Session 3: Secret key cryptography – block ciphers – part 1
Download
Report
Transcript Session 3: Secret key cryptography – block ciphers – part 1
Session 3:
Secret key cryptography –
block ciphers – part 1
Block ciphers - definition
Block cipher encryption provides
confidentiality by transforming a plaintext
message into a ciphertext message, by
means of a special function.
The precise function implemented by the
block cipher is determined by a secret
key.
Block ciphers - definition
The principal difference between a
stream cipher and a block cipher:
• A stream cipher contains memory, embodied
•
in its current state.
A block cipher is memoryless outside its
current block and therefore has no current
state.
Block ciphers - definition
Block ciphers operation:
• A plaintext message is partitioned into a
•
series of blocks.
These blocks are then encrypted one block at
a time.
A block cipher can also be used as a
component in a stream cipher, message
authentication codes (MACs), hash
functions, and signature schemes.
Block ciphers - definition
Block cipher encryption is a form of
symmetric-key encryption.
Both transmitter and receiver of the
ciphertext have knowledge of the secret
key.
Example: the substitution cipher, and the
transposition cipher are essentially block
ciphers.
Block ciphers - definition
A block cipher is a vectorial Boolean
function E : {0, 1}K × {0, 1}N → {0, 1}N
that takes two inputs:
• a K-bit key k ;
• an N-bit plaintext P.
It returns an N-bit ciphertext C = E(k, P).
Block ciphers - definition
For any block cipher, and any key k, the
function Ek is a permutation on {0, 1}N.
This means that it is a bijection - a
one-to-one mapping of {0, 1}N to {0, 1}N.
1
Since it is a bijection, it has an inverse, E k
Since E is invertible, decryption is
possible.
Block ciphers - definition
Both the cipher and its inverse E−1
should be easily computable:
• Given k, P, we can compute E(k, P).
• Given k, C, we can compute E−1(k,C).
The key k should be chosen uniformly at
random.
Block ciphers - design
The aim of the block cipher design is to make
it practically impossible to retrieve the plaintext
from the ciphertext without knowledge of the
K-bit secret key.
Since decryption is only possible if the
encryption function is invertible (i.e. if it is a
bijection) the choice of possible N-bit block
ciphers is restricted to one of (2N)! block
ciphers.
Block ciphers - design
Of all these (2N)! block ciphers, only 2K are
used, because of the parameterization by the
key.
In practice, these 2K block ciphers that are
actually used constitute an infinitesimally small
fraction of (2N)! possible block ciphers.
Example: N=3, K=2
A 3-bit block cipher with 2 bits of key.
There are (2N)! = 8! = 40320 possible
permutations, of which only 2K = 22 = 4
permutations are used.
Let these permutations be:
• k=00, p0=(4,6,1,8,5,7,3,2)
• k=01, p1=(5,2,7,1,8,6,4,3)
• k=10, p2=(8,6,2,1,3,4,5,7)
• k=11, p3=(3,8,6,2,4,7,5,1)
Example (cont.)
Let us choose k=00, which means:
•
•
k=00, p0=(4,6,1,8,5,7,3,2)
or:
1 2 3 4 5 6 7 8
p0
4 618 5 7 3 2
The corresponding block cipher, Ek:
Addr. Value
0
010
1
111
2
110
3
000
4
100
5
001
6
101
7
011
Example (cont.)
The inverse permutation:
•
•
P0’=(3,8,7,1,5,2,6,4)
or:
1 2 3 4 5 6 7 8
p0 '
3 8 7 15 2 6 4
The corresponding inverse block
cipher, Ek-1:
Addr. Value
0
011
1
101
2
000
3
111
4
100
5
110
6
010
7
001
Example (cont.)
Let us encipher X=101.
The corresponding address is 5.
Y=Ek(X)=Ek(5)=001.
Deciphering: Y=001.
The corresponding address is 1.
Ek-1(Y)=Ek-1(1)= 101=X.
Block ciphers - design
The problem of block cipher design:
• determine which set of 2K block ciphers to
•
choose such that, for an unknown fixed key, it
is virtually impossible to say anything about
the ciphertext resulting from a known or
chosen plaintext;
given prior knowledge of a few
plaintext/ciphertext pairs it should be
impossible to say anything about the fixed
key.
Block ciphers - design
Any effective block cipher scheme must
be realized efficiently in time and space,
with as little implementation cost as
possible.
The practical trade-off is to design a
block cipher which is both sufficiently
secure, and satisfactorily efficient in
terms of hardware/software space and
time resources.
Block ciphers - design
A block cipher with a secret key is considered
perfect if, for all plaintexts P and ciphertexts C,
it holds that Pr(P|C)=Pr(P).
If, for a fixed K-bit key, an N-bit block cipher is
used to encrypt K/N plaintexts, then the
cipher can always be chosen to be the
one-time pad.
