Unit2 CNS

The document discusses block ciphers, focusing on modern cryptographic algorithms like the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). It explains the principles of block versus stream ciphers, the Feistel cipher structure, and various cryptanalysis techniques, including differential and linear cryptanalysis. The document also highlights the evolution of DES, its security controversies, and the eventual adoption of AES as a more secure alternative.


Block Ciphers

All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.
—Talking to Strange Men, Ruth Rendell
Modern Block Ciphers
 now look at modern block ciphers
 one of the most widely used types of
cryptographic algorithms
 provide secrecy /authentication services
 focus on DES (Data Encryption Standard)
 to illustrate block cipher design principles
Block vs Stream Ciphers
 block ciphers process messages in blocks,
each of which is then en/decrypted
 like a substitution on very big characters

64-bits or more
 stream ciphers process messages a bit or
byte at a time when en/decrypting
 many current ciphers are block ciphers
 broader range of applications
Block Cipher Principles
 most symmetric block ciphers are based on a
Feistel Cipher Structure
 needed since must be able to decrypt ciphertext
to recover messages efficiently
 block ciphers look like an extremely large
substitution
would need table of 2^64 entries for a 64-bit block
 instead create from smaller building blocks
 using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-
Permutation Ciphers
 Claude Shannon introduced idea of substitution-
permutation (S-P) networks in 1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive
cryptographic operations seen before:

substitution (S-box)

permutation (P-box)
 provide confusion & diffusion of message & key
Confusion and Diffusion
 cipher needs to completely obscure
statistical properties of original message
 a one-time pad does this
 more practically Shannon suggested
combining S & P elements to obtain:
 diffusion – dissipates statistical structure
of plaintext over bulk of ciphertext
 confusion – makes relationship between
ciphertext and key as complex as possible
Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher

based on concept of invertible product cipher
 partitions input block into two halves

process through multiple rounds which

perform a substitution on left data half

based on round function of right half & subkey

then have permutation swapping halves
 implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements
 block size
 key size
 number of rounds
 subkey generation algorithm
 round function
 fast software en/decryption
 ease of analysis
Feistel Cipher Decryption
Data Encryption Standard (DES)
 historically the most widely used block cipher in the world
 adopted in 1977 by NBS (now NIST)

as FIPS PUB 46
 encrypts 64-bit data using 56-bit key
 has widespread use
 has been considerable controversy over
its security
DES History
 IBM developed Lucifer cipher

by team led by Feistel in late 60’s

used 64-bit data blocks with 128-bit key
 then redeveloped as a commercial cipher
with input from NSA and others
 in 1973 NBS issued request for proposals
for a national cipher standard
 IBM submitted their revised Lucifer which
was eventually accepted as the DES
DES Design Controversy
 although DES standard is public
 was considerable controversy over design

in choice of 56-bit key (vs Lucifer 128-bit)

and because design criteria were classified
 subsequent events and public analysis
show in fact design was appropriate
 use of DES has flourished

especially in financial applications

was kept in the standard for legacy application use until FIPS 46-3 was withdrawn in 2005
DES Encryption Overview
Initial Permutation IP
 first step of the data computation
 IP reorders the input data bits
 even bits to LH half, odd bits to RH half
 quite regular in structure (easy in h/w)
 example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
DES Round Structure
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
F takes 32-bit R half and 48-bit subkey:

expands R to 48-bits using perm E

adds to subkey using XOR

passes through 8 S-boxes to get 32-bit result

finally permutes using 32-bit perm P
DES Round Structure
Substitution Boxes S
 have eight S-boxes which map 6 to 4 bits
 each S-box is actually 4 little 4 bit boxes

outer bits 1 & 6 (row bits) select one row of 4

inner bits 2-5 (col bits) are substituted

result is 8 lots of 4 bits, or 32 bits
 row selection depends on both data & key

feature known as autoclaving (autokeying)
 example:

S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule
 forms subkeys used in each round

initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves

16 stages consisting of:
• rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
• selecting 24-bits from each half & permuting them
by PC2 for use in round function F
 note practical use issues in h/w vs s/w
DES Decryption
 decrypt must unwind steps of data computation
 with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)

IP undoes final FP step of encryption

1st round with SK16 undoes 16th encrypt round

….

16th round with SK1 undoes 1st encrypt round

then final FP undoes initial encryption IP

thus recovering original data value
Avalanche Effect
 key desirable property of encryption alg
 where a change of one input or key bit
results in changing approx half output bits
 making attempts to “home-in” by guessing
keys impossible
 DES exhibits strong avalanche
Strength of DES – Key Size
 56-bit keys have 2^56 = 7.2 x 10^16 values
 brute force search looks hard
 recent advances have shown is possible

in 1997 on Internet in a few months

in 1998 on dedicated h/w (EFF) in a few days

in 1999 above combined in 22hrs!
 still must be able to recognize plaintext
 must now consider alternatives to DES
Strength of DES – Analytic
Attacks
 now have several analytic attacks on DES
 these utilise some deep structure of the cipher

by gathering information about encryptions

can eventually recover some/all of the sub-key bits

if necessary then exhaustively search for the rest
 generally these are statistical attacks
 include

differential cryptanalysis

linear cryptanalysis

related key attacks
Strength of DES – Timing
Attacks
 attacks actual implementation of cipher
 use knowledge of consequences of
implementation to derive information about
some/all subkey bits
 specifically use fact that calculations can
take varying times depending on the value
of the inputs to it
 particularly problematic on smartcards
Differential Cryptanalysis
 one of the most significant recent (public)
advances in cryptanalysis
 known by NSA in 70's cf DES design
 Murphy, Biham & Shamir published in 90’s
 powerful method to analyse block ciphers
 used to analyse most current block ciphers
with varying degrees of success
 DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis
a statistical attack against Feistel ciphers
 uses cipher structure not previously used
 design of S-P networks has output of
function f influenced by both input & key
 hence cannot trace values back through
cipher without knowing value of the key
 differential cryptanalysis compares two
related pairs of encryptions
Differential Cryptanalysis
Compares Pairs of Encryptions
 witha known difference in the input
 searching for a known difference in output
 when same subkeys are used
Differential Cryptanalysis
 have some input difference giving some
output difference with probability p
 if find instances of some higher probability
input / output difference pairs occurring
 can infer subkey that was used in round
 then must iterate process over many
rounds (with decreasing probabilities)
Differential Cryptanalysis
Differential Cryptanalysis
 perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
 when found

if intermediate rounds match required XOR have a right pair

if not then have a wrong pair, relative ratio is S/N for attack
 can then deduce keys values for the rounds

right pairs suggest same key bits

wrong pairs give random values
 for large numbers of rounds, probability is so low that
more pairs are required than exist with 64-bit inputs
 Biham and Shamir have shown how a 13-round iterated
characteristic can break the full 16-round DES
Linear Cryptanalysis
 another recent development
 also a statistical method
 must be iterated over rounds, with
decreasing probabilities
 developed by Matsui et al in early 90's
 based on finding linear approximations
 can attack DES with 2^43 known plaintexts,
easier but still in practice infeasible
Linear Cryptanalysis
 find linear approximations with prob p != ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where i1..ia, j1..jb, k1..kc are bit locations in P, C, K
 gives linear equation for key bits
 get one key bit using max likelihood alg
 using a large number of trial encryptions
 effectiveness given by: |p–1/2|
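The S-box indexing described above (outer bits select the row, inner bits the column) and the two tables that differential and linear cryptanalysis start from, computed for DES S-box S1, as an added example that is not part of the original slides. Only S1 (the public FIPS 46 table) is included, so the slides' eight-box value S(18 09 12 3d 11 17 38 39) = 5fd25e03 is reproduced only in its first nibble; the difference table reproduces the 16/64 entry for input XOR 34 and output XOR 2 that Biham and Shamir's analysis used, and the design criterion reported by Coppersmith (no entry above 16 of 64) can be checked against it.

```python
"""DES S-box indexing and the two tables that differential and linear
cryptanalysis start from, computed for DES S-box S1 (the public FIPS 46 table).
Added example, not from the slides; only S1 is included, so the slides' eight-box
value S(18 09 12 3d 11 17 38 39) = 5fd25e03 is reproduced only in its first nibble."""

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, x: int) -> int:
    """6 bits in, 4 bits out: the outer bits (1 and 6) select the row, the
    inner four bits (2-5) select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def difference_table(box):
    """Pair-XOR (difference distribution) table: ddt[din][dout] is the number of
    inputs x with S(x) ^ S(x ^ din) == dout, out of 64. Differential cryptanalysis
    chains the large entries through the rounds; a flat table would read 4 everywhere."""
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][sbox(box, x) ^ sbox(box, x ^ din)] += 1
    return ddt


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def linear_bias_table(box):
    """lat[a][b] = #{x : a.x == b.S(x) (as parities)} - 32, the bias of the linear
    approximation with input mask a and output mask b; the slides' effectiveness
    |p - 1/2| is |bias| / 64. Linear cryptanalysis chains the largest |bias| entries."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            agree = sum(parity(a & x) == parity(b & sbox(box, x)) for x in range(64))
            lat[a][b] = agree - 32
    return lat


def best_differential(ddt):
    """Most probable nonzero input difference -> output difference, as (din, dout, count)."""
    return max(((d, o, ddt[d][o]) for d in range(1, 64) for o in range(16)), key=lambda t: t[2])


def best_linear(lat):
    """Most biased approximation with nonzero masks, as (a, b, bias)."""
    return max(((a, b, lat[a][b]) for a in range(1, 64) for b in range(1, 16)), key=lambda t: abs(t[2]))


if __name__ == "__main__":
    ddt, lat = difference_table(S1), linear_bias_table(S1)
    print("S1(011011) =", format(sbox(S1, 0b011011), "04b"))
    print("best differential (din, dout, count/64):", best_differential(ddt))
    print("best linear (a, b, bias):", best_linear(lat))
```

The two tables are per-S-box building blocks: an attack on the full cipher multiplies the probabilities of the chosen entries along a path through the rounds (a characteristic for differential, a linear approximation of the whole cipher for linear), which is why the slides say the probabilities decrease with every round added.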
DES Design Criteria
 as reported by Coppersmith in [COPP94]
 7 criteria for S-boxes provide for

non-linearity

resistance to differential cryptanalysis

good confusion
3 criteria for permutation P provide for

increased diffusion
Block Cipher Design
 basic principles still like Feistel's in 1970's
 number of rounds

more is better, exhaustive search best attack
 function f:

provides “confusion”, is nonlinear, avalanche

have issues of how S-boxes are selected
 key schedule

complex subkey creation, key avalanche
Multiple Encryption & DES
 clear a replacement for DES was needed

theoretical attacks that can break it

demonstrated exhaustive key search attacks
 AES is a new cipher alternative
 prior to this alternative was to use multiple
encryption with DES implementations
 Triple-DES is the chosen form
Double-DES?
 could use 2 DES encrypts on each block
 C = EK2(EK1(P))
 issue of reduction to single stage
 and have “meet-in-the-middle” attack

works whenever use a cipher twice
 since X = EK1(P) = DK2(C)

attack by encrypting P with all keys and store

then decrypt C with keys and match X value

can show takes O(2^56) steps
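The Feistel structure, its decryption with reversed subkeys, and the meet-in-the-middle attack on double encryption, shown on a toy cipher as an added example (not from the slides, and not DES): 32-bit block, 16-bit key, 8 rounds. The round function is deliberately not a permutation, to show that invertibility comes from the Feistel structure rather than from F, and decryption is the encryption routine with the subkey order reversed. The key is tiny on purpose so that the attack runs in a couple of seconds; every constant in the round function and key schedule is an arbitrary choice and the cipher has no security value.

```python
"""Toy Feistel cipher (32-bit block, 16-bit key, 8 rounds) and the
meet-in-the-middle attack on its double encryption. Added example, not from the
slides and not DES: the parameters are small so the attack runs in seconds, and
all constants are arbitrary. It has no security value."""

MASK16 = 0xFFFF
ROUNDS = 8
KEY_BITS = 16


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def round_function(r: int, k: int) -> int:
    """Mix the right half with the subkey. Squaring mod 2^16 sends x and -x to
    the same value, so F is not invertible; the Feistel structure does not need
    it to be, because each round's XOR into the other half is what gets undone."""
    x = (r ^ k) & MASK16
    x = (x * x + 0x3C6E) & MASK16
    return x ^ (x >> 5)


def subkeys(key: int):
    """Key schedule: rotate the key (as DES rotates its halves) and XOR a round
    constant so that no two rounds use the same subkey."""
    return [rotl16(key, (3 * i) % 16) ^ ((0x1357 * (i + 1)) & MASK16) for i in range(ROUNDS)]


def feistel(block: int, ks) -> int:
    """Li = Ri-1, Ri = Li-1 ^ F(Ri-1, Ki) for each subkey; the final swap is
    undone so that the same routine with the subkeys reversed is the inverse."""
    l, r = block >> 16, block & MASK16
    for k in ks:
        l, r = r, l ^ round_function(r, k)
    return (r << 16) | l


def encrypt(block: int, key: int) -> int:
    return feistel(block, subkeys(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, subkeys(key)[::-1])    # SK8 ... SK1, as the slides describe


def double_encrypt(block: int, k1: int, k2: int) -> int:
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs with C = E_K2(E_K1(P)).
    Tabulate X = E_K1(P) for every K1, then for every K2 look up X = D_K2(C):
    about 2 * 2^16 cipher calls (plus a 2^16-entry table) instead of the 2^32 a
    naive search over both keys would need. The second pair weeds out the
    chance matches a single 32-bit block cannot exclude."""
    (p0, c0), (p1, c1) = pairs[0], pairs[1]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(decrypt(c0, k2), ()):
            if double_encrypt(p1, k1, k2) == c1:
                candidates.append((k1, k2))
    return candidates


if __name__ == "__main__":
    k1, k2 = 0x1F2E, 0xA5C3
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x01234567, 0x89ABCDEF)]
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

Scaled up to DES the same attack needs 2^56 encryptions and a 2^56-entry table, which is why double DES offers nothing like the 112-bit strength its key length suggests and why Triple-DES was chosen instead.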
Triple-DES with Two-Keys
 hence must use 3 encryptions

would seem to need 3 distinct keys
 but can use 2 keys with E-D-E sequence

C = EK1(DK2(EK1(P)))

nb encrypt & decrypt equivalent in security

if K1=K2 then can work with single DES
 standardized in ANSI X9.17 & ISO8732
 no practical attacks were known when these slides were written; NIST has since deprecated two-key Triple-DES (disallowed for encryption after 2015 by SP 800-131A, since its effective strength against known-plaintext attacks is only about 80 bits)
Triple-DES with Three-Keys
 although are no practical attacks on two-
key Triple-DES have some indications
 can use Triple-DES with Three-Keys to
avoid even these
 C = EK3(DK2(EK1(P)))
 has been adopted by some Internet
applications, eg PGP, S/MIME
Advanced Encryption Standard

"It seems very simple."


"It is very simple. But if you don't know what
the key is it's virtually indecipherable."
—Talking to Strange Men, Ruth Rendell
Origins
 clear a replacement for DES was needed

have theoretical attacks that can break it

have demonstrated exhaustive key search attacks
 can use Triple-DES – but slow, has small blocks
 US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug-99
 Rijndael was selected as the AES in Oct-2000
 issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
 private key symmetric block cipher
 128-bit data, 128/192/256-bit keys
 stronger & faster than Triple-DES
 active life of 20-30 years (+ archival use)
 provide full specification & design details
 both C & Java implementations
 NIST have released all submissions &
unclassified analyses
AES Evaluation Criteria
 initial criteria:

security – effort for practical cryptanalysis

cost – in terms of computational efficiency

algorithm & implementation characteristics
 final criteria

general security

ease of software & hardware implementation

implementation attacks

flexibility (in en/decrypt, keying, other factors)
AES Shortlist
 after testing and evaluation, shortlist in Aug-99:

MARS (IBM) - complex, fast, high security margin

RC6 (USA) - v. simple, v. fast, low security margin

Rijndael (Belgium) - clean, fast, good security margin

Serpent (Euro) - slow, clean, v. high security margin

Twofish (USA) - complex, v. fast, high security margin
 then subject to further analysis & comment
 saw contrast between algorithms with

few complex rounds versus many simple rounds

which refined existing ciphers versus new proposals
The AES Cipher - Rijndael
 designed by Rijmen-Daemen in Belgium
 has 128/192/256 bit keys, 128 bit data
 an iterative rather than Feistel cipher

processes data as block of 4 columns of 4 bytes

operates on entire data block in every round
 designed to be:

resistant against known attacks

speed and code compactness on many CPUs

design simplicity
Rijndael
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words
 has 9/11/13 full rounds (10/12/14 in total, the final round omitting mix columns) in which state undergoes:

byte substitution (1 S-box used on every byte)

shift rows (permute bytes between groups/columns)

mix columns (subs using matrix multiply of groups)

add round key (XOR state with key material)

view as alternating XOR key & scramble data bytes
 initial XOR key material & incomplete last round
 with fast XOR & table lookup implementation
Rijndael
Byte Substitution
 a simple substitution of each byte
 uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
 each byte of state is replaced by byte indexed
by row (left 4-bits) & column (right 4-bits)

eg. byte {95} is replaced by byte in row 9 column 5

which has value {2A}
 S-box constructed using defined transformation
of values in GF(2^8)
 designed to be resistant to all known attacks
Byte Substitution
Shift Rows
 a circular byte shift in each row

1st row is unchanged

2nd row does 1 byte circular shift to left

3rd row does 2 byte circular shift to left

4th row does 3 byte circular shift to left
 decrypt inverts using shifts to right
 since state is processed by columns, this step
permutes bytes between the columns
Shift Rows
Mix Columns
 each column is processed separately
 each byte is replaced by a value
dependent on all 4 bytes in the column
 effectively a matrix multiplication in GF(2^8)
using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
Mix Columns
Mix Columns
 can express each col as 4 equations

to derive each new byte in col
 decryption requires use of inverse matrix

with larger coefficients, hence a little harder
 have an alternate characterisation

each column a 4-term polynomial

with coefficients in GF(2^8)

and polynomials multiplied modulo (x^4 + 1)
Add Round Key
 XOR state with 128-bits of the round key
 again processed by column (though
effectively a series of byte operations)
 inverse for decryption identical

since XOR own inverse, with reversed keys
 designed to be as simple as possible

a form of Vernam cipher on expanded key

requires other stages for complexity / security
Add Round Key
AES Round
AES Key Expansion
 takes the 128-bit (16-byte) key (192/256-bit for AES-192/256) and expands
into array of 44 (52/60) 32-bit words
 start by copying key into first 4 words
 then loop creating words that depend on
values in previous & 4 places back

in 3 of 4 cases just XOR these together

1st word in 4 has rotate + S-box + XOR round
constant on previous, before XOR 4th back
AES Key Expansion
Key Expansion Rationale
 designed to resist known attacks
 design criteria included

knowing part key insufficient to find many more

invertible transformation

fast on wide range of CPU’s

use round constants to break symmetry

diffuse key bits into round keys

enough non-linearity to hinder analysis

simplicity of description
AES Decryption
 AES decryption is not identical to
encryption since steps done in reverse
 but can define an equivalent inverse
cipher with steps as for encryption

but using inverses of each step

with a different key schedule
 works since result is unchanged when

swap byte substitution & shift rows

swap mix columns & add (tweaked) round key
AES Decryption
Implementation Aspects
 can efficiently implement on 8-bit CPU

byte substitution works on bytes using a table
of 256 entries

shift rows is simple byte shift

add round key works on byte XOR’s

mix columns requires matrix multiply in GF(2^8)
which works on byte values, can be simplified
to use table lookups & byte XOR’s
Implementation Aspects
 can efficiently implement on 32-bit CPU

redefine steps to use 32-bit words

can precompute 4 tables of 256-words

then each column in each round can be
computed using 4 table lookups + 4 XORs

at a cost of 4 KB (4 tables x 256 entries x 4 bytes) to store tables
 designers believe this very efficient
implementation was a key factor in its
selection as the AES cipher
Blowfish
a symmetric block cipher designed by
Bruce Schneier in 1993/94
 characteristics

fast implementation on 32-bit CPUs, 18 clock
cycles per byte

compact in use of memory, less than 5KB

simple structure for analysis/implementation

variable security by varying key size
• Allows tuning for speed/security tradeoff
Blowfish Key Schedule

 uses a 32 to 448 bit key


 used to generate

18 32-bit subkeys stored in P-array: P1 to P18
 S-boxes stored in Si,j,
• i=1..4
• j=0..255
Blowfish Encryption
 uses two primitives: addition (mod 2^32) & XOR
 data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
    Ri = Li-1 XOR Pi;
    Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;
 where F splits the 32-bit input Ri into four bytes (a,b,c,d) and computes
F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
Discussion
 provided key is large enough, brute-force key
search is not practical, especially given the high
key schedule cost
 key dependent S-boxes and subkeys make
analysis very difficult

Very few cryptanalysis results on Blowfish
 changing both halves in each round increases
security

Some study shows improved avalanche effects
Modes of Operation
 block ciphers encrypt fixed size blocks

eg. DES encrypts 64-bit blocks with 56-bit key
 need some way to en/decrypt arbitrary
amounts of data in practice
 ANSI X3.106-1983 Modes of Use (now
FIPS 81) defines 4 possible modes
 subsequently 5 defined for AES & DES in NIST SP 800-38A (ECB, CBC, CFB, OFB, CTR)
 have block and stream modes
Electronic Codebook (ECB)
 message is broken into independent
blocks which are encrypted
 each block is a value which is substituted,
like a codebook, hence name
 each block is encoded independently of
the other blocks
Ci = DESK1(Pi)
 uses: secure transmission of single values
Electronic Codebook (ECB)
Advantages and Limitations of
ECB
 message repetitions may show in ciphertext

if aligned with message block

particularly with data such as graphics

or with messages that change very little, which
become a code-book analysis problem
 weakness is due to the encrypted message
blocks being independent
 main use is sending a few blocks of data
Cipher Block Chaining (CBC)
 message is broken into blocks
 linked together in encryption operation
 each previous cipher blocks is chained
with current plaintext block, hence name
 use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
 uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Message Padding
 at end of message must handle a possible
last short block

which is not as large as blocksize of cipher

pad either with known non-data value (eg nulls)

or pad last block along with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5]
• means have 3 data bytes, then 5 bytes pad+count

this may require an extra entire block over
those in message
 there are other, more esoteric modes, which
avoid the need for an extra block
Advantages and Limitations of
CBC
a ciphertext block depends on all blocks
before it
 any change to a block affects all following
ciphertext blocks
 need Initialization Vector (IV)

which must be known to sender & receiver

if sent in clear, attacker can change bits of first block,
and change IV to compensate

hence the slides recommend a fixed IV (as in EFTPOS) or sending the IV encrypted in ECB mode before the rest of the message

current guidance (NIST SP 800-38A) differs: the IV need not be secret but must be unpredictable for each message, because a fixed or predictable IV reveals when two messages share a prefix, and the bit-flipping problem is an integrity failure that only a MAC over the ciphertext (or an authenticated mode) removes
Cipher FeedBack (CFB)
 message is treated as a stream of bits
 added to the output of the block cipher
 result is fed back for next stage (hence name)
 standard allows any number of bits (1, 8, 64 or
128 etc) to be fed back

denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
 most efficient to use all bits in block (64 or 128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
 uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Advantages and Limitations of
CFB
 appropriate when data arrives in bits/bytes
 most common stream mode
 limitation is need to stall while do block
encryption after every n-bits
 note that the block cipher is used in
encryption mode at both ends
 errors propagate for several blocks after
the error
Output FeedBack (OFB)
 message is treated as a stream of bits
 output of cipher is added to message
 output is then fed back (hence name)
 feedback is independent of message
 can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
 uses: stream encryption on noisy channels
Output FeedBack (OFB)
Advantages and Limitations of
OFB
 bit errors do not propagate
 more vulnerable to message stream modification
 a variation of a Vernam cipher

hence must never reuse the same sequence
(key+IV)
 sender & receiver must remain in sync
 originally specified with m-bit feedback
 subsequent research has shown that only full
block feedback (ie OFB-64 or OFB-128) should
ever be used
Counter (CTR)
a “new” mode, though proposed early on
 similar to OFB but encrypts counter value
rather than any feedback value
 must have a different key & counter value
for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
 uses: high-speed network encryptions
Counter (CTR)
Advantages and Limitations of
CTR
 efficiency

can do parallel encryptions in h/w or s/w

can preprocess in advance of need

good for bursty high speed links
 random access to encrypted data blocks
 provable security (good as other modes)
 but must ensure never reuse key/counter
values, otherwise could break (cf OFB)
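ECB, CBC (with the zero-then-count padding described under Message Padding) and CTR, implemented over a real but small block cipher so the example needs only the Python standard library, as an added example that is not from the slides. XTEA (64-bit block, 128-bit key, a Feistel-type cipher by Needham and Wheeler) merely stands in for DES or AES; the mode logic is what the slides describe. The demo functions return the properties the slides state: equal plaintext blocks show through ECB but not CBC, and CTR with a reused key and nonce leaks the XOR of the two plaintexts.

```python
"""ECB, CBC (with the slides' zero-then-count padding) and CTR over a real but
small block cipher, XTEA (64-bit block, 128-bit key), so that only the standard
library is needed. Added example, not from the slides: XTEA merely stands in
for DES/AES, the mode logic is what the slides describe. The demo functions
return the facts the slides state: ECB repeats, CBC does not, and CTR with a
reused key/nonce leaks the XOR of the two plaintexts."""

M32, DELTA, BLOCK = 0xFFFFFFFF, 0x9E3779B9, 8


def xtea_block(key: bytes, block: bytes, decrypt: bool = False, rounds: int = 32) -> bytes:
    """XTEA (Needham/Wheeler) on one 8-byte block with a 16-byte key."""
    k = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    v0, v1 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    s = (DELTA * rounds) & M32 if decrypt else 0
    for _ in range(rounds):
        if decrypt:
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & M32
            s = (s - DELTA) & M32
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & M32
        else:
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & M32
            s = (s + DELTA) & M32
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & M32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """Slides' scheme: zero bytes then a count byte, e.g. [b1 b2 b3 0 0 0 0 5].
    Always pads, so a block-aligned message grows by one whole block."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or any(data[-n:-1]):
        raise ValueError("bad padding")   # keep this behind a MAC check so it is never an oracle
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """Ci = E_K(Pi): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(xtea_block(key, p) for p in _blocks(pad(pt)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Ci = E_K(Pi ^ Ci-1), C-1 = IV; the IV must be fresh and unpredictable per message."""
    out, prev = [], iv
    for p in _blocks(pad(pt)):
        prev = xtea_block(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(xtea_block(key, c, decrypt=True), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Ci = Pi ^ E_K(nonce || i). Only the forward direction of the cipher is
    used, so the same call decrypts; no padding, the last keystream block is
    simply truncated to the data that is left."""
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        out += xor(chunk, xtea_block(key, nonce[:4] + i.to_bytes(4, "big")))
    return bytes(out)


def ecb_repeats(key: bytes, pt: bytes) -> bool:
    """True when a repeated plaintext block is visible as a repeated ciphertext block."""
    blocks = _blocks(ecb_encrypt(key, pt))
    return len(set(blocks)) < len(blocks)


def cbc_repeats(key: bytes, iv: bytes, pt: bytes) -> bool:
    blocks = _blocks(cbc_encrypt(key, iv, pt))
    return len(set(blocks)) < len(blocks)


def recover_with_reused_nonce(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """Attacker's view: C1 and C2 under the same key and nonce, plus M1.
    C1 ^ C2 = M1 ^ M2 because the keystream cancels, so M2 falls out."""
    c1, c2 = ctr_xor(key, nonce, m1), ctr_xor(key, nonce, m2)
    return xor(xor(c1, c2), m1)
```

The CTR function is also the OFB/CFB shape in miniature: none of the stream modes ever calls the block cipher's decryption direction, which is why a block cipher used this way needs only its forward implementation, and why reusing a key/nonce pair is fatal in all of them.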
Stream Ciphers
 process message bit by bit (as a stream)
 have a pseudo random keystream
 combined (XOR) with plaintext bit by bit
 randomness of stream key completely
destroys statistical properties in message

Ci = Mi XOR StreamKeyi
 but must never reuse stream key

otherwise can recover messages (cf book
cipher)
Stream Cipher Structure
Stream Cipher Properties
 some design considerations are:

long period with no repetitions

statistically random

depends on large enough key

large linear complexity
 properly designed, can be as secure as a
block cipher with same size key
 but usually simpler & faster
RC4
 originally a proprietary (trade secret) cipher of RSA DSI; the algorithm leaked in 1994
 another Ron Rivest design, simple but effective
 variable key size, byte-oriented stream cipher
 was widely used (web SSL/TLS, wireless WEP); now prohibited in TLS by RFC 7465
 key forms random permutation of all 8-bit values
 uses that permutation to scramble input info
processed a byte at a time
RC4 Key Schedule
 starts with an array S of numbers: 0..255
 use key to well and truly shuffle
 S forms internal state of the cipher

for i = 0 to 255 do
    S[i] = i
    T[i] = K[i mod keylen]
j = 0
for i = 0 to 255 do
    j = (j + S[i] + T[i]) (mod 256)
    swap (S[i], S[j])
RC4 Encryption
 encryption continues shuffling array values
 sum of shuffled pair selects "stream key"
value from permutation
 XOR S[t] with next byte of message to
en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
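The key schedule and encryption loops above, turned into running code as an added example (not from the slides), checked against a published RC4 test vector, and extended with a measurement of the Mantin-Shamir second-byte bias: the second keystream byte is zero about twice as often as a random stream would give, which is one of the keystream defects behind the practical attacks on RC4. The keys for the measurement are constructed from SHA-256 of a counter so that the run is deterministic.

```python
"""RC4 as in the slides' pseudocode (KSA, then PRGA), checked against a published
test vector, plus a measurement of the Mantin-Shamir second-byte bias that shows
the keystream is not the uniformly random stream the slides' model assumes.
Added example, not from the slides; the keys for the measurement are constructed
from SHA-256 of a counter so the run is deterministic."""
import hashlib


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: S starts as the identity permutation and is shuffled by the key."""
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list):
    """PRGA: keep shuffling S; the sum of the swapped pair indexes the output byte."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    ks = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)


def second_byte_zero_count(num_keys: int) -> int:
    """How often the second keystream byte is 0 over num_keys keys. A random
    stream gives num_keys/256; RC4 gives about twice that (Mantin and Shamir,
    2001). Biases like this one are why RFC 7465 banned RC4 from TLS."""
    zeros = 0
    for n in range(num_keys):
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]  # constructed keys
        ks = rc4_keystream(rc4_ksa(key))
        next(ks)
        zeros += next(ks) == 0
    return zeros


if __name__ == "__main__":
    print(rc4_crypt(b"Key", b"Plaintext").hex())   # bbf316e8d940af0ad3
    n = 20000
    print(f"second byte == 0 for {second_byte_zero_count(n)} of {n} keys (random: about {n // 256})")
```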
RC4 Overview
RC4 Security
 claimed secure against known attacks when these slides were written; that no longer holds
 keystream biases (Fluhrer, Mantin and Shamir 2001; Mantin and Shamir 2001) and the 2013 statistical attacks on RC4 in TLS made attacks practical, and RFC 7465 (2015) prohibits RC4 in TLS
 result is very non-linear
 since RC4 is a stream cipher, must never
reuse a key
 the WEP break was due to key handling (a public IV concatenated with the key) rather than RC4 itself, but the later attacks target RC4's own keystream
Confidentiality using Symmetric
Encryption
 traditionally symmetric encryption is used
to provide message confidentiality
Placement of Encryption
 have two major placement alternatives
 link encryption

encryption occurs independently on every link

implies must decrypt traffic between links

requires many devices, but paired keys
 end-to-end encryption

encryption occurs between original source
and final destination

need devices at each end with shared keys
Placement of Encryption
Placement of Encryption
 when using end-to-end encryption must
leave headers in clear

so network can correctly route information
 hence although contents protected, traffic
pattern flows are not
 ideally want both at once

end-to-end protects data contents over entire
path and provides authentication

link protects traffic flows from monitoring
Placement of Encryption
 can place encryption function at various
layers in OSI Reference Model

link encryption occurs at layers 1 or 2

end-to-end can occur at layers 3, 4, 6, 7

as move higher less information is encrypted
but it is more secure though more complex
with more entities and keys
Encryption vs Protocol Level
Traffic Analysis
 is monitoring of communications flows
between parties

useful both in military & commercial spheres

can also be used to create a covert channel
 link encryption obscures header details

but overall traffic volumes in networks and at
end-points are still visible
 traffic padding can further obscure flows

but at cost of continuous traffic
Key Distribution
 symmetric schemes require both parties to
share a common secret key
 issue is how to securely distribute this key
 often secure system failure due to a break
in the key distribution scheme
Key Distribution
 given parties A and B have various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can
use previous key to encrypt a new key
4. if A & B have secure communications with a
third party C, C can relay key between A & B
Key Hierarchy
 typically have a hierarchy of keys
 session key

temporary key

used for encryption of data between users

for one logical session then discarded
 master key

used to encrypt session keys

shared by user & key distribution center
Key Distribution Scenario
Key Distribution Issues
 hierarchies of KDC’s required for large
networks, but must trust each other
 session key lifetimes should be limited for
greater security
 use of automatic key distribution on behalf
of users, but must trust system
 use of decentralized key distribution
 controlling key usage
Private-Key Cryptography
 traditional private/secret/single key
cryptography uses one key
 shared by both sender and receiver
 if this key is disclosed communications are
compromised
 also is symmetric, parties are equal
 hence does not protect sender from
receiver forging a message & claiming is
sent by sender
Public-Key Cryptography
 probably most significant advance in the
3000 year history of cryptography
 uses two keys – a public & a private key
 asymmetric since parties are not equal
 uses clever application of number
theoretic concepts to function
 complements rather than replaces private
key crypto
Why Public-Key
Cryptography?
 developed to address two key issues:

key distribution – how to have secure
communications in general without having to
trust a KDC with your key

digital signatures – how to verify a message
comes intact from the claimed sender
 public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976

known earlier in classified community
Public-Key Cryptography
 public-key/two-key/asymmetric cryptography
involves the use of two keys:

a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures

a private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
 is asymmetric because

those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
Public-Key Cryptography
Public-Key Characteristics
 Public-Key algorithms rely on two keys where:

it is computationally infeasible to find decryption key
knowing only algorithm & encryption key

it is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known

either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
Public-Key Cryptosystems
Public-Key Applications
 can classify uses into 3 categories:

encryption/decryption (provide secrecy)

digital signatures (provide authentication)

key exchange (of session keys)
 some algorithms are suitable for all uses,
others are specific to one
Security of Public Key Schemes
 like private key schemes brute force exhaustive
search attack is always theoretically possible
 but keys used are too large (>512 bits in these slides; 512-bit RSA moduli have since been factored, and 2048 bits is the current minimum)
 security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
 more generally the hard problem is known, but
is made hard enough to be impractical to break
 requires the use of very large numbers
 hence is slow compared to private key schemes
RSA
 by Rivest, Shamir & Adleman of MIT in 1977
 best known & widely used public-key scheme
 based on modular exponentiation over the integers modulo n = p.q (a ring, not a field, since n is composite)

nb. exponentiation takes O((log n)^3) operations (easy)
 uses large integers (eg. 1024 bits)
 security due to cost of factoring large numbers

nb. factorization takes O(e^(log n log log n)) operations (hard)
RSA Key Setup
 each user generates a public/private key pair by:
 selecting two large primes at random - p, q
 computing their system modulus n=p.q

note ø(n)=(p-1)(q-1)
 selecting at random the encryption key e
• where 1<e<ø(n), gcd(e,ø(n))=1
 solve following equation to find decryption key d

e.d=1 mod ø(n) and 0≤d≤n
 publish their public encryption key: PU={e,n}
 keep secret private decryption key: PR={d,n}
RSA Use
 to encrypt a message M the sender:

obtains public key of recipient PU={e,n}

computes: C = M^e mod n, where 0≤M<n
 to decrypt the ciphertext C the owner:

uses their private key PR={d,n}

computes: M = C^d mod n
 note that the message M must be smaller
than the modulus n (block if needed)
Why RSA Works
 because of Euler's Theorem:

a^ø(n) mod n = 1 where gcd(a,n)=1
 in RSA have:

n=p.q

ø(n)=(p-1)(q-1)

carefully chose e & d to be inverses mod ø(n)

hence e.d=1+k.ø(n) for some k
 hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Compute n = pq =17 x 11=187
3. Compute ø(n)=(p–1)(q-1)=16 x 10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: d.e ≡ 1 mod 160 and d < 160
Value is d=23 since 23x7=161 = 1x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption
 sample RSA encryption/decryption is:
 given message M = 88 (nb. 88<187)
 encryption:
C = 88^7 mod 187 = 11
 decryption:
M = 11^23 mod 187 = 88
Exponentiation
 can use the Square and Multiply Algorithm
 a fast, efficient algorithm for exponentiation
 concept is based on repeatedly squaring the base
 and multiplying in the ones that are needed to compute the result
 look at the binary representation of the exponent
 only takes O(log2 n) multiplications for an exponent of size n (rather than n-1)
 
 eg. 7^5 = 7^4.7^1 = 3.7 = 10 mod 11
 
 eg. 3^129 = 3^128.3^1 = 5.3 = 4 mod 11
Exponentiation
 the algorithm for a^b mod n, with b = b_k ... b_0 in binary, written out in runnable Python (c only records the exponent built so far, to show the invariant; f is the running result):

def square_and_multiply(a, b, n):
    c, f = 0, 1
    for bit in bin(b)[2:]:        # scan b_k ... b_0, most significant first
        c = 2 * c
        f = (f * f) % n           # squaring doubles the exponent built so far
        if bit == '1':
            c = c + 1
            f = (f * a) % n       # multiply in the base where a bit is set
    return f                      # here c == b and f == a^b mod n
Efficient Encryption
 encryption uses exponentiation to power e
 hence if e small, this will be faster
 
 often choose e=65537 (2^16+1, a prime with only two 1-bits, so square-and-multiply needs very few multiplications)
 
 also see choices of e=3 or e=17
 but if e too small (eg e=3) can attack
 
 using the Chinese remainder theorem & 3 copies of the same unpadded message sent under different moduli
 if e fixed must ensure gcd(e,ø(n))=1
 
 ie reject any p or q not relatively prime to e (ie. with e dividing p-1 or q-1)
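The low-exponent attack mentioned above, as an added Python example (not from the slides): the same unpadded message is sent to three recipients with e=3 and pairwise-coprime moduli, the attacker combines the three ciphertexts with the CRT to get m^3 as an integer (m^3 is below the product of the moduli because m is below each of them) and takes an exact integer cube root. The three moduli are constructed toy values; a `valid_for_e` check shows the gcd(e,ø(n))=1 rejection rule from the slide.

```python
# Added example: Hastad-style broadcast attack on unpadded RSA with e = 3,
# plus the gcd(e, phi(n)) = 1 check on candidate primes.
# Constructed toy moduli; OAEP padding defeats this attack in practice.

from functools import reduce
from math import gcd

E = 3
MODULI = [101 * 107, 113 * 131, 137 * 149]   # three pairwise-coprime toy moduli

def valid_for_e(p, q, e):
    """Slide's rule: reject p or q unless gcd(e, (p-1)(q-1)) == 1."""
    return gcd(e, (p - 1) * (q - 1)) == 1

def crt(residues, moduli):
    """Chinese remainder theorem: x mod prod(moduli) with x == r_i mod n_i."""
    N = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)    # pow(.., -1, n) is the modular inverse
    return x % N, N

def icbrt(x):
    """Exact integer cube root by binary search; raises if x is not a cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    if lo ** 3 != x:
        raise ValueError("not a perfect cube: message was padded or too large")
    return lo

def broadcast(m, moduli=MODULI, e=E):
    """Sender encrypts the same unpadded m to every recipient."""
    if not all(m < n for n in moduli):
        raise ValueError("message block must be below every modulus")
    return [pow(m, e, n) for n in moduli]

def hastad_recover(ciphertexts, moduli=MODULI, e=E):
    """Attacker: CRT gives m^3 over the integers (m^3 < n1*n2*n3), then a cube root."""
    assert e == 3 and len(ciphertexts) == 3
    m_cubed, _ = crt(ciphertexts, moduli)
    return icbrt(m_cubed)

if __name__ == "__main__":
    cts = broadcast(2024)
    print(cts, "->", hastad_recover(cts))   # recovers 2024 without any private key
    print(valid_for_e(101, 107, 3), valid_for_e(103, 107, 3))
```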
Efficient Decryption
 decryption uses exponentiation to power d
 
 this is likely large, insecure if not
 can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get the desired answer
 
 approx 4 times faster than doing directly
 only the owner of the private key, who knows the values of p & q, can use this technique
 
 nb. implementations must protect the CRT path: a fault in one of the two half-exponentiations lets an attacker recover the factorisation from the faulty output
RSA Key Generation
 users of RSA must:
 
 determine two primes at random - p, q
 
 select either e or d and compute the other
 primes p,q must not be easily derived from modulus n=p.q
 
 means they must be sufficiently large
 
 typically guess and use a probabilistic test (eg. Miller-Rabin)
 exponents e, d are inverses, so use the Inverse (extended Euclidean) algorithm to compute the other
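The CRT decryption of the previous slide and the "guess and use a probabilistic test" key generation of this one, as an added Python example (not from the slides): a Miller-Rabin test, a random prime generator that also rejects candidates with e dividing p-1, and Garner's recombination for decryption mod p and mod q. It reproduces the slide's d=23 example and then times direct versus CRT decryption on freshly generated primes; the bit sizes are small for speed and are not a recommendation.

```python
# Added example: Miller-Rabin prime generation and CRT (Garner) RSA decryption.
# Toy sizes; real keys use >= 1024-bit primes and constant-time arithmetic.

import random
import time

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin: always False for primes' complements... i.e. composites
    are rejected with error <= 4^-rounds; primes always pass."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # no square root of 1 found: composite
    return True

def random_prime(bits, e=65537):
    """Guess odd candidates of exactly `bits` bits until one passes the test
    and p-1 is coprime to the fixed public exponent e (e is prime here)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (cand - 1) % e != 0 and is_probable_prime(cand):
            return cand

def crt_decrypt(c, p, q, d):
    """Garner's method: two half-size exponentiations instead of one full one."""
    dp, dq = d % (p - 1), d % (q - 1)
    qinv = pow(q, -1, p)
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q

def crt_roundtrip(bits=256, e=65537):
    """Generate a key, encrypt a random block, decrypt both ways; return
    (m, m_direct, m_crt, speedup)."""
    p = random_prime(bits, e)
    q = random_prime(bits, e)
    while q == p:
        q = random_prime(bits, e)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    m = random.randrange(2, n)
    c = pow(m, e, n)
    t0 = time.perf_counter()
    m_direct = pow(c, d, n)
    t1 = time.perf_counter()
    m_crt = crt_decrypt(c, p, q, d)
    t2 = time.perf_counter()
    return m, m_direct, m_crt, (t1 - t0) / max(t2 - t1, 1e-9)

if __name__ == "__main__":
    print(crt_decrypt(11, 17, 11, 23))          # 88, the slide's example
    m, a, b, speedup = crt_roundtrip(512)
    print(m == a == b, f"CRT speedup about {speedup:.1f}x")
```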
RSA Security
 possible approaches to attacking RSA are:

brute force key search (infeasible given size
of numbers)

mathematical attacks (based on difficulty of
computing ø(n), by factoring modulus n)

timing attacks (on running of decryption)

chosen ciphertext attacks (given properties of
RSA)
Factoring Problem
 mathematical approach takes 3 forms:
 
 factor n=p.q, hence compute ø(n) and then d
 
 determine ø(n) directly and compute d
 
 find d directly
 currently believe all equivalent to factoring
 
 have seen slow improvements over the years
 • as of May-05 best is 200 decimal digits (663 bits) with the lattice sieve (LS); RSA-768 (232 digits) followed in 2009
 
 biggest improvement comes from improved algorithms
 • cf QS to GNFS to LS
 
 currently assume 2048 bit RSA is secure (1024-bit is no longer recommended)
 • ensure p, q of similar size and matching other constraints (eg. p-1 and q-1 have a large prime factor, p and q not too close together)
Timing Attacks
 developed by Paul Kocher in mid-1990’s
 exploit timing variations in operations

eg. multiplying by small vs large number

or IF's varying which instructions executed
 infer operand size, or which branch was taken, from the time taken
 against RSA, exploits the time taken by exponentiation: whether the multiply step runs depends on each bit of the private exponent
 countermeasures
 
 use constant exponentiation time
 
 add random delays
 
 blind values used in calculations (eg. multiply the ciphertext by r^e, decrypt, then divide by r)
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• attacker chooses ciphertexts & gets the decrypted plaintext back
• chooses ciphertexts to exploit properties of RSA (eg. its multiplicative property: E(M1).E(M2) = E(M1.M2) mod n) to provide info to help cryptanalysis
• can counter with a random pad of the plaintext
• or use Optimal Asymmetric Encryption Padding (OAEP)
Diffie-Hellman Key Exchange
 first public-key type scheme proposed
 by Diffie & Hellman in 1976 along with the exposition of public key concepts
 
 note: now know that UK CESG got there earlier: Ellis described the concept in 1970 and Williamson found the same key exchange in 1974, kept secret until 1997
 is a practical method for public exchange of a secret key
 used in a number of commercial products (eg. TLS, SSH, IPsec)
Diffie-Hellman Key Exchange
 a public-key distribution scheme

cannot be used to exchange an arbitrary message

rather it can establish a common key

known only to the two participants
 value of key depends on the participants (and
their private and public key information)
 based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
 security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard
Diffie-Hellman Setup
 all users agree on global parameters:
 
 large prime integer or polynomial q
 
 a being a primitive root mod q
 each user (eg. A) generates their key
 chooses a secret key (number): xA < q
 
 compute their public key: yA = a^xA mod q
 each user makes public that key yA
Diffie-Hellman Key Exchange
 shared session key for users A & B is KAB:
 KAB = a^(xA.xB) mod q
 = yA^xB mod q (which B can compute)
 = yB^xA mod q (which A can compute)
 KAB is used as session key in a private-key encryption scheme between Alice and Bob
 if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
 attacker needs an x, must solve the discrete log
Diffie-Hellman Key Exchange Protocol
Diffie-Hellman Example
 users Alice & Bob who wish to swap keys:
 agree on prime q=353 and a=3
 select random secret keys:
 
 A chooses xA=97, B chooses xB=233
 compute respective public keys:
 
 yA = 3^97 mod 353 = 40 (Alice)
 
 yB = 3^233 mod 353 = 248 (Bob)
 compute shared session key as:
 
 KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
 
 KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
Man-in-the-middle (Bucket Brigade) attack
Key Exchange Protocols
 users could create random private/public D-H keys each time they communicate
 users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to securely communicate with them
 both of these are vulnerable to a man-in-the-middle attack: an active attacker substitutes their own public value in each direction and ends up sharing a key with each side
 authentication of the keys is needed (eg. signatures or certificates on the public values)
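The example exchange and the man-in-the-middle attack on it, as an added Python example (not from the slides): the slide's parameters (q=353, a=3, xA=97, xB=233) are reproduced, then Mallory, with her own secret xM, intercepts both public values and replaces each with her own, so Alice and Bob each share a key with Mallory rather than with each other. A brute-force discrete-log routine shows what a passive attacker must solve, feasible only for this toy group.

```python
# Added example: Diffie-Hellman with the slide's toy parameters, an honest run,
# a man-in-the-middle (bucket brigade) run, and a brute-force discrete log.
# Real deployments use >= 2048-bit primes or elliptic curves, and authenticate
# the public values.

Q, A = 353, 3          # slide's group: prime q = 353, primitive root a = 3

def dh_public(x, q=Q, a=A):
    """y = a^x mod q."""
    return pow(a, x, q)

def dh_shared(their_public, my_secret, q=Q):
    """K = y^x mod q."""
    return pow(their_public, my_secret, q)

def honest_exchange(xa, xb, q=Q, a=A):
    """Both sides compute the same key from the other's public value."""
    ya, yb = dh_public(xa, q, a), dh_public(xb, q, a)
    return dh_shared(yb, xa, q), dh_shared(ya, xb, q)

def mitm_exchange(xa, xb, xm, q=Q, a=A):
    """Mallory (secret xm) replaces each public value in transit with her own.
    Returns (Alice's key, Bob's key, Mallory's key with Alice, Mallory's key with Bob)."""
    ya, yb = dh_public(xa, q, a), dh_public(xb, q, a)
    ym = dh_public(xm, q, a)
    k_alice = dh_shared(ym, xa, q)      # Alice receives ym instead of yb
    k_bob = dh_shared(ym, xb, q)        # Bob receives ym instead of ya
    k_m_alice = dh_shared(ya, xm, q)    # Mallory computes both from what she intercepted
    k_m_bob = dh_shared(yb, xm, q)
    return k_alice, k_bob, k_m_alice, k_m_bob

def brute_force_dlog(y, q=Q, a=A):
    """Passive attacker's task: find x with a^x = y mod q (only feasible for toy q)."""
    for x in range(q):
        if pow(a, x, q) == y:
            return x
    return None

if __name__ == "__main__":
    print(dh_public(97), dh_public(233))        # 40 248
    print(honest_exchange(97, 233))             # (160, 160)
    ka, kb, kma, kmb = mitm_exchange(97, 233, 5)
    print(ka == kma, kb == kmb, ka != kb)       # True True True: two different keys
    print(brute_force_dlog(40))                 # 97
```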
Elliptic Curve Cryptography
 majority of public-key crypto (RSA, D-H)
use either integer or polynomial arithmetic
with very large numbers/polynomials
 imposes a significant load in storing and
processing keys and messages
 an alternative is to use elliptic curves
 offers the same security with much smaller bit sizes
 newer and, when these slides were written, less thoroughly analysed; now standard (eg. P-256, Curve25519)
Real Elliptic Curves
 an elliptic curve is defined by an equation in two variables x & y, with coefficients
 consider a cubic elliptic curve of form
 
 y^2 = x^3 + ax + b
 
 where x,y,a,b are all real numbers
 
 also define the zero point O (point at infinity, the identity)
 have an addition operation for points on the curve
 
 geometrically: the line through Q and R meets the curve in a third point; Q+R is the reflection of that point in the x-axis (for Q+Q use the tangent at Q)
Real Elliptic Curve Example
Finite Elliptic Curves
 Elliptic curve cryptography uses curves whose variables & coefficients are finite
 have two families commonly used:
 prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
 binary curves E2^m(a,b) defined over GF(2^m)
• use polynomials with binary coefficients
• best in hardware
Elliptic Curve Cryptography
 ECC addition is the analog of modulo multiply
 ECC repeated addition (scalar multiplication) is the analog of modulo exponentiation
 need "hard" problem equiv to discrete log
 
 Q=kP, where Q,P belong to a prime curve
 
 is "easy" to compute Q given k,P
 
 but "hard" to find k given Q,P
 
 known as the elliptic curve discrete logarithm problem (ECDLP)
 Certicom example: E23(9,17), ie. y^2 = x^3 + 9x + 17 mod 23: find k with (4,5) = k.(16,5); stepping through the multiples of (16,5) gives k=9
ECC Diffie-Hellman
 can do key exchange analogous to D-H
 users select a suitable curve Ep(a,b)
 select base point G=(x1,y1)
 
 with large order n s.t. nG=O
 A & B select private keys nA<n, nB<n
 compute public keys: PA=nA.G, PB=nB.G
 compute shared key: K=nA.PB, K=nB.PA
 
 same since K=nA.nB.G
ECC Encryption/Decryption
 several alternatives, will consider the simplest (ElGamal-style)
 must first encode any message M as a point on the elliptic curve, Pm
 select suitable curve & point G as in D-H
 each user chooses private key nA<n
 and computes public key PA=nA.G
 to encrypt Pm for B: Cm={k.G, Pm+k.PB}, k random
 to decrypt Cm, B computes:
 Pm+k.PB – nB.(k.G) = Pm+k.(nB.G) – nB.(k.G) = Pm
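Point arithmetic on the Certicom curve E23(9,17), the ECDH exchange of the previous slide and the encryption scheme of this one, as an added Python example (not from the slides): chord-and-tangent addition with the special cases (identity, inverse, doubling), double-and-add scalar multiplication, a brute-force ECDLP solver that recovers k=9 for (4,5) = k.(16,5), ECDH with two constructed private scalars, and an encrypt/decrypt round trip of a constructed message point. The curve is a toy; real systems use a standardised curve and a constant-time library.

```python
# Added example: arithmetic on the prime curve E_23(9,17): y^2 = x^3 + 9x + 17 mod 23,
# then ECDH and ElGamal-style ECC encryption. Toy curve for illustration only.

P_MOD, A, B = 23, 9, 17
O = None                        # point at infinity (the group identity)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    """-(x, y) = (x, -y mod p)."""
    return O if pt is O else (pt[0], (-pt[1]) % P_MOD)

def add(p1, p2):
    """Chord-and-tangent addition with the identity and inverse cases."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:     # P + (-P) = O (also doubling with y = 0)
        return O
    if p1 == p2:                                # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:                                       # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD        # reflect the third intersection
    return (x3, y3)

def mul(k, pt):
    """Double-and-add: k*P, the ECC analogue of square-and-multiply."""
    acc, addend = O, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def ec_dlog(q_pt, g):
    """Brute-force k with q = k*g; feasible only on a toy curve."""
    acc, k = O, 0
    while k <= 2 * P_MOD + 2:                   # Hasse bound: order <= p + 1 + 2*sqrt(p)
        if acc == q_pt:
            return k
        acc = add(acc, g)
        k += 1
    return None

G = (16, 5)                                     # base point of the Certicom example

def ecdh(na, nb, g=G):
    """Returns (A's key, B's key); both equal na*nb*G."""
    pa, pb = mul(na, g), mul(nb, g)
    return mul(na, pb), mul(nb, pa)

def ec_encrypt(pm, pb, k, g=G):
    """Cm = {k*G, Pm + k*PB}."""
    return (mul(k, g), add(pm, mul(k, pb)))

def ec_decrypt(cm, nb):
    """Pm = (Pm + k*PB) - nB*(k*G)."""
    c1, c2 = cm
    return add(c2, neg(mul(nb, c1)))

if __name__ == "__main__":
    print(mul(9, G), ec_dlog((4, 5), G))        # (4, 5) 9
    print(ecdh(3, 7))                           # same point twice
    pm, nb, k = (13, 10), 7, 5                  # constructed message point (= 5G) and secrets
    cm = ec_encrypt(pm, mul(nb, G), k)
    print(ec_decrypt(cm, nb) == pm)             # True
```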
ECC Security
 relies on the elliptic curve discrete logarithm problem
 fastest known generic method is Pollard's rho (about sqrt(n) steps for a base point of order n); no sub-exponential attack is known for well-chosen curves
 compared to factoring, can use much smaller key sizes than with RSA etc
 for equivalent key lengths computations are roughly equivalent
 hence for similar security ECC offers significant computational advantages
Comparable Key Sizes for Equivalent Security

Symmetric scheme     ECC-based scheme      RSA/DSA
(key size in bits)   (size of n in bits)   (modulus size in bits)
56                   112                   512
80                   160                   1024
112                  224                   2048
128                  256                   3072
192                  384                   7680
256                  512                   15360
Key Management
 public-key encryption helps address key
distribution problems
 have two aspects of this:

distribution of public keys

use of public-key encryption to distribute
secret keys
Distribution of Public Keys
 can be considered as using one of:

public announcement

publicly available directory

public-key authority

public-key certificates
Public Announcement
 users distribute public keys to recipients or broadcast to the community at large

eg. append PGP keys to email messages or
post to news groups or email list
 major weakness is forgery

anyone can create a key claiming to be
someone else and broadcast it

until forgery is discovered can masquerade as
claimed user
Publicly Available Directory
 can obtain greater security by registering
keys with a public directory
 directory must be trusted with properties:

contains {name,public-key} entries

participants register securely with directory

participants can replace key at any time

directory is periodically published

directory can be accessed electronically
 still vulnerable to tampering or forgery
Public-Key Authority
 improve security by tightening control over
distribution of keys from directory
 has properties of directory
 and requires users to know public key for
the directory
 then users interact with directory to obtain
any desired public key securely

does require real-time access to directory
when keys are needed
Public-Key Authority
Public-Key Certificates
 certificates allow key exchange without
real-time access to public-key authority
 a certificate binds identity to public key

usually with other info such as period of
validity, rights of use etc
 with all contents signed by a trusted
Public-Key or Certificate Authority (CA)
 can be verified by anyone who knows the
public-key authorities public-key
Public-Key Certificates
Public-Key Distribution of Secret Keys
 use previous methods to obtain public-key
 can use for secrecy or authentication
 but public-key algorithms are slow
 so usually want to use private-key
encryption to protect message contents
 hence need a session key
 have several alternatives for negotiating a suitable session key
Simple Secret Key Distribution
 proposed by Merkle in 1979
 
 A generates a new temporary public key pair
 
 A sends B the public key and their identity
 
 B generates a session key K and sends it to A encrypted using the supplied public key
 
 A decrypts the session key and both use it
 problem is that an opponent can intercept and impersonate both halves of the protocol (replace A's public key with their own, learn K, then re-encrypt it for A); it protects only against passive eavesdropping
Public-Key Distribution of Secret Keys
 if have securely exchanged public-keys:
Hybrid Key Distribution
 retain use of private-key KDC
 shares secret master key with each user
 distributes session key using master key
 public-key used to distribute master keys

especially useful with widely distributed users
 rationale

performance

backward compatibility