sign in sign up
<<
Home , Data Encryption Standard, Don Coppersmith, Hasty Pudding cipher, LOKI97, MARS (cipher), RC6

The Long Road to the Advanced Standard

Jean-Luc Cooke CertainKey Inc. [email protected], http://www.certainkey.com/˜jlcooke

Abstract 1 Introduction

This paper will start with a brief background of the Advanced Encryption Standard (AES) process, lessons learned from the Data Encryp- tion Standard (DES), other U.S. government Two decades ago the state-of-the-art in cryptographic publications and the fifteen first the private sector was—we round candidate . The focus of the know now—far behind the public sector. presentation will lie in presenting the general ’s knowledge of the Data design of the five final candidate algorithms, Encryption Standard’s (DES) resilience to and the specifics of the AES and how it dif- the then unknown Differential Cryptanaly- fers from the Rijndael design. A presentation sis (DC), the design principles used in the on the AES modes of operation and Secure Secure Hash (SHA) in Digital Hash Algorithm (SHA) family of algorithms Signature Standard (DSS) being case and will follow and will include discussion about point[NISTDSS][NISTDES][DC][NISTSHA1]. how it is directly implicated by AES develop- ments. The selection and design of the DES was shrouded in controversy and suspicion. This very controversy has lead to a fantastic acceler- Intended Audience ation in private sector cryptographic advance- ment. So intrigued by the NSA’s modifica- tions to the algorithm, researchers— This paper was written as a supplement to a academic and industry alike—powerful tools presentation at the Ottawa International Linux in assessing block strength were devel- Symposium. The reader should have at least oped. Some of these tools proved useful in un- first year university level knowledge of alge- derstanding more about the changes made by bra and physics. Someone with no knowledge the NSA. of mathematics can still benefit from this paper and its associated presentation. This topic of Taking an objective look at the standardization cryptography is covered lightly. Care is taken practices of the USA NSA and NIST organi- to enough useful technical information zations, one can make broad assumptions on to be interesting to a technical audience and where the American state is focusing its - beneficial to others. analytic resources. Ottawa Linux Symposium 2002 74

1.1 What the NSA/NIST has Taught Us from IBM or the NSA. Reducing the effec- tive strength of the algorithm and the omi- By the mid-1970’s the private sector began nous change to possibly the single most crucial having an interest in digital cryptography. sub-component of the algorithm had everyone Even if the clearly false IBM statement “global second-guessing the DES. market for computers estimated at 10” had In the subsequent years after the 1976 DES been proven correct, most of the computers announcement, Shamir and Biham published in operation at the time were terminal servers. their paper on Differential (DC) The terminals connected to these servers were (1994, ISBN-0387979301). In this paper, the carrying progressively more sensitive data. Fi- two cryptographers of RSA fame (‘S’ to be pre- nancial records, payroll information, trade se- cise), outlined how to correlate input changes crets, and intellectual property; all crucial to to the output of several variants of the DES. At the success of a business were exposed to the then end of the day, the Lucifer algorithm fell hot new hobby of wire tapping with gator clips. to the attack of DC while DES remained unbro- Before the US government moved to create ken. To the shock of sceptics, the NSA appears a single encryption standard the private sec- to have not weakened the DES for their evil tor was taking its first steps into design cryp- purposes but in fact made it impervious to an tographic algorithms. In what would become attack not to be publicized for another eighteen crypto folklore, the NSA quietly send out let- years. ters of solicitation to a few hand picked cryp- After the announcement of DC, the Lucifer tographic experts and laboratories. It is im- co-designer Don Coppersmith confessed to portant to realize that previous to this the only knowledge of DC at the time of DES standard- communication a mathematician would have ization. This kept the sky from falling on the with the NSA was in the form of a “cease and heads of the crypto sceptics as you can well desist or be thrown in jail for conspiracy” let- imagine. ters.

Of the few responses received by the NSA, only one had actually met the minimum stan- dards set out by the NSA in their solicita- 2 Obsolescence of the DES tion. The Lucifer designed by Don Coppersmith, Horst Fiestel and company at IBM was the winner practically by default. A 56bit key space did not provide sufficient There were two distinct differences between protection in lieu of the personal computer ex- the Lucifer algorithm submitted by IBM and plosion of the late 1980’s and 1990’s. The the final DES design. threat of attack was no longer from a sin- gle powerful computer, but from thousands of • The effective key space was reduced by commodity computers coordinating their ef- several orders of magnitude. forts. In comes the Triple-DES. Encrypting the data with three distinct keys resulted in a three- • The core substitution boxes were re- fold increase in key material, a three-fold in- designed. crease in computational effort required for en- cryption, and a 5.2 × 1033 increase in the key These changes were made without comment space. Ottawa Linux Symposium 2002 75

Figure 1: The DES Cipher Figure 2: The 3DES Cipher

E = 3DESk1,k2,k3(D) −1 (1) E = DESk1(DESk2 (DESk3(D)))

By the mid 1990’s, TripleDES was no longer sufficient. The security of the algorithm was assumed to be good, but there were other short- comings with TripleDES.

