c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)

Size: px

Start display at page:

Download "c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)"

Felix Thornton
5 years ago
Views:

1 Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation. None of the modes can protect against known plaintext attacks. Cryptanalysis of Modes of Operation c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Single Modes: the S Modes of Operation (cont.) The standard modes of S are: Multiple Modes of Operation ue to the recent development in the analysis of S (including the ability to exhaustively search for keys), it was proposed to use multiple (cascaded) modes of operation. CB CBC CFB OFB Other modes were proposed: PCBC, counter mode, PFF, etc. We will call these modes single modes. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) xample: The Triple-CB Mode: Triple-S xample: The Triple-CBC Mode Claimed to be as secure as triple-s in (single) CBC mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) xample: The CBC CBC 1 CBC Mode Was almost accepted as an ANSI standard: Advantages of Multiple Modes Multiple modes were claimed to have several advantages: 1. More secure than single modes, 2. As fast as single encryption on pipelinable hardware, 3. Attackers cannot know the feedbacks used during encryption, and thus cannot even mount known plaintext attacks! c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

2 ANSI Triple Modes Standardization ANSI X9F1 committee is working on a triple modes standard, already several years, which had to be accepted at the end of It included three kinds of modes: 1. The standard S modes, with (two or three-key) triple S as the underlying cipher. 2. Interleaved variants of the same modes, to allow efficient hardware implementations. 3. The CBCM mode (described later). Multiple Modes Cannot Reduce Strength Let A and B be two modes and let C be the combined double mode C=AB, whose component keys K A and K B are chosen independently. The following theorem shows that C is not weaker than either of its components. theorem: The cracking problem of either A or B is efficiently reducible to the cracking problem of C=AB. conclusion: A multiple mode may not be weaker than its strongest component, if the component keys are chosen independently. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Multiple Modes Cannot Reduce Strength (cont.) A counter-example when the keys are not independent: Multiple Modes Cannot Reduce Strength (cont.) The weakest components in this mode are those using. By methods described later, we can find the key K 1 of the first component using 2 18 chosen ciphertexts, and thus also of the third component using S. The key of the second component can then be easily found using 1000 chosen ciphertexts (or 2 24 known plaintexts). The third component (which uses S) by itself is much more resistant than the whole system, and cannot be attacked successfully by any known method with complexity smaller than S S S S S c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Cryptanalysis of Multiple Modes of Operation All the triple (cascaded) modes of operation of S are not much more secure than single modes (as they require up to complexity and plaintexts). The cryptanalytic techniques to attack multiple modes attack one single component mode at a time, and can be based on any technique to attack single modes, including differential and linear cryptanalysis, avies attack, and exhaustive search. The main observation is that the attacker can have some control over the unknown feedbacks, and can thus feed them with the data required to apply cryptanalysis of the single modes. To feed these values, the attacks are usually chosen plaintext or chosen ciphertext. Technique A: ifferential Cryptanalysis As an example we attack the CB CBC CBC mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique A: ifferential Cryptanalysis (cont.) 1. Let Ω T be the ciphertext difference required to attack S with chosen ciphertexts (the usual attack from the opposite direction). 2. Assume that n pairs are required for an attack of S using this Ω T. Technique A: ifferential Cryptanalysis (cont.) 3. The attacker chooses n pairs of ciphertext tuples (,, ), and ( Ω T,, ), with arbitrary,,. 4. The attacker requests to decrypt the 6n blocks by the triple mode under the unknown keys. 5. The ciphertext difference in each pair of tuples is (Ω T, 0, 0). 6. After decryption of one component the difference is (, Ω T, 0). 7. After decryption of two components the difference is (,, Ω T ). 8. The plaintexts are known, and in particular and P 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

3 Technique A: ifferential Cryptanalysis (cont.) Technique A: ifferential Cryptanalysis (cont.) 9. We result with n pairs, P 2, for which Ω T Ω T 0 K1 ( ) K1 (P 2 ) = Ω T This is exactly the data required for differential cryptanalysis! 10. If the underlying cipher is S, we need 2 47 chosen ciphertext blocks to find the key of the CB component. The other component keys can be recovered by other techniques. Ω T 0 0 Known differences Known values c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique C: Linear Cryptanalysis As an example we attack the CBC CB CBC mode: Technique C: Linear Cryptanalysis (cont.) 1. The attacker chooses n tuples (,, ), with is chosen arbitrarily for each tuple, but and are fixed for all the tuples. 2. The attacker requests to decrypt the 3n blocks by the triple mode under the unknown keys. 3. The plaintexts are known, and in particular. 4. He gets n encryptions of the form K2 ( V 2 ) V 1 = where V 1 and V 2 are fixed, depend only on and. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique C: Linear Cryptanalysis (cont.) V 2 V 1 V 2 Fixed Fixed V 1 Technique C: Linear Cryptanalysis (cont.) 5. The independent key variant of linear cryptanalysis can find the actual subkeys used in this encryption, to which V 1 and V 2 are combined. Then, the key K 2, and V 1 and V 2 can be recovered. 6. If the underlying cipher is S, we need 2 60 chosen ciphertext blocks to find the key of the CB component. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search This technique uses exhaustive search for the component keys, and can thus be applied for any underlying cipher, independent of its internal operations. All the techniques described later use exhaustive search as a basic tool for more complex analysis, and thus also have this property. Technique : Using xhaustive Search (cont.) As an example we attack the CBC CBC CB mode: c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

