05. Block Ciphers

Main bulk encryption algorithms used in commercial applications. AES is one example of such algorithm.

Principles

Block ciphers are symmetric key ciphers where each block of plaintext encrypted with the same key.

A block is a set of plaintext symbols of a fixed size, typically 64 to 256 bits in modern ciphers.

They are used in configurations called modes of operation.

Notation

Criteria

Shannon defined two encryption techniques:

Repeated use of techniques can be used using the concept of a product cipher.

Product & Iterated Ciphers

Product Cipher

Cryptosystem where encryption performed by applying/composing several sub-encryption algorithms: output of one block used as input to next block.

Often composed of simple functions fif_i for 1ir1 \le i \le r such that each fif_i has its own key KiK_i.

C=E(P,K)=fr((f2(f1(P,K1),K2)),Kr) C = E(P, K) = f_r(\dots(f_2(f_1(P, K_1), K_2)\dots), K_r)

Iterated Cipher

Special product ciphers called iterated ciphers where:

Encryption

Given plaintext block PP, round function gg, round keys K1,K2,,KrK-1, K_2, \dots, K_r, the ciphertext block CC is derived through rr rounds:

W0=PW1=g(W0,K1)W2=g(W1,K2)Wr=g(Wr1,Kr)=C \begin{aligned} W_0 &= P \\ W_1 &= g(W_0, K_1) \\ W_2 &= g(W_1, K_2) \\ \dots W_r &= g(W_{r - 1}, K_r) = C \end{aligned}

Decryption

There must be an inverse function g1g^{-1} such that g1(g(W,Ki),Ki)=Wg^{-1}(g(W, K_i), K_i) = W for all keys KiK_i and blocks WW.

Wr=CWr1=g1(Wr,Kr)Wr2=g1(Wr1,Kr1)W0=g1(W1,Kr)=P \begin{aligned} W_r &= C \\ W_{r - 1} &= g^{-1}(W_r, K_r) \\ W_{r - 2} &= g^{-1}(W_{r - 1}, K_{r - 1}) \\ \dots W_0 &= g^{-1}(W_1, K_r) = P \end{aligned}

Types of Iterated Ciphers

Substitution-Permutation Network (SPN) e.g. Advanced Encryption Standard (AES).

Feistel Cipher e.g. Data Encryption Standard (DES).

Substitution-Permutation Network

Block length nn must allow each block to be split into mm sub-blocks of length ll: n=lmn = lm.

Substitution πS\pi_S (called substitution box or S-box) operates on sub-blocks of length ll bits:

πS:{0,1}l{0,1}l \pi_S: \{ 0, 1 \}^l \rightarrow \{ 0, 1 \}^l

i.e. mapping some binary number of size ll bits to another.

Permutation πP\pi_P (called permutation-box or P-box) swaps the inputs from {1,,n}\{ 1, \dots, n \}:

πP:{1,,n}{1,,n} \pi_P: \{ 1, \dots, n \} \rightarrow \{ 1, \dots, n \}

i.e. swapping the order of bits in the entire block around.

Operation

  1. Round key KiK_i XORed with current state block WiW_i: KiWiK_i \oplus W_i
  2. Each sub-block substituted applying πS\pi_S
  3. The whole block permuted using πP\pi_P

Example

Substitution-Permutation Network

Feistel Cipher

Round function swaps the two halves of the block to form a new right hand half.

Encryption

Feistel Cipher Network

Plaintext block P=W0P = W_0 split into two halves (L0,R0)(L_0, R_0).

For each round:

The output is the ciphertext block C=WR=(Lr,Rr)C = W_R = (L_r, R_r).

Decryption

Split CC into two halves, (Lr,Rr)(L_r, R_r).

For each round:

ff does not need to be inverted: xx=0x \oplus x = 0, so applying by applying ff twice it can be decrypted.

The choice of ff is critical for security; is is the only non-linear part of the encryption.

Differential and Linear Cryptanalysis

Differential cryptanalysis: chosen plaintext attack using correlation in the differences between two input plaintexts and their corresponding ciphertexts.

Liner cryptanalysis: known plaintext attack that theoretically break DES.

Modern block ciphers normally immune to both attacks.

Avalanche Effects

Key avalanche: a small change in key (with the same plaintext) should result in a large change in ciphertext.

