1
Secret-Key Ciphers
ECE 646 – Lecture 7
Data Encryption StandardDES
2
NBS public request for a standard cryptographic algorithm
May 15, 1973, August 27, 1974
The algorithm must be:
• secure• public
- completely specified- easy to understand- available to all users
• economic and efficient in hardware• able to be validated• exportable
Secret agreement between IBM & NSA, 1974Obligations of IBM:
• Algorithm developed in secret by IBM• NSA reserved a right to monitor the developmentand propose changes
• No software implementations, just hardware chips• IBM not allowed to ship implementations to certain
countries• License required to ship to carefully selected
customers in approved countriesObligations of NSA:
• seal of approval
3
DES - chronicle of events1973 - NBS issues a public request for proposals for
a standard cryptographic algorithm1975 - first publication of the IBM’s algorithm
and request for comments1976 - NBS organizes two workshops to evaluate
the algorithm1977 - official publication as
FIPS PUB 46: Data Encryption Standard1983, 1987, 1993 - recertification of the algorithm
for another five years1993 - software implementations allowed to be validated
Controversies surrounding DES
Unknowndesigncriteria
Too shortkey
Slowin software
Reinventionof differentialcryptanalysis
Most criteriareconstructedfrom cipher
analysis
Theoreticaldesigns
of DES breakingmachines
Onlyhardware
implementationscertified
Software, firmwareand hardwaretreated equally
PracticalDES cracker
built
199019981993
4
Life of DES
1980 1990 2000 2010 2020 2030
Triple DESDES
AES - RijndaelAmericanstandards
Otherpopular
algorithms
IDEA
AEScontest
1977 1999
2002
Blowfish
RC5
CAST
Twofish
RC6
Mars
Serpent
128, 192, and 256 bit keys56 bit key
112, 168 bit 168 bit only
DES - external look
DES
64 bits
plaintext block
64 bitsciphertext block
key
56 bits
5
Initial transformation
Final transformation
#rounds times
Round Key[i]i:=i+1
Round Key[0]
i:=1
i<#rounds?
Cipher Round
Round Key[#rounds+1]
Typical Flow Diagram of a Secret-Key Block Cipher
DES – high-level internal structure
6
Classical Feistel Network
plaintext = L0R0for i=1 to n{
Li=Ri-1Ri=Li-1Å f(Ri-1, Ki)
}Ln+1 = RnRn+1 = Lnciphertext = Ln+1Rn+1
Ln+1=RnRn+1=LnÅ f(Rn, Kn+1)
L0 R0
fK1
L1
fK2
L2 R2
L15 R15
fK16
R16 L16
. . . . . .
IP-1
IP
R1
DES Main LoopFeistel Structure
7
Ln Rn
f
Ln+1 Rn+1
Kn+1
Ln Rn
f
Ln+1 Rn+1
Kn+1
f Kn+1
Feistel Structure
Encryption Decryption
? ?
? ?
Ln+1, Rn+1
Ln, Rn
L0 R0
fK1
L1
fK2
L2 R2
L15 R15
fK16
R16 L16
. . . . . .
IP
IP-1
R1
fK15
R14 L14
R1 L1
fK1
L0 R0
. . . . . .
