KEMBAR78
Private-Key Encryption Overview | PDF | Cryptography | Security Technology
0% found this document useful (0 votes)
111 views4 pages

Private-Key Encryption Overview

The document discusses private-key encryption used in practice, including stream ciphers versus block ciphers, the Data Encryption Standard (DES), modes of operation for block ciphers, cryptanalysis of DES, and the Advanced Encryption Standard (AES). It notes that practical private-key encryption schemes are designed for efficiency rather than being based on rigorous proofs, and that block ciphers like DES and AES are the main tools for private-key encryption despite not having reductions.
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
111 views4 pages

Private-Key Encryption Overview

The document discusses private-key encryption used in practice, including stream ciphers versus block ciphers, the Data Encryption Standard (DES), modes of operation for block ciphers, cryptanalysis of DES, and the Advanced Encryption Standard (AES). It notes that practical private-key encryption schemes are designed for efficiency rather than being based on rigorous proofs, and that block ciphers like DES and AES are the main tools for private-key encryption despite not having reductions.
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

CS 120/CSCI E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov.

7, 2006

Lecture Notes 13: Private-Key Encryption in Practice


Recommended Reading.
KatzLindell, Chapter 5. FIPS publication describing DES (link on webpage). FIPS publication describing AES.

1 Stream Ciphers vs. Block Ciphers


Unlike what we've seen, private-key (aka symmetric) encryption schemes used in practice generally - are not be based on nice computational problems - are not proven secure via reductions - are designed for a particular input length (so can only be treated with concrete security) - but are extremely ecient Stream Ciphers

 Essentially meant to be pseudorandom generators, used for stateful encryption.  Examples: linear feedback shift registers (not secure, but used as component in better
stream ciphers), RC4, SEAL, ...

 Extremely simple and fast  Practical issues: can generate pseudorandom bits oine and decrypt very quickly without
buering, but requires synchronization

Block ciphers
1  For every key k {0, 1}n , Ek : {0, 1} {0, 1} is a permutation, and both Ek and Ek

can be computed quickly given k . (n=key length,

= block length)

 Examples: DES, AES/Rijndael, IDEA, ...  Main tools for private-key encryption in practice.  Have both stateless modes and stateful/stream-like modes.
How are they designed?

 More of an art than science. Intuition/experience of designers, public critique important.

 Diusion: have each output bit aected by many input bits, each input bit inuence  Confusion: avoid structured relationships (especially linearity) between input and output/key that are exploited in known attacks.

many output bits  often achieved by repeating many rounds that involve swapping bits.

 Output should be random-looking, have good statistical properties.  Simplicity.  Eciency  extremely fast in hardware & software on wide variety of platforms.

2 The Data Encryption Standard (DES)


Designed by IBM and the NSA, standardized in 1977. Most widespread block cipher  used by federal agencies, banks (ATM machines), SSL, ... Key length 56, block length 64. Computation of DESk (m) is done by 16-round Feistel network:

   

( 0 , r0 ) {0, 1}32 {0, 1}32 is xed permutation of bit positions of m. ( i , ri ) = (ri1 ,


i1

fki1 (ri1 )). Feistel transformation

Subkey ki1 {0, 1}48 consists of xed permuted subset of bits of k . Computation of round function fk (r):

r {0, 1}32 expanded to E(r) {0, 1}48 by repeating some bits and permuting bits. E(r) k broken into 6-bit blocks B1 , . . . , B8 . Cj = Sj (Bj ) for hardwired  S -box Sj : {0, 1}6 {0, 1}4 . (Main source of DES's security.) fk (r) = xed permutation of bits of C1 C8 . Inversion: each Feistel transformation is a permutation, the inverse of the Feistel transformation is easy to compute given the subkey. Speed: 10 Mbits/sec in software, > 1 Gbit/sec in hardware!

