BLOCK CIPHER & THE DATA ENCRYPTION STANDARD
Tran Song Dat Phuc Department of Computer Science Seoul National University of Science and Technology 2013-2014
Outline
Stream Cipher Block Cipher The Feistel Cipher Structure The Data Encryption Standard (DES) Security of DES Block Cipher Design Principles Summary Stream Cipher
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Stream Cipher
The stream cipher encrypts the plaintext to produce the ciphertext, in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time.
To meet the need of producing the keystream for independence and secure channel, the bit- stream generator is implemented for both users.
The two users share the generating key, and each can produce the keystream. Block Cipher
A block cipher is one in which a block of plaintext is treated as whole and produce a ciphertext block of equal length.
A block are typically 64 or 128 bits.
As with a stream cipher, the two uses share a symmetric encryption key.
A block of multiple bits are enciphered each time.
In some modes of operation (CFB, OFB, CTR), a block cipher can be used to achieve the same effect as a stream cipher.
Block Cipher
The block cipher encrypts a block of plaintext or message m into a block of ciphertext c due to a secret key k.
Block Cipher
The encryption process is denoted as:
c = ENCk(m)
The decryption has reversed the encryption process, which use the same user-supplied key.
m = DECk(c)
Block Cipher
A block cipher has two important parameters:
- Block size b: determines the space of all possible permutations that a block cipher might conceivable. - Key size k: determines the number of permutations that are actually generated.
With a key, a b-bit block cipher maps 2b b-bit inputs onto the same 2b outputs.
Block Cipher
In the block cipher, substitution and permutation are two main properties.
The mix of them is an important component of most block cipher designs.
Most block cipher contain vary kinds of combination of substitution and permutation. Block Cipher
Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements.
Permutation: A sequence of plaintext elements is replaced by a permutation. No elements are added or deleted or replaced, just the order of the elements is changed. The Feistel Cipher Structure
Substitution: often use to provide confusion with cipher.
- Designed around an arithmetic function, such as integer addition or integer multiplication. - Typically, substitution is achieved with a suitably designed, such as S-boxes. - S-boxes is designed carefully which have specific security properties, functions and can operate quickly in practice.
The Feistel Cipher Structure
Permutation: often use to provide a good diffusion in a cipher.
- Often performed at a bit level; individual bits can be moved into a new ordering.
- At the downside, bit level permutation can slow down the performance of cipher; cause manipulating individual bit is complex and not easy to operate. Block Cipher
The ideal block cipher Block Cipher
The ideal block cipher allows for the maximum number of possible encryption mappings from the plaintext block. But it is really good, really perfect ???
If the size of the block is small (ex. n = 4) vulnerable to statistical analysis of plaintext
The large block size is not practical, consider the key size for an n-bit ideal block cipher, the length of key is n x 2n bits Block Cipher
For a 64-bit block, to thwart statistical attack, it needs 64 x 264 = 270 ≈ 1021 bits impossible.
Is there a feasible way (related in block size and key size) to make a stronger cipher block ???
The Feistel Cipher Structure
Feistel develops a block cipher with key size k- bits and block length of b-bits, has 2k possible keys and each key specifies a permutation of 2b input.
The Feistel cipher refers to the conceptions of diffusion and confusion of Claude Shannon. The Feistel Cipher Structure Two terms of confusion and diffusion that aim to build a good block cipher, is introduced in 1949 by Claude Shannon. - Confusion: to make the relation between the cipher-text and the key becomes very complex and involved one. - Diffusion: the statistical structure of the plaintext is dissipated by long-range statistics of the cipher- text (to make the relation between the plaintext and cipher-text becomes complex and unable to exploit). The Feistel Cipher Structure
S-P Network of Shannon
- Consist of the repeated application of carefully chosen substitutions, permutations and key materials.
- Key schedule (KS): present a series of round keys to each round of encryption; these round keys are computed from user supplied encryption key.
The Feistel Cipher Structure
The Feistel Network based on some features and design parameters:
- Block size: Larger block sizes means greater security, but reduce the speed of encryption / decryption. (64bits) - Key size: Larger key size means greater security, but also decrease the encryption / decryption speed. (128bits) - Number of rounds: The multiple rounds offer increasing security. (16 rounds) - Subkey generation algorithm: Greater complexity lead to greater difficulty of cryptanalysis. - Round function F: greater complexity means greater resistance to cryptanalysis.
The Feistel Cipher Structure
Plaintext block of length 2w-bits
Key K, subkey Ki
Two halves Li and Ri
16 rounds is used. The Feistel Cipher Structure
Feistel Encryption Algorithm:
- The input plaintext block is divided into two halves L0 and R0 , that pass through n rounds of processing and then combined to produce the ciphertext block.
