Lecture 4: DES and block ciphers

Johan Håstad, transcribed by Ernir Erlingsson, 2006-01-25

1 DES

DES is a 64-bit block cipher with a 56-bit key. It takes a 64-bit block and transforms it depending on the key, i.e. for each key it is a map $\{0,1\}^{64} \to \{0,1\}^{64}$.

1.1 General properties of DES

The cryptographer's favorite operation, xor, is present in most cryptosystems. It is easily invertible, but at the same time gives immense security in the sense that if either input is unknown, so is the output: given an equation of the form $c = a \oplus b$ where we know only $a$, nothing can be said about $c$. If we know both inputs we of course know the output, but that is true for any function.

Breaking a cryptosystem based solely on xor is, however, straightforward. It is equivalent to solving a linear system of equations mod 2, which can be done efficiently, for example by Gaussian elimination. To prevent this, a non-linear table lookup $\{0,1\}^a \to \{0,1\}^b$ is traditionally employed to obfuscate the data. In DES this is done by eight fixed substitution boxes, a.k.a. S-boxes.

[Figure 1: Single round of the DES algorithm (encryption). The block is split into 32-bit halves $L$ and $R$; the new left half is $R$ and the new right half is $L \oplus f(R, k)$, where $k$ is the 48-bit round key.]

The figure above shows a simplified illustration of a single iteration of the DES algorithm, which is used when encrypting data. The figure below shows its inverse, which is used when decrypting data. Both are performed 16 times in a single encryption/decryption.

[Figure 2: Single inverse round of the DES algorithm (decryption). Given the output halves, the original $R$ is the left output and the original $L$ is the right output xored with $f(R, k)$.]

In cryptographic terms the figures above are commonly known as a Feistel network.¹ Next we need to specify the function $f$. Note that the ability to decrypt is independent of $f$: the inverse round never inverts $f$, it only recomputes $f(R, k)$ and xors it away again, so $f$ need not be invertible at all. Hence the only interesting property of $f$ is that it provides security. The function $f$ consists of the following steps.

1. Expand $R$ (32 bits) to 48 bits.
2. Xor with 48 bits from the key, which are selected depending on the current iteration number.
3. Divide the 48-bit result into eight parts of 6 bits each, and through the eight respective S-boxes map each part to only four bits, $\{0,1\}^6 \to \{0,1\}^4$.
4. Permute the resulting 32 bits.

Consult the figure below for an illustration of the four steps.

[Figure 3: Subcomponents of $f$: $R$ (32 bits) passes through the expansion E to 48 bits, is xored with the round key $K$ (48 bits), split into eight 6-bit groups fed to S1, ..., S8, whose eight 4-bit outputs pass through the permutation P to give the 32-bit result.]

¹ See tables 3.2, 3.4 and figure 3.8 in Cryptography and Network Security, Stallings.
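The round structure of Figures 1 and 2 and the four steps of $f$, as an added example in Python that is not part of the original notes. Everything is scaled down to 8-bit halves: the expansion E_TABLE, the permutation P_TABLE and the key schedule are made-up toy choices, while S1 and S2 are the real DES S-boxes indexed the DES way. The part worth running is the last one: decryption still works when $f$ is replaced by a deliberately non-invertible function, which is the point made above.

```python
"""Toy 16-bit Feistel cipher with a DES-shaped round function f.

Added example, not code from the lecture notes.  The round function follows
the four steps of f at one quarter of the DES width: 8-bit halves, expansion
8 -> 12 bits, xor with a 12-bit round key, two 6 -> 4 S-boxes (the real DES
S1 and S2), and a permutation of the 8 output bits.  E_TABLE, P_TABLE and
round_keys() are toy choices, not the DES tables.  Decryption never inverts
f, so any f works, including the non-invertible lossy_f below.
"""

HALF_BITS = 8
ROUNDS = 4

# Toy expansion E: result bit i (0 = least significant) is input bit E_TABLE[i].
# Four of the 8 input bits are used twice, so 8 bits become 12 (DES: 32 -> 48).
E_TABLE = [7, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 0]

# DES S1 and S2 as 4 rows of 16: row = outer two input bits, column = middle four.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
S2 = [[15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
      [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
      [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
      [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]]

# Toy permutation P of the 8 S-box output bits: result bit i is input bit P_TABLE[i].
P_TABLE = [2, 6, 0, 4, 7, 1, 5, 3]


def permute(x, table):
    """Generic bit permutation/expansion: bit i of the result is bit table[i] of x."""
    return sum(((x >> src) & 1) << i for i, src in enumerate(table))


def sbox(box, six_bits):
    """DES-style lookup: row from the outer bits, column from the middle four."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def f(r, round_key):
    """The DES-shaped round function: expand, xor key, S-boxes, permute."""
    x = permute(r, E_TABLE) ^ round_key                   # 12 bits
    out = sbox(S1, x >> 6) << 4 | sbox(S2, x & 0x3F)     # 8 bits
    return permute(out, P_TABLE)


def round_keys(key16):
    """Toy key schedule (not DES's): rotate the 16-bit key, keep the low 12 bits."""
    keys = []
    for _ in range(ROUNDS):
        key16 = ((key16 << 3) | (key16 >> 13)) & 0xFFFF
        keys.append(key16 & 0xFFF)
    return keys


def feistel_encrypt(block16, key16, round_fn=f):
    l, r = block16 >> HALF_BITS, block16 & 0xFF
    for k in round_keys(key16):
        l, r = r, l ^ round_fn(r, k)                     # Figure 1
    return (l << HALF_BITS) | r


def feistel_decrypt(block16, key16, round_fn=f):
    l, r = block16 >> HALF_BITS, block16 & 0xFF
    for k in reversed(round_keys(key16)):
        l, r = r ^ round_fn(l, k), l                     # Figure 2: undo one round
    return (l << HALF_BITS) | r


def lossy_f(r, round_key):
    """A deliberately non-invertible round function: 8 bits onto only 16 values."""
    return (r * 13 + round_key) & 0xF0


def roundtrip_ok(key16, round_fn=f):
    """True if decrypt(encrypt(m)) == m on a spread of 16-bit blocks."""
    return all(feistel_decrypt(feistel_encrypt(m, key16, round_fn), key16, round_fn) == m
               for m in range(0, 1 << 16, 37))


if __name__ == "__main__":
    key = 0x2B7E
    c = feistel_encrypt(0x1234, key)
    print(f"E_k(0x1234) = {c:#06x}, decrypts to {feistel_decrypt(c, key):#06x}")
    print("roundtrip with DES-shaped f:", roundtrip_ok(key))
    print("roundtrip with lossy f:     ", roundtrip_ok(key, lossy_f))
```

Both roundtrips succeed. The security of the construction, as opposed to its invertibility, rests entirely on $f$; with `lossy_f` the cipher is still a bijection on blocks, just a useless one.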

The input $R$ is expanded to 48 bits by duplicating 16 of its 32 bits, while the 48 key bits are selected from among the 56 possible through the use of two 28-bit registers.

As previously mentioned and seen above, DES has eight different S-boxes. Certain conspiracy theories state that these were deliberately flawed by the National Security Agency in the US so that the agency could exploit the flaws to crack data encrypted with DES. To this day, however, no proof has been found to back these theories, even after excruciating cryptanalysis by hundreds of well respected scientists. Conspiracy theories are still alive and well, but most of them now point to the suspicious DES key length of 56 bits.

A perceptive student might have noticed that DES permutes the bits on two different occasions, E and P (in the figure above), and this might at first seem redundant. But E is in fact not much of a permutation; it moves the data very little. To see the need for some permutation, consider the situation where there is no expansion E, the S-boxes map 4 bits to 4 bits, and there is no permutation P. Then the four least significant bits of all quantities would live their own life and never be influenced by the other bits. The effective block size would be 8 bits, as only 4 bits of each of $L$ and $R$ would mix, and we would not have a good block cipher. The role of P is thus to spread changes within the block, and there is one design criterion for the S-boxes with a similar aim. It was required that two inputs which differ only in a single bit should produce very different outputs: for any two inputs $x$ and $x'$ that differ in exactly one bit, $S(x)$ and $S(x')$ should differ in at least 2 bits. It is interesting to note that this is a severe restriction and in fact few functions satisfy this property.

2 Modes

Modes refers to how block ciphers are used in a broader perspective, i.e. how a plaintext message with blocks $M_1, M_2, \ldots$ is encrypted in different encryption modes. The following subsections contain brief descriptions of some of the available modes. Note, however, that the list presented here is far from exhaustive.

2.1 ECB (Electronic Code Book)

ECB is the simplest encryption mode: it simply encrypts each message block independently. Its main advantage is that it is very easy to implement.

$$C_i = E_k(M_i)$$

In layman's terms: ciphertext block $C_i$ equals plaintext block $M_i$ encrypted by the block cipher $E$ under key $k$. The main disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks, so repetition in the plaintext is visible in the ciphertext.

2.2 CBC (Cipher Block Chaining)

In CBC mode, each block of plaintext is xored with the previous ciphertext block before being encrypted. Thus an arbitrary ciphertext block depends on all plaintext blocks up to that point.

$$C_i = E_k(M_i \oplus C_{i-1})$$

We set $C_0 = N$, a random initialization vector which is transmitted along with the other ciphertext blocks. Decryption is $M_i = E_k^{-1}(C_i) \oplus C_{i-1}$.

[Figure 4: CBC encryption of $M_1, M_2, M_3$ with IV $N$ producing $C_1, C_2, C_3$; each plaintext block is xored with the previous ciphertext block before entering $E_k$.]

CBC is designed to make the ciphertext blocks appear randomized, so that repeats in the plaintext cannot be noticed, and so that the blocks cannot be silently reordered (reordering garbles the decryption of the affected blocks, although CBC by itself provides no integrity check). The main drawback of this method is that encryption cannot be parallelized, since each block depends on the previous ciphertext block; decryption can be, since all $C_{i-1}$ are already known. A possible solution is the use of Counter mode (CTR), presented briefly in the next subsection.

2.3 CTR (Counter mode)

This mode turns a block cipher into a stream cipher. It generates the next key stream block by encrypting successive values of a "counter", whose starting value is sent as part of the message.

$$C_0 = \mathrm{CTR}, \qquad C_i = E_k(\mathrm{CTR} + i) \oplus M_i$$

This has the same problems as a one-time pad with regard to malleability (flipping a ciphertext bit flips the corresponding plaintext bit) and with regard to reuse of the key stream: the same counter values must never be used for two messages under one key, or the xor of the two plaintexts is revealed.

3 DES security

One important (and often missed) security aspect is that of repeating blocks. If there are $T$ possible blocks and the blocks are uniformly distributed, the first repeat is expected to occur after about $\sqrt{T}$ sent blocks (the birthday bound). As uniform distribution is rare, in practice it will happen much sooner. For DES, $T = 2^{64}$, so repeated ciphertext blocks are to be expected after roughly $2^{32}$ blocks, i.e. 32 GB under one key.

3.1 Is DES secure?

The answer to this question is "not really". Since the creation of DES, technology has advanced at a fast pace, so that even today's supercomputers can brute-force an arbitrary DES key in a reasonable amount of time (days or weeks), not to mention specially built DES-cracking machines, which keep getting cheaper and better. This is of course all due to the DES algorithm's short key length of 56 bits, giving only $2^{56}$ possible keys.

3.2 Is DES employed in conjunction with CBC secure?

The security of DES, or of any other block cipher, is essentially a matter of faith. The only hard evidence that it is secure is that nobody knows how to break it. When analyzing modes one can use a different approach: one assumes that the block cipher is secure and then proves that the mode has a certain property. In such cases one usually works with a very strong notion of security. Consider the following game. You are given a black box and you are told that the box, given $x$, either computes $E_k(x)$ for a fixed, randomly chosen key $k$, or returns $F(x)$ for a permutation $F$ picked uniformly at random from all permutations. Your task is to tell which of the two is the case. If your probability of being correct is essentially 1/2, the block cipher is secure (it is a pseudorandom permutation). One can prove that CBC used with a block cipher having this property has nice provable security properties, but we do not discuss the details here.

4 Triple DES

This is a well-known variant of DES and is very easy to implement given an implementation of DES. Its strength lies in the new key length of 168 bits, which addresses the biggest weakness of standard DES, albeit with an unorthodox key length just like standard DES. Triple DES works by splitting the key into three parts and, as the name implies, applying the standard algorithm three times:

$$C = E_{k_1}\left(E^{-1}_{k_2}\left(E_{k_3}(M)\right)\right).$$

This is actually better than applying $E_{k_1}(E_{k_2}(E_{k_3}(M)))$, because it lets us choose the keys such that two of them cancel each other out: with $k_1 = k_2$ the result is simply $E_{k_3}(M)$, which is standard DES. Thus it can be used in a network that also uses standard DES.

But if Triple DES is a good idea, then surely Double DES is as well? Unfortunately Double DES can be broken with essentially the same time complexity as standard DES. This is due to Double DES's susceptibility to a "meet in the middle" attack, which computes candidate intermediate values from each end of the algorithm and then searches those sets for matches. The following subsection gives an example and (hopefully) clarifies the issue.

4.1 "Meet in the middle" example

Assume that we are given a message $M$ and its encryption $C$, and that Double DES was employed, i.e. $C = E_{k_1}(E_{k_2}(M))$. One calculates $E_{k_2}(M)$ for all $k_2$ and stores these values in a hash table. One then computes $E^{-1}_{k_1}(C)$ for all $k_1$ and looks for collisions in the hash table; each collision gives a candidate pair $(k_1, k_2)$ that must be investigated further, e.g. checked against a second known plaintext/ciphertext pair, since with a 64-bit block and 112 bits of key a single pair leaves about $2^{48}$ candidates. This approach uses time at most $2^{57}$, so it is only marginally more expensive than brute-forcing single DES. On a more pessimistic note, the procedure also uses $2^{56}$ memory, and that might be harder to come by.
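The attack of 4.1 carried out against a toy cipher, as an added example that is not part of the original notes. The cipher is a fixed random 16-bit permutation followed by xor with a 16-bit key (a construction chosen for the demonstration; it has nothing to do with DES), so exhaustive search of the pair costs $2^{32}$ while the table costs $2^{16}$ entries and $2^{16}$ probes. Because the block is as short as the key, a single known pair leaves $2^{16}$ colliding candidates, which is why the code filters them against further known pairs; this is the "investigated further" step of the text.

```python
"""Meet-in-the-middle attack on double encryption with a toy 16-bit cipher.

Added example, not code from the lecture notes.  E_k(x) = PERM[x] xor k on
16-bit blocks, with PERM a fixed random permutation (constant seed).  The
attack recovers (k1, k2) from known (M, C) pairs with about 2^17 cipher
calls instead of the 2^32 of exhaustive search over both keys.
"""
import random

KEY_BITS = 16
N_KEYS = 1 << KEY_BITS

_rng = random.Random(7)                     # fixed seed: reproducible toy cipher
PERM = list(range(N_KEYS))
_rng.shuffle(PERM)
PERM_INV = [0] * N_KEYS
for _x, _y in enumerate(PERM):
    PERM_INV[_y] = _x


def enc(k, x):
    return PERM[x] ^ k                      # toy E_k


def dec(k, y):
    return PERM_INV[y ^ k]                  # toy E_k^{-1}


def double_enc(k1, k2, x):
    return enc(k1, enc(k2, x))              # C = E_{k1}(E_{k2}(M)), as in the text


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the known (M, C) pairs.

    Forward table: 2^16 encryptions of M under each k2.  Backward probe: 2^16
    decryptions of C under each k1, each looked up in the table.  Survivors of
    the first pair are then checked against the remaining pairs.
    """
    m0, c0 = pairs[0]
    table = {}
    for k2 in range(N_KEYS):
        table.setdefault(enc(k2, m0), []).append(k2)
    candidates = set()
    for k1 in range(N_KEYS):
        for k2 in table.get(dec(k1, c0), ()):
            candidates.add((k1, k2))
    for m, c in pairs[1:]:                  # "investigate further" each collision
        candidates = {(k1, k2) for k1, k2 in candidates if double_enc(k1, k2, m) == c}
    return candidates


def known_pairs(k1, k2, msgs=(0x0000, 0x4142, 0xCAFE)):
    """Constructed known-plaintext material for the demonstration."""
    return [(m, double_enc(k1, k2, m)) for m in msgs]


if __name__ == "__main__":
    pairs = known_pairs(0xBEEF, 0x1234)
    print("candidates after one pair:", len(meet_in_the_middle(pairs[:1])))
    found = meet_in_the_middle(pairs)
    print("after three pairs:", [(f"{a:#06x}", f"{b:#06x}") for a, b in found])
```

Two extra pairs reduce the $2^{16}$ collisions to the true key pair; for Double DES the corresponding figures are $2^{48}$ collisions from one pair and one or two extra pairs to settle it, with the $2^{56}$-entry table as the real obstacle.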

5 Breaking DES

Given a set of known plaintexts and ciphertexts, it is possible to analyze the pairs and thereby reduce the number of keys it is necessary to check. Examples of such an approach are:

1. Differential cryptanalysis.²
2. Linear cryptanalysis.³

The former can successfully cryptanalyze DES given $2^{47}$ chosen plaintexts; the latter requires $2^{43}$ known message blocks, which is $2^{46}$ bytes, or 64 terabytes. An examination of the former is beyond the scope of this lecture, but the latter is presented, very briefly, in the following subsection.

² Biham and Shamir.
³ Matsui.

5.1 Linear cryptanalysis

Linear cryptanalysis is the method of combining linear equations that often hold. Although the S-boxes are not linear, they can often be approximated linearly with good results. For example, we could perhaps have that $\mathrm{outbit}[3] = \mathrm{inbit}[2] + \mathrm{inbit}[5]$ with probability 75%, where the probability is taken over the other inputs. Similar relations might hold for other bits. Using such relations we can create a chain of equations, each of which holds with probability 75%, that in the end relates the input data to the output data.

Let us be more concrete with a toy example. Suppose we have only two iterations of a cipher, where the input to the first round, $\mathrm{in}_1$, is the message bits $M$; the output of the first round, $\mathrm{out}_1$, equals the input to the second round, $\mathrm{in}_2$; and the output of the second round, $\mathrm{out}_2$, equals the ciphertext bits $C$. The key bits of the two rounds are $k_1$ and $k_2$ respectively. Suppose that because of an S-box used in the first round we have

$$\mathrm{out}_1[3] = \mathrm{in}_1[2] + \mathrm{in}_1[3] + k_1[2] + k_1[3]$$

holding with probability 0.75. Assume that for the second round we also have

$$\mathrm{out}_2[2] + \mathrm{out}_2[4] = \mathrm{in}_2[3] + k_2[3]$$

with probability 0.75. Now the input of the first round is the cleartext, the output of the second round is the ciphertext, and the input to the second round is the output of the first round. The last fact implies $\mathrm{out}_1[3] = \mathrm{in}_2[3]$. Combining the equations we hence get

$$\mathrm{in}_1[2] + \mathrm{in}_1[3] + \mathrm{out}_2[2] + \mathrm{out}_2[4] = k_1[2] + k_1[3] + k_2[3],$$

which is correct with probability

$$\left(\tfrac{3}{4}\right)^2 + \left(\tfrac{1}{4}\right)^2 = \tfrac{5}{8},$$

where the first term comes from both equations being correct and the second from both being incorrect (two errors cancel mod 2). This implies that by sampling many plaintext/ciphertext pairs and each time computing

$$\mathrm{in}_1[2] + \mathrm{in}_1[3] + \mathrm{out}_2[2] + \mathrm{out}_2[4] = M[2] + M[3] + C[2] + C[4]$$

we get a bit that with probability 5/8 equals $k_1[2] + k_1[3] + k_2[3]$, and thus given enough pairs of cleartext and ciphertext we will eventually learn this bit of information about the key.

As a general rule for combining equations we have the following fact (the "piling-up lemma"). Its proof is by a calculation that we omit. If

$A = B$ holds with probability $\frac{1 + p_1}{2}$, and
$B = C$ holds with probability $\frac{1 + p_2}{2}$,

then $A = C$ holds with probability $\frac{1 + p_1 p_2}{2}$.

Through tedious equation puzzling, the Japanese cryptanalyst Matsui found a relationship between the input, output and key bits of full DES which is correct with probability $\frac{1}{2} + 2^{-22}$. As we see below, this enables us to extract useful information after roughly $2^{44}$ observed blocks of cleartext and ciphertext.
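The omitted calculation behind the combining rule, added here (it is not in the original notes). It assumes that the two approximations fail independently, which in a real cipher holds only approximately, and that is the caveat to keep in mind when stacking many such relations:

$$\Pr[A = C] = \Pr[A = B]\,\Pr[B = C] + \Pr[A \ne B]\,\Pr[B \ne C] = \frac{1+p_1}{2}\cdot\frac{1+p_2}{2} + \frac{1-p_1}{2}\cdot\frac{1-p_2}{2} = \frac{2 + 2p_1p_2}{4} = \frac{1 + p_1 p_2}{2}.$$

For the toy example $p_1 = p_2 = \tfrac{1}{2}$, so the combined probability is $(1 + \tfrac{1}{4})/2 = \tfrac{5}{8}$, as computed directly above. For a chain of $n$ relations the same argument gives bias $p_1 p_2 \cdots p_n$, which is why the full-DES bias of $2^{-22}$ quoted above is so much smaller than the bias of any single S-box approximation.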

5.2 Fact from probability theory

Suppose we are given a guess of a bit $b$ which is correct with probability $\frac{1}{2} + p$. How many independent guesses do we need until we are pretty sure of the value of $b$? If we see $N$ guesses, the expected number of correct guesses is $\frac{N}{2} + Np$. The standard deviation of this number is of order $\sqrt{N}$ (precisely $\sqrt{N(\tfrac{1}{4} - p^2)}$, i.e. about $\frac{\sqrt{N}}{2}$ for small $p$). We can view the expected advantage $Np$ as a signal and the standard deviation $\sqrt{N}$ as noise. When the signal is stronger than the noise, we should be able to do something useful. In our case this means

$$Np > \sqrt{N},$$

which is equivalent to

$$N > p^{-2}.$$

This can be made rigorous and we leave the details to the interested reader. With $p = 2^{-22}$ this gives $N \approx 2^{44}$, the figure quoted above.
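The one-round version of the attack in 5.1 together with the sample-count rule of 5.2, as an added example that is not part of the original notes. It finds the best linear approximation $a \cdot x \oplus b \cdot S_1(x) = 0$ of the real DES S-box S1 by exhaustive count, then plays the attacker who sees pairs $(x, S_1(x \oplus k))$ for an unknown 6-bit key $k$: each pair votes for the key parity $a \cdot k$ with probability $\frac{1}{2} + p$, and a majority over $N$ votes with $N$ a small constant times $p^{-2}$ recovers it. The piling-up rule is included as a function so the 5/8 figure can be checked; the key and random seed are constructed for the demonstration.

```python
"""Linear approximation of DES S1 and the N > 1/p^2 sample count.

Added example, not code from the lecture notes.  The S1 table is DES's own;
the one-round "cipher" S1(x xor k), the key and the seed are constructed for
the demonstration.
"""
import random

S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def s1(x):
    """DES S1 on a 6-bit input: row from the outer bits, column from the middle four."""
    return S1[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 0xF]


def parity(v):
    return bin(v).count("1") & 1


def piling_up(biases):
    """Probability that a chain of independent approximations holds: (1 + p1*p2*...)/2,
    the lecture's combining rule with each approximation true with probability (1+p_i)/2."""
    prod = 1.0
    for p in biases:
        prod *= p
    return (1 + prod) / 2


def linear_bias(a, b, sbox=s1, n_in=6):
    """p such that a.x + b.sbox(x) = 0 holds with probability 1/2 + p over all inputs x."""
    hits = sum(1 for x in range(1 << n_in) if parity(a & x) ^ parity(b & sbox(x)) == 0)
    return hits / (1 << n_in) - 0.5


def best_approximation(sbox=s1, n_in=6, n_out=4):
    """Input/output masks (both non-zero) with the largest |bias|."""
    return max(((a, b) for a in range(1, 1 << n_in) for b in range(1, 1 << n_out)),
               key=lambda ab: abs(linear_bias(ab[0], ab[1], sbox, n_in)))


def samples_needed(p):
    """The lecture's rule of thumb N > p^-2 (signal N|p| must beat noise sqrt(N))."""
    return int(1 / (p * p)) + 1


def recover_key_parity(a, b, p, key, n_samples, rng):
    """Majority vote of a.x + b.S1(x xor k) over n_samples random inputs x.

    Writing y = x xor k, the vote equals a.k + (a.y + b.S1(y)), so it equals
    a.k with probability 1/2 + p.  For p < 0 the majority is the complement.
    """
    votes = 0
    for _ in range(n_samples):
        x = rng.randrange(1 << 6)
        votes += parity(a & x) ^ parity(b & s1(x ^ key))
    majority = 1 if votes > n_samples / 2 else 0
    return majority ^ (1 if p < 0 else 0)


def demo(key=0b101101, seed=1):
    """Run the one-round attack; returns masks, bias, sample count and the result."""
    a, b = best_approximation()
    p = linear_bias(a, b)
    n = 8 * samples_needed(p)        # a constant factor above p^-2 for a safe margin
    rng = random.Random(seed)
    return {"masks": (a, b), "bias": p, "samples": n,
            "recovered": recover_key_parity(a, b, p, key, n, rng),
            "true": parity(a & key)}


if __name__ == "__main__":
    print("toy two-round chain:", piling_up([0.5, 0.5]))      # the 5/8 of the text
    print(demo())
```

With $N = 8/p^2$ the signal $N|p|$ is $8/|p|$ and the noise $\frac{\sqrt{N}}{2}$ is $\sqrt{2}/|p|$, a margin of more than five standard deviations whatever the bias, which is why the vote comes out right; with $N$ near $p^{-2}$ it would be right only most of the time, which is the sense of "pretty sure" in the text.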