DOCSLIB.ORG

Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms . 64 3.5.5 Metaheuristics in cryptography . 67 3.6 Cryptanalysis with metaheuristic search. 69 3.6.1 Metaheuristic attacks on knapsack ciphers . 69 2 3.6.2 The Permuted Perceptron Problem . 69 3.6.3 Metaheuristic attacks on block ciphers . 80 3.6.4 An attack with a quasi-metaheuristic methodology. 92 3.6.5 Attacks using non-metaheuristic search algorithms. 94 4 Evolving balanced Boolean functions with optimal resistance to alge- braic and fast algebraic attacks, maximal algebraic degree, and very high nonlinearity. 95 4.1 Introduction . 95 4.2 Preliminaries . 99 4.3 The experiments . 102 4.3.1 Representing candidates as truth tables . 102 4.3.2 Choosing a cost function . 105 4.3.3 Adding algebraic degree to the cost function. 109 4.3.4 Equivalence classes . 110 4.4 Summary of achievements, and avenues for future research . 111 5 Using evolutionary computation to create vectorial Boolean functions with low differential uniformity and high nonlinearity. 113 5.1 Introduction . 113 5.1.1 Technical background . 114 5.1.2 The use of metaheuristics in this field. 117 5.2 Experiments with simulated annealing . 119 5.2.1 Refining the annealing cost functions for differential uniformity . 120 5.2.2 Relating nonlinearity and differential cost functions. 122 5.3 Experiments with memetic algorithms . 126 5.4 Experiments with ant colony optimisation . 131 5.5 Conclusions, and directions for future research. 137 6 Nonlinear cryptanalysis and metaheuristic search for S-box approxima- tions. 139 6.1 Introduction. 140 6.1.1 Linear cryptanalysis - the three main phases of an Algorithm 2 attack.144 6.2 How nonlinear approximations affect the attack . 153 3 6.2.1 How unbalanced nonlinear components in the approximation affect the attack. 153 6.2.2 How the related approximations affect the attack. 157 6.3 New statistical frameworks and cryptanalytic techniques. 161 6.3.1 Adapting the new analysis phase to nonlinear cryptanalysis of substitution- permutation networks. 161 6.3.2 The theoretical complexity of the new attack. 168 6.3.3 When the cipher is not a substitution-permutation network. 175 6.4 The use of simulated annealing to evolve nonlinear approximations. 179 6.5 Experiments on various ciphers, and application to their cryptanalyses. 184 6.5.1 AES. 184 6.5.2 Serpent. 185 6.5.3 DES. 202 6.5.4 PRESENT. 207 6.6 Conclusions, and directions for future research. 208 7 Evaluation and conclusions 210 7.1 Single-output Boolean functions (Chapter 4). 210 7.2 Vectorial Boolean functions (Chapter 5). 211 7.3 Nonlinear approximations and nonlinear cryptanalysis (Chapter 6). 212 7.4 A unified view... 214 A Truth tables of evolved filter functions 216 B The proof of Theorem 5.1.18 218 B.0.1 Preliminaries. 218 B.0.2 Constructing the equivalent bijection. 219 B.0.3 Consequences for genetic/memetic and ant algorithms . 240 C Errors in the description of the Dunkelman/Keller approximation 243 4 List of Figures 3.1 The Data Encryption Standard (DES). 22 3.2 The Heys substitution-permutation network. 25 3.3 The linear approximation table for the example S-box in the Heys toy cipher. 30 3.4 A linear approximation to the first three rounds of the Heys SPN. 31 3.5 Difference distribution table (DDT) for the Heys S-box. 36 3.6 A differential characteristic linked across several rounds of the Heys SPN. 38 3.7 Diagram showing the operation of a linear feedback shift register. 49 3.8 Diagram showing the operation of a combiner-based stream cipher. 50 3.9 Diagram showing the operation of a filter-based stream cipher. 51 3.10 Diagram depicting a boomerang attack. 84 6.1 Diagram of a 1R nonlinear approximation to the Heys toy cipher. 143 6.2 Diagram showing the full 16-round DES and Matsui's approximation for rounds 2 to 15. 154 6.3 Diagram showing part of the Heys cipher during linear cryptanalysis. 158 6.4 Graphs comparing an approximated and an exact means of calculating ad- vantage in nonlinear attacks. 