“it seems that our competence to secure the net cannot keep up with our desire to use it.” by...
TRANSCRIPT
“It seems that our competence
to secure the net cannot keep up with our desire to use it.”
by ARJEN K. LENSTRAin ‘Securing the Net – The Fruits of Incompetence’, published in First
Monday, 1996, http://www.firstmonday.org/issues/issue4/lenstra/ as of Nov 1, 2009
1
2
Stream Cipher Streaming Cipher: encrypts data unit by unit,
where a unit is of certain number of bits (Example: If the unit be a bit, a stream cipher encrypts data unit by unit. Or if the unit be a byte, it encrypts byte by byte)
simpler and faster than block cipher; but less secure
Two Modes of Stream Cipher: Synchronous Stream Cipher: Sender uses a
key to encrypt. Receiver uses the same key to decrypt.
Self-Synchronizing Stream Cipher: The key stream generator (KSG) generates a key, which depends upon the original key and the cipher output.
3
Key Stream Generator (KSG)
Pseudorandom Byte GeneratorKey Stream of
bytes
The stream of bytes cannot be determined, if the Key is not known.
The stream is deterministic.
The stream repeats after a long chain of bits.
4
Self-Synchronizing Stream Cipher
Plaintext
Stream of bytes
Ciphertext
In a stream Cipher, a key must not be repeated.
5
RC 4: Example of a Stream Cipher RC4: A byte by byte encryption
algorithm, used in SSL (Secure socket Layer) WEP (Wired Equivalent Privacy)
Developed in 1987 by Ron Rivest for RSA
Sept 1994: RC4 algorithm: Developed in 1987 by Ron Rivest for RSA
6
RC4: Key and the Temporary Vector Key: 1 to 256 octets First byte of Key: K[0]; Second byte
of key: K[1] …… No of bytes of key = kbytes A 256 byte Temporary vector: T[0] to
T[255] If kbytes = 256, for i = 0 to 255, T[i] =
K[i] If kbytes < 256, for i=0 to 255, T[i] = K[i mod kbytes]
7
RC4: The State Vector
A 256 byte State vector: S[0] to S[255] INITIALIZATION: For i = 0 to 255, S[i] = i Initial PERMUTATION of S: j = 0; For i = 0 to 255, j = (j + S[i] + T[i]) mod
256 Swap (S[i] and S[j]).
After initial permutation, the key is not used.
8
Stream Encryption mth byte of Plaintext P[m] i = j = 0; m = 0 while (true){ i = (i + 1) mod 256; j = (j + S[i]) mod 256; swap (S[i], S[j]); t = (S[i] + S[j]) mod 256; k = S[t]; C[m] = P[m] k; m = m + 1 }
9
Strength of RC4 For decryption, xor k with the next
byte of ciphertext. For a key length of 128 bits or
more, RC4 is secure. The weakness in WEP: due to the
weakness of the protocol for key generation ( not due to weakness in RC4).
Reference: Fluhrer, S.; Mantin, I.; and Shamir, A. “Weakness in the Key Scheduling Algorithm of RC4,” Proceedings, Workshop in Selected Areas of Cryptography, 2001
9
Symmetric Key Ciphers Symmetric key ciphers: efficient,
secure Problem: How to share a key
securely between the sender and the receiver?
If 100 persons want to send message securely to one another 4950 different keys are required (Reference: Niels Ferguson and Bruce Schneier ,” Practical Cryptography”, Wiley 2003)
Other Symmetric Ciphers DES: ‘arguably the most widely used and
successful encryption algorithm in the world’ (Reference: Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998, http://www.schneier.com/twofish.html)
AES: October 2, 2000: RIJNDAEL selected as AES; issued as FIPS PUB 197 standard in Nov-2001
RC4: A Stream Cipher; Developed in 1987 by Ron Rivest for RSA; used in SSL and WEP
Other Symmetric Ciphers: Blowfish: designed in 1993 by Bruce Schiener as a
licence-free replacement for DES Five Finalists for the AES competition: MARS, RC6,
RIJNDAEL, SERPENT, TWOFISH 11
AES Selection Process June 1998: 21 proposals Aug 20, 1998: shortlisted to 15 proposals shortlist in Aug-99:
MARS (IBM) - complex, fast, high security margin RC6 (USA) - v. simple, v. fast, low security margin Rijndael (Belgium) - clean, fast, good security margin
--academic Serpent (Euro) – slow (1/3rd the speed of AES), clean,
highest security margin out of the 5 finalists --academic
Twofish (USA) – complex, Feistel, DES-like structure; v. fast (as fast as AES), high security margin– key dependent S-boxes; Uses whitening: at both the start and the end of the cipger process, add key-material to data
12
BLOWFISH
13
Blowfish (also known as puffer, globefish, or swellfish) is called fugu in Japanese. It blows itself up when threatened. The costliest and the ideal of gourmet dining, fugu is known to have a deadly poison (tetrodoxin) in its ovary and the liver. Only specially licensed cooks who know exactly how to cut up fugu are allowed to cook fugu.
Tetrodoxin is 1250 times deadlier than cynide and has no known anti-dote.Reference: http://www1.american.edu/TED/blowfish.htm as of Nov 1, 2009
BLOWFISH 1993: designed by Bruce Schiener as a
licence-free replacement for DES a Feistel Network, iterating a simple
encryption function 16 times. a symmetric block cipher. It has a 64-bit
block size a variable key length from 32 bits to 448
bits Uses simple operations that are efficient on
microprocessors. e.g. exclusive-or, addition, table lookup (four indexed array data lookups per round), modular- multiplication. 14
BLOWFISH ….2 does not use variable-length shifts or bit-wise
permutations, or conditional jumps. Employs precomputable subkeys:
On large-memory systems, these subkeys can be precomputed for faster operation.
Not precomputing the subkeys will result in slower operation, but it should still be possible to encrypt data without any precomputations.
It is significantly faster than most encryption algorithms when implemented on 32-bit microprocessors with large data caches.
