session 3 symmetric ciphers 2 part 2. triple des ordinary des is now considered obsolete ‒its key...

Session 3

Symmetric ciphers 2part 2

Triple DES

• Ordinary DES is now considered obsolete‒ Its key length is only 56 bits.‒ With today’s technology, it is possible

to recover the key by means of a ”brute force attack” (enumeration of all the possible keys).

• Solution: triple DES.

2/89

Triple DES – mode 1 (EEE)

• The data are enciphered with the first key, then enciphered with the second key, and finally enciphered with the third key.

3/89

Triple DES – mode 2 (EDE)

• The data are enciphered with the first key, then deciphered with the second key, and finally enciphered again with the third key.

• Goal: compatibility with a single DES (set k1=k2=k3=k).

4/89

Triple DES – mode 2 (EDE)

5/89

Triple DES - security

Equivalent key length:•Of Double DES – only 57 bits (so called

Meet-in-the-middle attack is possible that reduces the size of the key from 112 to effective 57 bits).

•Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length.

6/89

Triple DES - security

• A variant of Triple DES (called 2-key Triple DES, or 2TDES), with k1=k3 is widely used in ATM devices.

• Due to certain chosen plaintext and known plaintext attacks on this scheme, its equivalent key length is 80 instead of 112 for the ordinary TDES.

7/89

KASUMI

The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms.

Within the security architecture of the UMTS system there are two standardised algorithms based on KASUMI: •a confidentiality algorithm f8, and

•an integrity algorithm f9. 8/89

KASUMI KASUMI is a Feistel cipher with 8

rounds. It operates on a 64-bit data block

and uses a 128-bit key. Encipherment (1):

•The 64 bit input I is divided into two 32-bit strings L0 and R0, where I = L0 || R0

•Then for each integer i with 1≤i ≤8, we define• Ri = Li-1, Li = Ri-1 fi (Li-1, RKi )

9/89

KASUMI Encipherment (2):

•This constitutes the i-th round function of KASUMI, where fi denotes the round function with Li-1 and round key RKi as inputs.

•The result OUTPUT is equal to the 64-bit string (L8 || R8) offered at the end of the 8-th round.

10/89

KASUMIThe whole algorithm:

11/89

KASUMIThe FO function:

12/89

KASUMIThe FI function:

13/89

KASUMI

The FL function

14/89

KASUMI The f-function has a 32-bit input

and a 32-bit output. Each f-function of KASUMI is

composed of two functions:•an FL-function and•An FO-function.

An FO-function is defined as a network that makes use of three applications of an Fl-function.

15/89

KASUMI An Fl-function has a 16-bit input

and a 16-bit output. Each Fl-function comprises a

network that makes use of two applications of a function S9 and two applications of a function S7.

The functions S7 and S9 are also called "S-boxes of KASUMI".

16/89

KASUMI

In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI).

The Kl-key KIi,j splits into two halves KIi,j,1 and KIi,j,2.

17/89

KASUMI

Each f-function fi takes a 32-bit input and returns a 32-bit output O under the control of a round key RKi, where the round key comprises the triplet (KLi, KOi, KIi).

18/89

KASUMI

The f-function fi itself is constructed from two subfunctions: an FL-function FLi and an FO-function FOi with associated subkeys KLi (used with FLi) and subkeys KOi and KIi (used with FOi).

19/89

KASUMI

The f-function fi has two different forms depending on whether it is an even round or an odd round.

For odd rounds i =1, 3, 5 and 7, the f-function is defined as:

fi (i,RKi) = FOi (FLi (I,KLi),KOi,KLi ) For even rounds, i =2, 4, 6 and 8,

the f-function is defined as:fi (i,RKi) =FLi (FOi (I,KOi,KIi),KLi)

20/89

KASUMI

FL functions (1)•The input to the function FLi comprises a

32-bit data input I and a 32-bit subkey KLi .

•The subkey is split into two 16-bit subkeys, KLi,1 and KLi,2, where:

KLi = KLi,1 ll KLi,2

•The input data l is split into two 16-bit halves, L and R, where l =L||R.