4 Technique : Using xhaustive Search (cont.) 1. The attacker chooses one pair of tuples (,, ), (C 0,, ), where C He requests the plaintexts (,, ) and (P 0,P 1,P 2 ). 3. The value P 2 is the difference of the CB mode in the first block! Technique : Using xhaustive Search (cont.) P 2 P 2 0 P ifferences c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search (cont.) 4. The attacker exhaustively search all keys for K3 ( ) K3 (C 0) = P 2 Technique : Using xhaustive Search (cont.) A known plaintext variant: Given about 2 65 random known plaintext tuples, the birthday paradox predicts the existence of a pair (,, ) and (C 0,C 1, C 2) with = C 1 and = C 2! 5. The two tuples can be generated with only four chosen ciphertext blocks. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique : Using xhaustive Search (cont.) Another example: CBC 1 CB CBC Technique : Using xhaustive Search (cont.) xercise: Find all the three keys with 3 chosen plaintexts, or 2 64 known plaintexts. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique F: The Birthday Technique escribed on the triple-cbc mode: Technique F: The Birthday Technique (cont.) 1. We choose ciphertext tuples of the form (C,C,C,C). c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

5 Technique F: The Birthday Technique (cont.) 2. uring decryption we get Y X X X Y Z Technique F: The Birthday Technique (cont.) 3. The function X = K3 (C) C behaves like a random function, thus, given 2 33 such tuples, a collision is expected to occur with a high probability. 4. This collision can be identified by comparing the resultant plaintext block Z. A key search can be applied with 2 57 S encryptions. 5. Note: Collisions can occur in each of the CBC components, thus only a third occur in the last component. This increases the complexity by a factor of at most 3, without increase in the number of chosen ciphertexts. C C C C c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G This technique enables to attack modes whose plaintext and ciphertext are mixed with some unknown feedback, or do not affect the encryption box at all. Technique G (cont.) The CB CB OFB mode: It is later used as a building block by the techniques described afterwards. We describe two variants of this technique on two examples: the triple mode CB CB OFB and on the double mode CBC OFB. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G (cont.) Technique G (cont.) To attack this mode we choose a plaintext consisting of 2 64 equal blocks P. The CBC OFB mode: We result with a ciphertext,,..., which equals the output of the OFB component V i XORed with a fixed value. We choose some value u arbitrarily, and guess that it appears in the OFB stream. We encrypt it under all possible keys K, and test whether the difference u K (u) is a difference between two consecutive ciphertext blocks. We usually succeed, as the cycle of the OFB mode includes about 2 63 different blocks. Otherwise, we try another value u. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique G (cont.) In this case we attack the CBC component: we choose the ciphertext to consist of 2 64 C followed by 2 64 C. We get p pairs of the form Technique I: ouble Stream Ciphers The double-ofb mode seems difficult to analyze, as we cannot control the feedbacks: C V i = K1 (P i C V i 1 ) C V i = K1 (P i C V i 1 ) where p is the period of the OFB component. Again, we guess a value u arbitrarily, and hope that it is one of the V i s in the cycle (whose period is very easily identified from the plaintexts). We compute P i V i 1 and Pi V i 1 (for the unknown i) by the above equations, and test whether the resultant difference equals P i Pi for some i. As a bonus we also recover the OFB stream. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

