
Page 1

Chapter 3 Secret Key Cryptography

Instructor: 孫宏民 (hmsun@cs.nthu.edu.tw)

Room: EECS 6402, Tel: 03-5742968, Fax: 886-3-572-3694

Page 2

Conventional Ciphers (1)

• (a) Transposition cipher: reorder the plaintext letters to form the ciphertext (a permutation of the input positions; the letters themselves are unchanged, so their frequencies are too).

Ex. Write the message into a 5×4 matrix by row, then read it out by column.

Ex. TSINGHUAUNIVERSITY

T S I N
G H U A
U N I V
E R S I
T Y

Reading the four columns in order gives TGUET SHNRY IUIS NAVI, i.e. TGUETSHNRYIUISNAVI.
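The following Python is an added worked example (it is not from the slides) of the columnar transposition above for any column count. The `order` parameter, a keyed read-out order of the columns, is an assumption that generalizes the slide's plain left-to-right read-out; with `order=None` it reproduces the slide.

```python
# Columnar transposition: write the plaintext into a matrix by rows and read it
# out by columns. Added example, not from the slides. `order` (the key) is an
# assumption that generalizes the slide's fixed left-to-right column read-out.
from collections import Counter

def transpose_encrypt(plaintext: str, ncols: int, order=None) -> str:
    """Row-wise write into ncols columns, column-wise read in `order`
    (None = columns 0, 1, ..., ncols-1 as on the slide)."""
    order = list(range(ncols)) if order is None else list(order)
    cols = [plaintext[i::ncols] for i in range(ncols)]   # column i = every ncols-th letter from i
    return "".join(cols[i] for i in order)

def transpose_decrypt(ciphertext: str, ncols: int, order=None) -> str:
    """Rebuild the columns (the first len % ncols columns are one letter longer) and read rows."""
    order = list(range(ncols)) if order is None else list(order)
    nrows, extra = divmod(len(ciphertext), ncols)
    lengths = [nrows + (1 if i < extra else 0) for i in range(ncols)]
    cols, pos = [""] * ncols, 0
    for i in order:
        cols[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    return "".join(cols[i][r] for r in range(nrows + 1) for i in range(ncols) if r < lengths[i])

def same_letter_histogram(plaintext: str, ciphertext: str) -> bool:
    """Transposition only moves letters, so single-letter frequencies are untouched:
    a frequency count immediately tells an analyst that the cipher is a transposition."""
    return Counter(plaintext) == Counter(ciphertext)
```

The last function is the check a cryptanalyst runs first: if the ciphertext letter histogram matches English, the cipher is a transposition and the work reduces to finding the column count and order.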

Page 3

Conventional Ciphers (2)

• (b) Substitution cipher: each letter m of M is replaced by some letter c = f(m) to form C (a permutation of the alphabet).

– There are four types of substitution ciphers:

• Simple substitution: a single one-to-one mapping from plaintext to ciphertext characters.
• Homophonic substitution: the mapping is one-to-many.
• Polyalphabetic substitution: multiple one-to-one mappings, used in turn.
• Polygram substitution: arbitrary substitutions for groups of characters.

Page 4

Conventional Ciphers (3)

• (c) Combination of (a) and (b)

Ex. Data Encryption Standard (DES): (a) (b) (a) (b) ..., 16 times each (every round applies both a substitution step and a permutation step).

Page 5

Simple Substitution Ciphers

• Ex. Keyword mixed alphabet. The cipher alphabet is constructed by first listing the keyword (INFORMATION in this example), omitting duplicates, and then listing the remaining letters of the alphabet in order.

Plaintext:  A B C D E F G H I J K L M   N O P Q R S T U V W X Y Z
Ciphertext: I N F O R M A T B C D E G   H J K L P Q S U V W X Y Z

TSINGHUAUNIVERSITY → SQBHATUIUHBVRPQBSY

Page 6

• Ex. Multiplicative substitution: f(a) = a·k mod n, where k and n are relatively prime so that f is a permutation (and k has an inverse mod n for deciphering). When n = 26 and k = 9:

Plaintext:  A B C D E F G H I J K L M   N O P Q R S T U V W X Y Z
Ciphertext: A J S B K T C L U D M V E   N W F O X G P Y H Q Z I R

TSINGHUAUNIVERSITY → PGUNCLYAYNUHKXGUPI
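The following Python is an added worked example (not code from the slides) of the two simple substitution ciphers on pages 5 and 6. It builds the keyword mixed alphabet and the multiplicative alphabet, refuses a multiplier that is not coprime to 26, derives the deciphering multiplier, and includes a letter-count profile to show the weakness stated later in the chapter: a simple substitution preserves the single-letter frequency distribution exactly.

```python
# Simple substitution ciphers from the slides: keyword mixed alphabet and the
# multiplicative map f(a) = a*k mod n. Added example, not from the slides.
from collections import Counter
from math import gcd
import string

ALPHABET = string.ascii_uppercase

def keyword_alphabet(keyword: str) -> str:
    """Keyword letters (duplicates dropped) followed by the remaining letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def multiplicative_alphabet(k: int, n: int = 26) -> str:
    """Cipher alphabet for f(a) = a*k mod n; k must be coprime to n or f is not a permutation."""
    if gcd(k, n) != 1:
        raise ValueError(f"k={k} is not coprime to n={n}: f would map two letters to one")
    return "".join(ALPHABET[(a * k) % n] for a in range(n))

def multiplicative_decrypt_key(k: int, n: int = 26) -> int:
    """The deciphering multiplier k^-1 mod n (it exists exactly because gcd(k, n) = 1)."""
    return pow(k, -1, n)

def substitute(text: str, cipher_alphabet: str, decrypt: bool = False) -> str:
    """Apply the one-to-one mapping plaintext alphabet -> cipher alphabet (or its inverse)."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.upper().translate(str.maketrans(src, dst))

def count_profile(text: str) -> list:
    """Sorted letter-count multiset. Identical for a plaintext and any simple-substitution
    ciphertext of it, which is what frequency analysis exploits."""
    return sorted(Counter(text).values(), reverse=True)
```

Deciphering the multiplicative cipher is just another multiplicative cipher with the inverse multiplier (for k = 9 and n = 26 it is 3, since 9·3 = 27 ≡ 1), which is why the coprimality check matters: with k = 13 two plaintext letters would collide and no inverse would exist.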

Page 7

• Ciphers may also use nonstandard ciphertext alphabets (symbols instead of letters); this changes nothing for the cryptanalyst, who only needs the symbol counts.

• Ciphertext: (figure not reproduced in the transcript)

Page 8

• For English, in principle, it takes at most 27 or 28 letters of ciphertext to break a simple substitution cipher by frequency analysis (the unicity distance, log2(26!) divided by the redundancy of English); in practice a few hundred letters are needed before the letter statistics are reliable enough.

Page 9

Homophonic Substitution Ciphers

• Map each character a of the plaintext alphabet into a set f(a) of ciphertext elements (its homophones); the sets for different letters are disjoint, so deciphering is unambiguous.

M = m1 m2 m3 …

C = c1 c2 c3 …

Each ci is picked at random from the set f(mi).

Page 10

Homophonic Substitution Ciphers

• Ex. Suppose that the English letters are enciphered as integers between 0 and 99, where the number of integers assigned to a letter is proportional to the relative frequency of the letter, and no integer is assigned to more than one letter (only the letters used in the next example are shown):

A: 17 19 34 41 56 60 67 83
I: 08 22 53 65 88 90
L: 03 44 76
N: 02 09 15 27 32 40 59
O: 01 11 23 28 42 54 70 80
P: 33 91
T: 05 10 20 29 45 58 64 78 99

Page 11

Homophonic Substitution Ciphers

• One possible encipherment of PLAINPILOT is:

M = P  L  A  I  N  P  I  L  O  T
C = 91 44 56 65 59 33 08 76 28 78

• Because frequent letters have more homophones, every ciphertext symbol appears with roughly the same frequency, so this cipher is much more difficult to solve than simple substitution ciphers (letter-pair statistics still leak, though, since each symbol always stands for the same letter).

Page 12

Second-Order Homophonic Cipher

• Given enough ciphertext, most ciphers are breakable: there will be a single key K that deciphers C into meaningful plaintext.

• It is possible to construct ciphers such that a ciphertext will decipher into more than one meaningful message under different keys.

• Ex. Second-order homophonics. The table entry in row m and column x is the ciphertext symbol for the plaintext pair (m, x). The holder of the row key reads M; the holder of the column key reads X.

      E   I   L   M   S
E    10  22  18  02  11
I    12  01  25  05  20
L    19  06  23  13  07
M    03  16  08  24  15
S    17  09  21  14  04

M = S  M  I  L  E
X = L  I  M  E  S
C = 21 16 05 19 11
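The following Python is an added worked example (not code from the slides) of the second-order homophonic cipher with the 5×5 table above. It enciphers a real message together with a cover message, and then shows the property the slide claims: the same ciphertext deciphers to SMILE under the row key and to LIMES under the column key. The helper names are assumptions.

```python
# Second-order homophonic cipher (added example, not from the slides): one
# ciphertext that deciphers to two different messages depending on which key
# (row table or column table) the receiver holds. The 5x5 table is the slide's.

LETTERS = "EILMS"
TABLE = [  # TABLE[row m][col x] = ciphertext symbol for the plaintext pair (m, x)
    [10, 22, 18, 2, 11],
    [12, 1, 25, 5, 20],
    [19, 6, 23, 13, 7],
    [3, 16, 8, 24, 15],
    [17, 9, 21, 14, 4],
]

def symbols_unique(table) -> bool:
    """Every symbol must appear exactly once, so both keys below are functions."""
    flat = [v for row in table for v in row]
    return len(flat) == len(set(flat))

def encipher(real: str, cover: str) -> list:
    """Combine the real message and a cover message of the same length into one ciphertext."""
    if len(real) != len(cover):
        raise ValueError("real and cover messages must have the same length")
    return [TABLE[LETTERS.index(m)][LETTERS.index(x)] for m, x in zip(real, cover)]

def row_key() -> dict:
    """Key for the real message: symbol -> row letter."""
    return {TABLE[r][c]: LETTERS[r] for r in range(5) for c in range(5)}

def column_key() -> dict:
    """Key for the cover message: symbol -> column letter."""
    return {TABLE[r][c]: LETTERS[c] for r in range(5) for c in range(5)}

def decipher(ciphertext: list, key: dict) -> str:
    return "".join(key[c] for c in ciphertext)
```

A sender who is later forced to reveal "the key" can hand over the column key, and the ciphertext then genuinely deciphers to the cover message; nothing in the ciphertext itself distinguishes the two readings.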

Page 13

Polyalphabetic Substitution Ciphers

• For simple substitution ciphers, the single-letter frequency distribution of the plaintext letters is preserved in the ciphertext.

• Homophonic substitutions conceal this distribution by defining multiple ciphertext elements for each plaintext letter.

• Polyalphabetic substitution ciphers conceal it by using multiple substitutions.

• Most polyalphabetic ciphers are periodic substitution ciphers.

Page 14

Vigenère and Beaufort Ciphers (1)

• Vigenère cipher

Key: K = k1 … kd, with fi(a) = (a + ki) mod n applied to the i-th letter (i taken mod d), so the cipher has period d.

• Ex. Key: BAND

• The Vigenère Tableau facilitates encryption and decryption by hand (see the table on the next page).

M = INFO RMAT ION
K = BAND BAND BAN
C = JNSR SMNW JOA

Page 15

Vigenère and Beaufort Ciphers (2)

• Beaufort cipher

Key: K = k1 … kd, with fi(a) = (ki − a) mod n. Each fi is its own inverse, so the same operation both enciphers and deciphers.

• Ex. Key: D

Plaintext:  A B C D E F G H I J K L M   N O P Q R S T U V W X Y Z
Ciphertext: D C B A Z Y X W V U T S R   Q P O N M L K J I H G F E

Page 16

Vigenère Tableau

(Table not reproduced in the transcript: row i holds the alphabet shifted by i positions; the ciphertext letter is found in the row of the key letter and the column of the plaintext letter.)

Page 17

Running-Key Ciphers

• The key is as long as the plaintext message.

• One method is to use the text in a book as the key sequence. The key is the title of the book and the starting position (section, paragraph, etc.).

• Because both the message and the key are English text, the ciphertext is the sum of two low-entropy streams and can still be attacked (for instance by guessing probable words in either stream); this is why the one-time pad on page 22 insists on a truly random key.

• Ex:

M = T H E T R E A S U R E I S B U R I E D A T T W
K = T H E K E Y I S A S L O N G A S T H E P L A I
C = M O I D V C I K U J P W F H U J B L H P E T E
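The following Python is an added worked example (not code from the slides) covering pages 14 to 17 as one family: Vigenère with fi(a) = a + ki, Beaufort with fi(a) = ki − a, and the running-key cipher, which is Vigenère with a key at least as long as the message. It also includes the first step of the classical attack on a periodic cipher, the Kasiski test, which collects the distances between repeated trigrams; the key period divides most of them. Function names are assumptions.

```python
# Vigenère, Beaufort and running-key ciphers over the 26-letter alphabet, plus
# the Kasiski period test. Added example, not from the slides.
import string

A = string.ascii_uppercase

def _nums(text: str) -> list:
    return [A.index(ch) for ch in text.upper() if ch in A]

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """f_i(a) = (a + k_i) mod 26; deciphering subtracts the same key stream."""
    k = _nums(key)
    sign = -1 if decrypt else 1
    return "".join(A[(a + sign * k[i % len(k)]) % 26] for i, a in enumerate(_nums(text)))

def beaufort(text: str, key: str) -> str:
    """f_i(a) = (k_i - a) mod 26; self-inverse, so beaufort(beaufort(m, k), k) == m."""
    k = _nums(key)
    return "".join(A[(k[i % len(k)] - a) % 26] for i, a in enumerate(_nums(text)))

def running_key(text: str, key_text: str, decrypt: bool = False) -> str:
    """Vigenère whose key stream is book text; the key must cover the whole message."""
    if len(_nums(key_text)) < len(_nums(text)):
        raise ValueError("running key is shorter than the message")
    return vigenere(text, key_text, decrypt)

def kasiski_candidates(ciphertext: str, n: int = 3) -> set:
    """Distances between a repeated n-gram and its first occurrence. For a periodic
    cipher the period divides most of these distances (chance repeats add noise)."""
    ct = "".join(ch for ch in ciphertext.upper() if ch in A)
    first, dists = {}, set()
    for i in range(len(ct) - n + 1):
        g = ct[i:i + n]
        if g in first:
            dists.add(i - first[g])
        else:
            first[g] = i
    return dists
```

Once the period d is known from the Kasiski distances, the ciphertext splits into d simple-substitution (Caesar) streams, each of which falls to the frequency analysis of page 8; this is the sense in which "multiple substitutions" only delay, rather than prevent, the attack.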

Page 18

Rotor Machine

(Figure, not reproduced in the transcript: three rotors labelled fast, medium and slow, each drawn as a 26-contact wiring between an input ring A–Z and an output ring; initial setting.)

Page 19

Rotor Machine

• The machine consists of a set of independently rotating cylinders through which electrical pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal wiring connecting each input pin to a unique output pin.

• Consider a machine with a single cylinder. After each input key is depressed, the cylinder rotates one position and thus a different substitution alphabet is in effect. After 26 letters of plaintext, the cylinder is back in its initial position: the period is 26.

Page 20

Rotor Machine

• For a machine with three cylinders, the one farthest from the operator rotates one pin position per keystroke. For every complete rotation of the outer cylinder, the inner cylinder rotates one pin position, and likewise for the third. Thus there are 26^3 = 17576 different substitution alphabets used before the system repeats.

• Rotor machines (notably the Enigma) were used by the Germans during World War II.

Page 21

Rotor Machine

(Figure, not reproduced in the transcript: the same three rotors after one keystroke; the fast rotor has advanced one position.)
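The following Python is an added worked example (not the slide's figure or any historical machine) of the three-rotor machine described on pages 19 and 20. The rotor wirings are constructed from a fixed seed, so they are an assumption; what the code demonstrates is the odometer stepping (fast rotor every keystroke, medium every 26, slow every 26·26), that deciphering runs the signal back through the rotors in reverse, and that the sequence of substitution alphabets has the period 26^3 claimed on the slide.

```python
# Three-rotor machine simulation (added example; the wirings are constructed
# with a fixed seed, not Enigma's). Shows odometer stepping and the 26**3 period.
import random
import string

A = string.ascii_uppercase
N = 26

def make_rotor(seed: int) -> list:
    """A rotor is a permutation: wiring[i] = output contact for input contact i."""
    rng = random.Random(seed)
    wiring = list(range(N))
    rng.shuffle(wiring)
    return wiring

ROTORS = [make_rotor(1), make_rotor(2), make_rotor(3)]   # fast, medium, slow (constructed)

def positions(step: int) -> tuple:
    """Rotor offsets after `step` keystrokes from the all-zero setting (odometer)."""
    return (step % N, (step // N) % N, (step // (N * N)) % N)

def substitute(wiring: list, offset: int, c: int) -> int:
    """Pass contact c through a rotor displaced by `offset` positions."""
    return (wiring[(c + offset) % N] - offset) % N

def unsubstitute(wiring: list, offset: int, c: int) -> int:
    """Inverse of substitute for the same rotor and offset."""
    return (wiring.index((c + offset) % N) - offset) % N

def alphabet_at(step: int) -> str:
    """The full substitution alphabet in effect for keystroke number `step`."""
    offs = positions(step)
    out = []
    for c in range(N):
        for rotor, off in zip(ROTORS, offs):
            c = substitute(rotor, off, c)
        out.append(A[c])
    return "".join(out)

def encrypt(plaintext: str, start: int = 0) -> str:
    return "".join(alphabet_at(start + i)[A.index(ch)] for i, ch in enumerate(plaintext.upper()))

def decrypt(ciphertext: str, start: int = 0) -> str:
    out = []
    for i, ch in enumerate(ciphertext.upper()):
        c = A.index(ch)
        for rotor, off in reversed(list(zip(ROTORS, positions(start + i)))):
            c = unsubstitute(rotor, off, c)
        out.append(A[c])
    return "".join(out)

def period() -> int:
    """Smallest t > 0 with alphabet_at(t) == alphabet_at(0): the slide's 26**3."""
    first = alphabet_at(0)
    t = 1
    while alphabet_at(t) != first:
        t += 1
    return t
```

The `start` argument is the initial setting: sender and receiver must agree on it, which is exactly the per-message key material that rotor-machine operators had to distribute and that cryptanalysts attacked.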

Page 22

Vernam Cipher and One-Time Pads

• Vernam designed a system (in 1918) which works on binary data rather than letters. To encipher:

ci = mi ⊕ ki

To decipher:

ci ⊕ ki = mi ⊕ ki ⊕ ki = mi

Thus enciphering and deciphering are performed with the same operation.

• Mauborgne suggested using a truly random key that is as long as the message, with the key tape used only once. Such a scheme, known as a one-time pad, is unbreakable (perfectly secret) as long as the key is random, kept secret and never reused.

Page 23

Vernam Cipher and One-Time Pads

• The drawback of the cipher is that it requires a key sequence as long as all the traffic ever sent, which must be generated at random and distributed and stored securely. It also gives no integrity: flipping a ciphertext bit flips the corresponding plaintext bit.

• Ex:

Encipher:      Decipher:
M = 11000      C = 01010
K = 10010      K = 10010
C = 01010      M = 11000
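The following Python is an added worked example (not code from the slides) of the one-time pad on bytes, together with the two failure modes a practitioner must keep in mind: reusing the key (the "two-time pad", where the key cancels and c1 ⊕ c2 = m1 ⊕ m2, so a guessed fragment of one message reveals the other) and malleability (XORing the ciphertext XORs the plaintext without knowing the key). The messages and the fixed demonstration key are constructed; `fresh_key` shows how a real key would be drawn.

```python
# One-time pad over bytes, plus the failure modes the slide warns about: key reuse
# and malleability. Added example, not from the slides; inputs are constructed.
import os

def otp(data: bytes, key: bytes) -> bytes:
    """c_i = m_i XOR k_i; the same call deciphers. Refuses a key shorter than the data."""
    if len(key) < len(data):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(data, key))

def fresh_key(n: int) -> bytes:
    """A key for one message only: n bytes from the OS CSPRNG."""
    return os.urandom(n)

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same key, c1 XOR c2 == m1 XOR m2: the key cancels and the plaintexts are related."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def crib_drag(c1: bytes, c2: bytes, crib: bytes, offset: int) -> bytes:
    """If the attacker guesses that m1 contains `crib` at `offset`, the same bytes of m2 fall out."""
    x = two_time_pad_leak(c1, c2)
    return bytes(x[offset + i] ^ crib[i] for i in range(len(crib)))

def flip_bits(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Malleability: XOR-ing `mask` into the ciphertext XORs it into the plaintext, key unknown."""
    out = bytearray(ciphertext)
    for i, b in enumerate(mask):
        out[offset + i] ^= b
    return bytes(out)
```

The crib-dragging step is why key reuse is fatal rather than merely weakening: an attacker who knows a few bytes of either message (a header, a greeting, a timestamp) reads the corresponding bytes of the other, and each recovered word extends the crib.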

Page 24

Polygram Substitution Ciphers

• All of the preceding substitution ciphers encipher a single letter of plaintext at a time.

• By enciphering larger blocks of letters, polygram substitution ciphers make cryptanalysis harder by destroying the significance of single-letter frequencies.

Page 25

Playfair Cipher

• The key is a 5×5 matrix of 25 letters (I and J share a cell). Each pair of plaintext letters m1m2 is enciphered as follows:

– 1. If m1 and m2 are in the same row, then c1 and c2 are the characters immediately to the right of m1 and m2, respectively (wrapping around to the first column).

– 2. If m1 and m2 are in the same column, then c1 and c2 are the characters immediately below m1 and m2, respectively (wrapping around to the top row).

Page 26

Playfair Cipher

– 3. If m1 and m2 are in different rows and columns, then c1 and c2 are the other two corners of the rectangle having m1 and m2 as corners, where c1 is in m1's row and c2 is in m2's row.

– 4. If m1 = m2, a null letter (e.g., X) is inserted into the plaintext between m1 and m2.

– 5. If the plaintext has an odd number of characters, a null letter is appended to the end of the plaintext.

Page 27

Playfair Cipher

• Ex. Keyword: MONARCHY

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

• The Playfair cipher was invented in 1854 (by Charles Wheatstone; Lord Playfair promoted it) and was used by the British during World War I.
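The following Python is an added worked example (not code from the slides) of the Playfair rules on pages 25 to 27 with the MONARCHY square. Rules 1 to 3 are applied per digraph with a `step` of +1 to encipher and −1 to decipher; rules 4 and 5 are applied while splitting the text into digraphs. The null letter X (and Q when the doubled letter is itself X) is an assumption, as is the handling of J as I.

```python
# Playfair cipher with the slide's MONARCHY square. Added example, not from the
# slides; the null letters X/Q and the J->I merge are assumptions.
import string

def playfair_square(keyword: str) -> list:
    """5x5 square: keyword letters (deduplicated, J merged into I) then the rest of the alphabet."""
    seen = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[i:i + 5] for i in range(0, 25, 5)]

def digraphs(plaintext: str, pad: str = "X") -> list:
    """Rules 4 and 5: split a doubled letter with a null, pad an odd tail."""
    letters = [("I" if ch == "J" else ch) for ch in plaintext.upper() if ch.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "Q" if a == pad else pad           # a doubled pad letter needs a different null
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)                # rule 4: null letter between a doubled pair
            i += 1
        else:
            pairs.append(a + b)                     # rule 5 is covered by the filler on an odd tail
            i += 2
    return pairs

def _apply(square: list, pair: str, step: int) -> str:
    pos = {ch: (r, c) for r, row in enumerate(square) for c, ch in enumerate(row)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                    # rule 1: same row, move right (wrap)
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:                                    # rule 2: same column, move down (wrap)
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]          # rule 3: other corners, own row first

def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    return "".join(_apply(square, p, +1) for p in digraphs(plaintext))

def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    square = playfair_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_apply(square, p, -1) for p in pairs)
```

Deciphering returns the padded text (the trailing X below stays), so an application must strip nulls itself; the rectangle rule 3 is its own inverse, which is why the same `_apply` serves both directions with only the step sign changed.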

Page 28

Hill Cipher

• To encipher:

$C = K M \bmod n$

• To decipher:

$K^{-1} C \bmod n = K^{-1} K M \bmod n = M$

• where C, K, and M are d×1, d×d and d×1 matrices, respectively, and K must be invertible mod n, i.e. gcd(det K, n) = 1.

Page 29

Hill Cipher

• Ex. d = 2, n = 26

$K = \begin{pmatrix} 3 & 2 \\ 3 & 5 \end{pmatrix}, \quad K^{-1} = \begin{pmatrix} 15 & 20 \\ 17 & 9 \end{pmatrix} \pmod{26}$

Suppose M = EG = (4, 6). Then

$\begin{pmatrix} c_1 \\ c_2 \end{pmatrix} = \begin{pmatrix} 3 & 2 \\ 3 & 5 \end{pmatrix} \begin{pmatrix} 4 \\ 6 \end{pmatrix} \bmod 26 = \begin{pmatrix} 24 \\ 16 \end{pmatrix}$, i.e. C = YQ.

• To decipher:

$\begin{pmatrix} 15 & 20 \\ 17 & 9 \end{pmatrix} \begin{pmatrix} 24 \\ 16 \end{pmatrix} \bmod 26 = \begin{pmatrix} 4 \\ 6 \end{pmatrix}$, i.e. M = EG.

• The Hill cipher is easy to break with known plaintext: d linearly independent plaintext/ciphertext block pairs give $K = C P^{-1} \bmod n$, where P and C hold the blocks as columns.
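The following Python is an added worked example (not code from the slides) of the Hill cipher for any block size d over Z26, with the modular matrix inverse computed through the adjugate (so that it is correct for the composite modulus 26), and the known-plaintext key recovery that makes "easy to break" concrete. The 2×2 key is the slide's; the known-plaintext sample HELP is constructed.

```python
# Hill cipher for any block size d over Z_26, with the known-plaintext attack
# K = C P^-1. Added example, not from the slides; the sample plaintext is constructed.
from math import gcd

N = 26
A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def matmul(X, Y, n=N):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % n
             for j in range(len(Y[0]))] for i in range(len(X))]

def minor(M, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]

def det(M, n=N):
    """Determinant mod n by Laplace expansion (fine for the small d used here)."""
    if len(M) == 1:
        return M[0][0] % n
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j), n) for j in range(len(M))) % n

def matinv(K, n=N):
    """K^-1 = det(K)^-1 * adj(K) mod n; needs gcd(det K, n) = 1, else no inverse exists."""
    d, dk = len(K), det(K, n)
    if gcd(dk, n) != 1:
        raise ValueError("det K = %d is not invertible mod %d" % (dk, n))
    dinv = pow(dk, -1, n)
    return [[(dinv * (-1) ** (i + j) * det(minor(K, j, i), n)) % n for j in range(d)] for i in range(d)]

def _blocks(text, d):
    nums = [A.index(c) for c in text.upper() if c in A]
    if len(nums) % d:
        raise ValueError("text length must be a multiple of d (pad first)")
    return [nums[i:i + d] for i in range(0, len(nums), d)]

def hill_encrypt(plaintext, K):
    """C = K M mod 26 for each d-letter block M (as a column vector)."""
    out = []
    for blk in _blocks(plaintext, len(K)):
        out += [A[r[0]] for r in matmul(K, [[v] for v in blk])]
    return "".join(out)

def hill_decrypt(ciphertext, K):
    return hill_encrypt(ciphertext, matinv(K))

def recover_key(plaintext, ciphertext, d):
    """Known-plaintext attack: with d independent blocks as columns, K = C P^-1 (mod 26)."""
    P = _blocks(plaintext, d)[:d]
    C = _blocks(ciphertext, d)[:d]
    Pm = [[P[j][i] for j in range(d)] for i in range(d)]   # blocks become columns
    Cm = [[C[j][i] for j in range(d)] for i in range(d)]
    return matmul(Cm, matinv(Pm))
```

`recover_key` fails only when the chosen plaintext blocks are not independent mod 26 (the plaintext matrix is then singular, and `matinv` raises); an attacker simply picks another d blocks from the known text.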

Page 30

Data Encryption Standard (DES)

• DES was published in 1977 (as FIPS 46) by the National Bureau of Standards (since renamed the National Institute of Standards and Technology) for use in commercial and unclassified U.S. Government applications.

• It was designed by IBM, based on their own Lucifer cipher, with input from the NSA.

• DES enciphers 64-bit blocks of data with a 56-bit key. That key length is now far too short: exhaustive search was demonstrated in hardware in 1998, so single DES should not be used for new systems.

• DES has been implemented both in software and in hardware.

Page 31

• The same algorithm is used both to encipher and to decipher.

• Historically the most widely used cipher.

• Security is based on Shannon's theory:

– Confusion: a piece of information is changed so that the output bits have no obvious relationship to the input bits (in DES, the S-boxes).

– Diffusion: the effect of one plaintext bit is spread to many other bits in the ciphertext (in DES, the permutations and the Feistel structure over 16 rounds).

Page 32

• Block cipher:

– Block size = 64 bits.

– Key length = 56 bits (the key is written as 64 bits, of which bits 8, 16, 24, 32, 40, 48, 56 and 64 are odd-parity check bits and are discarded).

• Advantages of DES:

– DES can be implemented in software and in hardware, since it uses only simple arithmetic and logical operations.

– High speed.

Page 33

DES

Input T (64 bits) → IP → $L_0 R_0$ (32 bits each)

$L_1 = R_0,\quad R_1 = L_0 \oplus f(R_0, K_1)$

$L_2 = R_1,\quad R_2 = L_1 \oplus f(R_1, K_2)$

…

$L_{15} = R_{14},\quad R_{15} = L_{14} \oplus f(R_{14}, K_{15})$

$L_{16} = R_{15},\quad R_{16} = L_{15} \oplus f(R_{15}, K_{16})$

$R_{16} L_{16}$ (the halves are swapped once more after the last round) → $IP^{-1}$ → output

In: 64 bits, Out: 64 bits, Key: 56 bits. Each round key $K_i$ is 48 bits; f takes the 32-bit $R_{i-1}$ and the 48-bit $K_i$ and returns 32 bits.

Page 34

IP (Initial Permutation)

• The table (not reproduced in the transcript) should be read left-to-right, top-to-bottom: its entries list which input bit goes to each output position.

• $T = t_1 t_2 \ldots t_{64}$, $T_0 = IP(T) = t_{58} t_{50} \ldots t_7 = L_0 R_0$

Page 35

$IP^{-1}$ (Final Permutation)

• $IP^{-1}$ is the inverse of IP.

• All tables are fixed and public; the only secret is the key. IP and $IP^{-1}$ add no security, they only rearrange bits.

Page 36

Function f

$f(R_{i-1}, K_i)$, 32 bits in, 32 bits out:

1. E expands $R_{i-1}$ from 32 to 48 bits (bit-selection table).
2. The 48 bits are XORed with the 48-bit round key $K_i$.
3. The result is split into eight 6-bit blocks, fed to the S-boxes $S_1 \ldots S_8$ (6 bits in, 4 bits out each), giving 32 bits.
4. P permutes the 32 bits.

Page 37

E (Bit-Selection Table)

• In: 32 bits, Out: 48 bits (table not reproduced in the transcript; 16 of the 32 input bits are used twice).

Page 38

P (Permutation)

• In: 32 bits, Out: 32 bits (table not reproduced in the transcript).

Page 39

S-boxes (Selection Functions)

(The eight tables are not reproduced in the transcript; each has 4 rows of 16 entries.)

Page 40

• Each S-box $S_j$ maps a 6-bit block $b_1 b_2 b_3 b_4 b_5 b_6$ into a 4-bit block. (In: 6 bits, Out: 4 bits)

• The integer corresponding to $b_1 b_6$ selects a row and the integer corresponding to $b_2 b_3 b_4 b_5$ selects a column.

• Example: $(100001)_2$ for S-box 1

• Row # = $(11)_2$ = 3 and Column # = $(0000)_2$ = 0. Output = 15 = $(1111)_2$.

Page 41

Key Calculation

K (64 bits) → PC-1 → $C_0 D_0$ (28 bits each)

$C_i = LS_i(C_{i-1}),\quad D_i = LS_i(D_{i-1})$, for i = 1 … 16

$K_i = PC\text{-}2(C_i D_i)$

K1, K2, ..., K16: 48 bits each

Page 42

PC-1 (Key Permutation)

• In: 64 bits (with 8 parity bits, which are dropped), Out: 56 bits (table not reproduced in the transcript).

Page 43

PC-2 (Key Permutation)

• In: 56 bits, Out: 48 bits (table not reproduced in the transcript).

Page 44

$LS_i$ (Left Circular Shift)

Iteration i:            1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of left shifts:  1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1

(The shifts total 28, so $C_{16} = C_0$ and $D_{16} = D_0$.)

Page 45

Deciphering

• Deciphering is performed using the same algorithm, except that $K_{16}$ is used in the first iteration, $K_{15}$ in the second iteration, and so on.

• The last round of enciphering:

$L_{16} = R_{15},\quad R_{16} = L_{15} \oplus f(R_{15}, K_{16})$, followed by $IP^{-1}$ → output.

Page 46

Deciphering

• The first round of deciphering (the ciphertext passes through IP, giving $L_0 R_0$, and the first round key is $K_{16}$):

$L_1 = R_0,\quad R_1 = L_0 \oplus f(R_0, K_{16})$

Page 47

Deciphering

• The last round of enciphering:

$LE_{16} = RE_{15}$

$RE_{16} = LE_{15} \oplus f(RE_{15}, K_{16})$

• The first round of deciphering. Its input is the encipherer's output, and the final swap plus $IP^{-1}$ are undone by IP, so $LD_0 = RE_{16}$ and $RD_0 = LE_{16}$:

$LD_1 = RD_0 = LE_{16} = RE_{15}$

$RD_1 = LD_0 \oplus f(RD_0, K_{16})$

$= RE_{16} \oplus f(RE_{15}, K_{16})$

$= (LE_{15} \oplus f(RE_{15}, K_{16})) \oplus f(RE_{15}, K_{16})$

$= LE_{15} \oplus (f(RE_{15}, K_{16}) \oplus f(RE_{15}, K_{16}))$

$= LE_{15} \oplus 0$

$= LE_{15}$

• Thus, the output of the first round of deciphering is the swap of the input to the sixteenth round of enciphering. The argument uses nothing about f except that it is a deterministic function, so f does not need to be invertible.
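The following Python is an added worked example (not code from the slides) that puts the derivation above, and the S-box rule of page 40, into a small Feistel network. The halves are 8 bits, there are four rounds, and the round function is deliberately lossy (it uses only 6 of the 8 bits of R ⊕ K and feeds them through the real DES S-box S1), so it is certainly not invertible; decryption still works by running the same network with the subkeys in reverse order, exactly as page 45 states. The toy f, the 8-bit halves and the subkeys are assumptions; S1 and the row/column selection are DES's.

```python
# Feistel structure of DES reduced to what pages 40 and 45-47 need: a round
# function f that is NOT invertible still yields a cipher whose decryption is
# encryption with reversed subkeys. Added example; S1 is the real DES S-box,
# the 8-bit halves, 4 rounds and the toy f are assumptions.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(box: list, six_bits: int) -> int:
    """DES S-box lookup: b1b6 select the row, b2b3b4b5 the column (6 bits in, 4 bits out)."""
    assert 0 <= six_bits < 64
    row = (((six_bits >> 5) & 1) << 1) | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]

def f(r: int, k: int) -> int:
    """Toy round function on an 8-bit half. Only the low 6 bits of R XOR K are used,
    so 256 inputs map onto at most 64 outputs: f throws information away."""
    x = (r ^ k) & 0x3F
    return (sbox(S1, x) << 4) | sbox(S1, x ^ 0x2A)

def feistel(block: int, subkeys: list) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i); output R_n L_n (DES's final swap)."""
    L, R = block >> 8, block & 0xFF
    for k in subkeys:
        L, R = R, L ^ f(R, k)
    return (R << 8) | L

def encrypt(block: int, subkeys: list) -> int:
    return feistel(block, subkeys)

def decrypt(block: int, subkeys: list) -> int:
    """Same network, subkeys in reverse order (K_n first), as page 45 states."""
    return feistel(block, list(reversed(subkeys)))

def f_is_not_injective(k: int) -> bool:
    """Evidence that f need not be invertible: distinct 8-bit inputs share an output."""
    return len({f(r, k) for r in range(256)}) < 256
```

The final swap in `feistel` is what lets the same function serve both directions: decryption starts from $R_n L_n$, and after each round with $K_n, K_{n-1}, \ldots$ the pair is the swap of the corresponding encryption state, ending at $R_0 L_0$, which the swap turns back into $L_0 R_0$.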

Page 48

• For deciphering, the order of the subkeys is reversed ($K_{16}, K_{15}, \ldots, K_1$).

– Equivalently, the key schedule's left circular shifts are replaced by right circular shifts.

– The number of shift bits in each round, as (round, shifts), is: (1, 0), (2, 1), (3, 2), (4, 2), (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1). This works because the sixteen left shifts total 28, so the schedule starts from $C_{16} D_{16} = C_0 D_0$.

Page 49

Weakness of DES

• Complementation property: if $C = E_K(P)$, then $\overline{C} = E_{\overline{K}}(\overline{P})$, where $\overline{x}$ is the bitwise complement of x.

– Under a chosen-plaintext attack this halves exhaustive key search, from $2^{56}$ to $2^{55}$ trials.

• Weak keys (4):

– After PC-1 the 28-bit halves $C_0$ and $D_0$ are each all 0s or all 1s, so the circular shifts change nothing and all 16 subkeys are identical; encryption then becomes its own inverse, $E_K(E_K(P)) = P$.

Page 50

• Semi-weak keys (6 pairs):

– Two different keys K and K′ whose subkey sequences are the reverse of each other, so that encrypting with one deciphers what the other enciphered: $E_{K'}(E_K(P)) = P$.

Page 51

Security of DES

• Differential cryptanalysis

– Presented by Biham & Shamir in 1990.

– A chosen-plaintext attack.

– Result: full 16-round DES resists it in practice (the attack needs about $2^{47}$ chosen plaintexts), while DES with fewer rounds falls quickly; the S-boxes turned out to have been designed with this attack in mind.

Page 52

International Data Encryption Algorithm (IDEA)

• IDEA was originally called IPES (Improved Proposed Encryption Standard).

• IDEA encrypts a 64-bit block of plaintext into a 64-bit block of ciphertext using a 128-bit key.

• IDEA is similar to DES in some ways. Both of them operate in rounds, and both have a complicated mangler function that does not have to be reversible in order for decryption to work.

Page 53

Basic Structure of IDEA

(Figure not reproduced in the transcript.)

Page 54

Primitive operations

• Bitwise exclusive-or (⊕)

• A slightly modified add (+)

– Addition in IDEA is done by throwing away carries, which is equivalent to saying addition is mod $2^{16}$.

• A slightly modified multiply (⊗)

– Multiplication in IDEA is done by first calculating the 32-bit result, and then taking the remainder when divided by $2^{16}+1$.

– Multiplication mod $2^{16}+1$ is reversible, in the sense that every number x between 1 and $2^{16}$ has an inverse y with $x \otimes y = 1$ (because $2^{16}+1 = 65537$ is prime).

Page 55

– The number 0, which can be expressed in 16 bits, would not have an inverse. And the number $2^{16}$, which is in the proper range for mod $2^{16}+1$ arithmetic, cannot be expressed in 16 bits. Both problems are solved by treating the 16-bit value 0 as an encoding of $2^{16}$.

• The only part of IDEA that isn't necessarily reversible is the mangler function, and it is truly marvelous to note how IDEA's design manages not to require a reversible mangler function.

Page 56

Key Expansion

• The 128-bit key is expanded into 52 16-bit subkeys, $K_1, K_2, \ldots, K_{52}$.

• The 52 encryption keys are generated by writing out the 128-bit key and, starting from the left, chopping off 16 bits at a time. This generates eight 16-bit keys.

Page 57

• The next eight keys are generated by starting at bit 25 (i.e. after rotating the key left by 25 bits), wrapping around to the beginning when the end is reached.

• The next eight keys are generated by offsetting 25 more bits, and so forth, until 52 keys are generated.

Page 58

One Round

• In this presentation IDEA has 17 rounds, where the odd-numbered rounds are different from the even-numbered rounds (an odd round followed by an even round is one of the eight full rounds of the usual description; the 17th, odd, round is the final transformation).

• Each round takes the input, a 64-bit quantity, and treats it as four 16-bit quantities, which we'll call $X_a$, $X_b$, $X_c$ and $X_d$. Mathematical functions are performed on $X_a$, $X_b$, $X_c$, $X_d$ to yield new versions of $X_a$, $X_b$, $X_c$, $X_d$.

• The odd rounds use four of the $K_i$, which we'll call $K_a$, $K_b$, $K_c$ and $K_d$. The even rounds use two $K_i$, which we'll call $K_e$, $K_f$. (9 × 4 + 8 × 2 = 52.)

Page 59

Odd round

(Figure not reproduced in the transcript. As the next page's text implies: new $X_a = X_a \otimes K_a$, new $X_b = X_c + K_c$, new $X_c = X_b + K_b$, new $X_d = X_d \otimes K_d$; the two middle words swap places.)

Page 60

• Note that this is easily reversible. To get from the new $X_a$ to the old $X_a$, we perform ⊗ with the multiplicative inverse of $K_a$ mod $2^{16}+1$. Likewise with $X_d$. To get the old $X_b$, given the new $X_c$, we add the additive inverse of $K_b$, i.e. we subtract $K_b$ (mod $2^{16}$).

Page 61

Even round

(Figure not reproduced in the transcript: the mangler function takes $X_a \oplus X_b$ and $X_c \oplus X_d$ together with $K_e$ and $K_f$ and produces two 16-bit values, $Y_{out}$ and $Z_{out}$, which are XORed back into the four words.)

Page 62

• The even round is its own inverse. When performing decryption, the same keys are used as when performing encryption (not the mathematical inverses of the keys, as in the odd rounds).

• Ex. The new $X_a$ is $X_a \oplus Y_{out}$. Running the round again on the new values recomputes the same $Y_{out}$, because $Y_{out}$ depends only on $X_a \oplus X_b$ (both words were XORed with $Y_{out}$, which cancels), so:

first output = first input ⊕ $Y_{out}$

= (new $X_a$) ⊕ $Y_{out}$

= ($X_a \oplus Y_{out}$) ⊕ $Y_{out}$ = $X_a$

With an input of new $X_a$, we get an output of $X_a$.

Page 63

Inverse key for decryption

• Since we are working backwards, the first decryption keys should be inverses of the last-used encryption keys. Given that the final keys used are $K_{49}, K_{50}, K_{51}, K_{52}$, in an odd round, the first four decryption keys will be inverses of the keys $K_{49}$ to $K_{52}$. $K_{49}$ is used in ⊗, so the decryption key $K_1$ will be the multiplicative inverse of $K_{49}$ mod $2^{16}+1$. And the decryption key $K_4$ is the multiplicative inverse of $K_{52}$. Decryption keys $K_2$ and $K_3$ are the additive inverses (mod $2^{16}$) of $K_{50}$ and $K_{51}$. Even rounds reuse their encryption keys unchanged.
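The following Python is an added worked example (not code from the slides) of the IDEA building blocks of pages 54 to 63: the three operations with the 0 ↔ $2^{16}$ convention, multiplicative and additive inverses, the 52-subkey expansion by 25-bit rotation, and the odd/even round structure with its inverses. The mangler inside the even round is the standard IDEA one written in the page's $X_a..X_d$ / $K_e, K_f$ notation, which is an assumption; the block is checked for round-trip correctness and for the properties the slides state, not against published IDEA test vectors.

```python
# IDEA building blocks as pages 54-63 describe them. Added example, not from the
# slides: the even-round mangler formula is an assumption (standard IDEA in the
# page's notation); correctness is checked by round-trip only.

MOD = 1 << 16          # addition and XOR work on 16-bit words
MUL_MOD = MOD + 1      # 65537 is prime, so every nonzero residue has an inverse

def mul(a: int, b: int) -> int:
    """a (x) b mod 2**16+1, where the 16-bit value 0 encodes 2**16 (page 55)."""
    a = a or MOD
    b = b or MOD
    r = (a * b) % MUL_MOD
    return 0 if r == MOD else r

def mul_inv(a: int) -> int:
    x = pow(a or MOD, -1, MUL_MOD)   # prime modulus: pow(..., -1, p) is the inverse
    return 0 if x == MOD else x

def add(a: int, b: int) -> int:
    return (a + b) % MOD             # carries thrown away (page 54)

def add_inv(a: int) -> int:
    return (-a) % MOD

def expand_key(key128: int) -> list:
    """52 x 16-bit subkeys: 8 chunks of the key, then rotate left 25 bits and repeat (pages 56-57)."""
    ks, k = [], key128
    while len(ks) < 52:
        for i in range(8):
            ks.append((k >> (112 - 16 * i)) & 0xFFFF)
        k = ((k << 25) | (k >> (128 - 25))) & ((1 << 128) - 1)
    return ks[:52]

def odd_round(x: tuple, ka, kb, kc, kd) -> tuple:
    """Page 59/60: Xa (x) Ka, Xd (x) Kd, and the middle words add their keys and swap."""
    xa, xb, xc, xd = x
    return (mul(xa, ka), add(xc, kc), add(xb, kb), mul(xd, kd))

def odd_round_inverse(y: tuple, ka, kb, kc, kd) -> tuple:
    """Page 60: multiply by the multiplicative inverses, subtract the additive keys, unswap."""
    ya, yb, yc, yd = y
    return (mul(ya, mul_inv(ka)), add(yc, add_inv(kb)), add(yb, add_inv(kc)), mul(yd, mul_inv(kd)))

def even_round(x: tuple, ke, kf) -> tuple:
    """Page 62: self-inverse, because Yin and Zin are unchanged by the XORs at the end."""
    xa, xb, xc, xd = x
    yin, zin = xa ^ xb, xc ^ xd
    t = mul(yin, ke)
    yout = mul(add(t, zin), kf)
    zout = add(t, yout)
    return (xa ^ yout, xb ^ yout, xc ^ zout, xd ^ zout)

def _split(block64: int) -> tuple:
    return tuple((block64 >> s) & 0xFFFF for s in (48, 32, 16, 0))

def _join(x: tuple) -> int:
    return (x[0] << 48) | (x[1] << 32) | (x[2] << 16) | x[3]

def encrypt(block64: int, key128: int) -> int:
    ks = expand_key(key128)
    x = _split(block64)
    for m in range(8):                                   # odd round 2m+1 then even round 2m+2
        x = odd_round(x, *ks[6 * m:6 * m + 4])
        x = even_round(x, ks[6 * m + 4], ks[6 * m + 5])
    return _join(odd_round(x, *ks[48:52]))               # round 17 with K49..K52

def decrypt(block64: int, key128: int) -> int:
    ks = expand_key(key128)
    x = odd_round_inverse(_split(block64), *ks[48:52])   # inverses of K49..K52 first (page 63)
    for m in reversed(range(8)):
        x = even_round(x, ks[6 * m + 4], ks[6 * m + 5])  # same keys, not inverses
        x = odd_round_inverse(x, *ks[6 * m:6 * m + 4])
    return _join(x)
```

`decrypt` applies the inverse rounds directly; the page's decryption key list is the same computation written as a key schedule, with every odd-round key replaced by its inverse and every even-round key kept.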

Page 64

AES

• On January 2, 1997, NIST announced a contest to select a new encryption standard to be used for protecting sensitive, non-classified, U.S. government information.

• After lots of investigation and discussion in the cryptographic community, NIST chose an algorithm called Rijndael, named after the two Belgian cryptographers (Joan Daemen and Vincent Rijmen) who developed and submitted it.

Page 65

AES

• As of 26 November 2001, AES, a standardization of Rijndael, is a Federal Information Processing Standard (FIPS 197).

Page 66

The Rijndael Cipher Algorithm

(Figure not reproduced in the transcript.)

Page 67

Mathematical preliminaries

• The field GF($2^8$). A byte is read as a polynomial of degree below 8 with coefficients in GF(2). Example: (57)$_{16}$ = 0101 0111 ↔ $x^6+x^4+x^2+x+1$.

– Addition, multiplication, multiplication by x

• Polynomials with coefficients in GF($2^8$): multiplication by x

Page 68

Addition

• The sum of two elements is the sum of the coefficients modulo 2, i.e. the bitwise XOR of the two bytes.

• Example: '57' + '83' = 'D4': $(x^6+x^4+x^2+x+1)+(x^7+x+1) = x^7+x^6+x^4+x^2$

Page 69

Multiplication

• Multiplication in GF($2^8$): multiplication of polynomials modulo the irreducible polynomial $m(x) = x^8+x^4+x^3+x+1$, i.e. (11B)$_{16}$.

• Example: '57' • '83' = 'C1':

$(x^6+x^4+x^2+x+1)(x^7+x+1) = x^{13}+x^{11}+x^9+x^8+x^6+x^5+x^4+x^3+1$

$x^{13}+x^{11}+x^9+x^8+x^6+x^5+x^4+x^3+1 \bmod (x^8+x^4+x^3+x+1) = x^7+x^6+1$

Page 70

Some Properties

• Multiplication is associative with a neutral element '01'.

• Inverse: $b^{-1}(x) = a(x) \bmod m(x)$, where a(x) satisfies $a(x) \cdot b(x) \bmod m(x) = 1$ (found with the extended Euclidean algorithm; every nonzero byte has one because m(x) is irreducible).

• Distributivity: $a(x)(b(x)+c(x)) = a(x)b(x)+a(x)c(x)$.

• The set of 256 possible byte values, with addition and multiplication defined as above, has the structure of the finite field GF($2^8$).

Page 71

Multiplication by x

• Multiply b(x) by the polynomial x: $b_7x^8+b_6x^7+b_5x^6+b_4x^5+b_3x^4+b_2x^3+b_1x^2+b_0x$

• If $b_7 = 0$, the reduction is the identity operation; if $b_7 = 1$, m(x) must be subtracted (i.e. XORed).

• That is, multiplication by x ('02') can be implemented by a left shift and a conditional XOR with '1B'. This operation is called xtime, and multiplication by any byte is a sum of repeated xtime results.

Page 72

Example

• '57' • '13' = 'FE'

'57' • '02' = xtime(57) = 'AE'

'57' • '04' = xtime(AE) = '47'

'57' • '08' = xtime(47) = '8E'

'57' • '10' = xtime(8E) = '07'

'57' • '13' = '57' • ('01' ⊕ '02' ⊕ '10') = '57' ⊕ 'AE' ⊕ '07' = 'FE'

Page 73

Polynomials with coefficients in GF($2^8$)

• Two polynomials over GF($2^8$): $a(x) = a_3x^3+a_2x^2+a_1x+a_0$ and $b(x) = b_3x^3+b_2x^2+b_1x+b_0$

• Their product $c(x) = c_6x^6+c_5x^5+c_4x^4+c_3x^3+c_2x^2+c_1x+c_0$, where • is multiplication in GF($2^8$) and ⊕ is XOR:

$c_0 = a_0 \bullet b_0$

$c_1 = a_1 \bullet b_0 \oplus a_0 \bullet b_1$

$c_2 = a_2 \bullet b_0 \oplus a_1 \bullet b_1 \oplus a_0 \bullet b_2$

$c_3 = a_3 \bullet b_0 \oplus a_2 \bullet b_1 \oplus a_1 \bullet b_2 \oplus a_0 \bullet b_3$

$c_4 = a_3 \bullet b_1 \oplus a_2 \bullet b_2 \oplus a_1 \bullet b_3$

$c_5 = a_3 \bullet b_2 \oplus a_2 \bullet b_3$

$c_6 = a_3 \bullet b_3$

Page 74

Polynomials with coefficients in GF($2^8$)

• By reducing c(x) modulo a polynomial of degree 4, the result can be reduced to a polynomial of degree below 4.

• Rijndael uses $M(x) = x^4+1$, for which $x^i \bmod (x^4+1) = x^{i \bmod 4}$.

• $x^4+1$ is not irreducible, so not every a(x) has an inverse; the fixed MixColumn polynomial is chosen to be one that does.

Page 75

Polynomials with coefficients in GF($2^8$)

• Product of a(x) and b(x) modulo $x^4+1$:

$d(x) = a(x) \otimes b(x) = d_3x^3+d_2x^2+d_1x+d_0$

$d_0 = a_0 \bullet b_0 \oplus a_3 \bullet b_1 \oplus a_2 \bullet b_2 \oplus a_1 \bullet b_3$

$d_1 = a_1 \bullet b_0 \oplus a_0 \bullet b_1 \oplus a_3 \bullet b_2 \oplus a_2 \bullet b_3$

$d_2 = a_2 \bullet b_0 \oplus a_1 \bullet b_1 \oplus a_0 \bullet b_2 \oplus a_3 \bullet b_3$

$d_3 = a_3 \bullet b_0 \oplus a_2 \bullet b_1 \oplus a_1 \bullet b_2 \oplus a_0 \bullet b_3$

Page 76

Polynomials with coefficients in GF($2^8$)

Written as a circulant matrix:

$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} = \begin{pmatrix} a_0 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_3 \\ a_3 & a_2 & a_1 & a_0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$

Page 77

Multiplication by x

• Multiply b(x) by the polynomial x: $b_3x^4+b_2x^3+b_1x^2+b_0x$

• $x \cdot b(x) \bmod (x^4+1) = b_2x^3+b_1x^2+b_0x+b_3$

• It is equivalent to multiplication by the circulant matrix with all $a_i$ = '00' except $a_1$ = '01', i.e. a cyclic rotation of the coefficients. Let c(x) = x b(x). We have:

$\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ c_3 \end{pmatrix} = \begin{pmatrix} 00 & 00 & 00 & 01 \\ 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$
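The following Python is an added worked example (not code from the slides) of the arithmetic of pages 67 to 77: xtime as the shift-and-conditional-XOR of page 71, GF($2^8$) multiplication as the sum of xtime multiples (page 72), the inverse of page 70, and the product modulo $x^4+1$ as the circulant matrix of pages 75 and 76. Beyond the slides' examples it checks that the AES MixColumn polynomial {03}x³+{01}x²+{01}x+{02} and its inverse {0B}x³+{0D}x²+{09}x+{0E} multiply to 1, which is what page 74's remark about invertibility requires; those two polynomials are taken from the AES specification.

```python
# GF(2^8) and GF(2^8)[x]/(x^4+1) arithmetic as used by AES (pages 67-77).
# Added example, not from the slides; MIXCOL/INV_MIXCOL are the AES specification's.

IRRED = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1

def xtime(b: int) -> int:
    """Multiply by x ('02'): shift left, reduce by m(x) if an x^8 term appeared (page 71)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a: int, b: int) -> int:
    """Product in GF(2^8): add the xtime multiples of a selected by the bits of b (page 72)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result

def gf_inverse(a: int) -> int:
    """a^-1 = a^254 (the multiplicative group has order 255); 0 has no inverse and maps to 0."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gmul(result, base)
        base = gmul(base, base)
        e >>= 1
    return result if a else 0

def poly_mul_mod(a: list, b: list) -> list:
    """d(x) = a(x) * b(x) mod (x^4 + 1) over GF(2^8); a, b, d are [coef0, .., coef3]."""
    d = [0] * 4
    for i in range(4):
        for j in range(4):
            d[(i + j) % 4] ^= gmul(a[i], b[j])    # x^(i+j) mod (x^4+1) = x^((i+j) mod 4)
    return d

def circulant(a: list) -> list:
    """Matrix of multiplication by a(x): row i, column j holds a[(i - j) % 4] (page 76)."""
    return [[a[(i - j) % 4] for j in range(4)] for i in range(4)]

MIXCOL = [0x02, 0x01, 0x01, 0x03]       # {03}x^3 + {01}x^2 + {01}x + {02}
INV_MIXCOL = [0x0E, 0x09, 0x0D, 0x0B]   # {0B}x^3 + {0D}x^2 + {09}x + {0E}
```

`gf_inverse` by exponentiation is the simplest correct method; implementations that care about timing use a table or a constant-time formula, because a data-dependent loop over secret bytes is exactly what side-channel attacks on software AES exploit.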

Page 78

Specification

• Variable block length and key length: in Rijndael each can independently be 128, 192, or 256 bits (the AES standard fixes the block length at 128 bits).

• The State: the intermediate cipher result, pictured as a rectangular array of bytes with four rows and Nb columns (Nb = block length / 32).

• The Cipher Key is similarly pictured as a rectangular array with four rows and Nk columns (Nk = key length / 32).

Page 79

The state and the Cipher Key

Page 80

The rounds

• The number of rounds is denoted by Nr and depends on the values Nb and Nk. It is given in Table 1.

Page 81

The cipher

• The cipher Rijndael consists of
  – An initial Round Key addition;
  – Nr-1 Rounds;
  – A final round.

• In pseudo C code:

Rijndael(State,CipherKey)
{
  KeyExpansion(CipherKey,ExpandedKey);
  AddRoundKey(State,ExpandedKey);
  For( i=1 ; i<Nr ; i++ )
    Round(State,ExpandedKey + Nb*i);
  FinalRound(State,ExpandedKey + Nb*Nr);
}

Page 82

The cipher

• The key expansion can be done beforehand, and Rijndael can then be specified in terms of the Expanded Key:

Rijndael(State,ExpandedKey)
{
  AddRoundKey(State,ExpandedKey);
  For( i=1 ; i<Nr ; i++ )
    Round(State,ExpandedKey + Nb*i);
  FinalRound(State,ExpandedKey + Nb*Nr);
}

Page 83

The round transformation

Round(State,RoundKey)
{
  ByteSub(State);
  ShiftRow(State);
  MixColumn(State);
  AddRoundKey(State,RoundKey);
}

Page 84

The final round

FinalRound(State,RoundKey)
{
  ByteSub(State);
  ShiftRow(State);
  AddRoundKey(State,RoundKey);
}

Page 85

The ByteSub transformation(1/2)

1. Taking the multiplicative inverse in GF(2^8).
2. Applying an affine transformation defined by:

Page 86

The ByteSub transformation(2/2)

Page 87

The ShiftRow transformation(1/2)

Page 88

The ShiftRow transformation(2/2)

Page 89

The MixColumn transformation(1/2)

• The columns of the State are considered as polynomials over GF(2^8) and multiplied modulo $x^4 + 1$ with a fixed polynomial $c(x) = \mathtt{'03'}\,x^3 + \mathtt{'01'}\,x^2 + \mathtt{'01'}\,x + \mathtt{'02'}$.

• This can be written as a matrix multiplication. Let $b(x) = c(x) \otimes a(x)$:

Page 90

The MixColumn transformation(2/2)

Page 91

The Round Key addition

Page 92

Key schedule

• The Round Keys are derived from the Cipher Key by means of the key schedule, which consists of two components: the Key Expansion and the Round Key Selection. The basic principle is the following:
  – The total number of Round Key bits equals the block length multiplied by the number of rounds plus 1 (e.g., for a block length of 128 bits and 10 rounds, 1408 Round Key bits are needed).
  – The Cipher Key is expanded into an Expanded Key.
  – Round Keys are taken from this Expanded Key in the following way: the first Round Key consists of the first Nb words, the second one of the following Nb words, and so on.

Page 93

Key expansion

• The Expanded Key is a linear array of 4-byte words, denoted W[Nb*(Nr+1)]. The first Nk words contain the Cipher Key. All other words are defined recursively in terms of words with smaller indices.

• For Nk ≤ 6, we have:

KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)])
{
  for(i = 0; i < Nk; i++)
    W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
  for(i = Nk; i < Nb * (Nr + 1); i++) {
    temp = W[i - 1];
    if (i % Nk == 0)
      temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
    W[i] = W[i - Nk] ^ temp;
  }
}

Page 94

Key expansion

• For Nk > 6, we have:

KeyExpansion(byte Key[4*Nk], word W[Nb*(Nr+1)])
{
  for(i = 0; i < Nk; i++)
    W[i] = (Key[4*i], Key[4*i+1], Key[4*i+2], Key[4*i+3]);
  for(i = Nk; i < Nb * (Nr + 1); i++) {
    temp = W[i - 1];
    if (i % Nk == 0)
      temp = SubByte(RotByte(temp)) ^ Rcon[i / Nk];
    else if (i % Nk == 4)
      temp = SubByte(temp);
    W[i] = W[i - Nk] ^ temp;
  }
}

Page 95

Round Key selection

• Round Key i is given by the Round Key buffer words W[Nb*i] to W[Nb*(i+1)].
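The pieces of the last several slides (the ByteSub S-box built from the GF(2^8) inverse and the affine map, ShiftRow, MixColumn, the round structure with its FinalRound, the key expansion for both the Nk ≤ 6 and Nk > 6 cases, and Round Key selection) put together into a working Rijndael encryption, as an added example in Python; this is not code from the lecture, and the names xtime, sub_byte, SBOX, sbox_by_interpolation, key_expansion, round_key, shift_row, mix_column and rijndael_encrypt are my own. It assumes Nb = 4 (128-bit blocks) and a column-major State, with index 4*c + r holding row r of column c. The inverse is taken from log/antilog tables over the generator '03', and sbox_by_interpolation evaluates the polynomial expression for the S-box quoted under the interpolation attack slide, so the two constructions can be checked against each other.

```python
# Added example (not the lecture's code): Rijndael encryption assembled from the
# slides' building blocks with Nb = 4 (128-bit block) and Nk = 4, 6 or 8.
# The State is a list of 16 bytes in column-major order: index 4*c + r is row r, column c.

def xtime(b):
    """Multiply a GF(2^8) element by x, reducing by m(x) = x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

# Log/antilog tables over the generator 0x03 (= x + 1) give every product and inverse.
EXP, LOG = [0] * 256, [0] * 256
_g = 1
for _i in range(255):
    EXP[_i], LOG[_g] = _g, _i
    _g ^= xtime(_g)                      # _g = _g * 0x03

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % 255]

def gf_pow(a, k):
    return 1 if k == 0 else (0 if a == 0 else EXP[(LOG[a] * k) % 255])

def sub_byte(a):
    """ByteSub: multiplicative inverse in GF(2^8) ('00' stays '00'), then the affine map."""
    s = 0 if a == 0 else EXP[(255 - LOG[a]) % 255]
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return s ^ rot(s, 1) ^ rot(s, 2) ^ rot(s, 3) ^ rot(s, 4) ^ 0x63

SBOX = [sub_byte(i) for i in range(256)]

def sbox_by_interpolation(x):
    """The polynomial expression for the S-box, evaluated in GF(2^8)."""
    terms = [(0x8F, 127), (0xB5, 191), (0x01, 223), (0xF4, 239),
             (0x25, 247), (0xF9, 251), (0x09, 253), (0x05, 254)]
    r = 0x63
    for coef, e in terms:
        r ^= gf_mul(coef, gf_pow(x, e))
    return r

def key_expansion(key):
    """Expanded Key W[Nb*(Nr+1)] as 4-byte words, following the slide pseudo-C for both Nk cases."""
    nk = len(key) // 4
    nr = nk + 6                                   # Nr for Nb = 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01                                   # Rcon[1]; Rcon[j] = x^(j-1) in GF(2^8)
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            temp = temp[1:] + temp[:1]            # RotByte
            temp = [SBOX[b] for b in temp]        # SubByte
            temp[0] ^= rcon                       # ^ Rcon[i / Nk]
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:
            temp = [SBOX[b] for b in temp]        # extra SubByte only for Nk > 6
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w

def round_key(w, i):
    """Round Key selection: words W[Nb*i] .. W[Nb*(i+1)-1], flattened to 16 bytes."""
    return [b for word in w[4 * i:4 * i + 4] for b in word]

def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]

def shift_row(state):
    """Row r of the State is rotated left by r positions."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_column(a):
    """Column a(x) times c(x) = 03x^3 + 01x^2 + 01x + 02 modulo x^4 + 1."""
    a0, a1, a2, a3 = a
    x2 = xtime
    x3 = lambda v: xtime(v) ^ v
    return [x2(a0) ^ x3(a1) ^ a2 ^ a3,
            a0 ^ x2(a1) ^ x3(a2) ^ a3,
            a0 ^ a1 ^ x2(a2) ^ x3(a3),
            x3(a0) ^ a1 ^ a2 ^ x2(a3)]

def mix_columns(state):
    return [v for c in range(4) for v in mix_column(state[4 * c:4 * c + 4])]

def rijndael_encrypt(block, key):
    """Initial Round Key addition, Nr-1 Rounds, then a FinalRound without MixColumn."""
    w = key_expansion(key)
    nr = len(key) // 4 + 6
    state = add_round_key(list(block), round_key(w, 0))
    for i in range(1, nr):
        state = [SBOX[b] for b in state]          # ByteSub
        state = shift_row(state)
        state = mix_columns(state)
        state = add_round_key(state, round_key(w, i))
    state = [SBOX[b] for b in state]              # FinalRound
    state = shift_row(state)
    return bytes(add_round_key(state, round_key(w, nr)))

if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector: plaintext 00112233..eeff under key 000102..0f.
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(rijndael_encrypt(pt, bytes(range(16))).hex())
```

The same code handles 192- and 256-bit keys because Nk is read from the key length and the extra SubByte branch is taken only when Nk > 6; comparing the output against the published FIPS-197 test vectors for all three key sizes is the quickest way to catch a wrong ShiftRow direction, a transposed State, or a Rcon applied to the wrong byte.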

Page 96

Strength against known attacks

• Symmetry properties and weak keys of the DES type
  – Round constants are different in each round to eliminate symmetry in the cipher.
  – The cipher and its inverse use different components, which eliminates the possibility of weak and semi-weak keys as exist for DES.
  – The non-linearity of the key expansion eliminates the possibility of equivalent keys.

Page 97

Strength against known attacks

• Differential cryptanalysis (DC)
  – First described by Eli Biham and Adi Shamir in 1991.
  – A differential propagation is composed of differential trails (DT); its prop ratio (PR) is the sum of the PRs of all DTs that have the specified initial and final difference patterns.
  – Necessary condition to be resistant against DC: no DT with predicted PR > $2^{1-n}$, n the block length.
  – For Rijndael: no 4-round DT with predicted PR above $2^{-150}$ (no 8-round trails with PR above $2^{-300}$).

Page 98

Strength against known attacks

• Linear cryptanalysis (LC)
  – First described by Mitsuru Matsui in 1994.
  – An input-output correlation is composed of linear trails (LT) that have the specified initial and final selection patterns.
  – Necessary condition to be resistant against LC: no LTs with a correlation coefficient > $2^{n/2}$.
  – For Rijndael: no 4-round LTs with a correlation above $2^{-75}$ (no 8-round trails with a correlation above $2^{-150}$).

Page 99

Strength against known attacks

• Interpolation attacks
  – Introduced by Jakobsen and Knudsen in 1997.
  – The attacker constructs polynomials using cipher input/output pairs. If the polynomials have a small degree, only a few pairs are necessary to solve for the coefficients of the polynomial.
  – The expression for the S-box is given by

$\mathtt{63} + \mathtt{8f}\,x^{127} + \mathtt{b5}\,x^{191} + \mathtt{01}\,x^{223} + \mathtt{f4}\,x^{239} + \mathtt{25}\,x^{247} + \mathtt{f9}\,x^{251} + \mathtt{09}\,x^{253} + \mathtt{05}\,x^{254}$

Page 100

Strength against known attacks

• Other attacks considered:
  – Truncated differentials
  – The Square attack
  – Related-key attacks
  – Weak keys as in IDEA

Page 101

Advantages and limitations

• Advantages
  – Implementation aspects
    Rijndael can be implemented to run at unusually fast speeds on a Pentium (Pro), with a trade-off between table size and performance.
    Rijndael can be implemented on a smart card in small code, using a small amount of RAM and a small number of cycles.
    The round transformation is parallel by design.
    As the cipher does not make use of arithmetic operations, it has no bias towards processor architectures.

Page 102

Advantages and limitations

• Advantages
  – Simplicity of design
    The cipher is fully "self-supporting".
    The cipher does not base its security on obscure and not well understood arithmetic operations.
    The tight cipher design does not leave enough room to hide a trapdoor.
  – Variable block length and extensions
    Block length and key length both range from 128 to 256 in steps of 32 bits.
    The round number can also be modified as a parameter.

Page 103

Advantages and limitations

• Limitations
  – The inverse cipher is less suited to implementation on a smart card than the cipher itself: it takes more code and cycles.
  – In software, the cipher and its inverse make use of different code and/or tables.
  – In hardware, the inverse cipher can only partially re-use the circuitry that implements the cipher.