Lecture 3 - Intro to Modern Cryptography

advertisement
Lecture 3: Block Ciphers
Introduction to Modern Cryptography1
Benny Applebaum
Tel-Aviv University
Fall Semester, 2011–12
1
These slides are based on Benny Chor’s slides.
Different Approach for Encrypting (Ideal Cipher)
• Suppose that Alice and Bob share a truly random function
R : {0, 1}n → {0, 1}n .
I
R
For each input x ∈ {0, 1}n choose R(x) ← {0, 1}n .
• How can we encrypt? Encrypt a message m by R(m).
• Decryption?
• Let’s further assume that R is invertible, or even a permutation,
hence R−1 : {0, 1}n → {0, 1}n is used for decryption.
• Security?
• Claim: Even if (computationally unbounded) adversary saw
encryptions of many messages (m1 , c1 ) . . . , (mt , ct ), she has no
“information” on R(m) for a new message m.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
2 / 39
Computational analogue?
Problem
Alice and Bob can’t share a random function (too expensive), but
can we imitate the above in a computational setting?
Idea
Choose a “pseudorandom” function Fk from a small family of
functions
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
3 / 39
Keyed Functions (PRF) and Permutations (PRP)
• Let F : {0, 1}n × {0, 1}n → {0, 1}n be an efficiently computable
function.
• F has two arguments. The first one is called the key.
• We will use the notation Fk (x) = y, where k is the key.
• We view F as a collection of functions Fk one for each key k.
• F is a collection of permutation if for every key k, Fk is a
permutation of {0, 1}n .
• Typically, assume that Fk−1 is also efficiently computable.
• The function should be pseudorandom it is infeasible to
distinguish between the truly and pseudo random.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
4 / 39
Pseudorandom Functions (GoldreichGoldwasserMicali84)
Given a black-box access to the function, it’s infeasible to distinguish
random function from pseudorandom function.
PRF
Random Function
R
≈
Let k ← {0, 1}n
Choose random function
R : {0, 1}n → {0, 1}n
Given x output y = Fk (x)
Given x output y = R(x)
t-bounded Adversary can’t distinguish with probability better than .
The adversary can make up to t queries to the function
E.g., t = 2100 and = 2−40 .
How many functions are there in the PRF collection? How many
are there in the random collection?
Thm: PRG =⇒ PRF =⇒ PRP
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
5 / 39
PRPs in Practice: Block Ciphers
• Encrypt a block of input to a block of output (typically of the
same length).
• A block cipher is a concrete implementation of keyed pseudo
random permutations, with concrete block sizes. Typically
n = 64 (DES) or n = 128 (AES).
• Actual lengths of key and blocks may sometimes differ (slightly).
Q: How to encrypt longer messages?
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
6 / 39
Block Ciphers: Modes of Operation
• Different modes exist for encrypting plaintext longer than one
block.
• Simplest mode is to encrypt each plaintext block separately.
• This is known as ECB mode encryption (Electronic Code Book).
• Is this secure ?
• Is the encryption of any pair of messages is indistinguishable ?
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
7 / 39
Block Ciphers: Modes of Operation
• If two plaintext blocks are equal, the corresponding ciphertext
blocks will also be equal.
• This violates our notion of security.
• Two plausible approaches to prevent this phenomena are
(a) Randomization (e.g. random padding of plaintext blocks).
(b) Introducing state.
• Most existing modes employ state.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
8 / 39
Block Ciphers: CBC Mode Encryption
In CBC mode (Cipher Block Chaining), previous ciphertext is XORed
with current plaintext before encrypting current block.
An initialization vector, S0 , is used as a seed for the process. This
seed can be openly transmitted but should not be repeated (why?).
• State is last ciphertext.
• CBC is self synchronizing.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
9 / 39
Properties of CBC
• Asynchronous block/stream cipher.
• Errors in one ciphertext block propagate one block.
• Seems inherently sequential – no parallel implementation known.
• Standard in most systems: SSL, IPSec, etc.
Security: It is proved that if E is a pseudo random permutation, then
CBC is resistant to chosen plaintext attacks (CPA-secure).