15
BLOWFISH
DES operates on Right Half whereas Blowfish: operates on Left Half of data
(DES is designed for Big-Endians machines, whereas Blowfish is designed for Little endian; Intel processors are Little Endian.
Little Endian: increasing numeric significance with increasing memory addresses or increasing time; The LSB is at the lowest address. The other bytes follow in increasing order of significance.
Big Endian: MSB stored at the lowest address and the next byte value in significance is stored at the next memory location. )
Blowfish algorithm consists of two parts: key expansion and data encryption. 16
Blowfish Key Schedule Algorithm (Sub-Keys Generation Algorithm)
Data encryption consists of a simple function iterated 16 times. Each round consists of a key-dependent permutation, and a key- and data-dependent
substitution. Blowfish uses a large number of
subkeys. These keys must be precomputed before any data encryption or decryption.
17
Subkeys: The P-array consists of 18 32-bit
subkeys:P(1), P(2),..., P(18).
There are four 32-bit S-boxes with 256 entries each:
S1,0, S1,1,..., S1,255; S2,0, S2,1,..,, S2,255; S3,0, S3,1,..., S3,255; S4,0, S4,1,..,, S4,255.
18
Key Expansion Given a key of a maximum of 448 bits Key Schedule: generates 18x4 + 256x4x4 = 4168
bytes of subkeys Uses the fractional part of π. π = 3.1415926535 8979323846 2643383279
5028841971..(Reference: http://www.eveandersson.com/pi/digits/pi-digits as of Nov 1, 2009)
To initialize 18 sub-keys and 4 S-boxes, we need 18*32 + 4*256*32 = 576 + 32768 = 33344 binary digits of, or 33,344/4 = 8,366 hex digits of π.
fractional part of π in HEX digits:19
Key Expansion Algorithm:Given the key K (keysize= an integer multiple of 32 bits)
1. Repeat the key K to generate K’ of length 18x32 bits: K’ = (K K K K….)
2. Initialize first the P-array and then the four S-boxes, in order, with the hexadecimal digits of the fractional part of π (i.e. π - 3):P(1) = 0x243F6A88,
P(2) = 0x85A308D3,
P(3) = 0x13198A2E,
P(4) = 0x03707344,
.
S1 = (0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0x D01ADFB7, 0xB8E1AFED, ……)
.
3. XOR P(1) with the first 32 bits of the key K’, XOR P(2) with the second 32-bits of the key, and so on for all the 18 P’s.
20
Key Expansion Algorithm: …2
4. Consider a 64-bit all zero data. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys P’s obtained in step (3) and S’s obtained in step (2). The output will be a 64-bit string.
5. Replace P(1) and P(2) with the output of step (4).
6. Encrypt the output of step (4) using the Blowfish algorithm with the subkeys, obtained after modification of step (5). Again we shall get a 64-bit string as the output.
7. Replace P(3) and P(4) with the output of step (5).
8. Continue the process, replacing all entries of the P array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.
In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times.
21
Blowfish Key Expansion Algorithm Process …3Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 394
22
BlowfishData Encryption Algorithm Blowfish has 16 rounds. The input is a 64-bit data element,
x. Divide x into two 32-bit halves: xL,
xR. Then, for i = 1 to 16:
xL = xL XOR P(i) xR = F(xL) XOR xR Swap xL and xR
After the sixteenth round, swap xL and xR again to undo the last swap.
23
Data Encryption Algorithm Process first, second and the last rounds Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 392
24
BlowfishData Encryption Algorithm ..3
Then, xR = xR XOR P(17) and xL = xL XOR P(18).
Finally, recombine xL and xR to get the ciphertext.
Decryption is exactly the same as encryption, except that P(1), P(2),..., P(18) are used in the reverse order.
25
BlowfishRound Function
ROUND FUNCTION F INPUTS: 32 bit data L
S1[], S2[], S3[], S4[]:four 32-bit S-boxes with 256 entries each
1. Divide L into four 8-bit parts:L = (a, b, c, d)
2. Output B =( (S1[a] + S2[b] mod 232 ) S3[c] ) + S4[d] mod
232
26
BlowfishThe Round Function Process …….2 Reference: P.K. Yuen,” Practical Cryptology and Web security”, Pearson/Addison Wesley 2006, pp 393
27
8366 HEX DIGITS of π - 3 Reference: http://www.herongyang.com/crypto/cipher_blowfish_4.html
