Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 5: One Fish, Two Fish, Blowfish,

Published byAudrey McLaughlin Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 5: One Fish, Two Fish, Blowfish,"— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science Lecture 5: One Fish, Two Fish, Blowfish, Blue Fish The algorithm might look haphazard, but we did everything for a reason. Nothing is in Twofish by chance. Anything in the algorithm that we couldn't justify, we removed. The result is a lean, mean algorithm that is strong and conceptually simple. Bruce Schneier

2 30 Aug 2000University of Virginia CS 5512 Menu Clipper AES Program AES Candidates –RC6 –Blowfish

3 30 Aug 2000University of Virginia CS 5513 Problem Set 1

4 30 Aug 2000University of Virginia CS 5514 Breaking Grades File Not in my office or any UVA computer Home PC: C:\cs551\grades.txt (encrypted) Adelphia Cable Modem Project proposals are web pages My browser is set to disallow ActiveX, allow Java and JavaScript

5 30 Aug 2000University of Virginia CS 5515 Why a new block cipher? 3DES is almost certainly secure NSA might be able to break it 3DES is too slow 3DES is too inflexible (can’t change block size, key size)

6 30 Aug 2000University of Virginia CS 5516 Clipper 1993 – AT&T markets secure telephony device Law enforcement: US courts can authorize wire taps, must be able to decrypt NSA proposes Clipper Chip –Secret algorithm (Skipjack), only implemented in hardware

7 30 Aug 2000University of Virginia CS 5517 Key Escrow NSA has copy of special key, can get with a court order Sender transmits E (M, k) || LEAF (“law enforcement agents’ field”) Holder of special key can decrypt LEAF to find message key and decrypt message

8 30 Aug 2000University of Virginia CS 5518 LEAF LEAF = E ((E (k, u) || n || a), f ) k = message key u = 80-bit special key (unique to chip) n = 30-bit identifier (unique to chip) a = escrow authenticator f = 80-bit key (same on all chips) Known by FBI

9 30 Aug 2000University of Virginia CS 5519 Wire Tap FBI investigating Alice, intercepts Clipper communication Uses f to decrypt LEAF: D (E ((E (k, u) || n || a), f)) = E (k, u) || n || a) Delivers n and court order to 2 escrow agencies, obtains u Decrypts E (k, u) to obtain message key and decrypt message

10 30 Aug 2000University of Virginia CS 55110 Two Escrow Agencies Proposal didn’t specify who (one probably NSA) Divide u so neither one can decrypt messages on their own (even if they obtain f ) One gets u  X, other gets X

11 30 Aug 2000University of Virginia CS 55111 Clipper Security How do you prevent criminals from transmitting wrong LEAF? –Use a checksum But, easy to find LEAF with right checksum with brute-force attack –NSA solution: put it in hardware, inspect all Clipper devices Still vulnerable to out-of-the box device

12 30 Aug 2000University of Virginia CS 55112 Clipper Politics Not widely adopted, administration backed down –Secret algorithm –Public relations disaster Didn’t involve academic cryptographers early Proposal was rushed, in particular hadn’t figured out who would be escrow agencies Lessons learned well for AES process See http://www.eff.org/pub/Privacy/Key_escrow/Clipper/

13 30 Aug 2000University of Virginia CS 55113 AES 1996: NIST initiates program to choose Advanced Encryption Standard to replace DES Requests algorithm submissions: 15 Requirements: –Secure for next 50-100 years –Performance: faster than 3DES –Support 128, 192 and 256 bit keys –Must be a block cipher

14 30 Aug 2000University of Virginia CS 55114 AES Process Open Design –DES: design criteria for S-boxes kept secret Many decent choices –DES: only one acceptable algorithm Public cryptanalysis efforts before choice –Heavy involvements of academic community, all leading public cryptographers Very conservative: 4 year+ process

15 30 Aug 2000University of Virginia CS 55115 AES Round 1 15 submissions accepted Weak ciphers quickly eliminated –Magenta broken at conference! 5 finalists selected –Security v. performance is main tradeoff –With enough complexity, can make anything secure, challenge is to make something simple secure

16 30 Aug 2000University of Virginia CS 55116 AES Finalists MARS (IBM) RC6 (Rivest, et. al.) Rijndael (top Belgium cryptographers) Serpent (Anderson, Biham, Knudsen) Twofish (Schneier, et. al.)

