BLOCK CIPHER & THE DATA ENCRYPTION STANDARD · BLOCK CIPHER & THE DATA ENCRYPTION STANDARD ......
Transcript of BLOCK CIPHER & THE DATA ENCRYPTION STANDARD · BLOCK CIPHER & THE DATA ENCRYPTION STANDARD ......
BLOCK CIPHER & THE DATA
ENCRYPTION STANDARD
Tran Song Dat Phuc
Department of Computer Science
Seoul National University of Science and Technology
2013-2014
Outline
Stream Cipher
Block Cipher
The Feistel Cipher Structure
The Data Encryption Standard (DES)
Security of DES
Block Cipher Design Principles
Summary
Stream Cipher
A stream cipher is one that encrypts a digital
data stream one bit or one byte at a time.
Stream Cipher
The stream cipher encrypts the plaintext to
produce the ciphertext, in which a cryptographic
key and algorithm are applied to each binary
digit in a data stream, one bit at a time.
To meet the need of producing the keystream
for independence and secure channel, the bit-
stream generator is implemented for both users.
The two users share the generating key, and each
can produce the keystream.
Block Cipher
A block cipher is one in which a block of
plaintext is treated as whole and produce a
ciphertext block of equal length.
A block are typically 64 or 128 bits.
As with a stream cipher, the two uses share a
symmetric encryption key.
A block of multiple bits are enciphered each time.
In some modes of operation (CFB, OFB, CTR), a
block cipher can be used to achieve the same
effect as a stream cipher.
Block Cipher
The block cipher encrypts a block of plaintext or
message m into a block of ciphertext c due to a
secret key k.
Block Cipher
The encryption process is denoted as:
c = ENCk(m)
The decryption has reversed the encryption
process, which use the same user-supplied key.
m = DECk(c)
Block Cipher
A block cipher has two important parameters:
- Block size b: determines the space of all possible
permutations that a block cipher might conceivable.
- Key size k: determines the number of permutations
that are actually generated.
With a key, a b-bit block cipher maps 2b b-bit inputs
onto the same 2b outputs.
Block Cipher
In the block cipher, substitution and permutation
are two main properties.
The mix of them is an important component of
most block cipher designs.
Most block cipher contain vary kinds of combination
of substitution and permutation.
Block Cipher
Substitution: Each plaintext element or group of
elements is uniquely replaced by a corresponding
ciphertext element or group of elements.
Permutation: A sequence of plaintext elements
is replaced by a permutation. No elements are
added or deleted or replaced, just the order of
the elements is changed.
The Feistel Cipher Structure
Substitution: often use to provide confusion
with cipher.
- Designed around an arithmetic function, such as
integer addition or integer multiplication.
- Typically, substitution is achieved with a suitably
designed, such as S-boxes.
- S-boxes is designed carefully which have specific
security properties, functions and can operate
quickly in practice.
The Feistel Cipher Structure
Permutation: often use to provide a good diffusion
in a cipher.
- Often performed at a bit level; individual bits can be
moved into a new ordering.
- At the downside, bit level permutation can slow
down the performance of cipher; cause manipulating
individual bit is complex and not easy to operate.
Block Cipher
The ideal block cipher
Block Cipher
The ideal block cipher allows for the maximum
number of possible encryption mappings from
the plaintext block.
But it is really good, really perfect ???
If the size of the block is small (ex. n = 4)
vulnerable to statistical analysis of plaintext
The large block size is not practical, consider
the key size
for an n-bit ideal block cipher, the length of
key is n x 2n bits
Block Cipher
For a 64-bit block, to thwart statistical attack, it
needs 64 x 264 = 270 ≈ 1021 bits
impossible.
Is there a feasible way (related in block size and
key size) to make a stronger cipher block ???
The Feistel Cipher Structure
Feistel develops a block cipher with key size k-
bits and block length of b-bits, has 2k possible
keys and each key specifies a permutation of 2b
input.
