Cryptography 2012

Lecture 3

Block ciphers
Input from previous round
Design principles
SP and Feistel networks S−box S−box S−box S−box

DES P−box
AES/Rijndael
Output to next round
Modes of operation
Design principles

Traditional cryptographic development

Design of a cryptographic system was often iterative:

crypto- crypt- analysis crypto-

graphy analysis of attack graphy

Goal algorithm, attack stronger improved

protocol method goal algorithm,
protocol

crypt-
analysis

”Cryptosystem design was based on clever ad hoc ideas. The security of a

cryptosystem rested solely on the cleverness of the designer; a
cryptosystem was deeded secure until it was broken” (Luby, Rackoff 1988)
Design principles

Modern cryptographic development

”More recently, researchers have formalized the notions of cryptographic

protocols and security and today cryptography is an integral part of
computational complexity” (Luby, Rackoff 1988)

Provable security from 10000 feet

Requirements formally stated in an adversarial model: e.g.,
indistinguishability under adaptive chosen ciphertext against
probabilistic polynomial adversaries
Proofs via reduction to underlying hard problem: turn (reduce)
successful attack on system into successful attack on assumed hard
problem.
Exact security: reductions with tight bounds rather than asymptotic.

More on this later in the course.

Design principles

Understanding block ciphers

Modern block ciphers are built to withstand the attacks used on classical
ciphers. Those attacks were based on:
simple relationship between key and ciphertext
simple connection between statistics of ciphertext and statistics of
plaintext
A good starting point for the understanding of block ciphers is to
understand why the classical ciphers failed.

Modern block ciphers are also designed to withstand more powerful

attacks
linear cryptanalysis
differential cryptanalysis
Linear and differential cryptanalysis can be used to exploit very small
statistical characteristics in a cipher’s input and output.
Design principles

Classical cryptanalysis, revisited

Example
Keys in the whole key space were not tried one by one. Rather, we
separated out a small subspace that likely contained the correct key, and
discarded the rest at a time.
Simple substitution, where Z=e and then H=o are identified.
Design principles

Classical cryptanalysis, revisited

Example
To separate out that key subspace, we use a statistic of C that
is simple to compute.
reflects variations in K based on M’s known language statistics.
Examples are mono-, bi-, trigram frequency, IC.

Example
We try to separate out a subspace with a simple description.
‘the keys k0 k1 · · · k25 such that k4 = Z.’

Example
Small parts of C can be solved locally due to redundancy in M.
ioT ⇒ T=n?
AunYreY ⇒ A=h, Y=d??
Design principles

Design principles: Diffusion and Confusion

To counter various methods of cryptanalysis, at least the following should

be true:
Ciphertexts should show as little statistical regularity as possible.
C = EK (M ) should be hard to solve for K , given C and M.
for M, given C.

The basic, general design principles first identified by Shannon in the

1940’s:
diffusion ∼ transposition — spread out redundancy
confusion ∼ substitution — make key ↔ ciphertext relation
complex
Design principles

Diffusion

Aim: ‘Spread out’ redundancy of M all over C.

Benefits:
Longer C is needed to use statistical characteristics.
Larger parts of C must be considered at once.
(Some) Implementation principles:
Make each ci depend on many mj ’s,
i.e. each mj contributing to many ci ’s.
Use transposition as a part of design.
Larger blocksize benefitial.
Negative side-effect: Propagation of synchronisation errors and
transmission errors.
But handling such errors is not a task of encryption.
Design principles

Confusion

Aim: Prohibit simple conclusions about K from simple statistics of C.

Benefits: It becomes harder to
limit key search space from observing C.
obtain parts of K from parts of C.
solve C = EK (M ) for K given C and M.
(Some) Implementation principles:
Make each ci depend on all parts {k0 , k1 , k2 , · · · } of K , rather than a
small subset.
Ensure C is non-linear in parts ki ’s of K .
Negative side-effect: Complexity comes with costs:
speed, circuit size, power requirement, memory requirement, ease of
use, etc.
Design principles

Avalanche Effect

One desired effect of good confusion and diffusion is:

A small change in either M or K should result in a large
”unpredictable” change in C.

