4/10/2011

CAST-128
• Developed by Carlisle Adams and Stafford Tavares
• 64-bit block size; the key size varies from 40 to 128 bits in 8-bit increments
• Classical Feistel network structure
• Sixteen rounds
• Two subkeys per round, one 32-bit (Kmi), one 5-bit (Kri)
• Three different round functions
• Four operations: addition (+) and subtraction (-) modulo 2^32, XOR, and (variable) circular left rotate (<<<)
• The 5-bit subkey (Kri) determines the rotate amount
• Encryption
L0||R0 = Plaintext
for i = 1 to 16 do
  Li = Ri-1
  Ri = Li-1 ⊕ Fi[Ri-1, Kmi, Kri];
Ciphertext = L16||R16
Mukesh Chinta, Asst Prof, CSE

CAST Round Function F

• The function F is designed to have good confusion, diffusion and avalanche properties.
• It uses S-box substitutions, mod 2^32 addition and subtraction, exclusive-OR operations and key-dependent rotation.
• The strength of F depends primarily on the strength of the S-boxes; the further use of Boolean, arithmetic and rotate operations provides extra strength.


Mukesh Chinta, Asst Prof, CSE, VNRVJIET 1



CAST Encryption

• The function F includes the use of four S-boxes, each of size 8 × 32, the left circular rotation operation and four operation functions that vary depending on the round number, labelled f1i, f2i, f3i and f4i.
• If I refers to the intermediate 32-bit value after the left circular rotation function and the labels Ia, Ib, Ic and Id refer to the 4 bytes of I, where Ia is the most significant and Id is the least significant, then function F is defined as follows:
Rounds 1,4,7,10,13,16:  I = (Kmi + Ri-1) <<< Kri
                        F = ((S1[Ia] ⊕ S2[Ib]) - S3[Ic]) + S4[Id]
Rounds 2,5,8,11,14:     I = (Kmi ⊕ Ri-1) <<< Kri
                        F = ((S1[Ia] - S2[Ib]) + S3[Ic]) ⊕ S4[Id]
Rounds 3,6,9,12,15:     I = (Kmi - Ri-1) <<< Kri
                        F = ((S1[Ia] + S2[Ib]) ⊕ S3[Ic]) - S4[Id]
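The Feistel structure and the three round-function types above, as an added Python example that is not part of the slides. The real 8 × 32 S-boxes S1..S4 and the key schedule are not on these slides, so CONSTRUCTED placeholder S-boxes (derived from SHA-256) and constructed subkeys KM/KR are used; the block structure, operator order per round type and the reverse-order decryption are CAST-128's, but the output is not interoperable CAST-128 ciphertext. The names encrypt, decrypt, F and rotl32 are assumptions of this example.

```python
import hashlib

M32 = 0xFFFFFFFF

def placeholder_sbox(n):
    """CONSTRUCTED stand-in for S-box n: 256 rows of 32-bit values (not CAST-128's tables)."""
    return [int.from_bytes(hashlib.sha256(bytes([n, x])).digest()[:4], "big")
            for x in range(256)]

S1, S2, S3, S4 = (placeholder_sbox(n) for n in (1, 2, 3, 4))

def rotl32(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & M32

def F(rnd, D, Km, Kr):
    """Round function for round rnd (1..16): the three types from the table above."""
    kind = (rnd - 1) % 3      # 0: rounds 1,4,7,...  1: rounds 2,5,8,...  2: rounds 3,6,9,...
    if kind == 0:
        I = rotl32((Km + D) & M32, Kr)
    elif kind == 1:
        I = rotl32(Km ^ D, Kr)
    else:
        I = rotl32((Km - D) & M32, Kr)
    Ia, Ib, Ic, Id = I >> 24, (I >> 16) & 0xFF, (I >> 8) & 0xFF, I & 0xFF
    if kind == 0:
        return ((((S1[Ia] ^ S2[Ib]) - S3[Ic]) & M32) + S4[Id]) & M32
    if kind == 1:
        return ((((S1[Ia] - S2[Ib]) & M32) + S3[Ic]) & M32) ^ S4[Id]
    return ((((S1[Ia] + S2[Ib]) & M32) ^ S3[Ic]) - S4[Id]) & M32

def encrypt(block, Km, Kr):
    """16 Feistel rounds as on the slide; ciphertext = L16 || R16 (64-bit int)."""
    L, R = block >> 32, block & M32
    for i in range(1, 17):
        L, R = R, L ^ F(i, R, Km[i - 1], Kr[i - 1] & 0x1F)   # only 5 bits of Kr are used
    return (L << 32) | R

def decrypt(block, Km, Kr):
    """Same rounds with the subkeys in reverse order; halves swapped on entry and exit."""
    L, R = block & M32, block >> 32          # start from (R16, L16)
    for i in range(16, 0, -1):
        L, R = R, L ^ F(i, R, Km[i - 1], Kr[i - 1] & 0x1F)
    return (R << 32) | L                     # (R0, L0) back to L0 || R0

# CONSTRUCTED subkeys standing in for the real key schedule (S5..S8 are not included here)
KM = [(0x9E3779B9 * (i + 1)) & M32 for i in range(16)]
KR = [(7 * i + 3) & 0x1F for i in range(16)]
```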


CAST-128 S-Boxes
• CAST-128 uses eight 8 × 32 S-boxes.
• Four of these, S-box 1 through S-box 4, are used in the encryption/decryption process; S-box 5 through S-box 8 are used in the subkey generation.
• Each S-box is an array of 32 columns by 256 rows, where the 8-bit input selects a row in the array and the 32-bit value in that row is the output.
• S-boxes contain fixed (predefined) values and are carefully designed to have a high degree of nonlinearity.


CAST-128 Subkey Generation

• Label the 128-bit (16-byte) key as: x0x1x2x3x4x5x6x7x8x9xAxBxCxDxExF
• Symbol definitions
Km1, …, Km16  Sixteen 32-bit masking subkeys (one per round)
Kr1, …, Kr16  Sixteen 32-bit rotate subkeys (one per round), of which only the least significant 5 bits of each are used
z0, …, zF     Intermediate (temporary) bytes
K1, …, K32    Intermediate (temporary) words
• K1 through K32 are calculated from the key using S-boxes 5 through 8
• Then the subkeys are defined as
for i = 1 to 16 do
  Kmi = Ki;
  Kri = K16+i;


z0z1z2z3 = x0x1x2x3 ⊕ S5[xD] ⊕ S6[xF] ⊕ S7[xC] ⊕ S8[xE] ⊕ S7[x8]
z4z5z6z7 = x8x9xAxB ⊕ S5[z0] ⊕ S6[z2] ⊕ S7[z1] ⊕ S8[z3] ⊕ S8[xA]
z8z9zAzB = xCxDxExF ⊕ S5[z7] ⊕ S6[z6] ⊕ S7[z5] ⊕ S8[z4] ⊕ S5[x9]
zCzDzEzF = x4x5x6x7 ⊕ S5[zA] ⊕ S6[z9] ⊕ S7[zB] ⊕ S8[z8] ⊕ S6[xB]
K1 = S5[z8] ⊕ S6[z9] ⊕ S7[z7] ⊕ S8[z6] ⊕ S5[z2]
K2 = S5[zA] ⊕ S6[zB] ⊕ S7[z5] ⊕ S8[z4] ⊕ S6[z6]
K3 = S5[zC] ⊕ S6[zD] ⊕ S7[z3] ⊕ S8[z2] ⊕ S7[z9]
K4 = S5[zE] ⊕ S6[zF] ⊕ S7[z1] ⊕ S8[z0] ⊕ S8[zC]
x0x1x2x3 = z8z9zAzB ⊕ S5[z5] ⊕ S6[z7] ⊕ S7[z4] ⊕ S8[z6] ⊕ S7[z0]
x4x5x6x7 = z0z1z2z3 ⊕ S5[x0] ⊕ S6[x2] ⊕ S7[x1] ⊕ S8[x3] ⊕ S8[z2]
x8x9xAxB = z4z5z6z7 ⊕ S5[x7] ⊕ S6[x6] ⊕ S7[x5] ⊕ S8[x4] ⊕ S5[z1]
xCxDxExF = zCzDzEzF ⊕ S5[xA] ⊕ S6[x9] ⊕ S7[xB] ⊕ S8[x8] ⊕ S6[z3]
K5 = S5[x3] ⊕ S6[x2] ⊕ S7[xC] ⊕ S8[xD] ⊕ S5[x8]
K6 = S5[x1] ⊕ S6[x0] ⊕ S7[xE] ⊕ S8[xF] ⊕ S6[xD]
K7 = S5[x7] ⊕ S6[x6] ⊕ S7[x8] ⊕ S8[x9] ⊕ S7[x3]
K8 = S5[x5] ⊕ S6[x4] ⊕ S7[xA] ⊕ S8[xB] ⊕ S8[x7]
z0z1z2z3 = x0x1x2x3 ⊕ S5[xD] ⊕ S6[xF] ⊕ S7[xC] ⊕ S8[xE] ⊕ S7[x8]
z4z5z6z7 = x8x9xAxB ⊕ S5[z0] ⊕ S6[z2] ⊕ S7[z1] ⊕ S8[z3] ⊕ S8[xA]
z8z9zAzB = xCxDxExF ⊕ S5[z7] ⊕ S6[z6] ⊕ S7[z5] ⊕ S8[z4] ⊕ S5[x9]
zCzDzEzF = x4x5x6x7 ⊕ S5[zA] ⊕ S6[z9] ⊕ S7[zB] ⊕ S8[z8] ⊕ S6[xB]
K9 = S5[z3] ⊕ S6[z2] ⊕ S7[zC] ⊕ S8[zD] ⊕ S5[z9]
K10 = S5[z1] ⊕ S6[z0] ⊕ S7[zE] ⊕ S8[zF] ⊕ S6[zC]
K11 = S5[z7] ⊕ S6[z6] ⊕ S7[z8] ⊕ S8[z9] ⊕ S7[z2]
K12 = S5[z5] ⊕ S6[z4] ⊕ S7[zA] ⊕ S8[zB] ⊕ S8[z6]
x0x1x2x3 = z8z9zAzB ⊕ S5[z5] ⊕ S6[z7] ⊕ S7[z4] ⊕ S8[z6] ⊕ S7[z0]
x4x5x6x7 = z0z1z2z3 ⊕ S5[x0] ⊕ S6[x2] ⊕ S7[x1] ⊕ S8[x3] ⊕ S8[z2]
x8x9xAxB = z4z5z6z7 ⊕ S5[x7] ⊕ S6[x6] ⊕ S7[x5] ⊕ S8[x4] ⊕ S5[z1]
xCxDxExF = zCzDzEzF ⊕ S5[xA] ⊕ S6[x9] ⊕ S7[xB] ⊕ S8[x8] ⊕ S6[z3]
K13 = S5[x8] ⊕ S6[x9] ⊕ S7[x7] ⊕ S8[x6] ⊕ S5[x3]
K14 = S5[xA] ⊕ S6[xB] ⊕ S7[x5] ⊕ S8[x4] ⊕ S6[x7]
K15 = S5[xC] ⊕ S6[xD] ⊕ S7[x3] ⊕ S8[x2] ⊕ S7[x8]
K16 = S5[xE] ⊕ S6[xF] ⊕ S7[x1] ⊕ S8[x0] ⊕ S8[xD]

z0z1z2z3 = x0x1x2x3 ⊕ S5[xD] ⊕ S6[xF] ⊕ S7[xC] ⊕ S8[xE] ⊕ S7[x8]
z4z5z6z7 = x8x9xAxB ⊕ S5[z0] ⊕ S6[z2] ⊕ S7[z1] ⊕ S8[z3] ⊕ S8[xA]
z8z9zAzB = xCxDxExF ⊕ S5[z7] ⊕ S6[z6] ⊕ S7[z5] ⊕ S8[z4] ⊕ S5[x9]
zCzDzEzF = x4x5x6x7 ⊕ S5[zA] ⊕ S6[z9] ⊕ S7[zB] ⊕ S8[z8] ⊕ S6[xB]
K17 = S5[z8] ⊕ S6[z9] ⊕ S7[z7] ⊕ S8[z6] ⊕ S5[z2]
K18 = S5[zA] ⊕ S6[zB] ⊕ S7[z5] ⊕ S8[z4] ⊕ S6[z6]
K19 = S5[zC] ⊕ S6[zD] ⊕ S7[z3] ⊕ S8[z2] ⊕ S7[z9]
K20 = S5[zE] ⊕ S6[zF] ⊕ S7[z1] ⊕ S8[z0] ⊕ S8[zC]
x0x1x2x3 = z8z9zAzB ⊕ S5[z5] ⊕ S6[z7] ⊕ S7[z4] ⊕ S8[z6] ⊕ S7[z0]
x4x5x6x7 = z0z1z2z3 ⊕ S5[x0] ⊕ S6[x2] ⊕ S7[x1] ⊕ S8[x3] ⊕ S8[z2]
x8x9xAxB = z4z5z6z7 ⊕ S5[x7] ⊕ S6[x6] ⊕ S7[x5] ⊕ S8[x4] ⊕ S5[z1]
xCxDxExF = zCzDzEzF ⊕ S5[xA] ⊕ S6[x9] ⊕ S7[xB] ⊕ S8[x8] ⊕ S6[z3]
K21 = S5[x3] ⊕ S6[x2] ⊕ S7[xC] ⊕ S8[xD] ⊕ S5[x8]
K22 = S5[x1] ⊕ S6[x0] ⊕ S7[xE] ⊕ S8[xF] ⊕ S6[xD]
K23 = S5[x7] ⊕ S6[x6] ⊕ S7[x8] ⊕ S8[x9] ⊕ S7[x3]
K24 = S5[x5] ⊕ S6[x4] ⊕ S7[xA] ⊕ S8[xB] ⊕ S8[x7]
z0z1z2z3 = x0x1x2x3 ⊕ S5[xD] ⊕ S6[xF] ⊕ S7[xC] ⊕ S8[xE] ⊕ S7[x8]
z4z5z6z7 = x8x9xAxB ⊕ S5[z0] ⊕ S6[z2] ⊕ S7[z1] ⊕ S8[z3] ⊕ S8[xA]
z8z9zAzB = xCxDxExF ⊕ S5[z7] ⊕ S6[z6] ⊕ S7[z5] ⊕ S8[z4] ⊕ S5[x9]
zCzDzEzF = x4x5x6x7 ⊕ S5[zA] ⊕ S6[z9] ⊕ S7[zB] ⊕ S8[z8] ⊕ S6[xB]
K25 = S5[z3] ⊕ S6[z2] ⊕ S7[zC] ⊕ S8[zD] ⊕ S5[z9]
K26 = S5[z1] ⊕ S6[z0] ⊕ S7[zE] ⊕ S8[zF] ⊕ S6[zC]
K27 = S5[z7] ⊕ S6[z6] ⊕ S7[z8] ⊕ S8[z9] ⊕ S7[z2]
K28 = S5[z5] ⊕ S6[z4] ⊕ S7[zA] ⊕ S8[zB] ⊕ S8[z6]
x0x1x2x3 = z8z9zAzB ⊕ S5[z5] ⊕ S6[z7] ⊕ S7[z4] ⊕ S8[z6] ⊕ S7[z0]
x4x5x6x7 = z0z1z2z3 ⊕ S5[x0] ⊕ S6[x2] ⊕ S7[x1] ⊕ S8[x3] ⊕ S8[z2]
x8x9xAxB = z4z5z6z7 ⊕ S5[x7] ⊕ S6[x6] ⊕ S7[x5] ⊕ S8[x4] ⊕ S5[z1]
xCxDxExF = zCzDzEzF ⊕ S5[xA] ⊕ S6[x9] ⊕ S7[xB] ⊕ S8[x8] ⊕ S6[z3]
K29 = S5[x8] ⊕ S6[x9] ⊕ S7[x7] ⊕ S8[x6] ⊕ S5[x3]
K30 = S5[xA] ⊕ S6[xB] ⊕ S7[x5] ⊕ S8[x4] ⊕ S6[x7]
K31 = S5[xC] ⊕ S6[xD] ⊕ S7[x3] ⊕ S8[x2] ⊕ S7[x8]
K32 = S5[xE] ⊕ S6[xF] ⊕ S7[x1] ⊕ S8[x0] ⊕ S8[xD]

RC-2
• Uses 64-bit plaintext and ciphertext blocks and a key length varying from 8 to 1024 bits
• A set of operations is performed on the secret key to produce 128 bytes of subkey.
• It uses addition, bitwise exclusive-OR, bitwise complement, bitwise AND and left circular rotation operations for encryption
• The 64-bit plaintext is stored in four 16-bit words R[0], R[1], R[2] and R[3]
• The algorithm consists of 18 rounds of two types: mixing and mashing.
• Each mixing round uses four subkey words, and all of them are used in the 16 mixing rounds
• Subkeys are selected in a data-dependent manner for the two mashing rounds.
• Decryption is performed as the inverse of encryption, and the keys are used in reverse order
• RC2 is vulnerable to a related-key attack using 2^34 chosen plaintexts

Stream Ciphers
• process message bit by bit (as a stream)
• have a pseudo-random keystream
• combined (XOR) with plaintext bit by bit
• randomness of stream key completely destroys statistical properties in message
• Ci = Mi XOR StreamKeyi
• but must never reuse stream key
• otherwise can recover messages (cf. book cipher)


Stream Cipher Structure


Stream Cipher Properties

• some design considerations are:
  • long period with no repetitions
  • statistically random
  • depends on large enough key
  • large linear complexity
• properly designed, can be as secure as a block cipher with same size key
• but usually simpler & faster


RC4
• Designed by Ron Rivest in 1984 for RSA Data Security
• widely used in data communication and networking protocols including SSL/TLS and the IEEE 802.11 wireless LAN standard
• Byte-oriented stream cipher, i.e., a byte of plaintext is XORed with a byte of key to produce a byte of ciphertext.
• Key size is variable and can be anywhere from 1 to 256 bytes
• Simple design, yet effective

RC4 Key Schedule

• RC4 is based on the concept of state.
• At each moment, a state of 256 bytes is active, from which one of the bytes is randomly selected to serve as the key for encryption
• starts with an array S of numbers: S[0] S[1] S[2] ... S[255]
• S forms the internal state of the cipher
• use key to well and truly shuffle
• RC4 operation includes two steps:
  Initialization
  Key stream generation
• Initialization is done once
• The permutation for creating the key stream is repeated as long as plaintext bytes are available to encrypt.

Initialization
• Initialization is done in two steps
• Step-1: The state is initialized to the values 0, 1, ..., 255. A key array T[0], T[1], ..., T[255] is also created. If needed, the key bytes are repeated until the T array is filled
for i = 0 to 255 do
  S[i] = i
  T[i] = K[i mod keylen]
• Step-2: The initialized state goes through a permutation based on the values of the bytes in T[i]. The key byte is used only in this step, to define which elements are to be swapped; after this, the state bytes are completely shuffled
j = 0
for i = 0 to 255 do
  j = (j + S[i] + T[i]) (mod 256)
  swap(S[i], S[j])

RC4 Key Stream Generation

• The keys in the key stream, the t's, are generated one by one.
• First, the state is permuted based on the values of the state elements and the values of i and j.
• Second, the values of the two state elements in positions i and j are used to define the index of the state element that serves as t.
i = j = 0 (variables i and j are initialized to 0 before the first iteration)
for each message byte Mi
  i = (i + 1) (mod 256)
  j = (j + S[i]) (mod 256)
  swap(S[i], S[j])
  t = (S[i] + S[j]) (mod 256)
• The above code is repeated for every byte of plaintext to create a new key element in the keystream

RC4 Encryption and Decryption

• Once 't' has been created, the plaintext byte is encrypted with 't' to create the ciphertext byte.
for each message byte Mi
  Ci = Mi XOR S[t]
• Decryption is the reverse process


RC4 Overview


RC4 Security
• claimed secure against known attacks
• have some analyses, none practical
• result is very non-linear
• since RC4 is a stream cipher, must never reuse a key
• have a concern with WEP, but due to key handling rather than RC4 itself


RC5
• RC5 is a symmetric encryption algorithm developed by Ron Rivest and was designed to have the following characteristics:
a) Suitable for hardware or software
b) Fast
c) Adaptable to processors of different word lengths
d) Variable number of rounds
e) Variable-length key
f) Simple
g) Low memory requirement
h) High security
i) Data-dependent rotations

RC5 Parameters
RC5 is word-oriented: two-word input and two-word output
Representation
  Word size: w (16, 32, 64)
  Number of rounds: r (0, 1, …, 255)
  Number of bytes in key K: b (0, 1, …, 255)
RC5 algorithm notation: RC5-w/r/b

For example, RC5-32/12/16 has 32-bit words (64-bit plaintext and ciphertext blocks), 12 rounds in the encryption and decryption algorithms, and a key length of 16 bytes. This is considered the nominal version.


RC5 Key Expansion

• RC5 performs complex operations on the secret key to generate a total of t subkeys, which are stored in an S-array, S[0], S[1], …, S[t-1]
• Each subkey is one word (w bits) in length
• Two subkeys are used in each round, and two more subkeys are used outside the r rounds, so t = 2r + 2
• In key expansion, magic constants are used:
  Pw = Odd((e - 2) · 2^w); e = 2.718281828… (base of natural logarithms)
  Qw = Odd((φ - 1) · 2^w); φ = 1.618033988… (golden ratio = (1 + sqrt(5))/2)
  Odd(x): odd integer nearest to x
• Using the allowable values of w, the constants (in hexadecimal) are

w    16    32        64
Pw   B7E1  B7E15163  B7E151628AED2A6B
Qw   9E37  9E3779B9  9E3779B97F4A7C15


Key Expansion Algorithm

• Step-1: Convert secret key bytes to words
  The b-byte key K (K[0], K[1], …, K[b-1]) is converted to the word array L[0], L[1], …, L[c-1]
• Step-2: Initialize subkey array S (S[0], S[1], …, S[t-1])
S[0] = Pw;
for i = 1 to t-1 do
  S[i] = S[i-1] + Qw;
• Step-3: Mix the secret key into subkey array S
i = j = X = Y = 0;
do 3 * max(t, c) times:          (<<< denotes cyclic rotate left)
  X = S[i] = (S[i] + X + Y) <<< 3;
  Y = L[j] = (L[j] + X + Y) <<< (X + Y);
  i = (i + 1) mod t;
  j = (j + 1) mod c;

RC5 Key Expansion


RC5 Encryption
RC5 uses 3 primitive operations:
• Addition, subtraction (of words): modulo 2^w
• Bitwise XOR
• Left, right circular rotation

Encryption
LE0 = A + S[0];
RE0 = B + S[1];
for i = 1 to r do
  LEi = ((LEi-1 ⊕ REi-1) <<< REi-1) + S[2i];
  REi = ((REi-1 ⊕ LEi) <<< LEi) + S[2i+1];


RC5 Decryption
for i = r downto 1 do
  RDi-1 = ((RDi - S[2i+1]) >>> LDi) ⊕ LDi;
  LDi-1 = ((LDi - S[2i]) >>> RDi-1) ⊕ RDi-1;
B = RD0 - S[1];
A = LD0 - S[0];
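The RC5 key expansion (Steps 1 to 3), encryption and decryption above, as an added Python example that is not part of the slides, parameterised as RC5-w/r/b with the nominal RC5-32/12/16 as default. Two things the slides leave unstated are assumed here: key bytes and block halves are loaded into words little-endian (Rivest's reference convention), and the rotate amount is taken from the low log2(w) bits of the rotating word. The names expand_key, encrypt_block and decrypt_block are this example's own.

```python
MAGIC = {16: (0xB7E1, 0x9E37), 32: (0xB7E15163, 0x9E3779B9),
         64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15)}     # (Pw, Qw) from the table above

def rotl(x, n, w):
    n %= w                                   # only the low log2(w) bits of n matter
    return ((x << n) | (x >> (w - n))) & ((1 << w) - 1)

def rotr(x, n, w):
    n %= w
    return ((x >> n) | (x << (w - n))) & ((1 << w) - 1)

def expand_key(key: bytes, w=32, r=12) -> list:
    """Step-1 (key bytes -> L words), Step-2 (fill S with Pw, Qw), Step-3 (mix)."""
    u, mask, t = w // 8, (1 << w) - 1, 2 * r + 2
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):    # little-endian word load of K[0..b-1]
        L[i // u] = ((L[i // u] << 8) + key[i]) & mask
    Pw, Qw = MAGIC[w]
    S = [Pw]
    for i in range(1, t):
        S.append((S[i - 1] + Qw) & mask)
    i = j = X = Y = 0
    for _ in range(3 * max(t, c)):
        X = S[i] = rotl((S[i] + X + Y) & mask, 3, w)
        Y = L[j] = rotl((L[j] + X + Y) & mask, X + Y, w)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def encrypt_block(S: list, block: bytes, w=32, r=12) -> bytes:
    """Two-word block A||B: LE0 = A + S[0], RE0 = B + S[1], then r rounds."""
    u, mask = w // 8, (1 << w) - 1
    A = (int.from_bytes(block[:u], "little") + S[0]) & mask
    B = (int.from_bytes(block[u:], "little") + S[1]) & mask
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B, w) + S[2 * i]) & mask
        B = (rotl(B ^ A, A, w) + S[2 * i + 1]) & mask
    return A.to_bytes(u, "little") + B.to_bytes(u, "little")

def decrypt_block(S: list, block: bytes, w=32, r=12) -> bytes:
    """Inverse: subtract the subkey, rotate right, XOR, rounds in reverse order."""
    u, mask = w // 8, (1 << w) - 1
    A = int.from_bytes(block[:u], "little")
    B = int.from_bytes(block[u:], "little")
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & mask, A, w) ^ A
        A = rotr((A - S[2 * i]) & mask, B, w) ^ B
    A, B = (A - S[0]) & mask, (B - S[1]) & mask
    return A.to_bytes(u, "little") + B.to_bytes(u, "little")
```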


RC5 Modes
To enhance the effectiveness of RC5 in interoperable implementations, there are four different modes of operation.
• RFC 2040 defines the 4 modes used by RC5:
• RC5 Block Cipher, is ECB mode
• RC5-CBC, is CBC mode
• RC5-CBC-PAD, is CBC with padding by bytes whose value is the number of padding bytes
• RC5-CTS, a variant of CBC which is the same size as the original message; it uses ciphertext stealing to keep the size the same as the original
