Cours2-3
13
S y e t r i c C r y p t o P i e r r e - A l a i n F o u q u e l u n d i 1 o c t o b r e 2 0 1 2 B i r t h d a y P a r a d o x • I n a s e t o f N e l e m e n t s , b y p i c k i n g a t r a n d o m ! N e l e e t s , w e h a v e w i t h h i g h p r o b a b i l i t y a c o l l i s i o • t w o e l e e t s a r e e q u a l • N = 3 6 5 , a b o u t 2 3 p e o p l e a r e r e q u i r e d • L e t t w o s e t s a d o f r a n d o m e l e e n t s i a l a r g e s e t D , t h e n u m b e r o f e x p e c t e d c o l l i s i o n s i s | | | | / | | ( B i r t h d a y p a r a d o x w i t h b o y s a d g i r l s ) l u n d i 1 o c t o b r e 2 0 1 2 A v o i d i g f r e q u e c y a t t a c k s • a i i d e a : l a r g e b l o c k s i z e a v o i d f r e q u e c y a t t a c k • o s a l l b l o c k , s t a t i s t i c s a r e n o - r a d o l u d i 1 o c t o b r e 2 0 1 2 B l o c k c i p h e r • C i p h e r ( E , D ) « e f f . a l g s » s u c h t h a t D ( k , E ( k , m ) ) = c • a i d r a w b a c k o f s t r e a c i p h e r : l a c k s o f t h e o r y t o c o n s t r u c t s e c u r e P R G • I t e r a t e a y t i e s a s a l l r o u d f u n c t i o F a s t e r K e y k K 1 | | K 2 | | . . . . . | | K r R o u n d K e y s F F F c l u d i 1 o c t o b r e 2 0 1 2
description
Toujours aussi mauvais
Transcript of Cours2-3
-
Symm
etric Cryp
to
Pierre-A
lain Fo
uque
lun
di 1
octo
bre
20
12
Birth
day P
aradox
In
a set of N
elemen
ts, by p
icking at ran
dom
N
elem
ents, w
e have w
ith h
igh p
robab
ility a collisio
n
tw
o elem
ents are eq
ual
N
=365, ab
out 2
3 p
eople are req
uired
Let tw
o sets N
and M
of ran
dom
elemen
ts in a
large set D, th
e num
ber o
f expected
collisio
ns is
|N|
|M|/|D
| (Birth
day p
aradox w
ith b
oys an
d girls)
lun
di 1
octo
bre
20
12
Avo
idin
g frequen
cy attacks
M
ain id
ea: large blo
cksize avoid
frequen
cy attack
on sm
all blo
ck, statistics are non-ran
dom
lun
di 1
octo
bre
20
12
Blo
ck cipher
C
ipher (E
,D) eff. algs su
ch th
at D(k,E
(k,m))=
c
M
ain d
rawback o
f stream cip
her: lacks o
f theo
ry to
constru
ct secure P
RG
Iterate m
any times a
small ro
und fu
nctio
n F
Master K
ey k
K1 || K
2 || ..... || K
rR
ound K
eys
FF
Fm
c
lun
di 1
octo
bre
20
12
-
Data E
ncryp
tion Stan
dard
D
ES (IB
M 1
973) an
d N
BS stan
dard
in 1
977
K
ey Len
gth: 5
6 b
its
B
lock L
ength
: 64 b
its
16 ro
unds w
ith 4
8-b
it round keys
F
R0
L0
F
R1
L1
F
R2
L2
R3
L3
K1
K2
K3
K
FK
i (Li ,R
i )=(R
i ,Li
fKi (R
i ))=(L
i+1 ,R
i+1 )
32 b
its
32 b
its
lun
di 1
octo
bre
20
12
Feistel schem
e
D
esigned
by H
orst Feistel at IB
M
Tran
sform
random
functio
n to
random
perm
utatio
n
LR
f
K
lun
di 1
octo
bre
20
12
f functio
n
Subkey (4
8 b
its)
Round in
put (3
2 b
its)
Round o
utp
ut (3
2 b
its)
Expan
sion
(32 to
48 b
its fu
nctio
n)
SBox
(6 to
4 b
its fu
nctio
ns)
Permutatio
nover 3
2 b
its
lun
di 1
octo
bre
20
12A
ttacks against D
ES
B
efore 1
