Block Ciphers: DES, AES

Guevara Noubir http://www.ccs.neu.edu/home/noubir/Courses/CSG252/F04

Textbook: —Cryptography: Theory and Applications“,

Douglas Stinson, Chapman & Hall/CRC Press, 2002

Reading: Chapter 3

Outline

n Substitution-Permutation Networks

n Linear Cryptanalysis

n Differential Cryptanalysis

n DES

n AES

n Modes of Operation

CSG252 Classical Cryptography 2

Block Ciphers

n Typical design approach: n Product cipher: substitutions and permutations

n Leading to a non-idempotent cipher n Iteration:

n Nr: number of rounds → 1 2 Nr n Key schedule: k k , k , …, k , n Subkeys derived according to publicly known algorithm i n w : state n Round function r r-1 r n w = g(w , k ) 0 n w : plaintext x n Required property of g: ? n Encryption and Decryption sequence

CSG252 Classical Cryptography 3

1 SPN: Substitution Permutation Networks

n SPN: special type of iterated cipher (w/ small change) n Block length: l x m

n x = x(1) || x(2) || … || x(m) n x(i) = (x(i-1)l+1, …, xil) n Components: π l → l n Substitution cipher s: {0, 1} {0, 1} π → n Permutation cipher (S-box) P: {1, …, lm} {1, …, lm} n Outline: n Iterate Nr times: m substitutions; 1 permutation; ⊕ sub-key; n Definition of SPN cryptosytems: n P = ?; C = ?; K ⊆ ?; n Algorithm: n Designed to allow decryption using the same algorithm n What are the parameters of the decryption algorithm?

CSG252 Classical Cryptography 4

SPN: Example

n l = m = 4; Nr = 4; n Key schedule:

n k: (k1, …, k32) 32 bits r n k : (k4r-3, …, k4r+12)

z 0 1 2 3 4 5 6 7 8 9 A B C D E F π S(z) E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7

z 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 π P(z) 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16

n K = 0011 1010 1001 0100 1101 0110 0011 1111 n x = 0010 0110 1011 0111 n y = 1011 1100 1101 0110

CSG252 Classical Cryptography 5

Linear Cryptanalysis

n Assumption: n Assume there exists a probabilistic linear relationship between a subset of plaintext bits and a subset of state bits immediately preceding the last substitution n Attacker has a large amount of plaintext-ciphertext encrypted using the same key n Principle: n Consider a set of potential sub-keys, whenever a sub- key verifies the linear relation, increment its counter n The sub-key best matching probability could contain the correct values of key bits

CSG252 Classical Cryptography 6

2 Piling-up Lemma

n Given:

n X1, X2, … independent random variables ≤ ≤ n Pr[Xi=0] = pi ; Pr[Xi=1] = 1-pi; 0 pi 1 ε n Let i = pi - ² denote the bias of the distribution

n Piling-up Lemma: ε ⊕ ⊕ n Let i1,i2,…,ik denote the bias of the random variable Xi1 Xi2 … ⊕ k Xik. Then: ε = k −1 ε i1,i2,...,ik 2 ∏ ij j=1

n Corollary: ε ε n If ij= 0 for one variable Ω i1,i2,…,ik =0

CSG252 Classical Cryptography 7

Linear Approximations of S-boxes

n S-box: Π m → n n S: {0, 1} {0, 1} n Input:

n X = (x1, …, xm)

n Each coordinate defines a random variable Xi with bias 0 n Variables Xis are independent n Output:

n Y = (y1, …, yn) n Variables Yis are not independent from each other and Xis ≠ Π n If (y1, …, yn) S(x1, …, xm) Ω Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? Π n If (y1, …, yn) = S(x1, …, xm) Ω Pr[X1= x1, …, Xm= xm, Y1= y1, …, Yn= yn, ] = ? ⊕ ⊕ ⊕ ⊕ ⊕ n Therefore: one can compute the bias of: Xi1 … Xik Yj1 … Yjl

