ECE Lecture 7. Towards modern ciphers. Data Encryption Standard and its extensions. Levels of Security

Transcription

1 ECE Lecture 7 Towards modern ciphers Data Encryption tandard and its extensions Required Reading: I W tallings, "Cryptography and Network-ecurity," 4th Edition, Chapter 3: Block Ciphers and the Data Encryption tandard Chapter 6: Multiple Encryption and Triple DE II A Menezes, P van Oorschot, and Vanstone, Handbook o Applied Cryptography, Chapters 74: DE Levels o ecurity Deinition: Unconditional ecurity A cryptosystem is unconditionally secure i it cannot be broken even with ininite computational resources Q: Which actual cryptosystems are unconditionally secure?

2 Levels o ecurity Deinition: Computational ecurity A cryptosystem is computational secure i best possible algorithm or breaking requires N operations, where N is very large and known Q: Which actual cryptosystems are computational secure? Gilbert Vernam, AT&T Major Joseph Mauborgne One-time Pad Vernam Cipher 926 c i = m i k i m i k i c i All bits o the key must be chosen at random and never reused One-time Pad Equivalent version c i = m i + k i mod 26 m i k i c i TO BE OR NOT TO BE AX TC VI URD WM OF TL UG JZ HFW PK PJ All letters o the key must be chosen at random and never reused 2

3 Perect Cipher Claude hannon Communication Theory o ecrecy ystems, 948 m M c C P(M=m C=c) = P(M = m) The codebreaker can guess a message with the same probability without knowing a ciphertext as with the knowledge o the ciphertext Is substitution cipher a perect cipher? C = XRZ P(M=ADD C=XRZ) = P(M=ADD) Is one-time pad a perect cipher? C = XRZ P(M=ADD C=XRZ) P(M=ADD) M might be equal to CAT, PET, ET, ADD, BBC, AAA, HOT, HI, HER, BET, WA, NOW, etc 3

4 -P Networks P P hannon Product Ciphers Computationally secure ciphers based on the idea o diusion and conusion Conusion relationship between plaintext and ciphertext is obscured, eg through the use o substitutions Diusion spreading inluence o one plaintext letter to many ciphertext letters, eg through the use o permutations Basic operations o -P networks ubstitution Permutation -box P-box 4

5 P Avalanche eect m m c c m 2 c m 3 2 c 2 c 3 m 4 c 4 m 5 m 6 m 7 m 8 m 9 m m m 2 m 6 m 62 m 63 m 64 P c 5 c 5 c 6 c 7 c 7 c 8 c 8 c 9 c c c c 2 c 6 c 6 c 62 c 63 c 64 c 64 LUCIFER Horst Feistel, Walt Tuchman IBM m m 2 m 3 m 4 m 5 m 6 m 7 m 8 m 9 m m m 2 m 25 m 26 m 27 m 28 k, k 2, k 3, k 32, P k,2 k 2,2 K 3,2 k 32,2 P k,6 K 2,6 k 3,6 k 32,6 c c 2 c 3 c 4 c 5 c 6 c 7 c 8 c 9 c c c 2 c 25 c 26 c 27 c 28 6 rounds LUCIFER- external look plaintext block 28 bits LUCIFER key 52 bits 28 bits ciphertext block 5

6 NB public request or a standard cryptographic algorithm May 5, 973, August 27, 974 The algorithm must be: secure public - completely speciied - easy to understand - available to all users economic and eicient in hardware able to be validated exportable DE - chronicle o events NB issues a public request or proposals or a standard cryptographic algorithm irst publication o the IBM s algorithm and request or comments NB organizes two workshops to evaluate the algorithm oicial publication as FIP PUB 46: Data Encryption tandard 983, 987, recertiication o the algorithm or another ive years sotware implementations allowed to be validated Controversies surrounding DE Unknown design criteria Most criteria reconstructed rom cipher analysis 99 Reinvention o dierential cryptanalysis low in sotware Only hardware implementations certiied 993 otware, irmware and hardware treated equally Too short key Theoretical designs o DE breaking machines 998 Practical DE cracker built 6

7 Lie o DE Time DE developed by IBM and NA In common use or over 2 years transision to a new standard Federal and banking standard Over 3 validated implementations De acto world-wide standard Most popular secret-key ciphers American standards DE 56 bit key AE 2 contest Triple DE 2, 68 bit keys AE - Rijndael 28, 92, and 256 bit keys Other popular algorithms IDEA RC5 Blowish CAT erpent Twoish RC6 Mars DE - external look plaintext block 64 bits DE ciphertext block key 56 bits 64 bits 7

