Overview of

Cryptography
Modern Ciphers
 Block ciphers vs. Stream Ciphers
 Block ciphers operate on a block of data
 entire block must be available before processing
 Modern Ciphers
 Stream ciphers
process messages one
bit or byte at a time
when en/decrypting
 need not wait the
entire block

 Most ciphers are block ciphers

– but it is possible to use a block cipher
as a stream cipher (in some modes of
operations that we will see later)
DES (Data Encryption
Standard)
 most widely used block cipher in world
 adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 encrypts 64-bit data using 56-bit key
 had widespread use
 There has been considerable controversy over its
security
DES – Black box view
DES History
 IBM developed Lucifer cipher
 by team led by Horst Feistel (1971)
 used 64-bit data blocks with 128-bit key
 then redeveloped as a commercial cipher with input from
NSA and others
 in 1973 NBS issued request for proposals for a national
cipher standard
 IBM submitted their revised Lucifer which was eventually
accepted as the DES
 56-bit key size!
 recertified in 1983, 1987 and 1993
 3-DES (triple DES) has been issued as a new standard in
1999
DES Controversy

 Controversy over design

 inchoice of 56-bit key (vs Lucifer 128-bit)
 design criteria (of the S-boxes) were classified
 S-boxes were fine
 but 56-bits became problem for DES as time
goes by
 due to advances in cryptanalysis and electronics
 back in 1998 a project funded ($220K) by EFF
(Electronic Frontier Foundation) broke DES in less
than three days
Design of DES

 is not our concern in this course

 neither the details of cryptanalysis of DES
 will give only basic characteristics of DES in the next
few slides
DES Characteristics

 DES is basically a product cipher

 several rounds of substitutions and permutations
 actually not that simple 
 originally designed for hardware implementation
 software implementations validated in 1993
 but software DES is slow
DES Characteristics

 DES shows strong avalanche effect

 one bit change in the input affects on average half of the output bits
 to make attacks based on guessing difficult
 S-boxes are non-linear
 provides confusion
 i.e. makes relationship between ciphertext and key as complex as possible
Other Important Symmetric
Ciphers
 AES (Rjindael)
 3DES (Triple DES)
 Blowfish
 RC5
 IDEA
 RC4
What happened after DES
 Replacement for DES was needed
 vulnerability to cryptanalysis and practical brute-
force attacks
 AES is the new standard (will see)
 But took some time to standardize and deploy
 Meanwhile, some other ciphers are also used in
practice (will briefly discuss too)
 But we still needed an immediate replacement
of DES that can be standardized and deployed
easily
 This was 3DES
3DES (Triple DES)

 Another method for a strong cipher

 use multiple encryption with DES with different keys
 to preserve the investment in DES
 for quicker deployment
 Triple DES is chosen as a standard method
 Standardized by ANSI, ISO and NIST
Why not double DES?
 Double DES
 use DES two times with
two different keys
 Does not work due to meet-in-the-middle attack (which is a
known-plaintext attack)
 X = EK1[P] = DK2[C]
 Try all possible K1’s on P to create all possible X’s and store them
sorted
 Try all possible K2’s on C and match with above table
 may create some false-alarms, so do the same attack for another
plaintext-ciphertext pair
 If the same K1-K2 pairs match for the second plaintext-ciphertext pair,
then the correct keys are most probably found
 complexity of this attack is close to the complexity of the single-DES
brute-force attack, so double-DES is useless
3DES (Triple-DES)
 Three stages of DES
 with two different keys
 some attacks are possible but impractical
 Merkle and Hellman, 1981
 256 trials, but requires 256 plaintext-ciphertext pairs
 Oorschot and Wiener, 1990
 2120/n trials, where n is the number of plaintext-ciphertext pairs
 with three different keys
 Attack complexity increases and becomes impractical
Triple-Des with two/three keys

Caution: There
is an error in
the book

 E-D-E sequence
 use of decryption at the second stage does not reduce/increase the
security
 Why decryption in the middle stage?
Triple-DES with three keys
 For those who feel some concern about the attacks on two-key 3-DES
 E-D-E sequence
C = EK3[DK2[EK1[P]]]
 has been adopted by some Internet applications, eg PGP, S/MIME
Blowfish
 Developed by Bruce Schneier
 author of the book Applied Cryptography
 64-bit of block size
 Key size is variable
 one to fourteen 32-bit blocks
 32 to 448 bits
 provides a good trade-off between security and performance

