Presentation is loading. Please wait.

Presentation is loading. Please wait.

“It seems that our competence to secure the net cannot keep up with our desire to use it.” by ARJEN K. LENSTRA in ‘Securing the Net – The Fruits of Incompetence’,

Similar presentations


Presentation on theme: "“It seems that our competence to secure the net cannot keep up with our desire to use it.” by ARJEN K. LENSTRA in ‘Securing the Net – The Fruits of Incompetence’,"— Presentation transcript:

1 “It seems that our competence to secure the net cannot keep up with our desire to use it.”
by ARJEN K. LENSTRA in ‘Securing the Net – The Fruits of Incompetence’, published in First Monday, 1996, as of Nov 1, 2009

2 Stream Cipher Two Modes of Stream Cipher:
Streaming Cipher: encrypts data unit by unit, where a unit is of certain number of bits (Example: If the unit be a bit, a stream cipher encrypts data unit by unit. Or if the unit be a byte, it encrypts byte by byte) simpler and faster than block cipher; but less secure Two Modes of Stream Cipher: Synchronous Stream Cipher: Sender uses a key to encrypt. Receiver uses the same key to decrypt. Self-Synchronizing Stream Cipher: The key stream generator (KSG) generates a key, which depends upon the original key and the cipher output.

3 Key Stream Generator (KSG)
Pseudorandom Byte Generator Key Stream of bytes The stream of bytes cannot be determined, if the Key is not known. The stream is deterministic. The stream repeats after a long chain of bits.

4 Self-Synchronizing Stream Cipher
Plaintext  Stream of bytes Ciphertext In a stream Cipher, a key must not be repeated.

5 RC 4: Example of a Stream Cipher
RC4: A byte by byte encryption algorithm, used in SSL (Secure socket Layer) WEP (Wired Equivalent Privacy) Developed in 1987 by Ron Rivest for RSA Sept 1994: RC4 algorithm: Developed in 1987 by Ron Rivest for RSA

6 RC4: Key and the Temporary Vector
Key: 1 to 256 octets First byte of Key: K[0]; Second byte of key: K[1] …… No of bytes of key = kbytes A 256 byte Temporary vector: T[0] to T[255] If kbytes = 256, for i = 0 to 255, T[i] = K[i] If kbytes < 256, for i=0 to 255, T[i] = K[i mod kbytes]

7 RC4: The State Vector A 256 byte State vector: S[0] to S[255]
INITIALIZATION: For i = 0 to 255, S[i] = i Initial PERMUTATION of S: j = 0; For i = 0 to 255, j = (j + S[i] + T[i]) mod 256 Swap (S[i] and S[j]). After initial permutation, the key is not used.

8 Stream Encryption mth byte of Plaintext P[m] i = j = 0; m = 0
while (true){ i = (i + 1) mod 256; j = (j + S[i]) mod 256; swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t]; C[m] = P[m]  k; m = m }

9 Strength of RC4 For decryption, xor k with the next byte of ciphertext. For a key length of 128 bits or more, RC4 is secure. The weakness in WEP: due to the weakness of the protocol for key generation ( not due to weakness in RC4). Reference: Fluhrer, S.; Mantin, I.; and Shamir, A. “Weakness in the Key Scheduling Algorithm of RC4,” Proceedings, Workshop in Selected Areas of Cryptography, 2001

10 Symmetric Key Ciphers Symmetric key ciphers: efficient, secure
Problem: How to share a key securely between the sender and the receiver? If 100 persons want to send message securely to one another  4950 different keys are required (Reference: Niels Ferguson and Bruce Schneier ,” Practical Cryptography”, Wiley 2003)

11 Other Symmetric Ciphers
DES: ‘arguably the most widely used and successful encryption algorithm in the world’ (Reference: Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998, AES: October 2, 2000: RIJNDAEL selected as AES; issued as FIPS PUB 197 standard in Nov-2001 RC4: A Stream Cipher; Developed in 1987 by Ron Rivest for RSA; used in SSL and WEP Other Symmetric Ciphers: Blowfish: designed in 1993 by Bruce Schiener as a licence-free replacement for DES Five Finalists for the AES competition: MARS, RC6, RIJNDAEL, SERPENT, TWOFISH

12 AES Selection Process June 1998: 21 proposals
Aug 20, 1998: shortlisted to 15 proposals shortlist in Aug-99: MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin --academic Serpent (Euro) – slow (1/3rd the speed of AES), clean, highest security margin out of the 5 finalists --academic Twofish (USA) – complex, Feistel, DES-like structure; v. fast (as fast as AES), high security margin– key dependent S-boxes; Uses whitening: at both the start and the end of the cipger process, add key-material to data

13 BLOWFISH Blowfish (also known as puffer, globefish, or swellfish) is called fugu in Japanese. It blows itself up when threatened. The costliest and the ideal of gourmet dining, fugu is known to have a deadly poison (tetrodoxin) in its ovary and the liver. Only specially licensed cooks who know exactly how to cut up fugu are allowed to cook fugu. Tetrodoxin is 1250 times deadlier than cynide and has no known anti-dote. Reference: as of Nov 1, 2009

14 BLOWFISH 1993: designed by Bruce Schiener as a licence-free replacement for DES a Feistel Network, iterating a simple encryption function 16 times. a symmetric block cipher. It has a 64-bit block size a variable key length from 32 bits to 448 bits Uses simple operations that are efficient on microprocessors. e.g. exclusive-or, addition, table lookup (four indexed array data lookups per round), modular- multiplication.

