Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
3. Block Ciphers
Lectures 3, 4 Saarland University
Block ciphers are symmetric ciphers operating block-wise, i.e., on bitstrings of a xed length. In the following we will see two examples of widely used block ciphers, namely the somehow outdated DES and its successor AES. In the sequel we will learn how such ciphers can be used to securely encrypt a larger amount of data, and we will briey discuss some attacks on block ciphers. First, however, we will introduce the concept of Feistel networks, which constitutes an important design principle underlying many block ciphers.
Proposition 3.1 (Feistel Networks are Permutations) Every Feistel network F : {0, 1}2n
{0, 1}2n constitutes a permutation.
Proof. First, we show how to invert a single round i. Let Fi denote the function computed in the i-th round. We dene the candidate inverse function Gi for input Li Ri as Ri fi (Li ) Li . The following simple calculation shows that this is indeed the inverse function:
Gi (Fi (Li1 Ri1 )) = Gi (Ri1 = Li1
1
Figure 3.1: One Round in a Feistel Network The candidate inverse of the function F having d rounds is now dened as G1 Gd ; easy calculation show that this is indeed the inverse:
G1 (G2 (. . . Gd1 (Gd (Fd (Fd1 (. . . F1 (m) . . . )))) . . . )) = G1 (G2 (. . . Gd1 (Fd1 (. . . F1 (m) . . . )) . . . )) = ... = G1 (F1 (m)) = m.
Feistel networks are appealing because of their simple design, and have the additional nice property that the same hardware circuit can be used for both encryption and decryption. This was particularly important in the 60's and 70's when the rst block ciphers were designed, and when hardware was still much more expensive. There are two minor modication when a ciphertext should be decrypted in a Feistel network, but these do not aect the network itself but the handling of inputs of the circuit, i.e., messages and inputs of round functions. Namely (i) the round functions need to be applied in dierent order, and (ii) writing c = Ld Rd as the ciphertext, one inputs Rd Ld to the network for decryption, i.e., one exchanges the left and the right half of the ciphertext, and additionally one exchanges the left and the right half of the output of the Feistel network. One can easily verify that the Feistel network (with these modications) computes the decryption operation as dened in the above proof.
Figure 3.2: The DES Round Function fi . 10 hours, and this is likely to decrease in the future. A variant called Triple-DES (3DES), which we will discuss later in this chapter, is still deployed and seems to provide good security.
IP : 58 62 57 61
50 54 49 53
42 46 41 45
34 38 33 37
26 30 25 29
18 22 17 21
10 14 9 13
2 6 1 5
60 64 59 63
52 56 51 55
44 48 43 47
36 40 35 39
28 32 27 31
20 24 19 23
12 16 11 15
4 8 3 7
Figure 3.3: Initial permutation (IP) in DES: The rst bit of the output is the 58-th bit of the input, the second bit of the output is the 50-th bits of the input, and so on.
E: 32 4 8 12 16 20 24 28
1 5 9 13 17 21 25 29
2 6 10 14 18 22 26 30
3 7 11 15 19 23 27 31
4 8 12 16 20 24 28 32
5 9 13 17 21 25 29 1
Figure 3.4: Bit-selection function E in DES: The rst bit of output is the 32-nd bit of the input, the second bit of output is the rst of the input and so on. divided into a 28-bit left half C0 and a 28-bit right half D0 . Now for each round we compute
Ci = Ci1 pi Di = Di1 pi
where x pi means a cyclic shift on x to the left by pi positions where pi = 1 if i {1, 2, 9, 16}, and pi = 2 otherwise. Finally, Ci and Di are joined together and permuted according to P C -2, obtaining the 48-bit round key. This permutation is given in Figure 3.7.
