block cipher

1

CClassicallassical &&ontemporyontemporyryptologyryptology Block CipherBlock CipherBlock CipherBlock Cipher

Today’s most widely used ciphers are in the class Today’s most widely used ciphers are in the class of Block Ciphersof Block Ciphers– Define a block of computer bits which represent several Define a block of computer bits which represent several

characterscharacters

– Encipher the complete block at one timeEncipher the complete block at one time

AlgorithmAlgorithm

Block of BitsBlock of Bits

Block of BitsBlock of Bits

KEYKEY

2

CClassicallassical &&ontemporyontemporyryptologyryptology Modes of OperationModes of OperationModes of OperationModes of Operation

Before examining the details of any specific block Before examining the details of any specific block cipher algorithm, it is useful to consider how such cipher algorithm, it is useful to consider how such algorithms are usedalgorithms are used

There are 3 operational modes:There are 3 operational modes:– Electronic Code Book (ECB)Electronic Code Book (ECB)– Cipher Block Chaining (CBC)Cipher Block Chaining (CBC)– Output Feedback Mode (OFM)Output Feedback Mode (OFM)

These modes have become international These modes have become international standards for implementing any block cipherstandards for implementing any block cipher

3

CClassicallassical &&ontemporyontemporyryptologyryptology

Electronic Code BookElectronic Code BookElectronic Code BookElectronic Code Book

Simplest mode of operationSimplest mode of operation– each block is enciphered into a ciphertext each block is enciphered into a ciphertext

block using one keyblock using one key

Ek

M1

C1

Key Ek

M2

C2

Ek

Mm

Cm

Problem:if Mi = Mj thenCi = Cj

4


Cipher Block ChainingCipher Block ChainingCipher Block ChainingCipher Block Chaining

The input to each block stage is the The input to each block stage is the current block XORed with the current block XORed with the previous stage cipher blockprevious stage cipher block

Key Ek

M1

C1

Ek

M2

C2

Ek

Mm

Cm

5


Output Feedback ModeOutput Feedback ModeOutput Feedback ModeOutput Feedback Mode

The block cipher is used as a stream The block cipher is used as a stream ciphercipher– it produces the random key streamit produces the random key stream

RiEk Ri+1

KEYMi

Ci

6

CClassicallassical &&ontemporyontemporyryptologyryptology General StructureGeneral StructureGeneral StructureGeneral Structure

In 1973, Feistel suggest a form of product cipher that In 1973, Feistel suggest a form of product cipher that has become the architecture of choice for almost all has become the architecture of choice for almost all symmetric block ciphers in use today. symmetric block ciphers in use today.

– The overall process involves several stages of a substitution The overall process involves several stages of a substitution followed by a transposition. followed by a transposition.

– The master key is subdivided into a set of subkeys – one for The master key is subdivided into a set of subkeys – one for each stage. each stage.

– At each stage the data block is divided into a left and a right At each stage the data block is divided into a left and a right segment, the segments are swapped, and one segment is segment, the segments are swapped, and one segment is mixed with subkey for that stage. mixed with subkey for that stage.

– Another name for this type of cipher is a substitution-Another name for this type of cipher is a substitution-permutation (SP) cipher. permutation (SP) cipher.

7


Data Encryption Data Encryption StandardStandard

Data Encryption Data Encryption StandardStandard

In the mid-70’s the US government decided that a In the mid-70’s the US government decided that a powerful standard cipher system was necessary. powerful standard cipher system was necessary.

– The National Bureau of Standards put out a request for the The National Bureau of Standards put out a request for the development of such a cipher. development of such a cipher.

– Several companies went to work and submitted proposals. Several companies went to work and submitted proposals. The winner was IBM with their cipher system called Lucifer.The winner was IBM with their cipher system called Lucifer.

– With some modifications suggested by With some modifications suggested by the National Security the National Security Agency, in 1977, Lucifer became known as the Data Agency, in 1977, Lucifer became known as the Data Encryption Standard or DES. Encryption Standard or DES.

– It has since been replaced by the Advanced Encryption It has since been replaced by the Advanced Encryption Standard (AES) Standard (AES)

8

CClassicallassical &&ontemporyontemporyryptologyryptology Basic StructureBasic StructureBasic StructureBasic Structure

DES works on 64 bit blocks of plaintext using a 56 bit key DES works on 64 bit blocks of plaintext using a 56 bit key to produce 64 bit blocks of ciphertext. to produce 64 bit blocks of ciphertext.

