Introduction to Cryptography: Private-Key Encryption in Practice and DES Algorithm, Study notes of Cryptography and System Security

Lecture notes from the CS 120/CSCI E-177: Introduction to Cryptography course. They focus on private-key encryption schemes used in practice, specifically stream ciphers and block ciphers. The notes cover the differences between them, their design principles, and the Data Encryption Standard (DES) as an example of a block cipher. They also discuss modes of operation and cryptanalysis of DES.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011


CS 120/CSCI E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Nov. 7, 2006

Lecture Notes 13:

Private-Key Encryption in Practice

Recommended Reading.

  • Katz-Lindell, Chapter 5.
  • FIPS publication describing DES (link on webpage).
  • FIPS publication describing AES.

1 Stream Ciphers vs. Block Ciphers

  • Unlike what we've seen, private-key (aka symmetric) encryption schemes used in practice generally
    - are not based on nice computational problems
    - are not proven secure via reductions
    - are designed for a particular input length (so can only be treated with concrete security)
    - but are extremely efficient
  • Stream Ciphers
    - Essentially meant to be pseudorandom generators, used for stateful encryption.
    - Examples: linear feedback shift registers (not secure, but used as component in better stream ciphers), RC4, SEAL, ...
    - Extremely simple and fast
    - Practical issues: can generate pseudorandom bits offline and decrypt very quickly without buffering, but requires synchronization

  • Block ciphers
    - For every key $k \in \{0,1\}^n$, $E_k : \{0,1\}^\ell \to \{0,1\}^\ell$ is a permutation, and both $E_k$ and $E_k^{-1}$ can be computed quickly given $k$. ($n$ = key length, $\ell$ = block length)
    - Examples: DES, AES/Rijndael, IDEA, ...
    - Main tools for private-key encryption in practice.
    - Have both stateless modes and stateful/stream-like modes.

  • How are they designed?
    - More of an art than science. Intuition/experience of designers, public critique important.
    - Diffusion: have each output bit affected by many input bits, each input bit influence many output bits; often achieved by repeating many rounds that involve swapping bits.
    - Confusion: avoid structured relationships (especially linearity) between input and output/key that are exploited in known attacks.
    - Output should be random-looking, have good statistical properties.
    - Simplicity.
    - Efficiency: extremely fast in hardware & software on wide variety of platforms.

2 The Data Encryption Standard (DES)

  • Designed by IBM and the NSA, standardized in 1977.
  • Most widespread block cipher: used by federal agencies, banks (ATM machines), SSL, ...
  • Key length 56, block length 64.
  • Computation of $\mathrm{DES}_k(m)$ is done by 16-round Feistel network:
    - $(\ell_0, r_0) \in \{0,1\}^{32} \times \{0,1\}^{32}$ is fixed permutation of bit positions of $m$.
    - $(\ell_i, r_i) = (r_{i-1},\ \ell_{i-1} \oplus f_{k_{i-1}}(r_{i-1}))$. (Feistel transformation)
    - Subkey $k_{i-1} \in \{0,1\}^{48}$ consists of fixed permuted subset of bits of $k$.
    - Computation of round function $f_k(r)$:
      * $r \in \{0,1\}^{32}$ expanded to $E(r) \in \{0,1\}^{48}$ by repeating some bits and permuting bits.
      * $E(r) \oplus k$ broken into 6-bit blocks $B_1, \ldots, B_8$.
      * $C_j = S_j(B_j)$ for hardwired S-box $S_j : \{0,1\}^6 \to \{0,1\}^4$. (Main source of DES's security.)
      * $f_k(r)$ = fixed permutation of bits of $C_1 \cdots C_8$.

  • Inversion: each Feistel transformation is a permutation, the inverse of the Feistel transformation is easy to compute given the subkey.
  • Speed: ≈ 10 Mbits/sec in software, > 1 Gbit/sec in hardware!

3 Modes of Operation

  • Described for DES, but apply to any block cipher.
  • Electronic Codebook Mode (ECB Mode): To encrypt message $m$, break $m$ into blocks $m_1, m_2, \ldots$ of size 64, output $c_1, c_2, \ldots$, where $c_i = \mathrm{DES}_k(m_i)$.
  • Cipher-Block Chaining Mode (CBC Mode): $c_0 \stackrel{R}{\leftarrow} \{0,1\}^{64}$, $c_i = \mathrm{DES}_k(c_{i-1} \oplus m_i)$.
  • Counter Mode (CTR Mode): $c_i = \mathrm{DES}_k(IV + i \bmod 2^{64}) \oplus m_i$.
  • Output Feedback Mode (OFB Mode): $c_i = m_i \oplus z_i$, where $z_0 \stackrel{R}{\leftarrow} \{0,1\}^{64}$, $z_i = \mathrm{DES}_k(z_{i-1})$. (Stream cipher).
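
An added example (not part of the original lecture notes): a toy 16-round Feistel cipher on 64-bit blocks, showing that the network from Section 2 inverts even though its round function does not, and that ECB repeats ciphertext blocks for repeated plaintext blocks while CBC does not. The round function `f`, the key schedule `subkeys`, and the sample key and message are assumptions made for illustration; this is not DES (no S-boxes or bit permutations), and messages must be a multiple of 8 bytes.

```python
import hashlib, hmac, os

BLOCK = 8  # 64-bit blocks as in DES; each Feistel half is 32 bits

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(subkey, r):
    # Stand-in round function (truncated HMAC-SHA256), NOT the DES S-box function.
    # It is not invertible, yet the Feistel structure below still is.
    return hmac.new(subkey, r, hashlib.sha256).digest()[:4]

def subkeys(k, rounds=16):
    # Assumed toy key schedule; DES instead selects 48 permuted key bits per round.
    return [hashlib.sha256(k + bytes([i])).digest() for i in range(rounds)]

def E(k, m):
    l, r = m[:4], m[4:]
    for sk in subkeys(k):
        l, r = r, xor(l, f(sk, r))        # (l_i, r_i) = (r_{i-1}, l_{i-1} xor f(r_{i-1}))
    return l + r

def D(k, c):
    l, r = c[:4], c[4:]
    for sk in reversed(subkeys(k)):
        l, r = xor(r, f(sk, l)), l        # undo one round using the same subkey
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, m):
    return b"".join(E(k, b) for b in blocks(m))          # c_i = E_k(m_i)

def cbc_encrypt(k, m):
    c = [os.urandom(BLOCK)]                               # c_0 chosen at random
    for b in blocks(m):
        c.append(E(k, xor(c[-1], b)))                     # c_i = E_k(c_{i-1} xor m_i)
    return b"".join(c)

def cbc_decrypt(k, c):
    cs = blocks(c)
    return b"".join(xor(D(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

if __name__ == "__main__":
    key = b"constructed-key"
    msg = b"PAY 100$" * 3 + b"PAY 999$"                   # constructed input, 4 blocks
    print("distinct ECB blocks:", len(set(blocks(ecb_encrypt(key, msg)))))
    print("distinct CBC blocks:", len(set(blocks(cbc_encrypt(key, msg)))))
    assert cbc_decrypt(key, cbc_encrypt(key, msg)) == msg
```

The three identical plaintext blocks collapse to one ECB ciphertext block, which is the leak that makes ECB insecure; under CBC every block, including $c_0$, differs.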

∗ Sometimes, next word formed by a left-shift and S-box applied to entries of previous word.

  • Design criteria:

    - Protection against known attack methods (e.g. linear and differential cryptanalysis).
    - Efficiency (hardware and software) on wide range of platforms.
    - Simplicity.

  • Only time will tell how good it really is!

6 Theory vs. Practice

  • Why do people use block ciphers over provable constructions?

    - Efficiency: provable constructions much slower (modular arithmetic), require larger keys. For a key length $k$, the security of block ciphers seems to grow like $\Theta(2^k)$ and the security of provable number-theoretic constructions seems to grow like $2^{\Theta(k^{1/3})}$.
    - History: block ciphers standardized before modern cryptography developed (in contrast to public-key crypto).

How can we bridge the gap?

  • Approach 1 (Most common): Model block ciphers as families of pseudorandom permutations (as in Bellare-Rogaway)
    + Can critique existing uses of block ciphers, e.g. some modes of operation secure (like CBC, CTR), some insecure (like ECB).
    + Can give some justification for Feistel network (converts PRFs to PRPs).
    − A very strong assumption, hard to evaluate!
  • Approach 2 (Not so common): View block ciphers as one-way functions and apply provable constructions.
    + OWF assumption much weaker, easier to evaluate.
    − Resulting constructions unlikely to be as efficient.
    − Possibly not using full strength of block ciphers.
  • Approach 3 (Occasionally used): Forget modelling and proofs, just take main ideas & understanding of goals from theory.