Lecture 3 Cryptography
Block Ciphers
March 8, 2010
Design Philosophy of Block Ciphers
Perfect Secrecy
A cryptosystem has perfect secrecy if
Block Cipher
In a block cipher the message is broken into blocks, each of which is then encrypted.
Shannon's Theory of Secrecy Systems
Claude Shannon wrote some of the pivotal papers on modern cryptology theory in 1949:
E_k : {0,1}^n → {0,1}^n, c = p ⊕ k
Vernam One-Time Pad
To encrypt a plaintext p ∈ {0,1}^n, Alice chooses a key k randomly with uniform distribution from the set {0,1}^n. She computes the ciphertext c = p ⊕ k.
Vernam One-Time Pad
This cryptosystem was invented and patented in 1917 by Gilbert Vernam. However, it was not until 1949 that Shannon proved that the Vernam one-time pad has perfect secrecy.
Unfortunately, the one-time pad is not very efficient. To secretly communicate a plaintext of length n, Alice and Bob must randomly generate and exchange a key of length n. This is the reason for the name "one-time pad": each key can be used only once.
Substitution-Permutation Ciphers
In his 1949 paper Shannon also introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers.
An S-P network is the modern form of a substitution-transposition product cipher.
S-P networks are based on the two primitive cryptographic operations.
Substitution-Permutation Ciphers
Substitution Operation
A binary word is replaced by some other binary word.
The whole substitution function forms the key.
If we use n-bit words, the key is (2^n)! bits, which grows rapidly.
Can also think of this as a large lookup table, with n address lines (hence 2^(n) addresses), each entry n bits wide being the output value.
Substitution-Permutation Ciphers
Permutation Operation
A binary word has its bits reordered (permuted).
The re-ordering forms the key.
If we use n-bit words, the key is n! bits, which grows more slowly, and hence permutation is less secure than substitution.
Substitution-Permutation Ciphers
Shannon combined these two primitives and called the combinations mixing transformations.
Confusion and diffusion
In Shannon's original definitions, confusion refers to making the relationship between the key and the ciphertext as complex and as involved as possible; diffusion refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext.
Diffusion: the theory given by Shannon
“The statistical structure of the plaintext is spread (dissipated) into long-range statistics of the ciphertext.”
Achieved by having each plaintext digit affect the value of many ciphertext digits.
The objective is to globalize the local effects.
Diffusion implies that if we change just one character in the plaintext (PT) we cause a big change in the ciphertext (CT).
Thus we need a large amount of CT to capture redundancy in the PT.
Diffusion:
Diffusion complicates the statistics of the ciphertext, and makes it difficult to discover the key of the encryption process.
Confusion
“Attempts to make the relationship between the ciphertext and the encryption key as complex as possible.”
Good confusion can only be achieved when each character of the ciphertext depends on several parts of the key, and this dependence appears to be random to the observer.
Even if an attacker has some handle on the statistics of the ciphertext, it is very difficult to deduce the key.
Confusion and diffusion
Substitution has been identified primarily as a mechanism for confusion.
Substitution-Permutation Ciphers
Shannon's mixing transformations are a special form of product ciphers where:
S-Boxes provide confusion of input bits;
P-Boxes provide diffusion across S-box inputs.
Avalanche effect (due to diffusion)
Changing one input bit results in changes of approximately half the output bits.
Practical Substitution-Permutation Networks
In practice we need to be able to decrypt messages, as well as to encrypt them, hence either:
we have to define inverses for each of our S- & P-boxes, but this doubles the code/hardware needed; or
we define a structure that is easy to reverse, so that basically the same code or hardware can be used for both encryption and decryption.
Practical Substitution-Permutation Networks
Horst Feistel, working at IBM Thomas J. Watson Research Labs, devised just such a structure in the early 70's, which we now call a Feistel cipher.
The idea is to partition the input block into two halves, L(i-1) and R(i-1), and use only R(i-1) in each round i (part) of the cipher.
The function g incorporates one stage of the S-P network, controlled by part of the key K(i) known as the ith subkey.
Lucifer
In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking.
Cryptography after WW2
Academia largely uninterested.
NSA: largest employer of mathematicians in the world.
IBM hired by Lloyds of London to arrange security for a cash-dispensing network (early ATMs).
Cryptography after WW2
IBM developed the “Lucifer” cipher:
symmetric algorithm;
explicit encrypt/decrypt;
112-bit key;
substitution and transposition within 8-character blocks.
Structure of Lucifer
The exact realization of a Feistel network depends on the choice of the following parameters and design features:
Block size - increasing size improves security, but slows cipher
Key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
Number of rounds - increasing number improves security, but slows cipher
Subkey generation algorithm - greater complexity can make analysis harder, but slows cipher
Round function - greater complexity can make analysis harder, but slows cipher
Fast software en/decryption - more recent concern for practical use
Ease of analysis - for easier validation & testing of strength
Structure of Lucifer
LUCIFER enciphered blocks of 128 bits, and it used a 128-bit key.
The F-function in LUCIFER had a high degree of symmetry, and could be implemented in terms of operations on one byte of the right half of the message at a time.
Structure of Lucifer
Subkey generation
Each round uses a 72-bit subkey. The subkey for the first round consists of the first byte of the key repeated twice, followed by the next seven bytes of the key. Rotate the key left by seven bytes, then generate the subkey for the next round.
Structure of Lucifer
The f-function
XOR the right half of the block with the last eight bytes of the subkey for the round.
Based on the bits of the first byte of the subkey for that round, swap nibbles in the eight bytes of that result for those bytes which correspond to a 1 bit.
Use S-box 0 for the most significant nibble of each of these eight bytes, and S-box 1 for the least significant nibble of each byte:
Structure of Lucifer
Input:           0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
S-box 0 output: 12 15  7 10 14 13 11  0  2  6  3  1  9  4  5  8
S-box 1 output:  7  2 14  9  3 11  0  4 12 13  1 10  6 15  8  5
Structure of Lucifer
Permute the 64 bits of the result, numbered from 0 (for the most significant bit) to 63 (for the least significant bit), by the following permutation:
Structure of Lucifer
The General Structure
LUCIFER has sixteen rounds. In each round, the f-function is calculated using that round's subkey and the left half of the block. The result is then XORed into the right half of the block, which is the only part of the block altered in that round.
After every round except the last one, the right and left halves of the block are swapped.
Structure of Lucifer
Comments
Although LUCIFER has a larger block and key size than DES, it is considerably more vulnerable to attacks from differential cryptanalysis, and is also weak due to the regular nature of its key schedule.
DES: Data Encryption Standard
DES
The Data Encryption Standard (DES) is a cipher (a method for encrypting information) that was selected by NBS as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and which has subsequently enjoyed widespread use internationally.
General
Designers: IBM
First published: 1975 (standardized in January 1977)
Derived from: Lucifer
Successors: Triple DES, G-DES, DES-X, LOKI89, ICE
Cipher detail
Key size: 56 bits
Block size: 64 bits
Structure: Feistel network
Rounds: 16
Brute-force attacks on DES
1977: Diffie and Hellman proposed a machine costing $20 million that would break DES in 1 day.
1993: Wiener proposed a machine costing $1 million that would break DES in 7 hours.
1997: The DESCHALL Project broke a “DES Challenge” (published by RSA) in 96 days using idle cycles of thousands of computers across the Internet.
COPACOBANA (the Cost-Optimized Parallel COde Breaker) breaks DES in 1 week and costs $10,000.
1998: A DES cracker was built by the Electronic Frontier Foundation (EFF) at a cost of approximately $250,000.
Theoretical attacks on DES – differential cryptanalysis
Biham and Shamir (late 1980s): differential cryptanalysis.
Figure: chosen plaintext pairs fed through DES, with the resulting ciphertext pairs examined.
Not very practical...
Moral: NSA and IBM knew it!
Theoretical attacks on DES – linear cryptanalysis
Matsui (early 1990s): linear cryptanalysis uses a known-plaintext attack with 2^43 (plaintext, ciphertext) pairs.
Figure: a linear relation between input bits and output bits of the cipher.
Figure: the overall DES structure. A 56-bit key is fed to the key schedule, which produces the sixteen 48-bit subkeys k1, ..., k16. The 64-bit block is split into two 32-bit halves L0 and R0; round i applies f_i with subkey k_i, producing (L_i, R_i), for 16 rounds; the output is (L16, R16), with no twist (swap of halves) in the last round.
A nice property of Feistel rounds
Even if f is not easily invertible, each round can be easily inverted!
Figure: a single Feistel round mapping (L_(i-1), R_(i-1)) to (L_i, R_i) through f, shown beside its inversion.
Hence: the Feistel network can be “inverted”!
Example: 3-round Feistel network
Figure: encryption takes (L0, R0) through f1, f2, f3 via (L1, R1) and (L2, R2) to (L3, R3); decryption runs the same structure with f3, f2, f1 and takes (L3, R3) back through (L2, R2) and (L1, R1) to (L0, R0).
Without a “twist” in the last round:
Figure: the same 3-round network and its inversion, drawn without the final swap of halves.
How to decrypt?
Reverse the key schedule!
Figure: the DES structure with the subkeys applied in reverse order: round f1 uses k16, round f2 uses k15, ..., round f16 uses k1. The 56-bit key and the key schedule are unchanged, and (L0, R0) is mapped to (L16, R16).
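The inversion argument above, as an added example in Python (not code from the slides): a toy Feistel network in which the round function is deliberately not invertible, yet every round, and hence the whole cipher, can be undone. The round function f, the 64-bit toy key schedule and the sample values are assumptions of this example; only the round structure L[i] = R[i-1], R[i] = L[i-1] ⊕ f(R[i-1], K[i]), the omitted twist after the last round, and decryption by reversing the subkey order follow the slides.

```python
# Added example (not from the lecture slides): a toy Feistel network using
# the DES round convention described in these slides:
#   L[i] = R[i-1],  R[i] = L[i-1] XOR f(R[i-1], K[i])
# with no swap ("twist") after the last round, so that decryption is the
# same procedure run with the subkeys in reverse order.

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def f(half, subkey):
    """Toy round function (an assumption of this example, NOT DES's f).

    Squaring modulo 2^32 is deliberately not a bijection: x and 2^32 - x
    have the same square, so f has no inverse. The Feistel structure does
    not need one."""
    x = (half ^ subkey) & MASK32
    return rotl32(((x * x) & MASK32) ^ 0x9E3779B9, 11)


def feistel(block, subkeys):
    """Run the rounds over an (L, R) pair of 32-bit halves.

    Each round swaps the halves as part of L[i] = R[i-1]; the final return
    undoes the last swap, which is the "no twist in the last round"
    convention of the slides. The same function serves for encryption and
    decryption; decryption just reverses the subkey order."""
    L, R = block
    for k in subkeys:
        L, R = R, L ^ f(R, k)
    return R, L


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    return feistel(block, list(reversed(subkeys)))


def forward_round(L_prev, R_prev, subkey):
    """One encryption round, written out for comparison with invert_round."""
    return R_prev, L_prev ^ f(R_prev, subkey)


def invert_round(L_i, R_i, subkey):
    """Undo a single round: recover (L[i-1], R[i-1]) from (L[i], R[i]).

    R[i-1] is simply L[i]; L[i-1] is recovered by XORing f(R[i-1], K[i])
    back out of R[i]. No inverse of f is required."""
    R_prev = L_i
    L_prev = R_i ^ f(R_prev, subkey)
    return L_prev, R_prev


def toy_key_schedule(key64, rounds=16):
    """Constructed subkey schedule for the demo (not DES's): rotate the
    64-bit key left by 5 bits per round and take the low 32 bits."""
    subkeys = []
    k = key64 & MASK64
    for _ in range(rounds):
        k = ((k << 5) | (k >> 59)) & MASK64
        subkeys.append(k & MASK32)
    return subkeys


if __name__ == "__main__":
    ks = toy_key_schedule(0x0123456789ABCDEF)  # constructed sample key
    pt = (0xDEADBEEF, 0x01234567)              # constructed sample block
    ct = encrypt(pt, ks)
    print("ciphertext:", [hex(h) for h in ct])
    print("recovered: ", [hex(h) for h in decrypt(ct, ks)])
```

The point to take from the code is that `decrypt` contains no new logic: it is `feistel` with `reversed(subkeys)`, exactly the "reverse the key schedule" of the slide, and it works even though `f` throws information away.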
DES key schedule
Figure: the 56-bit key enters the key schedule, which outputs the sixteen 48-bit subkeys k1, k2, ..., k16.
1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half; not to be confused with the round number, which the text also calls R).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by the same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on.
Once the key scheduling has been performed, the next step is to prepare the plaintext for the actual encryption. This is done by passing the plaintext through a permutation called the Initial Permutation, or IP for short. This table also has an inverse, called the Inverse Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation.
These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at the table it becomes apparent why one permutation is called the inverse of the other. For example, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit 29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is located at the intersection of the column labeled 7 and the row labeled 25. So this bit becomes bit 32 after the permutation. And this is the bit position that we started with before the first permutation. So IP^(-1) really is the inverse of IP. It does the
Figure: the DES round function f. The 32-bit half-block X is expanded to the 48-bit half-block Y; Y is XORed with the 48-bit subkey Ki; the result goes through the S-boxes S1, ..., S8, each Si : {0,1}^6 → {0,1}^4 (“confusion”); the 32 S-box output bits then pass through the permutation P (“diffusion”), giving the 32-bit output.
The expansion function
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
The substitution boxes (S-boxes)
Figure: example of an S-box.
Encryption Function
Once the key scheduling and plaintext preparation have been completed, the actual encryption or decryption is performed by the main DES algorithm. The 64-bit block of input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the right-most 32 bits. The following process is repeated 16 times, making up the 16 rounds of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15].
R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit Selection Table, which is like a permutation, except that some of the bits are used more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.
The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is not modified.
The result from the previous stage is now passed into the P Permutation.
This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into L[I].
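The E-bit selection step described above, as an added example in Python (not code from the slides): the expansion table reproduced earlier on the page is applied to a 32-bit half-block, the table is checked for the "some bits are used more than once" property, and the 48-bit result is XORed with a subkey and split into the eight 6-bit S-box inputs. Only the table and the bit-numbering convention (bit 1 is the most significant) come from the slides; the helper names and sample values are this example's own.

```python
# Added example (not from the lecture slides): the DES E-bit selection
# table as tabulated on the slides, applied to a 32-bit half-block.
# DES numbers bits from 1 at the most significant (left-most) position.

# E table copied from the slides: output bit j (1..48) takes input bit E[j-1].
E = [
    32,  1,  2,  3,  4,  5,
     4,  5,  6,  7,  8,  9,
     8,  9, 10, 11, 12, 13,
    12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21,
    20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29,
    28, 29, 30, 31, 32,  1,
]

MASK48 = 0xFFFFFFFFFFFF


def get_bit(value, pos, width):
    """Return bit 'pos' of 'value' in DES numbering (1 = MSB of 'width' bits)."""
    return (value >> (width - pos)) & 1


def expand(half32):
    """Expand a 32-bit half-block to 48 bits with the E table."""
    out = 0
    for src in E:
        out = (out << 1) | get_bit(half32 & 0xFFFFFFFF, src, 32)
    return out


def expansion_stats():
    """E is 'like a permutation, except that some of the bits are used more
    than once' (slides): report the output width and the reused input bits."""
    counts = {b: E.count(b) for b in range(1, 33)}
    used_twice = sorted(b for b, c in counts.items() if c == 2)
    return len(E), used_twice


def xor_with_subkey(half32, subkey48):
    """Next step on the slides: E(R[I-1]) XOR K[I], computed into a new value
    so that R[I-1] itself is left unmodified."""
    return expand(half32) ^ (subkey48 & MASK48)


def sbox_inputs(value48):
    """Split the 48-bit XOR result into the eight 6-bit S-box inputs; S1
    receives the most significant six bits."""
    return [(value48 >> (6 * (7 - i))) & 0x3F for i in range(8)]


if __name__ == "__main__":
    half = 0x80000001                      # constructed sample half-block
    subkey = 0x0123456789AB                # constructed sample 48-bit subkey
    n_out, twice = expansion_stats()
    print(f"E produces {n_out} bits; input bits used twice: {twice}")
    print(f"E({half:#010x}) = {expand(half):#014x}")
    print("S-box inputs:", sbox_inputs(xor_with_subkey(half, subkey)))
```

Each row of the table shares its first two entries with the previous row's last two, so every 6-bit S-box input consists of its own four "middle" bits plus one neighbouring bit from each side; that overlap is how a change in one half-block bit reaches two S-boxes in a single round.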
Some Remarks on DES
In a good cipher system, each bit of the CT should depend on all bits of the PT. The expansion “E” is designed so that this will happen in a few rounds.
The purpose of the IP is not completely clear. It has no cryptographic purpose.
The S-boxes are the heart of the algorithm and provide the security.
S-box design was somewhat of a mystery until IBM published the following criteria in the early 1990's:
Each S-box has 6 input bits and 4 output bits. This was the largest that could be put on one chip in 1974.
The outputs of the S-boxes should not be close to being linear functions of the inputs.
Each row of an S-box contains all numbers from 0 to 15.
If two inputs to an S-box differ by 1 bit, the outputs must differ by at least 2 bits.
If two inputs to an S-box differ in their first two bits but have the same last 2 bits, the outputs must be unequal.
There are 32 pairs of inputs having a given XOR. For each of these pairs, compute the XOR of the outputs. No more than eight of these output XORs should be the same. (This is to avoid differential cryptanalysis.)
A similar criterion to the previous one, but involving three S-boxes.
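The criteria above are checks that can be computed, and the slides tabulate two S-boxes (Lucifer's S-box 0 and S-box 1) on which to run them. The following added Python example (not code from the slides) implements three of the checks: the permutation ("every value 0 to 15 appears") test, the minimum output distance for single-bit input differences, and the difference distribution table whose large entries differential cryptanalysis exploits. The DES S-box tables themselves are not on the page, so the checks run on the 4-bit Lucifer S-boxes; pair counts are therefore 16 ordered inputs per input difference rather than the 32 quoted for the 6-bit DES case. Function names are this example's own.

```python
# Added example (not from the lecture slides): S-box checks in the spirit of
# the IBM criteria, run on the two 4x4 Lucifer S-boxes tabulated earlier.
# Lucifer S-boxes have 4 input and 4 output bits, so each input difference
# has 16 ordered inputs (8 unordered pairs), not the 32 pairs of DES's 6x4
# S-boxes.

# S-boxes copied from the Lucifer slide (input 0..15 -> output).
LUCIFER_S0 = [12, 15, 7, 10, 14, 13, 11, 0, 2, 6, 3, 1, 9, 4, 5, 8]
LUCIFER_S1 = [7, 2, 14, 9, 3, 11, 0, 4, 12, 13, 1, 10, 6, 15, 8, 5]


def is_bijective(sbox):
    """'Each row contains all numbers from 0 to 15': for a one-row 4x4 S-box
    this means the outputs form a permutation of the inputs."""
    return sorted(sbox) == list(range(len(sbox)))


def hamming(x):
    """Number of 1 bits in a non-negative integer."""
    return bin(x).count("1")


def min_output_distance_for_single_bit_flips(sbox, in_bits=4):
    """Smallest Hamming distance between the outputs of two inputs that
    differ in exactly one bit. The DES criterion requires at least 2."""
    best = None
    for x in range(len(sbox)):
        for b in range(in_bits):
            d = hamming(sbox[x] ^ sbox[x ^ (1 << b)])
            best = d if best is None else min(best, d)
    return best


def difference_distribution_table(sbox, in_bits=4, out_bits=4):
    """DDT[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy.

    Each input x is counted once per row, so rows sum to 2**in_bits and
    every entry is even (x and x XOR dx contribute the same dy). High
    entries for dx != 0 are what differential cryptanalysis exploits; the
    DES criterion caps them."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    ddt = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            dy = sbox[x] ^ sbox[x ^ dx]
            ddt[dx][dy] += 1
    return ddt


def max_differential(sbox, in_bits=4, out_bits=4):
    """Largest DDT entry over non-zero input differences, together with the
    number of inputs counted per row."""
    ddt = difference_distribution_table(sbox, in_bits, out_bits)
    peak = max(max(row) for row in ddt[1:])
    return peak, sum(ddt[1])


def report(name, sbox):
    """Summarise the checks for one S-box."""
    peak, per_row = max_differential(sbox)
    return {
        "name": name,
        "bijective": is_bijective(sbox),
        "min_dist_1bit": min_output_distance_for_single_bit_flips(sbox),
        "max_ddt_entry": peak,
        "inputs_per_row": per_row,
    }


if __name__ == "__main__":
    for name, sbox in (("S-box 0", LUCIFER_S0), ("S-box 1", LUCIFER_S1)):
        print(report(name, sbox))
```

Running the checks shows that both Lucifer S-boxes are permutations but that each has a pair of single-bit-different inputs whose outputs differ in only one bit, which is exactly the kind of property the later DES criteria rule out.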
DES is not a group
One possible way of effectively increasing the key size of DES is to double encrypt. That is, we take two keys k1 and k2 and encrypt a PT P by E_k2(E_k1(P)).
If an attacker has sufficient memory, double encryption can provide little extra protection against some attacks.
But if a cryptosystem is such that double encryption is equivalent to a single encryption, then double encryption will not provide any extra protection.
For affine ciphers and for RSA, double encrypting with two keys k1 and k2 is equivalent to encrypting with a third key k3.
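The affine-cipher case of the claim above, as an added example in Python (not code from the slides): encrypting with k1 = (a1, b1) and then with k2 = (a2, b2) over Z_26 is the same as a single encryption with k3 = (a2·a1, a2·b1 + b2), so double encryption adds no security. The slides make the same statement for RSA; this example covers only the affine cipher, and the helper names and sample keys are its own.

```python
# Added example (not from the lecture slides): closure under composition for
# the affine cipher over Z_26.  E_(a,b)(x) = a*x + b mod 26 with gcd(a, 26) = 1.
# Composing two keys gives another affine key, so E_k2(E_k1(x)) == E_k3(x)
# for every x.  The slides state that DES does NOT have this property.

from math import gcd

M = 26  # alphabet size A-Z, as for the classical affine cipher


def affine_encrypt(x, key):
    """E_(a,b)(x) = a*x + b mod 26; 'a' must be a unit modulo 26."""
    a, b = key
    if gcd(a, M) != 1:
        raise ValueError("a must be coprime to 26 for the cipher to be invertible")
    return (a * x + b) % M


def compose(k1, k2):
    """Key k3 such that E_k3 = E_k2 o E_k1 (k1 applied first, then k2).

    a2*(a1*x + b1) + b2 = (a2*a1)*x + (a2*b1 + b2), and a product of units
    is a unit, so k3 is again a valid affine key."""
    a1, b1 = k1
    a2, b2 = k2
    return ((a2 * a1) % M, (a2 * b1 + b2) % M)


def double_encryption_collapses(k1, k2):
    """True when E_k2(E_k1(x)) == E_k3(x) for every residue x in Z_26."""
    k3 = compose(k1, k2)
    return all(
        affine_encrypt(affine_encrypt(x, k1), k2) == affine_encrypt(x, k3)
        for x in range(M)
    )


def encrypt_text(text, key):
    """Encrypt the letters of an ASCII string (non-letters are dropped)."""
    return "".join(
        chr(ord("A") + affine_encrypt(ord(c) - ord("A"), key))
        for c in text.upper()
        if "A" <= c <= "Z"
    )


if __name__ == "__main__":
    k1, k2 = (5, 8), (7, 3)          # constructed sample keys
    k3 = compose(k1, k2)
    print("k3 =", k3)
    print("double:", encrypt_text(encrypt_text("ATTACK", k1), k2))
    print("single:", encrypt_text("ATTACK", k3))
```

The function `double_encryption_collapses` is a brute-force check over all 26 residues, which is the honest way to confirm the algebraic argument for a small system; the question for DES is whether an analogous k3 exists among the 2^56 keys, and the slides' answer is that it does not.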
DES is not a group
Is the same true for DES?
Namely, is there a key k3 such that E_k3 = E_k2 ∘ E_k1?
This question is often rephrased as “Is DES a group?” Another way of asking is “Is DES closed under composition?”
Fortunately it turns out that DES is not a group.