
ECE596C: Handout #7

Analysis of DES and the AES Standard

Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Abstract. In this lecture we analyze the security properties of DES and the AES.

1 On the Security of DES

1.1 The Avalanche Effect

For any encryption/decryption algorithm, a desirable property is that a small change in either the plaintext or the key should result in a significant change in the produced ciphertext (WHY?). DES indeed exhibits a strong avalanche effect. The avalanche effect can be illustrated by considering the following two experiments.

Experiment 1
– Pick two plaintexts that differ at only one bit.
– Encrypt both plaintexts with the same key.
– XOR the two ciphertexts and count the number of ones.

Example: x1 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000, x2 = 10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000, and K = 00000001 1001011 0100100 11000100 0011100 0011000 0011100 0110010, yield two ciphertexts that differ at 35 bits after the third round of DES, and a final difference of 34 bits after all 16 rounds have been executed.

Experiment 2
– Pick two keys that differ at only one bit.
– Encrypt the same plaintext using the two different keys.
– XOR the two ciphertexts and count the number of ones.

Example: x = 01101000 10000101 00101111 01111010 000010011 01110110 11101011 10100100, and K1 = 1110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100, K2 = 0110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100, yield two ciphertexts that differ at 26 bits after the third round of DES, and a final difference of 35 bits after all 16 rounds have been executed.

ECE 596C: Cryptography for Secure Communications with Applications to Network Security

1.2 The Strength of 56-Bit Keys

With a key length of 56 bits, there are 2^56 possible keys, i.e. approximately 7.2 × 10^16 keys. With today's technology, breaking a DES encryption via brute-force attack has been proven feasible. In 1998 the Electronic Frontier Foundation (EFF) built a DES cracker worth a quarter million dollars that recovered a DES key in 56 hours. The DES cracker searched 88 billion keys per second.

In 1999, DES was cracked within 22 hours and 15 minutes by using the idle cycles of 100,000 networked computers worldwide. The network was capable of searching 245 billion keys per second.

In 2007, researchers from Germany developed an FPGA-based machine called COPACOBANA, built from off-the-shelf components, that can break a DES encryption in 6.4 days (on average).

Given the short key length, DES cannot be considered secure. Note, however, that a brute-force attack needs a way to recognize the correct key: the adversary must know the plaintext, or at least have an estimate of it (for example a known file header, natural-language text, or a fixed message format). Without plaintext knowledge or a plaintext estimate, it is not possible to determine when the right DES key has been found.

2 The AES Standard

The Advanced Encryption Standard (AES) was adopted by NIST in November 2001 as FIPS 197. It was designed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, and the underlying cipher is also known as Rijndael. It has been adopted by the US government as the default encryption cipher wherever encryption is required (details can be found at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf).

2.1 Description of the Cipher

The AES is a block cipher with a block length of 128 bits (as opposed to 64 bits in DES). It can operate with three different key lengths: 128, 192 and 256 bits. Like DES, it is an iterative cipher, with a number of rounds Nr that depends on the key length: 10 rounds for a key length of 128 bits, 12 rounds for 192 bits and 14 rounds for 256 bits. In AES, all operations are performed on a byte basis. A 128-bit block is split into 16 bytes, which are organized into a 4x4 array referred to as the state. The following operations take place:

– Key Expansion using Rijndael's key schedule
– Initial round
  1. AddRoundKey
– Nr − 1 rounds
  1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
  2. ShiftRows: a transposition step where each row of the state is left-shifted cyclically by a number of bytes equal to the row number.
  3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
  4. AddRoundKey: each byte of the state is XORed with the corresponding byte of the round key.
– Final round
  1. SubBytes
  2. ShiftRows
  3. AddRoundKey

2.2 The SubBytes transformation

This is a typical S-box lookup table operation. For example, if s1,1 = {53}, the substitution value is determined by the intersection of the row with index 5 and the column with index 3 in Fig. 2. This results in s′1,1 = {ed}.

Fig. 1. The SubBytes transformation.

Fig. 2. The SubBytes lookup table.

2.3 The ShiftRows Transformation

In the ShiftRows transformation, the bytes in each row of the state are cyclically shifted to the left by a number of bytes equal to the row number (rows are numbered 0 to 3, so row 0 is left unchanged).

Fig. 3. The ShiftRows transformation.

2.4 The MixColumns Transformation

The MixColumns transformation operates on the state column by column, treating each column as a four-term polynomial with coefficients in GF(2^8) and multiplying it modulo x^4 + 1 by the fixed polynomial a(x) = {03}x^3 + {01}x^2 + {01}x + {02}.

Fig. 4. The MixColumns transformation.

2.5 Key Expansion

The AES algorithm takes the cipher key K and expands it to generate a key schedule. The total number of round keys generated is Nr + 1, each of which is 16 bytes long. The key schedule is word oriented, with each word consisting of 4 bytes. For 10-round AES (128-bit key), a total of 11 × 4 = 44 words must be generated from an initial key of 4 words.

Algorithm 1 Key Expansion (128-bit key)
  INPUT: K = key[0], ..., key[15]
  RCon[1] ← 01000000, RCon[2] ← 02000000, RCon[3] ← 04000000, RCon[4] ← 08000000, RCon[5] ← 10000000,
  RCon[6] ← 20000000, RCon[7] ← 40000000, RCon[8] ← 80000000, RCon[9] ← 1B000000, RCon[10] ← 36000000
  for i ← 0 to 3 do
      w[i] ← (key[4i], key[4i + 1], key[4i + 2], key[4i + 3])
  end for
  for i ← 4 to 43 do
      temp ← w[i − 1]
      if i ≡ 0 (mod 4) then
          temp ← SubWord(RotWord(temp)) ⊕ RCon[i/4]
      end if
      w[i] ← w[i − 4] ⊕ temp
  end for
  return (w[0], ..., w[43])

The key expansion uses the following transformations:

– SubWord: takes a four-byte input word and applies the S-box to each of the four bytes to produce an output word.
– RotWord: takes a word [a0, a1, a2, a3] as input, performs a cyclic permutation, and returns the word [a1, a2, a3, a0].
– RCon[i]: a constant array of ten words, RCon[i] = (rc_i, 00, 00, 00), where rc_1 = 01 and rc_i = 02 · rc_{i−1} in GF(2^8); this produces the values 01, 02, 04, 08, 10, 20, 40, 80, 1B, 36 listed in Algorithm 1.

2.6 Example

Key, K = 66 50 3c 41 67 22 63 46 25 77 5d 27 26 55 3c 7a

w[0] = 66 50 3c 41, w[1] = 67 22 63 46, w[2] = 25 77 5d 27, w[3] = 26 55 3c 7a

For i = 4, temp = w[3] = 26 55 3c 7a. Because i ≡ 0 (mod 4),

temp ← SubWord(RotWord(temp)) ⊕ RCon[1]

RotWord(26 55 3c 7a) = 55 3c 7a 26

SubWord(55 3c 7a 26) = fc eb da f7 (each byte is passed through the S-box of Fig. 2: S(55) = fc, S(3c) = eb, S(7a) = da, S(26) = f7)

temp ← fc eb da f7 ⊕ 01 00 00 00 = fd eb da f7

w[4] ← w[0] ⊕ temp = 66 50 3c 41 ⊕ fd eb da f7 = 9b bb e6 b6

For i = 5, temp = w[4] = 9b bb e6 b6. Since 5 ≢ 0 (mod 4), temp is used as is:

w[5] ← w[1] ⊕ w[4] = 67 22 63 46 ⊕ 9b bb e6 b6 = fc 99 85 f0
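The round transformations of Sections 2.1–2.4 and the key schedule of Sections 2.5–2.6, assembled into a working AES encryption. This is an added example written for this handout; it is not the handout's own code nor NIST's reference implementation, and the function names (gf_mul, key_expansion, sub_bytes, shift_rows, mix_columns, add_round_key, aes_encrypt_block, hamming_distance) are this example's. The S-box is computed from its algebraic definition (GF(2^8) inverse followed by the affine map of FIPS 197) rather than copied from Fig. 2, and the key schedule follows Algorithm 1 but is generalised to 192- and 256-bit keys (the extra SubWord at i ≡ 4 (mod 8) for AES-256 is FIPS 197's rule, not something stated in the handout). The `__main__` part recomputes the Section 2.6 words, checks the FIPS 197 Appendix B known-answer vector, and repeats Experiment 1 of Section 1.1 on AES.

```python
"""AES block encryption assembled from the handout's round transformations and
Rijndael's key schedule; Python standard library only. The S-box is computed
from its definition (GF(2^8) inverse, then the FIPS-197 affine map), so Fig. 2
does not have to be transcribed by hand."""


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced modulo the AES
    field polynomial x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _sbox_entry(x: int) -> int:
    # x^254 = x^-1 in GF(2^8) for x != 0 (0 maps to 0); then b ^ rotl(b,1..4) ^ 0x63.
    inv = 1 if x else 0
    for _ in range(254 if x else 0):
        inv = gf_mul(inv, x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]


def key_expansion(key: bytes) -> list:
    """Algorithm 1 of the handout, generalised to Nk = 4, 6 or 8 key words
    (AES-128/192/256). Returns the 4*(Nr+1) schedule words, 4 bytes each."""
    nk = len(key) // 4
    nr = nk + 6
    w = [key[4 * i:4 * i + 4] for i in range(nk)]
    rcon = 0x01                       # RCon[1]; each later one is the previous times {02}
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = bytes(SBOX[b] for b in temp[1:] + temp[:1])  # SubWord(RotWord(temp))
            temp = bytes([temp[0] ^ rcon]) + temp[1:]           # ... XOR RCon[i/Nk]
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            temp = bytes(SBOX[b] for b in temp)                 # extra SubWord, AES-256 only
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], temp)))
    return w


# State = 16 bytes in FIPS-197 column-major order: the byte in row r, column c
# is at index r + 4*c, so the input block is the state and schedule word c is column c.
def sub_bytes(s: bytes) -> bytes:
    return bytes(SBOX[b] for b in s)


def shift_rows(s: bytes) -> bytes:
    # Row r is rotated left by r positions; row 0 is untouched.
    return bytes(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))


def mix_columns(s: bytes) -> bytes:
    # Column times a(x) = {03}x^3 + {01}x^2 + {01}x + {02} mod x^4 + 1, i.e. the
    # circulant matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2] over GF(2^8).
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out[4 * c] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        out[4 * c + 3] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return bytes(out)


def add_round_key(s: bytes, w: list, rnd: int) -> bytes:
    return bytes(a ^ b for a, b in zip(s, b"".join(w[4 * rnd:4 * rnd + 4])))


def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with Nr = 10, 12 or 14 rounds."""
    if len(key) not in (16, 24, 32) or len(block) != 16:
        raise ValueError("key must be 16, 24 or 32 bytes and the block exactly 16 bytes")
    w = key_expansion(key)
    nr = len(w) // 4 - 1
    s = add_round_key(block, w, 0)                          # initial round
    for rnd in range(1, nr):                                # Nr - 1 full rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), w, rnd)
    return add_round_key(shift_rows(sub_bytes(s)), w, nr)   # final round, no MixColumns


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    w = key_expansion(bytes.fromhex("66503c416722634625775d2726553c7a"))  # Section 2.6 key
    print("w[4] =", w[4].hex(), "w[5] =", w[5].hex())
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")            # FIPS-197 App. B
    pt = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
    print("ciphertext:", aes_encrypt_block(key, pt).hex())
    pt2 = bytes([pt[0] ^ 0x80]) + pt[1:]                                # Experiment 1 on AES
    print("bits changed by a 1-bit plaintext change:",
          hamming_distance(aes_encrypt_block(key, pt), aes_encrypt_block(key, pt2)))
```

This is a textbook implementation for studying the transformations: SBOX is indexed by secret-dependent values and gf_mul branches on key and data bits, so its running time leaks information through cache and timing side channels. Use it to check a key schedule by hand, not to protect data; production code should rely on a vetted library, preferably one that uses the processor's AES instructions.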


Fig. 5. The diagram for the CBC mode of operation. (a) Encryption, (b) Decryption

3 Modes of operation

DES has four modes of operation, standardized in 1980 (FIPS 81). These modes can be used, with minor modifications, with any block cipher. A brief description of the four modes of operation follows.

3.1 Electronic Codebook Mode (ECB)

Each plaintext block x_i is encrypted independently with the same key K, producing a sequence of ciphertext blocks y_i = e_K(x_i). Identical plaintext blocks yield identical ciphertext blocks. What is the vulnerability of the ECB mode of operation? Do you see any advantage in using the ECB mode of operation?

3.2 Cipher Block Chaining Mode (CBC)

In CBC mode, each plaintext block x_i is XORed with the previous ciphertext block y_{i−1} before being encrypted with the same key K. For the first block, an initialization vector (IV) of the same length as a block plays the role of y_0. The encryption rule under CBC mode becomes

y_i = e_K(y_{i−1} ⊕ x_i), y_0 = IV. (1)

In CBC mode, if any block of the plaintext is changed, every ciphertext block from that position onwards will be changed. Think of how we can use this property to provide . In Figure 5 we show the encryption/decryption schematics of CBC mode. CBC is the most common mode of operation. What are the advantages and disadvantages of the CBC mode of operation?

3.3 Output Feedback Mode (OFB)

In OFB mode, a keystream is generated and XORed with the plaintext to produce the ciphertext. This is a synchronous mode of operation: the keystream depends only on the key and the IV, not on the plaintext or the ciphertext. The keystream is generated by iterating the DES encryption function,

z_i = e_K(z_{i−1}), z_0 = IV. (2)

The ciphertext is then computed as

y_i = x_i ⊕ z_i. (3)

Decryption uses the same keystream, x_i = y_i ⊕ z_i, so only e_K is ever needed. The OFB mode can be used as a pseudo-random number generator. Given that much faster dedicated stream ciphers exist in the literature, the OFB mode is rarely used in practical applications.

3.4 Cipher Feedback Mode (CFB)

The CFB mode of operation is very similar to the OFB mode, the difference being the generation of the keystream. In CFB, the previous ciphertext block is encrypted to produce the keystream element z_i:

z_i = e_K(y_{i−1}), y_0 = IV. (4)

The ciphertext is then computed as

y_i = x_i ⊕ z_i. (5)

Because z_i depends on the previous ciphertext block, CFB is self-synchronizing: an error in ciphertext block y_i affects only the recovered plaintext blocks x_i and x_{i+1}. As with OFB, decryption needs only e_K. Given that much faster dedicated stream ciphers exist in the literature, the CFB mode is rarely used in practical applications.
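The four modes of Section 3 written generically over a 64-bit block cipher, as an added example that is not part of the handout. DES itself is not implemented here; in its place a 4-round Feistel stand-in built from SHA-256 (toy_encrypt/toy_decrypt, this example's own names) supplies an invertible 64-bit permutation with the DES block size and no security claim of its own. The mode functions take the block cipher as a parameter, so they would run unchanged over a real DES or AES block function. The sample key, IV and plaintext are constructed for the demonstration. The `__main__` part answers the questions raised in 3.1 and 3.2: ECB exposes repeated plaintext blocks; CBC hides them and propagates a plaintext change to all following ciphertext blocks, but on decryption a single flipped ciphertext bit garbles one plaintext block and flips exactly one predictable bit in the next, so CBC by itself gives no integrity protection; and OFB under a reused IV leaks the XOR of the two plaintexts.

```python
"""The four DES modes of operation of Section 3, written over an arbitrary
64-bit block cipher passed in as (encrypt, decrypt) functions. DES itself is
not implemented here; a 4-round Feistel stand-in built from SHA-256 supplies an
invertible 64-bit permutation so the file runs offline (standard library only)."""
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size


def _f(key: bytes, half: int, rnd: int) -> int:
    # Keyed round function for the stand-in (illustrative; this is not DES's f).
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    L, R = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in range(4):
        L, R = R, L ^ _f(key, R, rnd)
    return L.to_bytes(4, "big") + R.to_bytes(4, "big")


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for rnd in reversed(range(4)):        # undo the rounds in reverse order
        L, R = R ^ _f(key, L, rnd), L
    return L.to_bytes(4, "big") + R.to_bytes(4, "big")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(enc, key, pt):            # y_i = e_K(x_i)
    return b"".join(enc(key, x) for x in _blocks(pt))


def cbc_encrypt(enc, key, iv, pt):        # y_i = e_K(y_{i-1} XOR x_i), y_0 = IV   (1)
    out, prev = [], iv
    for x in _blocks(pt):
        prev = enc(key, _xor(prev, x))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, key, iv, ct):        # x_i = d_K(y_i) XOR y_{i-1}
    out, prev = [], iv
    for y in _blocks(ct):
        out.append(_xor(dec(key, y), prev))
        prev = y
    return b"".join(out)


def ofb_xcrypt(enc, key, iv, data):       # z_i = e_K(z_{i-1}), y_i = x_i XOR z_i   (2),(3)
    out, z = [], iv                       # identical for encryption and decryption
    for x in _blocks(data):
        z = enc(key, z)
        out.append(_xor(x, z))
    return b"".join(out)


def cfb_encrypt(enc, key, iv, pt):        # z_i = e_K(y_{i-1}), y_i = x_i XOR z_i   (4),(5)
    out, prev = [], iv
    for x in _blocks(pt):
        prev = _xor(x, enc(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(enc, key, iv, ct):        # decryption also uses e_K, never d_K
    out, prev = [], iv
    for y in _blocks(ct):
        out.append(_xor(y, enc(key, prev)))
        prev = y
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    b = bytearray(data)
    b[bit // 8] ^= 0x80 >> (bit % 8)      # bit 0 is the most significant bit of byte 0
    return bytes(b)


def changed_blocks(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(_blocks(a), _blocks(b))) if x != y]


if __name__ == "__main__":
    key, iv = bytes.fromhex("0123456789abcdef"), bytes(BLOCK)      # constructed sample values
    pt = b"SAME-BLKSAME-BLKDIFFERNT"                                # blocks 0 and 1 are identical
    ecb, cbc = ecb_encrypt(toy_encrypt, key, pt), cbc_encrypt(toy_encrypt, key, iv, pt)
    print("ECB repeats the block:", ecb[:8] == ecb[8:16], " CBC repeats it:", cbc[:8] == cbc[8:16])
    print("CBC: plaintext bit 0 changed -> ciphertext blocks changed:",
          changed_blocks(cbc, cbc_encrypt(toy_encrypt, key, iv, flip_bit(pt, 0))))
    tampered = cbc_decrypt(toy_decrypt, key, iv, flip_bit(cbc, 0))
    print("CBC: ciphertext bit 0 flipped -> plaintext blocks changed:", changed_blocks(pt, tampered),
          "; block 1 differs from the original by:", _xor(pt[8:16], tampered[8:16]).hex())
    m2 = b"x" * len(pt)
    leak = _xor(ofb_xcrypt(toy_encrypt, key, iv, pt), ofb_xcrypt(toy_encrypt, key, iv, m2))
    print("OFB with a reused IV leaks x1 XOR x2:", leak == _xor(pt, m2))
```

None of the four modes authenticates the ciphertext; the CBC bit-flip above shows why a separate MAC (or an authenticated mode) is required whenever an attacker can modify ciphertext in transit. The IV must also be unpredictable for CBC and unique per message for OFB and CFB, since the keystream in those two modes repeats as soon as key and IV repeat.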