Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 4 Stefan Dziembowski

Published byRodger Mathews Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 4 Stefan Dziembowski"— Presentation transcript:

1 Cryptography Lecture 4 Stefan Dziembowski www.dziembowski.net stefan@dziembowski.net

2 Plan 1.History of DES 2.Design of DES 3.3DES 4.AES

3 On the previous lecture encryption decryption Today: we show how to construct a block cipher!

4 We show how to construct a secure block cipher Why secure? Someone important say “it is secure”. (But is he honest?) Many people tried to break it and they failed...

5 DES (Digital Encryption Standard) Key length: –effective: 56 bits –formally: 64 bits (8 bits for checking parity). Block length: 64 bits

6 History of DES First version designed by IBM in 1973-74, based on a Lucifer cipher (by Horst Feistel). National Security Agency (NSA) played some role in the design of DES. Made public in 1975. Approved as a US federal standard in November 1976.

7 Criticism of DES The key is to short (only 56 bits). Unclear role of NSA in the design –hidden backdoor? –2 56 -- feasible for NSA, infeasible for the others (in the 1970s)?

8 The role of NSA The United States Senate Select Committee on Intelligence (1978): "In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.” "NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended."

9 Security of DES The main weakness is the short key (brute-force attacks are possible). Also the block length is too small. Besides of this – a very secure design: after more than 30 decades still the most practical attack is brute-force! The only attacks so far: –differential cryptoanalysis –linear cryptoanalysis are rather theoretical.

10 Brute-force attacks on DES 1977 Diffie and Hellman proposed a machine costing 20 million $ breaking DES in 1 day. 1993 Wiener proposed a machine costing 1 million $ breaking DES in 7 hours. 1997 DESCHALL Project broke a “DES Challenge” (published by RSA) in 96 days using idle cycles of thousands of computers across the Internet. 1998 a DES-cracker was built by the Electronic Frontier Foundation (EFF), at the cost of approximately 250,000$ COPACOBANA (the Cost-Optimized Parallel COde Breaker) breaks DES in 1 week and costs 10,000$

11 DES-cracker COPACOBANA

12 Theoretical attacks on DES – differential cryptoanalysis Biham and Shamir (late 1980s): differential cryptoanalysis They show how to break DES using a chosen-plaintext attack. DES plaintext ciphertext 2 47 times Not very practical...

13 Differential cryptoanalysis – an interesting observation A small change in the design of DES would make the differential cryptoanalysis much more sucessful. Moral NSA and IBM knew it!

14 Theoretical attacks on DES – linear cryptoanalysis Matsui (early 1990s): linear cryptoanalysis uses a known-plaintext attack 2 43 (plaintext, ciphertext) pairs the plaintexts don’t need to be chosen by the adversary.

15 initial permutation (IP) Feistel network final permutation (IP -1 ) key k input output 64 bits

16 f2f2 f1f1 R0R0 L0L0 R1R1 L1L1 f 16 R 16 L 16... 16 rounds 56 bit key k2k2... k 16 key schedule k1k1 32 bits subkeys (48 bits): here no twist

17 A nice propery of Feistel rounds f RiRi LiLi R i+1 := L i xor f(R i )L i+1 := R i f RiRi (L i xor f (R i )) xor f(L i+1 ) Even if f is not easily invertible, each round can be easily inverted! = LiLi inversion:

18 f2f2 f1f1 R0R0 L0L0 R1R1 L1L1 f3f3 R3R3 L3L3 R2R2 L2L2 f3f3 R3R3 L3L3 f2f2 f1f1 R0R0 L0L0 R2R2 L2L2 R1R1 L1L1 Hence: the Feistel network can be “inverted”! Example: 3 round Feistel network

19 f3f3 f2f2 f1f1 R0R0 L0L0 R1R1 L1L1 f3f3 R3R3 L3L3 R2R2 L2L2 R3R3 L3L3 R0R0 L0L0 Without a “twist” in the last round: R2R2 L2L2 R1R1 L1L1 f2f2 f1f1

20 f2f2 f1f1 R0R0 L0L0 R1R1 L1L1 f 16 R 16 L 16... 56 bit key k 15... k1k1 key schedule k 16 How to decrypt? Reverse the key schedule!

