CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 8 2018
Page 1: CS 4770: Cryptography CS 6750: Cryptography and ... · for DES (n=16), for AES-128 (n=10) key k Key ... Permutation Round key S-box Fixed permutation Invertible S boxes and mixing

CS 4770: Cryptography

CS 6750: Cryptography and Communication Security

Alina Oprea

Associate Professor, CCIS

Northeastern University

February 8 2018

Page 2:

Review

• CPA-secure construction
  – Security proof by reduction to PRF
  – Randomized

• How to design block ciphers
  – Substitution Permutation Networks
  – Feistel Networks
  – Multiple rounds

• DES
  – Feistel Network

• AES
  – Substitution Permutation Network

Page 3:

Block Ciphers Built by Iteration

R(k,m) is called a round function

for DES (n=16), for AES-128 (n=10)

Diagram: key k → key schedule → round keys k1, k2, k3, …, kn; m → R(k1,·) → R(k2,·) → R(k3,·) → ⋯ → R(kn,·) → c

Page 4:

Substitution-Permutation Network

Diagram: one round = key mixing (⊕ round key) → substitution (S-box, invertible) → permutation (fixed permutation)

S boxes and mixing permutation are public

Page 5:

Feistel Networks

Round i: $L_i = R_{i-1},\quad R_i = L_{i-1} \oplus f_i(R_{i-1})$

• Functions fi are public
• Round key is derived from main key and secret
• Advantage: fi not invertible!

Given functions f1, …, fd: {0,1}^n ⟶ {0,1}^n

Often fi(x) = F_{ki}(x), for ki secret keys and F a PRF

Goal: build invertible function (PRP) F: {0,1}^2n ⟶ {0,1}^2n

Diagram: input split into halves (L0, R0), each n bits; round 1 applies ⊕ f1 to give (L1, R1), round 2 applies ⊕ f2 to give (L2, R2), ⋯, round d applies ⊕ fd to give the output (Ld, Rd)

Page 6:

DES: 16 round Feistel network

f1, …, f16: {0,1}^32 ⟶ {0,1}^32 , fi(x) = F( ki, x )

Diagram: 64-bit input → IP → 16 round Feistel network → IP^-1 → 64-bit output; 56-bit key k → key expansion → 48-bit round keys k1, k2, ⋯, k16

To invert, use keys in reverse order
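As an added example (not from the slides), the Feistel construction of pages 5 and 6 in Python. The round function f_i(x) = F(k_i, x) and the key schedule are stand-ins assumed here (a truncated SHA-256, not DES's F and key expansion); the point is that decryption never inverts f_i, it only runs the same rounds with the keys in reverse order.

```python
import hashlib


def key_schedule(key: bytes, rounds: int) -> list:
    """Toy key schedule (assumption, not DES's): k_i = SHA-256(key || i), truncated to 8 bytes."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def round_fn(k_i: bytes, x: bytes) -> bytes:
    """f_i(x) = F(k_i, x): keyed and NOT invertible (a truncated hash); a Feistel network allows that."""
    return hashlib.sha256(k_i + x).digest()[: len(x)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def feistel_encrypt(round_keys: list, block: bytes) -> bytes:
    """d-round Feistel network on a 2n-bit block split into halves (L_0, R_0):
    L_i = R_{i-1},  R_i = L_{i-1} XOR f_i(R_{i-1}).  Output is (L_d, R_d)."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for k_i in round_keys:
        L, R = R, xor(L, round_fn(k_i, R))
    return L + R


def feistel_decrypt(round_keys: list, block: bytes) -> bytes:
    """Inverse permutation: same round structure, round keys in reverse order.
    From (L_i, R_i): R_{i-1} = L_i and L_{i-1} = R_i XOR f_i(L_i); f_i is only ever evaluated forwards."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for k_i in reversed(round_keys):
        L, R = xor(R, round_fn(k_i, L)), L
    return L + R


if __name__ == "__main__":
    # DES-like parameters: 16 rounds, 64-bit block, 32-bit halves (constructed sample key and block)
    ks = key_schedule(b"sample-key-bytes", 16)
    m = bytes.fromhex("0123456789abcdef")
    c = feistel_encrypt(ks, m)
    assert feistel_decrypt(ks, c) == m
    print(c.hex())
```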

Page 7:

The function F(ki, x)

S-box: function {0,1}^6 ⟶ {0,1}^4 , implemented as look-up table.

Diagram: F(ki, x) is itself a Substitution-Permutation Network: key mixing → substitution → permutation

Page 8:

The AES process

• 1997: NIST publishes request for proposal

• 1998: 15 submissions. Five claimed attacks.

• 1999: NIST chooses 5 finalists

• 2000: NIST chooses Rijndael as AES (designed in Belgium)

Key sizes: 128, 192, 256 bits.

Block size: 128 bits


Page 9:

AES is a Subs-Perm network (not Feistel)

Diagram: input → ⊕ k1 → subs. layer (S1, S2, S3, …, S8) → perm. layer → ⊕ k2 → subs. layer (S1, …, S8) → perm. layer → ⋯ → ⊕ kn → output; the inversion runs the same layers backwards (inverse S-boxes and inverse permutation)

Page 10:

AES-128 schematic

Diagram: 16-byte input viewed as a 4×4 byte state → ⊕ k0 → 10 rounds → 4×4 output
  – rounds 1–9: (1) ByteSub (2) ShiftRow (3) MixColumn, followed by ⊕ k1, …, ⊕ k9
  – round 10: (1) ByteSub (2) ShiftRow, followed by ⊕ k10

key: 16 bytes; key expansion (invertible): 16 bytes ⟶ 176 bytes

Page 11:

The round function

• ByteSub: a 1 byte S-box. 256 byte table (non-linear, but easily computable): $A[i,j] \leftarrow S(A[i,j]),\ \forall i,j$

• ShiftRows:

• MixColumns:

Page 12:

Code size/performance tradeoff

Option                                      | Code size | Performance
Pre-compute round functions (24KB or 4KB)   | largest   | fastest: table lookups and xors
Pre-compute S-box only (256 bytes)          | smaller   | slower
No pre-computation                          | smallest  | slowest

Page 13:

AES in hardware

AES instructions in Intel Westmere:

• aesenc, aesenclast: do one round of AES

128-bit registers: xmm1=state, xmm2=round key

aesenc xmm1, xmm2 ; puts result in xmm1

• aeskeygenassist: performs AES key expansion

• Claim 14 x speed-up over OpenSSL on same hardware

Similar instructions on AMD Bulldozer


Page 14:

Attacks

Best key recovery attack: four times better than exhaustive search [BKR'11]

Related key attack on AES-256: [BK'09]

Given 2^99 inp/out pairs from four related keys in AES-256, can recover keys in time ≈ 2^99

Page 15:

Block ciphers

• Suggestions:

– Don’t think about the inner-workings of AES and 3DES.

– Don’t implement them yourselves

• We assume both are secure PRPs and will see how to use them


Page 16:

Incorrect use of block cipher

Electronic Code Book (ECB): each block is encrypted on its own

PT: m1 m2
CT: c1 c2

Problem: if m1=m2 then c1=c2

Not EAV-secure!

Page 17:

In pictures

(image: ECB-encrypted picture, courtesy B. Preneel)

Page 18:

CBC encryption

Let F be a PRP; F: K × {0,1}^n ⟶ {0,1}^n

EncCBC(k,m): choose random IV ∈ {0,1}^n and do:

Diagram: IV ⊕ m[1] → F(k,·) → c[1]; c[1] ⊕ m[2] → F(k,·) → c[2]; c[2] ⊕ m[3] → F(k,·) → c[3]; ⋯; c[L-1] ⊕ m[L] → F(k,·) → c[L]; ciphertext = IV, c[1], c[2], c[3], …, c[L]

$c_i = F_k(c_{i-1} \oplus m_i)$, with $c_0 = IV$

Page 19:

Decryption circuit

Diagram: c[1] → F^-1(k,·) → ⊕ IV → m[1]; c[2] → F^-1(k,·) → ⊕ c[1] → m[2]; c[3] → F^-1(k,·) → ⊕ c[2] → m[3]; ⋯; c[L] → F^-1(k,·) → ⊕ c[L-1] → m[L]

In symbols: c[1] = Fk( IV ⊕ m[1] ) ⇒ m[1] = Fk^-1(c[1]) ⊕ IV

$m_i = F_k^{-1}(c_i) \oplus c_{i-1}$

Page 20:

CBC: CPA Analysis

CBC Theorem: For any L>0 number of blocks,

If F is a secure PRP over (K, {0,1}^n ) then

EncCBC is CPA-secure over (K, {0,1}^nL, {0,1}^n(L+1)).

In particular, for a q-query adversary A attacking EncCBC

there exists a PRP adversary B s.t.:

$\Pr[\mathrm{Exp}^{\mathrm{CPA}}_{\mathrm{EncCBC},A}(n) = 1] \le 1/2 + 2\,\mathrm{Adv}^{\mathrm{PRP}}_{F,B} + 2 q^2 L^2 / 2^n$

where

$\mathrm{Adv}^{\mathrm{PRP}}_{E,B} = \left|\,\Pr[B^{F_k(\cdot),\,F_k^{-1}(\cdot)}(n) = 1] - \Pr[B^{f(\cdot),\,f^{-1}(\cdot)}(n) = 1]\,\right|$

Note: CBC is only secure as long as q^2 L^2 << 2^n

Page 21:

An example

q = # messages encrypted with k, L = length of max message

Recall: $\Pr[\mathrm{Exp}^{\mathrm{CPA}}_{\mathrm{EncCBC},A}(n) = 1] \le 1/2 + \mathrm{Adv}^{\mathrm{PRP}}_{E,B} + 2 q^2 L^2 / 2^n$

Suppose we want $\Pr[\mathrm{Exp}^{\mathrm{CPA}}_{\mathrm{EncCBC},A}(n) = 1] \le 1/2 + 1/2^{32}$, i.e. q^2 L^2 / 2^n < 1/2^32

• AES: 2^n = 2^128 ⇒ q L < 2^48

So, after 2^48 AES blocks, must change key

• 3DES: 2^n = 2^64 ⇒ q L < 2^16

Page 22:

Attack on CBC with predictable IV

CBC where attacker can predict the IV is not CPA-secure !!

Suppose given c ⟵ EncCBC(k,m) can predict next IV

Chal.: k ⟵ K
Adv. ⟶ Chal.: 0 ∈ {0,1}^n
Chal. ⟶ Adv.: c1 ⟵ [ IV1, Fk( 0 ⊕ IV1) ]
Adv.: predict IV
Adv. ⟶ Chal.: m0 = IV ⊕ IV1 , m1 ≠ m0
Chal. ⟶ Adv.: c ⟵ [ IV, Fk(IV1) ] (since Fk(IV ⊕ m0) = Fk(IV1)) or c ⟵ [ IV, Fk(m1 ⊕ IV) ]
Adv.: output 0 if c[1] = c1[1]

Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)

Page 23:

CTR-mode encryption

Let F: K × {0,1}^n ⟶ {0,1}^n be a secure PRF.

Enc(k,m): choose a random IV ∈ {0,1}^n and do:

Diagram: msg m[1], m[2], …, m[L]; keystream F(k,IV), F(k,IV+1), …, F(k,IV+L); c[i] = m[i] ⊕ keystream block; ciphertext = IV, c[1], c[2], …, c[L]

$c_i = F_k(IV + i) \oplus m_i$

note: parallelizable (unlike CBC)
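Added example, not the slides' code: CTR mode as on this page in Python, with F instantiated by a truncated SHA-256 keyed hash standing in for the PRF (an assumption made here; a deployment would use AES). It shows that only a PRF is needed, that decryption is the same keystream XOR, that no padding is required, and that any block can be recovered on its own, which is what makes the mode parallelizable.

```python
import hashlib
import os

N = 16  # block length in bytes (n = 128 bits)


def prf(k: bytes, x: bytes) -> bytes:
    """F(k, x): PRF stand-in (assumption): SHA-256(k || x) truncated to n bits. Never inverted."""
    return hashlib.sha256(k + x).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))  # truncates to the shorter input


def keystream_block(k: bytes, iv: bytes, i: int) -> bytes:
    """F_k(IV + i): the IV is an n-bit counter, addition is mod 2^n, i = 0 for the first block."""
    ctr = (int.from_bytes(iv, "big") + i) % (1 << (8 * N))
    return prf(k, ctr.to_bytes(N, "big"))


def ctr_encrypt(k: bytes, m: bytes, iv: bytes = b"") -> bytes:
    """c_i = F_k(IV + i) XOR m_i; output IV || c. A short last block just truncates the keystream (no padding)."""
    iv = iv or os.urandom(N)
    body = b"".join(xor(m[j:j + N], keystream_block(k, iv, j // N)) for j in range(0, len(m), N))
    return iv + body


def ctr_decrypt(k: bytes, c: bytes) -> bytes:
    """Decryption regenerates the same keystream: XOR is its own inverse."""
    iv, body = c[:N], c[N:]
    return ctr_encrypt(k, body, iv)[N:]


def ctr_decrypt_block(k: bytes, c: bytes, i: int) -> bytes:
    """Random access: block i is recovered from c_i and F_k(IV + i) alone, with no other block."""
    iv = c[:N]
    chunk = c[N + i * N: N + (i + 1) * N]
    return xor(chunk, keystream_block(k, iv, i))
```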

Page 24:

Comparison: CTR vs. CBC

                      | CBC            | CTR mode
Uses                  | PRP            | PRF
Parallel processing   | No             | Yes
Security              | q^2 L^2 << 2^n | q^2 L << 2^n
Dummy padding block   | Yes            | No

Page 25:

A CBC technicality: padding

Diagram: as in CBC encryption, but the last block is m[L] ‖ pad: IV ⊕ m[1] → F(k,·) → c[1]; c[1] ⊕ m[2] → F(k,·) → c[2]; c[2] ⊕ m[3] → F(k,·) → c[3]; ⋯; c[L-1] ⊕ (m[L] ‖ pad) → F(k,·) → c[L]; ciphertext = IV, c[1], …, c[L]

TLS: for n>0, the n byte pad is n n ⋯ n n (n bytes, each with value n); removed during decryption

if no pad needed, add a dummy block
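Added example, not the slides' code: CBC encryption and decryption from pages 18 and 19 together with the TLS-style padding described on this page (n pad bytes each of value n, a whole dummy block when the message already fills its blocks), in Python. The PRP F is an assumption made here: a key-seeded random permutation of 16-bit blocks, small enough to tabulate, standing in for AES; the unpad step raises one generic error rather than explaining why, which is the lesson of page 26.

```python
import os
import random

N = 2  # toy block length in bytes (n = 16 bits) so a random permutation can be tabulated; real CBC uses AES (16)


def make_prp(key: bytes):
    """PRP stand-in (assumption): a key-seeded random permutation of all 2^n block values, and its inverse."""
    table = list(range(1 << (8 * N)))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    def F(b): return table[int.from_bytes(b, "big")].to_bytes(N, "big")
    def F_inv(b): return inverse[int.from_bytes(b, "big")].to_bytes(N, "big")
    return F, F_inv


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def tls_pad(m: bytes) -> bytes:
    """Append n bytes each equal to n, 1 <= n <= N; when m already fills its blocks this is a whole dummy block."""
    n = N - len(m) % N
    return m + bytes([n]) * n


def tls_unpad(p: bytes) -> bytes:
    n = p[-1] if p else 0
    if not 1 <= n <= N or p[-n:] != bytes([n]) * n:
        raise ValueError("decryption failed")  # one generic failure, never "bad pad" vs "bad MAC"
    return p[:-n]


def cbc_encrypt(F, m: bytes, iv: bytes = b"") -> bytes:
    """c_i = F_k(c_{i-1} XOR m_i) with c_0 = IV, over the padded message; returns IV || c_1 .. c_L."""
    iv = iv or os.urandom(N)
    p, prev, out = tls_pad(m), iv, bytearray()
    for j in range(0, len(p), N):
        prev = F(xor(prev, p[j:j + N]))
        out += prev
    return iv + bytes(out)


def cbc_decrypt(F_inv, c: bytes) -> bytes:
    """m_i = F_k^{-1}(c_i) XOR c_{i-1} with c_0 = IV, then strip the pad."""
    blocks = [c[j:j + N] for j in range(0, len(c), N)]
    p = b"".join(xor(F_inv(blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    return tls_unpad(p)
```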

Page 26:

TLS bugs in older versions

IV for CBC is predictable: (chained IV)

- IV for next record is last ciphertext block of current record.

- Not CPA secure.

Padding oracle: during decryption

- If pad is invalid send decryption failed alert

- If mac is invalid send bad_record_mac alert

⇒ attacker learns information about plaintext

Lesson: when decryption fails, do not explain why


Page 27:

Recap

• To encrypt longer messages, use CBC or CTR mode
  – CPA security

• CTR mode has some advantages
  – Parallelizable
  – Better security

• CBC encryption with padding is vulnerable to padding oracle attack

• Authenticated encryption schemes are CCA secure

Page 28:

Acknowledgement

Some of the slides and slide contents are taken from http://www.crypto.edu.pl/Dziembowski/teaching and fall under the following:

©2012 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

We have also used slides from Prof. Dan Boneh's online cryptography course at Stanford University: http://crypto.stanford.edu/~dabo/courses/OnlineCrypto/