Session 3: Secret key cryptography – block ciphers – part 1
Dec 22, 2015
Session 3: Secret key cryptography – block
ciphers – part 1
Block ciphers - definition
Block cipher encryption provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function.
The precise function implemented by the block cipher is determined by a secret key.
Block ciphers - definition
The principal difference between a stream cipher and a block cipher:• A stream cipher contains memory, embodied
in its current state.
• A block cipher is memoryless outside its current block and therefore has no current state.
Block ciphers - definition
Block ciphers operation:• A plaintext message is partitioned into a
series of blocks.
• These blocks are then encrypted one block at a time.
A block cipher can also be used as a component in a stream cipher, message authentication codes (MACs), hash functions, and signature schemes.
Block ciphers - definition
Block cipher encryption is a form of symmetric-key encryption.
Both transmitter and receiver of the ciphertext have knowledge of the secret key.
Example: the substitution cipher, and the transposition cipher are essentially block ciphers.
Block ciphers - definition
A block cipher is a vectorial Boolean function E : {0, 1}K × {0, 1}N → {0, 1}N that takes two inputs:• a K-bit key k ;
• an N-bit plaintext P.
It returns an N-bit ciphertext C = E(k, P).
Block ciphers - definition
For any block cipher, and any key k, the function Ek is a permutation on {0, 1}N.
This means that it is a bijection - a one-to-one mapping of {0, 1}N to {0, 1}N.
Since it is a bijection, it has an inverse, Since E is invertible, decryption is
possible.
1kE
Block ciphers - definition
Both the cipher and its inverse E−1 should be easily computable:• Given k, P, we can compute E(k, P).
• Given k, C, we can compute E−1(k,C).
The key k should be chosen uniformly at random.
Block ciphers - design
The aim of the block cipher design is to make it practically impossible to retrieve the plaintext from the ciphertext without knowledge of the K-bit secret key.
Since decryption is only possible if the encryption function is invertible (i.e. if it is a bijection) the choice of possible N-bit block ciphers is restricted to one of (2N)! block ciphers.
Block ciphers - design
Of all these (2N)! block ciphers, only 2K are used, because of the parameterization by the key.
In practice, these 2K block ciphers that are actually used constitute an infinitesimally small fraction of (2N)! possible block ciphers.
Example: N=3, K=2 A 3-bit block cipher with 2 bits of key. There are (2N)! = 8! = 40320 possible
permutations, of which only 2K = 22 = 4 permutations are used.
Let these permutations be:
• k=00, p0=(4,6,1,8,5,7,3,2)
• k=01, p1=(5,2,7,1,8,6,4,3)
• k=10, p2=(8,6,2,1,3,4,5,7)
• k=11, p3=(3,8,6,2,4,7,5,1)
Example (cont.)
Let us choose k=00, which means:• k=00, p0=(4,6,1,8,5,7,3,2)
• or:
The corresponding block cipher, Ek:
Addr. Value
0 010
1 111
2 110
3 000
4 100
5 001
6 101
7 011
23758164
876543210p
Example (cont.)
The inverse permutation:• P0’=(3,8,7,1,5,2,6,4)
• or:
The corresponding inverse block cipher, Ek
-1:
Addr. Value
0 011
1 101
2 000
3 111
4 100
5 110
6 010
7 001
46251783
87654321'0p
Example (cont.)
Let us encipher X=101. The corresponding address is 5. Y=Ek(X)=Ek(5)=001. Deciphering: Y=001. The corresponding address is 1. Ek
-1(Y)=Ek-1(1)= 101=X.
Block ciphers - design
The problem of block cipher design:• determine which set of 2K block ciphers to
choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext;
• given prior knowledge of a few plaintext/ciphertext pairs it should be impossible to say anything about the fixed key.
Block ciphers - design
Any effective block cipher scheme must be realized efficiently in time and space, with as little implementation cost as possible.
The practical trade-off is to design a block cipher which is both sufficiently secure, and satisfactorily efficient in terms of hardware/software space and time resources.
Block ciphers - design
A block cipher with a secret key is considered perfect if, for all plaintexts P and ciphertexts C, it holds that Pr(P|C)=Pr(P).
If, for a fixed K-bit key, an N-bit block cipher is used to encrypt K/N plaintexts, then the cipher can always be chosen to be the one-time pad.
In this special case, the encryption is provably secure and the block cipher is perfect.
