Basic Probability Theory

Transcription

1 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 2 Basic Probability Theory In this chapter, we first give an introduction to basic probability theory required for the cryptography part of the lecture. 2.1 On the Notation for Probabilities We have to introduce some probability notation dealing with events in the execution of cryptographic protocols. You may read this section rather quickly for the moment, getting back to it when the notation is used in the sequel Syntax and Informal Semantics Let x 1,..., x n be variable names, let X 1,..., X n be probabilistic functions (e.g., probabilistic algorithms), and let e 1,..., e n be deterministic expressions where e i may depend on x 1,..., x i 1. Let π be a predicate depending on x 1,..., x n. Then we write P := Pr [π(x 1,..., x n ) : x 1 X 1 (e 1 ),..., x n X n (e n )] for the following probability: First, x 1 is chosen according to X 1 (e 1 ), then x 2 using X 2 (e 2 ) (which may depend on the value of x 1 ), and so forth. Finally, π is evaluated (which depends on the values x 1,..., x n chosen before), and P is the probability that π evaluates to true. In some cases, we use slightly relaxed notation. E.g., we write y f(x) even if f is not a probabilistic function, but a deterministic one. Or we use expressions like A(B(x), y), where both A and B are probabilistic functions. This then means that first z B(x) is evaluated, and then A(z, y). However, expressions with relaxed notation can always be transformed into expressions using the notation as defined above. To make this notation clearer, we give some examples: Let U be the uniform distribution on {1,..., 10} (that is, U is a probabilistic function without arguments). Then Pr [x = y : x U, y U] denotes the probability that x = y if x and y are both independently chosen according to the distribution U. So Pr [x = y : x U, y U] = Although the same expression occurs on the right-hand side of both arrows, this does not imply that x = y with probability 1. Using the relaxed notation introduced above, this probability could as well be written as Pr [x = y : x R {1,..., 10}, y R {1,..., 10}]. For the next example, let f n be some function on bitstrings of length n, and let A be a probabilistic algorithm. Consider the following expression: Pr [f n (x) = f n (y) x y : x R {0, 1} n, y A(n, x)] (2.1) 9

2 2 Basic Probability Theory This describes the following situation: First, x is chosen to be a uniformly chosen bitstring of length n. Then, A is invoked with the length parameter n and the bitstring x as arguments. A now outputs a string y. The expression above then describes the probability that both x and y have the same image under f n, but are not equal (they form a so-called collision for f n ). Note that in this example, the whole expression (2.1) depends on an external argument n. Such parameterized probabilities are especially useful to specify asymptotic behavior. In this example, we could require that for any polynomial-time algorithm A, the probability above decreases sufficiently fast for growing n Towards a Formal Semantics (not required for this lecture) Let M be a finite or countable set. A probability distribution on M is a function D assigning a nonnegative real number to each E M (intuitively, the probability that some x E is chosen, or alternatively, that the event E occurs), such that D(E) = x E D({x}) and D(M) = 1. To highlight the fact that the images of D are probabilities, we often write P D (E) instead of D(E). For sets containing one element we abbreviate P D ({m}) by P D (m). A probabilistic function A: M N is modeled as a deterministic function M Dist(N), i.e., it assigns each input a distribution on the output. Dist(N) is the set of all distributions on N. The probabilistic assignment n A(m) then means choosing a value according to the distribution A(m) and assigning the value to n. The support of A with respect to m M, denoted [A(m)], is defined as the set of all n N that can be output with nonzero probability by A(m). Formally, [A(m)] := {n N P A(m) (n) > 0}. Let π be a predicate on a certain domain M. Then one defines the event that π is fulfilled as E π := {m M π(m) holds}. The probability that π is fulfilled given a probabilistic assignment x D is defined as Pr [π(x) : x D] := P D (E π ) = P D (m) (2.2) m s.t. π(m) holds Given probabilistic functions X 1 : M N and X 2 : M N O, the sequential execution (X 1, X 2 ) : M N O is a probabilistic function that intuitively upon argument m runs x X 1 (m), y X 2 (m, x), and returns (x, y). Formally, P (X1,X 2 )(m)(n, o) := P X1 (m)(n) P X2 (m,n)(o) (2.3) Using Equations 2.2 and 2.3 one obtains the following general formula. Let π be a predicate depending on m, n, and o. For all m M let Pr [π(m, n, o) : n X 1 (m), o X 2 (m, n)] = n,o s.t. π(m,n,o) holds P X1 (m)(n) P X2 (m,n)(o) In a similar way, one can define a more general version involving i algorithms X i as well as a version with several external messages m 1,..., m l. However, this quickly gets lengthy, so that we will not pursue it here for reasons of clarity. To illustrate the computation with the above general formula, we again consider the probability Pr [x = y : x R {1,..., 10}, y R {1,..., 10}] from the previous section. This probability 10

3 2.1 On the Notation for Probabilities can now be formally computed as Pr [x = y : x U, y U] = P U (x) P U (y) x, y s.t. x = y = x P U (x) P U (x) = 10 x= =

