Design of block ciphers

Transcription

1 Design of block ciphers Joan Daemen STMicroelectronics and Radboud University University of Zagreb Zagreb, Croatia, March 23, / 49

2 Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 2 / 49

3 What modern block ciphers look like Iterated block cipher: Data path: transforms P to C iteration of a round function that shall be non-linear depends on a round key Key schedule generates round keys from cipher key K 3 / 49

4 Substitution-permutation network Round function with two (or three) layers substitution layer: lookup tables applied in parallel to blocks S-boxes non-linear: S(x y) = S(x) S(y) permutation layer: moves bits to different S-box positions either key-dependent S-boxes or third layer of key addition 4 / 49

5 But what do we want our block cipher to achieve? Formal security notion: PRP security PRP: Pseudorandom Permutation Infeasibility to distinguish B[K] from random permutation Covers all use cases where key is fixed and secret 5 / 49

6 Data Encryption Standard Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 6 / 49

7 Data Encryption Standard Data encryption standard Standard by and for US government By National Institute for Standardization and Technology (NIST) Designed by IBM in collaboration with NSA 1977: Federal Information Processing Standard (FIPS) 46 complete block cipher specification block length: 64 bits, key length: 56 bits no design rationale freely usable Massively adopted by banks and industry worldwide Dominated symmetric crypto for more than 20 years 7 / 49

8 Data Encryption Standard The Feistel structure State: left half L and right half R Alteration of involutions apply F to R i and add to L i swap left and right omit swap in last round B 1 similar to B same sequence of operations round keys in reversed order no need for F 1 used in DES 8 / 49

9 Data Encryption Standard Data encryption standard: overview data path key schedule 9 / 49

10 Data Encryption Standard DES algorithmic structure Data path 16-round Feistel Initial (IP) and final permutations (FP): no cryptographic significance historical, due to addressing in hardware implementation Key schedule 8 bits thrown away in permuted choice 1 (PC1) remaining 56-bit string split in two 28-bit strings rotated for each round over 1 or 2 bits 48-bit round key obtained with PC2 of these 56 bits each round key bit is just a cipher key bit 10 / 49

11 Data Encryption Standard Data encryption standard: F-function 4 layers: expansion E: from 32 to 48 bits bitwise round key addition substitution: 8 different 6-to-4 bit non-linear S-boxes permutation P: moving nearby bits to remote positions clearly hardware-oriented 11 / 49

12 Data Encryption Standard Data encryption standard: F-function 1 32 E RK S1 S2 S3 S4 S5 S6 S7 S8 P layers: expansion E: from 32 to 48 bits bitwise round key addition substitution: 8 different 6-to-4 bit non-linear S-boxes permutation P: moving nearby bits to remote positions clearly hardware-oriented 11 / 49

13 Data Encryption Standard Trouble for DES: Weak Keys What happens if the cipher key is all-zero? all round keys are all-zero all rounds are the same cipher and its inverse are the same Same is true for an all-one cipher key And two more keys due to symmetry in key schedule Weak key K w : DES[K w ] DES[K w ] = I Also 6 semi-weak key pairs (K 1, K 2 ) Mostly of academic interest DES[K 1 ] DES[K 2 ] = I 12 / 49

14 Data Encryption Standard Trouble for DES: Complementation Property What happens if we complement the cipher input? flip all bits in key flip all bits in plaintext In first round input to F complemented so output of E complemented round key also complemented so input to S-boxes unaffected output of F unaffected Output of first round is simply complemented Repeat this until you reach the ciphertext Complementation property: DES[K](P) = C = DES[K](P) = C Reduces effective key length from 56 bits to 55 bits 13 / 49

15 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a compute a i from C i K P if not Ω, k a is wrong Assumption: Key Data wrong k a destroys Ω variants and optimizations sched. path rounds rounds C 14 / 49

16 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong Assumption: wrong k a destroys Ω Distinguisher variants and optimizations a k a C 14 / 49

17 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong Assumption: p wrong k a destroys Ω variants and optimizations DP( p, a ) a a k a C 14 / 49

18 Data Encryption Standard Intermezzo: statistical attacks (simplified) Distinguisher Ω over r 1 rounds, for (almost) all keys property Ω should not be present in a random permutation Online part: collect many couples (C i, P i ) Offline part: recover k a of last round key make a guess k a for k a P compute a i from C i if not Ω, k a is wrong u Assumption: p wrong k a destroys Ω variants and optimizations C 2 (u p, u a ) u a a k a C 14 / 49

