1. 1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers  now look at modern block ciphers  one of the most widely used types of cryptographic algorithms  provide secrecy /authentication services  focus on DES (Data Encryption Standard)  to illustrate block cipher design principles

2. 2 Block vs Stream Ciphers  block ciphers process messages in blocks, each of which is then en/decrypted  like a substitution on very big characters 64-bits or more 64-bits or more  stream ciphers process messages a bit or byte at a time when en/decrypting  many current ciphers are block ciphers  broader range of applications

3. 3 Block Cipher Principles  most symmetric block ciphers are based on a Feistel Cipher Structure  must be able to decrypt ciphertext to recover messages efficiently  block ciphers look like an extremely large substitution  would need a table of 2 64 entries for a 64-bit block  instead create from smaller building blocks  using idea of a product cipher

4. 4 Ideal Block Cipher

5. 5 Claude Shannon and Substitution- Permutation Ciphers  Claude Shannon introduced idea of substitution- permutation (S-P) networks in 1949 paper  form basis of modern block ciphers  S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) substitution (S-box) permutation (P-box) permutation (P-box)  provide confusion & diffusion of message & key

6. 6 Confusion and Diffusion  cipher needs to completely obscure statistical properties of original message  a one-time pad does this  more practically Shannon suggested combining S & P elements to obtain:  diffusion – dissipates statistical structure of plaintext over bulk of ciphertext  confusion – makes relationship between ciphertext and key as complex as possible

7. 7 Feistel Cipher Structure  Horst Feistel devised the feistel cipher based on concept of invertible product cipher based on concept of invertible product cipher  partitions input block into two halves process through multiple rounds which process through multiple rounds which perform a substitution on left data half perform a substitution on left data half based on round function of right half & subkey based on round function of right half & subkey then have permutation swapping halves then have permutation swapping halves  implements Shannon’s S-P net concept

8. 8 Feistel Cipher Structure

9. 9 Feistel Cipher Design Elements  block size  key size  number of rounds  subkey generation algorithm  round function  fast software en/decryption  ease of analysis

10. 10 Feistel Cipher Decryption

11. 11 DES History  IBM developed Lucifer cipher by team led by Feistel in late 60’s by team led by Feistel in late 60’s used 64-bit data blocks with 128-bit key used 64-bit data blocks with 128-bit key  then redeveloped as a commercial cipher with input from NSA and others  in 1973 NBS issued request for proposals for a national cipher standard  IBM submitted their revised Lucifer which was eventually accepted as the DES

12. The same algorithm is used both to encipher and to decipher. Most widely used cipher ever Security based on Shannon’s Theory – Confusion : a piece of information is changed so that the output bits have no obvious relationship to the input bits. – Disfussion : To spread the effect of one plaintext bit to other bits in the ciphertext. 12

13. Block Cipher: – Block size= 64 bits. – Key Length= 56 bits (64 bits contains the bits 8, 16, 24, 32, 40, 48, 56, 64 for the odd parity check) Advantages of DES: – DES can be implemented by software and hardware for its simple arithmetic and logical operations. – High Speed 13

14. DES 14 In: 64 bits, Out: 64 bits, Key: 56 bits

15. IP (Initial Permutation) 15  The table should be read left-to-right, top-to- bottom.  T = t 1 t 2... t 64  T 0 = t 58 t 50... t 7 = L 0 R 0

16. IP  1 (Final Permutation) IP  1 is the inverse of IP. All tables are fixed. 16

17. Function f 17

18. E (Bit-Selection Table) In: 32 bits, Out: 48 bits 18

19. P (Permutation) In: 32 bits, Out: 32 bits 19

20. S-boxes (Selection Functions) 20

21. Each S-box S j maps a 6-bit block b 1 b 2 b 3 b 4 b 5 b 6 into a 4-bit block. (In: 6 bits, Out: 4 bits) The integer corresponding to b 1 b 6 selects a row and the integer corresponding to b 2 b 3 b 4 b 5 selects a column. Example: (100001) 2 for S-box 1 Row # = (11) 2 = 3 and Column # = (0000) 2 = 0 Ourput= 15= (1111)2. 21

22. Key Calculation 22 K 1, K 2,..., K 16 : 48 bits/each

23. PC-1 (Key Permutation) 23 In: 64 bits (with 8 parity bits), Out: 56 bits

24. PC-2 (Key Permutation) In: 56 bits, Out: 48 bits 24

25. LS i (Left Circular Shift) Iterationi Number ofLeft Shifts 11 21 32 42 52 62 72 82 91 102 112 122 132 142 152 161 25

26. Deciphering Deciphering is performed using the same algorithm, except that K 16 is used in the first iteration, K 15 in the second iteration, and so on. The last round of enciphering: 26

27. Deciphering The first round of deciphering: 27

28. Deciphering The last round of enciphering: LE 16 = RE 15 RE 16 = LE 15  f(RE 15, K 16 ) The first round of deciphering: LD 1 = RD 0 = LE 16 = RE 15 RD 1 = LD 0  f(RD 0, K 16 ) = RE 16  f(RE 15, K 16 ) = (LE 15  f(RE 15, K 16 ))  f(RE 15, K 16 ) = LE 15  (f(RE 15, K 16 )  f(RE 15, K 16 )) = LE 15  0 = LE 15 Thus, the output of the first round of deciphering is the swap of the input to the sixteenth round of the enciphering. 28

29. The order of subkeys is the reverse order (k 16, k 15, …, k 1 ). – Key shift 改成 shift right circularly. – 每一個 round 的 shift bit 數為 (1, 0), (2, 1), (3, 2), (4, 2), (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1). 29

30. Weakness of DES Complements: If C= E k (P), then ¬C= E  k (¬P), where ¬x is the cpmplement of x. – Reduce the complexity for finding keys from 2^56 to 2^55. Weak Keys(4): – 56 bits key left and right half are all 0 or 1,then it would cause all subkeys are the same. 30

31. Semi-Weak Keys: – the encryption using two different keys could get the same result [E k (P)= E k ’(P)] 31