chap. 6: contemporary symmetric ciphers jen-chang liu, 2004 adapted from lecture slides by lawrie...

Chap. 6: Contemporary Symmetric Ciphers

Jen-Chang Liu, 2004

Adapted fromLecture slides by Lawrie Brown

"I am fairly familiar with all the forms of secret writings, and am myself the author of a trifling monograph upon the subject, in which I analyze one hundred and sixty separate ciphers," said Holmes.

—The Adventure of the Dancing Men, Sir Arthur Conan Doyle

Outline

Characteristics of advanced symmetric block cipher

Triple DES Blowfish RC5 RC4 stream cipher

Feistel cipher

• Key• Key length• subkey generation

• block• block length• two halves of block

• no. of round• encryption algorithm

• S-box• XOR

+

+

+

Key features not found in DES

• Key• Key length• subkey generation

• block• block length• two halves of block

• no. of round• encryption algorithm

• S-box• XOR

Variable length key : Blowfish, RC5

Complex subkey generation process: Blowfish

Variable plain/ciphertext block length: RC5Operate on both halves each round: Blowfish, RC5Variable no. of round: RC5

Key-dependent S-box: BlowfishData/key-dependent rotation: RC5Mixed operation: more than one arithmetic and Boolean operations

Outline



Triple DES

clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search

attacks AES is a new cipher alternative prior to this alternative was to use

multiple encryption with DES implementations

Double-DES ? why not Double-

DES?56x2=112 bits key

Q1: Is that possible ][]][[312PEPEE KKK

for some K3 ?

Space of mapping

1. The whole space of mapping

64-bit plaintext 64-bit ciphertext

264!

264! > 10347380000000000000000

mapping

2. Space of mapping defined by DES

56-key => 256 mapping

256

256 < 1017

Double-DES is likely to producea new mapping !

Q2: meet-in-the-middle attack

DES: O(256) to attack 2DES: O(2112) to attack?1. Given a (P,C)

2. Encrypt P with 256 keys

K1 X000…00000000…00001000…00010000…00011

…111…11111

0101…01011101…0111

0001…0110

…

…

3. Decrypt C with 256 keys

K2

000…00000000…00001000…00010000…00011

…111…11111

X

0001…0110

…

Match!

Triple-DES

3 DES encryption with 3 keys (56x3=168 bits) Avoid meet-in-the-middle attack with O(256) complexity

E-D-E application of DES: PGP, S/MIME Backward compatible with DES: K3=K2 or

K1=K2

E

3

3

Standardized 3DES

3DES standardized in ANSI X9.17 & ISO8732 2 56-bit keys

Compatible with DES

Attack on 3DES Idea: if A and C are known, then it

becomes an attack on double DES

1. Given n known (P,C) pairs

0100…1011001…011…0110…1001001…001

1100…1111011…001…0100…1011101…010

2. Select an arbitrary a for A

a

3. Search 256 keys for K1

K1,1

K1,2

K1,1

K1,2

0110…000

1110…011

4. Search 256 keys for K2

K2

Complexity of attack on 3DES

Brute-force key search: 2112

Known plaintext-ciphertext attack on previous slide:

No practical attack is known for now

n/2120

Outline



Blowfish

a symmetric block cipher designed by Bruce Schneier in 1993/94

Characteristics 64-bit block cipher Variable length key (32 bits to 448 bits) Complex subkey generation Key-dependent S-boxes Simple operations – fast implementation

Modulo 232 addition Bitwise XOR

Blowfish

++

++

+ + + +

++

++

18 subkeys Pi

Blowfish single round

+

+

+Modulo 232 addition

256-entry S-box, 32-bit output/entry

Subkey and S-box generation

uses a 32 to 448 bit key 1 word = 32 bits, 1 to 14 words

to generate 18 32-bit subkeys stored in P-array

four 256 entry S-boxes, 1 word in each entry

K1, K2, K3, K4, …, Kj1<= j <= 14

P1, P2, P3, P4, …, P18

S1,0, S1,1, S1,2, S1,3, …, S1,255

S2,0, S2,1, S2,2, S2,3, …, S2,255S3,0, S3,1, S3,2, S3,3, …, S3,255

S4,0, S4,1, S4,2, S4,3, …, S4,255

Totally 1024 words


1. initialize P-array and then 4 S-boxes using

2. XOR P-array with K-array (reuse as needed)

用用用用用用用用用 P 和 S 陣列P1 = 243F6A88P2 = 85A308D3 … S4,255 = 3AC372E6

P1, P2, P3, P4, … P14, P15, P16, P17, P18

K1, K2, K3, K4, …, K14,K1, K2, K3, K4

+ + + + + + + + +

(Suppose input key is 14 words)


3. loop repeatedly encrypting data using current P & S and replace successive pairs of P then S valuesP1, P2 = EP,S [0] 用現在 P,S 值當參數的 Blowfish, 加密 0

