# Lecture 7: Using Block Ciphers

- Slides: 33

## Slide 1: Lecture 7: Using Block Ciphers

Images from http://rfidanalysis.org/

CS 588: Security and Privacy, David Evans, University of Virginia, Computer Science, http://www.cs.virginia.edu/evans

10 February 2005 University of Virginia CS 588

## Slide 2: Menu

- PS 2
- Modes of Operation
- Differential Cryptanalysis

Sorry, PS 1 is not ready to return yet! If you want it back before then, find me at my office tomorrow morning, or get it from Matt during his office hours (2:30-3:30 tomorrow).

## Slide 3: Ken Elzinga's Theory on Writing Mysteries

- Requires:
  - Creativity
  - Discipline
- Very few people can be both
- Most good mystery novels are written by pairs:
  - "Marshall Jevons" = Bill Breit and Ken Elzinga
  - "Ellery Queen" = Manfred Lee and Frederic Dannay

## Slide 4: Dave Evans' Theory on Cryptography

(The previous slide with its mystery-writing words struck out and replaced)

- Requires:
  - Creativity
  - Discipline
- Very few people can be both
- Most good (unbroken) ciphers are designed by small teams:
  - Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE)

## Slide 5: Creativity vs. Discipline

- Creativity: mostly about breaking rules
- Discipline: mostly about following rules
  - Rules = internal consistency, mathematical correctness, sticking with stated assumptions
- US was founded by rebels and has lots of space, so we value creativity most (except in teenagers and soldiers)

## Slide 6: RSA [1978]

- Ron Rivest and Adi Shamir tried to find ways to implement public-key cryptography
- Len Adleman poked holes in their first dozen ideas
- Eventually, they found one he couldn't
- Adleman thought the cipher should be RS (but Rivest convinced him otherwise)

We'll cover RSA later, after spring break, but you've probably heard of it already. It's the most important cipher invented since the One Time Pad (Vernam, 1917).

## Slide 7: Overstatement?

"The most important technological breakthrough in the last thousand years." Lawrence Lessig

(Possibly an overstatement, but he's a lawyer)

## Slide 8: PS 2 Teams

- Must be diverse in at least 2 of these:
  - Nationality
  - Major (CS/Math/ECE/Bioinformatics/other)
  - Year (Grad/4th/3rd/other)
  - Liked breaking two-time pad (yes/no)
- Examples:
  - Australian bioinformatics major can work with anyone
  - USian, 4th year CS major who liked breaking two-time pad can't work with a USian 3rd year CS major unless she/he didn't like breaking the two-time pad
  - If you can get Ron Rivest, Adi Shamir or Len Adleman on your team, you don't need to worry about the other rules

Find a partner before leaving today!

## Slide 9: Confidentiality Modes of Operation

## Slide 10: Modes of Operation

- Transmitting a long plaintext using 3DES: $P = P_1 \| P_2 \| \ldots \| P_N$
- Electronic Codebook Mode: $C = E_K(P_1) \| E_K(P_2) \| \ldots \| E_K(P_N)$
- Problems:
  - Any identical blocks are encrypted identically
    - 64 bits = 8 ASCII characters
    - Reveals lots about your message (even if unbroken)
  - Lots of ciphertext encrypted with the same K

## Slide 11: Cipher Block Chaining

[Diagram: $P_1$ is XORed with IV and encrypted with DES under K to give $C_1$ (to receiver); $P_2$ is XORed with $C_1$ and encrypted under K to give $C_2$ (to receiver); and so on.]

## Slide 12: Cipher Block Chaining

$C_i = E_K(P_i \oplus C_{i-1})$, with $C_1 = E_K(P_1 \oplus IV)$

Decrypt: $M_i = D_K(C_i) \oplus C_{i-1}$, with $M_1 = D_K(C_1) \oplus IV$

$D_K(E_K(P_i \oplus C_{i-1})) \oplus C_{i-1} = P_i \oplus C_{i-1} \oplus C_{i-1} = P_i$

## Slide 13: Cipher Feedback Mode

[Diagram: a shift register initialised with IV is encrypted with DES under K; j bits of the output are XORed with j bits of $P_1$ to give $C_1$ (to receiver); $C_1$ is shifted into the register (shift j bits) and the process repeats for $P_2$, $C_2$, ...]

Does the IV need to be secret?

## Slide 14: Output Feedback Mode

[Diagram: as in CFB, but the j bits of DES output are shifted back into the register themselves (shift j bits), not the ciphertext; the same j bits are XORed with $P_1$ to give $C_1$ (to receiver), then with $P_2$ to give $C_2$, ...]

## Slide 15: CFB vs OFB

[Diagram: the CFB and OFB pictures side by side; in CFB the ciphertext $C_i$ is shifted into the register, in OFB the DES output is.]

Which is better for wireless transmissions? Which is better for preventing message tampering?
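Added example for slides 10 to 15 (not from the lecture or its slides): a constructed toy 64-bit Feistel cipher stands in for DES, and ECB, full-block (j = 64) CFB and full-block OFB are built on it. `blocks_changed_by_flip` answers the slide's questions by flipping one ciphertext bit in transit: in CFB the damage spreads into the next block, in OFB it changes exactly the matching plaintext bit and nothing else, which is kinder to a noisy link but means an integrity check (a MAC) is needed to notice tampering.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 64-bit, 4-round Feistel cipher standing in for DES (a bijection, not DES)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:4]
        l, r = r, xor(l, f)
    return l + r

def ecb_encrypt(key: bytes, blocks: list[bytes]) -> list[bytes]:
    """ECB: each block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return [toy_block_encrypt(key, p) for p in blocks]

def cfb_encrypt(key: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """CFB with j = 64: the keystream for block i is E_K(C_{i-1}), with C_0 = IV."""
    out, feedback = [], iv
    for p in blocks:
        c = xor(p, toy_block_encrypt(key, feedback))
        out.append(c)
        feedback = c
    return out

def cfb_decrypt(key: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    out, feedback = [], iv
    for c in blocks:
        out.append(xor(c, toy_block_encrypt(key, feedback)))
        feedback = c
    return out

def ofb_crypt(key: bytes, iv: bytes, blocks: list[bytes]) -> list[bytes]:
    """OFB with j = 64: keystream O_i = E_K(O_{i-1}) never depends on ciphertext; encrypt == decrypt."""
    out, state = [], iv
    for b in blocks:
        state = toy_block_encrypt(key, state)
        out.append(xor(b, state))
    return out

def blocks_changed_by_flip(mode: str, key: bytes, iv: bytes, blocks: list[bytes]) -> list[int]:
    """Flip one bit of ciphertext block 1 in transit; return indices of plaintext blocks that decrypt wrongly."""
    enc, dec = {"cfb": (cfb_encrypt, cfb_decrypt), "ofb": (ofb_crypt, ofb_crypt)}[mode]
    ct = enc(key, iv, blocks)
    ct[1] = bytes([ct[1][0] ^ 0x80]) + ct[1][1:]
    return [i for i, (p, q) in enumerate(zip(blocks, dec(key, iv, ct))) if p != q]

KEY, IV = b"constructed-key!", bytes(range(8))   # constructed sample key and IV
MSG = [b"ATTACK!!", b"ATTACK!!", b"AT DAWN!"]    # constructed 3-block message with a repeated block
```

`ecb_encrypt(KEY, MSG)` returns two identical ciphertext blocks for the repeated plaintext block, while the chained modes do not.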

## Slide 16: What does it mean to "break" a cipher?

- Practical:
  - You can determine the plaintext corresponding to some ciphertext without the key
  - You can determine the key given some plaintext-ciphertext pairs

## Slide 17: What does it mean to "break" a cipher?

- Academic:
  - You have a technique that does better than brute force (e.g., break 112-bit 3DES with $2^{111}$ max attempts)
  - You have a technique that does better than brute force on a weakened (fewer rounds, smaller block) version of the cipher (e.g., break DES with 15 rounds)
  - You have identified some mathematical weakness in the cipher, but don't yet know how to use it usefully (e.g., there exist two different keys that map a plaintext to the same ciphertext)

## Slide 18: DES Attacks

- Last time:
  - Mostly brute force (guessing all keys)
    - DES keyspace is too small
    - But nowhere near good enough for 3DES
  - Side-channel: power analysis
- Now: Differential Cryptanalysis

## Slide 19: Differential Cryptanalysis

- [Biham & Shamir, 1990]
- With enough work ($2^{47}$) and enough chosen plaintexts ($2^{47}$) can find the key (compared to $2^{56}$ brute force work)
- Successful academic attack: takes 3 years of 1.5 Mbps encrypting chosen plaintext to get enough!
- Is a successful practical attack on other ciphers

## Slide 20: Differential Cryptanalysis Idea

- Choose plaintext pairs with fixed difference: $\Delta X = X \oplus X'$
- Use differences in resulting ciphertext to guess key probabilities
- Requires chosen plaintext: attacker chooses plaintext and receives ciphertext (e.g., SpeedPass challenge-response protocol!)

## Slide 21: One Round

[Diagram: one DES round applied to X and X' (32 bits each): E/P expansion to $X1$, $X1'$ (48 bits); XOR with subkey $K_n$ to give $X2$, $X2'$; S-boxes to give $X3$, $X3'$ (32 bits); permutation P to give $X4$, $X4'$.]

- $\Delta X = X \oplus X'$; $\Delta X_i = 0$ iff $X_i = X_i'$
- E/P preserves values: $\Delta X_i = 0 \Rightarrow X1_{ep(i)} = X1'_{ep(i)}$, where $ep(i)$ is a function defined by the E table
- $\oplus K_n$ preserves values: $X2_i = X1_i \oplus K_n$ and $X2_i' = X1_i' \oplus K_n$, so $\Delta X_i = 0 \Rightarrow X2_{ep(i)} = X2'_{ep(i)}$

## Slide 22: One Round, cont.

- $\Delta X_i = 0 \Rightarrow X2_{ep(i)} = X2'_{ep(i)}$
- P preserves values: $X3_i = X3_i' \Rightarrow X4_{p(i)} = X4'_{p(i)}$ ($X4$ is known from the ciphertext)
- S-boxes are non-linear! $\Delta X_i = 0 \not\Rightarrow X3_{s(ep(i))} = X3'_{s(ep(i))}$
- But maybe they do probabilistically: $\Delta X_i = 0 \Rightarrow p(X3_{s(ep(i))} = X3'_{s(ep(i))}) > .5$? or $< .5$?
- It's a function of the key: p is determined experimentally.

## Slide 23: Differential Characteristics

These slides are based on Howard Heys' Tutorial on Linear and Differential Cryptanalysis (linked from the course website).

Inputs: $A = [A_1, A_2, A_3, \ldots, A_{64}]$, $B = [B_1, B_2, B_3, \ldots, B_{64}]$

Outputs: $a = [a_1, a_2, a_3, \ldots, a_{64}] = \{A\}_K$, $b = [b_1, b_2, b_3, \ldots, b_{64}] = \{B\}_K$

Differences: $\Delta P = A \oplus B = [A_1 \oplus B_1, \ldots, A_{64} \oplus B_{64}]$, $\Delta C = a \oplus b = [a_1 \oplus b_1, \ldots, a_{64} \oplus b_{64}]$

Differential = $(\Delta P, \Delta C)$

## Slide 24: Goal

(Same inputs, outputs and differences as on the previous slide; differential = $(\Delta P, \Delta C)$)

- Find a particular value of $\Delta P$ for which a particular $\Delta C$ value occurs with high probability
- Allows attacker to predict bits coming into the last round of the cipher

If you know what one round of DES does, you can find the subkey for that round (fairly easily)!

## Slide 25: From Howard Heys' Tutorial on Linear and Differential Cryptanalysis

http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf

## Slide 26: S-box S1

6 bits: $x_1 x_2 x_3 x_4 x_5 x_6$. The middle bits $x_2 x_3 x_4 x_5$ select the column; the outer bits $x_1 x_6$ select the row.

Remember: S-Boxes are confusing, but not secret. All DES implementations use the same S-Boxes.

| $x_1 x_6$ | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | A | B | C | D | E | F |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 00 | E | 4 | D | 1 | 2 | F | B | 8 | 3 | A | 6 | C | 5 | 9 | 0 | 7 |
| 01 | 0 | F | 7 | 4 | E | 2 | D | 1 | A | 6 | C | B | 9 | 5 | 3 | 8 |
| 10 | 4 | 1 | E | 8 | D | 6 | 2 | B | F | C | 9 | 7 | 3 | A | 5 | 0 |
| 11 | F | C | 8 | 2 | 4 | 9 | 1 | 7 | 5 | B | 3 | E | A | 0 | 6 | D |

4 inputs to S1 produce 0: 011100, 000001, 111110, 111011

## Slide 27: Partial pair XOR Distribution, S1

[Table: rows are the input XOR (6 bits, 0 to 3F), columns are the output XOR (4 bits, 0 to F); each entry counts how many of the 64 input pairs with that input XOR produce that output XOR. Row 0 is 64 in column 0 and 0 in every other column.]

## Slide 28: What would ideal distribution be?

[Table: empty grid of input XOR (rows 0 to 3F) against output XOR (columns 0 to F).]

## Slide 29: What would ideal distribution be?

[Table: the same grid with 64 in row 0, column 0 and 4 in every entry of every other row.]

Getting deterministically different outputs when the inputs are identical is really, really hard!

Why can't we just make S-Boxes that do this?
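Added example covering slides 26, 27 and 29 (not from the lecture): it builds the pair XOR distribution of S1 from the public S1 table, lists the four inputs that map to 0, and lets you compare the real rows against the flat "all 4s" ideal. `S1`, `s1`, `pair_xor_distribution` and `best_differentials` are names chosen here, not the tutorial's.

```python
# DES S-box S1 (public, identical in every DES implementation); rows by x1x6, columns by x2x3x4x5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x: int) -> int:
    """4-bit output of S1 for a 6-bit input x1..x6 (x1 is the most significant bit)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)   # outer bits x1 x6 select the row
    col = (x >> 1) & 0xF                    # middle bits x2..x5 select the column
    return S1[row][col]

def inputs_producing(value: int) -> list[int]:
    """All 6-bit inputs whose S1 output is `value` (one per row, since each row is a permutation)."""
    return [x for x in range(64) if s1(x) == value]

def pair_xor_distribution() -> list[list[int]]:
    """table[dx][dy] = number of inputs x with s1(x) ^ s1(x ^ dx) == dy; each row sums to 64."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][s1(x) ^ s1(x ^ dx)] += 1
    return table

def best_differentials(table: list[list[int]], top: int = 3) -> list[tuple[int, int, int]]:
    """Largest (count, dx, dy) entries for dx != 0: the rows that are furthest from the ideal flat 4s."""
    cands = [(table[dx][dy], dx, dy) for dx in range(1, 64) for dy in range(16)]
    return sorted(cands, reverse=True)[:top]

def row_is_ideal(row: list[int]) -> bool:
    """True if every output XOR is equally likely (4 of 64), the ideal of slide 29."""
    return all(v == 4 for v in row)
```

Every entry is even (the pairs (x, x^dx) and (x^dx, x) are both counted), so a nonzero row can never be exactly uniform over 16 columns unless every entry is 4, which no DES S-box row achieves.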

## Slide 30: Differential Cryptanalysis

- Propagate experimental probabilities for 1 round through 16 rounds
- After enough P-C pairs, one key becomes most probable
- Difficulty depends heavily on S-Box choices
- First published in 1990, but NSA knew about it in 1973! (That's why they changed IBM's S-Boxes!)

## Slide 31: Differential Cryptanalysis

- "Successful" on DES up to 15 rounds (better than exhaustive search)
- By the 16th round, characteristic probabilities are $2^{-56}$
- Very successful on DES variants (breaks GDES with 6 chosen plaintexts)
- Very successful on FEAL (FEAL-4, FEAL-8, FEAL-NX, ...)
- Would be very successful on Curry Cipher (but so would less sophisticated techniques)

## Slide 32: Related Techniques

- Linear Cryptanalysis [Matsui, 1994]
  - Try to find equations like $X_{i_1} \oplus X_{i_2} \oplus \ldots \oplus X_{i_n} \oplus Y_{j_1} \oplus Y_{j_2} \oplus \ldots \oplus Y_{j_v} = 0$, where $X_{i_k}$ selects some input bit and $Y_{j_k}$ selects some output bit, such that the probability it is satisfied is different from ½
- Boomerang Attack [Wagner 1999]
- Slide Attacks [Biryukov & Wagner, 1999]

## Slide 33: Charge

- Find a partner for PS 2 now
  - If you have already gotten past question 1 with someone, you can keep working together
  - Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more):
    - Nationality
    - Major (CS/Math/ECE/Bioinformatics/other)
    - Year (Grad/4th/3rd/other)
    - Liked breaking two-time pad (yes/no)