Chapter 3 – Block Ciphers and the Data Encryption Standard
Jen-Chang Liu, 2005
Adopted from lecture slides by Lawrie Brown
All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.—Talking to Strange Men, Ruth Rendell
Who’s Ruth Rendell?
Ruth Rendell (露絲.藍黛兒)
英國推理小說家,曾獲得英國推理作家協會金匕首獎:
1976年 《看不見的惡魔 》 A Demon in my View 新雨出版社
1986年 《肉慾生香 》 Live Flesh 新雨出版社為西班牙導演 阿莫多瓦電影 愛慾情狂 原著,
Textbook Exercise 2.2 之來源
History of DES (Data Encryption Standard)
DES: The most widely used symmetric cipher 1977 adopted by Federal Information Processing Standard 46 (FIPS 46)
64-bit blocks and 56-bit key
Replaced by
3DES (chap. 6) , AES (chap. 5)
Motivation: Study of DES provides an understanding of the principles used in other symmetric ciphers
FIPS approved encryption algorithms
4 FIPS approved algorithms
AES: FIPS 197, Nov. 2001
Triple DES: FIPS 46-3, Oct. 1999
DES: FIPS 46, 1977DES is permitted in legacy systems only
Skipjack: FIPS 185, Feb. 1994
加密程式認證流程
Recall: Symmetric Cipher Model
Recall: Block vs. Stream Ciphers
block ciphers process messages in into blocks, each of which is then en/decrypted
stream ciphers process messages a bit or byte at a time when en/decrypting A block cipher can be changed into a
stream cipher Ex. Cipher Feedback Mode of DES
…
Outline Simplified DES (S-DES) Block Cipher Principles The Data Encryption Standard (DES) The Strength of DES Differential and Linear Cryptoanalysis Block Cipher Design Principles Block Cipher: Mode of Operation
Simplified DES DES: 64-bit block, 56-bit key Simplified DES: 8-bit block, 10-bit key
Has similar properties and structure to DES, repeated substitution and permutation
Helps to understand DES
S-DES
10111101(8-bit plaintext)
1011101011 (10-bit key)
11011001(8-bit ciphertext)
S-DES overview
Initial permutation8-bit subkey
Complex function(substitution+ permutation)
SWitch left/righthalves
the same data
Mathematical form Encryption
Decryption
xt)))))IP(plainte(SW(f(f(IPciphertext12 KK
-1
ext)))))IP(ciphert(SW(f(f(IPplaintext21 KK
-1
• Encryption and decryption go through the same functions, but the order of subkeys are reversed
=> The same hardware/software for encryption/decryption
Key generation
permutation1 2 3 4 5 6 7 8 9 10
3 5 2 7 4 10 1 9 8 6
1 0 1 0 0 0 0 0 1 0
1
Key:
010 0 0 0 1 0 0
Left shift1 bit (rotate) 0 0 0 0 1 1 1 0 0 0
permutation(8 out of 10)
1 2 3 4 5 6 7 8 9 10
6 3 7 4 8 5 10 91 0 10 0 1 0 0K1
Left shift2 bit (rotate) 0 0 1 0 00 0 0 1 1
permutation(8 out of 10)
1 2 3 4 5 6 7 8 9 10
6 3 7 4 8 5 10 9
0 1 0 0 0 0 1 1K2
Details of encryption
One round
L R
RL F(R,K1)
Output after IP (Initial Permutation):
L R1 0 1 1 1 1 0 1
1 1 0 1? ? ? ?
Expansion/permutation4 -> 8
4 1 2 3 2 3 4 1
1 1 1 0 1 0 1 1
Idea of E/P 1 23 4
42
31
S0
S1
S-Box (S0): 4 -> 2
01 00 11 1011 10 01 0000 10 01 1111 01 11 10
1 1 1 01 0 1 1
00011011
00 01 10 11
1 10 1
Attacks on S-DES Brute-force attack
10-bit key => 210=1024 possible keys Try all keys, analyze if the result is a
reasonable plaintext Cryptanalysis
Known plaintext-ciphertext attackPlaintext bits: p1 p2 p3 p4 p5 p6 p7 p8
Ciphertext bits: c1 c2 c3 c4 c5 c6 c7 c8
Unknown key: k1 k2 k3 k4 k5 k6 k7 k8 k9 k108 equations,10 unknowns
Non-linear S-Box 4-bit input, 2-bit output
01 00 11 1011 10 01 0000 10 01 1111 01 11 10
00011011
00 01 10 11
Input bits: (a, b, c, d) Output bits: (q, r)
(a,d)
(b,c)
q=(abcd+ab+ac+b+d) mod 2
r=(abcd+abd+ab+ac+ad+a+c+1) mod 2
Preview to DES
S-DES DES
round
(56-bit)
48-bit subkey
Outline Simplified DES (S-DES) Block Cipher Principles The Data Encryption Standard (DES) The Strength of DES Differential and Linear Cryptoanalysis Block Cipher Design Principles Block Cipher: Mode of Operation
Problem Why do we need a block cipher, such as
S-DES, with such a complex structure?
General 4-bit block cipherReceiver must have theCode book (4x24 bits)
Blockbox
This cipher is not secure! => we need larger block
Block Cipher Principles General transform for n-bit block cipher
Reversible transform
Plaintext blockp1 p2 p3 p4 … pn
0 0 0 0 …0 00 0 0 0 …0 10 0 0 0 …1 00 0 0 0 …1 1
1 1 1 1 …1 1
.
