Transcript Exact MEDP/MELP for 2
Introduction to Block Ciphers
Liam Keliher, Dept. Mathematics and Computer Science, Mount Allison University
Terminology
Cryptography: Study of mathematical techniques to provide information security
Cryptanalysis: Analysis of cryptographic methods, either to expose weaknesses or to prove strengths
Cryptology: Cryptography + Cryptanalysis
Primitive: Cryptographic building block – typically a mathematical function of some kind, e.g., hash function, digital signature scheme, block cipher
A block cipher is an encryption/decryption algorithm
► parameterized by a (master) key known only to communicating parties
► input (plaintext) / output (ciphertext) are n-bit strings (n = block size)
[Figure: plaintext (p) → encryption algorithm e (key k) → ciphertext (c) → decryption algorithm d (key k) → plaintext (p); Attacker]
Most Block Ciphers are Product Ciphers
[Figure: plaintext (p) → Round 1 → Round 2 → Round 3 → … → Round R → ciphertext (c); master key k → subkeys k_1, k_2, k_3, …, k_R]
Feistel Network
► Standard block cipher structure
► Consists of multiple rounds (simpler encryption steps)
► One round:
    input is split in half
    left input half copied to right half of output
    left input half forms input to round function, which depends on subkey for current round
    round function output is XORed with right half of input to produce left half of output
[Figure: one Feistel round with n/2-bit left and right halves, round function f, subkey k_r]
SPN-Based Block Ciphers
Substitution-Permutation Network (SPN):
► Consists of multiple encryption rounds
► one round = three layers
    Subkey mixing (XOR)
    Substitution (s-boxes)
    Linear transformation
Well-known Block Ciphers
► Data Encryption Standard (DES)
    standardized by U.S. government in 1977
    Feistel network with 64-bit block and 56-bit key
    extensively cryptanalyzed (led to many new attacks)
► Advanced Encryption Standard (AES)
    selected as winner of NIST competition in 2001
    SPN structure with 128-bit block and 128/192/256-bit key
► Camellia
    successor to Japanese AES candidate E2
    Feistel network in which the round function is a mini SPN
Advanced Encryption Standard (AES)
► Originally called Rijndael (“Rhine-doll”) from names of designers, Vincent Rijmen and Joan Daemen
► Number of rounds is based on key size:
    128 bits: 10 rounds
    192 bits: 12 rounds
    256 bits: 14 rounds
► Widely adopted since 2001
    arguably the most implemented block cipher today
    used in Mount Allison’s wireless network
Camellia
► Block cipher introduced by NTT and Mitsubishi in August 2000
    used in Sony PSP, WinZIP, OpenSSH, etc.
► Incorporated into numerous international standards (e.g., ISO/IEC, IETF)
► Considered competitive with the Advanced Encryption Standard (AES) for security and speed
► Based on variation of Feistel network design above
Camellia Specifics
► Block size: N = 128 bits
► Possible key sizes: 128, 192, 256 bits
► Number of rounds depends on key size: 128 → 18 rounds / 192 or 256 → 24 rounds
► Subkeys are same size as input block (128 bits)
► Round function:
[Figure: round function with subkey k_r, eight s-boxes (S), and a 64-bit linear transformation]
Breakdown of Camellia Round Function
= XOR operation (bitwise addition modulo 2)
S = substitution box (s-box): invertible mapping {0,1}^8 → {0,1}^8 [needs to be nonlinear]
= linear transformation; fast way to combine s-box outputs
Differential Cryptanalysis (DC)
► Based on probability that a plaintext pair with a fixed XOR “difference” will produce an intermediate pair after (R-1) rounds with a fixed XOR difference
    called differential probability (DP)
    depends on (unknown) key, but average values can be used
► Given fixed input/output differences with high DP, and enough captured plaintext-ciphertext pairs, attack can extract some or all of the key
► DC was first successful attack on the Data Encryption Standard (an ancestor of Camellia)
► Discovered in 1990 by Biham and Shamir
[Figure: input (plaintext) difference Δp → rounds 1 … (R-1) → Δq → round R → Δc, output (ciphertext) difference]
View this as a big s-box:
► Want to find (Δx, Δy) such that DP(Δx, Δy) is maximized
► Reason: data complexity (number of p-c pairs required for successful attack) is proportional to inverse of this DP value
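Added example (not from the original slides): exact DP computation for a toy 4-bit cipher in which each round XORs a subkey and applies one s-box, showing that the fixed-key DP depends on the key once there are two rounds and that the key-averaged DP is still well defined. The s-box choice, toy_encrypt and the other function names are assumptions made for illustration, and the example goes beyond the slides by computing the average numerically.

```python
from fractions import Fraction
from itertools import product

# Sample 4-bit s-box chosen for this example (row 0 of DES S-box S1); not from the slides.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
N = 16  # number of distinct 4-bit blocks


def toy_encrypt(x, keys):
    """Hypothetical toy cipher: per round, XOR a 4-bit subkey then apply the s-box."""
    for k in keys:
        x = SBOX[x ^ k]
    return x


def dp_fixed_key(dx, dy, keys):
    """Exact DP(dx, dy) under one fixed key: the fraction of inputs x for which
    the pair (x, x ^ dx) encrypts to a pair with XOR difference dy."""
    hits = sum(toy_encrypt(x, keys) ^ toy_encrypt(x ^ dx, keys) == dy
               for x in range(N))
    return Fraction(hits, N)


def dp_expected(dx, dy, rounds):
    """DP averaged over all choices of independent, uniform subkeys."""
    all_keys = list(product(range(N), repeat=rounds))
    return sum(dp_fixed_key(dx, dy, ks) for ks in all_keys) / len(all_keys)


def best_differential(rounds):
    """Nonzero (dx, dy) with the largest key-averaged DP, plus that DP."""
    return max(((dx, dy, dp_expected(dx, dy, rounds))
                for dx in range(1, N) for dy in range(1, N)),
               key=lambda t: t[2])


if __name__ == "__main__":
    dx, dy, p = best_differential(rounds=1)
    # Data complexity is proportional to 1/DP (constant factor not modelled here).
    print(f"1 round: best ({dx:#x}, {dy:#x}), DP = {p}, 1/DP = {1 / p}")
    # With one round the key XOR cancels in the difference, so DP is key-independent.
    print("1 round, DP over k1:", {str(dp_fixed_key(dx, dy, (k,))) for k in range(N)})
    # With two rounds the fixed-key DP changes with the second subkey.
    per_key = sorted({dp_fixed_key(dx, dy, (0, k2)) for k2 in range(N)})
    print("2 rounds, DP over k2:", [str(v) for v in per_key])
    print("2 rounds, key-averaged DP:", dp_expected(dx, dy, 2))
```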