# Classical Encryption Techniques - PowerPoint

Document Sample

```					 Modern Block Ciphers

CSE 651: Introduction to Network
Security
Summary
• Block Ciphers (Chapter 3)
• Feistel Cipher Structure (Chapter 3)
• DES: Data Encryption Standard (Ch. 3)
• 3DES (Ch 6.1)
• AES: Advanced Encryption Standard (Ch.
5.2)

2
Monoalphabetic Substitution Cipher

• Shuffle the letters and map each plaintext letter to a
different random ciphertext letter:
Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
• What does a key look like?

3
Playfair Key Matrix
•   Use a 5 x 5 matrix.
•   Fill in letters of the key (w/o duplicates).
•   Fill the rest of matrix with other letters.
•   E.g., key = MONARCHY.
M     O     N     A     R
C     H     Y     B     D
E     F     G     I/J   K
L     P     Q     S     T
U     V     W     X     Z
4
Vigenère Cipher
• Simplest polyalphabetic substitution cipher
• Consider the set of all Caesar ciphers:
{ Ca, Cb, Cc, ..., Cz }
• Key: e.g. security
• Encrypt each letter using Cs, Ce, Cc, Cu, Cr,
Ci, Ct, Cy in turn.
• Repeat from start after Cy.
• Decryption simply works in reverse.

5
Basic idea of modern block ciphers

• From classical ciphers, we learn two techniques
that may improve security:
– Encrypt multiple letters at a time
– Use multiple ciphertext alphabets (Polyalphabetic
ciphers)
• Combining these two techniques
– encrypt eight (or more) letters at a time
• called a block cipher
– and use an extremely large number of ciphertext
alphabets
• will be called modes of operation
1
Block Ciphers
• In general, a block cipher replaces a block of N plaintext bits
with a block of N ciphertext bits. (E.g., N = 64 or 128.)
• A block cipher is a monoalphabetic cipher.
• Each block may be viewed as a gigantic character.
• The “alphabet” consists of 2N gigantic characters.
• Each particular cipher is a one-to-one mapping from the
plaintext “alphabet” to the ciphertext “alphabet”.
• There are 2N! such mappings.
• A secret key indicates which mapping to use.

7
Ideal Block Cipher

• An ideal block cipher would allow us to use
any of these 2N! mappings.
– The key space would be extremely large.
• But this would require a key of log2(2N!) bits.
• If N = 64,
log2(2N!) ≈ N x 2N ≈ 1021 bits ≈ 1011 GB.
• Infeasible!
8
Practical Block Ciphers
• Modern block ciphers use a key of K bits to specify a
random subset of 2K mappings.
• If K ≈ N,
– 2K is much smaller than 2N!
– But is still very large.
• If the selection of the 2K mappings is random, the
resulting cipher will be a good approximation of the
ideal block cipher.
• Horst Feistel, in1970s, proposed a method to achieve
this.
9
The Feistel Cipher Structure
• Input: a data block and a key
• Partition the data block into two halves L and
R.
• Go through a number of rounds.
• In each round,
– R does not change.
– L goes through an operation that depends on R
and a round key derived from the key.

10
The Feistel
Cipher
Structure
i


Round i
Li-1        Ri-1

f     ki

+

Li           Ri
Mathematical Description of
Round i
 Let Li 1 and Ri 1 be the input of round i, and
Li and Ri the output.
 We have
Li : Ri 1
Ri : Li 1  F ( Ri 1 , K i )
 Or,      (Li , Ri ) :   i ( Li 1 , Ri 1 ), where
i : ( x, y )  ( x  F ( y , ki ), y ).
 : ( x, y )  ( y, x ).
 Note that i 1  i and  1  .
13
Feistel Cipher
 Goes through a number of rounds, say 16 rounds.
 A Feistel cipher encrypts a plaintext block m as:
c : Ek (m ) :     16    2    1 (m )
 The decryption will be:
Dk (c )  11   1  21   1  11   1   1 (c)
6

     1    2    16 ( c)
 The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
14
DES: The Data Encryption Standard

• Most widely used block cipher in the world.
• Adopted by NIST in 1977.
• Based on the Feistel cipher structure with 16
rounds of processing.
• Block = 64 bits
• Key = 56 bits
• What is specific to DES is the design of the F
function and how round keys are derived from
the main key.

15
Design Principles of DES
• To achieve high degree of diffusion and
confusion.
• Diffusion: making each plaintext bit affect
as many ciphertext bits as possible.
• Confusion: making the relationship
between the encryption key and the
ciphertext as complex as possible.

1
DES Encryption
Overview
Round Keys Generation
• Main key: 64 bits.
• 56-bits are selected and permuted using Permuted
Choice One (PC1); and then divided into two 28-bit
halves.
• In each round:
– Left-rotate each half separately by either 1 or 2
bits according to a rotation schedule.
– Select 24-bits from each half, and permute the
combined 48 bits.
