Session 3: Secret key cryptography

1
Session 3 Secret key cryptography block
ciphers part 1
2
Block ciphers - definition

• Block cipher encryption provides confidentiality
  by transforming a plaintext message into a
  ciphertext message, by means of a special
  function.
• The precise function implemented by the block
  cipher is determined by a secret key.

3
Block ciphers - definition

• The principal difference between a stream cipher
  and a block cipher
• A stream cipher contains memory, embodied in its
  current state.
• A block cipher is memoryless outside its current
  block and therefore has no current state.

4
Block ciphers - definition

• Block ciphers operation
• A plaintext message is partitioned into a series
  of blocks.
• These blocks are then encrypted one block at a
  time.
• A block cipher can also be used as a component in
  a stream cipher, message authentication codes
  (MACs), hash functions, and signature schemes.

5
Block ciphers - definition

• Block cipher encryption is a form of
  symmetric-key encryption.
• Both transmitter and receiver of the ciphertext
  have knowledge of the secret key.
• Example the substitution cipher, and the
  transposition cipher are essentially block
  ciphers.

6
Block ciphers - definition

• A block cipher is a vectorial Boolean function E
  0, 1K 0, 1N ? 0, 1N that takes two
  inputs
• a K-bit key k
• an N-bit plaintext P.
• It returns an N-bit ciphertext C E(k, P).

7
Block ciphers - definition

• For any block cipher, and any key k, the function
  Ek is a permutation on 0, 1N.
• This means that it is a bijection - a
  one-to-one mapping of 0, 1N to 0, 1N.
• Since it is a bijection, it has an inverse,
• Since E is invertible, decryption is possible.

8
Block ciphers - definition

• Both the cipher and its inverse E-1 should be
  easily computable
• Given k, P, we can compute E(k, P).
• Given k, C, we can compute E-1(k,C).
• The key k should be chosen uniformly at random.

9
Block ciphers - design

• The aim of the block cipher design is to make it
  practically impossible to retrieve the plaintext
  from the ciphertext without knowledge of the
  K-bit secret key.
• Since decryption is only possible if the
  encryption function is invertible (i.e. if it is
  a bijection) the choice of possible N-bit block
  ciphers is restricted to one of (2N)! block
  ciphers.

10
Block ciphers - design

• Of all these (2N)! block ciphers, only 2K are
  used, because of the parameterization by the key.
• In practice, these 2K block ciphers that are
  actually used constitute an infinitesimally small
  fraction of (2N)! possible block ciphers.

11
Example N3, K2

• A 3-bit block cipher with 2 bits of key.
• There are (2N)! 8! 40320 possible
  permutations, of which only 2K 22 4
  permutations are used.
• Let these permutations be
• k00, p0(4,6,1,8,5,7,3,2)
• k01, p1(5,2,7,1,8,6,4,3)
• k10, p2(8,6,2,1,3,4,5,7)
• k11, p3(3,8,6,2,4,7,5,1)

12
Example (cont.)

• Let us choose k00, which means
• k00, p0(4,6,1,8,5,7,3,2)
• or
• The corresponding block cipher, Ek

Addr. Value
0 010
1 111
2 110
3 000
4 100
5 001
6 101
7 011
13
Example (cont.)

• The inverse permutation
• P0(3,8,7,1,5,2,6,4)
• or
• The corresponding inverse block cipher, Ek-1

Addr. Value
0 011
1 101
2 000
3 111
4 100
5 110
6 010
7 001
14
Example (cont.)

• Let us encipher X101.
• The corresponding address is 5.
• YEk(X)Ek(5)001.
• Deciphering Y001.
• The corresponding address is 1.
• Ek-1(Y)Ek-1(1) 101X.

15
Block ciphers - design

• The problem of block cipher design
• determine which set of 2K block ciphers to choose
  such that, for an unknown fixed key, it is
  virtually impossible to say anything about the
  ciphertext resulting from a known or chosen
  plaintext
• given prior knowledge of a few plaintext/ciphertex
  t pairs it should be impossible to say anything
  about the fixed key.

16
Block ciphers - design

• Any effective block cipher scheme must be
  realized efficiently in time and space, with as
  little implementation cost as possible.
• The practical trade-off is to design a block
  cipher which is both sufficiently secure, and
  satisfactorily efficient in terms of
  hardware/software space and time resources.

