Block Ciphers

Block Ciphers: Past and Present

Mohammad Dakhilalian
http://www.dakhilalian.iut.ac.ir
Isfahan University of Technology (IUT)
Electrical and Computer Engineering Department
Cryptography and System Security Research Laboratory (CSSRL)
ISCISC 2013, August 2013 (8/30/2013)

Outline

• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

Outline

• Block ciphers review
    • History of cryptography
    • Schemes of the block ciphers
    • Challenges & attacks
    • Standardized block ciphers
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

History of cryptography

• Classical crypto: The earliest known use of cryptography is about 1900 BC
• Medieval crypto: 800-1800 AD
• Crypto from 1800 to WWII
• Modern crypto

Crypto can be seen everywhere

History of cryptography

Information Theory (1948-9), Claude Elwood Shannon
"A Mathematical Theory of Communication"
"Communication Theory of Secrecy Systems"

• Diffusion
• Confusion
• Product cipher

Symmetric key ciphers

• Block ciphers
• Stream ciphers

Block cipher schemes

• SPN scheme (AES, SERPENT)
• Feistel scheme (DES, Camellia)
• Lai-Massey scheme (IDEA)

[Figure: scheme diagrams with labels x, S, P, y]

Evaluation of block ciphers

• Level of security
• Ease of implementation (low-cost, low power)
• Performance (throughput)

[Figure: diagram relating Security, Low-cost, Throughput and Low-power]

When is a block cipher secure?

Answer: when these two black boxes are indistinguishable

[Figure: two black boxes, one computing E_k(x) from input x under key k, the other computing π(x) from input x]

Attacks efficiency

• Data complexity
• Memory complexity
• Time (computation) complexity

Kerckhoffs' Principle

The security of an encryption system must depend only on the key, not on the secrecy of the algorithm.

Cryptanalysis

Types of cryptanalytic attacks:
1. Ciphertext-only
2. Known-plaintext
3. Chosen-plaintext
4. Adaptive-chosen-plaintext attack
5. Chosen-ciphertext attack
6. Chosen-key
7. Rubber-hose

Generic attacks

• Dictionary attack
• Codebook attack
• Exhaustive key search (brute force search)
• Time-memory-data trade-off

Shortcut attacks

• Linear cryptanalysis
• Differential cryptanalysis
• Differential-Linear Cryptanalysis
• Impossible differential attack
• Slide attack
• Related key attack
• Boomerang attack
• Higher order differentials cryptanalysis
• Interpolation attack
• Algebraic attack

Real and academic attacks

• Real attack: Block cipher can be broken in practice
    • Example: Brute force attack on DES
• Academic attack: Block cipher behaves suboptimally
    • Example: Biclique attack on AES with a computational complexity of 2^126.2

Outline

• Block ciphers review
• Cryptographic events
    • AES
    • NESSIE
    • CRYPTREC
    • ECRYPT
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

AES (1997–2000)

Advanced Encryption Standard – By National Institute of Standards and Technology of the United States (NIST)

The algorithms were all to be block ciphers, supporting a block size of 128 bits and key sizes of 128, 192, and 256 bits.

Submitted block ciphers
• CAST-256
• CRYPTON
• DEAL
• DFC
• E2
• FROG
• HPC
• LOKI97
• MAGENTA
• MARS
• RC6
• Rijndael
• SAFER+
• Serpent
• Twofish

AES finalists (in order of score)
• Rijndael
• Serpent
• Twofish
• RC6
• MARS

AES winner
• Rijndael

On November 26, 2001, NIST announced that AES was approved as FIPS PUB 197.

AES competition

AES finalists (in order of score)
• Rijndael: 86 positive, 10 negative (the winner)
• Serpent: 59 positive, 7 negative
• Twofish: 31 positive, 21 negative
• RC6: 23 positive, 37 negative
• MARS: 13 positive, 84 negative

NESSIE Project (2000–2003)

New European Schemes for Signatures, Integrity and Encryption

Submitted block ciphers
• 64-bit block ciphers
    • CS-Cipher
    • Hierocrypt-L1 (revised September 2001)
    • IDEA
    • Khazad
    • MISTY1
    • Nimbus
• 128-bit block ciphers
    • Anubis
    • Camellia
    • Grand Cru
    • Hierocrypt-3
    • Noekeon
    • Q
    • SC2000
• 160-bit block ciphers
    • SHACAL
• Variable length block ciphers
    • NUSH: 64, 128, and 256-bit
    • RC6: at least 128-bit
    • SAFER++: 64 and 128-bit

Submissions selected for 2nd Phase
• IDEA, MISTY1, SAFER++, RC6: no modifications
• Khazad
• Camellia
• SHACAL-1 and SHACAL-2

Finally selected algorithms
• MISTY1: Mitsubishi Electric Corp., Japan.
• Camellia: Nippon Telegraph and Telephone Corp., Japan and Mitsubishi Electric Corp., Japan.
• SHACAL-2: Gemplus, France.
• AES (Advanced Encryption Standard)* (USA FIPS 197).

