1. Chapter 3  Symmetric Key Cryptosystems 1 Overview  Modern symmetric-key cryptosystems o Data Encryption Standard (DES)  Adopted in 1976  Block size = 64 bits  Key length = 56 bits o Advanced Encryption Standard (AES)  Adopted in 2000  Block sizes = 128, 192, or 256 bits  Key lengths = 128, 192, or 256 bits

2. Chapter 3  Symmetric Key Cryptosystems 2 DES - History  1973: NBS (now NIST) solicits proposals for crypto algorithm which: o Provides a high level of security o Completely specified and easy to understand o Is available royalty-free o Is efficient

3. Chapter 3  Symmetric Key Cryptosystems 3 DES – History (cont)  1974 o IBM submits variant of Lucifer algorithm o NBS asks NSA for comments on the algorithm o NSA likes the algorithm with modifications  Key size reduced from 128 to 56 bits  Minor changes in details of the algorithm  1976 o DES approved (unclassified communications) o To be reviewed every five years

4. Chapter 3  Symmetric Key Cryptosystems 4 DES – History (cont)  1983: NBS recertifies DES  1987: NBS recertifies DES  1988: NBS becomes NIST  1993: NIST recertifies DES  1998: NIST begins AES competition

5. Chapter 3  Symmetric Key Cryptosystems 5 DES - Overview  Adopted as U.S. government standard in 1976  Block cipher, symmetric key o 64-bit block size, 56-bit key o Simple algorithm

6. Chapter 3  Symmetric Key Cryptosystems 6 DES - Keys  Any 56-bit string can be a DES key  There are 2 56 keys o 72,057,594,037,927,936 DES keys  Test one trillion keys per second o 2 hours to find the key  A very small number of “weak keys”

7. Chapter 3  Symmetric Key Cryptosystems 7 DES – The Algorithm  To encrypt a 64-bit plaintext block  An initial permutation o 16 rounds of substitution, transposition o 48-bit subkey added to each round, o Subkeys derived from 56-bit DES key o Final permutation

8. Chapter 3  Symmetric Key Cryptosystems 8 DES – Algorithm Overview

9. Chapter 3  Symmetric Key Cryptosystems 9 DES Initial Permutation  Permutes 64 bits of the plaintext  58 th bit is moved to position 1  50 th bit is moved to position 2 ….  7 th bit is moved to position 64

10. Chapter 3  Symmetric Key Cryptosystems 10 DES Initial Perm Example

11. Chapter 3  Symmetric Key Cryptosystems 11 DES – Subkey Generation  DES key: 64-bits (eight parity bits)  A 56-bit DES key o 11010001101010101000101011101010101000100011010101010101  The 64-bit representation o 1101000111010100101000110101110010101010000100011101010010101010  Sixteen 48-bit subkeys generated from 64- bit DES key (one for each round)

12. Chapter 3  Symmetric Key Cryptosystems 12 DES – Subkey (cont)  64-bit DES key o 1101000111010100101000110101110010101010000100011101010010101010  A key permutation removes eight parity bits and  The 57th bit is moved to position 1  The 49th bit is moved to position 2 …  The 4th bit is moved to position 56

13. Chapter 3  Symmetric Key Cryptosystems 13 DES Key Perm Example  64-bit “key” to 56-bit DES key

14. Chapter 3  Symmetric Key Cryptosystems 14 DES – Subkey Gen (cont)  56 key bits (after permutation) divided into two 28-bit halves  Each half circularly shifted left by one bit (rounds 1,2,9 and 16) or 2 bits (all other rounds)  Halves recombined into 56 bit string

15. Chapter 3  Symmetric Key Cryptosystems 15 DES – Compression Perm  Compression permutation selects 48 bits  14th bit goes to output 1  17th bit goes to output 2 ….  32nd bit goes to output 48

16. Chapter 3  Symmetric Key Cryptosystems 16 DES Compression Perm Example

17. Chapter 3  Symmetric Key Cryptosystems 17 DES Round 1 Subkey

18. Chapter 3  Symmetric Key Cryptosystems 18 DES - Subkey Overview

19. Chapter 3  Symmetric Key Cryptosystems 19 DES – Rounds  Each of 16 rounds takes 64-bit block of input to 64-bit block of output  The output from initial perm is input to round one  Round one output is input to round two  Round two output is input to round three   Round 16 output is ciphertext

20. Chapter 3  Symmetric Key Cryptosystems 20 DES – Round 1 Subkey 1 Input block (64) L 1 (32)R 1 (32) EP XOR S-box P-box XOR L 2 (32)R 2 (32) Output block (64)

21. Chapter 3  Symmetric Key Cryptosystems 21 DES Rounds  64-bit input divided into two 32-bit halves  Right half sent through expansion perm which produces 48 bits by o Rearranging the input bits o Repeating some input bits more than once

22. Chapter 3  Symmetric Key Cryptosystems 22 DES – Expansion Permutation

23. Chapter 3  Symmetric Key Cryptosystems 23 DES – XOR Operation  XOR is applied to the 48-bit output of expansion perm and subkey  The resulting 48-bits go to S-boxes

24. Chapter 3  Symmetric Key Cryptosystems 24 DES – S-boxes  S-boxes perform substitution  8 different S-boxes  Each S-box maps 6 bits to 4 bits  Bits 1-6 are input to S-box 1  Bits 7-12 are input to S-box 2, etc.

