CS555Spring 2012/Topic 101 Cryptography CS 555 Topic 10: Block Cipher Security & AES.

Slides:



Advertisements
Similar presentations
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Advertisements

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
“Advanced Encryption Standard” & “Modes of Operation”
Formal Verification of Hardware Support For Advanced Encryption Standard Anna Slobodová Centaur Technology This work was done while at Intel.
Week 3 - Wednesday.  What did we talk about last time?  DES  Started AES.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.
Cryptography and Network Security
Data Encryption Standard (DES)
Advanced Encryption Standard
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
RIJNDAEL Arta Doci University Of Colorado.
The Design of Improved Dynamic AES and Hardware Implementation Using FPGA 游精允.
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
CNS2010lecture 5 :: attacks on DES1 ELEC5616 computer and network security matt barrie
ICS 454 Principles of Cryptography Advanced Encryption Standard (AES) (AES) Sultan Almuhammadi.
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
Cryptanalysis on Substitution- Permutation Networks Jen-Chang Liu, 2005 Ref: Cryptography: Theory and Practice, D. R. Stinson.
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
CSE 651: Introduction to Network Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
AES Proposal: Rijndael Joan Daemen Vincent Rijmen “Rijndael is expected, for all key and block lengths defined, to behave as good as can be expected from.
Chapter 5 Advanced Encryption Standard. Origins clear a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
Cryptography Lecture 4 Stefan Dziembowski
Advance Encryption Standard. Topics  Origin of AES  Basic AES  Inside Algorithm  Final Notes.
Week 3 - Monday.  What did we talk about last time?  Secure encryption  DES.
AES Background and Mathematics CSCI 5857: Encoding and Encryption.
Information Security Lab. Dept. of Computer Engineering 122/151 PART I Symmetric Ciphers CHAPTER 5 Advanced Encryption Standard 5.1 Evaluation Criteria.
Rijndael Advanced Encryption Standard. Overview Definitions Definitions Who created Rijndael and the reason behind it Who created Rijndael and the reason.
Chapter 20 Symmetric Encryption and Message Confidentiality.
AES Advanced Encryption Standard. Requirements for AES AES had to be a private key algorithm. It had to use a shared secret key. It had to support the.
AES (Advanced Encryption Standard) By- Sharmistha Roy M.Tech, CSE 1 st semester NIT, Agartala.
AES: Rijndael 林志信 王偉全. Outline Introduction Mathematical background Specification Motivation for design choice Conclusion Discussion.
Advanced Encryption Standard. Origins NIST issued a new version of DES in 1999 (FIPS PUB 46-3) DES should only be used in legacy systems 3DES will be.
Lecture 23 Symmetric Encryption
Cryptography Lecture 17: Advanced Encryption Standard (AES) Piotr Faliszewski.
Fifth Edition by William Stallings
Chapter 2 (C) –Advanced Encryption Standard. Origins clearly a replacement for DES was needed –have theoretical attacks that can break it –have demonstrated.
Block Ciphers and the Advanced Encryption Standard
AES Encryption FIPS 197, November 26, Bit Block Encryption Key Lengths 128, 192, 256 Number of Rounds Key Length Rounds Block.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS519, © A.SelcukDifferential & Linear Cryptanalysis1 CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk.
Linear Cryptanalysis of DES M. Matsui. 1.Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 93, 1994.Linear Cryptanalysis Method for DES Cipher 2.The.
Lecture 4 Overview. Data Encryption Standard Combination of substitution and transposition – Repeated for 16 cycles – Provides confusion and diffusion.
Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.
The Advanced Encryption Standard Part 1: Overview
Understanding Cryptography by Christof Paar and Jan Pelzl Chapter 4 – The Advanced Encryption Standard (AES) ver. October 28, 2009.
1 CPCS425: Information Security (Topic 5) Topic 5  Symmetrical Cryptography  Understand the principles of modern symmetric (conventional) cryptography.
Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:
Secret Key Systems (block encoding)
Combinations COURSE 3 LESSON 11-3
The Advanced Encryption Standard: Rijndael
AES Objectives ❏ To review a short history of AES
Rotors and Secret-Key Encryption
Chapter -3 ADVANCED ENCRYPTION STANDARD & BLOCK CIPHER OPERATION
Advanced Encryption Standard
Advanced Encryption Standard
Advanced Encryption Standard
Presentation transcript:

CS555Spring 2012/Topic 101 Cryptography CS 555 Topic 10: Block Cipher Security & AES

CS555Spring 2012/Topic 102 Outline and Readings Outline Attacks against block ciphers Differential cryptanalysis Linear cryptanalysis Double & triple encryption AES Readings: Katz and Lindell: 5.4, 5.5, 5.6

