Confusion and Diffusion Feistel Feistel Networks Feistel Network

Home , Confusion and diffusion

Confusion and diﬀusion Feistel Claude Shannon (inventor of information theory) gave design criteria for symmetric ciphers (late 1940s): • Kerckhoﬀ’s principle: only the key should be secret, not the Feistel (1970s) used Shannons ideas in designing ciphers. Standard algorithm design since then! • use confusion: hide local patterns in the language (simplest: Make product cipher by alternating substitution and permutation: digrams)

• use diﬀusion: spread statistical structure of plaintext in c = Ek (m) = Sn ◦ Pn−1 ◦ · · · ◦ S2 ◦ P1 ◦ S1(m) long-range statistics of ciphertext

The Vigenère cipher hides small-scale structure: digrams are encoded by different keys, but fails at diffusion: nothing is • Substitution: replace one (symbol/bitstring) by another - but moved/spread. reversibly Simple transposition ciphers are good at diffusion: they move • Permutation: change the order of (symbol/bitstring)s around, but difficult to achieve confusion. (reversible) Modern ciphers get both confusion (small-scale) and diffusion (large-scale), e.g. by combining substitution and transposition in a

1 product cipher. 2

Feistel networks Feistel network

Plaintext (2·w bits)

k 1 xor F A Feistel network:

1 split input in two halves L0, R0

2 perform n rounds: k i • Li ⊕ F (Ri , ki ) xor F • swap halves 3 end with a swap

where ki is a subkey for round i, generated from the main key k. k n xor F

Ciphertext (2·w bits)

3 4 Feistel decryption Feistel decryption Same algorithm to decrypt, but keys in reverse order. Same algorithm to decrypt, but keys in reverse order. Works

Output (plaintext) regardless of F !

Input (plaintext) RD = LE LD = RE 16 0 16 0 LE16 = RE15 = RD0 = LD1 LE K RE 0 0 1 LD = RE RD = LE 16 0 16 0 F F RE16 = LE15 ⊕ F (RE15, k16)

RE K LE RD = LE LD = RE 1 2 1 15 1 K 15 1 1 RD1 = LD0 ⊕ F (RD0, k16) F F

LE RE LD = RE RD = LE 2 2 = RE ⊕ F (RE , k ) 14 2 K 14 2 16 15 16 2 = LE15 ⊕ F (RE15, k16) ⊕ F (RE15, k16)

LE K RE 14 15 14 LD = RE RD = LE = LE15 2 14 2 14 F F . RE K LE RD = LE LD = RE . 15 15 16 1 15 K 1 15 15 F F RD = LE LE RE 16 0 16 16 LD = RE RD = LE 0 16 K 0 16 16 LD16 = RE0 RE LE 16 16

Input (ciphertext)

Output (ciphertext) 5 6 Figure 3.6 Feistel Encryption and Decryption

Feistel net parameters Feistel features

• Block size (64-256 bits) • Key size (56-256 bits) • Fast implementation Larger ⇒ greater security (diﬀusion) but slower. Feistel nets can typically be implemented eﬃciently (fast • Number of rounds (10-16) en/decryption) in both hardware and software. This makes it One is too little, more increase security, to a limit. (Depends easier to use. on F .) • Ease of analysis • Subkey generation algorithm Concise and clear description ⇒ easier to analyse ⇒ safer to trust. • Round function F Both should be complex to resist cryptanalysis.

