|
|
|
|
Secret key
algorithms use the same key for both encryption and decryption (or
one is easily derivable from the other). This is the more
straightforward approach to data encryption, it is mathematically
less complicated than public key cryptography, and has been used for
many centuries.
The following terminology is often used when
symmetric ciphers are examined.
- S-boxes: lookup tables that map n bits to
m bits (where n and m often are equal).
There are several ways of constructing good S-boxes for
ciphers, as well as several ways of measuring them. Some designers
use a rigorous mathematical approach by using bent
functions (or related) to create S-boxes which can be proven
to be resistant against some particular attacks. Other designers
use heuristic approaches, which may lead to S-boxes that are more
difficult to handle in mathematical proofs, but can have
additional benefits (such as several different implementation
options).
The S-box may even be the only non-linear part
of the cipher. This is the case in the block cipher DES, and thus
may be regarded as the single most important part of the
algorithm. In fact, many consider DES's S-boxes so good that they
use them in their own designs (for example, Serpent).
- Feistel networks: a Feistel network is a general
device of constructing block ciphers from simple functions. The
original idea was used in the block cipher Lucifer, invented by
Horst Feistel. Several variations have been devised from the
original version.
Put simply, the standard Feistel network
takes a function from n bits to n bits and produces
an invertible function from 2n bits to 2n bits. The
basic function upon which the structure is based is often called
the round function. The essential property of Feistel networks
that makes them so useful in cipher design is that the round
function need not be invertible, but the resulting function always
is.
If the round function depends on, say, k bits
of a key, then the Feistel cipher requires rk bits of the
key where r is the number of rounds used.
The
security of the Feistel structure is not obvious, but analysis of
DES has shown that it is a good way to construct ciphers. It is
compulsory that a Feistel cipher has enough rounds, but just
adding more rounds does not always guarantee security.
- The operation of taking the user key and expanding it into
rk bits for the Feistel rounds is called key
scheduling. This is often a non-linear operation, so that
finding out any of the rk bits of the round keys does not
directly provide any information about the actual user key. There
are many ciphers that have this basic structure; Lucifer, DES, and
Twofish, just to name a few.
- Expansion, Permutation: these are common tools in
mixing bits in a round function. They are linear operations, and
thus not sufficient to guarantee security. However, when used with
good non-linear S-boxes (as in DES) they are vital for the
security because they propagate the non-linearity uniformly over
all bits.
- bit slice operations (bitwise logic operations XOR,
AND, OR, NOT and bit permutations): The idea of bitslice
implementations of block ciphers is due to Eli Biham. It is common
practice in vector machines to achieve parallel operation.
However, Biham applied it on serial machines by using large
registers as available in modern computers. The term "bitslice" is
due to Matthew Kwan.
Basically all block ciphers can be
written in bitslice manner, but operations such as addition and
multiplication may become very slow. On the other hand,
permutations are almost free as they just require naming
of the registers again and this can be done one the coding level.
Thus, for example, in DES exhaustive key search using bitslice
techniques, one can increment the current key in a fraction of the
time than is usually needed for key scheduling.
The AES
finalist Serpent is designed to be implemented using bitslice
operations only. This makes it particularly efficient on modern
architectures with many registers.
The One-Time Pad The one-time pad (OTP) is the only
cipher that has been proven to be unconditionally secure, i.e.
unbreakable in practice. It has also be proven that any unbreakable,
unconditionally secure, cipher must in principle be a one-time pad.
The Vernam cipher (invented by G. Vernam in 1917) is a
famous instance of an OTP. This cipher is very simple: take a stream
of bits that contains the plaintext message, and a secret random
bit-stream of the same length as the plaintext which is considered
the key. To encrypt the plaintext with the key, sequentially
exclusive-or each pair of key bit and plaintext bit to obtain the
ciphertext bit. If the key is truly random, it can be proven
that the attacker has no means of deciding whether some guessed
plaintext is more likely than any other when having only the
ciphertext and no knowledge of the plaintext.
