CIS 5371 Cryptography

6. Practical Constructions of Symmetric-Key Primitives

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography


Stream ciphers

A stream cipher is a pair of deterministic algorithms (Init, GetBits), where:

Init takes as input a seed and an optional and outputs an initial state . That is, := Init (

GetBits takes as input and outputs a bit and an updated state . That is, ) := GetBits(


Linear Feedback Shift Registers (LFSR)

[Figure: an LFSR with register cells s4 s3 s2 s1 s0, a linear feedback function, and the output bits; the diagram's state-update and output equations are not recoverable here.]


Reconstruction attacks

Solve for unknowns: with linear feedback, every output bit is a linear function (over GF(2)) of the unknown initial state, so observing enough output bits gives a system of linear equations that can be solved for that state.

So we must use nonlinear feedback:

:= ,

:= , some nonlinear function


Self-shrinking generator

The self-shrinking generator uses alternating output bits of a single register to control its final output.

1. Clock two bits from the LFSR.
2. If the pair is 10, output a zero.
3. If the pair is 11, output a one.
4. Otherwise, output nothing.
5. Return to step one.


Self-shrinking generator, Example

Use polynomial: x^8 + x^4 + x^3 + x^2 + 1

Initial state: 1 0 1 1 0 1 1 0.

 t   8 7 6 5 4 3 2 1   Out1  Out2
 0   1 0 1 1 0 1 1 0   n/a   n/a
 1   1 1 0 1 1 0 1 1   0     n/a
 2   1 1 1 0 1 1 0 1   1
 3   1 1 1 1 0 1 1 0   1     0
 4   1 1 1 1 1 0 1 1   0

Out1 is the bit the LFSR outputs at each clock; Out2 is the self-shrinking output derived from each pair of Out1 bits: the pair (0, 1) from t = 1, 2 produces nothing, and the pair (1, 0) from t = 3, 4 produces a 0.
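The example above, reproduced in code. This is an added example, not code from the slides or the textbook; the tap convention (state written s8..s1, output taken from s1, new s8 = s8 xor s4 xor s3 xor s2) is inferred from the table, and the `lfsr_trace` and `self_shrinking` helpers are our own names.

```python
# Added example (not from the slides): a Fibonacci-style LFSR with feedback
# polynomial x^8 + x^4 + x^3 + x^2 + 1 driving a self-shrinking generator.
# Tap convention is inferred from the slide's table: the state is written
# s8 s7 ... s1, the output bit is s1, and the new s8 is s8 ^ s4 ^ s3 ^ s2.

TAPS = (8, 4, 3, 2)                      # exponents of the feedback polynomial
SLIDE_STATE = (1, 0, 1, 1, 0, 1, 1, 0)   # initial state from the slide (s8..s1)

class LFSR:
    def __init__(self, state_bits, taps=TAPS):
        self.state = list(state_bits)    # index 0 holds s_n, last index holds s_1
        self.n = len(self.state)
        self.taps = taps

    def cell(self, i):
        """Value of register cell s_i (1-based; s_1 is the output cell)."""
        return self.state[self.n - i]

    def clock(self):
        """Output s_1, shift every cell one place toward s_1, feed the XOR of the taps into s_n."""
        out = self.cell(1)
        feedback = 0
        for t in self.taps:
            feedback ^= self.cell(t)
        self.state = [feedback] + self.state[:-1]
        return out

def lfsr_trace(state_bits, clocks):
    """Rows of (state after the clock, bit output by that clock), like the slide's table."""
    reg = LFSR(state_bits)
    rows = []
    for _ in range(clocks):
        out = reg.clock()
        rows.append((tuple(reg.state), out))
    return rows

def self_shrinking(state_bits, pairs):
    """Self-shrinking rule: read bit pairs (a, b) and keep b only when a == 1.
    Pair 10 -> 0, pair 11 -> 1, pairs 00 and 01 produce nothing."""
    reg = LFSR(state_bits)
    output = []
    for _ in range(pairs):
        a = reg.clock()
        b = reg.clock()
        if a == 1:
            output.append(b)
    return output

if __name__ == "__main__":
    for t, (state, out) in enumerate(lfsr_trace(SLIDE_STATE, 4), start=1):
        print(t, *state, "Out1 =", out)
    print("self-shrinking output after 2 pairs:", self_shrinking(SLIDE_STATE, 2))
```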


Other nonlinear stream ciphers

Trivium, eSTREAM project -- see textbook.

These are hardware implementations of PRNGs. Next we shall consider a software implementation.


RC4

Init for RC4 (key scheduling), Algorithm 6.1
Input: 16-byte key
Output: initial state , is a permutation of ,

for to ,
for to
Swap and
Return


RC4

GetBits for RC4 (Algorithm 6.2)
Input:
Output: byte y, updated state

Swap and
Return y
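The two RC4 algorithms above (Init = key scheduling, GetBits = one keystream byte) written out as the (Init, GetBits) pair of the stream-cipher definition. This is an added example, not the slides' or textbook's code; it accepts any 1..256-byte key rather than only the 16-byte key of Algorithm 6.1, and the function names are our own. RC4 is broken (see the next slide) and is shown only to make the state and its update concrete.

```python
# Added example (not from the slides): RC4 as (Init, GetBits). Deprecated cipher,
# implemented here only to illustrate the key schedule and the byte generator.

def rc4_init(key: bytes):
    """Key scheduling (Algorithm 6.1 shape): build initial state (S, i, j) from the key.
    The slides fix a 16-byte key; the scheduling itself accepts 1..256 bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))                 # S starts as the identity permutation
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]          # swapping keeps S a permutation of 0..255
    return S, 0, 0                       # state = (S, i, j)

def rc4_getbits(state):
    """One generator step (Algorithm 6.2 shape): return keystream byte y and the updated state."""
    S, i, j = state
    i = (i + 1) % 256
    j = (j + S[i]) % 256
    S[i], S[j] = S[j], S[i]
    y = S[(S[i] + S[j]) % 256]
    return y, (S, i, j)

def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n keystream bytes for the given key."""
    state = rc4_init(key)
    out = bytearray()
    for _ in range(n):
        y, state = rc4_getbits(state)
        out.append(y)
    return bytes(out)

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption and decryption are the same: XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))

if __name__ == "__main__":
    print(rc4_keystream(b"Key", 10).hex())
    print(rc4_crypt(b"Key", b"Plaintext").hex())
```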


Attacks on RC4

There are several attacks on RC4 that have been known for some time, and therefore this stream cipher should not be used anymore.

A serious attack occurs when an IV is prepended to the key. This attack can be used to recover the key (regardless of its length). It was used to break the WEP encryption standard, and was influential in getting the standard replaced---see the textbook for details of the attack.


Block ciphers

A block cipher is an efficient keyed permutation : is a bijection, and and its inverse are efficiently computable given .

Block ciphers should be viewed as pseudorandom permutations rather than as encryption schemes. They are basic building blocks for symmetric-key applications.


Block ciphers

We refer to as the key length and to as the block length of . These are now constants (fixed), whereas earlier they were functions of the security parameter. This takes us away from asymptotic security to concrete security.


Substitution-Permutation Networks

A block cipher must behave like a random permutation.

However, there are permutations on -bit strings, so representing an arbitrary permutation with block length requires roughly

Thus, we need to somehow construct a concise function that behaves like a random function.


The confusion-diffusion paradigm

Idea (Shannon): construct a random-looking permutation with large block length using smaller random-looking substitutions with small length.

A substitution-permutation network is an implementation of this paradigm.


The confusion-diffusion paradigm

The substitution component refers to small random functions called S-boxes, and the permutation component refers to the mixing of the outputs of those random functions.

The permutation component involves reordering the output bits; these reorderings are called mixing permutations.


An example, 1

Suppose we want to have block length 128 bits, and use 16 substitutions that have block length 8 bits. The key will specify the 16 substitutions. For input we parse as and set . The "round" functions are said to introduce confusion.


An example, 2

A diffusion step then mixes the bits of the output. For example, the bits of are shuffled to get .

The confusion-diffusion process is repeated several times.

A substitution-permutation network is an implementation of this paradigm.


An example, 3

Consider an SPN network with 64-bit block length and 8-bit S-boxes, . Evaluating the cipher proceeds in a number of rounds in which:

Key mixing: set , where is the current "round sub-key".
Substitution: set .
Permutation: permute the bits of to get the output for the next round.


Substitution-permutation network, Example 3, single round [figure: one round of the 64-bit SPN with eight 8-bit S-boxes]


The confusion-diffusion paradigm

The basic idea is to break the input up into small parts and then feed these parts through different S-boxes (random permutations). The outputs are then mixed together. The process is repeated a given number of times, called rounds.

The S-boxes introduce confusion into the construction. In order to spread the confusion throughout, the results are mixed together, achieving diffusion.


Any SPN is invertible

It suffices to invert each round. Given the SPN output for a round and the key, we:

First invert the mixing permutation.
Then invert the S-box permutations.
Finally XOR the result with the appropriate sub-key to get the round input.
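The round of Example 3 (key mixing, eight 8-bit S-boxes, mixing permutation) and its inversion in the order just listed, as an added toy example that is not the slides' or textbook's code. The S-box is a fixed random permutation of 0..255 standing in for a designed one, round sub-keys are supplied directly (there is no key schedule), and the mixing permutation is an 8x8 bit transpose chosen so that each S-box's output bits reach eight different S-boxes.

```python
import random

# Toy S-box: a fixed random permutation of 0..255 (a stand-in, not a designed S-box).
SBOX = list(range(256))
random.Random(5371).shuffle(SBOX)
SBOX_INV = [0] * 256
for x, y in enumerate(SBOX):
    SBOX_INV[y] = x

# Mixing permutation on 64 bit positions: an 8x8 transpose. Output bit k of S-box b
# (position 8*b + k) moves to position 8*k + b, so the 8 output bits of every S-box
# land in 8 different S-boxes of the next round (the diffusion condition for avalanche).
PERM = [8 * (i % 8) + i // 8 for i in range(64)]
PERM_INV = [0] * 64
for src, dst in enumerate(PERM):
    PERM_INV[dst] = src

def permute_bits(x, table):
    y = 0
    for src, dst in enumerate(table):
        if (x >> src) & 1:
            y |= 1 << dst
    return y

def substitute(x, box):
    y = 0
    for b in range(8):                     # eight 8-bit S-boxes side by side
        y |= box[(x >> (8 * b)) & 0xFF] << (8 * b)
    return y

def spn_round(x, subkey):
    x ^= subkey                            # key mixing
    x = substitute(x, SBOX)                # substitution (confusion)
    return permute_bits(x, PERM)           # mixing permutation (diffusion)

def spn_round_inv(y, subkey):
    y = permute_bits(y, PERM_INV)          # first invert the mixing permutation
    y = substitute(y, SBOX_INV)            # then invert the S-boxes
    return y ^ subkey                      # finally XOR off the round sub-key

def spn_encrypt(x, subkeys):
    for k in subkeys:
        x = spn_round(x, k)
    return x

def spn_decrypt(y, subkeys):
    for k in reversed(subkeys):
        y = spn_round_inv(y, k)
    return y
```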


The avalanche effect

An important property in any block cipher is that small changes to the input must result in large changes to the output.

To ensure this, block ciphers are designed so that small changes in the input propagate quickly to very large changes in the intermediate values.


The avalanche effect

It is easy to demonstrate that the avalanche effect holds in a substitution-permutation network when the following hold:

1. The S-boxes are designed so that any change of at least a single bit to the input of an S-box results in a change of at least two bits in the output.

2. The mixing permutations are designed so that the output bits of any given S-box are spread into different S-boxes in the next round.


Feistel Networks

A Feistel* network is an alternative way of constructing a block cipher. The low-level building blocks (S-boxes, mixing permutations and key schedule) are the same. The difference is in the high-level design.

The advantage of Feistel networks over substitution-permutation networks is that they enable the use of S-boxes that are not necessarily invertible.

* Horst Feistel, who did pioneering research while working for IBM


Feistel Networks

This is important because a good block cipher has chaotic behavior (it should look random). Requiring that all of the components of the construction be invertible inherently introduces structure, which contradicts the need for chaos.


Feistel Networks

A Feistel network is thus a way of constructing an invertible function from non-invertible components.

This seems like a contradiction in terms---if you cannot invert the components, how can you invert the overall structure?

Nevertheless, the Feistel design ingeniously overcomes this obstacle.


A Feistel network

1. For input , denote by and the first and second halves of respectively.
2. Let and .
3. For to (where is the number of rounds in the network):
   a) Let and , where denotes the -function in the -th round of the network.
   b) Let and .
   c) The output is .
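The construction above in code, with a round function that is deliberately not invertible (a hash of the sub-key and the right half, truncated to the half-block size, so many inputs share each output), to show how the swap-and-XOR structure still inverts. This is an added example, not the slides' or textbook's code; the 64-bit block with 32-bit halves, the SHA-256-based round function, and the function names are our own choices.

```python
import hashlib

HALF = 4   # 64-bit block split into two 32-bit halves (our choice for the example)

def round_function(subkey: bytes, right: bytes) -> bytes:
    """The round function f_i: SHA-256 of (sub-key || right half), truncated to HALF bytes.
    It compresses len(subkey) + HALF bytes down to HALF bytes, so it cannot be inverted;
    the Feistel structure never needs to invert it."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_encrypt(block: bytes, subkeys) -> bytes:
    """Rounds i = 1..r: L_i = R_{i-1}, R_i = L_{i-1} xor f_i(R_{i-1}); output L_r || R_r."""
    left, right = block[:HALF], block[HALF:]          # (L_0, R_0)
    for k in subkeys:
        left, right = right, xor(left, round_function(k, right))
    return left + right

def feistel_decrypt(block: bytes, subkeys) -> bytes:
    """Undo the rounds in reverse: R_{i-1} = L_i and L_{i-1} = R_i xor f_i(L_i).
    Only f_i is evaluated again (on L_i, which we have); it is never inverted."""
    left, right = block[:HALF], block[HALF:]          # (L_r, R_r)
    for k in reversed(subkeys):
        left, right = xor(right, round_function(k, left)), left
    return left + right

if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]               # constructed sample sub-keys
    c = feistel_encrypt(bytes(range(8)), keys)
    print(c.hex(), feistel_decrypt(c, keys).hex())
```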


[Figure: Feistel network.]