15 BLOWFISH ….2 does not use variable-length shifts or bit-wise permutations, or conditional jumps.  Employs precomputable subkeys: On large-memory systems, these subkeys can be precomputed for faster operation. Not precomputing the subkeys will result in slower operation, but it should still be possible to encrypt data without any precomputations. It is significantly faster than most encryption algorithms when implemented on 32-bit microprocessors with large data caches.

16 BLOWFISH DES operates on Right Half whereas Blowfish: operates on Left Half of data (DES is designed for Big-Endians machines, whereas Blowfish is designed for Little endian; Intel processors are Little Endian. Little Endian: increasing numeric significance with increasing memory addresses or increasing time; The LSB is at the lowest address. The other bytes follow in increasing order of significance. Big Endian: MSB stored at the lowest address and the next byte value in significance is stored at the next memory location. ) Blowfish algorithm consists of two parts: key expansion and data encryption.

17 Blowfish Key Schedule Algorithm (Sub-Keys Generation Algorithm)
Data encryption consists of a simple function iterated 16 times. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. Blowfish uses a large number of subkeys. These keys must be precomputed before any data encryption or decryption.

18 Subkeys: The P-array consists of bit subkeys: P(1), P(2),..., P(18). There are four 32-bit S-boxes with 256 entries each: S1,0, S1,1,..., S1,255; S2,0, S2,1,..,, S2,255; S3,0, S3,1,..., S3,255; S4,0, S4,1,..,, S4,255.

19 Key Expansion Given a key of a maximum of 448 bits
Key Schedule: generates 18x x4x4 = 4168 bytes of subkeys Uses the fractional part of π. π = (Reference: as of Nov 1, 2009) To initialize 18 sub-keys and 4 S-boxes, we need 18*32 + 4*256*32 = = binary digits of, or 33,344/4 = 8,366 hex digits of π. fractional part of π in HEX digits: Multiply (π-3) with 16. The integral part will be 2. Subtract 2. Multiply the remainder with 16. The integral part will be 4. Subtract 4. Multiply the remainder with 16. The integral part will be 3. Subtract 3. Multiply the remainder with 16. The integral part will be 15. Subtract 15 (i.e.F). …..

20 Key Expansion Algorithm:
Given the key K (keysize= an integer multiple of 32 bits) 1. Repeat the key K to generate K’ of length 18x32 bits: K’ = (K K K K….) 2. Initialize first the P-array and then the four S-boxes, in order, with the hexadecimal digits of the fractional part of π (i.e. π - 3): P(1) = 0x243F6A88, P(2) = 0x85A308D3, P(3) = 0x13198A2E, P(4) = 0x , . S1 = (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0x D01ADFB7, 0xB8E1AFED, ……) 3. XOR P(1) with the first 32 bits of the key K’, XOR P(2) with the second 32-bits of the key, and so on for all the 18 P’s.

21 Key Expansion Algorithm: …2
Consider a 64-bit all zero data. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys P’s obtained in step (3) and S’s obtained in step (2). The output will be a 64-bit string. Replace P(1) and P(2) with the output of step (4). Encrypt the output of step (4) using the Blowfish algorithm with the subkeys, obtained after modification of step (5). Again we shall get a 64-bit string as the output. Replace P(3) and P(4) with the output of step (5). Continue the process, replacing all entries of the P array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm. In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times.

22 Blowfish Key Expansion Algorithm Process …3 Reference: P. K
Blowfish Key Expansion Algorithm Process …3 Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 394

23 Blowfish Data Encryption Algorithm
Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xL, xR. Then, for i = 1 to 16: xL = xL XOR P(i) xR = F(xL) XOR xR Swap xL and xR After the sixteenth round, swap xL and xR again to undo the last swap.

24 Data Encryption Algorithm Process first, second and the last rounds Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 392

25 Blowfish Data Encryption Algorithm ..3
Then, xR = xR XOR P(17) and xL = xL XOR P(18). Finally, recombine xL and xR to get the ciphertext. Decryption is exactly the same as encryption, except that P(1), P(2),..., P(18) are used in the reverse order.

26 Blowfish Round Function
ROUND FUNCTION F INPUTS: 32 bit data L S1[], S2[], S3[], S4[]:four 32-bit S-boxes with 256 entries each Divide L into four 8-bit parts: L = (a, b, c, d) Output B =( (S1[a] + S2[b] mod 232 )  S3[c] ) + S4[d] mod 232

27 Blowfish The Round Function Process ……. 2 Reference: P. K
Blowfish The Round Function Process …….2 Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 393

