Introduction to Block Ciphers
Liam Keliher
Dept. Mathematics and Computer Science
Mount Allison University

Terminology
• Cryptography: Study of mathematical techniques to provide information security
• Cryptanalysis: Analysis of cryptographic methods, either to expose weaknesses or to prove strengths
• Cryptology: Cryptography + Cryptanalysis
• Primitive: Cryptographic building block – typically a mathematical function of some kind, e.g.,
   • hash function
   • digital signature scheme
   • block cipher

[Diagram labels: plaintext (p), encryption algorithm (key ke), ciphertext (c), attacker, decryption algorithm (key kd), plaintext (p)]
A block cipher is an encryption/decryption algorithm
► parameterized by a (master) key known only to communicating parties
► input (plaintext) / output (ciphertext) are n-bit strings (n = block size)

Most Block Ciphers are Product Ciphers
[Diagram labels: plaintext (p); Round 1, Round 2, Round 3, ..., Round R; master key k; subkeys k1, k2, k3, ..., kR; ciphertext (c)]

Feistel Network
[Diagram labels: two n/2-bit input halves, round function f with subkey kr, two n/2-bit output halves]
► Standard block cipher structure
► Consists of multiple rounds (simpler encryption steps)
► One round:
   • input is split in half
   • left input half is copied to right half of output
   • left input half forms input to round function, which depends on subkey for current round
   • round function output is XORed with right half of input to produce left half of output

SPN-Based Block Ciphers
Substitution-Permutation Network (SPN):
► Consists of multiple encryption rounds
► One round = three layers
   • Subkey mixing (XOR)
   • Substitution (s-boxes)
   • Linear transformation

Well-known Block Ciphers
• Data Encryption Standard (DES)
   • standardized by U.S. government in 1977
   • Feistel network with 64-bit block and 56-bit key
   • extensively cryptanalyzed (led to many new attacks)
• Advanced Encryption Standard (AES)
   • selected as winner of NIST competition in 2001
   • SPN structure with 128-bit block and 128/192/256-bit key
• Camellia
   • successor to Japanese AES candidate E2
   • Feistel network in which the round function is a mini SPN

Advanced Encryption Standard (AES)
• Originally called Rijndael (“Rhine-doll”) from names of designers, Vincent Rijmen and Joan Daemen
• Number of rounds is based on key size:
   • 128 bits → 10 rounds
   • 192 bits → 12 rounds
   • 256 bits → 14 rounds
• Widely adopted since 2001
   • arguably the most implemented block cipher today
   • used in Mount Allison’s wireless network

Camellia
• Block cipher introduced by NTT and Mitsubishi in August 2000
   • used in Sony PSP, WinZIP, OpenSSH, etc.
• Incorporated into numerous international standards (e.g., ISO/IEC, IETF)
• Considered competitive with the Advanced Encryption Standard (AES) for security and speed
• Based on variation of Feistel network design above

Camellia Specifics
• Block size: N = 128 bits
• Possible key sizes: 128, 192, 256 bits
• Number of rounds depends on key size: 128 → 18 rounds / 192 or 256 → 24 rounds
• Subkeys are same size as input block (128 bits)
• Round function:
[Diagram labels: subkey kr, eight s-boxes (S), 64-bit linear transformation]

Breakdown of Camellia Round Function
[Diagram legend]
• XOR operation (bitwise addition modulo 2)
• S: substitution box (s-box), an invertible mapping {0,1}^8 → {0,1}^8 [needs to be nonlinear]
• Linear transformation: fast way to combine s-box outputs

Differential Cryptanalysis (DC)
• Based on probability that a plaintext pair with a fixed XOR “difference” will produce an intermediate pair after (R-1) rounds with a fixed XOR difference
   • called differential probability (DP)
   • depends on (unknown) key, but average values can be used
• Given fixed input/output differences with high DP, and enough captured plaintext-ciphertext pairs, attack can extract some or all of the key
• DC was first successful attack on the Data Encryption Standard (an ancestor of Camellia)
• Discovered in 1990 by Biham and Shamir

[Diagram labels: input (plaintext) difference Δp; rounds 1 … (R-1); Δq; round R; Δc, output (ciphertext) difference]
View this as a big s-box:
► Want to find (Δx, Δy) such that DP(Δx, Δy) is maximized
► Reason: data complexity (number of p-c pairs required for successful attack) is proportional to inverse of this DP value
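
Added example (not part of the original slides): a toy 8-bit Feistel cipher built from the round described on the Feistel Network slide, with DP computed exhaustively by treating the whole cipher as one big s-box. The 4-bit halves, the s-box choice, the round function and the subkeys are assumptions for illustration, and DP is computed for one fixed key rather than averaged over keys.

```python
# First row of DES S-box S1, used here as a stand-alone 4-bit s-box (assumption).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SUBKEYS = [0x3, 0xA, 0x5, 0xC, 0x9, 0x6]  # constructed 4-bit sample subkeys

def f(half, subkey):
    """Toy round function: subkey mixing (XOR), then one s-box lookup."""
    return SBOX[half ^ subkey]

def encrypt(block, subkeys):
    """8-bit Feistel cipher using the round described on the slide."""
    left, right = block >> 4, block & 0xF
    for k in subkeys:
        # Left input half is copied to the right output half; the round
        # function output XOR the right input half becomes the left output half.
        left, right = right ^ f(left, k), left
    return (left << 4) | right

def decrypt(block, subkeys):
    """Undo the rounds in reverse subkey order; f itself is never inverted."""
    left, right = block >> 4, block & 0xF
    for k in reversed(subkeys):
        left, right = right, left ^ f(right, k)
    return (left << 4) | right

def ddt_row(dx, subkeys):
    """counts[dy] = number of plaintexts p with E(p) XOR E(p XOR dx) == dy."""
    counts = [0] * 256
    for p in range(256):
        counts[encrypt(p, subkeys) ^ encrypt(p ^ dx, subkeys)] += 1
    return counts

def max_dp(subkeys):
    """Best (dx, dy, DP) over nonzero dx, treating the cipher as one big s-box."""
    best = (0, 0, 0.0)
    for dx in range(1, 256):
        counts = ddt_row(dx, subkeys)
        dy = max(range(256), key=counts.__getitem__)
        if counts[dy] / 256 > best[2]:
            best = (dx, dy, counts[dy] / 256)
    return best

if __name__ == "__main__":
    for rounds in range(1, len(SUBKEYS) + 1):
        dx, dy, prob = max_dp(SUBKEYS[:rounds])
        # Data complexity is proportional to 1/DP, so 1/DP is shown as a rough scale.
        print(f"{rounds} rounds: DP({dx:#04x} -> {dy:#04x}) = {prob:.4f}, 1/DP = {1 / prob:.0f}")
```

With a single round, a difference confined to the right half passes through with DP = 1, which is why one Feistel round alone gives no protection against this analysis.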