Lecture 4.2 - Block Cipher Part 2 Flashcards
(42 cards)
Are the constructions of block ciphers secure?
There are constructions that are BELIEVED to be secure, for two reasons:
- Someone trustworthy said they are safe (IBM, NSA)
- Experts have tried to break the construction and failed
What are the typical requirements for block ciphers?
Security - ideally, the best possible attack should be a brute force key search
Efficiency in implementation:
- 8 bit microcontroller and smart-cards with limited memory space
- Tablet, mobile phone
- PC, Workstation, Server
- Specialized hardware (ASIC, FPGA) - speeds up to gigabits/second
Flexibility of the key: the key size can be adapted efficiently
Extended security requirements: protection against side-channel attacks, related-key attacks, …
Explain the iterated cipher design.
R: {0,1}^a x {0,1}^m -> {0,1}^m is a "secure" round function.
The key k is expanded into round keys (several a-bit keys derived from k); the input message is then encrypted with these round keys one after another. Each of these steps is called a round.
If M0 is input message then:
M1 = Rk1(M0)
M2 = Rk2(M1)
…
Mn = Rkn(Mn-1)
Mn is the output
What are the advantages of the iterated cipher design?
Simplicity:
- easy to implement
- protection against backdoors in the design
Symmetry (repetitive design patterns):
- smaller circuits (in hardware)
- easier to program (in software)
Examples of the iterated cipher paradigm?
Feistel-Cipher (DES - Data Encryption Standard)
Substitution-Permutation networks (AES - Advanced Encryption Standard)
Explain the Feistel Network cipher.
The input block is split into two halves L0 and R0 where each half is m/2 bits if the total block size is m.
The function is applied in n rounds, each using a different round key ki.
Each round follows these steps:
- Apply a round function f using the right half Ri and the round key ki
- XOR the result with Li
- The new right becomes the previous left half and the new left half is computed using f
- Repeat n rounds
Typically in the last step we would swap left and right, but in ciphers such as DES, we don’t
Even if f is NOT easily invertible, every round can be EASILY INVERTED!
In theory, when is a Feistel network a PRP?
Assuming that the function f used to construct the Feistel network is a pseudorandom function (PRF), then:
- a 2-round Feistel network isn't a PRP
- a 3-round Feistel network is a PRP
- a 4-round Feistel network is a strong PRP
What do we have to specify to get a block cipher from a Feistel network?
- Concrete parameters:
– Block size: m
– Key size: |k|
– Number of rounds: n
- Algorithm for generating the round keys
- The round function f
What values are specified for the Feistel network in DES?
Key size:
- effective: 56 bits
- formal: 64 bits (8 for parity check)
Block size: 64 bits
Number of rounds: 16
What does the DES diagram look like?
Input -> Initial Permutation (IP) -> 16 rounds of the Feistel network with round keys going in -> Final Permutation (IP^(-1)) -> Output
How secure is DES?
- The biggest weakness is the short key (brute-force possible)
- Also, block size is too short
Apart from that - DES is a secure design:
- even after four decades, brute force is still the most practical attack
Well known theoretical attacks:
- Differential cryptanalysis
- Linear cryptanalysis
What alternatives are there to DES to increase the key size, and what are their specifications?
2DES
2DES_{k1,k2}(m) := DES_{k1}(DES_{k2}(m))
- Vulnerable to Meet-in-the-middle attacks
- Security the same as with DES (approx. 2^57)
3DES
3DES_{k1,k2,k3}(m) := DES_{k1}(DES_{k2}^(-1)(DES_{k3}(m)))
Options for choice of key:
- k1,k2,k3 independently
- k1, k2 independently and k3 = k1
- k1 = k2 = k3 => 3DES = DES (backward compatible)
Explain how substitution-permutation networks work
- The main secret key k is expanded into multiple round keys k0, k1, …, kn
- The input plaintext M0 is XORed with the first round key k0: M' = M0 ⊕ k0
- Rounds of the SPN (repeated multiple times); each round has 3 operations:
– Substitution: the state is divided into small blocks, and each block passes through an S-box (substitution box), which applies a non-linear transformation. Goal: introduce confusion.
