Understanding Block Ciphers in Cryptography

cryptography block ciphers l.w
1 / 57
Embed
Share

Delve into the realm of block ciphers, essential cryptographic tools used for securing data. Explore the history of DES, Feistel networks, key expansion, round functions, performance comparisons between stream and block ciphers, and the core concepts behind block ciphers like DES and AES.

  • Cryptography
  • Block Ciphers
  • Data Encryption
  • Feistel Networks
  • AES
rayaanacharya
dall717 Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Cryptography: Block Ciphers Edward J. Schwartz Carnegie Mellon University Credits: Slides originally designed by David Brumley. Many other slides are from Dan Boneh s June 2012 Coursera crypto class.

  2. What is a block cipher? Block ciphers are the crypto work horse n bits n bits Block of plaintext E, D Block of ciphertext Key k bits Canonical examples: 1. 3DES: 2. AES: n = 64 bits, n = 128 bits, k = 168 bits k = 128, 192, 256 bits 2

  3. Block ciphers built by iteration key k key expansion key k1 key k2 key k3 key kn m1 m2 m3 m m c c R(k1, ) R(k2, ) R(k3, ) R(kn, ) R(k, m) is called a round function Ex: 3DES (n=48), AES128 (n=10) 3

  4. Performance: Stream vs. block ciphers Crypto++ 5.6.0 [Wei Dai] AMD Opteron, 2.2 GHz (Linux) Cipher RC4 Salsa20/12 Sosemanuk Block/key size Throughput [MB/s] 126 643 727 Stream 3DES AES128 64/168 128/128 13 109 Block 4

  5. Block ciphers The Data Encryption Standard (DES) 5

  6. History of DES 1970s: Horst Feistel designs Lucifer at IBM key = 128 bits, block = 128 bits 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as federal standard key = 56 bits, block = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES. AES currently widely deployed in banking, commerce and Web 6

  7. DES: core idea Feistel network Given one-way functions Goal: build invertible function n-bits R0 R1 R2 Rd-1 Rd f1 f2 fd n-bits L0 L1 L2 Ld-1 Ld output input In symbols: 7

  8. Feistel network - inverse Claim: Feistel function F is invertible Proof: construct inverse Ri Ri+1 Ri+1 Ri inverse fi+1 fi+1 Li Li+1 Li+1 Li 8

  9. Decryption circuit n-bits Rd Rd-1 Rd-2 R1 R0 fd fd-1 f1 n-bits Ld Ld-1 Ld-2 L1 L0 Inversion is basically the same circuit, with f1, , fdapplied in reverse order General method for building invertible functions (block ciphers) from arbitrary functions. Used in many block ciphers but not AES 9

  10. Recall from Last Time: Block Ciphers are (Modeled As) PRPs Pseudo Random Permutation (PRP) defined over (K,X) such that: 1. Exists efficient deterministic algorithm to evaluate E(k,x) 2. The function E(k, ) is one-to-one 3. Exists efficient inversion algorithm D(k,y) E(k, ), k K X X D(k, ), k K 10

  11. Luby-Rackoff Theorem (1985) is a secure PRF 3-round Feistel is a secure PRP n-bits R0 R1 R3 R2 f f f n-bits input L0 L1 L3 L2 output 11

  12. DES: 16 round Feistel network 56 bits key k 48 bits key expansion key k1 key k16 key k2 R0 R1 R2 R15 R16 64 bits 64 bits IP IP-1 f1 f2 f16 L0 L1 L2 L15 L16 16 round Feistel network To invert, use keys in reverse order 12

  13. The function F(ki, x) 32 bits x ki 48 bits E 48 bits x 48 bits 6 S4 6 S1 6 S2 6 S3 6 S5 6 S6 6 S7 6 S8 4 4 4 4 4 4 4 4 32 bits S-box: function {0,1}6 {0,1}4, implemented as lookup table. P 32 bits y 13

  14. The S-boxes e.g., 011011 1001 14

  15. The S-boxes Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington. They came back and were all different. 1990: (Re-)Discovery of differential cryptanalysis DES S-boxes resistant to differential cryptanalysis! Both IBM and NSA knew of attacks, but they were classified 15

  16. Block cipher attacks 16

  17. Exhaustive Search for block cipher key Goal: given a few input output pairs (mi, ci = E(k, mi)) i=1,..,n find key k. Attack: Brute force to find the key k. Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs? 17

