Cryptography AES, IDEA, BlowFish etc.

Lecture Outline
AES Other block ciphers

A"#ance" Encryption Stan"ar"

In 1997, NIST made a formal call for algorithms stipulating that the AES ould specif! an unclassified, publicl! disclosed encr!ption algorithm, a"ailable ro!alt!# free, orld ide$ %oal& replace 'ES for both go"ernment and pri"ate# sector encr!ption$ The algorithm must implement s!mmetric ke! cr!ptograph! as a block cipher and (at a minimum) support block si*es of 1+,#bits and ke! si*es of 1+,#, 19+#, and +-.#bits$ In 199,, NIST announced a group of 1- AES candidate algorithms$

AES Selection %rocess

In 1999, out of 1-, the selction as narro ed to candidates& /A0S, 01., 0i2ndael, Serpent, and T ofish$ All the fi"e protocols ere thought to be secure 1riteria for selecting AES& securit!, robustness, speed On October +, +333, NIST announced that it has selected Rijndael (in"ented b! 4oan 'aemen and 5incent 0i2men) to propose for the AES$ 6ebruar! +331, 6I7S 197 (AES) as published for public re"ie and comments$

Q ui ckTi me and a TI FF ( U ncompr essed) decompressor are needed to see t hi s pi ctur e.

AES E#aluation' Criteria (or Initial Selection

Securit!&
8 randomness, soundness, results of cr!ptanal!sis during e"aluation

1ost&
8 ro!alt!#free, computational efficienc!, memor! re9uirement

6le:ibilt! ;ard are < soft are suitabilit! Simplicit!

&

AES E#aluation
1riteria of the final e"aluation
8 general securit! 8 soft are implementation performance 8 hard are implementation (si*e < performance) 8 restricted#space en"ironments 8 attacks on implementations 8 encr!ption "s$ decr!ption

AES E#aluation
1riteria of the final e"aluation (continued)
8 ke! agilit! 8 other "ersatilit! and fle:ibilit!
= parameter fle:ibilit! = possibilit! of optimi*ing cipher elements for particular en"ironments

8 potential for instruction#le"el parallelism

,i-n"ael Features
'esigned to be efficient in both hard are and soft are across a "ariet! of platforms$ Not a 6eistel Net ork >ses a "ariable block si*e, 128,192, 256bits, ke! si*e of 128-, 192-, or 256-bits. 5ariable number of rounds (13, 1+, 1?)&
8 13 if @ A B A 1+, bits 8 1+ if either @ or B is 19+ and the other is 19+ 8 1? if either @ or B is +-. bits

Note& AES uses a 1+,#bit block si*e$

O#er#iew o( ,i-n"ael/AES
5ariable number of rounds (13, 1+, 1?)&
8 13 if B is 1+, bits 8 1+ if B is 19+ bites 8 1? if B is +-. bits

1+,#bit round ke! used for each round&

8 1+, bits A 1. b!tes A ? ords 8 needs NrC1 round ke!s for Nr rounds 8 needs ?? ords for 1+,#bit ke! (13 rounds)

State& ? b! ? arra! of b!tes

8 1+, bits A 1. b!tes

,i-an"ael' 1igh2Le#el Description

State A D Add0oundBe!(State, Be!3) (op1) for r A 1 to Nr # 1 Sub@!tes(State, S#bo:) (op+) Shift0o s(State) (opE) /i:1olumns(State) (op?) Add0oundBe!(State, Be!r) endfor Sub@!tes(State, S#bo:) Shift0o s(State) Add0oundBe!(State, Be!Nr) F A State

10

A"",oun" 3ey
State is represente" as (ollows 41) 5ytes6'
S3,3 S1,3 S+,3 SE,3 S3,1 S1,1 S+,1 SE,1 S3,+ S1,+ S+,+ SE,+ S3,E S1,E S+,E SE,E

A"",oun"3ey4State, 3ey6'

7ey

state

state 11

Su5Bytes
@!te substitution using non#linear S#@o: (independentl! on each b!te)$ S#bo: is represented as a 1.:1. arra!, ro s and columns inde:ed b! he:adecimal bits , b!tes replaced as follo s& , b!tes defines a he:adecimal number rc, then sr,c A binar!(S#bo:(r, c)) ;o is AES S#bo: different from 'ES S#bo:G 8 Onl! one S#bo: 8 S#bo:es based on modular arithmetic ith pol!nomials, can be defined algebraicall!, not random 8 Eas! to anal!*e, pro"e attacks fail