243F6A8885A308D313198A2E03707344A4093822299F31D0082EFA98EC4E6C89452821E638D01377BE5466CF34E90C6CC0AC29B7C97C50DD3F84D5B5B54709179216D5D98979FB1BD1310BA698DFB5AC2FFD72DBD01ADFB7B8E1AFED6A267E96BA7C9045F12C7F9924A19947B3916CF70801F2E2858EFC16636920D871574E69A458FEA3F4933D7E0D95748F728EB658718BCD5882154AEE7B54A41DC25A59B59C30D5392AF26013C5D1B023286085F0CA417918B8DB38EF8E79DCB0603A180E6C9E0E8BB01E8A3ED71577C1BD314B2778AF2FDA55605C60E65525F3AA55AB945748986263E8144055CA396A2AAB10B6B4CC5C341141E8CEA15486AF7C72E993B3EE1411636FBC2A2BA9C55D741831F6CE5C3E169B87931EAFD6BA336C24CF5C7A325381289586773B8F48986B4BB9AFC4BFE81B6628219361D809CCFB21A991487CAC605DEC8032EF845D5DE98575B1DC262302EB651B8823893E81D396ACC50F6D6FF383F442392E0B4482A484200469C8F04A9E1F9B5E21C66842F6E96C9A670C9C61ABD388F06A51A0D2D8542F68960FA728AB5133A36EEF0B6C137A3BE4BA3BF0507EFB2A98A1F1651D39AF017666CA593E82430E888CEE8619456F9FB47D84A5C33B8B5EBEE06F75D885C12073401A449F56C16AA64ED3AA62363F77061BFEDF72429B023D37D0D724D00A1248DB0FEAD349F1C09B075372C980991B7B25D479D8F6E8DEF7E3FE501AB6794C3B976CE0BD04C006BAC1A94FB6409F60C45E5C9EC2196A246368FB6FAF3E6C53B51339B2EB3B52EC6F6DFC511F9B30952CCC814544AF5EBD09BEE3D004DE334AFD660F2807192E4BB3C0CBA85745C8740FD20B5F39B9D3FBDB5579C0BD1A60320AD6A100C6402C7279679F25FEFB1FA3CC8EA5E9F8DB3222F83C7516DFFD616B152F501EC8AD0552AB323DB5FAFD23876053317B483E00DF829E5C57BBCA6F8CA01A87562EDF1769DBD542A8F6287EFFC3
28
8366 HEX DIGITS of π – 3 …..2 AC6732C68C4F5573695B27B0BBCA58C8E1FFA35DB8F011A010FA3D98FD2183B84AFC
B56C2DD1D35B9A53E479B6F84565D28E49BC4BFB9790E1DDF2DAA4CB7E3362FB1341CEE4C6E8EF20CADA36774C01D07E9EFE2BF11FB495DBDA4DAE909198EAAD8E716B93D5A0D08ED1D0AFC725E08E3C5B2F8E7594B78FF6E2FBF2122B648888B812900DF01C4FAD5EA0688FC31CD1CFF191B3A8C1AD2F2F2218BE0E1777EA752DFE8B021FA1E5A0CC0FB56F74E818ACF3D6CE89E299B4A84FE0FD13E0B77CC43B81D2ADA8D9165FA2668095770593CC7314211A1477E6AD206577B5FA86C75442F5FB9D35CFEBCDAF0C7B3E89A0D6411BD3AE1E7E4900250E2D2071B35E226800BB57B8E0AF2464369BF009B91E5563911D59DFA6AA78C14389D95A537F207D5BA202E5B9C5832603766295CFA911C819684E734A41B3472DCA7B14A94A1B5100529A532915D60F573FBC9BC6E42B60A47681E6740008BA6FB5571BE91FF296EC6B2A0DD915B6636521E7B9F9B6FF34052EC585566453B02D5DA99F8FA108BA47996E85076A4B7A70E9B5B32944DB75092EC4192623AD6EA6B049A7DF7D9CEE60B88FEDB266ECAA8C71699A17FF5664526CC2B19EE1193602A575094C29A0591340E4183A3E3F54989A5B429D656B8FE4D699F73FD6A1D29C07EFE830F54D2D38E6F0255DC14CDD20868470EB266382E9C6021ECC5E09686B3F3EBAEFC93C9718146B6A70A1687F358452A0E286B79C5305AA5007373E07841C7FDEAE5C8E7D44EC5716F2B8B03ADA37F0500C0DF01C1F040200B3FFAE0CF51A3CB574B225837A58DC0921BDD19113F97CA92FF69432477322F547013AE5E58137C2DADCC8B576349AF3DDA7A94461460FD0030EECC8C73EA4751E41E238CD993BEA0E2F3280BBA1183EB3314E548B384F6DB9086F420D03F60A04BF2CB8129024977C79
29
8366 HEX DIGITS of π – 3 …..3 5679B072BCAF89AFDE9A771FD9930810B38BAE12DCCF3F2E5512721F2E6B7124501AD
DE69F84CD877A5847187408DA17BC9F9ABCE94B7D8CEC7AEC3ADB851DFA63094366C464C3D2EF1C18473215D908DD433B3724C2BA1612A14D432A65C45150940002133AE4DD71DFF89E10314E5581AC77D65F11199B043556F1D7A3C76B3C11183B5924A509F28FE6ED97F1FBFA9EBABF2C1E153C6E86E34570EAE96FB1860E5E0A5A3E2AB3771FE71C4E3D06FA2965DCB999E71D0F803E89D65266C8252E4CC9789C10B36AC6150EBA94E2EA78A5FC3C531E0A2DF4F2F74EA7361D2B3D1939260F19C279605223A708F71312B6EBADFE6EEAC31F66E3BC4595A67BC883B17F37D1018CFF28C332DDEFBE6C5AA56558218568AB9802EECEA50FDB2F953B2AEF7DAD5B6E2F841521B62829076170ECDD4775619F151013CCA830EB61BD960334FE1EAA0363CFB5735C904C70A239D59E9E0BCBAADE14EECC86BC60622CA79CAB5CABB2F3846E648B1EAF19BDF0CAA02369B9655ABB5040685A323C2AB4B3319EE9D5C021B8F79B540B19875FA09995F7997E623D7DA8F837889A97E32D7711ED935F166812810E358829C7E61FD696DEDFA17858BA9957F584A51B2272639B83C3FF1AC24696CDB30AEB532E30548FD948E46DBC312858EBF2EF34C6FFEAFE28ED61EE7C3C735D4A14D9E864B7E342105D14203E13E045EEE2B6A3AAABEADB6C4F15FACB4FD0C742F442EF6ABBB5654F3B1D41CD2105D81E799E86854DC7E44B476A3D816250CF62A1F25B8D2646FC8883A0C1C7B6A37F1524C369CB749247848A0B5692B285095BBF00AD19489D1462B17423820E0058428D2A0C55F5EA1DADF43E233F70613372F0928D937E41D65FECF16C223BDB7CDE3759CBEE74604085F2A7CE77326EA607808419F8509EE8EFD85561D99735A969A7AAC50C06C25A04ABFC800BCADC9E447A2EC3453484FDD567050E1E9EC9DB73DBD3105588CD
30
8366 HEX DIGITS of π – 3 …..4 675FDA79E3674340C5C43465713E38D83D28F89EF16DFF20153E21E78FB03D4AE6E39F2
