ECE 646 – Lecture 7 Data Encryption Standard Secret-Key Ciphers DES NBS public request for a standard Secret agreement between IBM & NSA, 1974 cryptographic algorithm Obligations of IBM: May 15, 1973, August 27, 1974 • Algorithm developed in secret by IBM The algorithm must be: • NSA reserved a right to monitor the development and propose changes • secure • No software implementations, just hardware chips • public - completely specified • IBM not allowed to ship implementations to certain - easy to understand countries - available to all users • License required to ship to carefully selected • economic and efficient in hardware customers in approved countries • able to be validated Obligations of NSA: • exportable • seal of approval 1 DES - chronicle of events Controversies surrounding DES 1973 - NBS issues a public request for proposals for Unknown Slow Too short a standard cryptographic algorithm design in software key 1975 - first publication of the IBMs algorithm criteria and request for comments Only Most criteria Theoretical 1976 - NBS organizes two workshops to evaluate hardware reconstructed designs implementations the algorithm from cipher of DES breaking certified 1977 - official publication as analysis machines FIPS PUB 46: Data Encryption Standard 1990 1993 1983, 1987, 1993 - recertification of the algorithm 1998 Reinvention Software, firmware for another five years Practical of differential and hardware 1993 - software implementations allowed to be validated DES cracker cryptanalysis treated equally built Life of DES DES - external look 1980 1990 2000 2010 2020 2030 plaintext block 1977 1999 Triple DES DES 112, 168 bit 168 bit only 64 bits American 56 bit key AES - Rijndael standards AES 2002 128, 192, and 256 bit keys DES key contest 56 bits IDEA Serpent Other 64 bits popular RC5 Twofish algorithms Blowfish RC6 ciphertext block CAST Mars 2 Typical Flow Diagram of DES – high-level internal structure a Secret-Key Block Cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i:=i+1 #rounds times i<#rounds? Round Key[#rounds+1] Final transformation Classical Feistel Network IP DES Main Loop L0 R0 Feistel Structure K1 plaintext = L0R0 f for i=1 to n { L1 R1 K2 Li=Ri-1 f L =R Ri=Li-1Å f(Ri-1, Ki) n+1 n } L2 R2 Rn+1=LnÅ f(Rn, Kn+1) . Ln+1 = Rn Rn+1 = Ln L15 R15 K16 ciphertext = Ln+1Rn+1 f R16 L16 IP-1 3 Feistel Structure IP-1 Decryption IP L0 R0 R16 L16 Encryption Decryption K1 K16 f f Ln Rn Ln Rn L1 R1 R15 L15 f Kn+1 f Kn+1 K2 K15 f f L2 R2 R14 L14 Ln+1 Rn+1 Ln+1 Rn+1 . L15 R15 R1 L1 Ln+1, Rn+1 ? ? K16 K1 f f f Kn+1 R16 L16 L0 R0 -1 Ln, Rn ? ? IP IP Mangler Function of DES, F 4 Notation for Permutations Input i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64 58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7 i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7 Output Notation for S-boxes Input i1 i2 i3 i4 i5 i6 i1 i6 determines a row number in the S-box table, 0..3 i2 i3 i4 i5 determine a column in the S-box table, 0..15 o1 o2 o3 o4 is a binary representation of a number from 0..15 in the given row and the given column o1 o2 o3 o4 Output 5 General design criteria of DES 1. Randomness 2. Avalanche property changing a single bit at the input changes on average half of the bits at the output 3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits) 4. Nonlinearity encryption function is non-affine for any value of the key 5. Correlation immunity output bits are statistically independent of any subset of input bits Completeness property Linear Transformations Every output bit is a complex function of all input bits Transformations that fulfill the condition: (and not just a subset of input bits) T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1] Formal requirement: or For all values of i and j, i=1..64, j=1..64 T(X1 Å X2) = T(X1) Å T(X2) there exist inputs X1 and X2, such that X1 x1 x2 x3 . xi-1 0 xi+1 . x63 x64 Affine Transformations X2 x1 x2 x3 . xi-1 1 xi+1 . x63 x64 Transformations that fulfill the condition: Y1 = DES(X1) y1 y2 y3 . yj-1 yj yj+1 . y63 y64 T(X[m x 1]) = Y[n x 1] = A[n x m] × X[m x 1] Å B[n x 1] Y2 = DES(X2) y1 y2 y3 . yj-1 yj yj+1 . y63 y64 6 Linear Transformations of DES Design of S-boxes IP, IP-1, E, PC1, PC2, SHIFT S[0..15] e.g., IP(X1 Å X2) = IP(X1 ) Å IP( X2) S Non-Linear and non-affine in out = S[in] transformations of DES S • 16! » 2 × 1013 possibilities There are no such matrices A and B that • precisely defined initially unpublished criteria [4x6] [4x1] • resistant against differential cryptanalysis S(X[6x1]) = A[4x6] × X[6x1] Å B[4x1] (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir) Theoretical design of the specialized DES breaking machine machine to break DES known ciphertext key counter Round key Project: Michael Wiener, Entrust Technologies, key 1 1993, 1997 Encryption Round 1 Key Scheduling Round 1 Method: exhaustive key search