• Adversary can’t distinguish Ek (m) from Ek (m0 ) even after
seeing many plaintext/ciphertext pairs (mi , Ek (mi )).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
10 / 39
Additional Mode: OFB (Output Feedback)
An initialization vector S0 is use as a “seed’ for a sequence of
psuedo random blocks S1 , S2 , . . ..
Each Si is XORed with the i-th plaintext block Pi to produce
the i-th ciphertext block Ci .
It is important to use a new seed for each message. Does the
seed have to be random?
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
11 / 39
Properties of OFB
• Synchronous block/stream cipher.
• Errors in one ciphertext block do not propagate.
• Seems inherently sequential – no parallel implementation known.
• Can be batch preprocessed (on both ends).
Security: It is proved that if E is a pseudo random permutation, then
CBC is resistant to chosen plaintext attacks.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
12 / 39
Block Ciphers: Design Principles
Want:
• Confusion – making the relationship between the key and the
ciphertext as complex and involved as possible (Shannon, 1949).
• Diffusion – minor modification of the key/input bits results in
large changes in the output. Therefore, redundancy in the
statistics of the plaintext should be ”dissipated” in the statistics
of the ciphertext.
• Non-linearity.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
13 / 39
Block Ciphers: Components
Idea: Combine simple building blocks (components).
Iterate each component possibly with different parts of key, to
generate a (hopefully) strong cipher.
Components may include:
• Bit-shuffling (“permutation boxes”) creates confusion.
• Simple non-linear functions (“substitution boxes”) Creates
diffusion and non-linearity.
• Key mixing: Linear (mod 2) mixing, by XORing sub-key at
beginning of each iteration. Sub-keys are derived via “key
schedule”.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
14 / 39
Block Ciphers: Properties
• High speed.
• Fixed block size (typically 64, 128, 256 bits).
• Ciphertext is a non-linear function of key and message bits.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
15 / 39
How to ensure invertibility?
• Make sure that all components are invertible (AES).
• Use Feistel network (DES)
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
16 / 39
Feistel Networks: Important Building Block in DES
(From http://www.theamazingking.com/crypto-block.html)
Encryption (and decryption) is done by identical iterations, or rounds.
Here we consider the i-th round.
• The input to this round consists of the previous output,
P = Li−1 |Ri−1 , where Li−1 , Ri−1 are of the same length.
• Ri =Li−1 (shifted, unchanged, to the right side of the output).
L
• Ri =Li−1 f (Ri−1 , Ki ), where Ki is the key (portion) for
round i.
• f should be a keyed function that is at least mildly hard to
invert. It need not be a permutation.
• How is decryption done?
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
17 / 39
Feistel Networks - Properties
• No matter which function is used as f , we obtain a permutation
(namely F is reversible even if f is not).
• The same code/circuit, with keys deployed in reverse order, can
be used for decryption.
• Important Theoretical Result: If f is a pseudo-random function
then four rounds of Feistel network yield a pseudo-random
permutation (Luby and Rackoff, 1988).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
18 / 39
DES – Historic Note
The DES (data encryption standard) is a block cipher, using 64 bit
blocks and a 56 bit key. Has 16 round Feistel network, where each
round key is a 48 bit subset of the complete key. See Eli Biham’s
slides for more details.
Developed at IBM, it was approved by the US goverment (in 1976)
as a standard. Size of key (56 bit) was apparently small enough to
allow the mighty NSA (US national security agency) to break it
exhaustively even back in 70s.
Throughput is 10Mb/sec in software, and 1Gb/sec in hardware (back
in 1991!).
Criticized for unpublished design decisions (designers did not want to
disclose differential cryptanalysis, which they discovered).
In the 90s it became clear that DES is too weak for contemporary
hardware & algorithmics. (Best attack, Matsui linear attack, requires
only ≈ 241 known plaintext/ciphertext pairs.)
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
19 / 39
AES – Historic Note
The US government NIST (national inst. of standards and
technology) announced a call for an advanced encryption standard in
1997.
This was an international open competition. Overall, nine proposals
were made and evaluated, and five were finalists. Out of those, a
proposal named Rijndael, by Daemen and Rijmen (two Belgians) was
chosen in February 2001.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
20 / 39
AES - Advanced Encryption Standard
• Symmetric block cipher.
• Key lengthes: 128, 192, or 256 bits.
• Approved US standard (2001).
• Resistant to all known attacks.
• Very fast.
