Lecture 3: Block Ciphers Introduction to Modern Cryptography1 Benny Applebaum Tel-Aviv University Fall Semester, 2011–12 1 These slides are based on Benny Chor’s slides. Different Approach for Encrypting (Ideal Cipher) • Suppose that Alice and Bob share a truly random function R : {0, 1}n → {0, 1}n . I R For each input x ∈ {0, 1}n choose R(x) ← {0, 1}n . • How can we encrypt? Encrypt a message m by R(m). • Decryption? • Let’s further assume that R is invertible, or even a permutation, hence R−1 : {0, 1}n → {0, 1}n is used for decryption. • Security? • Claim: Even if (computationally unbounded) adversary saw encryptions of many messages (m1 , c1 ) . . . , (mt , ct ), she has no “information” on R(m) for a new message m. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 2 / 39 Computational analogue? Problem Alice and Bob can’t share a random function (too expensive), but can we imitate the above in a computational setting? Idea Choose a “pseudorandom” function Fk from a small family of functions Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 3 / 39 Keyed Functions (PRF) and Permutations (PRP) • Let F : {0, 1}n × {0, 1}n → {0, 1}n be an efficiently computable function. • F has two arguments. The first one is called the key. • We will use the notation Fk (x) = y, where k is the key. • We view F as a collection of functions Fk one for each key k. • F is a collection of permutation if for every key k, Fk is a permutation of {0, 1}n . • Typically, assume that Fk−1 is also efficiently computable. • The function should be pseudorandom it is infeasible to distinguish between the truly and pseudo random. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 4 / 39 Pseudorandom Functions (GoldreichGoldwasserMicali84) Given a black-box access to the function, it’s infeasible to distinguish random function from pseudorandom function. PRF Random Function R ≈ Let k ← {0, 1}n Choose random function R : {0, 1}n → {0, 1}n Given x output y = Fk (x) Given x output y = R(x) t-bounded Adversary can’t distinguish with probability better than . The adversary can make up to t queries to the function E.g., t = 2100 and = 2−40 . How many functions are there in the PRF collection? How many are there in the random collection? Thm: PRG =⇒ PRF =⇒ PRP Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 5 / 39 PRPs in Practice: Block Ciphers • Encrypt a block of input to a block of output (typically of the same length). • A block cipher is a concrete implementation of keyed pseudo random permutations, with concrete block sizes. Typically n = 64 (DES) or n = 128 (AES). • Actual lengths of key and blocks may sometimes differ (slightly). Q: How to encrypt longer messages? Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 6 / 39 Block Ciphers: Modes of Operation • Different modes exist for encrypting plaintext longer than one block. • Simplest mode is to encrypt each plaintext block separately. • This is known as ECB mode encryption (Electronic Code Book). • Is this secure ? • Is the encryption of any pair of messages is indistinguishable ? Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 7 / 39 Block Ciphers: Modes of Operation • If two plaintext blocks are equal, the corresponding ciphertext blocks will also be equal. • This violates our notion of security. • Two plausible approaches to prevent this phenomena are (a) Randomization (e.g. random padding of plaintext blocks). (b) Introducing state. • Most existing modes employ state. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 8 / 39 Block Ciphers: CBC Mode Encryption In CBC mode (Cipher Block Chaining), previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector, S0 , is used as a seed for the process. This seed can be openly transmitted but should not be repeated (why?). • State is last ciphertext. • CBC is self synchronizing. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 9 / 39 Properties of CBC • Asynchronous block/stream cipher. • Errors in one ciphertext block propagate one block. • Seems inherently sequential – no parallel implementation known. • Standard in most systems: SSL, IPSec, etc. Security: It is proved that if E is a pseudo random permutation, then CBC is resistant to chosen plaintext attacks (CPA-secure). • Adversary can’t distinguish Ek (m) from Ek (m0 ) even after seeing many plaintext/ciphertext pairs (mi , Ek (mi )). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 10 / 39 Additional Mode: OFB (Output Feedback) An initialization vector S0 is use as a “seed’ for a sequence of psuedo random blocks S1 , S2 , . . .. Each Si is XORed with the i-th plaintext block Pi to produce the i-th ciphertext block Ci . It is important to use a new seed for each message. Does the seed have to be random? Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 11 / 39 Properties of OFB • Synchronous block/stream cipher. • Errors in one ciphertext block do not propagate. • Seems inherently sequential – no parallel implementation known. • Can be batch preprocessed (on both ends). Security: It is proved that if E is a pseudo random permutation, then CBC is resistant to chosen plaintext attacks. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 12 / 39 Block Ciphers: Design Principles Want: • Confusion – making the relationship between the key and the ciphertext as complex and involved as possible (Shannon, 1949). • Diffusion – minor modification of the key/input bits results in large changes in the output. Therefore, redundancy in the statistics of the plaintext should be ”dissipated” in the statistics of the ciphertext. • Non-linearity. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 13 / 39 Block Ciphers: Components Idea: Combine simple building blocks (components). Iterate each component possibly with different parts of key, to generate a (hopefully) strong cipher. Components may include: • Bit-shuffling (“permutation boxes”) creates confusion. • Simple non-linear functions (“substitution boxes”) Creates diffusion and non-linearity. • Key mixing: Linear (mod 2) mixing, by XORing sub-key at beginning of each iteration. Sub-keys are derived via “key schedule”. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 14 / 39 Block Ciphers: Properties • High speed. • Fixed block size (typically 64, 128, 256 bits). • Ciphertext is a non-linear function of key and message bits. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 15 / 39 How to ensure invertibility? • Make sure that all components are invertible (AES). • Use Feistel network (DES) Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 16 / 39 Feistel Networks: Important Building Block in DES (From http://www.theamazingking.com/crypto-block.html) Encryption (and decryption) is done by identical iterations, or rounds. Here we consider the i-th round. • The input to this round consists of the previous output, P = Li−1 |Ri−1 , where Li−1 , Ri−1 are of the same length. • Ri =Li−1 (shifted, unchanged, to the right side of the output). L • Ri =Li−1 f (Ri−1 , Ki ), where Ki is the key (portion) for round i. • f should be a keyed function that is at least mildly hard to invert. It need not be a permutation. • How is decryption done? Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 17 / 39 Feistel Networks - Properties • No matter which function is used as f , we obtain a permutation (namely F is reversible even if f is not). • The same code/circuit, with keys deployed in reverse order, can be used for decryption. • Important Theoretical Result: If f is a pseudo-random function then four rounds of Feistel network yield a pseudo-random permutation (Luby and Rackoff, 1988). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 18 / 39 DES – Historic Note The DES (data encryption standard) is a block cipher, using 64 bit blocks and a 56 bit key. Has 16 round Feistel network, where each round key is a 48 bit subset of the complete key. See Eli Biham’s slides for more details. Developed at IBM, it was approved by the US goverment (in 1976) as a standard. Size of key (56 bit) was apparently small enough to allow the mighty NSA (US national security agency) to break it exhaustively even back in 70s. Throughput is 10Mb/sec in software, and 1Gb/sec in hardware (back in 1991!). Criticized for unpublished design decisions (designers did not want to disclose differential cryptanalysis, which they discovered). In the 90s it became clear that DES is too weak for contemporary hardware & algorithmics. (Best attack, Matsui linear attack, requires only ≈ 241 known plaintext/ciphertext pairs.) Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 19 / 39 AES – Historic Note The US government NIST (national inst. of standards and technology) announced a call for an advanced encryption standard in 1997. This was an international open competition. Overall, nine proposals were made and evaluated, and five were finalists. Out of those, a proposal named Rijndael, by Daemen and Rijmen (two Belgians) was chosen in February 2001. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 20 / 39 AES - Advanced Encryption Standard • Symmetric block cipher. • Key lengthes: 128, 192, or 256 bits. • Approved US standard (2001). • Resistant to all known attacks. • Very fast. • Compact code. • Simple (kind of). See animation. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 21 / 39 AES Encryption/Decryption: Carried out in Ten Rounds Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 22 / 39 AES Specifications: State • Input & output block length: 128 bits. • State: 128 bits, arranged in a 4-by-4 matrix of bytes. • Each byte is viewed as an element in GF (28 ). S0,0 S1,0 S2,0 S3,0 Benny Applebaum (Tel-Aviv University) S0,1 S1,1 S2,1 S3,1 S0,2 S1,2 S2,2 S3,2 S0,3 S1,3 S2,3 S3,3 Modern Cryptography – Lecture 3 Fall Semester, 2011–12 23 / 39 Rounds in AES 128 bits AES uses 10 rounds. These are not Feistel rounds. • The secret key is expanded from 128 bits to 10 round keys, 128 bits each. • Each round changes the state, then XORS the round key. Each rounds complicates things a little. Overall it seems infeasible to invert without the secret key (but easy given the key). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 24 / 39 AES Specifications: One Round Transform the state by applying: 1 Substitution. 2 Shift rows. 3 Mix columns. 4 XOR round key S0,0 S1,0 S2,0 S3,0 S0,1 S1,1 S2,1 S3,1 S0,2 S1,2 S2,2 S3,2 S0,3 S1,3 S2,3 S3,3 −1 1) Substitution operates on every byte separately: Si,j ← Si,j 8 (multiplicative inverse in GF (2 ), which is highly non-linear). If Si,j = 0, dont change it. Clearly, the substitution is invertible. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 25 / 39 Cyclic Shift inside Rows S0,0 S1,3 S2,2 S3,1 S0,1 S1,0 S2,3 S3,2 S0,2 S0,3 S1,1 S1,2 S2,0 S2,1 S3,3 S3,0 (no shift) (shift one position) (shift two positions) (shift three positions) Clearly, the shift is invertible. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 26 / 39 Mix Columns MixCol maps the state to a new one. It multiplies each column of state by the polynomial c(x) mod x4 + 1, where c(x) = 0x03 · x3 + 0x01 · x2 + 0x01 · x + 0x02. Specifically, for the first column, 0 · x3 + S 0 · x2 + S 0 x + S 0 = (0x03 · x3 + 0x01 · x2 + 0x01 · S0,0 1,0 2,0 3,0 x + 0x02) · (S0,0 x3 + S1,0 · x2 + S2,0 · x + S3,0 ) mod x4 + 1. The inverse operation is InvMixCol: It multiplies each column of state by the polynomial d(x) mod x4 + 1, where d(x) = 0x0b · x3 + 0x0d · x2 + 0x09 · x + 0x0e. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 27 / 39 Mix Columns – Clarifications Comment: All these coefficients from c(x) and d(x) (0x03, 0x01, 0x02, 0x0b, 0x0d,0x09, 0x0e) are hexadecimal constants from GF (28 ) (which are low degree polynomials, e.g. 0x0e in hex is 14 in decimal, 1110 in binary, and x3 + x2 + x as a polynomial). Comment 2: These c(x) and d(x) correspond to the first (left most) column. The other columns have different but similar coefficients/polynomials. See next slide. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 28 / 39 Mix Columns, the Movie (taken from a presentation by William Stallings, drawing by Lawrie Brown) Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 29 / 39 More AES • Expanding key to round keys is not too complicated either, but is not discussed here. • Round key bits are xored with the state, to produce new state (figure from Wikipedia). • See original document at www.daimi.au.dk/∼ivan/rijndael.pdf. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 30 / 39 AES, Famous Last Words • AES comes in 3 flavors: • 128 bits key, 10 rounds (most common). • 192 bits key, 12 rounds. • 156 bits key, 14 rounds. • The NSA certified the use of 128 bit AES for Secret documents, and both 192 bit and 256 bit AES for Top Secret. • Attacks against 2 rounds AES are known. • Attack against 6 round 128 bits AES using 6 · 232 chosen plaintexts and 244 encryption operations. (Ferguson et al., 2000). • But for full, 10 round 128 bit key AES, this is considered infeasible and breaking AES efficiently an open problem. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 31 / 39 Strengthening a Given Block Cipher A block cipher, like DES, is initially considered secure. It gains wide usage, but as time passes, it is realized that due to technological/algorithmic advances some attacks becomes feasible As the security chief of a large company, what do you do? 1 Switch to a fancy new block cipher (may be too expensive, e.g. if the cipher is physically embedded in all bank ATM machines). 