
# 3. Stream Ciphers

## Introduction to block ciphers

DES
On the security of DES
Strengthening DES


Understanding Cryptography by Christof Paar and Jan Pelzl, Springer.
Cryptography I by Dan Boneh, http://coursera.org/.

Figure: overview of the field. Cryptology splits into cryptography and cryptanalysis; cryptography covers symmetric ciphers (block ciphers and stream ciphers), asymmetric ciphers and protocols.

A cipher (or cryptosystem) defined over $(K, M, C)$ is a pair of efficient algorithms $(E, D)$ where $E: K \times M \to C$ and $D: K \times C \to M$ so that for any $m \in M$, $k \in K$:
$D(k, E(k, m)) = m$ (consistency property)
"Efficient" depends on the application: it must run in a certain time or use a certain amount of computing power.
Algorithm E is a randomized algorithm.
Algorithm D is always deterministic.

## Introduction to block ciphers

Figure: a stream cipher takes the key K and the bits x0, x1, …, xb and outputs y0, y1, …, yb; a block cipher takes the key K and the whole block x0, x1, …, xb at once and outputs the block y0, y1, …, yb.

Stream ciphers:
Encrypt bits individually.
Usually small and fast; common in embedded devices (e.g., A5/1 for GSM/UMTS phones).

Block ciphers:
Always encrypt a full block (several bits).
Are common for Internet applications.

## Introduction to block ciphers

Claude Shannon: There are two properties that strong encryption algorithms must possess:
1. Confusion: An encryption operation where the relationship between key and ciphertext is obscured. Today, a common element for achieving confusion is substitution, which is found in both AES and DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is spread over many ciphertext symbols with the goal of hiding statistical properties of the plaintext. A simple diffusion element is the bit permutation, which is frequently used within DES.

Both operations by themselves cannot provide security. The idea is to concatenate confusion (substitution) and diffusion (permutation) elements to build so-called product ciphers.

Figure: product cipher. The message m passes through alternating confusion and diffusion stages, fed by the key expansion, to produce the ciphertext c.

Most of today's block ciphers are product ciphers, as they consist of rounds which are applied repeatedly to the data.
The other important part of a block cipher is the key expansion.

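| Type | Cipher | Block/key size (bits) | Speed (MB/sec) |
|---|---|---|---|
| Stream | RC4 | | 126 |
| Stream | Salsa20/12 | | 643 |
| Stream | Sosemanuk | | 727 |
| Block | 3DES | 64/168 | 13 |
| Block | AES | 128/128 | 109 |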


DES

Figure: a block cipher (E, D) maps an n-bit plaintext (PT) block to an n-bit ciphertext (CT) block under a k-bit key.

Canonical examples:
3DES: n = 64 bits, k = 168 bits
AES: n = 128 bits, k = 128, 192, 256 bits
DES: n = 64 bits, k = 56 bits

Early 1970s: Horst Feistel designs Lucifer at IBM (key-len = 128 bits; block-len = 128 bits).
1973: NBS asks for block cipher proposals. IBM submits a variant of Lucifer.
1976: NBS adopts DES as a federal standard (key-len = 56 bits; block-len = 64 bits).
1997: DES broken by exhaustive search.
2000: NIST adopts Rijndael as AES to replace DES.
DES remains widely deployed in legacy systems.
3DES and DESX are secure ciphers that are based on DES.

Top description:
Two permutations.
Key expansion.
Feistel network.

Figure: DES structure. The 64-bit input passes through the initial permutation IP, 16 Feistel rounds keyed by k1, k2, …, k16 from the key expansion, and the final permutation IP⁻¹ to give the 64-bit output.

Given functions $f_1, \dots, f_d: \{0,1\}^n \to \{0,1\}^n$
Goal: build invertible function $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$

Figure: Feistel network. The $2n$-bit input is split into the $n$-bit halves $L_0$ and $R_0$; round $i$ uses $f_i$ to turn $(L_{i-1}, R_{i-1})$ into $(L_i, R_i)$, and $(L_d, R_d)$ is the output.

Question 1: who is being encrypted? R0 or L0?
Question 2: what kind of encryption is being used?

Claim: for all $f_1, \dots, f_d: \{0,1\}^n \to \{0,1\}^n$, the Feistel network $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible.
Proof: construct the inverse.

Figure: round $i$ of the network, with $L_i = R_{i-1}$ and $R_i = f_i(R_{i-1}) \oplus L_{i-1}$, next to its inverse.

Inverse of round $i$:
$R_{i-1} = L_i$
$L_{i-1} = f_i(L_i) \oplus R_i$
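The inverse constructed in the proof, as runnable code (an added example, not from the slides or the cited course): the round functions are truncated SHA-256, which is not invertible, yet the network inverts exactly. It goes one step beyond the proof by also decrypting with the forward circuit and the round functions in reverse order, as DES does; `make_round_fn`, the round keys and the sample block are constructed for the demonstration.

```python
import hashlib

N = 32                      # half-block width n in bits (block is 2n = 64 bits)
MASK = (1 << N) - 1

def make_round_fn(round_key: bytes):
    """Build f_i from a round key; truncated SHA-256 is NOT invertible."""
    def f(x: int) -> int:
        digest = hashlib.sha256(round_key + x.to_bytes(N // 8, "big")).digest()
        return int.from_bytes(digest[:N // 8], "big")
    return f

def feistel(block: int, fns) -> int:
    """Forward network: L_i = R_{i-1}, R_i = f_i(R_{i-1}) XOR L_{i-1}."""
    left, right = block >> N, block & MASK
    for f in fns:
        left, right = right, f(right) ^ left
    return (left << N) | right

def feistel_inverse(block: int, fns) -> int:
    """Inverse from the proof: R_{i-1} = L_i, L_{i-1} = f_i(L_i) XOR R_i."""
    left, right = block >> N, block & MASK
    for f in reversed(fns):
        left, right = f(left) ^ right, left
    return (left << N) | right

def swap_halves(block: int) -> int:
    return ((block & MASK) << N) | (block >> N)

def decrypt_with_same_circuit(block: int, fns) -> int:
    """Decrypt by running the forward network with the round functions reversed."""
    return swap_halves(feistel(swap_halves(block), list(reversed(fns))))

ROUND_FNS = [make_round_fn(bytes([i]) * 4) for i in range(1, 17)]  # 16 constructed round keys
PLAINTEXT = 0x0123456789ABCDEF                                     # constructed sample block
CIPHERTEXT = feistel(PLAINTEXT, ROUND_FNS)

if __name__ == "__main__":
    print(f"ciphertext = {CIPHERTEXT:016x}")
    print("explicit inverse ok:", feistel_inverse(CIPHERTEXT, ROUND_FNS) == PLAINTEXT)
    print("same-circuit decrypt ok:",
          decrypt_with_same_circuit(CIPHERTEXT, ROUND_FNS) == PLAINTEXT)
```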

## main operation of DES

f-function inputs: $R_{i-1}$ and round key $k_i$.
4 steps:

1. Expansion E
2. XOR with round key
3. S-box substitution
4. Permutation

1. Expansion E
Main purpose: increases diffusion.

2. XOR with round key
Bitwise XOR of the round key and the output of the expansion function E.
Round keys are derived from the main key in the DES key schedule (in a few slides).

3. S-box substitution
Eight substitution tables.
6 bits of input, 4 bits of output.
Non-linear and resistant to differential cryptanalysis.
Crucial element for DES security!

4. Permutation P
Bitwise permutation.
Introduces diffusion.
Output bits of one S-box affect several S-boxes in the next round.
Diffusion by E, S-boxes and P guarantees that after round 5 every bit is a function of each key bit and each plaintext bit.

The key expansion derives 16 round keys (or subkeys) $k_i$ of 48 bits each from the original 56-bit key.

The initial and final permutations (IP and IP⁻¹) are easy to implement in hardware, but not in software.
They do not increase the security.
It is not exactly clear why they are part of the standard: it is supposed that they would have facilitated implementation in the hardware of the 70s.

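Initial permutation IP (IP⁻¹ is its inverse):

| IP | | | | | | | |
|---|---|---|---|---|---|---|---|
| 58 | 50 | 42 | 34 | 26 | 18 | 10 | 2 |
| 60 | 52 | 44 | 36 | 28 | 20 | 12 | 4 |
| 62 | 54 | 46 | 38 | 30 | 22 | 14 | 6 |
| 64 | 56 | 48 | 40 | 32 | 24 | 16 | 8 |
| 57 | 49 | 41 | 33 | 25 | 17 | 9 | 1 |
| 59 | 51 | 43 | 35 | 27 | 19 | 11 | 3 |
| 61 | 53 | 45 | 37 | 29 | 21 | 13 | 5 |
| 63 | 55 | 47 | 39 | 31 | 23 | 15 | 7 |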

What is left to do?

Top description:
Two permutations.
Inverse key expansion.
Feistel network.

Figure: the inverse of DES. The 64-bit input passes through IP, the inverse Feistel rounds keyed by k16, k15, …, k1 from the inverse key expansion, and IP⁻¹ to give the 64-bit output.

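## Inverse key schedule:

[C16, D16] = [C0, D0].

Figure: inverse key schedule. The key k passes through PC-1 to give (C16, D16), from which PC-2 produces K16; the successive right shifts RS1, RS2, …, RS15 give (C15, D15), …, (C1, D1), and PC-2 of each produces K15, …, K1.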
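Why [C16, D16] = [C0, D0] holds and how the right shifts walk the registers backwards, as an added example (not from the slides or the cited textbook). The per-round rotation amounts come from the DES standard rather than from this page, PC-1 and PC-2 are left out because they do not affect the register values, and the two 28-bit halves are constructed sample values.

```python
# DES left-rotation amounts for encryption rounds 1..16
# (taken from the DES standard; the slides do not list them).
LEFT_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
HALF_BITS = 28
HALF_MASK = (1 << HALF_BITS) - 1

def rotl28(v, r):
    return ((v << r) | (v >> (HALF_BITS - r))) & HALF_MASK

def rotr28(v, r):
    return rotl28(v, HALF_BITS - r)

def encryption_registers(c0, d0):
    """(C_1, D_1) ... (C_16, D_16): rotate left before each round key is taken."""
    out, c, d = [], c0, d0
    for s in LEFT_SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        out.append((c, d))
    return out

def decryption_registers(c0, d0):
    """(C_16, D_16) ... (C_1, D_1), reached from (C_0, D_0) with right shifts only."""
    c, d = c0, d0                          # [C_16, D_16] = [C_0, D_0]: no shift before k_16
    out = [(c, d)]
    for s in reversed(LEFT_SHIFTS[1:]):    # RS_1 .. RS_15 undo the left shifts of rounds 16 .. 2
        c, d = rotr28(c, s), rotr28(d, s)
        out.append((c, d))
    return out

C0, D0 = 0x0F0CCAA, 0x556678F              # constructed 28-bit halves, as if output by PC-1

if __name__ == "__main__":
    forward = encryption_registers(C0, D0)
    print("total left rotation:", sum(LEFT_SHIFTS), "bits")
    print("C16, D16 == C0, D0:", forward[-1] == (C0, D0))
    print("reverse order matches:", decryption_registers(C0, D0) == forward[::-1])
```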

Figure: the 16-round Feistel network, mapping the input (L0, R0) to the output (L16, R16) with f1, f2, …, f16, next to its inverse, which takes (R16, L16) as input and applies f16, f15, …, f1 to return (R0, L0).


## On the security of DES

Analytical attacks:

Ciphertext-only attacks.
Known plaintext.
Chosen ciphertext.
Chosen plaintext.

None until 1990.
In 1990 Eli Biham and Adi Shamir discover differential cryptanalysis => only $2^{47}$ chosen plaintexts and their corresponding ciphertexts are needed to break k.
In 1993 Mitsuru Matsui discovers linear cryptanalysis => only $2^{43}$ chosen plaintexts and their corresponding ciphertexts are needed to break the cipher.
The attacks mentioned above are difficult to implement => DES is considered secure from the perspective of analytical attacks.

## On the security of DES

The first criticism of DES was that it changed the key length of the cipher from 128 in the IBM version to 56.
Definition of brute-force attacks (aka exhaustive key search attacks):
Input: at least one pair $(m, c)$
Output: $k$, such that $c = \mathrm{DES}(k, m)$
Attack: test all $2^{56}$ possible keys until fulfilling the condition: $\mathrm{DES}^{-1}(k_i, c) = m$, $i = 0, 1, \dots, 2^{56} - 1$.

Theorem:
Suppose DES is an ideal cipher ($2^{56}$ random invertible functions). Then $\forall\, m, c$ there is at most one key $k$ s.t. $c = \mathrm{DES}(k, m)$ with prob. $\ge 1 - 1/256 \approx 99.5\%$.

Proof (union bound):

$$\Pr[\exists\, k' \ne k : c = \mathrm{DES}(k, m) = \mathrm{DES}(k', m)] \le \sum_{k' \in \{0,1\}^{56}} \Pr[\mathrm{DES}(k, m) = \mathrm{DES}(k', m)] \le 2^{56} \cdot \frac{1}{2^{64}} = \frac{1}{2^{8}}$$

## On the security of DES

Theorem:
Given a block cipher with a key length of $k$ and block size $n$ and $t$ pairs of CT/PT, then the expected number (or the probability) of false keys is:
$2^{k - tn}$

## On the security of DES

History of attacks:
In 1977 it was (under-)estimated that it would cost only \$20.000.000.
In 1993 Michael Wiener proposed a design that would cost \$1.000.000 and find the key in 1,5 days.
In 1998 the Electronic Frontier Foundation built a hardware machine, Deep Crack, that broke the key in 15 days and cost \$250.000.
In 2006 the Universities of Bochum and Kiel, in Germany, built COPACABANA (120 FPGAs), which breaks DES in less than 7 days for around \$10.000.


## On the security of DES

In some situations we wish to increase the security of block ciphers, e.g., if a cipher such as DES is available in hardware or software for legacy reasons in a given application.
Two approaches are possible:
1. Multiple encryption: theoretically much more secure, but sometimes in practice increases the security very little.
2. Key whitening.

The main problem of DES is the length of the key.
If we double encrypt, the key length doubles.
Assuming a key length of $k$ bits, an exhaustive key search would require $2^k \cdot 2^k = 2^{2k}$ encryptions or decryptions.

A meet-in-the-middle attack requires $2^k + 2^k = 2^{k+1}$ operations!

Phase I: for the given $(x_1, y_1)$ the left encryption is brute-forced for all $k_{L,i}$, $i = 1, 2, \dots, 2^k$, and a lookup table with $2^k$ entries (each $n + k$ bits wide) is computed. The lookup table should be ordered by the result of the encryption ($z_{L,i}$).
Phase II: the right encryption is brute-forced (using decryption) and for each $z_{R,i}$ it is checked whether $z_{R,i}$ is equal to any $z_{L,i}$ value in the table of the first phase.

Computational complexity
Number of encryptions and decryptions: $2^k + 2^k = 2^{k+1}$
Number of storage locations: $2^k$

encryption!
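The two phases above, run against a toy cipher small enough to search completely; this is an added example, not from the slides or the cited textbooks, and it also uses further plaintext/ciphertext pairs to discard the false keys that a single pair leaves (about $2^{2k - tn}$ for an ideal cipher, by the false-key theorem). The cipher `enc`/`dec`, the 12-bit keys, the 16-bit block and all sample values are constructed for the demonstration.

```python
KEY_BITS, BLOCK_BITS = 12, 16          # toy sizes: k = 12, n = 16 (DES has k = 56, n = 64)
MASK = (1 << BLOCK_BITS) - 1
MUL = 0x6487                           # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << BLOCK_BITS)

def rotl(x, r):
    return ((x << r) | (x >> (BLOCK_BITS - r))) & MASK

def enc(key, x):
    """Toy 4-round cipher (constructed for this demo, not DES)."""
    for r in range(4):
        x = rotl(((x ^ (key << r)) * MUL) & MASK, 5)
    return x

def dec(key, y):
    for r in reversed(range(4)):
        y = ((rotl(y, BLOCK_BITS - 5) * MUL_INV) & MASK) ^ (key << r)
    return y

def double_enc(k_left, k_right, x):
    return enc(k_right, enc(k_left, x))

def meet_in_the_middle(x1, y1):
    """Return every (k_L, k_R) consistent with one pair, in 2^k + 2^k cipher calls."""
    table = {}                                   # Phase I: z_L -> [k_L]; a hash table
    for k_left in range(1 << KEY_BITS):          # stands in for the sorted lookup table
        table.setdefault(enc(k_left, x1), []).append(k_left)
    matches = []
    for k_right in range(1 << KEY_BITS):         # Phase II: decrypt y1 and look up z_R
        for k_left in table.get(dec(k_right, y1), []):
            matches.append((k_left, k_right))
    return matches

def recover_key(pairs):
    """Attack the first pair, then discard false keys with the remaining pairs."""
    (x1, y1), *extra = pairs
    candidates = meet_in_the_middle(x1, y1)
    survivors = [kp for kp in candidates
                 if all(double_enc(kp[0], kp[1], x) == y for x, y in extra)]
    return candidates, survivors

SECRET = (0xA5C, 0x3F1)                          # constructed key pair (k_L, k_R)
PAIRS = [(x, double_enc(*SECRET, x)) for x in (0x1234, 0xBEEF, 0x0042)]  # constructed

if __name__ == "__main__":
    candidates, survivors = recover_key(PAIRS)
    print(f"cipher calls: {2 << KEY_BITS} instead of {1 << 2 * KEY_BITS}")
    print(f"after 1 pair: {len(candidates)} candidates; after {len(PAIRS)}: {survivors}")
```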

## On the security of DES

Triple encryption using DES is often used in practice to extend the effective key length of DES to 112.
$c = \mathrm{DES}(k_3, \mathrm{DES}(k_2, \mathrm{DES}(k_1, m)))$
Alternative version:
$c = \mathrm{DES}(k_3, \mathrm{DES}^{-1}(k_2, \mathrm{DES}(k_1, m)))$
Advantage: choosing $k_1 = k_2 = k_3$ performs single encryption.

No practical attack known today.
Used in many legacy applications, e.g., in banking systems.

## On the security of DES

Key whitening makes block ciphers such as DES much more resistant against brute-force attacks.

$c = k_3 \oplus \mathrm{DES}(k_2, k_1 \oplus m)$
key-len = 64+56+64 = 184 bits
but easy attack in time $2^{64+56} = 2^{120}$
It does not strengthen block ciphers against most analytical attacks such as linear and differential cryptanalysis => It is not a cure for inherently weak ciphers.
The additional computational load is negligible.
