Conventional Encryption: Algorithms

Presentation on theme: "Conventional Encryption: Algorithms"— Presentation transcript:

Conventional Encryption: Algorithms
Some of the most important symmetric block ciphers in current use Triple DES IDEA Blowfish RC5 CAST-128 RC2

Multiple Encryption with DES
Triple DES Multiple Encryption with DES Double DES C = EK2[EK1[P]]; D = DK1[DK2[C]] 112 bit key is safe from brute force attack Need to examine if  K3 s.t. EK2[EK1[P]] = EK3[P] The answer is No!! (Proved in 1992) # of mappings between 64-bit blocks = 264! = DES defines one mapping for each different key, for a total # of mappings: 256 <1017 If DES is used twice with different keys, it will produce one of the many mappings that is not defined by a single application of DES

Meet In The Middle Attack
Triple DES Meet In The Middle Attack Let X = EK1(P). Clearly X = DK2(C) Given a known <P, C>, construct a table of size 256 with all values of K1 and EK1(P) Sort on EK1(P) Now decrypt C with all values of K2. Check all results against table Any match is a candidate <K1, K2> pair If this pair is checked with another plaintext-ciphertext pair, it can be determined with the probability (If this pair is correct with another plaintext-ciphertext pair, it is a correct key with the probability ) Total effort is O(256), not 2112 (Not much better than the 255 required for single DES)

Triple DES C = EK3(DK2(EK1(P)))
No cryptographic significance to middle decrypt operation backwards compatible with existing single DES (K1 = K2 = K3) Two-key Triple DES (K1 = K3) or three-key triple DES Security of Triple DES no known practical attacks brute force search impossible meet-in-the-middle attacks need 256 plaintext-ciphertext pairs per key A popular current alternative Major disadvantage is speed (3x slower)

International Data Encryption Algorithm (IDEA)
Xuejia Lai and James Massey, ETH (Swiss Federal Institute of Technology), 1991 Patented patent is held by Ascom-Tech Non-commercial use of IDEA is free. Commercial licenses can be obtained by contacting Ascom-Tech Used in PGP 128-bit key, 64-bit block Variant Feistel network (not Feistel) Eight rounds + final transformation

IDEA IDEA Basic Operations Uses three operations. Each operation is performed on two 16-bit inputs to produce a single 16-bit output Bit-by-bit XOR (  ) (Unsigned 16-bit integers) addition modulo ( ) (Unsigned 16-bit integers) multiplication modulo (except that a block of all zeros is treated as representing (  ) Three operations are incompatible in the sense that No pair of the three operations satisfies a distributive law. e.g., a (b  c)  (a b)  (a c) No pair of the three operations satisfies an associative law. e.g., a (b  c)  (a b)  c In IDEA, confusion is achieved by using these three separate operations in combination Provides a complex transformation of the input, making cryptanalysis much more difficult (than with a DES which uses just a single XOR)

IDEA Basic Operations - Examples
Examples for 2-bit operands

IDEA Basic Building Block, MA
Basic building block is the Multiplication/Addition (MA) structure F1,F2: Two 16-bit values derived from the plaintext Z5,Z6: Two 16-bit subkeys derived from the key G1,G2: Two 16-bit outputs In IDEA, diffusion is provided by MA Each output bit depends on every bit of inputs (plaintext-derived inputs and subkey inputs) This MA structure is repeated eight times, providing very effective diffusion

Overall IDEA Encryption Structure

Single Round of IDEA (1st Round)
Transformation Sub-encryption

Output Transformation Stage of IDEA

Subkey Generation 52 16-bit subkeys are generated from the 128-bit key
IDEA Subkey Generation 52 16-bit subkeys are generated from the 128-bit key The first eight subkeys, Z1, Z2, …, Z8, are taken directly from the key Then a circular left shift of 25 bit positions is applied to the key, and the next eight keys are extracted. This procedure is repeated until all 52 subkeys are generated

IDEA IDEA Decryption Use the same structure (algorithm) as the encryption, but with different subkeys Decryption subkeys U1, …, U52 are derived from encryption subkeys

Encryption and Decryption Subkeys
IDEA Encryption and Decryption Subkeys Zj-1: multiplicative inverse; Zj  Zj-1 = 1 -Zj : additive inverse; -Zj Zj = 0

