Download - Des1
![Page 1: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/1.jpg)
Block Ciphers
![Page 2: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/2.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 2
Learning Outcomes
• Recognise the different components of the cryptographic process
• Identify some of the factors involved in selecting a cryptographic algorithm
• Describe the model of a stream cipher• Appreciate the types of application where a stream cipher is
most appropriate• Describe the model of a block cipher• Recall the basic design features and history of DES• Comment on the security issues surrounding modern use of
DES
![Page 3: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/3.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 3
Overview• Block Cipher Principles
– Stream and Block Ciphers– Ideal Block Cipher– The Feistel Cipher
• The Data Encryption Standard– DES Details– DES Design Issues – The Strength of DES– Differential and Linear Cryptanalysis
![Page 4: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/4.jpg)
4
A symmetric classification
1 …… 1 …… 0 ……0 ……0
E
1……...1……..1…….0…….1
100110110100010111010010
1100100111010100100010011
E E E E
100110110100010111010010
110010011101010010001001
100110 110100 010111 010010
E E E E
110010 011101 010010 001001
… … … …
Stream cipher Block cipher
![Page 5: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/5.jpg)
Stream Ciphers
Call the plaintext stream P, the ciphertext stream C, and the key stream K.
5
![Page 6: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/6.jpg)
1. Block ciphers
![Page 7: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/7.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Model of a block cipher• Encrypt a block of plaintext as a whole to
produce same sized ciphertext• Typical block sizes are 64 or 128 bits• Modes of operation used to apply block
ciphers to larger plaintexts
7
block of ciphertext
![Page 8: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/8.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Reversible and Irreversible Mappings
• n-bit block cipher takes n bit plaintext and produces n bit ciphertext
• 2n possible different plaintext blocks• Encryption must be reversible (decryption possible)• Each plaintext block must produce unique ciphertext
block• Total transformations is 2n!
8
![Page 9: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/9.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
General Block Substitution
9
![Page 10: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/10.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Encryption/Decryption Tables
10
![Page 11: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/11.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Ideal Block Cipher
• n-bit input maps to 2n possible input states• Substitution used to produce 2n output states• Output states map to n-bit output• Ideal block cipher allows maximum number of
possible encryption mappings from plaintext block
• Problems with ideal block cipher:– Small block size: equivalent to classical substitution cipher;
cryptanalysis based on statistical characteristics feasible– Large block size: key must be very large;
performance/implementation problems
11
![Page 12: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/12.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Practical Block Ciphers
• Modern block ciphers use a key of K bits to specify a random subset of 2K mappings.
• If K ≈ N, – 2K is much smaller than 2N!
– But is still very large.
• If the selection of the 2K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher.
• Horst Feistel, in1970s, proposed a method to achieve this.
12
![Page 13: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/13.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Feistel Structure for Block Ciphers
• Feistel proposed applying two or more simple ciphers in sequence so final result is cryptographically stronger than component ciphers
• n-bit block length; k-bit key length; 2k transformations
• Feistel cipher alternates: substitutions, transpositions(permutations)
• Applies concepts of diffusion and confusion• Applied in many ciphers today
13
![Page 14: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/14.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Diffusion and Confusion• Diffusion
– Statistical nature of plaintext is reduced in ciphertext– E.g. A plaintext letter affects the value of many ciphertext
letters– How: repeatedly apply permutation (transposition) to data,
and then apply function
• Confusion– Make relationship between ciphertext and key as complex as
possible– Even if attacker can find some statistical characteristics of
ciphertext, still hard to find key– How: apply complex (non-linear) substitution algorithm
14
![Page 15: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/15.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Feistel Structure for Block Ciphers
• Approach:– Plaintext split into halves– Subkeys (or round keys) generated from
key– Round function, F, applied to right half– Apply substitution on left half using XOR– Apply permutation: interchange to halves
15
![Page 16: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/16.jpg)