CSG252 Classical Cryptography 8

Example Π S Table

X1 X2 X3 X4 Y1 Y2 Y3 Y4 ⊕ ⊕ 0 0 0 0 1 1 1 0 • Pr[X1 X4 Y2=0]= ? ⊕ ⊕ ⊕ 0 0 0 1 0 1 0 0 • Pr[X3 X4 Y1 Y4=0]= ? 0 0 1 0 1 1 0 1 • In general one computes the 0 0 1 1 0 0 0 1 biases for all possible subsets: 0 1 0 0 0 0 1 0 4 4 0 1 0 1 1 1 1 1 ⊕ ⊕ ⊕ 0 1 1 0 1 0 1 1 ( ai X i ) ( biYi ) i=1 i=1 0 1 1 1 1 0 0 0 • Derive a table (a, b) Ω Number of 1 0 0 0 0 0 1 1 1 0 0 1 1 0 1 0 times we get a 0: NL(a, b) Entry for a=3, b=9: 2 1 0 1 0 0 1 1 0 ε 1 0 1 1 1 1 0 0 Bias (a, b) = (NL(a, b)-8)/16 1 1 0 0 0 1 0 1 1 1 0 1 1 0 0 1 NL(3, 9) = 2 1 1 1 0 0 0 0 0 NL(2, E) = 2 1 1 1 1 0 1 1 1

CSG252 Classical Cryptography 9

3 Linear Attack on SPN

n Approach:

n Find a set of linear approximations of S-boxes that can be used to derive a linear approximation of the SPN (excluding the last round)

n Derive the bias value using pilling-up lemma

n This linear approximation depends on some subset of the key bits

n For each possible pair (plaintext, ciphertext), and each key increment the counter of the subkey if the approximation equation gives a 0

n Hopefully the correct value for sub-keys will have the expected bias

CSG252 Classical Cryptography 10

Example

n Approximation equations: = 1 ⊕ 1 ⊕ 1 ⊕ 1 T1 U5 U 7 U8 V6 n T1 has bias ³ = 2 ⊕ 2 ⊕ 2 n T2 has bias -³ T2 U6 V6 V8 n T3 has bias -³ = 3 ⊕ 3 ⊕ 3 T3 U6 V6 V8 n T has bias -1/4 4 = 3 ⊕ 3 ⊕ 3 T4 U14 V14 V16

n If T1, T2, T3, T4, were independentthen the bias of ⊕ ⊕ ⊕ n T1 T2 T3 T4 would be -1/32 n We will make this non-rigorous approximations, because it seems to work in practice

⊕ ⊕ ⊕ ⊕ ⊕ ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 3 ⊕ 1 ⊕ 1 n T1 T2 T3 T4 = X5 X7 X8 V 6 V 8 V 14 V 16 K 5 K 7 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ K 8 K 6 K 6 K 14 = X5 X7 X8 U 6 U 14 U 8 U 16 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16

CSG252 Classical Cryptography 11

x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y

4 Example (Cont.)

n If the key bits in: 1 ⊕ 1 ⊕ 1 ⊕ 2 ⊕ 3 ⊕ 3 ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n K 5 K 7 K 8 K 6 K 6 K 14 K 6 K 8 K 14 K 16 are fixed n Then the random variable: ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 ± n X5 X7 X8 U 6 U 14 U 8 U 16 has bias 1/32 n This allows us to derive 8 bits for last subkey: 5 5 n K (2) and K (2) n Outline of alg: 5 5 n Build a table for all possible 256 values of K (2) and K (4) n For each (x, y) pair of plaintext and ciphertext; for each candidate subkey: u4 u4 n Obtain the values of (2) and (4) by decrypting y ⊕ ⊕ ⊕ 4 ⊕ 4 ⊕ 4 ⊕ 4 n Compute x5 x7 x8 u 6 u 14 u 8 u 16 5 5 n If equal 0 : increment counter of corresponding K (2) and K (2) 5 n The table entry that has bias close to 1/32 is the right value for K (2) 5 and K (2)