Blowfish Designed by Bruce Schneier, 1993
Freely available (Unpatented; Royalty-free; No license required; Free source code available) Used in SSH, OpenBSD, IPSec Block cipher: 64-bit block Variable key length; 32 bits to 448 bits Fast encryption (much faster than DES and IDEA) Compact Simple

Subkey and S-Box Generation
Blowfish Subkey and S-Box Generation The key ranging from 32 bits to 448 bits (1 to bit words) is stored in a K-array: K1, K2, …, Kj  j  14 The bit subkeys are stored in the P-array: P1, P2, …, P18 There are 4 S-boxes, each with 8x32(=256) 32-bit entries P-array and then 4 S-boxes are initialized with fractional part of : S1,0, S1,1, …, S1,255 S2,0, S2,1, …, S2,255 S3,0, S3,1, …, S3,255 S4,0, S4,1, …, S4,255 P1= 243F6A8816 P2= 85A308D316    S4,254= 578FDFE316 S4,255= 3AC372E616

Subkey and S-Box Initialization
Blowfish Subkey and S-Box Initialization P-array is XORed with K-array (reusing K-array if necessary): P1 = P1  K1, P2 = P2  K2, …, Pj = Pj  Kj, Pj+1 = Pj+1  K1, Pj+2 = Pj+2  K2, … Then update P-array and S-boxes as follows: Where EP,S[Y] is the ciphertext produced by encrypting Y using Blowfish with the P and S arrays 521 executions in total are required to produce the final P and S arrays P1, P2 = EP,S[0] P3, P4 = EP,S[P1 || P2]    P17, P18 = EP,S[P15 || P16] S1,0, S1,1 = EP,S[P17 || P18] S4,254, S4,255 = EP,S[P4,252 || P4,253]

Blowfish Encryption/Decryption
Slight variant of classic Feistel network L and R are both processed in each round 16 rounds Two extra XORs at the end

Single Blowfish Round Uses addition modulo 232 and XOR
Round function processes four bytes F(a, b, c, d) = ((S1,a + S2,b)  S3,c) + S4,d Followed by Feistel swap

Characteristics of Blowfish
Key-dependent S-Boxes Operations are performed on both halves of data Time-consuming subkey generation process Makes it bad for rapid key switching, but makes brute force expensive Perfect avalanche effect Fast

RC5 RC5 Designed by Ronald Rivest (MIT Prof.) for RSA Data Security Secret-key block cipher Parameterized algorithm Features Data-dependent rotations Variable block size Variable key size Variable number of rounds

Motivations Suitable for hardware and software Fast
RC5 Motivations Suitable for hardware and software Fast Adaptable to processors of different word lengths Variable number of rounds Variable-length key Simple Low memory usage High security Emphasis of data-dependent rotations

Parameterization RC5 is word-oriented Representation
Two-word input and two-word output Representation Word size: w (16,32,64) Number of rounds: r (0,1, …, 255) Number of bytes in key K: b (0,1, …, 255) RC5 algorithm notation: RC5-w/r/b RC5 algorithm example: RC5-32/16/7 Similar to DES Two 32-bit word inputs and outputs 16 rounds 7-byte (56-bit) key RC5-32/12/16 “nominal” version

RC5 Key Expansion RC5 performs complex operations on the secret key to generate a total of t subkeys, which are stored in S array, S[0],S[1], …, S[t-1] Each subkey is one word (w bits) in length Two subkeys are used in each round, and two more subkeys are used outside the r-round  t = 2r+2 In key expansion, magic constants are used Pw = Odd((e - 2)2w); e= …. (base of natural logarithms) Qw = Odd(( - 1)2w); = …. (golden ratio = (1+sqr(5))/2) Odd(x): odd integer nearest to x Example w Pw B7E1 B7E B7E151628AED2A6B Qw 9E37 9E3779B9 9E3779B97F4A7C15

Key Expansion Algorithm
RC5 Key Expansion Algorithm Step-1: Convert secret key bytes to words b byte key K, (K[0], K[1], …, K[b-1]) is converted to word array L[0], L[1], …, L[c-1] Step-2: Initialize subkey array S (S[0], S[1], …, S[t-1]) S[0] = Pw; for i=1 to t-1 do s[i] = s[i-1] + Qw; Step-3: Mix the secret key into subkey array S i=j=X=Y=0; Do 3*max(t, c) times: X=S[i]=(S[i]+X+Y)<<<3; Y=L[j]=(L[j]+X+Y)<<<(X+Y); i=(i+1) mod t; j=(j+1) mod c; Note: <<<  cyclic rotate left

