1 / 44

Lecture 5: One Fish, Two Fish, Blowfish, Blue Fish

This lecture discusses various block cipher algorithms, including Blowfish and Twofish. It explores the reasons behind the development of these algorithms and their strengths. It also covers topics like Clipper, AES, and the design philosophy of RC6.

nkessel
Télécharger la présentation

Lecture 5: One Fish, Two Fish, Blowfish, Blue Fish

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 5: One Fish, Two Fish, Blowfish, Blue Fish The algorithm might look haphazard, but we did everything for a reason. Nothing is in Twofish by chance. Anything in the algorithm that we couldn't justify, we removed. The result is a lean, mean algorithm that is strong and conceptually simple. Bruce Schneier David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science

  2. Menu • Clipper • AES Program • AES Candidates • RC6 • Blowfish University of Virginia CS 551

  3. Problem Set 1 University of Virginia CS 551

  4. Breaking Grades File • Not in my office or any UVA computer • Home PC: C:\cs551\grades.txt (encrypted) • Adelphia Cable Modem • Project proposals are web pages • My browser is set to disallow ActiveX, allow Java and JavaScript University of Virginia CS 551

  5. Why a new block cipher? • 3DES is almost certainly secure • NSA might be able to break it • 3DES is too slow • 3DES is too inflexible (can’t change block size, key size) University of Virginia CS 551

  6. Clipper • 1993 – AT&T markets secure telephony device • Law enforcement: US courts can authorize wire taps, must be able to decrypt • NSA proposes Clipper Chip • Secret algorithm (Skipjack), only implemented in hardware University of Virginia CS 551

  7. Key Escrow • NSA has copy of special key, can get with a court order • Sender transmits E (M, k) || LEAF (“law enforcement agents’ field”) • Holder of special key can decrypt LEAF to find message key and decrypt message University of Virginia CS 551

  8. Known by FBI LEAF LEAF = E ((E (k, u) || n || a), f ) k = message key u = 80-bit special key (unique to chip) n = 30-bit identifier (unique to chip) a = escrow authenticator f = 80-bit key (same on all chips) University of Virginia CS 551

  9. Wire Tap • FBI investigating Alice, intercepts Clipper communication • Uses fto decrypt LEAF: D (E ((E (k, u) || n || a), f)) = E (k, u) || n || a) • Delivers n and court order to 2 escrow agencies, obtains u • Decrypts E (k, u) to obtain message key and decrypt message University of Virginia CS 551

  10. Two Escrow Agencies • Proposal didn’t specify who (one probably NSA) • Divide u so neither one can decrypt messages on their own (even if they obtain f) • One gets u X, other gets X University of Virginia CS 551

  11. Clipper Security • How do you prevent criminals from transmitting wrong LEAF? • Use a checksum • But, easy to find LEAF with right checksum with brute-force attack • NSA solution: put it in hardware, inspect all Clipper devices • Still vulnerable to out-of-the box device University of Virginia CS 551

  12. Clipper Politics • Not widely adopted, administration backed down • Secret algorithm • Public relations disaster • Didn’t involve academic cryptographers early • Proposal was rushed, in particular hadn’t figured out who would be escrow agencies • Lessons learned well for AES process • See http://www.eff.org/pub/Privacy/Key_escrow/Clipper/ University of Virginia CS 551

  13. AES • 1996: NIST initiates program to choose Advanced Encryption Standard to replace DES • Requests algorithm submissions: 15 • Requirements: • Secure for next 50-100 years • Performance: faster than 3DES • Support 128, 192 and 256 bit keys • Must be a block cipher University of Virginia CS 551

  14. AES Process • Open Design • DES: design criteria for S-boxes kept secret • Many decent choices • DES: only one acceptable algorithm • Public cryptanalysis efforts before choice • Heavy involvements of academic community, all leading public cryptographers • Very conservative: 4 year+ process University of Virginia CS 551

  15. AES Round 1 • 15 submissions accepted • Weak ciphers quickly eliminated • Magenta broken at conference! • 5 finalists selected • Security v. performance is main tradeoff • With enough complexity, can make anything secure, challenge is to make something simple secure University of Virginia CS 551

  16. AES Finalists • MARS (IBM) • RC6 (Rivest, et. al.) • Rijndael (top Belgium cryptographers) • Serpent (Anderson, Biham, Knudsen) • Twofish (Schneier, et. al.) University of Virginia CS 551

