IDEA, RC5. Modes of operation of block ciphers

Transcription

1 C Lecture 8 IDA, RC5 Modes of operation of block ciphers Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th dition, Chapter 6 Block Cipher Operation II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, 7.6 IDA RC Modes of Operation

2 IDA IDA X. Lai, J. Massey TH, bit key (billion machines each checking billion keys per second still would require 10 trillion years, to check all keys used in PGP (Pretty Good Privacy) - the most popular public domain program for secure constructed to provide an absolute resistance against differential cryptanalysis

3 Three basic operations: IDA X X X Y = X Y = X + mod 2 16 Y = X mod ( ) where 0 represents 2 16 Corresponding inverse operations: Y Y Y - -1 X = Y X = Y+(- ) mod 2 16 X = Y -1 mod ( ) Half-round of IDA: Transformation Forward transformation: X a X b X c X d a b c d Y a Y b Y c Y d Inverse transformation: Y a Y b Y c Y d -1 a - c - b -1 d X a X b X c X d

4 Half-round of IDA: Sub-encryption Forward transformation X a X b X c X d W in = X a X b V in = X c X d MANGLR FUNCTION e f W out V out Y a = X a W out Y b = X b W out Y c = X c V out Y d = X d V out Half-round of IDA: Sub-encryption Inverse transformation Y a Y b Y c Y d W in = X a X b V in = X c X d MANGLR FUNCTION e f W out V out X a = Y a W out Y b = Y b W out X c = Y c V out X d = Y d V out

5 IDA Mangler Function W in V in e f W out V out

6 IDA - ey Scheduling 128 bit Z 1 Z 2 Z 3 Z 4 Z 5 Z 6 Z 7 Z 8 Rotate 25 positions left Z 9 Z 10 Z 11 Z 12 Z 13 Z 14 Z 15 Z 16 Rotate 25 positions left RC5

7 RC5 Ron Rivest, MIT, 1994 (Ron s Code 5, Rivest s Cipher 5) variable key length (40 bits in the former export version, 128 bits to achieve the same strength as IDA) variable block size (depends on the processor word length) variable number of rounds (determines resistance to linear and differential cryptanalysis; for 9 rounds this resistance is greater than for DS) simplicity of description Basic operations: Rotation by a variable number of bits RC5 One of the fastest ciphers B w A w A<<<B C w C=A<<<B w Addition modulo 2 w where w is the size of operands A and B + A B C C = A + B mod 2 w

8 RC5 w/r/b w - word size in bits w = 16, 32, 64 input/output block = 2 words = 2 w bits Typical value: w=32 64-bit input/output block r - number of rounds b - key size in bytes key size in bits = 8 b bits 0 b 255 Recommended version: RC5 32/12/16 64 bit block 12 rounds 128 bit key ncryption RC5 Decryption Split M into two halves A and B A = A + S[0] B = B + S[1] for i= 1 to r do { A= ((A B) <<< B) + S[2i] B= ((B A) <<< A) + S[2i+1] } C= A B Split C into two halves A and B for i= r downto 1 do { B= ((B-S[2i+1]) >>> A) A A= ((A - S[2i])>>>B) B } B = B - S[1] A = A - S[0] M= A B

9 RC5 - ey Scheduling k bits of the main key 2 r + 2 round keys = (2 r + 2 ) w bits Two magic constants: P w = Odd ((e-2) 2 w ) Q w = Odd ((ϕ-1) 2 w ) ϕ - golden ratio = e - base of natural logarithms e = x-y x y x y = y x-y = RC5 ey Scheduling

10 RC5 - ey Scheduling Initialize and Convert Initialize S[0] = P w for i=1 to t-1 do S[i] = S[i-1] + Q w Convert for i=0 to c-1 do L[i] = 0; t = 2 r b c = w Copy key bits directly to the memory positions represented by L. RC5 - ey Scheduling Mix Mix i = j = 0 A = B = 0 do 3 max{t, c} times { A = S[i] = (S[i] + A + B) <<< 3 B = L[j] = (L[j] + A + B) <<< (A+B) i = (i+1) mod t j = (j+1) mod c }

