• 11/25/2021

Constants in cryptographic algorithms – Block Ciphers and Their Modes of Operation

14.2.6 Constants in cryptographic algorithms

Specifications of cryptographic algorithms often contain constants. As an example, the SHA-2 family of hash functions specified in the FIPS 180-4 standard must set the initial hash value H(0) before the computation of the SHA algorithm begins. The initial hash value for the SHA-224 function is composed of these eight 32-bit constants:

H0(0) = c1059ed8    H4(0) = ffc00b31
H1(0) = 367cd507    H5(0) = 68581511
H2(0) = 3070dd17    H6(0) = 64f98fa7
H3(0) = f70e5939    H7(0) = befa4fa4

Similarly, the initial hash value for the SHA-256 function consists of the following eight 32-bit constants:

H0(0) = 6a09e667    H4(0) = 510e527f
H1(0) = bb67ae85    H5(0) = 9b05688c
H2(0) = 3c6ef372    H6(0) = 1f83d9ab
H3(0) = a54ff53a    H7(0) = 5be0cd19

While these constants may seem random at first, they are derived from a simple, public rule. The SHA-256 values are the first 32 bits of the fractional parts of the square roots of the first eight primes (2, 3, 5, 7, 11, 13, 17 and 19), and the SHA-224 values are the second 32 bits of the fractional parts of the square roots of the ninth through sixteenth primes (23 through 53) [129]. This might sound counter-intuitive at first, especially if you recall our discussion about the role of entropy in cryptography in Chapter 3, A Secret to Share.

However, it is exactly because these constants were generated by a fixed, publicly verifiable rule that they are very unlikely to have been chosen for a hidden purpose: the designers had essentially no freedom in selecting them, and anyone can recompute them and compare the result with the standard. Values of this kind are called nothing-up-my-sleeve numbers. As a result, we need not be concerned that they have implications, unknown to us, for the security of the SHA-224 and SHA-256 functions. The one caveat is that the rule itself must be simple and fixed before the design starts; a designer who is free to pick among many plausible-looking rules regains some of the freedom the rule was supposed to remove.
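The check a practitioner would actually run is to recompute the constants from the stated rule and confirm they are the ones in the standard. The following is an added example (not code from the book or from FIPS 180-4) that does so with exact integer arithmetic, so no floating-point rounding can creep in. It goes one step beyond the text: besides the SHA-224 and SHA-256 initial values it also regenerates the 64 SHA-256 round constants (first 32 fractional bits of the cube roots of the first 64 primes, the rule FIPS 180-4 gives for them) and then runs a minimal SHA-256/SHA-224 built only from the regenerated constants against Python's hashlib, which proves the derived values are the real ones. All function names (`frac_word`, `sha2_32`, `matches_hashlib`, and so on) are this example's own.

```python
"""Regenerate the SHA-224 / SHA-256 initial hash values (and SHA-256 round
constants) from prime roots, then prove they are the real ones by running a
minimal SHA-256 / SHA-224 built only from the regenerated constants against
hashlib.  Added example; not code from the book or from FIPS 180-4."""
import hashlib
import struct

M32 = 0xFFFFFFFF


def primes(n):
    """First n primes by trial division (n <= 64 here, so speed is irrelevant)."""
    out, cand = [], 2
    while len(out) < n:
        if all(cand % p for p in out if p * p <= cand):
            out.append(cand)
        cand += 1
    return out


def iroot(n, k):
    """Exact integer k-th root: the largest r with r**k <= n (binary search)."""
    lo, hi = 0, 1 << ((n.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def frac_word(p, k, word):
    """The `word`-th (1-based) 32-bit word of the fractional part of p**(1/k).

    p**(1/k) * 2**(32*word) == kth-root(p * 2**(32*word*k)); the low 32 bits of
    its floor are exactly the requested word, with no floating-point rounding."""
    return iroot(p << (32 * word * k), k) & M32


def sha256_iv():
    """FIPS 180-4 rule: first 32 fractional bits of sqrt of the first 8 primes."""
    return [frac_word(p, 2, 1) for p in primes(8)]


def sha224_iv():
    """FIPS 180-4 rule: second 32 fractional bits of sqrt of primes 9..16."""
    return [frac_word(p, 2, 2) for p in primes(16)[8:]]


def sha256_k():
    """FIPS 180-4 rule: first 32 fractional bits of cbrt of the first 64 primes."""
    return [frac_word(p, 3, 1) for p in primes(64)]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32


def sha2_32(msg, iv, k, out_words):
    """Minimal SHA-256 core (FIPS 180-4 section 6.2).  SHA-224 is the same
    computation with its own IV and the result truncated to 7 words."""
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    H = list(iv)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 64):
            s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & M32)
        a, b, c, d, e, f, g, h = H
        for t in range(64):
            t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + k[t] + w[t]) & M32
            t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & M32
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & M32, c, b, a, (t1 + t2) & M32
        H = [(x + y) & M32 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(struct.pack(">I", x) for x in H[:out_words])


def derived_sha256(msg):
    return sha2_32(msg, sha256_iv(), sha256_k(), 8)


def derived_sha224(msg):
    return sha2_32(msg, sha224_iv(), sha256_k(), 7)


def matches_hashlib(msg):
    """True iff hashes built from the regenerated constants equal hashlib's."""
    return (derived_sha256(msg) == hashlib.sha256(msg).digest()
            and derived_sha224(msg) == hashlib.sha224(msg).digest())


if __name__ == "__main__":
    print("SHA-224 IV:", [f"{h:08x}" for h in sha224_iv()])
    print("SHA-256 IV:", [f"{h:08x}" for h in sha256_iv()])
    for m in (b"", b"abc", b"a" * 1000):
        print(f"{m[:8]!r}: matches hashlib = {matches_hashlib(m)}")
```

Note the ordering of the checks: comparing the regenerated initial values against the eight words printed above verifies the rule, but running a full hash built from them against an independent implementation also rules out a transcription error in the table itself, which is the failure a reviewer is most likely to make by hand.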

14.2.7 DES S-boxes

On March 17, 1975, the US National Bureau of Standards (NBS), the precursor of today's NIST, published the proposed Data Encryption Standard (DES) in the Federal Register for public comment. It was adopted as FIPS PUB 46 in January 1977 and quickly became one of the most widely used cryptographic algorithms worldwide.

As discussed previously, DES is a block cipher based on a Feistel network. At the heart of the DES round function sit eight S-boxes, each mapping a 6-bit input to a 4-bit output. They carry the algorithm's security, since they are the only non-linear components of the round function; the expansion, the key mixing and the permutation are all linear over GF(2) [168].

DES was specified in a process that involved a public solicitation: the NBS issued two calls for proposals, and the cipher IBM submitted in response to the second was selected and then published for a public comment period of about six months. However, the NBS also consulted the NSA.

After the original algorithm submitted by IBM was sent to the NSA for review, it came back with completely different S-boxes. The modifications were analyzed by the cryptographic community, and there was even an official review conducted on behalf of the US Senate's Select Committee on Intelligence. Despite this, no statistical or mathematical weaknesses were found throughout the 1970s and the 1980s.

This suddenly changed in 1990, when the Israeli cryptographers Eli Biham and Adi Shamir published differential cryptanalysis, a novel method for breaking block ciphers [32]. When they applied it to DES, they found that the DES S-boxes were far more resistant to differential cryptanalysis than randomly chosen S-boxes typically are; their attack on the full 16-round DES remained impractical, requiring about 2^47 chosen plaintexts.

When Don Coppersmith, one of the IBM cryptographers who designed DES, published the original design criteria for the DES S-boxes in 1994, the cryptographic community learned that IBM and the NSA had known about differential cryptanalysis as early as 1974. The DES S-boxes had been deliberately tweaked to resist it, but the NSA asked that this be kept secret, because the attack was applicable to a wide range of cryptographic algorithms and the NSA considered its publication a serious risk to national security.
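What "resistant to differential cryptanalysis" means for an S-box can be measured directly: the difference distribution table (DDT) counts, for every input difference, how often each output difference occurs, and the largest entry is the probability of the best single-S-box differential an attacker can exploit. The following added example (not code from the book, and not IBM's or NSA's design tooling) computes the DDT of DES S-box S1, with the S1 table and the row/column indexing convention taken from FIPS 46-3, and checks two of the design criteria Coppersmith published (each row is a permutation; a one-bit input change always changes at least two output bits). For contrast it also evaluates a deliberately linear 6-to-4 map, which shows why the text calls the S-boxes the only non-linear components, and a seeded random table. All function names are this example's own.

```python
"""Difference distribution table (DDT) of a 6-to-4-bit S-box: the table that
differential cryptanalysis is built on.  Computed for DES S1 (table as printed
in FIPS 46-3), for a deliberately linear S-box, and for a pseudo-random one.
Added example; not code from the book."""
import random

# DES S-box S1, 4 rows x 16 columns, as in FIPS 46-3.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table):
    """Turn a FIPS-style 4x16 table into f: 6-bit int -> 4-bit int.
    DES convention: the outer bits (b5, b0) select the row, the middle
    four bits (b4..b1) select the column."""
    def f(x):
        row = ((x >> 5) & 1) << 1 | (x & 1)
        return table[row][(x >> 1) & 0xF]
    return f


def linear_sbox(x):
    """A GF(2)-linear 6->4 map (bit selections XORed together).  For any
    linear f, f(x) ^ f(x ^ d) == f(d) for every x, so every input
    difference propagates to one output difference with probability 1."""
    return ((x >> 1) & 0xF) ^ (((x >> 5) & 1) * 0b0110) ^ ((x & 1) * 0b1001)


def random_sbox(seed):
    """A uniformly random 6->4 table (seeded, so the run is reproducible)."""
    rng = random.Random(seed)
    table = [rng.randrange(16) for _ in range(64)]
    return lambda x: table[x]


def ddt(f, n_in=6, n_out=4):
    """ddt[din][dout] = #{x : f(x) ^ f(x ^ din) == dout}; rows sum to 2**n_in."""
    t = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for din in range(1 << n_in):
        for x in range(1 << n_in):
            t[din][f(x) ^ f(x ^ din)] += 1
    return t


def max_differential(t):
    """(count, din, dout) of the most likely transition for a nonzero input
    difference; count / 2**n_in is the best one-S-box differential probability."""
    return max((cnt, din, dout)
               for din in range(1, len(t)) for dout, cnt in enumerate(t[din]))


def min_output_distance_single_bit_flip(f, n_in=6):
    """Coppersmith's criterion S-4: inputs differing in exactly one bit must
    give outputs differing in at least two bits."""
    return min(bin(f(x) ^ f(x ^ (1 << i))).count("1")
               for x in range(1 << n_in) for i in range(n_in))


def rows_are_permutations(table):
    """Criterion S-3: with the outer bits fixed, every 4-bit output occurs once."""
    return all(sorted(row) == list(range(16)) for row in table)


if __name__ == "__main__":
    for name, f in (("DES S1", des_sbox(S1)),
                    ("linear", linear_sbox),
                    ("random", random_sbox(2021))):
        cnt, din, dout = max_differential(ddt(f))
        print(f"{name:7}: best differential {din:02x} -> {dout:x} holds for "
              f"{cnt}/64 inputs (p = {cnt / 64:.3f}); min output distance for a "
              f"1-bit input change = {min_output_distance_single_bit_flip(f)}")
    print("S1 rows are permutations:", rows_are_permutations(S1))
```

For S1 the best differential is 34 -> 2, which holds for 16 of the 64 inputs (probability 1/4); this is exactly the bound Coppersmith's criterion S-7 imposes, and it is the entry Biham and Shamir exploit in their characteristics. The linear map, by contrast, has an entry of 64 for every input difference, so differences pass through it with certainty and a differential attack on a cipher built from it would need only a handful of plaintext pairs. The random table lands somewhere in between and, unlike S1, usually has some one-bit input change that leaves the output unchanged.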

Fortunately for DES users, the tweak of the DES S-boxes turned out to increase the security of the algorithm. However, whenever an algorithm uses unexplained constants, there is a risk of a backdoor. What if Eve is involved in the specification of a cryptographic algorithm (for example, by submitting her own proposal to a public competition) and knows a secret attack? She could propose constants that look random at first sight but are actually carefully chosen to enable that attack, and the rest of the community would have no way to tell the difference.