7 8 Data Encryption Standard (1977) DES: Overview 64-bit plaintext 56-bit key

• • • • • • • • • • • • • • • • • • Initial Permutation Permuted Choice 1 No longer standard, but instructive example of a Feistel net. K1 Round 1 Permuted Choice 2 Left circular shift • encrypts 64-bit blocks with 56-bit key

K2 • hardware and software implementations Round 2 Permuted Choice 2 Left circular shift • one of the most analysed algorithms • unknown criteria for design (but more is known now) • US export control on implementations for long time (lifted now) K16 • based on Lucifer algorithm (Feistel/IBM, 1973) with 128-bit Round 16 Permuted Choice 2 Left circular shift keys and blocks, but scaled down by NSA 32-bit Swap

Inverse Initial Permutation • • • • • • • • •

64-bit ciphertext

9 10 Figure 3.7 General Depiction of DES Encryption Algorithm

DES: subkey generation DES: one round

32 bits 32 bits 28 bits 28 bits

Li-1 Ri-1 Ci-1 Di-1

Expansion/permutation Left shift(s) Left shift(s) • Each round uses subkey ki based on k, which is 64 bits (E table) • Permuted Choice 1 (PC1) discards parity bits (so 56 remain) 48 Permutation/contraction XOR K and permutes F 48 i (Permuted Choice 2) • Split in two 28-bit halves C0, D0 48 • Each round: Substition/choice (S-box) • Ci = LSi (Ci−1), Di = LSi (Di−1) where LSi is a left circular 32 shift of h1, 1, 2, 2,..., 2, 1, 2,..., 2, 2, 1i bits Permutation • ki = PC2(Ci · Di ) where PC2 is Permuted Choice 2 (permutes (P)

and discards) 56 ⇒ 48 bits 32

XOR

Li Ri Ci Di

11 12 Figure 3.8 Single Round of DES Algorithm DES: the F-box Breaking DES by brute force

R (32 bits)

E 1977: estimated breakable in 1 day by $20M machine 1981: estimated breakable in 2 days by $50M machine 48 bits K (48 bits) + 1997: broken in 96 days by 70 000 machines, testing 7 billion keys/s (DESCHALL project) 1998: less than 56 hours by special hardware, $250K incl design and development (“Deep Crack”) S1 S2 S3 S4 S5 S6 S7 S8 1999: 22 h 15 min, “Deep Crack” + 100 000 machines, testing 245 billion keys/s 2007: 6.4 days, $10K hardware, 120 FPGAs P (COPACOBANA project)

32 bits

13 14 Figure 3.9 Calculation of F(R, K)

Properties of DES Avalanche eﬀect Small changes in m or k give big changes in c, and changes increase for each round

• Decryption: like Feistel (keys in reverse order) Example: one bit change in plaintext or key • Symmetry: • c = DES(m, k) iff c = DES(m, k) where x is the bitwise Change in plaintext Change in key negation of x Round Bits that differ Round Bits that differ • cuts search space in half 0 1 0 0 • Weak keys: 1 6 1 2 • key cause involution: Ek (Ek (m)) = m 2 21 2 14 • four for DES: h0, 0i, h−1, 0i, h0, −1i, h−1, −1i 3 35 3 28 • Semi-weak keys: 4 39 4 32 • such that E (E (m)) = m . . . . k1 k2 . . . . • 6 such pairs for DES (few enough to check for) 14 46 14 26 15 29 15 34 16 34 16 35

15 16 Feistel net design criteria Other modern ciphers

• S-box design • very careful for DES (see below) • in general: randomly, randomly with testing, careful E.g. IDEA, Blowfish, CAST, . . . hand-crafting, mathematically • variable key length • Number of rounds • DES: brute force requires2 55 tests • mixed operations (not only xor, not distributive/associative) • for DES with 16 rounds, differential cryptanalysis requires2 55.1 • data dependent rotations instead of S-boxes operations due to S-box design • key dependent rotations and S-boxes • with 15 rounds, differential cr.an. would beat brute force • Differential cryptanalysis invented ca 1990 – but turns out • variable F , block length, number of rounds IBM and NSA had it secretly since 1974 • operations on both halves • Round function F : but (many) are just improvements of Feistel nets! • strict avalance criterion: any output bit changes with p = 1/2 if a single input bit changes • bit independence criterion: any two output bits should change independently when a single input bit changes

17 18