A Brief Outlook at Block Ciphers

Size: px

Start display at page:

Download "A Brief Outlook at Block Ciphers"

Morgan Bond
5 years ago
Views:

1 A Brief Outlook at Block Ciphers Pascal Junod École Polytechnique Fédérale de Lausanne, Suisse CSA 03, Rabat, Maroc,

2 Content Generic Concepts DES / AES Cryptanalysis of Block Ciphers Provable Security CSA 03, 10 septembre 2003, Rabat, Maroc i

3 Block Cipher P e C d P K K CSA 03, 10 septembre 2003, Rabat, Maroc ii

4 Block Cipher (2) Deterministic, invertible function: e : {0, 1} n K {0, 1} n d : {0, 1} n K {0, 1} n The function is parametered by a key K. Mapping an n-bit plaintext P to an n-bit ciphertext C: C = e K (P ) The function must be a bijection for a fixed key. CSA 03, 10 septembre 2003, Rabat, Maroc iii

5 Product Ciphers and Iterated Block Ciphers A product cipher combines two or more transformations in a manner intending that the resulting cipher is (hopefully) more secure than the individual components. An iterated block cipher is a block cipher involving the sequential repetition of an internal function f called a round function. Parameters include the number of rounds r, the block bit size n and the bit size k of the input key K from which r subkeys k i (called round keys) are derived. For invertibility purposes, the round function f is a bijection on the round input for each value k i. CSA 03, 10 septembre 2003, Rabat, Maroc iv

6 Product Ciphers and Iterated Block Ciphers (2) P K f k1 f k2 f k r C CSA 03, 10 septembre 2003, Rabat, Maroc v

7 Good and Bad Block Ciphers Flexibility Throughput Estimated Security Level CSA 03, 10 septembre 2003, Rabat, Maroc vi

8 Data Encryption Standard (DES) American standard from ( ). Designed by a team of IBM. Iterated block cipher with 64-bit block size, 56-bit key size. High-level structure is a Feistel scheme. CSA 03, 10 septembre 2003, Rabat, Maroc vii

9 Feistel Scheme F CSA 03, 10 septembre 2003, Rabat, Maroc viii

10 DES f-function S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 CSA 03, 10 septembre 2003, Rabat, Maroc ix

11 Advanced Encryption Standard (AES) Competitive basis 15 candidates 5 finalists: Rijndael, Serpent, Twofish, Mars, RC6 Rijndael has become the AES Encrypts 128-bit blocks under 128-, 192- and 256-bit keys. CSA 03, 10 septembre 2003, Rabat, Maroc x

12 AES Substitution-Permutation Network Write the data as a 4 4 matrix over elements of GF(2 8 ): x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 4 main operations: key addition, SubBytes, ShiftRows, MixColumns CSA 03, 10 septembre 2003, Rabat, Maroc xi

13 AES (2) rounds (depends on the key length) SubBytes: inversion operation in GF(2 8 ) followed by an affine application on GF(2) 8. MixColumns: linear (4, 4)-multipermutation on GF(2 8 ) 4. ShiftRows: row-wise rotation of the matrix components. CSA 03, 10 septembre 2003, Rabat, Maroc xii

14 AES (3) Plus de détails sur AES lors des travaux pratiques de demain! CSA 03, 10 septembre 2003, Rabat, Maroc xiii

15 Speed Name Key Size Cycles / byte on an Intel P3 RC CAST Nimbus Khazad Hierocrypt Nush Misty IDEA DES KASUMI Skipjack SAFER Triple-DES CS-Cipher CSA 03, 10 septembre 2003, Rabat, Maroc xiv

16 Speed (2) Name Key Size Cycles / byte on an Intel P3 RC Nush Twofish Mars AES SC Camellia Anubis Serpent SAFER Hierocrypt CSA 03, 10 septembre 2003, Rabat, Maroc xv

17 Kerkhoffs Principle The adversary knows all details of the encrypting and decrypting processes, except for the value of the secret key. CSA 03, 10 septembre 2003, Rabat, Maroc xvi

18 Attack Models Global Deduction Local Deduction Information Deduction Distinguishing Attack CSA 03, 10 septembre 2003, Rabat, Maroc xvii

19 Attack Scenarii Ciphertext-Only Attack Known-Plaintext Attack Chosen-Plaintext Attack Non-Adaptive vs. Adaptive Attacks CSA 03, 10 septembre 2003, Rabat, Maroc xviii

20 Generic Attacks Exhaustive Key Search (related to the key size) Ciphertext-Matching Attack (related to the block size) Hellman s Time-Memory Tradeoff CSA 03, 10 septembre 2003, Rabat, Maroc xix

21 Differential Cryptanalysis Chosen-plaintext attack (re-) discovered by Biham and Shamir (1990). Looks at ciphertext pairs whose corresponding plaintexts have a particular difference: (P, P + ) (C, C + ). Last-round attack concept. CSA 03, 10 septembre 2003, Rabat, Maroc xx

22 Differential Cryptanalysis (2) Since then, many variants have been described. Truncated, impossible, high-order differential cryptanalysis. Boomerang attack, rectangle attack CSA 03, 10 septembre 2003, Rabat, Maroc xxi

