b b block ciphers
play

B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: - PowerPoint PPT Presentation

Jan 24, 2024 •39 likes •709 views

1 B.b) Block Ciphers 2 B.24 Definition An encryption algorithm Enc: {0,1} n K {0,1} n is called a block cipher . The positive integer n denotes the block size ( block length ). 3 B.25 Remark and Convention The encryption

  1. 1 B.b) Block Ciphers

  2. 2 B.24 Definition • An encryption algorithm Enc: {0,1} n × K → {0,1} n is called a block cipher . • The positive integer n denotes the block size ( block length ).

  3. 3 B.25 Remark and Convention • The encryption transformation and the decryption transformations are permutations over {0,1} n . • Usually, block ciphers are symmetric. In this course we only treat symmetric block ciphers. • To prevent elementary attacks (e.g., elementary frequency analysis; cf. the attack on the improved variant of Cesar ’ s cipher) the block size n should not be too small. • Typical block sizes are n = 64 and n = 128. • For many widespread block ciphers K = {0,1} m .

  4. 4 B.26 ECB mode (Electronic Code Book mode) Goal: Encrypt a bit string b 1 ,b 2 , … ,b M • 1 st Step: Padding w If M is not a multiple of the block length n append some bits (padding bits) b M+1 , … ,b nt to this bit string w Partition b 1 ,b 2 , … ,b nt into t non-overlapping blocks p 1 ,p 2 , … ,p t (More precisely, p 1 =(b 1 ,b 2 , … ,b n ), p 2 =(b n+1 ,b n+2 , … ,b 2n ), … ∈ {0,1} n .)

  5. 5 B.26 ECB mode (continued) Note: (i) The receiver must be able to determine the padding bits unambiguously. (ii) Example (padding): b M+1 = 1, b M+2 = … = b nt =0 (iii) In various padding schemes padding bits are always appended, even if M is a multiple of n. (iv) Depending on the concrete application non- random padding bits may allow the receiver to perform an integrity check after decryption.

  6. 6 B.26 ECB mode (continued) • 2 nd Step: Encrypt the plaintext blocks p 1 , … ,p t p 1 p 2 p t Enc Enc Enc k k k c 1 c 2 ... c t c j = Enc(p j ,k)

  7. 7 B.26 ECB mode (continued) The receiver receives the encrypted message c 1 , … ,c t Decryption: 1 st Step: The receiver computes p j = Dec(c j ,k) for j = 1,2, … ,t 2 nd Step (integrity check if the application permits; optional): The receiver checks whether the format of the decrypted message is syntactically o.k. 3 rd Step: The receiver removes the padding bits, obtaining the original plaintext message.

  8. 8 B.27 ECB mode: Significant Properties • In the ECB mode identical plaintext blocks are encrypted to identical ciphertext blocks. This property allows elementary attacks. Note that w Reordering the ciphertext blocks yields reordered plaintext blocks after decryption. w Doubling a particular ciphertext block gives a doubled plaintext block after decryption. w If the plaintext blocks represent the colour of (one or several) pixels in a coarse graphics an adversary might be able to recognize its main contours without breaking the cipher. Details: blackboard Example: Exercises

  9. 9 B.27 (continued) • Error propagation: Bit errors in a single ciphertext block only affect the decryption of this particular block. • Note: For a strong block cipher even a single bit flip causes about n / 2 bit errors in the decrypted block in average.

  10. 10 B.28 ECB mode: Fields of Application • Encryption of 1-block messages • Occasionally: Encryption of short messages in smart card communication (Note: Smart card applications often determine the number of plaintext blocks and the syntax within these blocks, leaving little variability. This prevents attacks as mentioned in B.27). • Key derivation

  11. 11 B.29 Chip-based Electronic Purse Systems Simplified description Involved parties • Electronic purses (smart cards that store units that represent money) • merchant terminals (often supported by smart cards that perform the sensitive operations) • background system Functionality: cashless payment (offline transactions)

  12. 12 B.29 (continued) Cashless Payment: • The merchant terminal displays the price pr and transmits an accordant message to the electronic purse. • The electronic purse w reduces its balance by pr units w transmits a payment record to the merchant terminal, confirming this action • The merchant terminal w stores this payment record (offline system) w submits the collected records periodically to the background system • The background system books money to the merchant ’ s account

  13. 13 B.29 (continued) Loading the electronic purse: • The holder of the electronic purse pays cash or with book money x € • The background system increases the balance of the electronic purse by x units (1 unit = 1 € ).

  14. 14 B.29 (continued) Security requirements: • The merchant terminal must only accept payment records from authentic electronic purses. (Otherwise an adversary could use duplicates of electronic purses for which he could increase the balance himself.) • The merchant must not be able to generate new payment records or submit authentic payment records more than once. • Only the background system shall be able to load electronic purses.