In this special case, the encryption is provably
secure and the block cipher is perfect.
Block ciphers - design
In most situations the one-time pad is
impractical as far too many secret keys must
be used.
Therefore it is highly desirable to securely
encrypt T plaintexts using the same, fixed K-bit
secret key, where T >> K/N .
Block ciphers - design
Most modern block ciphers seek to maximize
T, whilst still achieving an acceptable security.
This is achieved via a combination of:
•
•
confusion, which makes the relationship between key
and ciphertext as complicated as possible, and
diffusion, which seeks to eliminate any redundancy in
the plaintext. Diffusion also makes it difficult for any
attacker to partially approximate the cipher.
Block ciphers - design
Confusion:
• The relation between the key and the
•
•
ciphertext must be as complex as possible.
Thus, the statistics of the ciphertext is not
significantly influenced by the plaintext
statistics.
Confusion is achieved by means of
substitution (through non linear functions, so
called S boxes).
Block ciphers - design
Diffusion:
• Diffusion annihilates the influence of the
•
redundancy of the plaintext on the ciphertext.
It is achieved by making every letter of the
ciphertext dependent on as much plaintext
letters as possible (by means of linear
transformations such as permutations).
Block ciphers - design
Theoretically, the ideal block cipher, from a
security viewpoint, would involve one very
large, well-chosen N-bit Substitution Box (SBox), keyed by K key bits and,
ideally, it would be impossible to decompose
this S-box into smaller sub-units.
Such a block cipher would have a huge
implementation complexity.
Block ciphers - design
Any practical block cipher combines relatively
small sub-units to confuse (S-boxes) and
diffuse (linear transformation layers) the
plaintext.
These sub-units are applied iteratively as
keyed rounds, parameterized by sub-keys,
which are derived from the master K-bit key.
This decomposition into practical sub-units
constitutes a trade-off between security and
acceptable complexity.
Block ciphers - design
A key-schedule is needed to derive round keys
from a master key.
It is an accepted design principle that
encryption using a block cipher, selected via a
randomly-chosen key, should look like
encryption by a randomly-chosen invertible
function over N bits.
Block ciphers - design
Basic design types of block ciphers:
•
•
Feistel ciphers
Substitution-permutation networks.
Both design philosophies have their advantages
and disadvantages.
It is possible to combine these design types in a
single block cipher (rarely used, e.g. SC2000).
There is no agreement about the best design
philosophy for block ciphers.
Feistel ciphers
A basic Feistel cipher takes 2t plaintext bits,
and is a permutation, F, which uses m round
permutations, Fi:
F F0 F1 Fm1
Where ◦ is a composition of functions, i.e.
F x Gx F Gx
Feistel ciphers
Round i acts on t bits, R (right), by means of
the keyed nonlinear function, fi, and XORs the
result with other t bits, L (left).
The L and R halves are then swapped.
After the i-th round, we have:
L' , R' Fi L, R R, L fi R
[L’ R’] becomes the new input [L,R] to the
round i + 1.
Feistel ciphers
F and the Fi must be permutations, but
the fi need not be.
It takes two rounds before all plaintext
bits have been acted on in a nonlinear
way.
In the decryption process, the same
functions are used, but with the round
keys used in reverse order.
Feistel ciphers
Example of a round:
Feistel ciphers
Examples of Feistel design:
• LUCIFER (author: Horst Feistel)
• DES (Data Encryption Standard)
• MISTY1
• KASUMI (used in UMTS)
• CAMELLIA
• FEAL
• etc.
Substitution-permutation networks
A substitution-permutation network (SPN)
separates the role of confusion and diffusion in
the cipher.
The cipher is also decomposed into iterative
rounds.
Each round comprises a layer of non linear
functions (often S-boxes), followed by a linear
layer (often a permutation).
The non linear layer provides the confusion.
The linear layer provides the diffusion.
Substitution-permutation networks
The separating of the tasks of confusion
and diffusion allows the designer to
maximise nonlinearity for the non linear
layer, and maximise information spread for
the diffusion layer.
Examples of SPN design:
• AES (Rijndael) (Advanced Encryption Standard)
• IDEA
• etc.
Non linear transformations
Non linearity in block ciphers is usually
introduced by means of tables, so called
S-boxes.
There are also designs without explicit
S-boxes. Instead, integer addition and
multiplication, discrete logarithm and
exponentiation, etc. are used (examples
of such ciphers are IDEA, RC6, etc.)
Non linear transformations
S-boxes can be very simple. For
example, S-boxes of Rijndael and
Camellia are essentially X-1 over GF(28).
Regarding the relation with the key,
S-boxes can be
• Key dependent
• Key independent.
Non linear transformations
Almost perfect non linear functions
(APN) – resistant to certain attacks
against block ciphers (differential and
linear cryptanalysis):
• Let f(x) be a mapping: GF(pn)→GF(pn).