M 00000000 M ′ 00001000 M 00000000

↓ ↓ ↓
K : 01010101 → E K : 01010101 → E K ′ : 01000100 → E
↓ ↓ ↓
C 10010110 C ′ 11100101 C ′′ 01010111

In terms of bits, a change of one input bit should change about half the bits
of output.
(If all bits changed, that would be predictable...)
Block ciphers

Block ciphers

A block cipher is an encryption function for fixed-size blocks of data.

Typical size is 128 bits(16 bytes).
Block ciphers are symmetric (secret) key functions. Typical key sizes are
128 or 256 bits.
For security reasons, block ciphers are rarely used directly. Instead they
are used in one of many block cipher modes.

Examples of block ciphers

AES (Rijndael)
Serpent, Twofish, RC6, MARS (AES finalists)
3DES
DES
and many more...
Block ciphers

Block ciphers

A block cipher with block size n is, for a given key, a permutation on the set
of n-bit strings {0, 1}n , i.e., a bijection {0, 1}n → {0, 1}n .

How many such ciphers exist; i.e. which is the key length if we can index
them all by key?

The number of block ciphers is 2n !. If all were used, i.e., one key for each,
key length needs to be log2 (2n !). For n = 128, this would mean key length
≈ 1040 .

Typical modern key sizes are 128, and 256, which means practical block
ciphers only use a small subset of all possible permutations.
Block ciphers

The ideal block cipher

Definition: ideal block cipher

The ideal block cipher is a family (indexed by keys) of random
permutations.

Generation of a random permutation: maintain a table of pairs

(previous input, returned value).

For each input x,

if (x , y ) present in table, return y ,
else return a random value r different from all y values in table and
add (x , r ) to table.
We cannot implement this; instead we strive for ciphers that cannot be
distinguished from random permutations.
Block ciphers

Security of block ciphers

Definition: secure block cipher
A secure block cipher is one that no reasonable adversary can distinguish
from the ideal block cipher.

let E : {0, 1}k → {0, 1}n → {0, 1}n be a block cipher, and
I be the set of all permutations {0, 1}n → {0, 1}n
Select a random k , and select a permutation I ∈ I uniformly at random.
Now, given black box access to either Ek or I the adversary should not be
able to determine which it has access to. We say that a block cipher is a
pseudo random permutation (PRP) if the probability of distinguishing is
negligible.

We will return to the definitions of reasonable and negligible later in the

course.
Block ciphers

Typical block cipher design

plain block

K1
Round 1

K2 key
2 K
scheduling

Kn
n

cipher block

Each round i
takes subkey Ki derived from K by key scheduling.
contains Permutation-box for diffusion by transposition,
Substitution-box for confusion.
Block ciphers

Substitution-Permutation Networks (Shannon 1949)

Schematic structure of each round:

Input from previous round

S−box S−box S−box S−box

P−box

Output to next round

All parts may depend on subkey Ki for the round.

S-boxes map k-bit subblocks to k-bit subblocks bijectively, providing
confusion. (k=4 as example in the figure.)
P-box transposes bits across k-bit subblock boundaries, providing
diffusion.
Block ciphers

Aside: bits and operations

From now on, plaintexts and ciphertexts are sequences of bits
(ASCII-coded text, images, audio or video streams . . .).

A basic operation is xor, denoted by ⊕ (addition modulo 2).

0 ⊕ 0 = 0, 0 ⊕ 1 = 1
1 ⊕ 0 = 1, 1 ⊕ 1 = 0

For a and b bitstrings of length n, a ⊕ b denotes a bitvector of length n

defined by bitwise xor.

