IDEA, RC5

Modes of operation of block ciphers

ECE 646 - Lecture 8

Required Reading:

I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 6 Block Cipher Operation

II. A. Menezes, P. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography”, 7.6 IDEA 7.7.2 RC5 7.2.2 Modes of Operation

IDEA

IDEA – X. Lai, J. Massey, ETH, 1990-91

•  128-bit key (a billion machines, each checking a billion keys per second, would still need 10 trillion years to check all keys)

•  used in PGP (Pretty Good Privacy) – the most popular public domain program for secure e-mail

•  constructed to provide an absolute resistance against differential cryptanalysis

Three basic operations (on 16-bit words X and K):

  Y = X ⊕ K                      bit-wise XOR
  Y = X · K mod (2^16 + 1)       multiplication modulo 2^16 + 1, where the 16-bit value 0 represents 2^16
  Y = X + K mod 2^16             addition modulo 2^16

Corresponding inverse operations:

  X = Y ⊕ K
  X = Y · K^-1 mod (2^16 + 1)    K^-1 is the multiplicative inverse of K modulo 2^16 + 1 (0 again represents 2^16)
  X = Y + (−K) mod 2^16          −K is the additive inverse of K modulo 2^16

Half-round of IDEA: Transformation

Forward transformation (subkeys Ka, Kb, Kc, Kd; the outer words are multiplied, the inner words are added):

  Ya = Xa · Ka
  Yb = Xb + Kb
  Yc = Xc + Kc
  Yd = Xd · Kd

Inverse transformation (the corresponding inverse operations with Ka^-1, −Kb, −Kc, Kd^-1):

  Xa = Ya · Ka^-1
  Xb = Yb + (−Kb)
  Xc = Yc + (−Kc)
  Xd = Yd · Kd^-1

Half-round of IDEA: Sub-encryption

Forward transformation (MANGLER FUNCTION with subkeys Ke, Kf):

  Win = Xa ⊕ Xb
  Vin = Xc ⊕ Xd
  (Wout, Vout) = Mangler(Win, Vin, Ke, Kf)
  Ya = Xa ⊕ Wout
  Yb = Xb ⊕ Wout
  Yc = Xc ⊕ Vout
  Yd = Xd ⊕ Vout

Inverse transformation: the same mangler output is recomputed, because Ya ⊕ Yb = Xa ⊕ Xb = Win and Yc ⊕ Yd = Xc ⊕ Xd = Vin (the XORs with Wout and Vout cancel):

  Win = Ya ⊕ Yb
  Vin = Yc ⊕ Yd
  (Wout, Vout) = Mangler(Win, Vin, Ke, Kf)
  Xa = Ya ⊕ Wout
  Xb = Yb ⊕ Wout
  Xc = Yc ⊕ Vout
  Xd = Yd ⊕ Vout

IDEA Mangler Function (figure): inputs Win and Vin, subkeys Ke and Kf, outputs Wout and Vout; it consists of two multiplications modulo 2^16 + 1 (by Ke and by Kf) and two additions modulo 2^16.

IDEA – Key Scheduling

The 128-bit key K is divided into eight 16-bit subkeys Z1 Z2 Z3 Z4 Z5 Z6 Z7 Z8.
K is then rotated 25 positions left and divided again into Z9 Z10 Z11 Z12 Z13 Z14 Z15 Z16.
Rotating 25 positions left and dividing is repeated until all subkeys are generated (52 subkeys in total: 6 per round for 8 rounds plus 4 for the output transformation).
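As an added example, not part of the lecture, here are the three IDEA operations, both half-rounds with their inverses, the 25-bit-rotation key schedule and a complete encryption/decryption assembled from them, in Python. The word order follows the standard description of IDEA (the mangler inputs are x1 ⊕ x3 and x2 ⊕ x4), which is the slides' Xa ⊕ Xb and Xc ⊕ Xd up to the labelling of the two inner words; decryption is done the way the slides describe it, by applying the inverse of each half-round in reverse order rather than by a separate decryption key schedule. All function names are this example's own; the check at the end uses the published IDEA test vector.

```python
MOD_ADD = 1 << 16          # addition is modulo 2^16
MOD_MUL = (1 << 16) + 1    # multiplication is modulo 2^16 + 1 (65537, a prime)


def mul(a, b):
    """X · K mod (2^16 + 1); the 16-bit value 0 stands for 2^16."""
    a = a or MOD_ADD
    b = b or MOD_ADD
    return (a * b % MOD_MUL) & 0xFFFF   # the residue 2^16 is written back as 0


def mul_inv(k):
    """K^-1 mod (2^16 + 1) via Fermat's little theorem, same 0 <-> 2^16 convention."""
    return pow(k or MOD_ADD, MOD_MUL - 2, MOD_MUL) & 0xFFFF


def add(a, b):
    """X + K mod 2^16."""
    return (a + b) & 0xFFFF


def add_inv(k):
    """-K mod 2^16."""
    return (-k) & 0xFFFF


def transform(x, k):
    """Half-round 'transformation': outer words multiplied, inner words added."""
    return [mul(x[0], k[0]), add(x[1], k[1]), add(x[2], k[2]), mul(x[3], k[3])]


def inverse_transform(y, k):
    """Its inverse: multiply by K^-1 and add -K (the inverse operations of the slides)."""
    return [mul(y[0], mul_inv(k[0])), add(y[1], add_inv(k[1])),
            add(y[2], add_inv(k[2])), mul(y[3], mul_inv(k[3]))]


def mangle(x, ke, kf):
    """Half-round 'sub-encryption'. The mangler inputs (x1^x3, x2^x4) are not
    changed by the output XORs, so this function is its own inverse."""
    w_in, v_in = x[0] ^ x[2], x[1] ^ x[3]
    t = mul(w_in, ke)
    w_out = mul(add(t, v_in), kf)
    v_out = add(t, w_out)
    return [x[0] ^ w_out, x[1] ^ v_out, x[2] ^ w_out, x[3] ^ v_out]


def key_schedule(key):
    """52 subkeys: eight 16-bit words of the key, then rotate 25 bits left, repeat."""
    if len(key) != 16:
        raise ValueError("IDEA needs a 128-bit key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (112 - 16 * i)) & 0xFFFF for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return subkeys[:52]


def _swap_inner(x):
    return [x[0], x[2], x[1], x[3]]


def _words(block):
    return [int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2)]


def _bytes(words):
    return b"".join(w.to_bytes(2, "big") for w in words)


def encrypt_block(block, subkeys):
    x = _words(block)
    for r in range(8):
        x = transform(x, subkeys[6 * r:6 * r + 4])
        x = mangle(x, subkeys[6 * r + 4], subkeys[6 * r + 5])
        if r < 7:                       # inner words are swapped between rounds only
            x = _swap_inner(x)
    return _bytes(transform(x, subkeys[48:52]))   # output transformation


def decrypt_block(block, subkeys):
    """Decryption as the slides present it: each half-round inverted, in reverse order."""
    x = inverse_transform(_words(block), subkeys[48:52])
    for r in reversed(range(8)):
        if r < 7:
            x = _swap_inner(x)
        x = mangle(x, subkeys[6 * r + 4], subkeys[6 * r + 5])   # involution
        x = inverse_transform(x, subkeys[6 * r:6 * r + 4])
    return _bytes(x)


if __name__ == "__main__":
    # Published IDEA test vector: key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003.
    ks = key_schedule(bytes.fromhex("00010002000300040005000600070008"))
    ct = encrypt_block(bytes.fromhex("0000000100020003"), ks)
    print(ct.hex())   # 11fbed2b01986de5
```

Note that mul(0, 0) == 1 and mul_inv(0) == 0: treating the 16-bit zero as 2^16 is exactly what makes multiplication modulo 2^16 + 1 a bijection on 16-bit words, and getting that corner case wrong is the classic IDEA implementation bug that a test vector catches.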

RC5

RC5 – Ron Rivest, MIT, 1994
(Ron's Code 5, Rivest's Cipher 5)

•  variable key length (40 bits in the former export version, 128 bits to achieve the same strength as IDEA)

•  variable block size (depends on the processor word length)

•  variable number of rounds (determines resistance to linear and differential cryptanalysis; for 9 rounds this resistance is greater than for DES)

•  simplicity of description

One of the fastest ciphers.

Basic operations (on w-bit words A and B):

  C = A <<< B          rotation of A left by a variable number of bits, given by B (mod w)
  C = A + B mod 2^w    addition modulo 2^w, where w is the size of operands A and B

RC5-w/r/b

  w – word size in bits; w = 16, 32, 64
      input/output block = 2 words = 2·w bits; typical value: w = 32 ⇒ 64-bit input/output block
  r – number of rounds
  b – key size in bytes, 0 ≤ b ≤ 255; key size in bits = 8·b bits

Recommended version: RC5-32/12/16: 64-bit block, 12 rounds, 128-bit key

RC5 Encryption (additions modulo 2^w)

  Split M into two halves A and B
  A = A + S[0]
  B = B + S[1]
  for i = 1 to r do {
      A = ((A ⊕ B) <<< B) + S[2i]
      B = ((B ⊕ A) <<< A) + S[2i+1]
  }
  C = A || B

RC5 Decryption (subtractions modulo 2^w)

  Split C into two halves A and B
  for i = r downto 1 do {
      B = ((B − S[2i+1]) >>> A) ⊕ A
      A = ((A − S[2i]) >>> B) ⊕ B
  }
  B = B − S[1]
  A = A − S[0]
  M = A || B

RC5 – Key Scheduling

  k = 8·b bits of the main key → 2·r + 2 round keys = (2·r + 2)·w bits

Two magic constants:

  Pw = Odd((e − 2) · 2^w)
  Qw = Odd((ϕ − 1) · 2^w)

  e – base of natural logarithms, e = 2.7182...
  ϕ – golden ratio: a segment x divided into parts y and x − y such that ϕ = x/y = y/(x − y) = 1.6180...
  Odd(z) – the odd integer nearest to z

RC5 – Key Scheduling: Initialize and Convert

Initialize:
  t = 2·r + 2
  c = ⌈8·b / w⌉
  S[0] = Pw
  for i = 1 to t − 1 do S[i] = S[i−1] + Qw

Convert:
  for i = 0 to c − 1 do L[i] = 0;
  Copy key bits directly to the memory positions represented by L.

RC5 – Key Scheduling: Mix

  i = j = 0
  A = B = 0
  do 3·max{t, c} times {
      A = S[i] = (S[i] + A + B) <<< 3
      B = L[j] = (L[j] + A + B) <<< (A + B)
      i = (i + 1) mod t
      j = (j + 1) mod c
  }
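As an added example, not from the lecture and not RSA's reference code, here is RC5-w/r/b in Python with the key schedule above, where Pw and Qw are computed from their definition, Odd((e − 2)·2^w) and Odd((ϕ − 1)·2^w), instead of being hard-coded, so they can be checked against the published values (P32 = 0xB7E15163, Q32 = 0x9E3779B9). Key bytes are copied into L as little-endian words and the two halves A, B are read from the block little-endian, as in the reference description; class, method and attribute names are this example's own.

```python
from decimal import Decimal, getcontext

getcontext().prec = 60   # enough digits for the w = 64 constants to come out exact


def odd(x):
    """Odd(x): the odd integer nearest to x (floor, then bump an even result by one)."""
    n = int(x)           # x > 0 here, so int() is floor
    return n if n % 2 else n + 1


def magic_constants(w):
    """P_w = Odd((e - 2) 2^w) and Q_w = Odd((phi - 1) 2^w), straight from the definition."""
    e = Decimal(1).exp()
    phi = (1 + Decimal(5).sqrt()) / 2
    scale = Decimal(2) ** w
    return odd((e - 2) * scale), odd((phi - 1) * scale)


class RC5:
    """RC5-w/r/b with w-bit words; b = len(key) bytes."""

    def __init__(self, key, w=32, r=12):
        if w not in (16, 32, 64) or not 0 <= len(key) <= 255:
            raise ValueError("w must be 16, 32 or 64 and 0 <= b <= 255")
        self.w, self.r, self.mask = w, r, (1 << w) - 1
        self.S = self._expand_key(key)

    def rotl(self, x, n):                     # A <<< B, rotation amount taken mod w
        n %= self.w
        return ((x << n) | (x >> (self.w - n))) & self.mask

    def rotr(self, x, n):                     # A >>> B
        n %= self.w
        return ((x >> n) | (x << (self.w - n))) & self.mask

    def _expand_key(self, key):
        w, r, b, u = self.w, self.r, len(key), self.w // 8
        t = 2 * r + 2                         # number of round keys
        c = max(1, -(-b // u))                # ceil(8b / w) words of key material
        # Convert: copy the key bytes into L, little-endian word by word
        L = [0] * c
        for i in reversed(range(b)):
            L[i // u] = ((L[i // u] << 8) + key[i]) & self.mask
        # Initialize: S[0] = P_w, S[i] = S[i-1] + Q_w
        P, Q = magic_constants(w)
        S = [P]
        for i in range(1, t):
            S.append((S[i - 1] + Q) & self.mask)
        # Mix S and L, 3 * max(t, c) times
        A = B = i = j = 0
        for _ in range(3 * max(t, c)):
            A = S[i] = self.rotl((S[i] + A + B) & self.mask, 3)
            B = L[j] = self.rotl((L[j] + A + B) & self.mask, A + B)
            i = (i + 1) % t
            j = (j + 1) % c
        return S

    def encrypt_words(self, A, B):
        S, m = self.S, self.mask
        A, B = (A + S[0]) & m, (B + S[1]) & m
        for i in range(1, self.r + 1):
            A = (self.rotl(A ^ B, B) + S[2 * i]) & m
            B = (self.rotl(B ^ A, A) + S[2 * i + 1]) & m
        return A, B

    def decrypt_words(self, A, B):
        S, m = self.S, self.mask
        for i in range(self.r, 0, -1):        # undo the rounds in reverse order, B first
            B = self.rotr((B - S[2 * i + 1]) & m, A) ^ A
            A = self.rotr((A - S[2 * i]) & m, B) ^ B
        return (A - S[0]) & m, (B - S[1]) & m

    def encrypt_block(self, block):
        u = self.w // 8
        A, B = self.encrypt_words(int.from_bytes(block[:u], "little"),
                                  int.from_bytes(block[u:2 * u], "little"))
        return A.to_bytes(u, "little") + B.to_bytes(u, "little")

    def decrypt_block(self, block):
        u = self.w // 8
        A, B = self.decrypt_words(int.from_bytes(block[:u], "little"),
                                  int.from_bytes(block[u:2 * u], "little"))
        return A.to_bytes(u, "little") + B.to_bytes(u, "little")
```

The Decimal arithmetic matters only for w = 64: a double has 53 bits of mantissa, so (e − 2)·2^64 computed in floating point would not even determine the parity that Odd() depends on, whereas 60 significant digits reproduce P64 = 0xB7E151628AED2A6B and Q64 = 0x9E3779B97F4A7C15.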

RC5 – Resistance to differential and linear cryptanalysis

Plaintext requirement as a function of the number of rounds:

  # rounds    Differential cryptanalysis    Linear cryptanalysis
     4             2^22                         2^37
     5             2^26                         2^47
     6             2^32                         2^57
     7             2^37                        > 2^64
     9             2^46
    12             2^63
    13           > 2^64

Differential cryptanalysis cannot be applied to RC5 with #rounds ≥ 13
Linear cryptanalysis cannot be applied to RC5 with #rounds ≥ 7

Resistance of modern ciphers against known attacks

  Proprietary ciphers built into application software – mostly insecure, seconds on a PC
  Proprietary ciphers with unknown specification – uncertain, may be hard to verify
  Past 40-bit "international" version of ciphers – keys recoverable in less than one hour using a small network of computers worth less than $10,000
  DES – keys can be recovered within 24 hours using a specialized machine based on FPGAs worth less than $100,000
  Triple DES, DESX, RC5 – all known attacks impractical

State of research regarding the security of secret-key ciphers

•  limited number of researchers actively involved in cryptanalysis and design of new ciphers
•  number of published ciphers > number of researchers
•  evaluations of the cipher strength given by designers typically unreliable

"Honest" cipher = the best known attack is an exhaustive key search attack

One can rely only on ciphers analyzed by a large group of qualified researchers

Modes of Operation


Block vs. stream ciphers

Block cipher (key K):
  M1, M2, …, Mn → C1, C2, …, Cn
  C_i = f_K(M_i)
  Every block of ciphertext is a function of only one corresponding block of plaintext.

Stream cipher (key K, internal state IS):
  m1, m2, …, mn → c1, c2, …, cn
  c_i = f_K(m_i, IS_i),   IS_{i+1} = g_K(m_i, IS_i)
  Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher (figure): at the sender, a Pseudorandom Key Generator seeded with the key and an initialization vector (seed) produces the keystream k_i, which is combined with the plaintext m_i to give the ciphertext c_i; the receiver runs the same Pseudorandom Key Generator with the same key and initialization vector to regenerate k_i and recover the plaintext m_i from c_i.

Standard modes of operation of block ciphers

  Block ciphers:   ECB mode, CBC mode
  Stream ciphers:  Counter mode, OFB mode, CFB mode

ECB (Electronic CodeBook) mode

Electronic CodeBook Mode – ECB Encryption

  C_i = E_K(M_i)   for i = 1..N

Electronic CodeBook Mode – ECB Decryption

  M_i = D_K(C_i)   for i = 1..N

Criteria for Comparison of Modes of Operation

•  hiding repeating message blocks
•  speed
•  capability for parallel processing and pipelining during encryption / decryption
•  use of block cipher operations (encryption only or both)
•  capability for preprocessing during encryption / decryption
•  capability for random access for the purpose of reading / writing
•  number of plaintext and ciphertext blocks required for exhaustive key search
•  error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

Block Cipher Modes of Operation – Basic Features (1) (table, filled in later in the lecture after the individual modes): columns ECB, OFB, CFB, CBC, CTR; rows: hiding repeating plaintext blocks; basic speed; capability for parallel processing and pipelining; cipher operations; preprocessing; random access.

Block Cipher Modes of Operation – Basic Features (2) (table, filled in later): columns ECB, OFB, CFB, CBC, CTR; rows: security against the exhaustive key search attack (minimum number of the message and ciphertext blocks needed); integrity; error propagation in the decrypted message after modification of j bits and after deletion of j bits.

Counter Mode

Counter Mode – CTR Encryption

  c_i = m_i ⊕ k_i,   k_i = E_K(IV + i − 1)   for i = 1..N

Counter Mode – CTR Decryption

  m_i = c_i ⊕ k_i,   k_i = E_K(IV + i − 1)   for i = 1..N

Counter Mode – CTR as a stream cipher with internal state (the L-bit counter register; all L output bits of E_K are used as keystream):

  IS_1 = IV
  c_i = E_K(IS_i) ⊕ m_i
  IS_{i+1} = IS_i + 1

J-bit Counter Mode – CTR

  c_i = m_i ⊕ k_i,   k_i = E_K(IV + i − 1)[1..j]   for i = 1..N

The counter register is still L bits wide, but only the j leftmost bits of each cipher output are used as keystream; the remaining L − j bits are discarded, so m_i and c_i are j-bit units.

OFB (Output FeedBack) Mode

Output Feedback Mode – OFB Encryption

  c_i = m_i ⊕ k_i,   k_i = E_K(k_{i−1})   for i = 1..N, and k_0 = IV

Output Feedback Mode – OFB Decryption

  m_i = c_i ⊕ k_i,   k_i = E_K(k_{i−1})   for i = 1..N, and k_0 = IV

Output Feedback Mode – OFB as a stream cipher with internal state:

  IS_1 = IV
  c_i = E_K(IS_i) ⊕ m_i
  IS_{i+1} = E_K(IS_i)

J-bit Output Feedback Mode – OFB

  The L-bit input register starts as IV; the j leftmost bits of E_K(IS_i) form the keystream and the remaining L − j bits are discarded; the register is shifted left by j bits and the j output bits are fed back:
  IS_1 = IV
  k_i = E_K(IS_i)[1..j]
  c_i = m_i ⊕ k_i
  IS_{i+1} = IS_i[j+1..L] || k_i

CFB (Cipher FeedBack) Mode

Cipher Feedback Mode – CFB Encryption

  c_i = m_i ⊕ k_i,   k_i = E_K(c_{i−1})   for i = 1..N, and c_0 = IV

Cipher Feedback Mode – CFB Decryption

  m_i = c_i ⊕ k_i,   k_i = E_K(c_{i−1})   for i = 1..N, and c_0 = IV

Cipher Feedback Mode – CFB as a stream cipher with internal state:

  IS_1 = IV
  c_i = E_K(IS_i) ⊕ m_i
  IS_{i+1} = c_i

J-bit Cipher Feedback Mode – CFB

  As in j-bit OFB, the j leftmost bits of E_K(IS_i) form the keystream, but the register is shifted left by j bits and the j ciphertext bits are fed back:
  IS_1 = IV
  k_i = E_K(IS_i)[1..j]
  c_i = m_i ⊕ k_i
  IS_{i+1} = IS_i[j+1..L] || c_i

CBC (Cipher Block Chaining) Mode

Cipher Block Chaining Mode – CBC Encryption

  c_i = E_K(m_i ⊕ c_{i−1})   for i = 1..N, c_0 = IV

Cipher Block Chaining Mode – CBC Decryption

  m_i = D_K(c_i) ⊕ c_{i−1}   for i = 1..N, c_0 = IV

Comparison among various modes

Block Cipher Modes of Operation – Basic Features (1)

  Hiding repeating plaintext blocks:
    ECB – No; OFB – Yes; CFB – Yes; CBC – Yes; CTR – Yes
  Basic speed:
    ECB – s_ECB; OFB – ≈ j/L · s_ECB; CFB – ≈ j/L · s_ECB; CBC – ≈ s_ECB; CTR – ≈ s_ECB
  Capability for parallel processing and pipelining:
    ECB – encryption and decryption; OFB – none; CFB – decryption only; CBC – decryption only; CTR – encryption and decryption
  Cipher operations:
    ECB – encryption and decryption; OFB – encryption only; CFB – encryption only; CBC – encryption and decryption; CTR – encryption only
  Preprocessing:
    ECB – No; OFB – Yes; CFB – No; CBC – No; CTR – Yes
  Random access:
    ECB – R/W; OFB – No; CFB – R only; CBC – R only; CTR – R/W

Block Cipher Modes of Operation – Basic Features (2)

  Security against the exhaustive key search attack (minimum number of the message and ciphertext blocks needed):
    ECB – 1 plaintext block, 1 ciphertext block; OFB – 2 plaintext blocks, 2 ciphertext blocks (for j = L); CFB – 1 plaintext block, 2 ciphertext blocks (for j = L); CBC – 1 plaintext block, 2 ciphertext blocks; CTR – 1 plaintext block, 1 ciphertext block
  Integrity:
    ECB – No; OFB – No; CFB – No; CBC – No; CTR – No
  Error propagation in the decrypted message after modification of j bits of the ciphertext:
    ECB – L bits; OFB – j bits; CFB – L + j bits; CBC – L + j bits; CTR – j bits
  Error propagation in the decrypted message after deletion of j bits of the ciphertext:
    ECB – current and all subsequent; OFB – current and all subsequent; CFB – L bits; CBC – current and all subsequent; CTR – current and all subsequent
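As an added example, not part of the lecture, the five modes are implemented below over a small block cipher, together with the error-propagation experiment behind the "modification of j bits" and "deletion of j bits" rows of the tables. The block cipher is a constructed four-round Feistel network with an HMAC-SHA256 round function (64-bit block), chosen only so that the code runs offline; it stands in for an arbitrary E_K / D_K and is not IDEA, RC5 or any standardised cipher. Messages are assumed to be whole blocks; the names ToyFeistelCipher, bit_flip_effect and cfb8_byte_deletion are this example's own.

```python
import hashlib
import hmac

L = 8   # block length in bytes (L = 64 bits in the lecture's notation)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    return [data[i:i + L] for i in range(0, len(data), L)]


class ToyFeistelCipher:
    """Constructed 64-bit block cipher: four Feistel rounds, F = HMAC-SHA256 truncated.
    It stands in for E_K / D_K so that the modes can run offline."""

    def __init__(self, key):
        self.key = key

    def _f(self, rnd, half):
        return hmac.new(self.key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

    def encrypt(self, block):
        left, right = block[:4], block[4:]
        for rnd in range(4):
            left, right = right, xor(left, self._f(rnd, right))
        return right + left                  # undo the final swap

    def decrypt(self, block):
        right, left = block[:4], block[4:]
        for rnd in reversed(range(4)):
            right, left = left, xor(right, self._f(rnd, left))
        return left + right


# Full-block modes; messages are a whole number of L-byte blocks.
def ecb_encrypt(E, m): return b"".join(E.encrypt(b) for b in blocks(m))
def ecb_decrypt(E, c): return b"".join(E.decrypt(b) for b in blocks(c))

def cbc_encrypt(E, iv, m):               # c_i = E_K(m_i xor c_{i-1}), c_0 = IV
    out, prev = [], iv
    for b in blocks(m):
        prev = E.encrypt(xor(b, prev)); out.append(prev)
    return b"".join(out)

def cbc_decrypt(E, iv, c):               # m_i = D_K(c_i) xor c_{i-1}
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(E.decrypt(b), prev)); prev = b
    return b"".join(out)

def ctr_crypt(E, iv, data):              # k_i = E_K(IV + i - 1); same in both directions
    n = int.from_bytes(iv, "big")
    ks = [E.encrypt(((n + i) % (1 << 64)).to_bytes(L, "big")) for i in range(len(blocks(data)))]
    return xor(data, b"".join(ks))

def ofb_crypt(E, iv, data):              # k_i = E_K(k_{i-1}), k_0 = IV; same in both directions
    out, k = [], iv
    for b in blocks(data):
        k = E.encrypt(k); out.append(xor(b, k))
    return b"".join(out)

def cfb_encrypt(E, iv, m):               # c_i = m_i xor E_K(c_{i-1}), c_0 = IV
    out, prev = [], iv
    for b in blocks(m):
        prev = xor(b, E.encrypt(prev)); out.append(prev)
    return b"".join(out)

def cfb_decrypt(E, iv, c):
    out, prev = [], iv
    for b in blocks(c):
        out.append(xor(b, E.encrypt(prev))); prev = b
    return b"".join(out)

def cfb8_crypt(E, iv, data, decrypt=False):
    """j-bit CFB with j = 8: an L-byte shift register fed with ciphertext bytes."""
    out, reg = [], iv
    for byte in data:
        o = byte ^ E.encrypt(reg)[0]     # keystream = leftmost j = 8 bits of the output
        out.append(o)
        reg = reg[1:] + bytes([byte if decrypt else o])
    return bytes(out)


def bit_flip_effect(mode, key=b"constructed key", iv=bytes(range(L))):
    """Flip one bit of ciphertext block 2 and return, for each decrypted block,
    how many bits differ from the constructed 4-block message."""
    E = ToyFeistelCipher(key)
    m = bytes(range(4 * L))
    enc, dec = {
        "ECB": (lambda x: ecb_encrypt(E, x), lambda x: ecb_decrypt(E, x)),
        "CBC": (lambda x: cbc_encrypt(E, iv, x), lambda x: cbc_decrypt(E, iv, x)),
        "CFB": (lambda x: cfb_encrypt(E, iv, x), lambda x: cfb_decrypt(E, iv, x)),
        "OFB": (lambda x: ofb_crypt(E, iv, x), lambda x: ofb_crypt(E, iv, x)),
        "CTR": (lambda x: ctr_crypt(E, iv, x), lambda x: ctr_crypt(E, iv, x)),
    }[mode]
    c = bytearray(enc(m))
    c[L + 3] ^= 0x10                     # one bit inside c_2
    d = dec(bytes(c))
    return [bin(int.from_bytes(xor(a, b), "big")).count("1") for a, b in zip(blocks(m), blocks(d))]


def cfb8_byte_deletion(key=b"constructed key", iv=bytes(range(L))):
    """Delete one ciphertext byte of 8-bit CFB; returns whether the prefix and the
    part after the next L bytes decrypt correctly (the mode resynchronises)."""
    E = ToyFeistelCipher(key)
    m = bytes(range(40))
    c = cfb8_crypt(E, iv, m)
    p = 10
    d = cfb8_crypt(E, iv, c[:p] + c[p + 1:], decrypt=True)
    return d[:p] == m[:p], d[p + L:] == m[p + L + 1:]
```

bit_flip_effect reproduces the "modification of j bits" row: CTR and OFB return [0, 1, 0, 0] (only the flipped bit), CBC garbles block 2 and flips exactly one bit of block 3 (L + j bits), CFB flips one bit of block 2 and garbles block 3 (j + L bits), and ECB garbles block 2 only (L bits). cfb8_byte_deletion returns (True, True): after a deleted byte, 8-bit CFB produces L/8 = 8 wrong bytes and then recovers on its own, which is the "L bits" entry for CFB in the deletion row; the other modes lose synchronisation from the deletion point onward.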

New modes of operation

Evaluation Criteria for Modes of Operation: Security, Efficiency, Functionality

Evaluation criteria (1)

Security
•  resistance to attacks
•  proof of security
•  random properties of the ciphertext

Efficiency
•  number of calls of the block cipher
•  capability for parallel processing
•  memory/area requirements
•  initialization time
•  capability for preprocessing

Evaluation criteria (2)

Functionality
•  security services – confidentiality, integrity, authentication
•  flexibility – variable lengths of blocks and keys, different amount of precomputations, requirements on the length of the message
•  vulnerability to implementation errors
•  requirements on the amount of keys, initialization vectors, random numbers, etc.
•  error propagation and the capability for resynchronization
•  patent restrictions

CBC (figure: c_i = E_K(m_i ⊕ c_{i−1}) for i = 1..N, c_0 = IV)

Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication

Counter mode (figure: k_i = E_K(IV + i), c_i = m_i ⊕ k_i for i = 0..N)

Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

Properties of existing and new cipher modes (table): columns CBC, CFB, OFB, New standard; rows Proof of security, Preprocessing, Parallel processing, Integrity and authentication, Resistance to implementation errors. For the existing modes most cells are "–", with parallel processing available for decryption only.

OCB – Offset Codebook Mode (figure): each message block M_i is XORed with an offset Z_i before and after encryption with E_K, C_i = E_K(M_i ⊕ Z_i) ⊕ Z_i, where the offsets Z_i = f(L, R, i) are derived from L = E_K(0) and a value R derived from the IV; the last block M_N is processed together with the message length and g(L); the τ-bit tag T (the control sum) is obtained by encrypting the checksum of the message blocks under E_K, offset by Z_N.

New modes of block ciphers

1. CCM – Counter with CBC-MAC
•  developed by R. Housley, D. Whiting, N. Ferguson in 2002
•  assures simultaneous confidentiality and authentication
•  not covered by any patent
•  part of the IEEE 802.11i standard for wireless networks

2. GCM – Galois/Counter Mode
•  developed by D. McGrew and J. Viega in 2005
•  assures simultaneous confidentiality and authentication
•  not covered by any patent
•  used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPSec standards

Properties of new modes of operation (table): columns CBC, CFB, OFB, CTR, CCM, GCM; rows Proof of security, Preprocessing, Parallel processing, Integrity and authentication, Resistance to implementation errors. For CBC, CFB and OFB most cells are "–" (parallel processing: only decryption); for CCM and GCM, preprocessing and parallel processing are marked "half of operations".

Modes of operation of block ciphers – Timeline (1997 – 2008)

FIPS standards:
  FIPS 81 (for DES): CBC, CFB, OFB, ECB
  Dec. 2001 – SP 800-38A: CBC, CFB, OFB, ECB and CTR (counter mode), for an arbitrary block cipher
  May 2004 – SP 800-38B: CCM
  Nov 2007 – SP 800-38D: GCM

Contests:
  NIST, Apr. 2001 and Aug. 2001: 10 modes submitted to the contest (including CTR, OCB, IACBC, IAPM); patent issues.

Attacks:
  DCM mode, developed by NSA – attacked several days after its publication