6 Technique I: ouble Stream Ciphers (cont.) The attack: Preliminaries: enote the stream by: s i = a i b i where a i and b i are the original two OFB streams. The sum stream is known by s i = P i C i. We start by finding the periods of the two components OFBs: denote them by k and l (WLG k < l, and k + l is even). Both periods are expected to be about 2 64, and thus the expected period of {s i } is about Technique I: ouble Stream Ciphers (cont.) We know that And thus also s i = a i b i = a i modk b i modl s 0 = a 0 b 0 s k = a k b k = a 0 b k s l = a l b l = a l b 0 s k+l = a k+l b k+l = a l b k from which we derive s 0 s k s l s k+l = 0 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique I: ouble Stream Ciphers (cont.) In order to use this equation, we need to know both k and l, and there are too many possibilities to try. Therefore, we rewrite the equations (shifted in the stream by i (k + l)/2 blocks, for any i) as s i (k+l)/2 = a i (k+l)/2 b i (k+l)/2 s i (l k)/2 = a i (l k)/2 b i (l k)/2 = a i (k+l)/2 b i+(k+l)/2 s i+(l k)/2 = a i+(l k)/2 b i+(l k)/2 = a i+(k+l)/2 b i (k+l)/2 s i+(k+l)/2 = a i+(k+l)/2 b i+(k+l)/2 Technique I: ouble Stream Ciphers (cont.) We define S i to be the concatenation of s i and s i+1, in order to increase the block size and to reduce random effects. Then, We define S i (k+l)/2 S i+(k+l)/2 = S i (l k)/2 S i+(l k)/2. and for i = 2 64 get the equation j = S 2 64 j S j and thus s i (k+l)/2 s i+(k+l)/2 = s i (l k)/2 s i+(l k)/2. (k+l)/2 = (l k)/2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique I: ouble Stream Ciphers (cont.) Finding the periods: The attack we use is a start in the middle attack. Given 2 65 stream blocks, we compute j for each j = 1, 2,...,2 64 and search for two distinct j s (j 1 > j 2 ) for which Technique I: ouble Stream Ciphers (cont.) Given the periods, we can compute the component streams up to XOR with an unknown value. Technique G can then be applied and find the keys. This technique (I) can be used against many other modes which can be viewed as double-ofb-like, such as the CBC 1 CBC OFB, whose first two components have period about 2 64 when fed with a fixed plaintext block. j1 = j2 by keeping the values in a hash table, and waiting till some value is entered twice into the table. These j 1 and j 2 satisfy from which we conclude that S 2 64 j1 S 2 64 j2 S j2 S j1 = 0 k = j 1 j 2 and l = j 1 + j 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique J: Multiple Stream Ciphers The triple-ofb mode is more complex: Technique J: Multiple Stream Ciphers (cont.) The following LFSR generates this mode: s k+l+m = s 0 s k s l s m s k+l s k+m s l+m The previous technique is not applicable to more than two components. So, how can we recover this LFSR? c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

7 Technique J: Multiple Stream Ciphers (cont.) The Berlekamp-Massey algorithm: The Berlekamp-Massey algorithm finds the shortest generating polynomial of a given sequence. Assume that s k+l+m = s 0 s k s l s m s k+l s k+m s l+m is the minimal polynomial, it gives us the periods! But it is not minimal. Technique J: Multiple Stream Ciphers (cont.) In polynomial notation where Q(x) = x k+l+m + x l+m + x k+m + x k+l + x m + x l + x k + x 0 = = Q k (x)q l (x)q m (x) = 0, Q k (x) = x k + 1 = ( k 1 Q l(x) = x l + 1 = ( l 1 j=0 xj )(x + 1) j=0 xj )(x + 1) Q m (x) = x m + 1 = ( m 1 j=0 xj )(x + 1) The minimal polynomial of s i is, Q (x) = lcm(q k (x),q l (x),q m (x)) which, when k, l, and m are coprimes is Q (x) = Q(x)/(x + 1) 2 of degree k + l + m 2. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique J: Multiple Stream Ciphers (cont.) Thus, it is usually easy to find the polynomial Q(x) from the minimal polynomial, and thus the periods can be found. Then, technique G can be used to find the keys. Technique J: Multiple Stream Ciphers (cont.) Problem: The Berlekamp-Massey algorithm has complexity n 2, and thus it takes steps to find the minimal polynomial, given a stream of size k + l + m < However, there is a variant of the Berlekamp-Massey algorithm, called the recursive Berlekamp-Massey algorithm, whose complexity is only O(n log n log log n). This complexity is about log 66 = 2 75 when n 2 66, i.e., when up to four OFB streams are combined. These 2 75 steps are very simple, and are faster to apply than 2 66 S encryptions. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) Technique H This mode is one of the most complicated to attack: Technique H (cont.) It would be too complicated do describe the attack here. c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4) The CBCM Mode The CBCM Mode (cont.) This mode was designed by IBM (Coppersmith, Johnson, Matyas) to be invulnerable to the attacks described above, and will soon be an ANSI standard. P 5 It uses two kinds of feedbacks: 1. Outer CBC feedback. 2. Two application of additional inner OFB single mode. M1 M2 M3 M4 M5 It is claimed that this construction is immune against the above attacks, as the cryptanalyst has no way to affect the inner feedbacks. C 5 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

8 The CBCM Mode (cont.) where M 1, M 2,... are the output blocks of an OFB mode with as the initial value, encrypted under the key K 3 : Related Works 1. Attacking 4-round Feistel ciphers, in which S is used as the roundfunction (Biham; Knudsen; Coppersmith) 2. All-or-Nothing encryption (Rivest) 3. ANSI X9.52 triple modes, and the CBCM mode. M1 M2 M3 M4 M5 c li Biham - March 13, Cryptanalysis of Modes of Operation (4) c li Biham - March 13, Cryptanalysis of Modes of Operation (4)

Technion - Computer Science Department - Technical Report CS

Technion - Computer Science Department - Technical Report CS [13] National Bureau of Standards, DS Modes of Operation, U.S. Department of Commerce, FIPS pub. 81, December 1980. [14] Paul C. van Oorschot, Michael J. Wiener, A Known Plaintext Attack on Two-Key Triple