1. Session 3 Symmetric ciphers 2 part 2

2. Triple DES Ordinary DES is now considered obsolete ‒Its key length is only 56 bits. ‒With today’s technology, it is possible to recover the key by means of a ”brute force attack” (enumeration of all the possible keys). Solution: triple DES. 2/89

3. Triple DES – mode 1 (EEE) The data are enciphered with the first key, then enciphered with the second key, and finally enciphered with the third key. 3/89

4. Triple DES – mode 2 (EDE) The data are enciphered with the first key, then deciphered with the second key, and finally enciphered again with the third key. Goal: compatibility with a single DES (set k 1 =k 2 =k 3 =k). 4/89

5. Triple DES – mode 2 (EDE) 5/89

6. Triple DES - security Equivalent key length: ‒Of Double DES – only 57 bits (so called Meet-in-the-middle attack is possible that reduces the size of the key from 112 to effective 57 bits). ‒Of Triple DES – 112 bits, instead of 168 bits, but this is an acceptable length. 6/89

7. Triple DES - security A variant of Triple DES (called 2-key Triple DES, or 2TDES), with k 1 =k 3 is widely used in ATM devices. Due to certain chosen plaintext and known plaintext attacks on this scheme, its equivalent key length is 80 instead of 112 for the ordinary TDES. 7/89

8. KASUMI The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms. Within the security architecture of the UMTS system there are two standardised algorithms based on KASUMI: ‒a confidentiality algorithm f 8, and ‒an integrity algorithm f 9. 8/89

9. KASUMI KASUMI is a Feistel cipher with 8 rounds. It operates on a 64-bit data block and uses a 128-bit key. Encipherment (1): ‒The 64 bit input I is divided into two 32-bit strings L 0 and R 0, where I = L 0 || R 0 ‒Then for each integer i with 1≤i ≤8, we define R i = L i-1, L i = R i-1  f i (L i-1, RK i ) 9/89

10. KASUMI Encipherment (2): ‒This constitutes the i-th round function of KASUMI, where f i denotes the round function with L i-1 and round key RK i as inputs. ‒The result OUTPUT is equal to the 64-bit string (L 8 || R 8 ) offered at the end of the 8-th round. 10/89

11. KASUMI The whole algorithm: 11/89

12. KASUMI The FO function: 12/89

13. KASUMI The FI function: 13/89

14. KASUMI The FL function 14/89

15. KASUMI The f-function has a 32-bit input and a 32-bit output. Each f-function of KASUMI is composed of two functions: ‒an FL-function and ‒An FO-function. An FO-function is defined as a network that makes use of three applications of an Fl-function. 15/89

16. KASUMI An Fl-function has a 16-bit input and a 16-bit output. Each Fl-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7. The functions S7 and S9 are also called "S-boxes of KASUMI". 16/89

17. KASUMI In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI). The Kl-key KI i,j splits into two halves KI i,j,1 and KI i,j,2. 17/89

18. KASUMI Each f-function f i takes a 32-bit input and returns a 32-bit output O under the control of a round key RK i, where the round key comprises the triplet (KL i, KO i, KI i ). 18/89

19. KASUMI The f-function f i itself is constructed from two subfunctions: an FL-function FL i and an FO-function FO i with associated subkeys KL i (used with FL i ) and subkeys KO i and KI i (used with FO i ). 19/89

20. KASUMI The f-function f i has two different forms depending on whether it is an even round or an odd round. For odd rounds i =1, 3, 5 and 7, the f-function is defined as: f i (i,RK i ) = FO i (FL i (I,KL i ),KO i,KL i ) For even rounds, i =2, 4, 6 and 8, the f-function is defined as: f i (i,RK i ) =FL i (FO i (I,KO i,KI i ),KL i ) 20/89

21. KASUMI FL functions (1) ‒The input to the function FL i comprises a 32-bit data input I and a 32-bit subkey KL i. ‒The subkey is split into two 16-bit subkeys, KL i,1 and KL i,2, where: KL i = KL i,1 ll KL i,2 ‒The input data l is split into two 16-bit halves, L and R, where l =L||R. 21/89