CSG252 Classical Cryptography 13

Requirements for Linear Cryptanalysis

n A bias of ε requires: -2 n T = cε pairs of plaintext-ciphertext

n For the previous example T = 8000 was usually successful Ω c ≈ 8

CSG252 Classical Cryptography 14

Differential Cryptanalysis

n Similar to Linear Cryptanalysis: n Compares the x-or of two inputs to the x-or of the corresponding two outputs: x‘ = x⊕x* and y‘ = y⊕y* n Adversary has a large number of chosen plaintext tuples (x, x*, y, y*) s.t. x‘ is fixed n Approach: n For each candidate key: decrypt y, and y* n For each candidate key: compute the values of certain state bits n If the state bits match the most likely value for the input x-or then increment the candidate key counter

n Proposed Encryption Standard (PES) which is the original proposal for the International Data Encryption Standard (IDEA used in PGP) was modified to resist to this kind of attacks

n GSM A3 algorithm is sensitive to this kind of attacks n SIM card secret key can be recovred=> GSM cloning

CSG252 Classical Cryptography 15

5 Differential Cryptanalysis

n ∆(x‘) = {(x, x⊕x‘) : x ∈ {0, 1}m } ∈ ∆ Π ⊕ Π n ND(x‘, y‘) = |{ (x, x*) (x‘) : S(x) S(x*) = y‘}| n Similarly to Linear cryptanalysis build the table: N (a, b) D N (a',b') n Define propagation ratio: R (a',b') = D p 2m

n Differential Trail: n Is multi-round combination n Permutations and key XORs do not impact the differential n Sub-key recovery and filtering n Example:

n Rp(1011, 0010) = ²; Rp(0100, 0110) = 3/8; Rp(0010, 0101) = 3/8; Rp(0010, 0101) = 3/8 n Propagation ratio of differential trail: 27/1024 n Complete attack requires between 50 and 100 tuples to find sub-key

CSG252 Classical Cryptography 16

x K1 u1 v1 w1 K2 u2 v2 w2 K3 u3 v3 w3 K4 u4 v4 K5 y

Today‘s Block Encryption Algorithms

n Key size: n Two short => easy to guess n Block size: n Two short easy to build a table by the attacker: (plaintext, ciphertext) n Reasonable size: 64 bits n Properties: n One-to-one mapping n Mapping should look random to someone who doesn‘t have the key n Efficient to compute/reverse n How? n Substitution (small chunks) & permutation (long chunks) n Multiple rounds

CSG252 Classical Cryptography 18

6 Data Encryption Standard (DES)

n Developed by IBM for the US government

n Based on Lucifer (64-bits, 128-bits key in 1971)

n To respond to the National Bureau of Standards CFP (now called NIST)

n Modified characteristics (with help from NSA):

n 64-bits block size, 56 bits key length

n Concerns about trapdoors, key size, sbox structure

n Adopted in 1977 as the DES (FIPS PUB 46, ANSI X3.92) and reaffirmed in 1994 for 5 more years

n Today replaced by AES

CSG252 Classical Cryptography 19

Plaintext: 64 IP 32 32

L 0 R0 48 f K1 Feistel Cipher:

L1 = R0 R = L ⊕ f(R , K ) 1 0 0 1 Li = Ri-1 ⊕ Ri = Li-1 f(Ri-1, Ki) f K2

⊕ L2 = R1 R2 = L1 f(R1, K2)

⊕ L15 = R14 R15 = L14 f(R14, K15)

f K16

⊕ L = R R16 = L15 f(R15, K16) 16 15

IP-1 Ciphertext

Feistel Cipher

n Function f does not have to be injective!

n Li = Ri-1 ⊕ n Ri = Li-1 f(Ri-1, Ki)

n How can we invert one round?

