mirror of
https://github.com/calofmijuck/blog.git
synced 2025-12-06 22:53:51 +00:00
[PUBLISHER] upload files #116
* PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH ATTACHMENT : is-03-feistel-function.png * PUSH ATTACHMENT : is-03-ecb-encryption.png * PUSH ATTACHMENT : is-03-cbc-encryption.png * PUSH ATTACHMENT : is-03-cfb-encryption.png * PUSH ATTACHMENT : is-03-ofb-encryption.png * PUSH ATTACHMENT : is-03-ctr-encryption.png
This commit is contained in:
GitHub
@@ -28,8 +28,8 @@ attachment:
|
|||||||
### Modules
|
### Modules
|
||||||
|
|
||||||
- **S-box**: a substitution module
|
- **S-box**: a substitution module
|
||||||
- Usually for confusion
|
- Usually for confusion, also gives diffusion
|
||||||
- $m \times n$ lookup box is needed, since it should be invertible
|
- $m \times n$ lookup box is used for implementation
|
||||||
- **P-box**: a permutation module
|
- **P-box**: a permutation module
|
||||||
- Usually for diffusion
|
- Usually for diffusion
|
||||||
- Compared to the number of input bits,
|
- Compared to the number of input bits,
|
||||||
@@ -42,28 +42,28 @@ attachment:
|
|||||||
- Standardized in 1979.
|
- Standardized in 1979.
|
||||||
- Block size is $64$ bits ($8$ bytes)
|
- Block size is $64$ bits ($8$ bytes)
|
||||||
- $64$ bits input $\rightarrow$ $64$ bits output
|
- $64$ bits input $\rightarrow$ $64$ bits output
|
||||||
- Key is $56$ bits, but there are $8$ bits representing parity, so total of $64$ bits
|
- Key is $56$ bits, and every $8$th bit is a parity bit.
|
||||||
- Every $8$th bit is a parity bit
|
- Thus $64$ bits in total
|
||||||
|
|
||||||
### Encryption
|
### Encryption
|
||||||
|
|
||||||
1. From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
|
1. From the $56$-bit key, generate $16$ different $48$ bit keys $k_1, \dots, k_{16}$.
|
||||||
2. The plaintext message goes through the P-box.
|
2. The plaintext message goes through an initial permutation.
|
||||||
3. The output goes through $16$ rounds, and in the round $i$, key $k_i$ is used.
|
3. The output goes through $16$ rounds, and key $k_i$ is used in round $i$.
|
||||||
4. After $16$ rounds, split the output into two $32$ bit halves and swap them.
|
4. After $16$ rounds, split the output into two $32$ bit halves and swap them.
|
||||||
5. The output goes through the inverse of the P-box from Step 1.
|
5. The output goes through the inverse of the permutation from Step 1.
|
||||||
|
|
||||||
Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.
|
Let $L_{i-1} \parallel R_{i-1}$ be the output of round $i-1$, where $L_{i-1}$ and $R_{i-1}$ are $32$ bit halves. Also let $f$ be the Feistel function.[^1]
|
||||||
|
|
||||||
In each round $i$,
|
In each round $i$, the following operation is performed:
|
||||||
|
|
||||||
$$
|
$$
|
||||||
L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1})
|
L_i = R_{i - 1}, \qquad R_i = L_{i-1} \oplus f(k_i, R_{i-1}).
|
||||||
$$
|
$$
|
||||||
|
|
||||||
#### The Feistel Function
|
#### The Feistel Function
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
The Feistel function takes $32$ bit data and divides it into eight $4$ bit chunks. Each chunk is expanded to $6$ bits using a P-box. Now, we have 48 bits of data, so apply XOR with the key for this round. Next, each $6$-bit block is compressed back to $4$ bits using a S-box. Finally, there is a (straight) permutation at the end, resulting in $32$ bit data.
|
||||||
|
|
||||||
@@ -108,10 +108,10 @@ Thus $F$ and $G$ are inverses of each other, thus $f$ doesn't have to be inverti
|
|||||||
Also, note that
|
Also, note that
|
||||||
|
|
||||||
$$
|
$$
|
||||||
G(L_i \parallel R_i) = F(L_i \oplus f(R_i) \parallel R_i),
|
G(L_i \parallel R_i) = F(L_i \oplus f(R_i) \parallel R_i).
|
||||||
$$
|
$$
|
||||||
|
|
||||||
so evaluating the decryption round is actually equivalent to running the encryption round with upper/lower $32$ bit halves swapped. Hence the reason for swapping each $32$ bit halves.
|
Notice that evaluating $G$ is equivalent to evaluating $F$ on a encrypted block, with their upper/lower $32$ bit halves swapped. We get $L_i \oplus f(R_i) \parallel R_i$ exactly when we swap each halves of $F(L_i \parallel R_i)$. Thus, we can use the same hardware for encryption and decryption, which is the reason for swapping each $32$ bit halves.
