Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers."— Presentation transcript:

1 Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers

2 Stream Ciphers Start with a secret key (“seed”) Generate a keying stream i-th bit/byte of keying stream is a function of the key and the first i-1 ciphertext bits. Combine the stream with the plaintext to produce the ciphertext (typically by XOR)

3 =  Example of Stream Encryption Key Ciphertext Stream Plaintext

4 Example of Stream Decryption =  Key Plaintext Stream Ciphertext

5 Real Cipher Streams Most pre-WWII machines German Enigma Linear Feedback Shift Register A5 – encrypting GSM handset to base station communication RC-4 (Ron’s Code)

6 Terminology Stream cipher is called synchronous if keystream does not depend on the plaintext (depends on key alone). Otherwise cipher is called asynchronous.

7 Current Example: RC-4 Part of the RC family Claimed by RSA as their IP Between 1987 and 1994 its internal was not revealed – little analytic scrutiny Preferred export status Code released anonymously on the Internet Used in many systems: Lotus Notes, SSL, etc.

8 RC4 Properties Variable key size stream cipher with byte oriented operations. Based on using a random looking permutation. 8-16 machine operations per output byte. Very long cipher period (over 10 100 ). Widely believed to be secure. Used for encryption in SSL web protocol.

9 RC-4 Initialization 1.j=0 2.S 0 =0, S 1 =1, …, S 255 =255 3.Let the key be (bytes) k 0,…,k 255 (repeating bits if necessary) 4.For i=0 to 255 j = (j + S i + k i ) mod 256 Swap S i and S j

10 RC-4 Key-stream Creation Generate an output byte B by: i = (i+1) mod 256 j = (j +S i ) mod 256 Swap S i and S j t = (S i + S j ) mod 256 B = S t B is XORed with next plaintext byte

11 Block Ciphers Encrypt a block of input to a block of output Typically, the two blocks are of the same length Most symmetric key systems block size is 64 In AES block size is 128 Different modes for encrypting plaintext longer than a block

12 Real World Block Ciphers DES, 3-DES AES (Rijndael) RC-2 RC-5 IDEA Blowfish, Cast Gost

13 ECB Mode Encryption (Electronic Code Book) P1P1 EkEk C1C1 P2P2 EkEk C2C2 P3P3 EkEk C3C3 encrypt each plaintext block separately

14 Properties of ECB Simple and efficient Parallel implementation possible Does not conceal plaintext patterns Active attacks are possible (plaintext can be easily manipulated by removing, repeating, or interchanging blocks).

15 CBC Mode Encryption (Cipher Block Chaining) P1P1 EkEk C1C1 P2P2 EkEk C2C2 P3P3 EkEk C3C3 S0S0 Previous ciphertext is XORed with current plaintext before encrypting current block. An initialization vector S 0 is used as a “seed” for the process. Seed can be “openly” transmitted.

16 Properties of CBC Asynchronous stream cipher Errors in one ciphertext block propagate Conceals plaintext patterns No parallel implementation known Plaintext cannot be easily manipulated. Standard in most systems: SSL, IPSec etc.

17 OFB Mode (Output FeedBack) An initialization vector s 0 is use as a ``seed'’ for a sequence of data blocks s i

18 Properties of OFB Synchronous stream cipher Errors in ciphertext do not propagate Pre-processing is possible Conceals plaintext patterns No parallel implementation known Active attacks by manipulating plaintext are possible

19 AES Proposed Modes CTR (Counter) mode (OFB modification): Parallel implementation, offline pre- processing, provable security, simple and efficient OCB (Offset Codebook) mode - parallel implementation, offline preprocessing, provable security (under specific assumptions), authenticity

20 Strengthening a Given Cipher Design multiple key lengths – AES Whitening - the DESX idea Iterated ciphers – Triple DES (3-DES), triple IDEA and so on

21 Triple Cipher - Diagram P E k1 C E k2 E k3

22 Iterated Ciphers Plaintext undergoes encryption repeatedly by underlying cipher Ideally, aach stage uses a different key In practice triple cipher is usually C= E k1 (E k2 (E k1 (P))) [EEE mode] or C= E k1 (D k2 (E k1 (P))) [EDE mode] EDE is more common in practice

23 Necessary Condition For some block ciphers iteration does not enhance security Example – substitution cipher Consider a block cipher: blocks of size b bits, and key of size k The number of all possible functions mapping b bits to b bits is (2 b ) 2 b

24 Necessary Condition (cont.) The number of all possible encryption functions (bijections) is 2 b ! The number of encryption functions in our cipher is at most 2 k. Claim: The bijections are a group G under the  operation (composition) Claim: If the encryptions of a cipher form a sub- group of G then iterated cipher does not increases security.