For all a, b and c:

1. closed a ⊕ b ∈ {0, 1}
2. zero element 0⊕a=a⊕0=a
3. inverse a⊕a=0
4. associativity (a ⊕ b ) ⊕ c = a ⊕ (b ⊕ c )
Block ciphers

Groups

A set S with an operation ·, (S , ·), is called a group if properties 1 to 4

holds, i.e., for all a, b, c ∈ S
1. closed a·b ∈S
2. zero element ∃ 0 ∈ S . 0 · a = a · 0 = a
3. inverse ∃ a −1 ∈ S . a · a −1 = a −1 · a = 0
4. associativity (a · b) · c = a · (b · c )

Clearly {0, 1} with ⊕ forms a group. The result generalizes to bitstrings of

length n, {0, 1}n .

The group properties allow us to establish the following fundamental result:

(a ⊕ b ) ⊕ b = a ⊕ (b ⊕ b ) = a ⊕ 0 = a .
Block ciphers

Feistel Networks
Blocks treated in two halves:
input left half (Li −1 ) right half (Ri −1 )

Ki
Li = Ri −1
cipher func.
⊕
f Ri = Li −1 ⊕ f (Ki , Ri −1 )

output left half(Li ) right half (Ri )

Remarks
Cipher function f is the same for every round.
The security of a Feistel network relies on the properties of f .
f need not be invertible for the round to be invertible, instead it relies
on (a ⊕ b) ⊕ b = b.
Last round does not swap left and right half (allows the same network
to be used for decryption).
Block ciphers

Feistel Networks, decryption

Fact
Decryption = encryption with subkeys in reverse order.

Proof.
We first consider last round (L and R not swapped):

Rn = Rn−1
Ln = Ln−1 ⊕ f (Kn , Rn−1 )

Now apply round transformation with subkey Kn+1 = Kn :

Ln+1 = Rn = Rn−1
Rn+1 = Ln ⊕ f (Kn+1 , Rn ) = Ln−1
| {z } |{z}
=Kn =Rn−1

This undoes last round; block n + 1 equals result of n − 1-round

encryption. Result follows by induction on n.
DES

Data Encryption Standard (DES)

The block cipher DES was designed by IBM in the early 70’s.
It was the standard encryption algorithm for civilian applications
(banking, government records, . . .) for more than 25 years. (US
standard since 1977). New standard is AES.
Advances in hardware and parallel computation have made single
encryption (key length 56 bits) insecure. The current standard
requires triple encryption (key length 168 or 112 bits).
DES withstood intense cryptanalysis well for 25 years. The best
practical attack is still exhaustive key search. (Much ‘better’
theoretical attacks exist.)
Most design considerations unknown.
Fairly slow by modern standards; very slow in software (around 80
cycles per byte).
DES

DES Algorithm Outline

Block size is 64 bits.

First step is a fixed permutation IP of the
input block. (Motivation unknown).
Then a 16-round Feistel network.
Key length is 56 bits (plus 8 bits for parity
checks).
Key scheduling algorithm derives from
one 56-bit key sixteen 48-bit subkeys
K1 , · · · , K16 .
Each Ki consists of bits chosen from 48
bit positions in the 56-bit key.
Finally, the inverse of IP is applied.
It remains to describe Feistel cipher
function f .
DES

DES cipher function f (Ki , Ri )

⊕ (xor) mixes key and

data
S-boxes provide confusion
and non-linearity
S-boxes, expansion and
permutation P provide
diffusion
DES

Decryption

DES is (almost) a Feistel network, so

decryption is done using the same algorithm,
except that the subkeys are used in reverse
order K16 , K15 , · · · K1 .
This property is one of main advantages
of Feistel networks for hardware
implementations and made DES chips
significantly simpler.
It is also good for software, but with all its
bit operations DES is anyhow slow in
software.
DES

Is DES secure?

DES is not secure by our definition of block cipher security, PRP.

Complementation property
DES has a complementation property that ensures that

E (K , M ) = E (K , M )
This property can successfully be used to distinguish DES from the ideal
block cipher. How?

