Lecture 7: Block Ciphers (product ciphers, iterated ciphers, substitution-permutation networks, Feistel ciphers, standard security properties, DES, AES)

Question 1

What type of cipher is a block cipher?

Answer 1

Symmetric key ciphers where each block of plaintext is encrypted with SAME key

Question 2

What is the block in the block cipher?

Answer 2

set of plaintext symbols of fixed size

Question 3

What is the typical block size in modern block ciphers?

Answer 3

between 64 and 256 bits

Question 4

Give the notation of a plaintext block in a block cipher

Answer 4

P (length = n bits)

Question 5

Give the notation of a ciphertext block in a block cipher

Answer 5

C (length = n bits)

Question 6

Give the notation of a key in a block cipher

Answer 6

K (length = k bits)

Question 7

How is encryption denoted as in block ciphers?

Answer 7

C = E(P,K)

Question 8

How is decryption denoted as in block ciphers?

Answer 8

P = D(C,K)

Question 9

What are Claude Shannon’s two important encryption techniques called?

Answer 9

1. confusion

2. diffusion

Question 10

What is the encryption technique of confusion?

Answer 10

involving substitution to make the relationship between K and C as complex as possible
→ mitigate possibilities of statistical analysis succeeding

Question 11

What is the encryption technique of diffusion?

Answer 11

involving transformations to dissipate the statistical properties of P across C

Question 12

Explain the product cipher

Answer 12

Cryptosystem where encryption is formed by applying (also composing) several sub-encryption functions

Most block ciphers are composition of simple functions fi, for 1 <= i <= r s.t. Each fi has its own key Ki → onion

C = E(P,K) = fr(…(f2(f1(P,K1),K2)…),Kr)

last output as 1st input for next round

Question 13

What are modern block ciphers which are special product ciphers called?

Answer 13

Iterated ciphers

Question 14

Briefly outline encryption for the iterated cipher

Answer 14

Encryption divided into r similar rounds

Given plaintext block P, round function g and round keys K1, K2, … Kr, ciphertext block C is derived through r rounds

Repeating with diff keys and same function

W0 = P
W1 = g(W0, K1) = g(P,K1)
W2 = g(W1,K2)
...
Wr = g(Wr-1,K1) = C

Question 15

Briefly outline how the sub-encryption functions of the iterated cipher

Answer 15

all the same function g, called round function

Question 16

Briefly outline how the key Ki is derived i.t.o iterated cipher

Answer 16

Derived from overall master key K using key schedule process

Question 17

What is Ki call in terms of the iterated cipher

Answer 17

round key/subkey

Question 18

Explain decryption process for iterated cipher

Answer 18

Reverse of encryption process

Inverse function g-1 must exist s.t. g-1(g(W,Ki),Ki) = W for all keys Ki and blocks W

See slide 11 of set 7 for eqns

Question 19

What does SPN stand for?

Answer 19

Substitution-permutation network

Question 20

What must block length n allow for in SPN?

Answer 20

each block to be split into m sub-blocks of length l → n = l x m

Question 21

What is AES an example of?

Answer 21

SPN

Question 22

What is SPN a type of?

Answer 22

iterated cipher

Question 23

What are the two operations of SPN?

Answer 23

Substitution πs

Permutation πp

Question 24

What is substitution πs in terms of SPN?

Answer 24

Substitution πs (substitution box/s-box) operates on sub-blocks of length l bits: πs : {0,1}’ → {0,1}’

Question 25

What is permutation πp in terms of SPN?

Answer 25

Permutation πp (permutation box/p-box) swaps inputs from {1,…,n} similarly to transposition ciphers: πp : {1,…,n} → {1,…,n}

Question 26

What are the steps in the SPN round function?

Answer 26

1. Round key Ki is XORed with current state block Wi: Ki ⊕ Wi
2. Each sub-block is substituted by applying πs
3. The whole block is permuted using πp

Question 27

Briefly explain the illustration of the round function on slide 15 of set 7

Answer 27

TODO

Question 28

What type of cipher is the feistel cipher?

Answer 28

iterated cipher

Question 29

What is DES an example of

Answer 29

feistel cipher

Question 30

Briefly outline the round function of the feistel cipher

Answer 30

Swaps 2 halves of block and forms new right hand half

Question 31

What is the feistel cipher sometimes called?

