1. 1 Chapter 3 Block Ciphers & The Data Encryption Standard

2. 2 Contents Block Cipher Principles The Data Encryption Standard The Strength of DES Differential and Linear Cryptananlysis Block Cipher Design Principles

3. 3 Block Cipher principles Stream Ciphers and Block Ciphers Motivation for the Feistel Cipher Structure The Feistel Cipher

4. 4 Stream Ciphers and Block Ciphers Stream cipher  encrypts one bit or one byte at a time.  Vigenère cipher, Verman cipher Block cipher  encrypts a block of plaintext as a whole  to produce a ciphertext block of equal length.  Typical block size: 64 or 128 bits

5. 5 Motivation for the Feistel Cipher Structure A block cipher operates on a plaintext block of n bits to produ ce a ciphertext block of n bits.  Each plaintext must produce a unique ciphertext block (for decryption to be possible).  Such transformation is called reversible or nonsingular. Reversible MappingIrreversible Mapping PlaintextCiphertextPlaintextCiphertext 00110011 01100110 001001 11011101

6. 6 Motivation for the Feistel Cipher Structure The logic of a general substitution cipher. (for n = 4 )

7. 7 Motivation for the Feistel Cipher Structure A practical problem with the general substitution cipher  If a small block size is used, then the system is equivalent to a cl assical substitution cipher.  Such systems are vulnerable to a statistical analysis of the plaintext.  If block size is sufficiently large and an arbitrary reversible substit ution is allowed, then statistical analysis is infeasible.  This is not practical from a performance point of view.  For n -bit block cipher, the key size is n X 2 n bits.  For n = 4, the key size is 4 x 16 = 64 bits.  For n = 64, the key size is 64 x 2 n 16 = 64 bits

8. 8 The Feistel Cipher Feistel proposed the use of a cipher that alternates substitutions and permutations. In fact, this is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.

9. 9 Diffusion and Confusion Shannon suggests two methods for frustrating statistical cryptanalysis.  Diffusion and Confusion

10. 10 Diffusion and Confusion Diffusion  To make the statistical relationship between the plaintext and cip hertext as complex as possible in order to thwart attempts to d iscover the key. Confusion  To make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible to th wart attempts to discover the key.

11. 11 Diffusion and Confusion Diffusion can be achieved by  a permutation followed by a function. Confusion can be achieved by  a substitution.

12. 12 Feistel Cipher Structure Feistel structure  Input  Plaintext : 2w bits  A Key K  Output  Ciphertext : 2w bits

13. 13 Feistel Cipher Structure The input is divided into two halves L 0 and R 0 and they pass through n rounds. Round i  Input: L i-1, R i-1, and K i (round key)  Output: L i and R i  A substitution is performed on the left half L i-1.  A permutation is performed by swapping the two halves.

14. 14 Feistel Cipher Structure Design features  Block size  The larger it is, the securer the cipher is but the slower the cipher is.  64 or 128 bits  Key size  The larger it is, the securer the cipher is but the slower the cipher is.  64 or 128 bits  Number of rounds  The larger it is, the securer the cipher is but the slower the cipher is.  16 rounds is typical.

15. 15 Feistel Cipher Structure Design features  Subkey generation  The more complex it is, the securer the cipher is but the slower …  Round function  The more complex it is, the securer the cipher is but the slower …  Fast software encryption/decryption  Ease of analysis

16. 16 Feistel Decryption Algorithm Decryption is the same as the encryption except that the subkeys are used in reverse order.

17. 17 Feistel Cipher Structure Round i

18. 18 The Data Encryption Standard DES Encryption  Initial Permutation  Details of Single Round  Key Generation The Avalanche Effect

19. 19 The Data Encryption Standard The most widely used encryption.  Adopted in 1977 by NIST  FIPS PUB 46 Data are encrypted in 64-bit blocks using a 56-bit key.

20. 20 DES Encryption DES is a Feistel cipher with the exception of IP and IP -1.

21. 21 Initial Permutation The permutation  X = IP(M) The inverse permutation  Y = IP -1 (X) = IP -1 (IP(M))  The original ordering is restored

22. 22 Single Round F function  R i-1 is expanded to 48-bits using E.  The result is XORed with the 48-bit round key.  The 48-bit is substituted by a 32-bit.  The 32-bit is permuted by P.

