Lecture 4. Cryptography I: Conventional Encryption

Cryptography is the art and science (and maybe engineering, too) of keeping information secure. Cryptanalysis is the opposite of cryptography, and together are they called cryptology.

Major cryptographic operations are encryption and decryption, which can be illustrated:

            encryption key               decryption key
                  |                            |
                  V                            V
plaintext   +------------+  ciphertext   +------------+  original
----------> | encryption | ------------> | decryption | ----------->
            +------------+               +------------+  plaintext

In most cryptosystems, the decryption key is the same as the encryption key and those systems are called symmetric or conventional cryptosystems, and such systems may be dated back to Julius Caesar's days. The other type of cryptosystem is called the public-key cryptosystem, in which the decryption key is different from the encryption key and it is intractable to compute one from the other. The first public-key cryptography was described by W. Diffie and M. Hellman in 1976, which can be used to exchange secret keys rather than to encrypt bulky data. Other public-key algorithms such as RSA and Knapsack soon followed.

In conventional cryptosystems, the encryption keys should be kept secret and hence the keys are often called the secret keys. In public-key cryptosystems, the encryption key can be made public so that anyone can use the key to encrypt messages, but only the person with the corresponding decryption key can decrypt the messages, and hence encryption keys and decryption keys are called public keys and private keys.

This lecture presents Conventional Encryption, and we'll look at Public-key Cryptography later.

We'll start with some of the classical ciphers, and see how they affected the development of modern symmetric encryption algorithms. We'll then look at the most widely used data encryption algorithm: Data Encryption Standard (DES). Algorithmic details, characteristics, design considerations, possible attacks, and the applications of DES will be discussed. Next, we'll look at some other symmetric algorithms: IDEA, RC5, Blowfish.

Contents

Simple ciphers and cipher design criteria
Data Encryption Standard (DES)
Other block ciphers

1. Simple ciphers and cipher design criteria

Substitution

Monoalphabetic substitution cipher:

1-to-1 between plaintext characters and ciphertext characters

Shifted alphabet

Caesar's cipher:  abcdefghijklmnopqrstuvwxyz
	          defghijklmnopqrstuvwxyzabc

Plaintext:        secret
Ciphertext:       vhfuhw

Permuted alphabet

                  abcdefghijklmnopqrstuvwxyz
                  yntbwrlzjemqpchvfxoiauksdg

Plaintext:        secret
Ciphertext:       owtxwi

weakness: vulnerable to analysis of

homophonic substitution cipher: 1-to-N mapping
polygram substitution cipher: mapping between character blocks
polyalphabetic substitution cipher:
- shift by a keyword
```
	key:        beauty
	plaintext:  aaaaaabbbbbbabcabc
	ciphertext: beautycfbvuzbfcuua
		
```
- rotor machines using multiple rotors:
- One-time pads if every plaintext character is transformed using a different substitution function, and the substitution functions are independent from each other.

Transposition

Simple columnar transposition cipher

plaintext: thisistheplaintext   

		thisis
		thepla
		intext
	
ciphertext: tti hhn iet spe ilx sat

Simple columnar transposition cipher + permuted columns

plaintext: thisistheplaintext   

key:		beauty (231546)
		thisis
		thepla
		intext
	
ciphertext: iet tti hhn ilx spe sat

multiple stages of transpositions with different column sizes

plaintext: thisistheplaintext   

key 1:		beauty (231546)
		thisis
		thepla
		intext

key 2:		thank (52143)
		iettt
		ihhni
		lxspe
		sat##
	
ciphertext: thst ehxa tie# tnp# iils

Desirable properties of ciphers

Repeating monoalphabetic substitutions by permuted alphabet doesn't increase cryptographic strength at all.
Multi-stage transposition helps.
Combining substitution and transposition results in even stronger ciphers.
Cryptographic strength of most simple ciphers depends on the secrecy of algorithms and key parameters both.
New ciphers are devised to resist known attacks.

Confusion and Diffusion by C. E. Shannon
- confusion: obscuring the relationship between the plaintext and the ciphertext.
- diffusion: spreading the information from the plaintext over the entire ciphertext.
Avalanche effects: a small change in either the plaintext or the key produces a change in many bits of the ciphertext
Repetition of nonlinear transformations ( --> product cipher)
Cryptographic strength should depend on the secrecy of the key, not the secrecy of algorithms.
Shorter keys are better unless it weakens the cryptographic strength seriously.
Algorithms should yield efficient implementation in hardware and/or software.