17
Block ciphers - design

• A block cipher with a secret key is considered
  perfect if, for all plaintexts P and ciphertexts
  C, it holds that Pr(PC)Pr(P).
• If, for a fixed K-bit key, an N-bit block cipher
  is used to encrypt ?K/N? plaintexts, then the
  cipher can always be chosen to be the
  one-time pad.
• In this special case, the encryption is provably
  secure and the block cipher is perfect.

18
Block ciphers - design

• In most situations the one-time pad is
  impractical as far too many secret keys must be
  used.
• Therefore it is highly desirable to securely
  encrypt T plaintexts using the same, fixed K-bit
  secret key, where T gtgt ?K/N? .

19
Block ciphers - design

• Most modern block ciphers seek to maximize T,
  whilst still achieving an acceptable security.
• This is achieved via a combination of
• confusion, which makes the relationship between
  key and ciphertext as complicated as possible,
  and
• diffusion, which seeks to eliminate any
  redundancy in the plaintext. Diffusion also makes
  it difficult for any attacker to partially
  approximate the cipher.

20
Block ciphers - design

• Confusion
• The relation between the key and the ciphertext
  must be as complex as possible.
• Thus, the statistics of the ciphertext is not
  significantly influenced by the plaintext
  statistics.
• Confusion is achieved by means of substitution
  (through non linear functions, so called S
  boxes).

21
Block ciphers - design

• Diffusion
• Diffusion annihilates the influence of the
  redundancy of the plaintext on the ciphertext.
• It is achieved by making every letter of the
  ciphertext dependent on as much plaintext letters
  as possible (by means of linear transformations
  such as permutations).

22
Block ciphers - design

• Theoretically, the ideal block cipher, from a
  security viewpoint, would involve one very large,
  well-chosen N-bit Substitution Box (S-Box), keyed
  by K key bits and,
• ideally, it would be impossible to decompose this
  S-box into smaller sub-units.
• Such a block cipher would have a huge
  implementation complexity.

23
Block ciphers - design

• Any practical block cipher combines relatively
  small sub-units to confuse (S-boxes) and diffuse
  (linear transformation layers) the plaintext.
• These sub-units are applied iteratively as keyed
  rounds, parameterized by sub-keys, which are
  derived from the master K-bit key.
• This decomposition into practical sub-units
  constitutes a trade-off between security and
  acceptable complexity.

24
Block ciphers - design

• A key-schedule is needed to derive round keys
  from a master key.
• It is an accepted design principle that
  encryption using a block cipher, selected via a
  randomly-chosen key, should look like encryption
  by a randomly-chosen invertible function over N
  bits.

25
Block ciphers - design

• Basic design types of block ciphers
• Feistel ciphers
• Substitution-permutation networks.
• Both design philosophies have their advantages
  and disadvantages.
• It is possible to combine these design types in a
  single block cipher (rarely used, e.g. SC2000).
• There is no agreement about the best design
  philosophy for block ciphers.

26
Feistel ciphers

• A basic Feistel cipher takes 2t plaintext bits,
  and is a permutation, F, which uses m round
  permutations, Fi
• Where ? is a composition of functions, i.e.

27
Feistel ciphers

• Round i acts on t bits, R (right), by means of
  the keyed nonlinear function, fi, and XORs the
  result with other t bits, L (left).
• The L and R halves are then swapped.
• After the i-th round, we have
• L R becomes the new input L,R to the round
  i 1.

28
Feistel ciphers

• F and the Fi must be permutations, but the fi
  need not be.
• It takes two rounds before all plaintext bits
  have been acted on in a nonlinear way.
• In the decryption process, the same functions are
  used, but with the round keys used in reverse
  order.

29
Feistel ciphers

• Example of a round

30
Feistel ciphers

• Examples of Feistel design
• LUCIFER (author Horst Feistel)
• DES (Data Encryption Standard)
• MISTY1
• KASUMI (used in UMTS)
• CAMELLIA
• FEAL
• etc.

31
Substitution-permutation networks

• A substitution-permutation network (SPN)
  separates the role of confusion and diffusion in
  the cipher.
• The cipher is also decomposed into iterative
  rounds.
• Each round comprises a layer of non linear
  functions (often S-boxes), followed by a linear
  layer (often a permutation).
• The non linear layer provides the confusion.
• The linear layer provides the diffusion.

