Towards modern ciphers: Data Encryption Standard and its extensions
ECE 646 - Lecture 7

Required Reading:
I. W. Stallings, "Cryptography and Network Security," 4th Edition,
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 6.1: Multiple Encryption and Triple DES
II. A. Menezes, P. van Oorschot, and S. Vanstone, "Handbook of Applied Cryptography",
Chapter 7.4: DES

Levels of Security
Definition: Unconditional Security
A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.
Q: Which actual cryptosystems are unconditionally secure?

Levels of Security
Definition: Computational Security
A cryptosystem is "computationally secure" if the best possible algorithm for breaking it requires N operations, where N is very large and known.
Q: Which actual cryptosystems are "computationally secure"?

One-time Pad (Vernam Cipher)
Gilbert Vernam, AT&T; Major Joseph Mauborgne; 1926
$c_i = m_i \oplus k_i$

m_i   01110110101001010110101
k_i   11011101110110101110110
c_i   10101011011111111000011

All bits of the key must be chosen at random and never reused.

One-time Pad - equivalent version
$c_i = m_i + k_i \bmod 26$

m_i   TO BE OR NOT TO BE
k_i   AX TC VI URD WM OF
c_i   TL UG JZ HFW PK PJ

All letters of the key must be chosen at random and never reused.

Perfect Cipher
Claude Shannon, Communication Theory of Secrecy Systems, 1948
$\forall m \in M,\ c \in C:\quad P(M=m \mid C=c) = P(M=m)$
The codebreaker can guess a message with the same probability without knowing the ciphertext as with knowledge of the ciphertext.

Is a substitution cipher a perfect cipher?
C = XRZ
$P(M=\text{ADD} \mid C=\text{XRZ}) = 0$, but $P(M=\text{ADD}) \neq 0$

Is the one-time pad a perfect cipher?
C = XRZ
$P(M=\text{ADD} \mid C=\text{XRZ}) \neq 0$ and $P(M=\text{ADD}) \neq 0$
M might be equal to CAT, PET, SET, ADD, BBC, AAA, HOT, HIS, HER, BET, WAS, NOW, etc.

S-P Networks
[Figure: alternating layers of S-boxes (S) and permutations (P)]

Shannon Product Ciphers
• Computationally secure ciphers based on the idea of diffusion and confusion
• Confusion: the relationship between plaintext and ciphertext is obscured, e.g. through the use of substitutions
• Diffusion: the influence of one plaintext letter is spread to many ciphertext letters, e.g. through the use of permutations

Basic operations of S-P networks
Permutation: P-box
Substitution: S-box

Avalanche effect
[Figure: S-P network with inputs m1..m64 and outputs c1..c64; changing the single input bit m1 changes many output bits, e.g. c1, c2, c5, c7, c8, c11, c61, c64]

LUCIFER
Horst Feistel, Walt Tuchman, IBM
[Figure: 16 rounds of alternating S-box layers (S0/S1, selected by key bits k_{i,j}) and permutations P, mapping m1..m128 to c1..c128]

LUCIFER - external look
128-bit plaintext block -> LUCIFER -> 128-bit ciphertext block
key: 512 bits

NBS public request for a standard cryptographic algorithm
May 15, 1973, August 27, 1974
The algorithm must be:
• secure
• public
- completely specified
- easy to understand
- available to all users
• economic and efficient in hardware
• able to be validated
• exportable

DES - chronicle of events
1973 - NBS issues a public request for proposals for a standard cryptographic algorithm
1975 - first publication of IBM's algorithm and request for comments
1976 - NBS organizes two workshops to evaluate the algorithm
1977 - official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 - recertification of the algorithm for another five years
1993 - software implementations allowed to be validated

Controversies surrounding DES
Controversy              | Development                                  | Outcome                                             | Year
Unknown design criteria  | Reinvention of differential cryptanalysis    | Most criteria reconstructed from cipher analysis    | 1990
Too short key            | Theoretical designs of DES breaking machines | Practical DES cracker built                         | 1998
Slow in software         | Only hardware implementations certified      | Software, firmware and hardware treated equally     | 1993

Life of DES
[Figure: timeline 1970-2000]
• DES developed by IBM and NSA
• In common use for over 20 years
• Federal and banking standard
• De facto world-wide standard
• Over 300 validated implementations
• Transition to a new standard

Most popular secret-key ciphers
[Figure: timeline 1980-2030]
American standards: DES (1977; 56-bit key), Triple DES (1999; 112- and 168-bit keys), AES - Rijndael (2001, after the AES contest; 128-, 192-, and 256-bit keys)
Other popular algorithms: IDEA, Blowfish, RC5, CAST, Twofish, RC6, Mars, Serpent

DES - external look
64-bit plaintext block -> DES -> 64-bit ciphertext block
key: 56 bits

DES - high-level internal structure
[Figure: IP, 16 Feistel rounds with round keys K1..K16, $IP^{-1}$]
DES main loop:
$L_{n+1} = R_n$
$R_{n+1} = L_n \oplus f(R_n, K_{n+1})$

Feistel Structure
Encryption: $(L_n, R_n) \to (L_{n+1}, R_{n+1})$ using $K_{n+1}$
Decryption: $(L_{n+1}, R_{n+1}) \to (L_n, R_n)$ ???

Decryption
[Figure: the same 16-round structure with the round keys applied in the order K16, ..., K1]

Classical Feistel Network
plaintext = $L_0 R_0$
for i = 1 to n {
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
}
$L_{n+1} = R_n$
$R_{n+1} = L_n$
ciphertext = $L_{n+1} R_{n+1}$

Mangler Function of DES, F
[Figure]

Notation for Permutations
Input:  i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
Table:  58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
Output: i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7

Notation for S-boxes
Input: i1 i2 i3 i4 i5 i6; Output: o1 o2 o3 o4
i1 i6 determine a row number in the S-box table, 0..3
i2 i3 i4 i5 determine a column in the S-box table, 0..15
o1 o2 o3 o4 is the binary representation of the number from 0..15 in the given row and the given column

General design criteria of DES
1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: the encryption function is non-affine for any value of the key
5. Correlation immunity: output bits are statistically independent of any subset of input bits

Completeness property
Every output bit is a complex function of all input bits (and not just a subset of input bits).
Formal requirement: for all values of i and j, i = 1..64, j = 1..64, there exist inputs $X_1$ and $X_2$ such that
$X_1 = x_1 x_2 x_3 \ldots x_{i-1}\, 0\, x_{i+1} \ldots x_{63} x_{64}$
$X_2 = x_1 x_2 x_3 \ldots x_{i-1}\, 1\, x_{i+1} \ldots x_{63} x_{64}$
$Y_1 = DES(X_1) = y_1 y_2 y_3 \ldots y_{j-1}\, y_j\, y_{j+1} \ldots y_{63} y_{64}$
$Y_2 = DES(X_2) = y_1' y_2' y_3' \ldots y_{j-1}'\, \overline{y_j}\, y_{j+1}' \ldots y_{63}' y_{64}'$

Linear Transformations
Transformations that fulfill the condition:
$T(X_{[m \times 1]}) = Y_{[n \times 1]} = A_{[n \times m]} \cdot X_{[m \times 1]}$
or
$T(X_1 \oplus X_2) = T(X_1) \oplus T(X_2)$

Affine Transformations
Transformations that fulfill the condition:
$T(X_{[m \times 1]}) = Y_{[n \times 1]} = A_{[n \times m]} \cdot X_{[m \times 1]} \oplus B_{[n \times 1]}$

Linear Transformations of DES
IP, $IP^{-1}$, E, PC1, PC2, SHIFT
e.g., $IP(X_1 \oplus X_2) = IP(X_1) \oplus IP(X_2)$

Non-linear and non-affine transformations of DES
S
There are no such
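The one-time pad and perfect-cipher slides above, worked through as an added example that is not part of the lecture slides: the bit and letter pads, the unique key behind every (message, ciphertext) pair, and Shannon's condition P(M=m | C=c) = P(M=m) checked with Bayes' rule for the C = XRZ case against a simple substitution cipher. The message prior used to exercise it is constructed.

```python
import string

ALPHABET = string.ascii_uppercase

def vernam_bits(m_bits: str, k_bits: str) -> str:
    """Vernam cipher on bit strings: c_i = m_i XOR k_i (the slide's first table)."""
    assert len(m_bits) == len(k_bits), "the key must be as long as the message"
    return "".join(str(int(m) ^ int(k)) for m, k in zip(m_bits, k_bits))

def otp_letters(m: str, k: str) -> str:
    """Equivalent letter version: c_i = m_i + k_i mod 26 (spaces are ignored)."""
    m, k = m.replace(" ", ""), k.replace(" ", "")
    assert len(m) == len(k), "the key must be as long as the message"
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(b)) % 26]
                   for a, b in zip(m, k))

def otp_key_for(m: str, c: str) -> str:
    """The single key taking m to c: k_i = c_i - m_i mod 26. One exists for EVERY
    equal-length (m, c) pair, which is why the ciphertext tells the codebreaker nothing."""
    return "".join(ALPHABET[(ALPHABET.index(b) - ALPHABET.index(a)) % 26]
                   for a, b in zip(m, c))

def substitution_possible(m: str, c: str) -> bool:
    """A simple substitution maps equal plaintext letters to equal ciphertext letters,
    so m -> c needs matching repetition patterns (ADD -> XRZ fails: D,D vs R,Z)."""
    pattern = lambda s: tuple(s.index(ch) for ch in s)
    return pattern(m) == pattern(c)

def _bayes(prior: dict, likelihood: dict) -> dict:
    joint = {m: prior[m] * likelihood[m] for m in prior}
    total = sum(joint.values())
    return {m: v / total for m, v in joint.items()}

def posterior_otp(prior: dict, c: str) -> dict:
    """P(M=m | C=c) for the one-time pad with a uniformly random key: every m has
    exactly one key giving c, so P(C=c | M=m) = 26^-len(c) for all m and Bayes'
    rule returns the prior unchanged, i.e. Shannon's perfect-cipher condition."""
    return _bayes(prior, {m: 26.0 ** -len(c) for m in prior})

def posterior_substitution(prior: dict, c: str) -> dict:
    """Same calculation for a uniformly random simple-substitution key: the likelihood
    is one constant for every m whose letter pattern matches c and 0 otherwise, so
    seeing c rules messages in or out (P(M=ADD | C=XRZ) = 0 on the slide)."""
    return _bayes(prior, {m: float(substitution_possible(m, c)) for m in prior})
```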
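The classical Feistel network, the decryption question ("???") and the avalanche and completeness criteria from the slides above, as an added example that is not part of the lecture slides: a toy 32-bit Feistel network whose round function f and round keys are constructed for illustration and are not the DES mangler function F or the DES key schedule.

```python
import random
HALF_BITS = 16  # toy block: two 16-bit halves (DES uses two 32-bit halves)
MASK = (1 << HALF_BITS) - 1
KEYS = [0x1357, 0x2468, 0xBEEF, 0xCAFE, 0x0F0F, 0x5A5A, 0xA001, 0x7E57]  # constructed round keys

def f(r: int, k: int) -> int:
    """Constructed toy round function (NOT the DES mangler F); it need not be invertible."""
    x = ((r ^ k) * 0x9E37) & MASK
    x ^= x >> 8
    x = (x * 0x6B3D) & MASK
    return x ^ (x >> 7)

def feistel(block: int, round_keys: list) -> int:
    """Slide pseudocode: L_i = R_{i-1}; R_i = L_{i-1} XOR f(R_{i-1}, K_i); then the final swap."""
    left, right = block >> HALF_BITS, block & MASK
    for k in round_keys:
        left, right = right, left ^ f(right, k)
    return (right << HALF_BITS) | left  # L_{n+1} = R_n, R_{n+1} = L_n

def decrypt(block: int, round_keys: list) -> int:
    """Decryption is the same network with the round keys in reverse order (K_n ... K_1)."""
    return feistel(block, list(reversed(round_keys)))

def invert_round(l_next: int, r_next: int, k: int) -> tuple:
    """One round undone (the slide's '???'): R_n = L_{n+1}, L_n = R_{n+1} XOR f(L_{n+1}, K_{n+1})."""
    return r_next ^ f(l_next, k), l_next

def avalanche_average(round_keys: list, samples: int = 200, seed: int = 1) -> float:
    """Mean number of ciphertext bits changed by a single plaintext-bit flip (ideal: 16 of 32)."""
    rng, total = random.Random(seed), 0
    for _ in range(samples):
        x = rng.getrandbits(2 * HALF_BITS)
        c = feistel(x, round_keys)
        for i in range(2 * HALF_BITS):
            total += bin(c ^ feistel(x ^ (1 << i), round_keys)).count("1")
    return total / (samples * 2 * HALF_BITS)

def completeness_holds(round_keys: list, samples: int = 200, seed: int = 2) -> bool:
    """Sampled completeness check: for each input bit i, some pair of inputs differing
    only in bit i must change output bit j, for every j (the slide's formal requirement)."""
    rng = random.Random(seed)
    for i in range(2 * HALF_BITS):
        reached = 0
        for _ in range(samples):
            x = rng.getrandbits(2 * HALF_BITS)
            reached |= feistel(x, round_keys) ^ feistel(x ^ (1 << i), round_keys)
        if reached != (1 << (2 * HALF_BITS)) - 1:
            return False
    return True
```

Running the network with a single round key shows that completeness fails after one round and holds only once several rounds have diffused each input bit through both halves.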
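The permutation and S-box notation and the linear/affine conditions from the slides above, as an added example that is not part of the lecture slides; the 8-bit permutation table and the 4x16 S-box below are constructed for illustration and are not DES's IP table or S-boxes.

```python
from itertools import product

def permute(bits: str, table: list) -> str:
    """Slide notation for permutations: output position j carries input bit i_table[j]
    (1-indexed), e.g. IP's table starts 58 50 42 ..., so o_1 = i_58, o_2 = i_50, ..."""
    return "".join(bits[t - 1] for t in table)

def sbox(table: list, six_bits: str) -> str:
    """Slide notation for S-boxes: i1 i6 select the row (0..3), i2 i3 i4 i5 the column
    (0..15); the table entry is returned as the 4-bit string o1 o2 o3 o4."""
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(table[row][col], "04b")

def xor_bits(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def is_linear(t, n: int) -> bool:
    """Exhaustive check of T(X1 xor X2) == T(X1) xor T(X2) over all n-bit X1, X2."""
    inputs = ["".join(p) for p in product("01", repeat=n)]
    return all(t(xor_bits(a, b)) == xor_bits(t(a), t(b)) for a in inputs for b in inputs)

def is_affine(t, n: int) -> bool:
    """T(X) = A.X xor B is affine iff X -> T(X) xor T(0) is linear (B = T(0))."""
    zero = "0" * n
    return is_linear(lambda x: xor_bits(t(x), t(zero)), n)

def classify(t, n: int) -> str:
    """Return 'linear', 'affine' or 'non-affine' for an n-bit-input transformation."""
    if is_linear(t, n):
        return "linear"
    return "affine" if is_affine(t, n) else "non-affine"

# Constructed 8-bit permutation table in the same notation as IP (not a DES table).
P8 = [2, 6, 3, 1, 4, 8, 5, 7]
# Constructed 4x16 S-box: each row is a permutation of 0..15, as in DES; not a DES S-box.
BASE = [6, 12, 3, 9, 0, 15, 5, 10, 13, 1, 8, 2, 11, 7, 14, 4]
S_TOY = [BASE[4 * r:] + BASE[:4 * r] for r in range(4)]
```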