Download - 18 block ciphers implemented slides
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
New Kid on the BlockPractical Construction of Block Ciphers
Foundations of CryptographyComputer Science Department
Wellesley College
Fall 2016
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Table of contents
Introduction
Substitution-permutation networks
Feistel Networks
The Data Encryption Standard
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Block ciphers
• Recall that block cipher is ane�cient, keyed permutationF : {0, 1}n ⇥ {0, 1}` ! {0, 1}`.
• That is, Fk(x)def= F (k , x) is a
bijection and both it and itsinversion F
�1
k are e�cientlycomputable for all k .
• Here n is the key length and ` isblock length.
*Both the key and block lengths are constant, so we are living in the world of
concrete rather than asymptotic security.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Security requirements for block ciphers
Remark. Concrete security requirements are quite stringent. A blockcipher is generally considered “good” if the best known attack (withoutpreprocessing) has time complexity equivalent to a brute-force attack forthe key. Recall
Definition 3.28. Let F : {0, 1}⇤ ⇥ {0, 1}⇤ ! {0, 1}⇤ an e�cient keyedpermutation. We say that F is a strong pseudorandom permutation if forall probabilistic polynomial-time distinguishers D, there exists a negligiblefunction negl such that:
���Pr[DFk (·),F�1
k (·)(1n) = 1]� Pr[D f (·),f �1
(·)(1n) = 1]��� negl(n),
where k {0, 1}n is chosen uniformly at random and f is chosenuniformly at random from the set of permutations mapping n-bit stringsto n-bit strings.
Remark. Block ciphers are designed (at the very least) to behave as(strong) pseudorandom permutations.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Twin goals of modern encryption
•Confusion: Make the statical relationship between theciphertext and the key value as complex as possible.
•di↵usion: Dissipate the statistical structure of the plaintextthroughout the ciphertext.
• A Substitution-Permutation Network SPN) attempts both;substitution for confusion and permutation for di↵usion.
*Both ideas and promotion of substitution-permutation networks are due to
Claude Shannon.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
A single round of a substitution-permutation network
• We fix a public “substitutionfunction” S called an S-box, andlet the key k define the functionf (x) = S(k � x).
• For example, suppose SPN has a64-bit clock length based on acollection of 8-bit S-boxes,S
1
, . . . , S8
:
1. Key mixing: Set x := x � k .2. Substitution: Set
x := S
1
(x1
) k . . . k S8
(x8
),where xi is the ith byte of x .
3. Permutation: Permute thebits of x to obtain the outputof round.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The full substitution-permutation network
• The output of each round isfed as input to the nextround.
• After the last round there isa final key-mixing step(x := x � k).*
• Di↵erent round keys areused in each round whichare derived from the actualor master key according to akey schedule.
*Since we assume the S-boxes and the mixing permutations are public, without
this final key-mixing the last substitution and permutations steps would be
useless.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Substitution-permutation networks are invertible
Proposition 6.3 Let F be a keyedfunction defined by an SPN inwhich the S-boxes are allpermutations. Then regardlessofthe key schedule and number ofrounds, Fk is a permutation forany k .
Proof. We show that given the
output of the SPN and the key, it
is possible to invert any single
round. The mixing permutation is
clearly invertible and all the
S-box are permutations, so these
too can be inverted. The result is
then XORed with the appropriate
sub-key to obtain the input.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The avalanche e↵ect
The avalanche e↵ect: A smallchange in either the plaintext orthe key produces a significantchange in the ciphertext.One way to induce the avalanchee↵ect in a SPN is to ensure:
1. The S-boxes are designed sothat changing a single inputbit changes at least two bits
in the output.
2. The mixing permutationsare designed so that the theoutput bits an any S-box areused as input to multiple
S-boxes in the next round.
(a) Two plaintexts di↵er by one bit (all
zeros and a one followed by 63 zeros.)
(b) The two keys also di↵er by just one
bit.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
How this works in practice
• Suppose 8-bit S-boxes andand the mixing permutationsare chosen as above for a128-bit block size SPN.
• Now consider two inputsthat di↵er by a single bit.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
LUCIFER
• In the early 1970s, HorstFeistel developed a sequenceof fixed transpositions andkey-dependent, multipartitenon-linear substitutions(LUCIFER) that produced athorough amalgamation.
• In this simplified illustrationof LUCIFER we see a plaintext input of a single 1 andfourteen 0s transformed bythe non-linear S-boxes intoan avalance of eleven 1s.
• Feistel was successfulenough to upset the NSA.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Attacking a one-round substitution-permutation network
• Suppose the SPN F consistsof a single full round and nofinal key-mixing.
• An adversary can easily learnthe secret key k given only asingle input/output pair(x , y = Fk(y)). How?
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Attacking a one-round substitution-permutation networkwith key-mixing
The attacker fixes a pair, (x , y) could simple try all 64-bit possibilities forsecond-round mixing key, k
2
, then use above attack to construct 264candidate keysk
1
k k2
. Additional pairs narrow the fieldBut the attacker can do better:
1. First enumerate over all possiblefirst bytes of k
2
.
2. Then XOR each with of these withthe first byte of y to obtaincandidates for the outputs of thefirst S-box.
3. Backing each of these up throughthe first S-box, the adversary has256 candidates for the the first bitof x � k
1
and hence 256 candidatesfor the first byte of k
1
.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Feistel: An alternative to substitution-permutationnetworks
• A Feistel network gives a way toconstruct invertible functions fromnon-invertible components.
