Development Milestones: DES, RSA
4.1 Basic Terms
4.1.3 Stream Ciphers and Block Ciphers
Most current methods work by either one of these two principles:
• In the first, a key-dependent generator produces a ‘wild’ (pseudorandom) bit sequence, the keystream, which is used like a one-time pad: it is XORed with the plaintext. The method’s entire security lies in that generator. For one thing, the sequence has to behave statistically perfectly; second, it must never be possible to recover the rest of the sequence, let alone the key, from a known part of it, or the method would fall to a known-plaintext attack. These methods are called stream ciphers. As the name implies, they are well suited to online encryption of message channels. The keystream can even be computed in advance, if need be, to speed up encryption during message bursts.
A stream cipher is also suitable for encrypting entire hard disks (provided no part of the keystream is ever used twice, e.g., when a sector is rewritten); more about this in Section 7.4. Thanks to XOR, the same program or device serves for both encryption and decryption. This is another point in favour of XOR over other combining operations, such as bytewise addition. RC4, A5, and SEAL are well-known stream ciphers; see also Chapter 5.
• A method working by the second principle groups bits and encrypts each group as a unit. This is called a block cipher. Simple character substitutions, for example, are block ciphers with 8-bit blocks; polyalphabetic methods use larger blocks (of the period length). My fcrypt program (Section 3.7) works with 256-byte blocks. In general, the bits of a block are linked in a complicated way, as we will see in our discussion of the DES algorithm.
In fact, the best-known and most secure algorithms are block ciphers. They have several advantages over stream ciphers:
• Confusion and diffusion can be combined, while stream ciphers normally use confusion only. So block ciphers can be more secure.
• A stream cipher must never reuse a keystream sequence (see Section 5.1.1, OFB mode); a block cipher does not carry this restriction, since the same key can be applied to any number of blocks.
• Block ciphers can be faster than stream ciphers.
You will find more information on how block ciphers are implemented in Section 5.1. Examples are DES, IDEA, RC5, and AES.
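The stream-cipher principle from the first bullet, and the keystream-reuse rule from the list above, as an added example (not code from the book). The keystream generator is a stand-in built from SHA-256 over key, nonce and a counter so that the example runs with the standard library alone; it illustrates the XOR mechanism and is not a recommendation for a particular cipher. The key and messages are constructed for the example.

```python
"""Stream cipher principle: key -> keystream, keystream XOR plaintext.

Added example, not from the book.  The generator below (SHA-256 of
key || nonce || counter) stands in for RC4/A5/SEAL so that the example is
self-contained; it is an illustration of the mechanism, not a recommendation.
"""
import hashlib


def keystream(key: bytes, length: int, nonce: bytes = b"") -> bytes:
    """Produce `length` keystream bytes from `key` (and an optional nonce).
    Nothing here depends on the plaintext, so it can be computed ahead of time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key: bytes, data: bytes, nonce: bytes = b"") -> bytes:
    """Encryption and decryption are the same operation, thanks to XOR."""
    return xor_bytes(data, keystream(key, len(data), nonce))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the SAME keystream: XORing them cancels the
    keystream and yields p1 XOR p2 without any knowledge of the key."""
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given p1 for one of the two messages, the other one falls out directly."""
    return xor_bytes(keystream_reuse_leak(c1, c2), known_p1)


if __name__ == "__main__":
    key = b"constructed demo key"                   # constructed for the example
    p1 = b"TRANSFER 100 EUR TO ACCOUNT 42"          # constructed sample messages
    p2 = b"TRANSFER 900 EUR TO ACCOUNT 17"
    c1 = stream_crypt(key, p1)
    print(stream_crypt(key, c1) == p1)              # same call decrypts
    c2 = stream_crypt(key, p2)                      # same key, same keystream: wrong
    print(recover_with_known_plaintext(c1, c2, p1))  # prints p2, key never needed
    c2_ok = stream_crypt(key, p2, nonce=b"msg-2")   # fresh keystream per message
    print(keystream_reuse_leak(c1, c2_ok) == xor_bytes(p1, p2))  # False
```

The last three lines are the practical point behind the second bullet: the same key may only be used with a different nonce (or counter position) per message, otherwise the keystream repeats and the cipher degrades to p1 XOR p2.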
Figure 4.2: Block ciphers and stream ciphers. (Stream cipher: the key drives a generator whose keystream is XORed with the plaintext to give the ciphertext. Block cipher: the key and the algorithm act on each plaintext block in turn.)
Stream ciphers and block ciphers also differ in their typical uses, though the boundary is not sharp: a block cipher can be run much like a stream cipher (e.g., in OFB mode; see Section 5.1.1).
We will look only at block algorithms in the following discussion.
4.1.4 Product Algorithms
Most modern block ciphers are product algorithms: simple, cryptologically rather weak steps are carried out one after the other. Such a step is called a round. You have already come across a seven-round product method. To confuse you properly, I’ll describe it like this:
• The first round is a polyalphabetic substitution with period 26: a fixed substitution is rotated cyclically by one position for each letter of the period, which gives 26 substitutions.
• The second round is similar, except that the rotation happens only after 26 letters (26 identical substitutions follow one another), which gives a period of 26^2 = 676.
• The third round has an analogous period of 26^3 = 17 576; here 676 identical substitutions follow one another.
• The fourth round is a fixed substitution.
• The fifth round is the inverse of the third, the sixth the inverse of the second, and the seventh the inverse of the first.
• Moreover, certain letter pairs are swapped before the first round and after the seventh, which is a particularly simple transposition. (Strictly speaking, that makes nine rounds.)
You recognize the method? Right, it’s the Enigma. You already know that the Enigma is more secure than any single substitution. The third round by itself would be statistically easy to break: each of its substitutions stays fixed for 676 letters, so we would only have to solve those runs of 676 letters as simple substitutions and derive the rotor positions from them. But precisely because this third round is combined with the other rounds, the method obtains the large period of 17 576, which is so critical for its security.
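The seven rounds listed above, written out as code so that the product structure can be inspected round by round. This is an added example and not code from the book: the rotor, reflector and plugboard wirings are constructed from a seeded generator (they are not the historical Enigma wirings), and the stepping is a plain odometer with periods 26, 26^2 and 26^3 as in the description, without the real machine’s double-step or ring settings. `round_substitution` returns the 26-letter substitution a single rotor applies at a given letter position, which is what makes the ‘676 identical substitutions’ in the third round visible.

```python
"""The Enigma as a product of rounds, in the decomposition the text gives:
three rotating substitutions (periods 26, 26**2, 26**3), a fixed substitution
(the reflector), the three inverses in reverse order, and a plugboard swap of
letter pairs before the first round and after the last.

Added example, not from the book.  All wirings are constructed from a seeded
generator and are NOT the historical wirings; stepping is a plain odometer.
"""
import random
import string

ALPHABET = string.ascii_uppercase
M = len(ALPHABET)  # 26


def _inverse(perm):
    inv = [0] * M
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def _rotation_symmetric(perm):
    """True if shifting the wiring by some k leaves it unchanged; such a rotor
    would not yield 26 distinct substitutions, so make_machine rejects it."""
    return any(all(perm[(c + k) % M] == (perm[c] + k) % M for c in range(M))
               for k in range(1, M))


def make_machine(seed=7):
    """Constructed wirings (assumption: a seeded shuffle, not a real Enigma)."""
    rng = random.Random(seed)
    rotors = []
    while len(rotors) < 3:
        perm = list(range(M))
        rng.shuffle(perm)
        if not _rotation_symmetric(perm):
            rotors.append(perm)
    # Reflector: 13 disjoint letter pairs, i.e. a fixed-point-free involution.
    order = list(range(M))
    rng.shuffle(order)
    reflector = [0] * M
    for i in range(0, M, 2):
        a, b = order[i], order[i + 1]
        reflector[a], reflector[b] = b, a
    # Plugboard: six letter pairs swapped, the remaining letters unchanged.
    rng.shuffle(order)
    plugboard = list(range(M))
    for i in range(0, 12, 2):
        a, b = order[i], order[i + 1]
        plugboard[a], plugboard[b] = b, a
    return {"rotors": rotors, "inverses": [_inverse(r) for r in rotors],
            "reflector": reflector, "plugboard": plugboard}


def rotor_offsets(position):
    """Odometer stepping: rotor k advances once every 26**k letters, so the
    substitution it applies repeats with period 26, 676 and 17 576."""
    return [(position // M ** k) % M for k in range(3)]


def _through(c, wiring, offset):
    # A rotor at `offset` applies its fixed wiring shifted by `offset`.
    return (wiring[(c + offset) % M] - offset) % M


def round_substitution(machine, k, position):
    """The 26-letter substitution rotor k (0, 1, 2) applies to the letter at
    `position`: one round of the product cipher, as a string."""
    off = rotor_offsets(position)[k]
    return "".join(ALPHABET[_through(c, machine["rotors"][k], off)]
                   for c in range(M))


def encipher_letter(machine, c, position):
    off = rotor_offsets(position)
    c = machine["plugboard"][c]                    # pair swap before round 1
    for k in range(3):                             # rounds 1-3
        c = _through(c, machine["rotors"][k], off[k])
    c = machine["reflector"][c]                    # round 4: fixed substitution
    for k in (2, 1, 0):                            # rounds 5-7: inverses of 3, 2, 1
        c = _through(c, machine["inverses"][k], off[k])
    return machine["plugboard"][c]                 # pair swap after round 7


def enigma(machine, text):
    """Encrypt or decrypt (the same operation) a string of letters A-Z."""
    if any(ch not in ALPHABET for ch in text):
        raise ValueError("letters A-Z only")
    return "".join(ALPHABET[encipher_letter(machine, ALPHABET.index(ch), i)]
                   for i, ch in enumerate(text))


if __name__ == "__main__":
    m = make_machine()
    ct = enigma(m, "ATTACKATDAWN")
    print(ct, enigma(m, ct))                       # the same call decrypts
    # Round 3 keeps one substitution for 676 letters and then changes:
    print(round_substitution(m, 2, 0) == round_substitution(m, 2, 675),
          round_substitution(m, 2, 0) == round_substitution(m, 2, 676))
```

Because rounds 5 to 7 are the inverses of rounds 3 to 1 and the reflector is an involution without fixed points, the whole product is again an involution without fixed points: the same call decrypts, and no letter is ever enciphered to itself, which is the structural weakness the text's later chapters rely on.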
So, cleverly combining simple methods increases the security dramatically. That’s similar to solving equations:
• Linear equations in the form ax+b=c are trivially solvable.
• To solve quadratic equations, we know the formula from school.
• To solve cubic equations, things are getting a bit more complex: we need several formulas with some kind of case differentiation.
• The solution formulas for fourth-order equations are pretty complex, but still solvable.
• In contrast, it has been proven that there is no general solution formula using only the fundamental arithmetic operations and roots for equations of fifth order and higher. This is a qualitative leap. Of course, there are still solution formulas for special fifth-order equations, and the general solution can be written in closed form if you admit special, non-elementary functions.
These statements transfer easily to the cryptanalysis of product algorithms: product formation does not always increase the security; on the other hand, there appear to be ‘sound barriers’. For example, the most effective cryptanalyses of the DES algorithm get stuck after eight rounds, when things get much harder.
Nobody can prove when and why this is so; all there is are indications (for example, making differential cryptanalysis harder; see Section 4.4.2). Using product formation can sometimes even lead to the opposite. We will discuss an interesting example in the next section.
4.1.5 The Image Is Gone, But We Still See It
The following example of a repeated image transformation was taken from [Crutch]. I wrote an identical program; it is included on our Web site (it’s a program called book/trans/trans.c; see Appendix A.1) so that UNIX users can experience the same surprise on the screen I had. The program vividly demonstrates the effects of a product algorithm, and how one can get lulled into a false sense of security.
For the sake of simplicity, we take any square image (rectangular formats would also do the job, but they are more clumsy to handle). We take the image and do a simple transformation: the image is right-rotated by 90 degrees and distorted, as shown in Figure 4.3. We cut off the two protruding ends and paste them as follows.
We repeat this transformation until the image appears gray. I used the ‘Escher knot’ included as bitmap in the X Window system and changed it to 216×216 format. You can see the first few transformations in Figure 4.4.
The image will never turn uniformly gray, but it looks well mixed. Let’s continue following the image series. We will see blurred rings that disappear again after 24 rounds. Such diffuse appearances alternate cyclically with the ‘chaos’. However, a clear structure appears again after 64 rounds, becomes gradually clearer, and, to our surprise, peaks in the original image after 72 iterations (Figure 4.5).
Figure 4.5: The transformation apparently produces the original image after 72 rounds.
How is this possible? A closer look reveals that, as a map of the continuous square, the transformation really does produce chaos: after 72 rounds the image is totally mixed up, almost everywhere. ‘Almost’ is the point: on the raster of 216×216 dots the map is merely a permutation of finitely many pixels, and any permutation of a finite set returns to its starting arrangement after finitely many steps, here 72. Mathematically the image is gray almost everywhere, except on the raster dots, and exactly these dots are what the screen shows. The image is no longer there, but we still see it!
It is only because the human brain constructs an image from neighboring dots that we can see the risk this kind of encryption mechanism would create. Had we transformed the bits of a text instead, we would have been fooled by the appearance of randomness: when bits within a close neighborhood remain strongly correlated (i.e., when only very few of them are genuinely random with respect to one another), it may still be possible to reconstruct the original text. . .
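The experiment described above, as an added example (not the book’s trans.c). Figure 4.3, which fixes the exact cut-and-paste of the rotated image, is not reproduced on this page, so the code uses a stand-in of the same kind: the integer map (x, y) → (x + y mod N, x) on an N×N grid, a shear followed by a swap of the two axes. That choice is an assumption, but on the 216×216 grid used in the text it likewise returns the original image after 72 rounds. `structure` is a crude measure of how mixed the image looks (the fraction of neighboring pixels that agree), and `period_of_map` computes the round count after which every pixel is back in place from the 2×2 matrix alone. The test image is constructed.

```python
"""A repeated image transformation as a product of simple permutations.

Added example, not the book's trans.c.  Stand-in map (assumption, since
Figure 4.3 is not reproduced): (x, y) -> ((x + y) mod N, x), a shear
followed by an axis swap.  On a 216 x 216 grid it returns the original
image after 72 rounds, as the text reports for its transformation.
"""

N = 216


def make_image(n):
    """Constructed test image: a filled disc plus an off-centre bar, as a flat
    list of n*n pixels (0 = white, 1 = black); pixel (x, y) sits at y*n + x."""
    img = [0] * (n * n)
    cx = cy = n // 2
    r2 = (n // 4) ** 2
    for y in range(n):
        for x in range(n):
            if (x - cx) ** 2 + (y - cy) ** 2 <= r2:
                img[y * n + x] = 1
    for y in range(n // 10, n // 10 + 8):
        for x in range(n // 2):
            img[y * n + x] = 1
    return img


def source_indices(n):
    """For each destination pixel, the index of the pixel that lands there:
    the map sends (x, y) to ((x + y) mod n, x)."""
    src = [0] * (n * n)
    for y in range(n):
        for x in range(n):
            src[x * n + (x + y) % n] = y * n + x
    return src


def transform(img, n, rounds):
    """Apply the map `rounds` times; one application is one 'round'."""
    src = source_indices(n)
    for _ in range(rounds):
        img = [img[s] for s in src]
    return img


def structure(img, n):
    """Fraction of horizontally and vertically adjacent pixel pairs (with
    wrap-around) that agree: 1.0 for a flat image, about 0.5 for noise."""
    same = 0
    for y in range(n):
        for x in range(n):
            p = img[y * n + x]
            same += p == img[y * n + (x + 1) % n]
            same += p == img[((y + 1) % n) * n + x]
    return same / (2 * n * n)


def period_of_map(n):
    """Order of the matrix [[1, 1], [1, 0]] modulo n: the number of rounds after
    which every pixel is back where it started.  Found on the 2x2 matrix, so
    it is cheap even for large grids."""
    a, b, c, d = 1, 1, 1, 0          # the matrix itself, i.e. its first power
    k = 1
    while (a, b, c, d) != (1, 0, 0, 1):
        a, b, c, d = (a + b) % n, a, (c + d) % n, c   # multiply by the matrix
        k += 1
    return k


if __name__ == "__main__":
    original = make_image(N)
    print("period on a %dx%d grid: %d rounds" % (N, N, period_of_map(N)))
    for r in (0, 1, 5, 10, 36, 72):
        cur = transform(original, N, r)
        print("round %2d: structure %.3f  identical to original: %s"
              % (r, structure(cur, N), cur == original))
```

The structure value drops within a few rounds to what noise would give, which is exactly the ‘looks well mixed’ state of the text, and yet round 72 reproduces the input bit for bit. Changing N changes the period (it is a property of the matrix modulo N, not of the image), which is why mixing alone says nothing about security.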
Of course, this is a malicious, fabricated example. Still, we should bear it in mind. Product algorithms can have excellent properties, but they have to be studied as critically as all others. Mixing things up or creating plain ‘chaos’ is never a guarantee of security.