TripleDES was too slow. The private sector’s obsession with higher digital communication bandwidths had made the integration of en- cryption at the data link layer far too costly. Economic conditions then predicted that all data would be encrypted at least once by 2006. Current economic conditions make this predic- tion conservative.

Private sector dependence on secure data com- Figure 3: The OSI Network Stack munication was going to continue to grow be- yond the capabilities of DES/TripleDES. A new standard with greater security and a long Ottawa Linux Symposium 2002 76 lifetime needed to be decided to mitigate the • CAST-256 - Entrust Technologies Ltd. impact of migrating to a new standard. “We need to act fast before we’re in serious trou- http://www.entrust.com/ ble.” AESCD1 Another issue with DES and subsequently TripleDES, was a design limitation. DES AESCD2 was not designed to be efficient in software. The ubiquity of software in modern computer and communication technology dictated an ef- ficient hardware as well as software implemen- –The Communications Security tation for this new standard. Establishment (CSE)—Canadian equivalent to the US NSA—has 3 AES Round One adopted the CAST5 algorithm as their confidential government data encryption algorithm. Contrasting the algorithm solicitation process CSE website: used in selecting the DES, a very public an- http://www.cse.dnd.ca/ nouncement was made by the NSA/NIST for cipher designs. Appearing at private sector security and cryptography tradeshows, it was –CAST5 is synonymous with CAST- made very clear this time the standard was go- 128 ing to be a very public affair.

The NSA/NIST set out minimum requirements –CAST-256 is an extension to for block cipher submission[NISTAESWWW] CAST5 for inclusion to the AES

AESCD1 • Crypton - Future Systems AESCD2 AESCD3 http://www.future.co.kr/ . AESCD1 AESCD2 • Size efficiency of hardware/software im- plementation • Speed efficiency of hardware/software implementation –At the time of AES, this algorithm • Minimum 128bit block sizes submission would be allowed to ENTER the US, but not leave. Is • Key sizes up to 256 bits something wrong here? • Resilience to all known modern attacks. • DEAL - Outerbridge, Knudsen Fifteen algorithms met these requirements. Ottawa Linux Symposium 2002 77

http://www.ii.uib.no/˜larsr/newblock.html • FROG - TecApro

AESCD1 http://www.tecapro.com/aesfrog.htm AESCD2 AESCD1 AESCD2 –This is one of two submission co- authored by Knudsen. See also Ser- pent! –At the time of AES, this algorithm –Georgoudis is an amateur cryptogra- submission would be allowed to EN- pher, the only one in Puerto-Rico in TER the US, but not leave. Is some- all likelihood! FROG was the first thing wrong here? cipher he ever designed, and it was accepted to the AES process! • DFC - Centre National pour la Recherche –At the time of AES, this algorithm Scientifique - Ecole Normale Superieure submission would be allowed to EN- TER the US, but not leave. Is some- http://www.dmi.ens.fr/˜vaudenay/dfc.html thing wrong here? Or is Puerto- Rico’s special status with the US ex- AESCD1 empt them for this? Isn’t it nice we AESCD2 live in the “free world” and don’t have to worry about such ugliness?

• HPC - Schroeppel –Vive la resistance! –At the time of AES, this algorithm http://www.cs.arizona.edu/˜rcs/hpc/ submission would be allowed to EN- TER the US, but not leave. Is some- AESCD1 thing wrong here? AESCD2 • - Nippon Telegraph and Telephone

http://info.isl.ntt.co.jp/e2/ –An academic’s block cipher. AESCD1 Schroeppel’s paper goes into great detail on the theoretical advantages AESCD2 of his . Not a very practical cipher, underlines the ‘openness’ of the AES submission –At the time of AES, this algorithm process. submission would be allowed to EN- –Bonus question: Hasty Pudding and TER the US, but not leave. Is some- Harvard University - what’s the con- thing wrong here? nection? Ottawa Linux Symposium 2002 78

• LOKI97 - Brown, Pieprzyk, Beberry –At the time of AES, this algorithm submission would be allowed to EN- http://www.unsw.adfa.edu.au/˜lpb TER the US, but not leave. Is some- /research// thing wrong here? • MARS - IBM AESCD1 http://www.research.ibm.com/security AESCD2 /mars.html

AESCD1 AESCD2 –At the time of AES, this algorithm submission would be allowed to EN- TER the US, but not leave. Is some- thing wrong here? –The Lucifer/DES design team (most • MAGENTA - Deutsche Telekom of it) returns. A lot was expected from this team.