• The goal is a block cipher that hasan “unstructured” behavior”*.Requiring all components to beinvertible inherently introducesstructure.
• Like SPNs, Feistel networks operatein a series of rounds each with akeyed round function constructedfrom S-boxes and permutations.
*So it looks random.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Feistel round functions
• The ith round function, f̂i takes asinput a sub-key ki and an `/2-bitstring and outputs an `/2-bitstring.
• A master key k determines a seriesof round keys ki . The roundfunction fi : {0, 1}`/2 ! {0, 1}`/2 is
defined by fi (R)def= f̂i (ki ,R).
• The output of the ith round(Li ,Ri ) is
Li := Ri�1
and Ri := Li�1
�fi (Ri�1
).
*So it looks random.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Feistel networks are invertible
Proposition 6.4. Let F be akeyed function defined by aFeistel network. Then regardlessof the round functions {f̂i} andthe number of rounds, Fk is ane�ciently invertible permutationfor all k .Proof. We need only show thateach round is invertible if the {fi}are known.Given (Li ,Ri ), we first computeRi�1
:= Li . Then compute
Li�1
= Ri � fiRi � 1).
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The return of LUCIFER
• LUCIFER was redesign as a 16round Feistel network on 128-bitblocks and 128-bit keys and wassubmitted by IBM as a candidatefor the Data Encryption Standard.
• It became DES after the NationalSecurity Agency reduced its blocksize to 64 bits and its key size to56 bits* and was adopted as theFederal Information ProcessingStandard for the US in 1977.
• Believe it or not, it remains in wideuse today in its triple-DESincarnation.
*Which means that it is now vulnerable to brute-force attacks.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The Data Encryption Standard
• DES is a 16-round Feistel networkwith a block length of 64 bits anda key length of 56 bits.
• The same function, f̂ called theDES mangler function, is used forall 16 rounds.
• It takes a 48-bit round key derivedfrom the 56-bit master using arelatively simple key schedule.
• We give a high-level overview ofthe main components of DES. Ahomework exercise is available forthose interested in more details.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The DES mangler function
• Computation of f̂ (ki ,R) withki 2 {0, 1}48 and R 2 {0, 1}32begins by duplicating half the bitsof R to obtain R
0 := E (R), E theexpansion function.
• The expanded R
0 is XORed with k
and the resulting value is dividedinto 8 6-bit-blocks. Each block ispassed through a di↵erent S-box.*
• Finally a mixing permutation isapplied to the bits and it o↵ to thenext round.
*The S-boxes are publicly known, but unlike our previous SPNs, they are not
invertible.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
The DES mangler function
• The eight S-boxes at the core ofthe mangler function were verycarefully designed. Even slightmodification would make DESmore vulnerable to attack.*
• The resulting mangler functionensures the DES exhibits a strongavalanche e↵ect. In fact, theavalanche example above was fromDES.
*The Feistel version of LUCIFER was susceptible to di↵erential cryptanalysis;
for about half the keys, the cipher could be broken with 236 chosen plaintexts
and 236 time complexity. This is one of the reasons NSA redesigned them.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Time to worry: Security of DES
• After 30 years of intensive study, the best known practical attack onDES is exhaustive search.* However, a 56-bit key isn’t very big.
• A second concern is the relatively short bock length of DES. Theproof of security for CTR mode (Theorem 3.32) show that evenwhen a completely random function is used an attacker can break itwith probability 2q2/2` if it obtains q plaintext/ciphertext pairs.
*In your homework you get the chance to investigate some theoretical attack,
but these require a large number of input/output pairs which would be di�cult
to obtain.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Double encryption
• Let F be a block cipher withan n-bit key length and `-bitblock length. Define a newblock cipher with a keylength of 2n by
F
0k1
,k2
(x)def= Fk
2
(Fk1
(x)).
• For the case where F isDES, we obtain a cipher F 0
call 2DES that takes a112-bit key. Exhaustivesearch is now out of reach.
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Meet in the middle attackSay adversary is given a singleinput/output pair (x , y), wherey = F
0k⇤1
,k⇤2
(x) = Fk⇤2
(Fk⇤1
(x)) forunknown k
⇤1
, k⇤2
.
1. For each k
1
2 {0, 1}n computez := Fk
1
(x) and store (z , k1
) in listL.
2. For each k
2
2 {0, 1}n computez := F
�1
k2
(x) and store (z , k2
) inlist L0.
3. Entries (z1
, k1
) 2 L and(z
2
, k2
) 2 L
0 are a match if z1
= z
2
.
The attack takes O(n · 2n) time and requires space O((n + `) · 2n) spaceand finds pairs (k
1
, k2
) with
Fk1
(x) = F
�1
k2
(y).
Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard
Triple DES with two keys
• An obvious counter to themeet-in-the-middle attack is to usethree stages of encryption withthree di↵erent keys.
• As an alternative, Tuchmanproposed a triple encryption usingonly two keys
y = Fk1
(F�1
k2 (Fk1
(x))).
• Triple-DES’s relatively small blocklength and the fact that is slowsince it requires 3 full block-cipheroperations, led to its replacementby the Advanced Encryption
Standard.