4 2 Basic Probability Theory 12

5 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 3 The One-Time Pad and Stream Ciphers In this chapter, we introduce the one-time pad and strean ciphers, we discuss achieving randomness for cryptography, and, finally, introduce basic notions of security for cryptography. 3.1 The One-Time Pad The one-time pad, also called Vernam cipher, was invented by Gilbert Vernam in It was the first scheme for which a security proof was given, namely by Claude Shannon in (Before that, not even definitions of security existed.) It can be defined over different message spaces, for example {a,..., z} or {0, 1}. We define it over bitstrings. Definition 3.1 (One-Time Pad) Let M = C = {0, 1} n for some n N. Let the key generation algorithm K draw keys from {0, 1} n according to a uniform distribution. Both encryption and decryption are defined by the exclusive OR of the key K with the plaintext m or the ciphertext c, respectively, i.e., E(K, m) := K m and D(K, c) := K c. Only one message can be securely encrypted with each key, hence the name of the scheme. The correctness of the one-time pad can easily be shown: Let K [K] = {0, 1} n, m M, and c [E(K, m)], i.e., c = K m since E is deterministic. Then D(K, c) = D(K, K m) = K K m = m Perfect Secrecy of the One-Time Pad The first definition of security for encryption schemes was the definition of perfect secrecy given by Claude Shannon in Intuitively it says that any message is encrypted to a specific ciphertext with the same probability. This essentially means that, given a ciphertext, no adversary gains any information on which plaintext was encrypted. Definition 3.2 (Perfect Secrecy) Let (K, E, D) be an encryption scheme with message space M and ciphertext space C. The encryption scheme provides perfect secrecy if and only if the following holds for all m 0, m 1 M and for all c C: Pr [ c = c : K K, c E(K, m 0 ) ] = Pr [ c = c : K K, c E(K, m 1 ) ] 13

6 3 The One-Time Pad and Stream Ciphers This definition essentially says that for a randomly chosen key K the probability that a message is encrypted to a particular ciphertext c is the same for all messages m i. Equivalent variants of this definition exist based on statistical independence and entropy. Shannon proved that the one-time pad satisfies this notion of perfect secrecy. Even if the proof is rather simple, it constituted a major step in the history of cryptography since it was the first proof of security of a cryptographic scheme. Proposition 3.3 The one-time pad provides perfect secrecy. Proof. Let m 0, m 1, c {0, 1} n be given. For i {0, 1} it holds that Pr [ c = c : K K, c E(K, m i ) ] = = K K, c s.t. c = c Pr [K = K : K {0, 1} n ] Pr [ c = c : c = m i K ] Pr [K = K : K {0, 1} n ] Pr [c = c : c = m i K] = K { 2 n 1 if c = K mi 0 else = 2 n. This holds both for i = 0 and for i = 1, hence the claim follows. The one-time pad has the disadvantage that the key is as long as the message, and a key cannot be reused without sacrificing perfect secrecy as we will show below. Thus deploying this scheme necessarily requires to securely transmit a large amount of keys. While this is done in very sensitive environments (the Red Telephone linking the White House with the Kremlin during the Cold War was encrypted with the one-time pad) it is impractical for essentially any application. So the question naturally arises if one can securely encrypt with shorter keys. Unfortunately, Shannon also proved that this is not possible given the definition of perfect secrecy. Proposition 3.4 (Optimality of the One-Time Pad) Let (K, E, D) be a cipher with message space M, ciphertext space C, and key space K := [K]. If the cipher provides perfect secrecy, then K M. Proof. Let m 1 M, K 1 K, and c [E(K 1, m 1 )] arbitrary. Assume for contradiction that K < M. Let M c := {m M K K: D(K, c) = m} denote the set of plaintexts that the ciphertext c could be decrypted to using some key K. Since decryption is deterministic and since K < M, we have that M c < M. Thus there exist some m 2 M \ M c, and this m 2 satisfies that for all K K we have D(K, c) m 2 by definition of M c. For the plaintexts m 1, m 2 and the ciphertext c one obtains Pr [ c = c : K K, c E(K, m 1 ) ] > 0 = Pr [ c = c : K K, c E(K, m 2 ) ]. This contradicts the assumption that the cipher provides perfect secrecy. Hence the assumption K < M was not correct. 14