Answer 31

Feistel network

Question 32

Explain the encryption process for the feistel cipher

Answer 32

1. Split plaintext block P = W_0 into 2 halves (L_0, R_0)
2. For each round, perform:
   Li = R_i-1
   Ri = L_i-1 ⊕ f(R_i-1, K_i)
3. Output ciphertext block C = W_r = (L_r, R_r)

See slide 17 of set 7 for diagram

Question 33

Explain the decryption process for the feistel cipher

Answer 33

1. Split ciphertex block C into 2 halves (Lr, Rr)
2. For each round, perform:
   Li-1 = Ri ⊕ f(Li, Ki)
   Ri-1 = Li
3. Output plaintext block P = (L0,R0)

Question 34

Do we need to invert f when decrypting for the feister cipher?

Answer 34

no

decrypt for any function f

Question 35

What aspect of the feister cipher makes is secure?

Answer 35

f since it’s the only non-linear part of encryption

Question 36

Briefly outline differential cryptanalysis

Answer 36

Chosen plaintext attack

Based on idea that difference between 2 input plaintexts can be correlated to the difference between 2 output ciphertexts → since SPN has linearity in its design

Question 37

Briefly outline linear cryptanalysis - what type of attack?

Answer 37

Known plaintext attack

Question 38

Can linear cryptanalysis theoretically break DES?

Answer 38

yes

Question 39

Are modern block ciphers immune to both differential and linear cryptanalysis?

Answer 39

yes

Question 40

Explain what a key avalanche is. What notion is it related to?

Answer 40

Small change in key (with same plaintext) should result in large change in ciphertext

Related to Shannon’s notion confusion

Question 41

Explain what a plaintext avalanche is. What notion is it related to?

Answer 41

Small change in plaintext should result in large change in ciphertext

Changing 1 bit of plaintext should change each of the bits in the ciphertext with probability of ½

Related to Shannon’s notion of diffusion

Question 42

Give the encryption steps for DES

Answer 42

1. ALL bits of P permuted using initial fixed permutation IP
2. 16 rounds of Feistel operation applied, denoted by func f
3. Final fixed inverse permutation IP^(-1) applied

Question 43

What is the input for DES’ encryption?

Answer 43

P is input plaintext block of 64 bits

Question 44

What is the output of DES’ encryption?

Answer 44

Output ciphertext block C of 64 bits

Question 45

Comment on the key used in the second step of the encryption process of DES

Answer 45

Different 48-bit subkey for each round

Question 46

Explain the Feistel operation

Answer 46

For each round:

1. Expand 32 bits to 48 bits
2. XOR 48 bits to 48-bit subkey
3. Break 48 bits into 8 blocks of 6 bits → Wi
4. Put each block Wi into its substitution table Si, resulting into blocks of length 4
5. Apply permutation to result into 32 (= 4 x 8) bits

See slide 24 of set 7 for diagram

Question 47

Explain the s-box example of slide 25 of set 7

Answer 47

TODO

Not sure!

Question 48

Outline the key schedule for DES

Answer 48

Each of 16 rounds involves 48 bits of 56-bit key

Each 48-bit subkey is defined by series of permutations and shifts on full 56-bit key
Generates subkeys

For a 56-bit key, get 16 48-bit subkeys

Generation details depend on implementation

Question 49

How many keys do you need to test in a brute fore attack on DES?

Answer 49

Testing all possible 2^k keys to find key K → k = |K|

2^56 DES keys to test

On average, take (2^56)/2 = 255 trial samples to find key → trying all keys with last bit = 0

Question 50

How is the key identified in brute force attack on DES?

Answer 50

using small number of ciphertext blocks or by looking for low entropy in decrypted plaintext

Question 51

Is the key size good enough for DES?

Answer 51

No, short 56-bit key sized critisized

Question 52

Explain double encryption for DES

Answer 52

Let K1 and K2 be 2 block cipher keys

Encryption: C = E(E(P,K1)(,K2)

If both keys have length k, then exhaustive attack requires 2^(2k-1) trials on average → Fix 1 bit so have half left to try

Time-memory trade off which reduces it suing MITM attack

Question 53

Does brute force become difficult in double encryption for DES?