IP-1
R16 L16
fK16
R15
IP
L15
Decryption
8
Mangler Function of DES, F
9
Notation for Permutations
i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7
Input
Output
10
Notation for S-boxes
i1 i2 i3 i4 i5 i6
Input
Output
o1 o2 o3 o4
i1 i6 determines a row number in the S-box table, 0..3
i2 i3 i4 i5 determine a column in the S-box table, 0..15
o1 o2 o3 o4 is a binary representation of a number from 0..15 in the given row and the given column
11
General design criteria of DES1. Randomness
2. Avalanche propertychanging a single bit at the input changes on average half of the bitsat the output
3. Completeness propertyevery output bit is a complex function of all input bits (and not justa subset of input bits)
4. Nonlinearityencryption function is non-affine for any value of the key
5. Correlation immunityoutput bits are statistically independent of any subset of input bits
12
Completeness property
Every output bit is a complex function of all input bits (and not just a subset of input bits)
Formal requirement:
For all values of i and j, i=1..64, j=1..64there exist inputs X1 and X2, such that
X1 x1 x2 x3 . . . xi-1 0 xi+1 . . . x63 x64X2 x1 x2 x3 . . . xi-1 1 xi+1 . . . x63 x64
Y1 = DES(X1) y1 y2 y3 . . . yj-1 yj yj+1 . . . y63 y64
Y2 = DES(X2) y1’ y2’ y3’ . . . yj-1’ yj yj+1’ . . . y63’ y64’
Linear TransformationsTransformations that fulfill the condition:
T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1]
or
T(X1 Å X2) = T(X1) Å T(X2)
Affine TransformationsTransformations that fulfill the condition:
T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1] Å B[n x 1]
13
Linear Transformations of DES
IP, IP-1, E, PC1, PC2, SHIFT
e.g., IP(X1 Å X2) = IP(X1 ) Å IP( X2)
Non-Linear and non-affine transformations of DES
S
There are no such matrices A[4x6] and B[4x1] that
S(X[6x1]) = A[4x6] × X[6x1] Å B[4x1]
Design of S-boxes
S
S[0..15]
in out = S[in]
• 16! » 2 × 1013 possibilities• precisely defined initially unpublished criteria • resistant against differential cryptanalysis(attack known to the designers and rediscoveredin the open research in 1990 by E. Biham and A. Shamir)
14
Theoretical design of the specialized machine to break DES
Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attackBasic component: specialized integrated circuit
in CMOS technology, 75 MHz
Checks: 200 mln keys per secondCosts: $10
Total cost Estimated time$ 1 mln
$ 100.00035 minutes6 hours
DES breaking machine
plaintext
known ciphertext
known plaintext
. . . .
keykey counter
. . . .
Encryption Round 1 Key Scheduling Round 1
Encryption Round 2
Encryption Round 16
Key Scheduling Round 2
Key Scheduling Round 16
Round key 1
Round key 2
Round key 16
comparator
15
Electronic Frontier Foundation, 1998
1800 ASIC chips, 40 MHz clock
Total cost: $220,000Average time of search:
4.5 days/key
Deep Crack
Deep CrackParameters
Number of ASIC chips 1800
Number of search units per ASIC 24
Clock frequency 40 MHz
Number of clock cycles per key 16
Search speed 90 bln keys/s
Average time to recover the key 4.5 days
16
Ruhr University, Bochum, University of Kiel, Germany, 2006
Cost: € 8980 (ver. 1)
COPACOBANACost-Optimized Parallel COde Breaker
COPACOBANA
• Based on Xilinx FPGAs (Field Programmable Gate Arrays)• ver. 1 – based on 120 Spartan 3 FPGAs• ver. 2 – based on 128 Virtex 4 SX 35 FPGAs
• Description, FAQ, and news available athttp://www.copacobana.org/
• For ver. 1 based on Spartan FPGAsClock frequency = 136 MHzAverage search time for a single DES key = 6.4 daysWorst case search time for a single DES key = 12.8 days
17
18
Secure key length today and in 20 years(against an intelligence agency with the budget of $300M)
key length
Secure key length in 201793 bits
99 bits Secure key length in 2026
128 bits IDEA, minimum key length in AES
112 bits Triple DES with three different keys
56 bits DES
80 bits Skipjack
Secure key length - discussion• increasing key length in a newly developed cipher costs NOTHING
• increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (Triple DES)
It is economical to use THE SAME secure key length FOR ALL aplications
The primary barriers blocking the use of symmetric cipherswith a secure key length have been of the political nature
(e.g., export policy of USA)
19
Triple DES EDE mode with two keysencryption decryption
Eencryption
Ddecryption
Eencryption
plaintext
ciphertext
Ddecryption
Eencryption
Ddecryption
ciphertext
plaintext
56K1
56K2
56K1
56K1
56K2
56K1
Diffie, Hellman, 1977
Triple DES EDE mode with three keysencryption decryption
Eencryption
Ddecryption
Eencryption
plaintext
ciphertext
Ddecryption
Eencryption
Ddecryption
ciphertext
plaintext
56K1
56K2
56K3
56K1
56K2
56K3
Diffie, Hellman, 1977
20
Best Attacks Against Triple DES
• Version with two keys (112 bits of key)
• Version with three keys (168 bits of key)
232 known plaintexts2113 steps290 single DES encryptions, and 288 memory
Meet-in-the-middle attack
Effective key size = 2112
Effective key size = 280
Triple DESAdvantages:• secure key length (112 or 168 bits)
• increased compared to DES resistance to linearand differential cryptanalysis
• possibility of utilizing existing implementations of DES
Disadvantages:
• relatively slow, especially in software
21
Advanced Encryption StandardAES
Why a new standard?