  18. DES challenge msg = The unknown messages is:XXXXXXXX CT = c1 c2 c3 c4 Goal: find k {0,1}56 s.t. DES(k, mi) = ci for i=1,2,3 Proof: Reveal DES-1(k, c4) 1976 DES adopted as federal standard 1997 Distributed search 1998 EFF deep crack 1999 Distributed search 2006 COPACOBANA (120 FPGAs) 3 months 3 days 22 hours 7 days $250,000 $10,000 56-bit ciphers should not be used (128-bit key 272 days) 18

  19. Strengthening DES Method 1: Triple-DES Let E : K M M be a block cipher Define 3E: K3 M M as: 3E( (k1,k2,k3), m) = E(k1, D(k2, E(k3, m) ) ) 3DES k1 = k2 = k3 => DES - Key-size: 3 56 = 168 bits - 3 slower than DES - Simple attack in time: 2118 19

  20. Why not 2DES? Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) ) key-len = 112 bits for 2DES E(k2, ) E(k1, ) c m Na ve Attack: M = (m1, , m10), C = (c1, ,c10). For each k2 {0,1}56: For each k1 {0,1}56: if E(k2, E(k1, mi)) = ci then (k2, k1) k2 k1 2112 checks c = c? m c c' 20

  21. Meet in the middle attack Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) ) key-len = 112 bits for 2DES E(k2, ) E(k1, ) c m m c' c c Idea: key found when c = c : E(ki, m) = D(kj, c) 21

  22. Meet in the middle attack Define 2E( (k1,k2), m) = E(k1 , E(k2 , m) ) key-len = 112 bits for 2DES E(k2, ) E(k1, ) c m Attack: M = (m1, , m10) , C = (c1, ,c10). step 1: build table. sort on 2nd column maps c to k2 k0= 00 00 k1= 00 01 k2= 00 10 kN= 11 11 E(k0 , M) E(k1 , M) E(k2 , M) E(kN , M) 256 entries 22

  23. Meet in the middle attack E(k2, ) E(k1, ) c m k0= 00 00 k1= 00 01 k2= 00 10 kN= 11 11 E(k0 , M) E(k1 , M) E(k2 , M) E(kN , M) M = (m1, , m10) , C = (c1, ,c10) step 1: build table. Step 2: for each k {0,1}56: test if D(k, c) is in 2nd column. if so then E(ki,M) = D(k,C) (ki,k) = (k2,k1) 23

  24. Meet in the middle attack E(k2, ) E(k1, ) c m Time = 256log(256) + 256 log(256) < 263 << 2112 [Build & Sort Table] [Search Entries] Space 256 [Table Size] Same attack on 3DES: Time = 2118 , Space 256 E(k3, ) E(k2, ) E(k1, ) m c 24

  25. Method 2: DESX E : K {0,1}n {0,1}n a block cipher Define EX as EX(k1, k2, k3, m) = k1 E(k2, m k3 ) For DESX: key-len = 64+56+64 = 184 bits but easy attack in time 264+56 = 2120 Note: k1 E(k2, m) and E(k2, m k1) does nothing! 25

  26. Attacks on the implementation 1. Side channel attacks: Measure time to do enc/dec, measure power for enc/dec 16 rounds [Kocher, Jaffe, Jun, 1998] Card is doing DES smartcard IP IP-1 2. Fault attacks: Computing errors in the last round expose the secret key k never implement crypto primitives yourself 26

  27. Block ciphers AES Advanced encryption standard 27

  28. The AES process 1997: DES broken by exhaustive search 1997: NIST publishes request for proposal 1998: 15 submissions 1999: NIST chooses 5 finalists 2000: NIST chooses Rijndael as AES (developed by Daemen and Rijmen at K.U. Leuven, Belgium) Key sizes: 128, 192, 256 bits Block size: 128 bits 28

  29. AES core idea: Subs-Perm network DES is based on Feistel networks AES is based on the idea of substitution-permutation networks That is, alternating steps of substitution and permutation operations 29

  30. AES: Subs-Perm network k1 k2 kn S1 S1 S1 S2 S2 S2 S3 S3 S3 output input S8 S8 S8 subs. layer perm. layer inversion 30

  31. AES128 schematic 10 rounds 4 (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow (3) MixColumn (1) ByteSub (2) ShiftRow input 4 k0 k1 k2 k9 4 k10 output 4 4 4 key Key expansion: 16 bytes 176 bytes 31