– It is a substitution-permutation cipher with 16 SP stages. It is a substitution-permutation cipher with 16 SP stages.

The key for DES is an arbitrary 56 bit string of The key for DES is an arbitrary 56 bit string of 0’s and 1’s0’s and 1’s

– there are 2there are 25656 possible strings (greater than 10 possible strings (greater than 101616))– often it is given as a 7 letter wordoften it is given as a 7 letter word

DES expands this key to 64 bits by adding 8 DES expands this key to 64 bits by adding 8 additional 0’s and 1’sadditional 0’s and 1’s

– bits 8, 16, 24, 32, 40, 48, 56, and 64 are added so that each 8 bit bits 8, 16, 24, 32, 40, 48, 56, and 64 are added so that each 8 bit block has odd parity (odd number of 1’s)block has odd parity (odd number of 1’s)

– the key is divided, shifted, and shuffled 16 times to form 16 the key is divided, shifted, and shuffled 16 times to form 16 different (but related) subkeys each of which is 48 bits longdifferent (but related) subkeys each of which is 48 bits long

9

CClassicallassical &&ontemporyontemporyryptologyryptology Key GenerationKey GenerationKey GenerationKey Generation

Each of the 16 stages uses a 48 bit Each of the 16 stages uses a 48 bit subkey which is derived from the subkey which is derived from the initial 64 bit key.initial 64 bit key.

– The key passes through a PC-1 block The key passes through a PC-1 block (Permuted Choice 1) which extracts (Permuted Choice 1) which extracts the original 56 bits supplied by the the original 56 bits supplied by the user. user.

– The 56 bits are divided into left and The 56 bits are divided into left and right halves. Each half is shifted left right halves. Each half is shifted left by 1 or 2 bit positions (it varies by 1 or 2 bit positions (it varies depending on the stage). depending on the stage).

– The new 56 bits are compressed The new 56 bits are compressed using PC-2 (Permuted Choice 2) by using PC-2 (Permuted Choice 2) by throwing out 8 bits to create the 48 throwing out 8 bits to create the 48 bit key for the given stage.bit key for the given stage.

64 bit key

PC-1

28 bit C0 28 bit D0

Left Shift Left Shift

28 bit C1 28 bit D1

Left Shift Left Shift

PC-2 K1

10

CClassicallassical &&ontemporyontemporyryptologyryptology DES StagesDES StagesDES StagesDES Stages

Each stage of DES is performs the same set of Each stage of DES is performs the same set of operations using a different subkey acting on operations using a different subkey acting on the output of the previous stage. the output of the previous stage. – Those operations are defined in three “boxes” Those operations are defined in three “boxes”

called the expansion box (Ebox), the substitution called the expansion box (Ebox), the substitution box (Sbox), and the permutation box (Pbox). box (Sbox), and the permutation box (Pbox).

11

CClassicallassical &&ontemporyontemporyryptologyryptology Example StageExample StageExample StageExample Stage

E Box

Left 32 bits Right 32 bits

Key BoxXOR

48 bits

48 bits

56 bits

Key

S Boxes

48 bits

P Box

32 bits

32 bits

XOR

32 bits

32 bits

The E-Box expands (from 32 to 48 bits)and permutates

The E-Box output is XORed withpart of the key

There are 8 S-Boxes and each one accepts6 bits of input and produces 4 bits of output

The P-Box is a simple permutation

Finally, the left side is XORed with theresult and both sides are passed on tothe next round

12

CClassicallassical &&ontemporyontemporyryptologyryptology E-BoxE-BoxE-BoxE-Box

The EBox expands its 32-bit input into 48-bits The EBox expands its 32-bit input into 48-bits by duplicating some of the input bits. by duplicating some of the input bits.

28 29 30 31 32 1

24 25 26 27 28 29

20 21 22 23 24 25

16 17 18 19 20 21

12 13 14 15 16 17

8 9 10 11 12 13

4 5 6 7 8 9

32 1 2 3 4 5

EBox

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

Right 32 bits

Note the duplicationNote the duplication

13

CClassicallassical &&ontemporyontemporyryptologyryptology S-BoxesS-BoxesS-BoxesS-Boxes

The SBoxes are the real source of the power of DES. The SBoxes are the real source of the power of DES. – There are 8 different Sboxes There are 8 different Sboxes

– Each Sbox accepts 6-bits of input and produces 4-bits of Each Sbox accepts 6-bits of input and produces 4-bits of output. output.