• Compact code.
• Simple (kind of).
See animation.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
21 / 39
AES Encryption/Decryption: Carried out in Ten Rounds
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
22 / 39
AES Specifications: State
• Input & output block length: 128 bits.
• State: 128 bits, arranged in a 4-by-4 matrix of bytes.
• Each byte is viewed as an element in GF (28 ).
S0,0
S1,0
S2,0
S3,0
Benny Applebaum (Tel-Aviv University)
S0,1
S1,1
S2,1
S3,1
S0,2
S1,2
S2,2
S3,2
S0,3
S1,3
S2,3
S3,3
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
23 / 39
Rounds in AES
128 bits AES uses 10 rounds. These are not Feistel rounds.
• The secret key is expanded from 128 bits to 10 round keys, 128
bits each.
• Each round changes the state, then XORS the round key.
Each rounds complicates things a little. Overall it seems infeasible to
invert without the secret key (but easy given the key).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
24 / 39
AES Specifications: One Round
Transform the state by applying:
1
Substitution.
2
Shift rows.
3
Mix columns.
4
XOR round key
S0,0
S1,0
S2,0
S3,0
S0,1
S1,1
S2,1
S3,1
S0,2
S1,2
S2,2
S3,2
S0,3
S1,3
S2,3
S3,3
−1
1) Substitution operates on every byte separately: Si,j ← Si,j
8
(multiplicative inverse in GF (2 ), which is highly non-linear).
If Si,j = 0, dont change it.
Clearly, the substitution is invertible.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
25 / 39
Cyclic Shift inside Rows
S0,0
S1,3
S2,2
S3,1
S0,1
S1,0
S2,3
S3,2
S0,2 S0,3
S1,1 S1,2
S2,0 S2,1
S3,3 S3,0
(no shift)
(shift one position)
(shift two positions)
(shift three positions)
Clearly, the shift is invertible.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
26 / 39
Mix Columns
MixCol maps the state to a new one.
It multiplies each column of state by the polynomial c(x)
mod x4 + 1, where c(x) = 0x03 · x3 + 0x01 · x2 + 0x01 · x + 0x02.
Specifically, for the first column,
0 · x3 + S 0 · x2 + S 0 x + S 0 = (0x03 · x3 + 0x01 · x2 + 0x01 ·
S0,0
1,0
2,0
3,0
x + 0x02) · (S0,0 x3 + S1,0 · x2 + S2,0 · x + S3,0 ) mod x4 + 1.
The inverse operation is InvMixCol: It multiplies each column of
state by the polynomial d(x) mod x4 + 1, where
d(x) = 0x0b · x3 + 0x0d · x2 + 0x09 · x + 0x0e.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
27 / 39
Mix Columns – Clarifications
Comment: All these coefficients from c(x) and d(x) (0x03, 0x01,
0x02, 0x0b, 0x0d,0x09, 0x0e) are hexadecimal constants from
GF (28 ) (which are low degree polynomials, e.g. 0x0e in hex is 14 in
decimal, 1110 in binary, and x3 + x2 + x as a polynomial).
Comment 2: These c(x) and d(x) correspond to the first (left most)
column. The other columns have different but similar
coefficients/polynomials. See next slide.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
28 / 39
Mix Columns, the Movie
(taken from a presentation by William Stallings, drawing by Lawrie Brown)
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
29 / 39
More AES
• Expanding key to round keys is not too complicated either, but
is not discussed here.
• Round key bits are xored with the state, to produce new state
(figure from Wikipedia).
• See original document at www.daimi.au.dk/∼ivan/rijndael.pdf.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
30 / 39
AES, Famous Last Words
• AES comes in 3 flavors:
• 128 bits key, 10 rounds (most common).
• 192 bits key, 12 rounds.
• 156 bits key, 14 rounds.
• The NSA certified the use of 128 bit AES for Secret documents,
and both 192 bit and 256 bit AES for Top Secret.
• Attacks against 2 rounds AES are known.
• Attack against 6 round 128 bits AES using 6 · 232 chosen
plaintexts and 244 encryption operations. (Ferguson et al.,
2000).