BDB83ADF7E93D5A68948140F7F64C261C94692934411520F77602D4F7BCF46B2ED4A20068D40824713320F46A43B7D4B7500061AF1E39F62E9724454614214F74BF8B88404D95FC1D96B591AF70F4DDD366A02F45BFBC09EC03BD97857FAC6DD031CB850496EB27B355FD3941DA2547E6ABCA0A9A28507825530429F40A2C86DAE9B66DFB68DC1462D7486900680EC0A427A18DEE4F3FFEA2E887AD8CB58CE0067AF4D6B6AACE1E7CD3375FECCE78A399406B2A4220FE9E35D9F385B9EE39D7AB3B124E8B1DC9FAF74B6D185626A36631EAE397B23A6EFA74DD5B43326841E7F7CA7820FBFB0AF54ED8FEB397454056ACBA48952755533A3A20838D87FE6BA9B7D096954B55A867BCA1159A58CCA9296399E1DB33A62A4A563F3125F95EF47E1C9029317CFDF8E80204272F7080BB155C05282CE395C11548E4C66D2248C1133FC70F86DC07F9C9EE41041F0F404779A45D886E17325F51EBD59BC0D1F2BCC18F41113564257B7834602A9C60DFF8E8A31F636C1B0E12B4C202E1329EAF664FD1CAD181156B2395E0333E92E13B240B62EEBEB92285B2A20EE6BA0D99DE720C8C2DA2F728D012784595B794FD647D0862E7CCF5F05449A36F877D48FAC39DFD27F33E8D1E0A476341992EFF743A6F6EABF4F8FD37A812DC60A1EBDDF8991BE14CDB6E6B0DC67B55106D672C372765D43BDCD0E804F1290DC7CC00FFA3B5390F92690FED0B667B9FFBCEDB7D9CA091CF0BD9155EA3BB132F88515BAD247B9479BF763BD6EB37392EB3CC1159798026E297F42E312D6842ADA7C66A2B3B12754CCC782EF11C6A124237B79251E706A1BBE64BFB63501A6B101811CAEDFA3D25BDD8E2E1C3C9444216590A121386D90CEC6ED5ABEA2A64AF674EDA86A85FBEBFE98864E4C3FE9DBC8057F0F7C08660787BF86003604DD1FD8346F6381FB07745AE04D736FCCC83426B33F01EAB71B08041873C005E5F77A057BEBDE8AE24
31
8366 HEX DIGITS of π – 3 …..5
55464299BF582E614E58F48FF2DDFDA2F474EF388789BDC25366F9C3C8B38E74B475F25546FCD9B97AEB26618B1DDF84846A0E79915F95E2466E598E20B457708CD55591C902DE4CB90BACE1BB8205D011A862487574A99EB77F19B6E0A9DC09662D09A1C4324633E85A1F0209F0BE8C4A99A0251D6EFE101AB93D1D0BA5A4DFA186F20F2868F169DCB7DA83573906FEA1E2CE9B4FCD7F5250115E01A70683FAA002B5C40DE6D0279AF88C27773F8641C3604C0661A806B5F0177A28C0F586E0006058AA30DC7D6211E69ED72338EA6353C2DD94C2C21634BBCBEE5690BCB6DEEBFC7DA1CE591D766F05E4094B7C018839720A3D7C927C2486E3725F724D9DB91AC15BB4D39EB8FCED54557808FCA5B5D83D7CD34DAD0FC41E50EF5EB161E6F8A28514D96C51133C6FD5C7E756E14EC4362ABFCEDDC6C837D79A323492638212670EFA8E406000E03A39CE37D3FAF5CFABC277375AC52D1B5CB0679E4FA33742D382274099BC9BBED5118E9DBF0F7315D62D1C7EC700C47BB78C1B6B21A19045B26EB1BE6A366EB45748AB2FBC946E79C6A376D26549C2C8530FF8EE468DDE7DD5730A1D4CD04DC62939BBDBA9BA4650AC9526E8BE5EE304A1FAD5F06A2D519A63EF8CE29A86EE22C089C2B843242EF6A51E03AA9CF2D0A483C061BA9BE96A4D8FE51550BA645BD62826A2F9A73A3AE14BA99586EF5562E9C72FEFD3F752F7DA3F046F6977FA0A5980E4A91587B086019B09E6AD3B3EE593E990FD5A9E34D7972CF0B7D9022B8B5196D5AC3A017DA67DD1CF3ED67C7D2D281F9F25CFADF2B89B5AD6B4725A88F54CE029AC71E019A5E647B0ACFDED93FA9BE8D3C48D283B57CCF8D5662979132E28785F0191ED756055F7960E44E3D35E8C15056DD488F46DBA03A161250564F0BDC3EB9E153C9057A297271AECA93A072A1B3F6D9B1E6321F5F59C66FB26DCF3197533D928B155FDF5035634828ABA3CBB28517711C20AD9F8ABCC5167CCAD925F4DE817513830DC8E379D58629320F991EA7A90C2FB3E7BCE
32
8366 HEX DIGITS of π – 3 …..6 Extracted from the source code provided in BLOWFISH by MARKUS HAHN
5121CE64774FBE32A8B6E37EC3293D4648DE53696413E680A2AE0810DD6DB22469852DFD09072166B39A460A6445C0DD586CDECF1C20C8AE5BBEF7DD1B588D40CCD2017F6BB4E3BBDDA26A7E3A59FF453E350A44BCB4CDD572EACEA8FA6484BB8D6612AEBF3C6F47D29BE463542F5D9EAEC2771BF64E6370740E0D8DE75B1357F8721671AF537D5D4040CB084EB4E2CC34D2466A0115AF84E1B0042895983A1D06B89FB4CE6EA0486F3F3B823520AB82011A1D4B277227F8611560B1E7933FDCBB3A792B344525BDA08839E151CE794B2F32C9B7A01FBAC9E01CC87EBCC7D1F6CF0111C3A1E8AAC71A908749D44FBD9AD0DADECBD50ADA380339C32AC69136678DF9317CE0B12B4FF79E59B743F5BB3AF2D519FF27D9459CBF97222C15E6FC2A0F91FC719B941525FAE59361CEB69CEBC2A8645912BAA8D1B6C1075EE3056A0C10D25065CB03A442E0EC6E0E1698DB3B4C98A0BE3278E9649F1F9532E0D392DFD3A0342B8971F21E1B0A74414BA3348CC5BE7120C37632D8DF359F8D9B992F2EE60B6F470FE3F11DE54CDA541EDAD891CE6279CFCD3E7E6F1618B166FD2C1D05848FD2C5F6FB2299F523F357A632762393A8353156CCCD02ACF081625A75EBB56E16369788D273CCDE96629281B949D04C50901B71C65614E6C6C7BD327A140A45E1D006C3F27B9AC9AA53FD62A80F00BB25BFE235BDD2F671126905B2040222B6CBCF7CCD769C2B53113EC01640E3D338ABBD602547ADF0BA38209CF746CE7677AFA1C52075606085CBFE4E8AE88DD87AAAF9B04CF9AA7E1948C25C02FB8A8C01C36AE4D6EBE1F990D4F869A65CDEA03F09252DC208E69FB74E6132CE77E25B578FDFE33AC372E6
33
REFERENCES http://www.herongyang.com/crypto/cipher_blo
wfish.html http://pocketbrief.net/related/BlowfishEncryptio
n.pdf
34
TWOFISH
35
“Key dependent S-boxes are something new in a cipher design.”
