Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2005 Adopted from lecture slides by Lawrie Brown

Dec 19, 2015



All the afternoon Mungo had been working on Stern's code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious that they didn't care how often Mungo read their messages, so confident were they in the impenetrability of the code.—Talking to Strange Men, Ruth Rendell


Who’s Ruth Rendell?

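Ruth Rendell (露絲.藍黛兒)

British mystery novelist, winner of the British Crime Writers' Association Gold Dagger award:

1976: A Demon in my View (Chinese edition 《看不見的惡魔》, 新雨出版社)

1986: Live Flesh (Chinese edition 《肉慾生香》, 新雨出版社), the source novel for the film 愛慾情狂 by Spanish director Almodóvar

Source of textbook Exercise 2.2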


History of DES (Data Encryption Standard)

DES: the most widely used symmetric cipher

Adopted in 1977 as Federal Information Processing Standard 46 (FIPS 46)

64-bit blocks and 56-bit key

Replaced by 3DES (chap. 6) and AES (chap. 5)

Motivation: Study of DES provides an understanding of the principles used in other symmetric ciphers


FIPS approved encryption algorithms

4 FIPS approved algorithms

AES: FIPS 197, Nov. 2001

Triple DES: FIPS 46-3, Oct. 1999

DES: FIPS 46, 1977 (DES is permitted in legacy systems only)

Skipjack: FIPS 185, Feb. 1994


Certification process for encryption programs


Recall: Symmetric Cipher Model


Recall: Block vs. Stream Ciphers

Block ciphers process messages in blocks, each of which is then en/decrypted

Stream ciphers process messages a bit or byte at a time when en/decrypting

A block cipher can be changed into a stream cipher

Ex. Cipher Feedback Mode of DES


Outline

Simplified DES (S-DES)

Block Cipher Principles

The Data Encryption Standard (DES)

The Strength of DES

Differential and Linear Cryptanalysis

Block Cipher Design Principles

Block Cipher: Mode of Operation


Simplified DES

DES: 64-bit block, 56-bit key

Simplified DES: 8-bit block, 10-bit key

Has similar properties and structure to DES: repeated substitution and permutation

Helps to understand DES

[Figure: S-DES block with inputs 10111101 (8-bit plaintext) and 1011101011 (10-bit key), output 11011001 (8-bit ciphertext)]


S-DES overview

[Figure: S-DES overview. Labels: initial permutation; 8-bit subkey; complex function (substitution + permutation); switch (SW) left/right halves; the same data]


Mathematical form

Encryption:

$\text{ciphertext} = IP^{-1}(f_{K_2}(SW(f_{K_1}(IP(\text{plaintext})))))$

Decryption:

$\text{plaintext} = IP^{-1}(f_{K_1}(SW(f_{K_2}(IP(\text{ciphertext})))))$

• Encryption and decryption go through the same functions, but the order of the subkeys is reversed

=> The same hardware/software can be used for encryption and decryption


Key generation

Key: 1 0 1 0 0 0 0 0 1 0

permutation:

1 2 3 4 5 6 7 8 9 10
3 5 2 7 4 10 1 9 8 6

Result: 1 0 0 0 0 0 1 1 0 0

Left shift 1 bit (rotate): 0 0 0 0 1 1 1 0 0 0

permutation (8 out of 10):

1 2 3 4 5 6 7 8 9 10
6 3 7 4 8 5 10 9

K1: 1 0 1 0 0 1 0 0

Left shift 2 bit (rotate): 0 0 1 0 0 0 0 0 1 1

permutation (8 out of 10):

1 2 3 4 5 6 7 8 9 10
6 3 7 4 8 5 10 9

K2: 0 1 0 0 0 0 1 1


Details of encryption

One round


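One round maps (L, R) to (R, L ⊕ F(R, K1))

Output after IP (Initial Permutation): L = 1 0 1 1, R = 1 1 0 1

After the round: 1 1 0 1 ? ? ? ?

Expansion/permutation (4 -> 8): 4 1 2 3 2 3 4 1

Result for R = 1 1 0 1: 1 1 1 0 1 0 1 1

[Figure: idea of E/P, the four input bits 1 2 3 4 feeding S0 and S1]

S-Box (S0): 4 -> 2

      00  01  10  11
00    01  00  11  10
01    11  10  01  00
10    00  10  01  11
11    11  01  11  10

Inputs to S0 and S1: 1 1 1 0 | 1 0 1 1

Outputs: 1 1 | 0 1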


Attacks on S-DES

Brute-force attack

10-bit key => 2^10 = 1024 possible keys

Try all keys, analyze if the result is a reasonable plaintext

Cryptanalysis

Known plaintext-ciphertext attack

Plaintext bits: p1 p2 p3 p4 p5 p6 p7 p8

Ciphertext bits: c1 c2 c3 c4 c5 c6 c7 c8

Unknown key: k1 k2 k3 k4 k5 k6 k7 k8 k9 k10

8 equations, 10 unknowns
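
The S-DES procedure from the preceding slides (key generation, the round function, SW, and the search over all 2^10 keys), written out as an added Python example that is not part of the original slides. P10, P8, E/P and S0 are the tables shown above; IP, IP^-1, P4 and S1 do not appear in this transcript and are assumed from the standard textbook definition of S-DES.

```python
# P10, P8, E/P and S0 are the tables on the slides; IP, IP^-1, P4 and S1 are
# the standard textbook S-DES tables (assumed here, not shown in this transcript).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    """Output position i takes input bit table[i] (tables are 1-based)."""
    return "".join(bits[i - 1] for i in table)

def subkeys(key10):
    """P10, rotate each 5-bit half by 1 -> K1; rotate by 2 more -> K2."""
    k = permute(key10, P10)
    left, right = k[1:5] + k[0], k[6:] + k[5]
    k1 = permute(left + right, P8)
    left, right = left[2:] + left[:2], right[2:] + right[:2]
    return k1, permute(left + right, P8)

def sbox(box, nib):
    """Bits 1 and 4 select the row, bits 2 and 3 the column; 2-bit output."""
    row, col = int(nib[0] + nib[3], 2), int(nib[1] + nib[2], 2)
    return format(box[row][col], "02b")

def f_k(block, sk):
    """One round: (L, R) -> (L xor F(R, sk), R)."""
    left, right = block[:4], block[4:]
    x = format(int(permute(right, EP), 2) ^ int(sk, 2), "08b")
    f = permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)
    return format(int(left, 2) ^ int(f, 2), "04b") + right

def sdes(block8, key10, decrypt=False):
    """IP^-1(f_K2(SW(f_K1(IP(x))))); decryption only swaps the subkey order."""
    k1, k2 = subkeys(key10)
    if decrypt:
        k1, k2 = k2, k1
    x = f_k(permute(block8, IP), k1)
    x = f_k(x[4:] + x[:4], k2)  # SW: switch the two 4-bit halves
    return permute(x, IP_INV)

def keys_mapping(pt, ct):
    """Exhaustive search: every 10-bit key that maps pt to ct."""
    return [k for k in (format(i, "010b") for i in range(1024)) if sdes(pt, k) == ct]
```

With the slide's key 1010000010, subkeys() returns K1 = 10100100 and K2 = 01000011, as on the key-generation slide. keys_mapping() lists every key consistent with one known plaintext-ciphertext pair, so a single 8-bit pair need not identify the 10-bit key uniquely.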


Non-linear S-Box

4-bit input, 2-bit output

Input bits: (a, b, c, d)

Output bits: (q, r)

Rows are indexed by (a,d), columns by (b,c):

      00  01  10  11
00    01  00  11  10
01    11  10  01  00
10    00  10  01  11
11    11  01  11  10

q = (abcd + ab + ac + b + d) mod 2

r = (abcd + abd + ab + ac + ad + a + c + 1) mod 2
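
The two polynomials can be recovered mechanically from the S0 table. This added Python example (not part of the original slides) computes the algebraic normal form of each output bit with a binary Moebius transform, using the slide's indexing of rows by (a,d) and columns by (b,c); the function names are this example's own.

```python
from itertools import product

# S0 as printed on the slide: row index = (a, d), column index = (b, c).
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))

def s0(a, b, c, d):
    """Return the output bits (q, r) for input bits (a, b, c, d)."""
    v = S0[2 * a + d][2 * b + c]
    return v >> 1, v & 1

def anf(bit):
    """Monomials with coefficient 1 in output bit 0 (q) or 1 (r)."""
    # Truth table indexed by x = 8a + 4b + 2c + d.
    coeff = [s0(*x)[bit] for x in product((0, 1), repeat=4)]
    # Binary Moebius transform: coeff[u] becomes the XOR of f(x) over x <= u.
    for i in range(4):
        for x in range(16):
            if x & (1 << i):
                coeff[x] ^= coeff[x ^ (1 << i)]
    terms = set()
    for x in range(16):
        if coeff[x]:
            mono = "".join(n for k, n in enumerate("abcd") if x & (8 >> k))
            terms.add(mono or "1")
    return terms

def degree(terms):
    """Algebraic degree: size of the largest monomial."""
    return max(0 if t == "1" else len(t) for t in terms)
```

Both outputs come out with degree 4, which is why the 8 known-plaintext equations in the key bits are non-linear and cannot be solved as a linear system.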


Preview to DES

[Figure: S-DES next to DES. Labels: round; (56-bit); 48-bit subkey]



Problem

Why do we need a block cipher, such as S-DES, with such a complex structure?


General 4-bit block cipher

Receiver must have the code book (4 x 2^4 bits)

[Figure: the cipher drawn as a black box]

This cipher is not secure! => we need a larger block


Block Cipher Principles

General transform for n-bit block cipher

Reversible transform

Plaintext block p1 p2 p3 p4 … pn (2^n inputs):

0 0 0 0 … 0 0
0 0 0 0 … 0 1
0 0 0 0 … 1 0
0 0 0 0 … 1 1
.
.
1 1 1 1 … 1 0
1 1 1 1 … 1 1

Ciphertext block c1 c2 c3 c4 … cn (2^n outputs):

0 0 0 0 … 0 0
0 0 0 0 … 0 1
0 0 0 0 … 1 0
0 0 0 0 … 1 1
.
.
1 1 1 1 … 1 0
1 1 1 1 … 1 1

(2^n)! transforms

2^n x n bit codebook

DES: 64-bit

How to deliver the codebook?


Block Cipher Principles (cont.)

For a general block cipher, the transform itself is the key

Key size = n x 2^n

DES: 64-bit block

Key size: 64 x 2^64 ≈ 10^21 bits


Block Cipher Principles (cont.)

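Answer: We need an approximation to the ideal block cipher with large n

Build up out of components that are easily realizable

Example:

General 4-bit cipher: 4 x 2^4 = 64 bits key

Simple math. structure: Hill cipher-like

$\begin{pmatrix} c_1 \\ c_2 \\ c_3 \\ c_4 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} & k_{14} \\ k_{21} & k_{22} & k_{23} & k_{24} \\ k_{31} & k_{32} & k_{33} & k_{34} \\ k_{41} & k_{42} & k_{43} & k_{44} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \\ p_4 \end{pmatrix}$

16 bits key, but vulnerable to attacks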


Claude Shannon’s design principles

Strongly ideal cipher: all statistics of the ciphertext are independent of the plaintext and key

Assume attacker has knowledge of the statistical properties of the plaintext

However, we cannot use the arbitrary substitution cipher with large key

[Figure: transform T(p1, p2, …, pn, Key) mapping plaintext bits p1 p2 p3 p4 … pn to ciphertext bits c1 c2 c3 c4 … cn]


Two principles: Confusion and Diffusion

1949, Shannon suggested combining elements to obtain:

Diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

Each ciphertext digit is affected by many plaintext digits

Confusion – makes relationship between ciphertext and key as complex as possible

use complex substitution algorithm

)26(mod 1

n

iij pcEx.

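[Figure: cipher with plaintext and key as inputs and ciphertext as output; diffusion labels the plaintext-to-ciphertext relation, confusion the key-to-ciphertext relation]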


Feistel cipher

How to construct a practical block cipher with reasonable key size?

Most symmetric block ciphers are based on a Feistel Cipher Structure

using idea of a product cipher

Alternate substitutions and permutations


Feistel cipher Structure

[Figure: Feistel network. Labels: complex substitution; permutation (switch); substitution-permutation network]


Feistel Cipher Design Principles

block size: typically 64~128 bits

increasing size improves security, but slows cipher

key size: typically 64~128 bits

increasing size improves security, makes exhaustive key searching harder, but may slow cipher

number of rounds: typically 16 rounds

increasing number improves security, but slows cipher

subkey generation

greater complexity can make analysis harder, but slows cipher

round function

greater complexity can make analysis harder, but slows cipher

fast software en/decryption & ease of analysis are more recent concerns for practical use and testing


Feistel Cipher Decryption

[Figure: Feistel encryption and decryption rounds]

$RE_1 = LE_0 \oplus F(RE_0, K_1)$

$RE_1 \oplus F(RE_0, K_1) = LE_0 \oplus F(RE_0, K_1) \oplus F(RE_0, K_1) = LE_0$
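
The identity above holds for any round function F, invertible or not. This added Python example (not from the original slides) builds a Feistel network around a hash-based F and decrypts by running the same network with the subkeys reversed; it also counts how far a one-bit plaintext change spreads as rounds are added. round_fn, SUBKEYS and the 8-byte block are constructed for the example.

```python
import hashlib

# Constructed subkeys for the demonstration (not a real key schedule).
SUBKEYS = [bytes([i]) * 4 for i in range(1, 17)]

def round_fn(half, subkey):
    """F(R, K): truncated SHA-256, chosen because it is clearly not invertible."""
    return hashlib.sha256(subkey + half).digest()[:len(half)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, subkeys):
    """L_i = R_(i-1), R_i = L_(i-1) xor F(R_(i-1), K_i); halves swapped at the end."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in subkeys:
        left, right = right, xor(left, round_fn(right, k))
    return right + left

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    # Same network, subkeys in reverse order; F itself is never inverted.
    return feistel(block, subkeys[::-1])

def changed_bits(rounds, block=b"8 bytes!", flip=0x80):
    """Ciphertext bits that change when one bit of the left half is flipped."""
    keys = SUBKEYS[:rounds]
    other = bytes([block[0] ^ flip]) + block[1:]
    diff = xor(encrypt(block, keys), encrypt(other, keys))
    return sum(bin(b).count("1") for b in diff)
```

After one round the flipped bit has reached only one ciphertext bit (changed_bits(1) is 1); with all 16 rounds roughly half of the 64 bits change.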



Data Encryption Standard (DES)

most widely used block cipher in world

adopted in 1977 by NBS (now NIST) as FIPS PUB 46

encrypts 64-bit data using 56-bit key

2^56 possible transforms out of (2^64)! arbitrary transforms

has been considerable controversy over its security


DES History

IBM developed Lucifer cipher

by team led by Feistel

used 64-bit data blocks with 128-bit key

then redeveloped as a commercial cipher with input from NSA and others

in 1973 NBS issued request for proposals for a national cipher standard

IBM submitted their revised Lucifer which was eventually accepted as the DES


DES Design Controversy

although the DES standard is public, there was considerable controversy over its design

in choice of 56-bit key (vs Lucifer 128-bit)

and because the design criteria of the internal structure of DES were classified

subsequent events and public analysis show in fact design was appropriate

DES has become widely used, esp. in financial applications


DES Encryption


Initial Permutation (IP)

IP reorders the input data bits

even bits to LH half, odd bits to RH half

Initial permutation table:


Single round of DES

subkey


Simplified DES DES


DES Round Structure

uses two 32-bit L & R halves

as for any Feistel cipher can describe as:

$L_i = R_{i-1}$

$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$

takes 32-bit R half and 48-bit subkey and:

expands R to 48-bits using perm E

adds to subkey

passes through 8 S-boxes to get 32-bit result

finally permutes this using 32-bit perm P


DES Round Structure

[Figure: DES round function. Labels: 6x8; 4x8=32]


Expansion and S-box indexing

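[Figure: expansion. The 32 bits are arranged in rows of four (n1 n2 n3 n4; n5 n6 n7 n8; …; n29 n30 n31 n32); each row is extended with its neighbouring bits, n32, n4, …, n28 on the left and n5, n9, …, n1 on the right, and feeds one S-box]

Index into S-Box S1: (n32, n5) and (n1, n2, n3, n4)

Ex. 011001 -> 9 (1001)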


Substitution Boxes S

have eight S-boxes which map 6 to 4 bits

each S-box is actually 4 little 4 bit boxes

outer bits 1 & 6 (row bits) select one row

inner bits 2-5 (col bits) are substituted

result is 8 lots of 4 bits, or 32 bits

row selection depends on both data & key

feature known as autoclaving (autokeying)

example: S(18 09 12 3d 11 17 38 39) = 5fd25e03


DES Key Schedule

forms subkeys used in each round

initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

16 stages consisting of:

selecting 24-bits from each half

permuting them by PC2 for use in function f

rotating each half separately either 1 or 2 places depending on the key rotation schedule K

[Figure: key schedule. Labels: initial permutation 1; 56-bit key; … round i]


DES Decryption

Decryption: encryption steps again, using subkeys in reverse order (SK16 … SK1)


How effective is DES? - Avalanche Effect

A change of one bit of the plaintext or key results in changes in many bits of the ciphertext

[Figure: cipher with plaintext and key as inputs and ciphertext as output]


Abbreviations

FIPS: Federal Information Processing Standard

NIST: National Institute of Standards and Technology

NBS: National Bureau of Standards