sign in sign up
<<
Home , Key size

Data Standard (DES)

Lecturers: Mark D. Ryan and David Galindo. 2017. Slide: 16 (DES), adopted in 1976

DES has 56 bit keys. You can re-use a as often as you want. You can encrypt text that is as long as you want*.

* In any modern encryption system, there are theoretical limits on the number of times you use the key, and length of the . But the limits are huge. They are generally not a concern in practice.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 17 DES

Data Encryption Standard (DES) adopted in 1976

Key size (56 bits) is too small for today’s computers (can be broken within hours on very powerful computers)

Variants (e.g. 3DES) still provide good security, although nowadays AES considered more secure and is more efficient.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 18 Design parameters

Block length is 64 bits • Key length is is 56 bits • I Actually, the key length is often said to be 64 bits. But 8 of those bits are parity bits. So the effective key length is 56 bits.

DES consists of 16 “rounds”. Each round uses a roundkey, • also called a subkey, derived from the main key.

Subkey length is 48 bits for each subkey K1,..., K16. Subkeys are derived from the 56 bit key via the “”.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 19 Notation for DES operations

Have three special operations: Cyclic shifts on bitstring blocks: Will denote by b <<< n the • move of the bits of block b by n to the left. Bits that would have fallen out are added at the right side of the b. b >>> n is defined similarly Permutations on the position of bits: Written down as output • order of the input bits. Example: the permutation 4 1 2 3 means that the fourth input bit becomes the first output bit, • the first input bit becomes the second output bit, • the second input bit becomes the third output bit, and • the third input bit becomes the fourth output bit. Sometimes,• we use the word “permutation” for bit re-arrangements that include duplication or dropping of bits, even though that is not a proper permutation.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 20 Key schedule

Have different keys for each round, computed by so-called Key schedule 64-bit key is actually 56-bit key plus 8 parity bits First apply a permutation PC-1 which removes the parity bits. • This results in 56 bits. Split result into half to obtain (C0, D0) • For each round i = 1, ..., 16, we compute •

Ci = Ci 1 <<< pi − Di = Di 1 <<< pi − where  1 if i = 1, 2, 9, 16 p = i 2 otherwise

Now we join Ci and Di together, and apply a permutation • PC-2 which produces a 48-bit output, to obtain Ki .

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 21 Feistel : a way of doing block

Invented in 1971 at IBM Important class of ciphers (eg Blowfish, DES, 3DES) Same encryption scheme applied iteratively for several rounds Important step: Derive next message state from previous message state via special function called Feistel function Encryption is organised as a series of “rounds”. Each round works as follows: Split input in half • Apply Feistel function to the right half • Compute xor of result with old left half to be new left half • Swap old right and new left half, unless we are in the last • round

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 22 Overview of DES

R Block Li−1 i−1

Ki Initial Permutation IP F

L0 R0

Li Ri

L16 R16

Final Permutation IP−1

Ciphertext block

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 23 DES , continued

Formal definition: Split plaintext block in two equal pieces M = (L0, R0) • For each round i = 1, 2,..., 16 compute •

Li = Ri 1 − Ri = Li 1 F (Ki , Ri 1) − ⊕ −

The is C = (R16, L16) •

R Li−1 i−1

Ki F

Li Ri

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 24 Decryption

Works as encryption, but with a reversed order of keys

Split ciphertext block in two equal pieces C = (R16, L16) • For each round i = 16, 15,..., 1 compute •

Ri 1 = Li − Li 1 = Ri F (Ki , Li ) − ⊕

Plaintext is M = (L0, R0) •

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 25 DES Feistel function

Four stage procedure: Expansion permutation: Expand 32-bit message half block to • 48 bit block by doubling 16 bits and permuting them Round key addition: Compute xor of this 48 bit block with • round key Ki S-Box: Split 48 bit into eight 6-bit blocks. Each of them is • given as input to eight substitution boxes, which substitute 6-bit block by 4-bit block. P-Box: Combine these eight 4-bit blocks to 32-bit block and • apply another permutation.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 26 DES Feistel function, continued

Source: Wikipedia

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 27 S-boxes

S-boxes: An S-box substitution is a table lookup. Input is 6 • bit, output is 4 bit. Works as follows: Strip out outer bits of input and join them. This two-bit • number is the row index. Four inner bits indicate column number. • Output is corresponding entry in table •

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 28 Confusion and diffusion The design of DES aims to provide confusion and diffusion. I Confusion means that each bit of the ciphertext should depend on several parts of the key, obscuring the connections between the two. I Diffusion means that if we change a single bit of the plaintext, then (statistically) half of the bits in the ciphertext should change.

