4. Design Principles of Block Ciphers and Differential Attacks

Transcription

1 4. Design Principles of Block Ciphers and Differential Attacks Nonli near 28-bits Trans forma tion 28-bits Model of Block Gong

2 A. Introduction to Block Ciphers A Block Cipher Algorithm: E and D are a pair of encryption and decryption operators that satisfy E : 2 n n F2 F2, F = GF2 D o E m = m where m is an n-bit message, i.e., E maps an n-bit message to an n-bit cipher tet. Design Principles of Block Ciphers Diffussion and Confusion Shannon Diffussion:: each plaintet digit affects many cipher tet digits, or each ciphertet digit is affected by many plaintet digits. Confusion: Make the statistical relationship between a plaintet and the corresponding ciphertet as comple as possible in order to thread attempts to deduce the Gong 2

3 Diffussion Message Encryption key Confussion Cipher Differential cryptanalysis attack: Making use of that fact that the differences of the output at each round will be propagated into the net round. Mathematical Interpretation of Diffusion and Confussion: C = E = f, k, F, k F, C F k f : F " F F n 2 n 2 Nonlinearlity of f: n 2 n Gong 3 n 2 f is far from the linear functions The Strict Avalanche Criterion: one bit change in the plaintet or the key should produce a significant change in the ciphertet. n 2

4 B. Development of Block Ciphers DES Data Encryption Standard, NIST 976 IDEA International Data Encryption Algorithm, Lai and Massey 99 RC5, Rivest 994 AES Advanced Encryption Standard and RIJDAEL, NIST, 2 NISSIE New European Schemes for Signatures, Integrity, and Encryption, called the cryptographic primitives in many areas, Gong 4

5 AES Selection AES: Advanced Encryption Standard, A Crypto Algorithm for the 2 Century, NIST 5 AES Candidates, Aug Top 5 AES Candidates, Aug 999. Third AES Candidate Conference, April 2, New York. October 2, the final candidate: RIJNDAEL, by Joan Daemen, Vincent Gong 5

6 5. Block Ciphers: DES, AES and Triple DES A. DES Data Encryption Standard, NIST bit 32-bit A A f k: DES key Figure. DES Viewed as the FSR with Gong 6

7 DES: Load 64-bit message 64-bit message 64-bit cipher 56-bit key IP IP - PC 32-bit 32-bit a a f output only a 7 a 6 K 48-bit 28-bit 28-bit 28-bit C D << << 28-bit 28-bit PC2 28-bit Key schedule Figure 2. Round Operation in Gong 7

8 Notation in Figure 2: IP: initial permutation IP - : the inverse of IP PC: permuted choice PC2: permuted choice 2 <<: left shifts for round, 2, 9, 6 shift, the rest of rounds shift 2 a 2 = f ai, ki ai, =,, L,5. i i where f is a nonlinear function given by the so-called S-boes described Gong 8

9 PC for the key schedule: Initial Permutation IP: PC2 for the key schedule: Gong 9

10 f is defined by this serial operations E 32bit 48-bit K i 48-bit 48-bit 8 S-boes 32-bit Permutation P of S 32 Figure 3. Round Gong

11 A k 32-bit E 48-bit 48-bit 6-bit bit 32-bit Permutation P Figure 4. DES S-Boes Gong

12 Epansion permutation E: S-boes mapping: 6-bit: a a a 2 a 3 a 4 a 5 a a 5 : to select row,, 2, 3 a a 2 a 3 a 4 : to select column,,..., 5 32-bit Permutation P: 6,7,2,2,29,2,28,7,,5, 23,26,5,8,3,, 2,8,24,4,32,27,3,9,9,3,3, Gong 2

13 S-bo S-bo S-bo S-bo S-bo S-bo S-bo S-bo Gong 3

14 Remark. Special properties of S-bo 4 G.Gong and S.W. Golomb, IEEE-IT, 999 S-bo 4: Polynomial Representation Const f 4 f f f Gong 4

15 S-bo 4: Hadamard transform S-bo 4: Avalanche Transform Gong 5

16 Eample. Message = key = Cipher Gong 6

17 AES Advanced Encryption Standard RIJNDAEL 28-bit or more m message k session key 28-bit or more, mied with a permutation 8-bit... P P P P P P 8-bit 28-bit Permutation 28-bit c cipher Figure. A round operation for AES candidates: SAFER, Gong 7

