ECE 646 Lecture 7. Secret-Key Ciphers. Data Encryption Standard DES

Transcription

1 ECE 646 Lecture 7 Secret-Key Ciphers Data Encryption Standard DES 1

2 NBS public request for a standard cryptographic algorithm May 15, 1973, August 27, 1974 The algorithm must be: secure public - completely specified - easy to understand - available to all users economic and efficient in hardware able to be validated exportable Secret agreement between IBM & NSA, 1974 Obligations of IBM: Algorithm developed in secret by IBM NSA reserved a right to monitor the development and propose changes No software implementations, just hardware chips IBM not allowed to ship implementations to certain countries License required to ship to carefully selected customers in approved countries Obligations of NSA: seal of approval 2

3 DES - chronicle of events NBS issues a public request for proposals for a standard cryptographic algorithm first publication of the IBM s algorithm and request for comments NBS organizes two workshops to evaluate the algorithm official publication as FIPS PUB 46: Data Encryption Standard 1983, 1987, recertification of the algorithm for another five years software implementations allowed to be validated Controversies surrounding DES Unknown design criteria Most criteria reconstructed from cipher analysis 1990 Reinvention of differential cryptanalysis Slow in software Only hardware implementations certified 1993 Software, firmware and hardware treated equally Too short key Theoretical designs of DES breaking machines 1998 Practical DES cracker built 3

4 Life of DES American standards DES 56 bit key AES 2002 contest Triple DES 112, 168 bit 168 bit only AES - Rijndael 128, 192, and 256 bit keys Other popular algorithms IDEA RC5 Blowfish CAST Serpent Twofish RC6 Mars DES - external look plaintext block 64 bits DES ciphertext block key 56 bits 64 bits 4

5 Typical Flow Diagram of a Secret-Key Block Cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final transformation DES high-level internal structure 5

6 Classical Feistel Network plaintext = L 0 R 0 for i=1 to n { L i =R i-1 R i =L i-1 Å f(r i-1, K i ) } L n+1 = R n R n+1 = L n ciphertext = L n+1 R n+1 L 0 R 0 f IP K 1 DES Main Loop Feistel Structure L 1 R 1 f L 2 R L 15 R 15 f K 2 K 16 L n+1 =R n R n+1 =L n Å f(r n, K n+1 ) R 16 L 16 IP -1 6

7 Feistel Structure Encryption Decryption L n R n L n R n f K n+1 f K n+1 L n+1 R n+1 L n+1 R n+1 L n+1, R n+1?? f K n+1 L n, R n?? IP -1 Decryption IP L 0 R 0 R 16 L 16 f K 1 f K 16 L 1 R 1 R 15 L 15 f K 2 f K 15 L 2 R R 14 L L 15 R 15 R 1 L 1 f K 16 f K 1 R 16 L 16 L 0 R 0 IP IP -1 7

8 Mangler Function of DES, F 8

9 Notation for Permutations Input i 1 i 2 i 3 i 4 i 5 i 6 i 7 i 8 i 9 i 10 i 56 i 57 i 58 i 59 i 60 i 61 i 62 i 63 i i 58 i 50 i 42 i 34 i 26 i 18 i 10 i 2 i 5 i 63 i 55 i 47 i 39 i 31 i 23 i 15 i 7 Output 9

10 Notation for S-boxes Input i 1 i 2 i 3 i 4 i 5 i 6 i 1 i 6 determines a row number in the S-box table, 0..3 i 2 i 3 i 4 i 5 determine a column in the S-box table, o 1 o 2 o 3 o 4 is a binary representation of a number from in the given row and the given column o 1 o 2 o 3 o 4 Output 10

11 1. Randomness General design criteria of DES 2. Avalanche property changing a single bit at the input changes on average half of the bits at the output 3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits) 4. Nonlinearity encryption function is non-affine for any value of the key 5. Correlation immunity output bits are statistically independent of any subset of input bits 11

12 Completeness property Every output bit is a complex function of all input bits (and not just a subset of input bits) Formal requirement: For all values of i and j, i=1..64, j=1..64 there exist inputs X 1 and X 2, such that X 1 x 1 x 2 x 3... x i-1 0 x i+1... x 63 x 64 X 2 x 1 x 2 x 3... x i-1 1 x i+1... x 63 x 64 Y 1 = DES(X 1 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64 Y 2 = DES(X 2 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64 Linear Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] or T(X 1 Å X 2 ) = T(X 1 ) Å T(X 2 ) Affine Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] Å B [n x 1] 12