no url available • RC6 - RSA Laboratories

AESCD1 http://www.rsasecurity.com/rsalabs/aes/

AESCD2 AESCD1 AESCD2

–Author unknown . . . and for good reason! At the first AES conference, –RC6, based on RC5, based on the presenter from DT had night- RC4. Principle designer Ron mare of nightmares happen. The Rivest, the R in RSA, the man MAGENTA cipher was cracked in behind MD1/2/3/4/5, RC1/2/3/4/5/6 real-time! Discussions in the au- and many other publications. If dience between Biham and others there ever was a crypto rock star, this led to a mountable attack before the is he. presentation was even over! A pa- per was written and published within • Rijndael - Daeman, Rijman twenty-four hours. And the kicker of it all was there were rumours that http://www.esat.kuleuven.ac.be/˜rijmen MAGENTA had been used in pro- /rijndael/ duction DT equipment for years but the algorithm was never published. AESCD1 Chalk one up to security though non- obscurity. AESCD2 Ottawa Linux Symposium 2002 79

http://www.counterpane.com/twofish.html

AESCD1 –Two Flemish Belgians (as apposed to the French Belgians) designed Ri- AESCD2 jndael. Cinderella story: no big names, modest track record, and Eu- ropean nationalities. –Based loosely on . B. –At the time of AES, this algorithm Schneier we know from his seminal submission would be allowed to EN- introductory work on cryptography TER the US, but not leave. Is some- “Applied Cryptography” and his au- thing wrong here? thoring of the most widely analyzed • Safer+ - Cylink Corporation private sector cipher BlowFish.

mailto:[email protected] 4 AES Round Two

AESCD1 The finalists are: AESCD2 • MARS

–Based on the Safer cipher. –Stands for: Multiplication Addition • - Anderson, Biham, Knudsen Rotation Subtraction. These are the primitive operations used by the ci- http://www.cl.cam.ac.uk/˜rja14 pher. /serpent.html –No surprise the cipher made it this far. Don Coppersmith and team have AESCD1 the longest track record and the dis- AESCD2 tinction of designing the DES. • RC6

–Strong cipher, big name authors. Bi- AESCD3 ham co-authored the famous paper on Differential Cryptanalysis. This is one of two Knudsen co- authored in the AES—see DEAL. –No surprise here. • - Counterpane (Schneier, –Stands for: Ron’s Cipher number Kelsey, Whiting, Wagner, Hall, Ferguson) 6. has written many ciphers the entire world uses daily. Ottawa Linux Symposium 2002 80

Remember Distributed.net had a dis- would they wave royalties, other- tributed effort to crack RC5? Well wise they only allow use of RC6 for RC6 makes RC5 look easy to crack, research and educational purposes. and difficult to implement. • Rijndael –The frightening simplicity of the RC6 encryption operation can be summed up in 10 lines of ANSI-C for a 32-bit computer: AESCD3

rc6_encrypt() { {A,B,C,D} = B=B + S[0]; D=D + S[0]; –The cipher name is a play on words for (i=0; i

Figure 4: High level design of all AES finalists

–No surprise here. –Those who know Bruce know he doesn’t have a good chance of win- Figure 5: 2nd AES Conference Survey ning a seat on the United Nations if he ever chose to run. But still, cryp- • ‘‘If only one algorithm were to be selected tographers respect his abilities more as the AES, which should it be?” than his tact and Two Fish made it this far on its own merits. • ‘‘If a back-up algorithm were to be se- lected, which should it be?” All five finalist algorithms were of excellent design. At a high level, they were all very sim- Results from question one showed a clear pref- ilar. erence for Rijndael, Serpent coming in a dis- tant second, and MARS, RC6 and TwoFish ac- • Employed a strong key expansion algo- cumulating few votes combined than Serpent. rithm The four finalists were not as favoured to be- • Pre- and post-whitening to protect the in- come the AES for several reasons. ner cipher rounds from “unfolding” • Judicial combinations of linear and differ- • RC6’s simplicity in software came at an ential operations to thwart any differential unacceptable cost to hardware. In smart- or linier cryptanalysis cards, efficient 32bit multiplication con- sumes far too much surface area. • Constructed from sound mathematical principles • MARS was a strong cipher, with a very complex structure that was not conducive to straightforward analysis. Like RC6, it 5 The Winner - Rijndael also used 32bit multiplies. • Serpent’s popularity was justified, their A Flemish cipher chosen to be an design used the DES s-boxes so hotly con- American standard, what is the world coming tested for the past two decades. These S- to? After the last AES conference where the boxes have been so heavily analyzed (sig- five finalists presented their closing comments, nificantly by one of the Serpent authors) the NSA/NIST distributed a questionnaire: that it would simply be unwise to create a Ottawa Linux Symposium 2002 82

