Michigan State University

About This Presentation

Title:

Michigan State University

Description:

Birthday Theorem ... birthday paradox : the probability ... Backwards compatibility with DES... Michigan State University. Computer Science and Engineering ... – PowerPoint PPT presentation

Number of Views:151

Avg rating:3.0/5.0

Slides: 76

Provided by: richard139

Category:

more less

Transcript and Presenter's Notes

Title: Michigan State University

1
Chapter 5 Cryptography

CSE 825

Cryptography, as covered in the text, seems worth
spending some class time on

Egyptians used cryptography 4000 years ago.

4
Monoalphabetic Substitution Cipher

Julius Caesar (50 BC) used it.
abcdefghijklmnopqrstuvwxyz
SECURITYABDFGHJKLMNOPQVWXZ
What is?
YRFFJ VJMFU
Computers can determine key in 150 words.
Humans do better.

Given a sufficiently large encoded message, it
can readily be "cracked" by comparing the
frequency of letter occurrences in the coded
message with the frequency of letter occurrences
in the language used for the message.
Graph of letter frequencies the English language

6
Improvements

Stream cipher
encryption rule depends on the plaintext symbols
position in the stream of plaintext symbols
Block cipher
encrypt several plaintext symbols at once in a
block

7
Stream

As the name implies, you generate a long stream
of ciphertext from a shorter key.

8
Vigenère Stream Cipher

16th-century
polyalphabetic cipher based on using successively
shifted alphabet.

Method 1
Using key LUCKY to encode first two letters
CO
Select rows LU
Select cols CO
Result is NI

10
Method 2 Use key LUCKY to select rows in
order Then use only those rows for the table
(next slide)
11
Method 2 (cont) Key LUCKY is in the repeated
rows Use plaintext for column and then use rows
one at a time (next slide)
12
To encode the first letter C we use the row of
the code indicated by the arrow and the column
indicated by the arrow Hence the letter N is
substituted for C.
The next letter to be encoded is O. We now use
the second shifted alphabet from the code table
and the column headed by the letter O.
13
Note that the letter I in the message corresponds
to four different letters in the encoded message
(i.e. a stream cipher). Also in the encoded
message the letter E was substituted for two
different letters of the original message. Such
many-to-one substitutions make letter frequency
counting much more difficult.
14

The text describes the same process
mathematically and much more simply
C P K mod 26
Where
P alphabetic position of plaintext character
K alphabetic position of key character
C alphabetic position of cipher character

15
Cracking the Vigenere Cipher

For 300 years the Vigenere cipher was considered
to be practically unbreakable.
Then in 1863 a Prussian military officer noticed
that given a long enough piece of ciphertext,
repeated patterns appear at multiples of the
keyword length.
A letter frequency analysis could be then be
applied (see text for example).

16
One-Time Pad

Since repetition is a weakness, one solution is
for the key sequence to be as long as the
plaintext and to never repeat.
The one-time pad (WWI) can provide that.
Encryption/Decryption is simply an XOR of the
plaintext stream with the keystream.

17
Perfect Secrecy

A cipher has perfect secrecy
if and only if there are as many possible keys
as possible plaintexts, and if every key is
equally likely.
The one-time pad is the only one which provides
perfect secrecy (Shannon).

18
Expansion

Key distribution is expensive for one-time pads
so
it is more common for stream ciphers to use a
suitable pseudorandom number generator to
expand a short key into a long keystream.

19
Text Themes

Repetition is badany repetition provides
sufficient clues for cracking.
Also, how you use a cipher is as important as
the quality of the cipher itself, e.g. if you
use it in a way that allows repetition, you
lose.

20
Block vs. stream ciphers

Block cipher encrypts and decrypts one block at
a time
Stream cipher encrypts and decrypts one
character (or even a bit) at a time.