Plaintext avalanche: a small change in plaintext should result in a large change in ciphertext: changing one bit should change all bits in the ciphertext with a probability of 1/21/2.

Key avalanche is related to Shannon’s notion of confusion, plaintext avalanche to Shannon’s notion of diffusion.

DES

Designed by IBM researchers, became US standard in 1976. 16-round Feistel cipher with key length of 56 bits and data block length of 64 bits.

The key length is actually 64 bits, but the last bit of every byte is redundant.

Encryption

PP is an input plaintext block of 64 bits:

  1. All bits of PP permuted using an initial fixed permutation of IPIP
  2. 16 rounds of Feistel operations applied, denoted by function ff
    • Each round uses a different 48-bit subkey
    • The subkey is defined by a series of permutations and shifts
  3. A final fixed inverse permutation IP1IP^{-1} is applied

The 64-bit ciphertext block CC is the output.

Decryption requires only reversing the order in which the subkeys are applied.

Feistel Operation

  1. 32 bits expanded to 48 bits using a padding scheme which repeats some bits
  2. XOR the 48 bits with the 48-bit subkey
  3. Break 48 bits into 8 blocks of 6 bits
  4. Each block WiW_i transformed using substitution table SiS_i, resulting in blocks of length 44 and hence a total of 32 bits.
    • A transformation table is used to determine the output value
    • If the input block is W=x1x2x3x4x5x6W = x_1x_2x_3x_4x_5x_6, the row number is given by x1x6x_1x_6 and the column number by x2x3x4x5x_2x_3x_4x_5
  5. A permutation is applied to the result

Brute Force Attacks

Testing all the possible 2k2^k keys (where kk is the size of the key KK). k=56k = 56 is fairly small, requiring only 2k/2=2552^{k}/2 = 2^{55} trials on average - this was criticized from the start.

The key can be identified by using a small number of ciphertext blocks and looking for low entropy in the decrypted plaintext.

Double Encryption

Let K1K_1 and K2K_2 be two block cipher keys.

Encryption: C=E(E(P,K1),K2)C = E(E(P, K_1), K_2).

If both keys have length kk, exhaustive attacks require 22k12^{2k - 1} trials on average.

Meet-in-the-Middle Attack

Let (P,C)(P, C) is a single plaintext-ciphertext pair:

  1. For each key KK, store C=E(P,K)C' = E(P, K) in memory
  2. For any key KK', check if D(C,K)=CD(C, K') = C' (i.e. matches any ciphertext stored in memory)
    • If this is found, KK is K1K_1 and KK' is K2K_2
    • Check if key values work for other (P,C)(P, C) pairs

Requirements:

Expensive but still much cheaper than brute-forcing 21112^{111} keys.

Triple Encryption

Requires three keys: C=E(D(E(P,K1),K2),K3)C = E(D(E(P, K_1), K_2), K_3). (symmetric so decryption/encryption doesn’t matter? TODO)

This increases the computational requirements enough to make it secure against MITM attacks.

NIST SP 800-131A (2015) approves two-key triple DES, where K1=K3K_1 = K_3, only for legacy use. three-key triple DES is approved.

OpenSSL removed triple DES in 2016. Office 365 stopped using triple DES in 2018.

AES

Designed in an open competition after controversy over DES. Winning submission is ‘Rijndael’.

Algorithm

State Matrix

16-byte data block size arranged in a 4×44 \times 4 matrix.

Mixture of finite field operations in GF(28)GF(2^8) and bit string operations.

Round Transformation

Each round has four basic operations:

  1. ByteSub (non-linear substitution): substitute each byte wth a different value using a substitution table
  2. ShiftRow (permutation): rotate first row right by zero bytes, second row right by one byte… (bytes wrap to left)
  3. MixColumn (diffusion): each column is replaced with result of it being multiplied by a matrix
  4. AddRoundKey: XORs array with round key

Substitution-permutation network with block length of n=128n = 128 and sub-block length of l8l - 8.

S-box uses look-up table.

Key Schedule

Master key is 128/192/256 bits.

Each of the 10/12/14 rounds uses a 128-bit subkey. There is one subkey per round plus one initial subkey, all derived from the master key.

Security

Some weaknesses but no significant break; most serious real attacks can reduce effective key size by around two bits.

Vulnerable to related-key attack: attacker obtains a ciphertext encrypted with a key related to an actual key in a specified way.

Comparisons with DES