- Pawel Chodowiec, Kris Gaj,in ” Implementation of the Twofish Cipher Using FPGA Devices”, page 3,
http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009
“There is no such thing as a key-dependent S-box, only a complicated multi-stage nonlinear function that is implemented as a key-dependent S-box for efficiency.”
--Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,
in ” Two fish: A 128-Bit Block Cipher”, page 57, http://www.schneier.com/twofish.html , as of Nov 1, 2009
TwoFish is a block cipher by Counterpane Labs, designed by
Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson, published in 1998.
one of the five Advanced Encryption Standard (AES) finalists, and was not selected as AES.
unpatented, and the source code is uncopyrighted and license-free;
uses Feistel structure has a 128-bit block size, a key size of 128, 192 or 256 bit
36
TwoFish optimized for 32-bit CPUs. On most software platforms Twofish is slightly
slower than Rijndael for 128-bit keys, but somewhat faster for 256-bit keys.
Has a key schedule that can be precomputed for maximum speed, or computed on-the-fly for maximum agility and minimum memory requirements.
suitable for dedicated hardware applications: e.g. it has no large tables. a block cipher, which can also be used as a
stream cipher, one-way hash function, MAC and pseudo-random number generator.
(Reference: B. Schneier and D. Whiting,” A Performance Comparison of the Five AES Finalists”, http://www.schneier.com/paper-aes-comparison.html)
37
Components used by TwoFish1. four different 8-by-8-bit S-boxes:
pre-computed and key-dependent built using two fixed 8-by-8-bit permutations and
key material.
2. Key-dependent MDS (maximum distance separable) matrix:
Notes:
1. During encryption, the four bytes output from the four S-boxes is multiplied by a 4-by-4 MDS matrix over GF(28). This matrix multiply is the principal diffusion mechanism in Twofish.
2. For software implementation on a modern microprocessor, the MDS matrix multiply is normally implemented using four lookup tables, each consisting of 256 32-bit words, so the particular coefficients used in the matrix do not affect performance.
38
Components used by TwoFish …23. 32-bit Pseudo-Hadamard transform (PHT)
to mix the outputs from its two parallel 32-bit g functions. This PHT can be executed in two opcodes on most modern microprocessors, including the Pentium family.
4. Whitening: the technique of xoring key material before the first round and after the last round
Twofish xors a subkey before the first Feistel round, and another sub-key after the last Feistel round. These subkeys are calculated in the same manner as the round subkeys, but are not used anywhere else in the cipher.
5. Key: Twofish can accept keys of any byte length up to 256 bits.
For key sizes, other than the three defined sizes of 128, 192 and 256 bits, the key is padded at the end with zero bytes to the next larger length that is defined.
For example, an 80-bit key m0; : : : ;m9 would be extended by setting mi = 0 for i = 10; : : : ; 15 and treating it as a 128-bit key.
39
Writing plaintext of 128 bits as four 32-bit
words The plaintext is split into four 32-bit words. The 16 bytes of plaintext p0; : : : ; p15 are first split into 4
words P0; : : : ; P3 of 32 bits each using the little-endian convention.
P0 = p3.224 + p2.216 + p1.28 + p0.20 P1 = p7.224 + p6.216 + p5.28 + p4.20 P2 = p11.224 + p10.216 + p9.28 + p8.20 P3 = p15.224 + p14.216 + p13.28 + p12.20 Similarly the given key is used to generate 32-bit sub-keys.
The sub-keys are generated in pairs: K2i and K2i + 1 for i = 0 to i = n, where the value of n is defined in a later slide to be 19.
40
Data Encryption Algorithm1. Input Whitening step: The four data words Po …. P3 are xored
with four key words. R0,i = Pi Ki i =0…3
The 16 Rounds use the function F.2. Round # 0:
Function F has inputs of r = 0, R0,0 and R0,1
where r = Round #Function F has two outputs called F0,0 and F0,1
Round # r: for 0 ≤ r ≤ 15For the r-th round, the inputs would be r, Rr,0 and Rr,1
Function F has 3 steps for Rr,0 and 4 steps for Rr,1.
Function F has two outputs called Fr,0 and Fr,1
Fr,0, Fr,1 = F(Rr,0, Rr,1, r)
41
Outputs of round r: Rr+1,0 = ROR(Fr,0 Rr,2 , 1)
where ROR(*,1) means a rotation to the right by one bit. Rr+1,1 = ROL(Rr,3 , 1) Fr,1
Rr+1,2 = Rr,0
Rr+1,3 = Rr,1
These will be the inputs for the next ( i.e. the (r+1)st) round.
