Secret Key: stream ciphers & block ciphers
(slides: alberto/didattica/cns-slides/Secret-key_2.pdf)

Stream Ciphers
Idea: try to simulate the one-time pad
• define a secret key ("seed")
• using the seed, generate a byte stream (keystream): the i-th byte is a function
  – only of the key (synchronous stream cipher), or
  – of the key and of the first i-1 bytes of ciphertext (asynchronous stream cipher)
• obtain the ciphertext as the XOR of plaintext and keystream (bit-wise)

Synchronous Stream Cipher: encryption
  Key → Stream (keystream)
  Ciphertext = Plaintext ⊕ Stream

Synchronous Stream Cipher: decryption
  Key → Stream (keystream)
  Plaintext = Ciphertext ⊕ Stream

Stream ciphers in practice
• Many codes before 1940
• Enigma – World War II (Germany)
• A5 – GSM (encryption between cell phone and base station)
• WEP – used in 802.11 (wireless)
• RC4 (Ron's Code)

Example: RC4
• RC: code proposed by Ron (Ron's Code, Ron = Ronald Rivest)
• Considered safe: 1987-1994 kept secret, after '94 extensively studied
• Good for exporting (compliant with US restrictions)
• Easy to program, fast
• Very popular: Lotus Notes, SSL, WEP etc.

RC4: properties
• variable key length (in bytes)
• synchronous
• starting from the key it generates an apparently random permutation
• eventually the sequence will repeat; however the period is long (> 10^100), so in this way it simulates a one-time pad
• very fast: 1 byte of output requires 8-16 instructions

RC4 initialization
1. j = 0
2. S0 = 0, S1 = 1, …, S255 = 255
3. Assume a key of 256 bytes k0, …, k255 (if the key is shorter, repeat it)
4. For i = 0 to 255:
     j = (j + Si + ki) mod 256
     exchange Si and Sj
In this way we obtain a permutation of 0, 1, …, 255; the resulting permutation is a function of the key.

RC4 key-stream generation
Input: i, j, permutation S of 0, 1, …, 255
1. i = (i + 1) mod 256
2. j = (j + Si) mod 256
3. exchange Si and Sj
4. t = (Si + Sj) mod 256
5. B = St
Output: B
Recall: each ciphertext byte is the XOR of 1 byte of plaintext and 1 byte of keystream.
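The initialization and key-stream generation above, implemented in Python as an added example (this is not code from the slides); it assumes, as in standard RC4, that the generator starts from i = j = 0 and that a key shorter than 256 bytes is reused cyclically:

```python
# RC4 as on the slides: the key scheduling (KSA) builds the permutation S,
# the generator (PRGA) emits one keystream byte per step, encryption is XOR.


def rc4_ksa(key: bytes) -> list:
    """Initialization: S = identity permutation, then 256 key-dependent swaps."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        # key[i % len(key)] realises "if the key is shorter, repeat it"
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]          # exchange S_i and S_j
    return S


def rc4_keystream(key: bytes):
    """Key-stream generation: yields B = S_t with t = (S_i + S_j) mod 256."""
    S = rc4_ksa(key)
    i = j = 0                            # assumption: generator starts at i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]          # exchange S_i and S_j
        t = (S[i] + S[j]) % 256
        yield S[t]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): each byte XORed with one keystream byte."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                      # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))         # b'Plaintext'
```

The code reproduces the published RC4 test vector so the permutation and generator can be checked; RC4 itself is prohibited in TLS (RFC 7465) because its keystream has statistical biases.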

Real World Block Ciphers
• DES, 3-DES (64-bit block, 56-bit key)
• AES (Rijndael) (128-256 bit block)
• RC2
• RC5
• IDEA (64-bit block, 128-bit key)
• Blowfish, CAST
• GOST

ECB Mode Encryption (Electronic Code Book)
  C1 = Ek(P1), C2 = Ek(P2), C3 = Ek(P3), …
Encrypt each plaintext block separately.

Properties of ECB
• Simple and efficient
• Parallel implementation possible
• Does not conceal plaintext patterns
• Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks)

ECB: plaintext repetitions (figure: plaintext, ECB ciphertext, good ciphertext)

CBC (Cipher Block Chaining) mode
  C1 = Ek(m1 ⊕ seed), C2 = Ek(m2 ⊕ C1), C3 = Ek(m3 ⊕ C2), …
The previous ciphertext block is XORed with the current plaintext block before encrypting the current block.
• The seed is used to start the process; it can be sent without encryption.
• Seed = 0 is safe in most but NOT all cases (e.g. assume the file with the salaries is sent once a month: with the same seed we can detect changes in the salaries), therefore a random seed is better.

CBC (Cipher Block Chaining): decryption
  m1 = Dk(C1) ⊕ seed, m2 = Dk(C2) ⊕ C1, m3 = Dk(C3) ⊕ C2, …
Problem
IF a transmission error changes one bit of C(i-1)
THEN block mi changes in a predictable way
BUT there are unpredictable changes in m(i-1).
Solution: always use error detecting codes (for example CRC) to check the quality of the transmission.

Properties of CBC
• Asynchronous stream cipher
• Errors in one ciphertext block propagate
• Conceals plaintext patterns
• No parallel implementation known
• Plaintext cannot be easily manipulated
• Standard in most systems: SSL, IPSec etc.

OFB Mode (Output FeedBack)
An initialization vector s0 is used as a "seed" for a sequence of data blocks si:
  s0 = seed

OFB mode: discussion
• If f is public (known to the adversary) then the initial seed s0 must be encrypted (why?)
• If f is a cryptographic function that depends on a secret key then the initial seed can be sent in the clear (why?)
• The initial seed must be modified for EVERY new message, even if it is protected and unknown to the adversary (in fact, if the adversary knows a pair (message, initial seed) then he can encode every message; why?)
• Extension: it can be modified in such a way that only k bits are used to compute the ciphertext (k-OFB)

Properties of OFB
• Synchronous stream cipher
• Errors in ciphertext do not propagate
• Pre-processing is possible
• Conceals plaintext patterns
• No parallel implementation known
• Active attacks by manipulating plaintext are possible

CTR (Counter Mode)
  C1 = m1 ⊕ Ek(seed), C2 = m2 ⊕ Ek(seed + 1), C3 = m3 ⊕ Ek(seed + 2), …
Similar to OFB
• There are problems in the repeated use of the same seed (like OFB)
• CTR vs OFB: using CTR you can decrypt the message starting from block i for any i (i.e. you do not need to decrypt from the first block as in OFB)
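The four modes of the preceding slides (ECB, CBC with its error-propagation property, OFB with seed reuse, CTR with random access) worked through in Python as an added example that is not part of the slides; in place of DES or AES it assumes a toy 64-bit Feistel block cipher built from SHA-256, so that it runs with the standard library only:

```python
# Added example: ECB, CBC, OFB and CTR over a TOY 64-bit block cipher
# (4-round Feistel with a SHA-256 round function). Only the mode logic matters;
# the toy cipher is an assumption of this example, not a real block cipher.
import hashlib

BLOCK = 8  # toy block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def ek(key: bytes, block: bytes) -> bytes:
    """E_k: toy keyed permutation of 64-bit blocks."""
    L, R = block[:4], block[4:]
    for r in range(4):
        L, R = R, _xor(L, _round_f(key, r, R))
    return L + R


def dk(key: bytes, block: bytes) -> bytes:
    """D_k: inverse of ek (Feistel rounds undone in reverse order)."""
    L, R = block[:4], block[4:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round_f(key, r, L)), L
    return L + R


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB/CBC need whole blocks (no padding here)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: C_i = E_k(P_i). Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(ek(key, p) for p in _blocks(pt))


def cbc_encrypt(key: bytes, seed: bytes, pt: bytes) -> bytes:
    """CBC: C_i = E_k(m_i XOR C_(i-1)), with C_0 = seed."""
    out, prev = [], seed
    for m in _blocks(pt):
        prev = ek(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, seed: bytes, ct: bytes) -> bytes:
    """CBC: m_i = D_k(C_i) XOR C_(i-1)."""
    out, prev = [], seed
    for c in _blocks(ct):
        out.append(_xor(dk(key, c), prev))
        prev = c
    return b"".join(out)


def ofb_crypt(key: bytes, seed: bytes, data: bytes) -> bytes:
    """OFB: s_i = E_k(s_(i-1)), C_i = m_i XOR s_i; the keystream ignores the data."""
    out, s = [], seed
    for i in range(0, len(data), BLOCK):
        s = ek(key, s)
        out.append(_xor(data[i:i + BLOCK], s))
    return b"".join(out)


def ctr_crypt(key: bytes, seed: bytes, data: bytes, first_block: int = 0) -> bytes:
    """CTR: C_i = m_i XOR E_k(seed + i); block i can be processed on its own."""
    out, n = [], int.from_bytes(seed, "big")
    for idx, i in enumerate(range(0, len(data), BLOCK)):
        ctr = ((n + first_block + idx) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(_xor(data[i:i + BLOCK], ek(key, ctr)))
    return b"".join(out)


def distinct_blocks(ct: bytes) -> int:
    """Number of distinct ciphertext blocks: ECB exposes repeats, CBC hides them."""
    return len(set(_blocks(ct)))


def cbc_corrupt_c1(key: bytes, seed: bytes, pt: bytes, bit: int) -> bytes:
    """Flip one bit of C_1 in transit; return decrypted XOR original plaintext.
    m_2 differs in exactly that bit, m_1 differs unpredictably, m_3.. are intact."""
    ct = bytearray(cbc_encrypt(key, seed, pt))
    ct[bit // 8] ^= 1 << (bit % 8)  # the transmission error, inside block C_1
    return _xor(cbc_decrypt(key, seed, bytes(ct)), pt)


def seed_reuse_leak(key: bytes, seed: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two OFB messages under the same key AND seed: the XOR of the ciphertexts
    equals the XOR of the plaintexts, which is why the seed must change per message."""
    return _xor(ofb_crypt(key, seed, m1), ofb_crypt(key, seed, m2))
```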

AES Proposed Modes
• CTR (Counter) mode (OFB modification): parallel implementation, offline pre-processing, provable security, simple and efficient
• OCB (Offset Codebook) mode: parallel implementation, offline pre-processing, provable security (under specific assumptions), authenticity

Strengthening a Given Cipher
• Design multiple key lengths – AES
• Whitening – the DESX idea
• Iterated ciphers – Triple DES (3-DES), triple IDEA and so on

Triple Cipher – Diagram
  P → Ek1 → Ek2 → Ek3 → C

Iterated Ciphers
• Plaintext undergoes encryption repeatedly by the underlying cipher
• Ideally, each stage uses a different key
• In practice the triple cipher is usually
    C = Ek1(Ek2(Ek1(P)))  [EEE mode]  or
    C = Ek1(Dk2(Ek1(P)))  [EDE mode]
  EDE is more common in practice

Two or Three Keys
• Sometimes only two keys are used in 3-DES
• The identical key must be at the beginning and at the end
• Legal advantage (export license) due to the smaller overall key size
• Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standard

Adversary's goal
• Final goal: find the secret key
• Partial goals:
  – Reduce the number of possible keys
  – Detect patterns in the text
  – Decode part of the text
  – Modify the ciphertext obtaining a plausible text (even without breaking the cipher; even without knowing which modifications)

Repeated coding
• To increase the robustness perform multiple encryption. How many times? 2, 3, 678?
• In practice the triple cipher is
    C = Ek1(Ek2(Ek1(P)))  [EEE mode]  or
    C = Ek1(Dk2(Ek1(P)))  [EDE mode]
  EDE is more used

Double DES: man-in-the-middle attack
Cipher twice with two different keys? NO: man-in-the-middle attack. Requirements:
  – Known plaintext and ciphertext
  – 2^(k+1) encryptions and decryptions (2 keys of k bits)
  – |k|·2^|k| bits of memory space
  – Idea: try all possible encryptions of the plaintext and all possible decryptions of the ciphertext; check for a pair of keys that transforms the plaintext into the ciphertext.
  – Note: the method can be applied to all block ciphers.

Triple encoding
  P → Ek1 → Ek2 → Ek3 → C

Triple encoding and CBC
  C1 = Ek3(Ek2(Ek1(M1 ⊕ 0000000)))
  C2 = Ek3(Ek2(Ek1(M2 ⊕ C1)))
  …
  Cn = Ek3(Ek2(Ek1(Mn ⊕ C(n-1))))
In the picture: external CBC: encode (using triple encoding) each block, then concatenate.
Other possibility: internal CBC (the concatenation depends on the level of encoding).

Groups and Fields
AES – Advanced Encryption Standard

Review - Groups
Def (group): A set G with a binary operation + (addition) is called a commutative group if
1. ∀ a,b∈G, a+b∈G
2. ∀ a,b,c∈G, (a+b)+c = a+(b+c)
3. ∀ a,b∈G, a+b = b+a
4. ∃ 0∈G, ∀ a∈G, a+0 = a
5. ∀ a∈G, ∃ -a∈G, a+(-a) = 0
+, 0, and -a are only notations!

Sub-groups
• Let (G,+) be a group; (H,+) is a sub-group of (G,+) if it is a group and H⊆G.
• Claim: Let (G,+) be a finite group, and H⊆G. If H is closed under +, then (H,+) is a sub-group of (G,+).
• Examples
• Lagrange theorem: if G is finite and (H,+) is a sub-group of (G,+) then |H| divides |G|.

Order of Elements
• Let a^n denote a+…+a (n times)
• We say that a is of order n if a^n = 0, and for any m<n, a^m ≠ 0
• Examples
• Euler theorem: In the multiplicative group of Zm, every element is of order at most φ(m).

Cyclic Groups
• Claim: let G be a group and a be an element of order n. The set <a> = {1, a, …, a^(n-1)} is a sub-group of G.
• a is called the generator of <a>.
• If G is generated by a, then G is called cyclic, and a is called a primitive element of G.
• Theorem: for any prime p, the multiplicative group of Zp is cyclic.

Groups: examples
Z = set of integers (positive and negative); Zn = integers modulo n (0, 1, 2, 3, …, n-1); Z*n = (1, 2, 3, …, n-1)
- Z and addition is a group (0 identity; -a inverse of a)
- Zn and addition is a group (0 identity; -a inverse of a)
- Z and multiplication is NOT a group (inverses exist only for 1 and -1)
- The set of rational numbers and multiplication is a group
- Z*n [a mod n] and multiplication IS NOT ALWAYS a group
  - n = 6: {1,2,3,4,5} is not closed (2*3 = 0 mod 6)
  - n prime: it is a group
- Zn* [a mod n with gcd(a,n) = 1] and multiplication IS a group (1 is the identity, and if as + nt = 1 mod n then s is the inverse of a)
  - n = 15: {1,2,4,7,8,11,13,14}
  - n = 5: {1,2,3,4} (in fact all numbers are coprime with 5)
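The Z_n^* examples above (n = 6, 15, 5) together with the order, Lagrange and cyclic-group statements of the previous slides, checked in Python as an added example (not from the slides); the function names are this example's own:

```python
# Added example: Z_n^* from the page's gcd condition, the inverse from the
# Bezout relation a*s + n*t = 1, element orders (Lagrange) and generators of
# Z_p^* (the "Z_p^* is cyclic" theorem).
from math import gcd


def units(n: int) -> list:
    """Z_n^*: residues a in 1..n-1 with gcd(a, n) = 1."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def closed_under_mult(subset, n: int) -> bool:
    """Closure axiom for multiplication mod n (fails for {1..5} mod 6: 2*3 = 0)."""
    s = set(subset)
    return all((a * b) % n in s for a in s for b in s)


def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def inverse_mod(a: int, n: int) -> int:
    """If a*s + n*t = 1 then s is the inverse of a mod n; no inverse if gcd != 1."""
    g, s, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return s % n


def order(a: int, n: int) -> int:
    """Order of a in Z_n^*: smallest k >= 1 with a^k = 1 mod n."""
    if gcd(a, n) != 1:
        raise ValueError(f"{a} is not in Z_{n}^*")
    k, x = 1, a % n
    while x != 1:
        x, k = (x * a) % n, k + 1
    return k


def lagrange_holds(n: int) -> bool:
    """Every element order divides |Z_n^*| (= phi(n)), as Lagrange predicts."""
    g = units(n)
    return all(len(g) % order(a, n) == 0 for a in g)


def primitive_elements(p: int) -> list:
    """Generators of Z_p^* (p prime): the elements of order p-1."""
    return [a for a in units(p) if order(a, p) == p - 1]
```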

Review - Rings
Def (ring): A set F with two binary operations + (addition) and · (multiplication) is called a commutative ring with identity if
1. ∀ a,b∈F, a+b∈F
2. ∀ a,b,c∈F, (a+b)+c = a+(b+c)
3. ∀ a,b∈F, a+b = b+a
4. ∃ 0∈F, ∀ a∈F, a+0 = a
5. ∀ a∈F, ∃ -a∈F, a+(-a) = 0
6. ∀ a,b∈F, a·b∈F
7. ∀ a,b,c∈F, (a·b)·c = a·(b·c)
8. ∀ a,b∈F, a·b = b·a
9. ∃ 1∈F, ∀ a∈F, a·1 = a
10. ∀ a,b,c∈F, a·(b+c) = a·b + a·c
+, ·, 0, 1 and -a are only notations!

Review - Fields
Def (field): A set F with two binary operations + (addition) and · (multiplication) is called a field if
1. ∀ a,b∈F, a+b∈F
2. ∀ a,b,c∈F, (a+b)+c = a+(b+c)
3. ∀ a,b∈F, a+b = b+a
4. ∃ 0∈F, ∀ a∈F, a+0 = a
5. ∀ a∈F, ∃ -a∈F, a+(-a) = 0
6. ∀ a,b∈F, a·b∈F
7. ∀ a,b,c∈F, (a·b)·c = a·(b·c)
8. ∀ a,b∈F, a·b = b·a
9. ∃ 1∈F, ∀ a∈F, a·1 = a
10. ∀ a,b,c∈F, a·(b+c) = a·b + a·c
11. ∀ a≠0∈F, ∃ a^-1∈F, a·a^-1 = 1
+, ·, 0, 1, -a and a^-1 are only notations!

Review - Fields
A field is a commutative ring with identity where each non-zero element has a multiplicative inverse:
  ∀ a≠0∈F, ∃ a^-1∈F, a·a^-1 = 1
Equivalently, (F,+) is a commutative (additive) group, and (F \ {0}, ·) is a commutative (multiplicative) group.

Examples
Zn with addition and multiplication is a ring but not always a field:
• n = 15: NO ({1,2,3,4,…,14} is not a group with respect to multiplication)
• n = 5: YES ({1,2,3,4} is a group w.r.t. multiplication)

Polynomials over Fields
Let f(x) = a_n·x^n + a_(n-1)·x^(n-1) + a_(n-2)·x^(n-2) + … + a_1·x + a_0 be a polynomial of degree n in one variable x over a field F (namely a_n, a_(n-1), …, a_1, a_0 ∈ F).
Theorem: The equation f(x) = 0 has at most n solutions in F.
Remark: The theorem does not hold over rings with identity. For example, in Z24 the equation 6·x = 0 has six solutions (0, 4, 8, 12, 16, 20).

Polynomial Remainders
Let f(x) = a_n·x^n + a_(n-1)·x^(n-1) + a_(n-2)·x^(n-2) + … + a_1·x + a_0 and
g(x) = b_m·x^m + b_(m-1)·x^(m-1) + b_(m-2)·x^(m-2) + … + b_1·x + b_0
be two polynomials over F such that m < n (or m = n).
Theorem: There is a unique polynomial r(x) of degree < m over F such that f(x) = h(x)·g(x) + r(x).
Remark: r(x) is called the remainder of f(x) modulo g(x).

Finite Fields
Def (finite field): A field (F,+,·) is called a finite field if the set F is finite.
Example: Zp denotes {0, 1, …, p-1}. We define + and · as addition and multiplication modulo p, respectively.
One can prove that (Zp,+,·) is a field iff p is prime.
Q.: Are there any finite fields except (Zp,+,·)?

Galois Fields GF(p^k)
Évariste Galois (1811-1832)
Theorem: For every prime power p^k (k = 1, 2, …) there is a unique finite field containing p^k elements. These fields are denoted by GF(p^k). There are no finite fields with other cardinalities.

Polynomials over Finite Fields
Polynomial equations and factorizations in finite fields can be different than over the rationals.
Examples from an XMAPLE session (screenshot):

Irreducible Polynomials
A polynomial is irreducible in GF(p) if it does not factor over GF(p). Otherwise it is reducible.
Examples (XMAPLE screenshot):
The same polynomial is reducible in Z5 but irreducible in Z2.

Implementing GF(p^k) arithmetic
Theorem: Let f(x) be an irreducible polynomial of degree k over Zp.
The finite field GF(p^k) can be realized as the set of polynomials of degree ≤ k-1 over Zp, with addition and multiplication done modulo f(x).

Example: Implementing GF(2^k)
By the theorem the finite field GF(2^5) can be realized as the set of polynomials of degree ≤ 4 over Z2, with addition and multiplication done modulo the irreducible polynomial f(x) = x^5+x^4+x^3+x+1.
The coefficients of polynomials over Z2 are 0 or 1. So a degree k polynomial can be written down by k+1 bits. For example, with k = 4:
  x^3+x+1        (0,1,0,1,1)
  x^4+x^3+x+1    (1,1,0,1,1)

Implementing GF(2^k)
Addition: bit-wise XOR (since 1+1 = 0)
    x^3+x+1        (0,1,0,1,1)
  + x^4+x^3+x      (1,1,0,1,0)
  ----------------------------
    x^4+1          (1,0,0,0,1)

Implementing GF(2^k)
Multiplication: polynomial multiplication, and then remainder modulo the defining polynomial f(x):
  (1,1,0,1,1) * (0,1,0,1,1) = (1,1,0,0,1)
For a small finite field, a lookup table is the most efficient method for implementing multiplication.

Implementing GF(2^5) in XMAPLE (screenshot: defining the irreducible polynomial)

More GF(2^5) Operations in XMAPLE (screenshot): addition b+c; e <-- inverse of a; multiplication a*e; test primitive element; loop for finding primitive elements
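The GF(2^k) arithmetic of the last slides (bit-vector representation, XOR addition, multiply-then-reduce, inverse and the primitive-element search shown in XMAPLE) as an added Python example that is not the slides' XMAPLE code; it uses the slides' f(x) = x^5+x^4+x^3+x+1 and, going beyond the slides, also the AES polynomial x^8+x^4+x^3+x+1 (an assumption of this example) to show that the same code realizes the GF(2^8) that AES bytes live in:

```python
# Added example: a polynomial over Z_2 is stored as an int whose bit i is the
# coefficient of x^i. Addition is XOR; multiplication is the polynomial product
# reduced modulo the defining irreducible polynomial f.

F5 = 0b111011         # x^5 + x^4 + x^3 + x + 1   (the slides' GF(2^5))
F8_AES = 0b100011011  # x^8 + x^4 + x^3 + x + 1   (AES field, assumption: 0x11B)


def degree(a: int) -> int:
    return a.bit_length() - 1


def from_bits(bits) -> int:
    """Slides' notation, msb first: (0,1,0,1,1) -> x^3 + x + 1."""
    return int("".join(str(b) for b in bits), 2)


def to_bits(a: int, k: int) -> tuple:
    """k+1 coefficient bits, msb first (a degree-k polynomial needs k+1 bits)."""
    return tuple((a >> i) & 1 for i in range(k, -1, -1))


def gf_add(a: int, b: int) -> int:
    """Bit-wise XOR, since 1 + 1 = 0 in Z_2."""
    return a ^ b


def gf_mod(a: int, f: int) -> int:
    """Remainder of a modulo f: long division where each subtraction is an XOR."""
    while a and degree(a) >= degree(f):
        a ^= f << (degree(a) - degree(f))
    return a


def gf_mul(a: int, b: int, f: int) -> int:
    """Shift-and-add polynomial product, then reduce modulo f."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a <<= 1
        b >>= 1
    return gf_mod(prod, f)


def gf_pow(a: int, e: int, f: int) -> int:
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a, f)
        a = gf_mul(a, a, f)
        e >>= 1
    return result


def gf_inv(a: int, f: int) -> int:
    """The multiplicative group has 2^k - 1 elements, so by Lagrange
    a^(2^k - 1) = 1 and a^(2^k - 2) is the inverse of a (a != 0)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^k)")
    return gf_pow(a, (1 << degree(f)) - 2, f)


def is_irreducible(f: int) -> bool:
    """Trial division by every polynomial of degree 1 .. k/2, with k = deg f."""
    k = degree(f)
    return k >= 1 and all(gf_mod(f, g) != 0 for g in range(2, 1 << (k // 2 + 1)))


def gf_order(a: int, f: int) -> int:
    """Smallest n >= 1 with a^n = 1."""
    if a == 0:
        raise ValueError("0 is not in the multiplicative group")
    n, x = 1, a
    while x != 1:
        x, n = gf_mul(x, a, f), n + 1
    return n


def primitive_elements(f: int) -> list:
    """Generators of the multiplicative group: the elements of order 2^k - 1."""
    k = degree(f)
    return [a for a in range(1, 1 << k) if gf_order(a, f) == (1 << k) - 1]
```

In GF(2^5) every element except 1 is primitive because 31 is prime; in the AES field only φ(255) = 128 of the 255 non-zero elements are.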

Back to Symmetric Block Ciphers
  DES: out    AES: in

Historic Note
DES (Data Encryption Standard) is a symmetric block cipher using 64-bit blocks and a 56-bit key.
Developed at IBM, approved by the US government (1976) as a standard. The size of the key (56 bits) was apparently small enough to allow the NSA (US National Security Agency) to break it exhaustively even back in the 70's.
In the 90's it became clear that DES is too weak for contemporary hardware & algorithmics. (Best attack, Matsui's "linear attack", requires only 2^43 known plaintext/ciphertext pairs.)

Historic Note (cont.)
The US government NIST (National Institute of Standards and Technology) announced a call for an advanced encryption standard in 1997.
This was an international open competition. Overall, 15 proposals were made and evaluated, and 6 were finalists. Out of those, a proposal named Rijndael, by Daemen and Rijmen (two Belgians), was chosen in February 2001.

AES - Advanced Encryption Standard
• Symmetric block cipher
• Key lengths: 128, 192, or 256 bits
• Approved US standard (2001)

AES Design Rationale
• Resistance to all known attacks.
• Speed and code compactness.
• Simplicity.

AES Specifications
• Input & output block length: 128 bits.
• State: 128 bits, arranged in a 4-by-4 matrix of bytes:
    A0,0 A0,1 A0,2 A0,3
    A1,0 A1,1 A1,2 A1,3
    A2,0 A2,1 A2,2 A2,3
    A3,0 A3,1 A3,2 A3,3
  Each byte is viewed as an element in GF(2^8).
  Input/Output order (column by column): A0,0, A1,0, A2,0, A3,0, A0,1, …

AES Specifications
• Key length: 128, 192, 256 bits.
Cipher Key layout: n = 128, 192, 256 bits, arranged in a 4-by-n/32 matrix of bytes (shown here for n = 192, i.e. 6 columns):
    K0,0 K0,1 K0,2 K0,3 K0,4 K0,5
    K1,0 K1,1 K1,2 K1,3 K1,4 K1,5
    K2,0 K2,1 K2,2 K2,3 K2,4 K2,5
    K3,0 K3,1 K3,2 K3,3 K3,4 K3,5
Initial layout (column by column): K0,0, K1,0, K2,0, K3,0, K0,1, …
Page 60

AES Specifications
• High level code (R = 10, 12 or 14 rounds for 128-, 192- and 256-bit keys respectively; R+1 round keys are needed):

  AES(State, Key)
    KeyExpansion(Key, ExpandedKey)
    AddRoundKey(State, ExpandedKey[0])
    for (i = 1; i < R; i++)
      Round(State, ExpandedKey[i])
    FinalRound(State, ExpandedKey[R])
Page 61

Encryption: carried out in rounds
[Figure: input block (128 bits) → rounds → output block (128 bits); the secret key (128 bits) feeds every round through its round key.]
Page 62

Rounds in AES
• With a 128-bit key AES uses 10 rounds. (For longer keys, add one round for every extra 32 bits: 12 rounds for 192-bit keys, 14 rounds for 256-bit keys.)
• The secret key is expanded from 128 bits to 11 round keys of 128 bits each: one for the initial AddRoundKey and one per round.
• Each round transforms the state, then XORs in the round key.
Each round complicates things a little. Shortcuts are known only for reduced-round variants (see "Breaking AES" below), not for the full cipher: overall it appears infeasible to invert without the secret key (but easy given the key).
Page 63

AES Specifications: One Round
Transform the 4-by-4 state matrix (A0,0 … A3,3) by applying:
1. Substitution (SubBytes)
2. Shift rows (ShiftRows)
3. Mix columns (MixColumns)
4. XOR round key (AddRoundKey)
The final round omits step 3: a linear, key-independent step at the very end would add no security, and leaving it out makes decryption structurally symmetric to encryption.
Page 64

Substitution (S-Box)
Substitution operates on every byte separately: Ai,j ← S(Ai,j), where S first replaces Ai,j by its multiplicative inverse in GF(2^8) (a highly non-linear map) and then applies a fixed affine transformation over GF(2). The affine step is what removes fixed points and the simple algebraic description that the inverse alone would have.
If Ai,j = 0, the inverse step leaves it unchanged (the affine map then sends it to 0x63).
Clearly, the substitution is invertible; in practice S is tabulated as a 256-entry table, and its inverse table is used for decryption.
Page 65

Cyclic Shift of Rows
Row r of the state is rotated left by r positions:

  A0,0 A0,1 A0,2 A0,3   no shift
  A1,1 A1,2 A1,3 A1,0   shift 1 position
  A2,2 A2,3 A2,0 A2,1   shift 2 positions
  A3,3 A3,0 A3,1 A3,2   shift 3 positions

Clearly, the shift is invertible.
Page 66

Mixing Columns
Every state column is considered as a polynomial of degree at most 3 over GF(2^8).
Multiply it by the fixed invertible polynomial 03 x^3 + 01 x^2 + 01 x + 02 (mod x^4 + 1).
Its inverse, used for decryption, is 0B x^3 + 0D x^2 + 09 x + 0E.

Round:
  SubBytes(State)
  ShiftRows(State)
  MixColumns(State)
  AddRoundKey(State, ExpandedKey[i])
Page 67

Key Expansion
• Generate a "different key" per round.
• Need a 4 x 4 matrix of values (over GF(2^8)) per round.
• Based upon a non-linear transformation of the original key.
• Details available in: The Design of Rijndael, Joan Daemen and Vincent Rijmen, Springer.
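The round components from the preceding slides (GF(2^8) arithmetic, the S-box built from the multiplicative inverse plus the affine map, ShiftRows, MixColumns with its inverse polynomial, the key expansion and the round schedule) fit together as follows. This is an added example written for this page, not code from the slides or from Daemen and Rijmen; it assumes the state is kept as a 16-byte list in column-major order (index 4*c + r holds A[r][c]), which matches the input/output ordering the slides give. It is checked against the published FIPS-197 Appendix C.1 test vector.

```python
# Added example (not the slides' code): AES-128 encryption written out from the
# components in the slides. Assumption: state is a 16-byte list, column-major,
# so state[4*c + r] is A[r][c], matching the slides' input/output order.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else (a << 1) & 0xFF  # times x, reduced
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 is mapped to 0 as the slide states."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254   # a^254 = a^-1 since the group has order 255
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def sbox_entry(a):
    """S-box = inverse in GF(2^8) followed by the fixed affine map over GF(2)."""
    x = gf_inv(a)
    y = x
    for i in range(1, 5):
        y ^= ((x << i) | (x >> (8 - i))) & 0xFF   # x rotated left by i bits
    return y ^ 0x63

SBOX = [sbox_entry(a) for a in range(256)]

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions: new A[r][c] = old A[r][(c+r) % 4]."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column times 03x^3+01x^2+01x+02 mod x^4+1, written as the usual matrix."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def inv_mix_columns(state):
    """Multiply by the inverse polynomial 0Bx^3+0Dx^2+09x+0E (checks the slide's claim)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(a0, 14) ^ gf_mul(a1, 11) ^ gf_mul(a2, 13) ^ gf_mul(a3, 9),
                gf_mul(a0, 9) ^ gf_mul(a1, 14) ^ gf_mul(a2, 11) ^ gf_mul(a3, 13),
                gf_mul(a0, 13) ^ gf_mul(a1, 9) ^ gf_mul(a2, 14) ^ gf_mul(a3, 11),
                gf_mul(a0, 11) ^ gf_mul(a1, 13) ^ gf_mul(a2, 9) ^ gf_mul(a3, 14)]
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """AES-128 key schedule: 44 words = 11 round keys (ExpandedKey[0..10])."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]             # RotWord
            t = [SBOX[b] for b in t]      # SubWord: the non-linear step
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)        # next round constant
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """AddRoundKey, 9 full rounds, then the final round without MixColumns."""
    rk = key_expansion(key)
    state = add_round_key(list(block), rk[0])
    for i in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[i])
    state = add_round_key(shift_rows(sub_bytes(state)), rk[10])
    return bytes(state)

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 test vector (published, not constructed here)
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())  # 69c4e0d86a7b0430d8cdb78070b4c55a
```

Two things worth noticing when stepping through it: the S-box table is derived, not pasted, so the "inverse plus affine map" description can be checked byte by byte (S(0x00) = 0x63, S(0x53) = 0xED as in FIPS 197), and `inv_mix_columns(mix_columns(x)) == x` confirms that the 0B/0D/09/0E polynomial really is the inverse claimed on the slide. A table-driven implementation like this one is also a textbook cache-timing side channel; production code uses AES-NI or constant-time bitsliced code, not `SBOX[b]` lookups.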
Page 68

Breaking AES
Breaking 1 or 2 rounds is easy.
Reduced-round variants are the usual research target: published attacks reach 6 and 7 rounds of AES-128, but they are far too expensive to be practical.
Breaking the full 10-round AES efficiently (say in 1 year on existing hardware, or in noticeably fewer than 2^128 operations) is not known to be possible: the best published results shave only a couple of bits off exhaustive key search. (A good, tough challenge…)
Page 69

Exercises
1. Evaluate error propagation in CBC and OFB:
   • Show how an adversary can modify a block as he/she prefers, accepting that the remaining part of the message may be corrupted as a side effect.
   • Discuss the security of this and techniques for avoiding such attacks.
2. CBC and OFB use an initial seed (IV) that must be known to both the sender and the receiver.
   • Assume that the initial seed is sent in the clear (so it is known to the adversary). Show how the adversary is able to modify part of the message. Conclusion: either the initial seed is fixed in advance or it must be encrypted and sent before the message. (Note that in practice the IV is sent in the clear and the ciphertext is protected with a MAC or authenticated encryption: hiding the IV does not by itself stop ciphertext modification, since in OFB the adversary does not even need the IV to flip plaintext bits.)
   • Break OFB if you use the same key and the same initial seed more than once.
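The OFB parts of Exercises 1 and 2 (bit-flipping a chosen stretch of plaintext without the key, and the two-time pad that results from reusing key and IV) can be worked through concretely. This is an added example for this page, not the slides' code. It assumes a stand-in for the block cipher: `block_fn` is HMAC-SHA256 truncated to 16 bytes rather than AES, which is legitimate here because OFB only ever evaluates the block cipher in the forward direction, so every mode-level property shown carries over unchanged to real AES-OFB; the messages, key and IV are constructed sample values.

```python
# Added example (not the slides' code) for Exercises 1 and 2 on OFB.
# Assumption: block_fn stands in for AES_K with a keyed PRF (HMAC-SHA256 cut to
# 16 bytes). OFB only uses the forward direction of the cipher, so the attacks
# below behave identically with real AES.
import hashlib
import hmac

BLOCK = 16

def block_fn(key, block):
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ofb_keystream(key, iv, n):
    """O_0 = IV, O_i = E_K(O_{i-1}); the keystream depends only on key and IV."""
    out, o = b"", iv
    while len(out) < n:
        o = block_fn(key, o)
        out += o
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_encrypt(key, iv, data):
    return xor(data, ofb_keystream(key, iv, len(data)))

ofb_decrypt = ofb_encrypt   # decryption is the same XOR

def bitflip(ct, offset, known, wanted):
    """Exercise 1: with no key, rewrite plaintext bytes the attacker knows.
    C' = C xor known xor wanted decrypts to `wanted` at `offset`; no other byte
    of the message changes, because OFB has no error propagation at all."""
    end = offset + len(known)
    return ct[:offset] + xor(xor(ct[offset:end], known), wanted) + ct[end:]

def recover_with_crib(c1, c2, crib, offset):
    """Exercise 2: same key and IV twice gives C1 xor C2 = P1 xor P2, so a known
    stretch of P1 (a crib) reveals the corresponding bytes of P2."""
    end = offset + len(crib)
    return xor(xor(c1[offset:end], c2[offset:end]), crib)

if __name__ == "__main__":
    key, iv = b"k" * BLOCK, b"iv-sent-in-clear"          # constructed sample values
    p1 = b"transfer 0100 EUR to alice"
    c1 = ofb_encrypt(key, iv, p1)
    forged = bitflip(c1, 9, b"0100", b"9900")            # attacker never sees key or IV
    print(ofb_decrypt(key, iv, forged))                  # b'transfer 9900 EUR to alice'
    p2 = b"transfer 0042 EUR to bob  "
    c2 = ofb_encrypt(key, iv, p2)                        # IV reused: a two-time pad
    print(recover_with_crib(c1, c2, p1[:13], 0))         # b'transfer 0042'
```

The contrast with CBC is the point of the exercise: in CBC the same edit to ciphertext block C_i turns the decryption of that block into garbage and flips exactly the chosen bits in the next plaintext block, whereas in OFB the edit lands cleanly on the targeted bytes and nothing else is disturbed. Neither mode detects the change; the fix is not secrecy of the IV but a MAC over IV and ciphertext, or an authenticated mode, plus a never-repeating IV.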