990: attacks again
st round red
uced
versio
n (less th
an 1
6 ro
unds)
1990-9
2: D
ifferential cryp
tanalysis
1993-9
4: L
inear cryp
tanalysis
oth
er attacks: Davies-M
urp
hy, side-ch
annel
In
practice
, the m
ost effi
cient attack is th
e ex
hau
stive search (E
FF, copacab
ana)
lun
di 1
octo
bre
20
12
-
Main
draw
back o
f DES
Exhau
stive key search in
256 (3
DES)
B
lock size (co
llision fo
r 232 b
locks)
D
ifferential / Lin
ear Cryp
tanalysis
D
ES: w
ell-design
ed an
d w
ithstan
ds
successfu
lly 30 years o
f cryptan
alysis
lun
di 1
octo
bre
20
12
2D
ES
3D
ES
lun
di 1
octo
bre
20
12
Advan
ced E
ncryp
tion Stan
dard
Su
bstitu
tion / Perm
utatio
n N
etwork
K
ey Len
gth: 1
28 / 1
92 / 2
56 b
its
B
lock L
ength
: 128 b
its
D
esigned
by D
aemen
and R
ijmen
Stan
dard
ized b
y NIST
in 2
000
lun
di 1
octo
bre
20
12
AES
S
xi
xi+
1
ki
SubB
ytes
ShiftR
ow
s
M
Mix
Colu
mns
lun
di 1
octo
bre
20
12
-
Security gam
e
Blo
ck cipher m
ust b
e indistin
guish
able fro
m a
random
perm
utatio
n
fo
r all k, E(k,x
) is a perm
utatio
n w
hich
looks
random
pro
vided
the key is n
ot kn
ow
n
Dist.
E(k,.)
PC
hal.
b
{0,1
}f=
E(k, ) o
r P()
accord
ing to
b
Adv.
xf(x)
xf(x)
...b
Adv(A
)=|P
r[b=
b]-1
/2|
lun
di 1
octo
bre
20
12
Feistel security
C
ould
you d
istingu
ish o
ne-ro
und Feistel ?
C
ould
you d
istingu
ish tw
o-ro
und Feistel ?
C
ould
you d
istingu
ish th
ree-round Feistel ?
lun
di 1
octo
bre
20
12
Modes o
f operatio
n
How
to en
cipher larger m
essages ?
EC
B, C
BC
, CT
R, O
FB, C
FB
Draw
backs:
- determ
inistic
Advan
tages:- p
arallelisable
lun
di 1
octo
bre
20
12
Cip
hertex
t Blo
ck Chain
ing (C
BC
)
Encryp
ting: C
0 =IV, ..., C
i =E(k,C
i-1
Mi )
D
ecryptin
g: Mi =
D(k,C
i )C
i-1
Draw
backs:
- sequen
tial A
dvan
tages:- ran
dom
ized- p
ropagatio
n o
f erro
r in d
ecryptio
n
lun
di 1
octo
bre
20
12
-
Cip
hertex
t FeedB
ack (CFB
)
How
to u
se a blo
ck cipher as a stream
cipher ?
lun
di 1
octo
bre
20
12
Outp
ut Feed
Back (O
FB)
H
ow
to u
se a blo
ck cipher as a stream
cipher ?
lun
di 1
octo
bre
20
12
Counter M
ode (C
TR
)
Better so
lutio
n
lun
di 1
octo
bre
20
12
Security
C
onfiden
tiality is ensu
re by th
e mode o
f operatio
n
In
tegrity: first b
lock o
f CB
C ?
M
ain id
ea: the cip
hertex
t must b
e indistin
guish
able
from
random
for p
olyn
om
ial-time ad
versaries
Secu
rity Gam
e:
Exam
ple o
n C
BC
:
lun
di 1
octo
bre
20
12
-
Hash
Functio
n
D
ef:
Hm
essage M
M
{0,1
}*
hash
H(M
)
H(M
) {0
,1}n
A h
ash fu
nctio
n H
com
pute a h
ash valu
e, a.k.a. fi
ngerp
rint
of n
bits fo
r a given arb
itrary long m
essage M
H : {0
,1}*
{0,1
}n
U
sage: integrity, p
assword
storage
, signatu
re, ...
Eg: SH
A-1
(160 b
its), MD
5 (1
28 b
its), SHA
-2, ...
lun
di 1
octo
bre
20
12
Use cases: File in
tegrity
Idea : w
e wan
t to d
etect if a file h
as been
modifi
ed
by reco
mputin
g its fingerp
rint
// Fichier code.c
#include
#include
int main(int argc, char** argv)
{ if (argc