S1 : 14 0 4 15 S2 : 15 3 0 13 S3 : 10 13 13 1 S4 : 7 13 10 3 S5 : 2 14 4 11 S6 : 12 10 9 4 S7 : 4 13 1 6 S8 : 13 1 7 2
4 15 1 12 1 13 14 8 0 7 6 10 13 8 6 15 12 11 2 8 1 15 14 3 11 0 4 11 2 15 11 1
13 7 14 8 8 4 7 10 9 0 4 13 14 11 9 0 4 2 1 12 10 4 15 2 2 11 11 13 8 13 4 14
1 4 8 2 14 7 11 1 14 9 9 0 3 5 0 6 1 12 11 7 15 2 5 12 14 7 13 8 4 8 1 7
2 14 13 4 6 15 10 3 6 3 8 6 0 6 12 10 7 4 10 1 9 7 2 9 15 4 12 1 6 10 9 4
15 2 6 9 11 2 4 15 3 4 15 9 6 15 11 1 10 7 13 14 2 12 8 5 0 9 3 4 15 3 12 10
11 13 2 1 3 8 13 4 15 6 3 8 9 0 7 13 11 13 7 2 6 9 12 15 8 1 7 10 11 7 14 8
8 1 11 7 4 14 1 2 5 10 0 7 10 3 13 8 6 1 8 13 8 5 3 10 13 10 14 7 1 4 2 13
3 10 15 5 9 12 5 11 1 2 11 4 1 4 15 9 8 5 15 6 0 6 7 11 3 14 10 9 10 12 0 15
10 6 12 11 7 0 8 6 13 8 1 15 2 7 1 4 5 0 9 15 13 1 0 14 12 3 15 5 9 5 6 12
6 12 9 3 2 1 12 7 12 5 2 14 8 2 3 5 3 15 12 0 3 13 4 1 9 5 6 0 3 6 10 9
12 11 7 14 13 10 6 12 7 14 12 3 5 12 14 11 15 10 5 9 4 14 10 7 7 12 8 15 14 11 13 0
5 9 3 10 12 6 9 0 11 12 5 11 11 1 5 12 13 3 6 10 14 0 1 6 5 2 0 14 5 0 15 3
9 5 10 O 0 9 3 5 4 11 10 5 12 10 2 7 0 9 3 4 7 11 13 0 10 15 5 2 0 14 3 5
0 3 5 6 5 11 2 14 2 15 14 2 4 14 8 2 14 8 O 5 5 3 11 8 6 8 9 3 12 9 5 6
7 8 0 13 10 5 15 9 8 1 7 12 15 9 4 14 9 6 14 3 11 8 6 13 1 6 2 12 7 2 8 11
Figure 3.5: S-Boxes in DES: For a binary string x0 x1 x2 x3 x4 x5 x6 x7 , the output is computed by looking up the entry in row x0 x7 and column x1 x2 x3 x4 x5 x6 . This representation has historic reasons.
P: 16 1 2 19
7 15 8 13
20 23 24 30
21 26 14 6
29 5 32 22
12 18 27 11
28 31 3 4
17 10 9 25
Figure 3.6: DES permutation P : The rst bit of the output is the 16-th bit of the input. 5
P C -1: 57 1 10 19 63 7 14 21
49 58 2 11 55 62 6 13
41 50 59 3 47 54 61 5
33 42 51 60 39 46 53 28
25 34 43 52 31 38 45 20
17 26 35 44 23 30 37 12
9 18 27 36 15 22 29 4
P C -2: 14 3 23 16 41 30 44 46
17 28 19 7 52 40 49 42
11 15 12 27 31 51 39 50
24 6 4 20 37 45 56 36
1 21 26 13 47 33 34 29
5 10 8 2 55 48 53 32
Figure 3.7: DES Key schedule permutations P C -1 and P C -2 (Note that the indices refer to the original key with error-correcting bits.)
0 1 2 3 4 5 6 7 8 9 a b c d e f
0 63 ca b7 04 09 53 d0 51 cd 60 e0 e7 ba 70 e1 8c
1 7c 82 fd c7 83 d1 ef a3 0c 81 32 c8 78 3e f8 a1
2 77 c9 93 23 2c 00 aa 40 13 4f 3a 37 25 b5 98 89
3 7b 7d 26 c3 1a ed fb 8f ec dc 0a 6d 2e 66 11 0d
4 f2 fa 36 18 1b 20 43 92 5f 22 49 8d 1c 48 69 bf
5 6b 59 3f 96 6e fc 4d 9d 97 2a 06 d5 a6 03 d9 e6
6 6f 47 f7 05 5a b1 33 38 44 90 24 4e b4 f6 8e 42
7 c5 f0 cc 9a a0 5b 85 f5 17 88 5c a9 c6 0e 94 68
8 30 ad 34 07 52 6a 45 bc c4 46 c2 6c e8 61 9b 41
9 01 d4 a5 12 3b cb f9 b6 a7 ee d3 56 dd 35 1e 99
a 67 a2 e5 80 d6 be 02 da 7e b8 ac f4 74 57 87 2d
b 2b af f1 e2 b3 39 7f 21 3d 14 62 ea 1f b9 e9 0f
c Le 9c 71 eb 29 4a 50 10 64 de 91 65 4b 86 ce b0
d d7 a4 d8 27 e3 4c 3c ff 5d 5e 95 7a bd c1 55 54
e ab 72 31 b2 2f 58 9f f3 19 0b e4 ae 8b 1d 28 bb
f 76 c0 15 75 84 cf a8 d2 73 db 79 08 8a 9e df 16
Figure 3.9: S-box in AES: Substitution values for the byte xy (in hexadecimal format).
