![Page 1: Cryptography Primer - IIT Madras CSE Dept. · 2019-03-24 · Cryptography (its use) • A crucial component in all security systems • Fundamental component to achieve • Confidentiality](https://reader030.vdocument.in/reader030/viewer/2022040822/5e6c59828432040cd9072ee1/html5/thumbnails/1.jpg)
Cryptography Primer
Chester Rebeiro, IIT Madras
Cryptography (its use)
• A crucial component in all security systems
• Fundamental component to achieve
  • Confidentiality: allows only authorized users access to data
  • Data integrity: cryptography can be used to ensure that only authorized users can make modifications (for instance to a bank account number)
  • Authentication: cryptography helps prove identities
  • Non-repudiation: the sender of a message cannot claim that she did not send it ("I did not send that")
Scheme for Confidentiality
Problem: Alice wants to send a message to Bob (and only to Bob) through an untrusted communication link.
[Figure: Alice sends the message "Attack at Dawn!!" to Bob over the untrusted communication link, on which Mallory is listening]
Encryption
[Figure: Alice encrypts "Attack at Dawn!!" with E under key KE; the ciphertext (#%AR3Xf34^$) crosses the untrusted communication link; Bob decrypts it with D under key KD]
Secrets
• Only Alice knows the encryption key KE
• Only Bob knows the decryption key KD
Mallory only sees the ciphertext. She cannot get the plaintext message because she does not know the keys.
Encryption Algorithms
[Figure: the same encryption/decryption setup as above]
• Should be easy to compute for Alice/Bob (who know the key)
• Should be difficult to compute for Mallory (who does not know the key)
• What is 'difficult'?
  • Ideal case: prove that the probability of Mallory determining the encryption/decryption key is no better than a random guess
  • Computationally: show that it is difficult for Mallory to determine the keys even if she has massive computational power
Ciphers
• Symmetric algorithms
  • Encryption and decryption use the same key, i.e. KE = KD
  • Examples:
    • Block ciphers: DES, AES, PRESENT, etc.
    • Stream ciphers: A5, Grain, etc.
• Asymmetric algorithms
  • Encryption and decryption keys are different: KE ≠ KD
  • Examples:
    • RSA
    • ECC
Encryption Keys
• How are keys managed?
• How do Alice and Bob select the keys?
• Need algorithms for key exchange
[Figure: the same encryption/decryption setup as above]
Algorithmic Attacks
• Can Mallory use tricks to break the algorithm,
• thereby reducing the 'difficulty' of getting the key?
Cipher Design Challenges
• We want crypto algorithms to be fast and small.
• For security, the algorithms are computationally intensive: they typically use large numbers and complex operations.
• Need to protect against side channel attacks.
• Trade-offs between security, speed and side-channel attacks.
Block Ciphers
Chester Rebeiro, IIT Madras
STINSON: chapter 3
Block Cipher
[Figure: Alice encrypts "Attack at Dawn!!" with E under KE, the ciphertext #%AR3Xf34^$ crosses the untrusted communication link, and Bob decrypts it with D under KD]
Encryption key is the same as the decryption key (KE = KD).
Block Cipher: Encryption
[Figure: block cipher (encryption) takes a plaintext of block length and a secret key of key length and produces a ciphertext]
• A block cipher encryption algorithm encrypts n bits of plaintext at a time
• May need to pad the plaintext if necessary
• y = e_k(x)
Block Cipher: Decryption
• A block cipher decryption algorithm recovers the plaintext from the ciphertext.
• x = d_k(y)
[Figure: block cipher (decryption) takes a ciphertext of block length and a secret key of key length and produces the plaintext]
Inside the Block Cipher (an iterative cipher)
[Figure: plaintext block → key whitening → round 1 (key1) → round 2 (key2) → round 3 (key3) → … → round n (keyn) → ciphertext block]
• Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate output
• Size of the key is huge … much larger than the block size.
Inside the Block Cipher (the key schedule)
[Figure: key expansion derives round key 1, round key 2, round key 3, …, round key n from the secret key; the rounds (key whitening, round 1 … round n) are as in the previous figure]
• A single secret key of fixed size is used to generate 'round keys' for each round
Inside the Round Function
• AddRoundKey: mixing operation between the round input and the round key; typically an ex-or operation
• Confusion layer: makes the relationship between round input and output complex.
• Diffusion layer: dissipates the round input. Avalanche effect: a single bit change in the round input should cause huge changes in the output.
  Makes it difficult for the attacker to pick out some bits over the others (think Hill cipher)
[Figure: round input → AddRoundKey → confusion layer → diffusion layer → round output]
The Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES)
• NIST's standard for block ciphers since October 2000.
• SPN network with each round having
  • Randomness layer: round key addition
  • Confusion layer: byte substitution
  • Diffusion layer: ShiftRows and MixColumns (the last round does not have the MixColumns step)

          Key length    No. of rounds
AES-128   16 bytes      10
AES-192   24 bytes      12
AES-256   32 bytes      14
The AES State Representation
• 16 bytes arranged in a 4x4 matrix of bytes
[Figure: the 16-byte plaintext a b c d e f g h i j k l m n o p fills the state column by column (rows a e i m / b f j n / c g k o / d h l p); after AES the 16-byte ciphertext A B C D … P is read out of the state the same way]
AES-128 Encryption
[Figure: the plaintext block is XORed with the secret key; the loop (10 times) then applies ByteSubstitution, ShiftRows, MixColumns (except for the last round) and AddRoundKey with the round keys RK1, RK2, RK3, …, RK10 produced by key expansion, giving the ciphertext block. ByteSubstitution is the confusion step; ShiftRows and MixColumns are the diffusion steps]
4 operations
• ByteSubstitution
• ShiftRows
• MixColumns
• AddRoundKey
AES Operations
• All AES operations are performed in the field GF(2^8).
• The field's irreducible polynomial is x^8 + x^4 + x^3 + x + 1: in binary notation (100011011)_2, in hex notation (11B)_16
Byte Substitution
• Makes a non-linear substitution for every byte in the 4x4 matrix
[Figure: each byte of the state (a … p) passes through the S-box to give the corresponding output byte (A … P), e.g. f → F]
The S-box is the inverse in GF(2^8) followed by an affine transformation:

$$\mathrm{Sbox}(A) = \begin{cases} \mathrm{Affine}(A^{-1}) & \text{if } A \neq 0 \\ \mathrm{Affine}(0) & \text{if } A = 0 \end{cases}$$

Affine transformation (bit 7 at the top, bit 0 at the bottom; b is the output byte, a the input byte):

$$\begin{bmatrix} b_7 \\ b_6 \\ b_5 \\ b_4 \\ b_3 \\ b_2 \\ b_1 \\ b_0 \end{bmatrix} =
\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} a_7 \\ a_6 \\ a_5 \\ a_4 \\ a_3 \\ a_2 \\ a_1 \\ a_0 \end{bmatrix}
\oplus
\begin{bmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{bmatrix}$$
AES S-box Design Rationale
• This S-box construction was proposed by Kaisa Nyberg in 1993
• Steps:
  1. Inverse in GF(2^8)
     • Provides high degrees of non-linearity
     • Known to have good resistance against differential and linear cryptanalysis
  2. Affine transformation
     • Ensures no fixed points (a fixed point is an x with S(x) = x)
     • Complicates algebraic attacks
[The S-box definition, Sbox(A) = Affine(A^-1) for A ≠ 0 and Affine(0) for A = 0, is repeated from the previous slide]
S-box Encryption Table
• Use a table to do the byte substitution
• e.g. Sbox[42] = 2c (values in hex)
Shift Rows
• ShiftRows
  • Leave the first row untouched
  • Left rotate the 2nd row by 8 bits
  • Left rotate the 3rd row by 16 bits
  • Left rotate the 4th row by 24 bits
• Along with MixColumns provides high diffusion
• Bits flip in at least 25 S-boxes after 4 rounds
[Figure: the state with rows (a e i m / b f j n / c g k o / d h l p) becomes (a e i m / f j n b / k o c g / p d h l); read column by column, the 16 bytes a b c d e f g h i j k l m n o p become a f k p e j o d i n c h m b g l]
Mix Columns
• The 4x4 matrix is multiplied with the matrix

$$\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}$$

For one column (e, f, g, h) of the state the output column (E, F, G, H) is

$$E = 2e + 3f + g + h,\quad F = e + 2f + 3g + h,\quad G = e + f + 2g + 3h,\quad H = 3e + f + g + 2h$$

[Figure: the state (a e i m / b f j n / c g k o / d h l p) maps column by column to (A E I M / B F J N / C G K O / D H L P)]
Note that multiplications are in the GF(2^8) field.
Mix Columns Rationale
Why use this matrix?
• It is an MDS matrix (maximum distance separable codes)
  • If the input of a column changes then all outputs change
  • This maximizes the branch number
  • For AES, the branch number is 5
• Values [2, 3, 1, 1] are the smallest which result in an MDS matrix that is also circulant
• Has an inverse in the AES field

$$\begin{bmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{bmatrix}$$
AES Operations (Add Round Key)
Addition here is addition in GF(2^8), which is the ex-or operation.
[Figure: the state (a e i m / b f j n / c g k o / d h l p) is added byte by byte to the round key (k0 k4 k8 k12 / k1 k5 k9 k13 / k2 k6 k10 k14 / k3 k7 k11 k15), giving (a+k0 e+k4 i+k8 m+k12 / b+k1 f+k5 j+k9 n+k13 / c+k2 g+k6 k+k10 o+k14 / d+k3 h+k7 l+k11 p+k15)]
AES-128 Decryption
[Figure: the ciphertext block is XORed with RK10; the loop (10 times) then applies Inverse ByteSubstitution, Inverse ShiftRows, AddRoundKey with RK9, RK8, …, RK1 and finally the key, and Inverse MixColumns (except for the last round), giving the plaintext block; the round keys come from key expansion of the secret key]
Inverse S-box
• Simply the AES S-box run in reverse
• As with the S-box operation, a lookup table can be used
Inverse Shift Rows
• Inverse ShiftRows
  • Leave the first row untouched
  • Right rotate the 2nd row by 8 bits
  • Right rotate the 3rd row by 16 bits
  • Right rotate the 4th row by 24 bits
[Figure: the state (a e i m / f j n b / k o c g / p d h l), i.e. the bytes a f k p e j o d i n c h m b g l, is restored to (a e i m / b f j n / c g k o / d h l p), i.e. a b c d e f g h i j k l m n o p]
Inverse Mix Column
• The 4x4 matrix is multiplied with the matrix (entries in hex)

$$\begin{bmatrix} \mathrm{E} & \mathrm{B} & \mathrm{D} & 9 \\ 9 & \mathrm{E} & \mathrm{B} & \mathrm{D} \\ \mathrm{D} & 9 & \mathrm{E} & \mathrm{B} \\ \mathrm{B} & \mathrm{D} & 9 & \mathrm{E} \end{bmatrix}$$

For one column (E, F, G, H) of the state the recovered column (e, f, g, h) is (coefficients written in decimal: 14, 11, 13, 9 are E, B, D, 9 in hex)

$$e = 14E + 11F + 13G + 9H,\quad f = 9E + 14F + 11G + 13H,\quad g = 13E + 9F + 14G + 11H,\quad h = 11E + 13F + 9G + 14H$$

[Figure: the state (A E I M / B F J N / C G K O / D H L P) maps column by column back to (a e i m / b f j n / c g k o / d h l p)]
• The hardware implementation can be done in a similar way as MixColumns
AES Key Schedule
• How to expand the secret key
• Design criteria
  o Efficient
  o Non-symmetric: ensured by round constants
  o Efficient diffusion properties of the secret key into round keys
  o It should exhibit enough non-linearity to prohibit the full determination of differences in the expanded key from cipher key differences only.
[Figure: key expansion produces RK1, RK2, RK3, …, RK10 from the secret key]
AES Key Schedule
[Figure: the secret key is the 4x4 byte matrix K0,0 … K0,15 (column-major: K0,0 K0,4 K0,8 K0,12 / K0,1 K0,5 K0,9 K0,13 / K0,2 K0,6 K0,10 K0,14 / K0,3 K0,7 K0,11 K0,15); its last column goes through rotword, the S-box operation and a round constant xor with (2^(i-1), 0, 0, 0) for round i, and the result is combined with the columns of the secret key to give the 1st round key K1,0 … K1,15]
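The S-box construction from the Byte Substitution and S-box Design Rationale slides and the key expansion from the AES Key Schedule slides above, as an added example in Python (not code from the slides): the S-box is built as the inverse in GF(2^8) followed by the affine map, then used in the AES-128 key schedule (rotword, S-box, round constant xor). The FIPS-197 sample key used at the end is an assumption of this example.

```python
# Added example: AES S-box from its construction, then the AES-128 key schedule.

def xtime(a):
    """Multiply by x in GF(2^8): left shift, reduce by 0x11B (x^8+x^4+x^3+x+1) on overflow."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiplication in GF(2^8) by repeated xtime (shift-and-add)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = xtime(a)
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse; the S-box maps 0 to 0 by convention.
    a^254 = a^-1 because the non-zero elements form a group of order 255."""
    if a == 0:
        return 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(a):
    """b_i = a_i ^ a_(i+4) ^ a_(i+5) ^ a_(i+6) ^ a_(i+7) ^ c_i (indices mod 8, c = 0x63):
    XOR a with its left rotations by 1..4 bits, then add the constant."""
    b = a
    for r in range(1, 5):
        b ^= ((a << r) | (a >> (8 - r))) & 0xFF
    return b ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]      # the 256-byte lookup table
INV_SBOX = [0] * 256                                # the S-box run in reverse
for x, y in enumerate(SBOX):
    INV_SBOX[y] = x

def fixed_points(sbox):
    """All x with S(x) == x; the slides say the affine step leaves none."""
    return [x for x in range(256) if sbox[x] == x]

def key_expansion(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys (the key itself is RK0)."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]   # the 4 columns of the secret key
    rcon = 0x01                                           # round constant 2^(i-1)
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:                                    # first column of each round key
            t = t[1:] + t[:1]                             # rotword
            t = [SBOX[b] for b in t]                      # S-box operation
            t[0] ^= rcon                                  # round constant xor (2^(i-1), 0, 0, 0)
            rcon = xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])  # new column = column 4 back xor t
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

if __name__ == "__main__":
    print("Sbox[0x42] = %02x" % SBOX[0x42])
    # FIPS-197 Appendix A.1 sample key (assumed here for the demonstration)
    for i, rk in enumerate(key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))):
        print("RK%-2d %s" % (i, rk.hex()))
```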
Implementation Aspects of AES
Software Implementations of AES Encryption
• S-box implemented as a lookup table (256 bytes)
• ShiftRows combined with MixColumns
• Multiplication with the MDS matrix easily achieved
  • x2: done by a left shift. If there is an overflow, an ex-or with 0x1B is needed
  • x3 = x2 + x
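The ShiftRows, MixColumns and Inverse MixColumns slides and the software trick above (x2 as a shift with ex-or 0x1B, x3 = x2 + x), as an added example in Python (not code from the slides). It goes a little beyond the slides by also building the inverse constants 9, B, D, E from the same shift, and by checking the branch number claim on every single-byte column change. The state is assumed column-major, state[r + 4c] being row r of column c, as in the state representation slide.

```python
# Added example: AES ShiftRows / MixColumns / InvMixColumns with xtime-based multiplication.

def xtime(x):
    """x2 in GF(2^8): left shift, ex-or with 0x1B if bit 7 was set (overflow)."""
    x <<= 1
    return (x ^ 0x1B) & 0xFF if x & 0x100 else x

def mul2(x): return xtime(x)
def mul3(x): return xtime(x) ^ x                        # x3 = x2 + x
def mul9(x): return xtime(xtime(xtime(x))) ^ x          # 8x + x
def mul11(x): return xtime(xtime(xtime(x)) ^ x) ^ x     # 2(4x + x) + x
def mul13(x): return xtime(xtime(xtime(x) ^ x)) ^ x     # 4(2x + x) + x
def mul14(x): return xtime(xtime(xtime(x) ^ x) ^ x)     # 2(2(2x + x) + x)

def shift_rows(s):
    """Row r is left-rotated by r bytes (8r bits); s is the 16-byte column-major state."""
    return bytes(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))

def inv_shift_rows(s):
    """Row r is right-rotated by r bytes."""
    return bytes(s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4))

def mix_column(col):
    """One column (e, f, g, h) times the circulant matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    e, f, g, h = col
    return [mul2(e) ^ mul3(f) ^ g ^ h,
            e ^ mul2(f) ^ mul3(g) ^ h,
            e ^ f ^ mul2(g) ^ mul3(h),
            mul3(e) ^ f ^ g ^ mul2(h)]

def inv_mix_column(col):
    """One column times the inverse matrix [E B D 9; 9 E B D; D 9 E B; B D 9 E] (hex entries)."""
    E, F, G, H = col
    return [mul14(E) ^ mul11(F) ^ mul13(G) ^ mul9(H),
            mul9(E) ^ mul14(F) ^ mul11(G) ^ mul13(H),
            mul13(E) ^ mul9(F) ^ mul14(G) ^ mul11(H),
            mul11(E) ^ mul13(F) ^ mul9(G) ^ mul14(H)]

def mix_columns(s):
    out = []
    for c in range(4):
        out += mix_column(s[4 * c:4 * c + 4])
    return bytes(out)

def inv_mix_columns(s):
    out = []
    for c in range(4):
        out += inv_mix_column(s[4 * c:4 * c + 4])
    return bytes(out)

def branch_number_single_byte():
    """Smallest (non-zero input bytes + non-zero output bytes) over every column with
    exactly one non-zero byte. The MDS property makes all four output bytes non-zero,
    so this is 1 + 4 = 5, the AES branch number."""
    best = 8
    for pos in range(4):
        for v in range(1, 256):
            col = [0, 0, 0, 0]
            col[pos] = v
            best = min(best, 1 + sum(1 for b in mix_column(col) if b))
    return best

if __name__ == "__main__":
    print(shift_rows(b"abcdefghijklmnop"))         # b'afkpejodinchmbgl' as on the slide
    print([hex(b) for b in mix_column([0xdb, 0x13, 0x53, 0x45])])
    print("branch number (single-byte inputs):", branch_number_single_byte())
```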
AES on 32 bit Systems (A Round of AES)
T Tables
• Combining operations (for a column)
• Define 4 T-tables
• One round of AES using T-tables
OpenSSL Implementation of AES (with T-tables)
Last Round of AES
• Uses a different table (Te4)
AES NI
• Accelerating AES on modern Intel and AMD processors with dedicated instructions
Compact Implementations of AES
• How should the S-box be implemented?
  • Lookup table (256 bytes)
    • This may be too large for some devices
  • Finding the inverse (using Itoh-Tsujii or the extended Euclidean algorithm) and then the affine transformation
    • Again expensive (too big!!!)
  • Third alternative
    • Use composite fields
Composite Fields for AES
• The AES field is GF(2^8) / x^8 + x^4 + x^3 + x + 1
  • Has order 256
• Many composite fields for AES exist
  • GF((2^4)^2)
    • Requires two irreducible polynomials
      One has the form x^4 + ...., where the coefficients are in GF(2)
      The second has the form x^2 + ax + b, where a, b are in GF(2^4)
  • GF(((2^2)^2)^2)
    • Requires three irreducible polynomials
      First of the form x^2 + a1 x + b1, where a1, b1 are in GF(2)
      Second has the form x^2 + a2 x + b2, where a2, b2 are in GF(2^2)
      Third has the form x^2 + a3 x + b3, where a3, b3 are in GF((2^2)^2)
Mapping between GF(2^8) and Composite Fields
https://drive.google.com/file/d/0BwxUBZXYoUKCTEJmNUozMl9xM3M/edit?usp=sharing

    FindMap() {
        Initialize MAP[0] = 0 and REVMAP[0] = 0
        Find a primitive root α of the field GF(2^8)
        Find a primitive root β of the field GF((2^4)^2)
        α' = 1; β' = 1
        For i = 1 to 255 {
            MAP[α'] = β'
            REVMAP[β'] = α'
            α' = α' · α      (multiplication in the field GF(2^8))
            β' = β' · β      (multiplication in the field GF((2^4)^2))
        }
        return MAP and REVMAP
    }
Implementing the AES S-box in Composite Fields
[Figure: x → map → inverse in the composite field (e.g. in GF((2^4)^2)) → reverse map → affine transform → Sbox(x)]
S-box Based on Composite Fields

Performance of S-boxes on FPGA*
S-box approach          No. of slices   Critical path   Gate count
Lookup table based      64              11.9 ns         1128
Composite field based   30              18.3 ns         312

Gate count for the composite S-box#
XOR   NAND   NOR   Total gates in terms of NAND (using std cell lib)
80    34     6     180

# D. Canright, A Very Compact S-box for AES, CHES-2005
* Simulation results using Xilinx ISE
Overhead of Composite Field S-boxes
• Composite field S-boxes require mapping and reverse mapping to and from the composite field in each round
• An alternate approach is to convert all other round operations into composite field operations.
  • This would require just one mapping and one reverse mapping for the entire encryption
  • Operations AddRoundKey and ShiftRows are not altered.
  • MixColumns will need to be re-implemented
Modes of Operation
What are Modes of Operation?
• Block cipher algorithms only encrypt a single block of message
• A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block
• Modes of operation
  • Electronic codebook mode (ECB mode)
  • Cipher feedback mode (CFB mode)
  • Cipher block chaining mode (CBC mode)
  • Output feedback mode (OFB mode)
  • Counter mode
ECB Mode
• Every block in the message is encrypted independently with the same key
• Drawback 1: if pi = pj (i ≠ j) then ci = cj
  • Encryption should protect against known plaintext attacks (since the attacker could guess parts of the message … like stereotyped beginnings)
• Drawback 2: an interceptor may alter the order of the blocks during transmission
• Not recommended for encryption of more than one block
[Figure: each plaintext block p0 … p4 is encrypted independently by eK to give c0 … c4]
CBC Mode
• Cipher Block Chaining
• Advantage 1: encryption depends on the ciphertext of the previous block, therefore
  • ci ≠ cj (i ≠ j) even if pi = pj
• Advantage 2: an intruder cannot alter the order of the blocks during transmission
• If an error is present in one received block (say ci)
  • Then ci and ci+1 will not be decrypted correctly
  • All remaining blocks will be correctly decrypted
[Figure: p0 is xored with the IV before eK; each later plaintext block pi is xored with the previous ciphertext block ci-1 before eK, giving c0 … c4]
CBC Mode Decryption
[Figure: encryption as on the previous slide; for decryption each ciphertext block ci passes through dK and the result is xored with ci-1 (with the IV for c0) to give pi]
CFB (Cipher Feedback Mode)
• Can transform a block cipher into a stream cipher,
  • i.e. each block is encrypted with a different key
• Uses a shift register that is initialized with an IV
[Figure (encryption scheme): the register, initialized with the IV, is fed through eK; the message stream (8 bits at a time) is xored with the output to give the ciphertext stream (8 bits transmitted at a time)]
CFB - Error Propagation
• Uses a shift register that is initialized with an IV
• Previous ciphertext block fed into the shift register
[Figure (decryption scheme): the register output passed through eK is xored with the ciphertext stream (8 bits at a time) to give the plaintext stream (8 bits decrypted at a time)]
Output Feedback Mode (OFB)
• Very similar to CFB but the feedback is taken from the output of ek
• An error in one byte of the ciphertext affects only one decryption
[Figure (encryption scheme; the decryption scheme is similar): the shift register feeds eK; the output of eK is fed back into the shift register and xored with the message stream (8 bits at a time) to give the ciphertext stream (8 bits transmitted at a time)]
Counter Mode
• Arandomlyinitializedcounterisincrementedwitheveryencryption• Canbeparallelized
• Ie.Multipleencryptionenginescansimultaneouslyrun
• AswithOFB,anerrorinasingleciphertextblockaffectsonlyonedecryptedplaintext
60
eK
counter
c0
eK
counter+1
c1
eK
counter+2
c2
eK
counter+3
c3
eK
counter+4
c4
p0 p1 p2 p3 p4
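The three modes above are shown below in an added Python example (not code from the slides). It uses a stand-in for e_K, namely HMAC-SHA256 truncated to one 16-byte block; that is an assumption of the example, chosen because CFB, OFB and CTR only ever call the forward direction of the cipher. The `corrupted_positions` function flips one ciphertext bit after encryption and reports which plaintext bytes decrypt wrongly, which makes the error-propagation difference between the three modes visible: in 8-bit CFB the bad byte stays in the shift register for 16 further steps, in OFB and CTR only the one byte is affected.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block; the register in the 8-bit CFB/OFB figures is one block wide


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for e_K (assumption of this example): a keyed PRF, HMAC-SHA256
    truncated to one block. CFB, OFB and CTR never need the inverse direction."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with 8-bit feedback: each ciphertext byte is shifted into the register."""
    reg, out = bytearray(iv), bytearray()
    for p in plaintext:
        c = block_fn(key, bytes(reg))[0] ^ p
        out.append(c)
        del reg[0]
        reg.append(c)
    return bytes(out)


def cfb8_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption: the *received* ciphertext byte is shifted into the register."""
    reg, out = bytearray(iv), bytearray()
    for c in ciphertext:
        out.append(block_fn(key, bytes(reg))[0] ^ c)
        del reg[0]
        reg.append(c)
    return bytes(out)


def ofb8_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB with 8-bit feedback: the e_K output byte, not the ciphertext, is fed back,
    so encryption and decryption are the same operation."""
    reg, out = bytearray(iv), bytearray()
    for b in data:
        o = block_fn(key, bytes(reg))[0]
        out.append(o ^ b)
        del reg[0]
        reg.append(o)
    return bytes(out)


def ctr_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """Counter mode: keystream block i = e_K(counter + i). Blocks are independent,
    so they could be computed in parallel. Same function for encrypt and decrypt."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ctr_block = ((counter + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big")
        keystream = block_fn(key, ctr_block)
        out.extend(x ^ k for x, k in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def corrupted_positions(mode: str, flip_index: int = 5) -> list:
    """Encrypt a constructed message, flip one ciphertext bit, decrypt, and report
    the plaintext byte positions that come out wrong."""
    key = b"K" * 16                   # constructed demo key
    iv = bytes(range(16))             # constructed IV / initial counter
    msg = b"Attack at Dawn!! " * 3    # constructed message, 51 bytes
    if mode == "cfb":
        enc = lambda m: cfb8_encrypt(key, iv, m)
        dec = lambda c: cfb8_decrypt(key, iv, c)
    elif mode == "ofb":
        enc = dec = lambda d: ofb8_crypt(key, iv, d)
    elif mode == "ctr":
        enc = dec = lambda d: ctr_crypt(key, int.from_bytes(iv, "big"), d)
    else:
        raise ValueError(mode)
    ct = bytearray(enc(msg))
    ct[flip_index] ^= 0x01            # one-bit transmission error
    recovered = dec(bytes(ct))
    return [i for i, (a, b) in enumerate(zip(msg, recovered)) if a != b]


if __name__ == "__main__":
    for mode in ("cfb", "ofb", "ctr"):
        print(mode, corrupted_positions(mode))
```

Running the script prints, for CFB, position 5 followed by the 16 positions 6 to 21 (the lifetime of the corrupted byte in the 16-byte register), and for OFB and CTR only position 5. None of the three modes detects the modification at all; that is the job of a MAC, covered later in the deck.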
Cryptographic Hash Functions
STINSON: chapter 4
Issues with Integrity
[Figure: Alice sends the message "Attack at Dawn!!" to Bob over an unsecure channel; on the way 'Dawn' is changed to 'Dusk', so Bob receives "Attack at Dusk!!".]
How can Bob ensure that Alice's message has not been modified? Note.... We are not concerned with confidentiality here
Hashes Alice Bob
Message“AttackatDawn!!”
“AttackatDawn!!”
63
“AttackatDawn!!”
“Messagedigest”securechannel
Alicepassesthemessagethroughahashfunction,whichproducesafixedlengthmessagedigest.• ThemessagedigestisrepresentativeofAlice’smessage.• Evenasmallchangeinthemessagewillresultinacompletelynewmessagedigest• Typicallyof160bits,irrespectiveofthemessagesize.
Bobre-computesamessagehashandverifiesthedigestwithAlice’smessagedigest.
y=h(x)h
unsecurechannel h
=
Integrity with Hashes
[Figure: Alice computes y = h(x) on "Attack at Dawn!!"; the digest goes over the secure channel, the message over the insecure channel where it may be changed to x'; Bob computes y = h(x') and compares (=).]
Mallory does not have access to the digest y. Her task (to modify Alice's message) is much more difficult. If she modifies x to x', the modification can be detected unless h(x) = h(x'). Hash functions are specially designed to resist such collisions.
Message Authentication Codes (MAC)
[Figure: Alice computes y = h_K(x) on "Attack at Dawn!!" with the shared key K; the message and the message digest are both sent over the unsecure channel; Bob recomputes h_K on the received message with K and compares (=).]
MACs allow the message and the digest to be sent over an insecure channel. However, it requires Alice and Bob to share a common key.
Avalanche Effect
Hash functions provide unique digests with high probability. Even a small change in M will result in a new digest.
[Figure: Message M → Hash Function → short fixed length digest, also called 'hash']
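The Alice/Bob exchanges on the hash, MAC and avalanche slides, as an added Python example (not from the slides). It uses SHA-256 as h and HMAC-SHA256 as h_K (the slides' 160-bit digest would be SHA-1; the choice here is an assumption), checks Bob's comparison for the genuine and the tampered message, shows why the unkeyed digest only helps when it arrives over a channel the attacker cannot write to, and measures the avalanche effect as the number of digest bits that change between "Dawn" and "Dusk".

```python
import hashlib
import hmac


def digest(message: bytes) -> bytes:
    """h(x): an unkeyed hash (SHA-256 here, an assumption of this example)."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """h_K(x): a keyed hash (HMAC-SHA256) under the key Alice and Bob share."""
    return hmac.new(key, message, hashlib.sha256).digest()


def bob_checks_hash(received: bytes, digest_from_secure_channel: bytes) -> bool:
    """Bob recomputes h on the received message and compares it with the digest
    that reached him over the secure channel."""
    return hmac.compare_digest(digest(received), digest_from_secure_channel)


def bob_checks_mac(key: bytes, received: bytes, tag_from_insecure_channel: bytes) -> bool:
    """Message and tag both travel over the insecure channel; only a holder of K can
    produce a matching tag. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(mac(key, received), tag_from_insecure_channel)


def differing_bits(a: bytes, b: bytes) -> int:
    """Avalanche measurement: Hamming distance between two digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def scenario() -> dict:
    original = b"Attack at Dawn!!"                     # Alice's message (from the slides)
    tampered = b"Attack at Dusk!!"                     # the modification from the slides
    key = b"shared-secret-between-alice-and-bob"       # constructed demo key

    y = digest(original)       # would travel over the secure channel
    tag = mac(key, original)   # travels over the insecure channel with the message

    return {
        # the unkeyed digest catches the change as long as y itself could not be altered
        "hash_detects_tamper": not bob_checks_hash(tampered, y),
        # without a key, whoever can replace the digest can make x' verify
        "hash_forgeable_without_key": bob_checks_hash(tampered, digest(tampered)),
        # the MAC catches the change although the tag travelled with the message
        "mac_detects_tamper": not bob_checks_mac(key, tampered, tag),
        "mac_accepts_genuine": bob_checks_mac(key, original, tag),
        # avalanche: one word changed flips roughly half of the 256 digest bits
        "bits_changed": differing_bits(y, digest(tampered)),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```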
Hash functions in Security
• Digital signatures
• Random number generation
• Key updates and derivations
• One way functions
• MAC
• Detect malware in code
• User authentication (storing passwords)
Hash Family
• The hash family is a 4-tuple defined by (X, Y, K, H)
• X is a set of messages (may be infinite)
• Y is a finite set of message digests (aka authentication tags)
• K is a finite set of keys
• Each K ∈ K defines a keyed hash function h_K ∈ H
[Figure: h_K maps X to Y]
Hash Family : some definitions
• Valid pair under K: (x, y) ∈ X × Y such that y = h_K(x)
• Size of the hash family: is the number of functions possible from set X to set Y; if |Y| = M and |X| = N then the number of mappings possible is M^N
• The collection of all such mappings is termed an (N, M)-hash mapping.
[Figure: h_K maps X to Y]
Unkeyed Hash Function
• The hash family is a 4-tuple defined by (X, Y, K, H)
• X is a set of messages (may be infinite; we assume the minimum size is at least 2|Y|)
• Y is a finite set of message digests
• In an unkeyed hash function: |K| = 1
• We thus have only one mapping function in the family
[Figure: h maps X to Y]
Security Aspects of Unkeyed Hash Functions
h : X → Y, y = h(x) -----> no shortcuts in computing. The only valid way of computing y is to invoke the hash function h on x
• Three problems that define security of a hash function
  * Preimage Resistance
  * Second Preimage Resistance
  * Collision Resistance
Hash function Requirement 1 (Preimage Resistant)
• Also known as the one-wayness problem
• If Mallory happens to know the message digest, she should not be able to determine the message
• Given a hash function h : X → Y and an element y ∈ Y, find any x ∈ X such that h(x) = y
[Figure: h maps X to Y]
Hash function Requirement 2 (Second Preimage)
• Mallory has x and can compute h(x); she should not be able to find another message x' which produces the same hash.
• It would be easy to forge new digital signatures from old signatures if the hash function used weren't second preimage resistant
• Given a hash function h : X → Y and an element x ∈ X, find x' ∈ X, x' ≠ x, such that h(x) = h(x')
[Figure: h maps X to Y]
Hash Function Requirement 3 (Collision Resistant)
• Mallory should not be able to find two messages x and x' which produce the same hash
• Given a hash function h : X → Y, find x, x' ∈ X with x ≠ x' such that h(x) = h(x')
[Figure: h maps X to Y]
There is no collision free hash function, but hash functions can be designed so that collisions are difficult to find.
Finding Collisions

Find_Collisions(h, Q) {
    choose Q distinct values from X (say x_1, x_2, ..., x_Q)
    for (i = 1; i <= Q; ++i)
        y_i = h(x_i)
    if there exists (y_j == y_k) for j ≠ k then
        return (x_j, x_k)
    return FAIL
}

$\varepsilon = \Pr(\text{Success}) = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right)$
Birthday Paradox
• Find the probability that at least two people in a room have the same birthday

Event A: at least two people in the room have the same birthday
Event A': no two people in the room have the same birthday
$\Pr[A] = 1 - \Pr[A']$
For Q people in the room:
$\Pr[A'] = 1 \times \left(1 - \frac{1}{365}\right) \times \left(1 - \frac{2}{365}\right) \times \left(1 - \frac{3}{365}\right) \times \cdots \times \left(1 - \frac{Q-1}{365}\right) = \prod_{i=1}^{Q-1}\left(1 - \frac{i}{365}\right)$
$\Pr[A] = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{365}\right)$
Birthday Paradox
• If there are 23 people in a room, then the probability that two birthdays collide is 1/2
Collisions in Birthdays to Collisions in Hash Functions
(Find_Collisions(h, Q) as on the "Finding Collisions" slide)
$\varepsilon = \Pr(\text{Success}) = 1 - \prod_{i=1}^{Q-1}\left(1 - \frac{i}{M}\right)$, where |Y| = M

Relationship between Q, M, and success ε:
$Q \approx \sqrt{2M \ln\frac{1}{1-\varepsilon}}$
If ε = 0.5 then $Q \approx 1.17\sqrt{M}$
Q is always proportional to the square root of M. ε only affects the constant factor.
Birthday Attacks and Message Digests
• If the size of a message digest is 40 bits, M = 2^40
• A birthday attack would require 2^20 queries ($Q \approx 1.17\sqrt{M}$)
• Thus to achieve 128 bit security against collision attacks, hashes of length at least 256 bits are required
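The collision-finding algorithm, the success-probability product and the birthday relationship between Q and M, worked through in an added Python example (not from the slides). To make Find_Collisions finish in well under a second it runs on a constructed hash with a small digest space, SHA-256 truncated to 24 bits (M = 2^24), which is an assumption of the example; the probability and Q formulas are the ones on the slides and `birthday_probability(23)` reproduces the 1/2 figure.

```python
import hashlib
import math


def truncated_hash(x: bytes, bits: int) -> int:
    """A hash with a deliberately small digest space |Y| = M = 2^bits, constructed for the
    demo by truncating SHA-256 (real digests are 160 bits or more)."""
    full = int.from_bytes(hashlib.sha256(x).digest(), "big")
    return full & ((1 << bits) - 1)


def find_collisions(h, q: int):
    """The slides' Find_Collisions(h, Q): hash Q distinct inputs and look for y_j == y_k.
    A dictionary keyed by digest finds the repeat in one pass instead of comparing pairs."""
    seen = {}
    for i in range(q):
        x = i.to_bytes(8, "big")      # Q distinct values x_1..x_Q from X
        y = h(x)
        if y in seen:
            return seen[y], x         # (x_j, x_k) with h(x_j) == h(x_k), x_j != x_k
        seen[y] = x
    return None                       # FAIL


def success_probability(q: int, m: int) -> float:
    """eps = Pr(Success) = 1 - prod_{i=1}^{Q-1} (1 - i/M)."""
    prod = 1.0
    for i in range(1, q):
        prod *= 1.0 - i / m
    return 1.0 - prod


def birthday_probability(people: int) -> float:
    """Pr[A] for M = 365 possible birthdays and Q = people."""
    return success_probability(people, 365)


def queries_for_success(m: int, eps: float = 0.5) -> float:
    """Q ~ sqrt(2 M ln(1/(1 - eps))); for eps = 0.5 this is about 1.17 sqrt(M)."""
    return math.sqrt(2 * m * math.log(1.0 / (1.0 - eps)))


def digest_bits_for_collision_security(security_bits: int) -> int:
    """Q ~ sqrt(M) = 2^(n/2): an n-bit digest gives n/2 bits of collision security,
    so 128-bit security needs a 256-bit digest."""
    return 2 * security_bits


if __name__ == "__main__":
    print("23 people:", birthday_probability(23))
    print("Q for M = 2^40:", queries_for_success(2 ** 40))
    print("24-bit collision:", find_collisions(lambda x: truncated_hash(x, 24), 1 << 16))
```

With 2^16 queries against a 24-bit digest the expected success probability from the product formula is essentially 1, which is why the script always returns a colliding pair; at 2^12 queries it would succeed only about 40% of the time, and the same formula with M = 2^40 gives the 2^20 figure on the slide.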
Iterated Hash Functions
• So far, we've looked at hash functions where the message was picked from a finite set X
• What if the message is of an infinite size?
• We use an iterated hash function
• The core in an iterated hash function is a function called compress
• Compress hashes from m+t bits to m bits
$\text{compress} : \{0,1\}^{m+t} \rightarrow \{0,1\}^{m}, \quad t \geq 1$
[Figure: m+t bit input → compress → m bit output]
Iterated Hash Function (given m and t)
[Figure: input message x (may be of any length) → Append Pad → Pad Length → y. The IV (m bits) is concatenated with the first t-bit block of y and fed to compress; each m-bit output is concatenated with the next t-bit block and fed to compress again; the final output passes through g to give h(y).]
• Input message is padded so that its length is a multiple of t
• The number of bits in the pad is appended
• The compress function is invoked iteratively for each t bit block in the message. For the first operation, an initialization vector is used
• Concatenate previous m bit output with next t bit block (IV used only during initialization)
• After all t bit blocks are processed, there is a post processing step (g), and finally the hash is obtained. This step is optional.
• x must be at least m+t+1 in length
Iterated Hash Function (Principle)
• Another perspective
[Figure not reproduced]
Hash Functions in Practice
• MD5
• NIST specified "secure hash algorithm"
  • SHA0: published in 1993. 160 bit hash.
    • There were unpublished weaknesses in this algorithm
    • The first published weakness was in 1998, where a collision attack was discovered with complexity 2^61
  • SHA1: published in 1995. 160 bit hash.
    • SHA0 replaced with SHA1, which resolved several of the weaknesses
    • SHA1 used in several applications until 2005, when an algorithm to find collisions with a complexity of 2^69 was developed
    • In 2010, SHA1 was no longer supported. All applications that used SHA1 needed to be migrated to SHA2
  • SHA2: published in 2001. Supports 6 functions: 224, 256, 384, 512, and two truncated versions of 512 bit hashes
    • No collision attacks on SHA2 as yet. The best attack so far assumes reduced rounds of the algorithm (46 rounds)
  • SHA3: published in 2015. Also known as Keccak
MD5
[Figure: input message x → Append Pad → Pad Length → 512 bit blocks (32 bits × 16; each limb is of 32 bits). Each block goes through Round 1, Round 2, Round 3, Round 4, updating the state A B C D; the round operations use 32 bit message parts and constants → 128 bit hash.]
• Appended with 1 and then 0s so that length is a multiple of 512 – 64 = 448
• Message length appended (in 64 bits) and split into blocks of 512 bits
• Each round has 16 similar operations of this modified Feistel form
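The iterated construction of the "Iterated Hash Function (given m and t)" slide, with the MD5-style padding of this slide, as an added Python example (not the slides' code and not MD5). It takes m = 128 and t = 512, and the compress function is a stand-in built from SHA-256 truncated to m bits; both choices are assumptions of the example, and a real MD5 compress would run the four 16-operation rounds on A, B, C, D instead. The padding and the chaining are the part the example is meant to show.

```python
import hashlib

M_BITS = 128     # chaining value size m (bits); MD5 keeps A, B, C, D = 4 x 32 bits
T_BITS = 512     # block size t (bits), as in MD5
M_BYTES, T_BYTES = M_BITS // 8, T_BITS // 8
IV = bytes(M_BYTES)   # constructed all-zero initialization vector (MD5 uses fixed constants)


def compress(chain: bytes, block: bytes) -> bytes:
    """compress : {0,1}^(m+t) -> {0,1}^m. Stand-in (an assumption of this example):
    SHA-256 over the concatenation, truncated to m bits."""
    assert len(chain) == M_BYTES and len(block) == T_BYTES
    return hashlib.sha256(chain + block).digest()[:M_BYTES]


def pad(message: bytes) -> bytes:
    """MD5-style padding: a single 1 bit, then 0 bits until the length is 448 mod 512,
    then the original length in bits as a 64-bit field, so the total is a multiple of 512."""
    bit_len = 8 * len(message)
    padded = message + b"\x80"                  # the 1 bit followed by seven 0 bits
    while len(padded) % T_BYTES != T_BYTES - 8:
        padded += b"\x00"
    padded += bit_len.to_bytes(8, "little")     # MD5 stores the length little-endian
    assert len(padded) % T_BYTES == 0
    return padded


def iterated_hash(message: bytes, post_process=None) -> bytes:
    """Iterate compress over the t-bit blocks of the padded message: the IV is used for the
    first block, then each m-bit output is concatenated with the next block. g is optional."""
    chain = IV
    y = pad(message)
    for i in range(0, len(y), T_BYTES):
        chain = compress(chain, y[i:i + T_BYTES])
    return post_process(chain) if post_process else chain


def blocks_for(message: bytes) -> int:
    """Number of 512-bit blocks the padded message occupies."""
    return len(pad(message)) // T_BYTES


if __name__ == "__main__":
    print(iterated_hash(b"Attack at Dawn!!").hex())
    print(blocks_for(b"a" * 55), blocks_for(b"a" * 56))
```

The 55/56-byte boundary in `blocks_for` is the practical consequence of the "448 mod 512" rule: a message of 55 bytes still fits in one block with its padding and length field, while 56 bytes forces a second block.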
Collisions in MD5 (Timeline)
• A birthday attack on MD5 has complexity of 2^64
  • Small enough to brute force collision search
• 1996, collisions on the inner functions of MD5 found
• 2004, collisions demonstrated practically
• 2007, chosen-prefix collisions demonstrated
  Given two different prefixes p1, p2 find two appendages m1 and m2 such that hash(p1 || m1) = hash(p2 || m2)
• 2008, rogue SSL certificates generated
• 2012, MD5 collisions used in cyber warfare
  • Flame malware uses an MD5 prefix collision to fake a Microsoft digital code signature
MD5 Collisions demos: http://www.mscs.dal.ca/~selinger/md5collision/
Collision attack on MD5 like hash functions
• Analyze differential trails
• A bit different from block ciphers
  • No secret key involved
  • We can choose M and N as we want
• We have a valid attack if probability of trail is P > 2^(−N/2)
[Figure: two messages M, N enter the hash function; ΔH = 0]
Collision attack on MD5 like hash functions
Wang and Yu made it possible to find two pairs of blocks (m_i, m_{i+1}) and (n_i, n_{i+1}) such that F(F(s, m_i), m_{i+1}) = F(F(s, n_i), n_{i+1}), where s is some state of the hash function (can be anything). The method makes it possible to construct two strings m_0, m_1, m_2, ..., m_i, m_{i+1}, ..., m_k and m_0, m_1, m_2, ..., n_i, n_{i+1}, ..., m_k which have the same MD5 hash.
[Figure: M, N → ΔH = 0]
Example of an MD5 collision
[Figure: Block 1 and Block 2 of the colliding pair]
A Visualization of the Collision
http://www.links.org/?p=6
A Visualization (Difference in just one MSB of the two blocks)
SHA1
[Figure: input message x (may be of any length less than 2^64) → padded and split into 512 bit blocks, each word is 32 bits (512/16 = 32); the words are expanded to 79 words; the IV and the expanded words go through the round function; 32 × 5 = 160 bit hash output]
Keccak and SHA3
• Uses a sponge construction
• Achieves variable length hash functions
[Figure: sponge construction with bitrate r and security parameter (capacity) c]
Success of an attack against Keccak < N^2 / 2^(c+1), where N is the number of calls to f
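A small sponge construction, as an added Python example (not the slides' code and not Keccak). It absorbs the padded message r bits at a time into a b = r + c bit state, calling f after each block, and then squeezes out as many bytes as the caller asks for, which is how a sponge gives variable-length output; the state permutation f is replaced by SHA-256 over the state (an assumption of the example; Keccak-f is a real permutation, SHA-256 is not), and b = 256, c = 128 are chosen for the demo. `attack_success_bound` is the N^2 / 2^(c+1) bound from the slide.

```python
import hashlib

B_BITS = 256                 # state width b = r + c (constructed for the demo)
C_BITS = 128                 # capacity c, the security parameter
R_BITS = B_BITS - C_BITS     # bitrate r
R_BYTES, B_BYTES = R_BITS // 8, B_BITS // 8


def f(state: bytes) -> bytes:
    """Stand-in for Keccak-f (an assumption of this example): a fixed-width function on
    the b-bit state. Every call to f is one of the N calls counted by the bound."""
    assert len(state) == B_BYTES
    return hashlib.sha256(state).digest()


def sponge_pad(message: bytes) -> bytes:
    """pad10*1: a 1 bit, zero or more 0 bits, then a final 1 bit, up to a multiple of r."""
    padded = bytearray(message)
    padded.append(0x01)                  # first padding bit
    while len(padded) % R_BYTES != 0:
        padded.append(0x00)
    padded[-1] |= 0x80                   # last padding bit (same byte if no zeros were needed)
    return bytes(padded)


def sponge(message: bytes, out_len: int) -> bytes:
    """Absorb: XOR each r-bit block into the outer part of the state and apply f.
    Squeeze: emit the outer r bits, applying f between emissions, until out_len bytes."""
    state = bytearray(B_BYTES)
    padded = sponge_pad(message)
    for i in range(0, len(padded), R_BYTES):
        for j in range(R_BYTES):
            state[j] ^= padded[i + j]    # only the outer r bits are ever touched directly
        state = bytearray(f(bytes(state)))
    out = bytearray()
    while len(out) < out_len:
        out.extend(state[:R_BYTES])
        if len(out) < out_len:
            state = bytearray(f(bytes(state)))
    return bytes(out[:out_len])


def attack_success_bound(n_calls: int, c: int = C_BITS) -> float:
    """N^2 / 2^(c+1): the generic bound on an attacker's success after N calls to f."""
    return n_calls ** 2 / 2 ** (c + 1)


if __name__ == "__main__":
    print(sponge(b"Attack at Dawn!!", 20).hex())
    print(sponge(b"Attack at Dawn!!", 40).hex())
    print(attack_success_bound(2 ** 64))
```

The inner c bits are never written by the absorbed data and never read by the squeeze; that separation is what the capacity buys, and the bound says an attacker needs on the order of 2^(c/2) calls to f before the generic success probability becomes appreciable.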
Message Authentication Codes (Keyed Hash Functions)
[Figure: Alice computes y = h_K(x) on "Attack at Dawn!!" with key K; the message and the message digest cross the unsecure channel; Bob recomputes h_K on the received message with K and compares (=).]
Provides Integrity and Authenticity
Integrity: Messages are not tampered
Authenticity: Bob can verify that the message came from Alice (does not provide non-repudiation)
CBC-MAC
[Figure: IV ⊕ m0 → e_K → ⊕ m1 → e_K → ⊕ m2 → e_K → ⊕ m3 → e_K → ... → h_K(m0 || m1 || ... || m4); the output of each e_K is XORed with the next message block and the final output is the tag.]
Birthday Attack on CBC MAC
By the birthday paradox, in 2^64 steps (assuming a 128 bit cipher), a collision will arise. Let's assume that the collision occurs in the a-th and b-th step.
$c_a = c_b$
$E_k(m_a \oplus c_{a-1}) = E_k(m_b \oplus c_{b-1})$
thus $m_a \oplus c_{a-1} = m_b \oplus c_{b-1}$
$m_a \oplus m_b = c_{a-1} \oplus c_{b-1}$
$M_1 = m_1 \,\|\, m_2 \,\|\, \ldots \,\|\, m_i \,\|\, \ldots \,\|\, m_n$
$M_2 = m_1 \,\|\, m_2 \,\|\, \ldots \,\|\, (m_i \oplus c_{a-1} \oplus c_{a-2}) \,\|\, \ldots \,\|\, m_n$
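CBC-MAC and the derivation above, as an added Python example (not the slides' code). Because a chaining-value collision needs about 2^(n/2) steps, the example uses a constructed 16-bit toy block cipher, a 4-round Feistel network with a SHA-256 round function, so a collision turns up after a few hundred blocks; that cipher and the message generator are assumptions of the example. A Feistel network is a permutation, which is exactly what the cancellation step E_k(u) = E_k(v) ⇒ u = v relies on, and `collision_identity_holds` checks the resulting identity m_a ⊕ m_b = c_{a-1} ⊕ c_{b-1} on a real collision. `birthday_steps(128)` gives the 2^64 from the slide.

```python
import hashlib
import hmac

BLOCK_BITS = 16   # toy block size (assumption) so an internal collision appears in ~2^8 steps


def toy_block_cipher(key: bytes, block: int) -> int:
    """E_K on 16-bit blocks: 4-round Feistel network with a SHA-256-derived round function
    (constructed for the demo). Being Feistel, it is a permutation of the block space."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f_out = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f_out
    return (left << 8) | right


def cbc_mac_chain(key: bytes, blocks: list, iv: int = 0) -> list:
    """c_0 = IV, c_i = E_K(m_i XOR c_{i-1}). The last c_i is the tag h_K(m_1 || ... || m_n)."""
    chain = [iv]
    for m in blocks:
        chain.append(toy_block_cipher(key, m ^ chain[-1]))
    return chain


def cbc_mac(key: bytes, blocks: list) -> int:
    return cbc_mac_chain(key, blocks)[-1]


def verify_cbc_mac(key: bytes, blocks: list, tag: int) -> bool:
    """Constant-time comparison so the verifier leaks nothing about the expected tag."""
    expected = cbc_mac(key, blocks).to_bytes(2, "big")
    return hmac.compare_digest(expected, tag.to_bytes(2, "big"))


def birthday_steps(block_bits: int) -> int:
    """Steps after which a chaining-value collision is expected: 2^(n/2), i.e. 2^64 for n = 128."""
    return 1 << (block_bits // 2)


def constructed_message(n_blocks: int) -> list:
    """Deterministic constructed 16-bit message blocks, taken from a SHA-256 byte stream."""
    blocks, counter = [], 0
    while len(blocks) < n_blocks:
        stream = hashlib.sha256(b"demo-message" + counter.to_bytes(4, "big")).digest()
        blocks.extend(int.from_bytes(stream[i:i + 2], "big") for i in range(0, 32, 2))
        counter += 1
    return blocks[:n_blocks]


def find_chain_collision(key: bytes, blocks: list):
    """Return (a, b, chain) with 1 <= a < b and c_a == c_b, or None if no collision occurs."""
    chain = cbc_mac_chain(key, blocks)
    seen = {}
    for idx in range(1, len(chain)):
        if chain[idx] in seen:
            return seen[chain[idx]], idx, chain
        seen[chain[idx]] = idx
    return None


def collision_identity_holds(key: bytes, blocks: list) -> bool:
    """Check the slide's derivation on a real collision:
    c_a == c_b  =>  m_a XOR m_b == c_{a-1} XOR c_{b-1}."""
    found = find_chain_collision(key, blocks)
    if found is None:
        return False
    a, b, chain = found
    # blocks is 0-indexed while the slide's m_i is 1-indexed: m_a is blocks[a - 1]
    return blocks[a - 1] ^ blocks[b - 1] == chain[a - 1] ^ chain[b - 1]


if __name__ == "__main__":
    key, msg = b"demo-key", constructed_message(3000)
    a, b, _ = find_chain_collision(key, msg)
    print(f"collision at steps {a} and {b}; identity holds: {collision_identity_holds(key, msg)}")
    print("steps for a 128-bit cipher:", birthday_steps(128))
```

With a 16-bit block the collision appears after a few hundred steps, which is the toy-scale version of the 2^64 figure; the defensive reading of the slide is that a CBC-MAC's strength is bounded by half the block size of its cipher, and that the number of blocks authenticated under one key has to stay far below that bound.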
HMAC
• FIPS standard for MAC
• Based on unkeyed hash function (SHA-1)
$\text{HMAC}_K(x) = \text{SHA1}\big((K \oplus \text{opad}) \,\|\, \text{SHA1}((K \oplus \text{ipad}) \,\|\, x)\big)$
ipad and opad are predefined constants
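The HMAC formula above implemented from scratch over SHA-1, as an added Python example (not the slides' code), and cross-checked against Python's `hmac` module and a published test vector. The predefined constants are the byte 0x36 (ipad) and 0x5c (opad) repeated to the 64-byte SHA-1 block size; the key handling (hash a key longer than one block, zero-pad any key to the block size) follows the HMAC specification and is what makes the result agree with the standard library.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                       # SHA-1 processes 512-bit (64-byte) blocks
IPAD = bytes([0x36] * BLOCK_SIZE)     # predefined ipad constant
OPAD = bytes([0x5C] * BLOCK_SIZE)     # predefined opad constant


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hmac_sha1(key: bytes, x: bytes) -> bytes:
    """HMAC_K(x) = SHA1((K xor opad) || SHA1((K xor ipad) || x)), as on the slide.
    A key longer than one block is first hashed; every key is then zero-padded to the
    block size so that the xor with ipad/opad is well defined."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha1(_xor(key, IPAD) + x).digest()    # inner hash over the message
    return hashlib.sha1(_xor(key, OPAD) + inner).digest()  # outer hash over the inner digest


def verify(key: bytes, x: bytes, tag: bytes) -> bool:
    """Bob's check: recompute h_K on the received message, compare in constant time."""
    return hmac.compare_digest(hmac_sha1(key, x), tag)


def matches_stdlib(key: bytes, x: bytes) -> bool:
    """Cross-check the from-scratch construction against Python's hmac module."""
    return hmac_sha1(key, x) == hmac.new(key, x, hashlib.sha1).digest()


if __name__ == "__main__":
    tag = hmac_sha1(b"key", b"Attack at Dawn!!")
    print(tag.hex(), verify(b"key", b"Attack at Dawn!!", tag))
    print(verify(b"key", b"Attack at Dusk!!", tag))
```

The two nested hash calls are the point of the construction: the secret enters both the inner and the outer invocation, so the tag cannot be computed or extended by anyone who only sees messages and tags.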