![Page 1: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/1.jpg)
CS 4770: Cryptography
CS 6750: Cryptography and Communication Security
Alina Oprea
Associate Professor, CCIS
Northeastern University
February 8 2018
![Page 2: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/2.jpg)
Review
• CPA-secure construction– Security proof by reduction to PRF– Randomized
• How to design block ciphers– Substitution Permutation Networks– Feistel Networks– Multiple rounds
• DES– Feistel Network
• AES– Substitution Permutation Network
2
![Page 3: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/3.jpg)
Block Ciphers Built by Iteration
R(k,m) is called a round function
for DES (n=16), for AES-128 (n=10)
key k
Key schedule
k1 k2 k3 kn
R(k
1,
)
R(k
2,
)
R(k
3,
)
R(k
n,
)
m c
3
![Page 4: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/4.jpg)
Substitution-Permutation Network
Key mixing
Substitution
Permutation
Round key
S-boxFixed permutation
Invertible
S boxes and mixing permutation are public 4
![Page 5: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/5.jpg)
Feistel Networks
𝐿𝑖 = 𝑅𝑖−1𝑅𝑖 = 𝐿𝑖−1⊕ 𝑓𝑖(𝑅𝑖−1)
• Functions 𝑓𝑖 are public• Round key is derived from main key and secret• Advantage: 𝑓𝑖 not invertible!
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n
Often fi(x) = Fki(x), for ki secret keys and F a PRF
Goal: build invertible function (PRP) F: {0,1}2n ⟶ {0,1}2n
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-b
itsn
-bits
R1
L1
⊕f1
R2
L2
⊕f2 ⋯
⊕fd
5
![Page 6: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/6.jpg)
DES: 16 round Feistel network
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
input
64
bit
s
output
64
bit
s
16 round Feistel network
IP IP-1
k
key expansion
k1 k2 k16⋯
To invert, use keys in reverse order
6
56 bits
48 bits
![Page 7: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/7.jpg)
The function F(ki, x)
S-box: function {0,1}6 ⟶ {0,1}4 , implemented as look-up table.
Key mixing
Substitution
Permutation
Substitution-Permutation
Network
7
![Page 8: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/8.jpg)
The AES process
• 1997: NIST publishes request for proposal
• 1998: 15 submissions. Five claimed attacks.
• 1999: NIST chooses 5 finalists
• 2000: NIST chooses Rijndael as AES (designed in Belgium)
Key sizes: 128, 192, 256 bits.
Block size: 128 bits
8
![Page 9: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/9.jpg)
AES is a Subs-Perm network (not Feistel)in
pu
t
⨁
S1
S2
S3
S8
⋯
ou
tpu
t
subs.layer
perm.layer inversion
k1
⨁
S1
S2
S3
S8
⋯
k2S1
S2
S3
S8
⋯
⨁⋯
kn
9
![Page 10: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/10.jpg)
AES-128 schematic
input
4
4
10 rounds
(1) ByteSub(2) ShiftRow(3) MixColumn
⨁
k2
⋯
k9
⨁
(1) ByteSub(2) ShiftRow(3) MixColumn
⨁
k1
⨁
k0
(1) ByteSub(2) ShiftRow
output
4
4
⨁
k10
key
16 bytes
key expansion:
invertible
16 bytes ⟶176 bytes
10
![Page 11: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/11.jpg)
The round function
• ByteSub: a 1 byte S-box. 256 byte table (non- linear, but easily computable
• ShiftRows:
• MixColumns:
𝐴 𝑖, 𝑗 ← 𝑆 𝐴 𝑖, 𝑗 , ∀𝑖, 𝑗
11
![Page 12: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/12.jpg)
Code size/performance tradeoff
Code size Performance
Pre-computeround functions(24KB or 4KB)
largestfastest:
table lookups and xors
Pre-compute S-box only (256 bytes)
smaller slower
No pre-computation smallest slowest
12
![Page 13: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/13.jpg)
AES in hardware
AES instructions in Intel Westmere:
• aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
• aeskeygenassist: performs AES key expansion
• Claim 14 x speed-up over OpenSSL on same hardware
Similar instructions on AMD Bulldozer
13
![Page 14: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/14.jpg)
Attacks
Best key recovery attack: four times better than ex. search [BKR’11]
Related key attack on AES-256: [BK’09]
Given 299 inp/out pairs from four related keys in AES-256
can recover keys in time ≈299
14
![Page 15: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/15.jpg)
Block ciphers
• Suggestions:
– Don’t think about the inner-workings of AES and 3DES.
– Don’t implement them yourselves
• We assume both are secure PRPs and will see how to use them
15
![Page 16: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/16.jpg)
Incorrect use of block cipher
Electronic Code Book (ECB):
Problem: – if m1=m2 then c1=c2
PT:
CT:
m1 m2
c1 c2
Not EAV-secure!
