Introduction to Cryptography @ Rice, Olivier Pereira, Slide 05 (UCL) - PowerPoint PPT Presentation



slide-1
SLIDE 1

UCL Crypto Group

Microelectronics Laboratory

COMP477 - Slide 05 1

Introduction to Cryptography @ Rice

Olivier Pereira Slide 05

SLIDE 2

Usefulness of PRPs

Let F be a PRP: {0,1}^n × {0,1}^n → {0,1}^n. Then F is also a PRF. Proof idea:

◮ The PRF attacker's queries are relayed to and from the PRP challenger
◮ The only way to distinguish is that a random function has collisions, while a permutation never does
◮ But we can only hope to observe collisions after about 2^{n/2} queries (birthday paradox)

So, it is good enough to focus on building good PRPs, and then use them as PRFs when needed.
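The proof idea above can be run as an experiment. The following is an added example, not part of the original slides: it samples a random function and a random permutation lazily, implements the collision-based distinguisher, and measures its advantage for a toy block size n = 16 (so that 2^{n/2} = 256 queries). The oracle and function names are this example's own choices.

```python
"""Why a PRP is a PRF up to ~2^(n/2) queries: the collision distinguisher."""
import random


def random_function_oracle(n_bits: int, rng: random.Random):
    """Lazily sampled random function {0,1}^n -> {0,1}^n (the ideal a PRF imitates)."""
    table = {}

    def query(x: int) -> int:
        if x not in table:
            table[x] = rng.getrandbits(n_bits)
        return table[x]
    return query


def random_permutation_oracle(n_bits: int, rng: random.Random):
    """Lazily sampled random permutation: outputs are drawn without replacement,
    so two distinct inputs can never collide (the ideal a PRP imitates)."""
    table, used = {}, set()

    def query(x: int) -> int:
        if x not in table:
            y = rng.getrandbits(n_bits)
            while y in used:          # rejection sampling; cheap while q << 2^n
                y = rng.getrandbits(n_bits)
            used.add(y)
            table[x] = y
        return table[x]
    return query


def collision_distinguisher(oracle, queries: int) -> int:
    """The PRF attacker from the proof idea: ask `queries` distinct inputs and
    output 1 ("random function") iff two answers collide, else 0 ("permutation")."""
    seen = set()
    for x in range(queries):
        y = oracle(x)
        if y in seen:
            return 1
        seen.add(y)
    return 0


def expected_collisions(n_bits: int, queries: int) -> float:
    """Birthday estimate: q(q-1)/2 pairs, each colliding with probability 2^-n.
    This reaches about 1/2 at q = 2^(n/2), where the PRP/PRF gap becomes visible."""
    return queries * (queries - 1) / 2 / 2 ** n_bits


def advantage(n_bits: int, queries: int, trials: int = 100, seed: int = 1) -> float:
    """Empirical distinguishing advantage: Pr[D=1 | function] - Pr[D=1 | permutation]."""
    rng = random.Random(seed)
    hits_f = sum(collision_distinguisher(random_function_oracle(n_bits, rng), queries)
                 for _ in range(trials))
    hits_p = sum(collision_distinguisher(random_permutation_oracle(n_bits, rng), queries)
                 for _ in range(trials))
    return (hits_f - hits_p) / trials


if __name__ == "__main__":
    n = 16                                        # toy n so that 2^(n/2) = 256 queries
    for q in (16, 64, 256, 1024):
        print(f"n={n}, q={q:5d}: expected collisions {expected_collisions(n, q):6.2f}, "
              f"advantage {advantage(n, q):.2f}")
    print("n=128, q=2^64: expected collisions", expected_collisions(128, 2 ** 64))
```

With 64 queries (well below 2^{n/2}) the advantage stays near zero; with 1024 queries (4 · 2^{n/2}) nearly every run against the random function sees a collision while the permutation never does. For AES (n = 128) the same threshold is 2^64 blocks, which is why the PRP-as-PRF substitution is safe in practice but still a quantity worth tracking in protocol designs.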

SLIDE 3

Usefulness of PRPs

Let F be a PRP: {0,1}^n × {0,1}^n → {0,1}^n. Then G : s ↦ F_s(0) || F_s(1) is a PRG. So, a PRP also gives us a PRG!

SLIDE 4

Practical constructions of block ciphers

Block ciphers:

◮ Other name for PRP
◮ Typically defined for just a few values of n

Our goals:

◮ Review some of the key principles used in the design of block cipher candidates
  ◮ Substitution-permutation network
  ◮ Feistel scheme
◮ Get a general idea of the most popular block cipher today, AES, as well as some other common ones

SLIDE 5

Heuristic designs?

AES is a PRP . . . as long as nobody shows otherwise. There is no reduction proof to a well-known problem. But:

◮ Decades of research on how to build a good PRP (good to be able to focus on just one goal!)
◮ A lot of wisdom gained: good paradigms, efficiency in software and hardware, secure implementation techniques for resistance to leakages, . . .
◮ Considerably faster than all "provably secure" proposals.

SLIDE 6

How good are we at this?

Examples:

◮ Data Encryption Standard (DES) [1976] has no practical weakness so far (its parameters just became too small)
◮ Advanced Encryption Standard (AES) [1998]: no practical attack known, most widespread today

Both are based on generic techniques that have also been extensively scrutinized (and for which some "partial proofs" also exist)

SLIDE 7

The Design of Rijndael

250+ pages on the design of Rijndael, the AES, written by its designers (Daemen and Rijmen):

SLIDE 8

Definition of a break

Practical requirement: distinguishing from a random permutation should be roughly as hard as exhaustive key search.

◮ So, 2^{n/2} security would not be enough: a 2^{n/2}-time distinguisher counts as a break, even though such an attacker is not PPT
◮ Motivations:
  ◮ anything better than brute force is usually a bad sign
  ◮ keeps parameters as small as possible (n = 128 today)

SLIDE 9

Substitution-permutation networks

We can't keep the 2^128 · 128-bit table of a full random permutation in memory. ⇒ Can we build a big permutation from smaller ones?

Suppose we have 16 (key-dependent) 8-bit random permutations f1(·), . . . , f16(·). Can we define F(x) := f1(x1) || . . . || f16(x16)?

Quiz: consider x, x′ differing in only 1 bit. What will F(x) and F(x′) look like?

  • 1. Differ by 1 bit
  • 2. Differ by a few bits
  • 3. Be totally different

(Only the one fi whose input byte changed produces a different output, so the difference stays confined to those 8 bits: answer 2. A random permutation would change about half of the 128 bits.)
SLIDE 10

Substitution-permutation networks

Possible solution:

◮ Permute the bits of x after applying F
◮ Repeat these two steps several times

Then we can hope to achieve something close to a PRP. This is also known as the confusion-diffusion paradigm [Shannon, 1945]

◮ Substitution ≈ Caesar's cipher
◮ Permutation ≈ Scytale cipher

SLIDE 11

Substitution-permutation networks

[Figure: SPN round structure. Round 1: S-boxes S1 . . . S4 (f1 . . . f4) followed by subkey K1 mixing; round 2: S-boxes S5 . . . S8 (f5 . . . f8) followed by subkey K2 mixing; and so on.]

An SPN is an application of the confusion-diffusion paradigm,

◮ Ideally, a new fi is picked for each use
◮ But this is difficult in practice
◮ Instead, we use fixed S-boxes
◮ And key-dependence is achieved by combining (e.g. ⊕) key bits with the input to the S-boxes
◮ Different "parts" of the key are used at each round, according to a key schedule

SLIDE 12

Beware, do not mix up

◮ The word "permutation" is used with 2 different meanings in cryptography
◮ A pseudorandom permutation is a (pseudorandom) function that is a bijection (i.e. injective and surjective)
◮ In an SPN, a permutation is a reordering of the bits
◮ Keep in mind that a PRP does not simply reorder bits!

SLIDE 13

Basic design principles

  • 1. S-boxes must be invertible
    ◮ Otherwise we would not get a permutation
  • 2. Avalanche effect: each change (even a local one) to the input must result in a large change in the output. For this:
    ◮ Changing a single bit in an S-box input should change at least two bits in its output
    ◮ The mixing permutation should ensure that the output bits of a given S-box are spread into different S-boxes in the next round

SLIDE 14

Basic design principles

S-boxes, mixing permutations, key schedule and number of rounds are what makes the difference between a strong and a weak block cipher. Choosing them involves a very careful analysis, taking into account many properties and known attack techniques. Conclusion: do not try building your own block cipher.

SLIDE 15

Attacking a one-round SPN

With just one plaintext-ciphertext pair, A can

◮ Undo the mixing on the ciphertext (public design)
◮ Undo the S-boxes (public design)
◮ XOR with the plaintext and recover the key

⇒ A can trivially distinguish the SPN from a RP

SLIDE 16

Attacking a two-round SPN

(Referring to the figure:) these four output bits can be traced back to this single round-2 S-box, and thus depend on only these 16 input bits, 4 bits of K2 and 16 bits of K1 ⇒ Exhaustive search on this partial key is possible ⇒ And thus the two-round SPN can of course also be distinguished from a RP

SLIDE 17

Three-round SPN

The "avalanche effect" is not complete after three rounds, so A can

◮ Send strings differing in only one bit
◮ Observe whether the ciphertexts are affected locally or globally

⇒ This allows A to tell the difference between the SPN and a RP. But AES-128 has 10 rounds.
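The SPN slides above (the 16 × 8-bit construction of slide 9, the bit permutation of slide 10, the design criteria of slide 13 and the one- and three-round attacks of slides 15 and 17) can all be exercised on one toy cipher. The block below is an added example, not code from the original slides or from any real cipher: the S-box, bit permutation and key schedule are random objects drawn from a fixed seed (assumptions made here for reproducibility, not AES components). It measures how many ciphertext bits flip for a one-bit plaintext change with and without the mixing layer, recovers the key of the one-round variant from a single pair exactly as slide 15 describes, and checks the two S-box criteria of slide 13.

```python
"""Toy substitution-permutation network: avalanche per round and the one-round break."""
import random

BLOCK_BITS = 128
N_SBOXES = BLOCK_BITS // 8          # sixteen 8-bit S-boxes, as on slide 9
MASK = (1 << BLOCK_BITS) - 1

# Toy components drawn from a fixed seed so the demo is reproducible (assumption).
# They are NOT the AES S-box nor any real cipher's permutation or key schedule.
_rng = random.Random(2024)
SBOX = list(range(256))
_rng.shuffle(SBOX)                  # a random 8-bit bijection
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
BIT_PERM = list(range(BLOCK_BITS))
_rng.shuffle(BIT_PERM)              # state bit i moves to position BIT_PERM[i]
INV_BIT_PERM = [0] * BLOCK_BITS
for _i, _p in enumerate(BIT_PERM):
    INV_BIT_PERM[_p] = _i


def _apply_sbox(state: int, box: list) -> int:
    """Apply an 8-bit box to each of the 16 bytes independently."""
    out = 0
    for i in range(N_SBOXES):
        out |= box[(state >> (8 * i)) & 0xFF] << (8 * i)
    return out


def _apply_perm(state: int, perm: list) -> int:
    """Move bit i of the state to position perm[i]."""
    out = 0
    for i in range(BLOCK_BITS):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out


def key_schedule(key: int, rounds: int) -> list:
    """Toy schedule (assumption): rotate the key by 13 bits for each round."""
    subkeys, k = [], key
    for _ in range(rounds + 1):
        subkeys.append(k)
        k = ((k << 13) | (k >> (BLOCK_BITS - 13))) & MASK
    return subkeys


def spn_encrypt(block: int, key: int, rounds: int, mix: bool = True,
                whiten: bool = True) -> int:
    """rounds x (subkey XOR, S-boxes, bit permutation), then a final subkey XOR.
    mix=False drops the permutation, i.e. F(x) = f1(x1) || ... || f16(x16) of slide 9.
    whiten=False drops the final XOR, matching the one-round SPN attacked on slide 15."""
    subkeys = key_schedule(key, rounds)
    state = block
    for r in range(rounds):
        state = _apply_sbox(state ^ subkeys[r], SBOX)
        if mix:
            state = _apply_perm(state, BIT_PERM)
    return state ^ subkeys[rounds] if whiten else state


def avalanche(rounds: int, mix: bool, trials: int = 200, seed: int = 7) -> float:
    """Average number of ciphertext bits that flip when one plaintext bit flips.
    A random permutation would give about BLOCK_BITS / 2 = 64."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        key, x = rng.getrandbits(BLOCK_BITS), rng.getrandbits(BLOCK_BITS)
        x2 = x ^ (1 << rng.randrange(BLOCK_BITS))
        total += bin(spn_encrypt(x, key, rounds, mix)
                     ^ spn_encrypt(x2, key, rounds, mix)).count("1")
    return total / trials


def recover_one_round_key(m: int, c: int) -> int:
    """Slide 15: undo the (public) permutation and S-boxes, then XOR with the plaintext."""
    return _apply_sbox(_apply_perm(c, INV_BIT_PERM), INV_SBOX) ^ m


def sbox_is_invertible(box: list) -> bool:
    return sorted(box) == list(range(256))


def sbox_min_output_change(box: list) -> int:
    """Fewest output bits that change for a 1-bit input change (slide 13 asks for >= 2).
    A randomly drawn S-box usually fails this, one reason real S-boxes are hand-picked."""
    return min(bin(box[x] ^ box[x ^ (1 << b)]).count("1")
               for x in range(256) for b in range(8))


if __name__ == "__main__":
    for r in (1, 2, 3, 4, 6):
        print(f"{r} rounds: {avalanche(r, False):5.1f} bits flipped without mixing, "
              f"{avalanche(r, True):5.1f} with mixing")
    k = random.Random(1).getrandbits(BLOCK_BITS)
    m = 0x0123456789ABCDEF0123456789ABCDEF          # constructed sample block
    print("one-round key recovered:",
          recover_one_round_key(m, spn_encrypt(m, k, 1, whiten=False)) == k)
    print("S-box invertible:", sbox_is_invertible(SBOX),
          "| min output bits changed per 1-bit input change:", sbox_min_output_change(SBOX))
```

Without the mixing layer the difference never leaves one byte however many rounds are run (at most 8 bits flip), which is the slide 9 quiz answer. With mixing, one round still flips at most 8 bits, three rounds flip noticeably fewer than the 64 expected from a random permutation (the slide 17 distinguisher), and by six rounds the average is about 64. The one-round key recovery needs a single plaintext-ciphertext pair, as slide 15 states.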

SLIDE 18

Advanced Encryption Standard (AES)

NIST's standardization project

◮ First call in 1997 (15 candidates)
◮ Final decision in 2000

Final decision: Rijndael

◮ 128-bit block cipher
◮ Substitution-permutation network
◮ 3 key sizes: 128, 192 or 256 bits

SLIDE 19

The AES in practice

Adoption: almost immediate and ubiquitous

◮ Network: TLS, SSH, . . .
◮ Disk encryption (BitLocker, LibreCrypt, TrueCrypt, . . . )
◮ Archive and compression tools (7z, RAR, WinZip, KeePass, . . . )
◮ Implementations available for "all" languages

SLIDE 20

The AES in practice

Speed: > 100 MB/s on a single core. The AES-NI instruction set on processors ⇒ ≈ 8× speedup. So far, no known attack meaningfully better than exhaustive key search.

SLIDE 21

Feistel networks

Suppose that we have a good PRF that is not invertible (i.e. not a permutation). Can we build a block cipher from this? Yes:

◮ One way of achieving this has been proposed by Feistel

SLIDE 22

Feistel networks

[Figure: one Feistel round. Encryption maps (L0, R0) to (L1, R1) and decryption maps (L1, R1) back to (L0, R0), both using the same f_{K1}.]

Encryption

◮ L1 := R0
◮ R1 := f_{K1}(R0) ⊕ L0

Decryption

◮ R′0 := L1
◮ L′0 := f_{K1}(L1) ⊕ R1

Of course, this is not a good encryption scheme

◮ But if we iterate it. . .

SLIDE 23

Feistel networks

It can be proved (Luby-Rackoff) that if f is a PRF (with independent round functions),

◮ Then a 3-round Feistel network is a PRP
◮ And a 4-round Feistel network is a strong PRP (i.e. strong even if the distinguisher is given oracle access to the inverse of the function)

SLIDE 24

In practice. . .

◮ The fi functions are constructed in a similar way as for SPNs
◮ The fi are typically fixed, with key dependence ensured by combining (⊕, . . . ) the input with subkeys
◮ Subkeys are derived according to some key schedule

SLIDE 25

Feistel networks

Advantages

◮ More latitude in the choice of the fi (they need not be invertible)
◮ The same software/hardware can be used for encryption and decryption (just reverse the key schedule)

Feistel networks adoption:

◮ DES [1975–1999–2005] (IBM, NSA)
◮ Camellia [2000–] (Mitsubishi, NTT)
◮ . . .

SLIDE 26

Data Encryption Standard

◮ US encryption standard (1977), designed by IBM / NSA
◮ Feistel network
◮ 64-bit block cipher
◮ 56-bit keys

These sizes are too short for today's computing power

◮ DES should not be used any more
◮ Yet, it is still present in many "legacy" applications
◮ Some attacks have been found, but the best practical attack known so far is exhaustive search ⇒ "A remarkable success story in cryptography"

SLIDE 27

Data Encryption Standard

SLIDE 28

The f function

Essentially, a 1-round SPN

◮ Expansion: 32 bits → 48 bits (by duplication)
◮ S-boxes: substitutions 6 bits → 4 bits
◮ Permutation: reorders the 32-bit output

SLIDE 29

DES security

In 1990, a new class of attacks, differential cryptanalysis, was proposed by Biham and Shamir

◮ The attack requires 2^47 chosen plaintexts and has 2^37 complexity
◮ Remark: it turned out that the DES S-boxes had been designed to resist that (at the time publicly unknown) attack

More followed, but the best practical attack against DES is brute-force key search

◮ 1999: 22h by a dedicated machine + 100 000 PCs (≈ $250k)
◮ 2006: ≈ 1 day with COPACOBANA, dedicated FPGAs (≈ $10k)

SLIDE 30

Triple-DES

Double encryption adds little security (a meet-in-the-middle attack costs about twice a single exhaustive search, not its square). Use triple encryption:

◮ With 3 keys
◮ Or just with 2
◮ Classical way: EDE mode
◮ c = DES_{K1}(DES^{-1}_{K2}(DES_{K1}(m)))

But this does not solve the small block size problem. Still used in some legacy applications.
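The Feistel construction of slides 22 to 25 and the double/triple-encryption discussion of slide 30 fit in one worked example. The block below is added here and is not code from the original slides, nor is it DES: the round function is HMAC-SHA256 (a non-invertible PRF, so the point of slide 21 applies), the key schedule is a toy derivation, and the key size is a deliberately tiny 12 bits (an assumption made so that the meet-in-the-middle search finishes instantly). It shows that one round leaks half the plaintext, that decryption is the same code run with the subkeys reversed, that two-key EDE collapses to single encryption when K1 = K2, and that double encryption is broken with about 2 · 2^12 cipher calls instead of 2^24.

```python
"""Feistel network from a non-invertible PRF, and a meet-in-the-middle attack
showing why double encryption adds little security."""
import hmac
import hashlib

HALF = 8          # 64-bit halves, so a 128-bit block
ROUNDS = 3        # Luby-Rackoff: three rounds of a PRF already give a PRP
KEY_BITS = 12     # toy key size (assumption) so the meet-in-the-middle search is instant


def prf(key: bytes, data: bytes) -> bytes:
    """Round function f_K: HMAC-SHA256 truncated to one half-block. It is not
    invertible; the Feistel structure is what turns it into a permutation."""
    return hmac.new(key, data, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_schedule(key: bytes) -> list:
    """Toy schedule (assumption): subkey i = f_key(i). Real ciphers use their own."""
    return [prf(key, bytes([i])) for i in range(ROUNDS)]


def feistel(block: bytes, subkeys: list) -> bytes:
    """Per round: L_i := R_{i-1}, R_i := f_{K_i}(R_{i-1}) xor L_{i-1} (slide 22),
    followed by a final swap of the halves. Because of that swap, running the
    same code with the subkeys in reverse order inverts it (slide 25)."""
    L, R = block[:HALF], block[HALF:]
    for k in subkeys:
        L, R = R, xor(prf(k, R), L)
    return R + L


def encrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key)[::-1])


def double_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    return encrypt(k2, encrypt(k1, m))


def ede_encrypt(k1: bytes, k2: bytes, m: bytes) -> bytes:
    """Two-key EDE as on slide 30: E_K1(D_K2(E_K1(m))). With K1 = K2 it collapses
    to single encryption, which is why EDE (and not EEE) was chosen."""
    return encrypt(k1, decrypt(k2, encrypt(k1, m)))


def ede_decrypt(k1: bytes, k2: bytes, c: bytes) -> bytes:
    return decrypt(k1, encrypt(k2, decrypt(k1, c)))


def all_keys() -> list:
    return [i.to_bytes(2, "big") for i in range(1 << KEY_BITS)]


def meet_in_the_middle(m: bytes, c: bytes) -> list:
    """Recover (k1, k2) with c = E_k2(E_k1(m)) using about 2 * 2^KEY_BITS cipher
    calls and a 2^KEY_BITS-entry table instead of 2^(2*KEY_BITS) trial encryptions:
    E_k1(m) must equal D_k2(c), so tabulate one side and look up the other."""
    forward = {encrypt(k1, m): k1 for k1 in all_keys()}
    matches = []
    for k2 in all_keys():
        middle = decrypt(k2, c)
        if middle in forward:
            matches.append((forward[middle], k2))
    return matches   # with a 128-bit block, one (m, c) pair leaves a single candidate


if __name__ == "__main__":
    k1, k2 = (0x123).to_bytes(2, "big"), (0xABC).to_bytes(2, "big")
    m = b"attack at dawn!!"                         # constructed 16-byte sample block
    print("round trip:", decrypt(k1, encrypt(k1, m)) == m)
    print("one round leaks R0:", feistel(m, key_schedule(k1)[:1])[HALF:] == m[HALF:])
    print("meet-in-the-middle recovered (k1, k2):",
          meet_in_the_middle(m, double_encrypt(k1, k2, m)) == [(k1, k2)])
    print("EDE round trip:", ede_decrypt(k1, k2, ede_encrypt(k1, k2, m)) == m)
    print("EDE with K1 = K2 equals single encryption:", ede_encrypt(k1, k1, m) == encrypt(k1, m))
```

The meet-in-the-middle table is what makes double encryption worth only about one extra bit of security; against two-key EDE the analogous attack needs 2^56-class work plus a large table of known plaintexts, which is why triple encryption was the accepted fix for DES while its 64-bit block remained the problem noted on the slide.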

SLIDE 31

Conclusion

Block ciphers:

◮ One of the most versatile crypto objects: PRG, encryption, authentication, . . .
◮ Most common: AES, 128-bit blocks, 128-192-256-bit keys
◮ Many countries have their own BC for "internal" use
◮ AES implementations widely available, often with HW support

Think twice before picking something else (efficiency, side-channel resistance, . . . )