Chapter 3 – Block Ciphers and the Data Encryption Standard

Modern Block Ciphers
now look at modern block ciphers
one of the most widely used types of cryptographic algorithms
provide secrecy/authentication services
focus on DES (Data Encryption Standard)
to illustrate block cipher design principles

Block vs Stream Ciphers
block ciphers process messages in blocks, each of which is then en/decrypted
  like a substitution on very big characters (64 bits or more)
stream ciphers process messages a bit or byte at a time when en/decrypting
many current ciphers are block ciphers
  broader range of applications

Block Cipher Principles
most symmetric block ciphers are based on a Feistel Cipher Structure
must be able to decrypt ciphertext to recover messages efficiently
block ciphers look like an extremely large substitution
would need a table of $2^{64}$ entries for a 64-bit block
instead create from smaller building blocks using idea of a product cipher

Ideal Block Cipher

Claude Shannon and Substitution-Permutation Ciphers
Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
form basis of modern block ciphers
S-P nets are based on the two primitive cryptographic operations seen before:
  substitution (S-box)
  permutation (P-box)
provide confusion & diffusion of message & key

Confusion and Diffusion
cipher needs to completely obscure statistical properties of original message
a one-time pad does this
more practically Shannon suggested combining S & P elements to obtain:
  diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  confusion – makes relationship between ciphertext and key as complex as possible

Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
  based on concept of invertible product cipher
partitions input block into two halves
  process through multiple rounds which
  perform a substitution on left data half
  based on round function of right half & subkey
  then have permutation swapping halves
implements Shannon's S-P net concept

Feistel Cipher Structure

Feistel Cipher Design Elements
block size
key size
number of rounds
subkey generation algorithm
round function
fast software en/decryption
ease of analysis

Feistel Cipher Decryption

DES History
IBM developed Lucifer cipher
  by team led by Feistel in late 60's
  used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES

The same algorithm is used both to encipher and to decipher.
Most widely used cipher ever
Security based on Shannon's Theory
  Confusion: a piece of information is changed so that the output bits have no obvious relationship to the input bits.
  Diffusion: the effect of one plaintext bit is spread to other bits in the ciphertext.

Block Cipher:
  Block size = 64 bits.
  Key length = 56 bits (the 64-bit key includes bits 8, 16, 24, 32, 40, 48, 56, 64 for the odd parity check)
Advantages of DES:
  DES can be implemented in software and hardware because it uses simple arithmetic and logical operations.
  High speed
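
DES
[Figure: DES enciphering. The 64-bit input T passes through IP and is split into the 32-bit halves $L_0$ and $R_0$; sixteen rounds apply f with the 48-bit subkeys $K_1, K_2, \ldots, K_{16}$; $IP^{-1}$ produces the output.]
$L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, K_1)$
$L_2 = R_1$, $R_2 = L_1 \oplus f(R_1, K_2)$
...
$L_{15} = R_{14}$, $R_{15} = L_{14} \oplus f(R_{14}, K_{15})$
$L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, K_{16})$
In: 64 bits, Out: 64 bits, Key: 56 bits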

IP (Initial Permutation)
The table should be read left-to-right, top-to-bottom.
$T = t_1 t_2 \ldots t_{64}$
$T_0 = t_{58} t_{50} \ldots t_7 = L_0 R_0$

$IP^{-1}$ (Final Permutation)
$IP^{-1}$ is the inverse of IP.
All tables are fixed.
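
Function f
[Figure: $f(R_{i-1}, K_i)$. The 32-bit $R_{i-1}$ is expanded by E to 48 bits and XORed with the 48-bit $K_i$; the 48-bit result passes through the S-boxes $S_1, \ldots, S_8$ to give 32 bits, which P permutes into the 32-bit output.]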

E (Bit-Selection Table)
In: 32 bits, Out: 48 bits

P (Permutation)
In: 32 bits, Out: 32 bits

S-boxes (Selection Functions)

Each S-box $S_j$ maps a 6-bit block $b_1 b_2 b_3 b_4 b_5 b_6$ into a 4-bit block. (In: 6 bits, Out: 4 bits)
The integer corresponding to $b_1 b_6$ selects a row and the integer corresponding to $b_2 b_3 b_4 b_5$ selects a column.
Example: $(100001)_2$ for S-box 1
  Row # = $(11)_2$ = 3 and Column # = $(0000)_2$ = 0
  Output = 15 = $(1111)_2$.
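
Key Calculation
[Figure: key schedule. The key K passes through PC-1 and is split into the 28-bit halves $C_0$ and $D_0$; in iteration i the left circular shift $LS_i$ turns $C_{i-1}$, $D_{i-1}$ into $C_i$, $D_i$, and PC-2 applied to $C_i D_i$ gives $K_i$, for i = 1, ..., 16.]
$K_1, K_2, \ldots, K_{16}$: 48 bits each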

PC-1 (Key Permutation)
In: 64 bits (with 8 parity bits), Out: 56 bits

PC-2 (Key Permutation)
In: 56 bits, Out: 48 bits

$LS_i$ (Left Circular Shift)
Iteration i    Number of left shifts
 1             1
 2             1
 3             2
 4             2
 5             2
 6             2
 7             2
 8             2
 9             1
10             2
11             2
12             2
13             2
14             2
15             2
16             1

Deciphering
Deciphering is performed using the same algorithm, except that $K_{16}$ is used in the first iteration, $K_{15}$ in the second iteration, and so on.
The last round of enciphering:
$L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, K_{16})$
[Figure: $L_{15}$ and $R_{15}$ enter the round with $K_{16}$ and f; the result passes through $IP^{-1}$ to the output.]

Deciphering
The first round of deciphering:
$L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, K_{16})$
[Figure: the input passes through IP and is split into $L_0$ and $R_0$, which enter the round with $K_{16}$ and f.]

Deciphering
The last round of enciphering:
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus f(RE_{15}, K_{16})$
The first round of deciphering:
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus f(RD_0, K_{16})$
$= RE_{16} \oplus f(RE_{15}, K_{16})$
$= (LE_{15} \oplus f(RE_{15}, K_{16})) \oplus f(RE_{15}, K_{16})$
$= LE_{15} \oplus (f(RE_{15}, K_{16}) \oplus f(RE_{15}, K_{16}))$
$= LE_{15} \oplus 0$
$= LE_{15}$
Thus, the output of the first round of deciphering is the swap of the input to the sixteenth round of the enciphering.
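The derivation above never uses any property of f, so it holds for every round and for a round function that cannot be inverted. The following Python sketch is an added example, not part of the original slides: it generalises the argument to a full 16-round Feistel network, and `toy_f`, `SUBKEYS` and `PLAINTEXT` are constructed stand-ins rather than the DES f, key schedule or a test vector.

```python
# Added illustration: generic 16-round Feistel network over 64-bit blocks.
# toy_f is a stand-in round function, NOT the DES f (no E, S-boxes or P).
import hashlib

MASK32 = 0xFFFFFFFF

def toy_f(right, subkey):
    """Non-invertible 32-bit round function (assumption for this demo)."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def rounds(left, right, subkeys, f):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) per subkey."""
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return left, right

def feistel(block, subkeys, f=toy_f):
    left, right = rounds(block >> 32, block & MASK32, subkeys, f)
    # Emit the halves swapped (R_n L_n), as DES does before IP^-1.
    return (right << 32) | left

def encrypt(block, subkeys, f=toy_f):
    return feistel(block, subkeys, f)

def decrypt(block, subkeys, f=toy_f):
    # Same algorithm; only the subkey order is reversed (K_16 first).
    return feistel(block, subkeys[::-1], f)

def check_first_decipher_round(block, subkeys, f=toy_f):
    """True if (LD_1, RD_1) equals (RE_15, LE_15), as derived above."""
    le15, re15 = rounds(block >> 32, block & MASK32, subkeys[:-1], f)
    c = encrypt(block, subkeys, f)
    ld1, rd1 = rounds(c >> 32, c & MASK32, subkeys[-1:], f)
    return (ld1, rd1) == (re15, le15)

# Constructed sample values (not test vectors from any standard).
SUBKEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, SUBKEYS)
    print(f"ciphertext {c:016x}")
    print("round trip ok:", decrypt(c, SUBKEYS) == PLAINTEXT)
    print("first round matches:", check_first_decipher_round(PLAINTEXT, SUBKEYS))
```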

The order of subkeys is reversed ($k_{16}, k_{15}, \ldots, k_1$).
The key shift is changed to a right circular shift.
The number of bits shifted in each round, listed as (round, bits), is (1, 0), (2, 1), (3, 2), (4, 2), (5, 2), (6, 2), (7, 2), (8, 2), (9, 1), (10, 2), (11, 2), (12, 2), (13, 2), (14, 2), (15, 2), (16, 1).

Weakness of DES
Complements: if $C = E_k(P)$, then $\neg C = E_k(\neg P)$, where $\neg x$ is the complement of $x$.
  Reduces the complexity of finding keys from $2^{56}$ to $2^{55}$.
Weak keys (4):
  If the left and right halves of the 56-bit key are each all 0s or all 1s, all subkeys are the same.
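
The left-shift table, the right-shift schedule used for deciphering and the weak-key condition can all be checked on the 28-bit C and D registers alone. The Python sketch below is an added example, not part of the original slides; it omits PC-1 and PC-2 (since $K_i$ is a fixed function of $C_i D_i$, equal register states give equal subkeys), and `C0`, `D0` are constructed sample halves.

```python
# Added illustration: rotations of the 28-bit C and D registers only.
# PC-1 and PC-2 are omitted; K_i = PC-2(C_i D_i) depends only on the state.
LEFT_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # enciphering
RIGHT_SHIFTS = [0, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # deciphering
MASK28 = (1 << 28) - 1

def rotl28(x, n):
    """Left circular shift of a 28-bit value by n bits."""
    n %= 28
    return ((x << n) | (x >> (28 - n))) & MASK28

def rotr28(x, n):
    """Right circular shift of a 28-bit value by n bits."""
    return rotl28(x, 28 - n)

def states_encipher(c0, d0):
    """Return [(C_1, D_1), ..., (C_16, D_16)] using the left-shift table."""
    out, c, d = [], c0, d0
    for n in LEFT_SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        out.append((c, d))
    return out

def states_decipher(c0, d0):
    """Return the 16 register states produced by the right-shift schedule."""
    out, c, d = [], c0, d0
    for n in RIGHT_SHIFTS:
        c, d = rotr28(c, n), rotr28(d, n)
        out.append((c, d))
    return out

def distinct_states(c0, d0):
    """Number of different (C_i, D_i) pairs seen over the 16 rounds."""
    return len(set(states_encipher(c0, d0)))

# Constructed sample halves (arbitrary values, not derived from a real key).
C0, D0 = 0x0000001, 0x5566789

if __name__ == "__main__":
    print("total left shift:", sum(LEFT_SHIFTS))  # 28, so C_16 = C_0
    rev = states_decipher(C0, D0) == states_encipher(C0, D0)[::-1]
    print("right-shift schedule yields reversed order:", rev)
    for c in (0, MASK28):
        for d in (0, MASK28):
            print(f"C0={c:07x} D0={d:07x} distinct states:", distinct_states(c, d))
```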

Semi-Weak Keys:
  encryption using two different keys could give the same result [$E_k(P) = E_{k'}(P)$]