7 3.2 Stream Ciphers Active Attacks Against the One-Time Pad If an adversary not only reads messages but also changes messages (called an active adversary), then active attacks such as the following one become possible. Consider a simple voting system, where each participant votes 0 or 1. This vote is encrypted using the one-time pad, i.e., each participant i shares a random bit K i R {0, 1} with a central voting authority. Every participant sends the ciphertext c i := K i m i to the central authority. The voting authority then computes c i K i = m i and counts all votes. Note that this is a very weak form of voting scheme since the voting authority can see the votes of every voter. This is provided for the sake of demonstration only. Now assume that an attacker knows (e.g., by means of an opinion poll) that a majority of all participants is going to vote 0. Then by intercepting all votes c i and replacing them with c i := c i 1 the attacker is able to invert the outcome of the vote, since these ciphertexts decrypt to c i K i = (c i 1) K i = ((m i K i ) 1) K i = m i 1 One says that the one-time pad is highly malleable, i.e., it offers no form of integrity of the plaintexts. Thus, the one-time pad should only be used with suitable integrity protection mechanisms. These are called MACs (message authentication codes) and will be discussed in Section Stream Ciphers Stream ciphers constitute practical encryption schemes that can easily be implemented in hardware. They are widely used in protocols such as SSL/TLS and b WEP. We have seen that the one-time pad provides very strong security guarantees, but it is not usable for most practical applications because the keys need to be as long as the messages in order to retain these guarantees. One idea to overcome this problem is to not use keys that are fully random but keys that only look random. A short truly random string is used as input to a deterministic function, a pseudorandom generator G, which computes a larger string. This larger string of course cannot be truly random, but it will be such that no efficient machine can tell it apart (can distinguish it) from true randomness. Consequently, it is called a pseudorandom string. Typical examples of stream ciphers have encryption and decryption functions that simply take the exclusive OR of the key K i, that is pseudorandomly generated by G, and the message m i or the ciphertext c i, respectively. Recall that we proved in the last chapter that such a cipher cannot provide perfect secrecy since its key space is much smaller than the message space. However, under the assumption that the adversary has not unbounded power, but is efficient, it still provides strong security guarantees Unpredictability of Pseudorandom Generators (PRGs) Why do we need unpredictability? Assume an is transmitted in an encrypted manner. Then one knows that large parts of the plaintext, e.g., the header, have a fixed format. Thus an attacker can obtain some bytes of the pseudorandom string at the beginning by computing the exclusive OR of the initial bits of the encryption and the known parts of the header. Perhaps he needs to guess where exactly the header is placed, but this is possible with reasonably large probability. If he was able to predict the behavior of the pseudorandom generator, then he would be able to decrypt the remaining parts of the message. 15

8 3 The One-Time Pad and Stream Ciphers Getting True Randomness in Practice The seed for a pseudorandom generator, and keys for symmetric encryption schemes in general, should be as random as possible, for example, one uses physical random number generators to get good randomness. There are some physical sources that are supposed to produce good randomness, but the resulting bits may have a certain bias or some correlation. In practice, one often circumvents this by taking the exclusive OR of bits obtained from different such sources; in theory it is more appropriate to apply a randomness extractor to improve the quality of the output. An example for such a randomness extractor is the Von Neumann extractor or hash functions. Typical physical sources of randomness include: thermal noise in various electric circuits, shot noise, avalanche noise, atmospheric noise, captured by antennas, quantum effects, e.g., radioactive decay obtained from Geiger-Müller tubes, Brownian motion, more playfully, lava lamps. There is even a patent for creating random bits with lava lamps (US patent #5,732,138). In July 2009, Reidler, Aviad, Rosenblut and Kanter published a ultrahigh-speed random number generator based on the fluctuating intensity of a chaotic semiconductor laser. The generation rate is up to 12.5 GBits/s. There is also a number of random sources that are more easily available, at the cost of producing weaker randomness. What is used also in practice is measurement of times between user key-strokes, and time needed to access different sectors on the hard-disk drive (the air turbulences caused by the spinning disk is supposed to be sufficiently random) Examples of Pseudorandom Generators In the following, we provide examples for pseudorandom generators and discuss their strengths and weaknesses. RC4 RC4 is a stream cipher invented by Ron Rivest in 1987 for RSA Security Inc., which also holds the trademark for it. The source code was originally not released to the public because it was a trade secret, but was posted to a mailing list in September 1994; thus people referred to this version as alleged RC4. Today it is known that alleged RC4 indeed equals RC4. While RC4 does not satisfy next-bit unpredictability, it is considered secure from a practical point of view if one takes certain precautions. It is used in many protocols such as SSL/TLS and b WEP. Its main data structure is an array S of 256 bytes. The array is initialized to the identity before any output is generated, i.e., the first cell is initialized with 0, the second with 1 and so on. Then the cells are permuted using certain operations that depend on the current state and the chosen key K. In pseudocode, the RC4 initialization phase works as follows: 16 for i from 0 to 255 S[i] := i

