EE 595 (PMP) Introduction to Security and Privacy, Lecture #3

Introduction to Cryptanalysis. DES, AES and Modes of Operation. Lecture notes prepared by Professor Radha Poovendran. Thursday, April 12, 2018

Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle

Outline:

1. Polyalphabetic classical cryptosystems
   – Vigenère cipher
   – Permutation cipher
2. Cryptanalysis
3. Data Encryption Standard (DES)
4. Triple DES
5. Advanced Encryption Standard (AES)
6. Encrypting large plaintexts: Modes of operation
   – Electronic Code Book (ECB) mode
   – Cipher Block Chaining (CBC) mode
   – Counter (CTR) mode

1 Review

Last time, we saw that the goal of a symmetric-key cryptosystem is to ensure that two parties, Alice and Bob, can communicate confidentially using a shared key K. Equivalently, the goal is to ensure that a third party Eve, who does not know the key K, cannot determine the plaintext sent by Alice to Bob. Recall that a cryptosystem is defined as a five-tuple (P, C, K, E, D): P is the set of possible plaintexts, C is the set of possible ciphertexts, K is the set of possible keys, and E and D are the sets of possible encryption and decryption functions, respectively. In today's lecture, we first consider how to model and analyze the behavior of an attacker trying to break a cryptosystem. We then describe two widely used symmetric-key cryptosystems, DES and AES. For each, we give the parameter values (e.g., key length) specified by standards bodies such as the National Institute of Standards and Technology (NIST) for real-world use. Finally, we describe modes of operation that allow longer messages to be encrypted while preserving the security guarantees of the underlying block cipher.

2 Poly-alphabetic Classical Cryptosystems

A polyalphabetic cryptosystem is one in which a plaintext character can be encrypted to different ciphertext characters depending on its position, because several alphabetic characters are encrypted at a time. In other words, each plaintext element is a block of n alphabetic characters. The Vigenère cipher is the first polyalphabetic cryptosystem that we encounter in this course.

2.1 The Vigenère Cipher

The idea behind this cryptosystem is to use a vector of n keys, K = (K1, K2, ..., Kn). Here P = C = K = (Z_26)^n, the set of n-tuples over Z_26. The difference between the Vigenère cipher and the shift, substitution, and affine ciphers is that in the Vigenère cipher an alphabetic character is not always mapped to the same ciphertext character; the mapping depends on the position within the block.

y = eK (x1, x2, .., xn) = (x1 + K1, x2 + K2, .., xn + Kn) mod 26, (1)

dK (y1, y2, .., yn) = (y1 − K1, y2 − K2, .., yn − Kn) mod 26. (2)

Example. Let the plaintext be vector, and let n = 4, K = (2, 4, 6, 7). From the correspondence table (a = 0, ..., z = 25) we have x = (21, 4, 2, 19, 14, 17). The key is reused cyclically, and the encryption is shown below:

PLAINTEXT:  21   4   2  19  14  17
KEY:         2   4   6   7   2   4
CIPHERTEXT: 23   8   8   0  16  21   =  XIIAQV

To decrypt, we use the same keyword, but modular subtraction is performed instead of modular addition. The number of possible keywords of length n is 26^n, so even for moderate n an exhaustive search over the key space takes a long time. Note, however, that once n is known, each of the n interleaved subsequences of the ciphertext is just a shift cipher and can be attacked with letter frequencies, so the size of the key space alone does not make the cipher secure.

2.2 The Permutation Cipher

The idea of the permutation cipher (also known as the transposition cipher) is to generate the ciphertext by altering the positions of the characters in the plaintext, i.e., to rearrange the characters using a permutation. In contrast to the substitution cipher, no character is replaced by another (it is similar to scrambling the letters of a word). Formally, we describe the permutation cipher as follows.

Let P = C = (Z_26)^n, where n is a positive integer. K consists of all permutations of {1, ..., n}. For each permutation π ∈ K:

y = eπ(x1, ..., xn) = (xπ(1), ..., xπ(n)) (3)

x = dπ(y1, ..., yn) = (yπ−1(1), ..., yπ−1(n)), (4)

where π−1 denotes the inverse permutation of π.

Example: For illustration, let n = 6, and let the permutation (the key) π be as follows:

   j      1  2  3  4  5  6
   π(j)   3  5  1  6  4  2

To obtain π−1, interchange the rows and sort the columns so that the first row is in ascending order. We obtain:

   j       1  2  3  4  5  6
   π−1(j)  3  6  1  5  2  4

For encryption, if the plaintext is followashore, we first partition the plaintext into groups of six letters: follow | ashore. Using the key π, we rearrange each group of six letters (the j-th output letter is the π(j)-th input letter) to obtain LOFWLO | HRAEOS. The ciphertext is decrypted in the same way using the inverse permutation π−1.
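The two ciphers of Section 2, implemented over Z_26 with the notes' own examples as inputs. This is an added example, not code from the lecture notes; the function names and the 1-based list representation of the permutation key are conventions chosen here.

```python
"""Vigenère and permutation (transposition) ciphers over Z_26, as in Section 2."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def to_nums(text):
    """Map letters to 0..25 (a = 0, ..., z = 25); case is ignored."""
    return [ALPHABET.index(ch) for ch in text.lower()]


def to_text(nums, upper=True):
    s = "".join(ALPHABET[n % 26] for n in nums)
    return s.upper() if upper else s


def vigenere_encrypt(plaintext, key):
    """y_i = x_i + K_{i mod n} (mod 26): the key vector is reused every n letters."""
    n = len(key)
    return to_text([x + key[i % n] for i, x in enumerate(to_nums(plaintext))])


def vigenere_decrypt(ciphertext, key):
    """Same keyword, modular subtraction instead of addition."""
    n = len(key)
    return to_text([y - key[i % n] for i, y in enumerate(to_nums(ciphertext))], upper=False)


def inverse_permutation(pi):
    """pi is 1-based: pi[j-1] = pi(j). Return pi^{-1} in the same convention."""
    inv = [0] * len(pi)
    for j, image in enumerate(pi, start=1):
        inv[image - 1] = j
    return inv


def permutation_encrypt(plaintext, pi):
    """Apply y_j = x_{pi(j)} to each block of n = len(pi) letters.
    The text length must be a multiple of n (the notes' example already is)."""
    n = len(pi)
    if len(plaintext) % n:
        raise ValueError("plaintext length must be a multiple of the block size")
    out = []
    for start in range(0, len(plaintext), n):
        block = plaintext[start:start + n]
        out.append("".join(block[pi[j] - 1] for j in range(n)))
    return "".join(out).upper()


def permutation_decrypt(ciphertext, pi):
    """Decrypt with the inverse permutation: x_j = y_{pi^{-1}(j)}."""
    return permutation_encrypt(ciphertext, inverse_permutation(pi)).lower()


if __name__ == "__main__":
    print(vigenere_encrypt("vector", [2, 4, 6, 7]))                 # XIIAQV
    print(permutation_encrypt("followashore", [3, 5, 1, 6, 4, 2]))  # LOFWLOHRAEOS
    print(inverse_permutation([3, 5, 1, 6, 4, 2]))                  # [3, 6, 1, 5, 2, 4]
```

Both ciphers are linear in the plaintext positions, which is exactly what the attacks of Section 3 exploit: the Vigenère key falls out of n known (plaintext, ciphertext) letters, and the permutation key out of one known block.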

3 Cryptanalysis

Now that we are familiar with some simple classical cryptosystems, we might be interested in how secure they are (or how one could go about breaking them). In doing so, we turn to cryptanalysis, and start by considering one of the most important assumptions in modern cryptography, namely Kerckhoffs' principle.

3.1 Kerckhoffs' Principle

Kerckhoffs' principle was introduced in 1883 by Auguste Kerckhoffs, and it states that in assessing the security of a cryptosystem, one should always assume that the attacker knows all details of the cryptosystem being used, except the key. In other words, the attacker knows the tuple (P, C, K, E, D) defining the cryptosystem. Therefore, the security of the system must rest on the secrecy of the key, and not on the obscurity of the cryptographic algorithm.

3.2 Attack models

An attacker can have different goals when attacking a channel between communicating parties. For example, an attacker may wish to:

1. Read one specific message.
2. Find the encryption/decryption key, and thus read all of the exchanged messages.
3. Corrupt Alice's message into another message in such a way that Bob thinks that Alice sent the altered message.
4. Masquerade as Alice in order to communicate with Bob such that Bob believes he is communicating with Alice.

For each of these goals, there are four main types of attacks that an attacker can use; the types differ in the amount of information the attacker has available when trying to determine the key. Those four attack types are as follows.

Type of attack              Description
Ciphertext-only attack      Eve only observes the ciphertext y.
Known-plaintext attack      Eve knows the ciphertext y corresponding to some plaintext x.
Chosen-plaintext attack     Eve has temporary access to an encryption box: it takes any plaintext x of her choice and outputs the corresponding ciphertext y.
Chosen-ciphertext attack    Eve has temporary access to a decryption box: it takes any ciphertext y of her choice and outputs the corresponding plaintext x.

Based on these models, we can analyze the security of every cryptosystem. The attacks are listed from weakest to strongest: a cryptosystem that resists chosen-ciphertext attacks also resists the other three.

3.3 Cryptanalysis of the Shift Cipher

– Ciphertext only: Let K = 3 and the plaintext be shift. We then get VKLIW as the ciphertext (a right shift by 3). Assume Eve knows only the ciphertext VKLIW and that a shift cipher was used. Given the small key space, Eve can simply try all 26 possible shifts (shifting left to undo the encryption):

vkliw → ujkhv (1st left shift) → tijgu (2nd left shift) → shift (3rd left shift), and so on.

Since "shift" is the only dictionary word among the 26 candidates, Eve concludes that it is the plaintext, and thereby also recovers the key K = 3.

– Known plaintext: If Eve knows a (plaintext, ciphertext) pair, then Eve can find the key by subtracting the plaintext from the ciphertext mod 26. For instance, if Eve knows that plaintext b corresponds to ciphertext E, then Eve can determine that K = 3.

– Chosen plaintext: Choose letter a as plaintext; the resulting ciphertext will be the key. For example, if the ciphertext is P then K = 15.

– Chosen ciphertext: Choose A as the ciphertext. The plaintext is then −K mod 26, from which K follows.

3.4 Remarks on the Letter Distribution of the English Language

English text has different frequencies for different letters. An estimate of the relative frequencies (probabilities) of the 26 letters is given in Table 1. Note that the letter e has the maximum relative frequency of 0.127.

Table 1. Probabilities of occurrence of the 26 letters of the English alphabet.

A 0.082   B 0.015   C 0.028   D 0.043   E 0.127   F 0.022   G 0.020   H 0.061   I 0.070   J 0.002   K 0.008   L 0.040   M 0.024
N 0.067   O 0.075   P 0.019   Q 0.001   R 0.060   S 0.063   T 0.091   U 0.028   V 0.010   W 0.023   X 0.001   Y 0.020   Z 0.001

Similarly we can define frequencies of digrams, trigrams, initial letters, final letters, etc. More generally, we can use the statistical properties of the English language to perform cryptanalysis. A key observation is that the vowels a, e, i, o and the consonants t, n, s, h, d have relatively high probability of appearance in English text. Table 2 gives the rank order of the vowels by frequency, and Table 3 the rank order of the consonants t, n, s, h, d.

Table 2. Rank order of the probabilities of occurrence of the vowels.

E 0.127   A 0.082   O 0.075   I 0.070   U 0.028

Table 3. Probabilities of the most frequently occurring consonants.

T 0.091   N 0.067   S 0.063   H 0.061   D 0.043

3.5 Cryptanalysis of the Affine Cipher

– Ciphertext only attack: Let's assume that Eve has intercepted the following ciphertext:

FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH

The most frequent letters are R with 8 occurrences, D with 7, E, H, and K with 5, and F and V with 4. Since e and t are the most frequent English letters (Table 1), the first guess is that R = e and D = t. Given the encryption function

eK (x) = ax + b (5)

we get the following linear system:

4a + b ≡ 17 (mod 26), (6)
19a + b ≡ 3 (mod 26). (7)

Subtracting (6) from (7) gives 15a ≡ −14 ≡ 12 (mod 26); since 15^{-1} ≡ 7 (mod 26), a ≡ 12 · 7 ≡ 6 and b ≡ 17 − 4a ≡ 19 (mod 26). So the system has the unique solution a = 6, b = 19 (a solution must lie in Z_26). But for the affine cipher a has to be relatively prime to 26, and gcd(26, 6) = 2, so a = 6, b = 19 is not a valid key. The second guess is R = e and E = t; solving the corresponding system yields a = 13, which again is not a legal key. The third guess is R = e and K = t, which yields a = 3 and b = 5. Since this is a valid key, we decrypt the entire ciphertext with x = a^{-1}(y − b) = 9(y − 5) mod 26 to see whether we get meaningful English text:

algorithms are quite general definitions of arithmetic processes

Note: Besides the statistical analysis, Eve could have tried all possible 312 pairs (a, b) that constitute a valid key for the affine cipher.

– Known plaintext attack: Suppose Eve knows that the plaintext uw = (20, 22) encrypts to the ciphertext KQ = (10, 16). She can then set up the following system of linear equations:

10 ≡ 20a + b (mod 26), (8)
16 ≡ 22a + b (mod 26). (9)

Subtracting (8) from (9) gives 6 ≡ 2a (mod 26), i.e., 2a = 26q + 6, so a = 3 or a = 16. Since gcd(16, 26) ≠ 1, a = 3. From Equation (8) we then obtain b:

10 ≡ 20 × 3 + b (mod 26), (10)
i.e., b ≡ −50 (mod 26), (11)
i.e., b = 26q − 50 with q = 2, so b = 2. (12)

Hence Eve only needs to know two (plaintext, ciphertext) pairs; when the difference of the two plaintext letters is not invertible modulo 26, as here, the spurious solution is ruled out by the gcd condition.

– Chosen plaintext: If Eve can choose ab = (0, 1) as plaintext, the ciphertext will be:

0 × a + b ≡ b (mod 26), (13)
1 × a + b ≡ a + b (mod 26), (14)

and Eve reads off b from the first letter and a from the difference of the two, i.e., she easily finds the key K.

– Chosen ciphertext: Eve chooses AB = (0, 1) as ciphertext and proceeds as above: the decryptions are a^{-1}(−b) and a^{-1}(1 − b), whose difference is a^{-1}, from which a and then b follow.

3.6 Cryptanalysis of the Vigenère Cipher

– Known plaintext attack: If Eve knows at least n (plaintext, ciphertext) pairs, i.e., one full key period, then subtracting the plaintext from the ciphertext position by position yields the vector of n keys.

– Chosen plaintext attack: Eve can simply choose x = aa...a (n copies of a, i.e., the all-zero vector) as plaintext, and the ciphertext she gets back is the key K itself:

    plaintext:   a   a   a  ...  a   =   0   0   0  ...  0
  + key:         K1  K2  K3 ...  Kn
  = ciphertext:  K1  K2  K3 ...  Kn

Note: Eve does not have to choose x = aa...a as plaintext; any known plaintext of length n reveals the key K.

– Chosen ciphertext attack: Eve chooses y = AA...A (n copies of A) as ciphertext, and the plaintext obtained is the negative of the key K (mod 26):

    ciphertext:  A   A   A  ...  A   =   0   0   0  ...  0
  − key:         K1  K2  K3 ...  Kn
  = plaintext:  −K1 −K2 −K3 ... −Kn

Again, Eve does not need to choose AA...A as the ciphertext; any chosen ciphertext of length n will do.
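The attacks of Sections 3.3, 3.5 and 3.6 carried out in code: the 26-way brute force on the shift cipher, the frequency-analysis and known-plaintext attacks on the affine cipher (a brute force over the 312 legal keys handles the non-invertible step 2a ≡ 6 that arises in the known-plaintext example), and key recovery for the Vigenère cipher from n known plaintext letters. This is an added example rather than code from the notes. The embedded ciphertext is the affine example above; the candidate ordering (most frequent ciphertext letter = e, then successive letters tried as t, ties broken alphabetically) is an assumption, and with it the candidates for t are D, E, H and K in turn, one more than the notes try.

```python
"""Attacks on the shift, affine and Vigenère ciphers from Section 3, using the notes' examples."""
from collections import Counter
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
VALID_A = [a for a in range(26) if gcd(a, 26) == 1]   # the 12 legal affine multipliers


def nums(text):
    return [ALPHABET.index(c) for c in text.lower()]


def text(ns):
    return "".join(ALPHABET[n % 26] for n in ns)


def shift_candidates(ciphertext):
    """Ciphertext-only attack on the shift cipher: all 26 left shifts. Entry k is the plaintext if K = k."""
    return [text(y - k for y in nums(ciphertext)) for k in range(26)]


def affine_decrypt(ciphertext, a, b):
    """x = a^{-1} (y - b) mod 26."""
    a_inv = pow(a, -1, 26)
    return text(a_inv * (y - b) for y in nums(ciphertext))


def affine_keys_from_pairs(pairs):
    """All legal (a, b) with a*x + b = y (mod 26) for every (x, y) in pairs.
    Trying the 12 * 26 = 312 legal keys avoids dividing by a non-invertible difference
    (the notes' 2a = 6 step, which has the solutions a = 3 and the illegal a = 16)."""
    return [(a, b) for a in VALID_A for b in range(26)
            if all((a * x + b) % 26 == y for x, y in pairs)]


def affine_ciphertext_only(ciphertext):
    """Frequency analysis: assume the most frequent ciphertext letter is e, then try the next
    most frequent letters as t until a legal key appears. Returns (guesses tried, key, plaintext);
    a guess that yields no legal key is recorded with key None."""
    counts = Counter(ciphertext.upper())
    ranked = [ch for ch, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]
    e_img, tried = ranked[0], []
    for t_img in ranked[1:]:
        keys = affine_keys_from_pairs([(4, ALPHABET.index(e_img.lower())),    # e = 4
                                       (19, ALPHABET.index(t_img.lower()))])  # t = 19
        tried.append((e_img, t_img, keys[0] if keys else None))
        if keys:
            a, b = keys[0]
            return tried, (a, b), affine_decrypt(ciphertext, a, b)
    return tried, None, None


def vigenere_key_from_known_plaintext(plaintext, ciphertext, n):
    """Known-plaintext attack: n aligned letters give K_i = y_i - x_i (mod 26)."""
    return [(y - x) % 26 for x, y in zip(nums(plaintext[:n]), nums(ciphertext[:n]))]


# Constructed inputs, taken from the worked examples in the notes.
AFFINE_CT = "FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH"

if __name__ == "__main__":
    print(shift_candidates("VKLIW")[3])                         # shift
    tried, key, pt = affine_ciphertext_only(AFFINE_CT)
    print(tried, key, pt)                                       # ..., (3, 5), algorithmsare...
    print(affine_keys_from_pairs([(20, 10), (22, 16)]))         # [(3, 2)]   (uw -> KQ)
    print(vigenere_key_from_known_plaintext("vector", "XIIAQV", 4))  # [2, 4, 6, 7]
```

The chosen-plaintext and chosen-ciphertext attacks are the same solver fed with the pairs (0, b) and (1, a + b), or their decryption counterparts, so they need no separate code.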

4 Data Encryption Standard (DES)

The Data Encryption Standard was designed by IBM in collaboration with the National Bureau of Standards (NBS, the predecessor of NIST), with input from the NSA. In 1977, NBS published DES as a standard for use in commercial and non-classified applications. The last version of the standard is NIST Federal Information Processing Standards Publication (FIPS PUB) 46-3, which was withdrawn in 2005. DES takes as input a 64-bit plaintext and a 56-bit key, and gives as output a 64-bit ciphertext. Hence, the plaintext space P and the ciphertext space C both consist of all 64-bit strings; formally, P = C = {0, 1}^64. The set of possible keys K is the set of all 56-bit strings, i.e., K = {0, 1}^56 (in practice the key is written as 64 bits, of which 8 are parity bits). We first describe encryption in DES, followed by decryption in DES, and then discuss the Triple DES cryptosystem.

4.1 Encryption in DES

DES encryption consists of the following three steps, illustrated in Figure 1:
– Initial permutation,
– Iterated round function, and
– Final permutation.
The encryption takes a plaintext string x and key K as inputs, and gives as output a ciphertext y.

1. Initial permutation: The initial permutation is applied to the plaintext x. This step reorders the bits of the plaintext; its output is a 64-bit string, written as (L0, R0), where L0 and R0 are the left and right 32 bits, respectively. The initial permutation is fixed and specified by the design of DES. It was chosen by the designers to make DES easier to implement in hardware, and it adds no cryptographic strength.

[Figure 1: Plaintext → Initial permutation (IP) → (L0, R0); Round 1 computes F(L0, R0, K1) → (L1, R1); Round 2 computes F(L1, R1, K2) → (L2, R2); ...; Round 16 computes F(L15, R15, K16) → (L16, R16) → Inverse IP → Ciphertext. The round keys K1, ..., K16 are derived from the Key.]

Fig. 1. Block diagram of DES encryption.

2. Iterated round function: This step consists of 16 rounds. For each i = 1, 2, ..., 16, the inputs to round i are the left and right bit strings Li−1 and Ri−1 and the 48-bit round key Ki. The round keys are produced by the key schedule: K1 is computed from the key K, and each subsequent round key Ki is computed as a function of the previous round key Ki−1, for i = 2, ..., 16. The output of the round is (Li, Ri); the computation of (Li, Ri) is described in detail below.
3. Final permutation: The final permutation is applied to the output of the 16th round, (L16, R16), to obtain the ciphertext. The final permutation is fixed and is the inverse of the initial permutation. (In the standard, the two halves are swapped once more before the final permutation; this is what makes DES decryption identical to DES encryption with the round keys used in reverse order.)

Computation of each round of DES encryption. The i-th round of DES takes as input (Li−1,Ri−1) and the round key Ki, and gives output (Li,Ri), where

Li = Ri−1

Ri = Li−1 ⊕ f(Ri−1,Ki)

Here, ⊕ denotes bitwise XOR (e.g., 0 ⊕ 0 = 0, 1 ⊕ 1 = 0, and 0 ⊕ 1 = 1 ⊕ 0 = 1). The procedure is illustrated in Figure 2. The function f is the round function: it expands the 32-bit Ri−1 to 48 bits, XORs the result with the 48-bit round key Ki, passes the result through eight substitution boxes (S-boxes), each mapping 6 input bits to 4 output bits, and finally permutes the resulting 32 bits. The S-boxes are the only nonlinear part of DES, and f need not be invertible for the cipher to be decryptable, as the derivation in Section 4.2 shows.

[Figure 2: inputs Li−1 and Ri−1; Ri−1 and the round key Ki enter f; the output of f is XORed with Li−1; outputs Li = Ri−1 and Ri = Li−1 ⊕ f(Ri−1, Ki).]

Fig. 2. Block diagram of one round of DES encryption.

The goal of the 16 rounds is to thoroughly mix the plaintext x with the key. At each round, the halves Li−1 and Ri−1 are swapped, and f(Ri−1, Ki) is XORed into Li−1 to form the new right half Ri. Since f depends on the round key, which is unknown to the adversary, the output of each round is unpredictable to the adversary. The number of rounds is 16 for security reasons: Biham and Shamir showed that differential cryptanalysis breaks reduced-round variants of DES much faster than exhaustive search, whereas against the full 16 rounds it still needs about 2^47 chosen plaintexts (see B. Schneier, Applied Cryptography).

Example of DES encryption. Define a 64-bit plaintext x and a 64-bit key K (56 key bits plus 8 parity bits, the form in which DES keys are written in practice) in hexadecimal as

x = f3f308755ea138fb K = 36cfd336a3963d42

Then the ciphertext computed using DES is given by

Y = d162ffec85b98da5.

This ciphertext was computed using the online tools at http://tripledes.online-domain-tools.com/?do=form-submit.

4.2 Decryption in DES

Decryption in DES has the same basic structure as encryption and is accomplished via three steps: initial permutation, iterated round function, and final permutation.
1. Initial permutation: The inverse of the final permutation (that is, the initial permutation IP itself) is applied to the ciphertext, in order to obtain (L16, R16).
2. Iterated round function: For i = 16, 15, ..., 1, (Li−1, Ri−1) is computed from (Li, Ri) as

Ri−1 = Li

Li−1 = Ri ⊕ f(Li, Ki)

After the 16 rounds, (L0, R0) is obtained. Note that the round keys are used in reverse order, K16 first. The derivation of the decryption rule at each round is given below.
3. Final permutation: The inverse of the initial permutation is applied to (L0, R0), resulting in the plaintext.

Computation of each round of DES decryption. At round i of DES decryption, we are given (Li, Ri) and need to compute (Li−1, Ri−1). From the encryption rule, (Li−1, Ri−1) and (Li, Ri) are related by

Li = Ri−1 (15)

Ri = Li−1 ⊕ f(Ri−1,Ki) (16)

We then have

Li = Ri−1 ⇒ Ri−1 = Li (17)

Ri = Li−1 ⊕ f(Ri−1,Ki) (18)

⇒ Li−1 = Ri ⊕ f(Ri−1,Ki) (19)

= Ri ⊕ f(Li,Ki) (20)

Eq. (19) follows by XORing both sides of (18) with f(Ri−1,Ki), using the fact that a ⊕ a = 0 for any bit string a. Substituting Eq. (17) into Eq. (19) yields Eq. (20).

[Figure 3: inputs Li and Ri; Li and the round key Ki enter f; the output of f is XORed with Ri; outputs Ri−1 = Li and Li−1 = Ri ⊕ f(Li, Ki).]

Fig. 3. Block diagram of one round of DES decryption.

Security of DES. The main security drawback of DES is its 56-bit key. A brute-force search over the 2^56 possible keys is feasible with existing hardware: in 1998 the Electronic Frontier Foundation's purpose-built DES cracker recovered a key in about 56 hours, and today's FPGA or GPU clusters do it faster still. A symmetric-key cryptosystem with a longer key was therefore needed, which motivated the Advanced Encryption Standard discussed below.

4.3 Triple DES

DES uses a 56-bit key. Since exhaustive search over the 2^56 possible keys is within the limits of modern computing power, a modification of DES, denoted Triple DES, was designed to increase the size of the key space while retaining the DES block cipher itself. Like DES, Triple DES has plaintext space P = {0, 1}^64 and ciphertext space C = {0, 1}^64. The main difference is that Triple DES uses three keys, KA, KB, and KC. To encrypt using Triple DES, the ciphertext Y is given by Y = EKC(DKB(EKA(x))). This encryption is illustrated in Figure 4. Note that the middle operation is DES decryption using the key KB.

[Figure 4: x → E (key KA) → D (key KB) → E (key KC) → Y.]

Fig. 4. Triple DES encryption.

In order to decrypt a ciphertext Y that was encrypted using Triple DES, the plaintext is given by x = DKA(EKB(DKC(Y))). Depending on the key length, different relationships between the keys KA, KB, and KC have been prescribed, as shown in Table 4. With KA = KB = KC, Triple DES reduces to single DES, which is why the encrypt-decrypt-encrypt form was chosen: it lets Triple DES hardware interoperate with single DES. Triple DES greatly increases the workload of an attacker attempting exhaustive search, but not to 2^168: a meet-in-the-middle attack recovers three independent keys with about 2^112 work, and the two-key variant offers well under 112 bits of security. Its 64-bit block is also a limitation for large volumes of data, and NIST has since deprecated Triple DES in favor of AES.

Table 4. Relationship between Triple DES keys based on the key length.

Key length   Relationship between keys
56 bits      KA = KB = KC (equivalent to single DES)
112 bits     KA = KC, KB independent of KA and KC (two-key Triple DES)
168 bits     KA, KB, and KC independent of each other (three-key Triple DES)

Example of triple DES encryption. Consider triple DES with key length 112 bits. Define a 64-bit plaintext x and 112-bit key K in hexadecimal as

x = f3f308755ea138fb K = bf39f2a2540e3cc98930b403f2a2

so that KA = KC = bf39f2a2540e3c and KB = c98930b403f2a2. The resulting ciphertext is given by

Y = 3ae59e80eea44e03.

The ciphertext was computed using the online tool at http://tripledes.online-domain-tools.com/?do=form-submit.
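A DES-shaped Feistel cipher exercising the round equations of Sections 4.1 and 4.2 and the EDE construction of Section 4.3. This is an added example, not code from the notes and not DES: the initial permutation, key schedule and round function f are toy stand-ins (assumptions, built from SHA-256 so that f is visibly non-invertible), so it will not reproduce the ciphertexts quoted above. What it does show is that decryption with Li−1 = Ri ⊕ f(Li, Ki) undoes encryption round by round regardless of f, that the final permutation has to be the inverse of the initial one, and that EDE with KA = KB = KC collapses to a single encryption.

```python
"""A DES-shaped 16-round Feistel cipher on 64-bit blocks, plus the EDE (Triple DES) construction.
The components are toys; the structure is what is being demonstrated."""
import hashlib

ROUNDS = 16
HALF = (1 << 32) - 1
# Hypothetical fixed initial permutation (NOT DES's IP table): output bit j <- input bit 11*j mod 64.
IP = [(11 * j) % 64 for j in range(64)]
IP_INV = [0] * 64
for _j, _src in enumerate(IP):
    IP_INV[_src] = _j


def permute(x, table):
    """Bit permutation: output bit j is input bit table[j]."""
    return sum(((x >> src) & 1) << j for j, src in enumerate(table))


def round_keys(key):
    """Toy key schedule (assumption, not DES's): K_i = first 32 bits of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]


def f(right, k):
    """Toy round function: a keyed hash of the right half. It is NOT invertible, which is
    fine: the Feistel structure never needs to invert f (it stands in for DES's E, S-boxes and P)."""
    d = hashlib.sha256(right.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def feistel_encrypt(block, keys):
    L, R = block >> 32, block & HALF
    for k in keys:                     # L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, K_i)
        L, R = R, L ^ f(R, k)
    return (L << 32) | R


def feistel_decrypt(block, keys):
    L, R = block >> 32, block & HALF
    for k in reversed(keys):           # R_{i-1} = L_i;  L_{i-1} = R_i xor f(L_i, K_i)
        L, R = R ^ f(L, k), L
    return (L << 32) | R


def des_like_encrypt(pt8, key):
    """IP, 16 rounds, then the inverse of IP."""
    x = int.from_bytes(pt8, "big")
    y = permute(feistel_encrypt(permute(x, IP), round_keys(key)), IP_INV)
    return y.to_bytes(8, "big")


def des_like_decrypt(ct8, key):
    """Undo the final permutation (apply IP), run the rounds backwards, undo IP."""
    y = int.from_bytes(ct8, "big")
    x = permute(feistel_decrypt(permute(y, IP), round_keys(key)), IP_INV)
    return x.to_bytes(8, "big")


def ede_encrypt(pt8, ka, kb, kc):
    """Triple DES encryption Y = E_KC(D_KB(E_KA(x)))."""
    return des_like_encrypt(des_like_decrypt(des_like_encrypt(pt8, ka), kb), kc)


def ede_decrypt(ct8, ka, kb, kc):
    """Triple DES decryption x = D_KA(E_KB(D_KC(Y)))."""
    return des_like_decrypt(des_like_encrypt(des_like_decrypt(ct8, kc), kb), ka)


if __name__ == "__main__":
    pt, key = bytes.fromhex("f3f308755ea138fb"), bytes.fromhex("36cfd336a3963d42")
    ct = des_like_encrypt(pt, key)
    print(ct.hex(), des_like_decrypt(ct, key) == pt)
    print(ede_encrypt(pt, key, key, key) == ct)     # KA = KB = KC is single encryption
```

Because f is a one-way hash here, the example also makes concrete why a Feistel round function is not required to be a permutation: decryption recomputes f on the same input the encryptor used and XORs it out again.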

5 Advanced Encryption Standard

The Advanced Encryption Standard (AES) is a symmetric-key block cipher selected by the National Institute of Standards and Technology (NIST) in 2000, at the end of an open competition, and published as FIPS PUB 197 in 2001. AES is based on the Rijndael cipher designed by Joan Daemen and Vincent Rijmen. AES has a fixed block size of 128 bits and three key sizes, namely 128, 192, and 256 bits. Like DES, AES is an iterated block cipher, but its design is based on a substitution-permutation network rather than a Feistel network. The cipher has a key schedule (key expansion) algorithm which takes a key of length 128 (or 192, 256) bits and generates Nr + 1 round keys of 128 bits each: one for the initial key addition and one for each of the Nr rounds.

5.1 AES Encryption Algorithm

We describe AES with a 128-bit block and a 128-bit key, so that P = C = K = {0, 1}^128. A 128-bit plaintext is split into bytes m = m0 m1 ... m15, and the bytes are loaded column by column into a 4 × 4 state matrix (byte mi goes to row i mod 4, column ⌊i/4⌋, as specified in FIPS 197):

$$\text{State} = \begin{pmatrix} m_0 & m_4 & m_8 & m_{12} \\ m_1 & m_5 & m_9 & m_{13} \\ m_2 & m_6 & m_{10} & m_{14} \\ m_3 & m_7 & m_{11} & m_{15} \end{pmatrix}$$

The entries of the state are treated as elements of GF(2^8), the Galois field with 2^8 elements. Like DES, AES consists of multiple rounds. The input to the first round is the plaintext (after an initial key addition) and the output of the final round is the ciphertext. The number of rounds Nr depends on the length of the key: for key lengths 128, 192, and 256 bits, Nr = 10, 12, and 14, respectively. Each round of AES is composed of four transformations, namely:
– SubBytes,
– ShiftRows,
– MixColumns, and
– AddRoundKey,
except that the final round omits MixColumns. We briefly describe these transformations below.

[Figure 5: the 4 × 4 byte state (m_{i,j}) is mapped by SubBytes to (a_{i,j}), by ShiftRows to (b_{i,j}), by MixColumns to (c_{i,j}), and by AddRoundKey to (d_{i,j}).]

Fig. 5. AES round function transition.

1. SubBytes: A nonlinear substitution layer in which each byte of the state is replaced using a fixed 8-bit substitution box (S-box). The S-box is the multiplicative inverse in GF(2^8) followed by an affine transformation over GF(2); it is usually implemented as a 256-entry look-up table.
2. ShiftRows: The rows of the state are cyclically shifted to the left. The first row is unchanged, and the bytes of the second, third, and fourth rows are shifted one, two, and three positions to the left, respectively.
3. MixColumns: This transformation operates on each column of the state. A column is treated as a polynomial of degree at most 3 over GF(2^8) and multiplied modulo x^4 + 1 by the fixed polynomial c(x) = {03}x^3 + {01}x^2 + {01}x + {02}; equivalently, each column is multiplied by a fixed 4 × 4 matrix over GF(2^8).
4. AddRoundKey: The 128-bit round key is added to the state by a bitwise XOR. The round keys are obtained from the key schedule, described in Section 3.5.3 of Kaufman, Perlman, and Speciner. Note that the round keys are different for different rounds.

Each of the round transformations is invertible, which is what makes decryption possible. The AES encryption algorithm is given as Algorithm 1 below, where RoundKey_0, ..., RoundKey_Nr are the Nr + 1 round keys produced by the key schedule. Note that the loop runs Nr − 1 times; the final round, written out after the loop, is the Nr-th round and omits MixColumns.

Algorithm 1 AES encryption algorithm

procedure AES_Encrypt(Plaintext, Key, Nr)
    RoundKey_0, ..., RoundKey_Nr ← KeyExpansion(Key)
    State ← Plaintext
    State ← AddRoundKey(State, RoundKey_0)
    for i = 1, ..., Nr − 1 do
        State ← SubBytes(State)
        State ← ShiftRows(State)
        State ← MixColumns(State)
        State ← AddRoundKey(State, RoundKey_i)
    end for
    State ← SubBytes(State)
    State ← ShiftRows(State)
    State ← AddRoundKey(State, RoundKey_Nr)
    Ciphertext ← State
    return Ciphertext
end procedure

Example of AES encryption. Define a 128-bit plaintext x and 128-bit key K in hexadecimal as

x = 6f531e11f950e24c6dfeac34acaf766d
K = e1adf1f89ce60b77ac4544ba27be8b26

Then the ciphertext computed using AES is given by

Y = 004d879da0723a0ea1eb86329ba2db68.

As in the DES examples, this ciphertext was computed at http://tripledes.online-domain-tools.com/?do=form-submit.

5.2 AES Decryption Algorithm

The decryption function of AES is composed of the inverse transformations InvShiftRows, InvSubBytes, InvMixColumns, and AddRoundKey (which is its own inverse, since XORing the same round key twice cancels). Because decryption must undo the encryption steps in reverse order, the round key is added before InvMixColumns within each round, and the round keys are used in reverse order. The decryption algorithm of AES is given as Algorithm 2 below.

Algorithm 2 AES decryption algorithm

procedure AES_Decrypt(Ciphertext, Key, Nr)
    RoundKey_0, ..., RoundKey_Nr ← KeyExpansion(Key)
    State ← Ciphertext
    State ← AddRoundKey(State, RoundKey_Nr)
    for i = Nr − 1 down to 1 do
        State ← InvShiftRows(State)
        State ← InvSubBytes(State)
        State ← AddRoundKey(State, RoundKey_i)
        State ← InvMixColumns(State)
    end for
    State ← InvShiftRows(State)
    State ← InvSubBytes(State)
    State ← AddRoundKey(State, RoundKey_0)
    Plaintext ← State
    return Plaintext
end procedure
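AES-128 written out from the four round transformations and the key schedule described above, with decryption in the order of Algorithm 2. This is an added, table-free reference implementation for study only (it computes the S-box from the GF(2^8) inverse and the affine map rather than hard-coding it, and has no side-channel protection, so it is not for production use); it is not code from the notes or from FIPS 197, but it reproduces the FIPS 197 test vectors, and a reader can use it to check the online-tool example above.

```python
"""AES-128 from the round transformations: SubBytes, ShiftRows, MixColumns, AddRoundKey.
The state is a flat list of 16 bytes in input order; byte r + 4c is row r, column c (column-major)."""


def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def gmul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (FIPS 197, Sec. 5.1.1)."""
    sbox = []
    for x in range(256):
        inv = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX, INV_MIX = (2, 3, 1, 1), (14, 11, 13, 9)   # first rows of the circulant MixColumns matrices


def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s, direction=1):
    """Row r is rotated left by r positions (direction = -1 rotates right: the inverse)."""
    return [s[r + 4 * ((c + direction * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s, m=MIX):
    """Multiply each column by the circulant matrix with first row m (INV_MIX inverts MIX)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            acc = 0
            for j in range(4):
                acc ^= gmul(m[(j - r) % 4], col[j])
            out.append(acc)
    return out


def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]


def expand_key(key16):
    """Key schedule: 44 words w[i]; round key i is w[4i..4i+3] (11 round keys for Nr = 10)."""
    w = [list(key16[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # SubWord(RotWord(t))
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * i:4 * i + 4], []) for i in range(11)]


def aes128_encrypt(pt16, key16):
    rk = expand_key(key16)
    s = add_round_key(list(pt16), rk[0])
    for i in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[i])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])   # final round: no MixColumns
    return bytes(s)


def aes128_decrypt(ct16, key16):
    """Inverse cipher (Algorithm 2): inverse steps in reverse order, round keys reversed,
    with AddRoundKey applied before InvMixColumns inside each round."""
    rk = expand_key(key16)
    s = add_round_key(list(ct16), rk[10])
    for i in range(9, 0, -1):
        s = mix_columns(add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[i]), INV_MIX)
    s = add_round_key(sub_bytes(shift_rows(s, -1), INV_SBOX), rk[0])
    return bytes(s)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")       # FIPS 197 Appendix C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    ct = aes128_encrypt(pt, key)
    print(ct.hex(), aes128_decrypt(ct, key) == pt)
```

Swapping the order of AddRoundKey and InvMixColumns in the decryption loop, as a naive reading of the transformation list might suggest, breaks the round trip; the FIPS 197 "equivalent inverse cipher" can move the key addition past InvMixColumns only by applying InvMixColumns to the round keys themselves.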

6 Encrypting Large Plaintext: Modes of Operation

Thus far, we have considered the encryption of plaintexts of one specific length (64 bits for DES, 128 bits for AES). In practice, however, plaintexts will typically be (much) larger than 128 bits. In order to encrypt larger plaintexts without increasing the size of the key, while still providing the same security guarantees as DES and/or AES, the plaintext is broken into blocks of equal size (e.g., 64 bits if DES is to be used, or 128 bits if AES is to be used). The ciphertext is then generated by performing encryption operations on these smaller blocks. There are many methods for computing the overall ciphertext from the per-block encryptions; these methods are called modes of operation.

6.1 Electronic Code Book (ECB) mode

Electronic Code Book (ECB) is the most straightforward approach to encrypting a large plaintext. ECB divides the plaintext x into m blocks, each consisting of n bits. If the plaintext length L is not a multiple of n, then ECB pads the plaintext with n − (L mod n) bits according to a prespecified rule (in practice a scheme such as PKCS#7, which always adds at least one byte so that the padding can be removed unambiguously). We denote the blocks as x1, ..., xm. The block size n depends on the cryptosystem that is used: 64 bits for DES and 128 bits for AES.

In ECB, the encryption function EK(·) is applied to each block separately, Yi = EK(xi) for i = 1, ..., m, and the ciphertext Y corresponding to plaintext x is the concatenation of the blocks: Y = Y1||Y2||···||Ym. Hence, under ECB, the plaintext is divided into m blocks, each block is encrypted separately using the key K, and the ciphertext is formed by combining the blocks. To decrypt, divide the ciphertext into m blocks, Y = Y1||···||Ym, decrypt each ciphertext block to obtain xi = DK(Yi), and concatenate: x = x1||···||xm. ECB is illustrated in Figure 6.

[Figure 6: plaintext blocks x1, ..., x5 are each encrypted with E under the key K, giving Y1, ..., Y5.]

Fig. 6. ECB mode for encryption.

Problems with ECB mode: While ECB is straightforward to compute, it leaks information about the plaintext to an attacker who knows the block size (a reasonable assumption, since the block size is fixed by the standard). In particular, if two plaintext blocks are the same (xi = xj for some i ≠ j), then the corresponding ciphertext blocks are the same, since Yi = EK(xi) = EK(xj) = Yj. Repeated structure in the plaintext (headers, padding, the pixels of an image) is therefore visible in the ciphertext, and an attacker can also cut, reorder, or paste ciphertext blocks between messages without detection. Ensuring that repeated plaintext blocks do not produce repeated ciphertext blocks is a desirable property of a mode of operation. Two such modes, CBC and CTR, are described below.

6.2 Cipher Block Chaining (CBC) mode

CBC mode was created to address the security flaw in ECB, namely the fact that two identical blocks of plaintext yield identical blocks of ciphertext. CBC avoids this problem by introducing dependencies between the blocks of ciphertext, so that each ciphertext block acts as an input to the encryption of the next plaintext block. Hence, even if two plaintext blocks are identical, the corresponding ciphertext blocks will (almost certainly) be different, because the preceding ciphertext blocks, which are XORed in, are different. We formalize the definition and argument as follows.

Encryption in CBC mode. Encryption in CBC mode is illustrated in Figure 7. As in ECB, the plaintext x is divided into m blocks of size n, denoted x1, ..., xm. If the plaintext length L is not a multiple of n, then CBC pads the plaintext with n − (L mod n) bits according to a prespecified padding rule. The first step is to generate an n-bit initialization vector IV at random. The encryption of the first block is Y1 = EK(x1 ⊕ IV). For each subsequent block xi, i > 1, the ciphertext Yi is given by Yi = EK(Yi−1 ⊕ xi). Thus each block of ciphertext is obtained by XORing the previous ciphertext block with the current plaintext block, and then encrypting under key K. The output is the ciphertext Y = Y1||···||Ym, together with IV (which need not be kept secret).

[Figure 7: x1 is XORed with IV and each later xi with the previous ciphertext block; each XOR result is encrypted with E under the secret key, giving Y1, ..., Y7.]

Fig. 7. CBC encryption.

Remarks on CBC mode encryption. We observe that even if xi = xj for some i ≠ j, Yi ≠ Yj unless Yi−1 = Yj−1, which is very unlikely if the cryptosystem is well designed. We remark briefly on the role of the initialization vector IV. In some implementations of CBC, IV is chosen to be a fixed value, or set to 0. This shortens the transmitted message, since the IV is no longer sent with the ciphertext. On the other hand, if the same IV is used for every message, then encrypting the same plaintext twice under the same key yields the same ciphertext (and, more generally, two messages with a common prefix yield ciphertexts with a common prefix), which lets an eavesdropper infer that the same message was sent twice. Choosing a fresh IV for each encryption ensures that the ciphertexts differ even if the key and plaintext are the same. The IV must be unpredictable to the attacker, not merely unique: if the attacker can predict the IV that will be used for the next message, chosen-plaintext attacks on CBC become possible. Note also that CBC by itself provides no integrity; a ciphertext can be modified so that it decrypts to a predictably altered plaintext, so CBC must be combined with a message authentication code in practice.

Decryption in CBC mode. Decryption in CBC mode mirrors encryption: each ciphertext block Yi is decrypted and the result is XORed with the previous ciphertext block, xi = DK(Yi) ⊕ Yi−1, with Y0 = IV. Because xi depends only on Yi and Yi−1, decryption (unlike encryption) can be parallelized, and a single corrupted ciphertext block garbles only xi and xi+1.

[Figure 8: ciphertext blocks c1, ..., c7 are each decrypted with the secret key; the result is XORed with IV (for c1) or with the previous ciphertext block, giving m1, ..., m7.]

Fig. 8. CBC decryption.

6.3 Counter (CTR) mode

Counter mode provides an alternative approach to encrypting blocks of text, while still avoiding the problem of the same blocks of plaintext yielding the same ciphertext. The counter mode encryption is described as follows.

Encryption in CTR mode. As in the ECB and CBC modes, the plaintext x is divided into m blocks, denoted x1, ..., xm, each consisting of n bits. Padding is unnecessary in CTR mode, since the last keystream block can simply be truncated to the length of the final plaintext block; padding the plaintext as in ECB and CBC also works but wastes space. First, a string IV of n bits is generated uniformly at random. For each block of plaintext xi, the corresponding ciphertext is given by

Yi = EK(IV + i − 1) ⊕ xi,

where '+' denotes addition mod 2^n. The CTR mode encryption is described in Figure 9.

[Figure 9: the counter values IV, IV+1, IV+2, IV+3, IV+4 are each encrypted with E under the key K, and the outputs are XORed with x1, ..., x5 to give Y1, ..., Y5.]

Fig. 9. Counter mode for encryption.

Encryption in CTR mode can be interpreted as generating a different pseudorandom string EK(IV + i − 1) for each plaintext block and XORing the plaintext with it; in other words, CTR turns the block cipher into a stream cipher. The resulting ciphertext appears random and uncorrelated with the original plaintext. As in CBC mode, both the ciphertext Y and the IV are sent to the receiver. The security of CTR mode rests on never reusing a counter value under the same key: if two messages are encrypted with the same key and IV, then Yi ⊕ Y′i = xi ⊕ x′i, so the XOR of the two plaintexts leaks directly. Like CBC, CTR provides no integrity, and here flipping a bit of the ciphertext flips exactly the same bit of the plaintext; authenticated modes such as CCM and GCM combine CTR with an authentication tag.

Decryption in CTR mode. In CTR mode, each block xi of the plaintext is recovered by first computing EK(IV + i − 1) and then xi = Yi ⊕ EK(IV + i − 1). Each block can be decrypted using knowledge of IV alone, without decrypting any other block, and only the encryption direction of the block cipher is ever needed. This is an advantage in applications where blocks arrive or are accessed out of order, since each block can be decrypted without waiting for the others.

[Figure 10: the counter values IV, IV+1, IV+2, IV+3, IV+4 are each encrypted with E under the key K, and the outputs are XORed with Y1, ..., Y5 to give x1, ..., x5.]

Fig. 10. Counter mode for decryption.
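The three modes of Section 6 over a generic 8-byte block cipher, with functions that exhibit the properties discussed above: ECB revealing repeated blocks, CBC ciphertexts depending on the IV, CTR decrypting a single block in isolation without padding, and the plaintext-XOR leak when a CTR IV is reused. This is an added example, not code from the notes. The block cipher E/D is a toy keyed permutation (an assumption, not secure) so that the modes, not the cipher, are what the code demonstrates; PKCS#7 is assumed as the "prespecified padding rule", and the counter index is 0-based, so block i uses EK(IV + i).

```python
"""ECB, CBC and CTR over an 8-byte block cipher with PKCS#7 padding.
E/D is a toy keyed permutation of 64-bit blocks (NOT secure); swap in DES or AES and nothing
else in the mode code changes."""

BLOCK = 8
MASK = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15            # odd, so multiplication mod 2^64 is invertible
ODD_INV = pow(ODD, -1, 1 << 64)


def E(key, block):
    """Toy block cipher E_K: {0,1}^64 -> {0,1}^64 (assumption standing in for DES/AES)."""
    k, x = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    return ((((x ^ k) * ODD) + k) & MASK).to_bytes(BLOCK, "big")


def D(key, block):
    """Its inverse D_K."""
    k, y = int.from_bytes(key, "big"), int.from_bytes(block, "big")
    return ((((y - k) * ODD_INV) & MASK) ^ k).to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(pt):
    """PKCS#7: append n - (L mod n) bytes, each equal to that count (a full block if n divides L)."""
    n = BLOCK - len(pt) % BLOCK
    return pt + bytes([n]) * n


def unpad(pt):
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(E(key, x) for x in blocks(pad(pt)))          # Y_i = E_K(x_i)


def ecb_decrypt(key, ct):
    return unpad(b"".join(D(key, y) for y in blocks(ct)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv                                           # Y_i = E_K(Y_{i-1} xor x_i), Y_0 = IV
    for x in blocks(pad(pt)):
        prev = E(key, xor(prev, x))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv                                           # x_i = D_K(Y_i) xor Y_{i-1}
    for y in blocks(ct):
        out.append(xor(D(key, y), prev))
        prev = y
    return unpad(b"".join(out))


def ctr_block(key, iv, i, data):
    """Keystream for 0-based block i is E_K(IV + i mod 2^64); truncating it to len(data) means
    CTR needs no padding. Encryption and decryption are the same operation, and any block can
    be processed on its own."""
    counter = ((int.from_bytes(iv, "big") + i) & MASK).to_bytes(BLOCK, "big")
    return xor(E(key, counter)[:len(data)], data)


def ctr_crypt(key, iv, data):
    return b"".join(ctr_block(key, iv, i, d) for i, d in enumerate(blocks(data)))


def ecb_leaks_repeats(key, pt):
    """ECB weakness: equal plaintext blocks give equal ciphertext blocks."""
    ct = blocks(ecb_encrypt(key, pt))
    return any(ct[i] == ct[j] for i in range(len(ct)) for j in range(i + 1, len(ct)))


def ctr_iv_reuse_leak(key, iv, p1, p2):
    """Same key and IV twice: Y1 xor Y2 = x1 xor x2, the keystream cancels out."""
    return xor(ctr_crypt(key, iv, p1), ctr_crypt(key, iv, p2)) == xor(p1, p2)


if __name__ == "__main__":
    key, iv = bytes.fromhex("36cfd336a3963d42"), bytes.fromhex("0123456789abcdef")
    msg = b"ATTACK AT DAWN! " * 2                                # constructed: blocks 1-2 repeat as 3-4
    print("ECB repeats visible:", ecb_leaks_repeats(key, msg))
    print("CBC round trip:", cbc_decrypt(key, iv, cbc_encrypt(key, iv, msg)) == msg)
    print("CTR IV reuse leaks plaintext XOR:", ctr_iv_reuse_leak(key, iv, msg, b"RETREAT AT DUSK " * 2))
```

None of these modes authenticates the ciphertext; the usage note in Section 6.2 and 6.3 about pairing them with a MAC or using an authenticated mode applies to all three.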

Table 5. Applications of Triple DES, AES, and the modes of operation.

Primitive     Use in real systems
Triple DES    Electronic payment industry, Windows OS
AES           SSL/TLS, wireless sensor networks (IEEE 802.15.4), Zigbee networks, CCMP
CBC mode      SSL/TLS, wireless sensor networks (IEEE 802.15.4), Zigbee networks
CTR mode      CCMP (WPA2), IPsec, TLS 1.2, wireless sensor networks

Sources for Today’s Lecture:

1. Douglas R. Stinson, Cryptography: Theory and Practice, 3rd edition. CRC Press, 2005, pp. 21–26, 37–39, 45–54, and 73–114.
2. Wade Trappe and Lawrence C. Washington, Introduction to Cryptography with Coding Theory. Prentice Hall, 2002, pp. 38–49, 97–123, 127–136, and 250–260.
3. Charlie Kaufman, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World, 2nd edition. Prentice Hall, 2002, pp. 59–74, 81–92, and 95–105.
