Biometrics and Cryptography1 Introduction to Modern Symmetric-key Ciphers.
68
Biometrics and Cryptography 1 Introduction to Modern Symmetric- key Ciphers
-
Upload
caitlin-sullivan -
Category
Documents
-
view
235 -
download
0
Transcript of Biometrics and Cryptography1 Introduction to Modern Symmetric-key Ciphers.
Biometrics and Cryptography 1
Introduction to
Modern Symmetric-key Ciphers
Biometrics and Cryptography 2
Outline
❏ Stream Ciphers and Block Ciphers
❏ Diffusion and Confusion
❏ Components of block ciphers such as P-boxes, S-boxes and rounds.
❏ Feistel and non-Feistel ciphers.
❏ Two kinds of attacks particularly designed for modern block ciphers: differential and linear cryptanalysis.
Biometrics and Cryptography 3
Symmetric Key Cryptosystems• Stream ciphers
– Operate on the plaintext a single bit (or sometimes byte) at a time
– Simple substitution– Poly-alphabetic substitution– ORYX is the algorithm used to encrypt data sent over
digital cellular phones. t is a stream cipher based on three 32-bit Galois Linear Feedback Shift Register (LFSR)s. The cryptographic tag-team from Counterpane Systems (David Wagner, John Kelsey, and Bruce Schneier) have developed an attack on ORYX that requires approximately 24 bytes of known plaintext and about 216 initial guesses.
Symmetric Key Cryptosystems
• Stream ciphers– SEAL, designed by Don Coppersmith of IBM Corp, is probably
the fastest secure encryption algorithm available. The key setup process of SEAL requires several kilobytes of space and rather intensive computation involving SHA1, but only five operations per byte are required to generate the keystream. SEAL is particularly appropriate for disk encryption and similar applications where data must be read from the middle of a ciphertext stream. SEAL is patented, and can be licensed from IBM.
– RC4 algorithm is a stream cipher from RSA Data Security, Inc. There are no known attacks against RC4. RC4 is not patented by RSA Data Security, Inc; it is just protected as a trade secret. The 40-bit exportable version of RC4 has been broken by brute force! (used by WLAN IEEE 802.11 in WEP)
Biometrics and Cryptography 4
Symmetric Key Cryptosystems
• Block ciphers– Operate on the plaintext in groups of bits. The groups of bits are
called blocks.– Typical block size is 64 bits or multiple of it, e.g. 128 bits, 256 bits.– DES, AES – IDEA, developed in Zurich is generally regarded to be one of the
best and most secure block algorithm available to the public today. It utilizes a 128-bit key and is designed to be resistant to differential cryptanalysis. Some attacks have been made against reduced round IDEA.
Biometrics and Cryptography 5
Symmetric Key Cryptosystems
• Block ciphers– Blowfish is a block cipher designed by Bruce Schneier, and is
perhaps one of the most secure algorithms available. – RC5 is a group of algorithms designed by RSA that can take on a
variable block size, key size, and number of rounds. RC5 generally has a 64-bit block size. David Wagner, John Kelsey, and Bruce Schneier have found weak keys in RC5, with the probability of selecting a weak key to be 2-10r, where r is the number of rounds. For sufficiently large r values (greater than 10), this is not a problem as long as you are not trying to build a hash function based on RC5. Kundsen has also found a differential attack on RC5.
– Different modes of operation
Biometrics and Cryptography 6
5.7
5-1 MODERN BLOCK CIPHERS5-1 MODERN BLOCK CIPHERS
A symmetric-key modern block cipher encrypts an A symmetric-key modern block cipher encrypts an n-bit block of plaintext or decrypts an n-bit block of n-bit block of plaintext or decrypts an n-bit block of ciphertext. The encryption or decryption algorithm ciphertext. The encryption or decryption algorithm uses a k-bit key. uses a k-bit key.
