Symmetric Crypto Systems

Similar documents
Symmetric Crypto Systems

Lecture 12: Block ciphers

Public-key Cryptography: Theory and Practice

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Leftovers from Lecture 3

Introduction. CSC/ECE 574 Computer and Network Security. Outline. Introductory Remarks Feistel Cipher DES AES

Solution of Exercise Sheet 7

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

A block cipher enciphers each block with the same key.

Block Ciphers and Feistel cipher

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Lecture 4: DES and block ciphers

Lecture 5: Pseudorandom functions from pseudorandom generators

A Five-Round Algebraic Property of the Advanced Encryption Standard

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Extended Criterion for Absence of Fixed Points

Secret Key: stream ciphers & block ciphers

Security and Cryptography 1

Module 2 Advanced Symmetric Ciphers

Public Key Cryptography

Chapter 2 Symmetric Encryption Algorithms

Table Of Contents. ! 1. Introduction to AES

Introduction to Cryptography Lecture 4

Some integral properties of Rijndael, Grøstl-512 and LANE-256

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

STRIBOB : Authenticated Encryption

The Hash Function JH 1

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Introduction to Modern Cryptography Lecture 5

A Pseudo-Random Encryption Mode

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Foundations of Network and Computer Security

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

CTR mode of operation

Classical Cryptography

Analysis of cryptographic hash functions

Block ciphers And modes of operation. Table of contents

THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

The Advanced Encryption Standard

Introduction to Cryptography

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Foundations of Network and Computer Security

Modern Cryptography Lecture 4

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Introduction to Information Security

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Notes for Lecture 9. 1 Combining Encryption and Authentication

Exam Security January 19, :30 11:30

Part (02) Modem Encryption techniques

Avoiding collisions Cryptographic hash functions. Table of contents

CPSC 467: Cryptography and Computer Security

Introduction to Cryptography

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Foundations of Network and Computer Security

Question: Total Points: Score:

Week 12: Hash Functions and MAC

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

CS 6260 Applied Cryptography

Message Authentication Codes (MACs)

The Pseudorandomness of Elastic Block Ciphers

Block Cipher Cryptanalysis: An Overview

MATH3302 Cryptography Problem Set 2

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Modes of Operations for Wide-Block Encryption

McBits: Fast code-based cryptography

Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1

Introduction. Outline. CSC/ECE 574 Computer and Network Security. Secret Keys or Secret Algorithms? Secrets? (Cont d) Secret Key Cryptography

(Solution to Odd-Numbered Problems) Number of rounds. rounds

CPSC 467: Cryptography and Computer Security

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Structural Evaluation by Generalized Integral Property

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

ECS 189A Final Cryptography Spring 2011

FORGERY ON STATELESS CMCC WITH A SINGLE QUERY. Guy Barwell University of Bristol

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Secret Key Systems (block encoding) Encrypting a small block of text (say 64 bits) General considerations for cipher design:

CS 6260 Applied Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Collision Attack on Boole

Known and Chosen Key Differential Distinguishers for Block Ciphers

How Fast can be Algebraic Attacks on Block Ciphers?

First-Order DPA Attack Against AES in Counter Mode w/ Unknown Counter. DPA Attack, typical structure

Inside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013

Introduction to Cybersecurity Cryptography (Part 4)

CSc 466/566. Computer Security. 5 : Cryptography Basics

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Linear Cryptanalysis of Reduced-Round Speck

Transcription:

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08

Module Outline Stream ciphers under the hood Block ciphers under the hood Modes of operation for block ciphers 2

3 Stream Ciphers

Random Generator (Stream Cipher) as Random Oracle In: short string (key) length of the output Queries Responses Out: long random stream of bits (keystream) Applications: Communications encryption Storage encryption Properties Should not reuse Use seed 4

Stream Ciphers Not as popular today as block ciphers A5/1 Designed for hardware implementations Based on shift registers Used in GSM mobile phone system RC4 Designed for software implementations Based on a changing lookup table Used many places 5

A5/1 A5/1 consists of 3 shift registers X: 19 bits (x 0,x 1,x 2,,x 18 ) Y: 22 bits (y 0,y 1,y 2,,y 21 ) Z: 23 bits (z 0,z 1,z 2,,z 22 ) 6

A5/1 At each step: m = maj(x 8, y 10, z 10 ) Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 If x 8 = m then X steps t = x 13 x 16 x 17 x 18 x i = x i 1 for i = 18,17,,1 and x 0 = t If y 10 = m then Y steps t = y 20 y 21 y i = y i 1 for i = 21,20,,1 and y 0 = t If z 10 = m then Z steps t = z 7 z 20 z 21 z 22 z i = z i 1 for i = 22,21,,1 and z 0 = t Keystream bit is x 18 y 21 z 22 7

A5/1 X Y x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 y 0 y 1 y 2 y 3 y 4 y 5 y 6 y 7 y 8 y 9 y 10 y 11 y 12 y 13 y 14 y 15 y 16 y 17 y 18 y 19 y 20 y 21 Z z 0 z 1 z 2 z 3 z 4 z 5 z 6 z 7 z 8 z 9 z 10 z 11 z 12 z 13 z 14 z 15 z 16 z 17 z 18 z 19 z 20 z 21 z 22 Each value is a single bit Key is used as initial fill of registers Each register steps or not, based on (x 8, y 10, z 10 ) Keystream bit is XOR of right bits of registers 8

