ECE 646 – Lecture 7

Secret-Key Data Encryption Standard – DES

NBS public request for a standard cryptographic algorithm: May 15, 1973, August 27, 1974

The algorithm must be:
• secure
• public – completely specified
• easy to understand
• available to all users
• economic and efficient in hardware
• able to be validated
• exportable

Secret agreement between IBM & NSA, 1974

Obligations of IBM:
• Algorithm developed in secret by IBM
• NSA reserved a right to monitor the development and propose changes
• No software implementations, just hardware chips
• IBM not allowed to ship implementations to certain countries
• License required to ship to carefully selected customers in approved countries

Obligations of NSA:
• … of approval

DES – chronicle of events

1973 – NBS issues a public request for proposals for a standard cryptographic algorithm
1975 – first publication of the IBM's algorithm and request for comments
1976 – NBS organizes two workshops to evaluate the algorithm
1977 – official publication as FIPS PUB 46
1983, 1987, 1993 – recertification of the algorithm for another five years
1993 – software implementations allowed to be validated

Controversies surrounding DES

Unknown design criteria → Most criteria reconstructed from analysis → 1990: Reinvention of differential cryptanalysis
Slow in software → Only hardware implementations certified → 1993: Software, firmware and hardware treated equally
Too short key → Theoretical designs of DES breaking machines → 1998: Practical DES cracker built

Life of DES (timeline 1980 – 2030)

• 1977 – DES: American standard, 56-bit key, 64-bit block
• 1999 – Triple DES: 112- and 168-bit keys (later 168-bit only), 64-bit block
• 2002 – AES (Rijndael): American standard, 128-, 192- and 256-bit keys
• DES key contest
• Other popular block ciphers: IDEA, RC5, RC6, CAST, Mars

DES – external look

• block: 64 bits
• key: 56 bits

Typical Flow Diagram of a Secret-Key Cipher

Initial transformation        ← Round Key[0]
i := 1
Cipher Round                  ← Round Key[i]       (executed #rounds times)
i := i + 1
i < #rounds ?  → yes: next Cipher Round
Final transformation          ← Round Key[#rounds+1]

DES – high-level internal structure (DES Main Loop)

IP → 16 rounds (L0 R0 → L1 R1 → … → L15 R15 → L16 R16, with round keys K1 … K16 and the mangler function f) → swap of halves (R16 L16) → IP^-1

Classical Feistel Network (Feistel Structure)

plaintext = L0 R0
for i = 1 to n {
    Li = Ri-1
    Ri = Li-1 ⊕ f(Ri-1, Ki)
}
Ln+1 = Rn
Rn+1 = Ln ⊕ f(Rn, Kn+1)
ciphertext = Ln+1 Rn+1

Feistel Structure – Decryption

Encryption: IP, rounds with K1, K2, …, K16, IP^-1 (L0 R0 → … → R16 L16).
Decryption: the same network with the round keys taken in reverse order K16, K15, …, K1 (R16 L16 → … → L0 R0), again between IP and IP^-1.

Given Ln+1, Rn+1 (and Kn+1), how are Ln, Rn recovered?
Rn = Ln+1
Ln = Rn+1 ⊕ f(Rn, Kn+1) = Rn+1 ⊕ f(Ln+1, Kn+1)
(f itself is never inverted, so it need not be an invertible function)

Mangler Function of DES, F

Notation for permutations (the entries shown are those of the DES initial permutation IP)

Input:   i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
Table:   58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
Output:  i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7

(output bit k is the input bit whose number is the k-th table entry)

Notation for S-boxes

Input: i1 i2 i3 i4 i5 i6
• i1 i6 determines a row number in the S-box table, 0..3
• i2 i3 i4 i5 determine a column in the S-box table, 0..15
• o1 o2 o3 o4 is a binary representation of a number from 0..15 in the given row and the given column
Output: o1 o2 o3 o4

General design criteria of DES

1. Randomness

2. Avalanche property changing a single bit at the input changes on average half of the bits at the output

3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits)

4. Nonlinearity encryption function is non-affine for any value of the key

5. Output bits are statistically independent of any subset of input bits

Completeness property

Every output bit is a complex function of all input bits (and not just a subset of input bits).

Formal requirement: for all values of i and j, i = 1..64, j = 1..64, there exist inputs X1 and X2 that differ only in bit i,

X1 = x1 x2 x3 … xi-1 0 xi+1 … x63 x64
X2 = x1 x2 x3 … xi-1 1 xi+1 … x63 x64

such that Y1 = DES(X1) and Y2 = DES(X2) differ in bit j:

Y1 = y1 y2 y3 … yj-1 yj yj+1 … y63 y64
Y2 = y1 y2 y3 … yj-1 ¬yj yj+1 … y63 y64

Linear Transformations

Transformations that fulfill the condition
T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1]
or, equivalently,
T(X1 ⊕ X2) = T(X1) ⊕ T(X2)

Affine Transformations

Transformations that fulfill the condition
T(X[m×1]) = Y[n×1] = A[n×m] × X[m×1] ⊕ B[n×1]

Linear Transformations of DES

IP, IP^-1, E, PC1, PC2, SHIFT
e.g., IP(X1 ⊕ X2) = IP(X1) ⊕ IP(X2)

Non-linear and non-affine transformations of DES

S-boxes S: there are no such matrices A[4×6] and B[4×1] that
S(X[6×1]) = A[4×6] × X[6×1] ⊕ B[4×1]

Design of S-boxes

S[0..15], out = S[in]
• 16! ≈ 2 × 10^13 possibilities
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir)

Theoretical design of the specialized machine to break DES

Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attack
Basic component: specialized integrated circuit in CMOS technology, 75 MHz
Checks: 200 mln keys per second
Costs: $10

Total cost | Estimated time
$1 mln     | 35 minutes
$100,000   | 6 hours

DES breaking machine (one search unit): key counter → Key Scheduling Round 1 … Round 16 feeding Encryption Round 1 … Round 16 (pipelined, so key 1, key 2, … are processed simultaneously, each round with its round key) → comparator of the result against the known ciphertext of the known plaintext.

Deep Crack

Electronic Frontier Foundation, 1998

Parameters:
Number of ASIC chips: 1800
Clock frequency: 40 MHz
Number of clock cycles per key: 16
Number of search units per ASIC: 24
Search speed: 90 bln keys/s

Total cost: $220,000
Average time of search (average time to recover the key): 4.5 days/key

COPACOBANA

Cost-Optimized Parallel Code Breaker
Ruhr University Bochum, University of Kiel, 2006
• Based on Xilinx FPGAs (Field Programmable Gate Arrays)
• ver. 1 – based on 120 Spartan 3 FPGAs
• ver. 2 – based on 128 Virtex 4 SX 35 FPGAs
• Cost: € 8980 (ver. 1)
• Description, FAQ, and news available at http://www.copacobana.org/

For ver. 1 based on Spartan FPGAs:
Clock frequency = 136 MHz
Average search time for a single DES key = 6.4 days
Worst case search time for a single DES key = 12.8 days

Secure key length today and in 20 years
(against an intelligence agency with the budget of $300M)

key length
128 bits – IDEA, minimum key length in AES
112 bits – Triple DES with three different keys
100 bits – Secure key length in 2027
94 bits – Secure key length in 2018
80 bits
56 bits – DES

Secure key length – discussion
• increasing key length in a newly developed cipher costs NOTHING
• increasing effective key length, assuming the use of an existing cipher, has a limited influence on the efficiency of implementation (Triple DES)
• It is economical to use THE SAME secure key length FOR ALL applications
• The primary barriers blocking the use of symmetric ciphers with a secure key length have been of the political nature (e.g., export policy of USA)

Triple DES

EDE mode with two keys (Diffie, Hellman, 1977):
encryption: plaintext → E(K1) → D(K2) → E(K1) → ciphertext
decryption: ciphertext → D(K1) → E(K2) → D(K1) → plaintext

EDE mode with three keys (Diffie, Hellman, 1977):
encryption: plaintext → E(K1) → D(K2) → E(K3) → ciphertext
decryption: ciphertext → D(K3) → E(K2) → D(K1) → plaintext

(each E / D is a single-DES encryption / decryption with a 56-bit key)

Advantages:
• secure key length (112 or 168 bits)
• increased (compared to DES) resistance to linear and differential cryptanalysis
• possibility of utilizing existing implementations of DES

Disadvantages:
• relatively slow, especially in software

Best Attacks Against Triple DES

• Version with three keys (168 bits of key): meet-in-the-middle attack with 2^32 known (plaintext-ciphertext pairs), 2^113 steps, 2^90 single DES (operations) and 2^88 memory; effective key size = 2^112
• Version with two keys (112 bits of key): effective key size = 2^80

Why a new standard?

1. Old standard insecure against brute-force attacks
2. Straightforward fixes lead to inefficient implementations
   • Triple DES (in → K1 → K2 → K3 → out)
3. New trends in fast software encryption
   • use of basic instructions of the microprocessor
4. New ways of assessing cipher strength
   • differential cryptanalysis
   • …

Advanced Encryption Standard – AES

Why a contest?

• Focus the effort of cryptographic community (small number of specialists in the open research)
• Stimulate the research on methods of constructing secure ciphers
• Avoid theories
• Speed-up the acceptance of the standard

External format of the AES algorithm

plaintext block: 128 bits → AES (key: 128, 192, 256 bits) → ciphertext block: 128 bits

Rules of the contest

Each team submits:
• detailed cipher description
• justification of design decisions
• tentative results of cryptanalysis
• source code in C
• source code in Java
• test vectors

AES Contest Effort

June 1998 – Round 1: 15 candidates from USA, Canada, Belgium, France, Germany, Norway, UK, Israel, Korea, Japan, Australia, Costa Rica; evaluated for security and software efficiency
August 1999 – Round 2: 5 final candidates: Mars, RC6, Rijndael, Serpent, Twofish; evaluated for security and hardware efficiency
October 2000 – 1 winner: Rijndael (Belgium)

AES contest – First Round

15 June 1998 – Deadline for submitting candidates: 21 submissions, 15 fulfilled all requirements
August 1998 – 1st AES Conference in Ventura, CA: presentation of candidates
March 1999 – 2nd AES Conference in Rome, Italy: review of results of the First Round analysis
August 1999 – NIST announces five final candidates

AES: Candidate algorithms

North America (8):
• Canada: CAST-256, Deal
• USA: Mars, RC6, Twofish, Safer+, HPC
• Costa Rica: Frog
Europe (4):
• Germany: Magenta
• Belgium: Rijndael
• France: DFC
• Israel, UK, Norway: Serpent
Asia (2):
• Korea: Crypton
• Japan: …
Australia (1):
• Australia: LOKI97

AES Finalists

USA:
• Mars – IBM: C. Burwick, D. Coppersmith, E. D'Avignon, R. Gennaro, S. Halevi, C. Jutla, S. M. Matyas, L. O'Connor, M. Peyravian, D. Safford, N. Zunic
• RC6 – RSA Data Security, Inc.: R. Rivest (MIT), M. Robshaw, R. Sidney, Y. L. Yin (RSA)
• Twofish – Counterpane Systems: B. Schneier, J. Kelsey, C. Hall, N. Ferguson (Counterpane), D. Whiting (Hi/fn), D. Wagner (Berkeley)

Europe:
• Rijndael – J. Daemen, V. Rijmen, Katholieke Universiteit Leuven, Belgium
• Serpent – R. Anderson (Cambridge, England), E. Biham (Technion, Israel), L. Knudsen (University of Bergen, Norway)

How did NIST make the final decision?

BASIC CRITERIA: security, software efficiency, hardware efficiency, flexibility

Security: Theoretical attacks better than exhaustive key search

Cipher   | # of rounds in the attack | remaining rounds | total # of rounds              | rounds in the attack / total # of rounds × 100%
Serpent  | 9                         | 23               | 32                             | 28% (72% not attacked)
Twofish  | 6                         | 10               | 16                             | 38% (62%)
Mars     | 11                        | 5                | 16 (without 16 mixing rounds)  | 69% (31%)
Rijndael | 7                         | 3                | 10                             | 70% (30%)
RC6      | 15                        | 5                | 20                             | 75% (25%)

NIST Report: Security

Security margin (plotted against complexity, from simple to complex):
High – MARS, Serpent, Twofish
Adequate – Rijndael, RC6

Efficiency – what's more important: software or hardware?

Software or hardware?

SOFTWARE:
• security of data during transmission
• low cost
• flexibility (new cryptoalgorithms, protection against new attacks)

HARDWARE:
• speed
• random key generation
• access control to keys
• tamper resistance (viruses, internal attacks)

Efficiency parameters

Latency: time to encrypt/decrypt a single block of data (Mi → Ci)
Throughput = Speed: number of bits encrypted/decrypted in a unit of time (blocks Mi, Mi+1, Mi+2 … in flight → Ci, Ci+1, Ci+2 …)

Throughput = Block_size · Number_of_blocks_processed_simultaneously / Latency

Primary efficiency indicators
Hardware: Speed, Area, Power consumption
Software: Speed, Memory

Efficiency in software

Chart: code submitted by authors, 200 MHz Pentium Pro, Borland C++; speed [Mbits/s] (scale 0–30) for 128-bit, 192-bit and 256-bit keys; candidates shown: Rijndael, RC6, Twofish, Mars, Serpent.

NIST Report: Software Efficiency

Encryption and decryption speed on 32-bit processors, 64-bit processors and DSPs, and encryption and decryption speed in software on smart cards (8-bit and 32-bit processors), graded high / medium / low: Rijndael is rated high on every platform, Serpent low on every platform, and RC6, Twofish and Mars are rated high or medium depending on the platform.

Efficiency in software

Strong dependence on:
1. Instruction set architecture (e.g., variable rotations)
2. Programming language (assembler, C, Java)
3. Compiler
4. Programming style

Efficiency in hardware

Primary ways of implementing cryptography in hardware: ASICs and FPGAs

ASIC (Application Specific Integrated Circuit):
• high performance
• low power
• low cost (but only in high volumes)
• designs must be sent for expensive and time-consuming fabrication in a semiconductor foundry
• designed all the way from behavioral description to physical layout

FPGA (Field Programmable Gate Array):
• off-the-shelf
• low development costs
• short time to the market
• reconfigurability
• bought off the shelf and reconfigured by designers themselves
• no physical layout design; design ends with a bitstream used to configure a device

Which way to go?

Efficiency in hardware

Charts: (a) FPGA Virtex 1000 throughput [Mbit/s] reported by George Mason University, University of Southern California and Worcester Polytechnic Institute for Serpent (I8 and I1 architectures), Rijndael, Twofish, RC6 and Mars; (b) ASIC implementations by NSA, throughput [Mbit/s] with 128-bit key scheduling and with 3-in-1 (128, 192, 256 bit) key scheduling, for Rijndael, Serpent, Twofish, RC6 and Mars.

NIST Report + GMU Report: Hardware Efficiency

Speed (GMU FPGA results, plotted against area: small / medium / large):
High – Rijndael, Serpent
Medium – Twofish, RC6
Low – MARS

Selecting the Winner – straw poll at the AES 3 conference

Rijndael second best in FPGAs, selected as a winner due to much better performance in software

Input, internal state, and output

Order of bytes within input, internal state, and output arrays: 128 bits = 16 bytes, filled column by column:

a0,0 a1,0 a2,0 a3,0 | a0,1 a1,1 a2,1 a3,1 | a0,2 a1,2 a2,2 a3,2 | a0,3 a1,3 a2,3 a3,3
     column 0       |      column 1       |      column 2       |      column 3

State array:
a0,0 a0,1 a0,2 a0,3
a1,0 a1,1 a1,2 a1,3
a2,0 a2,1 a2,2 a2,3
a3,0 a3,1 a3,2 a3,3

SubBytes

S-box: substitution values for the byte xy (in hexadecimal notation)

bi,j = S-box[ai,j]:
a0,0 a0,1 a0,2 a0,3       b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3   →   b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3       b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3       b3,0 b3,1 b3,2 b3,3

• Bytes are transformed by applying an invertible S-box
• One single S-box for the complete cipher

ShiftRows

row 0: no shift                       a b c d → a b c d
row 1: cyclic shift left by C1 = 1    e f g h → f g h e
row 2: cyclic shift left by C2 = 2    i j k l → k l i j
row 3: cyclic shift left by C3 = 3    m n o p → p m n o

MixColumns

Each column a0,j a1,j a2,j a3,j is multiplied by a fixed matrix (over GF(2^8)):

| b0,j |   | 2 3 1 1 |   | a0,j |
| b1,j | = | 1 2 3 1 | × | a1,j |
| b2,j |   | 1 1 2 3 |   | a2,j |
| b3,j |   | 3 1 1 2 |   | a3,j |

High diffusion:
• A difference in 1 input byte propagates to all 4 output bytes
• A difference in 2 input bytes propagates to at least 3 output bytes
• Any linear relation between input and output bits involves bits from at least 5 different bytes (branch number = 5)

AddRoundKey

b = a ⊕ k: simple bitwise addition (xor) of round keys, bi,j = ai,j ⊕ ki,j

Number of rounds

Block length \ Key length | 128 bits (Nk=4) | 192 bits (Nk=6) | 256 bits (Nk=8)
128 bits (Nb=4)           | 10              | 12              | 14
192 bits (Nb=6)           | 12              | 12              | 14
256 bits (Nb=8)           | 14              | 14              | 14

Nb=4 required by the standard; Nb=6 and Nb=8 are non-standard extensions
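The diffusion claims for ShiftRows and MixColumns can be checked directly. The following is an added Python example, not the lecture's code and not the AES reference implementation: it builds the 4×4 state of the slides, implements ShiftRows and MixColumns (with their inverses) using GF(2^8) arithmetic written out by hand, and counts how many output bytes change when a difference is injected into one or two input bytes. The sample input block is a constructed value; the MixColumns matrices are the standard AES ones.

```python
# Added example (not the lecture's or the AES reference code): the two diffusion
# layers of an AES round, ShiftRows and MixColumns, on the 4x4 byte state of the
# slides, with the GF(2^8) arithmetic written out so the diffusion claims can be checked.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def xtime(b: int) -> int:
    """Multiply a byte by x (= 0x02) in GF(2^8)."""
    b <<= 1
    return (b ^ AES_POLY) & 0xFF if b & 0x100 else b


def gmul(a: int, b: int) -> int:
    """General GF(2^8) multiplication by shift-and-add on xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def bytes_to_state(data: bytes) -> list:
    """s[r][c] = a_{r,c}; the 16 input bytes fill the state column by column."""
    return [[data[r + 4 * c] for c in range(4)] for r in range(4)]


def state_to_bytes(s: list) -> bytes:
    return bytes(s[r][c] for c in range(4) for r in range(4))


def shift_rows(s: list) -> list:
    """Row r is cyclically shifted left by C_r = r bytes (row 0 is not moved)."""
    return [s[r][r:] + s[r][:r] for r in range(4)]


def inv_shift_rows(s: list) -> list:
    return [s[r][-r:] + s[r][:-r] for r in range(4)]


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col: list, m: list = MIX) -> list:
    """Multiply one 4-byte column by the circulant matrix m over GF(2^8)."""
    return [gmul(m[r][0], col[0]) ^ gmul(m[r][1], col[1])
            ^ gmul(m[r][2], col[2]) ^ gmul(m[r][3], col[3]) for r in range(4)]


def _mix(s: list, m: list) -> list:
    cols = [mix_column([s[r][c] for r in range(4)], m) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def mix_columns(s: list) -> list:
    return _mix(s, MIX)


def inv_mix_columns(s: list) -> list:
    return _mix(s, INV_MIX)


def diffusion(data: bytes, byte_indices: list, delta: int = 0x01) -> int:
    """Inject a difference (delta) into the given input bytes, apply ShiftRows then
    MixColumns to both inputs and return the number of output bytes that differ."""
    changed = bytearray(data)
    for i in byte_indices:
        changed[i] ^= delta
    out_a = state_to_bytes(mix_columns(shift_rows(bytes_to_state(data))))
    out_b = state_to_bytes(mix_columns(shift_rows(bytes_to_state(bytes(changed)))))
    return sum(x != y for x, y in zip(out_a, out_b))


if __name__ == "__main__":
    sample = bytes(range(16))  # constructed sample input block
    print("1-byte difference ->", diffusion(sample, [5]), "output bytes")
    print("2 bytes landing in one column after ShiftRows ->", diffusion(sample, [0, 5]))
    print("2 bytes landing in different columns ->", diffusion(sample, [0, 1]))
```

A single-byte difference always reaches all 4 bytes of its column (branch number 5: one active input byte forces four active output bytes); two differences that ShiftRows places in the same column reach at least 3 output bytes (the constructed pair bytes 0 and 5 gives exactly 3), and two differences in different columns reach 8. The inverse layers are included because the lecture stresses that every layer must be invertible for decryption.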

Pseudocode for AES encryption

Modes of Operation of Block Ciphers

Block vs. stream ciphers

Block cipher: M1, M2, …, Mn → (key K) → C1, C2, …, Cn
Ci = fK(Mi)
Every block of ciphertext is a function of only one corresponding block of plaintext.

Stream cipher: m1, m2, …, mn → (key K, internal state IS) → c1, c2, …, cn
ci = fK(mi, ISi)
ISi+1 = gK(mi, ISi)
Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher.

Typical stream cipher: sender and receiver each run a pseudorandom key generator seeded with the key K and an initialization vector (seed); the generator outputs the keystream ki, which is combined with the plaintext mi to give the ciphertext ci on the sender's side and with ci to recover mi on the receiver's side.

Standard modes of operation of block ciphers

Block ciphers: ECB (Electronic CodeBook) mode
Stream ciphers (stream-cipher modes of a block cipher): Counter mode, OFB mode, CFB mode, CBC mode

Electronic CodeBook Mode – ECB

Encryption: M1 M2 M3 … MN-1 MN → EK (each block independently) → C1 C2 C3 … CN-1 CN
Ci = EK(Mi) for i = 1..N

Decryption: C1 C2 C3 … CN-1 CN → DK (each block independently) → M1 M2 M3 … MN-1 MN
Mi = DK(Ci) for i = 1..N

Criteria for Comparison of Modes of Operation

• hiding repeating message blocks
• speed
• capability for parallel processing and pipel-ining during encryption / decryption
• use of block cipher operations (encryption only or both)
• capability for preprocessing
• capability for random access for the purpose of reading / writing
• number of plaintext and ciphertext blocks required for exhaustive key search
• error propagation in the message after modifying / deleting one block / byte / bit of the corresponding ciphertext

Block Cipher Modes of Operation – Basic Features, ECB column:
hiding repeating plaintext blocks: No; basic speed: sECB; parallel processing and pipelining: encryption and decryption; cipher operations: encryption and decryption; preprocessing: No; random access: R/W; minimum number of message and ciphertext blocks needed for the exhaustive key search attack: 1 plaintext block, 1 ciphertext block; error propagation in the decrypted message: modification of j bits → L bits, deletion of j bits → current and all subsequent; integrity: No.

Counter Mode – CTR

Encryption: IV, IV+1, IV+2, …, IV+N-2, IV+N-1 → EK → k1, k2, k3, …, kN-1, kN
ci = mi ⊕ ki
Decryption: the same keystream; mi = ci ⊕ ki
ki = EK(IV + i - 1) for i = 1..N

Internal-state form:
IS1 = IV
ci = EK(ISi) ⊕ mi
ISi+1 = ISi + 1

J-bit Counter Mode – CTR
The L-bit output of EK is truncated to its j leftmost bits (positions 1..j) and only those are XORed with a j-bit plaintext unit:
ki = EK(IV + i - 1)[1..j] for i = 1..N
ci = mi ⊕ ki


Output Feedback Mode – OFB

Encryption: IV → EK → k1 → EK → k2 → … → kN
ci = mi ⊕ ki
Decryption: the same keystream; mi = ci ⊕ ki
ki = EK(ki-1) for i = 1..N, and k0 = IV

Internal-state form:
IS1 = IV
ci = EK(ISi) ⊕ mi
ISi+1 = EK(ISi)

J-bit Output Feedback Mode – OFB
The internal state is an L-bit shift register initialized with IV. In each step the register is shifted left by j bits, the j leftmost bits (1..j) of EK(ISi) are XORed with the j-bit plaintext unit mi to give ci, and those same j output bits are shifted into the register (positions L-j+1..L).


Cipher Feedback Mode – CFB

Encryption: IV → EK → k1; c1 = m1 ⊕ k1; c1 → EK → k2; … (each ciphertext block is fed back as the next cipher input)
ci = mi ⊕ ki
ki = EK(ci-1) for i = 1..N, and c0 = IV

Decryption: mi = ci ⊕ ki, with ki = EK(ci-1) for i = 1..N and c0 = IV (only the encryption function EK is used)

Internal-state form:
IS1 = IV
ci = EK(ISi) ⊕ mi
ISi+1 = ci

J-bit Cipher Feedback Mode – CFB
The internal state is an L-bit shift register initialized with IV. In each step the register is shifted left by j bits, the j leftmost bits (1..j) of EK(ISi) are XORed with the j-bit plaintext unit mi to give ci, and the j ciphertext bits ci are shifted into the register (positions L-j+1..L).


Cipher Block Chaining Mode – CBC

Encryption: ci = EK(mi ⊕ ci-1) for i = 1..N, c0 = IV
Decryption: mi = DK(ci) ⊕ ci-1 for i = 1..N, c0 = IV

Block Cipher Modes of Operation – Basic Features (1)

                                                  | ECB                       | CTR                       | OFB             | CFB             | CBC
Hiding repeating plaintext blocks                 | No                        | Yes                       | Yes             | Yes             | Yes
Basic speed                                       | sECB                      | ≈ j/L × sECB              | ≈ j/L × sECB    | ≈ j/L × sECB    | ≈ sECB
Capability for parallel processing and pipelining | Encryption and decryption | Encryption and decryption | None            | Decryption only | Decryption only
Cipher operations                                 | Encryption and decryption | Encryption only           | Encryption only | Encryption only | Encryption and decryption
Preprocessing                                     | No                        | Yes                       | Yes             | No              | No
Random access                                     | R/W                       | R/W                       | No              | R only          | R only

Block Cipher Modes of Operation – Basic Features (2)

Security against the exhaustive key search attack:
                                                       | ECB                                   | CTR                                   | OFB                                               | CFB                                              | CBC
Minimum number of message and ciphertext blocks needed | 1 plaintext block, 1 ciphertext block | 1 plaintext block, 1 ciphertext block | 2 plaintext blocks, 2 ciphertext blocks (for j=L) | 1 plaintext block, 2 ciphertext blocks (for j=L) | 1 plaintext block, 2 ciphertext blocks

Error propagation in the decrypted message:
                       | ECB                        | CTR                        | OFB                        | CFB      | CBC
Modification of j bits | L bits                     | j bits                     | j bits                     | L+j bits | L+j bits
Deletion of j bits     | Current and all subsequent | Current and all subsequent | Current and all subsequent | L bits   | Current and all subsequent
Integrity              | No                         | No                         | No                         | No       | No
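The Feistel structure from the DES slides and the four modes compared in the tables above, as one added Python example that is not part of the lecture: a toy 8-round 64-bit Feistel cipher (constructed only to show the structure; it is not DES and not secure) provides EK and DK, the modes are written generically on top of it, and an error-propagation check flips one ciphertext bit and reports how many bits of each decrypted block change. KEY and IV are constructed constants; the mangler function _f, the key schedule and the sample message are assumptions made for this example.

```python
# Added example (not the lecture's code): a toy Feistel block cipher, used only to
# show the structure on the slides, and the four standard modes built on top of it.
# The cipher is constructed for illustration and is NOT secure; the mode functions
# are generic and would work unchanged over any 64-bit block cipher.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
BLOCK = 8                                # block length L = 64 bits
ROUNDS = 8
KEY = 0x0123456789ABCDEF                 # constructed 64-bit key
IV = bytes.fromhex("A5A5A5A5A5A5A5A5")   # constructed initialization vector


def _f(r: int, k: int) -> int:
    """Mangler function f(R, K): deliberately NOT invertible. A Feistel network
    never inverts f, which is why any mixing function can be used here."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return x ^ (x >> 13) ^ ((x << 7) & MASK32)


def round_keys(key: int) -> list:
    """Toy key schedule: rotate the 64-bit key and fold it to 32 bits per round."""
    keys = []
    for i in range(ROUNDS):
        s = (5 * i) % 64
        rot = ((key << s) | (key >> (64 - s))) & MASK64
        keys.append((rot ^ (rot >> 32) ^ i) & MASK32)
    return keys


def feistel(block: int, keys: list) -> int:
    """L_i = R_{i-1}; R_i = L_{i-1} xor f(R_{i-1}, K_i); halves swapped at the end,
    so running the same loop with reversed keys undoes the transformation."""
    l, r = block >> 32, block & MASK32
    for k in keys:
        l, r = r, l ^ _f(r, k)
    return (r << 32) | l


def encrypt_block(key: int, block: int) -> int:
    return feistel(block, round_keys(key))


def decrypt_block(key: int, block: int) -> int:
    return feistel(block, round_keys(key)[::-1])   # round keys K_n ... K_1


def _E(key: int, b: bytes) -> bytes:
    return encrypt_block(key, int.from_bytes(b, "big")).to_bytes(BLOCK, "big")


def _D(key: int, b: bytes) -> bytes:
    return decrypt_block(key, int.from_bytes(b, "big")).to_bytes(BLOCK, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "example assumes whole blocks (no padding)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ctr(key: int, iv: bytes, data: bytes) -> bytes:
    """CTR: k_i = E_K(IV + i - 1), c_i = m_i xor k_i. The same call decrypts."""
    ctr0 = int.from_bytes(iv, "big")
    return b"".join(_xor(m, _E(key, ((ctr0 + i) & MASK64).to_bytes(BLOCK, "big")))
                    for i, m in enumerate(_blocks(data)))


def ofb(key: int, iv: bytes, data: bytes) -> bytes:
    """OFB: k_0 = IV, k_i = E_K(k_{i-1}), c_i = m_i xor k_i. The same call decrypts."""
    out, k = [], iv
    for m in _blocks(data):
        k = _E(key, k)
        out.append(_xor(m, k))
    return b"".join(out)


def cfb_encrypt(key: int, iv: bytes, data: bytes) -> bytes:
    """CFB: k_i = E_K(c_{i-1}), c_0 = IV, c_i = m_i xor k_i."""
    out, prev = [], iv
    for m in _blocks(data):
        prev = _xor(m, _E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key: int, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(c, _E(key, prev)))   # only E_K is needed, as in the table
        prev = c
    return b"".join(out)


def cbc_encrypt(key: int, iv: bytes, data: bytes) -> bytes:
    """CBC: c_i = E_K(m_i xor c_{i-1}), c_0 = IV."""
    out, prev = [], iv
    for m in _blocks(data):
        prev = _E(key, _xor(m, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: int, iv: bytes, data: bytes) -> bytes:
    """CBC: m_i = D_K(c_i) xor c_{i-1}; the one stream-style mode that needs D_K."""
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(_D(key, c), prev))
        prev = c
    return b"".join(out)


MODES = {"CTR": (ctr, ctr), "OFB": (ofb, ofb),
         "CFB": (cfb_encrypt, cfb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt)}


def error_propagation(mode: str) -> dict:
    """Flip one bit of ciphertext block 1 (of 4) and return, per decrypted block,
    how many bits differ from the original message."""
    msg = bytes(range(4 * BLOCK))          # constructed 4-block message
    enc, dec = MODES[mode]
    ct = bytearray(enc(KEY, IV, msg))
    ct[BLOCK] ^= 0x80                      # first bit of block 1
    pt = dec(KEY, IV, bytes(ct))
    bits = [bin(x ^ y).count("1") for x, y in zip(pt, msg)]
    return {i: sum(bits[i * BLOCK:(i + 1) * BLOCK]) for i in range(4)}


if __name__ == "__main__":
    for name in MODES:
        print(name, error_propagation(name))
```

Running it prints, for each mode, the number of changed bits in decrypted blocks 0..3 after one ciphertext bit of block 1 is flipped: CTR and OFB change only that single bit (j bits), CFB changes that bit and garbles the whole following block (L+j bits), and CBC garbles the whole current block and changes the single bit in the following one (L+j bits), which is exactly the "modification of j bits" row of the table. The CBC and CFB garbling is guaranteed rather than probabilistic, because EK and DK are bijections: a changed input block always gives a changed output block.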

Evaluation Criteria for Modes of Operation (new modes of operation): Security, Efficiency, Functionality

Security
• resistance to attacks
• proof of security
• random properties of the ciphertext
• requirements on the length of the message
• vulnerability to implementation errors
• error propagation and the capability for resynchronization

Efficiency
• number of calls of the block cipher
• capability for parallel processing
• memory/area requirements
• initialization time
• capability for preprocessing

Functionality
• security services – confidentiality, integrity, authentication
• flexibility – variable lengths of blocks and keys, different amount of precomputations
• requirements on the amount of keys, initialization vectors, random numbers, etc.
• patent restrictions

CBC: IV ⊕ m1 → EK → c1; c1 ⊕ m2 → EK → c2; … ; cN-1 ⊕ mN → EK → cN
Problems:
- No parallel processing of blocks from the same packet
- No speed-up by preprocessing
- No integrity or authentication

Counter mode: IV, IV+1, IV+2, …, IV+N-1, IV+N → EK → k0, k1, k2, …, kN-1, kN; ci = mi ⊕ ki
Features:
+ Potential for parallel processing
+ Speed-up by preprocessing
- No integrity or authentication

OCB – Offset Codebook Mode

Inputs: IV, the constant block 0 (encrypted with E to derive L), message blocks M1, M2, …, MN-1, MN (the last block is handled together with its length and g(L)); offsets Z1, Z2, …, ZN-1, ZN with Zi = f(L, R, i); each block goes through one call of the block cipher E to give C1, C2, …, CN-1, CN; a control sum (checksum) of the message blocks is encrypted to produce the tag T of t bits.

Properties of existing and new cipher modes (CBC, CFB, OFB vs. the new standard): proof of security; parallel processing (CBC: decryption only); preprocessing; integrity and authentication; resistance to implementation errors.

New modes of block ciphers

1. CCM – Counter with CBC-MAC
• developed by R. Housley, D. Whiting, N. Ferguson in 2002
• assures simultaneous confidentiality and authentication
• not covered by any patent
• part of the IEEE 802.11i standard for wireless networks

2. GCM – Galois/Counter Mode
• developed by D. McGrew and J. Viega in 2005
• assures simultaneous confidentiality and authentication
• not covered by any patent
• used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPSec standards

Properties of new modes of operation (CBC, CFB, OFB, CTR, CCM, GCM compared on): proof of security; parallel processing (CBC: only decryption; CCM: half of operations); preprocessing (CBC, CFB: none; CCM, GCM: half of operations); integrity and authentication (none for CBC, CFB, OFB, CTR; provided by CCM and GCM); resistance to implementation errors (none for CBC, CFB, OFB, CTR).

Confidentiality & Authentication – Authenticated Ciphers

Alice: N, Message, KAB → Authenticated Cipher Encryption → N, Ciphertext, Tag
Bob: N, Ciphertext, Tag, KAB → Authenticated Cipher Decryption → Message, or "invalid"
KAB – secret key of Alice and Bob; N – nonce
CAESAR contest, 2013 – 2018

Authenticated ciphers as defined for the CAESAR contest:
Encryption: Npub, Nsec, AD, Message, Key → Npub, Enc Nsec, AD, Ciphertext, Tag
Decryption: Npub, Enc Nsec, AD, Ciphertext, Tag, Key → Nsec, AD, Message, or "Invalid"
Npub – Public Message Number; Nsec – Secret Message Number; Enc Nsec – Encrypted Secret Message Number; AD – Associated Data; KAB – Secret key of Alice and Bob

Cryptographic Standard Contests

AES: IX.1997 – X.2000, 15 block ciphers → 1 winner
NESSIE: I.2000 – XII.2002
CRYPTREC
eSTREAM: XI.2004 – IV.2008, 34 stream ciphers → 4 HW winners + 4 SW winners
SHA-3: X.2007 – X.2012, 51 hash functions → 1 winner
CAESAR: I.2013 – 2018, 57 authenticated ciphers → multiple winners
(time axis 1997 – 2017)