19 Data Encryption Standard Trouble for DES: Differential Cryptanalysis (DC) Statistical attack published by [Biham and Shamir, 1990] Distinguishing property: differential ( p, a ) difference p leads to difference a with probability DP( p, a ) Online phase: collect many pairs (P i, C i ), (P i, C i ) with P i P i = p Offline phase: per key guess k a compute a from C i and C i Required # pairs proportionate to 1/DP( p, a ) Biham-Shamir broke DES with 2 47 chosen plaintexts: 1000 TeraByte 13-round differential with DP guessing part of keys of last 2 rounds many subtleties and optimizations 15 / 49

20 Data Encryption Standard DC of DES: origin of fatal differential Difference propagation over multiple rounds called characteristic or differential trail Q differential probability of a trail DP(Q) product over the rounds special case: iterative trails important: # active S-boxes in trail for this trail DP( p, a ) DP(Q) for p Q a 1 S1 S2 S3 S4 S5 S6 S7 S8 32 E RK P / 49

21 Data Encryption Standard DC of DES: origin of fatal differential Difference propagation over multiple rounds called characteristic or differential trail Q differential probability of a trail DP(Q) product over the rounds special case: iterative trails important: # active S-boxes in trail for this trail DP( p, a ) DP(Q) for p Q a 16 / 49

22 Data Encryption Standard Trouble for DES: Linear Cryptanalysis (LC) Statistical attack published by Matsui 1992 Distinguishing property: correlation C(u p, u a ) between sum of plaintext bits u T pp and sum of output bits u T aa correlation C(u p, u a ) ranges between 1 and +1 Online phase: collect many couples (P i, C i ) Offline phase: per key guess k a compute a i from C i Required # pairs proportionate to 1/C 2 (u p, u a ) = 1/LP(u p, u a ) High correlation C(u p, u a ) constructed using linear trail dual of differential trails, propagation of masks u rather than difference patterns used trail has few active S-boxes Matsui broke DES with 2 43 known plaintexts: 64 TeraByte 17 / 49

23 Data Encryption Standard LC of DES: origin of fatal correlation Correlations over F If output mask is active in a single S-box only Its parity has high correlation with parity for some input mask Correlation contribution of a trail is product of correlation of rounds 1 32 E RK S1 S2 S3 S4 S5 S6 S7 S8 P / 49

24 Data Encryption Standard LC of DES: origin of fatal correlation Correlations over F If output mask is active in a single S-box only Its parity has high correlation with parity for some input mask Correlation contribution of a trail is product of correlation of rounds 18 / 49

25 Data Encryption Standard Trouble for DES: the short key Exhaustive key search: about trials More than 15 years ago: software cracking about workstations trials per second per workstation expected time: seconds: 2,5 months applied in cracking RSA labs DES challenge, June 97 Cracking using dedicated hardware COPACOBANA RIVYERA (2008) costs about $ board with 128 Spartan FPGAs. finds a DES key in less than a day Short DES key is real-world concern! 19 / 49

26 Data Encryption Standard The solution: Triple DES (FIPS 46-2 and 46-3) Double DES allows meet-in-the-middle attacks Three variants of Triple-DES 3-key: 168-bit key, only option allowed by NIST 2-key: 112-bit key K 3 = K 1 still massively deployed by banks worldwide 1-key: 56-bit key K 3 = K 2 = K 1 falls back to single DES thanks to inverse in middle 20 / 49

27 Wide Trail Strategy Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 21 / 49

28 Wide Trail Strategy Wide trail strategy a rationale for designing the data path round function main objectives: absence of differential trails with high DP absence of linear trails with high LP how? See next slides 22 / 49

29 Wide Trail Strategy Trails in substitution-permutation networks active S-box: non-zero input difference DP(Q) is product over its active S-boxes: i DP(Sbox i ) Assuming independence of propagation in active S-boxes 23 / 49

30 Wide Trail Strategy Trails in substitution-permutation networks active S-box: non-zero input difference DP(Q) is product over its active S-boxes: i DP(Sbox i ) Assuming independence of propagation in active S-boxes 23 / 49

31 Wide Trail Strategy NOT the wide trail strategy Naive approach to cipher design DP(Q) = i DP(Sbox i ) i DP max (Sbox i ) DC/LC of DES and SPN: few active S-boxes per round decrease DP(Q) (or LP(Q)): S-boxes with low maximum DP/LP For given S-box width b, upper bounds: DP max (Sbox) 2 1 b LP max (Sbox) 2 b Consensus in nineties: bigger S-boxes are better! Implementation complexity of S-boxes strongly increases with size software: lookup tables of size 2 b hardware: increase of combinatorial logic 24 / 49

