1. DES
◦ Description: Feistel, S-box
◦ Exhaustive Search, DC and LC
◦ Modes of Operation
AES
◦ Description: SPN, Branch number
◦ Security and Efficiency
◦ Modes of Operation
Other Ciphers
◦ Linear layer
◦ Confusion layer
3. Claude Shannon
Confusion:
◦ The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst.
Diffusion:
◦ Each digit of the plaintext should influence many digits of the ciphertext, and/or
◦ Each digit of the secret key should influence many digits of the ciphertext.
Block cipher:
◦ A repetition of confusion (substitution) and diffusion (permutation)
◦ Iteration: Weak → Strong
5. Definition:
Let Bn denote the set of bit strings of length n.
A block cipher is an encryption algorithm E such that EK is a permutation of Bn for each key K.
Characteristics
◦ Based on Shannon's theorem (1949)
◦ Same P => Same C
◦ |P| = |C| ≥ 64 bits, |P| ≠ |K| ≥ 56 bits
◦ Memoryless configuration
◦ Operates as a stream cipher depending on the mode
◦ Shortcut cryptanalysis (DC, LC, etc.) in the '90s
* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis
6. Requirements for the standard
◦ Provide a high level of security
◦ Completely specified and easy to understand
◦ Security must depend on the hidden key, not on the algorithm
◦ Available to all users
◦ Adaptable for use in diverse applications
◦ Economically implementable in electronic devices
◦ Efficient to use
◦ Able to be validated
◦ Exportable
* Federal Register, May 15, 1973
7. Based on Lucifer (1972)
◦ Developed by IBM, with intervention by NSA
◦ Adopted as a Federal Standard by NIST, revised every 5 years (until ~'98)
◦ 64-bit block cipher, 56-bit key
◦ 16 rounds, nonlinearity: S-boxes
◦ Cryptanalysis such as DC, LC, etc. after 1992
* DC: Differential Cryptanalysis, LC: Linear Cryptanalysis
8. If we apply its operation 2 times, it returns to the original value, e.g., f(f(x)) = x.
A type of function with f^-1(x) = f(x).
[Figure (a)–(d): four involutions on a pair (x1, x2), including y1 = x1 ⊕ x2, y2 = x2; y1 = x1 ⊕ g(x2), y2 = x2; and y1 = x1 ⊕ g(x2, k), y2 = x2]
14. 8 S-boxes (6 -> 4 bits)
each row: a permutation of 0-15
4 rows: chosen by the MSB and LSB of the input
Some known design criteria
◦ Not linear (affine)
◦ Changing any one bit of the input changes at least two output bits
◦ S(x) and S(x ⊕ 001100) differ in at least 2 bits
◦ S(x) ≠ S(x ⊕ 11ef00) for any ef ∈ {00, 01, 10, 11}
◦ Resistance against DC, etc.
◦ The actual design principles have never been revealed (U.S. classified information)
18. Short key size: 112 -> 56 bits by NSA
Classified design criteria
Revision of the standard every 5 years after 1977 by NIST
No longer the standard
19. (P,C) dependency with fixed key: after 5 rounds
(K,C) dependency with fixed plaintext: after 5 rounds
Avalanche effect
Cyclic test: random function
Algebraic structure: not a group, i.e., E(K1, E(K2, P)) ≠ E(K3, P)
21. RSA Data Security Inc.'s protest against US export control ('97)
◦ $10,000 ('97) award
◦ Key search over the Internet by Rocke Verser (Loveland)
◦ 60.1 billion keys per day searched; succeeded after 18 quadrillion operations and 96 days
  25% of the total 72 quadrillion (1 q = 10^15 = 0.1 kyung)
  90 MHz, 16 MB memory Pentium (700 million/sec)
◦ http://www.rsa.com/des/
22. Distributed.Net + EFF
◦ 100,000 PCs on the network
◦ 56 hours
EFF (Electronic Frontier Foundation)
◦ http://www.eff.org/DEScracker
◦ Purpose-built tools
◦ 22 hr 15 min
◦ $250,000
P. Kocher
23. Cost-Optimized Parallel Code Breaker machine by Univ. of Bochum, Germany, and Kiel
Commercially available 120 FPGAs of type Xilinx Spartan3-1000 run in parallel
$10,000, about 1/4 of the EFF project
26. AES (Rijndael)
Joan Daemen and Vincent Rijmen, "The Design of Rijndael, AES – The Advanced Encryption Standard", Springer, 2002, ISBN 3-540-42580-2
FIPS Pub 197, Advanced Encryption Standard (AES), December 04, 2001
Rijndael: variable block and key sizes; AES: fixed
27. Block cipher
◦ 128-bit blocks
◦ 128/192/256-bit keys
Worldwide royalty-free
More secure than Triple DES
More efficient than Triple DES
28. ◦ Jan. 2, 1997: Announcement of intent to develop AES and request for comments
◦ Sep. 12, 1997: Formal call for candidate algorithms
◦ Aug. 20-22, 1998: First AES Candidate Conference and beginning of Round 1 evaluation (15 algorithms), Rome, Italy
◦ Mar. 22-23, 1999: Second AES Candidate Conference, NY, USA
◦ Sep. 2000: Final AES selection (Rijndael!)
[Timeline figure: Jan. 1997 call for algorithms; Aug. 1998 AES1, 15 algorithms; Mar. 1999 AES2, 5 algorithms selected; Apr. 2000 AES3; winner announced in Sep. 2000]
32. Proposed by Joan Daemen, Vincent Rijmen (Belgium)
Design choices
– Square type
– Three distinct invertible uniform transformations (layers)
  Linear mixing layer: guarantees high diffusion
  Non-linear layer: parallel application of S-boxes
  Key addition layer: XOR the round key to the intermediate state
– Initial key addition, final key addition
Representation of state and key
– Rectangular array of bytes with 4 rows (square type)
– Nb: number of columns of the state (4~8)
– Nk: number of columns of the cipher key (4~8)
– Nb is independent of Nk
35. Substitution-Permutation Network (SPN)
◦ (Invertible) Nonlinear Layer: Confusion
◦ (Invertible) Linear Layer: Diffusion
Branch Number
◦ Measures the diffusion power of a linear layer
◦ Let F be a linear transformation on n words.
◦ W(a): the number of nonzero words in a.
◦ λ(F) = min_{a≠0} {W(a) + W(F(a))}
◦ Rijndael: branch number = 5
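The branch number definition above, computed by exhaustive search as an added example (not from the lecture slides or the Rijndael authors). Assumption: to keep the search over every nonzero a feasible, the AES MixColumns matrix is applied to 4-bit words over GF(2^4) with polynomial x^4 + x + 1 rather than to bytes over GF(2^8); the matrix is MDS over either field, so the result λ = 5 matches the slide.

```python
from itertools import product

# Toy field GF(2^4) with reduction polynomial x^4 + x + 1 (an assumption made so
# that the minimum over every nonzero input is an exhaustive 16^4 search; AES
# itself works in GF(2^8), where a column has 2^32 inputs).
POLY = 0b10011

def gf16_mul(a, b):
    """Multiply two nibbles in GF(2^4)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x10:
            a ^= POLY
        b >>= 1
    return r

# The circulant matrix of AES MixColumns: rows (2,3,1,1), (1,2,3,1), ...
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_columns(a):
    """Linear layer F(a) = MIX * a on a column of 4 words."""
    out = []
    for row in MIX:
        acc = 0
        for m, x in zip(row, a):
            acc ^= gf16_mul(m, x)
        out.append(acc)
    return tuple(out)

def rotate_words(a):
    """A ShiftRows-style word permutation: linear, but it only moves words."""
    return a[1:] + a[:1]

def word_weight(a):
    """W(a): number of nonzero words in a."""
    return sum(1 for w in a if w)

def branch_number(layer, nwords=4, wordbits=4):
    """lambda(F) = min over a != 0 of W(a) + W(F(a))."""
    best = 2 * nwords
    for a in product(range(1 << wordbits), repeat=nwords):
        if any(a):
            best = min(best, word_weight(a) + word_weight(layer(a)))
    return best

if __name__ == "__main__":
    print("MixColumns-style layer:", branch_number(mix_columns))   # 5 (MDS)
    print("word rotation:", branch_number(rotate_words))           # 2
```

A pure word permutation scores the minimum possible value 2 (one active word in, one out), which is why Rijndael needs the mixing matrix and not just a byte transposition.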
36. K-secure
◦ No shortcut attacks: no key-recovery attack faster than exhaustive key search
◦ No symmetry property such as complementation in DES
◦ No non-negligible classes of weak keys as in IDEA
◦ No related-key attacks
Hermetic
◦ No weakness that is not also found for the majority of block ciphers with the same block and key length
Rijndael is K-secure and hermetic
38. ECB (Electronic CodeBook) mode
i) Encryption: C = EK(P), n-bit blocks
ii) Decryption: P = DK(C)
If Ci = Cj, then DK(Ci) = DK(Cj)
39. CBC (Cipher Block Chaining)
Ci = EK(Pi ⊕ Ci−1), with C0 = IV (IV: Initialization Vector)
Pi = DK(Ci) ⊕ Ci−1
- 2-block error propagation
- self-synchronizing
- If |Pl| ≠ |P| (last block shorter), padding required
40. m-bit OFB (Output FeedBack)
Ci = Pi ⊕ O(EK), Pi = Ci ⊕ O(EK), where O(EK) is the m-bit output of EK fed back from the IV
- No error propagation
- Requires external synchronization
- Stream cipher
- Either EK or DK may serve as the feedback function, for both encryption and decryption
41. m-bit CFB (Cipher FeedBack)
Ci = Pi ⊕ EK(Ci−1), Pi = Ci ⊕ EK(Ci−1), with C0 = IV (m bits at a time)
- Error propagation until the error has left the buffer (shift register)
- self-synchronizing
- Either EK or DK may serve as the feedback function, for both encryption and decryption
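The three chained modes above, with the error-propagation behaviour each slide notes (CBC: 2 blocks, OFB: none, CFB: until the damaged block leaves the register), as an added example that is not from the lecture. Assumption: the block cipher is a toy 64-bit Feistel built from SHA-256, used only so the modes run stand-alone; CFB is shown with m equal to the block size.

```python
import hashlib

BS = 8  # block size in bytes of the toy cipher below
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + BS] for i in range(0, len(data), BS)]

# Toy 64-bit Feistel cipher (an assumption for illustration only, not DES):
# four rounds with f = truncated SHA-256(key || round || half); D_K undoes E_K.
def feistel(k, block, rounds):
    l, r = block[:4], block[4:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(k + bytes([i]) + r).digest()[:4])
    return r + l

def E(k, block): return feistel(k, block, range(4))
def D(k, block): return feistel(k, block, reversed(range(4)))

def _chain(iv, pt, step):            # C_i = step(P_i, C_{i-1}) with C_0 = IV
    cs = [iv]
    for p in blocks(pt):
        cs.append(step(p, cs[-1]))
    return b"".join(cs[1:])

def cbc_enc(k, iv, pt):              # C_i = E_K(P_i xor C_{i-1})
    return _chain(iv, pt, lambda p, c: E(k, xor(p, c)))

def cbc_dec(k, iv, ct):              # P_i = D_K(C_i) xor C_{i-1}
    cs = blocks(ct)
    return b"".join(xor(D(k, c), prev) for prev, c in zip([iv] + cs, cs))

def ofb(k, iv, data):                # O_i = E_K(O_{i-1}), O_0 = IV; C_i = P_i xor O_i
    o, out = iv, []                  # (the same function encrypts and decrypts)
    for d in blocks(data):
        o = E(k, o)
        out.append(xor(d, o))
    return b"".join(out)

def cfb_enc(k, iv, pt):              # C_i = P_i xor E_K(C_{i-1}), full-block CFB (m = 64)
    return _chain(iv, pt, lambda p, c: xor(p, E(k, c)))

def cfb_dec(k, iv, ct):              # P_i = C_i xor E_K(C_{i-1}): decryption also uses E_K
    cs = blocks(ct)
    return b"".join(xor(c, E(k, prev)) for prev, c in zip([iv] + cs, cs))

def damaged_blocks(enc, dec, k, iv, pt, bad=1):  # flip 1 bit in C_bad; which P blocks change?
    ct = bytearray(enc(k, iv, pt))
    ct[bad * BS] ^= 1
    rec = blocks(dec(k, iv, bytes(ct)))
    return [i for i, p in enumerate(blocks(pt)) if rec[i] != p]
```

Flipping one bit of C1 garbles P1 and flips one bit of P2 in CBC, flips only that bit of P1 in OFB, and flips one bit of P1 and garbles P2 in CFB; block 3 decrypts correctly in all three, which is the self-synchronization the CBC and CFB slides refer to.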
46. Introduction (DC)
◦ Biham and Shamir: CR90, CR92
◦ More efficient than exhaustive key search
◦ Chosen plaintext attack
◦ O(Breaking DES16) ~ 2^47
◦ Utilizes the probabilistic distribution between input XOR and output XOR values iteratively
◦ Stimulated the disclosure of the hidden design criteria of DES [Cop92]
◦ Applies to other DES-like ciphers
* E. Biham, A. Shamir, "Differential Cryptanalysis of the Data Encryption Standard", Springer-Verlag, 1993
47. Discard linear components (IP, FP)
Properties of XOR (X' = X ⊕ X*)
◦ {E, P, IP}: (P(X))' = P(X) ⊕ P(X*) = P(X')
◦ XOR: (X ⊕ Y)' = (X ⊕ Y) ⊕ (X* ⊕ Y*) = X' ⊕ Y'
◦ Mixing key: (X ⊕ K)' = (X ⊕ K) ⊕ (X* ⊕ K) = X'
◦ Differences (= XOR) pass linearly through linear operations and, in particular, the result is key independent.
50. 2-round characteristic in the S1 box (0Cx --> Ex with probability 14/64)
Input XOR: (00 80 82 00 60 00 00 00x)
Round 1: a' = 60000000x → F → A' = 00808200x = P(E0000000x), p = 14/64
Round 2: b' = 0x → F → B' = 0x, p = 1
Output XOR: (60 00 00 00 00 00 00 00x)
S1 input XOR: 0110 → 0C = 001100; output XOR: E = 1110
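The S1 transition 0C → E with count 14/64 behind this characteristic, and the 001100 design criterion from slide 14, checked from the difference distribution table as an added example (not from the lecture). The S1 table is the standard FIPS 46 table typed in here; the row/column convention is the one slide 14 describes (outer two bits select the row).

```python
# Standard DES S1 (FIPS 46): rows are selected by the outer two input bits.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(S, x):
    """6-bit input -> 4-bit output: row = (b5, b0), column = b4..b1."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return S[row][(x >> 1) & 0xF]

def ddt(S):
    """Difference distribution table: ddt[dx][dy] = #{x : S(x) ^ S(x ^ dx) = dy}."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][sbox(S, x) ^ sbox(S, x ^ dx)] += 1
    return table

def best_output_diff(S, dx):
    """Most likely output XOR for input XOR dx, with its count out of 64."""
    row = ddt(S)[dx]
    dy = max(range(16), key=lambda y: row[y])
    return dy, row[dy]

def min_output_change(S, dx):
    """Smallest Hamming weight of any output XOR reachable from input XOR dx
    (the slide-14 criterion for dx = 001100 asks for at least 2)."""
    row = ddt(S)[dx]
    return min(bin(dy).count("1") for dy in range(16) if row[dy])

def single_bit_criterion(S):
    """True if every single-bit input change alters at least two output bits."""
    return all(min_output_change(S, 1 << i) >= 2 for i in range(6))

def outer_bits_criterion(S):
    """True if S(x) != S(x ^ 11ef00) for every ef, i.e. ddt[dx][0] == 0 for those dx."""
    return all(ddt(S)[dx][0] == 0 for dx in (0x30, 0x34, 0x38, 0x3C))
```

The probability of the characteristic is the round-1 count divided by 64 times the round-2 probability 1, i.e. 14/64, which is the value on the slide.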
51. (1) Choose a suitable plaintext (Pt) XOR.
(2) Get 2 Pts with the chosen Pt XOR and obtain the corresponding ciphertexts (Cts) by encryption.
(3) From the Pt XOR and the pair of Cts, get the expected output XOR for the S-boxes of the final round.
(4) Count the candidate keys at the final round that are consistent with the estimated output XOR.
(5) The right key is the subkey with the largest number of pairs giving the expected output XOR.
52. Self-concatenating probability
Best iterative characteristic of DES
Input XOR: (19 60 00 00 00 00 00 00x)
Round 1: a' = 0x → F → A' = 0x, p1 = 1
Round 2: b' = 19 60 00 00x, E(b') = 03 32 2C 00 00 00 00 00x → F → B' = 0x, p2 = 14 × 8 × 10 / 64^3 = 1/234
Output XOR: (00 00 00 00 19 60 00 00x)
54. Introduction (LC)
◦ Matsui: EC93 [1], CR94 [2]
◦ Known plaintext attack
◦ O(Breaking DES16) ~ 2^43; 12 HP workstations, 50-day operation
◦ Utilizes the probabilistic distribution between input linear sum and output linear sum values iteratively
◦ Duality to DC: XOR branch vs. three-forked branch
◦ Applies to other DES-like cryptosystems
1. M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Proc. of Eurocrypt '93, LNCS 765, pp. 386-397
2. M. Matsui, "The First Experimental Cryptanalysis of the Data Encryption Standard", Proc. of Crypto '94, LNCS 839, pp. 1-11.
55. LC vs. DC
DC: XOR branch after the f-function, i.e., DC goes downstream through the f-function.
  Differential values: Xi = Xi−2 ⊕ Yi−1 (3 ≤ i ≤ n), with probability Π_{i=1}^{n} pi
LC: three-forked branch before the f-function, i.e., LC goes upstream through the f-function.
  Masking values: Yi = Yi−2 ⊕ Xi−1 (3 ≤ i ≤ n), with 2^{n−1} Π_{i=1}^{n} |pi − 1/2|
Xi: the differential value of Xi; Xi−1: the masking value of Xi−1
[Figure: round i of the Feistel structure, inputs Xi−1 and Yi−1, f-function Fi with subkey Ki, outputs Xi and Yi]
56. (Goal): Find a linear approximation
P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb] = K[k1,k2,…,kc]
with significant probability p (≠ 1/2), where A[i,j,…,k] = A[i] ⊕ A[j] ⊕ … ⊕ A[k]
(Algorithm) MLE (Maximum Likelihood Estimation)
(Step 1) For the given P and C, compute X = P[i1,i2,…,ia] ⊕ C[j1,j2,…,jb]; let N = # of Pts given.
(Step 2) If #{X = 0} > N/2 then K[k1,k2,…,kc] = 0, else 1;
         if #{X = 0} < N/2 then K[k1,k2,…,kc] = 1, else 0 (for p > 1/2; the guess is reversed when p < 1/2).
57. For an S-box Sa (a = 1,2,…,8) of DES,
NSa(α,β) = #{x | 0 ≤ x < 64, parity(x•α) = parity(S(x)•β)}
1 ≤ α ≤ 63, 1 ≤ β ≤ 15, •: dot product (bitwise AND)
Ex) NS5(16,15) = 12
◦ The 5th input bit of the S5-box equals the linear sum of the 4 output bits with probability 12/64.
◦ X[15] ⊕ F(X,K)[7,18,24,29] = K[22] with probability 0.19
◦ X[15] ⊕ F(X,K)[7,18,24,29] = K[22] ⊕ 1 with probability 1 − 0.19 = 0.81
(Note) least significant bit at the right, index 0 at the least significant bit (little endian)
60. If independent random variables Xi (1 ≤ i ≤ n) take the value 0 with probability pi and the value 1 with probability (1 − pi), then
p = Prob(X1 ⊕ X2 ⊕ … ⊕ Xn = 0) is
p = 2^{n−1} Π_{i=1}^{n} (pi − 1/2) + 1/2.
The number of known plaintexts required for LC with success probability 97.7% is |p − 1/2|^{−2}.
63. Traditional Cryptographic Model vs. Side Channel
[Figure: the sender computes C = E(P, Ke) with E() and key Ke; C travels over the insecure channel to the receiver, who computes P = D(C, Kd) with D() and key Kd; the keys are distributed over a secure channel. The attacker observes the insecure channel and side channels: power consumption / timing / EM emissions / acoustic; radiation / temperature / power supply / clock rate, etc.]
64. Reading list (presenter in parentheses)
1. ☆ J. Daemen and V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, 2002. (배성호)
2. ★ M. E. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26 (1980), 401-406. (임준현)
3. ☆ E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. LNCS 740 (1993), 494-502. (CRYPTO '92) (장래영)
4. ☆ M. Bellare and P. Rogaway. Optimal asymmetric encryption. LNCS 950 (1995), 92-111. (EUROCRYPT '94) (조준희)
5. ☆ S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28 (1984), 270-299. (황대성)
6. ★ J. H. Moore. Protocol failures in cryptosystems. In Contemporary Cryptology: The Science of Information Integrity, pages 541-558. IEEE Press, 1992. (남궁호)
7. ☆ M. Bellare, J. Kilian and P. Rogaway. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences, 61 (2000), 362-399. (장래영)
8. ★ W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22 (1976), 644-654. (조준희)
9. ★ M. Matsui. Linear cryptanalysis method for DES cipher. LNCS 765 (1994), 386-397. (EUROCRYPT '93) (배성호)
10. ☆ M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, pages 62-73. ACM Press, 1993. (김영삼)
PT #1, PT #2
65. Reading list, continued
11. ☆ N. T. Courtois and J. Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. LNCS 2501 (2002), 267-287. (ASIACRYPT 2002) (조준희)
12. ☆ S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24 (1978), 106-110. (황대성)
13. ☆ M. J. Wiener. Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, 36 (1990), 553-558. (남궁호)
14. ★ T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31 (1985), 469-472. (장래영)
15. ☆ D. Chaum and H. van Antwerpen. Undeniable signature. LNCS 435 (1990), 212-216. (CRYPTO '89) (신지강)
16. ☆☆ P. Beauchemin, G. Brassard, C. Crépeau, C. Goutier and C. Pomerance. The generation of random numbers that are probably prime. Journal of Cryptology, 1 (1988), 53-64. (남궁호)
17. ☆☆ M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. LNCS 1070 (1996), 399-416. (EUROCRYPT '96) (임준현)
18. ★ A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. LNCS 263 (1987), 186-194. (CRYPTO '86) (김영삼)
19. ☆☆ M. Bellare. Practice-oriented provable-security. In Lectures on Data Security, pages 1-15. Springer, 1999. (신지강)
20. ★ A. Fiat and M. Naor. Broadcast encryption. LNCS 773 (1994), 480-491. (CRYPTO '93) (황대성)
PT #3, PT #4
66. Reading list, continued
21. ☆ M. Burmester and Y. Desmedt. A secure and efficient conference key distribution system. LNCS 250 (1994), 275-286. (EUROCRYPT '94) (김영삼)
22. ★ U. Feige, A. Fiat and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1 (1988), 77-94. (신지강)
23. ☆ C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4 (1991), 161-174. (임준현)
24. ☆ D. E. Denning and G. M. Sacco. Timestamps in key distribution protocols. Communications of the ACM, 24 (1981), 533-536. (배성호)
PT #5
★: required, ☆: difficulty 1, ☆☆: difficulty 2 (bonus points)