  15. 15 B.30 Example Scenario: A smart card terminal shares a key k with each smart card that supports a particular application, e.g. that belongs to a particular electronic payment system. Goal: The smart card shall convince the terminal that it is authentic. Straight-forward solution: The smart card transmits k as a password. The terminal believes a smart card to be authentic if it sends k. Drawback of this solution: An adversary might monitor exchanged messages, learning k.

  16. 16 B.30 (continued) Better solution: Dynamic Authentication Smart Card Terminal generates a random number R R C:=Enc(R,k) C checks whether C = Enc(R,k) if yes: the terminal takes the smart card for authentic

  17. 17 B.30 (continued) • This is the most elementary challenge-response protocol. • Monitoring messages from authentic smart cards does not help to pass the challenge response protocol since the challenge R changes from run to run. • Monitoring old messages only provides (plaintext, ciphertext) pairs for known plaintext attacks on Enc.

  18. 18 B.31 Example For sensitive applications smart cards usually have individual keys so that a successful attack on one smart card does not compromise the all the others. Goal: Perform the challenge-response-protocol from B.30 with card-individual keys. Straight-forward solution: The terminal stores the individual keys of all smart cards. This solution is appropriate for w online systems with one key list on a central server w offline systems with a small number of smart cards Drawback of this solution: For widespread offline applications thousands or even millions of keys had to be stored. Moreover, the list had to be updated whenever a new smart card is issued.

  19. 19 B.31 (continued) More efficient solution: Each smart card has an individual card number C_Nr and an individual key k C . The terminals have a master key k M . Key derivation: k C = Enc(C-Nr,k M ) Note: (I) Alternatively, k C might be a given by a function value of the right-hand side. (ii) There also exist key derivation mechanisms that apply one-way functions (cf. Chapter C). The challenge response protocol from Example B.30 now reads as follows:

  20. 20 B.31 (continued) Smart Card Terminal generates a random number R R C:=Enc(R,k C ) C || C_Nr k C :=Enc(C_Nr,k M ) checks whether C = Enc(R,k C ) if yes: the terminal takes the smart card for authentic

  21. 21 B.32 CBC mode (Cipher Block Chaining mode) • 1 nd Step: Padding (as in ECB mode) • 2 nd Step: Encrypt the plaintext blocks p 1 , … ,p t p 1 p 2 p t IV . . . Enc Enc Enc k k k c 1 c 2 c t . . . c j = Enc(p j ⊕ c j-1 ,k)

  22. 22 B.32 CBC mode (continued) The receiver receives the encrypted message c 1 , … ,c t Decryption: 1 st Step: The receiver computes p j = Dec(c j ,k) ⊕ c j-1 for j = 1,2, … ,t with c 0 := IV 2 nd Step (integrity check if the application permits; optional): The receiver checks whether the format of the decrypted message is syntactically correct. 3 rd Step: The receiver removes the padding bits, obtaining the original plaintext message. Note: Step 2 and Step 3 are the same as for the ECB mode

  23. 23 B.33 CBC mode: Significant Properties • Different IVs cause different ciphertexts even for identical plaintexts and identical key. Varying the IV prevents replay attacks where an active adversary sends “ old ” authentic ciphertexts, which he has previously intercepted. • The ciphertext block c j depends on IV,p 1 , … ,p j . Unlike in the ECB mode rearranging or doubling ciphertext blocks will presumably not give meaningful plaintext. • Decryption may be parallelized.

  24. 24 B.33 (continued) • Error propagation / error recovery: Since p j only depends on c j-1 and c j bit errors and even losses of blocks are compensated two blocks later. • Often the IV does not need to be kept secret but its integrity must be ensured. Note: p 1 = Dec(c 1 ,k) ⊕ IV implies p 1 * := p 1 ⊕ (IV ⊕ IV*) = Dec(c 1 ,k) ⊕ IV* for any IV*

  25. 25 B.34 Forging the IV (Attack) Assumption: The adversary is able to read and to alter messages that are exchanged between the sender and the receiver. Attack: (i) The sender transmits (c 1 , … ,c t ; IV ) (ii) The adversary alters the message to (c 1 , … ,c t ; IV*) (iii) The receiver decrypts the altered ciphertext and obtains p 1 * := p 1 ⊕ (IV ⊕ IV*),p 2 , … ,p t Example: Exercises

  26. 26 B.35 CBC mode: Fields of Application • Encryption of long messages, e.g. applied in the SSL protocol • MACs (Message Authentication Codes; cf. B.48)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream

Block Ciphers Eli Biham - May 3, 2005 c 83 Block Ciphers (4) Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the

1.11k views • 63 slides
Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for

Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume encryption and decryption use the

425 views • 5 slides
One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers

One Time Pad, Block Ciphers, One Time Pad, Block Ciphers, Basic Ciphers Basic Ciphers Encryption Modes Encryption Modes Shift Cipher Brute%force attack can easily break Ahmet Burak Can Substitution Cipher Hacettepe University

191 views • 6 slides
Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and

CSS441 Block Ciphers Principles DES Block Ciphers and DES S-DES DES Details DES Design Other Ciphers CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20

