Session 3

1 / 89

# Session 3 - PowerPoint PPT Presentation

Session 3. Symmetric ciphers 2 part 2. Triple DES. Ordinary DES is now considered obsolete Its key length is only 56 bits. With today’s technology, it is possible to recover the key by means of a ”brute force attack” (enumeration of all the possible keys). Solution: triple DES.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Session 3' - stasia

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Session 3

Symmetric ciphers 2

part 2

Triple DES
• Ordinary DES is now considered obsolete
• Its key length is only 56 bits.
• With today’s technology, it is possible to recover the key by means of a ”brute force attack” (enumeration of all the possible keys).
• Solution: triple DES.
Triple DES – mode 1 (EEE)
• The data are enciphered with the first key, then enciphered with the second key, and finally enciphered with the third key.
Triple DES – mode 2 (EDE)
• The data are enciphered with the first key, then deciphered with the second key, and finally enciphered again with the third key.
• Goal: compatibility with a single DES (set k1=k2=k3=k).
Triple DES - security
• Equivalent key length:
• Of Double DES – only 57 bits (so called Meet-in-the-middle attack is possible that reduces the size of the key from 112 to effective 57 bits).
• Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length.
Triple DES - security
• A variant of Triple DES (called 2-key Triple DES, or 2TDES), with k1=k3 is widely used in ATM devices.
• Due to certain chosen plaintext and known plaintext attacks on this scheme, its equivalent key length is 80 instead of 112 for the ordinary TDES.
KASUMI
• The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms.
• Within the security architecture of the UMTS system there are two standardised algorithms based on KASUMI:
• a confidentiality algorithm f8, and
• an integrity algorithm f9.
KASUMI
• KASUMI is a Feistel cipher with 8 rounds.
• It operates on a 64-bit data block and uses a 128-bit key.
• Encipherment (1):
• The 64 bit input Iis divided into two 32-bit strings L0and R0, where I = L0|| R0
• Then for each integer iwith 1≤i ≤8, we define
• Ri= Li-1, Li= Ri-1fi(Li-1, RKi)
KASUMI
• Encipherment (2):
• This constitutes the i-th round function of KASUMI, where fidenotes the round function with Li-1and round key RKias inputs.
• The result OUTPUT is equal to the 64-bit string (L8|| R8)offered at the end of the 8-th round.
KASUMI

The whole algorithm:

KASUMI

The FO function:

KASUMI

The FI function:

KASUMI

The FL function

KASUMI
• The f-function has a 32-bit input and a 32-bit output.
• Each f-function of KASUMI is composed of two functions:
• an FL-function and
• An FO-function.
• An FO-function is defined as a network that makes use of three applications of an Fl-function.
KASUMI
• An Fl-function has a 16-bit input and a 16-bit output.
• Each Fl-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7.
• The functions S7 and S9 are also called "S-boxes of KASUMI".
KASUMI
• In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI).
• The Kl-key KIi,j splits into two halves KIi,j,1 and KIi,j,2.
KASUMI
• Each f-function fi takes a 32-bit input and returns a 32-bit output O under the control of a round key RKi, where the round key comprises the triplet (KLi, KOi, KIi).
KASUMI
• The f-function fi itself is constructed from two subfunctions: an FL-function FLi and an FO-function FOi with associated subkeys KLi (used with FLi) and subkeys KOi and KIi (used with FOi).
KASUMI
• The f-function fi has two different forms depending on whether it is an even round or an odd round.
• For odd rounds i=1, 3, 5 and 7, the f-function is defined as:

fi(i,RKi) = FOi(FLi(I,KLi),KOi,KLi)

• For even rounds, i=2, 4, 6 and 8, the f-function is defined as:

fi(i,RKi) =FLi(FOi(I,KOi,KIi),KLi)

KASUMI
• FL functions (1)
• The input to the function FLi comprises a 32-bit data input I and a 32-bit subkeyKLi.
• The subkey is split into two 16-bit subkeys, KLi,1 and KLi,2, where:

KLi= KLi,1llKLi,2

• The input data l is split into two 16-bit halves, L and R, where l =L||R.
KASUMI
• FL functions (2)
• The FL functions make use of the following simple operations:
• ROL(D ) the left circular rotation of a data block D by-one bit.
• D1D2 the bitwise OR operation of two data blocks D1 and D2.
• D1D2 the bitwise AND operation of two data blocks D1 and D2.
KASUMI
• FL functions (3)
• Then the 32-bit output value of the FL function is defined as L’ llR ’, where:

L’=L  ROL(R ’KLi,2)

