Slide1
Block ciphers
The data encryption standard (DES)
Online Cryptography Course
Dan Boneh
Slide2
Block ciphers: crypto work horse
[Diagram: E, D map an n-bit PT block to an n-bit CT block under a k-bit key]
Canonical examples:
3DES: n = 64 bits, k = 168 bits
AES: n = 128 bits, k = 128, 192, 256 bits
Slide3
Block Ciphers Built by Iteration
[Diagram: key k → key expansion → round keys $k_1, k_2, k_3, \ldots, k_n$; m → $R(k_1, \cdot)$ → $R(k_2, \cdot)$ → $R(k_3, \cdot)$ → ⋯ → $R(k_n, \cdot)$ → c]
R(k,m) is called a round function
for 3DES (n=48), for AES-128 (n=10)
Slide4
The Data Encryption Standard (DES)
Early 1970s: Horst Feistel designs Lucifer at IBM
    key-len = 128 bits ; block-len = 128 bits
1973: NBS asks for block cipher proposals. IBM submits variant of Lucifer.
1976: NBS adopts DES as a federal standard
    key-len = 56 bits ; block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce
Slide5
DES: core idea – Feistel Network
Given functions $f_1, \ldots, f_d: \{0,1\}^n \to \{0,1\}^n$
Goal: build invertible function $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$
In symbols:
[Diagram: d-round Feistel network. The input is two n-bit halves $(R_0, L_0)$; round $i$ takes $(R_{i-1}, L_{i-1})$ to $(R_i, L_i)$ using $f_i$ and ⊕; the output is $(R_d, L_d)$]
Slide6
Claim: for all $f_1, \ldots, f_d: \{0,1\}^n \to \{0,1\}^n$
Feistel network $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible
Proof: construct inverse
[Diagram: round $i$ takes $(R_{i-1}, L_{i-1})$ to $(R_i, L_i)$ using $f_i$ and ⊕]
inverse: $R_{i-1} = L_i$, $L_{i-1} = f_i(L_i) \oplus R_i$
[Diagram: d-round Feistel network from input $(R_0, L_0)$, two n-bit halves, to output $(R_d, L_d)$]
Slide7
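Claim: for all $f_1, \ldots, f_d: \{0,1\}^n \to \{0,1\}^n$
Feistel network $F: \{0,1\}^{2n} \to \{0,1\}^{2n}$ is invertible
Proof: construct inverse
[Diagram: round $i$ takes $(R_{i-1}, L_{i-1})$ to $(R_i, L_i)$ using $f_i$ and ⊕; the inverse round takes $(R_i, L_i)$ back to $(R_{i-1}, L_{i-1})$ using the same $f_i$ and ⊕]
[Diagram: d-round Feistel network from input $(R_0, L_0)$, two n-bit halves, to output $(R_d, L_d)$]
Slide8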
Decryption circuit
[Diagram: inverse network. The input is two n-bit halves $(R_d, L_d)$; the rounds apply $f_d, f_{d-1}, \ldots, f_1$ with ⊕, passing through $(R_{d-1}, L_{d-1})$, $(R_{d-2}, L_{d-2})$, …, $(R_1, L_1)$; the output is $(R_0, L_0)$]
Inversion is basically the same circuit, with $f_1, \ldots, f_d$ applied in reverse order
General method for building invertible functions (block ciphers) from arbitrary functions.
Used in many block ciphers … but not AES
Slide9
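“Thm:” (Luby-Rackoff ’85):
$f: K \times \{0,1\}^n \to \{0,1\}^n$ a secure PRF
⇒ 3-round Feistel $F: K^3 \times \{0,1\}^{2n} \to \{0,1\}^{2n}$ a secure PRP
[Diagram: 3-round Feistel network from input $(R_0, L_0)$ through $(R_1, L_1)$ and $(R_2, L_2)$ to output $(R_3, L_3)$, with f and ⊕ in each round]
Slide10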
DES: 16 round Feistel network
$f_1, \ldots, f_{16}: \{0,1\}^{32} \to \{0,1\}^{32}$, $f_i(x) = F(k_i, x)$
[Diagram: 64-bit input → IP → 16 round Feistel network → $IP^{-1}$ → 64-bit output; key expansion derives $k_1, k_2, \ldots, k_{16}$ from the key k]
To invert, use keys in reverse order
Slide11
The function $F(k_i, x)$
S-box: function $\{0,1\}^6 \to \{0,1\}^4$, implemented as look-up table.
Slide12
The S-boxes
$S_i: \{0,1\}^6 \to \{0,1\}^4$
Slide13
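Example: a bad S-box choice
Suppose:
$S_i(x_1, x_2, \ldots, x_6) = (x_2 \oplus x_3,\; x_1 \oplus x_4 \oplus x_5,\; x_1 \oplus x_6,\; x_2 \oplus x_3 \oplus x_6)$
or written equivalently: $S_i(x) = A_i \cdot x \pmod 2$
$$
\begin{pmatrix} 0&1&1&0&0&0 \\ 1&0&0&1&1&0 \\ 1&0&0&0&0&1 \\ 0&1&1&0&0&1 \end{pmatrix}
\cdot
\begin{pmatrix} x_1 \\ x_2 \\ x_3 \\ x_4 \\ x_5 \\ x_6 \end{pmatrix}
=
\begin{pmatrix} x_2 \oplus x_3 \\ x_1 \oplus x_4 \oplus x_5 \\ x_1 \oplus x_6 \\ x_2 \oplus x_3 \oplus x_6 \end{pmatrix}
$$
We say that $S_i$ is a linear function.
Slide14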
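Example: a bad S-box choice
Then entire DES cipher would be linear: ∃ fixed binary matrix B (64 rows, 832 columns) s.t.
$$
\mathrm{DES}(k,m) = B \cdot \begin{pmatrix} m \\ k_1 \\ k_2 \\ \vdots \\ k_{16} \end{pmatrix} = c \pmod 2
$$
But then: $\mathrm{DES}(k,m_1) \oplus \mathrm{DES}(k,m_2) \oplus \mathrm{DES}(k,m_3) = \mathrm{DES}(k, m_1 \oplus m_2 \oplus m_3)$
$$
B \begin{pmatrix} m_1 \\ k \end{pmatrix} \oplus B \begin{pmatrix} m_2 \\ k \end{pmatrix} \oplus B \begin{pmatrix} m_3 \\ k \end{pmatrix} = B \begin{pmatrix} m_1 \oplus m_2 \oplus m_3 \\ k \oplus k \oplus k \end{pmatrix}
$$
Slide15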
Choosing the S-boxes and P-box
Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after ≈ $2^{24}$ outputs) [BS’89]
Several rules used in choice of S and P boxes:
No output bit should be close to a linear func. of the input bits
S-boxes are 4-to-1 maps
⋮
Slide16
End of Segment
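
The Feistel inversion claim and the bad (linear) S-box argument from the slides above, as an added Python example that is not part of the original slides. It builds a 16-round network with the round relations given in the inverse proof, then checks the three-message XOR relation for a linear and a nonlinear round function. Both round functions, the round keys and the message blocks are constructed for illustration; neither round function is DES's F.

```python
import hashlib

N = 32                       # half-block width in bits (DES halves are 32 bits)
MASK = (1 << N) - 1

def feistel(fs, left, right):
    """Forward network: L_i = R_{i-1}, R_i = f_i(R_{i-1}) xor L_{i-1}."""
    for f in fs:
        left, right = right, f(right) ^ left
    return left, right

def feistel_inv(fs, left, right):
    """Inverse: R_{i-1} = L_i, L_{i-1} = f_i(L_i) xor R_i, rounds in reverse."""
    for f in reversed(fs):
        left, right = f(left) ^ right, left
    return left, right

def hash_round(key):
    """Nonlinear f_i that need not be invertible: truncated SHA-256 (toy choice)."""
    def f(x):
        data = key.to_bytes(4, "big") + x.to_bytes(4, "big")
        return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return f

def linear_round(key):
    """f_i(x) = A*x xor k_i over GF(2): only rotate, shift and XOR (toy choice)."""
    def f(x):
        return (((x << 7) | (x >> (N - 7))) & MASK) ^ (x >> 3) ^ key
    return f

def round_trip(make_round, keys, msg):
    """True if inverting the network recovers the (L, R) input block."""
    fs = [make_round(k) for k in keys]
    return feistel_inv(fs, *feistel(fs, *msg)) == msg

def xor3_holds(make_round, keys, msgs):
    """True if E(k,m1) xor E(k,m2) xor E(k,m3) == E(k, m1 xor m2 xor m3)."""
    fs = [make_round(k) for k in keys]
    xor = lambda blocks: tuple(a ^ b ^ c for a, b, c in zip(*blocks))
    return xor([feistel(fs, *m) for m in msgs]) == feistel(fs, *xor(msgs))

# Constructed sample data: 16 round keys and three 64-bit blocks as (L, R) halves.
KEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(16)]
MSGS = [(0x01234567, 0x89ABCDEF), (0xDEADBEEF, 0x0BADF00D), (0x13579BDF, 0x2468ACE0)]

if __name__ == "__main__":
    for rf in (hash_round, linear_round):
        print(rf.__name__, round_trip(rf, KEYS, MSGS[0]), xor3_holds(rf, KEYS, MSGS))
```

Both networks invert correctly, but only the linear one satisfies the XOR relation, which lets anyone tell it apart from a random permutation without knowing the key.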