Stream Ciphers
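[Figure: taxonomy of cryptology. Cryptology divides into Cryptography and Cryptanalysis; Cryptography into Symmetric Ciphers, Asymmetric Ciphers and Protocols; Symmetric Ciphers into Block Ciphers and Stream Ciphers.]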
[Figure: a stream cipher with key K encrypts the bits x0, x1, ..., xb individually to y0, y1, ..., yb; a block cipher with key K encrypts x0, x1, ..., xb together as one block to y0, y1, ..., yb.]
Stream ciphers:
Encrypt bits individually
Usually small and fast, common in embedded devices (e.g., A5/1 for GSM/UMTS phones)
Block Ciphers:
Always encrypt a full block (several bits)
Are common for Internet applications.
Claude Shannon: There are two properties that strong encryption algorithms must possess:
1. Confusion: An encryption operation where the relationship between key and ciphertext is
obscured.
Today, a common element for achieving confusion is substitution, which is found in both AES and
DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is spread over
many ciphertext symbols with the goal of hiding statistical properties of the plaintext.
A simple diffusion element is the bit permutation, which is frequently used within DES.
[Figure: the message m passes through alternating Confusion and Diffusion stages, fed by the Key expansion, to produce the ciphertext c.]
Cipher        Type     Block/key size   Speed (MB/sec)
RC4           Stream   -                126
Salsa20/12    Stream   -                643
Sosemanuk     Stream   -                727
3DES          Block    64/168           13
AES           Block    128/128          109
[Figure: a block cipher (E, D) maps an n-bit plaintext (PT) block to an n-bit ciphertext (CT) block under a k-bit key.]
Canonical examples:
3DES: n = 64 bits, k = 168 bits
AES: n = 128 bits, k = 128, 192, 256 bits
DES: n = 64 bits, k = 56 bits
DES
Top description:
Two permutations.
Key expansion.
Feistel network.
[Figure: DES structure. The 64-bit input passes through IP, then through the Feistel network rounds keyed with k1, k2, ..., k16 from the key expansion, then through IP-1 to give the 64-bit output.]
[Figure: Feistel network with d rounds. The input is split into the n-bit halves L0 and R0; round i uses fi to produce Li and Ri; the output is Ld, Rd.]
Question 1: who is being encrypted? R0 or L0?
Question 2: what kind of encryption is being used?
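Claim: for all $f_1, \ldots, f_d : \{0,1\}^n \to \{0,1\}^n$, the Feistel network $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible.
Proof: construct the inverse.
[Figure: round i maps (Li-1, Ri-1) through fi to (Li, Ri); the inverse round sets Ri-1 = Li and recovers Li-1 from Ri and fi(Ri-1).]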
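The claim above, checked in code. This is an added example, not part of the original slides: it assumes the usual XOR Feistel round (Li = Ri-1, Ri = Li-1 XOR fi(Ri-1)), and the round functions `hash_round` and `collapse_round` are hypothetical, chosen because neither is invertible.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hash_round(tag: bytes):
    # Round function built from truncated SHA-256: one-way, not a bijection.
    return lambda half: hashlib.sha256(tag + half).digest()[:len(half)]

def collapse_round(half: bytes) -> bytes:
    # Maps every input to all-zero bytes: as non-invertible as a function can be.
    return bytes(len(half))

def feistel_forward(block: bytes, fs) -> bytes:
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for f in fs:
        # Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})
        L, R = R, xor(L, f(R))
    return L + R

def feistel_inverse(block: bytes, fs) -> bytes:
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for f in reversed(fs):
        # Undo round i: R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(L_i).
        # Only f_i itself is evaluated, never its inverse.
        L, R = xor(R, f(L)), L
    return L + R

def round_trips(fs, blocks) -> bool:
    return all(feistel_inverse(feistel_forward(b, fs), fs) == b for b in blocks)

# Constructed sample input: 64-bit blocks (n = 32 bits per half), d = 4 rounds.
ROUNDS = [hash_round(b"f1"), collapse_round, hash_round(b"f3"), hash_round(b"f4")]
BLOCKS = [bytes(8), b"ABCDEFGH", bytes(range(248, 256))]

if __name__ == "__main__":
    for b in BLOCKS:
        c = feistel_forward(b, ROUNDS)
        print(b.hex(), "->", c.hex(), "->", feistel_inverse(c, ROUNDS).hex())
    print("all blocks recovered:", round_trips(ROUNDS, BLOCKS))
```

Invertibility says nothing about strength: a network built only from `collapse_round` still round-trips, yet hides nothing.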
DES
1. Expansion E
2. XOR with round key
3. S-box substitution
4. Permutation
1. Expansion E
main purpose: increases diffusion
3. S-Box substitution
4. Permutation P
Bitwise permutation.
Introduces diffusion.
Output bits of one S-Box affect several S-Boxes in the next round.
Diffusion by E, S-Boxes and P guarantees that after round 5 every bit is a function of each key bit and each plaintext bit.
DES: permutations IP and IP-1
IP:
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7
What is left to do?
DES
Top description:
Two permutations.
Inverse key expansion.
Feistel network.
[Figure: DES decryption. The 64-bit input passes through IP, then through the inverse Feistel network rounds keyed with k16, k15, ..., k1 from the inverse key expansion, then through IP-1 to give the 64-bit output.]
[Figure: reversed key schedule. The key k passes through PC-1 and Transform 1 to give (C16, D16); PC-2 yields K16; the shifts RS1, RS2, ..., RS15 give (C15, D15) down to (C1, D1), and PC-2 yields K15 down to K1.]
[Figure: 16-round Feistel network. Top: the input (L0, R0) runs forward through f1, f2, ..., f16 to the output (L16, R16). Bottom: the input (L16, R16) runs backward through f16, f15, ..., f1 to the output (L0, R0).]
Analytical attacks:
Ciphertext-only attacks.
Known plaintext.
Chosen ciphertext.
Chosen plaintext.
The first criticism of DES was that the key length of the cipher was changed from 128 in the IBM version to 56.
Definition of brute force attacks (aka exhaustive key search attacks):
Input: at least one pair (m, c)
Output: k, such that c = DES(m, k)
Attack: test all $2^{56}$ possible keys until the following condition is fulfilled: $DES^{-1}(c, k_i) = m$, $i = 0, 1, \ldots, 2^{56} - 1$.
Theorem:
Suppose DES is an ideal cipher ($2^{56}$ random invertible functions). Then for all m, c there is at most one key k s.t. c = DES(k, m) with prob. $\geq 1 - 1/256 \approx 99.5\%$
Proof:
Union bound
$\Pr[\exists k' \neq k : c = DES(k, m) = DES(k', m)] \leq \sum_{k' \in \{0,1\}^{56}} \Pr[DES(k, m) = DES(k', m)] \leq 2^{56} \cdot \frac{1}{2^{64}} = \frac{1}{2^{8}}$
Theorem:
Given a block cipher with a key length of k and block size n and t pairs of CT/PT, then the expected number (or the probability) of false keys is:
$2^{k - tn}$
History of attacks:
In 1977 it was (under-)estimated that a brute-force attack would cost only $20.000.000.
In 1993 Michael Wiener proposed a design that would cost $1.000.000 and find the key in 1,5 days.
In 1998 the Electronic Frontier Foundation built a hardware machine, Deep Crack, that broke the key in 15 days and cost $250.000.
In 2006 the Universities of Bochum and Kiel, in Germany, built COPACABANA (120 FPGAs), which breaks DES in less than 7 days for around $10.000.
In some situations we wish to increase the security of block ciphers, e.g., if a cipher such as DES is available in hardware or software for legacy reasons in a given application.
Two approaches are possible:
Multiple encryption: theoretically much more secure, but sometimes in practice increases the security very little
Key whitening
Assuming a key length of k bits, an exhaustive key search would require $2^k \cdot 2^k = 2^{2k}$ encryptions or decryptions.
Phase I: for the given $(x_1, y_1)$ the left encryption is brute-forced for all $k_{L,i}$, $i = 1, 2, \ldots, 2^k$, and a lookup table with $2^k$ entries (each n+k bits wide) is computed
the lookup table should be ordered by the result of the encryption ($z_{L,i}$)
Phase II: the right encryption is brute-forced (using decryption) and for each $z_{R,i}$ it is checked whether $z_{R,i}$ is equal to any $z_{L,i}$ value in the table of the first phase
Computational Complexity
Number of encryptions and decryptions: $2^k + 2^k = 2^{k+1}$
Number of storage locations: $2^k$
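The two phases above, and the false-key estimate $2^{k - tn}$ from the earlier theorem, run on a deliberately tiny cipher. This is an added example, not part of the original slides: the 16-bit toy cipher `enc`/`dec`, the 10-bit keys and the sample plaintexts are constructed for illustration, and a hash table replaces the sorted lookup table.

```python
MASK, MUL = 0xFFFF, 0x6D2B          # 16-bit block; an odd multiplier is invertible mod 2^16
INV = pow(MUL, -1, 1 << 16)         # modular inverse (Python 3.8+)

def rot(x, r):
    """Rotate a 16-bit value left by r bits."""
    return ((x << r) | (x >> (16 - r))) & MASK

def enc(k, x):
    """Toy cipher (hypothetical, illustration only): 3 rounds of xor-key, multiply, rotate."""
    for r in range(3):
        x = rot(((x ^ rot(k * 0x9E37 & MASK, r)) * MUL) & MASK, 5)
    return x

def dec(k, y):
    for r in reversed(range(3)):
        y = ((rot(y, 11) * INV) & MASK) ^ rot(k * 0x9E37 & MASK, r)
    return y

def meet_in_the_middle(pairs, kbits):
    """Recover (kL, kR) of y = enc(kR, enc(kL, x)) and count single-cipher operations."""
    (x1, y1), rest = pairs[0], pairs[1:]
    ops, table = 0, {}
    for kl in range(1 << kbits):     # Phase I: table z_L -> every kL producing it
        table.setdefault(enc(kl, x1), []).append(kl)
        ops += 1
    candidates = []
    for kr in range(1 << kbits):     # Phase II: decrypt y1 under each kR, look up z_R
        z = dec(kr, y1)
        ops += 1
        candidates += [(kl, kr) for kl in table.get(z, ())]
    # One pair leaves false keys (about 2^(2k-n) = 16 for an ideal cipher with
    # these sizes); each further pair divides the expected count by 2^n.
    survivors = [(kl, kr) for kl, kr in candidates
                 if all(enc(kr, enc(kl, x)) == y for x, y in rest)]
    return candidates, survivors, ops

# Constructed sample: k = 10 key bits per cipher, three plaintext/ciphertext pairs.
KBITS, KL, KR = 10, 0x2A7, 0x13C
PAIRS = [(x, enc(KR, enc(KL, x))) for x in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    cands, surv, ops = meet_in_the_middle(PAIRS, KBITS)
    print(f"operations: {ops} (2^{KBITS + 1}) instead of 2^{2 * KBITS}")
    print(f"candidates after one pair: {len(cands)}, after three pairs: {len(surv)}")
```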
Triple encryption using DES is often used in practice to extend the effective key length of DES to 112.
$c = DES(k_3, DES(k_2, DES(k_1, m)))$
Alternative version:
$c = DES(k_3, DES^{-1}(k_2, DES(k_1, m)))$
Advantage: choosing k1=k2=k3 performs single encryption.
Makes block ciphers such as DES much more resistant against brute-force attacks.
[Figure: key whitening of DES. m is XORed with k1, encrypted with DES under k2, and the result is XORed with k3.]
$c = k_3 \oplus DES(k_2, m \oplus k_1)$
key-len = 64+56+64 = 184 bits
but easy attack in time $2^{64+56} = 2^{120}$
It does not strengthen block ciphers against most analytical attacks such as linear and differential cryptanalysis => it is not a cure for inherently weak ciphers.
The additional computational load is negligible.