Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality...
Transcript of Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality...
![Page 1: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/1.jpg)
Cryptanalysis vs. Reality
Jean-Philippe Aumasson
1 / 54
![Page 2: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/2.jpg)
2 / 54
Cryptanalysis is the study of methods forobtaining the meaning of encrypted informationwithout access to the secret information that is normallyrequired to do so. Wikipedia
![Page 3: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/3.jpg)
3 / 54
Cryptanalysis is the study of methods forobtaining the meaning of encrypted informationwithout access to the secret information that is normallyrequired to do so. Wikipedia
![Page 4: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/4.jpg)
4 / 54
The fundamental goal of a cryptanalyst is toviolate one or several security notionsfor algorithms that claim, implicitly or explicitly,to satisfy these security notions.Antoine Joux, Algorithmic Cryptanalysis
![Page 5: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/5.jpg)
5 / 54
Reality noun (pl. realities)1. the state of things as they actuallyexist, as opposed to an idealistic ornotional idea of them.2. a thing that is actually experiencedor seen.3. the quality of being lifelike.4. the state or quality of having exis-tence or substance.Compact Oxford English Dictionary
![Page 6: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/6.jpg)
Cryptanalysis relies on an ATTACKER MODEL= assumptions on what the attacker can and cannot do
All models are in simulacra, that is, simplified reflectionsof reality, but, despite their inherent falsity, they arenevertheless extremely usefulG. Box, N. Draper, Empirical Model-Building and Response Surfaces
6 / 54
![Page 7: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/7.jpg)
Cryptanalysis usually excludes methods of attack that donot primarily target weaknesses in the actualcryptography, such as bribery, physical coercion,burglary, keystroke logging, and socialengineering, although these types of attack are animportant concern and are often more effectiveWikipedia
7 / 54
![Page 8: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/8.jpg)
8 / 54
Cryptanalysis used to be tightly connected to reality
![Page 9: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/9.jpg)
But times have changed
9 / 54
![Page 10: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/10.jpg)
10 / 54
![Page 11: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/11.jpg)
11 / 54
![Page 12: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/12.jpg)
12 / 54
Broken in a model does notimply broken in reality!
![Page 13: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/13.jpg)
13 / 54
Models’ language overlaps with real-world language:“attacks”, “broken” have multiple meanings
Has cryptanalysis lost connectionwith reality?
![Page 14: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/14.jpg)
Cryptography is usually bypassed. I am notaware of any major world-class security systememploying cryptography in which the hackers penetratedthe system by actually going through the cryptanalysis.(. . . ) Usually there are much simpler ways of penetratingthe security system.Adi Shamir, Turing Award lecture, 2002
14 / 54
![Page 15: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/15.jpg)
15 / 54
Is cryptanalysis relevant at all??
![Page 16: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/16.jpg)
16 / 54
Remainder of this talk
PART 1: PHYSICAL ATTACKS
I Bypass and misuseI Side channels
PART 2: ALGORITHMIC ATTACKS
I State-of-the-ciphersI Why attacks aren’t attacksI Cognitive biasesI What about AES?
CONCLUSIONS + REFERENCES
![Page 17: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/17.jpg)
17 / 54
PART 1: PHYSICAL ATTACKS
I Bypass and misuseI Side channels
![Page 18: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/18.jpg)
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
≈ 100-bit security (see http://www.keylength.com/)
⇒ ≈ 2100 ops to break RSA by factoring the modulus
Or ≈ 233 using a quantum computerimplementing Shor’s algorithm
Or 20 by compromising a CA. . .
18 / 54
![Page 19: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/19.jpg)
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
≈ 100-bit security (see http://www.keylength.com/)
⇒ ≈ 2100 ops to break RSA by factoring the modulus
Or ≈ 233 using a quantum computerimplementing Shor’s algorithm
Or 20 by compromising a CA. . .