.1 1 1 1 …1 0
2n input
Ciphertext blockc1 c2 c3 c4 … cn
0 0 0 0 …0 00 0 0 0 …0 10 0 0 0 …1 00 0 0 0 …1 1
1 1 1 1 …1 1
.
.1 1 1 1 …1 0
2n output
…
2n! transforms
DES: 64-bitHow to deliver the codebook?
2nxn bitcodebook
Block Cipher Principles (cont.)
For the general block ciphers, the transform itself is the key Key size = n x 2n
DES: 64-bit block Key size: 64 x 264 =1021 bits
Block Cipher Principles (cont.)
Answer: We need an approximation to the ideal block cipher with large n Build up out of components that are easily
realizable Example:
General 4-bitcipher:4x24 =64 bitskey
Simple math. Structure: Hill cipher-like
4
3
2
1
4
3
2
1
44434241
34333231
24232221
14131211
c
c
c
c
p
p
p
p
kkkk
kkkk
kkkk
kkkk
16 bits key, but vulnerable to attacks
Claude Shannon’s design principles
Strongly ideal cipher: all statistics of the ciphertext are independent of the plaintext and key Assume attacker has knowledge of he statistical
properties of the plaintext However, we can not use the arbitrary
substitution cipher with large key
T(p1, p2, …, pn, Key)
p1
p2
p3
p4
… pn
c1
c2
c3
c4
…cn
Two principles: Confusion and Diffusion
1949, Shannon suggested combining elements to obtain: Diffusion(擴散 ) – dissipates statistical structure
of plaintext over bulk of ciphertext Each ciphertext digit is affected by many plaintext digits
Confusion(混淆 ) – makes relationship between ciphertext and key as complex as possible
use complex substitution algorithm
)26(mod 1
n
iij pcEx.
cipherplaintext ciphertext
key
diffusion
confusion
Feistel cipher How to construct a practical block
cipher with reasonable key size? most symmetric block ciphers are
based on a Feistel Cipher Structure using idea of a product cipher Alternate substitutions and
permutations
Feistel cipher Structure
+
+
+
Complexsubstitution
permutationswitch
Substitution-Permutation
network
Feistel Cipher Design Principles
block size : typically 64~128 bits increasing size improves security, but slows cipher
key size : typically 64~128 bits increasing size improves security, makes exhaustive
key searching harder, but may slow cipher number of rounds : typically 16 rounds
increasing number improves security, but slows cipher
subkey generation greater complexity can make analysis harder, but
slows cipher round function
greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis are more recent concerns for practical use and testing
Feistel Cipher Decryption
… …
+
+
+
+
RE1 = LE0 F(RE0, K1)
RE1 F(RE0, K1) = LE0 F(RE0, K1) F(RE0, K1) = LE0
Outline Simplified DES (S-DES) Block Cipher Principles The Data Encryption Standard (DES) The Strength of DES Differential and Linear Cryptoanalysis Block Cipher Design Principles Block Cipher: Mode of Operation
Data Encryption Standard (DES)
most widely used block cipher in world adopted in 1977 by NBS (now NIST)
as FIPS PUB 46 encrypts 64-bit data using 56-bit key
256 possible transforms out of 264! arbitrary transforms
has been considerable controversy over its security
DES History IBM developed Lucifer cipher
by team led by Feistel used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy although DES standard is public was considerable controversy over
design in choice of 56-bit key (vs Lucifer 128-bit) and design criteria of internal structure of
DES were classified subsequent events and public analysis
show in fact design was appropriate DES has become widely used, esp in
financial applications
DES Encryption
Initial Permutation (IP) IP reorders the input data bits even bits to LH half, odd bits to RH half
Initial permutation table:
Single round of DES
subkey
Simplified DES DES
DES Round Structure uses two 32-bit L & R halves as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 F(Ri–1, Ki) takes 32-bit R half and 48-bit subkey and:
expands R to 48-bits using perm E adds to subkey passes through 8 S-boxes to get 32-bit result finally permutes this using 32-bit perm P
DES Round Structure
6x8
4x8=32
Expansion and S-box indexing
Expansion
S-Box
n1 n2 n3 n4
n5 n6 n7 n8
...…
n29 n30 n31 n32
n32
n4
.
.n28
n5
n9
.
.n1
Index into S-Box S1
(n32, n5)(n1, n2, n3, n4)
Ex. 011001 -> 9 (1001)
Substitution Boxes S have eight S-boxes which map 6 to 4 bits each S-box is actually 4 little 4 bit boxes
outer bits 1 & 6 (row bits) select one rows inner bits 2-5 (col bits) are substituted result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key feature known as autoclaving (autokeying)
example:S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule forms subkeys used
in each round initial permutation of
the key (PC1) which selects 56-bits in two 28-bit halves
16 stages consisting of:
selecting 24-bits from each half
permuting them by PC2 for use in function f
rotating each half separately either 1 or 2 places depending on the key rotation schedule K
Initial permutation 1
56-bit key
…Round i
DES Decryption Decryption: encryption
steps again using subkeys in
reverse order (SK16 … SK1)
How effective is DES? - Avalanche Effect 雪崩效應
A change of one bit of the plaintext or key results in changing in many bits of the ciphertext
cipherplaintext ciphertext
key
Abbreviations FIPS: Federal Information Processing
Standard NIST: National Institute of Standards
and Technology NBS: National Bureau of Standards