Data Encryption Standard and its extensions
ECE 646 - Lecture 7

Slide 2: Review of Lecture 6
• Historical Ciphers
• Substitution Cipher
  – Monoalphabetic
  – Polyalphabetic
• Letter Frequency Analysis
• One Time Pad

Slide 3: Levels of Security
Definition: Unconditional Security
A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.
Q: Which actual cryptosystems are unconditionally secure?

Slide 4: Levels of Security
Definition: Computational Security
A cryptosystem is "computationally secure" if the best possible algorithm for breaking it requires N operations, where N is very large and known.
Q: Which actual cryptosystems are "computationally secure"?

Slide 5: Levels of Security
Definition: Relative Security
A cryptosystem is "relatively secure" if its security relies on a well-studied, very hard problem.
Q: Which actual cryptosystems are "relatively secure"?

Slide 6: Data Encryption Standard

Slide 7: NBS public request for a standard cryptographic algorithm (May 15, 1973; August 27, 1974)
The algorithm must be:
• secure
• public
  – completely specified
  – easy to understand
  – available to all users
• economic and efficient in hardware
• able to be validated
• exportable

Slide 8: DES - chronicle of events
1973 - NBS issues a public request for proposals for a standard cryptographic algorithm
1975 - first publication of IBM's algorithm and request for comments
1976 - NBS organizes two workshops to evaluate the algorithm
1977 - official publication as FIPS PUB 46: Data Encryption Standard
1983, 1987, 1993 - recertification of the algorithm for another five years
1993 - software implementations allowed to be validated

Slide 9: Controversies surrounding DES (controversy, how it was resolved, year)
• Unknown design criteria: reinvention of differential cryptanalysis (1990); most criteria reconstructed from cipher analysis
• Too short key: theoretical designs of DES breaking machines; practical DES cracker built (1998)
• Slow in software; only hardware implementations certified: software, firmware and hardware treated equally (1993)

Slide 10: Life of DES
DES developed by IBM and NSA
In common use for over 20 years
(figure: timeline 1970 to 2000 - federal and banking standard; over 300 validated implementations; de facto world-wide standard; transition to a new standard)

Slide 11: Most popular secret-key ciphers
(figure: timeline 1980 to 2030)
American standards:
• DES (1977): 56-bit key
• Triple DES (1999): 112- and 168-bit keys
• AES - Rijndael (2001): 128-, 192- and 256-bit keys
Other popular algorithms: IDEA, Blowfish, RC5, CAST
AES contest: Twofish, RC6, Mars, Serpent

Slide 12: DES - external look
64-bit plaintext block -> DES -> 64-bit ciphertext block; key: 56 bits

Slide 13: Recall: S-P Networks
(figure: alternating layers of S-boxes S and permutations P)

Slide 14: Confusion / Diffusion
• Confusion
  – the relationship between cleartext and ciphertext is obscured
  – e.g. substitution (Shift Cipher, Enigma)
• Diffusion
  – spreading the influence of one cleartext letter to many ciphertext letters
  – e.g. permutations

Slide 15: Recall: Avalanche effect
(figure: S-P network showing how message bits m1 ... m64 spread through successive S and P layers to ciphertext bits c1 ... c64)

Slide 16: Iterated Product Cipher
• Combine confusion with diffusion
• Multiple "Rounds" of confusion and diffusion
• Option to iterate over the same round or unroll all rounds
(figure: Diff-1 -> Conf-1 -> Diff-2 -> Conf-2 -> ...)

Slide 17: Typical Flow Diagram of a Secret-Key Block Cipher
Initial transformation (Round Key[0])
i := 1
Cipher Round (Round Key[i]), including confusion and diffusion
i := i + 1
i < #rounds? - if so, repeat the Cipher Round (#rounds times in total)
Final transformation (Round Key[#rounds+1])

Slide 18: DES – high-level internal structure
(figure)

Slide 19: DES Main Loop - Feistel Structure
IP -> (L0, R0) -> round 1 with f and K1 -> (L1, R1) -> round 2 with f and K2 -> (L2, R2) -> ... -> (L15, R15) -> round 16 with f and K16 -> (R16, L16) -> IP^-1
Round equations:
  L_{n+1} = R_n
  R_{n+1} = L_n ⊕ f(R_n, K_{n+1})

Slide 20: Feistel Structure
Encryption: (L_n, R_n) --- f with K_{n+1} ---> (L_{n+1}, R_{n+1})
Decryption: (L_{n+1}, R_{n+1}) --- ???? ---> (L_n, R_n)

Slide 21: Decryption
(figure: IP -> (R16, L16) -> f with K16 -> (R15, L15) -> f with K15 -> (R14, L14) -> ... -> (R1, L1) -> f with K1 -> (L0, R0) -> IP^-1)

Slide 22: Mangler Function of DES, F
(figure)

Slide 23: (figure)

Slide 24: Notation for Permutations
Input:        i1  i2  i3  i4  i5  i6  i7  i8  ...  i56 i57 i58 i59 i60 i61 i62 i63 i64
Permutation:  58  50  42  34  26  18  10   2  ...   5  63  55  47  39  31  23  15   7
Output:      i58 i50 i42 i34 i26 i18 i10  i2  ...  i5 i63 i55 i47 i39 i31 i23 i15  i7
(output bit k is input bit number given in position k of the permutation table; e.g. output bit 1 is i58)

Slide 25: (figure)

Slide 26: Notation for S-boxes
Input: i1 i2 i3 i4 i5 i6
Output: o1 o2 o3 o4
• i1 i6 determine the row number in the S-box table, 0..3
• i2 i3 i4 i5 determine the column in the S-box table, 0..15
• o1 o2 o3 o4 is the binary representation of the number 0..15 found in the given row and the given column

Slides 27, 28: (figures)

Slide 29: General design criteria of DES
1. Randomness
2. Avalanche property: changing a single bit at the input changes on average half of the bits at the output
3. Completeness property: every output bit is a complex function of all input bits (and not just a subset of input bits)
4. Nonlinearity: the encryption function is non-affine for any value of the key
5. Correlation immunity: output bits are statistically independent of any subset of input bits

Slide 30: Completeness property
Every output bit is a complex function of all input bits (and not just a subset of input bits)
Formal requirement:
For all values of i and j, i = 1..64, j = 1..64, there exist inputs X1 and X2, differing only in bit i, such that the outputs differ in bit j:
  X1          = x1  x2  x3  ... x_{i-1} 0   x_{i+1} ... x63  x64
  X2          = x1  x2  x3  ... x_{i-1} 1   x_{i+1} ... x63  x64
  Y1 = DES(X1) = y1  y2  y3  ... y_{j-1} y_j  y_{j+1}  ... y63  y64
  Y2 = DES(X2) = y1' y2' y3' ... y_{j-1}' ¬y_j y_{j+1}' ... y63' y64'
(¬y_j is the complement of y_j; the remaining output bits y_k' may or may not equal y_k)

Slide 31: Linear Transformations
Transformations that fulfill the condition:
  T(X[m x 1]) = Y[n x 1] = A[n x m] ⋅ X[m x 1]
or, equivalently,
  T(X1 ⊕ X2) = T(X1) ⊕ T(X2)
Affine Transformations
Transformations that fulfill the condition:
  T(X[m x 1]) = Y[n x 1] = A[n x m] ⋅ X[m x 1] ⊕ B[n x 1]

Slide 32: Linear Transformations of DES
IP, IP^-1, E, PC1, PC2, SHIFT
e.g., IP(X1 ⊕ X2) = IP(X1) ⊕ IP(X2)
Non-linear and non-affine transformations of DES: the S-boxes S
There are no matrices A[4 x 6] and B[4 x 1] such that
  S(X[6 x 1]) = A[4 x 6] ⋅ X[6 x 1] ⊕ B[4 x 1]

Slide 33: Design of S-boxes
S[0..15]: in -> out = S[in]
• 16! ≈ 2 ⋅ 10^13 possibilities
• precisely defined, initially unpublished criteria
• resistant against differential cryptanalysis (an attack known to the designers and rediscovered in open research in 1990 by E. Biham and A. Shamir)

Slide 34: Implementation of a secret-key cipher in hardware - round keys computed on-the-fly
key -> key scheduling -> round keys -> encryption/decryption (input -> output)

Slide 35: Implementation of a secret-key cipher - round keys precomputed
key -> key scheduling -> memory of round keys -> encryption/decryption (input -> output)

Slide 36: (figure: register, combinational logic, one ...)
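The Feistel round of slides 19-21, as an added example (not code from the lecture): a toy 32-bit Feistel cipher whose round function f and key schedule are constructed placeholders, not DES's. It shows the "????" step of slide 20 in code: a round is undone by recomputing f on the known half, so f itself never has to be inverted, and running the rounds with the keys in reverse order is decryption.

```python
MASK16 = 0xFFFF

def f(r: int, k: int) -> int:
    """Constructed toy round function (NOT DES's mangler F). Feistel
    decryption only ever evaluates f, so f need not be invertible."""
    x = (r ^ k) & MASK16
    return (x * 0x9E37 + (x >> 5) + (x >> 11)) & MASK16

def toy_key_schedule(key: int) -> list[int]:
    """Constructed toy schedule: 16 rotations of one 16-bit key (not PC1/PC2/SHIFT)."""
    return [((key << i) | (key >> (16 - i))) & MASK16 for i in range(16)]

def feistel_round(l: int, r: int, k: int) -> tuple[int, int]:
    # Slide 19:  L_{n+1} = R_n ;  R_{n+1} = L_n xor f(R_n, K_{n+1})
    return r, l ^ f(r, k)

def feistel_round_inverse(l1: int, r1: int, k: int) -> tuple[int, int]:
    # Slide 20 "????":  R_n = L_{n+1} ;  L_n = R_{n+1} xor f(L_{n+1}, K_{n+1})
    # f(R_n, K_{n+1}) is recomputable because R_n = L_{n+1} is already known.
    return r1 ^ f(l1, k), l1

def encrypt(block: int, keys: list[int]) -> int:
    l, r = (block >> 16) & MASK16, block & MASK16
    for k in keys:
        l, r = feistel_round(l, r, k)
    return (r << 16) | l        # final swap: output is R16 || L16, as on slide 19

def decrypt(block: int, keys: list[int]) -> int:
    r, l = (block >> 16) & MASK16, block & MASK16   # undo the final swap
    for k in reversed(keys):                         # K16 first, K1 last (slide 21)
        l, r = feistel_round_inverse(l, r, k)
    return (l << 16) | r

if __name__ == "__main__":
    keys = toy_key_schedule(0xBEEF)               # constructed sample key
    ct = encrypt(0x12345678, keys)
    print(hex(ct), hex(decrypt(ct, keys)))
    # Because of the final swap, encryption with reversed keys is decryption:
    print(hex(encrypt(ct, keys[::-1])))
```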