2. What did we do in the last lecture?
● What topics did we discuss?
● Which did you find interesting?
● Which did you find challenging?
2
3. Content
● Overview
● Modes of Operation
● Increasing Security of Block Ciphers
● Challenges of Symmetric Cryptography
3
4. Content
● Overview
● Modes of Operation
● Increasing Security of Block Ciphers
● Challenges of Symmetric Cryptography
4
5. The field of Cryptology
5
Cryptology
Cryptography Cryptanalysis
Symmetric
Cryptography
Asymmetric
Cryptography
Protocols
Block Ciphers
Stream
Ciphers
6. The field of Cryptography
6
Number
Theory
Complexity
Theory
Information
Theory
Algorithms
(Symmetric) Cryptography
Confidentiality Integrity Authenticity Non-repudiation
Mathematics Computer Science Physics Electrical Engineering
Risk Management Security
8. Symmetric Cryptography - Analogy
● Safe with a strong lock, only Alice and Bob have a copy of the (shared) key
○ Alice encrypts, i.e. locks the safe with her key
○ Bob decrypts, i.e. unlocks the safe with his key
8
9. Formal definition of symmetric Cryptography
Let n be a security parameter, K the key space, M the plaintext space, and C the
ciphertext space. Symmetric cryptography consists of three algorithms:
● Key Generation := returns on input {0,1}n
a key k K
∈
k ← Gen({0,1}n
)
● Encryption := returns on input k and message m M
∈ a ciphertext c C
∈
c ← Enck(m)
● Decryption := returns on input k and c = Enck (m) C
∈ a message m M
∈
Deck(Enck(m)) = m, for all k K, and m M
∈ ∈
9
10. The field of Cryptology - Block ciphers
10
Cryptology
Cryptography Cryptanalysis
Symmetric
Cryptography
Asymmetric
Cryptography
Protocols
Block Ciphers
Stream
Ciphers
11. Block ciphers
11
Plaintext of length n-bit
Plaintext
Block 0 of x-bit
Plaintext
Block 1 of x-bit
Plaintext
Block n of x-bit
…
Enc() Enc() Enc()
…
Ciphertext
Block 0 of x-bit
Ciphertext
Block 1 of x-bit
Ciphertext
Block n of x-bit
…
Ciphertext of length n-bit
12. How are the blocks in Block ciphers encrypted?
● There are several ways, so called Modes of Operation
○ Electronic Code Book (ECB)
○ Cipher Block Chaining (CBC)
○ Output Feedback (OFB)
○ Cipher Feedback (CFB)
○ Counter (CTR)
○ Galois Counter Mode (GCM)
12
Note!
In addition to confidentiality, some of these modes provide
authenticity and integrity of blocks.
13. What if plaintext length not a block size
multiple?
● Padding extends plaintext to a multiple of block size
● ECB and CFB require that plaintext length is a multiple of the block size
● Several ways of doing padding in practice
○ One possible padding method is to append a single “1” bit to the plaintext and then to append
as many “0” bits as necessary to reach a multiple of the block length
○ If the plaintext is an exact multiple of the block length, a full extra padding block is appended
13
14. The field of Cryptology - Modes of Operation
14
Cryptology
Cryptography Cryptanalysis
Symmetric
Cryptography
Asymmetric
Cryptography
Protocols
Block Ciphers
Stream
Ciphers
Modes of
Operation
ECB / CBC / OFB /
CBF / CTR / GCM
15. Content
● Overview
● Modes of Operation
● Increasing Security of Block Ciphers
● Challenges of Symmetric Cryptography
15
16. Acknowledgement
● Most of the following slides are based on “Understanding Cryptography - A
Textbook for Students and Practitioners” by Christof Paar and Jan Pelzl
● The slides were prepared by Amir Moradi, Christof Paar and Jan Pelzl
● The slides were modified and adapted by Devrim Unal and Jurlind Budurushi
16
17. Terms of use
● The slides can used free of charge. All copyrights for the slides remain with
the authors
● The title of the accompanying book “Understanding Cryptography” by
Springer and the author’s names must remain on each slide
● If the slides are modified, appropriate credits to the book authors and the
book title must remain within the slides
● It is not permitted to reproduce parts or all of the slides in printed form
whatsoever without written consent by the authors
17
18. Overview of Modes of Operation
18
Modes of
Operation
Probabilistic Deterministic
Cipher Block
Chaining CBC
Output
Feedback OFB