- Each round i has as input Li-1 and Ri-1 from previous round, with the subkey Ki from the overall K. - The substitution is performed on the left half of data. - A round function F is applied to the right half of data. - It is done by taking the X-OR operation between the output of function F and the left half of data. - The permutation is performed through the interchange of the two halves of data. All rounds have the same structure. The Feistel Cipher Structure
Feistel Decryption Algorithm: - The process of the Feistel’s decryption is the same as the encryption process, in reverse order of subkey Ki.
- The input ciphertext use Kn in the first round, Kn-1 in the second until K1 in the last round.
Data Encryption Standard (DES)
DES (Data Encryption Standard) is a block cipher which most widely used in world.
Adopted in 1977 by NBS (now is NIST)
Encrypts 64 bits block using 56 bits key.
DES is an example of a Feistel cipher.
DES
DES with round function components; the bit expansion E, the S-boxes S and the bit permutation P. - DES has 16rounds and user supplied key is 56bits (k = 56). - Initial Permutation(IP) has 64bit input block, happen only once before first round. - IP-1 use to maintain the property that encryption network can be reused for decryption.
Initial Permutation(IP) Suggests how the transposition in IP should proceed.
The IP replaces the 1st bit of the plaintext block with the 58th bit of the original plaintext block, the 2nd bit with the 50th bit and so on.
DES IP and its inverse IP-1
Round Function
Each iteration of round function takes 32-bit inputs and returns 32-bits output. - 32-bit input is expanded to 48-bit by the bit expansion E. - Processed 48-bit is combined with round key. - 48 bits that result, then, are split into 8 groups of 6 bits, input to 8 different S-boxes. Each S-box returns 4 bits which concatenated with others, will give a 32- bits result. - 32-bit received is applied by bit-level permutation P, after all, provide a 32-bit output from round function. Round Function Key Transformation
Round Key Process 28-bit left semikey
64-bit Remove parity 56-bit split Key bit Key 28-bit right semikey
shift 28-bit shifted left semi-key
Compression 48-bit Permutation semi-key 28-bit shifted shift right semi-key Key Transformation
The Initial Key consists of 64 bits.
Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key.
Bit positions (8, 16, 24, 32, 40, 48, 56, 64) are discarded.
These bits can be used for parity checking to ensure that the key does not contain any error. Key Transformation
Remove parity bit (64 bits -> 56 bits)
Key Transformation
For each round, 56 bit key is available
From this 56 bit key, a different 48-bit sub key is generated during each round using a process called as Key Transformation
In this method, a 56 bit key is divided into two halves, each of 28 bits
These halves are circularly shifted by 1 or 2 positions, depending on the round Key Transformation Permutation on 56 bits key
Number of key bit shift
Key Transformation
Round 1 – Key bit shift
Key Transformation
Compression Permutation : the Key Transformation process involves permutation as well as selection of a 48 bits sub-set of the original 56-bit key.
* 18 bits number is discarded.
Expansion Permutation
The RPT is expanded from 32 bits to 48 bits.
The RPT is divided into 8 blocks, with each block consists of 4 bits.
For per 4-bit block, 2 more bits are added.
Expansion Permutation Division of 32 bit RPT into Eight 4-bits block
RPT Expansion Process
Expansion Permutation
Expansion Permutation (48bits)
The S-Boxes After 48-bits expansion combine with 48-bits key (XOR operation), the 48-bits output is split into 8 S-Boxes.
8 S-Boxes are different, each S-Box takes a 6 bits input and returns a 4-bits output. Eight 4-bits will concatenate together, then give 32-bits result.
The S-box consists of 4rows labeled p0 to p3. Each row represents a permutation {0, …, 15}.
The S-Boxes DES S-Boxes in Hexadecimal Notation
The S-Boxes
The 6-bits input is split into two parts: - The outer 2 bits are use to choose a row of S-box. - The inner 4 bits are use to pick a column of S-box.
Ex: 6bits input to S-box 5 is 001101 . The 2 outer bits is 01 (row p1). . The 4 inner bits is 0110 (column 6). . The entry in S-box 5 row p1, column 6 is d in hexadecimal notation, convert to binary as an output.
S5[001101] = 1101 The P-Box Permutation
The 32-bits output of S-box is permuted by P-Box.
P-Box Table
Ex: Input S(B) = 0101 1100 1000 0010 1011 0101 1001 0111 Output P(B) = 0010 0011 0100 1010 1010 1001 1011 1011
XOR and Swap
DES DES The Avalanche Effect: - A change in one bit of either the plaintext or the key should produce a change in many bits of the ciphertext. DES DES Design Criteria
S-Box: this design provide confusion and diffusion of bits from each round to the next.
P-Box: this design provide diffusion of bits.
