attacks on block ciphers
TRANSCRIPT
1
CS 255 Lecture 4Attacks on Block Ciphers
Brent Waters
2
Recap-Symmetric Encryption• Two basic types of encryption
•Stream Cipher (eg. RC4, CSS)•Block Cipher (e.g. DES, IDEA (Feistel), AES)
3
Recap Block Ciphers
msg_block E CT_block
n-bits n-bitsK
4
Recap-Feistel Networks• Feistel network: M=L0 || R0
for i=1 to d (# of rounds) Li=Ri-1, Ri=Li-1 © F(Ri-1,Ki)
• Network inverts itself•Construct FN-1:{0,1}2n ! {0,1}2n
s.t. 8 x: FN-1(FN(x))=x
• DES- 16 round Feistel: block-size 64-bits, key 56
5
Recap-Using Block Ciphers• Encryption must be randomized
• (otherwise mi=mj ) ci=cj)•ECB mode is insecure
• CBC
IV
E E
PT 1 PT 2
© ©
IV
...
CT 1 CT 1
6
Exhaustive Search Attack• Known PT attack: given a few PT/CT pairs
M1/C1, M2/C2 ... find K
DES: likely need only one PT/CT pairview as collection of 256 random one-to-one functions8 M,k Pr[9 k’ k: DESk(M)=DESk’(M)] · k’ Pr[DESk=DESk’(M)] · 256 ¢ 1/264 = 1/28
7
DES Challenge• RSA Labs challenge (http://
www.rsasecurity.com/rsalabs/)"The unknown message is:.... "
• Internet Search: 3 months ’97• EFF “Deep-Crack”: 3 days ‘98
88 billion keys/sec; $250,000 (do govts have more money?)• Internet search: 22 hours ‘99
8
DES Challenge• 56 bit ciphers are dead
• (64-bit RC5 also attacked, 72 bit next)
• 128 bit keys ) 272DES-time ¼ 1024 days
• Keep open mind to new attacks•e.g. Internet
9
Triple DES• TEk1,k2,k3(M)= Ek1(DK2(EK3(M)))
E
D
E
k1
k2
k3
K=k1,k2,k3
PT
CT
Why decrypt in middle?
3 times slower
10
Double DES?
E
E
k1
k2
K=k1,k2
PT
CT
k0’ Ek0(M)
k1’ Ek1(M)
k2’ Ek2(M)meet in middle
Sort on 2nd columnCheck for collision on 2nd block
11
Double DES• Time : 256lg(256)+ 256lg(256)=262 << 2112
• Triple-DES security · 118 bits•same attack
• Large amount of space
12
Idealized Block Ciphers
Experiment A Experiment BChoose random key k
Choose random permutation
Oracle access to Ek and Ek
-1Oracle access to and -1
Adversary guesses which experiment he was in.
13
DESX• EX_{k1,k2,k3} = k1© DESk2(M © k3)
• Fast!
• Suppose EK is an ideal cipher; m PT/CT pairs, n-bit block size effective key-length ¸ k+n-1 – log(m) [KR’97]
DESX: if m< 230 then key length ¸ 289
DESk1(M © k2), k1© DESk2(M) not secure
14
Power Analysis
Encryption/Decryption
Secret key K
input output
Power
Figure from Benini et. al.
Have access to power supply?
15
Power Analysis
16
Power Analysis
Difference caused by jump instruction
17
Linear attacks• Bias ) Pr[F(x)=0]=1/2 +
Pr[ Mi1© ... © Mir© Cj1© ... © Cjv © Kl1 © ... Klv=0] =1/2 + Gather large amount of PT/CT pairsFor each PT/CT pair For each K*= (Kl1, ... ,Klv)
increment counter if Kl1, ... © Klv= Mi1© ... ©
Cjv Take K* with highest counter
18
Linear Attacks• Try different key possibilities on chosen PT/CT
pairs
• Take one that has strongest bias
• Thm: Given 1/2 pairs correct 97%
• DES =2-21 ) 242 pairs
19
Security Models• Attacks adversary can do
•Can get ahold of of CT/PT pairs?•Brute force power•Access
• Adversary’s goal
20
Attack typesFrom least to most powerful
1. CT only attack
2. Random plaintext attack – given random PT/CT pairs
3. CPA- Chosen plaintext attack
more to come...
21
Attacker goals• Key-recovery
• Decrypt a given CT
22
AES Development• ’97 NIST call for candidates due ’98• 128,192,256 bit keys and royalty free
• 15 of 21 met initial requirements
• 5 finalists: MARS, RC6, Rijndael, Serpent, Twofish
• Winner: Rijndael by Daemen and Rijmen• International flavor
23
AES Overview
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S2,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
Put 128-bit block into 4x4 byte matrix10 rounds (128-key mode)
24
AES OverviewS0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S2,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
1. S-box per byte (permutation)2. Shift rows3. Mix columns4. Add round key