Block Ciphers and Modes of Operationcrypto.dei.polimi.it/files/lec003presentation.pdf · Data...
Transcript of Block Ciphers and Modes of Operationcrypto.dei.polimi.it/files/lec003presentation.pdf · Data...
Block Ciphers and Modes of Operation
Gerardo Pelosi
Department of Electronics, Information and Bioengineering (DEIB)Politecnico di Milano
gerardo.pelosi - at - polimi.it
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 1 / 46
Overview
Lesson contents
Design structures for block ciphers: Feistel Network (FN) andSubstitution & Permutation Network (SPN)
The Feistel Network structure
Data Encryption Standard (DES)
Security of DES, Double-DES, Triple-DES, DES-X
Modes of Operation to guarantee Confidentiality: ECB, CBC, OFB,CFB, CTR
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 2 / 46
Block Ciphers
Block ciphers operate on a block of plaintext m∈M (m = 〈m1, . . . ,mn〉)to produce a block of ciphertext (c = 〈c1, . . . , cn〉 ∈ C) through akey-parametric transformation (either Ek() or Dk())
The block size n is in the [64,512] bit range
ptx size might not be multiple of block size ⇒ padding needed!
For ptxs longer than a single block, the scheme used to apply Ek()(or Dk()) is called mode of operation
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 3 / 46
Purposes of a block cipher
Security desiderata
Provide nontrivial blending of plaintext and ciphertext (confusion)
Provide statistical flatness of the output (diffusion)
Be analyzable in a clear and formal way to ensure sound security
A structure based on the repetition of a short sequence of steps(round) is preferable to a monolithic design
Efficiency desiderata
Provide efficient encryption and decryption
Possibly reuse SW/HW resources for both Ek() and Dk() (lower codesize or silicon area)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 4 / 46
Design Strategies
Glossary
Cipher state:
The result of each operation performed by the cipherInitialized with the ptx; contains the ctx at the end of the computation
Round: basic sequence of operations applied to the cipher state, anumber of times (involves blending the key into the state)
Key schedule: procedure expanding the original user key into keymaterial to be used in each round
High level strategy
Expand the user key into a set of subkeys and combine them with thecipher state during the execution of the round primitive
Repeating the round increases the complexity of the dependencyrelations among the user key bits and the bits of the cipher state
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 5 / 46
Design Strategies: Feistel Networks and SPNs
Feistel Networks
Invented by Horst Feistel (in ’50-’60), it splits the cipher state in twoparts and acts on one of them per round
The decryption employs the same cipher structure, except for areversal in the key schedule
Substitution Permutation Networks
A SPN implements the confusion-diffusion principles suggested byShannon with distinct enc/dec transformations
The round of a SPN acts on the whole cipher state with:
A “non-linear” function providing Confusion (represented as a lookuptable, a.k.a.: Substitution-Box – S-box)A “linear” function providing Diffusion (f.i., a bitwise permutation, orpairs of rot-xor operations)The addition of a part of the key schedule
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 6 / 46
Feistel Network
Definition
A Feistel network transforms an n-bit ptx block m=〈L0,R0〉, for n/2-bitsub-blocks L0 and R0, into a ctx block c=〈Rr , Lr 〉, through an r -roundprocess (r≥1).
Feistel(〈L,R〉, k)
1 for i ← 0 to r − 12 do temp ← L3 L← R4 R ← temp ⊕F(ki ,R) // Li = Ri−1, Ri = Li−1 ⊕F(ki ,Ri−1)
5 R ← R ⊕F(kr , L)6 return 〈R, L〉
where F is an arbitrary function (possibly non-linear and non-invertible)and each subkey ki is computed from key schedule of the cipher key k
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 7 / 46
Structural Properties
The interesting properties of a Feistel network are
the round transformation is invertible regardless of the choice of thefunction F . Indeed, for the i-th round:
Li = Ri−1, Ri = Li−1 ⊕F(ki ,Ri−1)
we can also write
Ri−1 = Li , Li−1 = Ri ⊕F(ki , Li )
Note that the last round block halves are swapped 〈Rr , Lr 〉, and notin their usual left-right order 〈L,R〉Applying the Feistel network on a ctx (using the subkeys in reverseorder, i.e. kr through k0) provides the ptx
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 8 / 46
Feistel Network
Block Diagram
Enc:
Dec:
Figure : The structure of a Feistel Network
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 9 / 46
Feistel Network
Description
Confusion: provided by the key-dependent F function
Diffusion: obtained adding the F-processed part Ri to Li
Known ciphers
DES: standard encryption algorithm for US-government unclassifieddocuments from 1976 to 2000
Blowfish: flexible key length, part of the key changes the substitutionmaps of the round, the Key schedule is slow
Twofish: like blowfish, with a more efficient Key Schedule
CAST5: arithmetic operations and key-dependent bit-rotationsemployed in the F map. Efficient SW implementation
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 10 / 46
Feistel Network
DES - structure
IP
FP
PTX
CTX
16-round Feistel cryptosystem with 64-bit wide cipher state:
Cipher key: 64 bits; only 56 bits are used. One bit per byte is a parity bit.