Block Cipher Security Two attack objectives –Key Recovery –Distinguish from a random permutation Four attack modes –Ciphertext only –Known plaintext –Chosen plaintext –Chosen ciphertext CS555Spring 2012/Topic 103

CS555Spring 2012/Topic 104 Attacking Block Ciphers Standard attacks –exhaustive key search –dictionary attack –differential cryptanalysis –linear cryptanalysis Side channel attacks against implementations. –Timing attacks –Power consumption attacks –Fault injection attacks

Chosen-Plaintext Dictionary Attacks Against Block Ciphers Construct a table with the following entries –(K, E K [0]) for all possible key K –Sort based on the second field (ciphertext) –How much time does this take? To attack a new key K (under chosen message attacks) –Choose 0, obtain the ciphertext C, looks up in the table, and finds the corresponding key –How much time does this step take? Trade off space for time CS555Spring 2012/Topic 105

6 Differential Cryptanalysis Main idea: –This is a chosen plaintext attack, –The attacker knows many (plaintext, ciphertext) pairs –Difference ∆ P = P 1  P 2, ∆ C = C 1  C 2 –Distribution of ∆ C ’s given ∆ P may reveal information about the key (certain key bits) –After finding several bits, use brute-force for the rest of the bits to find the key. CS555

Spring 2012/Topic 107 Differential Cryptanalysis of DES Surprisingly … DES was resistant to differential cryptanalysis. At the time DES was designed, the authors knew about differential cryptanalysis. S-boxes were designed to resist differential cryptanalysis. Against 8-round DES, attack requires 2 38 known plaintext-ciphertext pairs. Against 16-round DES, attack requires 2 47 chosen plaintexts. Differential cryptanalysis not effective against DES in practice. CS555

Spring 2012/Topic 108 Linear Cryptanalysis of DES Introduced in 1993 by M. Matsui Instead of looking for isolated points at which a block cipher behaves like something simpler, it involves trying to create a simpler approximation to the block cipher as a whole. CS555

Spring 2012/Topic 109 Basic idea of linear cryptanalysis Suppose that (*) Pr [ M i1  M i2  …  M iu  C j1  C j2  …  C jv  K p1  k p2  …  k pw =1 ] =  Then one can recover some key bits given large number of PT/CT pairs For DES, exists (*) with  =2 -21 Using this method, one can find 14 key bits using (2 21 ) 2 PT/CT pairs CS555

Spring 2012/Topic 1010 Linear Cryptanalysis of DES M. Matsui showed (1993/1994) that DES can be broke: –8 rounds: 2 21 known plaintext –16 rounds: 2 43 known plaintext, 40 days to generate the pairs (plaintext, ciphertext) and 10 days to find the key The attack has no practical implication, requires too many pairs. Exhaustive search remains the most effective attack. CS555

Spring 2012/Topic 1011 DES Strength Against Various Attacks Attack Method KnownChosenStorage complexity Processing complexity Exhaustive precomputation Exhaustive search1-negligible2 55 Linear cryptanalysis For texts Differential cryptanalysis For texts The weakest point of DES remains the size of the key (56 bits)! CS555

Spring 2012/Topic 1012 Double Encryption: Given a block cipher E k [m], Define Enc k1,k2 [m] = E k1 [E k2 [m]] The “Meet-in-the-middle” attack –Given a pair (m,c), we have D k1 [c] = E k2 [m] –Build table of all encryptions of m –Then for each possible k, test if D k (c) is in the table –For 2DES, this takes about 2 56 time –Requires  2 56 space  Effective key length is 56, instead of 2*56=112 CS555

Spring 2012/Topic 1013 Triple Encryption Let E k [M] be a symmetric block cipher Variant 1: 3E k1,k2,k3 [M] = E k1 [D k2 [E k3 [M]]] –Observe: when k1=k2=k3, 3E k1,k2,k3 [M]=E k [M] –For triple DES, key=168 bits –Effective key length is only 112 bits because of the meet-in-the- middle attack. Variant 2: 3E k1,k2 [M] = E k1 [D k2 [E k1 [M]]] –Given one pair (m,c), no known attack with less than 2 2n time –There exists a 2 n chosen-plaintext attack using 2 n chosen pairs CS555

Spring 2012/Topic 1014 Strengthening DES to avoid Exhaustive Search: DES-X Given block cipher E k Define EX k1,k2,k3 (M)=E k2 (M  k3)  k1 DESX: key-length=2*64+56=184 bits Increases effective key length Fast! CS555

Spring 2012/Topic 1015 Advanced Encryption Standard In 1997, NIST made a formal call for algorithms stipulating that the AES would specify an unclassified, publicly disclosed encryption algorithm, available royalty-free, worldwide. Goal: replace DES for both government and private-sector encryption. The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128-bits and key sizes of 128-, 192-, and 256-bits. In 1998, NIST selected 15 AES candidate algorithms. On October 2, 2000, NIST selected Rijndael (invented by Joan Daemen and Vincent Rijmen) to as the AES.

