CS641 Modern Cryptology, Lecture 4

A linear transformation on the entire block helps mixing the information well.
A non-linear transformation is needed to make it secure.
Therefore, a combination of the two is desirable.
A large number of encryption algorithms use both.

Theorem. Let $u \in \mathbb{Z}^b$, $u \neq 0$, and $K \in \mathbb{Z}^{b \times b}$. Then, over random choices of $K$, $K \cdot u$ is a random vector in $\mathbb{Z}^b$.

Proof. Given $u$ and $c$ with $u \neq 0$, let the $i$th entry of $u$, $u_i$, be non-zero. Let $K_i$ be the $i$th column of $K$. The probability that $c = K \cdot u$ equals the probability that
$K_i = u_i^{-1} \bigl( c - \sum_{1 \le j \le b,\ j \neq i} u_j K_j \bigr)$.

Since encrypted text is required to be decrypted, all transformations done during encryption need to be invertible.
This is easy for linear transformations, but non-linear transformations are typically not invertible.
So we have to find non-linear transformations that are invertible.
There is a generic way of doing it, given by Feistel.

[Figure: one Feistel round on the plaintext $(L_0, R_0)$ and its inverse $g^{-1}$.]
$g^{-1}(b, a') = (a' \oplus f(b), b)$.

We can use any number of rounds; generally, a greater number of rounds provides more security.
Therefore, we can use the Feistel structure to ensure invertibility given any transformation $f$.
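To make the invertibility argument concrete, here is an added Python example (not code from the lecture) of a Feistel network whose round function f is a truncated SHA-256 of the round key and half block, an assumed toy choice that is not itself invertible; the inverse round is exactly the $g^{-1}$ above, and the one-round case shows $L_1 = R_0$.

```python
"""Feistel structure: a cipher built from a non-invertible round function f
still decrypts.  Added example; f, the round keys and the sample block are
constructed choices, not the lecture's."""
import hashlib


def f(half: bytes, round_key: bytes) -> bytes:
    """Non-invertible round function: truncated SHA-256 of key || half (toy choice)."""
    return hashlib.sha256(round_key + half).digest()[: len(half)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_g(left: bytes, right: bytes, k: bytes):
    """One round g(a, b) = (b, a xor f(b)): the new left half is the old right half."""
    return right, xor(left, f(right, k))


def round_g_inv(left: bytes, right: bytes, k: bytes):
    """g^{-1}(b, a') = (a' xor f(b), b), as on the slide; f is only ever evaluated, never inverted."""
    return xor(right, f(left, k)), left


def encrypt(block: bytes, round_keys: list) -> bytes:
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in round_keys:
        left, right = round_g(left, right, k)
    return left + right


def decrypt(block: bytes, round_keys: list) -> bytes:
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in reversed(round_keys):  # undo the rounds in reverse order
        left, right = round_g_inv(left, right, k)
    return left + right


ROUND_KEYS = [bytes([i]) * 4 for i in range(1, 17)]  # constructed 16 round keys
SAMPLE = b"8bytemsg"  # constructed 64-bit block
```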
DES

Designed in 1974 by a group of IBM engineers led by Walter Tuchman.
Adopted by the National Bureau of Standards (US) in 1976 as a standard and named Data Encryption Standard (DES).
One of the most widely used encryption algorithms until 2001.

A block cipher with blocksize = 64 bits, or 8 bytes.
Key size = 56 bits.
This size was sufficient in the 1970s to be resistant against brute-force attacks.
Uses the Feistel structure with 16 rounds.

[Figure: the round function $f$ of DES.]

S-boxes

The only nonlinear operation in the entire algorithm.
There are eight S-boxes, each mapping six bits to four bits.
Each of the eight boxes is a distinct transformation.

S-1 (the outer two input bits select the row, the inner four bits select the column):

S-1 | 0000 0001 0010 0011 0100 0101 0110 0111 | 1000 1001 1010 1011 1100 1101 1110 1111
 00 |   14    4   13    1    2   15   11    8 |    3   10    6   12    5    9    0    7
 01 |    0   15    7    4   14    2   13    1 |   10    6   12   11    9    5    3    8
 10 |    4    1   14    8   13    6    2   11 |   15   12    9    7    3   10    5    0
 11 |   15   12    8    2    4    9    1    7 |    5   11    3   14   10    0    6   13
CS641 Modern Cryptology, Lecture 5

Why a 56 bit key size? Why not 64 bits?
- The key is stored in 64 bits. In each byte, the msb is used as a parity check of the other seven key bits.
- This is to catch any error occurring in the other seven bits.

Why such small S-boxes?
- To store the S-box tables in hardware so that the algorithm can be executed fast.
- The same reason applies to the other choices of operations.

A brute-force attack to find the key requires $2^{56} \approx 10^{17}$ operations.
Frequency analysis based methods do not work at all, since variations in frequencies are flattened out by the 64 bit blocksize and a sequence of linear transformations.
We can assume stronger forms of attacks: known-plaintext, chosen-plaintext, etc.
We start with easier versions of DES by restricting the number of rounds.

DES: One Round

$L_0 R_0$ is the plaintext and $L_1 R_1$ is the ciphertext.
Since $L_1 = R_0$, half of the plaintext is visible in the ciphertext, so security is already compromised.
Under a known-plaintext attack, it can be completely broken.
[Figure: one round of DES with the intermediate strings $\alpha_i$, $\beta_i$, $\gamma_i$ marked.]

The plaintext goes through multiple transformations during encryption.
Let us analyze which of these transformed texts can be computed when both plaintext and ciphertext are known.
The output of E (expansion) is $E(R_0)$, a 48 bit string.
Let $E(R_0) = \alpha_1 \alpha_2 \cdots \alpha_8$ with $|\alpha_i| = 6$.
This gets XORed with the round key $k_1 = k_{1,1} k_{1,2} \cdots k_{1,8}$ with $|k_{1,i}| = 6$, giving $\beta_i = \alpha_i \oplus k_{1,i}$.
The six bit string $\beta_i$ is the input to the $i$th S-box, whose output is four bits.
Let $\gamma_i = S_i(\beta_i)$ with $|\gamma_i| = 4$.

Texts in all lines marked orange (in the figure) are known.
In particular, we know the output of the S-boxes as well as the output of Expansion.
Since $\gamma_i$ is known, we can look up the table for $S_i$ to find out which inputs can produce $\gamma_i$ as output.
As already observed, the table for each $S_i$ has exactly four occurrences of $\gamma_i$.
Let $X_i$ be the set of inputs to $S_i$ that produce $\gamma_i$ as output. We have $|X_i| = 4$.
The string $\beta_i \in X_i$.
Each $\gamma_i$ and $\alpha_i$ is known.
Let $K_i = \{\alpha_i \oplus \beta \mid \beta \in X_i\}$.
Since $k_{1,i} = \alpha_i \oplus \beta_i$, we have $k_{1,i} \in K_i$, and $|K_i| = 4$.

DES: Two Rounds

$L_0 R_0$ is the plaintext and $L_2 R_2$ is the ciphertext.
Under a known-plaintext attack, the intermediate block $L_1 R_1$ is known since $L_1 = R_0$ and $R_1 = L_2$.
Parts of the plaintext are no longer visible in the output.
This can be easily broken as well.
Texts in all lines marked orange (in the figure) are known. In particular, we know the output of the S-boxes as well as the output of Expansion for both rounds.
Using the same strategy as for one round, we can extract the key $k_1$ as well as $k_2$ easily.
CS641 Modern Cryptology, Lecture 6

DES: Three Rounds

XOR values in all lines marked green (in the figure) are known.
Only two additional values become known.
Choose a pair of plaintexts with $R_0 = R_0'$.
XOR values in all remaining lines are known now.
In particular, in the third round, the actual values of the output from E and the XOR values of the output from the S-boxes are known.
This gives a way to break the encryption.

Let $E(R_2) = \alpha_1 \alpha_2 \cdots \alpha_8$ and $E(R_2') = \alpha_1' \alpha_2' \cdots \alpha_8'$ with $|\alpha_i| = 6 = |\alpha_i'|$.
Define
$X_i = \{(\beta_i, \beta_i') \mid \beta_i \oplus \beta_i' = \alpha_i \oplus \alpha_i' \text{ and } S_i(\beta_i) \oplus S_i(\beta_i') = \gamma_i \oplus \gamma_i'\}$.

Since S-boxes are non-linear, fixing the input XOR does not fix the output XOR.
So we look for a likely XOR value.
Examining $S_1$ carefully, we find that if the XOR of two inputs is 001100, then of the 64 possible pairs, 14 result in the XOR of the output pair being 1110.
If we consider random input pairs that have input XOR to the second round $S_1$ equal to 001100, then we expect that with probability 14/64 the XOR of the outputs will be 1110.
Ensuring that the input XOR to the remaining S-boxes in the second round is all zeroes, we can predict the XOR of the second round output of the S-boxes with probability 14/64.
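The sets $X_i$ and $K_i$ of the one-round known-plaintext analysis and the 14/64 count for $S_1$ with input XOR 001100, both computed from the S-1 table given in Lecture 4, as an added Python example (not the lecture's code; the key chunk and expansion output used in the checks are constructed values):

```python
"""DES S-box S1 from the lecture table: the one-round key-candidate sets X_i, K_i
and the differential count behind the 14/64 figure.  Added example, not the
lecture's code; alpha, gamma and key values used with it are constructed."""
from collections import Counter

# S1, rows 00..11 (outer two input bits), columns 0000..1111 (inner four bits).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(beta: int) -> int:
    """Apply S1 to a 6-bit input beta = b1 b2 b3 b4 b5 b6."""
    row = ((beta >> 5) & 1) << 1 | (beta & 1)  # b1 b6 selects the row
    col = (beta >> 1) & 0xF                      # b2 b3 b4 b5 selects the column
    return S1[row][col]


def preimages(gamma: int) -> set:
    """X_i of the lecture: all 6-bit inputs that S1 maps to the 4-bit output gamma."""
    return {beta for beta in range(64) if s1(beta) == gamma}


def key_candidates(alpha: int, gamma: int) -> set:
    """K_i = {alpha xor beta | beta in X_i}: the candidates for the round-key chunk
    k_{1,i}, given the known expansion output alpha and S-box output gamma."""
    return {alpha ^ beta for beta in preimages(gamma)}


def output_xor_counts(input_xor: int) -> Counter:
    """For each of the 64 inputs beta, record S1(beta) xor S1(beta xor input_xor)."""
    return Counter(s1(b) ^ s1(b ^ input_xor) for b in range(64))


def best_output_xor(input_xor: int):
    """Most likely output XOR for a given input XOR, with its count out of 64."""
    return output_xor_counts(input_xor).most_common(1)[0]
```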
We will use hexadecimal notation to represent 32-bit values.
We can now repeat the analysis of three round DES.
It does not work directly though.
Manindra Agrawal, CS641: Lecture 6
DES: Four Rounds

Define
$X_i = \{(\beta_i, \beta_i') \mid \beta_i \oplus \beta_i' = \alpha_i \oplus \alpha_i' \text{ and } S_i(\beta_i) \oplus S_i(\beta_i') = \gamma_i \oplus \gamma_i'\}$.
Since $(\beta_i, \beta_i') \in X_i$ with probability $\frac{14}{64}$, we have $k_{4,i} \in K_i$ with probability $\frac{14}{64}$.
With $\ell$ plaintext pairs, the correct value is counted about
$\frac{14}{64}\ell + \frac{12.5}{64}\ell = \frac{26.5}{64}\ell$ times.

The 3-round characteristic used (a bar marks trailing zeros padding the value to 32 bits):
(00828000, 60000̄, 14/64, 60000̄, 0̄0̄, 1, 0̄0̄, 60000̄, 14/64, 60000̄, 00828000).

To break $r$-round DES, we need an $(r-2)$-round characteristic:
- We recover $k_r$ using this characteristic.
- If the probability of the characteristic is $p$, and we use $\ell$ plaintext block pairs, $k_{r,i}$ will be present in about $p\ell + (1-p)\frac{\ell}{4}$ of the $X_i$'s.
- Any other $a \neq k_{r,i}$ will be present in about $\frac{\ell}{4}$ pairs.
- So $k_{r,i}$ is present in roughly $\frac{3}{4}p\ell$ additional pairs.
- We need $\ell \approx \frac{20}{p}$ in order to ensure that $k_{r,i}$ is the most frequently occurring value.

This technique is called differential cryptanalysis.
- Proposed by Biham and Shamir in 1990.

Another 3-round characteristic:
(40080̄, 04000̄, 1/4, 04000̄, 0̄0̄, 1, 0̄0̄, 04000̄, 1/4, 04000̄, 40080̄).

A 5-round characteristic:
(405C0̄, 04000̄, 1/4, 04000̄, 00540̄, 5/128, 00540̄, 0̄0̄, 1, 0̄0̄, 00540̄, 5/128, 00540̄, 04000̄, 1/4, 04000̄, 405C0̄).

The 2-round iterative characteristic (probability about 1/234) can be concatenated $r$ times to create a $2r$-round characteristic.
The probability of the $2r$-round characteristic will be $\frac{1}{(234)^r}$.
It can be used against 16-round DES:
- The probability of the characteristic will be $\frac{1}{(234)^7} \approx 2^{-55}$.
- The number of plaintext pairs required would be $\approx 2^{59}$, worse than brute-force.
Concatenating for 13 rounds gives a characteristic with probability $\frac{1}{(234)^6} \approx 2^{-47}$.
The number of plaintext pairs required to break it is $\approx 2^{52}$, which is less than brute-force.
Therefore, 16 is the minimum number of rounds that makes DES fully resistant against differential cryptanalysis.
DES: Three Rounds, Linear Cryptanalysis

For one round of DES, the linear relation
$R_{i-1}[15] \oplus K_i[22] \oplus L_{i-1}[7, 18, 24, 29] \oplus R_i[7, 18, 24, 29] = 0$
holds with probability $\frac{12}{64}$.

Using the previous equation for round 1, we get that with probability $\frac{12}{64}$:
$R_0[15] \oplus K_1[22] \oplus L_0[7, 18, 24, 29] = R_1[7, 18, 24, 29] = L_2[7, 18, 24, 29] = R_3[7, 18, 24, 29] \oplus f(R_2, K_3)[7, 18, 24, 29]$,
where $f(R, K)$ is the non-linear function of DES.
Therefore,
$R_0[15] \oplus L_0[7, 18, 24, 29] \oplus R_3[7, 18, 24, 29] \oplus f(R_2, K_3)[7, 18, 24, 29] = K_1[22]$
with probability $\frac{12}{64}$.

Since we know $R_0$, $L_0$, $R_3$, and $R_2 = L_3$, we can do the following:
- Guess the six bits of $K_3$ that go into S5.
- For $\ell$ choices of plaintext block, and using the guess of $K_3$, compute how many times the LHS is zero.
- If the guess for $K_3$ is wrong, the equation will be satisfied roughly half the time.
- If the guess is correct, either the LHS will be zero about $\frac{12}{64}\ell$ times or the LHS will be 1 about $\frac{12}{64}\ell$ times.
- This gives us six bits of $K_3$ and one bit of $K_1$.
- Doing the same for the third round gives one bit of $K_3$ and six bits of $K_1$, resulting in a total of 14 bits of key overall.

CS641 Modern Cryptology, Lecture 8

For the full cipher, the key bits entering the linear equation are
$K_8[44] \oplus K_9[22] \oplus K_{11}[22] \oplus K_{12}[44] \oplus K_{13}[22] \oplus K_{15}[22]$
(the plaintext and ciphertext terms of the equation are not reproduced on this page).
The equation holds with probability $\approx 1.2/2^{22}$.
Using $\approx 2^{47}$ plaintext blocks, 14 bits of key can be recovered.
The remaining 42 bits can be found by brute-force, resulting in an overall complexity of $\approx 2^{47}$.
Definition (group). A set of elements $G$ with a binary operation $\cdot$ defined on its elements such that:
1. $a \cdot b \in G$ for any $a, b \in G$ [closure]
2. $(a \cdot b) \cdot c = a \cdot (b \cdot c)$ for any $a, b, c \in G$ [associativity]
3. There exists $e \in G$ such that $a \cdot e = e \cdot a = a$ for any $a \in G$ [identity]
4. For any $a \in G$ there exists $b \in G$ such that $a \cdot b = e$ [inverse]

Groups capture properties of the $+$ and $*$ operations in a field.
- $(\mathbb{Q}, +)$, $(\mathbb{R}, +)$, $(\mathbb{C}, +)$, $(\mathbb{Z}, +)$ are groups.
- $(\mathbb{Q} \setminus \{0\}, *)$, $(\mathbb{R} \setminus \{0\}, *)$, and $(\mathbb{C} \setminus \{0\}, *)$ are groups but $(\mathbb{Z} \setminus \{0\}, *)$ is not.

Definition (commutative group). A group $(G, \cdot)$ with the following additional property: $a \cdot b = b \cdot a$ for any $a, b \in G$ [commutativity].
The example groups of the last slide are all commutative.
Not all groups are commutative though:
- $(GL_n(\mathbb{Q}), \cdot)$ is a non-commutative group of all $n \times n$ invertible matrices with rational entries under multiplication.
- $(S_n, \circ)$ is a non-commutative group of all permutations of $[1, n]$ under composition.

Definition (ring). A set of elements $R$ with two binary operations $+$ and $*$ defined on its elements such that:
1. $(R, +)$ is a commutative group.
2. $(R \setminus \{0\}, *)$ satisfies the closure, associativity, and identity properties.
3. $a * (b + c) = a * b + a * c$ for any $a, b, c \in R$ [distributivity]

Rings capture arithmetic without division:
- $(\mathbb{Q}, +, *)$, $(\mathbb{R}, +, *)$, $(\mathbb{C}, +, *)$, $(\mathbb{Z}, +, *)$ are rings.
$(R, +, *)$ is a commutative ring if the multiplication operation is also commutative:
- $(M_n(\mathbb{Q}), +, \cdot)$ is a non-commutative ring, where $M_n(\mathbb{Q})$ is the set of $n \times n$ matrices with rational entries.

Definition (field). A set of elements $F$ with two binary operations $+$ and $*$ defined on its elements such that:
1. $(F, +)$ is a commutative group.
2. $(F \setminus \{0\}, *)$ is a commutative group.
3. $a * (b + c) = a * b + a * c$ for any $a, b, c \in F$ [distributivity]

Fields are commutative rings that admit division:
- $(\mathbb{Q}, +, *)$, $(\mathbb{R}, +, *)$, and $(\mathbb{C}, +, *)$ are fields but $(\mathbb{Z}, +, *)$ is not.
The set of non-zero elements of $F$ is represented as $F^*$.

Let $F[x]$ be the set of all polynomials in $x$ with coefficients from a field $F$.
Then $(F[x], +, *)$ is a commutative ring where the arithmetic is over polynomials.
Let $F(x)$ be the set of rational functions in $x$, that is:
$F(x) = \left\{ \frac{f(x)}{g(x)} \,\middle|\, f(x), g(x) \in F[x],\ g(x) \neq 0 \right\}$.

Let $F_p = \{0, 1, \ldots, p-1\}$ for a prime $p$.
Then $(F_p, +, *)$ is a field where the arithmetic is modulo $p$:
- $(F_p, +)$ is a commutative group with the (additive) inverse of $a \in F_p$ being $p - a$ for $a \neq 0$.
- $(F_p^*, *)$ is a commutative group with the (multiplicative) inverse of $a \in F_p^*$ being the $b \in F_p$ with $ab + rp = 1$.

Theorem. Let $(G, \cdot)$ be a finite commutative group. Then for every $a \in G$: $a^{|G|} = e$.

Proof. Let $m = |G|$ and let $b_1, \ldots, b_m$ be all the elements of $G$.
Consider the sequence of elements $ab_1, ab_2, \ldots, ab_m$.
Each is in $G$ and they are distinct: if $ab_i = ab_j$ then $b_i = b_j$.
Therefore, $\prod_{i=1}^m b_i = \prod_{i=1}^m ab_i = a^m \prod_{i=1}^m b_i$.
This shows $a^m = e$.

Lemma. If the order of $a$ equals $k$, then for every $\ell$ such that $a^\ell = e$: $k \mid \ell$.

Proof. Let $m = \gcd(k, \ell) = uk + v\ell$ for some $u, v \in \mathbb{Z}$.
Then $a^m = a^{uk + v\ell} = (a^k)^u \cdot (a^\ell)^v = e$.
By the definition of order, $k \le m$.
Since $m \mid k$, $m = k$, showing $k \mid \ell$.

Corollary. For a finite group of size $m$, the order of every element divides $m$.

Cyclic Groups

Let $(G, \cdot)$ be a commutative group. $G$ is cyclic if there exists $a \in G$ such that $G = \{a^i \mid i \in \mathbb{Z}\}$. The element $a$ is called a generator of the group. If $G$ is finite, then the order of $a$ equals $|G|$.
- $(\mathbb{Z}, +)$ is a cyclic group with generator 1.
- $(F_p, +)$ is a cyclic group with generator 1, and the order of 1 is $p$.
- $(\mathbb{Q}, +)$ is not a cyclic group.
- $(F_{p^d}, +)$ is not a cyclic group for $d > 1$.

Theorem. For a finite field $F$, $(F^*, *)$ is a cyclic group.

Proof. Let $m = |F^*|$ and $m = \prod_{i=1}^t p_i^{r_i}$, where the $p_i$ are prime numbers and $r_i \ge 1$.
Let $S_i = \{a \mid a \in F^* \text{ and the order of } a \text{ divides } p_i^{r_i}\}$.
$S_i$ is also a group.
$S_i$ is a cyclic group:
- Let $a_i \in S_i$ be an element with maximum order $p_i^{s_i}$, for some $s_i \le r_i$.
- The order of every element of $S_i$ will divide $p_i^{s_i}$.
- Therefore, every element of $S_i$ satisfies the equation $y^{p_i^{s_i}} = 1$.
- By the field property, $|S_i| \le p_i^{s_i}$.
- Since $a_i$ has $p_i^{s_i}$ distinct powers, all in $S_i$, $a_i$ is a generator of $S_i$.
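An added Python check (not from the lecture) of the theorem, corollary and cyclicity proof above on $(F_p^*, *)$ for the constructed choice $p = 13$: it computes element orders, the subgroups $S_i$ for each prime-power factor of $|F_p^*|$, and the generators.

```python
"""Finite group facts from the lecture, checked in (F_p^*, *) for a prime p.
Added example, not the lecture's code; p = 13 is a constructed choice."""


def order(a: int, p: int) -> int:
    """Smallest k >= 1 with a^k = 1 mod p, i.e. the order of a in F_p^*."""
    k, x = 1, a % p
    while x != 1:
        x = x * a % p
        k += 1
    return k


def prime_power_factors(m: int) -> dict:
    """Write m = prod p_i^{r_i} and return {p_i: r_i}."""
    fac, d = {}, 2
    while d * d <= m:
        while m % d == 0:
            fac[d] = fac.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        fac[m] = fac.get(m, 0) + 1
    return fac


def subgroup_S(p: int, q: int, r: int) -> set:
    """S_i = {a in F_p^* : order of a divides q^r}, the subgroup used in the cyclicity proof."""
    return {a for a in range(1, p) if q ** r % order(a, p) == 0}


def generators(p: int) -> list:
    """Elements of order |F_p^*| = p - 1, i.e. the generators of F_p^*."""
    return [a for a in range(1, p) if order(a, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """a^{|G|} = e for every a, and every order divides |G| (theorem and corollary)."""
    m = p - 1
    return all(pow(a, m, p) == 1 and m % order(a, p) == 0 for a in range(1, p))
```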
CS641 Modern Cryptology, Lecture 9

History

By the end of the 1990s, the key size of DES had become amenable to brute-force attack:
- In 1999, a distributed brute-force search recovered a DES key within one day.
In 1997, the National Institute of Standards and Technology (US) announced a worldwide call for a new standard algorithm.
Fifteen proposals were submitted and eventually Rijndael, developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, was adopted as the Advanced Encryption Standard (AES) in 2001.
ByteSub

$b_{ij} = \begin{cases} a_{ij}^{-1} & \text{if } a_{ij} \neq 0 \\ 0 & \text{otherwise} \end{cases}$, $\qquad c_{ij} = T \cdot b_{ij} + c$.

$T$ is a fixed $8 \times 8$ invertible matrix over $F_2$ and $c$ is a fixed column vector over $F_2$.
In $F_{256}^*$, $1/a_{ij} = a_{ij}^{254}$ since $a_{ij}^{255} = 1$.
This is the only non-linear operation.
It is easily seen to be invertible.

ShiftRow

$\begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} \Rightarrow \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{11} & a_{12} & a_{13} & a_{10} \\ a_{22} & a_{23} & a_{20} & a_{21} \\ a_{33} & a_{30} & a_{31} & a_{32} \end{pmatrix}$.

A left-rotation by $i$ columns is applied to the $i$th row.
Each column in the new matrix consists of one element from every column of the old matrix.

MixColumn

$\begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} \Rightarrow \begin{pmatrix} 2 & 3 & 1 & 1 \\ 1 & 2 & 3 & 1 \\ 1 & 1 & 2 & 3 \\ 3 & 1 & 1 & 2 \end{pmatrix} \cdot \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix}$.

A fixed matrix is multiplied with the block matrix.
Viewing each column as a degree three polynomial in $F_{256}[x]$, the operation is the same as multiplying the column polynomial by the fixed polynomial $3x^3 + x^2 + x + 2$ modulo $x^4 + 1$.

AddRoundKey

$\begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} \Rightarrow \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} + \begin{pmatrix} k_{00} & k_{01} & k_{02} & k_{03} \\ k_{10} & k_{11} & k_{12} & k_{13} \\ k_{20} & k_{21} & k_{22} & k_{23} \\ k_{30} & k_{31} & k_{32} & k_{33} \end{pmatrix}$.

The round key matrix is added to the block matrix.
Addition is bitwise XOR in $F_{256}$.
Each round key matrix is derived from the key using a fixed algorithm.

The number of rounds is 10, 12, or 14 depending on the key size chosen.
There is one additional AddRoundKey operation performed before the first round.
The last round does not have the MixColumn operation.
In our analysis, we will focus on 10 round AES with a 128 bit key, the most commonly used variant.

MixColumn is the only operation that "mixes" elements of a block.
Together with ShiftRow, in two rounds all elements get mixed up.
Each operation is easily seen to be invertible, making decryption possible.
ByteSub is the only non-linear operation; its linear part is chosen so that at least one operation is not within $F_{256}$.
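An added Python example (not the lecture's code) of the two $F_{256}$ facts used above: the inverse $a^{254}$ behind ByteSub, and MixColumn as multiplication by $3x^3 + x^2 + x + 2$ modulo $x^4 + 1$, checked against the matrix form and inverted. The reduction polynomial $x^8 + x^4 + x^3 + x + 1$ is the one from the AES specification and is not stated on this page; the input column is constructed.

```python
"""AES arithmetic in F_256 = F_2[x]/(x^8 + x^4 + x^3 + x + 1): the inverse used by
ByteSub and MixColumn as multiplication by 3x^3 + x^2 + x + 2 modulo x^4 + 1.
Added example, not the lecture's code; the sample column is a constructed input."""


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in F_256; the overflow bit is reduced by x^8 = x^4 + x^3 + x + 1 (0x1B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """1/a = a^254 since a^255 = 1 for non-zero a; 0 is mapped to 0 as in ByteSub."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def mul_mod_x4_plus_1(a: list, c: list) -> list:
    """Product of a(x) = a0 + a1 x + a2 x^2 + a3 x^3 and c(x) modulo x^4 + 1 over F_256;
    since x^4 = 1, the term a_i c_j lands at index (i + j) mod 4."""
    out = [0] * 4
    for i in range(4):
        for j in range(4):
            out[(i + j) % 4] ^= gf_mul(a[i], c[j])
    return out


MIXCOL = [2, 1, 1, 3]          # c(x) = 3x^3 + x^2 + x + 2, coefficients low to high
INV_MIXCOL = [14, 9, 13, 11]   # d(x) with c(x) d(x) = 1 mod x^4 + 1 (standard InvMixColumns)


def mix_column(col: list) -> list:
    return mul_mod_x4_plus_1(col, MIXCOL)


def mix_column_matrix(col: list) -> list:
    """The same operation written as the fixed circulant matrix on the slide."""
    M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
    return [gf_mul(M[r][0], col[0]) ^ gf_mul(M[r][1], col[1])
            ^ gf_mul(M[r][2], col[2]) ^ gf_mul(M[r][3], col[3]) for r in range(4)]


SAMPLE_COLUMN = [0xDB, 0x13, 0x53, 0x45]  # constructed input column
```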
CS641 Modern Cryptology, Lecture 10

AES was designed to be resistant against differential and linear cryptanalysis.
A modified form of differential cryptanalysis, called the square attack, does break three round AES.
In this attack, we consider a set of 256 plaintext blocks being encrypted simultaneously and trace patterns of byte values.

The ShiftRow operation has the following effect on the various patterns:
- P goes to P.
- C goes to C.
- Z goes to Z.
- X goes to X.

The AddRoundKey operation has the following effect on the various patterns:
- P goes to P.
- C goes to C.
- Z goes to Z.
- X goes to X.

Square Attack: Three Rounds of AES

Input pattern:

  P C C C
  P C C C
  P C C C
  P C C C

Pattern movement (before first round):

  P C C C                  P C C C
  P C C C   AddRoundKey    P C C C
  P C C C      ==>         P C C C
  P C C C                  P C C C

Pattern movement (first round):

  P C C C                  P C C C                  P C C C                  P C C C
  P C C C    ByteSub       P C C C    ShiftRow      C C C P   AddRoundKey    C C C P
  P C C C      ==>         P C C C      ==>         C C P C      ==>         C C P C
  P C C C                  P C C C                  C P C C                  C P C C

Square Attack: Three Rounds of AES

Input pattern:

  P C C C
  C C C C
  C C C C
  C C C C

Pattern movement (before first round):

  P C C C                  P C C C
  C C C C   AddRoundKey    C C C C
  C C C C      ==>         C C C C
  C C C C                  C C C C

Pattern movement (first round):

  P C C C                  P C C C                  P C C C                  P C C C
  C C C C    ByteSub       C C C C    ShiftRow      C C C C   AddRoundKey    C C C C
  C C C C      ==>         C C C C      ==>         C C C C      ==>         C C C C
  C C C C                  C C C C                  C C C C                  C C C C

Square Attack: Four Rounds of AES