18 RIJNDAEL's Operators: Algebraic structure: a finite field F = GF2 8, defined by the primitive polynomial m = Let α be a root of m, i.e., mα = in F. Operations in the matri ring: M 4 F = { X = ij 4" 4 ij F} For each matri in M 4 F, the elements are taken from F, i.e., each element has 8-bit or one byte, and each row or column can be considered as a word, 32-bit. So, all of computation are performed in Gong 8

19 @G. Gong 9 A. Three Basic Operators. ByteSub transform S on M 4 F: for S is a byte-wise operation: where for where and, 4 F M X ij = F y y y y =,,, 7 L y T y S o = = y y " " # % & " # % & " # % & = y y y y y y y y y T 4 4 = ij S X S

20 Let A denote the 8 by 8 - matri from the affine transformation T, c =,,,,,,, and t represents the transpose of the vector. Then the inverse of S is given by where S " " " " X = S ij 4 4 = # ot ij 4 4 t t " ij = ij T y = A y c. and 2. Shift row transform R and its inverse & R X = % # " R ' & X = % # Gong 2

21 @G. Gong 2 3. Mi column transform linear transform on F 4 and the inverse of L: X L X L = " # % & = ' ' ' ' ' ' ' ' L " # % & = ' L " = = " = " 3 3 = " where

22 @G. Gong 22 B. Composition of Operators, X M 4 F X S R X G o = X R S X G = o X G L X H o = X L G X H = o For = L GX

23 H H - L - " ij 4 4 G T " 4 4 R - Shift row R T " # 4 4 Mied column L " ij 4 4 Figure 2. Diagram of H and G Gong 23

24 C. Key Schedule The total number of round key bits is equal to the block length times the number of rounds plus. For a 28-bit version, it needs rounds. Thus 48-bit, or 44-word round key is needed. Let { Ki} i= be a sequence of words, i.e., K i F, which consists of 4 bytes; - K, K, K 2, K 3 be a 28-bit session key, where each word 4 K i F, consisting of 4 bytes. The sequence {K i } will be used as the round keys. We write Ki = ki, ki, ki2, ki3, i =,, L,43, kij Gong 24

25 3 bytes zeros α S >> >>: right shift S: operate on bytes : bit-wise addition K K4 i K4 i 2 4 i K 4 i 3 K 4 i K 4 i K4 i 2 K4 i 3 Figure 3. Key schedule: from the i-th segment of 4-word to the ith segment of Gong 25

26 Initial state: K F, K, K2, K3 4 Epansion step: For i =, 2,...,, compute K 4i = K4 i" " S k 4i",3, S k 4i",, S k 4i",, S k 4i, 2 i,,, 4 K4 i j = K4i j K4 i j in F, j =,,2,3. We arrange {K i } into a matri K of by 4 as K = j K4 i j i, 3. Let K i = 3 K4i, K4i, K4i 2, K4i, i =,, L, the ith row vector of K. Then K i will be a key for ith round, i Gong 26

27 For eample, for i =, K4 = K S k 3,3, S k 3,, S k 3,, S k 3, 2,,, K 5 = K4 K K 6 = K5 K2 K 7 = K6 K3 Thus K = K4, K5, K6, Gong 27

28 D. RIJNDAEL Encryption and Decryption We consider the 28-bit version. Message format: a message M of 28 bits, represented as 6 bytes. M = m m, m, m, m, m, m, m, m, m, m, m where m ij F. It forms the message matri M: , m, m 2 23, m, m 3 33, M & m m = m % m 2 3 m m m m 2 3 m m m m m m m m # " In other words, the message can be read from M column by column. The number of rounds: Ciphertet: C = c ij 4 4 which are computed in Figure 4 and output the elements in C column by Gong 28

29 Encryption M: message K Decryption C G - K 9 H... H K K 9 9 H -... H - K 9 K 8 G K Figure 4 Figure 5 C: Gong 29 M K

30 Encryption: M = M K in M 4 F M i = H M K, i =,2, L,9 M K = G M 9 The ciphertet is C = M. i i Decryption: C = C K = G C C K 9 C i = H Ci K i, i = 2, 3, L, The plaintet is M = Gong 3