RC5 RC5 Key Expansion

RC5 Encryption RC5 uses 3 primitive operations Encryption
Addition, Subtraction (of words): modulo 2w Bitwise XOR Left, right circular rotation Encryption LE0 = A + S[0]; RE0 = B + S[1]; for i = 1 to r do LEi = ((LEi-1  REi-1) <<< REi-1) + S[2i]; REi = ((REi-1  LEi) <<< LEi) + S[2i+1];

RC5 Decryption for i = r downto 1 do
for i = r downto 1 do RDi-1 = ((RDi – S[2i+1] >>> LDi)  LDi) ; LDi-1 = ((LDi – S[2i] >>> Rdi-1)  RDi-1) ; B = RD0 - S[1]; A = LD0 - S[0];

CAST-128 Developed by Carlisle Adams and Stafford Tavares
Used in IPSec 64-bit block, 40- to 128-bit keys (in 8-bit increments) Classical Feistel network structure Sixteen rounds Two subkeys per round, one 32-bit (Kmi), one 5-bit (Kri) Three different round functions Four operations: addition(+) and subtraction(-) modulo 232, XOR, and (variable) circular left rotate (<<<) 5-bit subkey (Kri) determines rotate amount Encryption Decryption: same as encryption with the keys applied in reverse order L0||R0 = Plaintext for i = 1 to 16 do Li = Ri-1 Ri = Li-1  Fi[Ri-1, Kmi, Kri]; Ciphertext = L16||R16

CAST-128 Round Function F Definition of F  I Ia Ib Ic Id
Rounds 1,4 I=(Kmi+ Ri-1)<<<Kri) 7,10,13,16 F=((S1[Ia]S2[Ib])-S3[Ic])+S4[Id] Rounds 2,5 I=(KmiRi-1)<<<Kri) 8,11, F=((S1[Ia]-S2[Ib])+S3[Ic])S4[Id] Rounds 3,6 I=(Kmi-Ri-1)<<<Kri) 9,12, F=((S1[Ia]+S2[Ib])S3[Ic])-S4[Id]

CAST-128 S-Boxes CAST-128 uses 8 S-boxes
Four of these, S-box 1 thru S-box 4 are used in the encryption/decryption process S-box 5 thru S-box 8 are used in the subkey generation S-boxes contain fixed (predefined) values Each S-box contains bit values

CAST-128 Subkey Generation
Label the 128-bit (16-byte) key as: x0x1x3x4x5x6x7x8xAxBxCxDxExF Symbol Definitions Km1, …, Km16 Sixteen 32-bit masking subkeys (one per round) Kr1, …, Kr16 Sixteen 32-bit rotate subkeys (one per round), of which only the least significant 5 bits of each are used z0, …, zF Intermediate (temporary) bytes K1, …, K32 Intermediate (temporary) words K1 thru K32 are calculated from the key using S-boxes 5 thru 8 (See next pages) Then subkeys are defined as for i = 1 to 16 do Kmi = Ki; Kri = K16+i;

