Block Ciphers & DES

Chapter 3 – Block Ciphers and the

Data Encryption Standard

• Simplified DES

• Block Ciphers (Feistel cipher)

• Data Encryption Standard (DES)

• Differential & Linear Cryptanalysis

• Block Ciphers Design Principles

2

Simplified DES

₁

• Similar properties and structure to DES with smaller parameters

• Education scheme by professor Edward Schaefer of Santa Clara University

• Encryption takes an 8-bit block of plaintext and a 10-bit key as input and produces 8-bit block of ciphertext as output

• Decryption reverses the process with the same 10-bit key

Simplified DES

₂

• Scheme

– Ciphertext = IP-1_(f k2(SW(fk1(IP(plaintext))))) • K₁=P8(Shift(P10(key))) • K₂=P8(Shift(Shift(P10(key)))) – Plaintext = IP-1_(f k1(SW(fk2(IP(ciphertext )))))

4

• Key generation

6

Simplified DES

₅

• Key generation example

• P10(k₁k₂k₃k₄k₅k₆k₇k₈k₉k₁₀)=(k₃k₅k₂k₇k₄k₁₀k₁k₉k₈k₆) • P8(k₁k₂k₃k₄k₅k₆k₇k₈k₉k₁₀)=(k₆k₃k₇k₄k₈k₅k₁₀k₉) • K=(10100 00010) – P10(10100 00010)=(10000 01100) – LS-1(10000)=(00001) – LS-1(01100)=(11000) – K₁=P8(00001 11000)=(1010 0100) • Similarly – K₂= P8(LS-2(00001) LS-2(11000))=P8(00100 00011) =(0100 0011)

• Detail

encryption

8

Simplified DES

₇

• 5 functions involved

– IP, f_k1(L, R), SW, f_k2(L,R), IP-1 – IP(i₁i₂i₃i₄ i₅i₆i₇i₈)=(i₂i₆i₃i₁i₄i₅i₈i₇) – IP-1_(i 2i6i3i1i4i5i8i7)=(i1i2i3i4 i5i6i7i8)

– SW: switch the left and right 4 bits – f_k(L, R) = (LF(R, SK), R)

• L: left 4 bits; R: right 4 bits •  : XOR

• F: a mapping involving E/P, S₀ box, S₁ box, P4 • SK: subkey

Simplified DES

₈

• F function:

– EP(n₁n₂n₃n₄)=(n₄n₁n₂n₃n₂n₃n₄n₁)

– Let 8-bit subkey K₁=(k₁₁k₁₂k₁₃k₁₄k₁₅k₁₆k₁₇k₁₈) – E/P  K₁ : 18 1 14 3 17 4 13 2 16 3 12 1 15 2 11 4

k

n

k

n

k

n

k

n

k

n

k

n

k

n

k

n

       

10

• E/P  K₁ (rename): • S0 box:

• S1 box:

• The 1st 4 bit (1st row) are fed into S0 box to produce a 2-bit output

• The last 4 bit (2nd row) are fed into S1 box to produce another 2-bit output

Simplified DES

₉

3 , 1 3 , 0 2 , 1 2 , 0 1 , 1 1 , 0 0 , 1 0 , 0

p

p

p

p

p

p

p

p

             2 3 1 3 3 1 2 0 0 1 2 3 2 3 0 1 0 s              3 0 1 2 0 1 0 3 3 1 0 2 3 2 1 0 1 s

• P4

(n

₁

n

₂

n

₃

n

₄

)=(n

₂

n

₄

n

₃

n

₁

)

12

Simplified DES

₁₁

• Encryption example

• 8-bit plain text: (1011 1101)

• IP(1011 1101)=(0111

1110

)

• EP(n

₁

n

₂

n

₃

n

₄

)=(n

₄

n

₁

n

₂

n

₃

n

₂

n

₃

n

₄

n

₁

)

• EP(

1110

)=(0111 1101)

