design issues of block ciphers


  1. Design Issues of Block Ciphers

     The objective of this part is to show certain design issues of block ciphers.

  2. Block Ciphers and Stream Ciphers

     A one-key cipher is a 5-tuple $(M, C, K, E_k, D_k)$, where

     • $M$, $C$, $K$ are respectively the plaintext space, ciphertext space, and key space;
     • any $k \in K$ could be the encryption and decryption key; and
     • $E_k$ and $D_k$ are encryption and decryption transformations with $D_k(E_k(m)) = m$ for each $m \in M$.

     Classification: For any message $m$, if the corresponding ciphertext $c := E_k(m)$ is time-invariant, the one-key cipher is called a block cipher. Otherwise, it is called a stream cipher.

  3. An Example of Block Ciphers

     • $M = C = \{0, 1\}^*$.
     • $K = \{0, 1\}^{256}$.
     • A message is divided into blocks $m_i$, each with 256 bits. Encryption is then done block by block: $E_k(m_i) = m_i \oplus k$.
     • Each ciphertext block $c_i$ (i.e., $E_k(m_i)$) is decrypted: $D_k(c_i) = c_i \oplus k$.

     Question: Why is this a block cipher?

     Question: Is this block cipher secure? Why?

     Remark: Examples of stream ciphers will be seen later.

  4. Design Issues of One-key Block Ciphers

     A one-key cipher $(M, C, K, E_k, D_k)$:

     • You have to design all the five building blocks.
     • The security of your cipher should depend only on the confidentiality of the key $k$. (We assume that the encryption algorithm $E_k$ and decryption algorithm $D_k$ are known to the enemy.)
     • It should be secure in the computational sense.
     • It should be fast in hardware and software.

     Question: How do you design a one-key cipher meeting these requirements?

  5. Linear Functions

     Notation: Let $F_2$ denote the set $\{0, 1\}$ and let $F_2^n = \{(x_1, x_2, \cdots, x_n) \mid x_i \in F_2\}$. We always associate $F_2^n$ with the bitwise exclusive-or operation, also denoted $+$.

     Linear functions: Let $f$ be a function from $F_2^n$ to $F_2^m$, where $n$ and $m$ are positive integers. $f$ is called linear if $f(x + y) = f(x) + f(y)$ for all $x, y \in F_2^n$.

     Example: Let $f(x) = x_1 + x_2 + \cdots + x_n$, where $x = (x_1, \cdots, x_n) \in F_2^n$. Then $f$ is a linear function from $F_2^n$ to $F_2$. Note that $+$ denotes the modulo-2 addition.

  6. Linear Functions

     Linear function by circular shift: Let $i$ be any positive integer. Define a function $RS_i$ from $F_2^n$ to $F_2^n$ by

     $$RS_i((x_0, x_1, \cdots, x_{n-1})) = (x_{(0-i) \bmod n}, x_{(1-i) \bmod n}, \cdots, x_{(n-1-i) \bmod n})$$

     for any $x = (x_0, x_1, \cdots, x_{n-1}) \in F_2^n$.

     Example: $RS_1((x_0, x_1, \cdots, x_{n-1})) = (x_{n-1}, x_0, x_1, \cdots, x_{n-2})$

     Lemma: $RS_i$ is linear with respect to the bitwise exclusive-or.

     Proof: Trivial.

  7. Nonlinear Functions

     Definition: Any function that is not linear is called a nonlinear function.

     Example: The following function from $F_2^4$ to $F_2$ is nonlinear:

     $$f(x_1, x_2, x_3, x_4) = x_1 + x_2 + x_3 + x_4 + x_1 x_2 x_3 x_4.$$

     Remark: The degree of the Boolean function indicates the degree of nonlinearity.

  8. Shannon’s First Design Idea: Diffusion

     Diffusion: Each plaintext block bit or key bit affects many bits of the ciphertext block.

     [Figure: the plaintext $x$ and the key $k$ are the inputs of $E_k(x)$, which outputs the ciphertext $y$.]

     Example: Suppose that $x$, $y$ and $k$ all have 8 bits. If

     $$
     \begin{aligned}
     y_1 &= f_1(x_1, x_2, k_1, k_2) \\
     y_2 &= f_2(x_2, x_3, k_2, k_3) \\
     y_3 &= f_3(x_3, x_4, k_3, k_4) \\
     y_4 &= f_4(x_4, x_5, k_4, k_5) \\
     y_5 &= f_5(x_5, x_6, k_5, k_6) \\
     y_6 &= f_6(x_6, x_7, k_6, k_7) \\
     y_7 &= f_7(x_7, x_8, k_7, k_8) \\
     y_8 &= f_8(x_8, x_1, k_8, k_1)
     \end{aligned}
     $$

     where the $f_i$ are some functions, then it has very bad diffusion, because each plaintext bit or key bit affects only two bits in the output block $y$.

  9. Shannon’s First Design Idea: Diffusion

     Diffusion: Each plaintext block bit or key bit affects many bits of the ciphertext block.

     [Figure: the plaintext $x$ and the key $k$ are the inputs of $E_k(x)$, which outputs the ciphertext $y$.]

     Example: Suppose that $x$, $y$ and $k$ all have 8 bits. If

     $$
     \begin{aligned}
     y_1 &= x_1 + x_2 + x_3 + x_4 + k_1 + k_2 + k_3 + k_4 \\
     y_2 &= x_2 + x_3 + x_4 + x_5 + k_2 + k_3 + k_4 + k_5 \\
     y_3 &= x_3 + x_4 + x_5 + x_6 + k_3 + k_4 + k_5 + k_6 \\
     y_4 &= x_4 + x_5 + x_6 + x_7 + k_4 + k_5 + k_6 + k_7 \\
     y_5 &= x_5 + x_6 + x_7 + x_8 + k_5 + k_6 + k_7 + k_8 \\
     y_6 &= x_6 + x_7 + x_8 + x_1 + k_6 + k_7 + k_8 + k_1 \\
     y_7 &= x_7 + x_8 + x_1 + x_2 + k_7 + k_8 + k_1 + k_2 \\
     y_8 &= x_8 + x_1 + x_2 + x_3 + k_8 + k_1 + k_2 + k_3
     \end{aligned}
     $$

     then it has very good diffusion, because each plaintext bit or key bit affects half of the bits in the output block $y$.

  10. Shannon’s Second Design Idea: Confusion

      Confusion: Each bit of the ciphertext block has highly nonlinear relations with the plaintext block bits and the key bits.

      [Figure: the plaintext $x$ and the key $k$ are the inputs of $E_k(x)$, which outputs the ciphertext $y$.]

      Example: Suppose that $x$, $y$ and $k$ all have 8 bits. If

      $$
      \begin{aligned}
      y_1 &= x_1 + x_2 + x_3 + x_4 + k_1 + k_2 + k_3 + k_4 \\
      y_2 &= x_2 + x_3 + x_4 + x_5 + k_2 + k_3 + k_4 + k_5 \\
      y_3 &= x_3 + x_4 + x_5 + x_6 + k_3 + k_4 + k_5 + k_6 \\
      y_4 &= x_4 + x_5 + x_6 + x_7 + k_4 + k_5 + k_6 + k_7 \\
      y_5 &= x_5 + x_6 + x_7 + x_8 + k_5 + k_6 + k_7 + k_8 \\
      y_6 &= x_6 + x_7 + x_8 + x_1 + k_6 + k_7 + k_8 + k_1 \\
      y_7 &= x_7 + x_8 + x_1 + x_2 + k_7 + k_8 + k_1 + k_2 \\
      y_8 &= x_8 + x_1 + x_2 + x_3 + k_8 + k_1 + k_2 + k_3
      \end{aligned}
      $$

      then it has bad confusion, as they are linear relations.

      Remark: Nonlinear functions are responsible for confusion.

  11. An Important Design Paradigm

      Iteration: In order to design $E_k$ and $D_k$ such that

      1. they have good diffusion and confusion with respect to the secret key bits and message block bits, and
      2. they are fast in software and hardware,

      we could design a simple function $f_k$ and define

      $$E_k(m) = f_{k_{16}}(f_{k_{15}}(\cdots f_{k_2}(f_{k_1}(m)) \cdots))$$

      where $k_1, k_2, \cdots$ and $k_{16}$ are binary strings computed from the secret key $k$ according to an algorithm.

  12. The Finite Field GF($2^8$)

      Primitive polynomial: $p(x) = x^8 + x^4 + x^3 + x + 1 \in \mathrm{GF}(2)[x]$, which is irreducible and has “other” properties.

      1. Every element of GF($2^8$) is a polynomial: $a(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_7 x^7 \in \mathrm{GF}(2)[x]$.
      2. For any two elements

         $$
         \begin{aligned}
         a(x) &= a_0 + a_1 x + a_2 x^2 + \cdots + a_7 x^7, \\
         b(x) &= b_0 + b_1 x + b_2 x^2 + \cdots + b_7 x^7,
         \end{aligned}
         $$

         the addition and multiplication are defined to be

         $$a(x) + b(x) = \sum_{i=0}^{7} (a_i + b_i) x^i \in \mathrm{GF}(2)[x]$$

         and

         $$a(x) \times b(x) = a(x) b(x) \bmod p(x).$$

      $x^{-1}$ has optimal nonlinearity.
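The GF($2^8$) arithmetic of slide 12, as an added example that is not part of the original slides: it implements addition, multiplication modulo $p(x)$ and inversion, then measures the nonlinearity of $x \mapsto x^{-1}$ with a Walsh-Hadamard transform. The function names and the convention that 0 maps to 0 are assumptions made here.

```python
# Added example. Elements of GF(2^8) are ints 0..255; bit i is the coefficient a_i.
P = 0x11B  # p(x) = x^8 + x^4 + x^3 + x + 1 as a bit mask

def gf_add(a, b):
    return a ^ b  # coefficient-wise addition modulo 2

def gf_mul(a, b):
    """Shift-and-add product a(x) * b(x) mod p(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:      # degree reached 8: subtract p(x)
            a ^= P
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 for a != 0 (the group has order 255); 0 -> 0 by assumption."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def max_walsh(table, out_mask):
    """Largest |Walsh coefficient| of the Boolean function x -> <out_mask, table[x]>."""
    w = [1 - 2 * (bin(table[x] & out_mask).count("1") & 1) for x in range(256)]
    h = 1
    while h < 256:  # in-place fast Walsh-Hadamard transform
        for i in range(0, 256, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return max(abs(v) for v in w)

def nonlinearity(table):
    """Minimum Hamming distance from any nonzero output combination to an affine function."""
    return 128 - max(max_walsh(table, m) for m in range(1, 256)) // 2

INV_TABLE = [gf_inv(x) for x in range(256)]
LINEAR_TABLE = [gf_mul(x, 3) for x in range(256)]  # multiplication by a constant is linear

if __name__ == "__main__":
    print("nonlinearity of x^-1:", nonlinearity(INV_TABLE))
    print("nonlinearity of 3*x :", nonlinearity(LINEAR_TABLE))
```

Multiplication by a constant is linear over GF(2), so its nonlinearity is 0, while inversion reaches 112.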
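For the example cipher of slide 3 ($E_k(m_i) = m_i \oplus k$), an added example that is not part of the original slides, showing what the two questions on that slide are probing: equal plaintext blocks give equal ciphertext blocks, and one known plaintext block reveals the whole key. The message contents are constructed sample data and the function names are assumptions.

```python
# Added example; the sample message is constructed for illustration.
import secrets

BLOCK = 32  # 256-bit blocks and 256-bit key, as on the slide

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt(key, msg):
    """E_k(m_i) = m_i XOR k, applied block by block."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of 256-bit blocks")
    return [xor(msg[i:i + BLOCK], key) for i in range(0, len(msg), BLOCK)]

def decrypt(key, blocks):
    """D_k(c_i) = c_i XOR k."""
    return b"".join(xor(c, key) for c in blocks)

def recover_key(known_plain_block, cipher_block):
    """c = m XOR k implies k = m XOR c: one known block gives the key."""
    return xor(known_plain_block, cipher_block)

def demo():
    key = secrets.token_bytes(BLOCK)
    header = b"HDR:" + b"\x00" * 28                        # predictable block
    secret = b"account=4711;amount=0000000250;".ljust(BLOCK, b" ")
    blocks = encrypt(key, header + secret + header)
    guessed = recover_key(header, blocks[0])               # only the header is known
    return {
        # Time-invariance: the same block always encrypts to the same value.
        "repeats_visible": blocks[0] == blocks[2],
        # The key falls out of a single known plaintext/ciphertext pair.
        "key_recovered": guessed == key,
        "secret_read": decrypt(guessed, blocks[1:2]) == secret,
        # Even without any known block, c_i XOR c_j = m_i XOR m_j (key cancels).
        "xor_leak": xor(blocks[0], blocks[1]) == xor(header, secret),
    }

if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```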
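Diffusion and confusion from slides 8 to 10 can be measured directly on the 8-bit examples. The following added example (not part of the original slides) counts how many output bits each input bit can affect and tests whether the map is affine in $x$. The slides leave the $f_i$ of slide 8 unspecified, so `slide8_like` uses a hypothetical choice $f_i = x_i x_{i+1} + k_i + k_{i+1}$; bits are indexed from 0 in the code.

```python
# Added example. Bit i of an int holds x_{i+1} (the slides count from 1).
def ror(v, j):
    """Rotate so that bit i of the result is bit (i + j) mod 8 of v."""
    return ((v >> j) | (v << (8 - j))) & 0xFF

def slide9(x, k):
    """y_i = x_i + x_{i+1} + x_{i+2} + x_{i+3} + k_i + ... + k_{i+3} (slides 9 and 10)."""
    t = x ^ k
    return t ^ ror(t, 1) ^ ror(t, 2) ^ ror(t, 3)

def slide8_like(x, k):
    """Slide 8 shape with the hypothetical f_i = x_i*x_{i+1} + k_i + k_{i+1}."""
    return (x & ror(x, 1)) ^ k ^ ror(k, 1)

KEYS = [0x11 * n for n in range(16)]  # constructed sample keys 0x00, 0x11, ..., 0xFF

def affected_bits(cipher, keys=KEYS):
    """For each of the 8 plaintext bits, then the 8 key bits: how many output
    bits can change when that single input bit is flipped."""
    counts = []
    for flip_key in (False, True):
        for b in range(8):
            seen = 0
            for x in range(256):
                for k in keys:
                    x2, k2 = (x, k ^ (1 << b)) if flip_key else (x ^ (1 << b), k)
                    seen |= cipher(x, k) ^ cipher(x2, k2)
            counts.append(bin(seen).count("1"))
    return counts

def is_affine_in_x(cipher, k):
    """True if E_k(x) + E_k(z) + E_k(x + z) + E_k(0) = 0 for all x, z."""
    table = [cipher(x, k) for x in range(256)]
    return all(table[x] ^ table[z] ^ table[x ^ z] ^ table[0] == 0
               for x in range(256) for z in range(256))

if __name__ == "__main__":
    for name, fn in (("slide 8 (hypothetical f_i)", slide8_like), ("slides 9/10", slide9)):
        print(name, affected_bits(fn), "affine in x:", is_affine_in_x(fn, 0xA5))
```

The two properties are independent: the slide 9 map spreads every input bit over four output bits yet is affine, while the slide 8 shape with a nonlinear $f_i$ is not affine yet spreads each bit over only two.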