whole new net of S-boxes. And for you To understand how GF works, start by forget- Ditributed.Net people, the cracking effort ting everything you learned in grade school— which brute forced a DES key in 22 hours for many of us this is easily done. Next, under- used an optimization technique called “bit stand that arithmetic in GF is undefined unless slicing.” This technique performed 32 you specify the field. In Rijndael this field is parallel 4x4 DES S-box substitutions in called GF (28). Meaning, there are 256 possi- only a few instructions. Reducing each S- ble values, each value represented by 8 bits, no Box to a Karnough map of bit-wise oper- 7 or 9 bit values exist in GF (28). ators and performing transformations on four 32bit words is how the optimization There are several ways of representing values was accomplished. Effectively transform- in GF below we demonstrate a few: ing a 32bit Single Instruction Single Data (SISD) processor into a Single Instruction Multiple Data (SIMD) processor. Serpent 01010101 = 0550 used this “bit slicing” technique on its = x6 + x4 + x2 + 1 128bit (4 x 32bit) blocks. They overcame 10101010 = 0AA” (2) the speed limitation of DES by using the = x7 + x5 + x3 + x AES block size requirement and a modern 11110001 = 0F 10 optimization technique. Quite clever! = x7 + x6 + x4 + x5 + 1

• TwoFish’s limitations lay in the extra overhead required for full speed optimiza- We define the addition operation. In GF (28) tion. A key and block dependent set of this is what we commonly know as the lookup tables are created at the start of the explosive-or (XOR) operation. encryption/decryption operation. C = A + B 00000000 = 00000001 + 00000001 Rijndael’s design was very tight. Not as sim- 00010001 = 00010000 + 00000001 ple to implement in software as RC6, but the (3) overall simplicity of its sub-components made it the clear favourite. Hardware implementa- Notice addition and subtraction are identical in tions could be made so small, that two parallel this “new math.” implementations of the Rijndael algorithm can fit on a single 8-bit ! 1 + 1 − 1 = 1 (4) 1 XOR 1 XOR 1 = 1 5.1 One Plus One Equals Zero

Next, we define the “multiply by x” operation. The cipher achieves its small footprint and sim- This is where things get a bit strange. To keep plicity from its use of Galois Field (GF) the- closure in GF (28) we need to define a primi- ory. Also known as “primitive polynomials” tive polynomial (analogous to prime numbers or linier feedback shift registers (LFSR), arith- in an integer field) to “divide” our result by to metic in GF requires a minimum of hardware extract our “remainder.” resources—the principal motivation for their use in cell phone and network telecommunica- Multiplying a GF (28) polynomial by x is as tions. simple as sifting the bits to the left by one. Ottawa Linux Symposium 2002 83

C = A • x x3 + x2 + x = x2 + x + 1 • x 00001110 = 00000111 • 00000010 00D0 = 0070 • 0020 Figure 6: The Rijndael ByteSub Layer (5)

In the case where A’s most significant bit (x7) } is high, we immediately know the value will gf8_mult(a,b) { no longer be in GF (28). We perform a modulo rslt = 1; operation with our primitive polynomial on this while (b != 0) { new C value to return it to GF (28). if (b & 1) rslt = rslt ^ a; a = xtime(a); } P = x8 + x4 + x3 + x + 1 return rslt; = 100011011 (6) } = 011B0 You now know how to do math in the crazy Notice that ‘00’ will always map itself back to world of Galois Fields. ‘00’ and only after 255 multiplications by ‘02’ will a value return to its starting value. (Equa- 5.2 Inside Rijndael tions 6 and 7.)

Using Knuth’s binary exponentiation tech- The Rijndael algorithm’s round function con- nique where successive squaring of B are used sists of 4 layers: b to calculate a in log2(b) loops. • ByteSub(data)

Knuth_modExp(a,b) { • ShiftRow(data) rslt = 1; while (b != 0) { • MixColumn(data) if (b & 1) rslt = rslt * a; • BlendKey(data,exp) a = a * a; } return rslt; 5.2.1 ByteSub }

This operation performs a level substitu- Using this same technique of binary GF (28) tion. Unlike DES, this substitution is based on multiplication where successive multiplica- a single bijective transformation defined below. tions by x are used to calculate a • b. See Figure 6 and Equation 8. xtime(x) { if (x & 0x80) 5.2.2 ShiftRow return (x << 1) ^ 0x1b; else This layer does not alter the value of the data, return (x << 1); it simply moves it about in preparation for later Ottawa Linux Symposium 2002 84