1. Old standard insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations
3. New trends in fast software encryption
4. New ways of assessing cipher strength • use of basic instructions of the microprocessor
• Triple DES
• differential cryptanalysis• linear cryptanalysis
K1 K2 K3
in out
22
Why a contest?
• Speed-up the acceptance of the standard
Small number of specialists in the open research
• Focus the effort of cryptographic community
• Stimulate the research on methods of constructing secure ciphers
• Avoid backdoor theories
128 bits
128 bits
128, 192, 256 bits
plaintext block
ciphertext block
keyAES
External format of the AES algorithm
23
Rules of the contest
Each team submits
Detailedcipher
description
Justificationof designdecisions
Tentativeresults
of cryptanalysis
Sourcecodein C
Sourcecode
in Java
Testvectors
AES Contest Effort
15 Candidatesfrom USA, Canada, Belgium,
France, Germany, Norway, UK, Isreal,Korea, Japan, Australia, Costa Rica
June 1998
August 1999
October 20001 winner: Rijndael
Belgium
5 final candidatesMars, RC6, Rijndael, Serpent, Twofish
Round 1
Round 2
SecuritySoftware efficiency
SecurityHardware efficiency
24
AES contest - First Round
August 1998 1st AES Conference in Ventura, CAPresentation of candidates
15 June 1998 Deadline for submitting candidates21 submissions, 15 fulfilled all requirements
March 1999 2nd AES Conference in w Rome, ItalyReview of results of the First Round analysis
August 1999 NIST announces five final candidates
AES: Candidate algorithms
USA: MarsRC6TwofishSafer+HPC
Canada:CAST-256Deal
Costa Rica:Frog
Australia:LOKI97
Japan:E2
Korea:Crypton
Belgium:Rijndael
France:DFC
Germany:Magenta
Israel, UK,Norway:
Serpent
North America (8) Europe (4) Asia (2)
Australia (1)
25
AES Finalists (1)USA
Mars - IBM C. Burwick, D. Coppersmith, E. D’Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas,L. O’Connor, M. Peyravian, D. Safford,N. Zunic
RC6 - RSA Data Security, Inc.R. Rivest - MITM. Robshaw, R. Sidney, Y. L. Yin - RSA
Twofish - Counterpane SystemsB. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane, D.Whiting - Hi/fn, D. Wagner - Berkeley
Europe
Rijndael - J. Daemen, V. RijmenKatholieke Universiteit LeuvenBelgium
Serpent - R. Anderson, Cambridge, EnglandE. Biham - Technion, IsraelL. Knudsen, University of Bergen, Norway
AES Finalists (2)
26
How NIST has made a final decision?
securitysoftware efficiencyhardware efficiency
flexibility
BASIC CRITERIA =
Security
27
Security: Theoretical attacks better than exhaustive key search
0 5 10 15 20 25 30 35
Twofish
Serpent
Rijndael
RC6
Mars without 16 mixing rounds
# of rounds in the attack/total # of rounds
6 16
329
7 10
15 20
1611
23
10
5
3
5
0 10 20 30 40 50 60 70 80 90 100
Twofish
Serpent
Rijndael
RC6
Mars
Security: Theoretical attacks better than exhaustive key search
# of rounds in the attack/total # of rounds × 100%
28% 72%
38% 62%
69% 31%
70% 30%
75% 25%
28
Security Margin
Complexity
High
Adequate
Simple Complex
NIST Report: Security
Rijndael
MARSSerpentTwofish
RC6
Efficiency -What’s more important:software or hardware?