Key schedule: produces 〈k1, . . . , k16〉, 48 bits each. Each round keys isobtained through bitwise permutation and selection of the initial 56 bits.DES-peculiar feature: k1 = k16
The fixed permutations IP, FP=IP−1, have no effect on the security;IP and FP were motivated by the ease of laying out the circuit wires
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 11 / 46
DES Structure
DES Round
It takes a 64-bit block 〈Li−1,Ri−1〉 and a 48-bit subkey ki to computeLi = Ri−1,Ri = Li−1 ⊕F(ki ,Ri−1), where
F(ki ,Ri−1) = P-box(S-box(ki ⊕ E-box(Ri−1))
1 E-box(Ri−1) expands Ri−1 from 32 into 48 bits (〈b1b2 . . . b8〉, each bi is 6bits) via a fixed expansion that simply duplicates some bits
2 Adds the 48-bit round key: 〈b1b2 . . . b8〉←ki⊕〈b1b2 . . . b8〉3 Map the 48-bit word into a 32-bit one via applying 8 fixed S-boxes.
For each bi , ci = Si (bi ), where Si maps 6 into 4 bitsSi are the only non-linear component of DES.They are usually described as look-up tables: 1st and 2nd input bitsaddress the row, the remaining bits address the column of the cellcontaining the 4 output bits
4 Apply a fixed bitwise permutation specified by the P-box
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 12 / 46
DES Round
F -function
Li = Ri−1,Ri = Li−1 ⊕F(ki ,Ri−1)
F(ki ,Ri−1) = P-box(S-box(ki ⊕ E-box(Ri−1))
E-box stage32 bits → 48 bits
bitwise XOR with the48-bit round subkey
S-box stage48 bits → 32 bits
P-box stage32 bits → 32 bits
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 13 / 46
DES Properties
Complementation property
Inverting the bit values of the input ptx m and key k, yields a ctx equal tobitwise inversion of the DES(k,m)
DES(k ,m) = DES(k ,m) ∀m ∈M, ∀ k ∈ K
Chosen-ptx attack
An adversary collects the ptx-ctx pairs (m1, c1), (m1, c2), withc1 = DES(k ,m1), and c2 = DES(k,m1). Noting that
c2 = DES(k ,m1)⇔ c2 = DES(k ,m1)
For a random value k̃ , the adversary checks if either DES(k̃ ,m1) yields c1or c2. If not, she rules out 2 key values (k̃,¬k̃), with a single DEScomputation. Exhaustive key search goes down to 254 trials (. . .not thatuseful in practice!)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 14 / 46
DES Properties
The DES secret key should be randomly chosen, but there are some particular
values that should not be used as the key schedule creates 16 identical subkeys
(Weak Keys) or only two different values for 16 subkeys (Semi-weak keys)
Weak Keys
Encrypting a ptx twice with a weak key k , yields the original ptx.DES(k ,DES(k ,m)) = m, ∀ m ∈M
There are 4 weak keys (Group1)If the implementation does not check the parity bits of k , 4 extra key values areweak (Group2)
Group1 Group20x 0101010101010101 0x 0000000000000000
0x FEFEFEFEFEFEFEFE 0x FFFFFFFFFFFFFFFF
0x E0E0E0E0F1F1F1F1 0x E1E1E1E1F0F0F0F0
0x 1F1F1F1F0E0E0E0E 0x 1E1E1E1E0F0F0F0F
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 15 / 46
DES Properties
Semi-Weak Keys
A Semi-Weak key pair 〈k , k ′〉 cause the composition of two DESencryptions employing k and k ′ to compute the original ptx
DES(k,DES(k ′,m)) = m, ∀ m ∈M
There are 6 semi-weak key pairs:
〈 0x 011F011F010E010E, 0x 1F011F010E010E01 〉〈 0x 01E001E001F101F1, 0x E001E001F101F101 〉〈 0x 01FE01FE01FE01FE, 0x FE01FE01FE01FE01 〉〈 0x 1FE01FE00EF10EF1, 0x E01FE01FF10EF10E 〉〈 0x 1FFE1FFE0EFE0EFE, 0x FE1FFE1FFE0EFE0E 〉〈 0x E0FEE0FEF1FEF1FE, 0x FEE0FEE0FEF1FEF1 〉
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 16 / 46
DES Properties
DES is not a group
Given a ptx m and a pair of keys k1, k2, the set of DES (biijective)transformations is not closed under composition:
∀m @ k3 s.t. DES(k3,m) = DES(k2,DES(k1,m))
The above condition means that encrypting a ptx m through applying DES twice
with two different keys, is not the same as encrypting m once with a third key
Demonstrated in
K.W. Campbell and M.J. Wiener, DES is not a group, Advances inCryptology - Crypto’92, Springer-Verlag (1993), pp. 512-520
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 17 / 46
DES Breaking
Due to the computational power available today that employs alsospecialized parallel hardware DES has become insecure
Brute Forcing DES
Given a ptx-ctx pair, an exhaustive key search needs to perform on average255 DES encryptions:
Computing 1 encryption per micro-second⇒ 255 ≈ 3.6 1010 [DES/s] ≈ 1142 [DES/year]
Employing 106 devices in parallel gives a break in ≈ 10 hours
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 18 / 46
DES Breaking
Brute Forcing DES
1998: Electronic Frontier Foundation (EFF) broke the DES employingad-hoc ASIC hw (EFF DES Cracker: [92 109 [keys/sec]) in 56 hoursfor less than 250K USD
1999: EFF provided a DES breaking in 23 hours (245 109 [key/s])employing a distributed breaker with 105 computers
2008: a German company, SciEngines GmbH, reduced the time tobreak DES in about 20 hours (292 109 [key/s]), using a cluster of 16devices, each equipped with 8 FPGAs Spartan-3 5000’s, for a totalcost of about than 5K Euros, with a power consumption ≤ 850 peakwatts
To increase the resistance of the standard cipher against brute forceattacks, in 1998 the Triple DES was standardized by ANSI and NIST
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 19 / 46
Double DES (2DES)
Remember that DES “is not a group” thus, multiple applications of theprimitive with different keys seems to be a good strategy to improve thesecurity
2DES
Double DES cipher consists of applying the DES primitive twice
c = 2DES(k1, k2,m)def.= DES(k1,DES(k2,m))
nevertheless, this structure is vulnerable to meet-in-the-middle attacks:
c = DES(k1,DES(k2,m))⇐⇒ DES−1(k1, c) = DES(k2,m)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 20 / 46
Double DES (2DES)
Meet-in-the-middle
This analysis technique trades the number of DES encryptions employed inan exhaustive key search with storage. Given a ptx-ctx pair, 〈m, c〉
c = DES(k1,DES(k2,m))⇔ DES−1(k1, c) = DES(k2,m)
for all k2 candidate key values k(2,i)∈{0, . . . , 256−1} computeAi=DES(k(2,i),m) and store Ai
this costs 256 DES encryptions and 256 memory cells (with 64-bit size)
for every k1 candidate key values k(1,j)∈{0, . . . , 256−1} compute
Bj=DES−1(k(1,j), c) and check all the equalities Ai=Bj .If an equality Ai=Bj holds, then store the key pair 〈k(2,i), k(1,j)〉
in the worst case, this costs 256 decryptions
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 21 / 46
Double DES (2DES)
Key pair sieving
with the meet-in-the-middle analysis, there is a set of candidate key pairsS={〈k(2,i), k(1,j)〉,. . ., }
Obs: given m, c=DES(k(1,j),DES(k(2,i)(m)), there are 2112 possiblekey values and 264 possible ctxs values c , therefore there are up to2112
264=248 key values 〈k(1,j), k(2,i)〉 associated to the pair 〈m, c〉
Through employing a second ptx-ctx pair 〈m′, c ′〉, it is possible to checkwhich key pair in S is the correct one
Obs. c ′ may have a value in the range {0, . . . , 264−1}, but the set Slimits the number of such values to 248 (one for each possible key pairin S). Thus, the probability to have more than one key pairs in S that
yield to the same c ′ is 248
264= 1
216.
