ASSESSMENT SYSTEM – ADVANCED CRYPTO-1

Fall 2024
Grading Policy

• Quizzes 10% (expect any lecture day from next

week onwards)
• Assignments 10%
• Mid Terms 30%
• ESE 40%

(Note: Minor adjustment in grading %age

possible as per NUST statutes)

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
 Advanced Cryptography -1
Fall 2024

Lecture 4 – Data Encryption Standard

(DES)

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES
Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

3/29

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES
Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

4/29

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
  Classification of the Field of Cryptology

Cryptology

Cryptography Cryptanalysis

Symmetric Ciphers Asymmetric Ciphers Hash Functions Protocols

/ Public Key
Cryptography

MD5, SSL/TLS,
Block Ciphers Stream Ciphers
SHA-1/2, S/MIME
SHA 256

AES, A5/2, RC4

DES, RC5
RSA,AlGamal, Diffie-
5/36
Hellman Merkle, DSA
You are here! Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  DES Facts

• Data Encryption Standard (DES) encrypts blocks of size 64 bit.

• Developed by IBM based on the cipher Lucifer under influence of the
National Security Agency (NSA), the design criteria for DES have not
been published
• Standardized 1977 by the National Bureau of Standards (NBS)
today called National Institute of Standards and Technology
(NIST)
• Most popular block cipher for most of the last 30 years.
• By far best studied symmetric algorithm.
• Nowadays considered insecure due to the small key length
of 56 bit.
• But: 3DES yields very secure cipher, still widely used today.
• Replaced by the Advanced Encryption Standard (AES) in 2000

• For a more detailed history see Chapter 3.1 in

6/29
Understanding Cryptography
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Block Cipher Primitives: Confusion and Diffusion

• Claude Shannon: There are two primitive operations with which strong
encryption algorithms can be built:
1. Confusion: An encryption operation where the relationship
between key and ciphertext is obscured.
Today, a common element for achieving confusion is substitution,
which is found in both AES and DES.

2. Diffusion: An encryption operation where the influence of one

plaintext symbol is spread over many ciphertext symbols with the
goal of hiding statistical properties of the plaintext.
A simple diffusion element is the bit permutation, which is
frequently used within DES.

• Both operations by themselves cannot provide security. The idea is to

concatenate confusion and diffusion elements to build so called product
ciphers.

7/29

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Product Ciphers

• In cryptography, a product cipher combines two or more

transformations in a manner intending that the resulting
cipher is more secure than the individual components to
make it resistant to cryptanalysis.
• Most of today‘s block ciphers are product ciphers as they
consist of rounds which are applied repeatedly to the data.

• Can reach excellent diffusion: changing of one bit of

plaintext results on average in the change of half the
output bits.

Example:

single bit many bit

flip flips

9/29

Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing

MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

10/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Overview of the DES Algorithm

x
64

56
DES k

64

• Encrypts blocks of size 64 bits.

• Uses a key of size 56 bits.
• Symmetric cipher: uses same key for encryption and
decryption
• Uses 16 rounds which all perform the identical
operation
• Different subkey in each round derived from main key
11/

• In Block Ciphers, Subkeys for each round are

29
derived from
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
the main key, by a Key Schedule AlgorithmMCS
  The DES Feistel Network (1)

• DES structure is a Feistel network

• Advantage: encryption and

decryption differ only in
keyschedule

• Bitwise initial permutation, then 16 rounds

1.Plaintext is split into 32-bit halves Li and Ri
2. Ri is fed into the function f, the output of which is then
XORed with Li
3.Left and right half are swapped
• Rounds can be expressed as:
• Q: Which half being encrypted?
12/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  The DES Feistel Network (2)

• L and R swapped again at the end of the cipher, i.e., after

round 16 followed by a final permutation

13/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES
Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

14/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Initial and Final Permutation

• Bitwise Permutations.
• Inverse operations.
• Described by tables IP and IP-1.

Initial Permutation Final

Permutation

15/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  The f-Function

• main operation of DES

• f-Function inputs:
Ri-1 and round key ki

• 4 Steps:
1.Expansion E
2.XOR with round
key
3.S-box substitution
4.Permutation

16/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  The Expansion Function E
1. Expansion E
• main purpose:
increases diffusion
!

17/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Add Round Key

2. XOR Round Key

• Bitwise XOR of the round key and

the output of the expansion
function E

• Round keys are derived from the

main key in the DES keyschedule
(in a few slides)

18/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  The DES S-Boxes
3. S-Box substitution
• Eight substitution tables (Avalanche
effect?).
• 6 bits of input, 4 bits of output.
• Non-linear and resistant to
differential cryptanalysis
(1990 !!! ).
• Crucial element for DES security!
• Find all S-Box tables and S-Box design
criteria in Understanding Cryptography
Chapter 3.

19/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  The Permutation P
4. Permutation P
• Bitwise permutation.
• Introduces diffusion.
• Output bits of one S-Box effect several S-
Boxes in next round
• Diffusion by E, S-Boxes and P guarantees
that after Round 5 every bit is a function
of each key bit and each plaintext bit.

