Cryptography CS 555: Department of Computer Sciences Purdue University
Lecture 7
Fall 2003/Lecture 7 1
Announcements
• Distributed Data Mining Group meeting
– Profs. Chris Clifton & Mike Atallah
– meets on Wednesdays from 2pm to 3pm
– privacy-preserving data mining
– mailing list: ddm
• My office hour:
– Tuesday 3pm to 4pm,
– Wednesday 11:30am to 12:30pm
Review of semantic security
Challenger                          Attacker
1. picks random k, M;
   sends C = E_k[M]      --- C --->
                         <-- C_i ---     picks C_i (C_i ≠ C)
   replies D_k[C_i]      --- D_k[C_i] -->
                                         (repeat n times)
                         <-- M' ---      outputs guess M'
Attacker wins game if M = M'
Semantic Security against Eavesdroppers
• A cipher is (t, ) semantically secure against eavesdroppers if no t-time attacker wins the following game with prob. 0.5 +
Challenger                 Attacker
1. picks random k          2. picks M0, M1 of equal length
             <-- M0, M1 --
• AES
• Other block ciphers
Recommended Reading
• Stinson: 3.6
• Stallings: 5.1 and 5.2, 6.2 (for Blowfish), 6.5 (for RC4)
Advanced Encryption Standard
• In 1997, NIST made a formal call for algorithms
stipulating that the AES would specify an
unclassified, publicly disclosed encryption
algorithm, available royalty-free, worldwide.
• Goal: replace DES for both government and
private-sector encryption.
• The algorithm must implement symmetric-key cryptography as a block cipher and (at a minimum) support a block size of 128 bits and key sizes of 128, 192, and 256 bits.
• In 1998, NIST announced a group of 15 AES candidate algorithms.
AES Selection Process
• In 1999, out of the 15, the selection was narrowed to 5 candidates: MARS, RC6, Rijndael, Serpent, and Twofish.
• All five candidates were thought to be secure
• Criteria for selecting AES: security, robustness, speed
AES Evaluation: Criteria for Initial Selection
• Security:
– randomness, soundness, results of cryptanalysis during evaluation
• Cost:
– royalty-free, computational efficiency, memory requirement
• Flexibility
• Hardware & software suitability
• Simplicity
AES Evaluation
Rijndael Features
• Designed to be efficient in both hardware and software across a variety of platforms.
• Not a Feistel network
• Uses a variable block size (B) of 128, 192, or 256 bits and a key size (K) of 128, 192, or 256 bits.
• Variable number of rounds (10, 12, 14):
– 10 if B = K = 128 bits
– 12 if the larger of B and K is 192 bits
– 14 if either B or K is 256 bits
• Note: AES uses a 128-bit block size.
Overview of Rijndael/AES
• Variable number of rounds (10, 12, 14):
– 10 if K is 128 bits
– 12 if K is 192 bits
– 14 if K is 256 bits
• 128-bit round key used for each round:
– 128 bits = 16 bytes = 4 words
– needs Nr+1 round keys for Nr rounds
– needs 44 words for a 128-bit key (10 rounds)
• State: 4 by 4 array of bytes
– 128 bits = 16 bytes
Rijndael: High-Level Description
State = X
AddRoundKey(State, Key_0)        (op1)
for r = 1 to Nr - 1
    SubBytes(State, S-box)       (op2)
    ShiftRows(State)             (op3)
    MixColumns(State)            (op4)
    AddRoundKey(State, Key_r)
endfor
SubBytes(State, S-box)
ShiftRows(State)
AddRoundKey(State, Key_Nr)
Y = State
AddRoundKey
State is represented as follows (16 bytes, 4 rows by 4 columns):
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
S-box Table (row = high nibble of the input byte, column = low nibble)
    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0  63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1  CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2  B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3  04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4  09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5  53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6  D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7  51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8  CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9  60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A  E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B  E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C  BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D  70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E  E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F  8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
ShiftRows
MixColumns
• Interpret each column as a vector of length 4.
• Each column of State is replaced by another
column obtained by multiplying that column with a
matrix in a particular field.
Key Expansion
KeyExpansion(byte key[16], word w[44])
    word temp;
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    for (i = 4; i < 44; i++) {
        temp = w[i-1];
        if (i mod 4 == 0)
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
        w[i] = w[i-4] ⊕ temp;
    }
Key Expansion
RotWord([byte0, byte1, byte2, byte3])
    = [byte1, byte2, byte3, byte0]
SubWord([byte0, byte1, byte2, byte3])
    = [Sbox[byte0], Sbox[byte1], Sbox[byte2], Sbox[byte3]]
Rcon[j] = (RC[j], 0, 0, 0)
    j      1  2  3  4  5  6  7  8  9  10
    RC[j]  01 02 04 08 10 20 40 80 1B 36
Summary of Rijndael
Decryption
• The decryption algorithm is not identical to the encryption algorithm, but uses the same key schedule.
• There is also a way of implementing the decryption with an algorithm that is equivalent to the encryption algorithm (each operation replaced with its inverse); however, in this case the key schedule must be changed.
Rijndael Cryptanalysis
• Resistant to linear and differential cryptanalysis
• Differential trail
– Probability that a given difference pattern a' at the input produces an output difference of b'
– Choose the S-box and the multiplication polynomial to minimize the maximum difference probability
Rijndael Cryptanalysis
• Academic break on a weaker version of the cipher (9 rounds)
• Requires 2^224 work and 2^85 chosen related-key plaintexts.
• Attack not practical.
AES Encryption Modes
• ECB
• CBC
• CFB
• OFB
• CTR
Modern Block Ciphers
• Variable key length
• Mixed operators: use more than one arithmetic and/or Boolean operation; this can provide non-linearity
• Data dependent rotation
• Key-dependent S-boxes
• Lengthy key schedule algorithm
• Variable plaintext/ciphertext block length
• Variable number of rounds
• Operation on both data halves each round
• Variable F function (varies from round to round)
• Key-dependent rotation
International Data Encryption Algorithm (IDEA)
• Originally designed by Massey and Lai at ETH (Zurich), 1990.
• Based on mixing operations from different algebraic groups (XOR, addition mod 2^16, multiplication mod 2^16 + 1).
• All operations are on 16-bit sub-blocks, with no permutations used.
• Speed: faster than DES in software.
IDEA
• Design goals:
– Block length: deter statistical analysis
– Key length: deter exhaustive search
• Features:
– 128-bit key
– 64-bit blocks
– 8 rounds
– operates on 16-bit numbers
IDEA: Encryption
IDEA Key Schedule
• Total of 52 subkeys: 6*8 + 4
• Subkeys are generated by dividing the 128-bit key into 8 16-bit subkeys. Every time more subkeys are needed, rotate the key left by 25 bits and divide it again into 8 subkeys.
• The decryption keys are a little more difficult to generate.
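The three IDEA group operations and the subkey generation from the two IDEA slides above, as an added example that is not part of the lecture notes: XOR, addition mod 2^16 and multiplication mod 2^16 + 1 with the IDEA convention that the 16-bit value 0 stands for 2^16, plus the rotate-left-25 encryption key schedule that yields 52 subkeys. The multiplicative-inverse helper is included because the decryption subkeys (which the slide says are harder to derive) need it. Function names are my own, and the key 0001 0002 ... 0008 used in the demo is a constructed sample value.

```python
MASK16 = 0xFFFF
MOD_ADD = 1 << 16        # addition is mod 2^16
MOD_MUL = (1 << 16) + 1  # multiplication is mod 2^16 + 1, which is prime


def idea_xor(a, b):
    """Bitwise XOR of two 16-bit sub-blocks."""
    return (a ^ b) & MASK16


def idea_add(a, b):
    """Addition mod 2^16."""
    return (a + b) & MASK16


def idea_mul(a, b):
    """Multiplication mod 2^16 + 1; the 16-bit value 0 represents 2^16."""
    x = a or MOD_ADD
    y = b or MOD_ADD
    return ((x * y) % MOD_MUL) & MASK16  # a result of 2^16 maps back to 0


def idea_mul_inverse(a):
    """Multiplicative inverse mod 2^16 + 1 (Fermat: a^(p-2) mod p), for decryption subkeys."""
    x = a or MOD_ADD
    return pow(x, MOD_MUL - 2, MOD_MUL) & MASK16


def idea_add_inverse(a):
    """Additive inverse mod 2^16, also needed for the decryption subkeys."""
    return (-a) & MASK16


def idea_encrypt_subkeys(key):
    """52 subkeys = 8 rounds * 6 + 4 for the output transformation.

    Split the 128-bit key into eight 16-bit words (most significant first);
    whenever more are needed, rotate the whole key left by 25 bits and split again.
    """
    if len(key) != 16:
        raise ValueError("IDEA uses a 128-bit key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys.extend((k >> (16 * (7 - i))) & MASK16 for i in range(8))
        k = ((k << 25) | (k >> (128 - 25))) & ((1 << 128) - 1)  # rotate left 25 bits
    return subkeys[:52]


if __name__ == "__main__":
    sample_key = bytes.fromhex("00010002000300040005000600070008")  # constructed sample
    z = idea_encrypt_subkeys(sample_key)
    print([hex(v) for v in z[:16]])
    print(hex(idea_mul(2, idea_mul_inverse(2))))  # 0x1
```

The 0-as-2^16 rule is what makes the multiplication a group operation on 16-bit values: every sub-block, including 0, has an inverse, so the decryption subkeys are well defined.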
IDEA Cryptanalysis
Blowfish
Blowfish Key Generation
• Block size is 64 bits
• Number of rounds is 16
• Uses a key of variable size, from 32 to 448 bits.
• The key is used to generate:
– 18 32-bit subkeys stored in the P-array
– 4 8x32 S-boxes stored in the S-arrays
• Requires 521 encryptions, so it has a slow rekeying.
Blowfish Cryptanalysis
Blowfish Speed
From www.counterpane.com
Algorithm    Clock cycles per round   # rounds   Clock cycles per byte encrypted   Notes
Blowfish     9                        16         18                                free
Triple-DES   18                       48         108
RC5
RC5 Features
• RC5 is a family of ciphers RC5-w/r/b
– w = word size in bits (16/32/64); block size = 2w bits
– r = number of rounds (0..255)
– b = number of bytes in the key (0..255)
• Nominal version is RC5-32/12/16
– 32-bit words, so encrypts 64-bit data blocks
– Using 12 rounds
– 16-byte (128-bit) secret key
RC5 Key Schedule
• RC5 uses t = 2r + 2 subkey words (w bits each)
• Subkeys are stored in array S[i], i = 0..t-1
• Initialize S to a fixed pseudorandom value
• The byte key is copied (little-endian) into a c-word array L
• A mixing operation then combines L and S to form the final S array
RC5 Encryption
L_0 = A + S[0]
R_0 = B + S[1]
for i = 1 to r do
    L_i = ((L_{i-1} ⊕ R_{i-1}) <<< R_{i-1}) + S[2i]
    R_i = ((R_{i-1} ⊕ L_i) <<< L_i) + S[2i+1]
(additions are mod 2^w; x <<< y rotates x left by the low log2(w) bits of y)
RC5 Decryption
for i = r down to 1 do
    R_{i-1} = ((R_i - S[2i+1]) >>> L_i) ⊕ L_i
    L_{i-1} = ((L_i - S[2i]) >>> R_{i-1}) ⊕ R_{i-1}
B = R_0 - S[1]
A = L_0 - S[0]
RC5 Encryption Modes
Summary
Next Lecture…