RC4, cont.
RC4 uses an arrangement of the numbers 0 to 255 (8 bits each) in an array S which changes over time.
S is a self-modifying lookup table.
It consists of two processes:
A key-based initialization algorithm to set up the initial permutation of S base
One Round of DES
Unit 3 - 41
DES Last Word (Almost)
An initial permutation is applied to the plaintext before round one and its inverse is applied after the final round. Halves are swapped after last round so the actual ciphertext is (R16,L16) instead of
Security of DES
Security of DES depends a lot on S-boxes.
Everything else in DES is linear.
Thirty years of intense analysis has revealed no back door.
Attacks today use exhaustive key search.
Conclusions:
Designers of DES knew what they were doing.
Designers o
Breaking DES
In June 1997 a DES-encrypted challenge message, sponsored by RSA Data Security Inc., was broken using a distributed brute force attack involving 10,000 computers; the key was recovered in 96 days. Several more DES Challenges have been broken,
Deep Crack
The machine, shown here running, tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key
Pictures from http://www.cryptography.com/resources/whitepapers/DES-photos.html
Block Cipher Notation
Triple DES
Today, 56 bit DES key is too small.
But DES is everywhere: what to do?
Triple DES or 3DES (112 bit key):
C = E(D(E(P,K1),K2),K1)
P = D(E(D(C,K1),K2),K1)
Why use Encrypt-Decrypt-Encrypt (EDE) with 2 keys?
Backward compatible: E(D(E(P,K),K),K) = E(
Advanced Encryption Standard
Since DES was becoming less reliable as new cryptanalysis techniques were developed, the National Institute of Standards and Technology (NIST) put out a notice in early 1999 requesting submissions for a new encryption standard
Initial Step
The process begins by grouping the plaintext bits into a column array by bytes.
The first four bytes form the first column; the second four bytes form the second column, and so on. If the block size is 128 bits then this becomes a 4x4 array.
DES Subkey - Shifting
For rounds i = 1, 2, ..., 16:
Let LK = (LK circular shift left by r_i)
Let RK = (RK circular shift left by r_i)
r_i is 1 for rounds 1, 2, 9 and 16, and in all other rounds r_i is 2
DES Subkey - Compression
Each half key LK and RK is nu
RC4 Keystream Generation
After the initialization phase, each keystream byte is generated by swapping table elements and selecting a byte according to the following algorithm:
i = (i + 1) mod 256
j = (j + S[i]) mod 256
swap(S[i], S[j])
t = (S[i] + S[j]) mod 2
Block Ciphers
An iterated block cipher splits the plaintext into fixed sized blocks and generates fixed sized blocks of ciphertext. The ciphertext is obtained from the plaintext by iterating a function F over some number of rounds. The function F, which d
Stream Ciphers
Stream ciphers were big in the past.
Efficient in hardware.
Speed needed to keep up with voice, etc.
Today, processors are fast, so software-based crypto is fast enough.
Future of stream ciphers?
Little effort to develop new stream ciphers in
Feistel Cipher
To decrypt, run the process backward. For $i = n, n-1, \ldots, 1$, the decryption rule is
$R_{i-1} = L_i$
$L_{i-1} = R_i \oplus F(R_{i-1}, K_i)$
The final result is the original plaintext:
$P = (L_0, R_0)$
Any round function F will work in a Feistel cipher, provided that
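The backward-running decryption rule above, as an added Python example (not code from the original slides). It assumes the usual Feistel encryption round L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i); the two round functions, the subkeys and the sample block are constructed for illustration, and neither F is invertible.

```python
import hashlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hash_f(half, subkey):
    # Not invertible: a SHA-256 digest truncated to the half-block size.
    return hashlib.sha256(subkey + half).digest()[:len(half)]


def zero_f(half, subkey):
    # Degenerate F that ignores its inputs. Decryption still works, security does not.
    return bytes(len(half))


def feistel_encrypt(block, subkeys, F=hash_f):
    if len(block) % 2 or len(block) > 64:
        raise ValueError("block must have an even length of at most 64 bytes")
    h = len(block) // 2
    L, R = block[:h], block[h:]
    for K in subkeys:                 # rounds i = 1, ..., n
        L, R = R, xor(L, F(R, K))     # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
    return L + R


def feistel_decrypt(block, subkeys, F=hash_f):
    h = len(block) // 2
    L, R = block[:h], block[h:]
    for K in reversed(subkeys):       # rounds i = n, ..., 1
        L, R = xor(R, F(L, K)), L     # R_{i-1} = L_i; L_{i-1} = R_i xor F(R_{i-1}, K_i)
    return L + R


# Constructed sample input: a 16-byte block and four subkeys.
SAMPLE_BLOCK = b"unit3-feistel-16"
SUBKEYS = [b"k1", b"k2", b"k3", b"k4"]

if __name__ == "__main__":
    c = feistel_encrypt(SAMPLE_BLOCK, SUBKEYS)
    print("ciphertext:", c.hex())
    print("decrypted :", feistel_decrypt(c, SUBKEYS))
    # With zero_f and an even number of rounds the halves just swap back.
    print("zero_f    :", feistel_encrypt(SAMPLE_BLOCK, SUBKEYS, zero_f))
```

Decryption never evaluates an inverse of F; it only recomputes F on a half that is already known, which is why a hash or even a constant function can be used.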
DES Numerology
DES is a Feistel cipher
64 bit block length
56 bit key length
16 rounds
48 bits of key used each round (subkey)
Each round is simple (for a block cipher)
Security depends primarily on S-boxes
Each S-box maps 6 bits to 4 bits
One Round of DES
Each stage of DES performs the same set of operations using a different subkey acting on the output of the previous stage. Those operations are defined in three processes: Expansion permutation process, expands (from 32 to 48 bits) and
Key schedule generates subkey
Each of the 16 stages uses a 48 bit subkey which is derived from the initial 64 bit key. The 56 bits are divided into left (LK) and right halves (RK). Each half is shifted left by 1 or 2 bit positions (it varies depending on
AES S-box
[Figure: AES S-box lookup table, indexed by the first 4 bits and the last 4 bits of the input]
AES ShiftRow
A row shift operation is applied to the output of the S-box in which the four rows of the column array are cyclically shifted to the left. The first row is shifted by 0, the sec
AES MixColumn
Column mixing is accomplished by a matrix multiplication operation.
The shifted column array is multiplied by a fixed matrix.
Nonlinear, invertible operation.
AES MixColumn
The mix column transformation mixes one column at a time.
AES AddRoundKey
The final operation adds a subkey derived from the original key to the column array.
This completes one round of AES.
RoundKey (subkey) determined by key schedule algorithm.
Recall
Each round uses 4 functions (in 3 layers)
ByteSub
Symmetric Key Crypto
Stream cipher: like a one-time pad.
Key is relatively short.
Key is stretched into a long keystream.
Keystream is then used like a one-time pad.
Employ confusion only.
Block cipher: based on transposition and codebook concept.
Block cipher ke
Stream Ciphers
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A stream cipher takes a key K of length n bits and stretches it into a long keystream (stream cipher function). To encrypt, this keystream is then XOR
Stream Ciphers, cont.
To decrypt ciphertext C, the same keystream S is again used:
$p_0 = c_0 \oplus s_0,\ p_1 = c_1 \oplus s_1,\ p_2 = c_2 \oplus s_2, \ldots$
Stream Ciphers, cont.
We'll discuss two examples of stream ciphers.
A5/1:
Based on shift registers
Used in GSM mobile phon
Shift Register
A shift register is a hardware device which:
shifts bits
saves bits
For example, a 4-bit shift register looks like:
[Figure: one step of a 4-bit shift register, from 1101 through 110 to 0110, with an input bit entering and an output bit leaving]
A5/1
A5/1 consists of 3 shift re
A5/1, cont.
When register X steps, the following occur
$t = x_{13} \oplus x_{16} \oplus x_{17} \oplus x_{18}$
$x_i = x_{i-1}$ for $i = 18, 17, 16, \ldots, 1$
$x_0 = t$
This can be illustrated as
[Figure: register X, bits x0 through x18, with the feedback bit t entering at x0]
A5/1, cont.
Let us define the majority vote function as follows. Given three bits x, y and z,
$\mathrm{maj}(x, y, z) = 0$ if the majority of x, y, and z are 0, and $\mathrm{maj}(x, y, z) = 1$ otherwise.
For example: maj(0,1,0) = 0 and maj(1,1,0) = 1
A5/1 is implemented in hardware, and at each clock pu
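The register X step and the majority vote above, combined into one A5/1 clock cycle, as an added Python example (not code from the original slides). The taps for registers Y and Z, the clocking bits x8, y10, z10 and the output bit x18 XOR y21 XOR z22 are the standard A5/1 values in this same bit-indexing convention and do not appear in the truncated slide text; the register fills are constructed sample values, and key loading is not modelled.

```python
def maj(x, y, z):
    """Majority vote of three bits."""
    return 1 if x + y + z >= 2 else 0


def step(reg, taps):
    """One register step: t = XOR of the tap bits, shift right by one, t enters at index 0."""
    t = 0
    for k in taps:
        t ^= reg[k]
    return [t] + reg[:-1]


X_TAPS = (13, 16, 17, 18)   # 19-bit register X (from the slide)
Y_TAPS = (20, 21)           # 22-bit register Y (assumed standard taps)
Z_TAPS = (7, 20, 21, 22)    # 23-bit register Z (assumed standard taps)


def a5_1_clock(X, Y, Z):
    """One clock pulse: only registers agreeing with the majority bit step."""
    m = maj(X[8], Y[10], Z[10])
    if X[8] == m:
        X = step(X, X_TAPS)
    if Y[10] == m:
        Y = step(Y, Y_TAPS)
    if Z[10] == m:
        Z = step(Z, Z_TAPS)
    return X, Y, Z, X[18] ^ Y[21] ^ Z[22]


def a5_1_keystream(X, Y, Z, n):
    out = []
    for _ in range(n):
        X, Y, Z, s = a5_1_clock(X, Y, Z)
        out.append(s)
    return out


def bits(s):
    return [int(c) for c in s]


# Constructed sample register fills (x0 is the leftmost character).
X0 = bits("1010101010101010101")
Y0 = bits("1100110011001100110011")
Z0 = bits("11100001111000011110000")

if __name__ == "__main__":
    print("first 16 keystream bits:", a5_1_keystream(X0, Y0, Z0, 16))
```

For this fill, maj(x8, y10, z10) = maj(1, 0, 1) = 1, so X and Z step while Y holds, and the first keystream bit is 1.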
Shift Register Crypto
Shift register-based crypto is efficient in hardware.
Harder to implement in software.
In the past, very popular.
Today, more is done in software due to faster processors.
Shift register crypto still used some
RC4
RC4 was dev