0 views

Original Title: Mod2 Crypt

Uploaded by Akil Kumar

Mod2 Crypt

Module 2 SIC

© All Rights Reserved

- Lesson 1493761882
- ch03
- Unit 1
- A Des Example
- Introduction NS Report
- Buick i an David Cryptology Cryptanalysis
- Final Project Report
- Master Resume
- A new approach to ward off Error Propagation Effect of AES –
- 716
- Cloud Data Security using Elliptical Curve Cryptography
- Mod3 Crypto
- Mod1 Cryptography
- C02 Wireless Transmission 1
- Advanced Computer Networks 2012 June (2006 Ad)
- Advanced Computer Networks 2009 Nov (2006 Ad)
- DBMS LOCK Emea the Traffic Lights Sessions
- Bucklimng of Composite Plates
- Essential Oils Extraction Bioactivities and Their Uses for Food Preservation.pdf
- CBSE Class 11 Phyiscs MCQs - Set 7

You are on page 1of 72

STANDARD

BLOCK VS STREAM CIPHERS

block ciphers process messages in blocks, each of

which is then en/decrypted

like a substitution on very big characters

64-bits or more

stream ciphers process messages a bit or byte at

a time when en/decrypting

many current ciphers are block ciphers

BLOCK CIPHERS

A block cipher operates on a plaintext block of n bits to

produce a ciphertext block of n bits.

A block cipher is an encryption/decryption scheme in which a

block of plaintext is treated as a whole and used to produce a

ciphertext block of equal length

Typically, a block size of 64 or 128 bits is used

FEISTEL CIPHER STRUCTURE

It is a design model

A cryptographic system based on Feistel cipher

structure uses the same algorithm for both encryption

and decryption.

BLOCK CIPHER PRINCIPLES

most symmetric block ciphers are based

on a Feistel Cipher Structure

block ciphers look like an extremely large

substitution

would need table of 264 entries for a 64-bit

block

instead create from smaller building

blocks

using idea of a product cipher

IDEAL BLOCK CIPHER

CLAUDE SHANNON AND

SUBSTITUTION-PERMUTATION

CIPHERS

Claude Shannon introduced idea of

substitution-permutation (S-P) networks

in 1949 paper

form basis of modern block ciphers

cryptographic operations seen before:

(S-box)

substitution

permutation (P-box)

provide confusion & diffusion of message

& key

CONFUSION AND DIFFUSION

cipher needs to be completely obscure statistical

properties of original message

a one-time pad does this

more practically Shannon suggested combining S & P

elements to obtain:

In diffusion, the statistical structure of the plaintext is

dissipated into long-range statistics of the ciphertext.

This is achieved by having each plaintext digit affect

the value of many ciphertext digits; generally, this is

equivalent to having each ciphertext digit be affected by

many plaintext digits

On the other hand, confusion seeks to make the

relationship between the statistics of the ciphertext

and the value of the encryption key as complex as

possible, again to thwart attempts to discover the key.

Thus, even if the attacker can get some handle on the

statistics of the ciphertext, the way in which the key

was used to produce that ciphertext is so complex as to

make it difficult to deduce the key. This is achieved by

the use of a complex substitution algorithm.

FEISTEL CIPHER ENCRYPTION

The input block to each round is divided into two halves

that can be denoted as L and R for the left half and the

right half.

In each round, the right half of the block, R, goes through

that depends on R and the encryption key. First, we apply

an encrypting function f that takes two input the key K

and R. The function produces the output f(R,K). Then, we

XOR the output of the mathematical function with L.

In real implementation of the Feistel Cipher, such as DES,

round, a round-dependent key (a subkey) is derived from

the encryption key. This means that each round uses a

different key, although all these subkeys are related to the

original key.

The permutation step at the end of each round

swaps the modified L and unmodified R.

Therefore, the L for the next round would be R of

the current round. And R for the next round be

the output L of the current round.

Above substitution and permutation steps form a

round. The number of rounds are specified by

the algorithm design.

Once the last round is completed then the two

sub blocks, R and L are concatenated in this

order to form the ciphertext block.

