Confusion and Diffusion Feistel Feistel Networks Feistel Network

Confusion and Diffusion Feistel Feistel Networks Feistel Network

Confusion and diffusion Feistel Claude Shannon (inventor of information theory) gave design criteria for symmetric ciphers (late 1940s): • Kerckhoff’s principle: only the key should be secret, not the Feistel (1970s) used Shannons ideas in designing ciphers. Standard algorithm design since then! • use confusion: hide local patterns in the language (simplest: Make product cipher by alternating substitution and permutation: digrams) • use diffusion: spread statistical structure of plaintext in c = Ek (m) = Sn ◦ Pn−1 ◦ · · · ◦ S2 ◦ P1 ◦ S1(m) long-range statistics of ciphertext The Vigenère cipher hides small-scale structure: digrams are encoded by different keys, but fails at diffusion: nothing is • Substitution: replace one (symbol/bitstring) by another - but moved/spread. reversibly Simple transposition ciphers are good at diffusion: they move • Permutation: change the order of (symbol/bitstring)s around, but difficult to achieve confusion. (reversible) Modern ciphers get both confusion (small-scale) and diffusion (large-scale), e.g. by combining substitution and transposition in a 1 product cipher. 2 Feistel networks Feistel network Plaintext (2·w bits) k 1 xor F A Feistel network: 1 split input in two halves L0; R0 2 perform n rounds: k i • Li ⊕ F (Ri ; ki ) xor F • swap halves 3 end with a swap where ki is a subkey for round i, generated from the main key k. k n xor F Ciphertext (2·w bits) 3 4 Feistel decryption Feistel decryption Same algorithm to decrypt, but keys in reverse order. Same algorithm to decrypt, but keys in reverse order. Works Output (plaintext) regardless of F ! Input (plaintext) RD = LE LD = RE 16 0 16 0 LE16 = RE15 = RD0 = LD1 LE K RE 0 0 1 LD = RE RD = LE 16 0 16 0 F F RE16 = LE15 ⊕ F (RE15; k16) RE K LE RD = LE LD = RE 1 2 1 15 1 K 15 1 1 RD1 = LD0 ⊕ F (RD0; k16) F F LE RE LD = RE RD = LE 2 2 = RE ⊕ F (RE ; k ) 14 2 K 14 2 16 15 16 2 = LE15 ⊕ F (RE15; k16) ⊕ F (RE15; k16) LE K RE 14 15 14 LD = RE RD = LE = LE15 2 14 2 14 F F . RE K LE RD = LE LD = RE . 15 15 16 1 15 K 1 15 15 F F RD = LE LE RE 16 0 16 16 LD = RE RD = LE 0 16 K 0 16 16 LD16 = RE0 RE LE 16 16 Input (ciphertext) Output (ciphertext) 5 6 Figure 3.6 Feistel Encryption and Decryption Feistel net parameters Feistel features • Block size (64-256 bits) • Key size (56-256 bits) • Fast implementation Larger ) greater security (diffusion) but slower. Feistel nets can typically be implemented efficiently (fast • Number of rounds (10-16) en/decryption) in both hardware and software. This makes it One is too little, more increase security, to a limit. (Depends easier to use. on F .) • Ease of analysis • Subkey generation algorithm Concise and clear description ) easier to analyse ) safer to trust. • Round function F Both should be complex to resist cryptanalysis. 7 8 Data Encryption Standard (1977) DES: Overview 64-bit plaintext 56-bit key • • • • • • • • • • • • • • • • • • Initial Permutation Permuted Choice 1 No longer standard, but instructive example of a Feistel net. K1 Round 1 Permuted Choice 2 Left circular shift • encrypts 64-bit blocks with 56-bit key K2 • hardware and software implementations Round 2 Permuted Choice 2 Left circular shift • one of the most analysed algorithms • unknown criteria for design (but more is known now) • US export control on implementations for long time (lifted now) K16 • based on Lucifer algorithm (Feistel/IBM, 1973) with 128-bit Round 16 Permuted Choice 2 Left circular shift keys and blocks, but scaled down by NSA 32-bit Swap Inverse Initial Permutation • • • • • • • • • 64-bit ciphertext 9 10 Figure 3.7 General Depiction of DES Encryption Algorithm DES: subkey generation DES: one round 32 bits 32 bits 28 bits 28 bits Li-1 Ri-1 Ci-1 Di-1 Expansion/permutation Left shift(s) Left shift(s) • Each round uses subkey ki based on k, which is 64 bits (E table) • Permuted Choice 1 (PC1) discards parity bits (so 56 remain) 48 Permutation/contraction XOR K and permutes F 48 i (Permuted Choice 2) • Split in two 28-bit halves C0; D0 48 • Each round: Substition/choice (S-box) • Ci = LSi (Ci−1), Di = LSi (Di−1) where LSi is a left circular 32 shift of h1; 1; 2; 2;:::; 2; 1; 2;:::; 2; 2; 1i bits Permutation • ki = PC2(Ci · Di ) where PC2 is Permuted Choice 2 (permutes (P) and discards) 56 ) 48 bits 32 XOR Li Ri Ci Di 11 12 Figure 3.8 Single Round of DES Algorithm DES: the F-box Breaking DES by brute force R (32 bits) E 1977: estimated breakable in 1 day by $20M machine 1981: estimated breakable in 2 days by $50M machine 48 bits K (48 bits) + 1997: broken in 96 days by 70 000 machines, testing 7 billion keys/s (DESCHALL project) 1998: less than 56 hours by special hardware, $250K incl design and development (“Deep Crack”) S1 S2 S3 S4 S5 S6 S7 S8 1999: 22 h 15 min, “Deep Crack” + 100 000 machines, testing 245 billion keys/s 2007: 6.4 days, $10K hardware, 120 FPGAs P (COPACOBANA project) 32 bits 13 14 Figure 3.9 Calculation of F(R, K) Properties of DES Avalanche effect Small changes in m or k give big changes in c, and changes increase for each round • Decryption: like Feistel (keys in reverse order) Example: one bit change in plaintext or key • Symmetry: • c = DES(m; k) iff c = DES(m; k) where x is the bitwise Change in plaintext Change in key negation of x Round Bits that differ Round Bits that differ • cuts search space in half 0 1 0 0 • Weak keys: 1 6 1 2 • key cause involution: Ek (Ek (m)) = m 2 21 2 14 • four for DES: h0; 0i, h−1; 0i, h0; −1i, h−1; −1i 3 35 3 28 • Semi-weak keys: 4 39 4 32 • such that E (E (m)) = m . k1 k2 . • 6 such pairs for DES (few enough to check for) 14 46 14 26 15 29 15 34 16 34 16 35 15 16 Feistel net design criteria Other modern ciphers • S-box design • very careful for DES (see below) • in general: randomly, randomly with testing, careful E.g. IDEA, Blowfish, CAST, . hand-crafting, mathematically • variable key length • Number of rounds • DES: brute force requires2 55 tests • mixed operations (not only xor, not distributive/associative) • for DES with 16 rounds, differential cryptanalysis requires2 55:1 • data dependent rotations instead of S-boxes operations due to S-box design • key dependent rotations and S-boxes • with 15 rounds, differential cr.an. would beat brute force • Differential cryptanalysis invented ca 1990 – but turns out • variable F , block length, number of rounds IBM and NSA had it secretly since 1974 • operations on both halves • Round function F : but (many) are just improvements of Feistel nets! • strict avalance criterion: any output bit changes with p = 1=2 if a single input bit changes • bit independence criterion: any two output bits should change independently when a single input bit changes 17 18.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    5 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us