Block Ciphers (lecture slides, CMPS 122, UC Santa Cruz)

Block Ciphers

Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.

Lexar Corporation, "An Evaluation of the DES", 1976.

Block Ciphers 2 (CMPS 122, UC Santa Cruz)

Block ciphers

• Stream ciphers
  ◆ Encrypt small (bit or byte) units one at a time
  ◆ Everything we have seen so far
  ◆ Require less buffering

• Block ciphers
  ◆ Encrypt large chunks (64+ bits) at once
  ◆ Must buffer enough to get a whole block before encrypting

Block Ciphers 3

Block cipher

• 64-bit blocks
  ◆ 2^64 possible plaintext blocks, so there must be at least 2^64 corresponding ciphertext blocks
  ◆ There are (2^64)! possible mappings (bijections) from plaintext blocks to ciphertext blocks

• Why not just create a random mapping?
  ◆ Need a table of 2^64 entries of 64 bits each: about 1.2 × 10^21 bits, i.e. roughly 1.5 × 10^11 GB
  ◆ At $1/GB (for disk) the table alone costs well over a hundred billion dollars
  ◆ Need to distribute a new table if the old one is compromised

• Approximate the ideal random mapping using components controlled by a (short) key

Block Ciphers 4

Goals: diffusion and confusion

• Claude Shannon [1945]
• Diffusion
  ◆ A small change in the plaintext changes a large part of the ciphertext
  ◆ Statistical properties of the plaintext are spread over, and so hidden in, the ciphertext
• Confusion
  ◆ The statistical relationship between the key and the ciphertext is as complex as possible

⇒ Need to design functions whose output is both diffuse and confused

Block Ciphers 5

Feistel cipher structure

[Figure: the plaintext is split into L0 and R0; in each round F(R, Ki) (substitution through S-boxes, then a permutation through a P-box) is XORed into the left half, the halves are swapped, and L1, R1 feed the next round]

• Encrypt in rounds
  ◆ The input to each round is split in half:
      L0 = left half of input
      R0 = right half of input
  ◆ For each round i:
      Li = Ri-1
      Ri = Li-1 ⊕ F(Ri-1, Ki)
• Substitution: S-box
• Permutation: P-box
• Proceed for n rounds
• After the final round, undo the last swap of the halves:
      C = Rn || Ln

Block Ciphers 6

One-round Feistel

E(L0 || R0):
  L1 = R0
  R1 = L0 ⊕ F(R0, K1)
  C = R1 || L1 = (L0 ⊕ F(R0, K1)) || R0

In general:
  Li = Ri-1
  Ri = Li-1 ⊕ F(Ri-1, Ki)

Block Ciphers 7

Decryption

• Inputs to the decryption engine
  ◆ LD0 = left half of the ciphertext (= Rn)
  ◆ RD0 = right half of the ciphertext (= Ln)
• For each round i
  ◆ LDi = RDi-1
  ◆ RDi = LDi-1 ⊕ F(RDi-1, Kn-i+1)
• Repeat for n rounds, using the round keys in reverse order (Kn first)
• Last round
  ◆ P = RDn || LDn

[Figure: the same round structure as for encryption, fed with the ciphertext halves LD0, RD0 and the round keys starting from Kn]

Block Ciphers 8

Decryption (one round)

D((L0 ⊕ F(R0, K1)) || R0):
  LD0 = L0 ⊕ F(R0, K1)
  RD0 = R0
  LD1 = RD0 = R0
  RD1 = LD0 ⊕ F(RD0, K1)
      = L0 ⊕ F(R0, K1) ⊕ F(R0, K1)
      = L0
  P = RD1 || LD1 = L0 || R0

In general:
  LDi = RDi-1
  RDi = LDi-1 ⊕ F(RDi-1, Kn-i+1)

Block Ciphers 9

Multiple rounds

• The entire round is a function (the exchange of the halves is built into it):
    fK(L || R) = R || (L ⊕ F(R, K))
    swap(L || R) = R || L

• Encryption with r rounds composes the rounds in order and then applies one swap, which undoes the exchange made by the last round (so C = Rr || Lr):
    E = swap ∘ fKr ∘ fKr-1 ∘ ... ∘ fK2 ∘ fK1

• Decryption is the same network with the round keys in reverse order:
    D = swap ∘ fK1 ∘ fK2 ∘ ... ∘ fKr-1 ∘ fKr

  (Composition is read right to left, so fK1 is applied first. Because fK already contains the swap, no extra swap is needed between rounds; only the single final one.)

Block Ciphers 10

Decryption

swap(fK(swap(fK(L || R))))
  = swap(fK(swap(R || (L ⊕ F(R, K)))))
  = swap(fK((L ⊕ F(R, K)) || R))
  = swap(R || ((L ⊕ F(R, K)) ⊕ F(R, K)))
  = swap(R || L)
  = L || R

So swap ∘ fK is its own inverse! Equivalently fK^-1 = swap ∘ fK ∘ swap, and fK ∘ swap ∘ fK = swap. That is why running the same network with the round keys in reverse order, followed by one swap, undoes encryption: in D ∘ E the innermost triple fKr ∘ swap ∘ fKr collapses to swap, then fKr-1 ∘ swap ∘ fKr-1 collapses, and so on outward until only swap ∘ swap = identity is left.

Block Ciphers 11

Requirements for F

• For decryption to work:
  ◆ F must be deterministic and solely a function of its inputs (round key and half-block)
  ◆ F need not be invertible: it could even be a constant function, and it certainly may produce identical values for a given K and more than one block (it is the XOR, not F, that gets undone)
• For security:
  ◆ Hide patterns in the plaintext
  ◆ Hide patterns in the key
• Coming up with a good F is hard!

Block Ciphers 12

DES (Data Encryption Standard)

• NIST (then NBS) sought a standard for data security (1973)
• IBM's Lucifer was the only reasonable proposal
• Modified by NSA
  ◆ Changed the S-boxes
  ◆ Reduced the key from 128 to 56 bits
• Adopted as a standard in 1976
• More bits have been encrypted using DES than with any other cipher (as of these slides)

Block Ciphers 13

DES algorithm

• Feistel cipher with an added initial permutation (and its inverse at the end)
• Complex choice of F
• 16 rounds
• 56-bit key; shifts and permutations produce a 48-bit subkey for each round

Block Ciphers 14

F used for DES

[Figure: the DES round function]
  1. Expand and permute the 32-bit half-block to 48 bits (using the E table)
  2. XOR with the 48-bit round key Kn
  3. Substitute: eight S-boxes map the 48 bits back to 32 bits
  4. Permute the 32 bits (the P permutation)

The goal is confusion! (The S-boxes supply it; the expansion and the P permutation spread each S-box output over several S-boxes in the next round, which supplies diffusion.)

Block Ciphers 15

S-Box

[Figure: an S-box maps 6 input bits to 4 output bits through a 64-entry lookup table; example: 110011 → 1001]

S-Boxes

• Critical to security
• NSA changed the choice of S-boxes
• The only non-linear step in DES
  ◆ S(x ⊕ y) ≠ S(x) ⊕ S(y) in general, e.g. S(11) ≠ S(01) ⊕ S(10); everything else in DES (E, P, IP, the key XOR) is linear over GF(2)
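The slide's 6-bit example is generic; the added example below (mine, not the course's code) uses the real DES S-box S1 from FIPS 46 to show the row/column lookup and to check the two properties the slides argue for: S1 is not linear over GF(2), and its difference-distribution table, which is what differential cryptanalysis tabulates, is far from flat. The input 011011 → 0101 is the worked example in FIPS 46 itself.

```python
"""DES S-box S1 (FIPS 46): lookup, linearity check, difference distribution."""

# S1 from FIPS 46: 4 rows of 16 entries, each row a permutation of 0..15.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """6 bits in, 4 bits out: the outer bits (b5, b0) select the row,
    the middle four bits (b4..b1) select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def rows_are_permutations(table):
    """DES design criterion: every row is a bijection on 4-bit values."""
    return all(sorted(row) == list(range(16)) for row in table)


def linearity_failures(table):
    """Number of (a, b) pairs with S(a ^ b) != S(a) ^ S(b).
    A linear map (like E, P or the key XOR) would give 0."""
    return sum(
        1
        for a in range(64)
        for b in range(64)
        if sbox(table, a ^ b) != sbox(table, a) ^ sbox(table, b)
    )


def difference_table(table):
    """ddt[din][dout] = number of inputs x with S(x ^ din) ^ S(x) == dout.
    Differential cryptanalysis hunts for large entries."""
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][sbox(table, x ^ din) ^ sbox(table, x)] += 1
    return ddt


def best_differential(table):
    """(din, dout, count) of the most probable non-trivial difference; a flat
    table would have every entry near 64/16 = 4."""
    ddt = difference_table(table)
    return max(
        ((din, dout, ddt[din][dout]) for din in range(1, 64) for dout in range(16)),
        key=lambda t: t[2],
    )


if __name__ == "__main__":
    print("S1(011011) =", format(sbox(S1, 0b011011), "04b"))
    print("rows are permutations:", rows_are_permutations(S1))
    print("non-linear (a, b) pairs out of 4096:", linearity_failures(S1))
    din, dout, n = best_differential(S1)
    print(f"best differential: {din:06b} -> {dout:04b} with probability {n}/64")
```

The best S1 differential holds with probability about 1/4 rather than the 1/16 a flat table would give; chaining such high-probability differences through several rounds is exactly what a differential attack does.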

Block Ciphers 16

DES avalanche

One plaintext bit is changed; * marks a bit of the 64-bit state that differs between the two encryptions, and the number at the right is the count of differing bits (given for the first rounds only).

Input:    ...............................................................* 1
Permuted: .......................................*........................ 1
Round 1:  .......*........................................................ 1
Round 2:  .*..*...*.....*........................*........................ 5
Round 3:  .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18
Round 4:  ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28
Round 5:  *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29
Round 6:  ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26
Round 7:  *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
Round 8:  *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
Round 9:  ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
Round 12: *..***....*...*.*.*.***...****....******......*..******....*....
Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****..
Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
Output:   ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html

Block Ciphers 17

Generating DES round keys

• Need 16 48-bit round keys
  ◆ Best security: just use 16 independent keys
  ◆ Problem: 768 key bits is too long!
• 56-bit key used
  ◆ Actually 64 bits are supplied, 8 of them parity bits
• Produce the 48-bit round keys by shifting and permuting
  ◆ The 56-bit key (after the PC-1 permutation) is split into two 28-bit halves C and D
  ◆ Each round rotates each half left by 1 or 2 bits, then PC-2 compresses and permutes the 56 bits to the 48-bit Ki:
      Ci = Shift(Ci-1), Di = Shift(Di-1), Ki = PC-2(Ci || Di)
  ◆ How is decrypting done? (Run the schedule backwards: right rotations produce the round keys in reverse order.)
  ◆ Are there weak keys? (Yes: four keys whose halves are all zeros or all ones make every round key identical, and twelve semi-weak keys produce only two distinct round keys.)

[Figure: key (56 bits) → two 28-bit halves → shift (1 or 2 bits) each → compress/permute → Kn]

Block Ciphers 18

Is DES a perfect cipher?

• No!
  ◆ There are more messages than keys (perfect secrecy needs at least as many keys as messages)
• What about for a single 64-bit block?
  ◆ No!
  ◆ 2^64 messages > 2^56 keys

Block Ciphers 19

Brute force attacks on DES

• Key is 56 bits
  ◆ 2^56 ≈ 7.2 × 10^16 = 72 quadrillion keys
  ◆ On average, try half the keys to find the right one
• How long will it take?
  ◆ 1 key per second => 1.1 billion years
  ◆ 10 million per second => 110 years
  ◆ 10 million per second on each of 10,000 PCs: 4.1 days!
• The latter can be done with a distributed attack
  ◆ Steal/borrow idle cycles on networked PCs
    – A large corporation with 25,000 PCs could do this in less than a week, even assuming the software runs only during off hours...
  ◆ Increase speed further with hardware assist

Block Ciphers 20

Brute force attacks

• RSA DES challenges:
  ◆ 1997: 96 days (using 70,000 machines)
  ◆ Feb 1998: 41 days (distributed.net)
  ◆ July 1998: 56 hours (EFF custom hardware)
  ◆ January 1999: 22 hours (EFF + distributed.net)
    – 245 billion keys per second
• NSA can probably crack DES routinely (but they won't admit it)
  ◆ Hardware is simple to design
  ◆ 10,000 inexpensive PCs cost only $5 million

Block Ciphers 21

Electronic Codebook Mode (ECB)

• Transmitting a long plaintext using DES:
  ◆ P = P1 || P2 || ... || PN
• Electronic Codebook Mode:
  ◆ C = EK(P1) || EK(P2) || ... || EK(PN)
• Problems:
  ◆ Any identical blocks are encrypted identically
    – 64 bits = 8 ASCII characters
    – Identical 8-character sequences encrypt to the same thing
  ◆ Lots of ciphertext encrypted with the same K
  ◆ Enemy can easily substitute (or reorder) blocks without knowing K
    – Example: the salary is always bytes 24-31 of the message
    – Replace my salary block with Dean Kang's
    – I don't know what it is, but it's more than mine...

Block Ciphers 22

Cipher Block Chaining (CBC)

[Figure: each plaintext block is XORed with the previous ciphertext block before DES encryption under K; the first block is XORed with an initialization vector (IV); C1, C2, ... go to the receiver]

  C1 = EK(P1 ⊕ IV)
  Ci = EK(Pi ⊕ Ci-1)
  Pi = DK(Ci) ⊕ Ci-1   (receiver, with C0 = IV)

Block Ciphers 23

Cipher Feedback Mode (CFB)

[Figure: a 64-bit shift register, initially the IV, is encrypted with DES under K; the leftmost j bits of the output are XORed with j bits of plaintext to give j bits of ciphertext, which go to the receiver and are also shifted into the register for the next unit]

  Ci = Pi ⊕ MSBj(EK(Si)),   Si+1 = (Si << j) || Ci,   S1 = IV

Encrypt in units of j < 64 bits

Block Ciphers 24

Output Feedback Mode (OFB)

[Figure: as CFB, except that the j bits shifted back into the register are taken from the DES output rather than from the ciphertext, so the keystream does not depend on the data]

  Oi = MSBj(EK(Si)),   Ci = Pi ⊕ Oi,   Si+1 = (Si << j) || Oi,   S1 = IV

Encrypt in units of j < 64 bits (feeding back only j bits shortens the expected period of the keystream; the full-block form with j = 64 is the one NIST specifies today)

Block Ciphers 25

Cipher/output feedback

• 1-bit transmission error
  ◆ Recoverable in output feedback: one flipped ciphertext bit flips exactly one plaintext bit
  ◆ In cipher feedback the flipped bit also enters the shift register, so the next 64/j units decrypt to garbage before it shifts out; the mode then resynchronizes
• Active eavesdropper
  ◆ Can modify the stream using XOR (in OFB, flipping a ciphertext bit flips the same plaintext bit)
  ◆ May make undetectable changes if parity is used for error correction
• Known-plaintext attacks work on OFB
  ◆ The sequence of DES outputs is always the same for a given key and IV, so known plaintext reveals keystream that decrypts any other message sent under that key and IV; never reuse an IV
• Performance
  ◆ Slower than full DES (one DES call per j bits), but works on smaller chunks of data
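An added example (mine, not the course's code) that exercises the claims of the ECB, CBC, CFB and OFB slides in one place: ECB shows which records carry equal salaries and lets an attacker copy one encrypted salary block over another without the key, CBC hides the repeat, and a single flipped ciphertext bit damages a different amount of plaintext in CBC, CFB and OFB. DES is replaced by a made-up 64-bit ARX permutation so the example runs without a crypto library; it is not secure, and the records and the key are constructed for the demonstration. CFB and OFB are implemented with full-block feedback (j = 64).

```python
"""ECB/CBC/CFB/OFB over a toy 64-bit block cipher: ECB leaks equal blocks and
allows block swapping, CBC hides repeats, and one flipped ciphertext bit damages
different amounts of plaintext per mode. The cipher is a made-up ARX permutation
standing in for DES; it is NOT secure."""
import os

MASK = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15          # odd, so multiplication mod 2^64 is invertible
MUL_INV = pow(MUL, -1, 1 << 64)

def _rotl(x, r): return ((x << r) | (x >> (64 - r))) & MASK
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _blocks(data): return [data[i:i + 8] for i in range(0, len(data), 8)]

def enc_block(key, b):
    """Toy E_K on an 8-byte block; key is a 64-bit int."""
    x = _rotl(((int.from_bytes(b, "big") ^ key) * MUL) & MASK, 23) ^ _rotl(key, 41)
    return x.to_bytes(8, "big")

def dec_block(key, b):
    """Toy D_K, the exact inverse of enc_block (rotl by 41 undoes rotl by 23)."""
    x = ((_rotl(int.from_bytes(b, "big") ^ _rotl(key, 41), 41) * MUL_INV) & MASK) ^ key
    return x.to_bytes(8, "big")

def ecb_encrypt(key, pt): return b"".join(enc_block(key, p) for p in _blocks(pt))
def ecb_decrypt(key, ct): return b"".join(dec_block(key, c) for c in _blocks(ct))

def cbc_encrypt(key, iv, pt):
    """C_i = E_K(P_i xor C_{i-1}), C_0 = IV."""
    out, prev = [], iv
    for p in _blocks(pt):
        prev = enc_block(key, _xor(p, prev)); out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    """P_i = D_K(C_i) xor C_{i-1}."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(dec_block(key, c), prev)); prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):
    """C_i = P_i xor E_K(C_{i-1}), full-block feedback (j = 64)."""
    out, prev = [], iv
    for p in _blocks(pt):
        prev = _xor(p, enc_block(key, prev)); out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    """P_i = C_i xor E_K(C_{i-1}); decryption also needs only E_K."""
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, enc_block(key, prev))); prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """O_i = E_K(O_{i-1}), C_i = P_i xor O_i; the same call decrypts."""
    out, reg = [], iv
    for d in _blocks(data):
        reg = enc_block(key, reg); out.append(_xor(d, reg))
    return b"".join(out)

# Constructed sample: fixed-width records; the salary is always bytes 8..15 of each record.
RECORDS = b"ALICE   00050000BOB     00090000CAROL   00050000"

def repeats_visible(key, iv):
    """Alice's and Carol's salary blocks are equal. Returns (ECB shows it, CBC shows it)."""
    e, c = _blocks(ecb_encrypt(key, RECORDS)), _blocks(cbc_encrypt(key, iv, RECORDS))
    return e[1] == e[5], c[1] == c[5]

def ecb_salary_swap(key):
    """No key needed: copy Bob's encrypted salary block over Alice's; return Alice's new salary."""
    c = _blocks(ecb_encrypt(key, RECORDS))
    c[1] = c[3]
    return ecb_decrypt(key, b"".join(c))[8:16]

def bit_error_damage(mode, key, iv):
    """Flip one ciphertext bit in block 2; return (plaintext blocks changed, bits changed)."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt), "cfb": (cfb_encrypt, cfb_decrypt),
                "ofb": (ofb_crypt, ofb_crypt)}[mode]
    ct = bytearray(enc(key, iv, RECORDS)); ct[16] ^= 0x80
    rec = dec(key, iv, bytes(ct))
    blocks = sum(1 for a, b in zip(_blocks(RECORDS), _blocks(rec)) if a != b)
    return blocks, sum(bin(x ^ y).count("1") for x, y in zip(RECORDS, rec))

if __name__ == "__main__":
    key, iv = int.from_bytes(os.urandom(8), "big"), os.urandom(8)
    print("equal salary blocks visible (ECB, CBC):", repeats_visible(key, iv))
    print("Alice's salary after the ECB block swap:", ecb_salary_swap(key))
    for m in ("cbc", "cfb", "ofb"):
        print(m, "(blocks, bits) damaged by one flipped ciphertext bit:", bit_error_damage(m, key, iv))
```

OFB damages exactly one bit; CBC garbles the block whose ciphertext was hit and flips one bit in the next; CFB flips one bit in the hit block and garbles the next (the flipped ciphertext sits in the register for one more step). With j-bit feedback the garbled stretch would last 64/j units instead of one block.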

Block Ciphers 26

Multiple encryption

• C = EK2(EK1(P))
• Does it double the key space?
• Monoalphabetic cipher
  ◆ Ci = K2[K1[Pi]] = K3[Pi] for some K3
• Composition of monoalphabetic encryptions is a group
  ◆ The result of composing two encryptions is another encryption that is a member of the group
  ◆ By extension, so is a composition of n encryptions
  ◆ In this case there is no benefit to multiple encryption

Block Ciphers 27

Double-Vigenère

C = EK2(EK1(P))
Vigenère with a key of length N:  Ci = (Pi + K(i mod N)) mod Z

Ci = ((Pi + K1(i mod N1)) mod Z + K2(i mod N2)) mod Z
   = (Pi + K1(i mod N1) + K2(i mod N2)) mod Z

If N1 = N2 = N:
   = (Pi + K3(i mod N)) mod Z,  with K3 = K1 + K2 (letter by letter, mod Z)

But what if N1 ≠ N2?

Block Ciphers 28

Double-Vigenère

• K1 = "BOND"
• K2 = "JAMES"

    BONDBONDBONDBONDBONDBONDBOND
  + JAMESJAMESJAMESJAMESJAMESJAM
  = KOZHTXNPFGWDNSFMBARVKOZHTXNP

• Effective key length: LCM(N1, N2) = 20
• Composition of Vigenère encryptions is a group
  ◆ This means the result could be obtained with a single 20-letter alphabetic key (though not necessarily a real word)
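An added example (mine, not the course's code) that computes the composite key for any pair of Vigenère keys, checks that the double encryption equals a single encryption under that key, and shows how a known plaintext hands the attacker the composite key stream with its period of lcm(N1, N2). Letters are restricted to A-Z; the sample message is constructed.

```python
"""Composition of two Vigenère encryptions: the composite is itself a Vigenère
encryption with a key of length lcm(N1, N2); known plaintext recovers it."""
from itertools import cycle
from math import gcd

def vigenere(text, key, decrypt=False):
    """C_i = (P_i + K_{i mod N}) mod 26 over the letters A-Z; decrypt subtracts."""
    sign = -1 if decrypt else 1
    return "".join(chr((ord(p) - 65 + sign * (ord(k) - 65)) % 26 + 65)
                   for p, k in zip(text, cycle(key)))

def composed_key(k1, k2):
    """Key K3 with E_K3 = E_K2 ∘ E_K1: encrypt a run of 'A' (shift 0) with both keys."""
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return vigenere(vigenere("A" * n, k1), k2)

def recover_key(plain, cipher):
    """Known plaintext: the letterwise difference C - P is the effective key stream."""
    return vigenere(cipher, plain, decrypt=True)

def period(stream):
    """Smallest p such that the stream repeats with period p."""
    return next(p for p in range(1, len(stream) + 1)
                if all(stream[i] == stream[i % p] for i in range(len(stream))))

if __name__ == "__main__":
    k3 = composed_key("BOND", "JAMES")
    print("composite key:", k3, "length", len(k3))
    msg = "THEQUICKBROWNFOXJUMPSOVERTHELAZYDOGAGAINANDAGAIN"   # constructed sample
    c = vigenere(vigenere(msg, "BOND"), "JAMES")
    print("equal to a single encryption under K3:", c == vigenere(msg, k3))
    print("period of the recovered key stream:", period(recover_key(msg, c)))
```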

Block Ciphers 29

Double DES

• C = EK2(EK1(P))
• Is there a K3 such that C = EK3(P)?
  ◆ There are 2^56 keys, and (2^64)! mappings
  ◆ If DES is good, keys map randomly to mappings
    – Probability that a randomly chosen mapping corresponds to a DES key: 2^56 / (2^64)!  <<  1 / (2^63)!
    – Composition of DES encryptions is not a group [Campbell and Wiener 1992]
  ◆ Answer: EK3(P) ≠ EK2(EK1(P)), at least for most K1, K2
• Effective key size of Double DES?
  = 2^56 × 2^56 = 2^112 ... NOT!!!

Block Ciphers 30

Known plaintext attack

[Figure: P → E under K1 → E under K2 → C]

• From the plaintext side, try all possible keys: XKi = EKi(P) for every key Ki (2^56 of them)
• From the ciphertext side, try all possible keys: YKj = DKj(C) for every key Kj (2^56 of them)
• One XKi = YKj means K1 = Ki and K2 = Kj

Block Ciphers 31

Meet-in-the-middle attack

• C = EK2(EK1(P))
• X = EK1(P) = DK2(C)
• Brute-force attack (given one P/C pair):
  ◆ Calculate EK1(P) for all keys (2^56 work) and store the results in a table
  ◆ Calculate DK2(C) for all keys (2^56 work) and look each result up
  ◆ A match gives the keys!
    – With a 64-bit block and 112 key bits, one pair still leaves about 2^112 / 2^64 = 2^48 false matches; a second known pair cuts that to about 2^-16, so essentially only the right pair survives
• Total work = 2 × 2^56 = 2^57 (plus a table of 2^56 entries)
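The attack on slides 30 and 31 as a runnable added example (mine, not the course's code), scaled down so it finishes in seconds: a made-up 32-bit block cipher with 16-bit keys stands in for DES, so naive brute force of (K1, K2) would cost 2^32 trials while the meet-in-the-middle costs 2 × 2^16 block operations plus a 2^16-entry table. It also shows the caveat above: with one known pair about one false candidate survives, so further pairs are used to filter.

```python
"""Meet-in-the-middle against double encryption with a toy 32-bit block cipher
and 16-bit keys. The cipher is made up for this example and is NOT secure."""
M32 = 0xFFFFFFFF
MUL = 0x9E3779B1
MUL_INV = pow(MUL, -1, 1 << 32)

def _expand(k):
    """16-bit key -> 32-bit whitening value."""
    return k | (k << 16)

def toy_enc(k, p):
    """Toy E_k: one multiply-rotate-xor layer on a 32-bit block."""
    x = ((p ^ _expand(k)) * MUL) & M32
    return (((x << 11) | (x >> 21)) & M32) ^ ((_expand(k) * 0x85EBCA6B) & M32)

def toy_dec(k, c):
    """Toy D_k, the exact inverse of toy_enc."""
    x = c ^ ((_expand(k) * 0x85EBCA6B) & M32)
    x = ((x >> 11) | (x << 21)) & M32
    return ((x * MUL_INV) & M32) ^ _expand(k)

def double_enc(k1, k2, p):
    return toy_enc(k2, toy_enc(k1, p))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) pairs under the same (K1, K2). Returns the surviving key pairs."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):                        # X = E_k1(P) for every k1: 2^16 work, 2^16 memory
        table.setdefault(toy_enc(k1, p0), []).append(k1)
    candidates = [(k1, k2) for k2 in range(1 << 16)  # X = D_k2(C) for every k2, then look it up
                  for k1 in table.get(toy_dec(k2, c0), ())]
    # One pair leaves about 2^(16+16-32) = 1 false match on average; the other pairs remove them.
    return [(k1, k2) for k1, k2 in candidates
            if all(double_enc(k1, k2, p) == c for p, c in pairs[1:])]

if __name__ == "__main__":
    k1, k2 = 0xBEEF, 0x1234                                  # the secret keys (constructed)
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x01234567, 0x89ABCDEF, 0xDEADBEEF)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

For real Double DES the same two loops run over 2^56 keys each and the table holds 2^56 64-bit entries; the memory, not the time, is what makes the attack expensive in practice.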

Block Ciphers 32

2-Key Triple DES

• C = EK1(DK2(EK1(P)))
• Why DK2 and not EK2?
  ◆ Backwards compatibility with single DES
  ◆ If K1 = K2: C = EK1(DK1(EK1(P))) = EK1(P)
• Actual key size = 56 + 56 bits = 112 bits
• Meet-in-the-middle?
  ◆ X = EK1(P) = EK2(DK1(C)): K1 appears on both sides of the meeting point, so the two sides cannot be searched independently: 2^56 on the plaintext side but 2^56 × 2^56 = 2^112 on the ciphertext side

Block Ciphers 33

How secure is Triple-DES?

• Brute-force search: 2^112 keys
  ◆ Best DES attack: 245 billion keys/second
  ◆ ≈ 6.7 × 10^14 years (compared to 22 hours for single DES)
  ◆ 10^11 years = total lifetime of the universe (closed universe theory)
• Best known attack on 2-key triple DES reduces this to 2^(120 - log2 n)
  ◆ n = number of known P-C pairs
  ◆ For n = 2^64, the work is 2^56

Is this realistic?

Block Ciphers 34

3-Key Triple DES

• C = EK3(DK2(EK1(P)))
• H(K) = 168 bits of key
• Used by PGP, S/MIME
• How much work to brute-force?
  ◆ Meet-in-the-middle: X = DK3(C) = DK2(EK1(P))
    – 2^56 on the ciphertext side + 2^112 on the plaintext side ≈ 2^112 total

Block Ciphers 35

Attacks on DES and other block ciphers

• Brute force
  ◆ Try all possible keys, and check whether the resulting plaintext is reasonable
• Differential cryptanalysis
  ◆ Encrypt pairs of inputs (plaintexts, or keys) that differ by only a few bits and see how the difference propagates to the output; S-box differences that occur with high probability leak key bits
• Power cryptanalysis
  ◆ Analyze power usage
  ◆ More power may indicate something about the key or plaintext: more power => a particular bit is 1?

Block Ciphers 36

Side channel cryptanalysis

• Regular cryptanalysis is mathematical
  ◆ Attacker sees inputs and outputs
• Side channel cryptanalysis
  ◆ Attacker sees something else
    – Power consumption: can be sampled at 1 GHz!
    – Encryption/decryption time (can be longer when a key bit is 1)
    – Radiation
  ◆ Example
    – Current for a left rotate depends on the leftmost bit: if it is 1, the rightmost bit has to be set afterwards
    – The DES key schedule uses such shifts, so one can tell bits of the key!
    – Current for an XOR may depend on the number of bits that switch
  ◆ Can be difficult to prevent!
• Depends on the implementation of the algorithm, not on the algorithm itself

Block Ciphers 37

Defenses against side channel attacks

• Reduce the signal
  ◆ Physical shielding, microprocessor design (make all shifts use the same power, etc.)
• Introduce random noise
  ◆ Change the execution order, do random computation, etc.
  ◆ Design the computation to do the same thing regardless of input, varying only the result
    – Works best combined with a reduced signal!
• Design cryptosystems with DPA (differential power analysis) in mind
  ◆ Nonlinear key updates between transactions

Block Ciphers 38

What's next after DES?

• 3DES is almost certainly secure
  ◆ 168-bit keys are long enough
  ◆ Many years of experience and testing
• But...
  ◆ NSA might be able to break it
  ◆ 3DES is too slow
    – Three sequential applications of DES
    – Can't easily parallelize because of data dependencies
  ◆ 3DES is too inflexible
    – Can't change the block size
    – Can't change the key size

Block Ciphers 39

First try: Clipper

• 1993: AT&T markets a secure telephony device
• Law enforcement has issues
  ◆ US courts can authorize wiretaps
  ◆ "Authorities" must be able to decrypt
• NSA proposes the Clipper chip
  ◆ Secret algorithm (Skipjack)
    – No public review
    – "Take our word for it: it's secure"
  ◆ Only implemented in hardware

Block Ciphers 40

Key escrow

• NSA has a copy of a special key
  ◆ Authorities can obtain the key with a court order
• With each message, the sender transmits E(M, k) || LEAF
  ◆ LEAF = "Law Enforcement Access Field"
• The holder of the special key can decrypt the LEAF to find the message key
  ◆ With the message key, the message can be decrypted

  k = message key
  u = 80-bit special key (unique to the chip)
  n = 30-bit identifier (unique to the chip)
  a = escrow authenticator
  f = 80-bit key (the same on all chips), known by the FBI

  LEAF = E((E(k, u) || n || a), f)

Block Ciphers 41

How wiretaps are supposed to work

• FBI investigating Alice
  ◆ FBI intercepts Clipper-encoded communication
• Uses f to decrypt the LEAF:
  ◆ D(E((E(k, u) || n || a), f), f) = E(k, u) || n || a
• Delivers n and the court order to 2 escrow agencies
  ◆ The agencies provide u (as 2 pieces of a split key) to the authorities
• Decrypts E(k, u) with u
  ◆ Obtains the message key k
• Decrypts the message!

Block Ciphers 42

Why didn't Clipper succeed?

• Politics
  ◆ The administration backed down
    – Secret algorithm
    – Public relations disaster
    – Didn't involve academic cryptographers early
    – Proposal was rushed
    – Hadn't even figured out who would escrow the keys!
• Crypto strength
  ◆ How do you prevent criminals from transmitting a wrong LEAF?
    – Use a checksum
    – But it is easy to find a bogus LEAF with the right checksum by brute force [Blaze]
    – The attack could be done in less than a day
    – Just transmit the new LEAF with the correct checksum
  ◆ NSA solution: put it in hardware, inspect all Clipper devices
    – Still vulnerable to an out-of-the-box device
  ◆ Bottom line: people will find ways around hardware security...

Blowfish, Rijndael, and Other Strange Creatures

The algorithm might look haphazard, but we did everything for a reason. Nothing is in Twofish by chance. Anything in the algorithm that we couldn't justify, we removed. The result is a lean, mean algorithm that is strong and conceptually simple.

- Bruce Schneier

Block Ciphers 44

AES: Advanced Encryption Standard

• 1996: NIST initiated a program to choose an Advanced Encryption Standard to replace DES
• Requested algorithm submissions
  ◆ Got 15 of them!
• Requirements:
  ◆ Secure for the next 50-100 years
  ◆ Faster than 3DES
  ◆ Supports variable-length keys (at least 128, 192 and 256 bits)
  ◆ Must be a block cipher (128-bit block)

Block Ciphers 45

AES process

• Open design
  ◆ DES: the design criteria for the S-boxes were kept secret
  ◆ Open => less chance for subversion
• Many decent choices
  ◆ DES: only one acceptable algorithm
  ◆ Less likelihood that the algorithm is "fixed"
• Public cryptanalysis efforts before the choice
  ◆ Heavy involvement of the academic community
  ◆ Leading public cryptographers tried to break it
• Very conservative: 4+ year process

Block Ciphers 46

AES: Round 1

• 15 submissions accepted
• Weak ciphers quickly eliminated
  ◆ Magenta broken at the conference!
• 5 finalists selected
  ◆ Security versus performance is the main tradeoff
  ◆ Lots of complexity => anything can be made secure
  ◆ Tougher to make simple ciphers secure...

Block Ciphers 47

AES finalists

• MARS (IBM)
• RC6 (Rivest et al.)
• Rijndael (Belgian cryptographers Joan Daemen and Vincent Rijmen)
• Serpent (Anderson, Biham, Knudsen)
• Twofish (Schneier et al.)

Block Ciphers 48

Blowfish

• [Schneier93]
• 64-bit block cipher
• Much faster than DES
• Variable key length: 32-448 bits
• Many attempted cryptanalyses, none successful yet (as of these slides)
• Widely used: ssh, OpenBSD, PGPfone

Block Ciphers 49

Key-dependent S-boxes

• Differential cryptanalysis depends on analyzing S-box input/output difference probabilities
• Prevent this by making the S-boxes key-dependent
  ◆ The S-boxes differ by key, so no a priori analysis is possible
• Problem for AES: too much setup time and space
  ◆ Blowfish must run the algorithm 521 times to set up its S-boxes
• Solution: Twofish
  ◆ Provides options for how much of the key-dependent S-box material to precompute
    – Trades key-setup time against memory and per-block speed
  ◆ Does other things
    – Increases the block size (128 bits required by AES)
    – Changes the key schedule
    – Other stuff...

Block Ciphers 50

Why use π/e/Φ in cryptography?

• The digits of well-known mathematical constants have a good pseudorandom distribution
  ◆ π and e are transcendental (Φ, the golden ratio, is algebraic); in every case the digits show no exploitable structure, and one can generate as many as needed...
• Since they are public and well-known, there is little fear that the choice is a trap door ("nothing up my sleeve" numbers)
  ◆ One still could be there, but just how powerful is the NSA?
• Used by RC5, RC6, Blowfish, etc. to help generate magic constants

Block Ciphers 51

Twofish

[Figure: Twofish structure, from http://www.ddj.com/articles/1998/9812/9812b/9812bf1.htm]

Block Ciphers 52

Choosing AES

  Cipher     Speed (32 bits)   Speed (8 bits)   Safety factor   Simplicity (code size)
  Twofish          16               18              2.67            104 KB
  Rijndael         18               20              1.33             98 KB
  RC6              15               43              1.18             48 KB
  MARS             23               34              1.90             85 KB
  Serpent          62               69              3.56            341 KB

  Speed is in cycles per byte encrypted (lower is faster).

Block Ciphers 53

And the winner is...

• Rijndael chosen as the AES algorithm
• Key characteristics
  ◆ Fast
  ◆ Small
  ◆ Well-understood characteristics
• Twofish drawbacks
  ◆ Key-dependent S-boxes not well understood
  ◆ A full implementation was a memory and space hog
    – OK for some applications, but not for smart cards...

Block Ciphers 54

Rijndael details

• Central operation: xtime(a), multiplication by x (= 02) in GF(2^8)
  ◆ xtime(a) = (a << 1) if the top bit of a is 0, else (a << 1) ⊕ 0x1b, in both cases truncated to 8 bits (0x1b is the low byte of the field polynomial x^8 + x^4 + x^3 + x + 1)
  ◆ Apply repeatedly to multiply by larger numbers
  ◆ Example: 57 • 13 (hexadecimal):
      57 • 02 = xtime(57) = AE
      57 • 04 = xtime(AE) = 47
      57 • 08 = xtime(47) = 8E
      57 • 10 = xtime(8E) = 07
      57 • 13 = 57 • (01 ⊕ 02 ⊕ 10) = 57 ⊕ AE ⊕ 07 = FE
• Three layers
  ◆ Linear mixing (ShiftRow, MixColumn)
  ◆ Non-linear (application of S-boxes)
  ◆ Key addition (by XOR)
• Rijndael is not a Feistel cipher! (Every byte changes in every round, so decryption needs the inverse of each layer.)

Block Ciphers 55

Rijndael data structures

• Assume a block size of 128 bits and a key size of 192 bits
• The State array is 4 columns (n/32) × 4 rows of bytes: a(r,c) with r, c = 0..3
• The Key array is 6 columns (k/32) × 4 rows of bytes: k(r,c) with r = 0..3 and c = 0..5
• Both are packed into linear arrays column by column: a(0,0), a(1,0), a(2,0), a(3,0), a(0,1), ... and likewise k(0,0), k(1,0), k(2,0), ..., k(2,5), k(3,5)

[Figure: the 4×4 State array of bytes a(r,c) and the 4×6 Key array of bytes k(r,c)]

Block Ciphers 56

Rijndael operations

Round (State, RoundKey) {
    ByteSub (State);
    ShiftRow (State);
    MixColumn (State);
    AddRoundKey (State, RoundKey);
}

ByteSub (State) {
    for each byte in State {
        Map byte using S-box table
        Replace byte in State
    }
}

ShiftRow (State) {
    for each row k of State {      // Ck depends on block size (0, 1, 2, 3 for 128-bit blocks)
        cyclic shift left by Ck
    }
}

MixColumn (State) {
    for each column of State {     // columns, not rows: each 4-byte column is multiplied by a fixed invertible matrix over GF(2^8)
        Invertible transform
    }
}

AddRoundKey (State, RoundKey) {
    State = State ⊕ RoundKey
}
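The GF(2^8) arithmetic of slide 54 and the round layers of slide 56 as a runnable added example (mine, not the course's code and not a full AES implementation): xtime and the 57 • 13 product, the S-box built from the field inverse followed by the affine map, MixColumn and its inverse on one column, and one complete round on a 4×4 State. The known values used for checking (57 • 13 = FE, S-box(53) = ED, MixColumn of db 13 53 45 = 8e 4d a1 bc) are the worked examples in FIPS 197.

```python
"""GF(2^8) arithmetic and the Rijndael round layers: xtime, the S-box from
inversion plus affine map, MixColumn on one column, and one full round."""

def xtime(a):
    """Multiply by x (02) in GF(2^8): shift left and, if a bit fell off the top,
    reduce by the field polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """General product via repeated xtime, as the slide does by hand for 57 * 13."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def ginv(a):
    """Multiplicative inverse a^254 (a^255 = 1 for a != 0); AES defines inv(0) = 0."""
    r = a
    for _ in range(253):
        r = gmul(r, a)
    return r

def sbox(a):
    """ByteSub: inverse in GF(2^8) followed by the affine map over GF(2)
    b = s ^ rotl(s,1) ^ rotl(s,2) ^ rotl(s,3) ^ rotl(s,4) ^ 0x63."""
    s = ginv(a)
    t = s
    for i in range(1, 5):
        t ^= ((s << i) | (s >> (8 - i))) & 0xFF
    return t ^ 0x63

def mix_column(col):
    """MixColumn: multiply the column by the circulant matrix with first row (02 03 01 01)."""
    a0, a1, a2, a3 = col
    return [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]

def inv_mix_column(col):
    """Inverse matrix, first row (0e 0b 0d 09); decryption needs it because Rijndael is not Feistel."""
    a0, a1, a2, a3 = col
    m = gmul
    return [m(a0, 14) ^ m(a1, 11) ^ m(a2, 13) ^ m(a3, 9),
            m(a0, 9) ^ m(a1, 14) ^ m(a2, 11) ^ m(a3, 13),
            m(a0, 13) ^ m(a1, 9) ^ m(a2, 14) ^ m(a3, 11),
            m(a0, 11) ^ m(a1, 13) ^ m(a2, 9) ^ m(a3, 14)]

def aes_round(state, round_key):
    """One full round on a 4x4 State (state[row][col]) for a 128-bit block."""
    st = [[sbox(b) for b in row] for row in state]                        # ByteSub
    st = [row[r:] + row[:r] for r, row in enumerate(st)]                   # ShiftRow: row r left by r
    cols = [mix_column([st[r][c] for r in range(4)]) for c in range(4)]    # MixColumn, column by column
    st = [[cols[c][r] for c in range(4)] for r in range(4)]
    return [[st[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]  # AddRoundKey

if __name__ == "__main__":
    print(f"57 * 13 = {gmul(0x57, 0x13):02X}")
    print(f"S-box(53) = {sbox(0x53):02X}")
    print("MixColumn(db 13 53 45) =", [f"{b:02X}" for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

Computing the S-box this way is what "generate S-boxes" on the next slide means; an implementation for an 8-bit processor would instead tabulate the 256 results once and hard-code them.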

Block Ciphers 57

Running Rijndael

• Generate the S-boxes (or use static S-boxes)
• Generate the round keys from the 128-256 bit key
• Add the first round key to the block
• Run Nr-1 full rounds
• Run the final round without MixColumn
• Output the state array as the ciphertext

• Code available online from the Homework #2 page...

Block Ciphers 58

Advantages of Rijndael

• Uses only simple operations
  ◆ XOR
  ◆ Substitution (table lookup)
  ◆ Cyclic shifts
• Doesn't depend on natural constants
  ◆ Less chance of choosing a "bad" constant
• Requires very little space and time to run
  ◆ The S-box can be hard-coded in 256 bytes for an 8-bit processor
  ◆ Lots of parallelism within each round