cs 4770: cryptography cs 6750: cryptography and ... · for des (n=16), for aes-128 (n=10) key k key...
TRANSCRIPT
CS 4770: Cryptography
CS 6750: Cryptography and Communication Security
Alina Oprea
Associate Professor, CCIS
Northeastern University
February 8 2018
Review
• CPA-secure construction– Security proof by reduction to PRF– Randomized
• How to design block ciphers– Substitution Permutation Networks– Feistel Networks– Multiple rounds
• DES– Feistel Network
• AES– Substitution Permutation Network
2
Block Ciphers Built by Iteration
R(k,m) is called a round function
for DES (n=16), for AES-128 (n=10)
key k
Key schedule
k1 k2 k3 kn
R(k
1,
)
R(k
2,
)
R(k
3,
)
R(k
n,
)
m c
3
Substitution-Permutation Network
Key mixing
Substitution
Permutation
Round key
S-boxFixed permutation
Invertible
S boxes and mixing permutation are public 4
Feistel Networks
𝐿𝑖 = 𝑅𝑖−1𝑅𝑖 = 𝐿𝑖−1⊕ 𝑓𝑖(𝑅𝑖−1)
• Functions 𝑓𝑖 are public• Round key is derived from main key and secret• Advantage: 𝑓𝑖 not invertible!
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n
Often fi(x) = Fki(x), for ki secret keys and F a PRF
Goal: build invertible function (PRP) F: {0,1}2n ⟶ {0,1}2n
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-b
itsn
-bits
R1
L1
⊕f1
R2
L2
⊕f2 ⋯
⊕fd
5
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
input
64
bit
s
output
64
bit
s
16 round Feistel network
IP IP-1
k
key expansion
k1 k2 k16⋯
To invert, use keys in reverse order
6
56 bits
48 bits
The function F(ki, x)
S-box: function {0,1}6 ⟶ {0,1}4 , implemented as look-up table.
Key mixing
Substitution
Permutation
Substitution-Permutation
Network
7
The AES process
• 1997: NIST publishes request for proposal
• 1998: 15 submissions. Five claimed attacks.
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits.
Block size: 128 bits
8
AES is a Subs-Perm network (not Feistel)in
pu
t
⨁
S1
S2
S3
S8
⋯
ou
tpu
t
subs.layer
perm.layer inversion
k1
⨁
S1
S2
S3
S8
⋯
k2S1
S2
S3
S8
⋯
⨁⋯
kn
9
AES-128 schematic
input
4
4
10 rounds
(1) ByteSub(2) ShiftRow(3) MixColumn
⨁
k2
⋯
k9
⨁
(1) ByteSub(2) ShiftRow(3) MixColumn
⨁
k1
⨁
k0
(1) ByteSub(2) ShiftRow
output
4
4
⨁
k10
key
16 bytes
key expansion:
invertible
16 bytes ⟶176 bytes
10
The round function
• ByteSub: a 1 byte S-box. 256 byte table (non- linear, but easily computable
• ShiftRows:
• MixColumns:
𝐴 𝑖, 𝑗 ← 𝑆 𝐴 𝑖, 𝑗 , ∀𝑖, 𝑗
11
Code size/performance tradeoff
Code size Performance
Pre-computeround functions(24KB or 4KB)
largestfastest:
table lookups and xors
Pre-compute S-box only (256 bytes)
smaller slower
No pre-computation smallest slowest
12
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer
13
Attacks
Best key recovery attack: four times better than ex. search [BKR’11]
Related key attack on AES-256: [BK’09]
Given 299 inp/out pairs from four related keys in AES-256
can recover keys in time ≈299
14
Block ciphers
• Suggestions:
– Don’t think about the inner-workings of AES and 3DES.
– Don’t implement them yourselves
• We assume both are secure PRPs and will see how to use them
15
Incorrect use of block cipher
Electronic Code Book (ECB):
Problem: – if m1=m2 then c1=c2
PT:
CT:
m1 m2
c1 c2
Not EAV-secure!