788 views • 50 slides
Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu

Iterative Block Ciphers from Tweakable Block Ciphers with Long Tweaks Ryota Nakamichi and Tetsu Iwata Nagoya University, Japan FSE 2020 November 913, 2020, Virtual 1 / 19 Block Ciphers block cipher (BC) E : K { 0 , 1 } n { 0

530 views • 24 slides
Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length

Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the

334 views • 8 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a)

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers 2 B.a) Fundamentals 3 B.1 Definition A mapping Enc: P K C for which k := Enc( ,k): P C is bijective for each k K is called an

1.1k views • 32 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Jan 31, 2018 Announcements Project 1 is out, due Feb 14 midnight Recall: Block cipher A function E : {0, 1} k {0, 1} n

553 views • 32 slides
T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES

T-79.159 Cryptography and Data Security Lecture 3: 3.1 Introduction to block ciphers 3.2 DES 3.3 IDEA 3.4 AES Kaufman et al: Chapter 3 Stallings: Chapters 3, 5 1 Block ciphers Confidentiality primitive Threat: recover the plaintext

774 views • 15 slides
Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof.

Block ciphers, stream ciphers (start on:) Asymmetric cryptography CS 161: Computer Security Prof. Raluca Ada Popa Sept 15, 2016 Announcements Project due Sept 20 Recall: Block cipher A function E : {0, 1} k {0, 1} n {0, 1} n . Once

417 views • 30 slides
T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher

T-79.159 Cryptography and Data Security Lecture 4: 4.1 Stream ciphers 4.2 Block cipher confidentiality modes of operation Kaufman et al: Ch 4 Stallings: Ch 6, Ch 3 1 Stream ciphers Stream ciphers are generally faster than block

535 views • 12 slides
Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1 cole Normale

Block ciphers with non-standard sizes Choosing uniformly a random permutation P ERMUTATOR Sampling following the Hypergeometric Distribution Security Analysis Perfect Block Ciphers With Small Blocks Louis Granboulan 1 , 2 Thomas Pornin 3 1

550 views • 23 slides
Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of

Design Issues of Block Ciphers The objectives of this part is to show certain design issues of block ciphers. 1 Block Ciphers and Stream Ciphers A one-key cipher is a 5-tuple ( M , C , K , E k , D k ) , where M , C , K are respectively the

461 views • 12 slides
How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and

Introduction Cryptology Basics Detection Cryptanalysis The Word Case The Excel Case Conclusion How to Operationally Detect the Misuse of Stream Ciphers (and even Block Ciphers Sometimes) and Break them Eric Filiol, filiol@esiea.fr ESIEA -

808 views • 64 slides
Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks

Contents Introduction Classification of Symmetric Ciphers Types of Attacks Properties of Secure Ciphers Components of Block Ciphers Classes of Block Ciphers DES AES Secure Communication using

606 views • 27 slides
The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho

The 128-bit Blockcipher CLEFIA Taizo Shirai 1 , Kyoji Shibutani 1 , Toru Akishita 1 Shiho Moriai 1 , Tetsu Iwata 2 1 Sony Corporation 2 Nagoya University Direction for designing a new blockcipher Priority for Choosing an algorithm 1.

464 views • 19 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1

TBCs and AE NSIV Generic Composition EPWC MAC CTRT Encryption Conclusion Counter-in-Tweak: Authenticated Encryption Modes for Tweakable Block Ciphers Thomas Peyrin 1 Yannick Seurin 2 1 NTU, Singapore 2 ANSSI, France August 15, 2016

1.29k views • 102 slides
Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2

Structural attacks on block ciphers Sondre Rnjom NSM/UiB September 2, 2017 1 Preliminaries 2 Subspaces in block ciphers 3 From subspace trails to invariant subspaces in Simpira 4 Zero-di ff erence cryptanalysis of AES Preliminaries Block

2.18k views • 146 slides
Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED

Using SEED Cipher Algorithm with SRTP Seokung Yoon (KISA) Goal / Motivation Goal : The SEED cipher algorithm would be the default cipher together with AES in SRTP Motivation In Korea, many companies provide VoIP service and we

294 views • 6 slides
Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan

Introduction The counter mode Missing difference problem Cryptanalysis Conclusion Cryptanalysis of the counter mode of operation Ferdinand Sibleyras joint work with Gatan Leurent Inria, quipe SECRET April 10, 2018 1 / 29 Introduction

975 views • 74 slides
Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S.

Skinny A Family of Lightweight Tweakable Block Ciphers for the IoT C. Beierle, J. Jean, S. Klbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, S.M. Sim Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany

1.18k views • 41 slides
The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D.

The Simeck Family of Lightweight Block Ciphers Gangqiang Yang , Bo Zhu, Valentin Suder, Mark D. Aagaard, and Guang Gong Electrical and Computer Engineering, University of Waterloo Sept 15, 2015 Yang, Zhu, Suder, Aagaard, Gong Simeck Family

537 views • 30 slides

More recommend