CAST-128 Subkey Generation
z0z1z2z3 = x0x1x2x3  S5[xD]  S6[xF]  S7[xC]  S8[xE]  S7[x8] z4z5z6z7 = x8x9xAxB  S5[z0]  S6[z2]  S7[z1]  S8[z3]  S8[xA] z8z9zAzB = xCxDxExF  S5[z7]  S6[z6]  S7[z5]  S8[z4]  S5[x9] zCzDzEzF = x4x5x6x7  S5[zA]  S6[z9]  S7[zB]  S8[z8]  S6[xB] K1 = S5[z8]  S6[z9]  S7[z7]  S8[z6]  S5[z2] K2 = S5[zA]  S6[zB]  S7[z5]  S8[z4]  S6[z6] K3 = S5[zC]  S6[zD]  S7[z3]  S8[z2]  S7[z9] K4 = S5[zE]  S6[zF]  S7[z1]  S8[z0]  S8[zC] x0x1x2x3 = z8z9zAzB  S5[z5]  S6[z7]  S7[z4]  S8[z6]  S7[z0] x4x5x6x7 = z0z1z2z3  S5[x0]  S6[x2]  S7[x1]  S8[x3]  S8[z2] x8x9xAxB = z4z5z6z7  S5[x7]  S6[x6]  S7[x5]  S8[x4]  S5[z1] xCxDxExF = zCzDzEzF  S5[xA]  S6[x9]  S7[xB]  S8[x8]  S6[z3] K5 = S5[x3]  S6[x2]  S7[xC]  S8[xD]  S5[x8] K6 = S5[x1]  S6[x0]  S7[xE]  S8[xF]  S6[xD] K7 = S5[x7]  S6[x6]  S7[x8]  S8[x9]  S7[x3] K8 = S5[x5]  S6[x4]  S7[xA]  S8[xB]  S8[x7] K9 = S5[z3]  S6[z2]  S7[zC]  S8[zD]  S5[z9] K10 = S5[z1]  S6[z0]  S7[zE]  S8[zF]  S6[zC] K11 = S5[z7]  S6[z6]  S7[z8]  S8[z9]  S7[z2] K12 = S5[z5]  S6[z4]  S7[zA]  S8[zB]  S8[z6] K13 = S5[x8]  S6[x9]  S7[x7]  S8[x6]  S5[x3] K14 = S5[xA]  S6[xB]  S7[x5]  S8[x4]  S6[x7] K15 = S5[xC]  S6[xD]  S7[x3]  S8[x2]  S7[x8] K16 = S5[xE]  S6[xF]  S7[x1]  S8[x0]  S8[xD]

CAST-128 Subkey Generation
z0z1z2z3 = x0x1x2x3  S5[xD]  S6[xF]  S7[xC]  S8[xE]  S7[x8] z4z5z6z7 = x8x9xAxB  S5[z0]  S6[z2]  S7[z1]  S8[z3]  S8[xA] z8z9zAzB = xCxDxExF  S5[z7]  S6[z6]  S7[z5]  S8[z4]  S5[x9] zCzDzEzF = x4x5x6x7  S5[zA]  S6[z9]  S7[zB]  S8[z8]  S6[xB] K17 = S5[z8]  S6[z9]  S7[z7]  S8[z6]  S5[z2] K18 = S5[zA]  S6[zB]  S7[z5]  S8[z4]  S6[z6] K19 = S5[zC]  S6[zD]  S7[z3]  S8[z2]  S7[z9] K20 = S5[zE]  S6[zF]  S7[z1]  S8[z0]  S8[zC] x0x1x2x3 = z8z9zAzB  S5[z5]  S6[z7]  S7[z4]  S8[z6]  S7[z0] x4x5x6x7 = z0z1z2z3  S5[x0]  S6[x2]  S7[x1]  S8[x3]  S8[z2] x8x9xAxB = z4z5z6z7  S5[x7]  S6[x6]  S7[x5]  S8[x4]  S5[z1] xCxDxExF = zCzDzEzF  S5[xA]  S6[x9]  S7[xB]  S8[x8]  S6[z3] K21 = S5[x3]  S6[x2]  S7[xC]  S8[xD]  S5[x8] K22 = S5[x1]  S6[x0]  S7[xE]  S8[xF]  S6[xD] K23 = S5[x7]  S6[x6]  S7[x8]  S8[x9]  S7[x3] K24 = S5[x5]  S6[x4]  S7[xA]  S8[xB]  S8[x7] K25 = S5[z3]  S6[z2]  S7[zC]  S8[zD]  S5[z9] K26 = S5[z1]  S6[z0]  S7[zE]  S8[zF]  S6[zC] K27 = S5[z7]  S6[z6]  S7[z8]  S8[z9]  S7[z2] K28 = S5[z5]  S6[z4]  S7[zA]  S8[zB]  S8[z6] K29 = S5[x8]  S6[x9]  S7[x7]  S8[x6]  S5[x3] K30 = S5[xA]  S6[xB]  S7[x5]  S8[x4]  S6[x7] K31 = S5[xC]  S6[xD]  S7[x3]  S8[x2]  S7[x8] K32 = S5[xE]  S6[xF]  S7[x1]  S8[x0]  S8[xD]

