1
The Data Encryption Standard
2
Outline
1. Introduction
2. DES
3. Breaking DES
4. Meet-in-the-Middle Attacks
3
1 Introduction
In 1973, NBS, later to become NIST, issued a public request seeking a crypto algo to become a national standard.
In 1974, IBM submitted an algo called LUCIFER.
The NBS forwarded it to NSA, which reviewed it and, after some modifications, returned a version that was essentially the DES.
In 1975, NBS released DES, as well as a free license for its use.
In 1977, NBS made it the official data encryption standard.
4
Introduction
From 1975 on, there has been controversy surrounding DES. Some regarded the key size as too small. Many were worried about NSA’s involvement.
In 1990, Eli Biham and Adi Shamir showed how their method of differential cryptanalysis could be used to attack DES. The DES algo involves 16 rounds; differential cryptanalysis would be more efficient than exhaustively searching all possible keys if the algo used at most 15 rounds.
5
Introduction
The DES has lasted for a long time, but is becoming outdated. Brute force searches, though expensive, can now break the system. Therefore, NIST replaced it with a new system in the year 2000.
The DES is a block cipher; namely, it breaks the plaintext into blocks of 64 bits, and encrypts each block separately.
6
2 DES
Description of DES
DES is a special type of iterated cipher called a Feistel cipher.
In a Feistel cipher, each state ui is divided into two halves of equal length, say Li and Ri.
Round function g: g(Li-1, Ri-1, Ki)=(Li, Ri), where
$L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$.
Invertible:
$L_{i-1} = R_i \oplus f(L_i, K_i)$, $R_{i-1} = L_i$.
7
[Figure: Overview of DES, with one round marked. The plaintext passes through IP to give L0 and R0; each of the 16 rounds applies f with its round key K1, K2, …, K16 (L1=R0, R1=L0 xor f(R0,K1), …, L16=R15, R16=L15 xor f(R15,K16)); IP-1 then produces the ciphertext.]
8
DES
Initial permutation IP: IP(x)=L0R0
Inverse permutation IP-1: y=IP-1(R16L16)
Note L16 and R16 are swapped before IP-1 is applied.
Each Li and Ri is 32 bits in length.
The function $f: \{0,1\}^{32} \times \{0,1\}^{48} \to \{0,1\}^{32}$ takes as input a 32-bit string (the right half of the current state) and a round key.
Key schedule (K1,K2,…,K16) consists of 48-bit round keys that are derived from the 56-bit key, K.
9
IP: Initial Permutation IP-1: Inverse Initial Permutation
10
DES
Suppose we denote the first argument of the function f (Figure A) by A, and the second argument by J.
A is expanded to 48 bits according to a fixed expansion function E.
Compute $E(A) \oplus J$ and write the result as the concatenation of eight 6-bit strings B=B1B2B3B4B5B6B7B8.
The next step uses eight S-boxes (S1,…,S8), $S_i: \{0,1\}^6 \to \{0,1\}^4$.
Given a bitstring of length 6, Bj=b1b2b3b4b5b6, b1b6 determine the row r of Sj, and b2b3b4b5 determine the column c of Sj. We compute Cj=Sj(Bj).
The bitstring C=C1C2C3C4C5C6C7C8 is permuted according to the permutation P. Then f(A,J)=P(C).
11
[Figure A: The DES f function. A (32-bit) is expanded by E to E(A) (48-bit) and XORed with J (48-bit); the result B1 B2 B3 B4 B5 B6 B7 B8 (each Bi 6-bit) passes through S1 S2 S3 S4 S5 S6 S7 S8 to give C1 C2 C3 C4 C5 C6 C7 C8 (each Ci 4-bit), and P yields f(A,J) (32-bit).]
12
S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-boxes (see Example B)
13
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
S-boxes
14
DES
Example B: We show how to compute an output of
S-box S1 with input 101000.
b1b6=10 which is 2
b2b3b4b5=0100 which is 4
Output is row 2 and column 4 of S1.
Note: rows are numbered 0,1,2,3 and columns are 0,1,2,…15
So the output is 13 which is 1101 in binary.
15
DES
The expansion function E is specified by the following table:
If A=(a1,a2,…,a32) then
E(A)=(a32,a1,a2,a3,a4,a5,a4,…,a31,a32,a1).
E bit-selection table
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
16
DES
The permutation P is as follows:
If C=(c1,c2,…,c32) then
P(C)=(c16,c7,c20,c21,c29,…,c11,c4,c25).
P
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
17
DES
Key scheduling:
18
DES
19
3 Breaking DES
The S-boxes, being the non-linear components of the cryptosystem, are vital to its security.
DES was designed to make differential cryptanalysis infeasible.
Differential cryptanalysis was known to IBM when they designed DES, but it was kept secret for almost 20 years until Biham and Shamir invented the technique in the early 1990s.
The most pertinent criticism of DES is that the size of the keyspace, $2^{56}$, is too small.
20
Breaking DES
Many people have tried to design a special-purpose machine to do exhaustive key search.
E.g., the “DES Cracker” contained 1536 chips and could search 88 billion keys per second. It won RSA Laboratory’s “DES Challenge II-2” by successfully finding a DES key in 56 hours.
21
Breaking DES
Other than exhaustive key search, differential cryptanalysis and linear cryptanalysis are the most important attacks (the linear attack is more efficient).
In 1994, Matsui implemented the attack by using $2^{43}$ plaintext-ciphertext pairs with the same key. It took 40 days to generate the pairs and 10 days to find the key.
DES is still secure theoretically due to the extremely large number of pairs required. It is impossible for an adversary to collect that many pairs.
22
Breaking DES
There are two main approaches to achieving increased security.
1. Use DES multiple times – Triple DES
2. Find a new system that employs a larger key size
than 56 bits – AES (Rijndael)
The idea behind multiple DES schemes:
1. Double DES encrypts the plaintext by first encrypting with one key and then encrypting again using a different key. (One might guess that Double DES should double the keyspace to $2^{112}$. However, this is not true! See the meet-in-the-middle attack.)
23
Breaking DES
2. Triple DES (a level of security equivalent to a 112-bit key)
There are two ways Triple DES can be implemented:
(1) Choose three keys, K1, K2, K3 and perform EK1(EK2(EK3(m))).
(2) Choose two keys, K1 and K2, and perform EK1(DK2(EK1(m))).
Both versions of Triple DES are resistant to meet-in-the-middle attacks. However, there are other attacks on (2).
24
4 Meet-in-the-Middle Attacks
Starting with plaintext message m, the ciphertext is
c=Ek2(Ek1(m)). To decrypt, simply compute
m=Dk1(Dk2(c)). Eve will need to discover both k1 and
k2 to decrypt their messages. Does this provide greater
security? No
25
Meet-in-the-Middle Attacks
Assume Eve has intercepted a message m and a doubly
encrypted ciphertext c=Ek2(Ek1(m)). She wants to find
k1 and k2. She first computes and stores Ek(m) for all
possible keys k. She then computes Dk(c) for all
possible keys k. Finally, she compares the two lists. If
there are several matches, she then takes another
plaintext-ciphertext pair and does a further test …
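The two-list comparison described above, run against double encryption with a toy cipher, to show that the work is about 2·2^n cipher operations rather than 2^(2n). This is an added example, not part of the original slides: the 4-round toy Feistel cipher, its 12-bit key size, and the keys and plaintexts are all constructed for illustration.

```python
import hashlib

KEY_BITS = 12  # toy key size (assumption); DES uses 56

def _f(half, key, rnd):
    # Toy round function: one byte of SHA-256 over (half, key, round).
    return hashlib.sha256(bytes([half, key & 0xFF, key >> 8, rnd])).digest()[0]

def enc(key, block):
    # Toy 4-round Feistel cipher on 16-bit blocks (stand-in for E_k).
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 8) | r

def dec(key, block):
    # Inverse of enc (stand-in for D_k): undo the rounds in reverse order.
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 8) | r

def meet_in_the_middle(pairs):
    # pairs: known (m, c) with c = E_k2(E_k1(m)); returns (matches after the
    # first pair, key pairs that survive every further pair).
    (m, c), rest = pairs[0], pairs[1:]
    table = {}
    for k in range(1 << KEY_BITS):            # list 1: E_k(m) for all k
        table.setdefault(enc(k, m), []).append(k)
    matches = [(k1, k2) for k2 in range(1 << KEY_BITS)   # list 2: D_k(c)
               for k1 in table.get(dec(k2, c), [])]
    first = len(matches)
    for m2, c2 in rest:                       # further test on extra pairs
        matches = [(a, b) for a, b in matches if enc(b, enc(a, m2)) == c2]
    return first, matches

def demo():
    k1, k2 = 0x3A7, 0xC15                     # constructed secret keys
    msgs = [0x1234, 0xBEEF, 0x0F0F]           # constructed plaintexts
    pairs = [(m, enc(k2, enc(k1, m))) for m in msgs]
    return (k1, k2), meet_in_the_middle(pairs)
```

The stored table is the price of the speed-up: one entry per key, which is the memory requirement that makes the same procedure against real Double DES a storage problem as much as a time problem.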