Session 3: Secret key cryptography – block ciphers – part 2

KASUMI

The KASUMI algorithm is the core of the standardised UMTS Confidentiality and Integrity algorithms.

Within the security architecture of the UMTS system there are two standardised algorithms:

• a confidentiality algorithm f8, and

• an integrity algorithm f9.

Each of these algorithms is based on the KASUMI algorithm.

KASUMI is a Feistel cipher with 8 rounds. It operates on a 64-bit data block and uses a 128-bit key.

Encryption:

• The 64-bit input I is divided into two 32-bit strings L_0 and R_0, where I = L_0 || R_0.

• Then, for each integer i with 1 ≤ i ≤ 8, we define

    R_i = L_{i-1},   L_i = R_{i-1} ⊕ f_i(L_{i-1}, RK_i)

• This constitutes the i-th round function of KASUMI, where f_i denotes the round function with L_{i-1} and round key RK_i as inputs.

• The result OUTPUT is equal to the 64-bit string (L_8 || R_8) offered at the end of the 8th round.

[Figure: KASUMI, the whole algorithm]

[Figure: KASUMI, the FO function]

[Figure: KASUMI, the FI function]

[Figure: KASUMI, the FL function]

The f-function has a 32-bit input and a 32-bit output. Each f-function of KASUMI is composed of two functions:

• an FL-function, and

• an FO-function.

An FO-function is defined as a network that makes use of three applications of an FI-function.

An FI-function has a 16-bit input and a 16-bit output. Each FI-function comprises a network that makes use of two applications of a function S9 and two applications of a function S7.

The functions S7 and S9 are also called "S-boxes of KASUMI".

In this manner KASUMI decomposes into a number of subfunctions (FL, FO and FI) that are used in conjunction with associated subkeys (KL, KO and KI).

The KI-key KI_{i,j} splits into two halves KI_{i,j,1} and KI_{i,j,2}.

Each f-function f_i takes a 32-bit input I and returns a 32-bit output O under the control of a round key RK_i, where the round key comprises the triplet (KL_i, KO_i, KI_i).

The f-function f_i itself is constructed from two subfunctions: an FL-function FL_i and an FO-function FO_i, with associated subkeys KL_i (used with FL_i) and subkeys KO_i and KI_i (used with FO_i).

The f-function f_i has two different forms depending on whether it is an even round or an odd round.

For odd rounds, i = 1, 3, 5 and 7, the f-function is defined as:

• f_i(I, RK_i) = FO_i(FL_i(I, KL_i), KO_i, KI_i)

For even rounds, i = 2, 4, 6 and 8, the f-function is defined as:

• f_i(I, RK_i) = FL_i(FO_i(I, KO_i, KI_i), KL_i)

FL functions:

The input to the function FL_i comprises a 32-bit data input I and a 32-bit subkey KL_i.

The subkey is split into two 16-bit subkeys, KL_{i,1} and KL_{i,2}, where:

    KL_i = KL_{i,1} || KL_{i,2}

The input data I is split into two 16-bit halves, L and R, where I = L || R.

The FL functions make use of the following simple operations:

• ROL(D): the left circular rotation of a data block D by one bit.

• D1 ∪ D2: the bitwise OR operation of two data blocks D1 and D2.

• D1 ∩ D2: the bitwise AND operation of two data blocks D1 and D2.

Then the 32-bit output value of the FL-function is defined as L' || R', where:

    L' = L ⊕ ROL(R' ∪ KL_{i,2})

    R' = R ⊕ ROL(L ∩ KL_{i,1})

FO functions:

The input to the function FO_i comprises a 32-bit data input I and two sets of subkeys:

• a 48-bit KO_i, and

• a 48-bit KI_i.

The 32-bit data input is split into two halves, L_0 and R_0, where I = L_0 || R_0, while the 48-bit subkeys are subdivided into three 16-bit subkeys, where:

    KO_i = KO_{i,1} || KO_{i,2} || KO_{i,3}   and   KI_i = KI_{i,1} || KI_{i,2} || KI_{i,3}

For each integer j with 1 ≤ j ≤ 3, the operation of the j-th round of the function FO_i is defined as:

    R_j = FI_{i,j}(L_{j-1} ⊕ KO_{i,j}, KI_{i,j}) ⊕ R_{j-1}

    L_j = R_{j-1}

The output from the FO_i function is defined as the 32-bit data block L_3 || R_3.

FI functions:

An FI-function FI_{i,j} takes a 16-bit data input I and a 16-bit subkey KI_{i,j}.

The input I is split into two unequal components, a 9-bit left half L_0 and a 7-bit right half R_0, where I = L_0 || R_0.

Similarly, the key KI_{i,j} is split into a 7-bit component KI_{i,j,1} and a 9-bit component KI_{i,j,2}, where KI_{i,j} = KI_{i,j,1} || KI_{i,j,2}.

Each FI-function FI_{i,j} uses two S-boxes: S7, which maps a 7-bit input to a 7-bit output, and S9, which maps a 9-bit input to a 9-bit output.

FI-functions also use two additional functions, which are designated by ZE (appends 2 zeros before the MSB of a 7-bit string) and TR (discards the 2 MSBs of a 9-bit string).

The function FI_{i,j} is defined by the following series of operations:

    L_1 = R_0                     R_1 = S9[L_0] ⊕ ZE(R_0)
    L_2 = R_1 ⊕ KI_{i,j,2}        R_2 = S7[L_1] ⊕ TR(R_1) ⊕ KI_{i,j,1}
    L_3 = R_2                     R_3 = S9[L_2] ⊕ ZE(R_2)
    L_4 = S7[L_3] ⊕ TR(R_3)       R_4 = R_3

The output of the FI_{i,j} function is the 16-bit data block L_4 || R_4.

The S-boxes S7 and S9 are obtained as linear transforms of power functions over the corresponding fields, with Kasami’s exponents.

The key schedule of KASUMI contains linear transforms and is rather simple.

That was a consequence of performance requirements.

Rijndael - AES

In 2001, Rijndael was accepted by NIST as the Advanced Encryption Standard (AES) that was to replace DES and be implemented everywhere, from operating systems, browsers to banking applications.

Designed for key lengths of 128, 192 and 256 bits.

Rijndael consists of 10 rounds for a 128-bit key, 12 rounds for a 192-bit key, and 14 rounds for a 256-bit key.

We consider a 128-bit version, for simplicity.

Each round has a round key, derived from the original key.

There is also a 0th round key, which is the original key.

A round starts with an input of 128 bits and produces an output of 128 bits.

There are four basic steps, called layers, that are used to form the rounds:

• The ByteSub Transformation (BS): This non-linear layer is for resistance to differential and linear cryptanalysis attacks.

• The ShiftRow Transformation (SR): This linear mixing step causes diffusion of the bits over multiple rounds.

• The MixColumn Transformation (MC): This layer has a purpose similar to ShiftRow.

• AddRoundKey (ARK): The round key is XORed with the result of the above layer.

Rijndael encryption:

• ARK, using the 0th round key.

• Nine rounds of BS, SR, MC, ARK, using round keys 1 to 9.

• A final round: BS, SR, ARK, using the 10th round key.

The final round uses the ByteSub, ShiftRow, and AddRoundKey steps but omits MixColumn.

The 128-bit output is the ciphertext block.

The 128 input bits are grouped into 16 bytes of 8 bits each:

• a_{0,0}, a_{1,0}, a_{2,0}, a_{3,0}, a_{0,1}, a_{1,1}, …, a_{3,3}.

These are arranged into a 4x4 byte matrix:

    a_{0,0}  a_{0,1}  a_{0,2}  a_{0,3}
    a_{1,0}  a_{1,1}  a_{1,2}  a_{1,3}
    a_{2,0}  a_{2,1}  a_{2,2}  a_{2,3}
    a_{3,0}  a_{3,1}  a_{3,2}  a_{3,3}

The operations that are performed in the field GF(2^8) use the following generating polynomial (Rijndael polynomial):

• f(X) = 1 + X + X^3 + X^4 + X^8

Each byte, except the zero byte, has a multiplicative inverse in GF(2^8).

The ByteSub transformation:

• In this step, each of the bytes in the matrix is changed to another byte by means of the S-box.

• If we write a byte as 8 bits, abcdefgh, we can look for the entry in the abcd row and efgh column of the S-box (the rows and columns are numbered from 0 to 15).

• This entry, when converted to binary, is the output.

The output of ByteSub is again a 4x4 matrix of bytes:

    b_{0,0}  b_{0,1}  b_{0,2}  b_{0,3}
    b_{1,0}  b_{1,1}  b_{1,2}  b_{1,3}
    b_{2,0}  b_{2,1}  b_{2,2}  b_{2,3}
    b_{3,0}  b_{3,1}  b_{3,2}  b_{3,3}

The ShiftRow Transformation:

• The four rows of the matrix are shifted cyclically to the left by offsets of 0, 1, 2, and 3, to obtain

    c_{0,0}  c_{0,1}  c_{0,2}  c_{0,3}       b_{0,0}  b_{0,1}  b_{0,2}  b_{0,3}
    c_{1,0}  c_{1,1}  c_{1,2}  c_{1,3}   =   b_{1,1}  b_{1,2}  b_{1,3}  b_{1,0}
    c_{2,0}  c_{2,1}  c_{2,2}  c_{2,3}       b_{2,2}  b_{2,3}  b_{2,0}  b_{2,1}
    c_{3,0}  c_{3,1}  c_{3,2}  c_{3,3}       b_{3,3}  b_{3,0}  b_{3,1}  b_{3,2}

The MixColumn Transformation:

• Regard a byte as an element of GF(2^8).

• Then the output of the ShiftRow step is a 4x4 matrix [c_{i,j}] with entries in GF(2^8).

• We multiply from the left the matrix [c_{i,j}] by a special matrix, whose entries are the elements of GF(2^8), to produce the output [d_{i,j}]:

    00000010  00000011  00000001  00000001       c_{0,0}  c_{0,1}  c_{0,2}  c_{0,3}       d_{0,0}  d_{0,1}  d_{0,2}  d_{0,3}
    00000001  00000010  00000011  00000001   ×   c_{1,0}  c_{1,1}  c_{1,2}  c_{1,3}   =   d_{1,0}  d_{1,1}  d_{1,2}  d_{1,3}
    00000001  00000001  00000010  00000011       c_{2,0}  c_{2,1}  c_{2,2}  c_{2,3}       d_{2,0}  d_{2,1}  d_{2,2}  d_{2,3}
    00000011  00000001  00000001  00000010       c_{3,0}  c_{3,1}  c_{3,2}  c_{3,3}       d_{3,0}  d_{3,1}  d_{3,2}  d_{3,3}

The RoundKey Addition:

• The round key, derived from the key, consists of 128 bits, which are arranged in a 4x4 matrix [k_{i,j}] of bytes.

• This is XORed with the output of the MixColumn step:

    d_{0,0}  d_{0,1}  d_{0,2}  d_{0,3}       k_{0,0}  k_{0,1}  k_{0,2}  k_{0,3}       e_{0,0}  e_{0,1}  e_{0,2}  e_{0,3}
    d_{1,0}  d_{1,1}  d_{1,2}  d_{1,3}   ⊕   k_{1,0}  k_{1,1}  k_{1,2}  k_{1,3}   =   e_{1,0}  e_{1,1}  e_{1,2}  e_{1,3}
    d_{2,0}  d_{2,1}  d_{2,2}  d_{2,3}       k_{2,0}  k_{2,1}  k_{2,2}  k_{2,3}       e_{2,0}  e_{2,1}  e_{2,2}  e_{2,3}
    d_{3,0}  d_{3,1}  d_{3,2}  d_{3,3}       k_{3,0}  k_{3,1}  k_{3,2}  k_{3,3}       e_{3,0}  e_{3,1}  e_{3,2}  e_{3,3}

The key schedule:

• The original key consists of 128 bits, which are arranged into a 4x4 matrix of bytes.

• This matrix is expanded by adjoining 40 more columns, as follows.

• Label the first four columns W(0), W(1), W(2), W(3).

• The new columns are generated recursively.

• Suppose columns up through W(i-1) have been defined.

• If i is not a multiple of 4, then W(i) = W(i-4) ⊕ W(i-1).

• If i is a multiple of 4, then W(i) = W(i-4) ⊕ T(W(i-1)).

T(W(i-1)) is the transformation of W(i-1) obtained as follows:

• Let the elements of the column W(i-1) be a, b, c, d.

• Shift these cyclically to obtain b, c, d, a.

• Now replace each of these bytes with the corresponding element in the S-box from the ByteSub step, to get 4 bytes e, f, g, h.

• Finally, compute the round constant r(i) = 00000010^((i-1)/4) in GF(2^8).

Then T(W(i-1)) is the column vector (e ⊕ r(i), f, g, h).

In this way columns W(4), ..., W(43) are generated from the initial four columns.

The round key for the i-th round consists of the columns W(4i), W(4i+1), W(4i+2), W(4i+3).

The S-box was obtained on the basis of the multiplicative inverse of input.

The only exception is S(0)=0, since 0 has no multiplicative inverse.
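The encryption steps described above (GF(2^8) arithmetic, ByteSub, ShiftRow, MixColumn, AddRoundKey and the W(i) key schedule), assembled into AES-128 block encryption as an added Python example that is not part of the original slides. The S-box is computed instead of tabulated; the affine map applied after inversion is taken from FIPS 197, not from the slides, and all function names are chosen here.

```python
def xtime(a):
    """Multiply by X (00000010) in GF(2^8) modulo f(X) = 1 + X + X^3 + X^4 + X^8."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """Product of two bytes regarded as elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """ByteSub table: multiplicative inverse, then the affine map of FIPS 197."""
    box = []
    for x in range(256):
        # 0 has no inverse; it is passed to the affine step as 0
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()

def expand_key(key):
    """Columns W(0)..W(43); the round key for round i is W(4i)..W(4i+3)."""
    w = [list(key[4 * c:4 * c + 4]) for c in range(4)]
    rc = 1  # round constant: 00000001 for W(4), times 00000010 at each later multiple of 4
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # (a,b,c,d) -> (b,c,d,a), then S-box
            t[0] ^= rc
            rc = xtime(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def mix_columns(s):
    """Multiply each column by the matrix with first row (2, 3, 1, 1)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(2, col[r]) ^ gmul(3, col[(r + 1) % 4])
                       ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return out

def add_round_key(s, w, rnd):
    return [s[4 * c + r] ^ w[4 * rnd + c][r] for c in range(4) for r in range(4)]

def encrypt_block(plaintext, key):
    """State is stored column by column: index 4*c + r holds a_{r,c}."""
    w = expand_key(key)
    s = add_round_key(list(plaintext), w, 0)          # ARK with the 0th round key
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                      # ByteSub
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRow
        if rnd < 10:
            s = mix_columns(s)                        # omitted in the final round
        s = add_round_key(s, w, rnd)
    return bytes(s)
```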

Decryption:

• Each of the steps ByteSub, ShiftRow, MixColumn, and AddRoundKey is invertible:

• The inverse of ByteSub is another lookup table, called InvByteSub.

• The inverse of ShiftRow is obtained by shifting the rows to the right instead of to the left, yielding InvShiftRow.

The inverse of MixColumn exists because the 4x4 matrix used in MixColumn is invertible.

The transformation InvMixColumn is given by multiplication by the matrix

    00001110  00001011  00001101  00001001
    00001001  00001110  00001011  00001101
    00001101  00001001  00001110  00001011
    00001011  00001101  00001001  00001110

AddRoundKey is its own inverse.

The decryption process:

• ARK, using the 10th round key.

• Nine rounds of IBS, ISR, IMC, IARK, using round keys 9 to 1.

• A final round: IBS, ISR, ARK, using the 0th round key.

The fact that encryption and decryption are not identical processes leads to the expectation that there are no weak keys, in contrast to DES and several other algorithms.

Modes of operation

Block ciphers operate over highly reduced information sets.

They are adequate for enciphering short messages, such as keys, identifications, signatures, passwords, etc.

But they are totally inadequate for enciphering great quantities of data, such as highly formatted text, listings, programs, tables, documents and especially images, because the structure of these documents can be determined easily.

By convention, the direct use of a block cipher is called Electronic Codebook Mode (ECB).

Other modes of operation of block ciphers are:

• Cipher Block Chaining mode, CBC.

• Cipher Feedback mode, CFB.

• Output Feedback mode, OFB.

• Counter mode, CTR.

It is supposed that the block length is n.

In the following illustrations of modes of operation, DES is used as an example.

However, any block cipher can be used instead of DES.

Cipher block chaining:

• An n-bit shift register is loaded with a random initial vector (IV), which is not kept secret.

• In this way, the block cipher is converted into a stream cipher; by changing the IV, equal messages can be enciphered in different ways; error propagation is limited; and the size of the key space is not changed.

Cipher feedback mode:

• An n-bit shift register is loaded with a random initial vector (IV) that is not kept secret.

• The plaintext is divided into blocks of m bits.

• The sum modulo 2 is performed over blocks of m bits, where m can vary between 1 and n.

• The shift register of n bits is shifted left m bits after each operation of block encipherment.

• In this mode, the block cipher is converted into a stream cipher, equal messages can be enciphered in different ways by changing the IV, error propagation is limited, the key space size is not changed, and the cipher is self-synchronising.

Output feedback mode:

• An n-bit shift register is loaded with an initial vector (IV) that may be non-random, but it must be unique to every message to be encrypted. The IV is not kept secret.

• The plaintext is divided into m-bit blocks.

• The sum modulo 2 is performed, bit by bit, over blocks, whose length can vary between 1 and n.

• The shift register shifts left m bits after each block encipherment.

• In this mode, the block cipher is converted into a stream cipher and is used as a running key generator, equal messages can be enciphered in different ways by changing the IV, there is no error propagation, and the cipher is not self-synchronising.

Counter mode:

• Just like OFB, CTR creates an output key stream that is XORed with chunks of plaintext to produce ciphertext.

• The main difference between CTR and OFB lies in the fact that the output stream O_j in CTR is not linked to previous output streams.

CTR starts with the plaintext broken into 8-bit pieces, P = [P_1, P_2, ...].

We begin with an initial value X_1, which has a length equal to the block length of the cipher, for example, 64 bits.

Now, X_1 is encrypted using the key K to produce 64 bits of output, and the leftmost 8 bits of the ciphertext are extracted and XORed with P_1 to produce 8 bits of ciphertext, C_1.

Now, rather than update the register X_2 to contain the output of the block cipher, we simply take X_2 = X_1 + 1.

In this way, X_2 does not depend on previous output.

CTR then creates a new output stream by encrypting X_2.

General CTR procedure:

• X_j = X_{j-1} + 1

• O_j = L_8(E_K(X_j))

• C_j = P_j ⊕ O_j
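The CTR procedure above, next to the 8-bit OFB mode it is compared with, as an added Python example that is not part of the original slides. The block cipher E_K is replaced by a stand-in (HMAC-SHA256 truncated to 64 bits), the feedback of O_j into the OFB shift register follows the usual m-bit OFB definition, and the key, X_1 and messages are constructed.

```python
import hashlib
import hmac

N = 8  # block length n = 64 bits, the DES-sized block used in the slides

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (assumption): HMAC-SHA256 truncated to n bits.
    OFB and CTR only run the cipher forwards, so invertibility is not needed."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def ctr_byte(key: bytes, x1: bytes, j: int) -> int:
    """O_j = L_8(E_K(X_j)) with X_j = X_1 + (j - 1): computable for any j directly."""
    xj = (int.from_bytes(x1, "big") + j - 1) % (1 << (8 * N))
    return E(key, xj.to_bytes(N, "big"))[0]

def ctr(key: bytes, x1: bytes, data: bytes) -> bytes:
    """C_j = P_j XOR O_j; applying it again with the same X_1 decrypts."""
    return bytes(p ^ ctr_byte(key, x1, j) for j, p in enumerate(data, 1))

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """8-bit OFB: O_j is shifted back into the register, so O_j needs O_1..O_{j-1}."""
    reg, out = iv, bytearray()
    for p in data:
        o = E(key, reg)[0]
        out.append(p ^ o)
        reg = reg[1:] + bytes([o])  # shift left 8 bits, feed O_j in on the right
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def demo() -> dict:
    key = b"constructed key"                       # constructed sample key
    x1 = bytes.fromhex("0000000000000010")         # constructed X_1 / IV
    m1, m2 = b"PAY 0100 TO ALICE", b"PAY 9999 TO CAROL"  # constructed messages
    c1, c2 = ctr(key, x1, m1), ctr(key, x1, m2)    # X_1 repeated: the failure case
    damaged = bytearray(ofb(key, x1, m1))
    damaged[4] ^= 0x01                             # one ciphertext bit hit in transit
    recovered = ofb(key, x1, bytes(damaged))
    return {
        "ctr_roundtrip": ctr(key, x1, c1) == m1,
        "ofb_roundtrip": ofb(key, x1, ofb(key, x1, m1)) == m1,
        # CTR random access: byte 5 is decrypted without producing O_1..O_4
        "ctr_byte5": bytes([c1[4] ^ ctr_byte(key, x1, 5)]),
        # no error propagation: only the damaged position differs after decryption
        "ofb_bad_positions": [i for i, (a, b) in enumerate(zip(recovered, m1)) if a != b],
        # why X_1 / IV must be unique per message: the keystream cancels out
        "reuse_leaks_xor": xor(c1, c2) == xor(m1, m2),
    }
```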

Security of block ciphers

The decomposition of encryption/decryption into sub-processes provides the cryptanalyst the possibility for an attack.

No practical block cipher is provably secure.

Consequently, new design criteria are being discovered, often as a response to emerging novel attacks on block ciphers.

The development of theoretical knowledge about block ciphers:

• Typically, a block cipher design is proposed according to widely-accepted and well-founded rules.

• This forces the cryptanalyst to attempt to attack the cipher in a new way.

• These new attacks, if successful, lead in turn to the extension of the set of design criteria.

There exist accepted security models, which can be used for analyzing a block cipher. The most widely used ones are:

• Unconditional Security (Perfect Secrecy).

• Security Against a Polynomial Attack.

• “Provable” Security.

• Practical Security.

• Historical Security.

Unconditional Security (Shannon):

• An adversary has unlimited computational resources.

• Secure encryption only exists if the size of the key is as large as the number of bits to be enciphered.

• Perfect secrecy is possible only if no more than K/N plaintexts are enciphered using a fixed key (e.g. the one-time pad).

• Not a useful model for practical block ciphers.

Security Against a Polynomial Attack:

• It is assumed that the adversary is a probabilistic algorithm, which runs in polynomial time.

• Security is claimed with respect to the feasibility of breaking the cryptosystem.

• The origin of the model is in complexity theory considerations: adversaries are assumed to possess only polynomial computational resources — polynomial in the size of the input to the cipher in bits.

• The model typically conducts worst-case and asymptotic analyses to determine whether polynomial attacks on a cipher exist.

• Even if such attacks do exist, it is not guaranteed that they are practical.

• The model tends to provide an understanding as to the type (class) of problem embodied by a block cipher.

“Provable” Security:

• Tries to show that breaking a block cipher is as difficult as solving some well known hard problem (e.g. discrete log or factoring).

• The problem: there is a fundamental open question in computer science as to whether these hard problems are in P or in NP.

• In fact, provable security requires a proof that P ≠ NP, and the existence of one-way functions.

• This is an asymptotic complexity measure — one is assessing the level of complexity as the input size, in bits, tends to infinity.

• Very useful for practical analysis of the cipher.

“Provable” Security (cont.):

• A block cipher may be shown to be provably secure against a known sub-class of attacks.

• Example: provable security against linear and differential cryptanalysis.

• This does not mean that the cipher is secure against all attacks.

Practical Security:

• A block cipher is considered practically secure if the best known attack against it requires too many resources.

• A very practical model: it is possible to test the cipher with different known attacks, and then give an assessment of its strength against such attacks in terms of time/space resources needed.

• The model says nothing about the security level with respect to yet unknown attacks.

Historical Security:

• Tries to assess the security level of a block cipher according to how much cryptanalytic attention the cipher has attracted over the years.

• If a cipher has been under scrutiny for many years without any serious security flaws found in it, that inspires a certain confidence in the cipher.

• Drawback: the effort spent on breaking a cipher cannot always be measured reliably from the time passed.