Chapter 3: Block Ciphers and the Advanced Encryption Standard

Upload: chione

Post on 11-Jan-2016


DESCRIPTION

Chapter 3. Block Ciphers and the Advanced Encryption Standard. Outline. 3.1 Introduction 3.2 Substitution-Permutation Networks 3.3 Linear cryptanalysis 3.4 Differential cryptanalysis 3.5 The Data Encryption Standard 3.6 The Advanced Encryption Standard 3.7 Modes of Operation. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Chapter 3

Chapter 3

Block Ciphers and the Advanced Encryption Standard

Page 2: Chapter 3

Outline

3.1 Introduction
3.2 Substitution-Permutation Networks
3.3 Linear cryptanalysis
3.4 Differential cryptanalysis
3.5 The Data Encryption Standard
3.6 The Advanced Encryption Standard
3.7 Modes of Operation

Page 3: Chapter 3

3.5 The Data Encryption Standard

DES was developed at IBM, as a modification of an earlier system known as Lucifer.

DES was first published in the Federal Register of March 17, 1975.

DES was adopted as a standard for “unclassified” applications on January 15, 1977.

Page 4: Chapter 3

The Data Encryption Standard

3.5.1 Description of DES

DES is a special type of iterated cipher called a Feistel cipher. In a Feistel cipher, each state $u_i$ is divided into two halves of equal length, say $L_i$ and $R_i$. Round function $g$: $g(L_{i-1}, R_{i-1}, K_i) = (L_i, R_i)$, where

$L_i = R_{i-1}$,
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$.

Invertible:

$R_{i-1} = L_i$,
$L_{i-1} = R_i \oplus f(L_i, K_i)$.

Page 5: Chapter 3

Overview of DES (figure): Plaintext → IP → (L0, R0); then 16 rounds, round i applying f with round key Ki: L1 = R0, R1 = L0 xor f(R0, K1); L2 = R1, R2 = L1 xor f(R1, K2); …; L15 = R14, R15 = L14 xor f(R14, K15); L16 = R15, R16 = L15 xor f(R15, K16); then IP^-1 → Ciphertext. "One round" is the box computing (Li, Ri) from (Li-1, Ri-1).

Page 6: Chapter 3

The Data Encryption Standard

Initial permutation IP: IP(x) = L0R0.

Inverse permutation IP^-1: y = IP^-1(R16L16). Note L16 and R16 are swapped before IP^-1 is applied.

Each Li and Ri is 32 bits in length. The function

$f: \{0,1\}^{32} \times \{0,1\}^{48} \to \{0,1\}^{32}$

takes as input a 32-bit string (the right half of the current state) and a round key.

Key schedule (K1,K2,…,K16) consists of 48-bit round keys that are derived from the 56-bit key, K.

Page 7: Chapter 3

The Data Encryption Standard

Suppose we denote the first argument of the f function (Figure 3.7) by A, and the second argument by J.

A is expanded to 48 bits according to a fixed expansion function E.

Compute $E(A) \oplus J$ and write the result as the concatenation of eight 6-bit strings B=B1B2B3B4B5B6B7B8.

The next step uses eight S-boxes (S1,…,S8), $S_i: \{0,1\}^6 \to \{0,1\}^4$. Given a bitstring of length 6, Bj=b1b2b3b4b5b6, b1b6 determine the row r of Sj, and b2b3b4b5 determine the column c of Sj. We compute Cj=Sj(Bj).

The bitstring C=C1C2C3C4C5C6C7C8 is permuted according to the permutation P. Then f(A,J)=P(C).

Page 8: Chapter 3

Figure 3.7 The DES f function (figure): A → E → E(A), which is xored with J to give B1 B2 B3 B4 B5 B6 B7 B8; each Bj goes through S-box Sj giving C1 C2 C3 C4 C5 C6 C7 C8; then P → f(A,J).

Page 9: Chapter 3

S-boxes (rows 0–3, columns 0–15)

S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8

13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1

13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7

1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15

13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4

3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

Example 3.4

Page 10: Chapter 3

S-boxes (continued)

S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11

10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8

9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6

4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1

13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6

1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2

6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7

1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2

7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8

2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Page 11: Chapter 3

The Data Encryption Standard

Example 3.4: We show how to compute an output of S-box S1 with input 101000.

b1b6 = 10, which is 2; b2b3b4b5 = 1000, which is 4. The output is the entry in row 2 and column 4 of S1.

Note: rows are numbered 0,1,2,3 and columns are numbered 0,1,2,…,15.

So the output is 13, which is 1101 in binary.

Page 12: Chapter 3

The Data Encryption Standard

The expansion function E is specified by the following table:

If A=(a1,a2,…,a32) then

E(A)=(a32,a1,a2,a3,a4,a5,a4,…,a31,a32,a1).

E bit-selection table

32 1 2 3 4 5

4 5 6 7 8 9

8 9 10 11 12 13

12 13 14 15 16 17

16 17 18 19 20 21

20 21 22 23 24 25

24 25 26 27 28 29

28 29 30 31 32 1

Page 13: Chapter 3

The Data Encryption Standard

The permutation P is as follows:

If C=(c1,c2,…,c32) then

P(C)=(c16,c7,c20,c21,c29,…,c11,c4,c25).

P

16 7 20 21

29 12 28 17

1 15 23 26

5 18 31 10

2 8 24 14

32 27 3 9

19 13 30 6

22 11 4 25

Page 14: Chapter 3

The Data Encryption Standard

Key scheduling:

Page 15: Chapter 3

The Data Encryption Standard

Page 16: Chapter 3

The Data Encryption Standard

3.5.2 Analysis of DES

The S-boxes, being the non-linear components of the cryptosystem, are vital to its security. DES was designed to make differential cryptanalysis infeasible. Differential cryptanalysis was known to IBM when they designed DES, but it was kept secret for almost 20 years until Biham and Shamir invented the technique in the early 1990's.

The most pertinent criticism of DES is that the size of the keyspace, $2^{56}$, is too small.

Page 17: Chapter 3

The Data Encryption Standard

Many people have tried to design special-purpose machines to do exhaustive key search.

Ex: the “DES Cracker” contained 1536 chips and could search 88 billion keys per second. It won RSA Laboratory's “DES Challenge II-2” by successfully finding a DES key in 56 hours.

Other than exhaustive key search, differential cryptanalysis and linear cryptanalysis are the most important attacks (the linear attack is more efficient).

In 1994, Matsui implemented the attack using $2^{43}$ plaintext-ciphertext pairs encrypted under the same key. It took 40 days to generate the pairs and 10 days to find the key.

DES is still theoretically secure against this attack because of the extremely large number of pairs required; it is infeasible for an adversary to collect that many pairs.

Page 18: Chapter 3

3.6 The Advanced Encryption Standard

On January 2, 1997, NIST began the process of choosing a replacement for DES, to be called the Advanced Encryption Standard, or AES.

It was required that the AES have a block length of 128 bits and support key lengths of 128, 192, and 256 bits.

Several AES candidate conferences were held. On Oct. 2, 2000, Rijndael was selected.

Three main criteria: security, cost, and algorithm and implementation characteristics.

Page 19: Chapter 3

The Advanced Encryption Standard

3.6.1 Description of AES

Block length: 128 bits (Nb=4), 192 bits (Nb=6), 256 bits (Nb=8)

Key length: 128 bits (Nk=4), 192 bits (Nk=6), 256 bits (Nk=8)

Number of rounds Nr:

State (figure): a 4-row array of bytes Si,j with Nb columns, shown here for Nb=8:

S0,0 S0,1 S0,2 S0,3 S0,4 S0,5 S0,6 S0,7
S1,0 S1,1 S1,2 S1,3 S1,4 S1,5 S1,6 S1,7
S2,0 S2,1 S2,2 S2,3 S2,4 S2,5 S2,6 S2,7
S3,0 S3,1 S3,2 S3,3 S3,4 S3,5 S3,6 S3,7

Page 20: Chapter 3

The Advanced Encryption Standard

Overview of AES: ADDROUNDKEY, which xors the RoundKey with State. For each of the first Nr-1 rounds: perform SUBBYTES(State), SHIFTROWS(State), MIXCOLUMNS(State), ADDROUNDKEY. Final round: SUBBYTES, SHIFTROWS, ADDROUNDKEY. All operations in AES are byte-oriented.

The plaintext x consists of 16 bytes, x0,x1,…,x15. Initially State is the plaintext x (for the 128-bit case), filled column by column:

S0,0 S0,1 S0,2 S0,3      x0 x4 x8  x12
S1,0 S1,1 S1,2 S1,3  =   x1 x5 x9  x13
S2,0 S2,1 S2,2 S2,3      x2 x6 x10 x14
S3,0 S3,1 S3,2 S3,3      x3 x7 x11 x15

Page 21: Chapter 3

The Advanced Encryption Standard

SUBBYTES: It performs a substitution on each byte of State using an S-box, say $\pi_S$. $\pi_S$ is a 16x16 array (Figure 3.8). A byte is represented as two hexadecimal digits XY. So XY after substitution is $\pi_S(XY)$.

Page 22: Chapter 3

Figure 3.8 The AES S-box (row X, column Y)

X\Y  0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

0   63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1   CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2   B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3   04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4   09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5   53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6   D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7   51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8   CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9   60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A   E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B   E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C   BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D   70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E   E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F   8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16

Example 3.5

Page 23: Chapter 3

The Advanced Encryption Standard

The AES S-box can be defined algebraically. The permutation $\pi_S$ incorporates operations in the finite field

$\mathbb{F}_{2^8} = \mathbb{Z}_2[x]/(x^8 + x^4 + x^3 + x + 1)$.

FIELDINV: the multiplicative inverse of a field element.

BINARYTOFIELD: convert a byte to a field element. FIELDTOBINARY: the inverse operation.

The field element $\sum_{i=0}^{7} a_i x^i$ corresponds to the byte $a_7a_6a_5a_4a_3a_2a_1a_0$.

Page 24: Chapter 3

The Advanced Encryption Standard

Algorithm 3.4: SUBBYTES(a7a6a5a4a3a2a1a0)

external FIELDINV, BINARYTOFIELD, FIELDTOBINARY
z ← BINARYTOFIELD(a7a6a5a4a3a2a1a0)
if z ≠ 0 then z ← FIELDINV(z)
(a7a6a5a4a3a2a1a0) ← FIELDTOBINARY(z)
(c7c6c5c4c3c2c1c0) ← (01100011)
comment: In the following loop, all subscripts are to be reduced modulo 8
for i ← 0 to 7 do
    $b_i \leftarrow (a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i) \bmod 2$
return (b7b6b5b4b3b2b1b0)

Page 25: Chapter 3

The Advanced Encryption Standard

Example 3.5 (illustrates Algorithm 3.4): Suppose we begin with (hex) 53. In binary, it's 01010011, which represents the field element

$x^6 + x^4 + x + 1$.

The multiplicative inverse (in $\mathbb{F}_{2^8}$) can be shown to be

$x^7 + x^6 + x^3 + x$.

Thus we have

$(a_7a_6a_5a_4a_3a_2a_1a_0) = (11001010)$.

Page 26: Chapter 3

The Advanced Encryption Standard

Then

$b_0 = (a_0 + a_4 + a_5 + a_6 + a_7 + c_0) \bmod 2 = (0 + 0 + 0 + 1 + 1 + 1) \bmod 2 = 1$,

$b_1 = (a_1 + a_5 + a_6 + a_7 + a_0 + c_1) \bmod 2 = (1 + 0 + 1 + 1 + 0 + 1) \bmod 2 = 0$,

etc. The result is

$(b_7b_6b_5b_4b_3b_2b_1b_0) = (11101101)$,

which is ED in hex. This computation can be checked by verifying the entry in row 5 and column 3 of Figure 3.8.

Page 27: Chapter 3

The Advanced Encryption Standard

SHIFTROWS: Row 0: no shift. Row i: cyclic left shift by Ci positions.

Before:

S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3

After (case Nb=4 or 6, where rows 1, 2, 3 shift by 1, 2, 3):

S0,0 S0,1 S0,2 S0,3
S1,1 S1,2 S1,3 S1,0
S2,2 S2,3 S2,0 S2,1
S3,3 S3,0 S3,1 S3,2

Page 28: Chapter 3

The Advanced Encryption Standard

MIXCOLUMNS (Algorithm 3.5): It is carried out on each of the four columns of State. Each column of State is replaced by a new column which is formed by multiplying that column by a certain matrix of elements of the field $\mathbb{F}_{2^8}$.

FIELDMULT computes the product of its two inputs in the field $\mathbb{F}_{2^8}$.

Note: 2 is $x$ in $\mathbb{F}_{2^8}$ and 3 is $x + 1$ in $\mathbb{F}_{2^8}$.

Page 29: Chapter 3

The Advanced Encryption Standard

Algorithm 3.5: MIXCOLUMN(c)

external FIELDMULT, BINARYTOFIELD, FIELDTOBINARY
for i ← 0 to 3 do ti ← BINARYTOFIELD(si,c)
u0 ← FIELDMULT(x, t0) ⊕ FIELDMULT(x+1, t1) ⊕ t2 ⊕ t3
u1 ← FIELDMULT(x, t1) ⊕ FIELDMULT(x+1, t2) ⊕ t3 ⊕ t0
u2 ← FIELDMULT(x, t2) ⊕ FIELDMULT(x+1, t3) ⊕ t0 ⊕ t1
u3 ← FIELDMULT(x, t3) ⊕ FIELDMULT(x+1, t0) ⊕ t1 ⊕ t2
for i ← 0 to 3 do si,c ← FIELDTOBINARY(ui)
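Algorithm 3.5 carried out in code, as an added example that is not part of the slides: since the only multipliers are x and x+1, FIELDMULT reduces to a single "multiply by x" step (xtime), and FIELDMULT(x+1, t) is xtime(t) xor t. The inverse column operation at the end is the one decryption needs (page 33); it relies on the fact that the MIXCOLUMNS matrix M satisfies M^4 = I. Function names are my own.

```python
def xtime(t):
    """FIELDMULT(x, t): multiply a byte by x in GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    t <<= 1
    return (t ^ 0x1B) & 0xFF if t & 0x100 else t

def mix_column(col):
    """Algorithm 3.5 on one column (t0..t3) -> (u0..u3); FIELDMULT(x+1, t) = xtime(t) ^ t."""
    t0, t1, t2, t3 = col
    u0 = xtime(t0) ^ xtime(t1) ^ t1 ^ t2 ^ t3
    u1 = xtime(t1) ^ xtime(t2) ^ t2 ^ t3 ^ t0
    u2 = xtime(t2) ^ xtime(t3) ^ t3 ^ t0 ^ t1
    u3 = xtime(t3) ^ xtime(t0) ^ t0 ^ t1 ^ t2
    return [u0, u1, u2, u3]

def mix_columns(state):
    """MIXCOLUMNS on a 4x4 State given as rows state[i][c]; returns the new State."""
    new_cols = [mix_column([state[i][c] for i in range(4)]) for c in range(4)]
    return [[new_cols[c][i] for c in range(4)] for i in range(4)]

def inv_mix_column(col):
    """Inverse used in decryption: M^4 = I over GF(2^8), so M^-1 = M^3, i.e.
    applying the forward transform three times undoes one application."""
    for _ in range(3):
        col = mix_column(col)
    return col
```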

Page 30: Chapter 3

The Advanced Encryption Standard

KEYEXPANSION (for 10-round AES): 10 rounds, 128-bit key. We need 11 round keys, each of 16 bytes. The key scheduling algorithm is word-oriented (a word is 4 bytes), so a round key consists of 4 words. The concatenation of the round keys is called the expanded key, which consists of 44 words, w[0], w[1],…, w[43].

See Algorithm 3.6.

Page 31: Chapter 3

The Advanced Encryption Standard

Notations of Algorithm 3.6:

Input: 128-bit key, key, as bytes key[0],…,key[15]. Output: the words w.

ROTWORD: a cyclic shift of four bytes B0,B1,B2,B3: ROTWORD(B0,B1,B2,B3) = (B1,B2,B3,B0).

SUBWORD: applies the S-box to each byte: SUBWORD(B0,B1,B2,B3) = (B0',B1',B2',B3') where Bi' = SUBBYTES(Bi).

RCon: an array of 10 words, RCon[1],…,RCon[10]; they are constants defined at the beginning of the algorithm.

Page 32: Chapter 3

Algorithm 3.6: KEYEXPANSION(key)

external ROTWORD, SUBWORD
RCon[1] ← 01000000
RCon[2] ← 02000000
RCon[3] ← 04000000
RCon[4] ← 08000000
RCon[5] ← 10000000
RCon[6] ← 20000000
RCon[7] ← 40000000
RCon[8] ← 80000000
RCon[9] ← 1B000000
RCon[10] ← 36000000
for i ← 0 to 3 do w[i] ← (key[4i], key[4i+1], key[4i+2], key[4i+3])
for i ← 4 to 43 do
    temp ← w[i-1]
    if i ≡ 0 (mod 4) then temp ← SUBWORD(ROTWORD(temp)) ⊕ RCon[i/4]
    w[i] ← w[i-4] ⊕ temp
return (w[0],…,w[43])
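The two algorithms above run together, as an added example that is not part of the slides: the S-box is generated from Algorithm 3.4 (field inverse in $\mathbb{F}_{2^8}$, then the affine step with c = 01100011), which reproduces Figure 3.8 and Example 3.5, and Algorithm 3.6 then uses that S-box through SUBWORD and ROTWORD. Function names and the brute-force FIELDINV are my own choices.

```python
def gf_mul(a, b):
    """FIELDMULT: product of two bytes in GF(2^8) = Z2[x]/(x^8+x^4+x^3+x+1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1   # a := a*x, reduced
        b >>= 1
    return r

def gf_inv(a):
    """FIELDINV; 0 stays 0 because Algorithm 3.4 only inverts when z != 0."""
    return 0 if a == 0 else next(b for b in range(1, 256) if gf_mul(a, b) == 1)

def sub_byte(a):
    """Algorithm 3.4: invert, then b_i = a_i+a_{i+4}+a_{i+5}+a_{i+6}+a_{i+7}+c_i (mod 2),
    subscripts reduced mod 8, with (c7..c0) = 01100011 = 0x63."""
    z, c, out = gf_inv(a), 0x63, 0
    for i in range(8):
        bit = (z >> i) ^ (c >> i)
        for k in (4, 5, 6, 7):
            bit ^= z >> ((i + k) % 8)
        out |= (bit & 1) << i
    return out

SBOX = [sub_byte(v) for v in range(256)]        # the 256 entries of Figure 3.8

# RCon[i] as a word is (rc, 00, 00, 00); only the first byte is non-zero.
RCON = [None, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def rot_word(w):
    return w[1:] + w[:1]                          # (B0,B1,B2,B3) -> (B1,B2,B3,B0)

def sub_word(w):
    return [SBOX[b] for b in w]                   # S-box on each byte

def key_expansion(key):
    """Algorithm 3.6 for a 16-byte key: returns the 44 words w[0..43] as 4-byte lists."""
    assert len(key) == 16
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_word(rot_word(temp))
            temp[0] ^= RCON[i // 4]               # xor with RCon[i/4]
        w.append([x ^ y for x, y in zip(w[i - 4], temp)])
    return w
```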

Page 33: Chapter 3

The Advanced Encryption Standard

Above are the operations needed to encrypt in AES.

To decrypt, we perform all operations and the key schedule in reverse order.

Each of the operations SHIFTROWS, SUBBYTES, MIXCOLUMNS must be replaced by its inverse operation.

ADDROUNDKEY is its own inverse.

Page 34: Chapter 3

The Advanced Encryption Standard

3.6.2 Analysis of AES

AES is secure against all known attacks. Various aspects of the design incorporate specific features to resist specific attacks.

Ex1: Finite field inversion in the S-box yields linear approximation and difference distribution tables close to uniform.

Ex2: MIXCOLUMNS makes it impossible to find differential and linear attacks that involve “few” active S-boxes (wide trail strategy).

Page 35: Chapter 3

3.7 Modes of Operation

Four modes of operation for DES:

Electronic codebook mode (ECB mode)
Cipher feedback mode (CFB mode)
Cipher block chaining mode (CBC mode)
Output feedback mode (OFB mode)

ECB mode corresponds to the naive use of a block cipher: a sequence x1,x2,… of 64-bit plaintext blocks is encrypted with the same key K, producing a string of ciphertext blocks, y1,y2,…

Page 36: Chapter 3

Modes of Operation

CBC mode: initialization vector IV and y0 = IV;

$y_i = e_K(y_{i-1} \oplus x_i)$ for $i \ge 1$.

Figure 3.9 CBC mode (figure): encryption: IV=y0, y1 = eK(x1 xor y0), y2 = eK(x2 xor y1), …; decryption: x1 = dK(y1) xor y0, x2 = dK(y2) xor y1, ….

Page 37: Chapter 3

Modes of Operation

OFB mode: a synchronous stream cipher (cf. section 1.1.7). z0 = IV, then keystream z1z2…

encryption:

$z_i = e_K(z_{i-1})$ for $i \ge 1$,

$y_i = x_i \oplus z_i$ for $i \ge 1$.

(Figure: OFB mode. Encryption: IV=z0 → eK → z1, y1 = x1 xor z1; → eK → z2, y2 = x2 xor z2. Decryption regenerates the same keystream with eK and computes x1 = y1 xor z1, x2 = y2 xor z2.)

Page 38: Chapter 3

Modes of Operation

CFB mode: y0 = IV.

keystream: $z_i = e_K(y_{i-1})$ for $i \ge 1$.

encryption: $y_i = x_i \oplus z_i$ for $i \ge 1$.

Figure 3.10 CFB mode (figure): encryption: IV=y0 → eK → z1, y1 = x1 xor z1; y1 → eK → z2, y2 = x2 xor z2. Decryption: z1 = eK(y0), x1 = y1 xor z1; z2 = eK(y1), x2 = y2 xor z2.

Page 39: Chapter 3

Modes of Operation

Some properties: In ECB and OFB modes, changing one 64-bit plaintext block, xi, causes the corresponding ciphertext block, yi, to be altered, but other ciphertext blocks are not affected.

This is useful in some cases, such as communicating on an unreliable channel.

In CBC and CFB modes, if a plaintext block xi is changed, then yi and all subsequent ciphertext blocks will be affected.

These modes can be used to produce a message authentication code (MAC). (See Chap 4.)
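The four modes written as the recurrences of section 3.7, plus a check of the propagation property just stated, as an added example that is not part of the slides. e_k below is a stand-in 64-bit block permutation (xor with the key, then a byte rotation) so the chaining can be run without DES; the key, IV and plaintext blocks are constructed sample values, and the names are my own.

```python
def e_k(key, block):
    """Stand-in for e_K on 64-bit blocks: a keyed permutation, which is all the
    chaining modes rely on. A placeholder, not DES or AES."""
    t = bytes(a ^ b for a, b in zip(block, key))
    return t[3:] + t[:3]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, iv, blocks):            # y_i = e_K(x_i); iv is unused
    return [e_k(key, x) for x in blocks]

def cbc_encrypt(key, iv, blocks):            # y_0 = IV, y_i = e_K(y_{i-1} xor x_i)
    ys, prev = [], iv
    for x in blocks:
        prev = e_k(key, xor(prev, x))
        ys.append(prev)
    return ys

def ofb_encrypt(key, iv, blocks):            # z_0 = IV, z_i = e_K(z_{i-1}), y_i = x_i xor z_i
    ys, z = [], iv
    for x in blocks:
        z = e_k(key, z)
        ys.append(xor(x, z))
    return ys

def cfb_encrypt(key, iv, blocks):            # y_0 = IV, z_i = e_K(y_{i-1}), y_i = x_i xor z_i
    ys, prev = [], iv
    for x in blocks:
        prev = xor(x, e_k(key, prev))
        ys.append(prev)
    return ys

def changed_blocks(mode, key, iv, blocks, i):
    """Flip one bit of plaintext block i; return the indices of ciphertext blocks that change."""
    ref = mode(key, iv, blocks)
    alt = list(blocks)
    alt[i] = bytes([alt[i][0] ^ 0x01]) + alt[i][1:]
    out = mode(key, iv, alt)
    return [k for k in range(len(blocks)) if out[k] != ref[k]]

# Constructed sample input: an 8-byte key, a zero IV and four 64-bit plaintext blocks.
KEY = b"k3y-k3y!"
IV = bytes(8)
BLOCKS = [bytes([v] * 8) for v in (0x11, 0x22, 0x33, 0x44)]
```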