18 / 54
![Page 20: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/20.jpg)
HTTPS protection uses (say) 2048-bit RSA toauthenticate servers, and to avoid MitM attacks
≈ 100-bit security (see http://www.keylength.com/)
⇒ ≈ 2100 ops to break RSA by factoring the modulus
Or ≈ 233 using a quantum computerimplementing Shor’s algorithm
Or 20 by compromising a CA. . .
18 / 54
![Page 21: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/21.jpg)
19 / 54
![Page 22: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/22.jpg)
AES-256 provides 256-bit security (does it really?)
FIPS 140-2 is supposed to inspire confidence. . .
Yet “secure” USB drives by Kingston, SanDisk, Verbatimwere easily broken
The flaw: password validation on host PC+ static unlock code
20 / 54
![Page 23: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/23.jpg)
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto find SONY PS3’s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi “protection”)
TEA block cipher in hashing modeto perform boot code authenticationEquivalent keys lead to collisions
21 / 54
![Page 24: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/24.jpg)
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto find SONY PS3’s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi “protection”)
TEA block cipher in hashing modeto perform boot code authenticationEquivalent keys lead to collisions
21 / 54
![Page 25: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/25.jpg)
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto find SONY PS3’s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi “protection”)
TEA block cipher in hashing modeto perform boot code authenticationEquivalent keys lead to collisions
21 / 54
![Page 26: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/26.jpg)
How NOT to use decent cryptographic primitives:
ECDSA signing with a constantinstead of a random numberto find SONY PS3’s private key
RC4 stream cipher with part of the key public andpredictable (as found in the WEP WiFi “protection”)
TEA block cipher in hashing modeto perform boot code authenticationEquivalent keys lead to collisions
21 / 54
![Page 27: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/27.jpg)
Software side-channel attacksPractical attacks exploiting non-constant-time AES implementations
Breaking the “secure” AES of OpenSSL 0.9.8n:
Breaking AES on ARM9:
22 / 54
![Page 28: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/28.jpg)
23 / 54
![Page 29: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/29.jpg)
Hardware side-channel attacksI Power analysis (SPA/DPA)I Electromagnetic analysisI Glitches (clock, power supply, data corruption)I MicroprobingI Laser cutting and fault injectionI Focused ion beam surgery, etc.
24 / 54
![Page 30: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/30.jpg)
25 / 54
PART 2: ALGORITHMIC ATTACKS
I State-of-the-ciphersI Why attacks aren’t attacksI What about AES?I Cognitive biases
![Page 31: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/31.jpg)
ALGORITHMIC ATTACKS = attacks targetting acryptographic function seen as an algorithm anddescribed as algorithms rather than physicalprocedures
ALGORITHMIC ATTACKS are thus independent of theimplementation of the function attacked
26 / 54
![Page 32: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/32.jpg)
We’ll focus on symmetric cryptographic primitives:I Block ciphersI Stream ciphersI Hash functionsI PRNGsI MACs
Though there’d be a lot to say about public-key encryption/signatures,authentication protocols, etc.
27 / 54
![Page 33: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/33.jpg)
Null- to low-impact attacks (examples)
Block ciphers:I AESI GOST (Russian standard, 1970’s!)I KASUMI (3GPP)I Triple DES
Hash functions:I SHA-1I Whirlpool (ISO)
28 / 54
![Page 34: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/34.jpg)
Medium- to high-impact attacks (examples)
Block cipher:I DES (56-bit key): practical break by. . . bruteforce
Stream cipher:I A5/1 (GSM): attacks on GSM facilitated
Hash function:I MD5: famous rogue certificate attack PoC
29 / 54
![Page 35: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/35.jpg)
Unattacked primitives (examples)Block ciphers
I CAST5 (default cipher in OpenPGP)I IDEA (1991!)I IDEA-NXT (aka FOX)I Serpent (AES finalist)I Twofish (AES finalist)
Stream ciphers:I Grain128a (for hardware)I Salsa20 (for software)
Hash functions:I SHA-2 (SHA-256, . . . , SHA-512)I RIPEMD-160 (ISO)
30 / 54
![Page 36: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/36.jpg)
31 / 54
Despite the large amount of research andnew techniques, “breaks” almost never happen:Why?