– An Sbox has 16 columns and 4 rows where each element An Sbox has 16 columns and 4 rows where each element in the box is a 4-bit block usually given in its decimal in the box is a 4-bit block usually given in its decimal representation. representation.

15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

Column0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Row

0

1

2

3

14


Working with the Working with the S-BoxesS-Boxes

Working with the Working with the S-BoxesS-Boxes

Each 6-bit input to an S-Box is divided into a Each 6-bit input to an S-Box is divided into a row and a column index. row and a column index. – The row index is given by bits 1 and 6 and the bits 2 The row index is given by bits 1 and 6 and the bits 2

to 5 supply the column index.to 5 supply the column index.

– The output of the S-Box is the value stored at the The output of the S-Box is the value stored at the addressed row/columnaddressed row/column

S213 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 5

3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0

1

2

3

Input: 0 1 1 1 1 0 Input: 0 1 1 1 1 0 Column 15Column 15

Row 0Row 0

10

Output: 1 0 1 0 Output: 1 0 1 0

15

CClassicallassical &&ontemporyontemporyryptologyryptology P-BoxP-BoxP-BoxP-Box

After the S-Box operation there are just 32-bits After the S-Box operation there are just 32-bits remaining which are rearranged according to remaining which are rearranged according to the permutation table:the permutation table:

22 11 4 25

19 13 30 6

32 27 3 9

2 8 24 14

5 18 31 10

1 15 23 26

29 12 28 17

16 7 20 21

PBox

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32

SBox Outputs

16

CClassicallassical &&ontemporyontemporyryptologyryptology Final StepFinal StepFinal StepFinal Step

The final operation places the original RHS 32-The final operation places the original RHS 32-bits on the LHS and XORs the original LHS bits on the LHS and XORs the original LHS with the 32-bit output of the Pboxwith the 32-bit output of the Pbox

This process is repeated 16 times using a This process is repeated 16 times using a different subkey each timedifferent subkey each time

17


DES ImplementationsDES ImplementationsDES ImplementationsDES Implementations

DES could be used in any one of the three standard block cipher DES could be used in any one of the three standard block cipher implementation modes: OFM, CBC, or ECB.implementation modes: OFM, CBC, or ECB.

– However DES is no longer a secure cipher. However DES is no longer a secure cipher. – Hence, alternative implementations of DES have been suggested in Hence, alternative implementations of DES have been suggested in

an effort to improve its overall security. The most common is an effort to improve its overall security. The most common is called Triple-DES. called Triple-DES.

– Triple-DES comes in two versions, one uses three keys and the Triple-DES comes in two versions, one uses three keys and the other only uses two keys.other only uses two keys.

The three key version first encrypts the message with Key1, decrypts The three key version first encrypts the message with Key1, decrypts the result with Key2, and finally encrypts that with K3the result with Key2, and finally encrypts that with K3

The two key version uses the same steps where K3 = K1.The two key version uses the same steps where K3 = K1.

EM

Key1

D

Key2

E

Key3

18

CClassicallassical &&ontemporyontemporyryptologyryptology S-DESS-DESS-DESS-DES

S-DES (Simplified-DES) was developed by Dr. S-DES (Simplified-DES) was developed by Dr. Edward Schaefer at Santa Clara University in Edward Schaefer at Santa Clara University in 1996. 1996. – It is simple enough so that you can explore the It is simple enough so that you can explore the

operation of DES and some of its weaknesses. operation of DES and some of its weaknesses.

– It operates on 8-bit data blocks (in other words, It operates on 8-bit data blocks (in other words, single characters) using a 10-bit key (only 2single characters) using a 10-bit key (only 21010 = = 1024 possibilities) and two stages 1024 possibilities) and two stages

19

CClassicallassical &&ontemporyontemporyryptologyryptology S-DES StructureS-DES StructureS-DES StructureS-DES Structure

In spite of the In spite of the simplifications, simplifications, S-DES looks S-DES looks much like our much like our

basic DES.basic DES.