17 From RC5 to RC6 in seven easy steps From Rivest’s RC6 talk, http://www.rsasecurity.com/rsalabs/aes/

18 30 Aug 2000University of Virginia CS 55118 Description of RC6 RC6-w/r/b parameters: –Word size in bits: w ( 32 )( lg(w) = 5 ) –Number of rounds: r ( 20 ) –Number of key bytes: b ( 16, 24, or 32 ) Key Expansion: –Produces array S[ 0 … 2r + 3] of w-bit round keys. Encryption and Decryption: –Input/Output in 32-bit registers A,B,C,D

19 30 Aug 2000University of Virginia CS 55119 Design Philosophy Leverage experience with RC5: use data-dependent rotations to achieve a high level of security. Adapt RC5 to meet AES requirements Take advantage of a new primitive for increased security and efficiency: 32x32 multiplication, which executes quickly on modern processors, to compute rotation amounts.

20 30 Aug 2000University of Virginia CS 55120 Data-Dependent Rotations abcdefgh << 3 defghabc X  X’ =  X X 1 = X << f(X, k)X 1 ’ = X’ << f (X’, k) Can we say anything about  X 1 ? Same number of bits are still different, but can’t tell which ones. <<< n means rotate left by amount in low order log 2 w bits of n (word size w = 32, 5 bits)

21 30 Aug 2000University of Virginia CS 55121 (1) Start with RC5 RC5 encryption inner loop: for i = 1 to r do A = ((A  B) <<< B) + S [i] (A, B) = (B, A) Can RC5 be strengthened by having rotation amounts depend on all the bits of B? (Recall that <<< only depends on 5 bits of B) Book makes it look more complicated by combining 2 rounds (as originally described).

22 30 Aug 2000University of Virginia CS 55122 Modulo function? Use low-order bits of (B mod d) Too slow! Linear function? Use high-order bits of (c x B) Hard to pick c well! Quadratic function? Use high-order bits of (B x (2B+1)) Better rotation amounts?

23 30 Aug 2000University of Virginia CS 55123 Properties B X (2B+1) should have: One-to-one (can invert for decryption) Good distribution – if B is well distributed, so is B X (2B + 1) High order bits depend on all bits of B (diffusion)

24 30 Aug 2000University of Virginia CS 55124 B x (2B+1) is one-to-one mod 2 w Proof: By contradiction. If B  C but B x (2B + 1) = C x (2C + 1) (mod 2 w ) then (B - C) x (2B+2C+1) = 0 (mod 2 w ) But (B-C) is nonzero and (2B+2C+1) is odd; their product can’t be zero!  Corollary: B uniform  B x (2B+1) uniform (and high-order bits are uniform too!)

25 30 Aug 2000University of Virginia CS 55125 High-order bits of B x (2B+1) The high-order bits of f(B) = B x ( 2B + 1 ) = 2B 2 + B depend on all the bits of B. Let B = B 31 B 30 B 29 … B 1 B 0 in binary. Flipping bit i of input B –Leaves bits 0 … i-1 of f(B) unchanged, –Flips bit i of f(B) with probability one, –Flips bit j of f(B), for j > i, with probability approximately 1/2 (1/4…1), –is likely to change some high-order bit.

26 30 Aug 2000University of Virginia CS 55126 (2) Quadratic Rotation Amounts for i = 1 to r do { t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A  B ) <<< t ) + S[ i ] ( A, B ) = ( B, A ) } But now much of the output of this nice multiplication is being wasted...

27 30 Aug 2000University of Virginia CS 55127 for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A  t ) <<< t ) + S[ i ] ( A, B ) = ( B, A ) Now AES requires 128-bit blocks. We could use two 64-bit registers, but 64-bit operations are poorly supported with typical C compilers... (3) Use t, not B, as xor input

28 30 Aug 2000University of Virginia CS 55128 (4) Do two RC5’s in parallel Use four 32-bit regs (A,B,C,D), and do RC5 on (C,D) in parallel with RC5 on (A,B): for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A  t ) <<< t ) + S[ 2i ] ( A, B ) = ( B, A ) u = ( D x ( 2D + 1 ) ) <<< 5 C = ( ( C  u ) <<< u ) + S[ 2i + 1 ] ( C, D ) = ( D, C )

29 30 Aug 2000University of Virginia CS 55129 (5) Mix up data between copies Switch rotation amounts between copies, and cyclically permute registers instead of swapping: for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A)

30 30 Aug 2000University of Virginia CS 55130 One Round of RC6 5 5 f f ABCD <<< S[2i] S[2i+1] ABCD t u

31 30 Aug 2000University of Virginia CS 55131 Key Expansion (Same as RC5’s) Input: array L [0 … c-1] of input key words Output: array S [0 … 43] of round key words Procedure: S [0] = 0xB7E15163 for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9 A = B = i = j = 0 for s = 1 to 132 do A = S[ i ] = (S[ i ] + A + B) <<< 3 B = L[ j ] = (L[ j ] + A + B) <<< (A + B ) i = (i + 1) mod 44 j = (j + 1) mod c = Odd[(e-2)2 32 ] = Odd[(  -1)2 32 ]