173 6.5 Diagram showing the first three rounds of DES in Matsui's attack. 176 6.6 Diagram showing the last three rounds of DES in Matsui's attack. 176 6.7 Graph showing mean advantages for linear and nonlinear attacks on four round SPN. 197 6.8 Graph showing average advantages based on mean rank for linear and non- linear attacks on four round SPN. 198 5 List of Tables 4.1 Annealed and previously-known Boolean functions for n ≤ 11. 107 4.2 First set of annealed Boolean functions for 12 ≤ n ≤ 16. 109 4.3 Best annealed and previously-known functions for 12 ≤ n ≤ 16. 110 4.4 Equivalence classes of functions with the best annealed profiles. 110 5.1 Differential properties of annealed S-boxes with different cost functions. 122 5.2 Nonlinearity properties of annealed S-boxes with different cost functions. 124 5.3 Annealed S-boxes with n = 5 in large-scale experiments. 125 5.4 Annealed S-boxes with n = 6 in large-scale experiments. 125 5.5 Comparison of best-known and evolved S-box nonlinearities for 5 ≤ n ≤ 8. 126 5.6 Results of memetic algorithm experiments using cycle crossover and roulette- wheel selection. 127 5.7 Results of memetic algorithm experiments using cycle crossover and rank selection. 128 5.8 Results of memetic algorithm experiments using PMX crossover and roulette- wheel selection. 129 5.9 Results of memetic algorithm experiments using PMX crossover and rank selection. 130 5.10 Results of varying crossover probabilities in memetic algorithm experiments. 131 5.11 Results of varying population sizes in memetic algorithm experiments. 131 5.12 First set of experiments with Ant System. 133 5.13 First set of experiments with Dorigo's Ant Colony System and cycle-index. 133 5.14 First set of experiments with Dorigo's Ant Colony System and increment- index. 133 5.15 First set of experiments with Luke's Ant Colony System and cycle-index. 133 6 5.16 First set of experiments with Luke's Ant Colony System and increment-index.134 5.17 Experiments varying the evaporation rate for Ant System and increment- index. 134 5.18 Experiments varying the evaporation rate for Ant System and cycle-index. 134 5.19 Experiments varying evaporation rate and elitist pheromone update in Luke ACS (cycle). 135 5.20 Experiments varying evaporation rate and elitist pheromone update in Luke ACS (increment). 135 5.21 Experiments varying evaporation rate and elitist pheromone update in Dorigo ACS (cycle). 135 5.22 Experiments varying evaporation rate and elitist pheromone update in Dorigo ACS (increment). 136 5.23 Performance of ant algorithms for different numbers of ants. 137 6.1 Linear approximation to DES S5. 159 6.2 First nonlinear approximation to Serpent S3. 159 6.3 Second nonlinear approximation to Serpent S3. 159 6.4 Positions of data bits in hypothetical nonlinear attack on DES. 177 6.5 Recurring key bits in hypothetical nonlinear attack on DES (i). 177 6.6 Recurring key bits in hypothetical nonlinear attack on DES (ii). 178 6.7 Comparison of success probabilities in linear cryptanalysis according to the formulae of Matsui and Sel¸cuk. 190 6.8 Linear cryptanalysis: success probabilities for 44 attacked key bits. 190 6.9 Linear cryptanalysis: success probabilities for 108 attacked key bits. 190 6.10 Linear cryptanalysis: success probabilities for 140 attacked key bits. 191 6.11 Comparison of attack complexities for linear, multidimensional linear, and nonlinear attacks on reduced-round Serpent (part 1). 193 6.12 Comparison of attack complexities for linear, multidimensional linear, and nonlinear attacks on reduced-round Serpent (part 2). 194 6.13 Comparison of attack complexities for linear, multidimensional linear, and nonlinear attacks on reduced-round Serpent (part 3). 195 6.14 Nonlinear approximations to Serpent S3 with output bitmask 0101. 199 6.15 Nonlinear approximations to Serpent S3 with output bitmask 1100. 200 6.16 Nonlinear approximations to Serpent S3 with input bitmask 0011.
