New Kid on the Block Practical Construction of Block Ciphers. Table of contents

Similar documents
page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

Private-Key Encryption

Symmetric Cryptography. Chapter 6

Chapter 3 Block Ciphers and the Data Encryption Standard

Lecture 4: Symmetric Key Encryption

Goals of Modern Cryptography

Lecture 3: Symmetric Key Encryption

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Introduction to Cryptography. Lecture 2. Benny Pinkas. Perfect Cipher. Perfect Ciphers. Size of key space

Introduction to Cryptology. Lecture 17

Network Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Block Ciphers and the Data Encryption Standard (DES) Modified by: Dr. Ramzi Saifan

Computer Security CS 526

Course Business. Midterm is on March 1. Final Exam is Monday, May 1 (7 PM) Allowed to bring one index card (double sided) Location: Right here

Cryptography 2017 Lecture 3

Modern Block Ciphers

Block Encryption and DES

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Secret Key Algorithms (DES)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Cryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles

7. Symmetric encryption. symmetric cryptography 1

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Symmetric Encryption Algorithms

CSCE 813 Internet Security Symmetric Cryptography

CPS2323. Block Ciphers: The Data Encryption Standard (DES)

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

P2_L6 Symmetric Encryption Page 1

Introduction to Modern Symmetric-Key Ciphers

Network Security Essentials Chapter 2

Information Security CS526

Symmetric Encryption. Thierry Sans

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Symmetric Cryptography

Cryptography and Network Security. Sixth Edition by William Stallings

Data Encryption Standard

Data Encryption Standard

CENG 520 Lecture Note III

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

UNIT - II Traditional Symmetric-Key Ciphers. Cryptography & Network Security - Behrouz A. Forouzan

Symmetric key cryptography

Conventional Encryption: Modern Technologies

Secret Key Cryptography (Spring 2004)

Computer and Data Security. Lecture 3 Block cipher and DES

CSC 474/574 Information Systems Security

CSc 466/566. Computer Security. 6 : Cryptography Symmetric Key

Lecture 3: Block Ciphers and the Data Encryption Standard. Lecture Notes on Computer and Network Security. by Avi Kak

Introduction to Cryptography. Lecture 3

Lecture 2: Secret Key Cryptography

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

On the Design of Secure Block Ciphers

Fundamentals of Cryptography

Cryptography [Symmetric Encryption]

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

Symmetric Key Cryptosystems. Definition

Attack on DES. Jing Li

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

3 Symmetric Cryptography

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Computational Security, Stream and Block Cipher Functions

Applied Cryptography Data Encryption Standard

Computer Security 3/23/18

CS6701- CRYPTOGRAPHY AND NETWORK SECURITY UNIT 2 NOTES

1 Achieving IND-CPA security

CSC574: Computer & Network Security

Secret Key Cryptography Overview

6 Block Ciphers. 6.1 Block Ciphers CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Symmetric Key Encryption. Symmetric Key Encryption. Advanced Encryption Standard ( AES ) DES DES DES 08/01/2015. DES and 3-DES.

On the Security of the 128-Bit Block Cipher DEAL

Lecture 5. Constructions of Block ciphers. Winter 2018 CS 485/585 Introduction to Cryptography

L3. An Introduction to Block Ciphers. Rocky K. C. Chang, 29 January 2015

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

CSCI 454/554 Computer and Network Security. Topic 3.1 Secret Key Cryptography Algorithms

Cryptography MIS

AIT 682: Network and Systems Security

CPSC 467b: Cryptography and Computer Security

Cryptography: Symmetric Encryption [continued]

Week 4. : Block Ciphers and DES

Encryption Details COMP620

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

A Related Key Attack on the Feistel Type Block Ciphers

COMP4109 : Applied Cryptography

Secret Key Cryptography

Crypto: Symmetric-Key Cryptography

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Geldy : A New Modification of Block Cipher

2 What does it mean that a crypto system is secure?

Cryptography III: Symmetric Ciphers

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General Considerations:

Block Ciphers. Lucifer, DES, RC5, AES. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk Block Ciphers 1

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Lecture 1 Applied Cryptography (Part 1)

ISSN: (Online) Volume 2, Issue 4, April 2014 International Journal of Advance Research in Computer Science and Management Studies

ISA 562: Information Security, Theory and Practice. Lecture 1

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Transcription:

New Kid on the Block Practical Construction of Block Ciphers Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard

Block ciphers Recall that block cipher is an e cient, keyed permutation F : {0, 1} n {0, 1}`! {0, 1}`. That is, F k (x) def = F (k, x) isa bijection and both it and its inversion F 1 k are e ciently computable for all k. Here n is the key length and ` is block length. *Both the key and block lengths are constant, so we are living in the world of concrete rather than asymptotic security. Security requirements for block ciphers Remark. Concrete security requirements are quite stringent. A block cipher is generally considered good if the best known attack (without preprocessing) has time complexity equivalent to a brute-force attack for the key. Recall Definition 3.28. Let F : {0, 1} {0, 1}! {0, 1} an e cient keyed permutation. We say that F is a strong pseudorandom permutation if for all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that: Pr[D F k ( ),F 1 k ( ) (1 n ) = 1] Pr[D f ( ),f 1 ( ) (1 n ) = 1] apple negl(n), where k {0, 1} n is chosen uniformly at random and f is chosen uniformly at random from the set of permutations mapping n-bit strings to n-bit strings. Remark. Block ciphers are designed (at the very least) to behave as (strong) pseudorandom permutations.

Twin goals of modern encryption Confusion: Make the statical relationship between the ciphertext and the key value as complex as possible. di usion: Dissipate the statistical structure of the plaintext throughout the ciphertext. A Substitution-Permutation Network SPN) attempts both; substitution for confusion and permutation for di usion. *Both ideas and promotion of substitution-permutation networks are due to Claude Shannon. A single round of a substitution-permutation network We fix a public substitution function S called an S-box, and let the key k define the function f (x) =S(k x). For example, suppose SPN has a 64-bit clock length based on a collection of 8-bit S-boxes, S 1,...,S 8 : 1. Key mixing: Set x := x k. 2. Substitution: Set x := S 1 (x 1 ) k...k S 8 (x 8 ), where x i is the ith byte of x. 3. Permutation: Permute the bits of x to obtain the output of round.

The full substitution-permutation network The output of each round is fed as input to the next round. After the last round there is afinalkey-mixingstep (x := x k).* Di erent round keys are used in each round which are derived from the actual or master key according to a key schedule. *Since we assume the S-boxes and the mixing permutations are public, without this final key-mixing the last substitution and permutations steps would be useless. Substitution-permutation networks are invertible Proposition 6.3 Let F be a keyed function defined by an SPN in which the S-boxes are all permutations. Then regardless ofthe key schedule and number of rounds, F k is a permutation for any k. Proof. We show that given the output of the SPN and the key, it is possible to invert any single round. The mixing permutation is clearly invertible and all the S-box are permutations, so these too can be inverted. The result is then XORed with the appropriate sub-key to obtain the input.

The avalanche e ect The avalanche e ect: Asmall change in either the plaintext or the key produces a significant change in the ciphertext. One way to induce the avalanche e ect in a SPN is to ensure: 1. The S-boxes are designed so that changing a single input bit changes at least two bits in the output. 2. The mixing permutations are designed so that the the output bits an any S-box are used as input to multiple S-boxes in the next round. (a) Two plaintexts di er by one bit (all zeros and a one followed by 63 zeros.) (b) The two keys also di er by just one bit. How this works in practice Suppose 8-bit S-boxes and and the mixing permutations are chosen as above for a 128-bit block size SPN. Now consider two inputs that di er by a single bit.

LUCIFER In the early 1970s, Horst Feistel developed a sequence of fixed transpositions and key-dependent, multipartite non-linear substitutions (LUCIFER) thatproduceda thorough amalgamation. In this simplified illustration of LUCIFER we see a plain text input of a single 1 and fourteen 0s transformed by the non-linear S-boxes into an avalance of eleven 1s. Feistel was successful enough to upset the NSA. Attacking a one-round substitution-permutation network Suppose the SPN F consists of a single full round and no final key-mixing. An adversary can easily learn the secret key k given only a single input/output pair (x, y = F k (y)). How?

Attacking a one-round substitution-permutation network with key-mixing The attacker fixes a pair, (x, y) could simple try all 64-bit possibilities for second-round mixing key, k 2, then use above attack to construct 2 6 4 candidate keysk 1 k k 2. Additional pairs narrow the field But the attacker can do better: 1. First enumerate over all possible first bytes of k 2. 2. Then XOR each with of these with the first byte of y to obtain candidates for the outputs of the first S-box. 3. Backing each of these up through the first S-box, the adversary has 256 candidates for the the first bit of x k 1 and hence 256 candidates for the first byte of k 1. Feistel: An alternative to substitution-permutation networks A Feistel network gives a way to construct invertible functions from non-invertible components. The goal is a block cipher that has an unstructured behavior *. Requiring all components to be invertible inherently introduces structure. Like SPNs, Feistel networks operate in a series of rounds each with a keyed round function constructed from S-boxes and permutations. *So it looks random.

