INFORMATION AND NETWORK SECURITY SYMMET (1)

PART 1: SYMMETRIC CIPHERS

CHAPTER 4
BASIC CONCEPTS IN NUMBER THEORY AND FINITE FIELDS

CHAPTER 5
ADVANCED ENCRYPTION STANDARD

CHAPTER 6
BLOCK CIPHER OPERATION

CHAPTER 7
PSEUDORANDOM NUMBER GENERATION AND STREAM CIPHERS

MADIS SARALITA - 5112100038
Information and Network Security (C)

CHAPTER 4
BASIC CONCEPTS IN NUMBER THEORY AND FINITE FIELDS

4.1 DIVISIBILITY AND THE DIVISION ALGORITHM
DIVISIBILITY
Rules of divisibility for integers:
• If a|1, then a = ±1.
• If a|b and b|a, then a = ±b.
• Any b ≠ 0 divides 0.
• If a|b and b|c, then a|c.
• If b|g and b|h, then b|(mg + nh) for arbitrary integers m and n.
  Reason: if b|g, then g is of the form g = b x g1 for some integer g1; if b|h, then h is of the form h = b x h1 for some integer h1; so
  mg + nh = mbg1 + nbh1 = b x (mg1 + nh1), which is a multiple of b.

THE DIVISION ALGORITHM
a = qn + r, where 0 ≤ r < n and q = ⌊a/n⌋

Example: given a = 23 and n = 5:
a = qn + r
23 = 4 * 5 + 3
So we get q = 4 and r = 3.

4.2 THE EUCLIDEAN ALGORITHM
GREATEST COMMON DIVISOR
In general, gcd(a, b) = gcd(|a|, |b|).
Example: gcd(48, 36) = gcd(|48|, |36|) = 12
Relatively prime: two integers are relatively prime if their only common positive factor is 1, that is, gcd(a, b) = 1.
Example: 8 and 15
The positive divisors of 8: 1, 2, 4, and 8
The positive divisors of 15: 1, 3, 5, and 15
So the only positive divisor common to both is 1, and gcd(8, 15) = 1.
FINDING THE GREATEST COMMON DIVISOR
a = q1 b + r1
b = q2 r1 + r2
...

Example: gcd(30, 24)
30 = 1 x 24 + 6
24 = 4 x 6 + 0
So gcd(30, 24) = 6, the last nonzero remainder.

4.3 MODULAR ARITHMETIC
THE MODULUS
a = qn + r, where 0 ≤ r < n and q = ⌊a/n⌋
Equivalently, a = ⌊a/n⌋ x n + (a mod n).

Congruent modulo n
If (a mod n) = (b mod n), then a ≡ b (mod n).
If a ≡ 0 (mod n), then n|a.
PROPERTIES OF CONGRUENCES
Rules:
• a ≡ b (mod n) if n|(a – b)
• a ≡ b (mod n) implies b ≡ a (mod n)
• a ≡ b (mod n) and b ≡ c (mod n) imply a ≡ c (mod n)

MODULAR ARITHMETIC OPERATIONS
Rules:
• [(a mod n) + (b mod n)] mod n = (a + b) mod n
• [(a mod n) - (b mod n)] mod n = (a - b) mod n
• [(a mod n) x (b mod n)] mod n = (a x b) mod n

Example (continuing gcd(30, 24) from 4.2 with the rule gcd(a, b) = gcd(b, a mod b)):
d = gcd(30, 24) = gcd(24, 6)
d = gcd(6, 0) = 6

PROPERTIES OF MODULAR ARITHMETIC
• if (a + b) ≡ (a + c) (mod n) then b ≡ c (mod n)
• if (a * b) ≡ (a * c) (mod n) then b ≡ c (mod n), provided a is relatively prime to n

EUCLIDEAN ALGORITHM REVISITED
gcd(a, b) = gcd(b, a mod b)
THE EXTENDED EUCLIDEAN ALGORITHM
• ax + by = d = gcd(a, b)
• r(i) = r(i-2) - q(i) r(i-1), where r(i) is the i-th remainder and q(i) the i-th quotient

4.4 GROUPS, RINGS, AND FIELDS
GROUPS
• A group is denoted by G.
• It uses a multiplication operation that assigns to each ordered pair (a, b) of elements of G an element in G.

RINGS
• A ring is denoted by R.
• It uses both an addition and a multiplication operation.
• There is a multiplicative identity and there are no zero divisors.

FIELD
• A field is denoted by F.
• As with rings, it uses an addition and a multiplication operation.
• There is a multiplicative inverse for each a in F, except 0.

4.5 FINITE FIELDS OF THE FORM GF(p)
GF IS GALOIS FIELD
Finite Fields of Order p
Rules:
• GF(p) consists of p elements.
• Over the set, the binary operations of addition and multiplication are defined.
• We can do addition, subtraction, multiplication, and division without leaving the set.
• If an element is not 0, it has a multiplicative inverse.
• If (a * b) ≡ (a * c) (mod p) then b ≡ c (mod p).
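The Euclidean algorithm of 4.2, the modular arithmetic rules of 4.3 and division in GF(p) from 4.5, carried out in code. This is an added Python example, not code from the notes or from Stallings; the function names (gcd_steps, egcd, mod_inverse, gf_p_divide, check_mod_rules, cancellation_counterexample) and the sample values are chosen for this illustration.

```python
# Added example: Euclid, extended Euclid and the modular arithmetic they enable in GF(p).
# Function names and sample values are chosen for this illustration, not taken from the notes.

def gcd_steps(a, b):
    """Euclid: gcd(a, b) = gcd(b, a mod b).
    Returns (trace, gcd) where trace lists (a, b, q, r) for each step a = q*b + r."""
    trace = []
    while b:
        trace.append((a, b, a // b, a % b))
        a, b = b, a % b
    return trace, a

def egcd(a, b):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b).
    The remainders follow r(i) = r(i-2) - q(i)*r(i-1); x and y are updated the same way."""
    r0, r1 = a, b
    x0, x1 = 1, 0
    y0, y1 = 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return r0, x0, y0

def mod_inverse(a, n):
    """Multiplicative inverse of a modulo n; it exists only when gcd(a, n) = 1."""
    d, x, _ = egcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {d}")
    return x % n

def gf_p_divide(a, b, p):
    """Division in GF(p): a / b = a * b^(-1) mod p, defined for every b != 0 when p is prime."""
    return (a * mod_inverse(b, p)) % p

def check_mod_rules(a, b, n):
    """The three reduction rules from 4.3, checked for one choice of a, b and n."""
    return ((a % n + b % n) % n == (a + b) % n and
            (a % n - b % n) % n == (a - b) % n and
            ((a % n) * (b % n)) % n == (a * b) % n)

def cancellation_counterexample(n):
    """Why a*b ≡ a*c (mod n) implies b ≡ c only when gcd(a, n) = 1: search for a, b != c
    with a*b ≡ a*c (mod n). Returns (a, b, c, gcd(a, n)), or None when n is prime."""
    for a in range(1, n):
        for b in range(n):
            for c in range(b + 1, n):
                if (a * b) % n == (a * c) % n:
                    return a, b, c, egcd(a, n)[0]
    return None

if __name__ == "__main__":
    print(gcd_steps(30, 24))                  # ([(30, 24, 1, 6), (24, 6, 4, 0)], 6)
    print(egcd(30, 24))                       # (6, 1, -1): 30*1 + 24*(-1) = 6
    print(mod_inverse(3, 7), gf_p_divide(4, 3, 7))   # 5 and 6, since 3*5 = 15 ≡ 1 and 6*3 = 18 ≡ 4 (mod 7)
    print(cancellation_counterexample(6))     # (2, 0, 3, 2): 2*0 ≡ 2*3 (mod 6) although 0 != 3
    print(cancellation_counterexample(7))     # None: 7 is prime, so every nonzero a can be cancelled
```

The trace returned by gcd_steps reproduces the two lines of the gcd(30, 24) example above; the last nonzero remainder is the gcd. cancellation_counterexample shows the condition attached to the multiplicative cancellation rule: modulo a composite n such as 6, a factor that shares a divisor with n cannot be cancelled, which is exactly what makes GF(p) require a prime p.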

4.6 POLYNOMIAL ARITHMETIC
ORDINARY POLYNOMIAL ARITHMETIC
• The variable x is not evaluated.
• Polynomial addition, subtraction, and multiplication follow the ordinary rules of algebra.
• Polynomial division is not allowed in general; it is allowed if the coefficients are elements of a field.

POLYNOMIAL FORM

POLYNOMIAL ARITHMETIC WITH COEFFICIENTS IN Zp
Polynomial addition, subtraction, multiplication, and division are allowed.

FINDING THE GREATEST COMMON DIVISOR
We can find the greatest common divisor of two polynomials with the Euclidean algorithm if the coefficients are
elements of a field.

4.7 FINITE FIELDS OF THE FORM GF(2^n)
• GF(2^n) consists of 2^n elements.
• Over the set, the binary operations of addition and multiplication are defined.
• We can do addition, subtraction, multiplication, and division without leaving the set.
• If an element is not 0, it has a multiplicative inverse.

The elements of GF(2^n) can be defined as the set of all polynomials of degree n-1 or less with binary coefficients.
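Polynomial arithmetic with binary coefficients (4.6) and the fields GF(2^n) built from it (4.7), as an added Python example that is not part of the notes or of Stallings' text. A polynomial is stored as a Python integer whose bit i holds the coefficient of x^i, so addition is XOR; the helper names (poly_mul, poly_divmod, poly_gcd, gf_mul, is_irreducible, gf_inverse_table) and the sample polynomials are chosen for this illustration. Reducing with the AES polynomial x^8 + x^4 + x^3 + x + 1 gives the byte arithmetic that Chapter 5 relies on.

```python
# Added example: polynomials over Z2 as bit masks (bit i = coefficient of x^i).
# Helper names and sample polynomials are chosen for this illustration.

def poly_degree(p):
    """Degree of a polynomial; the zero polynomial gets -1."""
    return p.bit_length() - 1

def poly_mul(a, b):
    """Product of two polynomials with binary coefficients (shift-and-XOR, no reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def poly_divmod(a, b):
    """Long division a = q*b + r over Z2; returns (q, r) with deg(r) < deg(b)."""
    if b == 0:
        raise ZeroDivisionError("polynomial division by zero")
    q, db = 0, poly_degree(b)
    while a and poly_degree(a) >= db:
        shift = poly_degree(a) - db
        q ^= 1 << shift          # subtract (XOR) b * x^shift to cancel the leading term
        a ^= b << shift
    return q, a

def poly_gcd(a, b):
    """Euclidean algorithm on polynomials: gcd(a, b) = gcd(b, a mod b)."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a

def gf_mul(a, b, modulus):
    """Multiplication in GF(2^n): the polynomial product reduced modulo an irreducible polynomial."""
    return poly_divmod(poly_mul(a, b), modulus)[1]

def is_irreducible(m):
    """m(x) is irreducible iff no polynomial of degree 1 .. deg(m)/2 divides it (trial division)."""
    n = poly_degree(m)
    for d in range(2, 1 << (n // 2 + 1)):    # all polynomials of degree 1 .. n//2
        if poly_divmod(m, d)[1] == 0:
            return False
    return n >= 1

def gf_inverse_table(modulus):
    """Every nonzero element of GF(2^n) has a multiplicative inverse; find each one by search."""
    n = poly_degree(modulus)
    elems = range(1, 1 << n)
    return {a: next(b for b in elems if gf_mul(a, b, modulus) == 1) for a in elems}

if __name__ == "__main__":
    # (x^3 + x + 1)(x + 1) = x^4 + x^3 + x^2 + 1 and (x^2 + 1)(x + 1) = x^3 + x^2 + x + 1 share the factor x + 1
    print(bin(poly_gcd(0b11101, 0b1111)))          # 0b11
    # GF(2^3) built from the irreducible x^3 + x + 1 (0b1011): all seven nonzero elements are invertible
    print(is_irreducible(0b1011), gf_inverse_table(0b1011))
    # GF(2^8) built from the AES polynomial 0x11B; x^3 + 1 (0b1001) = (x + 1)(x^2 + x + 1) would not work
    print(is_irreducible(0x11B), is_irreducible(0b1001), hex(gf_mul(0x57, 0x83, 0x11B)))   # True False 0xc1
```

poly_gcd is the Euclidean algorithm of 4.2 with integer division swapped for polynomial long division, which is why it needs field coefficients: over Z2 every nonzero coefficient is invertible, so the division step always succeeds. is_irreducible makes the definition from 5.1 operational, and gf_inverse_table checks the field axiom of 4.7 (a multiplicative inverse for every nonzero element) for a small GF(2^3).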

SOURCE :
W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York: Prentice
Hall, 2011.


Question: Why are there both the GF(p) and the GF(2^n) form? What is the difference between them?

CHAPTER 5
ADVANCED ENCRYPTION STANDARD
5.1 FINITE FIELD ARITHMETIC
• Performed on 8-bit bytes.
• The arithmetic operations of addition, multiplication, and division are performed in GF(2^n), with n = 8 for AES.
• Using the ordinary rules of polynomial arithmetic.
• Addition uses the XOR operation.
• A polynomial m(x) is irreducible if and only if m(x) cannot be expressed as a product of two polynomials
both of degree lower than m(x).


5.2 AES STRUCTURE
GENERAL STRUCTURE
• State defines the current condition (state) of the block: the block of bytes that are currently
being worked on.
• The state starts off equal to the input block, but it changes as each round of the algorithm
executes. Plainly said, it is the block in progress.

DETAILED STRUCTURE
• AES is not a Feistel structure.
• AES is a symmetric key block cipher.
• The structure is quite simple.
• It uses a fixed 128-bit block size and supports three key lengths, as this was an NIST design
requirement.
• The number of internal rounds of the cipher is a function of the key length according to this table:

Key length    Rounds (Nr)
128 bit       10
192 bit       12
256 bit       14

• AES processes the entire data block as a single matrix using substitutions and permutation.
• To substitute bytes, AES uses an S-box.
• ShiftRows uses a simple permutation.
• MixColumns uses a substitution that makes use of arithmetic over GF(2^8).
• AddRoundKey uses a simple bitwise XOR.
• The key is used only in AddRoundKey.
• Each stage is easily reversible.
• The decryption algorithm uses the expanded key in reverse order.
• The same state is used in encryption and decryption.
• The final round consists of three stages.
• AES is an iterated symmetric block cipher, which means that:
o AES works by repeating the same defined steps multiple times.
o AES is a secret key encryption algorithm.
o AES operates on a fixed number of bytes.

5.3 AES TRANSFORMATION FUNCTIONS
SUBSTITUTE BYTES TRANSFORMATION
• The forward substitute byte transformation is called SubBytes.
• In both the forward and the inverse transformation, each byte of the state is mapped into a new byte.
• It is a non-linear byte substitution using a substitution table (S-box), which is generated by taking the
multiplicative inverse in GF(2^8) and applying an affine transformation.

S-Box
SHIFT ROWS TRANSFORMATION
• The forward shift row transformation is called ShiftRows.
• Here, the first row of the state is not changed.
• Each following row of the state is shifted circularly to the left.
• The inverse shift row transformation is called InvShiftRows.
• Here, each of the last three rows is shifted circularly in the opposite direction.

It is a simple byte transposition: the bytes in the last three rows of the state, depending on the row
location, are cyclically shifted; the offset of the left shift varies from zero to three bytes.

Shift Row

MIXCOLUMNS TRANSFORMATION
• The forward mix column transformation is called MixColumns.
• In both the forward and the inverse transformation, each column is operated on individually.
• Each byte of a column is mapped into a new value.
• Each byte of the product is obtained by multiplying one row of the fixed matrix with one column of the state
and summing the element products.

Rules for MixColumn transformation on a single column

• The inverse mix column transformation is called InvMixColumns.
• This round is equivalent to a matrix multiplication of each column of the state.
• A fixed matrix is multiplied with each column vector. In this operation the bytes are treated as polynomials
rather than numbers.

Mix Column

In the standard, MixColumns is defined by treating each column of the state as a four-term polynomial with
coefficients in GF(2^8).

Block diagram of the AES working process

ADDROUNDKEY TRANSFORMATION
• The forward add round key transformation is called AddRoundKey.
• Here, the 128 bits of the state are bitwise XORed with the 128 bits of the round key.
• The first matrix is the state.
• The second matrix is the round key.
• The inverse add round key transformation is identical to the forward transformation.
• It is a simple XOR between the present state and the round key. This transformation is its own inverse.
The encryption process consists of several steps. Initially an AddRoundKey operation is performed, then
a round function is applied to the data block (consisting of the ByteSub, ShiftRows, MixColumns and
AddRoundKey transformations, respectively). This round operation is performed iteratively (Nr times)
depending on the length of the key. The decryption operation has exactly the same sequence of
transformations as the encryption operation. The transformations InvByteSub, InvShiftRows,
InvMixColumns, and AddRoundKey allow the form of the key schedule to be identical for encryption and
decryption.

5.4 AES KEY EXPANSION
KEY EXPANSION ALGORITHM
• The input is a four-word (16-byte) key.
• The algorithm produces a linear array of 44 words (176 bytes).
• The key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in four words at a time.
• A simple XOR is used in three out of four cases.
• Prior to encryption or decryption the key must be expanded. The expanded key is used in the AddRoundKey
function.
Each time the AddRoundKey function is called, a different part of the expanded key is XORed against
the state. For this to work the expanded key must be large enough to provide key
material for every time the AddRoundKey function is executed. The AddRoundKey function is
called for each round as well as one extra time at the beginning of the algorithm.

RATIONALE
The Rijndael developers used the following criteria so that the key expansion algorithm would be resistant to known
cryptanalytic attacks:
• Knowledge of part of the cipher key or of a round key does not enable calculation of many other round-key bits.
• An invertible transformation.
• Speed of processing.
• Usage of round constants.
• Diffusion of cipher key differences into the round keys.
• Prohibit the determination of round key differences from cipher key differences.
• The description should be simple.

5.5 AN AES EXAMPLE
RESULTS
Key:        0f1571c947d9e8590cb7add6af7f6798
Plaintext:  0123456789abcdeffedcba9876543210
Ciphertext: ff0b844a0853bf7c6934ab4364148fb9

AVALANCHE EFFECT
The avalanche effect is an important characteristic of an encryption algorithm. It can be seen when
changing one bit in the plaintext causes at least half of the bits of the ciphertext to change. Its purpose
is that, because changing only one bit produces a large change, it is harder to perform an analysis of the
ciphertext when trying to come up with an attack. We first calculate the avalanche effect for the AES
S-box.

Avalanche Effect in AES: Change in Plaintext

Avalanche Effect in AES: Change in Key
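The transformations of 5.3, the key expansion of 5.4 and the example of 5.5, put together as a compact AES-128 encryption in Python with the avalanche measurement of 5.5 on top. This is an added example written for these notes, not code from Stallings or from the AES specification; it follows the standard's definitions, and its check value is the key/plaintext/ciphertext triple quoted above. The names (build_sbox, encrypt_block, avalanche and so on) are chosen here, and the state is kept as a flat list of 16 bytes in column-major order.

```python
# Added example: AES-128 encryption built from the transformations described in the notes.
# Names are chosen for this illustration; the check vector is the one quoted in Section 5.5.

def xtime(b):
    """Multiply a GF(2^8) element by x and reduce with the AES polynomial m(x) = x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    if b & 0x100:
        b ^= 0x11B
    return b & 0xFF

def gf_mul(a, b):
    """GF(2^8) multiplication by shift-and-XOR (polynomial arithmetic with binary coefficients)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r

def build_sbox():
    """S-box entry = affine transformation of the multiplicative inverse (the inverse of 0 is taken as 0)."""
    sbox = [0] * 256
    for v in range(256):
        inv = 0 if v == 0 else next(i for i in range(1, 256) if gf_mul(v, i) == 1)
        s = inv
        for k in range(1, 5):                          # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox[v] = s ^ 0x63                             # ... ^ 0x63
    return sbox

SBOX = build_sbox()

# The state is a flat list of 16 bytes in column-major order: state[r + 4*c] is row r, column c.
def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """Row r is rotated left by r positions; row 0 is unchanged."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(state):
    """Each column is multiplied by the fixed matrix [[2,3,1,1],[1,2,3,1],[1,1,2,3],[3,1,1,2]] over GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gf_mul(2, a0) ^ gf_mul(3, a1) ^ a2 ^ a3,
                a0 ^ gf_mul(2, a1) ^ gf_mul(3, a2) ^ a3,
                a0 ^ a1 ^ gf_mul(2, a2) ^ gf_mul(3, a3),
                gf_mul(3, a0) ^ a1 ^ a2 ^ gf_mul(2, a3)]
    return out

def add_round_key(state, round_key):
    """Bitwise XOR of state and round key; the operation is its own inverse."""
    return [s ^ k for s, k in zip(state, round_key)]

def key_expansion(key):
    """AES-128 key schedule: 4 key words become 44 words (176 bytes). Every fourth word passes
    through g() = SubWord(RotWord(w)) XOR Rcon; the other three are a plain XOR with the word 4 back."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                          # RotWord
            t = [SBOX[b] for b in t]                   # SubWord
            t[0] ^= rcon                               # round constant enters the leftmost byte
            rcon = xtime(rcon)                         # Rcon sequence 01, 02, 04, ..., 80, 1b, 36
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def encrypt_block(key, plaintext):
    """AES-128: AddRoundKey, nine full rounds, then a final round without MixColumns."""
    w = key_expansion(key)
    round_key = lambda r: [b for word in w[4 * r:4 * r + 4] for b in word]
    state = add_round_key(list(plaintext), round_key(0))
    for r in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key(r))
    state = add_round_key(shift_rows(sub_bytes(state)), round_key(10))
    return bytes(state)

def avalanche(key, plaintext, bit):
    """Avalanche effect: number of ciphertext bits that change when one plaintext bit is flipped."""
    c1 = encrypt_block(key, plaintext)
    flipped = bytearray(plaintext)
    flipped[bit // 8] ^= 1 << (7 - bit % 8)
    c2 = encrypt_block(key, bytes(flipped))
    return sum(bin(x ^ y).count("1") for x, y in zip(c1, c2))

# The key/plaintext pair quoted in the notes for the Section 5.5 example
KEY = bytes.fromhex("0f1571c947d9e8590cb7add6af7f6798")
PT = bytes.fromhex("0123456789abcdeffedcba9876543210")

if __name__ == "__main__":
    print(encrypt_block(KEY, PT).hex())     # ff0b844a0853bf7c6934ab4364148fb9
    print(avalanche(KEY, PT, 0), "of 128 ciphertext bits changed after flipping plaintext bit 0")
```

build_sbox is the "multiplicative inverse followed by an affine transformation" of the SubBytes description made explicit, so the table is derived rather than typed in; key_expansion produces the 44 words the notes count, with w[4] = dc 90 37 b0 for this key; and avalanche measures the "at least half of the bits" claim directly, by Hamming distance between the two ciphertexts. Decryption is omitted to keep the block short; each step above has the inverse the notes name (InvSubBytes, InvShiftRows, InvMixColumns, and AddRoundKey itself).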

5.6 AES IMPLEMENTATION
EQUIVALENT INVERSE CIPHER
• It has the same sequence of transformations as the encryption algorithm.
• A change in the key schedule is needed to achieve this equivalence.

INTERCHANGING INVSHIFTROWS AND INVSUBBYTES

INTERCHANGING ADDROUNDKEY AND INVMIXCOLUMNS

IMPLEMENTATION ASPECTS
8-BIT PROCESSOR
• AES can be implemented very efficiently on an 8-bit processor.
• AddRoundKey is a bytewise XOR operation.
• ShiftRows is a simple byte-shifting operation.
• SubBytes operates at the byte level and only requires a table of 256 bytes.
32-BIT PROCESSOR
• More efficient if the operations are defined on 32-bit words.
• Define the four transformations of a round in algebraic form.
• Requires only four table lookups and four XORs per column per round, plus 4 Kbytes to store the
table.

SOURCE :
[1] W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York: Prentice Hall,
2011.
[2] M. N. T. Amish Kumar, “Effective Implementation and Avalanche Effect Of AES,” International Journal of
Security, Privacy and Trust Management (IJSPTM), vol. 1, pp. 3-4, 2012.
[3] E. K. Kavitha, “Performance Evaluation of Cryptographic Algorithms: AES and DES for Implementation of
Secured Customer Relationship Management (CRM) System,” IOSR Journal of Computer Engineering
(IOSRJCE), vol. 7, no. 4, pp. 1-7, 2012.
[4] A. Berent, “Advanced Encryption Standard by Example”.
[5] D. P. N. C. Jayant P. Bhoge, “Avalanche Effect of AES Algorithm,” (IJCSIT) International Journal of Computer
Science and Information Technologies, vol. 5, no. 3, pp. 3101-3103, 2014.

Question: What is the difference between DES, AES and Rijndael?

CHAPTER 6
BLOCK CIPHER OPERATION
6.1 MULTIPLE ENCRYPTION AND TRIPLE DES
DOUBLE DES

P = Plaintext
K1, K2 = Keys
C = Ciphertext
For decryption the keys are applied in reverse order.

TRIPLE DES WITH TWO KEYS
Triple encryption with three stages of DES but only two keys, in an encrypt – decrypt – encrypt (EDE) sequence:

3DES with a single key reduces to single DES, so it can decrypt data encrypted by users of the older single DES.

TRIPLE DES WITH THREE KEYS
3DES with three keys has an effective key length of 168 bits.

6.2 ELECTRONIC CODE BOOK

• Electronic code book (ECB) is the simplest mode.
• Here, the plaintext is handled one block at a time.
• The same key is used while encrypting each block of plaintext.
• Every b-bit block of plaintext has a unique ciphertext.
• In decryption, one block is processed at a time using the same key.
• Each block is encrypted independently.
• Identical plaintext blocks are encrypted identically.
• No chaining, no error propagation.
• Does not hide data patterns; unsuitable for long messages.
Example: a pixel map encrypted with ECB.
• Susceptible to replay attacks.
Example: a wire transfer transaction can be replayed by resending the original message.
Define ECB mode

CIPHER MODES OF OPERATION
Electronic Codebook (ECB)
Cipher-Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

6.3 CIPHER BLOCK CHAINING MODE

• The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.
• Each block uses the same key.
• The input to the encryption function has no fixed relationship to the plaintext block.
• Allows random access to the ciphertext.
• Decryption is parallelizable.
• Plaintext block xj requires ciphertext blocks cj and cj-1.
• Identical messages: changing the first plaintext block results in different ciphertext.
• Chaining: ciphertext block cj depends on xj and all preceding plaintext blocks (the dependency is contained in cj-1).
• Error propagation: a single bit error in cj may flip the corresponding bit in xj+1, but changes xj significantly.
• The initialization vector need not be secret, but its integrity should be protected.
Define CBC mode

CBC is an appropriate mode for encrypting messages of length greater than b bits because of the chaining
mechanism.
CBC mode can be used for authentication.

6.4 CIPHER FEEDBACK MODE
To convert a block cipher into a stream cipher, we can use:
• Cipher feedback (CFB) mode
• Output feedback (OFB) mode
• Counter (CTR) mode

• Allows random access to the ciphertext.
• Decryption is parallelizable.
• Plaintext block xj requires ciphertext blocks cj and cj-1.
• Identical messages: as in CBC.
• Chaining: similar to CBC.
• Error propagation: a single bit error in cj may flip the corresponding bit in xj, but changes xj+1 significantly.
• The initialization vector need not be secret (XORed with x1).
Define CFB mode

6.5 OUTPUT FEEDBACK MODE
• Preprocessing is possible (keep encrypting the previous output block).
• No random access, not parallelizable.
• Identical messages: same as CBC.
• No chaining dependencies.
• Error propagation: a single bit error in cj may only affect the corresponding bit of xj.
• The initialization vector need not be secret, but should be changed if a previously used key is to be used again.
Define OFB mode

6.6 COUNTER MODE
• Preprocessing is possible (increment and encrypt the counter).
• Allows random access.
• Both encryption and decryption are parallelizable.
• The encrypted counter is sufficient to encrypt/decrypt.
• Identical messages: changing the nonce results in different ciphertext.
• No chaining dependencies.
• No error propagation.
• The nonce should be random, and should be changed if a previously used key is to be used again.
Define CTR mode

Advantages of CTR mode :
o Hardware efficiency
o Software efficiency
o Preprocessing
o Random access
o Provable security
o Simplicity
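The five modes of 6.2 to 6.6 written out as an added Python example; this is not code from the notes or from Stallings. To stay self-contained it uses a constructed toy block cipher (toy_encrypt/toy_decrypt, an 8-byte keyed bijection with no security value) in place of DES or AES; the mode logic is unchanged whatever block cipher is plugged in. The affected_blocks helper reproduces the error-propagation statements above: flip one ciphertext bit and see which plaintext blocks come out wrong on decryption. KEY, IV and PT are constructed demo values.

```python
# Added example: ECB, CBC, CFB, OFB and CTR around a toy block cipher.
# The toy cipher, key, IV and plaintext are constructed for this illustration only.

BLOCK = 8   # block size in bytes of the toy cipher (DES uses 8, AES 16)

def toy_encrypt(key, block):
    """Constructed toy block cipher, NOT secure: a key-dependent bijection on 8-byte blocks.
    It stands in for DES/AES only so that the mode logic below runs stand-alone."""
    mixed = bytes(((b ^ k) + i) & 0xFF for i, (b, k) in enumerate(zip(block, key)))
    return mixed[::-1]

def toy_decrypt(key, block):
    mixed = block[::-1]
    return bytes(((m - i) & 0xFF) ^ k for i, (m, k) in enumerate(zip(mixed, key)))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    """Split data (a multiple of BLOCK bytes) into blocks."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(toy_encrypt(key, x) for x in blocks(pt))        # c_j = E(x_j), each block alone

def ecb_decrypt(key, ct):
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for x in blocks(pt):
        prev = toy_encrypt(key, xor(x, prev))                       # c_j = E(x_j XOR c_{j-1}), c_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(toy_decrypt(key, c), prev))                  # x_j = D(c_j) XOR c_{j-1}
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for x in blocks(pt):
        prev = xor(x, toy_encrypt(key, prev))                       # c_j = x_j XOR E(c_{j-1})
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(c, toy_encrypt(key, prev)))                  # x_j = c_j XOR E(c_{j-1}); only E is needed
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """OFB: o_j = E(o_{j-1}) does not depend on the data (so it can be precomputed); encryption = decryption."""
    out, o = [], iv
    for x in blocks(data):
        o = toy_encrypt(key, o)
        out.append(xor(x, o))
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR: c_j = x_j XOR E(nonce + j); block j needs only counter j, hence random access and parallelism."""
    out = []
    for j, x in enumerate(blocks(data)):
        counter = ((int.from_bytes(nonce, "big") + j) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor(x, toy_encrypt(key, counter)))
    return b"".join(out)

def affected_blocks(decrypt, ct, pt, bit):
    """Flip one ciphertext bit, decrypt, and list the indices of plaintext blocks that came out wrong."""
    damaged = bytearray(ct)
    damaged[bit // 8] ^= 1 << (bit % 8)
    recovered = decrypt(bytes(damaged))
    return [j for j, (a, b) in enumerate(zip(blocks(pt), blocks(recovered))) if a != b]

KEY = bytes(range(8))                       # constructed demo key
IV = bytes.fromhex("a1b2c3d4e5f60718")      # constructed demo IV / nonce
PT = b"ATTACK AT DAWN!!" * 2                # 4 blocks; block 0 == block 2 and block 1 == block 3

if __name__ == "__main__":
    ct, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    print("ECB repeats:", blocks(ct)[0] == blocks(ct)[2])          # True: the data pattern leaks
    print("CBC repeats:", blocks(cbc)[0] == blocks(cbc)[2])        # False: chaining hides it
    bit = 8 * BLOCK + 3                                            # a bit inside ciphertext block 1
    print("CBC blocks hit:", affected_blocks(lambda c: cbc_decrypt(KEY, IV, c), cbc, PT, bit))       # [1, 2]
    print("CTR blocks hit:", affected_blocks(lambda c: ctr_crypt(KEY, IV, c), ctr_crypt(KEY, IV, PT), PT, bit))   # [1]
```

The two printed checks are the notes' own claims in executable form: ECB encrypts identical plaintext blocks identically, CBC does not; a single flipped ciphertext bit damages blocks j and j+1 in CBC and CFB, and only block j in ECB, OFB and CTR. Because these properties follow from the structure of the modes and not from the strength of the block cipher, the toy cipher is enough to demonstrate them.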

6.7 XTS-AES MODE FOR BLOCK-ORIENTED STORAGE DEVICES
The XTS-AES mode is based on the concept of a tweakable block cipher.
STORAGE ENCR​YPTION REQUIREMENTS
1. The ciphertext is freely available.
2. The data layout is not changed.
3. Data are accessed in fixed-size blocks.
4. Encryption is performed on 16-byte blocks.
5. No metadata is used.
6. The same plaintext is encrypted to different ciphertext at different locations.
7. Decryption and encryption of the data can be done by constructing a standard-conformant device.

OPERATION ON A SINGLE BLOCK
Encrypt and decrypt a single block

DEFINE XTS-AES MODE

SOURCE :
[1] W. Stallings, Cryptography And Network Security Principles And Practice Fifth Edition, New York: Prentice Hall,
2011.
[2] M. Kantarcioglu, “Modes of Operation”.

Question: Of all the available modes, which mode is suitable for supporting both good security and good performance?
Why?

CHAPTER 7
PSEUDORANDOM NUMBER GENERATION AND STREAM CIPHERS
7.1 PRINCIPLES OF PSEUDORANDOM NUMBER GENERATION
THE USE OF RANDOM NUMBERS
• There are many uses of random numbers in cryptography:
o nonces in authentication protocols to prevent replay
o keystream for a one-time pad
• These values should be
o statistically random: uniform distribution, independent
o unpredictable: future values cannot be predicted from previous values
• True random numbers provide this.
• Pseudo => deterministic, reproducible, generated by a formula.

RANDOMNESS
To validate that a sequence of numbers is random:
1. Uniform distribution
The frequency of ones and the frequency of zeros should be approximately equal.
2. Independence
No subsequence can be inferred from the others in the sequence.
UNPREDICTABILITY
In a 'true' random sequence each number is statistically independent of the other numbers, so the sequence
is unpredictable.
TRNGS, PRNGS, AND PRFS
TRUE RANDOM NUMBER GENERATOR (TRNG)
• Takes input from a source that is effectively random.
• The source is referred to as an entropy source.
• There is a conversion process from the analog source to a binary output.
• There is additional processing to overcome any bias in the source.

PSEUDORANDOM NUMBER GENERATOR (PRNG)
• Takes as input a fixed value called the seed.
• A deterministic algorithm produces a sequence of output bits.
• The input value (the seed) determines the output bit stream.
• It has two different forms:
o Pseudorandom number generator
An algorithm that is used to produce an open-ended sequence of bits.
o Pseudorandom function (PRF)
A function that produces a pseudorandom string of bits of some fixed length.

PRNG REQUIREMENTS
• A PRNG generates numbers that have the following characteristics of randomness:
o Uniformity
o Scalability
o Consistency
• Basic statistical tests:
o Frequency test
Determines the number of ones and zeros in a sequence; for a truly random sequence they should be about the same.
o Runs test
Determines the number of runs of ones and zeros of various lengths, as expected for a random sequence.
• Two forms of unpredictability:
o Forward unpredictability
o Backward unpredictability

ALGORITHM DESIGN
• Purpose-built algorithms
Purpose: to generate pseudorandom bit streams.
• Algorithms based on existing cryptographic algorithms
Three broad categories of cryptographic algorithms are used to create PRNGs:
o Symmetric block ciphers
o Asymmetric ciphers
o Hash functions and message authentication codes

7.2 PSEUDORANDOM NUMBER GENERATORS
LINEAR CONGRUENTIAL GENERATORS
Parameters:
m    the modulus
a    the multiplier
c    the increment
X0   the starting value, or seed

m>0
0
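An added Python example (not from the notes or from Stallings) that pairs the linear congruential generator of 7.2 with the frequency test and runs test named in 7.1, so the statistical requirements can be seen applied to actual output bits. The small parameter sets below are constructed to make the behaviour visible, not recommended settings; MINSTD (m = 2^31 - 1, a = 16807, c = 0) is a well-known LCG included for contrast. Function names are chosen here.

```python
# Added example: a linear congruential generator and the two statistical checks from 7.1.
# Parameter values are constructed for the demonstration; function names are chosen here.

def lcg(m, a, c, x0):
    """Linear congruential generator: X(n+1) = (a * X(n) + c) mod m.
    Deterministic: the seed X0 fixes the whole sequence (the 'pseudo' in pseudorandom)."""
    x = x0
    while True:
        x = (a * x + c) % m
        yield x

def output_bits(gen, count, bits_per_value):
    """Draw `count` values from the generator and emit their `bits_per_value` low-order bits."""
    out = []
    for _ in range(count):
        v = next(gen)
        out.extend((v >> i) & 1 for i in range(bits_per_value))
    return out

def frequency_test(bits):
    """Uniformity: ones and zeros should occur about equally often.
    Returns |#ones - #zeros| / sqrt(n); for a random sequence it stays below about 1.96 in 95% of cases."""
    s = sum(1 if b else -1 for b in bits)
    return abs(s) / len(bits) ** 0.5

def runs_test(bits):
    """Independence: a run is a maximal block of identical bits. Returns (observed runs, expected runs);
    for a random sequence with a fraction pi of ones the expectation is about 1 + 2*n*pi*(1 - pi)."""
    n = len(bits)
    pi = sum(bits) / n
    runs = 1 + sum(1 for i in range(1, n) if bits[i] != bits[i - 1])
    return runs, 1 + 2 * n * pi * (1 - pi)

def cycle_length(m, a, c, x0):
    """Length of the cycle the LCG eventually falls into; m (the full period) is the best case."""
    seen = {}
    x, i = x0, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]

if __name__ == "__main__":
    # Constructed degenerate LCG (a = 1, c = 1): it counts 0, 1, 2, ..., so its low bit strictly alternates.
    bits = output_bits(lcg(16, 1, 1, 0), 64, 1)
    print("degenerate LCG: frequency", frequency_test(bits), "runs", runs_test(bits))   # 0.0 (64, 33.0)
    # m=16, a=5, c=1 satisfies the full-period conditions (c odd, a-1 divisible by 4); a=2 collapses to a fixed point.
    print("cycle lengths:", cycle_length(16, 1, 1, 0), cycle_length(16, 5, 1, 0), cycle_length(16, 2, 1, 0))
    # MINSTD, 1000 values, low 4 bits of each: compare its statistics with the degenerate generator above.
    bits = output_bits(lcg(2**31 - 1, 16807, 0, 1), 1000, 4)
    print("MINSTD: frequency", round(frequency_test(bits), 3), "runs", runs_test(bits))
```

The degenerate generator is the instructive case: its output passes the frequency test perfectly (exactly as many ones as zeros) yet fails the runs test badly (64 runs observed against about 33 expected), which is why 7.1 lists independence as a separate requirement from uniform distribution. cycle_length shows a third property the tests do not capture: a poor choice of a and c shortens the period, and a short period means the stream repeats.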