Abstract: The notion of key generators is introduced to symmetric cryptography. Key generators help eliminate the dependence of a block cipher's security on a single, static key. If one of the dynamic keys is leaked to the adversary, then this compromise does not reveal the future keys and the prior keys used by the block cipher to encrypt distinct blocks of plaintext. A practical key generator updating algorithm is provided that enhances the cryptographic strength of block ciphers and in particular the AES block cipher.

Keywords: AES, block cipher, complexity, dynamic key, key generator, regularity, static key assumption
2 Key Generator Updating and Dynamic Key Derivation

Key generator updating requires Alice and Bob agreeing upon the next sequence element $\Gamma(i)$ of key generator $\Gamma$. Even though an uncountable number of key generators are Turing incomputable, herein our attention is on computable key generators because computability helps simplify the coordination of updating between Alice and Bob.

Our one-way preimage hash functions are not intended for message authentication. Consequently, in section 4, our formal definition does not include collision resistance. The reason for this is that the hash digest computed in algorithm 2 is not readily available to Eve, and a collision does not provide a feasible method for Eve to compute prior and future keys, as further explained in remark 22. With this in mind, the key generator updating and cryptography algorithms are presented first.

In key generator updating algorithm 1, $\Phi$ is a one-way preimage hash function with digest size $q$. $\Gamma : \mathbb{N} \to \{0,1\}^n$ is a key generator such that $n > q$. The $j$th bit of $\Gamma(i)$ is $\gamma_{i,j}$. Alice and Bob can establish a shared element $\Gamma(0)$ by executing a signed Diffie-Hellman-Merkle exchange with elliptic curves [22, 23, 24, 25]. (See Theorem 2.1 in [24] to establish shared secrets with $n > 256$.)

… generator. Let $\Psi$ be a one-way preimage hash function whose digest size is $r$ bits. $\Psi$ hashes the concatenation of the dynamic part $\gamma_{i,0}, \gamma_{i,1}, \ldots, \gamma_{i,q-1}$ of $\Gamma(i)$ and the invariant part $\gamma_{i,q}, \ldots, \gamma_{i,n-1}$ in order to derive a distinct key $K_i$ for each block that is encrypted. The expression $E_A(M, K)$ represents block cipher $A$ encrypting plaintext block $M$ with key $K$, and $D_A(C, K)$ represents block cipher $A$ decrypting ciphertext $C$ with key $K$. The key size $|K|$ of the block cipher is $\kappa$ bits and satisfies $\kappa \le r$. Define the projection map $\pi_\kappa : \{0,1\}^r \to \{0,1\}^\kappa$ where $\pi_\kappa(x_1, x_2, \ldots, x_r) = (x_1, x_2, \ldots, x_\kappa)$.

Algorithm 2 Block Cipher A uses Dynamic Keys

Alice's Encryption Algorithm:
    Alice executes with Bob a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$
    Initialize $i = 0$
    while (more plaintext $M_i$ to encrypt)
    {
        Dynamic key $K_i = \pi_\kappa(\Psi(\gamma_{i,0}\,\gamma_{i,1} \ldots \gamma_{i,n-1}))$
        Encrypt $C_i = E_A(M_i \oplus C_{i-1}, K_i)$
        ( $M_i \oplus C_{i-1}$ is encrypted with key $K_i$ )
        Algorithm 1 computes element $\Gamma(i+1)$
        Increment $i$
    }
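The following Go program is an added example, not code from the paper: it instantiates algorithm 2 above with the concrete choices the page's algorithm 3 makes (AES-128 as block cipher $A$, $\Phi = \Psi =$ SHA-512, $n = 1024$, $q = 512$, four 128-bit keys $\Pi(a, \psi)$ per digest, cipher block chaining). Algorithm 1 itself is not on the page; the `Next` method implements the effect the page states for it, namely that $\Phi$ rewrites the 512 dynamic bits and the remaining 512 bits are invariant, and that reading is an assumption. The starting element $\Gamma(0)$ and $C_{-1}$ are constructed sample values standing in for the secrets a signed DHM exchange would produce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha512"
	"errors"
	"fmt"
)

// n = 1024 bits of key generator, q = 512 of them dynamic, κ = 128-bit AES keys;
// Ψ = SHA-512 gives r = 512 bits, which Π splits into four keys.
const (
	genBytes      = 128 // n / 8
	dynBytes      = 64  // q / 8: the dynamic part γ_{i,0} ... γ_{i,q-1}
	keyBytes      = 16  // κ / 8
	keysPerDigest = 4
)

// Generator holds one sequence element Γ(i).
type Generator [genBytes]byte

// Next is our reading of algorithm 1 (assumption): γ_{i+1,0..511} = Φ(γ_{i,0..511})
// with Φ = SHA-512, and γ_{i+1,j} = γ_{i,j} for j in {512, ..., 1023}.
func (g Generator) Next() Generator {
	var next Generator
	d := sha512.Sum512(g[:dynBytes])
	copy(next[:dynBytes], d[:])
	copy(next[dynBytes:], g[dynBytes:])
	return next
}

// DeriveKeys computes ψ = Ψ(γ_{i,0} ... γ_{i,1023}) over the whole element and
// returns Π(a, ψ) for a = 0, 1, 2, 3: four 128-bit dynamic keys from one digest.
func DeriveKeys(g Generator) [keysPerDigest][keyBytes]byte {
	psi := sha512.Sum512(g[:])
	var keys [keysPerDigest][keyBytes]byte
	for a := range keys {
		copy(keys[a][:], psi[a*keyBytes:(a+1)*keyBytes])
	}
	return keys
}

// keyFor returns K_i: a fresh ψ is derived every fourth block and the generator is
// advanced once per ψ (the "if a == 0" steps of algorithm 3).
func keyFor(i int, g *Generator, keys *[keysPerDigest][keyBytes]byte) []byte {
	a := i % keysPerDigest
	if a == 0 {
		*keys = DeriveKeys(*g)
		*g = g.Next()
	}
	return keys[a][:]
}

// Encrypt is Alice's loop: C_i = E_AES(M_i ⊕ C_{i-1}, K_i).
func Encrypt(g0 Generator, cMinus1 [aes.BlockSize]byte, plaintext []byte) ([]byte, error) {
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be whole 16-byte blocks")
	}
	g, prev := g0, cMinus1
	var keys [keysPerDigest][keyBytes]byte
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext)/aes.BlockSize; i++ {
		block, err := aes.NewCipher(keyFor(i, &g, &keys))
		if err != nil {
			return nil, err
		}
		var x [aes.BlockSize]byte
		for b := range x {
			x[b] = plaintext[i*aes.BlockSize+b] ^ prev[b]
		}
		block.Encrypt(out[i*aes.BlockSize:], x[:])
		copy(prev[:], out[i*aes.BlockSize:])
	}
	return out, nil
}

// Decrypt is Bob's loop: M_i = C_{i-1} ⊕ D_AES(C_i, K_i), same key schedule.
func Decrypt(g0 Generator, cMinus1 [aes.BlockSize]byte, ciphertext []byte) ([]byte, error) {
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be whole 16-byte blocks")
	}
	g, prev := g0, cMinus1
	var keys [keysPerDigest][keyBytes]byte
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext)/aes.BlockSize; i++ {
		block, err := aes.NewCipher(keyFor(i, &g, &keys))
		if err != nil {
			return nil, err
		}
		c := ciphertext[i*aes.BlockSize : (i+1)*aes.BlockSize]
		var d [aes.BlockSize]byte
		block.Decrypt(d[:], c)
		for b := range d {
			out[i*aes.BlockSize+b] = d[b] ^ prev[b]
		}
		copy(prev[:], c)
	}
	return out, nil
}

// SampleGenerator is a constructed stand-in for the shared secret Γ(0); not a real secret.
func SampleGenerator() Generator {
	var g Generator
	for i := range g {
		g[i] = byte(i * 7)
	}
	return g
}

func main() {
	g0, g1 := SampleGenerator(), SampleGenerator().Next()
	var c0 [aes.BlockSize]byte // constructed shared C_{-1}
	msg := bytes.Repeat([]byte("sixteen byte blk"), 6)
	ct, _ := Encrypt(g0, c0, msg)
	pt, _ := Decrypt(g0, c0, ct)
	fmt.Println("round trip:", bytes.Equal(pt, msg), "invariant half kept:", bytes.Equal(g0[dynBytes:], g1[dynBytes:]))
}
```

Running it shows the property remark 22 later relies on: each update leaves the invariant half of $\Gamma(i)$ untouched while the dynamic half is replaced by a digest, and every group of four blocks is encrypted under keys that never appear on the wire.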
… Dynamic key $K_i = \pi_\kappa(\Psi(\gamma_{i,0}\,\gamma_{i,1} \ldots \gamma_{i,n-1}))$ and Algorithm 1 computes element $\Gamma(i+1)$. One SHA-512 digest creates four distinct 128-bit keys. The encryption and decryption execution speeds can be increased by performing these two steps only when $i \bmod 4 \equiv 0$. Define function $\Pi : \{0,1,2,3\} \times \{0,1\}^{512} \to \{0,1\}^{128}$ as $\Pi(a, (x_0, x_1, \ldots, x_{511})) = (x_{128a}, x_{128a+1}, \ldots, x_{128a+127})$, where $a \in \{0,1,2,3\}$ and $(x_0, x_1, \ldots, x_{511}) \in \{0,1\}^{512}$. Set $n = 1024$ so that for all $i$ and for each $j \in \{512, \ldots, 1023\}$, $\gamma_{i,j} = \gamma_{i+1,j}$. Set $\Phi = \Psi =$ SHA-512.

Algorithm 3 AES-128 uses a SHA-512 Key Generator Update

Alice's Encryption Algorithm:
    Alice executes with Bob a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$
    Initialize $i = 0$
    while (more plaintext $M_i$ to encrypt)
    {
        Set $a = i \bmod 4$
        if ($a == 0$) then compute $\psi_{i/4} = \Psi(\gamma_{i,0}\,\gamma_{i,1} \ldots \gamma_{i,1023})$
        Set dynamic key $K_i = \Pi(a, \psi_{i/4})$
        Encrypt $C_i = E_{AES}(M_i \oplus C_{i-1}, K_i)$
        If ($a == 0$) then algorithm 1 computes element $\Gamma(i+1)$ from $\Gamma(i)$
        Increment $i$
    }

Bob's Decryption Algorithm:
    Bob executes with Alice a signed DHM exchange to share secrets $\Gamma(0)$ and $C_{-1}$
    Initialize $i = 0$
    while (more ciphertext $C_i$ to decrypt)
    {
        Set $a = i \bmod 4$
        if ($a == 0$) then compute $\psi_{i/4} = \Psi(\gamma_{i,0}\,\gamma_{i,1} \ldots \gamma_{i,1023})$
        Set dynamic key $K_i = \Pi(a, \psi_{i/4})$
        Decrypt $M_i = C_{i-1} \oplus D_{AES}(C_i, K_i)$
        If ($a == 0$) then algorithm 1 computes element $\Gamma(i+1)$ from $\Gamma(i)$
        Increment $i$
    }

Note that cipher block chaining is used.

The use of key generator updating in algorithm 3 should not be confused with the existing block cipher modes of operation such as ECB, CBC or CTR. First, each of these modes still relies on a static key. Even CTR, where $K_i = E_A(\mathrm{nonce} \,\|\, i, K)$ and the $i$th block of ciphertext is $C_i = M_i \oplus K_i$, relies on the static key $K$. Second, key generator updating uses values of $n$ for the key generator that can be substantially greater than the block and static key size. That is, usually $n \gg |M_i|$ and $n \gg \kappa$. For example, in algorithm 3, $n = 1024$, while the key and block size $\kappa = 128$. As explained in section 5, the periodicity of the orbit of dynamic keys produced by a key generator can be substantially greater than $2^\kappa$.

Each of these modes puts an upper bound on the amount of entropy increase, based on the block size or key size. In the case of ECB, no entropy increase occurs. In the case of CBC, the entropy increase is bounded above by the size of the message space. In the case of CTR, the nonce concatenated with the counter $i$ is bounded above by the size of the message space, and the resulting key orbit is bounded above by the size of the key space. Since $n$ can be substantially greater than the key or block size, a greater entropy increase can occur with key generator updating. Furthermore, nothing precludes combining key generator updating with the CBC mode or the CTR mode. Both algorithms 2 and 3 show key generator updating combined with the CBC mode.

Recent Advances in Computer Science, ISBN: 978-1-61804-297-2, p. 15

4 Concrete Complexity and One-Way Preimage Functions

Based on Turing machines, this section introduces concrete complexity and then defines a one-way preimage hash function. The first goal of our new definitions is to avoid the difficulty that asymptotic definitions of complexity cannot model one-way hash functions used in practice. A second, longer-term goal is to further develop an appropriate framework to characterize one-wayness, by applying powerful tools from dynamical systems to the Turing machine.

As a brief review, a Turing machine is a triple $(Q, \Sigma, \eta)$ where $Q$ is a finite set of states that does not contain a unique halting state $h$. When machine execution begins, the machine is in an initial state $s \in Q$. $\Sigma$ is a finite alphabet whose symbols are read from and written to a tape $T : \mathbb{Z} \to \Sigma$. The alphabet symbol in the $k$th tape square is $T(k)$. $-1$ and $+1$ represent advancing the tape head to the left or right tape square, respectively. $\eta$ is a program function, where $\eta : Q \times \Sigma \to (Q \cup \{h\}) \times \Sigma \times \{-1, +1\}$.

For each $q$ in $Q$ and $\alpha$ in $\Sigma$, the instruction $\eta(q, \alpha) = (r, \beta, x)$ specifies how the machine executes one computational step. When in state $q$ and reading alphabet symbol $\alpha$ on the tape, the machine jumps to state $r$. On the tape, the machine replaces alphabet symbol $\alpha$ with symbol $\beta$. If $x = -1$ or $x = +1$, then the machine moves its tape head one square to the left or right, respectively, and subsequently reads the symbol in this new square. If $r = h$, the machine reaches the halting state and stops executing.

The following definition helps analyze algorithms 2 and 3.

Definition 17 A hash function $\Phi : \{0,1\}^{<N} \to \{0,1\}^q$ is regular on its subdomain $\{0,1\}^k$ with $k \ge q$ if for every $y \in \{0,1\}^q$ the intersection of the inverse image $\Phi^{-1}(y)$ and $\{0,1\}^k$ has the same number of points. This means that for every $y \in \{0,1\}^q$, $|\Phi^{-1}(y) \cap \{0,1\}^k| = 2^{k-q}$.

Theorem 18 Suppose hash function $\Phi : \{0,1\}^{<N} \to \{0,1\}^q$ is regular on subdomain $\{0,1\}^q$. Then every point in $\{0,1\}^q$ is a periodic point and lies in a unique periodic orbit with respect to $\Phi$.

PROOF. By reductio ad absurdum, suppose $x \in \{0,1\}^q$ is not a periodic point. Let $k$ be the smallest positive natural number such that $y = \Phi^k(x)$ is a periodic point. Let $m$ be the period of $y$. Then $\Phi^{-1}(y)$ contains at least two points, $\Phi^{m-1}(y)$ and $\Phi^{k-1}(x)$.

… B. Any probabilistic Turing machine $P$ that is given $y \in \{0,1\}^q$ as input and searches for an inverse image point $x \in h^{-1}(y)$ only succeeds with exponentially low probability under the following three conditions: (1) Turing machine $P$ has at most $\sigma$ alphabet symbols. (2) Turing machine $P$ has at most $\varrho$ states. (3) There is some fixed degree $r$ and each success takes at least $|x|^r$ steps.

… 45, 216, 97, 239, 223, 158\}$. Also, $|[1]| = 81$, $|[4]| = 87$, $|[11]| = 27$ and $|[115]| = 2$, and $|[0]| + |[1]| + |[4]| + |[11]| + |[115]| = 2^8$.

During a single execution of algorithm 2, there is a low probability of encrypting two distinct blocks with identical keys. In other words, when $i \ne j$, the event $K_i = K_j$ has a low probability. The following lemma helps sharpen the expression "low probability".

Lemma 20 Suppose $\Phi : \{0,1\}^{<N} \to \{0,1\}^q$ is an $(N, \sigma, \varrho, r+m+2)$ one-way preimage function satisfying the regularity condition on subdomain $\{0,1\}^q$, where $r, m \ge 1$, $N = n + 1$, $\sigma = q$ and $\varrho = q^2$. Suppose machine $M$ computes $\Phi$ on any input $x \in \{0,1\}^q$ in at most $q^m$ computational steps. Suppose Alice randomly chooses $x \in \{0,1\}^q$ and computes $\Phi(x) = y$. Suppose Eve only sees $y$. Set $S = \{x \in \{0,1\}^q : |O(\Gamma, \Phi, A_1)| < q^r \text{ and } \pi_q \Gamma(0) = x\}$. Then $|S| \le 2^{q/2}$.
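Definition 17 and Theorem 18 above can be checked by exhaustive computation on a small function. The Go program below is an added example, not part of the paper: it constructs a toy digest $\Phi : \{0,1\}^{12} \to \{0,1\}^8$ (the S-box, the rotate-and-xor construction and the parameters $k = 12$, $q = 8$ are all assumptions chosen for illustration), counts the preimages of every digest to confirm regularity, and then decomposes the subdomain $\{0,1\}^8$ into the periodic orbits of $\Phi$, which is what $|[0]|, |[1]|, \ldots$ summing to $2^8$ in the fragment above records. A non-bijective map is included for contrast, to show a point that is not periodic.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Toy parameters (assumptions for this example): k input bits, q digest bits.
const (
	k = 12
	q = 8
)

// sbox is a bijection on 8 bits (rotate, then xor a constant); constructed here.
func sbox(x uint8) uint8 { return bits.RotateLeft8(x, 3) ^ 0x9d }

// Phi maps a k-bit input to a q-bit digest. For each high nibble h there is exactly
// one low byte l with sbox(l) ^ h = y, so every y has 2^(k-q) = 16 preimages.
func Phi(x uint16) uint8 { return sbox(uint8(x&0xff)) ^ uint8(x>>8) }

// PhiQ is Phi restricted to the subdomain {0,1}^q (high nibble zero).
func PhiQ(x uint8) uint8 { return Phi(uint16(x)) }

// Squash is a contrasting map that is not a bijection on {0,1}^q.
func Squash(x uint8) uint8 { return x &^ 1 }

// PreimageCounts returns |Phi^{-1}(y) ∩ {0,1}^k| for every digest y.
func PreimageCounts() [1 << q]int {
	var counts [1 << q]int
	for x := uint16(0); x < 1<<k; x++ {
		counts[Phi(x)]++
	}
	return counts
}

// IsRegular checks Definition 17: every digest has exactly 2^(k-q) preimages.
func IsRegular() bool {
	for _, c := range PreimageCounts() {
		if c != 1<<(k-q) {
			return false
		}
	}
	return true
}

// Orbit iterates f from x0 until a point repeats. It returns the points visited and
// the index at which the sequence re-enters them: 0 means x0 itself is periodic.
func Orbit(f func(uint8) uint8, x0 uint8) (orbit []uint8, reentry int) {
	seen := map[uint8]int{}
	for x := x0; ; x = f(x) {
		if idx, ok := seen[x]; ok {
			return orbit, idx
		}
		seen[x] = len(orbit)
		orbit = append(orbit, x)
	}
}

// AllPeriodic is the conclusion of Theorem 18 for f on {0,1}^q.
func AllPeriodic(f func(uint8) uint8) bool {
	for x := 0; x < 1<<q; x++ {
		if _, reentry := Orbit(f, uint8(x)); reentry != 0 {
			return false
		}
	}
	return true
}

// Cycles returns the sizes of the periodic orbits that partition {0,1}^q under f.
func Cycles(f func(uint8) uint8) []int {
	visited := map[uint8]bool{}
	var sizes []int
	for x := 0; x < 1<<q; x++ {
		if visited[uint8(x)] {
			continue
		}
		orbit, _ := Orbit(f, uint8(x))
		for _, p := range orbit {
			visited[p] = true
		}
		sizes = append(sizes, len(orbit))
	}
	return sizes
}

func main() {
	fmt.Println("regular:", IsRegular(), "all periodic:", AllPeriodic(PhiQ))
	fmt.Println("orbit sizes of PhiQ:", Cycles(PhiQ))
	_, reentry := Orbit(Squash, 1)
	fmt.Println("Squash: 1 is periodic?", reentry == 0)
}
```

The orbit sizes printed for `PhiQ` always sum to 256, because a regular function restricted to $\{0,1\}^q$ is a permutation and its orbits partition the set; `Squash` loses a bit, so the point 1 falls into the orbit of 0 without ever returning, which is exactly the situation the proof of Theorem 18 rules out.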
… the biclique preimage attack [34] that depends on a reduced 50 rounds instead of 80.

Remark 22 Standard block cipher methods must not reveal the static key to Eve. This is equivalent to not revealing any dynamic key to Eve. To construct future dynamic keys $K_k$ such that $k > j$, Eve must find the preimage point $\Gamma(j)$. In algorithm 3, suppose a processor backdoor leaks four consecutive 128-bit dynamic keys $\psi_{j/4} = K_j\,K_{j+1}\,K_{j+2}\,K_{j+3}$ to Eve. Even after the leak, constructing future keys requires Eve knowing $\Gamma(j)$. For algorithm 3, this involves considerably more computational steps than finding a single preimage point $x \in \{0,1\}^{1024}$ such that $\Phi_{512}(x) = \psi_{j/4}$. If $\Phi_{512}$ is regular on subdomain $\{0,1\}^{1024}$, then $|\Phi_{512}^{-1}(\psi_{j/4})| = 2^{512}$. The regularity condition implies Eve must guess $\Gamma(j)$ from $2^{512}$ possible preimage points. When Eve attempts to find dynamic keys that precede $K_j$, she has even less information available than when she is attempting to construct future keys. While the last $n - q$ bits of $\Gamma(j)$ are invariant, even if Eve knows $\Gamma(j)$, this does not enable her to immediately capture $\Gamma(j-1)$, because $\Phi_{512}(\gamma_{j-1,0} \ldots \gamma_{j-1,q-1}) = \gamma_{j,0} \ldots \gamma_{j,q-1}$.

Remark 23 A Boolean function $f : \{0,1\}^n \to \{0,1\}$ can be expressed as a polynomial $f(x_1, \ldots, x_n) = \sum_{a \in \{0,1\}^n} c_a\, x_1^{a_1} \cdots x_n^{a_n}$ over $\mathbb{F}_2[x_1, \ldots, x_n] / (x_1^2 - x_1, \ldots, x_n^2 - x_n)$, where $c_a = \sum_{x \preceq a} f(x_1, \ldots, x_n)$ and $x \preceq a$ iff $x_i \le a_i$ for each $i$. The algebraic degree of $f$ is defined as $\deg f = \max\{\mathrm{wt}(a) : a \in \{0,1\}^n,\ c_a \ne 0\}$, where $\mathrm{wt}(a)$ is the Hamming weight of $a$. Consider functions $f_1, f_2, \ldots, f_n : \{0,1\}^n \to \{0,1\}$ and function $F : \{0,1\}^n \to \{0,1\}^n$, defined as $F(x) = (f_1(x), f_2(x), \ldots, f_n(x))$. The algebraic degree of $F$ is $\max\{\deg f_1, \deg f_2, \ldots, \deg f_n\}$. For a static AES key $K$, the AES encryption function $E_K : \{0,1\}^{128} \to \{0,1\}^{128}$ has an algebraic degree of at most 128, and $E_K$ is a function of 128 Boolean variables. It is well known that a Boolean function's resistance to differential cryptanalysis and higher order differentials depends on its algebraic degree and on how quickly its degree can be reduced by taking discrete derivatives [35, 36, 37].

Set $M = |O(\Gamma, \Phi, A_3)|$. For each dynamic key $K_i$, let $E_{K_i} : \{0,1\}^{128} \to \{0,1\}^{128}$ denote the AES encryption function. During execution of algorithm 3, there are $4M$ distinct functions $E_{K_0}, \ldots, E_{K_{4M-1}}$, where encryption function $E_{K_0}$ is applied to plaintext block $M_0$, encryption function $E_{K_1}$ is applied to block $M_1$, and so on. This sequence of encryptions induces a function $f : \{0,1\}^{512M} \to \{0,1\}^{512M}$, where $f = (f_1, f_2, \ldots, f_{512M})$. As discussed in example 21, even for an extremely rare event such as a collision after only 134,217,728 iterations of SHA-512 (if such an orbit exists), the induced $f$ will be a function of 68,719,476,736 Boolean variables versus 128 Boolean variables for $E_K$. The cipher block chaining and key generator orbit create a composition of the AES encryption functions $E_{K_0}, E_{K_1}, \ldots$; for example, $C_2 = E_{K_2}(M_2 \oplus E_{K_1}(M_1 \oplus E_{K_0}(M_0 \oplus C_{-1})))$. Thus, $f_{1+128k}, \ldots, f_{128(k+1)}$ are a function of the $128(k+1)$ variables $x_1, \ldots, x_{128(k+1)}$ for $0 \le k < 4M$. Based on the work of Boura, Canteaut [38] and Biss [39], we conjecture that for most key generator orbits the degree of $f$ is at least $M$.

6 Algorithms 2 and 3 Stop a Generic Block Cipher Attack

The dynamic keys, derived in algorithms 2 and 3, help stop Huang and Lai's generic block cipher attack [21], which is described below and shown in algorithm 24. The following list describes the symbols used in their attack algorithm 24.

    $P$: plaintext
    $C$: ciphertext
    $n$: block size
    $K$: master key
    $k$: master key size
    $R$: number of rounds
    $S$: non-linear layer
    $L$: linear layer
    $K^r$: subkey used in round $r$
    $X^r$: input block to round $r$, where $X^0 = P$
    $Y^r$: output block of the key mixing in round $r$
    $Z^r$: output block of the nonlinear layer in round $r$
    $Z^r_i$: $i$th subblock in $Z^r$

$S_1$ is the internal state that can be calculated from $P$ only with $k_1$ bits of subkeys, where $k_1$ is the maximum smaller than $k$ that can be obtained. Similarly, $S_2$ is the internal state that can be derived from $C$ only with (other) $k_1$ bits of subkeys. For any block cipher, the states $S_1$ and $S_2$ can be found. The attack algorithm has two stages:

1. A meet-in-the-middle stage generates the candidate list containing $2^{k-M}$ keys, where $M$ is the met intermediate size.
2. A check stage that examines the keys in the candidate list.

Line numbers have been added to the attack algorithm in [21] to help explain how algorithms 2 and 3 hinder this attack.

Algorithm 24 Generic Block Cipher Attack
Data: $\lceil k/n \rceil + 1$ (plaintext, ciphertext) pairs
Result: the output key $K$
 1  for each value in the 1st $k_1$ key bits
    {
 2    compute $S_1$ from $P$ with these $k_1$ bits
 3    for each value in the remaining $k - k_1$ key bits
      {
 4      compute $Z_0^{\lfloor R/2 \rfloor}$ from $S_1$
 5      store $Z_0^{\lfloor R/2 \rfloor}$ in a table corresponding to the guessed key
 6    }
 7  }
 8  for each value in the last $k_1$ key bits
    {
 9    compute $S_2$ from $C$ with these $k_1$ bits
10    for each value in the remaining $k - k_1$ key bits
      {
11      compute $Z_0^{\lfloor R/2 \rfloor}$ from $S_2$
12      if $Z_0^{\lfloor R/2 \rfloor}$ corresponding to the guessed key is in the table
        {
13        add guessed key to candidate list
14        move onto the next guess
15      }
16      else move onto the next guess
17    }
18  }

… pairs … 2 and 3. To illustrate this, in algorithm 3, af-

… keys $K_j, K_{j+1}, K_{j+2}, K_{j+3}$ are derived from an updated key generator $\gamma_{j,0} \ldots \gamma_{j,1023}$, where the average Hamming distance between $\gamma_{j,0} \ldots \gamma_{j,511}$ and $\gamma_{j-1,0} \ldots \gamma_{j-1,511}$ is 256.

Consider algorithm 3, encrypting 25,600 bytes of voice data per second. At this rate, a one-hour phone conversation requires a key generator orbit $(\gamma_{0,0} \ldots \gamma_{0,511}),\ \Phi_{512}(\gamma_{0,0} \ldots \gamma_{0,511}),\ \ldots,\ \Phi_{512}^{1440000}(\gamma_{0,0} \ldots \gamma_{0,511})$ with size 1,440,001. If a collision occurred in this orbit during a one-hour phone call, then theorem 16 provides a devastating preimage attack on SHA-512 with at most 1,440,000 iterations of SHA-512. Beyond the extremely low probability of this rare event (such orbits may not even exist), a collision would also imply that SHA-512 does not satisfy any reasonable values of $(2^{128}, \sigma, \varrho, r)$ preimage complexity. "Reasonable" means not constraining Eve's machine $P$ so much that she cannot compute, for example, SHA-512. Consider $\varrho = 1$, so machine $P$ can have only one state. Recall that the biclique preimage attack [34], on a reduced 50 rounds of SHA-512 instead of the complete 80, has an estimated preimage complexity of $2^{511.5}$. From this work, it is considerably more likely that an orbit $O(\Gamma, \Phi_{512}, A_3)$ has a size far greater than the number of SHA-512 iterations needed to provide a complete encryption for any foreseeable application. In this case, the assumption that there are $\lceil k/n \rceil$ (plaintext, ciphertext) pairs does not hold for algorithm 3. Furthermore, the lack of $\lceil k/n \rceil$ (plaintext, ciphertext) pairs invalidates the effectiveness of the loop composed of lines 1 through 7 and the loop composed of lines 8 through 18.

7 Speed Testing of Algorithm 3

Algorithm 3's execution speed is compared to standard AES-128. Figure 1 shows 10,000 speed tests, measured in microseconds, where AES-128 uses a static key to encrypt 64 bytes of random plaintext.

[Figure 1: histogram of the 10,000 timings for AES-128 with a static key encrypting 64 bytes. Time (µs) vs. Frequency; Median = 16.0]
All speed tests were performed on an Apple Mac mini, running OSX 10.9.2 with a 2.5 GHz Intel Core. The median was selected over the sample mean [40] in order to filter out the effects of OSX interrupts. All random plaintext, keys and key generators were cre-

[Histogram, caption not recovered from the extraction: Time (µs) vs. Frequency; Median = 5.0]

[Figure 2: Algorithm 3 encrypts 64 bytes. Time (µs) vs. Frequency; Median = 27.0]

… by almost 70 percent over standard AES-128 for these 64-byte tests, as indicated in figures 3, 4 and 5. The 128-bit key expansion uses almost 39 percent of this increase in execution time.

[Figure 3: Four AES 128-bit key expansions. Time (µs) vs. Frequency; Median = 5.0]

[Figure 4: One key generator update with SHA-512. Time (µs) vs. Frequency; Median = 3.0]

… generator updating and dynamic key derivation from the 1024-bit key generator. Figures 3, 4 and 5 show these tests.

8 Summary and Future Research

In algorithms 2 and 3, a successful attack that obtains a sequence element $\Gamma(j)$ of the key generator requires at least a preimage attack on a one-way preimage hash function, where no direct information about the one-way preimage digest is revealed to Eve. When the hash function satisfies the regularity condition, obtaining $\Gamma(j)$ requires Eve to guess the correct preimage point from all possible preimage points; when the key generator element $\Gamma(j)$ has length $n$ bits and the digest size is $q$, there are $2^{n-q}$ possible preimage points. Furthermore, if Eve successfully captures $\Gamma(j)$, she still must carry out additional preimage attacks to obtain preceding dynamic keys. The complexity is lower for a standard block cipher because Eve is searching for a static key used directly …

Future research will focus on the theoretical security of computable key generators, which depends on the existence of one-way hash functions and a better understanding of their dynamical behavior. In this regard, a number theoretic method has been designed that satisfies our regularity condition and the propagation criteria [41].
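Remark 23 above defines the algebraic normal form coefficients $c_a$, the algebraic degree, and mentions how quickly the degree drops under discrete derivatives; the summary's pointer to propagation criteria [41] concerns the same Boolean-function properties. The Go program below is an added example, not part of the paper: it computes $c_a = \sum_{x \preceq a} f(x)$ for every $a$ with the fast Möbius transform (the standard $O(n 2^n)$ way of evaluating exactly that sum), reads $\deg f$ off the coefficients, and forms the discrete derivative $D_d f(x) = f(x) \oplus f(x \oplus d)$. The sample functions (3-bit majority, the 3-bit map with coordinates $x_i \oplus (x_{i+1} \oplus 1)x_{i+2}$, and a few others) are constructed for illustration and are not from the paper.

```go
package main

import (
	"fmt"
	"math/bits"
)

// BoolFn is an n-variable Boolean function given by its truth table; index x
// encodes (x_1, ..., x_n) with x_i = bit (i-1) of x.
type BoolFn struct {
	N  int
	TT []uint8 // length 2^N, entries 0 or 1
}

// FromFunc tabulates f over all 2^n inputs.
func FromFunc(n int, f func(x uint) uint8) BoolFn {
	tt := make([]uint8, 1<<n)
	for x := range tt {
		tt[x] = f(uint(x)) & 1
	}
	return BoolFn{N: n, TT: tt}
}

// ANF returns the coefficients c_a of Remark 23, c_a = Σ_{x ≼ a} f(x) over F_2,
// computed in place by the fast Möbius transform (one butterfly pass per variable).
func (b BoolFn) ANF() []uint8 {
	c := append([]uint8(nil), b.TT...)
	for i := 0; i < b.N; i++ {
		for x := range c {
			if x&(1<<i) != 0 {
				c[x] ^= c[x^(1<<i)]
			}
		}
	}
	return c
}

// Degree is max{wt(a) : c_a ≠ 0}; the zero function is reported as degree -1.
func (b BoolFn) Degree() int {
	deg := -1
	for a, ca := range b.ANF() {
		if w := bits.OnesCount(uint(a)); ca != 0 && w > deg {
			deg = w
		}
	}
	return deg
}

// Derivative is the discrete derivative D_d f(x) = f(x) ⊕ f(x ⊕ d) in direction d.
func (b BoolFn) Derivative(d uint) BoolFn {
	tt := make([]uint8, len(b.TT))
	for x := range tt {
		tt[x] = b.TT[x] ^ b.TT[uint(x)^d]
	}
	return BoolFn{N: b.N, TT: tt}
}

// VectorDegree is the degree of F = (f_1, ..., f_m): the maximum coordinate degree.
func VectorDegree(fs []BoolFn) int {
	deg := -1
	for _, f := range fs {
		if d := f.Degree(); d > deg {
			deg = d
		}
	}
	return deg
}

func bit(x uint, i int) uint8 { return uint8(x>>i) & 1 }

// Majority3 is x1x2 ⊕ x1x3 ⊕ x2x3 (constructed sample; degree 2).
func Majority3() BoolFn {
	return FromFunc(3, func(x uint) uint8 {
		return bit(x, 0)&bit(x, 1) ^ bit(x, 0)&bit(x, 2) ^ bit(x, 1)&bit(x, 2)
	})
}

// Chi3 is the 3-bit map with coordinates x_i ⊕ (x_{i+1} ⊕ 1) x_{i+2}, indices mod 3
// (constructed sample; every coordinate has degree 2).
func Chi3() []BoolFn {
	fs := make([]BoolFn, 3)
	for i := range fs {
		i := i
		fs[i] = FromFunc(3, func(x uint) uint8 {
			return bit(x, i) ^ (bit(x, (i+1)%3)^1)&bit(x, (i+2)%3)
		})
	}
	return fs
}

func main() {
	maj := Majority3()
	fmt.Println("deg majority:", maj.Degree(), " deg D_{e1} majority:", maj.Derivative(1).Degree())
	fmt.Println("deg Chi3:", VectorDegree(Chi3()))
}
```

Taking the derivative of the majority function in direction $e_1$ leaves $x_2 \oplus x_3$, so the degree falls from 2 to 1 in a single step; the same routine applied to a cipher's coordinate functions is how the "how quickly its degree can be reduced" question of Remark 23 is measured in practice.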
[27] NIST. FIPS-180-2: Secure Hash Standard, August 2002.

[28] Claude Shannon. A universal Turing machine with two internal states. Automata Studies, C.E. Shannon and J. McCarthy (eds.). Princeton University Press, 129–153, 1956.

[29] Yiannis N. Moschovakis. What is an algorithm? In Mathematics Unlimited: 2001 and beyond (eds. B. Engquist and W. Schmid), Springer, 919–936, 2001.

[30] Yiannis N. Moschovakis. Algorithms and Implementations. Tarski Lecture 1, March 3, 2008. http://www.math.ucla.edu/~ynm/lectures/tlect1.pdf

[31] Yuri Gurevich. What is an algorithm? In SOFSEM: Theory and Practice of Computer Science (eds. M. Bielikova et al.), LNCS 7147. Springer, 31–42, 2012. http://research.microsoft.com/pubs/155608/209-3.pdf and http://link.springer.com/chapter/10.1007%2F978-3-642-27660-6_3#page-1

[38] Christina Boura and Anne Canteaut. On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$. IEEE Transactions on Information Theory 59, No. 1, 691–702, Jan. 2013.

[39] Daniel Biss. A lower bound on the number of functions satisfying the strict avalanche criterion. Discrete Math. 185, 29–39, 1998.

[40] Bart Kosko. Noise: The Sample Mean. In: What have you changed your mind about? The Edge, 2008.

[41] B. Preneel, W.V. Leekwijck, L.V. Linden, R. Govaerts, J. Vandewalle. Propagation characteristics of Boolean functions. Advances in Cryptology, EUROCRYPT '90 Proceedings, LNCS 473. Springer, 161–173, 1991.