C = A • x mod P = 10000001 • x mod P = 0810 • 0020 mod 011B0 = 100000010 mod 100011011 (7) = 100000010 − 100011011 = 100000010 XOR 100011011 = 00011001

        y0 1 0 0 0 1 1 1 1 x0 1          y1   1 1 0 0 0 1 1 1   x1   1           y2   1 1 1 0 0 0 1 1   x2   0           y   1 1 1 1 0 0 0 1   x   0   3     3      =     +   (8)  y4   1 1 1 1 1 0 0 0   x4   0           y   0 1 1 1 1 1 0 0   x   1   5     5             y6   0 0 1 1 1 1 1 0   x6   1  y7 0 0 0 1 1 1 1 1 x7 0

gers. The requirement of co-primality to x4 +1 is required to make this transformation invert- ible. Invertible operations are nice to have if you ever want to recover the data you’re en- crypting! See Figure 8 and Equations 9, 10, Figure 7: The Rijndael ShiftRow Layer 11, 12, 13, and 14. encryption rounds. It is required to have every bit of input effect every bit of output. See Fig- c(x) = 0030x3 +0 010x2 +0 010x1 +0 020x0 ure 7. (9)

b(x) = c(x) ⊗ a(x) (10) 5.2.3 MixColumn

This operation is a bit more complex. Defin-  b   02 03 01 01   a  ing a column as a polynomial of GF (28) co- 0 0  b   01 02 03 01   a  efficients, a cross product of this value by a  1  =    1  (11)  b   01 01 02 03   a  constant polynomial co-prime to x4 + 1 is per-  2     2  b 03 01 01 02 a formed. What did I mean by that? 3 3

A column of Rijndael data contains 4 . 8 Each byte represents a polynomial in GF (2 ). d(x) = 00B0x3 +0 0D0x2 +0 090x1 +0 0E0x0 The column however represents a polynomial (12) of polynomials. When two numbers are co- prime, they do not share any factors other than 1, this applies to all number fields, not just inte- b(x) = d(x) ⊗ a(x) (13) Ottawa Linux Symposium 2002 85

5.4 Implementation

Efficient implementation of the Rijndael algo- rithm lies in efficient implementation of the Rijndael sub-round transformation. The sub- Figure 8: The Rijndael MixColumn Layer round transformation has several layers. The ByteSub layer is best implemented as a lookup table, the ShiftRow layer by cyclic array offsets and the BlendKey layer is a trivial matter.

The MixColumn operation requires a bit more Figure 9: The Rijndael BlendKey Layer thought. The following code segment demon- strates how to mix a single column. This oper- ation would be performed several times though a single sub-round which is itself executed sev-       a0 0E 0D 0B 09 b0 eral times in a single round, which in turn is ex-  a   09 0E 0D 0B   b  ecuted several times in a single block encryp-  1     1    =      a2   0B 09 0E 0D   b2  tion operation. This procedure will net you a 3 a3 0D 0B 09 0E b3 nice (!) O(n ) time complexity if implemented (14) in serial!

5.2.4 BlendKey void MixOneColumn(char a[4]) { char Tmp, T; An XOR operation with the expanded key is Tmp = a[0] ^ a[1] ^ a[2] ^ a[3]; performed on each byte in the cipher’s block T = a[0] ^ a[1]; T = xtime(T); of data. See Figure 9 and Equation 15. a[0] ^= T ^ Tmp; T = a[1] ^ a[2]; T = xtime(T); a[1] ^= T ^ Tmp;  b   e   a  0 0 0 T = a[2] ^ a[3]; T = xtime(T);  b   e   a   1   1   1  a[2] ^= T ^ Tmp;   =   ⊕   (15)  b2   e2   a2  T = a[3] ^ a[0]; T = xtime(T); b3 e3 a3 a[3] ^= T ^ Tmp; } 5.3 The Sub-Round Function

These operations are combined to create the There is room for a significant increase in Rijndael sub-round transformation (see Equa- speed if the implementer is willing to sacrifice tion 16). This sub-round operation is per- size. Collapsing the ByteSub and MixColumn formed anywhere from four to eight times each operations into a single 8x32 lookup table and round depending on the block size specified. a little coaxing of the equations, the entire sub- The Round function is performed any where round transformation can be reduced to four from 10 to 14 times depending on the key and lookups, four 32bit XORs, and three cyclic bit block sizes specified. rotations by 8. Ottawa Linux Symposium 2002 86

        b0,j 02 03 01 01 S [a0,j] e0,j  b   01 02 03 01   S [a ]   e   1,j     1,j−C1   1,j    =     ⊕   (16)  b2,j   01 01 02 03   S [a2,j−C2]   e2,j  b3,j 03 01 01 02 S [a3,j−C3] e3,j

The question remains, did the NSA/NIST do  S [v] •0 020  their job? Was the AES a success? The NSA’s  S [v]    responsibility to monitor domestic and interna- T0 [v] =   (17)  S [v]  tional communication would naturally lead to S [v] •0 030 developing a into such a widely used algorithm.