The Feistel cipher refers to the conceptions of
diffusion and confusion of Claude Shannon.
The Feistel Cipher Structure
Two terms of confusion and diffusion that aim to
build a good block cipher, is introduced in 1949 by
Claude Shannon.
- Confusion: to make the relation between the
cipher-text and the key becomes very complex and
involved one.
- Diffusion: the statistical structure of the plaintext
is dissipated by long-range statistics of the cipher-
text (to make the relation between the plaintext
and cipher-text becomes complex and unable to
exploit).
The Feistel Cipher Structure
S-P Network of Shannon
- Consist of the repeated application of
carefully chosen substitutions, permutations
and key materials.
- Key schedule (KS): present a series of
round keys to each round of encryption;
these round keys are computed from user
supplied encryption key.
The Feistel Cipher Structure
The Feistel Network based on some features
and design parameters:
- Block size: Larger block sizes means greater security,
but reduce the speed of encryption / decryption. (64bits)
- Key size: Larger key size means greater security, but
also decrease the encryption / decryption speed. (128bits)
- Number of rounds: The multiple rounds offer
increasing security. (16 rounds)
- Subkey generation algorithm: Greater complexity lead
to greater difficulty of cryptanalysis.
- Round function F: greater complexity means greater
resistance to cryptanalysis.
The Feistel Cipher Structure
Plaintext block of length 2w-bits
Key K, subkey Ki
Two halves Li and Ri
16 rounds is used.
The Feistel Cipher Structure
Feistel Encryption Algorithm:
- The input plaintext block is divided into two halves L0
and R0 , that pass through n rounds of processing and then
combined to produce the ciphertext block.
- Each round i has as input Li-1 and Ri-1 from previous
round, with the subkey Ki from the overall K.
- The substitution is performed on the left half of data.
- A round function F is applied to the right half of data.
- It is done by taking the X-OR operation between the
output of function F and the left half of data.
- The permutation is performed through the interchange
of the two halves of data.
All rounds have the same structure.
The Feistel Cipher Structure
Feistel Decryption Algorithm: - The process of the Feistel’s decryption is the same as
the encryption process, in reverse order of subkey Ki.
- The input ciphertext use Kn in the first round, Kn-1 in
the second until K1 in the last round.
Data Encryption Standard (DES)
DES (Data Encryption Standard) is a block cipher
which most widely used in world.
Adopted in 1977 by NBS (now is NIST)
Encrypts 64 bits block using 56 bits key.
DES is an example of a Feistel cipher.
DES
DES with round function components;
the bit expansion E, the S-boxes S and the
bit permutation P.
- DES has 16rounds and user supplied key
is 56bits (k = 56).
- Initial Permutation(IP) has 64bit input
block, happen only once before first round.
- IP-1 use to maintain the property that
encryption network can be reused for
decryption.
Initial Permutation(IP) Suggests how the transposition in IP should proceed.
The IP replaces the 1st bit of the plaintext block with the 58th bit of the original plaintext block, the 2nd bit with the 50th bit and so on.
DES IP and its inverse IP-1
Round Function
Each iteration of round function takes 32-bit inputs
and returns 32-bits output.
- 32-bit input is expanded to 48-bit by the bit
expansion E.
- Processed 48-bit is combined with round key.
- 48 bits that result, then, are split into 8 groups of 6
bits, input to 8 different S-boxes. Each S-box returns
4 bits which concatenated with others, will give a 32-
bits result.
- 32-bit received is applied by bit-level permutation P,
after all, provide a 32-bit output from round function.
Round Function
Key Transformation
Round Key Process
64-bit
Key
56-bit
Key split
28-bit left
semikey
28-bit right
semikey
shift
shift
28-bit shifted
left semi-key
28-bit shifted
right semi-key
Compression
Permutation 48-bit
semi-key
Remove parity
bit
Key Transformation
The Initial Key consists of 64 bits.
Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key.
Bit positions (8, 16, 24, 32, 40, 48, 56, 64) are discarded.
These bits can be used for parity checking to ensure that the key does not contain any error.
Key Transformation
Remove parity bit (64 bits -> 56 bits)
Key Transformation
For each round, 56 bit key is available
From this 56 bit key, a different 48-bit sub key is
generated during each round using a process
called as Key Transformation
In this method, a 56 bit key is divided into two
halves, each of 28 bits
These halves are circularly shifted by 1 or 2
positions, depending on the round
Key Transformation Permutation on 56 bits key
Number of key bit shift
Key Transformation
Round 1 – Key bit shift
Key Transformation
Compression Permutation : the Key Transformation
process involves permutation as well as selection of
a 48 bits sub-set of the original 56-bit key.
* 18 bits number is discarded.
Expansion Permutation
The RPT is expanded from 32 bits to 48 bits.
The RPT is divided into 8 blocks, with each
block consists of 4 bits.
For per 4-bit block, 2 more bits are added.
Expansion Permutation Division of 32 bit RPT into Eight 4-bits block
RPT Expansion Process
Expansion Permutation
Expansion Permutation (48bits)
The S-Boxes After 48-bits expansion combine with 48-bits key
(XOR operation), the 48-bits output is split into 8
S-Boxes.
8 S-Boxes are different, each S-Box takes a 6 bits
input and returns a 4-bits output. Eight 4-bits will
concatenate together, then give 32-bits result.
The S-box consists of 4rows labeled p0 to p3. Each
row represents a permutation {0, …, 15}.
The S-Boxes DES S-Boxes in Hexadecimal Notation
The S-Boxes
The 6-bits input is split into two parts:
- The outer 2 bits are use to choose a row of S-box.
- The inner 4 bits are use to pick a column of S-box.
Ex: 6bits input to S-box 5 is 001101
. The 2 outer bits is 01 (row p1).
. The 4 inner bits is 0110 (column 6).
. The entry in S-box 5 row p1, column 6 is d in
hexadecimal notation, convert to binary as an output.
S5[001101] = 1101
The P-Box Permutation
The 32-bits output of S-box is permuted by P-Box.
P-Box Table
Ex: Input S(B) = 0101 1100 1000 0010 1011 0101 1001 0111
Output P(B) = 0010 0011 0100 1010 1010 1001 1011 1011
XOR and Swap
DES
DES The Avalanche Effect:
- A change in one bit of either the plaintext or the key
should produce a change in many bits of the ciphertext.
DES
DES Design Criteria
S-Box: this design provide confusion and
diffusion of bits from each round to the next.
P-Box: this design provide diffusion of bits.
Number of Rounds: DES use 16 rounds of
Feistel Cipher. The cipher-text is thoroughly a
random function of plaintext and cipher-text.
DES Weakness Weakness in S-Box:
- Two specifically chosen inputs to an S-Box can
create same output.
Weakness in P-Box:
- Initial and final permutations have no security
benefit.
- The first and fourth bits of every 4-bits are repeated.
Weakness in Key:
- Weak keys create same 16 round keys.
- Semi-weak keys create only 2 different round keys.
- Possible weak keys create 4 distinct round keys.
- Key complement.
Weakness in Key There are 4 weak keys of DES.
After parity-bit drop operation, a key consist either
of all 0s, all 1s, or half 0s and half 1s.
Weak key create same 16 round key.
Ex: Encrypt a plaintext block 2 times with a same key
Weakness in Key
Semi-weak key of DES create only 2 different round
keys.
Weakness in Key
Semi-weak key of DES
Weakness in Key
DES uses 56-bits key means there are 256 possible key.
In the key domain (256), definitely half of the keys are
complement of the other half.
The key complement can be made by inverting(changing
0 to 1 or 1 to 0) each bit in the key.