Load more

Recommended publications
  • Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher
    Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Florian Mendel1, Thomas Peyrin2, Christian Rechberger1, and Martin Schl¨affer1 1 IAIK, Graz University of Technology, Austria 2 Ingenico, France [email protected],[email protected] Abstract. In this paper, we propose two new ways to mount attacks on the SHA-3 candidates Grøstl, and ECHO, and apply these attacks also to the AES. Our results improve upon and extend the rebound attack. Using the new techniques, we are able to extend the number of rounds in which available degrees of freedom can be used. As a result, we present the first attack on 7 rounds for the Grøstl-256 output transformation3 and improve the semi-free-start collision attack on 6 rounds. Further, we present an improved known-key distinguisher for 7 rounds of the AES block cipher and the internal permutation used in ECHO. Keywords: hash function, block cipher, cryptanalysis, semi-free-start collision, known-key distinguisher 1 Introduction Recently, a new wave of hash function proposals appeared, following a call for submissions to the SHA-3 contest organized by NIST [26]. In order to analyze these proposals, the toolbox which is at the cryptanalysts' disposal needs to be extended. Meet-in-the-middle and differential attacks are commonly used. A recent extension of differential cryptanalysis to hash functions is the rebound attack [22] originally applied to reduced (7.5 rounds) Whirlpool (standardized since 2000 by ISO/IEC 10118-3:2004) and a reduced version (6 rounds) of the SHA-3 candidate Grøstl-256 [14], which both have 10 rounds in total.
    [Show full text]
  • Improved Rectangle Attacks on SKINNY and CRAFT
    Improved Rectangle Attacks on SKINNY and CRAFT Hosein Hadipour1, Nasour Bagheri2 and Ling Song3( ) 1 Department of Mathematics and Computer Science, University of Tehran, Tehran, Iran, [email protected] 2 Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran, [email protected] 3 Jinan University, Guangzhou, China [email protected] Abstract. The boomerang and rectangle attacks are adaptions of differential crypt- analysis that regard the target cipher E as a composition of two sub-ciphers, i.e., 2 2 E = E1 ◦ E0, to construct a distinguisher for E with probability p q by concatenat- ing two short differential trails for E0 and E1 with probability p and q respectively. According to the previous research, the dependency between these two differential characteristics has a great impact on the probability of boomerang and rectangle distinguishers. Dunkelman et al. proposed the sandwich attack to formalise such dependency that regards E as three parts, i.e., E = E1 ◦ Em ◦ E0, where Em contains the dependency between two differential trails, satisfying some differential propagation with probability r. Accordingly, the entire probability is p2q2r. Recently, Song et al. have proposed a general framework to identify the actual boundaries of Em and systematically evaluate the probability of Em with any number of rounds, and applied their method to accurately evaluate the probabilities of the best SKINNY’s boomerang distinguishers. In this paper, using a more advanced method to search for boomerang distinguishers, we show that the best previous boomerang distinguishers for SKINNY can be significantly improved in terms of probability and number of rounds.
    [Show full text]
  • Key-Dependent Approximations in Cryptanalysis. an Application of Multiple Z4 and Non-Linear Approximations
    KEY-DEPENDENT APPROXIMATIONS IN CRYPTANALYSIS. AN APPLICATION OF MULTIPLE Z4 AND NON-LINEAR APPROXIMATIONS. FX Standaert, G Rouvroy, G Piret, JJ Quisquater, JD Legat Universite Catholique de Louvain, UCL Crypto Group, Place du Levant, 3, 1348 Louvain-la-Neuve, standaert,rouvroy,piret,quisquater,[email protected] Linear cryptanalysis is a powerful cryptanalytic technique that makes use of a linear approximation over some rounds of a cipher, combined with one (or two) round(s) of key guess. This key guess is usually performed by a partial decryp- tion over every possible key. In this paper, we investigate a particular class of non-linear boolean functions that allows to mount key-dependent approximations of s-boxes. Replacing the classical key guess by these key-dependent approxima- tions allows to quickly distinguish a set of keys including the correct one. By combining different relations, we can make up a system of equations whose solu- tion is the correct key. The resulting attack allows larger flexibility and improves the success rate in some contexts. We apply it to the block cipher Q. In parallel, we propose a chosen-plaintext attack against Q that reduces the required number of plaintext-ciphertext pairs from 297 to 287. 1. INTRODUCTION In its basic version, linear cryptanalysis is a known-plaintext attack that uses a linear relation between input-bits, output-bits and key-bits of an encryption algorithm that holds with a certain probability. If enough plaintext-ciphertext pairs are provided, this approximation can be used to assign probabilities to the possible keys and to locate the most probable one.