CSG252 Classical Cryptography 21

7 One DES Round

Key (56 bits) 28 28 L Shift Shift i-1 Ri-1 32 32 Compression Permutation Expansion Permutation 48 48

S-Box Substitution

P-Box Permutation

Key (56 bits)

⊕ Li = Ri-1 Ri = Li-1 f(Ri-1, Ki)

CSG252 Classical Cryptography 22

S-Box Substitution

48-Bit Input

S-Box 1 S-Box 2 S-Box 3 S-Box 4 S-Box 5 S-Box 6 S-Box 7 S-Box 8

32-Bit Output

n S-Box heart of DES security n S-Box: 4x16 entry table

n Input 6 bits: b1b2b3b4b5b6 n 2 bits (b1b6): determine the table row (1-4) n 4 bits (b2b3b4b5): determine the table entry n Output: 4 bits

n Example: S1(101000) = 1101 n S-Boxes are optimized against Differential cryptanalysis

CSG252 Classical Cryptography 23

Double/Triple DES

K1 K2 n Double DES P X C E E n Vulnerable to Meet-in-the-

Middle Attack [DH77] K2 K1 C X P D D

K1 K2 K1 n Triple DES P A B C E D E n Used two keys K1 and K2

n Compatible with simple DES K1 K2 K1 (K1=K2) C A B E D E D n Used in ISO 8732, PEM

CSG252 Classical Cryptography 24

8 DES Linear/Differential Cryptanalysis

n Differential cryptanalysis

n —Rediscovered“ by E. Biham & A. Shamir in 1990

n Based on a chosen-plaintext attack:

n Analyse the difference between the ciphertexts of two plaintexts which have a known fixed difference

n The analysis provides information on the key

n 8-round DES broken with 214 chosen plaintext and complexity 29

n 16-round DES requires 247 chosen plaintext and complexity 237

n DES design took into account this kind of attacks n Linear cryptanalysis

n Uses linear approximations of the DES cipher (M. Matsui 1993)

n Applied to DES: 43 n Requires 2 known plaintext encrypted with the same key

n Time: 40 days to generate the pairs, 10 days to find the key

CSG252 Classical Cryptography 25

Breaking DES

n Electronic Frontier Foundation built a —DES Cracking Machine“ [1998] n Attack: brute force n Inputs: two ciphertext n Architecture:

n PC

n Array of custom chips that can compute DES 24search units/chip x 64chips/board x 27 boards n Power:

n Searches 92 billion keys per second

n Takes 4.5 days for half the key space

n Successfully broke —DES Challenge II-2“ in 56 hours n Cost:

n $130‘000 (all the material: chips, boards, cooling, PC etc.)

n $80‘000 (development from scratch)

CSG252 Classical Cryptography 26

The Advanced Encryption Standard (AES) http://csrc.nist.gov/CryptoToolkit/aes/rijndael/Rijndael.pdf

n AES = Rijndael n Designed by Rijmen-Daemen (Belgium) n Key size: 128/192/256 bit n Block size: 128 bits of data n Properties: iterativerather than Feistelcipher n Treats data in 4 groups of 4 bytes n Operates on an entire block in every round n Designed to be: n Resistant against known attacks n Speed and code compactness on many CPUs n Design simplicity

CSG252 Classical Cryptography 27

9 AES Outline

n Algorithm: 1. Initialize State ← x ⊕ RoundKey; 2. For each of the Nr-1 rounds: 1. SubBytes(State); 2. ShiftRows(State); 3. MixColumns(State); 4. AddRoundKey(State); 3. Last round: 1. SubBytes(State); 2. ShiftRows(State); 3. AddRoundKey(State); 4. Output y ← State

CSG252 Classical Cryptography 28

Finite Fields - Break

n GF(2) = Z2 n ∈ n GF(2 ) = { (an-1, …, a1, a0) | ai GF(2) } n Addition can be carried out bit by bit

n Multiplication mod a primitive polynomial n n Generation of GF(2 ): done by polynomial modulo a primitive polynomial of degree n, m(x) n Elements of GF(2) can be represented as a polynomial (an-1, …, a1, a0) = a(x) ≡ n-1 an-1x + . . . + a1x + a0 mod m(x) n n Textbook Notation: F2 = Z2[x]/m(x) 8 4 3 n AES uses n=8, and m(x) = x +x +x +x+1

CSG252 Classical Cryptography 29

Primitive Polynomial

n A polynomial f(x) over a field Q is said to be irreducible if f(x) cannot be factored over Q

n A polynomial f(x) over a field Q is said to be primitive if every root of f(x) generates the extension field

n Over GF(2) a polynomial is primitive if the smallest k for which f(x) divides xk+1 is k = 2n-1

n Example. 4 3 2 n f(x) = x +x +x +x+1 over GF(2) f(x) is irreducible but not primitive 4 n g(x) = x + x+1 g(x) is primitive