32 Wide Trail Strategy Principle of wide trail Principle of the wide trail strategy Instead of big S-boxes have many active S-boxes Ensure that any trail has many active S-boxes multiple active S-boxes per round Separate layers for nonlinearity and diffusion nonlinear layer: S-boxes with some maximum DP and LP diffusion layer: ensures many S-boxes per trail Origin introduced early nineties for lightweight bit-oriented designs particular flavor became mainstream after Rijndael was chosen AES 25 / 49

33 Wide Trail Strategy Mixing layers and branch number Introducing mixing layers and their branch number A new type of transformation in the round function: mixing layer linear goal: each output bit depends on multiple input bits Desired properties of mixing layer: avalanche: few active bits at input many at output avalanche of inverse: few at output many at input Branch number B of a mixing layer minimum number of active bits at input and output two types: linear and differential relative to a state partition in bits, bytes, or 26 / 49

34 Wide Trail Strategy First-order approach Wide trail: first-order approach Round function with three layers round key addition nonlinearity: n S-boxes of b bits (say b = 8) mixing Use a mixing layer with highest possible branch number value: B = n + 1 defines a maximum distance separable code: MDS matrix # active S-boxes per two rounds B Strategy adopted in SHARK [SHARK, FSE 1996] b = 8, n = 8 so block length is 64 9 active S-boxes per 2 rounds first-order: locally optimizes worst-case 2-round behaviour 27 / 49

35 Wide Trail Strategy First-order approach First-order approach illustrated 28 / 49

36 Wide Trail Strategy First-order approach First-order approach illustrated S S S S S S S S S MDS S S S S S S S S S MDS 28 / 49

37 Wide Trail Strategy First-order approach The trouble with the first-order approach Mappings with high branch numbers are expensive software: n look-up tables with 2 8 entries of size 8n hardware: # gates per bit grows quickly as a function of n Instead of expensive big S-boxes, we now have expensive big MDS matrices 29 / 49

38 Wide Trail Strategy Second-order approach Second-order approach Round function with four layers round key addition nonlinearity: n S-boxes mixing: m parallel MDS mappings each taking n/m bytes dispersion: moving bytes/bits around Use an optimal dispersion layer moves bytes in MDS block to all different MDS blocks # active S-boxes per four rounds B 2 Strategy adopted in Square [Square, FSE 1997] b = 8, m = 4, n = 16 so block length is active S-boxes per 4 rounds 30 / 49

39 Wide Trail Strategy Second-order approach Second-order approach illustrated 31 / 49

40 Wide Trail Strategy Second-order approach Second-order approach illustrated 31 / 49

41 Rijndael Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 32 / 49

42 Rijndael The AES competition The start of the AES competition January 1997: NIST announces the AES initiative replacement of DES open call for block cipher proposals and for analysis, comparisons, etc. September 1997: official request for proposals faster than Triple-DES 128-bit blocks, 128-, 192- and 256-bit keys specs, reference and optimized code, test vectors design rationale and preliminary analysis patent waiver Vincent Rijmen and I decided to submit a variant of Square Most important change: multiple key and block lengths We call it Rijndael 33 / 49

43 Rijndael The AES competition The AES competition First round: August 1998 to August candidates at 1st AES conference in Ventura, California analysis presented at 2nd AES conf. in Rome, March 1999 NIST narrowed down to 5 finalists using this analysis Second round: August 1999 to summer 2000 analysis presented at 3rd AES conf. in New York, April 2000 NIST selected winner using this analysis Criteria security margin efficiency in software and hardware key agility simplicity NIST motivated their choice with two solid reports 34 / 49

44 Rijndael The cipher Rijndael Block cipher with block and key lengths {128, 160, 192, 224, 256} set of 25 block ciphers AES fixes block length to 128 and limits key length to multiples of 64 Simple round function with four steps (like Square) all rounds are identical except for the round keys and omission of mixing layer in last round parallel and symmetric Key schedule Expansion of cipher key to round key sequence Recursive procedure that can be done in-place Manipulates bytes with simple operations in GF(2 8 ) 35 / 49

45 Rijndael The layers of the round function The non-linear layer: SubBytes Single S-box with two layers y = x 1 in GF(2 8 ), or more exactly y = x 254 max LP = max DP = 2 6 [Nyberg, Eurocrypt 1993] Affine mapping: multiplication by 8 8 matrix in GF(2) to complicate the algebraic expressions 36 / 49

