Lecture Four - University of Massachusetts Amherst


Page 1:

Lecture Four

Today’s Topics

  Historic symmetric ciphers
  Modern symmetric ciphers
    DES, AES
  Asymmetric ciphers
    RSA

  Next class: Protocols

Page 2:

Example Ciphers

  Shift cipher: each plaintext character is replaced by the character k positions to its right. (When k=3, it’s a Caesar cipher.)
  “Watch out for Brutus!” => “Jngpu bhg sbe Oehghf!”
  Only 25 choices! Not hard to break by brute force.

  Substitution cipher: each character in the plaintext is replaced by a corresponding character of ciphertext.
  E.g., cryptograms in newspapers.

plaintext code:  a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext code: m n b v c x z a s d f g h j k l p o i u y t r e w q

  26! possible mappings. Is it really that hard to break?

Page 3:

Substitution ciphers

  The Caesar cipher has a small key space and, worse, does not make the ciphertext statistically independent of the plaintext.

  The best ciphers allow no statistical attacks, thereby forcing a brute-force, exhaustive search; all the security lies with the key space.

  As cryptographic algorithms matured, the statistical independence between the plaintext and ciphertext increased.
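The following Python program is an added example (not part of the lecture slides) that makes the last three bullets concrete. It encrypts the slide's example with a shift of 13, recovers the shift of a longer ciphertext from letter statistics alone, and shows that the general substitution cipher from the previous slide leaves the letter histogram untouched, which is exactly the statistical dependence the slide is warning about. The English letter-frequency table and the sample sentence are constructed inputs; the shift and the cipher alphabet are the slide's own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text.
ENGLISH_FREQ = {
    'a': 8.2, 'b': 1.5, 'c': 2.8, 'd': 4.3, 'e': 12.7, 'f': 2.2, 'g': 2.0,
    'h': 6.1, 'i': 7.0, 'j': 0.15, 'k': 0.77, 'l': 4.0, 'm': 2.4, 'n': 6.7,
    'o': 7.5, 'p': 1.9, 'q': 0.095, 'r': 6.0, 's': 6.3, 't': 9.1, 'u': 2.8,
    'v': 0.98, 'w': 2.4, 'x': 0.15, 'y': 2.0, 'z': 0.074,
}

def shift_encrypt(text, k):
    """Shift cipher: each letter is replaced by the letter k places to its right
    (k=3 is the Caesar cipher; the slide's example uses k=13). Case is kept and
    non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return ''.join(out)

def shift_decrypt(text, k):
    return shift_encrypt(text, -k)

def substitution_encrypt(text, cipher_alphabet):
    """General substitution: plaintext letter i maps to cipher_alphabet[i] (26! possible alphabets)."""
    table = {p: c for p, c in zip(ALPHABET, cipher_alphabet)}
    return ''.join(table.get(ch, ch) for ch in text.lower())

def letter_histogram(text):
    """Counts of each letter, ignoring case and non-letters: the statistic both ciphers leak."""
    return Counter(ch for ch in text.lower() if ch in ALPHABET)

def chi_squared(text):
    """Distance between the letter counts of `text` and English; lower is more English-like."""
    hist = letter_histogram(text)
    n = sum(hist.values())
    return sum((hist[ch] - ENGLISH_FREQ[ch] * n / 100) ** 2 / (ENGLISH_FREQ[ch] * n / 100)
               for ch in ALPHABET)

def recover_shift(ciphertext):
    """Try all 26 shifts and keep the one whose decryption looks most like English.
    The key space is so small that every key can be tried, and the statistics
    single out the right one without any human reading the candidates."""
    return min(range(26), key=lambda k: chi_squared(shift_decrypt(ciphertext, k)))

# Constructed sample inputs (not from the slides).
SAMPLE = ("the lecture covers the historic ciphers first and then the modern designs that "
          "replaced them, because each weakness of the old systems explains a design rule of "
          "the new ones: the key space must be large and the ciphertext must reveal nothing "
          "about the statistics of the plaintext")
SLIDE_ALPHABET = "mnbvcxzasdfghjklpoiuytrewq"   # the cipher alphabet from the slide's substitution example

if __name__ == "__main__":
    print(shift_encrypt("Watch out for Brutus!", 13))        # Jngpu bhg sbe Oehghf!
    print("recovered shift:", recover_shift(shift_encrypt(SAMPLE, 7)))   # 7
    same = letter_histogram(SAMPLE).values() == letter_histogram(substitution_encrypt(SAMPLE, SLIDE_ALPHABET)).values()
    print("substitution keeps the histogram:", sorted(letter_histogram(SAMPLE).values())
          == sorted(letter_histogram(substitution_encrypt(SAMPLE, SLIDE_ALPHABET)).values()))
```

The substitution cipher has 26! keys, but `letter_histogram` returns the same multiset of counts before and after encryption, so the most frequent ciphertext symbol is almost certainly the image of `e`; the size of the key space is irrelevant when the statistics survive.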

Page 4:

Ciphers

  The Caesar cipher, Hill cipher, and Playfair cipher all work with a single alphabet for doing substitutions.
  They are monoalphabetic substitutions.

  A more complex (and more robust) alternative is to use different substitution mappings on various portions of the plaintext.
  These are polyalphabetic substitutions.

Page 5:

More ciphers

  Vigenère cipher: each character of plaintext is encrypted with a different cipher key.
  In the simplest version, each key is a shift cipher:

Plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
C1 (k=6):  f g h i j k l m n o p q r s t u v w x y z a b c d e
C2 (k=20): t u v w x y z a b c d e f g h i j k l m n o p q r s

  Plaintext is encrypted as the sequence C1, C2, C1, C2, …
  The example above has a period of 2: there are two alphabets used.

Page 6:

Breaking the Vigenère cipher

  We assume the algorithm is known. (Safest assumption!)
  The cipher keys repeat with period t. We need to find that period.
  Once we find the period, we can attack each shift cipher independently. (Shift ciphers are cake to break.)
  We must look for occurrences in the ciphertext of plaintext that is repeated at a distance that is a multiple of the key length.

  the man is in the plane on the ground.
  QER ASX AS SD QER SDFWD WE QER SDFWED

  period = 10.

Page 7:

Breaking the Vigenère cipher

  themanisintheplaneontheground
  QERASXASSDQERSDFWDWEQERSDFWED

  period = 10. The chances of this happening three times by accident are small.

  More formally, we can apply statistical measures, like auto-correlation, to the ciphertext.

  Intuitively, guess that the period is no larger than L.
  For each letter of ciphertext, C_i, count how often C_i = C_(i+T), where 1 < T < L.
  Plot the counts for all T; the period will appear as a spike on the graph.
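The period test above, as an added Python example that is not part of the lecture: it implements the slide's Vigenère as a sequence of shift ciphers C1, C2, …, then counts, for each offset T, how often C_i = C_(i+T), which is the auto-correlation the slide describes. The 29-letter ciphertext is the slide's own toy example; the key "enigma", the English paragraph and the bound L on the period are constructed inputs.

```python
import string

ALPHABET = string.ascii_lowercase

def clean(text):
    """Letters only, lower case: the classical ciphers ignore spacing and punctuation."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)

def vigenere(text, key, decrypt=False):
    """Position i is enciphered with the shift cipher whose shift is key letter i mod len(key):
    the slide's C1, C2, C1, C2, ... pattern. Ciphertext is returned in upper case."""
    shifts = [ALPHABET.index(ch) for ch in clean(key)]
    sign = -1 if decrypt else 1
    out = "".join(ALPHABET[(ALPHABET.index(ch) + sign * shifts[i % len(shifts)]) % 26]
                  for i, ch in enumerate(clean(text)))
    return out if decrypt else out.upper()

def coincidence_counts(ciphertext, max_period):
    """The slide's auto-correlation: for each offset T = 1..max_period, the number of positions i
    with C_i == C_(i+T). At a multiple of the period both letters were shifted by the same key
    letter, so they agree whenever the plaintext letters agree (about 6.6% of pairs in English);
    at other offsets they agree only by chance (about 3.8%)."""
    c = clean(ciphertext)
    return {T: sum(1 for i in range(len(c) - T) if c[i] == c[i + T])
            for T in range(1, max_period + 1)}

def guess_period(ciphertext, max_period):
    """The spike on the slide's plot: the offset with the highest coincidence count."""
    counts = coincidence_counts(ciphertext, max_period)
    return max(counts, key=counts.get)

def split_columns(ciphertext, period):
    """Letters that share a key position form one plain shift cipher each, to be attacked independently."""
    c = clean(ciphertext)
    return [c[i::period] for i in range(period)]

SLIDE_CIPHERTEXT = "QERASXASSDQERSDFWDWEQERSDFWED"   # the slide's toy example, period 10

# Constructed English sample (not from the slides), long enough for the statistics to show.
SAMPLE_PLAINTEXT = (
    "the vigenere cipher was long believed to be unbreakable because it hides the single "
    "letter frequencies of the plaintext behind several shift alphabets a letter that is "
    "common in english no longer maps to one common symbol in the ciphertext so the plain "
    "frequency count that defeats a caesar cipher fails the weakness is the short repeating "
    "key every pair of positions that lies a multiple of the key length apart is enciphered "
    "with the same shift and two equal plaintext letters at such positions produce two equal "
    "ciphertext letters by sliding the ciphertext against itself and counting how often the "
    "letters agree at each offset an analyst sees a clear peak wherever the offset is a "
    "multiple of the period once the period is known the message splits into that many "
    "separate shift ciphers and each of them falls to the same frequency count that works "
    "against caesar this is why modern ciphers are designed so that no statistical relation "
    "between plaintext and ciphertext survives and why the whole security must rest in the "
    "size of the key space rather than in the secrecy of the method a defender who knows this "
    "history also knows why short keys reused keys and predictable keys remain dangerous in "
    "systems that are otherwise built from strong components the same lesson returns in "
    "every era the rotor machines pushed the period into the millions yet their operators "
    "still reused settings and their indicators still leaked structure and the analysts of "
    "the day exploited exactly those habits the modern block cipher replaces the rotor with "
    "rounds of substitution and permutation that spread every input bit across the whole "
    "output so that flipping one bit of the message changes about half of the bits of the "
    "result that property rather than any clever key schedule is what finally removed the "
    "statistical handle that broke every classical design"
)
KEY = "enigma"   # constructed key: six distinct letters, so the period is 6

if __name__ == "__main__":
    print(coincidence_counts(SLIDE_CIPHERTEXT, 15))            # T=10 gives 10, every other T at most 4
    ct = vigenere(SAMPLE_PLAINTEXT, KEY)
    print(coincidence_counts(ct, 11), "-> period", guess_period(ct, 11))   # spike at T=6
```

Once `guess_period` has returned the period, `split_columns` yields that many shift ciphers, and each column is recovered exactly as on the earlier slide. Because `coincidence_counts` compares the ciphertext only with itself, nothing about the key or the language is needed before the period is found.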

Page 8:

Permutation (i.e., transposition)

  Permuting the plaintext is another type of cipher technique; it is also referred to as transposition.
  Take the input, rearrange the output in a specific way.
  E.g., by writing the letters in a rectangle and reading the columns in the order the key gives:

    1 3 2 4 5 6 7 8   <- key! (simple)
    t h e l a u n c
    h c o d e i s i
    n t h e d e s k

  = thn eoh hct lde aed uie nss cik

  You can even do this twice with the same key. Better, but…
  Using the technique by itself is weak, as it preserves the frequencies of the letters.
  The stronger, modern ciphers combine permutations and substitutions.
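The rectangle above as an added Python example (not code from the lecture): it reads the columns in the order given by the key, undoes that for decryption, applies the transposition twice as the slide suggests, and checks that the letter histogram is unchanged. The key and the launch-code sentence are the slide's;  the second sentence, whose length is not a multiple of 8, is a constructed input to exercise the ragged last row.

```python
import string
from collections import Counter

def clean(text):
    """Letters only, lower case."""
    return "".join(ch for ch in text.lower() if ch in string.ascii_lowercase)

def columnar_encrypt(plaintext, key):
    """Write the text in rows of len(key) letters, then read the columns in the order the key
    lists them (the key gives 1-based column numbers, as on the slide)."""
    p = clean(plaintext)
    width = len(key)
    rows = [p[i:i + width] for i in range(0, len(p), width)]
    return "".join("".join(row[k - 1] for row in rows if k - 1 < len(row)) for k in key)

def columnar_decrypt(ciphertext, key):
    """Rebuild the columns from their known lengths (the last row may be short), then read the rows."""
    width = len(key)
    full, rem = divmod(len(ciphertext), width)
    cols, pos = {}, 0
    for k in key:
        length = full + (1 if k - 1 < rem else 0)
        cols[k - 1] = ciphertext[pos:pos + length]
        pos += length
    rows = full + (1 if rem else 0)
    return "".join(cols[c][r] for r in range(rows) for c in range(width) if r < len(cols[c]))

def double_transposition(plaintext, key):
    """The slide's 'do this twice with the same key'."""
    return columnar_encrypt(columnar_encrypt(plaintext, key), key)

def letter_histogram(text):
    """Frequency count of letters: transposition moves letters but never changes this."""
    return Counter(clean(text))

SLIDE_KEY = [1, 3, 2, 4, 5, 6, 7, 8]
SLIDE_TEXT = "the launch code is in the desk"
SAMPLE = "meet me at the library after class tomorrow"   # constructed, 36 letters (4 full rows + 4)

if __name__ == "__main__":
    ct = columnar_encrypt(SLIDE_TEXT, SLIDE_KEY)
    print(ct)                                   # thneohhctldeaeduiensscik
    print(columnar_decrypt(ct, SLIDE_KEY))      # thelaunchcodeisinthedesk
    print(letter_histogram(ct) == letter_histogram(SLIDE_TEXT))   # True: frequencies preserved
```

Because `letter_histogram` is identical before and after (and after the double transposition too), frequency analysis still identifies the language and the common letters; only the positions are hidden, which is why the slide pairs permutation with substitution in modern designs.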

Page 9:

Rotors

  Rotor machines have a keyboard and a series of rotors to mechanically assist in the encryption of text.
  Each rotor is an arbitrary permutation of the alphabet.
  Output of one rotor is connected to the input of the next.
  For each character, the rotors shift like an odometer.
  Initial position of the rotors is the key.

  For one rotor, period = 26
  For two rotors, period = 26^2 = 676
  For three, period = 26^3 = 17,576
  For six, 26^6 = 308,915,776
  Not bad!

Page 10:

Two diagrams of the Enigma

http://fn2.freenet.edmonton.ab.ca/~jsavard/crypto/roto02.htm

Page 11:

Modern Cryptography

  Symmetric key algorithms
    Examples:
    DES (Data Encryption Standard)
    IDEA (International Data Encryption Algorithm)
    AES (Advanced Encryption Standard)

  Public/private key algorithms
    Examples: RSA (also El Gamal, elliptic curves)

Page 12:

Diffusion and Confusion (remember: P = plaintext, C = ciphertext)

  The operations of cryptographic algorithms can be explained with two terms:

  Diffusion spreads the influence of single bits of P over as much of C as possible.
    For instance, if we flip a bit of P, each of the bits of C should have about a ½ chance of flipping as well.
    Permutation is a tool for diffusion.

  Confusion obscures the relationship between P and C; it eliminates redundancies and statistical patterns.
    Substitution (that is, table look-up) is a tool for confusion.

  Confusion alone is sufficient for security, but expensive in terms of storage. A 128-bit key-dependent lookup table mapping 64-bit blocks of P to C requires 10^41 bytes of memory.

Page 13:

Symmetric Key Algorithms

There are two basic cipher structures:

  Block ciphers
    Plaintext is treated as n-bit blocks of data
    Ciphertext is the same length as the plaintext
    Can be made to behave as a stream cipher

  Stream ciphers
    Encrypt one bit/byte at a time
    Useful if you have a never-ending, bursty stream of data
    Often easier to analyze mathematically
    Block ciphers can be made to behave as stream ciphers

Page 14:

Feistel Ciphers (also called Feistel Networks)

  Most block ciphers are Feistel networks.

  They approximate substitution cipher behavior using a combination of substitution and permutation (confusion and diffusion).

  Defined in terms of
    Block size
    Key size
    Number of rounds
    Subkey generation algorithm
    Round function F

  Two other considerations
    Speed in software/hardware
    Ease of analysis

Page 15:

Feistel Networks

  Consists of n rounds.
  All rounds are identical.
  P_i is broken into two halves, L_i and R_i.
  The key K is broken into sub-keys K_i, one for each round.
  A round function F is applied to R_(i-1) using K_i:
    L_i = R_(i-1)
    R_i = L_(i-1) xor F(R_(i-1), K_i)
  Decryption is essentially the same as encryption, using the sub-keys K_i in reverse order.

[Diagram: Feistel network. The plaintext is split into L0 and R0; in round i (Round 1 … Round n) the round function F takes R_(i-1) and Key_i, and its output is XORed (⊕) into L_(i-1); the halves are swapped, and after round n the pair (L_n, R_n) is the ciphertext.]

Page 16:

Feistel Networks

  Often Feistel networks make use of substitution boxes, called S-boxes (for instance, in the function F).
  The strength of a Feistel network is tied to the design of its S-boxes.
  The design of the S-box can influence resistance against linear and differential cryptanalysis.
  In general, an S-box substitutes p input bits for q output bits.

  For example: given bits “110011” as input and an S-box:
    Take the first and last bits, “11”, to choose row 3 (in decimal, counting from 0).
    Take the middle four bits, “1001”: column 9.
    E.g., the value from S-box 6 of DES at row 3, column 9 is 14 (“1110”).
    Substitute “1110” for “110011”.

[Figure: S-box 6 from DES, a 4-row by 16-column table of 4-bit values; the outer bits “11” select the row, the middle bits “1001” select the column, and the entry found there is 14.]
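An added Python example (not the lecture's code) of the two ideas on the last two slides: the DES row/column rule for an S-box, and a Feistel network whose decryption is the same loop run with the sub-keys in reverse order. The S-box table is the published DES S-box 6, so the slide's lookup of "110011" can be checked. The 48-bit block, the 24-bit round function built around that single S-box and the key schedule are constructed for illustration and are not DES.

```python
# S-box 6 of DES (published table): 4 rows of 16 four-bit values.
DES_S6 = [
    [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
    [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
    [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
    [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
]

def sbox_lookup(sbox, six_bits):
    """The slide's rule: the outer two bits select the row, the middle four the column; 6 bits in, 4 bits out."""
    if not 0 <= six_bits < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return sbox[row][col]

MASK24 = (1 << 24) - 1   # toy cipher (constructed): 48-bit block, 24-bit halves, not DES's 64/32

def round_function(r, k):
    """Toy F (constructed): XOR the half with the sub-key, push its four 6-bit chunks through S6,
    then spread the 16 result bits back over 24 bits. DES's real f() uses an expansion,
    eight S-boxes and a P-box; any function works here because F is never inverted."""
    t = (r ^ k) & MASK24
    out = 0
    for i in range(4):
        out = (out << 4) | sbox_lookup(DES_S6, (t >> (18 - 6 * i)) & 0x3F)
    return (out ^ (out << 8)) & MASK24

def subkeys(key, rounds):
    """Toy key schedule (constructed): rotate the 24-bit key by 3 bits per round, one sub-key per round."""
    ks, k = [], key & MASK24
    for _ in range(rounds):
        k = ((k << 3) | (k >> 21)) & MASK24
        ks.append(k)
    return ks

def feistel(block, round_keys):
    """The slide's network: L_i = R_(i-1), R_i = L_(i-1) xor F(R_(i-1), K_i) for each sub-key.
    The halves are swapped once more at the end, which is what makes decryption the same loop."""
    left, right = (block >> 24) & MASK24, block & MASK24
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 24) | left

def encrypt(block, key, rounds=16):
    return feistel(block, subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    """Identical network, sub-keys in reverse order."""
    return feistel(block, subkeys(key, rounds)[::-1])

if __name__ == "__main__":
    print(sbox_lookup(DES_S6, 0b110011))            # 14, as on the slide
    pt, key = 0x0123456789AB, 0xC0FFEE             # constructed 48-bit block and 24-bit key
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)))          # ciphertext, then 0x123456789ab again
```

The round function is deliberately weak, and the point is not its strength: `decrypt` contains no inverse of `round_function` at all, only the same XOR with the same F output in the opposite order, which is the property the slide calls "essentially the same as encryption".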

Page 17:

Data Encryption Standard (DES)

  Adopted by the US govt in ’76, dropped recently for AES.
  A 16-round Feistel network with an initial and final permutation of the data.
  Block cipher: data is encrypted in 64-bit blocks.
  Symmetric key algorithm; key length is 56 bits.
  The 56-bit key is transformed into sixteen 48-bit subkeys.
  DES consists of
    an initial permutation of the 64 bits (from the P-box),
    16 identical "rounds" of operation where the data is confused and diffused with the key and the previous round,
    a final permutation (from the P-box).
  Same algorithm for encryption and decryption (sub-keys are used in reverse order for decryption).

Page 18:

DES

  The operation of each round is identical, taking the output of the previous round as input.
  During each round, the rightmost 32 bits of the input are moved to the left 32 bits of the output.
  Then a function f() is run on the left and right halves, and the key.
  The key is shifted for each round.
  A final permutation finishes it.
  Classic Feistel cipher operation!

Page 19:

Curious about DES and f()?

  What’s f()? For round i:
    Take 48 bits of the shifted key.
    Expand the right 32 bits of the data to 48 bits.
    XOR the two together, and then send the result through the S-boxes (the predefined substitution tables).
    The S-boxes produce 32 new bits, which are XORed with the left half of the data.

  Then L_i = R_(i-1)
       R_i = L_(i-1) ⊕ f(R_(i-1), K_i)

  Incredibly, this process is reversible.

Page 20:

DES

  An initial permutation (IP)
  Key transformation
  16 rounds of:
    Expansion permutation of the input (avalanche effect): expands 32 bits to 48 bits, so a single bit affects 2 substitutions and the dependency of output bits on input bits spreads faster.
    S-box substitution (confusion)
    P-box permutation (diffusion)
  A final permutation (IP^-1)

Page 21:

More on DES

  Exhaustive search is the best way to break it; there are 2^56 (about 7x10^17) keys.

  Originally, there were complaints that the NSA fixed the S-boxes to provide a backdoor. This has never been found; the S-boxes appear to be strong even against differential cryptanalysis. (Which means the NSA knew about DC before 1978; it was first described publicly in 1990.)

  In 1999, a machine was built by the EFF for $250K that broke a DES code in 22 hours with exhaustive search.

  Reasonable for a small business to buy even then.

  Stronger ciphers exist… too many to cover here.

Page 22:

Triple DES (3-DES)

  The keyspace of DES is too small.
  3-DES was designed to use the widely installed base of DES.
  Why not just use DES twice?
    Subject to a meet-in-the-middle attack.
    A known-plaintext attack is one order of magnitude harder in double DES than in single DES.
  Alright, how about using 3 keys?
    Key space unwieldy?
    We require backwards compatibility with DES…
  3-DES: choose two 64-bit keys K1 and K2, and encrypt as follows:
    E_K1(D_K2(E_K1(P))) = C
  There is no advantage to using decryption for the second stage. BUT, if K1 = K2 we have backwards compatibility:
    E_K1(D_K1(E_K1(P))) == E_K1(P)
  Provides us with a key space of 2^112 possible keys.

Page 23:

Other Block Ciphers

  International Data Encryption Algorithm (IDEA)
    Used in PGP (Pretty Good Privacy)
    Works on 64-bit input blocks, taken as four 16-bit blocks
    Uses a 128-bit key
    Uses a total of 52 16-bit subkeys, 4 per round
    Decryption uses the same algorithm, with different subkey generation

  Blowfish
    Developed by Bruce Schneier
    Variable key length
    Very fast, compact, simple

  Twofish
    Also developed by Schneier
    Variation of Blowfish
    Competitor for AES (it lost…)

Page 24:

Other Block Ciphers

  GOST (Soviet Union)
  CAST
  SAFER
  Skipjack (used in the Clipper chip)
  Khufu
  LOKI
  There are many others as well…

Page 25:

Advanced Encryption Standard

  Designed to replace DES
  Organized by NIST
  Chosen from five candidate algorithms
  Reviewed by US government (NSA), industry and academia
  Required a four-year process to pick the algorithm
  Winning algorithm “Rijndael” chosen 2 Oct 2000; pronounced “rhine-dahl” or “rain-doll”
  Designed by Joan Daemen and Vincent Rijmen (Belgium).

Page 26:

Rijndael’s strengths

  Good performer in hardware and software in both feedback and non-feedback modes
  Good key setup time and key agility
  Low memory requirements (smart cards)
  Simplicity
  Flexible key and block size: [128, 192, 256] bits
  Variable number of rounds
  Round structure lends itself to instruction-level parallelism

  If you could crack a DES key in one second, it would take 149 trillion years to crack an AES key by brute force at the same speed.

Page 27:

AES

  Rijndael is an iterated block cipher with a variable block length and a variable key length.
  Rijndael does NOT have the Feistel structure.
  Each round consists of three uniform layers.
  Built-in defenses against linear and differential cryptanalysis (the wide trail strategy…)

Page 28:

AES: Definitions

  The algorithm works on blocks of plaintext of b bits.
  The plaintext will be converted to ciphertext, and the current State refers to any intermediate cipher result.
  We can write the State as a rectangular array of bytes, (4 rows)-by-(b/32 columns), i.e., 32 bits per column.
  E.g., for a 128-bit block size, b/32 = 4.

[Figure: the State for a 128-bit block, a 4-by-4 array of bytes a_(i,j) with i the row and j the column, from a_(0,0) to a_(3,3).]

Page 29:

  Key: the shared secret cipher key used for encryption, of size K bits.
  As with the State, it is also considered as a rectangular array of bytes: (4 rows)-by-(K/32 columns).
  RoundKey:
    The zeroth subkey is the original key.
    The next subkeys are derived as in the figure: (for a 128-bit key) each column is 4 bytes, four columns in a row.

[Figure: the Key (or Round Key) for a 128-bit key, a 4-by-4 array of bytes K_(i,j) arranged as four 4-byte columns. To derive the next round key, the last 4-byte column is shifted by 1 byte, passed through the S-box and XORed with a round constant; the result is XORed into the columns of the current key to produce the four 4-byte columns of the next round key.]

Page 30:

AES: The cipher structure

  An initial Round Key addition
  Nr-1 rounds (where Nr depends on Nb and Nk; Nr is always between 10 and 14)
  A final round
  In pseudo-code:

    Rijndael(State, Key) {
        KeyExpansion(Key, expKey)
        AddRoundKey(State, expKey)
        for (i = 1; i < Nr; i++) {          /* the Nr-1 ordinary rounds */
            Round(State, expKey + Nb*i)
        }
        FinalRound(State, expKey + Nb*Nr)
    }

Page 31:

AES: functions

  KeyExpansion(): the cipher key is expanded to a linear array of Nb*(Nr+1) 4-byte words.
  AddRoundKey(): the State is XORed with the round key (which is derived from the cipher key).
  FinalRound() is identical to Round() without the MixColumn() function (which we will see shortly)…

Page 32:

AES: The Round structure

  Again, in pseudo-C:

    Round(State, RoundKey) {
        ByteSub(State)
        ShiftRow(State)
        MixColumn(State)
        AddRoundKey(State, RoundKey)
    }

Page 33:

  ByteSub(): a non-linear byte substitution (basically an S-box).
  ShiftRow(): the rows of the State are cyclically shifted, by amounts that depend on the block size.
  MixColumn(): each column is multiplied as a matrix against a fixed polynomial.
  AddRoundKey(): the State is XORed with the round key (which is derived from the cipher key).

[Figure: the four transformations applied to the State a_(i,j), producing b_(i,j). ByteSub sends each byte through the S-box; ShiftRow leaves row 0 unshifted and cyclically shifts rows 1, 2 and 3 by C1, C2 and C3; MixColumn multiplies each column by the fixed polynomial c(x); AddRoundKey XORs the State with the round key K_(i,j).]
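The four transformations and the cipher structure from the last few slides, as a complete AES-128 in Python. This is an added example written for this page, not code from the lecture or from the Rijndael authors. The State is kept as 16 bytes in column-major order, so index r + 4*c holds a_(r,c); the S-box is computed from the GF(2^8) inverse and affine map instead of being typed in; ShiftRow uses C1, C2, C3 = 1, 2, 3, the values for a 128-bit block; the round loop follows the slide's Rijndael()/Round()/FinalRound() pseudo-code with Nr = 10. The `avalanche()` helper is added to check the diffusion claim on the Diffusion and Confusion slide. The key and plaintext used at the end are the published FIPS-197 Appendix C.1 test vector, which the page itself does not give.

```python
def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    """Multiply two bytes in GF(2^8); used by MixColumn and to build the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """ByteSub table: multiplicative inverse in GF(2^8), then the affine map; S[0x00] = 0x63."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF      # rotate left one bit
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

# The State is a flat list of 16 bytes in column-major order: index r + 4*c is a_(r,c).
def state_rows(state):
    """The slide's 4-by-4 picture of the State, row by row."""
    return [[state[r + 4 * c] for c in range(4)] for r in range(4)]

def byte_sub(state):
    return [SBOX[b] for b in state]

def shift_row(state):
    """Row r is cyclically shifted left by r bytes: C1, C2, C3 = 1, 2, 3 for a 128-bit block."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_column(state):
    """Each column times the fixed polynomial c(x) = 03 x^3 + 01 x^2 + 01 x + 02 over GF(2^8)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gmul(a[r], 2) ^ _gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """KeyExpansion for a 128-bit key: 4 words grow to Nb*(Nr+1) = 44 words. Every 4th word is the
    previous word shifted by one byte, sent through the S-box and XORed with the round constant
    (the figure on the Key slide); the other words are a plain XOR with the word four back."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]   # round keys 0..Nr, 16 bytes each

def aes128_encrypt(plaintext, key):
    """Rijndael(State, Key): AddRoundKey, Nr-1 = 9 rounds of Round(), then FinalRound() without MixColumn."""
    round_keys = key_expansion(bytes(key))
    state = add_round_key(list(plaintext), round_keys[0])
    for i in range(1, 10):
        state = add_round_key(mix_column(shift_row(byte_sub(state))), round_keys[i])
    state = add_round_key(shift_row(byte_sub(state)), round_keys[10])
    return bytes(state)

def avalanche(plaintext, key, bit):
    """Diffusion check: flip one plaintext bit and count the ciphertext bits that change
    (the slide says each of the 128 should flip with about a 1/2 chance)."""
    flipped = bytearray(plaintext)
    flipped[bit // 8] ^= 1 << (bit % 8)
    c1, c2 = aes128_encrypt(plaintext, key), aes128_encrypt(bytes(flipped), key)
    return sum(bin(x ^ y).count("1") for x, y in zip(c1, c2))

if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 Appendix C.1 key 00..0f
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")   # and its plaintext
    print(aes128_encrypt(pt, key).hex())                    # 69c4e0d86a7b0430d8cdb78070b4c55a
    print(avalanche(pt, key, 0))                            # roughly 64 of 128 bits
```

Matching the published ciphertext checks all four layers and the key schedule at once: a wrong byte order in the State, a wrong shift amount or a wrong round constant would each change the output. The avalanche count is the practical meaning of diffusion from the earlier slide; a cipher that changed only a few output bits for a one-bit input change would leak the structure of the plaintext into the ciphertext.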

Page 34:

AES: Rijndael decryption

  Inverse transforms are performed on C. The order of transforms, however, is identical to encryption.
  Slower than encryption (by about 30%).
  Since the inverse cipher is not used in many applications (MAC, CFB, OFB), the developers consider this not a big problem.

Page 35:

Asymmetric key Cryptography

  One problem with symmetric key algorithms is that you need a secure method of telling your partner the key.

  Plus, you need a separate key for everyone you might communicate with.

  Public-key algorithms use a public-key and private-key pair over a message.
    Only the public key can decrypt a message encrypted with the private key.
    Similarly, only the private key can decrypt a message encrypted with the public key.

Page 36:

Public-key Crypto

  If you encrypt a message with my public key, then only I can read it.

  If you can decrypt a message with my public key, then I must have written it.

  First proposed by Whitfield Diffie and Martin Hellman, and independently by Ralph Merkle, in the late 1970s.
  (And by the NSA some time before that.)

  Generally, these algorithms are much slower than symmetric key algorithms.

Page 37:

Public-key Crypto

  A crucial feature is that the private key is difficult to determine from the public key, and that the scheme is robust against chosen-plaintext attacks.

  In practice, a hybrid of symmetric and public-key approaches is used.

  RSA is the most widely used public-key algorithm.
  Let’s discuss RSA, and then come back to a general discussion of public-key crypto.

Page 38:

Rivest, Shamir, and Adleman (RSA)

  Relies on the difficulty of factoring large numbers.
  Choose two large prime numbers, p and q.
  Compute n = pq and z = (p-1)(q-1).
  Choose a number, e, less than n, which has no common factors (other than 1) with z (in other words, e and z are relatively prime).
  Find a number, d, such that ed-1 is exactly divisible (i.e., with no remainder) by z: ed ≡ 1 (mod z).

  The public key that is made available to the world is the pair of numbers (n, e);
  the private key is the pair of numbers (n, d).

Page 39:

RSA

  Private key = (n, d)
  Public key = (n, e)

  Encryption of a character M_i:  C_i = M_i^e (mod n)
  Decryption of a cipher character C_i:  M_i = C_i^d (mod n)

Page 40:

RSA

  Does this actually work out? Trust us… it does…
  Are you going to explain why this actually works? Well… no…
  How does this actually work out?
    If anyone is interested in the slides from last year, just ask…
    All you need is some basic number theory.
    And lots of free time…
  But for those of you still skeptical that it does work, we offer an example…

Page 41:

Example encryption and decryption

  Choose two primes p = 47 and q = 71.
  Then n = pq = 3337.
  Choose e relatively prime to z = 46 x 70 = 3220: how about 79.
  We need a d such that ed ≡ 1 (mod z); in other words, d = e^-1 mod z.
  d = 79^-1 (mod 3220) = 1019
  Public key (3337, 79). Private key (3337, 1019).
  Encrypt 688 -> 688^79 mod 3337 = 1570.
  Decrypt 1570 -> 1570^1019 mod 3337 = 688.
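The slide's example in Python, as an added example rather than code from the lecture. It generates the key pair from the slide's p, q and e, encrypts and decrypts 688, and also evaluates the M^(k(p-1)(q-1)) ≡ 1 (mod n) step that the following proof slide relies on. The second message, 94, is a constructed input chosen to share the factor 47 with n.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Textbook RSA key generation from the slides: n = pq, z = (p-1)(q-1), d = e^-1 mod z.
    Returns the public key (n, e) and the private key (n, d); p and q are assumed prime."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z")
    d = pow(e, -1, z)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m, public_key):
    """C = M^e (mod n); the message must be a number smaller than n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(c, private_key):
    """M = C^d (mod n)."""
    n, d = private_key
    return pow(c, d, n)

def euler_step(m, p, q):
    """The quantity the proof slide sets to 1: M^((p-1)(q-1)) mod n. It equals 1 only when M and n
    share no factor (Euler's theorem); the RSA round trip still works for every M because the
    congruence holds separately modulo p and modulo q."""
    return pow(m, (p - 1) * (q - 1), p * q)

if __name__ == "__main__":
    public, private = rsa_keygen(47, 71, 79)         # the slide's p, q and e
    print(public, private)                            # (3337, 79) (3337, 1019)
    c = rsa_encrypt(688, public)
    print(c, rsa_decrypt(c, private))                 # 1570 688
    print(euler_step(688, 47, 71))                    # 1, as the proof slide assumes
    # 94 = 2 * 47 shares a factor with n: the proof's shortcut gives a value other than 1,
    # yet decryption still returns 94.
    print(euler_step(94, 47, 71), rsa_decrypt(rsa_encrypt(94, public), private))
```

`pow(e, -1, z)` is the extended-Euclid inverse the slide writes as e^-1 mod z, and the three-argument `pow` does the modular exponentiation without ever forming 688^79. Textbook RSA on raw numbers, as here, is for following the arithmetic; a deployed system pads the message before exponentiation.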

Page 42:

Theorem: C^d (mod n) = M

  Proof:                                    Reason
  C^d (mod n)
  = (M^e)^d (mod n)                         C = M^e (mod n)
  = M^(ed) (mod n)                          (a^b)^c = a^(bc)
  = M^(kz+1) (mod n)                        ed ≡ 1 (mod z), so ed = kz+1
  = M · M^(kz) (mod n)                      a^(b+1) = a · a^b
  = M · M^(k(p-1)(q-1)) (mod n)             z = (p-1)(q-1)
  = M                                       because M^(k(p-1)(q-1)) (mod n) = 1 when p and q are prime

Page 43:

One last thing

  Private key = (n, d)
  Public key = (n, e)
  Encryption of a character M:  C = M^e (mod n)
  Decryption of a cipher character C:  M = C^d (mod n)

  Given the public key, we can choose M and then calculate C. Since we know n, why not solve for d?

  Because it’s very difficult to calculate the exponent; this is called the discrete logarithm problem. (Just like: x = y^a, find a = log_y x?)

  It seems to be as hard as factoring primes, and the best known algorithm takes time exponential in the size of the prime.