31 @G. Gong 3 E. Word-Operation of RIJNDAEL not in the standard, Gong 2 Note that the order of the SubByte transform S and the shift row transform can be changed. In this way, we can represent RIJNDAEL in word operations, see Figure 6. Sometimes, we also say that S is the S-boes of RIJNDAEL. In other words, in the Rijdael cipher, all S-boes are the same, which is the inverse operation in the finite field GF2 8 followed by an affine transformation. The representation of RIJNDAEL in word operations: 4 3 2,,, F y y y y Y = For, the word operation W of Rijndael is defined as " # % & " # % & = ' = 3 2 y T y T y T y T Y S L y W

32 28-bit m message k session key 96 or 256-bit 28-bit 96 or 256-bit 6 byte shift R 8-bit S S S S S S S S S S S S S S S S L L L L 32-bit 32-bit 32-bit 32-bit c cipher Figure 6. One round operation in RIJDAEL, represented by the word Gong 32

33 Figure 7. The effect of the shift row R corresponding to 6-byte Gong 33

34 Triple DES Approach: In order to preserve the eisting investment in software and equipment, one may use multiple encryption with DES and multiple keys. In the figures, E = DES encryption, D = DES decryption, where two out of three keys would be equal. Ciphertet is given by C = E K D 3 K E M 2 Gong 34

35 message M K K 2 K 3 E D E ciphertet C Triple DES Encryption ciphertet C K K 2 K 3 D E D message M Triple DES Gong 35

36 Block Cipher Modes: 6. Encryption Modes Electronic Codebook Mode ECB Cipher Block Chaining CBC Mode Block Cipher Used as Stream Cipher Modes: Cipher Feedback Mode CFB Counter Mode Gong 36

37 Encryption: Messages: M M 2 CBC Mode M N IV C N- K E K E K E Ciphertet: Decryption: C C 2 C N K D K D K D IV C N- M M 2 M N C = EK IV M, and Ci = EK Ci M i, i = 2, 3,..., N

38 CFB Mode Stream Cipher Mode IV K E K E C N- K E M M 2 M N C C 2 C N K = = EK IV, and Ki = EK Ci, i 2, 3,..., N Ci = Ki M i, i =, 3,..., Gong 38

39 Counter Mode Stream Cipher Mode Counter Counter Counter N K E K E K E M M 2 M N C C 2 C N Ki = EK Counter i, i =, 2,..., N Ci = Ki M i, i =, 3,..., Gong 39

40 7. Hashing Functions and MAC A hashing function is a map from n bits to m bits where m < n. An output of a hashing function is called a message digest when an input is considered as a message. If two n bits streams or messages have identical hashing values message digests, then it is said to be a collision. A hashing function is secure if it is hard to find a collision. The message digest can then, for eample, be input to a signature algorithm which generates or verifies the signature for the message. Signing the message digest rather than the message often improves the efficiency of the process because the message digest is usually much smaller in size than the message. The same hash algorithm must be used by the verifier of a digital signature as was used by the creator of the digital signature. Any change to the message in transit will, with very high probability, result in a different message digest, and the signature will fail to verify. A keyed hashing function is called a message authentication code Gong 4

41 MD5, Rivest 99 The MD5 message digest algorithm takes as input a message of arbitrary length and produces as output a 28-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private secret key under a public-key cryptosystem such as RSA. The MD5 algorithm is designed to be quite fast on 32-bit machines. In addition, the MD5 algorithm does not require any large substitution tables; the algorithm can be coded quite compactly. The MD5 algorithm is an etension of the MD4 message-digest Gong 4

42 SHA- 995, SHA-2, NIST SHA-: a Secure Hash Algorithm for computing a condensed representation of a message or a data file. When a message of any length < 2^64 bits is input, the SHA- produces a 6-bit output called a message digest. The SHA- is specified in the standard for use with the DSA in electronic mail, electronic funds transfer, software distribution, data storage, and other applications which require data integrity assurance and data origin authentication. The SHA- may also be used whenever it is necessary to generate a condensed version of a message. SHA-2 is the collective name of hash functions developed by the NIST, which contains three versions. The outputs of SHA-256, SHA-384, and SHA- 52 are 256 bits, 384 bits and 52 bits, respectively. MD5, SHA-, and SHA-2 have similar structures. Collisions have been found for MD5 and SHA- by a group of Chinese scholars in Gong 42

43 SHA- Gong 43

44 A. Padding Process: three Gong 44

45 @G. Gong 45

46 @G. Gong 46

47 One Iteration of Gong 47