32 30 Aug 2000University of Virginia CS 55132 What do  / e /  have to do with cryptography? Used by RC5, RC6, Blowfish, etc. in magic constants Mathematical constants have good pseudorandom distribution Since they are public and well-known, no fear that choice is a trap door

33 30 Aug 2000University of Virginia CS 55133 (6) Add Pre- and Post-Whitening B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) A = A + S[ 2r + 2 ] C = C + S[ 2r + 3 ]

34 30 Aug 2000University of Virginia CS 55134 (7) Set r = 20 for high security Final RC6 (based on analysis) B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to 20 do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) A = A + S[ 42 ] C = C + S[ 43 ]

35 30 Aug 2000University of Virginia CS 55135 RC6 Decryption (for AES) C = C – S [2r + 3] A = A – S [2r + 2] for i = r downto 1 do (A, B, C, D) = (D, A, B, C) u = (D x (2D + 1)) >> t )  u A = ((A – S [2i]) >>> u )  t D = D - S[1] B = B - S[0]

36 30 Aug 2000University of Virginia CS 55136 D K E K (P) = P ? Exercise to the reader... Proof is worth 100 bonus points (1 problem set).

37 30 Aug 2000University of Virginia CS 55137 Blowfish [Schneier93] 64-bit block cipher Much faster than DES Variable key length: 32-448 bits Many attempted crytanalyses, none successful yet Widely used: ssh, OpenBSD, PGPFone

38 30 Aug 2000University of Virginia CS 55138 Key-Dependent S-Boxes Differential Cryptanalysis depends on analyzing S-box input/output different probabilities Change the S-boxes so you can’t do analysis

39 30 Aug 2000University of Virginia CS 55139 Blowfish  Twofish Blowfish: runs encryption 521 times to produce S-boxes –Too slow for AES, requires too much memory for smart cards Twofish –Provides options for how many key- dependant S-boxes (tradeoff security/time- space) –Also: increase block size (128 required by AES), change key schedule, etc.

40 30 Aug 2000University of Virginia CS 55140 Two Fish From http://www.ddj.com/articles/1998/9812/9812b/9812bf1.htm

41 30 Aug 2000University of Virginia CS 55141 Choosing AES Cipher Speed (32) Speed (8) Safety Factor Simplicity (code size) Serpent62693.56341 KB MARS23341.9085 KB RC615431.1848 KB Rijndael18201.3398 KB Twofish16182.67104 KB (cycles/byte encrypt)

42 30 Aug 2000University of Virginia CS 55142 Performance/Security Just how paranoid are you? How much progress will happen in cryptanalysis?

43 30 Aug 2000University of Virginia CS 55143 AES Status August 31, 2000 - NIST is still on track to announce its proposed selection for the AES in late summer / early fall, and it is likely to occur sometime in September. HOWEVER, a specific date for the announcement has NOT been set at this time. When a date has been selected, it will be indicated here, to give the public as much advance notice as possible. http://csrc.nist.gov/encryption/aes/

44 30 Aug 2000University of Virginia CS 55144 Charge Project Pre-Proposals due Monday Challenge #1 still open, 2 new challenge problems: –RC6 Decryption Proof –Break SDMI ($10K reward!) Next time: –Key Distribution US Army communications officer Public-Key Cryptosystems

Download ppt "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 5: One Fish, Two Fish, Blowfish,"

Similar presentations

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.

Origins  clear a replacement for DES was needed Key size is too small Key size is too small The variants are just patches The variants are just patches.
Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.

Chap. 5: Advanced Encryption Standard (AES) Jen-Chang Liu, 2005 Adapted from lecture slides by Lawrie Brown.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 5

Cryptography and Network Security Chapter 5
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Cryptography and Network Security

Cryptography and Network Security
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.
Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.

Cryptography and Network Security (AES) Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 10/18/2009 INCS 741: Cryptography 10/18/20091Dr.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.

Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard.
Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard It seems very simple. It is very simple. But if you don't know.

Cryptography and Network Security Chapter 5. Chapter 5 –Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know.
Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 5 Fourth Edition by William Stallings.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
CS 682 - Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.

CS Network Security Lecture 2 Prof. Katz. 9/7/2000Lecture 2 - Data Encryption2 DES – Data Encryption Standard Private key. Encrypts by series of.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukAfter the DES1 Block Ciphers After the DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Dr. Lo’ai Tawalbeh 2007 Chapter 5: Advanced Encryption Standard (AES) Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) - 2007 Jordan’s Campus.

Dr. Lo’ai Tawalbeh 2007 Chapter 5: Advanced Encryption Standard (AES) Dr. Lo’ai Tawalbeh New York Institute of Technology (NYIT) Jordan’s Campus.

Similar presentations

Ads by Google