Block ciphers - design
In most situations the one-time pad is impractical as far too many secret keys must be used.
Therefore it is highly desirable to securely encrypt T plaintexts using the same, fixed K-bit secret key, where T >> K/N .
Block ciphers - design
Most modern block ciphers seek to maximize T, whilst still achieving an acceptable security.
This is achieved via a combination of:• confusion, which makes the relationship between key
and ciphertext as complicated as possible, and
• diffusion, which seeks to eliminate any redundancy in the plaintext. Diffusion also makes it difficult for any attacker to partially approximate the cipher.
Block ciphers - design
Confusion:• The relation between the key and the
ciphertext must be as complex as possible.
• Thus, the statistics of the ciphertext is not significantly influenced by the plaintext statistics.
• Confusion is achieved by means of substitution (through non linear functions, so called S boxes).
Block ciphers - design
Diffusion:• Diffusion annihilates the influence of the
redundancy of the plaintext on the ciphertext.
• It is achieved by making every letter of the ciphertext dependent on as much plaintext letters as possible (by means of linear transformations such as permutations).
Block ciphers - design
Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits and,
ideally, it would be impossible to decompose this S-box into smaller sub-units.
Such a block cipher would have a huge implementation complexity.
Block ciphers - design
Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext.
These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key.
This decomposition into practical sub-units constitutes a trade-off between security and acceptable complexity.
Block ciphers - design
A key-schedule is needed to derive round keys from a master key.
It is an accepted design principle that encryption using a block cipher, selected via a randomly-chosen key, should look like encryption by a randomly-chosen invertible function over N bits.
Block ciphers - design
Basic design types of block ciphers:• Feistel ciphers
• Substitution-permutation networks.
Both design philosophies have their advantages and disadvantages.
It is possible to combine these design types in a single block cipher (rarely used, e.g. SC2000).
There is no agreement about the best design philosophy for block ciphers.
Feistel ciphers
A basic Feistel cipher takes 2t plaintext bits, and is a permutation, F, which uses m round permutations, Fi:
Where ◦ is a composition of functions, i.e.
110 mFFFF
xGFxGxF
Feistel ciphers
Round i acts on t bits, R (right), by means of the keyed nonlinear function, fi, and XORs the result with other t bits, L (left).
The L and R halves are then swapped. After the i-th round, we have:
[L’ R’] becomes the new input [L,R] to the round i + 1.
RfLRRLFRL ii , , ','
Feistel ciphers F and the Fi must be permutations, but
the fi need not be. It takes two rounds before all plaintext
bits have been acted on in a nonlinear way.
In the decryption process, the same functions are used, but with the round keys used in reverse order.
Feistel ciphers Example of a round:
Feistel ciphers
Examples of Feistel design:• LUCIFER (author: Horst Feistel)
• DES (Data Encryption Standard)
• MISTY1
• KASUMI (used in UMTS)
• CAMELLIA
• FEAL
• etc.
Substitution-permutation networks A substitution-permutation network (SPN)
separates the role of confusion and diffusion in the cipher.
The cipher is also decomposed into iterative rounds.
Each round comprises a layer of non linear functions (often S-boxes), followed by a linear layer (often a permutation).
The non linear layer provides the confusion. The linear layer provides the diffusion.
Substitution-permutation networks
The separating of the tasks of confusion and diffusion allows the designer to maximise nonlinearity for the non linear layer, and maximise information spread for the diffusion layer.
Examples of SPN design:• AES (Rijndael) (Advanced Encryption Standard)
• IDEA
• etc.
Non linear transformations
Non linearity in block ciphers is usually introduced by means of tables, so called S-boxes.
There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)
Non linear transformations
S-boxes can be very simple. For example, S-boxes of Rijndael and Camellia are essentially X-1 over GF(28).
Regarding the relation with the key, S-boxes can be• Key dependent
• Key independent.
Non linear transformations
Almost perfect non linear functions (APN) – resistant to certain attacks against block ciphers (differential and linear cryptanalysis):• Let f(x) be a mapping: GF(pn)→GF(pn).
• Let N(a,b) denote the number of solutions xGF(pn) of the equation f(x+a)–f(x)=b, a,b GF(pn).
• Let f = max{N(a,b) | a,bGF(pn), a≠0}.
Non linear transformations
For linear functions, f(x+a)=f(x)+f(a). So, f(x+a)-f(x)=f(x)+f(a)-f(x)=f(a). Thus for linear functions b=f(a), which
means that every x satisfies the equation.