21
Block Cipher

Divide input bit stream into n-bit sections,
encrypt only that section, no
dependency/history between sections

Courtesy Andreas Steffen

In a good block cipher, each output bit is a
function of all n input bits and all k key bits

22
Stream Cipher

Stream ciphers

Rather than divide bit stream into discrete
blocks, as block ciphers do, XOR each bit of
your plaintext continuous stream with a bit from
a pseudo-random sequence
At receiver, use same symmetric key, XOR again
to extract plaintext

23
Diffusion and confusion(Claude Shannon)

Diffusion change a character of the plaintext,
and several characters of the ciphertext should
change. The statistical characteristics of
letters in the plaintext are diffused over many
letters in the ciphertext. Result much more
ciphertext is needed to do a meaningful
statistical attack.
Confusion the key does not relate in a simple
way to the ciphertext. Each character of the
ciphertext should depend on many parts of the
key. The key cannot be solved piece by piece.

Vigenères allowed letter frequency analysis
Block ciphers flatten that distribution

25
Playfair (simple block cipher)

Block 5x5 grid of letters without J
Algorithm
If two letters are in the same row or column,
replace by succeeding letters.
Otherwise, the two letters stand at two of the
corners of a rectangle replace with letters at
other two corners

26
Playfair

Invented around 1854 by Sir Charles Wheatstone
Keyword playfair
Plaintext meet at the schoolhouse
Plaintext1 me et at th es
ch ox ol ho us ex
Ciphertext eg mn fq qm kn bk sv vr gq xn ku

27
Analysis

Playfair allows one character change in input to
change one character in output.
We want small changes in input to diffuse
completely through the output.
Playfair has a block length of two.
DES, a modern block cipher, has a block length of
64
DESs replacement, AES, has a block length of 128.

28
Random Function Desirable Characteristics

One-way functionsTrivial example is sum the
sum of two numbers tells you nothing about the
two numbers.
Output will not provide any information about any
part of the input.
Hard to find collisionsM1 ? M2 with h(M1)
h(M2)

29
Birthday Theorem

How many people do you invite to your party so
that two will have the same birthday (with high
probability)? v365
You need vN to have a high probability of a
collision.

30
Birthday Attack

A birthday attack is a name used to refer to a
class of brute-force attacks.
birthday paradox the probability that two or
more people in a group of 23 share the same
birthday is greater than ½
General formulation
function f() whose output is uniformly
distributed over domain
On repeated random inputs n n1, n2, , .., nk
Pr(ni nj) 1.2k1/2, for some 1
E.g., 1.2(3651/2) 23
Q Why is resilience to birthday attacks
important?

31
Feistel Cipher

1950s IBM
On team that developed DES
He used multiple rounds of permutation blocks
which were reversible.
Notation ?(f1 , f2 , f3 ) represents three
Feistel cipher rounds

32
Luby-Rackoff(proof of Felstel Ciphers)

If fi were random functions,then ?(f1 , f2 , f3
) was indistinguishable from a random permutation
under chosen plain text attack.
(chosen plain text attack opponent chooses some
number of plain text inputs and sees the
corresponding ciphertext outputs.)

33
Luby-Rackoff(proof of Felstel Ciphers)

If fi were random functions, ?(f1 , f2 , f3 ,
f4 ) was indistinguishable under chosen
plaintext/ciphertext attack,i.e. it was a
pseudorandom permutation
That is, four rounds of Feistel are enough
(chosen plaintext/ciphertext attack can choose
either plaintext or ciphertext and see
corresponding result.)