9 3.2 Stream Ciphers j := 0 for i from 0 to 255 j := (j S[i] K[i mod keylength]) mod 256 swap(s[i],s[j]) After initialization has been completed, the following procedure computes the pseudorandom sequence. For each output byte, new values of the variables i and j are calculated, the corresponding cells are swapped, and the content of a third cell is output: i := 0 j := 0 while GeneratingOutput i := (i 1) mod 256 j := (j S[i]) mod 256 swap(s[i],s[j]) output S[(S[i] S[j]) mod 256] One easily sees that the first byte that is output depends on the content of three cells only. This property can be used to launch attacks against the cipher, so one usually discards the first 256 bytes of output generated by this algorithm to prevent these attacks. Linear Feedback Shift Register (LFSR) Linear feedback shift registers (LFSRs) constitute a building block for generating pseudorandom strings. An LFSR consists of a shift register that shifts its content for one bit at each clock, and a function that determines the feedback, i.e., the next value that enters the shift register, as a function of its current state. For LFSRs this is a linear function, e.g., the exclusive OR of certain specified bits in the state. But also feedback shift registers with a more complex feedback function exist. The initial state of the shift register comprises the seed. A sketch of an LFSR is given in Figure 3.1. The security of an LFSR is determined by its feedback function and how it K 0 K 1 K 2 K 3 K 4 Figure 3.1: Linear feedback shift register is interlinked with the surrounding operations. Note that LFSRs on their own cannot naively be used as stream ciphers because directly outputting the bits of the state leaks the current state of the register, so after a full turn the complete state is known. A solution often taken is that one throws away the first bits and subsequently combines LFSRs in some clever way either with other LFSRs or with other cryptographic primitives. For instance, one encrypts the output of an LFSR using a secure block cipher, which yields a pseudorandom sequence provided that the bits output by an LFSR do not repeat themselves. 17

10 3 The One-Time Pad and Stream Ciphers The Content Scrambling System (CSS) We conclude with a brief description of the content scrambling system (CSS), which is a proprietary standard for encrypting the contents of DVDs. The key management is rather complex and we do not go into details here. The actual content is encrypted with a stream cipher whose corresponding pseudorandom generator will be described in the sequel. Figure 3.2 illustrates the pseudorandom generator. seed 1 K 0 K 1 17-bit LFSR 8 add mod K 2 K 3 K 4 25-bit LFSR 8 Figure 3.2: Content scrambling system Each sector key consists of 5 bytes K 0,..., K 4. The pseudorandom generator comprises two LFSRs that operate as follows. The first LFSR has a length of 17 bits and is initialized with 1 K 0 K 1, where the feedback is computed as the exclusive OR of bits 1 and 15. The second LFSR has a length of 25 bits initialized as 1 K 2 K 3 K 4, where the feedback is calculated as the exclusive OR of bits 11, 19, 20, and 23. Both LFSRs are clocked eight times, each of them producing eight bits of output. This output is treated as bytes, added modulo 256 observing the carry bit from the previous addition. The resulting output is used to encrypt the actual data. The most apparent weakness of CSS is its short key size of 40 bits. This is a consequence of US export regulations at the time when CSS was standardized. Brute-force attacks are reported to take 17 hours on a Celeron 366, i.e., on a very old hardware, and thus already much faster on more recent hardware. More sophisticated attacks reduce the complexity to even only 2 16 possible keys, thus taking only several seconds until CSS is successfully attacked. 3.3 Adversary Models We distinguish the following adversarial capabilities for modeling our adversaries: Single-message chosen-plaintext attack (1-CPA): the adversary sees one ciphertext only. In the first step, the adversary chooses two messages. In the next step he is given the encryption of one of these messages. This ciphertext is also called challenge ciphertext or simply challenge. If he cannot distinguish which of these (self-chosen) plaintexts is inside the challenge ciphertext, he did not learn any partial information about the message contained in the challenge. We have already seen ciphers fulfilling this notion, e.g., the one-time pad. 18

11 3.3 Adversary Models Chosen-plaintext attack (CPA): here the adversary sees (polynomially) many ciphertexts of self-chosen plaintexts, i.e., in addition to 1-CPA attacks, he may select arbitrary plaintexts whose encryption he sees before proceeding with a challenge. Examples of ciphers fulfilling this stronger notion are randomized CBC based on PRPs (cf. Section 4.4.2) as well as randomized counter mode based on PRFs (cf. Section 4.4.5). Chosen-ciphertext attack (CCA): in addition to the capabilities for CPA, the adversary may choose ciphertexts that get decrypted for him. In order to avoid trivial distinguishability, these ciphertexts must of course be different from the challenge ciphertext. We will work with chosen-ciphertext attacks later. 19