A completely contrary case: only 1 solution of the equation – the “most nonlinear” function f(x).
Non linear transformations
If f =k , the mapping is called differentially k uniform.
For applications in cryptography, f should be as small as possible.
If p is odd, there exist functions for which f = 1 → perfect nonlinear functions (PN).
Functions of the form f(x)=xd over GF(pn), p prime, are of special interest.
Non linear transformations
Theorem 1:• f(x)=xd is a mapping over GF(pn), p>2.
• Then f(x) is 1-uniform (PN) in the following cases:• d=2;
• d=pk+1, n/(n,k) is odd;
• d=(3k+1)/2, p=3, k odd, (n,k)=1.
Since for the most interesting case, p=2, PN functions do not exist, we use APN.
Non linear transformations
APN functions → f = 2. For p = 2, if x is a solution of f(x+a)-
f(x)=b, so is x+a. Thus f = 2 is the smallest possible value
when p=2. This means that the restricted meaning of
“almost” is not justified in this case.
Non linear transformations
Theorem 2:• f(x)=xd is a mapping over GF(2n).
• Then f(x) is APN in the following cases:
• n=2m+1:• d=2n-2;
• d=2k+1, (n,k)=1, 1km; (Gold’s function)
• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function)
• d=2m+3; (Welch’s function)
• d=2m + 2m/2 − 1 (even m), 2m + 2(3m+1)/2 − 1 (odd m); (Niho’s function)
Non linear transformations
Theorem 2 (cont.):• n=2m:
• d=2k+1, (n,k)=1, 1km; (Gold’s function)
• d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function).
An exponent d’ is equivalent to d if there is t such that d’=2td.
An S-box can be obtained by means of a linear transform of a power function xd of this type.
The Hamming weight of d is equal to the non linear order of the S-box obtained from xd.
Non linear transformations
Example: Use the Kasami exponent to design a 7-bit S-box.• n=7, m=3, 2k3.
• Let us choose k=2. (2,7)=1.
• Then d=22k-2k+1 = 24-22+1=13.
• The Hamming weight of d=1310=11012 is 3, so the non linear order of the S-box will be 3.
• We now pick an irreducible polynomial of degree n=7, f(x)=x7+x+1.
Non linear transformations
Example (cont.):• We also pick polynomials a(x) and b(x) at
random, deg a(x)<n, deg b(x)<n. For example, let a(x)=x5+x4+x+1, b(x)=x4+x.
• The general linear function F(x)=ax+b is used to transform xd linearly, i.e. S(x)=F(x)◦xd=F(xd)=axd+b, a,b,xGF(27).
• Thus, the S-box is S(x)=a(x)xd+b(x) mod f(x), x=0,…,2n-1.
Non linear transformations
Example (cont.):• For any primitive element , the field elements
of GF(27) determined by f(x)=x7+x+1 are:0=1→0000001 7= +1 →000011
1= →0000010 8= 2+ →0000110
2= 2 →0000100 9= 3+2 →0001100
3= 3 →0001000 10= 4+3 →0011000
4= 4 →0010000 11= 5+4 →0110000
5= 5 →0100000 12= 6+5 →1100000
6= 6 →1000000 13= 6++1 →1000011 …
Non linear transformations
Example (cont.):• Then (i)13= (i13) mod 127:
• (0)13=1→0000001
• (1)13=13= 6++1→1000011
• (2)13=26= 6+5+2+1→1100101
• (3)13=39= 5+4+3+ →0111010
• …
• (10)13=130 mod 127=3→0001000
• …
Non linear transformations
Example (cont.):• Every (i)d= (id) mod 127 should now be multiplied
by a(x) mod f(x) and b(x) is added to the result. So we finally get:0=0000001→a(x)+b(x)→ 5+1→01000011=0000010→ ((x5+x4+x+1)(x6+x+1)+(x4+x)) mod
(x7+x+1) →5+3+2→0101100
• The addresses should be given in the increasing order, from 0000000 to 1111111, and the corresponding values of S are given for every address → S-box.
Commonly used designs
Feistel ciphers:• DES (triple DES, etc.)
• KASUMI
• …
Substitution-permutation networks:• Rijndael (AES)
• IDEA
• …
DES
The block cipher most implemented in practice is (still, as triple DES) DES (Data Encryption Standard), introduced in USA by NBS (National Bureau of Standards) in 1974.