11 RC5 - Resistance to differential and linear cryptanalysis Plaintext requirement # rounds Differential Cryptanalysis Linear Cryptanalysis > >2 64 Differential cryptanalysis cannot be applied to RC5 with #rounds 13 Linear cryptanalysis cannot be applied to RC5 with #rounds 7 Resistance of modern ciphers against known attacks Proprietary ciphers built into application software mostly insecure, seconds on a PC Propriatery ciphers with unknown specification uncertain, may be hard to verify Past 40-bit international version eys recoverable in less than of ciphers one hour using a small network of computers worth less than $10,000 DS Triple DS, DSX, RC5 eys can be recovered within 24 hours using a specialized machine based on FPGAs worth less than $100,000 All known attacks impractical

12 State of research regarding the security of secret-key ciphers limited number of researchers actively involved in cryptanalysis and design of new ciphers number of published ciphers > number of researchers evaluations of the cipher strength given by designers typically unreliable Honest cipher = the best known attack is an exhaustive key search attack One can rely only on ciphers analyzed by a large group of qualified researchers Modes of Operation

13 Block vs. stream ciphers M 1, M 2,, M n m 1, m 2,, m n Block cipher Internal state - IS Stream cipher C 1, C 2,, C n c 1, c 2,, c n C i =f (M i ) c i = f (m i, IS i ) IS i+1 =g (m i, IS i ) very block of ciphertext is a function of only one corresponding block of plaintext very block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher Typical stream cipher Sender key initialization vector (seed) Receiver key initialization vector (seed) Pseudorandom ey Generator Pseudorandom ey Generator k i keystream k i keystream m i plaintext c i ciphertext c i ciphertext m i plaintext

14 Standard modes of operation of block ciphers Block ciphers Stream ciphers CB mode Counter mode OFB mode CFB mode CBC mode CB (lectronic CodeBook) mode

15 lectronic CodeBook Mode CB ncryption M 1 M 2 M 3 M N-1 M N C 1 C 2 C 3 C N-1 C N C i = (M i ) for i=1..n lectronic CodeBook Mode CB Decryption C 1 C 2 C 3 C N-1 C N D D D D D M 1 M 2 M 3 M N-1 M N C i = (M i ) for i=1..n

16 Criteria for Comparison of Modes of Operation hiding repeating message blocks speed capability for parallel processing and pipelining during encryption / decryption use of block cipher operations (encryption only or both) capability for preprocessing during encryption / decryption capability for random access for the purpose of reading / writing number of plaintext and ciphertext blocks required for exhaustive key search error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining CB CTR OFB CFB CBC Cipher operations Preprocessing Random access

17 Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed rror propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity Counter Mode

18 Counter Mode - CTR ncryption IV IV+1 IV+2 IV+N-2 IV+N-1 k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i = (IV+i-1) for i=1..n Counter Mode - CTR Decryption IV IV+1 IV+2 IV+N-2 IV+N-1 k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i k i k i = (IV+i-1) for i=1..n

19 IV Counter Mode - CTR IV counter counter 1 L 1 L IN IN OUT 1 L OUT 1 L c i c i IS 1 = IV m i m i c i = (IS i ) m i IS i+1 = IS i +1 m 1 m 2 m 3 J-bit Counter Mode - CTR IV IV+1 IV+2 IV+N-2 IV+N-1 j k 1 k 2 k 3 k N-1 k N j j j j j j j j j m N-1 m j N j j j j c 1 c 2 c 3 c N-1 c N c i = m i k i k i = (IV+i-1)[1..j] for i=1..n

20 IV J-bit Counter Mode - CTR IV counter counter 1 L 1 L IN IN OUT OUT j bits L-j bits j bits L-j bits 1 j L 1 j L c i c i m i m i OFB (Output FeedBack) Mode

21 IV Output Feedback Mode - OFB ncryption k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i = (k i-1 ) for i=1..n, and k 0 = IV IV Output Feedback Mode - OFB Decryption k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i k i k i = (k i-1 ) for i=1..n, and k 0 = IV

22 Output Feedback Mode - OFB IV IV 1 L 1 L IN IN OUT 1 L IS 1 = IV c i = (IS i ) m i IS i+1 = (IS i ) OUT 1 L c i c i m i m i J-bit Output Feedback Mode - OFB IV shift shift IV L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L IN IN OUT j bits L-j bits OUT j bits L-j bits 1 j L 1 j L c i c i m i m i