Note: The next slide shows the Data Encryption Algorithm process. Reference: Figure 1, page 6 from Bruce Schneier, John Kelsey, Doug Whiting, David
Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998, http://www.schneier.com/twofish.html
42
43
Data Encryption Algorithm ….2
3. Undo the last swap of the 15th round.
4. Output Whitening:Ci = = R16.(i+2)mod4 Ki+4 i =0…3
5. The four words of ciphertext are then written as 16 bytes c0; : : : ; c15 using the same little-endian conversion used for the plaintext.
ci =
44
Twofish Decryption
Decryption process:1. Apply subkeys in the reverse
order.2. Since we are moving from C
(ciphertext) towards P (Plaintext), some of the processes have to be re-adjusted a little, as shown in the Figure on the next slide.
45
Differences between the Twofish Encryption and Decryption processes
46
(a) Encryption (b) Decryption
FUNCTION FThe function F is a key-dependent permutation on 64-bit values.INPUTS: two 32-bit input words R0 and R1, and the round number r.
Note: r is used to select the appropriate subkeys. R0 is passed through the g function, which yields T0. R1 is rotated left by 8 bits and then passed through the g
function to yield T1. T0 = g(R0) T1 = g(ROL(R1; 8))
The results T0 and T1 are then combined in a PHT and two words of the expanded key are added.
F0 = (T0 + T1 + K2r+8) mod 232
F1 = (T0 + 2T1 + K2r+9) mod 232
where (F0; F1) is the result of F.
47
FUNCTION g1. The INPUT word X is split into four bytes x0, x1, x2 and x3.
2. Each byte is run through its own key-dependent S-box to produce 8 bits of output.
yi = Si[xi] for i = 0…..3
3. The four results are interpreted as a vector of length 4 over GF(28), and multiplied by the 4x4 MDS matrix (using the field GF(28) for the computations).
y] = (y0, y1, y2, y3)
z] = (z0, z1, z2, z3)
z] = [MDS] y]
The resulting vector z] is interpreted as a 32-bit word which is the OUTPUT of g.
Z = z0.28.0 + z1.28.1 + z2.28.2 + z3.28.3
48
Notes about FUNCTION g ….2NOTES: We represent GF(28) as GF(2)[x]/v(x)
where v(x) = x8+x6+x5+x3+1 is a primitive polynomial of degree 8 over GF(2).
Addition in GF(28) corresponds to a xor of the bytes. The MDS matrix is given by:
where the elements have been written as hexadecimal byte
values using the above defined correspondence.
49
Two Fish
KEY SCHEDULE:
Using the given key to define three vectors
The key schedule has to generate 40 words of expanded key K0; : : : ;K39
(4 words each for initial and the last whitening plus 2 words each for each of the 16 rounds. )
the 4 key-dependent S-boxes used in the g function. Designed for keys of length N = 128, N = 192, and N = 256. Keys of any length shorter than 256 bits can be used by
padding them with zeroes until the next larger designed key length.
Let k = N/64. Thus k may have a value of 2, 3 or 4. Each vector will have k elements. Each element is of 32-bits.
50
Two Fish
KEY SCHEDULE
Using the given key to define three vectors …….2 The given key M consists of 8k bytes ( ie 16, 24 or 32)
m0; : : : ;m8k-1. The bytes are first converted into 2k (ie 4, 6 or 8) words of 32
bits each, called M0, M1, M2, M3 … and then into two word vectors of length k.
Me = (M0, M2, ……;M2k-2)Mo = (M1, M3 ….M2k-1)
A third word-vector S of length k is also derived from the key. For i = (k-1) …0, each 32-bit word Si is computed as follows:
Take the key bytes in groups of 8, interpreting them as a 8x1 vector mi] over GF(28).
Generate a 4x1 vector si] as follows:
si] = [RS]. mi]
where RS is a 4x8 matrix derived from the Reed–Solomon code. Consider the 4 byte-elements of si] into a 32-bit word Si
51
Two Fish
KEY SCHEDULE
Using the given key to define three vectors …..3
si] = [RS]. mi]where
si] is a 4x1 vector. si] = (si,0, si,1, si,2, si,3)
Note: si,3 is the MSB.
[RS] is a 4x8 matrix mi] is a 8x1 vector with key bytes. mi]= (m8i, m8i+1,
……..m8i+7 ) with i varying from 0 to (k-1).
si] will yield 4 bytes, which can be combined into a 32-bit word Si
Example: A key of 128 bits has 16 bytes and two words S0 and S1 will be created by this process.
52
Two Fish
KEY SCHEDULE
Using the given key to define three vectors …..4
The 32-bit words Si can be put together in a word-vector S as follows:
S = (Sk-1; Sk-2; : : : ; S0) Note that S lists the words in “reverse" order. For the RS matrix multiply, GF(28) is represented by GF(2)
[x]/w(x), wherew(x) = x8+x6+x3+x2+1
is another primitive polynomial of degree 8 over GF(2).
The three vectors Me, Mo and S are used for generating sub-keys. 53
Key Expansion
K2i and K2i+1 Me and Mo:
word-vectors, as defined in slide 50. derived directly from the given key For a 128-bit key, for example, M3, M2, M1 and M0 are
32-bit parts, where M3 is the MS 32 bits and M0 is the LS 32 bits
Using h Function: ρ = 224 + 216 + 28 + 20
Ai = h(2i ρ; Me) Bi = ROL(h((2i + 1).ρ;Mo); 8)The constant ρ: used here to duplicate bytes; it has the
property that for i = 0; : : : ; 255, the word i ρ consists of four equal bytes, each with the value i.
54
Key Expansion
K2i and K2i+1 …….2
The values Ai and Bi are combined in a PHT. (The second value is rotated by 9 bits.)
K2i = (Ai + Bi) mod 232
K2i+1 = ROL((Ai + 2Bi) mod 232; 9)
K2i and K2i+1 form two words of the expanded key. By choosing i =0 to i = 19, all the 40 values of 32-bit sub-keys can be generated.