bj = kj ⊕ T0[a0,j]⊕ However, the NSA also has the responsibility ROR (T [a ]⊕ 8 0 1,j−C1 (18) of protecting American interests for the pub- ROR8(T0[a2,j−C2]⊕ lic as well as private sectors. A strong algo- ROR8(T0[a3,j−C3]))) rithm would be conducive to one goal but not the other. At a cost of 4 kilobytes of lookup tables, this can be further reduced to four lookups and four The winning block cipher design was not of 32bit XORs. American origin. It is strange how an Amer- ican standard came from Belgium. Still, it would appear as though the best cipher won the day. Rijndael is fast (30Mbit/sec ANSI-C, P3 b = k ⊕ T [a ] ⊕ T [a ] j j 0 0,j 1 1,j−C1 (19) 450), simple (see Equation 19), and efficient in ⊕T2[a2,j−C2] ⊕ T3[a3,j−C3] hardware as well as software, and widely con- sidered to be secure. At first glance, this seems far too simple a How are these the contradictions in the respon- transformation to be secure. One is left search- sibilities of the NSA reconciled by the AES ing for a backdoor but can find no place to hide standard? The answer is simple; an impervi- it. ous block cipher is insufficient to insure the to- tal security of transmitted data. 5.5 What did/can the NSA do? There are three broad classes of digital encryp- Unlike the DES, the AES publication has no tion algorithms: changes to the Rijndael algorithm other than limiting the block size from any one of 128, • Message digest or hash algorithms such as 192 or 256bits to 128bits. I have written an- MD5 and SHA-1 operate without the use other paper suggesting that block sizes and key of a key. These algorithms are ‘blenders,’ sizes be identical or the possibility of multiple they reduce input data to a fixed length bi- keys mapping one plaintext input to another nary sequence. These sequences are con- ciphertext output would exist. Don Copper- structed such that any minute change to smith took the time to explain there are circum- the input significantly changes the output. stances where having a larger key to block size would be preferable. • Block ciphers such as TripleDES and Ottawa Linux Symposium 2002 87

AES operate with a single key. With this communicating over channel C using in- key, data is encrypted in such a way that it formation k only known to A and B. can only be decrypted with the same key. – Assume a symmetric algorithm c = • Public-key algorithms operate using two Ek(d) exists with no possible crypt- distinct but mathematically related keys. analytic attack. That is, d cannot be An operation performed by one key can recovered from c unless k is known. only be undone by its complement. This – System A opens and communicates facilitates the confidential exchange of c = E (d) with n = H(c) bits of small pieces of data and the authentication k information though C to B. of data origin. – System C cannot recover d since The laws of thermodynamics state the energy only c is known. in a closed system remains constant. The con- – System B can recover d since c and nection of matter, energy, information and en- k are known. tropy are well understood. Extending these – B now obtains information d pos- laws to the realm of system-level security as sessed by A and not C. applied by cryptography one can come to three conclusions: – This information or entropy was communicated to B though channel C using entropy held only by A and • Message digest algorithms The laws per- B. mits the existence of a perfect message di- gest algorithm. A hash algorithm with no We have not contradicted ourselves, thus mountable attack other then brute force; we cannot disprove the existence of a per- in this case the parallel collision attack. fect block cipher.

• Block ciphers The laws permits the exis- • Public-Key tence of a perfect block cipher. A cipher Now consider our two closed systems A with no mountable attach other than brute and B with channel C communicating force. with no .

• Public-key algorithms The laws do not – Assume a perfect public-key algo- permit the existence of a perfect public- rithm c = Ppub(d), d = Ppri(c). That key algorithm. Looking purely at the flow is, d cannot be recovered from c un- of information required to conserve con- less pri is known. fidentiality of key pieces of data, the re- A strictions the law places on reality forbids – System opens and communicates c = P (d) n = H(c) such an algorithm to exist. pub with bits of information though C to B.

To demonstrate this we consider two scenar- – System C cannot recover d since ios, confidential exchange with a block ci- only c and pub are known. pher/shared secret and with a public-key. – System B can recover d since c and pri are known. • Block Cipher – B now obtains information d pos- Consider two closed systems A and B sessed by A and not C. Ottawa Linux Symposium 2002 88

– This information or entropy was 6 Modes of Operation communicated to B though channel C using entropy common to all A, B Equally important to the good design of a block and C. cipher is how it is used to encrypt data. In 1980 the NSA/NIST published a set of stan- dard modes of operation for the DES.

The publication detailed 4 modes of operation. There are three characteristics that differ from Here we have our contradiction, A gave B each mode: the primitive data unit, the prop- more entropy than was ever transmitted though erty of memory and the property of state. S C and possessed by A. So this tells us at least e modes operate at the bit level, others at the one of our assumptions was flawed, either no block level. Some modes operate with a mem- entropy was transmitted or there can be no per- ory of all data previously encrypted and others fect public-key algorithm. are memoryless. Some modes operate with a state variable, which is altered after each en- What does this mean for RSA, ElGamal, cryption operation while others are completely Diffie-Hellman, Elliptic curve systems, and stateless. other public-key algorithms? The strength of public-key algorithms stem from our ignorance of their underlying mathematics. Any amateur • Encrypted Cipher Block (ECB) cryptographer could have told you that, this was just a loose formalization proving it. –Data unit: block. –Memoryless: yes. Will come to the res- cue? Simply replacing our ignorance of math- –Stateless: yes. ematics with our ignorance of physics is not a lasting solution. The Standard Model of sub- • Cipher Block Chaining (CBC) atomic particles explains the communication –Data unit: block. of force (Gravity, Electro-weak and Strong nu- clear forces) as an exchange of virtual particles. –Memoryless: no.

