- 87 Views
- Uploaded on
- Presentation posted in: General

CIS 5371 Cryptography

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

CIS 5371 Cryptography

5a. Pseudorandom Objects in Practice

Block Ciphers

Based on: Jonathan Katz and Yehuda LindellIntroduction to Modern Cryptography

- Block ciphers should be viewed as pseudorandom permutations and not as encryption schemes.
- Block ciphers should be viewed as basic building blocks for symmetric key applications as not just as encryption schemes themselves.

- Although we consider block ciphers as pseudorandom permutations, practical constructions of block ciphers do not quite meet the definition.
- Practical block ciphers are defined for one (or a few) key and block lengths.
- This is in contrast to Definition 3.28 that refers to all possible key and block lengths.

- A block cipher is that it should behave like a random permutation.
- However, for a block cipher with input and output length of bits, the size of the table needed for holding the random permutation is roughly .
- Thus, we need to somehow construct a concise function that behaves like a random function

- A substitution-permutationnetwork is a direct implementation of this paradigm.
- The substitution component refers to small random functions, called S-boxes and the permutation component refers to the mixing of the outputs of the random functions.
- The permutation involves the reordering of the output bits and are called mixing permutations.

- The secret key
- One possibility is to have the key specify the S-boxes and mixing permutations.
- Another possibility is to mix the key into the computation in between each round of substitution-permutation. This option is commonly used.

- The basic idea is to break the input up into small parts and then feed these parts through different S-boxes (random permutations).
- Theoutputs are then mixed together
- The process is repeated a given number of times, called a rounds.
- The S-boxes introduce confusioninto the construction.
- In order to spread the confusion throughout, the results are mixed together, achieving diffusion.

- An important property in any block cipher is that small changes to the input must result in large changes to the output.
- To ensure this, block ciphers are designed so that small changes in the input propagate quickly to very large changes in the intermediate values.

It is easy to demonstrate that the avalanche effect holds in a substitution-permutation network, when the following hold:

The S-boxes are designed so that any change of at least a single bit to the input to an S-box results in a change of at least two bits in the output.

The mixing permutations are designed so that the output bits of any given S-box are spread into different S-boxes in the next round.

- A Feistel network is an alternative way of constructing a block cipher.
- The low-level building blocks (S-boxes, mixing permutations and key schedule) are the same.
- The difference is in the high-level design.
- The advantage of Feistelnetworks over substitution permutation networks is that they enable the use of S-boxes that are not necessarily invertible.

- This is important because a good block cipher has chaotic behavior (it should look random).
- Requiring that all of the components of the construction be invertible inherently introduces structure, which contradicts the need for chaos.

- A Feistelnetwork is thus a way of constructing an invertible function from non-invertible components.
- This seems like a contradiction in terms---if you cannot invert the components, how can you invert the overall structure.
- Nevertheless, the Feisteldesign ingeniously overcomes this obstacle.

- For input , denote by and the first and second halves of respectively.
- Let and .
- For to (where is the number of rounds in the network):
- Let and , where denotes the -functionin the -thround of the network.
- Let and
- The output is .

.

mm

mmm

m

mm

mmm

m

mmm

mmm