Symmetric Encryption et al.

  1. Symmetric Encryption et al.
     Pascal Lafourcade, Université Joseph Fourier, Verimag
     7th October 2009
  2. Last Time
     ◮ Presentation
     ◮ Motivation
     ◮ History of Cryptography
     ◮ Classical Asymmetric Encryption
  3. Outline
     ◮ Classical Symmetric Encryptions: DES, 3-DES, AES, IDEA
     ◮ Modes: ECB, CBC, CFB, OFB
     ◮ Asymmetric vs Symmetric
     ◮ Diffie-Hellman
     ◮ Hash Functions
     ◮ Applications
     ◮ Conclusion
  4. Outline (section: Classical Symmetric Encryptions)
  5. DES: Data Encryption Standard (call in 1973)
     Lucifer designed in 1971 by Horst Feistel at IBM.
     ◮ Block cipher, encrypting 64-bit blocks. Uses 56-bit keys, expressed as 64-bit numbers (8 bits parity checking).
     ◮ First cryptographic standard.
     ◮ 1977 US federal standard (US Bureau of Standards)
     ◮ 1981 ANSI private sector standard
  6. DES: overall form
     ◮ 16 rounds Feistel cipher + key-scheduler.
     ◮ Key scheduling algorithm derives subkeys $K_i$ from original key $K$.
     ◮ Initial permutation at start, and inverse permutation at end.
     ◮ $f$ consists of two permutations and an s-box substitution.
     $L_{i+1} = R_i$ and $R_{i+1} = L_i \oplus f(R_i, K_i)$
     [Figure labels: 64; Init Perm; $L_0$, $R_0$; $K_1$, $f$; ...; $L_{15}$, $R_{15}$; $K_{16}$, $f$; $L_{16}$, $R_{16}$; Init Perm$^{-1}$; 64]
  7. DES: 1 round
     [Figure labels: $L_{i-1}$, $R_{i-1}$, $K_{i-1}$; Expansion Permutation; Left Shift (twice); Compression Permutation; S-Box Substitution; P-Box Permutation; widths 32, 48, 28; $L_i$, $R_i$, $K_i$]
     $(b_1 b_6, b_2 b_3 b_4 b_5)$: $C_j$ represents the binary value in the row $b_1 b_6$ and column $b_2 b_3 b_4 b_5$ of the $S_j$ box.
  8. DES S-Boxes: S1, S2, S3, S4
     S1
       14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
        0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
        4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
       15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
     S2
       15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
        3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
        0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
       13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9
     S3
       10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
       13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
       13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
        1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
     S4
        7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
       13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
       10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
        3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14
  9. DES S-Boxes: S5, S6, S7 and S8
     S5
        2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
       14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
        4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
       11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3
     S6
       12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
       10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
        9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
        4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13
     S7
        4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
       13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
        1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
        6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12
     S8
       13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
        1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
        7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
        2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11
  10. Decryption DES
      Use inverse sequence key.
      ◮ $IP(C) = IP(IP^{-1}(R_{16} \| L_{16}))$
      ◮ $L'_0 = R_{16}$ and $R'_0 = L_{16}$
        $L'_1 = R'_0 = L_{16} = R_{15}$
        $R'_1 = L'_0 \oplus f(R'_0, K'_0)$
        $R'_1 = R_{16} \oplus f(L_{16}, K_{15})$
        $R'_1 = R_{16} \oplus f(R_{15}, K_{15})$
        $R'_1 = L_{15}$
      Recall $L_{i+1} = R_i$ and $R_{i+1} = L_i \oplus f(R_i, K_i)$
  11. Property of DES
      DES exhibits the complementation property, namely that
      $E_K(P) = C \Leftrightarrow E_{\overline{K}}(\overline{P}) = \overline{C}$
      where $\overline{x}$ is the bitwise complement of $x$. $E_K$ denotes encryption with key $K$, and $P$ and $C$ denote plaintext and ciphertext blocks respectively.
  12. Anomalies of DES
      ◮ Existence of 6 pairs of semi-weak keys: $E_{k_1}(E_{k_2}(x)) = x$.
        ◮ 0x011F011F010E010E and 0x1F011F010E010E01
        ◮ 0x01E001E001F101F1 and 0xE001E001F101F101
        ◮ 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
        ◮ 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
        ◮ 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
        ◮ 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
  13. Security of DES
      ◮ No security proofs or reductions known
      ◮ Main attack: exhaustive search
        ◮ 7 hours with a 1 million dollar computer (in 1993).
        ◮ 7 days with a 10,000 dollar FPGA-based machine (in 2006).
      ◮ Mathematical attacks
        ◮ Not known yet.
        ◮ But it is possible to reduce the key space from $2^{56}$ to $2^{43}$ using (linear) cryptanalysis.
        ◮ To break the full 16 rounds, differential cryptanalysis requires $2^{47}$ chosen plaintexts (Eli Biham and Adi Shamir).
        ◮ Linear cryptanalysis needs $2^{43}$ known plaintexts (Matsui, 1993)
  14. Triple DES
      ◮ Use three stages of encryption instead of two.
      ◮ Compatibility is maintained with standard DES ($K_2 = K_1$).
      ◮ No known practical attack ⇒ brute-force search with $2^{112}$ operations.
  15. Advanced Encryption Standard
      ◮ Block cipher, approved for use by US Government in 2002. Very popular standard, designed by two Belgian cryptographers.
      ◮ Block size = 128 bits, key size = 128, 192, or 256 bits.
      ◮ Uses various substitutions and transpositions + key scheduling, in different rounds.
      ◮ Algorithm believed secure. Only attacks are based on side channel analysis, i.e., attacking implementations that inadvertently leak information about the key.

      Key Size   Round Number
      128        10
      192        12
      256        14
  16. AES: High-level cipher algorithm
      ◮ KeyExpansion using Rijndael's key schedule
      ◮ Initial Round: AddRoundKey
      ◮ Rounds:
        1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
        2. ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
        3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
        4. AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
      ◮ Final Round (no MixColumns)
        1. SubBytes
        2. ShiftRows
        3. AddRoundKey
  17. AES: SubBytes [figure]
      SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
  18. AES: ShiftRows [figure]
      ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
  19. AES: MixColumns [figure]
      MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
  20. AES: AddRoundKey [figure]
      AddRoundKey: each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule.
  21. AES: Attacks
      No efficient cryptanalysis of the complete version yet, but Niels Ferguson proposed in 2000 an attack on a version with 7 rounds and a 128-bit key.
      But:
      ◮ Marine Minier, Raphael C.-W. Phan, Benjamin Pousse: Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks. AFRICACRYPT 2009: 60-76
      ◮ Samuel Galice, Marine Minier: Improving Integral Attacks Against Rijndael-256 Up to 9 Rounds. AFRICACRYPT 2008: 1-15
      Side channel attacks on optimized versions (2005):
      ◮ Timing.
      ◮ Cache misses.
      ◮ Power consumption.
      ◮ ...
      There exist algebraic attacks ...
  22. IDEA: International Data Encryption Algorithm (1991)
      Designed by Xuejia Lai and James Massey of ETH Zurich. IDEA uses a message of 64-bit blocks and a 128-bit key.
      Key schedule
      ◮ $K_1$ to $K_6$ for the first round are taken directly as the first 6 consecutive blocks of 16 bits.
      ◮ This means that only 96 of the 128 bits are used in each round.
      ◮ The 128-bit key undergoes a 25-bit rotation to the left, i.e. the LSB becomes the 25th LSB.
  23. IDEA: Notation
      ◮ Bitwise eXclusive OR (denoted with a blue ⊕).
      ◮ Addition modulo $2^{16}$ (denoted with a green ⊞).
      ◮ Multiplication modulo $2^{16}+1$, where the all-zero word (0x0000) is interpreted as $2^{16}$ (denoted by a red ⊙).
  24. IDEA [figure]
  25. IDEA
      After the eight rounds comes a final "half round".
  26. IDEA
      After the eight rounds comes a final "half round".
      The best attack which applies to all keys can break IDEA reduced to 6 rounds (the full IDEA cipher uses 8.5 rounds).
      Biham, E. and Dunkelman, O. and Keller, N. "A New Attack on 6-Round IDEA".
  27. Other Symmetric Encryption Schemes
      Blowfish, Serpent, Twofish, 3-Way, ABC, Akelarre, Anubis, ARIA, BaseKing, BassOmatic, BATON, BEAR and LION, C2, Camellia, CAST-128, CAST-256, CIKS-1, CIPHERUNICORN-A, CIPHERUNICORN-E, CLEFIA, CMEA, Cobra, COCONUT98, Crab, CRYPTON, CS-Cipher, DEAL, DES-X, DFC, E2, FEAL, FEA-M, FROG, G-DES, GOST, Grand Cru, Hasty Pudding Cipher, Hierocrypt, ICE, IDEA, IDEA NXT, Intel Cascade Cipher, Iraqi, KASUMI, KeeLoq, KHAZAD, Khufu and Khafre, KN-Cipher, Ladder-DES, Libelle, LOKI97, LOKI89/91, Lucifer, M6, M8, MacGuffin, Madryga, MAGENTA, MARS, Mercy, MESH, MISTY1, MMB, MULTI2, MultiSwap, New Data Seal, NewDES, Nimbus, NOEKEON, NUSH, Q, RC2, RC5, RC6, REDOC, Red Pike, S-1, SAFER, SAVILLE, SC2000, SEED, SHACAL, SHARK, Skipjack, SMS4, Spectr-H64, Square, SXAL/MBAL, TEA, Treyfer, UES, Xenon, xmx, XTEA, XXTEA, Zodiac.
  28. Outline (section: Modes)
  29. Electronic Codebook (ECB)
      Each block of the same length is encrypted separately using the same key $K$.
      In this mode, if a bit is flipped, only the block that contains the flipped bit is changed. Other blocks are not affected.
  30. ECB Encryption Algorithm
        algorithm E_K(M)
          if (|M| mod n ≠ 0 or |M| = 0) then return FAIL
          Break M into n-bit blocks M[1] ... M[m]
          for i = 1 to m do C[i] = E_K(M[i])
          C = C[1] ... C[m]
          return C
  31. ECB [figure]
  32. ECB Decryption Algorithm
        algorithm D_K(C)
          if (|C| mod n ≠ 0 or |C| = 0) then return FAIL
          Break C into n-bit blocks C[1] ... C[m]
          for i = 1 to m do M[i] = D_K(C[i])
          M = M[1] ... M[m]
          return M
  33. ECB [figure]
  34. Cipher-block chaining (CBC)
      If the first block has index 1, the mathematical formula for CBC encryption is
      $C_i = E_K(P_i \oplus C_{i-1}), \quad C_0 = IV$
      while the mathematical formula for CBC decryption is
      $P_i = D_K(C_i) \oplus C_{i-1}, \quad C_0 = IV$
      CBC has been the most commonly used mode of operation.
  35. CBC [figure]
  36. CBC [figure]
  37. The cipher feedback (CFB)
      A close relative of CBC:
      $C_i = E_K(C_{i-1}) \oplus P_i$
      $P_i = E_K(C_{i-1}) \oplus C_i$
      $C_0 = IV$
  38. CFB [figure]
  39. CFB [figure]
  40. Output feedback (OFB)
      Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:
      $C_i = P_i \oplus O_i$
      $P_i = C_i \oplus O_i$
      $O_i = E_K(O_{i-1})$
      $O_0 = IV$
  41. OFB [figure]
  42. OFB [figure]
  43. ECB vs Others [figure]
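
The four mode formulas above and the DES decryption rule ("use inverse sequence key"), as an added example that is not part of the original slides. The key schedule and round function are SHA-256 stand-ins chosen for brevity (assumptions, not DES), and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK, HALF, ROUNDS = 8, 4, 16   # 64-bit blocks and 16 rounds, as for DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key):
    # Assumed toy key schedule K_0..K_15 (not the DES schedule).
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(right, k):
    # Assumed toy round function standing in for expansion, S-boxes and P-box.
    return hashlib.sha256(k + right).digest()[:HALF]

def feistel(block, ks):
    left, right = block[:HALF], block[HALF:]
    for k in ks:                     # L_{i+1} = R_i, R_{i+1} = L_i xor f(R_i, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left              # output R_16 || L_16

def E(key, block):
    return feistel(block, subkeys(key))

def D(key, block):
    return feistel(block, subkeys(key)[::-1])   # same network, inverse key sequence

def split(data):
    # Same guard as the ECB pseudocode: FAIL on empty or non-aligned input.
    if len(data) == 0 or len(data) % BLOCK != 0:
        raise ValueError("length must be a non-zero multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, iv, m):         # iv unused; kept so all modes share a signature
    return b"".join(E(key, p) for p in split(m))

def ecb_decrypt(key, iv, c):
    return b"".join(D(key, ci) for ci in split(c))

def cbc_encrypt(key, iv, m):
    out, prev = [], iv
    for p in split(m):
        prev = E(key, xor(p, prev))          # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, c):
    out, prev = [], iv
    for ci in split(c):
        out.append(xor(D(key, ci), prev))    # P_i = D_K(C_i) xor C_{i-1}
        prev = ci
    return b"".join(out)

def cfb_encrypt(key, iv, m):
    out, prev = [], iv
    for p in split(m):
        prev = xor(E(key, prev), p)          # C_i = E_K(C_{i-1}) xor P_i
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, c):
    out, prev = [], iv
    for ci in split(c):
        out.append(xor(E(key, prev), ci))    # P_i = E_K(C_{i-1}) xor C_i
        prev = ci
    return b"".join(out)

def ofb(key, iv, data):                      # encryption and decryption are the same
    out, o = [], iv
    for b in split(data):
        o = E(key, o)                        # O_i = E_K(O_{i-1}), O_0 = IV
        out.append(xor(b, o))
    return b"".join(out)

MODES = {"ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
         "CFB": (cfb_encrypt, cfb_decrypt), "OFB": (ofb, ofb)}

# Constructed sample data; the fixed IV only makes the run reproducible.
KEY, IV = b"constructed-key", bytes(range(BLOCK))
MSG = b"ATTACK!!" + b"ATTACK!!" + b"RETREAT!" + b"ATTACK!!"

def distinct_cipher_blocks(mode):
    """Number of different ciphertext blocks; ECB repeats whenever the plaintext does."""
    return len(set(split(MODES[mode][0](KEY, IV, MSG))))

def damaged_blocks(mode, block_index=1):
    """Flip one ciphertext bit, decrypt, and list the plaintext blocks that changed."""
    enc, dec = MODES[mode]
    c = bytearray(enc(KEY, IV, MSG))
    c[block_index * BLOCK] ^= 0x01
    got = split(dec(KEY, IV, bytes(c)))
    return [i for i, (a, b) in enumerate(zip(split(MSG), got)) if a != b]

if __name__ == "__main__":
    for name in MODES:
        print(name, distinct_cipher_blocks(name), damaged_blocks(name))
```

ECB yields only two distinct ciphertext blocks for the four-block message, which is the leak the "ECB vs Others" slide illustrates; a flipped ciphertext bit damages one plaintext block under ECB and OFB and two under CBC and CFB.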
  44. Outline (section: Asymmetric vs Symmetric)
  45. Comparison
      ◮ Size of the key
      ◮ Complexity of computation (time, hardware, cost ...)
      ◮ Number of different keys?
      ◮ Key distribution
      ◮ Signature only possible with asymmetric scheme
  46. Computational cost of encryption
      2 hours of video (assumes 3 GHz CPU)

      Scheme         DVD (4.7 GB)          Blu-Ray (25 GB)
                     encrypt   decrypt     encrypt   decrypt
      RSA 2048 (1)   22 min    24 h        115 min   130 h
      RSA 1024 (1)   21 min    10 h        111 min   53 h
      AES CTR (2)    20 sec    20 sec      105 sec   105 sec
  47. Outline (section: Diffie-Hellman)
  48. The Diffie-Hellman protocol
      $g$, $p$ are public parameters.
      [Figure: message $g^x \bmod p$]
  49. The Diffie-Hellman protocol
      $g$, $p$ are public parameters.
      [Figure: messages $g^x \bmod p$ and $g^y \bmod p$]
      Diffie chooses $x$ and computes $g^x \bmod p$. Hellman chooses $y$ and computes $g^y \bmod p$.
      Basic Diffie-Hellman key-exchange: initiator I and responder R exchange public "half-keys" to arrive at mutual session key $k = g^{xy} \bmod p$.
  50. Hard Problems
      Most cryptographic constructions are based on hard problems. Their security is proved by reduction to these problems:
      ◮ RSA. Given $N = pq$ and $e \in \mathbb{Z}^*_{\varphi(N)}$, compute the inverse of $e$ modulo $\varphi(N) = (p-1)(q-1)$. Factorization
      ◮ Discrete Logarithm problem, DL. Given a group $\langle g \rangle$ and $g^x$, compute $x$.
      ◮ Computational Diffie-Hellman, CDH. Given a group $\langle g \rangle$, $g^x$ and $g^y$, compute $g^{xy}$.
      ◮ Decisional Diffie-Hellman, DDH. Given a group $\langle g \rangle$, distinguish between the distributions $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^r)$.
  51. The Discrete Logarithm (DL)
      Let $G = (\langle g \rangle, *)$ be any finite cyclic group of prime order.
      Idea: it is hard for any adversary to produce $x$ if he only knows $g^x$.
      For any adversary $A$,
      $\mathrm{Adv}^{DL}(A) = \Pr\left[ A(g^x) \to x \mid x, y \xleftarrow{R} [1, q] \right]$
      is negligible.
  52. Computational Diffie-Hellman (CDH)
      Idea: it is hard for any adversary to produce $g^{xy}$ if he only knows $g^x$ and $g^y$.
      For any adversary $A$,
      $\mathrm{Adv}^{CDH}(A) = \Pr\left[ A(g^x, g^y) \to g^{xy} \mid x, y \xleftarrow{R} [1, q] \right]$
      is negligible.
  53. Decisional Diffie-Hellman (DDH)
      Idea: Knowing $g^x$ and $g^y$, it should be hard for any adversary to distinguish between $g^{xy}$ and $g^r$ for some random value $r$.
      For any adversary $A$, the advantage of $A$
      $\mathrm{Adv}^{DDH}(A) = \Pr\left[ A(g^x, g^y, g^{xy}) \to 1 \mid x, y \xleftarrow{R} [1, q] \right] - \Pr\left[ A(g^x, g^y, g^r) \to 1 \mid x, y, r \xleftarrow{R} [1, q] \right]$
      is negligible.
      This means that an adversary cannot extract a single bit of information on $g^{xy}$ from $g^x$ and $g^y$.
  54. Relation between the problems
      Prop: Solve DL ⇒ Solve CDH ⇒ Solve DDH. (Exercise)
      Prop (Maurer & Wolf): For many groups, DL ⇔ CDH
      Prop (Joux & Wolf): There are groups for which DDH is easier than CDH.
  55. Proofs by Reduction
      Solve DL ⇒ Solve CDH
      Attack on DL implies attack on CDH. Given $g$, $g^x$, $g^y$, using DL we get $x$ and $y$, so we can compute $g^{xy}$.
      Solve CDH ⇒ Solve DDH
      Attack on CDH implies attack on DDH. Given $g$, $g^x$, $g^y$, $g^r$, using CDH we compute $g^{xy}$ and we can compare it with $g^r$.
  56. Usage of DH assumption
      The Diffie-Hellman problems are widely used in cryptography:
      ◮ Public key crypto-systems [ElGamal, Cramer & Shoup]
      ◮ Pseudo-random functions [Naor & Reingold, Canetti]
      ◮ Pseudo-random generators [Blum & Micali]
      ◮ (Group) key exchange protocols [many]
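
The key exchange and the two reductions from the "Proofs by Reduction" slide, as an added example that is not part of the original slides. The group parameters are constructed toy values (p = 2579, q = 1289, g = 4), far too small for real use, and the exhaustive-search `solve_dl` is a hypothetical stand-in for "an attack on DL" that works only because q is tiny.

```python
import secrets

# Constructed toy group: P = 2Q + 1 with P and Q prime; G = 4 generates the
# subgroup of prime order Q. Far too small for real use.
P, Q, G = 2579, 1289, 4

def keypair():
    x = secrets.randbelow(Q) + 1            # x drawn at random from [1, q]
    return x, pow(G, x, P)                  # private x, public half-key g^x mod p

def session_key(private, peer_half_key):
    return pow(peer_half_key, private, P)   # (g^y)^x = g^xy mod p

def solve_dl(h):
    """Stand-in DL attack: exhaustive search over the exponents 1..Q."""
    acc = 1
    for x in range(1, Q + 1):
        acc = acc * G % P
        if acc == h:
            return x
    raise ValueError("h is not in the subgroup generated by G")

def solve_cdh(gx, gy, dl=solve_dl):
    """Solve DL implies solve CDH: recover x from g^x, then compute (g^y)^x."""
    return pow(gy, dl(gx), P)

def decide_ddh(gx, gy, gz, cdh=solve_cdh):
    """Solve CDH implies solve DDH: compute g^xy and compare it with the candidate."""
    return cdh(gx, gy) == gz

def ddh_advantage(trials=200):
    """Empirical Pr[A(g^x, g^y, g^xy) -> 1] - Pr[A(g^x, g^y, g^r) -> 1] for A = decide_ddh."""
    real = rand = 0
    for _ in range(trials):
        x, gx = keypair()
        y, gy = keypair()
        r, gr = keypair()
        real += decide_ddh(gx, gy, session_key(x, gy))
        rand += decide_ddh(gx, gy, gr)
    return (real - rand) / trials

if __name__ == "__main__":
    x, gx = keypair()                       # Diffie
    y, gy = keypair()                       # Hellman
    print("keys agree:", session_key(x, gy) == session_key(y, gx))
    print("DDH advantage with a DL solver:", ddh_advantage())
```

With a working DL solver the distinguisher's advantage is close to 1, which is exactly what the DDH assumption rules out for groups of cryptographic size.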
  57. Outline (section: Hash Functions)
  58. "Classifications" of Hash Functions
      Unkeyed hash function
      ◮ Modification Detection Code (MDC)
      ◮ Data integrity
      ◮ Fingerprints of messages
      ◮ Other applications
      Keyed hash function
      ◮ Message Authentication Code (MAC)
      ◮ Password verification in unencrypted password-image files.
      ◮ Key confirmation or establishment
      ◮ Time-stamping
      ◮ Other applications
  59. Hash Functions
      A hash function H takes as input a bit-string of any finite length and returns a corresponding 'digest' of fixed length.
      $h : \{0, 1\}^* \to \{0, 1\}^n$
      H(Alice) =
      Definition (Pre-image resistance (One-way), OWHF)
      Given an output $y$, it is computationally infeasible to compute $x$ such that $h(x) = y$.
  60. Properties of hash functions
      2nd Pre-image resistance (weak-collision resistant) CRHF
      Given an input $x$, it is computationally infeasible to compute $x'$ such that $h(x') = h(x)$.
      Collision resistance (strong-collision resistant)
      It is computationally infeasible to compute $x$ and $x'$ such that $h(x) = h(x')$.
  61. Exercises on properties
      Collision resistance ⇒ 2nd pre-image resistance.
      If $h$ is not 2nd pre-image resistant, then given $x$ it is possible to compute $x'$ such that $h(x') = h(x)$, which contradicts the definition of collision resistance.
      But collision resistance does not imply pre-image resistance.
      Example: let $g$ be collision resistant; we build $h$ such that
      $h(x) = 1 \| x$ if $x$ has bit length $n$, and $h(x) = 0 \| g(x)$ otherwise.
      $h$ is collision resistant but not pre-image resistant.
  62. Basic construction of hash functions [figure]
  63. Basic construction of hash functions [figure]
  64. Basic construction of hash functions (Merkle-Damgård)
      $f : \{0, 1\}^m \to \{0, 1\}^n$
      1. Break the message $x$ to hash into blocks of size $m - n$: $x = x_1 x_2 \ldots x_t$
      2. Pad $x_t$ with zeros as necessary.
      3. Define $x_{t+1}$ as the binary representation of the bit length of $x$.
      4. Iterate over the blocks:
         $H_0 = 0^n$
         $H_i = f(H_{i-1} \| x_i)$
         $h(x) = H_{t+1}$
  65. Basic construction of hash functions
      Theorem: If the compression function $f$ is collision resistant, then the obtained hash function $h$ is collision resistant.
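
The four Merkle-Damgård steps and the theorem above, as an added example that is not part of the original slides. It works on bytes rather than bits, uses truncated SHA-256 as a stand-in compression function f (an assumption), and takes a deliberately weak 8-bit f to make a collision findable so that the theorem's reduction can be run.

```python
import hashlib
from itertools import count

def make_f(n, blk):
    """Stand-in compression function f: {0,1}^m -> {0,1}^n, sizes in bytes, m = n + blk."""
    def f(data):
        assert len(data) == n + blk
        return hashlib.sha256(data).digest()[:n]
    return f

def chain_inputs(x, n, blk, length_block=True):
    """Return every input H_{i-1} || x_i given to f, and the final chaining value."""
    f = make_f(n, blk)
    blocks = [x[i:i + blk] for i in range(0, len(x), blk)]    # step 1
    if blocks:
        blocks[-1] = blocks[-1].ljust(blk, b"\x00")           # step 2: zero padding
    if length_block:
        blocks.append((8 * len(x)).to_bytes(blk, "big"))      # step 3: bit length of x
    h, inputs = bytes(n), []                                  # H_0 = 0^n
    for b in blocks:                                          # step 4
        inputs.append(h + b)
        h = f(h + b)
    return inputs, h

def md_hash(x, n=16, blk=32, length_block=True):
    return chain_inputs(x, n, blk, length_block)[1]

def find_h_collision(n=1, blk=8):
    """With an 8-bit digest a collision appears within 257 messages (pigeonhole)."""
    seen = {}
    for i in count():
        x = i.to_bytes(4, "big")
        d = md_hash(x, n, blk)
        if d in seen:
            return seen[d], x
        seen[d] = x

def f_collision_from_h_collision(x, y, n=1, blk=8):
    """The theorem's reduction: any collision in h exposes a collision in f."""
    ix, hx = chain_inputs(x, n, blk)
    iy, hy = chain_inputs(y, n, blk)
    assert x != y and hx == hy
    # Walk both chains backwards. All later inputs were equal, so the outputs of
    # this pair are equal too; the first differing pair is therefore a collision in f.
    for a, b in zip(reversed(ix), reversed(iy)):
        if a != b:
            return a, b
    raise AssertionError("unreachable: equal chains would mean x == y")

if __name__ == "__main__":
    # Without step 3, zero padding makes b"abc" and b"abc\x00" collide.
    print(md_hash(b"abc", length_block=False) == md_hash(b"abc\x00", length_block=False))
    print(md_hash(b"abc") == md_hash(b"abc\x00"))
    x, y = find_h_collision()
    a, b = f_collision_from_h_collision(x, y)
    print(x.hex(), y.hex(), "->", a.hex(), b.hex())
```

Dropping the length block (step 3) gives an immediate collision between a message and the same message with a trailing zero byte, which is why the theorem needs the full construction.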
  66. Hash functions based on (MDC) block ciphers [figure]
  67. MAC based on block ciphers [figure]
  68. List of Hash Functions

      Algorithm     Output size      Internal state size  Block size  Length size  Word size  Collision
      HAVAL         256/.../128      256                  1024        64           32         Yes
      MD2           128              384                  128         No           8          Almost
      MD4           128              128                  512         64           32         Yes
      MD5           128              128                  512         64           32         Yes
      PANAMA        256              8736                 256         No           32         Yes
      RadioGatún    Arbitrarily long 58 words             3 words     No           1-64       No
      RIPEMD        128              128                  512         64           32         Yes
      RIPEMD        128/256          128/256              512         64           32         No
      RIPEMD        160/320          160/320              512         64           32         No
      SHA-0         160              160                  512         64           32         Yes
      SHA-1         160              160                  512         64           32         With flaws
      SHA-256/224   256/224          256                  512         64           32         No
      SHA-512/384   512/384          512                  1024        128          64         No
      Tiger(2)      192/160/128      192                  512         64           64         No
      WHIRLPOOL     512              512                  512         256          8          No
  69. Outline (section: Applications)
  70. Utility of Cryptography in Real life
      ◮ Hash function, e.g. Software Installation
      ◮ Asymmetric Encryption for establishing a Session Key
      ◮ Symmetric Encryption for GSM communication
      ◮ Signature for Authentication, e.g. CB (credit card)
  71. Hash function, e.g. Software Installation
      Integrity of the downloaded file.
      1. Download the software from server 1.
      2. Download the hash of the software from server 2.
      3. Check the integrity of the software.
  72. Asymmetric Encryption for establishing a Session Key
      1. Server has a public and a private key.
      2. Computer asks for a secure connection.
      3. Server sends it its public key.
      4. Client chooses a symmetric key, which is sent encrypted with the public key of the server.
  73. Symmetric Encryption for GSM communication
      SIM card contains a shared secret key used for authenticating phones and operators, then creating a session key for communication.
      1. Message is encrypted and sent by Alice.
      2. The antenna receives the message, then decrypts it.
      3. Message is encrypted by the antenna with the second key.
      4. Second mobile decrypts the communication.
  74. Signature for Authentication of Credit Card
      [Figure labels: I; S(H(I), sk); I, S]
      Off-line authentication of the card.
      1. Credit card has information I and S, a signature of H(I).
      2. Machine reads I and S.
      3. Machine checks if h(I) = Unsign(S).
      Example: SHA1 ...
  75. Outline (section: Conclusion)
  76. Summary
      Today
      ◮ Classical Symmetric Encryption
      ◮ Encryption Modes
      ◮ Comparison between Symmetric and Asymmetric encryption
      ◮ Diffie-Hellman
      ◮ Hash functions
      ◮ Applications
  77. Next Time
      ◮ Security notions
  78. Thank you for your attention
      Questions?