更新 P1, P2

P3, P4 = EP,S [P1 || P2]…

S1,0, S1,1 = EP,S [P17 || P18]…

S4,254, S4,255 = EP,S [S4,252 || S4,253]

Totally 521 executions of Blowfish encryption => not suitable for frequent key changes

Blowfish Encryption

++

+

++

+

+

+

+

+ and do not commute

Discussion

key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult

changing both halves in each round increases security (c.f. Feistel cipher)

brute-force key search is not practical (maximally 448 bits)

Discussion (cont.)

fast

Outline



RC5

designed by Ronald Rivest (of RSA fame) used in RSA Data Security, Inc.’s products

can vary key size / data size / no rounds

very clean and simple design easy implementation on various CPUs yet still regarded as secure

RC5 Ciphers

RC5 is a family of ciphers RC5-w/r/b w = word size in bits (16/32/64), block

data=2w r = number of rounds (0..255) b = number of bytes in key (0..255)

nominal version is RC5-32/12/16 i.e. 32-bit words so encrypts 64-bit data

blocks using 12 rounds with 16 bytes (128-bit) secret key

+ +

++

Simple operations:

1. Addition: modulo 2w

2. Bitwise XOR3. Circular shift (rotation): x <<< y, x is left rotate y bits

w w

1. Substitution depends on both words2. Permutation depends on both words3. Substitution depends on key

A Substitution-permutation round:

subkey

(nonlinear and data dependent !!!)

RC5 Key Expansion RC5 uses t=2r+2 subkey words (w-bits)

( 決定 subkeys大小和個數 )

RC5 subkey initialization

e = 2.718281828459… Pw=Odd[(e-2)2w] = B7E1 (16 bits) B7E15163 (32 bits)

= 1.618033988749… Qw=Odd[( -1)2w] = 9E37 (16 bits) 9E3779B9 (32 bits)

S[0] = Pw

for i=1 to t-1 do S[i] = S[i-1] + Qw

/* initialize subkey array */

RC5 Decryption

+ +

++ + +

++

RC5 Modes

RFC2040 defines 4 modes used by RC5 RC5 Block Cipher, is ECB mode RC5-CBC, is CBC (cipher block chaining)

mode RC5-CBC-PAD, is CBC with padding by

bytes with value being the number of padding bytes

RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original

Plaintext message may not be a multiple of the block size

RC5 ciphertext stealing mode

Not transmitted

Ciphertext chaining

Summary: Block Cipher Characteristics

features seen in modern block ciphers are: variable key length / block size / no rounds mixed operators, data/key dependent

rotation key dependent S-boxes more complex key scheduling operation of full data in each round varying non-linear functions

Outline



Stream cipher diagram

+ +

Recall: One-time pad in Chap. 2

Stream Cipher Properties

some design considerations are: A pseudorandom number generator

produces a deterministic stream that eventually repeats

The period should be long Keystream should approximate a true

random stream Ex. Approximately equal number of 1s and 0s

The key needs to be sufficiently long Ex. 128 bits or longer key to avoid brute-force

attack

Advantage of stream cipher

Fasters than block ciphers

Disadvantage of stream cipher

never reuse stream key

Ciphertext 1 = plaintext 1 keystream

Ciphertext 2 = plaintext 2 keystream

Ciphertext 1 Ciphertext 2= (plaintext 1 keystream) (plaintext 2 keystream) = plaintext 1 plaintext 2

If plaintexts are text string, credit card no., or other streams with known properties, then cryptanalysis may be successful

RC4

Designed by Ron Rivest in 1987, owned by RSA DSI

variable key size, byte-oriented stream cipher widely used (web SSL/TLS, wireless WEP)

SSL: secure sockets layer TLS: transport layer security WEP: wired equivalent privacy

Main steps: key forms random permutation of all 8-bit values

(state vector S[0],S[1],…,S[255]) uses that permutation to scramble input info

processed a byte at a time

RC4 Key Schedule

starts with an array S of numbers: 0…255 S forms internal state of the cipher given a key K of length keylen bytes (1 to

256 bytes)

254253

RC4 key scheduling and stream generation

j=0, for i=0 to 255

Plaintext k = ciphertext

i=0, j=0 While(1){ i=i+1 mod 256, …}

RC4 Encryption

encryption continues shuffling array values sum of shuffled pair selects "stream key"

value XOR with next byte of message to en/decrypt

i = j = 0

for each message byte Mi

i = (i + 1) (mod 256)

j = (j + S[i]) (mod 256)

swap(S[i], S[j])

t = (S[i] + S[j]) (mod 256)

Ci = Mi XOR S[t]

RC4 Security

The period of RC4 > 10100

claimed secure against known attacks have some analyses, none practical

result is very non-linear since RC4 is a stream cipher, must

never reuse a key have a concern with WEP, but due to

key handling rather than RC4 itself

chap. 6: contemporary symmetric ciphers jen-chang liu, 2004 adapted from lecture slides by lawrie...

Documents