Dominik Farhan

Block ciphers

Fixed-size blocks. Longer messages are divided to blocks and encrypted accordingly.

Trivial examples

Caesar — small number of keys, small blocks, no interaction between letters
Vigener cipher
Permutations of the alphabet in general

Security of block ciphers

Hard to define: usually attacks go around the definition, or it is too strict so no reasonable cipher fits into it.

Idea: the cipher is not distinguishable from a random permutation.

Most ciphers produce only even permutations.

Usually, a cipher is considered secure if $\nexists \text{ a distinguisher with } Pr{\left[\text{sucess}\right]} \geq \frac{2}{3}$ and $\text{runtime }< 2^{\text{security level}}$ NOTE: this isn’t covering chosen-key and related-key attacks

Iterated ciphers

SPNs

S-boxes small lookup tables, invertible

whitening xor at the beginning and at the end. Prevents the attacker from influencing S-boxes.

p-box permutation of the block

upgradable by using some invertible linear transformations instead of permutations

SPN, GaborPete, CC BY-SA 3.0, via Wikimedia Commons

Feistel networks

Construction with noninvertible S-boxes.

Decryption is again a Feistel network, but with reversed key order. This allows some very elegant implementations.

The left and the right part are switched after each round.

Feistel Cipher Diagram: Amirki, CC BY-SA 3.0, via Wikimedia Commons

DES (Data Encryption Standard)

History

In the 70s by IBM, ordered by National Bureau for Standards.

56-bit key (or 64 bit but each byte has a parity bit — NSA trolling)

64-bit blocks.

NSA influenced S-boxes to make the cipher stronger.

Structure

Feistel network with 16 rounds working with 32-bit half-blocks.

Initial and Final Permutation (IP & FP) — useless

Feistel function in DES, board from the 4th lecture, by Martin Mareš, http://mj.ucw.cz/vyuka/2021/kry/.

Key schedule

bit mapping

16 boxes

another mapping and we have a round-key

then continue to another box/round

Key schedule in DES, board from the 4th lecture, by Martin Mareš, http://mj.ucw.cz/vyuka/2021/kry/.

Critique of DES

Kyes: all ones, all zeros, $\text{\#e}1\text{e}1...$ , and $\text{\#}1\text{e}1\text{e}...$ are weak.

There also exist key pairs (semi-weak keys) such that ( $K, K’$ ) produces ( $K_1, K_2, K_1,...$ ) and ( $K_2, K_1, K_2,...$ )

DES has complementarity property

E_{\neg k}(\neg x) = \neg E_k(x)

Keys are so short that it's unsafe.

you can even pay for a service that breaks DES for you.

Small blocks, collisions every $2^{32}$ .

Differential cryptoanalysis needs $2^{47}$ chosen plaintexts (the S-boxes chosen by NSA made it stronger so Differential cryptoanalysis isn’t so easy-peasy.)

Linear cryptoanalysis $2^{43}$ known plaintexts.

Put all together it’s broken.

Tries to save the day

2-DES won’t help because we can meet-in-the-middle

3-DES

sometimes with $K_1 = K_3$ , in such case security level is $80$ , in cases where all keys are different security level is $112$ .

AES (Advanced Encryption Standard)

1997 NIST (successor of NBS) announces a competition. They get 15 proposals, it takes a few years to choose the best one.

criteria: security, speed, easiness of implementation

2001 Rijndael wins, renamed AES

128-bit blocks, key 128 (10 rounds), 192 (12) or 256 (14) bits

SPN with linear transformation

inner state and round key are both 4x4 matrices

Round

bytesub, s-boxes work in $GF(2^8)$ field + affine transformation with rotations and xors
shift row, shifts to the left
mix column, not in the last round
Add round key, xor with the key

Before the first round we add round key.

Inverse round

The following operations commute:

add round key and inv mix Column (when $K_i$ is replaced with it’s mix)
inv shift row and inv byt sub

The performance is great. The cipher is fast and also has a nice algebraic structure (maybe too nice).

Critique

simple algebraic structure
small margin of safety (small number of rounds). There are attacks on smaller number of rounds. Someday they might be extended.
Collisions likely after $2^{64}$ blocks, recommended to change key every $2^{32}$ blocks.
$128$ -bit key is to weak against quantum computers.

Serpent

Very conservative. Blocks $128$ b, key $128-256$ b, $32$ rounds SPN + linear transformations. It's slow.

Twofish

$128$ b blocks, key up to $256$ b, $16$ round Feistel network, slow init, S-boxes are computed from the key.