Feistel round functions The ith round function, ˆf i takes as input a sub-key k i and an `/2-bit string and outputs an `/2-bit string. Amasterkeyk determines a series of round keys k i. The round function f i : {0, 1}`/2! {0, 1}`/2 is defined by f i (R) def = ˆf i (k i, R). The output of the ith round (L i, R i )is L i := R i 1 and R i := L i 1 f i (R i 1 ). *So it looks random. Feistel networks are invertible Proposition 6.4. Let F be a keyed function defined by a Feistel network. Then regardless of the round functions {ˆf i } and the number of rounds, F k is an e ciently invertible permutation for all k. Proof. We need only show that each round is invertible if the {f i } are known. Given (L i, R i ), we first compute R i 1 := L i. Then compute L i 1 = R i f i R i 1).

The return of LUCIFER LUCIFER was redesign as a 16 round Feistel network on 128-bit blocks and 128-bit keys and was submitted by IBM as a candidate for the Data Encryption Standard. It became DES after the National Security Agency reduced its block size to 64 bits and its key size to 56 bits* and was adopted as the Federal Information Processing Standard for the US in 1977. Believe it or not, it remains in wide use today in its triple-des incarnation. *Which means that it is now vulnerable to brute-force attacks. The Data Encryption Standard DES is a 16-round Feistel network with a block length of 64 bits and a key length of 56 bits. The same function, ˆf called the DES mangler function, isusedfor all 16 rounds. It takes a 48-bit round key derived from the 56-bit master using a relatively simple key schedule. We give a high-level overview of the main components of DES. A homework exercise is available for those interested in more details.

The DES mangler function Computation of ˆf (k i, R) with k i 2 {0, 1} 48 and R 2 {0, 1} 32 begins by duplicating half the bits of R to obtain R 0 := E(R), E the expansion function. The expanded R 0 is XORed with k and the resulting value is divided into 8 6-bit-blocks. Each block is passed through a di erent S-box.* Finally a mixing permutation is applied to the bits and it o to the next round. *The S-boxes are publicly known, but unlike our previous SPNs, they are not invertible. The DES mangler function The eight S-boxes at the core of the mangler function were very carefully designed. Even slight modification would make DES more vulnerable to attack.* The resulting mangler function ensures the DES exhibits a strong avalanche e ect. In fact, the avalanche example above was from DES. *The Feistel version of LUCIFER was susceptible to di erential cryptanalysis; for about half the keys, the cipher could be broken with 236 chosen plaintexts and 236 time complexity. This is one of the reasons NSA redesigned them.

Time to worry: Security of DES After 30 years of intensive study, the best known practical attack on DES is exhaustive search.* However, a 56-bit key isn t very big. A second concern is the relatively short bock length of DES. The proof of security for CTR mode (Theorem 3.32) show that even when a completely random function is used an attacker can break it with probability 2q 2 /2` if it obtains q plaintext/ciphertext pairs. *In your homework you get the chance to investigate some theoretical attack, but these require a large number of input/output pairs which would be di to obtain. cult Double encryption Let F be a block cipher with an n-bit key length and `-bit block length. Define a new block cipher with a key length of 2n by F 0 k 1,k 2 (x) def = F k2 (F k1 (x)). For the case where F is DES, we obtain a cipher F 0 call 2DES that takes a 112-bit key. Exhaustive search is now out of reach.

Meet in the middle attack Say adversary is given a single input/output pair (x, y), where y = Fk 0 (x) =F 1,k k 2 2 (F k 1 (x)) for unknown k1, k 2. 1. For each k 1 2 {0, 1} n compute z := F k1 (x) andstore(z, k 1 )inlist L. 2. For each k 2 2 {0, 1} n compute z := F 1 k 2 (x) andstore(z, k 2 )in list L 0. 3. Entries (z 1, k 1 ) 2 L and (z 2, k 2 ) 2 L 0 are a match if z 1 = z 2. The attack takes O(n 2 n )timeandrequiresspaceo((n + `) 2 n )space and finds pairs (k 1, k 2 )with F k1 (x) =F 1 k 2 (y). Triple DES with two keys An obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three di erent keys. As an alternative, Tuchman proposed a triple encryption using only two keys y = F k1 (F 1 k2 (F k 1 (x))). Triple-DES s relatively small block length and the fact that is slow since it requires 3 full block-cipher operations, led to its replacement by the Advanced Encryption Standard.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback