Block Ciphers: DES, AES
Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04
Textbook: —Cryptography: Theory and Applications“,
Douglas Stinson, Chapman & Hall/CRC Press, 2002
Reading: Chapter 3
Outline
n Substitution-Permutation Networks
n Linear Cryptanalysis
n Differential Cryptanalysis
n DES
n AES
n Modes of Operation
CSG252 Classical Cryptography 2
Block Ciphers
n Typical design approach: n Product cipher: substitutions and permutations
n Leading to a non-idempotent cipher n Iteration:
n Nr: number of rounds → 1 2 Nr n Key schedule: k k , k , …, k , n Subkeys derived according to publicly known algorithm i n w : state n Round function r r-1 r n w = g(w , k ) 0 n w : plaintext x n Required property of g: ? n Encryption and Decryption sequence
CSG252 Classical Cryptography 3
1 SPN: Substitution Permutation Networks
n SPN: special type of iterated cipher (w/ small change) n Block length: l x m
n x = x(1) || x(2) || … || x(m) n x(i) = (x(i-1)l+1, …, xil) n Components: π l → l n Substitution cipher s: {0, 1} {0, 1} π → n Permutation cipher (S-box) P: {1, …, lm} {1, …, lm} n Outline: n Iterate Nr times: m substitutions; 1 permutation; ⊕ sub-key; n Definition of SPN cryptosytems: n P = ?; C = ?; K ⊆ ?; n Algorithm: n Designed to allow decryption using the same algorithm n What are the parameters of the decryption algorithm?
CSG252 Classical Cryptography 4
SPN: Example
n l = m = 4; Nr = 4; n Key schedule:
n k: (k1, …, k32) 32 bits r n k : (k4r-3, …, k4r+12)
z 0 1 2 3 4 5 6 7 8 9 A B C D E F π S(z) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
z 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 π P(z) 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16
n K = 0011 1010 1001 0100 1101 0110 0011 1111 n x = 0010 0110 1011 0111 n y = 1011 1100 1101 0110
CSG252 Classical Cryptography 5
Linear Cryptanalysis
n Assumption: n Assume there exists a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the last substitution n Attacker has a large amount of plaintext-ciphertext encrypted using the same key n Principle: n Consider a set of potential sub-keys, whenever a sub- key verifies the linear relation, increment its counter n The sub-key best matching probability could contain the correct values of key bits
CSG252 Classical Cryptography 6
2 Piling-up Lemma
n Given:
n X1, X2, … independent random variables ≤ ≤ n Pr[Xi=0] = pi ; Pr[Xi=1] = 1-pi; 0 pi 1 ε n Let i = pi - ² denote the bias of the distribution
n Piling-up Lemma: ε ⊕ ⊕ n Let i1,i2,…,ik denote the bias of the random variable Xi1 Xi2 … ⊕ k Xik. Then: ε = k −1 ε i1,i2,...,ik 2 ∏ ij j=1
n Corollary: ε ε n If ij= 0 for one variable Ω i1,i2,…,ik =0
CSG252 Classical Cryptography 7
Linear Approximations of S-boxes
n S-box: Π m → n n S: {0, 1} {0, 1} n Input:
n X = (x1, …, xm)
n Each coordinate defines a random variable Xi with bias 0 n Variables Xis are independent n Output:
n Y = (y1, …, yn) n Variables Yis are not independent from each other and Xis ≠ Π n If (y1, …, yn) S(x1, …, xm) Ω Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? Π n If (y1, …, yn) = S(x1, …, xm) Ω Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? ⊕ ⊕ ⊕ ⊕ ⊕ n Therefore: one can compute the bias of: Xi1 … Xik Yj1 … Yjl
CSG252 Classical Cryptography 8
Example Π S Table
X1 X2 X3 X4 Y1 Y2 Y3 Y4 ⊕ ⊕ 0 0 0 0 1 1 1 0 • Pr[X1 X4 Y2=0]= ? ⊕ ⊕ ⊕ 0 0 0 1 0 1 0 0 • Pr[X3 X4 Y1 Y4=0]= ? 0 0 1 0 1 1 0 1 • In general one computes the 0 0 1 1 0 0 0 1 biases for all possible subsets: 0 1 0 0 0 0 1 0 4 4 0 1 0 1 1 1 1 1 ⊕ ⊕ ⊕ 0 1 1 0 1 0 1 1 ( ai X i ) ( biYi ) i=1 i=1 0 1 1 1 1 0 0 0 • Derive a table (a, b) Ω Number of 1 0 0 0 0 0 1 1 1 0 0 1 1 0 1 0 times we get a 0: NL(a, b) Entry for a=3, b=9: 2 1 0 1 0 0 1 1 0 ε 1 0 1 1 1 1 0 0 Bias (a, b) = (NL(a, b)-8)/16 1 1 0 0 0 1 0 1 1 1 0 1 1 0 0 1 NL(3, 9) = 2 1 1 1 0 0 0 0 0 NL(2, E) = 2 1 1 1 1 0 1 1 1
