11-crypto-block-ciphers.pdf, Exams of Cryptography and System Security

Typology: Exams

2022/2023

Uploaded on 05/11/2023

Cryptography: Block Ciphers
Edward J. Schwartz
Carnegie Mellon University
Credits:
Slides originally designed by David Brumley. Many other slides are from Dan
Boneh’s June 2012 Coursera crypto class.

What is a block cipher?

Block ciphers are the crypto workhorse

Canonical examples:

1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits

[Figure: E, D take a block of plaintext (n bits) and a key (k bits) and produce a block of ciphertext (n bits).]

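Performance: Stream vs. block ciphers

Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

| Type   | Cipher     | Block/key size | Throughput [MB/s] |
|--------|------------|----------------|-------------------|
| Stream | RC4        |                | 126               |
| Stream | Salsa20/12 |                | 643               |
| Stream | Sosemanuk  |                | 727               |
| Block  | 3DES       | 64/168         | 13                |
| Block  | AES128     | 128/128        | 109               |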

Block ciphers

The Data Encryption Standard (DES)

DES: core idea – Feistel network

Given one-way functions

Goal: build invertible function

[Figure: d-round Feistel network. Input: L_0 and R_0, n bits each. Round functions f_1, f_2, ..., f_d produce (L_1, R_1), (L_2, R_2), ..., (L_{d-1}, R_{d-1}). Output: L_d and R_d.]

In symbols:

Feistel network - inverse

Claim: Feistel function F is invertible

Proof: construct inverse

[Figure: one round maps (L_i, R_i) to (L_{i+1}, R_{i+1}) using f_{i+1}; the inverse maps (L_{i+1}, R_{i+1}) back to (L_i, R_i) using the same f_{i+1}.]
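
An added example (not from the original slides): a toy 16-bit Feistel network that builds an invertible function from round functions that are themselves not invertible, including a constant one, and checks exhaustively that the result is a permutation. The round functions, block size and all names are assumptions for illustration, not DES; the round rule is the standard Feistel one, L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1}).

```python
import hashlib

N = 8                      # half-block width in bits; the block is 2n = 16 bits
MASK = (1 << N) - 1
BLOCKS = 1 << (2 * N)      # number of distinct 2n-bit blocks

def make_round_fn(key: bytes):
    """Keyed round function f: n bits -> n bits (truncated SHA-256, not invertible)."""
    def f(x: int) -> int:
        return hashlib.sha256(key + bytes([x])).digest()[0]
    return f

def feistel(fs, block: int) -> int:
    """Forward network: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})."""
    if not 0 <= block < BLOCKS:
        raise ValueError("block must fit in 2n bits")
    left, right = block >> N, block & MASK
    for f in fs:
        left, right = right, left ^ (f(right) & MASK)
    return (left << N) | right

def feistel_inverse(fs, block: int) -> int:
    """Inverse: R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(L_i), rounds in reverse order."""
    if not 0 <= block < BLOCKS:
        raise ValueError("block must fit in 2n bits")
    left, right = block >> N, block & MASK
    for f in reversed(fs):
        left, right = right ^ (f(left) & MASK), left
    return (left << N) | right

def is_permutation(fs) -> bool:
    """Exhaustively check that the network is one-to-one on all 2^(2n) blocks."""
    return len({feistel(fs, b) for b in range(BLOCKS)}) == BLOCKS

def round_trips(fs) -> bool:
    """Check that the constructed inverse undoes the network on every block."""
    return all(feistel_inverse(fs, feistel(fs, b)) == b for b in range(BLOCKS))

# Constructed sample round functions (assumptions for this example).
HASH_ROUNDS = [make_round_fn(k) for k in (b"k1", b"k2", b"k3")]
# Deliberately lossy: a constant, a 4-bit truncation, a squaring map.
LOSSY_ROUNDS = [lambda x: 0x5A, lambda x: x & 0x0F, lambda x: (x * x) & MASK]

if __name__ == "__main__":
    for name, fs in (("hash", HASH_ROUNDS), ("lossy", LOSSY_ROUNDS)):
        print(name, "permutation:", is_permutation(fs), "inverse ok:", round_trips(fs))
```

Invertibility holds for any choice of f_i; security is a separate property, and the lossy rounds here give a permutation that is trivially distinguishable from random.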

Recall from Last Time:

Block Ciphers are (Modeled As) PRPs

Pseudo Random Permutation (PRP) defined over (K,X)

such that:

  1. Exists “efficient” deterministic algorithm to evaluate E(k,x)
  2. The function E(k, ∙) is one-to-one
  3. Exists “efficient” inversion algorithm D(k,y)
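
[Figure: E(k,⋅), k ∈ K maps X to X; D(k,⋅), k ∈ K maps X back to X.]

Luby-Rackoff Theorem (1985)

The round function f is a secure PRF ⇒ 3-round Feistel is a secure PRP

[Figure: 3-round Feistel network. Input: L_0 and R_0, n bits each; each round applies f, giving (L_1, R_1), (L_2, R_2) and the output (L_3, R_3).]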

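The function F(k_i, x)

[Figure: x (32 bits) is expanded by E to x' (48 bits) and XORed with k_i (48 bits). The 48-bit result is split across eight S-boxes S_1, ..., S_8, each taking 6 bits in and giving 4 bits out, for 32 bits in total. The permutation P then produces y (32 bits).]

S-box: function {0,1}^6 ⟶ {0,1}^4, implemented as lookup table.

The S-boxes

e.g., 011011 ⟶ 1001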

Block cipher attacks

Exhaustive Search for block cipher key

Goal: given a few input output pairs (m_i, c_i = E(k, m_i)), i = 1,..,n, find key k.

Attack: Brute force to find the key k.

Homework: What is the probability that the key k found with one <m,c> pair is correct? For two pairs?

Strengthening DES

Method 1: Triple-DES

Let E : K × M ⟶ M be a block cipher

Define 3E : K^3 × M ⟶ M as:

3E((k_1, k_2, k_3), m) = E(k_1, D(k_2, E(k_3, m)))

3DES
  • Key-size: 3×56 = 168 bits
  • 3× slower than DES
  • Simple attack in time: ≈ 2^118

k_1 = k_2 = k_3 => DES

Why not 2DES?

• Define 2E((k_1, k_2), m) = E(k_1, E(k_2, m))

key-len = 112 bits for 2DES

[Figure: m ⟶ E(k_2,⋅) ⟶ E(k_1,⋅) ⟶ c]

Naïve Attack: M = (m_1,…, m_10), C = (c_1,…, c_10)

For each k_2 ∈ {0,1}^56:
  For each k_1 ∈ {0,1}^56:
    if E(k_2, E(k_1, m_i)) = c_i then (k_2, k_1)

2^112 checks

[Figure: m is encrypted to c' and then to c'' under candidate keys k_2, k_1; test c'' = c?]