ECE 646 - Lecture 8
IDEA, RC5, Modes of operation of block ciphers

Required Reading:
I. W. Stallings, "Cryptography and Network Security," 5th Edition, Chapter 6: Block Cipher Operation
II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography: 7.6 IDEA, 7.7.2 RC5, 7.2.2 Modes of Operation
IDEA

IDEA
- X. Lai, J. Massey, ETH, 1990-91
- 128-bit key (a billion machines each checking a billion keys per second would still require 10 trillion years to check all keys)
- used in PGP (Pretty Good Privacy), the most popular public-domain program for secure e-mail
- constructed to provide an absolute resistance against differential cryptanalysis
Three basic operations of IDEA (on 16-bit words):
- bitwise XOR:                   Y = X ⊕ Z
- addition modulo 2^16:          Y = X ⊞ Z = X + Z mod 2^16
- multiplication modulo 2^16+1:  Y = X ⊙ Z = X · Z mod (2^16 + 1), where the 16-bit value 0 represents 2^16

Corresponding inverse operations:
- X = Y ⊕ Z
- X = Y ⊞ (-Z) = Y + (-Z) mod 2^16
- X = Y ⊙ Z^-1 = Y · Z^-1 mod (2^16 + 1)

Half-round of IDEA: Transformation
Forward transformation (inputs X_a, X_b, X_c, X_d; subkeys Z_a, Z_b, Z_c, Z_d):
  Y_a = X_a ⊙ Z_a,  Y_b = X_b ⊞ Z_b,  Y_c = X_c ⊞ Z_c,  Y_d = X_d ⊙ Z_d
Inverse transformation (inverse subkeys Z_a^-1, -Z_c, -Z_b, Z_d^-1, as on the slide):
  X_a = Y_a ⊙ Z_a^-1,  X_b = Y_b ⊞ (-Z_c),  X_c = Y_c ⊞ (-Z_b),  X_d = Y_d ⊙ Z_d^-1
Half-round of IDEA: Sub-encryption
Forward transformation:
  W_in = X_a ⊕ X_b,  V_in = X_c ⊕ X_d
  (W_out, V_out) = MANGLER FUNCTION (W_in, V_in; Z_e, Z_f)
  Y_a = X_a ⊕ W_out,  Y_b = X_b ⊕ W_out,  Y_c = X_c ⊕ V_out,  Y_d = X_d ⊕ V_out
Inverse transformation (the mangler sees the same inputs, since Y_a ⊕ Y_b = X_a ⊕ X_b and Y_c ⊕ Y_d = X_c ⊕ X_d):
  W_in = Y_a ⊕ Y_b,  V_in = Y_c ⊕ Y_d
  (W_out, V_out) = MANGLER FUNCTION (W_in, V_in; Z_e, Z_f)
  X_a = Y_a ⊕ W_out,  X_b = Y_b ⊕ W_out,  X_c = Y_c ⊕ V_out,  X_d = Y_d ⊕ V_out
IDEA Mangler Function (figure): inputs W_in, V_in and subkeys Z_e, Z_f; outputs W_out, V_out.
IDEA - Key Scheduling
  128-bit key → Z_1 Z_2 Z_3 Z_4 Z_5 Z_6 Z_7 Z_8 (eight 16-bit subkeys)
  Rotate 25 positions left → Z_9 Z_10 Z_11 Z_12 Z_13 Z_14 Z_15 Z_16
  Rotate 25 positions left → ... (repeated until all subkeys are generated)

RC5
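Added example (not code from the lecture): the three IDEA operations with their inverses, the half-round key-mixing transformation and its inverse, and the rotate-by-25 key schedule, in Python. All names (idea_mul, key_mix, idea_subkeys, ...) are chosen here. key_mix_inverse undoes key_mix on its own, so it applies -Z_b and -Z_c in place; the swapped order (-Z_c, -Z_b) shown on the slide is what the full round needs after its swap of the two middle words.

```python
MOD_ADD = 1 << 16            # addition works modulo 2^16
MOD_MUL = (1 << 16) + 1      # multiplication works modulo the prime 2^16 + 1

def idea_mul(x, y):
    """X (.) Y: multiplication mod 2^16+1, where the 16-bit value 0 represents 2^16."""
    x, y = x or MOD_ADD, y or MOD_ADD          # 0 -> 2^16 on input
    return (x * y % MOD_MUL) & 0xFFFF          # 2^16 -> 0 on output

def idea_add(x, y):
    """X (+) Y: addition mod 2^16."""
    return (x + y) % MOD_ADD

def mul_inverse(z):
    """Z^-1 mod 2^16+1; 0 stands for 2^16, which is its own inverse (pow(..., -1, m) needs Python 3.8+)."""
    return pow(z or MOD_ADD, -1, MOD_MUL) & 0xFFFF

def add_inverse(z):
    """-Z mod 2^16."""
    return (-z) % MOD_ADD

def key_mix(x, z):
    """Half-round transformation: Y_a = X_a (.) Z_a, Y_b = X_b (+) Z_b, Y_c = X_c (+) Z_c, Y_d = X_d (.) Z_d."""
    (xa, xb, xc, xd), (za, zb, zc, zd) = x, z
    return (idea_mul(xa, za), idea_add(xb, zb), idea_add(xc, zc), idea_mul(xd, zd))

def key_mix_inverse(y, z):
    """Undo key_mix by applying it again with the inverse subkeys Z_a^-1, -Z_b, -Z_c, Z_d^-1."""
    za, zb, zc, zd = z
    return key_mix(y, (mul_inverse(za), add_inverse(zb), add_inverse(zc), mul_inverse(zd)))

def idea_subkeys(key, rounds=8):
    """Key schedule: take eight 16-bit subkeys from the 128-bit key, rotate it 25 bits left, repeat.
    8 rounds need 6*8 subkeys plus 4 for the output transformation: 52 in total."""
    needed = 6 * rounds + 4
    subkeys = []
    while len(subkeys) < needed:
        subkeys += [(key >> (112 - 16 * i)) & 0xFFFF for i in range(8)]
        key = ((key << 25) | (key >> (128 - 25))) & ((1 << 128) - 1)   # rotate 25 positions left
    return subkeys[:needed]
```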
RC5
- Ron Rivest, MIT, 1994 (Ron's Code 5, Rivest's Cipher 5)
- variable key length (40 bits in the former export version, 128 bits to achieve the same strength as IDEA)
- variable block size (depends on the processor word length)
- variable number of rounds (determines resistance to linear and differential cryptanalysis; for 9 rounds this resistance is greater than for DES)
- simplicity of description
- one of the fastest ciphers

RC5 - Basic operations:
- Rotation by a variable number of bits: C = A <<< B, where A, B and C are w-bit words and B gives the number of positions
- Addition modulo 2^w: C = A + B mod 2^w, where w is the size of the operands A and B
RC5-w/r/b
- w - word size in bits, w = 16, 32, 64; input/output block = 2 words = 2w bits. Typical value: w = 32 → 64-bit input/output block
- r - number of rounds
- b - key size in bytes; key size in bits = 8b bits, 0 ≤ b ≤ 255
Recommended version: RC5-32/12/16 = 64-bit block, 12 rounds, 128-bit key

RC5 Encryption (additions modulo 2^w)
  Split M into two halves A and B
  A = A + S[0]
  B = B + S[1]
  for i = 1 to r do {
    A = ((A ⊕ B) <<< B) + S[2i]
    B = ((B ⊕ A) <<< A) + S[2i+1]
  }
  C = A || B

RC5 Decryption (subtractions modulo 2^w)
  Split C into two halves A and B
  for i = r downto 1 do {
    B = ((B - S[2i+1]) >>> A) ⊕ A
    A = ((A - S[2i]) >>> B) ⊕ B
  }
  B = B - S[1]
  A = A - S[0]
  M = A || B
RC5 - Key Scheduling
  k = 8b bits of the main key → 2r + 2 round keys = (2r + 2) · w bits
Two magic constants:
  P_w = Odd((e - 2) · 2^w)
  Q_w = Odd((ϕ - 1) · 2^w)
where e is the base of natural logarithms, e = 2.7182..., and ϕ is the golden ratio, ϕ = x/y such that x/y = y/(x - y), ϕ = 1.6180...
RC5 - Key Scheduling: Initialize and Convert
Initialize (t = 2r + 2):
  S[0] = P_w
  for i = 1 to t-1 do S[i] = S[i-1] + Q_w
Convert (c = ⌈8b / w⌉):
  for i = 0 to c-1 do L[i] = 0
  Copy the key bytes directly into the memory positions represented by L[0..c-1].

RC5 - Key Scheduling: Mix
  i = j = 0
  A = B = 0
  do 3 · max{t, c} times {
    A = S[i] = (S[i] + A + B) <<< 3
    B = L[j] = (L[j] + A + B) <<< (A + B)
    i = (i + 1) mod t
    j = (j + 1) mod c
  }
RC5 - Resistance to differential and linear cryptanalysis
Plaintext requirement vs. number of rounds:

  # rounds                     4      5      6      7      9      12     13
  Differential cryptanalysis   2^22   2^26   2^32   2^37   2^46   2^63   >2^64
  Linear cryptanalysis         2^37   2^47   2^57   >2^64

Differential cryptanalysis cannot be applied to RC5 with # rounds ≥ 13.
Linear cryptanalysis cannot be applied to RC5 with # rounds ≥ 7.

Resistance of modern ciphers against known attacks
  Proprietary ciphers built into application software:  mostly insecure, broken in seconds on a PC
  Proprietary ciphers with unknown specification:       uncertain, may be hard to verify
  Past 40-bit international versions of ciphers:        keys recoverable in less than one hour using a small network of computers worth less than $10,000
  DES:                                                  keys can be recovered within 24 hours using a specialized machine based on FPGAs worth less than $100,000
  Triple DES, DESX, RC5:                                all known attacks impractical
State of research regarding the security of secret-key ciphers
- limited number of researchers actively involved in cryptanalysis and design of new ciphers
- number of published ciphers > number of researchers
- evaluations of the cipher strength given by designers are typically unreliable
- Honest cipher = the best known attack is an exhaustive key search attack
- One can rely only on ciphers analyzed by a large group of qualified researchers

Modes of Operation
Block vs. stream ciphers
Block cipher:  M_1, M_2, ..., M_n → C_1, C_2, ..., C_n with C_i = f(M_i)
  Every block of ciphertext is a function of only one corresponding block of plaintext.
Stream cipher: m_1, m_2, ..., m_n → c_1, c_2, ..., c_n with c_i = f(m_i, IS_i) and IS_{i+1} = g(m_i, IS_i), where IS is the internal state
  Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher (figure): the sender and the receiver each feed the key and the initialization vector (seed) into a Pseudorandom Key Generator that produces the keystream k_i; the sender combines the plaintext m_i with k_i into the ciphertext c_i, and the receiver recovers m_i from c_i with the same keystream.
Standard modes of operation of block ciphers
  Block ciphers:  ECB mode
  Stream ciphers: Counter mode, OFB mode, CFB mode, CBC mode

ECB (Electronic CodeBook) mode
Electronic CodeBook Mode - ECB Encryption
  M_1 M_2 M_3 ... M_{N-1} M_N → (E) → C_1 C_2 C_3 ... C_{N-1} C_N
  C_i = E(M_i) for i = 1..N
Electronic CodeBook Mode - ECB Decryption
  C_1 C_2 C_3 ... C_{N-1} C_N → (D) → M_1 M_2 M_3 ... M_{N-1} M_N
  M_i = D(C_i) for i = 1..N
Criteria for Comparison of Modes of Operation
- hiding repeating message blocks
- speed
- capability for parallel processing and pipelining during encryption / decryption
- use of block cipher operations (encryption only or both)
- capability for preprocessing during encryption / decryption
- capability for random access for the purpose of reading / writing
- number of plaintext and ciphertext blocks required for exhaustive key search
- error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

Block Cipher Modes of Operation - Basic Features (1) and (2): comparison tables for ECB, CTR, OFB, CFB and CBC, filled in under "Comparison among various modes" below. Rows of table (1): hiding repeating plaintext blocks, basic speed, capability for parallel processing and pipelining, cipher operations, preprocessing, random access. Rows of table (2): security against the exhaustive key search attack (minimum number of the message and ciphertext blocks needed), error propagation in the decrypted message (modification of j bits, deletion of j bits), integrity.

Counter Mode
Counter Mode - CTR Encryption
  IV, IV+1, IV+2, ..., IV+N-2, IV+N-1 → (E) → k_1 k_2 k_3 ... k_{N-1} k_N
  c_i = m_i ⊕ k_i,  k_i = E(IV + i - 1) for i = 1..N
Counter Mode - CTR Decryption
  IV, IV+1, IV+2, ..., IV+N-2, IV+N-1 → (E) → k_1 k_2 k_3 ... k_{N-1} k_N
  m_i = c_i ⊕ k_i,  k_i = E(IV + i - 1) for i = 1..N
Counter Mode - CTR as a stream cipher (figure: an L-bit counter register feeds the block cipher input IN[1..L]; the output OUT[1..L] is XORed with m_i to give c_i)
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = IS_i + 1

J-bit Counter Mode - CTR
  IV, IV+1, IV+2, ..., IV+N-2, IV+N-1 → (E) → k_1 k_2 k_3 ... k_{N-1} k_N, each truncated to its first j bits
  c_i = m_i ⊕ k_i,  k_i = E(IV + i - 1)[1..j] for i = 1..N, with j-bit plaintext and ciphertext blocks m_i and c_i
J-bit Counter Mode - CTR (figure): the L-bit counter is encrypted; of the L output bits OUT[1..L], the first j bits are used as keystream and XORed with the j-bit block m_i, and the remaining L-j bits are discarded.

OFB (Output FeedBack) Mode
Output Feedback Mode - OFB Encryption
  IV → (E) → k_1 → (E) → k_2 → (E) → k_3 → ... → k_N
  c_i = m_i ⊕ k_i,  k_i = E(k_{i-1}) for i = 1..N, and k_0 = IV
Output Feedback Mode - OFB Decryption
  IV → (E) → k_1 → (E) → k_2 → (E) → k_3 → ... → k_N
  m_i = c_i ⊕ k_i,  k_i = E(k_{i-1}) for i = 1..N, and k_0 = IV
Output Feedback Mode - OFB as a stream cipher (figure: register IN[1..L] initialized with IV; the block cipher output OUT[1..L] is fed back into the register and XORed with m_i)
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = E(IS_i)

J-bit Output Feedback Mode - OFB (figure): an L-bit shift register initialized with IV is encrypted; the first j output bits are used as keystream (XORed with the j-bit block m_i) and are also shifted into the register while its leftmost j bits are shifted out, and the remaining L-j output bits are discarded.
CFB (Cipher FeedBack) Mode

Cipher Feedback Mode - CFB Encryption
  IV → (E) → k_1;  c_1 → (E) → k_2;  c_2 → (E) → k_3;  ... ;  c_{N-1} → (E) → k_N
  c_i = m_i ⊕ k_i,  k_i = E(c_{i-1}) for i = 1..N, and c_0 = IV
Cipher Feedback Mode - CFB Decryption
  IV → (E) → k_1;  c_1 → (E) → k_2;  c_2 → (E) → k_3;  ... ;  c_{N-1} → (E) → k_N
  m_i = c_i ⊕ k_i,  k_i = E(c_{i-1}) for i = 1..N, and c_0 = IV
Cipher Feedback Mode - CFB as a stream cipher (figure: register IN[1..L] loaded with the previous ciphertext block; the block cipher output OUT[1..L] is XORed with m_i)
  IS_1 = IV
  c_i = E(IS_i) ⊕ m_i
  IS_{i+1} = c_i
J-bit Cipher Feedback Mode - CFB (figure): an L-bit shift register initialized with IV is encrypted; the first j output bits are XORed with the j-bit block m_i to give c_i, the j ciphertext bits are shifted into the register while its leftmost j bits are shifted out, and the remaining L-j output bits are discarded.

CBC (Cipher Block Chaining) Mode
Cipher Block Chaining Mode - CBC Encryption
  IV, m_1 m_2 m_3 ... m_{N-1} m_N → (E) → c_1 c_2 c_3 ... c_{N-1} c_N
  c_i = E(m_i ⊕ c_{i-1}) for i = 1..N, c_0 = IV
Cipher Block Chaining Mode - CBC Decryption
  c_1 c_2 c_3 ... c_{N-1} c_N, IV → (D) → m_1 m_2 m_3 ... m_{N-1} m_N
  m_i = D(c_i) ⊕ c_{i-1} for i = 1..N, c_0 = IV
Comparison among various modes

Block Cipher Modes of Operation - Basic Features (1)

  Feature                              ECB                        CTR                        OFB              CFB              CBC
  Hiding repeating plaintext blocks    No                         Yes                        Yes              Yes              Yes
  Basic speed                          s_ECB                      s_ECB                      j/L · s_ECB      j/L · s_ECB      s_ECB
  Parallel processing and pipelining   Encryption and decryption  Encryption and decryption  None             Decryption only  Decryption only
  Cipher operations                    Encryption and decryption  Encryption only            Encryption only  Encryption only  Encryption and decryption
  Preprocessing                        No                         Yes                        Yes              No               No
  Random access                        R/W                        R/W                        No               R only           R only
Block Cipher Modes of Operation - Basic Features (2)
Security against the exhaustive key search attack - minimum number of the message and ciphertext blocks needed:
  ECB: 1 plaintext block, 1 ciphertext block
  CTR: 1 plaintext block, 1 ciphertext block
  OFB: 2 plaintext blocks, 2 ciphertext blocks (for j = L)
  CFB: 1 plaintext block, 2 ciphertext blocks (for j = L)
  CBC: 1 plaintext block, 2 ciphertext blocks
Error propagation in the decrypted message:
  Modification of j bits:  ECB: L bits | CTR: j bits | OFB: j bits | CFB: L+j bits | CBC: L+j bits
  Deletion of j bits:      ECB: current and all subsequent | CTR: current and all subsequent | OFB: current and all subsequent | CFB: L bits | CBC: current and all subsequent
Integrity:                 ECB: No | CTR: No | OFB: No | CFB: No | CBC: No

New modes of operation
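Added example (not code from the lecture): CTR, OFB and CFB written in the stream-cipher form of the slides above (IS_1 = IV, c_i = E(IS_i) ⊕ m_i, IS_{i+1} = ... ), plus ECB and CBC, with a helper that flips one bit of the first ciphertext block and counts the plaintext bits that change in each block, which reproduces the "modification of j bits" row of the table for j = 1. The block cipher E/D is a constructed 64-bit toy Feistel permutation standing in for a real cipher, and all names are chosen here.

```python
import hashlib

L, MASK = 64, (1 << 64) - 1     # block length L = 64 bits; blocks are Python ints

def _f(key, rnd, half):         # round function of a constructed toy Feistel cipher (stand-in only)
    data = key + bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def E(key, block):              # toy 64-bit keyed permutation playing the role of E
    l, r = block >> 32, block & 0xFFFFFFFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 32) | r

def D(key, block):              # its inverse, playing the role of D
    l, r = block >> 32, block & 0xFFFFFFFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 32) | r

# CTR, OFB and CFB in stream-cipher form: IS_1 = IV, c_i = E(IS_i) XOR m_i, IS_{i+1} = next(IS_i, c_i).
# Only E is needed, for encryption and decryption alike.
NEXT_STATE = {"CTR": lambda key, s, c: (s + 1) & MASK,   # IS_{i+1} = IS_i + 1
              "OFB": lambda key, s, c: E(key, s),        # IS_{i+1} = E(IS_i)
              "CFB": lambda key, s, c: c}                # IS_{i+1} = c_i

def stream_mode(mode, key, iv, blocks, decrypt=False):
    state, out = iv, []
    for x in blocks:
        y = E(key, state) ^ x
        out.append(y)
        state = NEXT_STATE[mode](key, state, x if decrypt else y)  # feedback always takes c_i
    return out

def ecb(key, iv, blocks, decrypt=False):   # C_i = E(M_i), M_i = D(C_i); the IV is unused
    return [(D if decrypt else E)(key, b) for b in blocks]

def cbc(key, iv, blocks, decrypt=False):   # c_i = E(m_i XOR c_{i-1}), m_i = D(c_i) XOR c_{i-1}
    prev, out = iv, []
    for x in blocks:
        y = D(key, x) ^ prev if decrypt else E(key, x ^ prev)
        out.append(y)
        prev = x if decrypt else y           # the chain always carries the ciphertext block
    return out

def bits_changed_per_block(mode, key, iv, blocks, bit=0):
    """Flip one bit of the first ciphertext block; count the plaintext bits that change in each block."""
    run = {"ECB": ecb, "CBC": cbc}.get(mode) or (
        lambda k, v, b, decrypt=False: stream_mode(mode, k, v, b, decrypt))
    ct = run(key, iv, blocks)
    ct[0] ^= 1 << bit
    return [bin(a ^ b).count("1") for a, b in zip(blocks, run(key, iv, ct, decrypt=True))]
```

With three blocks the counts come out as [1, 0, 0] for CTR and OFB (j bits), [1, many, 0] for CFB and [many, 1, 0] for CBC (L+j bits, split across two blocks), and [many, 0, 0] for ECB (L bits).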
Evaluation Criteria for Modes of Operation
  Security, Efficiency, Functionality

Evaluation criteria (1)
Security:
- resistance to attacks
- proof of security
- random properties of the ciphertext
Efficiency:
- number of calls of the block cipher
- capability for parallel processing
- memory/area requirements
- initialization time
- capability for preprocessing
Evaluation criteria (2)
Functionality:
- security services: confidentiality, integrity, authentication
- flexibility: variable lengths of blocks and keys; different amount of precomputations; requirements on the length of the message
- vulnerability to implementation errors
- requirements on the amount of keys, initialization vectors, random numbers, etc.
- error propagation and the capability for resynchronization
- patent restrictions

CBC (figure: IV and m_1 ... m_N chained through E into c_1 ... c_N)
Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication
Counter mode (figure: IV, IV+1, IV+2, ..., IV+N encrypted into keystream blocks k_0 ... k_N and XORed with m_0 ... m_N to give c_0 ... c_N)
Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

Properties of existing and new cipher modes (table comparing CBC, CFB, OFB and a new standard on: proof of security, parallel processing (decryption only for some of the existing modes), preprocessing, integrity and authentication, resistance to implementation errors)
OCB - Offset Codebook Mode (figure): message blocks M_1 ... M_N, offsets Z_i = f(L, R, i), a control sum, the length encoding g(l), ciphertext blocks C_1 ... C_N and a τ-bit tag T

New modes of block ciphers
1. CCM - Counter with CBC-MAC
   - developed by R. Housley, D. Whiting, N. Ferguson in 2002
   - assures simultaneous confidentiality and authentication
   - not covered by any patent
   - part of the IEEE 802.11i standard for wireless networks
2. GCM - Galois/Counter Mode
   - developed by D. McGrew and J. Viega in 2005
   - assures simultaneous confidentiality and authentication
   - not covered by any patent
   - used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPsec standards
Properties of new modes of operation (table comparing CBC, CFB, OFB, CTR, CCM and GCM on: proof of security, parallel processing (only decryption for some modes, half of the operations for others), preprocessing (half of the operations for some modes), integrity and authentication, resistance to implementation errors)

FIPS standards: Modes of operation of block ciphers - Timeline
- CBC, CFB, OFB, ECB: FIPS 81 (for DES)
- Dec. 2001: SP 800-38A, for an arbitrary block cipher: CBC, CFB, OFB, ECB and CTR (counter mode)
- May 2004: CCM, SP 800-38B
- Nov. 2007: GCM, SP 800-38D
Contests: Apr. 2001, NIST: 10 modes submitted to the contest (including CTR, OCB, IACBC, IAPM); patent issues.
Attacks: Aug. 2001: the DCM mode developed by NSA was attacked several days after its publication.