CSG252 Classical Cryptography 9
3 Linear Attack on SPN
n Approach:
n Find a set of linear approximations of S-boxes that can be used to derive a linear approximation of the SPN (excluding the last round)
n Derive the bias value using pilling-up lemma
n This linear approximation depends on some subset of the key bits
n For each possible pair (plaintext, ciphertext), and each key increment the counter of the subkey if the approximation equation gives a 0
n Hopefully the correct value for sub-keys will have the expected bias
CSG252 Classical Cryptography 10
Example
n Approximation equations: = 1 ⊕ 1 ⊕ 1 ⊕ 1 T1 U5 U 7 U8 V6 n T1 has bias ³ = 2 ⊕ 2 ⊕ 2 n T2 has bias -³ T2 U6 V6 V8 n T3 has bias -³ = 3 ⊕ 3 ⊕ 3 T3 U6 V6 V8 n T has bias -1/4 4 = 3 ⊕ 3 ⊕ 3 T4 U14 V14 V16
n If T1, T2, T3, T4, were independentthen the bias of ⊕ ⊕ ⊕ n T1 T2 T3 T4 would be -1/32 n We will make this non-rigorous approximations, because it seems to work in practice
⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 1 ⊕ 1 n T1 T2 T3 T4 = X5 X7 X8 V 6 V 8 V 14 V 16 K 5 K 7 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ K 8 K 6 K 6 K 14 = X5 X7 X8 U 6 U 14 U 8 U 16 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16
CSG252 Classical Cryptography 11
x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y
4 Example (Cont.)
n If the key bits in: 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16 are fixed n Then the random variable: ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ± n X5 X7 X8 U 6 U 14 U 8 U 16 has bias 1/32 n This allows us to derive 8 bits for last subkey: 5 5 n K (2) and K (2) n Outline of alg: 5 5 n Build a table for all possible 256 values of K (2) and K (4) n For each (x, y) pair of plaintext and ciphertext; for each candidate subkey: u4 u4 n Obtain the values of (2) and (4) by decrypting y ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n Compute x5 x7 x8 u 6 u 14 u 8 u 16 5 5 n If equal 0 : increment counter of corresponding K (2) and K (2) 5 n The table entry that has bias close to 1/32 is the right value for K (2) 5 and K (2)
CSG252 Classical Cryptography 13
Requirements for Linear Cryptanalysis
n A bias of ε requires: -2 n T = cε pairs of plaintext-ciphertext
n For the previous example T = 8000 was usually successful Ω c ≈ 8
CSG252 Classical Cryptography 14
Differential Cryptanalysis
n Similar to Linear Cryptanalysis: n Compares the x-or of two inputs to the x-or of the corresponding two outputs: x‘ = x⊕x* and y‘ = y⊕y* n Adversary has a large number of chosen plaintext tuples (x, x*, y, y*) s.t. x‘ is fixed n Approach: n For each candidate key: decrypt y, and y* n For each candidate key: compute the values of certain state bits n If the state bits match the most likely value for the input x-or then increment the candidate key counter
n Proposed Encryption Standard (PES) which is the original proposal for the International Data Encryption Standard (IDEA used in PGP) was modified to resist to this kind of attacks
n GSM A3 algorithm is sensitive to this kind of attacks n SIM card secret key can be recovred=> GSM cloning
CSG252 Classical Cryptography 15
5 Differential Cryptanalysis
n ∆(x‘) = {(x, x⊕x‘) : x ∈ {0, 1}m } ∈ ∆ Π ⊕ Π n ND(x‘, y‘) = |{ (x, x*) (x‘) : S(x) S(x*) = y‘}| n Similarly to Linear cryptanalysis build the table: N (a, b) D N (a',b') n Define propagation ratio: R (a',b') = D p 2m
n Differential Trail: n Is multi-round combination n Permutations and key XORs do not impact the differential n Sub-key recovery and filtering n Example:
n Rp(1011, 0010) = ²; Rp(0100, 0110) = 3/8; Rp(0010, 0101) = 3/8; Rp(0010, 0101) = 3/8 n Propagation ratio of differential trail: 27/1024 n Complete attack requires between 50 and 100 tuples to find sub-key
CSG252 Classical Cryptography 16
x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y
Today‘s Block Encryption Algorithms
n Key size: n Two short => easy to guess n Block size: n Two short easy to build a table by the attacker: (plaintext, ciphertext) n Reasonable size: 64 bits n Properties: n One-to-one mapping n Mapping should look random to someone who doesn‘t have the key n Efficient to compute/reverse n How? n Substitution (small chunks) & permutation (long chunks) n Multiple rounds
CSG252 Classical Cryptography 18
6 Data Encryption Standard (DES)
n Developed by IBM for the US government
n Based on Lucifer (64-bits, 128-bits key in 1971)
n To respond to the National Bureau of Standards CFP (now called NIST)
n Modified characteristics (with help from NSA):
n 64-bits block size, 56 bits key length
n Concerns about trapdoors, key size, sbox structure
n Adopted in 1977 as the DES (FIPS PUB 46, ANSI X3.92) and reaffirmed in 1994 for 5 more years
n Today replaced by AES
CSG252 Classical Cryptography 19
Plaintext: 64 IP 32 32
L 0 R0 48 f K1 Feistel Cipher:
L1 = R0 R = L ⊕ f(R , K ) 1 0 0 1 Li = Ri-1 ⊕ Ri = Li-1 f(Ri-1, Ki) f K2
⊕ L2 = R1 R2 = L1 f(R1, K2)
⊕ L15 = R14 R15 = L14 f(R14, K15)
f K16
⊕ L = R R16 = L15 f(R15, K16) 16 15
IP-1 Ciphertext
Feistel Cipher
n Function f does not have to be injective!
n Li = Ri-1 ⊕ n Ri = Li-1 f(Ri-1, Ki)
n How can we invert one round?
CSG252 Classical Cryptography 21
7 One DES Round
Key (56 bits) 28 28 L Shift Shift i-1 Ri-1 32 32 Compression Permutation Expansion Permutation 48 48
S-Box Substitution
P-Box Permutation
Key (56 bits)
⊕ Li = Ri-1 Ri = Li-1 f(Ri-1, Ki)
CSG252 Classical Cryptography 22
S-Box Substitution
48-Bit Input
S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 6 S-Box 7 S-Box 8
32-Bit Output
n S-Box heart of DES security n S-Box: 4x16 entry table
n Input 6 bits: b1b2b3b4b5b6 n 2 bits (b1b6): determine the table row (1-4) n 4 bits (b2b3b4b5): determine the table entry n Output: 4 bits
n Example: S1(101000) = 1101 n S-Boxes are optimized against Differential cryptanalysis
CSG252 Classical Cryptography 23
Double/Triple DES
K1 K2 n Double DES P X C E E n Vulnerable to Meet-in-the-
Middle Attack [DH77] K2 K1 C X P D D
K1 K2 K1 n Triple DES P A B C E D E n Used two keys K1 and K2
n Compatible with simple DES K1 K2 K1 (K1=K2) C A B E D E D n Used in ISO 8732, PEM
CSG252 Classical Cryptography 24
8 DES Linear/Differential Cryptanalysis
n Differential cryptanalysis
n —Rediscovered“ by E. Biham & A. Shamir in 1990
n Based on a chosen-plaintext attack:
n Analyse the difference between the ciphertexts of two plaintexts which have a known fixed difference
n The analysis provides information on the key
n 8-round DES broken with 214 chosen plaintext and complexity 29
n 16-round DES requires 247 chosen plaintext and complexity 237
n DES design took into account this kind of attacks n Linear cryptanalysis
n Uses linear approximations of the DES cipher (M. Matsui 1993)
n Applied to DES: 43 n Requires 2 known plaintext encrypted with the same key
n Time: 40 days to generate the pairs, 10 days to find the key
CSG252 Classical Cryptography 25
Breaking DES
n Electronic Frontier Foundation built a —DES Cracking Machine“ [1998] n Attack: brute force n Inputs: two ciphertext n Architecture:
n PC
n Array of custom chips that can compute DES 24search units/chip x 64chips/board x 27 boards n Power:
n Searches 92 billion keys per second
n Takes 4.5 days for half the key space
n Successfully broke —DES Challenge II-2“ in 56 hours n Cost:
n $130‘000 (all the material: chips, boards, cooling, PC etc.)
n $80‘000 (development from scratch)
CSG252 Classical Cryptography 26
The Advanced Encryption Standard (AES) http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf
n AES = Rijndael n Designed by Rijmen-Daemen (Belgium) n Key size: 128/192/256 bit n Block size: 128 bits of data n Properties: iterativerather than Feistelcipher n Treats data in 4 groups of 4 bytes n Operates on an entire block in every round n Designed to be: n Resistant against known attacks n Speed and code compactness on many CPUs n Design simplicity
CSG252 Classical Cryptography 27
9 AES Outline
n Algorithm: 1. Initialize State ← x ⊕ RoundKey; 2. For each of the Nr-1 rounds: 1. SubBytes(State); 2. ShiftRows(State); 3. MixColumns(State); 4. AddRoundKey(State); 3. Last round: 1. SubBytes(State); 2. ShiftRows(State); 3. AddRoundKey(State); 4. Output y ← State
CSG252 Classical Cryptography 28
Finite Fields - Break
n GF(2) = Z2 n ∈ n GF(2 ) = { (an-1, …, a1, a0) | ai GF(2) } n Addition can be carried out bit by bit
n Multiplication mod a primitive polynomial n n Generation of GF(2 ): done by polynomial modulo a primitive polynomial of degree n, m(x) n Elements of GF(2) can be represented as a polynomial (an-1, …, a1, a0) = a(x) ≡ n-1 an-1x + . . . + a1x + a0 mod m(x) n n Textbook Notation: F2 = Z2[x]/m(x) 8 4 3 n AES uses n=8, and m(x) = x +x +x +x+1
CSG252 Classical Cryptography 29
Primitive Polynomial
n A polynomial f(x) over a field Q is said to be irreducible if f(x) cannot be factored over Q
n A polynomial f(x) over a field Q is said to be primitive if every root of f(x) generates the extension field
n Over GF(2) a polynomial is primitive if the smallest k for which f(x) divides xk+1 is k = 2n-1
n Example. 4 3 2 n f(x) = x +x +x +x+1 over GF(2) f(x) is irreducible but not primitive 4 n g(x) = x + x+1 g(x) is primitive
CSG252 Classical Cryptography 30
10 Test Irreducibility
n To show x8+x4+x3+x+1 is irreducible:
n If the number of terms is odd over GF(2), then it cannot be divisible by x+1 2 n Try dividing by polynomials of degree 2, x + x + 1 3 3 2 n Try polynomials of degree 3, x +x+1 and x +x +1 4 3 2 4 3 n Try polynomials of degree 4, x +x +x +x+1, x +x +1, x4+x2+1, x4+x+1
n Do not require any more testing beyond degree 4
CSG252 Classical Cryptography 31
Test Primitivity
n To show x4+x3+x2+x+1 is not primitive: n Take α to be a root of the polynomial, that is, α 4 = α3 + α2 + α + 1 5 4 3 2 3 2 3 2 n α = α + α + α + α = α + α + α + 1 + α + α + α = 1 n To show x8+x4+x3+x+1 is primitive n Take α to be a root of the polynomial, that is, α 8 = α4 + α3 + α + 1 (00011011)=(1b) 9 5 4 2 n α = α + α + α + α (00110110)=(36) 12 7 5 3 n α = α + α + α + α + 1 (10101011)=(ab)
CSG252 Classical Cryptography 32
Multiplication in GF(28)
n α 9 ∗ α 12 = α 9+12 = α 21 mod 127
n (36) ∗ (ab) = (00110110) ∗ (10101011) = 11110010
CSG252 Classical Cryptography 33
11 AES (Continued)
n State: 16 bytes structured in a array
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
8 n Each byte is seen as an element of F28=GF(2 ) n F28 finite field of 256 elements n Operations
n Elements of F28 are viewed as polynomials of degree 7 with coefficients {0, 1} n Addition: polynomials addition Ω XOR n Multiplication: polynomials multiplication modulo x8+ x4+ x3+x+1
CSG252 Classical Cryptography 34
SubBytes
Input: a = (a7 a6 a5 a4 a3 a2 a1 a0) Output: b = (b7 b6 b5 b4 b3 b2 b1 b0) If a ≠ 0 then a ← a-1;