– This forms a round key.
Permuted Choice One (PC1)

57   49   41   33   25   17    9
1   58   50   42   34   26   18
10    2   59   51   43   35   27
19   11    3   60   52   44   36
63   55   47   39   31   23   15
7   62   54   46   38   30   22
14    6   61   53   45   37   29
21   13    5   28   20   12    4

19
Initial Permutation IP
•   IP: the first step of the encryption.
•   It reorders the input data bits.
•   The last step of encryption is the inverse of IP.
•   IP and IP-1 are specified by tables (see
Stallings book, Table 3.2) or
http://en.wikipedia.org/wiki/DES_supplementar
y_material
Round i
Li-1             Ri-1

32

F             ki
48
32        32
+

Li                Ri
The F function of DES
 The L and R each have 32 bits, and the round key K 48 bits.

 The F function, on input R and K , produces 32 bits:

F ( R, K )  P  S  E ( R )  K  

where E : expands 32 bits to 48 bits;
S : shrinks it back to 32 bits;
P : permutes the 32 bits.

22
The F function of DES
The Expansion Permutation E
The S-Boxes
• Eight S-boxes each map 6 to 4 bits
• Each S-box is specified as a 4 x 16 table
– each row is a permutation of 0-15
– outer bits 1 & 6 of input are used to select one
of the four rows
– inner 4 bits of input are used to select a
column
• All the eight boxes are different.
Box S1

0       1   2   3   4 5 6       7       8 9 10 11 12 13 14 15
0 14        4 13    1   2 15 11         8   3 10   6 12    5   9   0   7
1       0 15    7   4 14    2 13        1 10   6 12 11     6   5   3   8
2       4   1 14    8 13    6   2 11 15 12         9   7   3 10    5   0
3 15 12         8   2   4   9   1       7   5 11   3 14 10     0   6 13

• For example, S1(101010) = 6 = 0110.

26
Permutation Function P
P
16   7    20   21
29   12   28   17
1   15   23   26
5   18   31   10
2   8    24   14
32   27   3    9
19   13   30   6
22   11   4    25

1
Avalanche Effect
• Avalanche effect:
– A small change in the plaintext or in the key results in a
significant change in the ciphertext.
– an evidence of high degree of diffusion and confusion
– a desirable property of any encryption algorithm

• DES exhibits a strong avalanche effect
– Changing 1 bit in the plaintext affects 34 bits in the
ciphertext on average.
– 1-bit change in the key affects 35 bits in the ciphertext on
average.
Attacks on DES
• Brute-force key search
– Needs only two plaintext-ciphertext samples
– Trying 1 key per microsecond would take 1000+ years on
average, due to the large key space size, 256 ≈ 7.2×1016.

• Differential cryptanalysis
– Possible to find a key with 247 plaintext-ciphertext samples
– Known-plaintext attack

• Liner cryptanalysis:
– Possible to find a key with 243 plaintext-ciphertext samples
– Known-plaintext attack

29
DES Cracker
• DES Cracker:
– A DES key search machine
– contains 1536 chips
– Cost: \$250,000.
– could search 88 billion keys per second
– won RSA Laboratory’s “DES Challenge II-2” by
successfully finding a DES key in 56 hours.
• DES is feeling its age. A more secure
cipher is needed.
30
Multiple Encryption with DES

• In 2001, NIST published the Advanced Encryption
Standard (AES) to replace DES.

• But users in commerce and finance are not ready to give
up on DES.

• As a temporary solution to DES’s security problem, one
may encrypt a message (with DES) multiple times using
multiple keys:
– 2DES is not much securer than the regular DES
– So, 3DES with either 2 or 3 keys is used
31
2DES
• Consider 2DES with two keys:
C = EK2(EK1(P))

• Decryption:   P = DK1(DK2(C))
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!

32
Meet-in-the-Middle Attack on 2DES
• 2-DES:        C = EK2(EK1(P))

P       EK1           EK2       C

• Given a known pair (P, C), attack as follows:
– Encrypt P with all 256 possible keys for K1.
– Decrypt C with all 256 possible keys for K2.
– If EK1’(P) = DK2’(C), try the keys on another (P’, C’).
– If works, (K1’, K2’) = (K1, K2) with high probability.
– Takes O(256) steps; not much more than attacking 1-DES.
33
3DES with 2 keys
 A straightforward implementation would be :

 
c : Ek1 Ek2 Ek1 (m)   
 
 In practice : c : Ek1 Dk2 Ek1 (m)   
 Also referred to as EDE encryption
 Reason : if k1  k2 , then 3DES  1DES.
Thus, a 3DES software can be used as a single-DES.
 Standardized in ANSI X9.17 & ISO 8732.
 No practical attacks are known.

34
3DES with 3 keys
 
 Encryption: c : Ek3 Dk2 Ek1 (m) .  
 If k1  k3 , it becomes 3DES with 2 keys.
