Homework 2 Due: Tuesday, October 2 - PowerPoint Presentation

Uploaded On 2023-06-24


Presentation Transcript

1. Homework 2
  Due: Tuesday, October 2nd at 3PM (beginning of class)
  Please Typeset Your Solutions (LaTeX, Word etc…)
  You may collaborate, but must write up your own solutions in your own words

2. Merkle-Damgård Transform
  Construction: (Gen,h) fixed length hash function from 2n bits to n bits
  Break x into n bit segments x1,..,xd (pad last block by 0’s)
  (initialization)
  For i = 1 to d
  Output where encodes as an n-bit string

3. Cryptography CS 555
  Week 6: Random Oracle Model
  Applications of Hashing
  Stream Ciphers (time permitting)
  Block Ciphers
  Feistel Networks
  DES, 3DES
  Readings: Katz and Lindell Chapter 6-6.2.4
  Fall 2017

4. Recap
  Hash Functions
  Definition
  Merkle-Damgård
  HMAC construction
  Generic Attacks on Hash Functions
  Birthday Attack
  Small Space Birthday Attacks (cycle detection)
  Pre-Computation Attacks: Time/Space Tradeoffs

5. Week 6: Topic 1: Random Oracle Model + Hashing Applications

6. (Recap) Collision-Resistant Hash Function
  Intuition: Hard for computationally bounded attacker to find x,y s.t. H(x) = H(y)
  How to formalize this intuition?
  Attempt 1: For all PPT A,
  The Problem: Let x,y be given s.t. H(x)=H(y)
  We are assuming that |x| > |H(x)|. Why?
  H(x)=x is perfectly collision resistant! (but with no compression)

7. (Recap) Keyed Hash Function Syntax
  Two Algorithms
  (Key-generation algorithm) Input: Random Bits R; Output: Secret key
  (Hashing Algorithm) Input: key and message (unbounded length); Output: hash value
  Fixed length hash function with

8. Collision Experiment
  [Game diagram: challenger sends s; attacker returns x1,x2]
  Definition: (Gen,H) is a collision resistant hash function if

9. When Collision Resistance Isn’t Enough
  Example: Message Commitment
  Alice sends Bob: (e.g., predicted winner of NCAA Tournament)
  Alice can later reveal message (e.g., after the tournament is over)
  Just send r and m (note: r has fixed length)
  Why can Alice not change her message?
  In the meantime Bob shouldn’t learn anything about m
  Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)

10. When Collision Resistance Isn’t Enough
  Problem: Let (Gen,H’) be collision resistant then so is (Gen,H)
  (Gen,H) definitely does not hide all information about input
  Conclusion: Collision resistance is not sufficient for message commitment

11. The Tension
  Example: Message Commitment
  Alice sends Bob: (e.g., predicted winners of NCAA Final Four)
  Alice can later reveal message (e.g., after the Final Four is decided)
  In the meantime Bob shouldn’t learn anything about m
  This is still a reasonable approach in practice!
  No attacks when instantiated with any reasonable candidate (e.g., SHA3)
  Cryptographic hash functions seem to provide “something” beyond collision resistance, but how do we model this capability?

12. Random Oracle Model
  Model hash function H as a truly random function
  Algorithms can only interact with H as an oracle
  Query: x; Response: H(x)
  If we submit the same query we see the same response
  If x has not been queried, then the value of H(x) is uniform
  Real World: H instantiated as cryptographic hash function (e.g., SHA3) of fixed length (no Merkle-Damgård)

13. Back to Message Commitment
  Example: Message Commitment
  Alice sends Bob: (e.g., predicted winners of NCAA Final Four)
  Alice can later reveal message (e.g., after the Final Four is decided)
  Just send r and m (note: r has fixed length)
  Why can Alice not change her message?
  In the meantime Bob shouldn’t learn anything about m
  Random Oracle Model: Above message commitment scheme is secure (Alice cannot change m + Bob learns nothing about m)
  Information Theoretic Guarantee against any attacker with q queries to H

14. Random Oracle Model: Pros
  It is easier to prove security in Random Oracle Model
  Suppose we are simulating attacker A in a reduction
  Extractability: When A queries H at x we see this query and learn x (and can easily find H(x))
  Programmability: We can set the value of H(x) to a value of our choice, as long as the value is correctly distributed, i.e., close to uniform
  Both Extractability and Programmability are useful tools for a security reduction!

15. Random Oracle Claim
  Theorem: Any algorithm A that makes q queries to a random oracle will find a collision with probability at most
  Proof: For distinct strings x,y we have
  Let denote A’s queries to the random oracle. By the union bound

16. Key Derivation
  Transform (low-entropy) password into high-entropy secret key K
  Suppose that and attacker can make at most queries to random oracle H.
  If attacker does not query then the secret key can be viewed as a uniformly random -bit string!
  Probability of violating MAC security with K is at most

17. Random Oracle Model: Pros
  It is easier to prove security in Random Oracle Model
  Provably secure constructions in random oracle model are often much more efficient (compared to provably secure constructions in the “standard model”)
  Sometimes we only know how to design a provably secure protocol in the random oracle model

18. Random Oracle Model: Cons
  Lack of formal justification
  Why should security guarantees translate when we instantiate random oracle with a real cryptographic hash function?
  We can construct (contrived) examples of protocols which are secure in random oracle model… but broken in the real world

19. Random Oracle Model: Justification
  “A proof of security in the random-oracle model is significantly better than no proof at all.”
  Evidence of sound design (any weakness involves the hash function used to instantiate the random oracle)
  Empirical Evidence for Security: “there have been no successful real-world attacks on schemes proven secure in the random oracle model”

20. Hash Function Application: Fingerprinting
  The hash h(x) of a file x is a unique identifier for the file
  Collision Resistance ⇒ No need to worry about another file y with H(y)=H(x)
  Application 1: Virus Fingerprinting
  Application 2: P2P File Sharing
  Application 3: Data deduplication

21. Tamper Resistant Storage
  [Diagram: store m1, keep H(m1); a modified m1’ is detected]

22. Tamper Resistant Storage
  File Index / Hash: 1 H(m1); 2 H(m2); 3 H(m3)
  [Diagram: store m1,m2,m3; “Send file 1”; a modified m1’ is detected]
  Disadvantage: Too many hashes to store

23. Tamper Resistant Storage
  [Diagram: store m1,m2,m3, keep the single hash H(m1,m2,m3); “Send file 1”; m1’]
  Disadvantage: Need all files to compute hash

24. Merkle Trees
  Proof of Correctness for data block 2
  Verify that root matches
  Proof consists of just log(n) hashes
  Verifier only needs to permanently store one hash value

25. Merkle Trees
  Theorem: Let (Gen, hs) be a collision resistant hash function and let Hs(m) return the root hash in a Merkle Tree. Then Hs is collision resistant.

26. Tamper Resistant Storage
  [Diagram: store m1,m2,m3,m4; Root: H1-4; “Send file 2” returns m2’, h1, h3-4]
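The Merkle tree argument of slides 24 to 26 worked through in code: the verifier keeps one root hash, the storage server returns a block plus log(n) sibling hashes, and the verifier recomputes the path to the root. This is an added example, not code from the course slides: it uses SHA-256 for the abstract hash h_s, duplicates the last node of an odd-sized level (an assumed convention), and prefixes leaf and interior hashes with distinct bytes so a leaf can never be mistaken for an interior node; the sample file contents are constructed.

```python
import hashlib


def leaf_hash(data: bytes) -> bytes:
    # Distinct prefixes for leaves (0x00) and interior nodes (0x01) keep the two
    # domains separate; without this a block that happens to look like two
    # concatenated hashes could be passed off as an interior node.
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(blocks):
    """Return all levels: levels[0] are the leaf hashes, levels[-1] == [root].
    An odd-sized level has its last node duplicated (assumed convention)."""
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(blocks) -> bytes:
    """The single value the verifier stores permanently."""
    return build_tree(blocks)[-1][0]


def prove(blocks, index):
    """Inclusion proof for blocks[index]: one (sibling_hash, sibling_is_left)
    per level, i.e. log2(n) hashes for n blocks."""
    proof = []
    for level in build_tree(blocks)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify(root_hash: bytes, block: bytes, proof) -> bool:
    """Recompute the root from the returned block and the proof path."""
    h = leaf_hash(block)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root_hash


# Constructed sample: four stored files, as on slide 26.
SAMPLE_FILES = [b"file-1", b"file-2", b"file-3", b"file-4"]

if __name__ == "__main__":
    stored_root = root(SAMPLE_FILES)                 # verifier keeps only this
    proof = prove(SAMPLE_FILES, 1)                   # server: "Send file 2"
    print(len(proof), "hashes in the proof")
    print(verify(stored_root, b"file-2", proof))     # True
    print(verify(stored_root, b"file-2-tampered", proof))  # False
```

The tamper check is the point of the construction: a modified block fails because, by the theorem on slide 25, producing a different block with the same root would yield a collision in h_s.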

27. Commitment Schemes
  Alice wants to commit a message m to Bob
  And possibly reveal it later at a time of her choosing
  Properties
  Hiding: commitment reveals nothing about m to Bob
  Binding: it is infeasible for Alice to alter message

28. Commitment Hiding
  [Game diagram: r = Gen(.); random bit b; attacker sends m0,m1 and receives commit(r,mb); attacker outputs b’]

29. Commitment Binding
  [Game diagram: attacker outputs r0,r1,m0,m1]

30. Secure Commitment Scheme
  Definition: A secure commitment scheme is hiding and binding
  Hiding
  Binding

31. Commitment Scheme in Random Oracle Model
  Theorem: In the random oracle model this is a secure commitment scheme.
  Binding:

32. Commitment Hiding
  [Game diagram: r = Gen(.); random bit b; attacker sends m0,m1; attacker outputs b’]

33. Commitment Hiding
  [Game diagram: r = Gen(.); random bit b; attacker sends m0,m1; attacker outputs b’]
  If attacker never makes query of the form then bit b is information theoretically hidden
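The hash-based commitment of slides 9 to 13 and 27 to 33 in code, with the binding check Bob runs at reveal time. This is an added example, not from the course slides: it instantiates the random oracle with SHA-256, fixes r at 32 bytes (an assumption; the slides only say r has fixed length), and the sample message is constructed. It also shows why the fixed length matters: with variable-length r, H(r||m) cannot tell (r, m) apart from a different split of the same string, so one commitment would open to two messages.

```python
import hashlib
import hmac
import os

R_LEN = 32  # fixed length of r in bytes (assumption: 256 bits)


def commit(r: bytes, m: bytes) -> bytes:
    """com = H(r || m). Because |r| is fixed, r || m splits back into (r, m) uniquely."""
    if len(r) != R_LEN:
        raise ValueError("r must be exactly R_LEN bytes")
    return hashlib.sha256(r + m).digest()


def open_commitment(com: bytes, r: bytes, m: bytes) -> bool:
    """Bob's check when Alice reveals (r, m); constant-time comparison of digests."""
    return len(r) == R_LEN and hmac.compare_digest(commit(r, m), com)


def demo(r: bytes = None):
    """Alice commits to a constructed prediction, then tries to open honestly
    and with a changed message. Returns (honest_accepted, altered_accepted)."""
    r = os.urandom(R_LEN) if r is None else r
    m = b"Final Four: A, B, C, D"          # constructed sample message
    com = commit(r, m)                     # Bob learns nothing about m from com
    honest = open_commitment(com, r, m)
    altered = open_commitment(com, r, b"Final Four: A, B, C, E")
    return honest, altered


def variable_length_r_is_ambiguous() -> bool:
    """Why the slides insist that r has fixed length: if r could be any length,
    (b'ab', b'c') and (b'a', b'bc') hash to the same value, so the same
    commitment opens to two different messages, breaking binding."""
    h = hashlib.sha256
    return h(b"ab" + b"c").digest() == h(b"a" + b"bc").digest()


if __name__ == "__main__":
    print(demo())                          # (True, False)
    print(variable_length_r_is_ambiguous())  # True
```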

34. Other Applications
  Password Hashing
  Key Derivation
  Later: Key Encapsulation Mechanism, RSA-FDH etc...

35. CS 555: Week 6: Topic 6: Block Ciphers

36. An Existential Crisis?
  We have used primitives like PRGs, PRFs to build secure MACs, CCA-Secure Encryption, Authenticated Encryption etc…
  Do such primitives exist in practice?
  How do we build them?

37. Recap
  Hash Functions/PRGs/PRFs, CCA-Secure Encryption, MACs
  Goals for This Week: Practical Constructions of Symmetric Key Primitives
  Today’s Goals: Block Ciphers
  S-box
  Confusion Diffusion Paradigm
  Feistel Networks

38. Pseudorandom Permutation
  A keyed function, which is invertible and “looks random” without the secret key k.
  Similar to a PRF, but computing Fk(x) and is efficient (polynomial-time)
  Definition 3.28: A keyed function is a strong pseudorandom permutation if for all PPT distinguishers D there is a negligible function s.t.

39. Pseudorandom Permutation
  Definition 3.28: A keyed function is a strong pseudorandom permutation if for all PPT distinguishers D there is a negligible function s.t.
  Notes: the first probability is taken over the uniform choice of as well as the randomness of D.
  The second probability is taken over uniform choice of f ∈ Perm_n as well as the randomness of D.
  D is never given the secret k
  However, D is given oracle access to keyed permutation and inverse

40. How many permutations?
  |Perm_n| = ?  Answer: (2^n)!
  How many bits to store f ∈ Perm_n?  Answer:

41. How many bits to store permutations?
  Example: Storing f ∈ Perm_50 requires over 6.8 petabytes (10^15)
  Example 2: Storing f ∈ Perm_100 requires about 12 yottabytes (10^24)
  Example 3: Storing f ∈ Perm_8 requires about 211 bytes

42. Attempt 1: Pseudorandom Permutation
  Select 16 random permutations on 8-bits.
  Secret key: (about 3 KB)
  Input: x=x1,…,x16 (16 bytes)
  Any concerns?

43. Attempt 1: Pseudorandom Permutation
  Select 16 random permutations on 8-bits.
  Any concerns?
  Changing a bit of input produces insubstantial changes in the output.
  A truly random permutation would not behave this way!

44. Pseudorandom Permutation Requirements
  Consider a truly random permutation
  Let inputs x and x’ differ on a single bit
  We expect outputs F(x) and F(x’) to differ on approximately half of their bits
  F(x) and F(x’) should be (essentially) independent.
  A pseudorandom permutation must exhibit the same behavior!

45. Confusion-Diffusion Paradigm
  Our previous construction was not pseudorandom, but applying the permutations does accomplish something
  They introduce confusion into F
  Attacker cannot invert (after seeing a few outputs)
  Approach:
  Confuse: Apply random permutations to each block of input to obtain ,…,
  Diffuse: Mix the bytes ,…, to obtain bytes ,…,
  Confuse: Apply random permutations with inputs ,…,
  Repeat as necessary

46. Attempt 1: Pseudorandom Permutation
  Select 16 random permutations on 8-bits.
  Any concerns?
  Changing a bit of input produces insubstantial changes in the output.
  A truly random permutation would not behave this way!

47. Confusion-Diffusion Paradigm
  Example: Select 8 random permutations on 8-bits
  Select 8 extra random permutations on 8-bits
  Output:

48. Example Mixing Function
  For i=1 to 8
  End For
  Output:

49. Are We Done?
  Output:
  Suppose and
  Output:
  Highly unlikely that a truly random permutation would behave this way!

50. Substitution Permutation Networks
  S-box: a public “substitution function” (e.g.). S is not part of a secret key, but can be used with one
  Input to round: x, k (k is subkey for current round)
  Key Mixing: Set
  Substitution:
  Bit Mixing Permutation: permute the bits of x to obtain the round output
  Note: there are only n! possible bit mixing permutations of [n] as opposed to (2^n)! permutations of {0,1}^n

51. Substitution Permutation Networks
  Proposition 6.3: Let F be a keyed function defined by a Substitution Permutation Network. Then for any keys/number of rounds Fk is a permutation.
  Why? Composing permutations f,g results in another permutation h(x)=g(f(x)).

52. Remarks
  Want to achieve “avalanche effect” (one bit change should “affect” every output bit)
  Should an S-box be a random byte permutation?
  Better to ensure that S(x) differs from x on at least 2 bits (for all x)
  Helps to maximize “avalanche effect”
  Mixing Permutation should ensure that output bits of any given S-box are used as input to multiple S-boxes in the next round

53. Remarks
  How many rounds?
  Informal Argument: If we ensure that S(x) differs from x on at least 2 bits (for all bytes x) then every input bit affects
  2 bits of round 1 output
  4 bits of round 2 output
  8 bits of round 3 output
  ….
  128 bits of round 4 output
  Need at least 7 rounds (minimum) to ensure that every input bit affects every output bit

54. Attacking Lower Round SPNs
  Trivial Case: One full round with no final key mixing step
  Key Mixing: Set
  Substitution:
  Bit Mixing Permutation: P permutes the bits of y to obtain the round output
  Given input/output (x,Fk(x))
  Permutations P and Si are public and can be run in reverse: P^-1(Fk(x)) = ; = Si^-1
  Attacker knows xi and can thus obtain ki

55. Attacking Lower Round SPNs
  Easy Case: One full round with final key mixing step
  Key Mixing (k1): Set
  Substitution:
  Bit Mixing Permutation: =P(y)
  Final Key Mixing (k2): Output z
  Given input/output (x,Fk(x))
  Permutations P and Si are public and can be run in reverse once k2 is known
  Immediately yields attack in 2^64 time (k1,k2 are each 64 bit keys) which narrows down key-space to 2^64, but we can do much better!

56. Attacking Lower Round SPNs
  Easy Case: One full round with final key mixing step
  Key Mixing (k1): Set
  Substitution:
  Bit Mixing Permutation: =P(y)
  Final Key Mixing (k2): Output
  Given input/output (x,Fk(x))
  Permutations P and Si are public and can be run in reverse once k2 is known
  Guessing 8 specific bits of k2 (which bits depends on P) we can obtain one value
  Attacker knows xi and can thus obtain ki by inverting Si and using XOR
  Narrows down key-space to 2^64, but in time 8 × 2^8

57. Attacking Lower Round SPNs
  Easy Case: One full round with final key mixing step
  Key Mixing (k1): Set
  Substitution:
  Bit Mixing Permutation: =P(y)
  Final Key Mixing (k2): Output z
  Given several input/output pairs (xj,Fk(xj))
  Can quickly recover k1 and k2

58. Attacking Lower Round SPNs
  Harder Case: Two round SPN
  Exercise
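The one-round SPN key recovery of slides 54 to 57, scaled down so it runs in a moment: a 16-bit block with four 4-bit S-boxes and a 16-bit bit permutation. This is an added example and not code from the course slides or the textbook; the S-box table, the permutation P, the keys and the plaintexts are all constructed (the slides name S_i and P but give no tables). It shows the trivial case (no final key mixing: one pair gives k1 outright), the easy case (final key mixing: guess only the 4 bits of k2 that P routes to one S-box, 16 guesses instead of 2^16), and why one pair only narrows the key space while several pairs pin the key down.

```python
# Constructed public components (assumptions, not from the slides).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# Bit permutation P: output bit j of the S-box layer moves to bit PERM[j].
PERM = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]


def sub(x):        # S-box layer: S applied to each of the four nibbles
    return sum(SBOX[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def sub_inv(x):
    return sum(SBOX_INV[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def perm(x):
    return sum(((x >> j) & 1) << PERM[j] for j in range(16))


def perm_inv(x):
    return sum(((x >> PERM[j]) & 1) << j for j in range(16))


def one_round_no_final(x, k1):
    """Trivial case (slide 54): key mixing, substitution, bit permutation."""
    return perm(sub(x ^ k1))


def one_round_final(x, k1, k2):
    """Easy case (slides 55-57): same round followed by a final key mixing."""
    return perm(sub(x ^ k1)) ^ k2


def recover_k1_trivial(x, c):
    """P and S are public: undo them and XOR with the known input."""
    return x ^ sub_inv(perm_inv(c))


def surviving_guesses(pairs, i):
    """For S-box i: every (4 bits of k2, k1 nibble) consistent with all pairs.
    Only the k2 bits at positions P sends S-box i's output to need guessing."""
    positions = [PERM[4 * i + b] for b in range(4)]
    survivors = []
    for guess in range(16):
        k2_part = sum(((guess >> b) & 1) << positions[b] for b in range(4))
        k1_nibbles = {((x >> (4 * i)) & 0xF)
                      ^ SBOX_INV[(perm_inv(c ^ k2_part) >> (4 * i)) & 0xF]
                      for x, c in pairs}
        if len(k1_nibbles) == 1:          # same k1 nibble for every pair
            survivors.append((k2_part, k1_nibbles.pop()))
    return survivors


def recover_keys_easy(pairs):
    """Recover (k1, k2) one S-box at a time: 4 x 16 guesses instead of 2^16."""
    k1 = k2 = 0
    for i in range(4):
        survivors = surviving_guesses(pairs, i)
        if len(survivors) != 1:
            raise ValueError(f"S-box {i}: {len(survivors)} candidates left, need more pairs")
        k2_part, k1_nibble = survivors[0]
        k1 |= k1_nibble << (4 * i)
        k2 |= k2_part
    return k1, k2


# Constructed secret keys and chosen inputs covering every nibble value.
K1, K2 = 0x3A7C, 0xD159
PAIRS = [(v * 0x1111, one_round_final(v * 0x1111, K1, K2)) for v in range(16)]

if __name__ == "__main__":
    print(hex(recover_k1_trivial(0x1234, one_round_no_final(0x1234, K1))))  # 0x3a7c
    print(len(surviving_guesses(PAIRS[:1], 0)), "candidates from one pair")   # 16
    print([hex(k) for k in recover_keys_easy(PAIRS)])                        # K1, K2
```

With a single pair every guess of the k2 bits is consistent, which is the slide's "narrows the key space" remark; the 16 constructed pairs make each S-box input take all 16 values, so only the correct guess survives. The design lesson is the one the slides draw: a single round exposes the key because P and S are public and separable, which is why real SPNs use many rounds.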

59. Feistel Networks
  Alternative to Substitution Permutation Networks
  Advantage: underlying functions need not be invertible, but the result is still a permutation

60. Ri-1 = Li
  Li-1 := (Ri-1)
  Proposition: the function is invertible.
  Data Encryption Standard (DES): 16-round Feistel Network.

61. CS 555: Week 6: Topic 4: DES, 3DES

62. Feistel Networks
  Alternative to Substitution Permutation Networks
  Advantage: underlying functions need not be invertible, but the result is still a permutation

63. Li+1 = Ri
  Ri+1 ≔ L(Ri)
  Proposition: the function is invertible.

64. Data Encryption Standard
  Developed in 1970s by IBM (with help from NSA)
  Adopted in 1977 as Federal Information Processing Standard (US)
  Data Encryption Standard (DES): 16-round Feistel Network.
  Key Length: 56 bits
  Vulnerable to brute-force attacks in modern times
  1.5 hours at 14 trillion DES evals/second (e.g., Antminer S9 runs at 14 TH/s)

65. DES Round
  [Diagram]

66. Generating the Round Keys
  Initial Key: 64 bits
  Effective Key Length: 56 bits
  Round Key Length: 48 bits (each)
  16 round keys derived from initial key

67. DES Mangle Function
  Expand E: 32-bit input → 48-bit output (duplicates 16 bits)
  S-boxes: S1,…,S8
  Input: 6 bits; Output: 4 bits
  Not a permutation! 4-to-1 function: exactly four inputs mapped to each possible output

68. Mangle Function
  [Diagram: 32 bit input; 48-bit subkey; 48 bit output of expand; XOR block before applying S-Boxes; each S-box outputs 4 bits]

69. S-Box Representation as Table
  Columns indexed by the outer 2 bits of x (00, 01, 10, 11): 4 columns (2 bits)
  Rows indexed by the inner 4 bits of x (0000, 0001, 0010, 0011, 0100, 0101, 0110, …, 1111): 16 rows (4 bits)
  x = 101101: S(x) = Table[0110,11] = 1101

70. S-Box Representation
  Columns indexed by the outer 2 bits of x (00, 01, 10, 11): 4 columns (2 bits)
  Rows indexed by the inner 4 bits of x (0000, 0001, 0010, 0011, 0100, 0101, 0110, …, 1111): 16 rows (4 bits)
  x = 101101: S(x) = T[0110,11] = 1101
  Each column is a permutation

71. Pseudorandom Permutation Requirements
  Consider a truly random permutation
  Let inputs x and x’ differ on a single bit
  We expect outputs F(x) and F(x’) to differ on approximately half of their bits
  F(x) and F(x’) should be (essentially) independent.
  A pseudorandom permutation must exhibit the same behavior!
  Requirement: DES Avalanche Effect!

72. DES Avalanche Effect
  Permutation at the end of the mangle function helps to mix bits
  Special S-box property #1: Let x and x’ differ on one bit; then Si(x) differs from Si(x’) on two bits.

73. Avalanche Effect Example
  Consider two 64 bit inputs (Ln,Rn) and (Ln’,R’n=Rn)
  Ln and Ln’ differ on one bit
  This is worst case example
  Ln+1 = Ln+1’ = Rn
  But now R’n+1 and Rn+1 differ on one bit
  Even if we are unlucky E(R’n+1) and E(Rn+1) differ on 1 bit
  Rn+2 and R’n+2 differ on two bits
  Ln+2 = Rn+1 and Ln+2’ = R’n+1 differ in one bit

74. Avalanche Effect Example
  Rn+2 and R’n+2 differ on two bits
  Ln+2 = Rn+1 and Ln+2’ = R’n+1 differ in one bit
  Rn+3 and R’n+3 differ on four bits since we have different inputs to two of the S-boxes
  Ln+3 = Rn+2 and Ln+3’ = R’n+2 now differ on two bits
  After seven rounds we expect all 32 bits in right half to be “affected” by input change…
  DES has sixteen rounds

75. Attack on One-Round DES
  Given input output pair (x,y)
  y=(L1,R1); x=(L0,R0)
  Note: R0=L1
  Note: R1=L0 where is the Mangling Function with key k1
  Conclusion:

76. Attack on One-Round DES
  Four possible inputs
  Trivial to Recover

77. Attack on Two-Round DES
  Output y =(L2,R2)
  Note: Also, Thus,
  So we can still attack the first round key k1 as before as and are known
  Note: Also, and Thus,
  So we can attack the second round key k2 as before as and are known
  [Diagram: L0, R0 → K1, F → L1, R1 → K2, F → L2, R2]

78. Attack on Three-Round DES
  We know all of the values , and .
  Leads to attack in time 2^(n/2) (See details in textbook)
  Remember that DES is 16 rounds

79. DES Security
  Best Known attack is brute-force 2^56
  Except under unrealistic conditions (e.g., 2^43 known plaintexts)
  Brute force is not too difficult on modern hardware
  Attack can be accelerated further after precomputation
  Output is a few terabytes
  Subsequently keys are cracked in 2^38 DES evaluations (minutes)
  Precomputation costs amortize over number of DES keys cracked
  Even in 1970 there were objections to the short key length for DES

80. Double DES
  Let Fk(x) denote the DES block cipher
  A new block cipher F’ with a key of length 2n can be defined by
  Can you think of an attack better than brute-force?

81. Meet in the Middle Attack
  Goal: Given (x, ) try to find secret key k in time and space .
  Solution? Key Observation
  Compute and for each potential n-bit key K and store and
  Sort each list of pairs (by or ) to find K1 and K2.
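One block that covers two passages: the Feistel invertibility claim of slides 59 to 63 (a non-injective round function still yields a permutation), and the meet-in-the-middle attack on double encryption from slides 80 and 81. This is an added example, not code from the course slides: the cipher is a constructed 4-round Feistel network on 16-bit blocks with a 12-bit key, so that "compute F_K(x) for every K" takes 2^12 steps instead of 2^56. A dictionary stands in for the slide's sorted lists, and extra (x, y) pairs filter the false matches that a single pair leaves behind. All keys and plaintexts are constructed.

```python
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS          # 4096 keys, so brute force on double
                                  # encryption would cost 2^24 trial pairs


def round_fn(r, rk):
    """Constructed round function on 8-bit halves. Deliberately NOT injective
    (e.g. round_fn(0, 0) == round_fn(253, 0)): Feistel does not need it to be."""
    u = (r ^ rk) & 0xFF
    return (u * u + 3 * u) & 0xFF


def round_keys(key):
    """Four 8-bit round keys: low byte of the 12-bit key rotated left by 0, 3, 6, 9."""
    return [((key << (3 * i)) | (key >> (KEY_BITS - 3 * i))) & 0xFF for i in range(4)]


def encrypt(x, key):
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, k_i), as on slides 60/63."""
    left, right = x >> 8, x & 0xFF
    for rk in round_keys(key):
        left, right = right, left ^ round_fn(right, rk)
    return (left << 8) | right


def decrypt(y, key):
    """Run the rounds backwards; f is only ever evaluated, never inverted."""
    left, right = y >> 8, y & 0xFF
    for rk in reversed(round_keys(key)):
        left, right = right ^ round_fn(left, rk), left
    return (left << 8) | right


def round_fn_is_injective(rk=0):
    return len({round_fn(r, rk) for r in range(256)}) == 256


def double_encrypt(x, k1, k2):
    """F'_{k1,k2}(x) = F_{k2}(F_{k1}(x)), the Double DES shape of slide 80."""
    return encrypt(encrypt(x, k1), k2)


def meet_in_the_middle(pairs):
    """Given (x, F'(x)) pairs, recover every (k1, k2) consistent with them in
    about 2 * KEYSPACE cipher evaluations and KEYSPACE table entries."""
    x0, y0 = pairs[0]
    forward = {}                                   # F_{k1}(x0) -> [k1, ...]
    for k1 in range(KEYSPACE):
        forward.setdefault(encrypt(x0, k1), []).append(k1)
    found = []
    for k2 in range(KEYSPACE):
        for k1 in forward.get(decrypt(y0, k2), []):   # meet: F_{k1}(x0) == F^-1_{k2}(y0)
            if all(double_encrypt(x, k1, k2) == y for x, y in pairs[1:]):
                found.append((k1, k2))
    return found


# Constructed secret key pair and three known plaintext/ciphertext pairs.
K1, K2 = 0x5A3, 0xC17
PAIRS = [(x, double_encrypt(x, K1, K2)) for x in (0x0123, 0x4567, 0x89AB)]

if __name__ == "__main__":
    print(round_fn_is_injective())                               # False
    print(all(decrypt(encrypt(x, 0xABC), 0xABC) == x for x in range(65536)))  # True
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])           # K1, K2
```

The first pair alone leaves roughly 2^24 / 2^16 = 2^8 chance matches, which is why the attack checks candidates against further pairs; with three pairs only the real key survives. The cost is the point of slide 81: doubling the key length bought only one extra bit of security against this attack, not n bits.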

82. Triple DES Variant 1
  Let Fk(x) denote the DES block cipher
  A new block cipher F’ with a key of length 2n can be defined by
  Meet-in-the-Middle Attack requires time and space

83. Triple DES Variant 1
  Let Fk(x) denote the DES block cipher
  A new block cipher F’ with a key of length 2n can be defined by
  Meet-in-the-Middle Attack requires time and space
  Allows backward compatibility with DES by setting k1=k2=k3

84. Triple DES Variant 2
  Let Fk(x) denote the DES block cipher
  A new block cipher F’ with a key of length 2n can be defined by
  Just two keys!
  Meet-in-the-Middle Attack still requires time and space
  Key length is still just 112 bits (NIST recommends 128+ bits)

85. Triple DES Variant 1
  Standardized in 1999
  Still widely used, but it is relatively slow (three block cipher operations)
  Current gold standard: AES

86. Hash Functions from Block Ciphers
  Davies-Meyer Construction from block cipher
  Theorem: If is modeled as an ideal block cipher then Davies-Meyer construction is a collision-resistant hash function (Concrete: Need roughly queries to find collision)
  Ideal Cipher Model: For each key K model FK as a truly random permutation which may only be accessed in black box manner. (Equivalent to Random Oracle Model)

87. Next Class
  Read Katz and Lindell 6.2.5-6.3
  AES & Differential Cryptanalysis

88. CS 555: Week 6: Topic 2: Stream Ciphers

89. PRG Security as a Game
  [Game diagram: Random bit b; If b=1, R = G(r); Else …; attacker receives R and outputs b’]

90. Stream Cipher vs PRG
  PRG: pseudorandom bits output all at once
  Stream Cipher: pseudorandom bits can be output as a stream
  RC4, RC5 (Ron’s Code)
  st0 := Init(s)
  For i=1 to :
    (yi,sti) := GetBits(sti-1)
  Output: y1,…,y

91. Linear Feedback Shift Register
  [Diagram]

92. Linear Feedback Shift Register
  State at time t: (n registers)
  Feedback Coefficients:

93. Linear Feedback Shift Register
  State at time t: (n registers)
  Feedback Coefficients:
  State at time t+1:
  Output at time t+1:

94. Linear Feedback Shift Register
  Observation 1: First n bits of output reveal initial state
  Observation 2: Next n bits allow us to solve for n unknowns

95. Linear Feedback Shift Register
  Observation 1: First n bits of output reveal initial state
  Observation 2: Next n bits allow us to solve for n unknowns

96. Linear Feedback Shift Register
  Observation 2: Next n bits allow us to solve for n unknowns
  … n unknowns & n linearly independent constraints
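The two observations of slides 94 to 96 carried out in code: an n-register LFSR over GF(2), then recovery of the full generator from 2n output bits, the first n giving the initial state and the next n giving n linear equations in the n unknown feedback coefficients, solved by Gaussian elimination mod 2. This is an added example, not code from the course slides. The register convention (output the leftmost register, shift left, feed back into the rightmost) and the 8-register tap pattern, which corresponds to the polynomial x^8 + x^6 + x^5 + x^4 + 1, and the initial state are all constructed.

```python
def lfsr_output(state, taps, length):
    """Generate `length` bits. state[0] is output each step; the new rightmost
    register is the GF(2) inner product of taps and the current state."""
    state = list(state)
    out = []
    for _ in range(length):
        out.append(state[0])
        feedback = 0
        for c, s in zip(taps, state):
            feedback ^= c & s
        state = state[1:] + [feedback]
    return out


def solve_gf2(A, b):
    """Solve A c = b over GF(2) by Gauss-Jordan elimination.
    Returns c, or None when A is singular (then more output bits are needed)."""
    n = len(A)
    rows = [A[i][:] + [b[i]] for i in range(n)]        # augmented matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [a ^ p for a, p in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


def recover_lfsr(bits, n):
    """Observation 1: bits[0:n] are the initial state (each register is shifted
    out unchanged). Observation 2: bits[n+j] = sum_i taps[i] * bits[j+i] for
    j = 0..n-1 gives n linear constraints on the n unknown taps."""
    if len(bits) < 2 * n:
        raise ValueError("need at least 2n output bits")
    state = bits[:n]
    A = [[bits[j + i] for i in range(n)] for j in range(n)]
    b = [bits[n + j] for j in range(n)]
    taps = solve_gf2(A, b)
    return state, taps


# Constructed generator: 8 registers, taps for x^8 + x^6 + x^5 + x^4 + 1.
TAPS = [1, 0, 0, 0, 1, 1, 1, 0]
STATE = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    keystream = lfsr_output(STATE, TAPS, 40)
    state, taps = recover_lfsr(keystream[:16], 8)       # only 2n = 16 bits used
    print(state == STATE, taps == TAPS)                 # True True
    print(lfsr_output(state, taps, 40) == keystream)    # True: future bits predicted
```

Sixteen observed bits suffice to reproduce the whole keystream, which is the linearity the later slides set out to remove with nonlinear feedback and combination functions.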

97. Removing Linearity
  Attacks exploited linear relationship between state and output bits
  Nonlinear Feedback:
  [Diagram: non linear function]

98. Removing Linearity
  Attacks exploited linear relationship between state and output bits
  Nonlinear Combination:
  Important: f must be balanced!
  [Diagram: non linear function]

99. Trivium (2008)
  Won the eSTREAM competition
  Currently, no known attacks are better than brute force
  Couples output from three nonlinear Feedback Shift Registers
  First 4*288 “output bits” are discarded

100. Trivium (2008)
  [Diagram]

101. Trivium (2008)
  [Diagram: AND (Non-linear)]

102. Trivium (2008)
  [Diagram: (Non-linear) Feedback]

103. Combination Generator
  Attacks exploited linear relationship between state and output bits
  Nonlinear Combination:
  Important: f must be balanced!
  [Diagram: non linear function]

104. Feedback Shift Registers
  Good performance in hardware
  Performance is less ideal for software

105. The RC4 Stream Cipher
  A proprietary cipher owned by RSA, designed by Ron Rivest in 1987. Became public in 1994.
  Simple and effective design.
  Variable key size (typical 40 to 256 bits), output unbounded number of bytes.
  Widely used (web SSL/TLS, wireless WEP).
  Extensively studied, not a completely secure PRNG, when used correctly, no known attacks exist
  Newer Versions: RC5 and RC6
  Rijndael selected by NIST as AES in 2000

106. The RC4 Cipher
  The cipher internal state consists of a 256-byte array S, which contains a permutation of 0 to 255
  Total number of possible states is 256! ≈ 2^1700
  Two indexes: i, j
  i = j = 0
  Loop
    i = (i + 1) (mod 256)
    j = (j + S[i]) (mod 256)
    swap(S[i], S[j])
    output S[S[i] + S[j] (mod 256)]
  End Loop

107. Distinguishing Attack
  Let denote initial state
  Suppose that [2]=0 and [1]
  i = j = 0; Loop: i = (i + 1) (mod 256); j = (j + S[i]) (mod 256); swap(S[i], S[j]); output S[S[i] + S[j] (mod 256)]; End Loop
  [Diagram: state array indexed 1, 2, 3, …, X, …, 255 holding [1], 0, [3], …, [X], …, [255]]

108. Distinguishing Attack
  Let denote initial state
  Suppose that [2]=0 and [1]
  i = j = 0; Loop: i = (i + 1) (mod 256); j = (j + S[i]) (mod 256); swap(S[i], S[j]); output S[S[i] + S[j] (mod 256)]; End Loop
  [Diagram: state array indexed 1, 2, 3, …, X, …, 255 holding [1], 0, [3], …, [X], …, [255]]
  i=1, j=X

109. Distinguishing Attack
  Let denote initial state
  Suppose that [2]=0 and [1]
  i = j = 0; Loop: i = (i + 1) (mod 256); j = (j + S[i]) (mod 256); swap(S[i], S[j]); output S[S[i] + S[j] (mod 256)]; End Loop
  [Diagram: state array after the first swap: position 1 holds [X], position 2 holds 0, position X holds X]
  i=1, j=X
  Output y1 = [S[i]+S[j]]
  i=2, j=X

110. Distinguishing Attack
  Let denote initial state
  Suppose that [2]=0 and [1]
  i = j = 0; Loop: i = (i + 1) (mod 256); j = (j + S[i]) (mod 256); swap(S[i], S[j]); output S[S[i] + S[j] (mod 256)]; End Loop
  [Diagram: state array after the second swap: position 2 holds X, position X holds 0]
  i=2, j=X
  Output: y2 = S2[S2[2]+S2[X]] = S2[0+X] = 0

111. Distinguishing Attack
  Let Probability second output byte is 0
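The second-byte bias traced on slides 107 to 111, checked by running the slide's output loop. This is an added example, not code from the course slides: `rc4_prga` is the loop from slide 106 transcribed as a function, `slide_case_holds` constructs every initial permutation with S0[2]=0 and S0[1]=X (X ≠ 0, 2) and confirms the second output byte is always 0, and `second_byte_zero_rate` measures the same event over uniformly random initial permutations, where it should be about twice as likely as a uniform byte would allow (the certain case when S0[2]=0 plus the ordinary 1/256 otherwise). The trial count and seed are constructed.

```python
import random


def rc4_prga(S, nbytes):
    """Output generation exactly as on slide 106. S is a permutation of 0..255
    and is updated in place, as in the cipher."""
    i = j = 0
    out = []
    for _ in range(nbytes):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return out


def slide_case_holds():
    """For every X other than 0 and 2, build S0 with S0[1]=X and S0[2]=0 and
    check that the second output byte is 0, as the slide's trace concludes."""
    for x in range(256):
        if x in (0, 2):          # 0 is already used at position 2; X=2 is the excluded case
            continue
        S = list(range(256))
        S[1], S[x] = S[x], S[1]  # S0[1] = X
        S[2], S[0] = S[0], S[2]  # S0[2] = 0
        if rc4_prga(S, 2)[1] != 0:
            return False
    return True


def second_byte_zero_rate(trials=40000, seed=2017):
    """Fraction of uniformly random initial permutations whose second output
    byte is 0. A uniform byte would give 1/256 ~ 0.0039; the slide's argument
    predicts roughly 2/256 ~ 0.0078."""
    rng = random.Random(seed)          # constructed seed, for reproducibility
    S = list(range(256))
    zeros = 0
    for _ in range(trials):
        rng.shuffle(S)                 # fresh uniform permutation each trial
        zeros += rc4_prga(S, 2)[1] == 0
    return zeros / trials


if __name__ == "__main__":
    print(slide_case_holds())                       # True
    print(round(second_byte_zero_rate(), 4))        # close to 0.0078, not 0.0039
```

A distinguisher that only watches whether the second keystream byte is 0 therefore separates RC4 output from uniform bytes, which is what makes discarding the initial output (as Trivium does on slide 99, and as later RC4 deployments did) a sensible mitigation.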

112. Other Attacks
  Wired Equivalent Privacy (WEP) encryption used RC4 with an initialization vector
  Description of RC4 doesn’t involve an initialization vector… but WEP imposes one: K = IV || K’
  Since IV is transmitted, attacker may have first few bytes of K!
  Giving the attacker partial knowledge of K often allows recovery of the entire key K’ over time!