Outline Computer Science 418 1 Product Ciphers Product Ciphers, Block Ciphers, DES 2 Block Ciphers Mike Jacobson Department of Computer Science 3 The Data Encryption Standard University of Calgary History of DES Description of DES Week 4 Multiple DES Encryption Mike Jacobson (University of Calgary) Computer Science 418 Week 4 1 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 2 / 32 Product Ciphers Product Ciphers Product Ciphers Properties of Product Ciphers If different ciphers are used in a product cipher, ciphertexts of one cipher Shannon also introduced the idea of product ciphers (multiple encryption): need to have the correct format to be plaintexts for the next cipher to be applied. This is composition of encryption maps. Definition 1 (Product cipher) The product of two ciphers is the result of applying one cipher followed by Applying a product cipher potentially increases security. E.g. n-fold the other. encryption with one cipher and n keys potentially corresponds to a cipher that has n times longer keys. AKA superencipherment and various other names. Of course it also results in a loss of speed by a factor of n, but this might be worth it for added security. Mike Jacobson (University of Calgary) Computer Science 418 Week 4 3 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 4 / 32 Product Ciphers Product Ciphers Caveat Confusion and Diffusion Shannon suggested applying two simple ciphers with a fixed mixing transformation (transposition) in between to: Be careful with this reasoning! diffuse language redundancy into long term statistics, and to Note 1 confuse the cryptanalyst by making relation between redundancy of The product of two substitution ciphers is a substitution cipher. The the ciphertext C and the description of the key K very complex. product of two transposition ciphers is a transposition cipher. Definition 2 (Confusion) Make the relationship between the key and ciphertext as complex as Such ciphers are closed under encryption, so multiple encryption under possible (accomplished by applying substitutions or S-boxes). different keys provides no extra security: Definition 3 (Diffusion) E.g. double encryption C = EK1 (EK2 (M)) = EK3 (M) for a third key K3 Dissipate the statistical properties of the plaintext across the ciphertext (accomplished by applying applying transpositions or P-boxes). Mike Jacobson (University of Calgary) Computer Science 418 Week 4 5 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 6 / 32 Product Ciphers Product Ciphers Examples of Product Ciphers Lucifer: P-boxes and S-boxes Since Lucifer was set up in hardware, they called the chips which did the • ADFGX/ADFGVX Ciphers (employed by the Germans in WW I). permutation \P-boxes" and those that did the substitution \S-boxes." • Hayhanen Cipher | Hayanan was a Russian spy caught in New York in the 1950's. The FBI couldn't break it! P−box S−box 1 0 n n 0 0 2 =8 2 =8 Example 4 0 0 0 0 n=3 0 0 n=3 0 0 1 1 IBM's Lucifer system, uses permutations (transpositions) on large blocks 0 1 0 0 2 2 for the mixing transformation, and substitution on small blocks for 0 0 3 3 0 LOW BASE 1 HIGH BASE − confusion. 0 1 − 4 4 TO TO − 0 0 − 5 5 1 1 0 0 6 6 TRANSFORMER LOW HIGH TRANSFORMER Feistel originally wanted to call the product cipher \Dataseal". IBM 0 0 7 7 instead shortened the term demonstration cipher to \Demon." Later, it 0 0 0 0 was changed to Lucifer, because it retained the \evil atmosphere" of 0 0 Demon, and contained the word cipher. 0 0 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 7 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 8 / 32 Product Ciphers Product Ciphers Lucifer: Complete Cipher Error Propagation The Lucifer system simply consisted of a number of P and S boxes in alternation. Lucifer demonstrates graphically not only the difffusion properties of PPPPPP Lucifer, but also the idea of error propagation. 1 1 0 S S S S S 1 0 0 Definition 5 (Error Propagation) 0 1 0 S S S S S 1 The degree to which a change in the input leads to changes in the output. 0 1 0 0 0 S S S S S 1 0 1 Good error propagation is a desirable property of a cryptosystem (a user 0 0 can easily tell if a message has been modified). 0 S S S S S 1 0 1 Not good for decryption though (one error in the process should still 0 1 mostly decrypt correctly). 