Week 4
other form of symmetric ciphers, stream ciphers, are discussed in Chapter 8. Next, we cover full DES. Following this look at a specific algorithm, we return to a more general discussion of block cipher design.
Stream Cipher
• Encrypts a digital data stream one bit or one byte at a time
• Examples: autokeyed Vigenère cipher, Vernam cipher
• In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream
• If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
• The keystream must be provided to both users in advance via some independent and secure channel
• This introduces insurmountable logistical problems if the intended data traffic is very large
• For practical reasons the bit-stream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users
• It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
• The two users need only share the generating key and each can produce the keystream
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream ciphers are the autokeyed Vigenère cipher and the Vernam cipher. In the ideal case, a one-time pad version of the Vernam cipher would be used (Figure 3.7), in which the keystream (k_i) is as long as the plaintext bit stream (p_i). If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream. However, the keystream must be provided to both users in advance via some independent and secure channel. This introduces insurmountable logistical problems if the intended data traffic is very large.
Accordingly, for practical reasons, the bit-stream generator must be implemented as an algorithmic procedure, so that the cryptographic bit stream can be produced by both users. In this approach (Figure 4.1a), the bit-stream generator is a key-controlled algorithm and must produce a bit stream that is cryptographically strong. That is, it must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream. The two users need only share the generating key, and each can produce the keystream.
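As an added example (not code from the textbook or the slides): a stream cipher built from a key-controlled bit-stream generator in the style of Figure 4.1a, plus a one-time-pad variant whose pad is exactly as long as the plaintext. The generator is an assumption chosen for illustration, SHA-256 run in counter mode over the shared key and a per-message nonce; a production system would use a vetted stream cipher of the kind covered in Chapter 8. The last function shows the caveat behind "one-time": if the same keystream is reused for two messages, XORing the two ciphertexts cancels the keystream and hands the attacker p1 XOR p2, which is exactly the statistical foothold that the unpredictability requirement on the generator is meant to deny. The key, nonce and messages are constructed sample values.

```python
"""Added example: XOR stream cipher with a keyed generator (not textbook code)."""
import hashlib
import secrets

BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per counter value


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Key-controlled bit-stream generator (Figure 4.1a). Assumed construction for
    this example: SHA-256 over key || nonce || counter, concatenated until `length`
    bytes exist. Both users regenerate it from the shared key and the nonce."""
    blocks = (length + BLOCK - 1) // BLOCK
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest() for i in range(blocks)
    )
    return stream[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("keystream and data must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """c_i = p_i XOR k_i, one byte at a time."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same operation: XOR with the regenerated keystream."""
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def one_time_pad(plaintext: bytes) -> tuple[bytes, bytes]:
    """Vernam one-time pad: a fresh random pad exactly as long as the plaintext.
    The pad itself must then reach the receiver over a separate secure channel."""
    pad = secrets.token_bytes(len(plaintext))
    return pad, xor_bytes(plaintext, pad)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were produced with the SAME keystream, c1 XOR c2 = p1 XOR p2:
    the keystream cancels and the attacker learns the XOR of the plaintexts."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    key = bytes.fromhex("0f1571c947d9e859")       # 64-bit shared key (constructed sample)
    nonce = bytes.fromhex("0001020304050607")     # per-message nonce (constructed sample)
    p1 = b"attack at dawn"                        # constructed sample messages
    p2 = b"retreat at dusk"
    c1 = stream_encrypt(key, nonce, p1)
    c2 = stream_encrypt(key, nonce, p2)           # same nonce: keystream reused (a mistake)
    print(stream_decrypt(key, nonce, c1))
    print(keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2[: len(p1)]))
```

Using a fresh nonce per message is what keeps the generator's output from ever being reused; the `one_time_pad` function makes the logistical cost of the ideal case concrete, since the pad it returns has to be delivered out of band and is as large as the message itself.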
Block Cipher
• A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
• Typically a block size of 64 or 128 bits is used
• As with a stream cipher, the two users share a symmetric encryption key
• The majority of network-based symmetric cryptographic applications make use of block ciphers
Far more effort has gone into analyzing block ciphers. In general, they seem applicable to a broader range of applications than stream ciphers. The vast majority of network-based symmetric cryptographic applications make use of block ciphers. Accordingly, the concern in this chapter, and in our discussions throughout the book of symmetric encryption, will primarily focus on block ciphers.
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Table 4.1 Encryption and Decryption Tables for Substitution Cipher of Figure 4.2
Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions and permutations
• Substitutions: each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers. The essence of the approach is to develop a block cipher with a key length of k bits and a block length of n bits, allowing a total of 2^k possible transformations, rather than the (2^n)! transformations available with the ideal block cipher.
Diffusion and Confusion
• Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
• Shannon’s concern was to thwart cryptanalysis based on statistical analysis
Diffusion (note: cannot obtain the relation between them)
• The statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext
• This is achieved by having each plaintext digit affect the value of many ciphertext digits
Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible
• Even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key
cipher, all statistics of the ciphertext are independent of the particular key used. The arbitrary substitution cipher that we discussed previously (Figure 4.2) is such a cipher, but as we have seen, it is impractical.
Other than recourse to ideal systems, Shannon suggests two methods for frustrating statistical cryptanalysis: diffusion and confusion. In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits; generally, this is equivalent to having each ciphertext digit be affected by many plaintext digits.
As [ROBS95b] points out, so successful are diffusion and confusion in capturing the essence of the desired attributes of a block cipher that they have become the cornerstone of modern block cipher design.
Note: XOR of the round function output with itself = 0.
All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey K_i. Another way to express this is to say that F is a function of the right-half block of w bits and a subkey of y bits, which produces an output value of length w bits: F(RE_i, K_{i+1}). Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.
Feistel Cipher Design Features
• Block size: larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
• Round function F: greater complexity generally means greater resistance to cryptanalysis
• Block size: Larger block sizes mean greater security (all other things being equal) but reduced encryption/decryption speed for a given algorithm. The greater security is achieved by greater diffusion. Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was nearly universal in block cipher design. However, the new AES uses a 128-bit block size.
• Key size: Larger key size means greater security but may decrease encryption/decryption speed. The greater security is achieved by greater resistance to brute-force attacks and greater confusion. Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size.
• Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. A typical size is 16 rounds.
Feistel Example
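An added worked example of the round structure described above (my code, not the textbook's and not a DES implementation): a 16-round Feistel network on 64-bit blocks with 32-bit halves. The round function F and the subkey derivation are assumptions chosen for illustration (a keyed SHA-256, truncated to 32 bits); what the example shows does not depend on that choice. Decryption is the same routine with the subkeys applied in reverse, because F(RE_i, K) XOR F(RE_i, K) = 0 cancels the substitution round by round, and a single round leaves the right half of the plaintext in the clear, which is why one round offers inadequate security. The plaintext and key are the textbook's DES example values; the ciphertext this toy cipher produces is not the DES ciphertext.

```python
"""Added example: a toy 16-round Feistel network (not textbook code, not DES)."""
import hashlib

WIDTH = 32                       # bits per half; the block is 2 * WIDTH = 64 bits
ROUNDS = 16
MASK = (1 << WIDTH) - 1


def round_function(right: int, subkey: int) -> int:
    """F(RE_i, K_i): WIDTH-bit right half and WIDTH-bit subkey in, WIDTH bits out.
    Assumed construction for this example: SHA-256 of right || subkey, truncated.
    The Feistel structure never needs F to be invertible, only deterministic."""
    data = right.to_bytes(WIDTH // 8, "big") + subkey.to_bytes(WIDTH // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: WIDTH // 8], "big")


def key_schedule(key: bytes) -> list[int]:
    """Subkeys K_1 .. K_ROUNDS. Assumed derivation: SHA-256 of key || round
    number, truncated to WIDTH bits (DES uses PC-1, shifts and PC-2 instead)."""
    return [
        int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[: WIDTH // 8], "big")
        for i in range(1, ROUNDS + 1)
    ]


def feistel(block: int, subkeys: list[int]) -> int:
    """Apply one Feistel round per subkey, in the order given.
    Round i:  L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left, right = (block >> WIDTH) & MASK, block & MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    # Undo the last swap (equivalently: no swap in the final round, as in DES),
    # so that running the rounds again with the subkeys reversed restores the
    # plaintext: the XOR of F(R, K) with itself cancels to 0 in each round.
    return (right << WIDTH) | left


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: bytes) -> int:
    """Same algorithm as encryption; only the subkey order is reversed."""
    return feistel(block, key_schedule(key)[::-1])


def right_half_after_rounds(block: int, key: bytes, rounds: int) -> int:
    """Low WIDTH bits of the output after `rounds` rounds, for inspecting how
    much of the plaintext survives when too few rounds are used."""
    return feistel(block, key_schedule(key)[:rounds]) & MASK


if __name__ == "__main__":
    key = bytes.fromhex("0f1571c947d9e859")     # the textbook example key
    p = 0x02468ACEECA86420                       # the textbook example plaintext
    c = encrypt(p, key)
    print(f"plaintext  {p:016x}")
    print(f"ciphertext {c:016x}   (toy cipher, not the DES value)")
    print(f"decrypted  {decrypt(c, key):016x}")
    print(f"after 1 round, low half = {right_half_after_rounds(p, key, 1):08x}")
```

Running it with one round makes the design point concrete: the low 32 bits of the output equal the low 32 bits of the plaintext, because the first round only copies the right half into the left position. Only from the second round on does the plaintext's right half pass through F.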
Data Encryption Standard (DES)
Over the years, DES became the dominant symmetric encryption algorithm, especially in financial applications. In 1994, NIST reaffirmed DES for federal use for another five years; NIST recommended the use of DES for applications other than the protection of classified information. In 1999, NIST issued a new version of its standard (FIPS PUB 46-3) that indicated that DES should be used only for legacy systems and that triple DES (which in essence involves repeating the DES algorithm three times on the plaintext using two or three different keys to produce the ciphertext) be used. We study triple DES in Chapter 7. Because the underlying encryption and decryption algorithms are the same for DES and triple DES, it remains important to understand the DES cipher. This section provides an overview. For the interested reader, Appendix C provides further detail.
Note: each byte of the 64-bit key holds 7 key bits + 1 parity bit.
The overall scheme for DES encryption is illustrated in Figure 4.5. As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.
Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds in three phases. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input. This is followed by a phase consisting of sixteen rounds of the same function, which involves both permutation and substitution functions. The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key. The left and right halves of the output are swapped to produce the preoutput. Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext. With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher, as shown in Figure 4.3.
The right-hand portion of Figure 4.5 shows the way in which the 56-bit key is used. Initially, the key is passed through a permutation function. Then, for each of the sixteen rounds, a subkey (K_i) is produced by the combination of a left circular shift and a permutation. The permutation function is the same for each round, but a different subkey is produced because of the repeated shifts of the key bits.
As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed. Additionally, the initial and final permutations are reversed.
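The right-hand side of Figure 4.5 in code, as an added example (my code, not the textbook's): the DES key schedule, taking the 64-bit key with its parity bits through PC-1, the per-round left circular shifts of the C and D halves, and PC-2, to produce the sixteen 48-bit subkeys. The PC-1 and PC-2 tables and the shift schedule are those of FIPS 46-3; PC-1 never selects bit positions 8, 16, ..., 64, which is where the parity bit of each key byte sits, so the 56 effective key bits are all that enter the schedule. The formatting helper prints a subkey as eight 6-bit values in hex, the convention of Table 4.2, and the key is the textbook's example key, so the printed subkeys can be compared against that table. The parity check is included because DES keys are conventionally stored with odd parity per byte.

```python
"""Added example: the DES key schedule (PC-1, rotations, PC-2). Not textbook code."""

# Permuted Choice 1 (FIPS 46-3): selects 56 of the 64 key bits, in this order.
# Bit positions 8, 16, ..., 64 (the parity bits) are absent.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]

# Permuted Choice 2 (FIPS 46-3): selects 48 of the 56 bits of C_i || D_i.
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

# Left-shift amount for each of the 16 rounds; they total 28, one full rotation.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def key_to_bits(key: bytes) -> list[int]:
    """64 bits, MSB of the first byte first, numbered 1..64 as in FIPS 46-3."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes (56 key bits + 8 parity bits)")
    return [(byte >> (7 - j)) & 1 for byte in key for j in range(8)]


def has_odd_parity(key: bytes) -> bool:
    """Each key byte carries 7 key bits plus a parity bit chosen so that the
    byte has an odd number of 1s; True if every byte satisfies that."""
    return all(bin(byte).count("1") % 2 == 1 for byte in key)


def permute(bits: list[int], table: list[int]) -> list[int]:
    """Output bit j is input bit table[j] (1-indexed positions, as in the tables)."""
    return [bits[pos - 1] for pos in table]


def rotate_left(half: list[int], n: int) -> list[int]:
    return half[n:] + half[:n]


def bits_to_int(bits: list[int]) -> int:
    return int("".join(map(str, bits)), 2)


def des_key_schedule(key: bytes):
    """Return (C0, D0, rounds) where rounds[i] = (C_{i+1}, D_{i+1}, K_{i+1});
    halves are 28-bit lists and each K is a 48-bit integer."""
    c0d0 = permute(key_to_bits(key), PC1)      # parity bits are dropped here
    c, d = c0d0[:28], c0d0[28:]
    c0, d0 = c, d
    rounds = []
    for shift in SHIFTS:
        c, d = rotate_left(c, shift), rotate_left(d, shift)
        rounds.append((c, d, bits_to_int(permute(c + d, PC2))))  # same PC-2 each round
    return c0, d0, rounds


def format_subkey(k: int) -> str:
    """Render a 48-bit subkey as eight 6-bit values in hex (the Table 4.2 convention)."""
    return "".join(f"{(k >> (42 - 6 * i)) & 0x3F:02x}" for i in range(8))


def decryption_subkeys(key: bytes) -> list[int]:
    """Decryption applies the same subkeys in reverse order, K_16 first."""
    return [k for _, _, k in des_key_schedule(key)[2]][::-1]


if __name__ == "__main__":
    key = bytes.fromhex("0f1571c947d9e859")        # key from the textbook example
    print("odd parity:", has_odd_parity(key))
    for i, (_, _, k) in enumerate(des_key_schedule(key)[2], start=1):
        print(f"K{i:<2} {format_subkey(k)}")
```

Because the shifts sum to 28, C_16 and D_16 are identical to C_0 and D_0; this is what lets a decryptor generate the subkeys in reverse by running the same schedule with right rotations, starting from the unshifted halves.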
Table 4.2 DES Example (Table can be found on page 106 in the textbook)
Note: DES subkeys are shown as eight 6-bit values in hex format
We now work through an example and consider some of its implications. Although
you are not expected to duplicate the example by hand, you will find it informative
to study the hex patterns that occur from one step to the next.
Plaintext: 02468aceeca86420
Key: 0f1571c947d9e859
Ciphertext: da02ce3a89ecac3b
Table 4.2 shows the progression of the algorithm. The first row shows the 32-bit values of the left and right halves of data after the initial permutation. The next 16 rows show the results after each round. Also shown is the value of the 48-bit subkey generated for each round. Note that L_i = R_{i-1}. The final row shows the left- and right-hand values after the inverse initial permutation. These two values combined form the ciphertext.
Table 4.5 Average Time Required for Exhaustive Key Search (Table can be found on page 109 in the textbook)
Since its adoption as a federal standard, there have been lingering concerns about the level of security provided by DES. These concerns, by and large, fall into two areas: key size and the nature of the algorithm.
With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical. Assuming that, on average, half the key space has to be searched, a single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.
As far back as 1977, Diffie and Hellman postulated that the technology existed to build a parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond [DIFF77]. This would bring the average search time down to about 10 hours. The authors estimated that the cost would be about $20 million in 1977 dollars.
With these results in mind, Table 4.5 shows how much time is required for a brute-force attack for various key sizes. As can be seen, a single PC can break DES in about a year; if multiple PCs work in parallel, the time is drastically shortened. And today’s supercomputers should be able to find a key in about an hour. Key sizes of 128 bits or greater are effectively unbreakable using simply a brute-force approach. Even if we managed to speed up the attacking system by a factor of 1 trillion (10^12), it would still take over 100,000 years to break a code using a 128-bit key.
Feistel Function
DES Algorithm
Key Schedule
Permutation Choices
P-Boxes
S-Box