sign in sign up
<<
Home , Feistel cipher

Organisation Organisation Overview Block Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Assume and decryption use the same . Players Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Have the following main players: Alice: sender of an encrypted message Kinds of symmetric ciphers: • Bob: intended receiver of encrypted message. Assumed to the Block : Symmetric cipher operating on fixed-length • • key. groups of bits, called blocks Eve: (Passive) attacker intercepting messages and trying to Symmetric cipher encrypting • • identify or keys continuously. Digits are encrypted one at a time, differently Mallory: (Active) attacker intercepting and modifying for each bit. • messages to identify plaintexts or keys

Eve, Mallory Key Key

Encryption Decryption

Alice Bob

Eike Ritter 2013/14 25 Eike Ritter Cryptography 2013/14 26 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Feistel Cipher Feistel Cipher, continued

Formal definition: Split plaintext block in two equal pieces M = (L , R ) Invented in 1971 at IBM • 0 ) For each round i = 0, 1,..., r 1 compute Important class of ciphers (eg Blowfish, DES, 3DES) • − Same encryption scheme applied iteratively for several rounds Li+1 = Ri Important step: Derive round key from original key via special Ri+1 = Li F (Ki , Ri ) function called Feistel function ⊕ The is C = (R , L ) Each round works as follows: • r r Split input in half R • Li i Apply Feistel function to the right half • Compute xor of result with old left half to be new left half Ki • F Swap old right and new left half, unless we are in the last • round

Li+1 Ri+1

Eike Ritter Cryptography 2013/14 27 Eike Ritter Cryptography 2013/14 28 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Decryption DES

Works as encryption, but with a reversed order of keys Split ciphertext block in two equal pieces C = (R , L ) • r R (DES) adopted in 1976 For each round i = r, r 1,..., 1 compute • − too small for today’s computers (can be broken within 10 hours) Ri 1 = Li − Variants still provide good security Li 1 = Ri F (Ki 1, Li ) − ⊕ − Plaintext is M = (L , R ) • 0 0

Eike Ritter Cryptography 2013/14 29 Eike Ritter Cryptography 2013/14 30 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Overview of DES Design parameters

R Plaintext Block Li i

Ki Initial Permutation IP F Block length is 64 bits • R Number of rounds R is 16 L0 0 • L R Key length is is 56 bits i+1 i+1 • Round key length is 48 bit for each subkey K ,..., K . • 0 15 L16 Subkeys are derived from 56 bit key via special . R16

1 Final Permutation IP−

Ciphertext block

Eike Ritter Cryptography 2013/14 31 Eike Ritter Cryptography 2013/14 32 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers DES Feistel function DES Feistel function, continued

Four stage procedure: Expansion permutation: Expand 32-bit message half block to • 48 bit block by doubling 16 bits and permuting them Round key addition: Compute xor of this 48 bit block with • round key Ki S-Box: Split 48 bit into eight 6-bit blocks. Each of them is • given as input to eight substitution boxes, which substitute 6-bit block by 4-bit block. P-Box: Combine these eight 4-bit blocks to 32-bit block and • apply another permutation.

Source: Wikipedia

Eike Ritter Cryptography 2013/14 33 Eike Ritter Cryptography 2013/14 34 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers DES-operations S-boxes

Have three special operations: Cyclic shifts on bitstring blocks: Will denote by b <<< n the • move of the bits of block b by n to the left. Bits that would S-boxes: An S-box substitution is a table lookup. Input is 6 have fallen out are added at the right side of the b. b >>> n • bit, output is 4 bit. Works as follows: is defined similarly Strip out outer bits of input and join them. This two-bit Permutations: Note: might duplicate or drop bits. Written • • number is the row index. down as output order of the input bits. Four inner bits indicate column number. Example: the permutation 4 1 2 3 means that • Output is corresponding entry in table the fourth input bit becomes the first output bit, • • the first input bit becomes the second output bit, • the second input bit becomes the third output bit, and • the third input bit becomes the fourth output bit. •

Eike Ritter Cryptography 2013/14 35 Eike Ritter Cryptography 2013/14 36 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers Key schedule

Have different keys for each round, computed by so-called Key schedule 64-bit key is actually 56-bit key plus 8 parity bits Definition Apply permutation to the 56-bit and split result into half to + • A function  : N R is called negligible if for all d there exists a obtain (C0, D0) → λd such that for all λ λd , For each round we compute ≥ • 1 (λ) Ci = Ci 1 <<< pi d − ≤ λ Di = Di 1 <<< pi − where 1 if i = 1, 2, 9, 16 p = i 2 otherwise  C and D are joined together and permuted again. • i i

Eike Ritter Cryptography 2013/14 37 Eike Ritter Cryptography 2013/14 38 Organisation Organisation Overview Block Ciphers Overview Block Ciphers Historic Ciphers Security of Block ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers Symmetric Ciphers

Definition Let be the set of all permutations on X , and E an efficient Definition F permutation over (K, X ) and let b 0, 1 . Define EXP(b) to be ∈ { } A efficient permutation over (K, X ) is a function the following game between the attacker and the challenger: If b = 0, the challenger chooses a k K at random, and if E : K X X ∈ × → b = 1, the challenger chooses a permutation f on X at such that random. there exists an efficient deterministic algorithm to compute The attacker does arbitrary computations. E(k, x) for any k and x; The attacker has access to a black box, which is a function The function E(k, ) is one-to-one for each k from X to X operated by the challenger. He can ask the There exists a function D : K X X which is efficiently challenger for the values g(x1),..., g(xn) during his × → computable, and D(k, E(k, x)) = x for all k and x. computation. If b = 0, the challenger answers the query g(xi ) by returning E(k, xi ), and if b = 1, the answer is f (xi ). Eventually the attacker outputs a bit b 0, 1 . 0 ∈ { } Eike Ritter Cryptography 2013/14 39 Eike Ritter Cryptography 2013/14 40 Organisation Overview Block Ciphers Historic Ciphers Security of Block ciphers Symmetric Ciphers

Definition An efficient permutation E : K X X is secure if for all efficient × → attackers A,

Adv[A, E] = Prk K [EXP(0) = 1] Prf [EXP(1) = 1] | ∈ − ∈F | is negligible.

Eike Ritter Cryptography 2013/14 41