attack Basic component: specialized integrated circuit Encryption Round 2 Key Scheduling Round 2 in CMOS technology, 75 MHz Round . Checks: 200 mln keys per second key 2 Costs: $10 Encryption Round 16 Key Scheduling Round 16 Total cost Estimated time Round plaintext key 16 $ 1 mln 35 minutes $ 100.000 6 hours comparator known plaintext 7 Deep Crack Deep Crack Electronic Frontier Parameters Foundation, 1998 Number of ASIC chips 1800 Total cost: $220,000 Average time of search: Clock frequency 40 MHz 4.5 days/key Number of clock cycles per key 16 Number of search units per ASIC 24 Search speed 90 bln keys/s 1800 ASIC chips, 40 MHz clock Average time to recover the key 4.5 days COPACOBANA COPACOBANA Cost-Optimized Parallel COde Breaker • Based on Xilinx FPGAs (Field Programmable Gate Arrays) Ruhr University, Bochum, University of Kiel, Germany, 2006 • ver. 1 – based on 120 Spartan 3 FPGAs • ver. 2 – based on 128 Virtex 4 SX 35 FPGAs Cost: € 8980 (ver. 1) • Description, FAQ, and news available at http://www.copacobana.org/ • For ver. 1 based on Spartan FPGAs Clock frequency = 136 MHz Average search time for a single DES key = 6.4 days Worst case search time for a single DES key = 12.8 days 8 Secure key length today and in 20 years Secure key length - discussion (against an intelligence agency with the budget of $300M) • increasing key length in a newly developed cipher key length costs NOTHING • increasing effective key length, assuming the use of 128 bits IDEA, minimum key length in AES an existing cipher has a limited influence on the efficiency of implementation (Triple DES) 112 bits Triple DES with three different keys It is economical to use THE SAME 100 bits Secure key length in 2027 secure key length FOR ALL aplications 94 bits Secure key length in 2018 The primary barriers blocking the use of symmetric ciphers 80 bits Skipjack with a secure key length have been of the political nature (e.g., export policy of USA) 56 bits DES 9 Triple DES EDE mode with two keys Triple DES EDE mode with three keys encryption decryption Diffie, encryption decryption Diffie, Hellman, Hellman, plaintext ciphertext 1977 plaintext ciphertext 1977 E D E D K1 K1 K1 K1 encryption 56 decryption 56 encryption 56 decryption 56 D E D E K2 K2 K2 K2 decryption 56 encryption 56 decryption 56 encryption 56 E D E D K1 K1 K3 K3 encryption 56 decryption 56 encryption 56 decryption 56 ciphertext plaintext ciphertext plaintext Triple DES Best Attacks Against Triple DES Advantages: • Version with three keys (168 bits of key) • secure key length (112 or 168 bits) Meet-in-the-middle attack • increased compared to DES resistance to linear 232 known plaintexts and differential cryptanalysis 113 2 steps • possibility of utilizing existing implementations of DES 290 single DES encryptions, and 288 memory Disadvantages: Effective key size = 2112 • relatively slow, especially in software • Version with two keys (112 bits of key) Effective key size = 280 10 Why a new standard? 1. Old standard insecure against brute-force attacks 2. Straightforward fixes lead to inefficient implementations Advanced Encryption Standard K1 K2 K3 AES • Triple DES in out 3. New trends in fast software encryption • use of basic instructions of the microprocessor 4. New ways of assessing cipher strength • differential cryptanalysis • linear cryptanalysis Why a contest? External format of the AES algorithm • Focus the effort of cryptographic community plaintext block Small number of specialists in the open research 128 bits • Stimulate the research on methods of constructing secure ciphers AES key • Avoid backdoor theories 128, 192, 256 bits 128 bits • Speed-up the acceptance of the standard ciphertext block 11 Rules of the contest AES Contest Effort Each team submits June 1998 15 Candidates Round 1 Detailed Justification Tentative from USA, Canada, Belgium, Security France, Germany, Norway, UK, Isreal, Software efficiency cipher of design results Korea, Japan, Australia, Costa Rica description decisions of cryptanalysis August 1999 Round 2 5 final candidates Security Source Mars, RC6, Rijndael, Serpent, Twofish Source Test Hardware efficiency code code vectors in C in Java October 2000 1 winner: Rijndael Belgium AES contest - First Round AES: Candidate algorithms North America (8) Europe (4) Asia (2) 15 June 1998 Deadline for submitting candidates 21 submissions, Canada: Germany: Korea: 15 fulfilled all requirements CAST-256 Magenta Crypton Deal August 1998 1st AES Conference in Ventura, CA Belgium: Japan: USA: Presentation of candidates Mars Rijndael E2 RC6 March 1999 2nd AES Conference in w Rome, Italy Twofish France: Safer+ Australia (1) Review of results of the First Round DFC HPC analysis Israel, UK, Costa Rica: Australia: August 1999 NIST announces five final candidates Norway: LOKI97 Frog Serpent 12 AES Finalists (1) AES Finalists (2) USA Mars - IBM Europe C.