
Sebery J. Cryptography. An introduction to computer security. 1989 (.pdf)
3.2 DES Family 101
[Figure: two panels, Encryption (m_1, m_2, ..., m_ℓ and IV fed through E_k to give c_1, c_2, ..., c_ℓ) and Decryption (c_1, c_2, ..., c_ℓ and IV fed through D_k to give m_1, m_2, ..., m_ℓ)]
Fig. 3.12. CBC mode
- Electronic codebook mode (ECB) – a data block m of arbitrary length is divided into 64-bit blocks m_1, m_2, ..., m_ℓ. The last block, if it is shorter than 64 bits, needs to be padded to the full length of 64 bits. The DES algorithm is applied independently to each block using the same cryptographic key k, producing the ciphertext
c = (c_1, ..., c_ℓ) = (E_k(m_1), ..., E_k(m_ℓ)).
The decryption in the ECB mode is
m = (m_1, ..., m_ℓ) = (D_k(c_1), ..., D_k(c_ℓ)).
As the blocks are independent, the receiver of ciphertext blocks is not able to determine the correct order of the blocks, or to detect duplicates or missing blocks.
- Cipher block chaining mode (CBC) – the initial vector IV needs to be known at both sides but does not need to be secret (Figure 3.12). For encryption, cryptograms are created from the current message block and the previous cryptogram according to the following equation:
c_i = E_k(m_i ⊕ c_{i−1}),
where c_1 = E_k(m_1 ⊕ IV) and i = 2, ..., ℓ. The decryption process unravels the ciphertext as
m_i = D_k(c_i) ⊕ c_{i−1},
with m_1 = D_k(c_1) ⊕ IV.

102 3 PRIVATE-KEY CRYPTOSYSTEMS
[Figure: two panels, Encryption (m_1, ..., m_ℓ, IV and E_k giving c_1, ..., c_ℓ) and Decryption (c_1, ..., c_ℓ, IV and E_k giving m_1, ..., m_ℓ; only E_k appears in both panels)]
Fig. 3.13. CFB mode
- Cipher feedback mode (CFB) – in this mode the cryptograms are equal to (Figure 3.13)
c_i = m_i ⊕ E_k(c_{i−1}),
where c_1 = m_1 ⊕ E_k(IV) and i = 2, ..., ℓ. The decryption uses the E_k function as well, therefore
m_i = c_i ⊕ E_k(c_{i−1})
and the decryption D_k is never used. Note that the sequence E_k(c_i) mimics a random key in the one-time pad system.
- Output feedback mode (OFB) – if the pseudorandom string E_k(c_i) (i = 1, ..., ℓ) in CFB is simplified to the string E_k^i(IV), then this mode of operation becomes OFB, where E_k^i = E_k ∘ E_k ∘ ... ∘ E_k.
CBC and CFB modes are useful for message-integrity checking, as any interference with the original contents of the transmission will generate, after decryption, a number of meaningless messages. Assume that we have received a ciphertext sequence (c_1, ..., c_{j−1}, c'_j, c_{j+1}, ...) where the cryptogram c_j was modified (accidentally or otherwise) during the transmission. For both modes, the messages m_j and m_{j+1} cannot be recovered.
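The propagation of a damaged cryptogram c_j through CBC and CFB (with OFB added for comparison), as an added Python example that is not from the book. DES itself is replaced by E and D, a clearly labelled invertible 64-bit stand-in, so the block demonstrates the chaining rules above, not DES.

```python
MASK = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15           # odd constant: multiplication by it is a bijection mod 2^64
INV = pow(ODD, -1, 1 << 64)        # its modular inverse (Python 3.8+)

def E(k, m):   # stand-in for DES E_k: an invertible keyed 64-bit mixing, NOT a real cipher
    return ((m ^ k) * ODD) & MASK

def D(k, c):   # inverse of E, i.e. the stand-in for D_k
    return ((c * INV) & MASK) ^ k

def cbc_encrypt(k, iv, ms):
    cs, prev = [], iv
    for m in ms:                   # c_i = E_k(m_i xor c_{i-1}), c_0 = IV
        prev = E(k, m ^ prev)
        cs.append(prev)
    return cs

def cbc_decrypt(k, iv, cs):        # m_i = D_k(c_i) xor c_{i-1}
    return [D(k, c) ^ p for p, c in zip([iv] + cs, cs)]

def cfb_encrypt(k, iv, ms):
    cs, prev = [], iv
    for m in ms:                   # c_i = m_i xor E_k(c_{i-1}); D_k is never used
        prev = m ^ E(k, prev)
        cs.append(prev)
    return cs

def cfb_decrypt(k, iv, cs):        # m_i = c_i xor E_k(c_{i-1})
    return [c ^ E(k, p) for p, c in zip([iv] + cs, cs)]

def ofb_xor(k, iv, blocks):
    """OFB: the keystream E_k^i(IV) is data-independent, so this both encrypts and decrypts."""
    out, s = [], iv
    for b in blocks:
        s = E(k, s)
        out.append(b ^ s)
    return out

def damaged_blocks(enc, dec, k, iv, ms, j, bit=0):
    """Indices of message blocks recovered wrongly after one bit of c_j flips in transit."""
    cs = enc(k, iv, ms)
    cs[j] ^= 1 << bit              # the transmission error of the text: c_j -> c'_j
    return [i for i, (a, b) in enumerate(zip(ms, dec(k, iv, cs))) if a != b]
```

With constructed blocks, CBC and CFB lose exactly m_j and m_{j+1}, while OFB loses only m_j (and only at the flipped bit), which is why OFB gives no integrity signal at all.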
3.2.5 Triple DES
As soon as the DES algorithm was published, it was clear that the proposed cipher was intentionally weakened by the use of a relatively short 56-bit cryptographic key [153]. The exhaustive search of the key space is possible as documented in [529].
To thwart the exhaustive search attack on the key space, the key length must be increased. Consider double DES encryption with two independent keys, or c = E_{k1}(E_{k2}(m)), where k_1, k_2 are 56-bit independent keys. Clearly, the exhaustive search becomes infeasible as the key space now contains 2^112 candidates. However, assume that the attacker knows a valid pair (m, c) obtained under the double DES. The attacker can produce two sets
E = {e = E_{k1}(m) | k_1 ∈ K}
and
D = {d = E_{k2}^{−1}(c) | k_2 ∈ K}
where K is the set of DES keys with 2^56 elements and E_{k2}^{−1} is the DES decryption for the key k_2. Observe that for the correct pair of keys the partial encryption/decryption must be the same, or e = d. This also means that the pair (m, c) allows the attacker to create 2^56 possible pairs of keys among which there must be the correct one. This obviously reduces the exhaustive search to 2^56 candidates, which is far smaller than the expected 2^112. Needless to say, a second (message, cryptogram) pair points out with high probability the correct pair of keys.
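The meet-in-the-middle argument above, as an added Python example that is not from the book, on a toy cipher with 16-bit blocks and 8-bit keys so that |K| = 256 and both tables fit trivially in memory. E and D are a labelled stand-in for DES, and c = E_{k1}(E_{k2}(m)) as in the text, k_2 being the inner key.

```python
MASK16, ODD16 = 0xFFFF, 0x9E37
INV16 = pow(ODD16, -1, 1 << 16)    # inverse of ODD16 mod 2^16 (ODD16 is odd)
KEYS = range(256)                  # the toy key set K, |K| = 2^8

def E(k, m):   # toy stand-in for DES E_k on 16-bit blocks with an 8-bit key; NOT secure
    return ((m ^ (k * 0x0101)) * ODD16) & MASK16

def D(k, c):   # inverse of E
    return ((c * INV16) & MASK16) ^ (k * 0x0101)

def double_encrypt(k1, k2, m):
    return E(k1, E(k2, m))         # c = E_k1(E_k2(m)) as in the text; k2 is the inner key

def meet_in_the_middle(m, c):
    """All (k1, k2) consistent with one known pair (m, c), using about 2|K| block
    operations and a table of |K| entries instead of the |K|^2 pairs of a naive search."""
    inner = {}
    for k2 in KEYS:                # e = E_k2(m) for every inner key, indexed by value
        inner.setdefault(E(k2, m), []).append(k2)
    candidates = []
    for k1 in KEYS:                # d = D_k1(c); every match e == d yields a key pair
        for k2 in inner.get(D(k1, c), []):
            candidates.append((k1, k2))
    return candidates

def confirm_with_second_pair(candidates, m2, c2):
    """A second known pair removes almost every false candidate left by the first."""
    return [(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, m2) == c2]
```

The candidate list is at most |K| long here (each inner value e is distinct), against |K|^2 = 65536 pairs for the naive search; the same ratio, 2^56 against 2^112, is the text's point about double DES.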
This observation leads us to the conclusion that to expand the key space, at least triple encryption (triple DES) must be applied. The following list shows possible implementations of the triple DES:
- E_{k1}(E_{k2}(E_{k3}(m))) – the implementation with three independent keys, i.e. encryption is used three times (EEE triple DES).
- E_{k1}(E_{k2}^{−1}(E_{k3}(m))) – the implementation with three independent keys. The encryption transformation uses the sequence encrypt, decrypt, and encrypt of DES (EDE triple DES).
- E_{k1}(E_{k2}^{−1}(E_{k1}(m))) – the triple encryption-decryption-encryption DES with two independent keys.
The triple DES with two independent keys is recommended in the ANSI X.9.17 and ISO 8732 standards for banking key management. The two-key triple DES is subject to a known-plaintext attack described in [394].
3.3 Modern Private-Key Cryptographic Algorithms
This section presents five cryptographic algorithms that are good examples of different approaches to the design of modern ciphers. The five algorithms are: FEAL, IDEA, RC6, Rijndael, and Serpent. The FEAL algorithm belongs to the DES family of ciphers, with both S-boxes and key scheduling replaced by functions which can be run very fast. The IDEA algorithm uses a modified Feistel structure with cryptographic operations performed by carefully selected algebraic group operations. The RC6 algorithm again uses the Feistel structure, with heavy use of word instructions (rotation, shifting, and bit-by-bit Boolean instructions). The Rijndael algorithm uses an S-P network with operations performed in GF(2^8). The Serpent algorithm is another example of an S-P network, with S-boxes derived from those used in DES and extensive use of word shift and rotation.
3.3.1 Fast Encryption Algorithm (FEAL)
FEAL is a Japanese encryption algorithm designed by researchers from NTT Japan [469]. The main objective was to design an algorithm that would be as secure as DES but much faster. The FEAL algorithm processes 64-bit messages using a 64-bit key (Figure 3.14). It applies four Feistel permutations (rounds) with the function f shown in Figure 3.15. The function f uses two S-functions, S_0 and S_1, of the form
S_0(x, y) = ((x + y) mod 256) ⋘ 2 and S_1(x, y) = ((x + y + 1) mod 256) ⋘ 2,
where (x ⋘ s) stands for rotation of the word x by s positions to the left. The key schedule applies another function f_k which is also based on S_0 and S_1 (Figure 3.16).
In the literature the original FEAL is called FEAL-4 because it uses 4 rounds. There are also other versions with more rounds such as FEAL-8 or FEAL-32. The generic name FEAL-N refers to the FEAL with N rounds.

[Figure: the FEAL data path, a 64-bit plaintext (ciphertext) block split into L_0, R_0 and passed through four rounds of f with the 16-bit keys K_0, K_1, K_2, K_3, the key groups (K_4, K_5, K_6, K_7) at the input and (K_8, K_9, K_A, K_B) at the output (interchanged for deciphering), and the key schedule deriving A_i, B_i from the 64-bit key block via f_k to produce K_0, K_1, ..., K_A, K_B. Legend: { } = deciphering; ⊕ = exclusive OR operation; ( ) = data concatenation; A_i, B_i, L_i, R_i = 32-bit data; K_i = 16-bit intermediate key]
Fig. 3.14. FEAL algorithm
3.3.2 IDEA
IDEA stands for International Data Encryption Algorithm. The algorithm was designed by researchers from the Swiss Federal Institute of Technology in 1990 [295, 296]. The algorithm uses a modified Feistel structure with eight rounds and a message block size of 64 bits. Cryptographic keys are 128 bits long.
All transformations used in the algorithm are based on the following three operations in GF(2^16):
- bit-by-bit XOR operation (denoted by ⊕)
- addition modulo 2^16 (denoted by ⊞)
- multiplication modulo (2^16 + 1) (denoted by ⊙)

[Figure: the round function f(a, b) on 32-bit a = (a_0, a_1, a_2, a_3) and b = (b_0, b_1), built from S_0, S_1, + and ⊕]
Fig. 3.15. Function f
[Figure: the key-schedule function f_k(a, b) on 32-bit a = (a_0, a_1, a_2, a_3) and b = (b_0, b_1, b_2, b_3), built from S_0, S_1, + and ⊕]
Fig. 3.16. Function f_k
The algorithm applies an S-box which accepts two 16-bit input words and generates two 16-bit output words under the control of two 16-bit words of the round key. The S-box is called the multiplication-addition (MA) structure and is a permutation for a fixed key. The data flow during encryption is presented in Figure 3.17. Encryption applies eight rounds followed by the final transformation. Each round takes a 64-bit input block (divided into four 16-bit words) and translates it into four output words using a 6-word round key. The first four words of the round key are mixed with the input words (using the ⊙ and ⊞ operations) while the last two words control the MA structure that produces the output words (note the swap of the internal words of the output).

[Figure: inputs X_1, X_2, X_3, X_4; Round 1 with round key k_1^(1), ..., k_4^(1) mixed into the words and the MA structure controlled by k_5^(1), k_6^(1); Rounds 2-8; Final Transformation with k_1^(9), ..., k_4^(9); outputs Y_1, Y_2, Y_3, Y_4]
Fig. 3.17. IDEA general structure
The key schedule takes the 128-bit primary key K and generates 6-word round keys for eight rounds plus 4 words for the output transformation (all together 52 16-bit words). The key generation runs according to the following steps:
- The primary key is divided into eight 16-bit words, so
K = (k_1^(1), ..., k_6^(1), k_1^(2), k_2^(2)).
- The primary key is rotated 25 bits left and the result is divided into the next 8 words. This step is repeated until all 52 key words have been generated.
The decryption process uses the same algorithm with rounds performed in reverse order. Note that the S-box is invertible if the same keys are applied (for encryption and decryption). Wherever mixing operations ⊙ are applied (keys k_1^(i), k_4^(i)), the decryption uses their multiplicative inverses. On the other hand,

if the addition ⊞ is used, the additive inverse has to be used (keys k_2^(i), k_3^(i)). Also observe that the multiplication ⊙ is modified in such a way that the key k_i^(j) = 0 has its inverse. This is done by assigning k_i^(j) = 2^16, whose inverse is 2^16 modulo 2^16 + 1.
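The IDEA arithmetic and key schedule described above, as an added Python example that is not from the book: ⊙ modulo 2^16 + 1 with the 0 ↔ 2^16 convention, the multiplicative and additive inverses the decryption needs, and the 25-bit-rotation key schedule. The names mix and unmix are hypothetical labels for the key-mixing step of one round (the first four round-key words); the MA structure itself is not implemented here.

```python
MOD = (1 << 16) + 1                # 65537, a prime, so every nonzero residue has an inverse

def idea_mul(a, b):
    """IDEA multiplication of 16-bit words modulo 2^16 + 1; the word 0 stands for 2^16."""
    a, b = a or 0x10000, b or 0x10000
    return (a * b % MOD) & 0xFFFF  # a result of 2^16 maps back to the word 0

def idea_mul_inv(k):
    """Multiplicative inverse of a round-key word under idea_mul (Fermat: k^(p-2) mod p)."""
    return pow(k or 0x10000, MOD - 2, MOD) & 0xFFFF

def idea_add_inv(k):
    """Additive inverse of a round-key word modulo 2^16."""
    return (-k) & 0xFFFF

def idea_round_keys(key):
    """52 16-bit round-key words from a 16-byte key: take 8 words, rotate the key 25 bits
    left, repeat. Returned flat: words[0:6] are k_1^(1)..k_6^(1), words[6:8] are k_1^(2), k_2^(2)."""
    k, words = int.from_bytes(key, "big"), []
    while len(words) < 52:
        words.extend((k >> (112 - 16 * i)) & 0xFFFF for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return words[:52]

def mix(x, keys):
    """Key-mixing step of a round: (x1 mul k1, x2 + k2, x3 + k3, x4 mul k4)."""
    x1, x2, x3, x4 = x
    k1, k2, k3, k4 = keys
    return (idea_mul(x1, k1), (x2 + k2) & 0xFFFF, (x3 + k3) & 0xFFFF, idea_mul(x4, k4))

def unmix(y, keys):
    """Undo mix with the decryption keys the text describes: multiplicative inverses
    for k1, k4 and additive inverses for k2, k3."""
    k1, k2, k3, k4 = keys
    return mix(y, (idea_mul_inv(k1), idea_add_inv(k2), idea_add_inv(k3), idea_mul_inv(k4)))
```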
IDEA is a strong encryption algorithm. The only weakness reported so far is related to the existence of weak keys, i.e. a key is weak if it belongs to a set of keys in which membership can be efficiently tested [118, 236].
3.3.3 RC6
RC6 was designed by researchers from MIT and RSA Laboratories and submitted as a candidate for the AES call. The description of the algorithm can be found at http://www.nist.gov/aes. RC6 is a strengthened version of the RC5 algorithm that maintains the efficiency of RC5. RC6 is in fact a family of encryption algorithms indexed by three parameters (w, r, b), where w is the size of the word (typically forced by the underlying hardware architecture), r is the number of rounds used (which specifies the tradeoff between efficiency and security), and b is the length of the primary cryptographic key K (in bytes).
The collection of operations used in RC6 includes
- Integer addition modulo 2^w, denoted as +.
- Bit-by-bit XOR, denoted by ⊕.
- Integer multiplication modulo 2^w, denoted by ×. The function f(a) = a × (2a + 1).
- Rotation, denoted by a <<< b. It rotates the word a to the left by the least significant log_2 w bits of b. Similarly, a >>> b denotes rotation of the word a to the right by the least significant log_2 w bits of b.
RC6 consists of r rounds, and all operations are performed on four words (A, B, C, D), each of w bits (Figure 3.18). Encryption starts by adding keys K[0] and K[1] to words B and D, respectively. For each round i the following operations are performed:
t = f(B) <<< log_2 w, u = f(D) <<< log_2 w,
A = ((A ⊕ t) <<< u) + K[2i],
C = ((C ⊕ u) <<< t) + K[2i + 1].

[Figure: words A, B, C, D; K[0] and K[1] are added to B and D; each round derives t and u from B and D via f and <<<, applies <<< and adds K[2i], K[2i+1], and this is repeated for r rounds; finally K[2r+2] and K[2r+3] are added]
Fig. 3.18. Encryption in RC6
The vector (A, B, C, D) is then rotated, so (A, B, C, D) = (B, C, D, A). After r rounds, the cryptogram is (A + K[2r + 2], B, C + K[2r + 3], D).
The RC6 key schedule generates 2r + 4 words (keys K[0], ..., K[2r + 3]) from the primary key K of b bytes. First, a sufficiently large array L of c words is allocated so it can hold the key K. Next, the key K is stored into L and the unused bits of the last word are filled with zeroes. So the first word L[0] contains the first bytes of the key, and the last word L[c − 1] contains the tail of the key padded with zeroes to the full size of the word. The key schedule uses two magic constants P_w and Q_w. P_w is a word derived from the constant e, the base of the natural logarithm, while the word Q_w is obtained from the binary expansion of the Golden Ratio constant. For instance, for w = 32, the words are P_32 = 0xB7E15163 and Q_32 = 0x9E3779B9. Keys K[i] are first initialized as
K[0] = P_w and K[i] = K[i − 1] + Q_w
for i = 1, ..., 2r + 3. Next the four variables A, B, i, j are set to zero and the constant v = 3 max(c, 2r + 4) is computed. Round keys are calculated by repeating the following sequence of operations v times:

A = K[i] = (K[i] + A + B) <<< 3,
B = L[j] = (L[j] + A + B) <<< (A + B),
i = (i + 1) mod (2r + 4),
j = (j + 1) mod c.
Decryption follows the footsteps of encryption in reverse and applies the additive inverses of the keys. Each round starts with the rotation (A, B, C, D) = (D, A, B, C) and
t = f(B) <<< log_2 w, u = f(D) <<< log_2 w,
A = ((A + (−K[2i])) >>> u) ⊕ t,
C = ((C + (−K[2i + 1])) >>> t) ⊕ u.
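RC6-32/20/b encryption, decryption and key schedule following the equations of this section, as an added Python example that is not from the book or from the RC6 authors. Key bytes and block words are loaded little-endian, an assumption taken from the RC6 specification rather than from this page.

```python
import struct

W, R, LGW = 32, 20, 5              # RC6-32/20/b: 32-bit words, 20 rounds, log2(w) = 5
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9  # magic constants from e and the Golden Ratio

def rotl(x, s):                    # a <<< b: rotate left by the low log2(w) bits of b
    s &= W - 1
    return ((x << s) | (x >> (W - s))) & MASK

def rotr(x, s):                    # a >>> b
    s &= W - 1
    return ((x >> s) | (x << (W - s))) & MASK

def f(a):                          # f(a) = a * (2a + 1) mod 2^w
    return (a * (2 * a + 1)) & MASK

def key_schedule(key, r=R):
    """Expand a b-byte key into the 2r + 4 round-key words K[0..2r+3]."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))  # little-endian, zero padded
    K = [P32]
    for i in range(1, 2 * r + 4):
        K.append((K[i - 1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, 2 * r + 4)):                       # v = 3 max(c, 2r + 4)
        A = K[i] = rotl((K[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % (2 * r + 4), (j + 1) % c
    return K

def encrypt(block, K, r=R):
    A, B, C, D = struct.unpack("<4I", block)
    B, D = (B + K[0]) & MASK, (D + K[1]) & MASK
    for i in range(1, r + 1):
        t, u = rotl(f(B), LGW), rotl(f(D), LGW)
        A = (rotl(A ^ t, u) + K[2 * i]) & MASK
        C = (rotl(C ^ u, t) + K[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A                                  # (A,B,C,D) = (B,C,D,A)
    return struct.pack("<4I", (A + K[2 * r + 2]) & MASK, B, (C + K[2 * r + 3]) & MASK, D)

def decrypt(block, K, r=R):
    A, B, C, D = struct.unpack("<4I", block)
    A, C = (A - K[2 * r + 2]) & MASK, (C - K[2 * r + 3]) & MASK
    for i in range(r, 0, -1):
        A, B, C, D = D, A, B, C                                  # (A,B,C,D) = (D,A,B,C)
        t, u = rotl(f(B), LGW), rotl(f(D), LGW)
        A = rotr((A - K[2 * i]) & MASK, u) ^ t
        C = rotr((C - K[2 * i + 1]) & MASK, t) ^ u
    return struct.pack("<4I", A, (B - K[0]) & MASK, C, (D - K[1]) & MASK)
```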
There is little work on the cryptographic strength of RC6, but the fact that it went through to the second round of the AES call indicates its quality (for more details go to http://www.nist.gov/aes). Some conclusions about its security can be derived from the analysis done for RC5. For instance, Knudsen and Meier [282] demonstrated the existence of weak keys with respect to differential cryptanalysis and showed some weaknesses in the structure of the cipher.
3.3.4 Rijndael
The Rijndael cipher is the winner of the AES race and was designed by researchers from Belgium [119]. Its description is taken from the NIST Web site http://www.nist.gov/aes. The cipher works for three block sizes: 128, 192, and 256 bits. Rijndael applies the Shannon product cipher concept and is not based on the Feistel structure. Cryptographic operations are based on arithmetic in GF(2^8).
Denote N_b and N_k as the number of 32-bit words in the message (cryptogram) and the key, respectively. The cipher uses a sequence of rounds, the number of which varies depending on the length of message and key:
- If N_b = N_k = 4, the number of rounds is N_r = 10.
- If both N_b ≤ 6 and N_k ≤ 6 but not simultaneously equal to 4, N_r = 12.
- Otherwise, N_r = 14.
The cipher applies the following transformations:
- ByteSub – an input block with 4N_b bytes is subject to a byte-by-byte transformation using the S-box.