Lecture 7: Block Ciphers (product ciphers, iterated ciphers, substitution-permutation networks, Feistel ciphers, standard security properties, DES, AES) Flashcards
What type of cipher is a block cipher?
Symmetric key ciphers where each block of plaintext is encrypted with SAME key
What is the block in the block cipher?
set of plaintext symbols of fixed size
What is the typical block size in modern block ciphers?
between 64 and 256 bits
Give the notation of a plaintext block in a block cipher
P (length = n bits)
Give the notation of a ciphertext block in a block cipher
C (length = n bits)
Give the notation of a key in a block cipher
K (length = k bits)
How is encryption denoted as in block ciphers?
C = E(P,K)
How is decryption denoted as in block ciphers?
P = D(C,K)
What are Claude Shannon’s two important encryption techniques called?
- confusion
2. diffusion
What is the encryption technique of confusion?
involving substitution to make the relationship between K and C as complex as possible
→ mitigate possibilities of statistical analysis succeeding
What is the encryption technique of diffusion?
involving transformations to dissipate the statistical properties of P across C
Explain the product cipher
Cryptosystem where encryption is formed by applying (also composing) several sub-encryption functions
Most block ciphers are composition of simple functions fi, for 1 <= i <= r s.t. Each fi has its own key Ki → onion
C = E(P,K) = fr(…(f2(f1(P,K1),K2)…),Kr)
last output as 1st input for next round
What are modern block ciphers which are special product ciphers called?
Iterated ciphers
Briefly outline encryption for the iterated cipher
Encryption divided into r similar rounds
Given plaintext block P, round function g and round keys K1, K2, … Kr, ciphertext block C is derived through r rounds
Repeating with diff keys and same function
W0 = P W1 = g(W0, K1) = g(P,K1) W2 = g(W1,K2) ... Wr = g(Wr-1,K1) = C
Briefly outline how the sub-encryption functions of the iterated cipher
all the same function g, called round function
Briefly outline how the key Ki is derived i.t.o iterated cipher
Derived from overall master key K using key schedule process
What is Ki call in terms of the iterated cipher
round key/subkey
Explain decryption process for iterated cipher
Reverse of encryption process
Inverse function g-1 must exist s.t. g-1(g(W,Ki),Ki) = W for all keys Ki and blocks W
See slide 11 of set 7 for eqns
What does SPN stand for?
Substitution-permutation network
What must block length n allow for in SPN?
each block to be split into m sub-blocks of length l → n = l x m
What is AES an example of?
SPN
What is SPN a type of?
iterated cipher
What are the two operations of SPN?
Substitution πs
Permutation πp
What is substitution πs in terms of SPN?
Substitution πs (substitution box/s-box) operates on sub-blocks of length l bits: πs : {0,1}’ → {0,1}’
What is permutation πp in terms of SPN?
Permutation πp (permutation box/p-box) swaps inputs from {1,…,n} similarly to transposition ciphers: πp : {1,…,n} → {1,…,n}
What are the steps in the SPN round function?
- Round key Ki is XORed with current state block Wi: Ki ⊕ Wi
- Each sub-block is substituted by applying πs
- The whole block is permuted using πp
Briefly explain the illustration of the round function on slide 15 of set 7
TODO
What type of cipher is the feistel cipher?
iterated cipher
What is DES an example of
feistel cipher
Briefly outline the round function of the feistel cipher
Swaps 2 halves of block and forms new right hand half
What is the feistel cipher sometimes called?
Feistel network
Explain the encryption process for the feistel cipher
- Split plaintext block P = W_0 into 2 halves (L_0, R_0)
- For each round, perform:
Li = R_i-1
Ri = L_i-1 ⊕ f(R_i-1, K_i) - Output ciphertext block C = W_r = (L_r, R_r)
See slide 17 of set 7 for diagram
Explain the decryption process for the feistel cipher
- Split ciphertex block C into 2 halves (Lr, Rr)
- For each round, perform:
Li-1 = Ri ⊕ f(Li, Ki)
Ri-1 = Li - Output plaintext block P = (L0,R0)
Do we need to invert f when decrypting for the feister cipher?
no
decrypt for any function f
What aspect of the feister cipher makes is secure?
f since it’s the only non-linear part of encryption
Briefly outline differential cryptanalysis
Chosen plaintext attack
Based on idea that difference between 2 input plaintexts can be correlated to the difference between 2 output ciphertexts → since SPN has linearity in its design
Briefly outline linear cryptanalysis - what type of attack?
Known plaintext attack
Can linear cryptanalysis theoretically break DES?
yes
Are modern block ciphers immune to both differential and linear cryptanalysis?
yes
Explain what a key avalanche is. What notion is it related to?
Small change in key (with same plaintext) should result in large change in ciphertext
Related to Shannon’s notion confusion
Explain what a plaintext avalanche is. What notion is it related to?
Small change in plaintext should result in large change in ciphertext
Changing 1 bit of plaintext should change each of the bits in the ciphertext with probability of ½
Related to Shannon’s notion of diffusion
Give the encryption steps for DES
- ALL bits of P permuted using initial fixed permutation IP
- 16 rounds of Feistel operation applied, denoted by func f
- Final fixed inverse permutation IP^(-1) applied
What is the input for DES’ encryption?
P is input plaintext block of 64 bits
What is the output of DES’ encryption?