12 3 The One-Time Pad and Stream Ciphers 20

13 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University Lecture 6 (9 December 2016) saarland university computer science Chapter 4 Block Ciphers and Modes of Operation In the following, we will see an archetypical example of a block cipher, namely, DES. We will subsequently discuss how block ciphers can be used to securely encrypt a larger amount of data, and we will briefly present some attacks on block ciphers. First, however, we will introduce the concept of Feistel networks, which constitutes an important design principle underlying many block ciphers. 4.1 Feistel Networks Feistel networks are a specific construction for designing symmetric encryption schemes. They were first described by Horst Feistel during his work on the cipher Lucifer at IBM. Lucifer was the predecessor of the Data Encryption Standard (DES), and both are built upon the same design. Other ciphers using Feistel networks include IDEA, RC5, and Skipjack. A Feistel network defines a function F : {0, 1} 2n {0, 1} 2n. It is parameterized by the number of rounds d N and the round functions f 1,..., f d : {0, 1} n {0, 1} n. The function F operates in d rounds, typically between 12 and 16. In the i-th round, the following operations are executed: 1. the round input is split into two halves L i 1 R i 1, 2. the round function f i is applied to the right half yielding f i (R i 1 ), 3. the exclusive OR of this value and the left half is computed yielding L i 1 f i (R i 1 ), 4. the left and right side are swapped, thus yielding the round output L i R i := R i 1 L i 1 f i (R i 1 ) This construction is depicted in Figure 4.1. The main innovation is that the function F defined by a Feistel network is a permutation for arbitrary functions f i. In particular, these do not even need to be invertible. Proposition 4.1 (Feistel Networks Are Permutations) Let F : {0, 1} 2n {0, 1} 2n be a Feistel network using an arbitrary round function f i. Then, F constitutes a permutation. Proof. First, we show how to invert a single round i. Let F i denote the function computed in the i-th round. We define the candidate inverse function G i for input L i R i as G i (L i R i ) := R i f i (L i ) L i. The following simple calculation shows that this is indeed the inverse function: G i (F i (L i 1 R i 1 )) = G i (R i 1 L i 1 f i (R i 1 )) = (L i 1 f i (R i 1 )) f i (R i 1 ) R i 1 = L i 1 R i 1 21

14 4 Block Ciphers and Modes of Operation L i-1 R i-1 f i L i R i Figure 4.1: One round in a Feistel network The candidate inverse G of the function F having d rounds is now defined as G := G 1 G d ; the following calculation shows that G is indeed the inverse: G 1 (G 2 (... G d 1 (G d (F d (F d 1 (... F 1 (m)... ))))... )) = G 1 (G 2 (... G d 1 (F d 1 (... F 1 (m)... ))... )) =... = G 1 (F 1 (m)) = m Feistel networks are appealing due to their simple design and their additional nice property that the same hardware circuit can be used for both encryption and decryption. This was particularly important in the 60s and 70s when the first block ciphers were designed, and when hardware was still much more expensive. There are two minor differences between encrypting a plaintext and decrypting a ciphertext in a Feistel network. However, these do not affect the network itself but only the handling of inputs of the circuit, i.e., messages and inputs of round functions. Namely, (i) the round functions need to be applied in reversed order, and (ii) writing c = L d R d as the ciphertext, one inputs R d L d to the network for decryption, i.e., one exchanges the left and the right half of the ciphertext, and additionally one exchanges the left and the right half of the output of the Feistel network. One can easily verify that the Feistel network (with these modifications) computes the decryption operation as defined in the above proof. 4.2 The Data Encryption Standard (DES) For a long time, DES was one of the most widely applied block ciphers. It was designed by IBM in collaboration with the NSA and published as a standard in FIPS PUB There were rumors about weaknesses the NSA had built into it, but until now, no evidence was found for these concerns. The main point of criticism against DES was its limited key length, which is nowadays the reason why pure DES is no longer used. In fact, the first DES break, in the sense of a total break given a certain number of plaintext/ciphertext pairs, was reported in 1997 by the DESCHALL project and took about three months. In 1998, the Electronic Frontier Foundation (EFF) built a specialized hardware device resulting in a break in roughly three days. Later they where cooperating with distributed.net breaking a DES challenge in 22 hours. The world record for breaking a DES encryption is currently around 10 hours and this is likely to decrease in the 22

15 4.2 The Data Encryption Standard (DES) IP: Figure 4.2: Initial permutation (IP) in DES: the first bit of the output is the 58-th bit of the input, the second bit of the output is the 50-th bits of the input, and so on. R i 32 expansion permutation E round key K i S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 32 P-Box 32 Figure 4.3: DES round function f i future. A variant called Triple-DES (3DES), which we will discuss later in this chapter, is still deployed and seems to provide good security Overall Construction of DES DES is essentially a Feistel network of 16 rounds operating on blocks of 64 bits and using a key of 56 bits, which is randomly chosen from {0, 1} 56. What makes DES different from a pure Feistel design is the initial permutation IP which is applied before the first round starts, and whose inverse IP 1 is applied after the last round, see Figure 4.2. The DES round function f i, as depicted in Figure 4.3, executes the following steps: 1. Expansion permutation. The message block of 32-bit length is expanded to a block of 48 bits by doubling 16 bits and permuting the block as defined by the expansion permutation E shown in Figure 4.4. The permutation is chosen in a way that one bit in the input affects two substitutions in the output (see the S-Boxes below). This creates an avalanche effect, meaning that a small difference between two plaintexts will produce a large difference in the resulting ciphertexts. 2. Round key addition. The exclusive OR of the 48-bit value with the 48-bit round key K i is computed. The derivation of the round keys, i.e., the key schedule, is defined below. 3. Splitting. This block of 48 bits is split into eight blocks with 6 bits each. 23

