DES computations. Given that with today's technology even 2^56 DES operations require several days with special hardware, performing 2^88 encryptions is completely out of reach. Note that the number of plaintexts (which Oscar is not supposed to know in most circumstances) corresponds to 32 GByte of data, the collection of which is also a formidable task in most real-world situations.
A particularly attractive feature of key whitening is that the additional computational load is negligible. A typical block cipher implementation in software requires several hundred instructions for encrypting one input block. In contrast, a 64-bit XOR operation only takes 2 instructions on a 32-bit machine, so that the performance impact due to key whitening is in the range of 1% or less in most cases.
5.4 Discussion and Further Reading
Modes of Operation After the AES selection process, the US National Institute of Standards and Technology (NIST) supported the process of evaluating new modes of operation in a series of special publications and workshops [124]. Currently, there are eight approved block cipher modes: five for confidentiality (ECB, CBC, CFB, OFB, CTR), one for authentication (CMAC) and two combined modes for confidentiality and authentication (CCM, GCM). The modes are widely used in practice and are part of many standards, e.g., for computer networks or banking.
Other Applications for Block Ciphers The most important application of block ciphers in practice, in addition to data encryption, is Message Authentication Codes (MACs), which are discussed in Chap. 12. The schemes CBC-MAC, OMAC and PMAC are constructed with a block cipher. Authenticated Encryption (AE) uses block ciphers to both encrypt and generate a MAC in order to provide confidentiality and authentication, respectively. In addition to the GCM introduced in this chapter, other AE modes include the EAX mode, OCB mode, and GC mode.
Another application is Cryptographically Secure Pseudo Random Number Generators (CSPRNGs) built from block ciphers. In fact, the stream cipher modes introduced in this chapter, OFB, CFB and CTR mode, form CSPRNGs. There are also standards such as [4, Appendix A.2.4] which explicitly specify random number generators from block ciphers.
Block ciphers can also be used to build cryptographic hash functions, as discussed in Chap. 11.
Extending Brute-Force Attacks Even though there are no algorithmic shortcuts to brute-force attacks, there are methods which are efficient if several exhaustive key searches have to be performed. Those methods are called time-memory tradeoff attacks (TMTO). The general idea is to encrypt a fixed plaintext under a large number of keys and to store certain intermediate results. This is the precomputation phase, which is typically at least as complex as a single brute-force attack and which results in large lookup tables. In the online phase, a search through the tables takes place which is considerably faster than a brute-force attack. Thus, after the precomputa-
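The two phases described above, precomputation (chains of "encrypt fixed plaintext, map result back to a key") that store only endpoints, and an online lookup that walks at most one chain length, as an added example that is not from the book. It uses a constructed 16-bit keyed map in place of a real block cipher so that the whole tradeoff runs in seconds; the functions, the reduction function and the chain parameters are assumptions of this example.

```python
import hashlib
import random

KEY_BITS = 16                      # toy key space (N = 2^16) so the demo runs in seconds
KEY_MASK = (1 << KEY_BITS) - 1
FIXED_PLAINTEXT = b"fixed-plaintext-block"   # constructed: the fixed plaintext P0

def toy_encrypt(key: int) -> int:
    """Stand-in for E_k(P0): 16-bit key, 16-bit output (constructed, not a real cipher)."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + FIXED_PLAINTEXT).digest()
    return int.from_bytes(digest[:2], "big")

def reduce_to_key(ciphertext: int) -> int:
    """Reduction function R: maps a ciphertext back into the key space (Hellman style)."""
    return ciphertext & KEY_MASK

def step(key: int) -> int:
    """One chain step: k -> R(E_k(P0))."""
    return reduce_to_key(toy_encrypt(key))

def precompute(m: int, t: int, seed: int = 1) -> dict:
    """Precomputation phase: m chains of length t, costing m*t encryptions.
    Only (endpoint -> startpoint) pairs are stored; that is the memory side of the tradeoff."""
    rng = random.Random(seed)
    table = {}
    for _ in range(m):
        start = rng.getrandbits(KEY_BITS)
        k = start
        for _ in range(t):
            k = step(k)
        table.setdefault(k, start)  # chains that merge share an endpoint; later ones are lost
    return table

def online_search(table: dict, t: int, y: int):
    """Online phase: find k with E_k(P0) == y using at most t chain steps plus lookups.
    Returns None when the target key is not covered by any stored chain."""
    z = reduce_to_key(y)
    for j in range(1, t + 1):       # if k sits in column t-j of a chain, z is that chain's endpoint now
        if z in table:
            cand = table[z]
            for _ in range(t - j):  # regenerate the chain from its start point up to column t-j
                cand = step(cand)
            if toy_encrypt(cand) == y:  # endpoint matches can be false alarms, so verify
                return cand
        z = step(z)
    return None

if __name__ == "__main__":
    # Hellman's rule of thumb m*t^2 ~ N keeps chain merging moderate; here 64*32^2 = 2^16.
    tbl = precompute(m=64, t=32)
    target = random.Random(1).getrandbits(KEY_BITS)      # the start point of chain 0
    print("recovered:", online_search(tbl, 32, toy_encrypt(target)), "expected:", target)
```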