
Symmetric Key Cryptography

Jooyoung Lee

School of Computing (GSIS), KAIST

Outline

1. Introduction to Symmetric Key Crypto
2. Stream Ciphers
3. Block Ciphers
   3.1 DES
   3.2 AES
   3.3 Modes of Operation
   3.4 Key Exhaustive Search and Meet-in-the-Middle Attack

(Symmetric Key) Cryptography

• Message Privacy: concealing the content of messages via encryption schemes, modes of operation, etc.

• Message Integrity: preventing an adversary from making unnoticed changes to the message via message authentication codes, authenticated modes of operation, etc.

Communication Over an Insecure Channel

[Figure: Alice (good) sends a message x to Bob (good) over an insecure channel; Oscar (bad) can read x on the channel.]

Symmetric Key Cryptography

[Figure: Alice (good) computes y = e(x) under key k and sends y over the insecure channel; Bob (good) recovers x = d(y) with the same key k. The key k itself is exchanged over a secure channel. Oscar (bad) only sees y.]

• x, y, k are called plaintext, ciphertext and key, respectively
• The set of all possible keys is called the key space
• We write y = e_k(x) and x = d_k(y)
• d_k(e_k(x)) = x for every key k

The problem of transmitting a message securely is reduced to the problems of transmitting a key secretly and of storing the key in a secure fashion.

A Message is a Binary String: ASCII Code

ASCII Code

Row       Column Number
Number    000   001   010   011   100   101   110   111
0000      NUL   DLE   ◊     0     @     P     `     p
0001      SOH   DC1   !     1     A     Q     a     q
0010      STX   DC2   "     2     B     R     b     r
0011      ETX   DC3   #     3     C     S     c     s
0100      EOT   DC4   $     4     D     T     d     t
0101      ENQ   NAK   %     5     E     U     e     u
0110      ACK   SYN   &     6     F     V     f     v
0111      BELL  ETB   '     7     G     W     g     w
1000      BS    CAN   (     8     H     X     h     x
1001      HT    EM    )     9     I     Y     i     y
1010      LF    SUB   *     :     J     Z     j     z
1011      VT    ESC   +     ;     K     [     k     {
1100      FF    FS    ,     <     L     \     l     |
1101      CR    GS    -     =     M     ]     m     }
1110      SO    RS    .     >     N     ^     n     ~
1111      SI    US    /     ?     O     _     o     DEL

The ASCII code of a character is found by combining its Column Number (given in 3-bit binary) with its Row Number (given in 4-bit binary). The Column Number forms bits 6, 5 and 4 of the ASCII code, and the Row Number forms bits 3, 2, 1 and 0.

Example of use: to get the ASCII code for the letter "n", locate it in Column 110, Row 1110. Hence its ASCII code is 1101110.

The control code mnemonics are, e.g., CR for Carriage Return, LF for Line Feed, BELL for the Bell, DEL for Delete.

The Space is ASCII 0100000, and is shown as ◊ here.

Source: Microprocessor Systems 1 (3D1) CS3D11, ASCII Code Table

Ex) "A" is represented by "1000001".

Key Length

Should be Secure against Exhaustive Key Search

Definition (Basic Exhaustive Key Search)
Let (x, y) denote the pair of plaintext and ciphertext, and let K = {k_1, ..., k_N} be the key space of all possible keys k_i. Exhaustive key search checks for every k_i ∈ K whether or not

d_{k_i}(y) = x.

If the equality holds, a possible correct key is found; if not, proceed with the next key.

• If an encryption algorithm uses n-bit keys, then exhaustive key search requires O(2^n) computational steps

• If there is a smarter attack whose complexity is less than O(2^n), then the encryption algorithm is said to be "broken"

Key Length

How many key bits are enough?

• Only relevant if exhaustive key search is the best known attack

• The key lengths for symmetric and asymmetric algorithms are dramatically different

Time for exhaustive key search on symmetric algorithms

Key length      Security estimation
56-64 bits      short term: a few hours or days
112-128 bits    long term: several decades without quantum computers
256 bits        long term: several decades with quantum computing algorithms

Stream Ciphers vs. Block Ciphers

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

• Stream ciphers encrypt bits individually
• Block ciphers encrypt an entire block of plaintext bits at a time with the same key
• Each key defines a permutation on {0,1}^b
• Most block ciphers have a block length of 128 bits (AES) or 64 bits (DES, 3DES)

Design Principles for Block Ciphers

• Confusion: the influence of one key bit is spread over many ciphertext bits.
• Diffusion: the influence of one plaintext bit is spread over many ciphertext bits.
  • The goal of diffusion is to hide statistical properties of the plaintext.
  • Achieved by substitution boxes (S-boxes) and permutation boxes (P-boxes).
• Iteration: substitution and permutation boxes are iterated, producing a product cipher.

Confusion

[Figure: the same plaintext x is encrypted with DES under two keys that differ in a single bit, k1 = 0010 1011 and k2 = 0000 1011, giving ciphertexts y1 = 1011 1001 and y2 = 0110 1100: one key-bit flip changes many ciphertext bits.]

Diffusion

[Figure: two plaintexts that differ in a single bit, x1 = 0010 1011 and x2 = 0000 1011, are encrypted with DES under the same key k, giving ciphertexts y1 = 1011 1001 and y2 = 0110 1100: one plaintext-bit flip changes many ciphertext bits.]

SP Network vs. Feistel Network

SP Network

[Figure: substitution-permutation network, http://en.wikipedia.org/wiki/File:SubstitutionPermutationNetwork2.png]

Feistel Network

[Figure: Feistel network on halves L and R with round keys K0, K1, K2, K3; each round XORs f(R, K_i) into the other half and the halves are swapped.]

• The round function f also uses an SPN. It should behave like a random function.

Confusion and Diffusion

• Failure to achieve the confusion property might allow for an attack that is faster than exhaustive key search

• What if a 2n-bit key, n-bit block cipher is represented by

  E_{k1||k2}(x) = F_{k1}(x) || F_{k2}(x),

  for some keyed function F?

• Failure to achieve the diffusion property might allow for a statistical attack (letter frequency analysis)
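The design principles above (S-boxes for confusion, a bit permutation for diffusion, iteration into a product cipher) can be measured directly. The following is an added example, not code from the lecture notes: a toy 16-bit SPN whose 4-bit S-box and bit permutation are taken from Heys' SPN tutorial (an assumption of this example; the notes do not specify a cipher) and whose round-key schedule is an arbitrary rotation chosen here. It counts how many ciphertext bits change when one plaintext bit (diffusion) or one key bit (confusion) is flipped, for one round versus four rounds, and checks that the cipher is a permutation by decrypting.

```python
# Added example (not from the lecture notes): a toy 16-bit substitution-permutation
# network used to measure diffusion (plaintext-bit avalanche) and confusion
# (key-bit avalanche). S-box and bit permutation follow Heys' SPN tutorial;
# the round-key derivation is an arbitrary choice made for this example.
import random

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
BLOCK_BITS = 16
ROUNDS = 4


def substitute(state, box):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit state."""
    out = 0
    for i in range(4):
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out


def permute(state):
    """Bit permutation: the bit at position 4*i + j moves to position 4*j + i.
    This is a transpose, so it is its own inverse."""
    out = 0
    for pos in range(BLOCK_BITS):
        if (state >> pos) & 1:
            i, j = divmod(pos, 4)
            out |= 1 << (4 * j + i)
    return out


def round_keys(key, rounds=ROUNDS):
    """rounds+1 subkeys from a 16-bit master key (toy schedule: rotate left by 3)."""
    keys = []
    for _ in range(rounds + 1):
        keys.append(key)
        key = ((key << 3) | (key >> 13)) & 0xFFFF
    return keys


def encrypt(x, key, rounds=ROUNDS):
    rk = round_keys(key, rounds)
    state = x
    for r in range(rounds):
        state ^= rk[r]                      # key mixing
        state = substitute(state, SBOX)     # confusion (S-boxes)
        if r < rounds - 1:                  # no permutation in the last round
            state = permute(state)          # diffusion (P-box)
    return state ^ rk[rounds]               # final key whitening


def decrypt(y, key, rounds=ROUNDS):
    rk = round_keys(key, rounds)
    state = y ^ rk[rounds]
    for r in reversed(range(rounds)):
        if r < rounds - 1:
            state = permute(state)
        state = substitute(state, INV_SBOX)
        state ^= rk[r]
    return state


def hamming(a, b):
    return bin(a ^ b).count("1")


def avalanche(rounds, flip_key, trials=200, seed=1):
    """Average number of ciphertext bits that change when one plaintext bit
    (flip_key=False) or one key bit (flip_key=True) is flipped, over random
    (seeded, hence reproducible) plaintexts, keys and bit positions."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        x, k = rng.getrandbits(16), rng.getrandbits(16)
        bit = 1 << rng.randrange(16)
        y0 = encrypt(x, k, rounds)
        y1 = encrypt(x, k ^ bit, rounds) if flip_key else encrypt(x ^ bit, k, rounds)
        total += hamming(y0, y1)
    return total / trials


if __name__ == "__main__":
    for r in (1, 2, 4):
        print(f"{r} round(s): plaintext avalanche {avalanche(r, False):.2f} bits,"
              f" key avalanche {avalanche(r, True):.2f} bits")
```

With a single round a one-bit plaintext difference can reach at most the four output bits of one S-box, so the measured diffusion is bounded by 4; with four iterated rounds the difference spreads over the whole block, which is what the product-cipher principle buys.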

A Substitution Cipher Using an Arbitrary Table

Idea: Substitute each letter of the alphabet with another one by an arbitrary table

Example
A B C D E F G H I J K L M
k d w g u z b y s m t f e
N O P Q R S T U V W X Y Z
x v r a i h j c n o l q p

• What is the encryption of "SEVEN YEARS AGO"?
• What is the key of this cipher?
• How many keys can be used?
• How can this cipher be attacked?

Cryptanalysis of a Substitution Cipher

Observation: Each plaintext symbol always maps to the same ciphertext symbol

1. Frequency of letters in English text (%)

E      T      A      O      N      R      I      S      H      D      L      F      C
13.11  10.47  8.15   8.00   7.10   6.83   6.35   6.10   5.26   3.79   3.39   2.92   2.76

M      U      G      Y      P      W      B      V      K      X      J      Q      Z
2.54   2.46   1.99   1.98   1.98   1.54   1.44   0.92   0.42   0.17   0.13   0.12   0.08

2. Most common English bigrams (frequency per 1000 words)

th   he   an   re   er   in   on   at   nd   st   es   en   of   te   ed
168  132  92   91   88   86   71   68   61   53   52   51   49   46   46
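The substitution-table example and the frequency-analysis observation above fit in one worked example. This is an added example, not code from the lecture notes: it encrypts with the exact table from the slide, counts the key space (every permutation of the 26 letters is a key), and computes letter and bigram frequencies of a constructed sample text and of its ciphertext, which is the statistic that exposes a monoalphabetic substitution regardless of how large the key space is.

```python
# Added example (not from the lecture notes): monoalphabetic substitution with the
# table from the slide, the size of its key space, and letter/bigram frequency
# counting, the statistic that breaks this cipher family.
from collections import Counter
from math import factorial
import string

# Substitution table from the slide: plaintext A..Z -> ciphertext letter
TABLE = "kdwguzbysmtfexvraihjcnolqp"
ENC = {p: c for p, c in zip(string.ascii_uppercase, TABLE)}
DEC = {c: p for p, c in ENC.items()}


def encrypt(plaintext):
    """Substitute each letter; other characters (spaces etc.) pass through."""
    return "".join(ENC.get(ch, ch) for ch in plaintext.upper())


def decrypt(ciphertext):
    return "".join(DEC.get(ch, ch) for ch in ciphertext.lower())


def key_space_size():
    """Every permutation of 26 letters is a key: 26! ~ 4.0e26, more than 2^56,
    yet the cipher is trivially breakable because key size is not the issue."""
    return factorial(26)


def letter_frequencies(text):
    """Relative frequency (%) of each letter, most common first."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    return sorted(((c, 100.0 * k / n) for c, k in counts.items()), key=lambda t: -t[1])


def bigram_frequencies(text):
    """Counts of adjacent letter pairs (spaces removed), most common first."""
    letters = "".join(ch for ch in text.lower() if ch.isalpha())
    counts = Counter(letters[i:i + 2] for i in range(len(letters) - 1))
    return counts.most_common()


# Constructed sample text for the frequency analysis (not from the notes).
SAMPLE = ("the quick brown fox jumps over the lazy dog while the other dogs watch "
          "and then the fox rests in the shade of the old tree near the river")

if __name__ == "__main__":
    ct = encrypt("SEVEN YEARS AGO")
    print(ct, "->", decrypt(ct))
    print("key space size:", key_space_size())
    # The most frequent ciphertext letter is the image of E, since each plaintext
    # symbol always maps to the same ciphertext symbol.
    print("top plaintext letters :", letter_frequencies(SAMPLE)[:3])
    print("top ciphertext letters:", letter_frequencies(encrypt(SAMPLE))[:3])
    print("top bigrams           :", bigram_frequencies(SAMPLE)[:3])
```

Because the mapping is fixed, the frequency ranking of the ciphertext letters is the frequency ranking of the plaintext letters under a relabelling; matching it against the English table above recovers most of the key without touching the 26! candidate keys.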

Stream Ciphers

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

1. Synchronous stream ciphers use a key stream that depends only on the key (most stream ciphers)

2. Asynchronous stream ciphers use a key stream that depends on the key and the ciphertext

Remark

1. Block ciphers are used more often than stream ciphers
2. Stream ciphers tend to be more efficient than block ciphers: suitable for highly constrained environments

Stream Ciphers

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Definition (Stream cipher encryption and decryption)
The plaintext, the ciphertext and the key stream consist of individual bits, i.e., x_i, y_i, s_i ∈ {0,1}.

• Encryption: y_i = e_{s_i}(x_i) = (x_i + s_i) mod 2 (= x_i ⊕ s_i)

• Decryption: x_i = d_{s_i}(y_i) = (y_i + s_i) mod 2 (= y_i ⊕ s_i)

Remark

1. Encryption and decryption are the same function
2. The generation of the key stream is the central issue for the security of stream ciphers (randomness)

Generating “Random" Key Streams

1. True Random Number Generators (TRNG)
   • Based on physical random processes: coin flipping, semiconductor noise, thermal noise, etc.
   • Generate 0 and 1 with probability 1/2
   • Typically used to generate session keys and nonces

2. Pseudorandom Number Generators (PRNG)
   • Computed from an initial seed value
   • Have good statistical properties

3. Cryptographically Secure PRNG (CSPRNG)
   • PRNG with unpredictability: given N output bits s_i, s_{i+1}, ..., s_{N−1}, it should be hard to predict the next bit s_N

An Unbreakable Stream Cipher

As a stream cipher

• TRNG: a key stream should be shared between Alice and Bob ⇒ used in the OTP

• CSPRNG: a key should be shared between Alice and Bob

One-Time Pad (OTP)
A stream cipher for which

1. the key stream s_0, s_1, s_2, ... is generated by a TRNG, and
2. the key stream is only known to the legitimate communicating parties, and
3. every key stream bit s_i is only used once

is called a one-time pad. The one-time pad is unconditionally secure (i.e., cannot be broken even with infinite computational resources). Then what is the main drawback of the OTP?

PRNG: Linear Feedback Shift Registers (LFSR)

• Feedback coefficients: p_0, ..., p_{m−1} ∈ {0,1} (degree = m)
• Initial values: s_0, ..., s_{m−1} ∈ {0,1}
• Recursive relation: s_{i+m} = ( Σ_{j=0}^{m−1} p_j · s_{i+j} ) mod 2, for i ≥ 0
• Characteristic polynomial: P(x) = x^m + p_{m−1} x^{m−1} + · · · + p_1 x + p_0

Linear Feedback Shift Registers (LFSRs)

• Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
• Feedback computes fresh input by XOR of certain state bits
• Degree m given by the number of storage elements
• If p_i = 1, the feedback connection is present ("closed switch"), otherwise there is no feedback from this flip-flop ("open switch")
• Output sequence repeats periodically
• Maximum output length: 2^m − 1

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

• Very efficient, easy to implement!

PRNG: Linear Feedback Shift Registers (LFSR)

Linear Feedback Shift Registers (LFSRs): Example with m = 3

• LFSR output described by the recursive equation s_{i+3} = (s_{i+1} + s_i) mod 2
• Maximum output length (of 2^3 − 1 = 7) achieved only for certain feedback configurations, e.g., the one shown here.

clk   FF2   FF1   FF0 = s_i
 0     1     0     0
 1     0     1     0
 2     1     0     1
 3     1     1     0
 4     1     1     1
 5     0     1     1
 6     0     0     1
 7     1     0     0
 8     0     1     0

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Example

1. With an initial state of (s_2, s_1, s_0) = (1,0,0), compute s_i for i = 0, ..., 14.
2. What is the period of this LFSR sequence?
3. Can we construct an LFSR with period > 7?
4. As a stream cipher, what is the weakness of this LFSR?

PRNG: Linear Feedback Shift Registers (LFSR)

Theorem
The maximum sequence length generated by an LFSR of degree m is 2^m − 1.

Proof.
The m internal register bits of an LFSR determine the next bit. Therefore, as soon as an LFSR returns to a previous state, it starts to repeat. The m internal register bits can take only 2^m − 1 non-zero states (the all-zero state reproduces itself forever and is never left), so the maximum sequence length before repetition is 2^m − 1.

Remark
For any m > 0, there is a polynomial of degree m over GF(2) called "primitive". Each primitive polynomial generates a sequence of the maximum length 2^m − 1.

Security of LFSR as CSPRNG

• In a known-plaintext attack, an attacker is assumed to know some plaintext and the corresponding ciphertext.

• This means the attacker knows a certain number of key stream bits.

• When the initial values are used as a key: vulnerable to a known-plaintext attack (with m key stream bits).

• When the feedback coefficients are used as a key: vulnerable to a known-plaintext attack (solving a system of linear equations defined by 2m key stream bits).
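The LFSR recurrence, the m = 3 example, the stream-cipher XOR definition and the known-plaintext observation above can all be exercised with one piece of code. The following is an added example, not code from the lecture notes: it generates the sequence with the slide's conventions (coefficients p_0..p_{m−1}, s_{i+m} = Σ p_j s_{i+j} mod 2), computes the period, encrypts constructed plaintext bits by XOR, and then shows why the linearity is fatal: 2m known key stream bits (x_i ⊕ y_i from a known plaintext) give m linear equations over GF(2) whose solution is the feedback coefficients.

```python
# Added example (not from the lecture notes): an LFSR keystream generator with the
# slide's conventions (coefficients p_0..p_{m-1}, s_{i+m} = sum p_j s_{i+j} mod 2),
# its period, XOR stream encryption, and the recovery of the feedback coefficients
# from 2m known keystream bits by solving a GF(2) linear system.

def lfsr(p, init, n):
    """First n output bits s_0, s_1, ... for coefficients p and initial state init
    (both lists of 0/1 values, init = [s_0, ..., s_{m-1}])."""
    m = len(p)
    s = list(init)
    while len(s) < n:
        s.append(sum(p[j] * s[-m + j] for j in range(m)) % 2)   # s[-m+j] is s_{i+j}
    return s[:n]


def period(p, init):
    """Length of the state cycle entered from init (at most 2^m - 1)."""
    m = len(p)
    seen = {}
    s = list(init)
    step = 0
    while True:
        state = tuple(s[-m:])
        if state in seen:
            return step - seen[state]
        seen[state] = step
        s.append(sum(p[j] * s[-m + j] for j in range(m)) % 2)
        step += 1


def xor_stream(bits, keystream):
    """Stream-cipher encryption and decryption: y_i = x_i xor s_i (same function)."""
    return [b ^ k for b, k in zip(bits, keystream)]


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2) for a square system. Returns the unique
    solution or None if the system is singular."""
    m = len(rows)
    a = [rows[i][:] + [rhs[i]] for i in range(m)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if a[r][col]), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(m):
            if r != col and a[r][col]:
                a[r] = [x ^ y for x, y in zip(a[r], a[col])]
    return [a[i][m] for i in range(m)]


def recover_coefficients(keystream):
    """Known-plaintext attack on the coefficients: the first 2m keystream bits give
    m equations s_{i+m} = sum_j p_j s_{i+j}, i = 0..m-1, in the m unknowns p_j."""
    m = len(keystream) // 2
    rows = [keystream[i:i + m] for i in range(m)]
    rhs = [keystream[i + m] for i in range(m)]
    return solve_gf2(rows, rhs)


# Slide example: s_{i+3} = s_{i+1} + s_i, i.e. (p0, p1, p2) = (1, 1, 0), with initial
# state (s2, s1, s0) = (1, 0, 0), i.e. init = [s0, s1, s2] = [0, 0, 1].
P_EXAMPLE = [1, 1, 0]
INIT_EXAMPLE = [0, 0, 1]

if __name__ == "__main__":
    ks = lfsr(P_EXAMPLE, INIT_EXAMPLE, 15)
    print("s_0..s_14:", "".join(map(str, ks)))
    print("period   :", period(P_EXAMPLE, INIT_EXAMPLE))
    x = [1, 0, 1, 1, 0, 0]                 # constructed plaintext bits (2m = 6 of them)
    y = xor_stream(x, ks)
    # Known plaintext x and observed ciphertext y reveal s_0..s_5 = x xor y,
    # which is enough to solve for the secret feedback coefficients.
    print("recovered p:", recover_coefficients(xor_stream(x, y)))
```

The recovery needs only 2m bits and a linear solve, so an LFSR whose coefficients are the secret is no better than one whose initial state is the secret: in both cases the attacker with a short known plaintext reproduces the entire key stream. This is the reason the notes move on to nonlinear constructions.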

Problems

1. (a) Find every irreducible polynomial of degree 3 over GF(2). (b) Describe the LFSR defined by each irreducible polynomial. (c) With IV = (1,1,1), compute the first 10 output bits.

2. With the recurrence s_{i+3} = s_{i+1} + s_i and a secret IV, it produces 110.... (The first bit is the last produced one.) What are the next three output bits?

3. An LFSR of degree 4 with the maximum sequence length produces 01101011.... What are the next four output bits?

An Example of CSPRNG: Trivium

Trivium uses LFSRs as its building blocks.

A Modern Stream Cipher - Trivium

• Three nonlinear LFSRs (NLFSR) of length 93, 84, 111
• XOR-sum of all three NLFSR outputs generates the key stream s_i
• Small in hardware:
  • Total register count: 288
  • Non-linearity: 3 AND gates
  • 7 XOR gates (4 with three inputs)

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Initialization:
1. Load 80-bit IV into A
2. Load 80-bit key into B
3. c109 = c110 = c111 = 1 and all other bits are set to 0
4. Clock the cipher 4 x 288 = 1152 times
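The register sizes, the three AND gates and the 1152 warm-up clocks listed above are all visible in a direct bit-level implementation. The following is an added example written from the eSTREAM Trivium specification, not code from the lecture notes or from Paar and Pelzl. Two assumptions are stated here: the slide (following Paar and Pelzl) names the registers A, B, C and loads the IV into A and the key into B, whereas the specification loads the key into the first (93-bit) register and the IV into the second, which is what this code does; and the order in which bits are taken from the key and IV bytes (least significant bit of each byte first) is this example's own convention.

```python
# Added example (not from the lecture notes): Trivium keystream generation written
# from the eSTREAM specification (register lengths 93/84/111, 4*288 setup clocks,
# three AND gates). Register naming/loading follows the specification, not the
# slide's A/B labels; the bit order inside key/IV bytes is this example's choice.

def _bits(data, n):
    """First n bits of a byte string, least significant bit of each byte first."""
    return [(data[i // 8] >> (i % 8)) & 1 for i in range(n)]


def _clock(s):
    """One Trivium step: returns the output bit z and updates the 288-bit state s
    in place (index 0 corresponds to s1 in the specification)."""
    t1 = s[65] ^ s[92]
    t2 = s[161] ^ s[176]
    t3 = s[242] ^ s[287]
    z = t1 ^ t2 ^ t3                      # XOR-sum of the three register outputs
    t1 ^= (s[90] & s[91]) ^ s[170]        # AND gate 1
    t2 ^= (s[174] & s[175]) ^ s[263]      # AND gate 2
    t3 ^= (s[285] & s[286]) ^ s[68]       # AND gate 3
    # shift each register by one, feeding t3 -> register 1, t1 -> 2, t2 -> 3
    s[:] = [t3] + s[0:92] + [t1] + s[93:176] + [t2] + s[177:287]
    return z


def trivium_init(key, iv):
    """288-bit state after loading an 80-bit key and 80-bit IV and clocking
    4 x 288 = 1152 times without producing output."""
    assert len(key) == 10 and len(iv) == 10
    s = _bits(key, 80) + [0] * 13          # register 1: 93 bits
    s += _bits(iv, 80) + [0] * 4           # register 2: 84 bits
    s += [0] * 108 + [1, 1, 1]             # register 3: 111 bits, last three set to 1
    assert len(s) == 288
    for _ in range(4 * 288):
        _clock(s)
    return s


def keystream(key, iv, nbytes):
    """nbytes of key stream, eight output bits packed per byte (LSB first)."""
    s = trivium_init(key, iv)
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for bit in range(8):
            byte |= _clock(s) << bit
        out.append(byte)
    return bytes(out)


def crypt(key, iv, data):
    """Encryption and decryption are the same XOR with the key stream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))


# Constructed key and IVs for the demonstration (not test vectors from the spec).
KEY = bytes(range(10))
IV = bytes(10)
IV2 = bytes([1] + [0] * 9)

if __name__ == "__main__":
    print("keystream(KEY, IV) :", keystream(KEY, IV, 16).hex())
    print("keystream(KEY, IV2):", keystream(KEY, IV2, 16).hex())
    ct = crypt(KEY, IV, b"constructed plaintext")
    print("ciphertext:", ct.hex(), "->", crypt(KEY, IV, ct))
```

Compare this with the LFSR: the three AND gates are the only source of nonlinearity, and without them the whole 288-bit state would again be recoverable from a short known key stream by linear algebra. The code also makes the synchronous-cipher requirement concrete: reusing the same (key, IV) pair reproduces the same key stream, so the IV must change for every message.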

History of DES

• The National Bureau of Standards (NBS) initiates a request for proposals for a standardized cipher in the US (1972)

• IBM submits a block cipher based on Lucifer that encrypts 64-bit blocks using 128-bit keys (1974)

• Lucifer is a family of ciphers developed by Horst Feistel in the late 1960s

• The NBS requests the help of the National Security Agency (NSA)

• Key length reduced from 128 bits to 56 bits
• The NBS releases all specs of the modified IBM cipher as the Data Encryption Standard (DES) (1977)
• Due to its short key length, it is used until 1999, and replaced by the Advanced Encryption Standard (AES)

Security of DES

Exhaustive Key Search

• Feasible due to short key length (56-bit keys)
• Can break DES in 6.4 days at a cost of $10,000 (2008)

Analytical Attack

• Differential cryptanalysis (DC) and linear cryptanalysis (LC)
• We say a block cipher is "broken" when an analytical attack is faster than exhaustive key search
• DES is secure against DC, but if the number of rounds is small...
• DES is broken by LC, but it is not practical
  • 2^43 plaintext-ciphertext pairs are needed

Overview of the DES Algorithm

[Figure: DES overview; a single bit flip at the input produces many bit flips at the output.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Encryption

[Figures: the DES encryption structure.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Encryption

16-round Feistel structure

1. Input: L_0 || R_0
2. (L_i, R_i) = (R_{i−1}, L_{i−1} ⊕ f(R_{i−1}, k_i)) for i = 1, ..., 16
3. Output: L_16 || R_16

Property
The Feistel structure is a permutation for any keys k_i.

Property
Encryption and decryption of the Feistel structure (with no swap in the last round) differ only in the key schedule.

DES Encryption

Initial and Final Permutation

• Bitwise permutations.
• Inverse operations.
• Described by tables IP and IP^{-1}.

[Figure: Initial Permutation and Final Permutation tables.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

• Does not increase the security of DES
• Probably for efficient hardware implementation

DES Encryption: The f-function

[Figure: the f-function; Expansion E.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Encryption

[Figure: S-box substitution and Permutation P.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

Example
What is S1(100101)?

DES Key Schedule Algorithm

[Figure: Permuted Choice PC-1.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Key Schedule Algorithm

[Figure: Permuted Choice PC-2.]

• In rounds i = 1, 2, 9, 16: the two halves are rotated left by one bit
• In the other rounds: the two halves are rotated left by two bits
• Note that (C_0, D_0) = (C_16, D_16)

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Decryption

Reversed key schedule

• In rounds i = 2, 9, 16: the two halves are rotated right by one bit
• In the other rounds: the two halves are rotated right by two bits
• With the same round keys in reverse order, the encryption and the decryption functions are the same!

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

DES Decryption

[Figure: encryption key schedule (rounds i = 1, 2, 9, 16: 1-bit left rotation; the other rounds: 2-bit) beside the decryption key schedule (no rotation in round 1; rounds i = 2, 9, 16: 1-bit right rotation; the other rounds: 2-bit).]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

History of AES

• US NIST (National Institute of Standards and Technology) announced 3DES should be used instead of DES (1996)

• However, 3DES is slow and its block size is too small for certain applications (hash functions etc.)

• NIST called for proposals for a new Advanced Encryption Standard (AES) as an open process (1997)

• Requirements
  • 128-bit block size
  • 128, 192, 256-bit keys supported
  • security relative to other submissions
  • efficiency in software and hardware

• 15 algorithms collected (1998)
• 5 finalists announced (1999)
  • Mars (IBM), RC6 (RSA), Rijndael (J. Daemen, V. Rijmen), Serpent (R. Anderson et al.), Twofish (B. Schneier et al.)

• Rijndael was chosen as the AES (2000)

Overview of the AES Algorithm

[Figure: AES as a block cipher with 128-bit plaintext x, 128-bit ciphertext y and a key k of 128, 192 or 256 bits.]

Key length    # rounds
128           10
192           12
256           14

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Round Function

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Round Function: Byte Substitution Layer

S-box: B_i = S(A_i), realized as a GF(2^8) inverse followed by an affine mapping: A_i → B'_i → B_i.

1. In GF(2^8) (the finite field of 2^8 elements), B'_i = (A_i)^{−1}
   • GF(2^8) = GF(2)[x] / <x^8 + x^4 + x^3 + x + 1>

2. In GF(2)^8 (the vector space over GF(2)),

$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix}
=
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix}
+
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}
$$

AES Round Function: Byte Substitution Layer

S-box Table Lookup: S(xy) is given by a 16 x 16 table indexed by the two hex digits x and y (in hexadecimal notation).

AES Round Function: Diffusion Layer

ShiftRows Sublayer

  B0   B4   B8   B12            B0   B4   B8   B12     no shift
  B1   B5   B9   B13    −→      B5   B9   B13  B1      1 pos. ←
  B2   B6   B10  B14            B10  B14  B2   B6      2 pos. ←
  B3   B7   B11  B15            B15  B3   B7   B11     3 pos. ←

MixColumn Sublayer

In GF(2^8),

  C0   C4   C8   C12        02 03 01 01        B0   B4   B8   B12
  C1   C5   C9   C13   =    01 02 03 01   ·    B5   B9   B13  B1
  C2   C6   C10  C14        01 01 02 03        B10  B14  B2   B6
  C3   C7   C11  C15        03 01 01 02        B15  B3   B7   B11
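The S-box definition (GF(2^8) inverse followed by the affine map) and the ShiftRows/MixColumn layers above can be built directly from the definitions rather than looked up. The following is an added example, not code from the lecture notes: it implements GF(2^8) multiplication modulo x^8 + x^4 + x^3 + x + 1, derives the full S-box from the inverse and the affine matrix with constant 0x63, applies ShiftRows to a state held in column-major order as on the slide, and multiplies a column by the 02/03/01/01 circulant and by its inverse 0E/0B/0D/09. The expected values in the checks are the FIPS-197 worked examples (0x53 → 0xED; column d4 bf 5d 30 → 04 66 81 e5).

```python
# Added example (not from the lecture notes): AES byte substitution from its
# algebraic definition, ShiftRows on a column-major state, and MixColumn with its
# inverse, all over GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiplication in GF(2^8) with reduction modulo AES_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 as in the S-box definition.
    Uses a^(2^8 - 2) = a^254 = a^-1 by square-and-multiply."""
    if a == 0:
        return 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def affine(b):
    """Row i of the affine matrix: b_i' = b_i + b_{i+4} + b_{i+5} + b_{i+6} + b_{i+7}
    (indices mod 8), then add the constant 0x63 = 01100011."""
    out = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))) & 1
        out |= bit << i
    return out ^ 0x63


def sbox(a):
    """S(A) = affine(A^-1), the two steps of the byte substitution layer."""
    return affine(gf_inv(a))


SBOX = [sbox(a) for a in range(256)]


def shift_rows(state):
    """state: 16 bytes in column-major order (B0..B3 is the first column).
    Row r is rotated left by r positions."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            out[r + 4 * c] = state[r + 4 * ((c + r) % 4)]
    return out


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col, matrix=MIX):
    """Multiply one 4-byte column by the MixColumn matrix over GF(2^8)."""
    return [gf_mul(matrix[r][0], col[0]) ^ gf_mul(matrix[r][1], col[1])
            ^ gf_mul(matrix[r][2], col[2]) ^ gf_mul(matrix[r][3], col[3])
            for r in range(4)]


if __name__ == "__main__":
    print("S(0x53) = 0x%02X (inverse 0x%02X)" % (SBOX[0x53], gf_inv(0x53)))
    print("ShiftRows index map:", shift_rows(list(range(16))))
    col = [0xD4, 0xBF, 0x5D, 0x30]
    mixed = mix_column(col)
    print("MixColumn:", [hex(v) for v in mixed],
          "-> inverse:", [hex(v) for v in mix_column(mixed, INV_MIX)])
```

Generating the table this way, rather than copying it, is the check a reviewer can run against an AES implementation: the 256 outputs must be distinct (the S-box is a bijection, which is what makes the inverse byte-substitution layer possible) and must match the published values.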

AES Key Schedule Algorithm

[Figure: AES key schedule deriving the round keys from k.]

• RC[i] = x^{i−1} in GF(2^8)

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Decryption

[Figure: the AES decryption structure.]

Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010

AES Decryption

Inv MixColumn Sublayer

In GF(2^8),

  B0   B4   B8   B12        0E 0B 0D 09        C0   C4   C8   C12
  B5   B9   B13  B1    =    09 0E 0B 0D   ·    C1   C5   C9   C13
  B10  B14  B2   B6         0D 09 0E 0B        C2   C6   C10  C14
  B15  B3   B7   B11        0B 0D 09 0E        C3   C7   C11  C15

Inv ShiftRows Sublayer

  B0   B4   B8   B12            B0   B4   B8   B12     no shift
  B5   B9   B13  B1     −→      B1   B5   B9   B13     1 pos. →
  B10  B14  B2   B6             B2   B6   B10  B14     2 pos. →
  B15  B3   B7   B11            B3   B7   B11  B15     3 pos. →

Inv Byte Substitution Layer
It is possible to construct an inverse such that A_i = S^{−1}(B_i) ⇒ it is usually realized as a lookup table

AES Design Considerations

• In a Feistel cipher, half the bits are moved, but not changed, during each round. AES treats all bits uniformly, making the effect of diffusing the input bits faster.

• The S-box was constructed in an explicit and simple algebraic way.

• The ShiftRows step resists truncated differential analysis and the Square attack.

• MixColumn causes diffusion among the bytes.
  • A change in one input byte results in all four output bytes changing.
  • Changes in two input bytes result in at least three output bytes changing.

AES Design Considerations

• The key schedule involves nonlinear mixing of the key bits using the S-box.

• Even if an attacker knows part of the key, they cannot deduce the remaining bits.

• It ensures that two distinct keys do not have a large number of round keys in common.

• The round constants eliminate symmetries in the encryption process by making each round different.

• Until recently, there have been no known attacks that are better than exhaustive key search up to six rounds. It was felt that four extra rounds provide a large enough margin of safety.

DES vs. AES

DES                                     AES
Feistel network                         SP network
8 different S-boxes:                    A single S-box:
not 1-1 (6-bit to 4-bit)                1-1 (8-bit to 8-bit)
Design principle unclear                Algebraic structure
Encryption = Decryption                 Encryption ≠ Decryption
using round keys in reverse order

Modes of Operation

• A block cipher by itself allows encryption only of a single data block of the cipher's block length.

• In order to encrypt a variable-length message, the data must first be partitioned into separate cipher blocks.

• Typically, the last block must also be extended to match the cipher's block length using a suitable padding scheme.

• The method of encrypting each of these blocks is called a mode of operation.

• A mode of operation generally uses randomization based on an additional input value, often called an initialization vector.

Modes of Operation

• ECB, CBC, OFB, and CFB were specified in FIPS 81, "DES Modes of Operation" (1981).

• NIST added CTR mode in SP 800-38A, "Recommendation for Block Cipher Modes of Operation" (2001).

• NIST added XTS-AES in SP 800-38E, "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices" (2010).

• ECB, CBC, OFB, CFB, CTR, and XTS modes only provide confidentiality.

• Some modern modes of operation combine encryption and authentication in an efficient way, and are known as authenticated modes of operation.

Electronic Codebook Mode (ECB)

[Figures: http://en.wikipedia.org/wiki/File:Ecb_encryption.png, http://en.wikipedia.org/wiki/File:Ecb_decryption.png]

Electronic Codebook Mode (ECB)

• Both encryption and decryption algorithms are used
• Identical plaintext blocks map to identical ciphertext blocks
  • images remain distinguishable
• Susceptible to codebook attacks and replay attacks
• Not recommended

[Figure: http://en.wikipedia.org/wiki/File:Tux_ecb.jpg]

Cipher Block Chaining Mode (CBC)

[Figures: http://en.wikipedia.org/wiki/File:Cbc_encryption.png, http://en.wikipedia.org/wiki/File:Cbc_decryption.png]

Cipher Block Chaining Mode (CBC)

• Invented by IBM in 1976
• Both encryption and decryption algorithms are used
• An initialization vector is used
  • The IV does not need to be secret. However, in most cases, an initialization vector should not be reused under the same key
• Encryption cannot be parallelized / decryption can be parallelized
• A one-bit change to the ciphertext causes
  • complete corruption of the corresponding block of plaintext
  • a one-bit change in the corresponding bit of the following block of plaintext

Cipher Feedback Mode (CFB)

[Figures: http://en.wikipedia.org/wiki/File:Cfb_encryption.png, http://en.wikipedia.org/wiki/File:Cfb_decryption.png]

Cipher Feedback Mode (CFB)

• Makes a block cipher into an asynchronous stream cipher
• Only the encryption algorithm is used
  • Suitable for a block cipher for which decryption is slower than encryption
• An initialization vector is used
• Encryption cannot be parallelized / decryption can be parallelized
• A one-bit change in the ciphertext causes
  • a one-bit change in the corresponding plaintext block
  • complete corruption of the following plaintext block

Output Feedback Mode (OFB)

[Figures: http://en.wikipedia.org/wiki/File:Ofb_encryption.png, http://en.wikipedia.org/wiki/File:Ofb_decryption.png]

Output Feedback Mode (OFB)

• Makes a block cipher into a synchronous stream cipher
• Only the encryption algorithm is used
• An initialization vector is used
• Encryption and decryption cannot be parallelized
  • However, the key stream can be computed in advance
• A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block

Counter Mode (CTR)

[Figures: http://en.wikipedia.org/wiki/File:Ctr_encryption.png, http://en.wikipedia.org/wiki/File:Ctr_decryption.png]

Counter Mode (CTR)

• Makes a block cipher into a synchronous stream cipher
• Only the encryption algorithm is used
• A nonce and a counter are used
  • A counter produces a sequence which is guaranteed not to repeat for a long time
• Encryption and decryption can be parallelized
• A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
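The Feistel properties stated in the DES section (a permutation for any round keys, decryption = encryption with the round keys reversed) and the mode-of-operation properties listed above (ECB leaks equal blocks, CBC's error propagation, CTR as a stream cipher) can be demonstrated on one small cipher. The following is an added example, not code from the lecture notes: a 4-round, 64-bit Feistel cipher whose round function is a truncated SHA-256 of the subkey and half-block (an arbitrary, non-invertible choice made for this example, precisely to show that f need not be invertible), with ECB, CBC and CTR layered on top and a probe that flips one ciphertext bit in CBC and counts the damage per plaintext block.

```python
# Added example (not from the lecture notes): a generic Feistel cipher (64-bit block,
# 4 rounds, round function = truncated SHA-256, chosen arbitrarily for this example)
# and ECB/CBC/CTR modes on top of it, used to check the properties stated in the notes.
import hashlib

BLOCK = 8      # block length in bytes (64-bit blocks, as in DES)
ROUNDS = 4


def f(half, subkey):
    """Round function f(R, k): need not be invertible; here 4 bytes of SHA-256(k||R)."""
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key):
    """Toy key schedule for this example: k_i = SHA-256(key || i) truncated."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def feistel(block, subkeys):
    """(L_i, R_i) = (R_{i-1}, L_{i-1} xor f(R_{i-1}, k_i)); the final swap is undone,
    so running the same function with the subkeys reversed is the inverse."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in subkeys:
        left, right = right, xor(left, f(right, k))
    return right + left


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])   # same structure, reversed schedule


def ecb(blocks, key):
    return [encrypt_block(b, key) for b in blocks]


def cbc_encrypt(blocks, key, iv):
    out, prev = [], iv
    for b in blocks:
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return out


def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for c in blocks:
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return out


def ctr(blocks, key, nonce):
    """Nonce (4 bytes) || 32-bit counter is the block-cipher input; the same
    function encrypts and decrypts, and blocks are independent (parallelizable)."""
    out = []
    for i, b in enumerate(blocks):
        out.append(xor(b, encrypt_block(nonce + i.to_bytes(4, "big"), key)))
    return out


def flip_bit(block, bit):
    b = bytearray(block)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def cbc_error_propagation(key, iv):
    """Flip one ciphertext bit of block 0 in a 3-block CBC message and return the
    number of differing plaintext bits per block: block 0 garbled, block 1 exactly
    one bit, block 2 untouched."""
    msg = [bytes(BLOCK)] * 3
    ct = cbc_encrypt(msg, key, iv)
    ct[0] = flip_bit(ct[0], 3)
    pt = cbc_decrypt(ct, key, iv)
    return [sum(bin(x ^ y).count("1") for x, y in zip(a, b)) for a, b in zip(pt, msg)]


# Constructed key, IV, nonce and message for the demonstration.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
NONCE = b"\x00\x01\x02\x03"
BLOCKS = [b"ABCDEFGH", b"ABCDEFGH", b"12345678"]

if __name__ == "__main__":
    print("ECB equal blocks -> equal ciphertext:", ecb(BLOCKS, KEY)[0] == ecb(BLOCKS, KEY)[1])
    c = cbc_encrypt(BLOCKS, KEY, IV)
    print("CBC equal blocks -> equal ciphertext:", c[0] == c[1])
    print("CBC bit-flip damage per block:", cbc_error_propagation(KEY, IV))
    print("CTR round trip:", ctr(ctr(BLOCKS, KEY, NONCE), KEY, NONCE) == BLOCKS)
```

The error-propagation probe makes the CBC bullet concrete: the garbled first block comes from decrypting a modified ciphertext block, while the single flipped bit in the second block comes from the XOR with the previous ciphertext block, which is also why CBC offers no integrity protection and why the notes point to authenticated modes.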

Cryptanalysis

[Figure: taxonomy of cryptanalysis. Cryptanalysis splits into classical cryptanalysis (mathematical analysis and brute-force attacks), implementation attacks, and social engineering.]

• Classical analysis: tries to recover the plaintext x (or the key k) from the ciphertext y

• Mathematical analysis: exploits the internal structure of the encryption method

• Exhaustive key search: treats the encryption algorithm as a black box and tests all possible keys

• Implementation attacks: use power consumption, electromagnetic radiation, runtime behavior, etc.

• Social engineering attacks: include bribing, blackmailing, tricking, espionage, etc.

Cryptanalysis

An attacker looks for the weakest link in your cryptosystem. That means we have to choose strong algorithms and we have to make sure that social engineering and implementation attacks are not practical.

Kerckhoffs' Principle
A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.

Question
Doesn't it improve the security to keep the details of an algorithm hidden? (This is called security by obscurity.)

Exhaustive Key Search Revisited

Exhaustive Key Search
Let K = {k_1, ..., k_N} be the key space. Given t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), check for every k_i ∈ K whether or not DES_{k_i}(x_j) = y_j for all j = 1, ..., t. If the equality holds, a possible correct key is found; if not, proceed with the next key.

What if a wrong key k satisfies DES_k(x_j) = y_j for j = 1, ..., t?

Theorem
Given a block cipher with a key length of κ bits and block size of n bits, as well as t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), the expected number of false keys which encrypt all plaintexts to the corresponding ciphertexts is 2^{κ−tn}.

Choose t such that 2^{κ−tn} ≪ 1.

Increasing the Security of DES: Double Encryption

[Figure: 2DES. The plaintext x is encrypted with DES under k1 and the result is encrypted again under k2, giving y = DES_{k2}(DES_{k1}(x)).]

Example
What is the size of the key space of 2DES?

Meet-in-the-middle Attack on 2DES

1. Table Computation: Given a plaintext-ciphertext pair (x_1, y_1), encrypt z = DES_k(x_1) for every k ∈ {0,1}^56. Arrange these values and store them in a list L.

2. Key Matching: Decrypt w = DES^{−1}_k(y_1) for every k ∈ {0,1}^56. If for some k*,

   w* = DES^{−1}_{k*}(y_1) = DES_{k**}(x_1)

   is in the list L, then we have

   DES_{k*} ∘ DES_{k**}(x_1) = y_1.

Problems

1. What is the expected number of false keys when we use three plaintext-ciphertext pairs (x_1, y_1), (x_2, y_2), (x_3, y_3)?

2. What is the number of encryptions, decryptions, and memory locations (of κ + n bits) with t = 3?
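The two-step meet-in-the-middle procedure above, and the false-key estimate 2^{κ−tn} from the revisited exhaustive search, can be run end to end on a scaled-down double encryption. The following is an added example, not code from the lecture notes: the block cipher is a toy keyed permutation with a 16-bit block and a 12-bit key constructed for this example (2DES uses DES with 56-bit keys and 64-bit blocks; the procedure is identical, only the exponents change), so the table has 2^12 entries instead of 2^56. With one pair the attack returns the true key among about 2^{24−16} = 2^8 false candidates, as the theorem predicts; further pairs filter them out.

```python
# Added example (not from the lecture notes): meet-in-the-middle against double
# encryption with a TOY 16-bit block / 12-bit key cipher constructed for this
# example (2DES uses 56-bit keys and 64-bit blocks), with the observed false-key
# count compared against the notes' estimate 2^(kappa - t*n).

BLOCK_BITS, KEY_BITS = 16, 12
MASK = (1 << BLOCK_BITS) - 1
MUL = 0x9E37                                # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << BLOCK_BITS)


def rotl(v, r):
    return ((v << r) | (v >> (BLOCK_BITS - r))) & MASK


def rotr(v, r):
    return ((v >> r) | (v << (BLOCK_BITS - r))) & MASK


def enc(x, k):
    """Toy keyed permutation: xor key, multiply by an odd constant, rotate, xor key.
    Every step is invertible, so each key defines a permutation on {0,1}^16."""
    return rotl(((x ^ k) * MUL) & MASK, 5) ^ k


def dec(y, k):
    return ((rotr(y ^ k, 5) * MUL_INV) & MASK) ^ k


def double_enc(x, k1, k2):
    """Double encryption: y = E_k2(E_k1(x)), total key length kappa = 24 bits."""
    return enc(enc(x, k1), k2)


def mitm(pairs):
    """Meet-in-the-middle. Step 1 tabulates z = E_k1(x1) for every k1; step 2
    computes w = D_k2(y1) for every k2 and looks it up, so the work is 2 * 2^12
    cipher calls and 2^12 table entries instead of 2^24 double encryptions.
    Remaining pairs filter false keys. Returns the surviving (k1, k2) pairs."""
    x1, y1 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):                       # step 1: table computation
        table.setdefault(enc(x1, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                       # step 2: key matching
        for k1 in table.get(dec(y1, k2), []):
            candidates.append((k1, k2))
    for x, y in pairs[1:]:                                # filter with more pairs
        candidates = [(k1, k2) for k1, k2 in candidates if double_enc(x, k1, k2) == y]
    return candidates


def expected_false_keys(kappa, n, t):
    """2^(kappa - t*n) from the notes; kappa is the total key length of the composed
    cipher (here 2 * 12 = 24) and n the block length."""
    return 2.0 ** (kappa - t * n)


# Constructed secret keys and known plaintext-ciphertext pairs for the demonstration.
K1, K2 = 0xABC, 0x123
PAIRS = [(x, double_enc(x, K1, K2)) for x in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    one = mitm(PAIRS[:1])
    print("candidates after 1 pair:", len(one),
          "(expected false keys %.0f)" % expected_false_keys(2 * KEY_BITS, BLOCK_BITS, 1))
    print("true key recovered:", (K1, K2) in one)
    print("candidates after 3 pairs:", mitm(PAIRS))
```

The counts illustrate why doubling the key length does not double the security: the attacker spends roughly twice the work of a single-key exhaustive search plus a table of 2^κ entries, and the false candidates that remain after one pair are exactly the 2^{κ−n} predicted by the theorem, which is why the notes ask for t such that 2^{κ−tn} ≪ 1.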

Increasing the Security of DES: Triple Encryption

[Figure: 3DES. Three DES operations in sequence under the keys k1, k2, k3 turn the plaintext x into the ciphertext y.]

Problem
Apply the meet-in-the-middle attack to 3DES. What is the number of encryptions, decryptions, and memory locations (of n bits)?

