Transcript
Symmetric cryptography: challenges and perspectives Bart Preneel
MITACS, Toronto, June 2010
Related key attack: 4 keys, data & time complexity 2^119 << 2^256
KASUMI (A5/3): 4 related keys, 2^26 plaintexts, 2^30 bytes memory, 2^32 time
Should I worry about a related key attack?
• very hard in practice (except for control vector and some old US banking schemes)
• if you are vulnerable to a related key attack, you are making very bad implementation mistakes
[Figure: key (256 bits) → key schedule → round keys; plaintext → round, round, ..., round → ciphertext]
• this is a very powerful attack model: if an opponent can zeroize (= AND 0) 224 key bits of his choice (rather than ⊕ C) he can find the key in a few seconds for any cipher with a 256-bit key
• if you are worried, hashing the key is an easy fix
Keeloq [Smit+/-’85] aka the M$10 cipher
• block length: 32
• key length: 64
• rounds: 528
• security goal: can’t distinguish ciphertext from random string (IND-ROR = indistinguishability of real or random)
• capability of an opponent: ciphertext only, chosen plaintext, chosen ciphertext, adaptive chosen ciphertext
[Bellare+97] CBC is IND-ROR secure against chosen plaintext attack
• consider the block cipher AES with a block length of n bits; denote the advantage to distinguish it from a pseudo-random permutation by Adv_AES/PRP
• consider an adversary who can ask q chosen plaintext queries to a CBC encryption: Adv_ENC/CBC ≤ 2 Adv_AES/PRP + (q²/2) 2^-n + (q² - q) 2^-n
• reduction is tight as long as q²/2 << 2^n or q << 2^(n/2)
CBC and the birthday paradox (1)
• matching lower bound:
  – collision C_i = C_j implies C_{i-1} ⊕ P_i = C_{j-1} ⊕ P_j
  – collision expected after q = 2^(n/2) blocks
  – DES (n = 64): 2^32 blocks or 32 Gigabyte
  – AES (n = 128): 2^64 blocks
[Figure: CBC encryption chain: IV, P_1 → AES → C_1; ... P_{i-1}, P_i → C_{i-1}, C_i; ... P_{j-1}, P_j → C_{j-1}, C_j]
CBC and the birthday paradox (2)
• the ciphertext blocks C_i are random n-bit strings, i.e., drawn from a set of size S = 2^n
• if we collect r = √(2^n) = 2^(n/2) ciphertext blocks, with high probability there exist two identical ciphertext blocks, that is, indices i and j such that C_i = C_j
CBC (in-)security
• CBC is very easy to distinguish (thus weak) under a chosen ciphertext attack:
  – decrypting C || C || C yields P’ || P || P
[Figure: CBC decryption of C || C || C with AES^-1: IV ⊕ AES^-1(C) = P’, C ⊕ AES^-1(C) = P, C ⊕ AES^-1(C) = P]
J.P. Degabriele and K.G. Paterson, Attacking the IPsec Standards in Encryption-only Configurations, IEEE Symposium on Privacy and Security, 2007.
B. Canvel, A.P. Hiltgen, S. Vaudenay and M. Vuagnoux, Password Interception in a SSL/TLS Channel, CRYPTO 2003, LNCS 2729.
Layers
applications
protocols
primitives
algorithms
assumptions
Proofs: link security at different levels in a quantitative way
L.R. Knudsen: "If it is provably secure, it is probably not"
Limitations of provable security
• adversary needs to respect restrictions (of course)
  – chosen ciphertext versus chosen plaintext
  – blockwise adaptive attackers
• assumptions need to be valid (of course)
  – DES is not an ideal cipher: [DES_K’(X’)]’ = DES_K(X), where ’ denotes bitwise complement
  – DESX = K1 ⊕ DES_K(X ⊕ K2) has some “strange” properties under related key attacks
  – do one-way functions exist? (best known result is functions that are a factor 2 harder to invert than to compute)
• proof needs to be correct/complete (of course)
• implementation needs to be correct (of course)
Limitations of provable security
• multiple instances often not addressed
• assume specific computational models (Turing machines, RAM model) but other models may be more relevant
  – full cost
  – quantum computers
• provable security may overemphasize one aspect of security
• still, provable security can help to
  – gain confidence by understanding
  – compare schemes when deciding on industry standards
CounTer Mode (CTR): C_i = P_i ⊕ E_K(CTR_i), CTR_i++
state initialized with random IV, or CTR_0 = IV
[Figure: encryption P_i ⊕ AES_K(CTR_i) = C_i; decryption C_i ⊕ AES_K(CTR_i) = P_i]
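The CBC properties on the preceding slides (the birthday collision C_i = C_j exposing P_i ⊕ P_j = C_{i-1} ⊕ C_{j-1}, and the C || C || C chosen-ciphertext pattern) together with the CTR mode just described, worked through in code. This is an added example, not the speaker's code: a constructed 16-bit Feistel cipher keyed through SHA-256 stands in for AES so that the 2^(n/2) birthday bound is only 2^8 and a collision shows up within a few thousand blocks; key, IV and plaintext blocks are constructed sample data.

```python
"""Toy CBC / CTR demonstration (added example). A 16-bit Feistel cipher keyed via
SHA-256 plays the role of AES; it is a constructed toy, not a real cipher."""
import hashlib
import random

N_BITS = 16                       # toy block length n (AES has n = 128)
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
BLOCK_MASK = (1 << N_BITS) - 1
ROUNDS = 8


def _round_fn(key, rnd, half):
    # constructed keyed round function: first byte of SHA-256(key || round || half)
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_encrypt(key, block):
    """Feistel network: a permutation on 16-bit blocks, standing in for E_K."""
    left, right = block >> HALF, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << HALF) | right


def toy_decrypt(key, block):
    left, right = block >> HALF, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << HALF) | right


def cbc_encrypt(key, iv, blocks):
    """C_i = E_K(P_i xor C_{i-1}) with C_0 = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt(key, p ^ prev)
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    """P_i = D_K(C_i) xor C_{i-1}."""
    out, prev = [], iv
    for c in blocks:
        out.append(toy_decrypt(key, c) ^ prev)
        prev = c
    return out


def cbc_birthday_leak(key, iv, blocks):
    """Encrypt under CBC, find the first collision C_i == C_j (i < j) and return
    (i, j, leak_holds), where leak_holds checks C_{i-1} ^ P_i == C_{j-1} ^ P_j.
    Because E_K is a permutation this always holds, so an observer learns
    P_i ^ P_j = C_{i-1} ^ C_{j-1} from the ciphertext alone."""
    cts = cbc_encrypt(key, iv, blocks)
    chain = [iv] + cts            # chain[k] = C_k, chain[0] = IV
    seen = {}
    for j, c in enumerate(cts, start=1):
        if c in seen:
            i = seen[c]
            lhs = chain[i - 1] ^ blocks[i - 1]   # C_{i-1} xor P_i (blocks[i-1] is P_i)
            rhs = chain[j - 1] ^ blocks[j - 1]   # C_{j-1} xor P_j
            return i, j, lhs == rhs
        seen[c] = j
    return None                   # no collision among the given blocks


def cbc_ccc_pattern(key, iv, c):
    """Chosen-ciphertext distinguisher: decrypting C || C || C gives P' || P || P,
    so the second and third plaintext blocks are always equal."""
    p = cbc_decrypt(key, iv, [c, c, c])
    return p[1] == p[2]


def ctr_crypt(key, iv, blocks):
    """C_i = P_i xor E_K(CTR_i) with CTR_0 = IV and CTR_i = IV + i mod 2^n.
    The same call decrypts, since XOR is its own inverse."""
    return [p ^ toy_encrypt(key, (iv + i) & BLOCK_MASK) for i, p in enumerate(blocks)]


def demo(num_blocks=4096, seed=1):
    rng = random.Random(seed)                   # constructed, reproducible sample data
    key = b"toy-key-for-demo"
    iv = rng.getrandbits(N_BITS)
    plaintext = [rng.getrandbits(N_BITS) for _ in range(num_blocks)]
    assert cbc_decrypt(key, iv, cbc_encrypt(key, iv, plaintext)) == plaintext
    assert ctr_crypt(key, iv, ctr_crypt(key, iv, plaintext)) == plaintext
    # 4096 blocks >> 2^(n/2) = 256, so a CBC ciphertext collision is essentially certain
    return cbc_birthday_leak(key, iv, plaintext), cbc_ccc_pattern(key, iv, 0x1234)


if __name__ == "__main__":
    (i, j, leaks), pattern = demo()
    print(f"CBC collision C_{i} = C_{j}; P_i xor P_j leaked: {leaks}; C||C||C pattern: {pattern}")
```

With n = 128 the same collision needs about 2^64 blocks, which is exactly the (q²/2) 2^-n term in the Bellare et al. bound; the toy cipher only shrinks n so the effect is visible.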
Block ciphers: conclusions
• several mature block ciphers available
• security well understood
  – modes of operation
  – security against statistical attacks (differential, linear) and structural attacks
• more work:
  – algebraic attacks
  – related key attacks
  – understanding of structural tradeoffs
• what are the limitations for lightweight block ciphers?
Model of a practical stream cipher
[Figure: K and IV determine the initial state; a next-state function updates the state; an output function produces a keystream that “looks” random, which is added to P to give C]
Moore’s Law: computation/storage 2000-2020
[Figure: log-scale plot (1 to 1,000,000) over 2000–2016 of microprocessor performance (Gflops/s), Ethernet speed (Gbps) and storage (Gigabyte/s)]
Stream ciphers
• historically very important (compact)
  – LFSR-based: A5/1, E0 – practical attacks known
  – software-oriented: RC4 – serious weaknesses
  – block cipher in CTR or OFB (slower)
• today:
  – many broken schemes
  – lack of standards and open solutions
  – standards: SNOW 2.0, SNOW 3G, MUGI, Rabbit, DECIM, K2, ...
A5/1 stream cipher (GSM)
[Figure: three LFSRs with clock-control taps (labels 0, 18, 21, 22 visible); clock control: registers agreeing with the majority are clocked (2 or 3)]
• exhaustive key search: 2^64 (or rather 2^54)
• search 2 smallest registers: 2^43 values – a few steps to verify a guess
• [BB05]: 10 minutes on a PC with 3-4 minutes of ciphertext only
Bluetooth stream cipher
• brute force: 2^128 steps
• [Lu+05]: 24 known bits of 2^24 frames, 2^38 computations, 2^33 memory
A simple cipher: RC4 (1987)
• designed by Ron Rivest (MIT)
• leaked in 1994
• S[0..255]: secret table derived from user key K
Key setup (the key K is shorter than 256 bytes and is reused cyclically):
  for i = 0 to 255: S[i] := i
  j := 0
  for i = 0 to 255:
    j := (j + S[i] + K[i mod keylength]) mod 256
    swap S[i] and S[j]
  i := 0, j := 0
A simple cipher: RC4 (1987)
Generate key stream which is added to plaintext:
  i := (i + 1) mod 256
  j := (j + S[i]) mod 256
  swap S[i] and S[j]
  t := (S[i] + S[j]) mod 256
  output S[t]
[Figure: table S with entries S[000] = 205, S[001] = 092, S[002] = 013, ..., S[093] = 033, S[094] = 162, S[095] = 079, ..., S[254] = 099, S[255] = 143; pointers i, j, t; in the example S[i] and S[j] are 162 and 92]
RC4: weaknesses
• was used with 40-bit key – US export restrictions until Q4/2000
• best known general shortcut attack: 2^300
• weak keys and key setup (shuffle theory)
• some statistical deviations
  – e.g., 2nd output byte is biased
  – solution: drop first 256 bytes of output
• problem with resynchronization modes (WEP)
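The RC4 key setup and keystream generator from the two slides above, plus a measurement of the statistical deviation mentioned on this slide (the second output byte is biased towards zero) and of the "drop the first 256 bytes" fix. This is an added example, not the speaker's code; the random 16-byte keys are constructed test data and the zero-frequency function is a constructed measurement, not part of RC4.

```python
"""RC4 (added example): KSA, keystream generation, and a check of the
second-output-byte bias before and after dropping the first 256 bytes."""
import random


def rc4_ksa(key):
    """Key setup: S[0..255] derived from the user key K (K reused cyclically)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, length, drop=0):
    """Return `length` keystream bytes after discarding the first `drop` bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for n in range(drop + length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        if n >= drop:
            out.append(S[t])
    return bytes(out)


def rc4_crypt(key, data, drop=0):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key, len(data), drop)
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(num_keys=10000, seed=0, drop=0):
    """Fraction of random 16-byte keys for which the 2nd keystream byte (counted
    after `drop` discarded bytes) equals 0. A uniform keystream would give about
    1/256; raw RC4 gives about 2/256 (the bias on this slide), and the bias
    disappears once the first 256 bytes are dropped."""
    rng = random.Random(seed)                # constructed, reproducible keys
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            zeros += 1
    return zeros / num_keys


if __name__ == "__main__":
    msg = b"constructed sample plaintext"
    assert rc4_crypt(b"Key", rc4_crypt(b"Key", msg)) == msg
    print("Pr[Z_2 = 0], raw RC4  : %.5f  (uniform: %.5f)" % (second_byte_zero_rate(), 1 / 256))
    print("Pr[Z_2 = 0], drop 256 : %.5f" % second_byte_zero_rate(6000, drop=256))
```

The measured raw rate sits near 2/256 rather than 1/256, which is why a keystream observer can tell RC4 output from random after seeing a few thousand second bytes under different keys; dropping the start of the keystream removes this particular deviation but not the weak-key or WEP resynchronisation problems listed above.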
Cryptanalysis of stream ciphers: key size k bits, internal memory m bits
• exhaustive key search: 2^k encryptions
• time-memory trade-off: s = min(m, k)
  – time T, memory M, data D, precomputation P
  – Babbage-Golic: T · M = 2^s, D = T and P = M
  – Biryukov-Shamir: T · M² · D² = 2^(2s), T > D² and P = 2^s/D
• solution: larger key and/or larger IV
Time-memory-data trade-offs: 128-bit key
Example: D = 2^40, T = 2^80, M = 2^48, P = 2^88
[Figure: bar chart of log Time, log Memory, log Precomputation for this example]
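Checking the example figures against the trade-off curves above (an added worked derivation, not from the slides; it assumes the internal memory satisfies m ≥ 128 so that s = min(m, k) = 128). The point does not lie on the Babbage-Golic curve, since D = 2^40 ≠ T = 2^80, but it satisfies every Biryukov-Shamir condition:

```latex
\begin{aligned}
s &= \min(m, k) = 128, \\
T \cdot M^2 \cdot D^2 &= 2^{80} \cdot (2^{48})^2 \cdot (2^{40})^2 = 2^{80 + 96 + 80} = 2^{256} = 2^{2s}, \\
T &= 2^{80} = D^2 \quad (\text{the constraint } T > D^2 \text{ is met at the boundary}), \\
P &= 2^{s} / D = 2^{128} / 2^{40} = 2^{88}.
\end{aligned}
```

The precomputation P = 2^88 is the cost the attacker pays once; the per-attack cost is T = 2^80 with D = 2^40 keystream data, which is why the slide recommends a larger key and/or IV (raising s) rather than relying on k = 128 alone.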
Open competition for stream ciphers http://www.ecrypt.eu.org
• run by ECRYPT
  – high performance in software (32/64-bit): 128-bit key
  – low-gate count hardware (< 1000 gates): 80-bit key
  – variants: authenticated encryption
• 29 April 2005: 33 submissions
• many broken in first year
• end of competition: April 2008
The eSTREAM Portfolio, Apr. 2008 (Rev1 Sept. 2008), in alphabetical order
Hardware (1500..3000 gates): F-FCSR-H, Grain v1, MICKEY v2, Trivium
Software (3-10 cycles per byte): HC-128, Rabbit, Salsa20/12, Sosemanuk
Performance reference data (Pentium M 1.70GHz Model 6/9/5)
[Figure: two bar charts for RC4, HC-128, DES, 3-DES, AES: encryption speed (cycles/byte, scale 0..120) and key setup (cycles, scale 0..35000)]
Low cost hw: throughput versus area
[Figure: throughput (Kbps, 0..900) at a 100 KHz clock versus gate equivalents (0..6000), technology in 10 nm; points with reference numbers: AES (13), AES (35), mCRYPTON-96 (13), PRESENT-128 (18), HIGHT (25), PRESENT-80 (18), TEA (18), MISTY1 (18), CLEFIA (9), KATAN (18), TDEA (9), GRAIN (13), Trivium (13), GRAIN[8] (13), Trivium[8] (13), Enocoro-80[8] (18)]
Stream ciphers: conclusions
• substantial progress made in last 5 years
  – concrete designs
  – data-time-memory tradeoffs
• 80-bit security implies 160-bit memory (seems to be a lower bound)
• many designs still “at the edge” (quite risky)
• expect further progress
This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision).
→ h → 1A3FD4128A198FB3CA345932
• MDC (manipulation detection code)
• protect short hash value rather than long text
MAC Algorithms
• CBC-MAC: EMAC and CMAC
• HMAC
• GCM and GMAC
• authenticated encryption
CBC-MAC based on AES (LMAC)
[Figure: P1 → AES → C1; P2 ⊕ C1 → AES → C2; P3 ⊕ C2 → AES → C3; select leftmost 64 bits of C3 as the MAC]
security level against forgery: 2^64 text/MAC pairs
NIST prefers CMAC: requires only 1 block cipher key
HMAC based on MDx, SHA
[Figure: HMAC = f2(K1, f1(K2, x)) with inner hash f1 keyed by K2 and outer hash f2 keyed by K1]
Hash     | Rounds in f1 | Rounds in f2 | Data complexity
MD5      | 64           | 33 of 64     | 2^126 CP
SHA-1    | 80           | 43 of 80     | 2^154.9 CP
SHA(-0)  | 80           | 80           | 2^109 CP
MD5      | 64           | 64           | 2^51 CP & 2^100 time (RK)
MD4      | 48           | 48           | 2^88 CP & 2^95 time
• measure: time, power, electromagnetic radiation, sound
• introduce faults (even in CPUs – bug attacks)
• combine with statistical analysis and cryptanalysis
• software: API attacks
• major impact on implementation cost
Sun Tzu, The Art of War: In war, avoid what is strong and attack what is weak
L.R. Knudsen: "It is not cryptanalysis, it is vandalism"
Classification of Physical Attacks
• active versus passive
  – active: perturbate and conclude
  – passive: observe and infer
• invasive versus non-invasive
  – invasive: open package and contact chip
  – semi-invasive: open package, no contact
  – non-invasive: no modification
• side channel: passive and non-invasive
  – very difficult to detect
  – often cheap to set up
  – often: need lots of measurements, automation
• circuit modification: active and invasive
  – expensive to detect invasion (chip might be without power)
  – very expensive equipment and expertise required
[Figure: 2×2 grid of active/passive versus invasive/non-invasive]
Power or EM attack
[Figure: measurement setup. Main PC runs the acquisition software, emits commands to the card through a card reader and card extension (GCR) inside a protection box, arms the oscilloscope and retrieves the files; the scope triggers on the IO line and acquires the current waveform over a resistor R; files are transferred to a server that stores them and runs the treatment software]
A simple attack on RSA
Key value: 2E C6 91 5B F9 4A
[Figure: power trace of the exponentiation; each nibble of the key is read off the trace as its bit pattern]
2 → 0010, E → 1110, C → 1100, 6 → 0110, 9 → 1001, 1 → 0001, 5 → 0101, B → 1011, F → 1111, 9 → 1001, 4 → 0100, A → 1010
Active attacks (semi-invasive): fault injection
semi-invasive: exploit faulty behavior provoked by physical stress applied to the device
[www.new-wave.com]
– laser fault injection allows to target a relatively small surface area of the target device
– laser pulse frequency ~ 50 Hz
– fully automated scan of chip surface
– once you have a weak spot: perturbate and exploit
Timing attacks on AES software implementations
• variable execution time typically associated with “if then else”, rotations, multiplications
• due to cache effects, several fast software implementations can be broken
  – e.g., AES in OpenSSL: 65 milliseconds
• fixes:
  – implementations: first version 2/3 times slower, today even faster than original ones
  – special cache for crypto algorithms
  – hardware crypto
• cache attacks apply to any cryptographic algorithm that uses tables
Cryptology + side channels
[Figure: Alice’s clear text enters a CRYPTOBOX and leaves as %^C&@&^(; Bob’s CRYPTOBOX turns it back into clear text; Eve sits between the two and observes both the channel and the boxes’ side channels]
Challenges for crypto
• security for 50-100 years
• authenticated encryption of Terabit/s networks
• ultra-low power/footprint
• secure software and hardware implementations
• algorithm agility
[Figure: trade-off triangle with corners performance, cost and security]
The power challenge: AES-128 speed/power for various platforms (Joule/Gb)
[Figure: for CMOS, FPGA, PIII, C - Emb. Sparc and Java - Emb. Sparc: speed (1 Kbit/s to 1 Gbit/s), power (mWatt to Watt) and power/speed (1 to 10^6)]
[Figure: demand in applications (low → high) versus maturity (low → high) for block ciphers, hash functions, stream ciphers, MAC, public key operations, simple protocols and sophisticated protocols]
http://www.ecrypt.eu.org/lightweight/
Conclusions
• major challenges remain in cryptographic algorithm design
• pushing the limits requires specific solutions
  – high end: parallelism
  – low end: RFID, sensor nodes, co-processor for 8-bit CPU, ...
• symmetric crypto with < 1500 gates is feasible
  – cost is then dominated by memory (2 to 8 gates per bit)
  – energy consumption may be high
  – software: RAM usage is critical
• challenges for implementers: upgrading algorithms and implementation attacks