FEISTEL CIPHER STRUCTURE

FEISTEL CIPHER DESIGN ELEMENTS

block size

key size

number of rounds

subkey generation algorithm

round function

fast software en/decryption

ease of analysis

FEISTEL CIPHER DECRYPTION

FEISTEL CIPHER DECRYPTION

The process of decryption with a Feistel cipher is

essentially the same as the encryption process.

The rule is as follows: Use the ciphertext as input

to the algorithm, but use the subkeys Ki in

reverse order.

That is, use Kn in the first round, Kn1 in the

second round, and so on until K1 is used in the

last round.

This is a nice feature because it means we need

not implement two different algorithms, one for

encryption and one for decryption.

DATA ENCRYPTION

STANDARD (DES)

most widely used block cipher in world

DES is an implementation of a Feistel Cipher.

It uses 16 round Feistel structure.

The block size is 64-bit.

Though, key length is 64-bit, DES has an effective key

length of 56 bits, since 8 of the 64 bits of the key are not

used by the encryption algorithm

adopted in 1977 by NBS (now NIST)

as FIPS PUB 46

DES HISTORY

IBM developed Lucifer cipher

by team led by Feistel in late 60s

used 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher with

input from NSA and others

in 1973 NBS issued request for proposals for a

national cipher standard

IBM submitted their revised Lucifer which was

eventually accepted as the DES

DES ENCRYPTION OVERVIEW

STEPS:LEFT-HAND SIDE OF THE

FIGURE

The processing of the plaintext proceeds in three phases.

permutation (IP) that rearranges the bits to produce the

permuted input.

This is followed by a phase consisting of sixteen rounds

and substitution functions.

The output of the last (sixteenth) round consists of 64

key. The left and right halves of the output are swapped

to produce the preoutput.

Finally, the preoutput is passed through a permutation

produce the 64-bit ciphertext.

STEPS: RIGHT-HAND SIDE OF THE

FIGURE

Initially, the key is passed through a permutation

function.

Then, for each of the sixteen rounds, a subkey (Ki ) is

produced by the combination of a left circular shift and a

permutation.

The permutation function is the same for each round, but

a different sub key is produced because of the repeated

shifts of the key bits.

INITIAL PERMUTATION IP

first step of the data computation

IP reorders the input data bits

example:

004df6fb)

INITIAL PERMUTATION

DETAILS OF SINGLE ROUND

DES ROUND STRUCTURE

uses two 32-bit L & R halves

as for any Feistel cipher can describe as:

Li = Ri1

Ri = Li1 F(Ri1, Ki)

F takes 32-bit R half and 48-bit subkey:

expands R to 48-bits using perm E

adds to subkey using XOR

passes through 8 S-boxes to get 32-bit result

finally permutes using 32-bit perm P

DES ROUND STRUCTURE

SUBSTITUTION BOXES S

have eight S-boxes which map 6 to 4 bits

The first and last bits of the input to box form a 2-bit

binary number to select one of four substitutions

defined by the four rows.

The middle four bits select one of the sixteen columns.

The decimal value in the cell selected by the row and

column is then converted to its 4-bit representation to

produce the output.

For example, in S1, for input 011001, the row is 01 (row

1) and the column is 1100 (column 12).The value in row

1, column 12 is 9, so the output is 1001.

DES KEY SCHEDULE

forms subkeys used in each round

initial permutation of the key (PC1) which selects 56-

bits in two 28-bit halves

16 stages consisting of:

rotating each half separately either 1 or 2 places

depending on the key rotation schedule K

selecting 24-bits from each half & permuting them by PC2

note practical use issues in h/w vs s/w

DES DECRYPTION

decryption must unwind steps of data

computation

with Feistel design, do encryption steps again

using subkeys in reverse order (SK16 SK1)

IP undoes final FP step of encryption

1st round with SK16 undoes 16th encrypt round

.

