Stream Ciphers - Block Ciphers (1)

The document outlines the formal definition of security in encryption, emphasizing the need for clear security guarantees and threat models. It details essential guarantees for secure encryption schemes, such as preventing key recovery and ensuring no information leakage about plaintext from ciphertext. Additionally, it discusses perfect secrecy and computational security, highlighting the challenges of achieving perfect secrecy in practical applications.

Uploaded by Tuna Bostancı

Private-Key Cryptography
Murat Osmanoglu
Formal Definition of Security (in the Context of Encryption)

If you don’t understand what you want to achieve, how can you possibly know when (or if) you have achieved it?

• A security definition has two components:
• security guarantee (defines what the scheme is intended to prevent the attacker from doing)
• threat model (identifies the power of the adversary – what actions the attacker is assumed to be able to carry out)
Formal Definition of Security (in the Context of Encryption)

• What should a secure encryption scheme guarantee?

1) it should be impossible for an attacker to recover the key
Consider a scheme where Enc(m, k) = m
• meets the demand, but does not actually encrypt

2) it should be impossible for an attacker to recover the entire plaintext from the ciphertext
What if the ciphertext revealed 90% of the plaintext?

3) it should be impossible for an attacker to recover any character of the plaintext from the ciphertext
consider an encryption scheme on a salary database
assume the ciphertext does not reveal any character of the plaintext
What if it reveals whether an employee’s salary is more than or less than 50k?

4) regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext
Sounds good
What about the mathematical formulation of the definition?
Formal Definition of Security (in the Context of Encryption)

There are several options for the threat model
• Ciphertext-only attack:
• the adversary just observes a ciphertext and attempts to determine information about the underlying plaintext
• Known-plaintext attack:
• the adversary has some plaintext-ciphertext pairs computed using some key
• it tries to get information about the plaintext of some other ciphertext computed using the same key
• Chosen-plaintext attack:
• the adversary is allowed to get some plaintext-ciphertext pairs for plaintexts of its choice
• Chosen-ciphertext attack:
• the adversary is additionally allowed to get the decryption of ciphertexts of its choice
Perfect Secrecy

• “A Mathematical Theory of Communication”, Claude E. Shannon, Bell System Technical Journal, 1948
• An encryption scheme is perfectly secret if for every m in M and for every c in C, Pr[M=m] = Pr[M=m | C=c]
• the probability that the adversary guesses the message as m is Pr[M=m]
• the probability that the adversary guesses the message as m after seeing the ciphertext is Pr[M=m | C=c]
• Pr[M=m] = Pr[M=m | C=c] means that knowing c does not affect the adversary’s guess (the adversary learns nothing from the ciphertext)
• threat model: ciphertext-only attack
Perfect Secrecy

• An encryption scheme is perfectly secret if for every m in M and for every c in C, Pr[M=m] = Pr[M=m | C=c]
• Is the shift cipher perfectly secure?
• If m is a one-letter message:
  Pr[M=m] = Pr[M=m | C=c] = 1/26
• If m is a two-letter message:
  m1 = AB, m2 = AZ, and c = BC
  Pr[M=m1 | C=c] = 1/26, but Pr[M=m2 | C=c] = 0
One-Time Pad

• introduced by Frank Miller in 1882
• patented by Vernam in 1917
• Shannon demonstrated that the one-time pad achieves perfect secrecy
• K = M = C = {0,1}^L, the set of all binary strings of length L
• Gen: randomly chooses a key k
• Enc: given a key k in {0,1}^L and a message m in {0,1}^L, c = k XOR m
• Dec: given a key k in {0,1}^L and a ciphertext c in {0,1}^L, m = k XOR c

m : 0 1 1 0 1 1 0 0 1 1
XOR
k : 1 0 1 1 0 1 0 1 0 1
c : 1 1 0 1 1 0 0 1 1 0

Correctness: for every key k and every message m,
Dec(k, Enc(k, m)) = k XOR (k XOR m) = (k XOR k) XOR m = 0 XOR m = m
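The two perfect-secrecy claims above (the shift cipher on one-letter versus two-letter messages, and the one-time pad) can be checked mechanically by enumerating every (message, key) pair. The following Python is an added example, not code from the slides: posterior() computes Pr[M=m | C=c] exactly for a uniform message and key distribution (the numbers the shift-cipher slide quotes), and is_perfectly_secret() uses the distribution-independent characterisation that Pr[C=c | M=m] must be the same for every m. The function and constant names are this example's own; the OTP is run on {0,1}^4 so that the enumeration stays small.

```python
from fractions import Fraction
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def shift_encrypt(key: int, msg: str) -> str:
    """Shift cipher: move every letter of msg forward by `key` positions (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] for ch in msg)

def otp_encrypt(key: tuple, msg: tuple) -> tuple:
    """One-time pad on bit strings of length L, written as tuples of 0/1: c = k XOR m."""
    return tuple(k ^ m for k, m in zip(key, msg))

def otp_decrypt(key: tuple, c: tuple) -> tuple:
    """Dec(k, c) = k XOR c; identical to Enc because XOR is its own inverse."""
    return otp_encrypt(key, c)

def posterior(messages, keys, enc, c):
    """Pr[M=m | C=c] for every m, with M uniform over `messages` and the key
    uniform over `keys`. Enumerates every (m, k) pair, so the result is exact."""
    weight = Fraction(1, len(messages) * len(keys))   # Pr[M=m and K=k]
    joint = {m: Fraction(0) for m in messages}        # Pr[M=m and C=c]
    for m in messages:
        for k in keys:
            if enc(k, m) == c:
                joint[m] += weight
    pr_c = sum(joint.values())                        # Pr[C=c]
    if pr_c == 0:
        raise ValueError("c is not a possible ciphertext of this scheme")
    return {m: joint[m] / pr_c for m in messages}

def is_perfectly_secret(messages, keys, enc) -> bool:
    """Perfect secrecy without fixing a message distribution: the scheme is
    perfectly secret iff Pr[C=c | M=m] is the same for all m (for every c).
    With a uniform key that means every m reaches every c under the same number of keys."""
    histograms = []
    for m in messages:
        hist = {}
        for k in keys:
            c = enc(k, m)
            hist[c] = hist.get(c, 0) + 1
        histograms.append(hist)
    return all(h == histograms[0] for h in histograms)

ONE_LETTER = list(ALPHABET)
TWO_LETTER = ["".join(p) for p in product(ALPHABET, repeat=2)]
SHIFT_KEYS = list(range(26))
BIT_STRINGS = list(product((0, 1), repeat=4))          # {0,1}^4 for the OTP check

if __name__ == "__main__":
    # One-letter shift cipher: prior 1/26 equals posterior 1/26 for every letter.
    print(posterior(ONE_LETTER, SHIFT_KEYS, shift_encrypt, "C")["A"])
    # Two-letter shift cipher, the slides' example: c = BC rules out AZ entirely.
    post = posterior(TWO_LETTER, SHIFT_KEYS, shift_encrypt, "BC")
    print(post["AB"], post["AZ"])
    print(is_perfectly_secret(ONE_LETTER, SHIFT_KEYS, shift_encrypt))
    print(is_perfectly_secret(TWO_LETTER, SHIFT_KEYS, shift_encrypt))
    # One-time pad over {0,1}^4 with K = M = C: perfectly secret.
    print(is_perfectly_secret(BIT_STRINGS, BIT_STRINGS, otp_encrypt))
```

For the two-letter shift cipher the prior Pr[M=AB] is 1/676 while the posterior given c = BC is 1/26, so the definition already fails for m1 = AB; m2 = AZ just makes the failure more visible because its posterior drops to 0.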
One-Time Pad

• ‘the red phone’ during the Cold War: trusted couriers carried briefcases of paper on which random characters were written
• It is not practical!
• the key is as long as the message
• the key cannot be reused
• two parties must share a new key whenever they communicate
Computational Security

• perfect secrecy is too difficult to achieve in practice (imagine using OTP for every website that employs HTTPS)
• security is guaranteed only against computationally bounded adversaries
• limits on computational power and storage
• polynomial-time adversaries
• adversaries may successfully break the encryption with a very small probability
• computational assumptions are essential for the threat model

Computational Security

4) regardless of any information an attacker already has, a ciphertext should leak no additional information about the underlying plaintext

What about the mathematical formulation of the definition?

indistinguishability in the presence of an eavesdropper (IND-EAV)

Charlie (the Challenger) holds k and Enc( . ); the game proceeds as follows:
1. the Adversary sends two messages m0, m1 in M to Charlie
2. Charlie picks b ← {0, 1} and returns cb = Enc(k, mb)
3. the Adversary outputs a guess b’

the adversary wins the game if b = b’
The scheme is IND-EAV secure if the adversary wins the game only with probability 1/2 + ε (ε negligible)

Stream Ciphers

• encrypt a digital data stream one bit or one byte at a time (one-time pad)
• making the one-time pad practical
• use a pseudo-random generator (PRG) to shorten the key size

Enc(k, m) = PRG(k) XOR m
Dec(k, c) = PRG(k) XOR c

the one-time pad with PRG(k) as the pad (a stream cipher) is IND-EAV secure if the PRG is unpredictable

Attacks on Stream Ciphers

1) two-time pad is insecure
c1 = m1 XOR PRG(k)
c2 = m2 XOR PRG(k)
c1 XOR c2 = m1 XOR m2 → m1 and m2

• Venona Project: US counterintelligence program initiated during World War II to decrypt messages transmitted by the intelligence agencies of the Soviet Union (1943-1980)
• the Russians used the one-time pad to encrypt various messages
• the pad used in the encryption was generated by humans throwing dice
• eventually they used the same pad for multiple messages
• the Americans managed to crack 3000 ciphertexts
Attacks on Stream Ciphers

1) two-time pad is insecure

• MS-PPTP (Point-to-Point Tunnelling Protocol) enables creating a virtual private network using tunnelling (considered cryptographically broken by Microsoft since 2012)
• the client and the server use the same key (usually created from the user’s password) in exactly the same way for sending their messages

client → server: [m1 || m2 || m3 || …] XOR PRG(k)
server → client: [s1 || s2 || s3 || …] XOR PRG(k)

Attacks on Stream Ciphers

2) no integrity (just confidentiality)

Enc: m → m XOR k
an attacker XORs a value u into the ciphertext: m XOR k XOR u
Dec: m XOR k XOR u → m XOR u

e.g. a ciphertext of "From : Alice ..." can be changed so that it decrypts to "From : xxxx ..." without the attacker knowing the key
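The stream-cipher construction Enc(k, m) = PRG(k) XOR m, the two-time pad identity c1 XOR c2 = m1 XOR m2, and the "no integrity" flip above all follow from the same code, so one added example (not from the slides) covers all three. The keystream here is an illustrative PRG built from SHA-256(key || counter), an assumption of this example rather than a standard stream cipher; the messages and key are constructed. As the mitigation a practitioner would want, the last two functions add an encrypt-then-MAC layer (HMAC-SHA256) that rejects the tampered ciphertext; the names keystream, two_time_pad_leak, flip_bytes, auth_encrypt and auth_decrypt are this example's own.

```python
import hashlib
import hmac

def keystream(key: bytes, length: int) -> bytes:
    """Stands in for PRG(k) from the slides. Illustrative construction (an
    assumption of this example, not a standard cipher): SHA-256(key || counter)
    blocks concatenated until `length` bytes are available."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, m: bytes) -> bytes:
    return xor(keystream(key, len(m)), m)          # Enc(k, m) = PRG(k) XOR m

def stream_decrypt(key: bytes, c: bytes) -> bytes:
    return xor(keystream(key, len(c)), c)          # Dec(k, c) = PRG(k) XOR c

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same PRG(k): the keystream cancels and
    c1 XOR c2 = m1 XOR m2 is exposed to anyone holding both ciphertexts."""
    return xor(c1, c2)

def flip_bytes(c: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XORing u = old XOR new into the ciphertext at `offset`
    makes the decryption read `new` where the sender wrote `old`; no key needed."""
    u = xor(old, new)
    return c[:offset] + xor(c[offset:offset + len(u)], u) + c[offset + len(u):]

def derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key (assumption)."""
    return hashlib.sha256(label + key).digest()

def auth_encrypt(key: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: restores the integrity the bare stream cipher lacks."""
    c = stream_encrypt(derive(key, b"enc"), m)
    return c + hmac.new(derive(key, b"mac"), c, hashlib.sha256).digest()

def auth_decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the 32-byte tag does not verify."""
    c, tag = blob[:-32], blob[-32:]
    expected = hmac.new(derive(key, b"mac"), c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_decrypt(derive(key, b"enc"), c)

# Constructed sample data for the demonstration (same length so the XOR lines up).
KEY = b"demo-key-not-secret"
M1 = b"From : Alice; pay 10 EUR"
M2 = b"From : Bob  ; pay 99 EUR"

if __name__ == "__main__":
    c1, c2 = stream_encrypt(KEY, M1), stream_encrypt(KEY, M2)
    print(stream_decrypt(KEY, c1) == M1)                    # correctness
    print(two_time_pad_leak(c1, c2) == xor(M1, M2))         # key reuse: keystream cancelled
    print(stream_decrypt(KEY, flip_bytes(c1, 7, b"Alice", b"xxxxx")))  # sender field rewritten
    tampered = flip_bytes(auth_encrypt(KEY, M1), 7, b"Alice", b"xxxxx")
    print(auth_decrypt(KEY, tampered))                      # None: the MAC catches it
```

The offset 7 is where "Alice" starts in M1 ("From : " is seven bytes). In a deployment the detection signal is the failed tag verification in auth_decrypt; that failure, not the decrypted text, is what should be logged.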
Computational Security

indistinguishability under chosen-plaintext attack (IND-CPA)

Charlie (the Challenger) holds k and Enc( . ); the game proceeds as follows:
1. the Adversary sends a message m of its choice to Charlie and receives Enc(k, m)
2. the Adversary sends two messages m0, m1 in M to Charlie
3. Charlie picks b ← {0, 1} and returns cb = Enc(k, mb)
4. the Adversary may again send a message m of its choice and receive Enc(k, m)
5. the Adversary outputs a guess b’

the adversary wins the game if b = b’
The scheme is IND-CPA secure if the adversary wins the game only with probability 1/2 + ε (ε negligible)

• the one-time pad is not IND-CPA secure
• deterministic encryption is not IND-CPA secure
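The IND-EAV game earlier and the IND-CPA game above differ only in whether the adversary may ask Charlie for encryptions, so one added example (not from the slides) implements both with a shared challenger and plays them against the one-time pad. The eavesdropper can only guess and wins about half the time; the chosen-plaintext adversary asks for Enc(k, m0) before the challenge and, because the scheme is deterministic under a fixed key, recognises cb with certainty. The names Challenger, play, eav_adversary and cpa_adversary are this example's own.

```python
import secrets

def otp_encrypt(key: bytes, m: bytes) -> bytes:
    """One-time pad (a deterministic scheme once the key is fixed): c = k XOR m."""
    return bytes(k ^ x for k, x in zip(key, m))

class Challenger:
    """Charlie from the slides: holds k and Enc( . ), answers encryption
    queries (only offered in the CPA game) and encrypts m_b for a random b."""
    def __init__(self, enc, key: bytes):
        self.enc, self.key, self.b = enc, key, None

    def query(self, m: bytes) -> bytes:
        return self.enc(self.key, m)

    def challenge(self, m0: bytes, m1: bytes) -> bytes:
        assert len(m0) == len(m1), "the two messages must have equal length"
        self.b = secrets.randbelow(2)
        return self.enc(self.key, (m0, m1)[self.b])

def play(enc, key_len: int, adversary, cpa: bool, trials: int = 1000) -> float:
    """Runs the game `trials` times with a fresh key each time and returns the
    adversary's win rate (fraction of games with b' == b). In the EAV game the
    adversary receives no query oracle (None)."""
    wins = 0
    for _ in range(trials):
        charlie = Challenger(enc, secrets.token_bytes(key_len))
        guess = adversary(charlie.query if cpa else None, charlie.challenge)
        wins += guess == charlie.b
    return wins / trials

M0, M1 = b"buy ", b"sell"     # constructed challenge messages, equal length

def eav_adversary(query, challenge) -> int:
    """Eavesdropper: sees c_b only. Against the one-time pad every strategy
    wins with probability exactly 1/2, so this one simply guesses."""
    challenge(M0, M1)
    return secrets.randbelow(2)

def cpa_adversary(query, challenge) -> int:
    """Chosen-plaintext adversary: asks for Enc(k, m0) first. With a
    deterministic scheme, c_b equals that answer exactly when b = 0."""
    c0 = query(M0)
    return 0 if challenge(M0, M1) == c0 else 1

if __name__ == "__main__":
    print("IND-EAV win rate vs OTP:", play(otp_encrypt, 4, eav_adversary, cpa=False))  # about 0.5
    print("IND-CPA win rate vs OTP:", play(otp_encrypt, 4, cpa_adversary, cpa=True))   # 1.0
```

The same cpa_adversary defeats any deterministic scheme, which is the point the slides make: IND-CPA security forces encryption to be randomized (or stateful), as the modes of operation later in the deck are.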
Block Ciphers

Plaintext Block (n bits) → ENC / DEC, keyed by a k-bit KEY → Ciphertext Block (n bits)

Canonical Examples
• DES: n = 64 bits, k = 56 bits
• 3DES: n = 64 bits, k = 168 bits
• AES: n = 128 bits, k = 128, 192, 256 bits
Block Ciphers

key expansion: k → k1, k2, ..., kn
m → R(k1, ·) → R(k2, ·) → ... → R(kn, ·) → c

• R(k, m) is called the round function
• for 3DES: n = 48, for AES: n = 10
DES (Data Encryption Standard)

• Early 1970s: Horst Feistel designed Lucifer at IBM (Feistel was the leader of the group that designed the scheme to meet the customer’s demand)
  key = 128 bits, block = 128 bits
• 1973: NBS (National Bureau of Standards) asks for block cipher proposals; IBM submits a variant of Lucifer
• 1976: NBS adopts DES as a federal standard
  key = 56 bits, block = 64 bits
• 1997: DES broken by exhaustive search (the machine tries all the possible 2^56 keys)
• 2000: NIST adopts Rijndael as AES to replace DES
• DES widely deployed in banking and commerce

DES – Feistel Network

• f1, f2, …, fd : {0,1}^n → {0,1}^n are arbitrary functions
• Ri = fi(Ri-1) XOR Li-1, Li = Ri-1
• inverse: Li-1 = fi(Li) XOR Ri, Ri-1 = Li

DES – 16-round Feistel Network

• f1, f2, …, f16 : {0,1}^32 → {0,1}^32
• fi(x) = F(ki, x) where ki is the round key generated by key expansion (the 56-bit key is expanded to 16 48-bit keys)
• IP: initial permutation (not for security, just for the standard)
• F(ki, x) : {0,1}^48 x {0,1}^32 → {0,1}^32 (expansion, S-boxes, and permutation)
DES – Exhaustive Search

(given three 64-bit plaintext/ciphertext pairs (m1, c1), (m2, c2), (m3, c3))
• find k in {0,1}^56 such that DES(k, mi) = ci for i = 1, 2, 3
• The first challenge began in 1997 and was solved in 96 days by DESCHALL
• DES Challenge II-1 was solved by distributed.net in 39 days in early 1998. The plaintext was "The unknown message is: Many hands make light work"
• DES Challenge II-2 was solved in just 56 hours in July 1998 by the Electronic Frontier Foundation, with their purpose-built Deep Crack machine. The machine cost 250k, they won 10k. The plaintext was "The unknown message is: It's time for those 128-, 192-, and 256-bit keys."
• DES Challenge III was a joint effort between distributed.net and Deep Crack. The key was found in just 22 hours 15 minutes in January 1999, and the plaintext was "See you in Rome (second AES Conference, March 22-23, 1999)"

https://en.wikipedia.org/wiki/DES_Challenges
DES – Exhaustive Search

Strengthening DES
• Triple-DES
  3DES((k1, k2, k3), m) = E(k1, D(k2, E(k3, m)))
• Why decryption in the middle? If k1 = k2 = k3, 3DES becomes (slower) DES
• for 3DES, key = 168 bits, 3x slower than DES
• for exhaustive search, 2^168 possible keys; however, there is a simple attack in time 2^118

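The Feistel inversion rule from the earlier slides (Li-1 = fi(Li) XOR Ri, Ri-1 = Li) and the 3DES composition E(k1, D(k2, E(k3, m))) above are demonstrated together in this added Python example, which is not code from the slides and is not DES: the round function and key expansion are illustrative SHA-256-based stand-ins (an assumption of this example), chosen only because a Feistel network inverts for any round function. The example checks that decryption undoes encryption round by round, and that with k1 = k2 = k3 the triple construction collapses to a single encryption, which is why the middle operation is a decryption. Function names (feistel_encrypt, E, D, triple_encrypt, triple_decrypt) are this example's own.

```python
import hashlib

ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(round_key: bytes, half: bytes) -> bytes:
    """f_i(x) = F(k_i, x). Any function works, it need not be invertible; this
    illustrative F (an assumption, not DES's expansion/S-boxes/permutation)
    hashes the round key with the half-block and truncates to the half size."""
    return hashlib.sha256(round_key + half).digest()[:len(half)]

def expand_key(key: bytes, rounds: int = ROUNDS) -> list:
    """Illustrative key expansion (assumption): k_i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel_encrypt(round_keys: list, block: bytes) -> bytes:
    """R_i = f_i(R_{i-1}) XOR L_{i-1}, L_i = R_{i-1}, for i = 1..d."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for rk in round_keys:
        L, R = R, xor(round_function(rk, R), L)
    return L + R

def feistel_decrypt(round_keys: list, block: bytes) -> bytes:
    """Inverse round L_{i-1} = f_i(L_i) XOR R_i, R_{i-1} = L_i, applied for i = d..1.
    The same f_i are used, which is why they need not be invertible."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for rk in reversed(round_keys):
        L, R = xor(round_function(rk, L), R), L
    return L + R

def E(key: bytes, block: bytes) -> bytes:
    return feistel_encrypt(expand_key(key), block)

def D(key: bytes, block: bytes) -> bytes:
    return feistel_decrypt(expand_key(key), block)

def triple_encrypt(k1: bytes, k2: bytes, k3: bytes, m: bytes) -> bytes:
    """EDE composition from the slides: 3DES((k1, k2, k3), m) = E(k1, D(k2, E(k3, m)))."""
    return E(k1, D(k2, E(k3, m)))

def triple_decrypt(k1: bytes, k2: bytes, k3: bytes, c: bytes) -> bytes:
    """Undo the three layers in reverse order."""
    return D(k3, E(k2, D(k1, c)))

if __name__ == "__main__":
    block = b"\x01\x23\x45\x67\x89\xab\xcd\xef"          # one 64-bit block (constructed)
    print(D(b"k", E(b"k", block)) == block)               # Feistel inverts with the same f_i
    print(triple_encrypt(b"k", b"k", b"k", block) == E(b"k", block))  # k1=k2=k3 -> single E
    print(triple_decrypt(b"a", b"b", b"c", triple_encrypt(b"a", b"b", b"c", block)) == block)
```

With an EEE composition the k1 = k2 = k3 case would give E applied three times, which is not compatible with existing single-DES deployments; EDE is what lets a 3DES implementation interoperate with legacy DES by repeating one key.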
AES (Advanced Encryption Standard)

• 1997: NIST published the request for proposals
• 1998: 15 submissions
• 1999: NIST chose 5 finalists
• 2000: NIST chose Rijndael as AES (designed in Belgium)
• key = 128, 192, 256 bits; block = 128 bits

AES – Subs/Perm Network

• In a Feistel network, half of the bits remain unchanged from round to round, but here all the bits change in every round
Attacks on AES

• best key recovery attack: four times better than exhaustive search (128-bit key becomes 126-bit key)
  “Biclique Cryptanalysis of the Full AES”, Andrey Bogdanov, Dmitry Khovratovich, Christian Rechberger, Asiacrypt 2011
• related-key attack on AES-256: given 2^99 input-output pairs from four related keys, the keys can be recovered in time 2^99
  (choose the keys independently)
  “Related-Key Cryptanalysis of the Full AES-192 and AES-256”, Alex Biryukov, Dmitry Khovratovich, Asiacrypt 2009
Modes of Operation
Electronic Code Book

• the message is broken into independent blocks
• each block is encrypted separately
• if m1 = m2, then c1 = c2
• the same data block always gets encrypted in the same way, which reveals patterns when data repeats
• it is deterministic! not IND-CPA secure, not IND-EAV secure
Modes of Operation
Cipher Block Chaining

• uses a random initialization vector (IV)
• block i depends on block i-1
• randomizes the encryption
• IND-CPA secure if the block cipher is secure (a pseudorandom permutation) and the IV is truly random