5.1.1 Substitution or Transposition5.1.2 Block Ciphers as Permutation Groups5.1.3 Components of a Modern Block Cipher5.1.4 Product Ciphers5.1.5 Two Classes of Product Ciphers5.1.6 Attacks on Block Ciphers
Topics discussed in this section:Topics discussed in this section:
5.8
Figure 5.1 A modern block cipher
5.1 Continued
5.9
5.1 Continued
Example 5.1
How many padding bits must be added to a message of 100 How many padding bits must be added to a message of 100 characters if 8-bit ASCII is used for encoding and the block characters if 8-bit ASCII is used for encoding and the block cipher accepts blocks of 64 bits?cipher accepts blocks of 64 bits?
Encoding 100 characters using 8-bit ASCII results in an 800-Encoding 100 characters using 8-bit ASCII results in an 800-bit message. The plaintext must be divisible by 64. If | M | and bit message. The plaintext must be divisible by 64. If | M | and |Pad| are the length of the message and the length of the |Pad| are the length of the message and the length of the padding,padding,
SolutionSolution
5.10
A modern block cipher can be designed to act as a substitution cipher or a transposition cipher.
5.1.1 Substitution or Transposition
To be resistant to exhaustive-search attack, a modern block cipher needs to bedesigned as a substitution cipher.
Note
5.11
Example 5.2
5.1.1 Continued
Suppose that we have a block cipher where Suppose that we have a block cipher where nn = 64. If there = 64. If there are 10 1’s in the ciphertext, are 10 1’s in the ciphertext, how many trial-and-error testshow many trial-and-error tests does Eve need to do to recover the plaintext from the does Eve need to do to recover the plaintext from the intercepted ciphertext in each of the following cases?intercepted ciphertext in each of the following cases? a. The cipher is designed as a substitution cipher.a. The cipher is designed as a substitution cipher.
a.a. In the first case, Eve has no idea how many 1’s are in the In the first case, Eve has no idea how many 1’s are in the plaintext. Eve needs to try all possible plaintext. Eve needs to try all possible 226464 64-bit blocks to 64-bit blocks to find one that makes sense. find one that makes sense.
SolutionSolution
5.12
Is a modern block cipher a group?
5.1.2 Block Ciphers as Permutation Groups
Full-Size Key Transposition Block CiphersIn a full-size key transposition cipher We need to have n! possible keys, so the key should have log2 n! bits.
Example 5.3
Show the model and the set of permutation tables for a 3-bit Show the model and the set of permutation tables for a 3-bit block transposition cipher where the block size is 3 bits.block transposition cipher where the block size is 3 bits.
SolutionSolutionThe set of permutation tables has 3! = 6 elements, as shown in The set of permutation tables has 3! = 6 elements, as shown in Figure 5.2. Figure 5.2.
5.13
Figure 5.2 A transposition block cipher modeled as a permutation
5.1.2 Continued
5.14
5.1.2 Continued
A full-size key n-bit transposition cipher or a substitution block cipher can be modeled
as a permutation, but their key sizes are different:
Note
Transposition: the key is log2n! bits long. Substitution: the key is log2(2n)!bits long.
5.15
Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs.
5.1.3 Components of a Modern Block Cipher
A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
P-Boxes
5.16
Figure 5.4 Three types of P-boxes
5.1.3 Continued
5.17
Example 5.5
5.1.3 Continued
Figure 5.5 The possible mappings of a 3 × 3 P-box
Figure 5.5 shows all 6 possible mappings of a 3 × 3 P-box.Figure 5.5 shows all 6 possible mappings of a 3 × 3 P-box.
Straight 3 × 3 P-Boxes
5.18
5.1.3 Continued
Table 5.1 Example of a permutation table for a straight 64 × 64 P-box
Straight P-Boxes
5.19
Example 5.6
5.1.3 Continued
Design an 8 × 8 permutation table for a straight P-box that Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the input word to moves the two middle bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output words. Relative the two ends (bits 1 and 8) in the output words. Relative positions of other bits should not be changed.positions of other bits should not be changed.
SolutionSolutionWe need a straight P-box with the table [4 1 2 3 6 7 8 5]. We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not been changed, but the first output takes the fourth input and been changed, but the first output takes the fourth input and the eighth output takes the fifth input.the eighth output takes the fifth input.
