CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018
Review CPA-secure construction Security proof by reduction to PRF Randomized How to design block ciphers Substitution Permutation Networks Feistel Networks Multiple rounds DES Feistel Network AES Substitution Permutation Network 2
R(k 1, ) R(k 2, ) R(k 3, ) R(k n, ) Block Ciphers Built by Iteration key k Key schedule k 1 k 2 k 3 k n m c R(k,m) is called a round function for DES (n=16), for AES-128 (n=10) 3
Substitution-Permutation Network Round key Key mixing S-box Fixed permutation Invertible Substitution Permutation S boxes and mixing permutation are public 4
Feistel Networks Given functions f 1,, f d : {0,1} n {0,1} n Often f i (x) = F k i (x), for k i secret keys and F a PRF Goal: build invertible function (PRP) F: {0,1} 2n {0,1} 2n n-bits n-bits R 0 L 0 input R 1 f 1 R 2 L 1 f 2 L 2 R d-1 L d-1 f d R d L d output L i = R i 1 R i = L i 1 f i (R i 1 ) Functions f i are public Round key is derived from main key and secret Advantage: f i not invertible! 5
64 bits 64 bits DES: 16 round Feistel network f 1,, f 16 : {0,1} 32 {0,1} 32, f i (x) = F( k i, x ) k 56 bits key expansion k 1 k 2 k 16 48 bits 16 round IP IP Feistel network -1 input To invert, use keys in reverse order output 6
The function F(k i, x) Key mixing Substitution- Permutation Network Substitution Permutation S-box: function {0,1} 6 {0,1} 4, implemented as look-up table. 7
The AES process 1997: NIST publishes request for proposal 1998: 15 submissions. Five claimed attacks. 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES Belgium) (designed in Key sizes: 128, 192, 256 bits. Block size: 128 bits 8
input output AES is a Subs-Perm network (not Feistel) k 1 S 1 S 1 k 2 S 1 k n S 2 S 2 S 2 S 3 S 3 S 3 S 8 S 8 S 8 subs. layer perm. layer inversion 9
AES-128 schematic 10 rounds 4 4 input (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow k 0 invertible k 1 k 2 k 9 key 16 bytes key expansion: 16 bytes 176 bytes k 10 4 output 4 10
The round function ByteSub: a 1 byte S-box. 256 byte table (non- linear, but easily computable A i, j S A i, j, i, j ShiftRows: MixColumns: 11
Code size/performance tradeoff Pre-compute round functions (24KB or 4KB) Pre-compute S-box only (256 bytes) Code size largest smaller Performance fastest: table lookups and xors slower No pre-computation smallest slowest 12
AES in hardware AES instructions in Intel Westmere: aesenc, aesenclast: do one round of AES 128-bit registers: xmm1=state, xmm2=round key aesenc xmm1, xmm2 ; puts result in xmm1 aeskeygenassist: performs AES key expansion Claim 14 x speed-up over OpenSSL on same hardware Similar instructions on AMD Bulldozer 13
Attacks Best key recovery attack: four times better than ex. search [BKR 11] Related key attack on AES-256: [BK 09] Given 2 99 inp/out pairs from four related keys in AES-256 can recover keys in time 2 99 14
Block ciphers Suggestions: Don t think about the inner-workings of AES and 3DES. Don t implement them yourselves We assume both are secure PRPs and will see how to use them 15
Incorrect use of block cipher Electronic Code Book (ECB): PT: m 1 m 2 CT: c 1 c 2 Problem: if m 1 =m 2 then c 1 =c 2 Not EAV-secure! 16
In pictures (courtesy B. Preneel) 17
CBC encryption Let F be a PRP; F: K {0,1} n {0,1} n Enc CBC (k,m): choose random IV {0,1} n and do: IV m[1] m[2] m[3] m[l] F(k, ) F(k, ) F(k, ) F(k, ) IV c[1] c[2] c[3] c[l] ciphertext c i = F k (c i 1 m i ) 18
Decryption circuit In symbols: c[1] = F k ( IV m[1] ) m[1] = F k -1 (c[1]) IV IV c[1] c[2] c[3] c[l] F -1 (k, ) F -1 (k, ) F -1 (k, ) F -1 (k, ) m[1] m[2] m[3] m[l] m i = F 1 k(c i ) c i 1 19
CBC: CPA Analysis CBC Theorem: For any L>0 number of blocks, If F is a secure PRP over (K, {0,1} n ) then Enc CBC is CPA-secure over (K, {0,1} nl, {0,1} n(l+1) ). In particular, for a q-query adversary A attacking Enc CBC there exists a PRP adversary B s.t.: CPA Pr[Exp EncCBC,A n = 1] 1/2 + 2Adv PRP F,B + 2 q 2 L 2 /2 n Adv PRP E,B = Pr B F 1 k,f k n = 1 Pr[B f,f 1 n Note: CBC is only secure as long as q 2 L 2 << 2 n 20
An example CPA Pr[Exp ECBC,A n = 1] 1/2+Adv PRP E,B + 2 q 2 L 2 /2 n q = # messages encrypted with k L = length of max message CPA Suppose we want Pr[Exp EncCBC A n = 1] 1/2 + 1/2 32 q 2 L 2 /2 n < 1/ 2 32 AES: 2 n = 2 128 q L < 2 48 So, after 2 48 AES blocks, must change key 3DES: 2 n = 2 64 q L < 2 16 21
Attack on CBC with predictable IV CBC where attacker can predict the IV is not CPA-secure!! Suppose given c Enc CBC (k,m) can predict next IV Chal. k K 0 {0,1} n c 1 [ IV 1, F k ( 0 IV 1 ) ] m 0 =IV IV 1, m 1 m 0 c [ IV, F k (IV 1 ) ] or c [ IV, F k (m 1 IV) ] Adv. predict IV output 0 if c[1] = c 1 [1] Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1) 22
CTR-mode encryption Let F: K {0,1} n {0,1} n be a secure PRF. Enc(k,m): choose a random IV {0,1} n and do: IV msg m[1] m[2] F(k,IV) F(k,IV+1) m[l] F(k,IV+L) IV c[1] c[2] c[l] ciphertext note: parallelizable (unlike CBC) c i = F k (IV + i) m i 23
Comparison: CTR vs. CBC CBC CTR mode Uses PRP PRF Parallel processing No Yes Security q^2 L^2 << 2 n q^2 L << 2 n Dummy padding block Yes No 24
A CBC technicality: padding IV m[1] m[2] m[3] m[l] ll pad F(k, ) F(k, ) F(k, ) F(k, ) IV c[1] c[2] c[3] c[l] TLS: for n>0, n byte pad is n n n if no pad needed, add a dummy block n removed during decryption 25
TLS bugs in older versions IV for CBC is predictable: (chained IV) - IV for next record is last ciphertext block of current record. - Not CPA secure. Padding oracle: during decryption - If pad is invalid send decryption failed alert - If mac is invalid send bad_record_mac alert attacker learns information about plaintext Lesson: when decryption fails, do not explain why 26
Recap To encrypt longer messages, use CBC or CTR mode CPA security CTR mode has some advantages Parallelizable Better security CBC encryption with padding is vulnerable to padding oracle attack Authenticated encryption schemes are CCA secure 27
Acknowledgement Some of the slides and slide contents are taken from http://www.crypto.edu.pl/dziembowski/teaching and fall under the following: 2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation. We have also used slides from Prof. Dan Boneh online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/onlinecrypto/ 28