ECE 646 Lecture 7. Data Encryption Standard DES. Secret-Key Ciphers. Secret agreement between IBM & NSA, 1974

Transcription

1 C 646 Lecture 7 Secret-Key Ciphers Data Standard DS NBS public request for a standard cryptographic algorithm May 15, 1973, August 27, 1974 The algorithm must be: secure public - completely specified - easy to understand - available to all users economic and efficient in hardware able to be validated exportable Secret agreement between IBM & NSA, 1974 Obligations of IBM: Algorithm developed in secret by IBM NSA reserved a right to monitor the development and propose changes No software implementations, just hardware chips IBM not allowed to ship implementations to certain countries License required to ship to carefully selected customers in approved countries Obligations of NSA: seal of approval 1

2 DS - chronicle of events NBS issues a public request for proposals for a standard cryptographic algorithm first publication of the IBM s algorithm and request for comments NBS organizes two workshops to evaluate the algorithm official publication as FIPS PUB 46: Data Standard 1983, 1987, recertification of the algorithm for another five years software implementations allowed to be validated Controversies surrounding DS Unknown design criteria Most criteria reconstructed from cipher analysis 1990 Reinvention of differential cryptanalysis Slow in software Only hardware implementations certified 1993 Software, firmware and hardware treated equally Too short key Theoretical designs of DS breaking machines 1998 Practical DS cracker built Life of DS DS - external look American standards Other popular algorithms DS 56 bit key IDA RC5 AS 2002 contest Blowfish Serpent Twofish RC6 Triple DS 112, 168 bit 168 bit only AS - Rijndael 128, 192, and 256 bit keys plaintext block 64 bits DS 56 bits ciphertext block 64 bits key CAST Mars 2

3 Round Key[0] Typical Flow Diagram of a Secret-Key Block Cipher Initial transformation i:=1 DS high-level internal structure Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final transformation Classical Feistel Network plaintext = L 0 R 0 for i=1 to n { L i =R i-1 R i =L i-1 Å f(r i-1, K i ) } L n+1 = R n R n+1 = L n ciphertext = L n+1 R n+1 IP L 0 R 0 f L 1 R 1 f L 2 R 2 L 15 R 15 f K 1 K 2 K 16 DS Main Loop Feistel Structure L n+1 =R n R n+1 =L n Å f(r n, K n+1 ) R 16 L 16 IP -1 3

4 Feistel Structure IP -1 Decryption IP Decryption L 0 R 0 f K 1 R 16 L 16 f K 16 L n R n L n R n f K n+1 f K n+1 L 1 f R 1 K 2 R 15 f L 15 K 15 L n+1 R n+1 L n+1 R n+1 L 2 R 2 R 14 L 14 L n+1, R n+1?? L 15 R 15 f K 16 R 1 L 1 f K 1 f K n+1 R 16 L 16 L 0 R 0 L n, R n?? IP IP -1 Mangler Function of DS, F 4

5 Notation for Permutations Input i 1 i 2 i 3 i 4 i 5 i 6 i 7 i 8 i 9 i 10 i 56 i 57 i 58 i 59 i 60 i 61 i 62 i 63 i i 58 i 50 i 42 i 34 i 26 i 18 i 10 i 2 i 5 i 63 i 55 i 47 i 39 i 31 i 23 i 15 i 7 Output Notation for S-boxes Input i 1 i 2 i 3 i 4 i 5 i 6 i 1 i 6 determines a row number in the S-box table, 0..3 i 2 i 3 i 4 i 5 determine a column in the S-box table, o 1 o 2 o 3 o 4 is a binary representation of a number from in the given row and the given column o 1 o 2 o 3 o 4 Output 5