21/89

KASUMI

FL functions (2)•The FL functions make use of the

following simple operations:• ROL(D ) the left circular rotation of a data

block D by-one bit.• D1D2 the bitwise OR operation of two data

blocks D1 and D2.

• D1D2 the bitwise AND operation of two data blocks D1 and D2.

22/89

KASUMI

FL functions (3)•Then the 32-bit output value of the FL

function is defined as L’ ll R ’, where:L’=L ROL(R ’KLi,2)

R ’=R ROL(LKLi,1)

23/89

KASUMI

FO functions (1)•The input to the function FOi comprises

a 32-bit data input I and two sets of subkeys: • a 48-bit KOi and • a 48-bit KIi.

24/89

KASUMI

FO functions (2)•The 32-bit data input is split into two

halves, L0 and R0, where I = L0 ll R0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where:

KOi=KOi,1 ll KOi,2 ll KOi,3 and KIi=KIi,1 ll KIi,2 ll KIi,3

25/89

KASUMI

FO functions (3)•For each integer j with 1≤j ≤3 the

operation of the j th round of the function FOi is defined as:

Rj=FIi,j (Lj -1 KOi,j,KIi,j) Rj -1

Lj=Rj -1

•Output from the FOi function is defined as the 32-bit data block L3 ll R3.

26/89

KASUMI

FI functions (1)•An Fl-function FIi,j takes a 16-bit data

input I and a 16-bit subkey KIi,j . •The input I is split into two unequal

components, a 9-bit left half L0 and a 7-bit right half R0, where I =L0 ll R0.

•Similarly, the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component Kli,j,2, where KIi,j= KIi,j,1 ll KIi,j,2.

27/89

KASUMI

FI functions (2)•Each Fl-function FIi,j uses two S-boxes:

S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output.

•Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards 2 MSB of a 9-bit string).

28/89

KASUMI

FI functions (3)•The function FIi,j is defined by the following

series of operations:L1= R0 R1=S9[L0]ZE(R0)L2=R1KIi,j,2 R2=S7[L1]TR(R1)KIi,j,1L3=R2 R3=S9[L2]ZE(R2)L4 =S7[L3]TR(R3) R4=R3

•The output of the FIi,j function is the 16-bit data block L4 ll R4.

29/89

KASUMI

FI functions (4)•The key schedule of KASUMI contains

linear transforms and is rather simple.•That was a consequence of performance

requirements.

30/89

Rijndael - AES

In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES.

Rijndael was designed for block and key lengths of 128, 192 and 256 bits.

AES supports only the 128 bit version.

31/89

Rijndael - AES

Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key.

We consider a 128 bit version, i.e. the AES.

32/89

Rijndael - AES

Each round has a round key, derived from the original key.

There is also a 0th round key, which is the original key.

A round starts with an input of 128 bits and produces an output of 128 bits.

33/89

Rijndael - AES

There are four basic steps, called layers, that are used to form the rounds:

The ByteSub Transformation (BS)•This non-linear layer is for resistance to

differential and linear cryptanalysis attacks.

34/89

Rijndael - AES

The ShiftRow Transformation (SR)•This linear mixing step causes diffusion

of the bits over multiple rounds. The MixColumn Transformation

(MC)•This layer has a purpose similar to

ShiftRow. AddRoundKey (ARK)

•The round key is XoRed with the result of the above layer.

35/89

Rijndael - AES

36/89

One round of AES

Rijndael - AES

AES encipherment:•ARK, using the 0th round key.•Nine rounds of BS, SR, MC, ARK using

round keys 1 to 9.•A final round: BS, SR, ARK, using the

10th round key (i.e. the final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn).

•The 128-bit output is the ciphertext block.

37/89

Rijndael - AES

38/89

Rijndael - AES

• The 128 input bits are grouped into 16 bytes of 8 bits each

a00, a10, a20, a30, a01, a11, …, a33.

• These are arranged into a 4x4 byte matrix:

33231303

32221202

31211101

30201000

,,,,

,,,,

,,,,

,,,,

aaaa

aaaa

aaaa

aaaa

39/89

Rijndael - AES

The operations that are performed in the field GF(28) use the following generating polynomial (Rijndael polynomial):

f (X )=1+X+X 3+X 4+X 8

Each byte, except the zero byte has a multiplicative inverse in GF(28).

