Dan Boneh Block ciphers The data encryption standard (DES) Online Cryptography Course Dan Boneh

Dan Boneh Block ciphers: crypto work horse E, D CT Block n bits PT Block n bits Key k Bits Canonical examples: 1.3DES: n= 64 bits, k = 168 bits 2.AES: n=128 bits, k = 128, 192, 256 bits

Dan Boneh Block Ciphers Built by Iteration R(k,m) is called a round function for 3DES (n=48), for AES-128 (n=10) key k key expansion k1k1 k2k2 k3k3 knkn R(k 1,  )R(k 2,  )R(k 3,  )R(k n,  ) m c

Dan Boneh The Data Encryption Standard (DES) Early 1970s: Horst Feistel designs Lucifer at IBM key-len = 128 bits ; block-len = 128 bits 1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer. 1976: NBS adopts DES as a federal standard key-len = 56 bits ; block-len = 64 bits 1997: DES broken by exhaustive search 2000: NIST adopts Rijndael as AES to replace DES Widely deployed in banking (ACH) and commerce

Dan Boneh DES: core idea – Feistel Network Given functions f 1, …, f d : {0,1} n {0,1} n Goal: build invertible function F: {0,1} 2n {0,1} 2n In symbols: inputoutput R d-1 L d-1 RdRd RdRd LdLd LdLd R0R0 R0R0 L0L0 L0L0 n-bits R1R1 R1R1 L1L1 L1L1 ⊕ f1f1 f1f1 R2R2 R2R2 L2L2 L2L2 ⊕ f2f2 f2f2 ⋯ ⊕ fdfd fdfd

Dan Boneh Claim: for all f 1, …, f d : {0,1} n {0,1} n Feistel network F: {0,1} 2n {0,1} 2n is invertible Proof: construct inverse R i-1 L i-1 RiRi RiRi LiLi LiLi ⊕ fifi fifi inverse R i-1 = L i L i-1 = f i (L i ) R i inputoutput R d-1 L d-1 RdRd RdRd LdLd LdLd R0R0 R0R0 L0L0 L0L0 n-bits R1R1 R1R1 L1L1 L1L1 ⊕ f1f1 f1f1 R2R2 R2R2 L2L2 L2L2 ⊕ f2f2 f2f2 ⋯ ⊕ fdfd fdfd

Dan Boneh Claim: for all f 1, …, f d : {0,1} n {0,1} n Feistel network F: {0,1} 2n {0,1} 2n is invertible Proof: construct inverse R i-1 L i-1 RiRi RiRi LiLi LiLi ⊕ fifi fifi inverse inputoutput R d-1 L d-1 RdRd RdRd LdLd LdLd R0R0 R0R0 L0L0 L0L0 n-bits R1R1 R1R1 L1L1 L1L1 ⊕ f1f1 f1f1 R2R2 R2R2 L2L2 L2L2 ⊕ f2f2 f2f2 ⋯ ⊕ fdfd fdfd RiRi RiRi LiLi LiLi R i-1 L i-1 ⊕ fifi fifi

Dan Boneh Decryption circuit Inversion is basically the same circuit, with f 1, …, f d applied in reverse order General method for building invertible functions (block ciphers) from arbitrary functions. Used in many block ciphers … but not AES R1R1 R1R1 L1L1 L1L1 R0R0 R0R0 L0L0 L0L0 RdRd RdRd LdLd LdLd n-bits R d-1 L d-1 ⊕ fdfd fdfd R d-2 L d-2 ⊕ f d-1 ⋯ ⊕ f1f1 f1f1

Dan Boneh “Thm:” (Luby-Rackoff ‘85): f: K × {0,1} n {0,1} n a secure PRF ⇒ 3-round Feistel F: K 3 × {0,1} 2n {0,1} 2n a secure PRP R3R3 R3R3 L3L3 L3L3 R0R0 R0R0 L0L0 L0L0 input R1R1 R1R1 L1L1 L1L1 ⊕ f f R2R2 R2R2 L2L2 L2L2 ⊕ f f ⊕ f f output

Dan Boneh DES: 16 round Feistel network f 1, …, f 16 : {0,1} 32 {0,1} 32, f i (x) = F ( k i, x ) input 64 bits output 64 bits 16 round Feistel network IP IP -1 k k key expansion k1k1 k1k1 k2k2 k2k2 k 16 ⋯ To invert, use keys in reverse order

Dan Boneh The function F(k i, x) S-box: function {0,1} 6 {0,1} 4, implemented as look-up table.

Dan Boneh The S-boxes S i : {0,1} 6 {0,1} 4

Dan Boneh Example: a bad S-box choice Suppose: S i (x 1, x 2, …, x 6 ) = ( x 2 x 3, x 1 x 4 x 5, x 1 x 6, x 2 x 3 x 6 ) or written equivalently: S i (x) = A i ⋅ x (mod 2) We say that S i is a linear function x1x2x3x4x5x6x1x2x3x4x5x6 x1x2x3x4x5x6x1x2x3x4x5x6. = x2x3x1x4x5x1x6x2x3x6x2x3x1x4x5x1x6x2x3x6 x2x3x1x4x5x1x6x2x3x6x2x3x1x4x5x1x6x2x3x6

Dan Boneh Example: a bad S-box choice Then entire DES cipher would be linear: ∃ fixed binary matrix B s.t. But then: DES(k,m 1 ) DES(k,m 2 ) DES(k,m 3 ) B B m k 1 k 2 k 16 m k 1 k 2 k 16. = c c ⋮ DES(k,m) = = DES(k, m 1 m 2 m 3 ) B B B = B m1km1k m1km1k m2km2k m2km2k m3km3k m3km3k m1m2m3kkkm1m2m3kkk m1m2m3kkkm1m2m3kkk (mod 2)

Dan Boneh Choosing the S-boxes and P-box Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after ≈2 24 outputs) [BS’89] Several rules used in choice of S and P boxes: No output bit should be close to a linear func. of the input bits S-boxes are 4-to-1 maps ⋮

Dan Boneh End of Segment