8 bits

Plaintext block

IP

L0 R0

XOR F

L1 R1

XOR F

L2 R2

8 bits

IP-1

Ciphertext block

10 bit key

PC-1

C0 D0

Left Shift 1 bit Left Shift 1 bit

C1 D1

Left Shift 2 bits Left Shift 2 bits

C2 D2

PC-2

PC-2

K1

K2

1 2 3 4 5 6 7 82 6 3 1 4 8 5 7

1 2 3 4 5 6 7 84 1 3 5 7 2 8 6

20

CClassicallassical &&ontemporyontemporyryptologyryptology S-DES S-BoxesS-DES S-BoxesS-DES S-BoxesS-DES S-Boxes

The function F on the prior slide contains an The function F on the prior slide contains an EBox, PBox and 2 SBoxes (much like DES)EBox, PBox and 2 SBoxes (much like DES)

The two S-Boxes are given by:The two S-Boxes are given by:

The input is a 4 bit valueThe input is a 4 bit value

The first and last bitsThe first and last bits define the rowdefine the rowThe middle bits defineThe middle bits define the columnthe column

The output is a 2 bit valueThe output is a 2 bit value

21


S-DES Key GenerationS-DES Key GenerationS-DES Key GenerationS-DES Key Generation

The key generation mechanism begins with a 10-bit key which The key generation mechanism begins with a 10-bit key which is permuted by PC-1 into the order 3 5 2 7 4 10 1 9 8 6. is permuted by PC-1 into the order 3 5 2 7 4 10 1 9 8 6.

It is separated into 2 five bit segments and each segment is left It is separated into 2 five bit segments and each segment is left shift by one bit. shift by one bit.

PC-2 selects and rearranges 8 bits from the two five bit PC-2 selects and rearranges 8 bits from the two five bit segments – the bits in order are 6 3 7 4 8 5 10 9. The result is segments – the bits in order are 6 3 7 4 8 5 10 9. The result is subkey 1. subkey 1.

The two segments are now left shifted twice and PC-2 is The two segments are now left shifted twice and PC-2 is applied again to produce subkey 2.applied again to produce subkey 2.

22

CClassicallassical &&ontemporyontemporyryptologyryptology Status of DESStatus of DESStatus of DESStatus of DES

When IBM first proposed DES it had a 128 bit When IBM first proposed DES it had a 128 bit keykey

– NSA required that the key be reduced to 56 bitsNSA required that the key be reduced to 56 bits

There have been several successful attacks on There have been several successful attacks on DESDES

– June 1997: Using the internet 14,000 to 78,000 computers broke June 1997: Using the internet 14,000 to 78,000 computers broke DES in 90 daysDES in 90 days

– Jan 1998: Using the internet again it only took 39 daysJan 1998: Using the internet again it only took 39 days– July 1998: a $210,000 machine called July 1998: a $210,000 machine called deep crackdeep crack was built and was built and

it broke DES in 56 hoursit broke DES in 56 hours

23

CClassicallassical &&ontemporyontemporyryptologyryptology Avalanche ConditionAvalanche ConditionAvalanche ConditionAvalanche Condition

One of the most important strength criteria is the One of the most important strength criteria is the avalanche condition: avalanche condition: there should be no correlation there should be no correlation between any input bits or key bits and the output bitsbetween any input bits or key bits and the output bits..

– This is important because if someone started trying different This is important because if someone started trying different keys, they should not be able to tell if they are close (within a keys, they should not be able to tell if they are close (within a few bits) to the actual key. few bits) to the actual key.

– There are two versions of the avalanche condition:There are two versions of the avalanche condition: Strict plaintext avalanche criterion (SPAC):Strict plaintext avalanche criterion (SPAC): each bit of the each bit of the

ciphertext block should change with the probability of one half ciphertext block should change with the probability of one half whenever any bit of the plaintext block is complemented. whenever any bit of the plaintext block is complemented.

Strict key avalanche criterion (SKAC.)Strict key avalanche criterion (SKAC.) for a fixed plaintext block, for a fixed plaintext block, each bit of the ciphertext block changes with a probability of one each bit of the ciphertext block changes with a probability of one half when any bit of the key changes.half when any bit of the key changes.

24

CClassicallassical &&ontemporyontemporyryptologyryptology DES ExampleDES ExampleDES ExampleDES Example

Input: ...............................................................*1

Permuted: .......................................*........................ 1

Round 1: .......*........................................................ 1

Round 2: .*..*...*.....*........................*........................ 5

Round 3: .*..*.*.**..*.*.*.*....**.....**.*..*...*.....*................. 18Round 4: ..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....** 28Round 5: *...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*.... 29Round 6: ...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..* 26Round 7: *****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..* Round 8: *.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*... Round 9: ***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...** Round 10: *.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*.. Round 11: ..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...* Round 12: *..***....*...*.*.*.***...****....******......*..******....*.... Round 13: **..*....*..******...*........*.*..***....*...*.*.*.***...****.. Round 14: *.**.*....*.*....**.*...*..**.****..*....*..******...*........*. Round 15: **.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.** Round 16: .*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.* Output: ..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.

block cipher

Documents