32
Substitution-permutation networks

• The separating of the tasks of confusion and
  diffusion allows the designer to maximise
  nonlinearity for the non linear layer, and
  maximise information spread for the diffusion
  layer.
• Examples of SPN design
• AES (Rijndael) (Advanced Encryption Standard)
• IDEA
• etc.

33
Non linear transformations

• Non linearity in block ciphers is usually
  introduced by means of tables, so called S-boxes.
• There are also designs without explicit S-boxes.
  Instead, integer addition and multiplication,
  discrete logarithm and exponentiation, etc. are
  used (examples of such ciphers are IDEA, RC6,
  etc.)

34
Non linear transformations

• S-boxes can be very simple. For example, S-boxes
  of Rijndael and Camellia are essentially X-1 over
  GF(28).
• Regarding the relation with the key, S-boxes
  can be
• Key dependent
• Key independent.

35
Non linear transformations

• Almost perfect non linear functions (APN)
  resistant to certain attacks against block
  ciphers (differential and linear cryptanalysis)
• Let f(x) be a mapping GF(pn)?GF(pn).
• Let N(a,b) denote the number of solutions
  x?GF(pn) of the equation f(xa)f(x)b, a,b
  ? GF(pn).
• Let ?f maxN(a,b) a,b?GF(pn), a?0.

36
Non linear transformations

• For linear functions, f(xa)f(x)f(a).
• So, f(xa)-f(x)f(x)f(a)-f(x)f(a).
• Thus for linear functions bf(a), which means
  that every x satisfies the equation.
• A completely contrary case only 1 solution of
  the equation the most nonlinear function
  f(x).

37
Non linear transformations

• If ?f k , the mapping is called differentially k
  uniform.
• For applications in cryptography, ?f should be as
  small as possible.
• If p is odd, there exist functions for which ?f
  1 ? perfect nonlinear functions (PN).
• Functions of the form f(x)xd over GF(pn), p
  prime, are of special interest.

38
Non linear transformations

• Theorem 1
• f(x)xd is a mapping over GF(pn), pgt2.
• Then f(x) is 1-uniform (PN) in the following
  cases
• d2
• dpk1, n/(n,k) is odd
• d(3k1)/2, p3, k odd, (n,k)1.
• Since for the most interesting case, p2, PN
  functions do not exist, we use APN.

39
Non linear transformations

• APN functions ? ?f 2.
• For p 2, if x is a solution of f(xa)-f(x)b,
  so is xa.
• Thus ?f 2 is the smallest possible value when
  p2.
• This means that the restricted meaning of
  almost is not justified in this case.

40
Non linear transformations

• Theorem 2
• f(x)xd is a mapping over GF(2n).
• Then f(x) is APN in the following cases
• n2m1
• d2n-2
• d2k1, (n,k)1, 1?k?m (Golds function)
• d22k-2k1, (n,k)1, 2?k?m (Kasamis function)
• d2m3 (Welchs function)
• d2m 2m/2 - 1 (even m), 2m 2(3m1)/2 - 1 (odd
  m) (Nihos function)

41
Non linear transformations

• Theorem 2 (cont.)
• n2m
• d2k1, (n,k)1, 1?k?m (Golds function)
• d22k-2k1, (n,k)1, 2?k?m (Kasamis function).
• An exponent d is equivalent to d if there is t
  such that d2td.
• An S-box can be obtained by means of a linear
  transform of a power function xd of this type.
• The Hamming weight of d is equal to the non
  linear order of the S-box obtained from xd.

42
Non linear transformations

• Example Use the Kasami exponent to design a
  7-bit S-box.
• n7, m3, 2?k?3.
• Let us choose k2. (2,7)1.
• Then d22k-2k1 24-22113.
• The Hamming weight of d131011012 is 3, so the
  non linear order of the S-box will be 3.
• We now pick an irreducible polynomial of degree
  n7, f(x)x7x1.

43
Non linear transformations

• Example (cont.)
• We also pick polynomials a(x) and b(x) at random,
  deg a(x)ltn, deg b(x)ltn. For example, let
  a(x)x5x4x1, b(x)x4x.
• The general linear function F(x)axb is used to
  transform xd linearly, i.e. S(x)F(x)?xdF(xd)axd
  b, a,b,x?GF(27).
• Thus, the S-box is S(x)a(x)xdb(x) mod f(x),
  x0,,2n-1.

