RC4, cont.
RC4 uses an arrangement of the numbers 0 to 255 (8 bits each) in an array S which changes over time
S is a self-modifying lookup table
It consists of two processes
A key-based initialization algorithm to set up the initial permutation of S base
RC4 Keystream Generation
After the initialization phase, each keystream byte is generated by swapping table elements and selecting a byte according to the following algorithm
    i = (i + 1) mod 256
    j = (j + S[i]) mod 256
    swap(S[i], S[j])
    t = (S[i] + S[j]) mod 2
Block Ciphers
An iterated block cipher splits the plaintext into fixed sized blocks and generates fixed sized blocks of ciphertext. The ciphertext is obtained from the plaintext by iterating a function F over some number of rounds. The function F, which d
Stream Ciphers
Stream ciphers were big in the past
Efficient in hardware
Speed needed to keep up with voice, etc.
Today, processors are fast, so software-based crypto is fast enough
Future of stream ciphers?
Little effort to develop new stream ciphers in
Feistel Cipher
To decrypt, run the process backward. For $i = n, n-1, \ldots, 1$, the decryption rule is
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(R_{i-1}, K_i)$
The final result is the original plaintext:
$P = (L_0, R_0)$
Any round function F will work in a Feistel cipher, provided that
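To make the point concrete, here is an added example (not from the course notes) of a generic Feistel network in Python. The round function chosen here is a truncated SHA-256 of the half-block and subkey, which is deliberately not invertible; decryption still recovers the plaintext because it only ever recomputes F, never inverts it. The subkeys and plaintext halves are constructed values.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(r: int, k: int) -> int:
    """F(R_{i-1}, K_i): a one-way function of the right half and subkey.
    Any F works in a Feistel cipher; this one cannot be inverted at all."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel_encrypt(left: int, right: int, subkeys: list, F=round_function):
    """Round i: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i)."""
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return left, right


def feistel_decrypt(left: int, right: int, subkeys: list, F=round_function):
    """Run backward for i = n..1: R_{i-1} = L_i, L_{i-1} = R_i xor F(R_{i-1}, K_i)."""
    for k in reversed(subkeys):
        right, left = left, right ^ F(left, k)
    return left, right


def constant_f(r: int, k: int) -> int:
    """An intentionally terrible F (ignores its input) to show the structure still inverts."""
    return 0x5A5A5A5A


if __name__ == "__main__":
    subkeys = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0xCAFEBABE]   # constructed
    plaintext = (0x11111111, 0x22222222)                           # constructed (L0, R0)
    ct = feistel_encrypt(*plaintext, subkeys)
    print(f"ciphertext = ({ct[0]:08x}, {ct[1]:08x})")
    print(feistel_decrypt(*ct, subkeys) == plaintext)              # True
```

The invertibility comes from the swap-and-XOR structure alone; the quality of F decides how hard the cipher is to break, not whether it can be decrypted.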
DES Numerology
DES is a Feistel cipher
64 bit block length
56 bit key length
16 rounds
48 bits of key used each round (subkey)
Each round is simple (for a block cipher)
Security depends primarily on S-boxes
Each S-box maps 6 bits to 4 bits
One Round of DES
Each stage of DES performs the same set of operations using a different subkey acting on the output of the previous stage. Those operations are defined in three processes: Expansion permutation process, expands (from 32 to 48 bits) and
Key schedule generates subkey
Each of the 16 stages uses a 48 bit subkey which is derived from the initial 64 bit key. The 56 bits are divided into left (LK) and right halves (RK). Each half is shifted left by 1 or 2 bit positions (it varies depending on
DES Subkey - Shifting
For rounds i = 1, 2, ..., 16
Let LK = (LK circular shift left by r_i)
Let RK = (RK circular shift left by r_i)
r_i is 1 for rounds 1, 2, 9 and 16, and in all other rounds r_i is 2
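An added example (not the course's code) of the shifting step in Python. It rotates the two 28-bit halves through all 16 rounds using the r_i schedule above and checks a property worth knowing for decryption: the shifts sum to 28, so after round 16 both halves are back at their starting values, and the subkeys in reverse order can be produced by rotating right from there. The permuted-choice compressions that pick 48 of the 56 bits are not implemented here; the 56-bit key is a constructed value, and this code assumes it has already had the parity bits dropped.

```python
MASK28 = 0x0FFFFFFF
# r_i for rounds 1..16 as given on the slide: 1 for rounds 1, 2, 9, 16; 2 otherwise
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rotl28(x: int, n: int) -> int:
    """Circular left shift of a 28-bit half."""
    return ((x << n) | (x >> (28 - n))) & MASK28


def rotr28(x: int, n: int) -> int:
    """Circular right shift of a 28-bit half (used to walk the schedule backward)."""
    return ((x >> n) | (x << (28 - n))) & MASK28


def split_halves(key56: int) -> tuple:
    """LK is the high 28 bits, RK the low 28 bits of the 56-bit key."""
    return (key56 >> 28) & MASK28, key56 & MASK28


def encrypt_schedule(key56: int) -> list:
    """(LK, RK) after the shift of each round 1..16, in encryption order."""
    lk, rk = split_halves(key56)
    halves = []
    for r in SHIFTS:
        lk, rk = rotl28(lk, r), rotl28(rk, r)
        halves.append((lk, rk))
    return halves


def decrypt_schedule(key56: int) -> list:
    """Same halves in reverse order (rounds 16..1) without running the forward schedule:
    the shifts total 28 bits, so round 16's halves equal the original key; rotate right from there."""
    lk, rk = split_halves(key56)
    halves = []
    for r in reversed(SHIFTS):
        halves.append((lk, rk))
        lk, rk = rotr28(lk, r), rotr28(rk, r)
    return halves


if __name__ == "__main__":
    key56 = 0x0F1E2D3C4B5A69          # constructed 56-bit key (parity bits already removed)
    fwd = encrypt_schedule(key56)
    print(sum(SHIFTS), fwd[-1] == split_halves(key56))          # 28 True
    print(decrypt_schedule(key56) == list(reversed(fwd)))        # True
```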
DES Subkey - Compression
Each half key LK and RK is nu
One Round of DES
DES Last Word (Almost)
An initial permutation is applied to the plaintext before round one and its inverse is applied after the final round. Halves are swapped after last round so the actual ciphertext is (R16,L16) instead of
Security of DES
Security of DES depends a lot on S-boxes
Everything else in DES is linear
Thirty years of intense analysis has revealed no back door
Attacks today use exhaustive key search
Conclusions
Designers of DES knew what they were doing
Designers o
Breaking DES
In June 1997 a DES-encrypted challenge message, sponsored by RSA Data Security Inc., was broken using a distributed brute force attack involving 10,000 computers; the key was recovered in 96 days. Several more DES Challenges have been broken,
Deep Crack
The machine, shown here running, tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key
Pictures from http://www.cryptography.com/resources/whitepapers/DES-photos.html
Block Cipher Notation
Triple DES
Today, 56 bit DES key is too small
But DES is everywhere: What to do?
Triple DES or 3DES (112 bit key)
C = E(D(E(P,K1),K2),K1)
P = D(E(D(C,K1),K2),K1)
Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys?
Backward compatible: E(D(E(P,K),K),K) = E(
Advanced Encryption Standard
Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard
Initial Step
The process begins by grouping the plaintext bits into a column array by bytes.
The first four bytes form the first column; the second four bytes form the second column, and so on. If the block size is 128 bits then this becomes a 4x4 array.
AES S-box
(S-box lookup table: rows indexed by the first 4 bits of the input, columns by the last 4 bits of the input)
AES ShiftRow
A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left. The first row is shifted by 0, the sec
AES MixColumn
Column mixing is accomplished by a matrix multiplication operation. The shifted column array is multiplied by a fixed matrix
Nonlinear, invertible operation
AES MixColumn
The mix column transformation mixes one column at a time.
AES AddRoundKey
The final operation adds a subkey derived from the original key to the column array
This completes one round of AES
RoundKey (subkey) determined by key schedule algorithm
Recall
Each round uses 4 functions (in 3 layers)
ByteSub
IDEA
The International Data Encryption Algorithm (IDEA), invented by James Massey
One of the giants of modern crypto
IDEA has 64-bit block, 128-bit key
IDEA uses mixed-mode arithmetic: addition modulo 2 (XOR) with addition modulo 2^16
Combine different math
AES Decryption
To decrypt, process must be invertible
Inverse of AddRoundKey is easy, since XOR is its own inverse
MixColumn is invertible (inverse matrix multiplication)
Inverse of ShiftRow is easy (cyclic shift the other direction)
ByteSub is invertible
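As an added worked example (not the course's or NIST's reference code), one AES round and its inverse over the 4x4 column-major state described in the Initial Step, ShiftRow, MixColumn and AddRoundKey slides. Instead of pasting the 256-entry S-box, it computes each entry as the GF(2^8) inverse followed by the standard affine map, and derives the inverse box from it; MixColumn is done with the fixed matrix and its inverse. The key schedule is not shown on these slides and is not implemented: the round key below is a constructed 16-byte constant.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (inv(0) is taken as 0, as AES does)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def build_sbox() -> list:
    """S-box entry = affine transform (b ^ rotl(b,1..4) ^ 0x63) of the field inverse."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def to_state(block: bytes) -> list:
    """Column-major 4x4 state: the first four bytes form the first column."""
    return [[block[4 * c + r] for c in range(4)] for r in range(4)]


def from_state(st: list) -> bytes:
    return bytes(st[r][c] for c in range(4) for r in range(4))


def sub_bytes(st: list, box=SBOX) -> list:
    return [[box[v] for v in row] for row in st]


def shift_rows(st: list, inverse: bool = False) -> list:
    """Row r is cyclically shifted left by r (right by r when inverting)."""
    out = []
    for r, row in enumerate(st):
        k = (-r if inverse else r) % 4
        out.append(row[k:] + row[:k])
    return out


def mix_column(col: list, m=MIX) -> list:
    """Multiply one column by the fixed matrix over GF(2^8)."""
    return [gf_mul(m[r][0], col[0]) ^ gf_mul(m[r][1], col[1])
            ^ gf_mul(m[r][2], col[2]) ^ gf_mul(m[r][3], col[3]) for r in range(4)]


def mix_columns(st: list, m=MIX) -> list:
    cols = [mix_column([st[r][c] for r in range(4)], m) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(st: list, round_key: bytes) -> list:
    """XOR the round key into the state; XOR is its own inverse."""
    ks = to_state(round_key)
    return [[st[r][c] ^ ks[r][c] for c in range(4)] for r in range(4)]


def aes_round(st: list, round_key: bytes) -> list:
    return add_round_key(mix_columns(shift_rows(sub_bytes(st))), round_key)


def aes_inv_round(st: list, round_key: bytes) -> list:
    st = add_round_key(st, round_key)       # undo AddRoundKey (self-inverse)
    st = mix_columns(st, INV_MIX)           # undo MixColumn with the inverse matrix
    st = shift_rows(st, inverse=True)       # undo ShiftRow by shifting the other way
    return sub_bytes(st, INV_SBOX)          # undo ByteSub with the inverse S-box


if __name__ == "__main__":
    round_key = bytes(range(16))            # constructed; a real subkey comes from the key schedule
    state = to_state(bytes(range(16, 32)))  # constructed 128-bit block
    out = aes_round(state, round_key)
    print(from_state(out).hex())
    print(aes_inv_round(out, round_key) == state)   # True
```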
RC6
Invented by Ron Rivest
Variables
Block size
Key size
Number of rounds
An AES finalist
Uses data dependent rotations
Unusual to rely on data as part of algorithm
Tiny Encryption Algorithm (TEA)
64 bit block, 128 bit key
Assumes 32-bit arith
TEA Encryption
Assuming 32 rounds:
    (K[0],K[1],K[2],K[3]) = 128 bit key
    (L,R) = plaintext (64-bit block)
    delta = 0x9e3779b9
    sum = 0
    for i = 1 to 32
        sum += delta
        L += ((R<<4)+K[0]) ⊕ (R+sum) ⊕ ((R>>5)+K[1])
        R += ((L<<4)+K[2]) ⊕ (L+sum) ⊕ ((L>>5)+K[3])
    next i
    ciphertext = (
Multiple Blocks
How to encrypt multiple blocks?
A new key for each block? As bad as (or worse than) a one-time pad!
Encrypt each block independently?
Make encryption depend on previous block(s), i.e., chain the blocks together?
How to handle partial block
TEA comments
Almost a Feistel cipher
Uses + and - instead of ⊕ (XOR)
Simple, easy to implement, fast, low memory requirement, etc.
Possibly a related key attack
eXtended TEA (XTEA) eliminates related key attack (slightly more complex)
Simplified TEA (STEA)
ECB Mode
Notation: C = E(P,K)
Given plaintext P0, P1, ..., Pm, the obvious way to use a block cipher is
Encrypt: C0 = E(P0, K), C1 = E(P1, K), C2 = E(P2, K), ...
Decrypt: P0 = D(C0, K), P1 = D(C1, K), P2 = D(C2, K), ...
For a fixed key K, this is an electronic version of a code
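One added example (not the course's code) serving three of the slides above: the TEA encryption loop with its matching decryption, the Encrypt-Decrypt-Encrypt construction from the Triple DES slide built on top of it (TEA stands in for DES here because TEA is fully specified on these slides; the EDE algebra is identical), and ECB mode as written in the Encrypt/Decrypt lines above. Keys and messages are constructed values. The ECB helper accepts only whole blocks, since the slides leave partial-block handling as an open question.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def tea_encrypt(block: tuple, key: tuple, rounds: int = 32) -> tuple:
    """One 64-bit block (L, R) under a 128-bit key (K0..K3), following the TEA slide."""
    l, r = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        l = (l + ((((r << 4) & MASK) + k0) ^ (r + s) ^ ((r >> 5) + k1))) & MASK
        r = (r + ((((l << 4) & MASK) + k2) ^ (l + s) ^ ((l >> 5) + k3))) & MASK
    return l, r


def tea_decrypt(block: tuple, key: tuple, rounds: int = 32) -> tuple:
    """Run the rounds backward: subtract what encryption added, with sum counting down."""
    l, r = block
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        r = (r - ((((l << 4) & MASK) + k2) ^ (l + s) ^ ((l >> 5) + k3))) & MASK
        l = (l - ((((r << 4) & MASK) + k0) ^ (r + s) ^ ((r >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return l, r


def ede_encrypt(block: tuple, k1: tuple, k2: tuple) -> tuple:
    """C = E(D(E(P,K1),K2),K1): with K1 == K2 this collapses to single encryption."""
    return tea_encrypt(tea_decrypt(tea_encrypt(block, k1), k2), k1)


def ede_decrypt(block: tuple, k1: tuple, k2: tuple) -> tuple:
    """P = D(E(D(C,K1),K2),K1)."""
    return tea_decrypt(tea_encrypt(tea_decrypt(block, k1), k2), k1)


def bytes_to_block(b: bytes) -> tuple:
    return int.from_bytes(b[:4], "big"), int.from_bytes(b[4:8], "big")


def block_to_bytes(blk: tuple) -> bytes:
    return blk[0].to_bytes(4, "big") + blk[1].to_bytes(4, "big")


def ecb_encrypt(data: bytes, key: tuple) -> bytes:
    """C_i = E(P_i, K) for each block independently; whole blocks only."""
    if len(data) % 8:
        raise ValueError("ECB as shown on the slide needs a multiple of the 8-byte block")
    return b"".join(block_to_bytes(tea_encrypt(bytes_to_block(data[i:i + 8]), key))
                    for i in range(0, len(data), 8))


def ecb_decrypt(data: bytes, key: tuple) -> bytes:
    """P_i = D(C_i, K)."""
    return b"".join(block_to_bytes(tea_decrypt(bytes_to_block(data[i:i + 8]), key))
                    for i in range(0, len(data), 8))


if __name__ == "__main__":
    k1 = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)   # constructed
    k2 = (0xDEADBEEF, 0xCAFEBABE, 0x01234567, 0x89ABCDEF)   # constructed
    pt = (0x01234567, 0x89ABCDEF)
    print(tea_decrypt(tea_encrypt(pt, k1), k1) == pt)        # True
    print(ede_encrypt(pt, k1, k1) == tea_encrypt(pt, k1))    # True: backward compatible
    msg = b"ABCDEFGH" * 2                                    # two identical blocks
    ct = ecb_encrypt(msg, k1)
    print(ct[:8] == ct[8:])                                  # True: ECB is a code book
```

The last line is the "electronic code book" property stated on the slide: for a fixed key, equal plaintext blocks always map to equal ciphertext blocks, which is the reason the chaining alternatives on the Multiple Blocks slide exist.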