Title: Block Ciphers and the Advanced Encryption Standard
1Chapter 3
- Block Ciphers and the Advanced Encryption Standard
2Outline
- 3.1 Introduction
- 3.2 Substitution-Permutation Networks
- 3.3 Linear cryptanalysis
- 3.4 Differential cryptanalysis
- 3.5 The Data Encryption Standard
- 3.6 The Advanced Encryption Standard
- 3.7 Modes of Operation
33.1 Introduction
- A commonly used design for modern-day block
ciphers is that of an iterated cipher - The cipher requires the specification of a round
function and a key schedule, and the encryption
of a plaintext will proceed through Nr similar
rounds.
4Introduction
- random key K used to construct Nr round keys
(also called subkeys), which are denoted
K1,,KNr. - key schedule (K1,,KNr) constructed from K using
a fixed, public algorithm. - round function g takes two inputs a round key
(Kr) and a current state (wr-1). - wrg(wr-1,Kr) is the next state.
- plaintext x the initial state w0.
- ciphertext y the state after all Nr rounds done.
5Introduction
- Encryption operations Decryption operations
Note function g is injective (one-to-one)
63.2 Substitution-Permutation Networks (SPN)
- Cryptosystem 3.1 SPN
- and Nr are positive integers
- is a permutation
- is a permutation.
- , and consist of all possible
key schedules that could be derived from an
initial key K using the key scheduling algorithm. - For a key schedule , we encrypt the
plaintext x using Algorithm 3.1.
7Substitution-Permutation Networks
ur is the input to the S-boxes in round r. vr
is the output of the S-boxes in round r. wr is
obtained from vr by applying . ur1 is
constructed from wr by xor-ing with the round key
Kr1 (called round key mixing). The very first
and last operations are xors with subkeys (called
whitening).
8Substitution-Permutation Networks
- Example 3.1
- Suppose . Let be defined as
follows, where the input and the output are
written in hexadecimal - Let be defined as follows
- See Figure 3.1 for a pictorial representation of
this particular SPN, where Sir means i-th round,
r-th S-box.
9Figure 3.1 A substitution-permutation network
10Substitution-Permutation Networks
- Key schedule suppose we begin with a 32-bit key
. For , define Kr to consist of
16 consecutive bits of K, beginning with k4r-3. - K 0011 1010 1001 0100 1101 0110 0011 1111
- Round keys
- K1 0011 1010 1001 0100
- K2 1010 1001 0100 1101
- K3 1001 0100 1101 0110
- K4 0100 1101 0110 0011
- K5 1101 0110 0011 1111
11Substitution-Permutation Networks
- Suppose the plaintext is x 0010 0110 1011 0111.
- Then the encryption of x proceeds as follows
- w0 0010 0110 1011 0111
- K1 0011 1010 1001 0100
- u1 0001 1100 0010 0011
- v1 0100 0101 1101 0001
- w1 0010 1110 0000 0111
- K2 1010 1001 0100 1101
- u2 1000 0111 0100 1010
- v2 0011 1000 0010 0110
- w2 0100 0001 1011 1000
12Substitution-Permutation Networks
- K3 1001 0100 1101 0110
- u3 1101 0101 0110 1110
- v3 1001 1111 1011 0000
- w3 1110 0100 0110 1110
- K4 0100 1101 0110 0011
- u4 1010 1001 0000 1101
- v4 0110 1010 1110 1001
- K5 1101 0110 0011 1111, and
- y 1011 1100 1101 0110
- is the ciphertext.
133.3 Linear Cryptanalysis
- We want to find a probabilistic linear
relationship between a subset of plaintext bits
and a subset of data bits preceding the last
round. This relation behaves in a non-random
fashion. - The attacker has a lot of plaintext-ciphertext
pairs (known plaintext attack). - For each candidate subkey, we partially decrypt
the cipher and check if the relation holds. If
the relation holds then increment its
corresponding counter. At the end, the candidate
key that counts furthest from ½ is the most
likely subkey.
14Linear Cryptanalysis
- 3.3.1 The Piling-up Lemma
- Suppose X1, X2, are independent random variables
from 0,1. And - The independence of Xi, Xj implies
15Linear Cryptanalysis
- Now consider .
