
Conventional crypto - Noack

Block ciphers

Structure of a multiround block cipher
Structure of each round
Chaining modes for block ciphers
Differential and linear cryptanalysis


Structure of multiround block ciphers

These are private-key symmetric ciphers – same key for encrypt and decrypt
Each single round must be invertible
Key scheduling rounds do not need to be invertible
If the key is constant from block to block, this is a monoalphabetic cipher, but with a huge alphabet
Strength comes from confusion and diffusion repeatedly applied

[Figure: block diagram with boxes labelled Single round, Key scheduling round and Inverse of single round; signals labelled Key, Plaintext input, Ciphertext out, Ciphertext in and Plaintext output.]


Structure of a single round

Invertible operations can include:
Bitwise exclusive or
Addition modulo blocksize
Galois field (but not conventional) multiplication
Permutation

[Figure: partially encrypted text from the previous round and the key for this round (from the key scheduler) enter a nonfeedback network of invertible operations, which passes partially encrypted text to the next round. Two XOR diagrams are labelled A, K and C.]

Example of an invertible operation: if C = K xor A, then A = K xor C


The Feistel block is a reversible round

[Figure: the Feistel block, drawn twice. Labels: Left half i, Right half i, One-way (nonreversible) block, XOR, Left half i+1, Right half i+1.]

Note:
This block is reversible
The direction of signal flow does not change in the one-way block
The XOR is a reversible device


More on the Feistel block

Characteristics and limitations

Essentially any one-way function can be used – it doesn't have to be reversible

Because the block scrambles only one half of the partial text at a time, it is possibly weaker than other ciphers, but more rounds (typically 16) can be used

The one-way function is half the width of the block, so a 64-bit block can be encrypted efficiently with a 32-bit processor

The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-plaintext attack. With enough rounds, it is usable.


The equations for the Feistel block

Comments

These equations are valid for any Feistel block, regardless of the particular one-way function used

They are the basis for differential and linear cryptanalysis

A large number of present-day ciphers, but not all, use Feistel

The direct transformation
$L_{i+1} = L_i \oplus F(R_i, K_i)$
$R_{i+1} = L_i$

The inverse transformation
$L_i = L_{i+1} \oplus F(L_{i+1}, K_i)$
$R_i = L_{i+1}$

The recurrence relation used in differential cryptanalysis
$L_{i+2} = L_{i+1} \oplus F(L_i, K_i)$


The one-way function for DES

Components
E-box – expansion and permutation
S-box – substitution – a 64 by 4 bit memory or array
P-box – expansion and permutation
E and P boxes were hardwired
S-boxes were in on-chip ROM – 256 bytes per round

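[Figure: the DES one-way function. Input half (32 bits) -> E-box, expand/permute (48 bits) -> 48-bit-wide XOR with the per-stage keyword (48 bits) -> 64x4 S-boxes (6 bits in, 4 bits out each) -> P-box, permute only (32 bits) -> Output half.]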


DES – the Data Encryption Standard

Standardized by NBS (NIST) in mid-1970's

Key length is 56 bits – brute force of $2^{55} = 32 \times 10^{15}$

This size has always been suspect – special-purpose machines to break it have been made for less than $250K.

Original standard required hardware implementation, now almost always done in software

The permutation operations are inefficient in software – the S-boxes are no problem

Suspicion centers on whether the S-boxes contain trapdoors and whether governments and big corporations have built cryptanalysis tools

Cryptanalysis almost certainly yes, trapdoors likely not

Differential crypto was known but not public at development

Standard is still in use as Triple DES – 168-bit keys


Chaining algorithms

ECB (Electronic CodeBook) mode
Basic method
Susceptible to known plaintext if the structure of early blocks is known
Examples are .gif, .jpg and .doc files
Can still be recovered if a block is missing

[Figure: ECB mode. Plaintext blocks P0, P1, P2 ... Pn each pass through their own block encryption to give C0, C1, C2 ... Cn. Session key – same for all blocks.]


ECB and its inverse

[Figure: ECB and its inverse. Forward direction: plaintext blocks P0, P1, P2 ... Pn each pass through a block encryption box to give C0, C1, C2 ... Cn. Inverse: ciphertext blocks C0, C1, C2 ... Cn each pass through the corresponding box to give P0, P1, P2 ... Pn. Session key – same for all blocks.]


Other chaining modes

CBC – Cipher block chaining
CFB – Partial block fed forward each time
OFB – Partial block fed forward, but block is not related to text, just IV
Counter – Counter is encrypted, then result is XORed with plaintext – another stream mode
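
The Feistel slides and the chaining-mode slides, tied together in one added example that is not part of the original deck: a toy 16-round Feistel cipher on 64-bit blocks whose one-way function is a truncated hash, run in ECB and CBC over a constructed message with a repeated header block. It assumes the common labelling in which the right half feeds F and becomes the next left half; the key schedule, `f`, the key, the IV and the message are all made up for illustration.

```python
import hashlib

ROUNDS, HALF = 16, 4   # 16 rounds; 64-bit block split into two 32-bit halves

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key):
    # Toy key schedule (assumption): one-way, never needs to be inverted.
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]

def f(half, k):
    # One-way round function (assumption): a truncated hash, not reversible.
    return hashlib.sha256(half + k).digest()[:HALF]

def encrypt_block(block, key):
    left, right = block[:HALF], block[HALF:]
    for k in round_keys(key):
        left, right = right, xor(left, f(right, k))
    return left + right

def decrypt_block(block, key):
    left, right = block[:HALF], block[HALF:]
    for k in reversed(round_keys(key)):
        # F runs in the same direction as in encryption; only the XOR is undone.
        left, right = xor(right, f(left, k)), left
    return left + right

def split(data):
    return [data[i:i + 2 * HALF] for i in range(0, len(data), 2 * HALF)]

def ecb_encrypt(data, key):
    return b"".join(encrypt_block(b, key) for b in split(data))

def ecb_decrypt(data, key):
    return b"".join(decrypt_block(b, key) for b in split(data))

def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for b in split(data):
        prev = encrypt_block(xor(b, prev), key)   # chain in the previous ciphertext
        out.append(prev)
    return b"".join(out)

# Constructed sample: three 8-byte blocks, the first two identical (a known header).
KEY, IV = b"constructed-key", bytes(range(8))
MSG = b"HEADER00" + b"HEADER00" + b"payload!"

if __name__ == "__main__":
    print("ECB", ecb_encrypt(MSG, KEY).hex(), "\nCBC", cbc_encrypt(MSG, KEY, IV).hex())
```

Running it prints both ciphertexts in hex; the repeated header shows up as two identical 16-digit groups in the ECB line only.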