22. KASUMI FL functions (2) ‒The FL functions make use of the following simple operations: ROL(D ) the left circular rotation of a data block D by-one bit. D 1  D 2 the bitwise OR operation of two data blocks D 1 and D 2. D 1  D 2 the bitwise AND operation of two data blocks D 1 and D 2. 22/89

23. KASUMI FL functions (3) ‒Then the 32-bit output value of the FL function is defined as L’ ll R ’, where: L’=L  ROL(R ’  KL i,2 ) R ’=R  ROL(L  KL i,1 ) 23/89

24. KASUMI FO functions (1) ‒The input to the function FO i comprises a 32-bit data input I and two sets of subkeys: a 48-bit KO i and a 48-bit KI i. 24/89

25. KASUMI FO functions (2) ‒The 32-bit data input is split into two halves, L 0 and R 0, where I = L 0 ll R 0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where: KO i =KO i,1 ll KO i,2 ll KO i,3 and KI i =KI i,1 ll KI i,2 ll KI i,3 25/89

26. KASUMI FO functions (3) ‒For each integer j with 1≤j ≤3 the operation of the j th round of the function FO i is defined as: R j =FI i,j (L j -1  KO i,j,KI i,j )  R j -1 L j =R j -1 ‒Output from the FO i function is defined as the 32-bit data block L 3 ll R 3. 26/89

27. KASUMI FI functions (1) ‒An Fl-function FI i,j takes a 16-bit data input I and a 16-bit subkey KI i,j. ‒The input I is split into two unequal components, a 9-bit left half L 0 and a 7-bit right half R 0, where I =L 0 ll R 0. ‒Similarly, the key KI i,j is split into a 7-bit component KI i,j,1 and a 9-bit component Kl i,j,2, where KI i,j = KI i,j,1 ll KI i,j,2. 27/89

28. KASUMI FI functions (2) ‒Each Fl-function FI i,j uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output and S9, which maps a 9-bit input to a 9-bit output. ‒Fl-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards 2 MSB of a 9-bit string). 28/89

29. KASUMI FI functions (3) ‒The function FI i,j is defined by the following series of operations: L 1 = R 0 R 1 =S9[L 0 ]  ZE(R 0 ) L 2 =R 1  KI i,j,2 R 2 =S7[L 1 ]  TR(R 1 )  KI i,j,1 L 3 =R 2 R 3 =S9[L 2 ]  ZE(R 2 ) L 4 =S7[L 3 ]  TR(R 3 )R 4 =R 3 ‒The output of the FI i,j function is the 16-bit data block L 4 ll R 4. 29/89

30. KASUMI FI functions (4) ‒The key schedule of KASUMI contains linear transforms and is rather simple. ‒That was a consequence of performance requirements. 30/89

31. Rijndael - AES In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES. Rijndael was designed for block and key lengths of 128, 192 and 256 bits. AES supports only the 128 bit version. 31/89

32. Rijndael - AES Consists of 10 rounds for a 128 bit key, 12 rounds for a 192 bit key, and 14 rounds for a 256 bit key. We consider a 128 bit version, i.e. the AES. 32/89

33. Rijndael - AES Each round has a round key, derived from the original key. There is also a 0th round key, which is the original key. A round starts with an input of 128 bits and produces an output of 128 bits. 33/89

34. Rijndael - AES There are four basic steps, called layers, that are used to form the rounds: The ByteSub Transformation (BS) ‒This non-linear layer is for resistance to differential and linear cryptanalysis attacks. 34/89

35. Rijndael - AES The ShiftRow Transformation (SR) ‒This linear mixing step causes diffusion of the bits over multiple rounds. The MixColumn Transformation (MC) ‒This layer has a purpose similar to ShiftRow. AddRoundKey (ARK) ‒The round key is XoRed with the result of the above layer. 35/89

