Chapter 5: Introduction to Modern Symmetric-key Ciphers

Objectives
- To distinguish between traditional and modern symmetric-key ciphers
- To introduce modern block ciphers and discuss their characteristics
- To explain why modern block ciphers need to be designed as substitution ciphers
- To introduce components of block ciphers such as P-boxes and S-boxes
- To discuss product ciphers and distinguish between two classes of product ciphers: Feistel and non-Feistel ciphers
- To discuss two kinds of attacks particularly designed for modern block ciphers: differential and linear cryptanalysis
- To introduce stream ciphers and to distinguish between synchronous and nonsynchronous stream ciphers
- To discuss linear and nonlinear feedback shift registers for implementing stream ciphers
Modern Block Ciphers
- Block ciphers: plaintexts are encrypted/decrypted in fixed-size block units
- The key also has a fixed size

Substitution or Transposition
- A modern block cipher uses either a substitution cipher or a transposition cipher
- To be resistant to an exhaustive-search attack, a modern block cipher needs to be designed as a substitution cipher

Substitution or Transposition: Example
- Suppose that we have a block cipher where n = 64. If there are 10 1's in the ciphertext, how many trial-and-error tests does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?
  a. The cipher is designed as a substitution cipher.
  b. The cipher is designed as a transposition cipher.
- Substitution cipher: Eve has no idea how many 1's are in the plaintext. Eve needs to try all possible 2^64 64-bit blocks to find one that makes sense.
- Transposition cipher: Eve knows that there are exactly 10 1's in the plaintext. Eve can launch an exhaustive-search attack using only those 64-bit blocks that have exactly 10 1's.

Substitution or Transposition: Full-size key ciphers
- Full-size key cipher: a cipher where the key is long enough to choose every possible mapping from the input to the output
- In practice, partial-size key ciphers are used
- Full-size key transposition block cipher: with block size n, we need n! possible keys, so the key should have log2(n!) bits
- Example 5.2: show the model and the set of permutation tables for a 3-bit block transposition cipher (block size 3 bits). Among the 2^3 = 8 key mappings, we use only 6 (= 3!) mappings

Substitution or Transposition: Full-size key substitution block cipher
- A full-size key substitution cipher does not transpose bits; it substitutes bits
- We can model the substitution cipher as a permutation if we can decode the input and encode the output, where decoding means transforming an n-bit integer into a 2^n-bit string with a single 1 and (2^n − 1) 0's, and encoding is the reverse of decoding
- The substitution cipher can therefore be modeled as a permutation of 2^n objects, of which there are (2^n)!
- Example 5.4: the model for a 3-bit block substitution cipher. The key space is much larger: 8! = 40,320 mappings

Substitution or Transposition: key sizes
- A full-size key n-bit transposition cipher or substitution block cipher can be modeled as a permutation, but their key sizes are different:
  Transposition: the key is log2(n!) bits long.
  Substitution: the key is log2((2^n)!) bits long.
- A partial-key cipher is a group under the composition operation if it is a subgroup of the corresponding full-size key cipher.
Algebraic Structures
- Cryptography requires sets of integers and specific operations that are defined for those sets
- The combination of the set and the operations that are applied to the elements of the set is called an algebraic structure

Groups
- A group G is a set of elements with a binary operation (•) that satisfies four properties (or axioms): closure, associativity, existence of identity, existence of inverse
- A commutative (or abelian) group satisfies an extra property, commutativity
- Closure: if a and b are elements of G, then c = a • b is also an element of G
- Associativity: if a, b and c are elements of G, then (a • b) • c = a • (b • c)
- Commutativity: for all a and b in G, a • b = b • a
- Existence of identity: for all a in G, there exists an element e, called the identity element, such that e • a = a • e = a
- Existence of inverse: for each a in G, there exists an element a', called the inverse of a, such that a • a' = a' • a = e
Groups: Example 4.2
- The set of residue integers with the addition operator, G = <Zn, +>, is a commutative group
  Zn = {0, 1, 2, …, n − 1}
  Identity: 0
  Inverse of an element a: −a (mod n)
- The set Zn* with the multiplication operator, G = <Zn*, ×>, is also an abelian group
  Zn* is the subset of Zn whose elements each have a multiplicative inverse
  Identity: 1
  Inverse of an element: found with the extended Euclidean algorithm
  Z13 = {0, 1, 2, …, 12}
  Z13* = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}

Groups: Example 4.3
- Let us define a set G = <{a, b, c, d}, •> with the operation as shown in Table 4.1
- Identity: a
- Inverses, read from the table: the pairs (a, a), (b, d), (c, c)
Permutation Group
- The set is the set of all permutations, and the operation is composition: applying one permutation after another
- Composition (∘) of permutations
- Operation table for the permutation group: identity (1, 2, 3); inverses can be found from the table; the commutativity property is not satisfied
- A set of permutations with the composition operation is a group
- This implies that using two permutations one after another cannot strengthen the security of a cipher: by the closure property we can always find a single permutation that does the same job
Groups: finite groups, order, subgroups
- Finite group: the set has a finite number of elements
- Order of a group, |G|: the number of elements in the group
- Subgroups: a subset H of a group G is a subgroup of G if H itself is a group with respect to the same operation as G
- Let G = <S, •> and H = <T, •> be groups with T a nonempty subset of S; then H is a subgroup of G

Groups: Example
- Is the group H = <Z10, +> a subgroup of the group G = <Z12, +>? No. Although H is a subset of G, the operations defined for these two groups are different: the operation in H is addition modulo 10 and the operation in G is addition modulo 12

Groups: cyclic subgroups
- If a subgroup of a group can be generated using the powers of an element, the subgroup is called a cyclic subgroup
- The power of an element means repeatedly applying the group operation to the element; a^0 = e
- The set made from this process is denoted by <a>
Groups: cyclic subgroups
- Four cyclic subgroups are made from the group G = <Z6, +>; H4 = G
- Cyclic subgroups made from the group G = <Z10*, ×>, where Z10* = {1, 3, 7, 9}; H3 = G

Groups: cyclic groups
- A cyclic group is a group that is its own cyclic subgroup
- The element that generates the group itself is called a generator
- If g is a generator, then the elements in a finite cyclic subgroup can be written as powers of g
- The group G = <Z6, +> is a cyclic group with two generators, g = 1 and g = 5
- The group G = <Z10*, ×> is a cyclic group with two generators, g = 3 and g = 7

Groups: Lagrange's theorem and order of an element
- Lagrange's theorem: assume that G is a group and H is a subgroup of G. If the orders of G and H are |G| and |H| respectively, then |H| divides |G|
- Order of an element, ord(a): the smallest integer n such that a^n = e
- The order of an element is the order of the cyclic group it generates
- In the group G = <Z6, +>, the orders of the elements are: ord(0) = 1, ord(1) = 6, ord(2) = 3, ord(3) = 2, ord(4) = 3, ord(5) = 6
- In the group G = <Z10*, ×>, the orders of the elements are: ord(1) = 1, ord(3) = 4, ord(7) = 4, ord(9) = 2
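As an added example (not from the slides), the following Python builds the cyclic subgroup <a>, the order ord(a) and the generators for the two groups used above, <Z6, +> and <Z10*, ×>, and checks Lagrange's theorem on them; the function names are my own.

```python
# Added example: cyclic subgroups, element orders, generators and Lagrange's
# theorem for the slides' two groups, <Z6, +> and <Z10*, x>.
from math import gcd


def z_add_group(n):
    """The additive group <Zn, +>: (elements, operation, identity)."""
    return list(range(n)), (lambda a, b: (a + b) % n), 0


def z_mul_group(n):
    """The multiplicative group <Zn*, x>: the elements of Zn coprime to n."""
    elems = [a for a in range(1, n) if gcd(a, n) == 1]
    return elems, (lambda a, b: (a * b) % n), 1


def cyclic_subgroup(group, a):
    """<a> = {a^0 = e, a^1, a^2, ...}: apply the operation repeatedly until e returns."""
    _, op, e = group
    seen, x = [e], op(e, a)
    while x != e:
        seen.append(x)
        x = op(x, a)
    return seen


def order(group, a):
    """ord(a): the smallest n >= 1 with a^n = e, i.e. the size of <a>."""
    return len(cyclic_subgroup(group, a))


def generators(group):
    """Elements whose cyclic subgroup is the whole group."""
    elems, _, _ = group
    return [a for a in elems if order(group, a) == len(elems)]


def lagrange_holds(group):
    """Lagrange: the order of every (cyclic) subgroup divides |G|."""
    elems, _, _ = group
    return all(len(elems) % order(group, a) == 0 for a in elems)


if __name__ == "__main__":
    Z6, Z10s = z_add_group(6), z_mul_group(10)
    print({a: order(Z6, a) for a in Z6[0]})      # ord(1)=6, ord(2)=3, ord(3)=2, ...
    print({a: order(Z10s, a) for a in Z10s[0]})  # ord(3)=4, ord(7)=4, ord(9)=2
    print(generators(Z6), generators(Z10s))      # [1, 5] [3, 7]
```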
Components of a Modern Block Cipher
- Modern block ciphers are normally keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs

P-Boxes
- A P-box (permutation box) transposes bits in a block; it parallels the traditional transposition cipher for characters
- There are three types of P-boxes: straight, compression and expansion
- Straight P-box: the possible mappings of a 3 × 3 P-box; example of a permutation table for a straight P-box
- Compression P-box: a P-box with n inputs and m outputs where m < n; example of a 32 × 24 permutation table
- Expansion P-box: a P-box with n inputs and m outputs where m > n; example of a 12 × 16 permutation table

Invertibility of P-Boxes
- A straight P-box is invertible, but compression and expansion P-boxes are not
- Inverting a permutation table (figure)
- Compression and expansion P-boxes are non-invertible (figure)
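Added example (not from the slides): applying a permutation table, inverting a straight P-box, and showing why a compression P-box cannot be inverted. The three small tables are constructed for this example (the slides' 32 × 24 and 12 × 16 tables are not reproduced); entry i of a table names the 1-based input position that feeds output i, as in the textbook's tables.

```python
# Added example: P-boxes as permutation tables (constructed tables).
STRAIGHT_3x3 = [3, 1, 2]     # output1 <- input3, output2 <- input1, output3 <- input2
COMPRESS_4x2 = [4, 2]        # 4 inputs, 2 outputs: inputs 1 and 3 are dropped
EXPAND_2x4 = [1, 2, 2, 1]    # 2 inputs, 4 outputs: inputs are repeated


def apply_pbox(bits, table):
    """Route the input bit string through the P-box: output i is input table[i]."""
    return "".join(bits[pos - 1] for pos in table)


def invert_table(table):
    """Inverse of a straight P-box: if output i came from input j,
    then in the inverse table output j comes from input i."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


def is_invertible(table, n_inputs):
    """Only a bijection (every input used exactly once) can be inverted."""
    return len(table) == n_inputs and sorted(table) == list(range(1, n_inputs + 1))


def collision(table, n_inputs):
    """Two distinct inputs with the same output, if the box is not injective."""
    seen = {}
    for x in range(2 ** n_inputs):
        inp = format(x, f"0{n_inputs}b")
        out = apply_pbox(inp, table)
        if out in seen:
            return seen[out], inp    # the receiver cannot tell these apart
        seen[out] = inp
    return None


if __name__ == "__main__":
    c = apply_pbox("101", STRAIGHT_3x3)
    print(c, apply_pbox(c, invert_table(STRAIGHT_3x3)))   # 110 101
    print(collision(COMPRESS_4x2, 4))                     # ('0000', '0010')
```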
S-Boxes
- An S-box (substitution box) can be thought of as a miniature substitution cipher
- An S-box is an m × n substitution unit, where m and n are not necessarily the same
- In an S-box with n inputs (x1, x2, …, xn) and m outputs (y1, y2, …, ym), the relationship between the inputs and outputs is represented as
  y1 = f1(x1, x2, …, xn)
  y2 = f2(x1, x2, …, xn)
  …
  ym = fm(x1, x2, …, xn)
- Linear S-boxes: the relationship between the inputs and outputs is represented as
  y1 = a1,1 x1 ⊕ a1,2 x2 ⊕ … ⊕ a1,n xn
  y2 = a2,1 x1 ⊕ a2,2 x2 ⊕ … ⊕ a2,n xn
  …
  ym = am,1 x1 ⊕ am,2 x2 ⊕ … ⊕ am,n xn

S-Box Examples
- A linear S-box with three inputs and two outputs, which can be represented by linear equations of the form above
- An S-box with three inputs and two outputs where multiplication and addition are in GF(2); this S-box is nonlinear because there is no linear relationship between the inputs and the outputs
- An S-box of size 3 × 2 where the substitutions are defined by a table; mapping: 010 → 01, 101 → 00

S-Box Invertibility
- An S-box may or may not be invertible
- In an invertible S-box, the number of input bits must be the same as the number of output bits
- Example of an invertible S-box: the two tables are inverses of each other
Exclusive-Or
- An important component in most block ciphers is the exclusive-or operation
- Exclusive-or is closed and commutative; its identity is 00…0, and the inverse of x is x itself
- Exclusive-or is invertible

Circular Shift
- Another component found in some modern block ciphers is the circular shift operation (example on the slide)
- Swap: the swap operation is a special case of the circular shift operation where k = n/2

Split and Combine
- Two other operations found in some block ciphers are split and combine
Product Ciphers
- Shannon introduced the concept of a product cipher
- A product cipher is a complex cipher combining substitution, permutation, and other components discussed in the previous sections
- Diffusion is to hide the relationship between the ciphertext and the plaintext
- Confusion is to hide the relationship between the ciphertext and the key
- Rounds: diffusion and confusion can be achieved using iterated product ciphers where each iteration (round) is a combination of S-boxes, P-boxes, and other components
- A product cipher with two rounds (figure)
- Diffusion in the two-round example: p8 affects bits 2 and 4 after round 1, and bits 1, 3, 6, 7 after round 2
- Confusion in the two-round example: k3 of K1 affects bits 3 and 7 after round 1, and bits 2, 3, 4, 7 after round 2
- Modern block ciphers are all product ciphers, but they are divided into two classes:
  Feistel ciphers: ciphers that have both invertible and non-invertible components
  Non-Feistel ciphers: ciphers that have only invertible components
Feistel Ciphers
- Feistel structure (basic): the mixer combines a non-invertible function f with XOR
- XOR cancels the non-invertible function during decryption (the mixer is self-invertible)
- Example 5.12: the plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the function f takes the first and third bits of the key, interprets these two bits as a decimal number, squares the number, and interprets the result as a 4-bit binary pattern. With P = 0111 and K = 101, f(K) = 1001
- Feistel structure (enhanced): we can make the mixer more complex by adding keyless components (parts of the plaintext or ciphertext). The input to f must be exactly the same in encryption and decryption
- Feistel structure with two rounds (figure)
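Added example (not from the slides): the key-only function f of Example 5.12, the basic one-XOR mixer it feeds, and a two-round Feistel structure on 8-bit blocks that decrypts by running the same rounds with the keys reversed. The round function g(R, K) is my own constructed stand-in, chosen to be non-invertible on purpose: the XOR in the mixer still cancels it.

```python
# Added example: Example 5.12's f, the basic mixer, and a two-round Feistel cipher.

def f(key3):
    """Example 5.12: take bits 1 and 3 of the 3-bit key, read them as a number,
    square it, and return the result as a 4-bit pattern (max 3**2 = 9 = 1001)."""
    assert len(key3) == 3
    n = int(key3[0] + key3[2], 2)
    return format(n * n, "04b")


def basic_mixer(p4, key3):
    """Basic Feistel mixer: C = P XOR f(K). Applying it again recovers P."""
    return format(int(p4, 2) ^ int(f(key3), 2), "04b")


def g(right, key3):
    """Constructed, deliberately non-invertible round function on a 4-bit half."""
    return ((right + int(f(key3), 2)) ** 2) % 16


def feistel(block8, round_keys):
    """Two-round (or n-round) Feistel on an 8-bit int: halves L, R of 4 bits.
    Decrypt by calling this same function with round_keys reversed."""
    left, right = block8 >> 4, block8 & 0xF
    for k in round_keys:
        left, right = right, left ^ g(right, k)   # swap halves, mix with XOR
    return (right << 4) | left                      # final swap keeps the structure symmetric


if __name__ == "__main__":
    print(basic_mixer("0111", "101"))               # 1110 (0111 XOR 1001)
    keys = ["101", "010"]
    ct = feistel(0b10110011, keys)
    print(format(ct, "08b"), format(feistel(ct, keys[::-1]), "08b"))   # ... 10110011
```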
Non-Feistel Ciphers
- A non-Feistel cipher uses only invertible components
- Each component in the encryption cipher has a corresponding component in the decryption cipher
Attacks on Block Ciphers: Differential Cryptanalysis
- Proposed by Eli Biham and Adi Shamir
- This is a chosen-plaintext attack
- It analyzes the weakness of the encryption algorithm's structure and tries to recover the encryption key
- It analyzes the relationship between plaintext differences and ciphertext differences

Differential Cryptanalysis: Example 5.13
- Assume that the cipher is made only of one exclusive-or operation. Without knowing the value of the key, Eve can easily find the relationship between plaintext differences (P1 ⊕ P2) and ciphertext differences (C1 ⊕ C2)
- An S-box is added to make it hard to find the relationship between plaintext differences and ciphertext differences; the attacker can still create a probabilistic relationship
- Probabilistic relationship between plaintext differences and ciphertext differences: the S-box input difference is X1 ⊕ X2
- The attacker tabulates this probabilistic relationship as a differential distribution table (XOR profile), indexed by the input difference X1 ⊕ X2
- Launching a chosen-plaintext attack: Eve chooses plaintexts that have the highest probability in the differential distribution table. For example, Eve knows that if P1 ⊕ P2 = 001, then C1 ⊕ C2 = 11 with probability 0.50 (50 percent)
- Guessing the key value: she tries C1 = 00 and gets P1 = 010 (chosen-ciphertext attack) and also tries C2 = 11 and gets P2 = 011 (another chosen-ciphertext attack)
- Now she tries to work backward, based on the first pair, P1 and C1. The two tests confirm that K = 011 or K = 101. When X1 = 101, P1 ⊕ P2 = X1 ⊕ X2 = 001 cannot hold for either value of X2 (000 or 110), so 101 is dropped
- Differential cryptanalysis is based on a nonuniform differential distribution table of the S-boxes in a block cipher. A more detailed differential cryptanalysis is given in Appendix N.
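Added example (not from the slides): building the differential distribution table (XOR profile) of a small S-box, reading off its most probable differential, and checking which keys of the toy cipher C = S(P ⊕ K) from Example 5.13 are consistent with known pairs. The 3 × 2 S-box here is constructed for this example; the slides' own S-box table is not reproduced, so the numbers differ from the slides.

```python
# Added example: XOR profile of a constructed 3-in/2-out S-box and the toy
# cipher C = S(P XOR K) of Example 5.13.
SBOX = [0b00, 0b01, 0b11, 0b10, 0b10, 0b00, 0b01, 0b11]   # constructed, index = 3-bit input
N_IN, N_OUT = 3, 2


def ddt(sbox, n_in, n_out):
    """table[d_in][d_out] = number of inputs x with S(x) XOR S(x XOR d_in) = d_out."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for d_in in range(1 << n_in):
        for x in range(1 << n_in):
            table[d_in][sbox[x] ^ sbox[x ^ d_in]] += 1
    return table


def best_differential(table):
    """Most probable (d_in, d_out) with d_in != 0, and its probability."""
    best = (0, 0, -1)
    for d_in, row in enumerate(table):
        if d_in == 0:
            continue                        # zero input difference is trivial
        for d_out, cnt in enumerate(row):
            if cnt > best[2]:
                best = (d_in, d_out, cnt)
    return best[0], best[1], best[2] / len(table)   # probability = count / 2^n_in


def is_uniform(table):
    """A uniform profile gives the attacker nothing; a nonuniform one is the weakness."""
    expected = len(table) / len(table[0])
    return all(cnt == expected for row in table[1:] for cnt in row)


def toy_encrypt(p, k):
    """Example 5.13's toy cipher: one XOR with the 3-bit key, then the S-box."""
    return SBOX[p ^ k]


def consistent_keys(pairs):
    """Keys K for which every known (P, C) pair satisfies C = S(P XOR K)."""
    return [k for k in range(1 << N_IN) if all(toy_encrypt(p, k) == c for p, c in pairs)]


if __name__ == "__main__":
    T = ddt(SBOX, N_IN, N_OUT)
    for d_in, row in enumerate(T):
        print(format(d_in, "03b"), row)
    print(best_differential(T), is_uniform(T))    # (2, 3, 1.0) False
```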
Attacks on Block Ciphers: Linear Cryptanalysis
- Linear cryptanalysis was presented by Mitsuru Matsui in 1993
- The analysis uses known-plaintext attacks
- An S-box can be represented by a linear transformation in which each output is a linear function of the input
- Example 5.14:
- Example 5.20: solving key bits
- Real block ciphers are more complex, and usually the S-boxes are not linear
Modern Stream Ciphers
- Stream ciphers encrypt/decrypt bit-by-bit or character-by-character
- In a modern stream cipher, encryption and decryption are done r bits at a time: a plaintext bit stream P = pn … p2 p1, a ciphertext bit stream C = cn … c2 c1, and a key bit stream K = kn … k2 k1, in which pi, ci and ki are r-bit words
- Two kinds: synchronous stream ciphers and nonsynchronous stream ciphers

Synchronous Stream Ciphers
- The key is independent of the plaintext or ciphertext
- Example: one-time pads
- Example 5.17: what is the pattern in the ciphertext of a one-time pad cipher in each of the following cases?
  (a) The plaintext is made of n 0's.
  (b) The plaintext is made of n 1's.
  (c) The plaintext is made of alternating 0's and 1's.
  (d) The plaintext is a random string of bits.
- Solution:
  (a) Because 0 ⊕ ki = ki, the ciphertext stream is the same as the key stream. If the key stream is random, the ciphertext is also random. The patterns in the plaintext are not preserved in the ciphertext.
  (b) Because 1 ⊕ ki is the complement of ki, the ciphertext stream is the complement of the key stream. If the key stream is random, the ciphertext is also random. Again the patterns in the plaintext are not preserved in the ciphertext.
  (c) In this case, each bit in the ciphertext stream is either the same as the corresponding bit in the key stream or the complement of it. Therefore, the result is also a random string if the key stream is random.
  (d) In this case, the ciphertext is definitely random because the exclusive-or of two random bits results in a random bit.
Feedback Shift Register (FSR)
- Consists of m cells, each holding a single bit
- The cells are initialized to an m-bit value (the seed)
- Whenever an output bit is needed, every bit is shifted one cell to the right

Linear FSR (LFSR)
- bm is a linear function of bm−1, …, b1, b0:
  bm = cm−1 bm−1 + … + c2 b2 + c1 b1 + c0 b0 (addition modulo 2, c0 ≠ 0), or equivalently
  bm = cm−1 bm−1 ⊕ … ⊕ c2 b2 ⊕ c1 b1 ⊕ c0 b0 (c0 ≠ 0)
- Example 5.18: create a linear feedback shift register with 5 cells in which b5 = b4 ⊕ b2 ⊕ b0
- Example 5.19: create a linear feedback shift register with 4 cells in which b4 = b1 ⊕ b0. Show the value of the output for 20 transitions (shifts) if the seed is (0001).
- Cell values and key sequence for Example 5.19: the key stream is 100010011010111 10001…. This looks like a random sequence at first glance, but if we go through more transitions, we see that the sequence is periodic: it is a repetition of the 15 bits 100010011010111
- The key stream generated from an LFSR is a pseudorandom sequence in which the sequence repeats after N bits
- The maximum period of an LFSR is 2^m − 1
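Added example (not from the slides): a generic LFSR in the slides' convention (cells bm−1 … b0, output taken from b0, shift right, the new bm−1 is the XOR of the tapped cells), run on Example 5.19 (taps b1, b0, seed 0001) and Example 5.18 (taps b4, b2, b0), with a period finder to compare against the 2^m − 1 bound. It goes beyond the slides in accepting any tap set; the function names are my own.

```python
# Added example: generic LFSR key-stream generator and period finder.

def _step(cells, taps):
    """One transition: feedback bit = XOR of tapped cells b[t], then shift right.
    cells[0] holds b[m-1] and cells[-1] holds b[0]."""
    m = len(cells)
    fb = 0
    for t in taps:
        fb ^= cells[m - 1 - t]
    return [fb] + cells[:-1]          # new bit enters at b[m-1], b[0] falls out


def lfsr_stream(seed, taps, n_bits):
    """Key stream of n_bits bits. seed is the string 'b[m-1] ... b[0]'."""
    cells = [int(c) for c in seed]
    out = []
    for _ in range(n_bits):
        out.append(cells[-1])         # output is b[0] before the shift
        cells = _step(cells, taps)
    return "".join(map(str, out))


def period(seed, taps):
    """Shifts until the register state returns to the seed (the all-zero seed is stuck at 1)."""
    start = [int(c) for c in seed]
    cells = list(start)
    for n in range(1, 2 ** len(seed) + 1):
        cells = _step(cells, taps)
        if cells == start:
            return n
    return None                       # cannot happen: at most 2^m states


def max_period(m):
    """Upper bound on the period of an m-cell LFSR: the 2^m - 1 nonzero states."""
    return 2 ** m - 1


if __name__ == "__main__":
    # Example 5.19: b4 = b1 XOR b0, seed 0001
    print(lfsr_stream("0001", [1, 0], 20))            # 10001001101011110001
    print(period("0001", [1, 0]), max_period(4))      # 15 15
    # Example 5.18: b5 = b4 XOR b2 XOR b0
    print(lfsr_stream("00001", [4, 2, 0], 6), period("00001", [4, 2, 0]))
```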
Non-linear FSR (NLFSR)
- Has the same structure as an LFSR except that bm is a non-linear function of bm−1, …, b1, b0
- For example: b4 = (b3 AND b2) OR (b1 AND b0)
- Finding an NLFSR that has the maximum period is difficult