Cryptanalysis / Block Ciphers: AES Tjark Weber Cryptology March 26, 2013 Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 1 / 39
  • Cryptanalysis / Block Ciphers: AES

    Tjark Weber

    Cryptology

    March 26, 2013

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 1 / 39

  • Lab Groups

    Lab groups have been announced on the Student Portal. Please get in touch with your group members! The deadline for part (a) of Lab 1 is this Friday, March 29.

    Please send email to [email protected] as soon as possible if

    you have not been assigned to a lab group but want to do the labs;

    you have been assigned to a lab group but don't want to do the labs.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 2 / 39

  • Lab 1

    For your convenience, computer room 1515 has been reserved tomorrow (Wednesday) from 8:15-12:00.

    You are not required to be there at this time. You may work on the lab when- and wherever you like. You may use the computer room at other times if it is available.

    Jean-Noel will not be there tomorrow. As usual, you can contact him in person or by email ([email protected]) if you have questions.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 3 / 39

  • Exercise Solutions

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 4 / 39

  • Exercise Solutions

    1. Use the extended Euclidean algorithm to compute 28^{-1} mod 75.

    Precondition: a > 0, b > 0

    function extended_gcd(a, b)
      x := 0; x' := 1
      y := 1; y' := 0
      while b ≠ 0 do
        q := a div b
        (a, b) := (b, a mod b)
        (x, x') := (x' − q·x, x)
        (y, y') := (y' − q·y, y)
      done
      return (x', y')

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 5 / 39
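As an added example (mine, not from the slides), the extended Euclidean algorithm from the slide in Python, extended to return the gcd as well, and used on Exercise 1, computing 28^{-1} mod 75; the names `extended_gcd` and `mod_inverse` are my own.

```python
def extended_gcd(a, b):
    """The slide's algorithm (precondition a > 0, b > 0), returning gcd(a, b) as well:
    the result (g, x1, y1) satisfies a*x1 + b*y1 = g.  x1, y1 are the slide's x', y'."""
    x, x1 = 0, 1
    y, y1 = 1, 0
    while b != 0:
        q = a // b                      # q := a div b
        a, b = b, a % b                 # (a, b) := (b, a mod b)
        x, x1 = x1 - q * x, x           # (x, x') := (x' - q*x, x)
        y, y1 = y1 - q * y, y           # (y, y') := (y' - q*y, y)
    return a, x1, y1                    # a now holds gcd of the original inputs


def mod_inverse(a, n):
    """a^-1 mod n.  It exists iff gcd(a, n) = 1; then a*x1 + n*y1 = 1 means
    a*x1 = 1 (mod n), so x1 reduced into 0..n-1 is the inverse."""
    g, x1, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd({a}, {n}) = {g}")
    return x1 % n


# Exercise 1: extended_gcd(28, 75) yields 28*(-8) + 75*3 = 1, so the inverse is
# -8 mod 75 = 67; check: 28 * 67 = 1876 = 25 * 75 + 1.
INVERSE_28_MOD_75 = mod_inverse(28, 75)
```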

  • Exercise Solutions (cntd.)

    2. Define a cryptosystem that generalizes the Hill cipher from linear transformations to affine transformations. (An affine transformation consists of a linear transformation followed by a shift, as in the affine cipher.)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 6 / 39

  • Cryptanalysis

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 7 / 39

  • Cryptanalysis / Attack Models

    Ciphertext only attack: The attacker possesses a string of ciphertext, y.

    Known plaintext attack: The attacker possesses a string of plaintext, x, and the corresponding ciphertext, y.

    Chosen plaintext attack: The attacker has obtained temporary access to the encryption machinery. He can choose a plaintext, x, and construct the corresponding ciphertext, y.

    Chosen ciphertext attack: The attacker has obtained temporary access to the decryption machinery. He can choose a ciphertext, y, and construct the corresponding plaintext, x.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 8 / 39

  • Cryptanalysis / Cryptanalysis of the Shift Cipher

    Recall the shift cipher: P = C = K = Z26, e_k(x) = (x + k) mod 26, d_k(y) = (y − k) mod 26.

    How many different keys? 26

    Given a ciphertext string y, the attacker can conduct a brute force attack, i.e., perform exhaustive key search:

    k    d_k(y)
    0    EUXWHIRUFH
    1    DTWVGHQTEG
    2    CSVUFGPSDF
    3    BRUTEFORCE
    ...

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 9 / 39


  • Cryptanalysis / Brute Force Attacks

    In the worst case, the attacker needs to check |K| keys. On average, he only needs to check |K|/2 keys.

    Possible against any cipher; however, the attacker must be able to recognize the correct plaintext string, once obtained.

    Resources required grow exponentially with key size:

    Key size (bits)    |K|    Max. time (2^56 keys per second)
    8                  2^8


  • Cryptanalysis / Cryptanalysis of the Substitution Cipher

    Recall the substitution cipher: P = C = Z26, K = {π : Z26 → Z26 | π is a permutation}, e_π(x) = π(x), d_π(y) = π^{-1}(y).

    How many different keys? 26! > 4 · 10^26

    Brute force is (probably) not feasible: > 177 years at 2^56 keys/second

    How can we break it?

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 11 / 39


  • Cryptanalysis / Frequency Analysis

    Frequency analysis relies on the observation that in natural-language plaintexts, certain letters and combinations of letters (bigrams, trigrams, ...) occur with varying frequencies.

    Already described by al-Kindi around 800 AD, frequency analysis was easily the biggest breakthrough in cryptanalysis until World War II.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 12 / 39

  • Cryptanalysis / Frequency Analysis for the Substitution Cipher

    The substitution cipher leaves the frequency of letters (bigrams, ...) unchanged. Therefore, letters (bigrams, ...) that are frequent in the ciphertext likely correspond to letters (bigrams, ...) that are frequent in the plaintext language.

    For instance, if the plaintext is in English, the most frequent ciphertext letter likely corresponds to E.

    Frequency analysis involves some guesswork and backtracking. It is less reliable for short ciphertexts.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 13 / 39

  • Cryptanalysis / Cryptanalysis of the Vigenère Cipher

    The Vigenère cipher can be attacked because the key is reused periodically: x_i, x_{i+m}, x_{i+2m}, ... are all encrypted with the same key character, k_i.

    To break the cipher, we proceed in two steps:

    1. Determine the key length, m.

    2. Break m shift ciphers using frequency analysis.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 14 / 39

  • Cryptanalysis / The Kasiski Test

    The Kasiski test (Friedrich Kasiski, 1863) is based on the observation that identical plaintext segments will be encrypted to the same ciphertext whenever their occurrences in the plaintext are ≡ 0 (mod m) positions apart.

    Conversely, identical ciphertext segments of length at least 3, say, likely correspond to identical plaintext segments.

    1. Search the ciphertext for pairs of identical segments of length ≥ 3. Let the n distances between identical segments be numbered 1, ..., n.

    2. Likely, m divides all of these distances (and hence divides their greatest common divisor).

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 15 / 39

  • Cryptanalysis / The Friedman Test

    The Friedman test (William Friedman, 1920) exploits that a natural-language plaintext is much less random in its character distribution than a ciphertext that was produced by different shift ciphers.

    Suppose x = x_1 x_2 ... x_n is a string of n characters. The index of coincidence of x, denoted I_c(x), is the probability that two random elements of x are identical.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 16 / 39

  • Cryptanalysis / The Friedman Test (cntd.)

    Let p_i (0 ≤ i ≤ 25) denote the probability of character i in the English language. Then, for an English text x, we would expect that

    I_c(x) ≈ Σ_{i=0}^{25} p_i^2 = 0.065.

    On the other hand, a completely random string x will have

    I_c(x) = Σ_{i=0}^{25} (1/26)^2 = 1/26 ≈ 0.038.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 17 / 39

  • Cryptanalysis / The Friedman Test (cntd.)

    Let m' be a possible key length. We split the ciphertext x into m' separate strings, x^j := x_j x_{j+m'} x_{j+2m'} ... (1 ≤ j ≤ m'), each of length l := n/m'.

    Let f_i(x^j) denote the number of occurrences of character i in x^j.

    We compute each I_c(x^j) = Σ_{i=0}^{25} f_i(x^j)(f_i(x^j) − 1) / (l(l − 1)).

    We then compute their average, I_c^{m'}(x) := (1/m') Σ_{j=1}^{m'} I_c(x^j).

    I_c^{m'}(x) will likely be maximal (namely ≈ 0.065) for m' = m.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 18 / 39

  • Cryptanalysis / Frequency Analysis for the Shift Cipher

    Both the Kasiski test and the Friedman test can be used to determine the (likely) key length, m.

    Once m is known, it remains to determine the key k = (k_1, ..., k_m) ∈ (Z26)^m.

    As before, consider the string x^j := x_j x_{j+m} x_{j+2m} ... (1 ≤ j ≤ m), of length l := n/m, and let f_i(x^j) denote the number of occurrences of character i in x^j.

    We would expect the correctly shifted frequencies to be close to the English character probabilities, p_i. Choose k_j ∈ Z26 so that

    Σ_{i=0}^{25} p_i f_{(i+k_j) mod 26}(x^j) / l

    is maximized (≈ 0.065).

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 19 / 39

  • Cryptanalysis / Modern Cryptanalysis: A Perspective

    "Many are the cryptosystems offered [...] today that cannot be broken by any known methods of cryptanalysis. [...] In a sense, then, cryptanalysis is dead."

    David Kahn, 2002

    "Almost all breaks of modern cipher systems are due to implementation errors, operational failures, burglary, blackmail, and bribery."

    Ross Anderson, 2004

    "Now we are [...] moving very slowly forward in a mature field."

    Brian Snow, 2010

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 20 / 39

  • Advanced Encryption Standard

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 21 / 39

  • Advanced Encryption Standard / AES: Overview

    Advanced Encryption Standard (AES) is a modern symmetric-key block cipher. It is the first publicly disclosed cipher approved for top secret information by the National Security Agency (NSA).

    AES uses a block size of 128 bits, and key sizes of 128, 192, or 256 bits. It was standardised in 2001, after an open search for a suitable algorithm that took almost five years.

    AES achieves a throughput of 100 MB/s on an Intel Pentium 4 CPU.

    AES replaced DES (introduced in 1977), which had become vulnerable to brute force attacks due to its relatively small key size of 56 bits.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 22 / 39

  • Advanced Encryption Standard / AES: Standardisation Process

    In 1997, the National Institute of Standards and Technology (NIST) announced that they were looking for a successor to DES. In an unusually open and international process, a call for new algorithms was issued.

    15 algorithms were submitted, and evaluated based on different criteria: security, performance on different architectures, feasibility in limited environments (e.g., smart cards).

    Three conferences were held to discuss these algorithms. Ultimately, Rijndael (an algorithm submitted by Joan Daemen and Vincent Rijmen) was selected by NIST.

    "I have nothing but good things to say about NIST and the AES process."

    Bruce Schneier, http://www.schneier.com/crypto-gram-0010.html#8

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 23 / 39

  • Advanced Encryption Standard / Confusion and Diffusion

    Claude Shannon (1949) suggested two properties that help ensure security of a block cipher.

    Confusion: Each bit of the ciphertext block depends on the plaintext block bits and the key bits in a complex (highly nonlinear) way.

    Confusion makes it hard to find the key even if one has a large number of plaintext-ciphertext pairs.

    Diffusion: Each plaintext block bit or key bit affects many bits of the ciphertext block. Ideally, the strict avalanche criterion is satisfied: flipping a single input bit changes each output bit with probability 0.5.

    Diffusion dissipates statistical regularities of small plaintext structures into statistical regularities of much larger ciphertext structures.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 24 / 39

  • Advanced Encryption Standard / Substitution Boxes

    A substitution box (S-box) is a basic component of a symmetric-key algorithm that transforms m input bits into n output bits. Often, m = n, and the transformation is invertible.

    [Figure: box S with m input bits and n output bits]

    An m-to-n S-box can be implemented as a lookup table with 2^m words, of n bits each.

    S-boxes may implement arbitrary functions. In practice, S-boxes are carefully chosen to achieve confusion and resist cryptanalysis.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 25 / 39
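As an added example (mine, not the slides' or the AES specification's code), the 8-to-8 S-box AES uses, built from its defining rule (multiplicative inverse in GF(2^8), then an affine map) and tabulated as 2^8 words of 8 bits each, exactly the lookup-table form the slide describes. Two entries published in the AES specification, S(0x00) = 0x63 and S(0x53) = 0xed, serve as a check that the construction is right.

```python
AES_POLY = 0x11b  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial defining AES' GF(2^8)

def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (the 255 nonzero elements form a cyclic group);
    0 has no inverse and is mapped to 0, as the AES specification prescribes."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def rotl8(b, n):
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xff

def sbox_entry(b):
    """S(b): invert b in GF(2^8), then apply the affine map
    s = inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63."""
    inv = gf_inv(b)
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63

# The S-box as a lookup table with 2^8 words of 8 bits, and its inverse table.
SBOX = [sbox_entry(b) for b in range(256)]
INV_SBOX = [0] * 256
for b, s in enumerate(SBOX):
    INV_SBOX[s] = b

def sub_bytes(state):
    """AES SubBytes: the S-box applied to each byte of a 16-byte state."""
    return bytes(SBOX[b] for b in state)

def is_permutation(table):
    """An m-to-m S-box is invertible exactly when its table is a permutation of 0..2^m-1."""
    return sorted(table) == list(range(len(table)))
```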

  • Advanced Encryption Standard / Permutation Boxes

    A permutation box (P-box) is a basic component of a symmetric-key algorithm that permutes m input bits into n output bits. Often, m = n.

    [Figure: box P with m input bits and n output bits]

    P-boxes are used (in combination with S-boxes) to achieve diffusion.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 26 / 39

  • Advanced Encryption Standard / Substitution-Permutation Networks

    A single (typical) S-box or a single P-box alone does not have much cryptographic strength.

    A substitution-permutation network (SPN) is a series of linked S- and P-boxes.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 27 / 39

  • Advanced Encryption Standard / The AES Algorithm

    (Animation)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 28 / 39

  • Advanced Encryption Standard / AES: Cryptanalysis

    For specific keys and a reduced number of rounds, attacks that are faster than brute force have been known since 2009.

    The first key-recovery attacks on full AES were published in 2011. They are faster than brute force by a factor of about four. Technically, AES is broken.

    However, AES remains secure in practice: all currently known attacks are computationally infeasible.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 29 / 39

  • Advanced Encryption Standard / Side-channel Attacks

    Side-channel attacks do not exploit weaknesses in the underlying cipher, but rely on information gained from physical implementations of the cipher on systems that inadvertently leak data.

    Timing, power monitoring, and differential fault analysis (i.e., deliberately introducing errors into a computation) are commonly exploited side channels.

    Side-channel attacks on AES implementations are known that determine the key, e.g., by carefully measuring the time required for encryption/decryption.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 30 / 39

  • Modes of Operation

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 31 / 39

  • Modes of Operation / Modes of Operation

    A mode of operation enables the repeated and secure use of a block cipher under a single key.

    Longer messages first need to be split into blocks of suitable size, possibly using padding.

    Often, randomization based on an additional input value, called an initialization vector, is used to encrypt each block safely.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 32 / 39

  • Modes of Operation / Electronic Codebook (ECB)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 33 / 39

  • Modes of Operation / Cipher-Block Chaining (CBC)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 34 / 39

  • Modes of Operation / Cipher Feedback (CFB)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 35 / 39

  • Modes of Operation / Output Feedback (OFB)

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 36 / 39

  • Modes of Operation / Counter

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 37 / 39
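As an added example (mine, not from the slides, and not AES), three of the modes named above, ECB, CBC and Counter, implemented over a stand-in 128-bit block cipher so the blocks, padding and initialization vector of the Modes of Operation slide can be seen working. The Feistel `toy_block_cipher`, the PKCS#7 padding and the constructed key, IV and plaintext are my assumptions, chosen so that ECB's repeated-block leak is visible next to CBC's randomised output.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, as for AES

def toy_block_cipher(key, block, decrypt=False):
    """Stand-in for AES (not AES, not secure): a 4-round Feistel network on 16-byte blocks
    with SHA-256 as round function.  All the modes need is that it is a keyed bijection."""
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l if decrypt else l + r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(data):
    """PKCS#7 padding: n bytes of value n, 1 <= n <= BLOCK, so the length is a block multiple."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key, data):
    """ECB: blocks encrypted independently, so equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_block_cipher(key, p) for p in blocks(pad(data)))

def cbc_encrypt(key, iv, data):
    """CBC: c_i = E_k(p_i XOR c_{i-1}) with c_0 = IV; the IV randomises each message."""
    out, prev = [], iv
    for p in blocks(pad(data)):
        prev = toy_block_cipher(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor(toy_block_cipher(key, c, decrypt=True), prev))
        prev = c
    return unpad(b"".join(out))

def ctr(key, nonce, data):
    """Counter mode: XOR with the keystream E_k(nonce || i); no padding, and the same call
    decrypts.  A nonce must not be reused under one key, or two messages share keystream."""
    return b"".join(xor(p, toy_block_cipher(key, nonce + i.to_bytes(8, "big")))
                    for i, p in enumerate(blocks(data)))

# Constructed demo input (not real key material): three equal blocks expose ECB's pattern
# leak.  In real use the IV and nonce are fresh random values per message (e.g. os.urandom).
KEY = bytes(range(16))
IV, NONCE = bytes([0xA5]) * 16, bytes([0x5A]) * 8
PLAINTEXT = b"ATTACK AT DAWN!!" * 3
```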

  • Exercises

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 38 / 39

  • Exercises

    1. Describe a chosen plaintext attack on the Hill cipher (assuming m is known). How many plaintext elements are necessary to determine the key?

    2. Discuss whether the classical block ciphers presented in the course satisfy confusion or diffusion.

    3. Compute the encryption of the following plaintext

    3243F6A8 885A308D 313198A2 E0370734

    using the 128-bit key

    2B7E1516 28AED2A6 ABF71588 09CF4F3C

    under the (initial and) first round of AES.

    Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 39 / 39
