Lecture 2 – Block ciphers, PRFs/PRPs, DES, AES
TEK4500
01.09.2020
Håkon Jacobsen
hakon.jacobsen@its.uio.no
Ideal solution: secure channels
[Figure: Alice sends a message M to Bob over the Internet; an adversary sits on the channel]
Security goals:
Data privacy: the adversary should not be able to read message M
Data integrity: the adversary should not be able to modify message M
Data authenticity: message M really originated from Alice
Encryption schemes
[Figure: plaintext and key go in, ciphertext comes out]

Block ciphers
[Figure: a fixed-size plaintext block and a key go in, a ciphertext block of the same size comes out]
Examples:
DES: 64-bit blocks, 56-bit key
AES: 128-bit blocks, 128/192/256-bit key

Block ciphers
Key expansion: the key is expanded into one round key per round. The keyed function applied in each round is called a round function.
DES: 16 rounds
AES-128/192/256: 10/12/14 rounds
Block cipher applications (1)
A block cipher encrypts messages of exactly one block (128 bits for AES)
However: we usually want to encrypt messages of arbitrary length!
Splitting the message into multiple 128-bit blocks and encrypting each block on its own is not secure!
Need to use them in a proper mode of operation (covered later in the course)
Correct viewpoint: block ciphers are not encryption schemes!
Block ciphers are primitives used to construct other things
Block cipher applications (2)
The "work horse" of crypto
Can be used to build:
Encryption of arbitrary-length messages (including stream ciphers)
Message authentication codes
Authenticated encryption
Hash functions
(Cryptographically secure) pseudorandom generators
Key derivation functions
Defining block ciphers
Permutations
Definition: A function is a permutation if there exists an inverse function such that applying the inverse after the function gives back the original input.
[Figure: one mapping that is a permutation next to one that is not]
Block cipher security
Which security properties should a block cipher satisfy?
I.e., what should the security definition of a block cipher look like?
Some suggestions:
P1: Should be hard to obtain from for secret
P2: Should be hard to obtain from where
P3: Should be hard to obtain from
P4: Should be hard to obtain any from where
P5: Should be hard to learn any bit of from
P6: Should be hard to detect repetitions among from (Impossible! A block cipher is deterministic, so equal inputs always give equal outputs)
P7: ...
Not good enough!
Pseudorandom functions (PRFs) and permutations (PRPs)
Definition: A pseudorandom function (PRF) is a function taking a key and an input and producing an output.
The lengths of the key, the input and the output are called the key-length, input-length, and output-length of the PRF.
Think of a PRF as a family of functions: for each key we get one function of the input, defined by fixing that key.
Definition: A pseudorandom permutation (PRP) is a PRF such that, for every fixed key, the function of the input defined by that key is a permutation.
PRP = block cipher!
Also: all PRPs are PRFs (but not the other way around)
Secure PRFs
Consider the set of all functions from the input space to the output space.
Intuition: the PRF is secure if a random function from the PRF family (i.e. the PRF under a random key) is indistinguishable from a random function drawn from the set of all functions.
[Figure: the PRF family is a tiny subset of the set of all functions; the two sizes are compared with AES-128 as the example]

Random functions
Bits needed to specify one function: write down the output for every possible input.
Each bit string of that length specifies a unique function, so the number of functions equals the number of bit strings of that length.

Random functions – alternate view
[Figure: a random function viewed as a table with one output entry per input]

PRF security
PRF security definition
Definition: The PRF-advantage of an adversary is the difference between the probability that it outputs 1 when its oracle is the PRF under a random key and the probability that it outputs 1 when its oracle is a truly random function.
[Figure: the adversary makes oracle queries and finally announces "I'm in world ..."]
Advantage close to 1 = the adversary is doing well
Advantage close to 0 = the adversary is doing poorly
Intuitive idea: the PRF is secure if the advantage is "small" for all "practical" adversaries
Understanding "advantage"
The PRF is secure if the advantage is "small" for all adversaries that use a "practical" amount of resources
Advantage depends on the adversary's:
strategy
available resources: running time, number of oracle calls (calls to the function), memory, ...
What do small and practical mean?
Example: 80-bit security: for all adversaries that make at most oracle calls
Example: a PRF is insecure if we can come up with an adversary that has a good advantage without using too many resources
Example
Let the function be defined by
Claim: it is not a secure PRF
Attack:
Choose an input arbitrarily
Query it, together with a second input, to the challenger
Receive back the two outputs
Output 1 if the two outputs are related in the way the function's definition predicts, else output 0
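The distinguishing game of the last slides can be run end to end. The following is an added example, not code from the lecture: the slide's own function is replaced by an assumed toy candidate F(k, x) = k XOR x, whose linearity is exactly the kind of structure a two-query adversary checks for; the challenger, the adversary and the Monte-Carlo estimate of the advantage are this example's constructions, and HMAC-SHA-256 (truncated) appears only as a contrast that the same adversary cannot distinguish.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes: assumed toy key/input/output length (128 bits, like AES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def linear_prf(key: bytes, x: bytes) -> bytes:
    """Assumed toy candidate F(k, x) = k XOR x (stand-in for the slide's function).
    It is linear: F(k, x) XOR F(k, x') = x XOR x' for every key k."""
    return xor(key, x)


def hmac_prf(key: bytes, x: bytes) -> bytes:
    """Contrast: HMAC-SHA-256 truncated to BLOCK bytes, widely believed to be a PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


class Challenger:
    """The PRF game. world=1: answers with the candidate under a fresh random key.
    world=0: answers with a truly random function, sampled lazily (a fresh random
    output the first time each input is asked, the same answer afterwards)."""

    def __init__(self, world: int, prf):
        self.world = world
        self.prf = prf
        self.key = secrets.token_bytes(BLOCK)
        self.table = {}  # lazily built table of the random function

    def query(self, x: bytes) -> bytes:
        if self.world == 1:
            return self.prf(self.key, x)
        if x not in self.table:
            self.table[x] = secrets.token_bytes(BLOCK)
        return self.table[x]


def two_query_adversary(oracle) -> int:
    """The slide's attack shape: pick x, query x and a second input x', and output 1
    iff the answers satisfy the relation the candidate predicts (y XOR y' == x XOR x')."""
    x0 = bytes(BLOCK)                    # chosen arbitrarily
    x1 = b"\x01" + bytes(BLOCK - 1)      # differs from x0 in one bit
    y0 = oracle(x0)
    y1 = oracle(x1)
    return 1 if xor(y0, y1) == xor(x0, x1) else 0


def estimate_advantage(adversary, prf, trials: int) -> float:
    """Monte-Carlo estimate of Adv = Pr[A -> 1 | candidate] - Pr[A -> 1 | random function]."""
    real = sum(adversary(Challenger(1, prf).query) for _ in range(trials))
    rand = sum(adversary(Challenger(0, prf).query) for _ in range(trials))
    return (real - rand) / trials


if __name__ == "__main__":
    print("advantage vs k XOR x  :", estimate_advantage(two_query_adversary, linear_prf, 200))
    print("advantage vs HMAC PRF :", estimate_advantage(two_query_adversary, hmac_prf, 200))
```

Against the linear candidate the adversary outputs 1 every time in the real world and essentially never against a random function (two fresh 128-bit outputs satisfy the relation with probability 2^-128), so the estimated advantage is 1 after only two oracle calls: cheap resources, large advantage, hence not a secure PRF. Against the HMAC-based PRF the same adversary outputs 1 in neither world and its advantage is 0; that does not prove HMAC secure, it only shows that this particular strategy fails.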
PRP security definition
Definition: The PRP-advantage of an adversary is defined exactly like the PRF-advantage, except that the truly random function is replaced by a truly random permutation.
Block cipher security (revisited)
If the block cipher is PRF/PRP secure, then it has properties P1 – P5.
Logic 101: this is equivalent to: if it does not have properties P1 – P5, then it is not PRF/PRP secure.
P6 (hiding repetitions) remains impossible for any block cipher, and an open-ended list P1, P2, ... is not good enough as a definition: PRF/PRP security covers all of these properties at once.
PRP security and PRF security
Theorem (PRP/PRF Switching Lemma): A secure PRP is also a secure PRF. In particular, for all adversaries making at most a given number of oracle queries, the PRF-advantage is at most the PRP-advantage plus a term that depends only on that number of queries and the block length.
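The gap between a random permutation and a random function is precisely the chance of seeing a repeated output, which a permutation can never produce. The following is an added example, not from the slides: it simulates both ideal objects on an assumed toy block length of 16 bits (small enough that collisions are visible), runs the one adversary that exploits the difference (query q distinct inputs, output 1 on a collision), and compares its measured advantage with the exact birthday probability and with the q(q-1)/2^(n+1) bound of the switching lemma in the Bellare–Rogaway form.

```python
import random

N_BITS = 16  # assumed toy block length (real ciphers use 64 or 128)


class RandomOracle:
    """Lazily sampled random function or random permutation on N_BITS-bit values."""

    def __init__(self, permutation: bool, rng=None):
        self.permutation = permutation
        self.rng = rng or random.Random()  # simulation only; not for real keys
        self.table = {}
        self.used = set()

    def query(self, x: int) -> int:
        if x not in self.table:
            y = self.rng.getrandbits(N_BITS)
            # A permutation must never reuse an output: resample on a clash
            # (rejection sampling; clashes are rare while few inputs are defined).
            while self.permutation and y in self.used:
                y = self.rng.getrandbits(N_BITS)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def collision_adversary(oracle, q: int) -> int:
    """Ask q distinct inputs; output 1 iff two answers collide.
    Never happens against a permutation; happens with birthday probability
    against a random function."""
    seen = set()
    for x in range(q):
        y = oracle(x)
        if y in seen:
            return 1
        seen.add(y)
    return 0


def exact_collision_probability(n_bits: int, q: int) -> float:
    """Pr[some collision among q outputs of a random function on n bits]."""
    space = 1 << n_bits
    no_collision = 1.0
    for i in range(q):
        no_collision *= 1 - i / space
    return 1 - no_collision


def switching_bound(n_bits: int, q: int) -> float:
    """Switching-lemma bound on |Adv_PRF - Adv_PRP|: q(q-1) / 2^(n+1)."""
    return q * (q - 1) / (1 << (n_bits + 1))


def estimate_advantage(q: int, trials: int) -> float:
    """Monte-Carlo estimate of Pr[A -> 1 | random function] - Pr[A -> 1 | random permutation]."""
    func = sum(collision_adversary(RandomOracle(False).query, q) for _ in range(trials))
    perm = sum(collision_adversary(RandomOracle(True).query, q) for _ in range(trials))
    return (func - perm) / trials


if __name__ == "__main__":
    q = 256  # about 2^(n/2) queries: where the birthday effect kicks in
    print("measured advantage :", estimate_advantage(q, 2000))
    print("exact probability  :", exact_collision_probability(N_BITS, q))
    print("switching bound    :", switching_bound(N_BITS, q))
```

With q = 256 = 2^(n/2) queries the collision adversary already distinguishes with probability about 0.39, below the bound 0.498; with q = 16 the same three numbers are all around 0.002. That is the practical content of the lemma: treating a block cipher as a PRF is safe only while the number of queries stays well below 2^(n/2) blocks, which for a 64-bit block cipher such as DES is a few gigabytes of data.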
Constructing block ciphers

PRPs from PRFs – the Feistel construction
Let the round function be a PRF: it need not be a permutation!
The resulting function is a PRP: it is invertible even though the round function is not
Called a Feistel network/construction
More or less DES: 16 rounds, where the 56-bit key is expanded to 16 48-bit round keys
Feistel network security – theory
Theorem (Luby & Rackoff '86): If the round function is a secure PRF, then the 3-round Feistel network is a secure PRP.
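The construction and the Luby–Rackoff setting, as an added example that is not part of the lecture and not DES: the round function is HMAC-SHA-256 truncated to a half block (many-to-one, so clearly not a permutation), the half-block size of 8 bytes and the per-round key derivation are this example's own assumptions, and decryption works by running the rounds backwards without ever inverting the round function. The one-round case is included because it shows why a single round is a permutation but not a PRP: the right half of the input is copied verbatim into the output.

```python
import hashlib
import hmac
import secrets

HALF = 8  # bytes per half: assumed 128-bit block split into two 64-bit halves


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(round_key: bytes, r: bytes) -> bytes:
    """The PRF used in every round. Deliberately NOT a permutation: a truncated
    HMAC maps many inputs to the same output, which the construction tolerates."""
    return hmac.new(round_key, r, hashlib.sha256).digest()[:HALF]


def expand_key(key: bytes, rounds: int) -> list:
    """Assumed key schedule (not DES's): one independent round key per round."""
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(rounds)]


def feistel_encrypt(round_keys: list, block: bytes) -> bytes:
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for rk in round_keys:
        # One Feistel round: (L, R) -> (R, L XOR F_k(R))
        left, right = right, xor(left, round_function(rk, right))
    return left + right


def feistel_decrypt(round_keys: list, block: bytes) -> bytes:
    """Inverse: undo the rounds in reverse order. Only F's outputs are recomputed
    (on the half that was copied through), so F itself is never inverted."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for rk in reversed(round_keys):
        # Undo (L, R) -> (R, L XOR F_k(R)): the old R is the current L
        left, right = xor(right, round_function(rk, left)), left
    return left + right


def one_round_leak(key: bytes, block: bytes) -> bool:
    """True iff a 1-round network copies the input's right half into the output's left half."""
    out = feistel_encrypt(expand_key(key, 1), block)
    return out[:HALF] == block[HALF:]


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    rks = expand_key(key, 3)             # 3 rounds: the Luby-Rackoff setting
    m = b"attack at dawn!!"              # constructed 16-byte sample block
    c = feistel_encrypt(rks, m)
    print("ciphertext:", c.hex())
    print("decrypts back:", feistel_decrypt(rks, c) == m)
    print("one round leaks the right half:", one_round_leak(key, m))
```

Because each round only XORs an F-output into one half and swaps, the network is a permutation for any round function at all; what the PRF property buys is that three rounds are enough for the permutation to look random, and DES's sixteen rounds are there for its much weaker, cryptanalysable round function rather than because the construction needs them.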
Data Encryption Standard (DES)
1972 – NBS (now NIST) calls for a block cipher standard
1974 – Horst Feistel at IBM designs Lucifer: key-length 128 bits; block-length 128 bits
Lucifer evolves into DES, with input from the NSA: key-length 56 bits; block-length 64 bits; 16 rounds
1976 – Lucifer (now DES) is standardized
Widely implemented
1997 – Broken by exhaustive search
2001 – Replaced by AES
Principles for designing block ciphers
C. Shannon, "Communication Theory of Secrecy Systems" (1949):
Diffusion: each plaintext bit is spread over large parts of the ciphertext
Confusion: a complex relation between plaintext, key and ciphertext
DES: 16-round Feistel network
[Figure: 64-bit input, 16 Feistel rounds fed with round keys from the key expansion, 64-bit output]
DES round function
S-box: a function from 6 input bits to 4 output bits
Implemented as a look-up table
Easy to implement in hardware
Not as efficient in software

DES properties
Many design decisions still unclear: the design criteria were classified for many years
Controversy around NSA influence: the initial S-boxes were changed, and the switch to 56-bit keys (from 128 bits) was probably made to allow the NSA to decrypt
Not secure today, since both the key space and the block length are too small: a replacement was needed
Advanced Encryption Standard

Substitution-permutation networks
[Figure: a substitution-permutation network, with substitution and permutation layers repeated round by round]
AES-128
[Figure: 128-bit input; 10 rounds of SubBytes, ShiftRows and MixColumns, the final round without MixColumns; 128-bit output]

AES round function
SubBytes, ShiftRows, MixColumns

AES round
SubBytes
ShiftRows
MixColumns
AddRoundKey
AES performance
AES is reasonably efficient in software
T-table implementation is very fast (but not secure: the table look-ups leak through cache timing!)
Hard to implement both fast and constant-time
Intel introduced dedicated AES instructions into their CPUs (AES-NI):
aesenc, aesenclast: one round of AES encryption per instruction (about one per cycle)
aeskeygenassist: helps with AES key expansion
aesdec, aesdeclast: one round of AES decryption per instruction (about one per cycle)
aesimc: AES inverse MixColumns
Now standard in all modern CPUs
Throughput (as measured on the slide):
AES-128 in software: 265 MB/s
AES-128 with AES-NI: 3.45 GB/s
Attacking block ciphers

Attacks on block ciphers
Brute-force attacks: search through every possible key in the key space
Generic: works for all block ciphers
Not practical for large key spaces
Advanced attacks: try to exploit the concrete details of the block cipher
Differential cryptanalysis ('90, but known to the designers of DES and the NSA since the mid '70s)
Linear cryptanalysis ('92)
AES was designed to resist both
Implementation attacks: vulnerabilities due to implementation characteristics
Power draw
Timing
Cache misses
Summary
Block ciphers are very important primitives (building blocks) – but they are not encryption schemes!
Correct abstraction: block ciphers = PRPs
Right security notion for PRFs/PRPs: indistinguishability from a random function/permutation
Concrete block cipher designs: DES and AES