29
Software or hardware?
SOFTWARE HARDWAREsecurity of data
during transmission
flexibility(new cryptoalgorithms,
protection against new attacks)
speed
random keygeneration
access controlto keys
tamper resistance(viruses, internal attacks)
low cost
Efficiency indicators
30
Memory
Power consumption
Primary efficiency indicators
Software Hardware
Speed Memory Speed Area
Efficiency parameters
Latency Throughput = Speed
Encryption/decryption
Time to encrypt/decrypt
a single block of data
Mi
Ci
Number of bits encrypted/decrypted
in a unit of time
Encryption/decryption
Mi
Mi+1
Mi+2
Ci
Ci+1
Ci+2
Throughput =Block_size · Number_of_blocks_processed_simultaneouslyLatency
31
Efficiency in software
0
5
10
15
20
25
30
SerpentRijndael TwofishRC6 Mars
Efficiency in software: Code submitted by authors
128-bit key192-bit key256-bit key
200 MHz Pentium Pro, Borland C++Speed [Mbits/s]
32
NIST Report: Software EfficiencyEncryption and Decryption Speed
32-bitprocessors
64-bitprocessors
DSPs
high
medium
low
RC6
RijndaelMars
Twofish
Serpent
RijndaelTwofish
MarsRC6
Serpent
RijndaelTwofish
MarsRC6
Serpent
NIST Report: Software EfficiencyEncryption and decryption speed in software
on smart cards
8-bit processors
32-bit processors
high
medium
low
Rijndael
RC6Mars
Twofish
Serpent
RijndaelRC6
Mars
TwofishSerpent
33
Efficiency in software
Strong dependence on:
1. Instruction set architecture(e.g., variable rotations)
2. Programming language(assembler, C, Java)
3. Compiler
4. Programming style
Efficiency in hardware
34
• designs must be sentfor expensive and timeconsuming fabricationin semiconductor foundry
• bought off the shelfand reconfigured bydesigners themselves
Primary ways of implementing cryptographyin hardware
ASICApplication Specific
Integrated Circuit
FPGAField Programmable
Gate Array
• designed all the wayfrom behavioral descriptionto physical layout
• no physical layout design;design ends witha bitstream usedto configure a device
Which way to go?
ASICs FPGAs
High performanceOff-the-shelf
Short time to the market
Low development costs
Reconfigurability
Low power
Low cost (but only in high volumes)
35
Efficiency in hardware: FPGA Virtex 1000: Speed
050100150200250300350400450500Throughput [Mbit/s]
Serpent I8
Rijndael Twofish RC6 MarsSerpent I1
431 444414
353
294
177 173
104
149
62
143112
88102
61
Worcester Polytechnic Institute
University of Southern CaliforniaGeorge Mason University
0
100
200
300
400
500
600
700
Rijndael Twofish RC6 MarsSerpent I1
606
202
105 10357
443
202
105 10457
3-in-1 (128, 192, 256 bit) key scheduling
128-bit key scheduling
ASIC implementations: NSA group
36
NIST Report + GMU Report: Hardware Efficiency
Speed
Area
High
Low
Small
Rijndael
MARS
Serpent
TwofishRC6
Medium
Medium Large
Selecting the Winner
72
Straw Poll @ AES 3 conferenceGMU FPGA Results
Rijndael second best in FPGAs,selected as a winner due to much better performance
in software
37
Input, internal state, and output
128 bits = 16 bytes
a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3
column 0 column 1 column 2 column 3
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
Order of bytes within input, internal state, and output arrays
38
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 a1,2 b1,3
b2,0 b2,1 b2,2 b2,3
b3,0 b3,1 b3,2 b3,3
ai,j
S-box
bi,j
SubBytes
• Bytes are transformed by applying an invertible S-box
• One single S-box for the complete cipher
S-box: substitution values for the byte xy (in hexadecimal notation)
39
ShiftRows
a b c d
e g h
i j k l
m n o p
f
a b c d
g ef
i jk l
op m n
h
no shift
cyclic shift left by C1=1
