Block ciphers
Conventional crypto - Noack

Outline:
- Structure of a multiround block cipher
- Structure of each round
- Chaining modes for block ciphers
- Differential and linear cryptanalysis
Structure of multiround block ciphers

Figure: the encryption path (plaintext in, key, a single round fed by a key scheduling round, repeated, ciphertext out) drawn beside the decryption path (ciphertext in, the inverse of each single round fed by the same key scheduling rounds, plaintext out).

- These are private-key (symmetric) ciphers: the same key is used to encrypt and to decrypt
- Each single round must be invertible, since decryption runs the rounds backwards
- The key scheduling rounds do not need to be invertible; they only derive a per-round key from the master key, and decryption just needs the same per-round keys in reverse order
- If the key is constant from block to block, the cipher is a monoalphabetic substitution, but with a huge alphabet (2^64 symbols for a 64-bit block); identical plaintext blocks therefore give identical ciphertext blocks
- Strength comes from confusion and diffusion applied repeatedly
Structure of a single round

Figure: partially encrypted text from the previous round enters a nonfeedback network of invertible operations; the key for this round arrives from the key scheduler; partially encrypted text leaves for the next round.

- Invertible operations can include:
  - Bitwise exclusive or
  - Addition modulo 2^w for a w-bit word (inverted by subtraction modulo 2^w)
  - Multiplication in a Galois field by a nonzero element, but not conventional integer multiplication, which has no inverse in general
  - Permutation of bits or bytes
- Example of an invertible operation: if C = K xor A, then A = K xor C, because K xor K cancels to zero
The Feistel block is a reversible round

Figure: the left half L_i feeds a one-way (nonreversible) block keyed by K_i; the output of that block is XORed into the right half R_i; the two halves are then swapped to form L_{i+1} and R_{i+1}. The inverse round is drawn beneath it using the same one-way block and the same XOR.

- Note: this block is reversible even though the one-way block inside it is not
- The direction of signal flow does not change in the one-way block: it is computed forward during both encryption and decryption, so it never has to be inverted
- The XOR is a reversible device; applying the same one-way output a second time cancels it
More on the Feistel block: characteristics and limitations

- Essentially any one-way function can be used as the round function; it does not have to be reversible, because decryption recomputes it rather than inverting it
- Because each round scrambles only one half of the partial text at a time, a single round is possibly weaker than a round that transforms the whole block, so more rounds (typically 16) are used
- The one-way function is half the width of the block, so a 64-bit block can be encrypted efficiently on a 32-bit processor
- The Feistel block is vulnerable to differential cryptanalysis, which is a chosen-plaintext attack; with enough rounds and a well-chosen round function it is still usable
The equations for the Feistel block

Comments:
- These equations are valid for any Feistel block, regardless of the particular one-way function F used
- They are the basis for differential and linear cryptanalysis
- A large number of present-day ciphers, but not all, use the Feistel structure

The direct transformation (one round, with round key $K_i$; the right half is kept unchanged and becomes the next round's left half):

$L_{i+1} = R_i \oplus F(L_i, K_i)$
$R_{i+1} = L_i$

The inverse transformation (the same $F$, computed forward on the half that was passed through unchanged, never inverted):

$L_i = R_{i+1}$
$R_i = L_{i+1} \oplus F(R_{i+1}, K_i)$

The recurrence relation used in differential cryptanalysis (substitute $R_{i+1} = L_i$ into the direct transformation for round $i+1$, which eliminates the right halves):

$L_{i+2} = L_i \oplus F(L_{i+1}, K_{i+1})$
The one-way function for DES

Figure: the 32-bit input half enters the E-box (expand/permute, 32 to 48 bits), is XORed with the 48-bit per-stage keyword in a 48-bit-wide XOR, is split into eight 6-bit groups that each index a 64-by-4-bit S-box, and the eight 4-bit results are joined and passed through the P-box (permute only) to give the 32-bit output half.

Components:
- E-box: expansion and permutation; 32 bits in, 48 bits out, so 16 of the input bits are used twice
- S-box: substitution; each of the eight S-boxes is a 64-by-4-bit memory or array, indexed by 6 bits and producing 4 bits, and this is the only nonlinear step in the round
- P-box: permutation only, 32 bits in and 32 bits out
- The E and P boxes were hardwired (they are just wiring)
- The S-boxes were in on-chip ROM: eight boxes of 64 entries of 4 bits is 256 bytes per round
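An added example, not from the slides: the E/S/P structure of the DES round function written out in Python, using the published DES E, P and S1 tables. To keep the listing short it reuses S1 in all eight S-box positions (an assumption made here; real DES has eight distinct S-boxes), so `des_f` is DES-shaped rather than DES itself. The sample input and subkey in the demo are constructed values.

```python
# DES-style round function: E expansion, subkey XOR, eight 6-to-4-bit S-boxes, P permutation.
# E, P and S1 are the published DES tables; DES numbers bits 1..32 from the most
# significant end. Assumption for brevity: S1 stands in for all eight S-boxes, so this
# is the shape of the DES f function, NOT the real DES f.

E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
SBOXES = [S1] * 8   # assumption: S1 reused eight times (see above)


def permute(value: int, table: list, in_bits: int) -> int:
    """Output bit j (counting from the left) is input bit table[j].
    A table longer than in_bits with repeated entries expands; one with
    each position exactly once is a pure permutation."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (in_bits - pos)) & 1)
    return out


def sbox_lookup(box: list, six: int) -> int:
    """6-bit input: the two outer bits select the row, the middle four the column.
    Each box is 4 rows x 16 columns x 4 bits = 64 entries of 4 bits."""
    row = ((six >> 5) & 1) << 1 | (six & 1)
    col = (six >> 1) & 0xF
    return box[row][col]


def des_f(right32: int, subkey48: int, sboxes: list = SBOXES) -> int:
    """One round's one-way function: 32-bit half and 48-bit subkey in, 32 bits out."""
    expanded = permute(right32, E, 32)          # E-box: 32 -> 48 bits, 16 bits used twice
    mixed = expanded ^ subkey48                  # 48-bit-wide XOR with the per-round subkey
    substituted = 0
    for i in range(8):                           # eight 6-bit groups, left to right
        six = (mixed >> (42 - 6 * i)) & 0x3F
        substituted = (substituted << 4) | sbox_lookup(sboxes[i], six)
    return permute(substituted, P, 32)           # P-box: permute only, 32 -> 32 bits


def sbox_rom_bytes(sboxes: list) -> int:
    """ROM needed for one round's S-boxes: 8 boxes x 64 entries x 4 bits = 256 bytes."""
    return sum(len(box) * len(box[0]) for box in sboxes) * 4 // 8


if __name__ == "__main__":
    # constructed demo values, not a DES test vector
    print(hex(des_f(0x12345678, 0x0F1E2D3C4B5A)))
    print(sbox_rom_bytes(SBOXES), "bytes of S-box ROM per round")
```

Note that `permute` cannot be inverted when the table has duplicate entries (E), which is exactly why the function as a whole is one-way and why the Feistel structure around it must supply the reversibility.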
DES – the Data Encryption Standard

- Standardized by NBS (now NIST) in 1977 as FIPS 46
- Key length is 56 bits: a brute-force search tries at most 2^56 ≈ 7.2 × 10^16 keys, on average 2^55 ≈ 3.6 × 10^16
- This size has always been suspect; special-purpose machines to break it have been built for less than $250K
- The original standard required hardware implementation; now it is almost always done in software
- The permutation operations are inefficient in software; the S-boxes are no problem, being table lookups
- Suspicion centers on whether the S-boxes contain trapdoors and whether governments and big corporations have built cryptanalysis tools
- Cryptanalysis tools almost certainly yes, trapdoors likely not
- Differential cryptanalysis was known to the designers but not public at development time; the S-boxes were chosen to resist it
- The standard is still in use as Triple DES with nominally 168-bit keys, though the meet-in-the-middle attack limits its effective strength to about 112 bits and NIST has since deprecated it
Chaining algorithms: ECB (Electronic CodeBook) mode

- The basic method: each plaintext block P_i is encrypted independently under the same session key, C_i = E_K(P_i)
- Identical plaintext blocks produce identical ciphertext blocks, so patterns in the plaintext show through the ciphertext
- Susceptible to known plaintext if the structure of the early blocks is known; examples are .gif, .jpg and .doc files, whose headers are fixed and predictable
- A missing or corrupted block affects only that block, so the remaining blocks can still be recovered; the flip side is that blocks can be deleted, duplicated or reordered without detection

Figure: P_0, P_1, P_2, ..., P_n each pass through block encryption under the session key to give C_0, C_1, C_2, ..., C_n.
ECB and its inverse

Figure: encryption (P_0 ... P_n through block encryption under the session key to C_0 ... C_n) drawn beside decryption (C_0 ... C_n through block decryption under the same session key to P_0 ... P_n); each block is decrypted independently of the others.
Other chaining modes

- CBC (Cipher Block Chaining): each plaintext block is XORed with the previous ciphertext block before encryption, C_i = E_K(P_i xor C_{i-1}), with an initialization vector (IV) standing in for C_{-1}; the IV must be unpredictable, and identical plaintext blocks no longer give identical ciphertext blocks
- CFB (Cipher FeedBack): the previous ciphertext (a full or partial block) is encrypted and the result is XORed with the plaintext, so a partial block is fed forward each time; this turns the block cipher into a stream cipher
- OFB (Output FeedBack): a partial block is fed forward as in CFB, but what is fed back is the cipher output rather than the ciphertext, so the keystream is unrelated to the text and depends only on the key and the IV
- Counter (CTR): a counter (combined with a nonce) is encrypted and the result is XORed with the plaintext; another stream mode, and one whose blocks can be computed in parallel
- In OFB and CTR the keystream must never be reused under the same key, because XORing two ciphertexts that share it cancels the keystream and leaves the XOR of the two plaintexts
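An added example, not from the slides, serving both the Feistel equations above and the chaining modes on this and the previous slides: a 16-round Feistel cipher over 64-bit blocks whose round function F is truncated SHA-256 (an assumption made here to show that any one-way function works; it is not the DES round function), with ECB, CBC and counter modes built on top of it. The key schedule, the nonce/counter layout, the zero IV and the sample plaintext are all constructed for the demonstration.

```python
import hashlib
import struct

BLOCK = 8      # 64-bit block: two 32-bit halves L and R, as in the Feistel equations
ROUNDS = 16


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Key schedule deriving K_0..K_{rounds-1}. It need not be invertible, so a hash is fine.
    (Constructed schedule for this demo, not a standard one.)"""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(rounds)]


def F(half: int, k: bytes) -> int:
    """One-way round function: truncated SHA-256 of K_i || half. It is never inverted."""
    return int.from_bytes(hashlib.sha256(k + half.to_bytes(4, "big")).digest()[:4], "big")


def encrypt_block(block: bytes, keys: list) -> bytes:
    L, R = struct.unpack(">II", block)
    for k in keys:
        # Direct transformation: L_{i+1} = R_i xor F(L_i, K_i); R_{i+1} = L_i
        L, R = R ^ F(L, k), L
    return struct.pack(">II", L, R)


def decrypt_block(block: bytes, keys: list) -> bytes:
    L, R = struct.unpack(">II", block)
    for k in reversed(keys):
        # Inverse transformation: L_i = R_{i+1}; R_i = L_{i+1} xor F(R_{i+1}, K_i)
        L, R = R, L ^ F(R, k)
    return struct.pack(">II", L, R)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("block modes need a whole number of blocks; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(pt: bytes, keys: list) -> bytes:
    # Each block on its own: equal plaintext blocks give equal ciphertext blocks
    return b"".join(encrypt_block(p, keys) for p in _blocks(pt))


def ecb_decrypt(ct: bytes, keys: list) -> bytes:
    return b"".join(decrypt_block(c, keys) for c in _blocks(ct))


def cbc_encrypt(pt: bytes, keys: list, iv: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(_xor(p, prev), keys)    # C_i = E(P_i xor C_{i-1}), C_{-1} = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, keys: list, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(c, keys), prev))   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def ctr_crypt(data: bytes, keys: list, nonce: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter and XOR it with the text; the same call
    encrypts and decrypts, and a trailing partial block needs no padding."""
    if len(nonce) != 4:
        raise ValueError("nonce must be 4 bytes; the other 4 bytes of the block are the counter")
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = encrypt_block(nonce + n.to_bytes(4, "big"), keys)
        out.append(_xor(data[i:i + BLOCK], keystream))   # zip() truncates to the partial block
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the pattern leak of ECB."""
    bl = _blocks(ct)
    return len(bl) - len(set(bl))


if __name__ == "__main__":
    keys = round_keys(b"constructed demo key")
    iv, nonce = b"\x00" * BLOCK, b"\x00" * 4   # constructed; see the usage note below
    pt = b"HEADER00" * 4                       # constructed: four identical blocks, like a fixed file header
    ecb, cbc, ctr = ecb_encrypt(pt, keys), cbc_encrypt(pt, keys, iv), ctr_crypt(pt, keys, nonce)
    print("repeated blocks  ECB:", repeated_blocks(ecb), " CBC:", repeated_blocks(cbc), " CTR:", repeated_blocks(ctr))
    assert ecb_decrypt(ecb, keys) == cbc_decrypt(cbc, keys, iv) == ctr_crypt(ctr, keys, nonce) == pt
```

Running it shows the ECB leak directly: four identical plaintext blocks become four identical ciphertext blocks under ECB and four distinct ones under CBC and CTR, while all three modes decrypt back to the plaintext. The zero IV and nonce are only for a deterministic demo; in use the CBC IV must be unpredictable and the CTR nonce must never repeat under the same key.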