
DOUBLE DES

— Given a plaintext P and two encryption keys K1 and K2, ciphertext C is generated as
o C = E(K2, E(K1, P))
— Decryption requires that the keys be applied in reverse order:
o P = D(K1, D(K2, C))
— For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, resulting in
a dramatic increase in cryptographic strength

MEET-IN-THE-MIDDLE ATTACK
— The use of double DES results in a mapping that is not equivalent to a single DES
encryption
— The meet-in-the-middle attack algorithm will attack this scheme and does not depend
on any particular property of DES but will work against any block encryption cipher
— Given a known pair, (P, C), the attack proceeds as follows:
o First, encrypt P for all possible values of K1 and store results in a sorted table
o Next, decrypt C using all possible values of K2
o After each decryption, check the table for a match.
o If a match occurs, then test the two resulting keys against a new known
plaintext–ciphertext pair
o If the two keys produce the correct ciphertext, accept them as the correct keys.
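
The procedure above, run end to end as an added example (not part of the original notes). The 16-bit toy cipher, the 12-bit key size and the names enc, dec and meet_in_the_middle are assumptions chosen so both sweeps finish instantly; what it shows is the work factor, about 2 x 2^12 cipher operations instead of the 2^24 that a 24-bit combined key suggests.

```python
from collections import defaultdict

MASK = 0xFFFF                        # toy cipher: 16-bit blocks
KEY_BITS = 12                        # toy key size, so each sweep is 4096 trials
MUL = 0x6487                         # odd constant, invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def enc(k, x):
    # Four rounds of key-XOR, multiply, rotate: a stand-in for E(K, .), not DES.
    for r in range(4):
        x = rotl(((x ^ (k + r * 0x1D3)) * MUL) & MASK, 5)
    return x

def dec(k, y):
    for r in reversed(range(4)):
        y = ((rotl(y, 11) * MUL_INV) & MASK) ^ (k + r * 0x1D3)
    return y

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))       # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, upper bound on single-cipher operations)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)        # middle value X = E(K1, P) -> every K1 giving X
    for k1 in range(1 << KEY_BITS):
        table[enc(k1, p0)].append(k1)
    ops, found = 1 << KEY_BITS, []
    for k2 in range(1 << KEY_BITS):
        ops += 1
        for k1 in table.get(dec(k2, c0), ()):
            # A match on one pair is often a false alarm; confirm on the others.
            ops += 2 * len(rest)
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

# Constructed sample: secret keys and three known plaintext/ciphertext pairs.
K1, K2 = 0x3A7, 0xC51
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    keys, ops = meet_in_the_middle(PAIRS)
    print(keys, ops, "vs brute force", 1 << (2 * KEY_BITS))
```

Because the block is only 16 bits wide, a single pair leaves many false matches in the table lookup; the extra pairs play the role of the "new known plaintext–ciphertext pair" in the steps above.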

TRIPLE-DES WITH TWO-KEYS


— Obvious counter to the meet-in-the-middle attack is to use three stages of encryption
with three different keys
— This raises the cost of the meet-in-the-middle attack to 2^112, which is impractical
— Has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be
somewhat unwieldy
— As an alternative Tuchman proposed a triple encryption method that uses only two keys

TRIPLE DES WITH THREE KEYS


— Many researchers now feel that three-key 3DES is the preferred alternative

— A number of Internet-based applications have adopted three-key 3DES, including PGP
and S/MIME
WHY BLOCK CIPHER OPERATIONS
— Block encryption can only be performed on a single block of data
— Block size is usually small (16-byte blocks for AES)
— Message to be sent is usually large (web page + assets ≈ 500kB)
— Need a way to repeatedly apply the cipher with the same key to a large message
o By using different modes of operation, messages of an arbitrary length can be
split into blocks and encrypted using a block cipher.
o Each mode of operation describes how a block cipher is repeatedly applied to
encrypt a message and each has certain advantages and disadvantages.
MODES OF OPERATION
— A technique for enhancing the effect of a cryptographic algorithm or adapting the
algorithm for an application
— To apply a block cipher in a variety of applications, five modes of operation have been
defined by NIST
o The five modes are intended to cover a wide variety of applications of
encryption for which a block cipher could be used
o These modes are intended for use with any symmetric block cipher, including
triple DES and AES
BLOCK CIPHER MODES OF OPERATIONS

ELECTRONIC CODEBOOK MODE (ECB)

— Ideal for a short amount of data


— If the same b -bit block of plaintext appears more than once in a message, it always
produces the same ciphertext
— Weak for lengthy messages, e.g.,
o If it is known that the message always starts out with certain predefined fields
o If the message has repetitive elements with a period of repetition a multiple of b
bits
CRITERIA AND PROPERTIES FOR EVALUATING AND CONSTRUCTING BLOCK
CIPHER MODES OF OPERATION THAT ARE SUPERIOR TO ECB:
— Overhead: The additional operations for the encryption and decryption operation when
compared to encrypting and decrypting in the ECB mode.
— Error recovery: The property that an error in the i-th ciphertext block is inherited by
only a few plaintext blocks after which the mode resynchronizes.
— Error propagation: The property that an error in the i-th ciphertext block is inherited
by the i-th and all subsequent plaintext blocks.
— Diffusion: How the plaintext statistics are reflected in the ciphertext
— Security: Whether or not the ciphertext blocks leak information about the plaintext
blocks
CIPHER BLOCK CHAINING (CBC)

CBC PROPERTIES

— Identical plaintexts result in identical ciphertexts when the same plaintext is enciphered
using the same key and IV. Changing at least one of [k, IV, m0] affects this.
— Rearrangement of ciphertext blocks affects decryption, because ciphertext block cj depends on
all of [p0, p1, · · · , pj].
— Error propagation:
o Bit error in ciphertext cj affects deciphering of cj and cj+1. Recovered block pj
typically results in random bits.
o Bit errors in recovered block pj+1 are precisely where cj was in error
o Attacker can cause predictable bit changes in pj+1 by altering cj.
— Bit recovery:
o CBC is self-synchronising: if a bit error occurs in cj but not in cj+1, then cj+2
correctly decrypts to pj+2.
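
The ECB weakness and the CBC error-propagation properties listed above, checked in code as an added example (not part of the original notes). The block cipher here is an assumed stand-in, a toy 4-round Feistel network built on SHA-256, and all names and sample values are constructed for illustration.

```python
import hashlib

BS = 16                                   # block size in bytes (b = 128 bits)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def blocks(data): return [data[i:i + BS] for i in range(0, len(data), BS)]

def _feistel(key, block, rounds):
    # Toy 4-round Feistel network keyed through SHA-256; stands in for AES/DES.
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def E(key, block): return _feistel(key, block, range(4))
def D(key, block): return _feistel(key, block, reversed(range(4)))

def ecb_encrypt(key, pt): return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev))       # c_j = E(k, p_j XOR c_{j-1}), c_{-1} = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))  # p_j = D(k, c_j) XOR c_{j-1}
        prev = c
    return b"".join(out)

def repeated_blocks(ct): return len(blocks(ct)) - len(set(blocks(ct)))

def error_pattern(key, iv, pt, j, mask):
    """XOR mask into byte 0 of c_j; return per-block XOR of sent vs recovered plaintext."""
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[j * BS] ^= mask
    return [xor(a, b) for a, b in zip(blocks(pt), blocks(cbc_decrypt(key, iv, bytes(ct))))]

# Constructed sample values; blocks 0 and 2 of the message are identical.
KEY, IV = b"constructed-key!", bytes(range(BS))
PT = b"A" * BS + b"B" * BS + b"A" * BS + b"C" * BS

if __name__ == "__main__":
    print(repeated_blocks(ecb_encrypt(KEY, PT)), repeated_blocks(cbc_encrypt(KEY, IV, PT)))
    print([d.hex() for d in error_pattern(KEY, IV, PT, 1, 0x01)])
```

The second line of output shows block 1 garbled, block 2 differing in exactly the altered bit, and blocks 0 and 3 intact, which is why CBC ciphertext needs a separate integrity check before the plaintext is trusted.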
CIPHER FEEDBACK MODE
— For AES, DES, or any block cipher, encryption is performed on a block of b bits. In the
case of DES, b = 64; in the case of AES, b = 128

S-BIT CIPHER FEEDBACK (CFB) MODE

OUTPUT FEEDBACK (OFB) MODE


OFB PROPERTIES
— Identical plaintext results in identical ciphertext when the same plaintext is enciphered
using the same key and IV/nonce
o Chaining Dependencies: (Same as a stream cipher) The key stream is plaintext
independent.
o Error propagation: (Same as a stream cipher) Bit errors in ciphertext blocks
cause errors in the same position in the plaintext.
o Error recovery: (Same as a stream cipher) Recovers from bit errors, but not bit
loss
o Throughput: Key stream may be calculated independently — e.g.
precomputed — before encryption/decryption.
o IV must change: Otherwise it becomes a two-time pad.

COUNTER (CTR) MODE

CTR PROPERTIES
— Identical plaintext results in identical ciphertext when the same plaintext is enciphered
using the same key and IV/Counter.
o Chaining Dependencies: (Same as a stream cipher) The key stream is plaintext
independent.
o Error propagation: (Same as a stream cipher) Bit errors in ciphertext blocks
cause errors in the same position in the plaintext.
o Error recovery: (Same as a stream cipher) Recovers from bit errors, but not bit
loss (misalignment of key stream)
o Throughput: Both encryption and decryption can be randomly accessed and/or
parallelised: the best we could hope for.
o IV must change: Otherwise it becomes a two-time pad
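
The stream-cipher properties listed for OFB and CTR above, shown for CTR as an added example (not part of the original notes): key-stream reuse, same-position bit errors, random access, and a guard that refuses a repeated nonce. The SHA-256 based key stream is an assumed stand-in for E(K, nonce || counter), and NonceGuard and the sample messages are constructed for illustration.

```python
import hashlib

BS = 16                                   # block size in bytes

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, nonce, first, nblocks):
    # Stand-in for E(K, nonce || counter): SHA-256 truncated to one block (assumption).
    return b"".join(
        hashlib.sha256(key + nonce + (first + i).to_bytes(8, "big")).digest()[:BS]
        for i in range(nblocks))

def ctr_xor(key, nonce, data, first=0):
    """CTR encryption and decryption are the same XOR; first is the starting counter."""
    return xor(data, keystream(key, nonce, first, -(-len(data) // BS)))

class NonceGuard:
    """Refuse to encrypt twice under the same (key, nonce) pair."""
    def __init__(self):
        self.seen = set()
    def encrypt(self, key, nonce, data):
        if (key, nonce) in self.seen:
            raise ValueError("nonce reuse under this key: key stream would repeat")
        self.seen.add((key, nonce))
        return ctr_xor(key, nonce, data)

# Constructed sample values: two 48-byte messages that differ in one character.
KEY, NONCE = b"constructed-key!", b"nonce-01"
P1 = b"2024-01-05 backup job finished, 0 errors found.."
P2 = b"2024-01-06 backup job finished, 3 errors found.."

def reuse_leak():
    # Same key and nonce twice: the key stream cancels, so c1 XOR c2 == p1 XOR p2.
    c1, c2 = ctr_xor(KEY, NONCE, P1), ctr_xor(KEY, NONCE, P2)
    return xor(c1, c2) == xor(P1, P2)

def bit_error_position():
    # One flipped ciphertext bit flips the same plaintext bit and nothing else.
    ct = bytearray(ctr_xor(KEY, NONCE, P1))
    ct[20] ^= 0x04
    return xor(P1, ctr_xor(KEY, NONCE, bytes(ct)))

def random_access(block_index):
    # Decrypt one block without touching the others by starting the counter there.
    part = ctr_xor(KEY, NONCE, P1)[block_index * BS:(block_index + 1) * BS]
    return ctr_xor(KEY, NONCE, part, first=block_index)
```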

ADVANTAGES OF CTR
— Can do in parallel
o Hardware efficiency
o Software efficiency
— Pre-processing
— Random access
o Blocks can be encrypted/decrypted independently
— Provable security
o As secure as other modes
— Simplicity
o Encryption algorithm only
FEEDBACK CHARACTERISTICS OF MODES OF OPERATION
— The input registers are updated according to the output register
— Both OFB and CTR produce output that is independent of both the plaintext and the
ciphertext.

XTS-AES MODE FOR BLOCK-ORIENTED STORAGE DEVICES


— Approved as an additional block cipher mode of operation by NIST in 2010
— Mode is also an IEEE Standard, IEEE Std 1619-2007
o Standard describes a method of encryption for data stored in sector-based
devices where the threat model includes possible access to stored data by the
adversary
o Has received widespread industry support
— XEX-based Tweaked-codebook mode with ciphertext Stealing (XTS)
— Xor–encrypt–xor (XEX)
TWEAKABLE BLOCK CIPHERS
— XTS-AES mode is based on the concept of a tweakable block cipher
— General structure:
— Has three inputs:
— Tweak need not be kept secret
o Purpose is to provide variability

TWEAKABLE BLOCK CIPHER

XTS-AES OPERATION ON SINGLE BLOCK


XTS-AES MODE

— Suitable for parallel operation, like CTR

— If the last block has fewer than 128 bits, the last two blocks use a ciphertext-stealing
technique instead of padding.
SUMMARY
— Multiple encryption and triple DES
o Double DES
o Triple DES with two keys
o Triple DES with three keys
— Electronic code book
— Cipher block chaining mode
— Cipher feedback mode
— Output feedback mode
— Counter mode
— XTS-AES mode for block-oriented storage devices
o Storage encryption requirements
o Operation on a single block
o Operation on a sector
