Twofish - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Twofish

Description:

Twofish: A 128-Bit Block Cipher,Bruce Schneier, John Kelsey, Doug Whiting, David ... A 128-bit symmetric block cipher. Key lengths of 128 bits, 192 bits, and 256 bits. ... – PowerPoint PPT presentation

Number of Views:1371
Avg rating:3.0/5.0
Slides: 23
Provided by: and6165
Category:
Tags: bit | twofish

less

Transcript and Presenter's Notes

Title: Twofish


1
Twofish
  • Twofish A 128-Bit Block Cipher,Bruce Schneier,
    John Kelsey, Doug Whiting, David Wagner, Chris
    Hall, Niels Ferguson http//www.counterpane.com/tw
    ofish.pdf
  • 128 bits block, with key of variable length up to
    256 bits.
  • Uses 16 rounds of Feistel Network

2
Twofish
  • Goals (per NIST)
  • A 128-bit symmetric block cipher.
  • Key lengths of 128 bits, 192 bits, and 256 bits.
  • No weak keys.
  • Efficiency, both on the Intel Pentium Pro and
    other software and hardware platforms.
  • Flexible design e.g., accept additional key
    lengths be implementable on a wide variety of
    platforms and applications and be suitable for a
    stream cipher, hash function, and MAC.
  • Simple design, both to facilitate ease of
    analysis and ease of implementation.

3
Twofish
  • Additional goals
  • Accept any key length up to 256 bits.
  • Encrypt data in less than 500 clock cycles per
    block on an Intel Pentium, Pentium Pro, and
    Pentium II, for a fully optimized version of the
    algorithm.
  • Be capable of setting up a 128-bit key (for
    optimal encryption speed) in less than the time
    required to encrypt 32 blocks on a Pentium,
    Pentium Pro, and Pentium II.
  • Encrypt data in less than 5000 clock cycles per
    block on a Pentium, Pentium Pro, and Pentium II
    with no key setup time.

4
Twofish
  • Additional goals
  • Not contain any operations that make it
    inefficient on other 32-bit microprocessors.
  • Not contain any operations that make it
    inefficient on 8-bit and 16-bit microprocessors.
  • Not contain any operations that reduce its
    efficiency on proposed 64-bit microprocessors
    e.g., Merced.
  • Not include any elements that make it
    inefficient in hardware.
  • Have a variety of performance tradeoffs with
    respect to the key schedule.

5
Twofish
  • Additional goals
  • Encrypt data in less than less than 10
    milliseconds on a commodity 8-bit microprocessor.
  • Be implementable on a 8-bit microprocessor with
    only 64 bytes of RAM.
  • Be implementable in hardware using less than
    20,000 gates.
  • Cryptographic Goals
  • 16-round Twofish (without whitening) should have
    no chosen-plaintext attack requiring fewer than
    280 chosen plaintexts and less than 2N time,
    where N is the key length.
  • 12-round Twofish (without whitening) should have
    no related-key attack requiring fewer than 264
    chosen plaintexts, and less than 2N/2 time, where
    N is the key length.

6
Twofish
  • Flexibility Goals
  • Have variants with a variable number of rounds.
  • Have a key schedule that can be precomputed for
    maximum speed, or computed on-the-fly for maximum
    agility and minimum memory requirements.
    Additionally, it should be suitable for dedicated
    hardware applications e.g., no large tables.
  • Be suitable as a stream cipher, one-way hash
    function, MAC, and pseudo-random number
    generator, using well-understood construction
    methods.
  • Have a family-key variant to allow for
    different, non-interoperable, versions of the
    cipher.

7
Public Key Cryptography
  • Symmetric Key Algorithms
  • Key agreement and change
  • Trust on all parties that have the key
  • Trust in the security level
  • Trust in not misusing keys
  • Public-key cryptography involves the use of two
    keys
  • a public-key, which may be known by anybody, and
    can be used to encrypt messages, and verify
    signatures
  • a private-key, known only to the recipient, used
    to decrypt messages, and sign (create) signatures

8
Public Key Cryptography
  • Public-key is easily computed from the private
    key and other information about the cipher (a
    polynomial time (P-time) problem)
  • Knowing the public-key and public description of
    the cipher, it is still computationally
    infeasible to compute the private key (an NP-time
    problem)
  • The public-key may be distributed to anyone
    wishing to communicate securely with its owner
    (although secure distribution of the public-key
    is a non-trivial problem - the key distribution
    problem)

9
Public Key Cryptography
  • Have three important classes of public-key
    algorithms
  • Public-Key Distribution Schemes (PKDS) - where
    the scheme is used to securely exchange a single
    piece of information (whose value depends on the
    two parties, but cannot be set). This value is
    normally used as a session key for a private-key
    scheme
  • Signature Schemes - used to create a digital
    signature only, where the private-key signs
    (create) signatures, and the public-key verifies
    signatures
  • Public Key Schemes (PKS) - used for encryption,
    where the public-key encrypts messages, and the
    private-key decrypts messages.
  • Any public-key scheme can be used as a PKDS, just
    by selecting a message which is the required
    session key
  • Many public-key schemes are also signature
    schemes (provided encryption decryption can be
    done in either order)

