BLOCK CIPHER & THE DATA ENCRYPTION STANDARD Tran Song Dat Phuc Department of Computer Science Seoul National University of Science and Technology 2013-2014 Outline Stream Cipher Block Cipher The Feistel Cipher Structure The Data Encryption Standard (DES) Security of DES Block Cipher Design Principles Summary Stream Cipher A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Stream Cipher The stream cipher encrypts the plaintext to produce the ciphertext, in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. To meet the need of producing the keystream for independence and secure channel, the bit- stream generator is implemented for both users. The two users share the generating key, and each can produce the keystream. Block Cipher A block cipher is one in which a block of plaintext is treated as whole and produce a ciphertext block of equal length. A block are typically 64 or 128 bits. As with a stream cipher, the two uses share a symmetric encryption key. A block of multiple bits are enciphered each time. In some modes of operation (CFB, OFB, CTR), a block cipher can be used to achieve the same effect as a stream cipher. Block Cipher The block cipher encrypts a block of plaintext or message m into a block of ciphertext c due to a secret key k. Block Cipher The encryption process is denoted as: c = ENCk(m) The decryption has reversed the encryption process, which use the same user-supplied key. m = DECk(c) Block Cipher A block cipher has two important parameters: - Block size b: determines the space of all possible permutations that a block cipher might conceivable. - Key size k: determines the number of permutations that are actually generated. With a key, a b-bit block cipher maps 2b b-bit inputs onto the same 2b outputs. Block Cipher In the block cipher, substitution and permutation are two main properties. The mix of them is an important component of most block cipher designs. Most block cipher contain vary kinds of combination of substitution and permutation. Block Cipher Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements. Permutation: A sequence of plaintext elements is replaced by a permutation. No elements are added or deleted or replaced, just the order of the elements is changed. The Feistel Cipher Structure Substitution: often use to provide confusion with cipher. - Designed around an arithmetic function, such as integer addition or integer multiplication. - Typically, substitution is achieved with a suitably designed, such as S-boxes. - S-boxes is designed carefully which have specific security properties, functions and can operate quickly in practice. The Feistel Cipher Structure Permutation: often use to provide a good diffusion in a cipher. - Often performed at a bit level; individual bits can be moved into a new ordering. - At the downside, bit level permutation can slow down the performance of cipher; cause manipulating individual bit is complex and not easy to operate. Block Cipher The ideal block cipher Block Cipher The ideal block cipher allows for the maximum number of possible encryption mappings from the plaintext block. But it is really good, really perfect ??? If the size of the block is small (ex. n = 4) vulnerable to statistical analysis of plaintext The large block size is not practical, consider the key size for an n-bit ideal block cipher, the length of key is n x 2n bits Block Cipher For a 64-bit block, to thwart statistical attack, it needs 64 x 264 = 270 ≈ 1021 bits impossible. Is there a feasible way (related in block size and key size) to make a stronger cipher block ??? The Feistel Cipher Structure Feistel develops a block cipher with key size k- bits and block length of b-bits, has 2k possible keys and each key specifies a permutation of 2b input. The Feistel cipher refers to the conceptions of diffusion and confusion of Claude Shannon. The Feistel Cipher Structure Two terms of confusion and diffusion that aim to build a good block cipher, is introduced in 1949 by Claude Shannon. - Confusion: to make the relation between the cipher-text and the key becomes very complex and involved one. - Diffusion: the statistical structure of the plaintext is dissipated by long-range statistics of the cipher- text (to make the relation between the plaintext and cipher-text becomes complex and unable to exploit). The Feistel Cipher Structure S-P Network of Shannon - Consist of the repeated application of carefully chosen substitutions, permutations and key materials. - Key schedule (KS): present a series of round keys to each round of encryption; these round keys are computed from user supplied encryption key. The Feistel