    [Show full text]
  • Vector Boolean Functions: Applications in Symmetric Cryptography
    Vector Boolean Functions: Applications in Symmetric Cryptography José Antonio Álvarez Cubero Departamento de Matemática Aplicada a las Tecnologías de la Información y las Comunicaciones Universidad Politécnica de Madrid This dissertation is submitted for the degree of Doctor Ingeniero de Telecomunicación Escuela Técnica Superior de Ingenieros de Telecomunicación November 2015 I would like to thank my wife, Isabel, for her love, kindness and support she has shown during the past years it has taken me to finalize this thesis. Furthermore I would also liketo thank my parents for their endless love and support. Last but not least, I would like to thank my loved ones such as my daughter and sisters who have supported me throughout entire process, both by keeping me harmonious and helping me putting pieces together. I will be grateful forever for your love. Declaration The following papers have been published or accepted for publication, and contain material based on the content of this thesis. 1. [7] Álvarez-Cubero, J. A. and Zufiria, P. J. (expected 2016). Algorithm xxx: VBF: A library of C++ classes for vector Boolean functions in cryptography. ACM Transactions on Mathematical Software. (In Press: http://toms.acm.org/Upcoming.html) 2. [6] Álvarez-Cubero, J. A. and Zufiria, P. J. (2012). Cryptographic Criteria on Vector Boolean Functions, chapter 3, pages 51–70. Cryptography and Security in Computing, Jaydip Sen (Ed.), http://www.intechopen.com/books/cryptography-and-security-in-computing/ cryptographic-criteria-on-vector-boolean-functions. (Published) 3. [5] Álvarez-Cubero, J. A. and Zufiria, P. J. (2010). A C++ class for analysing vector Boolean functions from a cryptographic perspective.
    [Show full text]
  • Hamming Weight Attacks on Cryptographic Hardware – Breaking Masking Defense?
    Hamming Weight Attacks on Cryptographic Hardware { Breaking Masking Defense? Marcin Gomu lkiewicz1 and Miros law Kuty lowski12 1 Cryptology Centre, Poznan´ University 2 Institute of Mathematics, Wroc law University of Technology, ul. Wybrzeze_ Wyspianskiego´ 27 50-370 Wroc law, Poland Abstract. It is believed that masking is an effective countermeasure against power analysis attacks: before a certain operation involving a key is performed in a cryptographic chip, the input to this operation is com- bined with a random value. This has to prevent leaking information since the input to the operation is random. We show that this belief might be wrong. We present a Hamming weight attack on an addition operation. It works with random inputs to the addition circuit, hence masking even helps in the case when we cannot control the plaintext. It can be applied to any round of the encryption. Even with moderate accuracy of measuring power consumption it de- termines explicitly subkey bits. The attack combines the classical power analysis (over Hamming weight) with the strategy of the saturation at- tack performed using a random sample. We conclude that implementing addition in cryptographic devices must be done very carefully as it might leak secret keys used for encryption. In particular, the simple key schedule of certain algorithms (such as IDEA and Twofish) combined with the usage of addition might be a serious danger. Keywords: cryptographic hardware, side channel cryptanalysis, Ham- ming weight, power analysis 1 Introduction Symmetric encryption algorithms are often used to protect data stored in inse- cure locations such as hard disks, archive copies, and so on.