• Let N(a,b) denote the number of solutions
•
xGF(pn) of the equation f(x+a)–f(x)=b,
a,b GF(pn).
Let f = max{N(a,b) | a,bGF(pn), a≠0}.
Non linear transformations
For linear functions, f(x+a)=f(x)+f(a).
So, f(x+a)-f(x)=f(x)+f(a)-f(x)=f(a).
Thus for linear functions b=f(a), which
means that every x satisfies the
equation.
A completely contrary case: only 1
solution of the equation – the “most
nonlinear” function f(x).
Non linear transformations
If f =k , the mapping is called
differentially k uniform.
For applications in cryptography, f
should be as small as possible.
If p is odd, there exist functions for which
f = 1 → perfect nonlinear functions (PN).
Functions of the form f(x)=xd over GF(pn),
p prime, are of special interest.
Non linear transformations
Theorem 1:
• f(x)=xd is a mapping over GF(pn), p>2.
• Then f(x) is 1-uniform (PN) in the following
cases:
• d=2;
• d=pk+1, n/(n,k) is odd;
• d=(3k+1)/2, p=3, k odd, (n,k)=1.
Since for the most interesting case, p=2,
PN functions do not exist, we use APN.
Non linear transformations
APN functions → f = 2.
For p = 2, if x is a solution of f(x+a)f(x)=b, so is x+a.
Thus f = 2 is the smallest possible value
when p=2.
This means that the restricted meaning
of “almost” is not justified in this case.
Non linear transformations
Theorem 2:
• f(x)=xd is a mapping over GF(2n).
• Then f(x) is APN in the following cases:
• n=2m+1:
• d=2n-2;
• d=2k+1, (n,k)=1, 1km; (Gold’s function)
• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function)
• d=2m+3; (Welch’s function)
• d=2m + 2m/2 − 1 (even m), 2m + 2(3m+1)/2 − 1 (odd m);
(Niho’s function)
Non linear transformations
Theorem 2 (cont.):
•
n=2m:
• d=2k+1, (n,k)=1, 1km; (Gold’s function)
• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function).
An exponent d’ is equivalent to d if there is t
such that d’=2td.
An S-box can be obtained by means of a linear
transform of a power function xd of this type.
The Hamming weight of d is equal to the non
linear order of the S-box obtained from xd.
Non linear transformations
Example: Use the Kasami exponent to
design a 7-bit S-box.
• n=7, m=3, 2k3.
• Let us choose k=2. (2,7)=1.
• Then d=22k-2k+1 = 24-22+1=13.
• The Hamming weight of d=1310=11012 is 3, so
•
the non linear order of the S-box will be 3.
We now pick an irreducible polynomial of
degree n=7, f(x)=x7+x+1.
Non linear transformations
Example (cont.):
• We also pick polynomials a(x) and b(x) at
•
•
random, deg a(x)<n, deg b(x)<n. For example,
let a(x)=x5+x4+x+1, b(x)=x4+x.
The general linear function F(x)=ax+b is used
to transform xd linearly, i.e.
S(x)=F(x)◦xd=F(xd)=axd+b, a,b,xGF(27).
Thus, the S-box is S(x)=a(x)xd+b(x) mod f(x),
x=0,…,2n-1.
Non linear transformations
Example (cont.):
• For any primitive element , the field elements
of GF(27) determined by f(x)=x7+x+1 are:
• 0=1→0000001
• 1= →0000010
• 2= 2 →0000100
• 3= 3 →0001000
• 4= 4 →0010000
• 5= 5 →0100000
• 6= 6 →1000000
7= +1 →000011
8= 2+ →0000110
9= 3+2 →0001100
10= 4+3 →0011000
11= 5+4 →0110000
12= 6+5 →1100000
13= 6++1 →1000011 …
Non linear transformations
Example (cont.):
• Then (i)13= (i13) mod 127:
• (0)13=1→0000001
• (1)13=13= 6++1→1000011
• (2)13=26= 6+5+2+1→1100101
• (3)13=39= 5+4+3+ →0111010
•…
• (10)13=130 mod 127=3→0001000
•…
Non linear transformations
Example (cont.):
• Every (i)d= (id) mod 127 should now be
multiplied by a(x) mod f(x) and b(x) is added to
the result. So we finally get:
• 0=0000001→a(x)+b(x)→ 5+1→0100001
• 1=0000010→ ((x5+x4+x+1)(x6+x+1)+(x4+x)) mod
(x7+x+1) →5+3+2→0101100
• The addresses should be given in the
increasing order, from 0000000 to 1111111,
and the corresponding values of S are given
for every address → S-box.
Commonly used designs
Feistel ciphers:
Substitution-permutation networks:
• DES (triple DES, etc.)
