
Lecture 4: The Advanced Encryption Standard (AES)
On January 2, 1997, the National Institute of Standards and Technology (NIST) announced the initiation of a new symmetric-key block cipher algorithm as the new encryption standard to replace the DES. The new algorithm would be named the Advanced Encryption Standard (AES). Unlike the closed design process for the DES, an open call for AES algorithms was formally made on September 12, 1997. The requirements for the AES were as follows:
(1) The call stipulated that the AES would specify an unclassified, publicly disclosed symmetric-key encryption algorithm(s).
(2) The algorithm(s) must support (at a minimum) a block size of 128 bits and key sizes of 128, 192, and 256 bits, and should have a strength at the level of triple DES, but should be more efficient than triple DES.
(3) It should work on a variety of different hardware.
(4) The algorithm(s), if selected, must be available royalty-free, worldwide.
On August 20, 1998, NIST announced a group of fifteen AES candidate algorithms. These algorithms had been submitted by members of the cryptographic community from around the world. Public comments on the fifteen candidates were solicited as the initial review of these algorithms (the period for the initial public comments was also called Round 1). Round 1 closed on April 15, 1999. Using the analyses and comments received, NIST selected five algorithms from the fifteen.
The five AES finalist candidate algorithms were MARS (from IBM), RC6 (from RSA Laboratories), Rijndael (from Joan Daemen and Vincent Rijmen), Serpent (from Ross Anderson, Eli Biham, and Lars Knudsen), and Twofish (from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson). These finalist algorithms received further analysis during a second, more in-depth review period (Round 2).
In Round 2, comments and analysis were sought on any aspect of the candidate algorithms, including, but not limited to, the following topics: cryptanalysis, intellectual property, cross-cutting analyses of all of the AES finalists, overall recommendations and implementation issues. On October 2, 2000, NIST announced that it had selected Rijndael as the proposed AES.
Outline
- About the Finite Field GF(p^n)
- The Basic Algorithm
- The Layers
- Decryption
- Design Consideration
- Implementation Concerns
- Positive Impact of the AES
- Modes of Operation
- Message Authentication Code
1 About the Finite Field GF(p^n)
For every power $p^n$ of a prime, there is exactly one finite field with $p^n$ elements. But the integers modulo $p^n$ do not form a field, since the congruence $px \equiv 1 \pmod{p^n}$ does not have a solution.
Example 1. Construct GF($2^2$).
Solution: Let $\mathbb{Z}_2[X]$ be the set of polynomials whose coefficients are integers mod 2, such as $X^6 + X + 1$ and $X$. The constant polynomials $0, 1$ are also in $\mathbb{Z}_2[X]$. We can add, subtract, and multiply in this set, as long as we work with the coefficients mod 2; for example,
$$(X^3 + X + 1)(X + 1) = X^4 + X^3 + X^2 + 1.$$
We can perform division with remainder, just as with the integers. For example, dividing $X^4 + X^3 + 1$ by $X^2 + X + 1$ gives
$$X^4 + X^3 + 1 = (X^2 + 1)(X^2 + X + 1) + X.$$
We can write this as $X^4 + X^3 + 1 \equiv X \pmod{X^2 + X + 1}$. Therefore, we can define $\mathbb{Z}_2[X] \pmod{X^2 + X + 1}$ to be the set
$$\{0,\ 1,\ X,\ X + 1\}$$
of polynomials of degree at most 1. Under addition and multiplication mod $X^2 + X + 1$, it is a field with 4 elements.
1.1 The Construction of the Finite Field GF(p^n)
The general procedure for constructing a finite field GF($p^n$):
(1) $\mathbb{Z}_p[X]$ is the set of polynomials with coefficients mod $p$.
(2) Choose $P(X)$ to be an irreducible polynomial mod $p$ of degree $n$.
(3) Let GF($p^n$) be $\mathbb{Z}_p[X] \bmod P(X)$. Then GF($p^n$) is a field with $p^n$ elements.
# What happens if we do the same construction for two different irreducible polynomials, both of degree $n$? It is possible to show that these are essentially the same field.
1.2 Division
The Extended Euclidean Algorithm
Example 2. Consider GF($2^8$) $= \mathbb{Z}_2[X] \pmod{X^8 + X^4 + X^3 + X + 1}$; find the inverse of $X^7 + X^6 + X^3 + X + 1$.
Solution: Calculate $\gcd(X^7 + X^6 + X^3 + X + 1,\ X^8 + X^4 + X^3 + X + 1)$ in the same way as for integers, dividing and keeping the remainder at each step:
$$X^8 + X^4 + X^3 + X + 1 = (X + 1)(X^7 + X^6 + X^3 + X + 1) + (X^6 + X^2 + X),$$
$$X^7 + X^6 + X^3 + X + 1 = (X + 1)(X^6 + X^2 + X) + 1.$$
Therefore, substituting the first remainder into the second equation,
$$1 = (X^2)(X^7 + X^6 + X^3 + X + 1) + (X + 1)(X^8 + X^4 + X^3 + X + 1).$$
Reducing mod $X^8 + X^4 + X^3 + X + 1$, we obtain
$$(X^2)(X^7 + X^6 + X^3 + X + 1) \equiv 1 \pmod{X^8 + X^4 + X^3 + X + 1},$$
so the inverse is $X^2$.
1.3 GF(2^8)
Use GF($2^8$) $= \mathbb{Z}_2[X] \pmod{X^8 + X^4 + X^3 + X + 1}$ as an example. Every element can be represented uniquely as a polynomial
$$b_7 X^7 + b_6 X^6 + b_5 X^5 + b_4 X^4 + b_3 X^3 + b_2 X^2 + b_1 X + b_0,$$
where each $b_i$ is 0 or 1. The 8 bits $b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ represent a byte. For example, $X^7 + X^6 + X^3 + X + 1$ becomes 11001011. Addition is the XOR of the bits:
$$(X^7 + X^6 + X^3 + X + 1) + (X^4 + X^3 + 1) = 11001011 \oplus 00011001 = 11010010 = X^7 + X^6 + X^4 + X.$$
Multiplication by $X$ is a shift followed by a conditional reduction:
$$(X^7 + X^6 + X^3 + X + 1)(X) = 11001011 \cdot 00000010 \to 110010110 \to 110010110 \oplus 100011011 = 010001101,$$
where the first arrow shifts left and appends a 0, and the second subtracts $X^8 + X^4 + X^3 + X + 1$ (the XOR with 100011011), which is done only if the first (ninth) bit is 1. Multiplication by an arbitrary element is obtained by repeating this shift-and-reduce step and XORing the partial products.
In summary, we see that the operations in GF($2^8$) are efficient.
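The arithmetic of Examples 1 and 2 and of section 1.3 (division with remainder in $\mathbb{Z}_2[X]$, the extended Euclidean algorithm for the inverse, and the byte representation), written out as an added Python example that is not part of the lecture. Polynomials over $\mathbb{Z}_2$ are stored as integers with bit $k$ holding the coefficient of $X^k$; the same functions serve GF($2^2$) with $P = X^2 + X + 1$ (0b111) and GF($2^8$) with the Rijndael polynomial (0x11B), which is the general construction of section 1.1 specialised to $p = 2$. The helper names are my own.

```python
# Added example (not from the lecture): arithmetic in GF(2^n) = Z_2[X] mod P(X).
# A polynomial is an int whose bit k is the coefficient of X^k, so addition is
# XOR and "shift left" is multiplication by X.

def poly_mul(a, b):
    """Carry-less product in Z_2[X] (no reduction), e.g. (X^3+X+1)(X+1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division in Z_2[X]: returns (q, r) with a = q*b + r, deg r < deg b."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r = 0, a
    db = b.bit_length() - 1                 # degree of the divisor
    while r and r.bit_length() - 1 >= db:
        shift = r.bit_length() - 1 - db     # align leading terms
        q ^= 1 << shift
        r ^= b << shift                     # subtract (= XOR) the aligned divisor
    return q, r

def gf_mul(a, b, p):
    """Multiplication in GF(2^n) = Z_2[X] mod p: multiply, then reduce."""
    return poly_divmod(poly_mul(a, b), p)[1]

def gf_inv(a, p):
    """Inverse of a mod p by the extended Euclidean algorithm (section 1.2).
    Invariant: r0 = s0*a (mod p) and r1 = s1*a (mod p); when r1 becomes 1,
    s1 is the inverse.  In characteristic 2 'subtract' is XOR."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r0, r1 = p, a
    s0, s1 = 0, 1
    while r1 > 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    if r1 == 0:
        raise ValueError("not invertible: gcd(a, p) != 1, so p is reducible")
    return poly_divmod(s1, p)[1]

def poly_str(a):
    """Render an int-coded polynomial as in the lecture, e.g. X^7 + X^6 + 1."""
    if a == 0:
        return "0"
    terms = []
    for k in range(a.bit_length() - 1, -1, -1):
        if (a >> k) & 1:
            terms.append("1" if k == 0 else "X" if k == 1 else f"X^{k}")
    return " + ".join(terms)

if __name__ == "__main__":
    RIJNDAEL = 0x11B                        # X^8 + X^4 + X^3 + X + 1
    cb = 0b11001011                         # X^7 + X^6 + X^3 + X + 1 (section 1.3)
    print("Example 1:", poly_str(0b11001), "mod", poly_str(0b111), "=",
          poly_str(poly_divmod(0b11001, 0b111)[1]))
    print("Example 2: inverse of", poly_str(cb), "is", poly_str(gf_inv(cb, RIJNDAEL)))
    print("Section 1.3: X *", f"{cb:08b}", "=", f"{gf_mul(cb, 2, RIJNDAEL):09b}")
```

Running the file prints the three worked results of the lecture; `gf_inv` also reports a reducible modulus instead of looping, which is the failure mode to watch for when a non-irreducible $P(X)$ is chosen in step (2) of section 1.1.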
2 The Basic Algorithm
For simplicity, we restrict to 128-bit keys, and first give a brief outline of the algorithm. The algorithm consists of 10 rounds. Each round has a round key, derived from the original key. There is also a 0th round key, which is the original 128-bit key itself. A round starts with an input of 128 bits and produces an output of 128 bits.
There are four basic steps, called layers, that are used to form the rounds:
(1) The ByteSub (SB) Transformation: This
non-linear layer is for resistance to
differential and linear cryptanalysis attacks.
(2) The ShiftRow (SR) Transformation: This
linear mixing step causes diffusion of the
bits over multiple rounds.
(3) The MixColumn (MC) Transformation:
This layer has a purpose similar to ShiftRow.
(4) AddRoundKey (ARK) Transformation:
The round key is XORed with the result of
the above layer.
A round is then
ByteSub → ShiftRow → MixColumn → AddRoundKey
Rijndael Encryption
(1) ARK, using the 0th round key.
(2) Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.
(3) A final round: BS, SR, ARK, using the 10th round key.
# The final round omits the MixColumn layer.
3 The Layers
The 128 input bits are grouped into 16 bytes of 8 bits each, call them
$$a_{0,0},\ a_{1,0},\ a_{2,0},\ a_{3,0},\ a_{0,1},\ a_{1,1},\ \ldots,\ a_{3,3},$$
and are arranged in a $4 \times 4$ matrix
$$\begin{pmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \end{pmatrix}.$$
In the following, we will need to work with the finite field GF($2^8$). The model of GF($2^8$) depends on a choice of irreducible polynomial of degree 8. The choice for Rijndael is $X^8 + X^4 + X^3 + X + 1$. The elements of GF($2^8$) can be represented by bytes. They can be added by XOR. They can also be multiplied in a certain way (section 1.3). Each nonzero element has a multiplicative inverse.
3.1 The ByteSub Transformation
S-Box (16 × 16), entries in decimal. The row index abcd runs down the left and the column index efgh across the top (both 0 to 15); the text below counts rows and columns from 1.
       0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
 0    99 124 119 123 242 107 111 197  48   1 103  43 254 215 171 118
 1   202 130 201 125 250  89  71 240 173 212 162 175 156 164 114 192
 2   183 253 147  38  54  63 247 204  52 165 229 241 113 216  49  21
 3     4 199  35 195  24 150   5 154   7  18 128 226 235  39 178 117
 4     9 131  44  26  27 110  90 160  82  59 214 179  41 227  47 132
 5    83 209   0 237  32 252 177  91 106 203 190  57  74  76  88 207
 6   208 239 170 251  67  77  51 133  69 249   2 127  80  60 159 168
 7    81 163  64 143 146 157  56 245 188 182 218  33  16 255 243 210
 8   205  12  19 236  95 151  68  23 196 167 126  61 100  93  25 115
 9    96 129  79 220  34  42 144 136  70 238 184  20 222  94  11 219
10   224  50  58  10  73   6  36  92 194 211 172  98 145 149 228 121
11   231 200  55 109 141 213  78 169 108  86 244 234 101 122 174   8
12   186 120  37  46  28 166 180 198 232 221 116  31  75 189 139 138
13   112  62 181 102  72   3 246  14  97  53  87 185 134 193  29 158
14   225 248 152  17 105 217 142 148 155  30 135 233 206  85  40 223
15   140 161 137  13 191 230  66 104  65 153  45  15 176  84 187  22
3.1 The ByteSub Transformation (Continued)
Write a byte as 8 bits: abcdefgh. Look for the entry in the abcd row and the efgh column (counting rows and columns from 1). For example, if the input byte is 10001011, we look in row 9 and column 12. The entry is 61, which is 00111101 in binary.
The output of ByteSub is again a $4 \times 4$ matrix of bytes:
$$\begin{pmatrix} a_{0,0} & a_{0,1} & a_{0,2} & a_{0,3} \\ a_{1,0} & a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,0} & a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,0} & a_{3,1} & a_{3,2} & a_{3,3} \end{pmatrix} \to \begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,0} & b_{1,1} & b_{1,2} & b_{1,3} \\ b_{2,0} & b_{2,1} & b_{2,2} & b_{2,3} \\ b_{3,0} & b_{3,1} & b_{3,2} & b_{3,3} \end{pmatrix}.$$
3.2 The ShiftRow Transformation
The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain
$$\begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix} = \begin{pmatrix} b_{0,0} & b_{0,1} & b_{0,2} & b_{0,3} \\ b_{1,1} & b_{1,2} & b_{1,3} & b_{1,0} \\ b_{2,2} & b_{2,3} & b_{2,0} & b_{2,1} \\ b_{3,3} & b_{3,0} & b_{3,1} & b_{3,2} \end{pmatrix}.$$
3.3 The MixColumn Transformation
The output of the ShiftRow step is a $4 \times 4$ matrix $(c_{i,j})$ with entries in GF($2^8$). Multiply this by a matrix, again with entries in GF($2^8$), to produce the output $(d_{i,j})$, as follows:
$$\begin{pmatrix} 00000010 & 00000011 & 00000001 & 00000001 \\ 00000001 & 00000010 & 00000011 & 00000001 \\ 00000001 & 00000001 & 00000010 & 00000011 \\ 00000011 & 00000001 & 00000001 & 00000010 \end{pmatrix} \begin{pmatrix} c_{0,0} & c_{0,1} & c_{0,2} & c_{0,3} \\ c_{1,0} & c_{1,1} & c_{1,2} & c_{1,3} \\ c_{2,0} & c_{2,1} & c_{2,2} & c_{2,3} \\ c_{3,0} & c_{3,1} & c_{3,2} & c_{3,3} \end{pmatrix} = \begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix}.$$
3.4 The RoundKey Addition
The round key, derived from the original key, consists of 128 bits, which are arranged in a $4 \times 4$ matrix $(k_{i,j})$ of bytes. This is XORed with the output $(d_{i,j})$ of the MixColumn step:
$$\begin{pmatrix} e_{0,0} & e_{0,1} & e_{0,2} & e_{0,3} \\ e_{1,0} & e_{1,1} & e_{1,2} & e_{1,3} \\ e_{2,0} & e_{2,1} & e_{2,2} & e_{2,3} \\ e_{3,0} & e_{3,1} & e_{3,2} & e_{3,3} \end{pmatrix} = \begin{pmatrix} d_{0,0} & d_{0,1} & d_{0,2} & d_{0,3} \\ d_{1,0} & d_{1,1} & d_{1,2} & d_{1,3} \\ d_{2,0} & d_{2,1} & d_{2,2} & d_{2,3} \\ d_{3,0} & d_{3,1} & d_{3,2} & d_{3,3} \end{pmatrix} \oplus \begin{pmatrix} k_{0,0} & k_{0,1} & k_{0,2} & k_{0,3} \\ k_{1,0} & k_{1,1} & k_{1,2} & k_{1,3} \\ k_{2,0} & k_{2,1} & k_{2,2} & k_{2,3} \\ k_{3,0} & k_{3,1} & k_{3,2} & k_{3,3} \end{pmatrix}.$$
3.5 The Key Schedule
The original key consists of 128 bits, which are arranged into a $4 \times 4$ matrix of bytes. Label the first four columns $W(0), W(1), W(2), W(3)$. The new columns are generated recursively. If $4 \nmid i$, then $W(i) = W(i-4) \oplus W(i-1)$. If $4 \mid i$, then $W(i) = W(i-4) \oplus T(W(i-1))$, where $T(W(i-1))$ is the following transformation of $W(i-1)$. Let $W(i-1) = (a, b, c, d)^{T}$. Shift the bytes cyclically, replace each byte by its S-box entry, and add the round constant to the first byte:
$$\begin{pmatrix} a \\ b \\ c \\ d \end{pmatrix} \to \begin{pmatrix} b \\ c \\ d \\ a \end{pmatrix} \xrightarrow{\ \text{S-box}\ } \begin{pmatrix} e \\ f \\ g \\ h \end{pmatrix} \to \begin{pmatrix} e \oplus (00000010)^{(i-4)/4} \\ f \\ g \\ h \end{pmatrix} = T(W(i-1)),$$
where $(00000010)^{(i-4)/4}$ is the power of the field element $X$ (the byte 00000010) computed in GF($2^8$).
The round key for the $i$th round consists of the columns $W(4i), W(4i+1), W(4i+2), W(4i+3)$.
3.6 The Construction of the S-Box
The S-box has a simple mathematical description. The inverse of the byte $x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0$ in GF($2^8$) can be represented by $y_7 y_6 y_5 y_4 y_3 y_2 y_1 y_0$. Suppose the inverse of the byte 00000000 is 00000000. The entry $z_7 z_6 z_5 z_4 z_3 z_2 z_1 z_0$ of $x_7 x_6 x_5 x_4 x_3 x_2 x_1 x_0$ in the S-box can be computed by
$$\begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ y_3 \\ y_4 \\ y_5 \\ y_6 \\ y_7 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} z_0 \\ z_1 \\ z_2 \\ z_3 \\ z_4 \\ z_5 \\ z_6 \\ z_7 \end{pmatrix},$$
with all arithmetic mod 2.
3.6 The Construction of the S-Box (Continued)
Example 3. The inverse of the byte 11001011 in GF($2^8$) is 00000100 (Example 2), so $y_2 = 1$ and all other $y_i = 0$. We calculate
$$\begin{pmatrix} 1&0&0&0&1&1&1&1 \\ 1&1&0&0&0&1&1&1 \\ 1&1&1&0&0&0&1&1 \\ 1&1&1&1&0&0&0&1 \\ 1&1&1&1&1&0&0&0 \\ 0&1&1&1&1&1&0&0 \\ 0&0&1&1&1&1&1&0 \\ 0&0&0&1&1&1&1&1 \end{pmatrix} \begin{pmatrix} 0 \\ 0 \\ 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \end{pmatrix} + \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{pmatrix}.$$
This yields the byte $z_7 \ldots z_0 = 00011111 = 31$. We check row $1100 + 1 = 13$ and column $1011 + 1 = 12$ in the S-box, and there we also obtain the entry 31.
4 Decryption
Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:
(1) The inverse of ByteSub is another lookup table, called InvByteSub (IBS).
(2) The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow (ISR).
(3) The transformation InvMixColumn (IMC) is given by multiplication by the matrix
$$\begin{pmatrix} 00001110 & 00001011 & 00001101 & 00001001 \\ 00001001 & 00001110 & 00001011 & 00001101 \\ 00001101 & 00001001 & 00001110 & 00001011 \\ 00001011 & 00001101 & 00001001 & 00001110 \end{pmatrix}.$$
(4) AddRoundKey is its own inverse.
Therefore, undoing the encryption steps in reverse order,
Rijndael encryption: ARK | BS, SR, MC, ARK | … | BS, SR, MC, ARK | BS, SR, ARK.
Rijndael decryption: ARK, ISR, IBS | ARK, IMC, ISR, IBS | … | ARK, IMC, ISR, IBS | ARK.
We can rewrite the decryption to achieve the same structure as encryption. Clearly, the order of ISR and IBS can be reversed. Applying MC and then ARK to a matrix $(c_{i,j})$ is given as
$$(c_{i,j}) \to (m_{i,j})(c_{i,j}) \to (e_{i,j}) = (m_{i,j})(c_{i,j}) \oplus (k_{i,j}).$$
The inverse is obtained by solving $(e_{i,j}) = (m_{i,j})(c_{i,j}) \oplus (k_{i,j})$. Since
$$(c_{i,j}) = (m_{i,j})^{-1}\big((e_{i,j}) \oplus (k_{i,j})\big) = (m_{i,j})^{-1}(e_{i,j}) \oplus (m_{i,j})^{-1}(k_{i,j}),$$
the process is
$$(e_{i,j}) \to (m_{i,j})^{-1}(e_{i,j}) \to (m_{i,j})^{-1}(e_{i,j}) \oplus (k'_{i,j}),$$
where $(k'_{i,j}) = (m_{i,j})^{-1}(k_{i,j})$. The first arrow is IMC. Let InvAddRoundKey (IARK) be XORing with $(k'_{i,j})$. We can use "IMC and IARK" to replace "ARK and IMC".
Now, the decryption is given by
Rijndael decryption: ARK, IBS, ISR | IMC, IARK, IBS, ISR | … | IMC, IARK, IBS, ISR | ARK.
Rijndael Decryption
(1) ARK, using the 10th round key.
(2) Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.
(3) A final round: IBS, ISR, ARK, using the 0th round key.
# It is to keep this matching structure that MC is omitted in the last round of the encryption.
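AES-128 assembled from the layers of sections 2 to 4, as an added Python example that is not part of the lecture. The S-box is generated from its algebraic definition in section 3.6 (inverse in GF($2^8$), then the affine map with constant 01100011), the key schedule follows section 3.5, and decryption applies the inverse layers in reverse order as in section 4. The state and the round keys are 16-byte lists in column-major order (byte $r + 4c$ is row $r$, column $c$), which is the convention of FIPS-197; the Appendix C.1 test vector of that standard (key 000102…0f, plaintext 00112233…eeff) is used as the check. Function names are my own.

```python
# Added example (not from the lecture): AES-128 built from the layers BS, SR,
# MC, ARK and their inverses.  Not a production implementation: the table
# lookups and GF(2^8) loops are data-dependent and make no timing guarantees.

MODULUS = 0x11B  # X^8 + X^4 + X^3 + X + 1, the Rijndael polynomial

def xtime(b):
    """Multiply a byte by X in GF(2^8): shift left, reduce if bit 8 is set."""
    b <<= 1
    return b ^ MODULUS if b & 0x100 else b

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add (section 1.3)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """a^254 = a^-1 for a != 0 (the 255 nonzero elements form a group); inv(0) := 0."""
    r, p = 1, a
    for _ in range(7):              # r = a^2 * a^4 * ... * a^128 = a^254
        p = gf_mul(p, p)
        r = gf_mul(r, p)
    return r

def affine(y):
    """z = A*y + c over GF(2) from section 3.6: row i of the circulant A has
    ones in columns i, i+4, i+5, i+6, i+7 (mod 8); c = 01100011 = 0x63."""
    z = 0
    for i in range(8):
        bit = 0
        for j in (0, 4, 5, 6, 7):
            bit ^= (y >> ((i + j) % 8)) & 1
        z |= bit << i
    return z ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _v in enumerate(SBOX):
    INV_SBOX[_v] = _x

def shift_rows(s, inverse=False):
    """Row r rotated left by r positions (right for the inverse)."""
    sign = -1 if inverse else 1
    return [s[r + 4 * ((c + sign * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, m=(2, 3, 1, 1)):
    """Multiply each column by the circulant matrix whose first row is m;
    m = (2, 3, 1, 1) is MC (section 3.3), m = (14, 11, 13, 9) is IMC (section 4)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(m[(j - r) % 4], col[j])   # row r = m rotated right by r
            out.append(v)
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):
    """Section 3.5: W(0..43); W(i) = W(i-4) xor W(i-1), or xor T(W(i-1)) when 4 | i.
    Returns the 11 round keys, each as 16 bytes in column order."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1                                        # X^((i-4)/4), starting at X^0
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # rotate, then S-box each byte
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])           # ARK with the 0th round key
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                    # BS
        s = shift_rows(s)                           # SR
        if r < 10:                                  # the final round omits MC
            s = mix_columns(s)
        s = add_round_key(s, rk[r])                 # ARK
    return bytes(s)

def decrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[10])          # ARK with the 10th round key
    for r in range(9, -1, -1):
        s = shift_rows(s, inverse=True)             # ISR
        s = [INV_SBOX[b] for b in s]                # IBS
        s = add_round_key(s, rk[r])                 # ARK
        if r > 0:                                   # no IMC before the 0th round key
            s = mix_columns(s, (14, 11, 13, 9))     # IMC
    return bytes(s)

if __name__ == "__main__":
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(key, pt)
    print(ct.hex(), decrypt_block(key, ct) == pt)
```

The decryption here uses the straightforward "inverse steps in reverse order" form of section 4 rather than the rewritten IMC/IARK form; the two are equivalent, and the rewritten form only matters when encryption and decryption must share one code path. Checking a generated S-box against the published table (for instance the entries 61 and 31 worked in sections 3.1 and 3.6) is the cheapest way to catch a wrong modulus or affine constant before any ciphertext is trusted.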
5 Design Consideration
(1) The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES.
(2) Unlike the Feistel system, all bits are treated uniformly. This has the effect of diffusing the input bits faster. It can be shown that two rounds are sufficient to obtain full diffusion.
(3) The S-box is constructed in an explicit and simple algebraic way so as to avoid the mysteries of trapdoors built into the algorithm. It is excellent at resisting differential and linear cryptanalysis, as well as interpolation attacks.
(4) The SR step is added to resist truncated differentials and the Square attack.
(5) The MC causes diffusion among the bytes.
(6) The ARK involves nonlinear mixing of the key bits. The mixing is designed to resist the known part-key attack. The round constants are used to eliminate symmetries.
(7) The number of rounds was chosen to be 10 because there are attacks that are better than brute force up to seven rounds, as of 2004. No known attack beats brute force for seven or more rounds. It was felt that three extra rounds provide a large enough margin of safety.
6 Implementation Concerns
We have seen that the Rijndael internal functions are very simple and operate in trivially small algebraic spaces. As a result, implementations of these internal functions can be made extremely efficient. From our descriptions of the Rijndael internal functions, SB/ISB and MC/IMC are worthy of fast-implementation considerations.
(1) For SB/ISB, we suggest using the "S-box lookup" method: a small S-box with $2^8 = 256$ pairs of bytes can be built once and used forever (i.e., the table can be "hardwired" into hardware or software implementations). The "S-box lookup" method is not only efficient but also prevents a timing analysis attack, which is based on observing the difference in operation time for different data, which may suggest whether an operation is performed on bit 0 or bit 1.
(2) In MC, multiplication between elements in GF($2^8$) can also be realized via a "table lookup" method: $z = xy$ (field multiplication) where $x \in \{01, 10, 11\}$ and $y \in$ GF($2^8$). Further notice that the byte 01 is simply the multiplicative identity in the field, i.e., $01 \cdot y = y$. Thus, an implementation (either in software or hardware) of this multiplication table only needs $2 \times 256 = 512$ entries. This small table is not much larger than the one every primary school pupil has to recite. This realization is not only fast but also decreases the risk of the timing analysis attack.
(3) IMC is not quite as fast as MC. This is because the entries in the $4 \times 4$ matrix for IMC are more complex than those for MC, so decryption runs about 30% longer than encryption on such processors. However, in some applications, decryption is not needed.
7 Positive Impact of the AES
(1) Multiple encryption, such as triple-DES, will become unnecessary with the AES. Since multiple encryption uses several keys, avoiding multiple encryption will mean a reduction in the number of cryptographic keys that an application has to manage, and hence will simplify the design of security protocols and systems.
(2) Wide use of the AES will lead to the
emergence of new hash functions of compatible
security strengths. In several ways, block cipher
encryption algorithms are closely related to hash
functions. It has been a standard practice that
block cipher encryption algorithms are often used
to play the role of one-way hash functions. The
logging-in authentication protocol of the UNIX
operating system is a well-known example. We
have seen a typical "one-way transformation"
usage of the DES function in the realization of the
UNIX password scheme. Another example is to
use block cipher encryption algorithms to realize
(keyed) one-way hash functions.
(3) Just as the DES's position as a standard attracted much cryptanalytic attention aimed at breaking the algorithm, and those efforts contributed to the advance of knowledge in block cipher cryptanalysis, the AES as the new block cipher standard will also give rise to a new resurgence of research interest in block cipher cryptanalysis, which will certainly further advance the knowledge in the area.
8 Modes of Operation
Usually, the long message is divided into a series of
sequentially listed message blocks, and the cipher
processes these blocks one at a time. A number of
different modes of operation have been devised on
top of an underlying block cipher algorithm. These
modes of operation provide several desirable
properties to the ciphertext blocks, such as adding
non-determinism (randomness) to a block cipher
algorithm, padding plaintext messages to an
arbitrary length, control of error propagation,
generation of key stream for a stream cipher, etc.
8.1 Electronic Codebook (ECB)
The plaintext $P$ is broken into smaller chunks $P = [P_1, P_2, \ldots, P_L]$ and the ciphertext is
$$C = [C_1, C_2, \ldots, C_L],$$
where $C_j = E_K(P_j)$ is the encryption of $P_j$ using the key $K$.
Properties of the ECB mode of operation:
(1) Identical plaintext blocks (under the same key) result in identical ciphertext.
(2) Chaining dependencies: blocks are enciphered independently of other blocks. Reordering ciphertext blocks results in correspondingly reordered plaintext blocks.
(3) Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only.
8.1 Electronic Codebook (ECB) (Continued)
Comment. Since ciphertext blocks are independent, malicious substitution of ECB blocks (e.g., insertion of a frequently occurring block) does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns: identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.
8.2 Cipher Block Chaining (CBC)
The cipher-block chaining (CBC) mode of operation is specified as
$$C_j = E_K(P_j \oplus C_{j-1}), \qquad P_j = D_K(C_j) \oplus C_{j-1},$$
where $C_0$ is some chosen initial value and $D_K$ is the decryption function.
[Figure: CBC encryption. Each plaintext block $P_1, P_2, \ldots$ is XORed with the previous ciphertext block ($C_0$ for the first) and passed through $E_K$, giving $C_1, C_2, \ldots$]
8.2 Cipher Block Chaining (CBC) (Continued)
Properties of the CBC mode of operation:
(1) Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and $C_0$. Changing the first plaintext block (e.g., using a counter or random field) results in different ciphertext.
(2) Chaining dependencies: the chaining mechanism causes ciphertext $C_j$ to depend on $P_j$ and all preceding plaintext blocks. Consequently, rearranging the order of ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires a correct preceding ciphertext block.
(3) Error propagation: a single bit error in ciphertext block $C_j$ affects decipherment of blocks $C_j$ and $C_{j+1}$.
(4) Error recovery: the CBC mode is self-synchronizing, or ciphertext-autokey, in the sense that if an error (including loss of one or more entire blocks) occurs in block $C_j$ but not $C_{j+1}$, then $C_{j+2}$ is correctly decrypted to $P_{j+2}$.
8.3 Cipher Feedback (CFB)
The plaintext is broken into 8-bit pieces $P = [P_1, P_2, \ldots, P_8]$, where each $P_j$ has 8 bits, rather than 64 bits. The CFB mode has the following operations.
Encryption Procedure
An initial 64-bit value $X_1$ is chosen. Then for $j = 1, 2, 3, \ldots$, the following is performed:
$$C_j = P_j \oplus L_8(E_K(X_j)),$$
$$X_{j+1} = R_{56}(X_j) \,\|\, C_j,$$
where $L_8(X)$ denotes the 8 leftmost bits of $X$, $R_{56}(X)$ denotes the 56 rightmost bits of $X$, and $X \,\|\, Y$ denotes concatenation.
Decryption Procedure
$$P_j = C_j \oplus L_8(E_K(X_j)), \qquad X_{j+1} = R_{56}(X_j) \,\|\, C_j.$$
# By the end of the 8th round, the initial value has disappeared from the 64-bit register and $X_9 = C_1 \,\|\, C_2 \,\|\, \cdots \,\|\, C_8$.
8.3 Cipher Feedback (CFB) (Continued)
Properties of the CFB mode of operation:
(1) Identical plaintexts: changing $X_1$ results in the same plaintext input being enciphered to a different output. The value $X_1$ need not be secret.
(2) Chaining dependencies: similar to CBC encryption, the chaining mechanism causes ciphertext block $C_j$ to depend on both $P_j$ and preceding plaintext blocks. Consequently, reordering ciphertext blocks affects decryption. Proper decryption of a correct ciphertext block requires the preceding 8 ciphertext blocks to be correct.
(3) Error propagation: one or more bit errors in any single ciphertext block $C_j$ affect the decipherment of that and the next 8 ciphertext blocks.
(4) Error recovery: the CFB mode is self-synchronizing similar to CBC, but requires 8 ciphertext blocks (64 bits) to recover.
(5) Throughput: throughput is decreased by a factor of 64/8 (vs. CBC) in that each execution of $E$ yields only 8 bits of ciphertext output.
Comment. Since the encryption function $E$ is used for both CFB encryption and decryption, the CFB mode must not be used if the block cipher $E$ is a public-key algorithm; instead, the CBC mode should be used.
9 Message Authentication Code
Definition 1. A message authentication code (MAC) algorithm is a family of functions $h_k$ parameterized by a secret key $k$, with the following properties:
(1) Ease of computation: for a known function $h_k$, given a value $k$ and an input $x$, $h_k(x)$ is easy to compute. This result is called the MAC-value or MAC.
(2) Compression: $h_k$ maps an input $x$ of arbitrary finite bit length to an output $h_k(x)$ of fixed bit length $n$. Furthermore, given a description of the function family $h$, for every fixed allowable value of $k$ (unknown to an adversary), the following property holds:
(3) Computation-resistance: given zero or more text-MAC pairs $(x_i, h_k(x_i))$, it is computationally infeasible to compute any text-MAC pair $(x, h_k(x))$ for any new input $x \ne x_i$ (including possibly for $h_k(x) = h_k(x_i)$ for some $i$).
9.1 Objectives of Adversaries vs. MAC
The goal: without prior knowledge of a key $k$, compute a new text-MAC pair $(x, h_k(x))$ for some text $x \ne x_i$, given one or more pairs $(x_i, h_k(x_i))$.
The potential abilities of the adversaries:
(1) Known-text attack: one or more text-MAC pairs $(x_i, h_k(x_i))$ are available.
(2) Chosen-text attack: one or more text-MAC pairs $(x_i, h_k(x_i))$ are available for $x_i$ chosen by the adversary.
(3) Adaptive chosen-text attack: now allowing successive choices to be based on the results of prior queries.
9.2 Types of Forgery
The severity of the practical consequences
may differ depending on the degree of control
an adversary has over the value x for which a
MAC may be forged.
(1) Selective forgery: attacks whereby an
adversary is able to produce a new text-MAC
pair for a text of his choice (or perhaps
partially under his control).
(2) Existential forgery: attacks whereby an
adversary is able to produce a new text-MAC
pair, but with no control over the value of that
text.
9.3 Case Study – CBC-Based MAC
Let $E_K$ be a block cipher. The message $M$ is broken into $n$-bit blocks $M = [M_1, M_2, \ldots, M_t]$, where $n$ is the block length of $E_K$. The CBC-MAC algorithm performs the following steps:
(1) CBC processing. Compute the block $H_t$ as follows:
$$H_1 = E_K(M_1); \qquad H_i = E_K(H_{i-1} \oplus M_i),\ 2 \le i \le t.$$
(2) Optional process to increase the strength of the MAC. Using a second secret key $K' \ne K$, optionally compute $H'_t = D_{K'}(H_t)$, $H''_t = E_K(H'_t)$.
(3) Completion. The MAC is the $n$-bit block $H_t$ (or $H''_t$ when step (2) is used).
9.3 Case Study – CBC-Based MAC (Continued)
[Figure: CBC-MAC. Starting from the all-zero block, each message block $M_1, M_2, \ldots, M_t$ is XORed with the previous output and passed through $E_K$, giving $H_1, H_2, \ldots, H_{t-1}, H_t$; the optional step applies $D_{K'}$ and then $E_K$ to $H_t$.]
9.3 Case Study – CBC-Based MAC (Continued)
Comment.
(1) It is obvious that the computation for
creating a CBC-MAC involves noninvertible
data compression (in essence, a CBC-MAC is a
'short digest' of the whole message), and so a
CBC-MAC is a one-way transformation.
(2) The mixing-transformation property of the underlying block cipher adds a hash feature to this one-way transformation (i.e., it distributes a MAC over the MAC space as uniformly as the underlying block cipher should do over its ciphertext message space).
(3) We can assume that in order to create a
valid CBC-MAC, a principal actually has
to be in possession of the key K for the
underlying block cipher algorithm. The
receiver who shares the key K with the
transmitter should recalculate the MAC
from the received message and check that
it agrees with the version received. If so,
the message can be believed to have come
from the claimed transmitter.
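The ECB, CBC and 8-bit CFB modes of section 8 and the CBC-MAC of section 9.3, as one added Python example that is not part of the lecture, written generically over a block cipher $E_K$/$D_K$ with a 64-bit block so that the error-propagation and chaining properties listed above can be observed directly. Python's standard library has no AES, so a tiny 4-round Feistel network built on SHA-256 stands in for $E_K$; it is an assumption made only to keep the example self-contained and is not a real cipher. Keys, the initial values and the sample messages are constructed values; function names are my own.

```python
# Added example (not from the lecture): block-cipher modes and CBC-MAC over a
# stand-in 64-bit block cipher.  The Feistel stand-in is NOT a real cipher; it
# only provides an invertible keyed permutation so the modes can be exercised.
import hashlib
import hmac

BLOCK = 8  # 64-bit block, as in the CFB description of section 8.3

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, half, i):
    """Keyed round function of the stand-in cipher (assumed, not AES)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def enc_block(key, block):
    """Stand-in E_K: 4 Feistel rounds, (L, R) -> (R, L xor F(R))."""
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, xor(l, _round_fn(key, r, i))
    return l + r

def dec_block(key, block):
    """Stand-in D_K: the rounds undone in reverse order."""
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = xor(r, _round_fn(key, l, i)), l
    return l + r

def ecb_encrypt(key, pt):
    """Section 8.1: C_j = E_K(P_j), each block independent of the others."""
    return b"".join(enc_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key, c0, pt):
    """Section 8.2: C_j = E_K(P_j xor C_{j-1}), C_0 the chosen initial value."""
    out, prev = [], c0
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, c0, ct):
    """P_j = D_K(C_j) xor C_{j-1}; an error in C_j disturbs P_j and P_{j+1} only."""
    out, prev = [], c0
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(dec_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8_register(x, ct):
    """X_{j+1} = R_56(X_j) || C_j applied for each ciphertext byte in ct."""
    for c in ct:
        x = x[1:] + bytes([c])
    return x

def cfb8_encrypt(key, x1, pt):
    """Section 8.3: C_j = P_j xor L_8(E_K(X_j)); only E_K is ever needed."""
    out, x = [], x1
    for p in pt:
        c = p ^ enc_block(key, x)[0]          # L_8 = the leftmost byte
        out.append(c)
        x = cfb8_register(x, bytes([c]))
    return bytes(out)

def cfb8_decrypt(key, x1, ct):
    out, x = [], x1
    for c in ct:
        out.append(c ^ enc_block(key, x)[0])
        x = cfb8_register(x, bytes([c]))
    return bytes(out)

def cbc_mac(key, msg, key2=None):
    """Section 9.3: H_1 = E_K(M_1), H_i = E_K(H_{i-1} xor M_i); optionally
    H_t' = D_{K'}(H_t) and H_t'' = E_K(H_t') with a second key K' != K."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    h = bytes(BLOCK)                          # the all-zero start of the figure
    for i in range(0, len(msg), BLOCK):
        h = enc_block(key, xor(h, msg[i:i + BLOCK]))
    if key2 is not None:
        h = enc_block(key, dec_block(key2, h))
    return h

def verify_mac(key, msg, tag, key2=None):
    """Receiver side (comment (3)): recompute and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, msg, key2), tag)

def blocks_differing(a, b, size=BLOCK):
    """1-based indices of the size-byte blocks at which a and b differ."""
    return [i // size + 1 for i in range(0, len(a), size) if a[i:i + size] != b[i:i + size]]
```

With four identical plaintext blocks, `ecb_encrypt` returns four identical ciphertext blocks (property (1) of ECB) while `cbc_encrypt` does not; flipping one bit in $C_2$ before `cbc_decrypt` garbles exactly $P_2$ and $P_3$, and a flipped byte in 8-bit CFB spoils that byte and up to the following eight, after which the register has been refilled with correct ciphertext. `verify_mac` is the receiver's check from comment (3): the tag is recomputed from the received message under the shared key and compared with `hmac.compare_digest` so that the comparison time does not depend on where the first mismatching byte is.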
Thank You !