16
In pictures
(courtesy B. Preneel)
17
CBC encryption
Let F be a PRP; F: K × {0,1}n ⟶ {0,1}n
EncCBC(k,m): choose random IV∈ {0,1}n and do:
F(k,) F(k,) F(k,)
m[1] m[2] m[3] m[L]IV
F(k,)
c[1] c[2] c[3] c[L]IV
ciphertext
18𝑐𝑖 = 𝐹𝑘(𝑐𝑖−1⊕𝑚𝑖)
Decryption circuit
F-1(k,) F-1(k,) F-1(k,)
m[1] m[2] m[3] m[L]
F-1(k,)
c[1] c[2] c[3] c[L]IV
In symbols: c[1] = Fk( IV⨁m[1] ) ⇒ m[1] = Fk-1(c[1])⨁ IV
19𝑚𝑖 = F−1𝑘(𝑐𝑖) ⊕ 𝑐𝑖−1
CBC Theorem: For any L>0 number of blocks,
If F is a secure PRP over (K, {0,1}n ) then
EncCBC is CPA-secure over (K, {0,1}nL, {0,1}n(L+1)).
In particular, for a q-query adversary A attacking EncCBC
there exists a PRP adversary B s.t.:
Pr[ExpEncCBC
,𝐴CPA 𝑛 = 1] ≤ 1/2 + 2AdvF,𝐵
PRP+ 2 q2 L2 /2n
AdvE,𝐵PRP = |𝑷𝒓 𝑩𝑭𝒌 ⋅ ,𝑭𝒌
−𝟏 ⋅ 𝒏 = 𝟏 − 𝑷𝒓[𝑩𝒇 ⋅ ,𝒇−𝟏 ⋅ 𝒏 |
Note: CBC is only secure as long as q2L2 << 2n
CBC: CPA Analysis
20
An example
q = # messages encrypted with k L = length of max message
Suppose we want Pr[ExpEncCBC𝐴CPA 𝑛 = 1] ≤ 1/2 + 1/232
q2 L2 /2n < 1/ 232
• AES: 2n = 2128 ⇒ q L < 248
So, after 248 AES blocks, must change key
• 3DES: 2n = 264 ⇒ q L < 216
Pr[ExpECBC
,𝐴CPA 𝑛 = 1] ≤ 1/2+AdvE,𝐵
PRP+ 2 q2 L2 /2n
21
Attack on CBC with predictable IV
CBC where attacker can predict the IV is not CPA-secure !!
Suppose given c ⟵ EncCBC(k,m) can predict next IV
Chal. Adv.
kKm0=IV⨁IV1 , m1 ≠ m0
c [ IV, Fk(IV1) ] or
0 {0,1}n
c1 [ IV1, Fk( 0⨁IV1) ]
output 0if c[1] = c1[1]
predict IV
Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)
c [ IV, Fk(m1⨁IV) ]
22
CTR-mode encryption
m[1] m[2] …
F(k,IV) F(k,IV+1) …
m[L]
F(k,IV+L)
c[1] c[2] … c[L]
IV
IV
note: parallelizable (unlike CBC)
msg
ciphertext
Let F: K × {0,1}n ⟶ {0,1}n be a secure PRF.
Enc(k,m): choose a random IV {0,1}n and do:
23𝑐𝑖 = 𝐹𝑘(𝐼𝑉 + 𝑖) ⊕𝑚𝑖
Comparison: CTR vs. CBC
CBC CTR mode
Uses PRP PRF
Parallel processing No Yes
Security q^2 L^2 << 2n q^2 L << 2n
Dummy padding block Yes No
24
A CBC technicality: padding
F(k,) F(k,) F(k,)
m[1] m[2] m[3] m[L] ll pad
F(k,)
c[1] c[2] c[3] c[L]IV
IV
TLS: for n>0, n byte pad is
if no pad needed, add a dummy block
n n ⋯n n removedduringdecryption
25
TLS bugs in older versions
IV for CBC is predictable: (chained IV)
- IV for next record is last ciphertext block of current record.
- Not CPA secure.
Padding oracle: during decryption
- If pad is invalid send decryption failed alert
- If mac is invalid send bad_record_mac alert
⇒ attacker learns information about plaintext
Lesson: when decryption fails, do not explain why
26
Recap
• To encrypt longer messages, use CBC or CTR mode– CPA security
• CTR mode has some advantages– Parallelizable
– Better security
• CBC encryption with padding is vulnerable to padding oracle attack
• Authenticated encryption schemes are CCA secure
27
Acknowledgement
Some of the slides and slide contents are taken from http://www.crypto.edu.pl/Dziembowski/teachingand fall under the following:
©2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.
We have also used slides from Prof. Dan Boneh online cryptography course at
Stanford University:
http://crypto.stanford.edu/~dabo/courses/OnlineCrypto/
28