Lecture 2 – Block ciphers, PRFs/PRPs, - PowerPoint Presentation

madeline (@madeline)
Uploaded On 2022-06-11

Presentation Transcript

Slide1

Lecture 2 – Block ciphers, PRFs/PRPs, DES, AES

TEK4500

01.09.2020

Håkon Jacobsen

hakon.jacobsen@its.uio.no

Slide2

Ideal solution: secure channels

[Figure: Alice sends message M to Bob over the Internet, with an adversary on the channel]

Security goals:

Data privacy: adversary should not be able to read message M

Data integrity: adversary should not be able to modify message M

Data authenticity: message M really originated from Alice

Slide3

Encryption schemes

[Figure: encryption scheme; labels: Plaintext, Key, Ciphertext]

Slide4

Block ciphers

[Figure: block cipher; labels: Plaintext, Key, Ciphertext]

Examples:

DES:

AES:

Slide5

Block ciphers

[Figure: block cipher internals; key expansion feeding a sequence of identical rounds]

Key expansion

is called a round function

DES:

AES-128/192/256:

Slide6

Block cipher applications (1)

Encryption of messages of 128 bits (block length)

However: we usually want to encrypt messages of arbitrary length!

Splitting the message into multiple 128 bit blocks (like above) is not secure! Need to use them in a proper mode-of-operation (covered later in the course)

Correct viewpoint: block ciphers are not encryption schemes!

Block ciphers are primitives used to construct other things

Slide7

Block cipher applications (2)

The “work horse” of crypto

Can be used to build:

Encryption of arbitrary length messages (including stream ciphers)

Message authentication codes

Authenticated encryption

Hash functions

(Cryptographically secure) pseudorandom generators

Key derivation functions

Slide8

Defining block ciphers

Slide9

Permutations

Definition: A function is a permutation if there exists an inverse function such that

[Figure: two mappings between sets, one labelled “Permutation”, the other “Not a permutation”]



Slide12

Block cipher security

Which security properties should a block cipher satisfy? I.e., what should the security definition of a block cipher look like?

Some suggestions:

P1: Should be hard to obtain from for secret

P2: Should be hard to obtain from where

P3: Should be hard to obtain from

P4: Should be hard to obtain any from where

P5: Should be hard to learn any bit of from

P6: Should be hard to detect repetitions among from (Impossible!)

P7:

Not good enough!

Slide13

Pseudorandom functions (PRFs) and permutations (PRP)

Definition: A pseudorandom function (PRF) is a function

are called the key-length, input-length, and output-length of

Think of a PRF as a family of functions: For each we get a function defined by

Definition: A pseudorandom permutation (PRP) is a function such that the function defined by is a permutation for all

PRP = block cipher!

also: all PRPs are PRFs (but not the other way around)

Slide14

Secure PRFs

Let : the set of all functions from to

Intuition: is secure if a random function in is indistinguishable from a random function in

size

size

AES-128:

Slide16

Random functions

Let

Bits needed to specify one function

Each bit string of length specifies a unique function

the number of bitstrings of length

Slide17

Random functions – alternate view

PRF security

Slide18

PRF security definition

Definition: The PRF-advantage of an adversary is

[Figure: the adversary queries its oracle and ends with the guess “I’m in world”]

= adversary is doing well

= adversary is doing poorly

Intuitive idea: is a secure PRF if is “small” for all practical

Slide21

Understanding "advantage"

is a secure PRF if is "small" for all adversaries that use a "practical" amount of resources

Advantage depends on the adversary's:

strategy

available resources: running time, number of oracle calls (calls to ), memory…

What does small and practical mean?

Example: 80-bit security: for all that makes at most oracle calls

Example: a PRF is insecure if we can come up with an adversary having good advantage and not using too many resources

Slide22

Example

Let be defined by

Claim: is not a secure PRF

Choose arbitrarily

Query and to challenger

Receive back and

Output if

else, output

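The two-query distinguishing game above, as an added runnable example (not code from the slides). The slide's candidate function is not legible in this transcript, so the example assumes a hypothetical candidate F(k, x) = k XOR x, which the two-query adversary breaks exactly as the slide describes; HMAC-SHA256 truncated to one block is used as a contrasting PRF the same adversary cannot tell from random.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit inputs and outputs, matching the AES-128 block length

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Hypothetical candidate (assumption, not the slide's function): F(k, x) = k XOR x.
# Every F(k, .) is a permutation, but it is linear in x.
def weak_prf(key: bytes, x: bytes) -> bytes:
    return xor_bytes(key, x)

# Contrast: HMAC-SHA256 truncated to one block, used here as a PRF.
def hmac_prf(key: bytes, x: bytes) -> bytes:
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

class RealWorld:
    """Oracle for F(k, .) under a fresh random key k."""
    def __init__(self, prf):
        self.prf, self.key = prf, os.urandom(BLOCK)
    def query(self, x: bytes) -> bytes:
        return self.prf(self.key, x)

class RandomWorld:
    """Oracle for a truly random function, sampled lazily per input."""
    def __init__(self):
        self.table = {}
    def query(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = os.urandom(BLOCK)
        return self.table[x]

def two_query_adversary(oracle) -> int:
    """Choose x1, x2 arbitrarily, query both, output 1 iff y1 XOR y2 == x1 XOR x2.
    For k XOR x this always holds; for a random function it holds w.p. 2^-128."""
    x1, x2 = os.urandom(BLOCK), os.urandom(BLOCK)
    y1, y2 = oracle.query(x1), oracle.query(x2)
    return 1 if xor_bytes(y1, y2) == xor_bytes(x1, x2) else 0

def prf_advantage(prf, adversary, trials: int = 200) -> float:
    """Estimate Pr[A outputs 1 | real world] - Pr[A outputs 1 | random world]."""
    real = sum(adversary(RealWorld(prf)) for _ in range(trials)) / trials
    rand = sum(adversary(RandomWorld()) for _ in range(trials)) / trials
    return real - rand
```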

Slide31

PRP security definition

Definition: The PRP-advantage of an adversary is

Slide32

Block cipher security

Which security properties should a block cipher satisfy? I.e., what should the security definition of a block cipher look like?

Some suggestions:

P1: Should be hard to obtain from for secret

P2: Should be hard to obtain from where

P3: Should be hard to obtain from

P4: Should be hard to obtain any from where

P5: Should be hard to learn any bit of from

P6: Should be hard to detect repetitions among from (Impossible!)

P7:

Not good enough!

is PRF/PRP secure, has properties P1 – P5

Logic 101: this is equivalent to:

is not PRF/PRP secure, does not have properties P1 – P5

Slide33

PRP security, PRF security

Theorem: (PRP/PRF Switching Lemma) A secure PRP is also a secure PRF. In particular, for all making at most oracle queries:
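An added illustration of the switching lemma (not code from the lecture): in its standard form the gap between an adversary's PRF- and PRP-advantage is at most q(q-1)/2^(n+1) for q queries on an n-bit block, and the collision-finding adversary below comes close to that bound. The 16-bit toy block length and the lazily sampled reference oracles are constructed for the demonstration.

```python
import random

N_BITS = 16  # toy block length so collisions are observable; AES has n = 128
DOMAIN = 1 << N_BITS

class RandomFunction:
    """Lazily sampled random function on n-bit strings (PRF reference world)."""
    def __init__(self, rng: random.Random):
        self.rng, self.table = rng, {}
    def query(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = self.rng.randrange(DOMAIN)
        return self.table[x]

class RandomPermutation:
    """Lazily sampled random permutation (PRP reference world): outputs never repeat."""
    def __init__(self, rng: random.Random):
        self.rng, self.table, self.used = rng, {}, set()
    def query(self, x: int) -> int:
        if x not in self.table:
            y = self.rng.randrange(DOMAIN)
            while y in self.used:
                y = self.rng.randrange(DOMAIN)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]

def collision_adversary(oracle, q: int, rng: random.Random) -> int:
    """Query q distinct inputs; output 1 iff two outputs collide.
    Never fires against a permutation; fires with birthday probability otherwise."""
    ys = [oracle.query(x) for x in rng.sample(range(DOMAIN), q)]
    return 1 if len(set(ys)) < q else 0

def switching_bound(q: int, n: int = N_BITS) -> float:
    """Standard form of the lemma's bound: |Adv_PRF - Adv_PRP| <= q(q-1) / 2^(n+1)."""
    return q * (q - 1) / 2 ** (n + 1)

def advantage_gap(q: int, trials: int = 2000, seed: int = 1) -> float:
    """Empirical Pr[A -> 1 | random function] - Pr[A -> 1 | random permutation]."""
    rng = random.Random(seed)
    p_func = sum(collision_adversary(RandomFunction(rng), q, rng)
                 for _ in range(trials)) / trials
    p_perm = sum(collision_adversary(RandomPermutation(rng), q, rng)
                 for _ in range(trials)) / trials
    return p_func - p_perm

def permutation_never_collides(q: int = 256, seed: int = 0) -> bool:
    rng = random.Random(seed)
    return collision_adversary(RandomPermutation(rng), q, rng) == 0
```

With q = 64 and n = 16 the bound is about 0.031, and the measured gap lands just under it, which is the birthday behaviour that makes the lemma tight.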

 

Slide34

Constructing block ciphers

Slide35

PRPs from PRFs – the Feistel construction

Let be a PRF (not a permutation!)

Function is a PRP

Called a Feistel network/construction

More or less DES: (56-bit key is expanded to 16 48-bit round keys)

Slide36

Feistel network security – theory

Theorem: (Luby & Rackoff '86) If is a secure PRF, 3-round Feistel is a secure PRP
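The Feistel construction and the three-round requirement, as an added example (not the lecture's own code): a keyed round function that is not a permutation still yields an invertible cipher, and two rounds leave a linear relation in the output that a third round removes. The HMAC-SHA256 round function and the round-key schedule are assumptions for the demonstration, not DES's.

```python
import hashlib
import hmac

HALF = 8  # 64-bit halves give a 128-bit block; DES uses 32-bit halves

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(round_key: bytes, half: bytes) -> bytes:
    """Assumed PRF for one round: HMAC-SHA256 truncated to a half block.
    Not a permutation of the half block; the Feistel structure does not need it to be."""
    return hmac.new(round_key, half, hashlib.sha256).digest()[:HALF]

def feistel_keys(master_key: bytes, rounds: int) -> list:
    """Constructed key schedule (not DES's): round key i = HMAC(master, i)."""
    return [hmac.new(master_key, bytes([i]), hashlib.sha256).digest()
            for i in range(rounds)]

def feistel_encrypt(round_keys: list, block: bytes) -> bytes:
    """One Feistel round maps (L, R) to (R, L XOR F(R)); no final swap."""
    left, right = block[:HALF], block[HALF:]
    for rk in round_keys:
        left, right = right, xor_bytes(left, round_function(rk, right))
    return left + right

def feistel_decrypt(round_keys: list, block: bytes) -> bytes:
    """Undo rounds in reverse: from (L', R') = (R, L XOR F(R)) recover
    L = R' XOR F(L') and R = L', using only forward evaluations of F."""
    left, right = block[:HALF], block[HALF:]
    for rk in reversed(round_keys):
        left, right = xor_bytes(right, round_function(rk, left)), left
    return left + right

def roundtrip_ok(master_key: bytes, block: bytes, rounds: int = 3) -> bool:
    ks = feistel_keys(master_key, rounds)
    return feistel_decrypt(ks, feistel_encrypt(ks, block)) == block

def left_half_leaks(master_key: bytes, rounds: int) -> bool:
    """After 2 rounds the left output half is L XOR F1(R), so two inputs sharing R
    give left halves that XOR to L1 XOR L2; after 3 rounds this relation is gone."""
    ks = feistel_keys(master_key, rounds)
    r = b"\x11" * HALF
    l1, l2 = b"\x00" * HALF, b"\xff" * HALF
    c1, c2 = feistel_encrypt(ks, l1 + r), feistel_encrypt(ks, l2 + r)
    return xor_bytes(c1[:HALF], c2[:HALF]) == xor_bytes(l1, l2)
```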

 

 

 

Slide37

Data Encryption Standard (DES)

1972 – NIST calls for a block cipher standard

1974 – Horst Feistel at IBM designs Lucifer

Key-length: 128 bits; block-length: 128 bits

Lucifer evolves into DES

Input from the NSA

Key-length: 56 bits; block-length: 64 bits

#Rounds: 16

1976 – Lucifer (now DES) is standardized

Widely implemented

1997 – Broken by exhaustive search

2001 – Replaced by AES

Slide38

Principles for designing block ciphers

C. Shannon, “Communication Theory of Secrecy Systems” (1949):

Diffusion: plaintext spread over large parts of the ciphertext

Confusion: a complex relation between plaintext, key and ciphertext

Slide39

DES: 16-round Feistel network

[Figure: DES as a 16-round Feistel network with key expansion; 64-bit input and 64-bit output]

Slide40

DES round function

[Figure: the DES round function]

S-box: function implemented as a look-up table

Slide41

DES properties

Easy to implement in hardware

Not as efficient in software

Many design decisions still unclear

Design criteria classified for many years

Controversy around NSA influence

Initial S-boxes were changed

Switching to 56-bit keys (from 128 bits) probably to allow NSA to decrypt

Not secure since key space and block length too small; replacement needed

Slide42

Advanced Encryption Standard

Slide43

Substitution-permutation networks

Slide44

AES-128

[Figure: AES-128 on a 128-bit state: input, 10 rounds of SubBytes, ShiftRow, MixColumn (the final round has no MixColumn), output]

Slide45

AES round function

SubBytes, ShiftRow, MixColumn

Slide46

AES round

SubBytes

ShiftRows

MixColumns

AddRoundKey


Slide48

AES performance

AES is reasonably efficient in software

T-table implementation very fast (but not secure!)

Hard to implement fast and constant-time

Intel introduced dedicated AES instructions into their CPUs (AES-NI):

aesenc, aesenclast: do one round of AES in one cycle

aeskeygenassist: do AES key expansion

aesdec, aesdeclast: do one round of AES decryption in one cycle

aesimc: do AES inverse MixColumns

Now standard in all modern CPUs

Throughput:

AES-128 (in software): 265 MB/s

AES-128 (w/AES-NI): 3.45 GB/s

Slide49

Attacking block ciphers

Slide50

Attacks on block ciphers

Brute force attacks: search through every possible key in key space

Generic: works for all block ciphers

Not practical for large key spaces

Advanced attacks: try to exploit the concrete details of the block cipher

Differential cryptanalysis ('90, but known by the designers of DES + NSA since mid '70)

Linear cryptanalysis ('92)

AES designed to resist both

Implementation attacks: vulnerabilities due to implementation characteristics

Power draw

Timing

Cache misses

Slide51

Summary

Block ciphers are very important primitives (building blocks) – but they are not encryption schemes!

Correct abstraction: block ciphers = PRPs

Right security notion for PRFs/PRPs: indistinguishability from random function/permutation

Concrete block cipher designs: DES and AES