Weak keys
DES has a number of weak keys. Weak keys are keys that cause one or
more round keys to be equal. The all 0 key is one example of this.
Any key generation algorithm for DES must avoid the weak keys.
DES

Brute force attacks on DES

DES is not secure in its simplest usage.

Key size is 56 bits, i.e., key space size = 256 ≈ 7 · 1016 .
The fastest attack is brute-force.
The parallel machine DES Cracker ($0.25M in 1998) by EFF can
search keys at speed
28 [boards] × 64 [chips/board] × 60M [keys/chip·sec] = 108G
[keys/sec]
or about 4 days to cover half the key space.
distributed.net organized idle CPU time of 100,000 computers to
search 250G [key/sec]. Together with DES Cracker, they cracked
DES in 22 hours (January 2000).
DES

Cryptanalysis of DES

During its 25 years of dominance, DES was subject to much cryptanalytic

effort. Main results:
Differential cryptanalysis. Chosen plaintext attack that can break DES
with 247 chosen plaintext/ciphertext pairs.
Linear cryptanalysis can break DES with 243 plaintext/ciphertext pairs.
Neither of these attacks is practical. Best attack against DES is still brute
force, but that is feasible.
In 1997, NIST announced a world-wide competition for a new Advanced
Encryption Standard.
AES

AES: Minimum Requirements

Secret-key block encryption algorithm.

Block size 128 bits (other sizes optional).
(Larger block size makes more efficient, more secure ciphers.)
Variable key length of 128, 192, and 256 bits.
(Partly a caution against future attacks.)
Significantly more efficient and secure than Triple-DES.
Publicly defined and evaluated.
Available worldwide, royalty-free.
AES

Evaluation Criteria

Security
Candidates with major attacks with less work than exhaustive key
search were eliminated. So were ones with significantly many ‘weak
keys’.
Resistance against known and future attacks was considered in terms
of attacks on simplified (reduced-round) variants and security
margins.
Indistinguishability from random permutations was tested statistically.
Simplicity and cleanness of algorithm and mathematical bases of
designs were valued.
Specialised attacks on smart-card implementation (power-,
timing-analysis).
AES

Rijndael/AES

In 2000, the cipher Rijndael was selected the winner of AES competition.
It
has variable block and key sizes: 128bit block size and 128, 192, and
256 bit key sizes were selected for the AES standard.
is a Substitution-Permutation network cipher with 10, 12, or 14 rounds
corresponding to the different key sizes.
has an elegant, clean mathematical specification.
is aggressively designed for speed. It is fast in both software (in the
order of 10 cycles/byte) and hardware (several GByte/sec in ASIC).
is also well suited for smart-cards implementation.
AES

Rijndael/AES outline

We consider block size 128 bits and 10 rounds.

1 Generate subkeys K0 , K1 . . . K10 , where K0 = K and Ki is obtained
from Ki −1 using a recurrence with permutations, xor-ing and
constants.
2 The algorithm uses a 16 byte state s as follows:
s = M ⊕ K0
for r = 1 to 10 do
s = byteSub(s)
s = shiftRow(s)
if r ≤ 9 then s = mixCols(s)
s = s ⊕ Kr
return s
AES

byteSub
s = m ⊕ k0
for r = 1 to 10 do
s = byteSub(s)
s = shiftRow(s)
if r ≤ 9 then s = mixCols(s)
s = s ⊕ Kr
return s

Each byte b of s is replaced by S (b), where S is a fixed byte array

containing a permutation of 0 . . . 255.
1 This adds non-linearity and thus confusion.
2 This fixed permutation can be interpreted in terms of an operation on
polynomials over a finite field GF28 . Can be used to argue Rijndael is
resistant against differential/linear cryptanalysis.
Note the separation in simple implementation/sophisticated conceptual
design.
AES

shiftRow
s = m ⊕ k0
for r = 1 to 10 do
s = byteSub(s)
s = shiftRow(s)
if r ≤ 9 then s = mixCols(s)
s = s ⊕ Kr
return s

