Data Encryption Standard (DES) - Departamento de...

Códigos y Criptografía, Francisco Rodríguez Henríquez

Source: delta.cs.cinvestav.mx/~francisco/cripto/des.pdf


Overview

• Classical Cryptography
  – Simple Cryptosystems
  – Cryptanalysis of Simple Cryptosystems

• Shannon’s Theory of Secrecy

• Modern Encryption Systems: DES, AES, RSA.

• Signature Scheme(s)


Cryptosystem

A cryptosystem is a five-tuple (P, C, K, E, D), where the following are satisfied:

1. P is a finite set of possible plaintexts.
2. C is a finite set of possible ciphertexts.
3. K, the key space, is a finite set of possible keys.
4. ∀K∈K, ∃E_K∈E (encryption rule), ∃D_K∈D (decryption rule).
   Each E_K: P→C and D_K: C→P are functions such that ∀x∈P, D_K(E_K(x)) = x.


Notation

• Alphabet {0, 1} (bits)
• Plaintext and ciphertext ∈ {0, 1}*
• New operation: XOR (EXOR, ⊕)

  0 ⊕ 0 = 0, 1 ⊕ 1 = 0,
  0 ⊕ 1 = 1, 1 ⊕ 0 = 1,

  bitwise addition modulo 2.


Data Encryption Standard (DES)

• Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA)

• First call for candidates in May 73, followed by a new call in August 74

• Not very many submissions (Why?)
  – IBM submitted Lucifer

• NSA worked with IBM in redesigning the algorithm


Data Encryption Standard (DES)

• 1973, NBS solicits proposals for cryptosystems for “unclassified” documents.

• 1974, NBS repeats request.
  IBM responds with modification of LUCIFER.
  NBS asks NSA to evaluate.
  IBM holds patent for DES.

• 1975, details of the algorithm published, public discussion begins.

• 1976, adopted as a standard for all unclassified government communications.


• 1983, no problem.
• 1987, passed, but
  – NSA says that DES soon will be vulnerable to brute-force attack. This is the last time.
  – Business lobbies to keep it, since they had so much invested.
• 1993, still passed (no alternatives).
• 1997, call for proposals: AES.


• Originally designed to be efficient in hardware (4 bit was the norm in 1974).
• A LOT of money has been invested in hardware.
• First publicly available algorithm certified by NSA as secure. Certificate to be renewed every 5 years.


DES

• DES became a federal standard in November 76
  – NBS (NIST) hardware standard in January 77
  – ANSI X3.92-1981 (hardware + software)
  – ANSI X3.106-1983 (modes of operation)
  – Australia AS2805.5-1985

• Used in most EFT and EFTPOS from banking industry
  – It was reconfirmed as a standard for 5 years twice
  – Currently 3DES is recommended


• DES has proven to be a well-designed code
• 56 bits has been proven inadequate
  – EFF built a cracker for around $200,000
  – Increase the key to 112 bits?
• The best way known to cryptanalyze DES is (after brute force) the differential analysis
  – NSA knew this from the design??


DES

• Uses Feistel principle

• Many similarities with Lucifer

• Improves on the S-Boxes


DES

• It operates on 64-bit blocks with 56-bit keys

• Uses 16 rounds, each round computed by a function f


• A round can be described as:
  – L_i = R_{i-1}
  – R_i = L_{i-1} ⊕ P(S(E(R_{i-1}) ⊕ K_i))

• The key generation is performed as follows:
  – An initial permutation PC1 selects 56 bits and divides them into two halves
  – In each round
    • Select 24 bits from each half using a permutation function PC2
    • Rotate left each half by one or two positions


• The algorithm
  – Uses blocks of size 64 bits.
  – Key of length 56 (well, 64, but 8 bits are just check bits).
  – Initial permutation IP.
  – 16 rounds.
  – Final permutation IP^{-1} (IP and IP^{-1} have minor cryptographic value).


• Key schedule K_1, K_2, …, K_16
  – Discard the parity-check bits of K.
  – Compute PC-1(K) = C_0 D_0, where PC-1 is a fixed permutation and C_0, D_0 are the left and right halves, 28 bits each.
  – For i = 1, 2, …, 16:
      C_i := LS_i(C_{i-1}), D_i := LS_i(D_{i-1}),
      where LS_i is a left cyclic shift of one (i = 1, 2, 9, 16) or two positions (else),
      K_i := PC-2(C_i D_i),
      where PC-2 is a fixed permutation selecting 48 bits.


• PC-1(K) = C_0 D_0

  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36

  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4


• K_i := PC-2(C_i D_i)

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

48 bits are chosen from the 56-bit string C_i D_i according to the table shown here.


• x_0 = IP(m) = L_0 R_0.
• 16 rounds, i = 1, 2, …, 16:
    L_i := R_{i-1}, R_i := L_{i-1} ⊕ f(R_{i-1}, K_i),
  where
    f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)),
  with operations E (expansion), S (S-box lookup), and P (some permutation).
• c = IP^{-1}(L_16 R_16).


• x_0 = IP(m) = L_0 R_0
  Initial Permutation

  58 50 42 34 26 18 10 2
  60 52 44 36 28 20 12 4
  62 54 46 38 30 22 14 6
  64 56 48 40 32 24 16 8
  57 49 41 33 25 17  9 1
  59 51 43 35 27 19 11 3
  61 53 45 37 29 21 13 5
  63 55 47 39 31 23 15 7


• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  Expansion:

  32  1  2  3  4  5
   4  5  6  7  8  9
   8  9 10 11 12 13
  12 13 14 15 16 17
  16 17 18 19 20 21
  20 21 22 23 24 25
  24 25 26 27 28 29
  28 29 30 31 32  1

R is expanded to E(R), from originally 32 bits to 48 bits.


• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  S-box lookup

There are 8 S-boxes: S_1, …, S_8. For example S_5:

   2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
   4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

4×16 array of 4-bit binary numbers.


• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  E(R_{i-1}) ⊕ K_i = B_1 B_2 … B_7 B_8.

For j = 1, 2, …, 8, let B_j = b_1 b_2 b_3 b_4 b_5 b_6.

In S-box S_j:
  b_1 b_6 is the binary coordinate of a row r,
  b_2 b_3 b_4 b_5 is the binary coordinate of a column c.

Replace B_j with S_j(r, c).


• Properties of S-boxes in DES (per NSA)
  – Each S-box has 6 input bits and 4 output bits. This was the largest that could be put on one chip back in 1974.
  – All rows of all the S-boxes are permutations of 0, 1, …, 15
  – S-boxes are not affine transformations of their input
  – Change in an input bit changes at least two output bits of the S-box
  – For any x and any S-box S, S(x) and S(x ⊕ 001100) differ by at least two bits


• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  P fixed permutation

  16  7 20 21 29 12 28 17
   1 15 23 26  5 18 31 10
   2  8 24 14 32 27  3  9
  19 13 30  6 22 11  4 25

Result: bitstring of length 32!!


• c = IP^{-1}(L_16 R_16)

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32


• How do we decrypt? Decryption is performed by exactly the same procedure, except that the keys K_1, …, K_16 are used in reverse order. The reason why this works is the following:

• The first decryption step takes R_16 L_16 and gives the output [L_16] [R_16 ⊕ f(L_16, K_16)]. But we know from the encryption procedure that L_16 = R_15 and R_16 = L_15 ⊕ f(R_15, K_16). Therefore,

  [L_16] [R_16 ⊕ f(L_16, K_16)] = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(L_16, K_16)]
                                = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(R_15, K_16)]
                                = [R_15] [L_15]


• Similarly, the second step of decryption sends R_15 L_15 to R_14 L_14. Continuing, we see that the decryption process leads us back to R_0 L_0 as desired.

• Note that the decryption process is essentially the same as the encryption process. Therefore both the sender and the receiver use a common key and they can use identical machines.


• DES is efficient
  1992, DEC fabricated a 50K transistor chip that could encrypt at the rate 1 Gbit/sec using a clock rate of 250 MHz. Cost $300.

• The Avalanche Effect
  Small change in either the plaintext or the key produces a significant change in the ciphertext.


• Strength of DES: the S-boxes
  – DES permutations don’t form a group; they generate a group of size at least 10^2499.
  – Double encryption using 2 different keys is not stronger (surprise) than a single encryption (meet-in-the-middle attack).
  – Triple-DES (3-DES) is stronger and very popular recently.


• The DES controversy
  – Why 56 is the key length? LUCIFER had 128. The key space 2^56 is too small.
  – Why 16 rounds?
  – Why were the criteria for the S-boxes classified? Did NSA put “trapdoors” into the S-boxes? No evidence of “trapdoors” so far.


• Attacks on DES
  – 1977, Diffie & Hellman suggested a VLSI chip that could test 10^6 keys/sec. A machine with 10^6 chips could test the entire key space in 10 hours. Cost: $20,000,000.
  – 1990, differential cryptanalysis, Eli Biham, Adi Shamir (Israel).
  – 1993, linear cryptanalysis, Mitsuru Matsui (Japan).


ATTACKS ON DES: Meet-in-the-middle attack

• Birthday Attacks: If there are 23 people in a room, what is the probability that at least two of them have the same birthday?

• Answer: Compute the probability that they all have different birthdays.


• The first person uses up one day, so the second person has probability (1-1/365) of having a different birthday. There are two days removed for the third person, so the probability is (1-2/365) that the third birthday differs from the first two. Therefore the probability of all 3 people having different birthdays is (1-1/365)(1-2/365).


• Continuing in this way, we see that the probability that all 23 people have different birthdays is

  (1-1/365) (1-2/365) … (1-22/365) = 0.493.

  Therefore the probability of at least two having the same birthday is 1 - 0.493 = 0.507.
• If there are 30 people, the probability is around 70%.
• More generally, suppose we have n objects, where n is large. There are r people and each chooses an object (with replacement). If r ≈ 1.777 √n, then the probability is 50% that at least two people choose the same object.


A Birthday Attack on Discrete Logarithms

Suppose we want to solve α^x ≡ β mod p. We can do this with high probability by a birthday attack.

1. Make two lists, both of length around p^{1/2}:
2. The first list contains numbers α^k mod p for approximately p^{1/2} randomly chosen values of k.
3. The second list contains numbers β α^{-l} mod p for approximately p^{1/2} randomly chosen values of l.


There is a good chance that there is a match between some element on the first list and some element on the second list. If so, we have α^k ≡ β α^{-l} mod p, hence α^{k+l} ≡ β mod p.

Therefore, x ≡ k + l mod (p-1) is the desired discrete logarithm (why?)


ATTACKS ON DES: Meet-in-the-middle attack

Assume Eve has intercepted a message m and a doubly encrypted ciphertext c = E_{k2}(E_{k1}(m)). She wants to find k1 and k2. She first computes and stores E_k(m) for all possible keys k. She then computes D_k(c) for all possible keys k. Finally she compares both lists. She knows as a fact (but why?) that there will be at least one match, since the correct pair of keys should be one of them.


• The standard is public, the design criteria are classified
• One of the biggest controversies is the key size (56 bits)
  – W. Diffie, M. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", IEEE Computer 10(6), June 1977, pp. 74-84
  – M. Hellman, "DES will be totally insecure within ten years", IEEE Spectrum 16(7), Jul 1979, pp. 31-41

• Another controversy: is there a trapdoor?


• Attacks on DES
  – The Electronic Frontier Foundation (EFF).
  – July 17, 1998, the EFF DES Cracker broke the DES-encrypted message in 56 hours. 1,536 chips, testing 88×10^9 keys/sec. Cost < $250,000.
  – January 19, 1999, Distributed.Net, a worldwide coalition of computer enthusiasts, worked with EFF's DES Cracker and a worldwide network of nearly 100,000 PCs on the Internet, broke the DES-encrypted message in 22 hours and 15 minutes.


DES Modes of Operation

• Block modes:
  – Electronic Codebook Book (ECB)
    • Message is broken into independent blocks of 64 bits
    • This is the most natural mode of operation for DES
  – Cipher Block Chaining (CBC)
    • Message is broken into independent blocks of 64 bits, but next input depends on previous output
    • C_i = E_k(P_i ⊕ C_{i-1}), with C_{-1} = IV
    • P_i = D_k(C_i) ⊕ C_{i-1}, (why??)


• Stream Modes
  – Cipher FeedBack (CFB)
    • The message is XORed with the feedback of encrypting the previous block: P = |P_1 P_2 … P_8|
    • C_i = P_i ⊕ L_8(E_k(C_{i-1})), with C_{-1} = IV; (these are 8-bit blocks!!)
  – Output feedback
    • The feedback is independent of the message
    • C_i = P_i ⊕ E_k(O_{i-1}), with O_{-1} = IV


Limitation of the modes

• ECB
  – repetitions in message can be reflected in ciphertext
    • if aligned with message block
    • particularly with data such as graphics
    • or with messages that change very little, which become a code-book analysis problem
  – weakness is because enciphered message blocks are independent of each other


• CBC
  – use result of one encryption to modify input of next
    • hence each ciphertext block is dependent on all message blocks before it
    • thus a change in the message affects the ciphertext block after the change as well as the original block
  – to start need an Initial Value (IV) which must be known by both sender and receiver
    • however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
    • hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
  – Out of Sync Problems!!
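An added example (not from the original slides) tying together the decryption argument and the ECB/CBC limitations above: a 16-round Feistel network run in ECB and CBC mode over a constructed message. The round function and key schedule are SHA-256 based stand-ins (an assumption, this is not DES), and all names and sample values are illustrative.

```python
import hashlib

ROUNDS = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key):
    """Stand-in key schedule (assumption): K_1..K_16 derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]

def f(right, k):
    """Stand-in for f(R, K) (assumption). f need not be invertible."""
    return hashlib.sha256(k + right).digest()[:4]

def feistel(block, ks):
    left, right = block[:4], block[4:]
    for k in ks:
        # L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left  # emit R_16 L_16 so the same routine decrypts

def encrypt_block(key, block):
    return feistel(block, subkeys(key))

def decrypt_block(key, block):
    # Same procedure, subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])

def blocks(data):
    if len(data) % 8:
        raise ValueError("no padding here: length must be a multiple of 8")
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))  # C_i = E_k(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))  # P_i = D_k(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

# Constructed sample values.
KEY = b"demo-key"
IV = bytes(range(8))
MSG = b"PAY 0100PAY 0100PAY 9999"   # blocks 1 and 2 are identical
DELTA = bytes(7) + b"\x01"          # one flipped IV bit

if __name__ == "__main__":
    ecb = blocks(ecb_encrypt(KEY, MSG))
    cbc_ct = cbc_encrypt(KEY, IV, MSG)
    print("ECB repeats block:", ecb[0] == ecb[1])
    print("CBC repeats block:", blocks(cbc_ct)[0] == blocks(cbc_ct)[1])
    # Receiver decrypts with an IV that was modified in transit.
    print("IV changed ->", cbc_decrypt(KEY, xor(IV, DELTA), cbc_ct))
```

The last check shows why the IV needs the protection the slide asks for: a change to the IV changes exactly the same bits of the first plaintext block and nothing else, so decryption alone does not reveal it.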


• CFB
  – when data is bit or byte oriented, want to operate on it at that level, so use a stream mode
  – the block cipher is used in encryption mode at both ends, with input being a feed-back copy of the ciphertext
  – can vary the number of bits fed back, trading off efficiency for ease of use
  – again errors propagate for several blocks after the error is detected.


• OFB
  – also a stream mode, but intended for use where the error feedback is a problem, or where the encryptions want to be done before the message is available
  – is superficially similar to CFB, but the feedback is from the output of the block cipher and is independent of the message, a variation of a Vernam cipher
  – again an IV is needed
  – sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
  – although originally specified with varying m-bit feedback in the standards, subsequent research has shown that only 64-bit OFB should ever be used (and this is the most efficient use anyway).


DES Weak Keys

• with many block ciphers there are some keys that should be avoided, because of reduced cipher complexity

• these keys are such that the same sub-key is generated in more than one round

• Weak Keys:
  – The same sub-key is generated for every round
  – DES has 4 weak keys


• Semi-Weak Keys
  – only two sub-keys are generated on alternate rounds
  – DES has 12 of these (in 6 pairs)

• Demi-Semi Weak Keys
  – have four sub-keys generated

• None of these cause a problem since they are a tiny fraction of all available keys

• However they MUST be avoided by any key generation program


DES variations

• Double DES:
  – Use 2 keys: K1 and K2.
  – Encryption is E_K1(E_K2(P))
  – Is double DES reducible to DES? (Crypto 92)

• Triple DES
  – Use 2 or 3 keys
  – Encryption:
    • E_K1(E_K2(E_K3(P)))
    • E_K1(D_K2(E_K1(P)))


Cryptanalysis of DES

• If you can choose the plaintext:
  – Brute Force: try all 2^56 possible keys
    • No memory necessary
    • The encryption with all keys may be too slow
  – Build a dictionary
    • Each plaintext may result in 2^64 different ciphertexts.
    • Encrypt the known plaintext with all possible keys
    • You have a look-up table
    • Very effective if you can inject plaintext and want to find many different keys


• There are some algorithms that trade memory/space requirements

• Linear Cryptanalysis
  – Linear approximation to describe DES
  – DES can be broken:
    • It requires around 2^43 plaintext-ciphertext pairs to find the key.
    • M. Matsui, Eurocrypt 93
  – Assuming you have an n-bit plaintext and ciphertext, and an m-bit key


• Linear cryptanalysis
  – Find bit locations α’s on plain, β’s on ciphertext and γ’s on key such that

      x_{α_1} ⊕ x_{α_2} ⊕ … ⊕ x_{α_a} ⊕ y_{β_1} ⊕ y_{β_2} ⊕ … ⊕ y_{β_b} = K_{γ_1} ⊕ K_{γ_2} ⊕ … ⊕ K_{γ_c}

    has a probability higher than .5
  – Use many different plaintexts and analyze the left hand side. Infer the right hand side.


• Differential cryptanalysis:
  – First suggested by Murphy for the cryptanalysis of FEAL-4
  – Biham and Shamir officially introduced them around 1990
  – Assume that we label each left and right part of any block in the 16 rounds of DES as x_i, starting from x_0 and x_1.
  – Assume that we have two known plaintexts x and x’, and we know Δx = x ⊕ x’
  – DES in each round produces x_{i+1} = x_{i-1} ⊕ F(x_i, K_i)


• Biham and Shamir observed that with a fixed key, the differential behavior of DES does not exhibit pseudo-randomness

• If we fix the XOR of two plaintexts P and P* at P’, then T’ (which is equal to T ⊕ T*) is not uniformly distributed.

• In contrast, the XOR of two uniformly distributed random numbers would itself be uniformly distributed


• Differential cryptanalysis is efficient when the cryptanalyst can choose plaintexts and obtain ciphertexts (chosen plaintext cryptanalysis)

• The known plaintext differential cryptanalysis is also possible, however, often the size of the known text pairs is very large

• The method searches for plaintext, ciphertext pairs whose difference is constant, and investigates the differential behavior of the cryptosystem

• The difference of two elements P1 and P2 is defined as P1 ⊕ P2 (bit-wise XOR operation) for DES.

• The difference may be defined differently if the method is applied to some other cryptosystem.


• Differential cryptanalysis is applicable to the iterated ciphers with a weak round function (so-called Feistel ciphers). The summary of the technique:

• Observe the difference between the two ciphertexts as a function of the difference between the corresponding plaintexts

• Find the highest probability differential input (called characteristic) which can be traced through several rounds

• Assign probabilities to the keys and locate the most probable key.


• If the input to an S-box is a uniformly distributed randomnumber, its output will be a uniformly distributed randomnumber

S1E 4 D 1 2 F B 8 3 A 6 C 5 9 0 70 F 7 4 E 2 D 1 A 6 C B 9 5 3 84 1 E 8 D 6 2 B F C 9 7 3 A 5 0F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

• Assuming the 56-bit key is chosen according to a uniformprobability distribution, the input to any S-box in any roundwill be uniformly distributed over all 64 possible values

The output of any S-box in any round is therefore also uniformly distributed over its 16 possible values (0 to F), since each occurs 4 times in the S-box, once in each row.

Cryptanalysis of DES: S-box Non-Differential Uniformity


• Consider the differential behavior of an S-box, in which there are 64^2 = 4096 possible input pairs (x, x*)

• As the 6-bit quantities x, x*, and x’ = x ⊕ x* each vary over their 64 possible values, the 4-bit quantities y = S(x), y* = S(x*), and y’ = y ⊕ y* = S(x) ⊕ S(x*) each vary over their 16 possible values

• The distribution on the differential output y’ can be computed for each of the eight S-boxes by counting the number of times each value y’ occurs as (x, x*) varies over its 4,096 possible values

Cryptanalysis of DES: S-box Non-Differential Uniformity


Cryptanalysis of DES: S-box Non-Differential Uniformity

• The 6-bit differential input x’ takes 64 values: 00 (hex) to 3F (hex)

• The 4-bit differential output y’ takes 16 values: 0 (hex) to F (hex)

Each row sums to 64 because each differential input x’ occurs for 64 of the 4,096 (x, x*) pairs.

The first row has zeros in all but the first column, because when x’ = x ⊕ x* = 0, the same input occurs twice. Therefore, the same output must also occur both times and y’ = y ⊕ y* = 0


Cryptanalysis of DES: S-box Non-Differential Uniformity

The later rows are more interesting:

For example, when x’ = 01, five of the sixteen possible y’ values (0, 1, 2, 4, 8) occur with zero probability (i.e., never occur).

A occurs with probability 16/64

9 and C occur with probability 10/64

This is a highly non-uniform distribution

This differential non-uniformity is observed in all of the S-boxes S1, S2, … , S8


• Differential analysis

– Using that, we have

• Δx_{i+1} = Δx_{i-1} ⊕ F(x_i, K_i) ⊕ F(x’_i, K_i)

– If F(x_i, K_i) ⊕ F(x’_i, K_i) is a function of Δx_i with high probability, then:

• Knowing Δx_{i-1} and Δx_i, we know Δx_{i+1}

– Test this hypothesis for different Δx and start getting information about K_i

– This can break DES with 2^47 chosen plaintexts

Cryptanalysis of DES
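The counting described on the S-box slides and the key-filtering step of the differential analysis slide, as an added Python example that is not part of the original lecture. The 6-bit subkey 0x16 and the three input pairs are constructed sample values, and the observed output difference is simulated from that subkey rather than derived from real ciphertexts.

```python
from collections import Counter

# DES S-box S1, one hex string per row, as listed on the slide.
S1_ROWS = ["E4D12FB83A6C5907", "0F74E2D1A6CB9538",
           "41E8D62BFC973A50", "FC8249175B3EA06D"]

def s1(x):
    """6-bit input -> 4-bit output; outer bits select the row, inner four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    return int(S1_ROWS[row][(x >> 1) & 0xF], 16)

def output_histogram():
    """Occurrences of each output value over all 64 inputs (uniform means 4 each)."""
    return Counter(s1(x) for x in range(64))

def difference_table():
    """ddt[x'][y'] = number of ordered pairs (x, x*) with x ^ x* = x'
    and S1(x) ^ S1(x*) = y', counted over all 64^2 = 4096 pairs."""
    ddt = [[0] * 16 for _ in range(64)]
    for x in range(64):
        for x_star in range(64):
            ddt[x ^ x_star][s1(x) ^ s1(x_star)] += 1
    return ddt

def key_candidates(e, e_star, y_diff):
    """6-bit subkeys k consistent with one pair: the S-box inputs are e ^ k and
    e_star ^ k, so k cancels in the input difference but not in the output."""
    return {k for k in range(64) if s1(e ^ k) ^ s1(e_star ^ k) == y_diff}

def recover_subkey(pairs, secret_k):
    """Intersect candidate sets over several pairs. secret_k is used only to
    simulate the output difference an analyst would observe."""
    survivors = set(range(64))
    for e, e_star in pairs:
        observed = s1(e ^ secret_k) ^ s1(e_star ^ secret_k)
        survivors &= key_candidates(e, e_star, observed)
    return survivors

# Constructed sample data (not from the slides): a 6-bit subkey and three
# pairs of pre-key-mixing S1 inputs with differences 0x01, 0x34 and 0x03.
SECRET_K = 0x16
PAIRS = [(0x12, 0x13), (0x21, 0x15), (0x08, 0x0B)]

if __name__ == "__main__":
    ddt = difference_table()
    print("outputs uniform:", set(output_histogram().values()) == {4})
    print("zero-probability y' for x'=01:", [y for y in range(16) if ddt[1][y] == 0])
    print("surviving subkeys:", [hex(k) for k in sorted(recover_subkey(PAIRS, SECRET_K))])
```

The size of each candidate set equals the matching difference-table entry, which is why rare output differences narrow the subkey fastest.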


• DES reduced to 6 rounds can be broken by a chosen plaintext attack in less than 0.3 sec on a PC using 240 ciphertexts; the known plaintext version requires 2^36 ciphertexts.

• DES reduced to 8 rounds can be broken by a chosen plaintext attack in less than 2 minutes on a PC by analyzing about 2^14 ciphertexts; the known plaintext version requires 2^38 ciphertexts.

• Full DES can be broken by analyzing 2^36 ciphertexts from a larger pool of 2^47 chosen plaintexts.

• Certain changes in DES may have catastrophic results

Summary of differential attack to DES