3 Modes of Operation
Described for DES, but apply to any block cipher. Electronic Codebook Mode (ECB Mode): To encrypt message m, break m into blocks m1 , m2 , . . . of size 64, output c1 , c2 , . . ., where ci = DESk (mi ). Cipher-Block Chaining Mode (CBC Mode): c0 {0, 1}64 , ci = DESk (ci1 mi ). Counter Mode (CTR Mode): ci = DESk (IV + i mod 264 ) mi . Output Feedback Mode (OFB Mode): ci = mi zi , where z0 {0, 1}64 , zi = DESk (zi1 ). (Stream cipher).
2
R R

4 Cryptanalysis of DES
Typically focuses on key recovery  given (m1 , DESk (m1 )), . . . , (mq , DESk (mq )), nd k . the pairs (mi , ci ) are obtained by known plaintext attack, chosen plaintext attack or by listening on the communication channel. We have seen that the security against key recovery is not sucient but necessary. Exhaustive search: q = 2 suces, time = (2k ) . For all keys k , if c1 = DESk (m1 ) and c2 = DESk (m2 ), output k .

 1993: 56 hours using specialized $250K key-search machine.  A possible solution against the fact that the keyspace is small is to use several DES keys.
Triple DES (DESk1 (DES1 (DESk3 (m)))) seems better, but not as much as one might k2 hope. (the reason for the inverse is for backwards compatibility: when k2 = k3 , we get single DES)

Linear and Dierential cryptanalysis: q = 243 for DES. The idea is to try to nd relation between the input bits and the output bits, e.g. if the inputs dier by one bit, do we have correlation between the outputs?

 Impractical against DES  too much memory required.  But devastating for 8-round DES and other block ciphers.

5 Advanced Encryption Standard (AES)


Development initiated in 1997 by the National Institute of Standards and Technology (NIST). 15 submissions, several rounds of public analysis/discussion. Rijndael selected in October 2000, soon to be standardized. Block size = 128, variable key length = 128, 192, or 256, variable number of rounds = 10, 12, or 14, respectively. Computation of AESk (m):

 m written as 4 4 matrix of 8-bit values (viewed as elements of nite eld F of size 28 ).  Each round consists of:
Applying a substitution (S-box) to each matrix entry. (Inversion and ane transformation in F: S(x) = ax1 + b where a, b xed) S and S 1 are easy to compute. Left-shifting each row (0, 1, 2, 3 positions, respectively). An operation on each column (polynomial arithmetic over F: each column is viewed as a polynomial). This column substitution C and its inverse C 1 are easy to compute. XORing entire matrix with the round key ki .

 Round key generation:


Actual k written as initial part of an array, each entry consisting of a word  four 8-bit values, again viewed as elements of F. Usually, next word is XOR of previous word and an earlier word.
3

Sometimes, next word formed by a left-shift and S-box applied to entries of previous word. Design criteria:

 Protection against known attack methods (e.g. linear and dierential cryptanalysis).  Eciency (hardware and software) on wide range of platforms.  Simplicity.
Only time will tell how good it really is!

6 Theory vs. Practice


Why do people use block ciphers over provable constructions?

 Eciency  provable constructions much slower (modular arithmetic), require larger


keys. For a key length k , the security of block ciphers seem to grow like (2k ) and the 1/3 security of provable number-theoretic constructions seems to grow like 2(k ) to public-key crypto).

 History  block ciphers standardized before modern cryptography developed (in contrast How can we bridge the gap?
Approach 1 (Most common): Model block ciphers as families of pseudorandom permutations (as in BellareRogaway) + Can critique existing uses of block ciphers, e.g. some modes of operation secure (like CBC, CTR), some insecure (like ECB). + Can give some justication for Feistel network (converts PRFs to PRPs). A very strong assumption, hard to evaluate! Approach 2 (Not so common): View block ciphers as one-way functions and apply provable constructions. + OWF assumption much weaker, easier to evaluate. Resulting constructions unlikely to be as ecient. Possibly not using full strength of block ciphers. Approach 3 (Occassionally used): Forget modelling and proofs, just take main ideas & understanding of goals from theory.

You might also like