16 4 Block Ciphers and Modes of Operation E: Figure 4.4: Expansion permutation E in DES: the first bit of output is the 32-nd bit of the input, the second bit of output is the first of the input and so on. 4. S-Box. Each of these blocks is the input to one of the eight S-boxes S 1,..., S 8, as shown in Figure 4.5. Each S-box yields a 4-bit output. Concatenating these outputs yields a block of 32 bits. 5. P-Box. The permutation P defined in Figure 4.6 is applied to the 32-bit block, yielding the output of f i Key Schedule The choice of the key used in each round is called key schedule. Even if a DES key is composed of 64 bits, 8 bits are used for error detection, thus resulting in an actual key length of 56 bits. In the first step, the error correction bits are stripped off a 64-bit key K and the bits are permuted by a fixed permutation. Both is performed by the function P C-1 shown in Figure 4.7. The output is divided into a 28-bit left half C 0 and a 28-bit right half D 0. Now for each round we compute C i = C i 1 «p i D i = D i 1 «p i where x «p i means a cyclic shift on x to the left by p i positions where p i = 1 if i {1, 2, 9, 16}, and p i = 2 otherwise. Finally, C i and D i are joined together and permuted according to P C-2, obtaining the 48-bit round key. This permutation is given in Figure The Security of DES DES withstood attacks quite successfully apart from some attacks based on linear and differential cryptanalysis which we shall discuss later. However, the major weakness of DES is its limited key length of 56 bits which is nowadays not enough to provide a reasonable level of security. For this reason, several improvements on the plain DES have been proposed. We will discuss some of them in the following. For more information about the security of DES we refer to Section Some Attacks on Block Ciphers In the sequel we sketch some possible attacks on block ciphers and briefly discuss their effects on DES. 24

17 4.3 Some Attacks on Block Ciphers S 1: O 6 13 S 2: S 3: S 4: S 5: O S 6: S 7: S 8: Figure 4.5: S-Boxes in DES: for a binary string x 0 x 1 x 2 x 3 x 4 x 5, the output is computed by looking up the entry in row x 0 x 5 and column x 1 x 2 x 3 x 4. This representation has historical reasons. P Figure 4.6: P-Box in DES: the first bit of the output is the 16-th bit of the input. 25

18 4 Block Ciphers and Modes of Operation P C-1: P C-2: Figure 4.7: DES key schedule permutations P C-1 and P C-2 (note that the indices refer to the original key with error-correcting bits) K PC-1 64bit C 0 D 0 LS 1 LS 1 C 1 D 1 PC-2 K 1 LS 2 LS 2 LS 16 LS 16 C 16 D 16 PC-2 K 16 Figure 4.8: Key scheduling in DES 26

19 4.3 Some Attacks on Block Ciphers Exhaustive Key Search The conceptually simplest attack that can be mounted against any block cipher is exhaustive key search, also called brute-force attack. Knowing a few plaintext/ciphertext pairs (m 1, c 1 ), (m 2, c 2 ),... with c i = E(K, m i ), one tries to find the key K by testing every possible key. To estimate the effectiveness of this attack we need to know how many keys would encrypt a fixed plaintext to a specific ciphertext. We will give an estimation for this in the sequel, where we replace the block cipher with a random function for every key. While this technique is not accurate, it makes use of the intuition that the encryption function should essentially constitute a random function, and is usually considered to be a reasonable abstraction. In this case, one says that the block cipher is considered to be an ideal cipher. This heuristic is used quite often, because an accurate analysis of a real block cipher such as DES is extremely complex. For the case of DES we prove the following statement: for a randomly chosen message block m {0, 1} 64 and a randomly chosen key K {0, 1} 56, the probability that there exists another key K {0, 1} 56 encrypting the message m to the same ciphertext is very low, provided that DES behaves like an ideal cipher. Hence, the probability that a key is already uniquely determined after seeing one plaintext/ciphertext pair, is high. Lemma 4.2 Let (K DES, E DES, D DES ) denote the idealized DES cipher, i.e., for randomly chosen key K [K DES ], the function E DES (K, ) is as good as a randomly chosen function R: {0, 1} 64 {0, 1} 64. Then [ Pr K [K DES ] s.t. E DES (K, m) = E DES (K, m) K K : m R M, K K DES] Proof. We have Pr [ K [K DES ] s.t. K K E DES (K, m) = E DES (K, m) : m R M, K K DES] (1) K {0,1} 56 Pr [E DES (K, m) = E DES (K, m) K K : m R M, K K DES] 1 [ ] = 2 56 Pr E DES (K, m) = E DES (K, m) K K : m R M K,K {0,1} 56 (2) { 1 0 if K = K = if K K K,K {0,1} = 2 8 For inequality (1) we exploited that the probability of a union is always less or equal than the sum of the probabilities of all elements of the union. Equality (2) holds because E DES was considered to be an ideal cipher. Consequently, both E DES (K, m) and E DES (K, m) are (independent) uniformly random in {0, 1} 64 over the choice of the random functions, provided 1 that the keys are not equal. Thus the probability that both encryptions are equal is