8 DE high-level internal structure L R IP K DE Main Loop Feistel tructure L R L 2 R 2 L 5 R 5 K 2 K 6 L n+ =R n R n+ =L n (R n, K n+ ) R 6 L 6 IP - Feistel tructure Encryption Decryption L n R n L n R n K n+ K n+ L n+ R n+ L n+ R n+ L n+, R n+?? K n+ L n, R n?? 8

9 IP - Decryption IP L R R 6 L 6 K K 6 L R R 5 L 5 K 2 K 5 L 2 R 2 R 4 L 4 L 5 R 5 R L K 6 K R 6 L 6 L R IP IP - Classical Feistel Network plaintext = L R or i= to n { L i =R i- R i =L i- (R i-, K i ) } L n+ = R n R n+ = L n ciphertext = L n+ R n+ Mangler Function o DE, F 9

10 Notation or Permutations Input i i 2 i 3 i 4 i 5 i 6 i 7 i 8 i 9 i i 56 i 57 i 58 i 59 i 6 i 6 i 62 i 63 i i 58 i 5 i 42 i 34 i 26 i 8 i i 2 i 5 i 63 i 55 i 47 i 39 i 3 i 23 i 5 i 7 Output

11 Notation or -boxes Input i i 2 i 3 i 4 i 5 i 6 i i 6 determines a row number in the -box table, 3 i 2 i 3 i 4 i 5 determine a column in the -box table, 5 o o 2 o 3 o 4 is a binary representation o a number rom 5 in the given row and the given column o o 2 o 3 o 4 Output

12 Randomness General design criteria o DE 2 Avalanche property changing a single bit at the input changes on average hal o the bits at the output 3 Completeness property every output bit is a complex unction o all input bits (and not just a subset o input bits) 4 Nonlinearity encryption unction is non-aine or any value o the key 5 Correlation immunity output bits are statistically independent o any subset o input bits Completeness property Every output bit is a complex unction o all input bits (and not just a subset o input bits) Formal requirement: For all values o i and j, i=64, j=64 there exist inputs X and X 2, such that X x x 2 x 3 x i- x i+ x 63 x 64 X 2 x x 2 x 3 x i- x i+ x 63 x 64 Y = DE(X ) y y 2 y 3 y j- y j y j+ y 63 y 64 Y 2 = DE(X 2 ) y y 2 y 3 y j- y j y j+ y 63 y 64 Linear Transormations Transormations that ulill the condition: T(X [m x ] ) = Y [n x ] = A [n x m] X [m x ] or T(X X 2 ) = T(X ) T(X 2 ) Aine Transormations Transormations that ulill the condition: T(X [m x ] ) = Y [n x ] = A [n x m] X [m x ] B [n x ] 2

13 Linear Transormations o DE IP, IP -, E, PC, PC2, HIFT eg, IP(X X 2 ) = IP(X ) IP( X 2 ) Non-Linear and non-aine transormations o DE There are no such matrices A [4x6] and B [4x] that (X [6x] ) = A [4x6] X [6x] B [4x] Design o -boxes [5] in out = [in] 6! 2 3 possibilities precisely deined initially unpublished criteria resistant against dierential cryptanalysis (attack known to the designers and rediscovered in the open research in 99 by E Biham and A hamir) Round Key[] Typical Flow Diagram o a ecret-key Block Cipher Initial transormation i:= Round Key[i] Cipher Round i<#rounds? i:=i+ #rounds times Round Key[#rounds+] Final transormation 3

14 Implementation o a secret-key cipher in hardware Round keys computed on-the-ly input key encryption/decryption key scheduling round keys output Implementation o a secret-key cipher Round keys precomputed input key key scheduling encryption/decryption memory o round keys output Basic iterative architecture o secret key ciphers input key Key scheduling round keys multiplexer register combinational logic output one round 4

15 Theoretical design o the specialized machine to break DE Project: Michael Wiener, Entrust Technologies, 993, 997 Method: exhaustive key search attack Basic component: specialized integrated circuit in CMO technology, 75 MHz Checks: 2 mln keys per second Costs: $ Total cost $ mln $ Estimated time 35 minutes 6 hours DE breaking machine known ciphertext key counter Round key Encryption Round key Key cheduling Round Encryption Round 2 Round key 2 Key cheduling Round 2 plaintext Encryption Round 6 comparator Round key 6 known plaintext Key cheduling Round 6 Deep Crack Electronic Frontier Foundation, 998 Total cost: $22, Average time o search: 45 days/key 8 AIC chips, 4 MHz clock 5

