Chap. 6: Contemporary
Symmetric Ciphers
Jen-Chang Liu, 2004
Adapted from
Lecture slides by Lawrie Brown
"I am fairly familiar with all the forms of
secret writings, and am myself the author
of a trifling monograph upon the subject,
in which I analyze one hundred and sixty
separate ciphers," said Holmes.
—The Adventure of the Dancing Men,
Sir Arthur Conan Doyle
Outline





Characteristics of advanced symmetric block
cipher
Triple DES
Blowfish
RC5
RC4 stream cipher
Feistel cipher
+
• Key
• Key length
• subkey generation
• block
• block length
• two halves of block
• no. of round
• encryption algorithm
• S-box
• XOR
+
+
Key features not found in DES
• Key
• Key length
• subkey generation
• block
• block length
• two halves of block
• no. of round
• encryption algorithm
• S-box
• XOR
Variable length key : Blowfish, RC5
Complex subkey generation process:
Blowfish
Variable plain/ciphertext block length:
RC5
Operate on both halves each round:
Blowfish, RC5
Variable no. of round: RC5
Key-dependent S-box: Blowfish
Data/key-dependent rotation: RC5
Mixed operation: more than one
arithmetic and Boolean operations
Outline





Characteristics of advanced symmetric block
cipher
Triple DES
Blowfish
RC5
RC4 stream cipher
Triple DES

clear a replacement for DES was needed




theoretical attacks that can break it
demonstrated exhaustive key search attacks
AES is a new cipher alternative
prior to this alternative was to use multiple
encryption with DES implementations
Double-DES ?

why not Double-DES?
56x2=112 bits key
Q1: Is that possible EK 2 [ EK1 [ P]]  EK 3 [ P]
for some K3 ?
Space of mapping
1. The whole space of mapping
64-bit plaintext
mapping
64-bit ciphertext
2. Space of mapping defined by DES
56-key => 256 mapping
264! > 10347380000000000000000
256 < 1017
264!
256
Double-DES is likely to produce
a new mapping !
Q2: meet-in-the-middle attack


DES: O(256) to attack
2DES: O(2112) to attack?
1. Given a (P,C)
2. Encrypt P with 256 keys
K1
3. Decrypt C with 256 keys
X
000…00000 0101…0101
000…00001 1101…0111
000…00010
…
000…00011
0001…0110
…
…
111…11111
X
000…00000
000…00001
0001…0110 000…00010
000…00011
…
111…11111
…
Match!
K2
Triple-DES

3 DES encryption with 3 keys (56x3=168 bits)

Avoid meet-in-the-middle attack with O(256)
complexity
3
E


E-D-E application of DES: PGP, S/MIME
Backward compatible with DES: K3=K2 or K1=K2
3
Standardized 3DES

3DES standardized in ANSI X9.17 & ISO8732

2 56-bit keys
Compatible with DES
Attack on 3DES

Idea: if A and C are known, then it becomes
an attack on double DES
0100…101
1001…011
…
0110…100
1001…001
K1,1
a
K2
K1,2
1. Given n known (P,C) pairs
2. Select an arbitrary a for A
0110…000
1110…011
K1,1
K1,2
1100…111
1011…001
…
0100…101
1101…010
3. Search 256 keys for K1
4. Search 256 keys for K2
Complexity of attack on 3DES

Brute-force key search: 2112
Known plaintext-ciphertext attack on
previous slide: 2120 / n

No practical attack is known for now

Outline





Characteristics of advanced symmetric block
cipher
Triple DES
Blowfish
RC5
RC4 stream cipher
Blowfish


a symmetric block cipher designed by Bruce
Schneier in 1993/94
Characteristics





64-bit block cipher
Variable length key (32 bits to 448 bits)
Complex subkey generation
Key-dependent S-boxes
Simple operations – fast implementation


Modulo 232 addition
Bitwise XOR
Blowfish
+
+
+
+
+
+
+
+
+
18 subkeys Pi
+
+
+
Blowfish single round
256-entry S-box, 32-bit output/entry
+
+
Modulo 232 addition
+
Subkey and S-box generation

uses a 32 to 448 bit key

1 word = 32 bits, 1 to 14 words
K1, K2, K3, K4, …, Kj

1<= j <= 14
to generate

18 32-bit subkeys stored in P-array
P1, P2, P3, P4, …, P18

four 256 entry S-boxes, 1 word in each entry
S1,0, S1,1, S1,2, S1,3, …, S1,255
S2,0, S2,1, S2,2, S2,3, …, S2,255
Totally 1024 words
S3,0, S3,1, S3,2, S3,3, …, S3,255
S4,0, S4,1, S4,2, S4,3, …, S4,255
Subkey and S-box generation
1. initialize P-array and then 4 S-boxes using p
用p的小數點依序填入 P 和 S 陣列
P1 = 243F6A88 P2 = 85A308D3 …
S4,255 = 3AC372E6
2. XOR P-array with K-array (reuse as needed)
P1, P2, P3, P4, … P14, P15, P16, P17, P18
+
+
+
+
+
+
+
+
+
K1, K2, K3, K4, …, K14 ,K1, K2, K3, K4
(Suppose input key is 14 words)
Subkey and S-box generation
3. loop repeatedly encrypting data using
current P & S and replace successive pairs of
P then S values
P1, P2 = EP,S [0]
用現在P,S值當參數的 Blowfish, 加密 0
更新 P1, P2
P3, P4 = EP,S [P1 || P2]
…
S1,0, S1,1 = EP,S [P17 || P18]
…
S4,254, S4,255 = EP,S [S4,252 || S4,253]
Totally 521 executions of Blowfish encryption
=> not suitable for frequent key changes
Blowfish Encryption
+ and  do not commute
+
+
+
+
+
+
+
+
+
Discussion



key dependent S-boxes and subkeys,
generated using cipher itself, makes analysis
very difficult
changing both halves in each round
increases security (c.f. Feistel cipher)
brute-force key search is not practical
(maximally 448 bits)
Discussion (cont.)

