1 / 75

Session 3: Secret key cryptography – block ciphers – part 1

Session 3: Secret key cryptography – block ciphers – part 1. Block ciphers - definition. Block cipher encryption provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function.

mio
Download Presentation

Session 3: Secret key cryptography – block ciphers – part 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Session 3: Secret key cryptography – block ciphers – part 1

  2. Block ciphers - definition • Block cipher encryption provides confidentiality by transforming a plaintext message into a ciphertext message, by means of a special function. • The precise function implemented by the block cipher is determined by a secret key.

  3. Block ciphers - definition • The principal difference between a stream cipher and a block cipher: • A stream cipher contains memory, embodied in its current state. • A block cipher is memoryless outside its current block and therefore has no current state.

  4. Block ciphers - definition • Block ciphers operation: • A plaintext message is partitioned into a series of blocks. • These blocks are then encrypted one block at a time. • A block cipher can also be used as a component in a stream cipher, message authentication codes (MACs), hash functions, and signature schemes.

  5. Block ciphers - definition • Block cipher encryption is a form of symmetric-key encryption. • Both transmitter and receiver of the ciphertext have knowledge of the secret key. • Example: the substitution cipher, and the transposition cipher are essentially block ciphers.

  6. Block ciphers - definition • A block cipher is a vectorial Boolean function E : {0, 1}K × {0, 1}N→ {0, 1}N that takes two inputs: • a K-bit key k ; • an N-bit plaintext P. • It returns an N-bit ciphertext C = E(k, P).

  7. Block ciphers - definition • For any block cipher, and any key k, the function Ek is a permutation on {0, 1}N. • This means that it is a bijection - a one-to-one mapping of {0, 1}N to {0, 1}N. • Since it is a bijection, it has an inverse, • Since E is invertible, decryption is possible.

  8. Block ciphers - definition • Both the cipher and its inverse E−1 should be easily computable: • Given k, P, we can compute E(k, P). • Given k, C, we can compute E−1(k,C). • The key k should be chosen uniformly at random.

  9. Block ciphers - design • The aim of the block cipher design is to make it practically impossible to retrieve the plaintext from the ciphertext without knowledge of the K-bit secret key. • Since decryption is only possible if the encryption function is invertible (i.e. if it is a bijection) the choice of possible N-bit block ciphers is restricted to one of (2N)! block ciphers.

  10. Block ciphers - design • Of all these (2N)! block ciphers, only 2K are used, because of the parameterization by the key. • In practice, these 2K block ciphers that are actually used constitute an infinitesimally small fraction of (2N)! possible block ciphers.

  11. Example: N=3, K=2 • A 3-bit block cipher with 2 bits of key. • There are (2N)! = 8! = 40320 possible permutations, of which only 2K = 22 = 4 permutations are used. • Let these permutations be: • k=00, p0=(4,6,1,8,5,7,3,2) • k=01, p1=(5,2,7,1,8,6,4,3) • k=10, p2=(8,6,2,1,3,4,5,7) • k=11, p3=(3,8,6,2,4,7,5,1)

  12. Example (cont.) • Let us choose k=00, which means: • k=00, p0=(4,6,1,8,5,7,3,2) • or: • The corresponding block cipher, Ek:

  13. Example (cont.) • The inverse permutation: • P0’=(3,8,7,1,5,2,6,4) • or: • The corresponding inverse block cipher, Ek-1:

  14. Example (cont.) • Let us encipher X=101. • The corresponding address is 5. • Y=Ek(X)=Ek(5)=001. • Deciphering: Y=001. • The corresponding address is 1. • Ek-1(Y)=Ek-1(1)= 101=X.

  15. Block ciphers - design • The problem of block cipher design: • determine which set of 2K block ciphers to choose such that, for an unknown fixed key, it is virtually impossible to say anything about the ciphertext resulting from a known or chosen plaintext; • given prior knowledge of a few plaintext/ciphertext pairs it should be impossible to say anything about the fixed key.

  16. Block ciphers - design • Any effective block cipher scheme must be realized efficiently in time and space, with as little implementation cost as possible. • The practical trade-off is to design a block cipher which is both sufficiently secure, and satisfactorily efficient in terms of hardware/software space and time resources.

  17. Block ciphers - design • A block cipher with a secret key is considered perfect if, for all plaintexts P and ciphertexts C, it holds that Pr(P|C)=Pr(P). • If, for a fixed K-bit key, an N-bit block cipher is used to encrypt K/N plaintexts, then the cipher can always be chosen to be the one-time pad. • In this special case, the encryption is provably secure and the block cipher is perfect.

  18. Block ciphers - design • In most situations the one-time pad is impractical as far too many secret keys must be used. • Therefore it is highly desirable to securely encrypt T plaintexts using the same, fixed K-bit secret key, where T >> K/N .

