Block ciphers
What is a block cipher?

Online Cryptography Course, Dan Boneh
Block ciphers: crypto work horse

  PT Block (n bits) --> [ E, D ] --> CT Block (n bits)
                           ^
                       Key (k bits)

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits
Block Ciphers Built by Iteration

  key k --> key expansion --> k1, k2, k3, ..., kn

  m --> R(k1,.) --> R(k2,.) --> R(k3,.) --> ... --> R(kn,.) --> c

R(k,m) is called a round function
  for 3DES (n=48), for AES-128 (n=10)
Performance: Crypto++ 5.6.0 [Wei Dai]
AMD Opteron, 2.2 GHz (Linux)

          Cipher        Block/key size   Speed (MB/sec)
  stream  RC4                                 126
          Salsa20/12                          643
          Sosemanuk                           727

  block   3DES          64/168                 13
          AES-128       128/128               109
Abstractly: PRPs and PRFs

Pseudo Random Function (PRF) defined over (K,X,Y):
    F: K × X → Y
  such that exists "efficient" algorithm to evaluate F(k,x)

Pseudo Random Permutation (PRP) defined over (K,X):
    E: K × X → X
  such that:
  1. Exists "efficient" deterministic algorithm to evaluate E(k,x)
  2. The function E(k,·) is one-to-one
  3. Exists "efficient" inversion algorithm D(k,y)
Running example

Example PRPs: 3DES, AES, ...
  AES:  K × X → X  where K = X = {0,1}^128
  3DES: K × X → X  where X = {0,1}^64, K = {0,1}^168

Functionally, any PRP is also a PRF.
  A PRP is a PRF where X = Y and is efficiently invertible.
Secure PRFs

Let F: K × X → Y be a PRF
  Funs[X,Y]: the set of all functions from X to Y
  S_F = { F(k,·) s.t. k ∈ K } ⊆ Funs[X,Y]

Intuition: a PRF is secure if
  a random function in Funs[X,Y] is indistinguishable from
  a random function in S_F

  (S_F has size |K|; Funs[X,Y] has size |Y|^|X|)

Game:  k ← K,  f ← Funs[X,Y]
  on query x ∈ X the challenger returns either f(x) or F(k,x);
  the adversary must decide which one it is seeing:  f(x) or F(k,x)?  ???
Secure PRPs (secure block cipher)

Let E: K × X → X be a PRP
  Perms[X]: the set of all one-to-one functions from X to X
  S_E = { E(k,·) s.t. k ∈ K } ⊆ Perms[X]

Intuition: a PRP is secure if
  a random function in Perms[X] is indistinguishable from
  a random function in S_E

Game:  k ← K,  π ← Perms[X]
  on query x ∈ X the challenger returns either π(x) or E(k,x);
  the adversary must decide which one it is seeing:  π(x) or E(k,x)?  ???
Quiz

Let F: K × X → {0,1}^128 be a secure PRF.
Is the following G a secure PRF?

  G(k, x) = 0^128    if x = 0
            F(k,x)   otherwise

  No, it is easy to distinguish G from a random function
  Yes, an attack on G would also break F
  It depends on F
An easy application: PRF ⇒ PRG

Let F: K × {0,1}^n → {0,1}^n be a secure PRF.

Then the following G: K → {0,1}^{nt} is a secure PRG:

  G(k) = F(k,0) || F(k,1) || ... || F(k,t-1)

Key property: parallelizable
Security from PRF property: F(k,·) indist. from random function f(·)
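The PRF ⇒ PRG construction above, as an added example in Python (not code from the lecture). It assumes HMAC-SHA256 in the role of the abstract secure PRF F with n = 256, and encodes the counter as a fixed-width 32-byte big-endian integer; the interesting part is `prg_block`, which shows the "parallelizable" property: any block of G(k) is one independent PRF call.

```python
import hmac
import hashlib

# Assumption (added example): HMAC-SHA256 stands in for the abstract secure
# PRF F: K x {0,1}^n -> {0,1}^n, with n = 256 and the input x encoded as a
# fixed-width 32-byte big-endian integer.
N_BITS = 256
N_BYTES = N_BITS // 8


def prf(key: bytes, x: int) -> bytes:
    """F(k, x): evaluate the PRF on an n-bit input x given as an integer."""
    if not 0 <= x < 2 ** N_BITS:
        raise ValueError("x is outside the PRF domain {0,1}^n")
    return hmac.new(key, x.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()


def prg(key: bytes, t: int) -> bytes:
    """G(k) = F(k,0) || F(k,1) || ... || F(k,t-1): an n*t-bit PRG output."""
    return b"".join(prf(key, i) for i in range(t))


def prg_block(key: bytes, i: int) -> bytes:
    """Random access: block i of G(k) is F(k,i), computed without the others.
    This is the 'parallelizable' property: every block is an independent
    PRF evaluation, so blocks can be produced in any order or in parallel."""
    return prf(key, i)


def check_random_access(key: bytes, t: int) -> bool:
    """Confirm that assembling blocks individually gives the same stream as prg()."""
    stream = prg(key, t)
    for i in range(t):
        if stream[i * N_BYTES:(i + 1) * N_BYTES] != prg_block(key, i):
            return False
    return len(stream) == t * N_BYTES


if __name__ == "__main__":
    k = bytes.fromhex("00" * 31 + "01")  # constructed demo key, not a real secret
    print(prg(k, 4).hex())
    print("random access consistent:", check_random_access(k, 4))
```

The same structure is what counter-mode generators do in practice; the security argument is exactly the slide's: if F(k,·) were a truly random function, the t blocks would be t independent uniform strings.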
End of Segment


Block ciphers
The data encryption standard (DES)

Online Cryptography Course, Dan Boneh
The Data Encryption Standard (DES)

Early 1970s: Horst Feistel designs Lucifer at IBM
  key-len = 128 bits, block-len = 128 bits
1973: NBS asks for block cipher proposals.
  IBM submits variant of Lucifer.
1976: NBS adopts DES as a federal standard
  key-len = 56 bits, block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES

Widely deployed in banking (ACH) and commerce
DES: core idea - Feistel network

Given functions f1, ..., fd: {0,1}^n → {0,1}^n
Goal: build invertible function F: {0,1}^{2n} → {0,1}^{2n}

  input: (R0, L0), each half n bits
  round i: (R_{i-1}, L_{i-1}) → (R_i, L_i), using f_i
  output: (Rd, Ld)

In symbols:   R_i = f_i(R_{i-1}) ⊕ L_{i-1}
              L_i = R_{i-1}
Claim: for all f1, ..., fd: {0,1}^n → {0,1}^n
  Feistel network F: {0,1}^{2n} → {0,1}^{2n} is invertible

Proof: construct inverse

  forward round i:  (R_{i-1}, L_{i-1}) --f_i--> (R_i, L_i)

  inverse:          R_{i-1} = L_i
                    L_{i-1} = f_i(L_i) ⊕ R_i
Decryption circuit

Inversion is basically the same circuit,
  with f1, ..., fd applied in reverse order

  (Rd, Ld) --fd--> (R_{d-1}, L_{d-1}) --f_{d-1}--> (R_{d-2}, L_{d-2}) --> ... --f1--> (R0, L0)

General method for building invertible functions (block ciphers)
from arbitrary functions.
  Used in many block ciphers ... but not AES
"Thm:" (Luby-Rackoff '85):
  f: K × {0,1}^n → {0,1}^n a secure PRF
  ⇒ 3-round Feistel F: K^3 × {0,1}^{2n} → {0,1}^{2n} a secure PRP

  input (R0, L0) --f--> (R1, L1) --f--> (R2, L2) --f--> (R3, L3) output
DES: 16 round Feistel network

f1, ..., f16: {0,1}^32 → {0,1}^32,   f_i(x) = F(k_i, x)

  input (64 bits) → IP → 16 round Feistel network → IP^{-1} → output (64 bits)
  key k → key expansion → k1, k2, ..., k16

To invert, use keys in reverse order
The function F(k_i, x)

S-box: function {0,1}^6 → {0,1}^4, implemented as look-up table.

The S-boxes

  S_i: {0,1}^6 → {0,1}^4
Example: a bad S-box choice

Suppose:
  S_i(x1, x2, ..., x6) = ( x2⊕x3,  x1⊕x4⊕x5,  x1⊕x6,  x2⊕x3⊕x6 )

or written equivalently:  S_i(x) = A_i · x  (mod 2)

      | 0 1 1 0 0 0 |   | x1 |     | x2⊕x3    |
      | 1 0 0 1 1 0 | . | x2 |     | x1⊕x4⊕x5 |
      | 1 0 0 0 0 1 |   | x3 |  =  | x1⊕x6    |
      | 0 1 1 0 0 1 |   | x4 |     | x2⊕x3⊕x6 |
                        | x5 |
                        | x6 |

We say that S_i is a linear function.
Example: a bad S-box choice

Then entire DES cipher would be linear: ∃ fixed binary matrix B s.t.

  DES(k,m) = B · (m, k1, k2, ..., k16)^T = c   (mod 2)

  (B has 64 rows and 832 columns)

But then:  DES(k,m1) ⊕ DES(k,m2) ⊕ DES(k,m3)
           = B·(m1, k) ⊕ B·(m2, k) ⊕ B·(m3, k)
           = B·(m1⊕m2⊕m3, k⊕k⊕k)
           = DES(k, m1⊕m2⊕m3)   (mod 2)
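An added Python example (not code from the lecture) that checks both claims of this segment on a toy Feistel network: that the Feistel circuit is invertible for any round functions when the same circuit is run with f_d, ..., f_1 in reverse order, and that plugging in the linear S-box from the slide makes the whole cipher linear, so E(k,m1) ⊕ E(k,m2) ⊕ E(k,m3) = E(k, m1⊕m2⊕m3) holds for every triple, while a constructed non-linear round function breaks the relation. The 6-bit half-block width, the 3-round structure, the round keys, and the non-linear comparison function are all assumptions of the toy.

```python
import random
from typing import Callable, List, Tuple

N = 6                    # half-block width in bits (toy assumption)
MASK = (1 << N) - 1
RoundFn = Callable[[int], int]

# The linear S-box from the slide, one row of A_i per output bit (MSB = x1).
A_I = [0b011000,   # x2 ^ x3
       0b100110,   # x1 ^ x4 ^ x5
       0b100001,   # x1 ^ x6
       0b011001]   # x2 ^ x3 ^ x6


def linear_sbox(x: int) -> int:
    """S_i(x) = A_i . x (mod 2): each output bit is the parity of a masked input."""
    out = 0
    for row in A_I:
        out = (out << 1) | (bin(x & row).count("1") & 1)
    return out


def nonlinear_sbox(x: int) -> int:
    """A constructed NON-linear round function (contains an AND of input bits)."""
    return (x ^ ((x << 1) & x)) & MASK


def keyed_rounds(sbox: RoundFn, round_keys: List[int]) -> List[RoundFn]:
    """f_i(x) = S(x ^ k_i): the round function of round i under round key k_i."""
    return [lambda x, k=k: sbox((x ^ k) & MASK) for k in round_keys]


def feistel(rounds: List[RoundFn], r: int, l: int) -> Tuple[int, int]:
    """Run the Feistel circuit: R_i = f_i(R_{i-1}) ^ L_{i-1}, L_i = R_{i-1}."""
    for f in rounds:
        r, l = (f(r) ^ l) & MASK, r
    return r, l


def feistel_inverse(rounds: List[RoundFn], r: int, l: int) -> Tuple[int, int]:
    """Same circuit with f_d, ..., f_1 in reverse order and the halves swapped
    on the way in and out: R_{i-1} = L_i, L_{i-1} = f_i(L_i) ^ R_i."""
    l0, r0 = feistel(list(reversed(rounds)), l, r)
    return r0, l0


def encrypt(sbox: RoundFn, round_keys: List[int], m: int) -> int:
    """E(k, m) on a 2n-bit block m = R || L."""
    r, l = feistel(keyed_rounds(sbox, round_keys), m >> N, m & MASK)
    return (r << N) | l


def decrypt(sbox: RoundFn, round_keys: List[int], c: int) -> int:
    """D(k, c): the decryption circuit of the slide."""
    r, l = feistel_inverse(keyed_rounds(sbox, round_keys), c >> N, c & MASK)
    return (r << N) | l


def inversion_holds(sbox: RoundFn, round_keys: List[int]) -> bool:
    """Claim 1: decrypt(encrypt(m)) == m for every block, whatever the round functions."""
    return all(decrypt(sbox, round_keys, encrypt(sbox, round_keys, m)) == m
               for m in range(1 << (2 * N)))


def xor_relation_holds(sbox: RoundFn, round_keys: List[int], trials: int = 300) -> bool:
    """Claim 2: does E(k,m1)^E(k,m2)^E(k,m3) == E(k, m1^m2^m3) on every tested triple?
    One structured triple plus a seeded random sample (constructed test data)."""
    rng = random.Random(1)
    triples = [(2, 1, 0)] + [tuple(rng.randrange(1 << (2 * N)) for _ in range(3))
                             for _ in range(trials)]
    e = lambda m: encrypt(sbox, round_keys, m)
    return all(e(m1) ^ e(m2) ^ e(m3) == e(m1 ^ m2 ^ m3) for m1, m2, m3 in triples)


KEYS = [0b101100, 0b010011, 0b111001]  # constructed 3 round keys (toy, not secret)

if __name__ == "__main__":
    print("nonlinear rounds invert:", inversion_holds(nonlinear_sbox, KEYS))
    print("linear rounds invert:", inversion_holds(linear_sbox, KEYS))
    print("linear cipher satisfies XOR relation:", xor_relation_holds(linear_sbox, KEYS))
    print("nonlinear cipher satisfies XOR relation:", xor_relation_holds(nonlinear_sbox, KEYS))
```

Inversion works for both round functions because Feistel never needs f_i to be invertible; the XOR relation, on the other hand, holds only for the linear cipher, which is exactly the defect the slide describes: a linear cipher lets anyone derive the ciphertext of m1⊕m2⊕m3 from three known ciphertexts without the key.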
Choosing the S-boxes and P-box

Choosing the S-boxes and P-box at random would result
in an insecure block cipher (key recovery after ≈2^24 outputs) [BS'89]

Several rules used in choice of S and P boxes:
  no output bit should be close to a linear func. of the input bits
  S-boxes are 4-to-1 maps

End of Segment


Block ciphers
Exhaustive Search Attacks

Online Cryptography Course, Dan Boneh
Exhaustive Search for block cipher key

Goal: given a few input output pairs (m_i, c_i = E(k, m_i)) i=1,..,3
      find key k.

Lemma: Suppose DES is an ideal cipher
  (2^56 random invertible functions)
Then ∀m, c there is at most one key k s.t. c = DES(k, m)
  with prob. ≥ 1 − 1/256 ≈ 99.5%

Proof:
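The probability in the lemma follows from a union bound over the other keys; this is an added worked derivation in the slide's notation, not text from the slide, and it uses only the ideal-cipher assumption the lemma states (every key selects an independent random permutation of {0,1}^64). Fix the true key k with c = DES(k, m); a second consistent key exists with probability

$$
\Pr\big[\exists\, k' \neq k:\ \mathrm{DES}(k',m) = c\big]
\;\le\; \sum_{k' \neq k} \Pr\big[\mathrm{DES}(k',m) = c\big]
\;=\; \frac{2^{56}-1}{2^{64}}
\;<\; 2^{-8} = \frac{1}{256},
$$

so k is the only key consistent with the pair (m, c) with probability at least 1 − 1/256, the ≈99.5% quoted on the slide. With a second pair (m2, c2) each wrong key must also satisfy DES(k', m2) = c2, which multiplies every term of the sum by a further factor of 2^{-64}; that is the source of the much smaller failure probabilities on the next slide.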
Exhaustive Search for block cipher key

For two DES pairs (m1, c1 = DES(k, m1)), (m2, c2 = DES(k, m2)):
  unicity prob. ≈ 1 − 1/2^71

For AES-128: given two inp/out pairs, unicity prob. ≈ 1 − 1/2^128

⇒ two input/output pairs are enough for exhaustive key search.
DES challenge

  msg = "The unknown messages is: XXXX"
  CT  = c1 c2 c3 c4

Goal: find k ∈ {0,1}^56 s.t. DES(k, m_i) = c_i for i=1,2,3

1997: Internet search -- 3 months
1998: EFF machine (deep crack) -- 3 days (250K $)
1999: combined search -- 22 hours
2006: COPACOBANA (120 FPGAs) -- 7 days (10K $)

⇒ 56-bit ciphers should not be used !!  (128-bit key ⇒ 2^72 days)
Strengthening DES against ex. search

Method 1: Triple-DES
  Let E: K × M → M be a block cipher
  Define 3E: K^3 × M → M as
    3E( (k1,k2,k3), m) =

For 3DES: key-size = 3×56 = 168 bits. 3× slower than DES.
  (simple attack in time ≈2^118)
Why not double DES?

Define 2E( (k1,k2), m) = E(k1, E(k2, m))
  key-len = 112 bits for DES

  m → E(k2,·) → E(k1,·) → c

Attack: M = (m1,..., m10), C = (c1,...,c10).

step 1: build table.          k0 = 00...00   E(k0, M)
        sort on 2nd column    k1 = 00...01   E(k1, M)
                              k2 = 00...10   E(k2, M)
                              ...
                              kN = 11...11   E(kN, M)
                              (2^56 entries)
Meet in the middle attack

Attack: M = (m1,..., m10), C = (c1,...,c10)

step 1: build table.          k0 = 00...00   E(k0, M)
                              k1 = 00...01   E(k1, M)
                              k2 = 00...10   E(k2, M)
                              ...
                              kN = 11...11   E(kN, M)

Step 2: for all k ∈ {0,1}^56 do:
  test if D(k, C) is in 2nd column.
  if so then E(k_i, M) = D(k, C)  ⇒  (k_i, k) = (k2, k1)
Meet in the middle attack

Time = 2^56 log(2^56) + 2^56 log(2^56)  <  2^63  <<  2^112,   space ≈ 2^56

Same attack on 3DES:  Time = 2^118,  space ≈ 2^56

  2E:  m → E(k2,·) → E(k1,·) → c
  3E:  m → E(k3,·) → E(k2,·) → E(k1,·) → c
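The two-step meet-in-the-middle procedure from these slides, as an added Python example (not code from the lecture), run against a constructed toy block cipher with a 16-bit block and a 12-bit key so the table fits in memory and the loops finish instantly. The toy cipher, the three known plaintext blocks and the demo key pair are all assumptions; the lesson is the defender's one from the slide: doubling the key length of 2E buys nothing like doubled security, because the 24-bit key pair falls to roughly 2 × 2^12 cipher calls instead of 2^24.

```python
from typing import Dict, List, Tuple

KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS
BLOCK_MASK = 0xFFFF
ODD = 0x9E37                       # odd constant: multiplication is invertible mod 2^16
ODD_INV = pow(ODD, -1, 1 << 16)    # its modular inverse


def toy_enc(k: int, m: int) -> int:
    """E(k, m): xor key material in, multiply by an odd constant, rotate, xor key.
    A constructed toy PRP, chosen only because every step is easy to invert."""
    x = (m ^ (k * 0x1F)) & BLOCK_MASK
    x = (x * ODD) & BLOCK_MASK
    x = ((x << 5) | (x >> 11)) & BLOCK_MASK
    return x ^ k


def toy_dec(k: int, c: int) -> int:
    """D(k, c): undo toy_enc step by step in reverse."""
    x = c ^ k
    x = ((x >> 5) | (x << 11)) & BLOCK_MASK
    x = (x * ODD_INV) & BLOCK_MASK
    return x ^ ((k * 0x1F) & BLOCK_MASK)


def double_enc(k1: int, k2: int, m: int) -> int:
    """2E((k1, k2), m) = E(k1, E(k2, m)), exactly as defined on the slide."""
    return toy_enc(k1, toy_enc(k2, m))


def meet_in_the_middle(M: List[int], C: List[int]) -> List[Tuple[int, int]]:
    """Return every (k1, k2) with 2E((k1,k2), M) = C using the two-step attack."""
    # step 1: build the table k -> E(k, M) for ALL keys, indexed by the 2nd column
    table: Dict[Tuple[int, ...], List[int]] = {}
    for k in range(KEY_SPACE):
        table.setdefault(tuple(toy_enc(k, m) for m in M), []).append(k)
    # step 2: for every k test whether D(k, C) appears in the 2nd column;
    # a hit means E(k_i, M) = D(k, C), so (k_i, k) = (k2, k1)
    found = []
    for k in range(KEY_SPACE):
        middle = tuple(toy_dec(k, c) for c in C)
        for k_i in table.get(middle, []):
            found.append((k, k_i))
    return found


# constructed demo: three known plaintext blocks and a secret key pair
M_DEMO = [0x1234, 0xBEEF, 0x0042]
K1_DEMO, K2_DEMO = 0xABC, 0x3F5
C_DEMO = [double_enc(K1_DEMO, K2_DEMO, m) for m in M_DEMO]


def attack_cost() -> int:
    """Cipher evaluations used by the attack: 2 * 2^12 * |M| (vs 2^24 * |M| naive)."""
    return 2 * KEY_SPACE * len(M_DEMO)


if __name__ == "__main__":
    print("candidates:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(M_DEMO, C_DEMO)])
    print("cipher calls:", attack_cost(), "vs naive", (KEY_SPACE ** 2) * len(M_DEMO))
```

Using several known plaintexts (the slide's M = (m1, ..., m10)) is what makes the middle value E(k, M) long enough that a random wrong key almost never collides with it; the table trades memory (2^12 entries here, 2^56 for DES) for the square-root saving in time.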
Method 2: DESX

E: K × {0,1}^n → {0,1}^n a block cipher
Define EX as  EX( (k1,k2,k3), m) = k1 ⊕ E(k2, m ⊕ k3)

For DESX: key-len = 64+56+64 = 184 bits
  ... but easy attack in time 2^{64+56} = 2^120  (homework)

Note:  k1 ⊕ E(k2, m)  and  E(k2, m ⊕ k1)  does nothing !!

End of Segment


Block ciphers
More attacks on block ciphers

Online Cryptography Course, Dan Boneh
Attacks on the implementation

1. Side channel attacks:
   Measure time to do enc/dec, measure power for enc/dec
   [Kocher, Jaffe, Jun, 1998]   (smartcard)

2. Fault attacks:
   Computing errors in the last round expose the secret key k

⇒ do not even implement crypto primitives yourself ...
Linear and differential attacks [BS'89, M'93]

Given many inp/out pairs, can recover key in time less than 2^56.

Linear cryptanalysis (overview): let c = DES(k, m)
Suppose for random k, m:

  Pr[ m[i1]⊕...⊕m[ir] ⊕ c[j1]⊕...⊕c[jv] = k[l1]⊕...⊕k[lu] ] = 1/2 + ε

For some ε. For DES, this exists with ε = 1/2^21 ≈ 0.0000000477
Linear attacks

  Pr[ m[i1]⊕...⊕m[ir] ⊕ c[j1]⊕...⊕c[jv] = k[l1]⊕...⊕k[lu] ] = 1/2 + ε

Thm: given 1/ε^2 random (m, c = DES(k, m)) pairs then

  k[l1,...,lu] = MAJ[ m[i1,...,ir] ⊕ c[j1,...,jv] ]

with prob. ≥ 97.7%

⇒ with 1/ε^2 inp/out pairs can find k[l1,...,lu] in time ≈1/ε^2.
Linear attacks

For DES, ε = 1/2^21
  ⇒ with 2^42 inp/out pairs can find k[l1,...,lu] in time 2^42

Roughly speaking: can find 14 key "bits" this way in time 2^42

Brute force remaining 56 − 14 = 42 bits in time 2^42

Total attack time ≈2^43  ( << 2^56 )  with 2^42 random inp/out pairs
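The majority-vote theorem two slides up is a statement about biased coins rather than about DES, so it can be checked by simulation. This added Python example (not code from the lecture) assumes a hidden key parity bit b = k[l1]⊕...⊕k[lu] and models each known (m, c) pair as one observation of the parity m[i1..ir] ⊕ c[j1..jv], which equals b with probability 1/2 + ε; it then measures how often MAJ over 1/ε^2 samples recovers b, and compares that to the 2-sigma estimate behind the slide's 97.7%. The bias ε = 0.05 is a constructed value (DES's 1/2^21 would need 2^42 samples).

```python
import math
import random


def majority_recovers_bit(eps: float, b: int, rng: random.Random, factor: float = 1.0) -> bool:
    """Draw n = factor/eps^2 biased samples and report whether MAJ equals the hidden bit b.
    Each sample equals b with probability 1/2 + eps, the slide's bias."""
    n = math.ceil(factor / (eps * eps)) | 1          # odd sample count: no ties
    agree = 0
    for _ in range(n):
        sample = b if rng.random() < 0.5 + eps else 1 - b
        agree += sample                              # counts samples equal to 1
    maj = 1 if 2 * agree > n else 0                  # MAJ of the samples
    return maj == b


def success_rate(eps: float, trials: int, factor: float = 1.0, seed: int = 7) -> float:
    """Fraction of trials in which the majority vote recovers the hidden bit."""
    rng = random.Random(seed)                        # fixed seed: constructed, repeatable data
    wins = 0
    for t in range(trials):
        b = t & 1                                    # alternate the hidden key bit
        wins += majority_recovers_bit(eps, b, rng, factor)
    return wins / trials


def theory_bound(eps: float) -> float:
    """The 2-sigma estimate behind '97.7%': the number of agreeing samples has mean
    n(1/2 + eps) and standard deviation about sqrt(n)/2, so with n = 1/eps^2 the
    mean sits n*eps = 2 * (sqrt(n)/2) above the n/2 decision threshold."""
    n = 1.0 / (eps * eps)
    z = (n * eps) / (math.sqrt(n) / 2)               # = 2 for n = 1/eps^2
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))    # Pr[N(0,1) < z]


if __name__ == "__main__":
    eps = 0.05
    print("theory  :", round(theory_bound(eps), 4))
    print("n=1/e^2 :", success_rate(eps, 400))
    print("n=0.1/e^2:", success_rate(eps, 400, factor=0.1))
```

With a tenth of the samples the vote is right only about three quarters of the time, which is why the sample count, not just the existence of a bias, sets the cost of the attack: for DES the 1/ε^2 = 2^42 pairs are the price of the 14 key bits.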
Lesson

A tiny bit of linearity in S_5 led to a 2^42 time attack.

⇒ don't design ciphers yourself !!
Quantum attacks

Generic search problem:
  Let f: X → {0,1} be a function.
  Goal: find x ∈ X s.t. f(x) = 1.

Classical computer: best generic algorithm time = O( |X| )

Quantum computer [Grover '96]: time = O( |X|^{1/2} )

Can quantum computers be built: unknown
Quantum exhaustive search

Given m, c = E(k, m) define

  f(k) = 1   if E(k,m) = c
         0   otherwise

Grover ⇒ quantum computer can find k in time O( |K|^{1/2} )

  DES: time ≈2^28,   AES-128: time ≈2^64

⇒ quantum computer ⇒ 256-bits key ciphers (e.g. AES-256)

End of Segment


Block ciphers
The AES block cipher

Online Cryptography Course, Dan Boneh
The AES process

1997: NIST publishes request for proposal
1998: 15 submissions. Five claimed attacks.
1999: NIST chooses 5 finalists
2000: NIST chooses Rijndael as AES (designed in Belgium)

Key sizes: 128, 192, 256 bits.  Block size: 128 bits
AES is a Subs-Perm network (not Feistel)

  input → ⊕ k1 → [S1 S2 S3 ... S8] → [perm.] → ⊕ k2 → [S1 S2 S3 ... S8] → [perm.] → ... → ⊕ kn → output
                    subs. layer       perm. layer

  inversion: the same layers traversed in reverse
AES-128 schematic

  input (4×4 bytes)
    ⊕ k0
    10 rounds:
      (1) ByteSub  (2) ShiftRow  (3) MixColumn   ⊕ k1
      ...
      (1) ByteSub  (2) ShiftRow  (3) MixColumn   ⊕ k9
      (1) ByteSub  (2) ShiftRow                  ⊕ k10   (last round has no MixColumn)
  output (4×4 bytes)

  key (16 bytes) → key expansion: 16 bytes → 176 bytes  (invertible)
The round function

ByteSub: a 1 byte S-box. 256 byte table (easily computable)
ShiftRows:
MixColumns:
Code size/performance tradeoff

                                              Code size   Performance
  Pre-compute round functions (24KB or 4KB)   largest     fastest: table lookups and xors
  Pre-compute S-box only (256 bytes)          smaller     slower
  No pre-computation                          smallest    slowest
Example: Javascript AES

AES library (6.4KB), no pre-computed tables

AES in the browser:
  Prior to encryption: pre-compute tables
  Then encrypt using tables

http://crypto.stanford.edu/sjcl/
AES in hardware

AES instructions in Intel Westmere:
  aesenc, aesenclast: do one round of AES
    128-bit registers: xmm1 = state, xmm2 = round key
    aesenc xmm1, xmm2 ; puts result in xmm1
  aeskeygenassist: performs AES key expansion

Claim 14 × speed-up over OpenSSL on same hardware

Similar instructions on AMD Bulldozer
Attacks

Best key recovery attack:
  four times better than ex. search [BKR'11]

Related key attack on AES-256: [BK'09]
  Given 2^99 inp/out pairs from four related keys in AES-256
  can recover keys in time ≈2^99

End of Segment


Block ciphers
Block ciphers from PRGs

Online Cryptography Course, Dan Boneh
Can we build a PRF from a PRG?

Let G: K → K^2 be a secure PRG
Define 1-bit PRF F: K × {0,1} → K as

  F(k, x∈{0,1}) = G(k)[x]

         k
         G
        / \
  G(k)[0]  G(k)[1]

Thm: If G is a secure PRG then F is a secure PRF

Can we build a PRF with a larger domain?
Extending a PRG

Let G: K → K^2.
  define G1: K → K^4 as  G1(k) = G(G(k)[0]) || G(G(k)[1])

            k
            G
         /     \
    G(k)[0]   G(k)[1]
      G          G
     / \        / \
    00 01      10 11      ← G1(k)

We get a 2-bit PRF:
  F(k, x∈{0,1}^2) = G1(k)[x]
G1 is a secure PRG

  G1(k) = G(G(k)[0]) || G(G(k)[1])       (tree of G's, leaves 00 01 10 11)

    ≈p  G(r0) || G(r1)                   r0, r1 random in K  (replace G(k) by random)

    ≈p  r00 || r01 || r10 || r11          random in K^4        (replace each G(r_b) by random)
Extending more

Let G: K → K^2.
  define G2: K → K^8 as  G2(k) =  (the leaves of the tree below, left to right)

                k
                G
          /           \
     G(k)[0]         G(k)[1]
        G               G
      /   \           /   \
     G     G         G     G
    / \   / \       / \   / \
  000 001 010 011 100 101 110 111

We get a 3-bit PRF
Extending even more: the GGM PRF

Let G: K → K^2. Define PRF F: K × {0,1}^n → K as

For input x = x0 x1 ... x_{n-1} ∈ {0,1}^n do:

  k → G(k)[x0] → G(k1)[x1] → G(k2)[x2] → ... → G(k_{n-1})[x_{n-1}]

  (k1 = G(k)[x0], k2 = G(k1)[x1], ..., output k_n = G(k_{n-1})[x_{n-1}])

Security: G a secure PRG ⇒ F is a secure PRF on {0,1}^n.
Not used in practice due to slow performance.
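The 1-bit PRF, the G1 and G2 tree extensions, and the GGM walk of this segment, as one added Python example (not code from the lecture). It assumes a constructed length-doubling PRG G(k) = SHA-256(k || 0x00) || SHA-256(k || 0x01) on 32-byte keys in place of the abstract G: K → K^2 (nothing here proves that G is a PRG); the consistency check confirms that walking the tree bit by bit lands on the same leaf that the fully expanded G1 and G2 produce, which is why GGM needs only n PRG calls per evaluation rather than a 2^n-leaf table.

```python
import hashlib
from typing import List

KEY_LEN = 32   # K = 32-byte strings (assumption)


def G(k: bytes) -> List[bytes]:
    """Constructed length-doubling PRG: returns [G(k)[0], G(k)[1]], each in K."""
    assert len(k) == KEY_LEN
    return [hashlib.sha256(k + bytes([b])).digest() for b in (0, 1)]


def prf_1bit(k: bytes, x: int) -> bytes:
    """F(k, x) = G(k)[x] for x in {0,1}: the 1-bit PRF from the slide."""
    return G(k)[x]


def G1(k: bytes) -> List[bytes]:
    """G1(k) = G(G(k)[0]) || G(G(k)[1]): K -> K^4, leaves indexed 00, 01, 10, 11."""
    left, right = G(k)
    return G(left) + G(right)


def G2(k: bytes) -> List[bytes]:
    """G2(k): K -> K^8, one more level of the tree (leaves 000 ... 111)."""
    return [leaf for child in G(k) for leaf in G1(child)]


def ggm_prf(k: bytes, x: str) -> bytes:
    """GGM PRF on an n-bit input given as a bit string: k <- G(k)[x_i] for i = 0..n-1.
    Only n PRG calls; the 2^n-leaf tree is never materialised."""
    for bit in x:
        k = G(k)[int(bit)]
    return k


def ggm_matches_tree(k: bytes) -> bool:
    """Consistency check: GGM on 2-bit / 3-bit inputs equals the G1 / G2 leaves."""
    ok2 = all(ggm_prf(k, f"{i:02b}") == G1(k)[i] for i in range(4))
    ok3 = all(ggm_prf(k, f"{i:03b}") == G2(k)[i] for i in range(8))
    return ok2 and ok3


if __name__ == "__main__":
    demo_key = bytes(range(KEY_LEN))   # constructed key, not a secret
    print(ggm_prf(demo_key, "1011001").hex())
    print("GGM agrees with G1/G2:", ggm_matches_tree(demo_key))
```

The slide's performance remark is visible in the code: an n-bit input costs n sequential PRG evaluations, each a full hash here, whereas a block cipher handles a 128-bit input in one call.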
Quiz: Secure block cipher from a PRG?

Can we build a secure PRP from a secure PRG?
  No, it cannot be done
  Yes, just plug the GGM PRF into the Luby-Rackoff theorem
  It depends on the underlying PRG

End of Segment