block cipher & the data encryption standard · block cipher & the data encryption standard...

BLOCK CIPHER & THE DATA

ENCRYPTION STANDARD

Tran Song Dat Phuc

Department of Computer Science

Seoul National University of Science and Technology

2013-2014

Outline

Stream Cipher

Block Cipher

The Feistel Cipher Structure

The Data Encryption Standard (DES)

Security of DES

Block Cipher Design Principles

Summary

Stream Cipher

A stream cipher is one that encrypts a digital

data stream one bit or one byte at a time.

Stream Cipher

The stream cipher encrypts the plaintext to

produce the ciphertext, in which a cryptographic

key and algorithm are applied to each binary

digit in a data stream, one bit at a time.

To meet the need of producing the keystream

for independence and secure channel, the bit-

stream generator is implemented for both users.

The two users share the generating key, and each

can produce the keystream.

Block Cipher

A block cipher is one in which a block of

plaintext is treated as whole and produce a

ciphertext block of equal length.

A block are typically 64 or 128 bits.

As with a stream cipher, the two uses share a

symmetric encryption key.

A block of multiple bits are enciphered each time.

In some modes of operation (CFB, OFB, CTR), a

block cipher can be used to achieve the same

effect as a stream cipher.

Block Cipher

The block cipher encrypts a block of plaintext or

message m into a block of ciphertext c due to a

secret key k.

Block Cipher

The encryption process is denoted as:

c = ENCk(m)

The decryption has reversed the encryption

process, which use the same user-supplied key.

m = DECk(c)

Block Cipher

A block cipher has two important parameters:

- Block size b: determines the space of all possible

permutations that a block cipher might conceivable.

- Key size k: determines the number of permutations

that are actually generated.

With a key, a b-bit block cipher maps 2b b-bit inputs

onto the same 2b outputs.

Block Cipher

In the block cipher, substitution and permutation

are two main properties.

The mix of them is an important component of

most block cipher designs.

Most block cipher contain vary kinds of combination

of substitution and permutation.

Block Cipher

Substitution: Each plaintext element or group of

elements is uniquely replaced by a corresponding

ciphertext element or group of elements.

Permutation: A sequence of plaintext elements

is replaced by a permutation. No elements are

added or deleted or replaced, just the order of

the elements is changed.


Substitution: often use to provide confusion

with cipher.

- Designed around an arithmetic function, such as

integer addition or integer multiplication.

- Typically, substitution is achieved with a suitably

designed, such as S-boxes.

- S-boxes is designed carefully which have specific

security properties, functions and can operate

quickly in practice.


Permutation: often use to provide a good diffusion

in a cipher.

- Often performed at a bit level; individual bits can be

moved into a new ordering.

- At the downside, bit level permutation can slow

down the performance of cipher; cause manipulating

individual bit is complex and not easy to operate.

Block Cipher

The ideal block cipher

Block Cipher

The ideal block cipher allows for the maximum

number of possible encryption mappings from

the plaintext block.

But it is really good, really perfect ???

If the size of the block is small (ex. n = 4)

vulnerable to statistical analysis of plaintext

The large block size is not practical, consider

the key size

for an n-bit ideal block cipher, the length of

key is n x 2n bits

Block Cipher

For a 64-bit block, to thwart statistical attack, it

needs 64 x 264 = 270 ≈ 1021 bits

impossible.

Is there a feasible way (related in block size and

key size) to make a stronger cipher block ???


Feistel develops a block cipher with key size k-

bits and block length of b-bits, has 2k possible

keys and each key specifies a permutation of 2b

input.

The Feistel cipher refers to the conceptions of

diffusion and confusion of Claude Shannon.


Two terms of confusion and diffusion that aim to

build a good block cipher, is introduced in 1949 by

Claude Shannon.

- Confusion: to make the relation between the

cipher-text and the key becomes very complex and

involved one.

- Diffusion: the statistical structure of the plaintext

is dissipated by long-range statistics of the cipher-

text (to make the relation between the plaintext

and cipher-text becomes complex and unable to

exploit).


S-P Network of Shannon

- Consist of the repeated application of

carefully chosen substitutions, permutations

and key materials.

- Key schedule (KS): present a series of

round keys to each round of encryption;

these round keys are computed from user

supplied encryption key.


The Feistel Network based on some features

and design parameters:

- Block size: Larger block sizes means greater security,

but reduce the speed of encryption / decryption. (64bits)

- Key size: Larger key size means greater security, but

also decrease the encryption / decryption speed. (128bits)

- Number of rounds: The multiple rounds offer

increasing security. (16 rounds)

- Subkey generation algorithm: Greater complexity lead

to greater difficulty of cryptanalysis.

- Round function F: greater complexity means greater

resistance to cryptanalysis.


Plaintext block of length 2w-bits

Key K, subkey Ki

Two halves Li and Ri

16 rounds is used.


Feistel Encryption Algorithm:

- The input plaintext block is divided into two halves L0

and R0 , that pass through n rounds of processing and then

combined to produce the ciphertext block.