6 1. Randomness General design criteria of DS 2. Avalanche property changing a single bit at the input changes on average half of the bits at the output 3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits) 4. Nonlinearity encryption function is non-affine for any value of the key 5. Correlation immunity output bits are statistically independent of any subset of input bits Completeness property very output bit is a complex function of all input bits (and not just a subset of input bits) Formal requirement: For all values of i and j, i=1..64, j=1..64 there exist inputs X 1 and X 2, such that X 1 x 1 x 2 x 3 x i-1 0 x i+1 x 63 x 64 X 2 x 1 x 2 x 3 x i-1 1 x i+1 x 63 x 64 Y 1 = DS(X 1 ) y 1 y 2 y 3 y j-1 y j y j+1 y 63 y 64 Y 2 = DS(X 2 ) y 1 y 2 y 3 y j-1 y j y j+1 y 63 y 64 Linear Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] or T(X 1 Å X 2 ) = T(X 1 ) Å T(X 2 ) Affine Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] Å B [n x 1] 6

7 Linear Transformations of DS IP, IP -1,, PC1, PC2, SHIFT e.g., IP(X 1 Å X 2 ) = IP(X 1 ) Å IP( X 2 ) S Design of S-boxes S[0..15] Non-Linear and non-affine transformations of DS in out = S[in] There are no such matrices A [4x6] and B [4x1] that S S(X [6x1] ) = A [4x6] X [6x1] Å B [4x1] 16!» possibilities precisely defined initially unpublished criteria resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by. Biham and A. Shamir) Project: Method: Theoretical design of the specialized machine to break DS Basic component: Michael Wiener, ntrust Technologies, 1993, 1997 exhaustive key search attack specialized integrated circuit in CMOS technology, 75 MHz Checks: 200 mln keys per second Costs: $10 Total cost $ 1 mln $ stimated time 35 minutes 6 hours plaintext DS breaking machine known ciphertext key counter Round key Round 1 key 1 Key Scheduling Round 1 Round 2. Round 16 comparator Round key 2 Round key 16 known plaintext Key Scheduling Round 2. Key Scheduling Round 16 7

8 Deep Crack lectronic Frontier Foundation, 1998 Total cost: $220,000 Average time of search: 4.5 days/key Deep Crack Parameters Number of ASIC chips 1800 Clock frequency 40 MHz Number of clock cycles per key ASIC chips, 40 MHz clock Number of search units per ASIC Search speed Average time to recover the key bln keys/s 4.5 days COPACOBANA Cost-Optimized Parallel COde Breaker Ruhr University, Bochum, University of Kiel, Germany, 2006 Cost: 8980 (ver. 1) COPACOBANA Based on Xilinx FPGAs (Field Programmable Gate Arrays) ver. 1 based on 120 Spartan 3 FPGAs ver. 2 based on 128 Virtex 4 SX 35 FPGAs Description, FAQ, and news available at For ver. 1 based on Spartan FPGAs Clock frequency = 136 MHz Average search time for a single DS key = 6.4 days Worst case search time for a single DS key = 12.8 days 8

9 Secure key length today and in 20 years (against an intelligence agency with the budget of $300M) key length 93 bits 128 bits IDA, minimum key length in AS 112 bits Triple DS with three different keys 99 bits Secure key length in bits Skipjack 56 bits DS Secure key length in 2017 Secure key length - discussion increasing key length in a newly developed cipher costs NOTHING increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (Triple DS) It is economical to use TH SAM secure key length FOR ALL aplications The primary barriers blocking the use of symmetric ciphers with a secure key length have been of the political nature (e.g., export policy of USA) 9

10 Triple DS D mode with two keys encryption plaintext ciphertext Diffie, Hellman, 1977 Triple DS D mode with three keys encryption plaintext ciphertext Diffie, Hellman, 1977 encryption 56 K1 D 56 K1 encryption 56 K1 D 56 K1 D 56 K2 encryption 56 K2 D 56 K2 encryption 56 K2 encryption 56 K1 D 56 K1 encryption 56 K3 D 56 K3 ciphertext plaintext ciphertext plaintext Best Attacks Against Triple DS Version with three keys (168 bits of key) Meet-in-the-middle attack 2 32 known plaintexts steps 2 90 single DS encryptions, and 2 88 memory ffective key size = Version with two keys (112 bits of key) Advantages: Triple DS secure key length (112 or 168 bits) increased compared to DS resistance to linear and differential cryptanalysis possibility of utilizing existing implementations of DS Disadvantages: relatively slow, especially in software ffective key size =