34
How Feistel Cipher Scheme works

All conventional encryption schemes have the
same structure
The input to the encryption algorithm are a
plaintext block of length 2w bits and a key K.
The plaintext block is divided into two halves
Li and Ri
The two halves pass through n rounds of
processing and then combine to produce the
ciphertext block

35
How Feistel Cipher Scheme works

5. Each Round i has inputs Li-1 and Ri-1,
derived from the previous round, as well as a
unique subkey Ki generated by a sub-key
generation algorithm
6. All rounds have the same structure which
involves substitution (mapping) and transposition
(rearrangement of data) using a round function
F and subkey Ki

36
(No Transcript)
37
Decryption with the Feistel Cipher Structure

Decryption with Feistel cipher is the same as
the encryption process
The rule is to use the ciphertext as input to
the same encryption algorithm but use the
subkeys Ki in reverse order. That is, use kn in
R1, Kn-1 in R2 and so on until k1 is used in Rn.
The output will be the plaintext.
The advantage of this scheme is that we use the
same algorithm for both encryption and
decryption

38
Feistel Cipher Structure

Virtually all conventional block encryption
algorithms, including data encryption standard
(DES) have the same structure, first described
by Horst Feistel of IBM in 1973
The realization or development of a Fesitel
encryption scheme depends on the choice of the
following parameters and design features (see
next slide)

39
Feistel Cipher Structure

Block size larger block sizes mean greater
security but slower processing
Key Size larger key size means greater security
but slower processing
Number of rounds multiple rounds offer
increasing security but slower processing
Subkey generation algorithm greater complexity
will lead to greater difficulty of cryptanalysis.
Round Function greater complexity will lead to
greater difficulty of cryptanalysis.

40
A Brief History of DES

In 1974, IBM proposed "Lucifer", an encryption
algorithm using 64-bit keys.
Two years later (1977), NBS (now NIST) in
consultation with NSA made a modified version of
that algorithm into a standard.

41
A Brief History of DES
42

DES was the most widely-used block cipher in the
80s and 90s. (e.g. Funds transfer security in
banks)

43
DES

Consists of several phases
An initial permutation (IP)
Key transformation
16 rounds of
Expansion permutation of input(Avalanche Effect)
Expands 32 bits to 48 bits, thus a single bit
affects 2 substitutions. Dependency of output
bits on input bits spread faster
S-box substitution (confusion)
P-box permutation (diffusion)
A final permutation (IP-1)

44
DES Algorithm
45
PeDEStrian attacks

Obvious attack guess the key. 256 keys
Complementation Property 255 keys
1 million per second 1100 years
Store EK(P1) for all K 512 petabytes

46
DEStroying Security

Differential Cryptanalysis (1990) (in text)
Say you know plaintext, ciphertext pairs
Difference dP P1 ? P2, dC C1 ? C2
Distribution of dCs given dP may reveal key
Need lots of pairs to get lots of good dPs
Look at pairs, build up key in pieces
Could find some bits, brute-force for rest

47
DEServing of Praise

Against 8-round DES, attack requires
214 16,384 chosen plaintexts, or
238 known plaintext-ciphertext pairs
Against 16-round DES, attack requires
247 chosen plaintexts, or
Roughly 255.1 known plaintext-ciphertext pairs
Differential cryptanalysis not effective
Designers knew about it

48
DESperate measures

Linear cryptanalysis (in text)
Look at algorithm structure find places where,
if you XOR plaintext and ciphertext bits
together, you get key bits
S-boxes not linear, but can approximate
Need 243 known pairs best known attack
DES apparently not optimized against this
Still, not an easy-to-mount attack

49
Characteristics of DES

Dependence All output bits depend on all input
bits.
Avalanche effect a small alternation of the
plaintext results in a large change of the
ciphertext. A small change in the key results in
a large change in the ciphertext.
Small space (4) of weak keys. A pair of keys is
weak if after two subsequent encipherments with
the keys, we get the original plaintext.
12 semi-weak keys (the inverse of the key is
another key).
Complimentarity
DESk(P)C ? DESco(k)(co(P))co(C)

50
Cracking DES

In the summer of 1998, the Electronic Frontier
Foundation (EFF) built a DES cracker machine at a
cost of 250,000
It had 1536 chips, worked at a rate of 88 billion
keys per second, and was able to break a DES
encrypted message in 56 hours
One year later, with the cracker working in
tandem with 100,000 PCs over the Internet, a DES
encrypted message was cracked in only 22 hours.
They were testing 245 billion keys per second.

