Symmetric Cryptography

CS461/ECE422

1
 Outline
• Overview of Cryptosystem design
• Commercial Symmetric systems
– DES
– AES
• Modes of block and stream ciphers

2
 Reading
• Section 2.4-2.6 and 12.2 in Security in
Computing
• Chapter 9 from Computer Science: Art and
Science
• Applied Cryptography, Bruce Schneier
• Lecture notes by Prof. Michael Backes on
DES and AES
3
Shannon's Guide to Good Ciphers
• Amount of secrecy should determine amount
of labor appropriate for encryption and
decryption
• The set of keys and enciphering algorithm
should be free from complexity
• The implementation should be as simple as
possible
• Errors in ciphering should not propagate
• Size of the enciphered text should be no larger
than the original
4
 Commercial Encryption Guides
• Cryptosystem should be based on sound
mathematics
• It has been analyzed by many experts
• It has stood the “test of time”

5
 Stream, Block Ciphers
• E encipherment function
– Ek(b) encipherment of message b with key k
– In what follows, m = b1b2 …, each bi of fixed length
• Block cipher
– Ek(m) = Ek(b1)Ek(b2) …
• Stream cipher
– k = k1k 2 …
– Ek(m) = Ek1(b1)Ek2(b2) …
– If k1k2 … repeats itself, cipher is periodic and the length
of its period is one cycle of k1k2 …
6
 Examples
• Vigenère cipher
– |bi| = 1 character, k = k1k2 … where |ki| = 1 character
– Each bi enciphered using ki mod length(k)
– Stream cipher
• DES
– |bi| = 64 bits, |k| = 56 bits
– Each bi enciphered separately using k

Observe that “block” or “stream” refers to successive keys used---

block means same key, stream means keys change from message
block to message block
7
 Confusion and Diffusion
• Confusion
– Interceptor should not be able to predict how
ciphertext will change by changing one character
• Diffusion
– Cipher should spread information from plaintext
over cipher text
– See avalanche effect

8
 Avalanche Effect
• Key desirable property of an encryption algorithm
• Where a change of one input or key bit results in
changing approx half of the output bits
• If the change were small, this might provide a way
to reduce the size of the key space to be searched
• DES exhibits strong avalanche

9
 Overview of the DES
• A block cipher:
– encrypts blocks of 64 bits using a 56 bit key
– outputs 64 bits of ciphertext
• A product cipher
– basic unit is the bit
– performs both substitution (S-box) and transposition
(permutation) (P-box) on the bits
• Cipher consists of 16 rounds (iterations) each with
a round key generated from the user-supplied key

Slide #9-10
 Feistel Network
• Structured to enable use of same S-box and P-
box for encryption and decryption
– Change only key schedule
• Major feature is key division and swapping
– L(i) = R(i-1)
• left half next stage is right half from last stage
– R(i) = L(i-1) xor F(K(i), R(i-1))
• Right half next stage is left half last step XOR’d with
function of right half last stage and stage key
11
 Mathematical Description
• Let Li and Ri denote the output half-blocks of the ith round.
• So Li −1 and Ri −1 are the input of the ith round.
• We have
Li = Ri −1
Ri = Li −1 ⊕ F ( Ri −1 , K i )
• O r, (Li,Ri) = μ oφi (Li−1,Ri−1),w here
Lii−1−1).
φi :(Li−1,Ri−1)→ (Li−1 ⊕ F (Ri−1,K i),R
μ :(Li−1,Ri−1)→ (Ri−1,Li−1). simple transposition
• N ote thatφi−1 = φi and μ −1 = μ .
€ 12
 Feistel Cipher
• Goes through a number of rounds, say 16 rounds.
• A Feistel cipher encrypts a block m as:
E k (m) = μ o μ oφ16 oL o μ oφ2 o μ oφ1 (m) = c
• The decryption will be:
D k (c) = φ1−1 o μ −1 oφ2−1 oL o μ −1 oφ16−1 o μ −1 o μ −1 (c)
= μ o μ oφ1 o μ oφ2 oL o μ oφ16 (c)
• The descryption
decryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
13
Feistel Network Structure
CIPHERTEXT