Fixating a quantum-coupled photon will cause –Stateless: no. its complement to fixate in the opposite spin. • Output Feed Back (OFB) The communication between these two pho- tons is suspected to be in the form of some sort –Data unit: bit. of virtual particle. The key in usurping the in- formation between these two parties would lie –Memoryless: yes. in detecting the energy state of the virtual par- –Stateless: yes. ticles exchange between the two coupled pho- tons. • Cipher Feed Back (CFB)

It doesn’t matter how many ways you skin –Data unit: bit. Schrödinger’s Cat. At the end of the day even –Memoryless: no. his feline must obey the laws of thermodynam- ics. –Stateless: no. Ottawa Linux Symposium 2002 89

Figure 11: The Tweaked CBC Mode of Opera- Figure 10: The CBC Mode of Operation tion

These modes of operation are sound and math- ematically provable. However, security is not the only concern in today’s de- ployments. There are serious performance re- strictions when using the stronger CBC and CFB modes versus the ECB and OFB modes.

The memoryless modes of operation make par- allelism possible. A stateless and memory- less cipher mode leaves an attacker with many opportunities for attacks that do not require breaking any encryption algorithms. The ex- Figure 12: The CTR Mode of Operation change was clear, security for performance.

The CBC mode of operation is the most com- monly used, in file and network encryption. vate sector’s security and speed requirements. The CFB mode is commonly used by network encryption protocols such as SSH where trans- The counter (CTR) mode of operation— mitting an entire 128bit block to communicate designed by Diffie and Hellman in 1979— a single byte of data would be wasteful. provides protection from the kinds of attacks mountable against ECB and OFB modes as The author of this paper has another publica- CBC does, but with high parallelism. tion where he recommends a ‘tweak’ to the classic CBC mode of operation. The Tweaked- The NSA/NIST has also made known their in- CBC mode proposed reduces the format pars- tention of standardizing on another mode of ing and API requirements by implicitly en- operation to be used not for confidentiality crypting the CBC (IV) in but for authentication. Message Authentica- the ciphertext payload. While the decryption tion Codes (MAC) exist today using the mem- operation will implicitly assign the IV after the ory/state based modes of operation mentioned first block is processed and discarded. above. However, confidentiality and authen- tication are always viewed as orthogonal to The core requirements of the AES were high each other. One should not assume authentic- security and high throughput. A new mode of ity when dealing with confidentiality and visa operation was needed to accommodate the pri- versa. Ottawa Linux Symposium 2002 90

7 Message Digest Algorithms With the publication of the AES however, a 160bit hash algorithm with an effective strength of 80bits is mismatched with the 128, 192 and 256 bit key strengths of AES. The Message digest algorithms have followed a his- NSA has stepped up and published new al- tory of their own. Hash algorithms are suscep- gorithms to SHA family in a draft processing tible to a statistical attack known as the Birth- standard. These algorithms are named SHA- day Paradox. 256, SHA-384 and SHA-512 with 256, 384 How many people do you need in room before and 512bit digests and effective strengths of the probability of two people having the same 128, 192, 256bits respectively. These hash al- birthday is over 50%? The answer is 20. gorithms posses effective strengths equal to the AES key sizes. Reword the question to “If two random 128bit values are being generated in parallel, how The SHA-384 algorithm is simply the SHA- many 128bit number generations are required 512 algorithm with a truncated digest. Many before the probability of two values match- of the SHA-512 core operations are 64bit addi- 128 64 ing?” The answer is 2 2 or 2 . tion, 64bit rotation and 64bit shifts. The SHA- 512 and SHA-384 were not designed with soft- In 1994, van Oorschot and Weiner published ware implementations on 32bit machines in a design for an MD5 collision machine that mind. could produce a collision in less than 30 days at a cost of $10M. Assuming that Moore’s law was obeyed from 1994 to 2002 (which is in fact 8 Summary a conservative assumption), the cost of such a machine by the time this paper was written was The Flemish Rijndael block cipher has been less than $200,000. Suffice it to say, 128bit chosen as the Advanced Encryption Standard message digest algorithms should no longer be out of an international of 15 modern al- considered cryptographically secure. gorithms obsoleting the decades old Data En- cryption Standard. The AES can be heavily The digest size of MD5 was not the only weak- optimized for speed or size in either hardware ness in it design. The NSA in its Digital or software forms. The cipher represents the Signature Standard (DSS) published what it state-of-the-art in private sector cryptography. called the Secure Hash Algorithm (SHA). SHA This possibility of backdoors for government was highly criticized by the private sector and agencies is negligible due to the simplistic de- academia, so an enhanced SHA-1 was pub- sign of the AES. lished in its place.