23. 23 Single Round  Expansion E  32 bits  48 bits  16 bits are reused.  Permutation P

24. 24 Single Round  Substitution  48 bits  32 bits  8 S-boxes  Each S-box gets 6 bits and outputs 4 bits.

25. 25 Single Round Each S-box is given in page 79.  Outer bits 1 & 6 (row bits) select one rows  Inner bits 2-5 (col bits) are substituted  Example : Input : 011001  the row is 01 (row 1)  the column is 1100 (column 12)  Output is 1001

26. 26 Key Generation A 64-bit key used as input  Every 8 th bit is ignored.  Thus, the key is 56 bits. PC1 permute 56 bits into two 28-bit halves.

27. 27 Key Generation In each round, each 28 bits are rotated left and 24 bits are selected from each half.

28. 28 Key Generation

29. 29 Key Generation

30. 30 DES Decryption Decryption uses the same algorithm as encryption.  Feistel cipher  Roundkey schedule is reversed.

31. 31 The Avalanche Effect A small change of plaintext or key produces a significant change in the ciphertext. DES exhibits a strong avalanche effect.

32. 32 The Avalanche Effect Example Plaintext 100000000 Plaintext 21000000000000000 Key000000011001011010010011000100011100001100000111000110010

33. 33 The Avalanche Effect Example plaintext0110100010000101001011110111101000010011011101101110101110100100 Key 1111001011110111101111001100000111010000100011000111011100 Key 2011001011110111101111001100000111010000100011000111011100

34. 34 The Strength of DES The Use of 56-bit keys The Nature of the DES Algorithm Timing Attacks

35. 35 The Use of 56-bit Keys If the key length is 56-bit, we have 2 56 = 7.2 x 10 16 keys. In 1998, Electronic Frontier Foundation (EFF) announced ‘DES cracker’ which can attack DES in 3 days.  It was built for less than $250,000. Alternatives to DES  AES (key size is 128 ~ 256 bit) and triple DES (112 ~ 168 bit)

36. 36 Differential and Linear Cryptanalysis Differential Cryptanalysis  History  Differential Cryptanalysis Attack Linear Cryptanalysis

37. 37 Differential Cryptanalysis One of the most significant advances in cryptanalysis in recen t years is differential cryptanalysis.

38. 38 History Murphy, Biham & Shamir published 1990. The first published attack that is capable of breaking DES in l ess than 2 55 complexity.  As reported, can successfully cryptanalyze DES with an effort on the order of 2 47, requiring chosen plaintexts. This is a powerful tool, but it does not do very well against D ES  Differential cryptanalysis was known to IBM as early as 1974

39. 39 Differential Cryptanalysis Attack The differential cryptanalysis attack is complex. Change in notation for DES  Original plaintext block : m  Two halves : m 0, m 1 At each round for DES, only one new 32-bit block is created.  The intermediate message halves are related.

40. 40 Differential Cryptanalysis Attack Start with two messages m and m’, and consider the differenc e between the intermediate message halves :  With a known XOR difference Then

41. 41 Differential Cryptanalysis Attack The Overall strategy is based one these considerations for a si ngle round.  The procedure is  to begin with two plaintext message m and m’ with a given difference.  to trace through a probable pattern of differences after each round t o yield a probable difference for the ciphertext.

42. 42 Differential Cryptanalysis Attack Actually, there are two probable differences for the two 32-bit halve s. Next, submit m and m’ for encryption to determine the actual differe nce under the unknown key. And compare the result to the probable difference. If there is a match,  Then, suspect that all the probable patterns at all the intermediate roun ds are correct. With that assumption, can make some deductions about the key bits.

43. 43 Linear Cryptanalysis another recent development also a statistical method must be iterated over rounds, with decreasing probabilities developed by Matsui et al in early 90's based on finding linear approximations can attack DES with 2 47 known plaintexts, still in practise infea sible

44. 44 Linear Cryptanalysis find linear approximations with prob p != ½ P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc] where ia,jb,kc are bit locations in P,C,K gives linear equation for key bits get one key bit using max likelihood alg using a large number of trial encryptions effectiveness given by: |p –½ |

45. 45 Block Cipher Design Principles DES Design Criteria Number of Rounds Design of Function F  Design Criteria for F  S-Box Design Key Schedule Algorithm

46. 46 Block Cipher Design Principles Although much progress has been made that are cryptographi cally strong, the basic principles have not changed all.