5.20
5.1.3 Continued
A compression P-box is a P-box with n inputs and m outputs where m < n. Example of a 32 × 24 permutation table:
An expansion P-box is a P-box with n inputs and m outputs where m > n. Example of a 12 × 16 permutation table:
5.21
5.1.3 ContinuedP-Boxes: Invertibility
A straight P-box is invertible, but compression and expansion P-boxes are not.
Note
5.22
Example 5.7
5.1.3 Continued
Figure 5.6 shows how to invert a permutation table Figure 5.6 shows how to invert a permutation table represented as a one-dimensional table.represented as a one-dimensional table.
Figure 5.6 Inverting a permutation table
5.23
Figure 5.7 Compression and expansion P-boxes are non-invertible
5.1.3 Continued
5.24
5.1.3 Continued
S-BoxAn S-box (substitution box) can be thought of as a miniature substitution cipher.
An S-box is an m × n substitution unit, where m and n are not necessarily the same.
Note
5.25
Example 5.8
5.1.3 Continued
In an S-box with three inputs and two outputs, we haveIn an S-box with three inputs and two outputs, we have
The S-box is linear because The S-box is linear because aa1,11,1 = = aa1,21,2 = = aa1,31,3 = = aa2,12,1 = 1 and = 1 and
aa2,22,2 = = aa2,32,3 = 0. The relationship can be represented by = 0. The relationship can be represented by
matrices, as shown below:matrices, as shown below:
5.26
Example 5.9
5.1.3 Continued
In an S-box with In an S-box with three inputsthree inputs and and two outputstwo outputs, we have, we have
The S-box is nonlinear because there is no linear relationship The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.between the inputs and the outputs.
5.27
Example 5.10
5.1.3 Continued
The following table defines the input/output relationship for The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the input defines the an S-box of size 3 × 2. The leftmost bit of the input defines the row; the two rightmost bits of the input define the column. row; the two rightmost bits of the input define the column. The two output bits are values on the cross section of the The two output bits are values on the cross section of the selected row and column.selected row and column.
Based on the table, an input of 010 yields the output 01. An Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.input of 101 yields the output of 00.
5.28
5.1.3 ContinuedS-Boxes: Invertibility
An S-box may or may not be invertible. In an invertible S-box, the number of input bits should be the same as the number of output bits. Figure 5.8 shows an example of an invertible S-box. For example, if the input to the left box is 001, the output is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses of each other.
Figure 5.8 S-box tables for Example 5.11
5.29
5.1.3 Continued
Exclusive-Or
An important component in most block ciphers is the exclusive-or operation.
Figure 5.9 Invertibility of the exclusive-or operation
5.30
5.1.3 ContinuedExclusive-Or (Continued)
The inverse of a component in a cipher makes sense if the component represents a unary operation (one input and one output). For example, a keyless P-box or a keyless S-box can be made invertible because they have one input and one output. An exclusive operation is a binary operation. The inverse of an exclusive-or operation can make sense only if one of the inputs is fixed (is the same in encryption and decryption). For example, if one of the inputs is the key, which normally is the same in encryption and decryption, then an exclusive-or operation is self-invertible, as shown in Figure 5.9.
5.31
5.1.3 Continued
Circular Shift
Another component found in some modern block ciphers is the circular shift operation.
Figure 5.10 Circular shifting an 8-bit word to the left or right
5.32
5.1.3 Continued
Swap
The swap operation is a special case of the circular shift operation where k = n/2.
Figure 5.11 Swap operation on an 8-bit word
5.33
5.1.3 ContinuedSplit and Combine
Two other operations found in some block ciphers are split and combine.
Figure 5.12 Split and combine operations on an 8-bit word
5.34
5.1.4 Continued
Diffusion hides the relationship between the ciphertext and the plaintext.
Note
• Diffusion: to obscure the statistical structure of the plaintext from the ciphertext.