R ’=R ROL(LKLi,1)

KASUMI
• FO functions (1)
• The input to the function FOi comprises a 32-bit data input I and two sets of subkeys:
• a 48-bit KOi and
• a 48-bit KIi.
KASUMI
• FO functions (2)
• The 32-bit data input is split into two halves, L0 and R0, where I = L0llR0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where:

KOi=KOi,1ll KOi,2ll KOi,3 and

KIi=KIi,1ll KIi,2ll KIi,3

KASUMI
• FO functions (3)
• For each integer j with 1≤j ≤3 the operation of the j thround of the function FOi is defined as:

Rj=FIi,j(Lj-1KOi,j,KIi,j) Rj-1

Lj=Rj-1

• Output from the FOi function is defined as the 32-bit data block L3llR3.
KASUMI
• FI functions (1)
• An Fl-function FIi,j takes a 16-bit data input I and a 16-bit subkeyKIi,j.
• The input I is split into two unequal components, a 9-bit left half L0 and a 7-bit right half R0, where I =L0llR0.
• Similarly, the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component Kli,j,2, where KIi,j= KIi,j,1ll KIi,j,2.
KASUMI
• FI functions (2)
• Each Fl-function FIi,j uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output.
• Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards 2 MSB of a 9-bit string).
KASUMI
• FI functions (3)
• The function FIi,j is defined by the following series of operations:

L1= R0R1=S9[L0]ZE(R0)

L2=R1KIi,j,2R2=S7[L1]TR(R1)KIi,j,1

L3=R2R3=S9[L2]ZE(R2)

L4=S7[L3]TR(R3)R4=R3

• The output of the FIi,j function is the 16-bit data block L4llR4.
KASUMI
• FI functions (4)
• The key schedule of KASUMI contains linear transforms and is rather simple.
• That was a consequence of performance requirements.
Rijndael - AES
• In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES.
• Rijndael was designed for block and key lengths of 128, 192 and 256 bits.
• AES supports only the 128 bit version.
Rijndael - AES
• Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key.
• We consider a 128 bit version, i.e. the AES.
Rijndael - AES
• Each round has a round key, derived from the original key.
• There is also a 0th round key, which is the original key.
• A round starts with an input of 128 bits and produces an output of 128 bits.
Rijndael - AES
• There are four basic steps, called layers, that are used to form the rounds:
• The ByteSub Transformation (BS)
• This non-linear layer is for resistance to differential and linear cryptanalysis attacks.
Rijndael - AES
• The ShiftRow Transformation (SR)
• This linear mixing step causes diffusion of the bits over multiple rounds.
• The MixColumn Transformation (MC)
• This layer has a purpose similar to ShiftRow.
• The round key is XoRed with the result of the above layer.
Rijndael - AES

One roundof AES

Rijndael - AES
• AES encipherment:
• ARK, using the 0th round key.
• Nine rounds of BS, SR, MC, ARK using round keys 1 to 9.
• A final round: BS, SR, ARK, using the 10th round key (i.e. the final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn).
• The 128-bit output is the ciphertext block.
Rijndael - AES
• The 128 input bits are grouped into 16 bytes of 8 bits each

a00, a10, a20, a30, a01, a11, …, a33.

• These are arranged into a 4x4 byte matrix:
Rijndael - AES
• The operations that are performed in the field GF(28) use the following generating polynomial (Rijndael polynomial):

f (X )=1+X+X 3+X 4+X 8

• Each byte, except the zero byte has a multiplicative inverse in GF(28).
Rijndael - AES
• The ByteSub transformation:
• In this step, each of the bytes in the matrix is changed to another byte by means of the S-box.
• If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15).
• This entry, when converted to binary, is the output.
Rijndael - AES
• The output of ByteSub is again a 4x4 matrix of bytes
Rijndael - AES
• The ShiftRow Transformation:
• The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain
Rijndael - AES
• The MixColumn Transformation
• Regard a byte as an element of GF(28).
• Then the output of the ShiftRow step is a 4x4 matrix [ci,j] with entries in GF(28).
• We multiply from the left the matrix [ci,j] by a special matrix, whose entries are the elements of GF(28), to produce the output [di,j].
Rijndael - AES
• The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [ki,j] of bytes.
• This is XORed with the output of the MixColumn step.
Rijndael - AES
• The key schedule (1)
• The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes.
• This matrix is expanded by adjoining 40 more columns, as follows.
• Label the first four columns W(0), W(1), W(2), W(3).
• The new columns are generated recursively.
Rijndael - AES
• The key schedule (2)
• Suppose columns up through W(i-1) have been defined.
• If i is not a multiple of 4, then
• W(i)=W(i-4)W(i-1)
• If i is a multiple of 4, then
• W(i)=W(i-4)T(W(i-1))
Rijndael - AES
• The key schedule (3)
• T(W(i-1)) is the transformation of W(i-1) obtained as follows (1)
• Let the elements of the column W(i-1) be a, b, c, d.
• Shift these cyclically to obtain b, c, d, a.
• Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e, f, g, h.
Rijndael - AES
• The key schedule (4)
• T(W(i-1)) is the transformation of W(i-1) obtained as follows (2)
• Finally, compute the round constant

