© Information Security Group, ICU1 Block Cipher- introduction  DES Description: Feistel, S-box Exhaustive Search, DC and LC Modes of Operation  AES Description: SPN, Branch number Security and Efficiency Modes of Operation  Other Ciphers Linear layer Confusion layer

© Information Security Group, ICU2 DES (Data Encryption Standard) DES (Data Encryption Standard)

© Information Security Group, ICU3 Shannon’s Communication Theory for Secrecy System (1949)  Confusion: The ciphertext statistics should depend on the plaintext statistics in a manner too complicated to be exploited by the enemy cryptanalyst  Diffusion: Each digit of the plaintext should influence many digits of the ciphertext, and/or Each digit of the secret key should influence many digits of the the ciphertext.  Block cipher:  A repetition of confusion(Substitution) and diffusion(Permutation)  Iteration: Weak  Strong Claude Shannon

© Information Security Group, ICU4 Block Cipher  Definition:  Let B n denote the set of bit strings of length n.  A block cipher is an encryption algorithm E such that E K is a permutation of B n for each key K  Characteristics  Based on Shannon’s Theorem(1949)  Same P => Same C  {|P| = |C|}  64 bit, |P|  |K|  56 bit  Memoryless configuration  Operate as stream cipher depending on mode  Shortcut cryptanalysis (DC, LC etc) in 90’s * DC: Differential Cryptanalysis, LC: Linear Cryptanalysis

© Information Security Group, ICU5 Design Criteria of DES  Provide a high level of security  Completely specify and easy to understand  Security must depend on hidden key, not algorithm  Available to all users  Adaptable for use in diverse applications  Economically implementable in electronic device  Efficient to use  Able to be validated  Exportable * Federal Register, May 15, 1973

© Information Security Group, ICU6 DES(Data Encryption Standard)  Based on Lucifer (1972)  Developed by IBM and intervened by NSA  Adopted Federal Standard by NIST, revised every 5 years (~’98),  64bit block cipher, 56bit key  16 Round, Nonlinearity : S-box  Cryptanalysis like DC, LC, etc. after 1992 * DC:Differential Cryptanalysis, LC : Linear Cryptanalysis

© Information Security Group, ICU7 FIPS Documents  FIPS PUB 46-3, Data Encryption Standard”, 1977(83,88,93) (*)  FIPS PUB 81, “DES modes of operation”,1980(*)  FIPS PUB 74, “Guidelines for implementing and using the NBS Data Encryption Standard”, 1981(*)  FIPS PUB 113, “Computer Data Authentication”, 1985  FIPS PUB 140-2, “Security Requirements for Cryptographic Modules”, 2001 * Federal Notice (July 26, 2004) Announcing Proposed Withdrawal of Federal Information Processing Standard (FIPS) for the Data Encryption Standard (DES) and Request for Comments NIST determined that the strength of the DES algorithm is no longer sufficient to adequately protect Federal government information. As a result, NIST proposes to withdraw FIPS 46-3, and the associated FIPS 74 and FIPS 81. Future use of DES by Federal agencies is to be permitted only as a component function of the Triple Data Encryption Algorithm (TDEA). TDEA may be used for the protection of Federal information; however, NIST encourages agencies to implement the faster and stronger algorithm specified by FIPS 197, Advanced Encryption Standard (AES) instead. NIST proposes issuing TDEA implementation guidance as a NIST Recommendation via its ``Special Publication'' series (rather than as a FIPS) as Special Publication , Recommendation for Implementation of the Triple Data Encryption Algorithm (TDEA). “ FIPS: Federal Information Processing Standard

© Information Security Group, ICU8 Involution structure  If we apply its operation 2 times, it returns to the original value, e.g., f(f(x)) = x.  Type of f -1 (x) = f(x) x1x1 x2x2 (a) (b) y1y1 y2y2 y 1 =x 1  x 2 (c)  y 1 =x 1  g(x 2 ) or x 1  g(x 2,k) (d)  g x1x1 x1x1 x1x1 x2x2 x2x2 x2x2 y2y2 y 2 = x 2 y1y1

© Information Security Group, ICU9 2 Building blocks of DES Round Function Key Scheduler PlaintextKey Ciphertext * Feistel Network

© Information Security Group, ICU10 Structure of DES P K IP f FP PC-2 C 16 Round PC-1 Rot R0(32) L0(32) R16L16 PC Round function Key Scheduling

© Information Security Group, ICU11 Enciphering Computation * Decryption is done by executing round key in the reverse order.

© Information Security Group, ICU12 f-function of DES

© Information Security Group, ICU13 Initial Permutation(IP) cf.) The 58th bit of x is the first bit of IP(x)

© Information Security Group, ICU14 Final Permutation(FP=IP -1 )  The IP (FP) has no cryptographic significance

© Information Security Group, ICU15 P Permutation  Permutes the order of 32 bits

© Information Security Group, ICU16 E Expansion  Expands 32 -> 48 bits by duplicating 16 bits twice cf.) The first 4 bits are expanded into 6 bits by adding the last bit of the last 4 bits at first and the first bit of the second 4 bits at last.

© Information Security Group, ICU17 Permutated Choice-1(PC-1)  64 -> 56 bits cf.) Do not use the parity check bits

© Information Security Group, ICU18 Permutated Chioce-2 (PC-2)  56 -> 48 bits

© Information Security Group, ICU19 Rnd Rot  Total rotation = 28  After final rotations, the final round keys return to the input of the 1st round keys. Rotation Schedule

© Information Security Group, ICU20 DES S-boxes  8 S-boxes (6 -> 4 bits)  each row : permutation of 0-15  4 rows : choose by MSB & LSB of input  some known design criteria  not linear (affine)  Any one bit of the inputs changes at least two output bits  S(x) and S(x  ) differs at least 2bits  S(x)  S(x  11ef00) for any ef  Resistance against DC etc.  The actual design principles have never been revealed (U.S. classified information)

© Information Security Group, ICU21 DES S-boxes(I)  Input values mapping order L R  S 1 ( )=11=(1011) 2

© Information Security Group, ICU22 DES S-boxes(II)  S1-box  S2-box e.g.) S 2 (010010)= ?

© Information Security Group, ICU23 DES S-boxes(III)  S3-box  S4-box S4-box is most linear than others.

© Information Security Group, ICU24 Criticism of DES  Short key size : 112 -> 56 bits by NSA  Classified design criteria  Revision of standard every 5 yrs after 1977 by NIST  No more standard

© Information Security Group, ICU25 Cryptographic properties  (P,C) dependency with fixed Key : after 5 round  (K,C) dependency with fixed plaintext : after 5 round  Avalanche effect  Cyclic Test : Random function  Algebraic structure : Not a group i.e., E(K 1, E(K 2,P))  E(K 3,P)

© Information Security Group, ICU26 Known Weakness of DES  Complementary Prop. If C= E(K,P), C = E(K, P)  Weak Key : 4 keys E(K, E(K,P))=P  Semi-weak Keys : 12 keys (6 pairs) E(K 1, E(K 2,P))=P  Key Exhaustive Search : 2 55