data encryption standard - unipi.it encryption standard • on may 15, 1973, national bureau of...
TRANSCRIPT
Data Encryption Standard
Symmetric Cryptography
Block cipher
• Block ciphers break up the plaintext in blocks of fixed length n bits and encrypt one block at time
• E: {0,1}n →{0,1}n D: {0,1}n →{0,1}n
• E is a permutation (one-to-one, invertible)
DES 2
Data Encryption Standard (DES)
DES 3
DES"P! C!
K!
64" 64"
56"
DES"C! P!
K!
64" 64"
56"
! The input key K is actually specified as a 64-bit key, 8 bits of which (bits 8; 16, …, 64) may be used as parity bits.
! The 256 keys implement (at most) 256 of the 264! possible permutations on 64-bit blocks.
Block Ciphers Built by Iteration
R(k,m) is called a round function
for 3DES (n=48), for AES-128 (n=10)
key k
key expansion
k1 k2 k3 kn
R(k
1, .)
R(k
2, .)
R(k
3, .)
R(k
n, .) m c
DES 4
Data Encryption Standard
• On May 15, 1973, National Bureau of Standards published a solicitation for cryptosystems in the Federal Register
• DES was published in the Federal Register of March 17, 1975
• DES was developed by IBM as a modification of LUCIFER
• DES was considered a standard for “unclassified” applications on January 15, 1977 after much public discussion
• DES has been reviewed every 5 years
• The most recent review was January 1994
• It is not a standard since 1998.
DES 5
Basic idea: Feistel Network
DES 6
Given functions f1, …, fd: {0,1}n ⟶ {0,1}n
Goal: build invertible function F: {0,1}2n ⟶ {0,1}2n
input output
Rd-1
Ld-1
Rd
Ld
R0
L0
n-bits n-bits
R1
L1
�
f1
R2
L2
�
f2 � �
fd
In symbols: Li = Ri−1Ri = Li−1⊕ fi Ri−1( )
⎧⎨⎪
⎩⎪
Feistel net is invertible
DES 7
Theorem: for all f1, …, fd: {0,1}n ⟶ {0,1}n Feistel network F: {0,1}2n ⟶ {0,1}2n is invertible
Proof: construct inverse
In symbols:
Ri−1 = Li
Li−1 = Ri ⊕ fi Li( )⎧⎨⎪
⎩⎪
Ri-1
Li-1
Ri
Li
�
fi
Ri
Li
Ri-1
Li-1
�
fi
Decryption circuit
DES 8
R1
L1
R0
L0
Rd
Ld
n-bits n-bits
Rd-1
Ld-1
�
fd
Rd-2
Ld-2
�
fd-1 � �
f1
• Inversion is basically the same circuit, with f1, …, fd applied in reverse order
• General method for building invertible functions (block ciphers) from arbitrary functions.
• Used in many block ciphers … but not AES
Luby-Rackoff ‘85
Theorem.
Let f: K × {0,1}n ⟶ {0,1}n be a secure PRF � 3-round Feistel F: K3 × {0,1}2n ⟶ {0,1}2n is a secure PRP
R3
L3
R0
L0
input
R1
L1
�
f R2
L2
�
f
�
f
output
f(k0, R0) f(k1, R1) f(k2, R2) 3 independent keys
DES 9
DES: 16 round Feistel net
DES 10
f1, …, f16: {0,1}32 ⟶ {0,1}32 , fi(x) = F( ki, x )
input
64 b
its
output
64 b
its
16 round Feistel network IP IP-1
k
key expansion
k1 k2 k16 �
To invert, use keys in reverse order
From K
Round function F
DES 11
Ri-1
Ki E
�
S1 S2 S3 S4 S5 S6 S7 S8
P
32
48 48
8 × 6 bit
Substitution (S-box)
8 × 4 bit
Permutation
Expansion
6
4
F(Ri-1, Ki) = P(S(E(Ri-1) � Ki ) S() is a look-up table
32
32
S-boxes
DES 12
B = b1b2b3b4b5b6 Row → b1b6 (outer bits) Column → b2b3b4b5
(inner bits)
Si B D
S-boxes
DES 13
Si: {0,1}6 ⟶ {0,1}4
S5(011011) → 1001
S-box: a bad choice
DES 14
Suppose: Si(x1, x2, …, x6) = ( x2⨁x3, x1⨁x4⨁x5, x1⨁x6, x2⨁x3⨁x6 )
or written equivalently: Si(x) = Ai�x (mod 2)
We say that Si is a linear function.
0 1 1 0 0 0 1 0 0 1 1 0 1 0 0 0 0 1 0 1 1 0 0 1
x1 x2 x3 x4 x5 x6
× = x2⨁x3
x1⨁x4⨁x5 x1⨁x6
x2⨁x3⨁x6
S-box: a bad choice
DES 15
Then entire DES cipher would be linear: �fixed binary matrix B s.t.
But then: DES(k,m1) ⨁ DES(k,m2) ⨁ DES(k,m3) =
B m k1 k2
k16
× = c
832
64
�
DES(k,m) = (mod 2)
B ⋅ m1
k
⎛
⎝⎜
⎞
⎠⎟ ⊕B ⋅ m2
k
⎛
⎝⎜
⎞
⎠⎟ ⊕B ⋅
m3
k
⎛
⎝⎜
⎞
⎠⎟ = B ⋅
m1⊕m2 ⊕m3
k
⎛
⎝⎜
⎞
⎠⎟
Choosing S-box and P-box
• Choosing S-boxes and P-box at random would result in an insecure block cipher – (key recovery after ≈224 outputs) [BS’89]
• Several rules used in choice of S and P boxes: – No output bit should be close to a linear function
of the input bits – S-boxes are 4-to-1 maps
DES 16
Key Scheduling
DES 17
K
R R
PC1
PC2
64
28 28
Ki (i-th subkey)
56
48
i
Permutation and compression (generate the first sub-key)
Permutation and compression
Left rotation (1 bit per round = 1, 2, 9, 16; 2 bit otherwisei) 28 28
56
! R e PC2 guarantee that, at each round, a different subset of bits is extracted
! Each bit of the key participates to 14 rounds on average
DES in practice
• DES can be efficiently implemented either in hardware or in software – Arithmetic operations are
• exclusive-or • E, S-boxes, IP, IP-1, key scheduling can be done in constant
time by table-lookup (sw) or by hard-wiring them into a circuit
• One very important DES application is in banking transactions – DES is used to encrypt PINs and account transactions
carried out at ATM – DES is also used in government organizations and for
inter-bank transactions
DES 18
Empirical properties of DES
Empirically, DES fulfills these reqs: • Each CT bits depends on all key bits and PT bits • There are no evident statistical relationships
between CT and PT • The change of one bit in the PT (CT) causes the
change of every bit in the CT (PT) with 0.5 probability
DES 19
Strength of DES
DES 20
attack method data complexity
storage complexity
processing complexity
exhaustive precomputation – 1 256 1 (table lookup)
exhaustive search 1 – negligible 255
243 (85%) – for texts 243 linear cryptanalysis 238 (10%) – for texts 250
– 247 for texts 247 differential cryptanalys 255 – for texts 255