Session 3

Session 3. Symmetric ciphers 2 part 1. Block ciphers - definition. Block cipher encipherment provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function.

haruki

Presentation Transcript


  1. Session 3 Symmetric ciphers 2 part 1

  2. Block ciphers - definition • Block cipher encipherment provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function. • The precise function implemented by the block cipher is determined by a secret key.

  3. Block ciphers - definition • The principal difference between a stream cipher and a block cipher: • A stream cipher contains memory, embodied in its current state. • A block cipher is memoryless outside its current block and therefore has no current state.

  4. Block ciphers - definition • Block ciphers operation: • A plaintext message is partitioned into a series of blocks. • These blocks are then enciphered one block at a time. • A block cipher can also be used as a component in a stream cipher, message authentication code (MAC), hash function, and a signature scheme.

  5. Block ciphers - definition • Block cipher encipherment is a form of symmetric-key encipherment. • Both transmitter and receiver of the ciphertext have knowledge of the secret key. • Example: the transposition cipher is essentially a block cipher.

  6. Block ciphers - definition • A block cipher is a vectorial Boolean function $E : \{0,1\}^K \times \{0,1\}^N \to \{0,1\}^N$ that takes two inputs: • a K-bit key k; • an N-bit plaintext P. • It returns an N-bit ciphertext C = E(k, P).

  7. Block ciphers - definition • For any block cipher, and any key k, the function $E_k$ is a permutation on $\{0,1\}^N$. • This means that it is a bijection - a one-to-one mapping of $\{0,1\}^N$ to $\{0,1\}^N$. • Since it is a bijection, it has an inverse, • Since E is invertible, decipherment is possible.

  8. Block ciphers - definition • Both the cipher and its inverse $E^{-1}$ should be easily computable: • Given k, P, we can compute E(k, P). • Given k, C, we can compute $E^{-1}(k, C)$. • The key k should be chosen uniformly at random.

  9. Block ciphers - design • The aim of the block cipher design is to make it practically impossible to retrieve the plaintext from the ciphertext without knowledge of the K-bit secret key.

  10. Block ciphers - design • Since decipherment is only possible if the encipherment function is invertible (i.e. if it is a bijection), the choice of possible N-bit block ciphers is restricted to one of $(2^N)!$ block ciphers.

  11. Block ciphers - design • Of all these $(2^N)!$ block ciphers, only $2^K$ are used, because of the parameterization by the key. • In practice, these $2^K$ block ciphers that are actually used constitute an infinitesimally small fraction of the $(2^N)!$ possible block ciphers.

  12. Example: N=3, K=2 (1) • A 3-bit block cipher with 2 bits of key. • There are $(2^N)! = 8! = 40320$ possible permutations, of which only $2^K = 2^2 = 4$ permutations are used.

  13. Example: N=3, K=2 (2) • Let these permutations be: • k=00, $p_0$=(4,6,1,8,5,7,3,2) • k=01, $p_1$=(5,2,7,1,8,6,4,3) • k=10, $p_2$=(8,6,2,1,3,4,5,7) • k=11, $p_3$=(3,8,6,2,4,7,5,1)

  14. Example: N=3, K=2 (3) • Let us choose k=00, which means: • k=00, $p_0$=(4,6,1,8,5,7,3,2) • or: • The corresponding block cipher, $E_k$:

  15. Example: N=3, K=2 (4) • The inverse permutation: • $p_0'$=(3,8,7,1,5,2,6,4) • or: • The corresponding inverse block cipher, $E_k^{-1}$:

  16. Example: N=3, K=2 (5) • Let us encipher X=101. • The corresponding address is 5. • $Y = E_k(X) = E_k(5) = 001$. • Deciphering: Y=001. • The corresponding address is 1. • $E_k^{-1}(Y) = E_k^{-1}(1) = 101 = X$.
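The N=3, K=2 example from slides 12 to 16 as lookup tables, written as an added example that is not part of the original presentation. It assumes the tuple notation lists, for each output position, the input position that lands there (the convention slide 46 uses for the DES tables), which is the reading that reproduces the slide's result for X=101; the helper `consistent_keys` is hypothetical and illustrates the known-plaintext requirement of slide 17.

```python
PERMS = {  # permutations from slide 13, indexed by the 2-bit key
    0b00: (4, 6, 1, 8, 5, 7, 3, 2),
    0b01: (5, 2, 7, 1, 8, 6, 4, 3),
    0b10: (8, 6, 2, 1, 3, 4, 5, 7),
    0b11: (3, 8, 6, 2, 4, 7, 5, 1),
}

def invert(p):
    """Inverse of a permutation written with 1-based entries."""
    inv = [0] * len(p)
    for pos, val in enumerate(p, start=1):
        inv[val - 1] = pos
    return tuple(inv)

def tables(key):
    """Return (E_k, E_k^-1) as lists indexed by the 0-based block address.

    Assumed convention: entry i of p names the input that is moved to
    output i, so enciphering is a lookup in the inverse of p.
    """
    p = PERMS[key]
    return [v - 1 for v in invert(p)], [v - 1 for v in p]

def encipher(key, block):
    return tables(key)[0][block]

def decipher(key, block):
    return tables(key)[1][block]

def consistent_keys(pairs):
    """Keys that agree with every known (plaintext, ciphertext) pair."""
    return [k for k in PERMS
            if all(encipher(k, x) == y for x, y in pairs)]

if __name__ == "__main__":
    y = encipher(0b00, 0b101)
    print(f"E_00(101) = {y:03b}; D_00({y:03b}) = {decipher(0b00, y):03b}")
    print("inverse of p0:", invert(PERMS[0b00]))
    # One known pair still fits two of the four keys; a second pair fits one.
    print(consistent_keys([(0b101, 0b001)]))
    print(consistent_keys([(0b101, 0b001), (0b000, 0b010)]))
```

With only four keyed permutations, two plaintext/ciphertext pairs already identify the key, which is why a practical cipher needs a far larger K and N.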

  17. Block ciphers - design • The problem of block cipher design: • determine which set of 2K block ciphers to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext; • given prior knowledge of a few plaintext/ciphertext pairs it should be impossible to say anything about the fixed key.

  18. Block ciphers - design • Any effective block cipher scheme must be realized efficiently in time and space, with as little implementation cost as possible. • The practical trade-off is to design a block cipher which is both sufficiently secure, and satisfactorily efficient in terms of hardware/software space and time resources.

  19. Block ciphers - design • A block cipher with a secret key is considered perfect if, for all plaintexts P and ciphertexts C, it holds that $\Pr(P \mid C) = \Pr(P)$. • If, for a fixed K-bit key, an N-bit block cipher is used to encipher $K/N$ plaintexts, then the cipher is the one-time pad.

  20. Block ciphers - design • In this special case, the encipherment is provably secure and the block cipher is perfect. • In most situations the one-time pad is impractical as far too many secret keys must be used.

  21. Block ciphers - design • Therefore it is highly desirable to securely encipher T plaintexts using the same, fixed K-bit secret key, where $T \gg K/N$. • Most modern block ciphers seek to maximize T while still achieving acceptable security.

  22. Block ciphers - design • This is achieved via a combination of: • confusion, which makes the relationship between the key and the ciphertext as complicated as possible, and • diffusion, which seeks to eliminate influence of any redundancy in the plaintext. Diffusion also makes it difficult for any attacker to partially approximate the cipher.

  23. Block ciphers - design • Confusion: • The relation between the key and the ciphertext must be as complex as possible. • Thus, the statistics of the ciphertext are not significantly influenced by the plaintext statistics. • Confusion is achieved by means of substitution (through non-linear functions, so called S-boxes).

  24. Block ciphers - design • Diffusion: • Diffusion annihilates the influence of the redundancy of the plaintext on the ciphertext. • It is achieved by making every symbol of the ciphertext dependent on as many plaintext letters as possible (by means of linear transformations such as permutations).

  25. Block ciphers - design • Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits.

  26. Block ciphers - design • Ideally, it would be impossible to decompose this S-box into smaller sub-units. • Such a block cipher would have a huge implementation complexity.

  27. Block ciphers - design • Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext. • These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key.

  28. Block ciphers - design • This decomposition into practical sub-units constitutes a trade-off between security and acceptable complexity. • A key-schedule is needed to derive round keys from a master key.

  29. Block ciphers - design • It is an accepted design principle that encipherment using a block cipher, selected via a randomly-chosen key, should look like encipherment by a randomly-chosen invertible function over N bits.

  30. Block ciphers - design • Basic design types of block ciphers: • Feistel ciphers • Substitution-permutation networks. • Both design philosophies have their advantages and disadvantages.

  31. Block ciphers - design • It is possible to combine these design types in a single block cipher (rarely used, e.g. SC2000). • There is no agreement about the best design philosophy for block ciphers.

  32. Feistel ciphers • A basic Feistel cipher takes 2t plaintext bits, and is a permutation F, which uses m round permutations $F_i$: where ◦ is a composition of functions, i.e.

  33. Feistel ciphers • Round i acts on t bits, R (right), by means of the keyed nonlinear function, $f_i$, and XORs the result with the other t bits, L (left). • The L and R halves are then swapped.

  34. Feistel ciphers • After the i-th round, we have: • [L', R'] becomes the new input [L, R] to the round i + 1.

  35. Feistel ciphers • F and the $F_i$ must be permutations, but the $f_i$ need not be. • It takes two rounds before all plaintext bits have been acted on in a nonlinear way. • In the decipherment process, the same functions are used, but with the round keys used in reverse order.
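The Feistel structure of slides 32 to 35 in code, as an added example that is not part of the original presentation. The round function `f`, the 32-bit block size and the round keys are constructed for illustration; the swap after the last round is undone, as slide 48 describes for DES, so that one routine both enciphers and deciphers.

```python
T = 16                      # half-block width t; the block is 2t = 32 bits
MASK = (1 << T) - 1

def f(k, r):
    """Toy round function (constructed for this example, not taken from
    any real cipher). The AND discards bits, so f is not a bijection."""
    return ((r & k) * 40503 + k) & MASK

def feistel(block, round_keys):
    """Apply the rounds [L, R] -> [R, L xor f(k, R)] to a 2t-bit block."""
    left, right = block >> T, block & MASK
    for k in round_keys:
        left, right = right, left ^ f(k, right)
    # Assumption: the swap of the final round is undone, so deciphering
    # is the same routine run with the round keys in reverse order.
    return (right << T) | left

def encipher(block, round_keys):
    return feistel(block, round_keys)

def decipher(block, round_keys):
    return feistel(block, list(reversed(round_keys)))

ROUND_KEYS = [0x0F0F, 0x3C5A, 0xA596, 0x1234]   # constructed sample keys

if __name__ == "__main__":
    p = 0xDEADBEEF                               # constructed sample block
    c = encipher(p, ROUND_KEYS)
    print(f"P={p:08x} C={c:08x} D={decipher(c, ROUND_KEYS):08x}")
    # f collides on two different inputs, yet the cipher still inverts.
    print("f collides:", f(0x0F0F, 0x0000) == f(0x0F0F, 0xF0F0))
    # After a single round the right half is still present unchanged,
    # which is why two rounds are needed to touch every plaintext bit.
    one = feistel(p, ROUND_KEYS[:1])
    print(f"right half after one round: {one & MASK:04x}")
```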

  36. Feistel ciphers • Example of a round:

  37. Feistel ciphers • Examples of Feistel designs: • LUCIFER (author: Horst Feistel) • DES (Data Encryption Standard) • MISTY1 • KASUMI (used in UMTS) • CAMELLIA • FEAL • etc.

  38. Substitution-permutation networks • A substitution-permutation network (SPN) separates the role of confusion and diffusion in the cipher. • The cipher is also decomposed into iterative rounds.

  39. Substitution-permutation networks • Each round comprises a layer of non-linear functions (often S-boxes), followed by a linear layer (often a permutation). • The non-linear layer provides the confusion. • The linear layer provides the diffusion.

  40. Substitution-permutation networks • Separating the tasks of confusion and diffusion allows the designer to maximize nonlinearity for the non-linear layer, and maximize information spread for the diffusion layer.
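A toy 16-bit substitution-permutation network showing the two layers of slides 38 to 40 and how a one-bit plaintext change spreads across S-boxes, as an added example that is not part of the original presentation. The S-box, the bit transposition used as the linear layer, the block size and the round keys are all constructed for illustration.

```python
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # sample 4-bit bijection
INV_SBOX = [SBOX.index(v) for v in range(16)]
SHIFTS = (0, 4, 8, 12)

def sub_layer(x, box):
    """Non-linear layer (confusion): S-box on each of the four nibbles."""
    return sum(box[(x >> s) & 0xF] << s for s in SHIFTS)

def perm_layer(x):
    """Linear layer (diffusion): bit b of nibble j moves to bit j of
    nibble b. This transposition is its own inverse."""
    return sum(((x >> i) & 1) << (4 * (i % 4) + i // 4) for i in range(16))

def encipher(x, keys):
    for k in keys[:-1]:                 # key mixing, S-boxes, permutation
        x = perm_layer(sub_layer(x ^ k, SBOX))
    return x ^ keys[-1]                 # final key mixing

def decipher(y, keys):
    y ^= keys[-1]
    for k in reversed(keys[:-1]):
        y = sub_layer(perm_layer(y), INV_SBOX) ^ k
    return y

def active_sboxes(x, bit, keys):
    """For 1, 2, ... rounds: number of nibbles in which the outputs for
    x and for x with one bit flipped differ."""
    counts = []
    for r in range(1, len(keys)):
        ks = keys[:r] + keys[-1:]
        diff = encipher(x, ks) ^ encipher(x ^ (1 << bit), ks)
        counts.append(sum(1 for s in SHIFTS if (diff >> s) & 0xF))
    return counts

KEYS = [0x3A94, 0xD63F, 0x1C57, 0xB2E0, 0x9F05]  # constructed round keys

if __name__ == "__main__":
    c = encipher(0x0000, KEYS)
    print(f"C={c:04x} D={decipher(c, KEYS):04x}")
    print("active S-boxes per round:", active_sboxes(0x0000, 0, KEYS))
```

The S-box layer alone confines a one-bit change to a single nibble; it is the linear layer that carries it into the other S-boxes of the next round.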

  41. Substitution-permutation networks • Examples of SPN design: • AES (Rijndael) (Advanced Encryption Standard) • IDEA • etc.

  42. Commonly used designs • Feistel ciphers: • DES (triple DES, etc.) • KASUMI • … • Substitution-permutation networks: • Rijndael (AES) • IDEA • …

  43. DES • The block cipher most implemented in practice is (still, as triple DES) DES (Data Encryption Standard), introduced in the USA by NBS (National Bureau of Standards) in 1974. • The length of the block in this cipher is 64 bits and the length of the key is 56 bits. • DES works alternately over two halves of the block to be enciphered.

  44. DES • First, an initial fixed permutation of the input block is performed. • Then the block is divided into two halves. • After that, a modular operation is realized 16 times ("rounds").

  45. DES • This operation consists of summing modulo 2 the left part with a function of the right part $F(K_i)$, managed by the subkey $K_i$, i=1,…,16, where i is the ordinal number of the round. • After that, the left and the right parts are interchanged.

  46. DES • The initial permutation is represented in the following way in the standard FIPS 46-3:

      58 50 42 34 26 18 10  2
      60 52 44 36 28 20 12  4
      62 54 46 38 30 22 14  6
      64 56 48 40 32 24 16  8
      57 49 41 33 25 17  9  1
      59 51 43 35 27 19 11  3
      61 53 45 37 29 21 13  5
      63 55 47 39 31 23 15  7

      • This means that the 58th bit of input becomes the 1st bit of output, 50th bit of input becomes the 2nd bit of output, etc.

  47. DES

  48. DES • In round 16 the interchange is omitted. • There is a final permutation, inverse to the initial one.

  49. DES • DES realizes an involution and because of that it is not necessary to invert the function F in the deciphering algorithm. • The function F contains non-linear operations.

  50. DES • The final permutation:

      40  8 48 16 56 24 64 32
      39  7 47 15 55 23 63 31
      38  6 46 14 54 22 62 30
      37  5 45 13 53 21 61 29
      36  4 44 12 52 20 60 28
      35  3 43 11 51 19 59 27
      34  2 42 10 50 18 58 26
      33  1 41  9 49 17 57 25

      • The 40th bit of input becomes the 1st bit of output, etc.