Kn

K n −1

K0

PLAINTEXT
14
Encrypt Decrypt
DES : The Big Picture
Parity bits dropped
(1 per byte)

15
Generation of Round Keys
• Round keys are 48 bits
each
• LSH == left shift
• PC-1, PC-2 ==
permutations

Slide #9-16
Encryption

IP −1 Inverse permutation

€ Slide #9-17
 The f (or F) Function
Ri−1

padding
€
Ri−1 substitution

permutation ( particular transposition)

Slide #9-18
 Substitution boxes
• Key non-linear element to DES security
• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
– outer bits 1 & 6 (rowbits) select one row (in 4 boxes)
– inner bits 2-5 (colbits) select column (narrows to 1 box)
– result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
– feature known as autoclaving (autokeying)
• Note xor of key to create 6 bits used for selection

19
• For example, S1(101010) = 6 = 0110.

20
 DES Decryption
• decrypt must unwind steps of data computation

• with Feistel design, do encryption steps again

21
 Controversy
• Considered too weak
– Diffie, Hellman said in a few years technology would
allow DES to be broken in days
• Design using 1999 technology published
– Design decisions not public
• Some of the design decisions underlying the S-Boxes are
unknown
• S-boxes may have backdoors
• Key size reduced from 112 bits in original Lucifer design to 56
bits

22
 Undesirable Properties
• 4 weak keys
– They are their own inverses
– i.e. DESk(m) = c  DESk(c) = m
– All 0’s. All 1’s. First half 1’s second half 0’s. Visa versa.
• 12 semi-weak keys
– Each has another semi-weak key as inverse
– i.e. DESk1(m) = c  DESk2(c) = m
• Possibly weak keys
– Result in same subkeys being used in multiple rounds
• Complementation property
– DESk(m) = c  DESk(m) = c
23
 Differential Cryptoanalysis
• Was not reported in open literature until 1990
– Tracks probabilities of difference inputs matching differences in outputs
• Chosen ciphertext attack
– Analyzes “pairs” of crafted plaintext and resulting ciphertext, “only”
2^{47} pairs needed (e.g. a billion times more efficient than brute force)
• Uncovered some facts about DES
– Small changes in S-boxes weaken DES against differential analysis
– Replacing key shifts with fully independent keys does not strengthen
DES against differential analysis
• Suggests DES designers knew about differential analysis

24
 Differential Cryptoanalysis
• Lucifer – IBM precursor to DES
– Broken in 30 pairs
• FEAL-N
– DES with different numbers of iterations
– FEAL-4 broken in 20 pairs
– FEAL-8 broken in 10,000 pairs

25
 Current Status of DES
• A design for computer system and an associated
software that could break any DES-enciphered
message in a few days was published in 1998
• Several challenges to break DES messages solved
using distributed computing see 1999 article
• National Institute of Standards and Technology
(NIST) selected Rijndael as Advanced Encryption
Standard (AES), successor to DES
– Designed to withstand attacks that were successful on
DES
– It can use keys of varying length (128, 196, or 256)
26
 Want to know more about DES?
• For a more detailed discussion on DES, see the
slides for lecture 8 of a previous year’s
Information Assurance course at:
– http://www.cs.uiuc.edu/class/fa05/cs498sh/slides/lectur
e8-crypto.pdf
• Bruce Schneier, Applied Cryptography.
• William Stallings, Cryptography and Network
Security, Second Edition, Prentice Hall, 1998.