Types of padding

non-zero and then only zeros
repeat the byte containing the size of padding
add $p-1$ zeros and then $p$

Block Cipher Modes

ECB (Electronic Codebook)

Visual proof that using ECB is a bad idea, en:User:Lunkwill, Attribution, via Wikimedia Commons

Each block is encrypted independently of the other blocks.

If two blocks are identical then the corresponding cipher blocks are the same.

No IV, so it’s deterministic

It is possible to swap blocks, change one block without influencing other

So this is the worst block cipher mode which could be made. — Martin Mareš.

ECB wiring, Martin Mareš's Notes on Cryptography (in Czech), http://mj.ucw.cz/vyuka/1920/kry/kry-2019.pdf

CBC (Cipher Block Chaining)

Uses IV.

XORs preceding block to the current.

Decryption can be parallelized and random access. But changes of blocks are not possible because you have to recalculate everything after the changed block.

The most frequently used mode.

CBC wiring, Martin Mareš's Notes on Cryptography (in Czech), http://mj.ucw.cz/vyuka/1920/kry/kry-2019.pdf

Leak

After about $2^{keysize/2}$ there are two same blocks.

E_K (X_i \oplus Y_{i-1}) = E_k (X_j \oplus Y_{j-1})

X_i \oplus X_j = Y_{i-1} \oplus Y_{j-1}

this leaks blocksize bits of information on the plaintext.

CTR (Counter)

Turns block cipher into a stream cipher.

IVs need to be random (when using the same key).

Easily parallelized.

CTR wiring, Martin Mareš's Notes on Cryptography (in Czech), http://mj.ucw.cz/vyuka/1920/kry/kry-2019.pdf

Leak

Every keystream is different which leaks some fraction of information over a long period of time.

OFB (Output FeedBack)

Uses IV and then the output of the preceding key stream is used to create key-stream for the next block.

Problem: we're following some cycle in a permutation, there’s a possibility we hit some short cycle.

OFB wiring, Martin Mareš's Notes on Cryptography (in Czech), http://mj.ucw.cz/vyuka/1920/kry/kry-2019.pdf

Padding Oracle (on CBC)

The attacker is able to know if the message had a valid padding.

Assume the padding: repeat the byte containing the size of the padding

We will try all the possible values in the last byte of the padding. There is exactly one solution to obtain padding of size 1 in the block. With this, we can recover the size of the original padding. Now we need to recover the previous byte. We’ll be flipping the previous byte until we create in it p+1. Thus, we recovered it. We recover the whole block like this. Then we discard the block and repeat the process on the previous block.

This allows us to recover the block in $256 \cdot \text{bytes in a block}$

Some versions of TLS permit padding oracles.

Ciphertext Stealing

Stream ciphers

There aren’t many of them.

eSTREAM project

European project that tried to find good SW and HW stream ciphers.

Linear-Feedback Shift Registers (LFSR)

Example of LFSR, KCAuXy4p, CC0, via Wikimedia Commons

for well-chosen keys, the period is $2^n -1$ .

problem

Known plaintext allows for recovery of the initial state of the register from the first few bits. We can solve it with nonlinear registers!

Nonlinear-feedback shift registers

the next state is determined by a non-linear function of the current.

Usually, it is hard to ensure a long period.

Some workarounds:

nonlinear combinations of multiple registers (LCM of their periods)
a register is controlled by another register working as a clock
the controlled is shifted only when the clock-register outputs 1

Most ciphers based on it are weak. A5/1 — used in GSM and broken.

Trivium

$3$ registers of different lengths, $288$ bits total.

Uses AND and XOR for nonlinear function.

init:

fill in $80$ b key, $80$ b IV, constants
do $1152$ steps

no known attack with complexity lower than $2^{80}$ , but the same variants with shorter inits are already broken.

Interestingly, the computation can be parallelized.

Elegant structure of Trivium

RC4 (Rivest 1987)

good SW implementation, based on permutating

Believed to be a strong cipher many years ago, but it’s broken through KPA

ChaCha20 (Bernstein 2008)

A very similar cipher was a finalist of eSTREAM (it was called Salsa20).

Why 20? Well, 20 is the number of rounds.

ChaCha20 produces 1 block of keystream (and it isn’t bijective) given the following params:

256b key
64b nonce
64b block counter

It is similar to CTR mode.

Internal state is a 4x4 matrix of 32-bit values

ARX stands for addition, rotation, XOR. After 20 rounds of this, magic it should produce a good pseudorandom keystream. The output of this is summed with the initial state so it's uninvertible.

Symmetric ciphers