12

S25o8 9a5le
0 1 2 3 4 5 6 7 8 9 A B C D E F 0 63 C% B7 !( !' 3 $! " C$ 6! #! #7 B% 7! #" &C 1 7C &2 F$ C7 &3 $" #F %3 !C &" 32 C& 7& 3# F& %" 2 77 C' '3 23 2C !! %% (! 3 (F 3% 37 2 B '& &' 3 4 5 6 7 8 9 A B C D E F 7B F2 6B 6F C 3! !" 67 2B F# $7 %B 76 7$ F% ' (7 F! %$ $( %2 %F 'C %( 72 C! 26 36 3F F7 CC 3( % # F" 7" $& 3" " C3 "& '6 ! '% !7 "2 &! #2 #B 27 B2 7 "% "B 6# % %! 2 3B $6 B3 2' #3 2F &( ED 2! FC B" B 6% CB B# 3' (% (C & CF FB (3 ($ 33 & ( F' !2 7F ! 3C 'F %& &F '2 '$ 3& F BC B6 $% 2" "! FF F3 $2 #C F '7 (( "7 C( %7 7# 3$ 6( $ "' 73 $C 22 2% '! && (6 ## B& "( $# # !B $B !% (' !6 2( C C2 $3 %C 62 '" ' #( 7' 6$ &$ $ (# %' 6C 6 F( #% 6 7% %# !& 2# "C %6 B( C6 #& $$ 7( "F (B B$ &B &% 66 (& !3 F6 !# 6" 3 7 B' &6 C" "$ '# "" 6' $' &# '( 'B "# &7 #' C# 2& $F !$ BF #6 (2 6& (" '' 2$ !F B! ( BB "6

E8a:ple' he8a &! is replace" with he8a ED

1!

Shi(t,ows
S3,3 S1,3 S+,3 SE,3 S3,1 S1,1 S+,1 SE,1 S3,+ S1,+ S+,+ SE,+ S3,E S1,E S+,E SE,E S3,3 S3,1 S1,1 S1,+ S+,+ S+,E SE,E SE,3 S3,+ S1,E S+,3 SE,1 S3,E S1,3 S+,1 SE,+

1$

;i8Colu:ns
Interpret each column as a "ector of length ?$ Each column of State is replaced b! another column obtained b! multipl!ing that column ith a matri: in a particular field$

1&

3ey E8pansion
Be!E:pansion (b!te ke!H1.I, ord H??I) word tempJ for (iA3JiK?JiCC) HiIA(ke!H?LiI, ke!H?LiC1I, ke!H?LiC+I, ke!H?LiCEI) for (iA?J iK??J iCC) temp A Hi#1IJ if (I mod ? A 3) temp A SubMord(0otMord(temp)) 0conHiN?IJ HiI A Hi#?I tempJ

1)

3ey E8pansion
0otMord(Hb!te3, b!te1, b!te+, b!teEI) A Hb!te1, b!te+, b!teE, b!te, 3I SubMord(Hb!te3, b!te1, b!te+, b!teEI) A HSbo:Hb!te1I, Sbo:Hb!te1I, Sbo:Hb!te+I, Sbo:Hb!teEII 0conH2I A (01H2I, 3, 3, 3)

13

01H2I 31 3+ 3? 3, 13 +3 ?3 ,3 1@ E.

1*

,i-an"ael' 1igh2Le#el Description

State A D Add0oundBe!(State, Be!3) (op1) for r A 1 to Nr # 1 Sub@!tes(State, S#bo:) (op+) Shift0o s(State) (opE) /i:1olumns(State) (op?) Add0oundBe!(State, Be!r) endfor Sub@!tes(State, S#bo:) Shift0o s(State) Add0oundBe!(State, Be!Nr) F A State

1+

Su::ary o( ,i-n"ael
0i2ndaelOs strength is in design simplicit!, rich algebraic structure, and efficienc!$ Algorithms composed of three la!ers 8 Pinear diffusion 8 Non#linear diffusion 8 Be! mi:ing

1.

Decryption
The decr!ption algorithm is not identical ith the encr!ption algorithm, but uses the same ke! schedule$ There is also a a! of implementing the decr!ption ith an algorithm that is e9ui"alent to the encr!ption algorithm (each operation replaced ith its in"erse), ho e"er in this case, the ke! schedule must be changed$

20

,i-an"el Cryptanalysis
0esistant to linear and differential cr!ptanal!sis 'ifferential trail 8 7robabilit! that a gi"en difference aO pattern at input produces an output difference of bO 8 1hoose S#bo: and multiplication pol!nomial to minimi*e ma:imum difference probabilit!

21

,i-n"ael Cryptanalysis
Academic break on eaker "ersion of the cipher, 9 rounds 0e9uires +++? ork and +,- chosen related-key plainte:ts$ Attack not practical$

22

AES Encryption ;o"es

E1@ 1@1 16@ O6@ 1T0

2!

;o"ern Bloc7 Ciphers

5ariable ke! length /i:ed operators& use more than one arithmetic andNor @ooleanJ this can pro"ide non#linearit! 'ata dependent rotation Be!#dependent S#bo:es Pength! ke! schedule algorithm 5ariable plainte:tNcipherte:t block length 5ariable number of rounds Operation on both data hal"es each round 5ariable 6 function ("aries from round to round) Be!#dependent rotation

2$

International Data Encryption Algorith: 4IDEA6

Originall! designed b! /asse! and Pai at ET; (Qurich), 1993$ @ased on mi:ing operations from different algebraic groups (DO0, addition mod +1. , multiplication mod +1. C1)$ All operations are on 1.#bit sub#blocks, ith no permutations used$ Speed& faster than 'ES in soft are$