13 Linear Transformations of DES IP, IP -1, E, PC1, PC2, SHIFT e.g., IP(X 1 Å X 2 ) = IP(X 1 ) Å IP( X 2 ) Non-Linear and non-affine transformations of DES There are no such matrices A [4x6] and B [4x1] that S S(X [6x1] ) = A [4x6] X [6x1] Å B [4x1] Design of S-boxes S[0..15] S in out = S[in] 16!» possibilities precisely defined initially unpublished criteria resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir) 13

14 Project: Method: Theoretical design of the specialized machine to break DES Basic component: Michael Wiener, Entrust Technologies, 1993, 1997 exhaustive key search attack specialized integrated circuit in CMOS technology, 75 MHz Checks: 200 mln keys per second Costs: $10 Total cost $ 1 mln $ Estimated time 35 minutes 6 hours DES breaking machine known ciphertext key counter Round key Encryption Round 1 key 1 Key Scheduling Round 1 Encryption Round Round key 2 Key Scheduling Round plaintext Encryption Round 16 comparator Round key 16 known plaintext Key Scheduling Round 16 14

15 Deep Crack Electronic Frontier Foundation, 1998 Total cost: $220,000 Average time of search: 4.5 days/key 1800 ASIC chips, 40 MHz clock Deep Crack Parameters Number of ASIC chips 1800 Clock frequency 40 MHz Number of clock cycles per key 16 Number of search units per ASIC Search speed Average time to recover the key bln keys/s 4.5 days 15

16 COPACOBANA Cost-Optimized Parallel COde Breaker Ruhr University, Bochum, University of Kiel, Germany, 2006 Cost: 8980 (ver. 1) COPACOBANA Based on Xilinx FPGAs (Field Programmable Gate Arrays) ver. 1 based on 120 Spartan 3 FPGAs ver. 2 based on 128 Virtex 4 SX 35 FPGAs Description, FAQ, and news available at For ver. 1 based on Spartan FPGAs Clock frequency = 136 MHz Average search time for a single DES key = 6.4 days Worst case search time for a single DES key = 12.8 days 16

17 17

18 Secure key length today and in 20 years (against an intelligence agency with the budget of $300M) key length 128 bits IDEA, minimum key length in AES 112 bits Triple DES with three different keys 99 bits Secure key length in bits 80 bits Skipjack Secure key length in bits DES Secure key length - discussion increasing key length in a newly developed cipher costs NOTHING increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (Triple DES) It is economical to use THE SAME secure key length FOR ALL aplications The primary barriers blocking the use of symmetric ciphers with a secure key length have been of the political nature (e.g., export policy of USA) 18

19 Triple DES EDE mode with two keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K1 D decryption 56 K1 ciphertext plaintext Triple DES EDE mode with three keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K3 D decryption 56 K3 ciphertext plaintext 19

20 Best Attacks Against Triple DES Version with three keys (168 bits of key) Meet-in-the-middle attack 2 32 known plaintexts steps 2 90 single DES encryptions, and 2 88 memory Effective key size = Version with two keys (112 bits of key) Effective key size = 2 80 Advantages: Triple DES secure key length (112 or 168 bits) increased compared to DES resistance to linear and differential cryptanalysis possibility of utilizing existing implementations of DES Disadvantages: relatively slow, especially in software 20

21 Advanced Encryption Standard AES Why a new standard? 1. Old standard insecure against brute-force attacks 2. Straightforward fixes lead to inefficient implementations Triple DES in K1 K2 K3 out 3. New trends in fast software encryption use of basic instructions of the microprocessor 4. New ways of assessing cipher strength differential cryptanalysis linear cryptanalysis 21

22 Why a contest? Focus the effort of cryptographic community Small number of specialists in the open research Stimulate the research on methods of constructing secure ciphers Avoid backdoor theories Speed-up the acceptance of the standard External format of the AES algorithm plaintext block 128 bits AES key 128, 192, 256 bits 128 bits ciphertext block 22

23 Each team submits Rules of the contest Detailed cipher description Justification of design decisions Tentative results of cryptanalysis Source code in C Source code in Java Test vectors June 1998 AES Contest Effort 15 Candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Isreal, Korea, Japan, Australia, Costa Rica August final candidates Mars, RC6, Rijndael, Serpent, Twofish October winner: Rijndael Belgium Round 1 Security Software efficiency Round 2 Security Hardware efficiency 23

