Symmetric Key Cryptography
Jooyoung Lee
School of Computing (GSIS), KAIST
Outline
1. Introduction to Symmetric Key Crypto
2. Stream Ciphers
3. Block Ciphers
   3.1 DES
   3.2 AES
   3.3 Modes of Operations
   3.4 Key Exhaustive Search and Meet-in-the-Middle Attack
(Symmetric Key) Cryptography
• Message privacy: concealing the content of messages via encryption schemes, modes of operation, etc.
• Message integrity: preventing an adversary from making unnoticed changes to a message via message authentication codes, authenticated modes of operation, etc.
Communication Over an Insecure Channel
[Figure: Alice (good) sends a message x to Bob (good) over an insecure channel; Oscar (bad) can read x as it passes.]
Symmetric Key Cryptography
[Figure: Alice computes y = e_k(x) and sends y over the insecure channel; Bob recovers x = d_k(y). The key k was shared beforehand over a secure channel; Oscar only sees y.]
• x, y, k are called plaintext, ciphertext and key, respectively
• The set of all possible keys is called the key space
• We write y = e_k(x) and x = d_k(y)
• d_k(e_k(x)) = x for every key k
The problem of transmitting a message securely is reduced tothe problems of transmitting a key secretly and of storing thekey in a secure fashion.
A Message is a Binary String: ASCII Code

ASCII Code

Row      Column number (bits 6, 5, 4)
(bits    000  001  010  011  100  101  110  111
3-0)
0000     NUL  DLE  SP   0    @    P    `    p
0001     SOH  DC1  !    1    A    Q    a    q
0010     STX  DC2  "    2    B    R    b    r
0011     ETX  DC3  #    3    C    S    c    s
0100     EOT  DC4  $    4    D    T    d    t
0101     ENQ  NAK  %    5    E    U    e    u
0110     ACK  SYN  &    6    F    V    f    v
0111     BEL  ETB  '    7    G    W    g    w
1000     BS   CAN  (    8    H    X    h    x
1001     HT   EM   )    9    I    Y    i    y
1010     LF   SUB  *    :    J    Z    j    z
1011     VT   ESC  +    ;    K    [    k    {
1100     FF   FS   ,    <    L    \    l    |
1101     CR   GS   -    =    M    ]    m    }
1110     SO   RS   .    >    N    ^    n    ~
1111     SI   US   /    ?    O    _    o    DEL

The ASCII code of a character is found by combining its column number (given in 3-bit binary) with its row number (given in 4-bit binary). The column number forms bits 6, 5 and 4 of the ASCII code, and the row number forms bits 3, 2, 1 and 0.
Example of use: to get the ASCII code for the letter "n", locate it in column 110, row 1110. Hence its ASCII code is 1101110.
The control-code mnemonics are given in the table; e.g. CR for Carriage Return, LF for Line Feed, BEL for the bell, DEL for Delete.
The space character is ASCII 0100000 and is shown as SP.
Source: Microprocessor Systems 1 (3D1) CS3D1, ASCII Code Table

Ex) "A" is represented by "1000001".
Key Length
Should be secure against exhaustive key search

Definition (Basic exhaustive key search)
Let (x, y) denote a pair of plaintext and ciphertext, and let $K = \{k_1, \ldots, k_N\}$ be the key space of all possible keys $k_i$. Exhaustive key search checks for every $k_i \in K$ whether or not
$d_{k_i}(y) = x$.
If the equality holds, a possible correct key is found; if not, proceed with the next key.

• If an encryption algorithm uses n-bit keys, then exhaustive key search requires $O(2^n)$ computational steps (on average half of the key space, i.e. $2^{n-1}$ trial decryptions, has to be tested)
• If there is a smarter attack whose complexity is less than $O(2^n)$, then the encryption algorithm is said to be "broken" (even if the attack is not practical)
Key Length
How many key bits are enough?
• Only relevant if exhaustive key search is the best known attack
• The key lengths for symmetric and asymmetric algorithms are dramatically different

Time for exhaustive key search on symmetric algorithms

Key length     Security estimation
56-64 bits     short term: a few hours or days
112-128 bits   long term: several decades without quantum computers
256 bits       long term: several decades even with quantum computer algorithms
Stream Ciphers vs. Block Ciphers
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
• Stream ciphers encrypt bits individually
• Block ciphers encrypt an entire block of plaintext bits at a time with the same key
• Each key defines a permutation on $\{0,1\}^b$, where b is the block length
• Most block ciphers have a block length of 128 bits (AES) or 64 bits (DES, 3DES)
Design Principles for Block Ciphers
• Confusion: the influence of one key bit is spread over many ciphertext bits.
• Diffusion: the influence of one plaintext bit is spread over many ciphertext bits.
• The goal of diffusion is to hide statistical properties of the plaintext.
• Achieved by substitution boxes (S-boxes) and permutation boxes (P-boxes).
• Iteration: substitution and permutation boxes are iterated, producing a product cipher.
Confusion
[Figure: the same plaintext x is encrypted with DES under two keys that differ in a single bit, k1 = 0010 1011 and k2 = 0000 1011, giving very different ciphertexts y1 = 1011 1001 and y2 = 0110 1100 (illustrative 8-bit values).]

Diffusion
[Figure: two plaintexts that differ in a single bit, x1 = 0010 1011 and x2 = 0000 1011, are encrypted with DES under the same key k, giving very different ciphertexts y1 = 1011 1001 and y2 = 0110 1100 (illustrative 8-bit values).]
SP Network vs. Feistel Network

SP Network
[Figure: substitution-permutation network; source: http://en.wikipedia.org/wiki/File:SubstitutionPermutationNetwork2.png]

Feistel Network
[Figure: Feistel network on the two halves L and R; in each round the round key $K_i$ enters the round function f, whose output is XORed into the other half (rounds with $K_0$, $K_1$, $K_2$, $K_3$ shown).]
• The round function f also uses an SPN. It should behave like a random function.
Confusion and Diffusion
• Failure to achieve confusion may allow an attack that is faster than exhaustive key search.
• What if a block cipher with n-bit blocks and a 2n-bit key could be written as
$E_{k_1 \| k_2}(x) = F_{k_1}(x) \| F_{k_2}(x)$
for some keyed function F? Then the two key halves can be attacked independently: the left half of a known ciphertext is matched against the $2^n$ candidates for $k_1$ and the right half against the $2^n$ candidates for $k_2$, at a total cost of about $2 \cdot 2^n$ instead of $2^{2n}$.
• Failure to achieve diffusion may allow a statistical attack (e.g., letter frequency analysis).
A Substitution Cipher Using an Arbitrary Table
Idea: substitute each letter of the alphabet with another one according to an arbitrary table

Example
A B C D E F G H I J K L M
k d w g u z b y s m t f e
N O P Q R S T U V W X Y Z
x v r a i h j c n o l q p

• What is the encryption of "SEVEN YEARS AGO"?
• What is the key of this cipher?
• How many keys can be used?
• How can this cipher be attacked?
Cryptanalysis of a Substitution Cipher
Observation: each plaintext symbol always maps to the same ciphertext symbol.

1. Frequency of letters in English text (%)
E      T      A     O     N     R     I     S     H     D     L     F     C
13.11  10.47  8.15  8.00  7.10  6.83  6.35  6.10  5.26  3.79  3.39  2.92  2.76
M      U      G     Y     P     W     B     V     K     X     J     Q     Z
2.54   2.46   1.99  1.98  1.98  1.54  1.44  0.92  0.42  0.17  0.13  0.12  0.08

2. Most common English bigrams (frequency per 1000 words)
th   he   an   re   er   in   on   at   nd   st   es   en   of   te   ed
168  132  92   91   88   86   71   68   61   53   52   51   49   46   46
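As an added example that is not part of the lecture slides, the following Python program implements the substitution table from the previous slide, encrypts the slide's sample sentence, counts the key space, and runs the letter-frequency attack that the tables above make possible against a constructed English sample paragraph. The paragraph, the function names and the use of the slide's frequency ordering as `ENGLISH_BY_FREQUENCY` are this example's own choices.

```python
from collections import Counter
import math

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# The arbitrary table from the slide: plaintext letter -> ciphertext letter.
SUB_KEY = dict(zip(ALPHABET, "kdwguzbysmtfexvraihjcnolqp"))
INV_KEY = {c: p for p, c in SUB_KEY.items()}

# The key IS the table, so any permutation of the alphabet is a key:
KEY_SPACE_SIZE = math.factorial(26)        # 26! ~ 4.0e26 ~ 2^88, hopeless to search

# English single-letter frequencies from the slide, most frequent first.
ENGLISH_BY_FREQUENCY = "ETAONRISHDLFCMUGYPWBVKXJQZ"


def substitute(text, table):
    """Apply a letter table; characters not in the table (spaces, ...) pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def encrypt(plaintext):
    return substitute(plaintext.upper(), SUB_KEY)


def decrypt(ciphertext):
    return substitute(ciphertext, INV_KEY)


def frequency_attack(ciphertext):
    """Ciphertext-only attack. Each plaintext letter always maps to the same
    ciphertext letter, so letter frequencies survive encryption: pair the
    ciphertext letters (most frequent first) with the English letters (most
    frequent first) and use that pairing as a guessed key."""
    counts = Counter(ch for ch in ciphertext if ch.isalpha())
    guessed = {c: p for (c, _), p in zip(counts.most_common(), ENGLISH_BY_FREQUENCY)}
    return guessed, substitute(ciphertext, guessed)


def attack_accuracy(guessed):
    """Fraction of the 26 table entries the frequency guess got right."""
    return sum(guessed.get(c) == p for p, c in SUB_KEY.items()) / 26


# Constructed sample text (not from the slides); longer texts give better statistics.
SAMPLE = ("THE SECRET MESSAGE WAS SENT SEVEN YEARS AGO AND EVERY LETTER WAS REPLACED BY "
          "THE SAME SUBSTITUTE EACH TIME IT APPEARED WHICH MEANS THE FREQUENCIES OF THE "
          "ENGLISH LETTERS ARE PRESERVED IN THE CIPHERTEXT AND THE MOST FREQUENT SYMBOL "
          "IS VERY LIKELY TO BE THE LETTER E")

if __name__ == "__main__":
    print(encrypt("SEVEN YEARS AGO"))                     # hunux qukih kbv
    guessed, recovered = frequency_attack(encrypt(SAMPLE))
    print(f"{attack_accuracy(guessed):.0%} of the table recovered from frequencies alone")
    print(recovered)
```

The answers to the slide's questions follow directly: the key is the table itself (a permutation of 26 letters), there are 26! of them, and yet the cipher falls to a ciphertext-only attack because it has no diffusion. The most frequent ciphertext letter is almost always E; the remaining guesses are refined by hand with the bigram table (e.g. the pair that appears most often is "th"). A large key space is necessary for security but nowhere near sufficient.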
Stream Ciphers
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
1. Synchronous stream ciphers use a key stream that depends only on the key (most stream ciphers)
2. Asynchronous stream ciphers use a key stream that depends on the key and the ciphertext

Remark
1. Block ciphers are used more often than stream ciphers
2. Stream ciphers tend to be more efficient than block ciphers: suitable for highly constrained environments
Stream Ciphers
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
Definition (Stream cipher encryption and decryption)
The plaintext, the ciphertext and the key stream consist of individual bits, i.e., $x_i, y_i, s_i \in \{0,1\}$.
• Encryption: $y_i = e_{s_i}(x_i) = x_i + s_i \bmod 2 = x_i \oplus s_i$
• Decryption: $x_i = d_{s_i}(y_i) = y_i + s_i \bmod 2 = y_i \oplus s_i$

Remark
1. Encryption and decryption are the same function
2. The generation of the key stream is the central issue for the security of stream ciphers (randomness)
Generating "Random" Key Streams
1. True Random Number Generators (TRNG)
   • Based on physical random processes: coin flipping, semiconductor noise, thermal noise, etc.
   • Generate 0 and 1 with probability 1/2
   • Typically used to generate session keys and nonces
2. Pseudorandom Number Generators (PRNG)
   • Computed from an initial seed value
   • Have good statistical properties
3. Cryptographically Secure PRNG (CSPRNG)
   • A PRNG with unpredictability: given n output bits $s_i, s_{i+1}, \ldots, s_{i+n-1}$, it should be computationally infeasible to predict the next bit $s_{i+n}$ (good statistical properties alone are not enough)
An Unbreakable Stream Cipher
As a stream cipher
• TRNG: the key stream itself has to be shared between Alice and Bob ⇒ used in the OTP
• CSPRNG: only a (short) key has to be shared between Alice and Bob

One-Time Pad (OTP)
A stream cipher for which
1. the key stream $s_0, s_1, s_2, \ldots$ is generated by a TRNG, and
2. the key stream is only known to the legitimate communicating parties, and
3. every key stream bit $s_i$ is used only once
is called a one-time pad. The one-time pad is unconditionally secure (i.e., it cannot be broken even with infinite computational resources). Then what is the main drawback of the OTP?
PRNG: Linear Feedback Shift Registers (LFSR)
• Feedback coefficients: $p_0, \ldots, p_{m-1} \in \{0,1\}$ (degree $m$)
• Initial values: $s_0, \ldots, s_{m-1} \in \{0,1\}$
• Recursive relation: $s_{i+m} = \sum_{j=0}^{m-1} p_j \cdot s_{i+j} \bmod 2$, $i \ge 0$
• Characteristic polynomial: $P(x) = x^m + p_{m-1}x^{m-1} + \cdots + p_1 x + p_0$
Linear Feedback Shift Registers (LFSRs)
• Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
• Feedback computes fresh input by XOR of certain state bits
• Degree m given by the number of storage elements
• If $p_i = 1$, the feedback connection is present ("closed switch"), otherwise there is no feedback from this flip-flop ("open switch")
• Output sequence repeats periodically
• Maximum output length: $2^m - 1$
Chapter 2 of Understanding Cryptography by Christof Paar and Jan Pelzl
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
• Very efficient, easy to implement!
PRNG: Linear Feedback Shift Registers (LFSR)
Linear Feedback Shift Registers (LFSRs): Example with m = 3
• LFSR output described by the recursive equation $s_{i+3} = s_{i+1} + s_i \bmod 2$
• Maximum output length (of $2^3 - 1 = 7$) achieved only for certain feedback configurations, e.g., the one shown here.

clk   FF2   FF1   FF0 = s_i
0     1     0     0
1     0     1     0
2     1     0     1
3     1     1     0
4     1     1     1
5     0     1     1
6     0     0     1
7     1     0     0
8     0     1     0

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Example
1. With an initial state of $(s_2, s_1, s_0) = (1, 0, 0)$, compute $s_i$ for $i = 0, \ldots, 14$.
2. What is the period of this LFSR sequence?
3. Can we construct an LFSR with period > 7?
4. As a stream cipher, what is the weakness of this LFSR?
PRNG: Linear Feedback Shift Registers (LFSR)
Theorem
The maximum sequence length generated by an LFSR of degree m is $2^m - 1$.

Proof.
The m internal register bits of an LFSR determine the next bit, and hence the whole future output. Therefore, as soon as an LFSR returns to a previous state, it starts to repeat. The m register bits can take $2^m$ values, but the all-zero state has to be excluded: from it the LFSR outputs only zeros and never leaves it. So at most $2^m - 1$ distinct states can occur before a repetition, and the maximum sequence length is $2^m - 1$.

Remark
For every m ≥ 1 there exist polynomials of degree m over GF(2) called "primitive". An LFSR whose characteristic polynomial is primitive generates a sequence of the maximum length $2^m - 1$ from every nonzero initial state.
Security of an LFSR as a CSPRNG
• In a known-plaintext attack, the attacker is assumed to know some plaintext and the corresponding ciphertext.
• This means the attacker knows a certain number of key stream bits (ciphertext XOR plaintext).
• When the initial values are used as the key (with public feedback coefficients): vulnerable to a known-plaintext attack with m key stream bits, since those bits are the initial state itself.
• When the feedback coefficients are used as the key: vulnerable to a known-plaintext attack with 2m key stream bits, which give m linear equations in the m unknown coefficients; solving them (Gaussian elimination over GF(2)) reveals the whole future key stream.
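The following Python code is an added example, not part of the slides. It implements the LFSR recurrence defined above, reproduces the m = 3 example (initial state $(s_2, s_1, s_0) = (1,0,0)$, recurrence $s_{i+3} = s_{i+1} + s_i$), measures the period, and carries out the known-plaintext attack from the last bullet: from 2m key stream bits it builds m linear equations over GF(2), solves them by Gaussian elimination and predicts the rest of the key stream. The function names are this example's own.

```python
def lfsr_sequence(coeffs, init, n):
    """Run an LFSR of degree m = len(coeffs).
    coeffs = (p_0, ..., p_{m-1}), init = (s_0, ..., s_{m-1});
    returns s_0 .. s_{n-1} with s_{i+m} = sum_j p_j * s_{i+j} mod 2."""
    m = len(coeffs)
    s = list(init)
    while len(s) < n:
        i = len(s) - m
        s.append(sum(p * s[i + j] for j, p in enumerate(coeffs)) % 2)
    return s[:n]


def period(coeffs, init):
    """Smallest T > 0 after which the m-bit state repeats (at most 2^m - 1 for a
    nonzero state). None if the start state is never reached again (p_0 = 0)."""
    m = len(coeffs)
    seq = lfsr_sequence(coeffs, init, 2 ** m + m)
    start = tuple(seq[:m])
    return next((t for t in range(1, 2 ** m + 1) if tuple(seq[t:t + m]) == start), None)


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2); returns the unique solution or None if singular."""
    m = len(rows)
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(m):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [aug[r][m] for r in range(m)]


def recover_feedback(keystream, m):
    """Known-plaintext attack on an LFSR whose feedback coefficients are the key.
    From 2m key stream bits s_0..s_{2m-1} (ciphertext XOR known plaintext) set up
    the m equations  s_{m+i} = sum_j p_j s_{i+j},  i = 0..m-1,  and solve for p."""
    if len(keystream) < 2 * m:
        raise ValueError("need at least 2m key stream bits")
    rows = [[keystream[i + j] for j in range(m)] for i in range(m)]
    rhs = [keystream[m + i] for i in range(m)]
    p = solve_gf2(rows, rhs)
    return None if p is None else tuple(p)


def predict(keystream, m, n_more):
    """Recover the coefficients, then extend the known key stream by n_more bits."""
    coeffs = recover_feedback(keystream, m)
    if coeffs is None:
        return None, []
    full = lfsr_sequence(coeffs, keystream[:m], len(keystream) + n_more)
    return coeffs, full[len(keystream):]


if __name__ == "__main__":
    coeffs, init = (1, 1, 0), (0, 0, 1)          # x^3 + x + 1; state (s2, s1, s0) = (1, 0, 0)
    print(lfsr_sequence(coeffs, init, 15), "period", period(coeffs, init))
    observed = lfsr_sequence(coeffs, init, 6)   # 2m = 6 key stream bits from known plaintext
    print(predict(observed, 3, 9))              # recovered (p0, p1, p2) and the next 9 bits
```

The attack needs only 2m bits because the LFSR is linear: once the coefficients are known, the attacker clocks the register forward exactly as the legitimate receiver does. Passing statistical randomness tests, which a maximum-length LFSR does, therefore says nothing about unpredictability.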
Problems
1. (a) Find every irreducible polynomial of degree 3 over GF(2). (b) Describe the LFSR defined by each irreducible polynomial. (c) With IV = (1,1,1), compute the first 10 output bits.
2. With the recurrence $s_{i+3} = s_{i+1} + s_i$ and a secret IV, the LFSR produces 110... (the first bit listed is the most recently produced one). What are the next three output bits?
3. An LFSR of degree 4 with the maximum sequence length produces 01101011.... What are the next four output bits?
An Example of CSPRNG: Trivium
Trivium uses LFSRs as its building blocks

A Modern Stream Cipher - Trivium
• Three nonlinear LFSRs (NLFSR) of length 93, 84, 111
• XOR-sum of all three NLFSR outputs generates the key stream $s_i$
• Small in hardware:
  • Total register count: 288
  • Non-linearity: 3 AND gates
  • 7 XOR gates (4 with three inputs)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Initialization:
1. Load the 80-bit IV into A
2. Load the 80-bit key into B
3. Set $c_{109} = c_{110} = c_{111} = 1$ and all other bits to 0
4. Clock the cipher 4 × 288 = 1152 times (no key stream is output during this warm-up)
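An added Python implementation of Trivium, written for this page from the eSTREAM specification; it is neither the slides' code nor the cipher designers' reference code. It uses the specification's loading order (the 80-bit key goes into the first, 93-bit register and the 80-bit IV into the second, 84-bit register; the slide, following Paar and Pelzl, labels the registers A and B the other way round), the reference code's least-significant-bit-first byte convention, the tap positions s66, s93, s162, s177, s243, s288 and the three AND gates of the specification. The register and helper names are this example's own. The last function shows why a (key, IV) pair must never be reused with a synchronous stream cipher.

```python
def _bits(data):
    """Bytes -> bits, least-significant bit of each byte first (reference-code convention)."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def _pack(bits):
    """Bits -> bytes, inverse of _bits."""
    return bytes(sum(bits[8 * j + i] << i for i in range(8)) for j in range(len(bits) // 8))


def trivium_keystream(key, iv, nbytes):
    """Generate nbytes of Trivium key stream from an 80-bit key and an 80-bit IV."""
    if len(key) != 10 or len(iv) != 10:
        raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
    reg1 = _bits(key) + [0] * 13          # s1 ..s93  (93 bits): key, then zeros
    reg2 = _bits(iv) + [0] * 4            # s94..s177 (84 bits): IV, then zeros
    reg3 = [0] * 108 + [1, 1, 1]          # s178..s288 (111 bits): zeros, last three bits set
    out = []
    for clk in range(4 * 288 + 8 * nbytes):
        t1 = reg1[65] ^ reg1[92]          # s66  + s93
        t2 = reg2[68] ^ reg2[83]          # s162 + s177
        t3 = reg3[65] ^ reg3[110]         # s243 + s288
        if clk >= 4 * 288:                # first 1152 clocks are warm-up: no output
            out.append(t1 ^ t2 ^ t3)      # key stream bit = XOR of the three register outputs
        t1 ^= (reg1[90] & reg1[91]) ^ reg2[77]     # + s91*s92   + s171  (the three AND gates
        t2 ^= (reg2[81] & reg2[82]) ^ reg3[86]     # + s175*s176 + s264   are the only
        t3 ^= (reg3[108] & reg3[109]) ^ reg1[68]   # + s286*s287 + s69    non-linearity)
        reg1 = [t3] + reg1[:-1]           # shift every register by one, feeding the new bit in
        reg2 = [t1] + reg2[:-1]
        reg3 = [t2] + reg3[:-1]
    return _pack(out)


def trivium_xor(key, iv, data):
    """Encrypt or decrypt (same operation): data XOR key stream."""
    return bytes(d ^ k for d, k in zip(data, trivium_keystream(key, iv, len(data))))


def iv_reuse_leak(key, iv, m1, m2):
    """Two messages under the same (key, IV) share the key stream, so
    c1 XOR c2 = m1 XOR m2: the attacker learns the XOR of the plaintexts without the key."""
    c1, c2 = trivium_xor(key, iv, m1), trivium_xor(key, iv, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key, iv = bytes(range(10)), bytes([0xAA]) * 10         # constructed sample key and IV
    print(trivium_keystream(key, iv, 16).hex())
    print(trivium_xor(key, iv, trivium_xor(key, iv, b"round trip")))
```

Before using an implementation like this for anything real, check it against the published eSTREAM test vectors; the bit-ordering conventions (which bit of a key byte becomes s1, and how key stream bits are packed into bytes) are exactly where independent implementations disagree.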
History of DES
• The National Bureau of Standards (NBS) initiates a request for proposals for a standardized cipher in the US (1972)
• IBM submits a block cipher based on Lucifer that encrypts 64-bit blocks using 128-bit keys (1974)
• Lucifer is a family of ciphers developed by Horst Feistel in the late 1960s
• The NBS requests the help of the National Security Agency (NSA)
• Key length reduced from 128 bits to 56 bits
• The NBS releases all specifications of the modified IBM cipher as the Data Encryption Standard (DES) (1977)
• Because of its short key length it was used only until 1999 and was then replaced by the Advanced Encryption Standard (AES)
Security of DES

Exhaustive key search
• Feasible due to the short key length (56-bit keys)
• Could break DES in 6.4 days at a cost of $10,000 (2008)

Analytical attacks
• Differential cryptanalysis (DC) and linear cryptanalysis (LC)
• We say a block cipher is "broken" when an analytical attack is faster than exhaustive key search
• DES is secure against DC in practice (the attack on the full 16 rounds needs $2^{47}$ chosen plaintexts), but if the number of rounds is small, DC breaks it easily
• DES is broken by LC, but the attack is not practical: $2^{43}$ known plaintext-ciphertext pairs are needed
Overview of the DES Algorithm
[Figure: DES as a 64-bit block cipher with a 56-bit key; a single bit flip in the input causes many bit flips in the output.]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Encryption
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
16-round Feistel structure
1. Input: $L_0 \| R_0$
2. $(L_i, R_i) = (R_{i-1},\; L_{i-1} \oplus f(R_{i-1}, k_i))$ for $i = 1, \ldots, 16$
3. Output: $L_{16} \| R_{16}$

Property
The Feistel structure is a permutation for any round keys $k_i$, whether or not the round function f is invertible: each round is undone by $R_{i-1} = L_i$ and $L_{i-1} = R_i \oplus f(L_i, k_i)$, which only evaluates f in the forward direction.

Property
Encryption and decryption of the Feistel structure (with no swap in the last round, i.e. output $R_{16} \| L_{16}$) differ only in the key schedule: decryption is the same function with the round keys applied in reverse order.
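An added Python example of the two properties, not taken from the slides and not DES itself: a 64-bit Feistel network whose round function is a truncated SHA-256 of $(R_{i-1}, k_i)$, deliberately chosen to be non-invertible, plus a toy key schedule that stands in for DES's PC-1/PC-2 rotations. `decrypt` is literally `encrypt` with the round keys reversed, which only works because the swap after the last round is omitted. All names and the sample key are this example's own.

```python
import hashlib

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def f(right, round_key):
    """Round function: truncated SHA-256 of (R_{i-1}, k_i). It is NOT invertible, and
    the structure never needs f^-1 (DES uses expansion, S-boxes and P here)."""
    data = right.to_bytes(4, "big") + round_key.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block, round_keys):
    """Feistel rounds on a 64-bit block: (L_i, R_i) = (R_{i-1}, L_{i-1} xor f(R_{i-1}, k_i)).
    The swap is omitted after the last round (output R_n || L_n); that is what makes the
    same routine decrypt when it is fed the round keys in reverse order."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        left, right = right, left ^ f(right, k)
    return ((right << 32) | left) & MASK64


def encrypt(block, round_keys):
    return feistel(block, round_keys)


def decrypt(block, round_keys):
    return feistel(block, list(reversed(round_keys)))   # same function, reversed key schedule


def toy_key_schedule(key56, rounds=16):
    """16 round keys of 48 bits from a 56-bit key by rotating it one bit per round.
    DES instead applies PC-1, per-round rotations of the two halves, and PC-2."""
    keys = []
    for _ in range(rounds):
        key56 = ((key56 << 1) | (key56 >> 55)) & ((1 << 56) - 1)
        keys.append(key56 & ((1 << 48) - 1))
    return keys


def roundtrip_ok(block, key56):
    ks = toy_key_schedule(key56)
    return decrypt(encrypt(block, ks), ks) == block


if __name__ == "__main__":
    ks = toy_key_schedule(0x133457799BBCDF)              # constructed 56-bit sample key
    ct = encrypt(0x0123456789ABCDEF, ks)
    print(hex(ct), hex(decrypt(ct, ks)))
```

Because every block decrypts correctly, the map is injective on 64-bit blocks and hence a permutation, for every choice of round keys. Swapping the hash for the DES f-function and the toy schedule for PC-1/PC-2 turns this skeleton into DES; the Feistel part does not change.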
DES Encryption
Chapter 3 of Understanding Cryptography by Christof Paar and Jan Pelzl

Initial and Final Permutation
• Bitwise permutations.
• Inverse operations.
• Described by tables IP and $IP^{-1}$.
[Figure: Initial Permutation IP and Final Permutation $IP^{-1}$]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
• They do not increase the security of DES
• Probably included for efficient hardware implementation
DES Encryption
The f-function
[Figure: the f-function: Expansion E (32 to 48 bits), XOR with the 48-bit round key, eight S-boxes (6-bit input, 4-bit output), Permutation P]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Example
What is $S_1(100101)$?
DES Key Schedule Algorithm
[Figure: Permuted Choice PC-1 (64-bit key to 56 bits, split into the halves $C_0$ and $D_0$)]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Key Schedule Algorithm
[Figure: Permuted Choice PC-2 (56 bits to the 48-bit round key $k_i$)]
• In rounds i = 1, 2, 9, 16: the two halves are rotated left by one bit
• In the other rounds: the two halves are rotated left by two bits
• Note that $(C_0, D_0) = (C_{16}, D_{16})$: the rotations add up to 28 bits
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Decryption
Reversed key schedule
• No rotation in round 1
• In rounds i = 2, 9, 16: the two halves are rotated right by one bit
• In the other rounds: the two halves are rotated right by two bits
• With the same round keys in reverse order, the encryption and the decryption functions are the same!
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
[Figure: the encryption key schedule (left rotation by one bit in rounds 1, 2, 9, 16, by two bits otherwise) next to the decryption key schedule (no rotation in round 1, right rotation by one bit in rounds 2, 9, 16, by two bits otherwise)]
History of AES
• US NIST (National Institute of Standards and Technology) announced that 3DES should be used instead of DES (1996)
• However, 3DES is slow and its block size is too small for certain applications (hash functions, etc.)
• NIST called for proposals for a new Advanced Encryption Standard (AES) as an open process (1997)
• Requirements
  • 128-bit block size
  • 128-, 192- and 256-bit keys supported
  • security relative to other submissions
  • efficiency in software and hardware
• 15 algorithms collected (1998)
• 5 finalists announced (1999): Mars (IBM), RC6 (RSA), Rijndael (J. Daemen, V. Rijmen), Serpent (R. Anderson et al.), Twofish (B. Schneier et al.)
• Rijndael was chosen as the AES (2000)
Overview of the AES Algorithm
[Figure: AES takes a 128-bit plaintext x and a 128-, 192- or 256-bit key k and outputs a 128-bit ciphertext y.]

Key length   # rounds
128          10
192          12
256          14
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Round Function
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Round Function: Byte Substitution Layer
S-box: $B_i = S(A_i)$
[Figure: $A_i \to$ GF($2^8$) inverse $\to B'_i \to$ affine mapping $\to B_i$]

1. In $GF(2^8)$ (the finite field with $2^8$ elements), $B'_i = (A_i)^{-1}$ (with $0^{-1} := 0$)
   • $GF(2^8) = GF(2)[x] / \langle x^8 + x^4 + x^3 + x + 1 \rangle$
2. In $GF(2)^8$ (the vector space over GF(2)),
$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$

AES Round Function: Byte Substitution Layer
S-box table lookup: [Table: S(xy) in hexadecimal notation, indexed by the two hex digits x and y of the input byte; not reproduced here]
AES Round Function: Diffusion Layer

ShiftRows Sublayer (the state is a 4 × 4 array of bytes, filled column by column)

B0   B4   B8   B12          B0   B4   B8   B12     no shift
B1   B5   B9   B13   -->    B5   B9   B13  B1      1 position left
B2   B6   B10  B14          B10  B14  B2   B6      2 positions left
B3   B7   B11  B15          B15  B3   B7   B11     3 positions left

MixColumn Sublayer
In $GF(2^8)$, every column of the state is multiplied by a fixed matrix (entries in hexadecimal):
$$\begin{pmatrix} C_0 & C_4 & C_8 & C_{12} \\ C_1 & C_5 & C_9 & C_{13} \\ C_2 & C_6 & C_{10} & C_{14} \\ C_3 & C_7 & C_{11} & C_{15} \end{pmatrix} =
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} B_0 & B_4 & B_8 & B_{12} \\ B_5 & B_9 & B_{13} & B_1 \\ B_{10} & B_{14} & B_2 & B_6 \\ B_{15} & B_3 & B_7 & B_{11} \end{pmatrix}$$
AES Key Schedule Algorithm
[Figure: expansion of the key k into the round keys]
• $RC[i] = x^{i-1}$ in $GF(2^8)$
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Decryption
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Decryption
Inv MixColumn Sublayer
In $GF(2^8)$ (entries in hexadecimal),
$$\begin{pmatrix} B_0 & B_4 & B_8 & B_{12} \\ B_5 & B_9 & B_{13} & B_1 \\ B_{10} & B_{14} & B_2 & B_6 \\ B_{15} & B_3 & B_7 & B_{11} \end{pmatrix} =
\begin{pmatrix} 0E & 0B & 0D & 09 \\ 09 & 0E & 0B & 0D \\ 0D & 09 & 0E & 0B \\ 0B & 0D & 09 & 0E \end{pmatrix}
\begin{pmatrix} C_0 & C_4 & C_8 & C_{12} \\ C_1 & C_5 & C_9 & C_{13} \\ C_2 & C_6 & C_{10} & C_{14} \\ C_3 & C_7 & C_{11} & C_{15} \end{pmatrix}$$

Inv ShiftRows Sublayer

B0   B4   B8   B12          B0   B4   B8   B12     no shift
B5   B9   B13  B1    -->    B1   B5   B9   B13     1 position right
B10  B14  B2   B6           B2   B6   B10  B14     2 positions right
B15  B3   B7   B11          B3   B7   B11  B15     3 positions right

Inv Byte Substitution Layer
Since the S-box is a bijection, an inverse with $A_i = S^{-1}(B_i)$ exists ⇒ it is usually realized as a lookup table.
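The following Python code is an added example; it is not from the slides and not the AES reference code. It builds the S-box exactly as the two steps of the byte substitution layer describe (inverse in $GF(2^8)$ modulo $x^8 + x^4 + x^3 + x + 1$, then the affine map with the matrix and the constant shown), derives the inverse S-box from it, applies the MixColumn and Inv MixColumn matrices to one column, and computes the round constants $RC[i] = x^{i-1}$ of the key schedule. The demo column is a commonly quoted MixColumns test column; the helper names are this example's own.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the modulus of GF(2^8) = GF(2)[x]/<x^8+x^4+x^3+x+1>


def gf_mul(a, b):
    """Multiplication in GF(2^8): shift-and-add with reduction modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF


def gf_inv(a):
    """Multiplicative inverse in GF(2^8), with 0 -> 0 as AES defines it.
    a^255 = 1 for a != 0, so a^-1 = a^254 (square-and-multiply)."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def affine(b):
    """The GF(2)-affine map of the S-box: b_i = b'_i + b'_{i+4} + b'_{i+5} + b'_{i+6} + b'_{i+7} + c_i
    (indices mod 8), i.e. the circulant 8x8 matrix from the slide, with constant c = 0x63."""
    out = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        bit ^= (0x63 >> i) & 1
        out |= bit << i
    return out


def sbox(a):
    return affine(gf_inv(a))


SBOX = [sbox(a) for a in range(256)]
INV_SBOX = [0] * 256
for _a, _s in enumerate(SBOX):
    INV_SBOX[_s] = _a                    # valid because the S-box is a bijection

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """One column of MixColumns: C = M * B over GF(2^8). Pass INV_MIX for the inverse."""
    return [gf_mul(matrix[r][0], col[0]) ^ gf_mul(matrix[r][1], col[1])
            ^ gf_mul(matrix[r][2], col[2]) ^ gf_mul(matrix[r][3], col[3]) for r in range(4)]


def round_constant(i):
    """RC[i] = x^(i-1) in GF(2^8) for i = 1..10, as used by the key schedule."""
    rc = 1
    for _ in range(i - 1):
        rc = gf_mul(rc, 2)              # multiply by x
    return rc


if __name__ == "__main__":
    print(hex(SBOX[0x53]), hex(INV_SBOX[0xED]))           # 0xed 0x53
    col = [0xDB, 0x13, 0x53, 0x45]
    print([hex(v) for v in mix_column(col)])
    print([hex(v) for v in mix_column(mix_column(col), INV_MIX)])
    print([hex(round_constant(i)) for i in range(1, 11)])
```

Generating the table from the algebraic definition rather than pasting 256 constants is a cheap way to catch a corrupted S-box constant in an implementation under review; the two checks worth keeping are that the table is a bijection and that $S(0x53) = 0xED$.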
AES Design Considerations
• In a Feistel cipher, half of the bits are moved but not changed during each round. AES treats all bits uniformly, so the input bits are diffused faster.
• The S-box was constructed in an explicit and simple algebraic way.
• The ShiftRows step resists truncated differential analysis and the Square attack.
• MixColumns causes diffusion among the bytes:
  • A change in one input byte results in all four output bytes changing.
  • Changes in two input bytes result in at least three output bytes changing.

AES Design Considerations
• The key schedule involves nonlinear mixing of the key bits using the S-box.
• An attacker who knows part of the key cannot simply deduce the remaining bits.
• It ensures that two distinct keys do not have a large number of round keys in common.
• The round constants eliminate symmetries in the encryption process by making each round different.
• At the time of the design no attack better than exhaustive key search was known for up to six rounds, and four extra rounds were felt to provide a large enough margin of safety.
DES vs. AES

DES                                                    AES
Feistel network                                        SP network
8 different S-boxes, not 1-1 (6-bit to 4-bit)          A single S-box, 1-1 (8-bit to 8-bit)
Design principle unclear                               Algebraic structure
Encryption = decryption, using round keys in           Encryption ≠ decryption
reverse order
Modes of Operation
• A block cipher by itself allows encryption only of a single data block of the cipher's block length.
• In order to encrypt a variable-length message, the data must first be partitioned into separate cipher blocks.
• Typically, the last block must also be extended to match the cipher's block length using a suitable padding scheme.
• The method of encrypting each of these blocks is called a mode of operation.
• A mode of operation generally uses randomization based on an additional input value, often called an initialization vector (IV), so that encrypting the same message twice does not produce the same ciphertext.
Modes of Operation
• ECB, CBC, OFB, and CFB were specified in FIPS 81, "DES Modes of Operation" (1981).
• NIST added CTR mode in SP 800-38A, "Recommendation for Block Cipher Modes of Operation" (2001).
• NIST added XTS-AES in SP 800-38E, "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices" (2010).
• ECB, CBC, OFB, CFB, CTR, and XTS modes only provide confidentiality; none of them detects modification of the ciphertext.
• Some modern modes of operation combine encryption and authentication in an efficient way, and are known as authenticated modes of operation.
Electronic Codebook Mode (ECB)
[Figure: ECB encryption and decryption; sources: http://en.wikipedia.org/wiki/File:Ecb_encryption.png, http://en.wikipedia.org/wiki/File:Ecb_decryption.png]
• Both the encryption and the decryption algorithm are used
• Identical plaintext blocks map to identical ciphertext blocks (under the same key)
  • image outlines remain distinguishable
• Susceptible to codebook attacks and replay attacks
• Not recommended
[Figure: ECB-encrypted Tux image; source: http://en.wikipedia.org/wiki/File:Tux_ecb.jpg]
Cipher Block Chaining Mode (CBC)
[Figure: CBC encryption and decryption; sources: http://en.wikipedia.org/wiki/File:Cbc_encryption.png, http://en.wikipedia.org/wiki/File:Cbc_decryption.png]
• Invented by IBM in 1976
• Both the encryption and the decryption algorithm are used
• An initialization vector is used
  • The IV does not need to be secret. However, an IV must not be reused under the same key, and it should be unpredictable to the attacker (SP 800-38A)
• Encryption cannot be parallelized / decryption can be parallelized
• A one-bit change to the ciphertext causes
  • complete corruption of the corresponding block of plaintext
  • a one-bit change in the corresponding bit of the following block of plaintext
  (and nothing beyond that: CBC resynchronizes after one block)
Cipher Feedback Mode (CFB)
[Figure: CFB encryption and decryption; sources: http://en.wikipedia.org/wiki/File:Cfb_encryption.png, http://en.wikipedia.org/wiki/File:Cfb_decryption.png]
• Makes a block cipher into an asynchronous stream cipher
• Only the encryption algorithm is used
  • Suitable for a block cipher for which decryption is slower than encryption
• An initialization vector is used
• Encryption cannot be parallelized / decryption can be parallelized
• A one-bit change in the ciphertext causes
  • a one-bit change in the corresponding plaintext block
  • complete corruption of the following plaintext block
Output Feedback Mode (OFB)
[Figure: OFB encryption and decryption; sources: http://en.wikipedia.org/wiki/File:Ofb_encryption.png, http://en.wikipedia.org/wiki/File:Ofb_decryption.png]
• Makes a block cipher into a synchronous stream cipher
• Only the encryption algorithm is used
• An initialization vector is used (it must be a nonce: reusing it under the same key reuses the key stream)
• Encryption and decryption cannot be parallelized
  • However, the key stream can be computed in advance
• A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
Counter Mode (CTR)
[Figure: CTR encryption and decryption; sources: http://en.wikipedia.org/wiki/File:Ctr_encryption.png, http://en.wikipedia.org/wiki/File:Ctr_decryption.png]
• Makes a block cipher into a synchronous stream cipher
• Only the encryption algorithm is used
• A nonce and a counter are used
  • A counter produces a sequence which is guaranteed not to repeat for a long time; the nonce/counter block must never repeat under the same key, since that would reuse key stream
• Encryption and decryption can be parallelized
• A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
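An added example, not from the slides: Python implementations of ECB, CBC and CTR over a 64-bit block function, with the padding step from the first modes slide. The block function `E`/`D` is a placeholder keyed permutation written for this example (it is not a cipher and has no security; any real block cipher such as DES or AES can be substituted), because everything demonstrated depends only on the mode: ECB exposes repeated blocks, a flipped ciphertext bit in CBC destroys one block and flips one bit of the next, and in CTR it flips one bit only. The padding is the PKCS#7 scheme; the names, the sample key and the sample message are this example's own.

```python
BLOCK = 8                                  # 64-bit blocks, as in DES
M64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15                   # odd, hence an invertible multiplier modulo 2^64
ODD_INV = pow(ODD, -1, 1 << 64)


def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & M64


def _rotr(x, r):
    return ((x >> r) | (x << (64 - r))) & M64


def E(key, block):
    """Placeholder keyed 64-bit permutation, NOT a cipher: replace with DES/AES.
    The modes below only need E to be invertible by D."""
    x = int.from_bytes(block, "big") ^ key
    x = _rotl((x * ODD) & M64, 29) ^ key
    return x.to_bytes(BLOCK, "big")


def D(key, block):
    x = _rotr(int.from_bytes(block, "big") ^ key, 29)
    x = ((x * ODD_INV) & M64) ^ key
    return x.to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad(data):
    """PKCS#7: append n bytes of value n (1 <= n <= BLOCK) to reach a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # must not be distinguishable by a remote attacker
    return data[:-n]


def ecb_encrypt(key, pt):
    return b"".join(E(key, b) for b in blocks(pad(pt)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = E(key, xor(b, prev))       # block i needs c_{i-1}: inherently sequential
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))  # needs only c_{i-1}, so blocks can run in parallel
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """CTR: key stream block i = E(nonce || i). One function encrypts and decrypts, no
    padding is needed, blocks are independent; (key, nonce) must never repeat."""
    return b"".join(xor(b, E(key, nonce + i.to_bytes(4, "big")))
                    for i, b in enumerate(blocks(data)))


def ecb_repeats(key, pt):
    """True if equal plaintext blocks show up as equal ciphertext blocks."""
    cbs = blocks(ecb_encrypt(key, pt))
    return len(cbs) != len(set(cbs))


def flip_effect(mode, key, iv, pt, block_index, bit):
    """Flip one ciphertext bit, decrypt, and return the XOR difference to pt, per block."""
    enc, dec = (cbc_encrypt, cbc_decrypt) if mode == "cbc" else (ctr_crypt, ctr_crypt)
    ct = bytearray(enc(key, iv, pt))
    ct[block_index * BLOCK + bit // 8] ^= 1 << (bit % 8)
    return blocks(xor(dec(key, iv, bytes(ct)), pt))


if __name__ == "__main__":
    key, iv, pt = 0x0F1E2D3C4B5A6978, bytes(range(8)), b"ATTACK AT DAWN!!" * 2   # constructed
    print("ECB leaks repeated blocks:", ecb_repeats(key, pt))
    print("CBC, bit 3 of block 1 flipped:", flip_effect("cbc", key, iv, pt, 1, 3))
    print("CTR, bit 3 of block 1 flipped:", flip_effect("ctr", key, iv[:4], pt, 1, 3))
```

Two points a reviewer should take from the bit-flip results: in none of these modes does decryption notice the tampering, which is exactly why the slides call them confidentiality-only and point to authenticated modes; and the precise, predictable one-bit effect in CTR (and in the block after the flipped one in CBC) lets an attacker flip chosen plaintext bits without knowing the key. Any error raised by `unpad` must be indistinguishable to a remote party from any other decryption failure.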
Cryptanalysis
[Figure: taxonomy of attacks. Cryptanalysis splits into classical cryptanalysis (mathematical analysis and brute-force attacks), implementation attacks and social engineering.]
• Classical analysis: tries to recover the plaintext x (or the key k) from the ciphertext y
  • Mathematical analysis: exploits the internal structure of the encryption method
  • Exhaustive key search: treats the encryption algorithm as a black box and tests all possible keys
• Implementation attacks: use power consumption, electromagnetic radiation, runtime behavior, etc.
• Social engineering attacks: include bribing, blackmailing, tricking, espionage, etc.
Cryptanalysis
An attacker looks for the weakest link in your cryptosystem. That means we have to choose strong algorithms, and we also have to make sure that social engineering and implementation attacks are not practical.

Kerckhoffs' Principle
A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.

Question
Doesn't it improve security to keep the details of an algorithm hidden? (This is called security by obscurity.)
Exhaustive Key Search Revisited

Exhaustive Key Search
Let $K = \{k_1, \ldots, k_N\}$ be the key space. Given t plaintext-ciphertext pairs $(x_1, y_1), \ldots, (x_t, y_t)$, check for every $k_i \in K$ whether or not $DES_{k_i}(x_j) = y_j$ for all $j = 1, \ldots, t$. If the equality holds, a possible correct key is found; if not, proceed with the next key.
What if a wrong key k satisfies $DES_k(x_j) = y_j$ for $j = 1, \ldots, t$?

Theorem
Given a block cipher with a key length of $\kappa$ bits and a block size of n bits, as well as t plaintext-ciphertext pairs $(x_1, y_1), \ldots, (x_t, y_t)$, the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is $2^{\kappa - tn}$.
(A wrong key, modelled as a random permutation, matches all t pairs with probability $2^{-tn}$, and there are $2^\kappa - 1 \approx 2^\kappa$ wrong keys.)
Choose t such that $2^{\kappa - tn} \ll 1$.
Increasing the Security of DES: Double Encryption
2DES
[Figure: $y = DES_{k_2}(DES_{k_1}(x))$, two DES encryptions under independent keys $k_1$ and $k_2$.]

Example
What is the size of the key space of 2DES?
Meet-in-the-middle Attack on 2DES
1. Table computation: given a plaintext-ciphertext pair $(x_1, y_1)$, compute $z = DES_k(x_1)$ for every $k \in \{0,1\}^{56}$. Store these values together with k in a list L, sorted or hashed so that lookups are fast.
2. Key matching: compute $w = DES^{-1}_k(y_1)$ for every $k \in \{0,1\}^{56}$. If for some $k^*$
$w^* = DES^{-1}_{k^*}(y_1) = DES_{k^{**}}(x_1)$
is in the list L, then we have
$DES_{k^*} \circ DES_{k^{**}}(x_1) = y_1,$
i.e. $(k^{**}, k^*)$ is a candidate key pair. The attack costs about $2 \cdot 2^{56}$ DES operations and $2^{56}$ memory entries instead of $2^{112}$ operations, so double encryption does not double the effective key length.
Problems
1. What is the expected number of false keys when we use three plaintext-ciphertext pairs $(x_1, y_1), (x_2, y_2), (x_3, y_3)$?
2. What is the number of encryptions, decryptions, and memory locations (of $\kappa + n$ bits) with t = 3?
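An added example that is not part of the slides: the meet-in-the-middle attack run end to end in Python against a double encryption, using a toy block function with a 16-bit block and a 16-bit key (written for this example; it is not a cipher and not secure, and only stands in for DES so that the $2^{16}$-entry table fits in memory and the run takes well under a second). With $\kappa = 32$ key bits and $n = 16$ block bits, the theorem on the previous slide predicts $2^{32-16} = 2^{16}$ false keys after one plaintext-ciphertext pair and $2^{32-64}$ after four, which the example checks. The names and the sample keys are this example's own.

```python
A = 0x9E37                                   # odd, so multiplication is invertible mod 2^16
A_INV = pow(A, -1, 1 << 16)
M16 = 0xFFFF


def E(k, x):
    """Placeholder 16-bit block / 16-bit key permutation standing in for DES (NOT secure)."""
    x = ((x ^ k) * A) & M16
    x = ((x << 7) | (x >> 9)) & M16          # rotate so low output bits depend on many input bits
    return (x + k) & M16


def D(k, y):
    x = (y - k) & M16
    x = ((x >> 7) | (x << 9)) & M16
    return ((x * A_INV) & M16) ^ k


def double_encrypt(k1, k2, x):
    """2E: y = E_{k2}(E_{k1}(x)); the naive key space has 2^32 elements."""
    return E(k2, E(k1, x))


def meet_in_the_middle(pairs):
    """pairs: [(x1, y1), (x2, y2), ...] known plaintext-ciphertext pairs under (k1, k2).
    Returns (surviving key pairs, number of candidates matched by the first pair alone)."""
    x1, y1 = pairs[0]
    # 1. Table computation: z = E_k(x1) for every k, stored for O(1) lookup by z.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(E(k1, x1), []).append(k1)
    # 2. Key matching: w = D_k(y1) for every k; a hit means E_{k2}(E_{k1}(x1)) = y1.
    candidates = [(k1, k2) for k2 in range(1 << 16) for k1 in table.get(D(k2, y1), ())]
    # 3. Eliminate false keys with the remaining pairs (each keeps a false key w.p. 2^-n).
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, x) == y for x, y in pairs[1:])]
    return survivors, len(candidates)


def expected_false_keys(kappa, n, t):
    """The theorem from the slides: 2^(kappa - t*n) false keys consistent with t pairs."""
    return 2.0 ** (kappa - t * n)


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                                  # the secret key pair (constructed)
    xs = [0x0001, 0x0F0F, 0xABCD, 0x5A5A]                    # known plaintexts (constructed)
    pairs = [(x, double_encrypt(k1, k2, x)) for x in xs]
    survivors, after_first = meet_in_the_middle(pairs)
    print("candidates after 1 pair:", after_first, "(theory: %.0f)" % expected_false_keys(32, 16, 1))
    print("survivors after 4 pairs:", [(hex(a), hex(b)) for a, b in survivors])
```

The work is $2 \cdot 2^{16}$ block operations plus a $2^{16}$-entry table, against $2^{32}$ for exhaustive search of the double key. Note how little one pair buys: the first stage returns on the order of $2^{16}$ matching key pairs, and only the extra pairs (t = 3 or 4 here; the slide's problem asks for the same count for DES) isolate the real key.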
Increasing the Security of DES: Triple Encryption
3DES
[Figure: $y = DES_{k_3}(DES^{-1}_{k_2}(DES_{k_1}(x)))$, three DES operations (encrypt, decrypt, encrypt) under the keys $k_1$, $k_2$, $k_3$.]

Problem
Apply the meet-in-the-middle attack to 3DES. What is the number of encryptions, decryptions, and memory locations (of n bits)?