Number of Rounds: DES use 16 rounds of Feistel Cipher. The cipher-text is thoroughly a random function of plaintext and cipher-text. DES Weakness Weakness in S-Box: - Two specifically chosen inputs to an S-Box can create same output.
Weakness in P-Box: - Initial and final permutations have no security benefit. - The first and fourth bits of every 4-bits are repeated.
Weakness in Key: - Weak keys create same 16 round keys. - Semi-weak keys create only 2 different round keys. - Possible weak keys create 4 distinct round keys. - Key complement.
Weakness in Key There are 4 weak keys of DES. After parity-bit drop operation, a key consist either of all 0s, all 1s, or half 0s and half 1s. Weak key create same 16 round key.
Ex: Encrypt a plaintext block 2 times with a same key
Weakness in Key
Semi-weak key of DES create only 2 different round keys. Weakness in Key
Semi-weak key of DES Weakness in Key
DES uses 56-bits key means there are 256 possible key.
In the key domain (256), definitely half of the keys are complement of the other half.
The key complement can be made by inverting(changing 0 to 1 or 1 to 0) each bit in the key.
If we encrypt the complement of the text with the complement of the key, we can get the complement of the cipher-text. Do not test all 256 key, we just need to test half of them and complement the result. Cryptanalysis
A good block cipher is one for which the best attack is an exhaustive search.
The time required to exhaust all possible keys is the time to perform all 2k encryption operations
During exhaustive search, the keys are often changed to tighten the security. Security Of DES
The Use of 56-bit key: - Key length 56 bits, there are 256 possible keys → thwart brute-force attack (even if just half of key space to be searched) - But with the development of super-computer afterwards, DES show definitively insecure. . 1977, Diffie and Hellman created a machine which can break DES in about 10hours, cost $20 millions. . 1998, Electronic Frontier Foundation(EFF) with the “DES Cracker” machine broke DES less than 3days, just cost $250.000. - Some alternatives of DES (AES, triple DES) give stronger security.
Security Of DES
The Nature of DES Algorithm: - The design of S-Boxes (8 substitution tables) - Until now, no one has so far succeeded in discovering the weaknesses in the S-Boxes. Timing Attacks: - A timing attack is one in which information about the key or the plaintext is obtained by observing how long does it takes a implementation to perform decryptions on various ciphertexts. - Encryption and decryption algorithm takes slightly different amounts of time on different inputs. - DES appears to be fairly resistant to this attack.
Security Of DES
Differential Cryptanalysis:
- Differential cryptanalysis exploits the high probability of certain occurrences of plaintext differences and differences into the last round of the cipher.
- Design S-Boxes and 16 rounds aim to make DES specifically resistant to this type of attack.
- The scheme can successfully cryptanalyze DES with an effort on the order 247 chosen plaintexts.
Security Of DES
- Linear cryptanalysis tries to take advantage of high probability of linear expressions involving plaintext bits, ciphertext bits and subkey bits.
- DES is easier to be attacked by linear cryptanalysis than by differential cryptanalysis.
- S-boxes are not very resistant to linear cryptanalysis. DES can be broken by using 243 pairs known plaintexts.
- Cause finding so many pairs is very unlikely, this attack still leaves infeasible as an attack of DES.
Security Of DES
The size of the key space, 256, is “too small” to be really secure.
Brute-Force Attack: - Combining short cipher key in DES with the key complement weakness, it is clear that DES can be broken using average 255 encryptions.
Block Cipher Design Principles
DES Design Criteria: - S-Boxes design provides good confusion properties to thwart differential cryptanalysis. - P-Function design increases diffusion of the algorithm for DES.
Number of rounds: - The greater the number of rounds, the more difficult it is to perform cryptanalysis. - This criterion are intended to frustrate the brute-force attack. - The strength of any algorithm that satisfies the criterion can be judged solely on key length. Block Cipher Design Principles
Design of Function F: - The function F provides the element of confusion in a cipher block. - The more nonlinear F, the more difficult any type of cryptanalysis will be. - Function F also offers the good avalanche properties. S-Boxes Design: - Any change to the input vector to an S-Box to result in random-looking changes to the output. - Larger S-Boxes, by and large, are more resistant to differential and linear cryptanalysis. Block Cipher Design Principles
Key Schedule Algorithm:
- The key is used to generate one subkey for each round. - Select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. Summary
Block cipher is an Enc/ Dec scheme in which a block of cipher is treated as a whole and produce the ciphertext block of equal length.
The Data Encryption Standard (DES) has been the most widely used Enc algorithm until recently. DES uses 64-bits length and 56-bits key size.
Two methods of cryptanalysis - differential and linear cryptanalysis - are showed infeasible attacks on DES.