cyclic shift left by C2=2
cyclic shift left by C3=3
MixColumns
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
b0,0 b0,1 a0,2 b0,3
b1,0 b1,1 a1,2 b1,3
b2,0 b2,1 a2,2 b2,3
b3,0 b3,1 a3,2 b3,3
a1,j
a0,j
a2,j
a3,j
b1,j
b0,j
b2,j
b3,j
2 3 1 1 1 2 3 11 1 2 33 1 1 2
A difference in 1 input byte propagates to all 4 output bytesA difference in 2 input bytes propagates to at least 3 output bytesAny linear relation between input and output bits involves bits from
at least 5 different bytes (branch number = 5)
High diffusion
40
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3
b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3
b2,0 b2,1 b2,2 b2,3
b3,0 b3,1 b3,2 b3,3
AddRoundKey
k0,0 k0,1 k0,2 k0,3
k1,0 k1,1 k1,2 k1,3
k2,0 k2,1 k2,2 k2,3
k3,0 k3,1 k3,2 k3,3
+ =
• simple bitwise addition (xor) of round keys
Number of roundsKey length
Blocklength
128 bitsNk=4
192 bitsNk=6
256 bitsNk=8
128 bitsNb=4
192 bitsNb=6
256 bitsNb=8
10 12 14
12 12 14
14 14 14
required by the standard
non-standard extensions
41
Pseudocode for AES encryption
Modes of Operationof Block Ciphers
42
Block vs. stream ciphers
Stream cipher
Internal state - ISBlock cipher
KK
M1, M2, …, Mn m1, m2, …, mn
C1, C2, …, Cn c1, c2, …, cn
Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi)
Every block of ciphertext is a function of only one
corresponding block of plaintext
Every block of ciphertext is a function of the current block
of plaintext and the current internal state of the cipher
Typical stream cipherSender Receiver
PseudorandomKeyGenerator
mi
plaintext
ci
ciphertext
ki keystream
keyinitialization vector (seed)
PseudorandomKeyGenerator
mi
plaintext
ci
ciphertext
ki keystream
keyinitializationvector (seed)
43
Standard modes of operation of block ciphers
Block ciphers Stream ciphers
ECB mode Counter modeOFB modeCFB modeCBC mode
ECB (Electronic CodeBook) mode
44
Electronic CodeBook Mode – ECBEncryption
M1 M2 M3
E
Ci = EK(Mi) for i=1..N
MN-1 MN
E E E E. . .
C1 C2 C3 CN-1 CN
K K K K K
Electronic CodeBook Mode – ECBDecryption
C1 C2 C3
D
Mi = EK(Ci) for i=1..N
CN-1 CN
D D D D. . .
M1 M2 M3 MN-1 MN
K K K K K
45
Criteria for Comparison of Modes of Operation• hiding repeating message blocks• speed• capability for parallel processing and pipelining
during encryption / decryption• use of block cipher operations (encryption only or both)• capability for preprocessing
during encryption / decryption• capability for random access
for the purpose of reading / writing• number of plaintext and ciphertext blocks required forexhaustive key search
• error propagation in the message after modifying / deletingone block / byte / bit of the corresponding ciphertext
ECB OFB CFB CBCCTRHiding repeatingplaintext blocksBasic speed
Capabilityfor parallel processingand pipelining
Cipheroperations
Preprocessing
Random access
Block Cipher Modes of OperationBasic Features (1)
No
sECB
Encryption and
decryption
Encryption and
decryption
No
R/W
46
Block Cipher Modes of OperationBasic Features (2)
ECB OFB CFB CBCCTR
Security against the exhaustive key search attack
Minimum number ofthe messageand ciphertextblocksneeded
Integrity
Error propagation in the decrypted message
1 plaintext block,
1 ciphertext block
Modificationof j-bits
Deletion of j bits
No
L bits
Current and all subsequent
Counter Mode
47
Counter Mode - CTREncryption
m1 m2 m3
E
ci = mi Å ki
ki = EK(IV+i-1) for i=1..N
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV IV+1 IV+2 IV+N-2 IV+N-1
k1 k2 k3 kN-1 kN
K K K K K
Counter Mode - CTRDecryption
c1 c2 c3
E
mi = ci Å ki
ki = EK(IV+i-1) for i=1..N
cN-1 cN
. . .