24 AES contest - First Round 15 June 1998 Deadline for submitting candidates 21 submissions, 15 fulfilled all requirements August 1998 March 1999 August st AES Conference in Ventura, CA Presentation of candidates 2nd AES Conference in w Rome, Italy Review of results of the First Round analysis NIST announces five final candidates AES: Candidate algorithms North America (8) Europe (4) Asia (2) Canada: CAST-256 Deal USA: Costa Rica: Mars RC6 Twofish Safer+ HPC Frog Germany: Magenta Belgium: Rijndael France: DFC Israel, UK, Norway: Serpent Korea: Crypton Japan: E2 Australia (1) Australia: LOKI97 24

25 USA AES Finalists (1) Mars - IBM C. Burwick, D. Coppersmith, E. D Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O Connor, M. Peyravian, D. Safford, N. Zunic RC6 - RSA Data Security, Inc. R. Rivest - MIT M. Robshaw, R. Sidney, Y. L. Yin - RSA Twofish - Counterpane Systems B. Schneier, J. Kelsey, C. Hall, N. Ferguson - Counterpane, D.Whiting - Hi/fn, D. Wagner - Berkeley Europe AES Finalists (2) Rijndael - J. Daemen, V. Rijmen Katholieke Universiteit Leuven Belgium Serpent - R. Anderson, Cambridge, England E. Biham - Technion, Israel L. Knudsen, University of Bergen, Norway 25

26 How NIST has made a final decision? BASIC CRITERIA = security software efficiency hardware efficiency flexibility Security 26

27 Security: Theoretical attacks better than exhaustive key search Serpent Twofish Mars without 16 mixing rounds Rijndael RC # of rounds in the attack/total # of rounds Security: Theoretical attacks better than exhaustive key search Serpent Twofish Mars Rijndael RC6 28% 72% 38% 62% 69% 31% 70% 30% 75% 25% # of rounds in the attack/total # of rounds 100% 27

28 Security Margin NIST Report: Security High Serpent MARS Twofish Adequate Rijndael RC6 Simple Complex Complexity Efficiency - What s more important: software or hardware? 28

29 Software or hardware? SOFTWARE security of data during transmission HARDWARE speed low cost flexibility (new cryptoalgorithms, protection against new attacks) random key generation access control to keys tamper resistance (viruses, internal attacks) Efficiency indicators 29

30 Primary efficiency indicators Software Hardware Speed Memory Speed Area Power consumption Efficiency parameters Latency Throughput = Speed M i+2 M i Encryption/ decryption C i Time to encrypt/decrypt a single block of data M i+1 M i Encryption/ decryption Number of bits C i+2 encrypted/decrypted C i+1 in a unit of time C i Throughput = Block_size Number_of_blocks_processed_simultaneously Latency 30

31 Efficiency in software Efficiency in software: Code submitted by authors 200 MHz Pentium Pro, Borland C++ Speed [Mbits/s] 128-bit key 192-bit key bit key Rijndael RC6 Twofish Mars Serpent 31

32 NIST Report: Software Efficiency Encryption and Decryption Speed 32-bit processors 64-bit processors DSPs high RC6 Rijndael Twofish Rijndael Twofish medium Rijndael Mars Twofish Mars RC6 Mars RC6 low Serpent Serpent Serpent NIST Report: Software Efficiency Encryption and decryption speed in software on smart cards high medium low 8-bit processors Rijndael RC6 Mars Twofish Serpent 32-bit processors Rijndael RC6 Mars Twofish Serpent 32

33 Efficiency in software Strong dependence on: 1. Instruction set architecture (e.g., variable rotations) 2. Programming language (assembler, C, Java) 3. Compiler 4. Programming style Efficiency in hardware 33

34 Primary ways of implementing cryptography in hardware ASIC Application Specific Integrated Circuit designs must be sent for expensive and time consuming fabrication in semiconductor foundry designed all the way from behavioral description to physical layout FPGA Field Programmable Gate Array bought off the shelf and reconfigured by designers themselves no physical layout design; design ends with a bitstream used to configure a device Which way to go? ASICs High performance Low power Low cost (but only in high volumes) FPGAs Off-the-shelf Low development costs Short time to the market Reconfigurability 34

35 Efficiency in hardware: FPGA Virtex 1000: Speed Throughput [Mbit/s] Serpent I George Mason University University of Southern California Worcester Polytechnic Institute 149 Rijndael Twofish Serpent RC6 Mars I ASIC implementations: NSA group bit key scheduling 3-in-1 (128, 192, 256 bit) key scheduling Rijndael Serpent Twofish RC6 Mars I1 35