– By having each ciphertext digit be affected by more than one plaintext digit
– In other words, to have the statistical structure of the plaintext be dissipated into long-range statistics of the ciphertext.
– e.g. )26(mod1
k
iinn my
– where message M = m1, m2, … and a ciphertext letter yn is obtained by adding k successive plaintext (English) letters.
5.35
5.1.4 Continued
Confusion hides the relationship between the ciphertext and the key.
Note
• Confusion: to obscure the statistical dependence between the encryption key and the ciphertext
– to thwart attempts to discover the key – simple linear substitution generates little confusion – This can be achieved by using complex substitution
algorithms.
5.36
Figure 5.14 Diffusion and confusion in a block cipher
5.1.4 Continued
5.37
RoundsDiffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.
5.1.4 Continued
5.38
Figure 5.13 A product cipher made of two rounds
5.1.4 Continued
5.39
Block Cipher Operation (Simplified)
Block of plaintext
S S S S
S S S S
S S S S
Key
Add some secret key bitsto provide confusion
Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext)
repeat for several rounds
Block of ciphertextProcedure must be reversible
(for decryption)
5.40
Modern block ciphers are all product ciphers, but they are divided into two classes.
1. Feistel ciphers
2. Non-Feistel ciphers
5.1.5 Two Classes of Product Ciphers
5.41
Feistel CiphersFeistel designed a very intelligent and interesting cipher that has been used for decades. A Feistel cipher can have three types of components: self-invertible, invertible, andnoninvertible.
5.1.5 Feistel ciphers
5.42
Figure 5.15 The first thought in Feistel cipher design
5.1.5 Feistel ciphers
Diffusion hides the relationship between the ciphertext and the plaintext.
Note
5.43
Example 5.12
5.1.3 Feistel ciphers
This is a trivial example. The plaintext and ciphertext are This is a trivial example. The plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the each 4 bits long and the key is 3 bits long. Assume that the function takes function takes the first and third bits of the keythe first and third bits of the key, interprets , interprets these two bits these two bits as a decimal number, squares the number, and as a decimal number, squares the number, and interprets the result as a 4-bit binary patterninterprets the result as a 4-bit binary pattern. Show the . Show the results of encryption and decryption if the original plaintext results of encryption and decryption if the original plaintext is 0111 and the key is 101. is 0111 and the key is 101. f(K) = f(f(K) = f(110011) = (2^) = (2^11++11)^2=9=1001)^2=9=1001
The function extracts the first and second bits to get 11 in The function extracts the first and second bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.1001 in binary.
SolutionSolution
5.44
Figure 5.16 Improvement of the previous Feistel design
5.1.5 Feistel ciphers
5.45
Figure 5.17 Final design of a Feistel cipher with two rounds
5.1.5 Feistel ciphers
5.46
Non-Feistel CiphersA non-Feistel cipher uses only invertible components. A component in the encryption cipher has the corresponding component in the decryption cipher.
5.1.5 Non-Feistel Ciphers
5.47
5.1.6 Attacks on Block Ciphers
Differential CryptanalysisEli Biham and Adi Shamir introduced the idea of differential cryptanalysis. This is a chosen-plaintext attack.
Linear CryptanalysisLinear cryptanalysis was presented by Mitsuru Matsui in 1993. The analysis uses known plaintext attacks.
5.48
Example 5.13
5.1.6 Differential Cryptanalysis
Assume that the cipher is made only of one exclusive-or Assume that the cipher is made only of one exclusive-or operation, as shown in Figure 5.18. Without knowing the operation, as shown in Figure 5.18. Without knowing the value of the key, Eve can easily find the value of the key, Eve can easily find the relationshiprelationship between between plaintext differences and ciphertext differences, if by plaintext differences and ciphertext differences, if by plaintext difference plaintext difference we mean we mean P1 P1 P2 P2 and by and by ciphertext ciphertext differencedifference, we mean , we mean C1C1 C2 C2. The following proves that C1 . The following proves that C1 C2 = P1 C2 = P1 P2: P2:
Figure 5.18 Diagram for Example 5.13
5.49
Example 5.14
5.1.6 Continued
We add one S-box to Example 5.13, as shown in Figure 5.19. S-We add one S-box to Example 5.13, as shown in Figure 5.19. S-box prevents Eve from finding a box prevents Eve from finding a definitedefinite relationship between relationship between the plaintext differences and the cipher text differences. the plaintext differences and the cipher text differences.