27
 AES Background
• Clear a replacement for DES was needed
– Can use Triple-DES –but slow with small blocks
• US NIST issued call for ciphers in 1997
– 15 candidates accepted in Jun 98
– 5 were short-listed in Aug-99
• Rijndael was selected as AES in Oct-2000
– issued as FIPS PUB 197 standard in Nov-2001
– http://csrc.nist.gov/publications/fips/fips197/fips
-197.pdf

28
 AES Requirements
• Private key symmetric block cipher
– 128-bit data, 128/192/256-bit keys
• Stronger & faster than Triple-DES
• Active life of 20-30 years (+ archival use)
• Provide full specification & design details
• Both C & Java implementations
• NIST have released all submissions &
unclassified analyses

29
 AES Evaluation Criteria
• Initial criteria:
– security –effort to practically cryptanalyse
– cost –computational
– algorithm & implementation characteristics
• Final criteria
– general security
– software & hardware implementation ease
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)

30
 AES Shortlist
• Shortlist August-99:
– MARS (IBM) -complex, fast, high security margin
– RC6 (USA) -v. simple, v. fast, low security margin
– Rijndael(Belgium) -clean, fast, good security margin
– Serpent (Euro) -slow, clean, v. high security margin
– Twofish(USA) -complex, v. fast, high security margin
• Subject to further analysis & comment
• Saw contrast between algorithms with
– few complex rounds verses many simple rounds
– refined existing ciphers verses new proposals

31
 The AES Cipher - Rijndael
• Designed by Rijmen-Daemenin Belgium
– Has 128/192/256 bit keys, 128 bit data
• An iterative rather than feistel cipher
– treats data in 4 groups of 4 bytes
– 4x4 matrix in column major order
– operates an entire block in every round
• Designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– Simple design
32
 AES Overview
• 128 bit block worked on using 4x4 byte matrix
– Block partitioned into 4 subblocks, each processed separately
• Processing on each block comprised of several rounds
– 10 for 128-bit key, 12 for 192-bit key, 14 for 256-bit key
• Each round has four steps
– SubBytes : 8-bit substitution, the “Rijindael S-box”

– ShiftRows : each row of matrix has applied circular shifts

• Row i shifted i positions – each output column has a byte from each input
column
AES Overview
 More on AES
• Observe that each step is invertible, so decryption given
key bits is straightforward
• All operations can be combined into XOR and table
lookups -hence very fast & efficient
Rijndael Diagram

36
Note key expansion pre-step
 Byte Substitution
• A simple substitution of each byte
• Uses one table of 16x16 bytes containing a
permutation of all 256 8-bit values
• Each byte of state is replaced by byte in row
(left 4-bits) & column (right 4-bits)
• S-box is constructed using a defined transformation
of the values in GF(2 )
8

• Designed to be resistant to all known attacks

37
 Shift Rows
• A circular byte shift in each row
– 1 row is unchanged
st

– 2 row does 1 byte circular shift to left

nd

– 3rd row does 2 byte circular shift to left

– 4th row does 3 byte circular shift to left
• Decrypt does shifts to right
• Since state is stored by columns, this step
permutes bytes between the columns

38
 Mix Columns
• Each column is processed separately
• Each byte is replaced by a value dependent
on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2 )
8

using prime poly m(x) =x8+x4+x3+x+1

39
 Add Round Key
• XOR state with 128-bits of the round key
• Again processed by column (though
effectively a series of byte operations)
• Inverse for decryption is identical since XOR
is own inverse, just with correct round key
• Designed to be as simple as possible

40
AES Round

41
 AES Key Expansion
• Each round uses a different key
– Key expansion takes 128 bit key and “expands” into a number of
separate round keys
• Recall round key creation in DES
• Key expansion is also performed in rounds
– Operations each round include
• Left shift by 8-bits
• Rijandael S-box substitution of all bytes
• XOR of leading byte with special code whose value depends on iteration number

• Designed to resist known attacks

42
 AES Decryption
• AES decryption is not identical to encryption
since steps done in reverse
• But can define an equivalent inverse cipher
with steps as for encryption
– but using inverses of each step
– with a different key schedule
• Works since result is unchanged when
– swap byte substitution & shift rows
– swap mix columns & add (tweaked) round key