Note: The function h uses two byte-substitution boxes, called q0 and q1, as shown on the next slide for an example of a 128-bit key.
55
Key Expansion Process for a 128-bit key Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 6, http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009 …………3
56
FUNCTION h: for a key of length 64.k INPUT: A 32-bit word X and a word-vector L] =
(…….L1, L0) of length k OUTPUT: A 32-bit word ZPROCESS of h:
k stages of the Function h: Each stage: The four bytes of X are each passed through a
fixed Byte-Substitution-box, and xored with a byte derived from L].
After the k-stages: Finally, the bytes are once again passed through a fixed Byte-
Substitution-box and the four bytes are multiplied by the MDS matrix just as in
g. The output of this product is a 4-element byte-vector z].
OUTPUT:
57
FUNCTION h: for a key of length 64.k …2
X is divided into 4 bytes yk,0, yk,1, yk,2, yk,3. Similarly Li is divided into 4 bytes li,0, li,1, li,2,
li,3. If k = 4 we have
y3;0 = q1[y4;0] l3;0
y3;1 = q0[y4;1] l3;1
y3;2 = q0[y4;2] l3;2
y3;3 = q1[y4;3] l3;3
If k ≥ 3 we havey2;0 = q1[y3;0] l2;0
y2;1 = q1[y3;1] l2;1
y2;2 = q0[y3;2] l2;2
y2;3 = q0[y3;3] l2;3
58
FUNCTION h: for a key of length 64.k ….3
In all cases we have y0 = q1[q0[q0[y2;0] l1;0] l0;0] y1 = q0[q0[q1[y2;1] l1;1] l0;1] y2 = q1[q1[q0[y2;2] l1;2] l0;2] y3 = q0[q1[q1[y2;3] l1;3] l0;3]
Here q0 and q1 are fixed permutations on 8-bit values that we will define shortly.
The resulting 4x1 vector of yi's is multiplied by the MDS matrix, just as in the g function to yield a new 4x1 vector z].
y] = (y0, y1, y2, y3) z] = (z0, z1, z2, z3)
y3 is the MSB in the above vector.
z] = [MDS] y] OUTPUT: 32-bit word Z –formed from z], as shown in slide 56.
59
FUNCTION h process: for a key of length 64.k ….4
Reference:Figure 2, page 9 from Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,” Two fish: A 128-Bit Block Cipher”, 15 June 1998, http://www.schneier.com/twofish.html
60Xa
FUNCTION h process:
for a key of length 64.k ….5
61
Xa
FUNCTION h: for a key of length 64.k ….6
Notes: The multiplication is performed (byte by byte) in the Galois field GF (28). The primitive polynomial is x8 + x6 + x5 + x3 + 1.
where the MDS matrix is given by:
OUTPUT: A 32-bit word Z formed by concatening 4 bytes of the vector z].
62
The Permutations q0 and q1 The permutations q0 and q1 are fixed permutations on 8-bit values.
They are constructed from four different 4-bit permutations each. INPUT value x, we define the corresponding OUTPUT value y as
follows: Split the INPUT byte x into two nibbles:
a1 = a0 b0
b1 = a0 ROR4(b0; 1) 8 a0 mod 16 Each nibble is passed through its own 4-bit fixed S-box: a2; b2 = t0[a1]; t1[b1] a3 = a2 b2
b3 = a2 ROR4(b2; 1) 8 a2mod 16 Again using the 4-bit fixed S-boxes:
a4; b4 = t2[a3]; t3[b3]
OUTPUT: Combine the two nibbles a4 and b4 into a byte: y = 16 b4 + a4
63
Permutation q: Use appropriate t0, t1, t2 and t3 for q0 and q1. Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 4, http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009
64
The Permutations q0 and q1 ……..2
ROR4 rotates 4-bit values.
For the permutation q0 the 4-bit S-boxes are given byt0 = [ 8 1 7 D 6 F 3 2 0 B 5 9 E C A 4 ]t1 = [ E C B 8 1 2 3 5 F 4 A 6 7 0 9 D ]t2 = [ B A 5 E 6 D 9 0 C 8 F 3 2 4 7 1 ]t3 = [ D 7 F 4 1 2 6 E 9 B 3 0 8 5 C A ]where each 4-bit S-box is represented by a list of the
entries using hexadecimal notation. (The entries for the inputs 0; 1; : : : ; 15 are listed in order.)
Similarly, for q1 the 4-bit S-boxes are given byt0 = [ 2 8 B D F 7 6 E 3 1 9 4 0 A C 5 ]t1 = [ 1 E 2 B 4 C 3 7 6 D A 5 F 9 0 8 ]t2 = [ 4 C 7 5 1 6 9 A 0 E D 8 2 B 3 F ]t3 = [ B 9 5 1 C 3 D E 6 4 7 F 2 0 8 A ] 65
Key dependent S-boxes Y = S[X] where both X and Y are 32 bit
words.
Function h is used for generating Y from X.Function h: INPUT: A 32-bit word X and a word-vector L] = (…….L1,
L0) of length k OUTPUT: A 32-bit word Z
L] = S] Note: S] is obtained in slide 52.
Y = S[X] = h(X, S])That is, for i = 0; : : : ; 3, the key-dependent S-
boxSi is formed by the mapping from xi to yi in the h
function.66
Key dependent S-boxesfor a 128-bit key ( i.e. k = 2) Split X into four bytes a, b, c, d. X1 =( q0[a], q1[b], q0[c], q1[d]) X2= X1 s0 s0 and s1 are from
slide 51
Split X2 into four bytes a2, b2, c2, d2.
X3 =( q0[a2], q0[b2], q1[c2], q1[d2])
X4= X3 s1 67
Key dependent S-boxesfor a 128-bit key ( i.e. k = 2) ………2
Split X4 into four bytes a4, b4, c4, d4.