160−128 There are five approved modes of operation for SHA-1 digest size was 160bit, 2 2 or the AES, 4 were adopted from the DES. The 65,536 times more secure than MD5’s 128bit new mode of operation is called CTR and is digest. Also, the SHA-1 algorithm was con- highly parallelizable. Another mode of opera- structed in such a way that bit input into the tion for authentication is still to be announced. algorithm effected every possible output digest bit. This is not a characteristic of MD5. For The new Secure Hash Algorithms support 256, this reason, research into digest algorithms has 384 and 512bit digests, taking the Birthday stagnated. The private sector feels the NSA has Paradox into account their effective strengths done as good a job as conceivably possible. are 128, 192 and 256 bits respectively. The new Ottawa Linux Symposium 2002 91

Secure Hash Algorithms represent the state-of- [NISTAESWWW] The Advanced Encryption the-art in message digest algorithms. Standard Website, http://www.nist.gov/aes/, (a)

References [MD5] The MD5 Message Digest Algorithm, http://www.faqs.org/rfcs [CertKeyRes] CertainKey Online Resources, /rfc1321.html, (1992) http://www.certainkey.com /resources/ [NISTSHA1] The Secure Hash Standard, http://www.itl.nist.gov [CertKeyOLS2002] CertainKey At OLS /fipspubs/fip180-1.htm, (1995) 2002, http://www.certainkey.com /ols2002/, (2002) [NISTSHA2] The Secure Hash Standard, [Cooke2001] Functionally Equivalent Keys in http://csrc.nist.gov the Advanced Encryption Standard, /encryption/shs http://jlcooke.ca/aes /dfips-180-2.pdf, (2001) /aes_fek., (2001) [NISTDSS] The Standard, [Cooke2001b] Plaintext Dependency of http://csrc.nist.gov Functionally Equivalent Keys in the /publications/fips/fips186-2 Advanced Encryption Standard, /fips186-2.pdf, (2000) http://jlcooke.ca/aes /aes_fek2.pdf, (2001) [CAST128] The CAST-128 Encryption Algorithm, http://www.faqs.org [Thermo] Wolfram Research: World of /rfcs/rfc2144.html, (1997) Physics Online Reference, http://scienceworld.wolfram.com [CAST256] The CAST-256 Encryption /physics/ThermodynamicLaws.html Algorithm, http://www.faqs.org /rfcs/rfc2612.html, (1999) [NISTDES] The , http://csrc.nist.gov [AESCD1] AES CD-1: Documentation /publications/fips/fips46-3 /fips46-3.pdf, (1976-1999) [AESCD2] AES CD-2: Source Code [NISTMODEOP] DES Modes of Operation, [AESCD3] AES CD-3: Finalists http://www.itl.nist.gov /fipspubs/fip81.htm, (1980) [DC] Differential Cryptanalysis of the Data Encryption Standard, [NISTAES] The Advanced Encryption ISBN-0387979301, Shamir Biham, Standard, http://csrc.nist.gov (1994) /publications/fips/fips197 /fips-197.pdf, (2001) [DEAL] A 128-bit Block Cipher, http://www.ii.uib.no/˜larsr [NISTAESMODEOPS] Recommendation for /newblock.html, (1998) Block Cipher Modes of Operation, http://csrc.nist.gov [E2] The 1280bit Block Cipher E2, /publications/nistpubs/800-38a http://info.isl.ntt.co.jp/e2/, /sp800-38a.pdf, (2001) (1999) Ottawa Linux Symposium 2002 92

[HPC] The Hasty Pudding Cipher, http://www.cs.arizona.edu/˜rcs /hpc/, (1998)

[LOKI97] The LOKI97 Block Cipher, http://www.unsw.adfa.edu.au /˜lpb/research/loki97/, (1997)

[MARS] MARS - a candidate cipher for AES, http://www.research.ibm.com /security/mars.html, (1999)

[RC6] RC6 Block Cipher, http://www.rsasecurity.com /rsalabs/aes/, (1998)

[Rijndael] The Block Cipher Rijndael, http://www.esat.kuleuven.ac.be /˜rijmen/rijndael/, (1999)

[Serpent] Serpent, http://www.cl.cam.ac.uk/˜rja14 /serpent.html, (1998)

[TwoFish] TwoFish: A 128-bit Block Cipher, http://www.counterpane.com /twofish.html, (1998) Proceedings of the Ottawa Linux Symposium

June 26th–29th, 2002 Ottawa, Ontario Canada Conference Organizers Andrew J. Hutton, Steamballoon, Inc. Stephanie Donovan, Linux Symposium C. Craig Ross, Linux Symposium

Proceedings Formatting Team John W. Lockhart, Wild Open Source, Inc.

Authors retain copyright to all submitted papers, but have granted unlimited redistribution rights to all as a condition of submission.