36 NIST Report + GMU Report: Hardware Efficiency Speed High Rijndael Serpent Medium Twofish RC6 Low MARS Small Medium Large Area Selecting the Winner GMU FPGA Results Straw AES 3 conference Rijndael second best in FPGAs, selected as a winner due to much better performance in software 72 36

37 Input, internal state, and output 128 bits = 16 bytes a 0,0 a 1,0 a 2,0 a 3,0 a 0,1 a 1,1 a 2,1 a 3,1 a 0,2 a 1,2 a 2,2 a 3,2 a 0,3 a 1,3 a 2,3 a 3,3 column 0 column 1 column 2 column 3 a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 Order of bytes within input, internal state, and output arrays 37

38 SubBytes S-box a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 i,j a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 ba 1,2 b 1,3 i,j b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 Bytes are transformed by applying an invertible S-box One single S-box for the complete cipher S-box: substitution values for the byte xy (in hexadecimal notation) 38

39 ShiftRows a b c d e f g h i j k l m n o p no shift cyclic shift left by C1=1 cyclic shift left by C2=2 cyclic shift left by C3=3 a b c d f g h e k l i j p m n o MixColumns a 0,0 a 0,1 a 0,20,j a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 1,j a 2,0 a 2,1 2,2 a a 2,3 a 3,0 a 3,1 a 2,j 3,2 a 3,3 a 3,j b 0,0 b 0,1 ba 0,j 0,2 b 0,3 b 1,0 b 1,1 ba 1,2 b 1,3 1,j b 2,0 b 2,1 a 2,2 b 2,3 b b 3,0 b 3,1 a 2,j 3,2 b 3,3 b 3,j High diffusion A difference in 1 input byte propagates to all 4 output bytes A difference in 2 input bytes propagates to at least 3 output bytes Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5) 39

40 AddRoundKey a 0,0 a 0,1 a 0,2 a 0,3 a 1,0 a 1,1 a 1,2 a 1,3 a 2,0 a 2,1 a 2,2 a 2,3 a 3,0 a 3,1 a 3,2 a 3,3 + k 0,0 k 0,1 k 0,2 k 0,3 k 1,0 k 1,1 k 1,2 k 1,3 k 2,0 k 2,1 k 2,2 k 2,3 k 3,0 k 3,1 k 3,2 k 3,3 = b 0,0 b 0,1 b 0,2 b 0,3 b 1,0 b 1,1 b 1,2 b 1,3 b 2,0 b 2,1 b 2,2 b 2,3 b 3,0 b 3,1 b 3,2 b 3,3 simple bitwise addition (xor) of round keys Number of rounds Key length Block length 128 bits Nk=4 192 bits Nk=6 256 bits Nk=8 128 bits Nb=4 192 bits Nb=6 256 bits Nb= required by the standard non-standard extensions 40

41 Pseudocode for AES encryption Modes of Operation of Block Ciphers 41

42 Block vs. stream ciphers M 1, M 2,, M n m 1, m 2,, m n K Block cipher K Internal state - IS Stream cipher C 1, C 2,, C n c 1, c 2,, c n C i =f K (M i ) c i = f K (m i, IS i ) IS i+1 =g K (m i, IS i ) Every block of ciphertext is a function of only one corresponding block of plaintext Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher Typical stream cipher Sender key initialization vector (seed) Receiver key initialization vector (seed) Pseudorandom Key Generator Pseudorandom Key Generator k i keystream k i keystream m i plaintext c i ciphertext c i ciphertext m i plaintext 42

43 Standard modes of operation of block ciphers Block ciphers Stream ciphers ECB mode Counter mode OFB mode CFB mode CBC mode ECB (Electronic CodeBook) mode 43

44 Electronic CodeBook Mode ECB Encryption M 1 M 2 M 3 M N-1 M N K K K K K E E E E E... C 1 C 2 C 3 C N-1 C N C i = E K (M i ) for i=1..n Electronic CodeBook Mode ECB Decryption C 1 C 2 C 3 C N-1 C N K K K K K D D D D D... M 1 M 2 M 3 M N-1 M N M i = E K (C i ) for i=1..n 44

45 Criteria for Comparison of Modes of Operation hiding repeating message blocks speed capability for parallel processing and pipelining during encryption / decryption use of block cipher operations (encryption only or both) capability for preprocessing during encryption / decryption capability for random access for the purpose of reading / writing number of plaintext and ciphertext blocks required for exhaustive key search error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access ECB CTR OFB CFB CBC No s ECB Encryption and decryption Encryption and decryption No R/W 45