  19. Block ciphers - design • Most modern block ciphers seek to maximize T, whilst still achieving an acceptable security. • This is achieved via a combination of: • confusion, which makes the relationship between key and ciphertext as complicated as possible, and • diffusion, which seeks to eliminate any redundancy in the plaintext. Diffusion also makes it difficult for any attacker to partially approximate the cipher.

  20. Block ciphers - design • Confusion: • The relation between the key and the ciphertext must be as complex as possible. • Thus, the statistics of the ciphertext is not significantly influenced by the plaintext statistics. • Confusion is achieved by means of substitution (through non linear functions, so called S boxes).

  21. Block ciphers - design • Diffusion: • Diffusion annihilates the influence of the redundancy of the plaintext on the ciphertext. • It is achieved by making every letter of the ciphertext dependent on as much plaintext letters as possible (by means of linear transformations such as permutations).

  22. Block ciphers - design • Theoretically, the ideal block cipher, from a security viewpoint, would involve one very large, well-chosen N-bit Substitution Box (S-Box), keyed by K key bits and, • ideally, it would be impossible to decompose this S-box into smaller sub-units. • Such a block cipher would have a huge implementation complexity.

  23. Block ciphers - design • Any practical block cipher combines relatively small sub-units to confuse (S-boxes) and diffuse (linear transformation layers) the plaintext. • These sub-units are applied iteratively as keyed rounds, parameterized by sub-keys, which are derived from the master K-bit key. • This decomposition into practical sub-units constitutes a trade-off between security and acceptable complexity.

  24. Block ciphers - design • A key-schedule is needed to derive round keys from a master key. • It is an accepted design principle that encryption using a block cipher, selected via a randomly-chosen key, should look like encryption by a randomly-chosen invertible function over N bits.

  25. Block ciphers - design • Basic design types of block ciphers: • Feistel ciphers • Substitution-permutation networks. • Both design philosophies have their advantages and disadvantages. • It is possible to combine these design types in a single block cipher (rarely used, e.g. SC2000). • There is no agreement about the best design philosophy for block ciphers.

  26. Feistel ciphers • A basic Feistel cipher takes 2t plaintext bits, and is a permutation, F, which uses m round permutations, Fi: • Where ◦ is a composition of functions, i.e.

  27. Feistel ciphers • Round i acts on t bits, R (right), by means of the keyed nonlinear function, fi, and XORs the result with other t bits, L (left). • The L and R halves are then swapped. • After the i-th round, we have: • [L’ R’] becomes the new input [L,R] to the round i + 1.

  28. Feistel ciphers • F and the Fi must be permutations, but the fi need not be. • It takes two rounds before all plaintext bits have been acted on in a nonlinear way. • In the decryption process, the same functions are used, but with the round keys used in reverse order.

  29. Feistel ciphers • Example of a round:

  30. Feistel ciphers • Examples of Feistel design: • LUCIFER (author: Horst Feistel) • DES (Data Encryption Standard) • MISTY1 • KASUMI (used in UMTS) • CAMELLIA • FEAL • etc.

  31. Substitution-permutation networks • A substitution-permutation network (SPN) separates the role of confusion and diffusion in the cipher. • The cipher is also decomposed into iterative rounds. • Each round comprises a layer of non linear functions (often S-boxes), followed by a linear layer (often a permutation). • The non linear layer provides the confusion. • The linear layer provides the diffusion.

  32. Substitution-permutation networks • The separating of the tasks of confusion and diffusion allows the designer to maximise nonlinearity for the non linear layer, and maximise information spread for the diffusion layer. • Examples of SPN design: • AES (Rijndael) (Advanced Encryption Standard) • IDEA • etc.

  33. Non linear transformations • Non linearity in block ciphers is usually introduced by means of tables, so called S-boxes. • There are also designs without explicit S-boxes. Instead, integer addition and multiplication, discrete logarithm and exponentiation, etc. are used (examples of such ciphers are IDEA, RC6, etc.)

  34. Non linear transformations • S-boxes can be very simple. For example, S-boxes of Rijndael and Camellia are essentially X-1 over GF(28). • Regarding the relation with the key, S-boxes can be • Key dependent • Key independent.

  35. Non linear transformations • Almost perfect non linear functions (APN) – resistant to certain attacks against block ciphers (differential and linear cryptanalysis): • Let f(x) be a mapping: GF(pn)→GF(pn). • Let N(a,b) denote the number of solutions xGF(pn) of the equation f(x+a)–f(x)=b, a,b GF(pn). • Let f = max{N(a,b) | a,bGF(pn), a≠0}.

  36. Non linear transformations • For linear functions, f(x+a)=f(x)+f(a). • So, f(x+a)-f(x)=f(x)+f(a)-f(x)=f(a). • Thus for linear functions b=f(a), which means that every x satisfies the equation. • A completely contrary case: only 1 solution of the equation – the “most nonlinear” function f(x).

  37. Non linear transformations • If f =k , the mapping is called differentially k uniform. • For applications in cryptography, f should be as small as possible. • If p is odd, there exist functions for which f = 1 → perfect nonlinear functions (PN). • Functions of the form f(x)=xd over GF(pn), p prime, are of special interest.

