Chapter 3 – Block Ciphers and the
Data Encryption Standard
• Simplified DES
• Block Ciphers (Feistel cipher)
• Data Encryption Standard (DES)
• Differential & Linear Cryptanalysis
• Block Ciphers Design Principles
Simplified DES
• Similar properties and structure to DES with smaller parameters
• Educational scheme devised by Professor Edward Schaefer of Santa Clara University
• Encryption takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit block of ciphertext as output
• Decryption reverses the process with the same 10-bit key
• Scheme
  – Ciphertext = IP^-1(f_K2(SW(f_K1(IP(plaintext)))))
  – Plaintext = IP^-1(f_K1(SW(f_K2(IP(ciphertext)))))
  – K1 = P8(Shift(P10(key)))
  – K2 = P8(Shift(Shift(P10(key))))
• Key generation
  – P10(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = (k3 k5 k2 k7 k4 k10 k1 k9 k8 k6)
  – P8(k1 k2 k3 k4 k5 k6 k7 k8 k9 k10) = (k6 k3 k7 k4 k8 k5 k10 k9)
  – LS-1 / LS-2: circular left shift of each 5-bit half, separately, by 1 / 2 positions
• Key generation example, K = (10100 00010)
  – P10(10100 00010) = (10000 01100)
  – LS-1(10000) = (00001); LS-1(01100) = (11000)
  – K1 = P8(00001 11000) = (1010 0100)
  – LS-2(00001) = (00100); LS-2(11000) = (00011)
  – K2 = P8(00100 00011) = (0100 0011)
• Encryption in detail: five functions are involved
  – IP, f_K1(L, R), SW, f_K2(L, R), IP^-1
  – IP(i1 i2 i3 i4 i5 i6 i7 i8) = (i2 i6 i3 i1 i4 i8 i5 i7)
  – IP^-1 undoes IP: IP^-1(i2 i6 i3 i1 i4 i8 i5 i7) = (i1 i2 i3 i4 i5 i6 i7 i8), i.e. IP^-1 takes positions (4 1 3 5 7 2 8 6)
  – SW: switch the left and right 4 bits
  – f_K(L, R) = (L ⊕ F(R, SK), R)
  – L: left 4 bits; R: right 4 bits; ⊕: XOR
  – F: a mapping involving E/P, the S0 box, the S1 box and P4; SK: 8-bit subkey
• F function
  – E/P(n1 n2 n3 n4) = (n4 n1 n2 n3 n2 n3 n4 n1), expanding 4 bits to 8
  – Let the 8-bit subkey be K1 = (k11 k12 k13 k14 k15 k16 k17 k18). Written as two rows of four bits, E/P(R) ⊕ K1 is
      n4⊕k11  n1⊕k12  n2⊕k13  n3⊕k14
      n2⊕k15  n3⊕k16  n4⊕k17  n1⊕k18
  – Rename these 8 bits as
      p00 p01 p02 p03
      p10 p11 p12 p13
  – The first 4 bits (1st row) are fed into the S0 box to produce a 2-bit output
  – The last 4 bits (2nd row) are fed into the S1 box to produce another 2-bit output
  – In each box the outer bits, (p00, p03) or (p10, p13), select the row and the inner bits, (p01, p02) or (p11, p12), select the column
  – S0 box:
      1 0 3 2
      3 2 1 0
      0 2 1 3
      3 1 3 2
  – S1 box:
      0 1 2 3
      2 0 1 3
      3 0 1 0
      2 1 0 3
  – P4(n1 n2 n3 n4) = (n2 n4 n3 n1)
• Encryption example
  – 8-bit plaintext: (1011 1101); subkeys K1 = (1010 0100), K2 = (0100 0011)
  – IP(1011 1101) = (0111 1110), so L = (0111), R = (1110)
  – E/P(1110) = (0111 1101)
  – E/P(R) ⊕ K1 = (0111 1101) ⊕ (1010 0100) = (1101 1001), i.e.
      1 1 0 1
      1 0 0 1
  – (p00, p03) = (11) → row 3, (p01, p02) = (10) → column 2: S0 box gives 3 = (11)
  – (p10, p13) = (11) → row 3, (p11, p12) = (00) → column 0: S1 box gives 2 = (10)
  – After the S0 and S1 boxes we have (1110); P4(1110) = (1011) // end of F function
  – f_K1(L, R) = (L ⊕ F(R, K1), R) = ((0111) ⊕ (1011), 1110) = (1100 1110)
  – SW(1100 1110) = (1110 1100)
• Starting the f_K2 function
  – L = (1110), R = (1100); E/P(1100) = (0110 1001)
  – E/P(R) ⊕ K2 = (0110 1001) ⊕ (0100 0011) = (0010 1010), i.e.
      0 0 1 0
      1 0 1 0
  – (p00, p03) = (00) → row 0, (p01, p02) = (01) → column 1: S0 box gives 0 = (00)
  – (p10, p13) = (10) → row 2, (p11, p12) = (01) → column 1: S1 box gives 0 = (00)
  – After the S0 and S1 boxes we have (0000); P4(0000) = (0000) // end of F function
  – f_K2(L, R) = (L ⊕ F(R, K2), R) = ((1110) ⊕ (0000), 1100) = (1110 1100)
  – IP^-1(1110 1100) = (0111 0101)
  – Ciphertext of plaintext (1011 1101) using K1 = (1010 0100), K2 = (0100 0011) is (0111 0101)
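The S-DES key schedule, F function and worked encryption example above, as an added runnable implementation (example code added here, not code from the original slides). Bit strings are Python str of '0'/'1' so every intermediate value can be compared with the slide; the tables are Schaefer's published S-DES tables (P10, P8, IP, IP^-1, E/P, P4, S0, S1). The brute_force helper is an addition that makes the key-size point: with only 2^10 keys, exhaustive search over one known plaintext/ciphertext pair is instant, and because the block is only 8 bits several keys usually fit one pair.

```python
"""Simplified DES (S-DES): 8-bit block, 10-bit key, two Feistel rounds.

Added example, not code from the original slides.  Tables are Schaefer's
published S-DES tables, written as 1-based input positions as on the slides.
"""
from __future__ import annotations

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits: str, table: tuple) -> str:
    """Output position j takes input bit number table[j] (1-based)."""
    return "".join(bits[i - 1] for i in table)


def rotl(bits: str, n: int) -> str:
    """Circular left shift of one half (the slides' LS-1 / LS-2)."""
    return bits[n:] + bits[:n]


def xor(a: str, b: str) -> str:
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def key_schedule(key: str) -> tuple[str, str]:
    """K1 = P8(LS-1(P10(key))), K2 = P8(LS-2(LS-1(P10(key)))); halves shift separately."""
    p = permute(key, P10)
    l, r = rotl(p[:5], 1), rotl(p[5:], 1)
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)
    k2 = permute(l + r, P8)
    return k1, k2


def sbox(box: tuple, bits: str) -> str:
    """Outer bits (p0, p3) select the row, inner bits (p1, p2) the column; 2-bit output."""
    row = int(bits[0] + bits[3], 2)
    col = int(bits[1] + bits[2], 2)
    return format(box[row][col], "02b")


def F(r: str, sk: str) -> str:
    """F(R, SK) = P4(S0(first 4 bits) || S1(last 4 bits)) of E/P(R) xor SK."""
    t = xor(permute(r, EP), sk)
    return permute(sbox(S0, t[:4]) + sbox(S1, t[4:]), P4)


def fk(bits: str, sk: str) -> str:
    """f_K(L, R) = (L xor F(R, SK), R)."""
    l, r = bits[:4], bits[4:]
    return xor(l, F(r, sk)) + r


def switch(bits: str) -> str:
    """SW: swap the left and right 4 bits."""
    return bits[4:] + bits[:4]


def encrypt(pt: str, key: str) -> str:
    """Ciphertext = IP^-1(f_K2(SW(f_K1(IP(plaintext)))))."""
    k1, k2 = key_schedule(key)
    return permute(fk(switch(fk(permute(pt, IP), k1)), k2), IP_INV)


def decrypt(ct: str, key: str) -> str:
    """Plaintext = IP^-1(f_K1(SW(f_K2(IP(ciphertext))))): same steps, subkeys reversed."""
    k1, k2 = key_schedule(key)
    return permute(fk(switch(fk(permute(ct, IP), k2)), k1), IP_INV)


def brute_force(pt: str, ct: str) -> list[str]:
    """Every 10-bit key mapping pt to ct.  2**10 trial encryptions is instant; with an
    8-bit block several keys usually fit one pair, so a second known pair is needed
    to single out the real key (the slides' 'must be able to recognize plaintext')."""
    return [k for k in (format(i, "010b") for i in range(1024)) if encrypt(pt, k) == ct]


if __name__ == "__main__":
    # The slides' worked example: K = 1010000010, plaintext 10111101.
    KEY, PT = "1010000010", "10111101"
    print(key_schedule(KEY))              # ('10100100', '01000011')
    print(encrypt(PT, KEY))               # 01110101
    print(decrypt(encrypt(PT, KEY), KEY))  # 10111101
    print(brute_force(PT, encrypt(PT, KEY)))
```

Run it as a script to reproduce the slide values; the round trip over all 256 plaintexts is a quick self-check that IP^-1 really inverts IP and that the reversed-subkey decryption is correct.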
Block Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
  – 64 bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course
Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need a table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using the idea of a product cipher
Claude Shannon and
Substitution-Permutation Ciphers
• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
– modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)
Confusion and Diffusion
• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
  – based on the concept of an invertible product cipher
• partitions the input block into two halves
  – processed through multiple rounds which
  – perform a substitution on the left data half
  – based on a round function of the right half & subkey
  – then have a permutation swapping the halves
• implements Shannon's substitution-permutation network concept
• (figure: Feistel cipher structure, each round a substitution step followed by a permutation step)
Feistel Cipher Design Principles
• block size
– increasing size improves security, but slows cipher
• key size
– increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds
– increasing number improves security, but slows cipher
• subkey generation
– greater complexity can make analysis harder, but slows cipher
• round function
– greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
Data Encryption Standard (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• there has been considerable controversy over its security
DES History
• IBM developed Lucifer cipher
– by team led by Feistel
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
• although DES standard is public
• was considerable controversy over design
  – in the choice of a 56-bit key (vs Lucifer's 128-bit)
  – and because the design criteria were classified
• subsequent events and public analysis show that in fact the design was appropriate
• DES has become widely used, esp. in financial applications
Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• see text Table 3.2
• example (figure): a 64-bit block written as 16 symbols of 4 bits each
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
• takes 32-bit R half and 48-bit subkey and:
  – expands R to 48 bits using permutation E
  – adds (XORs) the subkey
  – partitions the 48 bits into 8 6-bit inputs to the 8 S-boxes
  – passes them through the 8 S-boxes to get a 32-bit result
  – finally permutes this result using the 32-bit permutation P
DES S-Boxes
• 6-bit input to the S1 box, e.g. 0 1100 1
  – outer bits 01 → 1, selects row #1; inner bits 1100 → 12, selects column #12
  – the S1 entry at row 1, column 12 is 9, so the 4-bit output is 1001
DES Key Schedule
• forms subkeys used in each round
• consists of:
  – initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
    • Table 3.4 (a), (b)
  – 16 stages consisting of:
    • rotating each half separately either 1 or 2 places depending on the key rotation schedule K
    • selecting 24 bits from each half and permuting them by PC2 into the 48-bit subkey for use in function f
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
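The Feistel structure, the DES round equations Li = Ri-1, Ri = Li-1 xor F(Ri-1, Ki), and the decryption-by-reversed-subkeys argument above, as an added generic example (not code from the original slides). F and the key schedule here are constructed placeholders (a 32-bit add/xorshift/multiply mixer and a rotate-and-fold schedule), not DES's E, S-boxes and P; they are only "some function of R and the subkey". What the code demonstrates is the structural property: decryption is the same network with the subkeys reversed, whether or not F is invertible, and a single flipped input bit spreads to about half the output bits once enough rounds are used.

```python
"""Generic Feistel network, the structure shared by S-DES and DES.

Added example, not code from the original slides.  F and key_schedule are
constructed stand-ins (NOT the DES round function or PC1/PC2 schedule): the
Feistel structure only requires F to be *some* function of (R, subkey).
"""
from __future__ import annotations

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Constructed sample inputs used by the demo below.
SAMPLE_KEY = 0x0F1E2D3C4B5A6978
SAMPLE_PT = 0xDEADBEEFCAFEF00D


def F(r: int, k: int) -> int:
    """Constructed round function: add the subkey, then an xorshift/multiply mix.
    It is many-to-one in r, so it has no inverse; the Feistel structure never needs one."""
    t = (r + k) & MASK32
    t ^= t >> 13
    t = (t * 0x5BD1E995) & MASK32
    t ^= t >> 15
    return t


def rotl64(x: int, n: int) -> int:
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64


def key_schedule(key: int, rounds: int) -> list[int]:
    """Constructed subkeys: rotate the 64-bit key per round, fold to 32 bits, add a round constant."""
    out = []
    for i in range(rounds):
        r = rotl64(key, 7 * i + 3)
        out.append(((r ^ (r >> 32)) + 0x9E3779B9 * (i + 1)) & MASK32)
    return out


def feistel(block: int, subkeys: list[int]) -> int:
    """Li = Ri-1, Ri = Li-1 xor F(Ri-1, Ki) per subkey; then undo the final swap, as DES does."""
    L, R = block >> 32, block & MASK32
    for k in subkeys:
        L, R = R, L ^ F(R, k)
    return (R << 32) | L


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    """Same network with subkeys K_n ... K_1: round 1 with K_n undoes encryption round n, etc."""
    return feistel(block, key_schedule(key, rounds)[::-1])


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def avalanche(key: int, rounds: int, samples: int = 16) -> float:
    """Mean number of the 64 ciphertext bits flipped by changing one plaintext bit."""
    subkeys = key_schedule(key, rounds)
    total = 0
    for i in range(samples):
        pt = (SAMPLE_PT * (2 * i + 1)) & MASK64   # constructed plaintexts
        bit = 1 << ((i * 37) % 64)                # a different bit position each sample
        total += hamming(feistel(pt, subkeys), feistel(pt ^ bit, subkeys))
    return total / samples


if __name__ == "__main__":
    ct = encrypt(SAMPLE_PT, SAMPLE_KEY)
    print(hex(ct), decrypt(ct, SAMPLE_KEY) == SAMPLE_PT)
    for rounds in (1, 2, 4, 16):
        print(rounds, "rounds: avg bits flipped =", avalanche(SAMPLE_KEY, rounds))
```

With 1 round a flipped bit in the left half changes exactly one ciphertext bit (it passes straight through), which is why the slides list the number of rounds among the design parameters; by 16 rounds the count sits near 32 of 64.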
Avalanche Effect
• key desirable property of an encryption algorithm
• where a change of one input or key bit results in changing approx. half the output bits
• making attempts to "home in" on the key by guessing infeasible
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 × 10^16 values
• brute force search looks hard
• recent advances have shown it is possible
  – in 1997 on the Internet in a few months
  – in 1998 on dedicated h/w (EFF Deep Crack) in a few days
  – in 1999 the above combined in 22 hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
  – can eventually recover some/all of the sub-key bits
  – if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
  – differential cryptanalysis: 2^47 chosen plaintexts
  – linear cryptanalysis: 2^47 known plaintexts
Differential Cryptanalysis
• one of the most significant recent (public) advances in cryptanalysis
• known to NSA in the 70's, cf. the DES design
• Murphy, Biham & Shamir published it in 1990
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
Differential Cryptanalysis
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing values of the key
• differential cryptanalysis compares pairs of encryptions
  – with a known difference in the input
  – searching for a known difference in output
  – when the same subkeys are used
Differential Cryptanalysis
• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds (with decreasing probabilities)
Differential Cryptanalysis
• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
  – if intermediate rounds match required XOR have a right pair
  – if not then have a wrong pair, relative ratio is S/N for attack
• can then deduce key values for the rounds
  – right pairs suggest same key bits
  – wrong pairs give random values
• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
• Biham and Shamir have shown how a 13-round iterated
Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with 2^47 known plaintexts,
Linear Cryptanalysis
• find linear approximations with probability p ≠ ½
    P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]
  where i1..ia, j1..jb, k1..kc are bit locations in P, C, K and P[i1, ..., ia] denotes the XOR of those bits of P (likewise for C and K)
• gives a linear equation for key bits
• get one key bit using max likelihood alg
• using a large number of trial encryptions
• effectiveness given by: |p – ½|
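Both attacks above start from a table computed over a single S-box: differential cryptanalysis needs "input difference gives output difference with probability p" (the difference-distribution table), and linear cryptanalysis needs "linear approximation with probability p ≠ ½" (the linear-approximation table, whose entries are the bias |p – ½| scaled by 2^6). This added example (not code from the slides) builds both tables for DES S1, the S-box published in FIPS 46, indexed exactly as in the S-box slide above (outer bits row, inner bits column), and picks out the strongest characteristic of each kind. For S1 the well-known differential 34 → 2 (hex) holds for 16 of the 64 inputs, i.e. probability 1/4.

```python
"""Difference-distribution (DDT) and linear-approximation (LAT) tables for DES S1.

Added example, not code from the original slides.  S1 is the first DES S-box
of FIPS 46; ddt()/lat() are generic and work for any S-box given as a function.
"""
from __future__ import annotations

# DES S1: 4 rows of 16 entries.  Row = outer bits (b1 b6), column = inner bits (b2..b5).
S1 = (
    (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7),
    (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8),
    (4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0),
    (15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13),
)


def s1(x: int) -> int:
    """6-bit input -> 4-bit output, as on the slide: 011001 -> row 01 = 1, column 1100 = 12."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def ddt(sbox, n_in: int = 6, n_out: int = 4) -> list[list[int]]:
    """ddt[din][dout] = #{x : S(x) xor S(x xor din) == dout}; probability is count / 2**n_in."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for din in range(1 << n_in):
        for x in range(1 << n_in):
            table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def lat(sbox, n_in: int = 6, n_out: int = 4) -> list[list[int]]:
    """lat[a][b] = #{x : a.x == b.S(x)} - 2**(n_in-1): the bias |p - 1/2| times 2**n_in.
    a and b are bit masks; a.x is the XOR of the input bits selected by a."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a in range(1 << n_in):
        for b in range(1 << n_out):
            agree = sum(parity(a & x) == parity(b & sbox(x)) for x in range(1 << n_in))
            table[a][b] = agree - (1 << (n_in - 1))
    return table


def best_differential(table: list[list[int]]) -> tuple[int, int, int]:
    """(din, dout, count) with the highest count over nonzero input differences."""
    return max(((din, dout, c) for din, row in enumerate(table) if din
                for dout, c in enumerate(row)), key=lambda t: t[2])


def best_linear(table: list[list[int]]) -> tuple[int, int, int]:
    """(a, b, bias*64) with the largest |bias| over nonzero input and output masks."""
    return max(((a, b, v) for a, row in enumerate(table) if a
                for b, v in enumerate(row) if b), key=lambda t: abs(t[2]))


if __name__ == "__main__":
    T, L = ddt(s1), lat(s1)
    din, dout, c = best_differential(T)
    print(f"best differential: {din:02x} -> {dout:x} with probability {c}/64")
    a, b, v = best_linear(L)
    print(f"best linear approximation: masks a={a:02x}, b={b:x}, bias {abs(v)}/64")
```

The DDT is what the "right pair / wrong pair" counting in the slides rests on: a pair with input XOR 34 lands on output XOR 2 one time in four, and every other output XOR for that input is rarer. The LAT gives the |p – ½| that sets how many known plaintexts linear cryptanalysis needs.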
Block Cipher Design Principles
• basic principles still like Feistel in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
• key schedule
Modes of Operation
• block ciphers encrypt fixed size blocks
  – eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practice, given usually have arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
    Ci = DES_K1(Pi)
• uses: secure transmission of single values
Advantages and Limitations of ECB
• repetitions in message may show in ciphertext
  – if aligned with message block
  – particularly with data such as graphics
  – or with messages that change very little, which become a code-book analysis problem
• weakness is due to encrypted message blocks being independent
Cipher Block Chaining (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with the current plaintext block, hence name
• use Initial Vector (IV) to start process
    Ci = DES_K1(Pi XOR Ci-1), C-1 = IV
Advantages and Limitations of CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
  – however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
  – hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
  – note: a fixed IV makes two messages with the same first block produce the same first ciphertext block; current guidance (NIST SP 800-38A) is an unpredictable IV per message, with the integrity of IV and ciphertext protected by a MAC rather than by hiding the IV
• at end of message, handle possible last short block
  – by padding either with known non-data value (eg nulls)
  – or pad last block with count of pad size
Cipher FeedBack (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
  – denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
    Ci = Pi XOR DES_K1(Ci-1), C-1 = IV
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
Output FeedBack (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
    Ci = Pi XOR Oi, Oi = DES_K1(Oi-1), O-1 = IV
Advantages and Limitations of OFB
• used when error feedback a problem or where need to do encryptions before message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
• a variation of a Vernam cipher
  – hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should
Counter (CTR)
• a "new" mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
    Ci = Pi XOR Oi, Oi = DES_K1(i)
Advantages and Limitations of CTR
• efficiency
  – can do parallel encryptions
  – in advance of need
  – good for bursty high speed links
• random access to encrypted data blocks
• provable security (as good as other modes)
• but must ensure never reuse key/counter
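The five modes above (ECB, CBC, CFB, OFB, CTR) written out over a stand-in block cipher, as an added example (not code from the original slides). E/D are a constructed random bijection on 1-byte blocks (a seeded shuffle) standing in for DES_K1 in the slide formulas, so the mode logic and the three caveats from the slides (ECB repetitions show through, a cleartext CBC IV lets an attacker flip bits of the first block, reusing a CTR counter under one key leaks the XOR of the plaintexts) can be run and checked without a cipher library. With 1-byte blocks no padding is ever needed and CFB/OFB use full-block feedback (CFB-8 here); with 64-bit DES blocks the same code applies block by block.

```python
"""ECB, CBC, CFB, OFB and CTR over a stand-in block cipher.

Added example, not code from the original slides.  E/D are NOT DES: they are
a constructed random bijection on 8-bit blocks (seeded shuffle) standing in
for DES_K1 in the slide formulas.  BLOCK = 1 byte keeps the demo short; the
mode logic is identical for 8-byte DES blocks.
"""
from __future__ import annotations
import random

BLOCK = 1  # bytes (DES: 8)

# Constructed sample message and IV: two runs of identical blocks make ECB's leak visible.
SAMPLE_PT = b"AAAAAAAABBBBBBBB"
SAMPLE_IV = b"\x5a"

_rng = random.Random(2024)        # constructed: fixed seed, so the stand-in "key" is repeatable
_SBOX = list(range(256))
_rng.shuffle(_SBOX)
_INV = [0] * 256
for _i, _v in enumerate(_SBOX):
    _INV[_v] = _i


def E(block: bytes) -> bytes:     # stand-in for DES_K1(block)
    return bytes([_SBOX[block[0]]])


def D(block: bytes) -> bytes:     # stand-in for DES_K1^-1(block)
    return bytes([_INV[block[0]]])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes) -> list[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: Ci = E(Pi).  Blocks are independent, so equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(pt: bytes) -> bytes:
    return b"".join(E(p) for p in split(pt))


def ecb_decrypt(ct: bytes) -> bytes:
    return b"".join(D(c) for c in split(ct))


# CBC: Ci = E(Pi xor Ci-1), C-1 = IV.
def cbc_encrypt(pt: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for p in split(pt):
        prev = E(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(D(c), prev))
        prev = c
    return b"".join(out)


# CFB (full-block feedback): Ci = Pi xor E(Ci-1), C-1 = IV.  E is used at both ends; D is never needed.
def cfb_encrypt(pt: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for p in split(pt):
        prev = xor(p, E(prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(ct: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(c, E(prev)))
        prev = c
    return b"".join(out)


# OFB: Oi = E(Oi-1), O-1 = IV.  The keystream does not depend on the message, so it can be precomputed.
def ofb_keystream(iv: bytes, nblocks: int) -> bytes:
    out, o = [], iv
    for _ in range(nblocks):
        o = E(o)
        out.append(o)
    return b"".join(out)


# CTR: Oi = E(counter + i).  No chaining, so blocks can be computed in parallel or accessed at random.
# Toy limitation: a 1-byte counter wraps after 256 blocks, which would itself be a counter reuse.
def ctr_keystream(start: int, nblocks: int) -> bytes:
    return b"".join(E(bytes([(start + i) % 256])) for i in range(nblocks))


def ofb_crypt(data: bytes, iv: bytes) -> bytes:    # one function both encrypts and decrypts
    return xor(data, ofb_keystream(iv, len(split(data))))


def ctr_crypt(data: bytes, start: int) -> bytes:
    return xor(data, ctr_keystream(start, len(split(data))))


def ecb_shows_repeats(pt: bytes) -> bool:
    """ECB weakness: any repeated plaintext block appears as a repeated ciphertext block."""
    ct = split(ecb_encrypt(pt))
    return len(set(ct)) < len(ct)


def cbc_iv_tamper(ct: bytes, iv: bytes, mask: bytes) -> bytes:
    """The slides' CBC caveat: whoever can change the IV flips the same bits of P0 on decryption."""
    return cbc_decrypt(ct, xor(iv, mask))


def ctr_reuse_leaks(pt1: bytes, pt2: bytes, start: int) -> bool:
    """Reusing (key, counter) for two messages reveals pt1 xor pt2 = ct1 xor ct2."""
    return xor(ctr_crypt(pt1, start), ctr_crypt(pt2, start)) == xor(pt1, pt2)


if __name__ == "__main__":
    print("ECB repeats visible:", ecb_shows_repeats(SAMPLE_PT))
    ct = cbc_encrypt(SAMPLE_PT, SAMPLE_IV)
    print("CBC with flipped IV bit:", cbc_iv_tamper(ct, SAMPLE_IV, b"\x01"))
    print("CTR counter reuse leaks XOR:", ctr_reuse_leaks(b"attack at dawn", b"attack at dusk", 5))
```

The IV-tampering result is why CBC without a MAC is malleable whatever is done with the IV, and the CTR result is the "never reuse key/counter" rule made concrete: the two ciphertexts XOR to the two plaintexts XORed, with the key playing no part at all.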
Summary
• have considered:
• block cipher design principles
• DES
– details – strength