1Extensions of DESModes of operation of block ciphersECE 646 - Lecture 8Properties and securityof DES2General design criteria of DES1. Randomness2. Avalanche propertychanging a single bit at the input changes on average half of the bitsat the output3. Completeness propertyevery output bit is a complex function of all input bits (and not justa subset of input bits)4. Nonlinearityencryption function is non-affine for any value of the key5. Correlation immunityoutput bits are statistically independent of any subset of input bitsCompleteness propertyEvery output bit is a complex function of all input bits (and not just a subset of input bits)Formal requirement:For all values of i and j, i=1..64, j=1..64there exist inputs X1and X2, such thatX1x1x2x3. . . xi-10 xi+1. . . x63x64X2x1x2x3. . . xi-11 xi+1. . . x63x64Y1= DES(X1) y1y2y3. . . yj-1yjyj+1. . . y63y64Y2= DES(X2) y1’ y2’ y3’ . . . yj-1’ yjyj+1’ . . . y63’ y64’3Linear TransformationsTransformations that fulfill the condition:T(X[m x 1]) = Y[n x 1]= A[n x m]⋅ X[m x 1]orT(X1⊕ X2) = T(X1) ⊕ T(X2) Affine TransformationsTransformations that fulfill the condition:T(X[m x 1]) = Y[n x 1]= A[n x m]⋅ X[m x 1]⊕ B[n x 1]Linear Transformations of DESIP, IP-1, E, PC1, PC2, SHIFTe.g., IP(X1⊕ X2) = IP(X1) ⊕ IP( X2)Non-Linear and non-affine transformations of DESSThere are no such matrices A[4x6]and B[4x1]thatS(X[6x1]) = A[4x6]⋅ X[6x1]⊕ B[4x1]4Design of S-boxesSS[0..15]inout = S[in]• 16! ≈ 2 ⋅ 1013possibilities• precisely defined initially unpublished criteria • resistant against differential cryptanalysis(attack known to the designers and rediscoveredin the open research in 1990 by E. Biham and A. Shamir)Initial transformationFinal transformation#rounds timesRound Key[i]i:=i+1Round Key[0]i:=1i<#rounds?Cipher RoundRound Key[#rounds+1]Typical Flow Diagram of a Secret-Key Block Cipher5keyschedulingencryption/decryptionoutputinputImplementation of a secret-key cipher in hardwareRound keys computed on-the-flykeyround keyskeyschedulingencryption/decryptionmemory of round keysoutputinputImplementation of a secret-key cipherRound keys precomputedkey6registercombinationallogicone roundmultiplexerBasic iterative architecture of secret key ciphersround keysKey schedulinginputoutputkeyTheoreticaldesign of the specialized machine to break DESProject: Michael Wiener, Entrust Technologies, 1993, 1997Method: exhaustive key search attackBasic component: specialized integrated circuit in CMOS technology, 75 MHzChecks: 200 mln keys per secondCosts: $10Total cost Estimated time$ 1 mln$ 100.00035 minutes6 hours7DES breaking machineplaintextknown ciphertextknown plaintext. . . .keykey counter. . . .Encryption Round 1Key Scheduling Round 1Encryption Round 2Encryption Round 16Key Scheduling Round 2Key Scheduling Round 16Round key 1Round key 2Round key 16comparatorElectronic Frontier Foundation, 19981800 ASIC chips, 40 MHz clockTotal cost: $220,000Average time of search:4.5 days/keyDeep Crack8Deep CrackParametersNumber of ASIC chips 1800Number of search units per ASIC24Clock frequency40 MHzNumber of clock cycles per key16Search speed90 bln keys/sAverage time to recover the key4.5 daysMinimum length of the key for symmetric ciphersI. Panel of experts, January 1996M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura,E. Thompson, M. WienerReport:“Minimal Key Lengths for Symmetric Ciphersto Provide Adequate Commercial Security”II. National Academy of Sciences, National Research Council, May 1996Report:“ Cryptography's Role in Securing the Information Society”9Minimum key length for symmetric-key ciphersIntruder Budget ToolsTimeSecurekey lengthHackerSmall businesstiny$400 $10,000CorporatedepartmentBig companyIntelligenceagency$300 K$10 M$300 MPCFPGAFPGAFPGAFPGAASICASICASIC40 bits56 bits4550556070751 weekinfeasible5 hrs38 years12 min18 months24 sec 19 days18 sec3 hrs7 sec 13 hrs5 ms 6 min0.2 ms12 secSecure key length today and in 20 yearskey lengthSecure key length in 200280 bits94 bitsSecure key length in 2022128 bits IDEA, minimum key length in AES120 bits DESX112 bits Triple DES with two keys56 bits DES80 bits Skipjack10Secure key length - discussion• increasing key length in a newly developed cipher costs NOTHING• increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (DESX, Triple DES)It is economical to use THE SAME secure key length FOR ALL aplicationsThe primary barriers blocking the use of symmetric cipherswith a secure key length have been of the political nature(e.g., export policy of USA)Other attacks• differential cryptanalysisBiham, Shamir 1991• linear cryptanalysisMatsui, 199311Differential cryptanalysisEncryption modulekeyM1M1* M2M2* MN-1MN-1* MNMN*. . .C1C1* C2C2* CN-1CN-1* CNCN*. . .Mi ⊕ Mi* = const• access to the encryption module with the key inside• analysis of trilions of pairs plaintext-ciphertextDifferential cryptanalysis of DESBiham, Shamir 1991Requirements:• access to the encryption module with the key inside• time for encryption of 247= 1,4 · 1014 plaintext blocks= 1 million gigabytes of plaintextConclusions:• attack impossible to mount• DES specially designed (IBM, NSA) to be resistantagainst differential cryptanalysis12What if creators of DES did not knowabout differential cryptanalysis...Required number of plaintext blocksOriginal DES 247= 1 mln GBIdentity permutationin place of P 219= 4 MBOrder of S-boxes 238= 2,000 GBXOR replaced by addition 231= 2 GBS-boxesExpansion function E eliminated 226= 64 MBrandom 221= 16 MBone position changed 233= 8 GBModifications:Differential and linear cryptanalysis- discussion• Attacks infeasible for correctly designed ciphers• Resistance against these attacks does not implyresistance against other unknown methods of attack• Perfect tool for comparing strengths of various ciphers13Triple DESEEE modeEDE modeDESencryptionDESencryptionDESencryptionplaintextciphertextDESencryptionDES-1decryptionDESencryptionplaintextciphertext56K156K256K356K156K256K1168 bits of the key112 bits of the keyDiffie, Hellman, 1977Triple DESAdvantages:• secure key length (112 or 168 bits)• increased compared to DES resistance to linearand differential cryptanalysis• possibility of utilizing existing implementations of DESDisadvantages:• relatively slow, especially in software14DESXRivest, 1988DESplaintextciphertextKaKKbKEY = (K, Ka)120
View Full Document
Unlocking...