Transcript

David Evans
http://www.cs.virginia.edu/evans

CS588: Security and Privacy
University of Virginia
Computer Science

Lecture 7: Using Block Ciphers

Images from http://rfidanalysis.org/

10 February 2005 University of Virginia CS 588 2

Menu

• PS2

• Modes of Operation

• Differential Cryptanalysis

Sorry, PS1 is not ready to return yet! If you want it back before then, find me at my office tomorrow morning, or get it from Matt during his office hours (2:30-3:30 tomorrow).


Ken Elzinga’s Theory on Writing Mysteries

• Requires:
 – Creativity
 – Discipline

• Very few people can be both

• Most good mystery novels are written by pairs:
 – “Marshall Jevons” = Bill Breit and Ken Elzinga
 – “Ellery Queen” = Manfred Lee and Frederic Dannay


Ken Elzinga’s Theory on Writing Mysteries

• Requires:
 – Creativity
 – Discipline

• Very few people can be both

• Most good mystery novels are written by pairs:
 – Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE)

(Dave Evans’ version: Cryptography; ciphers are designed/broken by small teams)


Creativity vs. Discipline

– Creativity: mostly about breaking rules
– Discipline: mostly about following rules

• Rules = internal consistency, mathematical correctness, sticking with stated assumptions

• US was founded by rebels and has lots of space, so we value creativity most (except in teenagers and soldiers)


RSA [1978]

• Ron Rivest and Adi Shamir tried to find ways to implement public-key cryptography

• Len Adleman poked holes in their first dozen ideas

• Eventually, they found one he couldn’t

• Adleman thought the cipher should be RS (but Rivest convinced him otherwise)

We’ll cover RSA later, after spring break, but you’ve probably heard of it already. It’s the most important cipher invented since the one-time pad (Vernam, 1917).


Overstatement?

“The most important technological breakthrough in the last thousand years.”

Lawrence Lessig
(Possibly an overstatement, but he’s a lawyer)


PS2 Teams

• Must be diverse in at least 2 of these:
 – Nationality
 – Major (CS/Math/ECE/Bioinformatics/other)
 – Year (Grad/4th/3rd/other)
 – Liked breaking two-time pad (yes/no)

• Examples:
 – Australian bioinformatics major can work with anyone
 – USian 4th year CS major who liked breaking two-time pad can’t work with a USian 3rd year CS major unless she/he didn’t like breaking the two-time pad
 – If you can get Ron Rivest, Adi Shamir or Len Adleman on your team, you don’t need to worry about the other rules

Find a partner before leaving today!


Confidentiality Modes of Operation


Modes of Operation

• Transmitting a long plaintext using 3DES: P = P1 || P2 || ... || PN

• Electronic Codebook Mode: C = EK(P1) || EK(P2) || ... || EK(PN)

• Problems:
 – Any identical blocks encrypted identically
  • 64 bits = 8 ASCII characters
  • Reveals lots about your message (even if unbroken)
 – Lots of ciphertext encrypted with same K


Cipher Block Chaining

[Figure: CBC chain. P1 ⊕ IV → DES (key K) → C1 (to receiver); P2 ⊕ C1 → DES (key K) → C2 (to receiver); ...]


Cipher Block Chaining

Ci = EK(Pi ⊕ Ci−1), C1 = EK(P1 ⊕ IV)

Decrypt: Mi = DK(Ci) ⊕ Ci−1, M1 = DK(C1) ⊕ IV

DK(EK(Pi ⊕ Ci−1)) ⊕ Ci−1 = Pi ⊕ Ci−1 ⊕ Ci−1 = Pi


Cipher Feedback Mode

[Figure: CFB mode. A shift register initialised with IV is encrypted with DES (key K); j bits of the output are XORed with P1 to give C1 (to receiver); the j bits of C1 are shifted into the register, which is encrypted again for P2 → C2 (to receiver), ...]

Does the IV need to be secret?


Output Feedback Mode

[Figure: OFB mode. As in CFB, the register initialised with IV is encrypted with DES (key K) and j output bits are XORed with P1 → C1 (to receiver), P2 → C2 (to receiver), ...; the difference is that the j output bits of DES, not the ciphertext bits, are shifted back into the register.]


CFB vs OFB

[Figure: the CFB and OFB diagrams side by side. Both start from IV, encrypt the register with DES (key K), select j bits, and produce C1 from P1 and C2 from P2 (to receiver); the “shift j bits” feedback comes from the ciphertext in CFB and from the cipher output in OFB.]

Which is better for wireless transmissions?
Which is better for preventing message tampering?
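Added example (not part of the lecture): a Python sketch of CFB and OFB with j = 8 bits and an 8-byte register, as drawn above, built on a constructed toy 64-bit Feistel cipher that stands in for DES. Flipping one ciphertext bit shows the difference behind both questions: CFB garbles the damaged byte and the next eight and then resynchronises, while OFB changes exactly the one plaintext bit, so a noisy link hurts less but a deliberate change is just as invisible (neither mode provides integrity; a MAC is needed for that).

```python
import hashlib

KEY = b"constructed demo key"    # constructed sample values, not from the slides
IV = bytes(range(8))
SAMPLE = b"ATTACK AT DAWN, HOLD THE BRIDGE."

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key, block):
    # Constructed 4-round Feistel cipher on 64-bit blocks that stands in for DES so the
    # modes run without an external library (not secure; only the structure matters).
    # Only E_K is defined: like the diagrams, CFB and OFB never run block decryption.
    L, R = block[:4], block[4:]
    for r in range(4):
        L, R = R, xor(L, hashlib.sha256(key + bytes([r]) + R).digest()[:4])
    return L + R

def cfb(key, iv, data, decrypt=False):
    # j = 8 bits: XOR one data byte with the top byte of E_K(register), then shift the
    # CIPHERTEXT byte into the 8-byte register, so a damaged byte drops out 8 steps later.
    reg, out = iv, bytearray()
    for d in data:
        c = toy_encrypt(key, reg)[0] ^ d
        out.append(c)
        reg = reg[1:] + bytes([d if decrypt else c])
    return bytes(out)

def ofb(key, iv, data):
    # j = 8 bits: the cipher OUTPUT byte is fed back, so the keystream never depends
    # on the data and the same function both encrypts and decrypts.
    reg, out = iv, bytearray()
    for d in data:
        o = toy_encrypt(key, reg)[0]
        out.append(o ^ d)
        reg = reg[1:] + bytes([o])
    return bytes(out)

def tamper_effect(key, iv, pt, mode):
    # Flip the top bit of ciphertext byte 0 (a channel error or a deliberate change) and
    # return the indexes of the plaintext bytes the receiver gets wrong.
    ct = ofb(key, iv, pt) if mode == "ofb" else cfb(key, iv, pt)
    bad = bytes([ct[0] ^ 0x80]) + ct[1:]
    rec = ofb(key, iv, bad) if mode == "ofb" else cfb(key, iv, bad, decrypt=True)
    return [i for i, (a, b) in enumerate(zip(pt, rec)) if a != b]

if __name__ == "__main__":
    print("CFB bytes wrong:", tamper_effect(KEY, IV, SAMPLE, "cfb"))  # byte 0 and (almost always) the next 8
    print("OFB bytes wrong:", tamper_effect(KEY, IV, SAMPLE, "ofb"))  # [0] only: one silent bit flip
```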


What does it mean to “break” a cipher?

• Practical:
 – You can determine the plaintext corresponding to some ciphertext without the key
 – You can determine the key given some plaintext-ciphertext pairs


What does it mean to “break” a cipher?

• Academic:
 – You have a technique that does better than brute force (e.g., break 112-bit 3DES with 2^111 max attempts)
 – You have a technique that does better than brute force on a weakened (fewer rounds, smaller block) version of the cipher (e.g., break DES with 15 rounds)
 – You have identified some mathematical weakness in the cipher, but don’t yet know how to use it usefully (e.g., there exist two different keys that map a plaintext to the same ciphertext)


DES Attacks

• Last time:
 – Mostly brute force (guessing all keys)
  • DES keyspace is too small
  • But nowhere near good enough for 3DES
 – Side-Channel: Power Analysis

• Now: Differential Cryptanalysis


Differential Cryptanalysis

• [Biham & Shamir, 1990]

• With enough work (2^47) and enough chosen plaintexts (2^47) can find key (compared to 2^56 brute force work)

• Successful academic attack: takes 3 years of 1.5 Mbps encrypting chosen plaintext to get enough!

• Is a successful practical attack on other ciphers


Differential Cryptanalysis Idea

• Choose plaintext pairs with fixed difference: ΔX = X ⊕ X′

• Use differences in resulting ciphertext to guess key probabilities

• Requires chosen plaintext: attacker chooses plaintext and receives ciphertext (e.g., SpeedyPass challenge-response protocol!)


One Round

[Figure: one DES round drawn twice, for inputs X and X′: 32 bits → E/P → 48 bits → ⊕ Kn → S → 32 bits → P. The intermediate values are labelled X1/X1′ (after E/P), X2/X2′ (after ⊕ Kn), X3/X3′ (after S) and X4/X4′ (after P).]

ΔX = X ⊕ X′; ΔXi = 0 iff Xi = Xi′

E/P preserves values: ΔXi = 0 ⇒ X1ep(i) = X1ep(i)′, where ep(i) is a function defined by the E table

⊕ preserves values: X2i = X1i ⊕ Kn, X2i′ = X1i′ ⊕ Kn, so ΔXi = 0 ⇒ X2ep(i) = X2ep(i)′


One Round, cont.

[Figure: the S and P stages of the round for X2/X2′, giving X3/X3′ and X4/X4′.]

ΔXi = 0 ⇒ X2ep(i) = X2ep(i)′

X3i = X3i′ ⇒ X4p(i) = X4p(i)′

S-boxes are non-linear! ΔXi = 0 does not imply X3s(ep(i)) = X3s(ep(i))′

But maybe they do probabilistically: ΔXi = 0 ⇒ p(X3s(ep(i)) = X3s(ep(i))′) > .5? or p(X3s(ep(i)) = X3s(ep(i))′) < .5?

It’s a function of the key: p determined experimentally.

(Known from ciphertext)


Differential Characteristics

Inputs: A = [A1, A2, A3 … A64], B = [B1, B2, B3 … B64]

Outputs: a = [a1, a2, a3 … a64] = {A}K, b = [b1, b2, b3 … b64] = {B}K

Differences:
ΔP = A ⊕ B = [A1 ⊕ B1, …, A64 ⊕ B64]
ΔC = a ⊕ b = [a1 ⊕ b1, …, a64 ⊕ b64]

Differential = (ΔP, ΔC)

These slides are based on Howard Heys’ Tutorial on Linear and Differential Cryptanalysis (linked from course website).


Goal

• Find a particular value of ΔP for which a particular ΔC value occurs with high probability

• Allows attacker to predict bits coming into last round of cipher


If you know what one round of DES does, you can find the subkey for that round (fairly easily)!


From Howard Heys’ Tutorial on Linear and Differential Cryptanalysis
http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf


S-box: S1

6-bit input x1x2x3x4x5x6: x1x6 selects the row (00, 01, 10, 11), x2x3x4x5 selects the column.

x1x6 \ col:  0 1 2 3 4 5 6 7 8 9 A B C D E F
00:          E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
01:          0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
10:          4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
11:          F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

4 inputs to S1 produce 0: 011100, 000001, 111110, 111011

Remember: S-Boxes are confusing, but not secret. All DES implementations use the same S-Boxes.


Partial pair XOR Distribution, S1

Rows: Input XOR (6 bits). Columns: Output XOR (4 bits).

      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0   64  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
 1    0  0  0  0  6  2  4  4  0 10 12  4 10  6  2  4
 2    0  0  0  8  0  4  4  4  0  6  8  6 12  6  4  2
...
3F    4  8  4  2  4  0  2  4  4  2  4  8  8  6  2  2



What would ideal distribution be?

Rows: Input XOR. Columns: Output XOR.

      0 1 2 3 4 5 6 7 8 9 A B C D E F
 0    4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
 1    4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
 2    4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
...   4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
3F    4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4

Why can’t we just make S-Boxes that do this? Getting deterministically different outputs when the inputs are identical is really, really hard!
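Added example (not from the lecture or from Heys’ tutorial): Python that takes the S1 table from the earlier slide and recomputes the pair XOR distribution, so the rows printed above can be checked against code, the four inputs that S1 maps to 0 are recovered, and the most probable non-trivial differential is found. It also makes the point of the “ideal” table concrete: row 0 (identical inputs) is forced to be 64 in column 0, so an all-4s table is impossible.

```python
# DES S-box S1 exactly as printed on the slide: rows selected by x1x6, columns by
# x2x3x4x5. The table is public; every DES implementation uses the same one.
S1 = [
    [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7],
    [0x0, 0xF, 0x7, 0x4, 0xE, 0x2, 0xD, 0x1, 0xA, 0x6, 0xC, 0xB, 0x9, 0x5, 0x3, 0x8],
    [0x4, 0x1, 0xE, 0x8, 0xD, 0x6, 0x2, 0xB, 0xF, 0xC, 0x9, 0x7, 0x3, 0xA, 0x5, 0x0],
    [0xF, 0xC, 0x8, 0x2, 0x4, 0x9, 0x1, 0x7, 0x5, 0xB, 0x3, 0xE, 0xA, 0x0, 0x6, 0xD],
]

def s1(x):
    # 6-bit input x1x2x3x4x5x6 (x1 is the MSB): row = x1x6, column = x2x3x4x5
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def preimages(output):
    # All 6-bit inputs that S1 maps to `output`; each row is a permutation, so four
    return [x for x in range(64) if s1(x) == output]

def xor_distribution():
    # Pair XOR distribution table: entry [din][dout] counts inputs x with
    # S1(x) ^ S1(x ^ din) == dout. Each row sums to 64; the "ideal" would be all 4s,
    # but row 0 is forced to [64, 0, ..., 0] because equal inputs give equal outputs.
    table = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            table[din][s1(x) ^ s1(x ^ din)] += 1
    return table

def best_differential(table):
    # Most probable (din, dout) with din != 0, returned with its count out of 64
    count, din, dout = max((table[d][o], d, o) for d in range(1, 64) for o in range(16))
    return din, dout, count

if __name__ == "__main__":
    t = xor_distribution()
    print("inputs S1 maps to 0:", [f"{x:06b}" for x in preimages(0)])
    for din in (0x00, 0x01, 0x02, 0x3F):           # the rows shown on the slide
        print(f"{din:02X}: " + " ".join(f"{n:2d}" for n in t[din]))
    din, dout, n = best_differential(t)
    print(f"best non-trivial differential: {din:02X} -> {dout:X}, {n}/64")
```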


Differential Cryptanalysis

• Propagate experimental probabilities for 1 round through 16 rounds

• After enough P-C pairs, one key becomes most probable

• Difficulty depends heavily on S-Box choices

• First published in 1990, but NSA knew about it in 1973! (That’s why they changed IBM’s S-Boxes!)


Differential Cryptanalysis

• “Successful” on DES up to 15 rounds (better than exhaustive search)

• By 16th round, characteristic probabilities are 2^-56

• Very successful on DES variants (breaks GDES with 6 chosen plaintexts)

• Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...)

• Would be very successful on Curry Cipher (but so would less sophisticated techniques)


Related Techniques

• Linear Cryptanalysis [Matsui, 1994]
 – Try to find equations like Xi1 ⊕ Xi2 ⊕ … ⊕ Xin ⊕ Yj1 ⊕ Yj2 ⊕ … ⊕ Yjv = 0, where Xik selects some input bit and Yjk selects some output bit, such that the probability it is satisfied is different from ½

• Boomerang Attack [Wagner 1999]

• Slide Attacks [Biryukov & Wagner, 1999]


Charge

• Find a partner for PS2 now
 – If you already have gotten past question 1 with someone, you can keep working together
 – Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more):
  • Nationality
  • Major (CS/Math/ECE/Bioinformatics/other)
  • Year (Grad/4th/3rd/other)
  • Liked breaking two-time pad (yes/no)