“Implementation of a RC5 block cipher algorithm and implementing an attack on it”
-
Upload
ramona-hopkins -
Category
Documents
-
view
50 -
download
1
description
Transcript of “Implementation of a RC5 block cipher algorithm and implementing an attack on it”
““Implementation of a RC5 block cipher algorithm Implementation of a RC5 block cipher algorithm and implementing an attack on it”and implementing an attack on it”
Cryptography Team Presentation 1Cryptography Team Presentation 1
About RC5About RC5
◦Fast symmetric block cipher
◦Same key for encryption and decryption
◦Plaintext and ciphertext are fixed-length bit sequences (blocks)
Parameters of RC5Parameters of RC5
◦RC5 – w/r/b E.g. RC5 – 32/16/10◦w = 32 bits◦r = 16 rounds◦b = 10-byte (80-bit) secret key variable◦ t = 2 (r + 1) = 2 (16 + 1) = 34 rounds
Important parameters in detailsImportant parameters in details“w”(bits) – variable word size
Allowable choice for “w” in RC5– 16,32 and 64 Suggested 32 “Two” word input (plaintext) block size – 64-bit plaintext “Two” word output (ciphertext) block size – 64-bit ciphertext
Design accepts all w > 0 Variable word size can exploit longer word length of
processors like 64 – bit processors.
Important parameters in detailsImportant parameters in details“r” – variable number of rounds
Tradeoff between high speed and high security. Allowed values 0-255 Suggested – 12
Higher the number of rounds provides increased level of security.
“S” – Expanded key table – derived from user’s secret key. “t” – The size of table “S” (depends on “r”)◦ t = 2 ( r + 1 ) words.
Important parameters in detailsImportant parameters in details“b” – variable length secret cryptographic key◦The number of bytes in the secret key K.◦16 bytes suggested with allowed values from 0 – 255
“K” – The b-byte secret key : K[0], K[1], ..., K[b-1].
Discussion on parametersDiscussion on parametersRC5 cannot be secure for all possible values◦r = 0
No rounds of security will provide no encryption◦r = 1
One round will provide very less security As a matter of fact, it can be easily broken
◦b = 0 No key, no security
◦Maximum allowable parameter values will be overkill.◦Nominal Choice Proposed
RC5 – 32/12/16
Notation and RC5 Primitive OpsNotation and RC5 Primitive OpsThree Primitive operations(and their inverses)◦Two’s complement addition of words, modulo 2w
‘+’ Inverse op , subtraction, ‘-’
◦Bit-wise exclusive OR of words, denoted by ⊕◦A left-rotation of words
x <<< y , cyclic rotation of word x left by y bits One word of the intermediate results is cyclically rotated by an
amount determined bits of another intermediate results. The inverse operation is right-rotation, x>>>y
NoteNoteWe see that rotations are ‘rotations by variable
amount’ that is plaintext dependent
We know that on modern microprocessors, a variable rotation takes constant-time◦Time is independent of the rotation amount y
No other non-linear operations in RC5
Strength,therefore, relies on data-dependent rotations
RC5 AlgorithmRC5 AlgorithmThree parts:-◦Key Expansion◦Encryption Algorithm◦Decryption Algorithm
RC5 Algorithm – Key ExpansionRC5 Algorithm – Key ExpansionRequirements of key expansion◦Filling the expanded key table array S[0…t – 1] with
random binary words “t” – Size of table “S” => 2 ( r+1 )
◦S table is not an “S-box” like DES. Entries in S sequentially, one at a time.
◦Random binary words are derived from the K.
RC5 Algorithm – Key ExpansionRC5 Algorithm – Key ExpansionStarting with two magic constants◦Two word-sized binary constants ◦Pw = Odd((e - 2) 2w )
◦ Qw = Odd((φ – 1) 2w ) e = 2.718281828459… (base of natural logarithms) Φ = 1.618033988749… (golden ratio),
◦Where, Odd(x) is the odd integer nearest to x◦For w = 16 and 32 in hexadecimal form
P16 = b7e1 Q16 = 9e37 P32 = b7e15163 Q32 = 9e3779b9
RC5 Algorithm – Key ExpansionRC5 Algorithm – Key ExpansionConverting the Secret Key from Bytes to Words
◦c = ceiling(b/u) words◦Pseudo code for conversion:-
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf
RC5 Algorithm – Key ExpansionRC5 Algorithm – Key ExpansionInitializing the S Array◦Initialization to a particular fixed(key- independent)
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf
RC5 Algorithm – Key ExpansionRC5 Algorithm – Key ExpansionMixing in the Secret Key◦Pseudo code:-
Image Source: http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf
RC5 AlgorithmRC5 AlgorithmEncryption Algorithm◦Two w-bit words are denoted as A and B
A = A + S[0];B = B + S[1];for i = 1 to r do
A = (( A ⊕ B ) <<< B ) + S[ 2 * i ];B = (( B ⊕ A) <<< A ) + S[ 2 * i + 1];
The output is in the registers A and B.Work is done on both A and B, unlike DESwhere only half input is updated.
Image Source: http://en.wikipedia.org/wiki/File:RC5_InfoBox_Diagram.svg
RC5 AlgorithmRC5 AlgorithmDecryption Algorithm◦(easily derived from encryption)◦Two w-bit words are denoted as A and B
for i = r downto 1 doB = (( B – S[ 2 * i + 1 ]) >>> A) ⊕ A;A = (( A – S[ 2 * i ] >>> B) ⊕ B;
B = B - S[1];A = A - S[0];
The output is in the registers A and B.
Important NotesImportant NotesData dependent rotations – amount of rotation is not
pre-determined.The behavior of each round is different as the
rotation amount is different. ◦Each round ends by adding expanded key from S
It was experimentally[1] determined that after eight rounds in RC5-32, each message bit affected some rotation amount.
[1]: Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (pdf). Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e. pp. 86–96.
Next PresentationNext PresentationDifferential Attack will be performed.◦Difficult because bits are rotated to “random” positions in
each round.
Analysis of the requirements of the attack.
Analysis of the results of the attack.
ReferencesReferences Rivest, R. L. (1994). "The RC5 Encryption Algorithm" (pdf).
Proceedings of the Second International Workshop on Fast Software Encryption (FSE) 1994e. pp. 86–96. http://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf
RC5 Encryption Diagram◦ http://en.wikipedia.org/wiki/File:RC5_InfoBox_Diagram.svg◦ http://en.wikipedia.org/wiki/RC5