Cryptography Lecture 4 Stefan Dziembowski


1 Cryptography Lecture 4 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan: 1. History of DES 2. Design of DES 3. 3DES 4. AES

3 On the previous lecture: [Figure: encryption and decryption.] Today: we show how to construct a block cipher!

4 We show how to construct a secure block cipher. Why secure? Someone important says “it is secure”. (But is he honest?) Many people tried to break it and they failed...

5 DES (Digital Encryption Standard) Key length: – effective: 56 bits – formally: 64 bits (8 bits for checking parity). Block length: 64 bits

6 History of DES First version designed by IBM in 1973-74, based on the Lucifer cipher (by Horst Feistel). The National Security Agency (NSA) played some role in the design of DES. Made public in 1975. Approved as a US federal standard in November 1976.

7 Criticism of DES The key is too short (only 56 bits). Unclear role of NSA in the design – hidden backdoor? – $2^{56}$: feasible for NSA, infeasible for the others (in the 1970s)?

8 The role of NSA The United States Senate Select Committee on Intelligence (1978): "In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.” "NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended."

9 Security of DES The main weakness is the short key (brute-force attacks are possible). Also the block length is too small. Besides this – a very secure design: after more than 30 decades the most practical attack is still brute-force! The only attacks so far: – differential cryptanalysis – linear cryptanalysis are rather theoretical.

10 Brute-force attacks on DES
1977: Diffie and Hellman proposed a machine costing 20 million $ breaking DES in 1 day.
1993: Wiener proposed a machine costing 1 million $ breaking DES in 7 hours.
1997: DESCHALL Project broke a “DES Challenge” (published by RSA) in 96 days using idle cycles of thousands of computers across the Internet.
1998: a DES-cracker was built by the Electronic Frontier Foundation (EFF), at the cost of approximately 250,000$.
COPACOBANA (the Cost-Optimized Parallel COde Breaker) breaks DES in 1 week and costs 10,000$.

11 DES-cracker COPACOBANA

12 Theoretical attacks on DES – differential cryptanalysis. Biham and Shamir (late 1980s): differential cryptanalysis. They show how to break DES using a chosen-plaintext attack. [Figure: plaintext → DES → ciphertext, $2^{47}$ times.] Not very practical...

13 Differential cryptanalysis – an interesting observation. A small change in the design of DES would make differential cryptanalysis much more successful. Moral: NSA and IBM knew it!

14 Theoretical attacks on DES – linear cryptanalysis. Matsui (early 1990s): linear cryptanalysis uses a known-plaintext attack with $2^{43}$ (plaintext, ciphertext) pairs; the plaintexts don’t need to be chosen by the adversary.

15 [Figure: structure of DES: input (64 bits) → initial permutation (IP) → Feistel network, keyed with k → final permutation ($IP^{-1}$) → output (64 bits).]

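16 [Figure: the 16-round Feistel network. The halves $L_0$, $R_0$ (32 bits each) pass through rounds $f_1, f_2, \ldots, f_{16}$ to give $L_{16}$, $R_{16}$. The key schedule derives the subkeys $k_1, k_2, \ldots, k_{16}$ (48 bits each) from the 56 bit key. Label on the last round: “here no twist”.]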

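17 A nice property of Feistel rounds. [Figure: one Feistel round and its inversion.] Round: $L_{i+1} := R_i$, $R_{i+1} := L_i \oplus f(R_i)$. Inversion: since $L_{i+1} = R_i$, we get $R_{i+1} \oplus f(L_{i+1}) = (L_i \oplus f(R_i)) \oplus f(L_{i+1}) = L_i$. Even if f is not easily invertible, each round can be easily inverted!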

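18 Hence: the Feistel network can be “inverted”! Example: 3 round Feistel network. [Figure: rounds $f_1$, $f_2$, $f_3$ take ($L_0$, $R_0$) through ($L_1$, $R_1$) and ($L_2$, $R_2$) to ($L_3$, $R_3$); the inverse network applies $f_3$, $f_2$, $f_1$ to get from ($L_3$, $R_3$) back to ($L_0$, $R_0$).]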

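19 Without a “twist” in the last round: [Figure: the same 3 round network and its inverse, drawn without the swap of the halves in the last round, so that the inverse has the same shape as the network itself with $f_3$, $f_2$, $f_1$ applied in that order.]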

20 How to decrypt? Reverse the key schedule! [Figure: the same 16-round network, with the key schedule delivering the subkeys derived from the 56 bit key in the order $k_{16}, k_{15}, \ldots, k_1$.]
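
The inversion property from slides 17 to 20, as an added example that is not part of the original lecture: a 16-round Feistel network in Python. The round function `f` (a truncated SHA-256) and the key schedule are assumed stand-ins chosen for illustration, not the DES ones; decryption is the same network run with the subkeys reversed.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(half: int, subkey: bytes) -> int:
    """Toy round function (assumed stand-in, NOT the DES f): a truncated hash,
    so it is not invertible and in general not even injective."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def key_schedule(key: bytes, rounds: int = 16) -> list:
    """Toy key schedule (assumption): 48-bit subkey k_i derived from key and i."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]

def feistel(block: int, subkeys: list) -> int:
    """Run the network on a 64-bit block, with no twist after the last round."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        # L_{i+1} := R_i,  R_{i+1} := L_i xor f(R_i)
        left, right = right, left ^ f(right, k)
    # Output R || L: this undoes the last swap, so the same routine decrypts.
    return (right << 32) | left

def encrypt(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: bytes) -> int:
    # Same network, reversed key schedule: k_16, k_15, ..., k_1.
    return feistel(block, key_schedule(key)[::-1])

if __name__ == "__main__":
    key = bytes.fromhex("0123456789abcd")   # constructed 56-bit key
    pt = 0x0123456789ABCDEF                 # constructed 64-bit block
    ct = encrypt(pt, key)
    print(f"ciphertext: {ct:016x}")
    print(f"decrypted : {decrypt(ct, key):016x}")
```

Note that `f` is never inverted anywhere: both directions only evaluate it forwards.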

21 We need to describe the following: 1. The key schedule algorithm. 2. The functions f.

22 DES key schedule: each subkey $k_i$ (48 bits) consists of some bits of k (56 bits). [Figure: the key schedule maps k to $k_1, k_2, \ldots, k_{16}$.]

23 Function f: [Figure: half-block X (32 bits) → expansion (48 bits) → xor with subkey $K_i$ (48 bits) → “S-boxes” $S_1, S_2, \ldots, S_8$ (“confusion”), each $S_i : \{0,1\}^6 \to \{0,1\}^4$ → permutation P (“diffusion”) → half-block Y (32 bits).]

24 The expansion function

    32  1  2  3  4  5
     4  5  6  7  8  9
     8  9 10 11 12 13
    12 13 14 15 16 17
    16 17 18 19 20 21
    20 21 22 23 24 25
    24 25 26 27 28 29
    28 29 30 31 32  1

25 Permutation P

    16  7 20 21
    29 12 28 17
     1 15 23 26
     5 18 31 10
     2  8 24 14
    32 27  3  9
    19 13 30  6
    22 11  4 25

26 The substitution boxes (S-boxes). Example of an S-box: $S_5$ (rows: outer bits of the input; columns: middle 4 bits of the input)

    Outer | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
    00    | 0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
    01    | 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110
    10    | 0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
    11    | 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011

27 How to increase the key size? Multiple encryption. For example, double encryption is defined as: $F'_{(k,k')}(x) := F_{k'}(F_k(x))$ [Figure: x → $F_k$ → $F_k(x)$ → $F_{k'}$ → $F_{k'}(F_k(x))$.] Does it work? Double encryption – not really... Triple encryption is much better!

28 Double encryption can be broken using – time $O(2^n)$, – space $O(2^n)$, – and a small number of (plaintext, ciphertext) pairs. The attack is called “meet in the middle”. n = block length = key length

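29 Meet-in-the-middle attack – the idea. Given (x,y), find (k,k’) such that $y = F_{k'}(F_k(x))$: just find a pair of equal values $F_k(x)$ and $F^{-1}_{k'}(y)$. How? Sort both lists!... [Figure: on the left, x is encrypted under each key $k_1, k_2, \ldots, k_n$, giving the list $F_{k_1}(x), F_{k_2}(x), \ldots, F_{k_n}(x)$; on the right, y is decrypted under each key, giving the list $F^{-1}_{k_1}(y), F^{-1}_{k_2}(y), \ldots, F^{-1}_{k_n}(y)$.]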

30 Meet-in-the-middle attack – the algorithm. Given: (x,y), find (k,k’) such that $y = F_{k'}(F_k(x))$.
1. Set S = Ø.
2. For each k compute $z = F_k(x)$ and store (z,k) in a list L.
3. For each k’ compute $z = F^{-1}_{k'}(y)$ and store (z,k’) in a list L’.
4. Sort L and L’ by their first components.
5. Let S denote the list of all pairs (k,k’) such that for some z we have (z,k) ∈ L and (z,k’) ∈ L’.
6. Output S.

31 Meet-in-the-middle attack – an analysis [1/2] n = block length = key length. $P(\text{a random pair } (k,k') \text{ satisfies } y = F_{k'}(F_k(x))) \approx 2^{-n}$. The number of all pairs (k,k’) is equal to $2^{2n}$. Therefore $E(|S|) \approx 2^{2n} \cdot 2^{-n} = 2^n$. So, we have around $2^n$ “candidates” for the correct pair (k,k’). How to eliminate the “false positives”? Repeat the same attack for another pair (x’,y’).

32 Meet-in-the-middle attack – an analysis [1/2] The probability that (k,k’) is a false positive for (x,y) and for (x’,y’) is around $2^{-n} \cdot 2^{-n} = 2^{-2n}$. Hence, the expected number of “false positives” is around $2^{2n} \cdot 2^{-2n} = 1$. An additional pair (x’’,y’’) allows us to eliminate the false positive.
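
The algorithm of slide 30 and the false-positive analysis of slides 31 and 32, run end to end as an added example that is not part of the original lecture. It shows why doubling the key length this way buys almost no security: about $2 \cdot 2^n$ cipher evaluations suffice instead of $2^{2n}$. The 16-bit cipher `F` is a toy constructed for this illustration (an assumption, not DES), and a hash table replaces the sorting step.

```python
from collections import defaultdict

N = 16                                  # toy size: block length = key length
MASK = (1 << N) - 1
MUL = 0x9E37                            # odd, so invertible modulo 2**N
MUL_INV = pow(MUL, -1, 1 << N)

def rotl(v, r):
    return ((v << r) | (v >> (N - r))) & MASK

def F(k, x):
    """Toy keyed permutation, constructed for this example (not a real cipher)."""
    for r in range(3):
        x = rotl(((x ^ k) * MUL) & MASK, 5)
        x = (x + rotl(k, r + 1)) & MASK
    return x

def F_inv(k, y):
    for r in reversed(range(3)):
        y = (y - rotl(k, r + 1)) & MASK
        y = ((rotl(y, N - 5) * MUL_INV) & MASK) ^ k
    return y

def double_encrypt(k, k2, x):
    return F(k2, F(k, x))               # F'_(k,k')(x) = F_k'(F_k(x))

def meet_in_the_middle(pairs):
    """Return (|S| after the first pair, surviving (k, k') after all pairs)."""
    (x, y), rest = pairs[0], pairs[1:]
    table = defaultdict(list)           # list L, indexed by z instead of sorted
    for k in range(1 << N):
        table[F(k, x)].append(k)
    S = [(k, k2)                        # matches between L and L'
         for k2 in range(1 << N)
         for k in table.get(F_inv(k2, y), ())]
    survivors = S
    for xp, yp in rest:                 # extra pairs remove false positives
        survivors = [(k, k2) for k, k2 in survivors
                     if double_encrypt(k, k2, xp) == yp]
    return len(S), survivors

if __name__ == "__main__":
    secret = (0x1F3A, 0xC0DE)           # constructed key pair
    pairs = [(x, double_encrypt(*secret, x)) for x in (0x0042, 0xBEEF, 0x1234)]
    size, found = meet_in_the_middle(pairs)
    print(f"|S| after one pair: {size} (2^{N} = {1 << N})")
    print("survivors:", [(hex(a), hex(b)) for a, b in found])
```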

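33 Triple encryption: $F'_{(k_1,k_2,k_3)}(x) := F_{k_3}(F^{-1}_{k_2}(F_{k_1}(x)))$ [Figure: x passes through three boxes F keyed with $k_1$, $k_2$ and $k_3$; the values along the way are labelled $F_{k_1}(x)$, $F_{k_2}(F_{k_1}(x))$ and $F_{k_3}(F_{k_2}(F_{k_1}(x)))$.] Sometimes $k_1 = k_3$.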

34 Triple DES (3DES) is a standard cipher. Disadvantages: rather slow, small block size.

35 Advanced Encryption Standard (AES). Competition for AES announced in January 1997 by the US National Institute of Standards and Technology (NIST). 15 ciphers submitted. 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish. October 2, 2000: Rijndael selected as the winner. November 26, 2001: AES becomes an official standard. Authors: Vincent Rijmen, Joan Daemen (from Belgium). Key sizes: 128, 192 or 256 bits, block size: 128 bits

36 DES – the conclusion. The design of DES is extremely good. The only weaknesses: short key and small block length. Enormous impact on research in cryptography!