(a5, b5, c5, d5) =( q1[a4], q0[b4], q1[c4], q0[d4])
The four S-boxes are given as follows:
a5 = q1[a4] = S0[a]
b5 = q0[b4]= S1[b]
c5 = q1[c4] = S2[c]
d5 = q0[d4]= S3[d]
From slide 51s0 = (s00, s01, s02, s03)
s1 = (s10, s11, s12, s13)
68
Key dependent S-boxes for a 128-bit key ………3
69
Key dependent S-boxes for a 128-bit key Reference: Pawel Chodowiec, Kris Gaj,” Implementation of the Twofish Cipher Using FPGA Devices”, page 4, http://bass.gmu.edu/crypto/Twofish_hardware.PDF, as of Nov 1, 2009 …4
70
Serpent“ Finally, we considered making available
cognate algorithms with the same structure as Serpent but with block sizes of (say) 64, 256 and 512 bits. In the end we decided not include these in our submission for a number of reasons, of which by far the most important was that we …..did not have the resources to test variants with other block lengths with the thoroughness that would have been appropriate.”
---Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson,
” Two fish: A 128-Bit Block Cipher”, 15 June 1998, http://www.schneier.com/twofish.html , as of Nov 1, 2009
71
Serpent Encryption AlgorithmIntroduction
one of the five finalists of the AES contest a 128-bit symmetric key block cipher supports key sizes of 128-bits, 192-bits and
256-bits 32 round substitution-permutation network For internal computation, all values are
represented in little-endian, where the first word (word 0) is the LS-word, and the last word is the MS-word, and where bit 0 is the LS-bit of word 0.
16-round Serpent is as secure as triple-DES, and twice as fast as DES; 32-round Serpent is even more secure than triple-DES, and is as fast as DES. (Reference: http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf page 4 as of 1st Nov 2009)
72
SerpentThe Algorithm an initial permutation 32 rounds: In each round,
works on four 32-bit words Key-mixing operation applies one of its eight 4-bit to 4-bit S-boxes, 32
times, in parallel A linear transformation (except for the last round,
where the transformation is substituted with an additional mixing operation)
a final permutation FP (which is the inverse of IP).
Note: Each of the eight substitution boxes is used in 4 rounds.
73
SerpentThe Key
The given key length: 128, 192 or 256 bits;
short keys with less than 256 bits are mapped to full-length keys of 256 bits by appending one “1" bit to the MSB end, followed by as many “0" bits as required to make up 256 bits.
Generates 33 128-bit subkeys K0; : : : ; K32.
74
SerpentThe Notation The initial permutation IP: Bo = IP(P), where P
is the plaintext The rounds 0 to 31:
First (0th) Round: B1 = R0(B0), i-th round: Bi+1 = Ri(Bi) for i = 0 to 30 last (31st) round (in which the linear transformation is
replaced by an additional key mixing): B32 = R31(B31)
The Final permutation FP: C = FP(B32), where C is the ciphertext.
Ri (X) = L(Si mod8(X Ki) for i = 0 to 30, where L is a linear transformation
R31 (X) = Si mod8(X Ki) K32 for i = 31 75
S-BoxesReference: http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf page 21 as of 1st Nov 2009
Starting with the 32-rows of DES S-boxes, the S-boxes for Serpent were created so that the resulting array has the desired -differential and linear- properties:
S0: 3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12 S1: 15 12 2 7 9 0 5 10 1 11 14 8 6 13 3 4 S2: 8 6 7 9 3 12 10 15 13 1 14 4 0 11 5 2 S3: 0 15 11 8 12 9 6 3 13 1 2 4 10 7 5 14 S4: 1 15 8 3 12 0 11 6 2 5 4 10 9 14 7 13 S5: 15 5 2 11 4 10 9 12 0 3 14 8 13 6 7 1 S6: 7 2 12 5 8 4 6 11 14 9 1 15 13 3 10 0 S7: 1 13 15 0 14 8 2 11 7 4 12 10 9 3 5 6
76
Inverse S-BoxesReference: http://www.cl.cam.ac.uk/~rja14/Papers/serpent.pdf page 21 as of 1st Nov 2009
InvS0: 13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2 InvS1: 5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0 InvS2: 12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7 InvS3: 0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1 InvS4: 5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1 InvS5: 8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0 InvS6: 15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11 InvS7: 3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2
77
Linear Transformation (LT)For i = 0 to 30: The four 32-bit output words from
the substitution box in a round are linearly mixed using LT:
INPUT for LT: X0;X1;X2;X3 := Si(Bi Ki) LT:
X0 := ROL(X0; 13); X2 := ROL(X2; 3)
X1 := X1 X0 X2; X3 := X3 X2 ShL(X0; 3) X1 := ROL(X1 ;1); X3 := ROL(X3; 7)
X0 := X0 X1 X3; X2 := X2 X3 ShL (X1; 7) X0 := ROL(X0; 5); X2 := ROL(X2 ; 22)
OUTPUT from LT: Bi+1 := X0; X1; X2; X3
For i = 31: B32 := S7(B31 K31) K32 78
Key Schedule Requirement: 132 2-bit words of subkeys. Padding: If the given key is less than 256 bits, append one
“1" bit to the MSB end, followed by as many “0" bits as required to make up 256 bits
Write this 256-bit key as eight 32-bit words as w−8, . . . , w−1
Expand the eight 32-bit words into 132 intermediate keys (called pre-keys) by the following affine recurrence for i = 0 to 131:
wi := ROL((wi−8 wi−5 wi−3 wi−1 ɸ i);11)
where ɸ = golden ratio = or 0x9e3779b9.
The underlying polynomial x8 + x7 + x5 + x3 + 1 is primitive.79
Key Schedule …..2
Use S-boxes to get 33 round keys as follows:
Renumber to get 128-bit subkeys Ki for i from 0 to 32:
80
Decryption
For Decryption: The inverse of the S-boxes must be
used in the reverse order. The inverse linear transformation
must be used. The subkeys must be used in the
reverse order.
81