• Let 8-bit subkey K

₁

=

(1010 0100) • E/P



K

₁ : 0 1 0 1 0 0 1 1 1 1 0 1 0 1 1 0        

• E/P



K₁ :

• (P₀₀,P₀₃)=(11)  3, (P₀₁,P₀₂)=(10)  2

– From S0 box, row 3, column 2, gets 3  (11) in binary

• (P₁₀,P₁₃)=(11)  3, (P₁₁,P₁₂)=(00)  0

– From S1 box, row 3, column 0, gets 2  (10) in binary

• After S0, S1 boxes, we get (1110)

• P4(1110)=(1011) // end of F function

Simplified DES

₁₂

0 1 0 1 0 0 1 1 1 1 0 1 0 1 1 0        

14

• f

_k1

(L, R) = (L



F(R, SK), R)

– = ((0111)  (1011), 1110) – = (1100 1110)

• SW(1100 1110)=(1110 1100)

• Starting the f_k2 function

• EP(1100)=(0110 1001)

• K

₂

=

(0100 0011) • E/P



K₂ :

Simplified DES

₁₃

1 1 0 0 1 0 0 1 0 0 1 1 0 1 0 0        

• E/P



K₂ :

• (P₀₀,P₀₃)=(00)  0, (P₀₁,P₀₂)=(01)  1

– From S0 box, row 0, column 1, gets 0  (00) in binary

• (P₁₀,P₁₃)=(10)  2, (P₁₁,P₁₂)=(01)  1

– From S1 box, row 2, column 1, gets 0  (00) in binary

• After S0, S1 boxes, we get (0000)

• P4(0000)=(0000) // end of F function

Simplified DES

₁₄

0 0 1 1 0 0 1 0

16

• f

_k2

(L, R) = (L



F(R, SK), R)

– = ((1110)  (0000), 1100) – = (1110 1100)

• IP

-1

_{(1110 1100)=}

_{(0111 0101)}

– Ciphertext of plain text: (1011 1101)

– using keys: K₁=(1010 0100), K₂=(0100 0011)

Block Ciphers

₁

• block ciphers

process messages in into

blocks, each of which is then en/decrypted

• like a substitution on very big characters

– 64-bits or more

• stream ciphers

process messages a bit or

byte at a time when en/decrypting

• many current ciphers are block ciphers

• hence are focus of course

18

Block Cipher Principles

• most symmetric block ciphers are based on a

Feistel Cipher Structure

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• would need table of 264 _{entries for a 64-bit block}

• instead create from smaller building blocks • using idea of a product cipher

Claude Shannon and

Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks

– modern substitution-transposition product cipher

• these form the basis of modern block ciphers • S-P networks are based on the two primitive

cryptographic operations we have seen before:

– substitution (S-box) – permutation (P-box)

20

Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message

• a one-time pad does this

• more practically Shannon suggested combining elements to obtain:

• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

• confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure

• Horst Feistel devised the feistel cipher

– based on concept of invertible product cipher

• partitions input block into two halves

– process through multiple rounds which – perform a substitution on left data half

– based on round function of right half & subkey – then have permutation swapping halves

• implements Shannon’s substitution-permutation network concept

22

Feistel Cipher Structure

Substitution Permutation

Feistel Cipher Design Principles

• block size

– increasing size improves security, but slows cipher

• key size

– increasing size improves security, makes exhaustive key searching harder, but may slow cipher

• number of rounds

– increasing number improves security, but slows cipher

• subkey generation

– greater complexity can make analysis harder, but slows cipher

• round function

– greater complexity can make analysis harder, but slows cipher

• fast software en/decryption & ease of analysis

24

Data Encryption Standard (DES)

• most widely used block cipher in world

• adopted in 1977 by NBS (now NIST)

– as FIPS PUB 46

• encrypts 64-bit data using 56-bit key

• has widespread use

• has been considerable controversy over its

security

26

DES History

• IBM developed Lucifer cipher

– by team led by Feistel

– used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES

DES Design Controversy

• although DES standard is public

• was considerable controversy over design

– in choice of 56-bit key (vs Lucifer 128-bit) – and because design criteria were classified