16th round with SK1 undoes 1st encrypt round

then final FP undoes initial encryption IP

thus recovering original data value

AVALANCHE EFFECT

key desirable property of encryption alg

where a change of one input or key bit results in

changing approx half output bits

making attempts to home-in by guessing keys

impossible

DES exhibits strong avalanche

STRENGTH OF DES KEY SIZE

56-bit keys have 256 = 7.2 x 1016 values

brute force search looks hard

in 1997 on Internet in a few months

in 1998 on dedicated h/w (EFF) in a few days

in 1999 above combined in 22hrs!

still must be able to recognize plaintext

must now consider alternatives to DES

STRENGTH OF DES

ANALYTIC ATTACKS

now have several analytic attacks on DES

these utilise some deep structure of the

cipher

by gathering information about encryptions

can eventually recover some/all of the sub-key

bits

if necessary then exhaustively search for the

rest

generally these are statistical attacks

include

differentialcryptanalysis

linear cryptanalysis

related key attacks

STRENGTH OF DES TIMING

ATTACKS

attacks actual implementation of cipher

use knowledge of consequences of

implementation to derive information about

some/all subkey bits

specifically use fact that calculations can take

varying times depending on the value of the

inputs to it

particularly problematic on smartcards

DIFFERENTIAL CRYPTANALYSIS

one of the most significant recent (public)

advances in cryptanalysis

known by NSA in 70's cf DES design

Murphy, Biham & Shamir published in 90s

powerful method to analyse block ciphers

used to analyse most current block ciphers with

varying degrees of success

DES reasonably resistant to it, cf Lucifer

DIFFERENTIAL CRYPTANALYSIS

a statistical attack against Feistel ciphers

uses cipher structure not previously used

influenced by both input & key

hence cannot trace values back through cipher

without knowing value of the key

differential cryptanalysis compares two related

pairs of encryptions

DIFFERENTIAL

CRYPTANALYSIS COMPARES

PAIRS OF difference

with a known ENCRYPTIONS

in the input

searching for a known difference in output

when same subkeys are used

DIFFERENTIAL CRYPTANALYSIS

have some input difference giving some output

difference with probability p

if find instances of some higher probability

input / output difference pairs occurring

can infer subkey that was used in round

(with decreasing probabilities)

DIFFERENTIAL CRYPTANALYSIS

DIFFERENTIAL CRYPTANALYSIS

perform attack by repeatedly encrypting plaintext pairs

with known input XOR until obtain desired output XOR

when found

if intermediate rounds match required XOR have a right

pair

if not then have a wrong pair, relative ratio is S/N for attack

can then deduce keys values for the rounds

right pairs suggest same key bits

wrong pairs give random values

for large numbers of rounds, probability is so low that

more pairs are required than exist with 64-bit inputs

Biham and Shamir have shown how a 13-round iterated

characteristic can break the full 16-round DES

LINEAR CRYPTANALYSIS

another recent development

also a statistical method

must be iterated over rounds, with decreasing

probabilities

developed by Matsui et al in early 90's

based on finding linear approximations

can attack DES with 243 known plaintexts, easier

but still in practise infeasible

LINEAR CRYPTANALYSIS

find linear approximations with prob p !=

P[i1,i2,...,ia] C[j1,j2,...,jb] =

K[k1,k2,...,kc]

where ia,jb,kc are bit locations in

P,C,K

gives linear equation for key bits

DES DESIGN CRITERIA

as reported by Coppersmith in [COPP94]

7 criteria for S-boxes provide for

non-linearity

resistanceto differential cryptanalysis

good confusion

3 criteria for permutation P provide for

increased diffusion

BLOCK CIPHER DESIGN

basic principles still like Feistels in 1970s

number of rounds

more is better, exhaustive search best attack

function f:

provides confusion, is nonlinear, avalanche

have issues of how S-boxes are selected

key schedule

complex subkey creation, key avalanche

ADVANCED

ENCRYPTION

STANDARD

ORIGINS

clear a replacement for DES was needed

have theoretical attacks that can break it

have demonstrated exhaustive key search attacks

can use Triple-DES but slow, has small

blocks

US NIST issued call for ciphers in 1997

15 candidates accepted in Jun 98

5 were shortlisted in Aug-99

Rijndael was selected as the AES in Oct-2000

issued as FIPS PUB 197 standard in Nov-

2001

AES REQUIREMENTS

private key symmetric block cipher

128-bit data, 128/192/256-bit keys

stronger & faster than Triple-DES

active life of 20-30 years (+ archival use)