fast
Outline





Characteristics of advanced symmetric block
cipher
Triple DES
Blowfish
RC5
RC4 stream cipher
RC5

designed by Ronald Rivest (of RSA fame)





used in RSA Data Security, Inc.’s products
can vary key size / data size / no rounds
very clean and simple design
easy implementation on various CPUs
yet still regarded as secure
RC5 Ciphers

RC5 is a family of ciphers RC5-w/r/b




w = word size in bits (16/32/64), block data=2w
r = number of rounds (0..255)
b = number of bytes in key (0..255)
nominal version is RC5-32/12/16



i.e. 32-bit words so encrypts 64-bit data blocks
using 12 rounds
with 16 bytes (128-bit) secret key
subkey
w
+
Simple operations:
w
+
1. Addition: modulo 2w
2. Bitwise XOR
3. Circular shift (rotation):
x <<< y, x is left rotate y bits
(nonlinear and data dependent !!!)
A Substitution-permutation round:
+
+
1. Substitution depends on both
words
2. Permutation depends on both
words
3. Substitution depends on key
RC5 Key Expansion

RC5 uses t=2r+2 subkey words (w-bits)
(決定subkeys
大小和個數)
RC5 subkey initialization
e = 2.718281828459…
 Pw=Odd[(e-2)2w] = B7E1 (16 bits)
B7E15163 (32 bits)
f = 1.618033988749…
 Qw=Odd[(f -1)2w] = 9E37 (16 bits)
9E3779B9 (32 bits)
/* initialize subkey array */
S[0] = Pw
for i=1 to t-1 do
S[i] = S[i-1] + Qw
RC5 Decryption
+
+
+
+
+
+
+
+
RC5 Modes

RFC2040 defines 4 modes used by RC5




RC5 Block Cipher, is ECB mode
RC5-CBC, is CBC (cipher block chaining) mode
RC5-CBC-PAD, is CBC with padding by bytes with
value being the number of padding bytes
RC5-CTS, a variant of CBC which is the same size
as the original message, uses ciphertext stealing
to keep size same as original
Plaintext message may not be a multiple of the block size
RC5 ciphertext stealing mode
Ciphertext chaining
Not transmitted
Summary: Block Cipher
Characteristics

features seen in modern block ciphers are:






variable key length / block size / no rounds
mixed operators, data/key dependent rotation
key dependent S-boxes
more complex key scheduling
operation of full data in each round
varying non-linear functions
Outline





Characteristics of advanced symmetric block
cipher
Triple DES
Blowfish
RC5
RC4 stream cipher
Stream cipher diagram
+
Recall: One-time pad in Chap. 2
+
Stream Cipher Properties

some design considerations are:

A pseudorandom number generator produces a
deterministic stream that eventually repeats


Keystream should approximate a true random
stream


The period should be long
Ex. Approximately equal number of 1s and 0s
The key needs to be sufficiently long

Ex. 128 bits or longer key to avoid brute-force attack
Advantage of stream cipher

Fasters than block ciphers
Disadvantage of stream cipher

never reuse stream key
Ciphertext 1 = plaintext 1  keystream
Ciphertext 2 = plaintext 2  keystream
Ciphertext 1  Ciphertext 2
= (plaintext 1  keystream)  (plaintext 2  keystream)
= plaintext 1  plaintext 2
If plaintexts are text string, credit card no., or other
streams with known properties, then cryptanalysis
may be successful
RC4



Designed by Ron Rivest in 1987, owned by RSA DSI
variable key size, byte-oriented stream cipher
widely used (web SSL/TLS, wireless WEP)




SSL: secure sockets layer
TLS: transport layer security
WEP: wired equivalent privacy
Main steps:


key forms random permutation of all 8-bit values (state
vector S[0],S[1],…,S[255])
uses that permutation to scramble input info processed a
byte at a time
RC4 Key Schedule



starts with an array S of numbers: 0…255
S forms internal state of the cipher
given a key K of length keylen bytes (1 to 256
bytes)
253 254
RC4 key scheduling and stream
generation
j=0, for i=0 to 255
i=0, j=0
While(1){ i=i+1 mod 256, …}
Plaintext  k = ciphertext
RC4 Encryption



encryption continues shuffling array values
sum of shuffled pair selects "stream key" value
XOR with next byte of message to en/decrypt
i = j = 0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Security


The period of RC4 > 10100
claimed secure against known attacks




have some analyses, none practical
result is very non-linear
since RC4 is a stream cipher, must never
reuse a key
have a concern with WEP, but due to key
handling rather than RC4 itself