Block Ciphers: DES, AES Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04 Textbook: —Cryptography: Theory and Applications“, Douglas Stinson, Chapman & Hall/CRC Press, 2002 Reading: Chapter 3 Outline n Substitution-Permutation Networks n Linear Cryptanalysis n Differential Cryptanalysis n DES n AES n Modes of Operation CSG252 Classical Cryptography 2 Block Ciphers n Typical design approach: n Product cipher: substitutions and permutations n Leading to a non-idempotent cipher n Iteration: n Nr: number of rounds → 1 2 Nr n Key schedule: k k , k , …, k , n Subkeys derived according to publicly known algorithm i n w : state n Round function r r-1 r n w = g(w , k ) 0 n w : plaintext x n Required property of g: ? n Encryption and Decryption sequence CSG252 Classical Cryptography 3 1 SPN: Substitution Permutation Networks n SPN: special type of iterated cipher (w/ small change) n Block length: l x m n x = x(1) || x(2) || … || x(m) n x(i) = (x(i-1)l+1, …, xil) n Components: π l → l n Substitution cipher s: {0, 1} {0, 1} π → n Permutation cipher (S-box) P: {1, …, lm} {1, …, lm} n Outline: n Iterate Nr times: m substitutions; 1 permutation; ⊕ sub-key; n Definition of SPN cryptosytems: n P = ?; C = ?; K ⊆ ?; n Algorithm: n Designed to allow decryption using the same algorithm n What are the parameters of the decryption algorithm? CSG252 Classical Cryptography 4 SPN: Example n l = m = 4; Nr = 4; n Key schedule: n k: (k1, …, k32) 32 bits r n k : (k4r-3, …, k4r+12) z 0 1 2 3 4 5 6 7 8 9 A B C D E F π S(z) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7 z 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 π P(z) 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16 n K = 0011 1010 1001 0100 1101 0110 0011 1111 n x = 0010 0110 1011 0111 n y = 1011 1100 1101 0110 CSG252 Classical Cryptography 5 Linear Cryptanalysis n Assumption: n Assume there exists a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the last substitution n Attacker has a large amount of plaintext-ciphertext encrypted using the same key n Principle: n Consider a set of potential sub-keys, whenever a sub- key verifies the linear relation, increment its counter n The sub-key best matching probability could contain the correct values of key bits CSG252 Classical Cryptography 6 2 Piling-up Lemma n Given: n X1, X2, … independent random variables ≤ ≤ n Pr[Xi=0] = pi ; Pr[Xi=1] = 1-pi; 0 pi 1 ε n Let i = pi - ² denote the bias of the distribution n Piling-up Lemma: ε ⊕ ⊕ n Let i1,i2,…,ik denote the bias of the random variable Xi1 Xi2 … ⊕ k Xik. Then: ε = k −1 ε i1,i2,...,ik 2 ∏ ij j=1 n Corollary: ε ε n If ij= 0 for one variable i1,i2,…,ik =0 CSG252 Classical Cryptography 7 Linear Approximations of S-boxes n S-box: Π m → n n S: {0, 1} {0, 1} n Input: n X = (x1, …, xm) n Each coordinate defines a random variable Xi with bias 0 n Variables Xis are independent n Output: n Y = (y1, …, yn) n Variables Yis are not independent from each other and Xis ≠ Π n If (y1, …, yn) S(x1, …, xm) Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? Π n If (y1, …, yn) = S(x1, …, xm) Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? ⊕ ⊕ ⊕ ⊕ ⊕ n Therefore: one can compute the bias of: Xi1 … Xik Yj1 … Yjl CSG252 Classical Cryptography 8 Example Π S Table X1 X2 X3 X4 Y1 Y2 Y3 Y4 ⊕ ⊕ 0 0 0 0 1 1 1 0 • Pr[X1 X4 Y2=0]= ? ⊕ ⊕ ⊕ 0 0 0 1 0 1 0 0 • Pr[X3 X4 Y1 Y4=0]= ? 