CSG252 Classical Cryptography 30

10 Test Irreducibility

n To show x8+x4+x3+x+1 is irreducible:

n If the number of terms is odd over GF(2), then it cannot be divisible by x+1 2 n Try dividing by polynomials of degree 2, x + x + 1 3 3 2 n Try polynomials of degree 3, x +x+1 and x +x +1 4 3 2 4 3 n Try polynomials of degree 4, x +x +x +x+1, x +x +1, x4+x2+1, x4+x+1

n Do not require any more testing beyond degree 4

CSG252 Classical Cryptography 31

Test Primitivity

n To show x4+x3+x2+x+1 is not primitive: n Take α to be a root of the polynomial, that is, α 4 = α3 + α2 + α + 1 5 4 3 2 3 2 3 2 n α = α + α + α + α = α + α + α + 1 + α + α + α = 1 n To show x8+x4+x3+x+1 is primitive n Take α to be a root of the polynomial, that is, α 8 = α4 + α3 + α + 1 (00011011)=(1b) 9 5 4 2 n α = α + α + α + α (00110110)=(36) 12 7 5 3 n α = α + α + α + α + 1 (10101011)=(ab)

CSG252 Classical Cryptography 32

Multiplication in GF(28)

n α 9 ∗ α 12 = α 9+12 = α 21 mod 127

n (36) ∗ (ab) = (00110110) ∗ (10101011) = 11110010

CSG252 Classical Cryptography 33

11 AES (Continued)

n State: 16 bytes structured in a array

S0,0 S0,1 S0,2 S0,3

S1,0 S1,1 S1,2 S1,3

S2,0 S2,1 S2,2 S2,3

S3,0 S3,1 S3,2 S3,3

8 n Each byte is seen as an element of F28=GF(2 ) n F28 finite field of 256 elements n Operations

n Elements of F28 are viewed as polynomials of degree 7 with coefficients {0, 1} n Addition: polynomials addition Ω XOR n Multiplication: polynomials multiplication modulo x8+ x4+ x3+x+1

CSG252 Classical Cryptography 34

SubBytes

Input: a = (a7 a6 a5 a4 a3 a2 a1 a0) Output: b = (b7 b6 b5 b4 b3 b2 b1 b0) If a ≠ 0 then a ← a-1;

»b0 ÿ »1 0 0 0 1 1 1 1ÿ»a0 ÿ »1ÿ … Ÿ … Ÿ… Ÿ … Ÿ …b1 Ÿ …1 1 0 0 0 1 1 1Ÿ…a1 Ÿ …1Ÿ …b Ÿ …1 1 1 0 0 0 1 1Ÿ…a Ÿ …0Ÿ … 2 Ÿ … Ÿ… 2 Ÿ … Ÿ b 1 1 1 1 0 0 0 1 a 0 … 3 Ÿ = … Ÿ… 3 Ÿ + … Ÿ …b Ÿ …1 1 1 1 1 0 0 0Ÿ…a Ÿ …0Ÿ … 4 Ÿ … Ÿ… 4 Ÿ … Ÿ …b5 Ÿ …0 1 1 1 1 1 0 0Ÿ…a5 Ÿ …1Ÿ …b Ÿ …0 0 1 1 1 1 1 0Ÿ…a Ÿ …1Ÿ … 6 Ÿ … Ÿ… 6 Ÿ … Ÿ …b7 ⁄Ÿ …0 0 0 1 1 1 1 1⁄Ÿ …a7 ⁄Ÿ …0⁄Ÿ SubBytes is non-linear Example: SubBytes(0x53) = 0xED; // note that 0x53-1 = 0xCA SubBytes can also be defined as a 16x16 table