AES competition

Algorithm | Structure | Block size | Key size    | Round #  | Year
Rijndael  | SPN       | 128        | 128-192-256 | 10-12-14 | 1998
Serpent   | SPN       | 128        | 128-192-256 | 32       | 1998
Twofish   | Feistel   | 128        | 128-192-256 | 16       | 1998
RC6       | Feistel   | 128        | 128-192-256 | 20       | 1998
MARS      | Feistel   | 128        | 128-192-256 | 32       | 1998

CRYPTREC (2000–2003)

CRYPTography Research and Evaluation Committees

Considered block ciphers

Not submitted to CRYPTREC
• 64-bit block ciphers
    • DES
    • Triple DES
    • RC2
• 128-bit block ciphers
    • AES
    • SEED

Submitted to CRYPTREC
• 64-bit block ciphers
    • Hierocrypt-L1
    • MISTY1
    • CIPHERUNICORN-E
• 128-bit block ciphers
    • Camellia
    • CIPHERUNICORN-A
    • Hierocrypt-3
    • RC6 (withdrawn)
    • SC2000

Recommended techniques
• 64-bit block ciphers
    • CIPHERUNICORN-E
    • Hierocrypt-L1
    • MISTY1
    • 3-key Triple DES
• 128-bit block ciphers
    • AES
    • Camellia
    • CIPHERUNICORN-A
    • Hierocrypt-3
    • SC2000

128-bit block ciphers are preferred

NESSIE Project

The selected algorithms:

Algorithm | Round #         | Key size    | Block size | Structure                   | Year
Misty1    | 8 (recommended) | 128         | 64         | Feistel                     | 1995
Camellia  | 18 or 24        | 128,192,256 | 128        | Feistel                     | 2000
AES       | 10,12,14        | 128,192,256 | 128        | SPN                         | 1998
SHACAL2   | 64              | 128 to 512  | 256        | Cryptographic Hash function | 2001

All six stream ciphers submitted to the NESSIE project failed

ECRYPT (2004–2008)

European Network of Excellence in Cryptology – Led by Katholieke Universiteit Leuven (KUL)

Considered block ciphers
• 64-bit block ciphers
    • DES (56-bit key length)
        • Widespread deployment, e.g. RFC 2406 (IPsec), RFC 2246 (TLS)
        • Key length inadequate for current use
    • 3DES (112-bit and 168-bit key length)
        • Widespread deployment, e.g. 112-bit 3DES widely used in financial applications, 168-bit 3DES featured within IPsec, SSL/TLS
        • For 168-bit key, the attack complexity can be reduced down to 2^112 operations.
        • For 168-bit key, the attack complexity reduces to 2^(120-t) operations if 2^t plaintext/ciphertext pairs are available.
    • Kasumi as a variant of MISTY-1 (128-bit key length)
        • Deployed by Universal Mobile Telecommunications System (UMTS)
        • No security issue
    • Blowfish (32 to 448-bit key length)
        • Popular in IPsec configurations.
        • No security issue
• 128-bit block ciphers
    • AES (128-bit, 192-bit and 256-bit key length)
        • Widespread deployment, included in TLS, S/MIME, IPsec, IEEE 802.11i
        • No security issue
    • Camellia (If a backup algorithm is desired)

CRYPTREC recommended ciphers (latest report 2013)

Category             | Cipher           | Specification
64-bit block cipher  | 3-key Triple DES | NIST SP 800-67 Revision 1 (January 2012)
128-bit block cipher | AES              | NIST FIPS PUB 197
128-bit block cipher | Camellia         | Algorithm specifications of 128-bits block cipher Camellia (2nd version: September 26, 2001)
Stream cipher        | KCipher-2        | Stream Cipher KCipher-2 (February 1, 2010)

ECRYPT II (2008–2013)

European Network of Excellence in Cryptology – Led by Katholieke Universiteit Leuven (KUL)

In August 2008 the network started another 4-year phase as ECRYPT II.

The activities of the ECRYPT II Network of Excellence are organized into three virtual laboratories established as follows:
1. Symmetric techniques virtual lab (SymLab)
2. Secure and efficient implementations virtual lab (VAMPIRE)
3. Multi-party and asymmetric algorithms virtual lab (MAYA)

Each virtual lab within the ECRYPT Network of Excellence aims to promote and facilitate cryptographic research on a pan-European level.

Outline

• Block ciphers review
• Cryptographic events
• Standardized block ciphers
• Lightweight block ciphers
• On practical security of block ciphers
• Summary

Standardized block ciphers

• Sufficient security
• Efficient implementation on hardware or software
• Extent of the application
• Positive comments

Standardized block ciphers

ISO/IEC JTC 1 is Joint Technical Committee 1 of ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission), which was formed in 1987.

• Its purpose as a technical committee is to develop, maintain, promote, and facilitate standards in the fields of IT and ICT
• The general scope of ISO/IEC JTC 1 is "International standardization in the field of Information Technology"
• The security of IT systems and information is one of the main scopes of ISO/IEC JTC 1, which is the working area of its Subcommittee 27.

The block cipher has been approved for use by the ISO/IEC JTC 1/SC 27 Information Technology - Security Techniques
• STANDARD ISO/IEC 18033-3:2010 - Encryption algorithms (standard has been reviewed and then confirmed