The Feistel Cipher Structure
i
16
![Page 17: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/17.jpg)
Round i
+
f
Li-1 Ri-1
ki
Li Ri
17
![Page 18: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/18.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Using the Feistel Structure
• Exact implementation depends on various design features– Block size, e.g. 64, 128 bits: larger values leads to more
diffusion– Key size, e.g. 128 bits: larger values leads to more
confusion, resistance against brute force– Number of rounds, e.g. 16 rounds– Subkey generation algorithm: should be complex– Round function F: should be complex
• Other factors include fast encryption in software and ease of analysis
• Tradeoff: security vs performance
18
![Page 19: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/19.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 September, 2006
Feistel decryption
• same as encryption, except
• ciphertext is input
• use keys in reverse order
• at each round the output is equal to the corresponding value of the encryption process with the two halves of the value swapped
• final permutation (swap) realigns 2 halves
![Page 20: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/20.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Feistel Example
20
![Page 21: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/21.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Data Encryption Standard
• Symmetric block cipher– 56-bit key, 64-bit input block, 64-bit output block
• One of most used encryption systems in world– Developed in 1977 by NBS/NIST– Designed by IBM (Lucifer) with input from NSA– Principles used in other ciphers, e.g. 3DES, IDEA
• Simplified DES (S-DES)– Cipher using principles of DES– Developed for education (not real world use)
21
![Page 22: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/22.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Simplied DES
• Input (plaintext) block: 8-bits• Output (ciphertext) block: 8-bits• Key: 10-bits• Rounds: 2• Round keys generated using permutations and
left shifts• Encryption: initial permutation, round function,
switch halves• Decryption: Same as encryption, except round
keys used in opposite order22
![Page 23: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/23.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Algorithm
23
![Page 24: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/24.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Operations
• P10 (permutate)Input : 1 2 3 4 5 6 7 8 9 10
Output: 3 5 2 7 4 10 1 9 8 6
• P8 (select and permutate)Input : 1 2 3 4 5 6 7 8 9 10
Output: 6 3 7 4 8 5 10 9
• P4 (permutate)Input : 1 2 3 4
Output: 2 4 3 124
![Page 25: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/25.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Operations
• EP (expand and permutate)Input : 1 2 3 4
Output: 4 1 2 3 2 3 4 1
• IP (initial permutation)
Input : 1 2 3 4 5 6 7 8
Output: 2 6 3 1 4 8 5 7
• IP-1 (inverse of IP)• LS-1 (left shift 1 position)• LS-2 (left shift 2 positions)
25
![Page 26: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/26.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Key Generation
26
![Page 27: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/27.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Encryption Details
27
![Page 28: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/28.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES S-Boxes• S-DES (and DES) perform substitutions using S-
Boxes• S-Box considered as a matrix: input used to select
row/column; selected element is output
• 4-bit input: bit1; bit2; bit3; bit4
• bit1bit4 species row (0, 1, 2 or 3 in decimal)
• Bit2bit4 species column
• 2-bit output
28
![Page 29: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/29.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Example
• Plaintext: 01110010
• Key: 1010000010
• Ciphertext?
29
![Page 30: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/30.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
S-DES Summary
• Educational encryption algorithm• S-DES expressed as functions:
ciphertext = IP-1(fK2 (SW (fK1 (IP (plaintext)))))
plaintext = IP-1(fK1 (SW (fK2 (IP (ciphertext)))))
• Security of S-DES:–10-bit key, 1024 keys: brute force easy–If know plaintext and corresponding ciphertext, can we determine key? Very hard
30
![Page 31: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/31.jpg)
Comparing DES and S-DESS-DES
• 8-bit blocks• 10-bit key: 2 x 8-bit round
keys• IP: 8-bits• F operates on 4 bits• 2 S-Boxes• 2 rounds
DES• 64-bit blocks• 56-bit key: 16 x 48-bit
round keys• IP: 64 bits• F operates on 32 bits• 8 S-Boxes• 16 rounds
31
S-DES encryption:
ciphertext = IP-1(fK2 (SW (fK1 (IP (plaintext)))))
DES encryption:
ciphertext = IP-1(fK16 (SW (fK15 (SW (: : : (fK1 (IP (plaintext))))))))
![Page 32: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/32.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Design Principles of DES
• To achieve high degree of diffusion and confusion.
• Diffusion: making each plaintext bit affect as many ciphertext bits as possible.
• Confusion: making the relationship between the encryption key and the ciphertext as complex as possible.
