Part (02) Modern Encryption techniques


1 Part (02) Modern Encryption techniques. Dr. Ahmed M. ElShafee

2 Block Ciphers and Feistel cipher

3 Introduction. Modern block ciphers are widely used to provide encryption of quantities of information, and/or a cryptographic checksum to ensure the contents have not been altered. Block ciphers work on a block (word) at a time, which is some number of bits; all of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a stream. Block ciphers are currently better analysed and seem to have a broader range of applications, hence the focus on them.

4 Block cipher principles. An arbitrary reversible substitution cipher for a large block size is not practical from an implementation and performance point of view. In general, an n-bit general substitution block cipher needs a substitution table of 2^n entries. For a 64-bit block (8 bytes), a pure block substitution cipher is a huge table of 2^64 entries, each entry 64 bits long, so the size of the S-box is 64 x 2^64 = 2^70 = 1.18E21 bits = 1.34E8 terabytes. In general, for an n-bit general substitution block cipher, the size of the key (the table itself) is n x 2^n bits.

5 Block length | S-box length
8 bits | 8 x 2^8 = 2048 bits = 256 bytes
16 bits | 16 x 2^16 = 1.05E6 bits = 128 kbytes
32 bits | 32 x 2^32 = 1.37E11 bits = 16 Gbytes
64 bits | 64 x 2^64 = 2^70 = 1.18E21 bits = 1.34E8 terabytes

6 Claude Shannon and Substitution-Permutation Ciphers. Claude Shannon's 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of a product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and P-boxes (in conjunction with S-boxes). Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key.


8 The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

9 Block cipher design rules. Applying what Shannon said, a cryptosystem designer should follow these rules:
- instead of building one huge substitution block, build the cipher from smaller building blocks using the idea of a product cipher (an SPN)
- the block cipher transforms a plaintext block into a ciphertext block under the user's key
- the block cipher is invertible: each step is a 1:1 (bijective) function of the block

10 Feistel Cipher. Horst Feistel, working at IBM Thomas J. Watson Research Labs, devised a suitable invertible cipher structure in the early 70s. One of Feistel's main contributions was the invention of a structure which adapted Shannon's S-P network into an easily inverted form.

11 It partitions the input block into two halves which are processed through multiple rounds; each round performs a substitution on the left data half based on a round function of the right half and a subkey, and then a permutation that swaps the halves. Essentially the same hardware or software is used for both encryption and decryption, with just a slight change in how the keys are used. One layer of S-boxes and the following P-box form the round function.

12 Feistel cipher as a block substitution box. Feistel refers to an n-bit general substitution as an ideal block cipher: it allows for the maximum number of possible encryption mappings from the plaintext block to the ciphertext block.

13 Ex: A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation.

14 Feistel Cipher Design Elements. The exact realization of a Feistel network depends on the choice of the following parameters and design features:
- block size: increasing size improves security, but slows the cipher
- key size: increasing size improves security and makes exhaustive key search harder, but may slow the cipher
- number of rounds: increasing the number improves security, but slows the cipher
- subkey generation algorithm: greater complexity can make analysis harder, but slows the cipher
- round function: greater complexity can make analysis harder, but slows the cipher
- fast software encryption/decryption: a more recent concern for practical use
- ease of analysis: for easier validation and testing of strength

15 Feistel cipher decryption. The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order.

16 That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.


18 Proof: a single Feistel round applied twice with the same subkey gives back its input
Encryption: R2 = R1 (1); L2 = L1 xor F(R1, K) (2)
Decryption: R3 = R2 (3); L3 = L2 xor F(R2, K) (4)
From (3) and (1): R3 = R1
From (2) and (4): L3 = L1 xor F(R1, K) xor F(R2, K); but R2 = R1, so L3 = L1 xor F(R1, K) xor F(R1, K) = L1

19 Proof: Feistel decryption inverts Feistel encryption (two rounds)
Encryption:
R3 = L2 xor F(R2, K2) (1)
L3 = R2 (2)
R2 = L1 xor F(R1, K1) (3)
L2 = R1 (4)

20 Decryption:
R5 = R4 (5)
L5 = L4 xor F(R4, K1) (6)
R4 = R3 xor F(L3, K2) (7)
L4 = L3 (8)

21 From (1), (2), (4): R3 = R1 xor F(L3, K2) (9)
From (2), (3): L3 = L1 xor F(R1, K1) (10)
From (7), (5): R5 = R3 xor F(L3, K2) (11)
From (8), (5), (6): L5 = L3 xor F(R5, K1) (12)
Substituting (9) into (11): R5 = R1 xor F(L3, K2) xor F(L3, K2) = R1
Substituting (10) into (12): L5 = L1 xor F(R1, K1) xor F(R5, K1); since R5 = R1, F(R1, K1) = F(R5, K1), so L5 = L1. QED
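The two-round argument above holds for any number of rounds and for any round function, invertible or not, because F only ever appears XORed twice with the same inputs. The following Python is an added example (not code from the slides): a generic XOR Feistel network on 64-bit blocks with a deliberately non-invertible F (a truncated SHA-256) and a toy key schedule of my own. It shows that the same routine decrypts when the subkeys are fed in reverse order, and that one round applied twice with the same subkey is the identity, as on slide 18.

```python
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def key_schedule(master_key: bytes, rounds: int) -> list:
    """Toy key schedule (an assumption of this example): K_i = first 4 bytes of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(master_key + bytes([i])).digest()[:4], "big")
            for i in range(1, rounds + 1)]


def round_function(right: int, subkey: int) -> int:
    """F(R, K): a truncated hash, so it is NOT invertible. The Feistel structure never needs F^-1."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, subkeys: list) -> int:
    """Apply L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) for each subkey, then undo the last swap."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left   # output (R_n, L_n): the final swap is omitted


def encrypt(block: int, subkeys: list) -> int:
    return feistel(block, subkeys)


def decrypt(block: int, subkeys: list) -> int:
    """Same routine as encrypt; only the order of the subkeys changes (K_n first, K_1 last)."""
    return feistel(block, subkeys[::-1])


def bits_changed(a: int, b: int) -> int:
    """Hamming distance between two ciphertexts (a crude avalanche measure)."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    ks = key_schedule(b"example master key", 16)
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, ks)
    print(f"plaintext  {pt:016x}")
    print(f"ciphertext {ct:016x}")
    print(f"decrypted  {decrypt(ct, ks):016x}")
    print("ciphertext bits changed by flipping one plaintext bit:",
          bits_changed(ct, encrypt(pt ^ 1, ks)))
```

Because `decrypt` is literally `encrypt` with the subkey list reversed, an implementation needs one code path and one set of tables; the key schedule is the only place that knows which direction is being run.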

22 Thanks, see you next week (ISA)

23 Feistel Cipher Example. A simplified 2-round Feistel cipher operating on the 26 English letters (the plaintext character space). Dr. Ahmed M. ElShafee

24 (Diagram) An 8-character block is split into two 4-character halves L1 and R1. Round 1 uses subkey K1 and produces L2, R2; round 2 uses K2 and produces the ciphertext L3, R3. Decryption runs the rounds back with K2 then K1, subtracting the round-function output, giving L4, R4 and finally L5, R5.

25 The Feistel function is an SP network: the characters of the right half are combined with the subkey characters (the slides' "+" is letter-wise addition mod 26, with a = 0 ... z = 25, as the worked values show), each result goes through its own simple substitution (4 S-boxes S1..S4, one per character position), followed by a simple permutation (1 P-box).

26 Key schedule: K1 is the key itself and K2 is the key rotated left by one character (key scrt gives K1 = scrt, K2 = crts).

27 Example 1. Use the following Feistel cipher to encrypt the message supplies using the key scrt.
S1 = pdqjkfvobwselcmtirhgnyxazu
S2 = gcobidpjmywurtzqefkxnlhsav
S3 = musxelogkrqpzbatifjycdnvhw
S4 = ycsjndegatipzwhrokfqvxlubm
P = dacb

28 (Diagram) L1 R1 -> (+ K1, SPN) -> L2 R2 -> (+ K2, SPN) -> L3 R3

29 Round 1: L1 = supp, R1 = lies, K1 = scrt. R1 + K1 = dkvl; S-boxes give jwdp; P-box gives pjdw. L2 = R1 = lies; R2 = L1 + pjdw = hdsl.
Round 2: K2 = crts. R2 + K2 = juld; S-boxes give wnpj; P-box gives jwpn. L3 = R2 = hdsl; R3 = L2 + jwpn = uetf.
Ciphertext: hdsluetf

30-33 SPN detail: round 1 S-box input dkvl -> S-box output jwdp -> P-box (dacb) -> Feistel output pjdw; round 2 S-box input juld -> S-box output wnpj -> P-box -> Feistel output jwpn.

34 Example 2. Use the same Feistel cipher (S1..S4 and P = dacb as in Example 1) to encrypt the message tenfifty using the key scrt.

35-36 Round 1: L1 = tenf, R1 = ifty, K1 = scrt. R1 + K1 = ahkr; S-boxes give pjqk; P-box gives kpqj. L2 = R1 = ifty; R2 = L1 + kpqj = dtdo.
Round 2: K2 = crts. R2 + K2 = fkwg; S-boxes give fwne; P-box gives efnw. L3 = R2 = dtdo; R3 = L2 + efnw = mkgu.
Ciphertext: dtdomkgu

37-40 SPN detail: round 1 S-box input ahkr -> S-box output pjqk -> P-box -> Feistel output kpqj; round 2 S-box input fkwg -> S-box output fwne -> P-box -> Feistel output efnw.

41 Example 3. Use the same Feistel cipher to decrypt the message qdkcdyjk using the key scrt.

42-43 Decryption uses the subkeys in reverse order (K2, then K1) and subtracts (mod 26) the round-function output.
Round 1: L3 = qdkc, R3 = dyjk, K2 = crts. L3 + K2 = sudu; S-boxes give hnxv; P-box gives vhxn. L4 = L3 = qdkc; R4 = R3 - vhxn = irmx.
Round 2: K1 = scrt. R4 + K1 = atdq; S-boxes give pxxo; P-box gives opxx. L5 = L4 - opxx = conf; R5 = R4 = irmx.
Plaintext: confirmx

44-47 SPN detail: round 1 S-box input sudu -> S-box output hnxv -> P-box -> Feistel output vhxn; round 2 S-box input atdq -> S-box output pxxo -> P-box -> Feistel output opxx.

48 Example 4. Use the same Feistel cipher to decrypt the message hvxswxwk using the key scrt.

49-50 Round 1: L3 = hvxs, R3 = wxwk, K2 = crts. L3 + K2 = jmqk; S-boxes give wrii; P-box gives iwir. L4 = L3 = hvxs; R4 = R3 - iwir = obot.
Round 2: K1 = scrt. R4 + K1 = gdfm; S-boxes give vblz; P-box gives zvlb. L5 = L4 - zvlb = iamr; R5 = R4 = obot.
Plaintext: iamrobot

51-54 SPN detail: round 1 S-box input jmqk -> S-box output wrii -> P-box -> Feistel output iwir; round 2 S-box input gdfm -> S-box output vblz -> P-box -> Feistel output zvlb.
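The following Python is an added example, not code from the slides: it implements the 2-round letter Feistel cipher of Examples 1 to 4 (S1..S4, P = dacb, K2 = key rotated left by one), using letter-wise addition and subtraction mod 26 for the slides' "+" and "-", and reproduces the four worked results (supplies -> hdsluetf, tenfifty -> dtdomkgu, qdkcdyjk -> confirmx, hvxswxwk -> iamrobot).

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
S_BOXES = ["pdqjkfvobwselcmtirhgnyxazu",   # S1 (applied to character 1)
           "gcobidpjmywurtzqefkxnlhsav",   # S2
           "musxelogkrqpzbatifjycdnvhw",   # S3
           "ycsjndegatipzwhrokfqvxlubm"]   # S4
P_BOX = "dacb"   # output = (input[d], input[a], input[c], input[b])


def idx(c: str) -> int:
    return ord(c) - ord("a")


def add(a: str, b: str) -> str:
    """Letter-wise addition mod 26 (the slides' '+'): a = 0 ... z = 25."""
    return "".join(ALPHABET[(idx(x) + idx(y)) % 26] for x, y in zip(a, b))


def sub(a: str, b: str) -> str:
    """Letter-wise subtraction mod 26 (the slides' '-'), the inverse of add."""
    return "".join(ALPHABET[(idx(x) - idx(y)) % 26] for x, y in zip(a, b))


def round_function(half: str, subkey: str) -> str:
    """SPN: key mixing, one S-box per character position, then the P-box."""
    mixed = add(half, subkey)
    substituted = "".join(S_BOXES[i][idx(c)] for i, c in enumerate(mixed))
    return "".join(substituted[idx(p)] for p in P_BOX)


def subkeys(key: str) -> list:
    """K1 = key, K2 = key rotated left by one character (scrt -> crts)."""
    return [key, key[1:] + key[0]]


def encrypt(plaintext: str, key: str) -> str:
    left, right = plaintext[:4], plaintext[4:]
    for k in subkeys(key):                      # L_{i+1} = R_i, R_{i+1} = L_i + F(R_i, K_i)
        left, right = right, add(left, round_function(right, k))
    return left + right


def decrypt(ciphertext: str, key: str) -> str:
    left, right = ciphertext[:4], ciphertext[4:]
    for k in reversed(subkeys(key)):            # L_i = R_{i+1} - F(L_{i+1}, K_i), R_i = L_{i+1}
        left, right = sub(right, round_function(left, k)), left
    return left + right


if __name__ == "__main__":
    for msg in ("supplies", "tenfifty"):
        print(msg, "->", encrypt(msg, "scrt"))
    for msg in ("qdkcdyjk", "hvxswxwk"):
        print(msg, "->", decrypt(msg, "scrt"))
```

Note that the key mixing is addition rather than XOR, so the decryption rounds must subtract; with XOR, as in the proof above, the same routine would serve both directions.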

55 Data Encryption Standard

56 Data Encryption Standard (DES). The most widely used symmetric (private-key) block cipher has been the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards (now NIST) as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoyed widespread use, and it has also been the subject of much controversy concerning its security.

57 DES history. In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip.

58 It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

59 DES Design Controversy. Although the DES standard is public, before and after its adoption as a standard DES faced considerable controversy (argument) over its design: over the choice of a 56-bit key (vs. the 128-bit key of LUCIFER), and because the design criteria were classified. Subsequent events and public analysis showed that the design was in fact appropriate, and use of DES flourished, especially in financial applications. Recent analysis has shown, despite this controversy, that DES is well designed. DES is theoretically broken using differential or linear cryptanalysis, but in practice neither attack is feasible against the full 16-round cipher.

60 However, rapid advances in computing speed have rendered the 56-bit key susceptible to exhaustive key search, as predicted by Diffie and Hellman. DES remained standardized only for legacy systems (NIST withdrew FIPS 46-3 in 2005), with either AES or triple DES for new applications.

61 DES overall structure. DES takes a 64-bit data block and a 64-bit key (of which 56 bits are used) as input. The process for enciphering a 64-bit data block consists of:
1. an initial permutation (IP) which shuffles the 64-bit input block
2. 16 rounds of a complex key-dependent round function involving substitutions and permutations
3. a final permutation, being the inverse of IP

63 The handling of the 56-bit key consists of:
1. an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
2. 16 stages to generate the 48-bit subkeys, each using a left circular shift of the two 28-bit halves followed by a permutation (PC2) that selects 48 of the 56 bits

64 1. Initial Permutation IP. The initial permutation and its inverse are defined by tables, shown on the next slides. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.

65-66 (Tables for the initial permutation IP and its inverse IP^-1.)

67 Note that the bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use, so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 (rightmost, least significant). Note that examples are specified using hexadecimal. Here a 64-bit plaintext value of 675a6967 5e5a6b5a (written in left and right halves) after permuting with IP becomes ffb2194d 004df6fb: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb).

68 DES Round Structure

69 The round function F takes the R half and the subkey and processes them through E, subkey addition, S and P. This follows the classic structure for a Feistel cipher. Using the two 32-bit L and R halves, as for any Feistel cipher, round i can be described as:
L_i = R_{i-1}
R_i = L_{i-1} xor F(R_{i-1}, K_i)

70 F takes the 32-bit R half and a 48-bit subkey: it expands R to 48 bits using the expansion permutation E, adds the subkey using XOR, passes the result through 8 S-boxes to get a 32-bit result, and finally permutes it using the 32-bit permutation P. Note that the S-boxes provide the confusion of data and key values; the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving diffusion.


73 The R input is first expanded to 48 bits by using expansion table E, which defines a permutation plus an expansion that involves duplication of 16 of the R bits. The resulting 48 bits are XORed with K_i. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P.

74 Substitution Boxes S. There are eight S-boxes which each map 6 bits to 4 bits. Each S-box is actually 4 little 4-bit boxes: the outer bits 1 and 6 (row bits) select one of 4 rows, and the inner bits 2-5 (column bits) are substituted. The result is 8 lots of 4 bits, i.e. 32 bits. The row selection depends on both data and key, a feature known as autoclaving (autokeying). Example (6-bit inputs written in hex): S(18 09 12 3d ...) = 5fd25e03

75-76 (Tables for S-boxes S1 to S8.)

77 For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001. The example lists 8 six-bit values (i.e. 18 hex is 011000 in binary, 09 hex is 001001, 12 hex is 010010, 3d hex is 111101, etc.), each of which is replaced following the process detailed above using the appropriate S-box, i.e.
S1(011000): look up row 00, column 1100 in S1 to get 5
S2(001001): look up row 01, column 0100 in S2 to get 15 = f in hex
S3(010010): look up row 00, column 1001 in S3 to get 13 = d in hex
S4(111101): look up row 11, column 1110 in S4 to get 2
etc.


79 DES Key Schedule. The DES key schedule generates the subkeys needed for each data encryption round. The 64-bit key input is first processed by Permuted Choice One (PC1); the resulting 56-bit key is then treated as two 28-bit quantities C and D. In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits.

80 These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (PC2), which produces a 48-bit output that serves as the subkey for the round function F. The 56-bit key size came from the security considerations of the time: it was big enough that an exhaustive key search was about as hard as the best direct attack.

81 The extra 8 bits were used as parity (error-detecting) bits, which makes sense given the original design use for hardware communication links. However, this creates a problem for naive software implementations that use ASCII text directly as the key: the top bit of each byte is 0 (since ASCII only uses 7 bits), while the DES key schedule throws away the bottom bit of each byte (the parity bit), so such a key has only 48 unknown bits. A good implementation needs to be cleverer (for example, derive the key bits from a passphrase with a hash rather than using its bytes directly).

82-84 (Tables for PC1, the per-round left-shift schedule, and PC2.)

85 DES Decryption. As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order, SK16 .. SK1. If you trace through the DES overview diagram you can see how each decryption step, top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.

86 Avalanche Effect. A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect.


89 Strength of DES: Key Size. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 x 10^16 keys. Thus a brute-force attack appeared impractical. In July 1998, the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98].

90 There have been other demonstrated breaks of DES using both large networks of computers and dedicated hardware, including:
- 1997: on a large network of computers, in a few months
- 1998: on dedicated hardware (EFF), in a few days
- 1999: the above combined, in 22 hours!
It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly we must now consider alternatives to DES, the most important of which are AES and triple DES.

91 Strength of DES: Analytic Attacks. Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually you can recover some or all of the subkey bits, and then exhaustively search for the rest if necessary. Generally these are statistical attacks whose likelihood of success depends on the amount of information gathered. Attacks of this form include differential cryptanalysis, linear cryptanalysis, and related-key attacks.

92 Strength of DES: Timing Attacks. Timing attacks were first described against public-key algorithms; however, the issue is also relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts. It exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES evaluation process highlighted this attack approach and showed that it is a concern particularly with smart-card implementations, though DES itself appears to be fairly resistant to a successful timing attack.

93 Differential Cryptanalysis. Biham and Shamir showed that differential cryptanalysis can be used to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.

94 The differential cryptanalysis attack is complex. The rationale is to observe the behaviour of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Each round of DES maps the right-hand input into the left-hand output and sets the right-hand output to be a function of the left-hand input and the subkey for this round, which means you cannot trace values back through the cipher without knowing the value of the key. Differential cryptanalysis compares two related pairs of encryptions, which can leak information about the key, given a sufficiently large number of suitable pairs.

95 The pairs are chosen with a known difference in the input, searching for a known difference in the output when the same subkeys are used.

96 (This slide belongs with slide 92: the AES evaluation process highlighted timing attacks as a concern, particularly for smart-card implementations.)

97 Linear Cryptanalysis. A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES.

98 The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability $p \neq 0.5$:
$P[i_1, i_2, \ldots, i_a] \oplus C[j_1, j_2, \ldots, j_b] = K[k_1, k_2, \ldots, k_c]$
where $i_a, j_b, k_c$ are bit locations in P, C, K and $X[i_1, \ldots, i_a]$ denotes $X[i_1] \oplus \cdots \oplus X[i_a]$. Once a proposed relation is determined, the procedure is to compute the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of information about them.

99 This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.
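Both attacks on slides 93 to 99 start from a statistical table of one S-box. The following Python is an added example (not code from the slides) that computes, for DES S-box S5 (table from FIPS 46-3), the difference distribution table used by differential cryptanalysis and the linear approximation table used by linear cryptanalysis, and searches the latter for the most biased approximation. Bit masks follow the S-box input order (mask 0b100000 is input bit 1). The best S5 entry, input mask 16 (input bit 2) against output mask 15 (all four output bits), holds for only 12 of the 64 inputs, i.e. with probability 12/64; this is the approximation that Matsui's attack on DES builds on.

```python
# DES S-box S5 (FIPS 46-3): 4 rows of 16 entries.
S5 = [[2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
      [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
      [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
      [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]]


def sbox(table: list, x: int) -> int:
    """6-bit input x: bits 1 and 6 select the row, bits 2-5 the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def difference_distribution_table(table: list) -> list:
    """ddt[dx][dy] = number of inputs x with S(x) xor S(x xor dx) == dy (differential cryptanalysis)."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(table, x) ^ sbox(table, x ^ dx)] += 1
    return ddt


def linear_approximation_table(table: list) -> list:
    """lat[a][b] = number of inputs x with parity(a & x) == parity(b & S(x)).

    32 means the linear relation holds with probability exactly 1/2 (no bias);
    the further from 32, the more useful the approximation (linear cryptanalysis).
    """
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(parity(a & x) == parity(b & sbox(table, x)) for x in range(64))
    return lat


def best_linear_approximation(lat: list) -> tuple:
    """(input mask, output mask, count) with the largest |count - 32| over non-trivial masks."""
    return max(((a, b, lat[a][b]) for a in range(1, 64) for b in range(1, 16)),
               key=lambda t: abs(t[2] - 32))


def best_differential(ddt: list) -> tuple:
    """(dx, dy, count) for the most probable output difference of any non-zero input difference."""
    return max(((dx, dy, ddt[dx][dy]) for dx in range(1, 64) for dy in range(16)),
               key=lambda t: t[2])


if __name__ == "__main__":
    lat = linear_approximation_table(S5)
    a, b, n = best_linear_approximation(lat)
    print(f"best linear approximation of S5: input mask {a:06b}, output mask {b:04b}, holds {n}/64")
    dx, dy, n = best_differential(difference_distribution_table(S5))
    print(f"best differential of S5: dx {dx:06b} -> dy {dy:04b} with probability {n}/64")
```

A full attack chains such single-S-box relations through the permutation P and the Feistel structure across rounds; the bias of the chained relation shrinks multiplicatively, which is why the data requirement grows to 2^43 for 16 rounds.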

100 What is good in the DES design
- 8 S-boxes: provide non-linearity, resistance to differential cryptanalysis and good confusion
- permutation P: provides increased diffusion
- number of rounds: more is better; with 16 rounds, exhaustive search is the best attack
- function F: provides confusion, is nonlinear, gives avalanche; there remain questions of how the S-boxes were selected
- key schedule: complex subkey creation, key avalanche

101 Feistel cipher design aspects. The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Number of rounds: the greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.

102 The function F: the function F provides the element of confusion in a Feistel cipher; we want it to be difficult to unscramble the substitution performed by F. One obvious criterion is that F be nonlinear: the more nonlinear F is, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. We would like any change to the input vector of an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions.

103 The key schedule algorithm: with any Feistel block cipher, the key schedule is used to generate a subkey for each round. We would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee the key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.

104 Data Encryption Standard summary

105-117 (Summary diagrams and their tables: the overall DES structure (initial permutation, rounds 1 to 16 each with round-key generation, inverse initial permutation); one round, in which the 64-bit plain block is split into L_{i-1} and R_{i-1}, R_{i-1} goes through the expansion permutation E, is XORed with the subkey produced by Permuted Choice 2 from the left-circular-shifted output of Permuted Choice 1, then through the S-boxes and permutation P, giving L_i and R_i and finally the 64-bit ciphered block; and the individual tables each stage refers to.)

118 DES Cipher Example. A simplified 2-round DES cipher operating on the 26 English letters (the plaintext character space). Dr. Ahmed M. ElShafee

119-121 (Diagram) Encryption: the 8-character plaintext goes through IP and is split into L1, R1. Each round expands R with EP, adds the round key, compresses with CP, permutes with P and adds the result to L; the round keys come from the 8-character key via PC1, a left shift and PC2 (K1), then a second left shift and PC2 (K2). After round 2 the halves are swapped and IP^-1 gives the 8-character ciphertext. Decryption is the same structure run with K2 then K1, subtracting instead of adding.

122 Example 1. Encrypt the following message using the simplified 2-round DES cipher operating on the 26 English plaintext characters: supplies, using the key secretky.
PC1 = beagdfc
PC2 = befcda
IP = bheagdfc
EP = dacbad
CP = bdca
P = dacb
(Each table lists, for every output position in turn, which input position it takes, with a = 1st, b = 2nd, ...; "+" is letter-wise addition mod 26 and "-" is subtraction mod 26.)

123-124 Key generation: key = secretky. PC1 (beagdfc) gives eeskrtc. Left shift gives eskrtce; PC2 (befcda) gives K1 = stckre. Left shift again gives skrtcee; PC2 gives K2 = kcerts.

125-126 Encryption round 1: IP (bheagdfc) of supplies gives uslsepip, so L1 = usls, R1 = epip. EP (dacbad) of R1 = peipep; + K1 (stckre) = hxkzvt; CP (bdca) = xzkh; P (dacb) = hxkz. L2 = R1 = epip; R2 = L1 + hxkz = bpvr.

127-128 Encryption round 2: EP of R2 = rbvpbr; + K2 (kcerts) = bdzguj; CP = dgzb; P = bdzg. L3 = R2 = bpvr; R3 = L2 + bdzg = fshv. Swapping the halves gives fshvbpvr, and IP^-1 gives the ciphertext vfrphvbs.

129 Example 3. Decrypt the following message using the simplified 2-round DES cipher operating on the 26 English plaintext characters: qkqhnbyt, using the key secretky (same PC1, PC2, IP, EP, CP and P as in Example 1).

130-131 Key generation: as in Example 1, K1 = stckre and K2 = kcerts.

132-133 Decryption round 1: IP of qkqhnbyt gives ktnqyhbq, so L3 = ktnq, R3 = yhbq. EP of R3 = qybhyq; + K2 (kcerts) = aafyri; CP = ayfa; P = aafy. L2 = R3 = yhbq; R2 = L3 - aafy = ktis.

134-135 Decryption round 2: EP of R2 = skitks; + K1 (stckre) = kdkdbw; CP = ddkk; P = kdkd. L1 = R2 = ktis; R1 = L2 - kdkd = oern. Swapping the halves gives oernktis, and IP^-1 gives the plaintext nostrike.
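The following Python is an added example (not code from the slides) implementing the simplified 2-round DES above with the tables of Examples 1 and 3, letter-wise addition and subtraction mod 26 for "+" and "-", and the key schedule (PC1, then a left shift and PC2 per round). It reproduces supplies -> vfrphvbs and qkqhnbyt -> nostrike under the key secretky.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
IP, EP, CP, P = "bheagdfc", "dacbad", "bdca", "dacb"
PC1, PC2 = "beagdfc", "befcda"


def idx(c: str) -> int:
    return ord(c) - ord("a")


def add(a: str, b: str) -> str:
    """Letter-wise addition mod 26 (the slides' '+')."""
    return "".join(ALPHABET[(idx(x) + idx(y)) % 26] for x, y in zip(a, b))


def sub(a: str, b: str) -> str:
    """Letter-wise subtraction mod 26 (the slides' '-')."""
    return "".join(ALPHABET[(idx(x) - idx(y)) % 26] for x, y in zip(a, b))


def perm(text: str, table: str) -> str:
    """Output position i takes input position table[i] (a = 1st, b = 2nd, ...).
    Tables longer than the input expand it (EP); shorter ones compress it (CP, PC1, PC2)."""
    return "".join(text[idx(t)] for t in table)


def inv_perm(text: str, table: str) -> str:
    """Inverse of perm for a table that is a true permutation (used for IP^-1)."""
    out = [""] * len(table)
    for i, t in enumerate(table):
        out[idx(t)] = text[i]
    return "".join(out)


def subkeys(key: str) -> list:
    """PC1 keeps 7 of the 8 key letters; each round: left circular shift by one, then PC2."""
    cd = perm(key, PC1)
    keys = []
    for _ in range(2):
        cd = cd[1:] + cd[0]
        keys.append(perm(cd, PC2))
    return keys


def round_function(right: str, subkey: str) -> str:
    """F(R, K) = P(CP(EP(R) + K)): expand 4 -> 6, mix in the key, compress 6 -> 4, permute."""
    return perm(perm(add(perm(right, EP), subkey), CP), P)


def encrypt(plaintext: str, key: str) -> str:
    block = perm(plaintext, IP)
    left, right = block[:4], block[4:]
    for k in subkeys(key):
        left, right = right, add(left, round_function(right, k))
    return inv_perm(right + left, IP)      # swap the halves, then IP^-1


def decrypt(ciphertext: str, key: str) -> str:
    block = perm(ciphertext, IP)
    left, right = block[:4], block[4:]
    for k in reversed(subkeys(key)):       # K2 first, K1 last; subtract instead of add
        left, right = right, sub(left, round_function(right, k))
    return inv_perm(right + left, IP)


if __name__ == "__main__":
    print("subkeys:", subkeys("secretky"))
    print("supplies ->", encrypt("supplies", "secretky"))
    print("qkqhnbyt ->", decrypt("qkqhnbyt", "secretky"))
```

Unlike real DES this toy has no S-box: every step except the mod-26 key mixing is a fixed rearrangement of letters, which is why it is only useful for tracing the data flow, not for studying confusion.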

136 Empty forms (templates for further exercises)
137 Key generation: key -> PC1 (beagdfc) -> left shift -> PC2 (befcda) = K1 -> left shift -> PC2 (befcda) = K2
138 Encryption round 1: plain -> IP -> L1 | R1; R1 -> EP -> + K1 -> CP -> P = f(R1, K1); L2 = R1, R2 = L1 + f(R1, K1)
139 Encryption round 2: R2 -> EP -> + K2 -> CP -> P = f(R2, K2); L3 = R2, R3 = L2 + f(R2, K2); swap -> IP^-1 -> cipher
140 Decryption round 1: cipher -> IP (bheagdfc) -> left | right; right -> EP (dacbad) -> + K2 -> CP (bdca) -> P (dacb); new left = right, new right = left - f(right, K2)
141 Decryption round 2: right -> EP (dacbad) -> + K1 -> CP (bdca) -> P (dacb); new left = right, new right = left - f(right, K1); swap -> IP^-1 (inverse of bheagdfc) -> plain

142 Advanced Encryption Standard Dr. Ahmed M. ElShafee 142

143 Introduction
The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001. AES is a symmetric block cipher intended to replace DES as the approved standard for a wide range of applications. The AES cipher (and the other candidates) form the latest generation of block ciphers, with a significant increase in block size, from the old standard of 64 bits up to 128 bits, and keys of 128 to 256 bits. Whilst triple-DES is regarded as secure and well understood, it is slow, especially in software.

144 In a first round of evaluation, 15 proposed algorithms were accepted. A second round narrowed the field to 5 algorithms. NIST completed its evaluation process and published the final standard (FIPS PUB 197) in November 2001, selecting Rijndael as the AES algorithm. The two researchers who developed and submitted Rijndael are both cryptographers from Belgium: Dr. Joan Daemen and Dr. Vincent Rijmen.

145 AES selection: the competition requirements
private-key (symmetric) block cipher
128-bit data block, 128/192/256-bit keys
stronger and faster than Triple-DES
active life of 20-30 years (plus archival use)
full specification and design details to be provided
both C and Java implementations
NSA Suite B later specified AES-128 for SECRET data and AES-256 for TOP SECRET data.

146 AES Evaluation Criteria
When NIST issued its original request for candidate algorithm nominations in 1997, the request stated that candidate algorithms would be compared based on the factors shown in Stallings Table 5.1, which were used to evaluate the field of 15 candidates and select the shortlist of 5.
Initial criteria: security (effort required for practical cryptanalysis); cost (computational efficiency); algorithm and implementation characteristics.

147 The final criteria evolved during the evaluation process and were used to select Rijndael from that shortlist: general security; ease of software and hardware implementation; resistance to implementation attacks; flexibility (in encryption/decryption, keying and other factors).

148 AES Shortlist
After testing and evaluation, the shortlist announced in Aug-99 was:
MARS (IBM): complex, fast, high security margin
RC6 (USA): very simple, very fast, low security margin
Rijndael (Belgium): clean, fast, good security margin
Serpent (Europe): slow, clean, very high security margin
Twofish (USA): complex, very fast, high security margin
Notice the mix of commercial (MARS, RC6, Twofish) versus academic (Rijndael, Serpent) proposals, sourced from various countries. All were thought to be good; it came down to the best balance of attributes to meet the criteria, in particular the balance between speed, security and flexibility.

149 The AES Cipher - Rijndael
In Rijndael the block length and the key length can be independently specified as 128, 192 or 256 bits; the AES specification uses the same three key sizes but fixes the block length at 128 bits. Rijndael is an academic submission, based on the earlier Square cipher, from the Belgian academics Dr Joan Daemen and Dr Vincent Rijmen. It is an iterative (substitution-permutation) cipher that operates on the entire data block in every round, rather than a Feistel cipher that operates on one half at a time.

150 It was designed to have characteristics of: Resistance against all known attacks, Speed and code compactness on a wide range of platforms, & Design simplicity. 150

151 Rijndael, the AES structure
Block length and key length: any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits, i.e. 128, 192 or 256 bits each, chosen independently.
Because AES fixes the block length at 128 bits = 16 bytes, the AES state is a 4 x 4 matrix of bytes (4 rows, Nb = 4 columns). Rijndael versions with a larger block length add columns to the state (Nb = 6 or 8); a larger key length adds columns to the key array (Nk = 6 or 8), not to the state.

152 Overall structure 152

153 The state, the cipher key and the number of rounds
The block is mapped to an array of 4 rows and Nb columns; the key is mapped to an array of 4 rows and Nk columns.
Example layout of the state (Nb = 6) and of the cipher key (Nk = 4):
state:                                        cipher key:
A0,0 A0,1 A0,2 A0,3 A0,4 A0,5                 K0,0 K0,1 K0,2 K0,3
A1,0 A1,1 A1,2 A1,3 A1,4 A1,5                 K1,0 K1,1 K1,2 K1,3
A2,0 A2,1 A2,2 A2,3 A2,4 A2,5                 K2,0 K2,1 K2,2 K2,3
A3,0 A3,1 A3,2 A3,3 A3,4 A3,5                 K3,0 K3,1 K3,2 K3,3
The input bytes fill the state column by column, and each column of the state may be treated as a 4-byte vector (a, b, c, d).

154 Rijndael input/output
The input is an array of 4*Nb bytes (indexed 0 .. 4*Nb - 1); the output has the same length as the input.
Number of rounds Nr as a function of the block and key sizes (Nr = max(Nb, Nk) + 6):
          Nb = 4   Nb = 6   Nb = 8
Nk = 4      10       12       14
Nk = 6      12       12       14
Nk = 8      14       14       14

155 The round transformation (all rounds except the last)
Round (State, RoundKey) {
  ByteSub (State);
  ShiftRow (State);
  MixColumn (State);
  AddRoundKey (State, RoundKey);
}

156 Last round (no MixColumn)
FinalRound (State, RoundKey) {
  ByteSub (State);
  ShiftRow (State);
  AddRoundKey (State, RoundKey);
}

157 The ByteSub transformation
A simple, non-linear substitution applied to each byte of the state independently. It uses one table of 16 x 16 bytes containing a permutation of all 256 8-bit values; each byte of the state is replaced by the entry indexed by its row (left 4 bits) and column (right 4 bits). The S-box is constructed by a defined transformation of values in GF(2^8) (multiplicative inverse followed by an affine map) and was designed to be resistant to all known attacks.

158 ByteSub as two steps
1. Take the multiplicative inverse of the byte in GF(2^8); '00' is mapped to itself.
2. Apply the affine transformation over GF(2), written bit by bit for input bits a0..a7 and output bits b0..b7:
   b_i = a_i ⊕ a_(i+4) mod 8 ⊕ a_(i+5) mod 8 ⊕ a_(i+6) mod 8 ⊕ a_(i+7) mod 8 ⊕ c_i,   with c = '63' = 01100011
   (so the byte '00', whose inverse is '00', is substituted by '63').


161 The ShiftRow transformation
The rows of the state are cyclically shifted to the left: row 0 is not shifted, row 1 by C1 bytes, row 2 by C2 bytes and row 3 by C3 bytes. The offsets depend on the block length:
Nb   C1   C2   C3
4     1    2    3
6     1    2    3
8     1    3    4

162 The MixColumn transformation
Each column of the state is treated as a polynomial over GF(2^8) and multiplied modulo $x^4 + 1$ by the fixed polynomial
$$c(x) = \text{'03'}\,x^3 + \text{'01'}\,x^2 + \text{'01'}\,x + \text{'02'}$$
so that $b(x) = c(x) \otimes a(x)$, or in matrix form
$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} =
\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$$
The inverse transformation multiplies each column by
$$d(x) = \text{'0B'}\,x^3 + \text{'0D'}\,x^2 + \text{'09'}\,x + \text{'0E'}$$
which satisfies $c(x) \otimes d(x) = \text{'01'}$.

163 The round key addition
Regardless of the user key length, each round key has the size of the state, Nb 32-bit words (4*Nb bytes), and is combined with the state by a bitwise XOR.


166 Key schedule: three simple rules
1. expanded key length (bits) = block length x (number of rounds + 1)
2. the user (cipher) key is expanded into the expanded key
3. the expanded key is divided into Nr + 1 round keys, taken in ascending order
The expanded key is generated as an array W[0 .. Nb*(Nr+1) - 1] of 4-byte words; the first Nk words are the cipher key itself.

167 Round key selection (figure): key expansion and round key selection for Nb = 6 and Nk = 4. Round key i is the group of Nb consecutive words W[Nb*i] .. W[Nb*(i+1) - 1].

168-169 (figure) The g function used in the key expansion, applied to the previous word before it is XORed: rotate the word by one byte (labelled ShiftRow on the slide, i.e. RotWord), ByteSub on each byte, XOR with the round constant Rcon. g1 produces the first new group of words from W0 .. W3, g2 the next group (W8, W9, ...).

170 Nk <= 6: W[i] = W[i - Nk] XOR W[i - 1], except when i mod Nk = 0, where W[i] = W[i - Nk]  XOR g(W[i - 1]).
171 Nk > 6 (i.e. Nk = 8): the same rule, and additionally when i mod Nk = 4 the word W[i - 1] passes through ByteSub before the XOR.

172 The cipher
Rijndael (State, CipherKey) {
  KeyExpansion (CipherKey, ExpandedKey);
  AddRoundKey (State, ExpandedKey);                    // round key 0
  For (i = 1; i < Nr; i++) Round (State, ExpandedKey + Nb*i);
  FinalRound (State, ExpandedKey + Nb*Nr);
}

173 The inverse cipher (decryption)
InverseRijndael (State, CipherKey) {
  KeyExpansion (CipherKey, ExpandedKey);
  InverseFinalRound (State, ExpandedKey + Nb*Nr);
  For (i = Nr - 1; i > 0; i--) InverseRound (State, ExpandedKey + Nb*i);
  AddRoundKey (State, ExpandedKey);                    // round key 0
}
The inverse round applies the inverse steps in reverse order: AddRoundKey, InvMixColumn, InvShiftRow, InvByteSub, using the round keys from last to first.
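The pieces described on the previous slides (ByteSub built from the GF(2^8) inverse and the affine map, ShiftRow, MixColumn with c(x) and its inverse d(x), the key expansion for Nk <= 6 and Nk > 6, and the cipher and inverse cipher pseudocode) fit together into the following Python implementation of AES for Nb = 4. It is an added example, not the lecture's code or any library's, and it computes the S-box from its definition instead of copying the table. The check at the bottom uses the published FIPS-197 Appendix C test vectors; the state is kept as 16 bytes in column-major order as FIPS-197 does (byte r + 4c is row r of column c).

```python
# AES (Rijndael with Nb = 4) written out from the pieces described above.
# Added example, not the lecture's own code: the S-box is computed from the
# GF(2^8) inverse plus the affine map, MixColumn uses c(x) = '03'x^3 + '01'x^2
# + '01'x + '02' and its inverse d(x), the key schedule follows the Nk <= 6 /
# Nk > 6 rules, and the cipher and inverse cipher follow the pseudocode
# (initial AddRoundKey, Nr-1 full rounds, final round without MixColumn).
# State: 16 bytes, column-major as in FIPS-197 (index r + 4*c = row r, column c).

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)   # xtime: shift, then reduce by m(x)
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); '00' is mapped to itself (a^254 = a^-1 for a != 0)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(x):
    """ByteSub affine map: b_i = a_i ^ a_(i+4) ^ a_(i+5) ^ a_(i+6) ^ a_(i+7) ^ c_i with c = 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63

SBOX = [affine(gf_inv(i)) for i in range(256)]     # the 16x16 ByteSub table
INV_SBOX = [0] * 256
for i, s in enumerate(SBOX):
    INV_SBOX[s] = i

def sub_bytes(state, box=SBOX):
    return [box[b] for b in state]

def shift_rows(state, inverse=False):
    """Row r is rotated left by r bytes (C1, C2, C3 = 1, 2, 3 for Nb = 4); right when inverting."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = state[r + 4 * src]
    return out

def mix_columns(state, inverse=False):
    """Multiply each column by the circulant of c(x) = (02 03 01 01) or of d(x) = (0E 0B 0D 09)."""
    m = (0x0e, 0x0b, 0x0d, 0x09) if inverse else (0x02, 0x03, 0x01, 0x01)
    out = [0] * 16
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (gf_mul(m[0], col[r]) ^ gf_mul(m[1], col[(r + 1) % 4])
                              ^ gf_mul(m[2], col[(r + 2) % 4]) ^ gf_mul(m[3], col[(r + 3) % 4]))
    return out

def add_round_key(state, round_key):
    return [a ^ b for a, b in zip(state, round_key)]

def key_expansion(key):
    """Expand a 16/24/32-byte key into Nr + 1 round keys of 16 bytes (Nr = Nk + 6)."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]   # the first Nk words are the key
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                    # the g function: RotWord, SubWord, XOR Rcon
            t = t[1:] + t[:1]
            t = [SBOX[b] for b in t]
            t[0] ^= rcon
            rcon = gf_mul(rcon, 0x02)
        elif nk > 6 and i % nk == 4:       # extra SubWord, Nk > 6 only
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def encrypt_block(key, block):
    rk = key_expansion(key)
    nr = len(rk) - 1
    s = add_round_key(list(block), rk[0])
    for i in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[nr])          # final round: no MixColumn
    return bytes(s)

def decrypt_block(key, block):
    rk = key_expansion(key)
    nr = len(rk) - 1
    s = add_round_key(list(block), rk[nr])
    for i in range(nr - 1, 0, -1):                                 # inverse rounds, keys reversed
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), rk[i]), True)
    s = add_round_key(sub_bytes(shift_rows(s, True), INV_SBOX), rk[0])
    return bytes(s)

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector (published, not constructed here)
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = encrypt_block(key, pt)
    print(ct.hex())                            # 69c4e0d86a7b0430d8cdb78070b4c55a
    assert decrypt_block(key, ct) == pt
```

This is a reference implementation for reading, not for deployment: the byte-at-a-time GF(2^8) loops are slow, and the table lookups indexed by secret data are exactly the pattern the cache-timing attacks discussed later in this part exploit.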

174 Implementation aspects
AES can be implemented efficiently on an 8-bit CPU: byte substitution works on bytes using a table of 256 entries; ShiftRow is a simple byte shift; AddRoundKey is a set of byte XORs; MixColumn requires multiplication in GF(2^8), which works on byte values and can be simplified to table lookups and byte XORs (multiplication by '02' is a left shift followed by a conditional XOR with '1B').

175 It can also be implemented efficiently on a 32-bit CPU: redefine the steps to use 32-bit words and precompute 4 tables of 256 words each, so that each column in each round is computed with 4 table lookups and 4 XORs, at a cost of 4 KB to store the tables. The designers believe this very efficient implementation was a key factor in its selection as the AES cipher.

176 Rijndael cryptanalysis: brute-force attack
Key length   Number of trials (worst case; on average half as many)
128 bits     2^128, about 3.4 x 10^38
192 bits     2^192, about 6.3 x 10^57
256 bits     2^256, about 1.2 x 10^77

177 Linear cryptanalysis and other reduced-round attacks
By 2006 the best known attacks broke only reduced-round versions of Rijndael:
Key length   Number of rounds   Rounds broken
128 bits     10                 7
192 bits     12                 8
256 bits     14                 9
Algebraic description concerns: Rijndael has a neat algebraic description. This has not yet led to any attacks, but some cryptanalysts believe that a more complicated algebraic description would be required for confidence.

178 XSL attack
Announced by Nicolas Courtois and Josef Pieprzyk in 2002. Several well-known cryptographers have found problems in the underlying mathematics of the proposed attack and think the authors may have mistaken some of their estimates, so whether it applies to the full AES remains an open question.
Side-channel attacks
Side-channel attacks do not attack the underlying cipher but its implementations on systems that inadvertently leak data (through timing, power consumption or cache behaviour).

179 In April 2005, D. J. Bernstein announced a cache-timing attack that he used to break a custom server using OpenSSL's AES encryption. The custom server was designed to give out as much timing information as possible, and the attack required over 200 million chosen plaintexts. It has been argued that the attack is not practical over the internet at a distance of one or more hops; Bruce Schneier called the research a "nice timing attack". In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryptions.

180 Simplified AES example Dr. Ahmed M. ElShafee 180

181 Example 01
Encrypt the message "tomorrow never die" with the simplified AES that operates on the 26 English letters, using the key "simpler than des" and the S-box pdqjkfvobwselcmtirhgnyxazu (the i-th letter of this string is the image of the i-th letter of the alphabet: a -> p, b -> d, c -> q, ..., z -> u). Spaces are removed, the text is taken as one 16-letter block written row by row into a 4 x 4 state, and letters are added mod 26 (a = 0 ... z = 25).

182-183 Key generation (key = simpler than des, padded with x to 16 letters)
K1:            K2:
s i m p        h p b q
l e r t        e i z s
h a n d        k k x a
e s x x        b t q n

184-185 Encryption round 1 (plain = tomorrow never die -> tomorrowneverdie)
plain state:   ByteSub:      ShiftRow (row i rotated by i):
t o m o        g m l m       g m l m
r r o w        r r m x       x r r m
n e v e        c k y k       y k c k
r d i e        r j b k       j b k r
MixColumn followed by + K1 gives the round output:
l v k m
x g h e
t a d l
g w u t

186-187 Encryption round 2 (input = output of round 1)
state:         ByteSub:      ShiftRow:
l v k m        e y s l       e y s l
x g h e        a v o k       k a v o
t a d l        g p j e       j e g p
g w u t        v x n g       x n g v
MixColumn followed by + K2 gives the cipher state:
m a u q
j v n p
f o t j
z l h f
cipher = mauqjvnpfotjzlhf

188 Example 02
Decrypt the message uhqhhiogepdtoaja with the simplified AES that operates on the 26 English letters, using the key "simpler than des" and the S-box pdqjkfvobwselcmtirhgnyxazu.

189-190 Decryption round 1 (cipher = uhqhhiogepdtoaja)
cipher state:   after - K2 and MixColumn^-1:   ShiftRow:      ByteSub^-1:
u h q h         e b e a                        e b e a        l i l x
h i o g         s t q l                        l s t q        k p c m
e p d t         w f o h                        o h w f        j f h s
o a j a         f d b r                        d b r f        f b i r

191-192 Decryption round 2
state:          after - K1 and MixColumn^-1:   ShiftRow:      ByteSub^-1:
l i l x         h m b g                        h m b g        s o i t
k p c m         b h d r                        r b h d        i s b r
j f h s         k p s p                        s p k p        e a k a
f b i r         d e k a                        e k a d        b l e x
plain = soitisbreakablex -> "so it is breakable" (the final x is padding)

193 Example 03
Encrypt the message "play hide and seek" with the simplified AES that operates on the 26 English letters, using the key "my hidden secret key" and the S-box pdqjkfvobwselcmtirhgnyxazu.

194-195 Key generation (key = my hidden secret key, truncated to 16 letters: myhiddensecretke)
K1:            K2:
m y h i        u s z h
d d e n        q t x k
s e c r        j n p g
e t k e        i b l p

196-197 Encryption round 1 (plain = play hide and seek -> playhideandseekx, padded with x)
plain state:   ByteSub:      ShiftRow:
p l a y        t e p z       t e p z
h i d e        o b j k       k o b j
a n d s        p c j h       j h p c
e e k x        k k s a       k s a k
MixColumn followed by + K1 gives the round output:
o z p w
n t p g
m k m e
u r g a

198-199 Encryption round 2
state:         ByteSub:      ShiftRow:
o z p w        m u t x       m u t x
n t p g        c g t v       v c g t
m k m e        l s l k       l k l s
u r g a        n r v p       r v p n
MixColumn followed by + K2 gives the cipher state:
w g c m
t h d l
c r s s
n s e u
cipher = wgcmthdlcrssnseu

200 Example 04
Decrypt the message ltnyobbbswbgrmxj with the simplified AES that operates on the 26 English letters, using the key "my hidden secret key" and the S-box pdqjkfvobwselcmtirhgnyxazu.

201-202 Decryption round 1 (cipher = ltnyobbbswbgrmxj)
cipher state:   after - K2 and MixColumn^-1:   ShiftRow:      ByteSub^-1:
l t n y         g i r c                        g i r c        t q r n
o b b b         x v m l                        l x v m        w g o m
s w b g         e k h n                        h n e k        l e s u
r m x j         q d f c                        d f c q        c b f n

203-204 Decryption round 2
state:          after - K1 and MixColumn^-1:   ShiftRow:      ByteSub^-1:
t q r n         d k o b                        d k o b        b e h i
w g o m         c j k c                        c c j k        n d e n
l e s u         k l z e                        z e k l        e m y l
c b f n         b c k h                        c k h b        i n e s
plain = behindenemylines -> "behind enemy lines"

205 Thanks,.. See you next week (ISA), 205

206 Empty form: key generation (K1, K2)
207 Empty form: encryption round 1 (plain state -> ByteSub with the S-box pdqjkfvobwselcmtirhgnyxazu -> ShiftRow by 0, 1, 2, 3 -> MixColumn -> + K1)
208 Empty form: encryption round 2 (state -> ByteSub -> ShiftRow -> MixColumn -> + K2 -> cipher)
209 Empty form: decryption round 1 (cipher state -> - K2 -> MixColumn^-1 -> ShiftRow^-1 -> ByteSub^-1)
210 Empty form: decryption round 2 (state -> - K1 -> MixColumn^-1 -> ShiftRow^-1 -> ByteSub^-1 -> plain)


Biomedical Security. Overview 9/15/2017. Erwin M. Bakker Biomedical Security Erwin M. Bakker Overview Cryptography: Algorithms Cryptography: Protocols Pretty Good Privacy (PGP) / B. Schneier Workshop Biomedical Security Biomedical Application Security (guest

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Perfect Diffusion Primitives for Block Ciphers

Perfect Diffusion Primitives for Block Ciphers Perfect Diffusion Primitives for Block Ciphers Building Efficient MDS Matrices Pascal Junod and Serge Vaudenay École Polytechnique Fédérale de Lausanne (Switzerland) {pascaljunod, sergevaudenay}@epflch

More information

Computational and Algebraic Aspects of the Advanced Encryption Standard

Computational and Algebraic Aspects of the Advanced Encryption Standard Computational and Algebraic Aspects of the Advanced Encryption Standard Carlos Cid, Sean Murphy and Matthew Robshaw Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20

More information

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Low Complexity Differential Cryptanalysis and Fault Analysis of AES Low Complexity Differential Cryptanalysis and Fault Analysis of AES Michael Tunstall May/June, 2011 Michael Tunstall (University of Bristol) May/June, 2011 1 / 34 Introduction We present a survey of low

More information

Linear Cryptanalysis of Reduced-Round PRESENT

Linear Cryptanalysis of Reduced-Round PRESENT Linear Cryptanalysis of Reduced-Round PRESENT Joo Yeon Cho 1 Helsinki University of Technology, Finland 2 Nokia A/S, Denmark joo.cho@tkk.fi Abstract. PRESENT is a hardware-oriented block cipher suitable

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers

Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Impact of Extending Side Channel Attack on Cipher Variants: A Case Study with the HC Series of Stream Ciphers Goutam Paul and Shashwat Raizada Jadavpur University, Kolkata and Indian Statistical Institute,

More information

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3

Block Ciphers. Chester Rebeiro IIT Madras. STINSON : chapters 3 Block Ciphers Chester Rebeiro IIT Madras STINSON : chapters 3 Block Cipher K E K D Alice untrusted communication link E #%AR3Xf34^$ message encryption (ciphertext) Attack at Dawn!! D decryption Bob Attack

More information

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Differential Fault Analysis of AES using a Single Multiple-Byte Fault Differential Fault Analysis of AES using a Single Multiple-Byte Fault Subidh Ali 1, Debdeep Mukhopadhyay 1, and Michael Tunstall 2 1 Department of Computer Sc. and Engg, IIT Kharagpur, West Bengal, India.

More information

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl

Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography. Stefan Tillich, Johann Großschädl Accelerating AES Using Instruction Set Extensions for Elliptic Curve Cryptography International Workshop on Information Security & Hiding (ISH '05) Institute for Applied Information Processing and Communications

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 16 October 30, 2017 CPSC 467, Lecture 16 1/52 Properties of Hash Functions Hash functions do not always look random Relations among

More information

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard Introduction to Modern Cryptography Lecture 3 (1) Finite Groups, Rings and Fields (2) AES - Advanced Encryption Standard +,0, and -a are only notations! Review - Groups Def (group): A set G with a binary

More information

Hardware Design and Analysis of Block Cipher Components

Hardware Design and Analysis of Block Cipher Components Hardware Design and Analysis of Block Cipher Components Lu Xiao and Howard M. Heys Electrical and Computer Engineering Faculty of Engineering and Applied Science Memorial University of Newfoundland St.

More information

Chapter 2 Symmetric Encryption Algorithms

Chapter 2 Symmetric Encryption Algorithms Chapter 2 Symmetric Encryption Algorithms February 15, 2010 2 The term symmetric means that the same key used to encrypt is used decrypt. In the widest sense all pre-pkc encryption algorithms are symmetric,

More information

Differential Cache Trace Attack Against CLEFIA

Differential Cache Trace Attack Against CLEFIA Differential Cache Trace Attack Against CLEFIA Chester Rebeiro and Debdeep Mukhopadhyay Dept. of Computer Science and Engineering Indian Institute of Technology Kharagpur, India {chester,debdeep}@cse.iitkgp.ernet.in

More information

Structural Evaluation by Generalized Integral Property

Structural Evaluation by Generalized Integral Property Structural Evaluation by Generalized Integral Property Yosue Todo NTT Secure Platform Laboratories, Toyo, Japan todo.yosue@lab.ntt.co.jp Abstract. In this paper, we show structural cryptanalyses against

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 08 Shannon s Theory (Contd.)

More information

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis

Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis J. Cryptology (1996) 9: 1 19 1996 International Association for Cryptologic Research Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis Howard M. Heys and Stafford E.

More information

A Block Cipher using an Iterative Method involving a Permutation

A Block Cipher using an Iterative Method involving a Permutation Journal of Discrete Mathematical Sciences & Cryptography Vol. 18 (015), No. 3, pp. 75 9 DOI : 10.1080/097059.014.96853 A Block Cipher using an Iterative Method involving a Permutation Lakshmi Bhavani Madhuri

More information

Specification on a Block Cipher : Hierocrypt L1

Specification on a Block Cipher : Hierocrypt L1 Specification on a Block Cipher : Hierocrypt L1 Toshiba Corporation September 2001 Contents 1 Design principle 3 1.1 Data randomizing part........................ 3 1.1.1 Nested SPN structure....................

More information

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh

Online Cryptography Course. Block ciphers. What is a block cipher? Dan Boneh Online Cryptography Course Block ciphers What is a block cipher? Block ciphers: crypto work horse n bits PT Block n bits E, D CT Block Key k bits Canonical examples: 1. 3DES: n= 64 bits, k = 168 bits 2.

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA-2 MD5 Birthday Attack on Hash Functions Constructing New

More information

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden Dept. of EIT, Lund University, P.O. Box 118, 221 00 Lund, Sweden thomas@eit.lth.se May 16, 2011 Outline: Introduction to stream ciphers Distinguishers Basic constructions of distinguishers Various types

More information

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix

A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix A Large Block Cipher using an Iterative Method and the Modular Arithmetic Inverse of a key Matrix S. Udaya Kumar V. U. K. Sastry A. Vinaya babu Abstract In this paper, we have developed a block cipher

More information

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R) Eli Biham Computer Science Department Technion Israel Institute of Technology Haifa 32000, Israel biham@cs.technion.ac.il http://www.cs.technion.ac.il/~biham/

More information

arxiv: v1 [cs.cr] 13 Sep 2016

arxiv: v1 [cs.cr] 13 Sep 2016 Hacking of the AES with Boolean Functions Michel Dubois Operational Cryptology and Virology Laboratory Éric Filiol Operational Cryptology and Virology Laboratory September 14, 2016 arxiv:1609.03734v1 [cs.cr]

More information

MATH3302 Cryptography Problem Set 2

MATH3302 Cryptography Problem Set 2 MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International

More information

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Sieve-in-the-Middle: Improved MITM Attacks (Full Version ) Anne Canteaut 1, María Naya-Plasencia 1, and Bastien Vayssière 2 1 Inria Paris-Rocquencourt, project-team SECRET B.P. 105, 78153 Le Chesnay cedex,

More information

LOOKING INSIDE AES AND BES

LOOKING INSIDE AES AND BES 23 LOOKING INSIDE AES AND BES Ilia Toli, Alberto Zanoni Università degli Studi di Pisa Dipartimento di Matematica Leonida Tonelli Via F. Buonarroti 2, 56127 Pisa, Italy {toli, zanoni}@posso.dm.unipi.it

More information

Linear Cryptanalysis

Linear Cryptanalysis Linear Cryptanalysis Linear cryptanalysis is a powerful method of cryptanalysis introduced by Matsui in 1993 [11]. It is a known plaintext attack in which the attacker studies the linear approximations

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice

More information

Security of the AES with a Secret S-box

Security of the AES with a Secret S-box Security of the AES with a Secret S-box Tyge Tiessen, Lars R Knudsen, Stefan Kölbl, and Martin M Lauridsen {tyti,lrkn,stek,mmeh}@dtudk DTU Compute, Technical University of Denmark, Denmark Abstract How

More information

Technion - Computer Science Department - Technical Report CS0816.revised

Technion - Computer Science Department - Technical Report CS0816.revised How to Strengthen DES Using Existing Hardware Eli Biham? Alex Biryukov?? Abstract Dierential, linear and improved Davies' attacks are capable of breaking DES faster than exhaustive search, but are usually

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration

Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration Journal of Computer Science 4 (1): 15-20, 2008 ISSN 1549-3636 2008 Science Publications Modified Hill Cipher for a Large Block of Plaintext with Interlacing and Iteration V.U.K. Sastry and N. Ravi Shankar

More information

Attacking AES via SAT

Attacking AES via SAT Computer Science Department Swansea University BCTCS Warwick, April 7, 2009 Introduction In the following talk, a general translation framework, based around SAT, is considered, with the aim of providing

More information

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes

More information

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Ciphers Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5) Symmetric Cryptography C = E(P,K) P = D(C,K) Requirements Given C, the only way to obtain P should be with the knowledge of K Any

More information

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis 3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis TANAKA Hidema, TONOMURA Yuji, and KANEKO Toshinobu A multi rounds elimination method for higher order differential cryptanalysis

More information

Complementing Feistel Ciphers

Complementing Feistel Ciphers Complementing Feistel Ciphers Alex Biryukov 1 and Ivica Nikolić 2 1 University of Luxembourg 2 Nanyang Technological University, Singapore alex.biryukov@uni.lu inikolic@ntu.edu.sg Abstract. In this paper,

More information

STREAM CIPHER. Chapter - 3

STREAM CIPHER. Chapter - 3 STREAM CIPHER Chapter - 3 S t r e a m C i p h e r P a g e 38 S t r e a m C i p h e r P a g e 39 STREAM CIPHERS Stream cipher is a class of symmetric key algorithm that operates on individual bits or bytes.

More information

Multi-Map Orbit Hopping Chaotic Stream Cipher

Multi-Map Orbit Hopping Chaotic Stream Cipher Multi-Map Orbit Hopping Chaotic Stream Cipher Xiaowen Zhang 1, Li Shu 2, Ke Tang 1 Abstract In this paper we propose a multi-map orbit hopping chaotic stream cipher that utilizes the idea of spread spectrum

More information

MATH 509 Differential Cryptanalysis on DES

MATH 509 Differential Cryptanalysis on DES MATH 509 on DES Department of Mathematics, Boise State University Spring 2012 MATH 509 on DES MATH 509 on DES Feistel Round Function for DES MATH 509 on DES 1977: DES is approved as a standard. 1 1 Designers:

More information