Now Midterm is on March 1 Final Exam is Monday May 1 7 PM Location Right here 1 Harry Hagrid Cryptography CS 555 Topic 17 DES 3DES 2 Recap Goals for This Week Practical Constructions of Symmetric Key Primitives ID: 916058
Download Presentation The PPT/PDF document "Course Business Homework 2 Due" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Course Business
Homework 2 Due NowMidterm is on March 1Final Exam is Monday, May 1 (7 PM) Location: Right here
1
Harry
Hagrid
Slide2Cryptography
CS 555Topic 17: DES, 3DES2
Slide3Recap
Goals for This Week:Practical Constructions of Symmetric Key PrimitivesLast Class: Block CiphersToday’s Goals: DES/3DES
Data Encryption Standard
3
Slide4Feistel Networks
Alternative to Substitution Permutation NetworksAdvantage: underlying functions need not be invertible, but the result is still a permutation
4
Slide5L
i+1 = RiRi+1
≔L
(
Ri)
Proposition: the function is invertible.
5
Slide6Data Encryption Standard
Developed in 1970s by IBM (with help from NSA)Adopted in 1977 as Federal Information Processing Standard (US)Data Encryption Standard (DES): 16-round Feistel Network. Key Length: 56 bits
Vulnerable to brute-force attacks in modern times1.5 hours at 14 trillion keys/second (e.g., Antminer
S9)6
Slide7DES Round
7
Slide8DES Mangle Function
Expand E: 32-bit input
48-bit output (duplicates 16 bits)S-boxes: S
1,…,S8
Input: 6-bitsOutput: 4 bits
Not a permutation!4-to-1 functionExactly four inputs mapped to each possible output
8
Slide9Mangle Function
9
32 bit input
48-bit sub key
48 bit output of expand
XOR block before
Applying S-Boxes
Each S-box outputs 4 bits
Slide10S-Box Representation as Table
00
01
10
11
0000
0001
0010
0011
0100
0101
0110
S(x)=1101
….
….
….
….
….
1111
10
x =
1
0110
1
S(x) = Table[
0110
,
11
]
4 columns (
2 bits
)
16 columns (
4 bits
)
Slide11S-Box Representation
00
01
10
11
0000
0001
0010
0011
0100
0101
0110
S(x)=1101
….
….
….
….
….
1111
11
x =
1
0110
1
S(x) = T[
0110
,
11
]
4 columns (
2 bits
)
16 columns (
4 bits
)
Each column is permutation
Slide12Pseudorandom Permutation Requirements
Consider a truly random permutation
Let inputs x and x’ differ on a single bit
We expect outputs F(x) and F(x’) to differ on approximately half of their bits F(x) and F(x’) should be (essentially) independent.
A pseudorandom permutation must exhibit the same behavior!Requirement: DES Avalanche Effect!
12
Slide13DES Avalanche Effect
Permutation the end of the mangle function helps to mix bitsSpecial S-box property #1Let x and x’ differ on one bit then Si(x) differs from S
i(x’) on two bits.
13
Slide14Avalanche Effect Example
Consider two 64 bit inputs(Ln,Rn) and (L
n’,R’n=
Rn)Ln and L
n’ differ on one bitThis is worst case exampleLn+1 = Ln+1’=R
nBut now R’n+1 and Rn+1 differ on one bit
Even if we are unlucky E(R’n+1) and E(Rn+1) differ on 1 bit
Rn+2 and R’n+2
differ on two bits Ln+2 = R’
n+1 and Ln+2’ = R’n+1 differ in one bit
14
Slide15Avalanche Effect Example
R
n+2 and R’n+2
differ on two bitsL
n+2 = Rn+1 and Ln+2’ =
R’n+1 differ in one bit
Rn+3 and R’n+3
differ on four bits since we have different inputs to two of the S-boxesL
n+3 = R’n+2 and Ln+2’ = R’
n+2 now differ on
two bitsSeven rounds we expect all 32 bits in right half to be “affected” by input change
…DES has sixteen rounds
15
Slide16Attack on One-Round DES
Given input output pair (x,y)y=(L1,R1)
X=(L0,R0)
Note: R0=L1Note: R1
=L0
where f is the Mangling Function with key k
1
Conclusion:
16
Slide17Attack on One-Round DES
17
Four possible inputs
Trivial to Recover
Slide18Attack on Two-Round DES
Output y =(L2,R2)Note:
Also,
Thus,
So we can still attack the first round key k1 as before as
and
are known
Note:
Also,
and
Thus
,
So we can
attack
the
second
round key
k2
as before as
and
are known
18
Slide19Attack on Three-Round DES
We
know all of the values
,
and
.
Leads to attack in time
2
n/2
(See details in textbook)
Remember that DES is 16 rounds
19
Slide20DES Security
Best Known attack is brute-force 256Except under unrealistic conditions (e.g., 243 known plaintexts)Brute force is not too difficult on modern hardware
Attack can be accelerated further after precomputationOutput is a few terabytesSubsequently keys are cracked in 2
38 DES evaluations (minutes) Precomputation costs amortize over number of DES keys cracked
Even in 1970 there were objections to the short key length for DES20
Slide21Double DES
Let Fk(x) denote the DES block cipherA new block cipher F’ with a key
of length 2n can be defined by
Can you think of an attack better than brute-force?
21
Slide22Meet in the Middle Attack
Goal
: Given (x,
) try to find secret key
k in time and space
.
Solution?
See
Homework
1
22
Slide23Triple DES Variant 1
Let Fk(x) denote the DES block cipherA new block cipher F’ with a key
of length 2n can be defined by
Meet-in-the-Middle Attack Requires time
and space
23
Slide24Triple DES Variant 1
Let Fk(x) denote the DES block cipherA new block cipher F’ with a key
of length 2n can be defined by
Meet-in-the-Middle Attack Requires time
and space
24
Allows backward compatibility with DES by setting k
1
=k
2
=k
3
Slide25Triple DES Variant 2
Let Fk(x) denote the DES block cipherA new block cipher F’ with a key
of length 2n can be defined by
Meet-in-the-Middle Attack still requires time
and space
Key length is still just 112 bits (128 bits is recommended)
25
Just two keys!
Slide26Triple DES Variant 1
Standardized in 1999
Still widely used, but it is relatively slow (three block cipher operations)
Current gold standard: AES
26
Slide27Next Class
Read Katz and Lindell 6.2.5-6.3AES & Differential Cryptanalysis + Hash Functions27