Session 3: Secret key cryptography – block ciphers – part 2

1. Session 3: Secret key cryptography – block ciphers – part 2

2. KASUMI • The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms. • Within the security architecture of the UMTS system there are two standardised algorithms: • A confidentiality algorithm f8, and • an integrity algorithm f9. • Each of these algorithms is based on the KASUMI algorithm.

3. KASUMI • KASUMI is a Feistel cipher with 8 rounds. • It operates on a 64-bit data block and uses a 128-bit key. • Encryption: • The 64 bit input I is divided into two 32-bit strings L0 and R0, where I = L0 || R0 • Then for each integer iwith 1≤i≤8, we define • Ri= Li-1, Li= Ri-1fi(Li-1, RKi) • This constitutes the i-th round function of KASUMI, where fidenotes the round function with Li-1and round key RKias inputs. • The result OUTPUT is equal to the 64-bit string (L8 || R8)offered at the end of the 8-th round.

4. KASUMI The whole algorithm:

5. KASUMI The FO function:

6. KASUMI The FI function:

7. KASUMI The FL function

8. KASUMI • The f-function has a 32-bit input and a 32-bit output. • Each f-function of KASUMI is composed of two functions: • an FL-function and • An FO-function. • An FO-function is defined as a network that makes use of three applications of an Fl-function. • An Fl-function has a 16-bit input and a 16-bit output. • Each Fl-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7. • The functions S7 and S9 are also called "S-boxes of KASUMI".

9. KASUMI • In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI). • The Kl-key KIi,j splits into two halves KIi,j,1 and KIi,j,2.

10. KASUMI • Each f-function fi takes a 32-bit input and returns a 32-bit output O under the control of a round key RKi, where the round key comprises the triplet (KLi, KOi, KIi). • The f-function fi itself is constructed from two subfunctions: an FL-function FLi and an FO-function FOi with associated subkeys KLi (used with FLi) and subkeys KOi and KIi (used with FOi).

11. KASUMI • The f-function fi has two different forms depending on whether it is an even round or an odd round. • For odd rounds i=1, 3, 5 and 7, the f-function is defined as: • fi(i,RKi) = FOi(FLi(I,KLi),KOi,KLi) • For even rounds, i=2, 4, 6 and 8, the f-function is defined as: • fi(i,RKi) =FLi(FOi(I,KOi,KIi),KLi)

12. KASUMI • FL functions: • The input to the function FLi comprises a 32-bit data input I and a 32-bit subkey KLi. • The subkey is split into two 16-bit subkeys, KLi,1 and KLi,2, where: • KLi = KLi,1 ll KLi,2

13. KASUMI • The input data l is split into two 16-bit halves, L and R, where l=L||R. • The FL functions make use of the following simple operations: • ROL(D) the left circular rotation of a data block D by-one bit. • D1D2 the bitwise OR operation of two data blocks D1 and D2. • D1D2 the bitwise AND operation of two data blocks D1 and D2.

14. KASUMI • Then the 32-bit output value of the FL-function is defined as L’ ll R’, where: • L’=L  ROL(R’KLi,2) • R’=R ROL(LKLi,1)

15. KASUMI • FO functions: • The input to function FOi comprises a 32-bit data input I and two sets of subkeys: • A 48-bit KOi and • 48-bit KIi. • The 32-bit data input is split into two halves, L0 and R0, where I= L0 ll R0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where: • KOi=KOi,1 ll KOi,2 ll KOi,3 and • KIi=KIi,1 ll KIi,2 ll KIi,3

16. KASUMI • For each integer j with 1≤j≤3 the operation of the jth round of the function FOi is defined as: • Rj=FIi,j(Lj-1 KOi,j,KIi,j)  Rj-1 • Lj=Rj-1 • Output from the FOi function is defined as the 32-bit data block L3 ll R3.

17. KASUMI • FI functions: • An Fl-function FIi,j takes a 16-bit data input I and a 16-bit subkey KIi,j. • The input I is split into two unequal components, a 9-bit left half L0 and a 7-bit right half R0, where I=L0 ll R0. • Similarly, the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component Kli,j,2, where KIi,j= KIi,j,1 ll KIi,j,2.

18. KASUMI • Each Fl-function FIi,j uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output. • Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards 2 MSB of a 9-bit string).

19. KASUMI • The function FIi,j is defined by the following series of operations: • L1= R0R1=S9[L0]ZE(R0) • L2=R1KIi,j,2R2=S7[L1]TR(R1)KIi,j,1 • L3=R2 R3=S9[L2]ZE(R2) • L4 =S7[L3]TR(R3) R4=R3 • The output of the FIi,j function is the 16-bit data block L4 ll R4.

20. KASUMI • The S-boxes S7 and S9 are obtained as linear transforms of power functions over the corresponding fields, with Kasami’s exponents. • The key schedule of KASUMI contains linear transforms and is rather simple. • That was a consequence of performance requirements.

21. Rijndael - AES • In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES and be implemented everywhere, from operating systems, browsers to banking applications. • Designed for key lengths of 128, 192 and 256 bits.

22. Rijndael - AES • Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key. • We consider a 128 bit version, for simplicity. • Each round has a round key, derived from the original key. • There is also a 0th round key, which is the original key. • A round starts with an input of 128 bits and produces an output of 128 bits.

