Session 3

1. Session 3 Symmetric ciphers 2 part 2

2. Triple DES • Ordinary DES is now considered obsolete • Its key length is only 56 bits. • With today’s technology, it is possible to recover the key by means of a ”brute force attack” (enumeration of all the possible keys). • Solution: triple DES.

3. Triple DES – mode 1 (EEE) • The data are enciphered with the first key, then enciphered with the second key, and finally enciphered with the third key.

4. Triple DES – mode 2 (EDE) • The data are enciphered with the first key, then deciphered with the second key, and finally enciphered again with the third key. • Goal: compatibility with a single DES (set k1=k2=k3=k).

5. Triple DES – mode 2 (EDE)

6. Triple DES - security • Equivalent key length: • Of Double DES – only 57 bits (so called Meet-in-the-middle attack is possible that reduces the size of the key from 112 to effective 57 bits). • Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length.

7. Triple DES - security • A variant of Triple DES (called 2-key Triple DES, or 2TDES), with k1=k3 is widely used in ATM devices. • Due to certain chosen plaintext and known plaintext attacks on this scheme, its equivalent key length is 80 instead of 112 for the ordinary TDES.

8. KASUMI • The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms. • Within the security architecture of the UMTS system there are two standardised algorithms based on KASUMI: • a confidentiality algorithm f8, and • an integrity algorithm f9.

9. KASUMI • KASUMI is a Feistel cipher with 8 rounds. • It operates on a 64-bit data block and uses a 128-bit key. • Encipherment (1): • The 64 bit input Iis divided into two 32-bit strings L0and R0, where I = L0|| R0 • Then for each integer iwith 1≤i ≤8, we define • Ri= Li-1, Li= Ri-1fi(Li-1, RKi)

10. KASUMI • Encipherment (2): • This constitutes the i-th round function of KASUMI, where fidenotes the round function with Li-1and round key RKias inputs. • The result OUTPUT is equal to the 64-bit string (L8|| R8)offered at the end of the 8-th round.

11. KASUMI The whole algorithm:

12. KASUMI The FO function:

13. KASUMI The FI function:

14. KASUMI The FL function

15. KASUMI • The f-function has a 32-bit input and a 32-bit output. • Each f-function of KASUMI is composed of two functions: • an FL-function and • An FO-function. • An FO-function is defined as a network that makes use of three applications of an Fl-function.

16. KASUMI • An Fl-function has a 16-bit input and a 16-bit output. • Each Fl-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7. • The functions S7 and S9 are also called "S-boxes of KASUMI".

17. KASUMI • In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI). • The Kl-key KIi,j splits into two halves KIi,j,1 and KIi,j,2.

18. KASUMI • Each f-function fi takes a 32-bit input and returns a 32-bit output O under the control of a round key RKi, where the round key comprises the triplet (KLi, KOi, KIi).

19. KASUMI • The f-function fi itself is constructed from two subfunctions: an FL-function FLi and an FO-function FOi with associated subkeys KLi (used with FLi) and subkeys KOi and KIi (used with FOi).

20. KASUMI • The f-function fi has two different forms depending on whether it is an even round or an odd round. • For odd rounds i=1, 3, 5 and 7, the f-function is defined as: fi(i,RKi) = FOi(FLi(I,KLi),KOi,KLi) • For even rounds, i=2, 4, 6 and 8, the f-function is defined as: fi(i,RKi) =FLi(FOi(I,KOi,KIi),KLi)

21. KASUMI • FL functions (1) • The input to the function FLi comprises a 32-bit data input I and a 32-bit subkeyKLi. • The subkey is split into two 16-bit subkeys, KLi,1 and KLi,2, where: KLi= KLi,1llKLi,2 • The input data l is split into two 16-bit halves, L and R, where l =L||R.

22. KASUMI • FL functions (2) • The FL functions make use of the following simple operations: • ROL(D ) the left circular rotation of a data block D by-one bit. • D1D2 the bitwise OR operation of two data blocks D1 and D2. • D1D2 the bitwise AND operation of two data blocks D1 and D2.

23. KASUMI • FL functions (3) • Then the 32-bit output value of the FL function is defined as L’ llR ’, where: L’=L  ROL(R ’KLi,2) R ’=R ROL(LKLi,1)

24. KASUMI • FO functions (1) • The input to the function FOi comprises a 32-bit data input I and two sets of subkeys: • a 48-bit KOi and • a 48-bit KIi.