11 Why a new standard? 1. Old standard insecure against brute-force attacks Advanced Standard AS 2. Straightforward fixes lead to inefficient implementations K1 K2 K3 Triple DS 3. New trends in fast software encryption use of basic instructions of the microprocessor 4. New ways of assessing cipher strength in differential cryptanalysis linear cryptanalysis out Why a contest? Focus the effort of cryptographic community Small number of specialists in the open research xternal format of the AS algorithm plaintext block 128 bits Stimulate the research on methods of constructing secure ciphers Avoid backdoor theories AS key 128, 192, 256 bits Speed-up the acceptance of the standard 128 bits ciphertext block 11

12 ach team submits Detailed cipher description Source code in C Rules of the contest Justification of design decisions Source code in Java Tentative results of cryptanalysis Test vectors June 1998 AS Contest ffort 15 Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Isreal, Korea, Japan, Australia, Costa Rica August final candidates Mars, RC6, Rijndael, Serpent, Twofish October winner: Rijndael Belgium Round 1 Security Software efficiency Round 2 Security Hardware efficiency AS contest - First Round 15 June 1998 Deadline for submitting candidates 21 submissions, 15 fulfilled all requirements August 1998 March 1999 August st AS Conference in Ventura, CA Presentation of candidates 2nd AS Conference in w Rome, Italy Review of results of the First Round analysis NIST announces five final candidates AS: Candidate algorithms North America (8) urope (4) Asia (2) Canada: CAST-256 Deal USA: Mars RC6 Twofish Safer+ HPC Costa Rica: Frog Germany: Magenta Belgium: Rijndael France: DFC Israel, UK, Norway: Serpent Korea: Crypton Japan: 2 Australia (1) Australia: LOKI97 12

13 AS Finalists (1) USA Mars - IBM C. Burwick, D. Coppersmith,. D Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O Connor, M. Peyravian, D. Safford, N. Zunic RC6 - RSA Data Security, Inc. R. Rivest - MIT M. Robshaw, R. Sidney, Y. L. Yin - RSA Twofish - Counterpane Systems B. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane, D.Whiting - Hi/fn, D. Wagner - Berkeley urope AS Finalists (2) Rijndael - J. Daemen, V. Rijmen Katholieke Universiteit Leuven Belgium Serpent - R. Anderson, Cambridge, ngland. Biham - Technion, Israel L. Knudsen, University of Bergen, Norway How NIST has made a final decision? BASIC CRITRIA = security software efficiency hardware efficiency flexibility Security 13

14 Security: Theoretical attacks better than exhaustive key search Security: Theoretical attacks better than exhaustive key search Serpent Serpent 28% 72% Twofish Twofish 38% 62% Mars without 16 mixing rounds Mars 69% 31% Rijndael Rijndael 70% 30% RC RC6 75% 25% # of rounds in the attack/total # of rounds # of rounds in the attack/total # of rounds 100% NIST Report: Security Security Margin High Adequate Serpent Rijndael RC6 MARS Twofish fficiency - What s more important: software or hardware? Simple Complex Complexity 14

15 Software or hardware? SOFTWAR low cost flexibility (new cryptoalgorithms, protection against new attacks) security of data during transmission HARDWAR speed random key generation access control to keys tamper resistance (viruses, internal attacks) fficiency indicators Primary efficiency indicators fficiency parameters Software Hardware Latency Throughput = Speed M i+2 M i M i+1 Speed Memory Speed Area Power consumption / C i Time to encrypt/decrypt a single block of data M i / Number of bits C i+2 encrypted/decrypted C i+1 in a unit of time C i Throughput = Block_size Number_of_blocks_processed_simultaneously Latency 15

16 fficiency in software fficiency in software: Code submitted by authors 200 MHz Pentium Pro, Borland C++ Speed [Mbits/s] 128-bit key 192-bit key bit key Rijndael RC6 Twofish Mars Serpent NIST Report: Software fficiency and Decryption Speed 32-bit processors 64-bit processors DSPs NIST Report: Software fficiency and speed in software on smart cards 8-bit processors 32-bit processors high medium RC6 Rijndael Mars Twofish Rijndael Twofish Mars RC6 Rijndael Twofish Mars RC6 high medium Rijndael RC6 Mars Twofish Rijndael RC6 Mars low Serpent Serpent Serpent low Serpent Twofish Serpent 16