|
||||||
|
|
||||||
## Advanced Encryption Standard (AES)
|
## Advanced Encryption Standard (AES)
|
||||||
|
|
||||||
@@ -130,7 +130,7 @@ Each round consists of the following:
|
|||||||
- **AddRoundKey**: XOR with round key
|
- **AddRoundKey**: XOR with round key
|
||||||
|
|
||||||
The first and last rounds are a little different.
|
The first and last rounds are a little different.
|
||||||
- Before the first round, AddRoundKey is done.
|
- AddRoundKey is done before the first round.
|
||||||
- The last round does not have MixColumns.
|
- The last round does not have MixColumns.
|
||||||
|
|
||||||
The objectives of AES:
|
The objectives of AES:
|
||||||
@@ -138,7 +138,7 @@ The objectives of AES:
|
|||||||
- Code must be compact, and should run fast on many CPUs
|
- Code must be compact, and should run fast on many CPUs
|
||||||
- Design must be simple
|
- Design must be simple
|
||||||
|
|
||||||
### Modules
|
### Layers
|
||||||
|
|
||||||
#### SubBytes
|
#### SubBytes
|
||||||
|
|
||||||
@@ -157,7 +157,7 @@ The objectives of AES:
|
|||||||
- For each column, each byte is replaced by a value
|
- For each column, each byte is replaced by a value
|
||||||
- The value depends on all 4 bytes of the column
|
- The value depends on all 4 bytes of the column
|
||||||
- Each column is processed separately
|
- Each column is processed separately
|
||||||
- Thus effectively, it is a matrix multiplication (Hill cipher)
|
- Thus effectively, it is a matrix multiplication (Hill cipher).[^2]
|
||||||
|
|
||||||
#### AddRoundKey
|
#### AddRoundKey
|
||||||
|
|
||||||
@@ -171,7 +171,7 @@ These 4 modules are all invertible!
|
|||||||
- Why is there a AddRoundKey at the beginning?
|
- Why is there a AddRoundKey at the beginning?
|
||||||
- Why is the last round different?
|
- Why is the last round different?
|
||||||
|
|
||||||
Both are for engineering purposes, to make the encryption and decryption process the same. (Check!)
|
Both are for engineering purposes, to make the encryption and decryption process the same.[^3]
|
||||||
|
|
||||||
## Modes of Operations
|
## Modes of Operations
|
||||||
|
|
||||||
@@ -179,14 +179,14 @@ AES, DES use fixed block size for encryption. How do we encrypt longer messages?
|
|||||||
|
|
||||||
### Electronic Codebook Mode (ECB)
|
### Electronic Codebook Mode (ECB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Codebook is a mapping table.
|
- Codebook is a mapping table.
|
||||||
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
- For the $i$-th plaintext block, we use key $k$ to encrypt and obtain the $i$-th ciphertext block.
|
||||||
- **Uses the same key for all blocks**
|
- **Uses the same key for all blocks**
|
||||||
- Adjacent blocks are independent of each other.
|
- Adjacent blocks are independent of each other.
|
||||||
- Advantages
|
- Advantages
|
||||||
- Good when run in parallel
|
- Fast when run in parallel
|
||||||
- Limitations
|
- Limitations
|
||||||
- Repetitions in messages (if aligned with the block) may lead to repetitions in the ciphertext
|
- Repetitions in messages (if aligned with the block) may lead to repetitions in the ciphertext
|
||||||
- Susceptible to *cut-and-paste attacks*
|
- Susceptible to *cut-and-paste attacks*
|
||||||
@@ -198,7 +198,7 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Cipher Block Chaining Mode (CBC)
|
### Cipher Block Chaining Mode (CBC)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Two identical messages produce to different ciphertexts.
|
- Two identical messages produce to different ciphertexts.
|
||||||
- This prevents chosen plaintext attacks
|
- This prevents chosen plaintext attacks
|
||||||
@@ -234,8 +234,8 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
- If the IV is the same, then the encryption of the same plaintext is the same.
|
- If the IV is the same, then the encryption of the same plaintext is the same.
|
||||||
- Thus IVs should be random.
|
- Thus IVs should be random.
|
||||||
- IV are not required to be secret, but
|
- IV are not required to be secret, but
|
||||||
- No IVs should be reused under the same key
|
- **No IVs should be reused under the same key**
|
||||||
- IV changes should be unpredictable
|
- **IV changes should be unpredictable**
|
||||||
- On IV reuse, same message will generate the same ciphertext if key isn't changed
|
- On IV reuse, same message will generate the same ciphertext if key isn't changed
|
||||||
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
|
- If IV is predictable, CBC is vulnerable to chosen plaintext attacks.
|
||||||
- Define Eve's new message $m' = \mathrm{IV} _ {\mathrm{E}} \oplus \mathrm{IV} _ {\mathrm{A}} \oplus g$, where
|
- Define Eve's new message $m' = \mathrm{IV} _ {\mathrm{E}} \oplus \mathrm{IV} _ {\mathrm{A}} \oplus g$, where
|
||||||
@@ -248,12 +248,12 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Cipher Feedback Mode (CFB)
|
### Cipher Feedback Mode (CFB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- The message is treated as a stream of bits; similar to stream cipher
|
- The message is treated as a stream of bits; similar to stream cipher
|
||||||
- **Result of the encryption is fed to the next stage.**
|
- **Result of the encryption is fed to the next stage.**
|
||||||
- Standard allows any number of bits to be fed to the next stage
|
- Standard allows any number of bits to be fed to the next stage
|
||||||
- It is most efficient to use all $64$ bits (CFB-64)
|
- It is most efficient to use all bits.
