Cryptanalysis / Block Ciphers: AES
Tjark Weber
Cryptology
March 26, 2013
Tjark Weber (UU) Cryptanalysis / Block Ciphers: AES 1 / 39
Lab Groups
Lab groups have been announced on the Student Portal. Please get in touch with your group members! The deadline for part (a) of Lab 1 is this Friday, March 29.
Please send email to [email protected] as soon as possible if
you have not been assigned to a lab group but want to do the labs;
you have been assigned to a lab group but don't want to do the labs.
Lab 1
For your convenience, computer room 1515 has been reserved tomorrow (Wednesday) from 8:15-12:00.
You are not required to be there at this time. You may work on the lab when- and wherever you like. You may use the computer room at other times if it is available.
Jean-Noel will not be there tomorrow. As usual, you can contact him in person or by email ([email protected]) if you have questions.
Exercise Solutions
1. Use the extended Euclidean algorithm to compute 28^{-1} mod 75.
Precondition: a > 0, b > 0
function extended_gcd(a, b)
    x := 0; x' := 1
    y := 1; y' := 0
    while b ≠ 0 do
        q := a div b
        (a, b) := (b, a mod b)
        (x, x') := (x' − q·x, x)
        (y, y') := (y' − q·y, y)
    done
    return (x', y')
Exercise Solutions (cntd.)
2. Define a cryptosystem that generalizes the Hill cipher from linear transformations to affine transformations. (An affine transformation consists of a linear transformation followed by a shift, as in the affine cipher.)
Cryptanalysis
Attack Models
Ciphertext only attack: The attacker possesses a string of ciphertext, y.
Known plaintext attack: The attacker possesses a string of plaintext, x, and the corresponding ciphertext, y.
Chosen plaintext attack: The attacker has obtained temporary access to the encryption machinery. He can choose a plaintext, x, and construct the corresponding ciphertext, y.
Chosen ciphertext attack: The attacker has obtained temporary access to the decryption machinery. He can choose a ciphertext, y, and construct the corresponding plaintext, x.
Cryptanalysis of the Shift Cipher
Recall the shift cipher: P = C = K = Z_26, e_k(x) = (x + k) mod 26, d_k(y) = (y − k) mod 26.
How many different keys? 26
Given a ciphertext string y, the attacker can conduct a brute force attack, i.e., perform exhaustive key search:
k   d_k(y)
0   EUXWHIRUFH
1   DTWVGHQTEG
2   CSVUFGPSDF
3   BRUTEFORCE
...
Brute Force Attacks
In the worst case, the attacker needs to check |K| keys. On average, he only needs to check |K|/2 keys.
Possible against any cipher; however, the attacker must be able to recognize the correct plaintext string, once obtained.
Resources required grow exponentially with key size:
Key size (bits)   |K|   Max. time (2^56 keys per second)
8                 2^8
Cryptanalysis of the Substitution Cipher
Recall the substitution cipher: P = C = Z_26, K = {π : Z_26 → Z_26 | π is a permutation}, e_π(x) = π(x), d_π(y) = π^{-1}(y).
How many different keys? 26! > 4 · 10^26
Brute force is (probably) not feasible: > 177 years at 2^56 keys/second
How can we break it?
Frequency Analysis
Frequency analysis relies on the observation that in natural-language plaintexts, certain letters and combinations of letters (bigrams, trigrams, ...) occur with varying frequencies.
Already described by al-Kindi around 800 AD, frequency analysis was easily the biggest breakthrough in cryptanalysis until World War II.
Frequency Analysis for the Substitution Cipher
The substitution cipher leaves the frequency of letters (bigrams, ...) unchanged. Therefore, letters (bigrams, ...) that are frequent in the ciphertext likely correspond to letters (bigrams, ...) that are frequent in the plaintext language.
For instance, if the plaintext is in English, the most frequent ciphertext letter likely corresponds to E.
Frequency analysis involves some guesswork and backtracking. It is less reliable for short ciphertexts.
Cryptanalysis of the Vigenère Cipher
The Vigenère cipher can be attacked because the key is reused periodically: x_i, x_{i+m}, x_{i+2m}, ... are all encrypted with the same key character, k_i.
To break the cipher, we proceed in two steps:
1. Determine the key length, m.
2. Break m shift ciphers using frequency analysis.
The Kasiski Test
The Kasiski test (Friedrich Kasiski, 1863) is based on the observation that identical plaintext segments will be encrypted to the same ciphertext whenever their occurrences in the plaintext are 0 (mod m) positions apart.
Conversely, identical ciphertext segments of length at least 3, say, likely correspond to identical plaintext segments.
1. Search the ciphertext for pairs of identical segments of length 3, and record the distances between identical segments.
2. Likely, m divides all of these distances (and hence divides their greatest common divisor).
The Friedman Test
The Friedman test (William Friedman, 1920) exploits that a natural-language plaintext is much less random in its character distribution than a ciphertext that was produced by different shift ciphers.
Suppose x = x_1 x_2 ... x_n is a string of n characters. The index of coincidence of x, denoted I_c(x), is the probability that two random elements of x are identical.
The Friedman Test (cntd.)
Let p_i (0 ≤ i ≤ 25) denote the probability of character i in the English language. Then, for an English text x, we would expect that
$I_c(x) \approx \sum_{i=0}^{25} p_i^2 = 0.065.$
On the other hand, a completely random string x will have
$I_c(x) = \sum_{i=0}^{25} \left(\frac{1}{26}\right)^2 = \frac{1}{26} \approx 0.038.$
The Friedman Test (cntd.)
Let m be a possible key length. We split the ciphertext x into m separate strings, x^j := x_j x_{j+m} x_{j+2m} ... (1 ≤ j ≤ m), each of length l := n/m.
Let f_i(x^j) denote the number of occurrences of character i in x^j.
We compute each
$I_c(x^j) = \sum_{i=0}^{25} \frac{f_i(x^j)\,(f_i(x^j) - 1)}{l\,(l - 1)}.$
We then compute their average,
$I_c^m(x) := \frac{1}{m} \sum_{j=1}^{m} I_c(x^j).$
I_c^m(x) will likely be maximal (namely ≈ 0.065) when m equals the actual key length.
Frequency Analysis for the Shift Cipher
Both the Kasiski test and the Friedman test can be used to determine the (likely) key length, m.
Once m is known, it remains to determine the key k = (k_1, ..., k_m) ∈ (Z_26)^m.
As before, consider the string x^j := x_j x_{j+m} x_{j+2m} ... (1 ≤ j ≤ m), of length l := n/m, and let f_i(x^j) denote the number of occurrences of character i in x^j.
We would expect the correctly shifted frequencies to be close to the English character probabilities, p_i. Choose k_j ∈ Z_26 so that
$\sum_{i=0}^{25} \frac{p_i \, f_{(i + k_j) \bmod 26}(x^j)}{l}$
is maximized (≈ 0.065).
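The Friedman test and the per-stripe shift recovery of the last three slides, as an added Python example (not part of the lecture material); it also covers the shift-cipher case, since each stripe is attacked exactly as a single shift cipher. The English probabilities p_i are the standard table from Stinson's textbook, and the sample plaintext is constructed. Because every multiple of the true key length also scores close to 0.065, the example takes the smallest candidate length that reaches the English value instead of the plain maximum.

```python
# English letter probabilities p_0..p_25 for A..Z (Stinson's table); sum of p_i^2 is about 0.065.
P = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070, 0.002, 0.008, 0.040, 0.024,
     0.067, 0.075, 0.019, 0.001, 0.060, 0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]

def letter_counts(s):
    """f_i(s): number of occurrences of letter i (0 = A, ..., 25 = Z) in s."""
    f = [0] * 26
    for ch in s:
        f[ord(ch) - ord("A")] += 1
    return f

def index_of_coincidence(s):
    """I_c(s) = sum_i f_i (f_i - 1) / (l (l - 1)): probability that two random positions match."""
    l = len(s)
    if l < 2:
        return 0.0
    return sum(f * (f - 1) for f in letter_counts(s)) / (l * (l - 1))

def stripes(y, m):
    """The m strings y^j = y_j y_{j+m} y_{j+2m} ..., i.e. the positions encrypted with key letter k_j."""
    return [y[j::m] for j in range(m)]

def friedman_score(y, m):
    """I_c^m(y): average index of coincidence over the m stripes of candidate key length m."""
    return sum(index_of_coincidence(s) for s in stripes(y, m)) / m

def likely_key_length(y, max_m=12, threshold=0.06):
    """Smallest m whose average I_c reaches the English value (about 0.065). Multiples of
    the true length score just as high, so the plain maximum would often overshoot."""
    for m in range(1, max_m + 1):
        if friedman_score(y, m) >= threshold:
            return m
    return max(range(1, max_m + 1), key=lambda m: friedman_score(y, m))

def recover_shift(stripe):
    """The k maximising sum_i p_i f_{(i+k) mod 26}(stripe) / l: the shift that best aligns with English."""
    f, l = letter_counts(stripe), len(stripe)
    return max(range(26), key=lambda k: sum(P[i] * f[(i + k) % 26] for i in range(26)) / l)

def recover_key(y, m):
    """Break the m shift ciphers independently and assemble the Vigenère key."""
    return "".join(chr(ord("A") + recover_shift(s)) for s in stripes(y, m))

def vigenere_encrypt(x, key):
    """e_k(x) for the Vigenère cipher over A..Z (used here only to build sample ciphertext)."""
    return "".join(chr((ord(c) + ord(key[i % len(key)]) - 2 * ord("A")) % 26 + ord("A"))
                   for i, c in enumerate(x))

if __name__ == "__main__":
    # constructed sample: an English passage encrypted under the key LEMON
    y = vigenere_encrypt("FRIEDMANSTESTEXPLOITSTHATANATURALLANGUAGEPLAINTEXTISMUCHLESSRANDOM"
                         "INITSCHARACTERDISTRIBUTIONTHANACIPHERTEXTPRODUCEDBYSEVERALSHIFTCIPHERS", "LEMON")
    m = likely_key_length(y)
    print("key length", m, "key", recover_key(y, m))
```

On short ciphertexts the per-stripe frequencies are noisy, so a recovered key letter may be off by one or two positions; the slides' remark about short ciphertexts applies here as well.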
Modern Cryptanalysis: A Perspective
"Many are the cryptosystems offered [...] today that cannot be broken by any known methods of cryptanalysis. [...] In a sense, then, cryptanalysis is dead."
David Kahn, 2002
"Almost all breaks of modern cipher systems are due to implementation errors, operational failures, burglary, blackmail, and bribery."
Ross Anderson, 2004
"Now we are [...] moving very slowly forward in a mature field."
Brian Snow, 2010
Advanced Encryption Standard
AES: Overview
Advanced Encryption Standard (AES) is a modern symmetric-key block cipher. It is the first publicly disclosed cipher approved for top secret information by the National Security Agency (NSA).
AES uses a block size of 128 bits, and key sizes of 128, 192, or 256 bits. It was standardised in 2001, after an open search for a suitable algorithm that took almost five years.
AES achieves a throughput of 100 MB/s on an Intel Pentium 4 CPU.
AES replaced DES (introduced in 1977), which had become vulnerable to brute force attacks due to its relatively small key size of 56 bits.
AES: Standardisation Process
In 1997, the National Institute of Standards and Technology (NIST) announced that they were looking for a successor to DES. In an unusually open and international process, a call for new algorithms was issued.
15 algorithms were submitted, and evaluated based on different criteria: security, performance on different architectures, feasibility in limited environments (e.g., smart cards).
Three conferences were held to discuss these algorithms. Ultimately, Rijndael (an algorithm submitted by Joan Daemen and Vincent Rijmen) was selected by NIST.
"I have nothing but good things to say about NIST and the AES process."
Bruce Schneier, http://www.schneier.com/crypto-gram-0010.html#8
Confusion and Diffusion
Claude Shannon (1949) suggested two properties that help ensure security of a block cipher.
Confusion: Each bit of the ciphertext block depends on the plaintext block bits and the key bits in a complex (highly nonlinear) way.
Confusion makes it hard to find the key even if one has a large number of plaintext-ciphertext pairs.
Diffusion: Each plaintext block bit or key bit affects many bits of the ciphertext block. Ideally, the strict avalanche criterion is satisfied: flipping a single input bit changes each output bit with probability 0.5.
Diffusion dissipates statistical regularities of small plaintext structures into statistical regularities of much larger ciphertext structures.
Substitution Boxes
A substitution box (S-box) is a basic component of a symmetric-key algorithm that transforms m input bits into n output bits. Often, m = n, and the transformation is invertible.
[Figure: an S-box S with m input bits and n output bits]
An m-to-n S-box can be implemented as a lookup table with 2^m words, of n bits each.
S-boxes may implement arbitrary functions. In practice, S-boxes are carefully chosen to achieve confusion and resist cryptanalysis.
Permutation Boxes
A permutation box (P-box) is a basic component of a symmetric-key algorithm that permutes m input bits into n output bits. Often, m = n.
[Figure: a P-box P with m input bits and n output bits]
P-boxes are used (in combination with S-boxes) to achieve diffusion.
Substitution-Permutation Networks
A single (typical) S-box or a single P-box alone does not have much cryptographic strength.
A substitution-permutation network (SPN) is a series of linked S- and P-boxes.
The AES Algorithm
(Animation)
AES: Cryptanalysis
For specific keys and a reduced number of rounds, attacks that are faster than brute force have been known since 2009.
The first key-recovery attacks on full AES were published in 2011. They are faster than brute force by a factor of about four. Technically, AES is broken.
However, AES remains secure in practice: all currently known attacks are computationally infeasible.
Side-channel Attacks
Side-channel attacks do not exploit weaknesses in the underlying cipher, but rely on information gained from physical implementations of the cipher on systems that inadvertently leak data.
Timing, power monitoring, and differential fault analysis (i.e., deliberately introducing errors into a computation) are commonly exploited side channels.
Side-channel attacks on AES implementations are known that determine the key, e.g., by carefully measuring the time required for encryption/decryption.
Modes of Operation
Modes of Operation
A mode of operation enables the repeated and secure use of a block cipher under a single key.
Longer messages first need to be split into blocks of suitable size, possibly using padding.
Often, randomization based on an additional input value, called an initialization vector, is used to encrypt each block safely.
Electronic Codebook (ECB)
Cipher-Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter
Exercises
Exercises
1. Describe a chosen plaintext attack on the Hill cipher (assuming m is known). How many plaintext elements are necessary to determine the key?
2. Discuss whether the classical block ciphers presented in the course satisfy confusion or diffusion.
3. Compute the encryption of the following plaintext
3243F6A8 885A308D 313198A2 E0370734
using the 128-bit key
2B7E1516 28AED2A6 ABF71588 09CF4F3C
under the (initial and) first round of AES.
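A worked version of exercise 3, and of the round structure behind the AES animation slide, added here as an example that is not part of the lecture: one AES-128 round in Python, with the S-box derived from its GF(2^8) definition rather than typed in as a table. The plaintext and key of the exercise are the ones used in the cipher example of FIPS-197, Appendix B, so every intermediate state can be checked against that appendix.

```python
def gf_mul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (FIPS-197, section 4.2)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):
    """S-box: multiplicative inverse in GF(2^8), then the affine map b ^ rotl(b,1..4) ^ 0x63."""
    inv = next((y for y in range(256) if gf_mul(x, y) == 1), 0)
    rots = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(1, 5)]
    return inv ^ rots[0] ^ rots[1] ^ rots[2] ^ rots[3] ^ 0x63
SBOX = [sbox_entry(x) for x in range(256)]  # computed, not typed in; e.g. SBOX[0x53] == 0xED

def round_key_1(key):
    """One step of the key expansion: words w4..w7 from the cipher key words w0..w3."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    temp = [SBOX[b] for b in w[3][1:] + w[3][:1]]  # RotWord, then SubWord
    temp[0] ^= 0x01                                 # Rcon[1]
    for i in range(4, 8):
        temp = [a ^ b for a, b in zip(w[i - 4], temp)]
        w.append(temp)
    return [b for word in w[4:] for b in word]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # s[4*c + r] holds row r of column c; row r is rotated left by r positions
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s):
    # column a0..a3 becomes b_r = 2*a_r ^ 3*a_{r+1} ^ a_{r+2} ^ a_{r+3} (indices mod 4)
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gf_mul(2, a[r]) ^ gf_mul(3, a[(r + 1) % 4]) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def aes_first_round(plaintext, key):
    """State after the initial AddRoundKey and round 1 (SubBytes, ShiftRows, MixColumns, AddRoundKey)."""
    s = add_round_key(list(plaintext), list(key))
    s = mix_columns(shift_rows(sub_bytes(s)))
    return bytes(add_round_key(s, round_key_1(key)))

if __name__ == "__main__":
    pt = bytes.fromhex("3243F6A8885A308D313198A2E0370734")   # plaintext from exercise 3
    key = bytes.fromhex("2B7E151628AED2A6ABF7158809CF4F3C")  # 128-bit key from exercise 3
    print(aes_first_round(pt, key).hex())
```

The state is kept column-major (sixteen bytes, four per column), which is the layout FIPS-197 uses for its input and output blocks.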