17 fficiency in software Strong dependence on: 1. Instruction set architecture (e.g., variable rotations) 2. Programming language (assembler, C, Java) 3. Compiler fficiency in hardware 4. Programming style Primary ways of implementing cryptography in hardware ASIC Application Specific Integrated Circuit designs must be sent for expensive and time consuming fabrication in semiconductor foundry designed all the way from behavioral description to physical layout FPGA Field Programmable Gate Array bought off the shelf and reconfigured by designers themselves no physical layout design; design ends with a bitstream used to configure a device ASICs High performance Low power Low cost (but only in high volumes) Which way to go? FPGAs Off-the-shelf Low development costs Short time to the market Reconfigurability 17

18 fficiency in hardware: FPGA Virtex 1000: Speed Throughput [Mbit/s] Serpent I George Mason University University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars I ASIC implementations: NSA group bit key scheduling 3-in-1 (128, 192, 256 bit) key scheduling Rijndael Serpent Twofish RC6 Mars I1 Speed NIST Report + GMU Report: Hardware fficiency GMU FPGA Results Selecting the Winner Straw AS 3 conference High Rijndael Serpent Medium Twofish RC6 Low Small MARS Medium Large Area Rijndael second best in FPGAs, selected as a winner due to much better performance in software 72 18

19 Input, internal state, and output 128 bits = 16 bytes Order of bytes within input, internal state, and output arrays a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 1,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 column 0 column 1 column 2 column 3 a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 SubBytes S-box: substitution values for the byte xy (in hexadecimal notation) S-box a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 i,j a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 ba 1,2 b 1,3 i,j b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 Bytes are transformed by applying an invertible S-box One single S-box for the complete cipher 19

20 ShiftRows MixColumns a b c d e f g h i j k l m n o p no shift cyclic shift left by C1=1 cyclic shift left by C2=2 cyclic shift left by C3=3 a b c d f g h e k l i j p m n o a 0,0 a 0,1 a 0,20,j a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 1,j a 2,0 a 2,1 2,2 a a 2,3 a 3,0 a 3,1 a 2,j 3,2 a 3,3 a 3,j b 0,0 b 0,1 ba 0,j 0,2 b 0,3 b 1,0 b 1,1 a 1,2 b b 1,3 1,j b 2,0 b 2,1 a 2,2 b 2,3 b b 3,0 b 3,1 a 2,j 3,2 b 3,3 b 3,j High diffusion A difference in 1 input byte propagates to all 4 output bytes A difference in 2 input bytes propagates to at least 3 output bytes Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5) AddRoundKey a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 + k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 = b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 simple bitwise addition (xor) of round keys Block length 128 bits Nb=4 192 bits Nb=6 256 bits Nb=8 Number of rounds 128 bits Nk=4 Key length 192 bits Nk=6 256 bits Nk= required by the standard non-standard extensions 20

21 Pseudocode for AS encryption Modes of Operation of Block Ciphers Block vs. stream ciphers Typical stream cipher K M 1, M 2,, M n Block cipher K m 1, m 2,, m n Internal state - IS Stream cipher Sender key initialization vector (seed) Pseudorandom Key Generator Receiver key initialization vector (seed) Pseudorandom Key Generator C 1, C 2,, C n c 1, c 2,, c n k i keystream k i keystream C i =f K (M i ) c i = f K (m i, IS i ) IS i+1 =g K (m i, IS i ) very block of ciphertext is a function of only one corresponding block of plaintext very block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher m i plaintext c i ciphertext c i ciphertext m i plaintext 21

22 Standard modes of operation of block ciphers Block ciphers CB mode Stream ciphers Counter mode OFB mode CFB mode CBC mode CB (lectronic CodeBook) mode lectronic CodeBook Mode CB lectronic CodeBook Mode CB Decryption M 1 M 2 M 3 M N-1 M N C 1 C 2 C 3 C N-1 C N K K K K K K K K K K D D D D D C 1 C 2 C 3 C N-1 C N M 1 M 2 M 3 M N-1 M N C i = K (M i ) for i=1..n M i = K (C i ) for i=1..n 22

