Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 17.

Published byCory Evans Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 17."— Presentation transcript:

1 Cryptography Lecture 17

2 Feistel networks

3 Feistel networks Build (invertible) permutation from non-invertible components One round: Keyed round function f: {0,1}n x {0,1}l/2 {0,1}l/2 Fk1(L0, R0)  (L1, R1) where L1 = R0; R1 = L0  fk1(R0) Always invertible!

4 L0 R0 fk L1 R1

5 Security? Security of 1-round Feistel?
Security of 2-round Feistel (with independent keys)? Security of 3/4-round Feistel? (When round functions are random and independent)

6 Data Encryption Standard (DES)
Standardized in 1977 56-bit keys, 64-bit block length 16-round Feistel network Same round function (“mangler function”) in all rounds Different sub-keys in each round, each derived from the master key The round function is basically an SPN!

7 DES mangler function

8 DES mangler function S-boxes Mixing permutation Each S-box is 4-to-1
Changing 1 bit of input changes at least 2 bits of output Mixing permutation The 4 bits of output from any S-box affect the input to 6 S-boxes in the next round

9 Key schedule 56-bit master key, 48-bit subkey in each round
Each subkey takes 24 bits from the left half of the master key, and 24 bits from the right half of the master key

10 Avalanche effect Consider 1-bit difference in left half of input
After 1 round, 1-bit difference in right half S-boxes cause a 2-bit difference, implying a 3-bit difference overall after 2 rounds Mixing permutation spreads differences into different S-boxes

11 Security of DES DES is extremely well-designed
Except for some attacks that require large amounts of plaintext, no attacks better than brute-force are known But … parameters are too small!

12 56-bit key length A concern as soon as DES was released
Brute-force search over 256 keys is possible 1997: 1000s of computers, 96 days 1998: distributed.net, 41 days 1999: Deep Crack ($250,000), 56 hours Today: 48 FPGAs, ~1 day

13 64-bit block length Birthday collisions relatively likely
E.g., encrypt 230 ( 1 billion) records using CTR mode; chances of a collision are  260/264 = 1/16

14 Increasing key length? DES has a key that is too short How to fix?
Design new cipher Tweak DES so that it takes a larger key Build new cipher using DES as a black box

15 Double encryption Let F: {0,1}n x {0,1}l  {0,1}l
(i.e., n=56, l=64 for DES) Define F2 : {0,1}2n x {0,1}l  {0,1}l as follows: F2k1, k2(x) = Fk1(Fk2(x)) (still invertible) If best attack on F takes time 2n, can we hope that the best attack on F2 takes time 22n?

16 Meet-in-the-middle attack
No! There is an attack taking 2n time… (And 2n memory) The attack applies any time a block cipher can be “factored” into 2 independent components

17 Triple encryption Define F3 : {0,1}3n x {0,1}l  {0,1}l as follows: F3k1, k2, k3(x) = Fk1(Fk2(Fk3(x))) What is the best attack now?

18 Two-key triple encryption
Define F3 : {0,1}2n x {0,1}l  {0,1}l as follows: F3k1, k2(x) = Fk1(Fk2(Fk1(x))) Best attack takes time 22n – optimal given the key length! This approach is taken by triple-DES

19 Advanced encryption standard (AES)
Public design competition run by NIST Began in Jan 1997 15 algorithms submitted Workshops in 1998, 1999 Narrowed to 5 finalists Workshop in early 2000; winner announced in late 2000 Factors besides security taken into account

20 AES 128-bit block length 128-, 192-, and 256-bit key lengths
Basically an SPN structure! 1-byte S-box (same for all bytes) Mixing permutation replaced by invertible linear transformation If two inputs differ in b bytes, outputs differ in ≥ 5-b bytes No attacks better than brute-force known

Download ppt "Cryptography Lecture 17."

Similar presentations

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena.
CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.

CS555Spring 2012/Topic 91 Cryptography CS 555 Topic 9: Block Cipher Construction & DES.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
Chapter 20 Symmetric Encryption and Message Confidentiality.

Chapter 20 Symmetric Encryption and Message Confidentiality.
Chapter 20 Symmetric Encryption and Message Confidentiality.

Chapter 20 Symmetric Encryption and Message Confidentiality.
Block ciphers Structure of a multiround block cipher

Block ciphers Structure of a multiround block cipher
1 Lect. 7 : Data Encryption Standard. 2 Data Encryption Standard (DES)  DES - History 1976 – adopted as a federal standard 1977 – official publication.

1 Lect. 7 : Data Encryption Standard. 2 Data Encryption Standard (DES)  DES - History 1976 – adopted as a federal standard 1977 – official publication.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.

Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.

TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.

Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.

Similar presentations

Ads by Google