51
DES Problem

Key is too short (56 bits).
A linear attack requiring 242 known texts exists,
but from a practical standpoint even 240 known
texts is impractical.

52
3DES

One common way to make DES more secure today is
to encrypt three times using DES.
triple-DES (3DES).
3DES is extremely slow, so a better algorithm
was needed.
Provides us with a key space of 2112 keys

53
Triple DES (3-DES)

The keyspace of DES is too small
3-DES was designed to use the widely installed
base of DES
Why not just use DES twice?
Subject to meet-in-the-middle attack
A known plaintext attack is one order of
magnitude harder in double DES than single DES
Alright, how about using 3 keys?
Key space unwieldy?
Backwards compatibility with DES

54
The Advanced Encryption Standard (AES)

Although Triple DES can solve the key length
problem, it has a slow operation and a short
block length (64 bit)
NIST worked with the cryptographic community to
develop the Advanced Encryption Standard (AES)
AES has a block length of 128 bits supporting
key sizes of 128, 192 and 256 bits
Rijndael developed by Daemen and Rijmen from
Belgium, was selected to be the AES
The effect date of AES was May 26, 2002
NIST anticipates that AES will be in use for
20-30 years
NIST plans to formally reevaluate AES every 5
years and make the needed maintenance

55
AES Requirements

Motivation
To replace DES with a single block encryption
algorithm with a strength equal to or better than
3DES and with significantly improved efficiency
Minimum Acceptability Requirements
implement symmetric (private) key cryptography
be a block cipher
work on 128-bit blocks with three key sizes
128, 192, 256 bits

56
AES Evaluation Criteria
57
Block Cipher Design

General Design Principles
Confusion
obscure relationship among key, plaintext and
ciphertext
Diffusion
every bit of plaintext influences each bit of
ciphertext
Iteration
thorough mixing of bits
Related balance, non-linearity,
correlation-immunity

58
Rijndael Encryption Algo

Rijndael(State, Key)
KeyExpansion( Key, ExpandedKey )
AddRoundKey( State, ExpandedKey )
for (i1 i
Round(State, ExpandedKey4)
FinalRound(State,ExpandedKey4X10)

Round(State, RoundKey)
ByteSub(State)
ShiftRow(State)
MixColumn(State)
AddRoundKey(State, RoundKey)

State -- array of 4 words(each 32 bits) of a
block
No. of Rounds -- 10 rounds for key-block
combination of 128-128 bits
KeyExpansion -- consists of XOR of keywords(each
3bits),
S-box lookups, intra-word byte rotation
AddRoundKey -- bitwise-XOR with keywords for
whitening
FinalRound -- similar to Round except without
MixColumn

59
Rijndael Key and State Bytes
Key and State bytes are arranged in rectangular
arrays.
Variable Key size 16, 24 or 32 bytes
Variable State size 16, 24 or 32 bytes
60
Round Function ByteSub

ByteSub acts on individual bytes of the State.
Purpose (high) non-linearity
Note only 1 S-box (8 bits x 8 bits)
ByteSub is a non-linear byte substitution
constructed by the composition of two
transformations
Take multiplicative inverse in GF(28) (00
mapped to itself)
Apply an affine ( over GF(2) ) transformation
8F a i,j ? A6

61
Round Function ShiftRow
no shift
cyclic shift by 3
cyclic shift by 2
cyclic shift by 1
ShiftRow operates on the rows of the
State. Purpose inter-column diffusion
62
Round Function MixColumn
MixColumn operates on the columns of the State.
The columns of the State are considered as
polynomials over GF(28) and multiplied module
x41 with a fixed polynomial c(x) c(x) 03x3
01x2 01x 02 MixColumn is implemented using
operations of XOR, conditional bit-shifts. Purpos
e inter-byte diffusion within columns (based on
ECC theory) Together with ShiftRow, it ensures
that after a few rounds,all output bits depend on
all input bits. Coefficients of the matrix were
also chosen for efficient implementation.
63
Round Function AddRoundKey
?

