
Secret-Key Ciphers

ECE 646 – Lecture 7

Data Encryption Standard (DES)

NBS public request for a standard cryptographic algorithm

May 15, 1973, August 27, 1974

The algorithm must be:

• secure
• public
  - completely specified
  - easy to understand
  - available to all users
• economic and efficient in hardware
• able to be validated
• exportable

Secret agreement between IBM & NSA, 1974

Obligations of IBM:

• Algorithm developed in secret by IBM
• NSA reserved a right to monitor the development and propose changes
• No software implementations, just hardware chips
• IBM not allowed to ship implementations to certain countries
• License required to ship to carefully selected customers in approved countries

Obligations of NSA:

• seal of approval

DES - chronicle of events

1973 - NBS issues a public request for proposals for a standard cryptographic algorithm
1975 - first publication of IBM's algorithm and request for comments
1976 - NBS organizes two workshops to evaluate the algorithm
1977 - official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 - recertification of the algorithm for another five years
1993 - software implementations allowed to be validated

Controversies surrounding DES

• Unknown design criteria: differential cryptanalysis was reinvented in the open literature and most of the criteria were reconstructed from analysis of the cipher (1990)
• Too short key: theoretical designs of DES breaking machines were followed by a practical DES cracker (1998)
• Slow in software: at first only hardware implementations were certified; software, firmware and hardware treated equally since 1993

Life of DES

American standards, on a timeline from 1980 to 2030:
• DES - 56-bit key, standard from 1977
• Triple DES - 112- and 168-bit keys from 1999, later 168-bit only
• AES - Rijndael - 128, 192, and 256-bit keys, standard from 2002 (after the AES contest)

Other popular algorithms: IDEA, Blowfish, RC5, CAST, Twofish, RC6, Mars, Serpent

DES - external look

plaintext block (64 bits) → DES → ciphertext block (64 bits)
key: 56 bits

Typical Flow Diagram of a Secret-Key Block Cipher

    Initial transformation (Round Key[0])
    i := 1
    repeat:
        Cipher Round (Round Key[i])
        i := i + 1
    until all #rounds rounds are done (loop test: i < #rounds?)
    Final transformation (Round Key[#rounds+1])

DES – high-level internal structure

Classical Feistel Network

plaintext = L0 R0
for i = 1 to n {
    Li = Ri-1
    Ri = Li-1 ⊕ f(Ri-1, Ki)
}
Ln+1 = Rn
Rn+1 = Ln
ciphertext = Ln+1 Rn+1

One round, from (Ln, Rn) to (Ln+1, Rn+1): Ln+1 = Rn, Rn+1 = Ln ⊕ f(Rn, Kn+1)

DES Main Loop (Feistel Structure)

IP → L0 R0 → [f, K1] → L1 R1 → [f, K2] → L2 R2 → … → L15 R15 → [f, K16] → R16 L16 → IP-1

The halves are swapped after the last round (the output is R16 L16, not L16 R16); this final swap is what makes decryption the same circuit with the round keys taken in reverse order.
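The network above written out as running code. This is an added example, not code from the lecture: the 64-bit block and 16 rounds follow DES, but the round function f and the key schedule are hash-based stand-ins (assumptions, labelled in the comments), and IP/IP-1 are omitted. It demonstrates the two points the slides make, that the same loop with the round keys reversed decrypts and that f is never inverted, and it measures the avalanche property from the design-criteria slide later in the lecture.

```python
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def toy_f(right, round_key):
    """Stand-in for the DES mangler function F (assumption: a hash replaces
    DES's expansion, S-boxes and permutation). Maps a 32-bit half and a
    32-bit round key to 32 bits; it is never inverted anywhere below."""
    data = right.to_bytes(4, "big") + round_key.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def round_keys(master_key, rounds=16):
    """Toy key schedule (assumption, not DES's PC1/PC2/SHIFT schedule):
    K_i = first 32 bits of SHA-256(master_key || i), i = 1..rounds."""
    return [int.from_bytes(hashlib.sha256(master_key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def feistel(block, keys, f=toy_f):
    """The classical Feistel network from the slide on a 64-bit block:
         L_i = R_{i-1}
         R_i = L_{i-1} xor f(R_{i-1}, K_i)      for i = 1..n
       followed by the final swap L_{n+1} = R_n, R_{n+1} = L_n.
       IP and IP^-1 are omitted: fixed bit permutations do not change the argument."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in keys:
        left, right = right, left ^ f(right, k)
    return (right << HALF_BITS) | left


def encrypt(block, master_key):
    return feistel(block, round_keys(master_key))


def decrypt(block, master_key):
    """Decryption is the same network with the round keys in reverse order
    (K_n first, K_1 last); f itself is never inverted."""
    return feistel(block, round_keys(master_key)[::-1])


def avalanche_ratio(master_key, trials=200):
    """Avalanche criterion: fraction of ciphertext bits that change when a single
    plaintext bit is flipped, averaged over plaintexts derived deterministically
    from a counter (constructed input)."""
    keys = round_keys(master_key)
    flipped = 0
    for t in range(trials):
        m = int.from_bytes(hashlib.sha256(b"plaintext" + t.to_bytes(2, "big")).digest()[:8], "big")
        m_prime = m ^ (1 << (t % 64))      # flip one bit, cycling through all 64 positions
        flipped += bin(feistel(m, keys) ^ feistel(m_prime, keys)).count("1")
    return flipped / (trials * 64)


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"     # constructed 64-bit master key
    m = 0x0123456789ABCDEF
    c = encrypt(m, key)
    print(f"c = {c:016x}, decrypt ok = {decrypt(c, key) == m}")
    print(f"avalanche ratio = {avalanche_ratio(key):.3f}")
```

Because half of the block passes through each round untouched, a single round is far from complete; the avalanche ratio only approaches one half after several rounds, which is why a Feistel cipher needs its round count.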

Feistel Structure: Encryption and Decryption

Encryption round: given (Ln, Rn) and Kn+1,
    Ln+1 = Rn
    Rn+1 = Ln ⊕ f(Rn, Kn+1)

Decryption round: given (Ln+1, Rn+1) and the same Kn+1,
    Rn = Ln+1
    Ln = Rn+1 ⊕ f(Ln+1, Kn+1) = Rn+1 ⊕ f(Rn, Kn+1)

The same f with the same round key undoes the round, so f does not need to be invertible.

Encryption:
IP → L0 R0 → [f, K1] → L1 R1 → [f, K2] → L2 R2 → … → L15 R15 → [f, K16] → R16 L16 → IP-1

Decryption (the same network, round keys in reverse order):
IP → R16 L16 → [f, K16] → R15 L15 → [f, K15] → R14 L14 → … → R1 L1 → [f, K1] → L0 R0 → IP-1

Mangler Function of DES, F

Notation for Permutations

Input:   i1  i2  i3  i4  i5  i6  i7  i8  i9  i10  …  i56  i57  i58  i59  i60  i61  i62  i63  i64
Table:   58  50  42  34  26  18  10   2            …    5   63   55   47   39   31   23   15    7
Output:  i58 i50 i42 i34 i26 i18 i10 i2            …   i5  i63  i55  i47  i39  i31  i23  i15   i7

The k-th entry of the table gives the index of the input bit that becomes output bit k (the entries shown are those of the DES initial permutation IP).

Notation for S-boxes

Input:  i1 i2 i3 i4 i5 i6 (6 bits)
Output: o1 o2 o3 o4 (4 bits)

i1 i6 determine the row number in the S-box table, 0..3
i2 i3 i4 i5 determine the column in the S-box table, 0..15
o1 o2 o3 o4 is the binary representation of the number 0..15 found in the given row and the given column

General design criteria of DES

1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: the encryption function is non-affine for any value of the key
5. Correlation immunity: output bits are statistically independent of any subset of input bits

Completeness property

Every output bit is a complex function of all input bits (and not just a subset of input bits).

Formal requirement:

For all values of i and j, i = 1..64, j = 1..64, there exist inputs X1 and X2 that differ only in bit i,

    X1 = x1 x2 x3 … xi-1 0 xi+1 … x63 x64
    X2 = x1 x2 x3 … xi-1 1 xi+1 … x63 x64

such that the outputs Y1 = DES(X1) = y1 y2 … y64 and Y2 = DES(X2) = y1' y2' … y64' differ in bit j (yj ≠ yj'); the other output bits may or may not change.

Linear Transformations

Transformations that fulfill the condition:

    T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1]

or, equivalently,

    T(X1 ⊕ X2) = T(X1) ⊕ T(X2)

Affine Transformations

Transformations that fulfill the condition:

    T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1] ⊕ B[n×1]

Linear Transformations of DES

IP, IP-1, E, PC1, PC2, SHIFT

e.g., IP(X1 ⊕ X2) = IP(X1) ⊕ IP(X2)

Non-Linear and non-affine transformations of DES

S (the S-boxes)

There are no matrices A[4×6] and B[4×1] such that

    S(X[6×1]) = A[4×6] × X[6×1] ⊕ B[4×1]

Design of S-boxes

Each row of an S-box is a table S[0..15] with out = S[in]:

• 16! ≈ 2 × 10^13 possibilities per row
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (an attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir)
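Added example, not from the slides: the permutation and S-box notation of the two earlier slides applied to the DES initial permutation IP and to S-box S1, both copied from FIPS PUB 46, together with an exhaustive check that S1 is neither linear nor affine (the claim made above about S) and a spot check that IP respects xor.

```python
# Tables from FIPS PUB 46: the initial permutation IP and S-box S1.
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def to_bits(x, n):
    """Bit i1 is the most significant bit, matching the slide's i1 i2 ... in notation."""
    return [(x >> (n - 1 - k)) & 1 for k in range(n)]


def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def permute(x, table, n):
    """Output bit k is input bit table[k] (1-indexed): output = i_table[1] i_table[2] ..."""
    bits = to_bits(x, n)
    return from_bits([bits[t - 1] for t in table])


def sbox(table, six_bits):
    """i1 i6 select the row (0..3), i2 i3 i4 i5 the column (0..15)."""
    i = to_bits(six_bits, 6)
    row = (i[0] << 1) | i[5]
    col = from_bits(i[1:5])
    return table[row][col]


def is_linear(func, n_in):
    """T(X1 xor X2) == T(X1) xor T(X2) for every pair of inputs (exhaustive)."""
    size = 1 << n_in
    return all(func(x ^ y) == func(x) ^ func(y) for x in range(size) for y in range(size))


def is_affine(func, n_in):
    """T is affine (A*X xor B) exactly when X -> T(X) xor T(0) is linear."""
    b = func(0)
    return is_linear(lambda x: func(x) ^ b, n_in)


def ip_respects_xor(x, y):
    """Spot check of the slide's claim IP(X1 xor X2) = IP(X1) xor IP(X2)."""
    return permute(x ^ y, IP, 64) == permute(x, IP, 64) ^ permute(y, IP, 64)


def s1(x):
    return sbox(S1, x)


if __name__ == "__main__":
    print("S1(011011) =", s1(0b011011))            # FIPS 46 worked example
    print("S1 linear:", is_linear(s1, 6), "affine:", is_affine(s1, 6))
    print("IP respects xor:", ip_respects_xor(0x0123456789ABCDEF, 0xFEDCBA9876543210))
```

The affine test is only 2^12 evaluations for a 6-bit input, so the non-affinity of every DES S-box can be verified exhaustively; the same test cannot be run on the full 64-bit permutations, which is why IP is only spot-checked.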

Theoretical design of a specialized machine to break DES

Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attack
Basic component: specialized integrated circuit in CMOS technology, 75 MHz
Checks: 200 mln keys per second
Costs: $10 per chip

Total cost     Estimated time
$1 mln         35 minutes
$100,000       6 hours

DES breaking machine (block diagram)

A key counter feeds candidate keys into a pipeline of Key Scheduling Rounds 1..16, which produce round keys 1..16 for a matching pipeline of Encryption Rounds 1..16 that encrypts the known plaintext; a comparator checks each result against the known ciphertext.

Deep Crack

Electronic Frontier Foundation, 1998
1800 ASIC chips, 40 MHz clock
Total cost: $220,000
Average time of search: 4.5 days/key

Deep Crack parameters

Number of ASIC chips               1800
Number of search units per ASIC    24
Clock frequency                    40 MHz
Number of clock cycles per key     16
Search speed                       90 bln keys/s
Average time to recover the key    4.5 days

COPACOBANA - Cost-Optimized Parallel COde Breaker

Ruhr University, Bochum, University of Kiel, Germany, 2006
Cost: € 8980 (ver. 1)

• Based on Xilinx FPGAs (Field Programmable Gate Arrays)
• ver. 1 – based on 120 Spartan 3 FPGAs
• ver. 2 – based on 128 Virtex 4 SX 35 FPGAs
• Description, FAQ, and news available at http://www.copacobana.org/
• For ver. 1 based on Spartan FPGAs: clock frequency = 136 MHz; average search time for a single DES key = 6.4 days; worst case search time for a single DES key = 12.8 days


Secure key length today and in 20 years
(against an intelligence agency with the budget of $300M)

key length
 56 bits   DES
 80 bits   Skipjack
 93 bits   secure key length in 2017
 99 bits   secure key length in 2026
112 bits   Triple DES with three different keys
128 bits   IDEA, minimum key length in AES

Secure key length - discussion

• increasing key length in a newly developed cipher costs NOTHING
• increasing the effective key length of an existing cipher has a limited influence on the efficiency of implementation (Triple DES)

It is economical to use THE SAME secure key length FOR ALL applications.

The primary barriers blocking the use of symmetric ciphers with a secure key length have been of a political nature (e.g., export policy of the USA).

Triple DES EDE mode with two keys

encryption: plaintext → E (K1) → D (K2) → E (K1) → ciphertext, i.e., C = EK1(DK2(EK1(M)))
decryption: ciphertext → D (K1) → E (K2) → D (K1) → plaintext, i.e., M = DK1(EK2(DK1(C)))
each key is 56 bits

Diffie, Hellman, 1977

Triple DES EDE mode with three keys

encryption: plaintext → E (K1) → D (K2) → E (K3) → ciphertext, i.e., C = EK3(DK2(EK1(M)))
decryption: ciphertext → D (K3) → E (K2) → D (K1) → plaintext, i.e., M = DK1(EK2(DK3(C)))
each key is 56 bits

Diffie, Hellman, 1977

Best Attacks Against Triple DES

• Version with two keys (112 bits of key): 2^32 known plaintexts, 2^90 single DES encryptions, and 2^88 memory; effective key size = 2^80
• Version with three keys (168 bits of key): meet-in-the-middle attack, 2^113 steps; effective key size = 2^112

Triple DES

Advantages:
• secure key length (112 or 168 bits)
• increased resistance to linear and differential cryptanalysis compared to DES
• possibility of utilizing existing implementations of DES

Disadvantages:
• relatively slow, especially in software
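Added example, not from the lecture: a meet-in-the-middle attack against double encryption with a toy 16-bit block cipher (an assumed stand-in, not DES). With a 2^16 key space per layer, naive search costs 2^32 trials; the attack tabulates E_K1(M) for every K1 and then tests every K2 with one lookup, about 2 × 2^16 cipher calls plus a table of 2^16 entries. The same idea applied to three-key Triple DES, with the table built over K1 and the search run over (K2, K3), is the 2^112 attack listed above, which is why three 56-bit keys do not buy 168 bits of security.

```python
MASK16 = 0xFFFF


def toy_encrypt(key, block):
    """Tiny stand-in block cipher (assumption: 16-bit key, 16-bit block, not DES):
    xor with the key, rotate left by 5, add the key. Invertible; nothing else is claimed."""
    x = (block ^ key) & MASK16
    x = ((x << 5) | (x >> 11)) & MASK16
    return (x + key) & MASK16


def toy_decrypt(key, block):
    x = (block - key) & MASK16
    x = ((x >> 5) | (x << 11)) & MASK16
    return (x ^ key) & MASK16


def double_encrypt(k1, k2, m):
    """Double encryption C = E_K2(E_K1(M)), the construction the triple variants replace."""
    return toy_encrypt(k2, toy_encrypt(k1, m))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs of double encryption.
    Forward table: E_k1(m1) for every k1 (2^16 entries). Backward pass: D_k2(c1) for
    every k2, looked up in the table. About 2 * 2^16 cipher calls instead of 2^32."""
    (m1, c1), *rest = pairs
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(toy_encrypt(k1, m1), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        middle = toy_decrypt(k2, c1)
        for k1 in forward.get(middle, ()):
            candidates.append((k1, k2))
    # One 16-bit block leaves roughly 2^16 false matches; a second known pair removes them.
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, m) == c for m, c in rest)]


if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                                  # constructed secret keys
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x0001, 0x7E57)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The number of known pairs needed is set by the ratio of key bits to block bits: two layers of 16-bit keys against a 16-bit block need two pairs, just as the two-key and three-key Triple DES attacks above need several known plaintexts before a single key pair survives.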

Advanced Encryption Standard (AES)

Why a new standard?

1. Old standard insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations (Triple DES: in → K1 → K2 → K3 → out)
3. New trends in fast software encryption (use of basic instructions of the microprocessor)
4. New ways of assessing cipher strength (differential cryptanalysis, linear cryptanalysis)

Why a contest?

• Speed-up the acceptance of the standard
• Focus the effort of the cryptographic community (small number of specialists in the open research)
• Stimulate the research on methods of constructing secure ciphers
• Avoid backdoor theories

External format of the AES algorithm

plaintext block (128 bits) → AES → ciphertext block (128 bits)
key: 128, 192, 256 bits

Rules of the contest

Each team submits:
• detailed cipher description
• justification of design decisions
• tentative results of cryptanalysis
• source code in C
• source code in Java
• test vectors

AES Contest Effort

June 1998: 15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica
Round 1: security, software efficiency
August 1999: 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish
Round 2: security, hardware efficiency
October 2000: 1 winner: Rijndael (Belgium)

AES contest - First Round

15 June 1998: deadline for submitting candidates; 21 submissions, 15 fulfilled all requirements
August 1998: 1st AES Conference in Ventura, CA; presentation of candidates
March 1999: 2nd AES Conference in Rome, Italy; review of results of the First Round analysis
August 1999: NIST announces five final candidates

AES: Candidate algorithms

North America (8)
  USA: Mars, RC6, Twofish, Safer+, HPC
  Canada: CAST-256, Deal
  Costa Rica: Frog
Europe (4)
  Belgium: Rijndael
  France: DFC
  Germany: Magenta
  Israel, UK, Norway: Serpent
Asia (2)
  Japan: E2
  Korea: Crypton
Australia (1)
  Australia: LOKI97

AES Finalists (1)

USA

Mars - IBM: C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O'Connor, M. Peyravian, D. Safford, N. Zunic

RC6 - RSA Data Security, Inc.: R. Rivest - MIT; M. Robshaw, R. Sidney, Y. L. Yin - RSA

Twofish - Counterpane Systems: B. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane; D. Whiting - Hi/fn; D. Wagner - Berkeley

AES Finalists (2)

Europe

Rijndael - J. Daemen, V. Rijmen, Katholieke Universiteit Leuven, Belgium

Serpent - R. Anderson, Cambridge, England; E. Biham - Technion, Israel; L. Knudsen, University of Bergen, Norway

How did NIST make the final decision?

BASIC CRITERIA = security, software efficiency, hardware efficiency, flexibility

Security

Security: Theoretical attacks better than exhaustive key search

Cipher                            Rounds attacked / total rounds   Rounds remaining   Fraction attacked
Serpent                            9 / 32                           23                 28%
Twofish                            6 / 16                           10                 38%
Mars (without 16 mixing rounds)   11 / 16                            5                 69%
Rijndael                           7 / 10                            3                 70%
RC6                               15 / 20                            5                 75%

NIST Report: Security

Chart of security margin (High / Adequate) against complexity (Simple / Complex): MARS, Serpent and Twofish were rated as having a high security margin, Rijndael and RC6 an adequate one.

Efficiency - What's more important: software or hardware?

Software or hardware?

SOFTWARE
• security of data during transmission
• flexibility (new cryptoalgorithms, protection against new attacks)
• low cost

HARDWARE
• speed
• random key generation
• access control to keys
• tamper resistance (viruses, internal attacks)

Efficiency indicators

Primary efficiency indicators

Software: speed, memory
Hardware: speed, area (also: memory, power consumption)

Efficiency parameters

Latency: time to encrypt/decrypt a single block of data (Mi → encryption/decryption → Ci)
Throughput: number of bits encrypted/decrypted in a unit of time (Mi, Mi+1, Mi+2 → encryption/decryption → Ci, Ci+1, Ci+2)

Throughput = Block_size · Number_of_blocks_processed_simultaneously / Latency

Efficiency in software: Code submitted by authors

Chart of speed [Mbit/s] on a 200 MHz Pentium Pro, Borland C++, for 128-bit, 192-bit and 256-bit keys; ciphers compared: Serpent, Rijndael, Twofish, RC6, Mars (axis 0 to 30 Mbit/s).

NIST Report: Software Efficiency - Encryption and Decryption Speed

32-bit processors (high → low): RC6; Rijndael, Mars; Twofish; Serpent
64-bit processors (high → low): Rijndael, Twofish; Mars, RC6; Serpent
DSPs (high → low): Rijndael, Twofish; Mars, RC6; Serpent

NIST Report: Software Efficiency - Encryption and decryption speed in software on smart cards

8-bit processors (high → low): Rijndael; RC6, Mars; Twofish; Serpent
32-bit processors (high → low): Rijndael, RC6; Mars; Twofish, Serpent

Efficiency in software

Strong dependence on:

1. Instruction set architecture (e.g., variable rotations)
2. Programming language (assembler, C, Java)
3. Compiler
4. Programming style

Efficiency in hardware

Primary ways of implementing cryptography in hardware

ASIC - Application Specific Integrated Circuit
• designed all the way from behavioral description to physical layout
• designs must be sent for expensive and time consuming fabrication in a semiconductor foundry

FPGA - Field Programmable Gate Array
• no physical layout design; design ends with a bitstream used to configure a device
• bought off the shelf and reconfigured by designers themselves

Which way to go?

ASICs: high performance, low power, low cost (but only in high volumes)
FPGAs: off-the-shelf, short time to market, low development costs, reconfigurability

Efficiency in hardware: FPGA Virtex 1000: Speed

Throughput [Mbit/s] reported by Worcester Polytechnic Institute, University of Southern California and George Mason University for Serpent I8, Rijndael, Twofish, RC6, Mars and Serpent I1 (chart values, in chart order: 431, 444, 414, 353, 294, 177, 173, 104, 149, 62, 143, 112, 88, 102, 61). The highest results, above 400 Mbit/s, are for Serpent I8 and Rijndael.

ASIC implementations: NSA group

Throughput [Mbit/s], 3-in-1 (128, 192, 256 bit) key scheduling vs. 128-bit key scheduling: Rijndael 443 to 606 (the only cipher whose two key-scheduling variants differ noticeably), Twofish 202 / 202, RC6 105 / 105, Mars 103 / 104, Serpent I1 57 / 57

NIST Report + GMU Report: Hardware Efficiency

Chart of speed (High / Medium / Low) against area (Small / Medium / Large) for Rijndael, MARS, Serpent, Twofish and RC6.

Selecting the Winner

Straw Poll @ AES 3 conference
GMU FPGA Results: Rijndael second best in FPGAs, selected as a winner due to much better performance in software

Input, internal state, and output

128 bits = 16 bytes, written into the state column by column:

input bytes: a0,0 a1,0 a2,0 a3,0 | a0,1 a1,1 a2,1 a3,1 | a0,2 a1,2 a2,2 a3,2 | a0,3 a1,3 a2,3 a3,3
             column 0             column 1             column 2             column 3

state:
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3

Order of bytes within input, internal state, and output arrays: input byte number n (n = 0..15) becomes a(n mod 4),(n div 4); the output is read out in the same column-major order.

SubBytes

a0,0 a0,1 a0,2 a0,3        b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   →    b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3        b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3        b3,0 b3,1 b3,2 b3,3

bi,j = S-box(ai,j)

• Bytes are transformed by applying an invertible S-box
• One single S-box for the complete cipher

S-box: substitution values for the byte xy (in hexadecimal notation)

ShiftRows

a b c d        a b c d     no shift
e f g h   →    f g h e     cyclic shift left by C1=1
i j k l        k l i j     cyclic shift left by C2=2
m n o p        p m n o     cyclic shift left by C3=3

MixColumns

a0,0 a0,1 a0,2 a0,3        b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   →    b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3        b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3        b3,0 b3,1 b3,2 b3,3

Each column j is multiplied by a fixed matrix:

[b0,j]   [2 3 1 1] [a0,j]
[b1,j] = [1 2 3 1] [a1,j]
[b2,j]   [1 1 2 3] [a2,j]
[b3,j]   [3 1 1 2] [a3,j]

High diffusion:
• A difference in 1 input byte propagates to all 4 output bytes
• A difference in 2 input bytes propagates to at least 3 output bytes
• Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5)

AddRoundKey

a0,0 a0,1 a0,2 a0,3     k0,0 k0,1 k0,2 k0,3     b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3  +  k1,0 k1,1 k1,2 k1,3  =  b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3     k2,0 k2,1 k2,2 k2,3     b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3     k3,0 k3,1 k3,2 k3,3     b3,0 b3,1 b3,2 b3,3

• simple bitwise addition (xor) of round keys

Number of rounds

                      Block length
Key length            128 bits (Nb=4)   192 bits (Nb=6)   256 bits (Nb=8)
128 bits (Nk=4)       10                12                14
192 bits (Nk=6)       12                12                14
256 bits (Nk=8)       14                14                14

The 128-bit block column is required by the standard; the 192- and 256-bit block columns are non-standard extensions.
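The four transformations SubBytes, ShiftRows, MixColumns and AddRoundKey on the 4×4 state, as an added example (not the lecture's pseudocode and not a reference implementation). Byte arithmetic is in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1; the S-box is computed (multiplicative inverse followed by the FIPS-197 affine map) instead of copied from the table, and the round-count table above is encoded as Nr = max(Nk, Nb) + 6. `mix_column_spread` checks the MixColumns claim that a difference in one input byte reaches all four output bytes. Key expansion is not included.

```python
def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gf_mul(a, b):
    """Multiply two field elements (shift-and-add)."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def sbox(x):
    """AES S-box value computed rather than tabulated: multiplicative inverse in
    GF(2^8) (x^254, which maps 0 to 0) followed by the affine map of FIPS-197."""
    inv, base, e = 1, x, 254
    while e:
        if e & 1:
            inv = gf_mul(inv, base)
        base = gf_mul(base, base)
        e >>= 1
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63


def bytes_to_state(block):
    """Column-major fill from the slide: input byte n becomes a[n % 4][n // 4]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(state):
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state):
    return [[sbox(b) for b in row] for row in state]


def shift_rows(state):
    """Row r is cyclically shifted left by Cr = r (rows 0..3 -> 0, 1, 2, 3)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col):
    """One column times the circulant matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    a0, a1, a2, a3 = col
    return [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
            a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
            a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
            gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]


def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    """Bitwise xor of the state with a 4x4 round-key array."""
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]


def num_rounds(nk, nb=4):
    """Round count from the slide's table: Nr = max(Nk, Nb) + 6.
    Only Nb = 4 (128-bit block) is part of the standard."""
    return max(nk, nb) + 6


def mix_column_spread(delta):
    """Diffusion check: number of output bytes that change when the first input byte
    of a column changes by `delta` (the slide claims all four, for any delta != 0)."""
    base = [0x11, 0x22, 0x33, 0x44]                # constructed column
    changed = [base[0] ^ delta] + base[1:]
    return sum(1 for x, y in zip(mix_column(base), mix_column(changed)) if x != y)


def sbox_is_bijection():
    """The S-box must be invertible: 256 distinct outputs for 256 inputs."""
    return len({sbox(x) for x in range(256)}) == 256


if __name__ == "__main__":
    print("S(53) =", hex(sbox(0x53)), "bijection:", sbox_is_bijection())
    print("MixColumns(db 13 53 45) =", [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("rounds (Nk=4,6,8):", num_rounds(4), num_rounds(6), num_rounds(8))
```

One round of the cipher is `add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)`; the final round omits `mix_columns`, and the inverse transformations (inverse S-box, right rotations, and the inverse MixColumns matrix) are not shown here.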

Pseudocode for AES encryption

Modes of Operation of Block Ciphers

Block vs. stream ciphers

Block cipher (key K):
    M1, M2, …, Mn → C1, C2, …, Cn
    Ci = fK(Mi)
    Every block of ciphertext is a function of only one corresponding block of plaintext.

Stream cipher (key K, internal state IS):
    m1, m2, …, mn → c1, c2, …, cn
    ci = fK(mi, ISi)
    ISi+1 = gK(mi, ISi)
    Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher

Sender: a Pseudorandom Key Generator, seeded with the key and an initialization vector (seed), produces the keystream ki; ciphertext ci = mi ⊕ ki.
Receiver: the same generator with the same key and initialization vector reproduces ki; plaintext mi = ci ⊕ ki.

Standard modes of operation of block ciphers

Block ciphers: ECB mode, CBC mode
Stream ciphers: Counter mode, OFB mode, CFB mode

ECB (Electronic CodeBook) mode

Electronic CodeBook Mode – ECB

Encryption:
    M1 M2 M3 … MN-1 MN → E (with K) → C1 C2 C3 … CN-1 CN
    Ci = EK(Mi) for i = 1..N

Decryption:
    C1 C2 C3 … CN-1 CN → D (with K) → M1 M2 M3 … MN-1 MN
    Mi = DK(Ci) for i = 1..N

Criteria for Comparison of Modes of Operation

• hiding repeating message blocks
• speed
• capability for parallel processing and pipelining during encryption / decryption
• use of block cipher operations (encryption only or both)
• capability for preprocessing during encryption / decryption
• capability for random access for the purpose of reading / writing
• number of plaintext and ciphertext blocks required for exhaustive key search
• error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

Block Cipher Modes of Operation - Basic Features (1)

Feature                                                ECB
Hiding repeating plaintext blocks                      No
Basic speed                                            sECB
Capability for parallel processing and pipelining      Encryption and decryption
Cipher operations                                      Encryption and decryption
Preprocessing                                          No
Random access                                          R/W

Block Cipher Modes of Operation - Basic Features (2)

Feature                                                                    ECB
Security against the exhaustive key search attack:
  minimum number of message and ciphertext blocks needed                   1 plaintext block, 1 ciphertext block
Integrity                                                                  No
Error propagation in the decrypted message after modification of j bits    L bits
Error propagation in the decrypted message after deletion of j bits        Current and all subsequent

Counter Mode

Counter Mode - CTR

Encryption:
    counter values IV, IV+1, IV+2, …, IV+N-2, IV+N-1 → E (with K) → keystream k1 k2 k3 … kN-1 kN
    ki = EK(IV+i-1) for i = 1..N
    ci = mi ⊕ ki

Decryption:
    ki = EK(IV+i-1) for i = 1..N
    mi = ci ⊕ ki
    (the block cipher is again used in the encryption direction)

Counter Mode - CTR

Internal-state form (block length L bits; the counter register holds IS, initialized to IV):
    IS1 = IV
    ci = EK(ISi) ⊕ mi
    ISi+1 = ISi + 1

J-bit Counter Mode - CTR

Only the leftmost j bits of each cipher output are used as keystream; plaintext and ciphertext are processed in j-bit units:
    ki = EK(IV+i-1)[1..j] for i = 1..N
    ci = mi ⊕ ki

J-bit Counter Mode - CTR

Internal-state form: the counter register holds L bits (IS1 = IV, ISi+1 = ISi + 1); of the L output bits of EK(ISi), the leftmost j bits (positions 1..j) are xored with the j-bit plaintext unit mi to give ci, and the remaining L-j bits are discarded.

Block Cipher Modes of Operation - Basic Features (1)

Feature                                                ECB                         CTR
Hiding repeating plaintext blocks                      No                          Yes
Basic speed                                            sECB                        ≈ j/L × sECB
Capability for parallel processing and pipelining      Encryption and decryption   Encryption and decryption
Cipher operations                                      Encryption and decryption   Encryption only
Preprocessing                                          No                          Yes
Random access                                          R/W                         R/W

Block Cipher Modes of Operation - Basic Features (2)

Feature                                                                    ECB                                     CTR
Security against the exhaustive key search attack:
  minimum number of message and ciphertext blocks needed                   1 plaintext block, 1 ciphertext block   1 plaintext block, 1 ciphertext block
Integrity                                                                  No                                      No
Error propagation in the decrypted message after modification of j bits    L bits                                  j bits
Error propagation in the decrypted message after deletion of j bits        Current and all subsequent              Current and all subsequent

OFB (Output FeedBack) Mode

Output Feedback Mode - OFB

Encryption:
    IV → E (with K) → k1 → E → k2 → E → k3 → … → kN
    ki = EK(ki-1) for i = 1..N, and k0 = IV
    ci = mi ⊕ ki

Decryption:
    ki = EK(ki-1) for i = 1..N, and k0 = IV
    mi = ci ⊕ ki

Output Feedback Mode - OFB

Internal-state form:
    IS1 = IV
    ci = EK(ISi) ⊕ mi
    ISi+1 = EK(ISi)

J-bit Output Feedback Mode - OFB

The L-bit input register is initialized with IV; of the L output bits of EK, the leftmost j bits (positions 1..j) are xored with the j-bit unit mi to give ci. The input register is then shifted left by j bits and the same j output bits are fed into its rightmost j positions (positions L-j+1..L). Sender and receiver run identical registers.

Block Cipher Modes of Operation - Basic Features (1)

Feature                                                ECB                         CTR                         OFB
Hiding repeating plaintext blocks                      No                          Yes                         Yes
Basic speed                                            sECB                        ≈ j/L × sECB                ≈ j/L × sECB
Capability for parallel processing and pipelining      Encryption and decryption   Encryption and decryption   None
Cipher operations                                      Encryption and decryption   Encryption only             Encryption only
Preprocessing                                          No                          Yes                         Yes
Random access                                          R/W                         R/W                         No

Block Cipher Modes of Operation - Basic Features (2)

Feature                                                        ECB                          CTR                          OFB
Security against the exhaustive key search attack:
  minimum number of message and ciphertext blocks needed       1 plaintext, 1 ciphertext    1 plaintext, 1 ciphertext    2 plaintext, 2 ciphertext (for j=L)
Integrity                                                      No                           No                           No
Error propagation after modification of j bits                 L bits                       j bits                       j bits
Error propagation after deletion of j bits                     Current and all subsequent   Current and all subsequent   Current and all subsequent

Page 54

CFB (Cipher FeedBack) Mode

Cipher Feedback Mode - CFB

Encryption:
  c_i = m_i ⊕ k_i,  where k_i = E_K(c_{i-1}) for i = 1..N and c_0 = IV

[Figure: the IV is encrypted to give k_1; each ciphertext block c_i is encrypted to give the next keystream block k_{i+1}; k_i is XORed with m_i to give c_i. Encryption is serial, since k_{i+1} cannot be computed before c_i is known.]

Page 55

Decryption:
  m_i = c_i ⊕ k_i,  where k_i = E_K(c_{i-1}) for i = 1..N and c_0 = IV

[Figure: the same chain as for encryption, now XORing k_i with c_i to recover m_i. Only E_K is used, and every k_i depends on ciphertext alone, so decryption can be done in parallel.]

Cipher Feedback Mode - CFB (shift-register form)

  IS_1 = IV
  c_i = E_K(IS_i) ⊕ m_i
  IS_{i+1} = c_i

[Figure: an L-bit input register IS_i (bits 1..L, loaded with the IV) feeds E_K; the output is XORed with m_i to give c_i, and c_i is written back into the register. Decryption is the same circuit with c_i as input and m_i as output.]

Page 56

J-bit Cipher Feedback Mode - CFB

[Figure: the L-bit shift register is encrypted with E_K; the leftmost j bits of the output (bits 1..j) are XORed with the j-bit unit m_i to give c_i. The register is shifted left by j bits (bits 1..L-j move up) and the j ciphertext bits c_i are shifted in at the right. The decryption circuit is identical, with the received c_i shifted into the register and m_i produced at the output.]

Because the register is refilled entirely from ciphertext, the receiver resynchronises after L bits of correct ciphertext following a transmission error or a deleted j-bit unit (CFB is self-synchronising). The price is throughput of about j/L of ECB, since each E_K call produces only j keystream bits.


Page 57


CBC (Cipher Block Chaining) Mode

Page 58

Cipher Block Chaining Mode - CBC

Encryption:
  c_i = E_K(m_i ⊕ c_{i-1}) for i = 1..N, c_0 = IV

[Figure: each plaintext block m_i is XORed with the previous ciphertext block (the IV for m_1) before entering E_K. Encryption is serial: c_i cannot be computed before c_{i-1}.]

Decryption:
  m_i = D_K(c_i) ⊕ c_{i-1} for i = 1..N, c_0 = IV

[Figure: each ciphertext block goes through D_K and is XORed with the previous ciphertext block (the IV for c_1). All inputs are ciphertext, so decryption can be done in parallel. Unlike OFB, CFB and CTR, CBC needs both E_K and D_K.]

Page 59

Block Cipher Modes of Operation - Basic Features (1)

| Feature                                           | ECB                       | OFB             | CFB             | CBC                       | CTR                       |
|---------------------------------------------------|---------------------------|-----------------|-----------------|---------------------------|---------------------------|
| Hiding repeating plaintext blocks                 | No                        | Yes             | Yes             | Yes                       | Yes                       |
| Basic speed                                       | s_ECB                     | ≈ j/L × s_ECB   | ≈ j/L × s_ECB   | ≈ s_ECB                   | ≈ j/L × s_ECB             |
| Capability for parallel processing and pipelining | Encryption and decryption | None            | Decryption only | Decryption only           | Encryption and decryption |
| Cipher operations                                 | Encryption and decryption | Encryption only | Encryption only | Encryption and decryption | Encryption only           |
| Preprocessing                                     | No                        | Yes             | No              | No                        | Yes                       |
| Random access                                     | R/W                       | No              | R only          | R only                    | R/W                       |

s_ECB is the throughput of ECB; j is the number of keystream bits obtained per block-cipher call (j = L in the full-block form, in which case the j/L factor is 1 and CTR runs at about s_ECB). "R only" means random read access: rewriting one block of CFB or CBC ciphertext changes every ciphertext block that follows it.

Block Cipher Modes of Operation - Basic Features (2)

| Feature                                                                                                  | ECB                                   | OFB                                                 | CFB                                                | CBC                                    | CTR                                   |
|----------------------------------------------------------------------------------------------------------|---------------------------------------|-----------------------------------------------------|----------------------------------------------------|----------------------------------------|---------------------------------------|
| Security against the exhaustive key search attack: minimum number of message and ciphertext blocks needed | 1 plaintext block, 1 ciphertext block | 2 plaintext blocks, 2 ciphertext blocks (for j = L) | 1 plaintext block, 2 ciphertext blocks (for j = L) | 1 plaintext block, 2 ciphertext blocks | 1 plaintext block, 1 ciphertext block |
| Integrity                                                                                                | No                                    | No                                                  | No                                                 | No                                     | No                                    |
| Error propagation in the decrypted message: modification of j bits                                       | L bits                                | j bits                                              | L + j bits                                         | L + j bits                             | j bits                                |
| Error propagation in the decrypted message: deletion of j bits                                           | Current and all subsequent            | Current and all subsequent                          | L bits                                             | Current and all subsequent             | Current and all subsequent            |

The block counts assume the attacker does not know the IV (in CBC, for example, the first relation that does not involve the IV is c_2 = E_K(m_2 ⊕ c_1), hence one plaintext and two ciphertext blocks); with a known IV one plaintext/ciphertext block pair suffices in every mode, and in CTR the counter is transmitted in the clear anyway. In the error-propagation rows, modifying j ciphertext bits changes only the corresponding j plaintext bits in OFB and CTR (no error extension, which also means a deliberate bit flip on the plaintext goes unnoticed), the whole current block in ECB, the current block plus j bits of the next one in CBC, and the current j bits plus the next L bits in CFB. Deleting j bits desynchronises every mode except j-bit CFB, which recovers after L bits of correct ciphertext. None of the five modes provides integrity, so a message authentication code or an authenticated mode is needed whenever tampering matters.
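The following Python program is an added example, not part of the lecture: it implements the five modes above over a toy 64-bit Feistel block cipher that only stands in for E_K (it is not DES and has no security value), adds 8-bit CFB, and then reproduces the two error-propagation rows of the table: one ciphertext bit is flipped and decrypted in every mode, and one byte is deleted from an 8-bit CFB stream to show the resynchronisation after L bits. The key, IV and message are constructed sample values.

```python
import hashlib

L = 8  # block length in bytes: 64 bits, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Round function of the toy cipher: SHA-256 keyed with the cipher key and the round number.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:L // 2]

def E(key, block):
    """Toy 64-bit block cipher (4-round Feistel network). Stands in for E_K; it is NOT DES."""
    l, r = block[:L // 2], block[L // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def D(key, block):
    """Inverse of E: the Feistel rounds undone in reverse order (only ECB and CBC need it)."""
    l, r = block[:L // 2], block[L // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def _blocks(data):
    assert len(data) % L == 0, "this example works on whole blocks only"
    return [data[i:i + L] for i in range(0, len(data), L)]

# Full-block (j = L) modes. All take (key, iv, data) so the experiments below can loop over them.
def ecb_enc(key, iv, msg):
    return b"".join(E(key, m) for m in _blocks(msg))                   # c_i = E_K(m_i); iv unused

def ecb_dec(key, iv, ct):
    return b"".join(D(key, c) for c in _blocks(ct))

def cbc_enc(key, iv, msg):
    out, prev = [], iv
    for m in _blocks(msg):
        prev = E(key, _xor(m, prev))                                   # c_i = E_K(m_i xor c_{i-1}), c_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_dec(key, iv, ct):
    cs = _blocks(ct)                                                   # m_i = D_K(c_i) xor c_{i-1}: parallel
    return b"".join(_xor(D(key, c), p) for c, p in zip(cs, [iv] + cs))

def cfb_enc(key, iv, msg):
    out, prev = [], iv
    for m in _blocks(msg):
        prev = _xor(m, E(key, prev))                                   # c_i = m_i xor E_K(c_{i-1}), c_0 = IV
        out.append(prev)
    return b"".join(out)

def cfb_dec(key, iv, ct):
    cs = _blocks(ct)                                                   # needs only E_K; parallel
    return b"".join(_xor(c, E(key, p)) for c, p in zip(cs, [iv] + cs))

def ofb_crypt(key, iv, data):
    out, k = [], iv
    for d in _blocks(data):
        k = E(key, k)                                                  # k_i = E_K(k_{i-1}), k_0 = IV
        out.append(_xor(d, k))
    return b"".join(out)                                               # same function for enc and dec

def ctr_crypt(key, iv, data):
    n = int.from_bytes(iv, "big")
    ks = [E(key, ((n + i) % 2 ** 64).to_bytes(L, "big")) for i in range(len(data) // L)]
    return b"".join(_xor(d, k) for d, k in zip(_blocks(data), ks))     # k_i = E_K(IV + i)

MODES = {"ECB": (ecb_enc, ecb_dec), "CBC": (cbc_enc, cbc_dec), "CFB": (cfb_enc, cfb_dec),
         "OFB": (ofb_crypt, ofb_crypt), "CTR": (ctr_crypt, ctr_crypt)}

def cfb8_crypt(key, iv, data, decrypt=False):
    """j-bit CFB with j = 8: an L-byte shift register and one keystream byte per E_K call."""
    reg, out = iv, bytearray()
    for b in data:
        o = b ^ E(key, reg)[0]                                         # leftmost j bits of E_K(register)
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])                   # shift the ciphertext byte in
    return bytes(out)

def damage_from_bit_flip(mode, key, iv, msg, block=1, bit=3):
    """Flip one ciphertext bit in block `block`, decrypt, and report
    (indices of plaintext blocks that changed, number of plaintext bits that changed)."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, msg))
    ct[block * L] ^= 1 << bit
    pt = dec(key, iv, bytes(ct))
    changed = [i for i, (a, b) in enumerate(zip(_blocks(msg), _blocks(pt))) if a != b]
    return changed, sum(bin(x ^ y).count("1") for x, y in zip(msg, pt))

def cfb8_after_byte_deletion(key, iv, msg, drop=5):
    """Delete ciphertext byte `drop` from an 8-bit CFB stream and decrypt the rest. Returns whether
    the plaintext before the gap is intact, the next 8 bytes (L bits) are garbled, and the rest resynchronised."""
    ct = cfb8_crypt(key, iv, msg)
    pt = cfb8_crypt(key, iv, ct[:drop] + ct[drop + 1:], decrypt=True)
    want = msg[:drop] + msg[drop + 1:]
    return (pt[:drop] == want[:drop], pt[drop:drop + L] != want[drop:drop + L],
            pt[drop + L:] == want[drop + L:])

def round_trip_ok(key, iv, msg):
    return all(dec(key, iv, enc(key, iv, msg)) == msg for enc, dec in MODES.values()) and \
        cfb8_crypt(key, iv, cfb8_crypt(key, iv, msg), decrypt=True) == msg

# Constructed sample inputs (not from the lecture): a 16-byte key, an 8-byte IV, five 8-byte blocks.
KEY, IV = b"toy-key-16-bytes", bytes(range(L))
MSG = b"".join(b"block-%d!" % i for i in range(5))

if __name__ == "__main__":
    print("round trip:", round_trip_ok(KEY, IV, MSG))
    for mode in MODES:
        print(mode, "one flipped ciphertext bit ->", damage_from_bit_flip(mode, KEY, IV, MSG))
    print("8-bit CFB after one deleted byte:", cfb8_after_byte_deletion(KEY, IV, MSG))
```

Running it shows, for OFB and CTR, that exactly one plaintext bit changed (the "j bits" of the table), for ECB a garbled block, for CBC a garbled block plus one bit in the next, and for CFB one bit plus a garbled next block; the deletion experiment leaves the plaintext before the gap intact, garbles the next 8 bytes, and decrypts everything after that correctly. The absence of error extension in OFB and CTR is exactly what makes a deliberate bit flip on the plaintext undetectable, which is why the Integrity row is No for every mode.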

Page 60

New modes of operation

Evaluation Criteria for Modes of Operation: Security, Efficiency, Functionality

Page 61

Evaluation criteria (1)

Security
  • resistance to attacks
  • proof of security
  • random properties of the ciphertext

Efficiency
  • number of calls of the block cipher
  • capability for parallel processing
  • memory/area requirements
  • initialization time
  • capability for preprocessing

Functionality
  • security services
    - confidentiality, integrity, authentication
  • flexibility
    - variable lengths of blocks and keys
    - different amount of precomputations
    - requirements on the length of the message

Evaluation criteria (2)
  • vulnerability to implementation errors
  • requirements on the amount of keys, initialization vectors, random numbers, etc.
  • error propagation and the capability for resynchronization
  • patent restrictions

Page 62

CBC

  c_i = E_K(m_i ⊕ c_{i-1}), c_0 = IV

[Figure: the CBC encryption chain, m_1 ... m_N through E_K to c_1 ... c_N, each block chained to the previous ciphertext.]

Problems:
  - No parallel processing of blocks from the same packet
  - No speed-up by preprocessing
  - No integrity or authentication

Counter mode

  k_i = E_K(IV + i),  c_i = m_i ⊕ k_i  for i = 0..N

[Figure: the counter values IV, IV+1, IV+2, ..., IV+N-1, IV+N are each encrypted with E_K to give k_0 ... k_N, which are XORed with m_0 ... m_N to give c_0 ... c_N.]

Features:
  + Potential for parallel processing (every k_i is independent of the other blocks)
  + Speed-up by preprocessing (the keystream depends only on the key and the counter)
  - No integrity or authentication

Counter mode is only secure as long as no counter value IV + i is ever encrypted twice under the same key: a repeated counter reuses k_i, and the XOR of the two ciphertext blocks reveals the XOR of the two plaintext blocks.

Page 63

[Table: Properties of existing and new cipher modes. Columns: CBC, CFB, OFB, New standard. Rows: Proof of security; Preprocessing; Parallel processing; Integrity and authentication; Resistance to implementation errors. The check marks did not survive extraction; the legible entries are that CBC allows parallel processing for decryption only, and that none of CBC, CFB and OFB provides integrity and authentication (marked "–").]

OCB - Offset Codebook Mode

[Figure: OCB encryption. L = E_K(0) and R = E_K(IV ⊕ L) are derived from the key and the IV, and an offset Z_i = f(L, R, i) is computed for every block. Each full block is enciphered as C_i = E_K(M_i ⊕ Z_i) ⊕ Z_i for i = 1..N-1, so the blocks are independent of each other and can be processed in parallel. The last block M_N is XORed with the keystream block E_K(length ⊕ g(L) ⊕ Z_N), which handles messages whose length is not a multiple of the block size. A checksum over the message blocks ("control sum" on the slide) is XORed with Z_N and encrypted with E_K to give the tag T, truncated to t bits.]

Page 64

New modes of block ciphers

1. CCM - Counter with CBC-MAC
   • developed by R. Housley, D. Whiting, N. Ferguson in 2002
   • assures simultaneous confidentiality and authentication
   • not covered by any patent
   • part of the IEEE 802.11i standard for wireless networks

2. GCM - Galois/Counter Mode
   • developed by D. McGrew and J. Viega in 2005
   • assures simultaneous confidentiality and authentication
   • not covered by any patent
   • used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPsec standards

[Table: Properties of new modes of operation. Columns: CBC, CFB, OFB, CTR, CCM, GCM. Rows: Proof of security; Preprocessing; Parallel processing; Integrity and authentication; Resistance to implementation errors. The check marks did not survive extraction; the legible entries are that CBC allows parallel processing for decryption only, that CBC, CFB and OFB have no integrity and authentication (marked "–"), and that CCM and GCM are marked "half of operations" in the cells where only the counter-mode encryption half of the mode can be parallelised or precomputed while the authentication half cannot.]

Page 65

CAESAR Contest, 2013-2018

Confidentiality & Authentication: Authenticated Ciphers

[Figure: Alice and Bob share the secret key K_AB. Alice runs the authenticated cipher in the encryption direction on (K_AB, N, Message) and sends (N, Ciphertext, Tag). Bob runs it in the decryption direction on (K_AB, N, Ciphertext, Tag) and obtains either the Message or "invalid".]

K_AB - Secret key of Alice and Bob
N - Nonce or Initialization Vector

Page 66

Confidentiality & Authentication: Authenticated Ciphers (CAESAR interface)

[Figure: Encryption takes Key, Npub, Nsec, AD and Message and outputs Npub, AD, Ciphertext, Enc Nsec and Tag. Decryption takes Key, Npub, AD, Ciphertext, Enc Nsec and Tag and outputs Nsec, AD and Message, or Invalid. Npub and AD travel in the clear; Nsec travels only in encrypted form.]

Npub - Public Message Number
Nsec - Secret Message Number
Enc Nsec - Encrypted Secret Message Number
AD - Associated Data
K_AB - Secret key of Alice and Bob (the Key input on both sides)
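As an added example (not part of the lecture, and not any CAESAR submission), the Python below implements the encryption/decryption interface above in its simplest form: encrypt-then-MAC with a counter-mode keystream generated by HMAC-SHA256 and an HMAC tag of t bytes over (Npub, AD, Ciphertext); Nsec is omitted. The key, nonce, associated data and message are constructed sample values. The two experiments at the end show what the plain modes of the previous pages cannot do (reject a flipped ciphertext bit) and what any such construction still cannot survive (reuse of Npub under one key).

```python
import hashlib
import hmac

TAG_LEN = 16  # t = 128-bit tag

def _subkey(key, label):
    # Separate encryption and MAC keys derived from the shared key K_AB (HMAC used as the KDF).
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc, npub, n):
    """Counter-mode keystream with HMAC-SHA256 as the PRF: block i = HMAC(k_enc, Npub || i)."""
    out = bytearray()
    for i in range(-(-n // 32)):
        out += hmac.new(k_enc, npub + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def _mac_input(npub, ad, ct):
    # Length-prefix every field so the (Npub, AD, Ciphertext) boundaries cannot be shifted.
    return b"".join(len(x).to_bytes(8, "big") + x for x in (npub, ad, ct))

def ae_encrypt(key, npub, ad, msg):
    """Encryption direction: (Key, Npub, AD, Message) -> (Ciphertext, Tag).
    Encrypt-then-MAC: the tag covers the nonce, the associated data and the ciphertext."""
    ks = _keystream(_subkey(key, b"enc"), npub, len(msg))
    ct = bytes(m ^ k for m, k in zip(msg, ks))
    tag = hmac.new(_subkey(key, b"mac"), _mac_input(npub, ad, ct), hashlib.sha256).digest()[:TAG_LEN]
    return ct, tag

def ae_decrypt(key, npub, ad, ct, tag):
    """Decryption direction: (Key, Npub, AD, Ciphertext, Tag) -> Message, or None for 'invalid'.
    The tag is verified in constant time before any plaintext is computed or released."""
    if len(tag) != TAG_LEN:          # otherwise a truncated or empty tag would compare equal
        return None
    expect = hmac.new(_subkey(key, b"mac"), _mac_input(npub, ad, ct), hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        return None
    ks = _keystream(_subkey(key, b"enc"), npub, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def tamper_detected(key, npub, ad, msg):
    """Flip one ciphertext bit, which plain OFB/CFB/CBC/CTR would decrypt without complaint."""
    ct, tag = ae_encrypt(key, npub, ad, msg)
    bad = bytearray(ct)
    bad[0] ^= 0x01
    return ae_decrypt(key, npub, ad, bytes(bad), tag) is None

def nonce_reuse_leaks(key, npub, m1, m2):
    """Reusing Npub under one key reuses the keystream, so c1 xor c2 = m1 xor m2 becomes visible."""
    c1, _ = ae_encrypt(key, npub, b"", m1)
    c2, _ = ae_encrypt(key, npub, b"", m2)
    n = min(len(m1), len(m2))
    return bytes(a ^ b for a, b in zip(c1, c2))[:n] == bytes(a ^ b for a, b in zip(m1, m2))[:n]

# Constructed sample values (not from the lecture).
KEY, NPUB, AD = bytes(range(32)), b"nonce-0001", b"hdr:from=alice;to=bob"
MSG = b"transfer 100 to bob"

if __name__ == "__main__":
    ct, tag = ae_encrypt(KEY, NPUB, AD, MSG)
    print("ciphertext:", ct.hex(), "tag:", tag.hex())
    print("genuine:", ae_decrypt(KEY, NPUB, AD, ct, tag))
    print("tampered ciphertext rejected:", tamper_detected(KEY, NPUB, AD, MSG))
    print("AD changed rejected:", ae_decrypt(KEY, NPUB, b"hdr:from=mallory;to=bob", ct, tag) is None)
    print("nonce reuse leaks m1 xor m2:", nonce_reuse_leaks(KEY, NPUB, b"hello", b"HELLO"))
```

Two design points matter in practice: the decryption direction returns nothing but "invalid" on a bad tag (no partial plaintext, and a fixed-length constant-time comparison so tag length and timing cannot be abused), and the associated data is bound into the tag so a header such as the recipient field cannot be swapped without detection. Real authenticated modes (CCM, GCM, OCB) replace the HMAC-based keystream and tag with block-cipher constructions, but keep the same interface and the same nonce requirement.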

Cryptographic Standard Contests

[Timeline 1997-2017; start and end dates are given on the slide as month (Roman numeral) and year]

  AES       IX.1997 - X.2000     15 block ciphers → 1 winner
  NESSIE    I.2000 - XII.2002
  CRYPTREC  (Japan; running since 2000)
  eSTREAM   XI.2004 - IV.2008    34 stream ciphers → 4 HW winners + 4 SW winners
  SHA-3     X.2007 - X.2012      51 hash functions → 1 winner
  CAESAR    I.2013 - 2018        57 authenticated ciphers → multiple winners