Conventional crypto - Noack
Block ciphers
Structure of a multiround block cipher
Structure of each round
Chaining modes for block ciphers
Differential and linear cryptanalysis
Structure of multiround block ciphers
These are private-key (symmetric) ciphers: the same key is used to encrypt and to decrypt
Each single round must be invertible
Key scheduling rounds do not need to be invertible
If the key is constant from block to block, this is a monoalphabetic substitution, but over a huge alphabet (2^64 symbols for a 64-bit block)
Strength comes from confusion and diffusion applied repeatedly
Figure: encryption passes the plaintext input through a chain of single rounds, each keyed by the corresponding key scheduling round, to produce the ciphertext out; decryption takes the ciphertext in through the inverses of the single rounds, in reverse order, back to the plaintext output.
Structure of a single round
Invertible operations can include
Bitwise exclusive or
Addition modulo 2^n on n-bit words
Multiplication in a Galois field (conventional multiplication is not invertible in general)
Permutation of bit positions
Figure: partially encrypted text from the previous round enters a nonfeedback network of invertible operations, together with the key for this round from the key scheduler; the result is the partially encrypted text passed to the next round.
Example of an invertible operation: if C = K xor A, then A = K xor C.
The Feistel block is a reversible round
Figure: in one Feistel round, one half of the block (left half_i / right half_i) is both copied unchanged to the next round and fed through the one-way (nonreversible) block; the output of that block is XORed into the other half. The results are left half_{i+1} and right half_{i+1}.
Note: this block is reversible
The direction of signal flow does not change in the one-way block, so it is only ever evaluated forwards
The XOR is a reversible device
More on the Feistel block
Characteristics and limitations
Essentially any one-way function can be used; it does not have to be reversible, because decryption never evaluates it backwards
Because the block scrambles only one half of the partial text at a time it is possibly weaker than other ciphers, but more rounds (typically 16) can be used
The one-way function is half the width of the block, so a 64-bit block can be encrypted efficiently on a 32-bit processor
The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-plaintext attack. With enough rounds the attack becomes impractical and the cipher is usable.
The equations for the Feistel block
Comments
These equations are valid for any Feistel block, regardless of the particular one-way function used
They are the basis for differential and linear cryptanalysis
A large number of present-day ciphers, but not all, use Feistel
The direct transformation: $L_{i+1} = R_i$, $R_{i+1} = L_i \oplus F(R_i, K_i)$
The inverse transformation: $R_i = L_{i+1}$, $L_i = R_{i+1} \oplus F(L_{i+1}, K_i)$
The recurrence relation used in differential cryptanalysis (eliminating $R$ with $R_i = L_{i+1}$): $L_{i+2} = L_i \oplus F(L_{i+1}, K_i)$
The one-way function for DES
Components
E-box: expansion and permutation (32 bits in, 48 bits out)
S-box: substitution, each a 64 by 4 bit memory or array (6 bits in, 4 bits out); eight S-boxes per round
P-box: permutation only (32 bits in, 32 bits out)
E and P boxes were hardwired
S-boxes were in on-chip ROM: 256 bytes per round (8 boxes x 64 entries x 4 bits)
Figure: the DES one-way function. The 32-bit input half is expanded and permuted by the E-box to 48 bits, XORed with the 48-bit per-stage keyword, split into eight 6-bit groups that each index a 64x4 S-box producing 4 bits (32 bits in total), and finally permuted by the P-box to give the 32-bit output half.
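The Feistel structure and the DES-shaped one-way function from the preceding slides, as an added example that is not part of the Noack slides: a generic Feistel network whose round function F has the DES shape (E-box 32 to 48 bits, XOR with a 48-bit round key, eight 64-by-4 S-boxes back to 32 bits, P-box permutation). The E, S and P tables are constructed toy tables from a fixed PRNG seed, not the real DES tables, and the SHA-256 key schedule is likewise a stand-in. The point it shows is that decryption reuses the same network with the round keys reversed and never inverts F, which could not be inverted anyway since it maps 48 bits onto 32, and that the left halves obey the recurrence used by differential cryptanalysis.

```python
"""Generic Feistel network with a DES-shaped round function.

Added example: the widths match DES (32-bit half -> E-box -> 48 bits, XOR a
48-bit round key, eight 6-in/4-out S-boxes -> 32 bits, P-box -> 32 bits), but
the E, S and P tables are constructed toy tables, not the real DES tables, and
the key schedule is a SHA-256 stand-in.
"""
import hashlib
import random

MASK32 = 0xFFFFFFFF

# Toy tables, generated from a fixed seed so every run is reproducible.
_rng = random.Random(0x5DE5)
# E-box: 48 output positions, each naming one of the 32 input bits; as in DES,
# 16 input bits are used twice so that 32 bits expand to 48.
E_BOX = list(range(32)) + _rng.sample(range(32), 16)
_rng.shuffle(E_BOX)
# Eight S-boxes, each a 64-entry table of 4-bit values (64 x 4 bits = 32 bytes,
# so 256 bytes of table per round, as on the DES slide).
S_BOXES = [[_rng.randrange(16) for _ in range(64)] for _ in range(8)]
# P-box: a permutation of the 32 bit positions, no expansion.
P_BOX = list(range(32))
_rng.shuffle(P_BOX)


def _select_bits(value, positions):
    """Build an output word by reading the given input bit positions in order."""
    out = 0
    for pos in positions:
        out = (out << 1) | ((value >> pos) & 1)
    return out


def expand(half32):
    """E-box: 32 -> 48 bits (expansion and permutation)."""
    return _select_bits(half32, E_BOX)


def substitute(x48):
    """Eight S-boxes: each consumes 6 bits and emits 4, so 48 -> 32 bits."""
    out = 0
    for i in range(8):
        six = (x48 >> (6 * (7 - i))) & 0x3F
        out = (out << 4) | S_BOXES[i][six]
    return out


def permute(x32):
    """P-box: permutation only, 32 -> 32 bits."""
    return _select_bits(x32, P_BOX)


def F(half32, key48):
    """DES-shaped one-way function: 32-bit half + 48-bit key -> 32 bits.
    It is not invertible (the S-box stage maps 48 bits onto 32), and it never
    needs to be: the Feistel network only ever evaluates it forwards."""
    return permute(substitute(expand(half32) ^ key48))


def key_schedule(key, rounds=16):
    """Stand-in key scheduler: 48-bit round keys from SHA-256. As the slides
    note, the scheduler does not need to be invertible."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:6], "big")
            for r in range(rounds)]


def feistel_encrypt(block64, round_keys):
    """L_{i+1} = R_i ; R_{i+1} = L_i xor F(R_i, K_i), then a final swap."""
    L, R = block64 >> 32, block64 & MASK32
    for k in round_keys:
        L, R = R, L ^ F(R, k)
    return (R << 32) | L


def feistel_decrypt(block64, round_keys):
    """Decryption is the same network with the round keys in reverse order."""
    return feistel_encrypt(block64, list(reversed(round_keys)))


def left_halves(block64, round_keys):
    """Return L_0 .. L_n, which must satisfy L_{i+2} = L_i xor F(L_{i+1}, K_i),
    the recurrence used by differential cryptanalysis."""
    L, R = block64 >> 32, block64 & MASK32
    halves = [L]
    for k in round_keys:
        L, R = R, L ^ F(R, k)
        halves.append(L)
    return halves


if __name__ == "__main__":
    ks = key_schedule(b"toy key")
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, ks)
    print(f"ct = {ct:016x}, round trip ok = {feistel_decrypt(ct, ks) == pt}")
```

The final swap after the last round is what makes decryption literally the same function with the key list reversed; without it the halves would come out crossed and the caller would have to swap them by hand.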
DES – the Data Encryption Standard
Standardized by NBS (now NIST) in the mid-1970s
Key length is 56 bits: brute force takes on average 2^55 ≈ 3.6 x 10^16 trials
This size has always been suspect: special-purpose machines to break it have been built for less than $250K
The original standard required hardware implementation; it is now almost always done in software
The permutation operations are inefficient in software; the S-boxes are no problem
Suspicion centers on whether the S-boxes contain trapdoors and whether governments and big corporations have built cryptanalysis tools
Cryptanalysis tools almost certainly yes, trapdoors likely not
Differential cryptanalysis was known to the designers but not public when DES was developed
The standard is still in use as Triple DES with 168-bit keys (three DES keys), although meet-in-the-middle attacks reduce its effective strength to about 112 bits
Chaining algorithms
ECB (Electronic CodeBook) mode
Basic method: each block is encrypted independently under the same key, so identical plaintext blocks give identical ciphertext blocks
Susceptible to known plaintext if the structure of the early blocks is known
Examples are .gif, .jpg and .doc files, whose headers are fixed and predictable
A missing or corrupted block affects only that block; the rest can still be recovered
Figure: ECB encryption. Each plaintext block P0, P1, P2 ... Pn goes separately through the block encryption under the session key (the same for all blocks) to give C0, C1, C2 ... Cn.
ECB and its inverse
Figure: ECB and its inverse. Top: each plaintext block P0, P1, P2 ... Pn goes through the block encryption under the session key (the same for all blocks) to give C0, C1, C2 ... Cn. Bottom: each ciphertext block C0, C1, C2 ... Cn goes through the block decryption under the same session key to recover P0, P1, P2 ... Pn.
Other chaining modes
CBC – Cipher block chaining: each plaintext block is XORed with the previous ciphertext block (the IV for the first block) before it is encrypted
CFB – Cipher feedback: the previous ciphertext (a partial block) is fed forward through the cipher each time and the output is XORed with the plaintext
OFB – Output feedback: a partial block is fed forward, but the fed-back block is not related to the text, just to the IV, so the keystream depends only on the key and IV
Counter – The counter is encrypted, then the result is XORed with the plaintext; another stream mode
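The ECB weaknesses from the previous slides and the chaining modes listed above, as an added example that is not part of the Noack slides. The 8-byte block cipher underneath is a stand-in (a 4-round Feistel network with a truncated-SHA-256 round function), chosen only because it is a keyed permutation that fits in a few lines; the key, IV, nonce and the sample "file" with a repeated header block are constructed values. It shows the three things the slides assert: ECB reveals repeated plaintext blocks while CBC and counter mode do not; in ECB a lost block costs only that block; in CBC a lost block garbles one further block and then the chain resynchronises.

```python
"""ECB versus CBC versus counter mode over a stand-in 8-byte block cipher.

Added example, not from the Noack slides. block_encrypt is a 4-round Feistel
network with a truncated-SHA-256 round function: a toy keyed permutation that
is adequate for demonstrating mode behaviour, not a real cipher.
"""
import hashlib

BLOCK = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, r, half):
    """Round function: 4 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key, block):
    L, R = block[:4], block[4:]
    for r in range(4):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L


def block_decrypt(key, block):
    L, R = block[:4], block[4:]
    for r in reversed(range(4)):
        L, R = R, _xor(L, _f(key, r, R))
    return R + L


def _blocks(data):
    assert len(data) % BLOCK == 0, "example assumes input already padded to 8 bytes"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    """Each block independently: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    """Previous ciphertext block (IV first) is XORed into the plaintext before encryption."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, nonce4, data):
    """Counter mode: encrypt nonce||counter, XOR with the text. The same call
    encrypts and decrypts, and a final partial block needs no padding."""
    out = []
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce4 + (i // BLOCK).to_bytes(4, "big"))
        out.append(_xor(data[i:i + BLOCK], keystream))  # zip truncates the keystream
    return b"".join(out)


def repeated_blocks(ct):
    """Indices of ciphertext blocks identical to an earlier block: the ECB leak."""
    seen, repeats = set(), []
    for i, c in enumerate(_blocks(ct)):
        if c in seen:
            repeats.append(i)
        seen.add(c)
    return repeats


def drop_block(ct, index):
    """Simulate a ciphertext block lost in transit."""
    bs = _blocks(ct)
    del bs[index]
    return b"".join(bs)


# Constructed sample: a "file" whose first two blocks are a fixed, repeated header.
KEY = b"session key 0001"
IV = bytes(range(8))
NONCE = b"\x00\x01\x02\x03"
PLAINTEXT = b"HEADER!!" + b"HEADER!!" + b"payload1" + b"payload2"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, PLAINTEXT)))
```

repeated_blocks is the same check a practitioner runs against an unknown ciphertext to recognise ECB: with a real file format the fixed header plus any run of identical blocks (a blank image region, zero padding) shows up as duplicate ciphertext blocks, and the IV in CBC or the counter in CTR is exactly what removes that structure.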