
ECE596C: Handout #6

Product and Block Ciphers

Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Abstract. In this lecture we present the idea of a product cryptosystem introduced by Shannon. This idea is exploited in block ciphers such as the Advanced Encryption Standard. We also present the basic principles of Substitution-Permutation Networks (SPNs), and examine the structure of DES.

1 Product Cryptosystems

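Let two endomorphic¹ cryptosystems be $S_1 = \{\mathcal{P}, \mathcal{P}, \mathcal{K}_1, \mathcal{E}_1, \mathcal{D}_1\}$ and $S_2 = \{\mathcal{P}, \mathcal{P}, \mathcal{K}_2, \mathcal{E}_2, \mathcal{D}_2\}$. The product cryptosystem of $S_1$, $S_2$ is defined to be the cryptosystem:

$$S_1 \times S_2 = \{\mathcal{P}, \mathcal{P}, \mathcal{K}_1 \times \mathcal{K}_2, \mathcal{E}, \mathcal{D}\} \tag{1}$$

The key for such a system is $(K_1, K_2)$ with $K_1 \in \mathcal{K}_1$ and $K_2 \in \mathcal{K}_2$. The encryption in a product cryptosystem is defined as:

$$y = e_{(K_1,K_2)}(x) = e_{K_2}(e_{K_1}(x)) \tag{2}$$

and the decryption function applies the keys in the reverse order:

$$x = d_{(K_1,K_2)}(y) = d_{K_1}(d_{K_2}(y)) \tag{3}$$

Example of a product cipher: Multiplicative Cipher × Shift Cipher.

Definition 1. Let $\mathcal{P} = \mathcal{C} = \mathbb{Z}_{26}$ and

$$\mathcal{K} = \{a \in \mathbb{Z}_{26} : \gcd(a, 26) = 1\} \tag{4}$$

For $a \in \mathcal{K}$ the encryption and decryption rules are defined as follows:

$$e_a(x) = ax \bmod 26 \tag{5}$$

$$d_a(y) = a^{-1} y \bmod 26 \tag{6}$$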

Let M be a multiplicative cipher and let S be a Shift cipher, with keys for both ciphers chosen equiprobably from the respective keyspaces. It is very easy to see that the product M × S is nothing more than the Affine cipher. It can also be shown that the cryptosystem S × M is equivalent to an affine cipher. When S × M = M × S we say that the two cryptosystems commute. Regardless, the associative property always holds for cryptosystems. That is, (S1 × S2) × S3 = S1 × (S2 × S3).

Definition 2. A cryptosystem is called idempotent if S × S = S.

¹ A cryptosystem is called endomorphic if C = P.

Examples of idempotent cryptosystems are the Shift, Substitution, Affine, Hill, Vigenère and Permutation ciphers.

Question: Does a product of any idempotent cryptosystems have an increased level of security compared to a single encryption system?

Lemma 1. If two cryptosystems are idempotent and they commute, then the product cryptosystem is also idempotent.
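The claims above about M × S, S × M and idempotence can be checked exhaustively over Z26. The following is an added example, not part of the original handout; every cipher is represented as a 26-entry lookup table, and all function and variable names are chosen for this example.

```python
from collections import Counter
from itertools import product as pairs
from math import gcd

N = 26
UNITS = [a for a in range(N) if gcd(a, N) == 1]   # keyspace of eq. (4)
SHIFTS = range(N)
AFFINE_KEYS = list(pairs(UNITS, SHIFTS))

def mult(a):
    """Multiplicative cipher, eq. (5), as a lookup table."""
    return tuple((a * x) % N for x in range(N))

def shift(b):
    """Shift cipher e_b(x) = x + b mod 26 as a lookup table."""
    return tuple((x + b) % N for x in range(N))

def affine(k):
    """Affine cipher e(x) = a*x + b mod 26 for key k = (a, b)."""
    return tuple((k[0] * x + k[1]) % N for x in range(N))

def compose(e1, e2):
    """Eq. (2): encrypt with e1 first, then with e2."""
    return tuple(e2[y] for y in e1)

def product_system(c1, keys1, c2, keys2):
    """Count how many key pairs (K1, K2) realise each encryption map."""
    return Counter(compose(c1(k1), c2(k2)) for k1, k2 in pairs(keys1, keys2))

def same_cryptosystem(p, q):
    """Same set of maps, and uniform keys induce the same distribution on them."""
    tp, tq = sum(p.values()), sum(q.values())
    return p.keys() == q.keys() and all(p[m] * tq == q[m] * tp for m in p)

AFFINE = Counter(affine(k) for k in AFFINE_KEYS)
M_x_S = product_system(mult, UNITS, shift, SHIFTS)
S_x_M = product_system(shift, SHIFTS, mult, UNITS)
A_x_A = product_system(affine, AFFINE_KEYS, affine, AFFINE_KEYS)

if __name__ == "__main__":
    print("M x S = Affine:", same_cryptosystem(M_x_S, AFFINE))
    print("S x M = Affine:", same_cryptosystem(S_x_M, AFFINE))
    print("Affine x Affine = Affine:", same_cryptosystem(A_x_A, AFFINE))
    print("distinct maps:", len(AFFINE), "from", sum(A_x_A.values()), "key pairs")
```

Affine × Affine uses 312 × 312 key pairs yet still realises only the 312 affine maps, each equally often, which is what idempotence means in practice.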

2 Block Ciphers

In a block cipher the plaintext is split into blocks, and each block is processed separately. A common design for such a cipher is that of an iterative cipher, where each block is passed through a number of rounds of encryption according to a key schedule. From a key $K$ of some length we derive $Nr$ subkeys denoted by $K_1, K_2, \ldots, K_{Nr}$. Let $g$ be the round function (publicly known) that takes as an input the current key $K_r$ and the state from the previous round $w_{r-1}$.

$$\begin{aligned}
w_0 &\leftarrow x \\
w_1 &\leftarrow g(w_0, K_1) \\
w_2 &\leftarrow g(w_1, K_2) \\
&\;\;\vdots \\
w_{Nr-1} &\leftarrow g(w_{Nr-2}, K_{Nr-1}) \\
w_{Nr} &\leftarrow g(w_{Nr-1}, K_{Nr}) \\
y &\leftarrow w_{Nr}
\end{aligned}$$

A necessary condition for decryption is that $g$ is injective when the second argument is fixed. The decryption rule is:

$$g^{-1}(g(w, y), y) = w \tag{7}$$

The decryption is accomplished by recovering the plaintext in reverse order from encryption.

$$\begin{aligned}
w_{Nr} &\leftarrow y \\
w_{Nr-1} &\leftarrow g^{-1}(w_{Nr}, K_{Nr}) \\
w_{Nr-2} &\leftarrow g^{-1}(w_{Nr-1}, K_{Nr-1}) \\
&\;\;\vdots \\
w_1 &\leftarrow g^{-1}(w_2, K_2) \\
w_0 &\leftarrow g^{-1}(w_1, K_1) \\
x &\leftarrow w_0
\end{aligned}$$

2.1 Substitution-Permutation Networks (SPN)

Idea: Diffusion and Confusion principle from Shannon.

Let $\ell$, $m$ be two positive integers, and let the plaintext/ciphertext be blocks of length $\ell m$. An SPN is built from two components, denoted as $\pi_S$, $\pi_P$:

$$\pi_S : \{0, 1\}^{\ell} \rightarrow \{0, 1\}^{\ell} \tag{8}$$

and

$$\pi_P : \{1, \ldots, \ell m\} \rightarrow \{1, \ldots, \ell m\} \tag{9}$$

The component $\pi_S$ is essentially a substitution cipher and is known as an S-box, while the component $\pi_P$ is a permutation cipher used to permute the letters of the input text. At each round, the state is whitened by an XOR operation with a key according to the key schedule. An SPN network is depicted in figure 1.

Fig. 1. An SPN network with 4 rounds.

Illustration of an SPN via an example: Assume that for an SPN $\ell = m = Nr = 4$ and let $\pi_S$ be:

x      |  0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
πS(x)  | 14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7

Define also the permutation $\pi_P$ to be:

x      |  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
πP(x)  |  1   5   9  13   2   6  10  14   3   7  11  15   4   8  12  16

Let also the key schedule be derived from a 32-bit key $K$ in a cyclic manner by considering 16 consecutive bits beginning from bit $k_{4r-3}$, where $r$ denotes the round. Assume that the initial key is:

$$K = 0011\ 1010\ 1001\ 0100\ 1101\ 0110\ 0011\ 1111 \tag{10}$$

and the plaintext is

$$x = 0010\ 0110\ 1011\ 0111. \tag{11}$$

Find the ciphertext:
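The example above can be worked in code, as follows. This is an added example, not part of the original handout. The handout does not spell out the round structure, so the code assumes the usual textbook SPN: Nr + 1 = 5 round keys, no permutation in the last round, and a final XOR with the fifth round key; function names are chosen for this example.

```python
# Tables and parameters from the example above (l = m = Nr = 4).
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
PERM = [1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15, 4, 8, 12, 16]  # 1-indexed
L, M, NR = 4, 4, 4
BITS = L * M

def bits(s):
    """Parse a spaced bit string such as '0010 0110' into an integer."""
    return int(s.replace(" ", ""), 2)

def fmt(v):
    """Format a 16-bit state as four nibbles."""
    b = format(v, "016b")
    return " ".join(b[i:i + 4] for i in range(0, BITS, 4))

def round_keys(key, key_bits=32):
    """K^r = 16 consecutive key bits starting at k_(4r-3), for r = 1..Nr+1."""
    mask = (1 << BITS) - 1
    return [(key >> (key_bits - BITS - 4 * (r - 1))) & mask
            for r in range(1, NR + 2)]

def substitute(u):
    """Apply the S-box to each of the m nibbles of the state."""
    v = 0
    for i in range(M):
        sh = L * i
        v |= SBOX[(u >> sh) & 0xF] << sh
    return v

def permute(v):
    """Output bit i takes input bit PERM[i]; bits are numbered 1..16 from the left."""
    w = 0
    for i, src in enumerate(PERM, start=1):
        w |= ((v >> (BITS - src)) & 1) << (BITS - i)
    return w

def spn_encrypt(x, key):
    """Return (ciphertext, per-round trace); round structure assumed as stated."""
    ks, w, trace = round_keys(key), x, []
    for r in range(NR - 1):              # rounds 1..Nr-1: XOR, S-boxes, permutation
        u = w ^ ks[r]
        v = substitute(u)
        w = permute(v)
        trace.append((fmt(u), fmt(v), fmt(w)))
    v = substitute(w ^ ks[NR - 1])       # round Nr: no permutation (assumed)
    return v ^ ks[NR], trace             # final whitening with K^(Nr+1)

if __name__ == "__main__":
    y, trace = spn_encrypt(bits("0010 0110 1011 0111"),
                           bits("0011 1010 1001 0100 1101 0110 0011 1111"))
    for r, (u, v, w) in enumerate(trace, start=1):
        print(f"round {r}: u={u}  v={v}  w={w}")
    print("y =", fmt(y))
```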

2.2 Properties of SPN

– S-boxes are very easy to implement in the form of a look-up table.
– Storage requirement is $\ell 2^{\ell}$ since we have to store $2^{\ell}$ values of length $\ell$ each. Hence S-boxes have to be small.

3 The Data Encryption Standard (DES)

DES became a standard in 1973. It was developed at IBM and is a modification of an earlier cipher called Lucifer. It is a special type of cipher known as the Feistel cipher.

3.1 Description of a Feistel cipher

– At each state $u_i$, divide the text into two halves of equal length, denoted as $L_i$, $R_i$.
– The round function $g$ performs the following transformations:

$$L_i = R_{i-1} \tag{12}$$

$$R_i = L_{i-1} \oplus f(R_{i-1}, K_i) \tag{13}$$


Fig. 2. One round of a Feistel Cipher.

Question: Does the function f need to be injective?
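The round of equations (12) and (13) can be inverted using only f itself, which the following sketch demonstrates with a round function that is deliberately not injective. This is an added example, not part of the original handout; the round function `f` and the key schedule `subkeys` are constructed for illustration and are not the DES ones.

```python
import hashlib

HALF = 32                       # bits per half (64-bit block, as in DES)
MASK = (1 << HALF) - 1

def f(r, k):
    """Constructed round function, deliberately NOT injective: the low 8 bits
    of r are dropped before hashing, so 256 inputs share each output."""
    data = (r >> 8).to_bytes(4, "big") + k
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys(key, rounds=16):
    """Hypothetical key schedule: 16 subkeys of 48 bits derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]

def encrypt(block, ks):
    l, r = block >> HALF, block & MASK
    for k in ks:
        l, r = r, l ^ f(r, k)           # eqs. (12) and (13)
    return (l << HALF) | r

def decrypt(block, ks):
    l, r = block >> HALF, block & MASK
    for k in reversed(ks):
        # Undo one round: R_{i-1} = L_i and L_{i-1} = R_i xor f(L_i, K_i).
        # Only f is evaluated; an inverse of f is never needed.
        l, r = r ^ f(l, k), l
    return (l << HALF) | r

if __name__ == "__main__":
    ks = subkeys(b"constructed demo key")
    x = 0x0123456789ABCDEF
    y = encrypt(x, ks)
    print(f"x = {x:016x}  y = {y:016x}  d(y) = {decrypt(y, ks):016x}")
    print("f collides:", f(0x12345600, ks[0]) == f(0x123456FF, ks[0]))
```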


Fig. 3. The algorithm for the generation of the Key schedule in DES. Source: Wikipedia.

3.2 Description of DES

DES is a 16-round Feistel cipher, with a block length of 64 bits. The key used is a 56-bit long key from which a key schedule of 16 48-bit keys is derived. To generate a DES cipher the following steps are followed. The algorithm for the derivation of the key schedule is shown in figure 3.

1. Apply an initial permutation $IP$ on the plaintext and generate $IP(x) = L_0 R_0$.
2. Take the right half of the current state as an input to function $f$ along with subkey $K_i$.
3. Perform an ⊕ operation between the left half of the current state and the output of function $f$ and set the result as the right half of the next state.
4. Set the right half of the current state as the left half of the next state.
5. Repeat steps 1-3 for 16 rounds.
6. Perform the reverse permutation $IP^{-1}$ on the output of the 16th state.

The construction of the $f$ function is critical. It basically follows the principle of an SPN network with consecutive XOR, substitution and permutation operations. The structure of function $f$ is depicted in figure 4.

1. Expand the input to a bitstring of length 48 according to a fixed expansion function $E$. The expansion function is a permutation with 16 bits appearing twice.
2. XOR the expanded bitstring with the subkey.
3. Break the bitstring into 8 blocks of 6 bits each.
4. Pass each block through an S-box that takes as an input 6 bits and gives an output of 4 bits.
5. Permute the entire bitstring.

Fig. 4. The f function of the DES cipher. Source: Wikipedia.

The S-box calculation

There are 8 S-boxes that are 4 × 16 look-up tables. Assume that the input to the S-box is $B = b_1 b_2 b_3 b_4 b_5 b_6$.

1. The bits $b_1 b_6$ define the row $r$ of the S-box.
2. The bits $b_2 b_3 b_4 b_5$ define the column $c$ of the S-box.
3. The number $S(r, c)$ is represented using four bits and becomes the output of the S-box.

Fig. 5. The first S-box for the DES cipher.