Session 3: Secret key cryptography – block ciphers – part 2
KASUMI The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms. Within the security architecture of the UMTS system there are two standardised algorithms: A confidentiality algorithm f8, and an integrity algorithm f9. Each of these algorithms is based on the KASUMI algorithm.
KASUMI KASUMI is a Feistel cipher with 8 rounds. It operates on a 64-bit data block and uses a 128-bit key. Encryption: The 64 bit input I is divided into two 32-bit strings L0 and R0, where I = L0 || R0 Then for each integer i with 1≤i≤8, we define R i = L i-1, L i = R i-1 f i (L i-1, RK i ) This constitutes the i-th round function of KASUMI, where f i denotes the round function with L i-1 and round key RK i as inputs. The result OUTPUT is equal to the 64-bit string (L8 || R8) offered at the end of the 8-th round.
KASUMI The whole algorithm:
KASUMI The FO function:
KASUMI The FI function:
KASUMI The FL function
KASUMI The f-function has a 32-bit input and a 32-bit output. Each f-function of KASUMI is composed of two functions: an FL-function and An FO-function. An FO-function is defined as a network that makes use of three applications of an Fl-function. An Fl-function has a 16-bit input and a 16-bit output. Each Fl-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7. The functions S7 and S9 are also called "S-boxes of KASUMI".
KASUMI In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI). The Kl-key KI i,j splits into two halves KI i,j,1 and KI i,j,2.
KASUMI Each f-function f i takes a 32-bit input and returns a 32-bit output O under the control of a round key RK i, where the round key comprises the triplet (KL i, KO i, KI i ). The f-function f i itself is constructed from two subfunctions: an FL-function FL i and an FO- function FO i with associated subkeys KL i (used with FL i ) and subkeys KO i and KI i (used with FO i ).
KASUMI The f-function f i has two different forms depending on whether it is an even round or an odd round. For odd rounds i=1, 3, 5 and 7, the f- function is defined as: f i (i,RK i ) = FO i (FL i (I,KL i ),KO i,KL i ) For even rounds, i=2, 4, 6 and 8, the f- function is defined as: f i (i,RK i ) =FL i (FO i (I,KO i,KI i ),KL i )
KASUMI FL functions: The input to the function FL i comprises a 32-bit data input I and a 32-bit subkey KL i. The subkey is split into two 16-bit subkeys, KL i,1 and KL i,2, where: KL i = KL i,1 ll KL i,2
KASUMI The input data l is split into two 16-bit halves, L and R, where l=L||R. The FL functions make use of the following simple operations: ROL(D) the left circular rotation of a data block D by- one bit. D 1 D 2 the bitwise OR operation of two data blocks D 1 and D 2. D 1 D 2 the bitwise AND operation of two data blocks D 1 and D 2.
KASUMI Then the 32-bit output value of the FL- function is defined as L’ ll R’, where: L’=L ROL(R’ KL i,2 ) R’=R ROL(L KL i,1 )
KASUMI FO functions: The input to function FO i comprises a 32-bit data input I and two sets of subkeys: A 48-bit KO i and 48-bit KI i. The 32-bit data input is split into two halves, L 0 and R 0, where I= L 0 ll R 0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where: KO i =KO i,1 ll KO i,2 ll KO i,3 and KI i =KI i,1 ll KI i,2 ll KI i,3
KASUMI For each integer j with 1≤j≤3 the operation of the jth round of the function FO i is defined as: R j =FI i,j (L j-1 KO i,j,KI i,j ) R j-1 L j =R j-1 Output from the FOi function is defined as the 32-bit data block L 3 ll R 3.
KASUMI FI functions: An Fl-function FI i,j takes a 16-bit data input I and a 16-bit subkey KI i,j. The input I is split into two unequal components, a 9-bit left half L 0 and a 7-bit right half R 0, where I=L 0 ll R 0. Similarly, the key KI i,j is split into a 7-bit component KI i,j,1 and a 9-bit component Kl i,j,2, where KI i,j = KI i,j,1 ll KI i,j,2.
KASUMI Each Fl-function FI i,j uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output. Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7- bit string) and TR (discards 2 MSB of a 9-bit string).
KASUMI The function FI i,j is defined by the following series of operations: L 1 = R 0 R 1 =S9[L 0 ] ZE(R 0 ) L 2 =R 1 KI i,j,2 R 2 =S7[L 1 ] TR(R 1 ) KI i,j,1 L 3 =R 2 R 3 =S9[L 2 ] ZE(R 2 ) L 4 =S7[L 3 ] TR(R 3 )R 4 =R 3 The output of the FI i,j function is the 16- bit data block L 4 ll R 4.
KASUMI The S-boxes S7 and S9 are obtained as linear transforms of power functions over the corresponding fields, with Kasami’s exponents. The key schedule of KASUMI contains linear transforms and is rather simple. That was a consequence of performance requirements.