1
![Page 33: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/33.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
General DES Encryption Algorithm
33
![Page 34: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/34.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Permutation Tables for DES
34
![Page 35: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/35.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Permutation Tables for DES
35
![Page 36: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/36.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Single Round of DES Algorithm
Introduction to Cryptography and Security Mechanisms 2005
36
![Page 37: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/37.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Calculation of F(R,K)
Introduction to Cryptography and Security Mechanisms 2005
37
![Page 38: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/38.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
The S-Boxes
• Eight S-boxes each map 6 to 4 bits • Each S-box is specified as a 4 x 16 table
– each row is a permutation of 0-15– outer bits 1 & 6 of input are used to select
one of the four rows – inner 4 bits of input are used to select a
column
• All the eight boxes are different.
![Page 39: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/39.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Definition of DES S-Boxes
39
![Page 40: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/40.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Definition of DES S-Boxes
40
![Page 41: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/41.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Round Keys Generation
• Main key: 64 bits.• 56-bits are selected and permuted using Permuted
Choice One (PC1); and then divided into two 28-bit halves.
• In each round:
– Left-rotate each half separately by either 1 or 2 bits according to a rotation schedule.
– Select 24-bits from each half, and permute the combined 48 bits.
– This forms a round key.
![Page 42: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/42.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
DES Key Schedule Calculation
42
![Page 43: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/43.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Avalanche Effect
• Avalanche effect:– A small change in the plaintext or in the key results in a
significant change in the ciphertext.
– an evidence of high degree of diffusion and confusion
– a desirable property of any encryption algorithm
• DES exhibits a strong avalanche effect– Changing 1 bit in the plaintext affects 34 bits in the
ciphertext on average.
– 1-bit change in the key affects 35 bits in the ciphertext on average.
![Page 44: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/44.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
The Avalanche Effect
• Following examples show the number of bits that change in output when two different inputs are used, differing by 1 bit
• Plaintext 1: 02468aceeca86420• Plaintext 2: 12468aceeca86420• Ciphertext difference: 32 bits• Key 1: 0f1571c947d9e859• Key 2: 1f1571c947d9e859• Ciphertext difference: 30
44
![Page 45: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/45.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Avalanche Eect in DES: Change in Plaintext
45
![Page 46: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/46.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Avalanche Eect in DES: Change in Key
46
![Page 47: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/47.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Key Size
• Although 64 bit initial key, only 56 bits used in encryption (other 8 for parity check)
• 256 = 7.2 × 1016– 1977: estimated cost $US20m to build machine to
break in 10 hours– 1998: EFF built machine for $US250k to break in 3
days– Today: 56 bits considered too short to withstand
brute force attack
• 3DES uses 128-bit keys
47
![Page 48: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/48.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Attacks on DES
• Timing Attacks– Information gained about key/plaintext by observing how long
implementation takes to decrypt– No known useful attacks on DES
• Differential Cryptanalysis– Observe how pairs of plaintext blocks evolve– Break DES in 247 encryptions (compared to 255); but require
247 chosen plaintexts
• Linear Cryptanalysis– Find linear approximations of the transformations– Break DES using 243 known plaintexts
48
![Page 49: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/49.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
DES Algorithm Design
• S-Boxes provide non-linearity: important part of DES, generally considered to be secure
• S-Boxes provide increased confusion
• Permutation P chosen to increase diffusion
49
![Page 50: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/50.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Multiple Encryption with DES
• DES is vulnerable to brute force attack• Alternative block cipher that makes use of
DES software/equipment/knowledge: encrypt multiple times with different keys
• Options:1. Double DES: not much better than single DES
2. Triple DES (3DES) with 2 keys: brute force 2112
3. Triple DES with 3 keys: brute force 2168
50
![Page 51: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/51.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Double Encryption
• For DES, 2 × 56-bit keys, meaning 112-bit key length• Requires 2111 operations for brute force?• Meet-in-the-middle attack makes it easier
51
![Page 52: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/52.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Meet-in-the-Middle Attack
• Double DES Encryption: C = E(K2;E(K1; P))
• Say X = E(K1; P) = D(K2; C)
• Attacker knows two plaintext, ciphertext pairs (Pa; Ca) and (Pb; Cb)1. Encrypt Pa using all 256 values of K1 to get multiple values of X
2. Store results in table and sort by X
3. Decrypt Ca using al 256 values of K2
4. As each decryption result produced, check against table
5. If match, check current K1;K2 on Cb. If Pb obtained, then accept the keys
• With two known plaintext, ciphertext pairs, probability of successful attack is almost 1
• Encrypt/decrypt operations required: 256 (twice as many as single DES)
52
![Page 53: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/53.jpg)
Introduction to Cryptography and Security Mechanisms 2005
53
Triple DES
ciphertext
EncryptUsing DES
plaintext
Key K1
DecryptUsing DES
EncryptUsing DES
Key K2
Key K1
1
Key K = K1 and K2
3
2
4
![Page 54: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/54.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Triple Encryption
• 2 keys, 112 bits• 3 keys, 168 bits• Why E-D-E? To be compatible with single DES:
C = E(K1;D(K1;E(K1; P))) = E(K1; P)
54
![Page 55: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/55.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 55
DES today
• Well accepted that a DES key can be found by anyone determined enough.