• But for full, 10 round 128 bit key AES, this is considered
infeasible and breaking AES efficiently an open problem.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
31 / 39
Strengthening a Given Block Cipher
A block cipher, like DES, is initially considered secure. It gains wide
usage, but as time passes, it is realized that due to
technological/algorithmic advances some attacks becomes feasible
As the security chief of a large company, what do you do?
1
Switch to a fancy new block cipher (may be too expensive, e.g.
if the cipher is physically embedded in all bank ATM machines).
2
Find ways to use the existing cipher with enhanced security
(great idea, but how?).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
32 / 39
Iterated Ciphers
Formally,
1
2
Let Ek is a block-cipher with block size and key size of n-bits.
Key can be found in time O(2n ) given O(1) plaintext/ciphertext
pairs.
3
Problem: Due to technological advances this becomes feasible
(i.e., via a special purpose hardware).
4
Idea: Double-encryption. Instead of using a single key, k, use
two keys, k1 , k2 .
Hope: Complexity of exhaustive attack grow from O(2n ) to O(22n ),
giving us another decade or two of tight sleep :-)
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
33 / 39
Double Cipher
If encryption is closed under composition, we gain nothing.
That is, if for all k1 , k2 there is k3 such that (Ek2 (Ek1 (x))) = Ek3 (x),
then we could just exhaustively search for such k3 .
• Substitution ciphers certainly posses this property. In fact they
constitute a permutation group, hence closed under composition.
• It was suspected that DES also acts as a group (or is almost
one) under composition. Quite a lot of research was devoted to
this question, and it was refuted only in 1992.
• Notice that if an encryption scheme is closed under composition,
then not only double iteration, but any fixed number of
iterations are useless.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
34 / 39
Meet in the Middle Attack
Goal: Recover the two keys k1 , k2 .
1
2
Ask for a pair of plaintext/ciphertext (x, y) for the new scheme,
i.e., Ek2 (Ek1 )(x) = y.
Find all candidates (k, k 0 ) for which Ek (x) = Dk0 (y).
I
3
How many such pairs exist? O(2n ) in expectation see blackboard
Use another plaintext/ciphertext pair (x0 , y 0 ) to filter out
inconsistent candidates. Whp, only the right key survives. (If
not, use another pair).
Q: How can we implement Step 2 in time O(n2n ) and space O(2n )?
A: For each key k store Ek (x) in list L1 and store Dk (y) in L2 , sort
lists in time O(n2n ) and find intersection in time O(2n ).
Can you improve to O(2n )?
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
35 / 39
Meet in the Middle Attack: Performance
Time: O(n2n ) (sorting a 2n long list).
Space: Must store O(2n ) pairs.
Compare this to exhaustive search over the space of a single key:
Time: O(2n ).
Space: Must store just O(1) pairs.
Conclusion: Double cipher (two iterations) does not add much to
security (though it adds some, esp. if fast memory is expensive).
Let us then move to triple cipher (three iterations).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
36 / 39
Triple Cipher
• The first version utilizes three independent keys k1 , k2 , k3 . The
second, just two – k1 , k2 .
• The ”middle box” employs decryption rather than encryption.
This results in backward compatibility: Taking k1 , k2 , k3 =k, this
is identical to a single encryption using k.
• When the key is unknown, decryption (should) also be a pseudo
random function, so using Dk2 does not reduce security.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
37 / 39
Triple Cipher / Triple DES
• Both versions are susceptible to a meet in the middle attack,
albeit one that uses a list of size 22n (where n is length of keys).
This is the best attack known for version (1).
• For version (2), there is a O(n2n ) attack using O(2n ) chosen
input/output pairs. This substantially reduces the practical risk
of such attack. Triple DES, using version (1), has key size 3 · 56
bits, and best attack known is meet in the middle, with
complexity 22·56 = 2112 . It is considered secure, and was
endorsed by a standard of NIST. However, AES is pushing it out
of the market.
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
38 / 39
Meta-Lessons
Things may not be what they seem. (double cipher).
Intuition may be misleading.
Security is a subtle issue – Best to have a proof of security.
Good design methodology: Reduce a complicated task to a simpler
task. Solve the simple task and extend the solution. (E.g., design
encryption for a single-block messages and then show how to extend
it to longer messages).
Benny Applebaum (Tel-Aviv University)
Modern Cryptography – Lecture 3
Fall Semester, 2011–12
39 / 39
Download