- Each round i has as input Li-1 and Ri-1 from previous

round, with the subkey Ki from the overall K.

- The substitution is performed on the left half of data.

- A round function F is applied to the right half of data.

- It is done by taking the X-OR operation between the

output of function F and the left half of data.

- The permutation is performed through the interchange

of the two halves of data.

All rounds have the same structure.


Feistel Decryption Algorithm: - The process of the Feistel’s decryption is the same as

the encryption process, in reverse order of subkey Ki.

- The input ciphertext use Kn in the first round, Kn-1 in

the second until K1 in the last round.

Data Encryption Standard (DES)

DES (Data Encryption Standard) is a block cipher

which most widely used in world.

Adopted in 1977 by NBS (now is NIST)

Encrypts 64 bits block using 56 bits key.

DES is an example of a Feistel cipher.

DES

DES with round function components;

the bit expansion E, the S-boxes S and the

bit permutation P.

- DES has 16rounds and user supplied key

is 56bits (k = 56).

- Initial Permutation(IP) has 64bit input

block, happen only once before first round.

- IP-1 use to maintain the property that

encryption network can be reused for

decryption.

Initial Permutation(IP) Suggests how the transposition in IP should proceed.

The IP replaces the 1st bit of the plaintext block with the 58th bit of the original plaintext block, the 2nd bit with the 50th bit and so on.

DES IP and its inverse IP-1

Round Function

Each iteration of round function takes 32-bit inputs

and returns 32-bits output.

- 32-bit input is expanded to 48-bit by the bit

expansion E.

- Processed 48-bit is combined with round key.

- 48 bits that result, then, are split into 8 groups of 6

bits, input to 8 different S-boxes. Each S-box returns

4 bits which concatenated with others, will give a 32-

bits result.

- 32-bit received is applied by bit-level permutation P,

after all, provide a 32-bit output from round function.

Round Function

Key Transformation

Round Key Process

64-bit

Key

56-bit

Key split

28-bit left

semikey

28-bit right

semikey

shift

shift

28-bit shifted

left semi-key

28-bit shifted

right semi-key

Compression

Permutation 48-bit

semi-key

Remove parity

bit

Key Transformation

The Initial Key consists of 64 bits.

Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key.

Bit positions (8, 16, 24, 32, 40, 48, 56, 64) are discarded.

These bits can be used for parity checking to ensure that the key does not contain any error.

Key Transformation

Remove parity bit (64 bits -> 56 bits)

Key Transformation

For each round, 56 bit key is available

From this 56 bit key, a different 48-bit sub key is

generated during each round using a process

called as Key Transformation

In this method, a 56 bit key is divided into two

halves, each of 28 bits

These halves are circularly shifted by 1 or 2

positions, depending on the round

Key Transformation Permutation on 56 bits key

Number of key bit shift

Key Transformation

Round 1 – Key bit shift

Key Transformation

Compression Permutation : the Key Transformation

process involves permutation as well as selection of

a 48 bits sub-set of the original 56-bit key.

* 18 bits number is discarded.

Expansion Permutation

The RPT is expanded from 32 bits to 48 bits.

The RPT is divided into 8 blocks, with each

block consists of 4 bits.

For per 4-bit block, 2 more bits are added.

Expansion Permutation Division of 32 bit RPT into Eight 4-bits block

RPT Expansion Process

Expansion Permutation

Expansion Permutation (48bits)

The S-Boxes After 48-bits expansion combine with 48-bits key

(XOR operation), the 48-bits output is split into 8

S-Boxes.

8 S-Boxes are different, each S-Box takes a 6 bits

input and returns a 4-bits output. Eight 4-bits will

concatenate together, then give 32-bits result.

The S-box consists of 4rows labeled p0 to p3. Each

row represents a permutation {0, …, 15}.

The S-Boxes DES S-Boxes in Hexadecimal Notation

The S-Boxes

The 6-bits input is split into two parts:

- The outer 2 bits are use to choose a row of S-box.

- The inner 4 bits are use to pick a column of S-box.

Ex: 6bits input to S-box 5 is 001101

. The 2 outer bits is 01 (row p1).

. The 4 inner bits is 0110 (column 6).

. The entry in S-box 5 row p1, column 6 is d in

hexadecimal notation, convert to binary as an output.

S5[001101] = 1101

The P-Box Permutation

The 32-bits output of S-box is permuted by P-Box.

P-Box Table

Ex: Input S(B) = 0101 1100 1000 0010 1011 0101 1001 0111

Output P(B) = 0010 0011 0100 1010 1010 1001 1011 1011

XOR and Swap

DES The Avalanche Effect:

- A change in one bit of either the plaintext or the key

should produce a change in many bits of the ciphertext.

DES Design Criteria

S-Box: this design provide confusion and

diffusion of bits from each round to the next.

P-Box: this design provide diffusion of bits.

