A message of arbitrary size can always be partitioned into some number of whole blocks, with possibly some space remaining in the final block. Since partial blocks cannot be ciphered, some random padding can be introduced to fill out the last block, and this naturally expands the ciphertext. In this case it may also be necessary to introduce some sort of structure which will indicate the number of valid bytes in the last block.
Block Partitioning without Expansion
Proposals for using a block cipher supposedly without data expansion may involve creating a tiny stream cipher for the last block. One scheme is to re-encipher the ciphertext of the preceding block, and use the result as the confusion sequence. Of course, the cipher designer still needs to address the situation of files which are so short that they have no preceding block.
Because the one-block version is in fact a stream cipher, we must be very careful to never re-use a confusion sequence. But when we only have one block, there is no prior block to change as a result of the data. In this case, ciphering several very short files could expose those files quickly.
Furthermore, it is dangerous to encipher a CRC value in such a block, because exclusive-OR enciphering is transparent to the field of mod 2 polynomials in which the CRC operates. Doing this could allow an Opponent to adjust the message CRC in a known way, thus avoiding authentication exposure.
Another proposal for eliminating data expansion consists of ciphering blocks until the last short block, then re-positioning the ciphering window to end at the last of the data, thus re-ciphering part of the prior block. This is a form of chaining and establishes a sequentiality requirement which requires that the last block be deciphered before the next-to-the-last block. Or we can make enciphering inconvenient and deciphering easy, but one way will be a problem. And this approach cannot handle very short messages: its minimum size is one block. Yet any general-purpose ciphering routine will encounter short messages. Even worse, if we have a short message, we still need to somehow indicate the correct length of the message, and this must expand the message, as we saw before. Thus, overall, this seems a somewhat dubious technique.
On the other hand, it does show a way to chain blocks for authentication in a large-block cipher: We start out by enciphering the data in the first block. Then we position the next ciphering to start inside the ciphertext of the previous block. Of course this would mean that we would have to decipher the message in reverse order, but it would also propagate any ciphertext changes through the end of the message. So if we add an authentication field at the end of the message (a keyed value known on both ends), and that value is recovered upon deciphering (this will be the first block deciphered), we can authenticate the whole message. But we still need to handle the last block padding problem and possibly also the short message problem.
Block Size and Plaintext Randomization
Ciphering raw plaintext data can be dangerous when the cipher has a small block size. Language plaintext has a strong, biased distribution of symbols, and ciphering raw plaintext would effectively reduce the number of possible plaintext blocks. Worse, some plaintexts would be vastly more probable than others, and if some known plaintext were available, the most-frequent blocks might already be known. In this way, small blocks can be vulnerable to classic codebook attacks which build up the ciphertext equivalents for many of the plaintext phrases. This sort of attack confronts a particular block size, and for these attacks Triple-DES is no stronger than simple DES, because they both have the same block size.
The usual way of avoiding these problems is to randomize the plaintext block with an operating mode such as CBC. This can ensure that the plaintext data which is actually ciphered is evenly distributed across all possible block values. However, this also requires an IV which thus expands the ciphertext.
Another approach is to apply data compression to the plaintext before enciphering. If this is to be used instead of plaintext randomization, the designer must be very careful that the data compression does not contain regular features which could be exploited by The Opponents.
An alternate approach is to use blocks of sufficient size for them to be expected to have a substantial amount of uniqueness or "entropy." If we expect plaintext to have about one bit of entropy per byte of text, we might want a block size of at least 64 bytes before we stop worrying about an uneven distribution of plaintext blocks. This is now a practical block size.
Boolean
TRUE or FALSE; one bit of information.
Boolean Function
A function which produces a Boolean result. The individual output bits of an S-box can each be considered to be separate Boolean functions.
Boolean Function Nonlinearity
The number of bits which must change in the truth table of a Boolean function to reach the closest affine Boolean function. This is the Hamming distance from the closest "linear" function.
Typically computed by using a fast Walsh-Hadamard transform on the Boolean-valued truth table of the function. This produces the unexpected distance to every possible affine Boolean function (of the given length). Scanning those results for the maximum value implies the minimum distance to some particular affine sequence.
Especially useful in S-box analysis, where the nonlinearity for the table is often taken to be the minimum of the nonlinearity values computed for each output bit.
Also see the Active Boolean Function Nonlinearity Measurement in JavaScript page of the Ciphers By Ritter / JavaScript computation pages.
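As an added illustration (not code from the glossary or from the Ciphers By Ritter pages), the Walsh-Hadamard computation described above in Python: the truth table is mapped to +1/-1, transformed in place, and the largest absolute spectral value fixes the Hamming distance to the nearest affine function; the S-box helper takes the minimum over output bits, as the entry says.

```python
def walsh_hadamard(values):
    """Fast Walsh-Hadamard transform of a sequence whose length is a power of two.
    Entry a of the result is the correlation of the input with the linear function a.x."""
    f = list(values)
    n = len(f)
    h = 1
    while h < n:
        for i in range(0, n, 2 * h):
            for j in range(i, i + h):
                a, b = f[j], f[j + h]
                f[j], f[j + h] = a + b, a - b
        h *= 2
    return f


def nonlinearity(truth_table):
    """Hamming distance from a Boolean function (0/1 over all 2^n inputs, indexed by
    the input value) to the closest affine function, including complemented ones."""
    n = len(truth_table)
    # Map 0 -> +1 and 1 -> -1 so that W(a) = sum over x of (-1)^(f(x) + a.x).
    spectrum = walsh_hadamard([1 - 2 * bit for bit in truth_table])
    # |W(a)| = 2^n - 2 * distance(f, a.x or its complement), so the maximum
    # over all a gives the minimum distance to any affine function.
    return (n - max(abs(w) for w in spectrum)) // 2


def sbox_nonlinearity(sbox, out_bits):
    """Table nonlinearity: the minimum over the S-box's individual output bits."""
    return min(nonlinearity([(y >> k) & 1 for y in sbox]) for k in range(out_bits))
```

The spectrum can also be inspected directly: a maximum of 2^n means the function is itself affine (nonlinearity 0), which is what the per-bit scan of an S-box is meant to catch.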
Boolean Logic
The logic which applies to variables which have only two possible values. Also the digital hardware devices which realize such logic, and are used to implement electronic digital computers.
Boolean Mapping
A mapping of some number n of Boolean variables into some number m of Boolean results. For example, an S-box.
Break
The result of a successful cryptanalytic attack. To destroy the advantage of a cipher in hiding information.
A cipher is "broken" when the information in a message can be extracted without the key, or when the key itself can be recovered. The strength of a cipher can be considered to be the minimum effort required for a break, by any possible attack. A break is particularly significant when the work involved need not be repeated on every message.
The use of the term "break" can be misleading when an impractical amount of work is required to achieve the break. This case might be better described as a "theoretical" or "certificational" weakness.
Block Size
The amount of data in a block. For example, the size of the DES block is 64 bits or 8 bytes or 8 octets.
Brute Force Attack
A form of attack in which each possibility is tried until success is obtained. Typically, a ciphertext is deciphered under different keys until plaintext is recognized. On average, this may take about half as many decipherings as there are keys.
Recognizing plaintext may or may not be easy. Even when the key length of a cipher is sufficient to prevent brute force attack, that key will be far too small to produce every possible plaintext from a given ciphertext (see perfect secrecy). Combined with the fact that language is redundant, this means that very few of the decipherings will be words in proper form. Of course, if the plaintext is not language, but is instead computer code, compressed text, or even ciphertext from another cipher, recognizing a correct deciphering can be difficult.
Brute force is the obvious way to attack a cipher, and the way any cipher can be attacked, so ciphers are designed to have a large enough keyspace to make this much too expensive to use in practice. Normally, the design strength of a cipher is based on the cost of a brute-force attack.
Bug
Technical slang for "error in design or implementation." An unexpected system flaw. Debugging is a normal part of system development and interactive system design.
Byte
A collection of eight bits. Also called an "octet." A byte can represent 256 different values or symbols. The common 7-bit ASCII codes used to represent characters in computer use are generally stored in a byte; that is, one byte per character.
Capacitor
A basic electronic component which acts as a reservoir for electrical power in the form of voltage. A capacitor thus acts to "even out" the voltage across its terminals, and to "conduct" voltage changes from one terminal to the other. A capacitor "blocks" DC and conducts AC in proportion to frequency.
Capacitance is measured in Farads: A current of 1 Amp into a capacitance of 1 Farad produces a voltage change of 1 Volt per Second across the capacitor.
Typically, two conductive "plates" or metal foils separated by a thin insulator, such as air, paper, or ceramic. An electron charge on one plate attracts the opposite charge on the other plate, thus "storing" charge. A capacitor can be used to collect a small current over a long time, and then release a high current for a short time, as used in a camera strobe or "flash." Also see inductor and resistor.
CBC
CBC or Cipher Block Chaining is an operating mode for block ciphers. CBC mode is essentially a crude meta-stream cipher which streams block transformations.
In CBC mode the ciphertext value of the preceding block is exclusive-OR combined with the plaintext value for the current block. This has the effect of distributing the combined block values evenly among all possible block values, and so prevents codebook attacks.
On the other hand, ciphering the first block generally requires an IV or initial value to start the process. The IV necessarily expands the ciphertext, which may or may not be a problem. And the IV must be dynamically random-like so that statistics cannot be developed on the first block of each message sent under the same key.
In CBC mode, each random-like confusing value is the ciphertext from each previous block. Clearly this ciphertext is exposed to The Opponent, so there would seem to be little benefit associated with hiding the IV, which is just the first of these values. But if The Opponent knows the first sent plaintext, and can intercept and change the message IV, The Opponent can manipulate the first block of received plaintext. Because the IV does not represent a message enciphering, manipulating this value does not also change any previous block.
Accordingly, the IV may be sent enciphered or may be specifically authenticated in some way. Alternately, the complete body of the plaintext message may be authenticated, often by a CRC. The CRC remainder should be block ciphered, perhaps as part of the plaintext.
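An added example (not the glossary's own code) of the two points above, the IV manipulation in CBC and the XOR-transparency of the CRC also noted under Block Partitioning without Expansion. A constructed four-round Feistel cipher stands in for a real block cipher, which is an assumption of this demo: the property shown belongs to CBC mode and not to any particular cipher, and zlib's CRC-32 serves as the CRC.

```python
import hashlib
import zlib

BLOCK = 8  # block size in bytes of the constructed toy cipher below

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed BLAKE2b as the Feistel round function (toy cipher, not a standard one).
    return hashlib.blake2b(half + bytes([rnd]), key=key, digest_size=BLOCK // 2).digest()

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network; any keyed block permutation would serve here.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C[i] = E(P[i] XOR C[i-1]) with C[-1] = IV; plaintext must be whole blocks.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P[i] = D(C[i]) XOR C[i-1]: the IV is XORed straight into the first block.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)

def decrypt_with_modified_iv(key: bytes, iv: bytes, ciphertext: bytes, delta: bytes) -> bytes:
    # What the receiver recovers when only the IV in transit is XORed with delta.
    return cbc_decrypt(key, _xor(iv, delta), ciphertext)

def crc_affine_under_xor(a: bytes, b: bytes) -> bool:
    # CRC is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros) for equal lengths.
    return zlib.crc32(_xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
```

Every bit flipped in the IV reappears flipped in the recovered first block with no other block disturbed, and the affine identity is what lets an XOR-enciphered CRC be adjusted to match; authenticating the IV, or block-ciphering the CRC as the entry recommends, closes both gaps.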