Secret Key Cryptography

1
 Block Cipher Scheme

Encrypt

Plaintext Cipher
block Secret key block
of length N of length N
Decrypt

2
 Generic Block Encryption
• Convert a plaintext block into an encrypted block: one-
to-one
– Key length too short?
– Block Length: Long enough to avoid known-plaintext attack,
but not too long (performance)
• 64 bit typical
• Output should look random
– No correlation between plaintext and ciphertext
– Spread bits around
• A single input bit should have influence on all the bits of the output
• Be able to change any one of the output with a probability of about
50%

3
Example of Block Encryption

4
 Generic Block Encryption

• Two kinds of simple transformations (k-bit

blocks)
– A Substitution specifies, for each of the 2k possible
values of the input, the k-bit output.
– A Permutation specifies, for each of the k input
bits, the output position to which it goes.
– Round: a combination of substitution and
permutation
• Given the key, an encryption mechanism must
be efficient to reverse
5
 DES (Data Encryption Standard)
• Published in 1977, standardized in 1979
• Key: 64 bit quantity = 8-bit parity + 56-bit key
• 64-bit input block, 64-bit output block
• Efficient to implement in hardware but relatively
slow if implemented in software

64 bit M 64 bit C
DES
Encryption

56 bits 6
 Basic Structure of DES
56-bit Key
64-bit
48-bitInput
K1
Generate 16 48-bit per-round keys
Permutation Initial Permutation
48-bit K1
Round 1
48-bit K2
Round 2
…... 48-bit K16
Round 16

Swap Swap left and right halves

Permutation Final Permutation

64-bit Output 7
 Permutation of the Data
• Initial Permutation (IP)
• View the input as M: 8(-byte) x 8(-bit) matrix
• Transform M into M1 in two steps
– Transpose row x into column (9-x), 0<x<9
– Apply permutation on the rows:
• For even column y, it becomes row y/2;
• For odd column y, it becomes row (5+y/2).
• Final Permutation FP = IP-1
• IP and FP are not random-looking permutation
• IP and FP do essentially nothing to enhance DES’s
security
8
Permutation of the Data

9
 Generating the Per-Round Keys
Initial Permutation of the 56 useful bits of the key

C i-1 28 bits D i-1 28 bits

Circular Left Shift Circular Left Shift

One
round Permutation Round 1,2,9,16:
with Discard single shift
Others: two bits
48 bits
Ki
Ci 28 bits Di 28 bits
10
• Also see Fig. 3-5 of the textbook
Initial Permutation of Key

11
 DES Round

• Apply the same operations (keys in reverse order: k16, k15, …, k1)
– Input: Rn+1 | Ln+1: swap operation
– Output: Rn | Ln: The swap operation at the end will produce the correct result
12
 Expansion of R from 32 bits to 48 bits

• Taking the adjacent bits and concatenating

them to the chunk

13
 The Mangler Function
4 4 4 4 4 4 4 4
K

R 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6

+ + + + + + + +

S1 S2 S3 S4 S5 S6 S7 S8 The permutation produces

“spread” among the
4 4 4 4 4 4 4 4 chunks/S-boxes!

Permutation

• Also see Figure 3-8 of the textbook 14

 S-Box (Substitute and Shrink)
• 48 bits ==> 32 bits. (8*6 ==> 8*4)
• 2 bits used to select amongst 4 substitutions for the rest of
the 4-bit quantity

2 bits I1
row I2
O1
I3 Si O2
I4 O3
I5 O4

4 bits I6 An integer
between 0 and 15
column i = 1,…8.

• Also see Figure 3-8 of the textbook 15

 S1

Example: input: 100110 output: ???

16
 8 S-Boxes

• Logic behind the selection of the S-Boxes remains

unpublished secret
• Is it a good idea technically to publish it?
• For details, see p. 72 – p. 73 of the textbook

17
 DES Standard

• Design process of DES was not more public

– If published the design process, this will involve many cryptanalytic
attacks

18
 DES Design Controversy
• Although DES standard is public, there was
considerable controversy over design
– in choice of 56-bit key
– and because design criteria were classified
• Subsequent events and public analysis show in fact
design was appropriate
• 16 Weak and Semi-Weak Keys
– C0 and D0 are: all ones, all zeros, alternating ones and
zeros, alternating zeros and ones
• DES has become widely used, especially in financial
applications
19
 International Data Encryption
Algorithm (IDEA)
• ETH Zurich, 1991
• Encrypt a 64-bit block of plaintext into a 64-bit
block of ciphertext
• 128-bit key
• Both DES and IDEA have the property that
encryption and decryption are identical except
for key expansion

20
 Basic Structure of IDEA
128-bit Key
64-bit Input
key expansion

k1k2k3k4
Round 1
k5k6
Round 2
…...
Round 16
k49k50k51k52
Round 17

64-bit Output 21
 IDEA Primitive Operations

• Map two 16-bit quantities into a 16-bit

quantity
• Three operations:
– Bitwise exclusive or: ⊕
– Slightly modified add + mod 216
– Slightly modified multiply ⊗ mod(216+1)
– reversible

22
 Key Expansion
• Generation of Key 1 through 8

• Generation of Key 9 through 16

23
 Key Expansion
• The 128-bit key is expanded into 52 16-bit keys K1, K2, …
K52
• Once the key are generated, the encryption and decryption
operations are the same
• Chop off 16 bits at a time to get 8 16-bit keys
• Start at bit 25, chop (and wrap around) again to get next 8 16-
bit keys
• Offsetting 25 more bits, repeat, until 52 keys are generated

24
 One Round
• 17 rounds, even and odd
• 64 bits input are divided into 4 16-bit quantities, Xa, Xb, Xc,
and Xd
• Odd round
– Use four of Ki
• Even round
– Use two of Ki

25
 IDEA: Odd Round
• Xa’ = Xa ⊗ Ka
• Xb’ = Xc + Kc
• Xc’ = Xb + Kb
• Xd’ = Xd ⊗ Kd
• To decrypt, use the inverse (relative to the
operations) of the keys

26
IDEA: Even Round

27
 IDEA: Even Round
• Mangler: Yout, Zout = f (Yin, Zin, Ke, Kf)
• First step:
– Yin = Xa ⊕ Xb
– Zin = Xc ⊕ Xd
• Second Step, mangler:
– Yout = ((Ke ⊗ Yin) + Zin) ⊗ Kf
– Zout = (Ke ⊗ Yin) + Yout
• Third step:
– Xa’ = Xa ⊕ Yout, Xb’ = Xb ⊕ Yout,
– Xc’ = Xc ⊕ Zout, Xd’ = Xd ⊕ Zout
28
 IDEA Decryption
• Decryption
– Use the same keys
– Use the exact operations as encryption
• The same code can perform either encryption or
decryption given different expanded keys

29
Advanced Encryption Standard
(AES)

30
 Origins
• clearly a replacement for DES was needed
– have theoretical attacks that can break it
– DES’s key was too small
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow with small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were short-listed in Aug-99
• Algorithm Rijndael was selected as the AES in Oct-
2000
• issued as FIPS PUB 197 standard in Nov-2001

31
 AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions & unclassified
analyses

32