Cipher
Feedback CFB
Counter CTR
Galois Counter
Mode GCM
Electronic Code
Book ECB
Block Modes
Stream
Modes
19. ECB - Encryption / Decryption
● Each block is encrypted separately
19
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Encryption: yi = ek(xi), i ≥ 1
● Decryption: xi = ek
−1
(yi) = ek
−1
(ek(xi)), i ≥ 1
20. ECB - Advantages and disadvantages
● Advantages
○ No block synchronization between
sender and receiver required
○ Bit errors caused by noisy channels
only affect the corresponding block
but not succeeding blocks
○ Encryption and decryption can be
parallelized
○ High-speed implementations
20
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Disadvantages
○ Identical plaintexts result in identical
ciphertexts, i.e. adversary
recognizes if same text has been
sent twice
○ Plaintext blocks encrypted
independently, i.e. adversary may
reorder ciphertext blocks resulting in
valid plaintext
○ Statistical properties in the plaintext
are preserved in ciphertext
21. ECB - Substitution attack
● Once a plaintext-ciphertext pair (x,y) is known, a sequence of ciphertext
blocks can easily be manipulated
21
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Suppose an electronic bank transfer
○ Assumption: Encryption key between two banks does not change too frequently
○ Attack
■ Adversary sends 1$ transfers from his account at Bank A to his account at Bank B
repeatedly
■ Adversary check for ciphertext blocks that repeat, and stores blocks 1, 3, 4
■ Adversary replaces block 4 of other transfers with block 4 stored before
Transfers from some account in Bank A, are redirected to adversary’s account in
⇒
Bank B
22. ECB - Example of encrypting bitmaps
22
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
23. CBC - Encryption / Decryption
● The encryptions of all blocks are “chained together”
● The encryption is randomized by using a Initialization Vector (IV)
● IV should not be secret, but a nonce (random number only used once)
23
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Encryption: first block y1 = ek(x1 IV
⊕ ), other blocks yi = ek(xi y
⊕ i-1), i ≥ 2
● Decryption: first block x1 = ek
−1
(y1) IV
⊕ , other blocks xi = ek
−1
(yi) y
⊕ i-1, i ≥ 2
24. CBC - Substitution attack
24
Assume the previous attack on ECB, when does it and does not work for CBC?
Answer:
❖ It works if the IV is kept the same for several transfers.
❖ It does not work if IV is properly chosen for every
transfer, then CBC becomes a probabilistic encryption
scheme.
25. OFB - Encryption / Decryption
● Build synchronous stream cipher from block cipher
● Keystream generated blockwise, instead of bitwise
25
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Encryption
○ first block s1 = ek(IV) and y1 = s1 x
⊕ 1
○ other blocks si = ek(si-1) and yi = si x
⊕ i, i ≥ 2
● Decryption
○ first block s1 = ek(IV) and x1 = s1 y
⊕ 1
○ other blocks si = ek(si-1) and xi = si y
⊕ i, i ≥ 2
26. CFB - Encryption / Decryption
● Build asynchronous stream cipher from block cipher
● Keystream generated blockwise and is also a function of the ciphertext
26
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Encryption
○ first block y1 = ek(IV) x
⊕ 1
○ other blocks yi = ek(yi-1) x
⊕ i, i ≥ 2
● Decryption
○ first block x1 = ek(IV) y
⊕ 1
○ other blocks xi = ek(yi-1) s
⊕ i, i ≥ 2
27. CTR - Encryption / Decryption
● Build asynchronous stream cipher from block cipher
● Keystream generated blockwise
● Input is a counter that assumes a different value every new keystream block
● In contrast to OFB, CFB encryption/decryption can be parallelized
● Suitable for high throughput and fast implementations, e.g. network routers
27
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
● Encryption: yi = ek(IV || CTRi) ⊕ xi, i ≥ 1
● Decryption: xi = ek
−1
(IV || CTRi) ⊕ yi, i ≥ 1
28. GCM - Overview
● Provides three additional services to encryption/confidentiality
○ Message Authentication: Message received from original sender
○ Message Integrity: Message not tampered during transmission
○ Additional Authenticated Data (AAD): Not encrypted in this mode of operation. In practice,
the AAD string might include addresses and parameters of a network protocol
28
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
29. Content
● Overview
● Modes of Operation
● Increasing Security of Block Ciphers
● Challenges of Symmetric Cryptography
29
30. Intermezzo! Brute force revisited
● An exhaustive search for DES knowing one pair (m1,c1)
DESk
(i)
(m1) ≟ c1, i = 1,...,256
● However, brute force can produce false positive results
○ The likelihood of false positives related to the relative size of plaintext and ciphertext spaces
○ An attack is still possible, but several pairs plaintext-ciphertext are needed
30
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
m1 c1
plaintext space ciphertext space
DESk
(1)
(m1)
…
DESk
(2)
(m1)
DESk
(2^56)
(m1)
31. Intermezzo! Brute force example
● Assume a cipher with block size 64-bit and key size 80-bit
● Encrypting m1 with all possible keys yields 280
ciphertexts, however only 264
different ciphertexts exist
● Checking all keys for a pair (m1,c1), we find on average 280
/264
=216
keys that
perform the mapping enck(m1) = c1
31
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
Generalization: Given a block cipher block size of n bits, a key
size of k bits and t plaintext–ciphertext pairs (x1, y1), ... , (xt , yt),
the expected number of false keys which encrypt all plaintexts to
the corresponding ciphertexts is 2k−tn
● Assuming two pairs in the example, the likelihood for false key is 280-2*64
= 2-48
32. Approaches to increase security in Block ciphers
● In some situations we wish to increase the security of block ciphers, e.g., if a
cipher such as DES is available in hardware or software for legacy reasons in
a given application
● Two approaches are possible
○ Multiple encryption
○ Key whitening
32
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
33. Multiple encryption - Double encryption
● A plaintext m is first encrypted with a key k1, and the resulting ciphertext is
encrypted again using a second key k2
● Assuming a key length of n bits, an exhaustive key search would require 2n
*2n
= 22n
encryptions or decryptions
33
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
Enc()
m
k1
Enc() m
k2
34. Reminder! DES - Meet-in-the-Middle Attack
● Requires 2k
+ 2k
= 2k+1
operations, for given pair (m, c)
● Phase I
○ Brute force the left encryption for all k
○ Compute a lookup table with 2k
entries (each n+k bits)
● Phase II
○ Brute force the right encryption for all k
○ Check, enc(k1,i,m) ≟ dec(k2,j,c)
34
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
Note!
Double encryption is not much more than single encryption.
35. Multiple encryption - Triple encryption
● Reminder! 3DES
● Encrypt a block three times c = enc(k3,enc(k2, (enc(k1,m)))
● In practice a variant scheme is often used c = enc(k3,dec(k2, (enc(k1,m)))
● A Meet-in-the-Middle attack is still possible, and it reduces the effective key
size of triple encryption from 3k to 2k
Check
⇒ enc(k1,i to 2^n,m) ≟ dec(k2,j to 2^n, dec(k3,m to 2^n,c)), for n := key size
35
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
Note!
Triple encryption doubles the key size.
36. Key whitening
● In addition to the main k, two whitening keys k1 and k2 are used to XOR-
mask the plaintext and ciphertext
● It does not increase security against most analytical attacks, such as
linear and differential cryptanalysis
● It is not a solution for ciphers that are inherently weak
● The additional computational load is negligible
● Its’ main application are ciphers that are relatively strong against analytical
attacks, but possess a short key space, e.g. DES, called DESX
36
Chapter 5 of Understanding Cryptography by Christof Paar and Jan Pelzl
37. Content
● Overview
● Modes of Operation
● Increasing Security of Block Ciphers
● Challenges of Symmetric Cryptography
37
38. Challenges of Symmetric Cryptography
● Secret key(s) need to be exchanged securely before communication
● With n communication partners, (n * (n−1)) / 2 keys are needed
38
Alice Bob
kAB
David
kAD
kBD
Lola
kDL
kBL
kAL