
Chapter 3

Symmetric Key Crypto


Stream Ciphers
Block Ciphers
Block Cipher Modes
Integrity

Chapter 3 Symmetric Key Crypto 1


Symmetric Key Crypto
 Stream cipher: like a one-time pad
 Key is relatively short
 Key is stretched into a long keystream
 Keystream is then used like a one-time pad, except without provable security
 Employs confusion only

Symmetric Key Crypto
 Examples of stream ciphers
 A5/1: employed in GSM cell phones
 Representative stream cipher implemented in hardware
 RC4: used in the SSL protocol
 Almost unique among stream ciphers in being efficiently implemented in software

Symmetric Key Crypto
 Block cipher: based on the codebook concept
 Block cipher key determines an “electronic” codebook
 Each key yields a different codebook
 Employs both “confusion” and “diffusion”

Symmetric Key Crypto
 Examples of block ciphers
 Data Encryption Standard (DES): relatively simple
 Advanced Encryption Standard (AES)
 International Data Encryption Algorithm (IDEA)
 Blowfish
 RC6
 Tiny Encryption Algorithm (TEA)

Symmetric Key Crypto
 Modes of operation of block ciphers
 Examples of block cipher modes of operation
 Electronic codebook (ECB)
 Cipher-block chaining (CBC)
 Cipher feedback (CFB)
 Output feedback (OFB)
 Counter (CTR)
 Data integrity of block cipher
 Message authentication code (MAC)

Symmetric Key Crypto
 Goal of this section
 Introduce symmetric ciphers
 Understand their inner workings and uses
 Focus more on the “how” than the “why”
 To understand the “why”, you need to understand cryptanalysis (Chapter 6)

Stream Ciphers

Stream Ciphers
 Not as popular today as block ciphers
 A key K of n bits is stretched into a long keystream
 Function of a stream cipher
 StreamCipher(K) = S, where K is the key and S is the keystream
 S is used like a one-time pad
 c0 = p0 ⊕ s0, c1 = p1 ⊕ s1, c2 = p2 ⊕ s2, …
 p0 = c0 ⊕ s0, p1 = c1 ⊕ s1, p2 = c2 ⊕ s2, …
 Sender and receiver have the same stream cipher algorithm and both know the key K

Stream Ciphers
 We’ll discuss two examples
 A5/1
 Based on linear feedback shift registers
 Used in GSM mobile phone system
 A5/1 is used in Europe and the United States
 A5/2 is used in countries that are not considered trustworthy enough to have strong crypto
 RC4
 Based on a changing lookup table
 Used in many places, e.g. SSL

A5/1

A5/1
 A5/1 is a representative stream cipher implemented in hardware
 Consists of 3 linear feedback shift registers
 X: 19 bits (x0, x1, x2, …, x18)
 Y: 22 bits (y0, y1, y2, …, y21)
 Z: 23 bits (z0, z1, z2, …, z22)
 X + Y + Z = 64 bits

A5/1
 At each step: m = maj(x8, y10, z10)
 Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1
 If x8 = m then X steps
 t = x13 ⊕ x16 ⊕ x17 ⊕ x18
 x_i = x_{i-1} for i = 18, 17, …, 1 and x0 = t
 If y10 = m then Y steps
 t = y20 ⊕ y21
 y_i = y_{i-1} for i = 21, 20, …, 1 and y0 = t
 If z10 = m then Z steps
 t = z7 ⊕ z20 ⊕ z21 ⊕ z22
 z_i = z_{i-1} for i = 22, 21, …, 1 and z0 = t
 Keystream bit is x18 ⊕ y21 ⊕ z22
A5/1
X x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18

Y y0 y1 y2 y3 y4 y5 y6 y7 y8 y9 y10 y11 y12 y13 y14 y15 y16 y17 y18 y19 y20 y21 

Z z0 z1 z2 z3 z4 z5 z6 z7 z8 z9 z10 z11 z12 z13 z14 z15 z16 z17 z18 z19 z20 z21 z22


 Each value is a single bit
 Key is used as initial fill of registers
 Each register steps or not, based on (x8, y10, z10)
 Keystream bit is XOR of right bits of registers
A5/1
X 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

Y 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 1 

Z 1 1 1 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1 0 0 0 1

 In this example, m = maj(x8, y10, z10) = maj(1,0,1) = 1


 Register X steps, Y does not step, and Z steps
 Keystream bit is XOR of right bits of registers
 Here, keystream bit will be 0 ⊕ 1 ⊕ 0 = 1
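
The worked register fill above can be checked mechanically. The following Python is an added example, not part of the original slides; it implements the stepping rule exactly as stated (register fill used directly as the key), and the function names are illustrative.

```python
# Added example: A5/1 stepping as described on the slides.
# Registers are lists of bits with index 0 on the left, as drawn above.

X_TAPS = (13, 16, 17, 18)
Y_TAPS = (20, 21)
Z_TAPS = (7, 20, 21, 22)


def bits(s):
    """Turn a string such as '1010' into a list of ints."""
    return [int(ch) for ch in s]


def maj(a, b, c):
    """Majority vote of three bits."""
    return (a & b) | (a & c) | (b & c)


def step(reg, taps):
    """Shift right by one; the XOR of the tap bits enters at index 0."""
    t = 0
    for i in taps:
        t ^= reg[i]
    return [t] + reg[:-1]


def clock(x, y, z):
    """One cycle: majority-controlled stepping, then one keystream bit."""
    m = maj(x[8], y[10], z[10])
    stepped = (x[8] == m, y[10] == m, z[10] == m)
    if stepped[0]:
        x = step(x, X_TAPS)
    if stepped[1]:
        y = step(y, Y_TAPS)
    if stepped[2]:
        z = step(z, Z_TAPS)
    return x, y, z, x[18] ^ y[21] ^ z[22], stepped


def keystream(x, y, z, n):
    """Generate n keystream bits from the given register fill."""
    out = []
    for _ in range(n):
        x, y, z, bit, _flags = clock(x, y, z)
        out.append(bit)
    return out


def xor_bits(data, ks):
    """Encrypt or decrypt: XOR data bits with keystream bits."""
    return [d ^ k for d, k in zip(data, ks)]


# Register fill from the worked slide (19, 22 and 23 bits).
X = bits("1010101010101010101")
Y = bits("1100110011001100110001")
Z = bits("11100001111000011110001")

if __name__ == "__main__":
    _, _, _, bit, stepped = clock(X, Y, Z)
    print("stepped (X, Y, Z):", stepped)
    print("first keystream bit:", bit)
    msg = bits("1011001110001111")            # constructed 16-bit message
    ct = xor_bits(msg, keystream(X, Y, Z, len(msg)))
    print("round trip ok:", xor_bits(ct, keystream(X, Y, Z, len(msg))) == msg)
```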
RC4

RC4
 RC4 is optimized for software implementation, whereas A5/1 is designed for hardware
 RC4 produces a keystream byte at each step, whereas A5/1 produces only a single keystream bit

RC4
 RC4 is remarkably simple
 Because it is essentially just a lookup table containing a permutation of the 256 (2^8) byte values
 Each time a byte of keystream is produced, the lookup table is modified in such a way that the table always contains a permutation of {0,1,2,…,255}

RC4 Initialization
 The first phase: initialize the lookup table using the key
 Key: key[i] for i = 0,1,…,N-1, where key[i] is a byte
 Lookup table: S[i] is a byte
 Key can be any length from 0 to 256 bytes
 Key is only used to initialize the permutation S
 S[] is a permutation of 0,1,…,255
 key[] contains N bytes of key

for i = 0 to 255
    S[i] = i
    K[i] = key[i (mod N)]
next i
j = 0
for i = 0 to 255
    j = (j + S[i] + K[i]) mod 256
    swap(S[i], S[j])
next i
i = j = 0

RC4 Keystream
 The next phase: each keystream byte is generated according to the following algorithm
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 256
keystreamByte = S[t]
 Use keystream bytes like a one-time pad
 Note: first 256 bytes must be discarded
 Otherwise attacker may be able to recover key

Stream Ciphers
 Stream ciphers were big in the past
 Efficient in hardware
 Speed needed to keep up with voice, etc.
 Today, processors are fast, so software-based crypto is fast enough
 Future of stream ciphers?
 Shamir: “the death of stream ciphers”
 May be exaggerated…

Block Ciphers

Block Cipher
 Plaintext and ciphertext consist of fixed-size blocks
 Design goal: security and efficiency
 It is not easy to design a block cipher that is secure and efficient

(Iterated) Block Cipher
 Ciphertext obtained from plaintext by iterating a round function
 Input to round function consists of key and the output of previous round
 Usually implemented in software
 Typical type is the Feistel cipher

Feistel Cipher
 Feistel cipher refers to a type of block cipher
design, not a specific cipher
 Split plaintext block into left and right halves: Plaintext = (L_0, R_0)
 For each round i = 1,2,...,n, compute
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
where F is round function and K_i is subkey
 Ciphertext = (L_n, R_n)

Feistel Cipher
 Decryption: Ciphertext = (L_n, R_n)
 For each round i = n, n-1, …, 1, compute
R_{i-1} = L_i
L_{i-1} = R_i ⊕ F(R_{i-1}, K_i)
where F is round function and K_i is subkey
 Plaintext = (L_0, R_0)
 Formula “works” for any function F
 But only secure for certain functions F
 Ex: F(R_{i-1}, K_i) = 0 for all R_{i-1} and K_i → not secure

Data Encryption Standard

Data Encryption Standard
 DES developed in 1970’s
 Based on IBM Lucifer cipher
 U.S. government standard
 DES development was controversial
 NSA was secretly involved
 Design process not open
 Key length was reduced
 Subtle changes to Lucifer algorithm

DES Numerology

 DES is a Feistel cipher


 64 bit block length
 56 bit key length
 16 rounds
 48 bits of key used each round (subkey)
 Each round is simple (for a block cipher)
 Security depends primarily on “S-boxes”
 Each S-box maps 6 bits to 4 bits
 Total of 8 S-boxes

One Round of DES
[Figure: one round of DES. Labels: L (32 bits), R (32 bits) and two key halves (28 bits each) in; expand (to 48 bits), compress (to 48 bits), S-boxes (8), P box (32 bits); L, R and key out.]


DES Expansion Permutation

 Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

 Output 48 bits
31 0 1 2 3 4 3 4 5 6 7 8
7 8 9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31 0

DES S-box
 8 “substitution boxes” or S-boxes
 Each S-box maps 6 bits to 4 bits
 S-box number 1 (rows: input bits (0,5); columns: input bits (1,2,3,4))

     0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00   1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
01   0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
10   0100 1101 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000
11   1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101



DES P-box
 Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

 Output 32 bits
15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9

1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24

DES Subkey
 56 bit DES key, numbered 0,1,2,…,55
 Left half key bits, LK
49 42 35 28 21 14 7
0 50 43 36 29 22 15
8 1 51 44 37 30 23
16 9 2 52 45 38 31

 Right half key bits, RK


55 48 41 34 27 20 13
6 54 47 40 33 26 19
12 5 53 46 39 32 25
18 11 4 24 17 10 3

DES Subkey
 For rounds i = 1,2,...,16
 Let LK = (LK circular shift left by ri)
 Let RK = (RK circular shift left by ri)
 Left half of subkey Ki is of LK bits
13 16 10 23 0 4 2 27 14 5 20 9
22 18 11 3 25 7 15 6 26 19 12 1
 Right half of subkey Ki is RK bits
12 23 2 8 18 26 1 11 22 16 4 19
DES Subkey
 For rounds 1, 2, 9 and 16 the shift ri is 1,
and in all other rounds ri is 2
 Bits 8,17,21,24 of LK omitted each round
 Bits 6,9,14,25 of RK omitted each round
 Compression permutation yields 48 bit
subkey Ki from 56 bits of LK and RK
 Key schedule generates subkey

DES Last Word (Almost)
 An initial perm P before round 1
 Halves are swapped after last round
 A final permutation (inverse of P) is
applied to (R16,L16) to yield ciphertext
 None of these serve any security
purpose

Security of DES
 Security of DES depends a lot on S-boxes
 Everything else in DES is linear
 Thirty years of intense analysis has
revealed no “back door”
 Attacks today use exhaustive key search
 Inescapable conclusions
 Designers of DES knew what they were doing
 Designers of DES were ahead of their time

Exhaustive Key Search time

Key size (bits)   # of possible keys     Execution time (1 Encrypt/µs)   Execution time (10 Encrypt/µs)
32                2^32 = 4.3 × 10^9      2^31 µs = 35.8 min              2.15 ms
56                2^56 = 7.2 × 10^16     2^55 µs = 1142 yrs              10.01 hrs
128               2^128 = 4.3 × 10^38    2^127 µs = 5.4 × 10^24 yr       5.4 × 10^18 yrs
168               2^168 = 4.3 × 10^50    2^167 µs = 5.9 × 10^36 yr       5.9 × 10^30 yr

Block Cipher Notation
 P = plaintext block
 C = ciphertext block
 Encrypt P with key K to get ciphertext C
 C = E(P, K)
 Decrypt C with key K to get plaintext P
 P = D(C, K)
 Note that
 P = D(E(P, K), K) and C = E(D(C, K), K)

Double DES
 DES’s key length is insufficient today
 An obvious way to use DES with a larger key length: intuitively, “double DES”
 C = E(E(P,K),K) ?
 Problem: still just a 56-bit key
 C = E(E(P,K1),K2) ?
 There is an attack that is more-or-less equivalent to single DES
 Although the attack is somewhat impractical, it’s close enough to being practical
Double DES attack
 C = E(E(P,K1),K2). Attack: chosen plaintext attack
 For a particular P, precompute a table of E(P,K) for every possible key K (resulting table has 2^56 entries)
 Given this table of pairs (E(P,K), K) and the ciphertext C corresponding to the chosen P
 Then for each possible K2, compute D(C,K2) until a match in the table is found
 Here, since C = E(E(P,K1),K2), we have D(C,K2) = E(P,K1) for the correct K2, that is, D(C,K2) should be in the table

Double DES attack
 When a match is found, we have E(P,K1) = D(C,K2)
 Result is the keys: C = E(E(P,K1),K2) where K1 and K2 are known, i.e., C can be decrypted
 Neglecting the work needed to precompute the table, the work consists of computing D(C,K) until we find a match in the table
 This has an expected work of 2^55: the work of a single DES exhaustive key search
 So, double DES is not secure
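
Added example (not from the original slides) covering both the Feistel slides and the double DES attack: a toy Feistel cipher shows that decryption works with a non-invertible F and that F = 0 protects nothing, and the table-lookup attack then recovers (K1, K2) from double encryption in about twice the work of one key search. The 32-bit cipher, its SHA-256-based round function, the 12-bit key size and the sample keys are assumptions made so the whole key space can be enumerated; it uses two known (P, C) pairs where the slide speaks of one chosen P.

```python
# Added example: toy Feistel cipher and the meet-in-the-middle attack on
# double encryption. Cipher, key size and keys are constructed for the demo.
import hashlib

ROUNDS = 4
KEY_BITS = 12                        # small enough to enumerate every key
KEYSPACE = 1 << KEY_BITS


def F(r, key, i):
    """Round function: any function works, it need not be invertible."""
    data = bytes([i]) + key.to_bytes(2, "big") + r.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def zero_F(r, key, i):
    """The insecure choice from the slide: F = 0 for every input."""
    return 0


def encrypt(block, key, f=F):
    """32-bit block: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i)."""
    L, R = block >> 16, block & 0xFFFF
    for i in range(1, ROUNDS + 1):
        L, R = R, L ^ f(R, key, i)
    return (L << 16) | R


def decrypt(block, key, f=F):
    """Same F, rounds reversed: R_{i-1} = L_i, L_{i-1} = R_i xor F(L_i, K_i)."""
    L, R = block >> 16, block & 0xFFFF
    for i in range(ROUNDS, 0, -1):
        L, R = R ^ f(L, key, i), L
    return (L << 16) | R


def double_encrypt(p, k1, k2):
    return encrypt(encrypt(p, k1), k2)


def meet_in_the_middle(pairs):
    """Find (K1, K2) with about 2 * 2^KEY_BITS cipher operations instead of
    the 2^(2 * KEY_BITS) that trying every key pair would need."""
    (p, c), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(KEYSPACE):               # table of E(P, K) for every K
        table.setdefault(encrypt(p, k1), []).append(k1)
    found = []
    for k2 in range(KEYSPACE):               # look up D(C, K2) in the table
        for k1 in table.get(decrypt(c, k2), []):
            # The remaining pairs weed out chance matches.
            if all(double_encrypt(q, k1, k2) == d for q, d in rest):
                found.append((k1, k2))
    return found


K1, K2 = 0xA5C, 0x3E7                         # constructed secret keys
PAIRS = [(p, double_encrypt(p, K1, K2)) for p in (0x12345678, 0x0BADF00D)]

if __name__ == "__main__":
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])
    print("F = 0 leaves the block unchanged:",
          hex(encrypt(0x12345678, K1, zero_F)))
```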

Triple DES
 Logical approach to triple DES

 But practically, Triple DES is
 C = E(D(E(P,K1),K2),K1)
 P = D(E(D(C,K1),K2),K1)
 (112 bit key)

Triple DES
 Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys? (Why not EEE and not 3 keys?)
 Backward compatible with single DES: if K1 = K2 = K then E(D(E(P,K),K),K) = E(P,K)
 And 112 bits is enough
 3DES is popular today, but with the coming of the AES, 3DES should fade from use over time
Advanced Encryption STD

AES History
 Need for a replacement for DES
 DES had outlived its usefulness
 Attacked by exhaustive key search: special-purpose DES crackers and distributed attacks over the Internet
 3DES is very resistant to cryptanalysis, but
 No efficient software code
 Too slow: 3 times as many rounds as DES
 3DES uses a 64-bit block size: for reasons of both efficiency and security, a larger block size is desirable
 So, 3DES is not a solution for long-term use
 In 1997, NIST made a formal call for advanced encryption standard algorithms
AES History
 GOAL: replace DES for both government and private sector encryption
 ROC of AES
 Unclassified, publicly disclosed encryption algorithm, available royalty-free, worldwide
 The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits
 In 1998, NIST announced a group of 15 AES candidate algorithms

AES History
 Criteria for selecting AES:
 Security, Robustness, Speed
 In 1999, the selection was narrowed from 15 to 5 candidates:
 MARS, RC6, Rijndael, Serpent, and Twofish
 All five algorithms were thought to be secure
 On October 2, 2000, NIST selected Rijndael as the proposed AES
 Pronounced like “Rain Doll” or “Rhine Doll”
 Invented by Joan Daemen and Vincent Rijmen

AES Features
 Designed to be efficient in both
hardware and software across a variety
of platforms.
 Not a Feistel Network
 Iterated block cipher (like DES)
 Not a Feistel cipher (unlike DES)
 “Secure forever” – Shamir

AES Features
 Rijndael proposed
 a variable block size, 128,192, 256-bits,
 key size of 128-, 192-, or 256-bits.
 Variable number of rounds (10, 12, 14):
 10 if B = K = 128 bits
 12 if either B or K is 192 and the other is ≤ 192
 14 if either B or K is 256 bits
 But note: AES uses a 128-bit block size.

AES Overview
 Definition: State → 4×4 array of bytes
 128 bits = 16 bytes
 Variable number of rounds (10, 12, 14):
 10 if K is 128 bits
 12 if K is 192 bits
 14 if K is 256 bits
 128-bit round key used for each round:
 128 bits = 16 bytes = 4 words
 needs Nr+1 round keys for Nr rounds
 needs 44 words for 128-bit key (10 rounds)
AES Overview
 Each round uses 4 functions (in 3 “layers”)
 4 functions: 1 of permutation and 3 substitutions
 3 layers: Linear, Nonlinear and Key addition
 Permutation
 Linear mixing layer: ShiftRow (State)
 Substitutions
 Nonlinear layer: ByteSub (State, S-box)
 Nonlinear layer: MixColumn (State)
 Key addition layer: AddRoundKey (State, KeyNr)

AES: High-Level Description
 State: 4 × 4 array of bytes: 128 bits = 16 bytes

State = X
AddRoundKey(State, Key_0)           (op1)
for r = 1 to Nr - 1
    SubBytes(State, S-box)          (op2)
    ShiftRows(State)                (op3)
    MixColumns(State)               (op4)
    AddRoundKey(State, Key_r)
endfor
SubBytes(State, S-box)
ShiftRows(State)
AddRoundKey(State, Key_Nr)
Y = State

AES AddRoundKey

 XOR subkey with block: assume 128-bit block
 RoundKey (subkey) determined by key schedule algorithm
 We will ignore the AES key schedule
AES ByteSub
 Assume 128 bit block, i.e. 4ⅹ4 bytes

 ByteSub is AES’s “S-box”


 Can be viewed as nonlinear (but invertible)
composition of two math operations
AES ByteSub
 Byte substitution using a non-linear S-box (independently on each byte)
 S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal digits
 8 bits replaced as follows:
 8 bits define a hexadecimal number (r,c),
 then (sr,sc) = binary(Sbox(r, c))

AES “S-box”
 Example: hexa 53 is replaced with hexa ED
[Figure: AES S-box lookup table, indexed by the first 4 bits and the last 4 bits of the input]

AES ShiftRow
 Cyclic shift rows

AES MixColumn
 Nonlinear, invertible operation applied
to each column

 Implemented as a (big) lookup table


AES Decryption
 To decrypt, process must be invertible
 Inverse of AddRoundKey is easy, since ⊕ is its own inverse
 MixColumn is invertible (inverse is also implemented as a lookup table)
 Inverse of ShiftRow is easy (cyclic shift the other direction)
 ByteSub is invertible (inverse is also implemented as a lookup table)
AES Design Rationale
 Substitute Byte
 To be resistant to known cryptanalytic
attacks by making a low correlation between
input bits and output bits.
 Shift Row
 Note input and output are treated as
State(4X4 array)
 To move an individual byte from one column
to another

AES Design Rationale
 Mix Column
 To ensure good mixing of the bytes of each column
 Add Round Key
 To affect every bit of State
 The complexity of the round key expansion ensures security

A Few Other Block Ciphers

 Briefly…
 IDEA
 Blowfish
 RC6
 More detailed…
 TEA

IDEA
 International Data Encryption Alg
 Invented by Xuejia Lai (學嘉來) and James
Massey
 One of the giants of modern crypto
 Used in Pretty Good Privacy(PGP) V2.0
 Characteristics
 IDEA uses mixed-mode arithmetic
 IDEA the first to use this approach
 Frequently used today
 64-bit block, 128-bit key
 8 rounds, operates on 16-bit numbers

IDEA
mixed-mode arithmetic
 Bitwise eXclusive OR
 (denoted with a blue ⊕)
 Addition modulo 2^16
 (denoted with a green )
 Multiplication modulo 2^16 + 1, where the all-zero word (0x0000) is interpreted as 2^16
 (denoted by a red )

Blowfish
 Invented by Bruce Schneier
 Characteristics
 Block length: 64-bit blocks
 Key is variable length, up to 448 bits
 Fast
 Compact: can run in less than 5K of memory
 Simple: simple structure and easy to implement
 Variably secure: dependent on the key length
 Key-dependent S-boxes
 S-boxes determined by the key
Blowfish
 Almost a Feistel cipher
R_i = L_{i-1} ⊕ K_i
L_i = R_{i-1} ⊕ F(L_{i-1} ⊕ K_i)
 The round function F uses 4 S-boxes
 Each S-box maps 8 bits to 32 bits
 Key-dependent S-boxes
 S-boxes determined by the key
Where Pi: round key

RC6
 Invented by Ron Rivest
 Public key: RSA, Block cipher: RC6
 Stream cipher: RC4, Hash function: MD5,
 Characteristics
 Variables
 Block size, Key size, Number of rounds
 Very fast, Clean and simple design
 An AES finalist
 Uses data dependent rotations
 Unusual to rely on data as part of algorithm
Tiny Encryption Algorithm
 Invented by David Wheeler
 Characteristics
 64 bit block, 128 bit key
 Assumes 32-bit arithmetic
 Targeting 32-bit computer
 Operation based on modulo 2^32
 Number of rounds is variable
 32 is considered secure
 Uses “weak” round function, so a large number of rounds is required

Tiny Encryption Algorithm
 Trade off between complexity of each
round and no. of rounds
 DES: balance between these two. (16)
 AES: reduce the no. of rounds and more
complex round function (10,12,14)
 TEA: simple round function and large no.
of rounds
 32 is considered secure

TEA Encryption
Assuming 32 rounds:
(<<: L shift, >> R shift)
(K[0],K[1],K[2],K[3]) = 128 bit key
(L,R) = plaintext (64-bit block)
delta = 0x9e3779b9
sum = 0
for i = 1 to 32
    sum = sum + delta
    L = L + (((R<<4)+K[0]) ^ (R+sum) ^ ((R>>5)+K[1]))
    R = R + (((L<<4)+K[2]) ^ (L+sum) ^ ((L>>5)+K[3]))
next i
ciphertext = (L,R)

TEA Decryption
Assuming 32 rounds:
(K[0],K[1],K[2],K[3]) = 128 bit key
(L,R) = ciphertext (64-bit block)
delta = 0x9e3779b9
sum = delta << 5
for i = 1 to 32
    R = R - (((L<<4)+K[2]) ^ (L+sum) ^ ((L>>5)+K[3]))
    L = L - (((R<<4)+K[0]) ^ (R+sum) ^ ((R>>5)+K[1]))
    sum = sum - delta
next i
plaintext = (L,R)

TEA comments
 Almost a Feistel cipher
 Uses + and - instead of ⊕ (XOR)
 Need separate encryption and decryption routines
 Simple, easy to implement, fast, low memory requirement, etc.
 Possibly a related key attack
 If a cryptanalyst knows that two TEA messages are encrypted with keys that are related to each other in a special way, then the plaintext can be recovered

TEA comments
 eXtended TEA (XTEA) eliminates the related key attack (slightly more complex)
 Simplified TEA (STEA): insecure version used as an example for cryptanalysis

Block Cipher Modes

Symmetric cipher encryption
 Stream cipher is easy:
 keystream is the same length as the plaintext and is XORed with it
 How to encrypt multiple blocks?
 A new key for each block?
 As bad as (or worse than) a one-time pad!
 Encrypt each block independently?
 Make encryption depend on previous block(s), i.e.,
“chain” the blocks together?
 How to handle partial blocks?

Modes of Operation
 There are many ways (modes of operation) to encrypt multiple blocks with a block cipher; we discuss three
 Electronic Codebook (ECB) mode
 Obvious thing to do
 Encrypt each block independently
 There is a serious weakness
 Cipher Block Chaining (CBC) mode
 Chain the blocks together
 More secure than ECB, virtually no extra work
 Counter (CTR) mode
 Acts like a stream cipher
 Popular for random access

ECB(Electronic Codebook) Mode
 Notation: C=E(P,K)
 Given plaintext P0, P1, …, Pm, …
 Obvious way to use a block cipher is
Encrypt                 Decrypt
C0 = E(P0, K),          P0 = D(C0, K),
C1 = E(P1, K),          P1 = D(C1, K),
C2 = E(P2, K),…         P2 = D(C2, K),…
 For a fixed key K, this is an electronic version
of a codebook cipher
 A new codebook for each key
ECB Cut and Paste Attack
 Suppose plaintext is
Alice digs Bob. Trudy digs Tom.
 Assuming 64-bit blocks and 8-bit ASCII:
P0 = “Alice di”, P1 = “gs Bob. ”,
P2 = “Trudy di”, P3 = “gs Tom. ”
 Ciphertext: C0, C1, C2, C3
 Trudy cuts and pastes: C0, C3, C2, C1
 Decrypts as
Alice digs Tom. Trudy digs Bob.

ECB Weakness
 Suppose Pi = Pj
 Then Ci = Cj and Trudy knows Pi = Pj
 This gives Trudy some information, even
if she does not know Pi or Pj
 We should not give the cryptanalyst anything
for free.
 Trudy might know Pi
 Is this a serious issue? -> Next slide

Alice Hates ECB Mode
 Alice’s uncompressed image, Alice ECB encrypted
(TEA)

 Why does this happen?


 Same plaintext block → same ciphertext!
 Solution??? -> Next slide

Cipher Block Chaining Mode
 Blocks are “chained” together
 A random initialization vector, or IV, is
required to initialize CBC mode
 IV is random, but need not be secret
Encryption                  Decryption
C0 = E(IV ⊕ P0, K),         P0 = IV ⊕ D(C0, K),
C1 = E(C0 ⊕ P1, K),         P1 = C0 ⊕ D(C1, K),
C2 = E(C1 ⊕ P2, K),…        P2 = C1 ⊕ D(C2, K),…

Cipher Block Chaining Mode

 Main drawbacks
 encryption is sequential (i.e., it cannot be parallelized),
 the message must be padded to a multiple of the cipher block size.

CBC Mode
 Identical plaintext blocks yield different
ciphertext blocks
 Cut and paste is still possible, but more
complex (and will cause garbles)
 If C1 is garbled to, say, G then
P1 ≠ C0 ⊕ D(G, K), P2 ≠ G ⊕ D(C2, K)
 But P3 = C2 ⊕ D(C3, K), P4 = C3 ⊕ D(C4, K),…
 Automatically recovers from errors!

Alice Likes CBC Mode
 Alice’s uncompressed image, Alice CBC
encrypted (TEA)

 Why does this happen?


 Same plaintext yields different ciphertext!
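
Added example, not from the original slides: TEA as given in the pseudocode earlier, run in ECB and CBC mode over the slide's plaintext to reproduce the cut-and-paste result and the CBC error recovery. The key, the fixed IV (fixed only so the output is repeatable) and the big-endian block packing are assumptions.

```python
# Added example: TEA (from the slide pseudocode) run in ECB and CBC mode.
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
KEY = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)   # constructed key
IV = bytes.fromhex("0011223344556677")  # constructed; use a random IV per message
PT = b"Alice digs Bob. Trudy digs Tom. "  # slide plaintext, four 8-byte blocks

def tea_encrypt(block, k):
    L, R = struct.unpack(">II", block)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        L = (L + (((R << 4) + k[0]) ^ (R + s) ^ ((R >> 5) + k[1]))) & MASK
        R = (R + (((L << 4) + k[2]) ^ (L + s) ^ ((L >> 5) + k[3]))) & MASK
    return struct.pack(">II", L, R)

def tea_decrypt(block, k):
    L, R = struct.unpack(">II", block)
    s = (DELTA << 5) & MASK
    for _ in range(32):
        R = (R - (((L << 4) + k[2]) ^ (L + s) ^ ((L >> 5) + k[3]))) & MASK
        L = (L - (((R << 4) + k[0]) ^ (R + s) ^ ((R >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">II", L, R)

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(pt, k):
    return [tea_encrypt(p, k) for p in blocks(pt)]

def ecb_decrypt(ct, k):
    return b"".join(tea_decrypt(c, k) for c in ct)

def cbc_encrypt(pt, k, iv):
    ct, prev = [], iv
    for p in blocks(pt):
        prev = tea_encrypt(xor(prev, p), k)      # C_i = E(C_{i-1} xor P_i, K)
        ct.append(prev)
    return ct

def cbc_decrypt(ct, k, iv):
    pt, prev = [], iv
    for c in ct:
        pt.append(xor(prev, tea_decrypt(c, k)))  # P_i = C_{i-1} xor D(C_i, K)
        prev = c
    return b"".join(pt)

def reorder(ct):
    """The slide's cut and paste: C0, C3, C2, C1."""
    return [ct[0], ct[3], ct[2], ct[1]]

def ecb_cut_and_paste():
    return ecb_decrypt(reorder(ecb_encrypt(PT, KEY)), KEY)

def cbc_cut_and_paste():
    return cbc_decrypt(reorder(cbc_encrypt(PT, KEY, IV)), KEY, IV)

def cbc_garbled_c1():
    ct = cbc_encrypt(PT, KEY, IV)
    ct[1] = xor(ct[1], b"\x01" + bytes(7))       # C1 damaged in transit
    return blocks(cbc_decrypt(ct, KEY, IV))

if __name__ == "__main__":
    print(ecb_cut_and_paste())    # reads as a valid, different message
    print(cbc_cut_and_paste())    # only the first block survives
    print(cbc_garbled_c1())       # P1 and P2 damaged; P0 and P3 recover
```

Neither mode detects the change by itself; that is the job of the MAC listed under data integrity at the start of the chapter.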

Counter (CTR) Mode
 CTR is popular for random access
 Use block cipher like stream cipher
Encryption                   Decryption
C0 = P0 ⊕ E(IV, K),          P0 = C0 ⊕ E(IV, K),
C1 = P1 ⊕ E(IV+1, K),        P1 = C1 ⊕ E(IV+1, K),
C2 = P2 ⊕ E(IV+2, K),…       P2 = C2 ⊕ E(IV+2, K),…
 EBC can also be used for random access!!!