10
RSA
  • Named after their inventors Ron Rivest, Adi
    Shamir and L. Adleman
  • R L Rivest, A Shamir, L Adleman, "On Digital
    Signatures and Public Key Cryptosystems",
    Communications of the ACM, vol 21 no 2,
    pp120-126, Feb 1978
  • Public-key scheme which may be used for
    encrypting messages, exchanging keys, and
    creating digital signatures

11
RSA
  • Based on exponentiation in a finite (Galois)
    field over integers modulo a prime
  • exponentiation takes O((log n)3) operations
  • Security relies on the difficulty of calculating
    factors of large numbers
  • factorization takes O(e log n log log n)
    operations
  • (same as for discrete logarithms)
  • Main patent expired in 2000

12
RSA
  • Uses Euler ? function
  • ?(n) (0?bltn) g.c.d.(b,n) 1)
  • If p is prime than ?(p) ?
  • ?(mn) ?(m) ?(n), if g.c.d.(m,n) 1
  • RSA uses a generalization of Fermats Little
    Theorem due to Euler
  • If g.c.d.(a, m) 1, then a?(m)1 mod m

13
RSA
  • Key-Generation by each user consists of
  • Selecting two large primes at random (100
    digit), p, q
  • Calculating the system modulus Rpq p, q primes
  • selecting at random the encryption key e (usually
    3),
  • e lt R, gcd(e, ?(R)) 1
  • solving the congruence to find the decryption key
    d,
  • ed 1 mod ?(R) 0 ? d ? R
  • publishing the public encryption key K1e,R
  • securing the private decryption key K2d,p,q

14
RSA
  • Encryption of a message M to obtain ciphertext C
    is
  • C Me mod R
  • Decryption of a ciphertext C to recover the
    message M is
  • M Cd Me.d M1n?(R) M mod R
  • Note we still would need to prove that this
    holds for g.c.d.(M, R) ? 1

15
RSA
  • Example
  • p 11, q 47
  • R 517, ?(R) 460
  • e 3, d 307
  • M 26, C 1756 mod 517 515
  • M (large number) mod 517 26

16
RSA
  • The security of the RSA scheme rests on the
    difficulty of factoring the modulus of the scheme
    R
  • Best known factorization algorithm
    (Brent-Pollard) takes
  • operations on number R whose largest prime
    factor is p
  • Number Field Sieve takes an asymptotically
    heuristic running time of

17
RSA
  • Using Brent Pollard
  • Decimal Digits in R Bit Operations to Factor R
  • 20 7200
  • 40 3.11e06
  • 60 4.63e08
  • 80 3.72e10
  • 100 1.97e12
  • 120 7.69e13
  • 140 2.35e15
  • 160 5.92e16
  • 180 1.26e18
  • 200 (600 bits) 2.36e19

18
RSA
  • Most (all!!) computers can't directly handle
    numbers larger than 32-bits (64-bits on the very
    newest)
  • Need to use multiple precision arithmetic
    libraries to handle numbers this large
  • Multi-Precision Arithmetic
  • Involves libraries of functions that work on
    multiword (multiple precision) numbers
  • Classic references are in Knuth vol 2 -
    "Seminumerical Algorithms"
  • multiplication digit by digit

19
RSA
  • Multi-Precision Arithmetic
  • Exponentiation using square and multiply
  • A number of well known multiple precision
    libraries available - so don't reinvent the
    wheel!!!!
  • Can use special tricks when doing modulo
    arithmetic, especially with the modulo reductions

20
RSA
  • Primality Testing and RSA
  • The first stage of key-generation for RSA
    involves finding two large primes p, q
  • Because of the size of numbers used, must find
    primes by trial and error
  • Modern primality tests utilize properties of
    primes eg
  • an-1 1 mod n where GCD(a,n)1
  • all primes numbers 'n' will satisfy this equation
  • some composite numbers will also satisfy the
    equation, and are called pseudo-primes.

21
RSA
  • Primality Testing and RSA
  • Most modern tests guess at a prime number 'n',
    then take a large number (eg 100) of numbers 'a',
    and apply this test to each. If it fails the
    number is composite, otherwise it is is probably
    prime.
  • There are a number of stronger tests which will
    accept fewer composites as prime than the above
    test. eg

22
RSA
  • Chinese Remainder
  • a significant improvement in decryption speed for
    RSA can be obtained by using the Chinese
    Remainder theorem to work modulo p and q
    respectively
  • since p,q are only half the size of Rp.q and
    thus the arithmetic is much faster
  • CRT is used in RSA by creating two equations from
    the decryption calculation
  • M Cd mod R as follows
  • M1 M mod p (C mod p)d mod (p-1)
  • M2 M mod q (C mod q)d mod (q-1)
  • then the pair of equations M M1 mod p, M M2
    mod q has a unique solution by the CRT, given by
  • M ((M2 q - M1)u mod q p M1 where p.u mod q
    1
Write a Comment
User Comments (0)
About PowerShow.com