Software Security Seminar - 1 Chapter 14. Still Other Block Ciphers 2002. 11. 21. Presenter: ...

Software Security Seminar - 1

Chapter 14. Still Other Block Ciphers

2002. 11. 21.

Presenter: 최두호

Applied Cryptography

Software Security Seminar - 2

Contents

10.7 SXAL8/MBAL

10.8 RC5

10.9 Other Block Algorithms

10.10 Theory of Block Cipher Design

10.11 Using One-Way Hash Functions

10.12 Choosing a Block Algorithm

Software Security Seminar - 3

SXAL8/MBAL

64-bit block algorithm from Japan

SXAL8: basic algorithm

MBAL: expanded version with a variable block length

Software Security Seminar - 4

RC5

Block cipher with a variety of parameters: block size, key size, and number of rounds

Needed operations: XOR, addition, and rotations (little-endian mode is assumed)

Input block: 64-bit data $A | B$

Key: $2r+2$ 32-bit words $S_0, S_1, \ldots, S_{2r+1}$

($+$, $-$: mod $2^{32}$; $\oplus$: XOR; $>>>$, $<<<$: right rotation, left rotation)

Software Security Seminar - 5

RC5 (cont.)

Encryption:

$A = A + S_0$

$B = B + S_1$

For $i = 1$ to $r$:

$A = ((A \oplus B) <<< B) + S_{2i}$

$B = ((B \oplus A) <<< A) + S_{2i+1}$

Decryption:

For $i = r$ down to $1$:

$B = ((B - S_{2i+1}) >>> A) \oplus A$

$A = ((A - S_{2i}) >>> B) \oplus B$

$A = A - S_0$

$B = B - S_1$

Software Security Seminar - 6

Other Block Algorithms

CRYPTO-MECCANO

Rao-Nam algorithm

Li-Wang algorithm

CALC

TEA (Tiny Encryption Algorithm)

MacGuffin

and so on ...

Software Security Seminar - 7

Theory of Block Cipher Design

1. Confusion and Diffusion

Confusion: hiding the relationship among the plaintext, key, and ciphertext

Diffusion: making the plaintext and the key affect the whole ciphertext

Software Security Seminar - 8

Theory of Block Cipher Design (cont.)

Example: in DES ...

[Figure: DES diagram with the labels "Diffusion" and "Confusion"]

Software Security Seminar - 9

Theory of Block Cipher Design (cont.)

Confusion ~ Substitution

Diffusion ~ Permutation

SPN structure = Substitution-Permutation Network

Example: AES

DES: Iterated Block Cipher

Software Security Seminar - 10

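Theory of Block Cipher Design (cont.)

2. Feistel Networks

What is a Feistel network? In DES:

[Figure: a Feistel round mapping (L, R) to (L', R') through f, and the reverse mapping from (L', R') back to (L, R) through f]

DES, Lucifer, FEAL, Khufu, Khafre, LOKI, GOST, CAST, Blowfish, ...

f need not be invertible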

Software Security Seminar - 11

Theory of Block Cipher Design (cont.)

3. Simple Relation

Simple relation: if $E_K(P) = C$ then $E_{f(K)}(g(P,K)) = h(C,K)$

f, g, h: simple functions (simple = easy to compute)

Example, in DES: if $E_K(P) = C$ and $P'$, $C'$, $K'$ are the bitwise complements of $P$, $C$, $K$,

then $E_{K'}(P') = C'$

Software Security Seminar - 12

Theory of Block Cipher Design (cont.)

4. Group Structure

$E_K$: member of the group

Composition: the operation

How close is it to a group structure?

The closer it is to a group structure, the more multiple encryption is, from a statistical point of view, a waste of time.

Software Security Seminar - 13

Theory of Block Cipher Design (cont.)

4. Weak Keys

In a good block cipher, all keys are equally strong

5. Strength against Differential and Linear Cryptanalysis

Software Security Seminar - 14

Theory of Block Cipher Design (cont.)

6. S-Box Design

The larger the S-box, the better; however, memory is a problem.

By repeating confusion and diffusion ...

Software Security Seminar - 15

Theory of Block Cipher Design (cont.)

Choose randomly: a large random S-box is better than a small random S-box.

Choose and test:

Man-made: intuitive techniques

Math-made: generate S-boxes according to mathematical principles; security proof against differential and linear cryptanalysis

Software Security Seminar - 16

Using One-Way Hash Functions

$C_i = P_i \oplus H(K, C_{i-1})$

$P_i = C_i \oplus H(K, C_{i-1})$

The security of this scheme depends on the security of the one-way function

Software Security Seminar - 17

Using One-Way Hash Functions (cont.)

Karn

Plaintext: $P = P_l P_r$, 32-byte block

Key: $K = K_l K_r$, 96-byte key

Encryption:

$C_r = P_r \oplus H(P_l, K_l)$

$C_l = P_l \oplus H(C_r, K_r)$

$C = C_l C_r$

Decryption:

$P_l = C_l \oplus H(C_r, K_r)$

$P_r = C_r \oplus H(P_l, K_l)$

$P = P_l P_r$

Software Security Seminar - 18

Using One-Way Hash Functions (cont.)

Luby-Rackoff

Michael Luby and Charles Rackoff showed that Karn is not secure

(1) Key $K_l K_r$, plaintext $L_0 R_0$

(2) $R_1 = R_0 \oplus H(K_l, L_0)$

(3) $L_1 = L_0 \oplus H(K_r, R_1)$

(4) $R_2 = R_1 \oplus H(K_l, L_1)$

(5) $L_1 R_2$
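
Karn's two-round scheme and the three-round steps (1)-(5) above, as an added Python example that is not part of the slides; it also illustrates the earlier Feistel remark that f need not be invertible, since H is only ever computed forwards. Assumptions: SHA-256 truncated to 16 bytes stands in for the generic H, and the keys, blocks and function names are constructed for this example.

```python
import hashlib

HALF = 16  # each half of the 32-byte block

def H(data, key):
    # Assumption: SHA-256 truncated to 16 bytes stands in for the generic hash H.
    return hashlib.sha256(key + data).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def karn_encrypt(kl, kr, p):
    pl, pr = p[:HALF], p[HALF:]
    cr = xor(pr, H(pl, kl))          # Cr = Pr xor H(Pl, Kl)
    cl = xor(pl, H(cr, kr))          # Cl = Pl xor H(Cr, Kr)
    return cl + cr

def karn_decrypt(kl, kr, c):
    cl, cr = c[:HALF], c[HALF:]
    pl = xor(cl, H(cr, kr))          # same H calls as encryption, reverse order
    pr = xor(cr, H(pl, kl))
    return pl + pr

def lr_encrypt(kl, kr, p):
    l0, r0 = p[:HALF], p[HALF:]
    r1 = xor(r0, H(l0, kl))          # step (2)
    l1 = xor(l0, H(r1, kr))          # step (3)
    r2 = xor(r1, H(l1, kl))          # step (4)
    return l1 + r2                   # step (5)

def lr_decrypt(kl, kr, c):
    l1, r2 = c[:HALF], c[HALF:]
    r1 = xor(r2, H(l1, kl))
    l0 = xor(l1, H(r1, kr))
    r0 = xor(r1, H(l0, kl))
    return l0 + r0

def right_mask(p, c):
    """XOR of the right plaintext half and the right ciphertext half."""
    return xor(p[HALF:], c[HALF:])

# Constructed sample data: 48-byte key halves, two blocks sharing a left half.
KL, KR = bytes(range(48)), bytes(range(48, 96))
P1 = b"A" * HALF + b"B" * HALF
P2 = b"A" * HALF + b"C" * HALF
```

With two rounds, `right_mask` is identical for `P1` and `P2` because it equals H(Pl, Kl) and depends only on the shared left half; with the third round the two masks differ.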

Software Security Seminar - 19

Using One-Way Hash Functions (cont.)

Message Digest Cipher (MDC)

Use MD5, SHA

CFB mode

[Figure: MDC block diagram with the labels "Hash Function", "Key", "Plaintext" and "Ciphertext"]

Software Security Seminar - 20

Using One-Way Hash Functions (cont.)

A good one-way hash function doesn’t necessarily make a secure encryption algorithm

Linear cryptanalysis is not a viable attack against one-way hash functions

Software Security Seminar - 21

Choosing a Block Algorithm

Software Security Seminar - 22

THE END