Rijndael - AES In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES and be implemented everywhere, from operating systems, browsers to banking applications. Designed for key lengths of 128, 192 and 256 bits.
Rijndael - AES Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key. We consider a 128 bit version, for simplicity. Each round has a round key, derived from the original key. There is also a 0th round key, which is the original key. A round starts with an input of 128 bits and produces an output of 128 bits.
Rijndael - AES There are four basic steps, called layers, that are used to form the rounds: The ByteSub Transformation (BS): This non-linear layer is for resistance to differential and linear cryptanalysis attacks. The ShiftRow Transformation (SR): This linear mixing step causes diffusion of the bits over multiple rounds. The MixColumn Transformation (MC): This layer has a purpose similar to ShiftRow. AddRoundKey (ARK): The round key is XoRed with the result of the above layer.
Rijndael - AES
Rijndael encryption: ARK, using the 0th round key. Nine rounds of BS, SR, MC, ARK using round keys 1 to 9. A final round: BS, SR, ARK, using the 10th round key. The final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn. The 128-bit output is the ciphertext block.
Rijndael - AES
The 128 input bits are grouped into 16 bytes of 8 bits each a 00, a 10, a 20, a 30, a 01, a 11, …, a 33. These are arranged into a 4x4 byte matrix:
Rijndael - AES The operations that are performed in the field GF(2 8 ) use the following generating polynomial (Rijndael polynomial): f(X)=1+X+X 3 +X 4 +X 8 Each byte, except the zero byte has a multiplicative inverse in GF(2 8 ).
Rijndael - AES The ByteSub transformation: In this step, each of the bytes in the matrix is changed to another byte by means of the S- box. If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15). This entry, when converted to binary, is the output.
Rijndael - AES The output of ByteSub is again a 4x4 matrix of bytes
Rijndael - AES The ShiftRow Transformation: The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain
Rijndael - AES The MixColumn Transformation Regard a byte as an element of GF(2 8 ). Then the output of the ShiftRow step is a 4x4 matrix [c i,j ] with entries in GF(2 8 ). We multiply from the left the matrix [c i,j ] by a special matrix, whose entries are the elements of GF(2 8 ), to produce the output [d i,j ].
Rijndael - AES
The RoundKey Addition The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [k i,j ] of bytes. This is XORed with the output of the MixColumn step.
Rijndael - AES
The key schedule: The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes. This matrix is expanded by adjoining 40 more columns, as follows. Label the first four columns W(0), W(1), W(2), W(3). The new columns are generated recursively.
Rijndael - AES Suppose columns up through W(i-1) have been defined. If i is not a multiple of 4, then W(i)=W(i-4) W(i-1) If i is a multiple of 4, then W(i)=W(i-4) T(W(i-1))
Rijndael - AES T(W(i-1)) is the transformation of W(i-1) obtained as follows: Let the elements of the column W(i-1) be a, b,c,d. Shift these cyclically to obtain b,c,d,a. Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e,f,g,h. Finally, compute the round constant r(i)= (i-1)/4 in GF(2 8 ).
Rijndael - AES Then T(W(i - 1)) is the column vector (e r(i),f,g,h). In this way columns W(4),..., W(43) are generated from the initial four columns. The round key for the ith round consists of the columns W(4i), W(4i+1), W(4i+2), W(4i+3).
Rijndael - AES The S-box was obtained on the basis of the multiplicative inverse of input. The only exception is S(0)=0, since 0 has no multiplicative inverse.
Rijndael - AES Decryption: Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible: The inverse of ByteSub is another lookup table, called InvByteSub. The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvByteSub.
Rijndael - AES The inverse of MixColumn exists because the 4x4 matrix used in MixColumn is invertible. The transformation InvMixColumn is given by multiplication by the matrix
Rijndael - AES AddRoundKey is its own inverse. The decryption process: ARK, using the 10th round key. Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1. A final round: IBS, ISR, ARK, using the 0th round key. The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES and several other algorithms.
Modes of operation Block ciphers operate over highly reduced information sets. They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc. But they are totally inadequate for enciphering great quantities of data, such as very formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily.
Modes of operation By convention, the direct use of a block cipher is called Electronic Codebook Mode (ECB). Other modes of operation of block ciphers are: Cipher Block Chaining mode, CBC. Cipher Feedback mode, CFB. Output Feedback mode, OFB. Counter mode, CTR.
Modes of operation It is supposed that the block length is n. In the following illustrations of modes of operation, DES is used as an example. However, any block cipher can be used instead of DES.
Modes of operation Cipher block chaining: An n bit shift register is loaded with a random initial vector (IV), which is not kept secret. In such a way, the block cipher is converted into a stream cipher, by changing IV equal messages can be enciphered in different ways, error propagation is limited and the size of the key space is not changed.
