Block ciphers Product ciphers • ‘Product’ = permutation + substitution • Iterated cipher = many rounds – Key schedule: • Key K is used to construct Nr round keys (subkeys) K1, …, KNr – Round function g: • stater = g(stater-1, Kr) • state0 = x The Encryption and Decryption Encryption Decryption Substitution-permutation network Attacks on block ciphers • Linear cryptanalysis • Differential cryptanalysis • (self-reading) The Data Encryption Standard (DES) History of DES • May 1973, the ational Institute of Standards and Technology ( IST) published a solicitation for cryptosystems • The Data Encryption Standard (DES), first version in 1975, developed by IBM, then became the standard in 1977 • DES was used for 20 years until AES appeared DES description • A type of iterated cipher • Block length: – Plaintext: 64 bits, – key: 56 bits, – Ciphertext :64 bits • Steps: – Initial permutation (IP) – 16 rounds of transformations – Inverse permutation (IP-1) DES—encryption process ? ? DES input-output Properties of four DES modes • ECB: identical plaintext blocks to get identical ciphertext blocks • ECB and OFB: any change in block xi only affects cipher block yi, not other In some situation such as unreliable communication channel, this is a good property E.g., OFB is used to encrypt satellite transmissions • CBC and CFB: if a block xi is changed, the cipher block yi and all subsequent blocks are changed This property is good for authentication E.g., these two modes can be used to generate Message Authentication Code (MAC) 27 Triple DES Three times slower, but can be billions of times more secure if used properly Key and Key can not be same, Key and can not be same 28 Advanced Encryption Standard (AES) 29 Advanced Encryption Standard (AES) • • • • Intended to replace DES Block length is 128 bits Key length is 128, or 192, or 256 bits Iterated cipher: Nr=10/12/14 rounds for key length 128/192/256 respectively • Of course, very secure No better known attack other than exhaustive key search 30 History of AES • In 1997, NIST needed an advanced encryption standard (AES) to replace DES • From 1998 to 2000, many cryptosystem candidates submitted The final ones were: MARS, RC6, Rijndael, Serpent, and Twofish • In 2000, Rijndael was selected for the AES Then become the standard in 2001 31 Advanced Encryption Standard (AES) • A private key encryption scheme • An US Federal Information Processing Standard (FIPS) PUB 197 http://csrc.nist.gov/publications/fips/fips197/fips197.pdf) • AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits • Each block passes through certain number of rounds of operations, depending on the key length • Each round contains four transformations, SubBytes, ShiftRows, MixColumns, AddRoundKey AES—brief description • Given a plaintext x (length 128 bits), initialize State to be x, and perform an operation ADDROU DKEY, which is xors the RoundKey with State • For each of first Nr-1 rounds, perform a substitution operation called SUBBYTES on State using an S-box; perform a permutation SHIFTROWS on State; State perform an operation MIXCOLUM S on State; and perform ADDROU DKEY on State • (Final round) perform SUBBYTES; perform SHIFTROWS; and perform ADDROU DKEY, all are on State 33 • Define the ciphertext y to be State AES States • Transition of input (message) bytes1 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf SubBytes Transformation1 S-box was derived from the calculations of binary polynomials based on some mathematical theories http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf ShiftRows Transformation1 http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf MixColumns Transformation1 A lookup table, derived from the calculations of binary polynomials based on some mathematical theories, is available http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf AddRoundKey Transformation1 Kl is a subkey originated from a key seed via a deterministic key expansion algorithm http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf AES Decryption • Each transformation is invertible, • Decryption can be done by performing the inverse of each operation in the opposite order from that for encryption, and using inverse S-Box and MixColunms and round keys in the reverse order Criteria for the selection of a cryptosystem 1) Security 2) Cost (speed and memory requirements) – – – Software Hardware Smart card 3) Algorithm and implementation characteristics • Rijndael was chosen for AES with the combination of all criteria 40 The end 41 ... 61 63 50 52 54 56 49 51 53 55 42 44 46 48 41 43 45 47 34 36 38 40 33 35 37 39 26 28 30 32 25 27 29 31 18 20 22 24 17 19 21 23 10 12 14 16 11 13 15 40 39 38 37 36 35 34 33 48 47 46 45 44 43 42... bits 56 bits) 57 49 41 33 58 50 42 10 59 51 19 11 60 63 55 47 39 62 54 46 14 61 53 21 13 28 25 34 43 52 31 38 45 20 (56 bits 48 bits) 17 26 18 35 27 44 36 23 15 30 22 37 29 12 Note: removing... bit 8,16,…,64 14 17 28 23 19 16 41 52 30 40 44 49 46 42 11 24 15 21 10 12 26 27 20 13 31 37 47 55 51 45 33 48 39 56 34 53 50 36 29 32 Note: removing bit 9,18,22,25 ,35 ,38 , 43, 54 19 Analysis of DES