    [Show full text]
  • Lecture Note 8 ATTACKS on CRYPTOSYSTEMS I Sourav Mukhopadhyay
    Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Attacks on Cryptosystems • Up to this point, we have mainly seen how ciphers are implemented. • We have seen how symmetric ciphers such as DES and AES use the idea of substitution and permutation to provide security and also how asymmetric systems such as RSA and Diffie Hellman use other methods. • What we haven’t really looked at are attacks on cryptographic systems. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 1 • An understanding of certain attacks will help you to understand the reasons behind the structure of certain algorithms (such as Rijndael) as they are designed to thwart known attacks. • Although we are not going to exhaust all possible avenues of attack, we will get an idea of how cryptanalysts go about attacking ciphers. Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 2 • This section is really split up into two classes of attack: Cryptanalytic attacks and Implementation attacks. • The former tries to attack mathematical weaknesses in the algorithms whereas the latter tries to attack the specific implementation of the cipher (such as a smartcard system). • The following attacks can refer to either of the two classes (all forms of attack assume the attacker knows the encryption algorithm): Cryptography and Network Security - MA61027 (Sourav Mukhopadhyay, IIT-KGP, 2010) 3 – Ciphertext-only attack: In this attack the attacker knows only the ciphertext to be decoded. The attacker will try to find the key or decrypt one or more pieces of ciphertext (only relatively weak algorithms fail to withstand a ciphertext-only attack).
    [Show full text]
  • Chapter 3 – Block Ciphers and the Data Encryption Standard
    Chapter 3 –Block Ciphers and the Data Cryptography and Network Encryption Standard Security All the afternoon Mungo had been working on Stern's Chapter 3 code, principally with the aid of the latest messages which he had copied down at the Nevin Square drop. Stern was very confident. He must be well aware London Central knew about that drop. It was obvious Fifth Edition that they didn't care how often Mungo read their messages, so confident were they in the by William Stallings impenetrability of the code. —Talking to Strange Men, Ruth Rendell Lecture slides by Lawrie Brown Modern Block Ciphers Block vs Stream Ciphers now look at modern block ciphers • block ciphers process messages in blocks, each one of the most widely used types of of which is then en/decrypted cryptographic algorithms • like a substitution on very big characters provide secrecy /hii/authentication services – 64‐bits or more focus on DES (Data Encryption Standard) • stream ciphers process messages a bit or byte at a time when en/decrypting to illustrate block cipher design principles • many current ciphers are block ciphers – better analysed – broader range of applications Block vs Stream Ciphers Block Cipher Principles • most symmetric block ciphers are based on a Feistel Cipher Structure • needed since must be able to decrypt ciphertext to recover messages efficiently • bloc k cihiphers lklook like an extremely large substitution • would need table of 264 entries for a 64‐bit block • instead create from smaller building blocks • using idea of a product cipher 1 Claude
    [Show full text]
  • Indistinguishability Amplification
    Indistinguishability Amplification Ueli Maurer Krzysztof Pietrzak Renato Renner [email protected] [email protected] [email protected] ETH Z¨urich ENS Paris Cambridge Abstract A random system is the abstraction of the input-output behavior of any kind of discrete system, in particular cryptographic systems. Many aspects of cryptographic security analyses and proofs can be seen as the proof that a certain random system (e.g. a block cipher) is indistinguishable from an ideal system (e.g. a random permutation), for different types of distinguishers. This paper presents a new generic approach to proving upper bounds on the distinguishing ad- vantage of a combined system, assuming upper bounds of various types on the component systems. For a general type of combination operation of systems (including the combination of functions or the cascade of permutations), we prove two amplification theorems. The first is a direct-product theorem, similar in spirit to the XOR-Lemma: The distinguishing advantage (or security) of the combination of two (possibly stateful) systems is twice the product of the individual distinguishing advantages, which is optimal. The second theorem states that the combination of systems is secure against some strong class of distinguishers, assuming only that the components are secure against some weaker class of attacks. As a corollary we obtain tight bounds on the adaptive security of the cascade and parallel composition of non-adaptively (or only random-query) secure component systems. A key technical tool of the paper is to show a tight two-way correspondence, previously only known to hold in one direction, between the distinguishing advantage of two systems and the probability of provoking an appropriately defined event on one of the systems.