|
||||||
- Initialization vector is used.
|
- Initialization vector is used.
|
||||||
- Same requirements on the IV as CBC mode.
|
- Same requirements on the IV as CBC mode.
|
||||||
- Should be randomized, and should not be predictable.
|
- Should be randomized, and should not be predictable.
|
||||||
@@ -277,13 +277,13 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
- CFB mode is self-recovering.
|
- CFB mode is self-recovering.
|
||||||
- 1 bit error in the ciphertext corrupts some number of blocks.
|
- 1 bit error in the ciphertext corrupts some number of blocks.
|
||||||
- Bit errors in the ciphertext will cause bit errors at the same position.
|
- Bit errors in the ciphertext will cause bit errors at the same position.
|
||||||
- Since this ciphertext is fed to the next block, the error is propagated
|
- Since this ciphertext is fed to the next block, the error is propagated.
|
||||||
- Some implementations (like CFB-8) use shift registers, so errors will be propagated as long as the erroneous bit is in the shift register.
|
- Some implementations (like CFB-8) use shift registers, so errors will be propagated as long as the erroneous bit is in the shift register.
|
||||||
- If the error is removed from the shift register, it automatically recovers.
|
- If the error is removed from the shift register, it automatically recovers.
|
||||||
|
|
||||||
### Output Feedback Mode (OFB)
|
### Output Feedback Mode (OFB)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Very similar to stream cipher.
|
- Very similar to stream cipher.
|
||||||
- Initialization vector is used as a seed to generate the key stream.
|
- Initialization vector is used as a seed to generate the key stream.
|
||||||
@@ -316,14 +316,39 @@ Since the same key is used for all blocks, once a mapping from plaintext to ciph
|
|||||||
|
|
||||||
### Counter Mode (CTR)
|
### Counter Mode (CTR)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Without chaining, we use a counter (typically incremented by $1$).
|
- Without chaining, we use a counter (typically incremented by $1$).
|
||||||
- Counter starts from the initialization vector.
|
- Counter starts from the initialization vector.
|
||||||
- Highly parallelizable.
|
- Highly parallelizable.
|
||||||
- Can decrypt from any arbitrary position.
|
- Can decrypt from any arbitrary position.
|
||||||
- Counter should not be repeated for the same key.
|
- Counter should not be repeated for the same key.
|
||||||
|
- Suppose that the same counter $ctr$ is used for encrypting $m_0$ and $m_1$.
|
||||||
|
- Encryption results are: $(ctr, E(k, ctr) \oplus m_0), (ctr, E(k, ctr) \oplus m_1)$.
|
||||||
|
- Then the attacker can obtain $m_0 \oplus m_1$.
|
||||||
|
|
||||||
|
## Modes of Operations Summary
|
||||||
|
|
||||||
|
|Criteria\Modes|ECB|CBC|CFB|OFB|CTR|
|
||||||
|
|:-:|:-:|:-:|:-:|:-:|:-:|
|
||||||
|
|IV|-|Yes|Yes|Yes|Counter|
|
||||||
|
|Encryption Parallelizable|Yes|No|No|Yes\*|Yes|
|
||||||
|
|Decryption Parallelizable|Yes|Yes|Yes|Yes\*|Yes|
|
||||||
|
|Random Read Access|Yes|Yes|Yes|No|Yes|
|
||||||
|
|Self-Recovering|-|Yes|Yes|-|-|
|
||||||
|
|
||||||
|
- OFB is parallelizable only if the keystream is generated in advance.
|
||||||
|
- We don't have to consider self-recovery if the ciphertext is not fed into the encryption of the next block.
|
||||||
|
- Errors in the ciphertext are not be propagated for ECB, OFB and CTR.
|
||||||
|
- **Random read access**
|
||||||
|
- Suppose that a part of the plaintext changes.
|
||||||
|
- In OFB, the *whole* keystream must be recalculated to fix the ciphertext.
|
||||||
|
- But for other modes, only a part of the ciphertext needs to be changed, using the information from the previous block if necesary.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Images are from [Wikipedia](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation).
|
Images are from [Wikipedia](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation).
|
||||||
|
|
||||||
|
[^1]: Some people call this function the *mangler* function.
|
||||||
|
[^2]: Over the finite field $\mathrm{GF}(2^8)$.
|
||||||
|
[^3]: See also a helpful [question](https://crypto.stackexchange.com/questions/1346/why-is-mixcolumns-omitted-from-the-last-round-of-aes) on cryptography SE.
|
||||||
|
|||||||
Reference in New Issue
Block a user