Cryptography and Network Security, Chapter 3: Block Ciphers and the Data Encryption Standard


1 Cryptography and Network Security, Chapter 3: Block Ciphers and the Data Encryption Standard

2 Modern Block Ciphers
The most widely used class of cryptographic algorithms
Provide secrecy and authentication services
The most widely used example is DES, the Data Encryption Standard
Modern block ciphers are widely used to provide encryption of quantities of information and/or a cryptographic checksum to ensure the contents have not been altered. We continue to use block ciphers because they are comparatively fast and because we know a fair amount about how to design them. We will use the widely known DES algorithm to illustrate some key block cipher design principles.

3 Block and Stream Ciphers
A block cipher treats a segment of plaintext as a unit and produces a ciphertext block of the same length; the block size is typically 64 or 128 bits
A stream cipher encrypts a data stream one bit or one byte at a time (for example, the Vigenère cipher)
Many of today's ciphers are block ciphers; most network-related symmetric-key applications use block cipher techniques
Block ciphers work on a block (word) at a time, which is some number of bits; all of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a "stream". Block ciphers are currently better analysed and seem to have a broader range of applications, hence the focus on them.

4 Block Ciphers
Most symmetric block cipher algorithms are based on the Feistel cipher structure
A block cipher maps an n-bit plaintext block to an n-bit ciphertext block
There are 2^n possible plaintext blocks; for the encryption to be reversible, each plaintext block must map to a unique ciphertext block

5 The Ideal Block Cipher (Arbitrary Substitution)
Feistel refers to an n-bit general substitution as an ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext block to the ciphertext block. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation, as shown in Stallings Figure 3.1. It illustrates a tiny 4-bit substitution to show that each possible input can be arbitrarily mapped to any output, which is why the complexity of the mapping grows so rapidly with the block size.

6 Problems with the Ideal Block Cipher
What is the key size of the cipher in the previous figure?
A small block is easily broken: the cipher degenerates into a monoalphabetic substitution cipher.
What happens with a large block?

7 Shannon's Substitution-Permutation Ciphers
Shannon's 1949 paper proposed the idea of the substitution-permutation (S-P) network
Substitution operations (S-boxes)
Permutation operations (P-boxes)
A product cipher is built from two kinds of functions, providing confusion and diffusion
Claude Shannon's 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of a product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and P-boxes (in conjunction with S-boxes).

8 Confusion and Diffusion
Shannon's aim was to resist attacks based on statistical analysis
Shannon's ideal cipher is one in which the statistics of the ciphertext are completely independent of the key (the arbitrary cipher of Figure 3.1 is of this kind)
Diffusion: the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext (the relationship between plaintext and ciphertext is made complex); the method is to have each plaintext bit affect many ciphertext bits
Confusion: make the relationship between the statistics of the ciphertext and the key as complex as possible
Both aim to prevent the key from being discovered
The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.

9 Feistel Cipher Structure
Designed by Horst Feistel, based on the concept of an invertible product cipher
The input is a plaintext block of length 2w bits and a key K
The plaintext block is split into two halves, L0 and R0; after n rounds of processing the two halves are combined to form the ciphertext block
Implements Shannon's substitution and permutation operations

10 Feistel Cipher Structure
Substitution: the right half is first passed through the round function F, and the output of F is XORed with the left half; the round function is the same in every round, but its output depends on the subkey Ki
Permutation: after the substitution, a permutation is performed that swaps the left and right halves
Stallings Figure 3.2 illustrates the classical Feistel cipher structure, with the data split in two halves and processed through a number of rounds, each of which performs a substitution on the left half using the output of the round function on the right half and the subkey, followed by a permutation which swaps the halves, as listed previously.

11 Feistel Cipher Design Elements
Design parameters: block size (DES 64, AES 128); key size (128); number of rounds (16); subkey generation algorithm; round function
Additional considerations: fast software encryption and decryption; the algorithm should be easy to analyse (DES is not)

12 Feistel Decryption Algorithm (paper-and-pencil exercise)
Running the encryption algorithm in reverse order gives the decryption algorithm: use the ciphertext as input and apply the subkeys in reverse order
Proof of correctness
Encryption: LE16 = RE15, RE16 = LE15 ⊕ F(RE15, K16)
Decryption: LD1 = RD0 = LE16 = RE15; RD1 = LD0 ⊕ F(RD0, K16) = RE16 ⊕ F(RE15, K16) = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16) = LE15
The process of decryption with a Feistel cipher, as shown in Stallings Figure 3.3, is essentially the same as the encryption process. The rule is as follows: use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn–1 in the second round, and so on until K1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.

13 The Data Encryption Standard (DES)
Currently the most widely used block cipher
Adopted in 1977 by the US National Bureau of Standards (NBS), since renamed the National Institute of Standards and Technology (NIST)
DES is Federal Information Processing Standard 46 (FIPS PUB 46), published by NIST
Encrypts 64-bit data blocks with a 56-bit key
DES is very widely used, so its security has been a topic of continuing controversy
The most widely used private-key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoys widespread use. It has also been the subject of much controversy over its security.

14 The History of DES
IBM developed the LUCIFER cipher in a project led by Feistel in the late 1960s; it used a 128-bit key on 64-bit data blocks
IBM then worked with experts from the US National Security Agency to develop a commercial product
In 1973 the National Bureau of Standards issued a public request for proposals for a US national encryption standard
IBM submitted the results of the Tuchman and Meyer project: implemented on a single chip, with the key reduced to 56 bits; it was adopted by NBS in 1977 and became DES
In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

15 DES Design Controversy
DES was strongly criticised before it became a standard, and the criticism has not died down since:
LUCIFER used a 128-bit key, but the submitted version had a 56-bit key
The design specification of DES's internal structure (that is, the S-boxes) was classified
Later events, however, seem to indicate that the internal structure of DES is very strong
Industry still uses DES widely, especially in financial applications
NIST recommends DES only for legacy systems

16 DES Encryption Overview
Of the 64-bit initial key only 56 bits are used; the other 8 bits can serve as parity checks
Subkey generation: circular left shift followed by permutation
Feistel structure

17 Initial Permutation (IP)
The first stage of DES encryption
IP rearranges the input data bits: even-numbered bits go to the left half, odd-numbered bits to the right half
Example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
The initial permutation and its inverse (IP^-1) are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use, so be careful: numbers run from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant). Note that examples are specified using hexadecimal. Here a 64-bit plaintext value of "675a6967 5e5a6b5a" (written in left and right halves) after permuting with IP becomes "ffb2194d 004df6fb".
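The following is an added example, not part of the slides: a table-driven implementation of IP and IP^-1 that reproduces the worked value above. The IP table is the standard FIPS 46 table; the helper names (permute, invert_table, halves) are my own. The practitioner's trap here is the bit numbering: DES counts bit 1 as the most significant bit, so the shift in permute() is width - position rather than position - 1.

```python
# Added example: DES initial permutation (IP) and its inverse, not from the slides.
# IP table from FIPS 46: entry j (1-based) says which input bit becomes output bit j.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def invert_table(table):
    """Build the inverse of a permutation table.

    Output position j of `table` received input bit table[j]; the inverse
    table therefore sends output position j back to position table[j].
    """
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


IP_INV = invert_table(IP)


def permute(value, table, width):
    """Apply a DES-style permutation table to a `width`-bit integer.

    DES numbers bits from 1 (leftmost, most significant) to `width`
    (rightmost, least significant), the opposite of the usual LSB-first
    convention, so DES bit n of `value` is (value >> (width - n)) & 1.
    """
    out = 0
    for in_pos in table:
        bit = (value >> (width - in_pos)) & 1
        out = (out << 1) | bit
    return out


def initial_permutation(block):
    """IP: 64-bit block in, 64-bit block out."""
    return permute(block, IP, 64)


def inverse_initial_permutation(block):
    """IP^-1, the final permutation of DES."""
    return permute(block, IP_INV, 64)


def halves(block):
    """Split a 64-bit block into its (left, right) 32-bit halves."""
    return block >> 32, block & 0xFFFFFFFF


if __name__ == "__main__":
    plaintext = 0x675A69675E5A6B5A  # the slide's example input
    permuted = initial_permutation(plaintext)
    left, right = halves(permuted)
    print(f"IP({plaintext:016x}) = ({left:08x} {right:08x})")
    print("IP^-1 restores input:", inverse_initial_permutation(permuted) == plaintext)
```

Because IP is a fixed, key-independent shuffle, it adds no cryptographic strength; it is a wiring convenience from the original hardware design, which is why a check that IP^-1(IP(x)) == x is all the verification it needs.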

18 DES Round Structure
Uses 32-bit L (left) and R (right) halves
As in any classical Feistel cipher, each round can be described by the equations:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
The round key Ki is 48 bits and the input R is 32 bits:
R is expanded to 48 bits by the expansion permutation (E)
The resulting 48 bits are XORed with Ki
The result is passed to the substitution stage, which produces a 32-bit output; that output then goes through the permutation function (P)

19 The DES Round Function F
(Figure: E bit-selection table, S-boxes and permutation P)
Stallings Figure 3.6 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E, which defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes, each of which maps 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.

20 The Substitution Stage (S-boxes)
The substitution stage consists of 8 S-boxes
Each S-box takes a 6-bit input and produces a 4-bit output:
The first and last bits of the input to box Si form a 2-bit binary value that selects one of the four rows of the table
The middle 4 bits form a value that selects one of the 16 columns
The decimal value at the selected row and column is output in 4-bit binary form
Example: S1(011011) = 0101

21 Key Generation (PC-1, PC-2)
Generates the subkey used in each round
The 64-bit key passes through Permuted Choice 1 (PC-1), giving 56 bits
The 56-bit result is split into two 28-bit halves
In each round, each half is separately rotated (circular left shift) by one or two bits
The shifted values become the input to the next round and also the input to Permuted Choice 2 (PC-2)
PC-2 produces a 48-bit output, which is the Ki input to the function F(Ri–1, Ki)

22 DES Decryption
The DES decryption algorithm is almost identical to encryption, except that the subkeys are used in reverse order

23 The Avalanche Effect
A desirable property of any encryption algorithm is that a small change in the plaintext or the key produces a significant change in the ciphertext
If the change were small, it might give an attacker a way to reduce the plaintext or key space that has to be searched
DES exhibits a strong avalanche effect
A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect, as may be seen in Stallings Table 3.5.
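The following added example (not code from the slides) ties together three of the points above in one toy cipher: the Feistel decryption proof of slide 12 (decryption is the same network with the subkeys reversed, even though F is not invertible), the avalanche effect of this slide, and the role of the round count discussed under block cipher design. The cipher is a constructed 32-bit Feistel network with a 16-bit round function; its S-box (borrowed from the PRESENT cipher purely as a source of nonlinearity), its key schedule and the sample key are all assumptions of this illustration and have nothing to do with DES itself.

```python
# Added example: toy 32-bit Feistel cipher demonstrating decryption by reversed
# subkeys and the avalanche effect. Constructed for illustration; not DES.
HALF_BITS = 16
HALF_MASK = (1 << HALF_BITS) - 1

# A bijective nonlinear 4-bit S-box (the PRESENT cipher's S-box).
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def rotl16(x, n):
    return ((x << n) | (x >> (HALF_BITS - n))) & HALF_MASK


def round_function(right, subkey):
    """F(R, K): key mixing, nibble-wise substitution, then bit mixing.

    F need not be invertible for the Feistel network to be decryptable, and
    this one is deliberately many-to-one: it discards one bit before mixing.
    """
    x = (right ^ subkey) & HALF_MASK
    x = sum(SBOX4[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))
    x &= 0x7FFF  # drop the top bit so F is visibly not a bijection
    return x ^ rotl16(x, 5) ^ rotl16(x, 11)


def feistel(block, subkeys):
    """n rounds of L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i), then a final swap.

    Feeding the output back in with the subkeys reversed undoes every round
    (the proof on slide 12), so encryption and decryption share this function.
    """
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF_BITS) | left  # final swap of halves


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    return feistel(block, list(reversed(subkeys)))


def toy_key_schedule(master_key, rounds):
    """Toy schedule (assumption): 16-bit windows over a 64-bit key, salted by round."""
    return [((master_key >> ((7 * i) % 49)) ^ i) & HALF_MASK for i in range(rounds)]


def hamming(a, b):
    return bin(a ^ b).count("1")


def avalanche(subkeys, plaintexts):
    """Average ciphertext bits flipped per single plaintext-bit flip, over all
    32 bit positions and the given plaintexts. Ideal for a 32-bit block is 16."""
    total = 0
    for p in plaintexts:
        c = encrypt(p, subkeys)
        for bit in range(2 * HALF_BITS):
            total += hamming(c, encrypt(p ^ (1 << bit), subkeys))
    return total / (len(plaintexts) * 2 * HALF_BITS)


if __name__ == "__main__":
    key = 0x0F1E2D3C4B5A6978  # constructed sample key
    plaintexts = [0x00000000, 0x12345678, 0xDEADBEEF, 0xFFFFFFFF]
    for rounds in (1, 2, 4, 8, 16):
        ks = toy_key_schedule(key, rounds)
        ok = all(decrypt(encrypt(p, ks), ks) == p for p in plaintexts)
        print(f"{rounds:2d} rounds: roundtrip ok={ok}, "
              f"avg bits flipped {avalanche(ks, plaintexts):.1f} / 32")
```

With one round, flipping a bit in the left half changes exactly one ciphertext bit, because the left half is only XORed with F and then swapped; the avalanche figure climbs toward 16 as rounds are added, which is the quantitative form of the claim that enough rounds compensate for a weak F.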

24 The Strength of DES: Key Size
A 56-bit key gives 2^56 possible keys, approximately 7.2 × 10^16
On the face of it, a brute-force attack seems impractical
But recent advances have shown that it is possible:
in 1997 it took only a few months
in 1998 special-purpose hardware (EFF) took only a few days
in 1999 it took only a few days
Breaking a key is not just trying every possible key; the plaintext must also be recognised correctly
Alternatives to DES must now be considered

25 The Nature of the DES Algorithm
Must consider the possibility that an attacker could exploit the characteristics of the DES algorithm
The focus of concern is the eight substitution tables (S-boxes) used in each round
Timing attacks
Differential cryptanalysis
Linear cryptanalysis
Related-key attacks
Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually some or all of the subkey bits can be recovered, after which the rest can be searched exhaustively if necessary. Generally these are statistical attacks whose likelihood of success depends on the amount of information gathered. Attacks of this form include differential cryptanalysis, linear cryptanalysis, and related-key attacks.

26 The Strength of DES: Timing Attacks
The running time of an encryption or decryption algorithm varies slightly with the input
A timing attack obtains information about the key or plaintext from how long decryptions take
Cause: the number of 1 bits in the key affects the encryption and decryption time
No successful attack of this kind on DES so far
We will discuss timing attacks in more detail later, as they relate to public-key algorithms. However, the issue may also be relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES analysis process has highlighted this attack approach and showed that it is a concern particularly with smartcard implementations, though DES appears to be fairly resistant to a successful timing attack.

27 Differential Cryptanalysis
Differential cryptanalysis is one of the most significant recent developments in cryptanalysis
It was already known to the DES designers in 1974
Murphy, and Biham and Shamir, published papers on it in the 1990s
A powerful tool for breaking block ciphers
It was the first method to break DES with complexity below 2^55 (requiring 2^47 chosen plaintexts)
The DES S-boxes and permutation function P are designed to resist differential cryptanalysis
Biham and Shamir showed that differential cryptanalysis can be used successfully to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.

28 Differential Cryptanalysis
Differential cryptanalysis is complex. In brief, it works by observing the behaviour of the cipher on pairs of text blocks in each round
We first change the notation for DES, splitting the original plaintext block m into m0 and m1
Naming the new block produced by each round mi (2 ≤ i ≤ 17), the intermediate messages are related as follows:

29 Differential Cryptanalysis
Differential cryptanalysis starts with two messages, m and m'
Their XOR difference is ∆m = m ⊕ m', and the difference of each intermediate half is ∆mi = mi ⊕ mi', which gives:

30 Differential Cryptanalysis
The overall strategy of differential cryptanalysis is based on a single round
The procedure begins by choosing two plaintexts m and m' with a particular difference
It then traces through each round, observing what ciphertext difference pattern a given input difference pattern produces
m and m' are actually encrypted, without knowledge of the key, and the output difference is observed
The result is then compared with the ciphertext difference patterns obtained earlier

31 Linear Cryptanalysis
Linear cryptanalysis is a more recently developed technique
It finds linear approximations that describe the DES transformations and uses them to recover the DES key
Requires 2^43 known plaintexts (differential cryptanalysis needs 2^47 chosen plaintexts)
Although an improvement, little research indicates that it is effective

32 Linear Cryptanalysis
The goal of linear cryptanalysis is to find effective linear equations of the form:
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where i1...ia, j1...jb and k1...kc are fixed, distinct bit positions in P, C and K
This yields a linear equation in the key bits
Further relations of the same kind can be sought to solve for the key bits

33 DES Design Criteria
Reported by Coppersmith in 1994 [COPP94]
7 design criteria for the S-boxes, including:
no output bit should be a linear function of the input bits
each row of an S-box should contain all 16 possible output values
3 design criteria for the permutation P, intended to increase the confusion of the algorithm
Although much progress has been made in designing block ciphers that are cryptographically strong, the basic principles have not changed all that much since the work of Feistel and the DES design team in the early 1970s. Some of the criteria used in the design of DES were reported in [COPP94], and focused on the design of the S-boxes and on the P function that distributes the output of the S-boxes, as summarised above. See the text for further details.
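An added example, not from the slides, serving both slide 20 and this one: the DES S-box S1 (FIPS 46 table), the row/column lookup rule applied to the worked value S1(011011) = 0101, and three checks a designer or reviewer would run against an S-box to exercise the criteria listed above: every row is a permutation of the 16 outputs, no combination of output bits is an exactly linear function of the input bits (measured as the largest linear-approximation bias), and no nonzero input difference leads to one output difference too often. The check functions and their names are my own; the bound of 16 in the differential check is the published [COPP94] criterion that no more than 8 of the 32 input pairs with a given difference may share an output difference.

```python
# Added example: DES S-box S1 lookup and S-box design-criteria checks, not from the slides.
# S1 from FIPS 46: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(box, x):
    """6-bit in, 4-bit out: outer bits (1 and 6) pick the row, the middle four the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return box[row][col]


def rows_are_permutations(box):
    """Criterion: each row contains every output value 0..15 exactly once."""
    return all(sorted(row) == list(range(16)) for row in box)


def parity(x):
    return bin(x).count("1") & 1


def max_linear_bias(box):
    """Largest |#{x : a.x == b.S(x)} - 32| over input masks a and nonzero output masks b.

    A value of 32 would mean some XOR of output bits equals an (affine) linear
    function of the input bits for all 64 inputs, violating the criterion that
    no output bit be a linear function of the inputs. Smaller is better.
    """
    best = 0
    for a in range(64):
        for b in range(1, 16):
            agree = sum(parity(a & x) == parity(b & sbox(box, x)) for x in range(64))
            best = max(best, abs(agree - 32))
    return best


def max_differential_count(box):
    """Largest entry of the difference distribution table for a nonzero input difference.

    Counts, over the 64 inputs x, how often S(x) ^ S(x ^ dx) == dy for the most
    common dy. 64 would mean a deterministic differential through the box;
    the DES criterion caps this at 16 (8 of the 32 unordered pairs).
    """
    best = 0
    for dx in range(1, 64):
        counts = {}
        for x in range(64):
            dy = sbox(box, x) ^ sbox(box, x ^ dx)
            counts[dy] = counts.get(dy, 0) + 1
        best = max(best, max(counts.values()))
    return best


if __name__ == "__main__":
    print(f"S1(011011) = {sbox(S1, 0b011011):04b}")
    print("rows are permutations:", rows_are_permutations(S1))
    print("max linear bias (of 32):", max_linear_bias(S1))
    print("max differential count (of 64):", max_differential_count(S1))
```

The same three functions can be pointed at any 6x4 S-box table, which is how a reviewer would sanity-check a proposed replacement box before trusting it: a perfect score of 0 on the linear bias is impossible for a 6-to-4 box, but a bias near 32 or a differential count near 64 means the box leaks structure that the rounds will not hide.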

34 Block Cipher Design
The strength of a Feistel cipher comes from the fact that even a weak function F is hard to break if there are enough rounds
Basic principles for the function F:
The relationships within the S-boxes should be nonlinear and should not be approximable by linear functions
Avalanche criteria
The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Briefly discuss these. The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms. The function F provides the element of confusion in a Feistel cipher; we want it to be difficult to "unscramble" the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F is, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. We would like any change to the input vector of an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions. A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. We would like to select subkeys to maximise the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee the key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.

35 Summary
Block ciphers versus stream ciphers
Feistel ciphers
DES
Differential and linear cryptanalysis
Block cipher design principles