Output ciphertext block C of 64 bits
Comment on the key used in the second step of the encryption process of DES
Different 48-bit subkey for each round
Explain the Feistel operation
For each round:
- Expand 32 bits to 48 bits
- XOR 48 bits to 48-bit subkey
- Break 48 bits into 8 blocks of 6 bits → Wi
- Put each block Wi into its substitution table Si, resulting into blocks of length 4
- Apply permutation to result into 32 (= 4 x 8) bits
See slide 24 of set 7 for diagram
Explain the s-box example of slide 25 of set 7
TODO
Not sure!
Outline the key schedule for DES
Each of 16 rounds involves 48 bits of 56-bit key
Each 48-bit subkey is defined by series of permutations and shifts on full 56-bit key
Generates subkeys
For a 56-bit key, get 16 48-bit subkeys
Generation details depend on implementation
How many keys do you need to test in a brute fore attack on DES?
Testing all possible 2^k keys to find key K → k = |K|
2^56 DES keys to test
On average, take (2^56)/2 = 255 trial samples to find key → trying all keys with last bit = 0
How is the key identified in brute force attack on DES?
using small number of ciphertext blocks or by looking for low entropy in decrypted plaintext
Is the key size good enough for DES?
No, short 56-bit key sized critisized
Explain double encryption for DES
Let K1 and K2 be 2 block cipher keys
Encryption: C = E(E(P,K1)(,K2)
If both keys have length k, then exhaustive attack requires 2^(2k-1) trials on average → Fix 1 bit so have half left to try
Time-memory trade off which reduces it suing MITM attack
Does brute force become difficult in double encryption for DES?
yes
Explain the steps of the MITM attack
Let (P,C) be single plaintext-ciphertext pair
- For each key K, store C’ = E(P,K) in memory
- Check if D(C,K’)=C’ for any K’
IDEA: given final ciphertext block, try every key to decrypt and see if matches ciphertext block previously stored
K from 1. Is K1 and K’ from 2. Is K2
- Check if key values in 2. Work other (P,C) pairs
What does MITM stand for?
Man in the middle
What is the general idea of the MITM attack?
try all keys for encryption, try all keys for decryption, find match
When MITM is applied to double DES, outline how many plaintext blocks required for each key
Storage of 1 plaintext block for every key → storage of 2^56 64-bit blocks
When MITM is applied to double DES, outline number of encryption operations
Single encryption for every key → 2^56 encryption operations
When MITM is applied to double DES, outline number of decryption operations
Single decryption for every key → 2^56 decryption operations
Compare the easiness of MITM to brute for in terms of DES
MITM expensive but much easier than brute for search through 2^(2*56-1) = 2^111 keys
Comment on the security of triple encryption for DES
Much better security → 3-key triple DES remains approved
3 keys: K1, K2, K3
Give the encryption function for triple encryption for DES
Encryption: C = E(D(E,(P,K1),K2)K3) → encrypt plaintext with K1, decrypt result with K2, encrypt result with K3
Is triple encryption secure against MITM attacks?
Yes → too expense/too much energy to do ops
What is the size of the data block in AES?
128-bits
What is the size of the master key in AES?
128-, 192- or 256-bit
How many rounds are there in AES’s encryption/decryption?
10, 12 or 14 rounds (for 128-, 192-, 256-bit master key respectively)
What sort of design is AES?
Byte-based
Explain SPN for AES
- Initial round key addition
- 10, 12, or 14 (encryption/decryption) rounds w.r.t to length of master key
- Final round
Give the state matrix for a 16-byte data block size.
See slide 39 of set 7
What operations are used for state matricies?
Mixture of finite field operations in GF(2^8) and bit string operations
In terms of AES, what are the 4 basic operations of round transformation?
ByteSub → non-linear substitution
ShiftRow → (permutation)
MixColumn → diffusion
AddRoundKey
What is block length and sub-block length for SPN in terms of round transformation
Substitution-permutation network with block length n=128 and sub-block length l=8
In terms of AES and round transformation, what is s-box and what is it defined in?
S-box is look-up table, mathematically defined in GF(2^8)
Explain the key schedule for AES (number of keys, sizes at each step)
Master key is 128 bits (resp. 192 and 256)
Each of 10 (resp. 12 and 14) rounds uses 128-bit subkey
1 subkey per round + 1 initial subkey
11 subkeys in total (resp. 13 and 15)
Deriving 128-bit subkeys from master key
What is a related key attack?
requiring attacker to obtain ciphertext encrypted with a key related to the actual key in a specific way
Comment on AES’ security
Some cracks have appeared but no significant breaks
Most serious attacks reduce effective key size by around 2 bits → ½ chance to determine bit as either 0 or 1. Difficult to know if first bit is 0
Compare AES’ and DES’ data block size
DES: 64 bits
AES: 128 bits
Compare AES’ and DES’ key size
DES: 56 bits
AES: 128, 192 or 256 bits (variation)
Compare AES’ and DES’ cipher type
Both iterated ciphers
Compare AES’ and DES’ operation structure
DES has Feistel structure while AES has SPN
Compare AES’ and DES’ units
DES is bit-based and AES is byte-based
Compare AES’ and DES’ speed
AES is substantially faster in both hardware and software → AES popular
What are block ciphers the building blocks of?
confidentiality and authentication