 Fast and compact

 Has been implemented in numerous products
 including GnuPG, SSH
 see http://www.schneier.com/blowfish-products.html
 no known practical security problems
RC5
 Ron’s Code 5
 developed by Ron Rivest who is also co-inventor
of RSA cryptosystem
 owned and extensively used by RSA Inc.
 highly parametric
 word oriented processing that uses primitive
operations that can be found in instruction
sets of almost all microprocessors
RC5-w/r/b
 RC5 is actually a family of algorithms
 Parameters: w, r, b
 w: Word size
 16, 32 or 64 bits
 block size is 2*w
 r: Number of rounds
 0 .. 255
 b: key size in octets
 0 .. 255
 RC5 as suggested by Rivest is
 RC5-32/12/16
 32-bit words (i.e. 64 bit blocks), 12 rounds, 128-bit key size
IDEA
 International Data Encryption Algorithm
 Lai and Massey of ETH Zurich (Swiss Federal Institute of Technology),
1990/91
 64-bit blocks, 128-bit key size
 one of the early 128-bit algorithms
 not US originated, so no export restrictions
 used widely in PGP
AES (Advanced Encryption
Standard)
 Replacement needed for DES
 reasons discussed before
 3DES is a solution, but temporary
 3DES is slow in software
 3DES uses small blocks that makes even slower
 Need a new standard cipher
AES Events in Chronological
Order
 NIST issued call for a standard cipher in 1997
 international
 15 candidates (out of 21) accepted in June 98
 A shortlist of 5 selected in August 99
 Rijndael (from Belgium) was selected as the AES
in October 2000
 issued as FIPS PUB 197 standard in November
2001
AES Requirements
 private key symmetric block cipher
 128-bit data (block size)
 128/192/256-bit keys
 stronger & faster than Triple-DES
 active life of 20-30 years
 provide full specification and design details
5 AES candidates
 MARS (IBM)
 RC6 (USA)
 Rijndael (Belgium)
 Serpent (Europe)
 Twofish (USA)

 Europe vs. USA

 commercial vs. academic
 US based ones were all of commercial origin
AES Evaluation Criteria
 final criteria (used to select the winner)
 general security
 NISTrelied on evaluation done by cryptographic
community
 software implementation performance
 execution speed, performance across different platforms
(8 to 64 bit platforms)
 hardware implementation
 not only timings, but also cost is important
 especially for restricted space environments (such as
smartcards)
 implementation (timing and power) attacks
The AES Cipher - Rijndael
 designed by Vincent Rijmen and Joan Daemen in Belgium (UCL)
 has 128/192/256 bit keys, 128 bit block size
 Characteristics
 resistant against known attacks
 speed and code compactness on many platforms
 design simplicity
Modes of Operations
 block ciphers encrypt fixed size blocks
 DES and 3DES encrypt 64-bit blocks
 AES uses 128-bit blocks
 in practise, we have arbitrary amount of
information to encrypt
 we use DES, 3DES, AES and other symmetric
ciphers in different modes in order to apply to
several data blocks
 NIST SP 800-38A defines 5 modes
 can be used with any block cipher
Electronic Codebook (ECB) Mode
 each block is
encrypted
independent
of the other
blocks
 using the
same key
 not so secure
for long
messages due
to repetitions
in code
Cipher Block Chaining (CBC)
 each previous
cipher blocks is
XORed with
current
plaintext
 each ciphertext
block depends
on all previous
blocks
 need
Initialization
Vector (IV)
known to sender
& receiver
Cipher Block Chaining (CBC)
 Initialization Vector (IV)
 both parties should agree on an IV
 for maximum security, IV should be protected for unauthorized changes
 Otherwise, attacker’s change in IV also changes the decrypted plaintext
 let’s see this on board
Cipher FeedBack (CFB)
 Message is treated as a stream of bits
 DES, AES (or any other block cipher) is used as a stream cipher
 standard allows any number of bit, s, (1,8 or more
until the block size) as the unit of
encryption/decryption
 But common value for s is 8.
 Plaintext is divided into block of s bits.
 uses IV
 as all other stream ciphers
 Result of encryption is fed back to the next stage
 transmission errors propagate
Cipher
FeedBack
(CFB) Mode
 Output FeedBack (OFB)
 another stream mode
 but, s-bit version does not exist anymore
 Full block is used in the encyption and decryption
 output of cipher is
 XORed with the message
 it is also the feedback
 feedback is independent of transmission, so
transmission errors do not propagate
 same IV should not be used twice for the same
key (general problem of using IV)
 otherwise, when two ciphertext blocks are XORed the
random sequence is cancelled and the attacker
obtains XOR of two plaintexts
 That is why IV is sometimes called as nonce (means
"used only once")
 IV