2 Find ways to use the existing cipher with enhanced security (great idea, but how?). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 32 / 39 Iterated Ciphers Formally, 1 2 Let Ek is a block-cipher with block size and key size of n-bits. Key can be found in time O(2n ) given O(1) plaintext/ciphertext pairs. 3 Problem: Due to technological advances this becomes feasible (i.e., via a special purpose hardware). 4 Idea: Double-encryption. Instead of using a single key, k, use two keys, k1 , k2 . Hope: Complexity of exhaustive attack grow from O(2n ) to O(22n ), giving us another decade or two of tight sleep :-) Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 33 / 39 Double Cipher If encryption is closed under composition, we gain nothing. That is, if for all k1 , k2 there is k3 such that (Ek2 (Ek1 (x))) = Ek3 (x), then we could just exhaustively search for such k3 . • Substitution ciphers certainly posses this property. In fact they constitute a permutation group, hence closed under composition. • It was suspected that DES also acts as a group (or is almost one) under composition. Quite a lot of research was devoted to this question, and it was refuted only in 1992. • Notice that if an encryption scheme is closed under composition, then not only double iteration, but any fixed number of iterations are useless. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 34 / 39 Meet in the Middle Attack Goal: Recover the two keys k1 , k2 . 1 2 Ask for a pair of plaintext/ciphertext (x, y) for the new scheme, i.e., Ek2 (Ek1 )(x) = y. Find all candidates (k, k 0 ) for which Ek (x) = Dk0 (y). I 3 How many such pairs exist? O(2n ) in expectation see blackboard Use another plaintext/ciphertext pair (x0 , y 0 ) to filter out inconsistent candidates. Whp, only the right key survives. (If not, use another pair). Q: How can we implement Step 2 in time O(n2n ) and space O(2n )? A: For each key k store Ek (x) in list L1 and store Dk (y) in L2 , sort lists in time O(n2n ) and find intersection in time O(2n ). Can you improve to O(2n )? Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 35 / 39 Meet in the Middle Attack: Performance Time: O(n2n ) (sorting a 2n long list). Space: Must store O(2n ) pairs. Compare this to exhaustive search over the space of a single key: Time: O(2n ). Space: Must store just O(1) pairs. Conclusion: Double cipher (two iterations) does not add much to security (though it adds some, esp. if fast memory is expensive). Let us then move to triple cipher (three iterations). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 36 / 39 Triple Cipher • The first version utilizes three independent keys k1 , k2 , k3 . The second, just two – k1 , k2 . • The ”middle box” employs decryption rather than encryption. This results in backward compatibility: Taking k1 , k2 , k3 =k, this is identical to a single encryption using k. • When the key is unknown, decryption (should) also be a pseudo random function, so using Dk2 does not reduce security. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 37 / 39 Triple Cipher / Triple DES • Both versions are susceptible to a meet in the middle attack, albeit one that uses a list of size 22n (where n is length of keys). This is the best attack known for version (1). • For version (2), there is a O(n2n ) attack using O(2n ) chosen input/output pairs. This substantially reduces the practical risk of such attack. Triple DES, using version (1), has key size 3 · 56 bits, and best attack known is meet in the middle, with complexity 22·56 = 2112 . It is considered secure, and was endorsed by a standard of NIST. However, AES is pushing it out of the market. Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 38 / 39 Meta-Lessons Things may not be what they seem. (double cipher). Intuition may be misleading. Security is a subtle issue – Best to have a proof of security. Good design methodology: Reduce a complicated task to a simpler task. Solve the simple task and extend the solution. (E.g., design encryption for a single-block messages and then show how to extend it to longer messages). Benny Applebaum (Tel-Aviv University) Modern Cryptography – Lecture 3 Fall Semester, 2011–12 39 / 39