25. Chapter 3  Symmetric Key Cryptosystems 25 DES – Inside an S-box  Each S-box has 4 rows, 16 columns  S-box 1  First and last input bits specify the row  Middle four input bits specify the column

26. Chapter 3  Symmetric Key Cryptosystems 26 DES – Inside S-box (cont)  S-box entry is the four-bit output  Examples with S-box 1  011010  row 0, column 13  9 = 1001 (output)  110010  row 2, column 9  12 = 1100 (output)  000011  row 1, column 1  15 = 1111 (output)

27. Chapter 3  Symmetric Key Cryptosystems 27 DES – S-boxes

28. Chapter 3  Symmetric Key Cryptosystems 28 DES – S-boxes Example

29. Chapter 3  Symmetric Key Cryptosystems 29 DES – P-box  32-bit output of S-boxes goes to P-box  P-box permutes the bits o The first bit is moved to position 16 o The second bit is moved to position 7 o The third bit is moved to position 20 : o The thirty-second bit is moved into position 25

30. Chapter 3  Symmetric Key Cryptosystems 30 DES – P-box Example

31. Chapter 3  Symmetric Key Cryptosystems 31 DES – Second XOR Operation  Output of P-box is XORed with the left half of 64-bit input block  32-bit output of the XOR operation: o 01101111011011000110111010010010

32. Chapter 3  Symmetric Key Cryptosystems 32 DES – Rounds  64-bit output from round 1 is input for round 2  Output from round 2 is input for round 3 :  Output from round 16 is passed through a final permutation

33. Chapter 3  Symmetric Key Cryptosystems 33 DES – Final Perm  Final permutation is inverse of initial perm o 40th bit is moved into the 1st position o 8th bit is moved into the 2nd position : o 25th bit is moved into the 64th position  Output of final permutation is ciphertext

34. Chapter 3  Symmetric Key Cryptosystems 34 DES – Encryption Overview

35. Chapter 3  Symmetric Key Cryptosystems 35 DES - Decryption  Same algorithm and key as encryption  Subkeys are applied in opposite order o Subkey 16 used in first round o Subkey 15 used in second round : o Subkey 1 used in 16th round

36. Chapter 3  Symmetric Key Cryptosystems 36 DES - Summary  DES still widely used  56-bit key o 1998, EFF built $220,000 DES cracker, requires about 4 days/key  DES also important historically  Late 90’s AES competition produced several strong crypto algorithms

37. Chapter 3  Symmetric Key Cryptosystems 37 AES - History  1997: NIST requests proposals for a new Advanced Encryption Standard (AES) to replace DES  NIST required that the algorithm be: o A symmetric-key cryptosystem o A block cipher o Capable of supporting a block size of 128 bits o Capable of supporting key lengths of 128, 192, and 256 bits o Available on a worldwide, non-exclusive, royalty-free basis  Evaluation criteria: o Security - soundness of the mathematical basis and the results of analysis by the research community o Computational efficiency, memory requirements, flexibility, and simplicity

38. Chapter 3  Symmetric Key Cryptosystems 38 AES – Round 1 of the Competition  NIST selects 15 submissions for evaluation: o CAST-256 (Entrust Technologies, Inc.) o Crypton (Future Systems, Inc.) o DEAL (Richard Outerbridge, Lars Knudsen) o DFC (Centre National pour la Recherche Scientifique—Ecole Normale Superieure) o E2 (Nippon Telegraph and Telephone Corporation) o Frog (TecApro Internacional S.A.) o HPC (Rich Schroeppel) o Loki97 (Lawrie Brown, Josef Pieprzyk, Jennifer Seberry) o Magenta (Deutsche Telekom AG) o MARS (IBM) o RC6 (RSA Laboratories) o Rijndael (Joan Daemen, Vincent Rijmen) o SAFER+ (Cylink Corporation) o Serpent (Ross Anderson, Eli Biham, Lars Knudsen) o Twofish (Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, Niels Ferguson)

39. Chapter 3  Symmetric Key Cryptosystems 39 AES – Round 1 Results  After eight months of analysis and public comment, NIST: o Eliminated DEAL, Frog, HPC, Loki97, and Magenta  Had what NIST considered major security flaws  Were among the slowest algorithms submitted o Eliminated Crypton, DFC, E2, and SAFER+  Had what NIST considered minor security flaws  Had unimpressive characteristics on the other evaluation criteria o Eliminated CAST-256  Had mediocre speed and large ROM requirements  Five candidates, MARS, RC6, Rijndael, Serpent, and Twofish, advanced to the second round