![Page 37: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/37.jpg)
High-complexity attacks
Example: preimage attack on MD5 with time complexity
2123.4
against 2128 ideally
High-complexity attacks do not matter as long asI the effort is obviously unfeasible, orI overwhelms the cost of other attacks
Yet MD5 can no longer be sold as “128-bit security” hash
32 / 54
![Page 38: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/38.jpg)
The difference between 80 bits and 128 bits of keysearchis like the difference between a mission to Mars and amission to Alpha Centauri. As far as I can see, there is*no* meaningful difference between 192-bit and256-bit keys in terms of practical brute force attacks;impossible is impossible.John Kelsey (NIST)
33 / 54
![Page 39: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/39.jpg)
Back-to-reality interlude
2 GHz CPU⇒ 1 sec = 2 · 109 ≈233 clocks
1 year 258 clocks1000 years 268 clockssince the Big-Bang 2116 clocks
34 / 54
![Page 40: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/40.jpg)
The encryption doesn’t even have to be very strong to beuseful, it just must be stronger than the otherweak links in the system. Using any standardcommercial risk management model, cryptosystem failureis orders of magnitude below any other risk.Ian Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
35 / 54
![Page 41: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/41.jpg)
Attacks on building blocks
Example: 296 collision attack on the compressionfunction of the SHA-3 candidate LANE
I Did not lead to an attack on the hashI Invalidates the security reduction compression≺hashI Disqualified LANE from the SHA-3 competition!
How to interprete those attacks?1. We attacked something⇒ crypto must be weak!
2. We failed to attack the full function⇒ crypto must be strong!
36 / 54
![Page 42: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/42.jpg)
Attacks on building blocks
Example: 296 collision attack on the compressionfunction of the SHA-3 candidate LANE
I Did not lead to an attack on the hashI Invalidates the security reduction compression≺hashI Disqualified LANE from the SHA-3 competition!
How to interprete those attacks?1. We attacked something⇒ crypto must be weak!
2. We failed to attack the full function⇒ crypto must be strong!
36 / 54
![Page 43: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/43.jpg)
Strong models: ex of related-key attacks
Attackers learn encryptions with a derived key
K ′ = f (K )
One of the first attacks: when Enigma operators set rotorsincorrectly, they sent again with the correct key. . .
Modern version introduced by Knudsen/Biham in 1992
Practical on weak key-exchange protocols (EMV, 3GPP?),but unrealistic in most decent protocols
37 / 54
![Page 44: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/44.jpg)
Related-key attacks example
Key-recovery on AES-256 with time complexity
2119
against 2256 ideally!
Needs 4 related keys. . . actually, related subkeys!attacks are still mainly of theoretical interest and do notpresent a threat to practical applications using AESthe authors (Khovratovich / Biryukov)
38 / 54
![Page 45: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/45.jpg)
Model from reality: pay-TV encryption
MPEG stream encrypted with CSACommon Scrambling Algorithm, 48b or 64b key
Useful break of CSA needsI Unknown- fixed-key attacksI Ciphertext-only, partially-known plaintext (no TMTO)I Key recovery in <10 seconds (“cryptoperiod”)
39 / 54
![Page 46: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/46.jpg)
There’s not only time!