CAST-128 S-Box S1 CAST-128 S-Box S1

RC2 Developed by Ron Rivest (RSA Data Security) 64-bit block cipher
Variable key size (from one byte up to 128 bytes) Designed to be easy to implement on 16-bit microprocessor Use 16-bit word, 16-bit arithmetic (addition, XOR, AND, ~, rotate) Non-Feistel 18 rounds (mixing/mashing) Used in S/MIME

RC2 Key Expansion RC2 assumes 128 (64 word) byte key buffer
For byte operation, key array is L[0], …, L[127]; each L[i] is a byte For word operation, key array is K[0], …, K[63]; each K[i] is a 16-bit word These are alternative views of the same key buffer Key expansion Assume that exactly T bytes of key are supplied, 1  T  128 The purpose of key expansion algorithm is to modify the key buffer so that each bit of the expanded key depends in a complicated way on every bit of the supplied input key Key expansion begins by placing the supplied T-byte key into bytes L[0], …, L[T-1] of the key buffer L array is then computed making use of an auxiliary array P P array is a random permutation of values of 0,…,255, which is constructed based on p= … (See next page) The computation is for i = T to 127 do L[i] = P[L[i-1] + L[i-T]]; L[128-T] = P[L[128-T]] For i = 127 – T down to 0 do L[i]=P[L[i+1]  L[i+T]];

PiTable (P-array) Here is the P array in hexadecimal notation:
RC2 PiTable (P-array) Here is the P array in hexadecimal notation: a b c d e f 00: d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d 10: c6 7e b e 62 4c b fb a2 20: 17 9a 59 f5 87 b3 4f d 8d d 32 30: bd 8f 40 eb 86 b7 7b 0b f c 6b 4e 82 40: 54 d ce 60 b2 1c c0 14 a7 8c f1 dc 50: ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26 60: 6f bf 0e da f2 1d 9b bc 70: f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7 80: 08 e8 ea de ee f7 84 aa 72 ac 35 4d 6a 2a 90: 96 1a d2 71 5a b 9f d0 5e a4 ec a0: c2 e0 41 6e 0f 51 cb cc af 50 a1 f b0: 99 7c 3a b8 b4 7a fc b c0: 2d 5d fa 98 e3 8a 92 ae 05 df c ba c9 d0: d3 00 e6 cf e1 9e a8 2c f 58 e2 89 a9 e0: 0d b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e f0: c5 f3 db 47 e5 a5 9c 77 0a a fe 7f c1 ad

RC2 RC2 Encryption Encryption algorithm takes a 64-bit input stored in R[0], R[1], R[2], R[3], and places the result back in R[0] thru R[3]. Algorithm consists of 18 rounds of two types: mixing and mashing Mixing round: R[0] = R[0] + K[j] + (R[3] & R[2]) + ((~R[3] & R[1]); R[0] = R[0] <<< 1; j = j + 1; R[1] = R[1] + K[j] + (R[0] & R[3]) + ((~R[0] & R[2]); R[1] = R[1] <<< 2; R[2] = R[2] + K[j] + (R[1] & R[0]) + ((~R[1] & R[3]); R[2] = R[2] <<< 3; R[3] = R[3] + K[j] + (R[2] & R[1]) + ((~R[2] & R[0]); R[3] = R[3] <<< 5; Here j is the global variable; K[j] is the first subkey word that has not yet been used

RC2 Encryption Mashing round RC2
Initialize j to zero Perform five mixing rounds (j = 20) Perform one mashing round Perform six mixing rounds (j = 44) Perform five mixing rounds (j=64) Decryption: Inverse operation of encryption with the keys used in reverse order R[0] = R[0] + K[R[3] & 63]; R[1] = R[1] + K[R[0] & 63]; R[2] = R[2] + K[R[1] & 63]; R[3] = R[3] + K[R[2] & 63];

Key features found in advanced symmetric block ciphers (not in DES) Variable key length Blowfish, RC5, CAST-128, RC2 Mixed operators More than one arithmetic and/or Boolean operator, especially ones that are not associative or distributive These operators provide nonlinearity as an alternative to S-boxes Data-dependent rotation Provide excellent confusion and diffusion RC5 Key-dependent rotation CAST-128