1 Chapter 3 – Block Ciphers and the Data Encryption Standard Modern Block Ciphers now look at modern block ciphers one of the most widely used types.

11

Chapter 3 – Block Ciphers and Chapter 3 – Block Ciphers and the Data Encryption Standardthe Data Encryption Standard

Modern Block CiphersModern Block Ciphers

now look at modern block ciphersnow look at modern block ciphersone of the most widely used types of one of the most widely used types of cryptographic algorithms cryptographic algorithms provide secrecy /authentication servicesprovide secrecy /authentication servicesfocus on DES (Data Encryption Standard)focus on DES (Data Encryption Standard)to illustrate block cipher design principlesto illustrate block cipher design principles

22

Block vs Stream CiphersBlock vs Stream Ciphers

block ciphers process messages in blocks, block ciphers process messages in blocks, each of which is then en/decrypted each of which is then en/decrypted

like a substitution on very big characterslike a substitution on very big characters 64-bits or more 64-bits or more

stream ciphers stream ciphers process messages a bit or process messages a bit or byte at a time when en/decryptingbyte at a time when en/decrypting

many current ciphers are block ciphersmany current ciphers are block ciphers broader range of applicationsbroader range of applications

33

Block Cipher PrinciplesBlock Cipher Principles

most symmetric block ciphers are based on a most symmetric block ciphers are based on a Feistel Cipher StructureFeistel Cipher Structure

must be able to must be able to decryptdecrypt ciphertext to recover ciphertext to recover messages efficientlymessages efficiently

block ciphers look like an extremely large block ciphers look like an extremely large substitution substitution

would need a table of 2would need a table of 26464 entries for a 64-bit entries for a 64-bit block block

instead create from smaller building blocks instead create from smaller building blocks using idea of a product cipher using idea of a product cipher

44

Ideal Block CipherIdeal Block Cipher

55

Claude Shannon and Substitution-Claude Shannon and Substitution-Permutation CiphersPermutation Ciphers

Claude Shannon introduced idea of substitution-Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paperpermutation (S-P) networks in 1949 paper

form basis of modern block ciphers form basis of modern block ciphers S-P nets are based on the two primitive S-P nets are based on the two primitive

cryptographic operations seen before: cryptographic operations seen before: substitutionsubstitution (S-box) (S-box) permutation permutation (P-box)(P-box)

provide provide confusionconfusion & & diffusiondiffusion of message & key of message & key

66

Confusion and DiffusionConfusion and Diffusion

cipher needs to completely obscure cipher needs to completely obscure statistical properties of original messagestatistical properties of original message

a one-time pad does thisa one-time pad does this more practically Shannon suggested more practically Shannon suggested

combining S & P elements to obtain:combining S & P elements to obtain: diffusiondiffusion – dissipates statistical structure – dissipates statistical structure

of plaintext over bulk of ciphertextof plaintext over bulk of ciphertext confusionconfusion – makes relationship between – makes relationship between

ciphertext and key as complex as possibleciphertext and key as complex as possible

77

Feistel Cipher StructureFeistel Cipher Structure

Horst Feistel devised the Horst Feistel devised the feistel cipherfeistel cipher based on concept of invertible product cipherbased on concept of invertible product cipher

partitions input block into two halvespartitions input block into two halves process through multiple rounds whichprocess through multiple rounds which perform a substitution on left data halfperform a substitution on left data half based on round function of right half & subkeybased on round function of right half & subkey then have permutation swapping halvesthen have permutation swapping halves

implements Shannon’s S-P net conceptimplements Shannon’s S-P net concept

88

Feistel Cipher StructureFeistel Cipher Structure

99

Feistel Cipher Design ElementsFeistel Cipher Design Elements

block size block size key size key size number of rounds number of rounds subkey generation algorithmsubkey generation algorithm round function round function fast software en/decryptionfast software en/decryption ease of analysisease of analysis