16
![Page 17: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/17.jpg)
In pictures
(courtesy B. Preneel)
17
![Page 18: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/18.jpg)
CBC encryption
Let F be a PRP; F: K × {0,1}n ⟶ {0,1}n
EncCBC(k,m): choose random IV∈ {0,1}n and do:
F(k,) F(k,) F(k,)
m[1] m[2] m[3] m[L]IV
F(k,)
c[1] c[2] c[3] c[L]IV
ciphertext
18𝑐𝑖 = 𝐹𝑘(𝑐𝑖−1⊕𝑚𝑖)
![Page 19: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/19.jpg)
Decryption circuit
F-1(k,) F-1(k,) F-1(k,)
m[1] m[2] m[3] m[L]
F-1(k,)
c[1] c[2] c[3] c[L]IV
In symbols: c[1] = Fk( IV⨁m[1] ) ⇒ m[1] = Fk-1(c[1])⨁ IV
19𝑚𝑖 = F−1𝑘(𝑐𝑖) ⊕ 𝑐𝑖−1
![Page 20: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/20.jpg)
CBC Theorem: For any L>0 number of blocks,
If F is a secure PRP over (K, {0,1}n ) then
EncCBC is CPA-secure over (K, {0,1}nL, {0,1}n(L+1)).
In particular, for a q-query adversary A attacking EncCBC
there exists a PRP adversary B s.t.:
Pr[ExpEncCBC
,𝐴CPA 𝑛 = 1] ≤ 1/2 + 2AdvF,𝐵
PRP+ 2 q2 L2 /2n
AdvE,𝐵PRP = |𝑷𝒓 𝑩𝑭𝒌 ⋅ ,𝑭𝒌
−𝟏 ⋅ 𝒏 = 𝟏 − 𝑷𝒓[𝑩𝒇 ⋅ ,𝒇−𝟏 ⋅ 𝒏 |
Note: CBC is only secure as long as q2L2 << 2n
CBC: CPA Analysis
20
![Page 21: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/21.jpg)
An example
q = # messages encrypted with k L = length of max message
Suppose we want Pr[ExpEncCBC𝐴CPA 𝑛 = 1] ≤ 1/2 + 1/232
q2 L2 /2n < 1/ 232
• AES: 2n = 2128 ⇒ q L < 248
So, after 248 AES blocks, must change key
• 3DES: 2n = 264 ⇒ q L < 216
Pr[ExpECBC
,𝐴CPA 𝑛 = 1] ≤ 1/2+AdvE,𝐵
PRP+ 2 q2 L2 /2n
21
![Page 22: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/22.jpg)
Attack on CBC with predictable IV
CBC where attacker can predict the IV is not CPA-secure !!
Suppose given c ⟵ EncCBC(k,m) can predict next IV
Chal. Adv.
kKm0=IV⨁IV1 , m1 ≠ m0
c [ IV, Fk(IV1) ] or
0 {0,1}n
c1 [ IV1, Fk( 0⨁IV1) ]
output 0if c[1] = c1[1]
predict IV
Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)
c [ IV, Fk(m1⨁IV) ]
22
![Page 23: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/23.jpg)
CTR-mode encryption
m[1] m[2] …
F(k,IV) F(k,IV+1) …
m[L]
F(k,IV+L)
c[1] c[2] … c[L]
IV
IV
note: parallelizable (unlike CBC)
msg
ciphertext
Let F: K × {0,1}n ⟶ {0,1}n be a secure PRF.
Enc(k,m): choose a random IV {0,1}n and do:
23𝑐𝑖 = 𝐹𝑘(𝐼𝑉 + 𝑖) ⊕𝑚𝑖
![Page 24: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/24.jpg)
Comparison: CTR vs. CBC
CBC CTR mode
Uses PRP PRF
Parallel processing No Yes
Security q^2 L^2 << 2n q^2 L << 2n
Dummy padding block Yes No
24
![Page 25: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/25.jpg)
A CBC technicality: padding
F(k,) F(k,) F(k,)
m[1] m[2] m[3] m[L] ll pad
F(k,)
c[1] c[2] c[3] c[L]IV
IV
TLS: for n>0, n byte pad is
if no pad needed, add a dummy block
n n ⋯n n removedduringdecryption
25
![Page 26: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/26.jpg)
TLS bugs in older versions
IV for CBC is predictable: (chained IV)
- IV for next record is last ciphertext block of current record.
- Not CPA secure.
Padding oracle: during decryption
- If pad is invalid send decryption failed alert
- If mac is invalid send bad_record_mac alert
⇒ attacker learns information about plaintext
Lesson: when decryption fails, do not explain why
26
![Page 27: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/27.jpg)
Recap
• To encrypt longer messages, use CBC or CTR mode– CPA security
• CTR mode has some advantages– Parallelizable
– Better security
• CBC encryption with padding is vulnerable to padding oracle attack
• Authenticated encryption schemes are CCA secure
27
![Page 28: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing](https://reader033.vdocuments.site/reader033/viewer/2022042121/5e9b5d10abb5c769b16bb284/html5/thumbnails/28.jpg)
Acknowledgement
Some of the slides and slide contents are taken from http://www.crypto.edu.pl/Dziembowski/teachingand fall under the following:
©2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.
We have also used slides from Prof. Dan Boneh online cryptography course at
Stanford University:
http://crypto.stanford.edu/~dabo/courses/OnlineCrypto/
28