46 Rijndael The layers of the round function The mixing layer: MixColumns Single MDS mapping applied to columns: B = 5 Multiplication by a 4 4 circulant matrix in GF(2 8 ) Elements: 1, 1, x and x + 1 circulant MDS matrix with the simplest elements Inverse has more complex elements 37 / 49

47 Rijndael The layers of the round function The dispersion layer: ShiftRows Each row is shifted by a different amount Different shift offsets for higher block lengths 38 / 49

48 Rijndael The layers of the round function Round key addition: AddRoundKey 39 / 49

49 Rijndael The layers of the round function Key schedule: 192-bit key, 128-bit block example k 0 k 1 k 2 k 3 k 4 k 5 k 6 k 7 k 8 k 9 k 10 k 11 k 12 k 13 k 14 k Round key 0 Round key 1 Round key 2 k 6n = k 6n 6 f(k 6n 1 ) k i = k i 6 k i 1, i = 6n 40 / 49

50 Rijndael The layers of the round function Rijndael: summary # rounds: 6 + max(l k, l b ) with l k key and l b block length in 32-bit words last round has no MixColumns to make inverse similar to cipher 41 / 49

51 Rijndael The layers of the round function Rijndael: some distinguishing features Bounds on trails: minimum 25 active S-boxes in any 4-round trail DP(Q) 2 150, LP(Q) Symmetric and simple too simple to be secure? no successful attacks up to now Inverse is different and slightly more expensive Table-lookup implementation: 4 Kbytes of table 1 table-lookup + 1 XOR per byte per round inverse uses different tables No integer arithmetic as opposed to IDEA, SHA-1, SHA-2 42 / 49

52 Lessons learnt from 17 years of public scrutiny Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 43 / 49

53 Lessons learnt from 17 years of public scrutiny Heavily (crypt-)analyzed Many papers on AES and Rijndael IACR Crypto DB search on AES: about hits IACR Crypto DB search on Rijndael: about 1490 hits Not all are equally relevant or interesting We discuss some instructive attacks: square attack algebraic attacks biclique attacks 44 / 49

54 Lessons learnt from 17 years of public scrutiny The Square attack The Square attack Consider Square, predecessor of Rijndael DP of 4-round differential trails LP of 4-round linear trails So we thought 6 rounds would be sufficient Knudsen invents Square attack [Square, FSE 1997] input sets: constant in some and complete in other bytes properties decay only slowly through steps of the round broke up to 6 rounds of Square (or Rijndael) Lesson learnt: interpret trail bounds with caution later even stronger attacks, e.g., impossible differentials helped by byte-alignment and strong local diffusion remedy: just add rounds 45 / 49

55 Lessons learnt from 17 years of public scrutiny Algebraic cryptanalysis Algebraic attacks Algebraic attack on AES [Courtois, Pieprzyk, Asiacrypt 2002] consider the cipher as a set of algebraic equations simple equations due to multiplicative inverse, e.g. xy = 1 Another suspect property [Murphy, Robshaw, Crypto 2002] embedding AES in 8 times larger structure BES BES is fully linear in GF(2 8 ) except multiplicative inverse Both turned out to be false alarms ambitions of algebraic attacks have been adjusted since tools in statistical attacks attacks exploiting low degree of round function 46 / 49

56 Lessons learnt from 17 years of public scrutiny Biclique attacks Biclique attack [Khovratovich, Bogdanov, Rechberger, 2011] first academic single-key attacks of full AES covers all three AES key lengths Speed-up of exhaustive keysearch by a small factor (2 or 3) large (2 88 ) to modest (2 40 ) data complexity reducing proportion of AES to be computed for each key by combination of sophisticated tools and techniques Lessons learnt no practical threat and unlikely it can be improved some say this does not even qualify as an academic attack quasi all modern ciphers are vulnerable to biclique or similar attacks protecting against possible but very costly: huge # rounds 47 / 49

57 Conclusions Outline 1 Data Encryption Standard 2 Wide Trail Strategy 3 Rijndael 4 Lessons learnt from 17 years of public scrutiny 5 Conclusions 48 / 49

58 Conclusions Conclusions Modern block ciphers iterate a simple round function DES: historically important as test bed for attacks 3-key Triple-DES still reasonably secure today Wide trail strategy: inspired by linear and differential cryptanalysis Rijndael is fully based on the wide trail strategy AES (Rijndael) is the dominating block cipher nowadays omnipresent, even dedicated instructions in Intel CPUs (AES-NI) inspired many other block cipher and permutation designs 17 years of public scrutiny: no threatening attacks Thanks for your attention! 49 / 49