- The bias of Xi is defined to be the quantity
- And we have
16Linear Cryptanalysis
- Let denote the bias of .
- Lemma 3.1 (Piling-up lemma) Let
denote the bias of the random variable . Then -
- Corollary 3.2 Let denote the bias of the
random variable . Suppose that
for some j. Then .
17Linear Cryptanalysis
- 3.3.2 Linear Approximations of S-boxes
- Consider an S-box .
- Let the input m-tuple be X(x1,,xm). And the
output n-tuple be Y(y1,,yn). - We can see that
-
-
- Now we can compute the bias of the form
- using the formulas stated above.
18Linear Cryptanalysis
- Example 3.2 We use the S-box as Example 3.1.
19Linear Cryptanalysis
- Consider . The probability that
can be determined by counting the number of rows
in which , and then dividing by 16. - It is seen that
- Hence, the bias is 0.
- If we instead analyze , we find that the
bias is 3/8.
20Linear Cryptanalysis
- We can record the bias of all 28256 possible
random variables. - We represent the relevant random variable in the
form -
- where .
- We treat (a1,a2,a3,a4) and (b1,b2,b3,b4) as
hexadecimal digit (they are called input sum and
output sum, respectively)
21Linear Cryptanalysis
- Let NL(a,b) denote the number of binary
eight-tuples (x1,x2,x3,x4,y1,y2,y3,y4) s.t - and
- The bias is computed as .
- The table of all NL is called the linear
approximation table (Figure 3.2).
22 Example 3.2
Figure 3.2 Linear approximation table values of
NL(a,b)-8
23Linear Cryptanalysis
- 3.3.3 Linear Attack on an SPN
- Linear cryptanalysis requires a set of linear
approximations of S-boxes that can be used to
derive a linear approximation of the entire SPN
(excluding the last round). - Figure 3.3 illustrates the structure of the
approximation we will use. - Arrows are the random variables involved in the
approximations and the labeled S-boxes (active
S-boxes) are used in the approximations.
24Figure 3.3 A linear approximation of an SPN
25Linear Cryptanalysis
- The approximation incorporates four active
S-boxes - In S12, has bias ¼
- In S22, has bias -¼
- In S32, has bias -¼
- In S34, has bias -¼
- have biases that are high in absolute value.
Further, we will see their XOR will lead to
cancellations of intermediate random variables.
26Linear Cryptanalysis
- Using Piling-up lemma, has bias
equal to 23(1/4)(-1/4)3-1/32. - Note we assume the four r.v are independent.
- Then can be expressed in terms of
plaintext bits, bits of u4 (input to the last
round) and key bits as follows
27Linear Cryptanalysis
- XOR the right side and we get
-
-
- Then replace by and key bits
- Now substitute them into 3.1
28Linear Cryptanalysis
- The expression above only involves plaintext
bits, bits of u4 and key bits. - Suppose the key bits are fixed. Then
- has the (fixed) value 0 or 1.
- It follows that
- has bias -1/32 or 1/32 where the sign depends on
the key bits (0 or 1).
29Linear Cryptanalysis
- The fact that (3.3) has bias bounded away from 0
allows us to carry out linear attack. - Suppose that we have T plaintext-ciphertext pairs
(denoted by ), all use the same unknown key,
K. The attack will allow us to obtain the eight
key bits, -
- There are 28256 possibilities for the eight key
bits. We refer to a binary 8-tuple as a candidate
subkey.
30Linear Cryptanalysis
- For each and for each candidate subkey, we
compute a partial decryption of y and obtain the
resulting value for . - Then we compute the value
- We maintain an array of counters indexed by the
256 possible candidate subkeys, and increment the
counter corresponding to a particular subkey when
(3.4) has the value 0. - In the end, we expect most counters will have a
value close to T/2, but the correct candidate
subkey will close to T/2T/32.
31Linear Cryptanalysis
- The attack is presented as Algorithm 3.2.
- L1 and L2 are hexadecimal value.
- is the inverse of the S-box.
- The output, maxkey, contains the most likely
subkey. - In general, it is suggested that a linear attack
based on a linear approximation having bias
will be successful if the number of
plaintext-ciphertext pairs is approximately
for some small constant c.