Cipher Structure The Feistel Network based on some features and design parameters: - Block size: Larger block sizes means greater security, but reduce the speed of encryption / decryption. (64bits) - Key size: Larger key size means greater security, but also decrease the encryption / decryption speed. (128bits) - Number of rounds: The multiple rounds offer increasing security. (16 rounds) - Subkey generation algorithm: Greater complexity lead to greater difficulty of cryptanalysis. - Round function F: greater complexity means greater resistance to cryptanalysis. The Feistel Cipher Structure Plaintext block of length 2w-bits Key K, subkey Ki Two halves Li and Ri 16 rounds is used. The Feistel Cipher Structure Feistel Encryption Algorithm: - The input plaintext block is divided into two halves L0 and R0 , that pass through n rounds of processing and then combined to produce the ciphertext block. - Each round i has as input Li-1 and Ri-1 from previous round, with the subkey Ki from the overall K. - The substitution is performed on the left half of data. - A round function F is applied to the right half of data. - It is done by taking the X-OR operation between the output of function F and the left half of data. - The permutation is performed through the interchange of the two halves of data. All rounds have the same structure. The Feistel Cipher Structure Feistel Decryption Algorithm: - The process of the Feistel’s decryption is the same as the encryption process, in reverse order of subkey Ki. - The input ciphertext use Kn in the first round, Kn-1 in the second until K1 in the last round. Data Encryption Standard (DES) DES (Data Encryption Standard) is a block cipher which most widely used in world. Adopted in 1977 by NBS (now is NIST) Encrypts 64 bits block using 56 bits key. DES is an example of a Feistel cipher. DES DES with round function components; the bit expansion E, the S-boxes S and the bit permutation P. - DES has 16rounds and user supplied key is 56bits (k = 56). - Initial Permutation(IP) has 64bit input block, happen only once before first round. - IP-1 use to maintain the property that encryption network can be reused for decryption. Initial Permutation(IP) Suggests how the transposition in IP should proceed. The IP replaces the 1st bit of the plaintext block with the 58th bit of the original plaintext block, the 2nd bit with the 50th bit and so on. DES IP and its inverse IP-1 Round Function Each iteration of round function takes 32-bit inputs and returns 32-bits output. - 32-bit input is expanded to 48-bit by the bit expansion E. - Processed 48-bit is combined with round key. - 48 bits that result, then, are split into 8 groups of 6 bits, input to 8 different S-boxes. Each S-box returns 4 bits which concatenated with others, will give a 32- bits result. - 32-bit received is applied by bit-level permutation P, after all, provide a 32-bit output from round function. Round Function Key Transformation Round Key Process 28-bit left semikey 64-bit Remove parity 56-bit split Key bit Key 28-bit right semikey shift 28-bit shifted left semi-key Compression 48-bit Permutation semi-key 28-bit shifted shift right semi-key Key Transformation The Initial Key consists of 64 bits. Before the DES process starts, every 8th bit of the key is discarded to produce a 56 bit key. Bit positions (8, 16, 24, 32, 40, 48, 56, 64) are discarded. These bits can be used for parity checking to ensure that the key does not contain any error. Key Transformation Remove parity bit (64 bits -> 56 bits) Key Transformation For each round, 56 bit key is available From this 56 bit key, a different 48-bit sub key is generated during each round using a process called as Key Transformation In this method, a 56 bit key is divided into two halves, each of 28 bits These halves are circularly shifted by 1 or 2 positions, depending on the round Key Transformation Permutation on 56 bits key Number of key bit shift Key Transformation Round 1 – Key bit shift Key Transformation Compression Permutation : the Key Transformation process involves permutation as well as selection of a 48 bits sub-set of the original 56-bit key. * 18 bits number is discarded. Expansion Permutation The RPT is expanded from 32 bits to 48 bits. The RPT is divided into 8 blocks, with each block consists of 4 bits. For per 4-bit block, 2 more bits are added. Expansion Permutation Division of 32 bit RPT into Eight 4-bits block RPT Expansion Process Expansion Permutation Expansion Permutation (48bits) The S-Boxes After 48-bits expansion combine with 48-bits key (XOR operation), the 48-bits output is split into 8 S-Boxes.