28 8366 HEX DIGITS of π - 3 Reference: http://www. herongyang
243F6A8885A308D313198A2E A F31D0082EFA98EC4E6C E638D01377BE5466CF34E90C6CC0AC29B7C97C50DD3F84D5B5B D5D98979FB1BD1310BA698DFB5AC2FFD72DBD01ADFB7B8E1AFED6A267E96BA7C9045F12C7F9924A19947B3916CF70801F2E2858EFC D871574E69A458FEA3F4933D7E0D95748F728EB658718BCD AEE7B54A41DC25A59B59C30D5392AF26013C5D1B F0CA417918B8DB38EF8E79DCB0603A180E6C9E0E8BB01E8A3ED71577C1BD314B2778AF2FDA55605C60E65525F3AA55AB E CA396A2AAB10B6B4CC5C341141E8CEA15486AF7C72E993B3EE FBC2A2BA9C55D741831F6CE5C3E169B87931EAFD6BA336C24CF5C7A B8F48986B4BB9AFC4BFE81B D809CCFB21A991487CAC605DEC8032EF845D5DE98575B1DC262302EB651B E81D396ACC50F6D6FF383F442392E0B4482A C8F04A9E1F9B5E21C66842F6E96C9A670C9C61ABD388F06A51A0D2D8542F68960FA728AB5133A36EEF0B6C137A3BE4BA3BF0507EFB2A98A1F1651D39AF017666CA593E82430E888CEE F9FB47D84A5C33B8B5EBEE06F75D885C A449F56C16AA64ED3AA62363F77061BFEDF72429B023D37D0D724D00A1248DB0FEAD349F1C09B075372C980991B7B25D479D8F6E8DEF7E3FE501AB6794C3B976CE0BD04C006BAC1A94FB6409F60C45E5C9EC2196A246368FB6FAF3E6C53B51339B2EB3B52EC6F6DFC511F9B30952CCC814544AF5EBD09BEE3D004DE334AFD660F E4BB3C0CBA85745C8740FD20B5F39B9D3FBDB5579C0BD1A60320AD6A100C6402C F25FEFB1FA3CC8EA5E9F8DB3222F83C7516DFFD616B152F501EC8AD0552AB323DB5FAFD B483E00DF829E5C57BBCA6F8CA01A87562EDF1769DBD542A8F6287EFFC3

29 8366 HEX DIGITS of π – …..2 AC6732C68C4F B27B0BBCA58C8E1FFA35DB8F011A010FA3D98FD2183B84AFCB56C2DD1D35B9A53E479B6F84565D28E49BC4BFB9790E1DDF2DAA4CB7E3362FB1341CEE4C6E8EF20CADA36774C01D07E9EFE2BF11FB495DBDA4DAE909198EAAD8E716B93D5A0D08ED1D0AFC725E08E3C5B2F8E7594B78FF6E2FBF2122B648888B812900DF01C4FAD5EA0688FC31CD1CFF191B3A8C1AD2F2F2218BE0E1777EA752DFE8B021FA1E5A0CC0FB56F74E818ACF3D6CE89E299B4A84FE0FD13E0B77CC43B81D2ADA8D9165FA CC A1477E6AD206577B5FA86C75442F5FB9D35CFEBCDAF0C7B3E89A0D6411BD3AE1E7E E2D2071B35E226800BB57B8E0AF BF009B91E D59DFA6AA78C14389D95A537F207D5BA202E5B9C CFA911C819684E734A41B3472DCA7B14A94A1B A532915D60F573FBC9BC6E42B60A47681E BA6FB5571BE91FF296EC6B2A0DD915B E7B9F9B6FF34052EC B02D5DA99F8FA108BA47996E85076A4B7A70E9B5B32944DB75092EC AD6EA6B049A7DF7D9CEE60B88FEDB266ECAA8C71699A17FF CC2B19EE A575094C29A E4183A3E3F54989A5B429D656B8FE4D699F73FD6A1D29C07EFE830F54D2D38E6F0255DC14CDD EB266382E9C6021ECC5E09686B3F3EBAEFC93C B6A70A1687F358452A0E286B79C5305AA E07841C7FDEAE5C8E7D44EC5716F2B8B03ADA37F0500C0DF01C1F040200B3FFAE0CF51A3CB574B225837A58DC0921BDD19113F97CA92FF F547013AE5E58137C2DADCC8B576349AF3DDA7A FD0030EECC8C73EA4751E41E238CD993BEA0E2F3280BBA1183EB3314E548B384F6DB9086F420D03F60A04BF2CB C79

30 8366 HEX DIGITS of π – …..3 5679B072BCAF89AFDE9A771FD B38BAE12DCCF3F2E F2E6B ADDE69F84CD877A DA17BC9F9ABCE94B7D8CEC7AEC3ADB851DFA C464C3D2EF1C D908DD433B3724C2BA1612A14D432A65C AE4DD71DFF89E10314E5581AC77D65F11199B043556F1D7A3C76B3C11183B5924A509F28FE6ED97F1FBFA9EBABF2C1E153C6E86E34570EAE96FB1860E5E0A5A3E2AB3771FE71C4E3D06FA2965DCB999E71D0F803E89D65266C8252E4CC9789C10B36AC6150EBA94E2EA78A5FC3C531E0A2DF4F2F74EA7361D2B3D F19C A708F71312B6EBADFE6EEAC31F66E3BC4595A67BC883B17F37D1018CFF28C332DDEFBE6C5AA AB9802EECEA50FDB2F953B2AEF7DAD5B6E2F841521B ECDD F151013CCA830EB61BD960334FE1EAA0363CFB5735C904C70A239D59E9E0BCBAADE14EECC86BC60622CA79CAB5CABB2F3846E648B1EAF19BDF0CAA02369B9655ABB A323C2AB4B3319EE9D5C021B8F79B540B19875FA09995F7997E623D7DA8F837889A97E32D7711ED935F E358829C7E61FD696DEDFA17858BA9957F584A51B B83C3FF1AC24696CDB30AEB532E30548FD948E46DBC312858EBF2EF34C6FFEAFE28ED61EE7C3C735D4A14D9E864B7E342105D14203E13E045EEE2B6A3AAABEADB6C4F15FACB4FD0C742F442EF6ABBB5654F3B1D41CD2105D81E799E86854DC7E44B476A3D816250CF62A1F25B8D2646FC8883A0C1C7B6A37F1524C369CB A0B5692B285095BBF00AD19489D1462B E D2A0C55F5EA1DADF43E233F F0928D937E41D65FECF16C223BDB7CDE3759CBEE F2A7CE77326EA F8509EE8EFD85561D99735A969A7AAC50C06C25A04ABFC800BCADC9E447A2EC FDD567050E1E9EC9DB73DBD CD