2&

IDEA
'esign goals& 8 @lock Pength& deter statistical anal!sis 8 Be! Pength& deter e:hausti"e search 6eatures& 8 1+,#bit ke! 8 .? bit blocks 8 , rounds, 8 operates on 1.#bit numbers

2)

IDEA' Encryption
.?#bit data block is di"ided in ? parts& D1 D+ DE D? In each of eight rounds ith 1? steps the sub# blocks are DO0d, added, multiplied ith one another and ith si: 1.#bit sub#blocks of ke! material, and the second and third sub#blocks are s apped$ 6inall! some more ke! material is combined ith the sub#blocks$

2*

IDEA 3ey Sche"ule

Total of -+ subke!s& .L,C? Subke! is generated b! di"iding the 1+, bits ke! in , : 1. bits ke!s$ E"er! time more subke!s are needed, rotate left the ke! +- bits and di"ide again in , subke!s$ The decr!ption ke!s are a little more difficult to generate$

2+

IDEA Cryptanalysis
1urrentl! there is no kno n practical attack against I'EA$ Appears secure against differential cr!ptanal!sis$ Be! length protects against e:hausti"e search$ I'EA has eak ke!s, a"oided at ke! generation$

2.

Blow(ish
A s!mmetric block cipher designed b! @ruce Schneier in 199EN9?$ 6ast implementation on E+#bit 17>s$ 1ompact& runs in less than -B of memor!$ Simple to implement and anal!*e its strength$ 5ariable securit!& can gi"e it larger ke!s$

!0

Blow(ish 3ey <eneration

@lock si*e is .? Number of rounds is 1. >ses a ke! of "ariable si*e, from E+ to ??, bits$ The ke! is used to generate& 8 1, E+#bit subke!s stored in 7#arra!s 8 ? ,:E+ S#bo:es stored in S#arra!s 0e9uires -+1 encr!ptions, so it has a slo reke!ing$

!1

Blow(ish Cryptanalysis
Be! dependent S#bo:es and subke!s, generated using cipher itself, makes anal!sis "er! difficult$ 1hanging both hal"es in each round increases securit!$ 7ro"ided ke! is large enough, brute#force ke! search is not practical$

!2

Blow(ish Spee"
Fro: www.counterpane.com
Algorith: Blow(ish ,C& DES IDEA 9riple2DES Cloc7 cycles per roun" . 12 1+ &0 1+ = roun"s 1) 1) 1) + $+ = o( cloc7 cycles per 5yte encrypte" 1+ 2! $& &0 10+ (ree ,SA security &)25it 7ey Asco:2Systec

!!

,C&
7roprietar! cipher o ned b! 0SA 'ata Securit! (designed b! 0on 0i"est)$ 5er! fast, operates on ords$ 5ariable ke! si*e, block si*e and number of rounds$ 1lean and simple design$ Po memor! re9uirement$ 'ata#dependent rotations that strengthen the algorithm against cr!ptanal!sis$

!$

,C& Features
01- is a famil! of ciphers rc-# NrNb 8 M A ord si*e in bits (1.NE+N.?) nb dataA+ 8 0 A number of rounds (3$$+--) 8 @ A number of b!tes in the ke! (3$$+--) Nominal "ersion is 01-#E+N1+N1. 8 E+#bit ords so encr!pts .?#bit data blocks 8 >sing 1+ rounds 8 1. b!tes (1+,#bit) secret ke!

!&

,C& 3ey Sche"ule

01- uses +rC+ subke! ords ( #bits) subke!s are stored in arra! s[i], iA3$$T#1 Initiali*e S to a fi:ed pseudorandom "alue The b!te ke! is copied (little#endian) into a c# ord arra! P A mi:ing operation then combines P and S to form the final S arra!

!)

,C& Encryption
P3 A A C SH3I 03 A @ C SH1I for i A 1 to r do Pi A ((Pi#1 0i#1) KKK 0i#1) C SH+ L iI 0i A ((0i#1 Pi) KKK Pi) C SH+ L i C 1I
0otation is main source of non#linearit! : KKK ! c!clic rotation of ord : left b! ! bits : RRR ! c!clic rotation of ord : right b! ! bits

!*

,C& Decryption
for i A 1 down to r do 0i#1 A ((0i#1 # SH+ L i C1I) RRR Pi) Pi Pi#1 A ((Pi 8 SH+ L iI) KKK 0i#1) 0i#1 @ A 03 8 SH1I A A P3 8 SH3I
: KKK ! c!clic rotation of ord : left b! ! bits : RRR ! c!clic rotation of ord : right b! ! bits

!+

,C& Encryption ;o"es

01- @lock 1ipher, is E1@ mode$ 01-#1@1, is 1@1 mode$ 01-#1@1#7A', is 1@1 ith padding b! b!tes ith "alue being the number of padding b!tes$ 01-#1TS, a "ariant of 1@1 hich is the same si*e as the original message, uses cipherte:t stealing to keep si*e same as original, handles plainte:t of an! si*e and produces cipherte:t of e9ual si*e$

!.

Su::ary
AES (1+, block si*e, ke! si*e 1+,, 19+, +-.) ne encr!ption standard that replaced 'ES$ No practical kno n attack e:ist$

$0