• subsequent events and public analysis show

in fact design was appropriate

• DES has become widely used, esp in

financial applications

28

Initial Permutation IP

• first step of the data computation

• IP reorders the input data bits

• even bits to LH half, odd bits to RH half

• quite regular in structure (easy in h/w)

• see text Table 3.2

• example:

– 64 bits, 4 bits for each symbol

30

32

DES Round Structure

• uses two 32-bit L & R halves

• as for any Feistel cipher can describe as:

L_i = R_i–1

R_i = L_i–1 xor F(R_i–1, K_i)

• takes 32-bit R half and 48-bit subkey and:

– expands R to 48-bits using perm E – adds to subkey

– 48 bits partitioned into 8 6-bit inputs to the 8 s-boxes – passes through 8 S-boxes to get 32-bit result

34

DES S Boxes

• 6 bits input to S

₁

box

0

1100

1

– 01 ->1, row # 1; 1100 ->12, column #12

36

DES Key Schedule

• forms subkeys used in each round • consists of:

– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

• Table 3.4 (a), (b)

– 16 stages consisting of:

• selecting 28-bits from each half, C_i, D_i

• rotating each half separately either 1 or 2 places depending on the key rotation schedule K

38

40

DES Decryption

• decrypt must unwind steps of data computation • with Feistel design, do encryption steps again

• using subkeys in reverse order (SK16 … SK1)

• note that IP undoes final FP step of encryption • 1st round with SK16 undoes 16th encrypt round • ….

• 16th round with SK1 undoes 1st encrypt round • then final FP undoes initial encryption IP

Avalanche Effect

• key desirable property of encryption

algorithm

• where a change of one input or key bit

results in changing approx half output bits

• making attempts to “home-in” by guessing

keys impossible

42

Strength of DES – Key Size

• 56-bit keys have 2

56

_{= 7.2 x 10}

16

_values

• brute force search looks hard

• recent advances have shown is possible

– in 1997 on Internet in a few months

– in 1998 on dedicated h/w (EFF) in a few days – in 1999 above combined in 22hrs!

• still must be able to recognize plaintext

• now considering alternatives to DES

44

Strength of DES – Analytic Attacks

• now have several analytic attacks on DES

• these utilise some deep structure of the cipher

– by gathering information about encryptions

– can eventually recover some/all of the sub-key bits – if necessary then exhaustively search for the rest

• generally these are statistical attacks • include

– differential cryptanalysis: 247 _{chosen plaintext} – linear cryptanalysis: 247 _{known plaintext}

Differential Cryptanalysis

• one of the most significant recent (public)

advances in cryptanalysis

• known by NSA in 70's cf DES design

• Murphy, Biham & Shamir published 1990

• powerful method to analyse block ciphers

• used to analyse most current block ciphers

with varying degrees of success

46

Differential Cryptanalysis

• a statistical attack against Feistel ciphers

• uses cipher structure not previously used

• design of S-P networks has output of

function f influenced by both input & key

• hence cannot trace values back through

cipher without knowing values of the key

• Differential Cryptanalysis compares two

Differential Cryptanalysis Compares

Pairs of Encryptions

• with a known difference in the input

• searching for a known difference in output

• when same subkeys are used

48

Differential Cryptanalysis

• have some input difference giving some

output difference with probability p

• if find instances of some higher probability

input / output difference pairs occurring

• can infer subkey that was used in round

• then must iterate process over many rounds

(with decreasing probabilities)

50

Differential Cryptanalysis

• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR • when found

– if intermediate rounds match required XOR have a right pair – if not then have a wrong pair, relative ratio is S/N for attack

• can then deduce keys values for the rounds

– right pairs suggest same key bits – wrong pairs give random values

• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs • Biham and Shamir have shown how a 13-round iterated