31 8366 HEX DIGITS of π – …..4 675FDA79E C5C E38D83D28F89EF16DFF20153E21E78FB03D4AE6E39F2BDB83ADF7E93D5A F7F64C261C F77602D4F7BCF46B2ED4A20068D F46A43B7D4B AF1E39F62E F74BF8B88404D95FC1D96B591AF70F4DDD366A02F45BFBC09EC03BD97857FAC6DD031CB850496EB27B355FD3941DA2547E6ABCA0A9A F40A2C86DAE9B66DFB68DC1462D EC0A427A18DEE4F3FFEA2E887AD8CB58CE0067AF4D6B6AACE1E7CD3375FECCE78A399406B2A4220FE9E35D9F385B9EE39D7AB3B124E8B1DC9FAF74B6D185626A36631EAE397B23A6EFA74DD5B E7F7CA7820FBFB0AF54ED8FEB ACBA A3A20838D87FE6BA9B7D096954B55A867BCA1159A58CCA E1DB33A62A4A563F3125F95EF47E1C CFDF8E F7080BB155C05282CE395C11548E4C66D2248C1133FC70F86DC07F9C9EE41041F0F404779A45D886E17325F51EBD59BC0D1F2BCC18F B A9C60DFF8E8A31F636C1B0E12B4C202E1329EAF664FD1CAD181156B2395E0333E92E13B240B62EEBEB92285B2A20EE6BA0D99DE720C8C2DA2F728D B794FD647D0862E7CCF5F05449A36F877D48FAC39DFD27F33E8D1E0A EFF743A6F6EABF4F8FD37A812DC60A1EBDDF8991BE14CDB6E6B0DC67B55106D672C372765D43BDCD0E804F1290DC7CC00FFA3B5390F92690FED0B667B9FFBCEDB7D9CA091CF0BD9155EA3BB132F88515BAD247B9479BF763BD6EB37392EB3CC E297F42E312D6842ADA7C66A2B3B12754CCC782EF11C6A124237B79251E706A1BBE64BFB63501A6B101811CAEDFA3D25BDD8E2E1C3C A121386D90CEC6ED5ABEA2A64AF674EDA86A85FBEBFE98864E4C3FE9DBC8057F0F7C BF DD1FD8346F6381FB07745AE04D736FCCC83426B33F01EAB71B C005E5F77A057BEBDE8AE24

32 8366 HEX DIGITS of π – …..5 BF582E614E58F48FF2DDFDA2F474EF388789BDC25366F9C3C8B38E74B475F25546FCD9B97AEB26618B1DDF84846A0E79915F95E2466E598E20B457708CD55591C902DE4CB90BACE1BB8205D011A A99EB77F19B6E0A9DC09662D09A1C E85A1F0209F0BE8C4A99A0251D6EFE101AB93D1D0BA5A4DFA186F20F2868F169DCB7DA FEA1E2CE9B4FCD7F E01A70683FAA002B5C40DE6D0279AF88C27773F8641C3604C0661A806B5F0177A28C0F586E AA30DC7D6211E69ED72338EA6353C2DD94C2C21634BBCBEE5690BCB6DEEBFC7DA1CE591D766F05E4094B7C A3D7C927C2486E3725F724D9DB91AC15BB4D39EB8FCED FCA5B5D83D7CD34DAD0FC41E50EF5EB161E6F8A28514D96C51133C6FD5C7E756E14EC4362ABFCEDDC6C837D79A EFA8E406000E03A39CE37D3FAF5CFABC277375AC52D1B5CB0679E4FA33742D BC9BBED5118E9DBF0F7315D62D1C7EC700C47BB78C1B6B21A19045B26EB1BE6A366EB45748AB2FBC946E79C6A376D26549C2C8530FF8EE468DDE7DD5730A1D4CD04DC62939BBDBA9BA4650AC9526E8BE5EE304A1FAD5F06A2D519A63EF8CE29A86EE22C089C2B843242EF6A51E03AA9CF2D0A483C061BA9BE96A4D8FE51550BA645BD62826A2F9A73A3AE14BA99586EF5562E9C72FEFD3F752F7DA3F046F6977FA0A5980E4A91587B086019B09E6AD3B3EE593E990FD5A9E34D7972CF0B7D9022B8B5196D5AC3A017DA67DD1CF3ED67C7D2D281F9F25CFADF2B89B5AD6B4725A88F54CE029AC71E019A5E647B0ACFDED93FA9BE8D3C48D283B57CCF8D E28785F0191ED756055F7960E44E3D35E8C15056DD488F46DBA03A F0BDC3EB9E153C9057A297271AECA93A072A1B3F6D9B1E6321F5F59C66FB26DCF D928B155FDF ABA3CBB C20AD9F8ABCC5167CCAD925F4DE DC8E379D F991EA7A90C2FB3E7BCE

