We won't talk in much detail about modern symmetric ciphers in this course.
There are a couple reasons for this.
One is that I want to get on to uses of ciphers,
which I think is more important and more interesting for most people.
Very few people today need to implement a cipher.
You really should use library implementations of ciphers in any serious application.
It's certainly useful to understand more about what's going on beneath the scenes.
But even fewer people should be designing new ciphers.
You would have to have very unique requirements to think
that you're better off designing a new cipher yourself than using
a standard well-accepted carefully analyzed cipher.
Most of the time we've used ciphers as black boxes
that are taking in messages and keys and outputting ciphertext
and assuming that they have the properties that we need.
Certainly we've proven that no cipher really does.
We've shown that the only way for a cipher to be perfect
is if the key space is at least as big as the message space.
That's impractical for any useful use.
We can group modern ciphers into two types.
There are stream ciphers and block ciphers.
The difference is that with a stream cipher we've got a stream of data,
and our cipher can encrypt small chunks at a time.
You can think of the data streaming through the cipher,
encrypting usually at the level of one byte at a time,
whereas with the block cipher we think of our data in larger chunks,
and the cipher encrypts a block at a time.
Usually a block size is at least 64 bits and can be longer up to 128 or 256 bits.
These are sort of really the same thing.
The only difference is changing the block size.
If the block size is small enough, it would become a stream cipher.
If the block size is large enough, we can think of it as a block cipher.
But there are enough differences in the way you build ciphers
that different ciphers are designed for each purpose.
The most important block cipher today is known as AES,
and this stands for the Advanced Encryption Standard.
AES is a block cipher. It works on blocks of 128 bits.
AES is the result of the competition that was run by the United States
National Institute of Standards and Technology, more commonly known as NIST.
This competition was started in 1997 to find a cipher to replace DES,
which was the Data Encryption Standard, which had been a standard for the previous 30 years.
That contest ran from 1997. They had a very open process.
This is very unlike the process that was used to select DES as the previous recommended cipher.
This led to 15 submissions for round 1.
Some of these were actually completely broken.
Others were rejected for other reasons.
This was narrowed down to five finalists, none of which were seriously broken,
and one winner, which was selected.
The main criterion for selecting the winner of AES was the security of the ciphers,
and this is really the hardest thing to measure.
We've seen that other than the one-time pad
provable security is not achievable for most ciphers
and not achievable for any cipher that was a candidate for AES.
The way this was measured was trying to estimate the security.
The main metric for measuring security was looking at
the actual number of rounds in the cipher and dividing it by the minimum number of rounds
that were breakable in some sense.
Breakable here is very much the academic sense of breakable.
You didn't need to be able to extract a message or a key.
Anything that showed you could reduce the search space even a little bit would be enough
to show that it was breakable for that number of rounds.
The other properties, which were easier to compare and measure, were speed,
implementing it both in hardware and in software, and simplicity.
Simplicity is usually against security.
To have higher security we want more confusion.
We want to do more transformations to the data. That goes against simplicity.
Simplicity aids the analysis to make it more clear whether the cipher is secure or not.
The winner of the AES competition was a cipher known as Rijndael,
which was developed by two Belgian cryptographers.
The good thing about it winning AES is now we don't have to figure out how
to pronounce it correctly in Belgian. It's now called AES.
The best known current break against AES is very theoretical,
so with 128-bit keys, that would be a brute-force attack that tries every possible key.
It would require on average 2^127 attempts.
You're expected to find it within half of the 128-bit keys.
You've got 2^128 total keys. You expect to find a break after testing half of them.
So a brute-force attack is expected to cost 2^127.
The best known attack removes less than 1 bit of security.
That's the best known today.
And 126 bits of security is well beyond what's practical to imagine implementing
even with a huge amount of computing resources.
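An added example, not the lecture's own code, that checks the brute-force expectation argument above: against a constructed toy block "cipher" (keyed SHA-256 truncated to 16 bytes, standing in for a real cipher, not AES) it runs exhaustive key search over an 8-bit key space, averages the attempts over every possible true key, compares that with the analytic (N+1)/2, and reports log2 of the expectation for 128-bit keys.

```python
import hashlib
import math

BLOCK_BYTES = 16  # AES block size: 128 bits


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher (keyed SHA-256, truncated to
    the block size). It is NOT AES; it just makes key search concrete."""
    return hashlib.sha256(key + block).digest()[:BLOCK_BYTES]


def int_to_key(i: int, key_bits: int) -> bytes:
    return i.to_bytes((key_bits + 7) // 8, "big")


def brute_force(key_bits: int, plaintext: bytes, ciphertext: bytes):
    """Try keys 0, 1, 2, ... until one maps plaintext to ciphertext.
    Returns (key, attempts), or (None, 2**key_bits) if nothing matches."""
    for i in range(2 ** key_bits):
        key = int_to_key(i, key_bits)
        if toy_block_encrypt(key, plaintext) == ciphertext:
            return key, i + 1
    return None, 2 ** key_bits


def expected_attempts(key_bits: int) -> float:
    """Analytic average: the true key is equally likely to be any of the
    N = 2**key_bits keys, so on average (N + 1) / 2 of them get tested."""
    return (2 ** key_bits + 1) / 2


def brute_force_work_bits(key_bits: int) -> float:
    """log2 of the expected attempts: 127 for 128-bit keys, as in the lecture."""
    return math.log2(expected_attempts(key_bits))


def average_attempts_by_simulation(key_bits: int, plaintext: bytes) -> float:
    """Run brute_force once with each possible key as the true key and
    average the attempts. Only feasible for tiny key_bits."""
    total = 0
    for i in range(2 ** key_bits):
        ct = toy_block_encrypt(int_to_key(i, key_bits), plaintext)
        total += brute_force(key_bits, plaintext, ct)[1]
    return total / 2 ** key_bits


if __name__ == "__main__":
    pt = b"sixteen byte blk"  # constructed 16-byte block
    print("8-bit keys, simulated average:", average_attempts_by_simulation(8, pt))
    print("8-bit keys, analytic average:", expected_attempts(8))
    print("128-bit keys, log2 of expected work:", brute_force_work_bits(128))
```

The simulated and analytic averages agree at 128.5 for 8-bit keys, which is 2^7 plus the half-key rounding; scaling the same argument to 128-bit keys gives the 2^127 figure quoted in the lecture.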
