• Pseudo-Random Functions (PRF)
• Proof that CBC Based on a PRF is Good
• Probabilistic Encryption
• Substitution-Permutation Networks
• Linear Cryptanalysis
• Differential Cryptanalysis
• The DES Cryptosystem
• Produces a random looking bit stream by encrypting the different values r, r+1, … for a random block r
• The stream (S1,S2,…) is then xor’ed onto the plaintext and S is sent along
• A stream cipher
[Figure: four copies of E_K, applied to r, r+1, …, produce the bit stream]
Cryptography Course 2008, Lecture 4, Jesper Buus Nielsen: Modern Block Ciphers, 7/43
Pseudo-Random Function
• Both CBC mode and Xor mode are secure if the output of E_K(m) looks random even if one is given m
• We will formalize this requirement and call a function with this property a PRF
• All modern block ciphers are designed to be PRFs
• We then prove that CBC is secure when based on a PRF
A Game of Two Worlds
Oracle 1: a random key K is chosen; the attacker A sends m and receives C = E_K(m)
Oracle 2: a uniformly random function R is chosen; the attacker A sends m and receives C = R(m)
The game: b is picked at random; the attacker A sends queries m to oracle b, receives the replies C, and finally outputs a guess c at b
advantage(A) = Pr[c=b] – ½
PRF
• Adv(t,q) = maximum over advantage(A) for all attackers A running in time t and making at most q queries
• An encryption function E_K is called a (t,q,ε)-PRF if Adv(t,q) ≤ ε
• We call ε the error probability
• With current technology it is sufficient to consider t=2^60, and one would have to be very paranoid not to tolerate an error probability of ε=2^-60
• We can often control q ourselves
CBC with PRF
• We prove that CBC mode for encrypting L blocks is a good PRF if the underlying block cipher is a good PRF
• We use: E_K: {0,1}^m → {0,1}^m
• We get: CBC_K: {0,1}^{Lm} → {0,1}^{Lm}
• So, as soon as we have one good PRF, we can get a good PRF for longer blocks and thereby encrypt long blocks
– Can e.g. encrypt the picture as one block
Hybrids Proof
• We use a so-called hybrids proof
• We describe three oracles
– O1: Contains CBC_K: {0,1}^{Lm} → {0,1}^{Lm}
– O2: Is a trick
– O3: Contains a random function {0,1}^{Lm} → {0,1}^{Lm}
• Let Adv_{O,O'} be the best advantage in distinguishing O and O'
• To show that CBC_K is a PRF we have to show that Adv_{O1,O3} is small
• We show that Adv_{O1,O2} and Adv_{O2,O3} are small
• It is easy to see that Adv_{O1,O3} ≤ Adv_{O1,O2} + Adv_{O2,O3}
• It follows that Adv_{O1,O3} is small
O1: CBC Mode with EK
[Figure: CBC mode chaining the four blocks m1, m2, m3, m4 through E_K into C1, C2, C3, C4]
• This is just CBC_K: {0,1}^{Lm} → {0,1}^{Lm}
O2: CBC with Random Function R
[Figure: the same CBC chain over m1, m2, m3, m4 with the random function R in place of E_K]
• We use a uniformly random function R instead of EK
• As a consequence the outputs are uniformly random and independent until two inputs to R are the same
The Proof (1/3)
• Advantage in distinguishing O1 and O2 is
Adv_{O1,O2}(t,q) ≤ Adv_{E_K,R}(t,Lq)
• If we plug E_K respectively R into the CBC chain below we get O1 or O2
• So, a distinguisher for O1 and O2 can be turned into a distinguisher for E_K and R
– It uses L queries for each CBC encryption
[Figure: the CBC chain over m1, m2, m3, m4 with the block function left open, to be filled with E_K or R]
O3: A Random Function
[Figure: a single random function R mapping the whole input m1 m2 m3 m4 to the output C1 C2 C3 C4]
• Here R is a random function from Lm bits to Lm bits
The Proof (2/3)
• Advantage in distinguishing O2 and O3 is
Adv_{O2,O3}(t,q) ≤ (Lq)^2/2^m
• The two oracles both output independent uniformly random values until two inputs are the same, at which point they behave differently
• Such a collision happens with probability less than Q^2/2^m after Q queries
– There are less than Q^2 pairs of inputs and each pair collides with probability 1/2^m
[Figure: the CBC chain over m1, m2, m3, m4 with the random function R]
The Proof (3/3)
• Advantage in distinguishing O1 and O3 is
Adv_{O1,O3}(t,q) ≤ Adv_{E_K,R}(t,Lq) + (Lq)^2/2^m
• And Adv_{O1,O3}(t,q) = Adv_{CBC_K,R}(t,q)
• So, if E_K is a good PRF and well below the square root of 2^m blocks are encrypted in total, then CBC_K is a good PRF
Probabilistic Encryption
• Block ciphers with large blocks still have the problem that the same message sent twice gives the same ciphertext
– If we encrypt and send Friedman twice it will be obvious that the same message was sent twice!
• To protect against this we can e.g. add an initial random block to ensure that all plaintexts are unique (except with very small probability)
– Called randomized encryption when the encryption adds its own randomness r
– Note that Xor mode is already randomized
Semantic Security
Oracle 1: random key K, new random r each time; the attacker A sends m and receives C = E_K(m,r)
Oracle 2: random key K, new random m' and r each time; the attacker A sends m and receives C = E_K(m',r)
The game: b is picked at random; the attacker A sends queries m to oracle b, receives the replies C, and finally outputs a guess c at b
advantage(A) = Pr[c=b] – ½
Probabilistic Encryption
• Oracle 1: Given the same m twice it replies with E_K(m) and E_K(m)
• Oracle 2: Given the same m twice it replies with E_K(m') and E_K(m'')
• Semantic security says that these replies cannot be distinguished
– The same message encrypted twice looks like encryptions of independent values!
– Strong guarantee!
• Clearly requires that E_K is randomized
In Search of Good PRFs
• Given a good PRF we can build semantically secure cryptosystems!
• A lot of attention in symmetric cryptography goes into designing and breaking PRF candidates
• Most used design is Substitution-Permutation Networks (SPNs)
• Most used cryptanalytic methods are linear cryptanalysis and differential cryptanalysis
• Best known PRF candidates are DES and AES
SPNs
• Use substitution of small blocks and transposition like the cryptosystem from Lecture 1
• The substitution and transpositions are, however, fixed and known
• A key is added using Vernam’s one-time pad after each iteration of substitution and transposition
– Called key mixing
SPN
[Figure: an SPN over several rounds; each round applies four substitution boxes ("sub", called S-boxes) to the block, transposes the bits, and mixes in a round key; the network ends with key mixing]
• For m rounds, m keys K1,…,Km are used
– Called key schedule
– Derived from one key K, often in a simple manner like selecting subsets of the bits of K
SPN
[Figure: the same SPN diagram]
• In transposition: c'[j] := c[i]
• In key mixing: c''[j] := c'[j] ⊕ K_r[j]
• All linear: c''[j] := c[i] + K_r[j] mod 2
SPN
[Figure: the same SPN diagram]
• Linear cryptosystems are easy to break!
– Like the affine cipher
• Substitution is the only non-linear component
• Makes non-linearity of S-boxes important!
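To check the slides' claim in code, here is an added example (not from the lecture) of a constructed two-round, 16-bit SPN with four 4-bit S-boxes, a fixed transposition and xor key mixing; the S-box, the transposition and the round keys are all sample values chosen for this example. With the S-box swapped for the identity only the linear parts remain and the whole cipher is affine over GF(2), which `is_affine` confirms by checking every 16-bit input; with the S-box back in place the check fails.

```python
# Added example (not from the lecture): a constructed two-round, 16-bit SPN.
# Four 4-bit S-boxes, a fixed bit transposition and xor key mixing, as on the
# slides.  Swapping the S-box for the identity leaves only the linear parts.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # sample 4-bit S-box
IDENTITY = list(range(16))                         # "no substitution"
# Transposition: output bit j takes input bit PERM[j] (fixed and known).
PERM = [4 * (j % 4) + j // 4 for j in range(16)]
ROUND_KEYS = [0x3A94, 0xC71E, 0x5B02]              # constructed key schedule

def substitute(block, sbox):
    """Apply the 4-bit S-box to each of the four nibbles of a 16-bit block."""
    out = 0
    for nib in range(4):
        out |= sbox[(block >> (4 * nib)) & 0xF] << (4 * nib)
    return out

def transpose(block):
    """c'[j] := c[i] with i = PERM[j]; a rewiring of bits, hence linear."""
    out = 0
    for j in range(16):
        out |= ((block >> PERM[j]) & 1) << j
    return out

def encrypt(x, sbox=SBOX, rounds=2):
    """rounds x (key mixing, substitution, transposition), then a final key mixing."""
    c = x
    for r in range(rounds):
        c ^= ROUND_KEYS[r]            # c''[j] := c'[j] xor K_r[j]
        c = substitute(c, sbox)       # the only step that can be non-linear
        c = transpose(c)
    return c ^ ROUND_KEYS[rounds]     # end with key mixing

def is_affine(f):
    """True iff f(x) = f(0) xor (xor of d_i over the set bits i of x) for all
    16-bit x, where d_i = f(e_i) xor f(0): exactly the affine maps over GF(2)."""
    f0 = f(0)
    deltas = [f(1 << i) ^ f0 for i in range(16)]
    for x in range(1 << 16):
        pred = f0
        for i in range(16):
            if (x >> i) & 1:
                pred ^= deltas[i]
        if f(x) != pred:
            return False
    return True

if __name__ == "__main__":
    print("identity S-box, cipher affine:", is_affine(lambda x: encrypt(x, IDENTITY)))
    print("real S-box, cipher affine:    ", is_affine(lambda x: encrypt(x, SBOX)))
```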
Linear Cryptanalysis
• Tries to approximate the S-boxes by linear equations
• Examples:
1. Bit 3 in output of S-box always equal to xor of bit 2 and 4 in input
2. Xor of bit 2 and 3 in output of S-box equal to xor of bit 1 and 4 in input with probability 75%
• Typically patterns involve more bits and have correlation closer to ½
– ½ is equal to being completely non-linear
• We do an attack using pattern 1
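An added example, not from the lecture, of how one measures the approximability of an S-box by linear equations as the slide describes: it builds the linear approximation table of a sample 4-bit S-box (the S-box values are chosen for this example) and lists the relations whose probability is furthest from ½. Patterns like the slide's examples 1 and 2 show up as counts of 16 (always) or 12 (75%) out of the 16 inputs.

```python
# Added example (not from the lecture): the linear approximation table (LAT)
# of a 4-bit S-box.  For an input mask a and output mask b it counts the x
# with parity(a & x) == parity(b & S[x]), i.e. how often the xor of the
# masked input bits equals the xor of the masked output bits.  A count of
# 8 of 16 means no linear relation; 16 (or 0) means a relation that always
# holds, like pattern 1 on the slide.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # sample 4-bit S-box

def parity(v):
    """Xor of all bits of v."""
    return bin(v).count("1") & 1

def lat_count(sbox, a, b):
    """Number of inputs x in 0..15 with parity(a & x) == parity(b & sbox[x])."""
    return sum(parity(a & x) == parity(b & sbox[x]) for x in range(16))

def bias(sbox, a, b):
    """Probability that the linear relation (a, b) holds, minus 1/2."""
    return lat_count(sbox, a, b) / 16 - 0.5

def best_approximations(sbox):
    """All (a, b, bias) over non-zero masks, strongest first.  A designer
    wants the largest |bias| as close to 0 as possible; 1/4 is poor."""
    rows = [(a, b, bias(sbox, a, b)) for a in range(1, 16) for b in range(1, 16)]
    return sorted(rows, key=lambda r: -abs(r[2]))

def mask_to_bits(mask):
    """Bit numbers (1 = most significant) selected by a 4-bit mask."""
    return [i + 1 for i in range(4) if (mask >> (3 - i)) & 1]

if __name__ == "__main__":
    for a, b, e in best_approximations(SBOX)[:5]:
        print(f"xor of input bits {mask_to_bits(a)} = xor of output bits "
              f"{mask_to_bits(b)} with probability {0.5 + e:.4f}")
```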
Linear Cryptanalysis
[Figure: the SPN with one linear trail marked by the bits a, b, c, d, e, f, g, h, i, j and the key bits k1, k2, k3]
• c = a ⊕ b
• f = d ⊕ e
• g = c ⊕ k1
• h = f ⊕ k2
• i = h ⊕ g
• j = i ⊕ k3
• j = a ⊕ b ⊕ d ⊕ e ⊕ k1 ⊕ k2 ⊕ k3 = a ⊕ b ⊕ d ⊕ e ⊕ F(K)
Linear Cryptanalysis
[Figure: the same linear trail through the SPN]
• j = a ⊕ b ⊕ d ⊕ e ⊕ F(K)
• For fixed key K either j = a ⊕ b ⊕ d ⊕ e ⊕ 1 or j = a ⊕ b ⊕ d ⊕ e
– Let us assume the first and do a KPA
Linear Cryptanalysis
[Figure: the linear trail through the SPN; the plaintext x and the ciphertext y1 y2 y3 y4 are known, j is known, and the last-round key bits k1 k2 k3 k4 are unknown]
• j = a ⊕ b ⊕ d ⊕ e ⊕ 1 with probability 1
• Decrypt y1 y2 y3 y4 with all k1 k2 k3 k4 and the inverse sub
– Discard those where j is not the expected value
– Correct key is never discarded
– Incorrect keys are discarded with probability around ½
Linear Cryptanalysis
• Repeat for n plaintext/ciphertext pairs (x,y)
• The correct k1k2k3k4 is never discarded
• The incorrect k1k2k3k4 are discarded with probability around 1 - (½)^n, which soon goes to 1
• Allows finding the correct k1k2k3k4 using a few plaintext/ciphertext pairs
• In a full attack more so-called active S-boxes are used to learn more key bits
– When enough are found an exhaustive search is done
Linear Cryptanalysis
• Typically the relation is not certain
– E.g. j = a ⊕ b ⊕ d ⊕ e with probability ½ + 0.01
• In this case there are many false negatives
– Correct key does not give the expected j
• Then one takes the key which matched for most pairs (x,y)
– MANY more pairs are needed to “see through the noise”
Differential Cryptanalysis
• We call (Δin, Δout) a differential if it holds with high probability for (x1,y1) and (x2,y2) that: x1 ⊕ x2 = Δin ⇒ z1 ⊕ z2 = Δout
– z is the ciphertext after m-1 rounds of encryption
– Differentials for S-boxes can be turned into differentials for rounds
– Differentials for rounds can be combined into differentials for the first m-1 rounds
• Decrypt y1 and y2 through some S-boxes and see if z'1 ⊕ z'2 = Δout for the corresponding z-values
– Allows finding some key bits as in linear cryptanalysis
Differential Cryptanalysis
• Often the probability of the combined differential is not very far from the probability expected for a random function
• Then the attack requires a lot of different pairs (x1,y1) and (x2,y2) with x1 ⊕ x2 = Δin and z1 ⊕ z2 = Δout to “see through the noise”
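An added example, not from the lecture, of the S-box differentials the slides start from: it computes the difference distribution table of a sample 4-bit S-box (values chosen for this example), compares each entry against the 1/16 expected of a random function, and multiplies S-box differentials along a trail to estimate a combined characteristic's probability under the usual independence heuristic.

```python
# Added example (not from the lecture): the difference distribution table
# (DDT) of a 4-bit S-box.  ddt_count(din, dout) is the number of inputs x
# with S[x] xor S[x xor din] == dout, so ddt_count / 16 is the probability
# of the S-box differential (din, dout).  These are the S-box differentials
# the slides combine into differentials for rounds.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # sample 4-bit S-box

def ddt_count(sbox, din, dout):
    """Number of x in 0..15 whose pair (x, x xor din) has output xor dout."""
    return sum((sbox[x] ^ sbox[x ^ din]) == dout for x in range(16))

def differential_probability(sbox, din, dout):
    return ddt_count(sbox, din, dout) / 16

def best_differentials(sbox):
    """Non-trivial (din, dout, probability), most likely first.  For a random
    4-bit function each output difference is expected about 1/16 of the time;
    entries far above that are what an attack chains through the rounds, so a
    designer wants the largest entry as low as possible."""
    rows = [(din, dout, differential_probability(sbox, din, dout))
            for din in range(1, 16) for dout in range(1, 16)]
    return sorted(rows, key=lambda r: -r[2])

def characteristic_probability(sbox, trail):
    """Probability of a multi-round characteristic given as the list of S-box
    differentials (din, dout) it passes through, assuming the rounds are
    independent (the usual heuristic when combining round differentials)."""
    p = 1.0
    for din, dout in trail:
        p *= differential_probability(sbox, din, dout)
    return p

if __name__ == "__main__":
    for din, dout, p in best_differentials(SBOX)[:5]:
        print(f"input difference {din:#x} -> output difference {dout:#x} "
              f"with probability {p:.4f}")
```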
PRF versus Total Break
• A total break using linear cryptanalysis or differential cryptanalysis often requires a lot of known plaintext/ciphertext pairs
• The existence of a linear relation or differential going all the way to the output bits is, however, enough to show that the function is not a good PRF
– Random functions show no such structure
– So the structure allows one to distinguish the function from a uniformly random one
DES
• Digital Encryption Standard
• USA’s industrial standard from 1977 to 2004
– Now officially replaced by AES
– Still widely used
• We look at AES next week
• An SPN with 16 rounds
• Block size is 64 bits
• Key size is 56 bits
DES Round Function
• Uses a round function F
– Designed to be a PRF, though a rather poor one
• Block size is 32 bits
• Key size is 48 bits
[Figure: F takes R (32 bits) and the round key Ki (48 bits) and outputs C (32 bits)]
DES Round Function
[Figure: the DES round function. The input R (32 bits) goes through transposition and expansion to E (48 bits); E is xor'ed with the round key Ki (48 bits, bits selected from the 56-bit key) to give B (48 bits); B is split into B1 … B8 (6 bits each); each Bi goes through its own S-box Si (substitution with 8 different S-boxes) giving C1 … C8, which together form the output C (32 bits)]
DES Round Function
• The S-boxes are not invertible
– Makes it impossible to “decrypt” the round function
• This is handled using a trick by Feistel
– Turns any function F_K: {0,1}^32 → {0,1}^32 into an invertible function G_K: {0,1}^64 → {0,1}^64
• It is then G which is repeated 16 times, using a different key Ki in each round
Feistel Network
[Figure: one Feistel round. Input halves L (32 bits) and R (32 bits); F is applied to R under the round key K (48 bits) and the result is xor'ed onto L; the output halves are R and L ⊕ F_K(R), so the halves swap]
• Easy to see that this is invertible
• If F is a PRF and the Feistel structure is repeated at least 4 times with independent keys, then the result is a new PRF
– But now an invertible one!
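An added example, not from the lecture, of the Feistel trick applied to a constructed, deliberately non-invertible round function F: both encryption and decryption only ever evaluate F forwards, so nothing inside F (here a non-bijective S-box) needs an inverse. F's round key is 32 bits in this example, a simplification of the 48-bit DES round key and its expansion step.

```python
# Added example (not from the lecture): Feistel's trick.  Any 32-bit round
# function F, even a non-invertible one, gives an invertible 64-bit map
# (L, R) -> (R, L xor F(R, K)).  F here is constructed for the example and,
# unlike DES, takes a 32-bit round key with no expansion step.
MASK32 = 0xFFFFFFFF
# Constructed, deliberately NON-bijective 4-bit S-box: inputs 0xE and 0xF collide.
SBOX = [0x9, 0x3, 0xC, 0x0, 0x6, 0xA, 0x1, 0xD,
        0x4, 0xB, 0x7, 0x2, 0x8, 0x5, 0xE, 0xE]

def F(r, k):
    """Constructed round function: xor the round key, then S-box each nibble.
    Not invertible, because two different inputs can give the same output."""
    v = (r ^ k) & MASK32
    out = 0
    for i in range(8):
        out |= SBOX[(v >> (4 * i)) & 0xF] << (4 * i)
    return out

def feistel_round(left, right, k):
    """One application of G_K: (L, R) -> (R, L xor F(R, K))."""
    return right, left ^ F(right, k)

def encrypt(block, round_keys):
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        left, right = feistel_round(left, right, k)
    return (left << 32) | right

def decrypt(block, round_keys):
    """Undo the rounds in reverse order.  F is only evaluated, never inverted:
    from (R, L xor F(R, K)) we already know R, so recompute F(R, K) and xor."""
    left, right = block >> 32, block & MASK32
    for k in reversed(round_keys):
        left, right = right ^ F(left, k), left
    return (left << 32) | right

ROUND_KEYS = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]  # constructed keys

if __name__ == "__main__":
    m = 0x0123456789ABCDEF
    c = encrypt(m, ROUND_KEYS)
    print(hex(c), decrypt(c, ROUND_KEYS) == m)
```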
Feistel Network
[Figure: two Feistel rounds with round keys K1 (48 bits) and K2 (48 bits), each applying F and swapping the halves L (32 bits) and R (32 bits)]
• DES repeats for 16 rounds!
– (above shows two rounds)
DES
• DES repeats for 16 rounds to deal with the following facts:
– F is not a strong PRF on its own
– The keys are not independent
• Using 16 rounds is exactly enough
– There are linear and differential attacks on reduced-round DES
– Not a coincidence
– The S-boxes and number of rounds were carefully designed to withstand these attacks
DES
• The best linear cryptanalysis of DES (total break) requires 2^43 plaintext/ciphertext pairs
– When implemented in 1994 it took 40 days to generate the pairs and 10 days to find the key
• Hard to get so many pairs in practice!
• Best differential attack is worse
• Best attack on DES is exhaustive search
– 56-bit key is way too short today
– You can buy a special machine for $250,000 which can search all keys in 56 hours (1998 numbers!)
Read
• Chapters 3.1-3.5 in Stinson
• Chapters 4 and 5 in the note Definitions and results on Cryptosystem