If we encrypt the complement of the text with the
complement of the key, we can get the complement of
the cipher-text. Do not test all 256 key, we just need to
test half of them and complement the result.
Cryptanalysis
A good block cipher is one for which the best
attack is an exhaustive search.
The time required to exhaust all possible keys is
the time to perform all 2k encryption operations
During exhaustive search, the keys are often
changed to tighten the security.
Security Of DES
The Use of 56-bit key:
- Key length 56 bits, there are 256 possible keys
→ thwart brute-force attack (even if just half of key space
to be searched)
- But with the development of super-computer afterwards,
DES show definitively insecure.
. 1977, Diffie and Hellman created a machine which can
break DES in about 10hours, cost $20 millions.
. 1998, Electronic Frontier Foundation(EFF) with the “DES
Cracker” machine broke DES less than 3days, just cost
$250.000.
- Some alternatives of DES (AES, triple DES) give stronger
security.
Security Of DES
The Nature of DES Algorithm:
- The design of S-Boxes (8 substitution tables)
- Until now, no one has so far succeeded in discovering
the weaknesses in the S-Boxes.
Timing Attacks:
- A timing attack is one in which information about the
key or the plaintext is obtained by observing how long
does it takes a implementation to perform decryptions on
various ciphertexts.
- Encryption and decryption algorithm takes slightly
different amounts of time on different inputs.
- DES appears to be fairly resistant to this attack.
Security Of DES
Differential Cryptanalysis:
- Differential cryptanalysis exploits the high probability of
certain occurrences of plaintext differences and differences
into the last round of the cipher.
- Design S-Boxes and 16 rounds aim to make DES specifically
resistant to this type of attack.
- The scheme can successfully cryptanalyze DES with an
effort on the order 247 chosen plaintexts.
Security Of DES
Linear cryptanalysis:
- Linear cryptanalysis tries to take advantage of high
probability of linear expressions involving plaintext bits,
ciphertext bits and subkey bits.
- DES is easier to be attacked by linear cryptanalysis than
by differential cryptanalysis.
- S-boxes are not very resistant to linear cryptanalysis.
DES can be broken by using 243 pairs known plaintexts.
- Cause finding so many pairs is very unlikely, this attack
still leaves infeasible as an attack of DES.
Security Of DES
The size of the key space, 256, is “too small” to be
really secure.
Brute-Force Attack:
- Combining short cipher key in DES with the key
complement weakness, it is clear that DES can be
broken using average 255 encryptions.
Block Cipher Design Principles
DES Design Criteria:
- S-Boxes design provides good confusion properties to
thwart differential cryptanalysis.
- P-Function design increases diffusion of the algorithm
for DES.
Number of rounds:
- The greater the number of rounds, the more difficult it
is to perform cryptanalysis.
- This criterion are intended to frustrate the brute-force
attack.
- The strength of any algorithm that satisfies the criterion
can be judged solely on key length.
Block Cipher Design Principles
Design of Function F:
- The function F provides the element of confusion in a
cipher block.
- The more nonlinear F, the more difficult any type of
cryptanalysis will be.
- Function F also offers the good avalanche properties.
S-Boxes Design:
- Any change to the input vector to an S-Box to result in
random-looking changes to the output.
- Larger S-Boxes, by and large, are more resistant to
differential and linear cryptanalysis.
Block Cipher Design Principles
Key Schedule Algorithm:
- The key is used to generate one subkey for each round.
- Select subkeys to maximize the difficulty of deducing
individual subkeys and the difficulty of working back to the
main key.
Summary
Block cipher is an Enc/ Dec scheme in which a
block of cipher is treated as a whole and produce
the ciphertext block of equal length.
The Data Encryption Standard (DES) has been the
most widely used Enc algorithm until recently.
DES uses 64-bits length and 56-bits key size.
Two methods of cryptanalysis - differential and
linear cryptanalysis - are showed infeasible attacks
on DES.