The practical
problem is that the key does not have small constant length, but the
same length as the message, and one part of a key should never be
used twice (or the cipher can be broken). So, we just have traded
the problem of exchanging secret data for the problem of exchanging
secret random keys of the same length. However, this cipher has
allegedly been in widespread use since its invention, and even more
since the security proof by C. Shannon in 1949. Although admittedly
the security of this cipher had been conjectured earlier, it was
Shannon who actually found a formal proof for it.
More
information can found, for example, in the book by D. Stinson href="books.html#books">Cryptography: Theory and
Practice.
DES The Data Encryption Standard (DES) is an
algorithm developed in the mid-1970s. It was turned into a
standard by the US National Institute
of Standards and Technology (NIST), and was also adopted by
several other governments worldwide. It was and still is widely
used, especially in the financial industry.
DES is a block
cipher with 64-bit block size. It uses 56-bit keys. This makes it
suspectible to exhaustive key search with modern computers and
special-purpose hardware. DES is still strong enough to keep most
random hackers and individuals out, but it is easily breakable with
special hardware by government, criminal organizations, or major
corporations. DES is getting too weak, and should not be used in new
applications.
A variant of DES, Triple-DES (also
3DES) is based on using DES three times (normally in an
encrypt-decrypt-encrypt sequence with three different, unrelated
keys). The Triple-DES is arguably much stronger than (single) DES,
however, it is rather slow compared to some new block ciphers.
Nevertheless, even though DES seems to be of little interest
for applications of today there are many reasons for considering it
still important. It was the first block cipher which was widely
deployed in the public sector. Thus it played an important role in
making strong cryptography available to the public.
Also,
the design was exceptionally good for a cipher that was meant to be
used only a few years. DES proved to be a very strong cipher and it
took over a decade for any interesting cryptanalytical attacks
against it to develop (not to underestimate the pioneering efforts
that lead to this breakthrough). The development of differential
cryptanalysis and linear cryptanalysis opened ways to really
understand the design of block ciphers.
Although at the time
of DES's introduction its design philosophy was held secret, it did
not discourage its analysis - to the contrary. Some information has
been published about its design, and one of the original designers,
Don Coppersmith, has commented that they discovered ideas similar to
differential cryptanalysis already while designing DES in 1974.
However, it was just matter of time that these fundamental ideas
were re-discovered.
Even today, when DES is no longer
considered a practical solution, it is often used to describe new
cryptanalytical techniques. It is remarkable that even today, there
are no cryptanalytical techniques that would completely break DES in
a structural way, indeed, the only real weakness known is the short
key size (and perhaps the small block size).
AES In response to the growing feasibility of
attacks against DES, NIST
launched a call for proposals for an official successor that meets
21st century security needs. This successor is to be called the
Advanced Encryption Standard (AES). Five
algorithms made it into the second round, from which Rijndael was
selected to be final standard. We will now have a quick look at each
of them and their cryptographic peculiarities.
All the
ciphers have 128 bit block size and they support 128,
192 and 256 bit keys. The rather large key sizes are
probably required to give means for construction of efficient hash
functions.
- The AES,
Rijndael,
the design of two Belgian cryptographers, Joan Daemen and Vincent
Rijmen.
Rijndael follows the tradition of square ciphers
(it is based on ideas similar to the Square cipher). NIST gave as
its reasons for selecting Rijndael that it performs very well in
hardware and software across a wide range of environments in all
possible modes. It has excellent key setup time and has low memory
requirements, in addition its operations are easy to defend
against power and timing attacks.
NIST stated that all
five finalists had adequate security and that there was nothing
wrong with the other four ciphers. After all analysis and received
comments were considered, NIST considered Rijndael the best choice
for the AES. The other four finalists are mentioned below.
- MARS
by Zunic et. al., IBM.
This is an interesting new design
(using a special type of a Feistel network), which depends heavily
on the instruction sets available on modern 32-bit processors.
This has the benefit that on these target machines it is
efficient, but it may lead to implementation difficulties in
cheaper architectures like smart cards.
- RC6
by Rivest, Robshaw and Yin, RSA Laboratories.
RC6 follows
the ideas of RC5 - but with many improvements. For example, it
attempts to avoid some of the differential attacks against RC5's
data dependent rotations. However, there are some attacks that get
quite far, and it is unclear whether RC6 is well enough analyzed
yet.