The 2DES cipher employs a 112-bit key but it is vulnerable to a Knownptx attack with a cost of ≈ 257 DES enc.s, thus, it is not better than thesingle DES !!!
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 22 / 46
Triple DES (TDES)
The standardized TDES provides a simple method to effectively increasethe key size w.r.t. DES without designing a completely new block cipher
3DES
The improved primitive employs:
a ”key bundle” with three DES keys: k1, k2 and k3, each of 56 bits(excluding parity bits)
an iterated application of the DES primitive to define both theencryption and the decryption transformation
c = 3DES(k1, k2, k3,m)def.= DES(k1,DES−1(k2,DES(k3,m)))
m = 3DES−1(k1, k2, k3,m)def.= DES−1(k3,DES(k2,DES−1(k1, c)))
where DES−1 indicates the inverse DES transformation (i.e. theapplication of the key schedule in reverse order)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 23 / 46
Triple DES (TDES)
c = DES(k1,DES−1(k2,DES(k3,m)))
The standards define three keying options:
Keying opt. 1 (3DES3): All three keys are independent
Keying opt. 2 (3DES2): k1 and k2 are independent, and k3=k1Keying opt. 3 (no longer recommended): All three keys are identical,i.e. k1=k2=k3
was used to provide backward compatibility with DES, because the 1stand 2nd DES operations cancel out
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 24 / 46
Triple DES (TDES)
3DES3
c = DES(k1,DES−1(k2,DES(k3,m)))
The 3DES with k1 6=k2 6=k3 can be attacked with two variants of the meet-in-themiddle strategy:DES−1(k1, c) = DES−1(k2,DES(k3,m))
storage for 2112 values: {〈 〈k1, k2〉, DES−1(k2,DES(k3,m)) 〉}
256 DES−1 computations and lookups in the previous table to find a match
DES(k2,DES−1(k1, c)) = DES(k3,m)
storage for 256 values: {〈k3, DES(k3,m))〉}
2112 DES(k2,DES−1(k1, c)) comp.s and lookups to find a match
The 3DES3 cipher employs a 168-bit key and requires 2112 DESencryptions for a known ptx attack
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 25 / 46
Triple DES (TDES)
3DES2
c = 3DES2(k1, k2, k1,m)def.= DES(k1,DES−1(k2,DES(k1,m)))
The 3DES2 with k1 6=k2 can also be attacked with a meet-in-the middlestrategy having the same costs of attacking the 3DES3
The 3DES2 cipher is the preferred choice as it employs a 112-bit key andrequires 2112 DES encryptions for a known ptx attack
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 26 / 46
Triple DES (TDES)
2DES is 2× slower than DES, with a double key length and the samesecurity margin (≈ 256 DES enc.s)
3DES3 is 3× slower than DES, with a triple key length and a doublesecurity margin (≈ 2112 DES enc.s)
3DES2 is 3× slower than DES, with a double key length and a doublesecurity margin (≈ 2112 DES enc.s)
DES-XIt is a variant on the DES block cipher to increase the complexity of a brute forceattack using a technique called key whitening. Three independent keys are used.The fist key k has 56-bit size, while the other keys k1, k2 have 64-bit size
c = DES-X(k , k1, k2,m)def.= k2 ⊕DES(k ,m ⊕ k1)
m = DES-X−1(k , k1, k2, c)def.= k1 ⊕DES−1(k, c ⊕ k2)
DES-X is about as fast as DES, with a 184-bit key and a security margin ≈ 2120
DES enc.s
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 27 / 46
Theoretical Attacks
More effective techniques for the cryptanalysis of the DES cipher are
linear cryptanalysis
differential cryptanalysis
(Quantitative examples in the next lesson)These techniques are always applied to test the robustness of every blockcipher
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 28 / 46
Theoretical Attacks
Linear cryptanalysis
Finds an approximated linear relation among some bits of a ptx and thebits in input at the last round of the cipher, in such a way to easily recover(in a second step) the values of some bits of the secret key.