  17. From RC5 to RC6 in seven easy steps From Rivest’s RC6 talk, http://www.rsasecurity.com/rsalabs/aes/

  18. Description of RC6 • RC6-w/r/bparameters: • Word size in bits: w( 32 )( lg(w) = 5 ) • Number of rounds: r( 20 ) • Number of key bytes: b ( 16, 24, or 32 ) • Key Expansion: • Produces array S[ 0 … 2r+ 3] of w-bit round keys. • Encryption and Decryption: • Input/Output in 32-bit registers A,B,C,D University of Virginia CS 551

  19. Design Philosophy • Leverage experience with RC5: use data-dependent rotations to achieve a high level of security. • Adapt RC5 to meet AES requirements • Take advantage of a new primitive for increased security and efficiency: 32x32 multiplication, which executes quickly on modern processors, to compute rotation amounts. University of Virginia CS 551

  20. Data-Dependent Rotations << 3 X  X’ =  X X1 = X << f(X, k) X1’ = X’ << f (X’, k) Can we say anything about X1? Same number of bits are still different, but can’t tell which ones. <<< n means rotate left by amount in low order log2w bits of n (word size w = 32, 5 bits) University of Virginia CS 551

  21. (1) Start with RC5 RC5 encryption inner loop: for i = 1 to r doA = ((A  B) <<< B) + S [i] (A, B) = (B, A) Can RC5 be strengthened by having rotation amounts depend on all the bits of B? (Recall that <<< only depends on 5 bits of B) Book makes it look more complicated by combining 2 rounds (as originally described). University of Virginia CS 551

  22. Better rotation amounts? • Modulo function?Use low-order bits of (B mod d)Too slow! • Linear function?Use high-order bits of (c x B)Hard to pick c well! • Quadratic function?Use high-order bits of (B x (2B+1)) University of Virginia CS 551

  23. Properties B X (2B+1) should have: • One-to-one (can invert for decryption) • Good distribution – if B is well distributed, so is B X (2B + 1) • High order bits depend on all bits of B (diffusion) University of Virginia CS 551

  24. B x (2B+1) is one-to-one mod 2w Proof: By contradiction. If B  C but B x (2B + 1) = C x (2C + 1) (mod 2w) then (B - C) x (2B+2C+1) = 0 (mod 2w)But (B-C) is nonzero and (2B+2C+1) is odd; their product can’t be zero!  Corollary:B uniform  B x (2B+1) uniform (and high-order bits are uniform too!) University of Virginia CS 551

  25. High-order bits of B x (2B+1) • The high-order bits of f(B) = B x ( 2B + 1 ) = 2B2 + B depend on all the bits of B . • Let B = B31B30B29 … B1B0 in binary. • Flipping bit i of input B • Leaves bits 0 … i-1 of f(B) unchanged, • Flips bit i of f(B) with probability one, • Flips bit j of f(B), for j > i , with probability approximately 1/2 (1/4…1), • is likely to change some high-order bit. University of Virginia CS 551

  26. (2) Quadratic Rotation Amounts for i = 1 to r do { t=( B x ( 2B + 1 ) ) <<< 5A = ( ( A  B ) <<< t ) + S[ i ] ( A, B ) = ( B, A ) }But now much of the output of this nice multiplication is being wasted... University of Virginia CS 551

  27. (3) Use t, not B, as xor input for i = 1 to rdo t =( B x ( 2B + 1 ) ) <<< 5 A = ( ( A  t ) <<< t ) + S[ i] ( A, B ) = ( B, A )Now AES requires 128-bit blocks. We could use two 64-bit registers, but 64-bit operations are poorly supported with typical C compilers... University of Virginia CS 551

  28. (4) Do two RC5’s in parallel Use four 32-bit regs (A,B,C,D), and do RC5 on (C,D) in parallel with RC5 on (A,B): for i = 1 to rdo t = ( B x ( 2B + 1 ) ) <<< 5 A = ( ( A  t ) <<< t ) + S[ 2i ] ( A, B ) = ( B, A )u = ( D x ( 2D + 1 ) ) <<< 5C = ( ( C  u ) <<< u ) + S[ 2i + 1 ] ( C, D ) = ( D, C ) University of Virginia CS 551

