
Overview

Block Ciphers and Modes of Operation

Gerardo Pelosi
Department of Electronics, Information and Bioengineering (DEIB)
Politecnico di Milano
gerardo.pelosi - at - polimi.it

Lesson contents
- Design structures for block ciphers: Feistel Network (FN) and Substitution & Permutation Network (SPN)
- The Feistel Network structure
- Data Encryption Standard (DES)
- Security of DES, Double-DES, Triple-DES, DES-X
- Modes of Operation to guarantee Confidentiality: ECB, CBC, OFB, CFB, CTR

G. Pelosi, A. Barenghi (DEIB) Block Ciphers and Modes of Operation

Design of Symmetric-key Ciphers: Confusion & Diffusion

Building on the weaknesses of historical ciphers, C. Shannon stated the following (very general and informal) design principles to thwart attacks based on the statistical properties of ptxs and ctxs.
A symmetric cipher should be composed as the iterative application of operations that realize Confusion & Diffusion of the symbols.

Confusion
- Make the relation between the key, plaintext and ciphertext as complex as possible. Ideally, each digit of the key influences the correspondence between ptx and ctx letters in a non-predictable way.
- Replacing every letter with the one next to it on the typewriter keyboard is an insecure example of confusion by substitution.
- Ciphers that do not offer effective confusion are vulnerable to frequency analysis.

Diffusion
- Diffusion refers to the property that the statistical distribution of "groups of ptx letters" frequencies (due to the redundancy of the ptx language) should be dissipated, as much as possible, into flat distribution statistics, i.e. the ctx should appear as random data.
- Ideally, keeping the same key, the change of a single bit in the plaintext drives the change of all bits in the ciphertext.
- In contrast to confusion, diffusion spreads the influence of a single plaintext letter over many (or every) ctx letters.
- Ciphers suffering from poor diffusion can usually be broken by means of Known Plaintext Attacks (e.g., simple permutation ciphers).

Purposes of Modern Block Ciphers
- Block ciphers operate on a block of plaintext m ∈ M (m = ⟨m_1, ..., m_n⟩, with m_i ∈ {0, 1}) to produce a block of ciphertext (c = ⟨c_1, ..., c_n⟩ ∈ C, with c_i ∈ {0, 1}) through a key-parametric transformation (either E_k() or D_k())
- The block size n is in the [64, 256] bit range
- The ptx size might not be a multiple of the block size → padding needed! Possible padding strategies:
  - Known non-data values (e.g. nulls)
  - A number indicating the size of the pad (may require an extra block)
  - A number indicating the size of the ptx (may require an extra block)
- For ptxs longer than a single block, the scheme used to apply E_k() (or D_k()) is called mode of operation

Security desiderata
- Provide nontrivial blending of plaintext and ciphertext (confusion)
- Provide statistical flatness of the output (diffusion)
- Be analyzable in a clear and formal way to ensure sound security
- A structure based on the repetition of a short sequence of steps (round) is preferable to a monolithic design

Efficiency desiderata
- Provide efficient encryption and decryption
- Possibly reuse SW/HW resources for both E_k() and D_k() (lower code size or silicon area)


Modern Design Strategies

Glossary
- Cipher state: the result of each operation performed by the cipher. Initialized with the ptx; contains the ctx at the end of the computation
- Round: basic sequence of operations applied to the cipher state a number of times (involves blending the key into the state)
- Key schedule: procedure expanding the original user key into key material to be used in each round

High level structure
- Expand the user key into a set of subkeys and combine them with the cipher state during the execution of the round primitive
- Iterate the application of the Round. Repeating the round increases the complexity of the dependency relations among the user key bits and the bits of the cipher state

Modern Design Strategies: Feistel Networks and SPNs

Feistel Networks
- Invented by Horst Feistel (in the '50s-'60s), it splits the cipher state in two parts and acts on one of them per round
- The decryption employs the same cipher structure, except for a reversal in the order of the subkeys produced by the key schedule

Substitution Permutation Networks (SPNs)
- An SPN implements the confusion-diffusion principles suggested by Shannon with distinct enc/dec transformations
- The round of an SPN acts on the whole cipher state with:
  - A "non-linear" function providing Confusion, represented as a lookup table, a.k.a. Substitution-Box (S-box)
  - A "linear" function providing Diffusion, f.i., a bitwise permutation, or pairs of rotate & xor operations
  - The addition of a part of the key schedule

Feistel Network

Definition
A Feistel network transforms an n-bit ptx block m = ⟨L_0, R_0⟩ into an n-bit ctx block c = ⟨R_r, L_r⟩ through an r-round process (r ≥ 1) defined as the repetition of r − 1 equal stages plus a final one, where the sub-blocks L_i, R_i are n/2-bit long.

    Feistel(⟨L, R⟩, k)
    1  for i ← 0 to r − 2
    2      temp ← L
    3      L ← R
    4      R ← temp ⊕ F(k_i, R)      // L_i = R_{i−1}, R_i = L_{i−1} ⊕ F(k_i, R_{i−1})
    5  L ← L ⊕ F(k_{r−1}, R)         // final stage: the same round function, without the swap
    6  return ⟨L, R⟩                  // Note: the returned halves are ⟨R_r, L_r⟩, i.e. the last round block halves are swapped

where F is an arbitrary function (non-linear and possibly non-invertible) and each subkey k_i, 0 ≤ i ≤ r − 1, is computed from the key schedule of the cipher key k.

Feistel Network: Structural Properties
Properties of a Feistel network:
- The round transformation is invertible regardless of the choice of the function F. Indeed, for the i-th round
    L_i = R_{i−1},  R_i = L_{i−1} ⊕ F(k_i, R_{i−1})
  we can also write
    R_{i−1} = L_i,  L_{i−1} = R_i ⊕ F(k_i, L_i)
- Note that the last round block halves are swapped, ⟨R, L⟩, and not in their usual left-right order ⟨L, R⟩
- Applying the Feistel network on a ctx (using the subkeys in reverse order, i.e. k_{r−1} through k_0) provides the ptx
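The network above written out in Python, as an added example that is not part of the slides: F is a constructed, deliberately non-invertible truncated hash and the key schedule is a constructed one (neither is DES's); what the code shows is that decryption is the very same routine fed the subkeys in reverse order, whatever F is.

```python
import hashlib

HALF = 4  # bytes per half-block: a 64-bit block split into two 32-bit halves, as in DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def F(subkey: bytes, right: bytes) -> bytes:
    # Constructed round function: a truncated keyed hash, so it is not invertible
    # (and is not DES's F). The network below inverts regardless of this choice.
    return hashlib.sha256(subkey + right).digest()[:HALF]

def key_schedule(key: bytes, rounds: int) -> list:
    # Constructed toy key schedule (not DES's): subkey k_i = H(key || i), truncated
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def feistel(block: bytes, subkeys: list) -> bytes:
    """r-1 swapping stages plus a final stage without the swap; returns <R_r, L_r>."""
    assert len(block) == 2 * HALF and len(subkeys) >= 1
    L, R = block[:HALF], block[HALF:]
    for k in subkeys[:-1]:
        L, R = R, xor(L, F(k, R))      # L_i = R_{i-1}, R_i = L_{i-1} xor F(k_i, R_{i-1})
    L = xor(L, F(subkeys[-1], R))      # last stage: no swap, so the output reads <R_r, L_r>
    return L + R

def encrypt(key: bytes, m: bytes, rounds: int = 16) -> bytes:
    return feistel(m, key_schedule(key, rounds))

def decrypt(key: bytes, c: bytes, rounds: int = 16) -> bytes:
    # Same network, subkeys in reverse order (k_{r-1} first, k_0 last)
    return feistel(c, key_schedule(key, rounds)[::-1])

def round_inverse_check(subkey: bytes, L_prev: bytes, R_prev: bytes) -> bool:
    """One round forward, then back via R_{i-1} = L_i, L_{i-1} = R_i xor F(k_i, L_i)."""
    L_i, R_i = R_prev, xor(L_prev, F(subkey, R_prev))
    return (xor(R_i, F(subkey, L_i)), L_i) == (L_prev, R_prev)
```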


Feistel Network Description (Block Diagram)
- Confusion: provided by the key-dependent F function
- Diffusion: obtained adding the F-processed part R_i to L_i
Figure: The structure of a Feistel Network (Enc: r−1 rounds plus the final stage; Dec: the same structure with the subkeys reversed)

Ciphers based on a Feistel Network
- DES: block-size: 64-bit, key-size: 56-bit, rounds: 16. Standard encryption algorithm employed by the US-government for unclassified documents from 1976 to 2000
- Blowfish: block-size: 64-bit, key-size: 32–448 bits (4–56 bytes), rounds: 16. Part of the key schedule is used to generate the S-Boxes in the F; very demanding key-schedule
- Twofish: evolution of Blowfish, block-size: 128-bit, key-size: 128, 192 or 256 bits, rounds: 16
- CAST5: block-size: 128-bit, key-size: 40–128 bits (5–16 bytes), rounds: 12 (16, with key-size ≥ 80 bits). Only arithmetic operations and key-dependent bit-rotations are employed in the F map. Efficient SW implementation

DES Structure
- 16-round Feistel with 64-bit wide cipher state: IP (initial permutation), 16 rounds, FP (final permutation)
- Cipher key: 64 bits; only 56 bits are used. One bit per byte is a parity bit.
- Key schedule: produces ⟨k_1, ..., k_16⟩, 48 bits each. Each round key is obtained through bitwise permutation and selection of the initial 56 bits.
- DES-peculiar feature: k_0 = k_15
- The fixed permutations IP, FP = IP^{−1} have no effect on the security; IP and FP were motivated by the ease of laying out the circuit wires

DES Round
It takes a 64-bit block ⟨L_{i−1}, R_{i−1}⟩ and a 48-bit subkey k_i to compute L_i = R_{i−1}, R_i = L_{i−1} ⊕ F(k_i, R_{i−1}), where
    F(k_i, R_{i−1}) = P-box(S-box(k_i ⊕ E-box(R_{i−1})))
1. E-box(R_{i−1}) expands R_{i−1} from 32 into 48 bits (⟨b_1 b_2 ... b_8⟩, each b_i is 6 bits) via a fixed expansion that simply duplicates some bits
2. Add the 48-bit round key: ⟨b_1 b_2 ... b_8⟩ ← k_i ⊕ ⟨b_1 b_2 ... b_8⟩
3. Map the 48-bit word into a 32-bit one by applying 8 fixed S-boxes. For each b_i, c_i = S_i(b_i), where S_i maps 6 into 4 bits. The S_i are the only non-linear component of DES. Each S_i is described as a 4×16 look-up table: 1st and 2nd input bit → row index, 3rd to 6th bit → column index; each cell contains 4 output bits
4. Apply a fixed bitwise permutation specified by the P-box


DES Round: F-function
    L_i = R_{i−1},  R_i = L_{i−1} ⊕ F(k_i, R_{i−1})           // half-word (L_i, R_i) size: 32 bits
    F(k_i, R_{i−1}) = P-box(S-box(k_i ⊕ E-box(R_{i−1})))      // output size: 32 bits
- E-box stage: 4 × 8 = 32 bits → 6 × 8 = 48 bits
- Bitwise XOR with the 6 × 8 = 48-bit round subkey
- S-box stage: 6 × 8 = 48 bits → 4 × 8 = 32 bits
- P-box stage: 32 bits → 32 bits

DES Properties

Complementation property
Inverting the bit values of the input ptx m and key k yields a ctx equal to the bitwise inversion of the result of DES(k, m):
    DES(¬k, ¬m) = ¬DES(k, m),  ∀ m ∈ M, ∀ k ∈ K

Chosen-ptx attack
- Collect the ptx-ctx pairs (m_1, c_1), (¬m_1, c_2), with c_1 = DES(k, m_1), c_2 = DES(k, ¬m_1)
- Noting that c_2 = DES(k, ¬m_1) ⇔ ¬c_2 = DES(¬k, m_1)
- Test, for any k̃, whether DES(k̃, m_1) yields either c_1 or ¬c_2. If not, discard both k̃ and ¬k̃, with a single DES computation.
- Exhaustive key search down to 2^{56−1} trials (...not that useful in practice!)

DES Properties: Weak and Semi-Weak Keys

The DES secret key should be randomly chosen, but there are some particular values that should not be used, as the key schedule creates 16 identical subkeys (Weak Keys) or only two different values for the 16 subkeys (Semi-weak keys).

Weak Keys
Encrypting a ptx twice with a weak key k yields the original ptx:
    DES(k, DES(k, m)) = m,  ∀ m ∈ M
There are 4 weak keys (Group 1), written with 64 bits, including the 8 rightmost parity bits. If the implementation does not check the parity bits of k, 4 extra key values are weak (Group 2).

    Group 1                 Group 2
    0x 0101010101010101     0x 0000000000000000
    0x FEFEFEFEFEFEFEFE     0x FFFFFFFFFFFFFFFF
    0x E0E0E0E0F1F1F1F1     0x E1E1E1E1F0F0F0F0
    0x 1F1F1F1F0E0E0E0E     0x 1E1E1E1E0F0F0F0F

Semi-Weak Keys
Also a Semi-weak key pair ⟨k, k'⟩ causes the composition of two DES employing k and k' to compute the original ptx:
    DES(k, DES(k', m)) = m,  ∀ m ∈ M
There are 6 semi-weak key pairs:
    ⟨ 0x 011F011F010E010E, 0x 1F011F010E010E01 ⟩
    ⟨ 0x 01E001E001F101F1, 0x E001E001F101F101 ⟩
    ⟨ 0x 01FE01FE01FE01FE, 0x FE01FE01FE01FE01 ⟩
    ⟨ 0x 1FE01FE00EF10EF1, 0x E01FE01FF10EF10E ⟩
    ⟨ 0x 1FFE1FFE0EFE0EFE, 0x FE1FFE1FFE0EFE0E ⟩
    ⟨ 0x E0FEE0FEF1FEF1FE, 0x FEE0FEE0FEF1FEF1 ⟩


DES Properties: DES is not a group

Given a ptx m and a pair of keys k_1, k_2, the set of DES (bijective) transformations is not closed under composition:
    ∀ m  ∄ k_3  s.t.  DES(k_3, m) = DES(k_2, DES(k_1, m))
The above condition means that encrypting a ptx m through applying DES twice with two different keys is not the same as encrypting m once with a third key.
K.W. Campbell and M.J. Wiener, DES is not a group, Advances in Cryptology - Crypto'92, Springer-Verlag (1993), pp. 512-520
N.B.: Given the ptx space {0, 1}^64, which has n = 2^64 elements, a DES with a fixed key is one out of the (2^64)! permutations S_n: {0, 1}^64 ↦ {0, 1}^64. The composition of two DES with distinct keys is still a permutation in S_n, but in general it cannot be thought of as computed by a DES with another key.

DES Breaking

Due to the computational power available today, which also employs specialized parallel hardware, DES has become insecure.

Brute Forcing DES
- Given a ptx-ctx pair, an exhaustive key search needs to perform on average 2^55 DES encryptions
- Computing 1 encryption per microsecond ⇒ 2^55 encryptions take ≈ 3.6 · 10^10 s ≈ 1142 years
- Employing 10^6 devices in parallel gives a break in ≈ 10 hours

DES Breaking: Brute Forcing DES
- 1998: the Electronic Frontier Foundation (EFF) broke the DES employing ad-hoc ASIC hw (EFF DES Cracker: 92 · 10^9 [keys/sec]) in 56 hours, for less than 250K USD
- 1999: EFF provided a DES breaking in 23 hours (245 · 10^9 [key/s]) employing a distributed breaker with 10^5 computers
- 2008: a German company, SciEngines GmbH, reduced the time to break DES to about 20 hours (292 · 10^9 [key/s]), using a cluster of 16 devices, each equipped with 8 FPGAs Spartan-3 5000's, for a total cost of about 5K Euros, with a power consumption ≤ 850 watts (peak)

Double DES (2DES)

DES is not a group → multiple applications of the primitive with different keys seems to be a good strategy to improve the security

2DES
Double DES consists of applying the DES primitive twice:
    c = 2DES(k_1, k_2, m) =def DES(k_1, DES(k_2, m))
Nevertheless, this structure is vulnerable to meet-in-the-middle attacks:
    c = DES(k_1, DES(k_2, m)) ⇔ DES^{−1}(k_1, c) = DES(k_2, m)

To increase the resistance of the standard cipher against brute force attacks, in 1998 the Triple DES was standardized by the US institutions: ANSI and NIST


Double DES (2DES): Meet-in-the-middle

This analysis technique trades the number of DES encryptions employed in an exhaustive key search for storage. Given a ptx-ctx pair ⟨m, c⟩:
    c = DES(k_1, DES(k_2, m)) ⇔ DES^{−1}(k_1, c) = DES(k_2, m)
- For all k_2 candidate key values k_(2,i) ∈ {0, ..., 2^56 − 1} compute A_i = DES(k_(2,i), m) and store A_i. This costs 2^56 DES encryptions and 2^56 memory cells (of 64-bit size)
- For every k_1 candidate key value k_(1,j) ∈ {0, ..., 2^56 − 1} compute B_j = DES^{−1}(k_(1,j), c) and check all the equalities A_i = B_j. If an equality A_i = B_j holds, then store the key pair ⟨k_(2,i), k_(1,j)⟩. In the worst case, this costs 2^56 decryptions

The 2DES cipher employs a 112-bit key but it is vulnerable to a known ptx attack with a cost of ≈ 2^57 DES encryptions; thus, it is not better than the single DES!!!

Double DES (2DES): Key pair sieving

With the meet-in-the-middle analysis, there is a set of candidate key pairs S = {⟨k_(2,i), k_(1,j)⟩, ...}
Obs: given m, c = DES(k_(1,j), DES(k_(2,i), m)), there are 2^112 possible key values and 2^64 possible ctx values c, therefore there are up to 2^112 / 2^64 = 2^48 key values ⟨k_(1,j), k_(2,i)⟩ associated to the pair ⟨m, c⟩
Through employing a second ptx-ctx pair ⟨m', c'⟩, it is possible to check which key pair in S is the correct one.
Obs: c' may have a value in the range {0, ..., 2^64 − 1}, but the set S limits the number of such values to 2^48 (one for each possible key pair in S). Thus, the probability of having more than one key pair in S that yields the same c' is given by: possible mappings / tot. mappings = 2^48 / 2^64 = 1 / 2^16.
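To see, on a scale a classroom machine can run, why doubling the key adds almost nothing, here is an added example that is not from the slides: a constructed 16-bit SPN with a 12-bit key (S-box, bit permutation, round-key addition, as in the SPN description earlier; it is not DES and has no security) is applied twice, and the meet-in-the-middle table plus the second-pair sieving described above recover the key pair with 2 · 2^12 toy encryptions instead of 2^24.

```python
# Constructed toy SPN: 16-bit block, 12-bit key, 4 rounds (for illustration only, not DES)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
PERM = [(4 * j) % 15 if j < 15 else 15 for j in range(16)]   # bit j moves to position PERM[j]
INV_PERM = [PERM.index(p) for p in range(16)]
ROUNDS, KEY_BITS, MASK = 4, 12, 0xFFFF

def rotl16(x: int, n: int) -> int:
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK

def round_keys(key: int) -> list:
    # Constructed key schedule: spread the 12 key bits over 16, then rotate per round
    kk = ((key << 4) | (key >> 8)) & MASK
    return [rotl16(kk, 5 * i) ^ i for i in range(ROUNDS + 1)]

def substitute(x: int, box: list) -> int:           # four 4-bit S-boxes in parallel (confusion)
    return sum(box[(x >> (4 * n)) & 0xF] << (4 * n) for n in range(4))

def permute(x: int, table: list) -> int:            # bit permutation (diffusion)
    y = 0
    for j in range(16):
        if (x >> j) & 1:
            y |= 1 << table[j]
    return y

def spn_encrypt(key: int, m: int) -> int:
    rk = round_keys(key)
    x = m
    for i in range(ROUNDS):                         # key addition, S-box layer, permutation
        x = permute(substitute(x ^ rk[i], SBOX), PERM)
    return x ^ rk[ROUNDS]                           # final key addition

def spn_decrypt(key: int, c: int) -> int:
    rk = round_keys(key)
    x = c ^ rk[ROUNDS]
    for i in reversed(range(ROUNDS)):               # SPN decryption uses the inverse layers
        x = substitute(permute(x, INV_PERM), INV_SBOX) ^ rk[i]
    return x

def double_encrypt(k1: int, k2: int, m: int) -> int:
    """c = E(k1, E(k2, m)): the 2DES construction instantiated with the toy cipher."""
    return spn_encrypt(k1, spn_encrypt(k2, m))

def meet_in_the_middle(pairs: list):
    """Return (candidates, survivors): the set S built from the first <m, c> pair,
    and S sieved with every further pair, exactly as the slide describes."""
    m, c = pairs[0]
    table = {}
    for k2 in range(1 << KEY_BITS):                 # 2^KEY_BITS encryptions from the ptx side
        table.setdefault(spn_encrypt(k2, m), []).append(k2)
    candidates = []
    for k1 in range(1 << KEY_BITS):                 # 2^KEY_BITS decryptions from the ctx side
        for k2 in table.get(spn_decrypt(k1, c), []):
            candidates.append((k1, k2))
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_encrypt(k1, k2, m2) == c2 for m2, c2 in pairs[1:])]
    return candidates, survivors
```

With a 16-bit block and 24 key bits in total, the first pair leaves about 2^(24−16) = 2^8 candidate pairs in S, and the second pair sieves them down to (almost surely) the right one, mirroring the 2^48 and 1/2^16 figures of the DES case.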

Triple DES (TDES)

The standardized TDES provides a simple method to effectively increase the security w.r.t. DES without designing a completely new block cipher.
The improved primitive employs:
- a "key bundle" with three DES keys: k_1, k_2 and k_3, each of 56 bits (excluding parity bits)
- an iterated application of the DES primitive to define both the encryption and the decryption transformation
    c = 3DES(k_1, k_2, k_3, m) =def DES(k_1, DES^{−1}(k_2, DES(k_3, m)))
    m = 3DES^{−1}(k_1, k_2, k_3, c) =def DES^{−1}(k_3, DES(k_2, DES^{−1}(k_1, c)))
  where DES^{−1} indicates the inverse DES transformation (i.e., the application of the key schedule in reverse order)

3DES
    c = DES(k_1, DES^{−1}(k_2, DES(k_3, m)))
The standards define three keying options:
- Keying opt. 1 (3DES3): all three keys are independent
- Keying opt. 2 (3DES2): k_1 and k_2 are independent, and k_3 = k_1
- Keying opt. 3 (no longer recommended): all three keys are identical, i.e., k_1 = k_2 = k_3. It used to provide backward compatibility with DES, because the 1st and 2nd applications of DES cancel out


Triple DES (TDES): attacks on 3DES3 and 3DES2

3DES3
    c = DES(k_1, DES^{−1}(k_2, DES(k_3, m)))
The 3DES with k_1 ≠ k_2 ≠ k_3 can also be attacked with the meet-in-the-middle strategy considering a single ⟨m, c⟩ pair:
    DES^{−1}(k_1, c) = DES^{−1}(k_2, DES(k_3, m))
- storage for 2^112 values: {⟨ ⟨k_2, k_3⟩, DES^{−1}(k_2, DES(k_3, m)) ⟩}
- for each value of k_1, 2^56 DES computations and lookups in the previous table to find a match
The 3DES3 cipher employs a 168-bit key and requires ≈ 2^112 DES encryptions for a known ptx attack

3DES2
    c = 3DES2(k_1, k_2, k_1, m) =def DES(k_1, DES^{−1}(k_2, DES(k_1, m)))
The 3DES2 with k_1 ≠ k_2 can also be attacked with a meet-in-the-middle strategy having the same costs as attacking the 3DES3:
    DES(k_2, DES^{−1}(k_1, c)) = DES(k_3, m)
- storage for 2^56 values: {⟨k_3, DES(k_3, m)⟩}
- 2^112 DES(k_2, DES^{−1}(k_1, c)) computations and lookups to find a match
The 3DES2 cipher is the preferred choice as it employs a 112-bit key and requires 2^112 DES encryptions for a known ptx attack

Triple DES (TDES): summary
- 2DES is 2× slower than DES, 2× key length and the same security margin (≈ 2^56 DES enc.s)
- 3DES3 is 3× slower than DES, 3× key length and a double security margin (≈ 2^112 DES enc.s)
- 3DES2 is 3× slower than DES, 2× key length and a double security margin (≈ 2^112 DES enc.s)

DES-X
It is a variant of the DES block cipher to increase the complexity of a known ptx attack using a technique called pre-whitening. Three independent keys are used. The first key k has 56-bit size, while the other keys k_1, k_2 have 64-bit size.
    c = DES-X(k, k_1, k_2, m) =def k_2 ⊕ DES(k, m ⊕ k_1)
    m = DES-X^{−1}(k, k_1, k_2, c) =def k_1 ⊕ DES^{−1}(k, c ⊕ k_2)
DES-X is ≈ as fast as DES, with a 184-bit key and a security margin ≈ 2^120 DES

Theoretical Attacks
Better techniques for the cryptanalysis of the DES are:
- differential cryptanalysis
- linear cryptanalysis
(Quantitative examples in next lectures)
These techniques are currently applied to test the robustness of every block cipher


Theoretical Attacks

Linear cryptanalysis
Finds approximated linear relations (i.e., Boolean equalities) among some bits of the ptx and some bits in input to the last round of the cipher. It recovers (in a subsequent step) the values of some bits of the secret key.
2^43 known ptx-ctx pairs to find a DES key [Matsui, 1993]

Differential cryptanalysis
Finds how differences between two input ptxs propagate within the cipher up to the beginning of the last round. In a subsequent step, this knowledge is exploited to obtain the values of some bits in the last subkey.
2^47 chosen ptx-ctx pairs to find a DES key [Biham and Shamir, 1990]

Modes of Operation

Definition
A Mode of operation specifies the way to encrypt a message m ∈ M of arbitrary length through employing a block cipher.
Currently, there are modes of operation to guarantee:
- Confidentiality of messages:
  - Electronic CodeBook mode (ECB)
  - Cipher Block Chaining mode (CBC) – most popular – not entirely secure
  - Output FeedBack mode (OFB)
  - Cipher FeedBack mode (CFB)
  - Counter mode (CTR)
- Authentication of messages: CMAC
- Both confidentiality and authentication: CCM and GCM
We will see the last two categories after the study of Hash functions!

Electronic Code Book (ECB)

The plaintext message m ∈ M is broken into blocks of equal size m = ⟨m_1, m_2, ...⟩. The last part of m might be shorter than one block, thus padding is needed.
Possible padding:
- Known non-data values (e.g. nulls)
- A number indicating the size of the pad
- A number indicating the size of the plaintext
Note that the last two schemes may require an extra block.

Each block is encrypted independently to compose the ciphertext message c ∈ C as c = ⟨c_1, c_2, ...⟩, where:
    c_i = E_k(m_i),  i = 1, 2, ...
For a given key, this mode behaves like we have a gigantic codebook, in which each ptx block has an entry, hence the name Electronic Code Book.


Remarks on ECB

The major disadvantage of this method is that identical ptx blocks are encrypted into identical ctx blocks; thus, it does not hide data patterns well!
Figure: the same image in the original form, encrypted in ECB mode, and encrypted with other modes

Strengths:
- It's simple, fast and amenable to massive parallelization
- One-bit errors in the ctx cause a single block error in the ptx
Weaknesses:
- If the same message is encrypted (under the same key) twice, the ctxs are the same
- Repetitive information contained in the ptx may show in the ctx (especially if aligned with blocks!)
- Suffers from block insertion or deletion attacks. Can be compensated with checksums over a number of ptx blocks
Typical application: secure transmission of short pieces of information (e.g., a temporary encryption key)

Cipher Block Chaining (CBC)

A chaining strategy is the easiest way to add 'context' to each ctx block.
Blocks are encrypted/decrypted via the following equations:
    c_0 = IV
    c_i = E_k(m_i ⊕ c_{i−1}),   for i ≥ 1
    m_i = D_k(c_i) ⊕ c_{i−1},   for i ≥ 1

The Initialization Vector (IV) ensures that two encryptions of the same ptx produce different ctxs
- IV is a random value usually transmitted in clear from the encryptor to the decryptor as part of the ctx message
- IV may be a fixed value if the key k of the cipher is used only once
- IV can be sent encrypted in ECB mode before the rest of the ctx blocks


Remarks on CBC

Strengths:
- The encryption of a block depends on itself and all blocks before it. So, repeated ptx blocks are encrypted differently
- A ptx block can be recovered from two adjacent blocks of ctx ⇒ decryption can be parallelized
- A one-bit change to the ctx corrupts the corresponding ptx block, and inverts the corresponding bit in the next ptx block. Further error propagation is avoided (CBC is self-recovering for intra-block errors)
- Insertion or deletion attacks aiming to replace/insert/delete some blocks are detected!
Weaknesses:
- Its main drawback is that the encryption cannot be parallelized
- No recovery from synchronization errors is possible: if a bit is inserted/added or lost from the cipher-text string, then all subsequent blocks are garbled
- An adversary can alter a ctx block in such a way as to arbitrarily modify the following ptx block. However, this destroys the corresponding ptx block.
- Reusing the same IV/key on two messages yields identical ctxs up to the first difference in the ptxs

Stream based Modes

Given a plaintext message m ∈ M as a sequence of blocks m = ⟨m_1, m_2, ...⟩, the CFB, OFB and CTR modes of operation generate a key stream k_1, k_2, k_3, ... (each key has the size of a block) to mask the ptx m:
    c_i = m_i ⊕ k_i,  for i ≥ 1

Cipher FeedBack mode (CFB)

The plaintext message m ∈ M is broken into blocks of j bits (1 ≤ j ≤ n): m = ⟨m_1, m_2, m_3, ...⟩
An n-bit block cipher employed in CFB mode is provided with an n-bit Input Shift Register (ISR) and an n-bit Output Shift Register (OSR).
1. The ISR is initially filled with an initialization vector (IV)
2. The encryption algorithm is run once to output n bits into the OSR
3. The leftmost j bits of the OSR are then xor'ed with a group of j ptx bits
4. The result of this xor operation is sent over the network and fed back to the ISR, shifting the leftmost j bits out
5. The encryption algorithm is run again and the next group of j bits is encrypted in the same fashion


Cipher feedback mode (CFB)

Encryption:
    ISR_0 ← IV
    OSR_i ← E_k(ISR_{i−1}),  for i ≥ 1
    c_i ← m_i ⊕ j-leftmost bits of OSR_i
    ISR_i ← (ISR_{i−1} << j) | c_i      // shift the leftmost j bits out, feed c_i in
Decryption:
    ISR_0 ← IV
    OSR_i ← E_k(ISR_{i−1}),  for i ≥ 1
    m_i ← c_i ⊕ j-leftmost bits of OSR_i
    ISR_i ← (ISR_{i−1} << j) | c_i

Remarks on CFB
Strengths:
- The transmitted information comes in the form of arbitrarily sized data
- Used with j = 1-bit, a one-bit de-synchronization is automatically

Output Feedback mode (OFB)

The mode is similar to CFB, except that the ISR is fed back with the OSR instead of the ctx.
Encryption:
    ISR_0 ← IV
    OSR_i ← E_k(ISR_{i−1}),  for i ≥ 1
    c_i ← m_i ⊕ j-leftmost bits of OSR_i
    ISR_i ← (ISR_{i−1} << j) | j-leftmost bits of OSR_i
Decryption:
    ISR_0 ← IV
    OSR_i ← E_k(ISR_{i−1}),  for i ≥ 1
    m_i ← c_i ⊕ j-leftmost bits of OSR_i
    ISR_i ← (ISR_{i−1} << j) | j-leftmost bits of OSR_i

Remarks on OFB
Strengths:
- The transmitted information comes in the form of arbitrarily sized data
- The encryption process can be partially parallelized, as the values of the OSR can be pre-computed
- In OFB, the bit error(s) in the decrypted ctx block (or segment) occur in the same bit position(s) as in the ctx block (or segment); the other bit positions are not affected
Weaknesses:


CounTeR mode (CTR)

The plaintext message m ∈ M is broken into blocks of equal size m = ⟨m_1, m_2, ...⟩. The encryption proceeds for the i-th block by encrypting the value of IV + i and then xor'ing this with the message block:
    ctr_i ← IV + i,  i ≥ 0
    t_i ← E_k(ctr_i)
    c_i ← m_i ⊕ t_i
The Initialization Vector (IV) must be a random number to make sure that two encryptions of the same ptx produce different ctxs. The IV should be unpredictable, and must not be reused.

Remarks on CTR
Strengths:
- Only the encryption primitive is needed
- Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links
- Random access to encrypted data blocks
- Bit errors in a ctx block cause errors only in the same bit position(s) of the decrypted block
Weaknesses:
- An error in a certain ctx block affects the whole decrypted ctx block; however, no other block is affected
- What about insertion of alien ctx blocks or deletion of ctx blocks?
Currently, to simplify the detection of errors (or intentional alterations) in the transmitted data, the so-called authenticated modes of operation, e.g., GCM (Galois Counter Mode), are used.
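An added example (not from the slides) that implements ECB, CBC, CFB with full-block feedback (j = n), OFB and CTR directly from the equations on the preceding slides, with helpers to observe the remarks made about them: pattern leakage in ECB, identical prefixes under IV reuse in CBC, and how a one-bit ciphertext error propagates in each mode. The block cipher is a constructed stand-in, a keyed random permutation of byte values (the "gigantic codebook" of the ECB slide); blocks are one byte so no padding is needed.

```python
import random

BLOCK = 1  # block size in bytes; one-byte blocks keep the traces easy to read

def make_cipher(key: int):
    """Constructed stand-in for a block cipher: a keyed random permutation of the
    256 byte values, i.e. literally the 'gigantic codebook' that names ECB."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    E = lambda b: bytes([table[b[0]]])    # E_k
    D = lambda b: bytes([inverse[b[0]]])  # D_k
    return E, D

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(E, m):                    # c_i = E_k(m_i)
    return b"".join(E(mi) for mi in blocks(m))

def ecb_decrypt(D, c):
    return b"".join(D(ci) for ci in blocks(c))

def cbc_encrypt(E, iv, m):                # c_0 = IV, c_i = E_k(m_i xor c_{i-1})
    prev, out = iv, []
    for mi in blocks(m):
        prev = E(xor(mi, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(D, iv, c):                # m_i = D_k(c_i) xor c_{i-1}
    prev, out = iv, []
    for ci in blocks(c):
        out.append(xor(D(ci), prev))
        prev = ci
    return b"".join(out)

def cfb_encrypt(E, iv, m):                # full-block feedback (j = n): c_i = m_i xor E_k(c_{i-1})
    prev, out = iv, []
    for mi in blocks(m):
        prev = xor(mi, E(prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(E, iv, c):                # only E_k is needed to decrypt
    prev, out = iv, []
    for ci in blocks(c):
        out.append(xor(ci, E(prev)))
        prev = ci
    return b"".join(out)

def ofb_crypt(E, iv, data):               # key stream E_k(E_k(...IV)) is independent of the data
    osr, out = iv, []
    for di in blocks(data):
        osr = E(osr)
        out.append(xor(di, osr))
    return b"".join(out)

def ctr_crypt(E, iv, data):               # c_i = m_i xor E_k(IV + i); the same call decrypts
    out = []
    for i, di in enumerate(blocks(data)):
        ctr = (int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))
        out.append(xor(di, E(ctr.to_bytes(BLOCK, "big"))))
    return b"".join(out)

def flip_bit(data: bytes, index: int, bit: int = 0) -> bytes:
    """Simulate a one-bit transmission error in ciphertext block number `index`."""
    buf = bytearray(data)
    buf[index * BLOCK] ^= 1 << bit
    return bytes(buf)

def corrupted_blocks(original: bytes, recovered: bytes):
    """Indices of the plaintext blocks that differ after decrypting a damaged ciphertext."""
    return [i for i, (a, b) in enumerate(zip(blocks(original), blocks(recovered))) if a != b]
```

Because the stand-in is a permutation, every observation below follows from the equations alone: a damaged CBC or CFB block garbles its own plaintext block and touches exactly one bit of the next, while CTR and OFB confine the damage to the same bit position.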
