Block Ciphers II: Applied Cryptography Lecture Notes, Lecture notes of Cryptography and System Security

These lecture notes cover the topic of block ciphers, specifically the significance of PRFs and PRPs, attacks on the DES algorithm, the AES block cipher, and modes of operation for block ciphers. The notes also discuss how a PRG can be constructed from a PRF and how to extend past the range of x. The lecture was taught by Dakshita Khurana at the University of Illinois, Urbana Champaign in September 2020.

Typology: Lecture notes

2019/2020

Uploaded on 05/11/2023


University of Illinois, Urbana Champaign
CS/ECE 498AC3/4 Applied Cryptography
Instructor: Dakshita Khurana
Scribe: Jeremy Poynton, Hamilton Silberg
Date: September 3, 2020

Lecture 4: Block Ciphers II

In the previous lecture, we introduced block ciphers as a response to the limitations of stream ciphers. We looked at the definitions of PRFs and PRPs and at the distinguishing games used to define their security. Continuing from there, we look further at the significance of PRFs and PRPs, especially at using a block cipher, as a PRP, to build a semantically secure cipher.

The last lecture also introduced the DES algorithm and the Feistel network structure, which builds an invertible function out of components that need not be invertible. We will investigate attacks on DES and introduce the variants of DES designed to improve its security.

Expanding on DES, we also look at the AES block cipher. AES is a substitution-permutation network, which distinguishes it from the Feistel structure of DES. It is composed entirely of invertible steps, and the non-linearity we identified as critical to a secure cipher is provided by one of them, the S-box substitution. Along with its structure, we compare its security with that of DES through their best known attacks.

Finally, we look at a few modes of operation for block ciphers. Each mode defines a way to use the block cipher to encrypt and decrypt a plaintext made up of many blocks, and each has different properties that affect the security and performance of the overall scheme. Although discussed here for AES, these modes apply to any block cipher.

4.1 Building a PRF from a PRG

Last lecture we saw how to construct a PRG from a PRF: evaluate the PRF on an incrementing counter and concatenate the outputs, F(K, 0) || F(K, 1) || F(K, 2) || ... . The result is a secure PRG because a PRF evaluated on distinct inputs is indistinguishable from a sequence of independent random values.

We now go the other direction and build a PRF from a PRG. Just as we concatenated PRF outputs to build a PRG, we can partition PRG output to build a PRF. Given a secure length-doubling PRG G : {0,1}^n -> {0,1}^{2n}, write G(K)[0] and G(K)[1] for the left and right halves of G(K), and define a PRF F on one-bit inputs as:

F(K, x) = G(K)[x] for x ∈ {0, 1}

As noted, this only handles x ∈ {0, 1}, since it uses up both halves of the PRG output. What happens if we want to extend past that range? We can build a binary tree by feeding each half of the PRG's output back into the PRG: every n-bit node has two n-bit children, G(node)[0] and G(node)[1]. Given a binary input x, we start at the root K and follow the child selected by each bit of x in turn. More formally, with x_i denoting the i-th bit of x:

F(K, x) = G(G(K)[x_0])[x_1] for x = x_0 x_1 ∈ {0, 1}^2

This gives a tree for any desired input length: each additional bit of x adds one more layer and one more recursive call. A tree of depth a covers all 2^a values of x. For example, with three-bit x:

F(K, x) = G(G(G(K)[x_0])[x_1])[x_2] for x = x_0 x_1 x_2 ∈ {0, 1}^3

This process extends as needed. It is inefficient, costing one PRG evaluation per input bit, but it does yield a secure PRF; this is the Goldreich-Goldwasser-Micali (GGM) construction. The intuition that each leaf is pseudorandom because it is built from pseudorandom inputs is made rigorous by a hybrid argument: replace the PRG outputs with truly random strings one level of the tree at a time. An adversary making q queries touches at most q nodes per level, so each hybrid step costs at most q times the PRG advantage, and the total distinguishing advantage stays negligible. Thus the existence of a secure PRG implies the existence of a secure PRF.
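Both directions of this section, the counter-mode PRG from a PRF and the GGM tree PRF from a PRG, as an added example that is not part of the original notes. The length-doubling PRG G is a SHA-256 based stand-in chosen here for illustration (treating it as a PRG is an assumption of this example), and PRF inputs are written as bit strings such as "011" so that the calls line up with the notation F(K, x) = G(...G(G(K)[x_0])[x_1]...)[x_{n-1}] above.

```python
"""PRG <-> PRF constructions from Section 4.1.

Added example; this is not code from the lecture notes. The length-doubling PRG
G is a stand-in built from SHA-256 (an assumption of this example, not a proven
PRG): G(K) = SHA256(K || 0x00) || SHA256(K || 0x01), so KEY_LEN-byte seeds map
to 2 * KEY_LEN bytes. PRF inputs are bit strings such as "011".
"""
import hashlib

KEY_LEN = 32  # bytes; G: {0,1}^(8*KEY_LEN) -> {0,1}^(16*KEY_LEN)


def prg(seed: bytes) -> bytes:
    """Length-doubling PRG stand-in (assumption): KEY_LEN bytes in, 2*KEY_LEN out."""
    if len(seed) != KEY_LEN:
        raise ValueError("seed must be KEY_LEN bytes")
    return (hashlib.sha256(seed + b"\x00").digest()
            + hashlib.sha256(seed + b"\x01").digest())


def prg_half(seed: bytes, bit: int) -> bytes:
    """G(seed)[bit]: the left half for bit 0, the right half for bit 1."""
    out = prg(seed)
    return out[:KEY_LEN] if bit == 0 else out[KEY_LEN:]


def ggm_prf(key: bytes, x: str) -> bytes:
    """F(K, x): start at the root K and, for each bit of x (most significant
    first), move to the child G(node)[bit]. Costs len(x) PRG evaluations."""
    if not x or any(ch not in "01" for ch in x):
        raise ValueError("x must be a non-empty string of '0'/'1' characters")
    node = key
    for ch in x:
        node = prg_half(node, int(ch))
    return node


def prf_to_prg(key: bytes, n_bits: int) -> bytes:
    """The reverse direction recalled at the start of 4.1: a PRG from a PRF by
    concatenating F(K, 0), F(K, 1), ..., F(K, 2^n_bits - 1) over counter inputs."""
    return b"".join(ggm_prf(key, format(i, f"0{n_bits}b")) for i in range(1 << n_bits))


if __name__ == "__main__":
    K = bytes(range(KEY_LEN))  # constructed demo key; never use a fixed key for real
    print("F(K, 01)  =", ggm_prf(K, "01").hex())
    print("F(K, 101) =", ggm_prf(K, "101").hex())
    print("PRG from PRF over a 3-bit counter:", len(prf_to_prg(K, 3)), "bytes")
```

Evaluating F on a 128-bit input walks 128 levels and so costs 128 PRG calls, which is why the GGM tree is a feasibility result rather than the way PRFs are built in practice; a block cipher such as AES gives a PRF (strictly, a PRP) in one call.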

4.2 DES attacks

DES is vulnerable to exhaustive key search given known plaintext. With two plaintext blocks and their corresponding ciphertexts, we can iterate through the entire key space; if a key encrypts both plaintexts to the correct ciphertexts, with high probability it is the only such key.

More formally, given two pairs (m_1, c_1), (m_2, c_2) with c_1 = E(k*, m_1) and c_2 = E(k*, m_2) for the unknown key k*, with high probability there is at most one key k such that c_1 = E(k, m_1) and c_2 = E(k, m_2). The reason two pairs suffice: a wrong key behaves roughly like a random permutation on the 64-bit block, so it matches a given pair with probability about 2^-64. Over the 2^56 wrong keys we therefore expect about 2^-8 false matches with one pair, and about 2^-72 with two.

Because DES uses a 56-bit key, exhaustive search takes 2^56 DES evaluations. With modern computing this is broken quickly and cheaply. For example, in the 1999 DES Challenge III, the key to a DES encryption was recovered in just over 22 hours by plain brute force, using the EFF's Deep Crack machine together with the distributed.net network.

Because of the low level of security DES provides, several extensions have been proposed to increase resistance to this attack.

4.3 Triple-DES

The first intuitive way of increasing resistance to exhaustive key search is to increase the key size. Triple-DES uses a key size of 168 bits, breaking down to three separate DES

Meet in the middle extends to Triple-DES as well. As with 2-DES, the ciphertext is decrypted under every possible key, but here the first two encryption operations are treated as a single step: an intermediate text is computed for every possible (k_1, k_2) pair, giving a table of 2^112 entries, and the decryptions of the ciphertext under each of the 2^56 choices of k_3 are searched for a match. The attacker's cost is dominated by the 2^112 side, bringing the time to attack Triple-DES to about 2^112 log 2^112 (the log term again accounts for sorting and scanning for matches), together with 2^112 storage. The 168-bit key thus buys only about 112 bits of security.

Because of how multiple encryption composes, it is clear that no matter how many encryption or decryption operations are chained, a meet in the middle attack remains possible given known plaintext/ciphertext pairs. A hypothetical 4-DES or 5-DES would still fall short of exhaustive-search security: the attacker stores the intermediate texts from one side in a table and looks for matches coming from the other side. At that point, the problem becomes a trade-off between space and time.
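The two attacks above, exhaustive known-plaintext search (Section 4.2) and meet in the middle against double encryption (this section), as an added example that is not part of the original notes. DES itself is far too large to exhaust in a script, so the code uses a constructed toy cipher: a 4-round Feistel network with a 16-bit block and a 12-bit key, so that a single key space is 2^12 and double encryption has a nominal 2^24 key space. The cipher, its key schedule and all sample keys and plaintexts are assumptions of this example and have no security.

```python
"""Known-plaintext key search and meet-in-the-middle on a toy cipher.

Added example, not code from the lecture notes. The cipher is a 4-round Feistel
network with a 16-bit block and a 12-bit key, built only so that the key space
(2^12) is small enough to exhaust in Python; it is not DES and has no security.
Everything labelled "toy" or "constructed" is an assumption of this example.
"""
from typing import Dict, List, Tuple

KEY_BITS = 12
Pair = Tuple[int, int]  # (plaintext block, ciphertext block)


def _f(x: int, rk: int) -> int:
    """Non-linear Feistel round function on an 8-bit half; need not be invertible."""
    y = ((x ^ rk) * 0x9D + 0x3B) & 0xFF
    y = ((y << 3) | (y >> 5)) & 0xFF
    return y ^ (y >> 4)


def _round_keys(key: int) -> List[int]:
    """Injective toy schedule: rk0 and rk1 together determine all 12 key bits."""
    rk0 = key & 0xFF
    rk1 = (key >> 4) & 0xFF
    return [rk0, rk1, rk0 ^ rk1, (rk0 + rk1) & 0xFF]


def toy_encrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r


def toy_decrypt(key: int, block: int) -> int:
    l, r = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r


def double_encrypt(k1: int, k2: int, block: int) -> int:
    """Double encryption (the toy analogue of 2-DES): a 24-bit key in total."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def exhaustive_search(pairs: List[Pair]) -> List[int]:
    """Section 4.2: try every key and keep those consistent with all known pairs.
    Cost: 2^KEY_BITS trial encryptions (plus a few more for the extra pairs)."""
    return [k for k in range(1 << KEY_BITS)
            if all(toy_encrypt(k, m) == c for m, c in pairs)]


def meet_in_the_middle(pairs: List[Pair]) -> List[Tuple[int, int]]:
    """Recover (k1, k2) for double_encrypt with about 2 * 2^KEY_BITS cipher calls
    instead of 2^(2 * KEY_BITS). The extra pairs filter out false matches."""
    m0, c0 = pairs[0]
    # Forward table: intermediate value E(k1, m0) -> every k1 that produces it.
    table: Dict[int, List[int]] = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, m0), []).append(k1)
    # Backward pass: D(k2, c0) must hit the same intermediate value.
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                found.append((k1, k2))
    return found


def make_pairs(k1: int, k2: int, plaintexts: List[int]) -> List[Pair]:
    """Constructed known-plaintext material for double_encrypt under (k1, k2)."""
    return [(m, double_encrypt(k1, k2, m)) for m in plaintexts]


if __name__ == "__main__":
    pairs = make_pairs(0xA5C, 0x3F1, [0x1234, 0xBEEF, 0x0042])
    print("recovered (k1, k2):", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The forward table is the space side of the space/time trade-off: it holds one entry per k1, so for real 2-DES it would need 2^56 entries, which is why the attack is described as 2^56 time and 2^56 memory rather than as "free". The first pair alone already eliminates almost every wrong (k1, k2), and the remaining pairs are only consulted for the handful of candidates that survive the table match.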

4.6 DESX

DESX is a variant of DES encryption that is less vulnerable to meet in the middle than the multiple-DES constructions. Like Triple-DES it uses three keys, but instead of three DES operations it applies two of the keys through XOR operations around a single DES encryption:

EX((k_1, k_2, k_3), m) = k_1 ⊕ E(k_2, m ⊕ k_3)

XORing key material into the block before and after an encryption is called key whitening, and DESX was the first scheme to use it. k_2 is the 56-bit DES key, while k_1 and k_3 are 64-bit whitening keys (the DES block size), so the total key size is 184 bits. The effective security of DESX against key recovery, however, has been determined to be about 2^120.

4.7 The AES algorithm

The Advanced Encryption Standard (AES), also known as the Rijndael algorithm, was selected through an open NIST competition for a standard encryption algorithm. It is a substitution-permutation network: it interleaves a non-linear substitution step, which provides confusion, with linear permutation and mixing steps, which provide diffusion, and for that reason the structure is also called a confusion-diffusion network. One important detail of AES is its choice of key sizes. The three levels trade off performance and security: smaller keys are faster because they use fewer rounds, and larger keys are more secure because of the larger key space. Selecting the security level within the algorithm itself is simpler for users than with DES, where a separate construction such as 3DES or DESX must be built on top to improve security.

AES consists of a series of rounds that carry out this substitution and permutation. Before the first round, and at the end of every round, a round key derived from the cipher key is XORed into the state. The number of rounds is determined by the key size: 10 rounds for a 128-bit key, 12 for a 192-bit key, and 14 for a 256-bit key. The key expansion derives the round keys from the cipher key through a relatively simple process of word rotations, S-box substitutions and XORs with fixed round constants. Every round key is 128 bits, the size of the state; a larger cipher key does not produce larger round keys but more of them, one per round plus one for the initial key addition (11, 13 or 15 in total).

Throughout the algorithm, the 128-bit data block is represented as a 4x4 grid of bytes (the state), filled column by column; this layout matters for several of the steps. The first step of each round is the S-box substitution (SubBytes), in which each byte is replaced by another following a fixed lookup table. This is the algorithm's main source of non-linearity. The table is specified by the AES standard and is derived algebraically: each byte is replaced by its multiplicative inverse in GF(2^8) (with 0 mapped to 0), followed by a fixed affine transformation over GF(2). It has no fixed points and no "opposite" fixed points: no input maps to itself or to its bitwise complement. The result is a one-to-one mapping that is non-linear and invertible.

After SubBytes comes ShiftRows. With the state viewed as a four-by-four matrix, each row is rotated independently: row i is rotated left by i bytes, with the first row indexed 0 and therefore left unchanged. This step is also invertible.

$$
\begin{pmatrix}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,0} & s_{1,1} & s_{1,2} & s_{1,3} \\
s_{2,0} & s_{2,1} & s_{2,2} & s_{2,3} \\
s_{3,0} & s_{3,1} & s_{3,2} & s_{3,3}
\end{pmatrix}
\xrightarrow{\mathrm{ShiftRows}}
\begin{pmatrix}
s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\
s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\
s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\
s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2}
\end{pmatrix}
$$

The final step of the round is MixColumns. Each column is mixed independently as a linear combination of its four bytes, with weights given by a fixed matrix. The arithmetic takes place in GF(2^8): each byte is read as a polynomial of degree at most 7 with coefficients in GF(2) (bit i is the coefficient of x^i), addition is XOR, and products are reduced modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1. After the round key is XORed in, the result becomes the input to the next round. A small detail of AES is that MixColumns is omitted from the final round; this makes the structure of the inverse cipher mirror that of the cipher more closely. [1]

$$
\begin{pmatrix} s'_{0,c} \\ s'_{1,c} \\ s'_{2,c} \\ s'_{3,c} \end{pmatrix}
=
\begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix}
\begin{pmatrix} s_{0,c} \\ s_{1,c} \\ s_{2,c} \\ s_{3,c} \end{pmatrix},
\qquad c = 0, 1, 2, 3
$$

That is, s'_{0,c} = 2 s_{0,c} ⊕ 3 s_{1,c} ⊕ s_{2,c} ⊕ s_{3,c}, s'_{1,c} = s_{0,c} ⊕ 2 s_{1,c} ⊕ 3 s_{2,c} ⊕ s_{3,c}, and so on, with every product computed in GF(2^8).

At the end of the algorithm we are left with a 128-bit ciphertext, produced under our key of 128, 192 or 256 bits. AES has been a standard for many years and has undergone extensive cryptanalysis in search of attacks and weaknesses.
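The round steps described in this section, as an added example that is not code from the notes or from any AES library: the S-box is generated from its algebraic definition (GF(2^8) inverse followed by the affine map) so that the "no fixed point, no complement" property stated above can be checked, and ShiftRows, MixColumns and their inverses are implemented on the 4x4 state exactly as in the matrices above. The key schedule is not included; round keys are supplied as constructed 4x4 byte arrays.

```python
"""AES round primitives on the 4x4 byte state (added example; not code from the notes).
The S-box is generated from its algebraic definition (inverse in GF(2^8), then an
affine map) so the properties stated above can be checked rather than assumed.
state[r][c] is the byte in row r, column c, as in the matrices above."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as GF(2) polynomials, reducing modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8) as a^254 (the group has order 255); inv(0) = 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if a else 0

def _affine(b: int) -> int:
    """Affine half of SubBytes: XOR of b rotated left by 0..4 bits, plus the constant 0x63."""
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(i)) for i in range(256)]
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def sbox_is_well_formed() -> bool:
    """Bijective, no fixed point S(x) == x, no 'opposite' fixed point S(x) == ~x."""
    return (sorted(SBOX) == list(range(256))
            and all(SBOX[x] != x and SBOX[x] != x ^ 0xFF for x in range(256)))

def sub_bytes(state, inverse=False):
    box = INV_SBOX if inverse else SBOX
    return [[box[b] for b in row] for row in state]

def shift_rows(state, inverse=False):
    """Row r rotates left by r bytes (right when inverting); row 0 is unchanged."""
    out = []
    for r, row in enumerate(state):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out

# MixColumns matrix and its inverse; entries are GF(2^8) constants.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_columns(state, inverse=False):
    """Multiply every column by MIX (or INV_MIX) over GF(2^8)."""
    m = INV_MIX if inverse else MIX
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(m[r][k], state[k][c])
            out[r][c] = acc
    return out

def add_round_key(state, round_key):
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]

def aes_round(state, round_key, final=False):
    """One encryption round; MixColumns is skipped in the final round."""
    s = shift_rows(sub_bytes(state))
    if not final:
        s = mix_columns(s)
    return add_round_key(s, round_key)

def inv_aes_round(state, round_key, final=False):
    """Exact inverse of aes_round: undo each step in reverse order."""
    s = add_round_key(state, round_key)
    if not final:
        s = mix_columns(s, inverse=True)
    return sub_bytes(shift_rows(s, inverse=True), inverse=True)

if __name__ == "__main__":
    # Constructed sample state and round key; not official test vectors.
    state = [[(r * 4 + c) * 0x11 for c in range(4)] for r in range(4)]
    rk = [[(r * 4 + c) ^ 0xA5 for c in range(4)] for r in range(4)]
    assert inv_aes_round(aes_round(state, rk), rk) == state
    print("S-box bijective with no fixed or opposite fixed points:", sbox_is_well_formed())
```

Computing the S-box from its definition rather than pasting the 256-entry table also makes it clear which design choices carry the non-linearity: `gf_inv` is the only non-affine step, and the affine map exists precisely to remove the fixed points 0 and 1 that inversion alone would leave (note that every other step of the round is linear over GF(2), so without SubBytes the whole cipher would collapse to an affine map of the plaintext).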

4.8 Attacks on AES

Empirically, AES is far stronger than DES or 3DES. Its key space is much larger (keys of 128 to 256 bits, against 56 bits for DES and 168 for 3DES), and, more importantly, the best known generic key recovery attack on AES-128 takes about 2^126 operations, only marginally better than exhaustive search of the 2^128 key space. The best generic key recovery attack on 3DES, by contrast, takes about 2^118, far below its nominal key space of 2^168.

There are better attacks, but the input they require is quite specialized. Because the key expansion is simple relative to the rest of the algorithm, there is a related-key attack on AES-256: given encryptions under a set of keys related in specific ways, the keys can be recovered in only about 2^99 time. This

4.10 Conclusion

In this lecture we continued our study of block ciphers, looking at DES and AES as concrete examples and at how they relate to core security notions such as PRPs. Examining their constructions gives a stronger sense of what matters in a cipher with the properties we want, and in some cases of how properties of an algorithm can undermine semantic security. We also introduced modes of operation for block ciphers and their implications: how a secure PRP is applied can make or break a secure encryption scheme. In future lectures we will cover further modes of operation that achieve different properties, such as safe key reuse and better performance through parallel encryption and decryption.

Acknowledgement

These scribe notes were prepared by editing a light modification of the template designed by Alexander Sherstov.

References

[1] D. Boneh and V. Shoup. A Graduate Course in Applied Cryptography. Cambridge University Press, 0.5 edition, 2020.