Chapter 3 – Block Ciphers and the Data Encryption Standard Jen-Chang Liu, 2004 Adopted from lecture slides by Lawrie Brown.


Outline
- Simplified DES (S-DES)
- Block Cipher Principles
- The Data Encryption Standard (DES)
- The Strength of DES
  - Brute-force attacks
  - Timing attacks
  - Differential Cryptanalysis
- Block Cipher Design Principles
- Block Cipher: Mode of Operation

Strength of DES?
- Key size
  - 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
  - brute force search looks hard
  - search on average $2^{55}$ keys
- Design of S-box
  - Is there weakness in the S-boxes?
  - So far, no fatal weakness in the S-boxes has been found

Weakness of DES – Key Size
- Brute force
  - 1 DES encryption/μs => 1142 years
  - 1 million parallel machines => 10 hours
  - 1977, Diffie and Hellman, $20 million dollars
- Recent advances
  - 1997 on Internet in a few months
  - 1998 on EFF's DES Cracker in less than 3 days
  - Special purpose machine, $250, above combined in 22hrs!

Timing Attacks on DES
- Fact: encryption/decryption takes slightly different amounts of time depending on the input
- attacks the actual implementation of the cipher (attacks the encryption/decryption hardware)
- Method: observe how long it takes to perform decryption on various ciphertexts
- Ex. smartcards

Analytic Attacks
- Analytic attacks on DES
  - these utilise some deep structure of the cipher
  - by gathering information about encryptions
  - can eventually recover some/all of the sub-key bits
  - if necessary then exhaustively search for the rest
- Generally these are statistical attacks, and include
  - differential cryptanalysis
    - published in 1990, known to DES group early in 1974
    - it is complex …
  - linear cryptanalysis
  - related key attacks

Dataflow of DES
- Plaintext $m$: left half $m_0$, right half $m_1$
- Round 1: $m_2 = m_0 \oplus f(m_1, K_1)$
- Round 2: $m_3 = m_1 \oplus f(m_2, K_2)$
- …
- Round 16: $m_{17} = m_{15} \oplus f(m_{16}, K_{16})$
- Substitution-permutation network
- Data flow: $m \to (m_0, m_1) \to m_2 \to m_3 \to \dots \to m_{16} \to m_{17}$
- Data flow: $m' \to (m_0', m_1') \to m_2' \to m_3' \to \dots \to m_{16}' \to m_{17}'$

Recall: XOR
- Two binary streams: … … ⊕ …
- Different bits will be labeled as 1 after XOR

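XOR: Differential of messages
- Data flow: $m \to (m_0, m_1) \to m_2 \to m_3 \to \dots \to m_{16} \to m_{17}$
- Data flow: $m' \to (m_0', m_1') \to m_2' \to m_3' \to \dots \to m_{16}' \to m_{17}'$
- $\Delta m_0 = m_0 \oplus m_0'$
- $\Delta m_1 = m_1 \oplus m_1'$
- $\Delta m_2 = m_2 \oplus m_2' = m_0 \oplus f(m_1, K_1) \oplus m_0' \oplus f(m_1', K_1') = \Delta m_0 \oplus [f(m_1, K_1) \oplus f(m_1', K_1')]$ ?
- Assume subkey is the same: $f(\Delta m_1) = [f(m_1, K_1) \oplus f(m_1', K_1)]$
- [Figure: $\Delta m_i \to f(\cdot, K) \to f(\Delta m_i)$; labels: unknown, $p$: probability]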

Differential Cryptanalysis p=0.0625

Differential Cryptanalysis
- perform attack by repeatedly encrypting plaintext pairs with known input XOR until the desired output XOR is obtained
- when found
  - if intermediate rounds match required XOR, have a right pair
  - if not, then have a wrong pair; relative ratio is S/N for attack
- can then deduce key values for the rounds
  - right pairs suggest same key bits
  - wrong pairs give random values
- Complexity: order of $2^{47}$, requiring $2^{47}$ chosen plaintexts
- Recall: brute-force $2^{56}$
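
An added example, not part of the original slides: a one-round toy showing that, for a fixed input XOR, the output-XOR distribution of f does not depend on the subkey, that some differentials are far likelier than the uniform 1/16, and how observed pairs suggest subkey values. The 4-bit S-box, the round function f(x, K) = S[x XOR K], the `observe` oracle and the sample pairs are constructed assumptions, not DES's.

```python
from collections import Counter

# Constructed 4-bit S-box: a toy stand-in for the nonlinear part of f, not a DES S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def f(x, k):
    """Toy round function (assumption): XOR in the subkey, then substitute."""
    return SBOX[x ^ k]

def output_xor_counts(dx, k):
    """For a fixed input XOR dx, count each output XOR over all 16 inputs."""
    return Counter(f(x, k) ^ f(x ^ dx, k) for x in range(16))

def best_differential(k=0):
    """Most probable (dx, dy, p) with dx != 0; p plays the role of the slides' p."""
    best = (0, 0, 0.0)
    for dx in range(1, 16):
        dy, n = output_xor_counts(dx, k).most_common(1)[0]
        if n / 16 > best[2]:
            best = (dx, dy, n / 16)
    return best

def suggested_keys(x, x2, dy):
    """Subkeys consistent with one observed pair (inputs x, x2; output XOR dy)."""
    return {k for k in range(16) if f(x, k) ^ f(x2, k) == dy}

def recover_key(observations):
    """Intersect the suggestions of several pairs; the real subkey is in all of them."""
    candidates = set(range(16))
    for x, x2, dy in observations:
        candidates &= suggested_keys(x, x2, dy)
    return candidates

def observe(secret_k, pairs):
    """Constructed oracle: what the analyst sees for chosen input pairs."""
    return [(x, x2, f(x, secret_k) ^ f(x2, secret_k)) for x, x2 in pairs]

if __name__ == "__main__":
    print("best differential (dx, dy, p):", best_differential())
    obs = observe(0xB, [(0x0, 0x1), (0x0, 0x2), (0x0, 0x4)])
    print("surviving subkeys:", sorted(recover_key(obs)))
```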


Block Cipher Design Principles
- basic principles still like Feistel in 1970's
- number of rounds
  - more is better, exhaustive search best attack
- function f:
  - provides "confusion", is nonlinear, avalanche
- key schedule
  - complex subkey creation, key avalanche

Modes of Operation
- block ciphers encrypt fixed size blocks
  - eg. DES encrypts 64-bit blocks, with 56-bit key
- need way to use in practice, given usually have arbitrary amount of information to encrypt
- 5 modes of operation
  - NIST Special Publication A

Electronic Codebook (ECB)

- message is broken into independent blocks which are encrypted
- each block is a value which is substituted, like a codebook, hence name
- each block is encoded independently of the other blocks
  $C_i = \mathrm{DES}_K(P_i)$
- uses: secure transmission of single values or short messages

Limitations of ECB
- repetitions in message may show in ciphertext
  - if aligned with message block
  - particularly with data such as graphics
  - or with messages that change very little, which become a code-book analysis problem
- weakness due to encrypted message blocks being independent

Cipher Block Chaining (CBC)

- message is broken into blocks
- each previous cipher block is chained with current plaintext block, hence name
- use Initial Vector (IV) to start process
  $C_i = \mathrm{DES}_K(P_i \oplus C_{i-1})$
  $C_{-1} = IV$
- uses: bulk data encryption, authentication

Advantages and Limitations of CBC
- each ciphertext block depends on all message blocks
- thus a change in the message affects all ciphertext blocks after the change as well as the original block
- need Initial Value (IV) known to sender & receiver
  - it must be sent encrypted in ECB mode before rest of message
  - if IV is sent in the clear, an attacker can change selected bits of IV, and therefore change plaintext $P_1$
- at end of message, handle possible last short block
  - by padding either with known non-data value (eg nulls)
  - or pad last block with count of pad size
    - eg. [ b1 b2 b ] <- 3 data bytes, then 5 bytes pad+count
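
An added example, not part of the original slides, comparing ECB and CBC on a message with repeated blocks and showing why an IV sent in the clear needs integrity protection: flipping IV bits changes $P_1$ by exactly the same bits. `E`/`D` are a toy 4-round Feistel cipher standing in for DES, the null-plus-count padding layout is an assumption, and the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block, rounds=(0, 1, 2, 3)):
    """Toy 4-round Feistel cipher standing in for DES_K (assumption, not DES)."""
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left

def D(key, block):
    return E(key, block, rounds=(3, 2, 1, 0))  # same network, rounds reversed

def pad(msg):
    """Nulls plus a final count byte (assumed layout of the padding scheme)."""
    n = BLOCK - len(msg) % BLOCK  # 1..8: a whole block is added when aligned
    return msg + bytes(n - 1) + bytes([n])

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(E(key, p) for p in blocks(pad(msg)))  # C_i = E_K(P_i)

def cbc_encrypt(key, iv, msg):
    chain = [iv]
    for p in blocks(pad(msg)):
        chain.append(E(key, xor(p, chain[-1])))  # C_i = E_K(P_i XOR C_{i-1})
    return b"".join(chain[1:])

def cbc_decrypt(key, iv, ct):
    chain = [iv] + blocks(ct)
    msg = b"".join(xor(D(key, c), prev) for prev, c in zip(chain, chain[1:]))
    return msg[:-msg[-1]]  # the count byte says how much padding to strip

def repeats(ct):  # number of ciphertext blocks that duplicate an earlier block
    return len(blocks(ct)) - len(set(blocks(ct)))

def flip_iv(iv, known_p1, wanted_p1):
    """IV' = IV XOR P_1 XOR P_1': decryption then yields P_1' instead of P_1."""
    return xor(iv, xor(known_p1, wanted_p1))

KEY, IV = b"demo-key", bytes(range(8))  # constructed sample values
MSG = b"PAY 100 " + b"AAAAAAAA" * 3 + b"end"
```

The receiver cannot detect the altered IV from CBC alone; a MAC over the IV and ciphertext, or sending the IV protected as the slide suggests, is what catches it.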

Cipher FeedBack (CFB): stream mode DES block

Cipher FeedBack (CFB)
- message is treated as a stream of bits
- added to the output of the block cipher
- result is fed back for next stage (hence name)
- standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
  - denoted CFB-1, CFB-8, CFB-64 etc
- is most efficient to use all 64 bits (CFB-64)
  $C_i = P_i \oplus \mathrm{DES}_K(C_{i-1})$
  $C_{-1} = IV$
- uses: stream data encryption, authentication

Advantages and Limitations of CFB
- appropriate when data arrives in bits/bytes
- most common stream mode
- note that the block cipher is used in encryption mode at both ends
- errors propagate for several blocks after the error

Output FeedBack (OFB)

- message is treated as a stream of bits
- output of cipher is added to message
- feedback is independent of plaintext
- can be computed in advance
  $C_i = P_i \oplus O_i$
  $O_i = \mathrm{DES}_K(O_{i-1})$
  $O_{-1} = IV$
- uses: stream encryption over noisy channels

Advantages and Limitations of OFB
- used when error feedback is a problem or where encryption needs to be done before the message is available
- Disadvantage: controlled changes to the recovered plaintext can be made
  - intercept the ciphertext and send out a forged one: $C_1$ = … $C_1$ = … <= forged

Counter (CTR): ATM network and IPSec

Counter (CTR)
- similar to OFB but encrypts counter value rather than any feedback value
- must have a different key & counter value for every plaintext block (never reused)
  $C_i = P_i \oplus O_i$
  $O_i = \mathrm{DES}_K(i)$
- Efficiency of CTR mode
  - can do parallel encryptions on multiple blocks (c.f. feedback mode, wait for previous ciphertext)
  - Preprocessing is possible
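
An added example, not part of the original slides, covering the OFB and CTR slides together: the keystream is computed without the message, a ciphertext bit flip produces the same flip in the recovered plaintext (so these modes need a separate integrity check), and reusing a key and counter leaks the XOR of two plaintexts. `E` is a keyed hash standing in for DES in the encrypt direction only, and the key, IV, nonce and messages are constructed.

```python
import hashlib

BLOCK = 8  # bytes, matching DES's 64-bit block

def E(key, block):
    """Stand-in for DES_K, encrypt direction only (assumption: keyed hash, not DES).
    OFB and CTR never call the decrypt direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb_keystream(key, iv, nblocks):
    """O_i = E_K(O_{i-1}), O_{-1} = IV: computable before the message exists."""
    out, o = [], iv
    for _ in range(nblocks):
        o = E(key, o)
        out.append(o)
    return b"".join(out)

def ctr_keystream(key, nonce, nblocks, start=0):
    """O_i = E_K(nonce || i): blocks are independent of each other, so any
    range can be computed in parallel or on demand."""
    return b"".join(E(key, nonce + (start + i).to_bytes(4, "big"))
                    for i in range(nblocks))

def stream_xor(keystream, data):
    """C_i = P_i XOR O_i; the same call decrypts."""
    return xor(keystream, data)

def tamper(ct, offset, known, wanted):
    """Controlled change: XOR (known ^ wanted) into the ciphertext at offset."""
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

# Constructed sample values.
KEY, IV, NONCE = b"demo-key", bytes(8), b"\x00\x01\x02\x03"
P1, P2 = b"TRANSFER 0100 TO ACCT 42", b"meeting moved to 3pm ok?"

def reuse_leak(key, nonce, p1, p2):
    """Same key and counter for two messages: C1 XOR C2 equals P1 XOR P2."""
    ks = ctr_keystream(key, nonce, -(-len(p1) // BLOCK))
    return xor(stream_xor(ks, p1), stream_xor(ks, p2))
```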

Summary
- block cipher design principles
- DES
  - details
  - strength
- Differential & Linear Cryptanalysis
- Modes of Operation
  - ECB, CBC, CFB, OFB, CTR