47. 47 DES Design Criteria Focused on the design of the S-boxes and on the P function. The criteria for the S-boxes.  No output bit of any S-box should be too close a linear function o f the input bits.  Each row of an S-box should include all 16 possible output bit co mbinations  If two inputs differ in exactly one bit, the outputs must differ in a t least two bits.  If two inputs differ in the two middle bits exactly, the outputs mu st differ in at least two bits.

48. 48 DES Design Criteria The criteria for the S-boxes (~ continue)  If two inputs differ in their first two bits and are identical in their last two bits, the two outputs must not be the same.  For any nonzero 6-bit difference between inputs, no more than 8 of the 32 pairs of inputs exhibiting that difference may result in t he same output difference.  This is a criterion similar to the previous one, but for the case of three S-boxes.

49. 49 DES Design Criteria The criteria for the permutation P  The four output bits from each S-box at round i are distributed so that two of them affect “middle bits” of round ( i + 1) and the other two affect end bits. The two mid dle bits of input to an S-box are not shared with adjacent S-boxes. The end bits are the two left-hand bits and the two right-hand bits, which are shared with adjacent S-boxes.  The four output bits from each S-box affect six different S-boxes on the next round, and no two affect the same S-boxes.  For two S-boxes j, k, if an output bit from S j affects a middle bit of S k on the next ro und, then an output bit from S k cannot affect a middle bit of S j. These criteria are intended to increase the diffusion of the algorithm.

50. 50 Number of Rounds The greater the number of rounds, the more difficult it is to p erform cryptanalysis, even for a relatively weak F. This criterion is attractive because it makes it easy to judge th e strength of an algorithm and to compare different algorithm s.

51. 51 Design of Function F The heart of a Feistel block cipher is the function F. The function F provides the element of confusion.  One obvious criterion is that F be nonlinear.  The more nonlinear F, the more difficult.  Have good avalanche properties.  Strict Avalanche Criterion (SAC)  The bit independence criterion (BIC)  States that output bits j and k should change independently when an y single input bit i is inverted, for all i, j, and k.

52. 52 S-Box Design One of the most intense areas of research. One obvious characteristic of the S-box is its size.  An n  m S-box has n input bits and m output bits.  DES has 6  4 S-boxes.  Blowfish has 8  32 S-boxes.  Larger S-boxes are more resistant to differential and linear crypta nalysis.  For practical reasons, a limit of n equal to about 8 to 10 is usually im posed.

53. 53 S-Box Design S-boxes are typically organized in a different manner than use d in DES.  An n  m S-box typically consists of 2 n rows of m bits each.  Example, in an 8  32 S-box  If the input is 00001001, the output consists of the 32 bits in row 9.

54. 54 S-Box Design Mister and Adams proposed for S-box design.  S-box should satisfy both SAC and BIC.  All linear combinations of S-box columns should be bent.  Bent functions  A special class of Boolean functions that are highly nonlinear according to certain mathematical criteria. Increasing interest in designing and analyzing S-boxes using b ent functions.

55. 55 S-Box Design Heys, H. and Tavares, S. proposed for S-boxes.  Guaranteed avalanche (GA) criterion  An S-box satisfies GA of order if, at least output bits change.  Conclude that a GA in the range of order 2 to order 5 provides st rong diffusion characteristics for the overall encryption algorithm.

56. 56 S-Box Design Best method of selecting the S-box entries.  Nyberg suggests the following approaches.  Random  Use some pseudorandom number generation or some table of random dig its to generate the entries in the S-boxes.  Random with testing  Choose S-box entries randomly, then test the results against various criteri a, and throw away those that do not pass.  Human-made  This is a more or less manual approach with only simple mathematics to s upport it.  This approach is difficult to carry through for large S-boxes.  Math-made  Generate S-boxes according to mathematical principles.

57. 57 Key Schedule Algorithm With any Feistel block cipher, the key is used to generate one subkey for each round. We would like to select subkeys to maximize the difficulty of d educing individual subkeys and the difficulty of working back t o the main key. No general principles have not been proposed. Hall suggests that the key schedule should guarantee key/cip hertext Strict Avalanche Criterion and Bit Indepence Criterion.