44
Non linear transformations

• Example (cont.)
• For any primitive element ?, the field elements
  of GF(27) determined by f(x)x7x1 are
• ?01?0000001 ?7 ? 1 ?000011
• ?1 ??0000010 ?8 ?2? ?0000110
• ?2 ?2 ?0000100 ?9 ?3?2 ?0001100
• ?3 ?3 ?0001000 ?10 ?4?3 ?0011000
• ?4 ?4 ?0010000 ?11 ?5?4 ?0110000
• ?5 ?5 ?0100000 ?12 ?6?5 ?1100000
• ?6 ?6 ?1000000 ?13 ?6?1 ?1000011

45
Non linear transformations

• Example (cont.)
• Then (?i)13 ?(i?13) mod 127
• (?0)131?0000001
• (?1)13?13 ?6?1?1000011
• (?2)13?26 ?6?5?21?1100101
• (?3)13?39 ?5?4?3 ??0111010
• (?10)13?130 mod 127?3?0001000

46
Non linear transformations

• Example (cont.)
• Every (?i)d ?(i?d) mod 127 should now be
  multiplied by a(x) mod f(x) and b(x) is added to
  the result. So we finally get
• ?00000001?a(x)b(x)? ?51?0100001
• ?10000010? ((x5x4x1)(x6x1)(x4x)) mod
  (x7x1) ??5?3?2?0101100
• The addresses should be given in the increasing
  order, from 0000000 to 1111111, and the
  corresponding values of S are given for every
  address ? S-box.

47
Commonly used designs

• Feistel ciphers
• DES (triple DES, etc.)
• KASUMI
• Substitution-permutation networks
• Rijndael (AES)
• IDEA

48
DES

• The block cipher most implemented in practice is
  (still, as triple DES) DES (Data Encryption
  Standard), introduced in USA by NBS (National
  Bureau of Standards) in 1974.
• The length of the block in this cipher is 64 bits
  and the length of the key is 56 bits.
• DES works alternatively over two halves of the
  block to be enciphered.

49
DES

• First, an initial fixed permutation of the input
  block is performed.
• Then the block is divided into two halves.
• After that, a modular operation is realized 16
  times (rounds").
• This operation consists of summing modulo 2 the
  left part with a function of the right part
  F(Ki), managed by the subkey Ki, i1,,16, where
  i is the ordinal number of the round.
• After that, the left and the right parts are
  interchanged.

50
DES

• The initial permutation is represented in the
  following way in the standard FIPS 46-3
• 58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
• 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
• 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
• 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
• This means that the 58th bit of input becomes the
  1st bit of output, 50th bit of input becomes the
  2nd bit of output, etc.

51
DES
52
DES

• In the round 16 the interchange is omitted.
• There is a final permutation, inverse to the
  initial one.
• DES realizes an involution and because of that it
  is not necessary to invert the function F in the
  deciphering algorithm.
• The function F contains non linear operations.

53
DES

• The final permutation
• 40 8 48 16 56 24 64 32
• 39 7 47 15 55 23 63 31
• 38 6 46 14 54 22 62 30
• 37 5 45 13 53 21 61 29
• 36 4 44 12 52 20 60 28
• 35 3 43 11 51 19 59 27
• 34 2 42 10 50 18 58 26
• 33 1 41 9 49 17 57 25
• The 40th bit of input becomes the 1st bit of
  output, etc.

54
DES
55
DES

• The expansion algorithm from 32 to 48 bits
• 32 1 2 3 4 5 4 5 6 7 8 9
• 8 9 10 11 12 13 12 13 14 15 16 17
• 16 17 18 19 20 21 20 21 22 23 24 25
• 24 25 26 27 28 29 28 29 30 31 32 1
• The first bit of the resulting 48 bit vector is
  the 32nd bit of the input vector, etc.

56
DES

• The function F is a set of following operations
• The first manipulation consists of producing a
  vector of 48 bits from the initial 32 bits by
  means of a linear expansion.
• Next, the local key of 48 bits is combined with
  the obtained vector by means of the sum modulo 2,
  bit by bit.
• Thus another vector of 48 bits is obtained, which
  is divided in 8 groups of 6 bits each.
• Each group serves as input to 8 functions called
  S-boxes.
• These boxes are responsible for the non linearity
  of DES.
• The output of each S-box are 4 bits.
• When a single input bit is changed, at least 2
  output bits are changed.

