Session 3 Symmetric ciphers 2 part 1

Feb 21, 2016


haruki

Transcript
Page 1: Session 3

Session 3

Symmetric ciphers 2 part 1

Page 2: Session 3

Block ciphers - definition
• Block cipher encipherment provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function.
• The precise function implemented by the block cipher is determined by a secret key.

Page 3: Session 3

Block ciphers - definition
• The principal difference between a stream cipher and a block cipher:
‒ A stream cipher contains memory, embodied in its current state.
‒ A block cipher is memoryless outside its current block and therefore has no current state.

Page 4: Session 3

Block ciphers - definition
• Block ciphers operation:
‒ A plaintext message is partitioned into a series of blocks.
‒ These blocks are then enciphered one block at a time.
• A block cipher can also be used as a component in a stream cipher, message authentication code (MAC), hash function, and a signature scheme.

Page 5: Session 3

Block ciphers - definition
• Block cipher encipherment is a form of symmetric-key encipherment.
• Both transmitter and receiver of the ciphertext have knowledge of the secret key.
• Example: the transposition cipher is essentially a block cipher.

Page 6: Session 3

Block ciphers - definition
• A block cipher is a vectorial Boolean function $E : \{0,1\}^K \times \{0,1\}^N \to \{0,1\}^N$ that takes two inputs:
‒ a K-bit key k;
‒ an N-bit plaintext P.
• It returns an N-bit ciphertext C = E(k, P).

Page 7: Session 3

Block ciphers - definition
• For any block cipher, and any key k, the function $E_k$ is a permutation on $\{0,1\}^N$.
• This means that it is a bijection - a one-to-one mapping of $\{0,1\}^N$ to $\{0,1\}^N$.
• Since it is a bijection, it has an inverse, $E_k^{-1}$.
• Since E is invertible, decipherment is possible.

Page 8: Session 3

Block ciphers - definition
• Both the cipher and its inverse $E^{-1}$ should be easily computable:
‒ Given k, P, we can compute E(k, P).
‒ Given k, C, we can compute $E^{-1}(k, C)$.
• The key k should be chosen uniformly at random.

Page 9: Session 3

Block ciphers - design
• The aim of the block cipher design is to make it practically impossible to retrieve the plaintext from the ciphertext without knowledge of the K-bit secret key.

Page 10: Session 3

Block ciphers - design
• Since decipherment is only possible if the encipherment function is invertible (i.e. if it is a bijection), the choice of possible N-bit block ciphers is restricted to one of $(2^N)!$ block ciphers.

Page 11: Session 3

Block ciphers - design
• Of all these $(2^N)!$ block ciphers, only $2^K$ are used, because of the parameterization by the key.
• In practice, these $2^K$ block ciphers that are actually used constitute an infinitesimally small fraction of $(2^N)!$ possible block ciphers.

Page 12: Session 3

Example: N=3, K=2 (1)
• A 3-bit block cipher with 2 bits of key.
• There are $(2^N)! = 8! = 40320$ possible permutations, of which only $2^K = 2^2 = 4$ permutations are used.

Page 13: Session 3

Example: N=3, K=2 (2)
• Let these permutations be:
k=00, p0=(4,6,1,8,5,7,3,2)
k=01, p1=(5,2,7,1,8,6,4,3)
k=10, p2=(8,6,2,1,3,4,5,7)
k=11, p3=(3,8,6,2,4,7,5,1)

Page 14: Session 3

Example: N=3, K=2 (3)
• Let us choose k=00, which means:
‒ k=00, p0=(4,6,1,8,5,7,3,2)
‒ or:
$p_0 = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 \\ 4 & 6 & 1 & 8 & 5 & 7 & 3 & 2 \end{pmatrix}$
• The corresponding block cipher, $E_k$:
Addr.  Value
0      010
1      111
2      110
3      000
4      100
5      001
6      101
7      011

Page 15: Session 3

Example: N=3, K=2 (4)
• The inverse permutation:
‒ p0'=(3,8,7,1,5,2,6,4)
‒ or:
$p_0' = \begin{pmatrix} 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 \\ 3 & 8 & 7 & 1 & 5 & 2 & 6 & 4 \end{pmatrix}$
• The corresponding inverse block cipher, $E_k^{-1}$:
Addr.  Value
0      011
1      101
2      000
3      111
4      100
5      110
6      010
7      001

Page 16: Session 3

Example: N=3, K=2 (5)
• Let us encipher X=101.
• The corresponding address is 5.
• $Y = E_k(X) = E_k(5) = 001$.
• Deciphering: Y=001.
• The corresponding address is 1.
• $E_k^{-1}(Y) = E_k^{-1}(1) = 101 = X$.

Page 17: Session 3

Block ciphers - design
• The problem of block cipher design:
‒ determine which set of $2^K$ block ciphers to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext;
‒ given prior knowledge of a few plaintext/ciphertext pairs it should be impossible to say anything about the fixed key.

Page 18: Session 3

Block ciphers - design
• Any effective block cipher scheme must be realized efficiently in time and space, with as little implementation cost as possible.
• The practical trade-off is to design a block cipher which is both sufficiently secure, and satisfactorily efficient in terms of hardware/software space and time resources.

Page 19: Session 3

Block ciphers - design
• A block cipher with a secret key is considered perfect if, for all plaintexts P and ciphertexts C, it holds that $\Pr(P \mid C) = \Pr(P)$.
• If, for a fixed K-bit key, an N-bit block cipher is used to encipher K/N plaintexts, then the cipher is the one-time pad.

Page 20: Session 3

Block ciphers - design
• In this special case, the encipherment is provably secure and the block cipher is perfect.
• In most situations the one-time pad is impractical as far too many secret keys must be used.

Page 21: Session 3

Block ciphers - design
• Therefore it is highly desirable to securely encipher T plaintexts using the same, fixed K-bit secret key, where T >> K/N.
• Most modern block ciphers seek to maximize T, still achieving an acceptable security.

Page 22: Session 3

Block ciphers - design
• This is achieved via a combination of:
‒ confusion, which makes the relationship between the key and the ciphertext as complicated as possible, and
‒ diffusion, which seeks to eliminate influence of any redundancy in the plaintext. Diffusion also makes it difficult for any attacker to partially approximate the cipher.

Page 23: Session 3

Block ciphers - design
• Confusion:
‒ The relation between the key and the ciphertext must be as complex as possible.
‒ Thus, the statistics of the ciphertext are not significantly influenced by the plaintext statistics.
‒ Confusion is achieved by means of substitution (through non-linear functions, so-called S-boxes).

Page 24: Session 3

Block ciphers - design
• Diffusion:
‒ Diffusion annihilates the influence of the redundancy of the plaintext on the ciphertext.
‒ It is achieved by making every symbol of the ciphertext dependent on as many plaintext letters as possible (by means of linear transformations such as permutations).

Page 25: Session 3

Block ciphers - design
• Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits.

Page 26: Session 3

Block ciphers - design
• Ideally, it would be impossible to decompose this S-box into smaller sub-units.
• Such a block cipher would have a huge implementation complexity.

Page 27: Session 3

Block ciphers - design
• Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext.
• These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key.

Page 28: Session 3

Block ciphers - design
• This decomposition into practical sub-units constitutes a trade-off between security and acceptable complexity.
• A key-schedule is needed to derive round keys from a master key.

Page 29: Session 3

Block ciphers - design
• It is an accepted design principle that encipherment using a block cipher, selected via a randomly-chosen key, should look like encipherment by a randomly-chosen invertible function over N bits.

Page 30: Session 3

Block ciphers - design
• Basic design types of block ciphers:
‒ Feistel ciphers
‒ Substitution-permutation networks.
• Both design philosophies have their advantages and disadvantages.

Page 31: Session 3

Block ciphers - design
• It is possible to combine these design types in a single block cipher (rarely used, e.g. SC2000).
• There is no agreement about the best design philosophy for block ciphers.

Page 32: Session 3

Feistel ciphers
• A basic Feistel cipher takes 2t plaintext bits, and is a permutation F, which uses m round permutations $F_i$:
$F = F_{m-1} \circ \cdots \circ F_1 \circ F_0$
where ◦ is a composition of functions, i.e.
$(F \circ G)(x) = F(G(x))$

Page 33: Session 3

Feistel ciphers
• Round i acts on t bits, R (right), by means of the keyed nonlinear function, $f_i$, and XORs the result with the other t bits, L (left).
• The L and R halves are then swapped.

Page 34: Session 3

Feistel ciphers
• After the i-th round, we have:
$[L', R'] = F_i[L, R] = [R, L \oplus f_i(R)]$
• [L', R'] becomes the new input [L, R] to the round i + 1.

Page 35: Session 3

Feistel ciphers
• F and the $F_i$ must be permutations, but the $f_i$ need not be.
• It takes two rounds before all plaintext bits have been acted on in a nonlinear way.
• In the decipherment process, the same functions are used, but with the round keys used in reverse order.

Page 36: Session 3

Feistel ciphers
• Example of a round:
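The Feistel structure described on the preceding slides, as an added Python example that is not part of the original presentation. The 32-bit half size, both round functions and the round keys are assumptions made for illustration; the constant round function is there to show that f_i need not be a permutation for decipherment to work.

```python
import hashlib

T = 4  # bytes per half, i.e. t = 32 bits (assumed size for this sketch)

def hash_f(round_key: bytes, right: bytes) -> bytes:
    # Keyed nonlinear f_i (hypothetical): a truncated hash is not
    # invertible, and the Feistel structure never needs to invert it.
    return hashlib.sha256(round_key + right).digest()[:T]

def const_f(round_key: bytes, right: bytes) -> bytes:
    # Degenerate f_i that ignores R entirely: useless for security,
    # but deciphering still works because only the XOR has to be undone.
    return round_key[:T]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encipher(block: bytes, round_keys, f=hash_f) -> bytes:
    left, right = block[:T], block[T:]
    for k in round_keys:
        # [L', R'] = F_i[L, R] = [R, L xor f_i(R)]
        left, right = right, xor(left, f(k, right))
    # Undo the last swap so the same routine deciphers
    # (DES likewise omits the interchange in its final round).
    return right + left

def decipher(block: bytes, round_keys, f=hash_f) -> bytes:
    # Same functions, round keys in reverse order.
    return encipher(block, list(reversed(round_keys)), f)

# Constructed sample data, not a real key schedule.
ROUND_KEYS = [bytes([i]) * T for i in range(1, 5)]
PLAINTEXT = b"ABCDEFGH"

if __name__ == "__main__":
    c = encipher(PLAINTEXT, ROUND_KEYS)
    print(c.hex(), decipher(c, ROUND_KEYS))
    one = encipher(PLAINTEXT, ROUND_KEYS[:1])
    print("after 1 round the R half is still in clear:", one[T:])
```

With a single round the right half of the plaintext appears unchanged in the output, which is why at least two rounds are needed before every plaintext bit has passed through the nonlinear function.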

Page 37: Session 3

Feistel ciphers
• Examples of Feistel designs:
‒ LUCIFER (author: Horst Feistel)
‒ DES (Data Encryption Standard)
‒ MISTY1
‒ KASUMI (used in UMTS)
‒ CAMELLIA
‒ FEAL
‒ etc.

Page 38: Session 3

Substitution-permutation networks
• A substitution-permutation network (SPN) separates the role of confusion and diffusion in the cipher.
• The cipher is also decomposed into iterative rounds.

Page 39: Session 3

Substitution-permutation networks
• Each round comprises a layer of non-linear functions (often S-boxes), followed by a linear layer (often a permutation).
• The non-linear layer provides the confusion.
• The linear layer provides the diffusion.

Page 40: Session 3

Substitution-permutation networks
• The separating of the tasks of confusion and diffusion allows the designer to maximize nonlinearity for the non-linear layer, and maximize information spread for the diffusion layer.

Page 41: Session 3

Substitution-permutation networks
• Examples of SPN design:
‒ AES (Rijndael) (Advanced Encryption Standard)
‒ IDEA
‒ etc.

Page 42: Session 3

Commonly used designs
• Feistel ciphers:
‒ DES (triple DES, etc.)
‒ KASUMI
‒ …
• Substitution-permutation networks:
‒ Rijndael (AES)
‒ IDEA
‒ …

Page 43: Session 3

DES
• The block cipher most implemented in practice is (still, as triple DES) DES (Data Encryption Standard), introduced in the USA by NBS (National Bureau of Standards) in 1974.
• The length of the block in this cipher is 64 bits and the length of the key is 56 bits.
• DES works alternately over two halves of the block to be enciphered.

Page 44: Session 3

DES
• First, an initial fixed permutation of the input block is performed.
• Then the block is divided into two halves.
• After that, a modular operation is realized 16 times ("rounds").

Page 45: Session 3

DES
• This operation consists of summing modulo 2 the left part with a function of the right part $F(K_i)$, managed by the subkey $K_i$, $i = 1, \dots, 16$, where i is the ordinal number of the round.
• After that, the left and the right parts are interchanged.

Page 46: Session 3

DES
• The initial permutation is represented in the following way in the standard FIPS 46-3:
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
• This means that the 58th bit of input becomes the 1st bit of output, the 50th bit of input becomes the 2nd bit of output, etc.

Page 47: Session 3

DES


Page 48: Session 3

DES
• In round 16 the interchange is omitted.
• There is a final permutation, inverse to the initial one.

Page 49: Session 3

DES
• DES realizes an involution and because of that it is not necessary to invert the function F in the deciphering algorithm.
• The function F contains non-linear operations.

Page 50: Session 3

DES
• The final permutation:
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
• The 40th bit of input becomes the 1st bit of output, etc.

Page 51: Session 3

DES – the function $F(K_i)$

Page 52: Session 3

DES – the function $F(K_i)$
• The expansion algorithm from 32 to 48 bits:
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
• The first bit of the resulting 48-bit vector is the 32nd bit of the input vector, etc.

Page 53: Session 3

DES – the function $F(K_i)$
• The function F is a set of the following operations (1):
‒ The first manipulation consists of producing a vector of 48 bits from the initial 32 bits by means of a linear expansion.
‒ Next, the local key of 48 bits is combined with the obtained vector by means of the sum modulo 2, bit by bit.
‒ Thus another vector of 48 bits is obtained, which is divided into 8 groups of 6 bits each.

Page 54: Session 3

DES – the function $F(K_i)$
• The function F is a set of the following operations (2):
‒ Each group serves as input to one of 8 functions called S-boxes.
‒ These boxes are responsible for the non-linearity of DES.
‒ The output of each S-box is 4 bits.
‒ When a single input bit is changed, at least 2 output bits are changed.

Page 55: Session 3

DES
• S1
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Page 56: Session 3

DES
• S2
15  1  8 14  6 11  3  4  9  7  2 13 12  0  5 10
 3 13  4  7 15  2  8 14 12  0  1 10  6  9 11  5
 0 14  7 11 10  4 13  1  5  8 12  6  9  3  2 15
13  8 10  1  3 15  4  2 11  6  7 12  0  5 14  9

Page 57: Session 3

DES
• S3
10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12

Page 58: Session 3

DES
• S4
 7 13 14  3  0  6  9 10  1  2  8  5 11 12  4 15
13  8 11  5  6 15  0  3  4  7  2 12  1 10 14  9
10  6  9  0 12 11  7 13 15  1  3 14  5  2  8  4
 3 15  0  6 10  1 13  8  9  4  5 11 12  7  2 14

Page 59: Session 3

DES
• S5
 2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
 4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

Page 60: Session 3

DES
• S6
12  1 10 15  9  2  6  8  0 13  3  4 14  7  5 11
10 15  4  2  7 12  9  5  6  1 13 14  0 11  3  8
 9 14 15  5  2  8 12  3  7  0  4 10  1 13 11  6
 4  3  2 12  9  5 15 10 11 14  1  7  6  0  8 13

Page 61: Session 3

DES
• S7
 4 11  2 14 15  0  8 13  3 12  9  7  5 10  6  1
13  0 11  7  4  9  1 10 14  3  5 12  2 15  8  6
 1  4 11 13 12  3  7 14 10 15  6  8  0  5  9  2
 6 11 13  8  1  4 10  7  9  5  0 15 14  2  3 12

Page 62: Session 3

DES
• S8
13  2  8  4  6 15 11  1 10  9  3 14  5  0 12  7
 1 15 13  8 10  3  7  4 12  5  6 11  0 14  9  2
 7 11  4  1  9 12 14  2  0  6 10 13 15  3  5  8
 2  1 14  7  4 10  8 13 15 12  9  0  3  5  6 11

Page 63: Session 3

DES
• Addressing of the DES S-boxes:
‒ Let the addressing 6-tuple for any S-box be b1b2b3b4b5b6.
‒ The bits b1b6 determine the row of the S-box.
‒ The bits b2b3b4b5 determine the column of the S-box.

Page 64: Session 3

DES
• Example:
‒ Let the addressing 6-tuple of the 3rd S-box be 001001.
‒ The row is 01, which means the 2nd row, since 00 is the first row.
‒ The column is 0100, which means the 5th column, since the numbering starts from 0000.
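The addressing rule and the 001001 example above, as added Python that is not part of the original slides. It looks the 6-tuple up in S3 (table copied from the slide) and checks, over all 64 inputs, the earlier statement that changing a single input bit changes at least two output bits; the function names are chosen for this example.

```python
# DES S-box S3, copied from the slide (4 rows x 16 columns).
S3 = [
    [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
    [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
    [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
    [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
]

def sbox_address(six_bits: int):
    """Split b1..b6 (b1 is the most significant bit) into (row, column)."""
    b1 = (six_bits >> 5) & 1
    b6 = six_bits & 1
    row = (b1 << 1) | b6           # outer bits b1 b6
    col = (six_bits >> 1) & 0xF    # inner bits b2 b3 b4 b5
    return row, col

def sbox_lookup(sbox, six_bits: int) -> int:
    row, col = sbox_address(six_bits)
    return sbox[row][col]

def min_output_change(sbox) -> int:
    """Fewest output bits that change over every single-bit input flip."""
    return min(
        bin(sbox_lookup(sbox, x) ^ sbox_lookup(sbox, x ^ (1 << i))).count("1")
        for x in range(64)
        for i in range(6)
    )

def rows_are_permutations(sbox) -> bool:
    # Each row of a DES S-box contains every 4-bit value exactly once.
    return all(sorted(row) == list(range(16)) for row in sbox)

if __name__ == "__main__":
    row, col = sbox_address(0b001001)
    out = sbox_lookup(S3, 0b001001)
    print(f"row {row:02b}, column {col:04b} -> output {out:04b}")
    print("minimum output bits changed:", min_output_change(S3))
```

Rows and columns are counted from zero in the code, so the slide's "2nd row, 5th column" is index (1, 4).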

Page 65: Session 3

DES
• Finally, the information passes through a "P-box", which is a fixed permutation, chosen in such a way that a maximum diffusion of bits is achieved through the whole 32-bit vector.

Page 66: Session 3

DES
• The P-box:
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
• The 16th bit of input becomes the 1st bit of output, etc.

Page 67: Session 3

DES
• Although DES handles 64-bit keys, the first operation that is realized in the process of key expansion is their reduction to 56 bits, by eliminating one bit of every 8 bits.
• Then the remaining bits are reordered.
• Next, 16 subkeys necessary in the 16 rounds of the algorithm are obtained.

Page 68: Session 3

DES
• The reordering key permutation:
57 49 41 33 25 17  9  1 58 50 42 34 26 18
10  2 59 51 43 35 27 19 11  3 60 52 44 36
63 55 47 39 31 23 15  7 62 54 46 38 30 22
14  6 61 53 45 37 29 21 13  5 28 20 12  4
• The 57th bit of input becomes the 1st bit of output, etc. Every 8th bit of the initial 64-bit key is dropped.

Page 69: Session 3

DES
• During the deciphering process, the subkeys are used in the reverse order.
• Generation of the subkeys (1)
‒ First, the key of 56 bits is divided in two halves of 28 bits each.
‒ Then, the halves are rotated left 1 or 2 bits, depending on the round. Rotating left a number of positions depending on the round is recursive, which means that the initial vector for the i-th round is the output vector of the (i-1)st round.

Page 70: Session 3

DES
• Generation of the subkeys (2)
‒ After the rotation, the halves are reunited, obtaining again 16 groups of 56 bits.
‒ Next, 48 bits of each group are selected to form the final 16 subkeys, in the process denominated "permutation with compression".

Page 71: Session 3

DES
Iteration Number   Number of Left Shifts
1                  1
2                  1
3                  2
4                  2
5                  2
6                  2
7                  2
8                  2
9                  1
10                 2
11                 2
12                 2
13                 2
14                 2
15                 2
16                 1

Page 72: Session 3

DES
• The choice of 48 bits of the i-th subkey from the corresponding 56 bits:
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32

Page 73: Session 3

DES
• For deciphering, DES should run backwards, which means that the $K_{16}$ subkey is used in the first round, $K_{15}$ in the second, …, $K_1$ in the 16th round.