Conventional Encryption: Modern Techniques - PowerPoint PPT Presentation

Provided by: hyo5
1
Conventional Encryption Modern Techniques
  • Simplified DES
  • Block cipher principles
  • DES
  • Block cipher design principles
  • Block cipher modes of operation

2
Simplified DES
  • Baby DES, Teaching aid
  • Block cipher
  • 10-bit key
  • 8-bit input (split into 2x4)
  • 2 rounds
  • 2 S-boxes (4 bits in, 2 bits out)
  • Five stages
  • Initial permutation (IP)
  • Key-dependent scrambler (f)
  • Mixes permutation and substitution
  • 8-bit key
  • Swap of L and R
  • f again (different key)
  • Inverse permutation ($IP^{-1}$)
  • $\text{S-DES} = IP^{-1} \circ f_{K_2} \circ SW \circ f_{K_1} \circ IP$
  • $\text{S-DES}^{-1} = IP^{-1} \circ f_{K_1} \circ SW \circ f_{K_2} \circ IP$

3
S-DES Key Generation
Simplified DES
  • 10-bit key is a generator for two 8-bit
    (sub)keys, K1 and K2
  • K1 = permute10(K) → paired circular left shift1 →
    select and permute8
  • K2 = permute10(K) → paired circular left shift2 →
    select and permute8
  • Permute10 (P10)
  • 3 5 2 7 4 10 1 9 8 6
  • Paired circular left shift1 (LS-1)
  • 2 3 4 5 1 7 8 9 10 6
  • Select and permute8 (P8)
  • 6 3 7 4 8 5 10 9
  • Paired circular left shift2 (LS-2)
  • 4 5 1 2 3 9 10 6 7 8

4
Simplified DES
Initial/Final Permutation Function fK
  • Initial and Final Permutation
  • IP 2 6 3 1 4 8 5 7
  • $IP^{-1}$ 4 1 3 5 7 2 8 6
  • Function fK
  • Combination of substitution and permutation
  • Let the 8-bit input be (L, R), with 4-bit halves L and R
  • Let $F: \{0,1\}^4 \to \{0,1\}^4$, not necessarily 1-1
  • Then $f_K(L, R) = (L \oplus F(R, K_i), R)$

5
Mapping F
Simplified DES
  • F takes a 4-bit input (n1,n2,n3,n4) and expands it
    to 8 bits (E/P)
  • E/P 4 1 2 3 2 3 4 1
  • View this as
  • Then adds the key
  • $n_4 \oplus k_{11},\ n_1 \oplus k_{12},\ n_2 \oplus k_{13},\ n_3 \oplus k_{14}$
    $n_2 \oplus k_{15},\ n_3 \oplus k_{16},\ n_4 \oplus k_{17},\ n_1 \oplus k_{18}$
  • View this as a matrix
  • $p_{0,0}\ p_{0,1}\ p_{0,2}\ p_{0,3}$
    $p_{1,0}\ p_{1,1}\ p_{1,2}\ p_{1,3}$
  • First row is fed into S-box S0
  • Second row is fed into S-box S1
  • Each produces two bits
  • Results are concatenated for 4-bit output

6
S-boxes and P4
Simplified DES
  • S-boxes S0 and S1: 4×4 matrices of 2-bit entries
  • Select row $(p_{x,0}, p_{x,3})$ of $S_x$
  • Select column $(p_{x,1}, p_{x,2})$ of $S_x$
  • Concatenate and permute the resulting 2-bit S-box
    entries (P4)
  • P4 2 4 3 1
  • Complete the computation of f
  • xor with L, append R
  • F is applied only to R, but after swapping, F is
    applied to the former L
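
The S-DES pipeline of slides 2 to 6, as an added Python example that is not part of the original slides. The permutation tables are the ones listed above; the contents of S0 and S1 do not appear in this transcript, so the standard textbook S-DES boxes are assumed, and the sample key and plaintext in the usage note are constructed.

```python
# Added example: S-DES built from the tables on the slides (P10, P8, IP, IP^-1, E/P, P4).
# Assumption: S0 and S1 are the standard textbook S-DES boxes (not given on the slides).
P10, P8 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6), (6, 3, 7, 4, 8, 5, 10, 9)
IP, IP_INV = (2, 6, 3, 1, 4, 8, 5, 7), (4, 1, 3, 5, 7, 2, 8, 6)
EP, P4 = (4, 1, 2, 3, 2, 3, 4, 1), (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def permute(bits, table):
    """Output position j takes input bit table[j] (1-indexed, as on the slides)."""
    return [bits[i - 1] for i in table]

def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def rotl(half, n):
    return half[n:] + half[:n]

def subkeys(key10):
    k = permute(to_bits(key10, 10), P10)
    l, r = rotl(k[:5], 1), rotl(k[5:], 1)   # LS-1 on each 5-bit half
    k1 = permute(l + r, P8)
    l, r = rotl(l, 2), rotl(r, 2)           # two more places: the slide's LS-2 table
    return k1, permute(l + r, P8)

def sbox(box, q):
    # row = (first, last) bit of the 4-bit input, column = the two middle bits
    return to_bits(box[q[0] * 2 + q[3]][q[1] * 2 + q[2]], 2)

def F(r, k):
    p = [a ^ b for a, b in zip(permute(r, EP), k)]
    return permute(sbox(S0, p[:4]) + sbox(S1, p[4:]), P4)

def f_k(l, r, k):
    return [a ^ b for a, b in zip(l, F(r, k))], r

def crypt(block8, keys):
    b = permute(to_bits(block8, 8), IP)
    l, r = f_k(b[:4], b[4:], keys[0])
    l, r = f_k(r, l, keys[1])               # SW, then f with the second subkey
    return int("".join(map(str, permute(l + r, IP_INV))), 2)

def encrypt(block8, key10):
    return crypt(block8, subkeys(key10))

def decrypt(block8, key10):
    return crypt(block8, subkeys(key10)[::-1])  # same structure, subkeys reversed
```

With the constructed key 1010000010, `encrypt(0b01110010, 0b1010000010)` returns `0b01110111`, and `decrypt` maps it back.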

7
Analysis of S-DES
Simplified DES
  • Exhaustive search (brute force) on key space is
    feasible
  • How about cryptanalysis? Known-plaintext
    attack?
  • For each ciphertext bit, can write an equation
  • $c_i = g(p_1, p_2, \ldots, p_8, k_1, k_2, \ldots, k_{10}),\ i = 1, \ldots, 8$
  • 8 equations in 10 unknowns
  • Due to the S-boxes, which provide the nonlinearity,
    the polynomial equations become very complex (each
    equation may have many (like 29) terms → makes
    cryptanalysis difficult)

8
Block Cipher Principles
  • Stream Ciphers and Block Ciphers
  • Stream cipher: one bit or byte at a time
  • Block cipher: large block, typically 64 bits, at
    a time
  • Block ciphers work on a block at a time, which is
    some number of bits. All of these bits have to be
    available before they can be processed
  • Block ciphers: broader range of applications than
    stream ciphers
  • Large block thwarts statistical attacks


9
Motivation for Feistel Cipher Structure
Block Cipher Principles
  • What is the most general form of block cipher?
  • For n-bit block, consider the transformation
    $F: 2^n \to 2^n$
  • F must be reversible, i.e., 1-1 correspondence
  • $2^n!$ mappings → mapping itself is a key → key size
    $O(n \times 2^n)$ bits
  • 64-bit block → ≈ $2^{70}$ ≈ $10^{21}$-bit key → Not
    practical → Need approximation
  • In 1949, Claude Shannon introduced the idea of
    substitution-permutation (S-P) networks which
    form the basis of modern block ciphers

10
Motivation for Feistel Cipher Structure
Block Cipher Principles
  • S-P network: a special form of
    substitution-transposition product cipher
  • Product cipher
  • Two or more basic ciphers are performed in such a
    way that the final result or product is
    cryptographically stronger than any of the
    component ciphers
  • Feistel cipher
  • In the 1970s, Horst Feistel (IBM T.J. Watson
    Research Labs) invented a suitable (practical)
    structure which adapted Shannon's S-P network
  • Encryption and decryption use the same structure

11
Product Ciphers
Block Cipher Principles
  • Apply confusion and diffusion operations to
    thwart cryptanalysis based on statistical
    analysis
  • Diffusion
  • Dissipate statistical structure of the plaintext
    into long-range statistics of the ciphertext
  • Spread the statistics over a range of bits, i.e.,
    let each part of the plaintext affect a large
    part of the ciphertext, thus making the
    statistical relationship as difficult as possible
  • Thwarts frequency analysis
  • Can be achieved by repeatedly performing some
    permutation followed by applying a function to
    that permutation
  • Confusion
  • Make statistical relationship between the
    ciphertext and key as difficult as possible
  • Thwarts attempts to discover the key
  • Can be achieved by using a complex, non-linear,
    substitution operation (S-box)

12
Feistel Cipher Structure
Block Cipher Principles
  • Input block is partitioned into two halves,
    $L_{i-1}$ and $R_{i-1}$
  • In round i: $L_i = R_{i-1}$,
    $R_i = L_{i-1} \oplus F(K_i, R_{i-1})$
  • Substitution followed by permutation
  • Multiple rounds

13
Feistel Cipher Design Parameters/Features
Block Cipher Principles
  • Block size
  • Increasing size improves security, but slows
    cipher
  • Key size
  • Increasing size improves security, makes
    exhaustive key searching harder, but may slow
    cipher
  • Number of rounds
  • Increasing number improves security, but slows
    cipher
  • Subkey generation algorithm
  • Greater complexity can make analysis harder, but
    slows cipher
  • Round function
  • Greater complexity can make analysis harder, but
    slows cipher
  • Fast software encryption/decryption
  • Ease of analysis

14
Feistel Decryption Algorithm
Block Cipher Principles
  • Essentially same as the encryption
  • Same algorithm but use the subkeys Ki in reverse
    order
  • F need not be a reversible function

15
DES History
DES
  • In 1973, NBS (NIST) issues a public request for
    proposals for a national cipher standard, which
    must be
  • Secure
  • Public
  • Completely specified
  • Easy to understand
  • Available to all users
  • Economic and efficient in hardware
  • Able to be validated
  • Exportable
  • IBM submitted Lucifer (Feistel) (which was
    redesigned to become the DES)
  • In 1977, adopted by NBS (NIST) as DES (Data
    Encryption Standard, Federal Information
    Processing Standard 46)

16
DES Basics
DES
  • Block cipher (64-bit block)
  • Uses 56-bit key (out of 64 bits)
  • 16 rounds
  • 48-bit subkeys
  • Feistel structure (except initial and final
    permutations)

17
Overall Scheme of DES Encryption
DES
18
Initial / Inverse Initial Permutation
DES
19
Single Round of DES
DES
20
DES Round Function
DES
  • Operates on 32-bit units
  • 32-bit → 48-bit expansion/permutation (E table)
  • XOR with 48 bit subkey
  • S-box computation returns 32 bits
  • Round permutation (P)
  • Followed by
  • Feistel XOR and swap

21
F(R,K) and S-Boxes
DES
22
S-Box Details
DES
  • Eight S-boxes, each maps 6 bits to 4 bits
  • One S-box contains 64 entries, each 4-bits
  • Can be viewed as four permutations of 0, ..., 15
  • The particular permutation is selected with the
    additional bits added by the E table

23
Definition of DES S-Boxes
24
DES Key Generation
DES
25
DES Key Generation - 2
DES
  • Parity bits (8, 16, ..., 64) are discarded (out of
    64-bit key)
  • 56-bit key is split into 28-bit L and R
  • 16 48-bit subkeys (K1, K2, ..., K16) are generated
    by various circular left shifts of L and R
  • Bits are permuted and selected

26
DES Decryption
DES
  • Just as in S-DES, apply the subkeys in reverse
    order
  • The Feistel structure does the rest

27
DES Avalanche Effect
DES
  • In any good cipher, any change in the key or
    plaintext, no matter how large or small, should
    change approximately half the ciphertext bits
  • Examples
  • (a) Change one bit in the plaintext with the same
    key
  • (b) Change one bit in the key with the same
    plaintext
  • After 3 or 4 rounds, approximately half of the
    ciphertext bits are changed
  • After 16 rounds, a lot of scrambling has taken
    place

28
Strength of DES
DES
  • 56-bit key is susceptible to exhaustive key
    search due to rapid advances in computing speed
  • Have demonstrated breaks
  • 1997: on a large network of computers in a few
    months
  • 1998: on dedicated H/W in a few days
    (www.eff.org/descracker)
  • EFF (Electronic Frontier Foundation) DES Cracker
  • 250K cost, won the RSA DES Challenge II Contest
    in less than 3 days
  • 1999: above combined in 22 hours!!
  • DES also theoretically broken using differential
    or linear cryptanalysis
  • DES Controversy
  • Did NSA leave a backdoor?
  • Although the standard is public, the design
    criteria used are classified

29
EFF DES Cracker
DES
DES Cracker "Deep Crack" custom microchip
DES Cracker circuit board fitted with Deep Crack chips
30
DES Design Criteria
Block Cipher Design Principles
  • Although the standard for DES is public the
    design criteria used are classified
  • A few have since been made public (released)
  • A few have been derived or deduced (by reverse
    engineering)
  • What we know is based mostly on D. Coppersmith,
    The Data Encryption Standard (DES) and Its
    Strength Against Attacks, IBM J. of R. and D.
    (May 1994)

31
DES S-Box Design Criteria
Block Cipher Design Principles
  • The S-box is the only source of nonlinearity in
    DES
  • No S-box output bit should be too close to a
    linear function of the input bits (or any subset
    of them)
  • if we select any output bit and any subset of the
    input bits, then the fraction of inputs for which
    the output bit is the xor of the input bits
    should be close to ½
  • Each row of an S-box should be a permutation
  • If two inputs to an S-box differ in exactly one
    bit, then the outputs must differ in at least two
    bits
  • If two inputs to an S-box differ in exactly the
    middle two bits, then the outputs must differ in
    at least two bits
  • If two inputs to an S-box differ in their first
    two bits and are identical in their last two
    bits, then the two outputs should not be the same
  • Etc.
  • The first criterion is for nonlinearity, and the
    others have mostly to do with providing good
    confusion properties and resistance to
    differential cryptanalysis

32
Some Other Design Criteria
Block Cipher Design Principles
  • Some design criteria for P to increase the
    diffusion
  • 16 rounds are required to thwart the differential
    cryptanalysis attack (with 16 rounds, the
    differential cryptanalysis attack is less
    efficient than the brute-force key search attack)
  • Additional design criteria for F (and hence for
    S-box)
  • Strict Avalanche Criterion (SAC) Any output bit
    j should change with probability ½ when any input
    bit i is changed for all i, j
  • Bit Independence Criterion (BIC) Output bits j
    and k should change independently when any single
    input bit i is changed, for all i, j, k
  • Key schedule should guarantee key/ciphertext SAC
    and BIC
  • DES Avalanche Property
  • Changing a single bit in the input changes on
    average half of the bits at the output
  • DES Completeness Property
  • Every output bit should be a complex function of
    all input bits (and not just a subset of input
    bits)

33
Block Cipher Modes of Operation
  • Electronic Codebook (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback (CFB)
  • Output Feedback (OFB)

34
Electronic Codebook (ECB)
Block Cipher Modes of Operation
  • Each plaintext block is independently encrypted
    with the same key
  • Last block is padded appropriately
  • Useful for transmission of a single block (e.g.
    session key) or a small number of blocks
  • Called a codebook because, for a given key, each
    block of plaintext produces a unique ciphertext
  • May not be secure for lengthy messages
  • Same plaintext blocks always produce the same
    ciphertext block

35
Electronic Codebook (ECB) Mode
Block Cipher Modes of Operation
36
Cipher Block Chaining (CBC)
Block Cipher Modes of Operation
  • An appropriate mode for encrypting messages of
    length greater than 64 bits
  • Same plaintext blocks produce different
    ciphertext blocks
  • Prior to encrypting a plaintext block, xor it
    with the previous ciphertext block
  • $C_i = \text{DES}(K, C_{i-1} \oplus P_i)$
  • $P_i = \text{DES}^{-1}(K, C_i) \oplus C_{i-1}$
  • For first block, need initialization vector, IV
  • IV must be known to sender and receiver (often
    all 0s)
  • Each ciphertext block is dependent on all message
    blocks before it
  • Most common mode of use when data available in
    advance (email, ftp, web, ...)

37
Cipher Block Chaining (CBC) Mode
Block Cipher Modes of Operation
38
Cipher Feedback (CFB) Mode
Block Cipher Modes of Operation
  • Allows use of DES as a stream cipher (appropriate
    when data inherently arrives in bits/bytes)
  • Start with IV
  • Encrypt
  • XOR (MSB) j bits of output with j bit plaintext
  • Result is ciphertext
  • Shift IV by j bits, insert ciphertext

j-bit CFB Mode (Encryption)
39
Cipher Feedback Decryption
Block Cipher Modes of Operation
  • Reverse steps
  • Start with IV
  • Encrypt
  • XOR j bits of output with j bit ciphertext
  • Result is plaintext
  • Shift IV by j bits, insert ciphertext

40
Output Feedback (OFB) Mode
Block Cipher Modes of Operation
  • Encrypt IV
  • Shift IV by j bits, insert j bits of DES output
  • XOR same j bits of output with j bit plaintext
  • Result is ciphertext
  • Decryption reverses these steps
  • Errors do not propagate in OFB
  • This makes OFB vulnerable to modification
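
ECB, CBC and OFB side by side, as an added Python example that is not part of the original slides: it shows ECB repeating identical blocks, CBC chaining them apart, and a single flipped OFB ciphertext bit flipping exactly the same plaintext bit. Assumptions: DES is replaced by a stand-in 64-bit Feistel cipher with a SHA-256 round function, OFB runs full-block (j = 64), inputs are whole blocks with no padding, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8  # bytes: a 64-bit block, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block, decrypt=False):
    """Stand-in block cipher (assumption): 4-round Feistel, SHA-256 round function."""
    subkeys = [key + bytes([i]) for i in range(4)]
    l, r = block[:4], block[4:]
    for k in (reversed(subkeys) if decrypt else subkeys):
        l, r = r, xor(l, hashlib.sha256(k + r).digest()[:4])
    return r + l  # undo the final swap

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(prev, p))  # C_i = E(K, C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(E(key, c, decrypt=True), prev))  # P_i = D(K, C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """Full-block OFB (j = 64); the same call encrypts and decrypts."""
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o)  # keystream depends only on key and IV, never on the data
        out.append(xor(d, o))
    return b"".join(out)

# Constructed sample input: three identical 8-byte plaintext blocks, all-zero IV.
KEY, IV, PT = b"demo-key", bytes(BLOCK), b"SAMEDATA" * 3
ECB, CBC, OFB = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT), ofb_crypt(KEY, IV, PT)
# One ciphertext bit flipped in transit: OFB decryption flips only that plaintext bit.
TAMPERED = ofb_crypt(KEY, IV, bytes([OFB[0] ^ 0x01]) + OFB[1:])
```

Because the OFB change goes through without garbling anything else, the mode needs a separate integrity check (a MAC over the ciphertext) for the receiver to detect it.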

41
Output Feedback (OFB) Mode
Block Cipher Modes of Operation
42
Chapter 3 Homework
  • P.3.2
  • P.3.6
  • P.3.7
  • P.3.12
  • P.3.13
  • Due by April 3, 2002