Software Security Seminar - 1
Chapter 14. Still Other Block Ciphers
2002. 11. 21.
Presenter : 최두호
Applied Cryptography
Software Security Seminar - 2
Contents
10.7 SXAL8/MBAL
10.8 RC5
10.9 Other Block Algorithms
10.10 Theory of Block Cipher Design
10.11 Using One-Way Hash Functions
10.12 Choosing a Block Algorithm
Software Security Seminar - 3
SXAL8/MBAL
64-bit block algorithm from Japan
SXAL8 : basic algorithm
MBAL : expanded version with a variable block length
Software Security Seminar - 4
RC5
Block cipher with a variety of parameters: block size, key size, and number of rounds
Needed operations : XOR, addition, and rotations (little-endian mode is assumed)
Input block : 64-bit data A|B
Key : 2r+2 32-bit words – S_0, S_1, …, S_{2r+1}
( +, − : mod 2^32
⊕ : XOR
>>>, <<< : right rotation, left rotation )
Software Security Seminar - 5
RC5(conti.)
Encryption :
A = A + S_0
B = B + S_1
For i = 1 to r :
    A = ((A ⊕ B) <<< B) + S_{2i}
    B = ((B ⊕ A) <<< A) + S_{2i+1}
Decryption :
For i = r to 1 :
    B = ((B − S_{2i+1}) >>> A) ⊕ A
    A = ((A − S_{2i}) >>> B) ⊕ B
A = A − S_0
B = B − S_1
Software Security Seminar - 6
Other Block Algorithms
CRYPTO-MECCANO
Rao-Nam algorithm
Li-Wang algorithm
CALC
TEA (Tiny Encryption Algorithm)
MacGuffin
and others…
Software Security Seminar - 7
Theory of Block Cipher Design
1. Confusion and Diffusion
Confusion : hiding the relationship between the plaintext, key, and ciphertext
Diffusion : making the plaintext and key affect the entire ciphertext
Software Security Seminar - 8
Theory of Block Cipher Design(conti.)
Example: in DES…
[Figure labels: Diffusion, Confusion]
Software Security Seminar - 9
Theory of Block Cipher Design(conti.)
Confusion ~ Substitution
Diffusion ~ Permutation
SPN structure = Substitution-Permutation Network
Example: AES
DES : Iterated Block Cipher
Software Security Seminar - 10
Theory of Block Cipher Design(conti.)
2. Feistel Networks
What is a Feistel Network? In DES:
[Figure: two Feistel round diagrams with function f, one taking L, R to L’, R’ and one taking L’, R’ to L, R]
DES, Lucifer, FEAL, Khufu, Khafre, LOKI, GOST, CAST, Blowfish,…
f need not be invertible
Software Security Seminar - 11
Theory of Block Cipher Design(conti.)
3. Simple Relation
Simple Relation : If E_K(P) = C then E_{f(K)}(g(P,K)) = h(C,K)
f, g, h : simple functions (simple = easy to compute)
Example: in DES :
If E_K(P) = C and P’, C’, K’ : bit-wise complements of P, C, K
Then E_{K’}(P’) = C’
Software Security Seminar - 12
Theory of Block Cipher Design(conti.)
4. Group Structure
E_K : member of group
Composition : the operation
How close is it to a group structure?
The closer it is to a group structure, the more multiple encryption is a waste of time from a statistical point of view.
Software Security Seminar - 13
Theory of Block Cipher Design(conti.)
4. Weak Keys
In a good block cipher, all keys are equally strong
5. Strength against Differential and Linear Cryptanalysis
Software Security Seminar - 14
Theory of Block Cipher Design(conti.)
6. S-Box Design
The larger the S-Box, the better. However, there is the memory problem.
Repeating Confusion and Diffusion…
Software Security Seminar - 15
Theory of Block Cipher Design(conti.)
Choose randomly : a large random S-Box is better than a small random S-Box.
Choose and test :
Man-made : Intuitive techniques
Math-made : Generate S-boxes according to mathematical principles
security proof against differential and linear cryptanalysis
Software Security Seminar - 16
Using One-Way Hash Functions
C_i = P_i ⊕ H(K, C_{i-1})
P_i = C_i ⊕ H(K, C_{i-1})
The security of this scheme depends on the security of the one-way function
Software Security Seminar - 17
Using One-Way Hash Functions(conti.)
Karn
Plain text : P = P_l P_r, 32-byte block
Key : K = K_l K_r, 96-byte key
Encryption:
C_r = P_r ⊕ H(P_l, K_l)
C_l = P_l ⊕ H(C_r, K_r)
C = C_l C_r
Decryption:
P_l = C_l ⊕ H(C_r, K_r)
P_r = C_r ⊕ H(P_l, K_l)
P = P_l P_r
Software Security Seminar - 18
Using One-Way Hash Functions(conti.)
Luby-Rackoff
Michael Luby and Charles Rackoff showed that Karn is not secure
(1) Key K_l K_r, Plaintext L_0 R_0
(2) R_1 = R_0 ⊕ H(K_l, L_0)
(3) L_1 = L_0 ⊕ H(K_r, R_1)
(4) R_2 = R_1 ⊕ H(K_l, L_1)
(5) L_1 R_2
Software Security Seminar - 19
Using One-Way Hash Functions(conti.)
Message Digest Cipher (MDC)
Use MD5, SHA
CFB mode
[Figure labels: Hash Function, Plaintext, Ciphertext, Key]
Software Security Seminar - 20
Using One-Way Hash Functions(conti.)
A good one-way hash function doesn’t necessarily make a secure encryption algorithm
Linear cryptanalysis is not a viable attack against one-way hash functions
Software Security Seminar - 21
Choosing a Block Algorithm
Software Security Seminar - 22
THE END