Chapter 6 – Contemporary Symmetric Ciphers
• Triple DES
• Blowfish
• RC5
• Characteristics of advanced symmetric block ciphers
Symmetric Ciphers
Cipher    Year  Text size (bits)  Key size (bits)
Feistel   1973  64                128
DES       1977  64                56
S-DES     1996  8                 10
3DES      1999  64                168; 2 or 3 keys
Blowfish  1993  64                32-448 (variable)
RC5       1994  32/64/128         0-2040
Triple DES (1)
• clearly a replacement for DES was needed
– theoretical attacks that can break it
• Differential: O(2^47) chosen plaintexts
• Linear: O(2^47) known plaintexts
– demonstrated exhaustive key search attacks
• Brute force: O(2^55)
Triple DES (2)
• Alternatives:
– New algorithms
• E.g. AES
– Use multiple encryption with current ciphers
• E.g. 3DES
Triple DES (3)
Why Triple-DES? (1)
Why Triple-DES? (2)
• why not Double-DES?
– NOT the same as some other single-DES use,
– E_K2[E_K1[P]] != E_K3[P], proved in 1992
• but have meet-in-the-middle attack [1977]
– works against any block encryption cipher
– since X = E_K1[P] = D_K2[C]
– attack by encrypting P with all keys and storing the results, then decrypting C with all keys and matching the X value
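The meet-in-the-middle attack just described, as an added example that is not part of the original slides: a constructed 16-bit toy cipher with 8-bit keys stands in for DES so the whole search runs in a fraction of a second; the toy cipher, the secret key pair and the sample plaintexts are all assumptions of the example.

```python
# Added example (not from the slides): meet-in-the-middle against double
# encryption C = E_K2[E_K1[P]]. A constructed 16-bit toy cipher with 8-bit
# keys stands in for DES, so the attack costs ~2*2^8 cipher calls instead
# of the 2^16 of brute force over the key pair.
MASK16 = 0xFFFF

def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16

def toy_encrypt(k, x):
    """Constructed toy block cipher: four rounds of key-XOR, rotate, add."""
    for rnd in range(4):
        x ^= ((k << 8) | k) ^ rnd
        x = rotl16(x, 5)
        x = (x + 0x5A3B) & MASK16
    return x

def toy_decrypt(k, x):
    """Inverse of toy_encrypt: undo the rounds in reverse order."""
    for rnd in reversed(range(4)):
        x = (x - 0x5A3B) & MASK16
        x = rotl16(x, 11)               # undo the rotate by 5
        x ^= ((k << 8) | k) ^ rnd
    return x

def double_encrypt(k1, k2, x):
    return toy_encrypt(k2, toy_encrypt(k1, x))

def meet_in_the_middle(pairs):
    """pairs: (P, C) samples under one unknown (K1, K2). Uses the identity
    X = E_K1[P] = D_K2[C]: tabulate X over all K1, then look up D_K2[C] for
    every K2. Extra pairs weed out false matches. Returns (K1, K2) or None."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(256):                 # forward half: store X -> K1 list
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(256):                 # backward half: match on X
        for k1 in table.get(toy_decrypt(k2, c0), []):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2
    return None

def demo():
    """Recover a constructed secret key pair from three known plaintexts."""
    k1, k2 = 0x3C, 0xA7
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    return meet_in_the_middle(pairs)
```

With a 16-bit block and 8-bit keys roughly one false match per plaintext is expected, which is why the second and third pairs are used to confirm a candidate.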
Triple-DES with Two-Keys (1)
• hence must use 3 encryptions
– would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
– C = E_K1[D_K2[E_K1[P]]]
– NB: encrypt & decrypt are equivalent in security
– if K1 = K2 then can work with single DES
Triple-DES with Two-Keys (2)
• No current known practical attacks
• [Coppersmith94]
– Brute-force key search: 2^112 ≈ 5 * 10^33
– Estimated differential cryptanalysis
• Exceeds 10^52
• [Merkle and Hellman81]
– 2^56 with 2^56 chosen plaintext-ciphertext pairs
• [Oorschot, Wiener94]
– (2^56) * 2^64 / n = 2^(120 − log2 n)
Triple-DES with Three-Keys
• although there are no practical attacks on two-key Triple-DES, there are some indications
• can use Triple-DES with Three-Keys to avoid even these
– C = E_K3[D_K2[E_K1[P]]]
• has been adopted by some Internet applications, eg PGP, S/MIME
Blowfish (1)
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
– fast implementation on 32-bit CPUs
– compact in use of memory, < 5K memory
– simple structure eases analysis/implementation
– variable security by varying key size
• Single Blowfish round (figure)
Blowfish Encryption
• uses two primitives: addition (modulo 2^32) & XOR
• data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
  Ri = Li-1 XOR Pi;
  Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;
• where F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
– a, b, c, d are the four bytes of the 32-bit input to F, each indexing one S-box
Blowfish subkey & S-box (1)
• uses a 32 to 448 bit key (1 to 14 32-bit words)
• used to generate
– 18 32-bit subkeys stored in the P-array Pj
– four 8x32 S-boxes stored in Si,j
• key schedule consists of:
– initialize P-array and then 4 S-boxes using pi
– XOR P-array with key bits (reuse as needed)
– loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values
Blowfish subkey & S-box (2)
• the key words are stored in a K-array
– K1, K2, …, Kj, 1 ≤ j ≤ 14
• the subkeys are stored in a P-array
– P1, P2, …, P18
• the four S-boxes, each with 256 32-bit entries
– S1,0, S1,1, …, S1,255
– S2,0, S2,1, …, S2,255
– S3,0, S3,1, …, S3,255
– S4,0, S4,1, …, S4,255
Blowfish subkey & S-box (3)
• The steps in generating the P-array and S-boxes are:
• Initialize first the P-array and then the four S-boxes using the bits of the fractional part of the constant pi
– P1 = 243F6A88
– P2 = 85A308D3
– …
– S4,255 = 3AC372E6
• Perform a bitwise XOR of the P-array & K-array
Blowfish subkey & S-box (4)
• Update P-array and S-boxes
– P1, P2 = E_P,S[0]
– P3, P4 = E_P,S[P1 || P2]
– …
– P17, P18 = E_P,S[P15 || P16]
– S1,0, S1,1 = E_P,S[P17 || P18]
– …
– S4,254, S4,255 = E_P,S[S4,252 || S4,253]
• A total of 521 executions of Blowfish encryption are required
– Not suitable for frequently changing keys
Blowfish Discussion (1)
• analysis very difficult
– S-boxes dependent on key
– subkeys and S-boxes generated using cipher itself
• changing both halves in each round increases security
• provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost
Blowfish Discussion (2)
• Fast to execute
RC5
• a proprietary cipher owned by RSA Data Security Inc. (RSADSI)
• designed by Ronald Rivest (of RSA fame)
• used in various RSADSI products
• can vary key size / data size / no rounds
• very clean and simple design
• easy implementation on various CPUs
• yet still regarded as secure
RC5 Ciphers
• RC5 is a family of ciphers RC5-w/r/b
– w = word size in bits (16/32/64), data block = 2w
– r = number of rounds (0..255)
– b = number of bytes in key (0..255)
• nominal version is RC5-32/12/16
– ie 32-bit words so encrypts 64-bit data blocks
– using 12 rounds
RC5 Key Expansion (1)
• RC5 uses t = 2r+2 subkey words (w bits each)
– E.g. r=12, t=26
• subkeys are stored in array S[i], i=0..t-1
• then the key schedule consists of
– initializing S to a fixed pseudorandom value, based on constants e and phi
– the byte key (array K, e.g. b=16) is copied (little-endian machine) into a c-word array L (e.g. c=4)
– a mixing operation then combines L and S to form the
RC5 Key Expansion (2)
• little endian machine (figure)
RC5 Encryption (2)
• split input into two halves A & B
L0 = A + S[0];
R0 = B + S[1];
for i = 1 to r do
  Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i];
  Ri = ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1];
• 3 primitive operations
– Addition (subtraction) modulo 2^w
– Bitwise XOR
– Circular rotation (<<<, >>>)
RC5 Encryption (3)
• Not Feistel structure, but each round is like 2 DES rounds
• Note rotation is main source of non-linearity (<<<, >>>)
• need reasonable number of rounds (eg 12-16)
• Decryption is easily derived from encryption
RC5 Modes
• RFC2040 defines 4 modes used by RC5
– RC5 Block Cipher, is ECB mode
– RC5-CBC, is CBC mode
– RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes
– RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original
Block Cipher Characteristics
• features seen in modern block ciphers are:
– variable key length / block size / no rounds
– mixed operators, data/key dependent rotation
– key dependent S-boxes
– more complex key scheduling
– operation of full data in each round
Stream Ciphers (1)
• process the message bit by bit (as a stream)
• typically have a (pseudo) random key stream
• combined (XOR) with plaintext bit by bit
• randomness of key stream completely destroys any statistical properties in the message
– Ci = Mi XOR KeyStreami
• what could be simpler!!!!
• but must never reuse stream key
Stream Ciphers (2)
Stream Ciphers (3)
• Speed comparisons of symmetric (figure)
Stream Cipher Properties
• some design considerations are:
– key stream has long period with no repetitions
– statistically random, e.g. equal # of 1s and 0s
– depends on large enough key, e.g. K >= 128 bits
– large linear complexity
– correlation immunity
– confusion
– diffusion
RC4 (1)
• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info
RC4 Key Schedule
• starts with an array S of numbers: 0..255
• use key to well and truly shuffle
• S forms internal state of the cipher
• input: key k of length l bytes; output: S[0]…S[255]
for i = 0 to 255 do
  S[i] = i
j = 0
for i = 0 to 255 do
  j = (j + S[i] + k[i mod l]) (mod 256)
  swap(S[i], S[j])
RC4 Encryption
• encryption continues shuffling S array values
• sum of shuffled pair selects "key stream" value
• S[t] XOR with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
  i = (i + 1) (mod 256)
  j = (j + S[i]) (mod 256)
  swap(S[i], S[j])
  t = (S[i] + S[j]) (mod 256)
  Ci = Mi XOR S[t]
RC4 Security
• claimed secure against known attacks
– have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• have a concern with WEP, but due to key handling rather than RC4 itself
Summary
• have considered:
– some other modern symmetric block ciphers
– Triple-DES
– Blowfish
– RC5
– briefly introduced stream ciphers
– RC4