Block Ciphers and Data Encryption Standard (Class-L8, L18, L9, L10)
Algorithm Types
• Defines what size of plain text is encrypted in each step of the algorithm
– Stream Cipher
– Block Cipher
Stream Cipher
• Plaintext is encrypted one bit at a time
• Suppose the message is “Pay 101” in ASCII
• In binary it is a series of 1s and 0s
• The encryption algorithm is applied to every bit
• Let's say the binary data is 10010101
– Applying XOR with a key produces the cipher text
Block Ciphers
• A block of bits is encrypted at one go
• Suppose the plain text is FOUR_AND_FOUR
• It can be encrypted in blocks of “FOUR”, “_AND_”, and “FOUR”
How to use a block cipher?
• Block ciphers encrypt fixed size blocks
– E.g. DES encrypts 64-bit blocks
• We need some way to encrypt a message of arbitrary length
– E.g. a message of 1000 bytes
• NIST defines five ways to do it
– Called modes of operation
Algorithm Modes (L18)
• A mode is a combination of a series of the basic algorithm steps on a block cipher and some kind of feedback from the previous steps
Five Modes of Operation
– Electronic codebook mode (ECB)
– Cipher block chaining mode (CBC) – most popular
– Output feedback mode (OFB)
– Cipher feedback mode (CFB)
– Counter mode (CTR)
Electronic Code Book (ECB)
• The plaintext is broken into blocks, P1, P2, P3, ...
• Each block contains 64 bits
• Each block is encrypted independently of the other blocks
• For all blocks in a message, the same key is used for encryption
• At the receiver end, the incoming data is divided into 64-bit blocks and the same key is used for decryption
Remarks on ECB
• Strength: it’s simple.
• Weakness:
– Repetitive information contained in the plaintext may show in the ciphertext, if aligned with blocks.
– If the same message (e.g., an SSN) is encrypted (with the same key) and sent twice, their cipher texts are the same.
• Typical application: secure transmission of short pieces of information
Cipher Block Chaining (CBC)
• The plaintext is broken into blocks: $P_1, P_2, P_3, \ldots$
• Each plaintext block is XORed (chained) with the previous ciphertext block before encryption (hence the name): $C_i = E_K(C_{i-1} \oplus P_i)$, with $C_0 = \text{IV}$
• Use an Initial Vector (IV) to start the process.
• Decryption: $P_i = C_{i-1} \oplus D_K(C_i)$
• Application: general block-oriented transmission.
[Figure: Cipher Block Chaining (CBC)]
Remarks on CBC
• The encryption of a block depends on the current and all blocks before it.
• So, repeated plaintext blocks are encrypted differently.
• Initialization Vector (IV)
– Must be known to both the sender & receiver
– Typically, IV is either a fixed value or is sent encrypted in ECB mode before the rest of ciphertext.
Cipher feedback mode (basic version)
• Plaintext blocks: $p_1, p_2, \ldots$
• Key: $k$
• Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
• Encryption:
$c_0 = \text{IV}$
$k_i = E_k(c_{i-1})$, for $i \ge 1$
$c_i = p_i \oplus k_i$, for $i \ge 1$
Cipher Feedback (CFB) Mode
• The plaintext is a sequence of segments of $s$ bits (where $s \le$ block-size): $P_1, P_2, P_3, P_4, \ldots$
• Encryption is used to generate a sequence of keys, each of $s$ bits: $K_1, K_2, K_3, K_4, \ldots$
• The ciphertext is $C_1, C_2, C_3, C_4, \ldots$, where $C_i = P_i \oplus K_i$
• How to generate the key stream?
Generating Key Stream for CFB
• The input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
• Initially, $x_1 =$ an initial vector (IV).
• For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, C_{i-1}$.
• Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.
[Figure: Encryption in CFB Mode]
Decryption in CFB Mode
• Generate key stream $K_1, K_2, K_3, K_4, \ldots$ the same way as for encryption.
• Then decrypt each ciphertext segment as: $P_i = C_i \oplus K_i$
Remark on CFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• s can be any value; a common value is s = 8.
• A ciphertext segment depends on the current and all preceding plaintext segments.
• A corrupted ciphertext segment during transmission will affect the current and next several plaintext segments.
Output feedback mode (basic version)
• Plaintext blocks: $p_1, p_2, \ldots$
• Key: $k$
• Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
• Encryption:
$k_0 = \text{IV}$
$k_i = E_k(k_{i-1})$, for $i \ge 1$
$c_i = p_i \oplus k_i$, for $i \ge 1$
Output Feedback (OFB) Mode
• Very similar to Cipher Feedback in structure.
• But $K_{i-1}$ rather than $C_{i-1}$ is fed back to the next stage.
• As in CFB, the input to the block cipher is a shift register $x$; its value at stage $i$ is denoted as $x_i$.
• Initially, $x_1 =$ an initial vector (IV).
• For $i > 1$, $x_i = \text{shift-left-}s\text{-bits}(x_{i-1}) \,\|\, K_{i-1}$.
• Then, $K_i = s\text{-most-significant-bits}(E_K(x_i))$.
[Figure: Cipher Feedback and Output Feedback]
Remark on OFB
• The block cipher is used as a stream cipher.
• Appropriate when data arrives in bits/bytes.
• Advantage:
– more resistant to transmission errors; a bit error in a ciphertext segment affects only the decryption of that segment.
• Disadvantage:
– Cannot recover from lost ciphertext segments; if a ciphertext segment is lost, all following segments will be decrypted incorrectly (if the receiver is not aware of the segment loss).
• IV should be generated randomly each time and sent with the ciphertext.
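The ECB/CBC remarks and the CFB/OFB error-propagation remarks above, as an added Python example (not part of the original slides). The toy 64-bit Feistel cipher `E` stands in for DES and is an assumption of this example, not a secure cipher; CFB and OFB use s = 8 with the shift-register equations given above.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, the DES block size

def E(key, block):
    """Toy 4-round Feistel cipher standing in for DES (assumption; NOT secure)."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:4]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(prev, p))      # C_i = E_K(C_{i-1} XOR P_i), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    """CFB with s = 8: x_i = shift-left-8(x_{i-1}) || C_{i-1}."""
    x, out = iv, bytearray()
    for byte in data:
        k = E(key, x)[0]                 # s most significant bits of E_K(x_i)
        o = byte ^ k
        c = byte if decrypt else o       # the ciphertext byte is what is fed back
        x = x[1:] + bytes([c])
        out.append(o)
    return bytes(out)

def ofb8(key, iv, data):
    """OFB with s = 8: as CFB, but K_{i-1} is fed back; encrypt == decrypt."""
    x, out = iv, bytearray()
    for byte in data:
        k = E(key, x)[0]
        x = x[1:] + bytes([k])
        out.append(byte ^ k)
    return bytes(out)

def damaged_segments(mode_decrypt, ct, pt, pos=2):
    """Flip one bit in ciphertext segment `pos`; list the wrong plaintext bytes."""
    bad = bytearray(ct)
    bad[pos] ^= 0x01
    got = mode_decrypt(bytes(bad))
    return [i for i, (a, b) in enumerate(zip(got, pt)) if a != b]
```

With 8-bit segments and a 64-bit register, the damaged CFB byte stays in the register for eight further steps, which is the "next several plaintext segments" of the CFB remark; the OFB key stream never sees the ciphertext, so only the flipped segment is wrong.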
Counter Mode (CTR)
• Plaintext blocks: $p_1, p_2, p_3, \ldots$
• Key: $k$
• Basic idea: construct key stream $k_1, k_2, k_3, \ldots$
• Encryption:
$T_1 = \text{IV}$
$T_i = T_{i-1} + 1$
$C_i = P_i \oplus E_K(T_i)$
$C = (\text{IV}, C_1, C_2, C_3, \ldots)$
Remark on CTR
• Strengths:
– Needs only the encryption algorithm
– Fast encryption/decryption; blocks can be processed (encrypted or decrypted) in parallel; good for high speed links
– Random access to encrypted data blocks
• IV should not be reused.
Data Encryption Standard (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security
DES History
• IBM developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
• although DES standard is public
• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use
DES : Basic Principles
• DES is a Block Cipher.
• It encrypts data in blocks of size 64 bits each
• 64 bits of plain text goes as the input to DES, which produces 64 bits of cipher text.
• The key length is 56 bits.
How Does DES Work?
Key Size (56 Bits): How?
• The initial key consists of 64 bits.
• Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key.
• Bit positions (8, 16, 24, 32, 40, 48, 56, 64) are discarded.
• These bits can be used for parity checking to ensure that the key does not contain any error
56 Bit key
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
Key Discarding Process
DES - Basics
• DES uses the two basic techniques of cryptography – Substitution Technique (confusion) and Transposition Technique (diffusion).
• DES consists of 16 steps, each of which is known as a round
• Each round performs the steps of Substitution and Transposition
Level of steps in DES
1. The 64 bit plain text block is handed over to an Initial Permutation (IP) function
2. The IP is performed on plain text
3. The IP produces two halves of the permuted block:
– LPT (Left Plain Text)
– RPT (Right Plain Text)
Level of steps in DES
4. Each of LPT and RPT goes through 16 rounds of the encryption process
5. In the end, LPT and RPT are rejoined, and a Final Permutation (FP) is performed on the combined block
6. The result is the 64-bit cipher text.
Broad Level steps in DES
DES Encryption Overview
Initial Permutation (IP)
• IP happens only once and it happens before the first round
• It specifies how the transposition in IP should proceed
• It says that the IP replaces the first bit of the original plain text block with the 58th bit of the original plain text block
• 2nd bit with 50th bit and so on.
Idea of IP
IP TABLE
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
Initial Permutation IP
• The resulting 64 bits text block is divided into two half blocks (each 32 bits)
• 16 rounds are performed on these two blocks
Permutation on 56 Bit Key
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
Details Of one Round in DES
Step 1 : Key Transformation
• For each round, a 56 bit key is available
• From this 56 bit key, a different 48-bit sub key is generated during each round using a process called Key Transformation
• In this method, the 56 bit key is divided into two halves, each of 28 bits
• These halves are circularly shifted by 1 or 2 positions, depending on the round
Number of Key bits shifted per round
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Shift 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
56 Bit key
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
After Round-1
• 56 Bit Key:
49 41 33 25 17 9 1 58 50 42 34 26 18 10
2 59 51 43 35 27 19 11 3 60 52 44 36 57
55 47 39 31 23 15 7 62 54 46 38 30 22 14
6 61 53 45 37 29 21 13 5 28 20 12 4 63
How to Select 48 bit Key from 56 Bit key
• Since the Key Transformation process involves permutation as well as selection of a 48 bit sub-set of the original 56-bit key, it is called Compression Permutation
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
Bit number 18 is discarded
Step 2 : Expansion Permutation
• The RPT is expanded from 32 bits to 48 bits
• The RPT is divided into 8 blocks, each block consisting of 4 bits
• For each 4-bit block, 2 more bits are added.
Division of 32 bit RPT into Eight 4-bit block
RPT Expansion Process
Expansion Permutation Table
32 1 2 3 4 5 4 5 6 7 8 9
8 9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
S-Box Substitution
• It is a process that accepts the 48-bit input from the XOR operation involving the compressed key and expanded RPT and produces a 32 bit output using Substitution Technique
Way to S-Box Substitution
S-Box Substitution
Selecting an Entry in a S-Box based on the 6-bit input
Example
P-Box Permutation
• The output of S-box contains 32 bits
• These 32 bits are permuted using P-Box
P-Box Permutation
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
XOR and SWAP
Final Permutation (IP inverse)
40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
DES Example - Key
K = 581FBC94D3A452EA
X = 3570E2F1BA4682C7
K = ( 0101 1000 0001 1111 1011 1100 1001 0100 1101 0011 1010 0100 0101 0010 1110 1010 )
C0 = ( 10111100110100 01101001000101 )
D0 = ( 11010010001011 10100001111111 )
DES Example - Key
C1 = ( 0111 1001 1010 0011 0100 1000 1011 )
D1 = ( 1010 0100 0101 1101 0000 1111 1111 )
K1 = ( 001001 111010 000101 101001 111001 011000 110111 011010 )
C2 = ( 1111 0011 0100 0110 1001 0001 0110 )
D2 = ( 0100 1000 1011 1010 0001 1111 1111 )
K2 = ( 110110 101001 000111 011101 110101 111011 011101 001000 )
DES Example - Data
K = 581FBC94D3A452EA
X = 3570E2F1BA4682C7
X = (x1, x2, x3, …, x64)
= ( 0011 0101 0111 0000 1110 0010 1111 0001 1011 1010 0100 0110 1000 0010 1100 0111)
This plaintext X is first subjected to an Initial Permutation – IP which gives
L0 = ( 1010 1110 0001 1011 1010 0001 1000 1001)
= A E 1 B A 1 8 9
R0 = ( 1101 1100 0001 1111 0001 0000 1111 0100)
= D C 1 F 1 0 F 4
DES Example - Data
E(R0) = ( 011011 111000 000011 111110 100010 100001 011110 101001)
E(R0) ⊕ K1 = ( 010010 000010 000110 010111 011011 111001 101001 110011)
$S_5^{01}(1101) = S_5^{1}(13) = 9 = 1001$
$S_6^{11}(1100) = S_6^{3}(12) = 6 = 0110$
$S_7^{11}(0100) = S_7^{3}(4) = 1 = 0001$
$S_8^{11}(1001) = S_8^{3}(9) = 12 = 1100$
DES Example - Data
B1 = (1010 0001 1110 1100 1001 0110 0001 1100)
P(B1) = (0010 1011 1010 0001 0101 0011 0110 1100)
R1 = P(B1) ⊕ L0
= (1000 0101 1011 1010 1111 0010 1110 0101)
= 8 5 B A F 2 E 5
DES Example - Data
L1 = (1101 1100 0001 1111 0001 0000 1111 0100)
= D C 1 F 1 0 F 4
E(R1) = ( 110000 001011 110111 110101 011110 100101 011100 001011)
E(R1) ⊕ K2 = ( 000110 100010 110000 101000 101011 011110 000001 000011)
DES Example - Data
$S_1^{00}(0011) = S_1^{1}(3) = 1 = 0001$
$S_2^{10}(0001) = S_2^{3}(1) = 14 = 1110$
$S_3^{10}(1000) = S_3^{3}(8) = 11 = 1011$
$S_4^{10}(0100) = S_4^{3}(4) = 12 = 1100$
$S_5^{11}(0101) = S_5^{1}(5) = 14 = 1110$
$S_6^{00}(1111) = S_6^{3}(15) = 11 = 1011$
$S_7^{01}(0000) = S_7^{3}(0) = 13 = 1101$
$S_8^{01}(0001) = S_8^{3}(1) = 15 = 1111$
DES Example - Data
B2 = (0001 1110 1011 1100 1110 1011 1101 1111)
P(B2) = (0101 1111 0011 1110 0011 1001 1111 0111)
R2 = P(B2) ⊕ L1
= (1000 0011 0010 0001 0010 1001 0000 0011)
= 8 3 2 1 2 9 0 3
L2 = R1 = (1000 0101 1011 1010 1111 0010 1110 0101)
= 8 5 B A F 2 E 5
DES Example - Data - Done !
Y = (y1, y2,y3, …, y64)
= ( 1101 0111 0110 1001 1000 0010 0010 0100
0010 1000 0011 1110 0000 1010 1110 1010)
= ( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A)
Strength of DES – Key Size
• 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
– in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• must now consider alternatives to DES
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks
Strength of DES – Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive information about some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
Differential Cryptanalysis
• one of the most significant recent (public) advances in cryptanalysis
• known by NSA in 70's DES design
• Murphy, Biham & Shamir published in 90’s
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it, Lucifer
Differential Cryptanalysis
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing value of the key
• differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis Compares Pairs of Encryptions
• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used
Differential Cryptanalysis
• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds (with decreasing probabilities)
[Figure: Differential Cryptanalysis]
Differential Cryptanalysis
• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
– if intermediate rounds match required XOR have a right pair
– if not then have a wrong pair, relative ratio is S/N for attack
• can then deduce keys values for the rounds
– right pairs suggest same key bits
– wrong pairs give random values
• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
• Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with $2^{43}$ known plaintexts, easier but still in practice infeasible
DES Design Criteria
• as reported by Coppersmith in [COPP94]
• 7 criteria for S-boxes provide for
– non-linearity
– resistance to differential cryptanalysis
– good confusion
• 3 criteria for permutation P provide for
– increased diffusion
Block Cipher Design Principles
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear
– have issues of how S-boxes are selected
• key schedule
– complex subkey creation