23 CFB (Cipher FeedBack) Mode IV Cipher Feedback Mode - CFB ncryption k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i = (c i-1 ) for i=1..n, and c 0 = IV

24 IV Cipher Feedback Mode - CFB Decryption k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N m i = c i k i k i = (c i-1 ) for i=1..n, and c 0 = IV Cipher Feedback Mode - CFB IV IV 1 L 1 L IN IN IS 1 = IV OUT 1 L c i = (IS i ) m i IS i+1 = c i OUT 1 L c i c i m i m i

25 shift J-bit Cipher Feedback Mode - CFB IV shift L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L IV IN IN OUT j bits L-j bits OUT j bits L-j bits 1 j L 1 j L c i c i m i m i CBC (Cipher Block Chaining) Mode

26 Cipher Block Chaining Mode - CBC ncryption IV m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = (m i c i-1 ) for i=1..n c 0 =IV Cipher Block Chaining Mode - CBC Decryption c 1 c 2 c 3 c N-1 c N IV D D D D D m 1 m 2 m 3 m N-1 m N m i = D (c i ) c i-1 for i=1..n c 0 =IV

27 Comparison among various modes Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access CB CTR OFB CFB CBC No Yes Yes Yes Yes s CB s CB j/l s CB j/l s CB s CB ncryption and decryption ncryption and decryption ncryption and decryption ncryption only None ncryption only Decryption only ncryption only Decryption only ncryption and decryption No Yes Yes No No R/W R/W No R only R only

28 Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks rror propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits j bits j bits L+j bits L+j bits Current and all subsequent Current and all subsequent Current and all subsequent L bits Current and all subsequent No No No No No New modes of operation

29 valuation Criteria for Modes of Operation Security fficiency Functionality Security valuation criteria (1) fficiency resistance to attacks proof of security random properties of the ciphertext number of calls of the block cipher capability for parallel processing memory/area requirements initialization time capability for preprocessing

30 valuation criteria (2) Functionality security services - confidentiality, integrity, authentication flexibility - variable lengths of blocks and keys - different amount of precomputations - requirements on the length of the message vulnerability to implementation errors requirements on the amount of keys, initialization vectors, random numbers, etc. error propagation and the capability for resynchronization patent restrictions CBC IV m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N Problems: - No parallel processing of blocks from the same packet - No speed-up by preprocessing - No integrity or authentication

31 Counter mode IV IV+1 IV+2 IV+N-1 IV+N k 0 k 1 k 2 k N-1 k N m 0 m 1 m 2 m N-1 m N c 0 c 1 c 2 c N-1 c N Features: + Potential for parallel processing + Speed-up by preprocessing - No integrity or authentication Properties of existing and new cipher modes Proof of security CBC CFB OFB New standard Parallel processing Preprocessing Integrity and authentication Resistance to implementation errors decryption only

32 OCB - Offset Codebook Mode IV 0 M 1 M 2 M N-1 M N Control sum length Z 1 Z 2 Z N-1 g(l) Z N Z N L Z 1 Z 2 Z N-1 M N τ bits R C 1 C 2 C N-1 C N T Z i =f(l, R, i) New modes of block ciphers 1. CCM - Counter with CBC-MAC developed by R. Housley, D. Whiting, N. Ferguson in 2002 assures simultaneous confidentiality and authentication not covered by any patent part of the I i standard for wireless networks 2. GCM Galois/Counter Mode developed by D. McGrew and J. Viega in 2005 assures simultaneous confidentiality and authentication not covered by any patent used in the I 802.1A (MACsec) thernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), I P tape storage, and ITF IPSec standards

33 Properties of new modes of operation CBC CFB OFB CTR CCM GCM Proof of security Parallel processing only decryption Half of operations Preprocessing Integrity and authentication Half of Half of operations operations Resistance to implementation errors FIPS standards: Modes of operation of block ciphers Timeline CBC, CFB, OFB, CB FIPS 81 (for DS) CTR (counter mode) Dec For arbitrary block cipher CCM May 2004 GCM SP A SP A SP B SP D Nov 2007 Contests: Apr NIST 10 modes submitted to the contest (including, CTR, OCB, IACBC, IAPM) Patent issues. Attacks: Aug DCM mode developed by NSA several days after the publication