20 4 Block Ciphers and Modes of Operation Exhaustive Key Search in Practice. The DES Challenge was put forward by RSA Security to encourage research on the security of DES. A reward of $10,000 was offered for solving the challenge, i.e., for computing the key that was used to encrypt a specific plaintext/ciphertext pair of the form The unknown message is:. In 1997, the DESCHALL project needed about three months to break the DES challenge with a distributed search. In 1998, the Electronic Frontier Foundation (EFF) built the specialized hardware device Deep Crack that was able to break DES keys in roughly three days, at rather moderate costs of about $250,000. While this is certainly too expensive for individuals, this amount is reasonable for large organizations or governments. Later the EFF and distributed.net together broke the challenge in 22 hours Linear Cryptanalysis Suppose messages m and keys K are drawn uniformly at random from their respective sets. Further suppose one knows i 1,..., i r, j 1,..., j s, k 1,..., k t such that [ ] Pr m (i1)... m (ir) c (j1)... c (js) K (k1)... K (kt) = ɛ, where m (i), c (i), K (i) denote the i-th bits of the bitstring m, the ciphertext c, and the key K, respectively. Such relations can be found for DES with ɛ If one gets enough plaintext/ciphertext pairs, one can obtain partial information about the key. Namely for 1/ɛ 2 plaintext/ciphertext pairs (m l, c l ) one has [ ( Pr K (k1)... K (kt) = MAJ m (i 1) l... m (ir) l c (j 1) l... c (js) l l = 1,..., 1/ɛ 2)] 97.7%. where MAJ denotes the majority function, taken over all exclusive ORs computed from any given plaintext/ciphertext pair, i.e., MAJ(b i i = 1,..., n) returns 0 if n 2 or more arguments b i are 0, and 1 otherwise. One can calculate that obtaining 2 42 plaintext/ciphertext pairs for DES allows for retrieving 14 bits of information of the key using these techniques. This enables an attacker to reduce the complexity of an exhaustive key search to 2 42 DES operations, as one only has to test keys fulfilling the relation. An even more involved method to break block ciphers is differential cryptanalysis, which we will not discuss here Side-channel Attacks All the previous attacks are concerned with the input/output behavior of the algorithm only. This is the most common view, sometimes called the standard view, on cryptographic algorithms. However, in certain scenarios an attacker can gain access to more data. This can, for example, be the time needed to compute an encryption, the electric power consumption of a processor, or the electromagnetic emanation of a device, in particular of smartcards. Some of these attacks were able to completely break a system in seconds, and several smartcards have been withdrawn after it was discovered that they were highly vulnerable to such attacks. One of the most famous side-channel attacks is due to Paul Kocher, who measured electric power consumption of microprocessors. He showed that by inspection of power consumption curves one can identify which conditional branch the executed code took. Consequently, if these conditions depend on the secret key, then information about the key is leaked. In fact, from several popular algorithms the key could quite easily be retrieved using such an attack. 28

21 4.4 Modes of Operation 4.4 Modes of Operation Given a block cipher (K, E, D) with message space M = {0, 1} n and key space K := [K], i.e., a symmetric encryption scheme where the message space M corresponds to the cipher space C. There are several ways it can be used to encrypt messages that are longer than a single block. The standard FIPS PUB 81 defines four modes of operation (ECB, CBC, OFB, CFB). Another mode is the counter mode, which has several variants. All operation modes have in common that their key generation algorithm is the same as the key generation for the cipher, we omit its description in the sequel Electronic Codebook Mode (ECB) The electronic codebook (ECB) mode corresponds to the naive use of a block cipher. The message is split into a sequence m = m 1,..., m t of blocks m i M. Each block m i is encrypted with the same key K. Formally, the encryption c = c 1,..., c t is computed as c i := E(K, m i ). The decryption operation is obvious. The ECB mode is depicted in Figure 4.9. The main weakness of the ECB mode is that identical blocks m i are encrypted to the same ciphertext c i. This is a particularly strong weakness if messages come from a source with low entropy, e.g., securely encrypting (uncompressed) images is not possible using ECB. On the positive side, if one block c i gets corrupted due to unreliable channels, then only one block is affected while all other blocks can still be decrypted Cipher Block Chaining Mode (CBC) The cipher block chaining (CBC) mode overcomes the main weakness of ECB by using an initialization vector IV which is chosen uniformly at randomly from the set M in the encryption process as follows. A message m = m 1,..., m t is encrypted by computing c 1 := E(K, m 1 IV ) and c i := E(K, m i c i 1 ), for i 2, i.e., each ciphertext block c i is XOR ed with the next block of the plaintext. The ciphertext is c = IV, c 1,..., c t. The decryption operation is straightforwardly derivable from the encryption; thus we omit its description. The CBC mode is depicted in Figure For the CBC mode, a one-bit error in the ciphertext gives not only a one-block error in the corresponding message block but also a one-bit error in the next decrypted plaintext block. The initial value IV ensures that two encryptions of the same plaintext yield different ciphertexts, as opposed to the ECB mode. Note that the initialization vector needs to be included in the ciphertext, as otherwise the ciphertext cannot be decrypted Cipher Feedback Mode (CFB) To encrypt a message m = m 1,..., m t in the cipher feedback (CFB) mode, one first randomly chooses an initialization vector IV. The ciphertext c = IV, c 1,..., c t is computed by appending the initialization vector IV to the c i that are computed as follows: c 1 := m 1 E(K, IV ), and c i := m i E(K, c i 1 ) for i 2. 29

