Information Theory - German University in Cairo

COMM1003 Information Theory Dr. Wassim Alexan Spring 2019 Lecture 7

Post on 28-Apr-2022

Page 1: Information Theory - German University in Cairo

COMM1003

Information Theory

Dr. Wassim Alexan

Spring 2019

Lecture 7

Page 2: Information Theory - German University in Cairo

Symmetric Cryptography

◆ Classical ciphers

◆ Electro–mechanical ciphers

◆ Modern ciphers

◆ The Data Encryption Standard (DES)

◆ The Triple Data Encryption Standard (3DES)

◆ Blowfish

◆ The Advanced Encryption Standard (AES)

Wassim Alexan 2

Page 3: Information Theory - German University in Cairo

Symmetric Cryptography: Stream Versus Block Ciphers

◆ Symmetric cryptography is split into stream and block ciphers

◆ Fig. 1 depicts the operational differences between stream and block ciphers when we want to encrypt b bits at a time, where b is the width of the block cipher

Fig. 1. Principles of encrypting b bits with a stream cipher (left) and a block cipher (right). (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 4: Information Theory - German University in Cairo

Stream Ciphers

◆ Stream ciphers encrypt bits individually

◆ This is carried out by adding a bit from a key stream to a plaintext bit

◆ There are synchronous stream ciphers where the key stream depends only on the key, and asynchronous ones where the key stream depends on the ciphertext as well

◆ If the dotted line in Fig. 2 is present, then the stream cipher is an asynchronous one

Fig. 2. Synchronous and asynchronous stream ciphers. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 5: Information Theory - German University in Cairo

Block Ciphers

◆ Block ciphers encrypt an entire block of plaintext bits at a time with the same key

◆ This means that the encryption of any plaintext bit in a given block depends on every other plaintext bit in the same block

◆ In practice, the vast majority of block ciphers either have a block length of 128 bits (16 bytes), such as the Advanced Encryption Standard, or a block length of 64 bits (8 bytes) such as the Data Encryption Standard (DES) or the triple DES (3DES) algorithm


Page 6: Information Theory - German University in Cairo

Stream and Block Ciphers: Facts

◆ In practice and especially for encrypting computer communication on the internet, block ciphers are used more often than stream ciphers

◆ Stream ciphers tend to be small and fast, and are thus perfect for applications with limited computational resources (e.g. cell phones or other small embedded devices)

◆ A prominent example of stream ciphers is the A5/1 cipher, which is part of the GSM mobile phone standard and is used for voice encryption

◆ However, some stream ciphers are also used for encrypting Internet traffic, such as the RC4 cipher


Page 7: Information Theory - German University in Cairo

Stream and Block Ciphers: Facts

◆ Traditionally, it was assumed that stream ciphers tend to encrypt more efficiently than block ciphers

◆ Efficient for software–optimized stream ciphers means that they need fewer processing cycles to encrypt one bit of plaintext

◆ Efficient for hardware–optimized stream ciphers means that they need fewer gates or a smaller chip area

◆ However, modern block ciphers such as the AES are also very efficient in software

◆ Moreover, for hardware, the block cipher PRESENT is extremely efficient


Page 8: Information Theory - German University in Cairo

Block Ciphers: Features

◆ Block size: A larger block size means greater security

◆ Key size: A larger key size means greater security

◆ Number of rounds: Multiple rounds offer increased security

◆ Encryption modes: Define how messages larger than the block size are encrypted → Very important for the security of the encrypted message


Page 9: Information Theory - German University in Cairo

Confusion and Diffusion

◆ Claude Shannon introduced two primitive operations with which strong encryption algorithms can be built:

◆ Confusion is an encryption operation where the relationship between the key and the ciphertext is hidden

◆ Today, a common element for achieving confusion is substitution, which is found in DES and AES

◆ Diffusion is an encryption operation where the influence of one plaintext bit is spread over many ciphertext bits, with the goal of hiding the statistical properties of the plaintext

◆ A simple diffusion element is bit permutation, which is used in DES


Page 10: Information Theory - German University in Cairo

Confusion and Diffusion

◆ Ciphers which use either confusion only (e.g. Caesar cipher, ROT13) or diffusion only (e.g. the Railfence cipher) are rather weak, while the concatenation of several of any of those produces more secure ciphers (e.g. the Enigma machine)

◆ Ciphers using several concatenated encryptions of confusion and diffusion elements are called product ciphers and offer a much higher degree of security

◆ All of today’s block ciphers are product ciphers as they consist of rounds, entailing substitutions and permutations, which are applied repeatedly to the data


Page 11: Information Theory - German University in Cairo

Confusion and Diffusion

Fig. 3. Principle of an N round product cipher, where each round performs a confusion and a diffusion operation. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 12: Information Theory - German University in Cairo

Confusion and Diffusion

◆ Modern ciphers possess excellent diffusion properties

◆ On a cipher level this means that a change of a single bit in the plaintext results on average in the change of half the output bits (i.e. the second ciphertext looks statistically independent of the first one)

◆ For example, assume we have a small block cipher with a block length of 8 bits. The encryption of two plaintexts $x_1$ and $x_2$, which differ only by a single bit, should roughly result in something as shown in Fig. 4

◆ Note that modern block ciphers have block lengths of 64 or 128 bits, but they show the same behavior if a single bit in the plaintext is flipped

Fig. 4. Principle of diffusion of a block cipher. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 13: Information Theory - German University in Cairo

History of the Data Encryption Standard (DES)

◆ 1967: Feistel networks are developed at IBM – Lucifer cipher is introduced, with block and key sizes of 128 bits

◆ 1972: NBS asks for an encryption standard

◆ 1975: IBM develops DES (modification of Lucifer), having a block size of 64 bits and a key size of 56 bits

◆ 1977: NSA suggests modifications

◆ 1977: NBS adopts DES as an encryption standard

◆ 2001: NIST adopts Rijndael as a replacement for DES, calling it AES

*NBS: National Bureau of Standards

*NSA: National Security Agency

*NIST: National Institute of Standards and Technology (a new name of NBS)


Page 14: Information Theory - German University in Cairo

DES

◆ DES is a block cipher which encrypts blocks of 64 bits with a key size of 56 bits

◆ DES is a symmetric cipher, i.e. the same key is used for encryption and decryption

◆ DES is an iterative algorithm: for each block of plaintext, encryption is handled in 16 rounds, which all perform the same operation

Fig. 5. DES block cipher. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 15: Information Theory - German University in Cairo

DES

◆ Fig. 6 (next slide) shows the round structure of DES. In every round a different sub key is used

◆ All sub keys $k_i$ are derived from the main key $k$

◆ The structure in Fig. 6 is called a Feistel network

◆ This structure can lead to very strong ciphers if carefully designed

◆ Feistel networks are used in many modern block ciphers, since they allow for the advantage that encryption and decryption are almost the same operation

◆ Decryption requires only a reversed key schedule, which is an advantage in software and hardware implementations


Page 16: Information Theory - German University in Cairo

Fig. 6. Iterative structure of DES. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 17: Information Theory - German University in Cairo

DES Internal Workings

◆ After the initial bitwise permutation $IP$ of a 64–bit plaintext $x$, the plaintext is split into two halves $L_0$ and $R_0$ (Fig. 7, slide 19)

◆ These 32–bit halves are the input to the Feistel network, which consists of 16 rounds

◆ The right half $R_i$ is fed into the function $f$

◆ The output of the function $f$ is XORed with the left 32–bit half $L_i$

◆ Finally, the right and the left halves are swapped

◆ This process repeats in the next round and can be expressed as

$$L_i = R_{i-1},$$

$$R_i = L_{i-1} \oplus f(R_{i-1}, k_i), \qquad (1)$$

where $i = 1, \ldots, 16$.


Page 18: Information Theory - German University in Cairo

DES Internal Workings

◆ After round 16, the 32–bit halves $L_{16}$ and $R_{16}$ are swapped again, and the final permutation $IP^{-1}$ is the last operation of DES

◆ In each round, a round key (sub key) $k_i$ is derived from the main 56–bit key using the key schedule
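The round equations (1), the final swap and the reversed key schedule for decryption can be seen working in the following added Python example, which is not part of the original slides. It assumes a stand-in round function `toy_f` and a constructed key schedule `toy_subkeys` (both hypothetical, not the DES f–function or DES key schedule) and leaves out IP and its inverse; it also counts how many ciphertext bits change when one plaintext bit is flipped, the diffusion behaviour described earlier.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def toy_f(r, k):
    """Stand-in round function, NOT the DES f-function (hypothetical).
    A Feistel network never inverts f, so any function works here."""
    data = r.to_bytes(4, "big") + k.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_subkeys(key, rounds=16):
    """Constructed key schedule: one 48-bit sub key k_i per round."""
    raw = key.to_bytes(7, "big")  # 56-bit main key
    return [int.from_bytes(hashlib.sha256(raw + bytes([i])).digest()[:6], "big")
            for i in range(1, rounds + 1)]

def feistel(block, subkeys):
    """Run the rounds of Eq. (1) on a 64-bit block, then swap the halves."""
    l, r = block >> 32, block & MASK32
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} xor f(R_{i-1}, k_i)
        l, r = r, l ^ toy_f(r, k)
    return (r << 32) | l  # final swap of L_16 and R_16

def encrypt(block, key):
    return feistel(block, toy_subkeys(key))

def decrypt(block, key):
    # Same network, sub keys applied in reverse order k_16, ..., k_1
    return feistel(block, toy_subkeys(key)[::-1])

def hamming(a, b):
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    key = 0x0123456789ABCD      # constructed 56-bit key
    x1 = 0x0000000000000000
    x2 = 0x0000000000000001     # differs from x1 in a single bit
    y1, y2 = encrypt(x1, key), encrypt(x2, key)
    print(f"{y1:016x} vs {y2:016x}: {hamming(y1, y2)} of 64 bits differ")
    print("round trip ok:", decrypt(y1, key) == x1)
```
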


Page 19: Information Theory - German University in Cairo

DES: The Feistel Structure

Fig. 7. The Feistel structure of DES. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 20: Information Theory - German University in Cairo

DES: The Internal Structure

◆ The following components make up the internal structure of DES

◆ The initial and final permutations

◆ The actual DES rounds

◆ The f function

◆ The key schedule


Page 21: Information Theory - German University in Cairo

DES: The Initial and Final Permutations

◆ The initial and final permutations are bit–wise permutations and can be simply thought of as cross–wiring

◆ In hardware, these are very easily implemented, but are not particularly fast in software

◆ These permutations do not increase the security of DES at all, since they are inverses of each other

◆ The idea behind them is to arrange the plaintext, ciphertext and bits in a byte–wise manner so that data fetches are easier for 8–bit data busses, which were the state–of–the–art in the early 1970s


Page 22: Information Theory - German University in Cairo

DES: The Initial and Final Permutations

◆ Fig. 8 gives a graphical representation of the initial and final permutations, while Fig. 9 gives the exact permutations in table form (next slide)

Fig. 8. Examples for the bit swaps of the initial permutation (left) and the final permutation (right). (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 23: Information Theory - German University in Cairo

DES: The Initial and Final Permutations

◆ The tables are read from left to right, top to bottom

◆ The first element in the IP table indicates that the input bit 58 is mapped to output position 1, input bit 50 is mapped to the second output position and so forth

Fig. 9. Initial permutation $IP$ (left) and final permutation $IP^{-1}$ (right). (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 24: Information Theory - German University in Cairo

Exercise 1

Assuming that a plaintext input to the DES algorithm is as follows

1111111100000000000000000000000000000000000000000000000000000000

What would be the output of the initial permutation?


Page 25: Information Theory - German University in Cairo

Exercise 1 Solutions

Based on the initial permutation table in Fig. 9, the output would be

0000000100000001000000010000000100000001000000010000000100000001

In table form, that would be

IP (x) =

0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
0 0 0 0 0 0 0 1
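Exercise 1 can be reproduced with the following added Python example, which is not part of the original slides. It uses the standard DES initial permutation table (the one Fig. 9 shows), derives the final permutation by inverting it, and confirms that the two cancel; the function names are hypothetical.

```python
# Standard DES initial permutation, read left to right, top to bottom:
# output position 1 receives input bit 58, position 2 receives bit 50, ...
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17,  9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

def permute(bits, table):
    """Apply a bit permutation to a string of '0'/'1' characters.
    Table entries are 1-based input positions, as on the slides."""
    if len(bits) != len(table):
        raise ValueError("input length must match table length")
    return "".join(bits[src - 1] for src in table)

def invert(table):
    """Build the table of the inverse permutation."""
    inverse = [0] * len(table)
    for out_pos, src in enumerate(table, start=1):
        inverse[src - 1] = out_pos
    return inverse

IP_INV = invert(IP)  # the final permutation of DES

def as_rows(bits, width=8):
    """Format a bit string as rows of `width` bits, as in the solution."""
    return [" ".join(bits[i:i + width]) for i in range(0, len(bits), width)]

if __name__ == "__main__":
    x = "1" * 8 + "0" * 56          # plaintext from Exercise 1
    y = permute(x, IP)
    print("\n".join(as_rows(y)))
    print("IP^-1 undoes IP:", permute(y, IP_INV) == x)
```
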


Page 26: Information Theory - German University in Cairo

DES: The f –Function

◆ The f –function plays a crucial role for the security of DES

◆ In round $i$ it takes the right half $R_{i-1}$ of the output of the previous round and the current sub key $k_i$ as input

◆ The output of the f –function is then used for encrypting the left half input bits $L_{i-1}$


Page 27: Information Theory - German University in Cairo

Fig. 10. Block diagram of the f–function. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 28: Information Theory - German University in Cairo

DES: The f –Function Internals → The Expansion Function

◆ The Expansion function is a special type of permutation that takes 32 bits as input and outputs 48 bits

◆ This is done by partitioning the input into eight 4–bit blocks and then expanding each of those into 6–bit blocks

◆ Exactly 16 of the 32 input bits appear twice in the output; however, an input bit never appears twice in the same 6–bit output block

◆ The expansion box increases the diffusion behavior of DES, since certain input bits influence two different output locations


Page 29: Information Theory - German University in Cairo

Fig. 11. Examples for the bit swaps of the expansion function E (top). The expansion permutation E (bottom). (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)
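The stated properties of the expansion function can be checked directly against the table, as in this added Python example (not part of the original slides). It uses the standard DES expansion table E that the figure shows; the helper names are hypothetical.

```python
from collections import Counter

# Standard DES expansion table E: eight rows, one per 6-bit output block.
# Entries are 1-based positions in the 32-bit input.
E = [32,  1,  2,  3,  4,  5,
      4,  5,  6,  7,  8,  9,
      8,  9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,
     20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,
     28, 29, 30, 31, 32,  1]

def expand(bits32):
    """Map a 32-character bit string to its 48-bit expansion."""
    if len(bits32) != 32:
        raise ValueError("expected 32 bits")
    return "".join(bits32[src - 1] for src in E)

def duplicated_inputs():
    """Input bit positions that appear twice in the output."""
    return sorted(bit for bit, n in Counter(E).items() if n == 2)

def no_repeat_within_block():
    """True if no input bit occurs twice inside one 6-bit output block."""
    return all(len(set(E[i:i + 6])) == 6 for i in range(0, 48, 6))

def blocks_fed_by(bit):
    """1-based indices of the 6-bit blocks (S-box inputs) fed by an input bit."""
    return [i // 6 + 1 for i, src in enumerate(E) if src == bit]

if __name__ == "__main__":
    print("duplicated input bits:", duplicated_inputs())
    print("no repeat inside a block:", no_repeat_within_block())
    for bit in (2, 4, 32):
        print(f"input bit {bit} feeds block(s) {blocks_fed_by(bit)}")
```

The duplicated bits are the two outer bits of every 4–bit input block, so each of them reaches two neighbouring S–boxes, which is where the extra diffusion comes from.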


Page 30: Information Theory - German University in Cairo

DES: The f –Function Internals → The S–Boxes

◆ The 48–bit result of the expansion is then XORed with the sub key $k_i$

◆ This result is then divided into eight 6–bit blocks which are fed into eight different substitution boxes (S–boxes)

◆ Each S–box is a lookup table that maps a 6–bit input to a 4–bit output

◆ The tables are read as follows: The MSB and the LSB of each 6–bit input select the row of the table, while the inner four bits select the column

◆ The integers 0, 1, 2, ..., 15 of each entry in the table represent the decimal notation of a 4–bit value


Page 31: Information Theory - German University in Cairo

DES: The f –Function Internals → The S–Boxes

Fig. 12. The S–boxes lookup tables. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 32: Information Theory - German University in Cairo

Example 1

Assume we have the input to S–box 1 as $b = (100\,101)_2$

◆ This indicates the row $(11)_2 = 3$, which is the fourth row, as we begin counting from $(00)_2$

◆ And the column $(0010)_2 = 2$, which is the third column

◆ Thus, the output is going to be $8 = (1000)_2$

Fig. 11. Example of the decoding of the input $(100\,101)_2$ by S–box 1. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 33: Information Theory - German University in Cairo

Exercise 2

An important property which makes DES secure is that the S–boxes are nonlinear. In this exercise, you are required to verify this property by computing the output of $S_1$ for several pairs of inputs:

◆ a) $x_1 = 000\,000$ and $x_2 = 000\,001$

◆ b) $x_1 = 111\,111$ and $x_2 = 100\,000$

◆ c) $x_1 = 101\,010$ and $x_2 = 010\,101$

Hint: Calculate $S(x_1)$ and $S(x_2)$, then $S(x_1) \oplus S(x_2)$, and see if this is equal to $S(x_1 \oplus x_2)$. If it is, the S–box is linear; if not, it is nonlinear.

Fig. 11. S–box 1. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)


Page 34: Information Theory - German University in Cairo

Exercise 2 Solutions

◆ a) $x_1 = 000\,000$ and $x_2 = 000\,001$

$$S_1(000\,000_2) \oplus S_1(000\,001_2) \neq S_1(000\,000_2 \oplus 000\,001_2)$$

$$1110_2 \oplus 0000_2 \neq S_1(000\,001_2)$$

$$1110_2 \neq 0000_2 \qquad (2)$$

◆ b) $x_1 = 111\,111$ and $x_2 = 100\,000$

$$S_1(111\,111_2) \oplus S_1(100\,000_2) \neq S_1(111\,111_2 \oplus 100\,000_2)$$

$$1101_2 \oplus 0100_2 \neq S_1(011\,111_2)$$

$$1001_2 \neq 1000_2 \qquad (3)$$

◆ c) $x_1 = 101\,010$ and $x_2 = 010\,101$

$$S_1(101\,010_2) \oplus S_1(010\,101_2) \neq S_1(101\,010_2 \oplus 010\,101_2)$$

$$0110_2 \oplus 1100_2 \neq S_1(111\,111_2)$$

$$1010_2 \neq 1101_2 \qquad (4)$$
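The S–box lookup rule from Example 1 and the linearity test from Exercise 2 are carried out in the following added Python example, which is not part of the original slides. It uses the standard DES S–box 1 table (the one the figures show) and goes beyond the three pairs of the exercise by also counting, over all 64 × 64 input pairs, how many satisfy the linear relation; the function names are hypothetical.

```python
# Standard DES S-box 1: 4 rows x 16 columns, entries are 4-bit values.
S1 = [
    [14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7],
    [ 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8],
    [ 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0],
    [15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13],
]

def sbox1(x):
    """Look up a 6-bit input: MSB and LSB select the row,
    the inner four bits select the column."""
    if not 0 <= x < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def is_linear_for(x1, x2):
    """True if S(x1) xor S(x2) == S(x1 xor x2) for this pair."""
    return sbox1(x1) ^ sbox1(x2) == sbox1(x1 ^ x2)

def linear_pair_count():
    """Number of ordered pairs (x1, x2) for which the relation holds."""
    return sum(is_linear_for(a, b) for a in range(64) for b in range(64))

EXERCISE_PAIRS = [(0b000000, 0b000001),
                  (0b111111, 0b100000),
                  (0b101010, 0b010101)]

if __name__ == "__main__":
    print(f"Example 1: S1(100101) = {sbox1(0b100101):04b}")
    for x1, x2 in EXERCISE_PAIRS:
        lhs = sbox1(x1) ^ sbox1(x2)
        rhs = sbox1(x1 ^ x2)
        print(f"{x1:06b}, {x2:06b}: {lhs:04b} vs {rhs:04b} ->",
              "linear" if lhs == rhs else "nonlinear")
    print(f"{linear_pair_count()} of 4096 pairs satisfy the linear relation")
```
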