E E E E. . .
m1 m2 m3 mN-1 mN
IV IV+1 IV+2 IV+N-2 IV+N-1
k1 k2 k3 kN-1 kN
K K K K K
48
Counter Mode - CTR
EK
IN
OUT
counter
IV
1 L
ci
mi
EK
IN
OUT
counter
IV
1 L
ci
mi
1 L 1 L
IS1 = IV
ci = EK(ISi) Å miISi+1 = ISi+1
J-bit Counter Mode - CTR
m1 m2 m3
E
ci = mi Å ki
ki = E(IV+i-1)[1..j] for i=1..N
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV IV+1 IV+2 IV+N-2 IV+N-1
k1 k2 k3 kN-1 kN
K K K K K
j j j j j
j j j j j
j jjj j
49
J-bit Counter Mode - CTR
j bits L-j bits
EK
IN
OUT
counter
IV
1 j L
ci
mi
j bits L-j bits
EK
IN
OUT
counter
IV
1 j L
ci
mi
1 L 1 L
ECB OFB CFB CBCCTRHiding repeatingplaintext blocksBasic speed
Capabilityfor parallel processingand pipelining
Cipheroperations
Preprocessing
Random access
Block Cipher Modes of OperationBasic Features (1)
No Yes
sECB
Encryption and
decryption
Encryption and
decryption
Encryption and
decryption
Encryption only
No Yes
R/W R/W
»j/L×sECB
50
Block Cipher Modes of OperationBasic Features (2)
ECB OFB CFB CBCCTR
Security against the exhaustive key search attack
Minimum number ofthe messageand ciphertextblocksneeded
Integrity
Error propagation in the decrypted message
1 plaintext block,
1 ciphertext block
1 plaintext block,
1 ciphertext block
Modificationof j-bits
Deletion of j bits
No No
L bits j bits
Current and all subsequent
Current and all subsequent
OFB (Output FeedBack) Mode
51
Output Feedback Mode - OFBEncryption
m1 m2 m3
E
ci = mi Å ki
ki =EK(ki-1) for i=1..N, and k0 = IV
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV
k1 k2 k3 kN-1 kN
Output Feedback Mode - OFBDecryption
c1 c2 c3
E
mi = ci Å ki
ki =EK(ki-1) for i=1..N, and k0 = IV
cN-1 cN
. . .
E E E E. . .
m1 m2 m3 mN-1 mN
IV
k1 k2 k3 kN-1 kN
52
Output Feedback Mode - OFB
EK
IN
OUT1 L
ci
mi
EK
IN
OUT1 L
ci
mi
1 L 1 L
IVIV
IS1 = IV
ci = EK(ISi) Å miISi+1 = EK(ISi)
J-bit Output Feedback Mode - OFB
j bits L-j bits
EK
IN
OUT
1 j L
ci
mi
j bits L-j bits
EK
IN
OUT
1 j L
ci
mi
L-j bits j bits L-j bits j bits
shift shift
1 LL-j 1 LL-j
IVIV
53
ECB OFB CFB CBCCTRHiding repeatingplaintext blocksBasic speed
Capabilityfor parallel processingand pipelining
Cipheroperations
Preprocessing
Random access
Block Cipher Modes of OperationBasic Features (1)
No Yes Yes
sECB »j/L×sECB
Encryption and
decryption
Encryption and
decryption
None
Encryption and
decryption
Encryption only
Encryption only
No Yes Yes
R/W R/W No
»j/L×sECB
Block Cipher Modes of OperationBasic Features (2)
ECB OFB CFB CBCCTR
Security against the exhaustive key search attack
Minimum number ofthe messageand ciphertextblocksneeded
Integrity
Error propagation in the decrypted message
1 plaintext block,
1 ciphertext block
1 plaintext block,
1 ciphertext block
2 plaintext blocks,
2 ciphertext blocks
(for j=L)
Modificationof j-bits
Deletion of j bits
No No No
L bits j bits j bits
Current and all subsequent
Current and all subsequent
Current and all subsequent
54
CFB (Cipher FeedBack) Mode
Cipher Feedback Mode - CFBEncryption
m1 m2 m3
E
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV
ci = mi Å ki
ki =EK(ci-1) for i=1..N, and c0 = IV
k1 k2 k3 kN-1 kN
55
Cipher Feedback Mode - CFBDecryption
m1 m2 m3
E
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV
mi = ci Å ki
ki =EK(ci-1) for i=1..N, and c0 = IV
k1 k2 k3 kN-1 kN
Cipher Feedback Mode - CFB
EK
IN
OUT1 L
ci
mi
EK
IN
OUT1 L
ci
mi
1 L 1 L
IVIV
IS1 = IV
ci = EK(ISi) Å miISi+1 = ci
56