- Serpent
by Anderson, Biham and Knudsen.
Serpent has a basically
conservative but in many ways innovative design. It may be
implemented by bitslice (or vector) gate logic throughout. This
makes it rather complicated to implement from scratch, and writing
it in a non-bitslice way involves an efficiency penalty.
The 32 rounds lead to probably the highest security
margin on all AES candidates, while it is still fast enough for
all purposes.
- Twofish by
Schneier et. al., Counterpane Security.
Twofish is a new
block cipher designed by Counterpane (whose CEO is Bruce
Schneier). The design is highly delicate, with many alternative
ways of implementation. It is cryptanalysed in much detail, by the
very authoritative "extended Twofish team". It is basically a
Feistel cipher, but utilizes many different ideas.
This
cipher has key dependent S-boxes like Blowfish (another
cipher by Bruce Schneier).
Blowfish Blowfish was designed by Bruce Schneier. It
is a block cipher with 64-bit block size and variable length keys
(up to 448 bits). It has gained a fair amount of acceptance in a
number of applications, including Nautilus and PGPfone.
Blowfish utilizes the idea of randomized S-boxes: while
doing key scheduling, it generates large pseudo-random look-up
tables by doing several encryptions. The tables depend on the user
supplied key in a very complex way. This approach has been proven to
be highly resistant against many attacks such as differential and
linear cryptanalysis. Unfortunately it also means that it is not the
algorithm of choice for environments where large memory space
(something like than 4096 bytes) is not available..
The only known attacks against Blowfish are based on its
weak key classes.
IDEA IDEA (International Data Encryption Algorithm)
is an algorithm developed at ETH Zurich in Switzerland by Xuejia
Lai. It uses a 128 bit key, and it is generally considered to be
very secure. It has been one of the best publicly known algorithms
for some time (before the AES standard started its second round, see
above). It has been around now for several years, and no practical
attacks on it have been published despite of numerous attempts to
analyze it.
One of the best attacks uses the impossible
differential idea of Biham, Shamir and Biryukov. They can attack
only 4.5 rounds of IDEA and this poses no threat to the total
of 8.5 rounds used in IDEA.
IDEA is patented in the
United States and in most European countries.
RC4 RC4 is a stream cipher designed by Ron Rivest at
RSA Data Security, Inc. It used to be a trade secret, until someone
posted source code for an algorithm on the usenet, claiming it to be
equivalent to RC4. There is very strong evidence that the posted
algorithm is indeed equivalent to RC4. The algorithm is very fast.
Its security is unknown, but breaking it does not seem trivial
either. Because of its speed, it may have uses in certain
applications. It accepts keys of arbitrary length.
RC4 is
essentially a pseudo random number generator, and the output of the
generator is exclusive-ored with the data stream. For this reason,
it is very important that the same RC4 key never be used to encrypt
two different data streams.
Modes Of Operation Many commonly used ciphers are
block ciphers. Block ciphers transform a fixed-size block
of data (usually 64 bits) it into another fixed-size block (possibly
64 bits wide again) using a function selected by the key. If
the key, input block and output block have all n bits, a
block cipher basically defines a one-to-one mapping from
n-bit integers to permutations of n-bit integers.
If the same block is encrypted twice with the same key, the
resulting ciphertext blocks are also the same (this mode of
encryption is called electronic code book, or ECB).
This information could be useful for an attacker. To cause identical
plaintext blocks being encrypt to different ciphertext blocks, two
standard modes are commonly used:
- CBC (cipher block chaining): a ciphertext block is
obtained by first XORing the plaintext block with the previous
ciphertext block, and encrypting the resulting value. This way
leading blocks influence all trailing blocks, which increases the
number of plaintext bits one ciphertext bit depends on, but also
leads to synchronization problems if one block is lost.
- CFB (cipher feedback): the kth ciphertext block
is obtained by encrypting the (k-1)th ciphertext block and
XORing the result onto the plaintext. Interestingly, an CFB
feedback loop can also be used as a pseudo-random number generator
if one simply feeds one block of true random data with trailing
blocks of zeroes into the encryption routine (although the
expected period of this PRNG would be only about
2n/2 where n is the block size of the
cipher).