46 Block Cipher Modes of Operation Basic Features (2) ECB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block Error propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits Current and all subsequent No Counter Mode 46

47 Counter Mode - CTR Encryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i = E K (IV+i-1) for i=1..n Counter Mode - CTR Decryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E E... k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i Å k i k i = E K (IV+i-1) for i=1..n 47

48 IV Counter Mode - CTR IV counter counter 1 L 1 L IN IN K E K E OUT 1 L OUT 1 L c i c i IS 1 = IV m i m i c i = E K (IS i ) Å m i IS i+1 = IS i +1 m 1 m 2 m 3 J-bit Counter Mode - CTR IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E E... j k 1 k 2 k 3 k N-1 k N j j j j j j j j j m N-1 m N j j j j j c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i = E(IV+i-1)[1..j] for i=1..n 48

49 IV J-bit Counter Mode - CTR IV counter counter 1 L 1 L IN IN K E K E OUT OUT j bits L-j bits j bits L-j bits 1 j L 1 j L c i c i m i m i Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining ECB CTR OFB CFB CBC No s ECB Encryption and decryption Yes»j/L s ECB Encryption and decryption Cipher operations Preprocessing Random access Encryption and decryption No R/W Encryption only Yes R/W 49

50 Block Cipher Modes of Operation Basic Features (2) ECB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext 1 plaintext block, block, 1 ciphertext 1 ciphertext block block Error propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits Current and all subsequent No j bits Current and all subsequent No OFB (Output FeedBack) Mode 50

51 IV E Output Feedback Mode - OFB Encryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i =E K (k i-1 ) for i=1..n, and k 0 = IV IV E Output Feedback Mode - OFB Decryption... E E E E... k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i Å k i k i =E K (k i-1 ) for i=1..n, and k 0 = IV 51

52 Output Feedback Mode - OFB IV IV 1 L 1 L IN IN K E K E OUT 1 L IS 1 = IV c i = E K (IS i ) Å m i IS i+1 = E K (IS i ) OUT 1 L c i c i m i m i J-bit Output Feedback Mode - OFB IV shift shift IV L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L IN IN K E K E OUT j bits L-j bits OUT j bits L-j bits 1 j L 1 j L c i c i m i m i 52

53 Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access ECB CTR OFB CFB CBC No Yes Yes s ECB Encryption and decryption Encryption and decryption»j/l s ECB Encryption and decryption Encryption only»j/l s ECB None Encryption only No Yes Yes R/W R/W No Block Cipher Modes of Operation Basic Features (2) ECB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) Error propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits j bits j bits Current and all subsequent Current and all subsequent Current and all subsequent No No No 53

54 CFB (Cipher FeedBack) Mode IV E Cipher Feedback Mode - CFB Encryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i Å k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV 54

55 IV E Cipher Feedback Mode - CFB Decryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N m i = c i Å k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV Cipher Feedback Mode - CFB IV IV 1 L 1 L IN IN K E IS 1 = IV K E OUT 1 L c i = E K (IS i ) Å m i IS i+1 = c i OUT 1 L c i c i m i m i 55

56 J-bit Cipher Feedback Mode - CFB IV IV shift shift L-j bits j bits L-j bits j bits 1 L-j L 1 L-j L IN IN K E K E OUT j bits L-j bits OUT j bits L-j bits 1 j L 1 j L c i c i m i m i Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access ECB CTR OFB CFB CBC No Yes Yes Yes s ECB»j/L s ECB»j/L s ECB»j/L s ECB Encryption and decryption Encryption and decryption Encryption and decryption Encryption only None Encryption only Decryption only Encryption only No Yes Yes No R/W R/W No R only 56

57 Block Cipher Modes of Operation Basic Features (2) ECB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks (for j=l) Error propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits j bits j bits L+j bits Current and all subsequent Current and all subsequent Current and all subsequent L bits No No No No CBC (Cipher Block Chaining) Mode 57

58 Cipher Block Chaining Mode - CBC Encryption IV m 1 m 2 m 3... m N-1 m N E E E E E... c 1 c 2 c 3 c N-1 c N c i = E K (m i Å c i-1 ) for i=1..n c 0 =IV Cipher Block Chaining Mode - CBC Decryption c 1 c 2 c 3 c N-1 c N IV D D D... D D... m 1 m 2 m 3 m N-1 m N m i = D K (c i ) Å c i-1 for i=1..n c 0 =IV 58