J-bit Cipher Feedback Mode - CFB
j bits L-j bits
EK
IN
OUT
1 j L
ci
mi
j bits L-j bits
EK
IN
OUT
1 j L
ci
mi
L-j bits j bits L-j bits j bitsshift shift
1 LL-j 1 LL-j
IVIV
ECB OFB CFB CBCCTRHiding repeatingplaintext blocksBasic speed
Capabilityfor parallel processingand pipelining
Cipheroperations
Preprocessing
Random access
Block Cipher Modes of OperationBasic Features (1)
No Yes Yes Yes
sECB »j/L×sECB »j/L×sECB
Encryption and
decryption
Encryption and
decryption
None Decryptiononly
Encryption and
decryption
Encryption only
Encryption only
Encryption only
No Yes Yes No
R/W R/W R onlyNo
»j/L×sECB
57
Block Cipher Modes of OperationBasic Features (2)
ECB OFB CFB CBCCTR
Security against the exhaustive key search attack
Minimum number ofthe messageand ciphertextblocksneeded
Integrity
Error propagation in the decrypted message
1 plaintext block,
1 ciphertext block
1 plaintext block,
1 ciphertext block
2 plaintext blocks,
2 ciphertext blocks
(for j=L)
1 plaintext block,
2 ciphertext blocks
(for j=L)
Modificationof j-bits
Deletion of j bits
No No No No
L bits j bits j bits L+j bits
Current and all subsequent
Current and all subsequent
Current and all subsequent L bits
CBC (Cipher Block Chaining) Mode
58
Cipher Block Chaining Mode - CBCEncryption
m1 m2 m3
E
IV
ci = EK(mi Å ci-1) for i=1..N c0=IV
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
Cipher Block Chaining Mode - CBCDecryption
mi = DK(ci) Å ci-1 for i=1..N c0=IV
m1 m2 m3 mN-1 mN
IV . . .
D D D D D. . .
c1 c2 c3 cN-1 cN
59
ECB OFB CFB CBCCTRHiding repeatingplaintext blocksBasic speed
Capabilityfor parallel processingand pipelining
Cipheroperations
Preprocessing
Random access
Block Cipher Modes of OperationBasic Features (1)
No Yes Yes Yes Yes
sECB »j/L×sECB »j/L×sECB »sECB
Encryption and
decryption
Encryption and
decryption
None Decryptiononly
Decryptiononly
Encryption and
decryption
Encryption only
Encryption only
Encryption only
Encryption and
decryption
No Yes Yes No No
R/W R/W R only R onlyNo
»j/L×sECB
Block Cipher Modes of OperationBasic Features (2)
ECB OFB CFB CBCCTR
Security against the exhaustive key search attack
Minimum number ofthe messageand ciphertextblocksneeded
Integrity
Error propagation in the decrypted message
1 plaintext block,
1 ciphertext block
1 plaintext block,
1 ciphertext block
2 plaintext blocks,
2 ciphertext blocks
(for j=L)
1 plaintext block,
2 ciphertext blocks
(for j=L)
1 plaintext block,
2 ciphertext blocks
Modificationof j-bits
Deletion of j bits
No No No No No
L bits j bits j bits L+j bits L+j bits
Current and all subsequent
Current and all subsequent
Current and all subsequent L bits Current and
all subsequent
60
New modes of operation
Evaluation Criteria for Modes of Operation
Security
Efficiency Functionality
61
Evaluation criteria (1) Security
• resistance to attacks• proof of security• random properties of the ciphertext
• number of calls of the block cipher• capability for parallel processing• memory/area requirements• initialization time • capability for preprocessing
Efficiency
Functionality• security services
- confidentiality, integrity, authentication• flexibility
- variable lengths of blocks and keys- different amount of precomputations- requirements on the length of the message
• vulnerability to implementation errors• requirements on the amount of keys, initializationvectors, random numbers, etc.