The length of the block in this cipher is 64 bits and the length of the key is 56 bits.
DES works alternatively over two halves of the block to be enciphered.
DES First, an initial fixed permutation of the input
block is performed. Then the block is divided into two halves. After that, a modular operation is realized 16
times (“rounds"). This operation consists of summing modulo 2 the
left part with a function of the right part F(Ki), managed by the subkey Ki, i=1,…,16, where i is the ordinal number of the round.
After that, the left and the right parts are interchanged.
DES The initial permutation is represented in the following
way in the standard FIPS 46-3: 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 This means that the 58th bit of input becomes the 1st
bit of output, 50th bit of input becomes the 2nd bit of output, etc.
DES
DES
In the round 16 the interchange is omitted. There is a final permutation, inverse to the
initial one. DES realizes an involution and because of that
it is not necessary to invert the function F in the deciphering algorithm.
The function F contains non linear operations.
DES The final permutation: 40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25 The 40th bit of input becomes the 1st bit of output, etc.
DES
DES
The expansion algorithm from 32 to 48 bits:
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1 The first bit of the resulting 48 bit vector
is the 32nd bit of the input vector, etc.
DES The function F is a set of following operations:
• The first manipulation consists of producing a vector of 48 bits from the initial 32 bits by means of a linear expansion.
• Next, the local key of 48 bits is combined with the obtained vector by means of the sum modulo 2, bit by bit.
• Thus another vector of 48 bits is obtained, which is divided in 8 groups of 6 bits each.
• Each group serves as input to 8 functions called S-boxes.• These boxes are responsible for the non linearity of DES.• The output of each S-box are 4 bits. • When a single input bit is changed, at least 2 output bits
are changed.
DES
S1 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
DES
S2 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
DES
S3 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
DES
S4 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
DES
S5 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
DES
S6 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
DES
S7 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
DES
S8 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
DES
Addressing of the DES S-boxes:• Let the addressing 6-tuple for any S-box be
b1b2b3b4b5b6.
• The bits b1b6 determine the row of the S-box.
• The bits b2b3b4b5 determine the column of the S-box.
• Example:
• Let the addressing 6-tuple of the 3rd S-box be 001001.
• The row is 01, which means the 2nd row, since 00 is the first row.
• The column is 0100, which means the 5th column, since the numbering starts from 0000.
DES
Finally, the information passes through a "P-box", which is a fixed permutation, chosen in such a way that a maximum diffusion of bits is achieved through the whole 32 bit vector.
The P-box: 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25 16th bit of input becomes the 1st bit of output,
etc.
DES
Although DES handles 64 bit keys, the first operation that is realized in the process of key expansion is their reduction to 56 bits, by eliminating one bit of every 8 bits.
Then the remaining bits are reordered. Next, 16 subkeys necessary in the 16
rounds of the algorithm are obtained.
DES The reordering key permutation: 57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4 57th bit of input becomes the 1st bit of output, etc.
Every 8th bit of the initial 64 bit key is dropped.
DES During the deciphering process, the subkeys are used in
the reverse order. The subkeys are generated in the following way:
• First, the key of 56 bits is divided in two halves of 28 bits each.
• Then, the halves are rotated left 1 or 2 bits, depending on the round. Rotating left a number of positions depending on the round is recursive, which means that the initial vector for the i-th round is the output vector of the (i-1)st round.
• After the rotation, the halves are reunited, obtaining again 16 groups of 56 bits.
• Next, 48 bits of each group are selected to form the final 16 subkeys, in the process denominated "permutation with compression".
DES Iteration Number Number of Left Shifts
1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 2 11 2 12 2 13 2 14 2 15 2 16 1
DES The choice of 48 bits of the i-th subkey from
the corresponding 56 bits: 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32
DES
For deciphering, DES should run backwards, which means that K16 subkey is used in the first round, K15 in the second, …, K1 in the 16th round.
Triple DES – mode 1
The data is encrypted with the first key, then encrypted with the second key, and finally encrypted with the third key.
Triple DES – mode 2
The data is encrypted with the first key, then decrypted with the second key, and finally encrypted again with the first key.
Goal: compatibility with a single DES.
Triple DES - security
Equivalent key length:• Of Double DES – only 57 bits (so called Meet-
in-the-middle attack is possible that reduces the size of the key from 112 to 57 bits).
• Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length.