36. Rijndael - AES 36/89 One round of AES

37. Rijndael - AES AES encipherment: ‒ARK, using the 0th round key. ‒Nine rounds of BS, SR, MC, ARK using round keys 1 to 9. ‒A final round: BS, SR, ARK, using the 10th round key (i.e. the final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn). ‒The 128-bit output is the ciphertext block. 37/89

38. Rijndael - AES 38/89

39. Rijndael - AES The 128 input bits are grouped into 16 bytes of 8 bits each a 00, a 10, a 20, a 30, a 01, a 11, …, a 33. These are arranged into a 4x4 byte matrix: 39/89

40. Rijndael - AES The operations that are performed in the field GF(2 8 ) use the following generating polynomial (Rijndael polynomial): f (X )=1+X+X 3 +X 4 +X 8 Each byte, except the zero byte has a multiplicative inverse in GF(2 8 ). 40/89

41. Rijndael - AES The ByteSub transformation: ‒In this step, each of the bytes in the matrix is changed to another byte by means of the S-box. ‒If we write a byte as 8 bits: abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15). ‒This entry, when converted to binary, is the output. 41/89

42. Rijndael - AES The output of ByteSub is again a 4x4 matrix of bytes 42/89

43. Rijndael - AES The ShiftRow Transformation: –The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain 43/89

44. Rijndael - AES The MixColumn Transformation ‒Regard a byte as an element of GF(2 8 ). ‒Then the output of the ShiftRow step is a 4x4 matrix [c i,j ] with entries in GF(2 8 ). ‒We multiply from the left the matrix [c i,j ] by a special matrix, whose entries are the elements of GF(2 8 ), to produce the output [d i,j ]. 44/89

45. Rijndael - AES 45/89

46. Rijndael - AES The RoundKey Addition ‒The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [k i,j ] of bytes. ‒This is XORed with the output of the MixColumn step. 46/89

47. Rijndael - AES 47/89

48. Rijndael - AES The key schedule (1) ‒The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes. ‒This matrix is expanded by adjoining 40 more columns, as follows. ‒Label the first four columns W(0), W(1), W(2), W(3). ‒The new columns are generated recursively. 48/89

49. Rijndael - AES The key schedule (2) ‒Suppose columns up through W(i -1) have been defined. ‒If i is not a multiple of 4, then W(i )=W(i -4)  W(i -1) ‒If i is a multiple of 4, then W(i )=W(i -4)  T(W(i -1)) 49/89

50. Rijndael - AES The key schedule (3) ‒T(W(i -1)) is the transformation of W(i -1) obtained as follows (1) Let the elements of the column W(i -1) be a, b, c, d. Shift these cyclically to obtain b, c, d, a. Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e, f, g, h. 50/89

51. Rijndael - AES The key schedule (4) ‒T(W(i -1)) is the transformation of W(i -1) obtained as follows (2) Finally, compute the round constant r(i )=00000010 (i -1)/4 in GF(2 8 ). ‒Then T(W(i - 1)) is the column vector (e  r(i ),f,g,h). 51/89

52. Rijndael - AES The key schedule (5) ‒In this way columns W(4),..., W(43) are generated from the initial four columns. ‒The round key for the i th round consists of the columns W(4i ), W(4i +1), W(4i +2), W(4i +3). 52/89

53. Rijndael - AES The S-box was obtained on the basis of the multiplicative inverse of input in GF(2 8 ). The only exception is S(0)=0, since 0 has no multiplicative inverse. 53/89

54. Rijndael - AES Deciphering (1) ‒Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible: The inverse of ByteSub is another lookup table, called InvByteSub. The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvByteSub. 54/89

55. Rijndael - AES Deciphering (2) –Since the 4x4 matrix used in MixColumn is invertible, the inverse of MixColumn exists. –The transformation InvMixColumn is multiplication by the matrix 55/89

56. Rijndael - AES Deciphering (3) ‒AddRoundKey is its own inverse. ‒The deciphering process: ARK, using the 10th round key. Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1. A final round: IBS, ISR, ARK, using the 0th round key. 56/89