20/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Key Schedule (1)

• Derives 16 round keys (or subkeys) ki of 48 bits each

from the56 bit
original
key.
!
• The input key size of the DES is 64 bit: 56 bit key and 8 bit
parity:

• Parity bits are removed in a first permuted choice PC-1:

(note that the bits 8, 16, 24, 32, 40, 48, 56 and 64 are not
used at all)

21/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Key Schedule (2)
• Split key into 28-bit halves C0 and D0.

• In rounds i = 1, 2, 9 ,16, the two halves are

each rotated left by one bit.

• In all other rounds where the two halves are

each rotated left by two bits.

• In each round i permuted choice PC-2

selects a permuted subset of 48 bits of Ci
and Di as round key ki, i.e. each ki is a
permutation of k!

• Note: The total number of rotations:

4 x 1 + 12 x 2 = 28  D0 = D16 and C0 =
22/ C16!
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES
Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

23/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Decryption
• In Feistel ciphers only the
keyschedule has to be
modified for decryption.
• Generate the same 16 round
keys in reverse order.
(for a detailed discussion on why this
works see Understanding Crptography
Chapter 3)

• Reversed key schedule:

As D0=D16 and C0=C16 the first round
key
can be generated by applying PC-2
right after PC-1 (no rotation here!).
All other rotations of C and D can be
reversed to reproduce the other round
keys resulting in:
• No rotation in round 1.
• One bit rotation to the right in
24/
29
rounds 2, 9 and 16.
• Two bit rotations to the right in Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
 Content of this Chapter

• Introduction to DES
• Overview of the DES
Algorithm
• Internal Structure of DES
• Decryption
• Security of DES

25/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Security of DES

• After proposal of DES two major criticisms arose:

1. Key space is too small (256 keys)
2. S-box design criteria have been kept secret: Are there
any hidden analytical attacks (backdoors), only
known to the NSA?

• Analytical Attacks: DES is highly resistent to both differential

(1990) and linear cryptanalysis, which have been published years
later than the DES. This means IBM and NSA had been aware
of these attacks for 16 years!
So far there is no known analytical attack which breaks DES in
realistic scenarios.

• Exhaustive key search: For a given pair of plaintext-ciphertext (x, y)

test all 256 keys until the condition DES -1(x)=y is fulfilled.
 Relatively easy given today’s computer technology!
26/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  History of Attacks on DES
Year Proposed/ implemented DES Attack
1977 Diffie & Hellman, (under-)estimate the costs of a key search machine
1990 Biham & Shamir propose differential cryptanalysis (247 chosen
ciphertexts)
1993 Mike Wiener proposes design of a very efficient key search
machine: Average search requires 36h. Costs: $1.000.000

1993 Matsui proposes linear cryptanalysis (243 chosen ciphertexts)

Jun. 1997 DES Challenge I broken, 4.5 months of distributed search
Feb. 1998 DES Challenge II--1 broken, 39 days (distributed search)
Jul. 1998 DES Challenge II--2 broken, key search machine Deep Crack built by
the Electronic Frontier Foundation (EFF): 1800 ASICs with 24 search
engines each, Costs: $250 000, 15 days average search time
(required 56h for the Challenge)
Jan. 1999 DES Challenge III broken in 22h 15min
(distributed search assisted by Deep
Crack)
2006- Reconfigurable key search machine COPACOBANA developed at the
27/2008 Universities in Bochum and Kiel (Germany), uses 120 FPGAs to break
29
DES in Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Triple DES – 3DES

• Triple encryption using DES is often used in practice to extend the

effective key length of DES to 112. For more info on multiple
encryption and effective key lengths see Chapter 5 of Understanding
Cryptography.

• Alternative version of 3DES:

Advantage: choosing k1=k2=k3 performs single DES

encryption.
• No practical attack known today.
• Used in many legacy applications, i.e., in banking
systems.
28/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Alternatives to DES

Algorithm I/O Bit key lengths remarks

DES ''replacement'',
AES / Rijndael 128 128/192/256
worldwide used
standard
Triple DES 64 112 (effective) conservative choice
Mars 128 128/192/256 AES finalist
RC6 128 128/192/256 AES finalist
Serpent 128 128/192/256 AES finalist
Twofish 128 128/192/256 AES finalist
IDEA 64 128 patented

29/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS
  Lessons Learned

• DES was the dominant symmetric encryption algorithm from the mid-
1970s to the mid-1990s. Since 56-bit keys are no longer secure,
the Advanced Encryption Standard (AES) was created.

• Standard DES with 56-bit key length can be broken relatively easily
nowadays through an exhaustive key search.

• DES is quite robust against known analytical attacks: In practice it is

very difficult to break the cipher with differential or linear
cryptanalysis.

• By encrypting with DES three times in a row, triple DES (3DES) is

created, against which no practical attack is currently known.

• The “default” symmetric cipher is nowadays often AES. In addition, the

other four AES finalist ciphers all seem very secure and
efficient.

30/
29
Advanced Cryptography – 1, Fall 2024. Dr Muhammad Tayyab Ali, R&D Wing
MCS