Modes of operation
Cipher feedback mode An n bit shift register is loaded with a random initial vector (IV) that is not kept secret. The plaintext is divided into blocks of m bits. The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n. The shift register of n bits is shifted left m bits after each operation of block encipherment. In this mode, the block cipher is converted into a stream cipher, equal messages can be enciphered in different ways by changing IV, error propagation is limited, the key space size is not changed, and the cipher is self-synchronising.
Modes of operation
Output feedback mode An n bit shift register is loaded with an initial vector (IV) that may be non-random but it must be unique to every message to be encrypted. IV is not kept secret. Plaintext is divided in m bit blocks. The sum modulo 2 is performed, bit by bit, over blocks, whose length can vary between 1 and n. The shift register shifts left m bits after each block encipherment. In this mode, the block cipher is converted into a stream cipher and is used as a running key generator, equal messages can be enciphered in different ways by changing IV, there is no error propagation and the cipher is not self-synchronising.
Modes of operation
Counter mode Just like OFB, CTR creates an output key stream that is XoRed with chunks of plaintext to produce ciphertext. The main difference between CTR and OFB lies in the fact that the output stream O j in CTR is not linked to previous output streams.
Modes of operation CTR starts with the plaintext broken into 8-bit pieces, P= [P 1, P 2,...]. We begin with an initial value X 1, which has a length equal to the block length of the cipher, for example, 64 bits. Now, X 1 is encrypted using the key K to produce 64 bits of output, and the leftmost 8- bits of the ciphertext are extracted and XoRed with P 1 to produce 8 bits of ciphertext, C 1.
Modes of operation Now, rather than update the register X 2 to contain the output of the block cipher, we simply take X 2 =X In this way, X 2 does not depend on previous output. CTR then creates new output stream by encrypting X 2.
Modes of operation General CTR procedure: X j =X j-1 +1 O j =L 8 (E k (X j )) C j =P j O j
Modes of operation
Security of block ciphers The decomposition of encryption/decryption into sub- processes provides the cryptanalyst the possibility for an attack. No practical block cipher is provably secure. Consequently, new design criteria are being discovered, often as a response to emerging novel attacks on block ciphers.
Security of block ciphers The development of theoretical knowledge about block ciphers: Typically, a block cipher design is proposed according to widely-accepted and well- founded rules. This forces the cryptanalyst to attempt to attack the cipher in a new way. These new attacks, if successful, lead in turn to the extending of the set of design criteria.
Security of block ciphers There exist accepted security models, which can be used for analyzing a block cipher. The most widely used ones are: Unconditional Security (Perfect Secrecy). Security Against a Polynomial Attack. “Provable” Security. Practical Security. Historical Security.
Security of block ciphers Unconditional Security (Shannon): An adversary has unlimited computational resources. Secure encryption only exists if the size of the key is as large as the number of bits to be enciphered. Perfect secrecy is possible only if no more than K/N plaintexts are enciphered using a fixed key (e.g. the one-time pad). Not a useful model for practical block ciphers.
Security of block ciphers Security Against a Polynomial Attack: It is assumed that the adversary is a probabilistic algorithm, which runs in polynomial time. Security is claimed with respect to the feasibility of breaking the cryptosystem. The origin of the model is in complexity theory considerations: adversaries are assumed to possess only polynomial computational resources — polynomial in the size of the input to the cipher in bits. The model typically conducts worst-case and asymptotic analyses to determine whether polynomial attacks on a cipher exist. Even if such attacks do exist, it is not guaranteed that they are practical. The model tends to provide an understanding as to the type (class) of problem embodied by a block cipher.
Security of block ciphers “Provable” Security: Tries to show that breaking a block cipher is as difficult as solving some well known hard problem (e.g. discrete log or factoring). The problem: there is a fundamental open question in computer science as to whether these hard problems are in P or in NP. In fact, provable security requires a proof that P NP, and the existence of one-way functions. This is an asymptotic complexity measure — one is assessing the level of complexity as the input size, in bits, tends to infinity. Very useful for practical analysis of the cipher.
Security of block ciphers “Provable” Security (cont.): A block cipher may be shown to be provably secure against a known sub-class of attacks. Example: provable security against linear and differential cryptanalysis. This does not mean that the cipher is secure against all attacks.
Security of block ciphers Practical Security: A block cipher is considered practically secure if the best known attack against it requires too much resources. A very practical model: it is possible to test the cipher with different known attacks, and then give an assessment of its strength against such attacks in terms of time/space resources needed. The model says nothing about the security level with respect to yet unknown attacks.
Security of block ciphers Historical Security: Tries to assess the security level of a block cipher according to how much cryptanalytic attention the cipher has attracted over the years. If a cipher has been under scrutiny for many years without any serious security flaws found in it, that inspires a certain confidence in the cipher. Drawback: the effort spent on breaking a cipher cannot always be measured reliably from the time passed.