Lecture 3: Data Encryption Standard (DES) and Advanced Encryption Standard

The document discusses modern block ciphers like the Data Encryption Standard (DES) and their design principles, providing details on DES's structure, key schedule, encryption and decryption processes, and analyses of its strength against different types of attacks. It also covers the origins and requirements of the Advanced Encryption Standard (AES) competition to replace DES and issues with DES's smaller key size.


Data Encryption Standard

Modern Block Ciphers

- now look at modern block ciphers
- one of the most widely used types of cryptographic algorithms
- provide secrecy / authentication services
- focus on DES (Data Encryption Standard)
  - to illustrate block cipher design principles
Block vs Stream Ciphers

- block ciphers process messages in blocks, each of which is then en/decrypted
  - like a substitution on very big characters
  - 64 bits or more
- stream ciphers process messages a bit or byte at a time when en/decrypting
- many current ciphers are block ciphers
  - broader range of applications
Block Cipher Principles

- most symmetric block ciphers are based on a Feistel Cipher Structure
- needed since must be able to decrypt ciphertext to recover messages efficiently
- block ciphers look like an extremely large substitution
  - would need table of 2^64 entries for a 64-bit block
- instead create from smaller building blocks
  - using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-Permutation Ciphers

- Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
- form basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
- provide confusion & diffusion of message & key
Confusion and Diffusion

- cipher needs to completely obscure statistical properties of original message
  - a one-time pad does this
- more practically Shannon suggested combining S & P elements to obtain:
  - diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  - confusion – makes relationship between ciphertext and key as complex as possible
Feistel Cipher Structure

- Horst Feistel devised the Feistel cipher
  - based on concept of invertible product cipher
- partitions input block into two halves
  - process through multiple rounds which
  - perform a substitution on left data half
  - based on round function of right half & subkey
  - then have permutation swapping halves
- implements Shannon’s S-P net concept
Feistel Cipher Structure
Feistel Cipher Design Elements

- block size
- key size
- number of rounds
- subkey generation algorithm
- round function
- fast software en/decryption
- ease of analysis
Feistel Cipher Decryption
Data Encryption Standard (DES)

- most widely used block cipher in world
- adopted in 1977 by NBS (now NIST)
  - as FIPS PUB 46
- encrypts 64-bit data using 56-bit key
- has widespread use
- has been considerable controversy over its security
DES History

- IBM developed Lucifer cipher
  - by team led by Feistel in late 60’s
  - used 64-bit data blocks with 128-bit key
- then redeveloped as a commercial cipher with input from NSA and others
- in 1973 NBS issued request for proposals for a national cipher standard
- IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy

- although DES standard is public
- was considerable controversy over design
  - in choice of 56-bit key (vs Lucifer 128-bit)
  - and because design criteria were classified
- subsequent events and public analysis show in fact design was appropriate
- use of DES has flourished
  - especially in financial applications
  - still standardised for legacy application use
DES Encryption Overview
DES Round Structure

- uses two 32-bit L & R halves
- as for any Feistel cipher can describe as:
  Li = Ri–1
  Ri = Li–1 ⊕ F(Ri–1, Ki)
- F takes 32-bit R half and 48-bit subkey:
  - expands R to 48 bits using perm E
  - adds to subkey using XOR
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes using 32-bit perm P
DES Key Schedule

- forms subkeys used in each round
- initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
- 16 stages consisting of:
  - rotating each half separately either 1 or 2 places depending on the key rotation schedule K
  - selecting 24 bits from each half & permuting them by PC2 for use in round function F
- note practical use issues in h/w vs s/w
DES Decryption

- decrypt must unwind steps of data computation
- with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  - IP undoes final FP step of encryption
  - 1st round with SK16 undoes 16th encrypt round
  - ….
  - 16th round with SK1 undoes 1st encrypt round
  - then final FP undoes initial encryption IP
  - thus recovering original data value
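As an added example that is not part of the lecture, the toy Feistel network below implements the round equations from the DES Round Structure slide and shows why decryption is the same routine run with the subkeys in reverse order, as the DES Decryption slide states. The round function F and the subkeys are constructed stand-ins, not DES's E, S-boxes, P or key schedule.

```python
# Added example, not from the lecture: a generic Feistel network.
# F is a constructed, deliberately non-invertible mixer standing in for
# DES's expansion E, eight S-boxes and permutation P with 48-bit subkeys.

def F(right: int, subkey: int, mask: int) -> int:
    """Constructed round function on one half; it need not be invertible."""
    x = (right ^ subkey) & mask
    return (x * 0x9E3779B1 ^ (x >> 5)) & mask

def feistel_encrypt(block: int, subkeys: list, half_bits: int = 32) -> int:
    """One round per subkey:  L_i = R_{i-1},  R_i = L_{i-1} xor F(R_{i-1}, K_i)."""
    mask = (1 << half_bits) - 1
    left, right = block >> half_bits, block & mask
    for k in subkeys:
        left, right = right, left ^ F(right, k, mask)
    # Like DES, undo the swap after the last round: this is what makes
    # decryption literally the same routine run with the reversed key order.
    return (right << half_bits) | left

def feistel_decrypt(block: int, subkeys: list, half_bits: int = 32) -> int:
    """Decryption = encryption with subkeys K_n ... K_1 (DES: SK16 ... SK1)."""
    return feistel_encrypt(block, list(reversed(subkeys)), half_bits)

def roundtrip_ok(block: int, subkeys: list) -> bool:
    """Check that reversing the key order really unwinds every round."""
    return feistel_decrypt(feistel_encrypt(block, subkeys), subkeys) == block

if __name__ == "__main__":
    # Constructed sample: one 64-bit block and four 32-bit subkeys.
    subkeys = [0x0F1E2D3C, 0x12345678, 0xDEADBEEF, 0x0BADF00D]
    pt = 0x0123456789ABCDEF
    ct = feistel_encrypt(pt, subkeys)
    print(f"ct = {ct:016x}, decrypts correctly: {roundtrip_ok(pt, subkeys)}")
```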
Strength of DES – Key Size

- 56-bit keys have 2^56 = 7.2 × 10^16 values
- brute force search looks hard
- recent advances have shown is possible
  - in 1997 on Internet in a few months
  - in 1998 on dedicated h/w (EFF) in a few days
  - in 1999 above combined in 22hrs!
- still must be able to recognize plaintext
- must now consider alternatives to DES
Strength of DES – Analytic Attacks

- now have several analytic attacks on DES
- these utilise some deep structure of the cipher
  - by gathering information about encryptions
  - can eventually recover some/all of the sub-key bits
  - if necessary then exhaustively search for the rest
- generally these are statistical attacks
- include
  - differential cryptanalysis
  - linear cryptanalysis
  - related key attacks
Strength of DES – Timing Attacks

- attacks actual implementation of cipher
- use knowledge of consequences of implementation to derive information about some/all subkey bits
- specifically use fact that calculations can take varying times depending on the value of the inputs to it
- particularly problematic on smartcards
Differential Cryptanalysis

- one of the most significant recent (public) advances in cryptanalysis
- known by NSA in 70's cf DES design
- Murphy, Biham & Shamir published in 90’s
- powerful method to analyse block ciphers
- used to analyse most current block ciphers with varying degrees of success
- DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis

- a statistical attack against Feistel ciphers
- uses cipher structure not previously used
- design of S-P networks has output of function f influenced by both input & key
- hence cannot trace values back through cipher without knowing value of the key
- differential cryptanalysis compares two related pairs of encryptions
Differential Cryptanalysis

- have some input difference giving some output difference with probability p
- if find instances of some higher probability input / output difference pairs occurring
- can infer subkey that was used in round
- then must iterate process over many rounds (with decreasing probabilities)
Differential Cryptanalysis

- perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
- when found
  - if intermediate rounds match required XOR have a right pair
  - if not then have a wrong pair, relative ratio is S/N for attack
- can then deduce keys values for the rounds
  - right pairs suggest same key bits
  - wrong pairs give random values
- for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
- Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES
Linear Cryptanalysis

- another recent development
- also a statistical method
- must be iterated over rounds, with decreasing probabilities
- developed by Matsui et al in early 90's
- based on finding linear approximations
- can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
Linear Cryptanalysis

- find linear approximations with prob p != ½
  P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
  where ia,jb,kc are bit locations in P,C,K
- gives linear equation for key bits
- get one key bit using max likelihood alg
- using a large number of trial encryptions
- effectiveness given by: |p – 1/2|
DES Design Criteria

- as reported by Coppersmith in [COPP94]
- 7 criteria for S-boxes provide for
  - non-linearity
  - resistance to differential cryptanalysis
  - good confusion
- 3 criteria for permutation P provide for
  - increased diffusion
Summary
- have considered:
  - block vs stream ciphers
  - Feistel cipher design & structure
  - DES
    - details
    - strength
  - Differential & Linear Cryptanalysis
  - block cipher design principles
Advanced Encryption Standard
Topics

- Origin of AES
- Basic AES
- Inside Algorithm
Origins

- A replacement for DES was needed
  - Key size is too small
  - Can use Triple-DES – but slow, small block
- US NIST issued call for ciphers in 1997
- 15 candidates accepted in Jun 98
- 5 were shortlisted in Aug 99


AES Security

- AES was designed after DES.
- Most of the known attacks on DES were already tested on AES.
- Brute-Force Attack
  - AES is definitely more secure than DES due to the larger-size key.
- Statistical Attacks
  - Numerous tests have failed to do statistical analysis of the ciphertext
- Differential and Linear Attacks
  - There are no differential and linear attacks on AES as yet.
AES Competition Requirements

- Private key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger & faster than Triple-DES
- Provide full specification & design details
- Both C & Java implementations

AES Evaluation Criteria

- initial criteria:
  - security – effort for practical cryptanalysis
  - cost – in terms of computational efficiency
  - algorithm & implementation characteristics
- final criteria
  - general security
  - ease of software & hardware implementation
  - implementation attacks
  - flexibility (in en/decrypt, keying, other factors)
AES Shortlist
- After testing and evaluation, shortlist in Aug-99
  - MARS (IBM) - complex, fast, high security margin
  - RC6 (USA) - v. simple, v. fast, low security margin
  - Rijndael (Belgium) - clean, fast, good security margin
  - Serpent (Euro) - slow, clean, v. high security margin
  - Twofish (USA) - complex, v. fast, high security margin
- Found contrast between algorithms with
  - few complex rounds versus many simple rounds
  - Refined versions of existing ciphers versus new proposals

Rijndael: pronounced “Rain-Dahl”


The AES Cipher - Rijndael
- Rijndael was selected as the AES in Oct-2000
- Designed by Vincent Rijmen and Joan Daemen in Belgium
- Issued as FIPS PUB 197 standard in Nov-2001
- An iterative rather than Feistel cipher
  - processes data as block of 4 columns of 4 bytes (128 bits)
  - operates on entire data block in every round
- Rijndael design:
  - simplicity
  - has 128/192/256 bit keys, 128 bits data
  - resistant against known attacks
  - speed and code compactness on many CPUs
Topics

- Origin of AES
- Basic AES
- Inside Algorithm
- Final Notes
AES Conceptual Scheme

Plaintext (128 bits)
AES Key (128-256 bits)
Ciphertext (128 bits)

Multiple rounds
- Rounds are (almost) identical
- First and last round are a little different
High Level Description

No MixColumns (in the final round)
Overall Structure
- 128-bit values
- Data block viewed as 4-by-4 table of bytes
- Represented as 4 by 4 matrix of 8-bit bytes.
- Key is expanded to array of 32-bit words
Data Unit
Unit Transformation
Changing Plaintext to State
SubBytes Operation
- The SubBytes operation involves 16 independent byte-to-byte transformations.
  - Interpret the byte as two hexadecimal digits xy: S1,1 = xy16
  - SW implementation: use row (x) and column (y) as lookup pointer, giving x’y’16
SubBytes Table
- Implement by Table Lookup
InvSubBytes Table
Sample SubByte
Transformation
- The SubBytes and InvSubBytes transformations are inverses of each other.
ShiftRows
- Shifting, which permutes the bytes.
- A circular byte shift in each row
  - 1st row is unchanged
  - 2nd row does 1 byte circular shift to left
  - 3rd row does 2 byte circular shift to left
  - 4th row does 3 byte circular shift to left
- In the encryption, the transformation is called ShiftRows
- In the decryption, the transformation is called InvShiftRows and the shifting is to the right
ShiftRows Scheme
ShiftRows and InvShiftRows
MixColumns
- ShiftRows and MixColumns provide diffusion to the cipher
- Each column is processed separately
- Each byte is replaced by a value dependent on all 4 bytes in the column
- Effectively a matrix multiplication in GF(2^8) using prime poly m(x) = x^8 + x^4 + x^3 + x + 1
MixColumns Scheme

The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
MixColumn and InvMixColumn
AddRoundKey

- XOR state with 128 bits of the round key
- AddRoundKey proceeds one column at a time.
  - adds a round key word with each state column matrix
  - the operation is matrix addition
- Inverse for decryption identical
  - since XOR own inverse, with reversed keys
- Designed to be as simple as possible
AddRoundKey Scheme
AES Round
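The ShiftRows, MixColumns/InvMixColumns and AddRoundKey steps from the slides above, as an added example that is not part of the lecture (SubBytes is left out because it is only the 256-entry table lookup shown earlier). The byte arithmetic uses the slides' m(x) = x^8 + x^4 + x^3 + x + 1; the state layout, the round-step functions and their names are the example's own, and the test vectors it relies on are the MixColumns examples published in FIPS PUB 197.

```python
# Added example, not from the lecture: AES round steps on a 4x4 state, state[r][c] = row r, column c.
MODULUS = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1 as a bit pattern

def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8): shift-and-add, reducing by m(x) on overflow."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return p & 0xFF

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]                  # MixColumns
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]  # InvMixColumns

def mix_column(col, matrix=MIX):
    """Every output byte depends on all four input bytes of the column."""
    return [gmul(m[0], col[0]) ^ gmul(m[1], col[1]) ^ gmul(m[2], col[2]) ^ gmul(m[3], col[3])
            for m in matrix]

def mix_columns(state, matrix=MIX):
    """Each column is processed separately."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def shift_rows(state, inverse=False):
    """Rotate row r by r bytes left (right for InvShiftRows); row 0 is unchanged."""
    step = -1 if inverse else 1
    return [row[step * r:] + row[:step * r] for r, row in enumerate(state)]

def add_round_key(state, round_key):
    """XOR state with the round key byte by byte; XOR is its own inverse."""
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]

def aes_round(state, round_key, final=False):
    """Round steps after SubBytes: ShiftRows, MixColumns (not in last round), AddRoundKey."""
    state = shift_rows(state)
    if not final:
        state = mix_columns(state)
    return add_round_key(state, round_key)

def inv_aes_round(state, round_key, final=False):
    """Undo aes_round: AddRoundKey, InvMixColumns, InvShiftRows."""
    state = add_round_key(state, round_key)
    if not final:
        state = mix_columns(state, INV_MIX)
    return shift_rows(state, inverse=True)
```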
AES Key Scheduling
- takes 128-bit (16-byte) key and expands into array of 44 32-bit words
Implementation Aspects

- The algorithms used in AES are so simple that they can be easily implemented using cheap processors and a minimum amount of memory.
- Very efficient
- Implementation was a key factor in its selection as the AES cipher
- AES animation: http://www.cs.bc.edu/~straubin/cs381-05/blockciphers/rijndael_ingles2004.swf