provide full specification & design details

both C & Java implementations

NIST have released all submissions &

unclassified analyses

AES EVALUATION CRITERIA

initial criteria:

security effort for practical cryptanalysis

cost in terms of computational efficiency

algorithm & implementation characteristics

final criteria

general security

ease of software & hardware implementation

implementation attacks

flexibility (in en/decrypt, keying, other factors)

AES SHORTLIST

after testing and evaluation, shortlist in Aug-

99:

MARS (IBM) - complex, fast, high security margin

RC6 (USA) - v. simple, v. fast, low security margin

Rijndael (Belgium) - clean, fast, good security margin

Serpent (Euro) - slow, clean, v. high security margin

Twofish (USA) - complex, v. fast, high security margin

then subject to further analysis & comment

saw contrast between algorithms with

fewcomplex rounds verses many simple rounds

which refined existing ciphers verses new proposals

THE AES CIPHER - RIJNDAEL

designed by Rijmen-Daemen in Belgium

has 128/192/256 bit keys, 128 bit data

an iterative rather than feistel cipher

processes data as block of 4 columns of 4 bytes

operates on entire data block in every round

designed to be:

resistantagainst known attacks

speed and code compactness on many CPUs

design simplicity

RIJNDAEL

data block of 4 columns of 4 bytes is state

key is expanded to array of words

byte substitution (1 S-box used on every byte)

shift rows (permute bytes between groups/columns)

mix columns (subs using matrix multipy of groups)

add round key (XOR state with key material)

view as alternating XOR key & scramble data bytes

initial XOR key material & incomplete last

round

with fast XOR & table lookup implementation

RIJNDAEL

BYTE SUBSTITUTION

a simple substitution of each byte

uses one table of 16x16 bytes containing a

permutation of all 256 8-bit values

each byte of state is replaced by byte indexed

by row (left 4-bits) & column (right 4-bits)

eg.byte {95} is replaced by byte in row 9 column 5

which has value {2A}

S-box constructed using defined

transformation of values in GF(28)

designed to be resistant to all known attacks

BYTE SUBSTITUTION

SHIFT ROWS

a circular byte shift in each each

1strow is unchanged

2nd row does 1 byte circular shift to left

3rd row does 2 byte circular shift to left

4th row does 3 byte circular shift to left

decrypt inverts using shifts to right

since state is processed by columns, this

step permutes bytes between the columns

SHIFT ROWS

MIX COLUMNS

each column is processed separately

each byte is replaced by a value dependent on all

4 bytes in the column

effectively a matrix multiplication in GF(28) using

MIX COLUMNS

MIX COLUMNS

can express each col as 4 equations

to derive each new byte in col

decryption requires use of inverse matrix

with larger coefficients, hence a little harder

have an alternate characterisation

each column a 4-term polynomial

with coefficients in GF(28)

and polynomials multiplied modulo (x4+1)

ADD ROUND KEY

XOR state with 128-bits of the round key

again processed by column (though effectively a

series of byte operations)

