6/15/2015 Block cipher - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Block_cipher

Block cipher
From Wikipedia, the free encyclopedia

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

The modern design of block ciphers is based on the concept of an iterated product cipher. Product ciphers were suggested and analyzed by Claude Shannon in his seminal 1949 publication Communication Theory of Secrecy Systems as a means to effectively improve security by combining simple operations such as substitutions and permutations.[1] Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers is called a Feistel network, named after Horst Feistel, and notably implemented in the DES cipher.[2] Many other realizations of block ciphers, such as the AES, are classified as substitution-permutation networks.[3]

The publication of the DES cipher by the U.S. National Bureau of Standards (now National Institute of Standards and Technology, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. In the same way, it influenced the academic development of cryptanalytic attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. Today, there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute force attacks.

Even a secure block cipher is suitable only for the encryption of a single block under a fixed key. A multitude of modes of operation have been designed to allow their repeated use in a secure way, commonly to achieve the security goals of confidentiality and authenticity. However, block ciphers may also be used as building blocks in other cryptographic protocols, such as universal hash functions and pseudo-random number generators.

Contents

1 Definition
2 Design
  2.1 Iterated block ciphers
  2.2 Substitution-permutation networks
  2.3 Feistel ciphers
  2.4 Lai-Massey ciphers
  2.5 Operations
    2.5.1 ARX (add-rotate-xor)
    2.5.2 Other operations
3 Modes of operation
4 Padding
5 Cryptanalysis
  5.1 Brute force attacks
  5.2 Differential cryptanalysis
  5.3 Linear cryptanalysis
  5.4 Integral cryptanalysis
  5.5 Other techniques
6 Provable security
  6.1 Standard model
  6.2 Ideal cipher model
7 Practical evaluation
8 Notable block ciphers
  8.1 Lucifer / DES
  8.2 IDEA
  8.3 RC5
  8.4 Rijndael / AES
  8.5 Blowfish
9 Generalizations
  9.1 Tweakable block ciphers
  9.2 Format-preserving encryption
10 Relation to other cryptographic primitives
11 See also
12 References
13 Further reading
14 External links

    Definition

A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, D.[4] Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. The decryption algorithm D is defined to be the inverse function of encryption, i.e., D = E^-1. More formally,[5][6] a block cipher is specified by an encryption function

which takes as input a key K of bit length k, called the key size, and a bit string P of length n, called the block size, and returns a string C of n bits. P is called the plaintext, and C is termed the ciphertext. For each K, the function E_K(P) is required to be an invertible mapping on {0,1}^n. The inverse for E is defined as a function

taking a key K and a ciphertext C to return a plaintext value P, such that

For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.[7]

For each key K, E_K is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the possible set of .[8]

    Design


Iterated block ciphers

Most block cipher algorithms are classified as iterated block ciphers which means that they transform fixed-size blocks of plaintext into identical-size blocks of ciphertext, via the repeated application of an invertible transformation known as the round function, with each iteration referred to as a round.[9]

Usually, the round function R takes different round keys K_i as second input, which are derived from the original key:

where is the plaintext and the ciphertext, with r being the round number.

Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used):

Given one of the standard iterated block cipher design schemes, it is fairly easy to construct a block cipher that is cryptographically secure, simply by using a large number of rounds. However, this will make the cipher inefficient. Thus, efficiency is the most important additional design criterion for professional ciphers. Further, a good block cipher is designed to avoid side-channel attacks, such as input-dependent memory accesses that might leak secret data via the cache state or the execution time. In addition, the cipher should be concise, for small hardware and software implementations. Finally, the cipher should be easily cryptanalyzable, such that it can be shown to how many rounds the cipher needs to be reduced such that the existing cryptographic attacks would work and, conversely, that the number of actual rounds is large enough to protect against them.

Substitution-permutation networks

One important type of iterated block cipher known as a substitution-permutation network (SPN) takes a block of the plaintext and the key as inputs, and applies several alternating rounds consisting of a substitution stage followed by a permutation stage to produce each block of ciphertext output.[10] The non-linear substitution stage mixes the key bits with those of the plaintext, creating Shannon's confusion. The linear permutation stage then dissipates redundancies, creating diffusion.[11][12]

A substitution box (S-box) substitutes a small block of input bits with another block of output bits. This substitution must be one-to-one, to ensure invertibility (hence decryption). A secure S-box will have the property that changing one input bit will change about half of the output bits on average, exhibiting what is known as the avalanche effect, i.e. it has the property that each output bit will depend on every input bit.[13]

A permutation box (P-box) is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.

At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR.


Decryption is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reversed order).

Figure: A sketch of a Substitution-Permutation Network with 3 rounds, encrypting a plaintext block of 16 bits into a ciphertext block of 16 bits. The S-boxes are the S_i's, the P-boxes are the same P, and the round keys are the K_i's.

Figure: Many block ciphers, such as DES and Blowfish, utilize structures known as Feistel ciphers.
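The 16-bit, 3-round SPN sketched above, as an added example (not code from the article): S-box, P-box, key mixing and whitening, decryption by the inverse tables with reversed round keys, and a measurement of the avalanche effect. The S-box table (DES S1, row 0), the transposing P-box and the toy key schedule are assumptions chosen for the example.

```python
# Toy 16-bit substitution-permutation network, 3 rounds: added example, not Wikipedia's code.
# Assumed parameters: four identical 4-bit S-boxes (DES S1 row 0, a bijection on 4 bits),
# one fixed P-box used in every round, and four 16-bit round keys taken straight from a
# 64-bit key. Toy sizes only; nothing here is a secure cipher.
import random
from typing import List

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]        # one-to-one, so the inverse exists
# P-box: output bit i of the S-box layer moves to position PBOX[i]. This "transpose" sends
# the 4 output bits of every S-box to 4 different S-boxes of the next round.
PBOX = [4 * (i % 4) + i // 4 for i in range(16)]
INV_PBOX = [PBOX.index(j) for j in range(16)]
ROUNDS = 3


def substitute(x: int, sbox: List[int]) -> int:
    """Apply the 4-bit S-box to each nibble of a 16-bit word (confusion)."""
    out = 0
    for j in range(4):
        out |= sbox[(x >> (4 * j)) & 0xF] << (4 * j)
    return out


def permute(x: int, pbox: List[int]) -> int:
    """Move bit i of x to position pbox[i] (diffusion)."""
    out = 0
    for i in range(16):
        if (x >> i) & 1:
            out |= 1 << pbox[i]
    return out


def round_keys(key: int) -> List[int]:
    """Toy key schedule (assumed): split a 64-bit key into four 16-bit round keys."""
    return [(key >> (16 * (3 - r))) & 0xFFFF for r in range(ROUNDS + 1)]


def spn_encrypt(pt: int, key: int) -> int:
    ks = round_keys(key)
    x = pt
    for r in range(ROUNDS):
        x ^= ks[r]                   # key mixing with XOR, the group operation
        x = substitute(x, SBOX)
        x = permute(x, PBOX)
    return x ^ ks[ROUNDS]            # final key whitening


def spn_decrypt(ct: int, key: int) -> int:
    """Reverse the process: inverse P-box, inverse S-box, round keys in reversed order."""
    ks = round_keys(key)
    x = ct ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        x = permute(x, INV_PBOX)
        x = substitute(x, INV_SBOX)
        x ^= ks[r]
    return x


def avalanche(key: int, samples: int = 2000, seed: int = 1) -> float:
    """Average number of ciphertext bits that flip when one random plaintext bit is flipped.
    Good diffusion means this approaches 8 of 16 (half the block)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        pt = rng.getrandbits(16)
        bit = 1 << rng.randrange(16)
        total += bin(spn_encrypt(pt, key) ^ spn_encrypt(pt ^ bit, key)).count("1")
    return total / samples


if __name__ == "__main__":
    k = 0x0123456789ABCDEF
    c = spn_encrypt(0x1234, k)
    print(f"ciphertext {c:04x}, round trip ok: {spn_decrypt(c, k) == 0x1234}")
    print(f"average bits flipped per single-bit change: {avalanche(k):.2f} of 16")
```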

Feistel ciphers

In a Feistel cipher, the block of plaintext to be encrypted is split into two equal-sized halves. The round function is applied to one half, using a subkey, and then the output is XORed with the other half. The two halves are then swapped.[14]

Let be the round function and let be the subkeys for the rounds respectively.

Then the basic operation is as follows:[14]

Split the plaintext block into two equal pieces, ( , )

For each round , compute

.

Then the ciphertext is .

Decryption of a ciphertext is accomplished by computing for

.

Then is the plaintext again.

One advantage of the Feistel model compared to a substitution-permutation network is that the round function does not have to be invertible.[15]

Lai-Massey ciphers

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage that the round function does not have to be invertible. Another similarity is that it also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks.

Let be the round function and a half-round function and let be the subkeys for the rounds respectively.


Figure: The Lai-Massey scheme. The archetypical cipher utilizing it is IDEA.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, ( , )

For each round , compute

where and

Then the ciphertext is .

Decryption of a ciphertext is accomplished by computing for

where and

Then is the plaintext again.
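The Feistel and Lai-Massey constructions from the two sections above, side by side, as an added example (not code from the article or from any named cipher). Both are driven by the same deliberately non-invertible round function F, which is the point both sections make; F (a truncated SHA-256), the 32-bit halves, the orthomorphism H and the subkey list are assumptions of the example.

```python
# Feistel network and Lai-Massey scheme on 64-bit blocks: added example, not the article's code.
# Both use the SAME non-invertible round function F (assumed: truncated SHA-256 of half||subkey),
# so neither needs F to have an inverse. Arithmetic is mod 2^32; subkeys are simply the supplied
# list (toy key schedule). Not a secure cipher.
import hashlib
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def F(half: int, subkey: int) -> int:
    """Round function: a hash, so it is not a permutation of its input and has no inverse."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def split(block: int) -> Tuple[int, int]:
    return (block >> 32) & MASK32, block & MASK32


def join(left: int, right: int) -> int:
    return (left << 32) | right


# ---- Feistel: L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, K_i); output is (R_{n+1}, L_{n+1}).
def feistel(block: int, subkeys: List[int]) -> int:
    L, R = split(block)
    for k in subkeys:
        L, R = R, L ^ F(R, k)
    return join(R, L)            # final swap: this is what makes decryption = encryption


def feistel_encrypt(block: int, subkeys: List[int]) -> int:
    return feistel(block, subkeys)


def feistel_decrypt(block: int, subkeys: List[int]) -> int:
    """Same network, subkeys in reversed order."""
    return feistel(block, list(reversed(subkeys)))


# ---- Lai-Massey: T = F(L - R, K_i); (L, R) <- (H(L + T), R + T); H is skipped in the last round.
def H(x: int) -> int:
    """Half-round function: an orthomorphism on 32 bits, (a, b) -> (b, a XOR b) on 16-bit halves
    (assumed choice). Without it, L - R would be the same in every round."""
    a, b = x >> 16, x & 0xFFFF
    return (b << 16) | (a ^ b)


def H_inv(y: int) -> int:
    b, c = y >> 16, y & 0xFFFF
    return ((b ^ c) << 16) | b


def lai_massey_encrypt(block: int, subkeys: List[int]) -> int:
    L, R = split(block)
    last = len(subkeys) - 1
    for i, k in enumerate(subkeys):
        T = F((L - R) & MASK32, k)             # F sees only the difference of the halves
        L, R = (L + T) & MASK32, (R + T) & MASK32
        if i != last:
            L = H(L)
    return join(L, R)


def lai_massey_decrypt(block: int, subkeys: List[int]) -> int:
    L, R = split(block)
    last = len(subkeys) - 1
    for i in range(last, -1, -1):
        if i != last:
            L = H_inv(L)
        T = F((L - R) & MASK32, subkeys[i])    # (L+T) - (R+T) = L - R, so T is recomputable
        L, R = (L - T) & MASK32, (R - T) & MASK32
    return join(L, R)


if __name__ == "__main__":
    keys = [0x11111111, 0x22222222, 0x33333333, 0x44444444]
    pt = 0x0123456789ABCDEF
    for name, enc, dec in (("Feistel", feistel_encrypt, feistel_decrypt),
                           ("Lai-Massey", lai_massey_encrypt, lai_massey_decrypt)):
        ct = enc(pt, keys)
        print(f"{name}: ct={ct:016x} round trip ok={dec(ct, keys) == pt}")
```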

    Operations

ARX (add-rotate-xor)

Many modern block ciphers and hashes are ARX algorithms: their round function involves only three operations: modular addition, rotation with fixed rotation amounts, and XOR (ARX). Examples include Salsa20 and Speck and BLAKE. Many authors draw an ARX network, a kind of data flow diagram, to illustrate such a round function.[16]

These ARX operations are popular because they are relatively fast and cheap in hardware and software, and also because they run in constant time, and are therefore immune to timing attacks. The rotational cryptanalysis technique attempts to attack such round functions.
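Speck, named above, is a pure ARX design; as an added example (not the designers' code or the article's) the block below implements the Speck32/64 round, its inverse and the key schedule, which reuses the round function. Word size, rotation amounts, round count and the test vector are from the published Speck specification; Python integers are not constant-time, so this shows only the structure, not the timing property the text attributes to ARX.

```python
# Speck32/64 in pure add-rotate-xor: added example, not code from the Speck designers or Wikipedia.
# Parameters (16-bit words, alpha=7, beta=2, 22 rounds) and the test vector in __main__ come from
# the published Speck specification. Only fixed rotation amounts and additions are used: no
# data-dependent table lookups, the property that lets ARX run in constant time in hardware or C.
from typing import List, Tuple

WORD = 16
MASK = (1 << WORD) - 1
ALPHA, BETA, ROUNDS = 7, 2, 22


def ror(x: int, r: int) -> int:
    return ((x >> r) | (x << (WORD - r))) & MASK


def rol(x: int, r: int) -> int:
    return ((x << r) | (x >> (WORD - r))) & MASK


def speck_round(x: int, y: int, k: int) -> Tuple[int, int]:
    """One ARX round: add, rotate, xor only."""
    x = ((ror(x, ALPHA) + y) & MASK) ^ k
    y = rol(y, BETA) ^ x
    return x, y


def speck_round_inv(x: int, y: int, k: int) -> Tuple[int, int]:
    """Undo one round: every ARX step is individually reversible."""
    y = ror(y ^ x, BETA)
    x = rol(((x ^ k) - y) & MASK, ALPHA)
    return x, y


def expand_key(key: List[int]) -> List[int]:
    """Key schedule for a 4-word (64-bit) key written as [l2, l1, l0, k0], the order used in
    the specification. It reuses the round function with the round index as the 'key'."""
    l = [key[2], key[1], key[0]]
    k = [key[3]]
    for i in range(ROUNDS - 1):
        li, ki = speck_round(l[i], k[i], i)
        l.append(li)
        k.append(ki)
    return k


def encrypt(block: Tuple[int, int], key: List[int]) -> Tuple[int, int]:
    x, y = block
    for k in expand_key(key):
        x, y = speck_round(x, y, k)
    return x, y


def decrypt(block: Tuple[int, int], key: List[int]) -> Tuple[int, int]:
    x, y = block
    for k in reversed(expand_key(key)):
        x, y = speck_round_inv(x, y, k)
    return x, y


if __name__ == "__main__":
    key = [0x1918, 0x1110, 0x0908, 0x0100]
    ct = encrypt((0x6574, 0x694C), key)
    print("ciphertext: %04x %04x (specification vector: a868 42f2)" % ct)
    print("round trip ok:", decrypt(ct, key) == (0x6574, 0x694C))
```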

Other operations

Other operations often used in block ciphers include data-dependent rotations as in RC5 and RC6, a substitution box implemented as a lookup table as in Data Encryption Standard and Advanced Encryption Standard, a permutation box, and multiplication as in IDEA.

Modes of operation

A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as the electronic codebook (ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with padding bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output.[17]

Figure: Insecure encryption of an image as a result of electronic codebook mode encoding.

To overcome this limitation, several so-called block cipher modes of operation have been designed[18][19] and specified in national recommendations such as NIST 800-38A[20] and BSI TR-02102[21] and international standards such as ISO/IEC 10116.[22] The general concept is to use randomization of the plaintext data based on an additional input value, frequently called an initialization vector, to create what is termed probabilistic encryption.[23] In the popular cipher block chaining (CBC) mode, for encryption to be secure the initialization vector passed along with the plaintext message must be a random or pseudo-random value, which is added in an exclusive-or manner to the first plaintext block before it is being encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the cipher feedback (CFB) mode, which emulates a self-synchronizing stream cipher, the initialization vector is first encrypted and then added to the plaintext block. The output feedback (OFB) mode repeatedly encrypts the initialization vector to create a key stream for the emulation of a synchronous stream cipher. The newer counter (CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block.[20]

From a security-theoretic point of view, modes of operation must provide what is known as semantic security.[24] Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called chosen plaintext attacks.
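ECB, CBC and CTR as described above, as an added example (not code from the article), run over a constructed stand-in block cipher: a key-selected random permutation of the 256 possible 8-bit blocks. The tiny block is an assumption that makes the ECB pattern leak, the CBC chaining and the CTR counter wrap visible in a few bytes; it is not a usable cipher.

```python
# ECB, CBC and CTR on a constructed stand-in block cipher: added example, not from the article.
# The "cipher" is a key-selected random permutation of the 256 possible 8-bit blocks (an
# ideal-cipher toy with a hopelessly small block; never use it for real data).
import random
from typing import Callable, Tuple

BlockFn = Callable[[int], int]


def toy_block_cipher(key: int) -> Tuple[BlockFn, BlockFn]:
    """Return (E, D): a permutation of {0..255} selected by `key`, and its inverse."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


# ---- ECB: each block on its own; equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(E: BlockFn, pt: bytes) -> bytes:
    return bytes(E(b) for b in pt)


def ecb_decrypt(D: BlockFn, ct: bytes) -> bytes:
    return bytes(D(b) for b in ct)


# ---- CBC: XOR each block with the previous ciphertext block (the IV for the first block).
def cbc_encrypt(E: BlockFn, iv: int, pt: bytes) -> bytes:
    out, prev = bytearray(), iv
    for b in pt:
        prev = E(b ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(D: BlockFn, iv: int, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for c in ct:
        out.append(D(c) ^ prev)
        prev = c
    return bytes(out)


# ---- CTR: encrypt a counter to make a key stream; the IV only has to be unique.
def ctr_crypt(E: BlockFn, nonce: int, data: bytes) -> bytes:
    """Encryption and decryption are the same operation. With 8-bit blocks the counter wraps
    after 256 blocks, which would repeat key stream, so longer messages are refused."""
    if len(data) > 256:
        raise ValueError("counter would wrap: key stream would repeat")
    return bytes(b ^ E((nonce + i) & 0xFF) for i, b in enumerate(data))


def distinct_blocks(ct: bytes) -> int:
    """How many different ciphertext blocks appear: a crude 'is the pattern visible?' measure."""
    return len(set(ct))


if __name__ == "__main__":
    E, D = toy_block_cipher(key=0x5EC12E7)
    # Constructed plaintext with obvious structure, like the image in the article.
    message = (b"A" * 8 + b"B" * 8) * 2
    iv = random.SystemRandom().randrange(256)      # CBC needs an unpredictable IV
    for name, ct in (("ECB", ecb_encrypt(E, message)),
                     ("CBC", cbc_encrypt(E, iv, message)),
                     ("CTR", ctr_crypt(E, iv, message))):
        print(f"{name}: {ct.hex()}  distinct blocks: {distinct_blocks(ct)}")
    assert ecb_decrypt(D, ecb_encrypt(E, message)) == message
    assert cbc_decrypt(D, iv, cbc_encrypt(E, iv, message)) == message
    assert ctr_crypt(E, iv, ctr_crypt(E, iv, message)) == message
```

The ECB line shows only two distinct ciphertext values for the two-letter plaintext; the CBC and CTR lines do not.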

    Padding

Some modes such as the CBC mode only operate on complete plaintext blocks. Simply extending the last block of a message with zero-bits is insufficient since it does not allow a receiver to easily distinguish messages that differ only in the amount of padding bits. More importantly, such a simple solution gives rise to very efficient padding oracle attacks.[25] A suitable padding scheme is therefore needed to extend the last plaintext block to the cipher's block size. While many popular schemes described in standards and in the literature have been shown to be vulnerable to padding oracle attacks,[25][26] a solution which adds a one-bit and then extends the last block with zero-bits, standardized as "padding method 2" in ISO/IEC 9797-1,[27] has been proven secure against these attacks.[26]
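ISO/IEC 9797-1 padding method 2 next to plain zero padding, as an added example (not code from the article): the zero-padding ambiguity the text describes is made concrete, and method 2 is padded and unpadded for every message length around a block boundary. The byte-oriented block size is an assumption.

```python
# ISO/IEC 9797-1 padding method 2 beside zero padding: added example, not from the article.
# Unpadding here is not constant-time; a receiver should authenticate the ciphertext before
# it looks at any padding at all.
def pad_zero(msg: bytes, block_size: int) -> bytes:
    """Zero padding: extend to a block boundary with 0x00 bytes (ambiguous, see below)."""
    return msg + b"\x00" * (-len(msg) % block_size)


def pad_method2(msg: bytes, block_size: int) -> bytes:
    """Append a single 1 bit (0x80 on a byte boundary), then 0 bits to fill the block.
    A message that already fills its last block gets a whole extra block of padding."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % block_size)


def unpad_method2(padded: bytes, block_size: int) -> bytes:
    """Strip trailing zeros and the 0x80 marker; reject anything malformed."""
    if len(padded) == 0 or len(padded) % block_size != 0:
        raise ValueError("padded data is not a whole number of blocks")
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0x00:
        i -= 1
    if i < 0 or padded[i] != 0x80:
        raise ValueError("padding marker missing")
    return padded[:i]


def is_ambiguous_under_zero_padding(a: bytes, b: bytes, block_size: int) -> bool:
    """True if two different messages become indistinguishable after zero padding."""
    return a != b and pad_zero(a, block_size) == pad_zero(b, block_size)


if __name__ == "__main__":
    a, b = b"abc", b"abc\x00"                      # constructed messages
    print("zero padding confuses them:", is_ambiguous_under_zero_padding(a, b, 8))
    print("method 2 keeps them apart:", pad_method2(a, 8) != pad_method2(b, 8))
    for n in range(0, 17):                          # lengths on both sides of a block boundary
        m = bytes(range(n))
        assert unpad_method2(pad_method2(m, 8), 8) == m
    print("method 2 round-trips for lengths 0..16")
```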

    Cryptanalysis

Brute force attacks

Due to a block cipher's characteristic as an invertible function, its output becomes distinguishable from a truly random output string over time due to the birthday attack. This property results in the cipher's security degrading quadratically, and needs to be taken into account when selecting a block size. There is a trade-off though as large block sizes can result in the algorithm becoming inefficient to operate.[28] Earlier block ciphers such as the DES have typically selected a 64-bit block size, while newer designs such as the AES support block sizes of 128 bits or more, with some ciphers supporting a range of different block sizes.[29]
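The birthday-bound arithmetic behind the block-size trade-off above, as an added example (not from the article): the exact collision probability, the usual approximation, and the number of blocks (and bytes) that can be processed under one key before a repeated ciphertext block becomes likely, for the 64-bit and 128-bit sizes named in the text. Treating ciphertext blocks as uniformly random values is the assumption the estimate rests on.

```python
# Birthday-bound arithmetic for choosing a block size: added example, not from the article.
import math


def collision_probability_exact(block_bits: int, q: int) -> float:
    """P(some value repeats among q uniformly random n-bit blocks), computed exactly."""
    n = 1 << block_bits
    p_no_collision = 1.0
    for i in range(q):
        p_no_collision *= 1 - i / n
    return 1 - p_no_collision


def collision_probability_approx(block_bits: int, q: int) -> float:
    """Standard approximation 1 - exp(-q^2 / 2^(n+1))."""
    return 1 - math.exp(-(q * q) / (2 ** (block_bits + 1)))


def blocks_until_probability(block_bits: int, p: float) -> int:
    """Invert the approximation: q at which the collision probability reaches p.
    q grows only like 2^(n/2), which is the 'quadratic' degradation the text refers to."""
    return int(math.sqrt(2 ** (block_bits + 1) * math.log(1 / (1 - p))))


def bytes_per_key(block_bits: int, p: float) -> int:
    """Bytes that can be encrypted under one key before the collision probability reaches p."""
    return blocks_until_probability(block_bits, p) * (block_bits // 8)


if __name__ == "__main__":
    for n in (64, 128):
        q = blocks_until_probability(n, 0.5)
        print(f"{n:3d}-bit blocks: 50% collision chance after 2^{math.log2(q):.1f} blocks "
              f"= {bytes_per_key(n, 0.5) / 2 ** 30:.3g} GiB under one key")
```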

Differential cryptanalysis

Linear cryptanalysis

Linear cryptanalysis is a form of cryptanalysis based on finding affine approximations to the action of a cipher. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992).[30]

Integral cryptanalysis

Integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution-permutation networks. Unlike differential cryptanalysis, which uses pairs of chosen plaintexts with a fixed XOR difference, integral cryptanalysis uses sets or even multisets of chosen plaintexts of which part is held constant and another part varies through all possibilities. For example, an attack might use 256 chosen plaintexts that have all but 8 of their bits the same, but all differ in those 8 bits. Such a set necessarily has an XOR sum of 0, and the XOR sums of the corresponding sets of ciphertexts provide information about the cipher's operation. This contrast between the differences of pairs of texts and the sums of larger sets of texts inspired the name "integral cryptanalysis", borrowing the terminology of calculus.

Other techniques

In addition to linear and differential cryptanalysis, there is a growing catalog of attacks: truncated differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis, which encompasses square and integral attacks, slide attacks, boomerang attacks, the XSL attack, impossible differential cryptanalysis and algebraic attacks. For a new block cipher design to have any credibility, it must demonstrate evidence of security against known attacks.

Provable security

When a block cipher is used in a given mode of operation, the resulting algorithm should ideally be about as secure as the block cipher itself. ECB (discussed above) emphatically lacks this property: regardless of how secure the underlying block cipher is, ECB mode can easily be attacked. On the other hand, CBC mode can be proven to be secure under the assumption that the underlying block cipher is likewise secure. Note, however, that making statements like this requires formal mathematical definitions for what it means for an encryption algorithm or a block cipher to "be secure". This section describes two common notions for what properties a block cipher should have. Each corresponds to a mathematical model that can be used to prove properties of higher level algorithms, such as CBC.

This general approach to cryptography, proving higher-level algorithms (such as CBC) are secure under explicitly stated assumptions regarding their components (such as a block cipher), is known as provable security.

Figure: The development of the boomerang attack enabled differential cryptanalysis techniques to be applied to many ciphers that had previously been deemed secure against differential attacks.

Standard model

Informally, a block cipher is secure in the standard model if an attacker cannot tell the difference between the block cipher (equipped with a random key) and a random permutation.

To be a bit more precise, let E be an n-bit block cipher. We imagine the following game:

1. The person running the game flips a coin. If the coin lands on heads, he chooses a random key K and defines the function f = E_K. If the coin lands on tails, he chooses a random permutation on the set of n-bit strings, and defines f to be that permutation.
2. The attacker chooses an n-bit string X, and the person running the game tells him the value of f(X).
3. Step 2 is repeated a total of q times. (Each of these q interactions is a query.)
4. The attacker guesses how the coin landed. He wins if his guess is correct.

The attacker, which we can model as an algorithm, is called an adversary. The function f (which the adversary was able to query) is called an oracle.

Note that an adversary can trivially ensure a 50% chance of winning simply by guessing at random (or even by, for example, always guessing "heads"). Therefore, let P_E(A) denote the probability that the adversary A wins this game against E, and define the advantage of A as 2(P_E(A) - 1/2). It follows that if A guesses randomly, its advantage will be 0; on the other hand, if A always wins, then its advantage is 1. The block cipher E is a pseudo-random permutation (PRP) if no adversary has an advantage significantly greater than 0, given specified restrictions on q and the adversary's running time. If in Step 2 above adversaries have the option of learning f^-1(X) instead of f(X) (but still have only small advantages) then E is a strong PRP (SPRP). An adversary is non-adaptive if it chooses all q values for X before the game begins (that is, it does not use any information gleaned from previous queries to choose each X as it goes).

These definitions have proven useful for analyzing various modes of operation. For example, one can define a similar game for measuring the security of a block cipher-based encryption algorithm, and then try to show (through a reduction argument) that the probability of an adversary winning this new game is not much more than P_E(A) for some A. (The reduction typically provides limits on q and the running time of A.) Equivalently, if P_E(A) is small for all relevant A, then no attacker has a significant probability of winning the new game. This formalizes the idea that the higher-level algorithm inherits the block cipher's security.
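The PRP game of the standard model simulated end to end, as an added example (not code from the article): the coin flip, the oracle f, q queries, the adversary's guess, and the advantage 2(P_E(A) - 1/2) estimated over many runs. The two constructed "ciphers" (XOR with the key, and a key-seeded shuffled table), the two-query non-adaptive adversary and n = 8 are assumptions of the example; neither cipher is real.

```python
# The PRP distinguishing game, simulated: added example, not from the article. n = 8 is assumed
# so a random permutation on {0,1}^n is just a shuffled 256-entry table. Two constructed
# "ciphers" are played against two adversaries so the advantage becomes a number.
import random
from typing import Callable

N_BITS = 8
SIZE = 1 << N_BITS
Oracle = Callable[[int], int]
Adversary = Callable[[Oracle, random.Random], bool]


def xor_cipher(key: int) -> Oracle:
    """E_K(X) = X XOR K: a permutation for every K, but with an obvious linear structure."""
    return lambda x: x ^ key


def table_cipher(key: int) -> Oracle:
    """A key-selected random-looking permutation (shuffled table seeded with the key)."""
    table = list(range(SIZE))
    random.Random(key).shuffle(table)
    return table.__getitem__


def xor_adversary(f: Oracle, rng: random.Random) -> bool:
    """Two non-adaptive queries: for E_K = XOR, f(0) XOR f(1) is always 1; for a random
    permutation that happens with probability only 1/(SIZE-1). Returns True = guess 'heads'."""
    return (f(0) ^ f(1)) == 1


def coin_flip_adversary(f: Oracle, rng: random.Random) -> bool:
    """Makes no queries and guesses at random: advantage 0 by definition."""
    return rng.random() < 0.5


def prp_advantage(cipher: Callable[[int], Oracle], adversary: Adversary,
                  trials: int, seed: int = 0) -> float:
    """Run the game `trials` times; return the estimated advantage 2*(P_E(A) - 1/2)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        heads = rng.random() < 0.5                 # step 1: the coin
        if heads:
            f = cipher(rng.getrandbits(N_BITS))    # f = E_K for a random key K
        else:
            table = list(range(SIZE))
            rng.shuffle(table)
            f = table.__getitem__                  # f = a random permutation
        wins += int(adversary(f, rng) == heads)    # steps 2-4: queries, then the guess
    return 2 * (wins / trials - 0.5)


if __name__ == "__main__":
    for cname, cipher in (("xor", xor_cipher), ("table", table_cipher)):
        for aname, adv in (("xor-adversary", xor_adversary), ("coin-flip", coin_flip_adversary)):
            print(f"{cname:5s} vs {aname:13s}: advantage {prp_advantage(cipher, adv, 2000):+.3f}")
```

The XOR cipher is distinguished with advantage close to 1 after two queries, so it is not a PRP; against the table cipher the same adversary, and the coin-flip adversary against anything, stay near 0.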

Ideal cipher model

Practical evaluation

Block ciphers may be evaluated according to multiple criteria in practice. Common factors include:[31][32]

Key parameters, such as its key size and block size, both of which provide an upper bound on the security of the cipher.

The estimated security level, which is based on the confidence gained in the block cipher design after it has largely withstood major efforts in cryptanalysis over time, the design's mathematical soundness, and the existence of practical or certificational attacks.

The cipher's complexity and its suitability for implementation in hardware or software. Hardware implementations may measure the complexity in terms of gate count or energy consumption, which are important parameters for resource-constrained devices.

The cipher's performance in terms of processing throughput on various platforms, including its memory requirements.

The cost of the cipher, which refers to licensing requirements that may apply due to intellectual property rights.

The flexibility of the cipher, which includes its ability to support multiple key sizes and block lengths.

Notable block ciphers

Lucifer / DES

Lucifer is generally considered to be the first civilian block cipher, developed at IBM in the 1970s based on work done by Horst Feistel. A revised version of the algorithm was adopted as a U.S. government Federal Information Processing Standard: FIPS PUB 46 Data Encryption Standard (DES).[33] It was chosen by the U.S. National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by NBS (and, potentially, the NSA). DES was publicly released in 1976 and has been widely used.

DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by Eli Biham and Adi Shamir in the late 1980s. The technique is called differential cryptanalysis and remains one of the few general attacks against block ciphers; linear cryptanalysis is another, but may have been unknown even to the NSA, prior to its publication by Mitsuru Matsui. DES prompted a large amount of other work and publications in cryptography and cryptanalysis in the open community and it inspired many new cipher designs.

DES has a block size of 64 bits and a key size of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers in the 1970s commented that the 56-bit key length used for DES was too short. As time went on, its inadequacy became apparent, especially after a special purpose machine designed to break DES was demonstrated in 1998 by the Electronic Frontier Foundation. An extension to DES, Triple DES, triple-encrypts each block with either two independent keys (112-bit key and 80-bit security) or three independent keys (168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though the National Institute of Standards and Technology (NIST) standards no longer permit the use of the two-key version in new applications, due to its 80-bit security level.[34]

    IDEA

The International Data Encryption Algorithm (IDEA) is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai; it was first described in 1991, as an intended replacement for DES.

IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups (modular addition and multiplication, and bitwise exclusive or (XOR)) which are algebraically "incompatible" in some sense.

The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. As of 2012, the best attack which applies to all keys can break full 8.5-round IDEA using a narrow-bicliques attack about four times faster than brute force.

Figure: One round (two half-rounds) of the RC5 block cipher.

    RC5

RC5 is a block cipher designed by Ronald Rivest in 1994 which, unlike many other ciphers, has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key and 12 rounds.

A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and XORs. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts.

12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 2^44 chosen plaintexts.[35] 18–20 rounds are suggested as sufficient protection.

    Rijndael/AES

DES has been superseded as a United States Federal Standard by the AES, adopted by NIST in 2001 after a 5-year public competition. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted under the name Rijndael.

AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The block size has a maximum of 256 bits, but the key size has no theoretical maximum. AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state).


    Blowfish

Blowfish is a block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish has a 64-bit block size and a variable key length from 1 bit up to 448 bits.[36] It is a 16-round Feistel cipher and uses large key-dependent S-boxes. Notable features of the design include the key-dependent S-boxes and a highly complex key schedule.

Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the ageing DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." Blowfish provides a good encryption rate in software and no effective cryptanalysis of the full-round version has been found to date.

    Generalizations

Tweakable block ciphers

M. Liskov, R. Rivest, and D. Wagner have described a generalized version of block ciphers called "tweakable" block ciphers.[37] A tweakable block cipher accepts a second input called the tweak along with its usual plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. If changing tweaks is sufficiently lightweight (compared with a usually fairly expensive key setup operation), then some interesting new operation modes become possible. The disk encryption theory article describes some of these modes.

Format-preserving encryption

Block ciphers traditionally work over a binary alphabet. That is, both the input and the output are binary strings, consisting of n zeroes and ones. In some situations, however, one may wish to have a block cipher that works over some other alphabet; for example, encrypting 16-digit credit card numbers in such a way that the ciphertext is also a 16-digit number might facilitate adding an encryption layer to legacy software. This is an example of format-preserving encryption. More generally, format-preserving encryption requires a keyed permutation on some finite language. This makes format-preserving encryption schemes a natural generalization of (tweakable) block ciphers. In contrast, traditional encryption schemes, such as CBC, are not permutations because the same plaintext can encrypt to multiple different ciphertexts, even when using a fixed key.

Relation to other cryptographic primitives

Block ciphers can be used to build other cryptographic primitives, such as those below. For these other primitives to be cryptographically secure, care has to be taken to build them the right way.

Stream ciphers can be built using block ciphers. OFB mode and CTR mode are block modes that turn a block cipher into a stream cipher.

Cryptographic hash functions can be built using block ciphers.[38][39] See one-way compression function for descriptions of several such methods. The methods resemble the block cipher modes of operation usually used for encryption.


Cryptographically secure pseudorandom number generators (CSPRNGs) can be built using block ciphers.[40][41]

Secure pseudorandom permutations of arbitrarily sized finite sets can be constructed with block ciphers; see Format-Preserving Encryption.

Message authentication codes (MACs) are often built from block ciphers. CBC-MAC, OMAC and PMAC are such MACs.

Authenticated encryption is also built from block ciphers. It means to both encrypt and MAC at the same time. That is to both provide confidentiality and authentication. CCM, EAX, GCM and OCB are such authenticated encryption modes.

Just as block ciphers can be used to build hash functions, hash functions can be used to build block ciphers. Examples of such block ciphers are SHACAL, BEAR and LION.

See also

Cipher security summary
Topics in cryptography

References

1. Shannon, Claude (1949). "Communication Theory of Secrecy Systems" (http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf) (PDF). Bell System Technical Journal 28 (4): 656–715.
2. van Tilborg, Henk C. A.; Jajodia, Sushil, eds. (2011). Encyclopedia of Cryptography and Security (http://books.google.com/books?id=UuNKmgv70lMC&pg=PA455). Springer. ISBN 9781441959058, p. 455.
3. van Tilborg & Jajodia 2011, p. 1268.
4. Cusick, Thomas W. & Stanica, Pantelimon (2009). Cryptographic Boolean functions and applications (http://books.google.com/books?id=OAkhkLSxxxMC&pg=PA158). Academic Press. pp. 158–159. ISBN 9780123748904.
5. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (1996). "Chapter 7: Block Ciphers". Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/). CRC Press. ISBN 0849385237.
6. Bellare, Mihir; Rogaway, Phillip (11 May 2005), Introduction to Modern Cryptography (http://www.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf) (Lecture notes), chapter 3.
7. Chakraborty, D. & Rodriguez-Henriquez, F. (2008). "Block Cipher Modes of Operation from a Hardware Implementation Perspective". In Koç, Çetin K. Cryptographic Engineering (http://books.google.com/books?id=nErZY4vYHIoC&pg=PA321). Springer. p. 321. ISBN 9780387718163.
8. Menezes, van Oorschot & Vanstone 1996, section 7.2.
9. Junod, Pascal & Canteaut, Anne (2011). Advanced Linear Cryptanalysis of Block and Stream Ciphers (http://books.google.com/books?id=pMnRhjStTZoC&pg=PA2). IOS Press. p. 2. ISBN 9781607508441.
10. Keliher, Liam et al. (2000). "Modeling Linear Characteristics of Substitution-Permutation Networks". In Hays, Howard & Carlisle, Adam. Selected areas in cryptography: 6th annual international workshop, SAC'99, Kingston, Ontario, Canada, August 9–10, 1999: proceedings (http://books.google.com/books?id=qxurbiN0CcYC&pg=PA79). Springer. p. 79. ISBN 9783540671855.
11. Baigneres, Thomas & Finiasz, Matthieu (2007). "Dial 'C' for Cipher". In Biham, Eli & Yousseff, Amr. Selected areas in cryptography: 13th international workshop, SAC 2006, Montreal, Canada, August 17–18, 2006: revised selected papers (http://books.google.com/books?id=yb99g5G7FS4C&pg=PA77). Springer. p. 77. ISBN 9783540744610.
12. Cusick, Thomas W. & Stanica, Pantelimon (2009). Cryptographic Boolean functions and applications (http://books.google.com/books?id=OAkhkLSxxxMC&pg=PA164). Academic Press. p. 164. ISBN 9780123748904.
13. Katz, Jonathan; Lindell, Yehuda (2008). Introduction to modern cryptography (http://books.google.com/books?id=TTtVKHdOcDoC&pg=PA166). CRC Press. ISBN 9781584885511, pages 166–167.
14. Katz & Lindell 2008, pp. 170–172.
15. Katz & Lindell 2008, p. 171.
16. Aumasson, Jean-Philippe; Bernstein, Daniel J. (2012-09-18). "SipHash: a fast short-input PRF" (https://131002.net/siphash/siphash.pdf) (PDF). p. 5.
17. Menezes, Oorschot & Vanstone 1996, pp. 228–230, Chapter 7.
18. "Block Cipher Modes" (http://csrc.nist.gov/groups/ST/toolkit/BCM/index.html). NIST Computer Security Resource Center.
19. Menezes, van Oorschot & Vanstone 1996, pp. 228–233.
20. Morris Dworkin (December 2001), "Recommendation for Block Cipher Modes of Operation - Methods and Techniques" (http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf) (PDF), Special Publication 800-38A (National Institute of Standards and Technology (NIST))
21. "Kryptographische Verfahren: Empfehlungen und Schlüssellängen", BSI TR-02102 (Technische Richtlinie) (Version 1.0), June 20, 2008
22. ISO/IEC 10116:2006 Information technology - Security techniques - Modes of operation for an n-bit block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38761)
23. Bellare & Rogaway 2005, p. 101, section 5.3.
24. Bellare & Rogaway 2005, section 5.6.
25. Serge Vaudenay (2002). "Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS...". Advances in Cryptology - EUROCRYPT 2002, Proc. International Conference on the Theory and Applications of Cryptographic Techniques (Springer Verlag) (2332): 534–545.
26. Kenneth G. Paterson; Gaven J. Watson (2008). "Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment". Security and Cryptography for Networks - SCN 2008, Lecture Notes in Computer Science (Springer Verlag) (5229): 340–357.
27. ISO/IEC 9797-1: Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50375), ISO/IEC, 2011
28. Martin, Keith M. (2012). Everyday Cryptography: Fundamental Principles and Applications (http://books.google.com/books?id=5DZ_vvgl4oC&pg=PA114). Oxford University Press. p. 114. ISBN 9780199695591.
29. Paar, Cristof et al. (2010). Understanding Cryptography: A Textbook for Students and Practitioners (http://books.google.com/books?id=f24wFELSzkoC&pg=PA30). Springer. p. 30. ISBN 9783642041006.
30. Matsui, M. and Yamagishi, A. "A new method for known plaintext attack of FEAL cipher". Advances in Cryptology - EUROCRYPT 1992.
31. Menezes, van Oorschot & Vanstone 1996, p. 227.
32. James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback (October 2000), Report on the Development of the Advanced Encryption Standard (AES) (http://csrc.nist.gov/archive/aes/round2/r2report.pdf) (PDF), National Institute of Standards and Technology (NIST)
33. FIPS PUB 46-3 Data Encryption Standard (DES) (http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf) (This is the third edition, 1999, but includes historical information in the preliminary section 12.)
34. NIST Special Publication 800-57 Recommendation for Key Management - Part 1: General (Revised), March, 2007 (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)
35. Biryukov A. and Kushilevitz E. (1998). Improved Cryptanalysis of RC5. EUROCRYPT 1998.
36. Bruce Schneier (1993). "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)" (http://www.schneier.com/paper-blowfish-fse.html).
37. M. Liskov, R. Rivest, and D. Wagner. "Tweakable Block Ciphers" (http://www.cs.colorado.edu/~jrblack/class/csci7000/f03/papers/tweak-crypto02.pdf) (PDF). Crypto 2002.
38. ISO/IEC 10118-2:2010 Information technology - Security techniques - Hash-functions - Part 2: Hash-functions using an n-bit block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44737)
39. Menezes, van Oorschot & Vanstone 1996, Chapter 9: Hash Functions and Data Integrity.
40. NIST Special Publication 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators (http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf)
41. Menezes, van Oorschot & Vanstone 1996, Chapter 5: Pseudorandom Bits and Sequences.


Further reading

Knudsen, Lars R. & (2011). The Block Cipher Companion (http://books.google.com/books?id=YiZKt_FcmYQC). Springer. ISBN 9783642173417.

External links

A list of many symmetric algorithms, the majority of which are block ciphers. (http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html)
The block cipher lounge (http://www.mat.dtu.dk/people/Lars.R.Knudsen/bc.html)
What is a block cipher? (http://www.rsa.com/rsalabs/node.asp?id=2168) from RSA FAQ

Retrieved from "https://en.wikipedia.org/w/index.php?title=Block_cipher&oldid=663735007"

Categories: Block ciphers; Cryptographic primitives

This page was last modified on 24 May 2015, at 00:25. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.