21 We need to describe the following 1.The key schedule algorithm. 2.The functions f.

22 DES key schedule k k2k2... k 16 key schedule k1k1 each subkey k i consists of some bits of k 56 bits 48 bits

23 half-block X 32 bits expansion 48 bits subkey K i 48 bits Y xor Ki S1S1 S2S2 S3S3 S4S4 S5S5 S6S6 S7S7 S8S8 half-block Y permutation P 32 bits “S – boxes” S i : {0,1} 6 → {0,1} 4 “confusion” “diffusion” function f:

24 The expansion function 3212345 456789 8910111213 121314151617 161718192021 202122232425 242526272829 28293031321

25 Permutation P 1672021 29122817 1152326 5183110 282414 322739 1913306 2211425

26 The substitution boxes (S-boxes) S5S5 Middle 4 bits of input 0000000100100011010001010110011110001001101010111100110111101111 Outer bits 000010110001000001011110101011011010000101001111111101000011101001 011110101100101100010001111101000101010000111110100011100110000110 100100001000011011101011010111100011111001110001010110001100001110 111011100011000111000111100010110101101111000010011010010001010011 G Example of an S-box

27 How to increase the key size? Multiple encryption. For example double encryption is defined as: F’ (k,k’) (x) := F k’ (F k (x)) F k F k’ x F k’ (F k (x)) F k (x) Does it work? Double encryption – not really... Triple encryption is much better!

28 Double encryption Double encryption can be broken using –time O(2 n ), –space O(2 n ), –and a small number of (plaintext,ciphertext) pairs. The attack is called “meet in the middle”. n = block length = key length

29 Meet-in-the middle attack – the idea x k1k1 k2k2 knkn F k1 (x) F k2 (x) F kn (x) y F -1 k1 (x) F -1 k2 (x) F -1 kn (x) k1k1 k2k2 knkn Given (x,y) find (k,k’) such that y = F k’ (F k (x)) just find a pair of equal values F k (x) and F -1 k’ (x) How? sort both lists!...

30 Meet-in-the middle attack – the algorithm Given: (x,y), find (k,k’) such that y = F k’ (F k (x)) 1.Set S = Ø. 2.For each k compute z = F k (x) and store (z,k) in a list L. 3.For each k compute z = F -1 k (y) and store (z,k’) in a list L’. 4.Sort L and L’ by their first components. 5.Let S denote the list of all pairs all pairs (k,k’) such that for some z we have (z,k) є L and (z,k’) є L’. 6.Output S.

31 Meet-in-the middle attack – an analysis [1/2] n = block length = key length P (a random pair (k,k’) satisfies y = F k’ (F k (x))) ≈ 2 -n The number of all pairs (k,k’) is equal to 2 2n. Therefore E(|S|) ≈ 2 2n · 2 -n = 2 n So, we have around 2 n “candidates” for the correct pair (k,k’). How to eliminate the “false positives”? Repeat the same attack for another pair (x’,y’).

32 Meet-in-the middle attack – an analysis [1/2] The probability that (k,k’) is a false positive for (x,y) and for (x’,y’) is around 2 -n · 2 -n = 2 -2n. Hence, the expected number of “false positives” is around 2 2n · 2 -2n = 1 An additional pair (x’’,y’’) allows to eliminate the false positive.

33 Triple encryption F’ (k1,k2,k3) (x) := F k3 (F -1 k2 (F k1 (x))) F k1k1 F k2k2 xF k1 (x) F F k2 (F k1 (x)) k3k3 F k3 (F k2 (F 1 (x))) Sometimes k 1 = k 3.

34 Triple DES (3DES) is a standard cipher. Disadvantages: rather slow, small block size.

35 Advanced Encryption Standard (AES) Competition for AES announced in January 1997 by the US National Institute of Standards and Technology (NIST) 15 ciphers submitted 5 finalists: MARS, RC6, Rijndael, Serpent, and Twofish October 2, 2000: Rijandel selected as the winner. November 26, 2001: AES becomes an official standard. Authors : Vincent Rijmen, Joan Daemen (from Belgium) Key sizes: 128, 192 or 256 bit, block size: 128 bits

36 DES – the conclusion The design of DES is extremally good. The only weaknesses: short key and small block length. Enormous impact on research in crptography!

Download ppt "Cryptography Lecture 4 Stefan Dziembowski"

Similar presentations

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.

DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Data Encryption Standard (DES)

Data Encryption Standard (DES)
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
The Advanced Encryption Standard (AES) Simplified.

The Advanced Encryption Standard (AES) Simplified.
Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)

Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)
Data Encryption Standard (DES)

Data Encryption Standard (DES)
Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.
Modern Cryptography.

Modern Cryptography.
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #5 Sep 7 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.

Advanced Encryption Standard(AES) Presented by: Venkata Marella Slide #9-1.
DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.

DES 1 Data Encryption Standard DES 2 Data Encryption Standard  DES developed in 1970’s  Based on IBM Lucifer cipher  U.S. government standard  DES.
1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.
CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 18 Fall 2002.
1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.

1 CS 255 Lecture 4 Attacks on Block Ciphers Brent Waters.
CS470, A.SelcukLucifer & DES1 Block Ciphers Lucifer & DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukLucifer & DES1 Block Ciphers Lucifer & DES CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.

Introduction to Symmetric Block Cipher Jing Deng Based on Prof. Rick Han’s Lecture Slides Dr. Andreas Steffen’s Security Tutorial.
Foundations of Network and Computer Security J J ohn Black Lecture #6 Sep 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #6 Sep 10 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Similar presentations

Ads by Google