Princeton COS 433 - Lecture 7: Block Ciphers

This preview shows pages 1-6 out of 17 pages.

Outline:
COS 433: Cryptography
Recall: Pseudo-Random Functions (PRF)
Block Cipher
History
Slide 5
Slide 6
AES Rijndael - Operation
AES Rijndael – Round Function
Security for Block Ciphers
Cryptanalysis – Historical Example
Differential Cryptanalysis
How to Choose A Block Cipher
Modes of Operation for Block-Ciphers
ECB – Electronic Codebook Mode
CBC – Cipher-Block-Chaining Mode
Counter Mode
Recommended Reading

Princeton University • COS 433 • Cryptography • Fall 2007 • Boaz Barak

COS 433: Cryptography
Princeton University, Fall 2007
Boaz Barak
Lecture 7: Block Ciphers

Recall: Pseudo-Random Functions (PRF)
{ f_s } is a PRF if (s,x) ↦ f_s(x) is efficiently computable and no efficient adversary can tell apart black-box access to
- f_s(·) for random s ∈_R {0,1}^n
- a random F: {0,1}^n → {0,1}^n

New notion: Pseudorandom Permutations (PRP)
{ E_k } is a PRP if both (k,x) ↦ E_k(x) and (k,y) ↦ E_k^{-1}(y) are efficiently computable and no efficient adversary can tell apart access to:
- E_k(·) and E_k^{-1}(·) for random k ∈_R {0,1}^n
- a random permutation F: {0,1}^n → {0,1}^n and F^{-1}

A PRP can be based on Axiom 1 (through a PRF), but there are also many practical candidates, called block ciphers.
Another name for PRP: a block cipher.

Block Cipher
{ E_k } is a PRP if both (k,x) ↦ E_k(x) and (k,y) ↦ E_k^{-1}(y) are efficiently computable and no efficient adversary can tell apart access to:
- E_k(·) and E_k^{-1}(·) for random k ∈_R {0,1}^n
- a random permutation F: {0,1}^n → {0,1}^n and F^{-1}
Another name for PRP: a block cipher.
- Despite the name, it is not secure encryption by itself (it is deterministic). However, it yields CPA-secure encryption with essentially any form of random padding (see exercise).
- Several practical candidates.
- Note: not all security properties are equally well studied.
- Often used in practice as an encryption by itself. This is OK if the input has high entropy (e.g., not a "yes or no" msg).

History: Data Encryption Standard (DES)
- 1972: NIST (then NBS) calls for encryption standard proposals. IBM response: "Lucifer".
- NSA tweaked Lucifer to get DES. Backdoors? Conspiracy?
  - Mysterious "S boxes"
  - Short key (56 bits)
- 1970's: Diffie & Hellman suggest a $20M machine to find the key within a day.
- 1990's: Wiener suggests a $1M machine to find the key within 3.5 hours.
- 1997: Over the Internet, ~50K machines find the key in 90 days.
- 1998: $210K machine "Deep Crack" finds the key in 56 hours.
- By the late 90's most commercial applications use 3DES: three applications of DES with independent keys.

History: Skipjack and the Clipper Chip
- 1993: US Govt suggests giving industry a chip (called "Clipper") containing the NSA-developed cipher "Skipjack".
- Clipper has 3 keys:
  - F – family key, shared among all chips, hardwired & secret
  - U – unit key, one per chip, split among 2 federal agencies: choose random U1 and U2 = U ⊕ U1
  - K – session key, chosen by the user
- For each session the chip computes LEAF = E_F(id info, E_U(K)). It refuses to decrypt without the LEAF.
- Was not very popular.
- 1998: Skipjack declassified. Weakness found by Biham, Biryukov, Shamir.

History: Advanced Encryption Standard (AES)
- 1997: Call for a replacement to DES.
- Goals: use for ≥ 30 years, protect info for 100 years; at least as strong as 3DES, significantly more efficient.
- International, open competition.
- Winner: Rijndael (Daemen, Rijmen; Belgium)
- Block length: 128 bits; key length: 128, 192 or 256 bits
- Efficiency: hardware implementations up to ~50 Gbit/second; software: 251 cycles/block (2 cycles/bit) ~ 1 Gbit/sec on a 2 GHz Pentium 4

AES Rijndael - Operation
- Block: 128 bits = 16 bytes (4x4 square)
- Key: 128 bits, expanded using a PRG to 10 keys k1,…,k9, each 128 bits in size (9 = number of rounds, more for larger keys)
- Components:
  - S-box: "random" function S: [256] → [256] implemented by lookup (actual function explicit, to avoid fear of a trapdoor)
  - A: a special 4x4 byte matrix (chosen for fast computation)
- Operation: repeat 9 times (i.e., rounds):
  - XOR k_i with the plaintext
  - Run the S-box on each byte
  - Shift rows
  - Matrix-multiply the plaintext with A (mix columns)
- To decrypt, do everything backwards (replace A with A^{-1})

AES Rijndael – Round Function
[Figure: the 4x4 state of bytes x_{i,j} is XORed with the round-key bytes k_{i,j} ("XOR key"); the S-box is applied to each byte ("Apply S Box"); the rows are shifted ("Shift rows"); then the state is matrix-multiplied with A ("Matrix multiply / Mix columns").]

Security for Block Ciphers
- Formal definition: block cipher = pseudorandom permutation.
- In practice: sometimes need less, sometimes need more.
- Confidence in block ciphers is gained through cryptanalysis.
- Block ciphers are typically not based on a number-theoretic problem such as factoring integers, etc. (although we assume NP ≠ P).
- A block cipher has a known weakness if there is an attack taking less than 2^{key length} resources.
- Typical question: How many known (or chosen) plaintext/ciphertext pairs and computation steps are needed to find the key?
- A block cipher is broken if there is an attack taking a feasible amount of resources.

Cryptanalysis – Historical Example
- FEAL - Shimizu and Miyaguchi, NTT
- Architecture similar to DES, slightly larger key (64 bits)
- First version – 4 rounds, proposed in 1987
  - 1988: 100-10,000 msgs chosen-plaintext attack found. Later improved to only 20 chosen msgs
- Next version – FEAL-8: 8 rounds
  - 10,000 chosen plaintexts attack
- Later attacks:
  - ~30K known plaintext attack for FEAL-8
  - 5 known plaintext attack for FEAL-4
  - Better than brute force attack for FEAL-N for any N < 32.

Differential Cryptanalysis
- In 1991, Biham & Shamir presented a general method to attack DES-like systems.
- It is not extremely successful for DES itself (2^48 operations instead of 2^56).
- Works very well for subtle variants:
  - Random S-boxes: 2^37 known plaintext attack
  - G-DES (Schaumuller-Bichl, 81): 6 known plaintext attack!
- Insight on the (then secret) design criteria of DES.

How to Choose A Block Cipher
- Common heuristic: choose the fastest unbroken cipher.
- Problem: unbroken means not known to be broken. Perhaps it will be broken in the future. Perhaps no one really tried to break it.
- My (non-expert) suggestion: choose a secure cipher that is efficient enough.
- Secure means public and well-studied.
- Does not mean:
  - A cipher with no known attacks (# analysts < # ciphers)
  - Your own homebrewed cipher with the only copy of the specs under your pillow (especially if you ∉ { Biham, Rivest, Shamir, … })
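The two points on the "Recall: PRF" and "Block Cipher" slides, that a PRP can be built from a PRF and that a PRP used as-is is deterministic and therefore not CPA-secure encryption while random padding fixes this, as an added worked example that is not part of the lecture. It builds a PRP with a 4-round Feistel network (the Luby-Rackoff construction) using HMAC-SHA256 as the PRF f_s; the 32-byte block size, the per-round domain separation and the "prepend a random half-block" padding are this example's own choices, not a production cipher.

```python
# Added example (not from the lecture): a PRP from a PRF via a 4-round Feistel
# network (Luby-Rackoff), then deterministic vs. randomized use of that PRP.
import hashlib
import hmac
import secrets

HALF = 16      # assumption: a 32-byte block split into two 16-byte halves
ROUNDS = 4     # 4 Feistel rounds: the Luby-Rackoff count for a strong PRP


def prf(key: bytes, round_no: int, x: bytes) -> bytes:
    """f_s(x): HMAC-SHA256 under `key`, separated per round, cut to a half-block."""
    return hmac.new(key, bytes([round_no]) + x, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(key: bytes, block: bytes, inverse: bool = False) -> bytes:
    """E_k (or E_k^{-1} when inverse=True) on one 2*HALF-byte block.

    Forward round: (L, R) -> (R, L xor f_r(R))
    Inverse round: (L, R) -> (R xor f_r(L), L), applied in reverse round order.
    """
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    if not inverse:
        for r in range(ROUNDS):
            left, right = right, xor(left, prf(key, r, right))
    else:
        for r in reversed(range(ROUNDS)):
            left, right = xor(right, prf(key, r, left)), left
    return left + right


def encrypt_deterministic(key: bytes, msg: bytes) -> bytes:
    """PRP used directly as encryption, with a fixed (all-zero) pad: equal
    messages always produce equal ciphertexts, so it is not CPA-secure."""
    if len(msg) != HALF:
        raise ValueError("msg must be exactly %d bytes" % HALF)
    return feistel(key, bytes(HALF) + msg)


def encrypt_randomized(key: bytes, msg: bytes, rng=secrets.token_bytes) -> bytes:
    """Random padding: encrypt (r || msg) for a fresh random half-block r."""
    if len(msg) != HALF:
        raise ValueError("msg must be exactly %d bytes" % HALF)
    return feistel(key, rng(HALF) + msg)


def decrypt(key: bytes, ct: bytes) -> bytes:
    """Invert the PRP and drop the pad; works for both encryption variants."""
    return feistel(key, ct, inverse=True)[HALF:]


def equal_messages_leak(key: bytes, msg: bytes, randomized: bool) -> bool:
    """True if encrypting the same message twice yields identical ciphertexts,
    i.e. if an observer learns that two messages were equal."""
    enc = encrypt_randomized if randomized else encrypt_deterministic
    return enc(key, msg) == enc(key, msg)


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    m = b"attack at dawn!!"                       # constructed 16-byte message
    assert decrypt(k, encrypt_randomized(k, m)) == m
    print("deterministic leaks equality:", equal_messages_leak(k, m, False))
    print("randomized leaks equality:   ", equal_messages_leak(k, m, True))
```

The inverse direction only needs the PRF in the forward direction, which is exactly why a Feistel network turns a one-way-looking function into an invertible permutation; the randomized scheme spends half of every block on the pad, the price of hiding message equality.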
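The round structure on the "AES Rijndael - Operation" slide (XOR the round key, S-box on each byte, shift rows, multiply columns by A; decryption runs it backwards with A^{-1}) and the S-box property that the "Differential Cryptanalysis" slide relies on, as one added worked example that is not part of the lecture. The code is a from-scratch AES-128 in which the S-box is computed from its definition (inverse in GF(2^8) plus an affine map) instead of being tabled; it follows FIPS-197, so it has 10 rounds with MixColumns omitted in the last one, rather than the slide's count of 9, and it is checked against the FIPS-197 Appendix C.1 test vector. The last function computes the largest entry of the S-box's difference distribution table, the quantity a designer checks to bound differential characteristics. Study code only: the table lookups are not constant-time.

```python
# Added example (not from the lecture): AES-128 built from the slide's four
# steps, plus the S-box difference distribution used in differential analysis.

def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p


# S-box computed from its definition: x -> x^{-1} in GF(2^8), then the affine map.
SBOX, INV_SBOX = [0] * 256, [0] * 256
for _x in range(256):
    _inv = next((y for y in range(256) if gf_mul(_x, y) == 1), 0) if _x else 0
    _s = _inv
    for _i in range(1, 5):                       # s ^= rotl(inv, 1..4)
        _s ^= ((_inv << _i) | (_inv >> (8 - _i))) & 0xFF
    _s ^= 0x63
    SBOX[_x], INV_SBOX[_s] = _s, _x

# The slide's matrix A (MixColumns) and A^{-1}, entries in GF(2^8).
A = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
A_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def shift_rows(s, inverse=False):
    """State is 16 bytes column-major: byte (row r, column c) is s[r + 4*c].
    Row r rotates left by r positions (right by r when inverting)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out


def mix_columns(s, matrix):
    """Multiply every column of the state by `matrix` over GF(2^8)."""
    out = list(s)
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = 0
            for j in range(4):
                out[4 * c + r] ^= gf_mul(matrix[r][j], col[j])
    return out


def expand_key(key: bytes):
    """AES-128 key schedule (the slide's 'PRG'): 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]          # XOR key k_0
    for rnd in range(1, 11):
        s = shift_rows([SBOX[b] for b in s])           # S-box, then shift rows
        if rnd != 10:                                  # last round: no MixColumns
            s = mix_columns(s, A)                      # multiply columns by A
        s = [b ^ k for b, k in zip(s, rk[rnd])]        # XOR key k_rnd
    return bytes(s)


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Everything backwards, with A replaced by A^{-1}."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in shift_rows(s, inverse=True)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
        if rnd != 0:
            s = mix_columns(s, A_INV)
    return bytes(s)


def sbox_max_differential() -> int:
    """Largest difference-distribution-table entry over nonzero input differences:
    the most often any input XOR difference maps to a single output difference."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[SBOX[x] ^ SBOX[x ^ din]] += 1
        best = max(best, max(counts))
    return best
```

With `sbox_max_differential()` returning 4, any single input difference through the AES S-box predicts a particular output difference with probability at most 4/256; compare that with the slide's "random S-boxes" variant of DES, where no such bound was engineered and the attack became far cheaper.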