33 8366 HEX DIGITS of π – 3 …..6 Extracted from the source code provided in BLOWFISH by MARKUS HAHN
5121CE64774FBE32A8B6E37EC3293D4648DE E680A2AE0810DD6DB DFD B39A460A6445C0DD586CDECF1C20C8AE5BBEF7DD1B588D40CCD2017F6BB4E3BBDDA26A7E3A59FF453E350A44BCB4CDD572EACEA8FA6484BB8D6612AEBF3C6F47D29BE463542F5D9EAEC2771BF64E E0D8DE75B1357F AF537D5D4040CB084EB4E2CC34D2466A0115AF84E1B A1D06B89FB4CE6EA0486F3F3B823520AB82011A1D4B277227F B1E7933FDCBB3A792B344525BDA08839E151CE794B2F32C9B7A01FBAC9E01CC87EBCC7D1F6CF0111C3A1E8AAC71A908749D44FBD9AD0DADECBD50ADA380339C32AC DF9317CE0B12B4FF79E59B743F5BB3AF2D519FF27D9459CBF97222C15E6FC2A0F91FC719B941525FAE59361CEB69CEBC2A BAA8D1B6C1075EE3056A0C10D25065CB03A442E0EC6E0E1698DB3B4C98A0BE3278E9649F1F9532E0D392DFD3A0342B8971F21E1B0A74414BA3348CC5BE7120C37632D8DF359F8D9B992F2EE60B6F470FE3F11DE54CDA541EDAD891CE6279CFCD3E7E6F1618B166FD2C1D05848FD2C5F6FB2299F523F357A A CCCD02ACF081625A75EBB56E D273CCDE B949D04C50901B71C65614E6C6C7BD327A140A45E1D006C3F27B9AC9AA53FD62A80F00BB25BFE235BDD2F B B6CBCF7CCD769C2B53113EC01640E3D338ABBD602547ADF0BA38209CF746CE7677AFA1C CBFE4E8AE88DD87AAAF9B04CF9AA7E1948C25C02FB8A8C01C36AE4D6EBE1F990D4F869A65CDEA03F09252DC208E69FB74E6132CE77E25B578FDFE33AC372E6

34 REFERENCES http://www.herongyang.com/crypto/cipher_blowfish.html

35 TWOFISH “Key dependent S-boxes are something new in a cipher design.”
Pawel Chodowiec, Kris Gaj, in ” Implementation of the Twofish Cipher Using FPGA Devices”, page 3, as of Nov 1, 2009 “There is no such thing as a key-dependent S-box, only a complicated multi-stage nonlinear function that is implemented as a key-dependent S-box for efficiency.” --Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, in ” Two fish: A 128-Bit Block Cipher”, page 57, , as of Nov 1, 2009

36 TwoFish is a block cipher by Counterpane Labs, designed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, published in 1998. one of the five Advanced Encryption Standard (AES) finalists, and was not selected as AES. unpatented, and the source code is uncopyrighted and license-free; uses Feistel structure has a 128-bit block size, a key size of 128, 192 or 256 bit

37 TwoFish optimized for 32-bit CPUs. On most software platforms Twofish is slightly slower than Rijndael for 128-bit keys, but somewhat faster for 256-bit keys. Has a key schedule that can be precomputed for maximum speed, or computed on- the-fly for maximum agility and minimum memory requirements. suitable for dedicated hardware applications: e.g. it has no large tables. a block cipher, which can also be used as a stream cipher, one-way hash function, MAC and pseudo-random number generator. (Reference: B. Schneier and D. Whiting,” A Performance Comparison of the Five AES Finalists”,

38 Components used by TwoFish
four different 8-by-8-bit S-boxes: pre-computed and key-dependent built using two fixed 8-by-8-bit permutations and key material. Key-dependent MDS (maximum distance separable) matrix: Notes: 1. During encryption, the four bytes output from the four S-boxes is multiplied by a 4- by-4 MDS matrix over GF(28). This matrix multiply is the principal diffusion mechanism in Twofish. 2. For software implementation on a modern microprocessor, the MDS matrix multiply is normally implemented using four lookup tables, each consisting of bit words, so the particular coefficients used in the matrix do not affect performance.

39 Components used by TwoFish …2
3. 32-bit Pseudo-Hadamard transform (PHT) to mix the outputs from its two parallel 32-bit g functions. This PHT can be executed in two opcodes on most modern microprocessors, including the Pentium family. 4. Whitening: the technique of xoring key material before the first round and after the last round Twofish xors a subkey before the first Feistel round, and another sub- key after the last Feistel round. These subkeys are calculated in the same manner as the round subkeys, but are not used anywhere else in the cipher. 5. Key: Twofish can accept keys of any byte length up to 256 bits. For key sizes, other than the three defined sizes of 128, 192 and 256 bits, the key is padded at the end with zero bytes to the next larger length that is defined. For example, an 80-bit key m0; : : : ;m9 would be extended by setting mi = 0 for i = 10; : : : ; 15 and treating it as a 128-bit key.

40 Writing plaintext of 128 bits as four 32-bit words
The plaintext is split into four 32-bit words. The 16 bytes of plaintext p0; : : : ; p15 are first split into 4 words P0; : : : ; P3 of 32 bits each using the little-endian convention. P0 = p p p p0.20 P1 = p p p p4.20 P2 = p p p p8.20 P3 = p p p p12.20 Similarly the given key is used to generate 32-bit sub-keys. The sub-keys are generated in pairs: K2i and K2i + 1 for i = 0 to i = n, where the value of n is defined in a later slide to be 19.