CS555Spring 2012/Topic 1016 AES Features Designed to be efficient in both hardware and software across a variety of platforms. Not a Feistel Network Block size: 128 bits Variable key size: 128, 192, or 256 bits. Variable number of rounds (10, 12, 14): –10 if K = 128 bits –12 if K = 192 bits –14 if K = 256 bits No known weaknesses

Spring 2012/Topic 1017 Overview of Rijndael/AES Essentially a Substitution-Permutation Network 128-bit round key used for each round: –128 bits = 16 bytes = 4 words –needs N+1 round keys for N rounds –needs 44 words for 128-bit key (10 rounds) State: 4 by 4 array of bytes –128 bits = 16 bytes CS555

Spring 2012/Topic 1018 Rijandael: High-Level Description State = X AddRoundKey(State, Key 0 )(op1) for r = 1 to Nr - 1 SubBytes(State, S-box)(op2) ShiftRows(State)(op3) MixColumns(State)(op4) AddRoundKey(State, Key r ) endfor SubBytes(State, S-box) ShiftRows(State) AddRoundKey(State, Key Nr ) Y = State CS555

Spring 2012/Topic 1019 AddRound Key State is represented as follows (16 bytes): AddRoundKey(State, Key): S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 keystate CS555

Spring 2012/Topic 1020 SubBytes Byte substitution using non-linear S-Box (independently on each byte). S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal bits 8 bytes replaced as follows: 8 bytes defines a hexadecimal number rc, then s r,c = binary(S- box(r, c)) CS555

Spring 2012/Topic 1021 Rijandael S-box How is AES S-box different from DES S-box? –Only one S-box –The S-box is not random; rather it is based on modular arithmetic with polynomials in the field –as it can be defined algebraically, it can be easily analyzed, can be proven that linear and differential cryptanalysis fail CS555

Spring 2012/Topic 1022 S-box Table A B C D E F C 77 7B F2 6B 6F C B FE D7 AB 76 1 CA 82 C9 7D FA F0 AD D4 A2 AF 9C A4 72 C0 2 B7 FD F F7 CC 34 A5 E5 F1 71 D C7 23 C A E2 EB 27 B C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF 6 D0 EF AA FB 43 4D F9 02 7F 50 3C 9F A A3 40 8F 92 9D 38 F5 BC B6 DA FF F3 D2 8 CD 0C 3 EC 5F C4 A7 7E 3D 64 5D F DC 22 2A EE B8 14 DE 5E 0B DB A E0 32 3A 0A C C2 D3 AC E4 79 B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08 C BA E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A D 70 3E B F6 0E B9 86 C1 1D 9E E E1 F D9 8E 94 9B 1E 87 E9 CE DF F 8C A1 89 0D BF E D 0F B0 54 BB 16 Example: hexa 53 is replaced with hexa ED CS555

Spring 2012/Topic 1023 Rijandael: High-Level Description State = X AddRoundKey(State, Key 0 )(op1) for r = 1 to Nr - 1 SubBytes(State, S-box)(op2) ShiftRows(State)(op3) MixColumns(State)(op4) AddRoundKey(State, Key r ) endfor SubBytes(State, S-box) ShiftRows(State) AddRoundKey(State, Key Nr ) Y = State Diffusion Step CS555

Spring 2012/Topic 1024 ShiftRows S 0,0 S 0,1 S 0,2 S 0,3 S 1,0 S 1,1 S 1,2 S 1,3 S 2,0 S 2,1 S 2,2 S 2,3 S 3,0 S 3,1 S 3,2 S 3,3 S 0, 0 S 0,1 S 0,2 S 0,3 S 1, 1 S 1,2 S 1,3 S 1,0 S 2, 2 S 2,3 S 2,0 S 2,1 S 3, 3 S 3,0 S 3,1 S 3,2 CS555

Spring 2012/Topic 1025 MixColumns Interpret each column as a vector of length 4. Each column of State is replaced by another column obtained by multiplying that column with a matrix in CS555

Spring 2012/Topic 1026 Coming Attractions … Block cipher encryption modes Reading: Katz & Lindell: 3.6.3, 3.6.4, 3.7

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.