Data Encryption Standard (DES)

Códigos y Criptografía, Francisco Rodríguez Henríquez

Overview

• Classical – Simple of Simple Cryptosystems
• Shannon’s Theory of Secrecy
• Modern Encryption Systems
  . DES, AES.
  . RSA.
• Signature Scheme(s)

A cryptosystem is a five-tuple (P, C, K, E, D), where the following are satisfied:
1. P is a finite set of possible plaintexts.
2. C is a finite set of possible ciphertexts.
3. K, the key space, is a finite set of possible keys.
4. ∀K∈K, ∃E_K∈E (encryption rule), ∃D_K∈D (decryption rule). Each E_K: P→C and D_K: C→P are functions such that ∀x∈P, D_K(E_K(x)) = x.

Notation

• Alphabet {0, 1} (bits)
• and ∈ {0, 1}*
• New operation: XOR (EXOR, ⊕): 0 ⊕ 0 = 0, 1 ⊕ 1 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, i.e. bitwise addition modulo 2.

Data Encryption Standard (DES)

• Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA)
• First call for candidates in May 73, followed by a new call in August 74
• Not very many submissions (Why?)
  – IBM submitted
• NSA worked with IBM in redesigning the algorithm

Data Encryption Standard (DES)

• 1973, NBS solicits proposals for cryptosystems for “unclassified” documents.
• 1974, NBS repeats request. IBM responds with modification of LUCIFER. NBS asks NSA to evaluate. IBM holds patent for DES.
• 1975, details of the algorithm published, public discussion begins.
• 1976, adopted as a standard for all unclassified government communications.

Data Encryption Standard (DES)

• 1983, no problem.
• 1987, passed, but
  – NSA says that DES soon will be vulnerable to brute-force attack. This is the last time.
  – Business lobbies to keep it, since they had so much invested.
• 1993, still passed (no alternatives).
• 1997, call for proposals: AES.

Data Encryption Standard (DES)

• Originally designed to be efficient in hardware (4 bit was the norm in 1974).
• A LOT of money has been invested in hardware.
• First publicly available algorithm certified by NSA as secure. Certificate to be renewed every 5 years.

DES

• DES became a federal standard in November 76
  – NBS (NIST) hardware standard in January 77
  – ANSI X3.92-1981 (hardware + software)
  – ANSI X3.106-1983 (modes of operation)
  – Australia AS2805.5-1985
• Used in most EFT and EFTPOS from banking industry
  – It was reconfirmed as a standard for 5 years twice
  – Currently 3DES is recommended

DES

• DES has proven a well designed code
• 56 bits has been proven inadequate
  – EFF built a cracker for around $200,000
  – Increase the key to 112 bits?
• The best way known to cryptanalyze DES is (after brute force) the differential analysis
  – NSA knew this from the design??

DES

• Uses Feistel principle
• Many similarities with Lucifer
• Improves on the S-Boxes

DES

• It operates on 64-bit blocks with 56-bit keys
• Uses 16 rounds, each round computed by a function f

Data Encryption Standard (DES)

• A round can be described as:
  – L_i = R_{i-1}
  – R_i = L_{i-1} ⊕ P(S(E(R_{i-1}) ⊕ K_i))
• The key generation is performed as follows:
  – An initial permutation PC1 selects 56 bits and divides them into two halves
  – In each round
    • Select 24 bits from each half using a permutation function PC2
    • Rotate left each half by one or two positions

Data Encryption Standard (DES)

• The algorithm
  . Uses blocks of size 64 bits.
  . Key of length 56 (well, 64, but 8 bits are just check bits).
  . Initial permutation IP.
  . 16 rounds.
  . Final permutation IP^{-1} (IP and IP^{-1} have minor cryptographic value).

Data Encryption Standard (DES)

K_1, K_2, …, K_16
. Discard the parity-check bits of K.
. Compute PC-1(K) = C_0 D_0, where PC-1 is a fixed permutation and C_0, D_0 are the left and right halves, 28 bits each.
. For i = 1, 2, …, 16:
    C_i := LS_i(C_{i-1}),
    D_i := LS_i(D_{i-1}),
    K_i := PC-2(C_i D_i),
  where LS_i is a left cyclic shift of one position (i = 1, 2, 9, 16) or two positions (otherwise), and PC-2 is a fixed permutation selecting 48 bits.

Data Encryption Standard (DES)

• PC-1(K) = C_0 D_0

  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4

Data Encryption Standard (DES)

• K_i := PC-2(C_i D_i). 48 bits are chosen from the 56-bit string C_i D_i according to the table shown here:

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

Data Encryption Standard (DES)

• x_0 = IP(m) = L_0 R_0.
• 16 rounds, i = 1, 2, …, 16:
    L_i := R_{i-1},
    R_i := L_{i-1} ⊕ f(R_{i-1}, K_i),
  where f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i)), with operations E (expansion), S (S-box lookup), and P (some permutation).
• c = IP^{-1}(L_16 R_16).

Data Encryption Standard (DES)

• x_0 = IP(m) = L_0 R_0. Initial Permutation:

  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7

Data Encryption Standard (DES)

• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  Expansion: R is expanded to E(R), from originally 32 bits to 48 bits.

  32  1  2  3  4  5
   4  5  6  7  8  9
   8  9 10 11 12 13
  12 13 14 15 16 17
  16 17 18 19 20 21
  20 21 22 23 24 25
  24 25 26 27 28 29
  28 29 30 31 32  1

Data Encryption Standard (DES)

• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  S-box lookup
  . There are 8 S-boxes: S_1, …, S_8. For example S_5:

   2 12  4  1  7 10 11  6  8  5  3 15 13  0 14  9
  14 11  2 12  4  7 13  1  5  0 15 10  3  9  8  6
   4  2  1 11 10 13  7  8 15  9 12  5  6  3  0 14
  11  8 12  7  1 14  2 13  6 15  0  9 10  4  5  3

  . 4×16 array of 4-bit binary numbers.

Data Encryption Standard (DES)

• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  . E(R_{i-1}) ⊕ K_i = B_1 B_2 … B_7 B_8.
  . For j = 1, 2, …, 8, let B_j = b_1 b_2 b_3 b_4 b_5 b_6.
  . In S-box S_j: b_1 b_6 is the binary coordinate of a row r, and b_2 b_3 b_4 b_5 is the binary coordinate of a column c.
  . Replace B_j with S_j(r, c).

Data Encryption Standard (DES)

• Properties of S-boxes in DES (per NSA)
  – Each S-box has 6 input bits and 4 output bits. This was the largest that could be put on one chip back in 1974.
  – All rows of all the S-boxes are permutations of 0, 1, …, 15
  – S-Boxes are not affine transformations of their input
  – Change in an input bit changes at least two output bits of the S-box
  – For any x and any S-box S, S(x) and S(x ⊕ 001100) differ by at least two bits

Data Encryption Standard (DES)

• f(R_{i-1}, K_i) = P(S(E(R_{i-1}) ⊕ K_i))
  P fixed permutation:

  16  7 20 21
  29 12 28 17
   1 15 23 26
   5 18 31 10
   2  8 24 14
  32 27  3  9
  19 13 30  6
  22 11  4 25

  . Result: bitstring of length 32!!

Data Encryption Standard (DES)

• c = IP^{-1}(L_16 R_16)

  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

Data Encryption Standard (DES)

• How do we decrypt? Decryption is performed by exactly the same procedure, except that the keys K_1, …, K_16 are used in reverse order. The reason why this works is the following:
• The first decryption step takes R_16 L_16 and gives the output
    [L_16] [R_16 ⊕ f(L_16, K_16)].
  But we know from the encryption procedure that
    L_16 = R_15; R_16 = L_15 ⊕ f(R_15, K_16).
  Therefore,
    [L_16] [R_16 ⊕ f(L_16, K_16)] = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(L_16, K_16)]
                                   = [R_15] [L_15 ⊕ f(R_15, K_16) ⊕ f(R_15, K_16)]
                                   = [R_15] [L_15]

Data Encryption Standard (DES)

• Similarly, the second step of decryption sends R_15 L_15 to R_14 L_14. Continuing, we see that the decryption process leads us back to R_0 L_0 as desired.
• Note that the decryption process is essentially the same as the encryption process. Therefore both the sender and the receiver use a common key and they can use identical machines.

Data Encryption Standard (DES)

• DES is efficient: in 1992, DEC fabricated a 50K transistor chip that could encrypt at the rate of 1 Gbit/sec using a clock rate of 250 MHz. Cost $300.
• A small change in either the plaintext or the key produces a significant change in the ciphertext.

Data Encryption Standard (DES)

• Strength of DES: the S-boxes
  . DES permutations don’t form a group; they generate a group of size at least 10^2499.
  . Double encryption using 2 different keys is not stronger (surprise) than a single encryption (meet-in-the-middle attack)
  . Triple-DES (3-DES) is stronger and very popular recently.

Data Encryption Standard (DES)

• The DES controversy
  . Why is the key length 56? LUCIFER had 128. The key space 2^56 is too small.
  . Why 16 rounds?
  . Why were the criteria for the S-boxes classified? Did NSA put “trapdoors” into the S-boxes? No evidence of “trapdoors” so far.

Data Encryption Standard (DES)

• Attacks on DES
  . 1977, Diffie & Hellman suggested a VLSI chip that could test 10^6 keys/sec. A machine with 10^6 chips could test the entire key space in 10 hours. Cost: $20,000,000.
  . 1990, differential cryptanalysis, Eli Biham, Adi Shamir (Israel).
  . 1993, linear cryptanalysis, Mitsuru Matsui (Japan).

ATTACKS ON DES: Meet-in-the-middle attack

• Birthday attacks: If there are 23 people in a room, what is the probability that at least two of them have the same birthday?
• Answer: Compute the probability that they all have different birthdays.

ATTACKS ON DES: Meet-in-the-middle attack

• The first person uses up one day, so the second person has probability (1 - 1/365) of having a different birthday. There are two days removed for the third person, so the probability is (1 - 2/365) that the third birthday differs from the first two. Therefore the probability of all 3 people having different birthdays is (1 - 1/365)(1 - 2/365).

ATTACKS ON DES: Meet-in-the-middle attack

• Continuing in this way, we see that the probability that all 23 people have different birthdays is (1 - 1/365)(1 - 2/365)…(1 - 22/365) = 0.493. Therefore the probability of at least two having the same birthday is 1 - 0.493 = 0.507.
• If there are 30 people, the probability is around 70%.
• More generally, suppose we have n objects, where n is large. There are r people and each chooses an object (with replacement). If r ≈ 1.777 √n then the probability is 50% that at least two people choose the same object.

A Birthday Attack on Discrete Logarithms

Suppose we want to solve α^x ≡ β mod p. We can do this with high probability by a birthday attack.
1. Make two lists, both of length around p^{1/2}:
2. The first list contains numbers α^k mod p for approximately p^{1/2} randomly chosen values of k.
3. The second list contains numbers β α^{-l} mod p for approximately p^{1/2} randomly chosen values of l.

A Birthday Attack on Discrete Logarithms

There is a good chance that there is a match between some element on the first list and some element on the second list. If so, we have α^k ≡ β α^{-l} mod p, hence α^{k+l} ≡ β mod p. Therefore, x ≡ k + l mod (p-1) is the desired discrete logarithm (why?)

ATTACKS ON DES: Meet-in-the-middle attack

Assume Eve has intercepted a message m and a doubly encrypted ciphertext c = E_{k2}(E_{k1}(m)). She wants to find k1 and k2. She first computes and stores E_k(m) for all possible keys k. She then computes D_k(c) for all possible keys k. Finally she compares both lists. She knows as a fact (but why?) that there will be at least one match, since the correct pair of keys should be one of them.
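An added example (not part of the original slides) of why double encryption buys almost no extra key length: the table-and-match procedure above costs about 2·2^n cipher operations instead of 2^(2n). The 16-bit cipher E/D with a 12-bit key is a toy stand-in for DES chosen here as an assumption, and the keys and messages are constructed sample values.

```python
KEY_BITS = 12                       # toy key size (assumption); DES uses 56
MASK = 0xFFFF                       # toy block size: 16 bits
MUL = 0x6A5B                        # odd, hence invertible modulo 2**16
MUL_INV = pow(MUL, -1, 1 << 16)     # modular inverse (Python 3.8+)


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def E(k, m):
    """Toy block cipher: encrypt a 16-bit block under a 12-bit key."""
    x = m
    for _ in range(3):
        x = rotl16(((x ^ k) * MUL + (k << 4)) & MASK, 5)
    return x


def D(k, c):
    """Inverse of E: undo the three rounds in reverse."""
    x = c
    for _ in range(3):
        x = rotl16(x, 11)                            # rotate right by 5
        x = (((x - (k << 4)) * MUL_INV) & MASK) ^ k
    return x


def sample_pairs(k1, k2, messages=(0x1234, 0xBEEF, 0x0F0F)):
    """Constructed known plaintext/ciphertext pairs c = E_k2(E_k1(m))."""
    return [(m, E(k2, E(k1, m))) for m in messages]


def meet_in_the_middle(pairs):
    """Return (confirmed key pairs, number of matches on the first pair)."""
    (m0, c0), rest = pairs[0], pairs[1:]
    forward = {}                                     # E_k1(m0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(E(k1, m0), []).append(k1)
    raw, confirmed = 0, []
    for k2 in range(1 << KEY_BITS):                  # second list: D_k2(c0)
        for k1 in forward.get(D(k2, c0), ()):
            raw += 1                                 # match in the middle
            # One pair leaves many accidental matches; further known
            # pairs filter them out.
            if all(E(k2, E(k1, m)) == c for m, c in rest):
                confirmed.append((k1, k2))
    return confirmed, raw


if __name__ == "__main__":
    keys, raw = meet_in_the_middle(sample_pairs(0x3A7, 0xC51))
    print(f"{raw} matches on the first pair, confirmed: "
          f"{[(hex(a), hex(b)) for a, b in keys]}")
    print(f"cipher operations for the two lists: {2 << KEY_BITS}, "
          f"exhaustive search over key pairs: {1 << (2 * KEY_BITS)}")
```

The match on the first pair is guaranteed because the true k1 and k2 both produce the same middle value E_{k1}(m) = D_{k2}(c); the same counting is why Triple DES, not Double DES, is the variant in use.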

DES

• The standard is public, the design criteria are classified
• One of the biggest controversies is the key size (56 bits)
  – W. Diffie, M. Hellman, "Exhaustive Cryptanalysis of the NBS Data Encryption Standard", IEEE Computer 10(6), June 1977, pp. 74-84
  – M. Hellman, "DES will be totally insecure within ten years", IEEE Spectrum 16(7), Jul 1979, pp. 31-41
• Another controversy: is there a trapdoor?

Data Encryption Standard (DES)

• Attacks on DES
  . The Electronic Frontier Foundation (EFF).
  . July 17, 1998, the EFF DES Cracker broke the DES-encrypted message in 56 hours. 1,536 chips, testing 88×10^9 keys/sec. Cost < $250,000.
  . January 19, 1999, Distributed.Net, a worldwide coalition of computer enthusiasts, worked with EFF's DES Cracker and a worldwide network of nearly 100,000 PCs on the Internet, broke the DES-encrypted message in 22 hours and 15 minutes.

DES Modes of Operation

• Block modes:
  – Electronic Codebook (ECB)
    • Message is broken into independent blocks of 64 bits
    • This is the most natural mode of operation for DES
  – Cipher Block Chaining (CBC)
    • Message is broken into blocks of 64 bits, but the next input depends on the previous output
    • C_i = E_k(P_i ⊕ C_{i-1}), with C_{-1} = IV
    • P_i = D_k(C_i) ⊕ C_{i-1} (why??)

DES Modes of Operation

• Stream modes
  – Cipher FeedBack (CFB)
    • The message is XORed with the feedback of encrypting the previous block: P = |P_1 P_2 … P_8|
    • C_i = P_i ⊕ L_8(E_k(C_{i-1})), with C_{-1} = IV (these are 8-bit blocks!!)
  – Output FeedBack (OFB)
    • The feedback is independent of the message
    • C_i = P_i ⊕ E_k(O_{i-1}), with O_{-1} = IV

Limitation of the modes

• ECB
  – repetitions in message can be reflected in ciphertext
    • if aligned with message block
    • particularly with data such as graphics
    • or with messages that change very little, which become a code-book analysis problem
  – weakness is because enciphered message blocks are independent of each other

DES Modes of Operation

• CBC
  – use result of one encryption to modify input of next
    • hence each ciphertext block is dependent on all message blocks before it
    • thus a change in the message affects the ciphertext block after the change as well as the original block
  – to start, need an Initial Value (IV) which must be known by both sender and receiver
    • however, if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
    • hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
  – Out of Sync Problems!!
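An added example (not from the original slides) tying together the decryption argument and the ECB/CBC limitations above: a toy 16-round Feistel cipher on 64-bit blocks that decrypts by running the same routine with the subkeys reversed, then ECB and CBC over a constructed message. The SHA-256-based round function and subkey derivation are assumptions standing in for the DES f and key schedule.

```python
import hashlib

BLOCK = 8  # bytes per block, the DES block size


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f(right, subkey):
    """Round function; a Feistel network never needs to invert it."""
    return hashlib.sha256(subkey + right).digest()[:4]


def subkeys(key, rounds=16):
    """Toy key schedule (assumption): 16 subkeys of 48 bits each."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def feistel(block, round_keys):
    left, right = block[:4], block[4:]
    for k in round_keys:
        left, right = right, xor(left, f(right, k))   # L_i, R_i of the slides
    return right + left          # output R_16 L_16, so the routine is reusable


def encrypt_block(key, block):
    return feistel(block, subkeys(key))


def decrypt_block(key, block):
    return feistel(block, subkeys(key)[::-1])         # same procedure, keys reversed


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, pt[i:i + BLOCK])
                    for i in range(0, len(pt), BLOCK))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, xor(pt[i:i + BLOCK], prev))   # C_i = E_k(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(key, c), prev))            # P_i = D_k(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def demo():
    key, iv = b"toy-key!", bytes(range(8))            # constructed values
    pt = b"PAY 0100" + b"ACCT 123" + b"ACCT 123"      # constructed, block-aligned
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    # IV sent in the clear and modified in transit: the same bits change
    # in the first decrypted block, and nothing else changes.
    delta = xor(b"PAY 0100", b"PAY 9900")
    tampered = cbc_decrypt(key, xor(iv, delta), cbc)
    return {
        "ecb_repeats": ecb[8:16] == ecb[16:24],       # equal blocks leak in ECB
        "cbc_repeats": cbc[8:16] == cbc[16:24],
        "roundtrip": cbc_decrypt(key, iv, cbc) == pt,
        "tampered": tampered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The tampered result shows why an IV sent in the clear needs integrity protection even though it does not need to be secret.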

Limitation of the modes

• CFB
  – when data is bit or byte oriented, want to operate on it at that level, so use a stream mode
  – the block cipher is used in encryption mode at both ends, with input being a feed-back copy of the ciphertext
  – can vary the number of bits fed back, trading off efficiency for ease of use
  – again errors propagate for several blocks after the error is detected.

Limitation of the modes

• OFB
  – also a stream mode, but intended for use where the error feedback is a problem, or where the encryptions want to be done before the message is available
  – is superficially similar to CFB, but the feedback is from the output of the block cipher and is independent of the message, a variation of a Vernam cipher
  – again an IV is needed
  – sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
  – although originally specified with varying m-bit feedback in the standards, subsequent research has shown that only 64-bit OFB should ever be used (and this is the most efficient use anyway).

DES Weak Keys

• with many block ciphers there are some keys that should be avoided, because of reduced cipher complexity
• these keys are such that the same sub-key is generated in more than one round
• Weak Keys:
  – The same sub-key is generated for every round
  – DES has 4 weak keys

DES Weak Keys

• Semi-Weak Keys
  – only two sub-keys are generated on alternate rounds
  – DES has 12 of these (in 6 pairs)
• Demi-Semi Weak Keys
  – have four sub-keys generated
• None of these cause a problem since they are a tiny fraction of all available keys
• However they MUST be avoided by any key generation program

DES variations

• Double DES:
  – Use 2 keys: K1 and K2.
  – Encryption is E_{K1}(E_{K2}(P))
  – Is double DES reducible to DES? (Crypto 92)
• Triple DES
  – Use 2 or 3 keys
  – Encryption:
    • E_{K1}(E_{K2}(E_{K3}(P)))
    • E_{K1}(D_{K2}(E_{K1}(P)))

Cryptanalysis of DES

• If you can choose the plaintext:
  – Brute force: try all 2^56 possible keys
    • No memory necessary
    • The encryption with all keys may be too slow
  – Build a dictionary
    • Each plaintext may result in 2^64 different ciphertexts.
    • Encrypt the known plaintext with all possible keys
    • You have a look-up table
    • Very effective if you can inject plaintext and want to find many different keys

Cryptanalysis of DES

• There are some algorithms that trade memory/space requirements
• Linear Cryptanalysis
  – Linear approximation to describe DES
  – DES can be broken:
    • It requires around 2^43 plaintext-ciphertext pairs to find the key.
    • M. Matsui, Eurocrypt 93
  – Assuming you have an n-bit plaintext and ciphertext, and an m-bit key

Cryptanalysis of DES

• Linear cryptanalysis
  – Find bit locations α’s on plaintext, β’s on ciphertext and γ’s on key such that

    (x_{α_1} ⊕ x_{α_2} ⊕ … ⊕ x_{α_a}) ⊕ (y_{β_1} ⊕ y_{β_2} ⊕ … ⊕ y_{β_b}) = (K_{γ_1} ⊕ K_{γ_2} ⊕ … ⊕ K_{γ_c})

    has a probability higher than .5
  – Use many different plaintexts and analyze the left hand side. Infer the right hand side.

Cryptanalysis of DES

• Differential cryptanalysis:
  – First suggested by Murphy for the cryptanalysis of FEAL-4
  – Biham and Shamir officially introduced them around 1990
  – Assume that we label each left and right part of any block in the 16 rounds of DES as x_i, starting from x_0 and x_1.
  – Assume that we have two known plaintexts x and x’, and we know Δx = x ⊕ x’
  – DES in each round produces x_{i+1} = x_{i-1} ⊕ F(x_i, K_i)

Cryptanalysis of DES

• Biham and Shamir observed that with a fixed key, the differential behavior of DES does not exhibit pseudo-randomness
• If we fix the XOR of two plaintexts P and P* at P’ then T’ (which is equal to T ⊕ T*) is not uniformly distributed.
• In contrast, the XOR of two uniformly distributed random numbers would itself be uniformly distributed

Cryptanalysis of DES

• Differential cryptanalysis is efficient when the cryptanalyst can choose plaintexts and obtain ciphertexts (chosen plaintext cryptanalysis)
• The known plaintext differential cryptanalysis is also possible; however, often the size of the known text pairs is very large
• The method searches for plaintext, ciphertext pairs whose difference is constant, and investigates the differential behavior of the cryptosystem
• The difference of two elements P1 and P2 is defined as P1 ⊕ P2 (bit-wise XOR operation) for DES.
• The difference may be defined differently if the method is applied to some other cryptosystem.

Cryptanalysis of DES

• Differential cryptanalysis is applicable to the iterated ciphers with a weak round function (so-called Feistel ciphers). The summary of the technique:
• Observe the difference between the two ciphertexts as a function of the difference between the corresponding plaintexts
• Find the highest probability differential input (called characteristic) which can be traced through several rounds
• Assign probabilities to the keys and locate the most probable key.

Cryptanalysis of DES: S-box Non-Differential Uniformity

• If the input to an S-box is a uniformly distributed random number, its output will be a uniformly distributed random number

  S1:
  E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
  0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
  4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
  F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

• Assuming the 56-bit key is chosen according to a uniform probability distribution, the input to any S-box in any round will be uniformly distributed over all 64 possible values. The output of any S-box in any round is therefore also uniformly distributed over its 16 possible values (0 to F), since each occurs 4 times in the S-box, once in each row.

Cryptanalysis of DES: S-box Non-Differential Uniformity

• Consider the differential behavior of an S-box, in which there are 64^2 = 4096 possible input pairs (x, x*)
• As the 6-bit quantities x, x*, and x’ = x ⊕ x* each vary over their 64 possible values, the 4-bit quantities y = S(x), y* = S(x*), and y’ = y ⊕ y* = S(x) ⊕ S(x*) each vary over their 16 possible values
• The distribution on the differential output y’ can be computed for each of the eight S-boxes by counting the number of times each value y’ occurs as (x, x*) varies over its 4,096 possible values

Cryptanalysis of DES: S-box Non-Differential Uniformity

• The 6-bit differential input x’ takes 64 values: 00 (hex) to 3F (hex)
• The 4-bit differential output y’ takes 16 values: 0 (hex) to F (hex)

Each row sums to 64 because each differential input x’ occurs for 64 of the 4,096 (x, x*) pairs. The first row has zeros in all but the first column, because when x’ = x ⊕ x* = 0, the same input occurs twice. Therefore, the same output must also occur both times and y’ = y ⊕ y* = 0.

Cryptanalysis of DES: S-box Non-Differential Uniformity

The later rows are more interesting. For example, when x’ = 01:
• five of the sixteen possible y’ values (0, 1, 2, 4, 8) occur with zero probability (i.e., never occur)
• A occurs with probability 16/64
• 9 and C occur with probability 10/64

This is a highly non-uniform distribution. This differential non-uniformity is observed in all of the S-boxes S1, S2, …, S8.
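An added example (not from the original slides) that builds the differential distribution table described above by the counting procedure itself, using S1 exactly as listed and the row/column rule b1 b6 / b2 b3 b4 b5 from the S-box lookup slide. Any row, including x’ = 01, can then be read off directly; the function names are chosen here for illustration.

```python
S1 = [
    [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7],
    [0x0, 0xF, 0x7, 0x4, 0xE, 0x2, 0xD, 0x1, 0xA, 0x6, 0xC, 0xB, 0x9, 0x5, 0x3, 0x8],
    [0x4, 0x1, 0xE, 0x8, 0xD, 0x6, 0x2, 0xB, 0xF, 0xC, 0x9, 0x7, 0x3, 0xA, 0x5, 0x0],
    [0xF, 0xC, 0x8, 0x2, 0x4, 0x9, 0x1, 0x7, 0x5, 0xB, 0x3, 0xE, 0xA, 0x0, 0x6, 0xD],
]


def sbox(x):
    """S1 lookup for a 6-bit input b1..b6 (b1 is the most significant bit)."""
    row = ((x >> 4) & 2) | (x & 1)      # b1 b6
    col = (x >> 1) & 0xF                # b2 b3 b4 b5
    return S1[row][col]


def ddt():
    """table[x'][y'] = number of ordered pairs (x, x*) with
    x ^ x* = x' and S(x) ^ S(x*) = y'."""
    table = [[0] * 16 for _ in range(64)]
    for x in range(64):
        for x_star in range(64):
            table[x ^ x_star][sbox(x) ^ sbox(x_star)] += 1
    return table


def output_is_uniform():
    """Each 4-bit output value occurs 4 times over the 64 inputs."""
    counts = [0] * 16
    for x in range(64):
        counts[sbox(x)] += 1
    return all(c == 4 for c in counts)


def impossible_outputs(row):
    """Output differences y' that never occur for this input difference."""
    return [y for y, count in enumerate(row) if count == 0]


def most_biased(table):
    """(count, x', y') of the largest entry outside the trivial row x' = 0."""
    return max((count, xp, yp)
               for xp, row in enumerate(table) if xp != 0
               for yp, count in enumerate(row))


if __name__ == "__main__":
    t = ddt()
    print("outputs uniform:", output_is_uniform())
    print("row x'=01:", " ".join(f"{y:X}:{n}" for y, n in enumerate(t[0x01])))
    print("never occur for x'=01:", [f"{y:X}" for y in impossible_outputs(t[0x01])])
    count, xp, yp = most_biased(t)
    print(f"largest entry: x'={xp:02X} -> y'={yp:X} in {count}/64 pairs")
```

The contrast between the uniform output counts and the skewed table rows is the non-uniformity the differential attack relies on.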

Cryptanalysis of DES

• Differential analysis
  – Using that, we have
    • Δx_{i+1} = Δx_{i-1} ⊕ F(x_i, K_i) ⊕ F(x’_i, K_i)
  – If F(x_i, K_i) ⊕ F(x’_i, K_i) is a function of Δx_i with high probability, then:
    • Knowing Δx_{i-1} and Δx_i, we know Δx_{i+1}
  – Test this hypothesis for different Δx and start getting information about K_i
  – This can break DES with 2^47 chosen plaintexts

Summary of differential attack to DES

• DES reduced to 6 rounds can be broken by a chosen plaintext attack in less than 0.3 sec on a PC using 240 ciphertexts; the known plaintext version requires 2^36 ciphertexts.
• DES reduced to 8 rounds can be broken by a chosen plaintext attack in less than 2 minutes on a PC by analyzing about 2^14 ciphertexts; the known plaintext version requires 2^38 ciphertexts.
• Full DES can be broken by analyzing 2^36 ciphertexts from a larger pool of 2^47 chosen plaintexts.
• Certain changes in DES may have catastrophic results