• Differential and linear cryptanalysis provide academic attacks on DES.
• DES is still in use in many applications.• Triple DES or AES are commonly
recommended instead of DES .
![Page 56: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/56.jpg)
AES
56
![Page 57: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/57.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Advanced Encryption Standard• NIST called for proposals for new standard in 1997
– Aims: security, efficient software/hardware implementations, low memory requirements, parallel processing
– Candidate algorithms from around the world
– Rijndael chosen, standard called AES created in 2001
• AES:– Block size: 128 bits (others possible)
– Key size: 128, 192, 256 bits
– Rounds: 10, 12, 14 (depending on key)
– Operations: XOR with round key, substitutions using S-Boxes, mixing using Galois Field arithmetic
• Widely used in file encryption, network communications• Generally considered secure
57
![Page 58: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/58.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 58
Design requirements of AES
• The selection would be a public process and the chosen algorithm and design details would be made freely available for public use.
• The block size should be 128 bits.• The block cipher would be designed to offer variable
key lengths of 128, 192 and 256 bits, to allow for future developments in exhaustive key search efforts.
• The block cipher had to operate at a faster speed than Triple DES across a number of different platforms.
In 1998 NIST issued a call for proposals for a new block cipher standard, to be referred to as the Advanced Encryption Standard or AES.
![Page 59: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/59.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 59
Development of AES
• 15 candidate proposals, quickly reduced to 11 in August 1998.
• In April 1999, after a public consultation process, this was reduced to five candidates: MARS, RC6, Rijndael, SERPENT and TWOFISH.
• In October 2000 the winning algorithm Rijndael was selected.
• Federal Information Processing Standard FIPS 197, the Advanced Encryption Standard, published early 2001. This standard specifies AES (Rijndael) as a FIPS-approved symmetric encryption algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information.
• AES now widely adopted and supported.
![Page 60: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/60.jpg)
60
AES encryption round
Byte substitution
Shift rows
Mix columns
AES S-box
Key schedule
round key++
key
current state
new state
![Page 61: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/61.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2
Other Block Ciphers
• Blowfish (Schneier, open)
• Twosh (Schneier et al., open)
• IDEA (patented)
• Skipjack (NSA, Clipper)
• . . .
61
![Page 62: Des1](https://reader035.vdocuments.net/reader035/viewer/2022070303/54b6dc1e4a7959703e8b47b9/html5/thumbnails/62.jpg)
IFETCE/M.E CSE/NE7202-NIS/Unit 2 62
Summary
• Stream ciphers and block ciphers are different types of symmetric encryption algorithm. They offer slightly different properties and are therefore suitable for different applications.– Simple stream ciphers are fast and do not propagate errors,
making them suitable for poor quality channels and for applications where errors are intolerable.
– Block ciphers do propagate errors (to a limited extent), but are quite flexible and can be used in different ways in order to provide different security properties (in some cases to achieve some of the benefits of stream ciphers).
• The properties of cryptographic algorithms are not only affected by algorithm design, but also by the ways in which the algorithms are used. Different modes of operation can significantly change the properties of a block cipher.