  32. The round function ByteSub: a 1 byte S-box. 256 byte table (easily computable) ShiftRows: s0,0 s0,1 s0,2 s0,3 s0,0 s0,1 s0,2 s0,3 s1,0 s1,1 s1,2 s1,3 s1,1 s1,2 s1,3 s1,0 s2,0 s2,1 s2,2 s2,3 s2,2 s2,3 s2,0 s2,1 s3,0 s3,1 s3,2 s3,3 s3,3 s3,0 s3,1 s3,2 MixColumns: MixColumns() s0,1 s0,c s1,c s2,c s3,c s 0,1 s 0,c s 1,c s 2,c s 3,c s0,0 s0,2 s0,3 s 0,0 s 0,2 s 0,3 s1,0 s1,1 s1,2 s1,3 s 1,0 s 1,1 s 1,2 s 1,3 s2,0 s2,1 s2,2 s2,3 s 2,0 s 2,1 s 2,2 s 2,3 s3,0 s3,1 s3,2 s3,3 s 3,0 s 3,1 s 3,2 s 3,3 32

  33. Code size/performance tradeoff Code size Performance Pre-compute round functions (24KB or 4KB) Pre-compute S-box only (256 bytes) No pre- computation fastest: table lookups and xors largest smaller slower smallest slowest 33

  34. Size + performance (Javascript AES) AES in the browser AES library (6.4KB) No pre-computed tables (1) Uncompress code (one time effort) (2) Pre-compute tables (one time effort) (3) Perform encryption using tables Implementation: Stanford Javascript Crypto Library https://crypto.stanford.edu/sjcl/ 34

  35. Modes of operation 36

  36. Electronic Code Book (ECB) Mode PT: m1 m2 m3 m4 m5 mn E(k, mi) CT: c1 c2 c3 c4 c5 cn Problem: m1 = m2 c1 = c2 37

  37. What can possibly go wrong? Plaintext Ciphertext Images from Wikipedia 38

  38. Semantic security for ECB mode ECB is not semantically secure for messages that contain more than one block Two blocks m0= Hello World m1= Hello Hello Challenger Adversary A k K (c1, c2) E(k,mb) if c1 = c2 output 1 else output 0 AdvSS[A,ECB] = 1 39

  39. Deterministic counter mode from a PRF F: EDETCTR(k,m) = m[0] m[1] m[2] m[L] F(k,0) F(k,1) F(k,2) F(k,L) c[0] c[1] c[2] c[L] Stream cipher built from a PRF (e.g. AES, 3DES) Better than ECB but only works as long as the key is only used once (one-time-key) 40

  40. Semantic security under CPA Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) m0, m0 M C0 E(k,m) m0, m1 M Cb E(k,mb) Challenger Adversary A k K if cb = c0 output 0 else output 1 Encryption modes must be randomized or use a nonce (or are vulnerable to CPA) 42

  41. Semantic security under CPA Modes that return the same ciphertext (e.g., ECB, CTR) for the same plaintext are not semantically secure under a chosen plaintext attack (CPA) (many-time-key) Two solutions: 1. Randomized encryption Encrypting the same msg twice gives different ciphertexts (w.h.p.) Ciphertext must be longer than plaintext 2. Nonce-based encryption 43

  42. Nonce-based encryption Nonce n: a value that changes for each msg. E(k,m,n) / D(k,c,n) E(k,m,n) = c E(k,c,n) = m c,n m,n E D k k (k,n) pair never used more than once 44

  43. Nonce-based encryption Method 1: Nonce is a counter Used when encryptor keeps state from msg to msg If decryptor has same state, nonce need not be transmitted (i.e., len(PT) = len(CT)) Method 2: Sender chooses a random nonce No state required but nonce has to be transmitted with CT 45

  44. Cipher block chaining mode (CBC) Let(E,D) be a PRP. ECBC(k,m): chose random IV X and do: IV m[0] m[1] m[2] m[3] E(k, ) E(k, ) E(k, ) E(k, ) IV c[0] c[1] c[2] c[3] Decryption: ciphertext c[0] = E(k, IV m[0] = D(k,c[0]) m[0]) IV 46

  45. Attack on CBC with Predictable IV Suppose given c ECBC(k,m) Adv. can predict IV for next msg. 0 X c1 [IV1, E(k,0 IV1)] m0= IV IV1, m1 m0 M c [IV, E(k,IV1)] or c [IV, E(k,m1 IV)] Challenger Adversary A k K (IV IV1) IV output 0 if c[1] = c1[1] Bug in SSL/TLS 1.1: IV for record #i is last CT block of record #(i-1) 47