25. KASUMI • FO functions (2) • The 32-bit data input is split into two halves, L0 and R0, where I = L0llR0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where: KOi=KOi,1ll KOi,2ll KOi,3 and KIi=KIi,1ll KIi,2ll KIi,3

26. KASUMI • FO functions (3) • For each integer j with 1≤j ≤3 the operation of the j thround of the function FOi is defined as: Rj=FIi,j(Lj-1KOi,j,KIi,j) Rj-1 Lj=Rj-1 • Output from the FOi function is defined as the 32-bit data block L3llR3.

27. KASUMI • FI functions (1) • An Fl-function FIi,j takes a 16-bit data input I and a 16-bit subkeyKIi,j. • The input I is split into two unequal components, a 9-bit left half L0 and a 7-bit right half R0, where I =L0llR0. • Similarly, the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component Kli,j,2, where KIi,j= KIi,j,1ll KIi,j,2.

28. KASUMI • FI functions (2) • Each Fl-function FIi,j uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output. • Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards 2 MSB of a 9-bit string).

29. KASUMI • FI functions (3) • The function FIi,j is defined by the following series of operations: L1= R0R1=S9[L0]ZE(R0) L2=R1KIi,j,2R2=S7[L1]TR(R1)KIi,j,1 L3=R2R3=S9[L2]ZE(R2) L4=S7[L3]TR(R3)R4=R3 • The output of the FIi,j function is the 16-bit data block L4llR4.

30. KASUMI • FI functions (4) • The key schedule of KASUMI contains linear transforms and is rather simple. • That was a consequence of performance requirements.

31. Rijndael - AES • In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES. • Rijndael was designed for block and key lengths of 128, 192 and 256 bits. • AES supports only the 128 bit version.

32. Rijndael - AES • Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key. • We consider a 128 bit version, i.e. the AES.

33. Rijndael - AES • Each round has a round key, derived from the original key. • There is also a 0th round key, which is the original key. • A round starts with an input of 128 bits and produces an output of 128 bits.

34. Rijndael - AES • There are four basic steps, called layers, that are used to form the rounds: • The ByteSub Transformation (BS) • This non-linear layer is for resistance to differential and linear cryptanalysis attacks.

35. Rijndael - AES • The ShiftRow Transformation (SR) • This linear mixing step causes diffusion of the bits over multiple rounds. • The MixColumn Transformation (MC) • This layer has a purpose similar to ShiftRow. • AddRoundKey (ARK) • The round key is XoRed with the result of the above layer.

36. Rijndael - AES One roundof AES

37. Rijndael - AES • AES encipherment: • ARK, using the 0th round key. • Nine rounds of BS, SR, MC, ARK using round keys 1 to 9. • A final round: BS, SR, ARK, using the 10th round key (i.e. the final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn). • The 128-bit output is the ciphertext block.

38. Rijndael - AES

39. Rijndael - AES • The 128 input bits are grouped into 16 bytes of 8 bits each a00, a10, a20, a30, a01, a11, …, a33. • These are arranged into a 4x4 byte matrix:

40. Rijndael - AES • The operations that are performed in the field GF(28) use the following generating polynomial (Rijndael polynomial): f (X )=1+X+X 3+X 4+X 8 • Each byte, except the zero byte has a multiplicative inverse in GF(28).

41. Rijndael - AES • The ByteSub transformation: • In this step, each of the bytes in the matrix is changed to another byte by means of the S-box. • If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15). • This entry, when converted to binary, is the output.

42. Rijndael - AES • The output of ByteSub is again a 4x4 matrix of bytes

43. Rijndael - AES • The ShiftRow Transformation: • The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain

44. Rijndael - AES • The MixColumn Transformation • Regard a byte as an element of GF(28). • Then the output of the ShiftRow step is a 4x4 matrix [ci,j] with entries in GF(28). • We multiply from the left the matrix [ci,j] by a special matrix, whose entries are the elements of GF(28), to produce the output [di,j].

45. Rijndael - AES

46. Rijndael - AES • The RoundKey Addition • The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [ki,j] of bytes. • This is XORed with the output of the MixColumn step.

47. Rijndael - AES

48. Rijndael - AES • The key schedule (1) • The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes. • This matrix is expanded by adjoining 40 more columns, as follows. • Label the first four columns W(0), W(1), W(2), W(3). • The new columns are generated recursively.

49. Rijndael - AES • The key schedule (2) • Suppose columns up through W(i-1) have been defined. • If i is not a multiple of 4, then • W(i)=W(i-4)W(i-1) • If i is a multiple of 4, then • W(i)=W(i-4)T(W(i-1))

50. Rijndael - AES • The key schedule (3) • T(W(i-1)) is the transformation of W(i-1) obtained as follows (1) • Let the elements of the column W(i-1) be a, b, c, d. • Shift these cyclically to obtain b, c, d, a. • Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e, f, g, h.