Outline

• Symmetric Crypto
• Stream Ciphers
• A5/1
• RC4
• HW Exercise
• Block Ciphers
• Feistel Cipher
• Start DES

Symmetric Key Crypto

• Stream cipher -- based on one-time pad
  • Except that key is relatively short
  • Key is stretched into a long keystream
  • Keystream is used just like a one-time pad
• Block cipher -- based on codebook concept
  • Block cipher key determines a codebook
  • Each key yields a different codebook
  • Employs both "confusion" and "diffusion"

Stream Ciphers

• Once upon a time, stream ciphers were predominant kind of ciphers
• Today, though, they are not as popular as block ciphers
• Well discuss two stream cipher:
  • A5/1, which is based on shift registers. It is used in GSM mobile phone system
  • RC4, which is based on a changing lookup table. Used in SSL, WEP, WPA, etc.

A5/1: Shift Registers

A5/1 uses three shift registers

• `X`: 19 bits `(x_0,x_1,x_2, ...,x_(18))`
• `Y`: 22 bits `(y_0,y_1,y_2, ...,y_(21))`
• `Z`: 23 bits `(z_0,z_1,z_2, ...,z_(22))`

A5/1: Keystream

• At each step: `m = maj(x_8, y_(10), z_(10))`
  • Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 (take the majority of on bits)
• If `x_8 = m` then `X` steps
  • `t = x_(13) oplus x_(16) oplus x_(17) oplus x_(18)`
  • `x_i = x_(i-1)` for `i = 18,17,...,1` and `x_0 = t`
• If `y_(10) = m` then `Y` steps
  • `t = y_(20) oplus y_(21)`
  • `y_i = y_(i-1)` for `i = 21,20,...,1` and `y_0 = t`
• If `z_(10) = m` then `Z` steps
  • `t = z_7 oplus z_(20) oplus z_(21) oplus z_(22)`
  • `z_i = z_(i-1)` for `i = 22,21,...,1` and `z_0 = t`
• Keystream bit is `x_(18) oplus y_(21) oplus z_(22)`.

A5/1

• Each variable here is a single bit
• Key is used as initial fill of registers
• Each register steps (or not) based on `maj(x_8, y_(10), z_(10))`
• Keystream bit is XOR of rightmost bits of registers

A5/1 Example

• In this example, `m = maj(x_8, y_(10), z_(10)) = maj(1,0,1) = 1`
• Register `X` steps, `Y` does not step, and `Z` steps
• Keystream bit is XOR of right bits of registers
• Here, keystream bit will be `0 oplus 1 oplus 0 = 1`

Shift Register Crypto

• Shift register crypto is efficiently implemented in hardware
• Often, slow though if implemented in software
• In the past, it was very popular
• Today, more crypto is done in software due to fast processors
• Shift register crypto still used in some circumstances, for example, in resource-constrained devices.

RC4

• The RC4 cipher uses a self-modifying lookup table
• This table always contains a permutation of the byte values 0,1,...,255
• Initialize the permutation using key
• At each step, RC4 does the following:
  • Swaps elements in current lookup table
  • Selects a keystream byte from table
• Each step of RC4 produces a byte, so is efficient when implemented in software
• Each step of A5/1 produces only a bit, which is easier to implement in hardware, but causes problems when done in more byte- and word-oriented software.

RC4 Initialization

• S[] will be a permutation of 0,1,...,255
• key[] contains N bytes of key

for (i = 0 ; i < 256; i++) {
    S[i] = i;
    K[i] = key[i % N];
}
j = 0;
for (i = 0 ; i < 256; i++) {
    j = (j + S[i] + K[i]) % 256;
    swap(S[i], S[j]);
}
i = 0;
j = 0; //these used in keystream

RC4 Keystream

• For each keystream byte, swap elements in table and select byte:

  i = (i + 1) % 256;
  j = (j + S[i]) % 256;
  swap(S[i], S[j]);
  t = (S[i] + S[j]) % 256;
  keystreamByte = S[t];
  
  

• Use keystream bytes like a one-time pad
• Note: first 256 bytes should be discarded
  • Otherwise, related key attack exists

Stream Ciphers

• Stream ciphers were popular in the past
• Efficient in hardware
• Speed was needed to keep up with voice data, etc.
• Today, processors are fast, so software-based crypto is usually more than fast enough
• Future of stream ciphers?
• Shamir declared "the death of stream ciphers"
• This may be greatly exaggerated...

HW Problem

Exercise Ch2, 23: Consider the ciphertext QJKES REOGH GXXRE OXEO, which was generated using an affine cipher (mod 26). Determine the constants `a` and `b` and decipher the message. Hint: "t" (coded as 19) encrypts to "H" (coded as 7) and "o" (coded as 14) encrypts to "E" (coded as 4).

Solution. Using the hint, we know `a(19)+b = 7 mod 26` and `a(14)+b = 4 mod 26`. Subtracting these two equations gives `5a = 3 mod 26`. i.e., `5a = 26m + 3` for some `m` a natural number less than 26. Notice `5a = 26m + 3 = m + 3 = 0 mod 5`, so we see `m=2` works. So `a = 11` and substituting back into the equation gives `11(19) +b = 7 mod 26`. Solving for `b`, we have `b = 7 - 209 =-20 mod 26 = 6 mod 26`. Using this, we can decode the message. Starting with, `y = 11x+6 mod 26`, and solving for `x`, we get `y - 6 = 11x mod 26`. The multiplicative inverse of `11 mod 26` is a number `z` such `11z = 1 mod 26`. Now `11z = 26m + 1 = 4m+1 = 0 mod 11` and so `m=8`, giving `11z = 26(8) + 1` and `z=19`. Hence, `19(y-6) = x mod 26`. Q (coded as `16`) comes from `19(16-6)mod 26 = 8` which is i. Continuing we get: ifyou bowat allbo wlow

(Iterated) Block Cipher

• Plaintext and ciphertext consist of fixed-sized blocks
• Ciphertext obtained from plaintext by iterating a round function
• Input to round function consists of key and output of the previous round
• Usually implemented in software

Feistel Cipher: Encryption

• Feistel cipher is a type of block cipher, not a specific block cipher
• Split plaintext block into left and right halves: `P = (L_0,R_0)`
• For each round i = 1,2,...,n, compute:
  `L_i= R_(i-1)`
  `R_i= L_(i-1) oplus F(R_(i-1),K_i)`
  where `F` is round function and `K_i` is subkey
• Ciphertext: `C = (L_n,R_n)`

Feistel Cipher: Decryption

• Start with ciphertext `C = (L_n,R_n)`
• For each round `i = n, n-1,...,1`, compute: `R_(i-1) = L_i`
  `L_(i-1) = R_i oplus F(R_(i-1),K_i)`
  where `F` is round function and `K_i` is subkey
• Plaintext: `P = (L_0, R_0)`
• Formula "works" for any function `F`
• But only secure for certain functions `F`

Data Encryption Standard

• DES developed in 1970's
• Based on IBM's Lucifer cipher
• DES was U.S. government standard
• DES development was controversial
• NSA secretly involved
• Design process was secret
• Key length reduced from 128 to 56 bits
• Subtle changes to Lucifer algorithm

About DES

• DES is a Feistel cipher with...
  • 64 bit block length
  • 56 bit key length
  • 16 rounds
  • 48 bits of key used each round (subkey)
• Each round is simple (for a block cipher)
• Security depends heavily on "S-boxes"
• Each S-boxes maps 6 bits to 4 bits