Block ciphers have also interesting
relationships to other classes of ciphers. For example:
- Stream ciphers. A stream cipher consists of a state
machine that outputs at each state transition one bit of
information. This stream of output bits is commonly called the
running key. The encryption can be implemented by just
exclusively-oring the running key to the plaintext message.
The state machine is nothing more than a pseudo-random
number generator. For example, we can build one from a block
cipher by encrypting repeatedly its own output. Typically, more
elaborate constructions are used for stream ciphers to obtain
high-speed.
Some of the more well-known stream ciphers are
RC4 and SEAL. Several stream ciphers are based on linear-feedback
shift registers (LFSR), such as A5/1 used in GSM. These have the
benefit of being very fast (several times faster than usual block
ciphers).
- SSSC (self-synchronizing stream ciphers): The class of
self-synchronizing stream ciphers has the convenient
property that it corrects the output stream after bit flips or
even dropped bits after a short time (say, a few hundred bits).
SSSC's can be constructed using block ciphers in a
CFB-related way. Assume that we have already encrypted n
bits of the message and know that much of the ciphertext (where
n denotes the block length of the cipher). Then we produce
a new running key (see above) bit by encrypting the n
ciphertext bits. Take one bit of the output of the cipher to be
the new running key bit. Now moving one bit further we can iterate
this procedure for the whole length of the message.
It is
easy to see that a one bit error in a ciphertext cannot affect the
decrypted plaintext after n bits. This makes the cipher
self-synchronizing.
The block cipher used should have
sufficiently large block size to avoid substitution attacks, for
example.
More information on cipher modes can
be found in the Handbook
of Applied Cryptography by Menezes et al.
Cryptography before the 1970's In this section some of
the famous ciphers of the past are listed, with links to more
complete information where possible.
- Fish was used by the German army in
WWII to encipher high-command communications. It was produced by a
stream cipher called the Lorentz machine. Fish was the name given
to it by British cryptanalysts. It was important because it caused
difficulties for British analysts, who finally developed a machine
called Colossus, which was arguably the first, or one of the
first, digital computers.
The Colossus machine may have
been an important factor in the planning and success of the Allied
attack on Normandy. Given the intelligence produced by
cryptanalysis of Fish, Allied forces knew the positions of pretty
much every German division.
- Enigma was another cipher used by
the Germans in World War II. The machine used several rotors and
looked like a typing machine. However, first Polish and then later
British mathematicians were able to keep up with the development
of the machine. Most communication using the basic version of
Enigma was deciphered by British analysts at Bletchley Park within
few hours of the interception. One of the strongest Enigma's were
used in submarine communication, but British analysts managed to
break them with great implications for the battle on the Atlantic.
There are several good books about Enigma and Bletchley
Park. In addition, the work of the major figure of British
cryptanalysis, Alan Turing, has been explained in many articles
and books. Recently his original notes about cryptanalysis from
that time has been released for the public.
This cipher,
or a variant of it, is used by the unix crypt(1) program. It is
unlikely that any variant of Enigma could be considered very
secure by todays standards.
- Vernam cipher is described in detail
above.
- Substitution cipher. This is
one of the basic pencil-and-paper methods. Make a table by first
listing your alphabet in order on the first row, and then making a
random permutation of the alphabet on the second row. You can then
encrypt any character of the alphabet by first looking it up on
the first row, and the writing down the random character on the
second row. The key of this method is the permutation of the
alphabet on the second row. Decryption works in reverse.
This method is suspectible to frequency analysis, as long
as the alphabet size is small. Modern block ciphers can be seen as
a variant of this idea, in the sense that they try hide the
message under a very large alphabet that depends on the key. In
the block cipher case the permutation is generated by the secret
key and the key space might not cover all the possible
permutations.
- Vigenere. This cipher uses clock
arithmetic to add together the key and the message. The difference
between OTP and Vigenere is that in Vigenere we explicitly reuse
the short key several times for one message.
Methods for
attacking Vigenere ciphers are the Kasiski test, index of
coincidence etc. These lead to effective methods which break even
very short message (relative to the key size of course).
- Hill cipher. The Hill cipher uses
matrices in clock arithmetic, and is highly suspectible to known
plaintext attacks.
| |
|