Cryptography

Funny and serious stuff

The language of cryptography

symmetric key crypto: sender, receiver keys identicalpublic-key crypto: encryption key public, decryption key

secret (private)

plaintext plaintextciphertext

KA

encryptionalgorithm

decryption algorithm

Alice’s encryptionkey

Bob’s decryptionkey

KB

Symmetric key cryptography

Substitution cipher: substituting one thing for another- e.g. Caesar cipher substituting every letter of a plaintext by a letter that is K letters later (allowing wrap around).

For example if K = 3 than the letter “a” in plaintext becomes “d” in ciphertext.

Value of K serves as the key. This cipher is pretty easy to break as there are only 25 possible key values.

Symmetric key cryptographyImprovement over the Caesar cipher is monoalphabetic

cipher: substitute one letter for another but without a specific pattern :

plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: mnbvcxzasdfghjklpoiuytrewq

Plaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbc

E.g.:

Q: How hard to break this simple cipher?: brute force (how hard?) other?

Symmetric key cryptography

• Polyalphabetic encryption –

Using multiple monoalphabetic ciphers, with a specific monoalphabetic cipher to encode a letter in a specific position in the plaintext message. For example we may use two Caesar ciphers with k1 =5 and k2=19 in repeating pattern C1, C2, C2, C1, C2

To break such a cipher it is necessary to know the keys and the pattern.

Symmetric key cryptography

symmetric key crypto: Bob and Alice share (know) same (symmetric) key: K

• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

• Q: how do Bob and Alice agree on key value?

plaintextciphertext

KA-B

encryptionalgorithm

decryption algorithm

A-B

KA-B

plaintextmessage, m

K (m)A-B

K (m)A-Bm = K ( )

A-B

Symmetric key crypto: DES

DES: Data Encryption Standard• US encryption standard [NIST 1993]• 56-bit symmetric key, 64-bit plaintext input• How secure is DES?

– DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months

– no known “backdoor” decryption approach• making DES more secure:

– use three keys sequentially (3-DES) on each datum– use cipher-block chaining

Symmetric key crypto: DES

initial permutation 16 identical “rounds” of

function application, each using different 48 bits of key

final permutation

DES operation

Chapter 2Chapter 2Symmetric Symmetric Encryption Encryption Message Message

ConfidentialityConfidentiality

OutlineOutline

• Symmetric Encryption Principles• Symmetric Encryption Algorithms• Cipher Block Modes of Operation• Location of Encryption Devices• Key Distribution

Symmetric Encryption Symmetric Encryption PrinciplesPrinciples

• An encryption scheme has five ingredients:– Plaintext– Encryption algorithm– Secret Key– Ciphertext– Decryption algorithm

• Security depends on the secrecy of the key, not the secrecy of the algorithm

Symmetric Encryption Symmetric Encryption PrinciplesPrinciples

CryptographyCryptography

• Classified along three independent dimensions:– The type of operations used for

transforming plaintext to ciphertext– The number of keys used

• symmetric (single key)• asymmetric (two-keys, or public-key encryption)

– The way in which the plaintext is processed

CryptanalysisCryptanalysis• Ciphertext only:

– most difficult,– brute force approach of trying all possible

keys,– the easiest to defend,

• Ciphertext and plaintext pair:– known pattern in a file as well,– probable-word attack (e.g. placement of

certain key words in the header of a file)– key can be deduced,

CryptanalysisCryptanalysis

• Chosen plaintext:– analyst get the source system to insert into

the system a message chosen by the analyst,– plaintext message chosen by cryptanalyst,

together with its corresponding decrypted plaintext generated with the secret key,

CryptanalysisCryptanalysis

• Chosen ciphertext:– purported ciphertext chosen by the

analyst, together with its corresponding decrypted plaintext generated with the secret key

Computational security of an encryption

• The cost of breaking the cipher exceeds the value of the encrypted information,

• the time required to break the cipher exceeds the useful lifetime of the information

Average time required Average time required for exhaustivefor exhaustive key key

search search Key Size (bits)

Number of Alternative Keys

Time required at 106 Decryption/µs

32 232 = 4.3 x 109 2.15 milliseconds

56 256 = 7.2 x 1016 10 hours

128 2128 = 3.4 x 1038 5.4 x 1018 years

168 2168 = 3.7 x 1050 5.9 x 1030 years

Feistel Cipher StructureFeistel Cipher Structure

• Virtually all conventional block encryption algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973

• The realization of a Feistel Network depends on the choice of the following parameters and design features (see next slide):

Feistel Cipher StructureFeistel Cipher Structure• Block size: larger block sizes mean greater

security• Key Size: larger key size means greater

security• Number of rounds: multiple rounds offer

increasing security• Subkey generation algorithm: greater

complexity will lead to greater difficulty of cryptanalysis.

• Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern

Symmetric Encryption Symmetric Encryption AlgorithmsAlgorithms

• Data Encryption Standard (DES)– The most widely used encryption

scheme– The algorithm is referred to as the Data

Encryption Algorithm (DEA)– DES is a block cipher– The plaintext is processed in 64-bit

blocks– The key is 56-bits in length

DESDES

• The overall processing at each iteration:– Li = Ri-1

– Ri = Li-1 F(Ri-1, Ki)

• Concerns about:– The algorithm and the key length

(56-bits)

Time to break a code Time to break a code (10(1066 decryptions/µs) decryptions/µs)

Triple DEATriple DEA

• Uses three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)

• C = ciphertext• P = Plaintext• EK[X] = encryption of X using key K• DK[Y] = decryption of Y using key K

• Effective key length of 168 bits

C = EK3[DK2[EK1[P]]]

Triple DEATriple DEA

AES: Advanced Encryption Standard

• new (Nov. 2001) symmetric-key NIST standard, replacing DES

• processes data in 128 bit blocks

• 128, 192, or 256 bit keys

• brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Origins

• clear a replacement for DES was needed– have theoretical attacks that can break it– have demonstrated exhaustive key search attacks

• can use Triple-DES – but slow with small blocks• US NIST issued call for ciphers in 1997• 15 candidates accepted in Jun 98 • 5 were short-listed in Aug-99 • Rijndael was selected as the AES in Oct-2000• issued as FIPS PUB 197 standard in Nov-2001

AES Requirements

• private key symmetric block cipher • 128-bit data, 128/192/256-bit keys • stronger & faster than Triple-DES • active life of 20-30 years (+ archival use) • provide full specification & design details • both C & Java implementations• NIST have released all submissions & unclassified

analyses

AES Evaluation Criteria

• initial criteria:– security – effort to practically cryptanalyse

– cost – computational

– algorithm & implementation characteristics

• final criteria– general security

– software & hardware implementation ease

– implementation attacks

– flexibility (in en/decrypt, keying, other factors)

AES Shortlist

• after testing and evaluation, shortlist in Aug-99: – MARS (IBM) - complex, fast, high security margin – RC6 (USA) - v. simple, v. fast, low security margin – Rijndael (Belgium) - clean, fast, good security margin – Serpent (Euro) - slow, clean, v. high security margin – Twofish (USA) - complex, v. fast, high security margin

• then subject to further analysis & comment• saw contrast between algorithms with

– few complex rounds verses many simple rounds – which refined existing ciphers verses new proposals

The AES Cipher - Rijndael

• designed by Rijmen-Daemen in Belgium • has 128/192/256 bit keys, 128 bit data • an iterative rather than feistel cipher

– treats data in 4 groups of 4 bytes– operates an entire block in every round

• designed to be:– resistant against known attacks– speed and code compactness on many CPUs– design simplicity

Rijndael

• processes data as 4 groups of 4 bytes (state)• has 9/11/13 rounds in which state undergoes:

– byte substitution (1 S-box used on every byte) – shift rows (permute bytes between groups/columns) – mix columns (subs using matrix multiply of groups) – add round key (XOR state with key material)

• initial XOR key material & incomplete last round• all operations can be combined into XOR and

table lookups - hence very fast & efficient

Rijndael

Byte Substitution

• a simple substitution of each byte• uses one table of 16x16 bytes containing a

permutation of all 256 8-bit values• each byte of state is replaced by byte in row (left 4-

bits) & column (right 4-bits)– eg. byte {95} is replaced by row 9 col 5 byte– which is the value {2A}

• S-box is constructed using a defined transformation of the values in GF(28)

• designed to be resistant to all known attacks

Shift Rows

• a circular byte shift in each row– 1st row is unchanged– 2nd row does 1 byte circular shift to left– 3rd row does 2 byte circular shift to left– 4th row does 3 byte circular shift to left

• decrypt does shifts to right• since state is processed by columns, this

step permutes bytes between the columns

Mix Columns

• each column is processed separately

• each byte is replaced by a value dependent on all 4 bytes in the column

• effectively a matrix multiplication in GF(28) using prime poly m(x) =x8+x4+x3+x+1

Add Round Key

• XOR state with 128-bits of the round key

• again processed by column (though effectively a series of byte operations)

• inverse for decryption is identical since XOR is own inverse, just with correct round key

• designed to be as simple as possible

AES Round

AES Key Expansion

• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words

• start by copying key into first 4 words• then loop creating words that depend on values in

previous & 4 places back– in 3 of 4 cases just XOR these together– every 4th has S-box + rotate + XOR constant of

previous before XOR together

• designed to resist known attacks

AES Decryption

• AES decryption is not identical to encryption since steps done in reverse

• but can define an equivalent inverse cipher with steps as for encryption– but using inverses of each step– with a different key schedule

• works since result is unchanged when– swap byte substitution & shift rows– swap mix columns & add (tweaked) round key

Implementation Aspects

• can efficiently implement on 8-bit CPU– byte substitution works on bytes using a table

of 256 entries– shift rows is simple byte shifting– add round key works on byte XORs– mix columns requires matrix multiply in GF(28)

which works on byte values, can be simplified to use a table lookup

Implementation Aspects

• can efficiently implement on 32-bit CPU– redefine steps to use 32-bit words

– can pre-compute 4 tables of 256-words

– then each column in each round can be computed using 4 table lookups + 4 XORs

– at a cost of 16Kb to store tables

• designers believe this very efficient implementation was a key factor in its selection as the AES cipher

Other Symmetric Block Other Symmetric Block CiphersCiphers

• International Data Encryption Algorithm (IDEA)– 128-bit key– Used in PGP

• Blowfish– Easy to implement– High execution speed – Runs in less than 5K of memory

Other Symmetric Block Other Symmetric Block CiphersCiphers

• RC5– Suitable for hardware and software– Fast, simple– Adaptable to processors of different word lengths– Variable number of rounds– Variable-length key– Low memory requirement– High security– Data-dependent rotations

• Cast-128– Key size from 40 to 128 bits– The round function differs from round to round