57
DES

• S1
• 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
• 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
• 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
• 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

58
DES

• S2
• 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
• 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
• 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
• 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

59
DES

• S3
• 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
• 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
• 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
• 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

60
DES

• S4
• 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
• 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
• 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
• 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

61
DES

• S5
• 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
• 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
• 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
• 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

62
DES

• S6
• 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
• 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
• 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
• 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

63
DES

• S7
• 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
• 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
• 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
• 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

64
DES

• S8
• 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
• 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
• 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
• 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

65
DES

• Addressing of the DES S-boxes
• Let the addressing 6-tuple for any S-box be
  b1b2b3b4b5b6.
• The bits b1b6 determine the row of the S-box.
• The bits b2b3b4b5 determine the column of the
  S-box.
• Example
• Let the addressing 6-tuple of the 3rd S-box be
  001001.
• The row is 01, which means the 2nd row, since 00
  is the first row.
• The column is 0100, which means the 5th column,
  since the numbering starts from 0000.

66
DES

• Finally, the information passes through a
  "P-box", which is a fixed permutation, chosen in
  such a way that a maximum diffusion of bits is
  achieved through the whole 32 bit vector.
• The P-box
• 16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
• 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
• 16th bit of input becomes the 1st bit of output,
  etc.

67
DES

• Although DES handles 64 bit keys, the first
  operation that is realized in the process of key
  expansion is their reduction to 56 bits, by
  eliminating one bit of every 8 bits.
• Then the remaining bits are reordered.
• Next, 16 subkeys necessary in the 16 rounds of
  the algorithm are obtained.

68
DES

• The reordering key permutation
• 57 49 41 33 25 17 9
• 1 58 50 42 34 26 18
• 10 2 59 51 43 35 27
• 19 11 3 60 52 44 36
• 63 55 47 39 31 23 15
• 7 62 54 46 38 30 22
• 14 6 61 53 45 37 29
• 21 13 5 28 20 12 4
• 57th bit of input becomes the 1st bit of output,
  etc. Every 8th bit of the initial 64 bit key is
  dropped.

69
DES

• During the deciphering process, the subkeys are
  used in the reverse order.
• The subkeys are generated in the following way
• First, the key of 56 bits is divided in two
  halves of 28 bits each.
• Then, the halves are rotated left 1 or 2 bits,
  depending on the round. Rotating left a number of
  positions depending on the round is recursive,
  which means that the initial vector for the i-th
  round is the output vector of the (i-1)st round.
• After the rotation, the halves are reunited,
  obtaining again 16 groups of 56 bits.
• Next, 48 bits of each group are selected to form
  the final 16 subkeys, in the process denominated
  "permutation with compression".

70
DES

• Iteration Number Number of Left Shifts
• 1 1
• 2 1
• 3 2
• 4 2
• 5 2
• 6 2
• 7 2
• 8 2
• 9 1
• 10 2
• 11 2
• 12 2
• 13 2
• 14 2
• 15 2
• 16 1

71
DES

• The choice of 48 bits of the i-th subkey from the
  corresponding 56 bits
• 14 17 11 24 1 5
• 3 28 15 6 21 10
• 23 19 12 4 26 8
• 16 7 27 20 13 2
• 41 52 31 37 47 55
• 30 40 51 45 33 48
• 44 49 39 56 34 53
• 46 42 50 36 29 32

72
DES

• For deciphering, DES should run backwards, which
  means that K16 subkey is used in the first round,
  K15 in the second, , K1 in the 16th round.

73
Triple DES mode 1

• The data is encrypted with the first key, then
  encrypted with the second key, and finally
  encrypted with the third key.

74
Triple DES mode 2

• The data is encrypted with the first key, then
  decrypted with the second key, and finally
  encrypted again with the first key.
• Goal compatibility with a single DES.

75
Triple DES - security

• Equivalent key length
• Of Double DES only 57 bits (so called
  Meet-in-the-middle attack is possible that
  reduces the size of the key from 112 to 57 bits).
• Of Triple DES 112 bits, instead of 168 bits,
  but this is an acceptable length.