0 S S S S S 0 0 1 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 9 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 10 / 32 Product Ciphers Block Ciphers Error Propagation in Lucifer Block Ciphers All modern ciphers in use are block ciphers (although not necessarily used as such | we'll talk about modes of operation of block ciphers later). Example 6 Lucifer has good diffusion and error propagation. The thicker lines in the graphic indicate `1' bits. The `1' input bit dissipates over the entire Definition 7 (Block cipher) ciphertext. Encrypts plaintext blocks of some fixed length to ciphertext blocks of some fixed (possibly different) length. Aso, if the first `1' bit is changed to a `0', then half the bits in the output are affected. Usually, a message M will be larger than the plaintext block length, and must hence be divided into a series of sequential message blocks Note: All modern symmetric key ciphers in use are product ciphers. M1; M2;:::; Mn of the desired length. A block cipher operates on these blocks one at a time. Mike Jacobson (University of Calgary) Computer Science 418 Week 4 11 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 12 / 32 Block Ciphers The Data Encryption Standard History of DES Examples of Block Ciphers NIST Publications • NIST: National Institute of Standards and Technology (formerly Example 8 National Bureau of Standards (NBS)) The shift cipher is a block cipher where the blocks consists of one • FIPS: Federal Information Processing Register character (i.e. 8 bits on 32-bit architecture, 16 bits on 64-bit architecture). Everything about NIST's cryptographic standards, recommendations, and guidance can be found at the NIST Cryptographic Toolkit website Two main block ciphers in use today: http://csrc.nist.gov/CryptoToolkit. 1 DES (obsolete, so now used in triple encipherment as 3DES) Extremely useful website for the practicing cryptographer. 2 AES There is a link on the \external links" page on the course website. Mike Jacobson (University of Calgary) Computer Science 418 Week 4 13 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 14 / 32 The Data Encryption Standard History of DES The Data Encryption Standard History of DES DES Documents History of DES • DES was developed by IBM around 1972. • NBS made solicitations to IBM in 1973/1974 concerning the use of this as a public standard, in response to corporate needs for securing • Original DES publication: FIPS 46 (January 15, 1977) information. • Second DES publication: FIPS 46-2 (December 30, 1993) • IBM and the National Security Agency (NSA) secretly evaluated DES for security. • Current DES publication: FIPS 46-3 (October 25, 1999) • DES was approved in 1978, and it is still in use, although no longer endorsed. • The Advanced Encryption Standard (AES), approved in October 2000, has now replaced it. Mike Jacobson (University of Calgary) Computer Science 418 Week 4 15 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 16 / 32 The Data Encryption Standard Description of DES The Data Encryption Standard Description of DES Specifications Overview −1 DESkey (M) = IP (S16(S15(::: (S2(S1(IP(M)))) ::: ))) • DES is a block cipher that encrypts 64-bit plaintext blocks to 64-bit 1 The 64 plaintext bits are permuted in a fixed order (transposition ciphertext blocks using using 64-bit keys. cipher). 2 The block is divided into two 32-bit words L and R : • Note that 8 of the key bits are parity bits, resulting in 56 actual bits of 0 0 the key. 3 The block undergoes 16 substitution \rounds." In each round, one word is transformed using XOR and a substitution function, after • So M = C = f0; 1g64 and K = f0; 1; g56. which the two words are swapped. 4 In the last round, the two words are not swapped. 5 The original permutation is reversed. Mike Jacobson (University of Calgary) Computer Science 418 Week 4 17 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 18 / 32 The Data Encryption Standard Description of DES The Data Encryption Standard Description of DES Diagram of DES Initial Permutation IP INPUT INITIAL PERMUTATION L0 R 0 K 1 + f L10 = R R 10 = L + f(R01 , K ) See FIPS publication for precise specification. K 2 + f Notation: first bit of the output is the 58th bit of the input. L21 = R R 21 = L + f(R12 , K ) K n + f L15 = R 14 R 15 = L 14 + f(R 14 , K 15 ) K 16 + f R 16 = L 15 + f(R15 , K 16 ) L16 = R 15 INVERSE INITIAL PERMUTATION OUTPUT Mike Jacobson (University of Calgary) Computer Science 418 Week 4 19 / 32 Mike Jacobson (University of Calgary) Computer Science 418 Week 4 20 / 32 The Data Encryption Standard Description of DES The Data Encryption Standard Description of DES Substitution Rounds The Function f f accepts as input Ri (32 bits) and the ith round subkey Ki (48 bits).