Linear Cryptanalysis

• another recent development

• also a statistical method

• must be iterated over rounds, with

decreasing probabilities

• developed by Matsui et al in early 90's

• based on finding linear approximations

• can attack DES with 2

47

_{known plaintexts,}

52

Linear Cryptanalysis

• find linear approximations with prob p != ½

P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc]

where ia,jb,kc are bit locations in P,C,K

• gives linear equation for key bits

• get one key bit using max likelihood alg • using a large number of trial encryptions • effectiveness given by: |p–½|

Block Cipher Design Principles

• basic principles still like Feistel in 1970’s

• number of rounds

– more is better, exhaustive search best attack

• function f:

– provides “confusion”, is nonlinear, avalanche

• key schedule

54

Modes of Operation

• block ciphers encrypt fixed size blocks

• eg. DES encrypts 64-bit blocks, with 56-bit key • need way to use in practise, given usually have

arbitrary amount of information to encrypt • four were defined for DES in ANSI standard

ANSI X3.106-1983 Modes of Use

• subsequently now have 5 for DES and AES • have block and stream modes

56

Electronic Codebook Book (ECB)

• message is broken into independent blocks

which are encrypted

• each block is a value which is substituted, like

a codebook, hence name

• each block is encoded independently of the

other blocks

C_i = DES_K1 (P_i)

• uses: secure transmission of single values

58

Advantages and Limitations of ECB

• repetitions in message may show in ciphertext

– if aligned with message block

– particularly with data such graphics

– or with messages that change very little, which become a code-book analysis problem

• weakness due to encrypted message blocks being independent

Cipher Block Chaining (CBC)

• message is broken into blocks

• but these are linked together in the encryption operation

• each previous cipher blocks is chained with current plaintext block, hence name

• use Initial Vector (IV) to start process

C_i = DES_K1(P_i XOR C_i-1) C_-1 = IV

60

Advantages and Limitations of CBC

• each ciphertext block depends on all message blocks

• thus a change in the message affects all ciphertext blocks after the change as well as the original block

• need Initial Value (IV) known to sender & receiver

– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate

– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

• at end of message, handle possible last short block

– by padding either with known non-data value (eg nulls) – or pad last block with count of pad size

62

Cipher FeedBack (CFB)

• message is treated as a stream of bits • added to the output of the block cipher

• result is feed back for next stage (hence name) • standard allows any number of bit (1,8 or 64 or

whatever) to be feed back

– denoted CFB-1, CFB-8, CFB-64 etc

• is most efficient to use all 64 bits (CFB-64)

C_i = P_i XOR DES_K1(C_i-1) C_-1 = IV

64

Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes

• most common stream mode

• limitation is need to stall while do block

encryption after every n-bits

• note that the block cipher is used in

encryption mode at both ends

• errors propogate for several blocks after the

error

Output FeedBack (OFB)

• message is treated as a stream of bits • output of cipher is added to message • output is then feed back (hence name) • feedback is independent of message • can be computed in advance

C_i = P_i XOR O_i O_i = DES_K1(O_i-1) O_-1 = IV

66

Advantages and Limitations of OFB

• used when error feedback a problem or where need to encryptions before message is available

• superficially similar to CFB

• but feedback is from the output of cipher and is independent of message

• a variation of a Vernam cipher

– hence must never reuse the same sequence (key+IV)

• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs

• originally specified with m-bit feedback in the standards • subsequent research has shown that only OFB-64 should

68

Counter (CTR)

• a “new” mode, though proposed early on

• similar to OFB but encrypts counter value

rather than any feedback value

• must have a different key & counter value

for every plaintext block (never reused)

C_i = P_i XOR O_i O_i = DES_K1(i)

70

Advantages and Limitations of CTR

• efficiency

– can do parallel encryptions – in advance of need

– good for bursty high speed links

• random access to encrypted data blocks

• provable security (good as other modes)

• but must ensure never reuse key/counter

Summary

• have considered:

• block cipher design principles

• DES

– details – strength

• Differential & Linear Cryptanalysis

• Modes of Operation