• error propagation and the capability forresynchronization
• patent restrictions
Evaluation criteria (2)
62
CBCm1 m2 m3
E
IV
Problems:
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
- No parallel processing of blocks from the same packet- No speed-up by preprocessing- No integrity or authentication
Counter mode
m0m1 m2
E
mN-1 mN
. . .
E E E E. . .
c0 c1 c2 cN-1 cN
IV IV+1 IV+2 IV+N-1 IV+N
Features:+ Potential for parallel processing+ Speed-up by preprocessing- No integrity or authentication
k0 k1 k2 kN-1 kN
63
Properties of existing and new cipher modesCBC CFB OFB New
standardProof of security
Preprocessing
Parallel processing
Integrity andauthentication
Resistanceto implementationerrors
decryption only
– –
–
– – –
–
E
IV
E
C1
M1
Z1
Z1
E
C2
M2
Z2
Z2
E
CN-1
MN-1
ZN-1
ZN-1
E
CN
MN
ZN
MN
. . .L
R
length
g(L)
Zi=f(L, R, i)
E
0
E
T
ZN
t bits
Control sum
OCB - Offset Codebook Mode
64
New modes of block ciphers
1. CCM - Counter with CBC-MAC• developed by R. Housley, D. Whiting, N. Ferguson in 2002• assures simultaneous confidentiality and authentication• not covered by any patent• part of the IEEE 802.11i standard for wireless networks
2. GCM – Galois/Counter Mode• developed by D. McGrew and J. Viega in 2005 • assures simultaneous confidentiality and authentication• not covered by any patent• used in the IEEE 802.1AE (MACsec) Ethernet security,
ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPSec standards
Properties of new modes of operationCBC CFB OFB CCM
only decryption
– –
–
– – –
–
CTR
–
–
Half ofoperations
–
GCM
–
Half ofoperations
Half ofoperations
Proof of security
Preprocessing
Parallel processing
Integrity andauthentication
Resistanceto implementationerrors
65
CAESARContest
2013-2018
Message
Bob
Tag
Alice
Confidentiality & AuthenticationAuthenticated Ciphers
KAB KABAuthenticatedCipher
Encryption
N
CiphertextN
TagCiphertextN
Message
AuthenticatedCipher
Decryption
invalid
KAB - Secret key of Alice and BobN – Nonce or Initialization Vector
or
66
Confidentiality & AuthenticationAuthenticated Ciphers
or
Key
TagNpub AD CiphertextNsecEnc
Key
Encryption
Npub Nsec AD Message
Npub AD CiphertextNsecEnc Tag Nsec AD MessageInvalid
Decryption
Npub - Public Message NumberNsec - Secret Message NumberEnc Nsec - Encrypted Secret Message NumberAD - Associated DataKAB - Secret key of Alice and Bob
KAB KAB
Cryptographic Standard Contests
time97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17
AES
NESSIE
CRYPTREC
eSTREAM
SHA-3
34 stream 4 HW winnersciphers ® + 4 SW winners
51 hash functions ® 1 winner
15 block ciphers ® 1 winnerIX.1997 X.2000
I.2000 XII.2002
IV.2008
X.2007 X.2012
XI.2004
CAESARI.2013
57 authenticated ciphers ® multiple winners2018
Top Related