 If k1  k2  k3 , it becomes the regular DES.
 So, it is backward compatible with both 3DES with 2 keys
and the regular DES.
 Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.

35
Standard
AES: Advanced Encryption Standard
• In1997, NIST began the process of choosing a
replacement for DES and called it the
• Requirements: block length of 128 bits, key
lengths of 128, 192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and
Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• But AES allows only one block size: 128 bits.

37
Modulo-2 Arithmetic
 There are only two numbers : 0 and 1.

 Addition, substraction and multiplication are as below:

 0 1            0 1             0 1
0 0 1            0 0 1           0 0 0
1 1 0           1 1 0            1 0 1

 Note: addition = substraction = XOR.
Byte-oriented operations
 Each byte is viewed as a polynomial of degree  7.

 Example:   a  10001001  x 7  x 3  1  A( x ).

b  10000010  x 7  x  B ( x ).

 Addition and substraction are simply bitwise XOR:

a  b  10001001  10000010  00001011  A( x )  B( x ).

a  b  10001001  10000010  00001011  A( x )  B ( x ).

39
Byte-oriented operations
 Multiplication ( ): "regular" polynomial multiplication ( )
modulo a fixed modulus P (x ), where
P( x )  x 8  x 4  x 3  x  1  100011011.
a  b  A( x )  B( x ) mod P( x )
 x14  x10  x 8  x 7  x 4  x mod P( x )
 x6  x5  x 4  x3  x 2  x  1
a  b  10001001  10000010 mod 100011011
= 100010110010010 mod 100011011
 01111111
40
Byte-oriented operations
 For any byte a (viewed as a polynomial), there is
a unique byte b (also viewed as a polynomial) such that
a  b  1.
 This element b is called the inverse of a, and is
denoted by a 1.
 Mathematically, the set of all polynomials of degrees  7
forms a field, GF(28 ), under the operation of addition and
multiplication mod P( x), where P( x) is a fixed modulus.

41
Structure of Rijndael
 N b : block size (number of words). For AES, N b  4.
 N k : key length (number of words).
 N r : number of rounds, depending on N b , N k .
 Assume: N b  4, N k  4, N r  10.
 state: a variable of 4 words, holding the data block,
viewed as a 4  4 matrix of bytes; each column is a word.
 Key schedule: 11 round keys key0 , key1 , , key10
computed from the main key k .

42
Rijndael algorithm  input: plaintext m , key k 
1   state  m
2   AddKey(state , key0 )
3   for i  1 to N r  1 do
4        SubBytes(state )
5        ShiftRows(state )
6        Mixcolumns(state )
7        AddKey( state, keyi )
8   SubBytes(state)
9   ShiftRows(state)
10   AddKey( state, key N r )
11    return(state)

43
Figure 5.1 AES Encryption and Decryption

44

state  state  keyi

45
SubBytes(state)
 Each byte z in the state matrix is substituted with
another byte SRD ( z )  Az 1  b.

 The substitution SRD ( z )  Az 1  b, called Rijndael's
S-box, is based on some mathematics in finite fields,
and can be specified as a table (Table 5.4 of Stallings).

46
 That is, treat z as an element in GF(28 ).
 Find its multiplicative inverse z 1 in GF(28 ).
 Now treat z 1 as a vector of 0/1.
 Multiply A with z 1 , and add the result to b.

10001111                1 
11000111                1 
11100011                0
11110001                0
A                  and b   
 11111000               0
 01111100               1 
 00111110               1 
 00011111               0
                         
47
ShiftRows(state)
 Left-shift row i circularly by i bytes, 0  i  3.

a    b    c   d a b c d
                         
e    f    g   h  f g h e

i     j   k   l  k l i j
                         
m    n    o   p  p m n o 

48
MixColumns(state)
 Operate on each column of the state matrix.
 Each column a  (a0 , a1 , a2 , a3 ) is substituted with
(b0 , b1 , b2 , b3 ), where

 b0   02          03 01 01     a0 
b     01          02 03 01    a 
 1                            1
 b2   01          01 02 03     a2 
                               
 b3   03          01 01 02     a3 
 Using finite-field multiplication and addition.

49
Math behind MixColumns(state)
 Operate on each column of the state matrix.
 Each column a  (a0 , a1 , a2 , a3 ) is viewed as a
polynomial :
a ( x )  a3 x3  a2 x 2 +a1 x  a0
 A fixed polynomial: c( x)  03x3  01x 2 +01x  02.
 Compute b( x)  b3 x  b2 x +b1 x  b0
3        2

= a( x)  c( x) mod (x 4  1)
 (a0 , a1 , a2 , a3 ) is substituted with (b0 , b1 , b2 , b3 )

50
Rijndael Decryption
 Each step of Rijndael encryption is invertible.

51
A Rijndael Animation by Enrique
Zabala

52

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 66 posted: 4/29/2010 language: English pages: 52