43
 Implementation Issues
• Can be efficiently implemented on 8-bit CPU
– Byte substitution works on bytes using a table of
256 entries
– Shift rows is simple byte shifting
– Add round key works on byte XORs
– Mix columns requires matrix multiply in GF(28)
on byte values, can be simplified to use a table
lookup

44
 Block Ciphers
• Encipher, decipher multiple bits at once
• Each block enciphered independently
– Called Electronic Code Book Mode (ECB)

45
 ECB Problem
• Problem: identical plaintext blocks produce
identical ciphertext blocks
– Example: two database records
• MEMBER: HOLLY INCOME $100,000
• MEMBER: HEIDI INCOME $100,000
– Encipherment:
• ABCQZRME GHQMRSIB CTXUVYSS RMGRPFQN
• ABCQZRME ORMPABRZ CTXUVYSS RMGRPFQN
– Fails to hide patterns in plaintext

46
 Example of ECB failure
• Pixelmap image of Tux encoded by ECB,
and not

Tux ECB encoding Non-ECB encoding

 Solutions
• Insert information about block’s position
into the plaintext block, then encipher
• Cipher Block Chaining (CBC):
– Exclusive-or current plaintext block with
previous ciphertext block:
• c0 = Ek(m0  I)
• ci = Ek(mi  ci–1) for i > 0
where I is the initialization vector

48
 Decryption of CBC
• Suppose n blocks encrypted. Then

• Since is known, we recover by

c n = E k (mn ⊕c n −1 )
so
Dk (c n ) = Dk (E k (mn ⊕c n −1 ))
= mn ⊕c n −1

c n −1 mn
€ €Dk (c n ) ⊕c n −1 = mn ⊕(c n −1 ⊕c n −1) = mn ⊕0 = mn
€
€
€
CBC Mode Encryption

50
CBC Mode Decryption

51
 Self-Healing Property
• If one block of ciphertext is altered, the error propagates
for at most two blocks
• Initial message
– 3231343336353837 3231343336353837
3231343336353837 3231343336353837
• Received as (underlined 4c should be 4b)
– ef7c4cb2b4ce6f3b f6266e3a97af0e2c
746ab9a6308f4256 33e60b451b09603d
• Which decrypts to
– efca61e19f4836f1 3231333336353837
3231343336353837 3231343336353837
– Incorrect bytes underlined
– Plaintext “heals” after 2 blocks

52
 How does self-healing work?
• Suppose c i becomes corrupted in
transmission (e.g. after encryption) Note
that

so the ith and (i+1)st message blocks are

corrupted. The (i+2)nd block is free from the
corrupted ciphertext
 Propagating Cipher-Block Chaining
• Similar to CBC, designed to have small errors in ciphertext propagate,
making it easier to detect that an error has occurred and so the resultant
plaintext be rejected (used in Kerberos 4 and WASTE)
 Multiple Encryptions
• Double encryption not generally used
– Meet-in-the-middle attack
• C = Ek2(Ek1(P))
• Generate and store all possible 1st encryptions (cycle through all keys)
• Generate and store all possible 1 st decryptions (cycle through all keys)
• Look for bit pattern match
• Requires only O(2|K|+1 log(|K|) )work instead of 22|K|

E1(P) D1(P)
EE2(P) ED2(P)
P E3(P) D3(P) C

… …

E2^|K|(P) D2^|K|(P)
55
encrypt decrypt
 Multiple Encryptions
• Encrypt-Decrypt-Encrypt Mode (3 keys: k, k k’)
– c = DESk(DESk–1(DESk’’(m)))
– Also called Triple DES or 3DES when used with 3 keys
– 168 bits of key, but effective key length of 112 due to meet-in-the
middle
– Not yet practical to break but AES much faster
– This is ANSI X9.52 standard --- because using : k= k,=kin a
3DES machine is equivalent to DES