1010

Feistel Cipher DecryptionFeistel Cipher Decryption

1111

DES HistoryDES History

IBM developed Lucifer cipherIBM developed Lucifer cipher by team led by Feistel in late 60’sby team led by Feistel in late 60’s used 64-bit data blocks with 128-bit keyused 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher then redeveloped as a commercial cipher with input from NSA and otherswith input from NSA and others

in 1973 NBS issued request for proposals in 1973 NBS issued request for proposals for a national cipher standardfor a national cipher standard

IBM submitted their revised Lucifer which IBM submitted their revised Lucifer which was eventually accepted as the DESwas eventually accepted as the DES

1212

The same algorithm is used both to encipher anThe same algorithm is used both to encipher and to decipher.d to decipher.

Most widely used cipher everMost widely used cipher ever Security based on Shannon’s Theory Security based on Shannon’s Theory

Confusion : a piece of information is changed so that tConfusion : a piece of information is changed so that the output bits have no obvious relationship to the inpuhe output bits have no obvious relationship to the input bits.t bits.

Disfussion : To spread the effect of one plaintext bit to Disfussion : To spread the effect of one plaintext bit to

other bits in the ciphertextother bits in the ciphertext..

1313

Block Cipher:Block Cipher: Block size= 64 bits.Block size= 64 bits.

Key Length= 56 bits (64 bits contains the bits 8, 16, Key Length= 56 bits (64 bits contains the bits 8, 16,

24, 32, 40, 48, 56, 64 for the odd parity check)24, 32, 40, 48, 56, 64 for the odd parity check)

Advantages of DES:Advantages of DES: DES can be implemented by software and hardware DES can be implemented by software and hardware

for its simple arithmetic and logical operations.for its simple arithmetic and logical operations.

High SpeedHigh Speed

1414

DESDES IP

L 0 R 0

R 1 = L 0 f (R 0 , K 1)L 1 = R 0

R 2 = L 1 f (R 1 , K 2)L 2 = R 1

R 15 = L 14 f (R 14 , K 1 5)L 15 = R 14

R 16 = L 15 f (R 1 5 , K 1 6) L 1 6 = R 15

64

32 32

K 1

K 2

K 16

f 4832

f

f

IP -1

output

T

In: 64 bits,

Out: 64 bits,

Key: 56 bits

1515

IP (Initial Permutation) IP (Initial Permutation)

The table should be read left-to-right, top-to-The table should be read left-to-right, top-to-bottom.bottom.

TT = = tt11tt22 ... ... tt6464 TT00 = = tt5858tt5050 ... ... tt7 7 = = LL00RR00

1616

IPIP11 (Final Permutation) (Final Permutation)

IPIP11 is the inverse of IP. is the inverse of IP. All tables are fixed.All tables are fixed.

1717

Function Function ff

S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8

P

32

32

48

f(R i-1 , K i)

E

48 48

32

K i

R i-1

1818

E (Bit-Selection Table) E (Bit-Selection Table)

In: 32 bits, Out: 48 bitsIn: 32 bits, Out: 48 bits

1919

P (Permutation) P (Permutation)

In: 32 bits, Out: 32 bitsIn: 32 bits, Out: 32 bits

2020

S-boxes (Selection Functions) S-boxes (Selection Functions)

2121

Each S-box SEach S-box Sjj maps a 6-bit block maps a 6-bit block bb11bb22bb33bb44bb55bb66 int int

o a 4-bit block. (In: 6 bits, Out: 4 bits)o a 4-bit block. (In: 6 bits, Out: 4 bits) The integer corresponding to The integer corresponding to bb11bb66 selects a row selects a row

and the integer corresponding to and the integer corresponding to bb22bb33bb44bb55 selects selects

a column.a column. Example: (100001)Example: (100001)22 for S-box 1 for S-box 1

Row # = (11)Row # = (11)22= 3 and Column # = (0000)= 3 and Column # = (0000)22= 0 Ou= 0 Ou

rput= 15= (1111)2. rput= 15= (1111)2.

