Encryption Schemes
  Second Pass
  Brice Toth
  21 November 2001
Introduction
  Background Info
  Stream Ciphers
  Private-key Methods
  Public-key Methods
  Block Ciphers
  Types of Attacks
Constructions of Secure Encryption Schemes
  Key ideas:
    –Using any pseudorandom function, one can construct secure private-key encryption schemes
    –Using any trapdoor one-way permutation, one can construct secure public-key encryption schemes
    –Secure schemes must employ a probabilistic (randomized) encryption algorithm so that one cannot distinguish two encryptions of the same message
Stream Ciphers
  Typically there are fewer Stream Ciphers in use than Block Ciphers
    –Difficult to use correctly
  Basis:
    –Pseudorandom Generators
    –Keys
    –States
    –XOR
Stream Ciphers
  Basic Construction:
    –Key-generation/Initial State
        Uniformly select R (random number), generate the key pair (r,r), and set the initial state to t=0
    –Encrypting Plaintext
        Encrypt plaintext x with key r and state t, where l=|x| and p is the l-bit suffix of the encryption algorithm's output on input r and 1^(t+l); the ciphertext is x ⊕ p and the new state is t+l
    –Decrypting Ciphertext
        Decrypt ciphertext y with key r and state t, where l=|y| and p is again the l-bit suffix; the plaintext is y ⊕ p
Stream Ciphers
  Why are they so hard to use?
    –Must never reuse a key
        If key is reused, same stream of output generated
    –Must keep track of states
    –Must always depend on other things:
        Some way to agree on keys
        Authentication
        Synchronization
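The state-based construction and the key-reuse failure from the two slides above, as an added example that is not part of the original slides. It works on bytes rather than bits, and the generator `prg` (SHA-256 over key and counter) is an assumed stand-in for the pseudorandom generator; all names are hypothetical.

```python
import hashlib


def prg(key: bytes, nbytes: int) -> bytes:
    """Assumed stand-in for G(r, 1^n): first n bytes of SHA-256(key || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StreamCipher:
    """Sender and receiver each hold the key r and their own copy of the state t."""

    def __init__(self, key: bytes):
        self.key = key
        self.t = 0  # initial state t = 0

    def _pad(self, length: int) -> bytes:
        # p is the l-byte suffix of G(r, 1^(t+l)); the state then becomes t+l
        p = prg(self.key, self.t + length)[self.t:]
        self.t += length
        return p

    def encrypt(self, x: bytes) -> bytes:
        return xor(x, self._pad(len(x)))

    def decrypt(self, y: bytes) -> bytes:
        # Only correct when the receiver's t matches the t the sender used
        return xor(y, self._pad(len(y)))


def reuse_leak(key: bytes, x1: bytes, x2: bytes) -> bytes:
    """Key reuse: both messages encrypted from t=0, so c1 XOR c2 == x1 XOR x2."""
    c1 = StreamCipher(key).encrypt(x1)
    c2 = StreamCipher(key).encrypt(x2)
    return xor(c1, c2)
```

An eavesdropper who sees both ciphertexts in `reuse_leak` learns the XOR of the plaintexts without ever touching the key, and a receiver whose `t` has drifted from the sender's decrypts to garbage, which is the synchronization dependency the slide lists.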
Stream Ciphers
  Some examples:
    –A5
    –RC4
    –SOBER
    –WAKE
    –SEAL
    –Panama
Private-key Methods
  Basic Construction:
    –Block Cipher with length n for message x
    –Generate key by selecting seed s and applying function f_s
    –Encryption algorithm selects a uniform string r and produces ciphertext (r, x ⊕ f_s(r))
    –Decrypt ciphertext (r,y) using key s by computing y ⊕ f_s(r)
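The private-key construction above, written out as an added example (not part of the original slides). HMAC-SHA256 is an assumed stand-in for the pseudorandom function f_s, n is fixed at 32 bytes, and `deterministic_encrypt` is a hypothetical broken variant included to show why the scheme needs a fresh r.

```python
import hashlib
import hmac
import secrets

N = 32  # block length n in bytes (the HMAC-SHA256 output size)


def f(s: bytes, r: bytes) -> bytes:
    """Assumed stand-in for the pseudorandom function f_s."""
    return hmac.new(s, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen() -> bytes:
    """Select the seed s uniformly at random."""
    return secrets.token_bytes(N)


def encrypt(s: bytes, x: bytes):
    if len(x) != N:
        raise ValueError("this construction encrypts exactly one n-byte block")
    r = secrets.token_bytes(N)  # fresh uniform r for every encryption
    return r, xor(x, f(s, r))   # ciphertext (r, x XOR f_s(r))


def decrypt(s: bytes, ciphertext) -> bytes:
    r, y = ciphertext
    return xor(y, f(s, r))      # y XOR f_s(r)


def deterministic_encrypt(s: bytes, x: bytes, r: bytes = bytes(N)):
    """Broken variant with a fixed r: equal plaintexts give equal ciphertexts."""
    return r, xor(x, f(s, r))
```

Two calls to `encrypt` on the same message return different pairs, while `deterministic_encrypt` returns the same pair each time, so an observer can tell when a message repeats.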
Public-key Methods
  Basic Construction:
    –Key generation selects a random permutation p from a collection of trapdoor permutations, along with a trapdoor (p serves as the public-key and serves as the private-key)
    –When encrypting a bit b, the encryption algorithm randomly selects an element r in the domain of p and produces ciphertext (p(r),b r)
Public-key Methods
    –Decrypting occurs by taking ciphertext (y, s) and computing the inverse using or s r(p -1 (y))
  The security of the scheme follows from the one-way feature of the collection p
Block Ciphers
  Basis:
    –Take blocks of input and encrypt entire block
    –Reusable keys
    –Different modes
  Keep in mind potential problem areas:
    –Block padding
    –Initialization vectors
    –Codebook attacks, use the right modes
Block Ciphers
  Modes of Operation:
    –Different characteristics
        Error propagation
        Resynchronization
        Block resolution
        Efficiency
        Increase in data size
    –4 Modes defined in Federal Information Processing Standards
Block Ciphers
  Electronic Code Book – separately encrypt each block, patterns recognizable, “codebook” can be built up
  Cipher Block Chaining – XOR plaintext with previous ciphertext block, then encrypt, use initialization vector for first block, makes identical inputs look different
Block Ciphers
  Ciphertext Feedback – take previous ciphertext, encrypt, then XOR with plaintext
  Output Feedback – encrypt previous output, then XOR with plaintext to get ciphertext, uses counters to determine where to take from output
Block Ciphers
  Basic Construction:
    –Generate key pair
    –Encrypt plaintext
        Break message into consecutive blocks of length l (possibly have to augment the last block with some padding)
        Encrypt each block with encryption key r
    –Decrypt ciphertext
        Decrypt each block with decryption key d and concatenate blocks less padding to get plaintext
Block Ciphers
  The Basic Construction results in ciphertexts that reveal the exact length of the original plaintext
    –This is acceptable and completely hiding the length is futile
    –Encryption schemes that hide some information about the length of the plaintext can easily be constructed
Block Ciphers
  Some examples:
    –DES
    –Blowfish
    –IDEA
    –SAFER
    –CAST
    –AES (Rijndael)
Block Ciphers - AES
  Advanced Encryption Standard
  National Institute of Standards and Technology search for standard replacement for DES
    –Requirements:
        128 bit blocksize
        128, 192, 256 bit keys
    –Finalists announced in August 1999
Block Ciphers - AES
    –Serpent
    –Rijndael
    –Twofish
    –Mars
    –RC6
  Winner: Rijndael
Block Ciphers - AES
  Joan Daemen and Vincent Rijmen (Belgium)
  Based on an algorithm called Square
  Supports keys which are multiples of 32 bits and block sizes which are multiples of 64 bits
  Number of rounds changes based on key size
  Generally faster than the other candidates
Block Ciphers - AES
  Key Schedule for Rijndael:
    –Expand cipher key (varies depending on key length, uses linear recurrence relations)
    –Round keys are taken from the expanded cipher key
    –Round keys are then rotated, passed through the S-box, and XOR’d with a round dependent constant (constants based on similar computation to S-box)
Block Ciphers - AES
  Variable rounds:
    –9 if both block and key are 128 bits
    –11 if either block or key is 192 bits and neither are longer than that
    –13 if either block or key is 256 bits
    –etc
Block Ciphers - AES
  Using Rijndael:
    1.Perform Add Round Key Step (XOR a subkey with the block)
    2.Perform rounds:
        1.Byte Sub (each byte of the block is replaced by its substitute from an S-box)
        2.Shift Row
            1.Bytes are arranged in a rectangle and shifted, ex. from to
Block Ciphers - AES The S-box is:
Block Ciphers - AES
        3.Mix Column
            –Matrix multiplication performed where each column is multiplied by:
        Add round key (XOR subkey for current round)
            »An extra final round is added where the mix column step is omitted
Types of Attacks
  Passive Attacks
    –Adversary eavesdrops on the line and possibly gets the sender to encrypt a message of the adversary’s choice and/or gets the sender to decrypt a ciphertext of the adversary’s choice
        Key-oblivious: choice of plaintext does not depend on the key
        Key-dependent: choice of plaintext does depend on the key
Types of Attacks
  Chosen Plaintext Attacks
    –Attacker obtains the encryption of any plaintext of its choice (under the key being attacked)
  Chosen Ciphertext Attacks
    –Attacker obtains the decryption of any ciphertext of its choice (under the key being attacked)