
Cryptanalysis / Block Ciphers: AES

Tjark Weber

Cryptology
March 26, 2013

Tjark Weber (UU)

Cryptanalysis / Block Ciphers: AES

1 / 39


Lab Groups

Lab groups have been announced on the Student Portal. Please get in touch with your group members! The deadline for part (a) of Lab 1 is this Friday, March 29.

Please send email to jean-noel.monette@it.uu.se as soon as possible if
- you have not been assigned to a lab group but want to do the labs;
- you have been assigned to a lab group but don't want to do the labs.



Lab 1

For your convenience, computer room 1515 has been reserved tomorrow (Wednesday) from 8:15-12:00.

You are not required to be there at this time. You may work on the lab when- and wherever you like. You may use the computer room at other times if it is available.

Jean-Noel will not be there tomorrow. As usual, you can contact him in person or by email (jean-noel.monette@it.uu.se) if you have questions.


Exercise Solutions

1. Use the extended Euclidean algorithm to compute 28^{-1} mod 75.

Precondition: a > 0, b > 0

function extended_gcd(a, b)
    x := 0; x' := 1
    y := 1; y' := 0
    while b ≠ 0 do
        q := a div b
        (a, b) := (b, a mod b)
        (x, x') := (x' − q·x, x)
        (y, y') := (y' − q·y, y)
    done
    return (x', y')
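The pseudocode above, transcribed into runnable Python as an added example (this is not code from the slides). It follows the slide's loop exactly, additionally returns the gcd so the caller can tell whether an inverse exists, and adds a `mod_inverse` helper (my addition) that refuses to answer when gcd(a, n) ≠ 1:

```python
def extended_gcd(a, b):
    """Extended Euclidean algorithm as on the slide, additionally returning the gcd.

    Returns (g, x, y) with g = gcd(a, b) and x*a + y*b = g.
    Precondition: a > 0, b > 0.
    """
    x, x1 = 0, 1          # x  is the coefficient of the original a for the current b,
    y, y1 = 1, 0          # x1 the coefficient for the current a (y, y1 likewise for the original b)
    while b != 0:
        q = a // b
        a, b = b, a % b
        x, x1 = x1 - q * x, x
        y, y1 = y1 - q * y, y
    return a, x1, y1      # a now holds gcd(a0, b0); x1*a0 + y1*b0 == gcd


def mod_inverse(a, n):
    """Return the x with a*x ≡ 1 (mod n); raise if gcd(a, n) != 1 (no inverse exists)."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd({a}, {n}) = {g}")
    return x % n


if __name__ == "__main__":
    print(extended_gcd(28, 75))   # (1, -8, 3): -8*28 + 3*75 = 1
    print(mod_inverse(28, 75))    # 67, i.e. -8 mod 75
```

Tracing the loop by hand for (28, 75) gives the quotients 0, 2, 1, 2, 9 and ends with (x', y') = (−8, 3); the inverse is the coefficient of 28 reduced mod 75.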



Exercise Solutions (cntd.)

2. Define a cryptosystem that generalizes the Hill cipher from linear transformations to affine transformations. (An affine transformation consists of a linear transformation followed by a shift, as in the affine cipher.)


Cryptanalysis



Attack Models

Ciphertext only attack: The attacker possesses a string of ciphertext, y.

Known plaintext attack: The attacker possesses a string of plaintext, x, and the corresponding ciphertext, y.

Chosen plaintext attack: The attacker has obtained temporary access to the encryption machinery. He can choose a plaintext, x, and construct the corresponding ciphertext, y.

Chosen ciphertext attack: The attacker has obtained temporary access to the decryption machinery. He can choose a ciphertext, y, and construct the corresponding plaintext, x.



Cryptanalysis of the Shift Cipher


Recall the shift cipher: P = C = K = Z26, e_k(x) = (x + k) mod 26, d_k(y) = (y − k) mod 26.

How many different keys? 26

Given a ciphertext string y, the attacker can conduct a brute force attack, i.e., perform exhaustive key search:

    k    d_k(y)
    0    EUXWHIRUFH
    1    DTWVGHQTEG
    2    CSVUFGPSDF
    3    BRUTEFORCE
    ...  ...



Brute Force Attacks


In the worst case, the attacker needs to check |K| keys. On average, he only needs to check |K|/2 keys.

Possible against any cipher; however, the attacker must be able to recognize the correct plaintext string, once obtained.

Resources required grow exponentially with key size:

    Key size (bits)    |K|      Max. time (2^56 keys per second)
    8                  2^8      < 1 nanosecond
    40                 2^40     0.015 milliseconds
    56                 2^56     1 second
    64                 2^64     4 minutes 16 seconds
    128                2^128    149,745,258,842,898 years
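The exhaustive search from the shift cipher slide, and the cost table above, as an added Python example (not code from the slides). The word list is a constructed stand-in for the attacker's ability to recognize plaintext; without such a recognizer the search cannot stop early, which is the point made on the slide:

```python
"""Exhaustive key search against the shift cipher, and the cost table from the slide."""
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Constructed word list: stands in for the attacker's knowledge of the plaintext language.
KNOWN_WORDS = ("BRUTE", "FORCE", "ATTACK", "CIPHER", "KEY", "THE", "AND")


def shift_decrypt(y, k):
    """d_k(y) = (y - k) mod 26 applied to every letter; other characters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(ch) - k) % 26] if ch in ALPHABET else ch
                   for ch in y.upper())


def recognise(candidate):
    """Score a candidate plaintext: total length of known words it contains (0 = looks like junk)."""
    return sum(len(w) for w in KNOWN_WORDS if w in candidate)


def brute_force(y, confident=5):
    """Try k = 0, 1, 2, ... and stop as soon as the recogniser is confident.

    Returns (k, plaintext, keys_tried). In the worst case all |K| = 26 keys are tried,
    |K|/2 on average; the early stop is only possible because plaintext is recognisable."""
    best = (None, None, 0, -1)
    for k in range(26):
        candidate = shift_decrypt(y, k)
        score = recognise(candidate)
        if score > best[3]:
            best = (k, candidate, k + 1, score)
        if score >= confident:
            break
    return best[:3]


def brute_force_seconds(key_bits, keys_per_second=2 ** 56):
    """Worst-case time for exhaustive search over 2^key_bits keys, in seconds."""
    return 2 ** key_bits / keys_per_second


def brute_force_years(key_bits, keys_per_second=2 ** 56):
    """The same in whole years of 365 days, computed exactly with integer arithmetic."""
    return 2 ** key_bits // (keys_per_second * 365 * 86400)


if __name__ == "__main__":
    for k in range(4):                                   # the table from the shift cipher slide
        print(k, shift_decrypt("EUXWHIRUFH", k))
    print(brute_force("EUXWHIRUFH"))                     # (3, 'BRUTEFORCE', 4)
    for bits in (8, 40, 56, 64, 128):
        print(bits, brute_force_seconds(bits), "s =", brute_force_years(bits), "years")
```

The 128-bit row of the table is reproduced exactly by `brute_force_years(128)`; the smaller key sizes are easier to read from `brute_force_seconds`.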



Cryptanalysis of the Substitution Cipher

Recall the substitution cipher: P = C = Z26, K = {π : Z26 → Z26 | π is a permutation}, e_π(x) = π(x), d_π(y) = π^{-1}(y).

How many different keys? 26! > 4 · 10^26

Brute force is (probably) not feasible: > 177 years at 2^56 keys/second

How can we break it?



Frequency Analysis
Frequency analysis relies on the observation that in natural-language plaintexts, certain letters and combinations of letters (bigrams, trigrams, ...) occur with varying frequencies.

Already described by al-Kindi around 800 AD, frequency analysis was easily the biggest breakthrough in cryptanalysis until World War II.


Frequency Analysis for the Substitution Cipher

The substitution cipher leaves the frequency of letters (bigrams, ...) unchanged. Therefore, letters (bigrams, ...) that are frequent in the ciphertext likely correspond to letters (bigrams, ...) that are frequent in the plaintext language.

For instance, if the plaintext is in English, the most frequent ciphertext letter likely corresponds to E.

Frequency analysis involves some guesswork and backtracking. It is less reliable for short ciphertexts.



Cryptanalysis of the Vigenère Cipher

The Vigenère cipher can be attacked because the key is reused periodically: x_i, x_{i+m}, x_{i+2m}, ... are all encrypted with the same key character, k_i.

To break the cipher, we proceed in two steps:
1. Determine the key length, m.
2. Break m shift ciphers using frequency analysis.



The Kasiski Test


The Kasiski test (Friedrich Kasiski, 1863) is based on the observation that identical plaintext segments will be encrypted to the same ciphertext whenever their occurrence in the plaintext is ≡ 0 (mod m) positions apart.

Conversely, identical ciphertext segments of length at least 3, say, likely correspond to identical plaintext segments.

1. Search the ciphertext for pairs of identical segments of length 3.
2. Let δ_1, ..., δ_n be the distances between identical segments.
3. Likely, m divides all δ_i (and hence divides the greatest common divisor of all δ_i's).



The Friedman Test

The Friedman test (William Friedman, 1920) exploits that a natural-language plaintext is much less random in its character distribution than a ciphertext that was produced by different shift ciphers.

Suppose x = x_1 x_2 ... x_n is a string of n characters. The index of coincidence of x, denoted I_c(x), is the probability that two random elements of x are identical.



The Friedman Test (cntd.)


Let p_i (0 ≤ i ≤ 25) denote the probability of character i in the English language. Then, for an English text x, we would expect that

$I_c(x) \approx \sum_{i=0}^{25} p_i^2 = 0.065.$

On the other hand, a completely random string x will have

$I_c(x) = \sum_{i=0}^{25} \left(\frac{1}{26}\right)^2 = \frac{1}{26} \approx 0.038.$



The Friedman Test (cntd.)

Let m' be a possible key length. We split the ciphertext x into m' separate strings, x^j := x_j x_{j+m'} x_{j+2m'} ... (1 ≤ j ≤ m'), each of length l := n/m'.

Let f_i(x^j) denote the number of occurrences of character i in x^j.

We compute each

$I_c(x^j) = \frac{\sum_{i=0}^{25} f_i(x^j)\,(f_i(x^j) - 1)}{l\,(l - 1)}.$

We then compute their average,

$I_c^{m'}(x) := \frac{1}{m'} \sum_{j=1}^{m'} I_c(x^j).$

$I_c^{m'}(x)$ will likely be maximal (namely ≈ 0.065) for m' = m.

Tjark Weber (UU)

Cryptanalysis / Block Ciphers: AES

18 / 39


Frequency Analysis for the Shift Cipher


Both the Kasiski test and the Friedman test can be used to determine the (likely) key length, m.

Once m is known, it remains to determine the key k = (k_1, ..., k_m) ∈ (Z26)^m.

As before, consider the string x^j := x_j x_{j+m} x_{j+2m} ... (1 ≤ j ≤ m), of length l := n/m, and let f_i(x^j) denote the number of occurrences of character i in x^j.

We would expect the correctly shifted frequencies to be close to the English character probabilities, p_i. Choose k_j ∈ Z26 so that

$\sum_{i=0}^{25} \frac{p_i \, f_{(i + k_j) \bmod 26}(x^j)}{l}$

is maximized (≈ 0.065).
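The whole two-step attack from the Kasiski, Friedman and shift-cipher slides, as one added Python example (not code from the slides): the index of coincidence and its per-column average for the key length, the distances between repeated ciphertext segments, and the per-position shift chosen by the sum above. The English frequency table, the sample plaintext and the threshold in `friedman_key_length` are my constructions; the slides only say the average is "likely maximal" at m' = m, which the function falls back to if no length reaches the threshold:

```python
"""Breaking the Vigenère cipher: Kasiski and Friedman tests for the key length m,
then one shift cipher per key position, solved with English letter frequencies."""
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# p_0 .. p_25: relative frequencies of A..Z in English text (sum of squares ≈ 0.065).
ENGLISH_FREQ = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070,
                0.002, 0.008, 0.040, 0.024, 0.067, 0.075, 0.019, 0.001, 0.060,
                0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001]


def letters_only(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Character i is shifted by key character k_(i mod m); decrypt=True shifts back."""
    key = letters_only(key)
    out = []
    for i, ch in enumerate(letters_only(text)):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def index_of_coincidence(s):
    """I_c(s) = sum_i f_i (f_i - 1) / (l (l - 1)): probability that two random positions match."""
    l = len(s)
    if l < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(s).values()) / (l * (l - 1))


def columns(c, m):
    """Split c into x^1 .. x^m; x^j holds every m-th character starting at position j."""
    return [c[j::m] for j in range(m)]


def friedman_key_length(c, max_len=20, english=0.055):
    """Smallest m' whose averaged column I_c looks like English (~0.065) rather than random (~0.038).

    The threshold is a constructed choice; if no m' reaches it, fall back to the slide's rule
    and take the m' with the maximal average."""
    averages = {m: sum(index_of_coincidence(col) for col in columns(c, m)) / m
                for m in range(1, max_len + 1)}
    for m in range(1, max_len + 1):
        if averages[m] >= english:
            return m
    return max(averages, key=averages.get)


def kasiski_distances(c, seg_len=6):
    """Distances from each repeated ciphertext segment back to its first occurrence (m likely divides them).
    Longer segments make accidental repeats, which would poison the gcd, less likely."""
    first_seen, distances = {}, []
    for i in range(len(c) - seg_len + 1):
        seg = c[i:i + seg_len]
        if seg in first_seen:
            distances.append(i - first_seen[seg])
        else:
            first_seen[seg] = i
    return distances


def best_shift(col):
    """k_j maximising sum_i p_i * f_((i + k_j) mod 26)(x^j) / l, the criterion on the slide."""
    l = len(col)
    f = [col.count(ch) for ch in ALPHABET]
    return max(range(26), key=lambda g: sum(ENGLISH_FREQ[i] * f[(i + g) % 26] for i in range(26)) / l)


def recover_key(c, m):
    return "".join(ALPHABET[best_shift(col)] for col in columns(c, m))


# Constructed sample (not from the slides): English prose encrypted under the key MACHINE.
SAMPLE_PLAINTEXT = (
    "The Vigenere cipher was once called the unbreakable cipher, but its weakness is that the key "
    "is reused periodically. Every letter that falls under the same key character is encrypted with "
    "the same shift, so the ciphertext is really a collection of simple shift ciphers interleaved "
    "with one another. Once the attacker knows the length of the key, each of these shift ciphers "
    "can be broken separately by counting letters and comparing the counts with the expected "
    "frequencies of the language. The letter E is the most common letter in English text, followed "
    "by T, A, O, I and N, and the pattern of these peaks survives the shift unchanged. Repeated words "
    "in the plaintext also help: when the same word lands on the same position of the key it produces "
    "the same ciphertext, and the distance between the two copies must then be a multiple of the key "
    "length. This is the idea behind the test that Kasiski published, and the index of coincidence "
    "gives a second, statistical, route to the same answer. Together these observations turn a cipher "
    "that resisted attack for three hundred years into an exercise that a student can finish in an "
    "afternoon with a pencil and a table of letter frequencies.")
SAMPLE_KEY = "MACHINE"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    m = friedman_key_length(SAMPLE_CIPHERTEXT)
    print("Friedman key length:", m, "| Kasiski distances:", kasiski_distances(SAMPLE_CIPHERTEXT))
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, m))
```

The key length 7 is prime, so for every m' < 7 each column mixes all seven shifts and its index of coincidence stays near 0.04; the statistics only separate cleanly because the sample has well over a hundred letters per column, which is the "less reliable for short ciphertexts" caveat from the frequency analysis slide in practice.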


Modern Cryptanalysis: A Perspective

"Many are the cryptosystems offered [...] today that cannot be broken by any known methods of cryptanalysis. [...] In a sense, then, cryptanalysis is dead." (David Kahn, 2002)

"Almost all breaks of modern cipher systems are due to implementation errors, operational failures, burglary, blackmail, and bribery." (Ross Anderson, 2004)

"Now we are [...] moving very slowly forward in a mature field." (Brian Snow, 2010)


Advanced Encryption Standard



AES: Overview

Advanced Encryption Standard (AES) is a modern symmetric-key block cipher. It is the first publicly disclosed cipher approved for top secret information by the National Security Agency (NSA).

AES uses a block size of 128 bits, and key sizes of 128, 192, or 256 bits. It was standardised in 2001, after an open search for a suitable algorithm that took almost five years.

AES achieves a throughput of 100 MB/s on an Intel Pentium 4 CPU.

AES replaced DES (introduced in 1977), which had become vulnerable to brute force attacks due to its relatively small key size of 56 bits.



AES: Standardisation Process


In 1997, the National Institute of Standards and Technology (NIST) announced that they were looking for a successor to DES. In an unusually open and international process, a call for new algorithms was issued.

15 algorithms were submitted, and evaluated based on different criteria: security, performance on different architectures, feasibility in limited environments (e.g., smart cards).

Three conferences were held to discuss these algorithms. Ultimately, Rijndael (an algorithm submitted by Joan Daemen and Vincent Rijmen) was selected by NIST.

"I have nothing but good things to say about NIST and the AES process." (Bruce Schneier, http://www.schneier.com/crypto-gram-0010.html#8)



Confusion and Diffusion


Claude Shannon (1949) suggested two properties that help ensure security of a block cipher.

Confusion: Each bit of the ciphertext block depends on the plaintext block bits and the key bits in a complex (highly nonlinear) way. Confusion makes it hard to find the key even if one has a large number of plaintext-ciphertext pairs.

Diffusion: Each plaintext block bit or key bit affects many bits of the ciphertext block. Ideally, the strict avalanche criterion is satisfied: flipping a single input bit changes each output bit with probability 0.5. Diffusion dissipates statistical regularities of small plaintext structures into statistical regularities of much larger ciphertext structures.



Substitution Boxes
A substitution box (S-box) is a basic component of a symmetric-key algorithm that transforms m input bits into n output bits. Often, m = n, and the transformation is invertible.

[Figure: an S-box S with m input bits and n output bits]

An m-to-n S-box can be implemented as a lookup table with 2^m words, of n bits each.

S-boxes may implement arbitrary functions. In practice, S-boxes are carefully chosen to achieve confusion and resist cryptanalysis.


Permutation Boxes

A permutation box (P-box) is a basic component of a symmetric-key algorithm that permutes m input bits into n output bits. Often, m = n.

[Figure: a P-box P with m input bits and n output bits]

P-boxes are used (in combination with S-boxes) to achieve diffusion.



Substitution-Permutation Networks

A single (typical) S-box or a single P-box alone does not have much cryptographic strength.

A substitution-permutation network (SPN) is a series of linked S- and P-boxes.



The AES Algorithm

(Animation)
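The animation is not reproduced here. As an added example (not code from the slides), the following Python builds AES-128 from the components named on the preceding slides: the S-box as inversion in GF(2^8) followed by an affine map (the confusion step), ShiftRows and MixColumns as the permutation/diffusion layer, AddRoundKey, and the key schedule. It is checked against the test vector in FIPS 197, Appendix B. The `avalanche` function and the `rounds` parameter are my additions for measuring the strict avalanche criterion from the Confusion and Diffusion slide; AES itself always runs ten rounds with a 128-bit key:

```python
"""AES-128 from its building blocks, plus an avalanche measurement across rounds."""


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse a^254 by square-and-multiply; 0 is mapped to 0 as in AES."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def sbox_entry(a):
    """S(a): field inversion (the nonlinear part) followed by the affine map with constant 0x63."""
    b, s = gf_inv(a), 0x63
    for i in range(5):                         # b XOR its four left rotations
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s


SBOX = [sbox_entry(a) for a in range(256)]     # the 8-to-8 lookup table from the S-box slide


def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """State is column-major (index r + 4c, as in FIPS 197); row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column is multiplied by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def expand_key(key):
    """AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(block, key, rounds=10):
    """Encrypt one 16-byte block. rounds < 10 stops early (only for the avalanche demo below)."""
    round_keys = expand_key(key)
    s = [b ^ k for b, k in zip(block, round_keys[0])]         # initial AddRoundKey
    for r in range(1, rounds + 1):
        s = shift_rows(sub_bytes(s))
        if r != 10:                                          # the final round omits MixColumns
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[r])]
    return bytes(s)


def avalanche(block, key, bit, rounds=10):
    """Number of output bits that change when one plaintext bit is flipped."""
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    c1 = aes128_encrypt(block, key, rounds)
    c2 = aes128_encrypt(bytes(flipped), key, rounds)
    return sum(bin(x ^ y).count("1") for x, y in zip(c1, c2))


# Test vector from FIPS 197, Appendix B (the same plaintext and key as in the exercise).
FIPS_PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    print(aes128_encrypt(FIPS_PLAINTEXT, FIPS_KEY).hex())
    for n in (1, 2, 10):
        print(f"{n:2d} round(s): {avalanche(FIPS_PLAINTEXT, FIPS_KEY, 0, n)} of 128 bits change")
```

After a single round a flipped plaintext bit can only reach the four bytes of one column (SubBytes changes one byte, ShiftRows leaves a row-0 byte in its column, MixColumns spreads it over that column), so at most 32 bits change; after the full ten rounds the count sits around 64, which is what the strict avalanche criterion predicts.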



AES: Cryptanalysis

For specific keys and a reduced number of rounds, attacks that are faster than brute force have been known since 2009.

The first key-recovery attacks on full AES were published in 2011. They are faster than brute force by a factor of about four. Technically, AES is broken.

However, AES remains secure in practice: all currently known attacks are computationally infeasible.



Side-channel Attacks

Side-channel attacks do not exploit weaknesses in the underlying cipher, but rely on information gained from physical implementations of the cipher on systems that inadvertently leak data.

Timing, power monitoring, and differential fault analysis (i.e., deliberately introducing errors into a computation) are commonly exploited side channels.

Side-channel attacks on AES implementations are known that determine the key, e.g., by carefully measuring the time required for encryption/decryption.


Modes of Operation



A mode of operation enables the repeated and secure use of a block cipher under a single key.

Longer messages first need to be split into blocks of suitable size, possibly using padding.

Often, randomization based on an additional input value, called an initialization vector, is used to encrypt each block safely.



Electronic Codebook (ECB)



Cipher-Block Chaining (CBC)



Cipher Feedback (CFB)



Output Feedback (OFB)



Counter
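The diagrams for the five modes are not reproduced here. As an added example (not code from the slides), the following Python builds ECB, CBC, CFB, OFB and CTR, with PKCS#7 padding for the two block-oriented modes, on top of a constructed toy 16-byte block permutation (`toy_encrypt`/`toy_decrypt`, a stand-in for AES with no security value, used only so the example runs without any library). It makes two points a defender cares about: ECB shows where plaintext blocks repeat, and reusing a nonce/IV with CTR leaks the XOR of two plaintexts:

```python
"""ECB, CBC, CFB, OFB and CTR on top of a stand-in 16-byte block cipher, with PKCS#7 padding.
The block cipher is a constructed toy permutation (not AES, not secure): the modes are the point."""
BLOCK = 16


def toy_encrypt(key, block):
    """Toy keyed permutation of one block: rotate the bytes, XOR the key and a position mask."""
    return bytes(block[(i + 3) % BLOCK] ^ key[i] ^ (i * 0x11) for i in range(BLOCK))


def toy_decrypt(key, block):
    """Inverse of toy_encrypt; only ECB and CBC decryption need the inverse block function."""
    t = [block[i] ^ key[i] ^ (i * 0x11) for i in range(BLOCK)]
    return bytes(t[(i - 3) % BLOCK] for i in range(BLOCK))


def pad(data):
    """PKCS#7: append n bytes of value n (1 <= n <= 16) so the length is a multiple of the block size."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key, pt):            # C_i = E(P_i): equal plaintext blocks give equal ciphertext blocks
    return b"".join(toy_encrypt(key, p) for p in blocks(pad(pt)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(toy_decrypt(key, c) for c in blocks(ct)))


def cbc_encrypt(key, iv, pt):        # C_i = E(P_i XOR C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):        # P_i = D(C_i) XOR C_{i-1}
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def cfb_encrypt(key, iv, pt):        # C_i = P_i XOR E(C_{i-1}); a stream mode: no padding, no D needed
    out, prev = [], iv
    for p in blocks(pt):
        prev = xor(p, toy_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):        # P_i = C_i XOR E(C_{i-1})
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, toy_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def ofb_crypt(key, iv, data):        # keystream O_i = E(O_{i-1}), O_0 = IV; encryption == decryption
    out, o = [], iv
    for d in blocks(data):
        o = toy_encrypt(key, o)
        out.append(xor(d, o))
    return b"".join(out)


def ctr_crypt(key, nonce, data):     # keystream block i = E(nonce || i); encryption == decryption
    out = []
    for i, d in enumerate(blocks(data)):
        out.append(xor(d, toy_encrypt(key, nonce[:8] + i.to_bytes(8, "big"))))
    return b"".join(out)


def keystream_reuse_leak(key, nonce, p1, p2):
    """With the same key and nonce, two CTR ciphertexts XOR to the XOR of the plaintexts."""
    return xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)) == xor(p1, p2)


# Constructed sample values (not from the slides).
KEY, IV = bytes(range(16)), bytes(range(16, 32))
MESSAGE = b"A" * 32 + b"tail"     # two identical blocks followed by a partial one
```

With `MESSAGE`, the first two ECB ciphertext blocks are identical while the CBC ones differ; the three stream-style modes (CFB, OFB, CTR) handle the 4-byte tail without padding because only the keystream is truncated.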


Exercises



1. Describe a chosen plaintext attack on the Hill cipher (assuming m is known). How many plaintext elements are necessary to determine the key?

2. Discuss whether the classical block ciphers presented in the course satisfy confusion or diffusion.

3. Compute the encryption of the following plaintext
       3243F6A8 885A308D 313198A2 E0370734
   using the 128-bit key
       2B7E1516 28AED2A6 ABF71588 09CF4F3C
   under the (initial and) first round of AES.