32 - Algorithm 3.2 LINEARATTACK( )
333.5 The Data Encryption Standard
- DES was developed at IBM, as a modification of an
earlier system known as Lucifer. - DES was first published in the Federal Register
of March 17, 1975. - DES was adopted as a standard for unclassified
applications on January 15, 1977.
34The Data Encryption Standard
- 3.5.1 Description of DES
- DES is a special type of iterated cipher called a
Feistel cipher. - In a Feistel cipher, each state ui is divided
into two halves of equal length, say Li and Ri. - Round function g g(Li-1, Ri-1, Ki)(Li, Ri),
where - Invertible
35 One round
Overview of DES
36The Data Encryption Standard
- Initial permutation IP IP(x)L0R0
- Inverse permutation IP-1 yIP-1(R16L16)
- Note L16 and R16 are swapped before IP-1 is
applied. - Each Li and Ri is 32 bits in length.
- The function
-
- takes as input a 32-bit string (the right half
of the current state) and a round key. - Key schedule (K1,K2,,K16) consists of 48-bit
round keys that are derived from the 56-bit key,
K.
37The Data Encryption Standard
- Suppose we denote the first argument of f
function (Figure 3.7) by A, and the second
argument by J. - A is expanded to 48-bit according to a fixed
expansion function E. - Compute and write the result as
concatenation of eight 6-bit strings
BB1B2B3B4B5B6B7B8. - The next step uses eight S-boxes (S1,,S8),
Given a bitstring of length 6,
Bjb1b2b3b4b5b6. - b1b6 determine the row r of Sj, and b2b3b4b5
determine the column c of Sj. We compute
CjSj(Bj). - The bitstring CC1C2C3C4C5C6C7C8 is permuted
according to the permutation P. Then f (A,J)P(C).
38 Figure 3.7 The DES f function
39 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1 S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 6 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Example 3.4
S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2 S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3 S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4 S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 14 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-boxes
40 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5 S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6 S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7 S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8 S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
S-boxes
41The Data Encryption Standard
- Example 3.4 We show how to compute an output of
S-box S1 with input 101000. - b1b610 which is 2
- b2b3b4b51000 which is 4
- Output is row 2 and column 4 of S1.
- Note rows are numbered 0,1,2,3 and columns are
0,1,2,15 - So the output is 13 which is 1101 in binary.
42The Data Encryption Standard
- The expansion function E is specified by the
following table - If A(a1,a2,,a32) then
- E(A)(a32,a1,a2,a3,a4,a5,a4,,a31,a32,a1).
E bit-selection table E bit-selection table E bit-selection table E bit-selection table E bit-selection table E bit-selection table
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
43The Data Encryption Standard
- The permutation P is as follows
- If C(c1,c2,,c32) then
- P(C)(c16,c7,c20,c21,c29,,c11,c4,c25).
P P P P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
44The Data Encryption Standard
45The Data Encryption Standard
46The Data Encryption Standard
- 3.5.2 Analysis of DES
- The S-boxes, being the non-linear components of
the cryptosystem, are vital to its security. - DES was to make differential cryptanalysis
infeasible. - Differential cryptanalysis was known to IBM when
they design DES, but it was kept secret for
almost 20 years until Biham and Shamir invented
the technique in the early 1990s. - The most pertinent criticism of DES is that the
size of the keyspace, 256, is too small.
47The Data Encryption Standard
- Many people try to design a special purpose
machine to do exhaustive key search. - Ex DES Cracker contained 1536 chips and could
search 88 billion keys per second. It won RSA
Laboratorys DES Challenge II-2 by successfully
finding a DES key in 56 hours. - Other than exhaustive key search, differential
cryptanalysis and linear cryptanalysis are the
most important attacks. (linear attack is more
efficient) - In 1994, Matsui implemented the attack by using
243 plaintext-ciphertext pairs with the same key.
It took 40 days to generate the pairs and 10 days
to find the key. - DES is still secure theoretically due to the
extremely large number of pairs required. An
adversary is impossible to collect that amount of
pairs.