59 Block Cipher Modes of Operation Basic Features (1) Hiding repeating plaintext blocks Basic speed Capability for parallel processing and pipelining Cipher operations Preprocessing Random access ECB CTR OFB CFB CBC No Yes Yes Yes Yes s ECB»j/L s ECB»j/L s ECB»j/L s ECB»s ECB Encryption and decryption Encryption and decryption Encryption and decryption Encryption only None Encryption only Decryption only Encryption only Decryption only Encryption and decryption No Yes Yes No No R/W R/W No R only R only Block Cipher Modes of Operation Basic Features (2) ECB CTR OFB CFB CBC Security against the exhaustive key search attack Minimum number of the message and ciphertext blocks needed 1 plaintext block, 1 ciphertext block 1 plaintext block, 1 ciphertext block 2 plaintext blocks, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks (for j=l) 1 plaintext block, 2 ciphertext blocks Error propagation in the decrypted message Modification of j-bits Deletion of j bits Integrity L bits j bits j bits L+j bits L+j bits Current and all subsequent Current and all subsequent Current and all subsequent L bits Current and all subsequent No No No No No 59

60 New modes of operation Evaluation Criteria for Modes of Operation Security Efficiency Functionality 60

61 Security Evaluation criteria (1) Efficiency resistance to attacks proof of security random properties of the ciphertext number of calls of the block cipher capability for parallel processing memory/area requirements initialization time capability for preprocessing Evaluation criteria (2) Functionality security services - confidentiality, integrity, authentication flexibility - variable lengths of blocks and keys - different amount of precomputations - requirements on the length of the message vulnerability to implementation errors requirements on the amount of keys, initialization vectors, random numbers, etc. error propagation and the capability for resynchronization patent restrictions 61

62 CBC IV m 1 m 2 m 3... m N-1 m N E E E E E... c 1 c 2 c 3 c N-1 c N Problems: - No parallel processing of blocks from the same packet - No speed-up by preprocessing - No integrity or authentication Counter mode IV IV+1 IV+2 IV+N-1 IV+N... E E E E E... k 0 k 1 k 2 k N-1 k N m 0 m 1 m 2 m N-1 m N c 0 c 1 c 2 c N-1 c Features: N + Potential for parallel processing + Speed-up by preprocessing - No integrity or authentication 62

63 Properties of existing and new cipher modes Proof of security CBC CFB OFB New standard Parallel processing Preprocessing Integrity and authentication Resistance to implementation errors decryption only OCB - Offset Codebook Mode IV 0 M 1 M 2 M N-1 M N Control sum length E Z 1 Z 2 Z N-1 g(l) Z N Z N L E E... E E E E Z 1 Z 2 Z N-1 M N t bits R C 1 C 2 C N-1 C N T Z i =f(l, R, i) 63

64 New modes of block ciphers 1. CCM - Counter with CBC-MAC developed by R. Housley, D. Whiting, N. Ferguson in 2002 assures simultaneous confidentiality and authentication not covered by any patent part of the IEEE i standard for wireless networks 2. GCM Galois/Counter Mode developed by D. McGrew and J. Viega in 2005 assures simultaneous confidentiality and authentication not covered by any patent used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P tape storage, and IETF IPSec standards Properties of new modes of operation CBC CFB OFB CTR CCM GCM Proof of security Parallel processing Preprocessing Integrity and authentication only decryption Half of operations Half of Half of operations operations Resistance to implementation errors 64

65 CAESAR Contest Confidentiality & Authentication Authenticated Ciphers Bob Alice N Message N Ciphertext Tag K AB Authenticated Cipher Encryption K AB Authenticated Cipher Decryption N Ciphertext Tag invalid or Message K AB - Secret key of Alice and Bob N Nonce or Initialization Vector 65

66 Confidentiality & Authentication Authenticated Ciphers Npub Nsec AD Message Npub Enc Nsec AD Ciphertext Tag Key AB Encryption Key AB Decryption Npub Enc Nsec AD Ciphertext or Tag Invalid Nsec AD Message Npub - Public Message Number Nsec - Secret Message Number Enc Nsec - Encrypted Secret Message Number AD - Associated Data K AB - Secret key of Alice and Bob IX.1997 X.2000 AES Cryptographic Standard Contests NESSIE I.2000 XII.2002 CRYPTREC 34 stream 4 HW winners ciphers + 4 SW winners 15 block ciphers 1 winner XI.2004 estream 51 hash functions 1 winner IV.2008 X.2007 X.2012 SHA-3 57 authenticated ciphers multiple winners I CAESAR time 66