40/89

Rijndael - AES

The ByteSub transformation:•In this step, each of the bytes in the

matrix is changed to another byte by means of the S-box.

•If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15).

•This entry, when converted to binary, is the output.

41/89

Rijndael - AES

• The output of ByteSub is again a 4x4 matrix of bytes

33231303

32221202

31211101

30201000

,,,,

,,,,

,,,,

,,,,

bbbb

bbbb

bbbb

bbbb

42/89

Rijndael - AES

• The ShiftRow Transformation:– The four rows of the matrix are

shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain

23130333

12023222

01312111

30201000

33231303

32221202

31211101

30201000

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

bbbb

bbbb

bbbb

bbbb

cccc

cccc

cccc

cccc

43/89

Rijndael - AES

The MixColumn Transformation•Regard a byte as an element of GF(28).

•Then the output of the ShiftRow step is a 4x4 matrix [ci,j ] with entries in GF(28).

•We multiply from the left the matrix [ci,j ] by a special matrix, whose entries are the elements of GF(28), to produce the output [di,j ].

44/89

Rijndael - AES

33231303

32221202

31211101

30201000

33231303

32221202

31211101

30201000

00000010000000010000000100000011

00000011000000100000000100000001

00000001000000110000001000000001

00000001000000010000001100000010

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

dddd

dddd

dddd

dddd

cccc

cccc

cccc

cccc

45/89

Rijndael - AES

The RoundKey Addition•The round key, derived from the key,

consists of 128 bits, which are arranged in a 4x4 matrix [ki,j ] of bytes.

•This is XORed with the output of the MixColumn step.

46/89

Rijndael - AES

33231303

32221202

31211101

30201000

33231303

32221202

31211101

30201000

33231303

32221202

31211101

30201000

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

,,,,

eeee

eeee

eeee

eeee

kkkk

kkkk

kkkk

kkkk

dddd

dddd

dddd

dddd

47/89

Rijndael - AES

The key schedule (1)•The original key consists of 128 bits,

which are arranged into a 4x4 matrix of bytes.

•This matrix is expanded by adjoining 40 more columns, as follows.

•Label the first four columns W(0), W(1), W(2), W(3).

•The new columns are generated recursively.

48/89

Rijndael - AES

The key schedule (2)•Suppose columns up through W(i -1)

have been defined.

•If i is not a multiple of 4, then• W(i )=W(i -4)W(i -1)

•If i is a multiple of 4, then• W(i )=W(i -4)T(W(i -1))

49/89

Rijndael - AES

The key schedule (3)•T(W(i -1)) is the transformation of W(i -

1) obtained as follows (1)• Let the elements of the column W(i -1) be

a, b, c, d. • Shift these cyclically to obtain b, c, d, a. • Now replace each of these bytes with the

corresponding element in the S-box from the ByteSub step, to get 4 bytes e, f, g, h.

50/89

Rijndael - AES

The key schedule (4)•T(W(i -1)) is the transformation of W(i -

1) obtained as follows (2)• Finally, compute the round constant

r(i )=00000010(i -1)/4

in GF(28).

•Then T(W(i - 1)) is the column vector(e r(i ),f,g,h) .

51/89

Rijndael - AES

The key schedule (5)•In this way columns W(4), ..., W(43) are

generated from the initial four columns.

•The round key for the i th round consists of the columns

W(4i ), W(4i +1), W(4i +2), W(4i +3).

52/89

Rijndael - AES

The S-box was obtained on the basis of the multiplicative inverse of input in GF(28).

The only exception is S(0)=0, since 0 has no multiplicative inverse.

53/89

Rijndael - AES

Deciphering (1)•Each of the steps ByteSub, ShiftRow,

MixColumn, and AddRoundKey is invertible:• The inverse of ByteSub is another lookup

table, called InvByteSub.• The inverse of ShiftRow is obtained by

shifting the rows to the right instead of to the left, yielding InvByteSub.

54/89

Rijndael - AES

• Deciphering (2)– Since the 4x4 matrix used in

MixColumn is invertible, the inverse of MixColumn exists.