483.6 The Advanced Encryption Standard
- On January 2, 1997, NIST began the process of
choosing a replacement for DES and called the
Advanced Encryption Standard, or AES. - It was required that the AES have a block length
of 128 bits, and supported key lengths of 128,
192, and 256 bits. - After several AES candidate conferences were
held. On Oct. 2, 2000, Rijndael was selected. - 3 main criteria security, cost, algorithm and
implementation characteristics
49The Advanced Encryption Standard
- 3.6.1 Description of AES
- Block length
- 128 bits (Nb4)
- 192 bits (Nb6)
- 256 bits (Nb8)
- Key length
- 128 bits (Nk4)
- 192 bits (Nk6)
- 256 bits (Nk8)
- Number of rounds Nr
-
S0,0 S0,1 S0,2 S0,3 S0,4 S0,5 S0,6 S0,7
S1,0 S1,1 S1,2 S1,3 S1,4 S1,5 S1,6 S1,7
S2,0 S2,1 S2,2 S2,3 S2,4 S2,5 S2,6 S2,7
S3,0 S3,1 S3,2 S3,3 S3,4 S3,5 S3,6 S3,7
50The Advanced Encryption Standard
- Overview of AES
- ADDROUNDKEY, which xors the RoundKey with State.
- For each of the first Nr-1 rounds perform
SUBBYTES(State), SHIFTROWS(State),
MIXCOLUMN(State), ADDROUNDKEY. - Final round SUBBYTES, SHIFTROWS, ADDROUNDKEY.
- All operations in AES are byte-oriented.
- The plaintext x consists of 16 byte, x0,x1,,x15.
- Initially State is plaintext x (for 128-bit
case)
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
x0 x4 x8 x12
x1 x5 x9 x13
x2 x6 x10 x14
x3 x7 x11 x15
51The Advanced Encryption Standard
- SUBBYTES
- It performs a substitution on each byte of State
using an S-box, say . - is a 16x16 array (Figure 3.8). A byte is
represented as two hexadecimal digits XY. So XY
after substitution is .
52 Y X 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
Example 3.5
Figure 3.8 The AES S-box
53The Advanced Encryption Standard
- The AES S-box can be defined algebraically. The
permutation incorporates operations in the
finite field - FIELDINV the multiplicative inverse of a filed
element - BINARYTOFIELD convert a byte to a field element
- FIELDTOBINARY inverse operation
-
-
- corresponds to the byte
54The Advanced Encryption Standard
- Algorithm 3.4 SUBBYTES(a7a6a5a4a3a2a1a0)
- external FIELDINV, BINARYTOFIELD, FIELDTOBINARY
- BINARYTOFILED(a7a6a5a4a3a2a1a0)
- if
- then FIELDINV(z)
- (a7a6a5a4a3a2a1a0) FIELDTOBINARY(z)
- (c7c6c5c4c3c2c1c0) (01100011)
- comment In the following loop, all subscripts
are to be - reduced modulo 8
- for to 7
- do
- return (b7b6b5b4b3b2b1b0)
55The Advanced Encryption Standard
- Example 3.5 (illustrates Algorithm 3.4)
- Suppose we begin with (hex) 53. In binary, its
01010011, - which represents the field element
-
- The multiplicative inverse (in ) can be
shown to be - Thus we have
-
56The Advanced Encryption Standard
- etc. The result is
- which is ED in hex.
- This computation can be checked by verifying the
entry in row 5 and column 3 of Figure 3.8.
57The Advanced Encryption Standard
- SHIFTROWS
- Row 0 no shift
- Row i shift Ci
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
S0,0 S0,1 S0,2 S0,3
S1,1 S1,2 S1,3 S1,0
S2,2 S2,3 S2,0 S2,1
S3,3 S3,0 S3,1 S3,2
Case Nb4 or 6
58The Advanced Encryption Standard
- MIXCOLUMNS (Algorithm 3.5)
- It is carried out on each of the four columns of
State. - Each column of State is replaced by a new column
which is formed by multiplying that column by a
certain matrix of elements of the field . - FIELDMULT computes two inputs product in the
field.