»b0 ÿ »1 0 0 0 1 1 1 1ÿ»a0 ÿ »1ÿ … Ÿ … Ÿ… Ÿ … Ÿ …b1 Ÿ …1 1 0 0 0 1 1 1Ÿ…a1 Ÿ …1Ÿ …b Ÿ …1 1 1 0 0 0 1 1Ÿ…a Ÿ …0Ÿ … 2 Ÿ … Ÿ… 2 Ÿ … Ÿ b 1 1 1 1 0 0 0 1 a 0 … 3 Ÿ = … Ÿ… 3 Ÿ + … Ÿ …b Ÿ …1 1 1 1 1 0 0 0Ÿ…a Ÿ …0Ÿ … 4 Ÿ … Ÿ… 4 Ÿ … Ÿ …b5 Ÿ …0 1 1 1 1 1 0 0Ÿ…a5 Ÿ …1Ÿ …b Ÿ …0 0 1 1 1 1 1 0Ÿ…a Ÿ …1Ÿ … 6 Ÿ … Ÿ… 6 Ÿ … Ÿ …b7 ⁄Ÿ …0 0 0 1 1 1 1 1⁄Ÿ …a7 ⁄Ÿ …0⁄Ÿ SubBytes is non-linear Example: SubBytes(0x53) = 0xED; // note that 0x53-1 = 0xCA SubBytes can also be defined as a 16x16 table
CSG252 Classical Cryptography 35
ShiftRows
S0,0 S0,1 S0,2 S0,3 S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3 S1,1 S1,2 S1,3 S1,0 ←
S2,0 S2,1 S2,2 S2,3 S2,2 S2,3 S2,0 S2,1
S3,0 S3,1 S3,2 S3,3 S3,3 S3,0 S3,1 S3,2
CSG252 Classical Cryptography 36
12 MixColumn
n Input: n c: column index; n s: state; n Output: n s: new state n For i =0 to 3 ← n ti si, c; ← . ⊕ . ⊕ ⊕ n u0 x t0 (x+1) t1 t2 t3 ← . ⊕ . ⊕ ⊕ n u1 x t1 (x+1) t2 t3 t0 ← . ⊕ . ⊕ ⊕ n u2 x t2 (x+1) t3 t0 t1 ← . ⊕ . ⊕ ⊕ n u3 x t3 (x+1) t0 t1 t2 n For i =0 to 3 ← n si, c ui;
n Note:
n Multiplications are in F28
CSG252 Classical Cryptography 37
Key Expansion
n 10-round case (128 bits key)
n RCon[1-10] ← CONSTANTS
n For i = 0 to 3 do w[i] ← (key[4i], key[4i+1], key[4i+2], key[4i+3]) // w has 4 blocks of 32 bits
n For i = 4 to 43 do temp ← w[i-1] if i ≡ 0 (mod 4) then temp ← SubWord(RotWord(temp)) ⊕ RCon[i/4] w[i] ←w[i-4] ⊕ temp
n Return (w[0], …, w[43])
CSG252 Classical Cryptography 38
Implementation Aspects
n Can be efficiently implemented on a 8-bit CPU
n Byte substitution works on bytes using a table of 256 entries
n Shift rows is simple byte shifting
n Add round key works on byte XORs
n Mix columns requires matrix multiply in F28 which works on byte values, can be simplified to use a table lookup
CSG252 Classical Cryptography 39
13 Implementation Aspects
n Can be efficiently implement on 32-bit CPU
n Redefine steps to use 32-bit words
n Can pre-compute 4 tables of 256-words
n Then each column in each round can be computed using 4 table lookups + 4 XORs
n At a cost of 16Kb to store tables
n See Problem Set 4.
n Designers believe this very efficient implementation was a key factor in its selection as the AES cipher
CSG252 Classical Cryptography 40
Modes of Operation DES/AES: Electronic Codebook (ECB)
P1 P2 PN
K DES K DES ... K DES encrypt encrypt encrypt
C1 C2 CN
C1 C2 CN
K DES K DES ... K DES decrypt decrypt decrypt
P1 P2 PN
CSG252 Classical Cryptography 41
Cipher Block Chaining (CBC)
P1 P2 PN C IV N-1
DES DES DES K K ... K Encrypt Encrypt Encrypt
C1 C2 CN
C1 C2 CN
K DES K DES ... K DES Decrypt Decrypt Decrypt C IV N-1
P1 P2 PN
CSG252 Classical Cryptography 42
14 Cipher Feedback (CFB)
Shift register SR CN-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits 64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j j C P j j PN j j 1 2 C2 CN Shift register SR CN-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits
64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j P j C1 P2 j j N j j C2 CN
CSG252 Classical Cryptography 43
DES Modes: Output Feedback (OFB)
Shift register SR ON-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits
64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j P j C P2 j j N j j 1 C2 CN Shift register SR ON-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits
64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j C1 j j j j P C j j CN j j 1 2 P2 PN
CSG252 Classical Cryptography 44
Counter (CTR)
n A —new“ mode, though proposed early on
n Similar to OFB but encrypts counter value rather than any feedback value
n Must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i) n Uses:
n High-speed network encryptions
CSG252 Classical Cryptography 45
15 CSG252 Classical Cryptography 46
16