2222

Key Calculation Key Calculation

PC-128

PC-2

PC-2

K

28

C 0 D 0

LS 1LS 1

C 1 D 1

K 1

K 2

LS 2LS 2

C 2 D 2

LS 16LS 16

C 16 D 16

PC-2 K 16

K1, K2, ..., K16 : 48 bits/each

2323

PC-1 (Key Permutation)PC-1 (Key Permutation)

In: 64 bits (with 8 parity bits), Out: 56 bits

2424

PC-2 (Key Permutation)PC-2 (Key Permutation)

In: 56 bits, Out: 48 bitsIn: 56 bits, Out: 48 bits

2525

LSLSii (Left Circular Shift) (Left Circular Shift) Iteration Iteration

ii

Number ofLeft ShNumber ofLeft Shiftsifts

11 11

22 11

33 22

44 22

55 22

66 22

77 22

88 22

99 11

1010 22

1111 22

1212 22

1313 22

1414 22

1515 22

1616 11

2626

Deciphering Deciphering

Deciphering is performed using the same Deciphering is performed using the same algorithm, except that algorithm, except that KK1616 is used in the first is used in the first

iteration, iteration, KK1515 in the second iteration, and so on. in the second iteration, and so on.

The last round of enciphering:The last round of enciphering:R 15L 15

R 16 = L 15 f (R 1 5 , K 1 6) L 1 6 = R 15

K 16f

IP -1

output

2727

Deciphering Deciphering

The first round of deciphering:The first round of deciphering:

IP

L 0 R 0

R 1 = L 0 f (R 0 , K 1 6)L 1 = R 0

K 16f

2828

Deciphering Deciphering The last round of enciphering:The last round of enciphering:

LELE1616 = = RERE1515

RERE1616 = = LELE1515 ff((RERE1515, , KK1616)) The first round of deciphering:The first round of deciphering:

LDLD11 = = RDRD00 = = LELE1616 = = RERE1515

RDRD11 = = LDLD00 ff((RDRD00, , KK1616))

= = RERE1616 ff((RERE1515, , KK1616))

= (= (LELE1515 ff((RERE1515, , KK1616)) )) ff((RERE1515, , KK1616))

= = LELE1515 ( (ff((RERE1515, , KK1616) ) ff((RERE1515, , KK1616))))

= = LELE1515 0 0

= = LELE1515

Thus, the output of the first round of deciphering is the swap of the Thus, the output of the first round of deciphering is the swap of the input to the sixteenth round of the enciphering. input to the sixteenth round of the enciphering.

2929

The order of subkeys is the reverse order (kThe order of subkeys is the reverse order (k1616, k, k11

55, …, k, …, k11).). Key shiftKey shift 改成改成 shift right circularly.shift right circularly. 每一個每一個 roundround的的 shift bitshift bit 數為數為 (1, 0), (2, 1), (3, 2), (4, 2),(1, 0), (2, 1), (3, 2), (4, 2),

(5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1).2), (13, 2), (14, 2), (15, 2), (16, 1).

3030

Weakness of DES Weakness of DES

Complements: If C= EComplements: If C= Ekk(P), then ¬C= E(P), then ¬C= Ekk(¬P), where ¬x i(¬P), where ¬x i

s the cpmplement of x.s the cpmplement of x. Reduce the complexity for finding keys from 2^56 to 2Reduce the complexity for finding keys from 2^56 to 2

^55.^55. Weak Keys(4):Weak Keys(4):

56 bits key left and right half are all 0 or 1,then it woul56 bits key left and right half are all 0 or 1,then it would cause all subkeys are the same.d cause all subkeys are the same.

3131

Semi-Weak Keys:Semi-Weak Keys: the encryption using two different keys could get the sathe encryption using two different keys could get the sa

me result [Eme result [Ekk(P)= E(P)= Ekk’(P)]’(P)]