  38. Non linear transformations • Theorem 1: • f(x)=xd is a mapping over GF(pn), p>2. • Then f(x) is 1-uniform (PN) in the following cases: • d=2; • d=pk+1, n/(n,k) is odd; • d=(3k+1)/2, p=3, k odd, (n,k)=1. • Since for the most interesting case, p=2, PN functions do not exist, we use APN.

  39. Non linear transformations • APN functions →f = 2. • For p = 2, if x is a solution of f(x+a)-f(x)=b, so is x+a. • Thus f = 2 is the smallest possible value when p=2. • This means that the restricted meaning of “almost” is not justified in this case.

  40. Non linear transformations • Theorem 2: • f(x)=xd is a mapping over GF(2n). • Then f(x) is APN in the following cases: • n=2m+1: • d=2n-2; • d=2k+1, (n,k)=1, 1km; (Gold’s function) • d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function) • d=2m+3; (Welch’s function) • d=2m + 2m/2 − 1 (even m), 2m + 2(3m+1)/2 − 1 (odd m); (Niho’s function)

  41. Non linear transformations • Theorem 2 (cont.): • n=2m: • d=2k+1, (n,k)=1, 1km; (Gold’s function) • d=22k-2k+1, (n,k)=1, 2km; (Kasami’s function). • An exponent d’ is equivalent to d if there is t such that d’=2td. • An S-box can be obtained by means of a linear transform of a power function xd of this type. • The Hamming weight of d is equal to the non linear order of the S-box obtained from xd.

  42. Non linear transformations • Example: Use the Kasami exponent to design a 7-bit S-box. • n=7, m=3, 2k3. • Let us choose k=2. (2,7)=1. • Then d=22k-2k+1 = 24-22+1=13. • The Hamming weight of d=1310=11012 is 3, so the non linear order of the S-box will be 3. • We now pick an irreducible polynomial of degree n=7, f(x)=x7+x+1.

  43. Non linear transformations • Example (cont.): • We also pick polynomials a(x) and b(x) at random, deg a(x)<n, deg b(x)<n. For example, let a(x)=x5+x4+x+1, b(x)=x4+x. • The general linear function F(x)=ax+b is used to transform xd linearly, i.e. S(x)=F(x)◦xd=F(xd)=axd+b, a,b,xGF(27). • Thus, the S-box is S(x)=a(x)xd+b(x) mod f(x), x=0,…,2n-1.

  44. Non linear transformations • Example (cont.): • For any primitive element , the field elements of GF(27) determined by f(x)=x7+x+1 are: • 0=1→0000001 7= +1 →000011 • 1= →0000010 8= 2+ →0000110 • 2= 2→0000100 9= 3+2→0001100 • 3= 3→0001000 10= 4+3→0011000 • 4= 4→0010000 11= 5+4→0110000 • 5= 5→0100000 12= 6+5→1100000 • 6= 6→1000000 13= 6++1 →1000011 …

  45. Non linear transformations • Example (cont.): • Then (i)13= (i13) mod 127: • (0)13=1→0000001 • (1)13=13= 6++1→1000011 • (2)13=26= 6+5+2+1→1100101 • (3)13=39= 5+4+3+ →0111010 • … • (10)13=130 mod 127=3→0001000 • …

  46. Non linear transformations • Example (cont.): • Every (i)d= (id) mod 127 should now be multiplied by a(x) mod f(x) and b(x) is added to the result. So we finally get: • 0=0000001→a(x)+b(x)→ 5+1→0100001 • 1=0000010→((x5+x4+x+1)(x6+x+1)+(x4+x)) mod (x7+x+1) →5+3+2→0101100 • The addresses should be given in the increasing order, from 0000000 to 1111111, and the corresponding values of S are given for every address → S-box.

  47. Commonly used designs • Feistel ciphers: • DES (triple DES, etc.) • KASUMI • … • Substitution-permutation networks: • Rijndael (AES) • IDEA • …

  48. DES • The block cipher most implemented in practice is (still, as triple DES) DES (Data Encryption Standard), introduced in USA by NBS (National Bureau of Standards) in 1974. • The length of the block in this cipher is 64 bits and the length of the key is 56 bits. • DES works alternatively over two halves of the block to be enciphered.

  49. DES • First, an initial fixed permutation of the input block is performed. • Then the block is divided into two halves. • After that, a modular operation is realized 16 times (“rounds"). • This operation consists of summing modulo 2 the left part with a function of the right part F(Ki), managed by the subkey Ki, i=1,…,16, where i is the ordinal number of the round. • After that, the left and the right parts are interchanged.

  50. DES • The initial permutation is represented in the following way in the standard FIPS 46-3: • 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 • 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 • 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 • 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 • This means that the 58th bit of input becomes the 1st bit of output, 50th bit of input becomes the 2nd bit of output, etc.

More Related