41 Data Encryption Algorithm
1. Input Whitening step: The four data words Po …. P3 are xored with four key words. R0,i = Pi  Ki i =0…3 The 16 Rounds use the function F. 2. Round # 0: Function F has inputs of r = 0, R0,0 and R0,1 where r = Round # Function F has two outputs called F0,0 and F0,1 Round # r: for 0 ≤ r ≤ 15 For the r-th round, the inputs would be r, Rr,0 and Rr,1 Function F has 3 steps for Rr,0 and 4 steps for Rr,1. Function F has two outputs called Fr,0 and Fr,1 Fr,0, Fr,1 = F(Rr,0, Rr,1, r)

42 Outputs of round r: Rr+1,0 = ROR(Fr,0 Rr,2 , 1) where ROR(*,1) means a rotation to the right by one bit.  Rr+1,1 = ROL(Rr,3 , 1)  Fr,1 Rr+1,2 = Rr,0 Rr+1,3 = Rr,1 These will be the inputs for the next ( i.e. the (r+1)st) round. Note: The next slide shows the Data Encryption Algorithm process. Reference: Figure 1, page 6 from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998,

43

44 Data Encryption Algorithm ….2
3. Undo the last swap of the 15th round. 4. Output Whitening: Ci = = R16.(i+2)mod4  Ki+4 i =0…3 5. The four words of ciphertext are then written as 16 bytes c0; : : : ; c15 using the same little-endian conversion used for the plaintext. ci =

45 Twofish Decryption Decryption process: 1. Apply subkeys in the reverse order. 2. Since we are moving from C (ciphertext) towards P (Plaintext), some of the processes have to be re-adjusted a little, as shown in the Figure on the next slide.

46 Differences between the Twofish Encryption and Decryption processes
(a) Encryption (b) Decryption

47 FUNCTION F The function F is a key-dependent permutation on 64-bit values. INPUTS: two 32-bit input words R0 and R1, and the round number r Note: r is used to select the appropriate subkeys. R0 is passed through the g function, which yields T0. R1 is rotated left by 8 bits and then passed through the g function to yield T1. T0 = g(R0) T1 = g(ROL(R1; 8)) The results T0 and T1 are then combined in a PHT and two words of the expanded key are added. F0 = (T0 + T1 + K2r+8) mod 232 F1 = (T0 + 2T1 + K2r+9) mod 232 where (F0; F1) is the result of F.

48 FUNCTION g 1. The INPUT word X is split into four bytes x0, x1, x2 and x3. 2. Each byte is run through its own key-dependent S-box to produce 8 bits of output. yi = Si[xi] for i = 0…..3  3. The four results are interpreted as a vector of length 4 over GF(28), and multiplied by the 4x4 MDS matrix (using the field GF(28) for the computations). y] = (y0, y1, y2, y3) z] = (z0, z1, z2, z3) z] = [MDS] y] The resulting vector z] is interpreted as a 32-bit word which is the OUTPUT of g. Z = z z z z3.28.3

49 Notes about FUNCTION g ….2
We represent GF(28) as GF(2)[x]/v(x) where v(x) = x8+x6+x5+x3+1 is a primitive polynomial of degree 8 over GF(2). Addition in GF(28) corresponds to a xor of the bytes. The MDS matrix is given by: where the elements have been written as hexadecimal byte values using the above defined correspondence.

50 Two Fish KEY SCHEDULE: Using the given key to define three vectors
The key schedule has to generate 40 words of expanded key K0; : : : ;K39 (4 words each for initial and the last whitening plus 2 words each for each of the 16 rounds. ) the 4 key-dependent S-boxes used in the g function. Designed for keys of length N = 128, N = 192, and N = 256. Keys of any length shorter than 256 bits can be used by padding them with zeroes until the next larger designed key length. Let k = N/64. Thus k may have a value of 2, 3 or 4. Each vector will have k elements. Each element is of 32-bits.

51 Two Fish KEY SCHEDULE Using the given key to define three vectors …….2
The given key M consists of 8k bytes ( ie 16, 24 or 32) m0; : : : ;m8k-1. The bytes are first converted into 2k (ie 4, 6 or 8) words of 32 bits each, called M0, M1, M2, M3 … and then into two word vectors of length k. Me = (M0, M2, ……;M2k-2) Mo = (M1, M3 ….M2k-1) A third word-vector S of length k is also derived from the key. For i = (k-1) …0, each 32-bit word Si is computed as follows: Take the key bytes in groups of 8, interpreting them as a 8x1 vector mi] over GF(28). Generate a 4x1 vector si] as follows: si] = [RS]. mi] where RS is a 4x8 matrix derived from the Reed–Solomon code. Consider the 4 byte-elements of si] into a 32-bit word Si

52 Two Fish KEY SCHEDULE Using the given key to define three vectors …..3
si] = [RS]. mi] where si] is a 4x1 vector. si] = (si,0, si,1, si,2, si,3) Note: si,3 is the MSB. [RS] is a 4x8 matrix mi] is a 8x1 vector with key bytes. mi]= (m8i, m8i+1, ……..m8i+7 ) with i varying from 0 to (k-1).  si] will yield 4 bytes, which can be combined into a 32-bit word Si Example: A key of 128 bits has 16 bytes and two words S0 and S1 will be created by this process.

53 Two Fish KEY SCHEDULE Using the given key to define three vectors …..4
The 32-bit words Si can be put together in a word-vector S as follows: S = (Sk-1; Sk-2; : : : ; S0) Note that S lists the words in “reverse" order. For the RS matrix multiply, GF(28) is represented by GF(2)[x]/w(x), where w(x) = x8+x6+x3+x2+1 is another primitive polynomial of degree 8 over GF(2).  The three vectors Me, Mo and S are used for generating sub-keys.

54 Key Expansion K2i and K2i+1
Me and Mo: word-vectors, as defined in slide 50. derived directly from the given key For a 128-bit key, for example, M3, M2, M1 and M0 are 32-bit parts, where M3 is the MS 32 bits and M0 is the LS 32 bits Using h Function: ρ = Ai = h(2i ρ; Me) Bi = ROL(h((2i + 1).ρ;Mo); 8) The constant ρ: used here to duplicate bytes; it has the property that for i = 0; : : : ; 255, the word i ρ consists of four equal bytes, each with the value i.

