6/15/2015 Block cipher - Wikipedia, the free encyclopedia
https://en.wikipedia.org/wiki/Block_cipher 1/14
Block cipher
From Wikipedia, the free encyclopedia
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.
The modern design of block ciphers is based on the concept of an iterated product cipher. Product ciphers were suggested and analyzed by Claude Shannon in his seminal 1949 publication Communication Theory of Secrecy Systems as a means to effectively improve security by combining simple operations such as substitutions and permutations.[1] Iterated product ciphers carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. One widespread implementation of such ciphers is called a Feistel network, named after Horst Feistel, and notably implemented in the DES cipher.[2] Many other realizations of block ciphers, such as the AES, are classified as substitution-permutation networks.[3]
The publication of the DES cipher by the U.S. National Bureau of Standards (now National Institute of Standards and Technology, NIST) in 1977 was fundamental in the public understanding of modern block cipher design. In the same way, it influenced the academic development of cryptanalytic attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. Today, there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute-force attacks.
Even a secure block cipher is suitable only for the encryption of a single block under a fixed key. A multitude of modes of operation have been designed to allow their repeated use in a secure way, commonly to achieve the security goals of confidentiality and authenticity. However, block ciphers may also be used as building blocks in other cryptographic protocols, such as universal hash functions and pseudorandom number generators.
Contents
1 Definition
2 Design
  2.1 Iterated block ciphers
  2.2 Substitution-permutation networks
  2.3 Feistel ciphers
  2.4 Lai–Massey ciphers
  2.5 Operations
    2.5.1 ARX (add-rotate-xor)
    2.5.2 Other operations
3 Modes of operation
4 Padding
5 Cryptanalysis
  5.1 Brute-force attacks
  5.2 Differential cryptanalysis
  5.3 Linear cryptanalysis
  5.4 Integral cryptanalysis
  5.5 Other techniques
6 Provable security
  6.1 Standard model
  6.2 Ideal cipher model
7 Practical evaluation
8 Notable block ciphers
  8.1 Lucifer / DES
  8.2 IDEA
  8.3 RC5
  8.4 Rijndael / AES
  8.5 Blowfish
9 Generalizations
  9.1 Tweakable block ciphers
  9.2 Format-preserving encryption
10 Relation to other cryptographic primitives
11 See also
12 References
13 Further reading
14 External links
Definition
A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, D.[4] Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. The decryption algorithm D is defined to be the inverse function of encryption, i.e., D = E^-1. More formally,[5][6] a block cipher is specified by an encryption function
which takes as input a key K of bit length k, called the key size, and a bit string P of length n, called the block size, and returns a string C of n bits. P is called the plaintext, and C is termed the ciphertext. For each K, the function E_K(P) is required to be an invertible mapping on {0,1}^n. The inverse for E is defined as a function
taking a key K and a ciphertext C to return a plaintext value P, such that
For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input: the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext.[7]
For each key K, E_K is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the possible set of .[8]
Design
Iterated block ciphers
Most block cipher algorithms are classified as iterated block ciphers, which means that they transform fixed-size blocks of plaintext into identical-size blocks of ciphertext, via the repeated application of an invertible transformation known as the round function, with each iteration referred to as a round.[9]
Usually, the round function R takes different round keys K_i as second input, which are derived from the original key:
where is the plaintext and the ciphertext, with r being the round number.
Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used):
Given one of the standard iterated block cipher design schemes, it is fairly easy to construct a block cipher that is cryptographically secure, simply by using a large number of rounds. However, this will make the cipher inefficient. Thus, efficiency is the most important additional design criterion for professional ciphers. Further, a good block cipher is designed to avoid side-channel attacks, such as input-dependent memory accesses that might leak secret data via the cache state or the execution time. In addition, the cipher should be concise, for small hardware and software implementations. Finally, the cipher should be easily cryptanalyzable, such that it can be shown to how many rounds the cipher needs to be reduced such that the existing cryptographic attacks would work and, conversely, that the number of actual rounds is large enough to protect against them.
Substitution-permutation networks
One important type of iterated block cipher known as a substitution-permutation network (SPN) takes a block of the plaintext and the key as inputs, and applies several alternating rounds consisting of a substitution stage followed by a permutation stage to produce each block of ciphertext output.[10] The non-linear substitution stage mixes the key bits with those of the plaintext, creating Shannon's confusion. The linear permutation stage then dissipates redundancies, creating diffusion.[11][12]
A substitution box (S-box) substitutes a small block of input bits with another block of output bits. This substitution must be one-to-one, to ensure invertibility (hence decryption). A secure S-box will have the property that changing one input bit will change about half of the output bits on average, exhibiting what is known as the avalanche effect, i.e. it has the property that each output bit will depend on every input bit.[13]
A permutation box (P-box) is a permutation of all the bits: it takes the outputs of all the S-boxes of one round, permutes the bits, and feeds them into the S-boxes of the next round. A good P-box has the property that the output bits of any S-box are distributed to as many S-box inputs as possible.
At each round, the round key (obtained from the key with some simple operations, for instance, using S-boxes and P-boxes) is combined using some group operation, typically XOR.
Figure: A sketch of a substitution-permutation network with 3 rounds, encrypting a plaintext block of 16 bits into a ciphertext block of 16 bits. The S-boxes are the S_i's, the P-boxes are the same P, and the round keys are the K_i's.
Figure: Many block ciphers, such as DES and Blowfish, utilize structures known as Feistel ciphers.
Decryption is done by simply reversing the process (using the inverses of the S-boxes and P-boxes and applying the round keys in reversed order).
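The SPN just described, as a runnable toy in the shape of the sketch above (an added example, not code from the Wikipedia article): a 16-bit block, 3 rounds of four 4-bit S-boxes followed by one fixed bit permutation, a round key XORed in before each substitution layer, and a final key XORed after the last one (the key whitening mentioned in the iterated block cipher section). The S-box table, the P-box, the 64-bit sample key and the slicing key schedule are all constructed for illustration and the cipher is not secure; the avalanche measurement shows the property the text asks of a good S-box/P-box combination.

```python
# Added example, not from the Wikipedia article: a toy 16-bit substitution-permutation
# network with 3 rounds in the shape of the article's sketch. S-box, P-box, key schedule
# and sample key are constructed for illustration only; this is not a secure cipher.
import random

ROUNDS = 3
MASK16 = 0xFFFF
# 4-bit S-box (a bijection on 0..15, constructed for this example) and its inverse.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
SBOX_INV = [SBOX.index(v) for v in range(16)]
# P-box: input bit i moves to output bit PBOX[i]. Bit k of S-box n lands in S-box k at
# position n, so each S-box's four output bits fan out to four different S-boxes.
PBOX = [4 * (i % 4) + i // 4 for i in range(16)]
PBOX_INV = [PBOX.index(v) for v in range(16)]


def substitute(block: int, sbox) -> int:
    """Apply the 4-bit S-box to each of the four nibbles of a 16-bit block."""
    out = 0
    for nib in range(4):
        out |= sbox[(block >> (4 * nib)) & 0xF] << (4 * nib)
    return out


def permute(block: int, pbox) -> int:
    """Move bit i of the block to position pbox[i]."""
    out = 0
    for i in range(16):
        if (block >> i) & 1:
            out |= 1 << pbox[i]
    return out


def round_keys(key: int):
    """Toy key schedule: slice a 64-bit master key into four 16-bit round keys
    (K0..K2 for the rounds, K3 for the final whitening). Constructed; not a real schedule."""
    return [(key >> (16 * i)) & MASK16 for i in range(ROUNDS + 1)]


def encrypt(plaintext: int, key: int) -> int:
    keys = round_keys(key)
    state = plaintext & MASK16
    for r in range(ROUNDS):
        state ^= keys[r]                  # key mixing (XOR, the group operation of the text)
        state = substitute(state, SBOX)   # non-linear substitution stage: confusion
        if r < ROUNDS - 1:                # a P-box after the last S-box layer adds nothing
            state = permute(state, PBOX)  # linear permutation stage: diffusion
    return state ^ keys[ROUNDS]           # final key whitening


def decrypt(ciphertext: int, key: int) -> int:
    """Reverse the process: inverse S-boxes and P-boxes, round keys in reversed order."""
    keys = round_keys(key)
    state = (ciphertext & MASK16) ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r < ROUNDS - 1:
            state = permute(state, PBOX_INV)
        state = substitute(state, SBOX_INV)
        state ^= keys[r]
    return state


def avalanche_fraction(key: int, samples: int = 200, seed: int = 1) -> float:
    """Average fraction of ciphertext bits that flip when one plaintext bit is flipped.
    About 0.5 is what the avalanche effect described in the text calls for."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(samples):
        p = rng.randrange(1 << 16)
        c = encrypt(p, key)
        for bit in range(16):
            flipped += bin(c ^ encrypt(p ^ (1 << bit), key)).count("1")
    return flipped / (samples * 16 * 16)


SAMPLE_KEY = 0x3A7F_C215_9E0B_D4C8  # constructed 64-bit key for the demo

if __name__ == "__main__":
    p = 0x1234
    c = encrypt(p, SAMPLE_KEY)
    print(f"plaintext {p:04x} -> ciphertext {c:04x} -> decrypted {decrypt(c, SAMPLE_KEY):04x}")
    print(f"avalanche fraction: {avalanche_fraction(SAMPLE_KEY):.2f}")
```

The P-box is chosen so that the four output bits of every S-box go to four different S-boxes of the next round, which is the diffusion property the text asks of a good P-box; with only three rounds and a 16-bit block the avalanche figure is already close to one half, but nothing about this toy should be read as a statement about real ciphers.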
Feistel ciphers
In a Feistel cipher, the block of plaintext to be encrypted is split into two equal-sized halves. The round function is applied to one half, using a subkey, and then the output is XORed with the other half. The two halves are then swapped.[14]
Let be the round function and let be the sub-keys for the rounds respectively.
Then the basic operation is as follows:[14]
Split the plaintext block into two equal pieces, ( , )
For each round , compute
.
Then the ciphertext is .
Decryption of a ciphertext is accomplished by computing for
.
Then is the plaintext again.
One advantage of the Feistel model compared to a substitution-permutation network is that the round function does not have to be invertible.[15]
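A toy Feistel network that makes the last point concrete (an added example, not code from the Wikipedia article; the formulas on the page did not survive extraction, so the notation F, K_i, L_i, R_i below is this example's own). The round function F is deliberately many-to-one, yet decryption is exact, and it is the same routine as encryption with the subkeys in reverse order. The 32-bit block, the squaring round function, the key schedule and the sample key are constructed for illustration; this is not a secure cipher.

```python
# Added example, not from the Wikipedia article: a toy Feistel network on 32-bit blocks
# (two 16-bit halves). The round function F is deliberately NOT invertible, yet the
# cipher decrypts exactly, which is the Feistel property the text describes.
# Notation F, K_i, L_i, R_i, the key schedule and SAMPLE_KEY are this example's own.
MASK16 = 0xFFFF
ROUNDS = 8


def F(half: int, subkey: int) -> int:
    """Round function: square (x XOR K) mod 2^16 and add K. Squaring mod 2^16 sends
    y and 2^16 - y to the same value, so F is many-to-one (not invertible)."""
    y = (half ^ subkey) & MASK16
    return (y * y + subkey) & MASK16


def subkeys(key: int, rounds: int = ROUNDS):
    """Constructed toy key schedule: overlapping 16-bit slices of a 64-bit key, each
    perturbed by a round constant. Not a real key schedule."""
    return [((key >> (6 * i)) ^ (0x9E37 * (i + 1))) & MASK16 for i in range(rounds)]


def feistel(block: int, keys) -> int:
    """Run the rounds: L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, K_i). The output is
    (R_n, L_n), i.e. the final swap is undone, so the same routine inverts itself."""
    left, right = (block >> 16) & MASK16, block & MASK16
    for k in keys:
        left, right = right, left ^ F(right, k)
    return (right << 16) | left


def encrypt(plaintext: int, key: int) -> int:
    return feistel(plaintext, subkeys(key))


def decrypt(ciphertext: int, key: int) -> int:
    # Decryption is the same network with the subkeys applied in reverse order.
    return feistel(ciphertext, list(reversed(subkeys(key))))


def f_is_bijective(subkey: int) -> bool:
    """Check whether F(., subkey) is a permutation of the 16-bit half-block space."""
    return len({F(x, subkey) for x in range(1 << 16)}) == (1 << 16)


SAMPLE_KEY = 0x0123_4567_89AB_CDEF  # constructed 64-bit key for the demo

if __name__ == "__main__":
    c = encrypt(0xDEADBEEF, SAMPLE_KEY)
    print(f"ciphertext {c:08x}, decrypted {decrypt(c, SAMPLE_KEY):08x}")
    print("F invertible for K_0?", f_is_bijective(subkeys(SAMPLE_KEY)[0]))
```

Only the XOR needs undoing in each round, and XOR undoes itself; F is merely re-evaluated on the half that was left untouched, which is why it can be any function at all.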
Lai–Massey ciphers
The Lai–Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage that the round function does not have to be invertible. Another similarity is that it also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks.
Let be the round function and a half-round function and let be the sub-keys for the rounds respectively.
Figure: The Lai–Massey scheme. The archetypical cipher utilizing it is IDEA.
Then the basic operation is as follows:
Split the plaintext block into two equal pieces, ( , )
For each round , compute
where and
Then the ciphertext is .
Decryption of a ciphertext is accomplished by computing for
where and
Then is the plaintext again.
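The Lai–Massey scheme as a runnable toy (an added example, not code from the Wikipedia article; since the page's formulas were lost in extraction, F for the round function, H for the half-round function and K_i for the subkeys are this example's own names). The halves are combined with addition mod 2^16, F is applied to their difference and added to both, and H is applied to the left half in every round but the last. The round function, H, key schedule and sample key are constructed for illustration; this is not a secure cipher.

```python
# Added example, not from the Wikipedia article: a toy Lai-Massey scheme on 32-bit
# blocks (two 16-bit halves, combined with addition mod 2^16). F is the round function,
# H the half-round function (an orthomorphism applied to the left half in every round
# but the last), K_i the subkeys; the notation, key schedule and key are constructed.
MASK16 = 0xFFFF
ROUNDS = 4


def F(diff: int, subkey: int) -> int:
    """Round function applied to the difference of the halves. As in a Feistel cipher it
    need not be invertible: this one squares mod 2^16 (constructed for illustration)."""
    y = (diff + subkey) & MASK16
    return (y * y + subkey) & MASK16


def H(x: int) -> int:
    """Half-round function: the orthomorphism (a, b) -> (b, a + b) on the two bytes of
    the left half, which keeps the two halves from being treated symmetrically."""
    a, b = x >> 8, x & 0xFF
    return (b << 8) | ((a + b) & 0xFF)


def H_inv(x: int) -> int:
    b, s = x >> 8, x & 0xFF
    return (((s - b) & 0xFF) << 8) | b


def subkeys(key: int, rounds: int = ROUNDS):
    """Constructed toy key schedule, not a real one."""
    return [((key >> (8 * i)) + 0x2B7E * (i + 1)) & MASK16 for i in range(rounds)]


def encrypt(plaintext: int, key: int) -> int:
    left, right = (plaintext >> 16) & MASK16, plaintext & MASK16
    keys = subkeys(key)
    for i, k in enumerate(keys):
        t = F((left - right) & MASK16, k)                         # F of the difference
        left, right = (left + t) & MASK16, (right + t) & MASK16   # added to both halves
        if i < len(keys) - 1:
            left = H(left)                       # half-round function, not in the last round
    return (left << 16) | right


def decrypt(ciphertext: int, key: int) -> int:
    left, right = (ciphertext >> 16) & MASK16, ciphertext & MASK16
    keys = subkeys(key)
    for i in reversed(range(len(keys))):
        if i < len(keys) - 1:
            left = H_inv(left)
        # Adding the same t to both halves leaves their difference unchanged, so the
        # decryptor recomputes t from the current halves without ever inverting F.
        t = F((left - right) & MASK16, keys[i])
        left, right = (left - t) & MASK16, (right - t) & MASK16
    return (left << 16) | right


def difference_is_preserved(left: int, right: int, t: int) -> bool:
    """The invariant that makes decryption work: (L+t) - (R+t) == L - R  (mod 2^16)."""
    return ((left + t) - (right + t)) & MASK16 == (left - right) & MASK16


SAMPLE_KEY = 0x5A5A_1234_FEDC_9876  # constructed 64-bit key for the demo

if __name__ == "__main__":
    c = encrypt(0xCAFEBABE, SAMPLE_KEY)
    print(f"ciphertext {c:08x}, decrypted {decrypt(c, SAMPLE_KEY):08x}")
```

Without H, the scheme would keep the difference L - R constant across every round, so H (undone first during decryption) is what turns the preserved-difference trick into a usable cipher structure.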
Operations
ARX (add-rotate-xor)
Many modern block ciphers and hashes are ARX algorithms: their round function involves only three operations: modular addition, rotation with fixed rotation amounts, and XOR (ARX). Examples include Salsa20, Speck and BLAKE. Many authors draw an ARX network, a kind of data flow diagram, to illustrate such a round function.[16]
These ARX operations are popular because they are relatively fast and cheap in hardware and software, and also because they run in constant time, and are therefore immune to timing attacks. The rotational cryptanalysis technique attempts to attack such round functions.
Other operations
Other operations often used in block ciphers include data-dependent rotations as in RC5 and RC6, a substitution box implemented as a lookup table as in Data Encryption Standard and Advanced Encryption Standard, a permutation box, and multiplication as in IDEA.
Modes of operation
A block cipher by itself allows encryption only of a single data block of the cipher's block length. For a variable-length message, the data must first be partitioned into separate cipher blocks. In the simplest case, known as the electronic codebook (ECB) mode, a message is first split into separate blocks of the cipher's block size (possibly extending the last block with padding bits), and then each block is encrypted and decrypted independently. However, such a naive method is generally insecure because equal plaintext blocks will always generate equal ciphertext blocks (for the same key), so patterns in the plaintext message become evident in the ciphertext output.[17]
Figure: Insecure encryption of an image as a result of electronic codebook mode encoding.
To overcome this limitation, several so-called block cipher modes of operation have been designed[18][19] and specified in national recommendations such as NIST 800-38A[20] and BSI TR-02102[21] and international standards such as ISO/IEC 10116.[22] The general concept is to use randomization of the plaintext data based on an additional input value, frequently called an initialization vector, to create what is termed probabilistic encryption.[23] In the popular cipher block chaining (CBC) mode, for encryption to be secure the initialization vector passed along with the plaintext message must be a random or pseudo-random value, which is added in an exclusive-or manner to the first plaintext block before it is being encrypted. The resultant ciphertext block is then used as the new initialization vector for the next plaintext block. In the cipher feedback (CFB) mode, which emulates a self-synchronizing stream cipher, the initialization vector is first encrypted and then added to the plaintext block. The output feedback (OFB) mode repeatedly encrypts the initialization vector to create a key stream for the emulation of a synchronous stream cipher. The newer counter (CTR) mode similarly creates a key stream, but has the advantage of only needing unique and not (pseudo-)random values as initialization vectors; the needed randomness is derived internally by using the initialization vector as a block counter and encrypting this counter for each block.[20]
From a security-theoretic point of view, modes of operation must provide what is known as semantic security.[24] Informally, it means that given some ciphertext under an unknown key one cannot practically derive any information from the ciphertext (other than the length of the message) over what one would have known without seeing the ciphertext. It has been shown that all of the modes discussed above, with the exception of the ECB mode, provide this property under so-called chosen plaintext attacks.
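ECB, CBC and CTR side by side, showing the pattern leak the text describes (an added example, not code from the Wikipedia article). To keep it self-contained the block cipher is a toy with a one-byte block: a keyed random permutation of the 256 byte values, constructed for illustration and standing in for a real cipher. The modes themselves are written as the text describes them; the plaintext, key and IV are constructed, and a real CBC IV must be random, a real CTR nonce at least unique per message.

```python
# Added example, not from the Wikipedia article: ECB, CBC and CTR built over a toy block
# cipher whose block is a single byte (a keyed random permutation of 0..255, constructed
# for illustration, standing in for a real block cipher). Plaintext, key and IV are
# constructed demo values.
import random
from typing import Callable, Tuple


def make_toy_cipher(key: int) -> Tuple[Callable[[int], int], Callable[[int], int]]:
    """Return (encrypt_block, decrypt_block) for an 8-bit block: the key selects one
    permutation of 0..255, exactly the "keyed permutation" the definition section asks for."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def ecb_encrypt(enc, data: bytes) -> bytes:
    # Each block encrypted independently: equal plaintext blocks give equal ciphertext blocks.
    return bytes(enc(b) for b in data)


def cbc_encrypt(enc, iv: int, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for b in data:
        prev = enc(b ^ prev)   # XOR with the previous ciphertext block (the IV for the first)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv: int, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for c in data:
        out.append(dec(c) ^ prev)
        prev = c
    return bytes(out)


def ctr_crypt(enc, nonce: int, data: bytes) -> bytes:
    # Key stream = E(nonce + i); the same function encrypts and decrypts.
    return bytes(b ^ enc((nonce + i) & 0xFF) for i, b in enumerate(data))


def pattern_leak(plaintext: bytes, ciphertext: bytes) -> int:
    """Count position pairs where equal plaintext blocks also gave equal ciphertext blocks."""
    n = len(plaintext)
    return sum(1 for i in range(n) for j in range(i + 1, n)
               if plaintext[i] == plaintext[j] and ciphertext[i] == ciphertext[j])


PLAINTEXT = b"AAAAAAAABBBBAAAA"   # constructed: repeated blocks make the ECB leak visible
KEY, IV = 0x5EED, 0x3C              # constructed demo values (see the note on real IVs)
ENC, DEC = make_toy_cipher(KEY)


def demo() -> dict:
    """Encrypt the sample in all three modes, check round trips, report leaked pairs."""
    ecb = ecb_encrypt(ENC, PLAINTEXT)
    cbc = cbc_encrypt(ENC, IV, PLAINTEXT)
    ctr = ctr_crypt(ENC, IV, PLAINTEXT)
    assert ecb_encrypt(DEC, ecb) == PLAINTEXT        # ECB decrypts block by block too
    assert cbc_decrypt(DEC, IV, cbc) == PLAINTEXT
    assert ctr_crypt(ENC, IV, ctr) == PLAINTEXT
    return {"ecb": pattern_leak(PLAINTEXT, ecb),
            "cbc": pattern_leak(PLAINTEXT, cbc),
            "ctr": pattern_leak(PLAINTEXT, ctr)}


if __name__ == "__main__":
    print(demo())   # ECB leaks every equal pair; CTR none; CBC only by chance
```

In CTR mode the key stream blocks E(nonce + i) are outputs of a permutation on distinct inputs, so they are all different and no equal-plaintext pair can produce an equal-ciphertext pair; in CBC an equal pair survives only if the chaining values happen to coincide, which for a real 128-bit block is negligible but for this one-byte toy would occur about once in 256 pairs.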
Padding
Some modes such as the CBC mode only operate on complete plaintext blocks. Simply extending the last block of a message with zero bits is insufficient since it does not allow a receiver to easily distinguish messages that differ only in the amount of padding bits. More importantly, such a simple solution gives rise to very efficient padding oracle attacks.[25] A suitable padding scheme is therefore needed to extend the last plaintext block to the cipher's block size. While many popular schemes described in standards and in the literature have been shown to be vulnerable to padding oracle attacks,[25][26] a solution which adds a one-bit and then extends the last block with zero-bits, standardized as "padding method 2" in ISO/IEC 9797-1,[27] has been proven secure against these attacks.[26]
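The two padding schemes the paragraph contrasts, side by side (an added example, not code from the Wikipedia article): zero padding, which cannot be undone unambiguously, and ISO/IEC 9797-1 padding method 2, which appends a single 1 bit and then zero bits up to the block boundary. Messages here are byte strings, so the 1 bit plus its seven following zero bits is the byte 0x80; the 8-byte block size and the sample messages are constructed.

```python
# Added example, not from the Wikipedia article: the zero-bit padding the text calls
# insufficient, beside ISO/IEC 9797-1 "padding method 2" (one 1 bit, then zero bits up
# to the block boundary). On byte strings the marker is the byte 0x80. Block size and
# sample messages are constructed.
BLOCK = 8  # bytes, as for a 64-bit block cipher such as DES or Blowfish


def pad_zero(msg: bytes, block: int = BLOCK) -> bytes:
    """Extend with zero bytes only: b"ab" and b"ab\\x00" pad to the same block, so the
    receiver cannot tell how much of the last block was padding."""
    return msg + b"\x00" * (-len(msg) % block)


def pad_method2(msg: bytes, block: int = BLOCK) -> bytes:
    """ISO/IEC 9797-1 method 2: always append 0x80, then zeros to the boundary.
    A message that already fills its last block therefore gains a whole padding block."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % block)


def unpad_method2(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip trailing zeros and the 0x80 marker. Every message has exactly one valid
    padding, so decoding is unambiguous. Raises only for data not padded this way."""
    if not padded or len(padded) % block:
        raise ValueError("input is not a whole number of blocks")
    end = len(padded) - 1
    while end >= 0 and padded[end] == 0:
        end -= 1
    if end < 0 or padded[end] != 0x80:
        raise ValueError("padding marker 0x80 not found")
    return padded[:end]


def zero_padding_is_ambiguous(a: bytes, b: bytes) -> bool:
    """True when two different messages become indistinguishable after zero padding."""
    return a != b and pad_zero(a) == pad_zero(b)


if __name__ == "__main__":
    for m in (b"", b"ab", b"ab\x00", b"12345678"):
        p = pad_method2(m)
        print(m, "->", p.hex(), "->", unpad_method2(p))
    print("zero padding ambiguous:", zero_padding_is_ambiguous(b"ab", b"ab\x00"))
```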
Cryptanalysis
Brute-force attacks
Due to a block cipher's characteristic as an invertible function, its output becomes distinguishable from a truly random output string over time due to the birthday attack. This property results in the cipher's security degrading quadratically, and needs to be taken into account when selecting a block size. There is a trade-off though as large block sizes can result in the algorithm becoming inefficient to operate.[28] Earlier block ciphers such as the DES have typically selected a 64-bit block size, while newer designs such as the AES support block sizes of 128 bits or more, with some ciphers supporting a range of different block sizes.[29]
Differential cryptanalysis
Linear cryptanalysis
Linear cryptanalysis is a form of cryptanalysis based on finding affine approximations to the action of a cipher. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.
The discovery is attributed to Mitsuru Matsui, who first applied the technique to the FEAL cipher (Matsui and Yamagishi, 1992).[30]
Integral cryptanalysis
Integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution-permutation networks. Unlike differential cryptanalysis, which uses pairs of chosen plaintexts with a fixed XOR difference, integral cryptanalysis uses sets or even multisets of chosen plaintexts of which part is held constant and another part varies through all possibilities. For example, an attack might use 256 chosen plaintexts that have all but 8 of their bits the same, but all differ in those 8 bits. Such a set necessarily has an XOR sum of 0, and the XOR sums of the corresponding sets of ciphertexts provide information about the cipher's operation. This contrast between the differences of pairs of texts and the sums of larger sets of texts inspired the name "integral cryptanalysis", borrowing the terminology of calculus.
Other techniques
In addition to linear and differential cryptanalysis, there is a growing catalog of attacks: truncated differential cryptanalysis, partial differential cryptanalysis, integral cryptanalysis, which encompasses square and integral attacks, slide attacks, boomerang attacks, the XSL attack, impossible differential cryptanalysis and algebraic attacks. For a new block cipher design to have any credibility, it must demonstrate evidence of security against known attacks.
Provable security
When a block cipher is used in a given mode of operation, the resulting algorithm should ideally be about as secure as the block cipher itself. ECB (discussed above) emphatically lacks this property: regardless of how secure the underlying block cipher is, ECB mode can easily be attacked. On the other hand, CBC mode can be proven to be secure under the assumption that the underlying block cipher is likewise secure. Note, however, that making statements like this requires formal mathematical definitions for what it means for an encryption algorithm or a block cipher to "be secure". This section describes two common notions for what properties a block cipher should have. Each corresponds to a mathematical model that can be used to prove properties of higher-level algorithms, such as CBC.
Figure: The development of the boomerang attack enabled differential cryptanalysis techniques to be applied to many ciphers that had previously been deemed secure against differential attacks.
This general approach to cryptography, proving higher-level algorithms (such as CBC) are secure under explicitly stated assumptions regarding their components (such as a block cipher), is known as provable security.
Standard model
Informally, a block cipher is secure in the standard model if an attacker cannot tell the difference between the block cipher (equipped with a random key) and a random permutation.
To be a bit more precise, let E be an n-bit block cipher. We imagine the following game:
1. The person running the game flips a coin. If the coin lands on heads, he chooses a random key K and defines the function f = E_K. If the coin lands on tails, he chooses a random permutation π on the set of n-bit strings, and defines the function f = π.
2. The attacker chooses an n-bit string X, and the person running the game tells him the value of f(X).
3. Step 2 is repeated a total of q times. (Each of these q interactions is a query.)
4. The attacker guesses how the coin landed. He wins if his guess is correct.
The attacker, which we can model as an algorithm, is called an adversary. The function f (which the adversary was able to query) is called an oracle.
Note that an adversary can trivially ensure a 50% chance of winning simply by guessing at random (or even by, for example, always guessing "heads"). Therefore, let P_E(A) denote the probability that the adversary A wins this game against E, and define the advantage of A as 2(P_E(A) - 1/2). It follows that if A guesses randomly, its advantage will be 0; on the other hand, if A always wins, then its advantage is 1. The block cipher E is a pseudo-random permutation (PRP) if no adversary has an advantage significantly greater than 0, given specified restrictions on q and the adversary's running time. If in Step 2 above adversaries have the option of learning f^-1(X) instead of f(X) (but still have only small advantages) then E is a strong PRP (SPRP). An adversary is non-adaptive if it chooses all q values for X before the game begins (that is, it does not use any information gleaned from previous queries to choose each X as it goes).
These definitions have proven useful for analyzing various modes of operation. For example, one can define a similar game for measuring the security of a block cipher-based encryption algorithm, and then try to show (through a reduction argument) that the probability of an adversary winning this new game is not much more than P_E(A) for some A. (The reduction typically provides limits on q and the running time of A.) Equivalently, if P_E(A) is small for all relevant A, then no attacker has a significant probability of winning the new game. This formalizes the idea that the higher-level algorithm inherits the block cipher's security.
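The standard-model game of steps 1 to 4 played out in code (an added example, not code from the Wikipedia article). The cipher under test is a deliberately weak 8-bit one, E_K(X) = X XOR K, which is a permutation for every key and so meets the definition section's requirement, yet is no PRP: a non-adaptive adversary with q = 2 queries reaches an advantage near 1, while a coin-flipping adversary stays near 0. The adversaries, the trial counts and the seed are constructed for illustration; the advantage 2(P_E(A) - 1/2) is estimated by repeated play.

```python
# Added example, not from the Wikipedia article: the standard-model distinguishing game
# of the text, played against a deliberately weak 8-bit "block cipher" E_K(X) = X XOR K
# (a permutation for every K, but not a PRP). Adversaries, trial counts and the seed
# are constructed for illustration.
import random
from typing import Callable

BLOCK_BITS = 8
N = 1 << BLOCK_BITS


def weak_cipher(key: int, x: int) -> int:
    return x ^ key


def play_game(adversary: Callable, cipher: Callable, q: int, rng: random.Random) -> bool:
    """One run of the game: heads -> f = E_K for a random K; tails -> f = a random
    permutation pi of the n-bit strings. The adversary gets at most q oracle queries
    and guesses the coin (True = heads). Returns True if the guess was right."""
    heads = rng.random() < 0.5
    if heads:
        key = rng.randrange(N)
        f = lambda x: cipher(key, x)
    else:
        pi = list(range(N))
        rng.shuffle(pi)
        f = lambda x: pi[x]
    queries = 0

    def oracle(x: int) -> int:
        nonlocal queries
        queries += 1
        if queries > q:
            raise RuntimeError("query budget q exceeded")
        return f(x)

    return adversary(oracle, rng) == heads


def xor_adversary(oracle: Callable[[int], int], rng: random.Random) -> bool:
    """Non-adaptive, q = 2: under E_K, f(X) XOR f(X') == X XOR X' for every key, while a
    random permutation satisfies this with probability only 1/(N-1). Guess heads if so."""
    x0, x1 = 0x00, 0xFF
    return (oracle(x0) ^ oracle(x1)) == (x0 ^ x1)


def coin_flip_adversary(oracle, rng: random.Random) -> bool:
    """Ignores the oracle and guesses at random: wins half the time, advantage 0."""
    return rng.random() < 0.5


def estimate_advantage(adversary, cipher, q: int, trials: int, seed: int) -> float:
    """Adv = 2 * (P_E(A) - 1/2), with P_E(A) estimated over `trials` independent games."""
    rng = random.Random(seed)
    wins = sum(play_game(adversary, cipher, q, rng) for _ in range(trials))
    return 2 * (wins / trials - 0.5)


if __name__ == "__main__":
    print("xor adversary  :", round(estimate_advantage(xor_adversary, weak_cipher, 2, 2000, 7), 3))
    print("coin flipper   :", round(estimate_advantage(coin_flip_adversary, weak_cipher, 2, 2000, 7), 3))
```

The same harness accepts any `cipher(key, x)` on 8-bit blocks and any adversary, so it can be used to check that a candidate toy construction at least survives this particular two-query test; surviving it says nothing about adaptive adversaries, larger q, or the SPRP variant where f^-1 may also be queried.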
Ideal cipher model
Practical evaluation
Block ciphers may be evaluated according to multiple criteria in practice. Common factors include:[31][32]
- Key parameters, such as its key size and block size, both of which provide an upper bound on the security of the cipher.
- The estimated security level, which is based on the confidence gained in the block cipher design after it has largely withstood major efforts in cryptanalysis over time, the design's mathematical soundness, and the existence of practical or certificational attacks.
- The cipher's complexity and its suitability for implementation in hardware or software. Hardware implementations may measure the complexity in terms of gate count or energy consumption, which are important parameters for resource-constrained devices.
- The cipher's performance in terms of processing throughput on various platforms, including its memory requirements.
- The cost of the cipher, which refers to licensing requirements that may apply due to intellectual property rights.
- The flexibility of the cipher, which includes its ability to support multiple key sizes and block lengths.
Notable block ciphers
Lucifer / DES
Lucifer is generally considered to be the first civilian block cipher, developed at IBM in the 1970s based on work done by Horst Feistel. A revised version of the algorithm was adopted as a U.S. government Federal Information Processing Standard: FIPS PUB 46 Data Encryption Standard (DES).[33] It was chosen by the U.S. National Bureau of Standards (NBS) after a public invitation for submissions and some internal changes by NBS (and, potentially, the NSA). DES was publicly released in 1976 and has been widely used.
DES was designed to, among other things, resist a certain cryptanalytic attack known to the NSA and rediscovered by IBM, though unknown publicly until rediscovered again and published by Eli Biham and Adi Shamir in the late 1980s. The technique is called differential cryptanalysis and remains one of the few general attacks against block ciphers; linear cryptanalysis is another, but may have been unknown even to the NSA, prior to its publication by Mitsuru Matsui. DES prompted a large amount of other work and publications in cryptography and cryptanalysis in the open community and it inspired many new cipher designs.
DES has a block size of 64 bits and a key size of 56 bits. 64-bit blocks became common in block cipher designs after DES. Key length depended on several factors, including government regulation. Many observers in the 1970s commented that the 56-bit key length used for DES was too short. As time went on, its inadequacy became apparent, especially after a special-purpose machine designed to break DES was demonstrated in 1998 by the Electronic Frontier Foundation. An extension to DES, Triple DES, triple-encrypts each block with either two independent keys (112-bit key and 80-bit security) or three independent keys (168-bit key and 112-bit security). It was widely adopted as a replacement. As of 2011, the three-key version is still considered secure, though the National Institute of Standards and Technology (NIST) standards no longer permit the use of the two-key version in new applications, due to its 80-bit security level.[34]
IDEA
Figure: One round (two half-rounds) of the RC5 block cipher.
The International Data Encryption Algorithm (IDEA) is a block cipher designed by James Massey of ETH Zurich and Xuejia Lai; it was first described in 1991, as an intended replacement for DES.
IDEA operates on 64-bit blocks using a 128-bit key, and consists of a series of eight identical transformations (a round) and an output transformation (the half-round). The processes for encryption and decryption are similar. IDEA derives much of its security by interleaving operations from different groups (modular addition and multiplication, and bitwise exclusive or (XOR)) which are algebraically "incompatible" in some sense.
The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune under certain assumptions. No successful linear or algebraic weaknesses have been reported. As of 2012, the best attack which applies to all keys can break full 8.5-round IDEA using a narrow-bicliques attack about four times faster than brute force.
RC5
RC5 is a block cipher designed by Ronald Rivest in 1994 which, unlike many other ciphers, has a variable block size (32, 64 or 128 bits), key size (0 to 2040 bits) and number of rounds (0 to 255). The original suggested choice of parameters were a block size of 64 bits, a 128-bit key and 12 rounds.
A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and XORs. The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of "nothing up my sleeve numbers". The tantalising simplicity of the algorithm together with the novelty of the data-dependent rotations has made RC5 an attractive object of study for cryptanalysts.
12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using 2^44 chosen plaintexts.[35] 18–20 rounds are suggested as sufficient protection.
Rijndael / AES
DES has been superseded as a United States Federal Standard by the AES, adopted by NIST in 2001 after a 5-year public competition. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted under the name Rijndael.
AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits. The block size has a maximum of 256 bits, but the key size has no theoretical maximum. AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state).
Blowfish
Blowfish is a block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish has a 64-bit block size and a variable key length from 1 bit up to 448 bits.[36] It is a 16-round Feistel cipher and uses large key-dependent S-boxes. Notable features of the design include the key-dependent S-boxes and a highly complex key schedule.
Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the ageing DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." Blowfish provides a good encryption rate in software and no effective cryptanalysis of the full-round version has been found to date.
Generalizations
Tweakable block ciphers
M. Liskov, R. Rivest, and D. Wagner have described a generalized version of block ciphers called "tweakable" block ciphers.[37] A tweakable block cipher accepts a second input called the tweak along with its usual plaintext or ciphertext input. The tweak, along with the key, selects the permutation computed by the cipher. If changing tweaks is sufficiently lightweight (compared with a usually fairly expensive key setup operation), then some interesting new operation modes become possible. The disk encryption theory article describes some of these modes.
Format-preserving encryption
Block ciphers traditionally work over a binary alphabet. That is, both the input and the output are binary strings, consisting of n zeroes and ones. In some situations, however, one may wish to have a block cipher that works over some other alphabet; for example, encrypting 16-digit credit card numbers in such a way that the ciphertext is also a 16-digit number might facilitate adding an encryption layer to legacy software. This is an example of format-preserving encryption. More generally, format-preserving encryption requires a keyed permutation on some finite language. This makes format-preserving encryption schemes a natural generalization of (tweakable) block ciphers. In contrast, traditional encryption schemes, such as CBC, are not permutations because the same plaintext can encrypt to multiple different ciphertexts, even when using a fixed key.
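A keyed permutation on a finite language other than bit strings, built from an ordinary block cipher (an added example, not code from the Wikipedia article). The language is the two-digit decimal numbers 00..99 and the construction is cycle walking, which the article does not name: encrypt with the block cipher and, whenever the result falls outside the language, encrypt again until it lands inside. The underlying block cipher is a toy 8-bit keyed permutation, constructed for illustration, and the key is a demo value; the domain is kept tiny so the permutation property can be checked exhaustively.

```python
# Added example, not from the Wikipedia article: a keyed permutation on the finite
# language 00..99 built by "cycle walking" over a toy 8-bit block cipher (a keyed random
# permutation of 0..255, constructed for illustration). Cycle walking is a standard FPE
# construction that the article itself does not name; the key is a demo value.
import random

DOMAIN = 100   # the format to preserve: decimal numbers 00..99


def make_toy_cipher(key: int):
    """(encrypt_block, decrypt_block) for an 8-bit block: a key-selected permutation."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


def cycle_walk(perm, x: int, domain: int = DOMAIN) -> int:
    """Apply the 0..255 permutation repeatedly until the value lands back inside the
    domain. Because perm is a bijection on 0..255, every value outside the domain sits
    on a cycle that returns to the domain, and the restriction is itself a bijection."""
    y = perm(x)
    while y >= domain:
        y = perm(y)
    return y


def fpe_encrypt(key: int, x: int) -> int:
    if not 0 <= x < DOMAIN:
        raise ValueError("input is not in the format")
    enc, _ = make_toy_cipher(key)
    return cycle_walk(enc, x)


def fpe_decrypt(key: int, y: int) -> int:
    # Walking the inverse permutation retraces the same intermediate values backwards.
    if not 0 <= y < DOMAIN:
        raise ValueError("input is not in the format")
    _, dec = make_toy_cipher(key)
    return cycle_walk(dec, y)


def is_permutation_of_domain(key: int) -> bool:
    """Exhaustive check that encryption under `key` permutes 00..99."""
    return sorted(fpe_encrypt(key, x) for x in range(DOMAIN)) == list(range(DOMAIN))


if __name__ == "__main__":
    key = 42
    for x in (0, 7, 42, 99):
        y = fpe_encrypt(key, x)
        print(f"{x:02d} -> {y:02d} -> {fpe_decrypt(key, y):02d}")
    print("permutation of 00..99:", is_permutation_of_domain(key))
```

The number of extra block cipher calls is data dependent (here at most a few, since the domain covers 100 of 256 values), which is the usual price of cycle walking and a reason production FPE schemes pair it with a cipher whose domain is only slightly larger than the format.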
Relation to other cryptographic primitives
Block ciphers can be used to build other cryptographic primitives, such as those below. For these other primitives to be cryptographically secure, care has to be taken to build them the right way.
- Stream ciphers can be built using block ciphers. OFB mode and CTR mode are block modes that turn a block cipher into a stream cipher.
- Cryptographic hash functions can be built using block ciphers.[38][39] See one-way compression function for descriptions of several such methods. The methods resemble the block cipher modes of operation usually used for encryption.
- Cryptographically secure pseudorandom number generators (CSPRNGs) can be built using block ciphers.[40][41]
- Secure pseudorandom permutations of arbitrarily sized finite sets can be constructed with block ciphers; see Format-Preserving Encryption.
- Message authentication codes (MACs) are often built from block ciphers. CBC-MAC, OMAC and PMAC are such MACs.
- Authenticated encryption is also built from block ciphers. It means to both encrypt and MAC at the same time. That is to both provide confidentiality and authentication. CCM, EAX, GCM and OCB are such authenticated encryption modes.
- Just as block ciphers can be used to build hash functions, hash functions can be used to build block ciphers. Examples of such block ciphers are SHACAL, BEAR and LION.
See also
Cipher security summary
Topics in cryptography
References
1. Shannon, Claude (1949). "Communication Theory of Secrecy Systems" (http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf) (PDF). Bell System Technical Journal 28 (4): 656–715.
2. van Tilborg, Henk C. A.; Jajodia, Sushil, eds. (2011). Encyclopedia of Cryptography and Security (http://books.google.com/books?id=UuNKmgv70lMC&pg=PA455). Springer. ISBN 978-1-4419-5905-8., p. 455.
3. van Tilborg & Jajodia 2011, p. 1268.
4. Cusick, Thomas W. & Stanica, Pantelimon (2009). Cryptographic Boolean functions and applications (http://books.google.com/books?id=OAkhkLSxxxMC&pg=PA158). Academic Press. pp. 158–159. ISBN 9780123748904.
5. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (1996). "Chapter 7: Block Ciphers". Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/). CRC Press. ISBN 0-8493-8523-7.
6. Bellare, Mihir; Rogaway, Phillip (11 May 2005), Introduction to Modern Cryptography (http://www.cs.ucdavis.edu/~rogaway/classes/227/spring05/book/main.pdf) (Lecture notes), chapter 3.
7. Chakraborty, D. & Rodriguez-Henriquez, F. (2008). "Block Cipher Modes of Operation from a Hardware Implementation Perspective". In Koç, Çetin K. Cryptographic Engineering (http://books.google.com/books?id=nErZY4vYHIoC&pg=PA321). Springer. p. 321. ISBN 9780387718163.
8. Menezes, van Oorschot & Vanstone 1996, section 7.2.
9. Junod, Pascal & Canteaut, Anne (2011). Advanced Linear Cryptanalysis of Block and Stream Ciphers (http://books.google.com/books?id=pMnRhjStTZoC&pg=PA2). IOS Press. p. 2. ISBN 9781607508441.
10. Keliher, Liam et al. (2000). "Modeling Linear Characteristics of Substitution-Permutation Networks". In Hays, Howard & Carlisle, Adam. Selected areas in cryptography: 6th annual international workshop, SAC'99, Kingston, Ontario, Canada, August 9–10, 1999: proceedings (http://books.google.com/books?id=qxurbiN0CcYC&pg=PA79). Springer. p. 79. ISBN 9783540671855.
11. Baigneres, Thomas & Finiasz, Matthieu (2007). "Dial 'C' for Cipher". In Biham, Eli & Yousseff, Amr. Selected areas in cryptography: 13th international workshop, SAC 2006, Montreal, Canada, August 17–18, 2006: revised selected papers (http://books.google.com/books?id=yb99g5G7FS4C&pg=PA77). Springer. p. 77. ISBN 9783540744610.
12. Cusick, Thomas W. & Stanica, Pantelimon (2009). Cryptographic Boolean functions and applications (http://books.google.com/books?id=OAkhkLSxxxMC&pg=PA164). Academic Press. p. 164. ISBN 9780123748904.
13. Katz, Jonathan; Lindell, Yehuda (2008). Introduction to modern cryptography (http://books.google.com/books?id=TTtVKHdOcDoC&pg=PA166). CRC Press. ISBN 9781584885511., pages 166–167.
14. Katz & Lindell 2008, pp. 170–172.
15. Katz & Lindell 2008, p. 171.
16. Aumasson, Jean-Philippe; Bernstein, Daniel J. (2012-09-18). "SipHash: a fast short-input PRF" (https://131002.net/siphash/siphash.pdf) (PDF). p. 5.
17. Menezes, Oorschot & Vanstone 1996, pp. 228–230, Chapter 7.
18. "Block Cipher Modes" (http://csrc.nist.gov/groups/ST/toolkit/BCM/index.html). NIST Computer Security Resource Center.
19. Menezes, van Oorschot & Vanstone 1996, pp. 228–233.
20. Morris Dworkin (December 2001), "Recommendation for Block Cipher Modes of Operation: Methods and Techniques" (http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf) (PDF), Special Publication 800-38A (National Institute of Standards and Technology (NIST))
21. "Kryptographische Verfahren: Empfehlungen und Schlüssellängen", BSI TR-02102 (Technische Richtlinie) (Version 1.0), June 20, 2008
22. ISO/IEC 10116:2006 Information technology - Security techniques - Modes of operation for an n-bit block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=38761)
23. Bellare & Rogaway 2005, p. 101, section 5.3.
24. Bellare & Rogaway 2005, section 5.6.
25. Serge Vaudenay (2002). "Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS...". Advances in Cryptology - EUROCRYPT 2002, Proc. International Conference on the Theory and Applications of Cryptographic Techniques (Springer Verlag) (2332): 534–545.
26. Kenneth G. Paterson; Gaven J. Watson (2008). "Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment". Security and Cryptography for Networks - SCN 2008, Lecture Notes in Computer Science (Springer Verlag) (5229): 340–357.
27. ISO/IEC 9797-1: Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=50375), ISO/IEC, 2011
28. Martin, Keith M. (2012). Everyday Cryptography: Fundamental Principles and Applications (http://books.google.com/books?id=5DZ_vvgl4oC&pg=PA114). Oxford University Press. p. 114. ISBN 9780199695591.
29. Paar, Christof et al. (2010). Understanding Cryptography: A Textbook for Students and Practitioners (http://books.google.com/books?id=f24wFELSzkoC&pg=PA30). Springer. p. 30. ISBN 9783642041006.
30. Matsui, M. and Yamagishi, A. "A new method for known plaintext attack of FEAL cipher". Advances in Cryptology - EUROCRYPT 1992.
31. Menezes, van Oorschot & Vanstone 1996, p. 227.
32. James Nechvatal, Elaine Barker, Lawrence Bassham, William Burr, Morris Dworkin, James Foti, Edward Roback (October 2000), Report on the Development of the Advanced Encryption Standard (AES) (http://csrc.nist.gov/archive/aes/round2/r2report.pdf) (PDF), National Institute of Standards and Technology (NIST)
33. FIPS PUB 46-3 Data Encryption Standard (DES) (http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf) (This is the third edition, 1999, but includes historical information in the preliminary section 12.)
34. NIST Special Publication 800-57 Recommendation for Key Management - Part 1: General (Revised), March, 2007 (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf)
35. Biryukov A. and Kushilevitz E. (1998). Improved Cryptanalysis of RC5. EUROCRYPT 1998.
36. Bruce Schneier (1993). "Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish)" (http://www.schneier.com/paper-blowfish-fse.html).
37. M. Liskov, R. Rivest, and D. Wagner. "Tweakable Block Ciphers" (http://www.cs.colorado.edu/~jrblack/class/csci7000/f03/papers/tweak-crypto02.pdf) (PDF). Crypto 2002.
38. ISO/IEC 10118-2:2010 Information technology - Security techniques - Hash-functions - Part 2: Hash-functions using an n-bit block cipher (http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44737)
39. Menezes, van Oorschot & Vanstone 1996, Chapter 9: Hash Functions and Data Integrity.
40. NIST Special Publication 800-90A Recommendation for Random Number Generation Using Deterministic Random Bit Generators (http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf)
41. Menezes, van Oorschot & Vanstone 1996, Chapter 5: Pseudorandom Bits and Sequences.
Further reading
Knudsen, Lars R. & (2011). The Block Cipher Companion (http://books.google.com/books?id=YiZKt_FcmYQC). Springer. ISBN 9783642173417.
External links
A list of many symmetric algorithms, the majority of which are block ciphers. (http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html)
The block cipher lounge (http://www.mat.dtu.dk/people/Lars.R.Knudsen/bc.html)
What is a block cipher? (http://www.rsa.com/rsalabs/node.asp?id=2168) from RSA FAQ
Retrieved from "https://en.wikipedia.org/w/index.php?title=Block_cipher&oldid=663735007"
Categories: Block ciphers | Cryptographic primitives
This page was last modified on 24 May 2015, at 00:25. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.