CSG252 Classical Cryptography 35

ShiftRows

S0,0 S0,1 S0,2 S0,3 S0,0 S0,1 S0,2 S0,3

S1,0 S1,1 S1,2 S1,3 S1,1 S1,2 S1,3 S1,0 ←

S2,0 S2,1 S2,2 S2,3 S2,2 S2,3 S2,0 S2,1

S3,0 S3,1 S3,2 S3,3 S3,3 S3,0 S3,1 S3,2

CSG252 Classical Cryptography 36

12 MixColumn

n Input: n c: column index; n s: state; n Output: n s: new state n For i =0 to 3 ← n ti si, c; ← . ⊕ . ⊕ ⊕ n u0 x t0 (x+1) t1 t2 t3 ← . ⊕ . ⊕ ⊕ n u1 x t1 (x+1) t2 t3 t0 ← . ⊕ . ⊕ ⊕ n u2 x t2 (x+1) t3 t0 t1 ← . ⊕ . ⊕ ⊕ n u3 x t3 (x+1) t0 t1 t2 n For i =0 to 3 ← n si, c ui;

n Note:

n Multiplications are in F28

CSG252 Classical Cryptography 37

Key Expansion

n 10-round case (128 bits key)

n RCon[1-10] ← CONSTANTS

n For i = 0 to 3 do w[i] ← (key[4i], key[4i+1], key[4i+2], key[4i+3]) // w has 4 blocks of 32 bits

n For i = 4 to 43 do temp ← w[i-1] if i ≡ 0 (mod 4) then temp ← SubWord(RotWord(temp)) ⊕ RCon[i/4] w[i] ←w[i-4] ⊕ temp

n Return (w[0], …, w[43])

CSG252 Classical Cryptography 38

Implementation Aspects

n Can be efficiently implemented on a 8-bit CPU

n Byte substitution works on bytes using a table of 256 entries

n Shift rows is simple byte shifting

n Add round key works on byte XORs

n Mix columns requires matrix multiply in F28 which works on byte values, can be simplified to use a table lookup

CSG252 Classical Cryptography 39

13 Implementation Aspects

n Can be efficiently implement on 32-bit CPU

n Redefine steps to use 32-bit words

n Can pre-compute 4 tables of 256-words

n Then each column in each round can be computed using 4 table lookups + 4 XORs

n At a cost of 16Kb to store tables

n See Problem Set 4.

n Designers believe this very efficient implementation was a key factor in its selection as the AES cipher

CSG252 Classical Cryptography 40

Modes of Operation DES/AES: Electronic Codebook (ECB)

P1 P2 PN

K DES K DES ... K DES encrypt encrypt encrypt

C1 C2 CN

C1 C2 CN

K DES K DES ... K DES decrypt decrypt decrypt

P1 P2 PN

CSG252 Classical Cryptography 41

Cipher Block Chaining (CBC)

P1 P2 PN C IV N-1

DES DES DES K K ... K Encrypt Encrypt Encrypt

C1 C2 CN

C1 C2 CN

K DES K DES ... K DES Decrypt Decrypt Decrypt C IV N-1

P1 P2 PN

CSG252 Classical Cryptography 42

14 Cipher Feedback (CFB)

Shift register SR CN-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits 64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j j C P j j PN j j 1 2 C2 CN Shift register SR CN-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits

64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j P j C1 P2 j j N j j C2 CN

CSG252 Classical Cryptography 43

DES Modes: Output Feedback (OFB)

Shift register SR ON-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits

64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j P1 j j j P j C P2 j j N j j 1 C2 CN Shift register SR ON-1 SR 64-j bits | j bits 64-j bits | j bits 64-j bits | j bits

64 64 64 K DES K DES K DES Encrypt Encrypt Encrypt 64 64 ... 64 j bits | 64- j bits j bits | 64- j bits j bits | 64- j bits j C1 j j j j P C j j CN j j 1 2 P2 PN

CSG252 Classical Cryptography 44

Counter (CTR)

n A —new“ mode, though proposed early on

n Similar to OFB but encrypts counter value rather than any feedback value

n Must have a different key & counter value for every plaintext block (never reused)

Ci = Pi XOR Oi

Oi = DESK1(i) n Uses:

n High-speed network encryptions

CSG252 Classical Cryptography 45

15 CSG252 Classical Cryptography 46

16