
INTRODUCTION · 2019-07-16 · to be possible, each plaintext must produce a unique cipher text block. Feistel Cipher: Approximate the ideal block cipher by utilizing the concept


UNIT II

BLOCK CIPHERS & PUBLIC KEY CRYPTOGRAPHY

Data Encryption Standard - Block cipher principles - Block cipher modes of operation - Advanced

Encryption Standard (AES) - Triple DES. Public key cryptography: Principles of public key

cryptosystems - The RSA algorithm - Key management - Diffie Hellman Key exchange - Elliptic

curve arithmetic - Elliptic curve cryptography – Side Channel Analysis.

INTRODUCTION

Block Cipher: A block cipher is one in which a block of plaintext is treated as a whole

and used to produce a cipher text block of equal length. Typical block size is 64 bits or 128

bits. Eg: DES, AES.

Stream Cipher: A stream cipher is one that encrypts a digital data stream one bit or one

byte at a time. Eg: Vigenere cipher, vernam cipher.

Reversible or non-singular transformation: For an encryption to be reversible, i.e. decryption

to be possible, each plaintext must produce a unique cipher text block.

Feistel Cipher:

The Feistel cipher approximates the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.

Basic Design idea of Feistel cipher:

Feistel proposed the use of a cipher that alternates substitutions and permutations.

• Substitution: Each plaintext element or group of elements is uniquely replaced by a

corresponding cipher text element or group of elements.

• Permutation: A sequence of plaintext elements is replaced by a permutation of that


sequence, i.e. no elements are added or deleted or replaced in the sequence, rather the order

in which the elements appear in that sequence is changed.

Feistel cipher is the practical application of Claude Shannon’s proposal to develop a product cipher

that alternates confusion and diffusion functions that frustrate statistical cryptanalysts.

Diffusion: The statistical structure of the plaintext is dissipated into long-range statistics of

ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext

digits.

Confusion: Confusion seeks to make the relationship between the statistics of the cipher text and

the value of the encryption key as complex as possible.

Parameters and Design Features of Feistel Cipher:

• Block size

• Key size

• Number of rounds

• Subkey generation algorithm

• Round function F

• Other considerations:

o Fast software encryption/decryption

o Ease of analysis

DES-DATA ENCRYPTION STANDARD

DES is also called the Data Encryption Algorithm. This algorithm was proposed by the National Institute of Standards and Technology (NIST) in 1977.

DES working principle:

• DES is a symmetric key block cipher.


• It has the same structure as a Feistel cipher: it partitions the input block into two halves, which are processed through multiple rounds. Each round performs a substitution on the left data half, based on a round function of the right half and the subkey, followed by a permutation that swaps the halves.

• In addition to Feistel cipher structure, it does initial permutation of plaintext and final

inverse initial permutation of last round’s output.

• DES takes a plaintext block of 64 bits and produces a 64-bit ciphertext block. The key is 56 bits long.

• DES has 16 rounds.

• Same algorithm is used for encryption and decryption.

The processing of the algorithm proceeds in 3 phases

Phase 1- Permutation phase, which rearranges the bits to produce permuted input (IP)

Phase 2- This phase has 16 rounds. Each round has permutation and substitution steps.

Phase 3- The output of the phase 2 is passed through permutation which is the inverse of initial

permutation. The final output is 64 bit cipher text.

General depiction of DES encryption algorithm

Initial Permutation (IP)

• The 64 bit plain text is permuted once before entering the round functions.

Single Round of DES

1. Key transformation

2. Expansion permutation

3. S-box substitution

4. Permutation

5. XOR and swap


Single round of a DES algorithm

1. Key transformation

• 64 bit key is taken as input. The key is first subjected to permutation – permuted choice 1

resulting in a 56 bit key.

• This 56-bit key is divided into two halves of 28 bits each. Each half is circularly left-shifted by one or two positions, depending on the round.

• The permuted 56 bits are given as input to permutation – permuted choice 2 – and a 48 bit

unique subkey is selected for each round.

2. Expansion permutation

• Right (Ri-1) plain text is expanded from 32 bits to 48 bits by expansion permutation (E-

table).

• 48 bit key is XORed with 48 bit right plain text and resulting 48 bit output is given to next

step.

3. Substitution S Boxes

• S-box substitution is a process that accepts 48-bit input from XOR operation and produces

32 bit output.

• There are 8 S-boxes numbered from 1-8. Each S-box takes 6 bits as inputs and gives 4 bits

as output.

4. Permutation

• The output of s-box consists of 32 bits. These 32 bits are permuted using p-box.

5. XOR and swap

• All the above operations are performed only on 32 bits right plain text. Now left plaintext

(Li-1) is XORed with p-box output.

• The result of XOR operation becomes the new right half (Ri). The old right half becomes

the new left half (Li).

Inverse Initial permutation

• At the end of 16 rounds simple transposition is performed.


DES decryption

It uses the same algorithm as encryption except the key is used in reverse order.

Avalanche Effect

• When there is a small change in either the plaintext or the key, it should produce a

significant change in the cipher text. In particular, a change in one bit of the plaintext or one

bit of the key should produce a change in many bits of the cipher text. This is referred to as

the avalanche effect.

• DES exhibits a strong avalanche effect.

Strength of DES

1) The use of 56 bit Key

As the key length is 56 bits, for brute force attack there are 2^56 possible keys. Hence, it is impractical.

2) The Nature of the DES Algorithm

For cryptanalysis attack, the characteristic of DES needs to be analyzed. Hence, it makes use of

substitution boxes called S-boxes. Algorithm for the design of S- box wasn’t known to the public.

When the weakness of the S-box is known, then there is a possibility to break DES by cryptanalytic

attack. But until now there is no such attack.

3) Timing attack

Timing attack is one in which information about the key or the plaintext is obtained by observing

how long it takes a given implementation to perform decryptions on various cipher texts. A timing

attack exploits the fact that an encryption or decryption algorithm often takes slightly different

amounts of time on different inputs. An approach known as Hamming weight yields the number of bits

equal to the secret key.

BLOCK CIPHER DESIGN PRINCIPLES

The cryptographic strength of a Feistel cipher derives from three aspects of the design:

1) The number of rounds,

2) The function F, and

3) The key schedule algorithm.

1) Number of Rounds

When the number of rounds increases, the difficulty to perform cryptanalysis also increases even

with a weak F. The number of rounds is to be chosen so that known cryptanalytic efforts should be

greater than the efforts of brute-force attack.

2) Design of Function F

Criteria needed for F,

• It must be difficult to unscramble the substitution done by F.

• The function should satisfy Strict Avalanche Criterion (SAC) – output bit j should change

with the probability of ½ when input bit i is inverted, for all i and j.

• The function should satisfy Bit Independence Criterion (BIC) - Output bits j and k should

change independently when any single input bit i is inverted for all i, j, and k.

• The S- box should have guaranteed avalanche effect.


3) Key Schedule Algorithm

The key generation algorithm is used to generate one subkey for each round. The subkeys should

be different for each round and it should be difficult to deduce the subkeys and trace the main key.

BLOCK CIPHER MODES OF OPERATION

DES is the basic building block for providing data security. To apply a block cipher in a variety of

applications, five "modes of operation" have been defined by NIST.

A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or

adapting the algorithm for an application, such as applying a block cipher to a sequence of data

blocks or a data stream.

(i) Electronic Code Book (ECB)

• The simplest mode is the electronic codebook (ECB) mode, in which 64 bit plaintext is

handled one block at a time and each block of plaintext is encrypted using the same key.

• Message is broken into independent blocks that are encrypted, i.e. if message is longer than

64 bits, break them into 64 bit blocks and pad the last block with some regular patterns of

0 and 1 to complete the block.

• For a given key, there is a unique cipher text for every 64 bit block of plaintext.

• Decryption is performed on one block at a time using the same key K.

Encryption: C_N = E(K, P_N), N = 1, …, n

Decryption: P_N = D(K, C_N), N = 1, …, n

Advantages

• The ECB method is ideal for a short amount of data, such as an encryption of a key.


Disadvantages

• In longer messages, for the same b-bit block of plaintext, if it appears more than once in the

message, ECB always produces the same cipher text, hence the ECB mode may not be secure.

(ii) Cipher Block Chaining Mode (CBC)

• To overcome the drawback of ECB, CBC is a technique in which the same plaintext block, if repeated, produces different ciphertext blocks.

• The input to the encryption algorithm is the XOR of the current plaintext block and the

preceding ciphertext block; the same key is used for each block.

where IV is the initialization vector (known only to the communicating parties)

• The input to the encryption function for each plain text block bears no fixed relationship to

the plain text block. Therefore, repeating patterns of bits are not exposed.

• For decryption, each cipher block is passed through the decryption algorithm. The result is

XORed with the preceding cipher text block to produce the plain text block.

• To produce the first block of ciphertext, an Initialization Vector (IV) is XORed with the first block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.

Encryption : C_1 = E(K, [IV ⊕ P_1]); C_j = E(K, [C_{j-1} ⊕ P_j]), j = 2 to N

Decryption : D(K, C_j) = D(K, E(K, [C_{j-1} ⊕ P_j]))

Advantages :

• An appropriate mode for encrypting messages of length greater than b bits.

• In addition to its use to achieve confidentiality, the CBC mode can be used for authentication.

• CBC mode is self-recovering, i.e. if two blocks are affected by an error, the system recovers

and continues to work correctly for all subsequent blocks.

Disadvantages:

• Both IV and key should be protected.
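The Feistel structure, decryption with the subkeys in reverse order, the avalanche effect, and the ECB and CBC behaviour described above, as an added example that is not part of the original notes. The round function and key schedule are SHA-256 based stand-ins (assumptions), not DES's E-table, S-boxes or permuted choices; the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8     # 64-bit block, as in DES
ROUNDS = 16   # DES uses 16 rounds

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    # Toy key schedule (assumption): one distinct 48-bit subkey per round.
    return [hashlib.sha256(key + bytes([r])).digest()[:6] for r in range(ROUNDS)]

def round_f(right: bytes, subkey: bytes) -> bytes:
    # Toy round function F (assumption): 32-bit half + subkey -> 32 bits.
    return hashlib.sha256(subkey + right).digest()[:4]

def feistel(block: bytes, keys: list) -> bytes:
    left, right = block[:4], block[4:]
    for k in keys:
        # L_i = R_(i-1);  R_i = L_(i-1) XOR F(R_(i-1), K_i)
        left, right = right, xor(left, round_f(right, k))
    return right + left   # final swap lets the same network undo itself

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])   # same algorithm, subkeys reversed

def split(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    return b"".join(encrypt_block(key, p) for p in split(msg))

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for p in split(msg):
        prev = encrypt_block(key, xor(prev, p))        # C_j = E(K, C_(j-1) XOR P_j)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(prev, decrypt_block(key, c)))   # P_j = C_(j-1) XOR D(K, C_j)
        prev = c
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = split(ct)
    return len(blocks) - len(set(blocks))

def bits_changed(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample values: the first three plaintext blocks are identical.
KEY = b"constructed key"
IV = bytes(range(8))
MSG = b"ATTACK!!" * 3 + b"RETREAT!"

if __name__ == "__main__":
    c = encrypt_block(KEY, MSG[:8])
    print("round trip ok:", decrypt_block(KEY, c) == MSG[:8])
    # b"ATTACK!\x20" differs from b"ATTACK!!" in exactly one plaintext bit.
    print("avalanche bits:", bits_changed(c, encrypt_block(KEY, b"ATTACK!\x20")))
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MSG)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MSG)))
```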


(iii) Cipher Feedback Mode

DES is a block cipher technique that uses 64 bit blocks. It is possible to convert DES into a stream

cipher using Cipher Feedback (CFB), Output Feedback (OFB) or Counter (CTR) mode.

• The input to the encryption function is a b-bit shift register that is initially set to some

initialization vector (IV).

• The leftmost (most significant) s bits of the output of the encryption function are XORed with the first s-bit segment of plaintext, P1, to produce the first unit of ciphertext C1.

• The contents of the shift register are shifted left by s bits and C1 is placed in the rightmost s bits.

• This process continues until all plaintext units have been encrypted.

• For decryption, the same scheme is used, except that the received ciphertext unit is XORed

with the output of the encryption function to produce the plaintext unit.

Encryption & Decryption function

Let S_s(X) be defined as the most significant s bits of X.

C_1 = P_1 ⊕ S_s[E(K, IV)]

P_1 = C_1 ⊕ S_s[E(K, IV)]


Advantages:

• Avoids padding

• Operates in real time

• It is self-recovering

• Simplicity

• Need not be used on byte boundary

(iv) Output feedback mode

• The output feedback (OFB) mode is similar in structure to that of CFB.

• In OFB, it is the output of the encryption function that is fed back to the shift register, whereas in CFB the ciphertext unit is fed back to the shift register.

• Feedback is independent of message.

Advantage

One advantage of the OFB method is that bit errors in transmission do not propagate.

Disadvantage

The disadvantage of OFB is that it is more vulnerable to a message stream modification attack

than is CFB.


(v) Counter Mode – (CTR)

• Here, a counter equal in size to the plaintext block is used.

• The counter value must be different for each plain text block.

• The counter is initialized to some value and then incremented by 1 for each subsequent

block.

• For encryption, the counter is encrypted and then XORed with the plaintext block to

produce the cipher text block; there is no chaining.

• For decryption, the same sequence of counter values is used, with each encrypted counter

XORed with a cipher text block to recover the corresponding plaintext block.

Advantages

• Hardware efficiency: Unlike the three chaining modes, encryption (or decryption) in CTR

mode can be done in parallel on multiple blocks of plaintext or cipher text.

• Software efficiency: Similarly, because of the opportunities for parallel execution in CTR

mode, processors that support parallel features can be utilized.

• Preprocessing: The execution of the underlying encryption algorithm does not depend on

input of the plaintext or cipher text.

• Random access: The ith block of plaintext or ciphertext can be processed in random-access

fashion.


Disadvantages

• Synchronous counter at sender and receiver must be present. Loss of

synchronization leads to incorrect recovery of plaintext.
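The CFB, OFB and CTR descriptions above, as an added example (not part of the original notes) that flips one ciphertext bit in transit and reports which plaintext bytes are damaged after decryption. The function E is a keyed SHA-256 stand-in for the block cipher, an assumption of this example, and the key, IV, counter start and message are constructed.

```python
import hashlib

B = 8   # block size b in bytes (64 bits, as for DES)
S = 1   # CFB segment size s in bytes (8-bit CFB)

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for E(K, .), an assumption of this example: keyed SHA-256 truncated
    # to b bits. These three modes only call E in the encryption direction.
    return hashlib.sha256(key + block).digest()[:B]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    reg, out = iv, bytearray()
    for i in range(0, len(data), S):
        unit = data[i:i + S]
        result = xor(unit, E(key, reg)[:S])      # unit XOR S_s[E(K, register)]
        out += result
        cipher_unit = unit if decrypt else result
        reg = reg[S:] + cipher_unit              # shift left s bits, feed ciphertext back
    return bytes(out)

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    reg, out = iv, bytearray()
    for i in range(0, len(data), B):
        reg = E(key, reg)                        # output of E is fed back, not ciphertext
        out += xor(data[i:i + B], reg)           # zip() truncates: no padding needed
    return bytes(out)

def ctr(key: bytes, start: int, data: bytes) -> bytes:
    out = bytearray()
    for n, i in enumerate(range(0, len(data), B)):
        counter = ((start + n) % (1 << (8 * B))).to_bytes(B, "big")
        out += xor(data[i:i + B], E(key, counter))   # no chaining between blocks
    return bytes(out)

def flip_bit(data: bytes, index: int) -> bytes:
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)

def damaged_positions(plain: bytes, recovered: bytes) -> list:
    return [i for i, (a, b) in enumerate(zip(plain, recovered)) if a != b]

# Constructed sample values; the message length is deliberately not a multiple of b.
KEY, IV, START = b"constructed key", bytes(range(8)), 1000
MSG = b"PAY 0000100 TO ACCOUNT 12345678 TODAY"

def error_propagation(index: int = 5) -> dict:
    """Flip one ciphertext bit per mode; return the plaintext byte positions damaged."""
    results = {}
    ct = cfb(KEY, IV, MSG)
    results["CFB"] = damaged_positions(MSG, cfb(KEY, IV, flip_bit(ct, index), decrypt=True))
    ct = ofb(KEY, IV, MSG)
    results["OFB"] = damaged_positions(MSG, ofb(KEY, IV, flip_bit(ct, index)))
    ct = ctr(KEY, START, MSG)
    results["CTR"] = damaged_positions(MSG, ctr(KEY, START, flip_bit(ct, index)))
    return results

if __name__ == "__main__":
    for mode, positions in error_propagation().items():
        print(mode, positions)
```

In OFB and CTR the flipped ciphertext bit flips exactly the same plaintext bit and nothing else, which is why these modes need a separate integrity check; in CFB the damage lasts until the altered unit leaves the shift register, after which decryption recovers.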

DOUBLE DES

The simplest form of multiple encryption has two encryption stages and two keys. Given a

plaintext P and two encryption keys K1 and K2, ciphertext C is generated as

C = E(K2, E(K1, P))

Drawback

• Meet-in-the-middle attack

Given a known pair (P, C), the attack proceeds as follows. First, encrypt P for all 2^56 possible values of K1. Store these results, X = E(K1, P), in a table and then sort the table by the values of X. Next, decrypt C using all 2^56 possible values of K2. As each decryption is produced, check the result against the table for a match. If a match occurs, then test the two resulting keys against a new known plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them as the correct keys.
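Why a second key does not double the effective key length: the procedure above on a toy cipher, as an added example that is not part of the original notes. The 32-bit cipher E/D, its 12-bit keys and the plaintext values are constructed for the demonstration, and a dictionary lookup replaces the sorted table.

```python
MASK = 0xFFFFFFFF
MUL = 0x01000193                  # odd constant, so invertible modulo 2**32
INV = pow(MUL, -1, 1 << 32)
KEY_BITS = 12                     # toy key size (DES uses 56)

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK

def E(k: int, p: int) -> int:
    # Toy invertible 32-bit cipher (assumption): xor key material, multiply, rotate.
    for r in range(4):
        p = rotl(((p ^ ((k * 0x9E3779B1 + r) & MASK)) * MUL) & MASK, 7)
    return p

def D(k: int, c: int) -> int:
    for r in reversed(range(4)):
        c = ((rotr(c, 7) * INV) & MASK) ^ ((k * 0x9E3779B1 + r) & MASK)
    return c

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return E(k2, E(k1, p))        # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs: list):
    """Return (candidate key pairs, number of single-cipher operations on the first pair)."""
    (p, c), extra = pairs[0], pairs[1:]
    table, work = {}, 0
    for k1 in range(1 << KEY_BITS):          # X = E(K1, P) for every K1
        table.setdefault(E(k1, p), []).append(k1)
        work += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):          # X = D(K2, C) for every K2
        work += 1
        for k1 in table.get(D(k2, c), []):
            # A match on the first pair may be a coincidence: confirm on the others.
            if all(double_encrypt(k1, k2, q) == d for q, d in extra):
                candidates.append((k1, k2))
    return candidates, work

# Constructed secret keys and known plaintext-ciphertext pairs.
K1, K2 = 0x5A3, 0xC17
PAIRS = [(q, double_encrypt(K1, K2, q)) for q in (0x01234567, 0x89ABCDEF)]

if __name__ == "__main__":
    found, work = meet_in_the_middle(PAIRS)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("operations:", work, "instead of", 1 << (2 * KEY_BITS))
```

The work grows as 2 × 2^k rather than 2^(2k), at the cost of a table with 2^k entries.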

TRIPLE DES

• To overcome the meet-in-the-middle attack, three stages of encryption with different keys are used. This is called triple DES.

• Tuchman proposed a triple encryption method that uses only two keys. The function

follows an encrypt-decrypt-encrypt sequence

• C = E(K1, D(K2, E(K1, P)))

• There is no cryptographic significance to the use of decryption for the second stage. Its only

advantage is that it allows users of 3DES to decrypt data encrypted by users of the older

single DES.

• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use

in the key management standards


ADVANCED ENCRYPTION STANDARD (AES)

The Rijndael proposal for AES was submitted by two Belgian cryptographers, Dr. Joan Daemen

and Dr. Vincent Rijmen. The Advanced Encryption Standard (AES) was published by the National

Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is

intended to replace DES as the approved standard for a wide range of applications.

• The cipher takes a plaintext block size of 128 bits, or 16 bytes.

• The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred

to as AES-128, AES-192, or AES-256, depending on the key length.

• The cipher consists of N rounds, where the number of rounds depends on the key length:

10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.

• The first N - 1 rounds consist of four distinct transformation functions:

o SubBytes,

o ShiftRows,

o MixColumns

o AddRoundKey

• The final round contains only three transformations, and there is an initial single

transformation (AddRoundKey) before the first round, which can be considered Round 0.

• Each transformation takes one or more 4 x4 matrices as input and produces a 4x4 matrix

as output.

• Also, the key expansion function generates N + 1 round keys, each of which is a distinct

4x4 matrix.

• Each round key serves as one of the inputs to the AddRoundKey transformation in each

round.


Detailed Structure

1. AES is not a Feistel structure. AES processes the entire data block as a single matrix during

each round using substitutions and permutation.

2. The key is expanded into an array of forty-four 32-bit words.

3. Four different stages are used,

• Substitute bytes

• ShiftRows

• MixColumns

• AddRoundKey

4. The structure is simple. For both encryption and decryption, the cipher begins with an

AddRoundKey stage, followed by nine rounds that each includes all four stages, followed by a

tenth round of three stages.

5. Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins and

ends with an AddRoundKey stage. Any other stage, applied at the beginning or end, is reversible

without knowledge of the key and so would add no security.

6. The AddRoundKey stage is, in effect, a form of Vernam cipher and by itself would not be

formidable. This scheme is both efficient and highly secure.

7. Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns stages,

an inverse function is used in the decryption algorithm.

8. The decryption algorithm uses the expanded key in reverse order.

9. The decryption algorithm does recover the plaintext. At each horizontal point (e.g., the

dashed line in the figure), State is the same for both encryption and decryption.

10. The final round of both encryption and decryption consists of only three stages.


Substitute Bytes Transformation

• The forward substitute byte transformation is called SubBytes.

• It is represented by 16x16 matrix called an S-box.

• For each individual byte of State the value is mapped into a new byte.

• The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as

a column value.

• These row and column values serve as indexes into the S-box to select a unique 8-bit output

value.

• For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which

contains the value {2A}.


ShiftRows Transformation

• The forward shift row transformation is also called ShiftRows.

• The first row of State is not altered.

• For the second row, a 1-byte circular left shift is performed.

• For the third row, a 2- byte circular left shift is performed.

• For the fourth row, a 3-byte circular left shift is performed.

• The inverse shift row transformation, called InvShiftRows, performs the circular shifts

in the opposite direction for each of the last three rows, with a 1-byte circular right shift

for the second row, and so on.

• The following is an example of ShiftRows.


MixColumns Transformation

• The forward mix column transformation, called MixColumns, operates on each column

individually.

• Each byte of a column is mapped into a new value that is a function of all four bytes in

that column.

• The transformation can be defined by the following matrix:

• The following is an example for mixcolumns:

• Multiplication of a value by x (i.e., by {02}) can be implemented as a 1-bit left shift

followed by a conditional bitwise XOR with (0001 1011) if the leftmost bit of the original

value (prior to the shift) is 1.

• If the leftmost bit is 0 prior to shift, simply do a 1-bit left shift alone.

• Thus, to verify the MixColumns transformation on the first column:

AddRoundKey Transformation

In the forward add round key transformation, called AddRoundKey, the 128 bits (16 bytes) of

State are bitwise XORed with the 128 bits (16 bytes) of the round key.
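The SubBytes, ShiftRows, MixColumns and AddRoundKey steps described above, as an added example that is not part of the original notes. The S-box is computed with the standard construction (multiplicative inverse in GF(2^8) followed by the affine transformation) rather than typed in as a table, and the sample column and state are values chosen for this example.

```python
def xtime(a: int) -> int:
    # Multiply by {02}: 1-bit left shift, then XOR 0001 1011 if the old top bit was 1.
    shifted = (a << 1) & 0xFF
    return shifted ^ 0x1B if a & 0x80 else shifted

def gmul(a: int, b: int) -> int:
    # General GF(2^8) multiplication built from repeated xtime.
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def ginv(a: int) -> int:
    # Multiplicative inverse: a^254, with {00} mapped to itself.
    result = 1
    for _ in range(254):
        result = gmul(result, a)
    return result if a else 0

def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF

def build_sbox() -> list:
    box = []
    for value in range(256):
        b = ginv(value)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return box

SBOX = build_sbox()

def sbox_lookup(byte: int) -> int:
    row, col = byte >> 4, byte & 0x0F      # leftmost 4 bits = row, rightmost 4 = column
    return SBOX[16 * row + col]

# State is a list of 4 rows, each a list of 4 bytes.
def sub_bytes(state: list) -> list:
    return [[sbox_lookup(b) for b in row] for row in state]

def shift_rows(state: list) -> list:
    return [row[r:] + row[:r] for r, row in enumerate(state)]          # row r: left by r

def inv_shift_rows(state: list) -> list:
    return [row[4 - r:] + row[:4 - r] for r, row in enumerate(state)]  # row r: right by r

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col: list) -> list:
    return [gmul(MIX[r][0], col[0]) ^ gmul(MIX[r][1], col[1])
            ^ gmul(MIX[r][2], col[2]) ^ gmul(MIX[r][3], col[3]) for r in range(4)]

def mix_columns(state: list) -> list:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def add_round_key(state: list, round_key: list) -> list:
    return [[s ^ k for s, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]

# Sample values chosen for this example.
SAMPLE_COLUMN = [0x87, 0x6E, 0x46, 0xA6]
SAMPLE_STATE = [[4 * r + c for c in range(4)] for r in range(4)]

if __name__ == "__main__":
    print("S-box[{95}] =", format(sbox_lookup(0x95), "02X"))
    print("ShiftRows:", shift_rows(SAMPLE_STATE))
    print("MixColumns column:", [format(b, "02X") for b in mix_column(SAMPLE_COLUMN)])
```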


Key Expansion Algorithm

• The input to this algorithm is 4-word key.

• The output is 44 words.

• The key is copied to the first 4-words of the expanded key.

• The remainder of the expanded key is filled in four words at a time.

• Each added word depends on the immediately preceding word w(i-1) and the word four

positions back, w(i-4).

AES Evaluation Criteria

AES can be evaluated in 3 categories, namely,

• Security

• Cost

• Algorithm and implementation characteristics

a) Security

This refers to the effort required to cryptanalyze an algorithm. Its emphasis in the


evaluation was on the practicality of the attack because minimum key size in AES is

128 bits. This criterion focused on the resistance to cryptanalytic attacks rather than

brute force attacks.

b) Cost

It covers the computational efficiency and storage requirement for different

implementations such as hardware, software or smart card.

c) Algorithm and implementation characteristics

• Flexibility

• Suitability for a variety of hardware and software implementations

• Simplicity, which will make an analysis of security more straightforward

• C and Java implementation