243 known ptx-ctx pairs to find a DES key [Matsui, 1993]
Differential cryptanalysis
Finds how differences between two input ptxs propagate within the cipherup to the beginning of the last round. In a subsequent step, thisknowledge is exploited to obtain the values of some bits in the last subkey.
247 chosen ptx-ctx pairs to find a DES key, [Biham and Shamir, 1990]
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 29 / 46
Modes of Operation
Definition
A Mode of operation specifies the way to encrypt a message m ∈M ofarbitrary length through employing a block cipher
Currently, there are modes of operations to guarantee
Confidentiality of messages: (5 modes)
Electronic CodeBook mode (ECB)Cipher Block Chaining mode (CBC)–most popular–not entirely secureOutput FeedBack mode (OFB)Cipher FeedBack mode (CFB)Counter mode (CTR)
Authentication of messages: (1 mode) CMAC
Both confidentiality and authentication: (2 modes) CCM and GCM
We will present the last two categories after the study of Hash functions!
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 30 / 46
Modes of Operation
The plaintext message m ∈M is broken into blocks of equal sizem=〈m1,m2, . . .〉The last part of m might be shorter than one block, thus padding is neededPossible padding:
Known non-data values (e.g. nulls)
A number indicating the size of the pad
A number indicating the size of the plaintext
Note that the last two schemes may require an extra block
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 31 / 46
Electronic Code Book (ECB)
Each block is encrypted independently to compose the ciphertext messagec ∈ C as c = 〈 c1, c2, . . .〉, where:
ci = Ek(mi ), i = 1, 2, . . .
For a given key, this mode behaves like we have a gigantic codebook, inwhich each ptx block has an entry, hence the name Electronic Code Book
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 32 / 46
Electronic Code Book (ECB)
The major disadvantage of this method is that identical ptx blocks areencrypted into identical ctx blocks; thus, it does not hide data patternswell!
Original ECB mode Other modes
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 33 / 46
Remarks on ECB
Strengths:
It’s simple, fast and amenable to massive parallelization
One-bit error in the ctx causes a single block error in the ptx
Weaknesses:
If the same message is encrypted (under the same key) twice, the ctxsare the same
Repetitive information contained in the ptx may show in the ctx(expecially if aligned with blocks!)
Suffers from block insertion or deletion attacks.These threats can be mitigated or countered by
adding checksums over a number of ptx blocksusing a mode of operation which adds some ’context’ to each ctx block
Typical application: secure transmission of short pieces of information(e.g., a temporary encryption key)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 34 / 46
Cipher Block Chaining (CBC)
Blocks are encrypted/decrypted via the following equations:{c0 = IVci = Ek(mi ⊕ ci−1), for i ≥ 1 mi = Dk(ci )⊕ ci−1, for i ≥ 1
The Initialization Vector (IV) ensures that two encryptions of the sameptx produce different ctxs
IV is a random value usually transmitted in clear from the encryptorto the decryptor as part of the ctx message
IV is a fixed value (e.g. zero) when the key k of the block cipher isused only once
IV can be sent encrypted in ECB mode before the rest of ctx blocks
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 35 / 46
Cipher Block Chaining (CBC)
A Chaining strategy is the easiest way to add ’context’ to each ctx block
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 36 / 46
Remarks on CBC
Strengths:
The encryption of a block depends on itself and all blocks before it.So, repeated ptx blocks are encrypted differently
A ptx block can be recovered from two adjacent blocks of ctx ⇒decryption can be parallelized !
A one-bit change to the ctx corrupts the corresponding ptx block, andinverts the corresponding bit in the next ptx block.Further error propagation is avoided (CBC is self-recovering)
insertion or deletion attacks aiming to replace/insert/delete someblocks are detected!
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 37 / 46
Remarks on CBC
Weaknesses:
Its main drawback is that encryption is sequential (i.e., encryptioncannot be parallelized !)
No recover against synchronization errors is possible:
If a bit is added or lost from the cipher-text string, then all subsequentblocks are garbled
An adversary can alter a ctx block in such a way to arbitrarily modifythe following ptx block. This comes at the cost of destroying thecorresponding ptx block.
