Towards a unifying view of block cipher cryptanalysis. David Wagner, University of California, Berkeley.

In this talk:
– Survey of cryptanalysis of block ciphers
– Steps towards a unifying view of this field
– Algebraic attacks
– How do we tell if a block cipher is secure? How do we design good ones?

What's a block cipher? A block cipher is a map E_k : X → X that is bijective for every key k. (Diagram: input x and key k enter the box E, which outputs E_k(x).)

When is a block cipher secure? Compare two black boxes: the first applies a random permutation to its input x; the second applies the block cipher E_k, with a hidden key k, and outputs E_k(x). Answer: when these two black boxes are indistinguishable.

So many cryptanalytic attacks: truncated d.c., differential crypt., complementation props., linear factors, linear crypt., l.c. with multiple approximations, impossible d.c., higher-order d.c., boomerang, yo-yo, sliding, integrals, interpolation attacks, MITM interpolation, rational interpol., probabilistic interpol., prob. rational interpol. How do we unify them?

How to attack a product cipher:
1. Identify local properties of its round functions.
2. Piece these together into global properties of the whole cipher.
(Diagram: E_k : X → X is the composition of the round functions f_1, …, f_n : X → X.)

Motif #1: projection. Identify local properties using commutative diagrams: the original round function f_k : X → X is on top, the reduced round function g_k′ : Y → Y is on the bottom, and a projection X → Y joins them on each side, so that the square commutes: g_k′ ∘ (input projection) = (output projection) ∘ f_k.

Composing local properties. Build global commutative diagrams out of local ones: the square for f_1 : X → X over g_1 : Y → Y and the square for f_2 : X → X over g_2 : Y → Y share their middle projection (the output projection of the first square is the input projection of the second), so the two squares paste together into one commutative diagram for f_2 ∘ f_1 over g_2 ∘ g_1.

Exploiting global properties. Use global properties to build a known-text attack from the diagram of E_k : X → X over g : Y → Y. The distinguisher: let (x, y) be a plaintext/ciphertext pair. If g applied to the projection of x equals the projection of y, the pair is probably from E_k; otherwise, it is from the random permutation.

Example: linearity in Madryga. Madryga leaves parity unchanged:
– Let the projection of x be the parity of x.
– We see parity(E_k(x)) = parity(x).
This yields a distinguisher:
– For a random permutation, Pr[parity(output) = parity(x)] = ½.
– Pr[parity(E_k(x)) = parity(x)] = 1.
(Diagram: the rounds f_1, …, f_n on GF(2)^64 all project to the identity map on GF(2).)

Motif #2: statistics. It suffices to find a property that holds with large enough probability. A first attempt: probabilistic commutative diagrams, i.e. the square for E_k : X → X over g : Y → Y commutes with probability p, where p = Pr[projection of E_k(x) = g(projection of x)].
– Turns out to be too weak.

A more general formulation: Markov processes. Stochastic commutative diagrams: E_k together with the input and output projections (X → Y on each side) induces a Markov process M with
M(i, j) = Pr[projection of E_k(x) = j | projection of x = i],
and the random permutation with the same projections induces M′. Pick a distance measure, e.g., d(M, M′) = ||M − M′||∞. The best distinguisher of E_k from the random permutation has advantage 0.5 ||M − M′||∞ [Vaudenay]. Also, ~1/(||M − M′||∞)² known texts suffice for a distinguishing attack.

Example: Linear cryptanalysis. Matsui's linear cryptanalysis:
– Set X = GF(2)^64, Y = GF(2).
– The cryptanalyst chooses the two linear projections cleverly to make ||M − M′||∞ as large as possible.
– Note: M is the 2×2 matrix
M = [ ½ + bias, ½ − bias ; ½ − bias, ½ + bias ],
so ||M − M′||∞ = 2 × bias, and 1/bias² known texts break the cipher.
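As an added example (not from Wagner's slides), the following Python computes the Markov matrix M of a stochastic commutative diagram and the distance ||M − M′||∞ for a constructed 4-bit toy cipher: once with the parity projection of the Madryga slide, and once with Matsui-style linear projections searched over all mask pairs. toy_enc, parity_preserving_enc and the helper names are this example's own; the S-box table is PRESENT's published 4-bit S-box, used here only as a convenient nonlinear round.

```python
from itertools import product

# Toy 4-bit cipher constructed for this example: each round XORs a key
# nibble and applies PRESENT's 4-bit S-box; a last key nibble is XORed at the end.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def toy_enc(x, key):
    """key is a list of nibbles; len(key) - 1 rounds of XOR + S-box."""
    for k in key[:-1]:
        x = SBOX[x ^ k]
    return x ^ key[-1]

def parity(v):
    return bin(v).count("1") & 1

def parity_preserving_enc(x, key):
    """Stand-in for Madryga's parity invariance: XOR with an even-parity
    key and a rotation both leave the parity of x unchanged."""
    x ^= key
    return ((x << 1) | (x >> 3)) & 0xF

def markov_matrix(enc, in_proj, out_proj, n_in, n_out, domain):
    """M(i, j) = Pr[out_proj(enc(x)) = j | in_proj(x) = i], x drawn from domain."""
    counts = [[0] * n_out for _ in range(n_in)]
    for x in domain:
        counts[in_proj(x)][out_proj(enc(x))] += 1
    return [[c / (sum(row) or 1) for c in row] for row in counts]

def uniform_matrix(n_in, n_out):
    """M' for the ideal random permutation: every output value equally likely."""
    return [[1 / n_out] * n_out for _ in range(n_in)]

def inf_norm_distance(m1, m2):
    """||M - M'||_inf: the largest row sum of absolute differences."""
    return max(sum(abs(a - b) for a, b in zip(r1, r2)) for r1, r2 in zip(m1, m2))

def best_linear_distance(key):
    """Matsui-style search over all nonzero mask pairs (a, b), with the linear
    projections x -> a.x and y -> b.y into GF(2); returns (distance, a, b)."""
    best = (0.0, 0, 0)
    for a, b in product(range(1, 16), repeat=2):
        m = markov_matrix(lambda x: toy_enc(x, key), lambda x: parity(x & a),
                          lambda y: parity(y & b), 2, 2, range(16))
        d = inf_norm_distance(m, uniform_matrix(2, 2))
        if d > best[0]:
            best = (d, a, b)
    return best
```

For one S-box round the best distance is 0.5, i.e. a bias of ¼, the largest linear bias PRESENT's S-box permits; the parity-preserving cipher gives M equal to the identity and distance 1, the deterministic property of the Madryga slide.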

Motif #3: higher-order attacks. Use many encryptions to find better properties: replace E_k by Ê_k : X × X → X × X, defined by Ê_k(x, x′) = (E_k(x), E_k(x′)), and build the stochastic commutative diagram over Y from projections X × X → Y.

Example: Complementation. Complementation properties are a simple example:
– Take Y = X and the projection (x, x′) ↦ x′ − x on both sides.
– Suppose M(Δ, Δ) = 1 for some cleverly chosen Δ.
– Then we obtain a complementation property.
– We can distinguish with just 2 chosen texts, since ||M − M′||∞ ≈ 1.

Example: Differential cryptanalysis. Differential cryptanalysis:
– Set X = GF(2)^n and take the projection (x, x′) ↦ x′ − x on both sides.
– If p = M(Δ, Δ′) ≫ 2^−n for some clever choice of Δ, Δ′, we can distinguish with 2/p chosen plaintexts.

Example: Impossible differentials. Impossible differential cryptanalysis:
– Set X = GF(2)^n and take the projection (x, x′) ↦ x′ − x on both sides.
– If M(Δ, Δ′) = 0 for some clever choice of Δ, Δ′, we can distinguish with 2^n chosen texts.
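As an added example (not part of the talk) for the complementation, differential and impossible-differential slides above: the pair map Ê_k and the difference projection applied to a constructed 4-bit toy cipher, giving the matrix M(Δ, Δ′), its largest entry, its zero entries, and an entry M(Δ, Δ) = 1 for a second toy cipher with a complementation property. All function names are this example's own; the S-box table is PRESENT's.

```python
from itertools import product
from math import ceil

# Toy ciphers constructed for this example. toy_enc: one round of key XOR then
# PRESENT's 4-bit S-box. rotxor_enc: XOR then rotate, which has a complementation
# property because rotation commutes with complementing all bits.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = 4  # block size in bits, X = GF(2)^N

def toy_enc(x, k):
    return SBOX[x ^ k]

def rotxor_enc(x, k):
    x ^= k
    return ((x << 1) | (x >> 3)) & 0xF

def pair_enc(enc, k):
    """E-hat_k(x, x') = (E_k(x), E_k(x')): the higher-order motif on X x X."""
    return lambda p: (enc(p[0], k), enc(p[1], k))

def diff_proj(p):
    """Projection (x, x') -> x' - x; over GF(2)^N subtraction is XOR."""
    return p[0] ^ p[1]

def diff_markov_matrix(enc, k):
    """M(D, D') = Pr[diff_proj(E-hat_k(x, x')) = D' | diff_proj(x, x') = D],
    computed exactly by enumerating every pair (x, x') in X x X."""
    ehat = pair_enc(enc, k)
    counts = [[0] * (1 << N) for _ in range(1 << N)]
    for p in product(range(1 << N), repeat=2):
        counts[diff_proj(p)][diff_proj(ehat(p))] += 1
    return [[c / sum(row) for c in row] for row in counts]

def best_differential(m):
    """Most probable (D, D') with D != 0, as (p, D, D'); the attack then
    needs about 2/p chosen plaintexts."""
    return max((m[d][dp], d, dp) for d in range(1, 1 << N) for dp in range(1 << N))

def impossible_differentials(m):
    """Nonzero (D, D') with M(D, D') = 0; for an ideal cipher these entries
    are all about 2^-N, so observing such a pair rules out E_k."""
    return [(d, dp) for d in range(1, 1 << N) for dp in range(1, 1 << N) if m[d][dp] == 0]

def chosen_plaintexts_needed(p):
    return ceil(2 / p)
```

Because XOR differences pass through the key XOR unchanged, the S-box alone determines M here; its best entry is 4/16 = 0.25 against 2^−4 for an ideal cipher.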

Example: Truncated diff. crypt. Truncated differential cryptanalysis:
– Set X = GF(2)^n, Y = GF(2)^m, cleverly choose linear maps φ_1, φ_2 : X → Y, and take the projections (x, x′) ↦ φ_i(x′ − x), with φ_1 on the input side and φ_2 on the output side.
– If M(Δ, Δ′) ≫ 2^−m for some clever choice of Δ, Δ′, we can distinguish.

Generalized truncated d.c. Generalized truncated differential cryptanalysis:
– Take X, Y_i and the projections as before, now allowing the input projection to land in Y_1 and the output projection in a different space Y_2; then ||M − M′||∞ measures the distinguishing advantage of the attack.
– Generalizes d.c., truncated d.c., l.c., differential-linear crypt., ...

The attacks, compared (hierarchy figure). Generalized truncated differential cryptanalysis sits at the top; arranged beneath it are truncated d.c., differential crypt., complementation props., linear factors, linear crypt., l.c. with multiple approximations, impossible d.c., higher-order d.c., boomerang, yo-yo, sliding, and integrals.

Summary (1). A few leitmotifs generate many known attacks:
– Many other attack methods can also be viewed this way (higher-order d.c., slide attacks, mod n attacks, d.c. over other groups, diff.-linear attacks, algebraic attacks, etc.).
– Are there other powerful attacks in this space?
– Can we prove security against all commutative diagram attacks?
We're primarily exploiting linearities in ciphers:
– E.g., the closure properties of GL(Y, Y) within Perm(X).
– Are there other subgroups with useful closure properties?
– Are there interesting "non-linear" attacks?
– Can we prove security against all "linear" commutative diagram attacks?

Part 2: Algebraic attacks

Example: Interpolation attacks. Express the cipher as a polynomial in the message & key (diagram: E_k : X → X over a polynomial p : X → X, with the identity projection on both sides):
– Write E_k(x) = p(x), then interpolate from known texts.
– Generalization: MITM interpolation: p′(E_k(x)) = p(x).
– Generalization: probabilistic interpolation attacks.
– They use noisy polynomial reconstruction, i.e. decoding Reed-Solomon codes.
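As an added example, not from the slides: an interpolation attack on a constructed toy cipher E_k(x) = (x + k)^7 over GF(2^4). Eight known texts interpolate the polynomial p(x) = E_k(x), which then predicts every other ciphertext (a random permutation would agree on only about one value in sixteen) and, since p(0) = k^7, even recovers k. The field arithmetic and all names here are this example's own assumptions.

```python
MOD = 0b10011  # GF(2^4) with reduction polynomial x^4 + x + 1

def gf_mul(a, b):
    """Carry-less multiply of two nibbles, reduced modulo x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def toy_enc(x, k):
    """Constructed toy cipher: E_k(x) = (x + k)^7 in GF(2^4). x^7 is a bijection
    since gcd(7, 15) = 1, and E_k(x) is a degree-7 polynomial in x."""
    return gf_pow(x ^ k, 7)

def lagrange_eval(points, t):
    """Value at t of the unique polynomial of degree < len(points) through the
    distinct (x, y) pairs in points; subtraction is XOR and den^14 = den^-1."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = gf_mul(num, t ^ xj), gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_pow(den, 14)))
    return total

def interpolation_attack(known_texts):
    """known_texts: 8 distinct (x, E_k(x)) pairs. Returns (predict, key), where
    predict(x) = p(x) = E_k(x) for every x, and the key is recovered from
    p(0) = k^7 as p(0)^13, because 7 * 13 = 91 = 1 (mod 15)."""
    assert len(known_texts) == 8, "a degree-7 polynomial needs 8 points"
    def predict(x):
        return lagrange_eval(known_texts, x)
    return predict, gf_pow(predict(0), 13)

def distinguisher_hits(oracle, known_xs, test_xs):
    """Count test inputs that the polynomial interpolated from known_xs predicts:
    all of them for E_k, only about 1 in 16 for a random permutation."""
    points = [(x, oracle(x)) for x in known_xs]
    return sum(lagrange_eval(points, x) == oracle(x) for x in test_xs)
```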

Example: Rational inter. attacks. Express the cipher as a rational polynomial (diagram: E_k : X → X over p/q : X → X, with the identity projection on both sides):
– If E_k(x) = p(x)/q(x), then:
– Write E_k(x) × q(x) = p(x), and apply linear algebra.
– Note: rational polynomials are closed under composition.
– Q: Are probabilistic rational interpolation attacks feasible?

A generalization: resultants. A possible direction: bivariate polynomials.
– The small diagrams (f_1 : X → X with the relation p_1, and f_2 : X → X with the relation p_2) commute if p_i(x, f_i(x)) = 0 for all x.
– The small diagrams can be composed, yielding a large diagram with a single relation q(·, ·) = 0.
– Let q(x, z) = Res_y(p_1(x, y), p_2(y, z)); then we have q(x, f_2(f_1(x))) = 0, i.e., the large diagram commutes.

Bivariate attacks generalize polynomial & rational interpolation:
– The interpolation diagram (E_k : X → X over p, identity projections) becomes the bivariate diagram for E_k with q_1(x, y) = p(x) − y.
– The rational interpolation diagram (E_k : X → X over p/p′, identity projections) becomes the bivariate diagram for E_k with q_2(x, y) = p′(x) × y − p(x).

Algebraic attacks, compared (hierarchy figure), from most general to most specific: probabilistic bivariate attacks; bivariate attacks; interpolation attacks, MITM interpolation, rational interpol., probabilistic interpol., prob. rational interpol.

Summary (2).
– Many cryptanalytic methods can be understood, and compared, by expressing them as a combination of only a few basic ideas.
– Commutative diagrams are a powerful way to think about cryptanalysis.
Questions?