2 Symmetric key cryptography
2.1 Block ciphers algorithms

Block ciphers transform a group of plaintext symbols into a group of ciphertext symbols, so encryption is carried out block by block over the plaintext.

Plaintext symbols are grouped into a plaintext block, and a keyed cryptographic transformation is applied to that block. The result of the encryption is a ciphertext block of the same size as the plaintext block.

It is possible that the plaintext size is not an exact multiple of the block length; in this case a padding scheme is usually applied to fill up the last block. However, depending on the mode of operation, padding might not be needed. The principle of encryption and decryption with a block cipher is shown in the following figure.

Fig. 2.2. Block cipher scheme

Most block ciphers are based on the concept of an iterated product cipher. These ciphers carry out the encryption in multiple rounds, each of which repeats a series of operations on the data using a different subkey derived from the original key. The operations applied in each round normally comprise substitution, permutation and key mixing. Ciphers built this way are known as substitution-permutation networks (SPN) and Feistel ciphers. Since the substitution box is the only non-linear part of most ciphers, the substitution boxes must be chosen very carefully to resist cryptanalytic attacks.

Decryption follows an analogous approach: the inverse transformation is applied to the ciphertext block using the same key k (in the case of secret key algorithms) that was used in the encryption process. The result of this process is the decrypted plaintext block.
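As an added illustration of the iterated structure described above (this is example code, not part of the original text): a four-round Feistel network in Go whose round function is HMAC-SHA256 keyed with the secret key and the round index, so that every round uses a different subkey derived from the original key. The round function, the 16-byte block, the round count and the key are choices made for this example; decryption runs the same network with the round order reversed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// roundFunc is the round function F(k_i, R). The subkey for round i is derived
// from the key and the round index by keying HMAC-SHA256 with both; the output
// is truncated to the half-block width. Real ciphers build F from S-boxes and
// permutations, but any keyed pseudorandom function gives a valid Feistel round.
func roundFunc(key []byte, round uint32, right []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, round)
	m.Write(right)
	return m.Sum(nil)[:len(right)]
}

// feistel applies the rounds listed in order to one block split as L||R:
// L = L XOR F(k_i, R), then the halves are swapped (except after the last
// round). Each round undoes itself once the halves are swapped back, so
// running the same function with the order reversed decrypts.
func feistel(key []byte, order []uint32, block []byte) []byte {
	n := len(block) / 2
	l := append([]byte{}, block[:n]...)
	r := append([]byte{}, block[n:]...)
	for k, i := range order {
		for j, f := range roundFunc(key, i, r) {
			l[j] ^= f
		}
		if k != len(order)-1 {
			l, r = r, l
		}
	}
	return append(l, r...)
}

var encOrder = []uint32{1, 2, 3, 4} // four rounds; fewer leak structure (see test)
var decOrder = []uint32{4, 3, 2, 1} // same network, subkeys in reverse order

func main() {
	key := []byte("constructed demo key") // constructed, not a real key
	pt := []byte("16-byte plaintxt")       // one 128-bit block
	ct := feistel(key, encOrder, pt)
	fmt.Printf("ciphertext %x\nrecovered  %q\n", ct, feistel(key, decOrder, ct))
}
```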

Typically, the size of the plaintext block is 64 or 128 bits and the ciphertext block is the same size.

The advantages of block ciphers:

The most widely used block secret key algorithms include:

It is not recommended to use the same secret key bits to encrypt identical parts of the plaintext: if the algorithm is applied to a number of identical plaintext blocks, the result is the same number of identical ciphertext blocks. There are ways to blur and mix plaintext blocks with ciphertext blocks, preventing blockwise modification attacks. These methods are called the block cipher modes of operation.

Modes of operation

Block ciphers can be used in a variety of ways, with different secrecy and error recovery properties. These modes apply to almost all block ciphers in existence. The choice of encryption mode affects the speed, the security against adversaries and the error propagation.

ECB: Electronic Code Book

It is the basic mode, in which the cipher is used without any modification. The message is split into blocks, and each plaintext block is encrypted separately, independently of the others. Therefore there is no interdependency between blocks, and in consequence this mode is not recommended. Its use introduces the following drawbacks:

The structure of the plaintext is exposed.

It is susceptible to blockwise modification by an attacker: blocks can be reordered or repeated, and the reordering or repetition of blocks changes the message.

Any ciphertext encrypted with the same key can be used as source material for the attacker.

A typical example of the weakness of ECB mode is the encryption of a bitmap image (for example a .bmp file). Even a strong encryption algorithm used in ECB mode cannot efficiently hide the image's content.

Fig 2.3. Plaintext bmp image and the corresponding ECB encrypted image
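An added example (not from the original text) showing the two ECB weaknesses listed above with AES from Go's standard library, which deliberately offers no ECB mode: identical plaintext blocks give identical ciphertext blocks, which a simple duplicate-block count detects, and swapping two ciphertext blocks yields a cleanly decrypting but reordered message. The key and the messages are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// ecb applies AES to each 16-byte block independently (decrypt=true inverts it).
// Written out only to show the weakness; input must be a whole number of blocks.
func ecb(key, in []byte, decrypt bool) []byte {
	b, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		panic("bad key length or unaligned input")
	}
	fn := b.Encrypt
	if decrypt {
		fn = b.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		fn(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// countRepeatedBlocks counts ciphertext blocks that duplicate an earlier one. Under
// ECB this mirrors the plaintext's structure (the bitmap effect of Fig 2.3).
func countRepeatedBlocks(ct []byte) int {
	seen, repeats := map[[aes.BlockSize]byte]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var blk [aes.BlockSize]byte
		copy(blk[:], ct[i:i+aes.BlockSize])
		if seen[blk] {
			repeats++
		}
		seen[blk] = true
	}
	return repeats
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	ct := ecb(key, bytes.Repeat([]byte("SAME-BLOCK-16-B!"), 4), false)
	fmt.Println("repeated ciphertext blocks:", countRepeatedBlocks(ct)) // 3
	// Blockwise modification: swapped ciphertext blocks decrypt cleanly, reordered.
	ct2 := ecb(key, []byte("BLOCK-0000000001BLOCK-0000000002"), false)
	swapped := append(append([]byte{}, ct2[16:]...), ct2[:16]...)
	fmt.Printf("%s\n", ecb(key, swapped, true)) // BLOCK-0000000002BLOCK-0000000001
}
```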

The Cipher Block Chaining Mode

The Cipher Block Chaining (CBC) mode combines (“chaining”) plaintext blocks with the previous ciphertext blocks. It requires an IV to combine with the first plaintext block.

In the encryption process, the IV is exclusive-ORed with the first plaintext block before encryption. The result is then encrypted, and the output is the first block of the ciphertext. For subsequent blocks the previous ciphertext block is used instead of the IV. The consequence of the chaining operation is that ciphertext block cj depends on plaintext block pj and on the previous ciphertext block cj-1. It is easy to see that this dependence is equivalent to saying that cj depends on the current and all the preceding plaintext blocks.

Fig 2.4 CBC encryption and decryption mode
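The chaining described above, written out as an added Go example (not code from the original): cbcEncrypt computes cj = E(pj XOR cj-1) with c0 = IV, cbcDecrypt inverts it, and pkcs7Pad fills the last block as Section 2.1 mentions. Key and IV are constructed for the demonstration; in real use the IV must be unpredictable and fresh per message, and crypto/cipher's own CBC implementation (against which this one agrees) is what production code should call.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// pkcs7Pad appends n bytes of value n (1 <= n <= 16) so the last block is full and the pad is unambiguous.
func pkcs7Pad(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	return append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt follows Fig 2.4: c_j = E(p_j XOR c_{j-1}) with c_0 = IV, so each step needs the previous block.
func cbcEncrypt(b cipher.Block, iv, padded []byte) []byte {
	out := make([]byte, len(padded))
	prev := iv
	for i := 0; i < len(padded); i += aes.BlockSize {
		x := make([]byte, aes.BlockSize)
		for j := range x {
			x[j] = padded[i+j] ^ prev[j]
		}
		b.Encrypt(out[i:i+aes.BlockSize], x)
		prev = out[i : i+aes.BlockSize]
	}
	return out
}

// cbcDecrypt inverts the chain, p_j = D(c_j) XOR c_{j-1}; only ciphertext feeds the XOR, so blocks are independent.
func cbcDecrypt(b cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	prev := iv
	for i := 0; i < len(ct); i += aes.BlockSize {
		blk := pt[i : i+aes.BlockSize]
		b.Decrypt(blk, ct[i:i+aes.BlockSize])
		for j := range blk {
			blk[j] ^= prev[j]
		}
		prev = ct[i : i+aes.BlockSize]
	}
	return pt
}

func main() {
	b, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	ct := cbcEncrypt(b, []byte("constructed-iv16"), pkcs7Pad(bytes.Repeat([]byte("SAME-BLOCK-16-B!"), 4)))
	fmt.Println("equal ciphertext blocks:", bytes.Equal(ct[:16], ct[16:32])) // false, unlike ECB
}
```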

The use of CBC solves the disadvantages of ECB, but introduces the following two drawbacks:

The Cipher Feedback Mode (CFB)

According to the NIST definition, “Cipher Feedback (CFB) mode is a confidentiality mode that features the feedback of successive ciphertext segments into the input blocks of the forward cipher to generate output blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa”. An important parameter in this mode is s, an integer such that 1 ≤ s ≤ L, where L is the block length of the cipher.

The first input block is the IV. Basically, the encryption process in CFB mode takes as input the L-s least significant bits of the previous input block concatenated with the s bits of the most recent ciphertext segment, encrypts this new input, and then the s most significant bits of the output are exclusive-ORed with the corresponding s bits of the plaintext segment to generate the next ciphertext segment. The next figure illustrates this mode of operation.

Fig 2.5 CFB encryption mode

In the case s=1, CFB turns a block cipher into a stream cipher by encrypting single bits.

The possibility of parallel processing is the same as in CBC mode: in encryption, the forward cipher operations cannot be performed in parallel, because each input block contains the previous ciphertext segment; in decryption, the input blocks are formed directly from the IV and the received ciphertext segments, so the forward cipher operations can be performed in parallel once the ciphertext is available.

Regarding error propagation, a single bit error in cj flips the corresponding bit in pj, but changes pj+1 significantly.
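An added example (not from the original text) of CFB with s = 8 over AES in Go, written out because crypto/cipher's CFB uses s = 128 only: cfb8 is the shift-register scheme of Fig 2.5, and the two experiments in main show the error behaviour described above on a byte-oriented channel, including the self-synchronization after a deleted byte that the general comments later rely on. Key, IV and message are constructed; note that with s < L a corrupted segment garbles the following L/s = 16 segments, not only the next one, before the register refills and decryption resynchronizes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// cfb8 is CFB with s = 8 over a 16-byte block cipher (Fig 2.5): the shift register
// starts as the IV; each step encrypts it, XORs the leftmost output byte with one
// data byte, and shifts the ciphertext byte in at the right. Same routine decrypts.
func cfb8(b cipher.Block, iv, in []byte, decrypt bool) []byte {
	reg := append([]byte{}, iv...)
	out := make([]byte, len(in))
	o := make([]byte, aes.BlockSize)
	for i, x := range in {
		b.Encrypt(o, reg)
		out[i] = x ^ o[0]
		fed := out[i] // encryption feeds back the ciphertext byte it produced
		if decrypt {
			fed = x // decryption feeds back the ciphertext byte it received
		}
		reg = append(reg[1:], fed)
	}
	return out
}

// damagedBytes counts positions where a decryption differs from the expected text.
func damagedBytes(got, want []byte) (n int) {
	for i := range want {
		if got[i] != want[i] {
			n++
		}
	}
	return n
}

func main() {
	b, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	iv := []byte("constructed-iv16")
	pt := bytes.Repeat([]byte("ABCDEFGH"), 8) // constructed 64-byte message
	ct := cfb8(b, iv, pt, false)
	flipped := append([]byte{}, ct...)
	flipped[10] ^= 0x01 // one-bit transmission error in c_10
	fmt.Println("damaged by bit flip:", damagedBytes(cfb8(b, iv, flipped, true), pt)) // p_10 plus the next 16 bytes
	lost := append(append([]byte{}, ct[:10]...), ct[11:]...) // c_10 deleted in transit
	want := append(append([]byte{}, pt[:10]...), pt[11:]...)
	fmt.Println("damaged by deletion:", damagedBytes(cfb8(b, iv, lost, true), want)) // 16 bytes, then resynchronized
}
```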

The Output Feedback Mode (OFB)

The output feedback mode operates in the following way:

The first input block is the initial vector (IV). The corresponding input block is encrypted, and the leftmost s bits of the output of this encryption are used for two different purposes: on the one hand, they form the input of the next block; on the other hand, they are exclusive-ORed with the s bits of the plaintext block to generate the ciphertext block. Thus, the successive output blocks are produced by applying the forward cipher function to the previous output blocks, and the output blocks are exclusive-ORed with the corresponding plaintext blocks to generate the ciphertext blocks.

In fact, OFB is a form of stream cipher. The next figure illustrates the procedure.

Fig 2.6 OFB encryption mode

It is easy to prove that this mode does not propagate errors: a single bit error in cj only affects the corresponding bit of pj.

Compared with CFB, the main advantage of OFB is the following:

If the IV is known, it is possible to precompute the output blocks before knowing the plaintext (or the ciphertext, in decryption).

And the drawbacks are:

Neither the encryption nor the decryption can be performed in parallel, since each input block depends on the result of the previous cipher function.

An active attacker can make controlled changes to the plaintext, since there is no error propagation.

The Counter Mode (CTR)

This mode is based on the encryption of a set of input blocks called counters. The output blocks are exclusive-ORed with the plaintext to generate the ciphertext, and vice versa. In general, given the initial counter block for a message, the successive counter blocks are derived by applying an incrementing function. Usually, the counter is split into two sections: a message number and the block number within the message. It is essential that a counter never repeats for any given key. CTR mode is illustrated in the following figure.

Fig 2.7 CTR encryption mode

It is easy to prove that this mode does not propagate errors: if a block is modified due to a transmission error, only that block will be decrypted erroneously.

The main advantages of this mode are:

Both CTR encryption and CTR decryption are highly parallelizable, since there is no linkage between stages.

Preprocessing is possible: the cipher function can be applied before knowing the plaintext (or the ciphertext, in decryption).

The main drawback is:

An active attacker can make controlled changes to the plaintext.
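The counter layout and the preprocessing property described above, as an added Go example (not code from the original): the 16-byte counter is an 8-byte message number followed by an 8-byte block number, ctrApply turns the counter encryptions into a keystream that needs no plaintext and can decrypt any single block on its own, and ctrEncrypt refuses to reuse a message number under the process key, since a repeated counter would expose the XOR of the two plaintexts. Key and message are constructed, and the in-memory reuse check stands in for the persistent or random nonce a real system needs; the output agrees with crypto/cipher's NewCTR for the same initial counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// counterBlock is the counter of Fig 2.7 split as described: an 8-byte message
// number then an 8-byte block number, so (msg, blk) pairs never collide under a key.
func counterBlock(msg, blk uint64) []byte {
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[:8], msg)
	binary.BigEndian.PutUint64(ctr[8:], blk)
	return ctr
}

// ctrApply XORs data with the keystream of message msg starting at block number
// first. One call both encrypts and decrypts; passing first = j with a single
// ciphertext block recovers block j alone, and no iteration depends on another,
// which is why CTR parallelizes and the keystream can be prepared in advance.
func ctrApply(b cipher.Block, msg, first uint64, data []byte) []byte {
	out := make([]byte, len(data))
	ks := make([]byte, aes.BlockSize)
	for i := range data {
		if i%aes.BlockSize == 0 {
			b.Encrypt(ks, counterBlock(msg, first+uint64(i/aes.BlockSize)))
		}
		out[i] = data[i] ^ ks[i%aes.BlockSize]
	}
	return out
}

// usedMsgs records message numbers already spent under this process's key: a repeated
// counter would leak p XOR p' to anyone holding both ciphertexts, so it is refused.
var usedMsgs = map[uint64]bool{}

func ctrEncrypt(b cipher.Block, msg uint64, pt []byte) []byte {
	if usedMsgs[msg] {
		panic("CTR counter reuse refused: message number already used")
	}
	usedMsgs[msg] = true
	return ctrApply(b, msg, 0, pt)
}

func main() {
	b, _ := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	ct := ctrEncrypt(b, 7, []byte("constructed sample message: CTR mode needs no padding"))
	fmt.Printf("block 1 decrypted on its own: %q\n", ctrApply(b, 7, 1, ct[16:32]))
}
```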

General comments

CBC mode is the most suitable for general file or packet encryption. When there are strong requirements for high-speed data, CTR is the best option. When error propagation is not desirable and the transmission line is noisy, OFB is a good option. And, where there is a risk of byte or bit deletion, a good choice is CFB with s=8 or s=1.