3.

Stream Ciphers

Introduction to block ciphers

DES
On the security of DES
Strengthening DES

Introduction to block ciphers

DES
On the security of DES
Strengthening DES

General course presentation

Course lectures are the most important.

Understanding Cryptography by Christof Paar and Jan Pelzl, Springer.

Cryptography I by Dan Boneh, http://coursera.org/.

Introduction to block ciphers

Cryptology

Cryptography

Symmetric
Ciphers
Block Ciphers

Asymmetric
Ciphers

Stream
Ciphers

Cryptanalysis

Protocols

Introduction to block ciphers

A cipher (or cryptosystem) defined over (K,M,C) is a pair of efficient algorithms

(E,D) where E: KxM -> C and D: KxC ->M so that for any m M, k K:
D(k, E(k,m))=m (consistency property)
efficient depends on the application: in must run in a certain time or use a certain
amount of computing power.
Algorithm E is a randomized algorithm.
Algorithm D is always deterministic.

Introduction to block ciphers

K
x0,x1, xb

Stream
Cipher

y0,y1, yb

x0 ,
x1 ,

xb

K
Block Cipher

Stream ciphers:
Encrypt bits individually
Usually small and fast common in embedded devices (e.g., A5/1 for GSM/UMTS phones)

Block Ciphers:
Always encrypt a full block (several bits)
Are common for Internet applications.

y0 ,
y1 ,

yb

Introduction to block ciphers

Claude Shannon: There are two properties that strong encryption algorithms
must posses:
1. Confusion: An encryption operation where the relationship between key and ciphertext is
obscured.
Today, a common element for achieving confusion is substitution, which is found in both AES and
DES.
2. Diffusion: An encryption operation where the influence of one plaintext symbol is spread over
many ciphertext symbols with the goal of hiding statistical properties of the plaintext.
A simple diffusion element is the bit permutation, which is frequently used within DES.

Both operations by themselves cannot provide security. The idea is to

concatenate confusion (substitution) and diffusion (permutation) elements to
build so called product ciphers.

Understanding Cryptography by Christof Paar and Jan Pelzl

Introduction to block ciphers

m
Confusion

Key expansion

m
Diffusion
m

Confusion

Diffusion
c

Most of todays block ciphers are product ciphers as

they consist of rounds which are applied repeatedly
to the data.
The other important part of a block cipher is the key
expansion.

Introduction to block ciphers

AMD Opteron, 2.2 GHz (Linux), Crypto++ 5.6.0. [Wei Dai]

Cipher

Stream
Block

Block/key size

Speed (MB/sec)

RC4

126

Salsa20/12

643

Sosemanuk

727

3DES

64/168

13

AES

128/128

109

Cryptography I, Dan Boneh

Introduction to block ciphers

DES
On the security of DES
Strengthening DES

DES

n bits
PT Block

n bits
CT Block

E, D
Key

k Bits

Canonical examples:
3DES: n = 64 bits, k = 168 bits
AES: n = 128 bits, k = 128, 192, 256 bits
DES: n = 64 bits, k = 56 bits

DES

Early 1970s: Horst Feistel designs Lucifer at IBM

key-len = 128 bits ; block-len = 128 bits

1973: NBS asks for block cipher proposals.

IBM submits variant of Lucifer.

1976: NBS adopts DES as a federal standard

key-len = 56 bits ; block-len = 64 bits

1997: DES broken by exhaustive search

2000: NIST adopts Rijndael as AES to replace DES
DES remains widely deployed in legacy systems.
3DES and DESX are secure ciphers that are based on DES.

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

input

k16
IP-1

64 bits

Feistel
network

k2
Feistel
network

IP

k1
Feistel
network

64 bits

key expansion

output

DES

Given functions f1, , fd: {0,1}n {0,1}n

Goal: build invertible function F: {0,1}2n {0,1}2n

n-bits

L0

L1

f2

f1

R1

R2
L2

input
Question1: who is being encrypted? R0 or L0?
Question2: what kind of encryption is being used?