  29. (5) Mix up data between copies Switch rotation amounts between copies, and cyclically permute registers instead of swapping: for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) University of Virginia CS 551

  30. A A B B C C D D One Round of RC6 u t <<< f <<< f 5 5 <<< <<< S[2i] S[2i+1] University of Virginia CS 551

  31. = Odd[(e-2)232] = Odd[(-1)232] Key Expansion (Same as RC5’s) • Input: array L [0 … c-1] of input key words • Output: array S [0 … 43] of round key words • Procedure:S [0] = 0xB7E15163for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9A = B = i = j = 0for s = 1 to 132 do A = S[ i ] = (S[ i ] + A + B) <<< 3 B = L[ j ] = (L[ j ] + A + B) <<< (A + B ) i = (i + 1) mod 44 j = (j + 1) mod c University of Virginia CS 551

  32. What do /e/ have to do with cryptography? • Used by RC5, RC6, Blowfish, etc. in magic constants • Mathematical constants have good pseudorandom distribution • Since they are public and well-known, no fear that choice is a trap door University of Virginia CS 551

  33. (6) Add Pre- and Post-Whitening B = B + S[ 0 ] D = D + S[ 1 ] for i = 1 to r do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A) A = A + S[ 2r+ 2 ] C = C + S[ 2r+ 3 ] University of Virginia CS 551

  34. (7) Set r = 20 for high security (based on analysis) B = B + S[ 0 ]D = D + S[ 1 ]for i = 1 to 20 do t = ( B x ( 2B + 1 ) ) <<< 5 u = ( D x ( 2D + 1 ) ) <<< 5 A = ( ( A  t ) <<< u ) + S[ 2i ] C = ( ( C  u ) <<< t ) + S[ 2i + 1 ] (A, B, C, D) = (B, C, D, A)A = A + S[ 42 ]C = C + S[ 43 ] Final RC6 University of Virginia CS 551

  35. RC6 Decryption (for AES) C = C – S [2r + 3]A = A – S [2r + 2]for i = r downto 1 do(A, B, C, D) = (D, A, B, C) u = (D x (2D + 1)) <<< log2(w) t = (B x (2B + 1)) <<< log2(w) C = ((C – S [2i + 1]) >>> t )  u A = ((A – S [2i]) >>> u )  tD = D - S[1] B = B - S[0] University of Virginia CS 551

  36. DKEK (P) = P ? Exercise to the reader... Proof is worth 100 bonus points (1 problem set). University of Virginia CS 551

  37. Blowfish • [Schneier93] • 64-bit block cipher • Much faster than DES • Variable key length: 32-448 bits • Many attempted crytanalyses, none successful yet • Widely used: ssh, OpenBSD, PGPFone University of Virginia CS 551

  38. Key-Dependent S-Boxes • Differential Cryptanalysis depends on analyzing S-box input/output different probabilities • Change the S-boxes so you can’t do analysis University of Virginia CS 551

  39. Blowfish  Twofish • Blowfish: runs encryption 521 times to produce S-boxes • Too slow for AES, requires too much memory for smart cards • Twofish • Provides options for how many key-dependant S-boxes (tradeoff security/time-space) • Also: increase block size (128 required by AES), change key schedule, etc. University of Virginia CS 551

  40. Two Fish From http://www.ddj.com/articles/1998/9812/9812b/9812bf1.htm University of Virginia CS 551

  41. Choosing AES (cycles/byte encrypt) University of Virginia CS 551

  42. Performance/Security Just how paranoid are you? How much progress will happen in cryptanalysis? University of Virginia CS 551

  43. AES Status August 31, 2000 - NIST is still on track to announce its proposed selection for the AES in late summer / early fall, and it is likely to occur sometime in September. HOWEVER, a specific date for the announcement has NOT been set at this time. When a date has been selected, it will be indicated here, to give the public as much advance notice as possible. http://csrc.nist.gov/encryption/aes/ University of Virginia CS 551

  44. Charge • Project Pre-Proposals due Monday • Challenge #1 still open, 2 new challenge problems: • RC6 Decryption Proof • Break SDMI ($10K reward!) • Next time: • Key Distribution • US Army communications officer • Public-Key Cryptosystems University of Virginia CS 551

More Related