Figure 5.19 Diagram for Example 5.14
5.50
Example 5.14 Continued
5.1.6 Continued
Eve now can create a probabilistic relationship. Eve now can create a probabilistic relationship.
Table 5.4 Differential input/output
5.51
Example 5.15
5.1.6 Continued
The heuristic result of Example 5.14 can create probabilistic The heuristic result of Example 5.14 can create probabilistic information for Eve as shown in Table 5.5. information for Eve as shown in Table 5.5.
Table 5.5 Differential distribution table
5.52
or X1=111
If X1 = 101 K = 111
Example 5.16
5.1.6 Continued
Looking at Table 5.5, Eve knows that if PLooking at Table 5.5, Eve knows that if P11 P P22 = 001, then C = 001, then C11
CC22 = 11 with the probability of 0.50 (50 percent). She tries C = 11 with the probability of 0.50 (50 percent). She tries C11 = =
00 and gets 00 and gets PP11 = 010 = 010 (chosen-ciphertext attack). She also tries C (chosen-ciphertext attack). She also tries C22
= 11 and gets P= 11 and gets P22 = 011 (another chosen-ciphertext attack). Now = 011 (another chosen-ciphertext attack). Now
she tries to work backward, based on the first pair, Pshe tries to work backward, based on the first pair, P11 and C and C11,,
The two tests confirm that K = 011 or K =101.The two tests confirm that K = 011 or K =101.
101
5.53
5.1.6 Continued
Differential cryptanalysis is based on a nonuniform differential distribution table of the S-boxes in a
block cipher.
Note
5.54
Figure 5.20 A simple cipher with a linear S-box
5.1.6 Linear Cryptanalysis
5.55
5.1.6 Continued
Solving for three unknowns, we get.
This means that three known-plaintext attacks can find the values of k0, k1, and k2 .
5.56
5-2 MODERN STREAM CIPHERS5-2 MODERN STREAM CIPHERS
In a modern stream cipher, encryption and decryptionIn a modern stream cipher, encryption and decryptionare done r bits at a time. We have a plaintext bit are done r bits at a time. We have a plaintext bit stream P = pstream P = pnn…p…p2 2 pp11, a ciphertext bit stream , a ciphertext bit stream
C = cC = cnn…c…c2 2 cc11, and a key bit stream K = k, and a key bit stream K = knn…k…k2 2 kk11, in , in
which pwhich pii , c , cii , and k , and kii are r-bit words. are r-bit words.
5.2.1 Synchronous Stream Ciphers5.2.2 Nonsynchronous Stream Ciphers
Topics discussed in this section:Topics discussed in this section:
5.57
5.2 Continued
In a modern stream cipher, each r-bit word in the plaintext stream is enciphered using an r-bit word in the key stream to create the corresponding r-bit
word in the ciphertext stream.
Note
Figure 5.20 Stream cipher
5.58
5.2.1 Synchronous Stream Ciphers
In a synchronous stream cipher the key is independent of the plaintext or ciphertext.
Note
Figure 5.22 One-time pad
5.59
Example 5.17
5.2.1 Continued
What is the pattern in the ciphertext of What is the pattern in the ciphertext of a one-time pad cipher a one-time pad cipher in each of the following cases?in each of the following cases?
a.a.The plaintext is made of The plaintext is made of nn 0’s. 0’s.
b.b.The plaintext is made of The plaintext is made of nn 1’s. 1’s.