Cryptography I, Dan Boneh

Rd-1

Rd
fd

Ld-1

n-bits

R0

Ld

output

DES

n-bits

L0

L1

f2

f1

R1

R2
L2

Rd-1

Rd
fd

Ld-1

n-bits

R0

input

Ld
output

Claim: for all f1, , fd: {0,1}n {0,1} Feistel network F: {0,1}2n {0,1}2n is
invertible.
Proof: construct inverse

Li-1

fi

Ri-1

Ri
Li

inverse

Ri

Ri-1 = Li

fi

Ri-1

Li-1Li = fi(Li) Ri Li-1

Cryptography I, Dan Boneh

DES

main operation of DES

f-Function inputs: Ri-1 and round key
ki
4 Steps:

1.Expansion E
2.XOR with round key
3.S-box substitution
4.Permutation

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

1.Expansion E
main purpose: increases diffusion

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

2.XOR Round Key

Bitwise XOR of the round key and the output of the
expansion function E
Round keys are derived from the main key in the
DES keyschedule (in a few slides)

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

3.S-Box substitution

Eight substitution tables.

6 bits of input, 4 bits of output.
Non-linear and resistant to differential cryptanalysis.
Crucial element for DES security!

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

4.Permutation P
Bitwise permutation.
Introduces diffusion.
Output bits of one S-Box effect several S-Boxes in
next round
Diffusion by E, S-Boxes and P guarantees that after
Round 5 every bit is a function of each key bit and
each plaintext bit.

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

input

k16
IP-1

64 bits

Feistel
network

k2
Feistel
network

IP

k1
Feistel
network

64 bits

key expansion

output

DES

Derives 16 round keys (or subkeys) ki of 48

bits each from the original 56 bit key.

Understanding Cryptography by Christof Paar and Jan Pelzl

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

input

k16
IP-1

64 bits

Feistel
network

k2
Feistel
network

IP

k1
Feistel
network

64 bits

key expansion

output

DES

Permutations are easy to implement in harware, but not in software.

They do not increase the security.
It is not exactly clear why they are part of the standard: it is supposed that thay
would have facilitated implementation in the harware of the 70s.

IP-1

IP
58
60
62
64
57
59
61
63

50
52
54
56
49
51
53
55

42
44
46
48
41
43
45
47

34
36
38
40
33
35
37
39

26
28
30
32
25
27
29
31

18
20
22
24
17
19
21
23

10
12
14
16
9
11
13
15

2
4
6
8
1
3
5
7

DES

Top description:
Two permutations.
Key expansion.
Feistel network.

input
What is left to do?

k16

IP-1

64 bits

Feistel
network

k2
Feistel
network

IP

k1
Feistel
network

64 bits

key expansion

output

DES

Top description:
Two permutations.
Inverse key expansion.
Feistel network.

input

k1
IP-1

64 bits

Feistel
network-1

k15
Feistel
network-1

IP

k16
Feistel
network-1

64 bits

Inverse key
expansion

output

DES

Inverse key schedule:

[C16, D16] =[C0, D0].

k
PC-1
K16

PC-2

Transform 1

K15

PC-2

.
.
.

C16

D16

RS1

RS1

C15

D15

RS2

RS2

.
.
.

.
.
.

RS15 RS15
K1

PC-2

C1

D1

DES

Encryption with Feistel Network:

n-bits

L0

L1

f2

f1

R1

R2
L2

R15

R16
f16

L15

input

n-bits

R0

L16
output

Decryption with Feistel Network:

input

n-bits

R16

R15

f15

f16

L15

L14
R14

L1

L0
f1

R1

n-bits

L16

R0
output

Introduction to block ciphers

DES
On the security of DES
Strengthening DES

On the security of DES

Analytical attacks:

Ciphertext-only attacks.
Known plaintext.
Chosen ciphertext.
Chosen plaintext.