• Encrypt-Encrypt-Encrypt Mode (3 keys: k, k, k)

– c = DESk(DESk (DESk(m)))
– Same cryptographic strength as E-D-E

56
 Stream Ciphers
• Often (try to) implement one-time pad by
xor’ing each bit of key with one bit of
message
– Example:
m = 00101
k = 10010
c = 10111
• But how to generate a good key?
57
 Synchronous Stream Ciphers
• n-stage Linear Feedback Shift Register:
consists of
– n bit register r = r0…rn–1
– n bit tap sequence t = t0…tn–1
– Use:
• Use rn–1 as key bit
• Compute x = r0t0  …  rn–1tn–1
• Shift r one bit to right, dropping rn–1, x becomes r0

58
 Operation
…

r0 … rn–1  bi
…
ci

r0´ … rn–1´ ri´ = ri–1,

0<i≤n

Feedback
r0t0  …  rn–1tn–1 Function
59
 Example
• 4-stage LFSR; t = 1001
r r3 new bit computation new r
0010 0 (0&1)(0&0)(1&0)(0&1) = 0 0001
0001 1 (0&1)(0&0)(0&0)(1&1) = 1 1000
1000 0 (1&1)(0&0)(0&0)(0&1) = 1 1100
1100 0 (1&1)(1&0)(0&0)(0&1) = 1 1110
1110 0 (1&1)(1&0)(1&0)(0&1) = 1 1111
1111 1 (1&1)(1&0)(1&0)(1&1) = 0 0111

– Key sequence has period of 15 (010001111010110)

60
 LFSR Period
• For n bit register
– Maximum possible period is 2n-1
– -1 because 0’s will only yield 0’s
• Not all tap sequences will yield this period
– Large theory on computing maximal period
feedback functions

61
 NLFSR
• n-stage Non-Linear Feedback Shift
Register: consists of
– n bit register r = r0…rn–1
– Use:
• Use rn–1 as key bit
• Compute x = f(r0, …, rn–1); f is any function
• Shift r one bit to right, dropping rn–1, x becomes r0
Note same operation as LFSR but more general
bit replacement function
62
 Example
• 4-stage NLFSR; f(r0, r1, r2, r3) = (r0 & r2) | r3
r ki new bit computation new r
1100 0 (1 & 0) | 0 = 0 0110
0110 0 (0 & 1) | 0 = 0 0011
0011 1 (0 & 1) | 1 = 1 1001
1001 1 (1 & 0) | 1 = 1 1100
1100 0 (1 & 0) | 0 = 0 0110
0110 0 (0 & 1) | 0 = 0 0011
0011 1 (0 & 1) | 1 = 1 1001
– Key sequence has period of 4 (far smaller than the
theoretical max!)
63
 Eliminating Linearity
• NLFSRs not common
– No body of theory about how to design them to have
long period
• Alternate approach: output feedback mode
– For E encipherment function, k key, r register:
• Compute r= Ek(r); use rto  with plaintext block
• Set r to r and iterate, repeatedly enciphering register and using
as key bits, until message enciphered
– Variant: use a counter that is incremented for each
encipherment rather than a register

64
OFB Mode

65
 Counter Mode
• Register is nonce and counter
• Supports “random access”

bi−1 bi bi+1

€ € €

66
 Characteristics of OFB/Counter
• Losing Synchronicity in OFB is fatal
– All later decryptions will be garbled
• OFB needs an initialization vector
• Counter mode lets you generate a bit in the
middle of the stream
• RC4 is a well-known stream cipher that
uses OFB. Used in WEP

67
 Key Points
• Historical Ciphers
– Give examples of linguistic attacks
– Substitution and transposition ciphers
• Symmetric key ciphers
– AES and DES
– Today's workhorse algorithms
– Crypto analysis attacks on algorithms
– Product ciphers
68