MASON ECE 646 - Lecture 7 Data Encryption Standard and its extensions


Data Encryption Standard and its extensions
DES, 3DES, DES-X
ECE 646 - Lecture 7

NBS public request for a standard cryptographic algorithm
May 15, 1973, August 27, 1974

The algorithm must be:
• secure
• public
  - completely specified
  - easy to understand
  - available to all users
• economic and efficient in hardware
• able to be validated
• exportable

DES - chronicle of events
1973 - NBS issues a public request for proposals for a standard cryptographic algorithm
1975 - first publication of IBM's algorithm and request for comments
1976 - NBS organizes two workshops to evaluate the algorithm
1977 - official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 - recertification of the algorithm for another five years
1993 - software implementations allowed to be validated

Controversies surrounding DES
• Unknown design criteria: reinvention of differential cryptanalysis (1990); most criteria reconstructed from cipher analysis
• Too short key: theoretical designs of DES breaking machines; practical DES cracker built (1998)
• Slow in software: only hardware implementations certified; software, firmware and hardware treated equally (1993)

Life of DES
[Figure: timeline, 1970 to 2000]
• DES developed by IBM and NSA
• In common use for over 20 years
• Federal and banking standard
• De facto world-wide standard
• Over 130 validated implementations
• Transition to a new standard

Most popular secret-key ciphers
[Figure: timeline, 1980 to 2030; years marked: 1977, 1999, 2001]
• American standards: DES (56 bit key), Triple DES (112, 168 bit keys), AES - Rijndael (128, 192, and 256 bit keys); AES contest
• Other popular algorithms: IDEA, Blowfish, RC5, CAST, Twofish, RC6, Mars, Serpent

DES - external look
[Figure: 64 bits plaintext block and key (56 bits) enter DES; 64 bits ciphertext block leaves]

DES - high-level internal structure
[Figure]

DES Main Loop: Feistel Structure
$L_{n+1} = R_n$
$R_{n+1} = L_n \oplus f(R_n, K_{n+1})$
[Figure: $L_0, R_0$ pass through 16 rounds of $f$ with round keys $K_1, K_2, \ldots, K_{16}$, giving $L_1, R_1, L_2, R_2, \ldots, L_{15}, R_{15}$ and the output $R_{16}, L_{16}$; IP-1]

Feistel Structure: Encryption and Decryption
[Figure: encryption round takes $L_n, R_n$ and $K_{n+1}$ through $f$ to $L_{n+1}, R_{n+1}$; the decryption round is first posed as a question ("????": from $L_{n+1}, R_{n+1}$ back to $L_n, R_n$) and then shown: inputs $R_{n+1}, L_{n+1}$, the same $f$ with $K_{n+1}$, outputs $R_n, L_n$]

Decryption
[Figure: $R_{16}, L_{16}$ pass through $f$ with $K_{16}$, then $K_{15}$ ($R_{15}, L_{15}$; $R_{14}, L_{14}$; ...), down to $f$ with $K_1$ ($R_1, L_1$), giving $L_0, R_0$; IP-1]

Mangler Function of DES, F
[Figure]

Notation for Permutations
Input:       i1 i2 i3 i4 i5 i6 i7 i8 i9 i10 … i56 i57 i58 i59 i60 i61 i62 i63 i64
Permutation: 58 50 42 34 26 18 10 2 … 5 63 55 47 39 31 23 15 7
Output:      i58 i50 i42 i34 i26 i18 i10 i2 … i5 i63 i55 i47 i39 i31 i23 i15 i7

Notation for S-boxes
Input:  i1 i2 i3 i4 i5 i6
Output: o1 o2 o3 o4
• i1 i6 determines a row number in the S-box table, 0..3
• i2 i3 i4 i5 determine a column in the S-box table, 0..15
• o1 o2 o3 o4 is a binary representation of a number from 0..15 in the given row and the given column

General design criteria of DES
1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: encryption function is non-affine for any value of the key
5. Correlation immunity: output bits are statistically independent of any subset of input bits

Completeness property
Every output bit is a complex function of all input bits (and not just a subset of input bits).
Formal requirement: for all values of i and j, i = 1..64, j = 1..64, there exist inputs $X_1$ and $X_2$ such that
$X_1 = x_1 x_2 x_3 \ldots x_{i-1}\, 0\, x_{i+1} \ldots x_{63} x_{64}$
$X_2 = x_1 x_2 x_3 \ldots x_{i-1}\, 1\, x_{i+1} \ldots x_{63} x_{64}$
$Y_1 = DES(X_1) = y_1 y_2 y_3 \ldots y_{j-1}\, y_j\, y_{j+1} \ldots y_{63} y_{64}$
$Y_2 = DES(X_2) = y_1' y_2' y_3' \ldots y_{j-1}'\, \overline{y_j}\, y_{j+1}' \ldots y_{63}' y_{64}'$

Linear Transformations
Transformations that fulfill the condition:
$T(X_{[m \times 1]}) = Y_{[n \times 1]} = A_{[n \times m]} \cdot X_{[m \times 1]}$
or
$T(X_1 \oplus X_2) = T(X_1) \oplus T(X_2)$

Affine Transformations
Transformations that fulfill the condition:
$T(X_{[m \times 1]}) = Y_{[n \times 1]} = A_{[n \times m]} \cdot X_{[m \times 1]} \oplus B_{[n \times 1]}$

Linear Transformations of DES
IP, IP-1, E, PC1, PC2, SHIFT
e.g., $IP(X_1 \oplus X_2) = IP(X_1) \oplus IP(X_2)$

Non-linear and non-affine transformations of DES
S
There are no such matrices $A_{[4 \times 6]}$ and $B_{[4 \times 1]}$ that
$S(X_{[6 \times 1]}) = A_{[4 \times 6]} \cdot X_{[6 \times 1]} \oplus B_{[4 \times 1]}$

Design of S-boxes
[Figure: S-box S with table S[0..15]; in, out = S[in]]
• $16! \approx 2 \cdot 10^{13}$ possibilities
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir)

Typical Flow Diagram of a Secret-Key Block Cipher
[Figure: initial transformation with Round Key[0]; i:=1; cipher round with Round Key[i], i:=i+1, repeated #rounds times while i<#rounds; final transformation with Round Key[#rounds+1]]

Implementation of a secret-key cipher in hardware: round keys computed on-the-fly
[Figure: key enters key scheduling, which feeds round keys to encryption/decryption; input, output]

Implementation of a secret-key cipher: round keys precomputed
[Figure: key enters key scheduling, which fills a memory of round keys read by encryption/decryption; input, output]

Basic iterative architecture of secret key ciphers
[Figure: input, multiplexer, register, combinational logic (one round), output; key scheduling supplies round keys from the key]

Theoretical design of the specialized machine to break DES
Project: Michael Wiener, Entrust Technologies, 1993, 1997
Method: exhaustive key search attack
Basic component: specialized integrated circuit in CMOS technology, 75 MHz
Checks: 200 mln keys per second
Costs: $10

Total cost     Estimated time
$1 mln         35 minutes
$100,000       6 hours

DES breaking machine
[Figure: a key counter supplies the key; Key Scheduling Rounds 1, 2, ..., 16 produce Round keys 1, 2, ..., 16 for Encryption Rounds 1, 2, ..., 16; a comparator checks the result; labels: known plaintext, known ciphertext]

Deep Crack
Electronic Frontier Foundation, 1998
1800 ASIC chips, 40 MHz clock
Total cost: $220,000
Average time of search: 4.5 days/key

Deep Crack parameters
Number of ASIC chips:                1800
Number of search units per ASIC:     24
Clock frequency:                     40 MHz
Number of clock cycles per key:      16
Search speed:                        90 bln keys/s
Average time to recover the key:     4.5 days

Minimum length of the key for symmetric ciphers
I. Panel of experts, January 1996
M. Blaze, W. Diffie, R. Rivest, B. Schneier, T. Shimomura, E. Thompson, M. Wiener
Report: "Minimal Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security"
II. National Academy of Sciences, National Research Council, May 1996
Report: "Cryptography's Role in Securing the Information Society"

Minimum key length for symmetric-key ciphers
Table columns:
• Intruder: Hacker; Small business; Corporate department; Big company; Intelligence agency
• Budget: tiny; $400; $10,000; $300 K; $10 M; $300 M
• Tools: PC; FPGA; FPGA; FPGA; FPGA; ASIC; ASIC; ASIC
• Time (40 bits / 56 bits): 1 week / infeasible; 5 hrs / 38 years; 12 min / 18 months; 24 sec / 19 days; 18 sec / 3 hrs; 7 sec / 13 hrs; 5 ms / 6 min; 0.2 ms / 12 sec
• Secure key length: 45; 50; 55; 60; 70; 75

Secure key length today and in 20 years
key length
Secure key length in
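
The Feistel encryption and decryption slides above, as an added example that is not part of the lecture: a 16-round Feistel network over a 64-bit block, where decryption is the same network with the round keys in reverse order. The round function `f` is a toy stand-in (an assumption, not the DES mangler function F), the IP/IP-1 permutations are omitted, and the round keys and plaintext are constructed sample values.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(r, k):
    """Toy round function (assumption, not DES F): a truncated hash of
    (R, K). It is deliberately not invertible; Feistel does not need it to be."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, round_keys):
    """Apply L_{n+1} = R_n, R_{n+1} = L_n xor f(R_n, K_{n+1}) for each
    round key, then output the halves swapped (R16, L16) as in the main loop."""
    l, r = block >> 32, block & MASK32
    for k in round_keys:
        l, r = r, l ^ f(r, k)
    return (r << 32) | l

def encrypt(block, round_keys):
    return feistel(block, round_keys)

def decrypt(block, round_keys):
    # Same network; only the key order changes: K16, K15, ..., K1.
    return feistel(block, list(reversed(round_keys)))

# Constructed sample data: 16 arbitrary 48-bit round keys, one 64-bit block.
ROUND_KEYS = [(0x0123456789AB * (i + 1)) & 0xFFFFFFFFFFFF for i in range(16)]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, ROUND_KEYS)
    print(f"ciphertext: {ct:016x}")
    print(f"decrypted : {decrypt(ct, ROUND_KEYS):016x}")
```

Because each round only XORs `f(R, K)` into the other half, the round is undone by computing the same `f` value again, which is why the hardware for encryption and decryption can be shared.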
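
The S-box notation and the non-affinity claim from the slides above, as an added example that is not part of the lecture: a lookup that takes the row from i1 i6 and the column from i2 i3 i4 i5, plus an exhaustive check that no A and B can reproduce the box. The table is DES S-box S1 as published in FIPS PUB 46; the function names are made up for this example.

```python
# DES S-box S1 (FIPS PUB 46): 4 rows x 16 columns of 4-bit values.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x, table=S1):
    """Map a 6-bit input i1..i6 (i1 is the most significant bit) to the
    4-bit output o1..o4 using the row/column notation from the slide."""
    row = ((x >> 5) & 1) << 1 | (x & 1)   # i1 i6      -> 0..3
    col = (x >> 1) & 0xF                  # i2 i3 i4 i5 -> 0..15
    return table[row][col]

def affine_violations(s):
    """Count input pairs (a, b) where S(a^b) != S(a) ^ S(b) ^ S(0).
    For an affine map S(X) = A.X xor B the count is 0, because B = S(0)."""
    return sum(
        1
        for a in range(64)
        for b in range(64)
        if s(a ^ b) != s(a) ^ s(b) ^ s(0)
    )

def rows_are_permutations(table=S1):
    """Each row is one of the 16! orderings of the values 0..15."""
    return all(sorted(row) == list(range(16)) for row in table)

if __name__ == "__main__":
    print("S1(000000) =", sbox(0b000000))
    print("S1(111111) =", sbox(0b111111))
    print("affine violations:", affine_violations(sbox))
    print("rows are permutations:", rows_are_permutations())
```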