r(i)=00000010(i-1)/4

in GF(28).

• Then T(W(i - 1)) is the column vector

(e r(i),f,g,h) .

Rijndael - AES
• The key schedule (5)
• In this way columns W(4), ..., W(43) are generated from the initial four columns.
• The round key for the ithround consists of the columns

W(4i ), W(4i +1), W(4i +2), W(4i +3).

Rijndael - AES
• The S-box was obtained on the basis of the multiplicative inverse of input in GF(28).
• The only exception is S(0)=0, since 0 has no multiplicative inverse.
Rijndael - AES
• Deciphering (1)
• Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:
• The inverse of ByteSub is another lookup table, called InvByteSub.
• The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvByteSub.
Rijndael - AES
• Deciphering (2)
• Since the 4x4 matrix used in MixColumn is invertible, the inverse of MixColumn exists.
• The transformation InvMixColumn is multiplication by the matrix
Rijndael - AES
• Deciphering (3)
• AddRoundKey is its own inverse.
• The deciphering process:
• ARK, using the 10th round key.
• Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.
• A final round: IBS, ISR, ARK, using the 0th round key.
Rijndael - AES
• Deciphering (4)
• The fact that enciphering and deciphering are not identical processes leads to the expectation that there are no so called “weak keys”, in contrast to DES and several other algorithms.
Modes of operation of block ciphers
• Block ciphers operate over highly reduced information sets.
• They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc.
Modes of operation of block ciphers
• Block ciphers are totally inadequate for enciphering great quantities of data, such as very formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily.
Modes of operation of block ciphers
• By convention, the direct use of a block cipher is called Electronic Codebook Mode (ECB).
• Other modes of operation:
• Cipher Block Chaining mode, CBC.
• Cipher Feedback mode, CFB.
• Output Feedback mode, OFB.
• Counter mode, CTR.
Modes of operation of block ciphers
• It is supposed that the block length is n.
• In the following illustrations of modes of operation, DES is used as an example.
• However, any block cipher can be used instead of DES.
Modes of operation of block ciphers
• Cipher block chaining
• An n bit shift register is loaded with a random initial vector (IV), which is not kept secret.
• In such a way, the output of the block cipher depends not only on the current input, but also on all the previous inputs.
Modes of operation of block ciphers
• Cipher feedback mode (1)
• An n bit shift register is loaded with a random initial vector (IV) that is not kept secret, but it must be unique to every message to be enciphered.
• The plaintext is divided into blocks of m bits.
Modes of operation of block ciphers
• Cipher feedback mode (2)
• The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n.
• The shift register of n bits is shifted left m bits after each operation of block encipherment.
• In this mode, the block cipher is converted into a stream cipher.
• Such a cipher is self-synchronizing, i.e. error propagation is limited.
Modes of operation of block ciphers
• Cipher feedback mode (3)
• Unlike the CBC mode, both encipherment and the decipherment side use the block cipher that performs enciphering.
• This enables use of any keyed function instead of the block cipher, e.g. a hash function.
Modes of operation of block ciphers
• Output feedback mode (1)
• An n bit shift register is loaded with an initial vector (IV) that is not kept secret but it must be unique to every message to be enciphered.
• The plaintext is divided into m bit blocks.
• The sum modulo 2 is performed, bit by bit, over blocks, whose length can vary between 1 and n.
Modes of operation of block ciphers
• Output feedback mode (2)
• The shift register shifts left m bits after each block encipherment.
• In this mode, the block cipher is also converted into a stream cipher.
• But unlike CFB, this cipher is NOT self-synchronising.
Modes of operation of block ciphers
• Output feedback mode (3)
• The encipherment and the decipherment side in the OFB mode are exactly the same (they use a block cipher that performs enciphering, the same as in the CFB mode).
• Therefore, any keyed function may be used instead of the block cipher, e.g. a hash function.
Modes of operation of block ciphers
• Counter mode (1)
• Counter mode creates an output key stream that is XoRed with blocks of plaintext to produce ciphertext.
• The output stream in CTR is not linked to previous output streams.
Modes of operation of block ciphers
• Counter mode (2)
• CTR starts with the plaintext divided into m-bit blocks, P = [P1, P2, ...].
• m can vary between 1 and n.
• We begin with an initial value X1, which has a length equal to the block length nof the cipher, e.g. 64 bits.
