Recap Random Oracle Model - PowerPoint Presentation

Uploaded by yvonne on 2023-09-06




Presentation Transcript

1. Recap
   - Random Oracle Model
     - Pros (Easier Proofs / More Efficient Protocols / Solid Evidence for Security in Practice)
     - Cons (Strong Assumption)
   - Hashing Applications
   - Block Ciphers, SPNs, Feistel Networks, DES
   - Meet in the Middle, 3DES
   - Building Stream Ciphers
   - Linear Feedback Shift Registers (+ Attacks)
   - RC4 (+ Attacks)
   - Trivium

2. DES Security
   - Best known attack is brute force: 2^56
     - Except under unrealistic conditions (e.g., 2^43 known plaintexts)
   - Brute force is not too difficult on modern hardware
   - Attack can be accelerated further after precomputation
     - Output is a few terabytes
     - Subsequently keys are cracked in 2^38 DES evaluations (minutes)
     - Precomputation costs amortize over the number of DES keys cracked
   - Even in 1970 there were objections to the short key length for DES
   - How could we increase the key length?

3. Double DES
   - Let F_k(x) denote the DES block cipher
   - A new block cipher F' with a key of length 2n can be defined by
   - Can you think of an attack better than brute force?

4. Meet in the Middle Attack
   - Goal: try to find the secret key k in time and space given known plaintext/ciphertext pair(s) (x, ).
   - Solution?
   - Key Observation:
   - Compute and for each potential n-bit key K and store and
   - Sort each list of pairs (by or ) to find K_1 and K_2.

5. Triple DES Variant 1
   - Let F_k(x) denote the DES block cipher
   - A new block cipher F' with a key of length 2n can be defined by
   - Meet-in-the-Middle Attack requires time and space

6. Triple DES Variant 1
   - Let F_k(x) denote the DES block cipher
   - A new block cipher F' with a key of length 3n can be defined by
   - Meet-in-the-Middle Attack requires time and space
   - Allows backward compatibility with DES by setting k_1 = k_2 = k_3

7. Triple DES Variant 2
   - Let F_k(x) denote the DES block cipher
   - A new block cipher F' with a key of length 2n can be defined by
   - Meet-in-the-Middle Attack still requires time and space
   - Key length is still just 112 bits (NIST recommends 128+ bits)
   - Just two keys!
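The meet-in-the-middle attack of slides 3 and 4, as an added worked example (not code from the slides or the course). It uses a constructed 16-bit toy Feistel cipher in place of DES so that the whole key space can be enumerated in seconds: double encryption with two 16-bit keys nominally has a 32-bit key, but the attack recovers both keys with about 2 * 2^16 cipher evaluations and a 2^16-entry table instead of 2^32 trials. The cipher, its key schedule and the plaintexts are all assumptions of this example.

```python
# Added example: meet-in-the-middle key recovery against a toy double
# encryption F'_{k1,k2}(x) = F_{k2}(F_{k1}(x)). The toy cipher is a 4-round
# Feistel network on 16-bit blocks with 16-bit keys, constructed for
# illustration only; it makes no claim to security.

MASK8 = 0xFF


def _round_keys(k):
    # Constructed key schedule: four 8-bit round keys from a 16-bit key.
    hi, lo = (k >> 8) & MASK8, k & MASK8
    return [hi, lo, hi ^ 0x5A, lo ^ 0xA5]


def _round_fn(r, rk):
    # Constructed round function: add, rotate left by 3, XOR (not a real S-box).
    t = (r + rk) & MASK8
    t = ((t << 3) | (t >> 5)) & MASK8
    return t ^ rk


def toy_encrypt(k, x):
    """Encrypt a 16-bit block x under a 16-bit key k (Feistel, 4 rounds)."""
    l, r = (x >> 8) & MASK8, x & MASK8
    for rk in _round_keys(k):
        l, r = r, l ^ _round_fn(r, rk)
    return (l << 8) | r


def toy_decrypt(k, y):
    """Inverse of toy_encrypt: run the rounds backwards."""
    l, r = (y >> 8) & MASK8, y & MASK8
    for rk in reversed(_round_keys(k)):
        l, r = r ^ _round_fn(l, rk), l
    return (l << 8) | r


def double_encrypt(k1, k2, x):
    # The 2n-bit-key construction from the slides: encrypt twice.
    return toy_encrypt(k2, toy_encrypt(k1, x))


def meet_in_the_middle(pairs):
    """Recover every (k1, k2) consistent with the known (plaintext, ciphertext) pairs.

    Step 1: tabulate F_{k1}(x0) for every k1 (2^16 encryptions, 2^16 entries).
    Step 2: for every k2 compute D_{k2}(y0) and look it up in the table.
    Step 3: keep only candidates that also explain the remaining pairs.
    """
    x0, y0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, x0), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        middle = toy_decrypt(k2, y0)
        for k1 in table.get(middle, ()):
            if all(double_encrypt(k1, k2, x) == y for x, y in pairs[1:]):
                candidates.append((k1, k2))
    return candidates


def demo(k1=0xBEEF, k2=0x1234):
    # Constructed known-plaintext pairs; with 16-bit blocks roughly 2^16 wrong
    # pairs collide in the middle on one pair, so two more pairs filter them.
    plaintexts = [0x0000, 0x4D2C, 0xA5F0]
    pairs = [(x, double_encrypt(k1, k2, x)) for x in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

The same structure is what defeats two-key double DES: the table costs 2^56 entries rather than 2^16, but the work is still far below the 2^112 that the key length suggests, which is why the slides move on to triple encryption.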

8. Triple DES Variant 1
   - Standardized in 1999
   - Still widely used, but it is relatively slow (three block cipher operations)
   - Current gold standard: AES

9. Stream Cipher vs PRG
   - PRG: pseudorandom bits output all at once
   - Stream Cipher: pseudorandom bits can be output as a stream
     - RC4, RC5 (Ron's Code)
   - st_0 := Init(s)
   - For i = 1 to : (y_i, st_i) := GetBits(st_{i-1})
   - Output: y_1, …

10. Linear Feedback Shift Register

11. Linear Feedback Shift Register
   - State at time t: (n registers)
   - Feedback Coefficients:

12. Linear Feedback Shift Register
   - State at time t: (n registers)
   - Feedback Coefficients:
   - State at time t+1:
   - Output at time t+1:

13. Linear Feedback Shift Register
   - Observation 1: First n bits of output reveal the initial state
   - Observation 2: Next n bits allow us to solve for n unknowns

14. Linear Feedback Shift Register
   - Observation 1: First n bits of output reveal the initial state
   - Observation 2: Next n bits allow us to solve for n unknowns

15. Linear Feedback Shift Register
   - Observation 2: Next n bits allow us to solve for n unknowns
   - … n unknowns & n linearly independent constraints
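Observations 1 and 2 carried through in code, as an added example that is not part of the slides. The LFSR convention, the 8-register example with its tap positions and the initial state are assumptions of this example: an attacker who sees 2n output bits reads the initial state off the first n bits and solves an n-by-n linear system over GF(2) for the feedback coefficients from the next n, after which the rest of the keystream is predictable.

```python
# Added example: recovering an LFSR from 2n output bits.
# Convention used here: registers s_t .. s_{t+n-1}; the output at each clock
# is the oldest register s_t, and the new bit is
#   s_{t+n} = c_0*s_t ^ c_1*s_{t+1} ^ ... ^ c_{n-1}*s_{t+n-1}.

def lfsr_stream(state, coeffs, nbits):
    """Clock an LFSR: emit the oldest register, shift, feed back the XOR of tapped bits."""
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(s[0])
        fb = 0
        for c, b in zip(coeffs, s):
            fb ^= c & b
        s = s[1:] + [fb]
    return out


def solve_gf2(rows, rhs):
    """Solve A x = b over GF(2); A is an n x n list of 0/1 rows, b a list of n bits."""
    n = len(rows)
    m = [rows[i][:] + [rhs[i]] for i in range(n)]      # augmented matrix
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            raise ValueError("constraints are not linearly independent")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col]:
                m[r] = [a ^ b for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def recover_lfsr(output, n):
    """From 2n consecutive output bits recover (initial state, feedback coefficients)."""
    if len(output) < 2 * n:
        raise ValueError("need at least 2n output bits")
    state = output[:n]                                        # Observation 1
    # Observation 2: output[t+n] = sum_i c_i * output[t+i] for t = 0 .. n-1,
    # i.e. n linear equations in the n unknown coefficients.
    rows = [[output[t + i] for i in range(n)] for t in range(n)]
    rhs = [output[t + n] for t in range(n)]
    coeffs = solve_gf2(rows, rhs)
    return state, coeffs


def demo():
    # Constructed 8-register LFSR with taps at positions 0, 2, 3, 4
    # (characteristic polynomial x^8 + x^4 + x^3 + x^2 + 1, irreducible over GF(2),
    # so the 8 constraints are linearly independent for any non-zero state).
    n = 8
    true_state = [1, 0, 1, 1, 0, 0, 1, 0]
    true_coeffs = [1, 0, 1, 1, 1, 0, 0, 0]
    keystream = lfsr_stream(true_state, true_coeffs, 64)
    # The attacker sees only the first 2n = 16 bits ...
    state, coeffs = recover_lfsr(keystream[:2 * n], n)
    # ... and can then regenerate all 64 (and any number more).
    predicted = lfsr_stream(state, coeffs, 64)
    return state, coeffs, predicted == keystream


if __name__ == "__main__":
    print(demo())
```

If the observed window gives a singular system (for example an all-zero state), `solve_gf2` raises instead of returning a wrong answer; in practice the attacker just slides the window along the keystream.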

16. Removing Linearity
   - Attacks exploited the linear relationship between state and output bits
   - Nonlinear Feedback:  [figure label: non-linear function]

17. Removing Linearity
   - Attacks exploited the linear relationship between state and output bits
   - Nonlinear Combination:  [figure label: non-linear function]
   - Important: f must be balanced!

18. Trivium (2008)
   - Won the eSTREAM competition
   - Currently, no known attacks are better than brute force
   - Couples output from three nonlinear feedback shift registers
   - First 4*288 "output bits" are discarded

19. Trivium (2008)

20. Trivium (2008)  [figure label: AND (non-linear)]

21. Trivium (2008)  [figure label: (non-linear) feedback]
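A bit-level Trivium, added here as an example of the structure the figures on slides 18 to 21 sketch; it is not code from the slides and not the eSTREAM reference implementation. It is written from the published specification as I recall it (three coupled shift registers of 93, 84 and 111 bits, 288 bits of state in total; each register's feedback includes the AND of two adjacent cells, which is the only non-linear operation; 4*288 warm-up clocks whose output is discarded). The byte-to-bit ordering for loading key and IV is an assumption of this example, so check against the official test vectors before relying on it for interoperability.

```python
# Added example: Trivium keystream generation, bit by bit.
# Spec indices are 1-based (s1..s288); the list below is 0-based.

STATE_BITS = 288
WARMUP_CLOCKS = 4 * STATE_BITS      # the 4*288 discarded output bits from slide 18


def _clock(s):
    """One Trivium step. Returns (output_bit, new_state)."""
    t1 = s[65] ^ s[92]                       # s66 + s93
    t2 = s[161] ^ s[176]                     # s162 + s177
    t3 = s[242] ^ s[287]                     # s243 + s288
    z = t1 ^ t2 ^ t3                         # output: linear in the three registers
    t1 ^= (s[90] & s[91]) ^ s[170]           # AND terms: the only non-linearity
    t2 ^= (s[174] & s[175]) ^ s[263]
    t3 ^= (s[285] & s[286]) ^ s[68]
    # Shift each register by one and insert the new feedback bit at its head:
    # register A (93 bits) <- t3, register B (84 bits) <- t1, register C (111 bits) <- t2.
    s = [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287]
    return z, s


def trivium_init(key_bits, iv_bits):
    """Load an 80-bit key and 80-bit IV, then run the warm-up clocks."""
    if len(key_bits) != 80 or len(iv_bits) != 80:
        raise ValueError("Trivium uses an 80-bit key and an 80-bit IV")
    s = list(key_bits) + [0] * 13            # s1..s93:   key, zero padded
    s += list(iv_bits) + [0] * 4             # s94..s177: IV, zero padded
    s += [0] * 108 + [1, 1, 1]               # s178..s288: zeros, last three cells set to 1
    assert len(s) == STATE_BITS
    for _ in range(WARMUP_CLOCKS):           # discard the first 4*288 output bits
        _, s = _clock(s)
    return s


def trivium_keystream(key_bits, iv_bits, nbits):
    s = trivium_init(key_bits, iv_bits)
    out = []
    for _ in range(nbits):
        z, s = _clock(s)
        out.append(z)
    return out


def bytes_to_bits(data):
    # Assumption of this example: least-significant bit of each byte first.
    return [(b >> i) & 1 for b in data for i in range(8)]


if __name__ == "__main__":
    key = bytes_to_bits(bytes(10))           # constructed all-zero key and IV
    iv = bytes_to_bits(bytes(10))
    print("".join(str(b) for b in trivium_keystream(key, iv, 64)))
```

Because every feedback path contains an AND of two neighbouring cells, the keystream is not a linear function of the state, so the 2n-bit recovery that works against a plain LFSR no longer applies; the price is the 1152-clock warm-up that lets the non-linearity spread through all 288 bits before any output is released.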

22. Combination Generator
   - Attacks exploited the linear relationship between state and output bits
   - Nonlinear Combination:  [figure label: non-linear function]
   - Important: f must be balanced!

23. Feedback Shift Registers
   - Good performance in hardware
   - Performance is less ideal for software

24. Cryptography, CS 555, Fall 2018
   Week 7: Hash Functions from Block Ciphers
   - Block Ciphers, AES
   - Stream Ciphers
   - One Way Functions
   - Readings: Katz and Lindell Chapter 6.2.5, 6.3, 7.1-7.4

25. CS 555: Week 7: Topic 1: Block Ciphers (Continued)

26. Hash Functions from Block Ciphers
   - Davies-Meyer Construction from block cipher F:
   - Theorem: If F is modeled as an ideal block cipher then the Davies-Meyer construction is a collision-resistant hash function (Concrete: need roughly queries to find a collision)
   - Ideal Cipher Model: For each key K, model F_K as a truly random permutation which may only be accessed in a black-box manner (equivalent to the Random Oracle Model)

27. Advanced Encryption Standard (AES)
   - (1997) US National Institute of Standards and Technology (NIST) announces a competition for a new block cipher to replace DES
   - Fifteen algorithms were submitted from all over the world
     - Analyzed by NIST
     - Contestants given a chance to break competitors' schemes
   - October 2000: NIST announces a winner, Rijndael
     - Vincent Rijmen and Joan Daemen
     - No serious vulnerabilities found in the four other finalists
     - Rijndael was selected for efficiency, hardware performance, flexibility etc.

28. Advanced Encryption Standard
   - Block Size: 128 bits (viewed as a 4x4 byte array)
   - Key Size: 128, 192 or 256
   - Essentially a Substitution Permutation Network
     - AddRoundKey: Generate a 128-bit sub-key from the master key, XOR with the current state
     - SubBytes: Each byte of the state array (16 bytes) is replaced by another byte according to a single S-box (lookup table)
     - ShiftRows: shift the ith row by i bytes
     - MixColumns: permute the bits in each column

29. Substitution Permutation Networks
   - S-box: a public "substitution function" (e.g., ).
   - S is not part of a secret key, but can be used with one
   - Input to round: x, k (k is the subkey for the current round)
     - Key Mixing: Set
     - Substitution:
     - Bit Mixing Permutation: permute the bits of x to obtain the round output
   - Note: there are only n! possible bit mixing permutations of [n] as opposed to (2^n)! permutations of {0,1}^n

30. Substitution Permutation Networks
   - Proposition 6.3: Let F be a keyed function defined by a Substitution Permutation Network. Then for any keys/number of rounds F_k is a permutation.
   - Why? Composing permutations f, g results in another permutation h(x) = g(f(x)).

31. Advanced Encryption Standard
   - Block Size: 128 bits
   - Key Size: 128, 192 or 256
   - Essentially a Substitution Permutation Network
     - AddRoundKey: Generate a 128-bit sub-key from the master key, XOR with the current state array  [Key Mixing]
     - SubBytes: Each byte of the state array (16 bytes) is replaced by another byte according to a single S-box (lookup table)  [Substitution]
     - ShiftRows  [Permutation]
     - MixColumns  [Permutation]

32. AddRoundKey (worked example, first row of the state shown)
   State:                11110000 01100010 … 00110000 … 11111111 …
   Round Key (16 Bytes): 00001111 10100011 … 11001100 … 01111111 …
   State XOR Round Key:  11111111 11000001 … 11111100 … 10000000 …

33. SubBytes (apply the S-box to every byte)
   After AddRoundKey:    11111111 11000001 … 11111100 … 10000000 …
   After SubBytes:       S(11111111) S(11000001) S(…) S(11111100) S(…) S(10000000) S(…)

34. ShiftRows
   Before: S(11111111) S(11000001) S(…) S(11111100) S(…) S(10000000) S(…)
   After:  S(11111111) S(11000001) S(…) S(…) S(11111100) S(…) S(10000000)

35. MixColumns
   - Invertible (linear) transformation.
   - Key property: if the inputs differ in b > 0 bytes then the outputs differ in at least 5 - b bytes.

36. AES
   - We just described one round of the SPN
   - AES uses 10 rounds (with 128-bit key), 12 rounds (with 192-bit key), 14 rounds (with 256-bit key)
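The round structure of slides 28 to 36 written out as a compact AES-128, added here as an example; it is not code from the slides and not the AES reference implementation. The S-box is computed from its definition (inverse in GF(2^8) followed by the affine map) rather than typed in as a table, `mix_columns_output_diff` checks the slide 35 diffusion property (inputs differing in b > 0 bytes give outputs differing in at least 5 - b bytes), and `davies_meyer` shows the slide 26 compression function H(h, m) = F_m(h) XOR h instantiated with AES as F. The state is kept as a flat list of 16 bytes in column-major order (index r + 4*c is row r, column c), which matches the FIPS-197 layout.

```python
# Added example: AES-128 from the four round operations, plus the MixColumns
# diffusion check and a Davies-Meyer compression step built on it.

def _xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _sbox_entry(a):
    # S-box = multiplicative inverse (0 maps to 0) followed by the AES affine map.
    inv = next(b for b in range(256) if _gf_mul(a, b) == 1) if a else 0
    s = inv
    for i in range(1, 5):                     # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(a) for a in range(256)]


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def add_round_key(state, rk):
    return [a ^ b for a, b in zip(state, rk)]


def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    # Row r is rotated left by r bytes (slide 28: "shift the ith row by i bytes").
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state):
    # Each column is multiplied by the fixed circulant matrix (2 3 1 1) in GF(2^8).
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gf_mul(a[r], 2) ^ _gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out


def aes128_encrypt_block(key, block):
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for rnd in range(1, 10):                               # nine full rounds ...
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[rnd])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])   # ... final round has no MixColumns
    return bytes(s)


def mix_columns_output_diff(col_a, col_b):
    """Number of output bytes in which MixColumns of two 4-byte columns differ."""
    pad = [0] * 12
    ma, mb = mix_columns(list(col_a) + pad), mix_columns(list(col_b) + pad)
    return sum(1 for x, y in zip(ma[:4], mb[:4]) if x != y)


def davies_meyer(h, m):
    """One Davies-Meyer compression step: H(h, m) = AES_m(h) XOR h (16-byte h and m)."""
    return bytes(x ^ y for x, y in zip(aes128_encrypt_block(m, h), h))


if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 Appendix C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())
```

Encrypt-only is deliberate: the point is to trace one round against the slide figures, and for real use a vetted library implementation with constant-time S-box handling is the right choice (the timing attack on slide 39 is exactly what a table lookup like `SBOX[b]` invites).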

37. Announcements
   - Homework 2 Solutions Posted (See Piazza).
     - Please read through carefully and make sure you understand the solutions to each problem.
   - Grading in progress
   - No Class on Tuesday (October Break)
   - Look for Practice Midterm Next Week

38. Recap
   - 2DES, Meet in the Middle Attack
   - 3DES
   - Stream Ciphers
   - Breaking Linear Feedback Shift Registers
   - Trivium
   - AES

39. AES Attacks?
   - Side channel attacks affect a few specific implementations
     - But this is not a weakness of AES itself
     - Timing attack on OpenSSL's implementation of AES encryption (2005, Bernstein)
   - (2009) Related-Key Attack on an 11-round version of AES
     - Related Key Attack: Attacker convinces Alice to use two related (but unknown) keys
     - Recovers 256-bit key in time 2^70
     - But AES is 14 rounds (with 256-bit key) so the attack doesn't apply in practice
   - (2009) Related Key Attack on 192-bit and 256-bit versions of AES
     - Recovers 256-bit key in time 2^99.5
   - (2011) Key Recovery attack on AES-128 in time 2^126.2
     - Improved to 2^126.0 for AES-128, 2^189.9 for AES-192 and 2^254.3 for AES-256
   - First public cipher approved by NSA for Top Secret information
     - SECRET level (AES-128, AES-192 & AES-256), TOP SECRET level (AES-128, AES-192 & AES-256)

40. NIST Recommendations
   - Recommendations from Other Groups (Including NIST): www.keylength.com
   - OK to use for HMAC, Key Derivation and as PRG
   - OK as CRHF and in Digital Signatures
   - 80-bit security is no longer acceptable

41. Linear Cryptanalysis
   - Definition: Fixed sets of input bits and output bits are said to have -linear bias if the following holds (randomness taken over the selection of input x and secret key K)

42. Linear Cryptanalysis
   - Definition: Fixed sets of input bits and output bits are said to have -linear bias if the following holds (randomness taken over the selection of input x and secret key K)
   - Matsui: DES can be broken with just known plaintext/ciphertext pairs.
   - Lots of examples needed! But the examples do not need to be chosen plaintext/ciphertext pairs…
   - One encrypted file can provide a large amount of known plaintext

43. Differential Cryptanalysis
   - Definition: We say that the differential occurs with probability in the keyed block cipher if
   - Can lead to efficient (round) key recovery attacks
   - Exploiting the weakness requires well over chosen plaintext-ciphertext pairs
   - Differentials in the S-box can lead to (weaker) differentials in the SPN.
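The two definitions above, measured on a single S-box rather than a whole keyed cipher, as an added example that is not part of the slides. For a mask pair (a, b) the linear bias is Pr[a·x = b·S(x)] - 1/2 over uniform x, and for a difference pair (dx, dy) the differential probability is Pr[S(x) XOR S(x XOR dx) = dy]; tabulating them for every pair gives the linear approximation table and difference distribution table that an SPN designer checks before choosing an S-box. The S-box used is the public 4-bit PRESENT S-box (an assumption of this example; any 4-bit table can be substituted).

```python
# Added example: linear biases and differential probabilities of a 4-bit S-box.

# PRESENT S-box (4-bit permutation), indexed by input nibble.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def _parity(v):
    # Parity of the bits of v, i.e. the dot product a.x reduced mod 2.
    return bin(v).count("1") & 1


def linear_bias(sbox, in_mask, out_mask):
    """Bias of the approximation in_mask.x = out_mask.S(x); lies in [-1/2, 1/2]."""
    n = len(sbox)
    agree = sum(1 for x in range(n)
                if _parity(x & in_mask) == _parity(sbox[x] & out_mask))
    return agree / n - 0.5


def differential_probability(sbox, dx, dy):
    """Pr over uniform x that S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    hits = sum(1 for x in range(n) if sbox[x] ^ sbox[x ^ dx] == dy)
    return hits / n


def linear_approximation_table(sbox):
    n = len(sbox)
    return [[linear_bias(sbox, a, b) for b in range(n)] for a in range(n)]


def difference_distribution_table(sbox):
    n = len(sbox)
    return [[differential_probability(sbox, dx, dy) for dy in range(n)]
            for dx in range(n)]


def worst_case(sbox):
    """Largest |bias| over non-trivial mask pairs and largest differential
    probability over non-zero input differences: the numbers an attacker
    would chain across rounds, so the designer wants both small."""
    n = len(sbox)
    lat = linear_approximation_table(sbox)
    ddt = difference_distribution_table(sbox)
    max_bias = max(abs(lat[a][b]) for a in range(1, n) for b in range(1, n))
    max_dp = max(ddt[dx][dy] for dx in range(1, n) for dy in range(n))
    return max_bias, max_dp


if __name__ == "__main__":
    bias, dp = worst_case(PRESENT_SBOX)
    print("max |linear bias| =", bias, " max differential probability =", dp)
```

The trivial entries are worth knowing when reading such tables: mask pair (0, 0) always has bias 1/2, a zero input mask with a non-zero output mask has bias 0 for any permutation, and for a permutation a non-zero input difference can never produce output difference 0.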

44. CS 555: Week 8: Topic 1: One Way Functions
   - What are the minimal assumptions necessary for symmetric-key cryptography?

45. One-Way Functions (OWFs)
   - Definition: A function f is one way if it is
     - (Easy to compute) There is a polynomial time algorithm (in |x|) for computing f(x).
     - (Hard to Invert) Select x uniformly at random and give the attacker input 1^n, f(x). The probability that a PPT attacker outputs x' such that f(x') = f(x) is negligible.

46. One-Way Functions (OWFs)
   - Key Takeaway: One-Way Functions are a necessary and sufficient assumption for most of symmetric key cryptography.
   - From OWFs we can construct PRGs, PRFs, Authenticated Encryption
   - From the eavesdropping-secure encryption (weakest) notion we can construct OWFs

47. One-Way Functions (OWFs)
   - Remarks:
     - A function that is not one-way is not necessarily always easy to invert (even often)
     - Any such function can be inverted in time 2^n (brute force)
     - Length-preserving OWF: |f(x)| = |x|
     - One way permutation: Length-preserving + one-to-one

48. One-Way Functions (OWFs)
   - Remarks:
     - f(x) does not necessarily hide all information about x.
     - If f(x) is one way then so is

49. One-Way Functions (OWFs)
   - Remarks:
     - Actually we usually consider a family of one-way functions

50. Candidate One-Way Functions (Subset Sum Problem is NP-Complete)
   - Note: and

51. Candidate One-Way Functions (Subset Sum Problem is NP-Complete)
   - Question: Does imply this is a OWF?
   - Answer: No! only implies that any polynomial-time algorithm fails to solve "some instance" of subset sum. By contrast, we require that a PPT attacker fails to solve "almost all instances" of subset sum.

52. Candidate One-Way Functions (OWFs)
   - (Discrete Logarithm Problem)
   - Note: The existence of OWFs implies so we cannot be absolutely certain that they do exist.

53. How to Build a PRG with One-Way Functions?

54. Hard Core Predicates
   - Recall that a one-way function f may potentially reveal lots of information about its input
   - Example: f(x_1, x_2) = (x_1, g(x_2)), where g is a one-way function.
   - Claim: f is one-way (even if f(x_1, x_2) reveals half of the input bits!)

55. Hard Core Predicates
   - Definition: A predicate hc is called a hard-core predicate of a function f if
     - (Easy to Compute) hc can be computed in polynomial time
     - (Hard to Guess) For all PPT attackers A there is a negligible function negl such that we have

56. Attempt 1: Hard-Core Predicate
   - Consider the predicate
   - Hope: hc is a hard-core predicate for any OWF.
   - Counter-example: f(x) = (g(x), )

57. Trivial Hard-Core Predicate
   - Consider the function f(x_1, …, x_n) = x_1, …, x_{n-1}
   - f has a trivial hard-core predicate
   - Not useful for crypto applications (e.g., f is not a OWF)

58. Attempt 3: Hard-Core Predicate
   - Consider the predicate (the bits , …, will be selected uniformly at random)
   - Goldreich-Levin Theorem: (Assume OWFs exist) For any OWF f, hc is a hard-core predicate of g(x, r) = (f(x), r).

59. Using Hard-Core Predicates
   - Theorem: Given a one-way permutation f and a hard-core predicate hc we can construct a PRG G with expansion factor
   - Construction:
   - Intuition:
     - f(s) is actually uniformly distributed: s is random and f is a permutation
     - The last bit is hard to predict given f(s) (since hc is hard-core for f)

60. Arbitrary Expansion
   - Theorem: Suppose that there is a PRG G with expansion factor. Then for any polynomial p(.) there is a PRG with expansion factor p(n).
   - Construction:
     - G(x) = y||b (n+1 bits)
     - G_1(x) = G(y)||b (n+2 bits)
     - G_{i+1}(x) = G_i(y)||b where G_i(x) = y||b (n+2 bits)

61. And Beyond…
   - Theorem: Suppose that there is a PRG G with expansion factor. Then for any polynomial p(.) there is a PRG with expansion factor p(n).
   - Theorem: Suppose that there is a PRG G with expansion factor. Then there is a secure PRF.
   - Theorem: Suppose that there is a secure PRF. Then there is a strong pseudorandom permutation.

62. And Beyond…
   - Corollary: If one-way functions exist then PRGs, PRFs and strong PRPs all exist.
   - Corollary: If one-way functions exist then there exist CCA-secure encryption schemes and secure MACs.

63. PRFs from PRGs
   - Theorem: Suppose that there is a PRG G with expansion factor. Then there is a secure PRF.
   - Let G(x) = G_0(x)||G_1(x) (first/last n bits of output)

64. PRFs from PRGs
   - Theorem: Suppose that there is a PRG G with expansion factor. Then there is a secure PRF.
   - [tree figure: root k; children G_0(k), G_1(k); grandchildren G_0(G_0(k)), G_1(G_0(k)), …, G_0(G_1(k)), G_1(G_1(k)); leaves labelled 000, 001, …, 111]
   - F_k(011) = G_1(G_1(G_0(k)))
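The constructions of slide 60 (iterated expansion) and slides 63 and 64 (the PRF tree), together with the stream-cipher interface of slide 9, in one added example that is not code from the slides. A length-doubling PRG G: {0,1}^256 -> {0,1}^512, split as G(x) = G_0(x) || G_1(x), is needed as the building block; as a stand-in this example uses SHA-512 of the seed via `hashlib`, which is an assumption of the example (a hash is not a PRG by definition, it merely behaves like one in practice), not something the slides assert. `stretch` generalises the slide 60 construction from one extra bit per step to one block per step, and `ggm_prf` is the tree walk, so that F_k(011) = G_1(G_1(G_0(k))) as on slide 64.

```python
# Added example: PRG expansion, the GGM PRF tree and the stream-cipher
# interface, all driven by one length-doubling PRG stand-in.
import hashlib

SEED_BYTES = 32


def G(x):
    """Length-doubling PRG stand-in: 32-byte seed -> 64 bytes (assumption: SHA-512)."""
    if len(x) != SEED_BYTES:
        raise ValueError("seed must be %d bytes" % SEED_BYTES)
    return hashlib.sha512(x).digest()


def G0(x):
    return G(x)[:SEED_BYTES]        # first half of G(x)


def G1(x):
    return G(x)[SEED_BYTES:]        # second half of G(x)


def stretch(seed, nbytes):
    """Slide 60, block version: G(s) = y || z; output z, continue from y, repeat."""
    out = bytearray()
    s = seed
    while len(out) < nbytes:
        y, z = G0(s), G1(s)
        out += z
        s = y
    return bytes(out[:nbytes])


def ggm_prf(key, input_bits):
    """Slides 63-64: from the root key, take G_0 on a 0 bit and G_1 on a 1 bit."""
    node = key
    for bit in input_bits:
        if bit not in "01":
            raise ValueError("input must be a string of 0/1 characters")
        node = G1(node) if bit == "1" else G0(node)
    return node


def stream_cipher_blocks(seed, nblocks):
    """Slide 9 interface: st_0 := Init(s); (y_i, st_i) := GetBits(st_{i-1})."""
    st = seed                       # Init(s)
    ys = []
    for _ in range(nblocks):
        y, st = G1(st), G0(st)      # GetBits(st_{i-1}): emit one half, keep the other as state
        ys.append(y)
    return ys


if __name__ == "__main__":
    k = bytes(SEED_BYTES)           # constructed all-zero key
    print(ggm_prf(k, "011").hex())
```

Two properties of the tree are visible in the code: evaluating F_k on an m-bit input costs m PRG calls regardless of how large the input space is, and two inputs that share a prefix share the corresponding subtree, which is exactly what the hybrid argument on the following slides replaces level by level with random values.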

65. PRFs from PRGs
   - Theorem: Suppose that there is a PRG G with expansion factor. Then there is a secure PRF.
   - Proof:
   - Claim 1: For any t(n) and any PPT attacker A we have

66. PRFs from PRGs
   - Claim 1: For any t(n) and any PPT attacker A we have
   - Proof by Triangle Inequality: Fix j
   - This difference is negligible by PRG security (just replaced

67. PRFs from PRGs
   - Claim 1: For any t(n) and any PPT attacker A we have
   - Proof

68. PRFs from PRGs
   - Claim 1: For any t(n) and any PPT attacker A we have
   - Proof
   - (QED, Claim 1)

69. Hybrid H_1
   - [tree figure: root r; children r_0, r_1 (random); grandchildren G_0(r_0), G_1(r_0), …, G_0(r_1), G_1(r_1); leaves labelled 000, 001, …, 111]

70. Hybrid H_1 vs H_2
   - Claim 1: For any t(n) and any PPT attacker A we have
   - Claim 2: An attacker who makes t(n) queries to F_k (or f) cannot distinguish H_2 from the real game (except with negligible probability).
   - Proof Intuition: Follows by Claim 1

71. Hybrid H_2
   - Claim 1: For any t(n) and any PPT attacker A we have
   - Claim 2: An attacker who makes t(n) queries to F_k (or f) cannot distinguish H_2 from the real game (except with negligible probability).
   - Similarly, the attacker cannot distinguish H_2 from H_3, etc…
   - The attacker cannot distinguish F_k from f (triangle inequality)

72. From OWFs (Recap)
   - Theorem: Suppose that there is a PRG G with expansion factor. Then for any polynomial p(.) there is a PRG with expansion factor p(n).
   - Theorem: Suppose that there is a PRG G with expansion factor. Then there is a secure PRF.
   - Theorem: Suppose that there is a secure PRF. Then there is a strong pseudorandom permutation.

73. From OWFs (Recap)
   - Corollary: If one-way functions exist then PRGs, PRFs and strong PRPs all exist.
   - Corollary: If one-way functions exist then there exist CCA-secure encryption schemes and secure MACs.

74. Are OWFs Necessary for Private Key Crypto?
   - Previous results show that OWFs are sufficient.
   - Can we build private key crypto from weaker assumptions?
   - Short Answer: No, OWFs are also necessary for most private-key crypto primitives

75. PRGs ⇒ OWFs
   - Proposition 7.28: If PRGs exist then so do OWFs.
   - Proof: Let G be a secure PRG with expansion factor
   - Question: why can we assume that we have a PRG with expansion 2n?
   - Answer: Last class we showed that a PRG with expansion factor implies the existence of a PRG with expansion p(n) for any polynomial.

76. PRGs ⇒ OWFs
   - Proposition 7.28: If PRGs exist then so do OWFs.
   - Proof: Let G be a secure PRG with expansion factor
   - Claim: G is also a OWF!
     - (Easy to Compute?) ✓
     - (Hard to Invert?) Intuition: If we can invert G(x) then we can distinguish G(x) from a random string.

77. PRGs ⇒ OWFs
   - Proposition 7.28: If PRGs exist then so do OWFs.
   - Proof: Let G be a secure PRG with expansion factor
   - Claim 1: Any PPT A, given G(s), cannot find s except with negligible probability.
   - Reduction: Assume (for contradiction) that A can invert G(s) with non-negligible probability p(n).
   - Distinguisher D(y): Simulate A(y). Output 1 if and only if A(y) outputs x s.t. G(x) = y.

78. PRGs ⇒ OWFs
   - Proposition 7.28: If PRGs exist then so do OWFs.
   - Proof: Let G be a secure PRG with expansion factor
   - Claim 1: Any PPT A, given G(s), cannot find s except with negligible probability.
   - Intuition for Reduction: If we can find x s.t. G(x) = y then y is not random.
   - Fact: Select a random 2n-bit string y. Then (whp) there does not exist x such that G(x) = y.
   - Why not?

79. PRGs ⇒ OWFs
   - Proposition 7.28: If PRGs exist then so do OWFs.
   - Proof: Let G be a secure PRG with expansion factor
   - Claim 1: Any PPT A, given G(s), cannot find s except with negligible probability.
   - Intuition: If we can invert G(x) then we can distinguish G(x) from a random string.
   - Fact: Select a random 2n-bit string y. Then (whp) there does not exist x such that G(x) = y.
   - Why not? Simple counting argument: 2^{2n} possible y's and 2^n x's. The probability that such an x exists is at most 2^{-n} (for a random y)

80. What other assumptions imply OWFs?
   - PRGs ⇒ OWFs
   - (Easy Extension) PRFs ⇒ PRGs ⇒ OWFs
   - Does a secure crypto scheme imply OWFs?
     - CCA-secure? (Strongest)
     - CPA-secure? (Weaker)
     - EAV-secure? (Weakest) As long as the plaintext is longer than the secret key
     - Perfect Secrecy? X (Guarantee is information theoretic)

81. EAV-Secure Crypto ⇒ OWFs
   - Proposition 7.29: If there exists an EAV-secure private-key encryption scheme that encrypts messages twice as long as its key, then a one-way function exists.
   - Recap: EAV-secure. Attacker picks two plaintexts m_0, m_1 and is given c = Enc_K(m_b) for a random bit b.
     - Attacker attempts to guess b.
     - No ability to request additional encryptions (chosen-plaintext attacks)
     - In fact, no ability to observe any additional encryptions

82. EAV-Secure Crypto ⇒ OWFs
   - Proposition 7.29: If there exists an EAV-secure private-key encryption scheme that encrypts messages twice as long as its key, then a one-way function exists.
   - Reduction: Input: 4n bits (for simplicity assume that Enc_k accepts n bits of randomness)
   - Claim: f is a OWF

83. EAV-Secure Crypto ⇒ OWFs
   - Proposition 7.29: If there exists an EAV-secure private-key encryption scheme that encrypts messages twice as long as its key, then a one-way function exists.
   - Reduction: Claim: f is a OWF
   - Reduction: If attacker A can invert f, then attacker A' can break EAV-security as follows. Given c = Enc_k(m_b; r) run A(c0). If A outputs (m', k', r') such that 0 then output 0; otherwise 1.

84. MACs ⇒ OWFs
   - In particular, given a MAC that satisfies MAC security (Definition 4.2) against an attacker who sees an arbitrary (polynomial) number of message/tag pairs.
   - Conclusions: OWFs are necessary and sufficient for all (non-trivial) private key cryptography. OWFs are a minimal assumption for private-key crypto.
   - Public Key Crypto/Hashing?
     - OWFs are known to be necessary
     - Not known (or believed) to be sufficient.

85. Computational Indistinguishability
   - Consider two distributions X and (e.g., over strings of length ).
   - Let D be a distinguisher that attempts to guess whether a string s came from distribution X or .
   - The advantage of a distinguisher D is
   - Definition: We say that ensembles of distributions and are computationally indistinguishable if for all PPT distinguishers D there is a negligible function negl(n) such that we have