
3. Data Encryption Standard

Introduction to block ciphers


DES
On the security of DES
Strengthening DES

General course presentation

Course lectures are the most important.

Understanding Cryptography by Christof Paar and Jan Pelzl, Springer.


Cryptography I by Dan Boneh, http://coursera.org/.

Introduction to block ciphers

Cryptology
  Cryptography
    Symmetric Ciphers
      Block Ciphers
      Stream Ciphers
    Asymmetric Ciphers
    Protocols
  Cryptanalysis

Introduction to block ciphers

A cipher (or cryptosystem) defined over (K, M, C) is a pair of efficient algorithms (E, D), where $E: K \times M \to C$ and $D: K \times C \to M$, such that for any $m \in M$, $k \in K$:
$D(k, E(k, m)) = m$ (consistency property)
"Efficient" depends on the application: it must run in a certain time or use a certain amount of computing power.
Algorithm E is a randomized algorithm.
Algorithm D is always deterministic.

Introduction to block ciphers

[Figure: a stream cipher with key K maps the bits x0, x1, ..., xb to y0, y1, ..., yb one at a time; a block cipher with key K maps the whole block x0, x1, ..., xb to y0, y1, ..., yb at once.]

Stream ciphers:
Encrypt bits individually
Usually small and fast; common in embedded devices (e.g., A5/1 for GSM/UMTS phones)

Block ciphers:
Always encrypt a full block (several bits)
Are common for Internet applications.

Introduction to block ciphers

Claude Shannon: There are two properties that strong encryption algorithms must possess:
1. Confusion: An encryption operation where the relationship between key and ciphertext is obscured.
Today, a common element for achieving confusion is substitution, which is found in both AES and DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is spread over many ciphertext symbols with the goal of hiding statistical properties of the plaintext.
A simple diffusion element is the bit permutation, which is frequently used within DES.

Neither operation can provide security by itself. The idea is to concatenate confusion (substitution) and diffusion (permutation) elements to build so-called product ciphers.

Understanding Cryptography by Christof Paar and Jan Pelzl

Introduction to block ciphers

[Figure: product cipher. The message m passes through alternating confusion and diffusion rounds to produce the ciphertext c; the key expansion feeds the rounds.]

Most of today's block ciphers are product ciphers, as they consist of rounds which are applied repeatedly to the data.
The other important part of a block cipher is the key expansion.

Introduction to block ciphers

AMD Opteron, 2.2 GHz (Linux), Crypto++ 5.6.0. [Wei Dai]

Type    Cipher       Block/key size   Speed (MB/sec)
Stream  RC4                           126
Stream  Salsa20/12                    643
Stream  Sosemanuk                     727
Block   3DES         64/168           13
Block   AES          128/128          109

Cryptography I, Dan Boneh

DES

[Figure: an n-bit plaintext (PT) block and a k-bit key enter E, D; the result is an n-bit ciphertext (CT) block.]

Canonical examples:
3DES: n = 64 bits, k = 168 bits
AES: n = 128 bits, k = 128, 192, 256 bits
DES: n = 64 bits, k = 56 bits

DES

Early 1970s: Horst Feistel designs Lucifer at IBM
    key-len = 128 bits; block-len = 128 bits
1973: NBS asks for block cipher proposals.
    IBM submits variant of Lucifer.
1976: NBS adopts DES as a federal standard
    key-len = 56 bits; block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES

DES remains widely deployed in legacy systems.
3DES and DESX are secure ciphers that are based on DES.

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

[Figure: the 64-bit input passes through IP, then Feistel network rounds keyed with k1, k2, ..., k16 from the key expansion, then IP-1, giving the 64-bit output.]

DES

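Given functions $f_1, \ldots, f_d: \{0,1\}^n \to \{0,1\}^n$
Goal: build invertible function $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$

[Figure: Feistel network. The input is split into two n-bit halves L0 and R0; rounds f1, f2, ..., fd produce (L1, R1), (L2, R2), ..., (Ld-1, Rd-1) and the output (Ld, Rd).]

Question 1: who is being encrypted? R0 or L0?
Question 2: what kind of encryption is being used?

Cryptography I, Dan Boneh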

DES

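[Figure: Feistel network from the input (L0, R0), two n-bit halves, through rounds f1, f2, ..., fd to the output (Ld, Rd).]

Claim: for all $f_1, \ldots, f_d: \{0,1\}^n \to \{0,1\}^n$, the Feistel network $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible.
Proof: construct the inverse.

[Figure: round i maps (Li-1, Ri-1) to (Li, Ri) using fi; the inverse round maps (Li, Ri) back to (Li-1, Ri-1).]

Inverse of round i:
$R_{i-1} = L_i$
$L_{i-1} = f_i(L_i) \oplus R_i$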

Cryptography I, Dan Boneh
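
The claim above, as an added example in Python (not code from the course slides): a Feistel network whose round functions are themselves not invertible, with the inverse constructed round by round and with decryption run through the same forward network. The names hash_round, constant_round and ROUNDS and the choice n = 32 are assumptions made for the demonstration.

```python
import hashlib

N_BYTES = 4                                   # n = 32 bits per half (demo choice)

def hash_round(round_key: bytes):
    """f_i built from truncated SHA-256: many-to-one, so f_i has no inverse."""
    def f(x: int) -> int:
        data = round_key + x.to_bytes(N_BYTES, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:N_BYTES], "big")
    return f

def constant_round(x: int) -> int:
    """Degenerate f_i that ignores its input; the claim covers it too."""
    return 0xDEADBEEF

def feistel_forward(left, right, fs):
    # Round i: L_i = R_{i-1} and R_i = f_i(R_{i-1}) XOR L_{i-1}
    for f in fs:
        left, right = right, f(right) ^ left
    return left, right

def feistel_inverse(left, right, fs):
    # Inverse round i: R_{i-1} = L_i and L_{i-1} = f_i(L_i) XOR R_i
    for f in reversed(fs):
        left, right = f(left) ^ right, left
    return left, right

def decrypt_with_forward_circuit(left, right, fs):
    """Swap the halves, run the SAME forward network with the round
    functions in reverse order, swap back. This is why a Feistel cipher
    needs only a reversed key schedule to decrypt."""
    r, l = feistel_forward(right, left, list(reversed(fs)))
    return l, r

# Constructed round functions: 16 keyed hash rounds, one replaced by a constant
ROUNDS = [hash_round(bytes([i])) for i in range(16)]
ROUNDS[5] = constant_round

if __name__ == "__main__":
    pt = (0x01234567, 0x89ABCDEF)             # constructed plaintext halves
    ct = feistel_forward(*pt, ROUNDS)
    print([hex(v) for v in ct])
    print(feistel_inverse(*ct, ROUNDS) == pt)
    print(decrypt_with_forward_circuit(*ct, ROUNDS) == pt)
```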

DES

Main operation of DES
f-function inputs: $R_{i-1}$ and round key $k_i$
4 steps:

1. Expansion E
2. XOR with round key
3. S-box substitution
4. Permutation

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

1. Expansion E
Main purpose: increases diffusion

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

2. XOR round key

Bitwise XOR of the round key and the output of the expansion function E
Round keys are derived from the main key in the DES key schedule (in a few slides)

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

3. S-box substitution

Eight substitution tables.
6 bits of input, 4 bits of output.
Non-linear and resistant to differential cryptanalysis.
Crucial element for DES security!

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

4. Permutation P
Bitwise permutation.
Introduces diffusion.
Output bits of one S-box affect several S-boxes in the next round.
Diffusion by E, S-boxes and P guarantees that after round 5 every bit is a function of each key bit and each plaintext bit.

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

Derives 16 round keys (or subkeys) $k_i$ of 48 bits each from the original 56-bit key.

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

Permutations are easy to implement in hardware, but not in software.
They do not increase the security.
It is not exactly clear why they are part of the standard: it is supposed that they would have facilitated implementation in the hardware of the 70s.

IP (initial permutation) table:

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

What is left to do?

[Figure: DES encryption structure: 64-bit input, IP, Feistel network rounds keyed with k1, k2, ..., k16 from the key expansion, IP-1, 64-bit output.]

DES

Top description:
Two permutations.
Inverse key expansion.
Feistel network.

[Figure: DES decryption structure. The 64-bit input passes through IP, then the inverse Feistel network rounds keyed with k16, k15, ..., k1 from the inverse key expansion, then IP-1, giving the 64-bit output.]

DES

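Inverse key schedule:
[C16, D16] = [C0, D0].

[Figure: reversed key schedule. The key k passes through PC-1 to give (C16, D16), from which PC-2 yields K16. The shifts RS1, RS2, ..., RS15 then produce (C15, D15), ..., (C1, D1), and PC-2 yields K15, ..., K1 in turn.]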

DES

Encryption with Feistel network:

[Figure: input (L0, R0), two n-bit halves, through rounds f1, f2, ..., f16 to the output (L16, R16).]

Decryption with Feistel network:

[Figure: input (L16, R16), two n-bit halves, through rounds f16, f15, ..., f1 back to the output (L0, R0).]

On the security of DES

Analytical attacks:

Ciphertext-only attacks.
Known plaintext.
Chosen ciphertext.
Chosen plaintext.

On the security of DES

None until 1990.
In 1990 Eli Biham and Adi Shamir discover differential cryptanalysis => only $2^{47}$ chosen plaintexts and their corresponding ciphertexts are needed to break k.
In 1993 Mitsuru Matsui discovers linear cryptanalysis => only $2^{43}$ chosen plaintexts and their corresponding ciphertexts are needed to break the cipher.
The attacks mentioned above are difficult to implement => DES is considered secure from the perspective of analytical attacks.

On the security of DES

The first criticism of DES was that it changed the key length of the cipher from 128 in the IBM version to 56.
Definition of brute-force attacks (aka exhaustive key search attacks):
Input: at least one pair (m, c)
Output: k, such that c = DES(m, k)
Attack: test all $2^{56}$ possible keys until fulfilling the condition: $DES^{-1}(c, k_i) = m$, $i = 0, 1, \ldots, 2^{56} - 1$.

Theorem:
Suppose DES is an ideal cipher ($2^{56}$ random invertible functions), then $\forall m, c$ there is at most one key k s.t. c = DES(k, m) with prob. $\geq 1 - 1/256 \approx 99.5\%$

Proof (union bound):
$\Pr(\exists k' \neq k : c = DES(k, m) = DES(k', m)) \leq \sum_{k' \in \{0,1\}^{56}} \Pr(DES(k, m) = DES(k', m)) \leq 2^{56} \cdot 1/2^{64} = 1/2^{8}$

On the security of DES

Theorem:
Given a block cipher with a key length of k and block size n and t pairs of CT/PT, then the expected number (or the probability) of false keys is:
$2^{k - tn}$

On the security of DES

History of attacks:
In 1977 it was (under-)estimated that it would cost only $20.000.000.
In 1993 Michael Wiener proposed a design that would cost $1.000.000 and find the key in 1,5 days.
In 1998 the Electronic Frontier Foundation built a hardware machine, Deep Crack, that broke the key in 15 days and cost $250.000.
In 2006 the Universities of Bochum and Kiel, in Germany, built COPACABANA (120 FPGAs), which breaks DES in less than 7 days for around $10.000.

On the security of DES

In some situations we wish to increase the security of block ciphers, e.g., if a cipher such as DES is available in hardware or software for legacy reasons in a given application.
Two approaches are possible:
Multiple encryption
    theoretically much more secure, but sometimes in practice increases the security very little
Key whitening

On the security of DES

The main problem of DES is the length of the key.
If we double encrypt, the key length doubles:

[Figure: double encryption of the message m.]

Assuming a key length of k bits, an exhaustive key search would require $2^k \cdot 2^k = 2^{2k}$ encryptions or decryptions.

On the security of DES

A Meet-in-the-Middle attack requires $2^k + 2^k = 2^{k+1}$ operations!

Phase I: for the given $(x_1, y_1)$ the left encryption is brute-forced for all $k_{L,i}$, $i = 1, 2, \ldots, 2^k$, and a lookup table with $2^k$ entries (each n+k bits wide) is computed
the lookup table should be ordered by the result of the encryption ($z_{L,i}$)
Phase II: the right encryption is brute-forced (using decryption) and for each $z_{R,i}$ it is checked whether $z_{R,i}$ is equal to any $z_{L,i}$ value in the table of the first phase

Computational complexity
Number of encryptions and decryptions: $2^k + 2^k = 2^{k+1}$
Number of storage locations: $2^k$

Double encryption is not much more secure than single encryption!
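
The two phases above, as an added example (not from the slides), run against double encryption with a constructed toy cipher (16-bit block, 12-bit key) so that the cost difference is visible in well under a second. toy_encrypt, its constants and the sample keys are assumptions and are unrelated to DES; a dict stands in for the ordered lookup table, and the extra plaintext/ciphertext pairs weed out false keys.

```python
from collections import defaultdict

K_BITS, MASK = 12, 0xFFFF            # toy parameters: k = 12, n = 16
MUL = 0x6487                         # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def toy_encrypt(key, x):
    """Constructed toy cipher, NOT DES: 4 rounds of add-key, multiply, xorshift."""
    for r in range(4):
        x = ((x + key * 0x9E37 + r) * MUL) & MASK
        x ^= x >> 7
    return x

def toy_decrypt(key, y):
    for r in reversed(range(4)):
        y ^= (y >> 7) ^ (y >> 14)    # undoes x ^= x >> 7 on 16 bits
        y = (y * MUL_INV - key * 0x9E37 - r) & MASK
    return y

def double_encrypt(k_left, k_right, x):
    return toy_encrypt(k_right, toy_encrypt(k_left, x))

def meet_in_the_middle(pairs):
    """Return (surviving (k_left, k_right) pairs, cipher calls in phases I+II)."""
    (x1, y1), extra = pairs[0], pairs[1:]
    calls = 0
    table = defaultdict(list)        # Phase I: z_L -> every k_L producing it
    for k_left in range(1 << K_BITS):
        table[toy_encrypt(k_left, x1)].append(k_left)
        calls += 1
    survivors = []
    for k_right in range(1 << K_BITS):       # Phase II: z_R by decryption
        z_right = toy_decrypt(k_right, y1)
        calls += 1
        for k_left in table.get(z_right, ()):
            # A match on one pair may be a false key; check the other pairs
            if all(double_encrypt(k_left, k_right, x) == y for x, y in extra):
                survivors.append((k_left, k_right))
    return survivors, calls

# Constructed secret keys and known plaintexts for the demonstration
SECRET = (0x3A7, 0xC15)
PAIRS = [(x, double_encrypt(*SECRET, x)) for x in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    found, calls = meet_in_the_middle(PAIRS)
    print(f"{calls} cipher calls instead of {1 << (2 * K_BITS)}: {found}")
```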

On the security of DES

Triple encryption using DES is often used in practice to extend the effective key length of DES to 112.

[Figure: triple encryption of the message m.]

$c = E(k_3, E(k_2, E(k_1, m)))$
Alternative version:
$c = E(k_3, E^{-1}(k_2, E(k_1, m)))$
Advantage: choosing k1 = k2 = k3 performs single encryption.

No practical attack known today.
Used in many legacy applications, e.g., in banking systems.

On the security of DES

Key whitening makes block ciphers such as DES much more resistant against brute-force attacks.

[Figure: m is combined with k1, encrypted with DES under k2, and combined with k3 to give c.]

$c = k_3 \oplus DES(k_2, m \oplus k_1)$
key-len = 64+56+64 = 184 bits
but easy attack in time $2^{64+56} = 2^{120}$
It does not strengthen block ciphers against most analytical attacks such as linear and differential cryptanalysis => it is not a cure for inherently weak ciphers.
The additional computational load is negligible.