In AddRoundKey, the Round Key is bitwise XORed to
the State. Purpose makes round function
key-dependent Key-XORing with plaintext or
ciphertext is sometimes called whitening. This
is a cheap way of adding to the security of the
cipher by preventing the collection of
plaintext-ciphertext pairs.
64

Play animation here

65
Why Rijndael was selected

When considered together, Rijndaels combination
of security, performance, efficiency, ease of
implementation, and flexibility makes it an
appropriate selection for the AES. Specifically,
Rijndael appears to be consistently a very good
performer in both hardware and software across a
wide range of computing environments regardless
of its use in feedback or non-feedback modes.
NIST fact sheet
It was my favourite of the algorithms a clean
and succinct description, good reasons for its
design parameters, efficient implementations.
S. Landau, senior staff engineer, Sun
Microsystems
Symmetric and parallel structure
affords flexibility in implementation
not allowed effective cryptanalytic attacks
Well adapted to modern processors
Pentium
RISC and parallel processors
Suitable for smart cards
Flexible in dedicated hardware -- Daemen
Rijmen

66
After the selection

AES FIPS(Federal Information Processing
Standards) by NIST became official in November
2001.
Cryptanalytic attacks on AES?
mid-2002 Coutois and Peiprzyk claimed XSL
technique using one or two known plaintext for a
2100-ish attack against AES and 2200-ish attack
against Serpent attack based on the complexity
of the non-linear components
2002 Fuller and Millan, showed AESs 8x8-bit
S-box is really 8x1 bit S-box
2002 Filiol claimed some biases in Boolean
functions of AES
Crypto2002 Murply and Robshaw showed all of AES
can be expressed in a single field allowed a
representation with nice properties which make it
easier to cryptanalyze
(Basically, these are theoretical attacks, but
worrisome if they are improved.)
IETF protocols
most that use encryption are naturally AES
ready
AES phased in over next 2 or 3 years from year
2000
DES will remain for backwards compatibility till
2003

67
Finally

a standard for cryptographic algorithms to
protect international commerce and communications
Everything in the cipher world from now on will
be measured, quantified, and compared to AES.
Be it speed, strength, block size, key size,
number of rounds, and so on it will be relative
to the AES. It is the yardstick! --Raif S.
Naffah, senior software engineer, Forge Research
openness about the design
strong endorsement of the public-sector
cryptographic expertise

68
Levels of security

An encryption scheme is unconditionally secure if
the ciphertext generated by the scheme does not
contain enough information to determine uniquely
the corresponding plaintext.
An encryption scheme is computationally secure
if the cost of breaking the cipher exceeds the
value of the encrypted information or the time
requited to break the cipher exceeds the lifetime
of the information.

69
Average time needed to break a secret key
cryptosystem
70
Public Key Cryptography

Public Key cryptography
Each key pair consists of a public and private
component k (public key), k- (private key)
D( E(p, k), k- ) p
D( E(p, k-), k ) p
Public keys are distributed (typically) through
public key certificates
Anyone can communicate secretly with you, if
they have your certificate
E.g., SSL-base web commerce

71
RSA (Rivest, Shamir, Adelman)

A dominant public key algorithm
The algorithm itself is conceptually simple
Why it is secure is very deep (number thoery)
Use properties of exponentiation modulo a product
of large primes
"A method for obtaining Digital Signatures and
Public Key Cryptosystems, Communications of the
ACM, Feb., 1978 21(2) pages 120-126.

72
RSA Key Generation

Pick two large primes p and q
Calculate n pq
Pick e such that it is relatively prime to phi(n)
(q-1)(p-1) Eulers Totient Function
d e-1 mod phi(n) or
de mod phi(n) 1