Symmetric Cryptography
Block Ciphers and Stream Ciphers
Stream Ciphers
Seeded by a key $K$, the stream cipher generates a pseudo-random bit-stream $\vec{z}$ (the key stream). A stream of plain-text bits $\vec{p}$ is XORed with the key stream to obtain the cipher-text stream $\vec{c}$:
$\vec{c} = \vec{p} \oplus \vec{z}$ and $\vec{p} = \vec{c} \oplus \vec{z}$
The same stream generator (using the same seed) produces the key stream $\vec{z}$ used for both encryption and decryption.
Stream Ciphers
$K \rightarrow \bar{z}_K$
$\bar{c} = \bar{p} \oplus \bar{z}_K$
$\bar{c}_i = \bar{p}_i \oplus \bar{z}_K$
$\bar{c}_j = \bar{p}_j \oplus \bar{z}_K$
Attacker has access to $\bar{c}_i$ and $\bar{c}_j$:
$\bar{c}_i \oplus \bar{c}_j = (\bar{p}_i \oplus \bar{z}_K) \oplus (\bar{p}_j \oplus \bar{z}_K) = \bar{p}_i \oplus \bar{p}_j$
● XORing two cipher-texts encrypted under the same seed gives the XOR of the corresponding plain-texts
● Redundancy in the plain-text structure can be used to recover both plain-texts
● And hence the key stream
● Never reuse a seed? – Impractical (it would mean a fresh key per message)
● Extend the seed with an initial value (IV) that can be sent in the clear
● Never reuse an IV under the same key
Block Ciphers
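The key-stream reuse attack from the stream-cipher slides above, carried through as an added worked example (this is not code from the original deck). The key-stream generator is a toy built from SHA-256 in counter mode, the key, IVs and the two messages are constructed values, and `crib_drag` is a helper name chosen here; none of them come from the slides.

```python
"""Key-stream reuse (the "two-time pad"): added example, not code from the slides.
The generator is a toy PRG built from SHA-256 in counter mode (an assumption
for illustration, not a standard cipher); the attack only needs the same key
stream to be XORed into two messages."""
import hashlib


def key_stream(key: bytes, iv: bytes, length: int) -> bytes:
    """z = SHA-256(key || iv || counter) blocks, truncated to `length` bytes."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """c = p XOR z; decryption is the same operation."""
    return xor(plaintext, key_stream(key, iv, len(plaintext)))


def two_time_pad_leak(c_i: bytes, c_j: bytes) -> bytes:
    """c_i XOR c_j = (p_i XOR z) XOR (p_j XOR z) = p_i XOR p_j: the key stream cancels."""
    return xor(c_i, c_j)


def recover_other_plaintext(c_i, c_j, known_p_i):
    """Knowing one plain text gives the other, and the key stream itself."""
    p_j = xor(two_time_pad_leak(c_i, c_j), known_p_i)
    z = xor(c_i, known_p_i)
    return p_j, z


def crib_drag(leak: bytes, crib: bytes):
    """Without a full known plain text: slide a guessed fragment (crib) over
    p_i XOR p_j; offsets where the result is printable are candidates for
    where the crib sits in one message and what the other says there."""
    hits = []
    for off in range(len(leak) - len(crib) + 1):
        guess = xor(leak[off:off + len(crib)], crib)
        if all(0x20 <= b < 0x7F for b in guess):
            hits.append((off, guess))
    return hits


# Constructed sample values (not real traffic).
KEY = bytes(range(16))
IV = b"\x00" * 8                      # reused for both messages: the mistake
IV_FRESH = b"\x00" * 7 + b"\x01"     # a per-message IV: the fix
P_I = b"TRANSFER 100 USD TO ACCOUNT 4242"
P_J = b"TRANSFER 950 USD TO ACCOUNT 1337"


def same_iv_leaks():
    """Same key and IV for both messages: c_i XOR c_j is exactly p_i XOR p_j."""
    c_i, c_j = encrypt(KEY, IV, P_I), encrypt(KEY, IV, P_J)
    return two_time_pad_leak(c_i, c_j) == xor(P_I, P_J)


def fresh_iv_does_not():
    """Different IV per message: the two key streams differ and do not cancel."""
    c_i, c_j = encrypt(KEY, IV, P_I), encrypt(KEY, IV_FRESH, P_J)
    return two_time_pad_leak(c_i, c_j) != xor(P_I, P_J)
```

With a full known plain text `recover_other_plaintext` returns both the other message and the key stream; with only a guessed fragment, `crib_drag(two_time_pad_leak(c_i, c_j), b"100 USD ")` lists the offsets where the guess lines up, and offset 9 reveals `950 USD ` from the second message.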
● C=E(P,K)
● P=D(C,K)
● E() and D() are algorithms
● P is a block of “plain text” (m bits)
● C is the corresponding “cipher text” (also m bits)
● K is the secret key (k bits long)
● (k,m) block cipher – k-bit keysize, m-bit blocksize
● (m+k)-bit input, m-bit output
Desired Properties
● The most efficient attack should be the brute-force attack (complexity depends only on key length)
● Knowledge of any number of plain-text/cipher-text pairs still does not reveal any information regarding any bit of the key
– Even if the attacker can choose the plain-texts/cipher-texts
– Think of the cipher as encryption/decryption black boxes (with the key inside the boxes). An attacker with access to the black boxes can
● input any plain text to the encryption box to get its cipher text, and
● input any cipher text to the decryption box to get the corresponding plain text
– The attacker should still not be able to determine the key
Confusion and Diffusion
● Confusion is “making the relationship between the ciphertext and the symmetric key as complex and involved as possible.”
● Diffusion refers to “dissipating the statistical structure of the plaintext over the bulk of the ciphertext.”
● A block cipher with good confusion and diffusion properties will meet the desired goals
Block Cipher Properties: Another Perspective
● m+k input bits
● m output bits
● If the $i$-th input bit is changed, what is the probability that the $j$-th output bit changes?
● $1 \le i \le m+k$ and $1 \le j \le m$
● The probability should be as close to 0.5 as possible for all such $i$ and $j$
Feistel Structure
[Figure: one Feistel round, encryption on the left and decryption on the right; both directions use only the round function $F$ and the round key $K_i$.]
Encryption: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
Decryption: $R_{i-1} = L_i$, $L_{i-1} = R_i \oplus F(L_i, K_i)$
● Block ciphers are constructed from repeated Feistel rounds
● Each round uses the same F block but a different round key
● Why this structure?
● F() need not be invertible for the block cipher to be invertible!
● F() can therefore be made as complex/non-linear as desired
Feistel Block Cipher (16 Rounds)
[Figure: the input block is split into halves $(L_0, R_0)$; round $i$ ($1 \le i \le 16$) applies $F$ with round key $K_i$ to produce $(L_i, R_i)$; the output block is $(L_{16}, R_{16})$.]
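A runnable Feistel cipher following the round equations above, with the avalanche measurement from the "Another Perspective" slide applied to it, as an added example (this is not code from the original deck). The 32-bit block, 64-bit key, the SHA-256-based round function `F` and the round-key schedule are assumptions chosen for illustration, not any standardised cipher; `avalanche` is a helper name chosen here.

```python
"""16-round Feistel cipher with a non-invertible round function, plus an
avalanche measurement: added example, not code from the slides. F, the round-key
schedule and the block/key sizes are assumptions for illustration only."""
import hashlib
import random

ROUNDS = 16
HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1
BLOCK_BITS = 2 * HALF_BITS      # m = 32
KEY_BITS = 64                   # k = 64


def F(r: int, k: int) -> int:
    """Round function: need not be invertible (a truncated hash is not)."""
    d = hashlib.sha256(r.to_bytes(2, "big") + k.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")


def round_keys(key: int):
    """Derive the 16 round keys K_1..K_16 (16 bits each) from the 64-bit key."""
    kb = key.to_bytes(KEY_BITS // 8, "big")
    return [int.from_bytes(hashlib.sha256(kb + bytes([i])).digest()[:2], "big")
            for i in range(1, ROUNDS + 1)]


def encrypt_block(p: int, key: int) -> int:
    l, r = p >> HALF_BITS, p & HALF_MASK      # (L_0, R_0)
    for k in round_keys(key):                 # L_i = R_{i-1}; R_i = L_{i-1} ^ F(R_{i-1}, K_i)
        l, r = r, l ^ F(r, k)
    return (l << HALF_BITS) | r               # (L_16, R_16)


def decrypt_block(c: int, key: int) -> int:
    l, r = c >> HALF_BITS, c & HALF_MASK      # (L_16, R_16)
    for k in reversed(round_keys(key)):       # R_{i-1} = L_i; L_{i-1} = R_i ^ F(L_i, K_i)
        l, r = r ^ F(l, k), l
    return (l << HALF_BITS) | r


def avalanche(samples: int = 100, seed: int = 1):
    """Estimate P(output bit j flips | input bit i flips) for every i over the
    m+k input bits (plain-text bits first, then key bits) and every output bit j,
    over random (plain text, key) pairs. Returns (mean, min, max) of the estimates."""
    rng = random.Random(seed)
    counts = [[0] * BLOCK_BITS for _ in range(BLOCK_BITS + KEY_BITS)]
    for _ in range(samples):
        p, key = rng.getrandbits(BLOCK_BITS), rng.getrandbits(KEY_BITS)
        base = encrypt_block(p, key)
        for i in range(BLOCK_BITS + KEY_BITS):
            if i < BLOCK_BITS:
                c = encrypt_block(p ^ (1 << i), key)                # flip plain-text bit i
            else:
                c = encrypt_block(p, key ^ (1 << (i - BLOCK_BITS)))  # flip key bit i-m
            diff = base ^ c
            for j in range(BLOCK_BITS):
                counts[i][j] += (diff >> j) & 1
    probs = [x / samples for row in counts for x in row]
    return sum(probs) / len(probs), min(probs), max(probs)


if __name__ == "__main__":
    k = 0x0123456789ABCDEF
    c = encrypt_block(0xDEADBEEF, k)
    print(hex(c), hex(decrypt_block(c, k)))
    print("avalanche mean/min/max: %.3f %.3f %.3f" % avalanche())
```

`decrypt_block` inverts `encrypt_block` even though `F` itself cannot be inverted, which is the point of the structure; `avalanche()` returns per-bit flip probabilities that all sit near 0.5 after 16 rounds (after only one round a flipped bit of $L_0$ would show up unchanged in $R_1$, so round count matters).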
Encrypting Bulk Data
● For example, a file, or a packet
● Segment data into blocks of size m bits (block size)
● Encrypt each block using the same key – key set-up (the round-key schedule) is expensive, so it is done once per key rather than once per block
● Issue – the encrypted file/packet should reveal as little information as possible regarding its contents
Block Cipher Modes
● Electronic Codebook (ECB)
● Cipher Blockchaining (CBC)
● Cipher Feedback (CFB)
● Output Feedback (OFB)
● Counter mode (CTR)
ECB Mode
$C_i = E(P_i)$ and $P_i = D(C_i)$
[Figure: encryption applies $E$ independently to $P_1, P_2, \ldots, P_n$ giving $C_1, C_2, \ldots, C_n$; decryption applies $D$ independently to each $C_i$.]
● Sender to receiver: n blocks C1 to Cn
● Identical plain-text blocks produce identical cipher-text blocks
● This can reveal some information regarding the plain text
● Encryption/Decryption can be parallelized
CBC Mode
$C_i = E(P_i \oplus C_{i-1})$, $C_0 = IV$
$P_i = D(C_i) \oplus C_{i-1}$, $C_0 = IV$
[Figure: encryption XORs each plain-text block with the previous cipher-text block (the IV for the first) before applying $E$; decryption applies $D$ to $C_i$ and XORs the result with $C_{i-1}$.]
● Sender to Receiver: IV, and C1 to Cn
● Tx error in Ck affects decryption of Pk and Pk+1
● Encryption cannot be parallelized ($C_i$ depends on $C_{i-1}$); decryption can, since $P_i$ depends only on $C_i$ and $C_{i-1}$
● A change in any bit of any plain-text block dramatically modifies all following cipher-text blocks (the basis of CBC-MAC for key-based message authentication)
● What happens if a bit of the IV is modified in transit? Only the corresponding bit of $P_1$ flips and nothing else, so an unauthenticated IV lets the attacker make controlled changes to the first block
● The IV must be unpredictable to the attacker; one recommended way to obtain it is to encrypt a nonce/counter with the block cipher in ECB mode and use the output as the IV
CFB Mode
$C_i = E(C_{i-1}) \oplus P_i$, $C_0 = IV$
$P_i = E(C_{i-1}) \oplus C_i$, $C_0 = IV$
[Figure: both directions feed the previous cipher-text block (the IV first) through $E$ and XOR the result with $P_i$ (encryption) or $C_i$ (decryption).]
● Sender to Receiver: IV, and C1 to Cn
● Tx error in Ck affects decryption of Pk and Pk+1
● Encryption cannot be parallelized; decryption can ($P_i$ needs only $C_{i-1}$ and $C_i$)
● A change in any bit of any plain-text block dramatically modifies all following cipher-text blocks (likewise usable for key-based message authentication)
● Block cipher used in the encryption direction for both encryption and decryption (advantages? only $E$ has to be implemented)
OFB Mode
$O_i = E(O_{i-1})$, $O_0 = IV$
$C_i = P_i \oplus O_i$ and $P_i = C_i \oplus O_i$
[Figure: the key-stream blocks $O_1, O_2, \ldots$ are produced by repeatedly applying $E$ starting from the IV, independently of the data; encryption and decryption XOR them with $P_i$ and $C_i$ respectively.]
● Converts a block cipher into a stream cipher
● Not parallelizable
● If a bit of any cipher text is inverted the corresponding plain-text bit will be inverted.
● Preferable for encrypting streaming data over noisy channels, since a transmission error does not propagate beyond the affected bit
● If data integrity is crucial, an additional mechanism (a MAC) must be used to ensure it
CTR Mode
● Can be parallelized (like ECB)
● The same plain-text does not produce the same cipher text (unlike ECB)
● Two of the most recommended modes are currently CTR and CBC
$C_i = P_i \oplus E(X+i)$ and $P_i = C_i \oplus E(X+i)$, with $X$ the counter's starting value
[Figure: $E$ applied to $X+1, X+2, X+3, \ldots$ produces the key-stream blocks, which are XORed with $P_i$ (encryption) or $C_i$ (decryption).]
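The five modes implemented over one toy block cipher, with the ECB pattern leak, the CBC error propagation and CTR random access from the slides checked in code: an added example, not code from the original deck. The "block cipher" `E`/`D` is a keyed random permutation of the 16-bit block space (the key seeds Python's PRNG), an assumption chosen because it is deterministic and invertible, which is all the modes need; it has no cryptographic strength. `KEY`, `IV`, `X` and `P` are constructed values.

```python
"""ECB, CBC, CFB, OFB and CTR over a toy 16-bit block cipher: added example,
not code from the slides. E/D is a keyed random permutation (an assumption for
illustration, no cryptographic strength). KEY, IV, X and P are constructed."""
import functools
import random

BLOCK = 2                                   # m = 16 bits


@functools.lru_cache(maxsize=None)
def _tables(key):
    fwd = list(range(1 << 16))
    random.Random(key).shuffle(fwd)         # toy keyed permutation, not a real cipher
    inv = [0] * len(fwd)
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv


def E(key, b): return _tables(key)[0][int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
def D(key, b): return _tables(key)[1][int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(d): return [d[i:i + BLOCK] for i in range(0, len(d), BLOCK)]
def ctr_block(key, x, i): return E(key, ((x + i) & 0xFFFF).to_bytes(BLOCK, "big"))  # E(X+i)


def ecb_enc(key, p): return b"".join(E(key, b) for b in blocks(p))        # C_i = E(P_i)
def ecb_dec(key, c): return b"".join(D(key, b) for b in blocks(c))        # P_i = D(C_i)


def cbc_enc(key, iv, p):
    out, prev = [], iv                                                     # C_0 = IV
    for b in blocks(p):
        prev = E(key, xor(b, prev))                                        # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_dec(key, iv, c):                    # P_i = D(C_i) ^ C_{i-1}: blocks are independent, so parallelisable
    cs = [iv] + blocks(c)
    return b"".join(xor(D(key, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


def cfb_enc(key, iv, p):
    out, prev = [], iv
    for b in blocks(p):
        prev = xor(E(key, prev), b)                                        # C_i = E(C_{i-1}) ^ P_i
        out.append(prev)
    return b"".join(out)


def cfb_dec(key, iv, c):                    # P_i = E(C_{i-1}) ^ C_i: only E is needed, parallelisable
    cs = [iv] + blocks(c)
    return b"".join(xor(E(key, cs[i - 1]), cs[i]) for i in range(1, len(cs)))


def ofb_crypt(key, iv, data):               # O_i = E(O_{i-1}), C_i = P_i ^ O_i; the same call decrypts
    ks, o = [], iv
    for _ in blocks(data):
        o = E(key, o)
        ks.append(o)
    return xor(data, b"".join(ks))


def ctr_crypt(key, x, data):                # C_i = P_i ^ E(X+i); the same call decrypts
    return xor(data, b"".join(ctr_block(key, x, i) for i in range(1, len(blocks(data)) + 1)))


def ctr_random_access(key, x, c, i):        # decrypt block i alone, without touching the others
    return xor(blocks(c)[i - 1], ctr_block(key, x, i))


# Constructed sample input: eight identical plain-text blocks, the pattern ECB leaks.
KEY, IV, X = 0xC0FFEE, b"\x12\x34", 0x1000
P = b"\xAA\xBB" * 8


def ecb_leaks_pattern():
    """ECB: identical plain-text blocks give identical cipher-text blocks; CBC hides them."""
    return len(set(blocks(ecb_enc(KEY, P)))) == 1 and len(set(blocks(cbc_enc(KEY, IV, P)))) > 1


def cbc_error_propagation(k=3):
    """Flip one bit of C_k: P_k is garbled, P_{k+1} has that one bit flipped, every other block survives.
    Returns the 1-based indices of the damaged blocks and whether P_{k+1} differs by exactly that bit."""
    c = bytearray(cbc_enc(KEY, IV, P))
    c[BLOCK * (k - 1)] ^= 0x01                                             # first byte of C_k
    got, want = blocks(cbc_dec(KEY, IV, bytes(c))), blocks(P)
    damaged = [i + 1 for i in range(len(want)) if got[i] != want[i]]
    return damaged, got[k] == xor(want[k], b"\x01\x00")
```

`cbc_error_propagation()` returns `([3, 4], True)`: block 3 decrypts to garbage because $D$ is applied to a corrupted block, block 4 carries exactly the flipped bit through the XOR with $C_3$, and blocks 5 to 8 are untouched. The same one-bit edit on an OFB or CTR cipher text would flip only the corresponding plain-text bit, which is the integrity problem the OFB slide points to.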
Summary
● ECB: Random access, but reveals patterns in plain text
● CBC: Useful for MAC. Encrypt IV
● CFB: Useful for MAC.
● OFB: Stream Cipher
● CTR: Random Access without revealing plain- text patterns.
Summary
● Do not use a stream cipher if integrity is crucial
– The attacker can modify specific bits
– Use only if noise resilience is necessary
– If integrity is necessary, an additional mechanism must be used
● For the same reason watch out for CTR mode
– Use only if random access is necessary
– If integrity is also essential it can be achieved at extra cost:
● An additional block cipher operation instead of the XOR: use $E(X+i)$ as the key for encrypting block $i$
● CBC/CFB for message authentication
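The integrity warning above carried through in code, as an added example (not from the original deck): a bit-flip on a CTR cipher text gives the attacker a chosen change to the plain text, the slide's per-block-key variant turns that into an uncontrolled garbling that still decrypts without any error, and a CBC-MAC over the cipher text rejects the forgery outright. `E` is a toy keyed permutation of the 16-bit block space seeded by the key (an assumption, no cryptographic strength); `KEY`, `MAC_KEY`, `X` and `MSG` are constructed, and the function names are chosen here.

```python
"""CTR bit-flipping, the per-block-key variant, and CBC-MAC detection: added
example, not code from the slides. E is a toy keyed permutation (assumption,
no cryptographic strength); keys, counter and message are constructed."""
import functools
import random

BLOCK = 2                                   # m = 16 bits


@functools.lru_cache(maxsize=None)
def _perm(key):
    t = list(range(1 << 16)); random.Random(key).shuffle(t); return t      # toy keyed permutation


def E(key, b): return _perm(key)[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
def D(key, b): return _perm(key).index(int.from_bytes(b, "big")).to_bytes(BLOCK, "big")
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(d): return [d[i:i + BLOCK] for i in range(0, len(d), BLOCK)]
def ks_block(key, x, i): return E(key, ((x + i) & 0xFFFF).to_bytes(BLOCK, "big"))   # E(X+i)


def ctr_crypt(key, x, data):                # C_i = P_i ^ E(X+i); the same call decrypts
    return xor(data, b"".join(ks_block(key, x, i) for i in range(1, len(blocks(data)) + 1)))


def cbc_mac(key, data):                     # tag = last CBC block with a zero IV (fixed-length messages only)
    prev = b"\x00" * BLOCK
    for b in blocks(data):
        prev = E(key, xor(b, prev))
    return prev


def perblock_key_enc(key, x, p):            # slide's variant: C_i = E_{k_i}(P_i) with k_i = E_K(X+i)
    return b"".join(E(int.from_bytes(ks_block(key, x, i), "big"), b) for i, b in enumerate(blocks(p), 1))


def perblock_key_dec(key, x, c):
    return b"".join(D(int.from_bytes(ks_block(key, x, i), "big"), b) for i, b in enumerate(blocks(c), 1))


KEY, MAC_KEY, X = 0xC0FFEE, 0xBADC0DE, 0x2000
MSG = b"PAY=0100;TO=ALICE "                  # constructed: 18 bytes = 9 blocks; the attacker knows the layout


def flip_amount(c, old=b"0100", new=b"0900", offset=4):
    """Attacker edits the cipher text: c' = c ^ (p ^ p') changes exactly the chosen plain-text bytes."""
    c = bytearray(c)
    for i in range(len(old)):
        c[offset + i] ^= old[i] ^ new[i]
    return bytes(c)


def tamper_ctr():
    """Plain CTR: the forged cipher text decrypts to the attacker's chosen amount."""
    return ctr_crypt(KEY, X, flip_amount(ctr_crypt(KEY, X, MSG)))


def tamper_perblock_key():
    """Per-block keys: the same edit garbles the touched block instead of giving a chosen value,
    but the result still decrypts without any error, so the tampering is not detected."""
    return perblock_key_dec(KEY, X, flip_amount(perblock_key_enc(KEY, X, MSG)))


def send():
    c = ctr_crypt(KEY, X, MSG)
    return c, cbc_mac(MAC_KEY, c)           # encrypt-then-MAC, separate key for the MAC


def receive(c, tag):
    if cbc_mac(MAC_KEY, c) != tag:          # real code: hmac.compare_digest to avoid timing leaks
        return None                         # reject, integrity failure
    return ctr_crypt(KEY, X, c)
```

`tamper_ctr()` returns `PAY=0900;TO=ALICE ` without the attacker ever seeing the key; `tamper_perblock_key()` returns a message whose amount block is garbage but which is accepted just like a genuine one, so the slide's extra block-cipher operation only removes the attacker's control, not the need for a MAC; `receive()` with the CBC-MAC tag returns `None` for the forgery and the original message for the genuine cipher text.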