16 Deep Crack Parameters Number o AIC chips 8 Clock requency 4 MHz Number o clock cycles per key 6 Number o search units per AIC 24 earch speed Average time to recover the key 9 bln keys/s 45 days COPACOBANA Cost-Optimized Parallel COde Breaker Ruhr University, Bochum, University o Kiel, Germany, 26 Cost: 898 (ver ) COPACOBANA Based on Xilinx FPGAs (Field Programmable Gate Arrays) ver based on 2 partan 3 FPGAs ver 2 based on 28 Virtex 4 X 35 FPGAs Description, FAQ, and news available at For ver based on partan FPGAs Clock requency = 36 MHz Average search time or a single DE key = 64 days Worst case search time or a single DE key = 28 days 6

17 Minimum length o the key or symmetric ciphers I Panel o experts, January 996 M Blaze, W Diie, R Rivest, B chneier, T himomura, E Thompson, M Wiener Report: Minimal Key Lengths or ymmetric Ciphers to Provide Adequate Commercial ecurity II National Academy o ciences, National Research Council, May 996 Report: Cryptography's Role in ecuring the Inormation ociety 7

18 ecure key length today and in 2 years (against an intelligence agency with the budget o $3M) key length 28 bits IDEA, minimum key length in AE 2 bits DEX 2 bits Triple DE with two keys 97 bits ecure key length in bits 8 bits kipjack ecure key length in bits DE ecure key length - discussion increasing key length in a newly developed cipher costs NOTHING increasing eective key length, assuming the use o an existing cipher has a limited inluence on the eiciency o implementation (DEX, Triple DE) It is economical to use THE AME secure key length FOR ALL aplications The primary barriers blocking the use o symmetric ciphers with a secure key length have been o the political nature (eg, export policy o UA) Other attacks dierential cryptanalysis Biham, hamir 99 linear cryptanalysis Matsui, 993 8

19 Dierential cryptanalysis M M * M 2 M 2 * M N- M N- * M N M N * M i M i * = const Encryption module key C C * C 2 C 2 * C N- C N- * C N C N * access to the encryption module with the key inside analysis o trilions o pairs plaintext-ciphertext Dierential cryptanalysis o DE Requirements: Biham, hamir 99 access to the encryption module with the key inside time or encryption o 2 47 = 4 4 plaintext blocks = million gigabytes o plaintext Conclusions: attack impossible to mount DE specially designed (IBM, NA) to be resistant against dierential cryptanalysis Requirements: Linear cryptanalysis o DE Matsui = 88 2 known plaintext blocks = 73 terabytes o known plaintext 2 43 operations probability o success 85% Conclusions: attack impossible to mount in practice 9

20 What i creators o DE did not know about dierential cryptanalysis Required number o plaintext blocks Original DE Modiications: Identity permutation in place o P Order o -boxes XOR replaced by addition -boxes random one position changed Expansion unction E eliminated 2 47 = mln GB 2 9 = 4 MB 2 38 = 2, GB 2 3 = 2 GB 2 2 = 6 MB 2 33 = 8 GB 2 26 = 64 MB Dierential and linear cryptanalysis - discussion Attacks ineasible or correctly designed ciphers Perect tool or comparing strengths o various ciphers Resistance against these attacks does not imply resistance against other unknown methods o attack Triple DE EDE mode with two keys encryption decryption plaintext ciphertext Diie, Hellman, 977 E encryption 56 K D decryption 56 K D decryption 56 K2 E encryption 56 K2 E encryption 56 K D decryption 56 K ciphertext plaintext 2

21 Triple DE EDE mode with three keys encryption decryption plaintext ciphertext Diie, Hellman, 977 E encryption 56 K D decryption 56 K D decryption 56 K2 E encryption 56 K2 E encryption 56 K3 D decryption 56 K3 ciphertext plaintext Advantages: Triple DE secure key length (2 or 68 bits) increased compared to DE resistance to linear and dierential cryptanalysis possibility o utilizing existing implementations o DE Disadvantages: relatively slow, especially in sotware DEX Rivest, 988 plaintext 64 DE 56 K a K KEY = (K, K a ) 2 bits 64 K b = hash unction(k, K a ) K b ciphertext 2