
A REPORT ON BLOCK CIPHERS (Literature Survey)

ANUJ PRATEEK, BITS, PILANI
R. GURUPRASAD, NAL, BANGALORE

Reviewed by: Dr Vidyadhar Mudkavi, NAL, BANGALORE

OCTOBER 2006

NATIONAL AEROSPACE LABORATORIES BANGALORE

ACKNOWLEDGEMENT


I would like to extend my deep gratitude to Dr. A. R. Upadhya, Director, NAL and Dr. Ranjan Moodithaya, Head KTMD, NAL for granting me the permission and resources, which were indispensable for writing this report.

I am also extremely grateful to Dr. M. R. Nayak, Head, TS and Dr. R. M. Jha, Scientist, ALD for their kind permission and very useful suggestions to work in this very interesting area.

I would also like to express my deep gratitude to Dr. Vidyadhar Mudkavi, Scientist, CTFD and Dr. U. N. Sinha, Head, FSD for their guidance, technical help and constant motivation throughout the writing of the report.

I would like to extend my acknowledgement to Dr. S. Bhogle who provided the initial motivation to carry out this report.

Last but not the least, I would like to extend my special thanks to Mr. R. Guruprasad for contributing immensely to SECTION ONE. It would not be wrong to say that it is completely his work. I would also like to thank him for providing me various resources from his lab and in person too.

CONTENT


S.No.  TITLE                                   Page No.

A      ABSTRACT & INTRODUCTION                 I

B      SECTION ONE                             III
       1   INTRODUCTION TO CRYPTOGRAPHY        1
       2   EVOLUTION OF CRYPTOGRAPHY           6
       3   CHARACTERISTICS OF A GOOD CIPHER    9
           REFERENCES                          R-I

C      SECTION TWO                             IV
       4   PRODUCT CIPHERS                     11
       5   BLOCK MODES                         13
       6   FEISTEL NETWORK                     17
       7   S-BOX                               19
           REFERENCES                          R-II

D      SECTION THREE                           V
       8                                       23
       9   DES                                 25
       10  IDEA                                32
       11  CAST                                34
       12  LOKI                                37
       13                                      41
       14  DEAL                                45
       15  MARS                                47
       16                                      55
       17  AES                                 58
       18                                      66
       19  CMEA                                72
       20  PHELIX                              74
       21                                      78
       22  OTHER ALGORITHMS                    80
           REFERENCES                          R-III

E      SECTION FOUR                            VI
       23                                      84
       24  DIFFERENTIAL CRYPTANALYSIS          96
       25                                      99
           REFERENCES                          R-V

       26  CONCLUSION                          100
       27  FUTURE APPLICATION                  100

ABSTRACT & INTRODUCTION

ABSTRACT

This document is a literature survey about block ciphers, especially those based on the Feistel network, presented in the form of a report. The report concentrates on providing a starting point for designing strong, secure and efficient block ciphers. Various design issues and algorithms are described, and the various forms of cryptanalysis are also described. The report explains the key elements of block cipher design in detail. It will serve as an excellent reference for anyone who wants to design a Feistel network based block cipher.

KEYWORDS: Evolution, Good Cipher Characteristics, Product Ciphers, Feistel Network, S-Box, LUCIFER, DES, IDEA, CAST, LOKI97, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX, TIGER, Cryptanalysis, Differential & Linear Cryptanalysis

INTRODUCTION

Horst Feistel in his famous article, “Cryptography & Computer Privacy,” published in Scientific American, in May 1973, rightly wrote in the very first paragraph of the article, “There is growing concern that computers now constitute a dangerous threat to individual privacy. Since many computers contain personal data and are accessible from distant terminals, they are viewed as unexcelled means of assembling large amount of information about individual or a group. It is asserted that it will soon be feasible to compile dossiers in depth of an entire citizenry, where until recently the material for such dossiers was scattered in many separate locations under widely diverse jurisdictions. It will be argued here, however, a computer system can be adapted to guard its content from everyone but authorized individuals by enciphering the materials in forms highly resistant to cipher breaking.”

Feistel's words clearly reflect that, as the amount of digital content grows, the need for secrecy and authorized access to information increases, and future systems should be able to answer these needs. In the modern era these needs have been answered by cryptography, the science, and , the product. Over all these years the need has grown manifold in various forms, and so have the illicit activities aimed at acquiring unauthorized information. Every science has its advantages and disadvantages, and so does cryptography. People involved in various illegal businesses have started using cryptosystems to mask their activities, and this has forced law enforcers to drive the evolution of cryptanalysis, i.e. the science of unmasking ciphers. Without arguing the pros and cons of cryptography, the thing that remains a concern for learners of this science is the development of secure cryptosystems.

Cryptography is divided into categories, and two of the broad categories of general interest are private key and public key cryptography. This report talks about private key cryptography and, in particular, the sub-sub-domain known as Feistel network based block ciphers.


The report has been divided into four parts, called sections. It flows in such a way that the key concepts required in the design of the mentioned cryptosystems are touched upon in a progressive sequence. The report neither goes into deep mathematical aspects such as efficiency analysis and attack testing, nor does it stray from the basic mathematics.

The first section introduces cryptography, evolution of cryptography and the desired characteristics of a cryptosystem, in brief.

The second section briefly covers product ciphers, modes of operation of block ciphers, the Feistel network and S-boxes. Feistel networks fall in the broad category of product ciphers, which is a sub-domain of block ciphers. As block ciphers have various modes of operation, these are introduced too in this section. S-boxes constitute a very important part of a Feistel network, are the part most prone to attacks, and hence have a place in this section.

The third section, the major part of this report, presents various cryptographic algorithms that have appeared in the modern age. The algorithms are introduced and explained, and the attacks on them are mentioned. The algorithms picked for presentation are LUCIFER, DES, IDEA, CAST, LOKI, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX and TIGER. These algorithms provide a strong base for the development of new algorithms and show the variety of attacks that can be made on them. CMEA, PHELIX and TIGER are the odd ones among the algorithms mentioned, but have been included for completeness and for the lessons they teach. CMEA provides an insight into embedded-efficient algorithms. PHELIX and TIGER show the other side of private key cryptography, namely stream ciphers and the use of hashes. At the end of this section, an introduction to the various other algorithms existing today is given, though the details are omitted as they are more or less covered by the algorithms described in detail. The last part of the section will help in improving general knowledge about the algorithms, will provide the names of key people in the field, and lastly will provide a place to look for references.

The last section, section four, introduces cryptanalysis. It briefly covers the various methodologies of cryptanalysis and, at the end, discusses differential and linear cryptanalysis, the most powerful types of attack on present-day cryptosystems.

The report will serve as an excellent reference for anyone who wants to develop a cryptosystem of the type mentioned, whether an advanced reader or an amateur. It is not that everything related to the design has been covered, but most of it has been, and after reading the report the reader will know how to proceed and where to look for help. Lastly, the report does not guarantee that the reader will be able to actualize the concept, but a step would be taken in the direction of actualization.

“Every science needs effort but cryptography is not a mere science, but broader, it is an art; one needs to feel it, imagine it, and breathe it.”

SECTION - I

Introduction to Cryptography
Evolution of Cryptography
Characteristics of a Good Cipher

- R. Guruprasad
- Anuj Prateek


1. INTRODUCTION TO CRYPTOGRAPHY

The word "cryptography" is of Greek origin and means "secret writing." Earlier, cryptography was used primarily by the military for the purposes of espionage. Cryptography is defined as the science of devising methods that allow information to be sent in a secure form, in such a way that the only person able to retrieve this information is the intended recipient.

With the advances in modern communication, technology has enabled businesses and individuals to transport information at a very low cost via public networks such as the Internet. This development comes at the cost of potentially exposing the data transmitted over such a medium. Therefore, it becomes imperative for businesses to make sure that sensitive data is transferred from one point to another in an airtight, secure manner over public networks. Cryptography helps to achieve this goal by making messages unintelligible to all but the intended recipient.

Cryptography as a technique can be summarized by the set {P, C, K, E, D} where,

• P = Plaintext space
• C = Ciphertext space
• K = Key space
• E = Encryption function space
• D = Decryption function space

The basic principle is this: A message being sent is known as plaintext. The message is then coded using a cryptographic algorithm. This process is called encryption. An encrypted message is known as ciphertext, and is turned back into plaintext by the process of decryption.

Figure 1.1 Schematic of cryptosystem

It must be assumed that any eavesdropper has access to all communications between the sender and the recipient. A method of encryption is only secure if, even with this complete access, the eavesdropper is still unable to recover the original plaintext from the ciphertext. In the last few decades, cryptographic algorithms, being mathematical by nature, have become sufficiently advanced that only computers can handle them. This in effect means that plaintext is binary in form and can therefore be anything: a picture, a voice, an e-mail or even a video. The actual mathematical function used to encrypt and decrypt messages is called a cryptographic algorithm or cipher. This is only part of the system used to send and receive secure messages.


1.1 GROUPS OF ALGORITHMS

Cryptographic algorithms are classified into various groups and a brief description is given here.

1.1.1 RESTRICTED ALGORITHM

If, as with most historical ciphers, the security of the message being sent relies on the algorithm itself remaining secret, then that algorithm is known as a restricted algorithm. One of the major drawbacks of such algorithms is that a large or changing group of users cannot utilize them: every time one user leaves the group, everyone must change the algorithm, and if the algorithm is compromised in any way, a new algorithm must be implemented.

1.1.2 KEY-BASED ALGORITHM

Practically all modern cryptographic systems make use of a key. Algorithms that use a key system allow all details of the algorithm to be widely available. This is because all of the security lies in the key. With a key-based algorithm, the plaintext is encrypted and decrypted by the algorithm, which uses a certain key, and the resulting ciphertext is dependent on the key, and not the algorithm.

1.1.3 SYMMETRIC ALGORITHM

Symmetric algorithms have one key that is used to both encrypt and decrypt the message. This presents one major problem: the transfer of the key between the encrypter and the decrypter can be compromised by an attacker. There are two types of symmetric algorithms, namely stream and block ciphers. Stream ciphers operate on plaintext one bit at a time. Block ciphers operate on groups of bits called blocks. The major advantages and disadvantages of this kind of algorithm are given next.

Advantages,

• Very fast relative to public key cryptography
• Considered secure, provided the key is relatively strong
• The ciphertext is compact

Disadvantages,

• The administration of the keys can become extremely complicated
• A large number of keys is needed to communicate securely with a large group of people
• Non-repudiation is not possible
• The key is subject to interception by hackers

1.1.4 ASYMMETRIC ALGORITHM

An asymmetric algorithm is one in which the encryption and decryption keys are different. The encryption key is known as the public key and the decryption key is known as the private key. This type of algorithm is also called public key encryption. It has a number of advantages over traditional symmetric ciphers, i.e. the security of key transmission is no longer a concern. A disadvantage of public-key algorithms is that they are more computationally intensive than symmetric algorithms, and therefore encryption and decryption take longer. The advantages and disadvantages of this kind of algorithm are given next.

Advantages,

• Considered very secure
• No form of secret sharing is required, thus reducing key administration to a minimum
• Supports non-repudiation
• The number of keys managed by each user is much less compared to secret key cryptography

Disadvantages,

• Much slower compared to secret key cryptography
• The ciphertext is much larger than the plaintext, relative to secret key cryptography

Another disadvantage of public-key cryptography is that anyone can send a message using someone's public key, and it is then necessary to prove that the message came from whom it claims to have been sent by. A message encrypted with someone's private key can be decrypted by anyone with his or her public key. This means that if the sender encrypted a message with his private key, and then encrypted the resulting ciphertext with the recipient's public key, the recipient would be able to decrypt the message first with their private key and then with the sender's public key, thus recovering the message and proving it came from the correct sender. This concept gives birth to digital signing. The process is very time-consuming, and therefore rarely used in this form. A much more common method of digitally signing a message uses one-way hashing.

1.1.5 ONE-WAY HASHING

A one-way hash function is a mathematical function that takes a message string of any length and returns a smaller fixed-length string. These functions are designed in such a way that not only is it very difficult to deduce the message from its hashed version, but also, even given that all hashes are a certain length, it is extremely hard to find two messages that hash to the same value. In fact, to find two messages with the same hash from a 128-bit hash function, about 2^64 hashes would have to be tried. In other words, the hash value of a file is a small, unique 'fingerprint'.

If H is the hash value, f the hash function and M the original message (the pre-image string), then H = f(M). If one knows M, then H is easy to compute. However, knowing H and f, it is not easy to compute M; it is generally computationally infeasible. As long as there is a low risk of collision, and the hash is very hard to reverse, a one-way hash function proves extremely useful for a number of aspects of cryptography. If a message is one-way hashed, the result will be a much shorter but still (statistically) unique number. This can be used as proof of ownership of a message without having to reveal the contents of the actual message. Hash functions can also be used to prove that no changes have been made to a file, as adding even one character to a file would completely change its hash value. This method is greatly preferable to encrypting the whole message with a private key, as the hash of a message will normally be considerably smaller than the message itself. This means that it will not significantly slow down the decryption process in the way that decrypting the entire message with the sender's public key, and then decrypting it again with the recipient's private key, would.
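The birthday bound quoted above (about 2^64 trials for a 128-bit hash) can be seen directly on a truncated hash. The following Python example is added here and is not part of the original report: it shortens SHA-256 to n bits so that a collision appears after roughly sqrt(pi/2 * 2^n) attempts, and the same formula gives the 2^64 figure for n = 128. The message labels are constructed sample values.

```python
import hashlib
import math


def truncated_hash(data, bits):
    """Return the first `bits` bits of SHA-256(data) as an integer.

    Truncating a real hash gives a toy n-bit hash that behaves much like an
    ideal random function, so the birthday bound shows up in milliseconds
    instead of the 2^64 operations needed for a full 128-bit hash.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_trials(bits):
    """Expected number of random inputs until two share an n-bit hash,
    approximately sqrt(pi/2 * 2^n); for n = 128 this is about 2^64."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits, label=b"constructed-msg-"):
    """Hash distinct counter-based messages until two of them collide on the
    n-bit truncated hash. Returns (msg1, msg2, hashes_computed)."""
    seen = {}           # truncated hash -> first message that produced it
    counter = 0
    while True:
        msg = label + str(counter).encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


if __name__ == "__main__":
    for n in (16, 24):
        m1, m2, tries = find_collision(n)
        print(f"{n}-bit hash: collision after {tries} hashes "
              f"(expected about {expected_birthday_trials(n):.0f})")
        print("  ", m1, "and", m2, "->", hex(truncated_hash(m1, n)))
    print(f"128-bit hash: expected about 2^{math.log2(expected_birthday_trials(128)):.1f} hashes")
```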

1.1.6 ONE TIME PAD

The one-time pad was invented by Major Joseph Mauborgne and Gilbert Vernam in 1917. This is the most secure category of algorithm available today. The pad is a non-repeating random string of letters. Each letter on the pad is used once only, to encrypt one corresponding plaintext character. After use, the pad is never re-used, as good practice demands. The message remains secure as long as the pad is secure. This is because a random key added to a non-random message produces completely random ciphertext. There are two major drawbacks of the one-time pad, and they are,

• It is extremely hard to generate truly random numbers, and a pad that has even a couple of non-random properties is theoretically breakable.
• The length of the pad must be the same as the length of the message, which means it cannot be used for large amounts of data.
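The XOR form of the one-time pad, together with the reason the pad must never be re-used, as an added Python example that is not part of the original report (the message strings and the pad length check are constructed for illustration):

```python
import os


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length):
    """A fresh pad from the OS random source; it must be at least as long as
    the message and is used exactly once."""
    return os.urandom(length)


def otp_encrypt(plaintext, pad):
    """Ciphertext = plaintext XOR pad. Decryption is the same operation,
    because (p XOR k) XOR k = p."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: a one-time pad needs "
                         "one pad byte per message byte")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt


def pad_reuse_leak(c1, c2):
    """What an observer learns when one pad encrypts two messages:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2, the pad cancels out
    and every position where the plaintexts agree shows up as a zero byte."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    p1 = b"meet at the old bridge"
    p2 = b"wait at the new bridge"
    pad = generate_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    print("ciphertext:", c1.hex())
    print("decrypted :", otp_decrypt(c1, pad))
    # Re-using the pad for a second message leaks p1 XOR p2.
    leak = pad_reuse_leak(c1, otp_encrypt(p2, pad))
    print("c1 XOR c2 :", leak.hex(), "(zero bytes where the messages agree)")
```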

1.1.7 STEGANOGRAPHY

Steganography is not a method of encrypting data, but hiding the data within other data so that it can pass undetected. Traditionally this was achieved with invisible ink, microfilm or taking the first letter from each word of a message. This is now achieved by hiding the message within a graphics or sound file. This is not cryptography however, and although it would fool a human, a computer would be able to detect this very quickly and reproduce the original message.

1.1.8 HYBRID CRYPTOSYSTEM

Besides the various encryption methodologies available to increase security, hybrid cryptosystems have also been proposed. The basic principle of a hybrid system is to encrypt the plaintext with a symmetric algorithm; the symmetric algorithm's key is then itself encrypted with a public-key algorithm such as RSA. The RSA-encrypted key and the symmetric-algorithm-encrypted message are then sent to the recipient, who uses his private RSA key to decrypt the symmetric algorithm's key, and then that key to decrypt the message. This is considerably faster than using RSA throughout, and allows a different symmetric key to be used each time, considerably enhancing the security of the symmetric algorithm.


When we talk of cryptography, looking at the enormous amount of digital data we have, we confine ourselves to the security of digital data. The security of digital data can also be called e-security. For the security of digital data there are certain requirements that need to be fulfilled, and the table given next summarizes and defines them.

Levels of security            Definition                                                                          How to achieve
Confidentiality               Ensures the protection of sensitive and private data                               Cryptography
Authentication/Verification   Establishes and verifies that the communicating parties are who they say they are   Public or secret key cryptography
Data Integrity                Ensures that the data has not been altered or manipulated                           Message Digests
Non-repudiation               Ensures that information cannot be disowned                                         Message Digest + Digital Signatures

Table 1.1 Security requirements

1.2 COMMON OPERATIONS

There are some common types of operations that cryptographic algorithms (especially block ciphers) generally perform. Some of them are briefly described next.

1.2.1 SUBSTITUTION

Substitution operations replace bits in the plaintext with other bits decided upon by the algorithm, to produce ciphertext. This substitution then just has to be reversed to produce plaintext from ciphertext. This can be made increasingly complicated. For instance one plaintext character could correspond to one of a number of ciphertext characters (homophonic substitution), or each character of plaintext is substituted by a character of corresponding position in a length of another text (running cipher).

1.2.2 TRANSPOSITION

Transposition (or permutation) does not alter any of the bits in the plaintext, but instead moves their positions around within it. If the resultant ciphertext is then put through more transpositions, the result is increasingly secure.

1.2.3 XOR

XOR is the exclusive-or operation. It is a Boolean operator whose result is true if exactly one of the two input bits is true, and false if both are true or both are false.

Other than these, an encryption function is required that forms the core of the algorithm. In the case of public key encryption, these operations are generally not performed; rather, the mathematical infeasibility of various problems is utilized.


2. EVOLUTION OF CRYPTOGRAPHY

According to Carl Ellison, cryptography, the science of encrypting and decrypting information, dates as far back as 1900 BC, when a scribe in Egypt first used a derivation of the standard hieroglyphics of the day to communicate.

Various noble names have since been attached to cryptography, but the major ones are those who helped in the growth of this science. One of the geniuses, Julius Caesar (100-44 BC), used a simple substitution with the normal alphabet in government communications, and later Sir Francis Bacon, in 1623, invented the bilateral cipher, known today as a 5-bit binary encoding. The bilateral encryption was an advanced technique, and he used variation in typeface to carry each bit of the encoding. Thomas Jefferson invented a wheel cipher in the 1790s, which was redeveloped as the Strip Cipher, M-138-A, used by the US Navy during World War II.

Of all the historical personalities involved in the evolution of cryptography, it is William Frederick Friedman, founder of Riverbank Laboratories, cryptanalyst for the US government, and lead code-breaker of Japan's World War II Purple Machine, who is honored as the father of US cryptanalysis. In 1918, Friedman authored The and Its Applications in Cryptography, which is still considered by many in this field as the premier work on cryptography written in the twentieth century.

In the late 1920s and into the early 1930s, the US Federal Bureau of Investigation (FBI) established an office to deal with the increasing use of cryptography by criminals. At that time, the criminal threat involved the importation of liquor. According to a report written in the mid-1930s by Mrs. Elizebeth Friedman, a cryptanalyst employed by the US government like her husband, William F. Friedman, the cryptography employed by bootleggers was of a complexity never even attempted by any government for its most secret communications. At no time during the World War, when secret methods of communication reached their highest development, were there used such involved ramifications as are to be found in some of the correspondence of West Coast rum running vessels.

Although cryptography was employed during World War I, two of the more notable machines were employed during World War II: the German machine developed by Arthur Scherbius, and the Japanese Purple Machine, developed using techniques first discovered by Herbert O. Yardley.

In the 1970s, Dr. Horst Feistel established the precursor to today's Data Encryption Standard (DES) with his 'family' of ciphers, the 'Feistel ciphers', while working at IBM's Watson Research Laboratory. In 1976, the National Security Agency (NSA) worked with the Feistel ciphers to establish FIPS PUB-46, known today as DES. Today, triple-DES is the security standard used by U.S. financial institutions. In 1976, two contemporaries of Feistel, Whitfield Diffie and Martin Hellman, first introduced the idea of public key cryptography in a publication entitled "New Directions in Cryptography." Public key cryptography is what PGP, today's industry standard, uses in its software.


In the September 1977 issue of Scientific American, Ronald L. Rivest, Adi Shamir and Leonard M. Adleman introduced to the world their RSA cipher, applicable to public key cryptography and digital signatures. In the mid-1980s, ROT13 was employed by USENET groups to prevent the viewing of "objectionable material by innocent eyes," and soon thereafter, in 1990, Xuejia Lai and James Massey proposed a new, stronger, 128-bit key cipher designed to replace the aging DES standard: IDEA. Called the International Data Encryption Algorithm, IDEA was designed to work more efficiently with the "general purpose" computers used by everyday households and businesses.

Concerned by the proliferation of cryptography, the FBI renewed its effort to gain access to the plaintext messages of US citizens. In response, Phil Zimmermann released the first version of Pretty Good Privacy (PGP) in 1991 as a freeware product, which uses the IDEA algorithm. PGP, a free program providing military-grade algorithms to the Internet community, has evolved into a cryptographic standard because of its widespread use.

The initial versions of PGP were geared towards the more computer-literate individual, but to the individual nonetheless. Phil Zimmermann could be compared to Henry Ford in his efforts to provide PGP to every home by making it free, and therefore affordable. Today, PGP's updated version is offered free to the public.

Most recently, in 1994, one of the co-developers of RSA cryptography published a new algorithm, RC5, on the Internet. Although he claims RC5 is stronger than DES, the algorithm is still relatively new. In the same year, Peter Shor devised an algorithm which lets quantum computers determine the factorization of large integers quickly.

In 1995, the NSA published the SHA1 hash algorithm as part of its Standard, but it was soon attacked. In the next four years, various algorithms and programs such as OpenPGP, CipherSaber and DeCSS were released.

In January 2000, the U.S. Government announced that restrictions on the export of cryptography were relaxed (although not removed). This allowed many US companies to stop the long-running, and rather ridiculous, process of having to create US and international copies of their software. A few months later, RSA was released into the public domain. By this time DES had withstood many attacks but was finally broken, and Rijndael was accepted as the new encryption standard, called AES. In 2001, a sad incident occurred which, on its brighter side, helped the growth of cryptography: the U.S. response to the terrorist attacks was hampered by a lack of secure communications.

In 2003, the CRYPTREC project started, and the next year MD5 was found vulnerable to practical collision attacks. This was followed by a dark year in which SHA1 was found certificationally weak and, the same year, WEP was broken.

Many new algorithms and attack methods have been developed since then, and still no one is sure whether our communication is secure. Probably the next age of cryptography will be the advent of highly complex mathematics, maybe a new kind, or the invention of a working quantum computer; but sadly, cryptography, though it has tried, has not been able to become a fortune-teller.


The graph shown below displays the timeline of major breakthroughs in cryptography.

Figure 2.1 Breakthroughs in cryptography

The next trend, whose advent is probably due in this century and which has already been mentioned, is quantum cryptography. Quantum cryptography uses quantum mechanics for secure communications. Unlike traditional cryptography, which employs various mathematical techniques to prevent eavesdroppers from learning the contents of encrypted messages, quantum cryptography is based on the physics of information. Eavesdropping can be viewed as measurements on a physical object, in this case the carrier of the information. Using quantum phenomena such as quantum superposition or quantum entanglement, one can design and implement a communication system that can always detect eavesdropping. This is because measurements on the quantum carrier of information disturb it and therefore leave traces.

Quantum cryptography still has a long way to go, but physics has already made some intrusion into cryptography. Relativity, a noble idea of Einstein's, has given birth to Relative Cryptography, adding the time dimension and securing the process considerably.

To end this section, I would like to mention that cryptography is now moving towards pure mathematics consisting of elliptic curves and high-order fields, which in the coming future are going to govern the way cryptography evolves.


3. CHARACTERISTICS OF A GOOD CIPHER

In cryptography, confusion and diffusion are two properties of the operation of a secure cipher, which were identified by Shannon in his paper "Communication Theory of Secrecy Systems," published in 1949.

• Confusion refers to making the relationship between the key and the ciphertext as complex and involved as possible. Substitution has been identified as the primary mechanism for confusion.

• Diffusion refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext. Diffusion is associated with dependency of bits of the output on bits of the input. In a cipher with good diffusion, flipping an input bit should change each output bit with a probability of one-half. Transposition (rearranging the order of symbols) is a technique for diffusion.

Another aspect is the avalanche effect, which refers to a desirable property of cryptographic algorithms, typically block ciphers and cryptographic hash functions. The avalanche effect is evident if, when an input is changed slightly, the output changes significantly. In the case of quality block ciphers, such a small change in either the key or the plaintext should cause a drastic change in the ciphertext. This is very similar to diffusion, but was formally introduced by Feistel long after Shannon's diffusion.

If a block cipher or cryptographic hash function does not exhibit the avalanche effect to a significant degree, then it has poor randomization, and thus a cryptanalyst can make predictions about the input, being given only the output. This may be sufficient to break the algorithm, partially or completely.

The Strict Avalanche Criterion (SAC) is a property of Boolean functions. The SAC builds on the concepts of completeness and avalanche. Webster and Tavares introduced SAC in 1985. A function is said to satisfy the strict avalanche criterion if, whenever a single input bit is complemented, each of the output bits should change with a probability of one-half.

Another criterion, called the bit independence criterion (BIC), states that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.

Completeness of the Boolean or other function is also highly desirable. It means that the value of every output bit should depend upon all the input bits.

Shannon has outlined the parameters on which a secrecy system should be evaluated, and they are given next,

• Amount of secrecy
• Size of key
• Complexity of enciphering and deciphering operations
• Propagation of errors
• Expansion of message

According to Shannon, the characteristics that qualify a cipher as a good cipher can also be summarized as follows,

• The amount of secrecy should determine the amount of labor appropriate for the encryption and decryption.
• The set of keys and the encryption algorithm should be free of complexity.
• The implementation of the process should be as simple as possible.

The expectations that go with any standard good algorithm are mentioned next,

• Provides a high level of security
• The security depends on keys, not the secrecy of the algorithm
• The security is capable of being evaluated
• The algorithm is completely specified and easy to understand
• It is efficient to use and adaptable
• Must be available to all users
• Must be exportable

Although the outline given here seems very simple, these concepts are at the heart of all modern cryptographic algorithms, and failure to comply with them leaves a cryptographic algorithm vulnerable to attacks.


I. REFERENCES

The list of the references used in this section is provided here. Some of the references are not generally available and can only be found on some organizations' websites. If the reader is not able to trace them, the author of the report can be contacted freely. Where possible, contact details of the original authors whose work has been referenced are provided.

1. Mohan Atreya, “Introduction to cryptography.”

2. Oli Cooper, “An Introduction to Modern Cryptography.”

3. Shireen Hebert, “A Brief .”

4. Wikipedia website has been used as a reference in this section of the report. Timeline of cryptography has been referred from it. (http://en.wikipedia.com)

Apart from the references mentioned, the “SAC '96 Presented Papers” and the RSA Labs website were also referred to in the report. Chapter seven of J. Daemen’s PhD thesis was also used in some parts of SECTION THREE. Google Scholar and Google search were also useful in providing various definitions, which were later referred to in the report. (Details of them are not provided, as the contribution was minor. For details, the author of the report can be contacted.)


SECTION - II

Product Ciphers, Block Modes, Feistel Network, S-Box

- Anuj Prateek

4. PRODUCT CIPHER

A product cipher is a popular type of block cipher that works by executing in sequence a number of simple transformations such as substitution, permutation and modular arithmetic. Product ciphers usually consist of several iterated rounds of the same algorithm. While the individual operations are not themselves secure, it is hoped that a sufficiently long chain imbues the cipher with enough confusion and diffusion to make it resistant to cryptanalysis. The concept of product ciphers is due to Shannon, who presented the idea in his foundational paper, Communication Theory of Secrecy Systems. A product cipher that uses only substitutions and permutations is called an SP-network.

Examples of modern product ciphers include LUCIFER, DES, SP-networks, LOKI, FEAL, PES, Khufu, and Khafre. The so-called Feistel ciphers are a class of product ciphers, which operate on one-half of the ciphertext at each round, and then swap the ciphertext halves after each round. LUCIFER, DES, LOKI, and FEAL are examples of Feistel ciphers.

The following table compares the main parameters of several product ciphers:

BLOCK CIPHER   BLOCK LENGTH   KEY LENGTH   # ROUNDS
LUCIFER        128            128          16
DES            64             56           16
LOKI           64             64           16
FEAL           64             128          2x, x >= 5
PES            64             128          8

Table 4.1 Comparison of parameters of some block ciphers

To date, no product cipher has been proved mathematically secure. So in practice one begins by demonstrating that the cipher ``looks highly random''. For example, the cipher must be nonlinear, and it must produce ciphertext that functionally depends on every bit of the plaintext and the key. A product cipher should act as a ``mixing'' function which combines the plaintext, key and ciphertext in a complex nonlinear fashion. The fixed per-round substitutions of the product cipher are referred to as S-boxes. For example, LUCIFER has two S-boxes, and DES has eight S-boxes. The nonlinearity of a product cipher reduces to a careful design of these S-boxes.

Let E be a product cipher that maps N-bit blocks to N-bit blocks, and let E_K(X) be the encryption of X under key K. Then, for any fixed K, the map sending X to E_K(X) is a permutation of the set of N-bit blocks; denote this permutation by P_K. The set of all permutations of the N-bit blocks is called the symmetric group and is written S_{2^N}. The collection of all the permutations P_K, where K ranges over all possible keys, is denoted E(S_{2^N}). If E were a random mapping from the key space to S_{2^N}, we would expect E(S_{2^N}) to generate a large subset of S_{2^N}. Coppersmith and Grossman have shown that a very simple product cipher can generate the alternating group A_{2^N} given a sufficient number of rounds. (The alternating group is half of the symmetric group: it consists of all ``even'' permutations, i.e., all permutations that can be written as an even number of swaps.) Even and Goldreich extended these results to show that Feistel ciphers can generate A_{2^N}, given a sufficient number of rounds.

The security of multiple encipherment also depends on the group-theoretic properties of a cipher. Multiple encipherment adds strength over single encipherment only if, for keys K1 and K2, there is no third key K3 such that E_K2(E_K1(X)) = E_K3(X); if such a K3 existed, encrypting twice with the two independent keys K1 and K2 would be equivalent to a single encryption under K3. If for every K1, K2 there exists such a K3, then we say that E is a group.

The goal of the designer of E is to ensure that P_K appears to be a random element of the symmetric group S_{2^N}. Let R be an element of S_{2^N} selected at random. P_K and R are indistinguishable if an observer, given P_K and R in some order, cannot tell the two permutations apart in polynomial time. That is, with time-bounded resources, the observer cannot determine which of the permutations is produced by E: the optimal decision is no better than simply guessing. Luby and Rackoff have shown that classes of Feistel ciphers are secure in this sense when the round mapping is replaced by random Boolean functions.

The most secure class of product ciphers appears to be those that follow the Feistel network. To make a Feistel cipher very secure one has to concentrate mainly on the design of the S-boxes. Lastly, the data to be encrypted can be longer than the block length of the cipher, so to encrypt all of it, taking into account added security and error propagation, various modes of operation for block ciphers have been proposed. These modes have their individual properties, and the choice among them depends on the requirement.


5. BLOCK CIPHER MODES OF OPERATION

A block cipher operates on blocks of fixed length, often 64, or 128 bits. Few messages are so short, and so some method of handling many chunks of longer messages is required. To encrypt longer messages, several modes of operation have been invented. The earliest modes described in the literature (e.g., ECB, CBC, OFB and CFB) provide only confidentiality, and do not ensure message integrity. Other modes have since been designed which ensure both confidentiality and message integrity, such as CCM mode, EAX mode and OCB mode. Tweakable narrow-block encryption (LRW) mode and wide-block encryption (CMC and EME) modes are designed to encrypt sectors of a disk securely.

5.1 MODES

5.1.1 ELECTRONIC CODEBOOK MODE (ECB)

The simplest of the encryption modes is the electronic codebook (ECB) mode. The message is divided into blocks and each block is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted into identical ciphertext blocks; it therefore does not hide data patterns well and does not provide serious message confidentiality, so it is not recommended for use in cryptographic protocols. The diagram given next depicts ECB mode encryption; decryption can be viewed in the same fashion.

All the modes except ECB require an initialization vector, or IV, i.e. a sort of 'dummy block' that starts the process for the first real block and provides some randomization. The IV is generally not kept secret. The important requirement on the IV is that it should never be reused with the same key.

5.1.2 CIPHER-BLOCK CHAINING (CBC)

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. In addition, to make each message unique, an initialization vector is used in the first block. The following formulas summarize CBC:

For encryption, C_i = E_K(P_i ⊕ C_{i−1}), C_0 = IV

For decryption, P_i = D_K(C_i) ⊕ C_{i−1}, C_0 = IV

CBC is the most commonly used mode of operation. Its main drawbacks are that encryption is sequential, and the message must be padded to a multiple of the cipher block size. A one-bit change in a plaintext affects all following ciphertext blocks, and a plaintext can be recovered from just two adjacent blocks of ciphertext. Consequently, decryption can be parallelized, and a one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext, and inverts the corresponding bit in the following block of plaintext.


5.1.3 PROPAGATING CIPHER-BLOCK CHAINING

The propagating cipher-block chaining mode was designed to cause small changes in the ciphertext to propagate indefinitely when decrypting, as well as when encrypting. The encryption and decryption functions are shown next,

C_i = E_K(P_i ⊕ P_{i−1} ⊕ C_{i−1}), P_0 ⊕ C_0 = IV

P_i = D_K(C_i) ⊕ P_{i−1} ⊕ C_{i−1}, P_0 ⊕ C_0 = IV

5.1.4 CIPHER FEEDBACK (CFB)

The cipher feedback (CFB) mode makes a block cipher into a self-synchronizing stream cipher. The mode can be summarized by the equations:

C_i = E_K(C_{i−1}) ⊕ P_i, P_i = E_K(C_{i−1}) ⊕ C_i, C_0 = IV

Changes in the plaintext propagate forever in the ciphertext, and encryption cannot be parallelized while decryption can be. When decrypting, a one-bit change in the ciphertext affects two plaintext blocks: a one-bit change in the corresponding plaintext block, and complete corruption of the following plaintext block. Later plaintext blocks are decrypted normally. Because each stage of the CFB mode depends on the encrypted value of the previous ciphertext XORed with the current plaintext value, a form of pipelining is possible, since the only encryption step that requires the plaintext is the final XOR. This is useful for applications that require low latency between the arrival of plaintext and the output of the corresponding ciphertext, such as certain applications of streaming media. CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the block cipher is only used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size.

5.1.5 OUTPUT FEEDBACK (OFB)

The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher; it generates key stream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error-correcting codes to function normally even when applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are the same,

C_i = P_i ⊕ O_i, P_i = C_i ⊕ O_i

O_i = E_K(O_{i−1}), O_0 = IV

Each output feedback block cipher operation depends on all the previous ones, and hence the keystream cannot be generated in parallel.

5.1.6 COUNTER (CTR)

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function that produces a sequence guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has characteristics similar to OFB, but also allows random access during decryption, and is believed to be as secure as the block cipher being used. The nonce here plays the role of the initialization vector (IV). The IV/nonce and the counter can be concatenated, added, or XORed together to produce the actual unique counter block for encryption.

Many more modes of operation for block ciphers have been suggested. Some of them have been accepted, fully described (even standardized), and are in use. Others have been found insecure and should never be used.

5.2 RELATED ISSUES

Apart from these modes of operations of the block cipher, other issues need to be answered in the context and are described next.

5.2.1 INTEGRITY PROTECTION AND ERROR PROPAGATION

None of the block cipher modes of operation above provides any integrity protection. This means that an attacker who does not know the key may still be able to modify the data stream in ways useful to them, without any assurance that the alterations will be detected. It is now generally well understood that wherever data is encrypted, it is nearly always essential to provide integrity protection as well, as the risks of not doing so are high. For secure operation, the IV and the ciphertext generated by these modes should be authenticated with a secure MAC, which must be checked by the receiver prior to decryption.

5.2.2 PADDING

A block cipher works on units of a fixed size, but messages come in a variety of lengths, so some modes (mainly CBC) require that the final block be padded before encryption. Several padding schemes exist. The simplest is to add null bytes to the plaintext to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered. Another method, a bit more complex and followed in DES, is to add a single one bit followed by enough zero bits to fill out the block. The most sophisticated are CBC-specific schemes such as residual block termination, which do not add any extra ciphertext; these schemes are relatively complex. Other possibilities are to append a byte with value 128 (hex 80) followed by as many zero bytes as needed to fill the last block, or to pad the last block with n bytes all of value n. CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since they all work by XORing the plaintext with the output of the block cipher. The last partial block of plaintext is XORed with the first few bytes of the last keystream block, producing a final ciphertext block of the same size as the final partial plaintext block. This characteristic of stream ciphers makes them suitable for applications that require the ciphertext to be the same size as the original plaintext, and for applications that transmit data in streaming form, where it is inconvenient to add padding bytes.
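The mode equations of section 5 and the "n bytes of value n" padding of 5.2.2, as an added example (not the report's code) over a toy 8-bit block cipher, so that the error-propagation behaviour each mode is described to have can be observed directly; the key-seeded shuffle that plays the block cipher, the sample key and the sample plaintext are constructed for this illustration.

```python
"""Added example (not the report's code): the CBC, PCBC, CFB, OFB and CTR equations of
section 5 over a toy 8-bit block cipher, plus the 'n bytes of value n' padding of 5.2.2.
The cipher is a key-seeded shuffle of the 256 one-byte blocks: it is NOT secure and is
used only so that the mode arithmetic and error propagation can be observed directly."""
import random


def make_toy_cipher(key: bytes):
    """Return (E, D): a keyed permutation of the 256 one-byte blocks and its inverse."""
    table = list(range(256))
    random.Random(key).shuffle(table)          # deterministic in the key (toy only)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


# Every mode takes a list of one-byte blocks (ints 0..255) and a one-byte IV; the
# comment on each function restates the equation from section 5 that it implements.
def cbc_encrypt(E, iv, blocks):               # C_i = E_K(P_i ^ C_{i-1}), C_0 = IV
    out, prev = [], iv
    for p in blocks:
        prev = E(p ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(D, iv, blocks):               # P_i = D_K(C_i) ^ C_{i-1}
    out, prev = [], iv
    for c in blocks:
        out.append(D(c) ^ prev)
        prev = c
    return out

def pcbc_encrypt(E, iv, blocks):              # C_i = E_K(P_i ^ P_{i-1} ^ C_{i-1}), P_0 ^ C_0 = IV
    out, feedback = [], iv
    for p in blocks:
        c = E(p ^ feedback)
        out.append(c)
        feedback = p ^ c
    return out

def pcbc_decrypt(D, iv, blocks):              # P_i = D_K(C_i) ^ P_{i-1} ^ C_{i-1}
    out, feedback = [], iv
    for c in blocks:
        p = D(c) ^ feedback
        out.append(p)
        feedback = p ^ c
    return out

def cfb_encrypt(E, iv, blocks):               # C_i = E_K(C_{i-1}) ^ P_i, C_0 = IV
    out, prev = [], iv
    for p in blocks:
        prev = E(prev) ^ p
        out.append(prev)
    return out

def cfb_decrypt(E, iv, blocks):               # P_i = E_K(C_{i-1}) ^ C_i  (E only, never D)
    out, prev = [], iv
    for c in blocks:
        out.append(E(prev) ^ c)
        prev = c
    return out

def ofb_crypt(E, iv, blocks):                 # O_i = E_K(O_{i-1}), O_0 = IV, C_i = P_i ^ O_i
    out, o = [], iv                           # one function: encryption == decryption
    for b in blocks:
        o = E(o)
        out.append(b ^ o)
    return out

def ctr_crypt(E, nonce, blocks, start=0):     # C_i = P_i ^ E_K(nonce + i); start => random access
    return [b ^ E((nonce + start + i) & 0xFF) for i, b in enumerate(blocks)]

def flip_probe(encrypt, decrypt, iv, blocks, i, bit):
    """Flip one bit of ciphertext block i, decrypt, and return (indices of plaintext blocks
    that came out wrong, per-block XOR difference): the error propagation of a mode."""
    ct = encrypt(iv, blocks)
    ct[i] ^= 1 << bit
    diffs = [a ^ b for a, b in zip(blocks, decrypt(iv, ct))]
    return [j for j, d in enumerate(diffs) if d], diffs

def pad_n(data: bytes, block: int) -> bytes:
    """Pad with n bytes all of value n; always adds 1..block bytes so it is removable."""
    n = block - len(data) % block
    return data + bytes([n]) * n

def unpad_n(data: bytes, block: int) -> bytes:
    """Strip pad_n padding; a receiver must reject bad padding rather than trust it."""
    n = data[-1] if data else 0
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
```

With `flip_probe`, CBC reports blocks i and i+1 damaged (block i+1 differing in exactly the flipped bit), CFB the same pair with the exact-bit difference in block i, OFB and CTR only block i, and PCBC a difference that repeats unchanged in every block after i.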


6. FEISTEL NETWORK

A Feistel network is a block cipher with a particular structure, named after IBM cryptographer Horst Feistel; it is also commonly known as a Feistel cipher. A large proportion of block ciphers use the scheme. The Feistel structure has the advantage that the encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule. Therefore, the size of the code or circuitry required to implement such a cipher is nearly halved. Feistel networks and similar constructions are product ciphers, and so combine multiple rounds of repeated operations such as:

• Bit-shuffling (often called permutation boxes or P-boxes)
• Simple non-linear functions (often called substitution boxes or S-boxes)
• Linear mixing (in the sense of modular algebra) using XOR

These operations produce a large amount of Shannon’s confusion and diffusion: bit shuffling creates the diffusion effect, while substitution provides confusion. Feistel networks were first seen commercially in IBM's Lucifer cipher, designed by Feistel and his colleagues at IBM.

In cryptography, an SP-network, or substitution-permutation network (SPN), is a series of linked mathematical operations used in block cipher algorithms. These networks consist of S-boxes and P-boxes that transform blocks of input bits into output bits. It is common for these transformations to be operations that are efficient to perform in hardware, such as exclusive or (XOR). S-boxes substitute or transform input bits into output bits. A good S-box will have the property that changing one input bit will change about half of the output bits. It will also have the property that each output bit will depend on every input bit. P-boxes permute or transpose bits across S-box inputs. In addition, at each round the key is combined using some group operation, typically XOR.

Many modern symmetric block ciphers are based on Feistel networks, and the structure and properties of Feistel ciphers have been extensively explored by cryptographers. Specifically, Michael Luby and Charles Rackoff analyzed the Feistel block cipher construction and proved that if the round function is a cryptographically secure pseudorandom function, with K_i used as its key in round i, then 3 rounds are sufficient to make the block cipher a pseudorandom permutation, while 4 rounds are sufficient to make it a "strong" pseudorandom permutation (which means that it remains pseudorandom even to an adversary who gets oracle access to its inverse permutation). Because of this very important result of Luby and Rackoff, Feistel ciphers are sometimes inaccurately called Luby-Rackoff block ciphers.

Assume that the block cipher uses the alphabet {0, 1} and has block length t, and let f_k be its encryption function under the key k. The Feistel cipher constructed from it is a block cipher of block length 2t over the alphabet {0, 1}. Let r ≥ 1 be the number of rounds. With K the key space, some function is assumed that generates the round keys k_1, …, k_r from the key k.


The encryption function of the Feistel cipher for a key k ∈ K works as follows. A plaintext p of length 2t is split into two equal parts of length t, i.e. p = (L_0, R_0), where L_0 is the left half and R_0 the right half. Then the sequence

(L_i, R_i) = (R_{i−1}, L_{i−1} ⊕ f_{k_i}(R_{i−1})), 1 ≤ i ≤ r

is constructed and E_k(L_0, R_0) = (R_r, L_r) is set. As said earlier, decryption is done by repeating the same steps (sometimes some inverses come into the picture) with the round keys used in reverse order.

Clearly, the security of the Feistel cipher depends upon the security of the internal block cipher f; this security is increased by the iterated operation.

Unbalanced Feistel ciphers use a modified structure where L0 and R0 are not of equal lengths. The encryption algorithm is an example of such a cipher. The Texas Instruments Digital Signature Transponder uses a proprietary unbalanced Feistel cipher to perform challenge-response authentication. The Feistel construction is also used in cryptographic algorithms other than block ciphers. For example, the Optimal Asymmetric Encryption Padding (OAEP) scheme uses a simple Feistel network to randomize ciphertexts in certain asymmetric key encryption schemes.
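The construction of section 6 in working form, as an added example (not the report's or any cipher's code): t = 8, r rounds, the round keys k_1..k_r and the round function are stand-ins chosen here (a truncated keyed SHA-256, an assumption, since the report leaves both functions unspecified), and the sample key is constructed.

```python
"""Added example (not the report's code): the Feistel construction of section 6 with
t = 8, i.e. 16-bit blocks, r rounds and round keys k_1..k_r derived from the key k.
The round function is a keyed, truncated SHA-256 standing in for the 'cryptographically
secure pseudorandom function' of Luby-Rackoff; it is NOT invertible, which is the point:
the network is still a bijection, and decryption just reverses the round-key order."""
import hashlib

T = 8                                   # half-block length t, in bits
MASK = (1 << T) - 1


def round_keys(key: bytes, r: int) -> list:
    """k_1..k_r. The report leaves the key-schedule function open; this example (an
    assumption) takes the first byte of SHA-256(key || i) for round i."""
    return [hashlib.sha256(key + bytes([i])).digest()[0] for i in range(1, r + 1)]


def f(k_i: int, right: int) -> int:
    """Round function f_{k_i}: t bits -> t bits, keyed and many-to-one."""
    return hashlib.sha256(bytes([k_i, right])).digest()[0]


def feistel(keys: list, block: int) -> int:
    """(L_i, R_i) = (R_{i-1}, L_{i-1} ^ f_{k_i}(R_{i-1})) for i = 1..r; output (R_r, L_r)."""
    left, right = block >> T, block & MASK
    for k_i in keys:
        left, right = right, left ^ f(k_i, right)
    return (right << T) | left          # the final swap: E_k(L_0, R_0) = (R_r, L_r)


def encrypt(key: bytes, r: int, block: int) -> int:
    return feistel(round_keys(key, r), block)


def decrypt(key: bytes, r: int, block: int) -> int:
    """Same network, round keys in reverse order: the XOR in each round cancels itself."""
    return feistel(round_keys(key, r)[::-1], block)


def is_permutation(key: bytes, r: int) -> bool:
    """Every 2t-bit block is hit exactly once, even though f itself is not injective."""
    keys = round_keys(key, r)
    return len({feistel(keys, p) for p in range(1 << (2 * T))}) == 1 << (2 * T)


def missing_outputs(k_i: int) -> int:
    """How many t-bit values f_{k_i} never produces: > 0 means f is not invertible."""
    return (1 << T) - len({f(k_i, x) for x in range(1 << T)})


def exposed_half(key: bytes, block: int) -> int:
    """With r = 1 the right half of the plaintext is copied straight into the output,
    one reason Luby-Rackoff need three rounds before the result looks random."""
    return encrypt(key, 1, block) & MASK
```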


7. S-BOX

A substitution box (or S-box) is a basic component of symmetric key algorithms. In block ciphers, S-boxes are typically used to obscure the relationship between the plaintext and the ciphertext, and in many cases they are carefully chosen to resist cryptanalysis. In general, an S-box takes some number of input bits, m, and transforms them into some number of output bits, n; such an m×n S-box is implemented as a lookup table. Fixed tables are normally used, as in the Data Encryption Standard (DES), but in some ciphers the tables are generated dynamically from the key.

S-boxes are very important in block ciphers, as they are the points most susceptible to differential attacks. Research has already indicated that even small modifications to an S-box can significantly weaken a cipher, so enough attention must be paid to its design. The reason S-boxes have not been removed from ciphers is that no better option for creating the confusion property is available.

Although S-boxes can be used in different ways within an encipherment round, whether they are used directly in the plaintext-to-ciphertext path or in a Feistel round structure does not significantly change the properties an S-box is required to have.

It is noted that some simple algorithms to construct S-boxes with good properties for a single round lead to S-boxes which, when iterated, have bad properties. Thus, it is not enough that S(x) lack these particular types of structure; S(S(x)) must do so as well, and so on.

An S-box where S(x+a) can be S(x) plus anything, depending on x, would be good against linear cryptanalysis as well as differential cryptanalysis; this is what led to the search for ways to make an S-box with a "flat XOR profile", which is precisely what, if adhered to too rigidly, makes higher powers of that same S-box unsafe. Again, one way to keep the chance of problems within bounds is simply to use a large and random S-box, since then its higher powers are also random. However, it is possible to design an S-box that has a nearly flat XOR profile and still resists this danger, for cases where a specially designed S-box is desired in order to have security with the smallest possible S-box size.

7.1 BENT FUNCTION

Although a "flat XOR profile" may not be ideal for cryptography in practice, it still is important to understand how one may be achieved, as a starting point. A perfectly flat XOR profile is the defining property of a bent function.

In the binary domain, the basic definition of a bent function is as follows:

• The function gives a single-bit value as a result, from a multi-bit argument.
• This value is zero for half the possible arguments, and one for half the possible arguments.
• If one varies i over all possible values of the argument of the function, then for any j not equal to zero, f(i) and f(i XOR j) are the same exactly half the time, and different exactly half the time.

A function returning a multi-bit result is bent when each of its bits is a bent function of the type described above, and in addition each of those functions is orthogonal to each other; that is, varying i over all possible values, where m and n are the numbers of any two bits in the result, and m and n are not equal, f(i,m) and f(i,n) are the same exactly half the time, and different exactly half the time.

Bent functions are not trivial to construct for all orders, although simple methods have been given to construct functions that approach being bent. And, almost all large random S-boxes approximate this behavior as well.

It is easy to see that it is impossible to construct a bent function, according to that definition, with 2, 4, or 8 possible arguments. Another definition of bent functions, however, does not appear to have that limitation, one that is expressed in terms of the Walsh transform.

The binary Walsh functions are constructed using a recursion that is essentially the same one used to produce Hadamard matrices. That recursion, of course, is the one that repeatedly applies the pattern:

    +------+----------+
    | same | same     |
    +------+----------+
    | same | opposite |
    +------+----------+

For example (1 denotes +1 and -1 the "opposite" entries, which the original drawing left blank):

    1  1        1  1  1  1        1  1  1  1  1  1  1  1
    1 -1        1 -1  1 -1        1 -1  1 -1  1 -1  1 -1
                1  1 -1 -1        1  1 -1 -1  1  1 -1 -1
                1 -1 -1  1        1 -1 -1  1  1 -1 -1  1
                                  1  1  1  1 -1 -1 -1 -1
                                  1 -1  1 -1 -1  1 -1  1
                                  1  1 -1 -1 -1 -1  1  1
                                  1 -1 -1  1 -1  1  1 -1


Another way to construct the binary Walsh functions is like this:

[Drawing of the eight Walsh functions of order 8 as square waves, one per row; the figure did not survive extraction.]

Apart from these, various researchers have presented various faces of S-box and some of them are briefed next.

Ayoub has shown in his paper that when the permutation is also selected at random, i.e. user keyed, the resulting network retains, with a very high probability, the completeness property, i.e. every output bit is a function of all input bits.

Pieprzyk and Finkelstein showed that one could get permutations of maximum nonlinearity by generation of permutations at random.

Meier and Staffelbach classified the criteria of nonlinearity for Boolean functions in view of their suitability for cryptographic design. The classification is set up in terms of the largest transformation group leaving a criterion invariant. In this respect, two criteria turn out to be of special interest, the distance to linear structures and the distance to affine functions, which are shown to be invariant under all affine transformations. With regard to these criteria, an optimum class of functions is considered. These functions simultaneously have maximum distance to affine functions and maximum distance to linear structures, as well as minimum correlation to affine functions. The functions with these properties are proved to coincide with certain functions known in combinatorial theory, where they are called bent functions. With respect to linear structures, a function f has optimum nonlinearity if for every nonzero vector a in GF(2)^n the values f(x+a) and f(x) are equal for exactly half of the arguments x in GF(2)^n. If a function satisfies this property it is called perfect nonlinear with respect to linear structures, or briefly perfect nonlinear.

Nyberg proposed that a perfect nonlinear S-box is a substitution transformation with evenly distributed directional derivatives. Since the method of differential cryptanalysis presented by E. Biham and A. Shamir makes use of unbalanced directional derivatives, perfect nonlinear S-boxes are immune to this attack. The main result is that for a perfect nonlinear S-box the number of input variables is at least twice the number of output variables.


Dawson and Tavares presented the desired properties of an S-box. The properties mentioned by them are:

Static Properties:

• Partial information about the inputs and outputs does not reduce the uncertainty in an unknown output.
• Partial information about the inputs and outputs does not reduce the uncertainty in a known output.
• The uncertainty in a data value is reduced by the minimum amount possible when it passes through an S-box.

Dynamic Properties:

The dynamic properties are similar to the static properties except that they deal with the changes in inputs and outputs.

Forre presented a set of cryptographic properties of S-boxes based on information theory. Dawson & Tavares extended Forre's ideas to define an expanded set of design criteria for cryptographically strong S-boxes. The authors viewed an S-box in two different ways: a static view, which models an S-box when the inputs are steady, and a dynamic view, which models an S-box when the inputs change. Forre's criteria, however, apply to the static model only. In the Dawson & Tavares design framework, both an S-box and its inverse were designed to have low information leakage. The expanded set of design criteria was developed at a "single" bit level, where the information leakage between a single output bit and the input bits, or between a single output bit and the rest of the output bits, was computed. Sivabalan, Tavares & Peppard extended the design criteria to a "multiple" bit level, where the information leakage between one or more output bits and the input bits, or between one or more output bits and the rest of the output bits, is considered.

Youssef and Tavares mentioned that one of the requirements in substitution-box design is to have a regular S-box (also known as a balanced S-box). This means that each output symbol should appear an equal number of times when the input is varied over all possible values.

Various other comments on S-boxes and their design are present in the literature, but the ones mentioned here are the essential ones. S-boxes play a very crucial role in a block cipher, and hence proper care should be taken in the design of the S-box, else the cryptosystem is left highly susceptible to various attacks, primarily differential and linear cryptanalysis.


II. REFERENCES


1. NEWSGROUPS: sci.crypt and talk.politics.crypto at Google

2. Horst Feistel, “Cryptography and Computer Privacy,” Scientific American, May 1973, Volume 228, Number 5

3. Terry Ritter, “S-Box Design: A Literature Survey.” (http://www.ciphersbyritter.com/)

4. The Wikipedia website has been used as a reference in this section of the report; the S-box and product cipher introductions have been drawn from it. (http://en.wikipedia.com)


SECTION - III

LUCIFER, DES, IDEA, CAST, LOKI97, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX, TIGER

Other Algorithms

- Anuj Prateek

8. LUCIFER: The First Block Cipher

DESIGNER: IBM; Horst Feistel and his colleagues
YEAR: 1970’s
BLOCK LENGTH: 128 bits
KEY LENGTH: 128 bits

8.1 INTRODUCTION: In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking. The name "Lucifer" was apparently a pun on "Demon", which was in turn a truncation of "Demonstration", the name of a privacy system Feistel was working on; the operating system used could not handle the longer name. IBM submitted the Feistel-network version of Lucifer as a candidate for DES (compare the more recent AES process). After some redesign (a reduction to a 56-bit key and 64-bit block, but strengthened against differential cryptanalysis) it became the Data Encryption Standard in 1977. Before LUCIFER came into existence, ciphers such as Playfair existed in the cryptographic world, but since LUCIFER gave birth to DES it can be considered the first block cipher in the sense of success.

8.2 ALGORITHM:

The F-function in LUCIFER had a high degree of symmetry, and could be implemented in terms of operations on one byte of the right half of the message at a time.

Each of the 16 rounds uses a 72-bit subkey. The subkey for the first round consists of the first byte of the key repeated twice, followed by the next seven bytes of the key. The key is then rotated left by seven bytes and the subkey for the next round is generated in the same way.

The right half of the block is XORed with the last eight bytes of the subkey for the round. Based on the bits of the first byte of the subkey for that round, the nibbles are swapped in those bytes of the result that correspond to a 1 bit.

S-box 0 is used for the most significant nibble of each of these eight bytes, and S-box 1 is used for the least significant nibble of each byte:

Input            0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
S-box 0 output  12  15   7  10  14  13  11   0   2   6   3   1   9   4   5   8
S-box 1 output   7   2  14   9   3  11   0   4  12  13   1  10   6  15   8   5


The 64 bits of the result are permuted, numbered from 0 (for the most significant bit) to 63 (for the least significant bit), by the following permutation,

In general, in each round, the f-function is calculated using that round's subkey and the left half of the block. The result is then XORed to the right half of the block, which is the only part of the block altered for that round. After every round except the last one, the right and left halves of the block are swapped.

8.3 SECURITY: Although LUCIFER has a larger block and key size than DES, it is considerably more vulnerable to attacks from differential cryptanalysis, and is also weak due to the regular nature of its key schedule. However, this does not mean that the LUCIFER algorithm is useless. If a reasonably good stream cipher is used both before and after LUCIFER, its weaknesses essentially become irrelevant, and its strengths are still present. It might indeed be argued that this kind of precaution ought to be used with DES as well.
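The S-box criteria of section 3 (SAC, completeness) and section 7 (balance, the XOR profile, distance to affine functions via the Walsh transform, perfect nonlinearity) applied to the two LUCIFER S-boxes tabulated above, as an added example that is not the report's code; the two LUCIFER tables are the report's, while BENT4 is a constructed reference function.

```python
"""Added example (not the report's code): checking the S-box criteria of sections 3 and 7
(balance, completeness, strict avalanche, the XOR profile, distance to affine functions via
the Walsh transform, perfect nonlinearity) on the two 4x4 LUCIFER S-boxes tabulated above.
The two LUCIFER tables are the report's; BENT4 is a constructed reference function."""
from collections import Counter

LUCIFER_S0 = [12, 15, 7, 10, 14, 13, 11, 0, 2, 6, 3, 1, 9, 4, 5, 8]
LUCIFER_S1 = [7, 2, 14, 9, 3, 11, 0, 4, 12, 13, 1, 10, 6, 15, 8, 5]
# x0*x1 xor x2*x3, the textbook 4-input bent function: a perfectly flat XOR profile.
BENT4 = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]


def is_balanced(sbox, m=4, n=4):
    """Regular S-box (Youssef-Tavares): every n-bit output occurs exactly 2^(m-n) times."""
    counts = Counter(sbox)
    return len(counts) == 1 << n and set(counts.values()) == {1 << (m - n)}


def sac_matrix(sbox, m=4, n=4):
    """counts[i][j] = number of inputs x for which flipping input bit i flips output bit j."""
    counts = [[0] * n for _ in range(m)]
    for x in range(1 << m):
        for i in range(m):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n):
                counts[i][j] += (d >> j) & 1
    return counts


def is_complete(sbox, m=4, n=4):
    """Completeness: every output bit depends on every input bit (no zero entry)."""
    return all(c > 0 for row in sac_matrix(sbox, m, n) for c in row)


def sac_deviation(sbox, m=4, n=4):
    """Largest |count - 2^(m-1)|; 0 means the strict avalanche criterion holds exactly."""
    half = 1 << (m - 1)
    return max(abs(c - half) for row in sac_matrix(sbox, m, n) for c in row)


def xor_profile(sbox, m=4, n=4):
    """table[a][b] = #{x : S(x) xor S(x xor a) = b}, the differential-attack view."""
    table = [[0] * (1 << n) for _ in range(1 << m)]
    for x in range(1 << m):
        for a in range(1 << m):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table


def component(sbox, j):
    """Truth table (list of 0/1) of output bit j."""
    return [(y >> j) & 1 for y in sbox]


def walsh_spectrum(f):
    """W(a) = sum_x (-1)^(f(x) xor a.x), computed with the same [same same; same opposite]
    recursion that generates the Hadamard matrices of section 7.1."""
    w = [1 - 2 * v for v in f]          # 0/1 -> +1/-1
    h = 1
    while h < len(w):
        for start in range(0, len(w), 2 * h):
            for k in range(start, start + h):
                a, b = w[k], w[k + h]
                w[k], w[k + h] = a + b, a - b
        h *= 2
    return w


def nonlinearity(f):
    """Distance to the nearest affine function (Meier-Staffelbach): (2^m - max|W|) / 2."""
    return (len(f) - max(abs(v) for v in walsh_spectrum(f))) // 2


def is_perfect_nonlinear(f):
    """f(x) xor f(x xor a) balanced for every nonzero a: flat XOR profile, i.e. bent."""
    size = len(f)
    return all(sum(f[x] ^ f[x ^ a] for x in range(size)) == size // 2
               for a in range(1, size))


def min_component_nonlinearity(sbox, n=4):
    """Worst case over all nonzero linear combinations of output bits (what linear
    cryptanalysis looks for)."""
    return min(nonlinearity([bin(y & c).count("1") & 1 for y in sbox])
               for c in range(1, 1 << n))
```

On LUCIFER's S-box 0 the SAC counts for input bit 0 are 12, 8, 8, 8 out of 16 (complete, but the strict criterion misses by up to 4), and since every balanced component is a non-bent function, no component of a balanced 4x4 S-box can be perfect nonlinear, in line with Nyberg's bound.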


DES & TDES

9. DATA ENCRYPTION STANDARD, & TRIPLE DATA ENCRYPTION STANDARD

DESIGNER: IBM Team, which included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman. DATE: Jan 1977 KEYSIZE: 56 bits BLOCK SIZE: 64 bits

9.1 INTRODUCTION: A DES key consists of 64 binary digits ("0"s and "1"s), of which 56 are generated randomly and used directly by the algorithm. The other 8 bits are not used by the algorithm and may be used for error detection: each is set so that the parity of its 8-bit byte is odd, i.e. every byte of the key contains an odd number of "1"s. A TDEA key consists of three DES keys, referred to as a key bundle. DES and TDEA were reaffirmed as the federal standard for symmetric encryption by NIST on Oct 25, 1999 (FIPS 46-3), approved by the then Secretary of Commerce; DES has since been superseded by AES. DES is a Feistel network with 16 rounds. It is widely believed that the NSA was involved in the choice of the small key size, which is the algorithm's main weakness. DES was derived from LUCIFER; later ciphers such as LOKI97 and ICE are among its descendants.

9.2 ALGORITHM:

The block to be encrypted is first subjected to the initial permutation IP, then to 16 rounds, and finally to the final permutation FP, which is the inverse of IP. The key-dependent computation is defined in terms of a function f, called the cipher function, and a function KS, called the key schedule. Function f is in turn defined in terms of primitive functions called the selection functions $S_i$ and the permutation function P. The diagram on the next page describes DES. In the diagram, for two blocks L and R of bits, LR denotes the block consisting of the bits of L followed by the bits of R. Since concatenation is associative, $B_1 B_2 \cdots B_8$ denotes the block consisting of the bits of $B_1$ followed by the bits of $B_2$, ..., followed by the bits of $B_8$.

The computation that takes the permuted input block to the preoutput block consists, apart from a final interchange of halves, of 16 iterations of a calculation described in terms of the cipher function f, which operates on two blocks, one of 32 bits and one of 48 bits, and produces a block of 32 bits. Let the 64-bit input to an iteration consist of a 32-bit block L followed by a 32-bit block R, so that the input block is LR, and let K be a block of 48 bits chosen from the 64-bit key. The output L'R' of an iteration with input LR is then defined by

$L_n = R_{n-1}$

$R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

K is chosen afresh in every round and is computed by the key schedule,

$K_n = KS(n, KEY)$

The preoutput block is $R_{16} L_{16}$ (the halves are interchanged after the last round; this is the final interchange mentioned above). For decryption the same procedure is followed with the subkeys applied in reverse order, $K_{16}$ first.


Figure 9.1 Schematic of DES encryption.


The next diagram describes the function f,

Figure 9.2 Schematic of function f

In the diagram, E is an expansion function that takes a 32-bit input and produces 48 bits by selecting input bits according to the E bit-selection table; 16 of the input bits are used twice.

Each of the unique selection functions S1, S2, ..., S8 takes a 6-bit block as input and yields a 4-bit block as output; each is specified by a table of 4 rows and 16 columns.


If S1 is the function defined by its table and B is a block of 6 bits, then S1(B) is determined as follows: the first and last bits of B represent, in base 2, a number in the range 0 to 3; call it i. The middle 4 bits of B represent, in base 2, a number in the range 0 to 15; call it j. Look up the entry in row i and column j of the table. It is a number in the range 0 to 15 and is uniquely represented by a 4-bit block; that block is the output S1(B) of S1 for the input B. The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of the input block according to a fixed table.

In brief, the function f is defined as

$f(R, K) = P\big(S_1(B_1)\,S_2(B_2) \cdots S_8(B_8)\big)$, where $B_1 B_2 \cdots B_8 = E(R) \oplus K$

For TDES with three keys K1, K2 and K3, DES is applied three times (encrypt-decrypt-encrypt):

$O = E_{K_3}\big(D_{K_2}(E_{K_1}(I))\big)$, where I is a 64-bit block.

Decryption correspondingly is

$O = D_{K_1}\big(E_{K_2}(D_{K_3}(I))\big)$
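The following is an added example, not code from the report or from any DES implementation. It runs the Feistel iteration written above ($L_n = R_{n-1}$, $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$, halves swapped at the end) and the EDE wiring of TDES, to show why decryption is the same procedure with the subkeys reversed and why a bundle with K1 = K2 collapses to single encryption. The cipher function f and the key schedule are stand-ins built from SHA-256 (so the example runs without the DES tables); only the Feistel skeleton and the EDE composition are taken from the text.

```python
"""Added example: a Feistel skeleton with a stand-in round function, plus EDE.

f is NOT DES's f (E, S-boxes, P) and key_schedule is NOT KS: both are toy
constructions from SHA-256 so the block runs without any DES tables.
"""
import hashlib

ROUNDS = 16


def key_schedule(key: bytes) -> list:
    """Stand-in for KS(n, KEY): 16 round keys of 6 bytes (48 bits) each."""
    stream = b""
    counter = 0
    while len(stream) < ROUNDS * 6:
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return [stream[6 * n:6 * n + 6] for n in range(ROUNDS)]


def f(right: bytes, round_key: bytes) -> bytes:
    """Stand-in cipher function: 32-bit half + 48-bit subkey -> 32 bits.

    It need not be invertible: the Feistel structure only ever XORs its output.
    """
    return hashlib.sha256(round_key + right).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, round_keys: list) -> bytes:
    """L_n = R_{n-1}; R_n = L_{n-1} xor f(R_{n-1}, K_n); halves swapped at the end."""
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for k in round_keys:
        left, right = right, xor(left, f(right, k))
    return right + left          # preoutput R16 L16


def encrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, key_schedule(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    # Same iteration, subkeys in reverse order: K16 first.
    return feistel(block, key_schedule(key)[::-1])


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """O = E_K3(D_K2(E_K1(I)))"""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """O = D_K1(E_K2(D_K3(I)))"""
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))
```

Because each round only XORs f's output into one half and the final swap puts the halves back in the order the reversed schedule expects, decrypt() undoes encrypt() without f ever being inverted; the same reasoning makes ede_encrypt with K1 = K2 (or K2 = K3) equal to a single encryption, which is why a TDES bundle with repeated keys gives no more strength than DES.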

The remaining tables and functions used by DES, omitted above for brevity, follow.


The key schedule, which is common to DES and TDES, is described in the diagram on the next page. It uses the tables Permuted Choice 1 (PC-1) and Permuted Choice 2 (PC-2), shown next.


Figure 9.3 Schematic of Key Schedule.

The number of left shifts applied at each round is shown next.


Figure 9.4 Left shifts per round.

9.3 SECURITY: Although more has been published on the cryptanalysis of DES than on any other block cipher, the most practical attack to date is still brute force. Various minor cryptanalytic properties are known, and three theoretical attacks exist which, while having a complexity below that of brute force, require an unrealistic amount of known or chosen plaintext and are not a concern in practice. In 1993 Wiener proposed a key-search machine costing US$1 million that would find a key within 7 hours. The vulnerability of DES was demonstrated in practice in the late 1990s: in 1998 the Electronic Frontier Foundation (EFF), a cyberspace civil-rights group, built a custom DES cracker for approximately US$250,000. The only other confirmed DES cracker is the COPACOBANA machine (Cost-Optimized Parallel Code Breaker), built more recently by teams at the Universities of Bochum and Kiel in Germany. The three theoretical attacks are differential cryptanalysis, linear cryptanalysis and the improved Davies' attack; they require between 2^39 and 2^54 known or chosen plaintexts. DES also has the complementation property (complementing both key and plaintext complements the ciphertext), four weak keys for which encryption and decryption are the same operation, and six pairs of semi-weak keys for which encryption under one key is equivalent to decryption under the other; on the other hand DES is not a group, so multiple encryption does not reduce to a single encryption. The 64-bit block makes DES vulnerable to matching-ciphertext attacks once about 2^32 blocks have been encrypted under one key, unless TDES in inner-CBC mode is used, but in that case efficient key-recovery attacks can be mounted. DES is further weakened by its short key, which is attributed to NSA influence on IBM.

9.4 DISADVANTAGES: DES is one of the most studied and analysed algorithms, and that scrutiny has exposed many of its weaknesses. A number of attacks are described in the literature and a few have been demonstrated in practice. In the present scenario single DES can no longer be considered secure, though TDES still offers reasonable security.


IDEA

10. IDEA

DESIGNER: Xuejia Lai and James Massey YEAR: 1990 KEY LENGTH: 128 bits BLOCK LENGTH: 64 bits

10.1 INTRODUCTION: IDEA was originally called the Proposed Encryption Standard (PES). In 1991 Lai and Massey strengthened the algorithm against differential cryptanalysis and called the result Improved PES (IPES); the name was changed to International Data Encryption Algorithm (IDEA) in 1992. IDEA is perhaps best known for its use in PGP.

10.2 ALGORITHM:

IDEA consists of eight rounds using 52 16-bit subkeys. Each round uses six subkeys, and the remaining four are used in the output transformation. Three group operations on 16-bit sub-blocks are combined: bitwise XOR, addition modulo 2^16 (written +), and multiplication modulo 2^16 + 1 (written *), in which the all-zero sub-block stands for 2^16.

First, the 128-bit key is divided into eight 16-bit blocks to provide the first eight subkeys. The key is then rotated 25 bits to the left and again split into eight subkeys. This rotate-and-split step is repeated until all 52 subkeys (SK1-SK52) have been produced. The 64-bit plaintext block is split into four 16-bit sub-blocks (B1-B4).

A round then consists of the following steps (OB stands for output block):

OB1 = B1 * SK1 (multiply 1st sub-block by 1st subkey)
OB2 = B2 + SK2 (add 2nd sub-block to 2nd subkey)
OB3 = B3 + SK3
OB4 = B4 * SK4 (multiply 4th sub-block by 4th subkey)
OB5 = OB1 XOR OB3 (XOR results of steps 1 and 3)
OB6 = OB2 XOR OB4
OB7 = OB5 * SK5 (multiply result of step 5 by 5th subkey)
OB8 = OB6 + OB7 (add results of steps 6 and 7)
OB9 = OB8 * SK6 (multiply result of step 8 by 6th subkey)
OB10 = OB7 + OB9
OB11 = OB1 XOR OB9 (XOR results of steps 1 and 9)
OB12 = OB3 XOR OB9
OB13 = OB2 XOR OB10
OB14 = OB4 XOR OB10

The output of the round, and the input to the next round, is the four sub-blocks OB11, OB12, OB13, OB14 in that order. With this numbering the swap of the two middle sub-blocks is already included, since OB12 is derived from the third input sub-block and OB13 from the second. After the eighth round this swap is undone, i.e. the final transformation receives (F1, F2, F3, F4) = (OB11, OB13, OB12, OB14), and produces the four sub-blocks of ciphertext (C1-C4), which are concatenated to form the 64-bit ciphertext block:

C1 = F1 * SK49
C2 = F2 + SK50
C3 = F3 + SK51
C4 = F4 * SK52

Ciphertext = C1 || C2 || C3 || C4.
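As an added example (not code from the report, from Lai and Massey, or from PGP), a complete IDEA block cipher in pure Python following the round steps listed above. The pieces the text only sketches are written out: the 52-subkey schedule, the two non-standard group operations (multiplication modulo 2^16 + 1 with 0 standing for 2^16, and its inverse), and the derivation of decryption subkeys, which lets the same round code decrypt. Key is 16 bytes, block is 8 bytes, both big-endian.

```python
"""Added example: IDEA (8 rounds, 52 subkeys) in pure Python."""

MASK16 = 0xFFFF


def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1; the 16-bit value 0 stands for 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    return ((a * b) % 0x10001) & MASK16


def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def mul_inv(a: int) -> int:
    """Inverse for mul(); 0 (i.e. 2^16 = -1 mod 2^16+1) is its own inverse."""
    return pow(a or 0x10000, -1, 0x10001) & MASK16


def add_inv(a: int) -> int:
    return (-a) & MASK16


def expand_key(key: bytes) -> list:
    """52 subkeys: take eight 16-bit chunks, rotate the 128-bit key left by 25, repeat."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 16 bytes")
    k = int.from_bytes(key, "big")
    z = []
    while len(z) < 52:
        z.extend((k >> (112 - 16 * i)) & MASK16 for i in range(8))
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    return z[:52]


def decrypt_subkeys(z: list) -> list:
    """Subkeys that make the encryption code decrypt.

    Multiplicative subkeys are inverted, additive ones negated, and the groups
    are taken in reverse order. Because each round's output crosses the two
    middle sub-blocks, the two additive subkeys are swapped in every
    decryption round except the first.
    """
    dk = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for d in range(1, 8):
        s = 6 * (8 - d)                     # encryption round whose key mixing is undone
        dk += [mul_inv(z[s]), add_inv(z[s + 2]), add_inv(z[s + 1]), mul_inv(z[s + 3]),
               z[s - 2], z[s - 1]]          # MA subkeys of the preceding encryption round
    dk += [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return dk


def _crypt_block(block: bytes, z: list) -> bytes:
    if len(block) != 8:
        raise ValueError("IDEA block must be 8 bytes")
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in (0, 2, 4, 6))
    for r in range(8):
        z1, z2, z3, z4, z5, z6 = z[6 * r:6 * r + 6]
        x1, x2, x3, x4 = mul(x1, z1), add(x2, z2), add(x3, z3), mul(x4, z4)  # steps 1-4
        u = mul(x1 ^ x3, z5)                  # steps 5 and 7
        v = mul(add(x2 ^ x4, u), z6)          # steps 6, 8 and 9
        w = add(u, v)                         # step 10
        x1, x2, x3, x4 = x1 ^ v, x3 ^ v, x2 ^ w, x4 ^ w   # steps 11-14, middle pair crossed
    x2, x3 = x3, x2                           # the crossing is undone after round 8
    z1, z2, z3, z4 = z[48:52]
    out = (mul(x1, z1), add(x2, z2), add(x3, z3), mul(x4, z4))   # output transformation
    return b"".join(t.to_bytes(2, "big") for t in out)


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, expand_key(key))


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _crypt_block(block, decrypt_subkeys(expand_key(key)))
```

Usage: encrypt_block(bytes.fromhex("00010002000300040005000600070008"), bytes.fromhex("0000000100020003")) gives the standard IDEA test vector; decrypt_block on the result returns the plaintext. The point of decrypt_subkeys is that IDEA, like a Feistel cipher, reuses one code path for both directions, but here the reuse depends on every subkey having an inverse in its own group, which is why the multiplication is taken modulo the prime 2^16 + 1.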


10.3 SECURITY: IDEA is roughly twice as fast as DES in software and is considerably more secure. A brute-force attack must search 2^128 keys. Attacks on reduced-round versions of IDEA have been published, among them truncated-differential and differential-linear attacks, but none of them breaks the full eight-round cipher.


CAST

11. CAST

DESIGNER: Carlisle Adams YEAR: May 1997 (RFC 2144) KEY SIZE: Variable, 40 to 128 bits BLOCK SIZE: 64 bits

11.1 INTRODUCTION: CAST-128 is a DES-like substitution-permutation network (SPN) cryptosystem that appears to have good resistance to differential, linear and related-key cryptanalysis. It also possesses a number of other desirable cryptographic properties, including avalanche, the Strict Avalanche Criterion (SAC), the Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys. It thus appears to be a good general-purpose cipher. Its round structure resembles Blowfish's: a Feistel network whose non-invertible f function combines four 8x32-bit S-boxes, although CAST-128's S-boxes are fixed rather than key-dependent.

11.2 ALGORITHM:

(Because of the length of the full specification, the algorithm is described here with a few conventions and in pseudo code.)

The input is the plaintext m1...m64 and the key K = k1...k128; the output is the ciphertext c1...c64. The algorithm can be summarized as:

• (Key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K.
• (L0, R0) <- (m1...m64). (Split the plaintext into left and right 32-bit halves, L0 = m1...m32 and R0 = m33...m64.)
• (16 rounds) For i from 1 to 16, compute Li and Ri as follows:
  Li = Ri-1;
  Ri = Li-1 ^ f(Ri-1, Kmi, Kri); (f is of Type 1, Type 2 or Type 3, depending on i.)
• c1...c64 <- (R16, L16). (Exchange the final blocks L16, R16 and concatenate to form the ciphertext.)

Decryption is identical to the encryption algorithm given above, except that the rounds (and therefore the subkey pairs) are used in reverse order to compute (L0, R0) from (R16, L16).

CAST-128 uses a pair of subkeys per round: a 32-bit quantity Km is used as a "masking" key and a 5-bit quantity Kr is used as a "rotation" key.

Three different round functions are used in CAST-128. The rounds are as follows (where "D" is the data input to the f function and "Ia" - "Id" are the most significant byte through least significant byte of I, respectively). Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-shift operation.

Type 1:
  I = ((Kmi + D) <<< Kri)
  f = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

Type 2:
  I = ((Kmi ^ D) <<< Kri)
  f = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

Type 3:
  I = ((Kmi - D) <<< Kri)
  f = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

Rounds 1, 4, 7, 10, 13 and 16 use f of Type 1; rounds 2, 5, 8, 11 and 14 use Type 2; rounds 3, 6, 9, 12 and 15 use Type 3.

CAST-128 uses eight substitution boxes: s-boxes S1, S2, S3, and S4 are round function s-boxes; S5, S6, S7, and S8 are key schedule s-boxes. Although eight s- boxes require 8 KBytes of storage, note that only 4 KBytes are required during actual encryption / decryption since subkey generation is typically done prior to any data input. (S-boxes are not shown in this document to save space.)

Assuming a 128-bit key x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF, where x0 represents the most significant byte and xF represents the least significant byte, let z0..zF be intermediate (temporary) bytes, and let Si[] represent s-box i and let "^" represent XOR addition. The key generation for the key assumed is as follows,

z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K2 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K3 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]
K4 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K5 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K6 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K7 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K8 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K9 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K10 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K11 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K12 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K13 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]
K14 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]
K15 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K16 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K17 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2]
K18 = S5[zA] ^ S6[zB] ^ S7[z5] ^ S8[z4] ^ S6[z6]
K19 = S5[zC] ^ S6[zD] ^ S7[z3] ^ S8[z2] ^ S7[z9]
K20 = S5[zE] ^ S6[zF] ^ S7[z1] ^ S8[z0] ^ S8[zC]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K21 = S5[x3] ^ S6[x2] ^ S7[xC] ^ S8[xD] ^ S5[x8]
K22 = S5[x1] ^ S6[x0] ^ S7[xE] ^ S8[xF] ^ S6[xD]
K23 = S5[x7] ^ S6[x6] ^ S7[x8] ^ S8[x9] ^ S7[x3]
K24 = S5[x5] ^ S6[x4] ^ S7[xA] ^ S8[xB] ^ S8[x7]
z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8]
z4z5z6z7 = x8x9xAxB ^ S5[z0] ^ S6[z2] ^ S7[z1] ^ S8[z3] ^ S8[xA]
z8z9zAzB = xCxDxExF ^ S5[z7] ^ S6[z6] ^ S7[z5] ^ S8[z4] ^ S5[x9]
zCzDzEzF = x4x5x6x7 ^ S5[zA] ^ S6[z9] ^ S7[zB] ^ S8[z8] ^ S6[xB]
K25 = S5[z3] ^ S6[z2] ^ S7[zC] ^ S8[zD] ^ S5[z9]
K26 = S5[z1] ^ S6[z0] ^ S7[zE] ^ S8[zF] ^ S6[zC]
K27 = S5[z7] ^ S6[z6] ^ S7[z8] ^ S8[z9] ^ S7[z2]
K28 = S5[z5] ^ S6[z4] ^ S7[zA] ^ S8[zB] ^ S8[z6]
x0x1x2x3 = z8z9zAzB ^ S5[z5] ^ S6[z7] ^ S7[z4] ^ S8[z6] ^ S7[z0]
x4x5x6x7 = z0z1z2z3 ^ S5[x0] ^ S6[x2] ^ S7[x1] ^ S8[x3] ^ S8[z2]
x8x9xAxB = z4z5z6z7 ^ S5[x7] ^ S6[x6] ^ S7[x5] ^ S8[x4] ^ S5[z1]
xCxDxExF = zCzDzEzF ^ S5[xA] ^ S6[x9] ^ S7[xB] ^ S8[x8] ^ S6[z3]
K29 = S5[x8] ^ S6[x9] ^ S7[x7] ^ S8[x6] ^ S5[x3]
K30 = S5[xA] ^ S6[xB] ^ S7[x5] ^ S8[x4] ^ S6[x7]
K31 = S5[xC] ^ S6[xD] ^ S7[x3] ^ S8[x2] ^ S7[x8]
K32 = S5[xE] ^ S6[xF] ^ S7[x1] ^ S8[x0] ^ S8[xD]

The masking and rotation subkeys are then assigned as follows.

Let Km1, ..., Km16 be 32-bit masking subkeys (one per round) and Kr1, ..., Kr16 be 32-bit rotation subkeys (one per round), of which only the least significant 5 bits are used in each round:

for (i = 1; i <= 16; i++) {
    Kmi = Ki;
    Kri = K16+i;
}

The CAST-128 encryption algorithm has been designed to allow a key size that varies from 40 bits to 128 bits in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120 and 128 bits). For variable key-size operation the specification is as follows:

• For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly as specified but uses 12 rounds instead of 16 • For key sizes greater than 80 bits, the algorithm uses the full 16 rounds • For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least significant, positions) out to 128 bits (since the CAST-128 key schedule assumes an input key of 128 bits).

11.3 SECURITY: David Wagner, John Kelsey and co-authors discovered a related-key attack on the 64-bit-block version of CAST that requires approximately 2^17 chosen plaintexts, one related-key query and 2^48 offline computations. The attack is impractical at best. The complexity of the design, with its one-way round function and key schedule, leaves room for design flaws to go unnoticed, but the current version of CAST remains unbroken and in use.


LOKI97

12. LOKI97

DESIGNER: Lawrie Brown, Josef Pieprzyk & Jennifer Seberry YEAR: 1990 as LOKI89, updated in 1991 (LOKI91) and 1997 (LOKI97) BLOCK LENGTH: 128 bits KEY LENGTH: 128, 192 & 256 bits

12.1 INTRODUCTION: The original algorithm was submitted to RIPE for evaluation but was not selected; various attacks and weaknesses were exposed, which led to its revision. LOKI97 is similar to DES in that it uses 16 rounds of a Feistel network, but differs in its choice of S-boxes, permutations and expansions. The key schedule uses 48 rounds of an unbalanced Feistel network operating on four 64-bit words. The rounds use a function f built as an S-P network. The permutations are designed to "mix" the outputs of the S-boxes as quickly as possible, promoting the avalanche and completeness properties essential for a good Feistel cipher; unlike their equivalents in DES, they are intended to be as clean and simple as possible, aiding analysis of the design. In LOKI91 the initial and final operations were removed, the S-boxes were replaced and the key schedule was altered. LOKI97, the final design, was published in 1998 by Lawrie Brown and Josef Pieprzyk and was submitted to NIST as a candidate for the AES.

12.2 ALGORITHM:

The data computation is initialized by dividing the 128-bit plaintext input [L|R] into two 64-bit words,

$L_0 = L$, $R_0 = R$.

These are then processed through 16 rounds (i = 1, ..., 16) of a balanced Feistel network:

$R_i = L_{i-1} \oplus f(R_{i-1} + SK_{3i-2},\; SK_{3i-1})$

$L_i = R_{i-1} + SK_{3i-2} + SK_{3i}$

Each round uses XOR (addition modulo 2) and integer addition + (modulo 2^64) of 64-bit values, along with the output of the complex non-linear function f(A, B), which provides maximal avalanche between all its input bits.

Decryption splits the ciphertext into two 64-bit words [L16|R16] and then runs the rounds in reverse, i.e. for i = 16 down to 1:

$L_{i-1} = R_i \oplus f(L_i - SK_{3i},\; SK_{3i-1})$

$R_{i-1} = L_i - SK_{3i} - SK_{3i-2}$


The diagram given next depicts the rounds involved,

Figure 12.1 Schematic of rounds of LOKI97

The key schedule is initialised, depending on the size of the key supplied, into four 64-bit words $[K4_0 | K3_0 | K2_0 | K1_0]$ as follows:

Given a 256-bit key [ka|kb|kc|kd], let $[K4_0 | K3_0 | K2_0 | K1_0] = [ka|kb|kc|kd]$;
Given a 192-bit key [ka|kb|kc], let $[K4_0 | K3_0 | K2_0 | K1_0] = [ka|kb|kc|f(ka, kb)]$;
Given a 128-bit key [ka|kb], let $[K4_0 | K3_0 | K2_0 | K1_0] = [ka|kb|f(kb, ka)|f(ka, kb)]$.

This is followed by the 48 rounds,


The integer addition (modulo 2^64) in K1 + K3 + (Delta * i) forms an incompatible group with the XOR used to combine in the previous subkey, just as in the data computation. It includes multiples (mod 2^64) of Delta, a constant derived from the golden ratio: the integer part of (sqrt(5) - 1) * 2^63, i.e. the fractional part of the golden ratio scaled to 64 bits, used to break any symmetry in the key schedule. Decryption is equivalent to encryption with the subkeys used in reverse order and with the (additive) inverses of the SK3i-2 and SK3i subkeys; these must be precomputed in encryption order first.

The non-linear function f(A, B) takes two 64-bit inputs A and B and processes them through two layers of S-boxes of the highest possible non-linearity to produce a 64-bit output. Two permutations ensure maximal avalanche between all bits of the function. It is specified as

$f(A, B) = Sb\big(P(Sa(E(KP(A, B)))),\; B\big)$

The function is depicted in the diagram below,

Figure 12.2 Schematic of function used in LOKI97

KP(A, B) is a very simple keyed permutation: it splits its 64-bit input A into two 32-bit words and uses the lower (rightmost) 32 bits of B to decide whether to exchange corresponding pairs of bits in these words (if the key bit is 1) or not (if it is 0). With A = [Al|Ar] and SKr the lower 32 bits of B, it may be computed as

KP([Al|Ar], SKr) = [((Al & ~SKr) | (Ar & SKr)) | ((Ar & ~SKr) | (Al & SKr))]

E() is an expansion function that selects overlapping groups of 13 bits (for S1) or 11 bits (for S2), so that some bits influence two S-boxes simultaneously; together with the preceding addition this means every bit has some influence on multiple S-boxes. E creates a 96-bit output from the 64 input bits as follows:

[4-0, 63-56 | 58-48 | 52-40 | 42-32 | 34-24 | 28-16 | 18-8 | 12-0]

Sa() and Sb() are two columns of S-boxes composed by concatenating boxes S1 and S2, with Sa() = [S1, S2, S1, S2, S2, S1, S2, S1] and Sb() = [S2, S2, S1, S1, S2, S2, S1, S1]. In Sa() the inputs are data plus key from the output of E, whilst in Sb() the upper bits of each input are pure key bits (from the lower, rightmost 32 bits of B).

P() is the permutation that diffuses the S-box outputs across the full 64-bit width, using a regular, Latin-square pattern; its mapping of input bits [63-0] to output bits is given by a fixed table.

The S-boxes chosen for LOKI97 use cubing in a Galois field GF(2^n) with n odd, which has some highly desirable properties. To use odd-sized inputs, S1 takes 13 input bits and S2 takes 11; they are alternated as specified above so that together they cover an even-sized input block. The input value is inverted (so that an input of 0 or 1 does not give an output of 0 or 1), and the output is masked to the lower 8 bits only. The S-box functions are

S1[x] = ((x ⊕ 0x1FFF)^3 mod 0x2911) & 0xFF, computed in GF(2^13)

S2[x] = ((x ⊕ 0x7FF)^3 mod 0xAA7) & 0xFF, computed in GF(2^11)
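As an added example (not code from the report or from the LOKI97 reference implementation), the two S-boxes generated from the formulas above, with the GF(2^n) arithmetic written out: cubing is a carry-less multiplication reduced modulo the given polynomial (0x2911 for GF(2^13), 0xAA7 for GF(2^11)), the input is inverted by XOR with the all-ones mask, and the result is masked to 8 bits. The two checks at the end show what the odd choice of n buys: x -> x^3 is a permutation of GF(2^n) whenever gcd(3, 2^n - 1) = 1, which holds for odd n, and projecting a permutation of the field onto its low 8 bits gives a balanced S-box.

```python
"""Added example: generating the LOKI97 S-boxes S1 and S2 from their definition."""


def gf_mul(a: int, b: int, poly: int, n: int) -> int:
    """Carry-less multiply a*b, reduced modulo the degree-n polynomial poly."""
    result = 0
    high = 1 << n
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & high:          # degree reached n: reduce by the field polynomial
            a ^= poly
    return result


def gf_cube(x: int, poly: int, n: int) -> int:
    return gf_mul(gf_mul(x, x, poly, n), x, poly, n)


def loki97_sbox(n: int, poly: int) -> list:
    """S[x] = ((x XOR mask)^3 mod poly) & 0xFF for every n-bit input x."""
    mask = (1 << n) - 1
    return [gf_cube(x ^ mask, poly, n) & 0xFF for x in range(1 << n)]


S1 = loki97_sbox(13, 0x2911)   # 8192 entries, 13-bit input, 8-bit output
S2 = loki97_sbox(11, 0xAA7)    # 2048 entries, 11-bit input, 8-bit output


def cube_is_bijection(n: int, poly: int) -> bool:
    """Does x -> x^3 permute GF(2^n)? True for odd n, since gcd(3, 2^n - 1) = 1."""
    return len({gf_cube(x, poly, n) for x in range(1 << n)}) == 1 << n


def output_is_balanced(sbox: list) -> bool:
    """Every 8-bit output value appears equally often.

    This follows from cubing (after the input inversion) being a permutation
    of the n-bit field and the 8-bit mask being a projection of it.
    """
    counts = {}
    for v in sbox:
        counts[v] = counts.get(v, 0) + 1
    return len(counts) == 256 and len(set(counts.values())) == 1
```

The same gf_mul works for both fields because the polynomial is passed in; the field degree n only decides when a partial product must be reduced. Tabulating the boxes once at start-up, as above, is how an implementation avoids the GF arithmetic on the data path.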

12.3 SECURITY: Although the designers avoided simple functions and took care over the key schedule, successful attacks on LOKI97 have been published: Knudsen and Rijmen devised differential and linear attacks that render it weak. The advantages LOKI97 offers are computational efficiency and the ability to work in any block mode. Its generated S-boxes also offer advantages over tabulated ones, and the S-box design and key schedule can be reused in other algorithms.


SERPENT

13. SERPENT

DESIGNER: Ross Anderson, Eli Biham, Lars Knudsen KEY-SIZE: 128, 192 or 256 bits (any shorter key is padded to 256 bits) BLOCK-SIZE: 128 bits

13.1 INTRODUCTION: SERPENT uses S-boxes similar to those of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation and easier analysis. A key feature is that it is as fast as DES. The algorithm was first presented at the fifth International Workshop on Fast Software Encryption as SERPENT 0; after modification of the S-boxes and key schedule the final version, SERPENT 1, was released. Version 0 used S-boxes taken from DES and was as fast as DES while being intended to be as secure as Triple DES. Bitslicing was originally introduced as a way of implementing DES in parallel in software; here it is built into the design to increase efficiency. This algorithm was one of the major candidates for the AES.

13.2 ALGORITHM:

Serpent is a 32-round SP-network operating on four 32-bit words, giving a block size of 128 bits. All values used in the cipher are represented as bit streams; bits are numbered 0 to 127 in a 128-bit block, 0 to 255 in a 256-bit key, and so on. For internal computation all values are little-endian: the first word (word 0) is the least significant word, the last word is the most significant, and bit 0 is the least significant bit of word 0. Externally, each block is written as a plain 128-bit hex number. User keys shorter than 256 bits are padded to 256 bits by appending a single 1 bit followed by zeros at the MSB end. SERPENT encrypts a 128-bit plaintext P to a 128-bit ciphertext C in 32 rounds under the control of 33 128-bit subkeys $\hat K_0, \ldots, \hat K_{32}$. The cipher consists of the following steps:

$\hat B_0 = IP(P)$

$\hat B_{i+1} = R_i(\hat B_i)$

$C = FP(\hat B_{32})$

where

$R_i(X) = L\big(S_i(X \oplus \hat K_i)\big)$ for $i = 0, \ldots, 30$

$R_{31}(X) = S_{31}(X \oplus \hat K_{31}) \oplus \hat K_{32}$

Here i is the round number, $S_i$ is the S-box used in round i (S-box number i mod 8), and L is the linear transformation.

IP and FP are present only to make the process computationally efficient; the final permutation is the inverse of the initial permutation, as in DES. Only 8 S-boxes are defined and they are used in turn, each four times. Though the rounds appear individually weaker than those of DES, they are stronger by a factor of more than 2.5 in terms of characteristic probability, for example for the best 6-round characteristic.


The S-boxes of SERPENT are 4-bit permutations with the following properties:

• each differential characteristic has a probability of at most 1/4, and a one-bit input difference never leads to a one-bit output difference;
• each linear characteristic has a probability in the range 1/2 ± 1/4, and a linear relation between a single input bit and a single output bit has a probability in the range 1/2 ± 1/8;
• the non-linear order of the output bits as a function of the input bits is the maximum, namely 3.

The S-box generation is inspired by RC4. A matrix of 32 arrays, each with 16 entries, is initialised with the 32 rows of the DES S-boxes and transformed by swapping entries in the r-th array depending on the values in the (r+1)-st array and on an initial string acting as a key. If the resulting array has the desired differential and linear properties, it is taken as a SERPENT S-box. The procedure is repeated until 8 S-boxes have been generated.

Decryption differs from encryption in that the inverse S-boxes are used in reverse order, together with the inverse linear transformation and the subkeys in reverse order.

13.2.1 BITSLICE MIXING IMPLEMENTATION:

The cipher consists simply of 32 rounds. The plaintext becomes the first intermediate data $B_0 = P$, after which the 32 rounds are applied, where each round $i \in \{0, \ldots, 31\}$ consists of three operations:

• Key mixing: a 128-bit subkey $K_i$ is XORed with the current intermediate data $B_i$.
• S-boxes: the 128-bit result is considered as four 32-bit words. The S-box, implemented as a sequence of logical operations (as it would be in hardware), is applied to these four words and yields four output words. The CPU thus executes 32 copies of the S-box simultaneously, giving $S_i(B_i \oplus K_i)$.
• Linear transformation: the 32 bits in each of the output words are mixed linearly by

$X_0, X_1, X_2, X_3 \leftarrow S_i(B_i \oplus K_i)$

$X_0 \leftarrow X_0 \lll 13$

$X_2 \leftarrow X_2 \lll 3$

$X_1 \leftarrow X_1 \oplus X_0 \oplus X_2$

$X_3 \leftarrow X_3 \oplus X_2 \oplus (X_0 \ll 3)$

$X_1 \leftarrow X_1 \lll 1$

$X_3 \leftarrow X_3 \lll 7$

$X_0 \leftarrow X_0 \oplus X_1 \oplus X_3$

$X_2 \leftarrow X_2 \oplus X_3 \oplus (X_1 \ll 7)$

$X_0 \leftarrow X_0 \lll 5$

$X_2 \leftarrow X_2 \lll 22$

$B_{i+1} \leftarrow X_0, X_1, X_2, X_3$

Here $\lll$ denotes rotation and $\ll$ denotes shift. In the last round the linear transformation is replaced by $B_{32} = S_7(B_{31} \oplus K_{31}) \oplus K_{32}$, and at each stage $\hat B_i = IP(B_i)$ and $\hat K_i = IP(K_i)$. The chosen linear transformation increases the avalanche effect and can be executed with minimal pipeline stalls on modern processors.
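As an added example (not code from the report or from the Serpent reference implementation), the linear transformation L listed above on four 32-bit words, its inverse, and a quick diffusion measurement. The inverse is obtained here by running the ten steps backwards (every step is either a rotation or an XOR of values still available), which is exactly what a Serpent decryption needs; the diffusion figures show how far a single-bit difference spreads through one application of L, which is what the text means by "increases the avalanche effect". Word order is (X0, X1, X2, X3) with X0 least significant, as in the text.

```python
"""Added example: SERPENT's linear transformation L, its inverse, and diffusion."""

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def shl(x: int, n: int) -> int:
    return (x << n) & MASK32


def linear_transform(x0: int, x1: int, x2: int, x3: int) -> tuple:
    """L as listed in the text, step for step."""
    x0 = rotl(x0, 13)
    x2 = rotl(x2, 3)
    x1 = x1 ^ x0 ^ x2
    x3 = x3 ^ x2 ^ shl(x0, 3)
    x1 = rotl(x1, 1)
    x3 = rotl(x3, 7)
    x0 = x0 ^ x1 ^ x3
    x2 = x2 ^ x3 ^ shl(x1, 7)
    x0 = rotl(x0, 5)
    x2 = rotl(x2, 22)
    return x0, x1, x2, x3


def inverse_linear_transform(x0: int, x1: int, x2: int, x3: int) -> tuple:
    """Undo the steps of L in reverse order (used by Serpent decryption)."""
    x2 = rotr(x2, 22)
    x0 = rotr(x0, 5)
    x2 = x2 ^ x3 ^ shl(x1, 7)
    x0 = x0 ^ x1 ^ x3
    x3 = rotr(x3, 7)
    x1 = rotr(x1, 1)
    x3 = x3 ^ x2 ^ shl(x0, 3)
    x1 = x1 ^ x0 ^ x2
    x2 = rotr(x2, 3)
    x0 = rotr(x0, 13)
    return x0, x1, x2, x3


def bits_affected(word_index: int, bit: int) -> int:
    """How many of the 128 output bits flip when one input bit flips.

    L is linear over XOR, so the output difference caused by an input
    difference d is just L(d): one call on the difference suffices.
    """
    diff = [0, 0, 0, 0]
    diff[word_index] = 1 << bit
    return sum(bin(w).count("1") for w in linear_transform(*diff))


def min_single_bit_diffusion() -> int:
    """Smallest number of output bits any single input bit reaches through L."""
    return min(bits_affected(w, b) for w in range(4) for b in range(32))
```

One application of L reaches between 2 and a handful of output bits per input bit; full avalanche comes from alternating L with the S-box layer over many rounds, not from L alone, which is why the last round can drop L in favour of a plain key XOR without loss.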

13.2.2 KEY SCHEDULE:

The user-supplied 256-bit key is expanded to 33 128-bit subkeys $K_0, K_1, \ldots, K_{32}$. The key is written as eight 32-bit words $w_{-8}, \ldots, w_{-1}$, and these are expanded to 132 intermediate words, called prekeys, $w_0, \ldots, w_{131}$ by the affine recurrence

$w_i = (w_{i-8} \oplus w_{i-5} \oplus w_{i-3} \oplus w_{i-1} \oplus \phi \oplus i) \lll 11$

where $\phi$ is the fractional part of the golden ratio $(\sqrt{5} + 1)/2$, i.e. 0x9e3779b9.

The round keys are then calculated from the prekeys using the S-boxes in bitslice mode. Finally the 32-bit values $k_j$ are renumbered as 128-bit subkeys $K_i$, $i \in \{0, \ldots, 32\}$, as follows:

$K_i = \{k_{4i}, k_{4i+1}, k_{4i+2}, k_{4i+3}\}$

13.3 SECURITY: At least 2^256 plaintexts are estimated to be needed for a linear or differential attack on the full cipher, which makes such attacks infeasible. A dictionary attack needs at least 2^128 plaintexts, and a repetition of ciphertext blocks is only expected with appreciable probability after 2^64 blocks. Key-collision attacks for a key length k have complexity 2^{k/2}, but this is a property of any block cipher and not of the design. The algorithm is also designed to resist higher-order and truncated differential attacks, and Davies' and related-key attacks are considered very unlikely to succeed. Timing and electromagnetic leakage attacks are also addressed in the design.

13.4 DISADVANTAGES: Fault-analysis attacks have not been addressed by the design, and an attacker able to induce faults could exploit this.


DEAL

14. DEAL 128-BIT BLOCK CIPHER

DESIGNER: Lars R. Knudsen YEAR: 1998 KEY-SIZE: 128, 192, 256 bit BLOCK-SIZE: 128 bit BASED ON: DES

14.1 INTRODUCTION: DEAL is an r-round Feistel cipher with DES as the round function. The result is a 128-bit block cipher with r·64 bits of round keys, derived from the user-selected key by a key schedule algorithm that accepts keys of three lengths. For the first two key sizes r = 6 is recommended, and for 256-bit keys r = 8. Unlike DES, all key bits input to DEAL are effective and no parity check is done. The matching-ciphertext attack needs about 2^64 ciphertext blocks to succeed. DEAL is as fast as triple DES, in that (with r = 6) it uses six DES encryptions to encrypt two 64-bit plaintext blocks, and it can be implemented using existing DES implementations.

14.2 ALGORITHM:

Let $C = E_B(A)$ denote the encryption of the 64-bit block A with DES under key B, and let $Y = EA_Z(X)$ denote the encryption of the 128-bit block X with DEAL under key Z. The plaintext P is divided into 128-bit blocks $P = P_1, P_2, \ldots, P_n$. The key schedule takes the key K and returns r DES keys $RK_i$, $i = 1, \ldots, r$. Let $X^L$ and $X^R$ denote the left and right halves of X. The ciphertexts are computed as follows:

Set $X_0^L = P_i^L$, $X_0^R = P_i^R$ and compute for $j = 1, \ldots, r$

$X_j^L = E_{RK_j}(X_{j-1}^L) \oplus X_{j-1}^R$

$X_j^R = X_{j-1}^L$

Set $C_i = X_r^L \,\|\, X_r^R$

Consequently one round of DEAL looks like,

Figure 14.1 Schematic of one round of DEAL


To speed up DEAL the initial and final permutations of DES i.e. applied by & IPIP −1 can be omitted.

The key schedule of DEAL takes as input s keys K1, K2…Ks for s = 2, 3, 4 … each Ki of 64-bits and returns r DES keys RKi. Firstly, the s keys are expanded to r keys by repetition and XOR the keys with a new constant for every repetition. Then the expanded list of keys is encrypted using the DES in CBC mode with a fixed key and with the initial value set to zero. The resulting ciphertext blocks form the subkeys RKi. With various block length this key length varies and next it is shown with 192- bit block length i.e. used in DEAL-192,

1 = K KERK 1),(

2 K 2 ⊕= RKKERK 1),(

3 K 3 ⊕= RKKERK 2 ),(

4 K KERK 1 ⊕〉〈⊕= RK3 ),1(

5 K KERK 2 ⊕〉〈⊕= RK4 ),2(

6 K KERK 3 ⊕〉〈⊕= RK5 ),4(

Here, i〉〈 is 64-bit ordinal string indexed from 0 in which the (i – 1)th bit is set and all the others are cleared.

$\langle i \rangle$ is introduced to make sure that no two equal subkeys are generated from a given initial key. The design principles of the key schedule are: first, the subkeys should depend on many master key bits without requiring too much work; second, on input of s 64-bit (master) keys, any s consecutive subkeys should have an entropy of 56·s bits; finally, there should be no obvious related or weak keys, and the complementation property should not hold.

14.3 ALTERNATIVES: Using the MISTY structure instead of the Feistel structure would introduce a higher degree of parallelism at the hardware level. DEAL can also be used in DES-X mode, where an additional key is XORed to the plaintext and to the ciphertext, or one may use DES-X in the round function; both alternatives make the key structure more complex.

14.4 SECURITY: There is an attack on six-round DEAL with independent round keys which requires about 2^121 DES encryptions using about 2^70 chosen plaintexts. This attack is faster than brute force on DEAL-192, while brute force is faster on DEAL-128. DEAL-8 has no attack faster than a meet-in-the-middle exhaustive key search. The matching ciphertext attack needs at least 2^64 ciphertext blocks. Any other form of attack is unrealistic either in terms of memory or in terms of time.

14.5 DISADVANTAGE: Due to its complex key structure, it cannot be used in hash functions.


15. MARS

DESIGNER: IBM Corporation; Carolynn Burwick, Don Coppersmith, Edward D’Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O’Connor, Mohammad Peyravian, David Safford, and Nevenko Zunic. YEAR: 1999 BLOCK SIZE: 128 bits KEY SIZE: Variable (200 - 400 bits)

15.1 INTRODUCTION: IBM expected it to be immune to all types of attack, stronger than TDES, and computationally very efficient. MARS works with 32-bit words and utilizes Type-3 Feistel Network. MARS uses various operations, which have their advantages and disadvantages. IBM argues that the disadvantages of one operation are solved by other operations.

MARS takes as input (and produces as output) four 32-bit data words. The cipher itself is word oriented, in that all the internal operations are performed on 32-bit words, and hence the internal structure is endian-neutral. When the input (or output) of the cipher is a byte stream, little endian byte ordering is used to interpret each four bytes as one 32-bit word. A high-level structure is depicted in the diagram given next,

Figure 15.1 High-level structure of MARS


The cipher consists of a “cryptographic core” of keyed transformation, which is wrapped with two layers providing rapid key avalanche. The first phase provides rapid mixing and key avalanche, to frustrate chosen-plaintext attacks and to make it harder to “strip out” rounds of the cryptographic core in linear and differential attacks. It consists of addition of key words to the data words, followed by eight rounds of S-box based, unkeyed type-3 Feistel mixing (in “forward mode”). The second phase is the “cryptographic core” of the cipher, consisting of sixteen rounds of keyed type-3 Feistel transformation. To ensure that encryption and decryption have the same strength, the first eight rounds are performed in “forward mode” while the last eight rounds are performed in “backwards mode.” The last phase again provides rapid mixing and key avalanche, this time to protect against chosen-ciphertext attacks. This phase is essentially the inverse of the first phase, consisting of eight rounds of the same type-3 Feistel mixing as in the first phase (except in “backwards mode”), followed by subtraction of key words from the data words.

In the algorithm, D[] is an array of four 32-bit data words. Initially D contains the plaintext words, and at the end of the encryption process it contains the ciphertext words. K[] is the expanded key array, consisting of forty 32-bit words. S[] is an S-box consisting of 512 32-bit words. The first 256 entries in S are denoted by S0 and the last 256 entries by S1.

15.2 ALGORITHM:

In the first phase a key word is added to each data word, and then eight rounds of unkeyed type-3 Feistel mixing is performed, combined with some additional mixing operations. In each round, one data word (called the source word) is used to modify the other three data words (called the target words). The four bytes of the source word are viewed as indices into two S-boxes, S0 and S1, each consisting of 256 32-bit words, and XOR or add is used on corresponding S-box entries and the other three data words.

Denoting the four bytes of the source word by b0, b1, b2, b3 (where b0 is the lowest byte), b0 and b2 are used as indices into the S-box S0 and b1 and b3 as indices into the S-box S1. First, S0[b0] is XORed into the first target word, and then S1[b1] is added to the same word. S0[b2] is added to the second target word and S1[b3] is XORed into the third target word. Finally, the source word is rotated by 24 positions to the right.

For the next rounds the four words are rotated, so that the current first target word becomes the next source word, the current second target word becomes the next first target word, the current third target word becomes the next second target word, and the current source word becomes the next third target word.

In addition, after each of four specific rounds one of the target words is added back into the source word. Specifically, after the first and fifth rounds the third target word is added back into the source word, and after the second and sixth rounds the first target word is added back into the source word. The reasons for these extra mixing operations are to eliminate some easy differential attacks against the mixing phase, to break the symmetry in the mixing phase and to get faster avalanche. The forward mixing phase is depicted in the figure given next,


Figure 15.2 Forward mixing phase of MARS

The “cryptographic core” of the MARS cipher is a type-3 Feistel network, consisting of sixteen rounds. In each round, a keyed E-function (E for expansion) which is based on a novel combination of multiplication, data-dependent rotations, and an S-box lookup is used. This function takes as input one data word and returns three data words as output. In each round one data word is used as the input to the E-function, and the three output words from the E-function are added or XORed to the other three data words. In addition, the source word is rotated by 13 positions to the left.

To ensure that the cipher has the same resistance to chosen ciphertext attacks as it has for chosen plaintext attacks, the three outputs from the E-function are used in a different order in the first eight rounds than in the last eight rounds. Namely, in the first eight rounds, the first and second outputs of the E-function are added to the first and second target words, respectively, and the third output is XORed into the third target word. In the last eight rounds, the first and second outputs of the E-function are added to the third and second target words, respectively, and the third output is XORed into the first target word. The diagram given next depicts the Feistel Type-3 Network used in the main keyed transformation,


Figure 15.3 Type-III Feistel used in key transformation

The next diagram depicts the E-function,

Figure 15.4 E-function of MARS


The E-function takes as input one data word and uses two more key words to produce three output words. In this function, three temporary variables are used, denoted by L, M, and R (for left, middle, and right). These are also referred to as the three “lines” in the function.

Initially, R is set to hold the value of the source word rotated by 13 positions to the left, and M is set to hold the sum of the source word and the first key word. The lowest nine bits of M are viewed as an index to a 512-entry S-box S (which is obtained by concatenating S0 and S1 from the mixing phase), and L is set to hold the value of the corresponding S-box entry.

Then R is multiplied by the second key word (which is constrained to be an odd integer) and rotated by five positions to the left. Then R is XORed into L, the five lowest bits of R are viewed as a rotation amount between 0 and 31, and M is rotated to the left by this amount. Next, R is rotated by five more positions to the left and XORed into L. Finally, the five lowest bits of R are again viewed as a rotation amount and L is rotated to the left by this amount. The first output word of the E-function is L, the second is M, and the third is R.
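The E-function and the sixteen keyed type-3 Feistel rounds described above, as an added illustration that is not IBM's code: the S-box S and the forty expanded key words K[] are constructed placeholders standing in for the real MARS tables (the genuine S-box and key expansion are not reproduced here), and core_decrypt() shows that the core inverts exactly even though the E-function itself need not be invertible, because each round's E-function input can be recovered from the rotated source word.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    """Rotate a 32-bit word left by n (n taken mod 32)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return rotl(x, 32 - (n & 31))

# Constructed stand-in for the 512-entry S-box S = S0 || S1 (not the genuine MARS table).
S = [(i * 0x9E3779B9) & MASK for i in range(512)]

# Constructed stand-in for the expanded key K[0..39]; every word used as a multiplier
# (K[2i+5], odd index) is forced odd, as the core requires.
K = [((0x01234567 * (i + 1)) & MASK) | (i & 1) for i in range(40)]

def e_function(src, k1, k2):
    """E-function: one source word and two key words in, (L, M, R) out."""
    if not k2 & 1:
        raise ValueError("multiplicative key word must be odd")
    m = (src + k1) & MASK                      # M = source + first key word
    r = rotl((rotl(src, 13) * k2) & MASK, 5)   # R = ((source <<< 13) * k2) <<< 5
    l = S[m & 0x1FF]                           # L = S[lowest nine bits of M]
    m = rotl(m, r & 31)                        # data-dependent rotation of M
    l ^= r
    r = rotl(r, 5)
    l ^= r
    l = rotl(l, r & 31)                        # data-dependent rotation of L
    return l, m, r

def core_encrypt(d):
    """Sixteen keyed type-3 Feistel rounds on the four data words d[0..3]."""
    d = list(d)
    for i in range(16):
        out1, out2, out3 = e_function(d[0], K[2 * i + 4], K[2 * i + 5])
        d[0] = rotl(d[0], 13)                  # source word rotated left by 13
        d[2] = (d[2] + out2) & MASK            # second target always receives out2
        if i < 8:                              # forward mode
            d[1] = (d[1] + out1) & MASK
            d[3] ^= out3
        else:                                  # backwards mode: out1/out3 swap targets
            d[3] = (d[3] + out1) & MASK
            d[1] ^= out3
        d = d[1:] + d[:1]                      # first target becomes the next source
    return d

def core_decrypt(d):
    """Inverse of core_encrypt(): undo the rounds in reverse order."""
    d = list(d)
    for i in reversed(range(16)):
        d = d[-1:] + d[:-1]                    # undo the word rotation
        src = rotr(d[0], 13)                   # recover the round's E-function input
        out1, out2, out3 = e_function(src, K[2 * i + 4], K[2 * i + 5])
        d[0] = src
        d[2] = (d[2] - out2) & MASK
        if i < 8:
            d[1] = (d[1] - out1) & MASK
            d[3] ^= out3
        else:
            d[3] = (d[3] - out1) & MASK
            d[1] ^= out3
    return d
```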

The backwards mixing phase is the same as the decryption of the forward mixing phase, except that the data words are processed in different order. Namely, the output from the forward unkeyed mixing is fed into the input of the backwards unkeyed mixing in reverse order and then these two phases cancel each other.

As in the forward mixing, here too in each round one source word is used to modify the other three target words. Denoting the four bytes of the source word by b0, b1, b2, b3 as before, b0 and b2 are used as indices into the S-box S0 and b1 and b3 as indices into the S-box S1. S1[b0] is XORed into the first target word, S0[b3] is subtracted from the second target word, S1[b2] is subtracted from the third target word and then S0[b1] is XORed into the third target word. Finally, the source word is rotated by 24 positions to the left.

For the next rounds, the four words are rotated, so that the current first target word becomes the next source word, the current second target word becomes the next first target word, the current third target word becomes the next second target word, and the current source word becomes the next third target word.

In addition, before each of four specific rounds one of the target words is subtracted from the source word: before the fourth and eighth rounds, the first target word is subtracted from the source word, and before the third and seventh round, the third target word is subtracted from the source word.

The backwards mixing phase is depicted in figure given next,


Figure 15.5 Backward mixing phase of MARS

The decryption process is the inverse of the encryption process.

In the design of the S-box S, the entries of S are generated in a “pseudorandom fashion” and tested so that the resulting S-box has good differential and linear properties.

The pseudo code for the key expansion routine that MARS uses is given next,


The S-Box used by MARS is given next,


15.3 SECURITY: The algorithm is secure against most attacks and provides a number of flexibilities, but its complex implementation leaves it susceptible to design faults. MARS utilizes virtually every technique known to the cryptographer in one algorithm. Until now, no successful practical attack has been made on MARS, but a number of papers have been published depicting its weaknesses. MARS offers a unique flexibility for extension, and that leaves the suspicion of design loopholes in the algorithm. Whatever the case, it was judged unfit for the Advanced Encryption Standard.


16. SQUARE

DESIGNER: , Lars Knudsen, BLOCK LENGTH: 128 bits KEY LENGTH: 128 bits

16.1 INTRODUCTION: The algorithm has a reciprocal structure like THREEWAY and SHARK. SQUARE has a modular design and can be extended to higher block lengths. The designers of SQUARE proposed it only for study purposes and were not very sure about its security. SQUARE has served as the starting point for RIJNDAEL, which was later adopted as AES. Square is an iterated block cipher with a block length and a key length of 128 bits each. The round transformation of Square is composed of four distinct transformations. It is however important to note that these four building blocks can be efficiently combined in a single set of table lookups and XOR operations. The basic building blocks of the cipher are five different invertible transformations that operate on a 4 × 4 array of bytes. The element of a state a in row i and column j is denoted $a_{i,j}$. Both indices start from 0.

16.2 ALGORITHM:

SQUARE has a linear transformation θ that operates separately on the four rows of the state:

$b = \theta(a) \Leftrightarrow b_{i,j} = c_j a_{i,0} \oplus c_{j-1} a_{i,1} \oplus c_{j-2} a_{i,2} \oplus c_{j-3} a_{i,3}$

The multiplication is carried out in GF(2^8), and the index of c is taken modulo 4. Since GF(2^8) has characteristic 2, the addition is equivalent to XOR. The rows of the state can be denoted by the polynomials $a_i(x) = a_{i,0} \oplus a_{i,1} x \oplus a_{i,2} x^2 \oplus a_{i,3} x^3$. Using this notation and defining $c(x) = \bigoplus_j c_j x^j$, θ can be described as a polynomial multiplication:

$b = \theta(a) \Leftrightarrow b_i(x) = c(x)\, a_i(x) \bmod (1 \oplus x^4)$ for $0 \le i < 4$

In addition, the inverse $d(x)$ is defined by $d(x)\, c(x) = 1 \pmod{1 \oplus x^4}$.

The nonlinear transformation γ is a byte substitution, identical for all bytes:

$b = \gamma(a) \Leftrightarrow b_{i,j} = S_\gamma(a_{i,j})$

$S_\gamma$ is an invertible 8-bit substitution table or S-box. The inverse of γ consists of applying the inverse substitution $S_\gamma^{-1}$ to all bytes of a state.


A byte permutation π is defined by $b = \pi(a) \Leftrightarrow b_{i,j} = a_{j,i}$, and π is an involution, i.e. $\pi = \pi^{-1}$.

A bitwise round key addition is also defined as $b = \sigma[k^t](a) \Leftrightarrow b = a \oplus k^t$. Here $\sigma[k^t]$ is its own inverse. The round keys $k^t$ are derived from the cipher key K: $k^0$ equals the cipher key K and the other round keys are derived by an invertible affine transformation ψ, $k^t = \psi(k^{t-1})$.

Based on all these transformations the encryption is defined. The building blocks are composed into the round transformation $\rho[k^t] = \sigma[k^t] \circ \pi \circ \gamma \circ \theta$. Square is defined as eight rounds preceded by a key addition $\sigma[k^0]$ and by $\theta^{-1}$. The SQUARE cipher is hence described as

$\mathrm{SQUARE}[k^0, \ldots, k^8] = \rho[k^8] \circ \rho[k^7] \circ \rho[k^6] \circ \rho[k^5] \circ \rho[k^4] \circ \rho[k^3] \circ \rho[k^2] \circ \rho[k^1] \circ \sigma[k^0] \circ \theta^{-1}$

The inverse cipher has the same structure as the cipher, with the exception of the key schedule, and is described as

$\mathrm{SQUARE}^{-1}[k^0, \ldots, k^8] = \theta \circ \sigma[k^0] \circ \rho^{-1}[k^1] \circ \rho^{-1}[k^2] \circ \rho^{-1}[k^3] \circ \rho^{-1}[k^4] \circ \rho^{-1}[k^5] \circ \rho^{-1}[k^6] \circ \rho^{-1}[k^7] \circ \rho^{-1}[k^8]$

with

$\rho^{-1}[k^t] = \theta^{-1} \circ \gamma^{-1} \circ \pi^{-1} \circ \sigma^{-1}[k^t] = \theta^{-1} \circ \gamma^{-1} \circ \pi \circ \sigma[k^t]$

Considering the operations on bits and bytes, γ and π commute, $\gamma \circ \pi = \pi \circ \gamma$ (and hence so do $\gamma^{-1}$ and π), and since $\theta^{-1}(a \oplus k^t) = \theta^{-1}(a) \oplus \theta^{-1}(k^t)$ we have $\theta^{-1} \circ \sigma[k^t] = \sigma[\theta^{-1}(k^t)] \circ \theta^{-1}$. Based on these, a round transformation $\rho'[k^t] = \sigma[k^t] \circ \pi \circ \gamma^{-1} \circ \theta^{-1}$ can be defined, which has the same structure as ρ. Using these algebraic properties we can derive

$\theta \circ \sigma[k^0] \circ \rho^{-1}[k^1] = \rho'[\theta(k^0)] \circ \sigma[\theta(k^1)] \circ \theta$

This equation can be generalized in a straightforward way to include more than one round. Now, with $k'^t = \theta(k^{8-t})$, we have

$\mathrm{SQUARE}^{-1}[k^0, \ldots, k^8] = \rho'[k'^8] \circ \rho'[k'^7] \circ \rho'[k'^6] \circ \rho'[k'^5] \circ \rho'[k'^4] \circ \rho'[k'^3] \circ \rho'[k'^2] \circ \rho'[k'^1] \circ \sigma[k'^0] \circ \theta$

During encryption, the $\theta^{-1}$ before $\sigma[k^0]$ in Square can be incorporated in the first round. As $\rho[k^1] \circ \sigma[k^0] \circ \theta^{-1} = \sigma[k^1] \circ \pi \circ \gamma \circ \sigma[\theta(k^0)]$, the initial $\theta^{-1}$ can be omitted by discarding θ in the first round and applying $\theta(k^0)$ instead of $k^0$. The same is true for the inverse cipher.


16.3 SECURITY: The differential and linear cryptanalysis of the algorithm was done by the designers themselves, and it was found that if the wide trail strategy is used for choosing $S_\gamma$ and c(x), the algorithm is quite secure against these methods of cryptanalysis. The designers found the algorithm susceptible to various types of attacks, mentioned this in their paper, and proposed that commercial use of the algorithm be avoided and that it rather be used for study and for the development of new algorithms. As such, dedicated attacks prove most efficient against the SQUARE cipher.


17. ADVANCED ENCRYPTION STANDARD (RIJNDAEL)

DESIGNER: Joan Daemen & Vincent Rijmen YEAR: 1998, accepted as AES in May 2002 BLOCK SIZE: 128 bits KEY SIZE: 128, 192, & 256 bits

17.1 INTRODUCTION: AES is the standardization of the Rijndael algorithm. Rijndael was one of the candidates for AES and provides more flexibility than AES, but nowadays the names AES and Rijndael are used interchangeably. Rijndael was derived from SQUARE, and its successors include Crypton, Anubis and GRANDCRU. AES treats a byte as the unit to be processed.

AES operates internally on a two-dimensional array of bytes called the State. The State consists of four rows of bytes, each containing Nb bytes, where Nb is the block length divided by 32. In the State array, denoted by the symbol s, each individual byte has two indices: its row number r in the range 0 ≤ r < 4 and its column number c in the range 0 ≤ c < Nb. This allows an individual byte of the State to be referred to as either $s_{r,c}$ or s[r, c]. For this standard Nb = 4, i.e. 0 ≤ c < 4.

The State is also referred to in terms of an array of 32-bit words $w_0, \ldots, w_3$, where $w_0 = s_{0,0}\, s_{1,0}\, s_{2,0}\, s_{3,0}$, $w_2 = s_{0,2}\, s_{1,2}\, s_{2,2}\, s_{3,2}$, and so on.

In the algorithm, addition is carried out modulo two, i.e. it is the XOR operation in computing terms, and multiplication is done in GF(2^8), i.e. multiplication modulo an irreducible polynomial of degree 8. In AES this polynomial is

$m(x) = x^8 + x^4 + x^3 + x + 1$, or {01}{1b} in hexadecimal notation.

The modular reduction by m(x) ensures that the result is a binary polynomial of degree less than 8, and thus can be represented by a byte. The inverse of any non-zero binary polynomial b(x) of degree less than 8 can be found using a variation of the extended Euclidean algorithm. The multiplication of b(x) by x can be reduced, if necessary, by subtracting the polynomial m(x). This can be implemented by a left shift and XOR operations and is denoted by xtime().

Four-term polynomials can be defined with coefficients that are finite field elements, $a(x) = a_3 x^3 + a_2 x^2 + a_1 x + a_0$, denoted in word form as $[a_0, a_1, a_2, a_3]$.

Addition is performed by adding the finite field coefficients of like powers of x. This addition corresponds to an XOR operation between the corresponding bytes in each of the words. To demonstrate multiplication assume another polynomial,


$b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0$. Then the multiplication $c(x) = a(x) \cdot b(x)$ gives

$c_0 = a_0 \cdot b_0$

$c_1 = a_1 \cdot b_0 \oplus a_0 \cdot b_1$

$c_2 = a_2 \cdot b_0 \oplus a_1 \cdot b_1 \oplus a_0 \cdot b_2$

$c_3 = a_3 \cdot b_0 \oplus a_2 \cdot b_1 \oplus a_1 \cdot b_2 \oplus a_0 \cdot b_3$

$c_4 = a_3 \cdot b_1 \oplus a_2 \cdot b_2 \oplus a_1 \cdot b_3$

$c_5 = a_3 \cdot b_2 \oplus a_2 \cdot b_3$

$c_6 = a_3 \cdot b_3$

In next step, c(x) is reduced modulo polynomial of degree four to reduce it to 4-byte word. In case of AES to accomplish this x4+1 is used, so that,

$x^i \bmod (x^4 + 1) = x^{i \bmod 4}$

Hence, the modular product $a \bullet b$ in four terms is defined by $d(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0$ with,

In matrix form, the operation can hence be written as,

To obtain the result as a polynomial that can be inverted AES uses,

The length of the input, output and State blocks is 128 bits, and hence Nb = 4. The length of the Cipher Key, K, is 128, 192, or 256 bits. The key length is represented by Nk = 4, 6, or 8. Nb and Nk reflect the number of 32-bit words in the State or key. The number of rounds to be performed during the execution of the algorithm depends on the key size. The number of rounds is represented by Nr, where Nr = 10 when Nk = 4, Nr = 12 when Nk = 6, and Nr = 14 when Nk = 8. For both its Cipher and Inverse Cipher, the AES algorithm uses a round function that is composed of four different byte-oriented transformations,

• Byte substitution using a substitution table (S-box),

• Shifting rows of the State array by different offsets,


• Mixing the data within each column of the State array, and

• Adding a Round Key to the State

17.2 ALGORITHM:

At the start of the Cipher, the input is copied to the State array. After an initial Round Key addition, the State array is transformed by implementing a round function 10, 12, or 14 times (depending on the key length), with the final round differing slightly from the first Nr -1 rounds. The final State is then copied to the output. The round function is parameterized using a key schedule that consists of a one-dimensional array of four-byte words derived using the Key Expansion routine. The cipher is briefed in the diagram given next, the individual transformations SubBytes(), ShiftRows(), MixColumns(), and AddRoundKey() process the State. The array w[] contains the key schedule in the pseudo code. The final round does not include the MixColumns() transformation.

17.2.1 SubBytes() Transformation: It is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box). The S-box is shown next,


Figure 17.1 S-box used in AES

The S-box is invertible and constructed by two transforms,

• Take the multiplicative inverse in the finite field GF(2^8); the element {00} is mapped to itself.

• Apply the following affine transformation (over GF(2) ),

$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$ for $0 \le i < 8$

Here $b_i$ is the i-th bit of the byte and $c_i$ is the i-th bit of the byte c = {63} = {01100011}.

In matrix form the affine transformation can be represented as,

Using the value x to select the row and y to select the column, the substitution value $S_{x,y}$ that the AES S-box produces for a byte {xy} can be read from the S-box presented earlier.

17.2.2 ShiftRows() Transformation: In this transformation, the bytes in the last three rows of the State are cyclically shifted over different numbers of bytes (offsets). The first row, r = 0, is not shifted. Specifically,

$s'_{r,c} = s_{r,(c + \mathrm{shift}(r, Nb)) \bmod Nb}$ for $0 < r < 4$ and $0 \le c < Nb$, where for Nb = 4, $\mathrm{shift}(r, Nb) = r$


The figure given next demonstrates the effect of this transformation on the state,

Figure 17.2 Effect of transformation on the state

17.2.3 MixColumns() Transformation: This transformation operates on the State column by column, treating each column as a four-term polynomial. The columns are considered as polynomials over GF(2^8) and multiplied modulo $x^4 + 1$ with a fixed polynomial a(x), given by,

$a(x) = \{03\} x^3 + \{01\} x^2 + \{01\} x + \{02\}$

In matrix form, this can be written as,

Because of this multiplication, the four bytes in a column are replaced by the following,

17.2.4 AddRoundKey() Transformation: In this transformation, a Round Key is added to the State by a simple bitwise XOR operation. Each Round Key consists of Nb words from the key schedule. Those Nb words are each added into the columns of the State, such that,

$[s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c}] = [s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}] \oplus [w_{round \cdot Nb + c}]$ for $0 \le c < Nb$


Here $[w_i]$ are the key schedule words, and round is a value in the range 0 ≤ round ≤ Nr. In the Cipher, the initial Round Key addition occurs when round = 0, prior to the first application of the round function. The application of the transformation to the Nr rounds of the Cipher occurs when 1 ≤ round ≤ Nr. The action is illustrated in the diagram given next,

Figure 17.3 Action of AddRoundKey()

17.2.5 Key Expansion: The AES algorithm takes the Cipher Key, K, and performs a Key Expansion routine to generate a key schedule. The Key Expansion generates a total of Nb(Nr + 1) words: the algorithm requires an initial set of Nb words, and each of the Nr rounds requires Nb words of key data. The resulting key schedule consists of a linear array of 4-byte words, denoted $[w_i]$, with i in the range 0 ≤ i < Nb(Nr + 1). The key expansion is shown in the pseudo code given next,


17.2.6 SubWord(): This is a function that takes a four-byte input word and applies the S-box to each of the four bytes to produce an output word. The function RotWord() takes a word [a0,a1,a2,a3] as input, performs a cyclic permutation, and returns the word [a1,a2,a3,a0]. The round constant word array, Rcon[i], contains the values given by $[x^{i-1}, \{00\}, \{00\}, \{00\}]$, with $x^{i-1}$ being powers of x (x is denoted as {02}) in the field GF(2^8). The first Nk words of the expanded key are filled with the Cipher Key. Every following word, w[i], is equal to the XOR of the previous word, w[i-1], and the word Nk positions earlier, w[i-Nk]. For words in positions that are a multiple of Nk, a transformation is applied to w[i-1] prior to the XOR, followed by an XOR with a round constant, Rcon[i]. This transformation consists of a cyclic shift of the bytes in a word (RotWord()), followed by the application of a table lookup to all four bytes of the word (SubWord()). In the case of AES-256, Nk = 8, and if i-4 is a multiple of Nk, SubWord() is applied to w[i-1] prior to the XOR.
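The building blocks of 17.1 to 17.2.6 assembled into a working AES encryption, as an added worked example (not the standard's own pseudocode): the S-box is generated from the multiplicative inverse followed by the affine map with c = {63} rather than tabulated, MixColumns is the multiplication by a(x) modulo x^4 + 1, and the key expansion applies the Nk = 8 SubWord() rule described above. The State is kept as a flat list in column-major order, s[r + 4c] = s[r, c], which is an implementation convention assumed here.

```python
M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, i.e. {01}{1b}

def xtime(b):
    """Multiply b(x) by x: left shift, then subtract (XOR) m(x) if the degree reached 8."""
    b <<= 1
    return b ^ M_X if b & 0x100 else b

def gf_mul(a, b):
    """Product in GF(2^8): shift-and-add, applying xtime() once per bit of b."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def gf_inv(a):
    """Multiplicative inverse as a^254 (the 255 nonzero elements form a cyclic group); {00} -> {00}."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def affine(b):
    """b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i, indices mod 8, c = {63}."""
    out = 0
    for i in range(8):
        bit = (b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
        bit ^= (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8)) ^ (0x63 >> i)
        out |= (bit & 1) << i
    return out

SBOX = [affine(gf_inv(x)) for x in range(256)]  # S-box = affine(inverse(x)), as in 17.2.1

def poly_mul_mod(a, b):
    """Product of two four-term polynomials [a0, a1, a2, a3] over GF(2^8), reduced
    modulo x^4 + 1 using x^i mod (x^4 + 1) = x^(i mod 4)."""
    d = [0, 0, 0, 0]
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gf_mul(a[i], b[j])
    return d

A_X = [0x02, 0x01, 0x01, 0x03]  # a(x) = {03}x^3 + {01}x^2 + {01}x + {02}

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    """Row r is rotated left by shift(r, 4) = r: s'[r, c] = s[r, (c + r) mod 4]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        out += poly_mul_mod(A_X, s[4 * c:4 * c + 4])
    return out

def add_round_key(s, w, rnd):
    """XOR key schedule word w[rnd*Nb + c] into column c (Nb = 4)."""
    return [s[i] ^ w[4 * rnd + i // 4][i % 4] for i in range(16)]

def key_expansion(key):
    """Expand an Nk-word key (Nk = 4, 6 or 8) into Nb*(Nr + 1) words; returns (w, Nr)."""
    nk = len(key) // 4
    nr = nk + 6                              # Nr = 10, 12, 14 for Nk = 4, 6, 8
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                              # Rcon[i] = [x^(i-1), 00, 00, 00], x = {02}
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord() followed by SubWord()
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:               # AES-256 only: SubWord() alone
            t = [SBOX[b] for b in t]
        w.append([t[j] ^ w[i - nk][j] for j in range(4)])
    return w, nr

def encrypt_block(block, key):
    """The Cipher: initial AddRoundKey, Nr - 1 full rounds, and a final round without MixColumns."""
    w, nr = key_expansion(key)
    s = add_round_key(list(block), w, 0)
    for rnd in range(1, nr):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    s = add_round_key(shift_rows(sub_bytes(s)), w, nr)
    return bytes(s)
```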

The Cipher transformations used in encryption can be inverted and then implemented in reverse order to produce a straightforward Inverse Cipher for the AES algorithm. The individual transformations used in the Inverse Cipher, InvShiftRows(), InvSubBytes(), InvMixColumns(), and AddRoundKey(), can easily be implemented in a reverse fashion. The implementation can be achieved by reversing the transformations directly. The pseudo code demonstrating the decryption is given next,

The inverse S-box that the decryption uses is given next,


Figure 17.4 Inverse S-box of AES

Another decryption method, called the equivalent inverse cipher, can also be implemented. This involves changing the key schedule slightly.

17.3 SECURITY: No weak keys have yet been identified for AES, and no restriction exists on key selection other than the length. To date, AES remains the standard for private-key encryption as defined by NIST, and no successful attacks are known. The most discussed attack candidate is XSL, but cryptographers' views on the attack differ. If any other reservations exist, they concern quantum computers, but their advent in the near future is still not confirmed.


18. ANUBIS

DESIGNER: Paulo S. L. M. Barreto & Vincent Rijmen BLOCK LENGTH: 128 bits KEY LENGTH: 32N (N = 4…10)

18.1 INTRODUCTION: The most interesting thing about the cipher is that it is named after the Egyptian god of entombing and embalming, which the designers interpreted to include encryption; they claim that violators of the cipher will be cursed. It was designed as an entrant for the NESSIE cryptographic project. The cipher is a uniform substitution-permutation network whose inverse differs from the forward operation only in the key schedule. The design of both the round transformation and the key schedule is based upon the Wide Trail strategy and permits a wide variety of implementation tradeoffs. Although ANUBIS is not a Feistel cipher, its structure is designed so that, by choosing all round transformation components to be involutions, the inverse cipher differs from the forward cipher only in the key schedule. ANUBIS was designed according to the Wide Trail Strategy, in which the round transformation of a block cipher is composed of different invertible transformations, each with its own functionality and requirements. The linear diffusion layer ensures that after a few rounds all the output bits depend on all the input bits. The nonlinear layer ensures that this dependency is of a complex and nonlinear nature. The round key addition introduces the key material. One of the advantages of the Wide Trail strategy is that the different components can be specified quite independently from one another. The Wide Trail Strategy is used in the design of the key scheduling algorithm as well.

18.2 PRELIMINARIES:

The finite field GF(2^8) is represented as GF(2)[x]/p(x), where $p(x) = x^8 + x^4 + x^3 + x^2 + 1$ is the first primitive polynomial of degree 8. The polynomial p(x) was chosen so that g(x) = x is a generator of GF(2^8). An element $u = u_7 x^7 + u_6 x^6 + u_5 x^5 + u_4 x^4 + u_3 x^3 + u_2 x^2 + u_1 x + u_0$ of GF(2^8), where $u_i \in GF(2)$ for all i = 7, …, 0, is denoted by the numerical value $u_7 2^7 + u_6 2^6 + u_5 2^5 + u_4 2^4 + u_3 2^3 + u_2 2^2 + u_1 2 + u_0$, written in hexadecimal notation.

$\mathcal{M}_{m \times n}[GF(2^8)]$ denotes the set of m × n matrices over GF(2^8).

$\mathrm{vdm}_n(a_0, a_1, \ldots, a_{m-1})$ denotes the m × n Vandermonde matrix whose second column consists of the elements $a_0, a_1, \ldots, a_{m-1}$, i.e.

If m is a power of 2, $\mathrm{had}(a_0, a_1, \ldots, a_{m-1})$ denotes the m × m Hadamard matrix with elements $h_{ij} = a_{i \oplus j}$.


The Hamming distance between two vectors u and v from the n-dimensional vector space $GF(2^p)^n$ is the number of coordinates where u and v differ. The Hamming weight $w_h(a)$ of an element $a \in GF(2^p)^n$ is the Hamming distance between a and the null vector of $GF(2^p)^n$, i.e. the number of nonzero components of a. A linear [n, k, d] code over GF(2^p) is a k-dimensional subspace of the vector space $GF(2^p)^n$, where the Hamming distance between any two distinct subspace vectors is at least d (and d is the largest number with this property). A generator matrix G for a linear [n, k, d] code C is a k × n matrix whose rows form a basis for C. A generator matrix is in echelon or standard form if it has the form $G = [I_{k \times k}\; A_{k \times (n-k)}]$, where $I_{k \times k}$ is the identity matrix of order k. Linear [n, k, d] codes obey the Singleton bound, d ≤ n − k + 1. A code that meets the bound is called a maximal distance separable (MDS) code. A linear [n, k, d] code C with generator matrix $G = [I_{k \times k}\; A_{k \times (n-k)}]$ is MDS if, and only if, every square submatrix formed from rows and columns of A is nonsingular.

A product of m distinct Boolean variables is called an m-th order product of the variables. Every Boolean function $f: GF(2)^n \to GF(2)$ can be written as a sum over GF(2) of distinct m-th order products of its arguments, 0 ≤ m ≤ n; this is called the algebraic normal form of f. The nonlinear order of f, denoted $\nu_f$, is the maximum order of the terms appearing in its algebraic normal form. A linear Boolean function is a Boolean function of nonlinear order 1, i.e. its algebraic normal form only involves isolated arguments. Given α in $GF(2)^n$, denote by $l_\alpha: GF(2)^n \to GF(2)$ the linear Boolean function consisting of the sum of the argument bits selected by the bits of α:

$l_\alpha(x) = \bigoplus_{i=0}^{n-1} \alpha_i \cdot x_i$

A mapping $S: GF(2)^n \to GF(2)^n$, $x \mapsto S[x]$, is called a substitution box, or S-box for short. The nonlinear order of an S-box S, denoted by $\nu_S$, is the minimum nonlinear order over all linear combinations of the components of S,

$\nu_S = \min\{\nu_{l_\alpha \circ S} : \alpha \in GF(2)^n, \alpha \ne 0\}$

The difference table of an S-box is defined as,

$e_S(a, b) = \#\{c \in GF(2)^n \mid S[c \oplus a] \oplus S[c] = b\}$

The delta parameter of an S-box is defined as,

$\delta_S = \frac{1}{e_S(0, 0)} \cdot \max_{a \ne 0,\, b} e_S(a, b)$

The product $\delta_S \cdot e_S(0, 0)$ is called the differential uniformity of S. The correlation c(f, g) between two Boolean functions f and g can be calculated as follows,


The lambda parameter of the S-box is defined as the maximal value for the correlation between linear functions of input bits and linear functions of output bits of S,

The branch number $\mathcal{B}$ of a linear mapping $\theta: GF(2^p)^k \to GF(2^p)^m$ is defined as,

Given a [k + m, k, d] linear code over GF(2^p) with generator matrix $G = [I_{k \times k}\; M_{k \times m}]$, the linear mapping $\theta: GF(2^p)^k \to GF(2^p)^m$ defined by

$\theta(a) = a \cdot M$

has branch number $\mathcal{B}(\theta) = d$; if the code is MDS, such a mapping is called an optimal diffusion mapping.

For a given sequence of mappings $f_m, f_{m+1}, \ldots, f_{n-1}, f_n$ with m ≤ n, the notation $\bigcirc_{r=m}^{n} f_r \equiv f_n \circ f_{n-1} \circ \cdots \circ f_{m+1} \circ f_m$ is used, and $\bigcirc_{r=n}^{m} f_r \equiv f_m \circ f_{m+1} \circ \cdots \circ f_{n-1} \circ f_n$ denotes the composition in the opposite order; if m > n, both expressions stand for the identity mapping.

18.3 ALGORITHM:

The ANUBIS cipher is an iterated ‘involutional’ block cipher that operates on a 128-bit cipher state. It uses a variable-length, 32N-bit cipher key, 4 ≤ N ≤ 10, and consists of a series of applications of a key-dependent round transformation to the cipher state.

The cipher state is internally viewed as a matrix in $\mathcal{M}_{4 \times 4}[GF(2^8)]$, and the cipher key as a matrix in $\mathcal{M}_{4 \times N}[GF(2^8)]$. Therefore, 128-bit data blocks and 32N-bit cipher keys (externally represented as byte arrays) must be mapped to and from the internal matrix format. This is done by the function $\mu: GF(2^8)^{4N} \to \mathcal{M}_{4 \times N}[GF(2^8)]$ and its inverse,

The function $\gamma: \mathcal{M}_{4 \times N}[GF(2^8)] \to \mathcal{M}_{4 \times N}[GF(2^8)]$, 4 ≤ N ≤ 10, consists of the parallel application of a nonlinear substitution box $S: GF(2^8) \to GF(2^8)$, $x \mapsto S[x]$, to all bytes of the argument individually,


The substitution box is pseudo-randomly chosen.

The mapping $\tau: \mathcal{M}_{4 \times 4}[GF(2^8)] \to \mathcal{M}_{4 \times 4}[GF(2^8)]$ simply transposes its argument,

This clearly shows that it is an involution.

The diffusion layer $\theta: \mathcal{M}_{4 \times N}[GF(2^8)] \to \mathcal{M}_{4 \times N}[GF(2^8)]$, 4 ≤ N ≤ 10, is a linear mapping based on the [8, 4, 5] MDS code with generator matrix $G_H = [I\; H]$ where H = had(01, 02, 04, 06), i.e.

So that,

A simple inspection shows that matrix H is symmetric and unitary. Therefore, theta is an involution for N = 4.

The affine key addition σ[k] consists of the bitwise addition (XOR) of a key matrix $k \in M_{N\times 4}[GF(2^8)]$,

This mapping is also used to introduce round constants in the key schedule, and is obviously an involution.

The permutation $\pi: M_{N\times 4}[GF(2^8)] \to M_{N\times 4}[GF(2^8)]$, 4 ≤ N ≤ 10, cyclically shifts each column of its argument independently, so that column j is shifted downwards by j positions,

The key extraction function ω is a linear mapping based on the [N+4, N, 5] MDS code with generator matrix $G_V = [I\; V^t]$ where $V = \mathrm{vdm}_N(01, 02, 06, 08)$, i.e.

So that,


The r-th round constant $c^r$ (r > 0) is a matrix defined as,

The key schedule expands the cipher key K onto a sequence of round keys $K^0, \ldots, K^R$ with $K^r \in M_{4\times 4}[GF(2^8)]$,

where the composite mappings $\psi[c^r] \equiv \sigma[c^r] \circ \theta \circ \pi \circ \gamma$ and $\phi \equiv \tau \circ \omega \circ \gamma$ are called, respectively, the r-th round key evolution function and the key selection function. The initial γ applied to compute $K^0$ plays no cryptographic role and is only kept for simplicity.

ANUBIS is defined for the cipher key $K \in GF(2^8)^{4N}$ as the transformation $\mathrm{ANUBIS}[K]: GF(2^8)^{16} \to GF(2^8)^{16}$ given by,

Where,

The standard number of rounds R is defined as R = 8 + N for 32N-bit keys, 4 ≤ N ≤ 10. The composite mapping,

is called the round function for the r-th round, and the related mapping,

is called the last round function.


The cipher is a true involution, since $\tau \circ \gamma = \gamma \circ \tau$ and $\theta \circ \sigma[K] = \sigma[\theta(K)] \circ \theta$. Another thing that proves the involution is the theorem that if $\bar{K}^0 \equiv K^R$, $\bar{K}^R \equiv K^0$, and $\bar{K}^r \equiv \theta(K^{R-r})$ for $0 < r < R$, then $\alpha[K^0, \ldots, K^R]^{-1} = \alpha[\bar{K}^0, \ldots, \bar{K}^R]$.

From all we have seen we can argue that the ANUBIS cipher has involutional structure, in the sense that the only difference between the cipher and its inverse is in the key schedule.
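The involutional structure just described, as an added example that is not part of the report or of the ANUBIS submission: a toy Python model of the ANUBIS round layers that checks that H = had(01, 02, 04, 06) squares to the identity under the 0x11D polynomial, that weight-2 inputs of θ already reach the branch number 5, that the layer identities used in the proof hold, and that running the same cipher with the transformed keys K̄ of the theorem above undoes encryption. The S-box is a constructed pseudo-random involution and the round keys are constructed test values; both are assumptions, not ANUBIS's own.

```python
import random

POLY = 0x11D  # ANUBIS reduction polynomial x^8 + x^4 + x^3 + x^2 + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo POLY (XOR is the field addition)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

# H = had(01, 02, 04, 06): symmetric, every row a rearrangement of the seed row.
H = [[0x01, 0x02, 0x04, 0x06], [0x02, 0x01, 0x06, 0x04],
     [0x04, 0x06, 0x01, 0x02], [0x06, 0x04, 0x02, 0x01]]
# Multiplication tables for the four constants that occur in H.
MUL = {c: [gf_mul(c, x) for x in range(256)] for c in (1, 2, 4, 6)}

def row_times_h(row):
    """One row of theta: b = a . H over GF(2^8)."""
    return [MUL[H[0][j]][row[0]] ^ MUL[H[1][j]][row[1]]
            ^ MUL[H[2][j]][row[2]] ^ MUL[H[3][j]][row[3]] for j in range(4)]

def min_branch_weight():
    """Minimum of wt(a) + wt(a.H) over all rows a of weight 2, i.e. over every
    2x2 minor of H; for the [8, 4, 5] MDS code the text names this is 5."""
    best = 9
    for i in range(4):
        for k in range(i + 1, 4):
            hi0, hi1, hi2, hi3 = (MUL[c] for c in H[i])
            hk0, hk1, hk2, hk3 = (MUL[c] for c in H[k])
            for x in range(1, 256):
                for y in range(1, 256):  # output byte j is zero iff x*H[i][j] == y*H[k][j]
                    nz = ((hi0[x] != hk0[y]) + (hi1[x] != hk1[y])
                          + (hi2[x] != hk2[y]) + (hi3[x] != hk3[y]))
                    best = min(best, 2 + nz)
    return best

def make_involution(seed=2006):
    """CONSTRUCTED pseudo-random involutory S-box (a stand-in, not the ANUBIS one)."""
    rng = random.Random(seed)
    perm = list(range(256))
    rng.shuffle(perm)
    s = [0] * 256
    for p, q in zip(perm[0::2], perm[1::2]):  # pair elements up so that S[S[x]] == x
        s[p], s[q] = q, p
    return s

SBOX = make_involution()

def gamma(a):  # nonlinear layer: S-box on every byte of the 4x4 state
    return [[SBOX[v] for v in row] for row in a]

def tau(a):  # transposition
    return [list(col) for col in zip(*a)]

def theta(a):  # diffusion layer: every row multiplied by H
    return [row_times_h(row) for row in a]

def sigma(k, a):  # key addition: bytewise XOR with a key matrix
    return [[x ^ y for x, y in zip(ra, rk)] for ra, rk in zip(a, k)]

def rho(k, a):  # round function rho[K] = sigma[K] o theta o tau o gamma
    return sigma(k, theta(tau(gamma(a))))

def rho_last(k, a):  # last round function: theta is omitted
    return sigma(k, tau(gamma(a)))

def alpha(keys, a):
    """alpha[K^0, ..., K^R]: key whitening, R-1 full rounds, then the last round."""
    a = sigma(keys[0], a)
    for k in keys[1:-1]:
        a = rho(k, a)
    return rho_last(keys[-1], a)

def inverse_keys(keys):
    """Key transform from the theorem: K'^0 = K^R, K'^R = K^0, K'^r = theta(K^(R-r))."""
    R = len(keys) - 1
    return [keys[R]] + [theta(keys[R - r]) for r in range(1, R)] + [keys[0]]

def rand_matrix(rng):  # constructed 4x4 byte matrix (state or round key)
    return [[rng.randrange(256) for _ in range(4)] for _ in range(4)]

def layer_identities(seed=1):
    """theta o theta = id, tau o gamma = gamma o tau, theta o sigma[K] = sigma[theta(K)] o theta."""
    rng = random.Random(seed)
    a, k = rand_matrix(rng), rand_matrix(rng)
    return (theta(theta(a)) == a and tau(gamma(a)) == gamma(tau(a))
            and theta(sigma(k, a)) == sigma(theta(k), theta(a)))

def demo(rounds=12, seed=7):
    """Encrypt with alpha[K], then run the SAME cipher with the transformed keys."""
    rng = random.Random(seed)
    keys = [rand_matrix(rng) for _ in range(rounds + 1)]
    plain = rand_matrix(rng)
    cipher = alpha(keys, plain)
    return plain, cipher, alpha(inverse_keys(keys), cipher)
```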

18.4 SECURITY: The algorithm is weak neither in terms of block or key length nor in terms of K-security. The cipher is also hermetically secure. Differential and linear cryptanalysis leave no room for attack. In all, this appears to be the most secure algorithm. The only weakness that may be exploited in the future (considering its recent advent) is its design complexity, which might have left some security loopholes. ANUBIS is expected, for all key lengths defined, to behave as well as can be expected from a block cipher with the given block and key lengths (in the sense of being K-secure and hermetic). This implies, among other things, the following,

• The most efficient key-recovery attack for ANUBIS is exhaustive key search.
• Obtaining information from given plaintext-ciphertext pairs about other plaintext-ciphertext pairs cannot be done more efficiently than by determining the key by exhaustive key search.
• The expected effort of exhaustive key search depends on the bit length of the cipher key and is $2^{m-1}$ applications of ANUBIS for m-bit keys.

18.5 COMPARISON BETWEEN AES & ANUBIS:

| | RIJNDAEL | ANUBIS |
|---|---|---|
| Block size (bits) | 128, 192, or 256 | always 128 |
| Key size (bits) | 128, 192, or 256 | 128, 160, 192, 224, 256, 288, or 320 |
| Number of rounds | 10, 12, or 14 | 12, 13, 14, 15, 16, 17, or 18 |
| Key schedule | dedicated a priori algorithm | key evolution (variant of the round function), plus key selection (projection) |
| GF(2^8) reduction polynomial | x^8 + x^4 + x^3 + x + 1 (0x11B) | x^8 + x^4 + x^3 + x^2 + 1 (0x11D) |
| Origin of the S-box | mapping u -> u^{-1} over GF(2^8), plus affine transform | pseudo-random involution |
| Origin of the round constants | polynomials x^i over GF(2^8) | successive entries of the S-box |

Table 18.1 Comparison of AES and ANUBIS


19. CELLULAR MESSAGE ENCRYPTION ALGORITHM

DESIGNER: Telecommunication Industry Association (TIA)
YEAR: 1992
BLOCK LENGTH: Variable
KEY LENGTH: 64 bits

19.1 INTRODUCTION: CMEA is a byte-oriented encryption algorithm used to encrypt digital cellular phone data; specifically, it is used to encrypt the control channel of cellular phones. It is distinct from ORYX, a stream cipher (also insecure) that is used to encrypt data transmitted over digital cellular phones. The standard was designed to fit into tomorrow's digital cellular systems [TIA92] and has since been updated in TIA95. It is still the most widely used encryption method in the cellular industry. Note that CMEA is not used to protect voice communications. Instead, it is intended to protect sensitive control data, such as the digits dialed by the cellphone user. Consequently, compromise of the control channel contents could expose any confidential data the user types on the keypad: calling card PIN numbers may be an especially widespread concern, and credit card numbers, bank account numbers, and voicemail PIN numbers are also at risk. CMEA is quite simple, and appears to be optimized for 8-bit microprocessors with severe resource limitations.

19.2 ALGORITHM:

CMEA consists of three layers. The first layer performs one non-linear pass on the block; this effects left-to-right diffusion. The second layer is a purely linear, unkeyed operation intended to make changes propagate in the opposite direction. One can think of the second step as XORing the right half of the block onto the left half. The third layer performs a final nonlinear pass on the block from left to right; in fact, it is the inverse of the first layer.

CMEA obtains the non-linearity in the first and third layers from an 8-bit keyed lookup table known as the T-box. The T-box calculates its 8-bit output as,

$T(x) = C(((C(((C(((C((x \oplus K_0) + K_1) + x) \oplus K_2) + K_3) + x) \oplus K_4) + K_5) + x) \oplus K_6) + K_7) + x$

Here x is the 8-bit input and $K_0, \ldots, K_7$ are the eight bytes of the 64-bit key. In this equation, C is an unkeyed 8-bit lookup table known as the CaveTable; all operations are performed using 8-bit arithmetic. The algorithm encrypts an n-byte message $P_0, \ldots, P_{n-1}$ to a ciphertext $C_0, \ldots, C_{n-1}$ under the key $K_0, \ldots, K_7$ as follows,

$y_0 \leftarrow 0$
for $i \leftarrow 0, \ldots, n-1$:
    $P'_i \leftarrow P_i + T(y_i \oplus i)$
    $y_{i+1} \leftarrow y_i + P'_i$
for $i \leftarrow 0, \ldots, \lfloor n/2 \rfloor - 1$:
    $P''_i \leftarrow P'_i \oplus (P'_{n-1-i} \vee 1)$
(for $i \ge \lfloor n/2 \rfloor$, $P''_i \leftarrow P'_i$)
$z_0 \leftarrow 0$
for $i \leftarrow 0, \ldots, n-1$:
    $z_{i+1} \leftarrow z_i + P''_i$
    $C_i \leftarrow P''_i - T(z_i \oplus i)$

Here all operations are byte-wide arithmetic: + and − are addition and subtraction modulo 256, ⊕ stands for logical bitwise exclusive or, and ∨ represents a logical bitwise or.

The CaveTable is given next,

CMEA generally operates in ECB mode and cannot be used in block chaining mode.
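The three layers above, as an added example that is not from the report or the TIA specification: a Python model of one CMEA block operation using a constructed stand-in for the CaveTable (the real 256-byte table is not reproduced here) and a constructed 8-byte key, showing that the third layer undoes the first, that the middle layer is its own inverse, and hence that the whole block operation is an involution (decryption is the same computation as encryption).

```python
import random


def make_cave_table(seed=1992):
    """CONSTRUCTED 256-entry byte table standing in for the real CaveTable."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(256)]


CAVE = make_cave_table()
KEY = [0x3A, 0x91, 0xC7, 0x05, 0x6E, 0xB2, 0x18, 0xD4]  # constructed 8-byte key


def tbox(x, key=KEY, cave=CAVE):
    """T(x) = C(((C(((C(((C((x^K0)+K1)+x)^K2)+K3)+x)^K4)+K5)+x)^K6)+K7)+x (mod 256)."""
    t = x
    for j in range(0, 8, 2):
        t = (cave[((t ^ key[j]) + key[j + 1]) & 0xFF] + x) & 0xFF
    return t


def layer1(block, key=KEY):
    """Keyed left-to-right pass: P'_i = P_i + T(y_i ^ i), y_{i+1} = y_i + P'_i."""
    out, y = [], 0
    for i, p in enumerate(block):
        q = (p + tbox(y ^ i, key)) & 0xFF
        out.append(q)
        y = (y + q) & 0xFF
    return out


def layer2(block):
    """Unkeyed pass: each left-half byte is XORed with (its mirror byte OR 1)."""
    n = len(block)
    out = list(block)
    for i in range(n // 2):
        out[i] = block[i] ^ (block[n - 1 - i] | 1)
    return out  # right half (and the middle byte for odd n) is unchanged


def layer3(block, key=KEY):
    """Inverse of layer1: z_{i+1} = z_i + P''_i, C_i = P''_i - T(z_i ^ i)."""
    out, z = [], 0
    for i, q in enumerate(block):
        out.append((q - tbox(z ^ i, key)) & 0xFF)
        z = (z + q) & 0xFF
    return out


def cmea(block, key=KEY):
    """One CMEA block operation. Because layer3 undoes layer1 and layer2 is its
    own inverse, applying cmea twice returns the plaintext."""
    return layer3(layer2(layer1(block, key)), key)


def roundtrip(msg):
    """Returns (ciphertext, recovered plaintext) for a constructed byte block."""
    ct = cmea(list(msg))
    return ct, cmea(ct)
```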

19.3 SECURITY: CMEA is very weak against chosen-plaintext attacks and can be broken very easily with 338 chosen plaintexts on average. CMEA can also be broken with a known-plaintext attack using around 50 known plaintexts. The complexity of the cryptanalysis is around $2^{35}$ and can easily be parallelized. However, due to the closed-door design and implementation, the attack and break are not very common. Due to its efficiency, CMEA remains the encryption standard in the cellular world, awaiting the advent of a newer algorithm.


20. PHELIX

DESIGNER: Doug Whiting, Bruce Schneier, Stefan Lucks, and Frederic Muller

20.1 INTRODUCTION: PHELIX is a high-speed stream cipher with a built-in MAC functionality. It is efficient in both hardware and software. The keystream generation function is made significantly faster, per message byte, than a block cipher. PHELIX works almost twice as fast as AES. PHELIX has a state that consists of nine words of 32 bits each. The state is broken up into two groups: 5 “active" state words, which participate in the block update function, and 4 “old" state words that are only used in the keystream output function. A single round of PHELIX consists of adding (or XORing) one active state word into the next, and rotating the first word. Multiple rounds are applied in a cyclical pattern to the active state. The horizontal lines of the rounds wind themselves in helical fashion through the five active state words. Twenty rounds make up one block. PHELIX actually uses two intertwined helices; a single block contains two full turns of each of the helices.

During each block, several other activities occur. During block i, one word of keystream is generated ($S_i$), two words of key material are added ($X_{i,0}$ and $X_{i,1}$), and one word of plaintext is added ($P_i$). The output state of one block is used as input to the next. The ciphertext is created by XORing the plaintext with the keystream. At the start of an encryption, a starting state is derived from the key and nonce. The key words $X_{i,j}$ depend on the key, the length of the input key, the nonce, and the block number i. State-guessing attacks are made more difficult by adding key material at double the rate at which keystream material is extracted. At the end of the message, some extra processing is done, after which a 128-bit MAC tag is produced to authenticate the message. A diagram depicting a block of PHELIX is given next,

Figure 20.1 Schematic of a block of PHELIX


20.2 ALGORITHM:

The PHELIX encryption function takes as input a variable-length key U of up to 256 bits, a 128-bit nonce N, and a plaintext P. The decryption function takes the key, nonce, ciphertext, and tag, and produces either the plaintext message or an error if the authentication failed. A sequence of bytes xi is identified with a sequence of words Xj by the relations,

Let l(x) denote the length of a string of bytes x. The input key U consists of a sequence of bytes $u_0, u_1, \ldots, u_{l(U)-1}$ with 0 ≤ l(U) ≤ 32. The key is processed through the key mixing function to produce the working key, which consists of 8 words $K_0, \ldots, K_7$. The nonce N consists of 16 bytes, interpreted as four words $N_0, \ldots, N_3$. Applications which use a shorter nonce have to 0-pad their nonce to the full 16-byte length. The plaintext P and ciphertext C are both sequences of bytes of the same length, with the restriction that $0 \le l(P) < 2^{64}$. Both are manipulated as sequences of words, $P_i$ and $C_i$, respectively. The last word of the plaintext and ciphertext might be only partially used. The "extra" plaintext bytes in the last word are taken to be zero. The "extra" ciphertext bytes are irrelevant and never used. In the case of zero-length plaintexts, no data is encrypted and only a MAC is generated.

PHELIX consists of a sequence of blocks. The blocks are numbered sequentially, which assigns each block a unique number i. At the start of block i, the active state consists of five words $Z_0^{(i)}, \ldots, Z_4^{(i)}$; at the end of the block, the active state consists of $Z_0^{(i+1)}, \ldots, Z_4^{(i+1)}$, which forms the input to the next block with number i+1. Block i also uses as input two key words $X_{i,0}$ and $X_{i,1}$, the plaintext word $P_i$, and a previous state word $Z_4^{(i-4)}$. All values are 32-bit words; exclusive or is denoted by ⊕, addition modulo $2^{32}$ is denoted by +, and rotation by <<<. The block function actually consists of two applications of a "half-block" function H, defined as,


Given the function H, the block function, is computed as follows,

Each block produces one word of keystream, $S_i := Y_4 + Z_4^{(i-4)}$. The ciphertext words are defined by $C_i := P_i \oplus S_i$.

The expanded key words are derived from the working key $K_0, \ldots, K_7$, the nonce $N_0, \ldots, N_3$, the input key length l(U), and the block number i. The nonce is first extended to 8 words by defining $N_k := (k \bmod 4) - N_{k-4} \pmod{2^{32}}$ for k = 4, ..., 7. The key words for block i are then defined by,

where all additions are taken modulo $2^{32}$. Here $X'_i$ encodes bits 31 to 62 of the value i+8; this is not the same as the upper 32 bits of i+8.

The PHELIX encryption is started by setting,

Eight blocks are then applied, using block numbers i = −8, ..., −1. For these blocks, the generated keystream words are discarded.

After the initialization, the plaintext is encrypted. Let $k := \lfloor (l(P)+3)/4 \rfloor$ be the number of words in the plaintext. The encryption consists of k blocks numbered 0 to k−1. Each block generates one word of keystream, which is used to encrypt one word of the plaintext. Depending on l(P) mod 4, between 1 and 4 of the bytes of the last keystream word are used.

Just after the block that encrypted the last plaintext byte, one of the state words is modified: the internal state word $Z_0^{(k)}$ is XORed with the value 0x912d94f1. Using this modified state, eight blocks, numbered k, ..., k+7, are applied for post-mixing. For these blocks, the plaintext word $P_i$ is defined as l(P) mod 4, and the generated keystream is discarded. After the post-mixing, four more blocks, numbered k+8, ..., k+11, are applied, using the same plaintext input word (i.e., l(P) mod 4). The keystream words generated by these four blocks form the MAC tag.


The key mixing converts a variable-length input key U to the fixed-length working key, K. First, the PHELIX block function is used to create a round function R that maps 128 bits to 128 bits, as follows,

The input key U is first extended with 32 − l(U) zero bytes. The 32 key bytes are converted to 8 words $K_{32}, \ldots, K_{39}$. Further key words are defined by the equation,

for i = 7, ..., 0. The words $K_0, \ldots, K_7$ form the working key of the cipher. (This recursion defines a Feistel-type cipher on 256-bit blocks.)

Decryption is almost identical to encryption. The only differences are as follows,

• The keystream $S_i$ generated after the first application of the H function in each block is used to decrypt the ciphertext, producing the plaintext word that is used in the second application of the H function within the block. The implementation must ensure that any unused bytes of the final plaintext word are taken as zero for purposes of computing the block function, regardless of the value of the extra keystream bytes.
• Once the tag has been generated, it is compared to the tag provided. If the two values are not identical, all generated data (i.e., the keystream, plaintext, and tag) is destroyed.

20.3 SECURITY: No true workable method of attack has yet been identified. A successful attack on PHELIX would occur either when an attacker can predict a keystream bit he has not seen with a probability slightly higher than 50%, or when he can create a forged or altered message that is accepted by the recipient with a probability substantially higher than $2^{-128}$.


21. TIGER

DESIGNER: Ross Anderson and Eli Biham

21.1 INTRODUCTION: TIGER is one of the latest hash functions available and has not been broken yet. It is designed to run quickly on 64-bit processors without being too slow on existing machines. It is claimed to be as fast as SHA-1 on 32-bit machines. Its main operation is table lookup into four S-boxes each from eight bits to 64-bits. For drop-in compatibility, the outer structure of the MD family is adopted. The message is padded by a single ‘1’ bit followed by a string of ‘0’ and finally the message length as a 64-bit word. The result is divided into n 512-bit blocks. The size of the hash value and of the intermediate state is three words or 192-bits. The memory size required by Tiger is only slightly more than the size of the four S boxes.

21.2 ALGORITHM:

(Due to the complex nature of the algorithm, here the description is given via certain assumptions and pseudo codes.)

In Tiger, all the computations are on 64-bit words in little-endian/2’s complement representation. Three 64-bit registers called a, b, and c are used as the intermediate hash values. These registers are initialized to h0, which is,

a = 0x0123456789ABCDEF
b = 0xFEDCBA9876543210
c = 0xF096A5B4C3B2E187

Each successive 512-bit message block is divided into eight 64-bit words

$x_0, x_1, \ldots, x_7$ and the following computation is performed to update $h_i$ to $h_{i+1}$. This computation consists of three passes, and between each of them there is a key schedule, an invertible transformation of the input data, which prevents an attacker from forcing sparse inputs in all three rounds. Finally, there is a feedforward stage in which the new values of a, b, and c are combined with their initial values to give $h_{i+1}$.

Where,

save_abc saves the value of $h_i$: aa = a; bb = b; cc = c;

pass(a, b, c, 5) is composed of round(a, b, c, mul) i.e.


Here, $c_i$ is the i-th byte of c (0 ≤ i ≤ 7) and T1 to T4 are the S-boxes.

Hence the pass(a, b, c, 5) looks like,

key_schedule is,

feedforward is,

The resultant registers a, b, c are the 192 bits of the intermediate-hash value hi+1 .

21.3 SECURITY: A strong avalanche effect appears after 3 rounds, and appears faster if short words are used. The heavy non-linearity is introduced by the S-boxes. The key schedule ensures that changing a small number of bits in a message affects many bits during the various passes. Combined, these help the algorithm resist Dobbertin's differential attack that was made against MD4. The is prevented by the feedforward functionality.


22. OTHER ALGORITHMS

22.1 BLOCK CIPHERS

22.1.1 3-WAY

3-Way is a simple and fast cipher designed by Joan Daemen. 3-Way features a 96-bit key length and a 96-bit block length. 3-Way is an iterated block cipher that repeats some relatively simple operations for a specified number of rounds. David Wagner, John Kelsey, and Bruce Schneier of Counterpane Systems have discovered a related-key attack on 3-Way that requires one related-key query and about $2^{22}$ chosen plaintexts.

22.1.2 BLOWFISH

Blowfish is a block cipher designed by Bruce Schneier, author of Applied Cryptography. Blowfish combines a Feistel network, key-dependent S-boxes, and a non-invertible F function to create what is perhaps one of the most secure algorithms available. The only known attacks against Blowfish are based on its classes.

22.1.3 FEAL

Developed by Nippon Telephone & Telegraph as an improvement to DES, the Fast Data Encipherment Algorithm (FEAL) is very insecure. FEAL-4, FEAL-8, and FEAL-N are all susceptible to a variety of cryptanalytic attacks, some requiring as few as 12 chosen plaintexts. FEAL is patented.

22.1.4 GOST

GOST is a cryptographic algorithm from Russia that appears to be the Russian analog of DES, both politically and technologically. Its designers took no chances, iterating the GOST algorithm for 32 rounds and using a 256-bit key. Although GOST's conservative design inspires confidence, John Kelsey has discovered a related-key attack on GOST. There are also weak keys in GOST, but there are too few to be a problem when GOST is used with its standard set of S-boxes.

22.1.5 MACGUFFIN

MacGuffin is a cipher developed by Matt Blaze and Bruce Schneier as an experiment in cipher design. It uses a Feistel network, but does not split the input evenly, instead dividing the 64-bit block into one 16-bit part and another 48-bit part. This is called a generalized unbalanced Feistel network (GUFN). A differential attack on MacGuffin has been found that requires approximately $2^{51.5}$ chosen plaintexts.

22.1.6 MISTY

Misty is a cryptographic algorithm developed by Mitsubishi Electric after they broke DES in 1994. It is designed to withstand linear and differential cryptanalysis, but has not yet been cryptanalysed. It is being considered for inclusion in the SET 2.0 standard.

22.1.7 MMB

MMB was designed as an alternative to IDEA that uses a 128-bit block instead of IDEA's 64-bit block. It was designed using the same principles as IDEA. Unfortunately, it is not as secure as IDEA and several attacks exist against it. Its author, Joan Daemen, abandoned it and designed 3-Way.


22.1.8 RC2

RC2, like RC4, was formerly a trade secret, but code purporting to be RC2 was posted to sci.crypt. David Wagner, John Kelsey, and Bruce Schneier have discovered a related-key attack on RC2 that requires 1 related-key query and approximately $2^{34}$ chosen plaintexts.

22.1.9 RC5

RC5 is a group of algorithms designed by Ron Rivest of RSA Data Security that can take on a variable block size, key size, and number of rounds. The block size is generally dependent on the word size of the machine the particular version of RC5 was designed to run on; on 32-bit processors (with 32-bit words), RC5 generally has a 64-bit block size. David Wagner, John Kelsey, and Bruce Schneier have found weak keys in RC5, with the probability of selecting a weak key being $2^{-10r}$, where r is the number of rounds. For sufficiently large r-values (greater than 10), this is not a problem as long as one is not trying to build a hash function based on RC5. Knudsen has also found a differential attack on RC5.

22.1.10 RC6

RC6 is Ronald Rivest's AES submission. Like all AES ciphers, RC6 works on 128-bit blocks. It can accept variable-length keys. It is very similar to RC5, incorporating the results of various studies on RC5 to improve the algorithm. The studies of RC5 found that not all bits of data are used to determine the rotation amount (rotation is used extensively in RC5); RC6 uses multiplication to determine the rotation amount and uses all bits of input data to determine the rotation amount, strengthening the avalanche effect.

22.1.11 REDOC

There are two versions of the REDOC algorithm, REDOC II and REDOC III. REDOC II is considered secure; an attack has been made against one round of REDOC II, but could not be extended to all 10 recommended rounds. REDOC II is interesting in that it uses data masks to select the values in the S-boxes. REDOC II uses a 160-bit key and works on an 80-bit block. REDOC III was an attempt to make the painfully slow REDOC II faster. REDOC III, like REDOC II, operates on an 80-bit block, but can accept keys up to 20480 bits. However, REDOC III falls to differential cryptanalysis.

22.1.12 SAFER

Safer was developed by Robert Massey at the request of Cylink Corporation. There are several different versions of Safer, with 40-, 64-, and 128-bit keys. A weakness in the key schedule was corrected, with an S being added to the original Safer K designation to create Safer SK. There are some attacks against reduced-round variants of Safer. Safer is secure against differential and linear cryptanalysis. However, Bruce Schneier, author of Applied Cryptography, recommends against using Safer because, "Safer was designed for Cylink, and Cylink is tainted by the NSA."

22.1.13 SKIPJACK

In what surely signals the end of the Clipper chip project, the NSA has released Skipjack, its formerly secret encryption algorithm, to the public. Skipjack uses an 80-bit key.


22.1.14 TINY ENCRYPTION ALGORITHM (TEA)

TEA is a cryptographic algorithm designed to minimize memory footprint and maximize speed. However, the cryptographers from Counterpane Systems have discovered three related-key attacks on TEA, the best of which requires only $2^{23}$ chosen plaintexts and 1 related-key query. The problems arise from the overly simple key schedule. Each TEA key can be found to have three other equivalent keys, as described in a paper by David Wagner, John Kelsey, and Bruce Schneier. This precludes the possibility of using TEA as a hash function. Roger Needham and David Wheeler have proposed extensions to TEA that counter the above attacks.

22.1.15 TWOFISH

Twofish is Counterpane Systems' AES submission. Designed by the Counterpane Team (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson), Twofish has undergone extensive analysis by the Counterpane Team.

22.2 STREAM CIPHERS

22.2.1 ORYX

ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream cipher based on three 32-bit Galois LFSRs. It is distinct from CMEA, which is a block cipher used to encrypt the cellular data control channel. The cryptographic tag-team from Counterpane Systems (David Wagner, John Kelsey, and Bruce Schneier) have developed an attack on ORYX that requires approximately 24 bytes of known plaintext and about $2^{16}$ initial guesses.

22.2.2 SEAL

SEAL, designed by Don Coppersmith of IBM Corp, is probably the fastest secure encryption algorithm available. The key setup process of SEAL requires several kilobytes of space and rather intensive computation involving SHA1, but only five operations per byte are required to generate the keystream. SEAL is particularly appropriate for disk encryption and similar applications where data must be read from the middle of a ciphertext stream.

22.3 HASH ALGORITHMS

22.3.1 MD2

MD2 is generally considered a dead algorithm. It was designed to work on 8-bit processors and, in today's 32-bit world, is rarely used. It produces a 128-bit digest. MD2 is different in design from MD4 and MD5, in that it first pads the message so that its length in bits is divisible by 256. It then adds a 256-bit checksum. If this checksum is not added, the MD2 function has been found to have collisions. There are no known attacks on the full version of MD2.

22.3.2 MD4

Although MD4 is now considered insecure, its design is the basis for the design of most other cryptographic hashes and therefore merits description. First, the message to be operated on is padded so that its length in bits plus 448 is divisible by 512. Then, in what is called a Damgård/Merkle iterative structure, the message is processed with a compression function in 512-bit blocks to generate a digest value. In MD4, this digest is 128 bits long. Hans Dobbertin developed an attack on the full MD4 that will generate collisions in about a minute on most PCs.

22.3.3 MD5

While MD4 was designed for speed, a more conservative approach was taken in the design of MD5. However, applying the same techniques he used to attack MD4, Hans Dobbertin has shown that collisions can be found for the MD5 compression function in about 10 hours on a PC. While these attacks have not been extended to the full MD5 algorithm, they still do not inspire confidence in the algorithm. RSA is quick to point out that these collision attacks do not compromise the integrity of MD5 when used with existing digital signatures. MD5, like MD4, produces a 128-bit digest. The use of MD5, as well as MD4, is not recommended in new applications.

22.3.4 RIPEMD

RIPEMD and its successors were developed by the European RIPE project. Its authors found collisions for a version of RIPEMD restricted to two rounds. This attack can also be applied to MD4 and MD5. The original RIPEMD algorithm was then strengthened and renamed to RIPEMD-160. As implied by the name, RIPEMD-160 produces a 160-bit digest.

22.3.5 SHA1

SHA1 was developed by the NSA for NIST as part of the Secure Hash Standard (SHS). SHA1 is similar in design to MD4. The original published algorithm, known as SHA, was modified by the NSA to protect against an unspecified attack; the updated algorithm is named SHA1. It produces a 160-bit digest, large enough to protect against "birthday" attacks, where two different messages are selected to produce the same signature, for the next decade.

22.3.6 SNEFRU

Snefru is a hash function designed by Ralph Merkle, the designer of the encryption algorithms. 2-round Snefru has been broken by Eli Biham. Snefru 2.5, the latest edition of the hash algorithm, can generate either a 128-bit or a 256-bit digest.


III. REFERENCES

The list of the references used in this section is provided here. Some of the references are not generally available and can only be found on some organizations' websites. If the reader is not able to trace them, the author of the report can be contacted freely. An attempt has been made to provide contact details for the original authors whose work has been referenced.

1. FIPS PUB 46-3

2. FIPS PUB 197

3. Johannes A. Buchmann, “Introduction to Cryptography,” second Edition, Springer Publication, 2004, ISBN 81-8182-232-9

4. Paulo S.L.M. Barreto & Vincent Rijmen, “The Anubis Block Cipher,” Submission to NESSIE project (http://www.cryptonessie.org/)

5. David Wagner, Bruce Schneier, & John Kelsey, “Cryptanalysis of the Cellular Message Encryption Algorithm.”

6. Lars R. Knudsen, “DEAL - A 128-bit Block Cipher,” Submission to NIST as an AES candidate

7. Lawrie Brown, & Josef Pieprzyk, “Introducing the new LOKI97 Block Cipher,” Submission to NIST as an AES candidate (http://www.adfa.oz.au/˜lpb/research/loki97/)

8. IBM corporation, “MARS - a candidate cipher for AES,” Submission to NIST as an AES candidate, Sept 1999

9. Ross Anderson, Eli Biham, & Lars Knudsen, “Serpent: A Proposal for the Advanced Encryption Standard.”

10. Joan Daemen, Lars Knudsen, & Vincent Rijmen, “The Block Cipher Square.”

11. Ross Anderson & Eli Biham, “Tiger: A Fast New Hash Function.”

12. C. Adams, “The CAST-128 Encryption Algorithm,” Network Working Group, Entrust Technologies.

13. Doug Whiting, Bruce Schneier, Stefan Lucks, & Frederic Muller, “PHELIX Fast Encryption and Authentication in a Single


SECTION FOUR

Cryptanalysis, Differential Cryptanalysis, Linear Cryptanalysis

-Anuj Prateek


23. CRYPTANALYSIS

23.1 INTRODUCTION

The practice of obtaining access to secret information is called cryptanalysis; in more general terms, cryptanalysis is defined as code breaking in the context of cryptography. The person, or nowadays the machine, that carries out cryptanalysis is called a cryptanalyst or attacker.

23.1.1 HISTORY

• CLASSICAL CRYPTANALYSIS: William Friedman coined the term in 1920, though the method of breaking codes and ciphers is much older. Frequency analysis is the most basic method of cryptanalysis. Frequency analysis relies as much on linguistic knowledge as on statistics. During and after World War II, mathematics became important in cryptography and frequency analysis became a very poor attack. Automation was applied for the first time with the Bomba device and the Colossus.
• MODERN CRYPTANALYSIS: Kahn mentioned the power of interception, bugging, side channel, and quantum attacks as a replacement for traditional attacks.

The results and impact of cryptanalysis have marked many events in history; for example, the breaking of the Zimmermann Telegram led to the involvement of the US in World War I. Similarly, during World War II, cryptanalysis of German ciphers like the Enigma machine and the Lorenz cipher shortened the European war by a few months, and the US benefited from cryptanalysis of the Japanese PURPLE code. In 2004, the US broke Iranian ciphers, and this led to a war-like sequence of events.

23.1.2 ASSUMPTIONS

Generally, cryptanalysis is done under certain assumptions of knowledge, i.e. about how much information is available or observed about the system under attack. It is assumed that the cryptanalyst knows the system. Kerckhoffs gave this assumption and it appears as Kerckhoffs's principle. Other assumptions include,

• Ciphertext-only attack (COA): The cryptanalyst has access to certain ciphertext. If an adversary were sending ciphertext continuously to maintain traffic-flow security, it would be very useful to be able to distinguish real messages from nulls. Even making an informed guess of the existence of real messages would facilitate traffic analysis. Most of the statistical attacks are based on it only. Early versions of Microsoft PPTP, WEP, etc. were broken using COA.
• Known-plaintext attack (KPA): The cryptanalyst knows certain ciphertext with the corresponding plaintext. Attacks like the gardening attack are based on it. Classical ciphers and based ones are most prone to this kind of attack.
• Chosen-plaintext attack (CPA): The cryptanalyst can get the ciphertext corresponding to an arbitrary set of plaintexts; a chosen-ciphertext attack is the reverse. In the worst case, this reveals the key. This appears, at first glance, to be an unrealistic model, but in practice it is easily implemented in software or hardware and is used for a diverse range of applications. Chosen-plaintext attacks become extremely important in the context of public key cryptography.
• Adaptive chosen plaintext/ciphertext: This is similar to chosen plaintext/ciphertext, except that here the cryptanalyst can choose subsequent plaintexts/ciphertexts based on the previous information.
• Batch chosen plaintext/ciphertext: Here the cryptanalyst chooses all plaintexts before any of them is encrypted. This is often the meaning of an unqualified use of "chosen-plaintext attack."

Algorithms that are deterministic, i.e. not random​ized, are the most prone to the three types of attack above.

• Related-key attack: This is similar to chosen-plaintext, except that the cryptanalyst can obtain ciphertexts encrypted under two different keys and knows the relation between the keys. The WEP algorithm failed due to this kind of attack. WPA solved the problem by using three levels of keys: master key, working key and RC4 key. The master WPA key was shared with each client and access point and was used in a protocol called TKIP to create new working keys frequently enough. The working keys were then combined with a longer, 48-bit IV to form the RC4 key for each packet. This design mimics the WEP approach closely enough to allow WPA to be used with first-generation Wi-Fi network cards, some of which implemented portions of WEP in hardware.

The success of the cryptanalysis of block ciphers (applicable to other types also) is classified into groups proposed by L. Knudsen in 1998; they are as follows,

• Total Break: The attacker deduces the secret key.
• Global Deduction: The attacker discovers a functionally equivalent algorithm for encryption/decryption without knowing the key.
• Instance Deduction: The attacker discovers additional plaintext beyond what was shown.
• Distinguishing Algorithm: The attacker can distinguish the cipher from a random permutation.

The attacks are characterized by the amount of resources they require, in the form of,

• Time taken
• Memory consumed
• Data required

A break whose cost is lower than that of brute force, i.e. exhaustive search, is considered a successful break; if that cost is still impractical, it is called a certificational break.

In the case of cryptanalysis of an asymmetric algorithm, the problem is compounded by the mathematical difficulty of finding a solution in practical time. Another distinguishing feature of an asymmetric scheme is that the attacker has knowledge of the public key, which can possibly be used to extract knowledge about the secret key or the plaintext.


In future, with the advent of quantum computers, it is expected that it would become possible to break any present encryption scheme, or to solve mathematically difficult problems in real time, but as yet there is no valid proof of the existence of such an algorithm or computer.

23.2 METHODS OF CRYPTANALYSIS & ATTACKS

23.2.1 FREQUENCY ANALYSIS

This method is mostly applied to classical ciphers. It involves the study of the frequency of letters or groups of letters in a ciphertext. Frequency analysis is based on the fact that, in any given stretch of written language, certain letters and combinations of letters occur with varying frequencies, and there is a characteristic distribution of letters that is roughly the same for almost all samples of that language. In some ciphers, such properties of the natural language plaintext are preserved in the ciphertext, and these patterns have the potential to be exploited in a ciphertext-only attack. To defeat this attack, certain schemes were introduced around the Renaissance period; a few of them are as follows,

• Use of homophones: Several alternatives to the most common letters in otherwise monoalphabetic substitution ciphers should be used.
• Polyalphabetic substitution, that is, the use of several alphabets, chosen in assorted, more or less devious, ways.
• Polygraphic substitution, schemes where pairs or triplets of plaintext letters are treated as units for substitution, rather than single letters (for example, in the case of the invented by Charles Wheatstone in the mid-1800s).

A disadvantage of all these attempts to defeat frequency-counting attacks is that they increase the complication of enciphering and deciphering, leading to mistakes. Frequency analysis requires only a basic understanding of the statistics of the plaintext language and some problem solving skills, and, if performed by hand, some tolerance for extensive letter bookkeeping.

23.2.2 KASISKI EXAMINATION

In cryptanalysis, the Kasiski examination or Kasiski test is a method of attacking polyalphabetic substitution ciphers, such as the Vigenère cipher. It was independently developed by Charles Babbage and later . The Kasiski examination allows a cryptanalyst to deduce the length of the keyword used in the polyalphabetic . Once the length of the keyword is discovered, the cryptanalyst lines up the ciphertext in n columns, where n is the length of the keyword. Then, each column can be treated as the ciphertext of a monoalphabetic substitution cipher, and as such each column can be attacked with frequency analysis. The Kasiski examination involves looking for strings of characters that are repeated in the ciphertext. The strings should be three characters long or more for the examination to be successful. The distances between consecutive occurrences of the strings are then likely to be multiples of the length of the keyword. Thus finding more repeated strings narrows down the possible lengths of the keyword, since we can take the greatest common divisor of all the distances. The reason this test works is that if a repeated string occurs in the plaintext, and the distance between the occurrences is a multiple of the keyword length, the keyword letters will line up in the same way with both occurrences of the string.

The difficulty of using the Kasiski examination lies in finding repeated strings. This is a very hard task to perform manually, but computers can make it much easier. However, human interaction is still required, since some repeated strings may just be coincidences, and then the distances will have a greatest common divisor of one. A human cryptanalyst has to rule out the coincidences to find the correct length. Modern attacks on polyalphabetic ciphers are essentially identical to the one described above, with the one improvement of coincidence counting.

23.2.3 INDEX OF COINCIDENCE

Coincidence counting is a technique invented by William F. Friedman. In this technique, we put two texts side by side and count the number of times that a letter appears in the same position in both texts. This count, as a ratio of the total, is known as the index of coincidence. The technique is used to cryptanalyze the Vigenère cipher, for example. Even though only ciphertext is available for testing, so that plaintext letter identities are disguised, coincidences in the ciphertext can be caused by corresponding coincidences in the plaintext. For a repeating-key arranged into a matrix, the coincidence rate within each column will usually be highest when the width of the matrix is a multiple of the key length, and this fact can be used to determine the key length, which is the first step in cracking the system. Coincidence counting can also help determine when two texts are written in the same language, using the same alphabet. For such texts, the coincidence count will be distinctly higher than the coincidence count for texts in different languages, or using different alphabets, or gibberish texts. The technique has been applied to examine the purported Bible code. It can easily be imagined that this effect can be subtle. Nevertheless, this technique can be used effectively to identify when two texts contain meaningful information in the same language using the same alphabet. Mathematically, we can compute the index of coincidence IC for a given letter-frequency distribution as,

$$IC = \frac{c \sum_{i=1}^{c} n_i (n_i - 1)}{N (N - 1)}$$

Here, N is the length of the text and $n_1$ through $n_c$ are the frequencies of the c letters of the alphabet (e.g. c = 26 for monocase English). The expected IC for English text is around 1.7, and for German 1.9. If all c letters were equally distributed, the expected IC would be 1.0.

The above description of the Index of Coincidence is related to the general concept of correlation. Various forms of Index of Coincidence have been devised; the "delta" IC (given by the formula above) in effect measures the autocorrelation of a single distribution, whereas a "kappa" IC is used when matching two text strings. Although in some applications constant factors such as c and N can be ignored, in more general situations there is considerable value in truly indexing each IC against the value to be expected for the null hypothesis (usually: no match and a uniform random symbol distribution), so that in every situation the expected value for no correlation is 1.0. Thus, any form of IC can be expressed as the ratio of the number of coincidences actually observed to the number of coincidences expected (according to the null model), using the particular test setup. A related concept, the "bulge" of a distribution, measures the discrepancy between the observed IC and the null value of 1.0.
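As an added example (my code, not the report's), the Kasiski examination of 23.2.2 and the index of coincidence of 23.2.3 applied to one Vigenère ciphertext, followed by the per-column frequency attack the report says becomes possible once the keyword length is known. The plaintext, the keyword BLOCK, the IC threshold and the English frequency table are assumptions constructed for the illustration.

```python
import string
from collections import Counter, defaultdict
from functools import reduce
from math import gcd

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent, A..Z (standard published values).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Constructed sample plaintext (letters only) and a keyword with five distinct letters.
PLAINTEXT = ("FREQUENCY ANALYSIS WORKS BECAUSE SOME LETTERS OCCUR FAR MORE OFTEN THAN OTHERS "
             "IN ENGLISH TEXT AND A SIMPLE SUBSTITUTION PRESERVES THAT PATTERN A POLYALPHABETIC "
             "CIPHER CONCEALS THIS PATTERN BY USING SEVERAL SHIFTS IN TURN BUT EVERY LETTER "
             "ENCRYPTED UNDER THE SAME SHIFT STILL FOLLOWS THE NORMAL FREQUENCIES ONCE THE "
             "PERIOD IS KNOWN EACH COLUMN CAN BE ATTACKED BY FREQUENCY ANALYSIS JUST AS A "
             "SIMPLE SUBSTITUTION THE SAME IDEA BREAKS ANY PERIODIC SHIFT CIPHER ONCE ENOUGH "
             "TEXT IS AVAILABLE TO THE ANALYST").replace(" ", "")
KEY = "BLOCK"


def vigenere(text, key, decrypt=False):
    """Shift each letter by the key letter at the same position; the key repeats cyclically."""
    out = []
    for i, ch in enumerate(text):
        shift = ord(key[i % len(key)]) - 65
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ord(ch) - 65 + shift) % 26])
    return "".join(out)


def index_of_coincidence(text, c=26):
    """Delta IC as defined in the report: c * sum(n_i (n_i - 1)) / (N (N - 1)).
    Uniform random letters give about 1.0, English text about 1.7."""
    n = len(text)
    counts = Counter(text)
    return c * sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


def period_from_ic(ct, max_period=20, threshold=1.5):
    """Smallest period m whose m columns look monoalphabetic (mean column IC above threshold).
    The threshold sits between the random value 1.0 and the English value 1.7 (assumption)."""
    for m in range(1, max_period + 1):
        mean_ic = sum(index_of_coincidence(ct[i::m]) for i in range(m)) / m
        if mean_ic >= threshold:
            return m
    return None


def kasiski(ct, ngram=3, max_period=20):
    """Distances between repeated n-grams, and how many of them each candidate period divides.
    The plain GCD of all distances is returned too: a single chance repeat drags it down to 1."""
    positions = defaultdict(list)
    for i in range(len(ct) - ngram + 1):
        positions[ct[i:i + ngram]].append(i)
    distances = [b - a for pos in positions.values() for a in pos for b in pos if b > a]
    votes = {m: sum(d % m == 0 for d in distances) for m in range(2, max_period + 1)}
    return votes, distances, reduce(gcd, distances, 0)


def recover_key(ct, period):
    """Attack each column as a Caesar shift: pick the shift whose decryption correlates
    best with English letter frequencies (frequency analysis column by column)."""
    key = []
    for col in (ct[i::period] for i in range(period)):
        def score(shift):
            return sum(ENGLISH_FREQ[(ord(ch) - 65 - shift) % 26] for ch in col)
        key.append(ALPHABET[max(range(26), key=score)])
    return "".join(key)


if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    votes, distances, g = kasiski(ct)
    print("Kasiski votes:", sorted(votes.items(), key=lambda kv: -kv[1])[:3], "gcd:", g)
    m = period_from_ic(ct)
    print("period from IC:", m, "recovered key:", recover_key(ct, m))
```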

23.2.4 DIFFERENTIAL CRYPTANALYSIS

This is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformations, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

The discovery of differential cryptanalysis is attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the DES. It was noted that DES is surprisingly resilient to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible. In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal. According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique. Within IBM, differential cryptanalysis was known as the "T-attack" or "Tickle attack".

While DES was designed with resistance to differential cryptanalysis in mind, other contemporary ciphers proved to be vulnerable. An early target for the attack was the FEAL block cipher. The original proposed version with four rounds (FEAL-4) can be broken using only eight chosen plaintexts, and even a 31-round version of FEAL is susceptible to the attack.

Differential cryptanalysis is usually a CPA. The scheme can successfully cryptanalyze DES with an effort on the order of $2^{47}$ chosen plaintexts. There are, however, extensions that would allow a known-plaintext or even a ciphertext-only attack. The basic method uses pairs of plaintexts related by a constant difference; the difference can be defined in several ways, but the XOR operation is usual. The differences of the corresponding ciphertexts are calculated to detect statistical patterns in their distribution. In the basic attack, one particular ciphertext difference is expected to be especially frequent; in this way, the cipher can be distinguished from random. Variations that are more sophisticated allow the key to be recovered faster than exhaustive search. To choose a difference, an analysis of the algorithm's internals is undertaken; the standard method is to trace a path of highly probable differences through the various stages of encryption, termed a differential characteristic.


23.2.5 LINEAR CRYPTANALYSIS

Linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. The discovery of linear cryptanalysis is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher. Subsequently, Matsui published an attack on the DES, eventually leading to the first experimental cryptanalysis of the cipher reported in the open community. A variety of refinements to the attack have been suggested, including using multiple linear approximations or incorporating non-linear expressions. Evidence of security against linear cryptanalysis is usually expected of new cipher designs.

23.2.6 STATISTICAL CRYPTANALYSIS

Statistical cryptanalysis is not a very common method used by mathematicians but in the modern world, it has emerged as a hit-and-try approach. Since the development of cryptology in the industrial and academic worlds in the seventies, public knowledge and expertise have grown in a tremendous way, notably because of the increasing, nowadays almost ubiquitous, presence of electronic communication means in our lives. The methods employed by statistical cryptanalysis are unique to the algorithm or the cipher. Statistical attacks have been very well documented about DES, TEA, SEAL, and some other block ciphers.

23.2.7 BIRTHDAY ATTACK

A birthday attack is a kind of attack that exploits the mathematics behind the birthday paradox, making use of a space-time tradeoff. Specifically, if a function yields any of H different outputs with equal probability and H is sufficiently large, then after evaluating the function for about $1.2\sqrt{H}$ different arguments we expect to obtain a pair of different arguments $x_1$ and $x_2$ with $f(x_1) = f(x_2)$, known as a collision.

To show this, start with the Taylor series approximation to the probability of two people having the same birthday. In this case, the number of days in a year is replaced with the number of unique outputs, H,

$$p(n) = 1 - \bar{p}(n) \approx 1 - e^{-n(n-1)/(2H)}$$

Here n is the number of attempts at a collision. Inverting this expression,

$$n(p) \approx \sqrt{2H \ln\frac{1}{1-p}}$$

And hence for p= 0.5,

$$n(0.5) \approx 1.1774\sqrt{H}$$


Digital signatures are found to be most susceptible to a birthday attack. To avoid this attack, the output length of the hash function used for a signature scheme can be chosen large enough so that the birthday attack becomes computationally infeasible, i.e. about twice as large as needed to prevent an ordinary brute force attack.

The birthday attack can also be used to speed up the computation of discrete logarithms. Suppose x and y are elements of some group and y is a power of x. We want to find the exponent of x that gives y. A birthday attack computes $x^r$ for many randomly chosen integers r and computes $y x^{-s}$ for many randomly chosen integers s. After a while, a match will be found: $x^r = y x^{-s}$, which means $y = x^{r+s}$. If the group has n elements, then the naive method of trying out all exponents takes about n/2 steps on average; the birthday attack is considerably faster and takes fewer than $2\sqrt{n}$ steps on average. Techniques based on repeated iteration can greatly reduce the storage requirements of a birthday attack.
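An added check of the estimates above (my code, not the report's), using SHA-256 truncated to its leading bits as a function with $H = 2^{bits}$ outputs; the input encoding, the 20-bit truncation and the number of repeated searches are assumptions made for the illustration.

```python
import hashlib
import math


def birthday_bound(H, p=0.5):
    """n(p) from the report: evaluations needed for collision probability p when the
    function has H equally likely outputs. For p = 0.5 this is about 1.1774 * sqrt(H)."""
    return math.sqrt(2.0 * H * math.log(1.0 / (1.0 - p)))


def collision_probability(n, H):
    """p(n) ~ 1 - exp(-n(n-1)/(2H)), the Taylor-series approximation used in the report."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * H))


def truncated_hash(data, bits):
    """A toy function with H = 2**bits outputs: SHA-256 keeping only its leading bits."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits, salt=b""):
    """Evaluate the truncated hash on distinct inputs (salt || counter) until two collide.
    Returns (x1, x2, evaluations); the table `seen` is the space side of the space-time tradeoff."""
    seen = {}
    counter = 0
    while True:
        x = salt + counter.to_bytes(4, "big")
        h = truncated_hash(x, bits)
        if h in seen:
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1


def mean_evaluations(bits, runs=20):
    """Average collision cost over independent searches (different salts), for comparison
    with sqrt(2H ln 2) = 1.1774 sqrt(H), which is the median, and the slightly larger mean
    sqrt(pi H / 2) = 1.2533 sqrt(H)."""
    total = 0
    for r in range(runs):
        _, _, n = find_collision(bits, salt=b"run-%d-" % r)
        total += n
    return total / runs


if __name__ == "__main__":
    H = 2 ** 20
    print("n(0.5) for H = 2^20:", round(birthday_bound(H), 1))
    print("mean evaluations over 20 searches:", mean_evaluations(20))
```

Doubling the output length squares H, so the cost $1.2\sqrt{H}$ doubles in bits: that is the reason, stated above, for choosing a hash output about twice as long as the brute-force security level.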

23.2.8 MAN-IN-MIDDLE ATTACK

A Man-In-the-Middle attack (MITM) is an attack in which an attacker is able to read, insert, and modify at will messages between two parties without either party knowing that the link between them has been compromised. MITM is particularly applicable to the DH protocol when used without authentication. With the exception of the Interlock protocol, all cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of . Many key agreement methods with different security requirements for the secure channel have been developed. MITM may include one or more of,

• Eavesdropping, including traffic analysis and possibly a known-plaintext attack.
• Chosen-ciphertext attack, depending on what the receiver does with a message that it decrypts.
• Substitution attack.
• Relay attacks.
• Denial of service attacks.
• Phishing attacks.

MITM is typically used to refer to active manipulation of the messages, rather than passively eavesdropping.

Various defenses against MITM are based on public keys, stronger mutual authentication, secret keys, passwords, etc. MITM attacks are a potential problem in quantum cryptography as well. Hybrid protocols have been proposed to deal with it, especially for 3-stage quantum cryptography.

23.2.9 BRUTE FORCE ATTACK

A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but the scheme is set up in such a way that it would be computationally infeasible to carry out. Accordingly, one definition of "breaking" a cryptographic scheme is to find a method faster than a brute force attack. The selection of an appropriate key length depends on the practical feasibility of performing a brute force attack. By obfuscating the data to be encoded, brute force attacks are made less effective, as it is more difficult to determine when one has succeeded in breaking the code. In a brute force attack, the expected number of trials before the correct key is found is equal to half the size of the key space. For each trial of a candidate key the attacker needs to be able to recognize when he has found the correct key. The most straightforward way is to obtain a few corresponding plaintext and ciphertext pairs, that is, a known-plaintext attack. Alternatively, a ciphertext-only attack is possible by decrypting the ciphertext using each candidate key and testing the result for similarity to plaintext language. Though various physical limits have been argued about brute force, with the advent of high-performance and multicore processors the likelihood of success has increased. The most secure system against brute force is the one-time pad.

23.2.10 POWER ANALYSIS

Power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device. It can yield information about the working of the device and sometimes even some key material. It was introduced to the open world in 1998 by Paul Kocher, Joshua Jaffe, and Benjamin Jun. Generally, it is carried out by plotting the current consumption of the hardware against time. Power analysis does not seek to find weaknesses in algorithms or protocols so much as in their implementations; it provides a way to "see inside" otherwise 'tamperproof' hardware. Power analysis can most easily distinguish conditional branches in the execution of the cryptographic program, since a device does different things depending on which conditional branch is executed. As a defense, care should be taken to ensure that there are no observable differences between the conditional branches within cryptographic software implementations: all rotations, permutations, and logical operations should take the same time and draw equivalent power, no matter what the input. There are, however, some algorithms with inherently significant branching. To eliminate information leakage from these, the software design has to be considerably enhanced. An alternative, in some cases, is to use a hard-wired hardware cryptographic device. Another alternative involves algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. This is called blinding, and usually implies an algorithm that is based on number theory, such as factoring or discrete logarithms.

A variation of power analysis attack is Differential power analysis (DPA) method of attacking a cryptosystem, which exploits the varying power consumption of microprocessors while executing cryptographic program code. It is a side-channel attack that uses generally statistical analysis of the power consumption.

23.2.11 MOD N CRYPTANALYSIS

In cryptography, mod n cryptanalysis is an attack applicable to block and stream ciphers. It is a form of partitioning cryptanalysis, which exploits unevenness in how the cipher operates over equivalence classes modulo n. The method was first suggested in 1999 by John Kelsey, Bruce Schneier, and David Wagner and applied to RC5P and .

For example, in the mod 3 analysis of RC5P it was observed that the operations in the cipher, rotation and addition (both on 32-bit words), were somewhat biased over congruence classes mod 3. As an illustration, consider left rotation by a single bit,

$$X \lll 1 = \begin{cases} 2X, & X < 2^{31} \\ 2X + 1 - 2^{32}, & X \ge 2^{31} \end{cases}$$

Then, because $2^{32} \equiv 1 \pmod 3$, we can deduce that $X \lll 1 \equiv 2X \pmod 3$. Thus, left rotation by a single bit has a simple description modulo three. Analysis of the other operations (data-dependent rotation and modular addition) reveals similar, notable biases. Although there are some theoretical problems in analyzing the operations in combination, the bias can be detected experimentally for the entire cipher. Experiments were conducted up to seven rounds, and based on these the authors conjecture that as many as nineteen or twenty rounds of RC5P can be distinguished from random using this attack. There is also a corresponding method for recovering the secret.

23.2.11 XSL ATTACK

The XSL attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by and Josef Pieprzyk. It is claimed to have the potential to break the AES. The method is heuristic and very technical, and so it has proved difficult to evaluate its complexity. In addition, the method is expected to have a high work-factor. In overview, the XSL attack relies on first analyzing the internals of a cipher and deriving a system of quadratic simultaneous equations. A specialized algorithm, termed XSL (eXtended Sparse Linearization), is then applied to solve these equations and recover the key. The attack is notable for requiring only a handful of known plaintexts. The S-boxes of AES are very susceptible to this kind of attack. Serpent, , KHAZAD, MISTY-1, KASUMI,

Solving multivariate quadratic equations (MQ) is an NP-hard problem in general. The XSL attack requires an efficient algorithm for tackling MQ. In 1999, Kipnis and Shamir showed that the HFE scheme could be reduced to a system of overdefined quadratic equations, which could then be solved using relinearization. Relinearization is a technique where extra non-linear equations are added after linearization and the resultant system is solved by a second application of linearization. Relinearization proved general enough to be applicable to other schemes.

A variation called XL was proposed by Courtois et al. in 2000 for solving MQ, which increases the number of equations by multiplying them with all monomials of a certain degree. This scheme cannot work against AES due to the complexity it has.

Though XSL has now gained the status of showing certificational weakness, it is yet not accepted by everyone.


23.2.12 RUBBER-HOSE CRYPTANALYSIS

Rubber-hose cryptanalysis is a euphemism for the extraction of cryptographic secrets from a person by torture, in contrast to a mathematical or technical cryptanalytic attack. Although the term is flippant, its implications are not. In modern cryptosystems, human beings are often the weakest link. A direct attack on a cipher algorithm, or the cryptographic protocols used, will likely be much more expensive and difficult than targeting the users of the system. Thus, many cryptosystems and security systems are designed with special emphasis on keeping human vulnerability to a minimum, such as in key generation or key use, so that threats to operators or other personnel will be ineffective in breaking the system.

23.2.13 SIDE CHANNEL ATTACK

A side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms. For example, timing information, power consumption, TEMPEST, architectural side effects, electromagnetic leaks, or even sound can provide an extra source of information, which can be exploited to break the system. Many side-channel attacks require considerable technical knowledge of the internal operation of the system on which the cryptography is implemented. Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically called side-channel attacks.

23.2.14 BOOMERANG ATTACK

The boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner. The boomerang attack has allowed new avenues of attack for many ciphers previously deemed safe from differential cryptanalysis. Refinements on the boomerang attack have been published: the amplified boomerang attack, then the rectangle attack.

The boomerang attack is based on differential cryptanalysis. In differential cryptanalysis, an attacker exploits how differences in the input to a cipher (the plaintext) can affect the resultant difference at the output (the ciphertext). A high-probability "differential" (that is, an input difference that will produce a likely output difference) is needed that covers all, or nearly all, of the cipher. The boomerang attack allows differentials to be used which cover only part of the cipher.

The attack attempts to generate a so-called "quartet" structure at a point halfway through the cipher. For this purpose, say that the encryption action of the cipher, E, can be split into two consecutive stages, $E_0$ and $E_1$, so that $E(M) = E_1(E_0(M))$, where M is some plaintext message. Suppose we have two differentials for the two stages; assume,

* $\Delta \to \Delta^*$ for $E_0$, and

* $\nabla \to \nabla^*$ for $E_1^{-1}$.


The basic attack proceeds as follows,

• Choose a random plaintext $P$ and calculate $P' = P \oplus \Delta$.
• Request the encryptions of $P$ and $P'$ to obtain $C = E(P)$ and $C' = E(P')$.
• Calculate $D = C \oplus \nabla$ and $D' = C' \oplus \nabla$.
• Request the decryptions of $D$ and $D'$ to obtain $Q = E^{-1}(D)$ and $Q' = E^{-1}(D')$.
• Compare $Q$ and $Q'$; when the differentials hold, $Q \oplus Q' = \Delta$.

KASUMI, a block cipher used in 3GPP was broken by a related-key rectangle attack, which breaks the full eight rounds of the cipher faster than exhaustive search. Various other algorithms were also affected by the advent of boomerang attack.

23.2.15 MEET-IN-MIDDLE ATTACK

The Meet-in-the-middle attack is a cryptographic attack which, like the birthday attack, makes use of a space-time tradeoff. While the birthday attack attempts to find two values in the domain of a function that map to the same value in its range, the meet-in-the-middle attack attempts to find a value in each of the range and domain of the composition of two functions such that the forward mapping of one through the first function is the same as the inverse image of the other through the second function. Diffie and Hellman first developed it as an attack on an attempted expansion of a block cipher in 1977. When trying to improve the security of a block cipher, one might get the idea to simply use two independent keys to encrypt the data twice. Naively, one might think that this would double the security of the double-encryption scheme. Certainly, an exhaustive search of all possible combinations of keys would take $2^{2n}$ attempts if each key is n bits long, compared to the $2^n$ attempts required for a single key. Diffie and Hellman, however, devised a time-memory tradeoff that could break the scheme in only double the time needed to break the single-encryption scheme. The attack works by encrypting from one end and decrypting from the other end, thus meeting in the middle.

Assume the attacker knows a set of plaintext and ciphertext, P and C. That is,

$$C = E_{K_2}(E_{K_1}(P))$$

where $K_1$ and $K_2$ are the two keys. The attacker can then compute $E_K(P)$ for all possible keys K and store the results in memory. Afterwards he can compute $D_K(C)$ for each K and compare with the table in memory. If he gets a match, it is likely that he has discovered the two keys, and he can verify this with a second set of plaintext and ciphertext. If the key size is n, this attack uses only $2^{n+1}$ encryptions (and $O(2^n)$ space) in contrast to the naive attack, which needs $2^{2n}$ encryptions (but only O(1) space).

23.2.16 SLIDE ATTACK

Edna Grossman and Bryant Tuckerman in an IBM Technical Report originally published the idea of the in 1977. It is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. Grossman and Tuckerman demonstrated the attack on a weak block cipher named New Data Seal (NDS). David Wagner and coined the term slide attack in 1999.


The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher the slide attack works by analyzing the key schedule and exploiting weaknesses in it to break the cipher. The most common one is the key repeating in a cyclic manner. The only requirements for a slide attack to work on a cipher are that it can be broken down into multiple rounds of an identical F function. This probably means that it has a cyclic key schedule. The F function must be vulnerable to a known-plaintext attack. The slide attack is closely related to the related-key attack.

Assume the cipher takes n-bit blocks and has a key schedule using $K_1 \ldots K_m$ as keys of any length. The slide attack works by breaking the cipher up into identical permutation functions, F. This F function may consist of more than one round of the cipher; it is defined by the key schedule. For example, if a cipher uses an alternating key schedule where it switches between $K_1$ and $K_2$ for each round, the F function would consist of two rounds. Each of the $K_i$ will appear at least once in F.

The next step is to collect $2^{n/2}$ plaintext-ciphertext pairs. Depending on the characteristics of the cipher we may need fewer, but, by the birthday paradox, we expect to need no more than $2^{n/2}$. These pairs, denoted (P, C), are then used to find a slid pair, denoted (P0, C0), (P1, C1). A slid pair has the property that P0 = F(P1) and C0 = F(C1). Once we have identified a slid pair, the cipher is broken because of the vulnerability of F to known-plaintext attacks: the key can easily be extracted from this pairing. The slid pair can be thought of as what happens to a message after one application of the function F. It is 'slid' over one encryption round, and this is where the attack gets its name.

Figure 23.1 Schematic of sliding in the Slide Attack

The process of finding a slid pair is somewhat different for each cipher but follows the same basic scheme. One uses the fact that it is relatively easy to extract the key from just a single iteration of F. Any pair of plaintext-ciphertext pairs, (P0, C0)(P1, C1) is picked and is checked to see what the keys corresponding to P0 = F(P1) and C0 = F(C1) are. If these keys match, a slid pair is found, if not the next pair is tried.

With so many methods of cryptanalysis, which have come into the picture, it is becoming more and more difficult to ensure security from an algorithm but still some exist which are immune to these methods. In future, we need to change the whole idea of encryption and develop some new concepts, which are highly resistant to these methods of cryptanalysis.


DIFFERENTIAL & LINEAR CRYPTANALYSIS

24. DIFFERENTIAL CRYPTANALYSIS

Differential cryptanalysis is a potent cryptanalytic technique introduced by Biham and Shamir. It is designed for the study and attack of DES-like cryptosystems. It works on the principle that instead of saying "if this bit is 1 in the input, then that bit will be 0 (or 1) in the output", we say "changing this bit in the input changes (or does not change) that bit in the output". In fact, the complete pattern of which bits change and do not change in the input and in the output is the subject of differential cryptanalysis. The basic principle of differential cryptanalysis, in its classic form, is that the cipher being attacked has a characteristic if there exists a constant X such that, given many pairs of plaintexts A, B with B = A XOR X, and provided a certain statement is true about the key, E(B,k) = E(A,k) XOR Y holds for some constant Y with a probability somewhat above that given by random chance.

Generally, in cryptography, one refers to the message that is not encrypted as the plaintext, P, and to the message that is encrypted as the ciphertext, T or C. Also vitally important is the key K: it is with this information that one is supposed to decrypt T. The idea is that unless one has K, one cannot transform T into P (decryption). The whole system is called a cryptosystem, and the person who tries to break it is called a cryptanalyst, who is assumed to be familiar with the scheme under attack.

Differential cryptanalysis works by what is called a known plaintext attack. It takes plaintext blocks that the cryptanalyst knows and attempts to determine the nature of the encryption algorithm by encrypting them with a random key that the cryptanalyst pretends not to know. This is useful because if, for a large number of plaintexts, a certain behaviour of the algorithm can be determined, it helps to determine how changing the key affects the ciphertext, and so to guess bits of the key. That is how differential cryptanalysis works: by guessing bits of the key through various methods, until a brute force search on the remaining bits of the key becomes feasible and faster than other, more complex methods. One important note is that differential cryptanalysis always works with a pair of plaintexts or inputs, so that they may be compared; the inputs are always known. (Henceforth, the discussion is given in terms of DES but presented in a general manner.)

As a preliminary, we need certain formulas that justify focusing on the S boxes. Because the F function uses an expansion function E, if we wish to work with pairs of plaintexts we need a formula relating the outputs of E for two different inputs. It is E(X) .XOR. E(X*) = E(X .XOR. X*), where X and X* are the two inputs; X .XOR. X* is called the difference between them. Further, the F function also applies a permutation P, and two inputs to P are related by P(X) .XOR. P(X*) = P(X .XOR. X*).

Finally, a formula relating the XOR operation that connects the rounds is needed: (X .XOR. Y) .XOR. (X* .XOR. Y*) = (X .XOR. X*) .XOR. (Y .XOR. Y*), where Y and Y* are inputs like X and X*. The reason for these formulas is that they let us focus on the most important and most controversial part of the DES scheme, the S boxes. The S boxes are controversial because of the seeming arbitrariness in how they were chosen; however, it is precisely the choice of the S boxes that provides the security of DES. As the formulas above show, the rest of the DES round function is not hard to analyse: it comes down to several simple XOR operations.

Differential cryptanalysis begins by making what is called a difference distribution table for each S box. This table is a chart of input XOR against output XOR, recording how many input pairs exist for each combination. An input XOR is the XOR of two (known) inputs to the S box: if we take two known plaintexts, say A and A*, their difference is defined to be A .XOR. A*. Similarly, for two outputs of the S box, the output XOR is defined to be the XOR of those two outputs.

If we denote some input XOR as X and some output XOR as Y, we say that X may cause Y by the S box if there is some pair of inputs for which the input XOR = X and the output XOR = Y for that particular S box. If there is no such pair of inputs to the S box, we say that X may not cause Y by the S box.

In the case of DES, the table has 16 columns, one for each possible output XOR, and 64 rows, one for each possible input XOR. The entries in the table are the numbers of input pairs with the corresponding input XOR and output XOR. Thus if X may cause Y by the S box, the (X, Y) location of the table holds some number greater than 0; if X may not cause Y by the S box, the (X, Y) location of the difference distribution table holds 0.

Finally, in dealing with difference distribution tables, we say that X may cause Y with probability p by an S box "if for a fraction p of the pairs in which the input XOR of the S box equals X, the output XOR equals Y."

The reason the difference distribution tables of the S boxes are important is that they allow us to find "possible input and output values of pairs given their input and output XOR." Thus, knowing only the difference between two inputs and the difference between their outputs, we can narrow down what the two inputs are. The table is most useful when the entry for some input XOR and output XOR is 2, since the two pairs are duals of each other (the same pair with the order reversed, X, X* and X*, X), so the inputs are determined uniquely up to order.
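The difference distribution table and the pair lookup it supports, computed for a 4-bit S-box, as an added example that is not from the report: the S-box is the first row of DES S-box S1 (the one Heys' tutorial, reference 1, also uses), and the function names are my own. It also checks the XOR-linearity formulas given earlier for a bit permutation, and shows that the S-box does not satisfy them, which is why the S-boxes are the interesting part of the round.

```python
# 4-bit S-box: first row of DES S-box S1 (the same S-box Heys' tutorial uses).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def difference_distribution_table(sbox):
    """Rows: input XOR dx; columns: output XOR dy; entry: number of inputs x with
    S(x) XOR S(x XOR dx) == dy.  Every row sums to 16, and row 0 is all in column 0."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            dy = sbox[x] ^ sbox[x ^ dx]
            table[dx][dy] += 1
    return table


def differential_probability(sbox, dx, dy):
    """Fraction p of the input pairs with input XOR dx whose output XOR is dy,
    i.e. 'dx may cause dy with probability p'."""
    return difference_distribution_table(sbox)[dx][dy] / len(sbox)


def best_differential(sbox):
    """Most probable non-trivial differential (dx != 0), returned as (count, dx, dy):
    the designer's worst case for this S-box."""
    table = difference_distribution_table(sbox)
    n = len(sbox)
    return max((table[dx][dy], dx, dy) for dx in range(1, n) for dy in range(n))


def pairs_causing(sbox, dx, dy):
    """All (x, x*) with x XOR x* == dx and S(x) XOR S(x*) == dy: the 'possible
    input values of pairs given their input and output XOR'."""
    return sorted((x, x ^ dx) for x in range(len(sbox)) if sbox[x] ^ sbox[x ^ dx] == dy)


def bit_permute(x, perm, width=4):
    """Output bit j = input bit perm[j]; a bit permutation like the P of DES."""
    return sum(((x >> perm[j]) & 1) << j for j in range(width))


def is_xor_linear(f, width=4):
    """Check f(x) XOR f(y) == f(x XOR y) for every pair of inputs: this is the
    property E and P have (so their differences pass straight through) and an
    S-box must not have."""
    n = 1 << width
    return all(f(x) ^ f(y) == f(x ^ y) for x in range(n) for y in range(n))


if __name__ == "__main__":
    for dx, row in enumerate(difference_distribution_table(SBOX)):
        print(f"{dx:x}: " + " ".join(f"{c:2d}" for c in row))
    count, dx, dy = best_differential(SBOX)
    print(f"best differential: dx={dx:x} -> dy={dy:x} with p = {count}/16")
    print("pairs for dx=4, dy=6:", pairs_causing(SBOX, 0x4, 0x6))
    print("P is XOR-linear:", is_xor_linear(lambda x: bit_permute(x, [1, 2, 3, 0])))
    print("S is XOR-linear:", is_xor_linear(lambda x: SBOX[x]))
```

A designer reads the table the same way the cryptanalyst does: the largest entry outside row 0 bounds the best one-round differential probability, so an S-box with a small maximum entry (and no entry of 16 outside row 0) is what a good design aims for.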

Since the S boxes can now be analysed through pairs of plaintexts, it makes sense to extend this to the entire F function, where the subkey is another vector of bits entering the F function. The definition is the same as before, only applied to the entire F function instead of a single S box. This gives a tool to determine some bits of the subkey used in the F function: where an entry in the table corresponds to only one pair of inputs and its dual, some bits of the subkey used in that F function can be determined. Once a bit of the subkey is known, a bit of the entire 56-bit key (in the case of DES) can be determined simply by going backwards through the key selection algorithm. It is because of this ability to determine bits of the key that differential cryptanalysis is a powerful technique, especially for a small number of rounds.


An important lemma shows just how important the S boxes are to the security of DES. While one can use the difference distribution tables to determine the probability p that X may cause Y by an S box, one needs some way to determine the probability p that X may cause Y by the F function. The lemma is:

In DES, if X may cause Y with probability p by the F function, then every fixed input pair Z, Z* with X = Z .XOR. Z* causes the F function output XOR to be Y for the same fraction p of the possible subkey values.

Finding the key is done in several steps. First, choose an appropriate plaintext XOR, that is, choose what the difference between two plaintexts will be, without necessarily deciding upon the two plaintexts themselves. From the difference chosen, create an appropriate number of plaintext pairs with that plaintext XOR. Encrypt the plaintexts and keep the ciphertext pairs. For each ciphertext pair kept, compute from the plaintext XOR the expected output XOR of as many S boxes in the last round as possible. For each possible key value, count the number of pairs that result in the expected output XOR when that key value is used in the last round. The correct key value is the one suggested by all the pairs. As one can probably tell, the amount of information obtained depends on how many rounds DES or a similar algorithm uses: for a many-round version, less information can be obtained, making analysis more difficult.

To summarize what has been presented about differential cryptanalysis so far, a brief formal description follows.

Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher. For example,

consider a system with input X = [X1, X2, ..., Xn] and output Y = [Y1, Y2, ..., Yn]. Let two inputs to the system be X′ and X″ with the corresponding outputs Y′ and Y″, respectively. The input difference is given by ΔX = X′ ⊕ X″, where "⊕" represents a bit-wise exclusive-OR of the n-bit vectors; hence ΔX = [ΔX1, ΔX2, ..., ΔXn], where ΔXi = Xi′ ⊕ Xi″ with Xi′ and Xi″ representing the i-th bit of X′ and X″, respectively. Similarly, ΔY = Y′ ⊕ Y″ is the output difference and ΔY = [ΔY1, ΔY2, ..., ΔYn], where ΔYi = Yi′ ⊕ Yi″.

In an ideally randomizing cipher, the probability that a particular output difference ΔY occurs given a particular input difference ΔX is 1/2^n, where n is the number of bits of X. Differential cryptanalysis seeks to exploit a scenario where a particular ΔY occurs given a particular input difference ΔX with a very high probability pD (i.e., much greater than 1/2^n). The pair (ΔX, ΔY) is referred to as a differential.

This was a brief review of differential cryptanalysis; the details can be found in the references.


25. LINEAR CRYPTANALYSIS

Linear cryptanalysis is a different but related technique. Instead of looking for isolated points at which a block cipher behaves like something simpler, it tries to create a simpler approximation to the block cipher as a whole. For a great many plaintext-ciphertext pairs, the key that would produce that pair from the simplified cipher is found, and the key bits that tend to be favoured are likely to have the value of the corresponding bits of the real cipher's key. The principle is a bit like summing many one-dimensional scans to produce a two-dimensional slice through an object in computer-assisted tomography.

Linear cryptanalysis tries to take advantage of high probability occurrences of linear expressions involving plaintext bits, "ciphertext" bits (actually bits from the output of the second-last round) and subkey bits. It is a known plaintext attack: it is premised on the attacker having a set of plaintexts and the corresponding ciphertexts, but with no way to select which plaintexts (and corresponding ciphertexts) are available. In many applications and scenarios it is reasonable to assume that the attacker has knowledge of a random set of plaintexts and the corresponding ciphertexts.

The basic idea is to approximate the operation of a portion of the cipher with an expression that is linear where the linearity refers to a mod-2 bit-wise operation (i.e., XOR denoted by "⊕"). Such an expression is of the form,

Xi1 ⊕ Xi2 ⊕ ... ⊕ Xiu ⊕ Yj1 ⊕ Yj2 ⊕ ... ⊕ Yjv = 0, where Xi represents the i-th bit of the input X = [X1, X2, ...] and Yj represents the j-th bit of the output Y = [Y1, Y2, ...]. This equation represents the exclusive-OR "sum" of u input bits and v output bits.

The approach in linear cryptanalysis is to determine expressions of the form above that have a high or low probability of occurrence. (No obvious linearity such as the above should hold for all input and output values, or the cipher would be trivially weak.) If a cipher displays a tendency for such an equation to hold with high probability, or to fail with high probability, this is evidence of the cipher's poor randomization. If values for the u + v bits were randomly selected and placed into the equation above, the probability that the expression holds would be exactly 1/2. It is the deviation, or bias, from this probability of 1/2 that is exploited in linear cryptanalysis: the further a linear expression is from holding with probability 1/2, the better the cryptanalyst is able to apply linear cryptanalysis. The amount by which the probability of a linear expression holding deviates from 1/2 is referred to as the linear probability bias. Hence, if the expression above holds with probability pL for randomly chosen plaintexts and the corresponding ciphertexts, the probability bias is pL – 1/2. The higher the magnitude of the probability bias, |pL – 1/2|, the better the applicability of linear cryptanalysis, with fewer known plaintexts required in the attack.
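The linear probability bias, computed for every input/output mask pair of a 4-bit S-box, as an added example that is not from the report: the S-box is the first row of DES S-box S1 (the same one used in Heys' tutorial, reference 1), a mask selects which Xi and Yj enter the expression, and the function names are mine. The table it builds is the linear approximation table a designer uses to bound the best one-round bias of a candidate S-box.

```python
# 4-bit S-box: first row of DES S-box S1 (the same S-box Heys' tutorial uses).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v):
    """XOR of all bits of v, i.e. the mod-2 sum of the selected bits."""
    return bin(v).count("1") & 1


def linear_approximation_count(sbox, in_mask, out_mask):
    """Number of inputs x for which the XOR-sum of the input bits selected by
    in_mask equals the XOR-sum of the output bits selected by out_mask, i.e.
    for which (selected Xi) XOR (selected Yj) = 0 holds."""
    return sum(parity(x & in_mask) == parity(sbox[x] & out_mask) for x in range(len(sbox)))


def linear_bias(sbox, in_mask, out_mask):
    """pL - 1/2 for the expression selected by the two masks."""
    return linear_approximation_count(sbox, in_mask, out_mask) / len(sbox) - 0.5


def linear_approximation_table(sbox):
    """Entry [a][b] = count - 8 (for a 4-bit box): 0 means the expression holds
    exactly half the time; +8 at [0][0] is the trivial always-true expression."""
    n = len(sbox)
    return [[linear_approximation_count(sbox, a, b) - n // 2 for b in range(n)]
            for a in range(n)]


def best_linear_approximation(sbox):
    """Non-trivial approximation (both masks non-zero) with the largest |bias|,
    returned as (|bias|, in_mask, out_mask)."""
    n = len(sbox)
    return max((abs(linear_bias(sbox, a, b)), a, b)
               for a in range(1, n) for b in range(1, n))


def mask_to_bits(mask, width=4, name="X"):
    """Render a mask in the bit numbering used in the text, X1 being the most
    significant bit, e.g. mask 0b0110 -> 'X2 ⊕ X3'."""
    return " ⊕ ".join(f"{name}{width - i}"
                      for i in reversed(range(width)) if (mask >> i) & 1)


if __name__ == "__main__":
    for a, row in enumerate(linear_approximation_table(SBOX)):
        print(f"{a:x}: " + " ".join(f"{c:+3d}" for c in row))
    for a, b in ((0x6, 0xB), (0x4, 0x5)):
        c = linear_approximation_count(SBOX, a, b)
        print(f"{mask_to_bits(a)} ⊕ {mask_to_bits(b, name='Y')} = 0 holds "
              f"{c}/16 of the time, bias {linear_bias(SBOX, a, b):+.3f}")
    bias, a, b = best_linear_approximation(SBOX)
    print(f"largest |bias| = {bias} at in_mask={a:x}, out_mask={b:x}")
```

Rows with a = 0 and b ≠ 0 are always exactly balanced for a bijective S-box, so the interesting entries are those with both masks non-zero; the designer wants the largest of them as small as the box size allows.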

This was a brief review of linear cryptanalysis; the details can be found in the references.


CONCLUSION & FUTURE APPLICATION

26. CONCLUSION

There is a place for both symmetric and public-key algorithms in modern cryptography. Hybrid cryptosystems successfully combine aspects of both and seem to be secure and fast. Though both domains of cryptography are important, one cannot deny that symmetric encryption is the starting point of cryptography, and in the near future the need for better symmetric cryptosystems will arise. This also applies to cryptanalysis.

With the coming of Shor's algorithm and the everyday advent of better computer systems, it will not be long before the existing cryptosystems are broken. Differential and linear cryptanalysis are growing stronger day by day, and newer methods of attack are coming into the picture. One cannot argue that a particular existing cryptosystem is actually secure; at least none has yet been proved so, be it AES or ANUBIS.

Apart from security, computational efficiency is equally important. Efficiency is curbed by the heavily mathematical structures of the algorithms.

The report provides a tour of the most popular cryptographic algorithms and various design issues. It also outlines the attacks made on existing cryptosystems and introduces the names of the people involved. In all, the report provides a starting point for anyone who wants to design the next cryptosystem.

Lastly, an incredibly strong algorithm is not sufficient. For a system to be effective there must be effective management protocols involved, but that is out of scope for this report, which follows the ideology,

“Given the best lock in the world, if one does not lock the door, who can stop the thieves?”

27. FUTURE APPLICATION

"The most effective door opening tool in any burglar’s toolkit remains the crowbar."

Loaded with the key issues of designing a symmetric cryptosystem based on a Feistel network, the next step is to design a cryptosystem that may serve well for a long time in the future, as DES has done. The basic needs from the next cryptosystem are efficiency and a high level of security: it must be safe from current attacks as well as robust enough to escape future ones.

Elliptic curves and quadratic curves are the next stop; tied with the concepts discussed in this report, they will provide the basis for the design of future cryptosystems. Though quantum cryptography and related algorithms are also a good option, their realization is still far in the future.

“By the time privacy is required, cryptosystems will remain alive, and as everything changes with time, they will change too.”


IV. REFERENCES

The list of references used in this section is provided here. Some of the references are not generally available and can be found only on certain organizations' websites; if the reader is unable to trace them, the author of the report can be contacted freely. Where possible, the contact of the original authors whose work has been referenced is provided.

1. Howard M. Heys, “A Tutorial on Linear and Differential Cryptanalysis”

2. Cetin Kaya Koc, “Differential Cryptanalysis,” Lecture Notes, Oregon State University

3. “Differential Cryptanalysis,” Tutorial (http://home.earthlink.net/~mylnir/)

4. “Extensions of Differential Cryptanalysis,” Tutorial (http://www.quadibloc.com/crypto/)

5. Terry Ritter, “Differential Cryptanalysis: A Literature Survey” (http://www.ciphersbyritter.com/)

6. Wikipedia has been used as a reference throughout this section of the report; a major part of the cryptanalysis material has been taken from it. (http://en.wikipedia.com)

Apart from the references mentioned, “SAC '96 Presented Papers” and the RSA Labs website were also referred to in the report. Chapter seven of J. Daemen's PhD thesis was also used in some parts of SECTION THREE. Google Scholar and Google search were also useful in providing various definitions, which were later referred to in the report. (Details of these are not provided, as the contribution was minor. For details, the author of the report can be contacted.)


Documentation Sheet

National Aerospace Laboratories
Class: Unrestricted
No. of copies: 8
Title: A Report On Block Ciphers (Literature Survey)
Author/s: Anuj Prateek*, R Guruprasad
Division: Knowledge and Technology Management Division
NAL Project No.: Q-8-301
Document No.: PD KT 06 11
Date of issue: Oct. 2006
Contents: 113 Pages, 20 Figures, 4 Tables, 29 References
External Participation: *BITS, Pilani
Sponsor: NIL
Approval: Head, KTMD
Remarks:
Keywords: Evolution, Good Cipher Characteristics, Product Ciphers, Feistel Network, S-Box, LUCIFER, DES, IDEA, CAST, LOKI97, SERPENT, DEAL, MARS, SQUARE, AES, ANUBIS, CMEA, PHELIX, TIGER, Cryptanalysis, Differential & Linear Cryptanalysis

Abstract: This document is a literature survey of block ciphers, especially those based on the Feistel network, presented in the form of a report. It concentrates on providing a starting point for designing strong, secure and efficient cryptosystems. Various design issues and algorithms are described in the report, and the various forms of cryptanalysis are also described. The report also describes the key players in the design of block ciphers in detail. We are sure that it will prove to be excellent reference material for anyone who wants to design a Feistel-network-based block cipher, or who is interested in working in the area of cryptography and cryptanalysis.