57. Rijndael - AES Deciphering (4) ‒The fact that enciphering and deciphering are not identical processes leads to the expectation that there are no so called “weak keys”, in contrast to DES and several other algorithms. 57/89

58. Modes of operation of block ciphers Block ciphers operate over highly reduced information sets. They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc. 58/89

59. Modes of operation of block ciphers Block ciphers are totally inadequate for enciphering great quantities of data, such as very formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily. 59/89

60. Modes of operation of block ciphers By convention, the direct use of a block cipher is called Electronic Codebook Mode (ECB). Other modes of operation: ‒Cipher Block Chaining mode, CBC. ‒Cipher Feedback mode, CFB. ‒Output Feedback mode, OFB. ‒Counter mode, CTR. 60/89

61. Modes of operation of block ciphers It is supposed that the block length is n. In the following illustrations of modes of operation, DES is used as an example. However, any block cipher can be used instead of DES. 61/89

62. Modes of operation of block ciphers Cipher block chaining ‒An n bit shift register is loaded with a random initial vector (IV), which is not kept secret. ‒In such a way, the output of the block cipher depends not only on the current input, but also on all the previous inputs. 62/89

63. Modes of operation of block ciphers 63/89 Cipher block chaining

64. Modes of operation of block ciphers Cipher feedback mode (1) ‒An n bit shift register is loaded with a random initial vector (IV) that is not kept secret, but it must be unique to every message to be enciphered. ‒The plaintext is divided into blocks of m bits. 64/89

65. Modes of operation of block ciphers Cipher feedback mode (2) ‒The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n. ‒The shift register of n bits is shifted left m bits after each operation of block encipherment. ‒In this mode, the block cipher is converted into a stream cipher. ‒Such a cipher is self-synchronizing, i.e. error propagation is limited. 65/89

66. Modes of operation of block ciphers Cipher feedback mode (3) ‒Unlike the CBC mode, both encipherment and the decipherment side use the block cipher that performs enciphering. ‒This enables use of any keyed function instead of the block cipher, e.g. a hash function. 66/89

67. Modes of operation of block ciphers 67/89 Cipher feedback mode

68. Modes of operation of block ciphers Output feedback mode (1) ‒An n bit shift register is loaded with an initial vector (IV) that is not kept secret but it must be unique to every message to be enciphered. ‒The plaintext is divided into m bit blocks. ‒The sum modulo 2 is performed, bit by bit, over blocks, whose length can vary between 1 and n. 68/89

69. Modes of operation of block ciphers Output feedback mode (2) ‒The shift register shifts left m bits after each block encipherment. ‒In this mode, the block cipher is also converted into a stream cipher. ‒But unlike CFB, this cipher is NOT self- synchronising. 69/89

70. Modes of operation of block ciphers Output feedback mode (3) ‒The encipherment and the decipherment side in the OFB mode are exactly the same (they use a block cipher that performs enciphering, the same as in the CFB mode). ‒Therefore, any keyed function may be used instead of the block cipher, e.g. a hash function. 70/89

71. Modes of operation of block ciphers 71/89 Output feedback mode

72. Modes of operation of block ciphers Counter mode (1) ‒Counter mode creates an output key stream that is XoRed with blocks of plaintext to produce ciphertext. ‒The output stream in CTR is not linked to previous output streams. 72/89

73. Modes of operation of block ciphers Counter mode (2) ‒CTR starts with the plaintext divided into m-bit blocks, P = [P 1, P 2,...]. ‒m can vary between 1 and n. ‒We begin with an initial value X 1, which has a length equal to the block length n of the cipher, e.g. 64 bits. 73/89

74. Modes of operation of block ciphers Counter mode (3) ‒X 1 is enciphered using the key K to produce n bits of output, whose leftmost m-bits are extracted and XoRed with P 1 to produce m bits of ciphertext, C 1. 74/89

75. Modes of operation of block ciphers Counter mode (4) ‒Rather than update the register X 2 to contain the output of the block cipher, we simply take X 2 =X 1 +1. ‒In this way, X 2 does not depend on previous output. ‒CTR then creates new output stream by enciphering X 2. 75/89

