@Yuan Xue CS 285 Network Security Block Cipher Principle Fall 2012 Yuan Xue

@Yuan Xue From Classical Ciphers to Modern Ciphers Classical Cipher  Modern Cipher (Block cipher) Alphabetic letters  Binary data  Easy to do Large block size, large key space Relationship between key and plaintext-to-ciphertext map needs to be complex (e.g., can not be a linear mapping)  How substitution should be specified? Design Principle Solution in a nutshell Substitution + Transposition  Feistel Network Illustrate Solution with DES design

@Yuan Xue An exercise before we start n-bit block Number of all possible plaintext? Number of all possible plaintext-to-ciphertext mapping? Number of keys needed? Required key length? K-bit key How many possible keys?

@Yuan Xue An example Encryption/ decryption mapping can be defined by a tabulation Ideal block cipher Maximum number of possible encryption mapping Each mapping constitutes the key How to design/represent the key and assign it to each mapping?

@Yuan Xue Another exercise Let X be a random variable with n values. Let the elements of its probability distribution P(X) be p 1, p 2, …, p n, such that p 1  p 2  …  p n. What is the average number of guesses needed to determine the value of X using an optimal strategy? This example shows how statistical information (of plaintext) helps to reduce the effort of hacking the text. For statistical analysis, we care more about the correlation statistics between the plaintext and the ciphertext. (mutual information)

@Yuan Xue Block Cipher Principle Statistical analysis Attacker has some knowledge of the statistical characteristics of the plaintext If the statistics are in any way reflected in the ciphtertext, then it reduces the complexity for the attacker to guess the plaintext Ideally, the statistics of plaintext and ciphertext is independent

@Yuan Xue Block Cipher Principle Design a symmetric key cryptographic scheme with enough security Using a reasonable large block size  Minimizes the correlation statistics between the plaintext and the ciphertext  Against frequency analysis With a reasonable size key  Against to brute-force attack where the attackers may search through all possible keys These two conditions are necessary but not sufficient The relationship among plaintext, ciphertext and key is also important  Intuitively, the mapping from plaintext to ciphertext via key should be “random”

@Yuan Xue Encryption Algorithm Security Unconditionally secure If the ciphertext generated by the algorithm does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available, and how much time an opponents has.  One-time pad Computationally secure The cost of breaking the cipher exceeds the value of the encrypted information The time required to break the cipher exceeds the useful lifetime of the information

@Yuan Xue Secure Pseudorandom Function (PRF) Let F: K  X  Y be a PRF Funs[X,Y]: the set of all functions from X to Y S F = { F(k,  ) s.t. k  K }  Funs[X,Y] Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S F SFSF Size |K| Funs[X,Y] Size |Y| |X| Credit: Dan Boneh, “Introduction to Cryptography”

@Yuan Xue Secure Pseudorandom Permutation (PRP) Let E: K  X  Y be a PRP Perms[X]: the set of all one-to-one functions from X to Y S F = { E(k,  ) s.t. k  K }  Perms[X,Y] Intuition: a PRP is secure if a random function in Perms[X] is indistinguishable from a random function in S F k  K π  Perms[X] x  X π(x) or E(k,x) ? ??? Credit: Dan Boneh, “Introduction to Cryptography”

@Yuan Xue Block Cipher Principle Two methods Diffusion makes the statistical relationship between plaintext and the ciphertext as complex and as involved as possible  redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext  Against frequency analysis  Avalanche effect Each plaintext bit affect as many as possible ciphertext bit Let’s see a demodemo Confusion makes the relationship between the key and the plaintext/ciphertext as complex and as involved as possible  Ideally, the relationship between plaintext/ciphertext is independent of the structure of the key

@Yuan Xue Block Cipher Principle Confusion makes the relationship between the key and the plaintext/ciphertext as complex and as involved as possible  Ideally, the relationship between plaintext/ciphertext is independent of the structure of the key  Hard to find the key even if one has a large number of plaintext-ciphertext pairs produced with the same key Hill cipher is a bad example  Arbitrary substitution cipher is a good (ideal) example  but it is not practical  Still we hope changing one bit of the key should change the ciphertext completely.

@Yuan Xue Block Cipher Principle Feistel Network  Product ciphers use the two classical encryption forms: substitution and transposition, alternatively in multiple rounds to achieve both confusion and diffusion respectively  Substitution is a mechanism primarily for confusion  Transposition + substitution is a technique for diffusion

@Yuan Xue Feistel Network Design features/parameters Block size Key size Number of rounds Subkey generation algorithm Round function (F)

@Yuan Xue Feistel Network The process of decryption with a Feistel cipher is essentially the same as the encryption process. Rule: Use the ciphertext as input to the algorithm, but use the subkeys in the reverse order