– The transformation InvMixColumn is multiplication by the matrix

00001110000010010000110100001011

00001011000011100000100100001101

00001101000010110000111000001001

00001001000011010000101100001110

55/89

Rijndael - AES

Deciphering (3)•AddRoundKey is its own inverse.

•The deciphering process:• ARK, using the 10th round key.• Nine rounds of IBS, ISR, IMC, IARK, using

round keys 9 to 1.• A final round: IBS, ISR, ARK, using the 0th

round key.

56/89

Rijndael - AES

Deciphering (4)•The fact that enciphering and

deciphering are not identical processes leads to the expectation that there are no so called “weak keys”, in contrast to DES and several other algorithms.

57/89

Modes of operation of block ciphers

Block ciphers operate over highly reduced information sets.

They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc.

58/89

Modes of operation of block ciphers

Block ciphers are totally inadequate for enciphering great quantities of data, such as very formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily.

59/89

Modes of operation of block ciphers By convention, the direct use of a

block cipher is called Electronic Codebook Mode (ECB).

Other modes of operation:•Cipher Block Chaining mode, CBC.

•Cipher Feedback mode, CFB.

•Output Feedback mode, OFB.

•Counter mode, CTR.

60/89

Modes of operation of block ciphers

It is supposed that the block length is n.

In the following illustrations of modes of operation, DES is used as an example.

However, any block cipher can be used instead of DES.

61/89

Modes of operation of block ciphers

Cipher block chaining•An n bit shift register is loaded with a

random initial vector (IV), which is not kept secret.

•In such a way, the output of the block cipher depends not only on the current input, but also on all the previous inputs.

62/89

Modes of operation of block ciphers

63/89

Cipher block chaining

Modes of operation of block ciphers Cipher feedback mode (1)

•An n bit shift register is loaded with a random initial vector (IV) that is not kept secret, but it must be unique to every message to be enciphered.

•The plaintext is divided into blocks of m bits.

64/89

Modes of operation of block ciphers Cipher feedback mode (2)

•The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n.

•The shift register of n bits is shifted left m bits after each operation of block encipherment.

•In this mode, the block cipher is converted into a stream cipher.

•Such a cipher is self-synchronizing, i.e. error propagation is limited.

65/89

Modes of operation of block ciphers Cipher feedback mode (3)

•Unlike the CBC mode, both encipherment and the decipherment side use the block cipher that performs enciphering.

•This enables use of any keyed function instead of the block cipher, e.g. a hash function.

66/89

Modes of operation of block ciphers

67/89

Cipher feedback mode

Modes of operation of block ciphers Output feedback mode (1)

•An n bit shift register is loaded with an initial vector (IV) that is not kept secret but it must be unique to every message to be enciphered.

•The plaintext is divided into m bit blocks.

•The sum modulo 2 is performed, bit by bit, over blocks, whose length can vary between 1 and n.

68/89

Modes of operation of block ciphers Output feedback mode (2)

•The shift register shifts left m bits after each block encipherment.

•In this mode, the block cipher is also converted into a stream cipher.

•But unlike CFB, this cipher is NOT self-synchronising.

69/89

Modes of operation of block ciphers Output feedback mode (3)

•The encipherment and the decipherment side in the OFB mode are exactly the same (they use a block cipher that performs enciphering, the same as in the CFB mode).

•Therefore, any keyed function may be used instead of the block cipher, e.g. a hash function.

70/89

Modes of operation of block ciphers

71/89

Output feedback mode

Modes of operation of block ciphers

Counter mode (1)•Counter mode creates an output key

stream that is XoRed with blocks of plaintext to produce ciphertext.

•The output stream in CTR is not linked to previous output streams.

72/89

Modes of operation of block ciphers

Counter mode (2)•CTR starts with the plaintext divided

into m-bit blocks, P = [P1, P2, ...].

•m can vary between 1 and n.

•We begin with an initial value X1, which has a length equal to the block length n of the cipher, e.g. 64 bits.

73/89

Modes of operation of block ciphers

Counter mode (3)•X1 is enciphered using the key K to

produce n bits of output, whose leftmost m-bits are extracted and XoRed with P1 to produce m bits of ciphertext, C1.