23 Linear Cryptanalysis Invented by Matsui in 1993, based on ideas of Gilbert et al.. Known-plaintext attack. Looks at equation of the type a P b C = c K One expects that the above equation is probabilistically biased. CSA 03, 10 septembre 2003, Rabat, Maroc xxii

24 Other Attacks Differential-Linear Cryptanalysis Integral Cryptanalysis Interpolation Attack Statistical Attacks CSA 03, 10 septembre 2003, Rabat, Maroc xxiii

25 Algebraic Attacks Shannon (1949) stated that the break of a block cipher should require as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type. Overdefined systems (AES) (papers of Courtois, Pieprzyk, Murphy, Robshaw...) Actual (real) complexity of the known solving algorithms remains at this time an open problem. Ongoing, exciting research field! CSA 03, 10 septembre 2003, Rabat, Maroc xxiv

26 Attacks against the Key-Schedule Algorithm Linear Factors Related-Key Attacks Slide Attacks Weak Keys CSA 03, 10 septembre 2003, Rabat, Maroc xxv

27 Provable Security Theoretical Notions of Security Linear, Differential Cryptanalysis Luby-Rackoff Model Decorrelation Theory CSA 03, 10 septembre 2003, Rabat, Maroc xxvi

28 Luby-Rackoff Model Distinguisher δ: computationally unbounded Turing machine. Oracle Ω implements a permutation on {0, 1} n. C vs. C The distinguisher can submit a bounded number of queries to Ω and ultimately outputs a decision bit. CSA 03, 10 septembre 2003, Rabat, Maroc xxvii

29 Luby-Rackoff Model (2) Advantage: Adv n δ (C, C ) = Pr [δ(x) = 1] Pr [δ(x) = 1] C C Best Advantage BestAdv n (C, C ) = max δ Adv n δ (C, C ) A security proof means that one is able to provide an acceptable upper bound on BestAdv n (C, C ) for a given block cipher C. CSA 03, 10 septembre 2003, Rabat, Maroc xxviii

30 Luby-Rackoff Model (3) Feistel scheme is the most studied one in the Luby-Rackoff model. For 4 rounds or more, a random Feistel scheme is secure against knownplaintext attacks. For 7 rounds or more, a random Feistel scheme is secure against chosenplaintext attacks. For 10 rounds or more, a random Feistel scheme is secure against chosenplaintext and chosen-ciphertext attacks. CSA 03, 10 septembre 2003, Rabat, Maroc xxix

31 Decorrelation Theory Constructive Security Framework proposed by Vaudenay (1998). Based on the Luby-Rackoff model. Central concept is the decorrelation matrix of order d of a random function F : [F ] d (x 1,...,x d ),(y 1,...,y d ) = Pr K [F (x 1) = y 1... F (x d ) = y d ] CSA 03, 10 septembre 2003, Rabat, Maroc xxx

32 Decorrelation Theory (2) Given the decorrelation matrix of a random function F, one can compare it to a canonical function F using the concept of decorrelation bias: Dec d (F ) = [F ] d (x 1,...,x d ),(y 1,...,y d ) [F ] d (x 1,...,x d ),(y 1,...,y d ) Idea: find a matrix distance meaning something in terms of security! Link to the best advantage of any adaptive distinguisher limited to d queries through the following distance: M a max max max M (x1,...,x x 1 x 2 x d )(y 1,...,y d ) d y d y 1 y 2 CSA 03, 10 septembre 2003, Rabat, Maroc xxxi

33 Decorrelation Theory (3) Theorem 1 BestAdv d (F, F ) = 1 2 [F ] d (x 1,...,x d ),(y 1,...,y d ) [ F ] d (x1,...,x d ),(y 1,...,y d ) a CSA 03, 10 septembre 2003, Rabat, Maroc xxxii

34 Decorrelation Theory (4) Concept of decorrelation modules. DFC, candidate for the AES contest. CSA 03, 10 septembre 2003, Rabat, Maroc xxxiii

35 Future Perspectives New designs, new attacks. Study of generic attacks. Provable security for block ciphers!? CSA 03, 10 septembre 2003, Rabat, Maroc xxxiv

36 Related Topics Stream Ciphers Modes of Encryption Combined primitives (confidentiality + authentication) CSA 03, 10 septembre 2003, Rabat, Maroc xxxv

37 More Information Proceedings of Crypto, Eurocrypt, Asiacrypt, Fast Software Encryption (FSE), Selected Areas in Cryptography (SAC), and other conferences published in Springer s Lecture Notes in Computer Science. CSA 03, 10 septembre 2003, Rabat, Maroc xxxvi

38 Merci! Homepage: Homepage of my lab: CSA 03, 10 septembre 2003, Rabat, Maroc xxxvii

39 Questions?

CROSS-REFERENCE TABLE ASME A Including A17.1a-1997 Through A17.1d 2000 vs. ASME A

CROSS-REFERENCE TABLE ASME A Including A17.1a-1997 Through A17.1d 2000 vs. ASME A CROSS-REFERENCE TABLE ASME Including A17.1a-1997 Through A17.1d 2000 vs. ASME 1 1.1 1.1 1.1.1 1.2 1.1.2 1.3 1.1.3 1.4 1.1.4 2 1.2 3 1.3 4 Part 9 100 2.1 100.1 2.1.1 100.1a 2.1.1.1 100.1b 2.1.1.2 100.1c