Back to our previous examples:I MD5: time 2123.4 and 250B memory (1024 TiB)I LANE: time 296 and 293B memory (253 TiB)I AES-256: time 2119 and 277B memory (237 TiB)
Memory is not free! ($$$, infrastructure, latency)
Practical cost of access to memory neglected
New attacks should be compared to genericattacks with a same budget
See “cracking machines” in Understanding bruteforcehttp://cr.yp.to/papers.html#bruteforce
40 / 54
![Page 47: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/47.jpg)
Distinguishing attacks
aka distinguishers
Used to be statistical biases
Now distinguishers areI Known- or chosen-key attacksI Sets of input/output’s satisfying some relation
Example: differential q-multicollision distinguisher on AES
EK1(P1)⊕ EK1⊕∆(P1 ⊕∇) = EK2(P2)⊕ EK2⊕∆(P2 ⊕∇)= EK3(P3)⊕ EK3⊕∆(P3 ⊕∇) = . . .
NO IMPACT ON SECURITY in a large majority of cases
41 / 54
![Page 48: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/48.jpg)
Distinguishing attacks
aka distinguishers
Used to be statistical biases
Now distinguishers areI Known- or chosen-key attacksI Sets of input/output’s satisfying some relation
Example: differential q-multicollision distinguisher on AES
EK1(P1)⊕ EK1⊕∆(P1 ⊕∇) = EK2(P2)⊕ EK2⊕∆(P2 ⊕∇)= EK3(P3)⊕ EK3⊕∆(P3 ⊕∇) = . . .
NO IMPACT ON SECURITY in a large majority of cases
41 / 54
![Page 49: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/49.jpg)
42 / 54
Attacks (high-complexity, strong model, high-memory,distinguishers, etc.) vs. Reality
2 general interpretations:1. This little thing is a sign of bigger things!2. This little thing is a sign of no big things!
Why are we biased? (towards 1. or 2.)
![Page 50: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/50.jpg)
43 / 54
![Page 51: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/51.jpg)
44 / 54
Cryptographic Num3rol0gy
The basic concept is that as long as your encryption keysare at least “this big”, you’re fine, even if none of thesurrounding infrastructure benefits from that size or evenworks at allIan Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
![Page 52: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/52.jpg)
45 / 54
Cryptographic Num3rol0gy
The basic concept is that as long as your encryption keysare at least “this big”, you’re fine, even if none of thesurrounding infrastructure benefits from that size or evenworks at allIan Griff, Peter Gutmann, IEEE Security & Privacy 9(3), 2011
Choosing a key size if fantastically easy, whereas makingthe crypto work effectively is really hardIbid
![Page 53: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/53.jpg)
Zero-risk bias
= Preference for reducing a small risk to zeroover a greater reduction in a larger risk
Example: reduce risk from 1% to 0% whereas anotherrisk could be reduced from 50% to 30% at the same cost
Cryptographic numerology (examples)I 1% = scary-new attack threatI Move from 1024- to 2048-bit (or 4096-bit!) RSAI Cascade-encryption with AES + Serpent + Twofish
+ Unintended consequences:Crypto is slower⇒ less deployed⇒ less security
46 / 54
![Page 54: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/54.jpg)
Zero-risk bias
= Preference for reducing a small risk to zeroover a greater reduction in a larger risk
Example: reduce risk from 1% to 0% whereas anotherrisk could be reduced from 50% to 30% at the same cost
Cryptographic numerology (examples)I 1% = scary-new attack threatI Move from 1024- to 2048-bit (or 4096-bit!) RSAI Cascade-encryption with AES + Serpent + Twofish
+ Unintended consequences:Crypto is slower⇒ less deployed⇒ less security
46 / 54
![Page 55: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/55.jpg)
Survivorship bias
We only remember/see the unbroken, deployedand/or standardized, algorithms
Not the numerous experimental designs broken
Example: of the 56 SHA-3 submissions publishedI 14 implemented attacks (e.g. example of collision)I 3 close-to-practical attacks (≈ 260)I 14 high-complexity attacks
⇒ Practical attacks kill ciphers before they areused and known to the public
47 / 54
![Page 56: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/56.jpg)
Survivorship bias
We only remember/see the unbroken, deployedand/or standardized, algorithms
Not the numerous experimental designs broken
Example: of the 56 SHA-3 submissions publishedI 14 implemented attacks (e.g. example of collision)I 3 close-to-practical attacks (≈ 260)I 14 high-complexity attacks
⇒ Practical attacks kill ciphers before they areused and known to the public
47 / 54
![Page 57: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/57.jpg)
What about AES?