Output
FeedBack
(OFB)

IV
Counter (CTR)
 similar to OFB but encrypts counter value
rather than any feedback value
 For the same key, the counter value should
not repeat
 same problem as in OFB
 efficient
 can do parallel encryptions
 Cryptographic part of the process (encryption
blocks) is performed in advance of need
 good for bursty high speed links
Counter
(CTR)
 Random Numbers
 Many uses of random numbers in cryptography
 nonces in authentication protocols to prevent replay
 session keys
 public key generation
 keystream for stream ciphers
 Characteristics of random numbers
 Statistical randomness
 Uniform distribution of zeros and ones
 İndependence of the bits in the sequence
 Unpredictability of future values from previous values
 True random numbers provide these but very hard
to obtain and use in practice
Pseudorandom Number
Generators (PRNGs)
 often use deterministic algorithmic techniques to create
“random numbers”
 although are not truly random
 can pass many tests of “randomness”
 known as “pseudorandom numbers”

created by “Pseudorandom Number
Generators (PRNGs)”
Pseudorandom Number Generators and
Psuedorandom Functions

 Not much different

 PRNG output is open-ended while PRF generates fixed size output
 PRNG is mostly context independent while PRF is context dependent
 Both may use feedback (there are some non-feedback ones too)
 When used in a cryptographic operation, seed must be kept secret
 PRNG/PRF Requirements
 Randomness
 Uniformity: the occurrence of zeros and ones must be equally likely
 Scalability: any subseqeunce must pass randomness tests as well
 Consistency: must not dependent on a particular seed value
 Unpredictability
 forward unpredictability (next bits cannot be learned using previous bits)
 backward unpredictability (seed cannot be learned using PRN sequence)
 There are some standard tests (total 15 of them) to check
randomness and unpredictability (NIST SP800-22)
 Characteristics of the seed
 secure
 if known adversary can determine output
 so must be random or pseudorandom number (there are some other
standard tests for seed randomness as well)
Linear Congruential Generator
 Common iterative technique using:
Xn+1 = (aXn + c) mod m
X0 is the seed
 Given suitable values of parameters can produce a
long random-like sequence
 Suitable criteria to have are:
 function generates a full-period (all values between 0 and
m-1)
 generated sequence should appear random
 Note that an attacker can reconstruct sequence
given a small number of values
 So, not a secure mechanism
 Stream Ciphers
 process the message bit by bit
 Simply stating
 a key and a Pseudo Random Number Generator (PRNG) is used to create
a (pseudo) random key stream
 keystream and the plaintext bitwise XORed to create the ciphertext
 ciphertext is XORed with the same keystream to restore the plaintext

keystream keystream
Some Stream Cipher Design
Considerations
 A PRNG should eventually repeat
 long period makes cryptanalysis difficult
 statistically randomness
 e.g. approx. equal number of 0’s and 1’s
 large enough key (128-bit would be good to guard against brute-force
attacks)
Stream Ciphers
 randomness of keystream destroys any
statistical properties in the message
 as in Vernam cipher and one-time pads
 Better than block ciphers in terms of
 code space (implementations are simple)
 throughput (faster per bit en/decryption)
 but must never use the same keystream more
than once
 otherwise the cryptanalyst can XOR two ciphertext
streams and find out XOR of two plaintext streams
 not so difficult to crack
Stream Ciphers
 are useful if data are transferred as a stream
 web browser
 voice
 video
 actually any block cipher can be used as a stream cipher
 CFB mode of operation (and OFB and CTR )
RC4
 Ron’s Code 4
 Yet another cipher designed by Ron Rivest
 owned by RSA Inc.
 was kept as a trade secret, but in 1994 anonymously posted on the
Internet
 variable key size, byte-oriented stream cipher
 simple but effective
 8 to 16 machine operations per output byte
 widely used (SSL/TLS, WEP/WPA)
 Some attacks reported, but not practical for key size greater
than 128-bit
 However, WEP has a problem due to RC4 key generation
 not a problem of RC4 in particular
and other symmetric ciphers

 CAST
 Skipjack
 Serpent
 Twofish
 RC6
 Mars
 SAFER+