Cryptography CS 555

Lecture 7

Department of Computer Sciences
Purdue University

Fall 2003/Lecture 7 1
Announcements
• Distributed Data Mining Group meeting
  – Profs. Chris Clifton & Mike Atallah
  – meets on Wednesdays from 2pm to 3pm
  – privacy-preserving data mining
  – mailing list: ddm
• My office hours:
  – Tuesday 3pm to 4pm
  – Wednesday 11:30am to 12:30pm

Review of semantic security
• Plaintext recovery security against adaptive chosen-ciphertext attackers:

  Challenger                                   Attacker
  1. picks random k, M
        ------------ C = Ek[M] ------------->
        <----------- Ci ≠ C -----------------   }
        ------------ Dk[Ci] ---------------->   } repeat n times
        <----------- M' ---------------------
  Attacker wins the game if M = M'

Semantic Security against Eavesdroppers
• A cipher is (t, ε) semantically secure against eavesdroppers if no t-time attacker wins the following game with probability ≥ 0.5 + ε

  Challenger                                   Attacker
  1. picks random k                            2. picks M0, M1 of equal length
        <----------- M0, M1 -----------------
  3. picks random b ∈ {0,1}
        ------------ C = Ek[Mb] ------------>
        <----------- b' ∈ {0,1} -------------
  Attacker wins the game if b = b'

Lecture Outline
• AES
• Other block ciphers

Recommended Reading
• Stinson: 3.6
• Stallings: 5.1 and 5.2, 6.2 (for Blowfish), 6.5 (for RC4)

Advanced Encryption Standard
• In 1997, NIST made a formal call for algorithms, stipulating that the AES would specify an unclassified, publicly disclosed encryption algorithm, available royalty-free worldwide.
• Goal: replace DES for both government and private-sector encryption.
• The algorithm must implement symmetric-key cryptography as a block cipher and (at a minimum) support a block size of 128 bits and key sizes of 128, 192, and 256 bits.
• In 1998, NIST announced a group of 15 AES candidate algorithms.

AES Selection Process
• In 1999, the selection was narrowed from 15 to 5 candidates: MARS, RC6, Rijndael, Serpent, and Twofish.
• All five candidates were thought to be secure.
• Criteria for selecting AES: security, robustness, speed.
• On October 2, 2000, NIST announced that it had selected Rijndael (invented by Joan Daemen and Vincent Rijmen) as the proposed AES.
• In February 2001, FIPS 197 (AES) was published for public review and comments.

AES Evaluation: Criteria for Initial Selection
• Security:
  – randomness, soundness, results of cryptanalysis during evaluation
• Cost:
  – royalty-free, computational efficiency, memory requirement
• Flexibility
• Hardware & software suitability
• Simplicity

AES Evaluation
• Criteria of the final evaluation
  – general security
  – software implementation performance
  – hardware implementation (size & performance)
  – restricted-space environments
  – attacks on implementations
  – encryption vs. decryption
  – key agility
  – other versatility and flexibility
    • parameter flexibility
    • possibility of optimizing cipher elements for particular environments
  – potential for instruction-level parallelism

Rijndael Features
• Designed to be efficient in both hardware and software across a variety of platforms.
• Not a Feistel network.
• Uses a variable block size (128, 192, or 256 bits) and key size (128, 192, or 256 bits).
• Variable number of rounds (10, 12, 14):
  – 10 if B = K = 128 bits
  – 12 if either B or K is 192 bits and the other is ≤ 192 bits
  – 14 if either B or K is 256 bits
• Note: AES uses a 128-bit block size.

Overview of Rijndael/AES
• Variable number of rounds (10, 12, 14):
  – 10 if K is 128 bits
  – 12 if K is 192 bits
  – 14 if K is 256 bits
• A 128-bit round key is used for each round:
  – 128 bits = 16 bytes = 4 words
  – needs Nr+1 round keys for Nr rounds
  – needs 44 words for a 128-bit key (10 rounds)
• State: 4 by 4 array of bytes
  – 128 bits = 16 bytes

Rijndael: High-Level Description
  State = X
  AddRoundKey(State, Key0)          (op1)
  for r = 1 to Nr - 1
      SubBytes(State, S-box)        (op2)
      ShiftRows(State)              (op3)
      MixColumns(State)             (op4)
      AddRoundKey(State, Keyr)
  endfor
  SubBytes(State, S-box)
  ShiftRows(State)
  AddRoundKey(State, KeyNr)
  Y = State

AddRoundKey
State is represented as follows (16 bytes):

  S0,0  S0,1  S0,2  S0,3
  S1,0  S1,1  S1,2  S1,3
  S2,0  S2,1  S2,2  S2,3
  S3,0  S3,1  S3,2  S3,3

AddRoundKey(State, Key):
  State ← State ⊕ Key   (each of the 16 state bytes is XORed with the corresponding round-key byte)

SubBytes
• Byte substitution using a non-linear S-box (applied independently to each byte).
• The S-box is represented as a 16x16 array, rows and columns indexed by hexadecimal digits.
• Each byte is replaced as follows: its 8 bits define a two-digit hexadecimal number rc; then sr,c = S-box(r, c).
• How is the AES S-box different from the DES S-boxes?
  – Only one S-box
  – S-box based on modular arithmetic with polynomials; can be defined algebraically, not random
  – Easy to analyze, prove attacks fail

S-box Table
      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
  0  63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
  1  CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
  2  B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
  3  04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
  4  09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
  5  53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
  6  D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
  7  51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
  8  CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
  9  60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
  A  E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
  B  E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
  C  BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
  D  70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
  E  E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
  F  8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16

Example: the byte 0x53 (row 5, column 3) is replaced with 0xED.

ShiftRows
Row r of the State is rotated left by r byte positions (row 0 is unchanged):

  before                          after
  S0,0 S0,1 S0,2 S0,3             S0,0 S0,1 S0,2 S0,3
  S1,0 S1,1 S1,2 S1,3     ->      S1,1 S1,2 S1,3 S1,0
  S2,0 S2,1 S2,2 S2,3             S2,2 S2,3 S2,0 S2,1
  S3,0 S3,1 S3,2 S3,3             S3,3 S3,0 S3,1 S3,2

MixColumns
• Interpret each column as a vector of length 4.
• Each column of the State is replaced by another column obtained by multiplying that column by a fixed matrix over a particular finite field.

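Added example (not code from the slides): the two diffusion steps on a 4x4 byte State, with MixColumns done as a matrix product over GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1, plus the inverse matrix so that decryption's InvMixColumns can be checked against it. The state[r][c] layout and the sample column are my own choices; the matrices are those of the AES specification.

```python
def xtime(a):
    """Multiply a GF(2^8) element by x (0x02) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """General GF(2^8) product via repeated xtime (shift-and-add)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

# Fixed MixColumns matrix from the AES spec and its inverse (used by decryption).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def shift_rows(state):
    """state[r][c]: row r is rotated left by r positions, i.e. S[r][c] <- S[r][(c + r) mod 4]."""
    return [[state[r][(c + r) % 4] for c in range(4)] for r in range(4)]

def mix_columns(state, matrix=MIX):
    """Replace each column by matrix * column; products in GF(2^8), sums are XOR."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gmul(matrix[r][k], state[k][c])
    return out

def demo():
    # Constructed sample State: column 0 is the classic test column db 13 53 45;
    # columns 1 and 2 are fixed points of MixColumns, column 3 is all zero.
    state = [[0xDB, 0x01, 0xC6, 0x00],
             [0x13, 0x01, 0xC6, 0x00],
             [0x53, 0x01, 0xC6, 0x00],
             [0x45, 0x01, 0xC6, 0x00]]
    mixed = mix_columns(state)
    assert mix_columns(mixed, INV_MIX) == state   # InvMixColumns undoes MixColumns
    return [mixed[r][0] for r in range(4)]         # column 0 after mixing
```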
Key Expansion
  KeyExpansion(byte key[16], word w[44])
  {
      word temp;
      for (i = 0; i < 4; i++)
          w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
      for (i = 4; i < 44; i++) {
          temp = w[i-1];
          if (i mod 4 == 0)
              temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
          w[i] = w[i-4] ⊕ temp;
      }
  }

  RotWord([byte0, byte1, byte2, byte3]) = [byte1, byte2, byte3, byte0]
  SubWord([byte0, byte1, byte2, byte3]) = [Sbox[byte0], Sbox[byte1], Sbox[byte2], Sbox[byte3]]
  Rcon[j] = (RC[j], 0, 0, 0)

    j       1   2   3   4   5   6   7   8   9  10
    RC[j]  01  02  04  08  10  20  40  80  1B  36

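Added example (my Python, not the lecture's code) serving both the SubBytes slides and the KeyExpansion routine above: the S-box is derived algebraically as the slides describe (multiplicative inverse in GF(2^8), then the affine map) rather than typed in, and the expansion follows the pseudocode with RotWord, SubWord and Rcon. The log/antilog tables over the generator 0x03 are my implementation choice; the test key is the one in FIPS-197 Appendix A.

```python
def xtime(a):
    """Multiply by x (0x02) in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def make_sbox():
    """S[b] = affine(b^-1): the AES S-box computed from the field arithmetic."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                 # 0x03 generates GF(2^8)*, so exp[i] = 3^i
        exp[i], log[x] = x, i
        x ^= xtime(x)                    # x * 0x03 = x * 0x02 + x
    sbox = []
    for b in range(256):
        inv = 0 if b == 0 else exp[(255 - log[b]) % 255]   # b^-1 = 3^(255 - log b)
        s = inv
        for k in range(1, 5):            # affine map: b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

RC = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]   # RC[1..10]

def key_expansion(key, sbox):
    """Expand a 16-byte key into w[0..43]; each word is a 4-byte list, w[4r..4r+3] is round key r."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]               # RotWord
            temp = [sbox[byte] for byte in temp]     # SubWord
            temp[0] ^= RC[i // 4 - 1]                # Rcon[i/4] = (RC[i/4], 0, 0, 0)
        w.append([w[i - 4][k] ^ temp[k] for k in range(4)])
    return w

def round_key_hex(w, r):
    """Hex string of round key r (words 4r..4r+3)."""
    return "".join(bytes(word).hex() for word in w[4 * r:4 * r + 4])
```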
Summary of Rijndael
• Rijndael's strength is in design simplicity, rich algebraic structure, and efficiency.
• The algorithm is composed of three layers:
  – Linear diffusion
  – Non-linear diffusion
  – Key mixing

Decryption
• The decryption algorithm is not identical to the encryption algorithm, but uses the same key schedule.
• There is also a way of implementing decryption with an algorithm that is equivalent to the encryption algorithm (each operation replaced with its inverse); however, in this case the key schedule must be changed.

Rijndael Cryptanalysis
• Resistant to linear and differential cryptanalysis
• Differential trail
  – Probability that a given input difference pattern a' produces an output difference of b'
  – The S-box and multiplication polynomial are chosen to minimize the maximum difference probability

Rijndael Cryptanalysis
• Academic break on a weaker version of the cipher (9 rounds)
• Requires 2^224 work and 2^85 chosen related-key plaintexts.
• Attack not practical.

AES Encryption Modes
• ECB
• CBC
• CFB
• OFB
• CTR

Modern Block Ciphers
• Variable key length
• Mixed operators: use more than one arithmetic and/or Boolean operator; this can provide non-linearity
• Data-dependent rotation
• Key-dependent S-boxes
• Lengthy key schedule algorithm
• Variable plaintext/ciphertext block length
• Variable number of rounds
• Operation on both data halves each round
• Variable F function (varies from round to round)
• Key-dependent rotation

International Data Encryption Algorithm (IDEA)
• Originally designed by Massey and Lai at ETH (Zurich), 1990.
• Based on mixing operations from different algebraic groups (XOR, addition mod 2^16, multiplication mod 2^16 + 1).
• All operations are on 16-bit sub-blocks, with no permutations used.
• Speed: faster than DES in software.

IDEA
• Design goals:
  – Block length: deter statistical analysis
  – Key length: deter exhaustive search
• Features:
  – 128-bit key
  – 64-bit blocks
  – 8 rounds
  – operates on 16-bit numbers

IDEA: Encryption
• The 64-bit data block is divided into 4 parts: X1 X2 X3 X4
• In each of eight rounds with 14 steps, the sub-blocks are XORed, added, and multiplied with one another and with six 16-bit sub-blocks of key material, and the second and third sub-blocks are swapped.
• Finally, some more key material is combined with the sub-blocks.

IDEA Key Schedule
• Total of 52 subkeys: 6*8 + 4
• Subkeys are generated by dividing the 128-bit key into 8 x 16-bit keys. Every time more subkeys are needed, rotate the key left by 25 bits and divide it again into 8 subkeys.
• The decryption keys are a little more difficult to generate.

IDEA Cryptanalysis
• Currently there is no known practical attack against IDEA.
• Appears secure against differential cryptanalysis.
• Key length protects against exhaustive search.
• IDEA has weak keys, avoided at key generation.

Blowfish
• A symmetric block cipher designed by Bruce Schneier in 1993/94.
• Fast implementation on 32-bit CPUs.
• Compact: runs in less than 5K of memory.
• Simple to implement and to analyze its strength.
• Variable security: can give it larger keys.

Blowfish Key Generation
• Block size is 64 bits
• Number of rounds is 16
• Uses a key of variable size, from 32 to 448 bits.
• The key is used to generate:
  – 18 32-bit subkeys stored in the P-array
  – 4 8x32 S-boxes stored in the S-arrays
• Requires 521 encryptions, so it has slow rekeying.

Blowfish Cryptanalysis
• Key-dependent S-boxes and subkeys, generated using the cipher itself, make analysis very difficult.
• Changing both halves in each round increases security.
• Provided the key is large enough, brute-force key search is not practical.

Blowfish Speed
From www.counterpane.com

  Algorithm    Clock cycles per round   # rounds   # of clock cycles per byte encrypted   Notes
  Blowfish              9                  16                   18                       free
  RC5                  12                  16                   23                       RSA Security
  DES                  18                  16                   45                       56-bit key
  IDEA                 50                   8                   50                       Ascom-Systec
  Triple-DES           18                  48                  108

RC5
• Proprietary cipher owned by RSA Data Security (designed by Ron Rivest).
• Very fast, operates on words.
• Variable key size, block size and number of rounds.
• Clean and simple design.
• Low memory requirement.
• Data-dependent rotations that strengthen the algorithm against cryptanalysis.

RC5 Features
• RC5 is a family of ciphers RC5-w/r/b
  – w = word size in bits (16/32/64); the data block is 2w bits
  – r = number of rounds (0..255)
  – b = number of bytes in the key (0..255)
• Nominal version is RC5-32/12/16
  – 32-bit words, so it encrypts 64-bit data blocks
  – using 12 rounds
  – 16-byte (128-bit) secret key

RC5 Key Schedule
• RC5 uses T = 2r+2 subkey words (w bits each)
• Subkeys are stored in the array S[i], i = 0..T-1
• Initialize S to a fixed pseudorandom value
• The b-byte key is copied (little-endian) into a c-word array L
• A mixing operation then combines L and S to form the final S array

RC5 Encryption
  L0 = A + S[0]
  R0 = B + S[1]
  for i = 1 to r do
      Li = ((Li-1 ⊕ Ri-1) <<< Ri-1) + S[2*i]
      Ri = ((Ri-1 ⊕ Li) <<< Li) + S[2*i + 1]

• Rotation is the main source of non-linearity
• x <<< y: cyclic rotation of word x left by y bits
• x >>> y: cyclic rotation of word x right by y bits

RC5 Decryption
  for i = r down to 1 do
      Ri-1 = ((Ri - S[2*i + 1]) >>> Li) ⊕ Li
      Li-1 = ((Li - S[2*i]) >>> Ri-1) ⊕ Ri-1
  B = R0 - S[1]
  A = L0 - S[0]

• x <<< y: cyclic rotation of word x left by y bits
• x >>> y: cyclic rotation of word x right by y bits

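Added example (my Python, not from the slides) for the RC5 encryption and decryption loops above, with the key schedule the earlier slide only sketches: the initialisation constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9 and the 3*max(t, c) mixing passes are taken from Rivest's RC5 specification, not from this page. Rotation amounts are reduced mod w inside the helpers, which is what lets the data-dependent amounts Li and Ri be used directly.

```python
W = 32                                   # word size in bits (RC5-32)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9        # RC5 constants from Rivest's spec (not on the slides)

def rotl(x, y):
    """x <<< y: cyclic left rotation of a w-bit word; only the low log2(w) bits of y matter."""
    y %= W
    return ((x << y) | (x >> (W - y))) & MASK

def rotr(x, y):
    """x >>> y: cyclic right rotation, the inverse of rotl for the same y."""
    y %= W
    return ((x >> y) | (x << (W - y))) & MASK

def rc5_key_schedule(key, r=12):
    """Expand a b-byte key into the T = 2r+2 subkey words S[0..T-1]."""
    u = W // 8                                    # bytes per word
    c = max(1, (len(key) + u - 1) // u)           # words in L
    L = [0] * c
    for i in reversed(range(len(key))):           # little-endian copy of the key into L
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * r + 2
    S = [P32] * t                                 # fixed pseudorandom initial S
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    A = B = i = j = 0                             # mix L into S, 3*max(t, c) times
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt(S, A, B, r=12):
    """One 2w-bit block (A, B) through r rounds, exactly as on the encryption slide."""
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B

def rc5_decrypt(S, A, B, r=12):
    """Rounds undone from r down to 1; B is restored first because it was updated last."""
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK
```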
RC5 Encryption Modes
• RC5 Block Cipher is ECB mode.
• RC5-CBC is CBC mode.
• RC5-CBC-PAD is CBC with padding bytes whose value is the number of padding bytes.
• RC5-CTS, a variant of CBC, uses ciphertext stealing to keep the ciphertext the same size as the original message: it handles plaintext of any size and produces ciphertext of equal size.

Summary
• AES (128-bit block size, key size 128, 192, or 256 bits) is the new encryption standard that replaced DES. No practical attack is known.

Next Lecture…
• Hash functions: MD family, SHA1, HMAC
• Recommended reading:
  – Stinson 4.1, 4.2, 4.3
  – Stallings Chapter 12
  – BR: Chapter 6