Playfair Key Matrix
• Use a 5 x 5 matrix.
• Fill in letters of the key (w/o duplicates).
• Fill the rest of matrix with other letters.
• E.g., key = MONARCHY.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Vigenère Cipher
• Simplest polyalphabetic substitution cipher
• Consider the set of all Caesar ciphers:
{ $C_a, C_b, C_c, \ldots, C_z$ }
• Key: e.g. security
• Encrypt each letter using $C_s, C_e, C_c, C_u, C_r, C_i, C_t, C_y$ in turn.
• Repeat from start after $C_y$.
• Decryption simply works in reverse.
Basic idea of modern block ciphers
Block Ciphers
Ideal Block Cipher
The Feistel Cipher Structure
[Figure: Round i, with inputs $L_{i-1}$ and $R_{i-1}$, round key $k_i$, round function f, XOR (+), and outputs $L_i$ and $R_i$.]
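Mathematical Description of Round i
Let $L_{i-1}$ and $R_{i-1}$ be the input of round $i$, and $L_i$ and $R_i$ the output.
We have
$$L_i := R_{i-1}$$
$$R_i := L_{i-1} \oplus F(R_{i-1}, K_i)$$
Or, $(L_i, R_i) := \sigma \circ \mu_i (L_{i-1}, R_{i-1})$, where
$$\mu_i : (x, y) \mapsto (x \oplus F(y, k_i),\ y),$$
$$\sigma : (x, y) \mapsto (y, x).$$
Note that $\mu_i^{-1} = \mu_i$ and $\sigma^{-1} = \sigma$.
Feistel Cipher
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block $m$ as:
$$c := E_k(m) := \mu_{16} \circ \sigma \circ \cdots \circ \sigma \circ \mu_2 \circ \sigma \circ \mu_1 (m)$$
The decryption will be:
$$D_k(c) = \mu_1^{-1} \circ \sigma^{-1} \circ \mu_2^{-1} \circ \sigma^{-1} \circ \cdots \circ \sigma^{-1} \circ \mu_{16}^{-1} (c) = \mu_1 \circ \sigma \circ \mu_2 \circ \sigma \circ \cdots \circ \sigma \circ \mu_{16} (c)$$
The decryption algorithm is the same as the encryption algorithm, but uses round keys in the reverse order.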
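The property above can be checked on a toy Feistel network. This is an added example, not code from the original slides; the round function (truncated SHA-256) and the round keys are assumptions chosen only to show that F itself need not be invertible.

```python
import hashlib

def round_f(right, key):
    # Assumed round function F(R, k): truncated SHA-256 of k || R.
    # It is not invertible; the Feistel structure supplies invertibility.
    return hashlib.sha256(key + right).digest()[:len(right)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, round_keys):
    """Run the rounds in the given key order on an even-length block."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    last = len(round_keys) - 1
    for i, key in enumerate(round_keys):
        # Round map: (x, y) -> (x XOR F(y, k_i), y); it is its own inverse.
        left = xor(left, round_f(right, key))
        # Swap the halves between rounds, but not after the final round.
        if i != last:
            left, right = right, left
    return left + right

def encrypt(block, round_keys):
    return feistel(block, round_keys)

def decrypt(block, round_keys):
    # Same algorithm, round keys in reverse order.
    return feistel(block, round_keys[::-1])

# Constructed sample data: sixteen 4-byte round keys and one 8-byte block.
ROUND_KEYS = [bytes([i]) * 4 for i in range(1, 17)]
# A palindromic key list reads the same reversed, so encryption becomes
# its own inverse: a schedule like this gives no separate decryption key order.
PALINDROMIC_KEYS = ROUND_KEYS[:8] + ROUND_KEYS[:8][::-1]

if __name__ == "__main__":
    m = b"8bytes!!"
    c = encrypt(m, ROUND_KEYS)
    print(c.hex(), decrypt(c, ROUND_KEYS))
    print(encrypt(encrypt(m, PALINDROMIC_KEYS), PALINDROMIC_KEYS))
```
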
DES: The Data Encryption Standard
Design Principles of DES
• To achieve high degree of diffusion and
confusion.
• Diffusion: making each plaintext bit affect
as many ciphertext bits as possible.
• Confusion: making the relationship
between the encryption key and the
ciphertext as complex as possible.
DES Encryption Overview
Round Keys Generation
• Main key: 64 bits.
• 56 bits are selected and permuted using Permuted Choice One (PC1), and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
– Select 24 bits from each half, and permute the combined 48 bits.
– This forms a round key.
Permuted Choice One (PC1)
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Initial Permutation IP
• IP: the first step of the encryption.
• It reorders the input data bits.
• The last step of encryption is the inverse of IP.
• IP and $IP^{-1}$ are specified by tables (see Stallings book, Table 3.2) or http://en.wikipedia.org/wiki/DES_supplementary_material
Round i
[Figure: DES round i, with inputs $L_{i-1}$ and $R_{i-1}$ (32 bits each), 48-bit round key $k_i$, function F, XOR (+), and outputs $L_i$ and $R_i$.]
The F function of DES
The L and R each have 32 bits, and the round key K 48 bits.
$$F(R, K) = P(S(E(R) \oplus K))$$
The Expansion Permutation E
The S-Boxes
• Eight S-boxes each map 6 to 4 bits
• Each S-box is specified as a 4 x 16 table
– each row is a permutation of 0-15
– outer bits 1 & 6 of input are used to select one
of the four rows
– inner 4 bits of input are used to select a
column
• All the eight boxes are different.
Box S1
     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
Permutation Function P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Avalanche Effect
• Avalanche effect:
– A small change in the plaintext or in the key results in a significant change in the ciphertext.
– Evidence of a high degree of diffusion and confusion
– A desirable property of any encryption algorithm
• Differential cryptanalysis:
– Possible to find a key with $2^{47}$ plaintext-ciphertext samples
– Known-plaintext attack
• Linear cryptanalysis:
– Possible to find a key with $2^{43}$ plaintext-ciphertext samples
– Known-plaintext attack
DES Cracker
• DES Cracker:
– A DES key search machine
– contains 1536 chips
– Cost: $250,000.
– could search 88 billion keys per second
– won RSA Laboratory’s “DES Challenge II-2” by
successfully finding a DES key in 56 hours.
• DES is feeling its age. A more secure
cipher is needed.
Multiple Encryption with DES
$C = E_{K_2}(E_{K_1}(P))$
• Decryption: $P = D_{K_1}(D_{K_2}(C))$
• Key length: 56 x 2 = 112 bits
• This should have thwarted brute-force attacks?
• Wrong!
Meet-in-the-Middle Attack on 2DES
• 2-DES: $C = E_{K_2}(E_{K_1}(P))$
[Figure: $P \to E_{K_1} \to E_{K_2} \to C$]
3DES with 2 keys
A straightforward implementation would be: $c := E_{k_1}(E_{k_2}(E_{k_1}(m)))$
In practice: $c := E_{k_1}(D_{k_2}(E_{k_1}(m)))$
Also referred to as EDE encryption.
Reason: if $k_1 = k_2$, then 3DES = 1DES.
Thus, 3DES software can be used as single DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.
3DES with 3 keys
Encryption: $c := E_{k_3}(D_{k_2}(E_{k_1}(m)))$.
If $k_1 = k_3$, it becomes 3DES with 2 keys.
If $k_1 = k_2 = k_3$, it becomes the regular DES.
So, it is backward compatible with both 3DES with 2 keys and the regular DES.
Some internet applications adopt 3DES with three keys; e.g. PGP and S/MIME.
AES: Advanced Encryption Standard
• In 1997, NIST began the process of choosing a
replacement for DES and called it the
Advanced Encryption Standard.
• Requirements: block length of 128 bits, key
lengths of 128, 192, and 256 bits.
• In 2000, Rijndael cipher (by Rijmen and
Daemen) was selected.
• An iterated cipher, with 10, 12, or 14 rounds.
• Rijndael allows various block lengths.
• But AES allows only one block size: 128 bits.
Modulo-2 Arithmetic
There are only two numbers: 0 and 1.
 + | 0 1      - | 0 1      x | 0 1
 0 | 0 1      0 | 0 1      0 | 0 0
 1 | 1 0      1 | 1 0      1 | 0 1
Example: $a = 10001001 \leftrightarrow x^7 + x^3 + 1 = A(x)$.
$b = 10000010 \leftrightarrow x^7 + x = B(x)$.
Addition and subtraction are simply bitwise XOR:
$a + b = 10001001 \oplus 10000010 = 00001011 \leftrightarrow A(x) + B(x)$.
$a - b = 10001001 \oplus 10000010 = 00001011 \leftrightarrow A(x) - B(x)$.
Byte-oriented operations
Multiplication ($\otimes$): "regular" polynomial multiplication ($\times$) modulo a fixed modulus $P(x)$, where
$$P(x) = x^8 + x^4 + x^3 + x + 1 \leftrightarrow 100011011.$$
$$a \otimes b \leftrightarrow A(x) \times B(x) \bmod P(x) = (x^{14} + x^{10} + x^8 + x^7 + x^4 + x) \bmod P(x) = x^6 + x^5 + x^4 + x^3 + x^2 + x + 1$$
$$a \otimes b = 10001001 \times 10000010 \bmod 100011011 = 100010110010010 \bmod 100011011 = 01111111$$
For any byte $a$ (viewed as a polynomial), there is a unique byte $b$ (also viewed as a polynomial) such that $a \otimes b = 1$.
This element $b$ is called the inverse of $a$, and is denoted by $a^{-1}$.
Mathematically, the set of all polynomials of degree $\le 7$ forms a field, $GF(2^8)$, under the operations of addition and multiplication mod $P(x)$, where $P(x)$ is a fixed modulus.
Structure of Rijndael
$N_b$: block size (number of words). For AES, $N_b = 4$.
$N_k$: key length (number of words).
$N_r$: number of rounds, depending on $N_b$, $N_k$.
Assume: $N_b = 4$, $N_k = 4$, $N_r = 10$.
state: a variable of 4 words, holding the data block, viewed as a $4 \times 4$ matrix of bytes; each column is a word.
Key schedule: 11 round keys $key_0, key_1, \ldots, key_{10}$ computed from the main key $k$.
Rijndael algorithm
input: plaintext m, key k
state ← m
AddKey(state, key_0)
for i ← 1 to N_r − 1 do
    SubBytes(state)
    ShiftRows(state)
    MixColumns(state)
    AddKey(state, key_i)
SubBytes(state)
ShiftRows(state)
AddKey(state, key_{N_r})
return(state)
Figure 5.1 AES Encryption and Decryption
AddKey(state, $key_i$)
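SubBytes(state)
Each byte $z$ in the state matrix is substituted with another byte $S_{RD}(z) = A z^{-1} + b$.
That is, treat $z$ as an element in $GF(2^8)$.
Find its multiplicative inverse $z^{-1}$ in $GF(2^8)$.
Now treat $z^{-1}$ as a vector of 0/1.
Multiply $A$ with $z^{-1}$, and add the result to $b$.
$$A = \begin{pmatrix}
1&0&0&0&1&1&1&1 \\
1&1&0&0&0&1&1&1 \\
1&1&1&0&0&0&1&1 \\
1&1&1&1&0&0&0&1 \\
1&1&1&1&1&0&0&0 \\
0&1&1&1&1&1&0&0 \\
0&0&1&1&1&1&1&0 \\
0&0&0&1&1&1&1&1
\end{pmatrix}, \qquad
b = \begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}$$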
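The byte multiplication, the inverse and the SubBytes substitution described above, computed directly from their definitions. This is an added example, not part of the original slides; it assumes the first row of A and b corresponds to the least significant bit of the byte, and it maps the byte 0 (which has no inverse) to 0 before the affine step, as AES does.

```python
P = 0b100011011   # modulus P(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo P(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # add (XOR) the current multiple of a
        a <<= 1                  # multiply a by x
        if a & 0x100:
            a ^= P               # reduce when the degree reaches 8
        b >>= 1
    return result

def gf_inv(a):
    """Inverse as a^254, since a^255 = 1 for every nonzero a; 0 gives 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

# Rows of A and entries of b exactly as printed above.
A_ROWS = ["10001111", "11000111", "11100011", "11110001",
          "11111000", "01111100", "00111110", "00011111"]
B_COL = [1, 1, 0, 0, 0, 1, 1, 0]

def sub_byte(z):
    """S_RD(z) = A * z^-1 + b, with all arithmetic modulo 2."""
    inv = gf_inv(z)
    out = 0
    for i, row in enumerate(A_ROWS):
        bit = B_COL[i]
        for j, coeff in enumerate(row):
            bit ^= int(coeff) & (inv >> j) & 1   # row i times bit j of z^-1
        out |= bit << i
    return out

def build_sbox():
    """The full 256-entry substitution table."""
    return [sub_byte(z) for z in range(256)]

if __name__ == "__main__":
    print(format(gf_mul(0b10001001, 0b10000010), "08b"))   # slide example
    print(hex(sub_byte(0x00)), hex(sub_byte(0x53)))
```
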
ShiftRows(state)
Left-shift row $i$ circularly by $i$ bytes, $0 \le i \le 3$.
a b c d        a b c d
e f g h   →    f g h e
i j k l        k l i j
m n o p        p m n o
MixColumns(state)
Operate on each column of the state matrix.
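Each column $a = (a_0, a_1, a_2, a_3)$ is substituted with $(b_0, b_1, b_2, b_3)$, where
$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} =
\begin{pmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{pmatrix}
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}$$
using finite-field multiplication and addition.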
Math behind MixColumns(state)
Operate on each column of the state matrix.
Each column $a = (a_0, a_1, a_2, a_3)$ is viewed as a polynomial:
$$a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$$
A fixed polynomial: $c(x) = 03\,x^3 + 01\,x^2 + 01\,x + 02$.
Compute $b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0 = a(x) \otimes c(x) \bmod (x^4 + 1)$.
$(a_0, a_1, a_2, a_3)$ is substituted with $(b_0, b_1, b_2, b_3)$.
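MixColumns computed both ways, as the matrix product and as the polynomial product modulo $x^4 + 1$, to show that the two descriptions agree. This is an added example, not part of the original slides; the function names are illustrative and the sample columns are constructed test inputs.

```python
def xtime(a):
    """Multiply a byte by 02 (that is, by x) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def mul_coeff(c, a):
    """Multiply byte a by a MixColumns coefficient c in {01, 02, 03}."""
    return {1: a, 2: xtime(a), 3: xtime(a) ^ a}[c]

# Matrix form, row by row.
M = [[2, 3, 1, 1],
     [1, 2, 3, 1],
     [1, 1, 2, 3],
     [3, 1, 1, 2]]

def mix_column_matrix(col):
    out = []
    for row in M:
        acc = 0
        for c, a in zip(row, col):
            acc ^= mul_coeff(c, a)      # field addition is XOR
        out.append(acc)
    return out

# Polynomial form: c(x) = 03 x^3 + 01 x^2 + 01 x + 02, listed as c0..c3.
C_POLY = [2, 1, 1, 3]

def mix_column_poly(col):
    """b(x) = a(x) * c(x) mod (x^4 + 1); x^4 = 1, so exponents wrap mod 4."""
    out = [0, 0, 0, 0]
    for i, a in enumerate(col):
        for j, c in enumerate(C_POLY):
            out[(i + j) % 4] ^= mul_coeff(c, a)
    return out

# Constructed sample columns (a0, a1, a2, a3).
SAMPLES = [[0xDB, 0x13, 0x53, 0x45], [0x01, 0x01, 0x01, 0x01],
           [0x00, 0x00, 0x00, 0x80], [0xFF, 0x00, 0xAA, 0x55]]

if __name__ == "__main__":
    for col in SAMPLES:
        print([hex(b) for b in mix_column_matrix(col)],
              mix_column_matrix(col) == mix_column_poly(col))
```
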
Rijndael Decryption
Each step of Rijndael encryption is invertible.
A Rijndael Animation by Enrique Zabala