0 0 1 0 1 1 0 1 • In general one computes the 0 0 1 1 0 0 0 1 biases for all possible subsets: 0 1 0 0 0 0 1 0 4 4 0 1 0 1 1 1 1 1 ⊕ ⊕ ⊕ 0 1 1 0 1 0 1 1 ( ai X i ) ( biYi ) i=1 i=1 0 1 1 1 1 0 0 0 • Derive a table (a, b) Number of 1 0 0 0 0 0 1 1 1 0 0 1 1 0 1 0 times we get a 0: NL(a, b) Entry for a=3, b=9: 2 1 0 1 0 0 1 1 0 ε 1 0 1 1 1 1 0 0 Bias (a, b) = (NL(a, b)-8)/16 1 1 0 0 0 1 0 1 1 1 0 1 1 0 0 1 NL(3, 9) = 2 1 1 1 0 0 0 0 0 NL(2, E) = 2 1 1 1 1 0 1 1 1 CSG252 Classical Cryptography 9 3 Linear Attack on SPN n Approach: n Find a set of linear approximations of S-boxes that can be used to derive a linear approximation of the SPN (excluding the last round) n Derive the bias value using pilling-up lemma n This linear approximation depends on some subset of the key bits n For each possible pair (plaintext, ciphertext), and each key increment the counter of the subkey if the approximation equation gives a 0 n Hopefully the correct value for sub-keys will have the expected bias CSG252 Classical Cryptography 10 Example n Approximation equations: = 1 ⊕ 1 ⊕ 1 ⊕ 1 T1 U5 U 7 U8 V6 n T1 has bias ³ = 2 ⊕ 2 ⊕ 2 n T2 has bias -³ T2 U6 V6 V8 n T3 has bias -³ = 3 ⊕ 3 ⊕ 3 T3 U6 V6 V8 n T has bias -1/4 4 = 3 ⊕ 3 ⊕ 3 T4 U14 V14 V16 n If T1, T2, T3, T4, were independentthen the bias of ⊕ ⊕ ⊕ n T1 T2 T3 T4 would be -1/32 n We will make this non-rigorous approximations, because it seems to work in practice ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 1 ⊕ 1 n T1 T2 T3 T4 = X5 X7 X8 V 6 V 8 V 14 V 16 K 5 K 7 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ K 8 K 6 K 6 K 14 = X5 X7 X8 U 6 U 14 U 8 U 16 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16 CSG252 Classical Cryptography 11 x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y 4 Example (Cont.) n If the key bits in: 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16 are fixed n Then the random variable: ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ± n X5 X7 X8 U 6 U 14 U 8 U 16 has bias 1/32 n This allows us to derive 8 bits for last subkey: 5 5 n K (2) and K (2) n Outline of alg: 5 5 n Build a table for all possible 256 values of K (2) and K (4) n For each (x, y) pair of plaintext and ciphertext; for each candidate subkey: u4 u4 n Obtain the values of (2) and (4) by decrypting y ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n Compute x5 x7 x8 u 6 u 14 u 8 u 16 5 5 n If equal 0 : increment counter of corresponding K (2) and K (2) 5 n The table entry that has bias close to 1/32 is the right value for K (2) 5 and K (2) CSG252 Classical Cryptography 13 Requirements for Linear Cryptanalysis n A bias of ε requires: -2 n T = cε pairs of plaintext-ciphertext n For the previous example T = 8000 was usually successful c ≈ 8 CSG252 Classical Cryptography 14 Differential Cryptanalysis n Similar to Linear Cryptanalysis: n Compares the x-or of two inputs to the x-or of the corresponding two outputs: x‘ = x⊕x* and y‘ = y⊕y* n Adversary has a large number of chosen plaintext tuples (x, x*, y, y*) s.t. x‘ is fixed n Approach: n For each candidate key: decrypt y, and y* n For each candidate key: compute the values of certain state bits n If the state bits match the most likely value for the input x-or then increment the candidate key counter n Proposed Encryption Standard (PES) which is the original proposal