Cryptography Lecture 17.

Slides:



Advertisements
Similar presentations
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Advertisements

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Chapter 20 Symmetric Encryption and Message Confidentiality.
Block ciphers Structure of a multiround block cipher
1 Lect. 7 : Data Encryption Standard. 2 Data Encryption Standard (DES)  DES - History 1976 – adopted as a federal standard 1977 – official publication.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.
Lecture 23 Symmetric Encryption
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
Block Cipher- introduction
The Advanced Encryption Standard Part 1: Overview
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Symmetric Cryptography
Chapter3: Block Ciphers and the Data Encryption Standard
Triple DES.
School of Computer Science and Engineering Pusan National University
6b. Practical Constructions of Symmetric-Key Primitives.
Classical Encryption techniques
Simplified IDEA Cryptography and Network Security.
Lecture 2.2: Private Key Cryptography II
Lecture 3: Symmetric Key Encryption
NET 311 Information Security
Cryptography after DES
Symmetric Key Block Ciphers
Homework 2 Statistics Harry Hagrid Minimum Value Maximum Value
Cryptography Basics and Symmetric Cryptography
Cryptography Lecture 18.
Cryptography and Network Security Chapter 3
Cryptography Lecture 16.
Cryptography Lecture 19.
AES Objectives ❏ To review a short history of AES
Block cipher & Fiestel Structure
ICS 454: Principles of Cryptography
Fifth Edition by William Stallings
Cryptography Lecture 17.
ADVANCED ENCRYPTION STANDARDADVANCED ENCRYPTION STANDARD
Chapter -2 Block Ciphers and the Data Encryption Standard
Chapter -3 ADVANCED ENCRYPTION STANDARD & BLOCK CIPHER OPERATION
Advanced Encryption Standard
Cryptography Lecture 8.
SYMMETRIC ENCRYPTION.
Block Ciphers (Crypto 2)
Advanced Encryption Standard
Differential Cryptanalysis
Cryptography and Network Security Chapter 5 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography Lecture 13.
Cryptography Lecture 16.
Modern Cryptography.
SOHAIL SHAHUL HAMEED Dr. BHARGAVI GOSWAMI
Florida State University
ICS 555: Block Ciphers & DES Sultan Almuhammadi.
Advanced Encryption Standard
Feistel Cipher Structure
Data Encryption Standard (DES)
Blowfish Encryption Algorithm
Presentation transcript:

Cryptography Lecture 17

Feistel networks

Feistel networks Build (invertible) permutation from non-invertible components One round: Keyed round function f: {0,1}n x {0,1}l/2 {0,1}l/2 Fk1(L0, R0)  (L1, R1) where L1 = R0; R1 = L0  fk1(R0) Always invertible!

L0 R0  fk L1 R1

Security? Security of 1-round Feistel? Security of 2-round Feistel (with independent keys)? Security of 3/4-round Feistel? (When round functions are random and independent)

Data Encryption Standard (DES) Standardized in 1977 56-bit keys, 64-bit block length 16-round Feistel network Same round function (“mangler function”) in all rounds Different sub-keys in each round, each derived from the master key The round function is basically an SPN!

DES mangler function

DES mangler function S-boxes Mixing permutation Each S-box is 4-to-1 Changing 1 bit of input changes at least 2 bits of output Mixing permutation The 4 bits of output from any S-box affect the input to 6 S-boxes in the next round

Key schedule 56-bit master key, 48-bit subkey in each round Each subkey takes 24 bits from the left half of the master key, and 24 bits from the right half of the master key

Avalanche effect Consider 1-bit difference in left half of input After 1 round, 1-bit difference in right half S-boxes cause a 2-bit difference, implying a 3-bit difference overall after 2 rounds Mixing permutation spreads differences into different S-boxes …

Security of DES DES is extremely well-designed Except for some attacks that require large amounts of plaintext, no attacks better than brute-force are known But … parameters are too small!

56-bit key length A concern as soon as DES was released Brute-force search over 256 keys is possible 1997: 1000s of computers, 96 days 1998: distributed.net, 41 days 1999: Deep Crack ($250,000), 56 hours Today: 48 FPGAs, ~1 day

64-bit block length Birthday collisions relatively likely E.g., encrypt 230 ( 1 billion) records using CTR mode; chances of a collision are  260/264 = 1/16

Increasing key length? DES has a key that is too short How to fix? Design new cipher Tweak DES so that it takes a larger key Build new cipher using DES as a black box

Double encryption Let F: {0,1}n x {0,1}l  {0,1}l (i.e., n=56, l=64 for DES) Define F2 : {0,1}2n x {0,1}l  {0,1}l as follows: F2k1, k2(x) = Fk1(Fk2(x)) (still invertible) If best attack on F takes time 2n, can we hope that the best attack on F2 takes time 22n?

Meet-in-the-middle attack No! There is an attack taking 2n time… (And 2n memory) The attack applies any time a block cipher can be “factored” into 2 independent components

Triple encryption Define F3 : {0,1}3n x {0,1}l  {0,1}l as follows: F3k1, k2, k3(x) = Fk1(Fk2(Fk3(x))) What is the best attack now?

Two-key triple encryption Define F3 : {0,1}2n x {0,1}l  {0,1}l as follows: F3k1, k2(x) = Fk1(Fk2(Fk1(x))) Best attack takes time 22n – optimal given the key length! This approach is taken by triple-DES

Advanced encryption standard (AES) Public design competition run by NIST Began in Jan 1997 15 algorithms submitted Workshops in 1998, 1999 Narrowed to 5 finalists Workshop in early 2000; winner announced in late 2000 Factors besides security taken into account

AES 128-bit block length 128-, 192-, and 256-bit key lengths Basically an SPN structure! 1-byte S-box (same for all bytes) Mixing permutation replaced by invertible linear transformation If two inputs differ in b bytes, outputs differ in ≥ 5-b bytes No attacks better than brute-force known