3.3.1 Construction
AES operates on an array of 44 bytes, which is initialized with a message m = m0 as follows:
m1
...
m15
m0 m1 m2 m3
m4 m5 m6 m7
m8 m9 m10 m11
Each round applies the following manipulations to the state (i.e., to the array): 1. A substitution operation on every single byte SubBytes(), 2. a byte permutation ShiftRows(), 3. a column manipulation MixColumns(), 4. and the Exclusive OR of the state with the round key AddRoundKey(). An exception is the last round, where the MixColumns() operation is skipped. Now we discuss these operations in detail.
SubBytes(): This operation is similar to the S-Box substitution of DES. Each byte ai,j of the state is substituted by the output of a single S-Box. This S-Box has also a nice algebraic representation over the nite eld F28 ; However, we do not want to develop all the theory and simply give it in the form of a table, see Table 3.9. This table can also be used in implementations where spending space to a fully specied table is not a major concern since table look-up is signicantly faster than on-the-y calculations. ShiftRow(): The lower three rows are shifted by one, two, and three positions, respectively. a0,0 a1,0 a2,0 a3,0 a0,1 a1,1 a2,1 a3,1 a0,2 a1,2 a2,2 a3,2 a0,3 a1,3 a2,3 a3,3 a0,0 a 1,1 a2,2 a3,3
7
MixColumns(): The MixColumns operation replaces each a0,i 02 03 01 01 a1,i 01 02 03 01 a = 01 01 02 03 2,i 03 01 01 02 a3,i
where the multiplication is calculated in F28 .
column i as follows:
AddRoundKey(): The round key is represented as a 4 4 matrix with bytes as elements. The new state is computed as the Exclusive OR of the key and the current state.
cipher. One also says that the unicity distance, i.e., the probability that a key is already uniquely determined after seeing one plaintext/ciphertext pair, is very high.
Lemma 3.2 Let (KDES , EDES , DDES ) denote the idealized DES cipher, i.e., for randomly chosen key
K [KDES ], the function EDES (K, ) is as good as a randomly chosen function R : {0, 1}64 {0, 1}64 . Then Pr K [KDES ] : K = K EDES (K, m) = EDES (K , m); m R M, K KDES 1 256 2
=
K,K {0,1}56 (2)
K,K {0,1}56
if K = K if K = K
For inequality (1) we exploited that the probability of a union is always less of equal than the sum of the probabilities of all elements of the union. Equality (2) holds because EDES was considered to be an ideal cipher: Consequently both EDES (K, m) and EDES (K , m) are (independent) uniformly random in {0, 1}64 over the choice of the random functions, provided that the keys are not equal. Thus the probability that both encryptions are equal is 21 . 64 Thus the unicity distance of DES, when considered as an ideal encryption, is at least 1 28 .
Exhaustive Key Search in Practice: The DES Challenge was put forward by RSA Security to encourage research on the security of DES. A reward of 10000$ was oered for solving the challenge, i.e., for computing the key that was used to encrypt a specic plaintext/ciphertext pair of the form The unknown message is: . In 1997 the DESCHALL project needed about three months to break the DES challenge with a distributed search. In 1998 The Electronic Frontier Foundation (EFF) built the specialized hardware device Deep Crack that was able to break DES keys in roughly three days, at rather moderate costs of about 250.000$. While this is certainly too expensive for individuals, this amount is reasonable for large organizations or governments. Later the EFF and distributed.net together broke the challenge in 22 hours.
9
1 + , 2
where m(i) , c(i) , K (i) denote the i-th bits of the bitstring m, the ciphertext c, and the key K , respectively. Such relations can be found for DES with 221 . If one gets enough plaintext/ciphertext pairs, one can obtain partial information about the key. Namely for 1/ 2 plaintext/ciphertext pairs (ml , cl ) one has
(i1 )
ml
(ir )
cl
(j1 )
cl
(js )
| l = 1, . . . , 1/
97.7%.
where MAJ denotes the majority function, taken over all Exclusive ORs computed from any given plaintext/ciphertext pair. One can calculate that obtaining 242 plaintext/ciphertext pairs for DES allows for retrieving 14 bits of information of the key using these techniques. This enables an attacker to reduce the complexity of an exhaustive key search to 242 DES operations, as one only has to test keys fullling the relation. An even more involved method to break block ciphers is dierential cryptanalysis, which we will not discuss here.