for the International Data Encryption Standard (IDEA used in PGP) was modified to resist to this kind of attacks n GSM A3 algorithm is sensitive to this kind of attacks n SIM card secret key can be recovred=> GSM cloning CSG252 Classical Cryptography 15 5 Differential Cryptanalysis n ∆(x‘) = {(x, x⊕x‘) : x ∈ {0, 1}m } ∈ ∆ Π ⊕ Π n ND(x‘, y‘) = |{ (x, x*) (x‘) : S(x) S(x*) = y‘}| n Similarly to Linear cryptanalysis build the table: N (a, b) D N (a',b') n Define propagation ratio: R (a',b') = D p 2m n Differential Trail: n Is multi-round combination n Permutations and key XORs do not impact the differential n Sub-key recovery and filtering n Example: n Rp(1011, 0010) = ²; Rp(0100, 0110) = 3/8; Rp(0010, 0101) = 3/8; Rp(0010, 0101) = 3/8 n Propagation ratio of differential trail: 27/1024 n Complete attack requires between 50 and 100 tuples to find sub-key CSG252 Classical Cryptography 16 x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y Today‘s Block Encryption Algorithms n Key size: n Two short => easy to guess n Block size: n Two short easy to build a table by the attacker: (plaintext, ciphertext) n Reasonable size: 64 bits n Properties: n One-to-one mapping n Mapping should look random to someone who doesn‘t have the key n Efficient to compute/reverse n How? n Substitution (small chunks) & permutation (long chunks) n Multiple rounds CSG252 Classical Cryptography 18 6 Data Encryption Standard (DES) n Developed by IBM for the US government n Based on Lucifer (64-bits, 128-bits key in 1971) n To respond to the National Bureau of Standards CFP (now called NIST) n Modified characteristics (with help from NSA): n 64-bits block size, 56 bits key length n Concerns about trapdoors, key size, sbox structure n Adopted in 1977 as the DES (FIPS PUB 46, ANSI X3.92) and reaffirmed in 1994 for 5 more years n Today replaced by AES CSG252 Classical Cryptography 19 Plaintext: 64 IP 32 32 L 0 R0 48 f K1 Feistel Cipher: L1 = R0 R = L ⊕ f(R , K ) 1 0 0 1 Li = Ri-1 ⊕ Ri = Li-1 f(Ri-1, Ki) f K2 ⊕ L2 = R1 R2 = L1 f(R1, K2) ⊕ L15 = R14 R15 = L14 f(R14, K15) f K16 ⊕ L = R R16 = L15 f(R15, K16) 16 15 IP-1 Ciphertext Feistel Cipher n Function f does not have to be injective! n Li = Ri-1 ⊕ n Ri = Li-1 f(Ri-1, Ki) n How can we invert one round? CSG252 Classical Cryptography 21 7 One DES Round Key (56 bits) 28 28 L Shift Shift i-1 Ri-1 32 32 Compression Permutation Expansion Permutation 48 48 S-Box Substitution P-Box Permutation Key (56 bits) ⊕ Li = Ri-1 Ri = Li-1 f(Ri-1, Ki) CSG252 Classical Cryptography 22 S-Box Substitution 48-Bit Input S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 6 S-Box 7 S-Box 8 32-Bit Output n S-Box heart of DES security n S-Box: 4x16 entry table n Input 6 bits: b1b2b3b4b5b6 n 2 bits (b1b6): determine the table row (1-4) n 4 bits (b2b3b4b5): determine the table entry n Output: 4 bits n Example: S1(101000) = 1101 n S-Boxes are optimized against Differential cryptanalysis CSG252 Classical Cryptography 23 Double/Triple DES K1 K2 n Double DES P X C E E n Vulnerable to Meet-in-the- Middle Attack [DH77] K2 K1 C X P D D K1 K2 K1 n Triple DES P A B C E D E n Used two keys K1 and K2 n Compatible with simple DES K1 K2 K1 (K1=K2) C A B E D E D n Used in ISO 8732, PEM CSG252 Classical Cryptography 24 8 DES Linear/Differential Cryptanalysis n Differential cryptanalysis n —Rediscovered“ by E.