inverse for decryption identical

since XOR own inverse, with reversed keys

designed to be as simple as possible

a form of Vernam cipher on expanded key

requires other stages for complexity / security

ADD ROUND KEY

AES ROUND

AES KEY EXPANSION

takes 128-bit (16-byte) key and expands into

array of 44/52/60 32-bit words

start by copying key into first 4 words

in 3 of 4 cases just XOR these together

1st word in 4 has rotate + S-box + XOR round constant

on previous, before XOR 4th back

AES KEY EXPANSION

KEY EXPANSION RATIONALE

designed to resist known attacks

design criteria included

knowing part key insufficient to find many more

invertible transformation

fast on wide range of CPUs

use round constants to break symmetry

diffuse key bits into round keys

enough non-linearity to hinder analysis

simplicity of description

AES DECRYPTION

AES decryption is not identical to encryption

since steps done in reverse

but can define an equivalent inverse cipher with

steps as for encryption

but using inverses of each step

with a different key schedule

works since result is unchanged when

swap byte substitution & shift rows

swap mix columns & add (tweaked) round key

AES DECRYPTION

IMPLEMENTATION ASPECTS

can efficiently implement on 8-bit CPU

byte substitution works on bytes using a table of 256

entries

shift rows is simple byte shift

add round key works on byte XORs

mix columns requires matrix multiply in GF(28)

which works on byte values, can be simplified to use

table lookups & byte XORs

IMPLEMENTATION ASPECTS

can efficiently implement on 32-bit CPU

redefine steps to use 32-bit words

can precompute 4 tables of 256-words

then each column in each round can be computed

using 4 table lookups + 4 XORs

at a cost of 4Kb to store tables

designers believe this very efficient

implementation was a key factor in its selection

as the AES cipher

- Lesson 1493761882Uploaded bysanthi saranya
- ch03Uploaded byEli Priyatna
- Unit 1Uploaded byLivingston Sathya
- A Des ExampleUploaded bynagaraj
- Introduction NS ReportUploaded byYasser Al-mohammed
- Buick i an David Cryptology CryptanalysisUploaded by!nCrypted!
- Final Project ReportUploaded byAbhi Bhattacharya
- Master ResumeUploaded byGopi Ramena
- A new approach to ward off Error Propagation Effect of AES –Uploaded bydecker4449
- 716Uploaded byJorge
- Cloud Data Security using Elliptical Curve CryptographyUploaded byEditor IJRITCC

- DBMS LOCK Emea the Traffic Lights SessionsUploaded bypiciul7001
- Bucklimng of Composite PlatesUploaded bykiran_wakchaure
- Essential Oils Extraction Bioactivities and Their Uses for Food Preservation.pdfUploaded byAlexRivera
- CBSE Class 11 Phyiscs MCQs - Set 7Uploaded byAditya Manideep
- HDF5 R12.TutorUploaded byGiuseppe Onorevoli
- Economides, M.J., Watters, L.T. and Norman, S.D. - Petroleum Well ConstructionUploaded byArief Budiman Hermani
- BL Catalogue Ind 05 2014 EngUploaded byLaptuca Gabriel
- CAMA_LAB_10MEL68.pdfUploaded byshreedharkolekar
- Introduction to VissimUploaded byaldojudin
- Oracle SaaS Architecture.pdfUploaded byhalicarnas
- cmeadmUploaded bykhinhkha
- Classical ControlUploaded byQasim Ali
- antennas and types of radarUploaded byapi-273774225
- Oil & Gas - High ResolutionUploaded bySubhra S Sanyal
- Vijay ResumeUploaded bySaka Srikanth
- DoT Technical Circular-Bus Stop Design Standard Drawings 21Feb2012Uploaded byAnonymous zmYUcSP
- CS8251Uploaded byKamali Baskaran
- Avs Fencing Catalogue 2011Uploaded byAVSFencing
- Thermador T24IR800SPUploaded byPurcellMurray
- Erp-bpr-pdfUploaded byDavid
- Barringer Analyzer ReliabilityUploaded byTessfaye Wolde Gebretsadik
- Ccna TotalUploaded byJagpreet Singh Randhawa
- Principles of motors.docxUploaded byFabrizzio Reyes M
- Electrical power engineering Midterm W2014Uploaded bytlp5613
- fs-8000a_2Uploaded byly082319
- 14313_ch6 M61A1 GUN INSTALLATION.pdfUploaded bySeth Pulgar
- Das & Okubo-Lie Groups and Lie Algebras for Physicists.pdfUploaded byAlfredo Echegollen Guzmán
- centurywebsites-smallwebsitequotationUploaded byAritra G Moulik
- Gotthard Base Tunnel (1)Uploaded byAhmed Rabie
- IH61W-MHS_BIOS_120903Uploaded byoscar