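[Figure: overview of cryptology. Cryptology divides into Cryptography and Cryptanalysis; Cryptography into Symmetric Ciphers, Asymmetric Ciphers and Protocols; Symmetric Ciphers into Block Ciphers and Stream Ciphers.]
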
[Figure: a stream cipher with key K maps the plaintext bits x0, x1, ..., xb to the ciphertext bits y0, y1, ..., yb; a block cipher with key K maps the block x0, x1, ..., xb to the block y0, y1, ..., yb.]

Stream ciphers:
- Encrypt bits individually.
- Usually small and fast; common in embedded devices (e.g., A5/1 for GSM/UMTS phones).

Block ciphers:
- Always encrypt a full block (several bits).
- Are common for Internet applications.

Claude Shannon: There are two properties that strong encryption algorithms must possess:
1. Confusion: An encryption operation where the relationship between key and ciphertext is obscured. Today, a common element for achieving confusion is substitution, which is found in both AES and DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is spread over many ciphertext symbols with the goal of hiding statistical properties of the plaintext. A simple diffusion element is the bit permutation, which is frequently used within DES.

[Figure: the message m passes through alternating confusion and diffusion stages, with a key expansion block, to produce the ciphertext c.]

Cipher          Block/key size    Speed (MB/sec)
Stream ciphers:
  RC4                             126
  Salsa20/12                      643
  Sosemanuk                       727
Block ciphers:
  3DES          64/168            13
  AES           128/128           109

DES

[Figure: a block cipher. E and D map an n-bit plaintext (PT) block to an n-bit ciphertext (CT) block under a k-bit key.]

Canonical examples:
- 3DES: n = 64 bits, k = 168 bits
- AES: n = 128 bits, k = 128, 192, 256 bits
- DES: n = 64 bits, k = 56 bits

Top description:
- Two permutations.
- Key expansion.
- Feistel network.

[Figure: DES encryption. The 64-bit input passes through IP, then the Feistel network rounds keyed with k1, k2, ..., k16 from the key expansion, then IP^-1, giving the 64-bit output.]

[Figure: Feistel network. The input is split into two n-bit halves L0 and R0; round i uses f_i to produce L_i and R_i, for i = 1, ..., d; the output is L_d, R_d.]

Question 1: who is being encrypted? R0 or L0?
Question 2: what kind of encryption is being used?

Claim: for all $f_1, \ldots, f_d : \{0,1\}^n \to \{0,1\}^n$, the Feistel network $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible.

Proof: construct inverse.

[Figure: round i, taking L_{i-1} and R_{i-1} through f_i to L_i and R_i, next to its inverse.]

Cryptography I, Dan Boneh

Proof (continued): in the inverse of round i, $R_{i-1} = L_i$.

DES round function f:
1. Expansion E
2. XOR with round key
3. S-box substitution
4. Permutation

1. Expansion E
   Main purpose: increases diffusion.

3. S-Box substitution

4. Permutation P
   - Bitwise permutation.
   - Introduces diffusion.
   - Output bits of one S-Box affect several S-Boxes in the next round.
   - Diffusion by E, S-Boxes and P guarantees that after Round 5 every bit is a function of each key bit and each plaintext bit.

Initial permutation IP:

58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP^-1 is the inverse permutation of IP.

What is left to do?

Top description:
- Two permutations.
- Inverse key expansion.
- Feistel network.

[Figure: DES decryption. The 64-bit input passes through IP, then the inverse Feistel network rounds keyed with k16, k15, ..., k1 from the inverse key expansion, then IP^-1, giving the 64-bit output.]

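[Figure: inverse key expansion. The key k passes through PC-1 (Transform 1) to give C16, D16, from which PC-2 produces K16; the steps RS1, RS2, ..., RS15 then yield C15, D15 down to C1, D1, and PC-2 produces K15, ..., K1.]
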
[Figure: the 16-round Feistel network for encryption, taking the n-bit halves L0 and R0 through f1, f2, ..., f16 to L16 and R16, next to the network for decryption, taking L16 and R16 through f16, f15, ..., f1 back to L0 and R0.]

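
The invertibility claim and the decryption network above can be checked directly. The following is an added example, not code from the original slides: the round functions (truncated SHA-256 and a constant function) and the round keys are constructed for illustration, and the round equations are the standard Feistel ones consistent with $R_{i-1} = L_i$.

```python
import hashlib

N = 4  # bytes per half: n = 32 bits, as in DES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hash_round(key: bytes):
    """Constructed round function f_i: truncated SHA-256, NOT invertible."""
    return lambda half: hashlib.sha256(key + half).digest()[:N]

def feistel(block: bytes, fs) -> bytes:
    """Forward network: L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1})."""
    L, R = block[:N], block[N:]
    for f in fs:
        L, R = R, xor(L, f(R))
    return L + R

def feistel_inverse(block: bytes, fs) -> bytes:
    """Inverse rounds, last first: R_{i-1} = L_i, L_{i-1} = R_i XOR f_i(L_i)."""
    L, R = block[:N], block[N:]
    for f in reversed(fs):
        L, R = xor(R, f(L)), L
    return L + R

def swap(block: bytes) -> bytes:
    return block[N:] + block[:N]

def decrypt_with_forward_circuit(block: bytes, fs) -> bytes:
    """Same circuit as encryption with the halves swapped and the round
    functions in reverse order (f_16 ... f_1): only the key order changes."""
    return swap(feistel(swap(block), list(reversed(fs))))

# Constructed sample data: 16 rounds with hypothetical one-byte round keys,
# and a constant round function showing that f_i need not be injective.
ROUNDS = [hash_round(bytes([i])) for i in range(1, 17)]
DEGENERATE = [lambda half: b"\x00" * N] * 16
MESSAGE = b"8 bytes!"

if __name__ == "__main__":
    c = feistel(MESSAGE, ROUNDS)
    print(c.hex(), feistel_inverse(c, ROUNDS),
          decrypt_with_forward_circuit(c, ROUNDS))
```
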
Analytical attacks:
- Ciphertext-only attacks.
- Known plaintext.
- Chosen ciphertext.
- Chosen plaintext.

The first criticism of DES was that it changed the key length of the cipher from 128 in the IBM version to 56.

Definition of brute force attacks (aka exhaustive key search attacks):
- Input: at least one pair (m, c)
- Output: k, such that c = DES(m, k)
- Attack: test all $2^{56}$ possible keys until fulfilling the condition:

$\mathrm{DES}^{-1}(c, k_i) = m, \quad i = 0, 1, \ldots, 2^{56} - 1.$

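Theorem: Suppose DES is an ideal cipher ($2^{56}$ random invertible functions), then $\forall\, m, c$ there is at most one key $k$ s.t. $c = \mathrm{DES}(k, m)$ with prob. $\ge 1 - 1/256 \approx 99.5\%$.

Proof: Union bound

$$\Pr\big(\exists\, k' \ne k : c = \mathrm{DES}(k, m) = \mathrm{DES}(k', m)\big) \le \sum_{k' \in \{0,1\}^{56}} \Pr\big(\mathrm{DES}(k, m) = \mathrm{DES}(k', m)\big) \le 2^{56} \cdot \frac{1}{2^{64}} = \frac{1}{2^{8}}$$
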
Theorem: Given a block cipher with a key length of k and block size n and t pairs of CT/PT, then the expected number (or the probability) of false keys is: $2^{k - tn}$

History of attacks:
- In 1977 it was (under-)estimated that it would cost only $20,000,000.
- In 1993 Michael Wiener proposed a design that would cost $1,000,000 and find the key in 1.5 days.
- In 1998 the Electronic Frontier Foundation built a hardware machine, Deep Crack, that broke the key in 15 days and cost $250,000.
- In 2006 the Universities of Bochum and Kiel, in Germany, built COPACABANA (120 FPGAs), which breaks DES in less than 7 days for around $10,000.

In some situations we wish to increase the security of block ciphers, e.g., if a cipher such as DES is available in hardware or software for legacy reasons in a given application.

Two approaches are possible:
- Multiple encryption: theoretically much more secure, but sometimes in practice increases the security very little
- Key whitening

Assuming a key length of k bits, an exhaustive key search would require $2^k \cdot 2^k = 2^{2k}$ encryptions or decryptions.

Phase I: for the given $(x_1, y_1)$ the left encryption is brute-forced for all $k_{L,i}$, $i = 1, 2, \ldots, 2^k$, and a lookup table with $2^k$ entries (each n+k bits wide) is computed. The lookup table should be ordered by the result of the encryption ($z_{L,i}$).

Phase II: the right encryption is brute-forced (using decryption) and for each $z_{R,i}$ it is checked whether $z_{R,i}$ is equal to any $z_{L,i}$ value in the table of the first phase.

Computational complexity:
- Number of encryptions and decryptions: $2^k + 2^k = 2^{k+1}$
- Number of storage locations: $2^k$

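
Phase I and Phase II above (the meet-in-the-middle attack on double encryption), together with the false-key theorem stated earlier, can be run on a toy scale to see why doubling the key length adds so little. This is an added example, not code from the original slides: the 16-bit cipher with an 8-bit key, the secret key pair and the plaintexts are all constructed for illustration.

```python
K_BITS, MASK = 8, 0xFFFF            # toy sizes: k = 8 key bits, n = 16 block bits
MUL = 0x9E37                        # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def enc(k, x):
    """Constructed toy block cipher, for illustration only (not secure)."""
    for r in range(4):
        x = rotl(((x ^ (k * 0x0101) ^ r) * MUL) & MASK, 5)
    return x

def dec(k, y):
    for r in reversed(range(4)):
        y = ((rotl(y, 11) * MUL_INV) & MASK) ^ (k * 0x0101) ^ r
    return y

def double_enc(kl, kr, x):
    return enc(kr, enc(kl, x))

def meet_in_the_middle(pairs):
    (x1, y1), rest = pairs[0], pairs[1:]
    # Phase I: tabulate z_L = enc(k_L, x1) for all 2^k left keys.
    # A dict indexed by z_L stands in for the table ordered by z_L.
    table = {}
    for kl in range(1 << K_BITS):
        table.setdefault(enc(kl, x1), []).append(kl)
    # Phase II: z_R = dec(k_R, y1) for all 2^k right keys; a hit is a candidate.
    candidates = [(kl, kr) for kr in range(1 << K_BITS)
                  for kl in table.get(dec(kr, y1), [])]
    # False keys: with total key length 2k = 16 and n = 16, an ideal cipher
    # leaves about 2^(2k - n) = 1 false key after one pair and about
    # 2^(2k - 2n) after two, so further pairs are used to confirm.
    confirmed = [key for key in candidates
                 if all(double_enc(*key, x) == y for x, y in rest)]
    return candidates, confirmed

TRUE_KEY = (0x3A, 0xC5)             # constructed secret (k_L, k_R)
PAIRS = [(x, double_enc(*TRUE_KEY, x)) for x in (0x1234, 0xBEEF)]

if __name__ == "__main__":
    cands, conf = meet_in_the_middle(PAIRS)
    print(len(cands), "candidates after one pair;", conf, "after two")
```

The search costs 2^8 + 2^8 cipher calls and 2^8 table entries instead of the 2^16 calls of exhaustive search over both keys.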
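Triple encryption using DES is often used in practice to extend the effective key length of DES to 112.

$c = \mathrm{DES}(k_3, \mathrm{DES}(k_2, \mathrm{DES}(k_1, m)))$

Alternative version:

$c = \mathrm{DES}(k_3, \mathrm{DES}^{-1}(k_2, \mathrm{DES}(k_1, m)))$

Advantage: choosing k1 = k2 = k3 performs single encryption.
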
Key whitening:
- Makes block ciphers such as DES much more resistant against brute-force attacks.

[Figure: the message m is combined with k1, encrypted with DES under k2, and combined with k3 to give c.]

$c = k_3 \oplus \mathrm{DES}(k_2, m \oplus k_1)$

key-len = 64 + 56 + 64 = 184 bits, but easy attack in time $2^{64+56} = 2^{120}$

- It does not strengthen block ciphers against most analytical attacks such as linear and differential cryptanalysis => It is not a cure for inherently weak ciphers.
- The additional computational load is negligible.