The 16 bytes of s are viewed as a 4 × 4 matrix

s0 s4 s8 s12
s1 s5 s9 s13
s2 s6 s10 s14
s3 s7 s11 s15
Left shift row i with i positions for i = 0, 1, 2, 3.
This transposition step and mixCols guarantees high diffusion over
multiple rounds.
AES

mixCols
s = m ⊕ k0
for r = 1 to 10 do
s = byteSub(s)
s = shiftRow(s)
if r ≤ 9 then s = mixCols(s)
s = s ⊕ Kr
return s

Each of the columns of s is multiplied (in GF28 ) with the fixed matrix

02 03 01 01
01 02 03 01
01 02 02 03
03 01 01 02

Also this operation can be interpreted in terms of polynomials.

AES

Rijndael, summary

Each round is invertible, since each step is invertible.

Thus the cipher as a whole (several rounds) is invertible.
The last round does not apply mixCols. Because of this, the structure
of a decryption round can be made the same as encryption.
The conceptual specification is for mathematical analysis. The
description is transformed differently to efficient algorithms for 32-bit
and 8-bit processors (32-bit word table lookup and byte oriented
logical operations, respectively).
AES

Security of AES
During the selection process attacks on AES were found:
7 round attack on 128-bit keys,
8 round attack on 192-bit keys,
9 round attack on 256-bit keys
Leaves a 3 to 5 rounds security margin, but 70% of the cipher broken for
128-bit keys.

New powerful attacks have been found:

12 round attack on 192-bit keys using related keys and 2176
operations,
14 round attack on 256-bit keys using related keys and 2119
operations,
10 round attack on 256-bit keys using related keys and 245 operations.
These attacks are all theoretical and not practical. Nevertheless, it means
that AES is theoretically broken.
AES

Side-channel attacks on AES

In 2005 Osvik, Shamir and Tromer (and Bernstein independently)
presented cache attacks on AES.
Osvik, et al. demonstrate how a (unprivileged) process on a computer can
deduce the key used in AES encryption in, e.g., (privileged) cryptographic
file systems.

The basic idea is as follows:

all processes (privileged and unprivileged) share cache
memory access patterns of AES implementations are susceptible to
cryptanalysis; several lookup tables are precomputed and stored in
memory
it’s possible to probe (via cache misses) the memory access pattern
from another process
knowing which parts of the lookup tables were used over several
encryptions with the same key makes it possible to deduce the key
AES

Side-channel attacks on AES

The side channel attacks on AES are particularly nasty, since the bypass
all theory by attacking the implementation. Osvik et al. demonstrate a
practical attack om dm-crypt, the linux encrypting file system.

The attack achieves full key recovery using only 800 accesses to an
encrypted file, 65ms of measurements and 3 seconds of analysis!

Conclusion: there is no way of implementing AES in software that is both

fast and secure.
AES

Crypto in hardware

New Intel instruction set

From the Westmere architecture (released January, 2010), Intel
processors include the AES-NI instruction set, which performs AES
operations in hardware. Six new instructions:
AESENC, AESENCLAST: Encryption round.
AESDEC, AESDECLAST: Decryption round.
AESIMC, AESKEYGENASSIST: Key expansion.

Benefits
Three times faster encryption/decryption (or more).
Avoids side channel attacks in software implementations (cache
access patterns for lookup tables).
Modes

Simplest usage of a block cipher

Plaintext is divided into full size blocks (with padding of last block) and
each block is independently en(de)crypted.

plaintext ciphertext

encryption
M0 M1 M2 ··· 7−→ C0 C1 C2 ··· [Ci = EK (Mi )]

This usage is called Electronic Codebook Mode (ECB) and has several
problems.

Since each block is independently en(de)crypted, an attacker can

identify resending of same message.
see stereotypes and patterns in plaintext if the same key is reused.
build a table of corresponding plain and cipher blocks in a known
plaintext attack.
Modes

Illustration of problems with ECB

As an example, let us encrypt an image file (in this case, an image in .ppm
format).