74/89

Modes of operation of block ciphers

Counter mode (4)•Rather than update the register X2 to

contain the output of the block cipher, we simply take X2=X1+1.

•In this way, X2 does not depend on previous output.

•CTR then creates new output stream by enciphering X2.

75/89

Modes of operation of block ciphers Counter mode (5)

•In this mode, the block cipher is also converted into a stream cipher.

•This cipher is not self-synchronising.•Both the enciphering and the deciphering

side use the block cipher that performs enciphering.

•Major advantage of CTR• Enciphering/deciphering can be done in

parallel for each state of the counter – very fast!

76/89

Modes of operation of block ciphers

77/89

Counter mode

Security of block ciphers The decomposition of

encipherment/decipherment into subprocesses provides the cryptanalyst the possibility for an attack.

No practical block cipher is provably secure.

Consequently, new design criteria are being discovered, often as a response to emerging novel attacks on block ciphers.

78/89

Security of block ciphers

The development of theoretical knowledge about block ciphers:•Typically, a block cipher design is

proposed according to widely-accepted and well-founded rules.

•This forces the cryptanalysts to attempt to attack the cipher in a new way.

•These new attacks, if successful, lead in turn to the extending of the set of design criteria.

79/89

Security of block ciphers

There exist accepted security models, which can be used for analyzing a block cipher. The most widely used ones are:•Unconditional Security (Perfect

Secrecy).

•Security Against a Polynomial Attack.

•“Provable” Security.

•Practical Security.

•Historical Security.80/89

Security of block ciphers Unconditional Security (Shannon)

(1) •An adversary has unlimited

computational resources.

•Secure encryption only exists if the size of the key is as large as the number of bits to be enciphered.

81/89

Security of block ciphers Unconditional Security (Shannon)

(2) •Perfect secrecy is possible only if no

more than K /N plaintexts are enciphered using a fixed key (e.g. the one-time pad).

•Not a useful model for practical block ciphers.

82/89

Security of block ciphers Security Against a Polynomial Attack

(1) •It is assumed that the adversary is a

probabilistic algorithm, which runs in polynomial time.

•Security is claimed with respect to the feasibility of breaking the cryptosystem.

•The origin of the model is in complexity theory considerations: adversaries are assumed to possess only polynomial computational resources - polynomial in the size of the input to the cipher in bits.

83/89

Security of block ciphers Security Against a Polynomial Attack

(2) •The model typically conducts worst-case

and asymptotic analyses to determine whether polynomial attacks on a cipher exist.

•Even if such attacks do exist, it is not guaranteed that they are practical.

84/89

Security of block ciphers “Provable” Security (1)

•Tries to show that breaking a block cipher is as difficult as solving some well known hard problem (e.g. discrete log or factoring).

•The problem: there is a fundamental open question in computer science as to whether these hard problems are in P or in NP.

85/89

Security of block ciphers “Provable” Security (2)

•In fact, provable security requires a proof that P NP, and the existence of one-way functions.

•This is an asymptotic complexity measure - one is assessing the level of complexity as the input size, in bits, tends to infinity.

•Very useful for practical analysis of the cipher.

86/89

Security of block ciphers

“Provable” Security (3)•A block cipher may be shown to be

provably secure against a known subclass of attacks.

•Example: provable security against linear and differential cryptanalysis.

•This does not mean that the cipher is secure against all attacks.

87/89

Security of block ciphers Practical Security

•A block cipher is considered practically secure if the best known attack against it requires too much resources.

•A very practical model: it is possible to test the cipher with different known attacks, and then give an assessment of its strength against such attacks in terms of time/space resources needed.

•The model says nothing about the security level with respect to yet unknown attacks.

88/89

Security of block ciphers Historical Security

•Tries to assess the security level of a block cipher according to how much cryptanalytic attention the cipher has attracted over the years.

•If a cipher has been under scrutiny for many years without any serious security flaws found in it, that inspires a certain confidence in the cipher.

•Drawback: the effort spent on breaking a cipher cannot always be measured reliably from the time passed.

89/89