48 / 54
![Page 58: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/58.jpg)
What about AES?
Groundbreaking attack bogeyman!
49 / 54
![Page 59: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/59.jpg)
What about AES?
The facts:
I AES-128: 2126 complexity, 288 plaintext/ciphertextagainst 2128 and 20 for bruteforce
I AES-256: 2254 complexity, 240 plaintext/ciphertextagainst 2256 and 21 for bruteforce
See Bogdanov, Khovratovich, Rechberger:http://research.microsoft.com/en-us/projects/
cryptanalysis/aesbc.pdf
Reactions heard (from customers, third parties):I AES is insecure! Let’s use AES with 42 rounds!I AES is secure! The attack is far from practical!
50 / 54
![Page 60: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/60.jpg)
What about AES?
The facts:
I AES-128: 2126 complexity, 288 plaintext/ciphertextagainst 2128 and 20 for bruteforce
I AES-256: 2254 complexity, 240 plaintext/ciphertextagainst 2256 and 21 for bruteforce
See Bogdanov, Khovratovich, Rechberger:http://research.microsoft.com/en-us/projects/
cryptanalysis/aesbc.pdf
Reactions heard (from customers, third parties):I AES is insecure! Let’s use AES with 42 rounds!I AES is secure! The attack is far from practical!
50 / 54
![Page 61: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/61.jpg)
51 / 54
CONCLUSIONS + REFERENCES
![Page 62: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/62.jpg)
Conclusions
Algorithmic attacks on deployed schemes are (almost)never a threat to security, due to
I High complexities, unrealistic models, etc.I Weak ciphers are broken earlier and forgotten
We don’t break ciphers, we evaluate their securityOrr Dunkelman
Beware cryptographic numerology!
AES is fine, weak implementations are the biggest threat
52 / 54
![Page 63: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/63.jpg)
Conclusions
Algorithmic attacks on deployed schemes are (almost)never a threat to security, due to
I High complexities, unrealistic models, etc.I Weak ciphers are broken earlier and forgotten
We don’t break ciphers, we evaluate their securityOrr Dunkelman
Beware cryptographic numerology!
AES is fine, weak implementations are the biggest threat
52 / 54
![Page 64: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/64.jpg)
Conclusions
Algorithmic attacks on deployed schemes are (almost)never a threat to security, due to
I High complexities, unrealistic models, etc.I Weak ciphers are broken earlier and forgotten
We don’t break ciphers, we evaluate their securityOrr Dunkelman
Beware cryptographic numerology!
AES is fine, weak implementations are the biggest threat
52 / 54
![Page 65: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/65.jpg)
Related works
Leakage-resilience vs. RealityLeakage Resilient Cryptography in PracticeStandaert et al. http://eprint.iacr.org/2009/341
Bruteforce vs. RealityUsing the Cloud to Determine Key StrengthsKleinjung et al. http://eprint.iacr.org/2011/254
Crypto libs vs. RealityOpen-Source Cryptographic Libraries and Embedded PlatformsJunod http://crypto.junod.info/hashdays10_talk.pdf
53 / 54
![Page 66: Cryptanalysis vs. Reality - 131002.net · Antoine Joux, Algorithmic Cryptanalysis. 5/54 Reality noun (pl. realities) 1. the state of things as they actually exist, as opposed to an](https://reader034.fdocuments.us/reader034/viewer/2022042400/5f0e77177e708231d43f60d6/html5/thumbnails/66.jpg)
54 / 54
Thank you for your attention