Data Encryption Standard Symmetric Cryptography Block cipher • Block ciphers break up the plaintext in blocks of fixed length n bits and encrypt one block at time • E: {0,1}n →{0,1}n D: {0,1}n →{0,1}n • E is a permutation (one-to-one, invertible) DES 2 Data Encryption Standard (DES) K! K! 56" 56" DES" DES" P! 64" 64" C! C! 64" 64" P! ! The input key K is actually specified as a 64-bit key, 8 bits of which (bits 8; 16, …, 64) may be used as parity bits. ! The 256 keys implement (at most) 256 of the 264! possible permutations on 64-bit blocks. DES 3 Block Ciphers Built by Iteration key k key expansion k1 k2 k3 kn , .) , , .) .) , .) , m 1 2 3 n c k R(k R(k R(k R( R(k,m) is called a round function for 3DES (n=48), for AES-128 (n=10) DES 4 Data Encryption Standard • On May 15, 1973, National Bureau of Standards published a solicitation for cryptosystems in the Federal Register • DES was published in the Federal Register of March 17, 1975 • DES was developed by IBM as a modification of LUCIFER • DES was considered a standard for “unclassified” applications on January 15, 1977 after much public discussion • DES has been reviewed every 5 years • The most recent review was January 1994 • It is not a standard since 1998. DES 5 Basic idea: Feistel Network n n Given functions f1, …, fd: {0,1} ⟶ {0,1} Goal: build invertible function F: {0,1}2n ⟶ {0,1}2n n-bits R0 R1 R2 Rd-1 Rd f1 f2 n-bits fd L 0 L1 L2 Ld-1 Ld input output ⎧ L R ⎪ i = i−1 In symbols: ⎨ R = L ⊕ f R ⎩⎪ i i−1 i ( i−1) DES 6 Feistel net is invertible n n Theorem: for all f1, …, fd: {0,1} ⟶ {0,1} Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible R R Proof: construct inverse i-1 i fi Li-1 Li ⎧ R L ⎪ i−1 = i In symbols: ⎨ L = R ⊕ f L ⎩⎪ i−1 i i ( i ) Ri Ri-1 fi Li Li-1 DES 7 Decryption circuit n-bits R d Rd-1 Rd-2 R1 R0 n-bits fd fd-1 f 1 Ld Ld-1 Ld-2 L1 L0 • Inversion is basically the same circuit, with f1, …, fd applied in reverse order • General method for building invertible functions (block ciphers) from arbitrary functions. • Used in many block ciphers … but not AES DES 8 Luby-Rackoff ‘85 Theorem. Let f: K × {0,1}n ⟶ {0,1}n be a secure PRF 3-round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n is a secure PRP R 0 R1 R2 R3 f f f L0 L1 L2 L3 input output 3 independent f(k , R ) f(k , R ) f(k , R ) 0 0 1 1 2 2 keys DES 9 DES: 16 round Feistel net 32 32 f1, …, f16: {0,1} ⟶ {0,1} , fi(x) = F( ki, x ) From K k key expansion k k k 1 2 16 16 round IP IP-1 64bits 64 bits Feistel network input To invert, use keys in reverse order output DES 10 Round function F Ri-1 32 Ki Expansion E 48 48 8 × 6 bit 6 Substitution S1 S2 S3 S4 S5 S6 S7 S8 (S-box) 4 8 × 4 bit 32 F(Ri-1, Ki) = P(S(E(Ri-1) Ki ) P Permutation S() is a look-up table 32 DES 11 S-boxes B Si D B = b1b2b3b4b5b6 Row → b1b6 (outer bits) Column → b2b3b4b5 (inner bits) DES 12 S-boxes 6 4 Si: {0,1} ⟶ {0,1} S5(011011) → 1001 DES 13 S-box: a bad choice Suppose: Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 ) or written equivalently: Si(x) = Aix (mod 2) 0 1 1 0 0 0 x1 x2⨁x3 1 0 0 1 1 0 × x = x ⨁x ⨁x 2 1 4 5 1 0 0 0 0 1 x3 x1⨁x6 0 1 1 0 0 1 x4 x2⨁x3⨁x6 x5 We say that Si is a linear function. x6 DES 14 S-box: a bad choice Then entire DES cipher would be linear: fixed binary matrix B s.t. 832 m DES(k,m) = 64 B × k1 = c (mod 2) k 2 k16 But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3) = ⎛ m ⎞ ⎛ m ⎞ ⎛ m ⎞ ⎛ m ⊕ m ⊕ m ⎞ B ⋅⎜ 1 ⎟ ⊕ B ⋅⎜ 2 ⎟ ⊕ B ⋅⎜ 3 ⎟ = B ⋅⎜ 1 2 3 ⎟ ⎝ k ⎠ ⎝ k ⎠ ⎝ k ⎠ ⎝ k ⎠ DES 15 Choosing S-box and P-box • Choosing S-boxes and P-box at random would result in an insecure block cipher – (key recovery after ≈224 outputs) [BS’89] • Several rules used in choice of S and P boxes: – No output bit should be close to a linear function of the input bits – S-boxes are 4-to-1 maps DES 16 Key SchedulingK ! R e PC2 guarantee 64 Permutation and compression that, at each round, a PC1 (generate the first sub-key) different subset of bits is extracted 56 ! Each bit of the key participates to 14 28 i 28 Left rotation rounds on average R R (1 bit per round = 1, 2, 9, 28 28 16; 2 bit otherwisei) 56 PC2 Permutation and compression 48 Ki (i-th subkey) DES 17 DES in practice • DES can be efficiently implemented either in hardware or in software – Arithmetic operations are • exclusive-or • E, S-boxes, IP, IP-1, key scheduling can be done in constant time by table-lookup (sw) or by hard-wiring them into a circuit • One very important DES application is in banking transactions – DES is used to encrypt PINs and account transactions carried out at ATM – DES is also used in government organizations and for inter-bank transactions DES 18 Empirical properties of DES Empirically, DES fulfills these reqs: • Each CT bits depends on all key bits and PT bits • There are no evident statistical relationships between CT and PT • The change of one bit in the PT (CT) causes the change of every bit in the CT (PT) with 0.5 probability DES 19 Strength of DES data storage processing attack method complexity complexity complexity exhaustive – 1 256 1 (table lookup) precomputation exhaustive 1 – negligible 255 search linear 243 (85%) – for texts 243 cryptanalysis 238 (10%) – for texts 250 differential – 247 for texts 247 cryptanalys 255 – for texts 255 DES 20 .