22 4 Block Ciphers and Modes of Operation m 1 m 2 c 1 c 2 E(K, ) E(K, ) D(K, ) D(K, ) c 1 c 2 m 1 m 2 Figure 4.9: Encryption and Decryption in ECB Mode m 1 m 2 c 1 c 2 IV D(K, ) D(K, ) E(K, ) E(K, ) IV c 1 c 2 m 1 m 2 Figure 4.10: Encryption and Decryption in CBC Mode IV m 1 m 2 IV c 1 c 2 E(K,.) E(K,.) E(K,.) E(K,.) c 1 c 2 m 1 m 2 Figure 4.11: Encryption and Decryption in CFB Mode IV E(K,.) E(K,.) E(K,.) IV E(K,.) E(K,.) E(K,.) m 1 m 2 c 1 c 2 c 1 c 2 m 1 m 2 Figure 4.12: Encryption and Decryption in OFB Mode IV IV1 IV2 IV IV1 IV2 E(K, ) m 1 E(K, ) m 2 E(K, ) c 1 E(K, ) c 2 c 1 c 2 m 1 m 2 Figure 4.13: Encryption and Decryption in CTR Mode 30

23 4.4 Modes of Operation The decryption operation is defined in the straightforward manner. Note that the decryption algorithm D from the block cipher is not involved. A one-bit error in the ciphertext causes a one-bit error in the corresponding plaintext block and a block-error in the next decrypted plaintext block, i.e., the opposite of what happens in the CBC mode. The CFB is depicted in Figure Output Feedback Mode (OFB) To encrypt a message m = m 1,..., m t in the output feedback (OFB) mode one randomly chooses an initialization vector IV, the ciphertext c = IV, c 1,..., c t is computed by appending the initialization vector to the c i that are computed as follows c i := m i E i (K, IV ). where E i (K, ) means iterating the encryption algorithm i times. Of course, when implementing this mode one reuses previously computed iterations in the obvious way, see also Figure Decryption is computed analogously. Again, the initialization vector needs to be included in the ciphertext. The OFB mode has the property that a one-bit error in the ciphertext gives only a one-bit error in the decrypted ciphertext. Furthermore, the key stream can be pre-computed, as it does not depend on the ciphertext. So this mode is good if latency between receiving a message and decrypting it is important. A Note on the Initialization Vector. We have defined the modes ECB, CBC, CFB, and OFB in such a way that the initialization vector is chosen uniformly at random and included in the ciphertext. However, the key requirement is that an initialization vector is not used twice, so one could define these modes such that subsequent initialization vectors are determined by a counter. Then the initialization vector does not have to be sent with the ciphertext; however, both the sender and the recipient have to synchronize their counters Counter Mode (CTR) In contrast to the former modes of operation, the key stream in the counter mode is computed by applying the function E to values generated by a so-called counter, which can be essentially any function that will not repeat itself for a long time. In the following we will take a simple, deterministic counter. This mode comes in two variations, depending on how the initialization vector is chosen. The overall operation of the counter mode (both deterministic and randomized) is sketched in Figure Let an initialization vector IV be given. (We will later explain how it may be chosen.) The encryption of a message m = m 1,..., m l, where each m i M, is given by c = c 1,..., c l where c i := m i E(K, IV i). Here, the addition IV i is computed modulo 2 n. Deterministic Counter Mode (detctr). In this variant, the initialization vector is chosen to be IV = 0. We will see that this has the consequence that only one message can be encrypted securely, as we would re-use a value output by the function E when encrypting the second message. 31

24 4 Block Ciphers and Modes of Operation Deterministic counter mode has very similar characteristics to OFB. A bit-error in ciphertext leads to a bit-error in the message; subsequent blocks are not affected. The key stream can be precomputed, and random access to the ciphertext is possible. Randomized Counter Mode (randctr). This variant does not use a fixed initialization vector, but randomly chooses a new one for every message that is encrypted. This value has to be sent along with the ciphertext c as constructed above, i.e., the actual ciphertext is (IV, c). Randomized counter mode has very similar characteristics to detctr and OFB. However, in contrast to detctr we will see that it can be used to securely encrypt multiple messages. As for detctr, the key stream can be precomputed, and random access to the ciphertext is possible. 32