A5/1: example X 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Y 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1 Z 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1 In this example, m = maj(x 8, y 10, z 10 ) = maj(1,0,1) = 1 Register X steps, Y does not step, and Z steps Keystream bit is XOR of right bits of registers Here, keystream bit will be 0 1 0 = 1 9

Shift Register Crypto Shift register-based crypto is efficient in hardware Harder to implement in software In the past, very popular Today, more is done in software due to faster processors Shift register crypto still used some 10

Use of Stream Ciphers Stream ciphers were big in the past Efficient in hardware Speed needed to keep up with voice, etc. Today, processors are fast, so software-based crypto is fast enough 11

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Block Ciphers Under the Hood Copyright 2004-2007 Konstantin Beznosov 09/16/08

Random Permutation (Block Cipher) as Random Oracle In fixed size short string (plaintext) M, DES -- 64 bits Key K Queries K 1 Responses K 2 Out same fixed size short string (ciphertext) C Notation C = { M } K M = { C } K 13

Related Notes Main properties of block ciphers invertible confusing diffusing Main block ciphers Data Encryption Standard (DES) Advanced Encryption Standard (AES) a.k.a., Rijndael 14

(Iterated) Block Cipher Plaintext and ciphertext consists of fixed sized blocks Ciphertext obtained from plaintext by iterating a round function Input to round function consists of key and the output of previous round Usually implemented in software 15

Feistel Cipher type of block cipher design, not a specific cipher Split plaintext block into left and right halves: Plaintext = (L 0,R 0 ) For each round i=1,2,...,n, compute L i = R i 1 R i = L i 1 F(R i 1,K i ) where F is round function and K i is subkey Ciphertext = (L n,r n ) 16

Feistel Cipher 17 Decryption: Ciphertext = (L n,r n ) For each round i=n,n 1,,1, compute R i 1 = L i L i 1 = R i F(R i 1,K i ) where F is round function and K i is subkey Plaintext = (L 0,R 0 ) Formula works for any function F But only secure for certain functions F silly round function example: F(x, y) == 0 for any x and y.

Advanced Encryption Standard Replacement for DES AES competition (late 90 s) NSA openly involved Transparent process Many strong algorithms proposed Rijndael Algorithm ultimately selected Pronounced like Rain Doll or Rhine Doll invented by Joan Daemen and Vincent Rijmen Iterated block cipher (like DES) 18

AES Overview Block size: 128, 192 or 256 bits Key length: 128, 192 or 256 bits (independent of block size) 10 to 14 rounds (depends on key length) Each round uses 4 functions (in 3 layers ) ByteSub (nonlinear layer) ShiftRow (linear mixing layer) MixColumn (nonlinear layer) AddRoundKey (key addition layer) 19

20 AES demonstration

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Modes of Operation Copyright 2004-2007 Konstantin Beznosov 09/16/08

Electronic Code Book (ECB) M = m 1 m 2 m n m 1 m 2 m n K E E E c 1 c 2 c n 27 ci = EK(mi) Drawbacks C = c 1 c 2 c n Same message has same ciphertext Redundant/repetitive patterns will show through Subject to cut-and-splice attacks

28 Alice in ECB Mode

Cipher Block Chaining (CBC) M = m 1 m 2 m n ci = EK(mi ci-1) init. vector (IV) m 1 K E m 2 E c 1 c 2 C = IV c 1 c 2 c n Decrypting with CBC ci = DK(mi) ci-1 29

30 Alice in CBC Mode

Output Feedback (OFB)Mode C i = m i E K (K i-1 ), K 0 = IV K 1 = E K (IV), K 2 =E K (K 1 ), K i =E K (K i-1 ) Purpose use block cipher as a stream cipher

Counter Encryption Drawbacks of feedback modes Hard to parallelize CBC -- cannot pre-compute OFB -- memory requirements Counter Encryption is easier to parallelize ci = mi EK(IV+i) mi = ci EK(IV+i) 35

Message Authentication Code Purpose (MAC) protect message integrity and authenticity How to do MAC with a block cipher? init. vector (IV) m 1 E k c 1 m 2 E k c 2 In CBC mode, the last block of cipher text serves as the MAC for the entire message 36

Hash Function from a Block Cipher h = H(M) 1. Easy to compute h from M - efficient 2. Hard to compute M from h one way 3. For given M, hard to find another M s.t. H(M) == H(M ) weak collision resistance 4. For any M & M s.t. H(M) == H(M ) strong collision resistance h i-1 M i h i = E M i (h i-1 ) h i-1 key input plaintext input E 37 h i

Common Hash Functions and Applications Common hash functions (Message Digest) MD5 value 128b (Secure Hash Algorithm) SHA-1 180b value, SHA-256, SHA-512 Applications MACs MAC K (M) = H(K,M) 38 HMAC K (M) = H(K Α, Η(Κ Β,Μ)), Α & Β = magic (pg. 94, Stamp) Time stamping service key updating K i = H(K i-1 ) Backward security Autokeying K i+1 = H(K i,m i1, M i2, ) Forward security

Key Points Ciphers are either substitution, transposition (a.k.a., permutation), or product Any block cipher should confuse and defuse Block ciphers are implemented in SP-networks Stream ciphers and hash functions are commonly implemented with block ciphers Hash functions used for fingerprinting data, MAC, key updating, autokeying, 39

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback