Engineering
CSE 3SE/CSE 5SE
Instructor: Sambuddho Chakravarty
(Semester: Winter 2015)
Week 8: March 17 - March 20
Romans: Caesar Cipher / Substitution Cipher
Shift characters. E.g.
PLAINTEXT:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
CIPHERTEXT: XYZABCDEFGHIJKLMNOPQRSTUVW
[Figure residue: Input / Output (via glow lamps)]
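A worked version of the slide's shift table, as an added Python example that is not code from the lecture or its source slides. It treats a Caesar shift as a special case of a monoalphabetic substitution key, uses the slide's own table as the key, and adds a letter-frequency profile check that makes the substitution cipher's well-known weakness visible; all function names are this example's own.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

def shift_key(shift: int) -> str:
    """Caesar key written as a substitution table: letter i maps to letter (i + shift) mod 26."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]

# The slide's table (A -> X, B -> Y, ...) is the shift by 23, i.e. three places backwards.
SLIDE_KEY = "XYZABCDEFGHIJKLMNOPQRSTUVW"

def substitute(text: str, key: str, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: `key` is any permutation of the 26 letters
    (a Caesar shift is the special case shift_key(s)). Case is preserved and
    non-letters pass through unchanged."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    src, dst = (key, ALPHABET) if decrypt else (ALPHABET, key)
    table = str.maketrans(src + src.lower(), dst + dst.lower())
    return text.translate(table)

def frequency_profile(text: str) -> list:
    """Relative letter frequencies sorted high to low, ignoring which letter is which.
    A substitution cipher only relabels letters, so the profile of the ciphertext
    equals that of the plaintext: that is the statistical handle frequency analysis
    uses, and why these ciphers give no real confidentiality."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    return sorted((n / len(letters) for n in counts.values()), reverse=True)

if __name__ == "__main__":
    ct = substitute("Attack at dawn", SLIDE_KEY)
    print(ct, "->", substitute(ct, SLIDE_KEY, decrypt=True))
    print(frequency_profile("Attack at dawn") == frequency_profile(ct))
```

The key space of a general substitution is 26! permutations against 25 useful shifts for Caesar, yet the frequency profile shows that the larger key space alone does not make the scheme secure.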
Stream Ciphers
- OTP / Stream Ciphers
[Figure: C = M ... G(k) and M = C ... G(k); the operator between message and keystream G(k) was lost in extraction]
Unpredictability: knowing some bits of the key, one should not be able to predict the remaining bits.
[Figure residue: keys k, k; C2 = M1 ... M2 (operator lost in extraction); keystream (S1 || S2 || S3)]
Salsa:
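The stream-cipher relations on these slides (C = M ⊕ G(k), M = C ⊕ G(k), and the key-reuse residue C2 = M1 ... M2), as an added Python example that is not part of the lecture material. The PRG G(k) is an assumption made here (SHA-256 in counter mode, not the Salsa construction the slide names), the function names are this example's own, and the last function shows why one keystream must never cover two messages.

```python
import hashlib
import os

def prg(key: bytes, nonce: bytes, length: int) -> bytes:
    """G(k): stretch a short key into a keystream of the requested length.
    Assumption for this example (not Salsa): block j of the keystream is
    SHA-256(key || nonce || j), i.e. a counter-mode PRF."""
    out = bytearray()
    j = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + j.to_bytes(8, "big")).digest()
        j += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    # XOR of two byte strings, truncated to the shorter one
    return bytes(x ^ y for x, y in zip(a, b))

def one_time_pad_key(length: int) -> bytes:
    # A true OTP key: fresh, uniformly random, as long as the message, never reused.
    return os.urandom(length)

def encrypt(key: bytes, nonce: bytes, m: bytes) -> bytes:
    return xor_bytes(m, prg(key, nonce, len(m)))      # C = M xor G(k)

def decrypt(key: bytes, nonce: bytes, c: bytes) -> bytes:
    return xor_bytes(c, prg(key, nonce, len(c)))      # M = C xor G(k)

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same key AND nonce, the keystream
    cancels: c1 xor c2 = m1 xor m2, a value that depends only on the plaintexts.
    This is the two-message failure the slide's C2 = M1 ... M2 line refers to."""
    return xor_bytes(c1, c2)

if __name__ == "__main__":
    k, n = b"sixteen byte key", b"nonce-01"
    c = encrypt(k, n, b"transfer 100 to account 42")   # constructed sample message
    print(decrypt(k, n, c))
```

A defender's check for this class of bug is simple: every (key, nonce) pair must be used for exactly one message, which is why nonce management appears on the later slides.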
Block Ciphers
Message (M) divided into multiple blocks of n bits.
Input: n bits; Output: n bits; Key: n bits.
[Figure: blocks M1, M2, M3, M4, ..., Mn-1, Mn; round keys K1, K2, K3, ..., Kn; round functions f1(K1, ·), f2(K2, ·), ..., fn(Kn, ·); encryption E; outputs C1, C2, C3, C4]
Feistel network
[Figure: n-bit halves; input (L0, R0) → round functions f1, f2, ..., fd → (L1, R1), (L2, R2), ..., (Ld-1, Rd-1) → output (Ld, Rd)]
In symbols: Ri = Fi(Ri-1) ... L (the rest of the recurrence was lost in extraction)
Goal:
Slides Courtesy: Dan Boneh
Decryption circuit
[Figure: n-bit halves; input (Ld, Rd) → fd, fd-1, ..., f1 applied in reverse order → (Ld-1, Rd-1), (Ld-2, Rd-2), ..., (L1, R1) → output (L0, R0)]
DES: fi(x) = F(ki, x)
[Figure: 64-bit input → IP → 16-round Feistel network with round keys k1, k2, ..., k16 (key expansion from key K) → IP-1 → 64-bit output]
DES challenge
[Figure residue: msg = ..., CT, c2, c3, c4; Goal: ...; cost figures (250K $), (10K $)]
[Figure: input → k1 → subs. layer (S-boxes S1, S2, S3, ..., S8) → perm. layer → k2 → ... → kn → output; inversion]
AES-128 schematic
[Figure: 4×4-byte input → k0 → 10 rounds of (1) ByteSub, (2) ShiftRow, (3) MixColumn (each invertible) with round keys k1, ..., k9; the final round has no MixColumn step → 4×4-byte output]
key expansion: 16 bytes → 176 bytes (eleven 16-byte round keys)
(easily
ShiftRows:
MixColumns:
Performance
- Pre-compute round functions (24KB or 4KB): largest code, fastest (table lookups and xors)
- Pre-compute S-box only (256 bytes): smaller, slower
- No pre-computation: smallest, slowest
AES in hardware
AES instructions in Intel Westmere: aesenc, aesenclast:
[Figure residue: m0, m1; enc; dec]
Roughly speaking: CT-size = PT-size + # random bits
[Figure: Alice computes E(k,m,n) = c for message m and nonce n, and sends (c, n); Bob computes D(k,c,n) = m]
nonce n:
[Figure: CBC encryption: IV; m[0], m[1], m[2], m[3] each through E(k,·); ciphertext c[0], c[1], c[2], c[3]]
Decryption circuit
[Figure: CBC decryption: IV; c[0], c[1], c[2], c[3] each through D(k,·); plaintext m[0], m[1], m[2], m[3]]
In symbols:
Nonce-based CBC
[Figure: nonce → E(k1,·) → IV; m[0], m[1], m[2], m[3] each through E(k,·); ciphertext c[0], c[1], c[2], c[3]]
[Figure (counter mode): IV; msg m[0], m[1], ..., m[L] combined with F(k,IV), F(k,IV+1), ..., F(k,IV+L); ciphertext c[0], c[1], ..., c[L]]
[Figure (counter mode): IV; m[0], m[1], ..., m[L] combined with F(k,IV), F(k,IV+1), ..., F(k,IV+L); ciphertext c[0], c[1], ..., c[L]]
IV (128 bits) = nonce (64 bits), counter (64 bits)
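The Feistel encryption and decryption circuits, and the CBC and counter-mode diagrams above, as one added Python example that is not from the slides or from Dan Boneh's course material. It assumes a toy 64-bit Feistel cipher whose round function and key schedule are SHA-256 truncations (chosen for this example; not DES), and scales the slide's 128-bit IV = 64-bit nonce, 64-bit counter down to 32 + 32 bits to fit the 64-bit block. It uses the standard Feistel recurrence Li = Ri-1, Ri = Li-1 ⊕ fi(Ri-1) (the part of the slide's formula lost in extraction), shows that decryption works for any round function because it only replays the rounds in reverse, and builds CBC (with padding) and CTR on top.

```python
import hashlib

BLOCK = 8            # 64-bit block, like DES (assumption: toy cipher for this example)
HALF = BLOCK // 2    # n = 32 bits per Feistel half
ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    # XOR of two byte strings, truncated to the shorter one
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes) -> list:
    # Toy key schedule (assumption, not DES's): k_i = SHA-256(key || i) truncated to one half
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(1, ROUNDS + 1)]

def f(k_i: bytes, r: bytes) -> bytes:
    # Round function F(k_i, R). It is NOT invertible; the Feistel structure does not need it to be.
    return hashlib.sha256(k_i + r).digest()[:HALF]

def feistel_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for k_i in round_keys(key):
        L, R = R, xor(L, f(k_i, R))        # L_i = R_{i-1};  R_i = L_{i-1} xor f_i(R_{i-1})
    return L + R

def feistel_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    L, R = block[:HALF], block[HALF:]
    for k_i in reversed(round_keys(key)):  # same round functions, reverse order
        L, R = xor(R, f(k_i, L)), L        # L_{i-1} = R_i xor f_i(L_i);  R_{i-1} = L_i
    return L + R

def pad(m: bytes) -> bytes:
    n = BLOCK - len(m) % BLOCK             # 1..BLOCK bytes, each holding the pad length
    return m + bytes([n]) * n

def unpad(m: bytes) -> bytes:
    n = m[-1] if m else 0
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]

def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    # c[i] = E(k, m[i] xor c[i-1]), with c[-1] = IV; a fresh IV per message is required
    m, prev, out = pad(m), iv, b""
    for i in range(0, len(m), BLOCK):
        prev = feistel_encrypt(key, xor(m[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, c: bytes) -> bytes:
    # m[i] = D(k, c[i]) xor c[i-1]
    prev, out = iv, b""
    for i in range(0, len(c), BLOCK):
        blk = c[i:i + BLOCK]
        out += xor(feistel_decrypt(key, blk), prev)
        prev = blk
    return unpad(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # c[i] = m[i] xor F(k, IV + i) with IV = nonce || counter (32 + 32 bits here).
    # The same function encrypts and decrypts, no padding is needed, and F needs no inverse.
    assert len(nonce) == HALF
    out = b""
    for i in range(0, len(data), BLOCK):
        pad_block = feistel_encrypt(key, nonce + (i // BLOCK).to_bytes(HALF, "big"))
        out += xor(data[i:i + BLOCK], pad_block)
    return out

if __name__ == "__main__":
    key = b"example-key-1234"                              # constructed sample key
    msg = b"Protecting public binaries on disk."
    print(cbc_decrypt(key, b"\x00" * 8, cbc_encrypt(key, b"\x00" * 8, msg)))
    print(ctr_crypt(key, b"\x00\x00\x00\x01", ctr_crypt(key, b"\x00\x00\x00\x01", msg)))
```

Note that CTR only ever calls feistel_encrypt, which is why the slides draw it with a PRF F rather than a cipher E, while CBC needs the decryption circuit.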
Message Integrity
Goal: integrity, no confidentiality.
Examples:
- Protecting public binaries on disk.
- Protecting banner ads on web pages.
[Figure: Alice generates tag ← S(k, m) and sends message m with tag; Bob verifies V(k, m, tag) = 'yes'?; both hold key k]
[Figure: generate tag ← CRC(m); Bob verifies V(m, tag) = 'yes'? (no key)]
[Figure: files with filenames F1, F2, ..., Fn and tags t1 = S(k,F1), t2 = S(k,F2), ..., tn = S(k,Fn); k derived from user's password]
[Figure: chained F(k,·) over message blocks m[1], ..., m[3], m[4]; final F(k1,·) → tag]
NMAC (nested MAC)
[Figure: cascade over m[0], m[1], ..., m[3], m[4] → t; then t || fpad keyed with k1 → tag]
NMAC
[Figure: cascade over m[0], m[1], ..., m[3], m[4]; k1 → tag]
Get t = F(k,m)
PB: padding block
[Figure: H0 → m[1] → H1 → m[2] → H2 → m[3] || PB → H3 → H4 = H(m)]
PB = 10000... || msg len (64 bits). If there is no space for PB, add another block.
S( k, m ) = H( k ⊕ opad , H( k ⊕ ipad || m ) )
HMAC in pictures
[Figure: IV (fixed) → k ⊕ ipad → m[0] → m[1] → m[2] || PB (inner key k1); IV (fixed) → k ⊕ opad → inner result (outer key k2) → tag]
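The formula S(k, m) = H(k ⊕ opad, H(k ⊕ ipad || m)) and the HMAC picture above, implemented as an added Python example that is not the lecture's code. It assumes the RFC 2104 constants ipad = 0x36 and opad = 0x5c repeated to the hash block size, checks itself against the standard library's hmac module, and includes a constant-time verifier V(k, m, tag); function names are this example's own.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """S(k, m) = H( (k xor opad) || H( (k xor ipad) || m ) ), built directly from the
    slide's formula with hashlib. ipad/opad are the RFC 2104 bytes 0x36/0x5c repeated
    to the hash's block size; a key longer than one block is hashed first."""
    block_size = hashlib.new(hash_name).block_size          # 64 bytes for SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")                     # zero-pad the key to one block
    k_ipad = bytes(b ^ 0x36 for b in key)                    # inner key (k1 in the picture)
    k_opad = bytes(b ^ 0x5C for b in key)                    # outer key (k2 in the picture)
    inner = hashlib.new(hash_name, k_ipad + msg).digest()    # inner hash: H(k_ipad || m)
    return hashlib.new(hash_name, k_opad + inner).digest()   # outer hash: H(k_opad || inner)

def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """V(k, m, tag): recompute and compare in constant time, so the verifier does not
    leak how many leading tag bytes matched."""
    return hmac.compare_digest(hmac_from_formula(key, msg), tag)

if __name__ == "__main__":
    k = b"k" * 20                                            # constructed sample key
    m = b"Protecting public binaries on disk."
    t = hmac_from_formula(k, m)
    print(t.hex(), verify_tag(k, m, t), verify_tag(k, m + b"!", t))
```

The outer hash over the inner result is what separates HMAC from the plain cascade on the NMAC slide: the tag is never a raw Merkle-Damgård state of a key-prefixed message.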