25 Meet in the Middle Attack Double ciphers are rarely used due to this attack Attack requires –Known plaintext –2 k+1 encryptions and decryptions –|k|2 |k| storage space A square root of trivial attacking time at the expense of storage

26 Meet in the Middle (cont.) Given a plaintext-ciphertext pair (p,c) –Compute & store the table of D k2 (c) for all k 2 takes 2 k decryptions, |k|2 |k| storage. –For every k 1, test if E k1 (p) is in table –Every hit gives a possible k 1,k 2 pair –May have to repeat several times Meet in the middle is applicable to any iterated cipher, reducing the trivial processing time by 2 k encryptions

27 Two or Three Keys Sometimes only two keys are used in 3- DES Identical key must be at beginning and end Legal advantage (export license) due to smaller overall key size Used as a KEK in the BPI protocol which secures the DOCSIS cable modem standard

28 Adversary’s Goals Final goal: recover key Intermediate goals: –Reduce key space –Discover plaintext patterns –Recover portions of plaintext –Change ciphertext to produce meaningful plaintext, without breaking the system (active attack)

29 Generic Attacks Exhaustive search –Type: ciphertext only –Time: 2 |k| decryptions per ciphertext –Storage: constant Table lookup –Type: chosen plaintext –Time: offline 2 |k| decryptions, online constant –Storage: 2 |k| ciphertexts

30 The Problem Break ECB mode (known fixed cleartext header) The idea: –Define f(k) = Enc k (constant) –Invert f(k) New Problem: Invert f

31 Time/Space Tradeoffs 1 st Simple solution: –Time 2 |k| - exhaustive search per message 2 nd Simple solution: –Precompute all 2 |k| values of f(k) –Store in lookup table (hash table) –Requires O(1) time per inversion –Requires space O(2 |k| )

32 Hellman (again): can we do better? If it so happened that f is a permutation: –Choose L=2 |k|/2 random start points s 1, …, s L –For every such point, compute t i =f(f(…f(s i )…)), repeated L times. –Store a lookup table of values (t i,s i ), i=1, …, L, indexed by t i.

33 Searching for k given f(k) Let s=x = f(k) Repeat until f(x) = s, if f(x) = s then x = k –If x = t i for some i, let x = s i –otherwise let x = f(x) Claim: for an arbitrary permutation and arbitrary k, the probability that this inverts k is constant

34 Why? Values of f(k) on a small cycle will be inverted Consider what happens when we add the i’th chain (s i, t i ): –If we cover a constant times L new values then we’re done –If not, assume that the previous chains have covered less than a constant of the L 2 values The uncovered values must themselves lie on chains whose average length is a constant times L (as all values lie on some chain) Thus, we have a constant probability of covering at least a constant fraction of L new values

35 All this does not work when f is not a permutation Hellman’s ingenious idea: –Don’t invert f(x), invert g(f(x)) for some known random function g. –Obviously, if you can invert g(f(x)) then you can invert f(x). –Note that if f is not a permutation then g(f) is not a permutation either

36 Inverting g(f(x)) Not a permutation: –Choose L=2 |k|/3 random start points s 1, …, s L –For every such point, compute t i =f(f(…f(s i )…)), repeated L times. –Store a lookup table of values (t i,s i ), i=1, …, L, indexed by t i. Claim: we cover by chains at least a constant fraction of L 2 = 2 2|k|/3 Consider the last chain added, we’ve covered at most 2 2|k|/3 values until now, so with constant probability, the new L=2 |k|/3 values on the new chain will be entirely new.

37 Hellman’s next idea Use many different g’s –Every g will cover a random 2 2|k|/3 set of values. –So, choose L=2 |k|/3 g’s Space required: L 2 = 2 2|k|/3 Time required: L 2 = 2 2|k|/3

Download ppt "Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers."

Similar presentations

Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.2 Secret Key Cryptography.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.2 Secret Key Cryptography.
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 6 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
Introduction to Modern Cryptography Makeup Class Symmetric Encryption:

Introduction to Modern Cryptography Makeup Class Symmetric Encryption:
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Similar presentations

Ads by Google