Symmetric Key Algorithms

Definition
A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Block cipher and stream cipher
There are two main families of symmetric key algorithms:
Block cipher: the input is a set of bits, i.e. larger than 64
Stream cipher: the input is a single bit/byte or 32 bits

Structure of a Block Cipher
The block cipher is divided into two distinct parts, the key schedule and the data path.
[Figure: block diagram with secret key, KEY SCHEDULE, plaintext, DATA PATH, ciphertext]

The Data Path
To obtain a regular structure, the data path is composed of a function called round that is repeated a fixed number of times.
This is necessary since no function has been found that exhibits the necessary properties in a single application.

The Key Schedule
The key schedule processes the secret key and derives from it the round keys used by the round.
Generally the secret key is not used as it is in the round, in order to increase the dependency of each bit of the ciphertext on every bit of the secret key.

Example
The most popular block cipher is the Data Encryption Standard (DES).
It was designed in the 70s by IBM, with a magic touch from the NSA (National Security Agency).

DES structure
DES is structured in two parts: key schedule and data path.
The block size is 64 bits, while the secret key is 56 bits.
The round function is inspired by the Feistel function.

Feistel round
Depending on the properties of the function, the round is iterated a certain number of times.
The function f does not need to be invertible!
This can be seen by deriving the equations of $L_i$ and $R_i$ as functions of $L_{i+1}$ and $R_{i+1}$.
[Figure: Feistel round with $L_i$, $R_i$, the function f, the ROUND KEY, an addition (+), $L_{i+1}$ and $R_{i+1}$]

DES Structure
The DES round is iterated 16 times.
An initial transformation is applied before the first round; it is just a bit rearrangement, not useful for security, but it helps hw design.
Before the data is output, the inverse of the initial transformation is applied.

DES round
4 transformations compose the f function of DES:
Expansion
Key addition
SBOX
Permutation
[Figure: DES round function with 32-bit input, EXPANSION to 48 bits, addition (+) of the 48-bit ROUND KEY, SBOXes S1 to S8, and 32-bit PERMUTATION]

DES Expansion
The right word is expanded from 32 bits to 48.
The E-box simply duplicates some bits, those in positions 1, 4, 5, 9, 10, 14, 15
[Figure: mapping of the 32 input bits onto the 48 output bits]

DES Sboxes
The design criteria of the SBOXes were hidden for a long time; the only way to represent them is through a look-up table.
The 8 SBOXes are all different and are indicated with S1 to S8.
All take a 6-bit input and return a 4-bit output.

DES permutation
The 32 output bits of the SBOXes are permuted; all bits are used once, and no bits are discarded.
It is a simple rearrangement of the bits.

DES key schedule
The key schedule is very simple and has the property of giving the original key as its final output.
[Figure: DES key schedule. The 64-bit SECRET KEY passes through PC-1 to give the 56 bits of C0 and D0 (28 bits each); the halves are shifted by LS 1 to LS 16 to give C1, D1 to C16, D16, and PC-2 extracts the 48-bit SUB KEY 1 to SUB KEY 16]

DES key schedule
PC-1 extracts 56 bits, ignoring the 8th bit of every byte, so 64 bits are used to store the key and the 8th bit of every byte can be used to check the parity.
PC-2 extracts a fixed set of bits in order to obtain the 48-bit round key.
The key is shifted by one bit position for rounds 1, 2, 9 and 16, and by two bit positions in the other rounds.

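The shift amounts on the key schedule slide can be checked directly. The following is an added example, not part of the original slides: it models only the LS rotations of the two 28-bit halves after PC-1 (the PC-1 and PC-2 bit tables are left out), and the function names and sample halves are assumptions made for the illustration. It shows that the shifts add up to 28, so C16, D16 equal C0, D0, and that halves made only of zeros or only of ones never change, so PC-2 would select the same round key in every round.

```python
# Added illustration: models only the LS rotations of the two 28-bit halves
# (C, D) after PC-1. The PC-1 and PC-2 bit tables are deliberately left out.
MASK28 = (1 << 28) - 1
# One-bit shift in rounds 1, 2, 9 and 16, two-bit shift in the other rounds
SHIFTS = [1 if rnd in (1, 2, 9, 16) else 2 for rnd in range(1, 17)]

def rotl28(value, n):
    """Rotate a 28-bit half left by n positions."""
    return ((value << n) | (value >> (28 - n))) & MASK28

def half_states(c0, d0):
    """Return the 16 (C_i, D_i) pairs from which PC-2 selects the round keys."""
    states, c, d = [], c0, d0
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        states.append((c, d))
    return states

def distinct_states(c0, d0):
    """Count different (C_i, D_i) pairs: an upper bound on distinct round keys."""
    return len(set(half_states(c0, d0)))

# Constructed sample halves (not taken from any real key)
SAMPLE_C0, SAMPLE_D0 = 0x0000001, 0x0F0F0F1
ALL_ZERO, ALL_ONE = 0, MASK28

if __name__ == "__main__":
    print("total shift:", sum(SHIFTS))  # equals the width of one half
    last = half_states(SAMPLE_C0, SAMPLE_D0)[-1]
    print("C16, D16 equal C0, D0:", last == (SAMPLE_C0, SAMPLE_D0))
    for c0, d0 in [(SAMPLE_C0, SAMPLE_D0), (ALL_ZERO, ALL_ZERO),
                   (ALL_ONE, ALL_ONE), (ALL_ZERO, ALL_ONE)]:
        print(f"C0={c0:07x} D0={d0:07x} distinct states:",
              distinct_states(c0, d0))
```
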
DES decryption
Due to the Feistel structure, decrypting a ciphertext only requires applying the same round 16 times, feeding the round keys in reverse order.

Weak keys
The secret key should be randomly chosen, but there are some particular values that should not be used:
4 weak keys: all 0, all 1, half 0 half 1
12 semi-weak keys: $C = E_k(P) = P$, in the form of combinations of 7 zeros and 7 ones: 0000000 11111111 0000000 1111111
Possible weak keys
Complement keys: $E_k(P) = C \Rightarrow E_{\bar{k}}(\bar{P}) = \bar{C}$, where $\bar{A} = \mathrm{not}(A)$

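The Feistel round and DES decryption slides make two claims that are easy to check in code: f does not have to be invertible, and decryption is the same rounds with the round keys reversed. The following is an added example, not part of the original slides, using a toy 64-bit Feistel network that is not DES; the round function, round keys and plaintext are constructed for the illustration. It also shows why a key whose round keys are all identical is weak: reversing the round keys changes nothing, so encrypting twice returns the plaintext.

```python
# Added illustration: a toy 64-bit Feistel network. It is NOT DES; the round
# function, round keys and plaintext below are constructed for the example.
MASK32 = 0xFFFFFFFF

def f(right, round_key):
    """Toy round function with only 2^16 possible outputs, so not invertible."""
    t = (((right ^ round_key) * 0x9E3779B1) & MASK32) >> 16
    return (t << 16) | t

def feistel(block, round_keys):
    """Apply one round per key to a 64-bit block, then swap the halves."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # L(i+1) = R(i)   and   R(i+1) = L(i) xor f(R(i), K(i))
        left, right = right, left ^ f(right, k)
    return (right << 32) | left   # final swap lets the same code decrypt

def encrypt(block, round_keys):
    return feistel(block, round_keys)

def decrypt(block, round_keys):
    """Same rounds as encrypt, with the round keys fed in reverse order."""
    return feistel(block, round_keys[::-1])

def find_f_collision(round_key):
    """Return two different inputs that f maps to the same output."""
    seen = {}
    for x in range((1 << 16) + 1):   # pigeonhole: more inputs than outputs
        y = f(x, round_key)
        if y in seen:
            return seen[y], x
        seen[y] = x

ROUND_KEYS = [(0x0F1E2D3C * (i + 1)) & MASK32 for i in range(16)]
WEAK_ROUND_KEYS = [0xA5A5A5A5] * 16   # every round key identical
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, ROUND_KEYS)
    print(f"{c:016x} -> {decrypt(c, ROUND_KEYS):016x}")
    print("f collision:", find_f_collision(ROUND_KEYS[0]))
    w = encrypt(PLAINTEXT, WEAK_ROUND_KEYS)
    print("weak keys, encrypting twice:", f"{encrypt(w, WEAK_ROUND_KEYS):016x}")
```
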
DES is not a Group
The transformation executed by DES is not a group.
If DES formed a group, then: $E_{k_2}(E_{k_1}(P)) = E_{k_3}(P)$
Proven in 1992; IBM states that this was known by design.

How to test the security
Is a block cipher secure?
Consider key space and block size: is brute force feasible?
Consider mathematical attacks
Implementation attacks

How to break DES
Due to the computing power available, DES is not safe today.
Brute force: given a ciphertext and a plaintext, how long does it take to try all the keys? 2^56 encryptions!

Brute Force Attack Estimation
How many days does it take to compute 2^56 encryptions?
If 1 encryption
per millisecond: 833,999,931
per microsecond: 833,999
per nanosecond: 833
If 100 devices in parallel: 8 days
Solutions? 3DES

Trade time and memory space
Select a plaintext and encrypt it with all possible keys:
(56 + 64 bits) * 2^56 memory space = 8646911284551352320 bit = 1,006,632,960 GByte
Force the plaintext into the communication, get the ciphertext, and find the corresponding key in the database.

3DES
Triple DES is the application of DES three times.
The most used is EDE: first DES encryption, then decryption, then encryption again.
Otherwise, EEE is the other possibility.

3DES
3DES is interesting since no changes to the basic algorithm are required, just a reuse of the available hw/sw.
Sometimes 3DES is used with only two keys (called two-key 3DES): $C = E_{k_1}(D_{k_2}(E_{k_1}(P)))$

Security of 3DES
First consider double DES, the application of DES two times with different keys.
A simple brute force costs 2^112 encryptions.
But there is another attack, called meet-in-the-middle, that can trade time for memory space.

Meet-in-the-middle
Given a pair (C, P):
First compute all possible $M_i = E_{k_i}(P)$ and store them: 2^56 encryptions, 2^56 $M_i$ stored.
Decrypt C for all possible keys, and check for every $M_j = D_{k_j}(C)$ whether $M_j = M_i$; if so, mark $M_i$ and write down the value j.
There is now a set of candidate pairs (i, j).
With a second couple (C', P'), check which (i, j) is the right couple.
The cost is:
2^56 encryptions
2^56 decryptions (thus 2^57 operations)
2^56 memory space

How does this impact 3DES?
Consider the first two operations as a unique brute force that costs 2^112 encryptions; then another 2^56 decryptions and 2^56 memory space are necessary.
The cost of breaking 3DES is then something like 2^112 operations and 2^56 memory space.

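The meet-in-the-middle procedure above, scaled down so that it runs in well under a second. This is an added example, not part of the original slides: the cipher is a constructed toy with a 16-bit block and a 12-bit key standing in for single DES, and all names, keys and plaintexts are assumptions made for the illustration. The table costs 2^12 encryptions and 2^12 stored values instead of the 2^24 trials of a plain search over both keys, which is the reason double encryption adds far less strength than its key length suggests.

```python
# Added illustration: meet-in-the-middle against a toy double cipher (NOT DES).
from collections import defaultdict

KEY_BITS = 12
M = 0x6487                      # odd multiplier, invertible modulo 2^16
M_INV = pow(M, -1, 1 << 16)

def toy_encrypt(k, p):
    """Toy 16-bit block cipher with a 12-bit key, standing in for single DES."""
    x = p
    for r in range(4):
        x = ((x ^ (k << r)) * M) & 0xFFFF
        x = ((x << 5) | (x >> 11)) & 0xFFFF      # rotate left by 5
    return x

def toy_decrypt(k, c):
    x = c
    for r in reversed(range(4)):
        x = ((x >> 5) | (x << 11)) & 0xFFFF      # rotate right by 5
        x = ((x * M_INV) & 0xFFFF) ^ (k << r)
    return x

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with all known (plaintext, ciphertext) pairs."""
    p0, c0 = pairs[0]
    table = defaultdict(list)                    # M_i -> list of keys i
    for i in range(1 << KEY_BITS):
        table[toy_encrypt(i, p0)].append(i)
    candidates = []
    for j in range(1 << KEY_BITS):               # M_j = D_kj(C), matched against M_i
        for i in table.get(toy_decrypt(j, c0), ()):
            candidates.append((i, j))
    for p, c in pairs[1:]:                       # further pairs discard false matches
        candidates = [(i, j) for i, j in candidates
                      if double_encrypt(i, j, p) == c]
    return candidates

# Constructed sample data: secret keys and three known plaintexts
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    print("candidates after one pair:", len(meet_in_the_middle(PAIRS[:1])))
    print("candidates after all pairs:",
          [(hex(i), hex(j)) for i, j in meet_in_the_middle(PAIRS)])
```
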
How to implement DES
The hardware structure is quite straightforward.
Simply implement the architecture divided in two parts, key schedule and round logic.
Since the SBOX logic is unknown, its implementation is just a LUT.

HW improvement
If the throughput is not satisfactory, it is possible to pipeline the round in order to increase the clock frequency.
Generally the round is divided into two or three stages.

HW improvement
If latency is the constraint instead of throughput, it is possible to execute two rounds per clock cycle if the critical path allows it.

SW implementation
DES is not software friendly; many of its operations are bit oriented.
All the substitutions are stored in precomputed tables.
The key schedule is generally computed in advance and the round keys are stored in a table.

Theoretical attacks
To test the robustness of a block cipher there are some well-known attacks that should be tested:
Linear cryptanalysis
Differential cryptanalysis

Linear cryptanalysis
Every block cipher should exhibit good non-linear properties.
If not, linear cryptanalysis could find the relation between known plaintext, the corresponding ciphertext and bits of the key.

Differential cryptanalysis
Select a set of pairs of plaintexts, where the elements of each pair have a fixed difference.
The difference propagates through DES in a particular manner.
Build a set of probabilities on the difference of the ciphertext pair.
Collect a certain number of plaintext/ciphertext pairs; the statistics will validate the guess of the right bits of the key.