Answer 53

yes

Question 54

Explain the steps of the MITM attack

Answer 54

Let (P,C) be single plaintext-ciphertext pair

1. For each key K, store C’ = E(P,K) in memory
2. Check if D(C,K’)=C’ for any K’

IDEA: given final ciphertext block, try every key to decrypt and see if matches ciphertext block previously stored

K from 1. Is K1 and K’ from 2. Is K2

3. Check if key values in 2. Work other (P,C) pairs

Question 55

What does MITM stand for?

Answer 55

Man in the middle

Question 56

What is the general idea of the MITM attack?

Answer 56

try all keys for encryption, try all keys for decryption, find match

Question 57

When MITM is applied to double DES, outline how many plaintext blocks required for each key

Answer 57

Storage of 1 plaintext block for every key → storage of 2^56 64-bit blocks

Question 58

When MITM is applied to double DES, outline number of encryption operations

Answer 58

Single encryption for every key → 2^56 encryption operations

Question 59

When MITM is applied to double DES, outline number of decryption operations

Answer 59

Single decryption for every key → 2^56 decryption operations

Question 60

Compare the easiness of MITM to brute for in terms of DES

Answer 60

MITM expensive but much easier than brute for search through 2^(2*56-1) = 2^111 keys

Question 61

Comment on the security of triple encryption for DES

Answer 61

Much better security → 3-key triple DES remains approved

3 keys: K1, K2, K3

Question 62

Give the encryption function for triple encryption for DES

Answer 62

Encryption: C = E(D(E,(P,K1),K2)K3) → encrypt plaintext with K1, decrypt result with K2, encrypt result with K3

Question 63

Is triple encryption secure against MITM attacks?

Answer 63

Yes → too expense/too much energy to do ops

Question 64

What is the size of the data block in AES?

Answer 64

128-bits

Question 65

What is the size of the master key in AES?

Answer 65

128-, 192- or 256-bit

Question 66

How many rounds are there in AES’s encryption/decryption?

Answer 66

10, 12 or 14 rounds (for 128-, 192-, 256-bit master key respectively)

Question 67

What sort of design is AES?

Answer 67

Byte-based

Question 68

Explain SPN for AES

Answer 68

1. Initial round key addition
2. 10, 12, or 14 (encryption/decryption) rounds w.r.t to length of master key
3. Final round

Question 69

Give the state matrix for a 16-byte data block size.

Answer 69

See slide 39 of set 7

Question 70

What operations are used for state matricies?

Answer 70

Mixture of finite field operations in GF(2^8) and bit string operations

Question 71

In terms of AES, what are the 4 basic operations of round transformation?

Answer 71

ByteSub → non-linear substitution
ShiftRow → (permutation)
MixColumn → diffusion
AddRoundKey

Question 72

What is block length and sub-block length for SPN in terms of round transformation

Answer 72

Substitution-permutation network with block length n=128 and sub-block length l=8

Question 73

In terms of AES and round transformation, what is s-box and what is it defined in?

Answer 73

S-box is look-up table, mathematically defined in GF(2^8)

Question 74

Explain the key schedule for AES (number of keys, sizes at each step)

Answer 74

Master key is 128 bits (resp. 192 and 256)

Each of 10 (resp. 12 and 14) rounds uses 128-bit subkey

1 subkey per round + 1 initial subkey
11 subkeys in total (resp. 13 and 15)

Deriving 128-bit subkeys from master key

Question 75

What is a related key attack?

Answer 75

requiring attacker to obtain ciphertext encrypted with a key related to the actual key in a specific way

Question 76

Comment on AES’ security

Answer 76

Some cracks have appeared but no significant breaks

Most serious attacks reduce effective key size by around 2 bits → ½ chance to determine bit as either 0 or 1. Difficult to know if first bit is 0

Question 77

Compare AES’ and DES’ data block size

Answer 77

DES: 64 bits
AES: 128 bits

Question 78

Compare AES’ and DES’ key size

Answer 78

DES: 56 bits
AES: 128, 192 or 256 bits (variation)

Question 79

Compare AES’ and DES’ cipher type

Answer 79

Both iterated ciphers

Question 80

Compare AES’ and DES’ operation structure

Answer 80

DES has Feistel structure while AES has SPN

Question 81

Compare AES’ and DES’ units

Answer 81

DES is bit-based and AES is byte-based

Question 82

Compare AES’ and DES’ speed

Answer 82

AES is substantially faster in both hardware and software → AES popular

Question 83

What are block ciphers the building blocks of?

Answer 83

confidentiality and authentication