Modes of operation of block ciphers
• Counter mode (3)
• X1is enciphered using the key K to produce nbits of output, whose leftmost m-bits are extracted and XoRed with P1 to produce mbits of ciphertext, C1.
Modes of operation of block ciphers
• Counter mode (4)
• Rather than update the register X2 to contain the output of the block cipher, we simply take X2=X1+1.
• In this way, X2 does not depend on previous output.
• CTR then creates new output stream by enciphering X2.
Modes of operation of block ciphers
• Counter mode (5)
• In this mode, the block cipher is also converted into a stream cipher.
• This cipher is not self-synchronising.
• Both the enciphering and the deciphering side use the block cipher that performs enciphering.
• Enciphering/deciphering can be done in parallel for each state of the counter – very fast!
Security of block ciphers
• The decomposition of encipherment/decipherment into subprocesses provides the cryptanalyst the possibility for an attack.
• No practical block cipher is provably secure.
• Consequently, new design criteria are being discovered, often as a response to emerging novel attacks on block ciphers.
Security of block ciphers
• The development of theoretical knowledge about block ciphers:
• Typically, a block cipher design is proposed according to widely-accepted and well-founded rules.
• This forces the cryptanalysts to attempt to attack the cipher in a new way.
• These new attacks, if successful, lead in turn to the extending of the set of design criteria.
Security of block ciphers
• There exist accepted security models, which can be used for analyzing a block cipher. The most widely used ones are:
• Unconditional Security (Perfect Secrecy).
• Security Against a Polynomial Attack.
• “Provable” Security.
• Practical Security.
• Historical Security.
Security of block ciphers
• Unconditional Security (Shannon) (1)
• An adversary has unlimited computational resources.
• Secure encryption only exists if the size of the key is as large as the number of bits to be enciphered.
Security of block ciphers
• Unconditional Security (Shannon) (2)
• Perfect secrecy is possible only if no more than K /N plaintexts are enciphered using a fixed key (e.g. the one-time pad).
• Not a useful model for practical block ciphers.
Security of block ciphers
• Security Against a Polynomial Attack (1)
• It is assumed that the adversary is a probabilistic algorithm, which runs in polynomial time.
• Security is claimed with respect to the feasibility of breaking the cryptosystem.
• The origin of the model is in complexity theory considerations: adversaries are assumed to possess only polynomial computational resources - polynomial in the size of the input to the cipher in bits.
Security of block ciphers
• Security Against a Polynomial Attack (2)
• The model typically conducts worst-case and asymptotic analyses to determine whether polynomial attacks on a cipher exist.
• Even if such attacks do exist, it is not guaranteed that they are practical.
Security of block ciphers
• “Provable” Security (1)
• Tries to show that breaking a block cipher is as difficult as solving some well known hard problem (e.g. discrete log or factoring).
• The problem: there is a fundamental open question in computer science as to whether these hard problems are in P or in NP.
Security of block ciphers
• “Provable” Security (2)
• In fact, provable security requires a proof that P  NP, and the existence of one-way functions.
• This is an asymptotic complexity measure - one is assessing the level of complexity as the input size, in bits, tends to infinity.
• Very useful for practical analysis of the cipher.
Security of block ciphers
• “Provable” Security (3)
• A block cipher may be shown to be provably secure against a known subclass of attacks.
• Example: provable security against linear and differential cryptanalysis.
• This does not mean that the cipher is secure against all attacks.
Security of block ciphers
• Practical Security
• A block cipher is considered practically secure if the best known attack against it requires too much resources.
• A very practical model: it is possible to test the cipher with different known attacks, and then give an assessment of its strength against such attacks in terms of time/space resources needed.
• The model says nothing about the security level with respect to yet unknown attacks.
Security of block ciphers
• Historical Security
• Tries to assess the security level of a block cipher according to how much cryptanalytic attention the cipher has attracted over the years.
• If a cipher has been under scrutiny for many years without any serious security flaws found in it, that inspires a certain confidence in the cipher.
• Drawback: the effort spent on breaking a cipher cannot always be measured reliably from the time passed.