Twofish

1
Twofish

• Twofish A 128-Bit Block Cipher,Bruce Schneier,
  John Kelsey, Doug Whiting, David Wagner, Chris
  Hall, Niels Ferguson http//www.counterpane.com/tw
  ofish.pdf
• 128 bits block, with key of variable length up to
  256 bits.
• Uses 16 rounds of Feistel Network

2
Twofish

• Goals (per NIST)
• A 128-bit symmetric block cipher.
• Key lengths of 128 bits, 192 bits, and 256 bits.
• No weak keys.
• Efficiency, both on the Intel Pentium Pro and
  other software and hardware platforms.
• Flexible design e.g., accept additional key
  lengths be implementable on a wide variety of
  platforms and applications and be suitable for a
  stream cipher, hash function, and MAC.
• Simple design, both to facilitate ease of
  analysis and ease of implementation.

3
Twofish

• Additional goals
• Accept any key length up to 256 bits.
• Encrypt data in less than 500 clock cycles per
  block on an Intel Pentium, Pentium Pro, and
  Pentium II, for a fully optimized version of the
  algorithm.
• Be capable of setting up a 128-bit key (for
  optimal encryption speed) in less than the time
  required to encrypt 32 blocks on a Pentium,
  Pentium Pro, and Pentium II.
• Encrypt data in less than 5000 clock cycles per
  block on a Pentium, Pentium Pro, and Pentium II
  with no key setup time.

4
Twofish

• Additional goals
• Not contain any operations that make it
  inefficient on other 32-bit microprocessors.
• Not contain any operations that make it
  inefficient on 8-bit and 16-bit microprocessors.
• Not contain any operations that reduce its
  efficiency on proposed 64-bit microprocessors
  e.g., Merced.
• Not include any elements that make it
  inefficient in hardware.
• Have a variety of performance tradeoffs with
  respect to the key schedule.

5
Twofish

• Additional goals
• Encrypt data in less than less than 10
  milliseconds on a commodity 8-bit microprocessor.
• Be implementable on a 8-bit microprocessor with
  only 64 bytes of RAM.
• Be implementable in hardware using less than
  20,000 gates.
• Cryptographic Goals
• 16-round Twofish (without whitening) should have
  no chosen-plaintext attack requiring fewer than
  280 chosen plaintexts and less than 2N time,
  where N is the key length.
• 12-round Twofish (without whitening) should have
  no related-key attack requiring fewer than 264
  chosen plaintexts, and less than 2N/2 time, where
  N is the key length.

6
Twofish

• Flexibility Goals
• Have variants with a variable number of rounds.
• Have a key schedule that can be precomputed for
  maximum speed, or computed on-the-fly for maximum
  agility and minimum memory requirements.
  Additionally, it should be suitable for dedicated
  hardware applications e.g., no large tables.
• Be suitable as a stream cipher, one-way hash
  function, MAC, and pseudo-random number
  generator, using well-understood construction
  methods.
• Have a family-key variant to allow for
  different, non-interoperable, versions of the
  cipher.

7
Public Key Cryptography

• Symmetric Key Algorithms
• Key agreement and change
• Trust on all parties that have the key
• Trust in the security level
• Trust in not misusing keys
• Public-key cryptography involves the use of two
  keys
• a public-key, which may be known by anybody, and
  can be used to encrypt messages, and verify
  signatures
• a private-key, known only to the recipient, used
  to decrypt messages, and sign (create) signatures

8
Public Key Cryptography

• Public-key is easily computed from the private
  key and other information about the cipher (a
  polynomial time (P-time) problem)
• Knowing the public-key and public description of
  the cipher, it is still computationally
  infeasible to compute the private key (an NP-time
  problem)
• The public-key may be distributed to anyone
  wishing to communicate securely with its owner
  (although secure distribution of the public-key
  is a non-trivial problem - the key distribution
  problem)

9
Public Key Cryptography

• Have three important classes of public-key
  algorithms
• Public-Key Distribution Schemes (PKDS) - where
  the scheme is used to securely exchange a single
  piece of information (whose value depends on the
  two parties, but cannot be set). This value is
  normally used as a session key for a private-key
  scheme
• Signature Schemes - used to create a digital
  signature only, where the private-key signs
  (create) signatures, and the public-key verifies
  signatures
• Public Key Schemes (PKS) - used for encryption,
  where the public-key encrypts messages, and the
  private-key decrypts messages.
• Any public-key scheme can be used as a PKDS, just
  by selecting a message which is the required
  session key
• Many public-key schemes are also signature
  schemes (provided encryption decryption can be
  done in either order)