40. Chapter 3  Symmetric Key Cryptosystems 40 AES – Results  Analysis and public comment on the five finalists  October 2000: NIST: o Eliminates MARS  High security margin o Eliminates RC6  Adequate security margin, fast encryption and decryption on 32-bit platforms o Eliminates Serpent  High security margin o Eliminates Twofish  High security margin o Selects Rijndael  Adequate security margin, fast encryption, decryption, and key setup speeds, low RAM and ROM requirements

41. Chapter 3  Symmetric Key Cryptosystems 41 AES – Rijndael Algorithm  Symmetric-key block cipher o Block sizes are 128, 192, or 256 bits o Key lengths are 128, 192, or 256 bits  Performs several rounds of operations to transform each block of plaintext into a block of ciphertext o The number of rounds depends on the block size and the length of the key:  Nine regular rounds if both the block and key are 128 bits  Eleven regular rounds if either the block or key are 192 bits  Thirteen regular rounds if either the block or key is 256 bits o One, slightly different, final round is performed after the regular rounds

42. Chapter 3  Symmetric Key Cryptosystems 42 AES – Rijndael Algorithm (cont)  For a 128-bit block of plaintext and a 128-bit key the algorithm performs: o An initial AddRoundKey (ARK) operation o Nine regular rounds composed of four operations:  ByteSub (BSB)  ShiftRow (SR)  MixColumn (MC)  AddRoundKey (ARK) o One final (reduced) round composed of three operations:  ByteSub (BSB)  ShiftRow (SR)  AddRoundKey (ARK)

43. Chapter 3  Symmetric Key Cryptosystems 43 AES – Rijndael Overview

44. Chapter 3  Symmetric Key Cryptosystems 44 AES – Rijndael Keys  Keys are expressed as 128-bit (or bigger) quantities  Keyspace contains at least 2 128 elements: o 340,282,366,920,938,463,463,374,607,431,768,211,4 56  Exhaustive search at one trillion keys per second takes: o 1x10 19 years (the universe is thought to be about 1x10 10 years old)

45. Chapter 3  Symmetric Key Cryptosystems 45 AES – Rijndael Keys (cont)  Blocks and keys are represented as a two- dimensional array of bytes with four rows and four columns: o Block = 128 bits = 16 bytes = b 0, b 1,..., b 15 o Key = 128 bits = 16 bytes = k 0, k 1,..., k 15

46. Chapter 3  Symmetric Key Cryptosystems 46 AES - The ByteSub Operation  An S-box is applied to each of the 16 input bytes independently  Each byte is replaced by the output of the S-box:

47. Chapter 3  Symmetric Key Cryptosystems 47 AES – The Rijndael S-box

48. Chapter 3  Symmetric Key Cryptosystems 48 AES – The Rijndael S-box (cont)  The input to the S-box is one byte:  Example 1: o b 0 = 01101011 (binary) = 6b (hex) o b’ 0 = row 6, column b = 7f (hex) = 01111111 (binary)  Example 2: o b 1 = 00001000 (binary) = 08 (hex) o b’ 1 = row 0, column 8 = 30 (hex) = 00110000 (binary)  Example 3: o b 2 = 11111001 (binary) = f9 (hex) o b’ 2 = row f, column 9 = 99 (hex) = 10011001 (binary)

49. Chapter 3  Symmetric Key Cryptosystems 49 AES - ShiftRow Operation  Each row of the input is circularly left shifted: o First row by zero places o Second row by one place o Third row by two places o Fourth row by three places

50. Chapter 3  Symmetric Key Cryptosystems 50 AES - The MixColumn Operation  The four bytes in each input column are replaced with four new bytes:

51. Chapter 3  Symmetric Key Cryptosystems 51 AES - The AddRoundKey Operation  Each byte of the input block is XORed with the corresponding byte of the round subkey:

52. Chapter 3  Symmetric Key Cryptosystems 52 AES – Rijndael Overview

53. Chapter 3  Symmetric Key Cryptosystems 53 AES Summary  The research community participated very actively and expertly in the design and evaluation of the candidate algorithms  The AES selection process served to raise public awareness of cryptography and its importance  The AES algorithm is starting to be widely used  The AES should offer useful cryptographic protection for at least the next few decades

54. Chapter 3  Symmetric Key Cryptosystems 54 Summary  DES (56-bit keys): Each 64-bit block of plaintext goes through: o Initial permutation o Sixteen rounds of substitution and transposition operations o Final permutation  AES (128-bit keys): Each 128-bit block of plaintext goes through: o An initial AddRoundKey (ARK) operation o Nine rounds of operations (BSB, SR, MC, ARK) o One final (reduced) round