Ch3 Block Ciphers and DES_blackboard


  • 7/25/2019 Ch3 Block Ciphers and DES_blackboard


    Modern Block Ciphers

    Introduction to Network

    Security

    Basic idea of modern block ciphers

    From classical ciphers, we learn two techniques that may improve security:
    Encrypt multiple letters at a time
    Use multiple ciphertext alphabets (Polyalphabetic ciphers)
    Combining these two techniques
    encrypt eight (or more) letters at a time: called a block cipher
    and use an extremely large number of ciphertext alphabets: will be called modes of operation

    What is Simplified DES

    Developed 1996 as a teaching tool
    Santa Clara University, Prof. Edward Schaefer
    Takes an 8-bit block plaintext, a 10-bit key and produces an 8-bit block of ciphertext
    Decryption takes the 8-bit block of ciphertext, the same 10-bit key and produces the original 8-bit block of plaintext

    S-DES Scheme

    [Figure: S-DES scheme. Encryption, 8-bit plaintext to 8-bit ciphertext: IP, fk, SW, fk, IP-1. Decryption, 8-bit ciphertext to 8-bit plaintext: IP, fk, SW, fk, IP-1. Key generation: P10, SHIFT, P8, SHIFT, P8, giving K1 and K2.]

    Five Functions to Encrypt

    IP - an initial permutation
    fk - a complex, 2-input function
    SW - a simple permutation that swaps the two nybbles
    fk - a complex, 2-input function; again
    IP-1 - inverse permutation of the initial permutation

    Key Generation

    [Figure: key generation. The 10-bit key passes through P10 and is split into two 5-bit groups; LS-1 on each group, then P8 gives the 8-bit K1; LS-2 on each group, then P8 gives the 8-bit K2.]

    Operations
    (A) Apply permutation P10:
    (B) Apply LS-1 (left shift 1) to each 5-bit group.
    (C) Apply permutation P8:
    (D) Apply LS-2 (left shift 2) to each 5-bit group.

    Encryption Detail

    [Figure: encryption detail. IP; E/P, S0 and S1, P4 with K1; SW; E/P, S0 and S1, P4 with K2; IP-1.]

    (A) Apply expansion/permutation E/P to input 4 bits
    (B) Add the 8-bit key (use XOR)
    (C) Pass the left 4 bits through S-box S0 and the right 4 bits through S-box S1
    (D) Apply permutation P4:

    The permutation IP-1

    The permutation IP

    S-box Operation

    (1) First and fourth bits give row number
    (2) Second and third bits give column number
    ( 8-bits )

    Let L, R be the left 4 bits and right 4 bits of the input. Then
    F_Key(L, R) = (L XOR f(R, Key), R)
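An added example (not from the original slides) implementing the S-DES scheme described above: key generation, f_k, SW, and decryption as the same algorithm with the sub-keys swapped. The permutation and S-box tables are the constants of the published S-DES definition and are not given in the text of this page; the function names are chosen here.

```python
# S-DES: 8-bit block, 10-bit key. Tables are the published S-DES constants
# (an assumption of this example; the page's own tables did not survive).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP, IP_INV = (2, 6, 3, 1, 4, 8, 5, 7), (4, 1, 3, 5, 7, 2, 8, 6)
EP, P4 = (4, 1, 2, 3, 2, 3, 4, 1), (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(value, table, width):
    # Output bit j is input bit table[j] (1-based, counted from the MSB).
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def rotl5(half, n):
    return ((half << n) | (half >> (5 - n))) & 0b11111   # LS-1 / LS-2

def round_keys(key10):
    # (A) P10, (B) LS-1 on each 5-bit group, (C) P8 -> K1, (D) LS-2, P8 -> K2
    t = permute(key10, P10, 10)
    left, right = rotl5(t >> 5, 1), rotl5(t & 31, 1)
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rotl5(left, 2), rotl5(right, 2)
    return k1, permute((left << 5) | right, P8, 10)

def sbox(box, nibble):
    # First and fourth bits give the row, second and third the column.
    row = ((nibble >> 2) & 2) | (nibble & 1)
    return box[row][(nibble >> 1) & 3]

def f_k(block, subkey):
    # F_Key(L, R) = (L XOR f(R, Key), R)
    left, right = block >> 4, block & 15
    t = permute(right, EP, 4) ^ subkey
    f = permute((sbox(S0, t >> 4) << 2) | sbox(S1, t & 15), P4, 4)
    return ((left ^ f) << 4) | right

def crypt(block, subkeys):
    # IP, f_k, SW, f_k, IP-1, using the sub-keys in the order given.
    t = f_k(permute(block, IP, 8), subkeys[0])
    t = ((t & 15) << 4) | (t >> 4)                        # SW
    return permute(f_k(t, subkeys[1]), IP_INV, 8)

def encrypt(block, key10):
    return crypt(block, round_keys(key10))

def decrypt(block, key10):
    return crypt(block, round_keys(key10)[::-1])          # K2 first, then K1
```
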

    Block Ciphers

    In general, a block cipher replaces a block of N plaintext bits with a block of N ciphertext bits. (E.g., N = 64 or 128.)
    A block cipher is a monoalphabetic cipher.
    Each block may be viewed as a huge character.
    The "alphabet" consists of 2^N gigantic characters.
    Each particular cipher is a one-to-one mapping from the plaintext "alphabet" to the ciphertext "alphabet".
    There are 2^N! such mappings.
    A secret key indicates which mapping to use.

    Ideal Block Cipher

    An ideal block cipher would allow us to use any of these 2^N! mappings.
    The key space would be extremely large.
    But this would require a key of log2(2^N!) bits.
    If N = 64, log2(2^N!) ≈ N × 2^N ≈ 10^21 bits ≈ 10^11 GB.
    Infeasible

    Practical Block Ciphers

    Modern block ciphers use a key of K bits to specify a random subset of 2^K mappings.
    If K ≈ N,
    2^K is much smaller than 2^N!
    But is still very large.
    If the selection of the 2^K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher.
    Horst Feistel, in the 1970s, proposed a method to achieve this.

    The Feistel Cipher Structure

    Input: a data block and a key
    Partition the data block into two halves L and R.
    Go through a number of rounds. In each round,
    R does not change.
    L goes through an operation that depends on R and a round key derived from the key.

    The Feistel Cipher Structure

    [Figure: the Feistel cipher structure, round i]

    Round i

    [Figure: round i. Inputs L_{i-1}, R_{i-1} and round key k_i; function f; outputs L_i, R_i.]

    Mathematical Description of Round i

    Let $L_{i-1}$ and $R_{i-1}$ be the input of round $i$, and $L_i$ and $R_i$ the output.
    We have
    $L_i = R_{i-1}$
    $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$

    Or, $(L_i, R_i)$ is obtained from $(L_{i-1}, R_{i-1})$ by composing two maps, where
    the first is $(x, y) \mapsto (x \oplus F(y, k_i),\ y)$
    and the second is $(x, y) \mapsto (y, x)$.
    Note that each of the two maps is its own inverse.

    Feistel Cipher

    Goes through a number of rounds, say 16 rounds.
    A Feistel cipher encrypts a plaintext block $m$ as $c = E_k(m)$: the composition of rounds 1, 2, ..., 16 applied to $m$.
    The decryption will be $m = D_k(c)$: the inverse rounds applied to $c$ in the opposite order.
    The decryption algorithm is the same as the encryption algorithm, but uses round keys in the reverse order.

    DES: The Data Encryption Standard

    Most widely used block cipher in the world.
    Adopted by NIST in 1977.
    Based on the Feistel cipher structure with 16 rounds of processing.
    Block = 64 bits
    Key = 56 bits
    What is specific to DES is the design of the F function and how round keys are derived from the main key.

    Design Principles of DES

    To achieve high degree of diffusion and confusion.
    Diffusion: making each plaintext bit affect as many ciphertext bits as possible.
    Confusion: making the relationship between the encryption key and the ciphertext as complex as possible.

    DES Encryption Overview

    Round Keys Generation

    Main key: 64 bits.
    56-bits are selected and permuted using Permuted Choice One (PC1); and then divided into two 28-bit halves.
    In each round:
    Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
    Select 24-bits from each half, and permute the combined 48 bits.
    This forms a round key.

    Permuted Choice One (PC1)

    57 49 41 33 25 17  9
     1 58 50 42 34 26 18
    10  2 59 51 43 35 27
    19 11  3 60 52 44 36
    63 55 47 39 31 23 15
     7 62 54 46 38 30 22
    14  6 61 53 45 37 29
    21 13  5 28 20 12  4

    Initial Permutation IP

    IP: the first step of the encryption.
    It reorders the input data bits.
    The last step of encryption is the inverse of IP.
    IP and IP-1 are specified by tables (see Stallings book, Table

    Round i

    [Figure: round i. Inputs L_{i-1}, R_{i-1} and round key k_i; function F; outputs L_i, R_i.]

    The F function of DES

    The $L$ and $R$ each have 32 bits, and the round key $K$ 48 bits.
    The $F$ function, on input $R$ and $K$, produces 32 bits:
    $F(R, K) = P(S(E(R) \oplus K))$
    where
    $E$: expands 32 bits to 48 bits;
    $S$: shrinks it back to 32 bits;
    $P$: permutes the 32 bits.

    The F function of DES

    The Expansion Permutation E

    The S-Boxes

    Eight S-boxes each map 6 to 4 bits
    Each S-box is specified as a 4 x 16 table
    each row is a permutation of 0-15
    outer bits 1 & 6 of input are used to select one of the four rows
    inner 4 bits of input are used to select a column
    All the eight boxes are different.

    Box S1

          0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    0    14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
    1     0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
    2     4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
    3    15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

    For example, S1(101010) = 6 = 0110.

    Permutation Function P

    P
    16  7 20 21
    29 12 28 17
     1 15 23 26
     5 18

    Avalanche Effect

    Avalanche effect:
    A small change in the plaintext or in the key results in a significant change in the ciphertext.
    an evidence of high degree of diffusion and confusion
    a desirable property of any encryption algorithm
    DES exhibits a strong avalanche effect
    Changing 1 bit in the plaintext affects

    Attacks on DES

    Brute-force key search
    Needs only two plaintext-ciphertext samples
    Trying 1 key per microsecond would take 1000+ years on average, due to the large key space size, 2^56 ≈ 7.2×10^16.
    Differential cryptanalysis
    Possible to find a key with 2^47 plaintext-ciphertext samples
    Known-plaintext attack
    Linear cryptanalysis:
    Possible to find a key with 2^4…

    DES Cracker

    DES Cracker: A DES key search machine
    contains 15…

    Multiple Encryption with DES

    In 2001, NIST published the Advanced Encryption Standard (AES) to replace DES.
    But users in commerce and finance are not ready to give up on DES.
    As a temporary solution to DES's security problem, one may encrypt a message (with DES) multiple times using multiple keys:
    2DES is not much more secure than the regular DES
    So,

    2DES

    Consider 2DES with two keys:
    C = E_K2(E_K1(P))
    Decryption: P = D_K1(D_K2(C))
    Key length: 56 × 2 = 112 bits
    This should have thwarted brute-force attacks? Wrong

    Meet-in-the-Middle Attack on 2DES

    2-DES: C = E_K2(E_K1(P))
    Given a known pair (P, C), attack as follows:
    Encrypt P with all 2^56 possible keys for K1.
    Decrypt C with all 2^56 possible keys for K2.
    If E_K1'(P) = D_K2'(C), try the keys on another (P', C').
    If works, (K1', K2') = (K1, K2) with high probability.
    Takes O(2^56) steps; not much more than attacking 1-DES.

    [Figure: P, E_K1, E_K2, C]
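The steps above, carried through on a toy cipher, as an added example that is not part of the original slides. The 16-bit Feistel cipher `toy_crypt` with a 12-bit key, the keys and the plaintexts are all constructed stand-ins for DES, chosen so that the 2 × 2^12 cipher calls (instead of 2^24 for exhaustive search over both keys) finish instantly.

```python
# Toy cipher constructed for this example: 16-bit block, 12-bit key, 4 Feistel
# rounds. It stands in for DES so both key spaces can be enumerated quickly.
KEY_BITS = 12


def toy_crypt(block, key, decrypt=False):
    subkeys = [(key >> s) & 0xFF for s in (0, 4, 2, 1)]
    left, right = block >> 8, block & 0xFF
    for sk in (subkeys[::-1] if decrypt else subkeys):
        t = (right + sk) & 0xFF
        left, right = right, left ^ (((t * t + 167 * t + 13) >> 2) & 0xFF)
    return (right << 8) | left             # final swap: decrypt = same rounds


def double_encrypt(p, k1, k2):
    """C = E_K2(E_K1(P)), the 2DES construction from the slide."""
    return toy_crypt(toy_crypt(p, k1), k2)


def meet_in_the_middle(pairs):
    """Return (K1, K2) candidates using about 2 * 2^KEY_BITS cipher calls."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << KEY_BITS):        # encrypt P under every K1'
        middle.setdefault(toy_crypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):        # decrypt C under every K2'
        x = toy_crypt(c0, k2, decrypt=True)
        for k1 in middle.get(x, ()):       # E_K1'(P) == D_K2'(C)
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                found.append((k1, k2))     # confirmed on the other pairs
    return found


def demo():
    k1, k2 = 0xA5C, 0x3F1                  # constructed secret keys
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    return (k1, k2), meet_in_the_middle(pairs)
```
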

    3DES with 2 keys

    A straightforward implementation would be: $c := E_{k_1}(E_{k_2}(E_{k_1}(m)))$
    In practice: $c := E_{k_1}(D_{k_2}(E_{k_1}(m)))$
    Also referred to as EDE encryption
    Reason: if $k_1 = k_2$, then 3DES = 1DES.
    Thus, a 3DES software can be used as a single-DES.
    Standardized in ANSI X9.17 & ISO 8732.
    No practical attacks are known.

    3DES with 3 keys

    Encryption: $c := E_{k_3}(D_{k_2}(E_{k_1}(m)))$.
    If $k_1 = k_3$, it becomes 3DES with 2 keys.
    If $k_1 = k_2 = k_3$, it becomes the regular DES.
    So, it is backward compatible with both 3DES with 2 keys and the regular DES.
    Some internet applications adopt 3DES with three keys; e.g. PGP and S/MIME.