Number of Rounds: DES use 16 rounds of

Feistel Cipher. The cipher-text is thoroughly a

random function of plaintext and cipher-text.

DES Weakness Weakness in S-Box:

- Two specifically chosen inputs to an S-Box can

create same output.

Weakness in P-Box:

- Initial and final permutations have no security

benefit.

- The first and fourth bits of every 4-bits are repeated.

Weakness in Key:

- Weak keys create same 16 round keys.

- Semi-weak keys create only 2 different round keys.

- Possible weak keys create 4 distinct round keys.

- Key complement.

Weakness in Key There are 4 weak keys of DES.

After parity-bit drop operation, a key consist either

of all 0s, all 1s, or half 0s and half 1s.

Weak key create same 16 round key.

Ex: Encrypt a plaintext block 2 times with a same key

Weakness in Key

Semi-weak key of DES create only 2 different round

keys.

Weakness in Key

Semi-weak key of DES

Weakness in Key

DES uses 56-bits key means there are 256 possible key.

In the key domain (256), definitely half of the keys are

complement of the other half.

The key complement can be made by inverting(changing

0 to 1 or 1 to 0) each bit in the key.

If we encrypt the complement of the text with the

complement of the key, we can get the complement of

the cipher-text. Do not test all 256 key, we just need to

test half of them and complement the result.

Cryptanalysis

A good block cipher is one for which the best

attack is an exhaustive search.

The time required to exhaust all possible keys is

the time to perform all 2k encryption operations

During exhaustive search, the keys are often

changed to tighten the security.

Security Of DES

The Use of 56-bit key:

- Key length 56 bits, there are 256 possible keys

→ thwart brute-force attack (even if just half of key space

to be searched)

- But with the development of super-computer afterwards,

DES show definitively insecure.

. 1977, Diffie and Hellman created a machine which can

break DES in about 10hours, cost $20 millions.

. 1998, Electronic Frontier Foundation(EFF) with the “DES

Cracker” machine broke DES less than 3days, just cost

$250.000.

- Some alternatives of DES (AES, triple DES) give stronger

security.

Security Of DES

The Nature of DES Algorithm:

- The design of S-Boxes (8 substitution tables)

- Until now, no one has so far succeeded in discovering

the weaknesses in the S-Boxes.

Timing Attacks:

- A timing attack is one in which information about the

key or the plaintext is obtained by observing how long

does it takes a implementation to perform decryptions on

various ciphertexts.

- Encryption and decryption algorithm takes slightly

different amounts of time on different inputs.

- DES appears to be fairly resistant to this attack.

Security Of DES

Differential Cryptanalysis:

- Differential cryptanalysis exploits the high probability of

certain occurrences of plaintext differences and differences

into the last round of the cipher.

- Design S-Boxes and 16 rounds aim to make DES specifically

resistant to this type of attack.

- The scheme can successfully cryptanalyze DES with an

effort on the order 247 chosen plaintexts.

Security Of DES

Linear cryptanalysis:

- Linear cryptanalysis tries to take advantage of high

probability of linear expressions involving plaintext bits,

ciphertext bits and subkey bits.

- DES is easier to be attacked by linear cryptanalysis than

by differential cryptanalysis.

- S-boxes are not very resistant to linear cryptanalysis.

DES can be broken by using 243 pairs known plaintexts.

- Cause finding so many pairs is very unlikely, this attack

still leaves infeasible as an attack of DES.

Security Of DES

The size of the key space, 256, is “too small” to be

really secure.

Brute-Force Attack:

- Combining short cipher key in DES with the key

complement weakness, it is clear that DES can be

broken using average 255 encryptions.


DES Design Criteria:

- S-Boxes design provides good confusion properties to

thwart differential cryptanalysis.

- P-Function design increases diffusion of the algorithm

for DES.

Number of rounds:

- The greater the number of rounds, the more difficult it

is to perform cryptanalysis.

- This criterion are intended to frustrate the brute-force

attack.

- The strength of any algorithm that satisfies the criterion

can be judged solely on key length.


Design of Function F:

- The function F provides the element of confusion in a

cipher block.

- The more nonlinear F, the more difficult any type of

cryptanalysis will be.

- Function F also offers the good avalanche properties.

S-Boxes Design:

- Any change to the input vector to an S-Box to result in

random-looking changes to the output.

- Larger S-Boxes, by and large, are more resistant to

differential and linear cryptanalysis.


Key Schedule Algorithm:

- The key is used to generate one subkey for each round.

- Select subkeys to maximize the difficulty of deducing

individual subkeys and the difficulty of working back to the

main key.

Summary

Block cipher is an Enc/ Dec scheme in which a

block of cipher is treated as a whole and produce

the ciphertext block of equal length.

The Data Encryption Standard (DES) has been the

most widely used Enc algorithm until recently.

DES uses 64-bits length and 56-bits key size.

Two methods of cryptanalysis - differential and

linear cryptanalysis - are showed infeasible attacks

on DES.

block cipher & the data encryption standard · block cipher & the data encryption standard...

Documents