Article Directory
Traditional Block Cipher Structure
Stream Ciphers and Block Ciphers
A sequence cipher is also called a stream cipher (Stream Ciphers), which refers to a cipher that encrypts one bit or one byte of a digital data stream at a time. The autokeyed Vigenère cipher and Vernam cipher we introduced in " Symmetric Encryption Algorithm (1) (Replacement Algorithm, Caesar, Playfair, Hill Cipher, Polyalphabetic Cipher) " are sequence ciphers. The serial cipher uses the key to generate a key stream Z=Z1Z2Z3..., and then uses this key stream to encrypt the plaintext X=X0X1X2... in turn.
If the idea of one-time pad is adopted, the key stream is random and has the same length as the plaintext, then the attacker cannot crack it by any means other than mastering the key stream. However, the key stream must be provided to two users through some independent and secure channels in advance, but this kind of completely random key stream generation with very long length is very difficult (logistical problems).
Therefore, for practical reasons, the bitstream generator is implemented as an algorithmic program so that encrypted bitstreams can be produced by two users, as shown in the following diagram:
The bit stream generator is an algorithm controlled by a key, and we require it to generate a relatively strong key stream. That is, it is difficult for an attacker to predict later parts of the keystream based on known parts. Two users only need to share the generation key , and both can generate the keystream.
Block cipher (block cipher) divides the number sequence encoded by the plaintext message into groups of length n, and each group is transformed into an output number sequence of equal length under the control of the key. Usually, the packet size will be 64 bits or 128 bits. The block diagram of a block cipher is shown below:
In general, block ciphers are more widely used than sequence ciphers . Most network-based symmetric encryption applications use block ciphers.
Feistel Cipher
Several important symmetric block encryption algorithms currently in use are based on a symmetric structure called Feistel block cipher .
In a block cipher, we convert an n-bit plaintext block into an n-bit ciphertext block. In order to ensure that the encryption is reversible (or nonsingular) (can be decrypted), we need to generate unique ciphertext blocks. For a grouping of n bits, we have a total of 2 n 2^n2n possible ciphertext blocks (reversible encryption). A set of reversible and irreversible encryptions when n=2 is listed below:
The figure below illustrates the operation of a block cipher when n=4. A 4-bit input produces one of 16 possible ciphertext blocks, which are mapped back to the corresponding input when decrypted:
The mapping rules for this process are defined by a mapping table:
We call such a block cipher an ideal block cipher because it allows the largest number of encrypted mappings from plaintext blocks.
But for the ideal block cipher, if n is relatively small, such as 4 in the above example, then it is almost equivalent to the traditional substitution cipher, which means it can be cracked by analyzing the statistical properties. If n is large enough and arbitrary reversible substitutions between plaintext and ciphertext are allowed , then the statistical characteristics of the plaintext are masked and this type of cryptanalysis becomes infeasible. But it is obviously impractical to realize such a sufficiently large and arbitrarily reversible ideal block cipher.
And another problem with this approach is that the mapping rules themselves contain keys . For example, for the above mapping table, our key is actually the ciphertext in the second column, and the length is (4 bits) × (16 rows) = 64 bits.
Based on these problems, Feistel pointed out that what we need is an approximation to an ideal block cipher system with a large n value , and can be constructed with easy-to-implement devices.
Feistel proposed that we can use the concept of product ciphers to approximate an ideal block cipher, that is, execute two or more encryption algorithms in sequence, so that the final product result is more robust than a single encryption algorithm result. The essence of this method is to use a block cipher with key length k and block length n, allowing 2 k 2^k2k possible transformations instead of2 n 2^n2n conversions.
In fact, Feistel's design was based on Shannon's proposal to design a product cipher that uses confusion and diffusion alternately.
In cryptography, confusion and diffusion are the two main methods for designing cryptographic algorithms. Such a definition first appeared in Claude Shannon's 1945 paper "A Mathematical Theory of Cryptography".
In Claude Shannon's definition, obfuscation is an encryption operation that makes the relationship between the key and the ciphertext as vague as possible; and diffusion is mainly used to make the relationship between the plaintext and the ciphertext as possible Any small change in the plaintext will make the ciphertext very different.
A common way to achieve obfuscation is substitution . Diffusion is an encryption operation that spreads the influence of one plaintext symbol to multiple ciphertext symbols in order to hide the statistical properties of plaintext . The simplest form of diffusion is permutation .
Wikipedia
An example of diffusion is
yn = ( ∑ i = 1 kmn + k ) mod 26 y_n=\left(\sum_{i=1}^k m_{n+k}\right)\ {\rm mod}\ 26Yn=(i=1∑kmn + k) m o d 26
That is, using the next consecutive kkk characters to get a ciphertext character.