• KASUMI
•…
• Rijndael (AES)
• IDEA
•…
DES
The block cipher most implemented in
practice is (still, as triple DES) DES (Data
Encryption Standard), introduced in USA
by NBS (National Bureau of Standards) in
1974.
The length of the block in this cipher is 64
bits and the length of the key is 56 bits.
DES works alternatively over two halves of
the block to be enciphered.
DES
First, an initial fixed permutation of the input block
is performed.
Then the block is divided into two halves.
After that, a modular operation is realized 16
times (“rounds").
This operation consists of summing modulo 2 the
left part with a function of the right part F(Ki),
managed by the subkey Ki, i=1,…,16, where i is
the ordinal number of the round.
After that, the left and the right parts are
interchanged.
DES
The initial permutation is represented in the following
way in the standard FIPS 46-3:
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
This means that the 58th bit of input becomes the 1st
bit of output, 50th bit of input becomes the 2nd bit of
output, etc.
DES
DES
In the round 16 the interchange is omitted.
There is a final permutation, inverse to the
initial one.
DES realizes an involution and because of that
it is not necessary to invert the function F in the
deciphering algorithm.
The function F contains non linear operations.
DES
The final permutation:
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
The 40th bit of input becomes the 1st bit of output, etc.
DES
DES
The expansion algorithm from 32 to 48
bits:
32 1 2 3 4 5 4 5 6 7 8 9
8 9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
The first bit of the resulting 48 bit vector
is the 32nd bit of the input vector, etc.
DES
The function F is a set of following operations:
•
•
•
•
•
•
•
The first manipulation consists of producing a vector of
48 bits from the initial 32 bits by means of a linear
expansion.
Next, the local key of 48 bits is combined with the
obtained vector by means of the sum modulo 2, bit by bit.
Thus another vector of 48 bits is obtained, which is
divided in 8 groups of 6 bits each.
Each group serves as input to 8 functions called S-boxes.
These boxes are responsible for the non linearity of DES.
The output of each S-box are 4 bits.
When a single input bit is changed, at least 2 output bits
are changed.
DES
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
DES
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
DES
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
DES
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
DES
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
DES
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
DES
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
DES
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
DES
Addressing of the DES S-boxes:
•
•
•
•
Let the addressing 6-tuple for any S-box be
b 1b 2b 3b 4b 5b 6.
The bits b1b6 determine the row of the S-box.
The bits b2b3b4b5 determine the column of the S-box.
Example:
• Let the addressing 6-tuple of the 3rd S-box be 001001.
• The row is 01, which means the 2nd row, since 00 is the
•
first row.
The column is 0100, which means the 5th column, since
the numbering starts from 0000.
DES
Finally, the information passes through a "Pbox", which is a fixed permutation, chosen in
such a way that a maximum diffusion of bits is
achieved through the whole 32 bit vector.
The P-box:
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
16th bit of input becomes the 1st bit of output,
etc.
DES
Although DES handles 64 bit keys, the
first operation that is realized in the
process of key expansion is their
reduction to 56 bits, by eliminating one
bit of every 8 bits.
Then the remaining bits are reordered.
Next, 16 subkeys necessary in the 16
rounds of the algorithm are obtained.
DES
The reordering key permutation:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
57th bit of input becomes the 1st bit of output, etc.
Every 8th bit of the initial 64 bit key is dropped.
DES
During the deciphering process, the subkeys are used in
the reverse order.
The subkeys are generated in the following way:
•
•
•
•
First, the key of 56 bits is divided in two halves of 28 bits
each.
Then, the halves are rotated left 1 or 2 bits, depending on
the round. Rotating left a number of positions depending on
the round is recursive, which means that the initial vector for
the i-th round is the output vector of the (i-1)st round.
After the rotation, the halves are reunited, obtaining again
16 groups of 56 bits.
Next, 48 bits of each group are selected to form the final 16
subkeys, in the process denominated "permutation with
compression".
DES
Iteration Number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Number of Left Shifts
1
1
2
2
2
2
2
2
1
2
2
2
2
2
2
1
DES
The choice of 48 bits of the i-th subkey from
the corresponding 56 bits:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
DES
For deciphering, DES should run
backwards, which means that K16
subkey is used in the first round, K15 in
the second, …, K1 in the 16th round.
Triple DES – mode 1
The data is
encrypted with the
first key, then
encrypted with the
second key, and
finally encrypted with
the third key.
Triple DES – mode 2
The data is
encrypted with the
first key, then
decrypted with the
second key, and
finally encrypted
again with the first
key.
Goal: compatibility
with a single DES.
Triple DES - security
Equivalent key length:
• Of Double DES – only 57 bits (so called Meet•
in-the-middle attack is possible that reduces
the size of the key from 112 to 57 bits).
Of Triple DES – 112 bits, instead of 168 bits,
but this is an acceptable length.