Ch03 (Compatibility Mode)
Cryptography
Block vs Stream Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
  - like a substitution on very big characters: 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• broader range of applications
Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers
• Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
• form basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
• provide confusion & diffusion of message & key
Confusion and Diffusion
• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining S & P elements to obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible
Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
  - based on concept of invertible product cipher
• partitions input block into two halves
  - process through multiple rounds which
  - perform a substitution on left data half
  - based on round function of right half & subkey
  - then have permutation swapping halves
• implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements
• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
• fast software en/decryption
• ease of analysis
Feistel Cipher Decryption
Data Encryption Standard (DES)
DES History
• IBM developed Lucifer cipher
  - by team led by Feistel in late 60’s
  - used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy
• although DES standard is public
• was considerable controversy over design
  - in choice of 56-bit key (vs Lucifer 128-bit)
  - and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• use of DES has flourished
  - especially in financial applications
  - still standardised for legacy application use
DES Encryption Overview
Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• example:
  IP(675a69675e5a6b5a) = (ffb2194d004df6fb)
Consider the following 64-bit input M:
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
  Li = Ri-1
  Ri = Li-1 ⊕ F(Ri-1, Ki)
• F takes 32-bit R half and 48-bit subkey:
  - expands R to 48-bits using perm E
  - adds to subkey using XOR
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes using 32-bit perm P
Single round of DES algorithm
DES Round Structure
Substitution Boxes S
• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
  - outer bits 1 & 6 (row bits) select one row of 4
  - inner bits 2-5 (col bits) are substituted
  - result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
  - feature known as autoclaving (autokeying)
• example:
  - S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule
• forms subkeys used in each round
  - initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
  - 16 stages consisting of:
    * rotating each half separately either 1 or 2 places depending on the key rotation schedule K
    * selecting 24-bits from each half & permuting them by PC2 for use in round function F
• note practical use issues in h/w vs s/w
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  - IP undoes final FP step of encryption
  - 1st round with SK16 undoes 16th encrypt round
  - ….
  - 16th round with SK1 undoes 1st encrypt round
  - then final FP undoes initial encryption IP
  - thus recovering original data value
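As an added illustration (not part of the lecture notes), the following Python toy cipher implements the Feistel round equations from the DES Round Structure slide and shows the point of this slide: decryption is the same routine run with the subkeys in reverse order. Its round function F and key schedule are invented stand-ins, not the DES E/S-box/P and PC1/PC2 steps.

```python
# Added example (not from the lecture notes): a toy 64-bit Feistel cipher.
# The round function F and the subkey schedule are invented for illustration
# and are NOT those of DES; only the Feistel skeleton is the same.
from typing import List

MASK32 = 0xFFFFFFFF

def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32

def F(right: int, subkey: int) -> int:
    """Toy round function (assumption): stands in for DES's expansion E,
    S-boxes and permutation P. Must be nonlinear, need not be invertible."""
    t = (right ^ subkey) & MASK32
    t = (t * 0x9E3779B1) & MASK32          # odd multiplier spreads bits
    t ^= rotl32(t, 11) ^ rotl32(t, 23)     # rotations add diffusion
    return t

def key_schedule(key: int, rounds: int = 16) -> List[int]:
    """One 32-bit subkey per round, made by rotating the two 32-bit key
    halves 1 or 2 places per round (assumption: only the DES rotation
    pattern is borrowed, not PC1/PC2)."""
    c, d = (key >> 32) & MASK32, key & MASK32
    subkeys = []
    for i in range(rounds):
        shift = 1 if i in (0, 1, 8, 15) else 2   # DES rotation schedule
        c, d = rotl32(c, shift), rotl32(d, shift)
        subkeys.append((c ^ rotl32(d, 16)) & MASK32)
    return subkeys

def feistel(block: int, subkeys: List[int]) -> int:
    """Feistel rounds: L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i).
    The last swap is undone so the same routine decrypts with reversed keys."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return (right << 32) | left            # output (R_n, L_n), as DES before FP

def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: int) -> int:
    # identical round structure, subkeys SK16 .. SK1
    return feistel(block, key_schedule(key)[::-1])

if __name__ == "__main__":
    key, msg = 0x0123456789ABCDEF, 0x675A69675E5A6B5A   # constructed sample values
    ct = encrypt(msg, key)
    print(f"ciphertext {ct:016x}, recovered {decrypt(ct, key):016x}")
```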
Avalanche Effect
• key desirable property of encryption alg
• where a change of one input or key bit results in changing approx half output bits
• making attempts to “home-in” by guessing keys impossible
• DES exhibits strong avalanche
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 x 10^16 values
• brute force search looks hard
• recent advances have shown is possible
  - in 1997 on Internet in a few months
  - in 1998 on dedicated h/w (EFF) in a few days
  - in 1999 above combined in 22 hrs!
• still must be able to recognize plaintext
• must now consider alternatives to DES
Strength of DES
Key size
Timing Attack
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
  - by gathering information about encryptions
  - can eventually recover some/all of the sub-key bits
  - if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
  - differential cryptanalysis
  - linear cryptanalysis
Strength of DES – Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive information about some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
• particularly problematic on smartcards
Differential Cryptanalysis
• one of the most significant recent (public) advances in cryptanalysis
• known by NSA in 70's cf DES design
• Murphy, Biham & Shamir published in 90’s
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing value of the key
• differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis Compares Pairs of Encryptions
• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used
This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f.
Differential Cryptanalysis
• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds (with decreasing probabilities)
Differential Cryptanalysis
Differential Cryptanalysis
• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
  - if intermediate rounds match required XOR have a right pair
  - if not then have a wrong pair, relative ratio is S/N for attack
• can then deduce key values for the rounds
  - right pairs suggest same key bits
  - wrong pairs give random values
• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
• Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
Linear Cryptanalysis
• find linear approximations with prob p != ½
  P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
  where ia,jb,kc are bit locations in P,C,K
• gives linear equation for key bits
• get one key bit using max likelihood alg
• using a large number of trial encryptions
• effectiveness given by: |p – 1/2|
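The following added Python example (not from the lecture notes) implements DES S-box S1 from FIPS 46 with the row/column selection rule described in the S-box slide, and computes, for that one S-box, the two statistics the differential and linear cryptanalysis slides depend on: the difference distribution table (how often an input XOR gives each output XOR) and the linear bias |p – 1/2| for a chosen input/output bit-mask pair. Only S1 is included; the other seven S-boxes have the same 4 x 16 layout.

```python
# Added example (not from the lecture notes): DES S-box S1 (FIPS 46),
# its 6->4 bit lookup rule, and the per-S-box statistics behind
# differential and linear cryptanalysis (S1 only).
from typing import List, Tuple

# DES S1: 4 rows x 16 columns (standard published table)
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x: int, table: List[List[int]] = S1) -> int:
    """Map a 6-bit input to 4 bits: outer bits 1 & 6 select the row,
    inner bits 2-5 select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def ddt(table: List[List[int]] = S1) -> List[List[int]]:
    """Difference distribution table: ddt[dx][dy] counts inputs x with
    S(x) ^ S(x ^ dx) == dy. A large entry is a high-probability
    differential; the design criteria aim to keep every entry small."""
    t = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            t[dx][sbox(x, table) ^ sbox(x ^ dx, table)] += 1
    return t

def best_differential(table: List[List[int]] = S1) -> Tuple[int, int, float]:
    """Most probable differential with nonzero input XOR: (dx, dy, prob)."""
    t = ddt(table)
    dx, dy = max(((i, j) for i in range(1, 64) for j in range(16)),
                 key=lambda p: t[p[0]][p[1]])
    return dx, dy, t[dx][dy] / 64

def linear_bias(a: int, b: int, table: List[List[int]] = S1) -> float:
    """p - 1/2, where p is the probability that the parity of the input bits
    selected by mask a equals the parity of the output bits selected by
    mask b. Linear cryptanalysis needs |p - 1/2| to be large."""
    agree = sum(1 for x in range(64)
                if bin(x & a).count("1") % 2 == bin(sbox(x, table) & b).count("1") % 2)
    return agree / 64 - 0.5

if __name__ == "__main__":
    print(f"S1(011011) = {sbox(0b011011):04b}")   # FIPS 46 worked example: 0101
    print("best S1 differential (dx, dy, prob):", best_differential())
    print("bias for input mask 0x10, output mask 0xF:", linear_bias(0x10, 0xF))
```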
DES Design Criteria
• as reported by Coppersmith in [COPP94]
• criteria for S-boxes provide for
  - non-linearity
  - resistance to differential cryptanalysis
  - good confusion
• criteria for permutation P provide for
  - increased diffusion
Block Cipher Design
• basic principles still like Feistel’s in 1970’s
• number of rounds
  - more is better, exhaustive search best attack
• function f:
  - provides “confusion”, is nonlinear, avalanche
  - have issues of how S-boxes are selected
• key schedule
  - complex subkey creation, key avalanche
Summary
• have considered:
  - block vs stream ciphers
  - Feistel cipher design & structure
  - DES
    * details
    * strength
  - Differential & Linear Cryptanalysis
  - block cipher design principles