55 Key Expansion K2i and K2i+1 …….2
The values Ai and Bi are combined in a PHT. (The second value is rotated by 9 bits.) K2i = (Ai + Bi) mod 232 K2i+1 = ROL((Ai + 2Bi) mod 232; 9) K2i and K2i+1 form two words of the expanded key. By choosing i =0 to i = 19, all the 40 values of 32-bit sub-keys can be generated. Note: The function h uses two byte-substitution boxes, called q0 and q1, as shown on the next slide for an example of a 128-bit key.

56 Key Expansion Process for a 128-bit key Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 6, as of Nov 1, …………3

57 FUNCTION h: for a key of length 64.k
INPUT: A 32-bit word X and a word-vector L] = (…….L1, L0) of length k OUTPUT: A 32-bit word Z PROCESS of h: k stages of the Function h: Each stage: The four bytes of X are each passed through a fixed Byte-Substitution-box, and xored with a byte derived from L]. After the k-stages: Finally, the bytes are once again passed through a fixed Byte-Substitution-box and the four bytes are multiplied by the MDS matrix just as in g. The output of this product is a 4-element byte-vector z]. OUTPUT:

58 FUNCTION h: for a key of length 64.k …2
X is divided into 4 bytes yk,0, yk,1, yk,2, yk,3. Similarly Li is divided into 4 bytes li,0, li,1, li,2, li,3. If k = 4 we have y3;0 = q1[y4;0]  l3;0 y3;1 = q0[y4;1]  l3;1 y3;2 = q0[y4;2]  l3;2 y3;3 = q1[y4;3]  l3;3 If k ≥ 3 we have y2;0 = q1[y3;0]  l2;0 y2;1 = q1[y3;1]  l2;1 y2;2 = q0[y3;2]  l2;2 y2;3 = q0[y3;3]  l2;3

59 FUNCTION h: for a key of length 64.k ….3
In all cases we have y0 = q1[q0[q0[y2;0]  l1;0]  l0;0] y1 = q0[q0[q1[y2;1]  l1;1]  l0;1] y2 = q1[q1[q0[y2;2] l1;2]  l0;2] y3 = q0[q1[q1[y2;3]  l1;3]  l0;3] Here q0 and q1 are fixed permutations on 8-bit values that we will define shortly. The resulting 4x1 vector of yi's is multiplied by the MDS matrix, just as in the g function to yield a new 4x1 vector z]. y] = (y0, y1, y2, y3) z] = (z0, z1, z2, z3) y3 is the MSB in the above vector. z] = [MDS] y] OUTPUT: 32-bit word Z –formed from z], as shown in slide 56.

60 FUNCTION h process: for a key of length 64. k …
FUNCTION h process: for a key of length 64.k ….4 Reference:Figure 2, page 9 from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998, Xa

61 FUNCTION h process: for a key of length 64.k ….5
Xa

62 FUNCTION h: for a key of length 64.k ….6
Notes: The multiplication is performed (byte by byte) in the Galois field GF (28). The primitive polynomial is x8 + x6 + x5 + x3 + 1. where the MDS matrix is given by: OUTPUT: A 32-bit word Z formed by concatening 4 bytes of the vector z].

63 The Permutations q0 and q1
The permutations q0 and q1 are fixed permutations on 8-bit values. They are constructed from four different 4-bit permutations each. INPUT value x, we define the corresponding OUTPUT value y as follows: Split the INPUT byte x into two nibbles: a1 = a0  b0 b1 = a0  ROR4(b0; 1)  8 a0 mod 16 Each nibble is passed through its own 4-bit fixed S-box: a2; b2 = t0[a1]; t1[b1] a3 = a2 b2 b3 = a2  ROR4(b2; 1)  8 a2mod 16 Again using the 4-bit fixed S-boxes: a4; b4 = t2[a3]; t3[b3] OUTPUT: Combine the two nibbles a4 and b4 into a byte: y = 16 b4 + a4

64 Permutation q: Use appropriate t0, t1, t2 and t3 for q0 and q1
Permutation q: Use appropriate t0, t1, t2 and t3 for q0 and q1. Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 4, as of Nov 1, 2009

65 The Permutations q0 and q1 ……..2
ROR4 rotates 4-bit values. For the permutation q0 the 4-bit S-boxes are given by t0 = [ D 6 F B 5 9 E C A 4 ] t1 = [ E C B F 4 A D ] t2 = [ B A 5 E 6 D 9 0 C 8 F ] t3 = [ D 7 F E 9 B C A ] where each 4-bit S-box is represented by a list of the entries using hexadecimal notation. (The entries for the inputs 0; 1; : : : ; 15 are listed in order.) Similarly, for q1 the 4-bit S-boxes are given by t0 = [ 2 8 B D F 7 6 E A C 5 ] t1 = [ 1 E 2 B 4 C D A 5 F ] t2 = [ 4 C A 0 E D 8 2 B 3 F ] t3 = [ B C 3 D E F A ]

66 Key dependent S-boxes Y = S[X] where both X and Y are 32 bit words.
Function h is used for generating Y from X. Function h: INPUT: A 32-bit word X and a word-vector L] = (…….L1, L0) of length k OUTPUT: A 32-bit word Z L] = S] Note: S] is obtained in slide 52. Y = S[X] = h(X, S]) That is, for i = 0; : : : ; 3, the key-dependent S-box Si is formed by the mapping from xi to yi in the h function.