76. Modes of operation of block ciphers Counter mode (5) ‒In this mode, the block cipher is also converted into a stream cipher. ‒This cipher is not self-synchronising. ‒Both the enciphering and the deciphering side use the block cipher that performs enciphering. ‒Major advantage of CTR Enciphering/deciphering can be done in parallel for each state of the counter – very fast! 76/89

77. Modes of operation of block ciphers 77/89 Counter mode

78. Security of block ciphers The decomposition of encipherment/decipherment into subprocesses provides the cryptanalyst the possibility for an attack. No practical block cipher is provably secure. Consequently, new design criteria are being discovered, often as a response to emerging novel attacks on block ciphers. 78/89

79. Security of block ciphers The development of theoretical knowledge about block ciphers: ‒Typically, a block cipher design is proposed according to widely-accepted and well-founded rules. ‒This forces the cryptanalysts to attempt to attack the cipher in a new way. ‒These new attacks, if successful, lead in turn to the extending of the set of design criteria. 79/89

80. Security of block ciphers There exist accepted security models, which can be used for analyzing a block cipher. The most widely used ones are: ‒Unconditional Security (Perfect Secrecy). ‒Security Against a Polynomial Attack. ‒“Provable” Security. ‒Practical Security. ‒Historical Security. 80/89

81. Security of block ciphers Unconditional Security (Shannon) (1) ‒An adversary has unlimited computational resources. ‒Secure encryption only exists if the size of the key is as large as the number of bits to be enciphered. 81/89

82. Security of block ciphers Unconditional Security (Shannon) (2) ‒Perfect secrecy is possible only if no more than  K /N  plaintexts are enciphered using a fixed key (e.g. the one-time pad). ‒Not a useful model for practical block ciphers. 82/89

83. Security of block ciphers Security Against a Polynomial Attack (1) ‒It is assumed that the adversary is a probabilistic algorithm, which runs in polynomial time. ‒Security is claimed with respect to the feasibility of breaking the cryptosystem. ‒The origin of the model is in complexity theory considerations: adversaries are assumed to possess only polynomial computational resources - polynomial in the size of the input to the cipher in bits. 83/89

84. Security of block ciphers Security Against a Polynomial Attack (2) ‒The model typically conducts worst-case and asymptotic analyses to determine whether polynomial attacks on a cipher exist. ‒Even if such attacks do exist, it is not guaranteed that they are practical. 84/89

85. Security of block ciphers “Provable” Security (1) ‒Tries to show that breaking a block cipher is as difficult as solving some well known hard problem (e.g. discrete log or factoring). ‒The problem: there is a fundamental open question in computer science as to whether these hard problems are in P or in NP. 85/89

86. Security of block ciphers “Provable” Security (2) ‒In fact, provable security requires a proof that P  NP, and the existence of one-way functions. ‒This is an asymptotic complexity measure - one is assessing the level of complexity as the input size, in bits, tends to infinity. ‒Very useful for practical analysis of the cipher. 86/89

87. Security of block ciphers “Provable” Security (3) ‒A block cipher may be shown to be provably secure against a known subclass of attacks. ‒Example: provable security against linear and differential cryptanalysis. ‒This does not mean that the cipher is secure against all attacks. 87/89

88. Security of block ciphers Practical Security ‒A block cipher is considered practically secure if the best known attack against it requires too much resources. ‒A very practical model: it is possible to test the cipher with different known attacks, and then give an assessment of its strength against such attacks in terms of time/space resources needed. ‒The model says nothing about the security level with respect to yet unknown attacks. 88/89

89. Security of block ciphers Historical Security ‒T ries to assess the security level of a block cipher according to how much cryptanalytic attention the cipher has attracted over the years. ‒If a cipher has been under scrutiny for many years without any serious security flaws found in it, that inspires a certain confidence in the cipher. ‒Drawback: the effort spent on breaking a cipher cannot always be measured reliably from the time passed. 89/89