SolutionSolutiona.a. Because Because 0 0 kkii = = kkii , the ciphertext stream is the same as , the ciphertext stream is the same as
the key stream. If the key stream is random, the the key stream. If the key stream is random, the ciphertext is also random. The patterns in the plaintext ciphertext is also random. The patterns in the plaintext are not preserved in the ciphertext.are not preserved in the ciphertext.
b.b. BecauseBecause 1 1 kkii = = kkii wherewhere kkii is the complement ofis the complement of kki i , , the the
ciphertext stream is the complement of the key stream. If ciphertext stream is the complement of the key stream. If the key stream is random, the ciphertext is also random. the key stream is random, the ciphertext is also random. Again the patterns in the plaintext are not preserved in Again the patterns in the plaintext are not preserved in the ciphertext.the ciphertext.
5.60
Example 5.7
5.2.1 Continued
Solution: Solution:
c. In this case, each bit in the ciphertext stream is either the c. In this case, each bit in the ciphertext stream is either the same as the corresponding bit in the key stream or the same as the corresponding bit in the key stream or the complement of it. Therefore, the result is also a random complement of it. Therefore, the result is also a random string if the key stream is random.string if the key stream is random.
d. In this case, the ciphertext is definitely random because the d. In this case, the ciphertext is definitely random because the exclusive-or of two random bits results in a random bit.exclusive-or of two random bits results in a random bit.
(Continued)
c. The plaintext is made of alternating 0’s and 1’s.c. The plaintext is made of alternating 0’s and 1’s.
d. The plaintext is a random string of bits.d. The plaintext is a random string of bits.
5.61
Figure 5.23 Feedback shift register (FSR)
5.2.1 Continued
5.62
Figure 5.24 LSFR for Example 5.18
5.2.1 Confidentiality
Create a linear feedback shift register with 5 cells in which Create a linear feedback shift register with 5 cells in which bb55 = = bb44 bb22 bb00 ..
SolutionSolutionIf If ccii = 0, = 0, bbii has no role in calculation of has no role in calculation of bbmm. This means that . This means that bbii
is not connected to the feedback function. If is not connected to the feedback function. If ccii = 1, = 1, bbii is is
involved in calculation of involved in calculation of bbmm. In this example, c1 and c3 are . In this example, c1 and c3 are
0’s, which means that we have only three connections. Figure 0’s, which means that we have only three connections. Figure 5.24 shows the design.5.24 shows the design.
5.63
Example 5.19
5.2.1 Continued
Create a linear feedback shift register with 4 cells in which Create a linear feedback shift register with 4 cells in which bb44 = = bb11 bb00. Show the value of output for 20 transitions . Show the value of output for 20 transitions
(shifts) if the seed is (0001)(shifts) if the seed is (0001)22..
SolutionSolutionFigure 5.25 LFSR for Example 5.19
5.64
Table 4.6 Cell values and key sequence for Example 5.19
5.2.1 ContinuedExample 5.19 (Continued)
5.65
Table 4.6 Continued
5.2.1 ContinuedExample 5.19 (Continued)
5.66
5.2.1 Continued
Note that the key stream is Note that the key stream is 100010011010111 10001….100010011010111 10001…. This This looks like a random sequence at first glance, but if we go looks like a random sequence at first glance, but if we go through more transitions, we see that the sequence is through more transitions, we see that the sequence is periodic. It is a repetition of 15 bits as shown below:periodic. It is a repetition of 15 bits as shown below:
The key stream generated from a LFSR is a pseudorandom The key stream generated from a LFSR is a pseudorandom sequence in which the the sequence is repeated after sequence in which the the sequence is repeated after NN bits. bits.
The maximum period of an LFSR is to 2m − 1.
Note
Example 5.19 (Continued)
5.67
In a nonsynchronous stream cipher, each key in the key stream depends on previous plaintext or ciphertext.
5.2.2 Nonsynchronous Stream Ciphers
In a nonsynchronous stream cipher, the key depends on either the plaintext or ciphertext.
Note
Biometrics and Cryptography 68
Properties that one would like to have in an encryption scheme
• Easy to encrypt• Easy to decrypt• Provides fast encryption and decryption speed• Minimal bandwidth expansion• Generate diffusion and confusion (security)
