EE817/IS893 Cryptography Engineering and Cryptocurrency, Yongdae Kim - PowerPoint PPT Presentation
Admin Stuff
q Mar 13 midnight: Homework 1 submission
q Mar 14 morning: Homework 1 solution posting
q Mar 19 class: Quiz 1
q About 2 weeks after: Homework 2, Quiz 2
q About 2 weeks after: Homework 3, midterm, …
q Question on homework?
Recap
q Proof techniques
▹ Direct/Indirect proof, Proof by contradiction, Proof by cases, Existential/Universal proof, Forward/backward reasoning
q Divisibility: a divides b (a | b) if ∃ c such that b = ac
q d = gcd(a, b) is the largest positive integer that divides both a and b; more formally, 1) d > 0, 2) d | a and d | b, 3) e | a and e | b implies e | d
q lcm(a, b) is the smallest positive integer divisible by both a and b
q Euclidean Algorithm
q p ≥ 2 is prime if a | p ⇒ a = ±1 or ±p
q Prime number theorem: lim_{x→∞} π(x) / (x / ln x) = 1
q Euler phi function: For n ≥ 1, let φ(n) denote the number of integers in [1, n] which are relatively prime to n.
q Pairwise relatively prime!
q a ≡ b (mod m) if m divides a − b
q a* is an arithmetic inverse of a modulo n, if a a* ≡ 1 mod n.
q Cardinality, counting, discrete probability, …
q One-way function, Trapdoor one-way function
q Symmetric key cryptography, public key cryptography
Key Management
q Key establishment
▹ Process whereby a shared secret key becomes available to two or more parties
▹ Subdivided into key agreement and key transport.
q Key management
▹ The set of processes and mechanisms which support key establishment
▹ The maintenance of ongoing keying relationships between parties
Key Management Through SKE
q Pros
▹ Easy to add and remove entities
▹ Each entity needs to store only one long-term secret key
q Cons
▹ Initial interaction with the TTP
▹ TTP needs to maintain n long-term secret keys
▹ TTP can read all messages
▹ Single point of failure
[Diagram: Alice holds KA, Bob holds KB, the TTP holds KA and KB; 3. E_SK("Hi"), E_KB(SK); 4. E_SK("Hi, Alice")]
Key Management Through PKE
q Advantages
▹ TTP not required
▹ Only n public keys need to be stored
▹ The central repository could be a local file
q Problem
▹ Public key authentication problem
q Solution
▹ Need of TTP to certify the public key of each entity
[Diagram: Alice holds (SKA, PKA), Bob holds (SKB, PKB); 1. Alice, PKA; 2. Bob, PKB; repository entries: Alice 0xDAD12345, Bob 0xBADD00D1]
Public Key Certificates
q Entities trust a third party, who issues a certificate
q Certificate = (data part, signature part)
▹ Data part = (name, public-key, other information)
▹ Signature = (signature of TTP on data part)
q If B wants to verify authenticity of A's public key
▹ Acquire public key certificate of A over a secured channel
▹ Verify TTP's signature
▹ If signature verified, A's public key in the certificate is authentic
Symmetric vs. Public key
SKE
q Pros
▹ High data throughput
▹ Relatively short key size
q Cons
▹ The key must remain secret at both ends
▹ O(n^2) keys to be managed
▹ Relatively short lifetime of the key
PKE
q Pros
▹ O(n) keys
▹ Only the private key must be kept secret
▹ Longer key lifetime
▹ Digital signature
q Cons
▹ Low data throughput
▹ Much larger key sizes
Kerckhoffs's Principle
q Security should depend only on the key
▹ Don't assume the enemy won't know the algorithm
» Can capture machines, disassemble programs, etc.
» Too expensive to invent a new algorithm if it might have been compromised
▹ Security through obscurity isn't
» Look at history of examples
» Better to have scrutiny by open experts
q "The enemy knows the system being used." (Claude Shannon)
ID-based Cryptography
q No public key
q Public key = ID (email, name, etc.)
q PKG
▹ Private key generation center
▹ SK_ID = PKG_S(ID)
▹ PKG's public key is public.
▹ distributes the private key associated with the ID
q Encryption: C = E_ID(M)
q Decryption: D_SK(C) = M
Discussion (PKI vs. Kerberos vs. IBE)
q On-line vs. off-line TTP
▹ Implication?
q Non-repudiation?
q Revocation?
q Scalability?
q Trust issue?
Block Cipher
q E: V_n × K → V_n
▹ V_n = {0,1}^n, K = {0,1}^k; n is called block length, k is called key size
▹ E(P, K) = C for K ∈ K and P, C ∈ V_n
▹ E(P, K) = E_K(P) is an invertible mapping from V_n to V_n
» E_K: encryption function
▹ D(C, K) = D_K(C) is the inverse of E_K
» D_K: decryption function
[Diagram: P (plaintext) → E, with key K → C (ciphertext); equivalently P (plaintext) → E_K → C (ciphertext)]
Modes of Operation
q A block cipher encrypts plaintext in fixed-size n-bit blocks (often n = 128). What happens if your message is greater than the block size?
[Diagram: ECB, CBC, CFB and OFB encryption and decryption, with c_0 = IV for CBC and I_1 = IV for CFB/OFB]
Modes of Operation
q ECB
▹ Encryption: c_j ← E_K(x_j)
▹ Decryption: x_j ← E_K^{−1}(c_j)
q CBC
▹ Encryption: c_0 ← IV, c_j ← E_K(c_{j−1} ⊕ x_j)
▹ Decryption: c_0 ← IV, x_j ← c_{j−1} ⊕ E_K^{−1}(c_j)
q CFB
▹ Encryption: I_1 ← IV, c_j ← x_j ⊕ E_K(I_j), I_{j+1} = c_j
▹ Decryption: I_1 ← IV, x_j ← c_j ⊕ E_K(I_j), I_{j+1} = c_j
q OFB
▹ Encryption: I_1 ← IV, o_j = E_K(I_j), c_j ← x_j ⊕ o_j, I_{j+1} = o_j
▹ Decryption: I_1 ← IV, o_j = E_K(I_j), x_j ← c_j ⊕ o_j, I_{j+1} = o_j
Modes of Operation (CTR)
[Diagram: CTR mode; encryption c_j = x_j ⊕ E_k(CTR + j − 1) and decryption x_j = c_j ⊕ E_k(CTR + j − 1), for j = 1..N]
CTR advantages
q Hardware efficiency
▹ Parallelizable
q Software efficiency
▹ Similar, modern processors support parallel computation
q Preprocessing
▹ Pad can be computed earlier
q Random-access
▹ Each ciphertext block can be encrypted independently
▹ important in applications like hard-disk encryption
q Provable security
▹ no worse than what one gets for CBC encryption
q Simplicity
▹ No decryption algorithm and key scheduling
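The mode equations from the Modes of Operation slides and the CTR construction, worked over a constructed toy 32-bit block permutation so that every step is visible; this is an added example, not code from the slides, and the toy cipher E, its constants and the key/IV values are my own and are not a real cipher:

```python
MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                 # odd, hence invertible modulo 2^32
MUL_INV = pow(MUL, -1, 1 << 32)
def E(x, k):                     # constructed toy 32-bit keyed permutation, NOT a real cipher
    y = ((x ^ k) * MUL) & MASK
    return ((y << 13) | (y >> 19)) & MASK      # rotate left by 13

def E_inv(y, k):                 # undo the rotation, the multiplication and the key XOR
    y = ((y >> 13) | (y << 19)) & MASK
    return ((y * MUL_INV) & MASK) ^ k

# ECB: c_j = E_K(x_j). Equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(xs, k): return [E(x, k) for x in xs]
def ecb_decrypt(cs, k): return [E_inv(c, k) for c in cs]

# CBC: c_0 = IV, c_j = E_K(c_{j-1} xor x_j); x_j = c_{j-1} xor E_K^{-1}(c_j)
def cbc_encrypt(xs, k, iv):
    out, prev = [], iv
    for x in xs:
        prev = E(prev ^ x, k)
        out.append(prev)
    return out
def cbc_decrypt(cs, k, iv):
    return [prev ^ E_inv(c, k) for prev, c in zip([iv] + cs[:-1], cs)]

# CFB: I_1 = IV, c_j = x_j xor E_K(I_j), I_{j+1} = c_j (only E_K is needed)
def cfb_encrypt(xs, k, iv):
    out, I = [], iv
    for x in xs:
        I = x ^ E(I, k)
        out.append(I)
    return out
def cfb_decrypt(cs, k, iv):
    return [c ^ E(I, k) for I, c in zip([iv] + cs[:-1], cs)]

# OFB: I_1 = IV, o_j = E_K(I_j), c_j = x_j xor o_j, I_{j+1} = o_j (same both ways)
def ofb_xcrypt(bs, k, iv):
    out, o = [], iv
    for b in bs:
        o = E(o, k)
        out.append(b ^ o)
    return out

# CTR: c_j = x_j xor E_K(CTR + j); blocks are independent -> parallel / random access
def ctr_xcrypt(bs, k, ctr):
    return [b ^ E((ctr + j) & MASK, k) for j, b in enumerate(bs)]

# Defender's check for the ECB pattern leak: does any ciphertext block repeat?
def repeats_visible(cs): return len(set(cs)) < len(cs)
```

Note that CFB, OFB and CTR never call E_inv, which is the "no decryption algorithm" point on the CTR slide.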
Double DES
q C = E_K2[E_K1[P]]
q P = D_K1[D_K2[C]]
q Reduction to single stage?
▹ E_K2[E_K1[P]] =? E_K3[P]
▹ It was proven that it does not hold
Meet-in-the-middle Attack
q Diffie 1977
q Exhaustively cracking it requires 2^112?
q C = E_K2[E_K1[P]]
▹ X = E_K1[P] = D_K2[C]
q Given a known pair (P, C)
▹ Encrypt P with all possible 2^56 values of K1
▹ Store these results and sort by X
▹ Decrypt C with all possible 2^56 values of K2, and check the table
▹ If same, accept it as the correct key
q Are we done? &&#@!#(
Meet-in-the-middle Attack, cont.
q Little statistics
▹ For any P, there are 2^64 possible C
▹ DDES uses a 112-bit key, so 2^112 keys
▹ Given (P, C), there are 2^112 / 2^64 = 2^48 key pairs that map P to C
» So there are 2^48 false alarms
▹ With one more (P', C') pair, we can reduce it to 2^−16
q So using two (plaintext, ciphertext) pairs, we can break DDES with c · 2^56 encryptions/decryptions
q C = E_K2[D_K1[P]]: different?
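The two-pair meet-in-the-middle procedure from the two slides above, run on a constructed toy double cipher with 16-bit blocks and 10-bit stage keys so the whole table fits in memory; this is an added example, not code from the slides, and tiny_enc, its constants and the key values are my own:

```python
BITS = 10                                   # toy key size: 2^10 keys per stage
def tiny_enc(p, k):
    """Constructed toy cipher: 16-bit block, 10-bit key (NOT a real cipher)."""
    p = (p ^ (k * 0x3F5)) & 0xFFFF
    p = (p + (k << 6)) & 0xFFFF
    return ((p << 5) | (p >> 11)) & 0xFFFF    # rotate left by 5

def tiny_dec(c, k):
    c = ((c >> 5) | (c << 11)) & 0xFFFF
    c = (c - (k << 6)) & 0xFFFF
    return c ^ ((k * 0x3F5) & 0xFFFF)

def double_enc(p, k1, k2):                   # C = E_K2[E_K1[P]]
    return tiny_enc(tiny_enc(p, k1), k2)

def meet_in_the_middle(pairs):
    """pairs[0] builds and matches the table; the remaining pairs remove false alarms.
    Cost: 2 * 2^BITS cipher calls instead of 2^(2*BITS) for exhaustive search."""
    p0, c0 = pairs[0]
    table = {}                               # X = E_K1[P] -> list of K1
    for k1 in range(1 << BITS):
        table.setdefault(tiny_enc(p0, k1), []).append(k1)
    candidates = []                          # (K1, K2) with E_K1[P] == D_K2[C]
    for k2 in range(1 << BITS):
        for k1 in table.get(tiny_dec(c0, k2), []):
            candidates.append((k1, k2))
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_enc(p, k1, k2) == c for p, c in pairs[1:])]
    return candidates, survivors

def expected_false_alarms(key_bits_total, block_bits):
    """Slide arithmetic: keys / ciphertexts, e.g. 2^112 / 2^64 = 2^48 for DDES."""
    return 2 ** (key_bits_total - block_bits)
```

With 10-bit stage keys and a 16-bit block the first pair leaves about 2^20 / 2^16 = 16 false alarms and the second pair filters each at rate 2^−16, the same shape as the 2^48 and 2^−16 figures on the slide.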
Triple DES with two keys
q Obvious counter to DDES: Use three keys
▹ Complexity?
▹ 168-bit key
q Triple DES = EDE = encrypt-decrypt-encrypt
▹ C = E_K1[D_K2[E_K1[P]]]
q Attacks?
▹ No practical one so far
Product Cipher
q To build a complex function, compose several simple operations which offer complementary, but individually insufficient, protection
q Basic operations: transposition, translation (XOR) and linear transformation, arithmetic operation, mod mult, simple substitution
q Substitution-permutation (SP) network is a product cipher composed of a number of stages each involving substitution and permutation
[Diagram: SP network; rows of S-boxes (S … S) followed by a permutation layer (P), repeated over several stages]
Feistel Cipher
q Virtually all conventional block ciphers
▹ by Horst Feistel of IBM in 1973
q The realization of a Feistel Network depends on the choice of the following parameters and features:
▹ Block size: larger block sizes mean greater security
▹ Key size: larger key size means greater security
▹ Number of rounds: multiple rounds offer increasing security
▹ Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.
▹ Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern
Feistel Network
q iterated cipher mapping (L_0, R_0) to (R_r, L_r) through an r-round process, (L_{i−1}, R_{i−1}) →K_i (L_i, R_i) as follows
▹ L_i = R_{i−1}, R_i = L_{i−1} ⊕ f(R_{i−1}, K_i), K_i is derived from K
[Diagram: one Feistel round: (L_{i−1}, R_{i−1}) → (L_i, R_i) through f(R_{i−1}, K_i)]
Feistel Network: Why it works?
q 2-Round example
q Encryption
▹ L_1 = R_0, R_1 = L_0 ⊕ f(K_1, R_0)
▹ L_2 = R_1 = L_0 ⊕ f(K_1, R_0), R_2 = L_1 ⊕ f(K_2, R_1)
q Decryption
▹ R_1 = L_2, L_1 = R_2 ⊕ f(K_2, R_1)
▹ R_0 = L_1, L_0 = R_1 ⊕ f(K_1, R_0)
q Easily extensible to multi-round
DES History
q Originated with early 1970's IBM effort to develop banking security systems
q First result was Lucifer, most common variant has 128-bit key and block size
▹ Broken
q NBS (currently NIST) called for algorithms in 1973
q IBM submitted the best algorithm in 1977 and that became DES
▹ Original IBM key size = 128, DES = 56 :-)
▹ Design philosophy of S-Box was unknown
» Turned out to be strong
DES Overview
q |P|, |C| = 64, |K| = 56, 16 rounds; from K, sixteen 48-bit subkeys K_i are generated
[Diagram: DES structure: Input → IP → (L_0, R_0) → 16 Feistel rounds with f(R_{i−1}, K_i) → (L_16, R_16) → IP^{−1} → Output; inside f: expansion E of R_{i−1}, XOR with K_i, S-boxes S1..S8, permutation P]
S-Box
q 6-bit input, 4-bit output
q 27 = 011011 = (01)(1101)
q S1-Box output for 27 = 5

S1 (row = outer two bits, column = middle four bits):
      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
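A runnable version of the Feistel network and its inversion from the Feistel slides, with the round function built from the S1 box in the table above; this is an added example, not code from the slides, and the 24-bit toy block, the key schedule and the way f spreads the S1 output are my own constructions, not DES:

```python
S1 = [  # DES S1 box from the slide: row = outer bits (b5 b0), column = middle four bits
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x6):
    """6-bit in, 4-bit out. 27 = 01 1011 -> row 01 = 1, column 1101 = 13 -> 5."""
    row = ((x6 >> 5) << 1) | (x6 & 1)
    return S1[row][(x6 >> 1) & 0xF]

HALF = 12                                 # toy: 24-bit block = two 12-bit halves
def f(r, k):
    """Round function: XOR subkey, push both 6-bit chunks through S1, then spread.
    It is many-to-one (6 bits -> 4 bits), so it has no inverse at all."""
    t = (r ^ k) & 0xFFF
    s = (s1(t >> 6) << 4) | s1(t & 0x3F)  # 8 bits of S-box output
    return ((s << 4) | (s >> 4)) & 0xFFF  # spread back to 12 bits

def subkeys(key24, rounds=4):
    """Constructed toy key schedule: K_i is the low 12 bits of the key rotated by 5i."""
    return [((key24 >> (5 * i)) | (key24 << (24 - 5 * i))) & 0xFFF
            for i in range(rounds)]

def feistel(block, keys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i); output (R_r, L_r)."""
    L, R = block >> HALF, block & 0xFFF
    for k in keys:
        L, R = R, L ^ f(R, k)
    return (R << HALF) | L                # final swap, as in the slide

def encrypt(block, key24): return feistel(block, subkeys(key24))
def decrypt(block, key24): return feistel(block, subkeys(key24)[::-1])
```

Decryption is the same network with the subkeys in reverse order, which is exactly the 2-round derivation on the "Why it works?" slide carried to r rounds.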
New Era!
q DES broken
▹ DES III Challenge by RSA
▹ Idle CPU time of around 100,000 computers
▹ In 22 hours
q Triple DES?
▹ Original DES was designed for H/W implementation
▹ 64-bit block size too small for security and efficiency
q Now what?
Advanced Encryption Standard
q In 1997, NIST issued a call for proposals
▹ Block length = 128 bits
▹ Key size = 128, 192, 256 bits
q In the first round, 15 algorithms were accepted
q Second round, 5 algorithms were selected
q In November 2001, the final standard was published
▹ Rijndael, FIPS PUB 197
▹ http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
▹ Joan Daemen and Vincent Rijmen
AES Evaluation Criteria
q Security
▹ Actual security: compared with other submissions
▹ Randomness: output is indistinguishable from random
▹ Soundness: of mathematical basis
▹ Other security factors: raised by security community
q Cost
▹ No licensing: World-wide, non-exclusive, royalty-free
▹ Computation efficiency: both S/W and H/W
▹ Memory requirements
q Algorithm and Implementation characteristics
▹ Flexibility: key-/block-size, wide variety of platforms
▹ Simplicity
Stream Cipher
q Definition
▹ encrypt individual characters of plaintext message one at a time, using an encryption transformation which varies with time.
q Block vs. Stream
▹ Block ciphers
» process plaintext in relatively large blocks
» The same function is used to encrypt successive blocks ⇒ memoryless
▹ Stream ciphers
» process plaintext in small blocks, and the encryption function may vary as plaintext is processed ⇒ have memory
» sometimes called state ciphers since encryption depends on not only the key and plaintext, but also on the current state.
▹ This distinction between block and stream ciphers is not definitive
» adding memory to a block cipher (as in CBC) results in a stream cipher
One-time Pad and Stream Cipher
q One-time pad
▹ Vernam cipher: c_i = m_i ⊕ x_i for i = 1, 2, 3, …
» (+) key is generated independently and randomly
» (+) Ciphertext contributes no information about plaintext
» (−) key should be as long as plaintext ⇒ key management
q Stream cipher tries to solve this problem by having a short key and generating a pseudo-random sequence
▹ Not unconditionally secure, but tries to be computationally secure
Questions?
q Yongdae Kim
▹ email: yongdaek@kaist.ac.kr
▹ Home: http://syssec.kaist.ac.kr/~yongdaek
▹ Facebook: https://www.facebook.com/y0ngdaek
▹ Twitter: https://twitter.com/yongdaek
▹ Google "Yongdae Kim"