2. Data Encryption Standard (DES)

History

IBM developed 128-bit block cipher called LUCIFER in 1971
NBS (National Bureau of Standard, now NIST) issued RFP for commercial cipher in 1973
IBM proposal based on a refinement of LUCIFER was adopted in 1977 as the Data Encryption Standard

Characteristics

block cipher: transforms 64 bit input into a 64 bit output.
56 bit key is used: 8 byte key where one bit of each byte is the parity bit
cipher using substitution and permutation (transposition)
16-round of transformations
key bits are modified and reused in each round
slow in software because of bit permutations

DES algorithm

Algorithm outline

Single Iteration of DES

DES tables

Initial permutation 
	58, 50, 42, 34, 26, 18, 10,  2,
	60, 52, 44, 36, 28, 20, 12,  4,
	62, 54, 46, 38, 30, 22, 14,  6,
	64, 56, 48, 40, 32, 24, 16,  8,
	57, 49, 41, 33, 25, 17,  9,  1,
	59, 51, 43, 35, 27, 19, 11,  3,
	61, 53, 45, 37, 29, 21, 13,  5,
	63, 55, 47, 39, 31, 23, 15,  7

Inverse initial permutation 
	40,  8, 48, 16, 56, 24, 64, 32,
	39,  7, 47, 15, 55, 23, 63, 31,
	38,  6, 46, 14, 54, 22, 62, 30,
	37,  5, 45, 13, 53, 21, 61, 29,
	36,  4, 44, 12, 52, 20, 60, 28,
	35,  3, 43, 11, 51, 19, 59, 27,
	34,  2, 42, 10, 50, 18, 58, 26,
	33,  1, 41,  9, 49, 17, 57, 25

Expansion permutation
	32,  1,  2,  3,  4,  5,
	 4,  5,  6,  7,  8,  9,
	 8,  9, 10, 11, 12, 13,
	12, 13, 14, 15, 16, 17,
	16, 17, 18, 19, 20, 21,
	20, 21, 22, 23, 24, 25,
	24, 25, 26, 27, 28, 29,
	28, 29, 30, 31, 32,  1 

Permuted choice 1
	57, 49, 41, 33, 25, 17,  9,
	 1, 58, 50, 42, 34, 26, 18,
	10,  2, 59, 51, 43, 35, 27,
	19, 11,  3, 60, 52, 44, 36,

	63, 55, 47, 39, 31, 23, 15,
	 7, 62, 54, 46, 38, 30, 22,
	14,  6, 61, 53, 45, 37, 29,
	21, 13,  5, 28, 20, 12,  4

Left rotation table
	1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28

Permuted choice 2
	14, 17, 11, 24,  1,  5,
	 3, 28, 15,  6, 21, 10,
	23, 19, 12,  4, 26,  8,
	16,  7, 27, 20, 13,  2,
	41, 52, 31, 37, 47, 55,
	30, 40, 51, 45, 33, 48,
	44, 49, 39, 56, 34, 53,
	46, 42, 50, 36, 29, 32

S-boxes
	/* S1 */
	14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
	 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
	 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
	15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13,

	/* S2 */
	15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
	 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
	 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
	13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9,

	/* S3 */
	10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
	13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
	13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
	 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12,

	/* S4 */
	 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
	13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
	10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
	 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14,

	/* S5 */
	 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
	14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
	 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
	11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3,

	/* S6 */
	12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
	10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
	 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
	 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13,

	/* S7 */
	 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
	13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
	 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
	 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12,

	/* S8 */
	13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
	 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
	 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
	 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11

32-bit permutation function P used on the output of the S-boxes
	16,  7, 20, 21,
	29, 12, 28, 17,
	 1, 15, 23, 26,
	 5, 18, 31, 10,
	 2,  8, 24, 14,
	32, 27,  3,  9,
	19, 13, 30,  6,
	22, 11,  4, 25

decryption is the same as encryption but with subkeys K_i used in reverse order:

DES design considerations

P-box is chosen for faster diffusion.
S-boxes are chosen for cryptographic strength and easy implementation in circuits.
In five rounds, each ciphertext bit becomes a complex function of all plaintext bits and all key bits.
Each bit change in plaintext or key results in changes approximately in 32 bit positions of the ciphertext.
S-boxes are chosen to resist differential cryptanalysis attack.

Attacks on DES (Is DES safe?)

Exhaustive key search by special hardware
- Estimation by Diffie and Hellman in 1977:
  $20,000,000 machine can exhaust the key space in one day.
- Eberle described a 1 Gbit/s DES chip of $300 in 1992:
  $1,000,000 machine can exhaust the key space in eight days.
- Wiener gave the detailed design of a key search machine in 1993:
  $1,000,000 machine can exhaust the key space in 3.5 hours.
  (see des_key_search.ps)
- Recently (07/18/98) it was reported that EFF built a DES cracker, which was built for less than $250,000. It took the machine less than 3 days to crack a DES key. (see EFF DES Cracker Project)
- DES Challenge III Broken in Record 22 Hours with a network of 100,000 PCs.
This attack assumes one known pair of plaintext and ciphertext; the attack is still possible without known plaintext but with some known pattern of plaintext (such as ASCII) and it may take longer.
Solution: 3DES (or DES-EDE) using two keys -- E_K1(D_K2(E_K1(P)))
Differential cryptanalysis by Biham and Shamir in 1992 (see DifferentialCryptanalysis.ps)
- examine ciphertext pairs whose plaintext pairs have particular differences
- recover some parts (32 bits) of K₁₆ (48 bits) and apply exhaustive key search for the remaining 24 bits
- uses approximately 2⁴⁷ plaintext pairs
- 6-round DES was broken in 0.3 sec using 240 ciphertexts
- 8-round DES was broken in 2 min using 1500 ciphertexts
- Minor changes in the S-boxes or their order can make DES much easier to break
- Attacks applicable to a wide range of encryption algorithms and cryptographic hash functions.
- First published in 1990, but Don Coppersmith claimed that it was known to DES design team in 1974.
- Not a serious threat in practice because of the data requirement
Linear cryptanalysis by M. Matsui in 1993
- linear approximation of block cipher actions
- XOR some plaintext and ciphertext bits together, get a bit that is XOR of some of the key bits
- recover 26 key bits by above method and apply exhaustive key search for the remaining 30 bits
- needs approximately 2⁴³ known plaintexts
- recovered a key in 50 days using 12 HP9735 workstations
- Not a serious threat in practice because of the data requirement

