Overview of Modern Cryptography

Cryptography
• Block Ciphers and Feistel Functions
What Cryptography is about
Don’t Panic…it is not as hard as you think,
so why do you think it's hard?
Some Basics:
Kerckhoffs's principle
Symmetric v Asymmetric
Asymmetric: relationships in number theory
Symmetric: Transposition and Substitution
Block v Stream Cipher
Symmetric ciphers
• Block ciphers
– Substitution and Transposition
• Historical ciphers (all substitution):
– ATBASH
– Playfair
– Caesar
– Vigenere
Information Theory Cryptography Concepts
• Diffusion: a change to one character in the plain text
affects multiple characters in the cipher text. This is
unlike historical algorithms (Caesar cipher, Atbash,
Vigenere), where each plain text character affected only
one cipher text character.
• Confusion: attempts to make the relationship
between the statistical frequencies of the cipher text
and the actual key as complex as possible. This
occurs by using a complex substitution algorithm.
Information Theory Cryptography Concepts
Avalanche: This term means that a small change
yields large effects in the output, like an
avalanche. This is Feistel's variation on Claude
Shannon's concept of diffusion.
Obviously a high avalanche impact is desirable in any
cryptographic algorithm. Ideally a change in one
bit in the plain text would affect all the bits of the
cipher text. This would be complete avalanche.
The Feistel Function
This function is named after its inventor, the
German-born physicist and cryptographer
Horst Feistel.
At the heart of most block ciphers is a Feistel
function, which makes it one of the most
influential developments in symmetric block
ciphers. It is also known as a Feistel network
or a Feistel cipher.
Feistel History
• Used in DES, CAST-128, Blowfish, Twofish, RC5,
and others.
• First seen in IBM's Lucifer algorithm (the precursor
to DES).
• Michael Luby and Charles Rackoff analyzed the
Feistel cipher construction and proved that if the
round function is a cryptographically secure
pseudorandom function, then 3 rounds is
sufficient to make the block cipher a
pseudorandom permutation, while 4 rounds is
sufficient to make it a "strong" pseudorandom
permutation.
The Feistel Function-Continued
This function starts by splitting the block of plain text data (often 64 bits) into
two parts (traditionally termed L0 and R0)
The round function F is applied to 1 of the halves. The term ‘round function’
simply means a function performed with each iteration, or round, of the Feistel
cipher. The details of the round function F can vary with different
implementations. Usually these are relatively simple functions, to allow for
increased speed of the algorithm.
The output of each round function F is then xor’d with the other half. What this
means is that, for example, you take L0, pass it through the round function F,
then take the result and xor it with R0.
Then the halves are transposed. So L0 gets moved to the right and R0 gets
moved to the left.
This process is repeated a given number of times. The main difference between
Feistel based cryptography algorithms is the exact nature of the round function
F, and the number of iterations.
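Added example (not from the original slides): the round structure described above as a small Python Feistel cipher, with decryption and an avalanche count. The round function (truncated HMAC-SHA256), the key schedule, and the sample key and block are assumptions made for the demo.

```python
import hashlib
import hmac

HALF = 4  # bytes per half: a 64-bit block split into L0 and R0

def F(half, round_key):
    # Assumed round function: truncated HMAC-SHA256. Not invertible,
    # and the Feistel structure never needs it to be.
    return hmac.new(round_key, half, hashlib.sha256).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key, rounds):
    # Hypothetical key schedule for the demo: one derived key per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def encrypt_block(block, key, rounds=16):
    L, R = block[:HALF], block[HALF:]
    for k in round_keys(key, rounds):
        # Page's convention: F(L) is XORed into R, then the halves swap.
        L, R = xor(R, F(L, k)), L
    return L + R

def decrypt_block(block, key, rounds=16):
    L, R = block[:HALF], block[HALF:]
    for k in reversed(round_keys(key, rounds)):
        # Undo one round: the old L now sits in R, so F can be recomputed.
        L, R = R, xor(L, F(R, k))
    return L + R

def avalanche(block, key, bit, rounds=16):
    # Flip one plaintext bit and count the ciphertext bits that change.
    flipped = bytearray(block)
    flipped[bit // 8] ^= 1 << (bit % 8)
    a = encrypt_block(block, key, rounds)
    b = encrypt_block(bytes(flipped), key, rounds)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    key, pt = b"constructed key", b"8 bytes!"  # constructed sample input
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key))
    for r in (1, 2, 4, 16):
        print(r, "rounds:", avalanche(pt, key, 32, r), "of 64 bits changed")
```

With a single round, flipping a bit in R0 changes exactly one ciphertext bit, which is why the number of rounds matters for diffusion.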
A simple view of a single Round
The Feistel Function
Here is a general overview of a basic round of a Feistel cipher.
[Figure: a single Feistel round. The block from the plain text is split into halves L0 and R0; L0 goes through the round function F; the output of F is XORed with R0; then L0 and R0 are swapped.]
Feistel Encryption and Decryption
[Figure: Feistel encryption and decryption]
Basic Facts
• Larger Block sizes increase security.
• Larger Key sizes increase security.
• If the round function is secure, then more
rounds increase security.
P-Boxes and S-Boxes
An s-box is just a substitution box. It defines that each of
the input bits is substituted with a new bit.
A p-box, or permutation box, is a variation on the s-box.
Instead of each input bit being mapped to a bit found in
a lookup table, the bits that are input are transposed or
permuted. Some may be transposed, and others left in
place. For example, a 6 bit p-box may swap the 1st and 4th
bits, swap the 2nd and 3rd bits, but leave the 5th bit in place.
Using the Feistel FUNCTION
The classic example is DES. The Data Encryption Standard is a
classic in the annals of cryptography. It was selected by the
National Bureau of Standards as an official Federal Information
Processing Standard (FIPS) for the United States in 1976. While it
is now considered outdated and is not recommended for use, it
was the premier block cipher for many years and bears study.
Many cryptography textbooks and university courses use this as
the primary example of block ciphers.
DES uses a 56-bit key applied to a 64 bit block. (note there is
actually a 64 bit key generated but 8 bits are just for error
correction.)
DES is a Feistel cipher with 16 rounds and a 48-bit round key for
each round. So its general functionality follows the Feistel method
of dividing the 64 bit block into two halves (32 bits each), applying
the round function to one half, then xor’ing that output with the
other half, and finally swapping the halves.
DES REALLY HAS ONLY 4 STEPS
DES
The actual algorithm: Generating the round key
Step 1: To generate the round keys, the 56-bit key is split into two
28-bit halves and those halves are circularly shifted after each
round by one or two bits. In other words the halves are first
subjected to a round function, then the keys are shifted by 1 to
2 bits. 48 bits are selected from this process each round to
create the round key. So each round has a slightly different key.
Step 2: Then the 32 bit halves are expanded to 48 bits (eight 6 bit
blocks); this is a permutation. The 48 bit halves are xor'd with the
round key. Then the round function (next slide) is applied.
DES- Continued
Step 3: The DES round function uses eight S-boxes. The term s-box just
means substitution boxes and they are look-up tables. Each item
passed into the box, is substituted with the item that matches it in
the lookup table. This is a very common tactic in symmetric key
algorithms. Each one of the DES s-boxes takes in 6 bits and produces
4 bits. The middle 4 bits of the 6 bit input are used to lookup the 4 bit
replacement. This produces eight 4 bit blocks, that are concatenated
into one 32 bit block.
Step 4: The 32 bit block is put through a P-box.
This is done each round of DES, and remember that DES has 16
rounds. So this is an effective way to scramble the plain text.
We get high diffusion and confusion.
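Added example (not from the original slides): the 6-bit-in, 4-bit-out lookup of Step 3 using DES S-box S1 as published in FIPS 46, plus the 6 bit p-box described earlier. In DES the middle four bits select the column and the two outer bits select one of four rows; leaving bit 6 in place in the p-box is an assumption, since the slide does not mention it.

```python
# DES S-box S1 (4 rows x 16 columns), as published in FIPS 46.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(six_bits, table=S1):
    # Outer bits (first and last) pick the row, middle four the column.
    row = ((six_bits >> 4) & 0b10) | (six_bits & 1)
    col = (six_bits >> 1) & 0b1111
    return table[row][col]

def preimages(out4):
    # Every 4-bit output has several 6-bit inputs: the S-box is not
    # invertible, which a Feistel round function does not need to be.
    return [x for x in range(64) if sbox(x) == out4]

def min_output_change():
    # Flip each single input bit of every input and report the fewest
    # output bits that ever change (a measure of local avalanche).
    return min(bin(sbox(x) ^ sbox(x ^ (1 << b))).count("1")
               for x in range(64) for b in range(6))

def pbox(bits, order):
    # Permute a bit string; order[i] is the 1-based source of output bit i.
    return "".join(bits[src - 1] for src in order)

# The slide's p-box: swap bits 1 and 4, swap bits 2 and 3, keep bit 5.
# Bit 6 staying in place is an assumption.
PAGE_PBOX = [4, 3, 2, 1, 5, 6]

if __name__ == "__main__":
    print(format(sbox(0b011011), "04b"))   # row 01, column 1101
    print(len(preimages(5)), "inputs map to 0101")
    print("fewest output bits changed by one input bit:", min_output_change())
    print(pbox("101100", PAGE_PBOX))       # constructed sample input
```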
Unbalanced Feistel Cipher
There is a variation of the Feistel network called
an Unbalanced Feistel cipher. Unbalanced Feistel
ciphers use a modified structure where L0 and R0
are not of equal lengths. This means that L0
might be 32 bits and R0 could be 64 bits (making
a 96 bit block of text). This variation is actually
used in the Skipjack algorithm.
Note: one can also have an expanding or
contracting unbalanced cipher.
KFC (Krazy Feistel Cipher)
• Developed by Thomas Baignères and
Matthieu Finiasz, presented at AsiaCrypt
2006
• Instead of computing the advantage of the
best d-limited adversary, KFC will bound it
by a function of the advantage of the best
(d − 1)-limited adversary.
KFC Continued
• Note this image comes from the Baignères and
Finiasz paper
• Idea: Replace the layers of
random permutations with
layers of random functions
• The following image is also
from their paper/presentation
KFC Continued
Dual Feistel
This is my own variation. It involves two round functions, one being applied to
each half.
[Figure: Dual Feistel round. The block from the plain text is split into halves L0 and R0. Labels: Round Function F, Output of F, XOR, Round Function F2, Output of F2.]
Simple ways to improve block ciphers
• Without any math at all you can improve any
block cipher with some simple techniques:
– Whitening
– Cipher block chaining mode
– Cipher feedback mode
– Initialization Vector
Whitening
• Just xor a key with the text either before the
round function, after the round function, or
both
[Figure: whitening diagrams. Labels: plain text block for round; XOR; random key same size as block; pseudo plain text; round function.]
Electronic codebook (ECB)
The most basic encryption mode is the
electronic codebook (ECB) mode. The message
is divided into blocks and each block is
encrypted separately. The problem is that if you
submit the same plain text more than once, you
always get the same cipher text. This gives
attackers a place to begin analyzing the cipher to
attempt to derive the key.
Cipher-block chaining (CBC)
When using cipher-block chaining (CBC) mode,
each block of plaintext is XORed with the
previous ciphertext block before being
encrypted. This means there is significantly
more randomness in the final ciphertext. This is
much more secure than electronic codebook
mode and is the most common mode.
[Figure: CBC. The plain text block for round i is XORed with the cipher text produced in round i-1 to give a pseudo plain text, which is passed to the round function.]
Cipher feedback (CFB)
In CFB mode the previous ciphertext block is
encrypted then the ciphertext produced is XOR’d
back with the plaintext to produce the current
ciphertext block. Essentially it loops back on
itself, increasing the randomness of the
resultant ciphertext.
[Figure, titled "CBC" on the slide. Labels: plain text block for round i; round function; cipher text for round i; XOR; cipher text produced in round i-1.]
Initialization vector (IV)
An IV is a fixed-size input to a cryptographic primitive that is
random or pseudorandom. Some cryptographic methods require
the IV only to be non-repeating, not truly random. In this case,
the IV is commonly called a nonce (number used once), and the
methods are described as stateful as opposed to randomized.
In a block cipher using Electronic Code Book (ECB) mode,
encryption of the same plain text with the same key results in
the same ciphertext. Use of an initialization vector that is xor’d
with the first block of plaintext or included in front of the
plaintext prior to encryption solves this problem.
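Added example (not from the original slides): ECB and CBC run over a message with repeated blocks, with the IV XORed into the first block and sent in front of the ciphertext. The functions E and D are a hypothetical stand-in keyed permutation with no security value, used only so the block runs without a cipher library; a real block cipher takes their place. Padding is left out, and the key and message are constructed.

```python
import os

BLOCK = 8
M = 1 << 64
MUL = 0x9E3779B97F4A7C15          # odd, hence invertible modulo 2**64
MUL_INV = pow(MUL, -1, M)

def E(block, key):
    # Stand-in keyed permutation of one 64-bit block. NOT a secure cipher.
    x = int.from_bytes(block, "big")
    return ((((x ^ key) * MUL) % M) ^ key).to_bytes(BLOCK, "big")

def D(block, key):
    y = int.from_bytes(block, "big")
    return ((((y ^ key) * MUL_INV) % M) ^ key).to_bytes(BLOCK, "big")

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("demo skips padding: length must be a multiple of 8")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(pt, key):
    return b"".join(E(b, key) for b in blocks(pt))

def cbc_encrypt(pt, key, iv):
    out, prev = [iv], iv              # IV travels in front of the ciphertext
    for b in blocks(pt):
        prev = E(xor(b, prev), key)   # XOR with the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key):
    cs = blocks(ct)                   # cs[0] is the IV
    return b"".join(xor(D(c, key), p) for p, c in zip(cs, cs[1:]))

def repeated_blocks(ct):
    bs = blocks(ct)
    return len(bs) - len(set(bs))

if __name__ == "__main__":
    key = 0x0123456789ABCDEF                 # constructed demo key
    pt = b"SAMEDATA" * 3 + b"OTHERBLK"       # constructed: 3 identical blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(pt, key)))
    ct = cbc_encrypt(pt, key, os.urandom(BLOCK))
    print("CBC repeats:", repeated_blocks(ct), cbc_decrypt(ct, key) == pt)
```

Reusing the same IV with the same key and message reproduces the same ciphertext, so the IV has to change per message for CBC to hide repeats across messages.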
Additional Resources
• The original article describing Feistel ciphers: H. Feistel,
"Cryptography and Computer Privacy," Scientific
American, v. 228, n. 5, May 73, pp. 15-23.
• Bruce Schneier on unbalanced Feistel ciphers:
http://www.schneier.com/paper-unbalanced-feistel.pdf
• Elastic Block Ciphers:
http://www.cs.columbia.edu/techreports/cucs-02104.pdf
• KFC: http://www.baigneres.net/papers/kfc_slides.pdf
• KFC: http://www.iacr.org/archive/asiacrypt2006/42840384/42840384.pdf