Note 2 is x in and 3 is x1 in
59The Advanced Encryption Standard
- Algorithm 3.5 MIXCOLUMN(c)
- external FIELDMULT, BINARYTOFIELD, FIELDTOBINARY
- for to 3
- do BINARYTOFIELD(si,c)
- u0 FIELDMULT(x,t0) FIELDMULT(x1,t1)
t2 t3 - u1 FIELDMULT(x,t1) FIELDMULT(x1,t2)
t3 t0 - u2 FIELDMULT(x,t2) FIELDMULT(x1,t3)
t0 t1 - u3 FIELDMULT(x,t3) FIELDMULT(x1,t0)
t1 t2 - for to 3
- do si,c FIELDTOBINARY(ui)
60The Advanced Encryption Standard
- KEYEXPANSION (for 10-round AES)
- 10-round, 128-bit key
- We need 11 round keys, each of 16 bytes
- Key scheduling algorithm is word-oriented (4
bytes), so a round key consists of 4 words - The concatenation of round keys is called the
expanded key, which consists of 44 words, w0,
w1,, w43. - See Algorithm 3.6
61The Advanced Encryption Standard
- Notations of Algorithm 3.6
- Input 128-bit key, key, key0,,key15
- Output words, w
- ROTWORD a cyclic shift of four bytes B0,B1,B2,B3
- ROTWORD (B0,B1,B2,B3) (B1,B2,B3,B0)
- SUBWORD applies the S-box to each byte
- SUBWORD (B0,B1,B2,B3)(B0,B1,B2,B3)
- where BiSUBBYTES(Bi)
- RCon an array of 10 words, RCon1,,RCon10,
they are constants defined at the beginning
62 Algorithm 3.6 KEYEXPANSION(key)
- external ROTWORD, SUBWORD
- RCon1 01000000
- RCon2 02000000
- RCon3 04000000
- RCon4 08000000
- RCon5 10000000
- RCon6 20000000
- RCon7 40000000
- RCon8 80000000
- RCon9 1B000000
- RCon10 36000000
- for to 3
- do wi (key4i,key4i1,key4i2,key4
i3) - for to 43
- do temp wi-1
- if 0 (mod 4)
- then temp SUBWORD(ROTWORD(temp))
RCon1/4 - wi wi-4 temp
- return (w0,,w43)
63The Advanced Encryption Standard
- Above are the operations need to encrypt in AES.
- To decrypt, we perform all operations and the key
schedule in the reverse order. - Each operation, SHIFTROWS, SUBBYTES, MIXCOLUMNS
must be replaced by their inverse operations. - ADDROUNDKEY is its own reverse.
64The Advanced Encryption Standard
- 3.6.2 Analysis of AES
- AES is secure against all known attacks.
- Various aspects of design incorporate specific
features to against specific attacks. - Ex1 Finite field inversion in S-box yields
linear approximation and difference distribution
tables close to uniform. - Ex2 MIXCOLUMNS makes it impossible to find
differential and linear attacks that involve
few active S-boxes (wide trail strategy).
653.7 Modes of Operation
- Four modes of operation for DES
- Electronic codebook mode (ECB mode)
- Cipher feedback mode (CFB mode)
- Cipher block chaining mode (CBC mode)
- Output feedback mode (OFB mode)
- ECB mode corresponds to the naive use of a block
cipher - x1,x2,of 64-bit plaintext blocks, encrypted with
the same key K, producing a string of ciphertext
blocks, y1,y2,
66Modes of Operation
- CBC mode
- initialization vector IV and y0IV
-
-
Figure 3.9 CBC mode
67Modes of Operation
- OFB mode
- a synchronous stream cipher (cf. section 1.1.7)
- z0IV, then keystream z1z2
- encryption
68Modes of Operation
- CFB mode
- y0IV
- keystream
- encryption
Figure 3.10 CFB mode
69Modes of Operation
- Some properties
- In ECB and OFB modes, changing one 64-bit
plaintext block, xi, causes the corresponding
ciphertext block, yi, to be altered, but other
ciphertext blocks are not affected. - It is useful in some cases, like communicating on
an unreliable channel. - In CBC and CFB modes, if a plaintext block xi is
changed, then yi and all subsequent ciphertext
blocks will be affected. - These modes can be used to produce a message
authentication code (MAC). (see Chap 4)