# Block Ciphers & DES


## Simplified DES

• Similar properties and structure to DES with smaller parameters

• Educational scheme by Professor Edward Schaefer of Santa Clara University

• Encryption takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit block of ciphertext as output

• Decryption reverses the process with the same 10-bit key


## Simplified DES

### Scheme

– Ciphertext = IP⁻¹(fk2(SW(fk1(IP(plaintext)))))

• K1 = P8(Shift(P10(key)))

• K2 = P8(Shift(Shift(P10(key))))

– Plaintext = IP⁻¹(fk1(SW(fk2(IP(ciphertext)))))


## Simplified DES

### Key generation example

• P10(k1k2k3k4k5k6k7k8k9k10) = (k3k5k2k7k4k10k1k9k8k6)

• P8(k1k2k3k4k5k6k7k8k9k10) = (k6k3k7k4k8k5k10k9)

• K = (10100 00010)

– P10(10100 00010) = (10000 01100)

– LS-1(10000) = (00001)

– LS-1(01100) = (11000)

– K1 = P8(00001 11000) = (1010 0100)

• Similarly

– K2 = P8(LS-2(00001) LS-2(11000)) = P8(00100 00011) = (0100 0011)


## Simplified DES

### 5 functions involved

– IP, fk1(L, R), SW, fk2(L, R), IP⁻¹

– IP(i1i2i3i4 i5i6i7i8) = (i2i6i3i1 i4i8i5i7)

– IP⁻¹(i2i6i3i1 i4i8i5i7) = (i1i2i3i4 i5i6i7i8)

– SW: switch the left and right 4 bits

– fk(L, R) = (L ⊕ F(R, SK), R)

• L: left 4 bits; R: right 4 bits; ⊕: XOR

• F: a mapping involving E/P, S0 box, S1 box, P4

• SK: subkey


## Simplified DES

### F function

– E/P(n1n2n3n4) = (n4n1n2n3 n2n3n4n1)

– Let 8-bit subkey K1 = (k11k12k13k14k15k16k17k18)

– E/P ⊕ K1, written as a 2×4 array:

    n4⊕k11  n1⊕k12  n2⊕k13  n3⊕k14
    n2⊕k15  n3⊕k16  n4⊕k17  n1⊕k18

• E/P ⊕ K1 (rename):

    P00  P01  P02  P03
    P10  P11  P12  P13

• S0 box:

    1 0 3 2
    3 2 1 0
    0 2 1 3
    3 1 3 2

• S1 box:

    0 1 2 3
    2 0 1 3
    3 0 1 0
    2 1 0 3

• The 1st 4 bits (1st row) are fed into the S0 box to produce a 2-bit output

• The last 4 bits (2nd row) are fed into the S1 box to produce another 2-bit output

– The outer bits of each row, (P00,P03) and (P10,P13), select the S-box row; the inner bits, (P01,P02) and (P11,P12), select the column

• P4(n1n2n3n4) = (n2n4n3n1)

## Simplified DES

### Encryption example

• Plaintext = (1011 1101), K1 = (1010 0100), K2 = (0100 0011)

• IP(1011 1101) = (0111 1110), so L = (0111), R = (1110)

• Starting the fk1 function

• E/P(1110) = (0111 1101)

• E/P ⊕ K1 = (0111 1101) ⊕ (1010 0100):

    1 1 0 1
    1 0 0 1

• (P00,P03) = (11) → 3, (P01,P02) = (10) → 2

– From S0 box, row 3, column 2, gets 3 (11) in binary

• (P10,P13) = (11) → 3, (P11,P12) = (00) → 0

– From S1 box, row 3, column 0, gets 2 (10) in binary

• After S0, S1 boxes, we get (1110)

• P4(1110) = (1011) // end of F function

• fk1(L, R) = (L ⊕ F(R, SK), R)

– = ((0111) ⊕ (1011), 1110)

– = (1100 1110)

• SW(1100 1110) = (1110 1100)

• Starting the fk2 function, with L = (1110), R = (1100)

• E/P(1100) = (0110 1001)

• E/P ⊕ K2 = (0110 1001) ⊕ (0100 0011):

    0 0 1 0
    1 0 1 0

• (P00,P03) = (00) → 0, (P01,P02) = (01) → 1

– From S0 box, row 0, column 1, gets 0 (00) in binary

• (P10,P13) = (10) → 2, (P11,P12) = (01) → 1

– From S1 box, row 2, column 1, gets 0 (00) in binary

• After S0, S1 boxes, we get (0000)

• P4(0000) = (0000) // end of F function

• fk2(L, R) = (L ⊕ F(R, SK), R)

– = ((1110) ⊕ (0000), 1100)

– = (1110 1100)

• IP⁻¹(1110 1100) = (0111 0101)

– Ciphertext of plaintext (1011 1101): (0111 0101)

– using keys: K1 = (1010 0100), K2 = (0100 0011)
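The whole S-DES computation above, as an added Python example (not code from the slides or from Schaefer): it implements the key schedule, the F function and the IP / fk / SW / fk / IP⁻¹ structure with the standard S-DES tables, reproduces the slides' K1, K2 and ciphertext, and shows that decryption is the same structure with the subkeys in reverse order.

```python
# Added example (not from the slides): Simplified DES with Schaefer's standard tables.
# Reproduces the slides: key 1010000010 -> K1 10100100, K2 01000011; 10111101 -> 01110101.
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)          # expansion/permutation E/P
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    """Apply a 1-indexed selection table (permutation or expansion)."""
    return "".join(bits[i - 1] for i in table)

def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def key_schedule(key10):
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key))))."""
    p = permute(key10, P10)
    l1, r1 = p[1:5] + p[0], p[6:] + p[5]                 # LS-1 on each 5-bit half
    k1 = permute(l1 + r1, P8)
    k2 = permute(l1[2:] + l1[:2] + r1[2:] + r1[:2], P8)  # LS-2 on each half
    return k1, k2

def sbox(bits4, box):
    row, col = int(bits4[0] + bits4[3], 2), int(bits4[1] + bits4[2], 2)
    return format(box[row][col], "02b")                  # outer bits: row, inner: column

def F(r, sk):
    t = xor(permute(r, EP), sk)                          # E/P(R) xor subkey
    return permute(sbox(t[:4], S0) + sbox(t[4:], S1), P4)

def fk(block8, sk):                                      # (L xor F(R, SK), R)
    return xor(block8[:4], F(block8[4:], sk)) + block8[4:]

def sdes(block8, ka, kb):
    """IP, f_ka, SW, f_kb, IP^-1: shared by encryption and decryption."""
    x = fk(permute(block8, IP), ka)
    x = fk(x[4:] + x[:4], kb)                            # SW = swap the halves
    return permute(x, IP_INV)

def encrypt(pt8, key10):
    return sdes(pt8, *key_schedule(key10))

def decrypt(ct8, key10):
    k1, k2 = key_schedule(key10)
    return sdes(ct8, k2, k1)                             # subkeys in reverse order
```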


## Block Ciphers

• like a substitution on very big characters

– 64-bits or more

## Block Cipher Principles

• most symmetric block ciphers are based on a Feistel Cipher Structure

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• would need table of 2^64 entries for a 64-bit block

• instead create from smaller building blocks

• using idea of a product cipher

## Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks

– modern substitution-transposition product cipher

• these form the basis of modern block ciphers

• S-P networks are based on the two primitive cryptographic operations we have seen before:

– substitution (S-box)

– permutation (P-box)

## Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message

• a one-time pad does this

• more practically Shannon suggested combining elements to obtain:

• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

• confusion – makes relationship between ciphertext and key as complex as possible


## Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher

– based on concept of invertible product cipher

• partitions input block into two halves

– process through multiple rounds which

– perform a substitution on left data half

– based on round function of right half & subkey

– then have permutation swapping halves

• implements Shannon’s substitution-permutation network concept

## Feistel Cipher Structure

[Figure: Feistel cipher structure, with the Substitution and Permutation steps labelled]

## Feistel Cipher Design Principles

• block size

– increasing size improves security, but slows cipher

• key size

– increasing size improves security, makes exhaustive key searching harder, but may slow cipher

• number of rounds

– increasing number improves security, but slows cipher

• subkey generation

– greater complexity can make analysis harder, but slows cipher

• round function

– greater complexity can make analysis harder, but slows cipher

• fast software en/decryption & ease of analysis

## DES History

• IBM developed Lucifer cipher

– by team led by Feistel

– used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES

– as FIPS PUB 46


## DES Design Controversy

• was considerable controversy over design

– in choice of 56-bit key (vs Lucifer 128-bit)

– and because design criteria were classified

## Initial Permutation IP

• example:

– 64 bits, 4 bits for each symbol

## DES Round Structure

• uses two 32-bit L & R halves

• as for any Feistel cipher can describe as:

Li = Ri-1

Ri = Li-1 XOR F(Ri-1, Ki)

• takes 32-bit R half and 48-bit subkey and:

– expands R to 48-bits using perm E

– adds to subkey

– 48 bits partitioned into 8 6-bit inputs to the 8 S-boxes

– passes through 8 S-boxes to get 32-bit result

## DES S Boxes

• example:

– 01 -> 1, row #1; 1100 -> 12, column #12

## DES Key Schedule

• forms subkeys used in each round

• consists of:

– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

• Table 3.4 (a), (b)

– 16 stages consisting of:

• selecting 28-bits from each half, Ci, Di

• rotating each half separately either 1 or 2 places depending on the key rotation schedule K


## DES Decryption

• decrypt must unwind steps of data computation

• with Feistel design, do encryption steps again

• using subkeys in reverse order (SK16 … SK1)

• note that IP undoes final FP step of encryption

• 1st round with SK16 undoes 16th encrypt round

• ….

• 16th round with SK1 undoes 1st encrypt round

• then final FP undoes initial encryption IP

## Strength of DES – Key Size

• recent advances have shown exhaustive key search is possible

– in 1997 on Internet in a few months

– in 1998 on dedicated h/w (EFF) in a few days

– in 1999 above combined in 22hrs!

## Strength of DES – Analytic Attacks

• now have several analytic attacks on DES

• these utilise some deep structure of the cipher

– by gathering information about encryptions

– can eventually recover some/all of the sub-key bits

– if necessary then exhaustively search for the rest

• generally these are statistical attacks

• include

– differential cryptanalysis: 2^47 chosen plaintext

– linear cryptanalysis: 2^47 known plaintext

## Differential Cryptanalysis

• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR

• when found

– if intermediate rounds match required XOR have a right pair

– if not then have a wrong pair, relative ratio is S/N for attack

• can then deduce key values for the rounds

– right pairs suggest same key bits

– wrong pairs give random values

• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs

• Biham and Shamir have shown how a 13-round iterated

## Linear Cryptanalysis

• find linear approximations with prob p ≠ ½

P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]

where ia,jb,kc are bit locations in P,C,K

• gives linear equation for key bits

• get one key bit using max likelihood alg

• using a large number of trial encryptions

• effectiveness given by: |p – ½|

## Block Cipher Design Principles

• number of rounds

– more is better, exhaustive search best attack

• function f:

– provides “confusion”, is nonlinear, avalanche

## Modes of Operation

• block ciphers encrypt fixed size blocks

• eg. DES encrypts 64-bit blocks, with 56-bit key

• need way to use in practice, given usually have arbitrary amount of information to encrypt

• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use

• subsequently now have 5 for DES and AES

• have block and stream modes

## Electronic Codebook (ECB)

Ci = DES_K1(Pi)

### Advantages and Limitations of ECB

• repetitions in message may show in ciphertext

– if aligned with message block

– particularly with data such as graphics

– or with messages that change very little, which become a code-book analysis problem

• weakness due to encrypted message blocks being independent


## Cipher Block Chaining (CBC)

• message is broken into blocks

• but these are linked together in the encryption operation

• each previous cipher block is chained with the current plaintext block, hence the name

• use Initial Vector (IV) to start process

Ci = DES_K1(Pi XOR Ci-1)

C-1 = IV

### Advantages and Limitations of CBC

• each ciphertext block depends on all message blocks

• thus a change in the message affects all ciphertext blocks after the change as well as the original block

• need Initial Value (IV) known to sender & receiver

– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate

– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

• at end of message, handle possible last short block

– by padding either with known non-data value (eg nulls)

– or pad last block with count of pad size

## Cipher FeedBack (CFB)

• message is treated as a stream of bits

• added to the output of the block cipher

• result is fed back for next stage (hence name)

• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back

– denoted CFB-1, CFB-8, CFB-64 etc

• is most efficient to use all 64 bits (CFB-64)

Ci = Pi XOR DES_K1(Ci-1)

C-1 = IV

## Output FeedBack (OFB)

• message is treated as a stream of bits

• output of cipher is added to message

• output is then fed back (hence name)

• feedback is independent of message

• can be computed in advance

Ci = Pi XOR Oi

Oi = DES_K1(Oi-1)

O-1 = IV

### Advantages and Limitations of OFB

• used when error feedback is a problem, or where encryptions are needed before the message is available

• superficially similar to CFB

• but feedback is from the output of cipher and is independent of message

• a variation of a Vernam cipher

– hence must never reuse the same sequence (key+IV)

• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

• originally specified with m-bit feedback in the standards

• subsequent research has shown that only OFB-64 should

## Counter (CTR)

• uses a different counter value for every plaintext block (never reused)

Ci = Pi XOR Oi

Oi = DES_K1(i)

### Advantages and Limitations of CTR

• efficiency

– can do parallel encryptions

– in advance of need

– good for bursty high speed links

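The ECB, CBC, CFB, OFB and CTR equations from the preceding sections, written out as an added Python example (not from the slides): each function is one of the chaining equations, with a constructed keyed byte bijection `toy_E` standing in for DES_K1 so that the chaining, the ECB repetition leak and the E-only decryption of CFB/OFB/CTR can be run offline. The 8-bit block size, `toy_E`/`toy_D`, `KEY`, `IV`, the counter start and the sample `P` are assumptions made for this demonstration.

```python
# Added example (not from the slides): the chaining equations of ECB, CBC,
# CFB, OFB and CTR on 8-bit blocks. toy_E is a constructed keyed bijection
# on a byte that stands in for DES_K1; it is not a cipher, only a placeholder.

def toy_E(key, b):                     # constructed stand-in for DES_K(b)
    return ((((b ^ key) * 7) + key) ^ 0x5A) & 0xFF

def toy_D(key, c):                     # inverse of toy_E (7 * 183 = 1 mod 256)
    return ((((c ^ 0x5A) - key) * 183) & 0xFF) ^ key

def ecb(key, P):                       # Ci = E(Pi): every block independent
    return [toy_E(key, p) for p in P]

def cbc(key, iv, P):                   # Ci = E(Pi xor C(i-1)), C(-1) = IV
    C, prev = [], iv
    for p in P:
        prev = toy_E(key, p ^ prev)
        C.append(prev)
    return C

def cbc_dec(key, iv, C):               # Pi = D(Ci) xor C(i-1)
    return [toy_D(key, c) ^ prev for prev, c in zip([iv] + C[:-1], C)]

def cfb(key, iv, P):                   # Ci = Pi xor E(C(i-1)), C(-1) = IV
    C, prev = [], iv
    for p in P:
        prev = p ^ toy_E(key, prev)
        C.append(prev)
    return C

def cfb_dec(key, iv, C):               # uses E only, never D
    return [c ^ toy_E(key, prev) for prev, c in zip([iv] + C[:-1], C)]

def ofb_keystream(key, iv, n):         # Oi = E(O(i-1)), O(-1) = IV; precomputable
    O, o = [], iv
    for _ in range(n):
        o = toy_E(key, o)
        O.append(o)
    return O

def ofb(key, iv, P):                   # Ci = Pi xor Oi; the same call decrypts
    return [p ^ o for p, o in zip(P, ofb_keystream(key, iv, len(P)))]

def ctr(key, ctr0, P):                 # Oi = E(counter i); blocks parallelisable
    return [p ^ toy_E(key, (ctr0 + i) & 0xFF) for i, p in enumerate(P)]

# Constructed sample input: repeated plaintext blocks, to compare ECB with CBC.
KEY, IV, P = 0x3C, 0x10, [0x41, 0x41, 0x41, 0x41, 0x42, 0x42]
```

With the sample input, `ecb` yields only two distinct ciphertext blocks (the repetition shows through), while `cbc` yields six.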

## Summary

• DES

– details

– strength