– Permutation (π layer): the output of the S-box layer is shuffled according to a predefined permutation function π. This ensures diffusion (a small input change spreads through the whole block).
– Add Round Key: the transformed state is XORed with the next round key ki (ensures each round is unique and dependent on the key).
- After the final round the state is XORed with the final round key kn, and the result Mn is the ciphertext
Explain the round function in AES.
The message M is represented as a 4x4 matrix of bytes, where each entry is one byte (A_ij ∈ {0,1}^8).
The matrix holds 4x4x8 = 128 bits. Then:
- Sub Bytes
- Shift Rows
- Mix Columns
Output X
Explain how AES encryption utilizes the round function.
Before the first round the initial key is added straight to the message, so the key is involved from the start. Then the round function is performed over and over again until the last round.
In the last round only SubBytes and ShiftRows are performed (no MixColumns); then the final round key kn is added and we get the output Mn.
Explain the decryption of AES.
Just invert the whole process: start from the ciphertext, add the final round key kn, apply inverse ShiftRows and inverse SubBytes, and add the round key ki.
Then perform the round function using the inverse operations until the last round; in the last round just add k0 and we get the input plaintext M0.
What are the properties of AES?
- Permutation for fixed k: AES(k,.): {0,1}^128 -> {0,1}^128
- Easy to invert for known k: AES^(-1)(k,.): {0,1}^128 -> {0,1}^128
- All AES transformations can be represented by operations in the Galois field GF(2^n)
- Concrete parameters (key size -> number of rounds): 128 -> 10, 192 -> 12, 256 -> 14
- Security: the best known attack is the biclique attack
Attacks on block ciphers?
Brute force (always possible!) - does not use any property or the structure of the cipher (treats it as an ideal cipher)
- Idea: Try out all keys
- Time-Memory tradeoff:
– N = Size of the key space (=|K|)
– D = Data complexity (=|Target data available to the adversary|)
– P = Time complexity of pre-processing
– T = Time complexity of the attack after getting the target data
– M = Memory space of the adversary
Adversary Models:
- Known Plaintext Attack (KPA)
- Chosen Plaintext Attack (CPA)
Time - Memory tradeoffs
Check slide 47 in Block Ciphers 4.2 (there are tables)
Explain TMTO: Meet-in-the-middle attack
Goal: Given (m,c), find (k1, k2) such that c = E_{k2}(E_{k1}(m))
Generic attack: find k1, k2 with E_{k1}(m) = E_{k2}^(-1)(c)
Remark: Successful against 2DES
Encrypt the message m under all possible values of k1 and store the intermediate results. Then decrypt c under all possible values of k2 and store those intermediate results. Finally match the two sets of intermediate values; every match gives a candidate key pair (k1, k2).
What's the complexity of a naive brute-force attack on 2DES?
2^(2n)
What's the complexity of the meet-in-the-middle attack on 2DES?
O(2^n)
Are differential and linear cryptanalysis practical on DES?
Neither differential nor linear cryptanalysis is practical.
Differential
- Chosen-plaintext attacks
- D = 2^47 requests to the encryption oracle -> not practical
- But: a small change in DES makes the differential analysis much easier
- Moral: NSA and IBM knew about differential cryptanalysis
Linear
- Known plaintext attack
- D = 2^43 pairs -> still not practical
Explain attacks on the implementation of DES
Side-channel attacks
- Observe the device during encryption/decryption
– Measure the time needed for the cryptographic operation
– Measure the power consumption
Fault attacks
- Induce an error (e.g. with a laser beam) into the computation
– Observe the changes in the behavior
– E.g.: Errors in the last couple of rounds in DES reveal the key k
“It’s dangerous to implement cryptography by yourself!”