    [Show full text]
  • Feistel Like Construction of Involutory Binary Matrices with High Branch Number
    Feistel Like Construction of Involutory Binary Matrices With High Branch Number Adnan Baysal1,2, Mustafa C¸oban3, and Mehmet Ozen¨ 3 1TUB¨ ITAK_ - BILGEM,_ PK 74, 41470, Gebze, Kocaeli, Turkey, [email protected] 2Kocaeli University, Department of Computer Engineering, Faculty of Engineering, Institute of Science, 41380, Umuttepe, Kocaeli, Turkey 3Sakarya University, Faculty of Arts and Sciences, Department of Mathematics, Sakarya, Turkey, [email protected], [email protected] August 4, 2016 Abstract In this paper, we propose a generic method to construct involutory binary matrices from a three round Feistel scheme with a linear round function. We prove bounds on the maximum achievable branch number (BN) and the number of fixed points of our construction. We also define two families of efficiently implementable round functions to be used in our method. The usage of these families in the proposed method produces matrices achieving the proven bounds on branch numbers and fixed points. Moreover, we show that BN of the transpose matrix is the same with the original matrix for the function families we defined. Some of the generated matrices are Maximum Distance Binary Linear (MDBL), i.e. matrices with the highest achievable BN. The number of fixed points of the generated matrices are close to the expected value for a random involution. Generated matrices are especially suitable for utilising in bitslice block ciphers and hash functions. They can be implemented efficiently in many platforms, from low cost CPUs to dedicated hardware. Keywords: Diffusion layer, bitslice cipher, hash function, involution, MDBL matrices, Fixed points. 1 Introduction Modern block ciphers and hash functions use two basic layers iteratively to provide security: confusion and diffusion.
    [Show full text]
  • Block Ciphers and the Data Encryption Standard
    Lecture 3: Block Ciphers and the Data Encryption Standard Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) January 26, 2021 3:43pm ©2021 Avinash Kak, Purdue University Goals: To introduce the notion of a block cipher in the modern context. To talk about the infeasibility of ideal block ciphers To introduce the notion of the Feistel Cipher Structure To go over DES, the Data Encryption Standard To illustrate important DES steps with Python and Perl code CONTENTS Section Title Page 3.1 Ideal Block Cipher 3 3.1.1 Size of the Encryption Key for the Ideal Block Cipher 6 3.2 The Feistel Structure for Block Ciphers 7 3.2.1 Mathematical Description of Each Round in the 10 Feistel Structure 3.2.2 Decryption in Ciphers Based on the Feistel Structure 12 3.3 DES: The Data Encryption Standard 16 3.3.1 One Round of Processing in DES 18 3.3.2 The S-Box for the Substitution Step in Each Round 22 3.3.3 The Substitution Tables 26 3.3.4 The P-Box Permutation in the Feistel Function 33 3.3.5 The DES Key Schedule: Generating the Round Keys 35 3.3.6 Initial Permutation of the Encryption Key 38 3.3.7 Contraction-Permutation that Generates the 48-Bit 42 Round Key from the 56-Bit Key 3.4 What Makes DES a Strong Cipher (to the 46 Extent It is a Strong Cipher) 3.5 Homework Problems 48 2 Computer and Network Security by Avi Kak Lecture 3 Back to TOC 3.1 IDEAL BLOCK CIPHER In a modern block cipher (but still using a classical encryption method), we replace a block of N bits from the plaintext with a block of N bits from the ciphertext.
    [Show full text]
  • Block Ciphers
    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
    [Show full text]
  • On the Decorrelated Fast Cipher (DFC) and Its Theory
    On the Decorrelated Fast Cipher (DFC) and Its Theory Lars R. Knudsen and Vincent Rijmen ? Department of Informatics, University of Bergen, N-5020 Bergen Abstract. In the first part of this paper the decorrelation theory of Vaudenay is analysed. It is shown that the theory behind the propo- sed constructions does not guarantee security against state-of-the-art differential attacks. In the second part of this paper the proposed De- correlated Fast Cipher (DFC), a candidate for the Advanced Encryption Standard, is analysed. It is argued that the cipher does not obtain prova- ble security against a differential attack. Also, an attack on DFC reduced to 6 rounds is given. 1 Introduction In [6,7] a new theory for the construction of secret-key block ciphers is given. The notion of decorrelation to the order d is defined. Let C be a block cipher with block size m and C∗ be a randomly chosen permutation in the same message space. If C has a d-wise decorrelation equal to that of C∗, then an attacker who knows at most d − 1 pairs of plaintexts and ciphertexts cannot distinguish between C and C∗. So, the cipher C is “secure if we use it only d−1 times” [7]. It is further noted that a d-wise decorrelated cipher for d = 2 is secure against both a basic linear and a basic differential attack. For the latter, this basic attack is as follows. A priori, two values a and b are fixed. Pick two plaintexts of difference a and get the corresponding ciphertexts.
    [Show full text]