23 Criteria for Comparison of Modes of Operation hiding repeating message blocks speed capability for parallel processing and pipelining during encryption / use of block cipher operations (encryption only or both) capability for preprocessing during encryption / capability for random access for the purpose of reading / writing number of plaintext and ciphertext blocks required for exhaustive key search error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access Block Cipher Modes of Operation Basic Features (1) CB CTR OFB CFB CBC No s CB and and No R/W Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block rror propagation in the decrypted message Counter Mode Modification of j-bits Deletion of j bits Integrity L bits Current and all subsequent No 23

24 Counter Mode - CTR N-2 +N-1 K K K K K k 1 k 2 k 3 k N-1 k N Counter Mode - CTR Decryption N-2 +N-1 K K K K K k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i = K (+i-1) for i=1..n m 1 m 2 m 3 m N-1 m N m i = c i Å k i k i = K (+i-1) for i=1..n K counter IN OUT 1 L m i c i Counter Mode - CTR c i K counter 1 L 1 L IS 1 = c i = K (IS i ) Å m i IS i+1 = IS i +1 IN OUT 1 L m i m 1 m 2 m 3 J-bit Counter Mode - CTR N-2 +N-1 K K K K K j k 1 k 2 k 3 k N-1 k N j j j j j j j j j m N-1 m N j j j j j c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i = (+i-1)[1..j] for i=1..n 24

25 K J-bit Counter Mode - CTR counter counter 1 L 1 L IN IN K OUT OUT j bits L-j bits j bits L-j bits 1 j L 1 j L c i c i m i m i Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access Block Cipher Modes of Operation Basic Features (1) CB CTR OFB CFB CBC No s CB and and No R/W Yes»j/L s CB and only Yes R/W Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block rror propagation in the decrypted message OFB (Output FeedBack) Mode Modification of j-bits Deletion of j bits Integrity L bits No j bits Current and Current and all subsequent all subsequent No 25

26 Output Feedback Mode - OFB Output Feedback Mode - OFB Decryption k 1 k 2 k 3 k N-1 k N k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N c i = m i Å k i k i = K (k i-1 ) for i=1..n, and k 0 = m i = c i Å k i k i = K (k i-1 ) for i=1..n, and k 0 = Output Feedback Mode - OFB J-bit Output Feedback Mode - OFB shift shift 1 L 1 L L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L K IN OUT 1 L IS 1 = c i = K (IS i ) Å m i IS i+1 = K (IS i ) K IN OUT 1 L K IN OUT j bits L-j bits 1 j L K IN OUT j bits L-j bits 1 j L c i c i c i c i m i m i m i m i 26

27 Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access Block Cipher Modes of Operation Basic Features (1) CB CTR OFB CFB CBC No Yes Yes s CB and and»j/l s CB and only»j/l s CB None only No Yes Yes R/W R/W No Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed rror propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) L bits j bits j bits Current and Current and all subsequent all subsequent Current and all subsequent No No No Cipher Feedback Mode - CFB CFB (Cipher FeedBack) Mode k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i = K (c i-1 ) for i=1..n, and c 0 = 27

28 Cipher Feedback Mode - CFB Decryption k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N K Cipher Feedback Mode - CFB IN 1 L 1 L OUT 1 L IS 1 = c i = K (IS i ) Å m i IS i+1 = c i K IN OUT 1 L c 1 c 2 c 3 c N-1 c N c i c i m i = c i Å k i k i = K (c i-1 ) for i=1..n, and c 0 = m i m i K shift j bits J-bit Cipher Feedback Mode - CFB IN OUT L-j bits 1 j L m i c i c i K shift L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L j bits IN OUT L-j bits 1 j L m i Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access Block Cipher Modes of Operation Basic Features (1) CB CTR OFB CFB CBC No Yes Yes Yes s CB»j/L s CB»j/L s CB»j/L s CB and and and only None only Decryption only only No Yes Yes No R/W R/W No R only 28