We encrypt the image

file using AES. (File
split into 16 byte
blocks, which are all
encrypted.) The result,
again interpreted as an
image, is to the right.

There seems to be more to encryption than a good block cipher . . .

We need to discuss modes of operation.
Modes

ECB is not IND-CPA

Let E denote ECB together with any block cipher.

$
k ←K
m0 , m1 ← A(Ek )
$
b ← {0, 1}
c ← Ek (mb )
b′ ← A(c )

Adversary A
Select any two messages m0 and m1 and use Ek to encrypt m0 ,
c0 = Ek (m0 ). Return m0 and m1 . In the guessing phase compare c with
c0 . Since Ek is deterministic we have that if c = c0 then b = 0 (b = 1
otherwise). Thus, return c = c0 as guess.

What is the probability that the adversary wins?

Modes

CBC (Cipher Block Chaining) mode

Setting
Plaintext M0 M1 M2 M3 · · · is divided into full size blocks.
Both sender and receiver store one previous cipher block.
Sender and receiver agree on initialization vector C−1 . (Typically
chosen at random by sender and sent as first ciphertext block.)

Encryption and decryption

Ci = EK (Mi ⊕ Ci −1 ), i ≥ 0.
Mi = DK (Ci ) ⊕ Ci −1 , i ≥ 0.

Check that this works!

Modes

Security of CBC

CBC is IND-CPA given that the underlying block cipher is a PRP, i.e.,
indistinguishable from a random permutation.
If adversary makes q queries to the encryption function then the
advantage of the adversary is q 2 /2n . This is an example of exact security.
Exact security should not necessarily be interpretated as a tight bound,
rather be contrasted to the asymptotic case.

Actual bounds give hints to safe use of the cipher. For instance, the above
bound implies that we should not encrypt more that 2n/2 blocks, where n is
the block size, before chnging key. This is not much for DES (232 = 4Gb —
less than a DVD)!

Note: CBC is not IND-CCA

Modes

Home assignment 1

Home assignment 1 is on the web, ready to be attacked.

Deadline next Monday (November 11).
Discusses a CCA side-channel attack on CBC mode.
Shows vulnerability in widely used software (OpenSSL).
Password to IMAP mail accounts discovered in less than one hour.
Attack easily prevented – once you realize the problem!
Variant of the attack recently applied to many web applications.
Modes

Image encryption, revisited

Here is the same image file as before, encrypted using AES in CBC mode.
Modes

Aside: Stream ciphers

Another class of ciphers (which we will return to):

Plaintext = stream of bits/bytes/blocks: m0 m1 m2 · · · .
Keystream k0 k1 k2 · · · generated identically at both ends (depending
on secret key).
ciphertext c0 c1 c2 · · · given by ci = mi ⊕ ki .

ki ki
⊕ ⊕
mi ci ci mi

key stream 0100101001110...

plaintext 1010101101011...
ciphertext 1110000100101...
Advantage: simple, very fast.
Problem: security depends on the “randomness” of keystream.
Modes

CTR (Counter) mode

Not one of the original standard block cipher modes; therefore less used.
Recently a NIST standard.
Block-oriented stream cipher.
For each message, a nonce must be chosen. Must be unique!
Keystream generation and encryption:

Ki = EK (nonce||i ), i≥0
Ci = Mi ⊕ Ki , i ≥ 0.

possible setup: 48 bit message number + 16 bit additional nonce data

+ 64 bit counter.
Decryption is identical to encryption (DK not used!).
Underlying idea: Block cipher behaves like a random permutation.

CTR mode is IND-CPA

Modes

Which mode should I use?

Use CBC mode with random IV

The suggestion is based on the problems of guaranteeing that the nonce

is unique. In the experience of Schneier et al. failures in ensuring
uniqueness is a common source for insecurities in practice.

Unless you need random write access, then se CTR mode.

CBC allows for random read access, but not random write access. Why?