security of DES, as there exists a meet-in-the-middle attack, which can be summarized as follows. Assume that we are given a plaintext/ciphertext pair (m, c), i.e., c = EDES (K1 , EDES (K2 , m)) for some K1 and K2 . (i) 1. Decrypt the given ciphertext c with every possible key K2 , where 1 i 256 . This yields a table with entries (K2 , DDES (K2 , c)), . . . , (K2 , DDES (K2 , c)). This step requires 256 executions of DES. 2. Sort this table with respect to the second entry. This takes a number of steps in the order of 256 log(256 ). (i) 3. Encrypt the message m with any possible key K1 , where 1 i 256 , and look up the result(i ) ing encryption in the second column of the table, until a matching ciphertext EDES (K1 1 , m) is found. Let i2 be the row containing such a ciphertext. This step takes at most 256 executions of DES. (i ) 4. Let K2 2 denote the key in the rst column of the table at row i2 . Then the correct key is (i ) (i ) (K1 1 , K2 2 ). Since the sorting step does not produce a noticeable overhead over executing DES 256 times, we ignore its cost in the overall complexity. Then one sees that the total number of DES executions is 2 256 = 257 , so the eective key length of Double-DES is at most 57 bits. Note that the above argument ignored the memory necessary to store the table, which is pretty large in the above example. So there is a trade-o between memory and time the meet-in-the-middle attack uses, but with still moderate memory usage the time can be reduced quite a lot. Since Double-DES does not improve a lot over DES, Double-DES is rarely used.
(1) (1) (256 ) (256 )
3.5.3 DESX
Another variant is DESX, which is not that widely used although it provides an even larger eective key length than 3DES and is roughly three times faster. A key is a triple (K1 , K2 , K3 ) where 11
K1 , K3 {0, 1}64 and K2 {0, 1}56 . Thus K2 is a DES key and K1 and K3 are random binary strings of the same length as the message blocks. Encryption and decryption are dened as EDESX ((K1 , K2 , K3 ), m) := K3 EDES (K2 , K1 m), and DDESX ((K1 , K2 , K3 ), c) := K1 DDES (K2 , K3 c).
The following theorem was given by Kilian and Rogaway in 1998; it gives evidence that DESX has an eective key length of at least 119 bits. The proof is omitted and can be found in the original paper.
Theorem 3.3 (Kilian, Rogaway 1998) Let (E, D) be an ideal cipher with key length l and blocksize b. Let (K1 , K2 , K3 ) {0, 1}2b+l , and let
EX((K1 , K2 , K3 ), m) := K3 E(K2 , K1 m)
a cipher having key length k = 2b+l. Then the eective key length of EX is at least kb1 = b+l1 bit. In particular, the eective key length of (an idealized) DESX is at least 64 + 56 1 = 119 bits. 2
ci := E(K, mi ).
The decryption operation is obvious. The ECB mode is depicted in Figure 3.10. The main weakness of the ECB mode is that identical blocks mi are encrypted to the same ciphertext ci . This is a particularly strong weakness if messages come from a source with low entropy, e.g., securely encrypting (uncompressed) images is not possible using ECB. On the positive side, if one block ci gets corrupted due to unreliable channels, then only one block is aected while all other blocks can still be decrypted.
13
ci := mi Ei (K, IV ).
where Ei (K, ) means iterating the encryption operation i times. Of course, when implementing this mode one reuses previously computed iterations in the obvious way, see also in Figure 3.13. Decryption is computed analogously. Again, the initialization vector needs to be included in the ciphertext. The OFB mode has the property that a one-bit error in the ciphertext gives only a one-bit error in the decrypted ciphertext. Furthermore, the key stream can be pre-computed, as it does not depend on the ciphertext. So this mode is good if latency between receiving a message and decrypting it is important.
A Note on the Initialization Vector (IV ) We have dened the modes ECB, CBC, CFB, and
OFB in such a way that the initialization vector is chosen uniformly at random and included in the ciphertext. However, the key requirement is that an initialization vector is not used twice, so one could dene these modes such that subsequent initialization vectors are determined by a counter. Then the initialization vector does not have to be sent with the ciphertext; however, both the sender and the receiver have to synchronize their counters. 14
ci := mi E(K, IV + i).
Here for computing the addition IV + i both values are interpreted as values in Z2n .
Deterministic Counter Mode (detCTR) In this variant the initialization vector is chosen to
be IV = 0. We will see that this has the consequence that only one message can be encrypted securely, as we would re-use a value output by the function E when encrypting the second message. Deterministic counter mode has very similar characteristics to OFB. A bit-error in ciphertext leads to a bit-error in the message; subsequent blocks are not aected. The key stream can be precomputed, and random access to the ciphertext is possible.
Randomized Counter Mode (randCTR) This variant does not use a xed initialization vec-
tor, but randomly chooses a new one for every message that is encrypted. This value has to be sent along with the ciphertext c as constructed above, i.e., the actual ciphertext is (IV , c). Randomized counter mode has very similar characteristics to detCTR and OFB. In contrast to detCTR we will see that it can be used to securely encrypt multiple messages. As for detCTR, the key stream can be precomputed, and random access to the ciphertext is possible.
15