A related property is “non-linearity”. If a cipher has this property, it means that the ciphertext is not a “linear” combination of the key and the plaintext. (That would be weak. More precisely, it would be vulnerable to linear differential .)

Permutations and XOR are linear operations. So some non-linear operations need to be used as well. The S-box of DES is a non-linear operation.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 29 Choice of S-boxes

Because of their non-linearity, the S-boxes are the core of DES in terms of cryptographic strength.

Motivation for the choice of the particular S-boxes not known until 1990s. It includes the following constraints: I No single output bit should be too close to a linear combination of the input bits. I If two inputs to an S-box differ in exactly one bit, their outputs must differ in at least two bits. I If two inputs to an S-box differ in the two middle bits, their outputs must differ in at least two bits. I If two inputs to an S-box differ in their rst two bits and are identical in their last two bits, the two outputs must be different.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 30 DES is not secure by today’s standards In any practical encryption system, such as DES, an attacker could try to enumerate all the keys, and test them all. What prevents this in practice is that it would take too long. How long depends on the key size.

In the 1970s, the assumption was that you could test at most 1 million keys per second. In that case it would take you more than 2000 years to crack a DES key.

DES keys are too short for today’s standards. In 2012, a system with 48 Xilinx Virtex-6 LX240T FPGAs was announced, each FPGA containing 40 fully pipelined DES cores running at 400 MHz, able to test 8 x 1011 keys/sec. The system can exhaustively search the entire 56-bit DES key space in about 28 hours.

AES has 128 bit keys. That is vastly more. Even if you could build a system capable of testing 8 x 1011 keys/sec, it would take 25,000 years to test them all. Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 31 DES, “2DES” and 3DES

DES a good design, but as it only has 56 bit keys, it has only approximately 256 security. (There are some cryptanalytic attacks on DES, but not very serious ones, so let’s say its security is about 256.) How about using DES twice? Take a 112-bit key, split it into two keys K1 and K2 and encrypt M like this:

EncK1 (EncK2 (M))

Would that give us 2112 security?

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 32 “2DES” is not significantly more secure than DES

Suppose we have a pair (M, C) consisting of a valid plaintext-ciphertext pair. With approximately 257 work, we can find the 112-bit key K1K2 used in 2DES. Here is how to do it. 56 I Try all 2 possible keys K2, and store all the results 56 EncK2 (M). Sort them in order. This is 2 work for the encryption, and 256 log(256) for the sorting. 56 I Try all the 2 possible keys K1, computing DecK1 (C). For

each such value, check if it is one of the stored EncK2 (M). That is 256 work for the Dec, and log(256) work for the checking. The total work is not much more than 257.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 33 I Why Enc-Dec-Enc instead of Enc-Enc-Enc? Enc-Dec-Enc gives us an option of setting K1 = K2 = K3, which is then equivalent to DES. So if you have 3DES, you can make it do DES. This could be useful in some circumstances. I How much security does 3DES give us? It doesn’t give us 2168 of security, because the same meet-in-the-middle attack as we had for “2DES” is possible. It is said to give us 2118 of security.

3DES is good, but slow 3DES takes the same idea, but uses DES three times. That gives us a 168-bit key. Take the 168-bit key, split it into three keys K1, K2 and K3, and encrypt M like this:

EncK1 (DecK2 (EncK3 (M)))

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 34 3DES is good, but slow 3DES takes the same idea, but uses DES three times. That gives us a 168-bit key. Take the 168-bit key, split it into three keys K1, K2 and K3, and encrypt M like this:

EncK1 (DecK2 (EncK3 (M)))

I Why Enc-Dec-Enc instead of Enc-Enc-Enc? Enc-Dec-Enc gives us an option of setting K1 = K2 = K3, which is then equivalent to DES. So if you have 3DES, you can make it do DES. This could be useful in some circumstances. I How much security does 3DES give us? It doesn’t give us 2168 of security, because the same meet-in-the-middle attack as we had for “2DES” is possible. It is said to give us 2118 of security.

Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 35