23. Rijndael - AES • There are four basic steps, called layers, that are used to form the rounds: • The ByteSub Transformation (BS): This non-linear layer is for resistance to differential and linear cryptanalysis attacks. • The ShiftRow Transformation (SR): This linear mixing step causes diffusion of the bits over multiple rounds. • The MixColumn Transformation (MC): This layer has a purpose similar to ShiftRow. • AddRoundKey (ARK): The round key is XoRed with the result of the above layer.

24. Rijndael - AES

25. Rijndael - AES • Rijndael encryption: • ARK, using the 0th round key. • Nine rounds of BS, SR, MC, ARK using round keys 1 to 9. • A final round: BS, SR, ARK, using the 10th round key. • The final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn. • The 128-bit output is the ciphertext block.

26. Rijndael - AES

27. Rijndael - AES • The 128 input bits are grouped into 16 bytes of 8 bits each • a00, a10, a20, a30, a01, a11, …, a33. • These are arranged into a 4x4 byte matrix:

28. Rijndael - AES • The operations that are performed in the field GF(28) use the following generating polynomial (Rijndael polynomial): • f(X)=1+X+X3+X4+X8 • Each byte, except the zero byte has a multiplicative inverse in GF(28).

29. Rijndael - AES • The ByteSub transformation: • In this step, each of the bytes in the matrix is changed to another byte by means of the S-box. • If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15). • This entry, when converted to binary, is the output.

30. Rijndael - AES • The output of ByteSub is again a 4x4 matrix of bytes

31. Rijndael - AES • The ShiftRow Transformation: • The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain

32. Rijndael - AES • The MixColumn Transformation • Regard a byte as an element of GF(28). • Then the output of the ShiftRow step is a 4x4 matrix [ci,j] with entries in GF(28). • We multiply from the left the matrix [ci,j] by a special matrix, whose entries are the elements of GF(28), to produce the output [di,j].

33. Rijndael - AES

34. Rijndael - AES • The RoundKey Addition • The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [ki,j] of bytes. • This is XORed with the output of the MixColumn step.

35. Rijndael - AES

36. Rijndael - AES • The key schedule: • The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes. • This matrix is expanded by adjoining 40 more columns, as follows. • Label the first four columns W(0), W(1), W(2), W(3). • The new columns are generated recursively.

37. Rijndael - AES • Suppose columns up through W(i-1) have been defined. • If i is not a multiple of 4, then • W(i)=W(i-4)W(i-1) • If i is a multiple of 4, then • W(i)=W(i-4)T(W(i-1))

38. Rijndael - AES • T(W(i-1)) is the transformation of W(i-1) obtained as follows: • Let the elements of the column W(i-1) be a, b,c,d. • Shift these cyclically to obtain b,c,d,a. • Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e,f,g,h. • Finally, compute the round constant • r(i)=00000010(i-1)/4 • in GF(28).

39. Rijndael - AES • Then T(W(i - 1)) is the column vector • (er(i),f,g,h) . • In this way columns W(4), ..., W(43) are generated from the initial four columns. • The round key for the ith round consists of the columns • W(4i), W(4i+1), W(4i+2), W(4i+3).

40. Rijndael - AES • The S-box was obtained on the basis of the multiplicative inverse of input. • The only exception is S(0)=0, since 0 has no multiplicative inverse.

41. Rijndael - AES • Decryption: • Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible: • The inverse of ByteSub is another lookup table, called InvByteSub. • The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvByteSub.

42. Rijndael - AES • The inverse of MixColumn exists because the 4x4 matrix used in MixColumn is invertible. • The transformation InvMixColumn is given by multiplication by the matrix

43. Rijndael - AES • AddRoundKey is its own inverse. • The decryption process: • ARK, using the 10th round key. • Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1. • A final round: IBS, ISR, ARK, using the 0th round key. • The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES and several other algorithms.

44. Modes of operation • Block ciphers operate over highly reduced information sets. • They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc. • But they are totally inadequate for enciphering great quantities of data, such as very formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily.

45. Modes of operation • By convention, the direct use of a block cipher is called Electronic Codebook Mode (ECB). • Other modes of operation of block ciphers are: • Cipher Block Chaining mode, CBC. • Cipher Feedback mode, CFB. • Output Feedback mode, OFB. • Counter mode, CTR.

46. Modes of operation • It is supposed that the block length is n. • In the following illustrations of modes of operation, DES is used as an example. • However, any block cipher can be used instead of DES.

47. Modes of operation • Cipher block chaining: • An n bit shift register is loaded with a random initial vector (IV), which is not kept secret. • In such a way, the block cipher is converted into a stream cipher, by changing IV equal messages can be enciphered in different ways, error propagation is limited and the size of the key space is not changed.

48. Modes of operation

49. Modes of operation • Cipher feedback mode • An n bit shift register is loaded with a random initial vector (IV) that is not kept secret. • The plaintext is divided into blocks of m bits. • The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n. • The shift register of n bits is shifted left m bits after each operation of block encipherment. • In this mode, the block cipher is converted into a stream cipher, equal messages can be enciphered in different ways by changing IV, error propagation is limited, the key space size is not changed, and the cipher is self-synchronising.

50. Modes of operation