1

CS 255 Lecture 4Attacks on Block Ciphers

Brent Waters

2

Recap-Symmetric Encryption

• Two basic types of encryption•Stream Cipher (eg. RC4, CSS)•Block Cipher (e.g. DES, IDEA (Feistel), AES)

3

Recap Block Ciphers

msg_block E CT_block

n-bits n-bitsK

4

Recap-Feistel Networks

• Feistel network: M=L0 || R0

for i=1 to d (# of rounds) Li=Ri-1, Ri=Li-1 © F(Ri-1,Ki)

• Network inverts itself•Construct FN-1:{0,1}2n ! {0,1}2n

s.t. 8 x: FN-1(FN(x))=x

• DES- 16 round Feistel: block-size 64-bits, key 56

5

Recap-Using Block Ciphers

• Encryption must be randomized

• (otherwise mi=mj ) ci=cj)

•ECB mode is insecure

• CBC

IV

E E

PT 1 PT 2

© ©

IV

...

CT 1 CT 1

6

Exhaustive Search Attack

• Known PT attack: given a few PT/CT pairsM1/C1, M2/C2 ... find K

DES: likely need only one PT/CT pairview as collection of 256 random one-to-one functions

8 M,k

Pr[9 k’ k: DESk(M)=DESk’(M)]

· k’ Pr[DESk=DESk’(M)]

· 256 ¢ 1/264 = 1/28

7

DES Challenge

• RSA Labs challenge (http://www.rsasecurity.com/rsalabs/)

"The unknown message is:.... "

• Internet Search: 3 months ’97

• EFF “Deep-Crack”: 3 days ‘9888 billion keys/sec;

$250,000 (do govts have more money?)

• Internet search: 22 hours ‘99

8

DES Challenge

• 56 bit ciphers are dead • (64-bit RC5 also attacked, 72 bit next)

• 128 bit keys ) 272DES-time ¼ 1024 days

• Keep open mind to new attacks•e.g. Internet

9

Triple DES

• TEk1,k2,k3(M)= Ek1(DK2(EK3(M)))

E

D

E

k1

k2

k3

K=k1,k2,k3

PT

CT

Why decrypt in middle?

3 times slower

10

Double DES?

E

E

k1

k2

K=k1,k2

PT

CT

k0’ Ek0(M)

k1’ Ek1(M)

k2’ Ek2(M)meet in middle

Sort on 2nd column

Check for collision on 2nd block

11

Double DES

• Time : 256lg(256)+ 256lg(256)=262 << 2112

• Triple-DES security · 118 bits•same attack

• Large amount of space

12

Idealized Block Ciphers

Experiment A Experiment B

Choose random key k

Choose random permutation

Oracle access to Ek and Ek

-1Oracle access to and -1

Adversary guesses which experiment he was in.

13

DESX

• EX_{k1,k2,k3} = k1© DESk2(M © k3)

• Fast!

• Suppose EK is an ideal cipher; m PT/CT pairs, n-bit block size effective key-length ¸ k+n-1 – log(m) [KR’97]

DESX: if m< 230 then key length ¸ 289

DESk1(M © k2), k1© DESk2(M) not secure

14

Power Analysis

Encryption/Decryption

Secret key K

input output

Power

Figure from Benini et. al.

Have access to power supply?

15

Power Analysis

16

Power Analysis

Difference caused by jump instruction

17

Linear attacks

• Bias ) Pr[F(x)=0]=1/2 +

Pr[ Mi1© ... © Mir© Cj1© ... © Cjv © Kl1 © ... Klv=0] =1/2 + Gather large amount of PT/CT pairs

For each PT/CT pair

For each K*= (Kl1, ... ,Klv)

increment counter if Kl1, ... © Klv= Mi1© ... ©

Cjv Take K* with highest counter

18

Linear Attacks

• Try different key possibilities on chosen PT/CT pairs

• Take one that has strongest bias

• Thm: Given 1/2 pairs correct 97%

• DES =2-21 ) 242 pairs

19

Security Models

• Attacks adversary can do•Can get ahold of of CT/PT pairs?•Brute force power•Access

• Adversary’s goal

20

Attack types

From least to most powerful

1. CT only attack

2. Random plaintext attack – given random PT/CT pairs

3. CPA- Chosen plaintext attack

more to come...

21

Attacker goals

• Key-recovery

• Decrypt a given CT

22

AES Development

• ’97 NIST call for candidates due ’98

• 128,192,256 bit keys and royalty free

• 15 of 21 met initial requirements

• 5 finalists: MARS, RC6, Rijndael, Serpent, Twofish

• Winner: Rijndael by Daemen and Rijmen• International flavor

23

AES Overview

S0,0 S0,1 S0,2 S0,3

S1,0 S1,1 S1,2 S2,3

S2,0 S2,1 S2,2 S2,3

S3,0 S3,1 S3,2 S3,3

Put 128-bit block into 4x4 byte matrix

10 rounds (128-key mode)

24

AES Overview

S0,0 S0,1 S0,2 S0,3

S1,0 S1,1 S1,2 S2,3

S2,0 S2,1 S2,2 S2,3

S3,0 S3,1 S3,2 S3,3

1. S-box per byte (permutation)

2. Shift rows

3. Mix columns

4. Add round key