucky. For example, if the target key is in the first half of the search space, only 2^{k-1} computations would be used. So a better measure is how long it takes on the average. This is

$$
\sum_{i=1}^{2^k} i \cdot \Pr[K = T_i] \;=\; \sum_{i=1}^{2^k} \frac{i}{2^k} \;=\; \frac{1}{2^k}\cdot\frac{2^k\,(2^k+1)}{2} \;=\; \frac{2^k+1}{2} \;\approx\; 2^{k-1}
$$

computations of the block cipher. This is because the target key is chosen at random, so with probability 1/2^k it equals T_i, and in that case the attack uses i E-computations to find it. Thus, to make key recovery by exhaustive search computationally prohibitive, one must make the key length k of the block cipher large enough.

Problem 2.1 Show that for all K ∈ {0,1}^56 and all x ∈ {0,1}^64,
$$
\mathrm{DES}_{\overline{K}}(\overline{x}) \;=\; \overline{\mathrm{DES}_K(x)} .
$$
This is called the key-complementation property of DES; it speeds up exhaustive key search by a factor of two.

Let's look at DES.
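The attack above, run end to end as an added example (this code is not from the lecture notes or the Bellare-Rogaway book). To make the whole key space searchable in a fraction of a second it uses a deliberately tiny 4-round Feistel cipher with an 8-bit block (n = 8) and a 16-bit key (k = 16); the S-box, key schedule, sample key and sample plaintexts are all constructed here for illustration and correspond to no real cipher. Because k > n, a single input-output pair leaves many consistent keys, so EKS_E with q = 1 usually returns a key that is not the target; adding pairs (q somewhat more than k/n, here 3) narrows the candidates down, which is the point the notes make about q.

```python
"""Exhaustive key search (EKS_E) against a constructed toy Feistel block cipher."""
import random
from fractions import Fraction

N_BITS = 8      # block length n
K_BITS = 16     # key length k
ROUNDS = 4

# Constructed 4-bit S-box: a fixed permutation of 0..15, not taken from any standard.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]

def round_keys(key):
    """Key schedule (assumption of this toy): the 16-bit key is split into four 4-bit round keys."""
    return [(key >> (4 * r)) & 0xF for r in range(ROUNDS)]

def feistel_f(half, rk):
    """Round function on a 4-bit half block: S-box applied to (half XOR round key)."""
    return SBOX[half ^ rk]

def encrypt(key, block):
    """E_K(M): 4-round Feistel network on an 8-bit block. A Feistel network is a
    permutation for every key regardless of F, as the block-cipher definition requires."""
    left, right = block >> 4, block & 0xF
    for rk in round_keys(key):
        left, right = right, left ^ feistel_f(right, rk)
    return (left << 4) | right

def decrypt(key, block):
    """E_K^{-1}(C): undo the rounds in reverse order with the round keys reversed."""
    left, right = block >> 4, block & 0xF
    for rk in reversed(round_keys(key)):
        left, right = right ^ feistel_f(left, rk), left
    return (left << 4) | right

def is_permutation(key):
    """Check E_K is one-to-one and onto {0,1}^n by enumerating the whole block space."""
    return sorted(encrypt(key, m) for m in range(1 << N_BITS)) == list(range(1 << N_BITS))

def exhaustive_key_search(pairs):
    """EKS_E from the notes: scan T_1, T_2, ... (all k-bit strings in lexicographic
    order), test (M_1, C_1) first and the remaining pairs only on a hit, and return the
    first consistent key together with the number of candidate keys tried."""
    trials = 0
    for t in range(1 << K_BITS):
        trials += 1
        if encrypt(t, pairs[0][0]) == pairs[0][1]:
            if all(encrypt(t, m) == c for m, c in pairs[1:]):
                return t, trials
    raise ValueError("no consistent key")   # impossible when the pairs came from E

def consistent_keys(pairs):
    """Every key that explains all given pairs, to see how many candidates survive q pairs."""
    return [t for t in range(1 << K_BITS) if all(encrypt(t, m) == c for m, c in pairs)]

def expected_trials(k):
    """Average number of E-computations of EKS when the target key is uniform: (2^k + 1)/2."""
    return Fraction((1 << k) + 1, 2)

def demo(seed=6260):
    """Chosen-message attack: pick a target key, query E_K on four constructed plaintexts,
    and run EKS with q = 1..4. Returns the target and, per q, (key found, trials, #consistent keys)."""
    rng = random.Random(seed)
    target = rng.getrandbits(K_BITS)
    msgs = [rng.getrandbits(N_BITS) for _ in range(4)]
    pairs = [(m, encrypt(target, m)) for m in msgs]
    results = {}
    for q in range(1, 5):
        found, trials = exhaustive_key_search(pairs[:q])
        results[q] = (found, trials, len(consistent_keys(pairs[:q])))
    return target, results

if __name__ == "__main__":
    target, results = demo()
    print(f"target key {target:#06x}, expected EKS trials {float(expected_trials(K_BITS)):.1f}")
    for q, (found, trials, n_cons) in results.items():
        print(f"q={q}: found {found:#06x} after {trials} trials; {n_cons} consistent keys")
```

Running it shows roughly 2^(k-n) = 256 keys surviving q = 1 and the count collapsing toward 1 as q grows; with q = 1 the returned key is the lexicographically smallest consistent one, not necessarily the target. The `expected_trials` value 32768.5 is (2^16 + 1)/2, the average derived in the notes.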
• The book notes that there is a VLSI chip that computes DES at a rate of 1.6 Gbits/sec. How long would key recovery via exhaustive search take?
• For DES (k = 56), exhaustive search needs about 2^55 DES computations on average. At 2.5·10^7 DES computations per second that is 2^55 / (2.5·10^7) ≈ 1.4·10^9 seconds, i.e. roughly 45 years on a single such unit.
• DES has the key-complementation property DES_{K̄}(x̄) = complement of DES_K(x) for all K and x, which speeds up exhaustive key search by a factor of two.

Problems (Bellare and Rogaway, Section 2.7, as reproduced on the slides)

Problem 2.2 Explain how to use the key-complementation property of DES to speed up exhaustive key search by about a factor of two. Explain any assumptions that you make.

Problem 2.3 Find a key K such that DES_K(·) = DES_K^{-1}(·). Such a key is sometimes called a "weak" key.

Problem 2.4 As with AES, suppose we are working in the finite field with 2^8 elements, representing field points using the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1. Compute the byte that is the result of multiplying the bytes {e1} · {05}.

Problem 2.5 For AES, we have given two different descriptions of mix-cols: one using matrix multiplication (in GF(2^8)) and one based on multiplying by a fixed polynomial c(x) modulo a second fixed polynomial, d(x) = x^4 + 1. Show that these two methods are equivalent.

Security of DES

• There are more sophisticated attacks known:
  • differential cryptanalysis: finds the key given about 2^47 chosen plaintexts and the corresponding ciphertexts
  • linear cryptanalysis: finds the key given about 2^42 known plaintext/ciphertext pairs
• These attacks require too much data, hence exhaustive key search is the best known attack. And it can be mounted in parallel!
• A machine for DES exhaustive key search was built for about $250,000. It recovered a DES challenge key in about 56 hours.
• A new block cipher was needed....
• Triple-DES: 3DES(K1 || K2, M) = DES(K2, DES^{-1}(K1, DES(K2, M))).
• 3DES's keys are 112 bits long. Good, but it needs 3 DES computations per block.

Advanced Encryption Standard (AES)

• 1997. NIST announced a search for a new block cipher.
• 1998. 15 algorithms from different countries were submitted.
• 2000. NIST announces the winner: the algorithm Rijndael, designed by Joan Daemen and Vincent Rijmen from Belgium.
• 2001. AES is published as the federal standard FIPS 197.
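Problems 2.4 and 2.5 worked in code, as an added example (not from the lecture notes or the book): multiplication in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 by the shift-and-reduce ("xtime") method, mix-cols as a 4×4 matrix product over GF(2^8), and mix-cols as multiplication by c(x) = {03}x^3 + {01}x^2 + {01}x + {02} modulo d(x) = x^4 + 1. The column vectors used in the check are constructed here; the matrix and c(x) are the ones from the AES specification. The code also goes slightly beyond Problem 2.5 by checking the equivalence on many random columns rather than arguing it once.

```python
"""GF(2^8) arithmetic and the two descriptions of AES mix-cols (Problems 2.4 and 2.5)."""
import random

M_X = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1 as a bit pattern (1 0001 1011)

def gf_mul(a, b):
    """Multiply two field elements (bytes) in GF(2^8) modulo m(x).
    Each loop step doubles a (multiply by x) and reduces by m(x) whenever the
    degree reaches 8; the bits of b select which multiples of a are XORed in."""
    assert 0 <= a < 256 and 0 <= b < 256
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:          # degree 8 reached: subtract (XOR) m(x)
            a ^= M_X
        b >>= 1
    return result

# The mix-cols matrix from the AES specification (entries are GF(2^8) elements).
MIX_MATRIX = [
    [0x02, 0x03, 0x01, 0x01],
    [0x01, 0x02, 0x03, 0x01],
    [0x01, 0x01, 0x02, 0x03],
    [0x03, 0x01, 0x01, 0x02],
]

def mix_column_matrix(col):
    """mix-cols as a matrix product: b_i = XOR_j MIX_MATRIX[i][j] * a_j in GF(2^8)."""
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for coef, a in zip(row, col):
            acc ^= gf_mul(coef, a)
        out.append(acc)
    return out

# c(x) = {03}x^3 + {01}x^2 + {01}x + {02}, stored lowest-degree coefficient first.
C_X = [0x02, 0x01, 0x01, 0x03]

def poly_mul_mod_x4_plus_1(p, q):
    """Multiply two polynomials of degree < 4 with GF(2^8) coefficients modulo x^4 + 1.
    Since x^4 = 1 in the quotient ring, the x^i coefficient of the product collects
    every term p_j * q_k with j + k = i (mod 4): the indices wrap around."""
    out = [0, 0, 0, 0]
    for j, pj in enumerate(p):
        for k, qk in enumerate(q):
            out[(j + k) % 4] ^= gf_mul(pj, qk)
    return out

def mix_column_poly(col):
    """mix-cols as b(x) = c(x) * a(x) mod (x^4 + 1), with a(x) = a_3 x^3 + ... + a_0, a_i = col[i]."""
    return poly_mul_mod_x4_plus_1(C_X, list(col))

def methods_agree(num_random=2000, seed=2260):
    """Problem 2.5 checked empirically: both descriptions agree on a few fixed
    constructed columns and on num_random random ones (constructed inputs)."""
    rng = random.Random(seed)
    columns = [[0xDB, 0x13, 0x53, 0x45], [0, 0, 0, 0], [1, 1, 1, 1], [0xFF] * 4]
    columns += [[rng.randrange(256) for _ in range(4)] for _ in range(num_random)]
    return all(mix_column_matrix(c) == mix_column_poly(c) for c in columns)

if __name__ == "__main__":
    print(f"{{e1}} . {{05}} = {{{gf_mul(0xE1, 0x05):02x}}}")          # Problem 2.4
    print("matrix and polynomial mix-cols agree:", methods_agree())   # Problem 2.5
```

Why the two descriptions coincide: writing out poly_mul_mod_x4_plus_1 with p = C_X gives b_0 = c_0 a_0 + c_3 a_1 + c_2 a_2 + c_1 a_3 = {02}a_0 + {03}a_1 + {01}a_2 + {01}a_3, which is exactly the first row of MIX_MATRIX, and the other three coefficients are the same row rotated, which is what the circulant matrix encodes. The empirical check is a sanity test of that argument, not a substitute for it. For Problem 2.4, {e1} · {05} = {e1} · x^2 + {e1} = {a9} xor {e1} = {48}.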