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 38 / 46
Stream based Modes
Given a plaintext message m ∈M as a sequence of blocks m = 〈 m1, m2,. . . , 〉 the CFB, OFB and CTR modes of operation generate a key streamk1, k2, k3 . . . (each key has the size of a block) to mask each ptx block as:
ci = mi ⊕ ki , for i ≥ 1
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 39 / 46
Cipher FeedBack mode (CFB)
The plaintext message m ∈M is broken into blocks of j bits (1≤j≤ n):m = 〈m1, m2, m3, . . .〉A n-bit block cipher employed in CFB mode is provided with an n-bitInput Shift Register (ISR) and an n-bit Output Shift Register (OSR).
1 The ISR is initially filled with an initialization vector (IV)
2 The encryption algorithm is run once to output n bits into OSR
3 The leftmost j bits of OSR are then xor’ed with a group of j ptx bits
4 The result of this xor operation is sent over the network and fed backto the ISR, shifting the leftmost j bits out
5 The encryption algorithm is run again and the next group of j bits isencrypted in the same fashion
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 40 / 46
Cipher feedback mode (CFB)
EncryptionISR0 ← IVOSRi ← Ek(ISRi−1), for i ≥ 1ci ← mi ⊕ j-leftmost bits of OSRiISRi ← (ISRi−1<<j)⊕ ci
DecryptionISR0 ← IVOSRi ← Ek(ISRi−1), for i ≥ 1mi ← ci ⊕ j-leftmost bits of OSRiISRi ← (ISRi−1<<j)⊕ ci
The IV has the same properties discussed for the CBC mode
It’s useful in some applications such as encrypting interactive terminal inputs
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 41 / 46
Remarks on CFB
Strengths:
The transmitted information comes in the form of arbitrarily size data
Used with j=1-bit, a one bit de-synchronization is automaticallyrecovered n+1 positions after the inserted or deleted bit
Weaknesses:
Bit errors will corrupt the ptx block at the same bit positions. Thecorrupted cipher block will then be fed to the ISR and cause bit errorsin the ptx for as long as the erroneous bits stay in ISR. After that, thesystem recovers, and all following bytes are decrypted correctly
It is subject to insertion attacks/deletion attacks that spoil the blocksynchronization boundaries
Cannot recover from lost ctx segments; if a ctx segment is lost, allfollowing segments will be decrypted incorrectly (if the receiver is notaware of the segment loss)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 42 / 46
Output Feedback mode (OFB)
The Mode is similar to CFB, except that ISR is fed back with OSR insteadof the ctx
EncryptionISR0 ← IVOSRi ← Ek (ISRi−1), for i ≥ 1ci ← mi ⊕ j-leftmost bits of OSRiISRi ← (ISRi−1<<j)⊕ j-leftmost bits of OSRi
DecryptionISR0 ← IVOSRi ← Ek (ISRi−1), for i ≥ 1mi ← ci ⊕ j-leftmost bits of OSRiISRi ← (ISRi−1<<j)⊕ j-leftmost bits of OSRi
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 43 / 46
Remarks on OFB
Strengths:
The transmitted information comes in the form of arbitrarily size data
The encryption process can be partially parallelized as the values ofOSR can be pre-computed
In OFB, the bit error(s) in the decrypted ctx block (or segment)occur in the same bit position(s) as in the ctx block (or segment); theother bit positions are not affected
Weaknesses:
bit errors in the IV affect the decryption of every ctx block
It is subject to malicious bit insertion/deletion into the ctx, thusspoiling the synchronization of the block (or segment) boundaries;
Cannot recover from lost ctx segments; if a ctx segment is lost, allfollowing segments will be decrypted incorrectly (if the receiver is notaware of the segment loss)
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 44 / 46
CounTeR mode (CTR)
The plaintext message m ∈M is broken into blocks of equal size m = 〈m1, m2, . . . , 〉 The encryption proceeds for the i-th block, by encryptingthe value of IV+i and then xor’ing this with the message block: ctri ← IV + i , i ≥ 0
ti ← Ek(ctri )ci ← mi ⊕ ti
The Initialization Vector (IV) must be a random number to make surethat two encryptions of the same ptx produce different ctxs
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 45 / 46
Remarks on CTR
Strengths:
Needs only the encryption algorithm
Fast encryption/decryption; blocks can be processed (encrypted ordecrypted) in parallel; good for high speed links
Random access to encrypted data blocks
Bit errors in a ctx block cause errors only in the same bit position(s)of the decrypted block
Weaknesses:
IV should be unpredictable
an error in a certain ctx block affects the whole decrypted ctx block;however, no other block is affected
G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation 46 / 46