Symmetric-Key Encryption

Wen-Guey Tzeng
Department of Computer Science
National Chiao Tung University

Definition
Provide secure communication between two communication partners who share a secret key.
- $K$, $M$, $C$: spaces of keys, plaintexts, ciphertexts.
- Encryption function: $E: K \times M \to C$;
- Decryption function: $D: K \times C \to M$;
- For each $k \in K$ and $m \in M$, $D_k(E_k(m)) = m$;
- $E_k^{-1} = D_k$;
- $E_k$ and $D_k$ are poly-time computable.
- Security problem (informal): given $E$, $D$ and $c = E(k, m)$, compute $m = D(k, c)$;

Two types
- Stream cipher: bit by bit, character by character.
- Block cipher: block by block. If the message length is longer than the block size, the message is partitioned to blocks and modes of operations are used.

Stream cipher
1. $E: K \times M \to C$, where $M$ is the set of characters.
2. $E(k, m) = c_1 c_2 \cdots$, where $m = m_1 m_2 \cdots$, $k = k_1 k_2 \cdots$, and $c_i = E_{k_i}(m_i)$.
Vernam's one-time pad (bit by bit)
- $E(k, m) = c_1 c_2 \cdots$, where $c_i = m_i \oplus k_i$.
Remarks
- Each $k_i$ is chosen uniformly and independently from $\{0, 1\}$.
- $|k| = |m|$, $k$ cannot be re-used.
- Not practical in most cases.
- Computational version: $k = \mathrm{PRG}(s)$, where $s$ is the shared secret key (short seed).

Security
Without knowing $k_i$, the probability of obtaining $m_i$ from $c_i$ is at most $\max\{p_b\}$, where $p_b = \Pr[M_i = b]$, $b = 0, 1$.
- For any algorithm, $\Pr[A(C_i) = M_i] \le \max\{p_i\}$.
- Let $\Pr[A(0) = 0] = r$ and $\Pr[A(1) = 0] = s$,
$$
\begin{aligned}
\Pr[A(C_i) = M_i] &= \Pr[A(0) = 0, M_i = 0, C_i = 0] + \Pr[A(0) = 1, M_i = 1, C_i = 0] \\
&\quad + \Pr[A(1) = 0, M_i = 0, C_i = 1] + \Pr[A(1) = 1, M_i = 1, C_i = 1] \\
&= r p_0/2 + (1 - r) p_1/2 + s p_0/2 + (1 - s) p_1/2 \\
&= (r + s)(p_0 - p_1)/2 + p_1
\end{aligned}
$$
- For $0 \le r + s \le 2$, $\Pr[A(C_i) = M_i] \le \max\{p_0, p_1\}$.

Block ciphers
1. Like stream cipher except $M = C = \{0,1\}^n$.
2. For a fixed $k$, $E_k$ is a permutation from $\{0,1\}^n \to \{0,1\}^n$.
Best block cipher
- $k$: a permutation randomly chosen among all permutations from $\{0,1\}^n \to \{0,1\}^n$.
- The key space $K$ is of size $(2^n)! \simeq 2^{(n - 1.44) 2^n}$. It takes $(n - 1.44) 2^n$ bits to denote a key.
Practical block cipher
- Typically, $k$ is about 64-, 128-, or 256-bit long.
- The set of permutations denoted by $K$ looks like the set of all permutations.

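DES
1. Data Encryption Standard: USA standard, 1977.
2. DES: $\{0,1\}^{56} \times \{0,1\}^{64} \to \{0,1\}^{64}$.
3. $k$ is mapped to $k_1, k_2, \ldots, k_{16}$, where $k_i \in \{0,1\}^{48}$.
4. $f_i: \{0,1\}^{32} \to \{0,1\}^{32}$: $P(S(E(x) \oplus k_i))$, $1 \le i \le 16$.
5. $\phi_i: \{0,1\}^{32} \times \{0,1\}^{32} \to \{0,1\}^{32} \times \{0,1\}^{32}$: $(x, y) \to (x \oplus f_i(y), y)$.
   - Note: $\phi_i \circ \phi_i(x, y) = (x, y)$, that is, $\phi_i^{-1} = \phi_i$.
6. $\mu: \{0,1\}^{32} \times \{0,1\}^{32} \to \{0,1\}^{32} \times \{0,1\}^{32}$: $(x, y) \to (y, x)$;
7. $E_k(x) = IP^{-1} \circ \phi_{16} \circ \mu \circ \phi_{15} \circ \cdots \circ \mu \circ \phi_1 \circ IP(x)$.
8. $D_k(y) = IP^{-1} \circ \phi_1 \circ \mu \circ \phi_2 \circ \cdots \circ \mu \circ \phi_{16} \circ IP(y)$.
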
Security discussion
- The key space of size $2^{56}$ is too small today.
- Exhaustive search of all keys is implementable in hardware.
- There are some weak keys.
- Some attacks have been found: linear attack, differential attack.
Response
- The new US standard AES (Advanced Encryption Standard) was proposed in 2000.
- AES is the Rijndael cipher, proposed by two Belgian scientists.
- $M$ and $C$ are 128-bit long.
- The key length is 128-, 192-, or 256-bit long.

AES
- Byte-oriented
- Operation on blocks (32 bits, or 4 bytes)
- $N_b$: the block length
- $N_k$: the key length
- $N_r$: the number of rounds depends on $N_b$ and $N_k$. For example, $N_b = N_k = 4$ (128 bits each), there are 10 rounds.
- State: intermediate results, arranged as 4 bytes (state word) by $N_b/4$.

Algorithm (byteString, plaintextBlock, key)
InitState(plaintextBlock, state);
AddKey(state, key_0);
for i = 1 to N_r - 1
    SubBytes(state);
    ShiftRows(state);
    MixColumns(state);
    AddKey(state, key_i)
SubBytes(state)
ShiftRows(state)
AddKey(state, key_{N_r})
return (state)

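SubBytes
- The only non-linear transformation step
- Substitute each byte of state byte by byte with the function $S_{RD}$ (the S-box)
- $S_{RD}(x) = g \circ f(x) = g(f(x))$.
- $f: F_{2^8} \to F_{2^8}: x \mapsto \begin{cases} x^{-1} & \text{if } x \ne 0 \\ 0 & \text{if } x = 0 \end{cases}$
- $x^{-1}$ is done on "mod $X^8 + X^4 + X^3 + X + 1$"
- $g: F_{2^8} \to F_{2^8}: x \mapsto Ax + b$, where $A$ is a 8x8 boolean matrix
- $(S_{RD})^{-1} = f^{-1} \circ g^{-1} = f \circ g^{-1}$
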
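ShiftRows
Example, $N_b = 4$ (words)
$$
\begin{pmatrix} a & b & c & d \\ e & f & g & h \\ i & j & k & l \\ m & n & o & p \end{pmatrix}
\mapsto
\begin{pmatrix} a & b & c & d \\ f & g & h & e \\ k & l & i & j \\ p & m & n & o \end{pmatrix}
$$
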
MixColumns
- Operate on each column of state
- Let a column be $(a_0, a_1, a_2, a_3)$
- $a(X) = a_3 X^3 + a_2 X^2 + a_1 X + a_0$ (coefficients are over $F_{2^8}$)
- A fixed polynomial: $c(X) = 03 X^3 + 01 X^2 + 01 X + 02$
- $a(X) \mapsto a(X) c(X) \bmod (X^4 + 1)$

AddKey
(state, round key) $\mapsto$ state $\oplus$ round key

Key schedule
The secret key $k$ is mapped to $k_0, k_1, \ldots, k_{N_r}$.

Modes of operations
Let a message be $m = m_1 m_2 \cdots m_l$. The last block $m_l$ is padded.
1. ECB (electronic codebook) mode:
   - $\mathrm{ecbE}(k, m) = E(k, m_1) E(k, m_2) \cdots E(k, m_l)$.
   - $\mathrm{ecbD}(k, c) = D(k, c_1) D(k, c_2) \cdots D(k, c_l)$.
2. CBC (cipher block chaining) mode:
   - $\mathrm{cbcE}(k, m) = c_0 c_1 c_2 \cdots c_l$, where $c_i = E(k, m_i \oplus c_{i-1})$, $c_0$ is random.
   - $\mathrm{cbcD}(k, c_0 c_1 \cdots c_l) = m_1 m_2 \cdots m_l$, where $m_i = D(k, c_i) \oplus c_{i-1}$
3. CFB (cipher feedback) mode:
   - $\mathrm{cfbE}(k, m, x_1) = c_1 c_2 \cdots c_l$, where $c_i = m_i \oplus \mathrm{msb}_r(E(k, x_i))$, $x_{i+1} = \mathrm{lsb}_{n-r}(x_i) \| c_i$.
4. OFB (output feedback) mode:
   - $\mathrm{ofbE}(k, m, x_1) = c_1 c_2 \cdots c_l$, where $c_i = m_i \oplus \mathrm{msb}_r(E(k, x_i))$, $x_{i+1} = E(k, x_i)$.
Discussion: transmission error or loss
- Error propagation for bit errors.
- Self-synchronization for loss of an entire block.
- Self-synchronization for bit loss.
What is a good mode? (efficiency and security)