On the security of DES

None until 1990.

In 1990 Eli Biham and Adi Shamir discover differential cryptanalysis => only 247
chosen plaintexts and their corresponding ciphertexts are needed to break k.
In 1993 Mitsuru Matsui discoveres linear cryptanalysis => only 243 chosen
plaintexts and their corresponding ciphertexts are needed to break the cipher.
The attacks mentioned above are difficult to implement => DES is considered secure
from the perspective of analytical attacks.

On the security of DES

The first criticism of DES was that it changed the keylength of the cipher from 128 in
the IBM version to 56.
Definition of brute force attacks (aka exhaustive key search attacks):
Input: at least one pair (m,c)
Output: k, such as c=DES(m,k)
Attack: test all 256 possible keys until fulfilling the condition: 1 , = , = 0, 1, , 256 1.

Theorem:
Suppose DES is an ideal cipher ( 256 random invertible functions), then m, c there is at most one key k
s.t. c = DES(k, m) with prob. 1 1/256 99.5%

Proof:

Union bound

Pr : = , = ,
256

0,1 56 Pr

1
1
=
264 28

, = ,

On the security of DES

Theorem:
Given a block cipher with a key length of k and block size n and t pairs of CT/PT, then the expected
number (or the probability) of false keys is:
2k-tn

On the security of DES

History of attacks:
In 1977 it was (under-)estimated that it would cost only $20.000.000.
In 1993 Michael Wiener proposed a design that would cost $1.000.000 and find the key in 1,5 days.
In 1998 Electronic Frontier Foundation built a hardware machine, Deep crack, that broke the key in 15
days and cost $250.000.
In 2006 Universities of Bochum and Kiel, in Germany, build COPACABANA(120 FPGAs), that breaks DES in
less than 7 days for around $10.000.

Introduction to block ciphers

DES
On the security of DES
Strengthening DES

On the security of DES

In some situations we wish to increase the security of block ciphers, e.g., if a cipher
such as DES is available in hardware or software for legacy reasons in a given
application.
Two approaches are possible
Multiple encryption
theoretically much more secure, but sometimes in practice increases the security very little
Key whitening

On the security of DES

The main problem of DES is the length of the key.

If we double encrypt the keylength doubles:
m

Assuming a key length of k bits, an exhaustive key search would require 2k2k = 22k
encryptions or decryptions.

On the security of DES

A Meet-in-the-Middle attack requires 2k+2k = 2k+1 operations!

Phase I: for the given (x1, y1) the left encryption is brute-forced for all kL,i, i=1,2, ..., 2k
and a lookup table with 2k entry (each n+k bits wide) is computed
the lookup table should be ordered by the result of the encryption (zL,i)
Phase II: the right encryption is brute-forced (using decryption) and for each zR,I it is
checked whether zR,i is equal to any zL,i value in the table of the first phase

Computational Complexity
Number of encryptions and decryptions 2k+2k = 2k+1
Number of storage locations: 2k

Double encryption is not much more secure then single

encryption!

On the security of DES

Triple encryption using DES is often used in practice to extend the effective key length
of DES to 112.
m

= (3, 2, 1, )
Alternative version:
= (3, 1 2, 1, )
Advantage: choosing k1=k2= k3 performs single encryption.

No practical attack known today.

Used in many legacy applications, i.e., in banking systems.

On the security of DES

Makes block ciphers such as DES much more resistant against brute-force attacks.

k1

DES
k2

k3

= 3 (2, 1 ))
key-len = 64+56+64 = 184 bits
but easy attack in time 264+56 = 2120
It does not strengthen block ciphers against most analytical attacks such as linear and
differential cryptanalysis => It is not a cure for inherently weak ciphers.
The additional computational load is negligible.

Introduction to block ciphers

DES
On the security of DES
Strengthening DES