29 Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block rror propagation in the decrypted message 2 plaintext blocks, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks (for j=l) CBC (Cipher Block Chaining) Mode Modification of j-bits Deletion of j bits Integrity L bits j bits j bits L+j bits Current and Current and all subsequent all subsequent Current and all subsequent L bits No No No No Cipher Block Chaining Mode - CBC m 1 m 2 m 3 m N-1 m N Cipher Block Chaining Mode - CBC Decryption c 1 c 2 c 3 c N-1 c N D D D D D c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N c i = K (m i Å c i-1 ) for i=1..n c 0 = m i = D K (c i ) Å c i-1 for i=1..n c 0 = 29

30 Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access Block Cipher Modes of Operation Basic Features (1) CB CTR OFB CFB CBC No Yes Yes Yes Yes s CB»j/L s CB»j/L s CB»j/L s CB»s CB and and and only None only Decryption only only Decryption only and No Yes Yes No No R/W R/W No R only R only Block Cipher Modes of Operation Basic Features (2) CB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed rror propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks L bits j bits j bits L+j bits L+j bits Current and Current and all subsequent all subsequent Current and all subsequent L bits Current and all subsequent No No No No No valuation Criteria for Modes of Operation Security New modes of operation fficiency Functionality 30

31 Security fficiency valuation criteria (1) resistance to attacks proof of security random properties of the ciphertext number of calls of the block cipher capability for parallel processing memory/area requirements initialization time capability for preprocessing valuation criteria (2) Functionality security services - confidentiality, integrity, authentication flexibility - variable lengths of blocks and keys - different amount of precomputations - requirements on the length of the message vulnerability to implementation errors requirements on the amount of keys, initialization vectors, random numbers, etc. error propagation and the capability for resynchronization patent restrictions m 1 m 2 m 3 CBC m N-1 m N m 0 m 1 m 2 Counter mode N-1 +N k 0 k 1 k 2 k N-1 k N m N-1 m N c 1 c 2 c 3 c N-1 c N Problems: - No parallel processing of blocks from the same packet - No speed-up by preprocessing - No integrity or authentication c 0 c 1 c 2 c N-1 c N Features: + Potential for parallel processing + Speed-up by preprocessing - No integrity or authentication 31

32 Properties of existing and new cipher modes New CBC CFB OFB standard Proof of security 0 OCB - Offset Codebook Mode M 1 M 2 M N-1 M N Control sum length Parallel processing Preprocessing only L Z 1 Z 2 Z N-1 g(l) Z N Z N Integrity and authentication Resistance to implementation errors R C 1 Z 1 C 2 Z 2 Z N-1 C N-1 C N Z i =f(l, R, i) M N t bits T New modes of block ciphers 1. CCM - Counter with CBC-MAC developed by R. Housley, D. Whiting, N. Ferguson in 2002 assures simultaneous confidentiality and authentication not covered by any patent part of the I i standard for wireless networks 2. GCM Galois/Counter Mode developed by D. McGrew and J. Viega in 2005 assures simultaneous confidentiality and authentication not covered by any patent used in the I 802.1A (MACsec) thernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), I P tape storage, and ITF IPSec standards Properties of new modes of operation Proof of security Parallel processing Preprocessing Integrity and authentication Resistance to implementation errors CBC CFB OFB CTR CCM only Half of operations Half of Half of operations operations GCM 32

33 Confidentiality & Authentication Authenticated Ciphers Bob Alice CASAR Contest K AB N Message Authenticated Cipher K AB N Ciphertext Authenticated Cipher Decryption Tag N Ciphertext Tag invalid or Message K AB - Secret key of Alice and Bob N Nonce or Initialization Vector Confidentiality & Authentication Authenticated Ciphers Npub Nsec AD Message Key AB Npub nc Nsec AD Ciphertext Npub nc Nsec AD Ciphertext Key AB or Decryption Tag Tag Invalid Nsec AD Message Npub - Public Message Number Nsec - Secret Message Number nc Nsec - ncrypted Secret Message Number AD - Associated Data K AB - Secret key of Alice and Bob IX.1997 X.2000 AS Cryptographic Standard Contests NSSI I.2000 XII.2002 CRYPTRC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estram 51 hash functions 1 winner.2008 X.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners I CASAR time 33