Cryptography and Network Security
Chapter 3
Fifth Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 3 – Block Ciphers and the Data Encryption Standard
All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.
—Talking to Strange Men, Ruth Rendell
Modern Block Ciphers
now look at modern block ciphers
one of the most widely used types of cryptographic algorithms
provide secrecy / authentication services
focus on DES (Data Encryption Standard) to illustrate block cipher design principles
Block vs Stream Ciphers
block ciphers process messages in blocks, each of which is then en/decrypted
like a substitution on very big characters: 64 bits or more
stream ciphers process messages a bit or byte at a time when en/decrypting
many current ciphers are block ciphers
better analysed
broader range of applications
Block vs Stream Ciphers (figure)
Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
needed since must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need table of 2^64 entries for a 64-bit block
instead create from smaller building blocks using idea of a product cipher
Ideal Block Cipher (figure: the ideal block cipher as an arbitrary permutation of the input blocks)
Claude Shannon and Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen before:
substitution (S-box)
permutation (P-box)
provide confusion & diffusion of message & key
Confusion and Diffusion
cipher needs to completely obscure statistical properties of original message
a one-time pad does this
more practically Shannon suggested combining S & P elements to obtain:
diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
confusion – makes relationship between ciphertext and key as complex as possible
Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
based on concept of invertible product cipher
partitions input block into two halves
process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey
then have permutation swapping halves
implements Shannon's S-P net concept
Feistel Cipher Structure (figures: the Feistel encryption and decryption networks)
Feistel Cipher Design Elements
block size
key size
number of rounds
subkey generation algorithm
round function
fast software en/decryption
ease of analysis
Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by NBS (now NIST) as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its security
DES History
IBM developed Lucifer cipher
by team led by Feistel in late 60's
used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
although DES standard is public
was considerable controversy over design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis show in fact design was appropriate
use of DES has flourished
especially in financial applications
still standardised for legacy application use
DES Encryption Overview (figure)
Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
no cryptographic value
example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
DES Round Structure
uses two 32-bit L & R halves
as for any Feistel cipher can describe as:
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
F takes 32-bit R half and 48-bit subkey:
expands R to 48 bits using perm E
adds to subkey using XOR
passes through 8 S-boxes to get 32-bit result
finally permutes using 32-bit perm P
DES Round Structure (figure: Right Half i-1 (32 bits) → Expansion Permutation (48 bits) → XOR with 48-bit Round Key i → Keyed Substitution (8 S-Boxes) (32 bits) → Transposition (P-Box) → Mangled Right Half i-1, XORed with Left Half i-1 to give Right Half i; Right Half i-1 becomes Left Half i; together this is the Mangler Function F. Key path: Left Half Key i-1 and Right Half Key i-1 (28 bits each) → Left Shift(s) i → Contraction Permutation (permuted choice 2) → 48-bit Round Key i)
DES Expansion Permutation (figure: 32-bit Right Half i-1 expanded to 48 bits; the bit pairs 32 1, 4 5, 8 9, 12 13, 16 17, 20 21, 24 25 and 28 29 are each duplicated)
R half expanded to same length as 48-bit subkey
consider R as 8 nybbles (4 bits each)
expansion permutation copies each nybble into the middle of a 6-bit block
copies the end bits of the two adjacent nybbles into the two end bits of the 6-bit block
Substitution Boxes S
have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4-bit boxes
outer bits 1 & 6 (row bits) select one row of 4
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
feature known as autoclaving (autokeying)
example: S(18 09 12 3d 11 17 38 39) = 5fd25e03
Substitution Boxes S (figure: S-box Si with its control bits, input symbol and output symbol)
each of the eight S-boxes is different
each S-box reduces 6 bits to 4 bits
so the 8 S-boxes implement the 48-bit to 32-bit contraction substitution
Permutation Box P
P-box at end of each round
increases diffusion/avalanche effect
Permutation Box P (figure: the 32 output bits of S1 to S8 are transposed by P)
DES Round in Full (figure: Right Half i-1 → expansion → XOR Round Key i → S1 to S8 → P-box → XOR Left Half i-1 → Right Half i)
DES Key Schedule
forms subkeys used in each round
initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on the key rotation schedule K
• selecting 24 bits from each half & permuting them by PC2 for use in round function F
note practical use issues in h/w vs s/w
DES Key Schedule (figure: 64-bit key with parity bits → permuted choice 1 → 56-bit key in two 28-bit halves → Left Shift → permuted choice 2 → 48-bit subkey)
DES Decryption
decrypt must unwind steps of data computation
with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
IP undoes final FP step of encryption
1st round with SK16 undoes 16th encrypt round
…
16th round with SK1 undoes 1st encrypt round
then final FP undoes initial encryption IP
thus recovering original data value
DES Round Decryption (figure: Left half i and Right half i fed back through the Mangler Function F with Round key i and XOR to recover Left half i-1 and Right half i-1)
DES Example (figure)
Avalanche Effect
key desirable property of encryption alg
where a change of one input or key bit results in changing approx half output bits
making attempts to "home-in" by guessing keys impossible
DES exhibits strong avalanche
Avalanche in DES (figure)
Strength of DES – Key Size
56-bit keys have 2^56 = 7.2 x 10^16 values
brute force search looks hard
recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
still must be able to recognize plaintext
must now consider alternatives to DES
Strength of DES – Analytic Attacks
now have several analytic attacks on DES
these utilise some deep structure of the cipher
by gathering information about encryptions
can eventually recover some/all of the sub-key bits
if necessary then exhaustively search for the rest
generally these are statistical attacks
differential cryptanalysis
linear cryptanalysis
related key attacks
Strength of DES – Timing Attacks
attacks actual implementation of cipher
use knowledge of consequences of implementation to derive information about some/all subkey bits
specifically use fact that calculations can take varying times depending on the value of the inputs to it
particularly problematic on smartcards
Differential Cryptanalysis
one of the most significant recent (public) advances in cryptanalysis
known by NSA in 70's cf DES design
Murphy, Biham & Shamir published in 90's
powerful method to analyse block ciphers
used to analyse most current block ciphers with varying degrees of success
DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis
a statistical attack against Feistel ciphers
uses cipher structure not previously used
design of S-P networks has output of function f influenced by both input & key
hence cannot trace values back through cipher without knowing value of the key
differential cryptanalysis "eliminates" key by using differenced input
Differential Cryptanalysis Compares Pairs of Encryptions
differential cryptanalysis compares two related pairs of encryptions
with a known difference in the input
searching for a known difference in output
when same subkeys are used
Differential Cryptanalysis Compares Pairs of Encryptions
Let mi-1 be the left half of the input to round i, and mi be the right half
f(mi, Ki) = P(S(Ki XOR E(mi))), where P is the P-box transposition, S is the S-box substitution, and E is the expansion perm.
Differential Cryptanalysis Takes Advantage of Linearity
f(mi, Ki) = P(S(Ki XOR E(mi))), where P is the P-box transposition, S is the S-box substitution, and E is the expansion perm.
So E(mi) XOR E(m'i) = E(mi XOR m'i), i.e., the expansion permutation preserves differences (E is linear)
XOR with Ki also preserves differences
E changes the input in a known way, so difference changes in known way
Differential Cryptanalysis Takes Advantage of Non-Uniformity
For all pairs of inputs with the same difference, compute differences in output
Build a table with Δx as row index and Δy as column index, with frequency in cells (i.e., T(Δx, Δy) = # times inputs x and x' have outputs y and y' with Δx = x XOR x' and Δy = y XOR y')
Rows have non-uniformity, so some output differences are more likely than others for a given input difference
Differential Cryptanalysis
have some input difference giving some output difference with probability p
if find instances of some higher probability input / output difference pairs occurring
can infer subkey that was used in round
then must iterate process over many rounds (with decreasing probabilities)
Differential Cryptanalysis (figure)
Differential Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
when found
if intermediate rounds match required XOR have a right pair
if not then have a wrong pair, relative ratio is S/N for attack
can then deduce key values for the rounds
right pairs suggest same key bits
wrong pairs give random values
for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
Linear Cryptanalysis
find linear approximations with prob p != ½
P[i1, i2, ..., ia] XOR C[j1, j2, ..., jb] = K[k1, k2, ..., kc]
where ia, jb, kc are bit locations in P, C, K
gives linear equation for key bits
get one key bit using max likelihood alg using a large number of trial encryptions
effectiveness given by: |p – 1/2|
DES Design Criteria
as reported by Coppersmith in [COPP94]
7 criteria for S-boxes provide for
non-linearity
resistance to differential cryptanalysis
good confusion
3 criteria for permutation P provide for increased diffusion
Block Cipher Design
basic principles still like Feistel's in 1970's
number of rounds
more is better – make exhaustive search best attack
function f:
provides "confusion", is nonlinear, avalanche
have issues of how S-boxes are selected
key schedule
complex subkey creation, key avalanche
Summary
have considered:
block vs stream ciphers
Feistel cipher design & structure
DES
• details
• strength
Differential & Linear Cryptanalysis
block cipher design principles
IntroSlides-April-BuildWithAI-VertexAI.pdf
Luiz Carneiro
 
new ppt artificial intelligence historyyy
new ppt artificial intelligence historyyynew ppt artificial intelligence historyyy
new ppt artificial intelligence historyyy
PianoPianist
 
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxbMain cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
SunilSingh610661
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
Degree_of_Automation.pdf for Instrumentation and industrial specialist
Degree_of_Automation.pdf for  Instrumentation  and industrial specialistDegree_of_Automation.pdf for  Instrumentation  and industrial specialist
Degree_of_Automation.pdf for Instrumentation and industrial specialist
shreyabhosale19
 
Smart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptxSmart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptx
rushikeshnavghare94
 
some basics electrical and electronics knowledge
some basics electrical and electronics knowledgesome basics electrical and electronics knowledge
some basics electrical and electronics knowledge
nguyentrungdo88
 
Introduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS &  KINEMATICSIntroduction to FLUID MECHANICS &  KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICS
narayanaswamygdas
 
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
211421893-M-Tech-CIVIL-Structural-Engineering-pdf.pdf
inmishra17121973
 
Introduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptxIntroduction to Zoomlion Earthmoving.pptx
Introduction to Zoomlion Earthmoving.pptx
AS1920
 
ELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdfELectronics Boards & Product Testing_Shiju.pdf
ELectronics Boards & Product Testing_Shiju.pdf
Shiju Jacob
 
Machine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptxMachine learning project on employee attrition detection using (2).pptx
Machine learning project on employee attrition detection using (2).pptx
rajeswari89780
 
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdfMAQUINARIA MINAS CEMA 6th Edition (1).pdf
MAQUINARIA MINAS CEMA 6th Edition (1).pdf
ssuser562df4
 
fluke dealers in bangalore..............
fluke dealers in bangalore..............fluke dealers in bangalore..............
fluke dealers in bangalore..............
Haresh Vaswani
 
How to use nRF24L01 module with Arduino
How to use nRF24L01 module with ArduinoHow to use nRF24L01 module with Arduino
How to use nRF24L01 module with Arduino
CircuitDigest
 
Smart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineeringSmart Storage Solutions.pptx for production engineering
Smart Storage Solutions.pptx for production engineering
rushikeshnavghare94
 
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design ThinkingDT REPORT by Tech titan GROUP to introduce the subject design Thinking
DT REPORT by Tech titan GROUP to introduce the subject design Thinking
DhruvChotaliya2
 
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E..."Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
"Boiler Feed Pump (BFP): Working, Applications, Advantages, and Limitations E...
Infopitaara
 
introduction to machine learining for beginers
introduction to machine learining for beginersintroduction to machine learining for beginers
introduction to machine learining for beginers
JoydebSheet
 
Mathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdfMathematical foundation machine learning.pdf
Mathematical foundation machine learning.pdf
TalhaShahid49
 
IntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdfIntroSlides-April-BuildWithAI-VertexAI.pdf
IntroSlides-April-BuildWithAI-VertexAI.pdf
Luiz Carneiro
 
new ppt artificial intelligence historyyy
new ppt artificial intelligence historyyynew ppt artificial intelligence historyyy
new ppt artificial intelligence historyyy
PianoPianist
 
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxbMain cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
Main cotrol jdbjbdcnxbjbjzjjjcjicbjxbcjcxbjcxb
SunilSingh610661
 
Level 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical SafetyLevel 1-Safety.pptx Presentation of Electrical Safety
Level 1-Safety.pptx Presentation of Electrical Safety
JoseAlbertoCariasDel
 
Degree_of_Automation.pdf for Instrumentation and industrial specialist
Degree_of_Automation.pdf for  Instrumentation  and industrial specialistDegree_of_Automation.pdf for  Instrumentation  and industrial specialist
Degree_of_Automation.pdf for Instrumentation and industrial specialist
shreyabhosale19
 
Smart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptxSmart_Storage_Systems_Production_Engineering.pptx
Smart_Storage_Systems_Production_Engineering.pptx
rushikeshnavghare94
 
some basics electrical and electronics knowledge
some basics electrical and electronics knowledgesome basics electrical and electronics knowledge
some basics electrical and electronics knowledge
nguyentrungdo88
 
Introduction to FLUID MECHANICS & KINEMATICS
Introduction to FLUID MECHANICS &  KINEMATICSIntroduction to FLUID MECHANICS &  KINEMATICS
Introduction to FLUID MECHANICS & KINEMATICS
narayanaswamygdas
 
Ad

data encryption standard algorithm in cryptography by william stallings

  • 1. Cryptography and Network Security, Chapter 3, Fifth Edition, by William Stallings. Lecture slides by Lawrie Brown.
  • 2. Chapter 3 – Block Ciphers and the Data Encryption Standard
    All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.
    — Talking to Strange Men, Ruth Rendell
  • 3. Modern Block Ciphers
    now look at modern block ciphers
    one of the most widely used types of cryptographic algorithms
    provide secrecy / authentication services
    focus on DES (Data Encryption Standard) to illustrate block cipher design principles
  • 4. Block vs Stream Ciphers
    block ciphers process messages in blocks, each of which is then en/decrypted
    like a substitution on very big characters: 64 bits or more
    stream ciphers process messages a bit or byte at a time when en/decrypting
    many current ciphers are block ciphers: better analysed, broader range of applications
  • 5. Block vs Stream Ciphers (figure)
  • 6. Block Cipher Principles
    most symmetric block ciphers are based on a Feistel Cipher Structure
    needed since must be able to decrypt ciphertext to recover messages efficiently
    block ciphers look like an extremely large substitution
    would need a table of 2^64 entries for a 64-bit block
    instead create from smaller building blocks, using the idea of a product cipher
  • 7. Ideal Block Cipher (figure, labelled "permutation")
  • 8. Claude Shannon and Substitution-Permutation Ciphers
    Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
    form basis of modern block ciphers
    S-P nets are based on the two primitive cryptographic operations seen before: substitution (S-box) and permutation (P-box)
    provide confusion & diffusion of message & key
  • 9. Confusion and Diffusion
    cipher needs to completely obscure statistical properties of the original message
    a one-time pad does this
    more practically Shannon suggested combining S & P elements to obtain:
    diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
    confusion – makes relationship between ciphertext and key as complex as possible
  • 10. Feistel Cipher Structure
    Horst Feistel devised the Feistel cipher, based on the concept of an invertible product cipher
    partitions input block into two halves
    process through multiple rounds which perform a substitution on left data half based on round function of right half & subkey
    then have permutation swapping halves
    implements Shannon's S-P net concept
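The structure of slides 6 and 10 in working code, as an added example that is not part of the slides: a toy Feistel network on 32-bit blocks whose round function is deliberately not invertible. The round function and the demo subkeys are made up for this illustration (they are nothing like DES's F); the point is that the cipher still decrypts, because each round only XORs F's output into the other half and decryption re-derives that same output with the subkeys applied in reverse order.

```python
# Added example (not from the slides): a generic Feistel network on 32-bit blocks
# built from a round function that is NOT invertible, to show that the structure,
# not the round function, is what makes decryption possible.
MASK16 = 0xFFFF

def round_function(r, k):
    """Demo mixing function, assumed for this example only (nothing like DES's F).
    Keeping bits 5..20 of t*t is many-to-one: t and 2**16 - t give the same result
    whenever t is a multiple of 16, so F has no inverse."""
    t = (r ^ k) & MASK16
    return ((t * t) >> 5) & MASK16

def feistel(block, subkeys):
    """Slide 10's structure: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) for each
    subkey, then the halves are swapped back so the very same code decrypts when the
    subkeys are supplied in reverse order."""
    l, r = block >> 16, block & MASK16
    for k in subkeys:
        l, r = r, l ^ round_function(r, k)
    return (r << 16) | l

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    return feistel(block, subkeys[::-1])

def distinct_outputs(k):
    """Distinct values F(., k) takes over all 2**16 inputs; 2**16 would mean F is a bijection."""
    return len({round_function(r, k) for r in range(1 << 16)})

if __name__ == "__main__":
    subkeys = [0x1F3A, 0x9B42, 0xC0DE, 0x7E57]   # constructed demo subkeys
    pt = 0xDEADBEEF
    ct = encrypt(pt, subkeys)
    print(f"{pt:08x} -> {ct:08x} -> {decrypt(ct, subkeys):08x}")
    print("distinct F outputs for one subkey:", distinct_outputs(subkeys[0]), "of", 1 << 16)
```

The count returned by distinct_outputs is well below 65536, so F loses information; the network nevertheless round-trips every block, which is exactly why slide 6 says a Feistel structure is "needed" for efficient decryption.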
  • 13. Feistel Cipher Design Elements
    block size
    key size
    number of rounds
    subkey generation algorithm
    round function
    fast software en/decryption
    ease of analysis
  • 14. Data Encryption Standard (DES)
    most widely used block cipher in world
    adopted in 1977 by NBS (now NIST) as FIPS PUB 46
    encrypts 64-bit data using 56-bit key
    has widespread use
    has been considerable controversy over its security
  • 15. DES History
    IBM developed Lucifer cipher, by team led by Feistel in late 60's
    used 64-bit data blocks with 128-bit key
    then redeveloped as a commercial cipher with input from NSA and others
    in 1973 NBS issued request for proposals for a national cipher standard
    IBM submitted their revised Lucifer which was eventually accepted as the DES
  • 16. DES Design Controversy
    although DES standard is public, was considerable controversy over design
    in choice of 56-bit key (vs Lucifer 128-bit) and because design criteria were classified
    subsequent events and public analysis show in fact design was appropriate
    use of DES has flourished, especially in financial applications
    still standardised for legacy application use
  • 17. DES Encryption Overview (figure)
  • 18. Initial Permutation IP
    first step of the data computation
    IP reorders the input data bits
    even bits to LH half, odd bits to RH half
    quite regular in structure (easy in h/w)
    no cryptographic value
    example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
  • 19. DES Round Structure
    uses two 32-bit L & R halves
    as for any Feistel cipher can describe as:
      L_i = R_{i-1}
      R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
    F takes 32-bit R half and 48-bit subkey:
    expands R to 48 bits using perm E
    adds to subkey using XOR
    passes through 8 S-boxes to get 32-bit result
    finally permutes using 32-bit perm P
  • 20. DES Round Structure (figure: Right Half i-1 (32) → Expansion Permutation (48) → XOR Round Key i (48) → Keyed Substitution, 8 S-Boxes (32) → Transposition (P-Box) → Mangled Right Half i-1; XOR with Left Half i-1 gives Right Half i, and Left Half i = Right Half i-1. Key side: Left Half Key i-1 and Right Half Key i-1 (28 each) → Left Shift(s) i → Contraction Permutation (permuted choice 2) → 48-bit Round Key i. The data path is labelled Mangler Function F.)
  • 21. DES Round Structure (figure)
  • 22. DES Expansion Permutation (figure: the 32 bits of Right Half i-1 laid out as 48 positions)
    R half expanded to same length as 48-bit subkey
    consider R as 8 nybbles (4 bits each)
    expansion permutation copies each nybble into the middle of a 6-bit block
    copies the end bits of the two adjacent nybbles into the two end bits of the 6-bit block
  • 23. Substitution Boxes S
    have eight S-boxes which map 6 to 4 bits
    each S-box is actually 4 little 4-bit boxes
    outer bits 1 & 6 (row bits) select one row of 4
    inner bits 2-5 (col bits) are substituted
    result is 8 lots of 4 bits, or 32 bits
    row selection depends on both data & key
    feature known as autoclaving (autokeying)
    example: S(18 09 12 3d 11 17 38 39) = 5fd25e03
  • 24. Substitution Boxes S (figure: S_i with control, input symbol and output symbol)
    each of the eight S-boxes is different
    each S-box reduces 6 bits to 4 bits
    so the 8 S-boxes implement the 48-bit to 32-bit contraction substitution
  • 25. Permutation Box P (figure: the 32 output bits of S1..S8 rearranged by P)
    P-box at end of each round
    increases diffusion/avalanche effect
  • 26. DES Round in Full (figure: Right Half i-1 → expansion → XOR Round Key i → S1..S8, each with control, input symbol and output symbol → P → XOR Left Half i-1 → Right Half i)
  • 27. DES Key Schedule
    forms subkeys used in each round
    initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
    16 stages consisting of:
      rotating each half separately either 1 or 2 places depending on the key rotation schedule K
      selecting 24 bits from each half & permuting them by PC2 for use in round function F
    note practical use issues in h/w vs s/w
  • 28. DES Key Schedule (figure: 64-bit key with parity bits → permuted choice 1 → 56-bit key in two halves → Left Shift → permuted choice 2 → 48-bit subkey)
  • 29. DES Decryption
    decrypt must unwind steps of data computation
    with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
    IP undoes final FP step of encryption
    1st round with SK16 undoes 16th encrypt round
    …
    16th round with SK1 undoes 1st encrypt round
    then final FP undoes initial encryption IP
    thus recovering original data value
  • 30. DES Round Decryption (figure: Decryption; Left half i and Right half i → Mangler Function F with Round key i → XOR → Left half i-1 and Right half i-1)
  • 32. Avalanche Effect
    key desirable property of encryption alg
    where a change of one input or key bit results in changing approx half output bits
    making attempts to "home-in" by guessing keys impossible
    DES exhibits strong avalanche
  • 34. Strength of DES – Key Size
    56-bit keys have 2^56 = 7.2 x 10^16 values
    brute force search looks hard
    recent advances have shown it is possible
    in 1997 on Internet in a few months
    in 1998 on dedicated h/w (EFF) in a few days
    in 1999 above combined in 22 hrs!
    still must be able to recognize plaintext
    must now consider alternatives to DES
  • 35. Strength of DES – Analytic Attacks
    now have several analytic attacks on DES
    these utilise some deep structure of the cipher
    by gathering information about encryptions can eventually recover some/all of the sub-key bits
    if necessary then exhaustively search for the rest
    generally these are statistical attacks: differential cryptanalysis, linear cryptanalysis, related key attacks
  • 36. Strength of DES – Timing Attacks
    attacks actual implementation of cipher
    use knowledge of consequences of implementation to derive information about some/all subkey bits
    specifically use fact that calculations can take varying times depending on the value of the inputs to it
    particularly problematic on smartcards
  • 37. Differential Cryptanalysis
    one of the most significant recent (public) advances in cryptanalysis
    known by NSA in 70's cf DES design
    Murphy, Biham & Shamir published in 90's
    powerful method to analyse block ciphers
    used to analyse most current block ciphers with varying degrees of success
    DES reasonably resistant to it, cf Lucifer
  • 38. Differential Cryptanalysis
    a statistical attack against Feistel ciphers
    uses cipher structure not previously used
    design of S-P networks has output of function f influenced by both input & key
    hence cannot trace values back through cipher without knowing value of the key
    differential cryptanalysis "eliminates" key by using differenced input
  • 39. Differential Cryptanalysis Compares Pairs of Encryptions
    differential cryptanalysis compares two related pairs of encryptions
    with a known difference in the input
    searching for a known difference in output when same subkeys are used
  • 40. Differential Cryptanalysis Compares Pairs of Encryptions
    Let m_{i-1} be the left half of the input to round i, and m_i be the right half
    f(m_i, K_i) = P(S(K_i XOR E(m_i))), where P is the P-box transposition, S is the S-box substitution, and E is the expansion perm.
  • 41. Differential Cryptanalysis Takes Advantage of Linearity
    f(m_i, K_i) = P(S(K_i XOR E(m_i))), where P is the P-box transposition, S is the S-box substitution, and E is the expansion perm.
    So E(m_i) XOR E(m'_i) = E(m_i XOR m'_i), i.e., the expansion permutation preserves differences (E is linear)
    XOR with K_i also preserves differences
    E changes the input in a known way, so difference changes in known way
  • 42. Differential Cryptanalysis Takes Advantage of Non-Uniformity
    For all pairs of inputs with the same difference, compute differences in output
    Build a table with Δx as row index and Δy as column index, with frequency in cells, i.e., T(Δx, Δy) = # times inputs x and x' have outputs y and y' with Δx = x XOR x' and Δy = y XOR y'
    Rows have non-uniformity, so some output differences are more likely than others for a given input difference
  • 43. Differential Cryptanalysis
    have some input difference giving some output difference with probability p
    if find instances of some higher probability input / output difference pairs occurring, can infer subkey that was used in round
    then must iterate process over many rounds (with decreasing probabilities)
  • 45. Differential Cryptanalysis
    perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
    when found:
      if intermediate rounds match required XOR have a right pair
      if not then have a wrong pair; relative ratio is S/N for attack
    can then deduce key values for the rounds
      right pairs suggest same key bits
      wrong pairs give random values
    for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
    Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
  • 46. Linear Cryptanalysis: another recent development; also a statistical method; must be iterated over rounds, with decreasing probabilities; developed by Matsui et al in early 90's; based on finding linear approximations; can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
  • 47. Linear Cryptanalysis: find linear approximations with prob p != ½: P[i1,i2,...,ia] XOR C[j1,j2,...,jb] = K[k1,k2,...,kc], where ia, jb, kc are bit locations in P, C, K; gives linear equation for key bits; get one key bit using max likelihood alg using a large number of trial encryptions; effectiveness given by |p – 1/2|
  • 48. DES Design Criteria: as reported by Coppersmith in [COPP94]; 7 criteria for S-boxes provide for non-linearity, resistance to differential cryptanalysis, good confusion; 3 criteria for permutation P provide for increased diffusion
  • 49. Block Cipher Design: basic principles still like Feistel’s in 1970’s; number of rounds: more is better, make exhaustive search best attack; function f: provides “confusion”, is nonlinear, avalanche, have issues of how S-boxes are selected; key schedule: complex subkey creation, key avalanche
  • 50. Summary: have considered: block vs stream ciphers; Feistel cipher design & structure; DES (details, strength); Differential & Linear Cryptanalysis; block cipher design principles

Editor's Notes

  • #1: Lecture slides by Lawrie Brown for “Cryptography and Network Security”, 5/e, by William Stallings, Chapter 3 – “Block Ciphers and the Data Encryption Standard”.
  • #2: Intro quote.
  • #3: The objective of this chapter is to illustrate the principles of modern symmetric ciphers. For this purpose, we focus on the most widely used symmetric cipher: the Data Encryption Standard (DES). Although numerous symmetric ciphers have been developed since the introduction of DES, and although it is destined to be replaced by the Advanced Encryption Standard (AES), DES remains the most important such algorithm. Further, a detailed study of DES provides an understanding of the principles used in other symmetric ciphers. This chapter begins with a discussion of the general principles of symmetric block ciphers. Next, we cover full DES. Following this look at a specific algorithm, we return to a more general discussion of block cipher design.
  • #4: Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence focus on them.
  • #5: A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. Typically, a block size of 64 or 128 bits is used. As with a stream cipher, the two users share a symmetric encryption key (Figure 3.1b). A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 2.7), in which the keystream (k) is as long as the plaintext bit stream (p).
  • #6: Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n × 2^n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 × 2^64 = 2^70 ≈ 10^21 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.
  • #7: Feistel refers to an n-bit general substitution as an ideal block cipher, because it allows for the maximum number of possible encryption mappings from the plaintext to ciphertext block. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. The encryption and decryption mappings can be defined by a tabulation, as shown in Stallings Figure 3.2. It illustrates a tiny 4-bit substitution to show that each possible input can be arbitrarily mapped to any output - which is why its complexity grows so rapidly.
  • #8: Feistel proposed that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. In particular, Feistel proposed the use of a cipher that alternates substitutions and permutations, as a practical application of a proposal by Claude Shannon. Claude Shannon’s 1949 paper has the key ideas that led to the development of modern block ciphers. Critically, it was the technique of layering groups of S-boxes separated by a larger P-box to form the S-P network, a complex form of a product cipher. He also introduced the ideas of confusion and diffusion, notionally provided by S-boxes and P-boxes (in conjunction with S-boxes).
  • #9: The terms diffusion and confusion were introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system. Shannon's concern was to thwart cryptanalysis based on statistical analysis. Every block cipher involves a transformation of a block of plaintext into a block of ciphertext, where the transformation depends on the key. The mechanism of diffusion seeks to make the statistical relationship between the plaintext and ciphertext as complex as possible in order to thwart attempts to deduce the key. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. So successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.
  • #10: Horst Feistel, working at IBM Thomas J Watson Research Labs devised a suitable invertible cipher structure in early 70's. One of Feistel's main contributions was the invention of a suitable structure which adapted Shannon's S-P network in an easily inverted structure. It partitions input block into two halves which are processed through multiple rounds which perform a substitution on left data half, based on round function of right half & subkey, and then have permutation swapping halves. Essentially the same h/w or s/w is used for both encryption and decryption, with just a slight change in how the keys are used. One layer of S-boxes and the following P-box are used to form the round function.
  • #11: Stallings Figure 3.3 illustrates the classical Feistel cipher structure, with data split in 2 halves, processed through a number of rounds which perform a substitution on left half using output of round function on right half & key, and a permutation which swaps halves, as listed previously. The LHS of this figure shows the flow during encryption, the RHS in decryption. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs Li–1 and Ri–1, derived from the previous round, as well as a subkey Ki, derived from the overall K. In general, the subkeys Ki are different from K and from each other. The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn–1 in the second round, and so on until K1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption. See discussion in text for why using the same algorithm with a reversed key order produces the correct result, noting that at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped.
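The reversed-subkey property of the Feistel structure can be checked directly. The following is an added example, not code from the slides or from Stallings' text: a toy 32-bit Feistel cipher with the shape of Figure 3.3, whose (constructed, deliberately non-invertible) round function and toy key schedule are assumptions of this example, used to verify that decryption is the same algorithm with subkeys reversed and that each decryption intermediate equals the matching encryption intermediate with its halves swapped.

```python
# Added example (not from the slides or Stallings' text): a toy 32-bit Feistel
# cipher with the structure of Figure 3.3. The round function and key schedule
# are constructed for this example and have nothing to do with DES's own.
ROUNDS = 16
MASK16 = 0xFFFF


def round_function(half, subkey):
    """Deliberately non-invertible mixing of a 16-bit half with a 16-bit subkey."""
    v = (half + subkey) & MASK16
    v = ((v << 5) | (v >> 11)) & MASK16        # 16-bit rotate left by 5
    v = (v * 0x9E37) & MASK16                   # multiply mod 2^16 (loses information)
    return v ^ (v >> 7)


def toy_key_schedule(key, rounds=ROUNDS):
    """Derive one 16-bit subkey per round from a 32-bit key (constructed, not DES's)."""
    subkeys = []
    for i in range(rounds):
        key = ((key << 3) | (key >> 29)) & 0xFFFFFFFF   # 32-bit rotate left by 3
        subkeys.append((key ^ (0x5A5A * (i + 1))) & MASK16)
    return subkeys


def feistel_rounds(left, right, subkeys):
    """Apply the rounds L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i).
    Returns the final halves and the trace [(L_0, R_0), ..., (L_n, R_n)]."""
    trace = [(left, right)]
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
        trace.append((left, right))
    return left, right, trace


def encrypt(block, subkeys):
    left, right = block >> 16, block & MASK16
    left, right, trace = feistel_rounds(left, right, subkeys)
    # The final swap of Figure 3.3: the output block is (R_n, L_n).
    return (right << 16) | left, trace


def decrypt(block, subkeys):
    """Same algorithm; only the subkey order differs (K_n first, K_1 last)."""
    return encrypt(block, subkeys[::-1])


def swapped_intermediates_match(block, subkeys):
    """True if round-trip works and decryption state after round j equals the
    encryption state after round n-j with the two halves swapped."""
    ciphertext, enc_trace = encrypt(block, subkeys)
    plaintext, dec_trace = decrypt(ciphertext, subkeys)
    n = len(subkeys)
    halves_match = all(
        dec_trace[j] == (enc_trace[n - j][1], enc_trace[n - j][0])
        for j in range(n + 1)
    )
    return plaintext == block and halves_match


if __name__ == "__main__":
    subkeys = toy_key_schedule(0xC0FFEE42)          # constructed sample key
    ct, _ = encrypt(0x12345678, subkeys)
    pt, _ = decrypt(ct, subkeys)
    print(f"ciphertext {ct:08x}, decrypted {pt:08x}")
    print("swap property holds:", swapped_intermediates_match(0x12345678, subkeys))
```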
  • #13: The exact realization of a Feistel network depends on the choice of the following parameters and design features: - block size: increasing size improves security, but slows cipher - key size: increasing size improves security, makes exhaustive key searching harder, but may slow cipher - number of rounds: increasing number improves security, but slows cipher - subkey generation algorithm: greater complexity can make analysis harder, but slows cipher - round function: greater complexity can make analysis harder, but slows cipher - fast software en/decryption: more recent concern for practical use - ease of analysis: for easier validation & testing of strength
  • #14: The most widely used private key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. The DES enjoys widespread use. It has also been the subject of much controversy concerning its security.
  • #15: In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel. The project concluded in 1971 with the development of the LUCIFER algorithm. LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits. Because of the promising results produced by the LUCIFER project, IBM embarked on an effort, headed by Walter Tuchman and Carl Meyer, to develop a marketable commercial encryption product that ideally could be implemented on a single chip. It involved not only IBM researchers but also outside consultants and technical advice from NSA. The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip. In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard. IBM submitted the modified LUCIFER. It was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.
  • #16: Before its adoption as a standard, the proposed DES was subjected to intense & continuing criticism over the size of its key & the classified design criteria. Recent analysis has shown, despite this controversy, that DES is well designed. DES is theoretically broken using Differential or Linear Cryptanalysis but in practice is unlikely to be a problem yet. Rapid advances in computing speed, however, have rendered the 56 bit key susceptible to exhaustive key search, as predicted by Diffie & Hellman. DES has flourished and is widely used, especially in financial applications. It is still standardized for legacy systems, with either AES or triple DES for new applications.
  • #17: The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64-bits of data and of key. The left side shows the basic process for enciphering a 64-bit data block which consists of: - an initial permutation (IP) which shuffles the 64-bit input block - 16 rounds of a complex key dependent round function involving substitutions & permutations - a final permutation, being the inverse of IP The right side shows the handling of the 56-bit key and consists of: - an initial permutation of the key (PC1) which selects 56-bits out of the 64-bits input, in two 28-bit halves - 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
  • #18: The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice, and is the opposite of what we now mostly use - so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc (rightmost, least significant). For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”. Note that example values are specified using hexadecimal.
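The bit-numbering caveat is easy to get wrong in code, so here is an added example (not from the slides or Stallings' text) that applies IP with DES's "bit 1 is the leftmost bit" convention and checks it against the worked value above. The IP table is Stallings Table 3.2a; the inverse table (3.2b) is derived from it rather than typed in.

```python
# Added example (not from the slides or Stallings' text): the DES initial
# permutation with DES bit numbering, checked against the note's worked example.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def get_bit(value, pos, width=64):
    """Bit `pos` in DES numbering: 1 = leftmost/most significant, `width` = rightmost."""
    return (value >> (width - pos)) & 1


def permute(value, table, width=64):
    """Output bit k (1-based, left to right) is input bit table[k-1]."""
    out = 0
    for src in table:
        out = (out << 1) | get_bit(value, src, width)
    return out


def inverse_table(table):
    """Invert a permutation table given in the same 1-based convention."""
    inv = [0] * len(table)
    for dst, src in enumerate(table, start=1):
        inv[src - 1] = dst
    return inv


IP_INV = inverse_table(IP)   # Stallings Table 3.2b, derived


def initial_permutation(block):
    """Return (L0, R0): the 32-bit halves after IP, as in the first row of Table 3.5."""
    permuted = permute(block, IP)
    return permuted >> 32, permuted & 0xFFFFFFFF


if __name__ == "__main__":
    plaintext = 0x675A69675E5A6B5A            # the note's example value
    l0, r0 = initial_permutation(plaintext)
    print(f"after IP: {l0:08x} {r0:08x}")      # expect ffb2194d 004df6fb
    print("IP^-1 undoes IP:", permute(permute(plaintext, IP), IP_INV) == plaintext)
```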
  • #20: We now review the internal structure of the DES round function F, which takes R half & subkey, and processes them. The round key Ki is 48 bits. The R input is 32 bits. This R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Table 3.2c). The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function that produces a 32-bit output, which is permuted as defined by Table 3.2d. This follows the classic structure for a Feistel cipher. Note that the S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.
  • #22: Stallings Figure 3.7 illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits by using expansion table E that defines a permutation plus an expansion that involves duplication of 16 of the R bits (Stallings Table 3.2c). The resulting 48 bits are XORed with key Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes which each map 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P as defined by Stallings Table 3.2d.
  • #24: The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output. These transformations are defined in Stallings Table 3.3, which is interpreted as follows: The first and last bits of the input to box Si form a 2-bit binary number to select one of four substitutions defined by the four rows in the table for Si. The middle four bits select one of the sixteen columns. The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output. For example, in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12). The value in row 1, column 12 is 9, so the output is 1001. The example lists 8 6-bit values (i.e. 18 in hex is 011000 in binary, 09 hex is 001001 binary, 12 hex is 010010 binary, 3d hex is 111101 binary etc), each of which is replaced following the process detailed above using the appropriate S-box, i.e. S1(011000): lookup row 00 col 1100 in S1 to get 5; S2(001001): lookup row 01 col 0100 in S2 to get 15 = f in hex; S3(010010): lookup row 00 col 1001 in S3 to get 13 = d in hex; S4(111101): lookup row 11 col 1110 in S4 to get 2; etc.
  • #27: The DES Key Schedule generates the subkeys needed for each data encryption round. A 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a. It is first processed by Permuted Choice One (Stallings Table 3.4b). The resulting 56-bit key is then treated as two 28-bit quantities C & D. In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d. These shifted values serve as input to the next round of the key schedule. They also serve as input to Permuted Choice Two (Stallings Table 3.4c), which produces a 48-bit output that serves as input to the round function F. The 56 bit key size comes from security considerations as we know now. It was big enough so that an exhaustive key search was about as hard as the best direct attack (a form of differential cryptanalysis called a T-attack, known by the IBM & NSA researchers), but no bigger. The extra 8 bits were then used as parity (error detecting) bits, which makes sense given the original design use for hardware communications links. However we hit an incompatibility with simple s/w implementations since the top bit in each byte is 0 (since ASCII only uses 7 bits), but the DES key schedule throws away the bottom bit! A good implementation needs to be cleverer!
  • #30: As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order SK16 .. SK1. If you trace through the DES overview diagram you can see how each decryption step, top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.
  • #32: Can now work through an example, and consider some of its implications. In this example, the plaintext is a hexadecimal palindrome, with: Plaintext: 02468aceeca86420 Key: 0f1571c947d9e859 Ciphertext: da02ce3a89ecac3b Table 3.5 shows the progression of the algorithm. The first row shows the 32-bit values of the left and right halves of data after the initial permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit subkey generated for each round. The final row shows the left and right-hand values after the inverse initial permutation. These two values combined form the ciphertext.
  • #33: A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. If the change were small, this might provide a way to reduce the size of the plaintext or key space to be searched. DES exhibits a strong avalanche effect, as may be seen in Stallings Table 3.5.
  • #34: A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. This is referred to as the avalanche effect. Using the example from Table 3.5, Table 3.6 shows the result when the fourth bit of the plaintext is changed, so that the plaintext is 12468aceeca86420. The second column of the table shows the intermediate 64-bit values at the end of each round for the two plaintexts. The third column shows the number of bits that differ between the two intermediate values. The table shows that after just three rounds, 18 bits differ between the two blocks. On completion, the two ciphertexts differ in 32 bit positions. Table 3.7 in the text shows a similar test using the original plaintext with two keys that differ in only the fourth bit position. Again, the results show that about half of the bits in the ciphertext differ and that the avalanche effect is pronounced after just a few rounds.
  • #35: Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES in two areas: key size and the nature of the algorithm. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Thus a brute-force attack appeared impractical. However DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000. The attack took less than three days. The EFF has published a detailed description of the machine, enabling others to build their own cracker [EFF98]. There have been other demonstrated breaks of the DES using both large networks of computers & dedicated h/w, including: - 1997 on a large network of computers in a few months - 1998 on dedicated h/w (EFF) in a few days - 1999 above combined in 22hrs! It is important to note that there is more to a key-search attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. Clearly we must now consider alternatives to DES, the most important of which are AES and triple DES.
  • #36: Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. The focus of concern has been on the eight substitution tables, or S-boxes, that are used in each iteration. These techniques utilise some deep structure of the cipher by gathering information about encryptions so that eventually you can recover some or all of the subkey bits, and then exhaustively search for the rest if necessary. Generally these are statistical attacks which depend on the amount of information gathered for their likelihood of success. Attacks of this form include differential cryptanalysis, linear cryptanalysis, and related-key attacks.
  • #37: We will discuss timing attacks in more detail later, as they relate to public-key algorithms. However, the issue may also be relevant for symmetric ciphers. A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts. A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs. The AES analysis process has highlighted this attack approach, and showed that it is a concern particularly with smartcard implementations, though DES appears to be fairly resistant to a successful timing attack.
  • #38: Biham & Shamir show that Differential Cryptanalysis can be successfully used to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. Although 2^47 is certainly significantly less than 2^55, the need for the adversary to obtain 2^47 chosen plaintexts makes this attack of only theoretical interest. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve resistance to it. Compare DES's resistance with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.
  • #39: The differential cryptanalysis attack is complex. The rationale behind differential cryptanalysis is to observe the behavior of pairs of text blocks evolving along each round of the cipher, instead of observing the evolution of a single text block. Each round of DES passes the right-hand input through unchanged to become the left-hand output, and sets the right-hand output to be the left-hand input XORed with a function of the right-hand input and the subkey for this round; this means you cannot trace values back through the cipher without knowing the subkeys. Differential Cryptanalysis instead compares pairs of related encryptions, whose differences can leak information about the key given a sufficiently large number of suitable pairs.
  • #40: This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known input difference leading to a known output difference with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f. In differential cryptanalysis, we start with two messages, m and m', with a known XOR difference Δm = m xor m', and consider the differences between the corresponding intermediate message halves, Δm_i = m_i xor m'_i. Then we have the equation from Stallings section 3.4 which shows how this removes the influence of the key, hence enabling the analysis. Suppose that many pairs of inputs to f with the same difference yield the same output difference if the same subkey is used. To put this more precisely, let us say that X may cause Y with probability p, if for a fraction p of the pairs in which the input XOR is X, the output XOR equals Y. We want to suppose that there are a number of values of X that have high probability of causing a particular output difference.
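The round equation that the note above refers to, written out here as an added derivation rather than text from the slides. The notation follows the note: m_i and m'_i are the right halves entering round i for the two messages, K_i is the round subkey, f is the DES round function; E denotes the DES expansion and S the S-box layer (assumed labels, not from the slides).

$$
\Delta m_{i+1} = m_{i+1} \oplus m'_{i+1}
= \big[m_{i-1} \oplus f(m_i, K_i)\big] \oplus \big[m'_{i-1} \oplus f(m'_i, K_i)\big]
= \Delta m_{i-1} \oplus \big[f(m_i, K_i) \oplus f(m'_i, K_i)\big]
$$

Inside f the subkey is XORed onto the expanded half before the S-boxes, so the two S-box inputs differ by

$$
\big(E(m_i) \oplus K_i\big) \oplus \big(E(m'_i) \oplus K_i\big) = E(m_i) \oplus E(m'_i) = E(\Delta m_i),
$$

because E is linear. The difference entering the S-boxes therefore does not depend on K_i at all; only the output difference f(m_i, K_i) ⊕ f(m'_i, K_i) is probabilistic, and that probability is exactly what "X may cause Y with probability p" measures for each S-box.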
  • #44: The overall strategy of differential cryptanalysis is based on these considerations for a single round. The procedure is to begin with two plaintext messages m and m' with a given difference and trace through a probable pattern of differences after each round to yield a probable difference for the ciphertext. You submit m and m' for encryption to determine the actual difference under the unknown key and compare the result to the probable difference. If there is a match, then we suspect that all the probable patterns at all the intermediate rounds are correct. With that assumption, we can make some deductions about the key bits. This procedure must be repeated many times to determine all the key bits.
  • #45: Stallings Figure 3.7 illustrates the propagation of differences through three rounds of DES. The probabilities shown on the right refer to the probability that a given set of intermediate differences will appear as a function of the input differences. Overall, after three rounds the probability that the output difference is as shown is equal to 0.25*1*0.25=0.0625. Since the output difference is the same as the input, this 3 round pattern can be iterated over a larger number of rounds, with probabilities multiplying to be successively smaller.
  • #46: Differential Cryptanalysis performs the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained. See [BIHA93] for detailed descriptions. The attack on full DES requires an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts to be encrypted, with a considerable amount of analysis; in practice exhaustive search is still easier, even though on average 2^55 encryptions are required for that.
  • #47: A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach.
  • #48: The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5, as shown. Once a proposed relation is determined, the procedure is to compute the result of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of information about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.
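An added worked example covering both the "X may cause Y with probability p" idea from #40 and the key-bit recovery procedure from #48; it is not code from the slides or the textbook. It builds the difference distribution table and the linear approximation table for DES S-box S1 (the table is the one in FIPS 46-3), and then runs Matsui's Algorithm 1 against a constructed toy cipher C = S1(P xor K) with a 6-bit key K, recovering one bit of key information (the XOR of the key bits selected by the best linear mask) from plaintext-ciphertext pairs. The toy cipher, the key value and the function names are assumptions of this example.

```python
"""Differential and linear profiles of DES S-box S1, and Matsui's
Algorithm 1 run against a toy keyed S-box (constructed example)."""

# DES S-box S1 as specified in FIPS 46-3: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    """S1: 6-bit input -> 4-bit output. The outer two bits pick the row,
    the middle four bits pick the column (the DES convention)."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def parity(v):
    """XOR of all bits of v: the masked 'dot product' used by linear masks."""
    return bin(v).count("1") & 1


def difference_table(s=sbox):
    """ddt[dx][dy] = number of inputs x with s(x) ^ s(x ^ dx) == dy.
    dx is the S-box input difference; it is key-independent because
    (x ^ k) ^ (x' ^ k) == x ^ x' for any subkey k, so the table holds
    whatever subkey the round uses."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][s(x) ^ s(x ^ dx)] += 1
    return ddt


def best_differential(ddt):
    """Most likely (dx, dy, count) with dx != 0; count/64 is the
    probability that 'dx may cause dy' in the note's terminology."""
    return max(((dx, dy, ddt[dx][dy]) for dx in range(1, 64)
                for dy in range(16)), key=lambda t: t[2])


def linear_table(s=sbox):
    """lat[a][b] = number of x for which a.x XOR b.s(x) == 0, '.' being
    the masked parity. Bias = lat[a][b]/64 - 1/2; the attack wants |bias|
    as large as possible (count far from 32)."""
    lat = [[0] * 16 for _ in range(64)]
    for a in range(64):
        for b in range(16):
            lat[a][b] = sum(1 for x in range(64)
                            if parity(a & x) ^ parity(b & s(x)) == 0)
    return lat


def best_linear_approximation(lat):
    """(a, b, count) with a, b != 0 and the largest |count - 32|."""
    return max(((a, b, lat[a][b]) for a in range(1, 64)
                for b in range(1, 16)), key=lambda t: abs(t[2] - 32))


def recover_key_parity(a, b, count, pairs):
    """Matsui's Algorithm 1 on the toy cipher C = S1(P ^ K), K a 6-bit key.
    With X = P ^ K:  a.P ^ b.C = [a.X ^ b.S1(X)] ^ a.K.
    The bracket is 0 for a fraction count/64 of all X, so counting how
    often the left-hand side is 0 over many (P, C) pairs reveals the
    single key bit a.K, the XOR of the key bits selected by mask a."""
    t = sum(1 for p, c in pairs if parity(a & p) ^ parity(b & c) == 0)
    n = len(pairs)
    if count > 32:                 # LHS is 0 mostly when a.K == 0
        return 0 if t > n / 2 else 1
    return 1 if t > n / 2 else 0   # LHS is 0 mostly when a.K == 1


if __name__ == "__main__":
    ddt = difference_table()
    dx, dy, cnt = best_differential(ddt)
    print(f"best differential: {dx:02x} -> {dy:x}, probability {cnt}/64")
    lat = linear_table()
    a, b, cnt = best_linear_approximation(lat)
    print(f"best linear approximation: a={a:02x} b={b:x}, holds {cnt}/64")
    key = 0b101101                                    # constructed toy key
    pairs = [(p, sbox(p ^ key)) for p in range(64)]   # all 64 known plaintexts
    print("a.K recovered:", recover_key_parity(a, b, cnt, pairs),
          "actual:", parity(a & key))
```

Because the toy has only 64 possible plaintexts, all of them can be used and the recovered bit is exact; against a real multi-round cipher the same count is taken over a sample of known pairs and the answer is only correct with a probability that grows with the sample size, which is where the 2^43 known-plaintext figure for DES comes from. The difference table also makes one of the published DES S-box design rules visible: for every single-bit input difference, the output difference is never zero and never a single bit.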
  • #49: Although much progress has been made in designing block ciphers that are cryptographically strong, the basic principles have not changed all that much since the work of Feistel and the DES design team in the early 1970s. Some of the criteria used in the design of DES were reported in [COPP94], and focused on the design of the S-boxes and on the P function that distributes the output of the S boxes, as summarized above. See text for further details.
  • #50: The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Briefly discuss these. The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms. The function F provides the element of confusion in a Feistel cipher, want it to be difficult to “unscramble” the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. Would like any change to the input vector to an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions. A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. Would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.
  • #51: Chapter 3 summary.