Below we give the structure of the Festel cipher:
The left side of the figure is the encryption process, while the right side is the decryption process. The input of the encryption algorithm is of length 2 w 2w2 w bits of plaintext block and keyKKK. _ The plaintext block is divided into two equal parts,LE 0 LE_0L E0Sum RE 0 RE_0RE0, in each round i = 1 , 2 , … , ni=1, 2,\dots,ni=1 ,2 ,…,n , we calculate
LE i = RE i − 1 LE_i=RE_{i-1}L Ei=REi−1
RE i = LE i − 1 ⊕ F ( RE i − 1 , K i ) RE_i=LE_{i-1}\oplus {\rm F}(RE_{i-1}, K_i)REi=L Ei−1⊕F (R Ei−1,Ki)
And when decrypting, our method is exactly the same, except the order of the keys is reversed :
LD i = RD i − 1 LD_i=RD_{i-1}LDi=RDi−1
R D i = L D i − 1 ⊕ F ( R D i − 1 , K n − i + 1 ) RD_i=LD_{i-1}\oplus {\rm F}(RD_{i-1}, K_{n-i+1}) RDi=LDi−1⊕F(RDi−1,Kn−i+1)
From the figure we can also notice that the iiAfter i rounds of encryption, we will getLE i ∣ ∣ RE i LE_i||RE_iL Ei∣ ∣ R Ei, and the corresponding 16 − i 16-i1 6−LD 16 − i ∣ ∣ RD 16 − i = RE i ∣ ∣ LE i LD_{16-i}||RD_{16-i}=RE_i || LE_iLD16−i∣ ∣ R D16−i=REi∣ ∣ L Ei. Next, let's calculate in detail to see if the above results are correct.
After the last round of encryption we have
LE 16 = RE 15 LE_{16}=RE_{15}L E1 6=RE1 5
WE 16 = AND 15 ⊕ F ( WE 15 , K 16 ) WE_{16}=AND_{15}\oplus {\rm F}(WE_{15}, K_{16})RE1 6=L E1 5⊕F (R E1 5,K1 6)
After the two parts are exchanged, the final ciphertextRE 16 ∣ ∣ LE 16 RE_{16}||LE_{16}RE1 6∣ ∣ L E1 6, so the input of the decryption process is RE 16 ∣ ∣ LE 16 RE_{16}||LE_{16}RE1 6∣ ∣ L E1 6.
In the first round of decryption:
LD 1 = RD 0 = LE 16 = RE 15 LD_1=RD_0=LE_{16}=RE_{15}LD1=RD0=L E1 6=RE1 5
R D 1 = L D 0 ⊕ F ( R D 0 , K 16 ) = R E 16 ⊕ F ( R E 15 , K 16 ) = [ L E 15 ⊕ F ( R E 15 , K 16 ) ] ⊕ F ( R E 15 , K 16 ) = L E 15 \begin{aligned} RD_1=&LD_0\oplus {\rm F}(RD_0, K_{16}) \\ =& RE_{16} \oplus {\rm F}(RE_{15}, K_{16}) \\ =& [LE_{15}\oplus {\rm F}(RE_{15}, K_{16})] \oplus {\rm F}(RE_{15}, K_{16}) \\ =& LE_{15} \end{aligned} RD1====LD0⊕F(RD0,K1 6)RE1 6⊕F (R E1 5,K1 6)[ L E1 5⊕F (R E1 5,K1 6) ]⊕F (R E1 5,K1 6)L E1 5
The last step calculation uses the following properties of XOR:
[ A ⊕ B ] ⊕ C = A ⊕ [ B ⊕ C ] [A \oplus B] \oplus C=A\oplus[B \oplus C][A⊕B]⊕C=A⊕[B⊕C]
D ⊕ D = 0 D\oplus D=0D⊕D=0
E ⊕ 0 = E E \oplus 0=E AND⊕0=AND
In the above derivation we should also notice that the function FFF is not involved in the actual calculation, which means it isnot required to be an invertible function, even if it always outputs a constant, we can successfully decrypt it.
The realization of Festo structure involves the selection of the following parameters:
- Block size : Larger block size means higher security ( stronger diffusion ), but also leads to slower encryption and decryption.
- Key size : Similar to the block size, a larger key size means higher security ( stronger obfuscation ), but it also leads to slower encryption and decryption.
- Number of rounds : The more rounds, the more secure it can be, usually choose 16.
- Subkey generation algorithm : The more complex the subkey generation algorithm, the more difficult it is for cryptanalysis.
- Round function F : Of course, the more complex the security, the better.
Although it seems that the more complex the design, the better, but more complex things also mean higher costs. We also need to consider the following two factors:
- Fast software encryption/decryption : In many cases, encryption is embedded in applications or utility functions, therefore, the execution speed of the algorithm needs to be considered.
- Ease of analysis : While we want to make our algorithms as difficult to cryptanalyse as possible, there are also great benefits to making algorithms easy to analyze. That is, if an algorithm can be explained succinctly, it is easier to analyze the algorithm for its vulnerabilities and thus improve it.
References
Cryptography and Network Security: Principles and Practice, 7th Edition, ISBN 978-0-13-444428-4, by William Stallings, published by Pearson Education.