  46. Nonce-based CBC CBC with unique nonce: key = (k, k1) two independent keys unique nonce means: (key,n) pair is used for only one msg. m[0] m[1] nonce m[2] m[3] IV E(k1, ) E(k, ) E(k, ) E(k, ) E(k, ) nonce c[0] c[1] c[2] c[3] Included only if unknown to decryptor ciphertext 48

  47. CBC: padding nonce m[0] m[1] m[2] m[3] || pad IV removed during decryption E(k1, ) E(k, ) E(k, ) E(k, ) E(k, ) nonce c[0] c[1] c[2] c[3] n n n TLS: for n > 0 n byte pad is: If no pad needed, add a dummy block: 16 16 16 Padding oracle side channel attacks 49

  48. Cipher block chaining mode (CBC) Example applications: 1. File system encryption: use the same AES key to encrypt all files (e.g., loopaes) 2. IPsec: use the same AES key to encrypt multiple packets Problem: If attacker can predict IV, CBC is not CPA-secure 50

  49. Summary Block ciphers Map fixed length input blocks to same length output blocks Canonical block ciphers: 3DES, AES PRPs are effectively block ciphers PRPs can be created from arbitrary functions through Feistel networks 3DES based on Feistel networks AES based on substitution-permutation networks 51

  50. Questions? 52

Related


Crypto Recovery Experts - cryptorecoverysystem

Crypto Recovery Experts - cryptorecoverysystem

Amelia1
Buy Block Heels for Women Online in India 9threadz

Buy Block Heels for Women Online in India 9threadz

internal
Bitdeals-Binance-Clone-Script

Bitdeals-Binance-Clone-Script

Michelle2
Benefits of launching Binance Clone Script

Benefits of launching Binance Clone Script

John9
Red-Hot Features Of Binance Clone For Crypto Exchange Business!

Red-Hot Features Of Binance Clone For Crypto Exchange Business!

John9
Introduction to RSA Cryptography and Public Key Encryption

Introduction to RSA Cryptography and Public Key Encryption

romilly
Block Graphs: Examples and Explanations

Block Graphs: Examples and Explanations

tyler
Comparison of Erector Spinae Plane Block vs Serratus Anterior Plane Block in Thoracic Surgery Recovery

Comparison of Erector Spinae Plane Block vs Serratus Anterior Plane Block in Thoracic Surgery Recovery

jones
IEEE 802.11-20/0055r0 Multi-link Block Ack Architecture Overview

IEEE 802.11-20/0055r0 Multi-link Block Ack Architecture Overview

haleema
Classification of Elements and Periodicity in Properties: Overview and Evolution

Classification of Elements and Periodicity in Properties: Overview and Evolution

colby
Transposition Cipher Techniques in Modern Block Ciphers

Transposition Cipher Techniques in Modern Block Ciphers

autumn
D-Block Elements: Properties and Classification in Chemistry

D-Block Elements: Properties and Classification in Chemistry

ardi_847
Block Ciphers in Cryptography

Block Ciphers in Cryptography

knim
Symmetric Key Block Ciphers - Overview and Implementation

Symmetric Key Block Ciphers - Overview and Implementation

aedwa
Encryption Techniques: From Transposition Ciphers to Rail Fence Ciphers

Encryption Techniques: From Transposition Ciphers to Rail Fence Ciphers

marcelle_v
Taekwondo Techniques and Blocks: Defensive Moves in Action

Taekwondo Techniques and Blocks: Defensive Moves in Action

rosenthal_t
Taekwondo Techniques - Basics and Blocks for Self-Defense

Taekwondo Techniques - Basics and Blocks for Self-Defense

eil_h
Overview of Modern Cryptography and Data Encryption Standard (DES)

Overview of Modern Cryptography and Data Encryption Standard (DES)

cop_cro
Public Key Cryptography in Network Security

Public Key Cryptography in Network Security

mwasd
Crack the Code: A Journey into Transposition Ciphers

Crack the Code: A Journey into Transposition Ciphers

dulcemar
MLA Style Guide for Block Quotations

MLA Style Guide for Block Quotations

rdunk
Taekwondo Training: Block Techniques Explained

Taekwondo Training: Block Techniques Explained

lapaglia_v

More Related Content