Cryptography after DES Modern Ciphers Cryptography after DES

Designing a new cipher Competing requirements Code footprint Key agility Efficient software and hardware implementation Speed Flexibility Security Code footprint: Ciphers that require large amounts of RAM cannot be implemented in constrained environments. Key agility: When the cipher has to use a new key, the key schedule needs to be computed. The computational cost of initializing a cipher can be quite high. Flexibility: Different key/ block sizes allow tuning a cipher for the security vs. efficiency trade-off most adequate for the intended

Skipjack Developed by NSA For use with the Clipper chip Caused controversy: Secret specification Push for Government-based key escrow Being implemented in some constrained environments.

Skipjack 64-bit block size 80-bit keys 32 rounds 8 rounds of “Rule A,” followed by 8 rounds of “Rule B”, and repeat The round function is a Feistel network; the encryption and decryption use different algorithms

Skipjack Rules The above notation means the following: There are 4 16-bit words at any given time being processed by Skipjack. Let W1(i) be the value stored in word W1 after i steps. Then in the i+1 step, W2(i+1) becomes G( W1(i) ), W3(i+1) becomes W2(i), W4(i+1) becomes W3(i) and W1(i+1) becomes G( W1(i) )

Round function G Each execution of the round function performs two updates of the values of the high and low bytes of the 16-bit word. The round function is a Feistel network

Decryption round function G-1 As with other Feistel networks, the inversion of the round function is obtained by reversing the key scheduling algorithm.

The function F The function F is given by table lookup As in other ciphers, the design of F takes into consideration several goals: Achieves high diffusion and confusion parameters Achieves avalanche effect Is far from a linear function The avalanche effect is how fast the statistics of the function the satisfaction of the SAC Strict Avalanche Criterium: Each bit of the cipher-text has 50% of probability of changing value for each bit of the plaintext that changes value. A linear function is a function that commutes with XOR: F( c_1 XOR c_2) = F( c_1) XOR F( c_2 )

Key scheduling algorithm Extremely simple n-th byte of CV = (n mod 10)-th byte of Key The notation CV stands for “crypto-variable”, an NSA idiosyncratic terminology for KEY.

Product Ciphers and Triple-DES Increasing key length Product Ciphers and Triple-DES

Product cipher Consider a cipher E() with key length t bits. Take two keys k1 and k2 and encrypt a message m by first encrypting it with k1 and then with k2 : C = Ek2( Ek1(m)) Does the key length increase to 2t imply a corresponding gain in security?

Man-in-the-Middle Consider the following strategy to find the keys of a product cipher: Obtain some pairs (Pi, Ci) of plaintext and ciphertext encrypted with the product cipher. Ci = Enc(K’’,Enc(K’,Pi)) iff Dec(K’’, Ci) = Enc(K’, Pi) Encrypt P1 with all possible keys K’. Decrypt C1 with all possible keys K’’. Select key pairs s.t. D(K’’, C1) = E(K’, C2)

Attack ... K’’ K’ Dec(K2t,C1) Enc(K2t,P1) Dec(K2t-1,C1) Enc(K2t-1,P1) Dec(K4,C1) Enc(K4,P1) Dec(K3,C1) Enc(K3,P1) Dec(K2,C1) Enc(K2,P1) Dec(K1,C1) Enc(K1,P1) K’’ K’ In the example, encrypting P1 with K1 matches decrypting C1 with the K3 : The pair (K1, K3) is a candidate for the double encryption The table has 2t+1 entries, not 22t Security equivalent to using a key only one or two bits longer! In order to make finding pairs more efficient, proceed as follows. Compute A1 = Enc(K1, P1). Then interpret the block

Time/memory trade-off In order to optimize finding matches: Compute A1 = Enc(K’, P1). Interpret A1 as an address location and store the value K’ there. Compute B1 = Dec(K’’, C1). Interpret B1 as an address location and store the value K’’ there. If a key K’ and a key K’’ try to occupy the same address, output (K’, K’’) as a possible key pair. Time/memory trade-off: Use only part of the block value to address. Store only part of the key data.

Triple-DES 3-DES is usually implemented as a encryption followed by a decryption (with a different key) followed by another encryption: DES-EDE Two- and three-key variants, to accomplish 112 and 168-bit keys: DES(K1, DES-1(K2, DES(K1, m))) DES(K3, DES-1(K2, DES(K1, m)))

Attacking triple encryption Merkle devised the following attack. For each key K’, compute P(K’) = Dec(K’’, 0). For each K’, get P(K’) encrypted (using 3-encryption). Apply previous attack on double encryption, with P1 = 0, to find candidates (K’’, K’’’) for each K’. Conclusion: 23t computations not required Many pairs of plaintext/ciphertext required. Note: This is a chosen-plaintext attack, while the previous attack on double-encryption was a given plaintext attack. Also, the attack requires massive amounts of CHOSEN plaintext-ciphertext pairs.