DES applications

File encryption or data encryption
Secure Hashing: E_data(fixed-value) effects a secure hash function
UNIX password encryption repeats DES 25 times with modified expansion permutation by a random 12-bit value, thus making hardware key search (with commercial DES chip) impossible.
Electronic fund transfer (ATM)
PIN-based ATM
- Each terminal is assigned a terminal key K_T.
- Upon ATM card being inserted, the host generates a session key K_S and encrypts it with K_T and sends the encrypted key to the terminal.
- The terminal recovers the session key.
- User-entered PIN (often concatenated by counter or random value) and account information are encrypted with K_S and then sent to the host.
- Host decrypts PIN and account information, and verifies them.
- The terminal may encrypt the transaction message with K_S, or may send it clear but with MAC (message authentication code: E(H(message))) attached to provide message authentication.
Random number generation (ANSI X9.17)
DTi: date and time
Vi: seed value
Ri: generated pseudorandom number
K1, K2: DES-EDE keys
Ri = EDE_K1,K2(EDE_K1,K2(DTi) XOR Vi)
Vi+1 = EDE_K1,K2(EDE_K1,K2(DTi) XOR Ri)

3. Other block ciphers

International Data Encryption Algorithm (IDEA)

designed by X. Lai and J. Massey of Switzerland in 1991
128-bit key, 8-round, 64-bit block cipher
major operations: XOR, add mod 2¹⁶, multiply mod 2¹⁶+1
used in PGP
software implementation is faster than DES
implemented as a chip with an encryption rate 177 Mbit/s (fastest commercial DES chip: 200 Mbyte/s)

RC5 (Rivest Cipher 5)

designed by Ron Rivest in 1995
parameterized block cipher with secret key size, block size, number of rounds
major operations: XOR, add, data-dependent rotation
secure against differential and linear cryptanalysis
distinguished from DES-like ciphers by the data-dependent rotations
software implementations are faster than DES (?)
RC2 (block cipher), RC4 (stream cipher):
40-bit key version of these ciphers are exportable

Blowfish

designed by Bruce Schneier in 1994
variable length key (up to 448 bits), 16-round, 64-bit block cipher
major operations: XOR, add, table lookup
4 8*32 S-boxes
key-dependent permutation
key- and data-dependent substitution
no effective attacks yet
software implementation is faster than DES

SEED

��Ŵ�üǥ��(��)

128-bit key, 16-round, 128-bit block cipher

major operations: XOR, add, table lookup

2 8*8 S-boxes

Document in hwp, pdf

Block Ciphers (Chapter 7 of Handbook of Applied Cryptography, in PostScript)

Advanced Encryption Standard (AES) Development Effort

Initiated by NIST in 1997.
A process to develop a Federal Information Processing Standard (FIPS) for Advanced Encryption Standard (AES) specifying an Advanced Encryption Algorithm (AEA)

AES Home Page

**AES Round 1 Candidate Algorithms**
*(In alphabetical order, with links to each submitter's web page)*
Algorithm Name	Submitter Name(s)
CAST-256	Entrust Technologies, Inc. (represented by Carlisle Adams)
CRYPTON	Future Systems, Inc. (represented by Chae Hoon Lim)
DEAL	Richard Outerbridge, Lars Knudsen
DFC	CNRS - Centre National pour la Recherche Scientifique - Ecole Normale Superieure (represented by Serge Vaudenay)
E2	NTT - Nippon Telegraph and Telephone Corporation (represented by Masayuki Kanda)
FROG	TecApro Internacional S.A. (represented by Dianelos Georgoudis)
HPC	Rich Schroeppel
LOKI97	Lawrie Brown, Josef Pieprzyk, Jennifer Seberry
MAGENTA	Deutsche Telekom AG (represented by Dr. Klaus Huber)
MARS	IBM (represented by Nevenko Zunic)
RC6^TM	RSA Laboratories (represented by Burt Kaliski)
RIJNDAEL	Joan Daemen, Vincent Rijmen
SAFER+	Cylink Corporation (represented by Charles Williams)
SERPENT	Ross Anderson, Eli Biham, Lars Knudsen
TWOFISH	Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson

Round 2 [8/1999-5/2000] Candidate Algorithms: MARS, RC6, RIJNDAEL, SERPENT, TWOFISH