10
RSA

• Named after their inventors Ron Rivest, Adi
  Shamir and L. Adleman
• R L Rivest, A Shamir, L Adleman, "On Digital
  Signatures and Public Key Cryptosystems",
  Communications of the ACM, vol 21 no 2,
  pp120-126, Feb 1978
• Public-key scheme which may be used for
  encrypting messages, exchanging keys, and
  creating digital signatures

11
RSA

• Based on exponentiation in a finite (Galois)
  field over integers modulo a prime
• exponentiation takes O((log n)3) operations
• Security relies on the difficulty of calculating
  factors of large numbers
• factorization takes O(e log n log log n)
  operations
• (same as for discrete logarithms)
• Main patent expired in 2000

12
RSA

• Uses Euler ? function
• ?(n) (0?bltn) g.c.d.(b,n) 1)
• If p is prime than ?(p) ?
• ?(mn) ?(m) ?(n), if g.c.d.(m,n) 1
• RSA uses a generalization of Fermats Little
  Theorem due to Euler
• If g.c.d.(a, m) 1, then a?(m)1 mod m

13
RSA

• Key-Generation by each user consists of
• Selecting two large primes at random (100
  digit), p, q
• Calculating the system modulus Rpq p, q primes
  
• selecting at random the encryption key e (usually
  3),
• e lt R, gcd(e, ?(R)) 1
• solving the congruence to find the decryption key
  d,
• ed 1 mod ?(R) 0 ? d ? R
• publishing the public encryption key K1e,R
• securing the private decryption key K2d,p,q

14
RSA

• Encryption of a message M to obtain ciphertext C
  is
• C Me mod R
• Decryption of a ciphertext C to recover the
  message M is
• M Cd Me.d M1n?(R) M mod R
• Note we still would need to prove that this
  holds for g.c.d.(M, R) ? 1

15
RSA

• Example
• p 11, q 47
• R 517, ?(R) 460
• e 3, d 307
• M 26, C 1756 mod 517 515
• M (large number) mod 517 26

16
RSA

• The security of the RSA scheme rests on the
  difficulty of factoring the modulus of the scheme
  R
• Best known factorization algorithm
  (Brent-Pollard) takes
• operations on number R whose largest prime
  factor is p
• Number Field Sieve takes an asymptotically
  heuristic running time of

17
RSA

• Using Brent Pollard
• Decimal Digits in R Bit Operations to Factor R
• 20 7200
• 40 3.11e06
• 60 4.63e08
• 80 3.72e10
• 100 1.97e12
• 120 7.69e13
• 140 2.35e15
• 160 5.92e16
• 180 1.26e18
• 200 (600 bits) 2.36e19

18
RSA

• Most (all!!) computers can't directly handle
  numbers larger than 32-bits (64-bits on the very
  newest)
• Need to use multiple precision arithmetic
  libraries to handle numbers this large
• Multi-Precision Arithmetic
• Involves libraries of functions that work on
  multiword (multiple precision) numbers
• Classic references are in Knuth vol 2 -
  "Seminumerical Algorithms"
• multiplication digit by digit

19
RSA

• Multi-Precision Arithmetic
• Exponentiation using square and multiply
• A number of well known multiple precision
  libraries available - so don't reinvent the
  wheel!!!!
• Can use special tricks when doing modulo
  arithmetic, especially with the modulo reductions

20
RSA

• Primality Testing and RSA
• The first stage of key-generation for RSA
  involves finding two large primes p, q
• Because of the size of numbers used, must find
  primes by trial and error
• Modern primality tests utilize properties of
  primes eg
• an-1 1 mod n where GCD(a,n)1
• all primes numbers 'n' will satisfy this equation
  
• some composite numbers will also satisfy the
  equation, and are called pseudo-primes.

21
RSA

• Primality Testing and RSA
• Most modern tests guess at a prime number 'n',
  then take a large number (eg 100) of numbers 'a',
  and apply this test to each. If it fails the
  number is composite, otherwise it is is probably
  prime.
• There are a number of stronger tests which will
  accept fewer composites as prime than the above
  test. eg

22
RSA

• Chinese Remainder
• a significant improvement in decryption speed for
  RSA can be obtained by using the Chinese
  Remainder theorem to work modulo p and q
  respectively
• since p,q are only half the size of Rp.q and
  thus the arithmetic is much faster
• CRT is used in RSA by creating two equations from
  the decryption calculation
• M Cd mod R as follows
• M1 M mod p (C mod p)d mod (p-1)
• M2 M mod q (C mod q)d mod (q-1)
• then the pair of equations M M1 mod p, M M2
  mod q has a unique solution by the CRT, given by
  
• M ((M2 q - M1)u mod q p M1 where p.u mod q
  1