67 Key dependent S-boxes for a 128-bit key ( i.e. k = 2)
Split X into four bytes a, b, c, d. X1 =( q0[a], q1[b], q0[c], q1[d]) X2= X1 s s0 and s1 are from slide 51 Split X2 into four bytes a2, b2, c2, d2. X3 =( q0[a2], q0[b2], q1[c2], q1[d2]) X4= X3 s1

68 Key dependent S-boxes for a 128-bit key ( i.e. k = 2) ………2
Split X4 into four bytes a4, b4, c4, d4. (a5, b5, c5, d5) =( q1[a4], q0[b4], q1[c4], q0[d4]) The four S-boxes are given as follows: a5 = q1[a4] = S0[a] b5 = q0[b4]= S1[b] c5 = q1[c4] = S2[c] d5 = q0[d4]= S3[d] From slide 51 s0 = (s00, s01, s02, s03) s1 = (s10, s11, s12, s13)

69 Key dependent S-boxes for a 128-bit key ………3

70 Key dependent S-boxes for a 128-bit key Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 4, as of Nov 1, 2009 …4

71 Serpent “ Finally, we considered making available cognate algorithms with the same structure as Serpent but with block sizes of (say) 64, 256 and 512 bits. In the end we decided not include these in our submission for a number of reasons, of which by far the most important was that we …..did not have the resources to test variants with other block lengths with the thoroughness that would have been appropriate.” ---Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson, ” Two fish: A 128-Bit Block Cipher”, 15 June 1998, , as of Nov 1, 2009

72 Serpent Encryption Algorithm Introduction
one of the five finalists of the AES contest a 128-bit symmetric key block cipher supports key sizes of 128-bits, 192-bits and 256-bits 32 round substitution-permutation network For internal computation, all values are represented in little-endian, where the first word (word 0) is the LS-word, and the last word is the MS-word, and where bit 0 is the LS-bit of word 0. 16-round Serpent is as secure as triple-DES, and twice as fast as DES; 32-round Serpent is even more secure than triple-DES, and is as fast as DES. (Reference: page 4 as of 1st Nov 2009)

73 Serpent The Algorithm an initial permutation 32 rounds: In each round,
works on four 32-bit words Key-mixing operation applies one of its eight 4-bit to 4-bit S-boxes, 32 times, in parallel A linear transformation (except for the last round, where the transformation is substituted with an additional mixing operation) a final permutation FP (which is the inverse of IP). Note: Each of the eight substitution boxes is used in 4 rounds.

74 Serpent The Key The given key length: 128, 192 or 256 bits;
short keys with less than 256 bits are mapped to full-length keys of 256 bits by appending one “1" bit to the MSB end, followed by as many “0" bits as required to make up 256 bits. Generates bit subkeys K0; : : : ; K32.

75 Serpent The Notation The initial permutation IP: Bo = IP(P), where P is the plaintext The rounds 0 to 31: First (0th) Round: B1 = R0(B0), i-th round: Bi+1 = Ri(Bi) for i = 0 to 30 last (31st) round (in which the linear transformation is replaced by an additional key mixing): B32 = R31(B31) The Final permutation FP: C = FP(B32), where C is the ciphertext. Ri (X) = L(Si mod8(X  Ki) for i = 0 to 30, where L is a linear transformation R31 (X) = Si mod8(X  Ki)  K32 for i = 31

76 S-Boxes Reference: http://www. cl. cam. ac. uk/~rja14/Papers/serpent
S-Boxes Reference: page 21 as of 1st Nov 2009 Starting with the 32-rows of DES S-boxes, the S-boxes for Serpent were created so that the resulting array has the desired -differential and linear- properties: S0: S1: S2: S3: S4: S5: S6: S7:

77 Inverse S-Boxes Reference: http://www. cl. cam. ac
Inverse S-Boxes Reference: page 21 as of 1st Nov 2009 InvS0: InvS1: InvS2: InvS3: InvS4: InvS5: InvS6: InvS7:

78 Linear Transformation (LT)
For i = 0 to 30: The four 32-bit output words from the substitution box in a round are linearly mixed using LT: INPUT for LT: X0;X1;X2;X3 := Si(Bi  Ki) LT: X0 := ROL(X0; 13); X2 := ROL(X2; 3) X1 := X1  X0  X2; X3 := X3  X2  ShL(X0; 3) X1 := ROL(X1 ;1); X3 := ROL(X3; 7) X0 := X0  X1  X3; X2 := X2  X3  ShL (X1; 7) X0 := ROL(X0; 5); X2 := ROL(X2 ; 22) OUTPUT from LT: Bi+1 := X0; X1; X2; X3 For i = 31: B32 := S7(B31  K31)  K32

79 Key Schedule Requirement: 132 2-bit words of subkeys.
Padding: If the given key is less than 256 bits, append one “1" bit to the MSB end, followed by as many “0" bits as required to make up 256 bits Write this 256-bit key as eight 32-bit words as w−8, , w−1 Expand the eight 32-bit words into 132 intermediate keys (called pre-keys) by the following affine recurrence for i = 0 to 131: wi := ROL((wi−8  wi−5  wi−3  wi−1  ɸ  i);11) where ɸ = golden ratio = or 0x9e3779b9. The underlying polynomial x8 + x7 + x5 + x3 + 1 is primitive.

80 Key Schedule …..2 Use S-boxes to get 33 round keys as follows:
Renumber to get 128-bit subkeys Ki for i from 0 to 32:

81 Decryption For Decryption:
The inverse of the S-boxes must be used in the reverse order. The inverse linear transformation must be used. The subkeys must be used in the reverse order.


Download ppt "“It seems that our competence to secure the net cannot keep up with our desire to use it.” by ARJEN K. LENSTRA in ‘Securing the Net – The Fruits of Incompetence’,"

Similar presentations


Ads by Google