Topic 1.2
Symmetric encryption – Block ciphers
Douglas Stebila
CO 487/687: Applied Cryptography
Fall 2022
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
01
Map of cryptographic primitives
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
2
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
3
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
4
Stream ciphers
key
keystream generator
keystream
plaintext
⊕
ciphertext
A stream cipher is a symmetric-key encryption scheme in which each successive character
of plaintext determines a single character of ciphertext.
Examples:
• Substitution cipher
• Vigenère cipher
• One-time pad
• Enigma
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
5
Block ciphers
A block cipher is a symmetric-key encryption
scheme in which a fixed-length block of
plaintext determines an equal-sized block of
ciphertext.
Examples:
• DES
• AES
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
6
Some Desirable Properties of Block Ciphers
Design principles described by Claude Shannon in 1949:
• Security:
• Diffusion: each ciphertext bit should depend on all plaintext bits.
• Confusion: the relationship between key and ciphertext bits should be complicated.
• Key length: should be small, but large enough to preclude exhaustive key search.
• Efficiency:
• Simplicity (easier to implement and analyze).
• High encryption and decryption rate.
• Suitability for hardware or software.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
7
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
8
The Advanced Encryption Standard (AES)
• www.nist.gov/aes
• Sept. 1997: Call issued for AES candidate algorithms.
• Requirements:
•
•
•
•
Key sizes: 128, 192 and 256 bits.
Block size: 128 bits.
Efficient on both hardware and software platforms.
Availability on a worldwide, non-exclusive, royalty-free basis.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
9
The AES Standardization Process
• Aug. 1998: 15 submissions in Round 1.
• Aug. 1999: NIST selects five finalists:
• MARS, RC6, Rijndael, Serpent, Twofish.
• 1999: NSA performs a hardware efficiency comparison.
• Oct. 2, 2000: Rijndael is selected.
• Dec. 2001: The AES standard is officially adopted (FIPS 197).
• Rijndael is an iterated block cipher, based on a substitution-permutation network
design.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
10
Substitution-Permutation Networks
plaintext
k1
S
A substitution-permutation network (SPN) is
a multiple-round iterated block cipher where
each round consists of a substitution
operation followed by a permutation
operation.
S
S
S
Round 1
k2
S
S
S
S
Round 2
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
11
Advanced Encryption Standard
• AES is an SPN where the “permutation” operation consists of two linear
transformations (one of which is a permutation).
• All operations are byte oriented.
• The block size of AES is 128 bits.
• Each round key is 128 bits.
• A key schedule is used to generate the round keys.
• AES accepts three different key lengths. The number of rounds depends on the key
length:
key length
128
192
256
CO 487/687 Fall 2022
number of rounds h
10
12
14
1.2: Symmetric encryption – Block ciphers
12
General structure of the cipher
As with the previous ciphers we have studied:
• The substitution operation (S-box) is the only non-linear component of the cipher.
• The permutation operations (permutation and linear transformation) spread out the
non-linearities in each round.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
13
AES Round Operations
• Each round updates a variable called State which consists of a 4 × 4 array of bytes
(note: 4 · 4 · 8 = 128, the block size).
• State is initialized with the 128-bit plaintext:
a0,0
a1,0
a2,0
a3,0
a0,1
a1,1
a2,1
a3,1
a0,2
a1,2
a2,2
a3,2
a0,3
a1,3
a2,3
a3,3
←−
plaintext
• After h rounds are completed, one final additional round key is XOR-ed with State to
produce the ciphertext (key whitening).
• The AES round function uses four operations:
• AddRoundKey (key mixing)
• SubBytes (S-box)
• ShiftRows (permutation)
• 2022
MixColumns (matrix multiplication
/ linear
transformation)
CO 487/687 Fall
1.2: Symmetric
encryption
– Block ciphers
14
Add Round Key
Bitwise-XOR each byte of State with the corresponding byte of the round key.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
15
Substitute Bytes
Take each byte in State and replace it with the output of the S-box.
S : {0, 1}8 → {0, 1}8 is a fixed and public function.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
16
The AES S-box
00
10
20
30
40
50
60
70
80
90
a0
b0
c0
d0
e0
f0
CO 487/687 Fall 2022
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
63
ca
b7
04
09
53
d0
51
cd
60
e0
e7
ba
70
e1
8c
7c
82
fd
c7
83
d1
ef
a3
0c
81
32
c8
78
3e
f8
a1
77
c9
93
23
2c
00
aa
40
13
4f
3a
37
25
b5
98
89
7b
7d
26
c3
1a
ed
fb
8f
ec
dc
0a
6d
2e
66
11
0d
f2
fa
36
18
1b
20
43
92
5f
22
49
8d
1c
48
69
bf
6b
59
3f
96
6e
fc
4d
9d
97
2a
06
d5
a6
03
d9
e6
6f
47
f7
05
5a
b1
33
38
44
90
24
4e
b4
f6
8e
42
c5
f0
cc
9a
a0
5b
85
f5
17
88
5c
a9
c6
0e
94
68
30
ad
34
07
52
6a
45
bc
c4
46
c2
6c
e8
61
9b
41
01
d4
a5
12
3b
cb
f9
b6
a7
ee
d3
56
dd
35
1e
99
67
a2
e5
80
d6
be
02
da
7e
b8
ac
f4
74
57
87
2d
2b
af
f1
e2
b3
39
7f
21
3d
14
62
ea
1f
b9
e9
0f
fe
9c
71
eb
29
4a
50
10
64
de
91
65
4b
86
ce
b0
d7
a4
d8
27
e3
4c
3c
ff
5d
5e
95
7a
bd
c1
55
54
ab
72
31
b2
2f
58
9f
f3
19
0b
e4
ae
8b
1d
28
bb
76
c0
15
75
84
cf
a8
d2
73
db
79
08
8a
9e
df
16
1.2: Symmetric encryption – Block ciphers
17
Shift Rows
Permute the bytes of State by applying a cyclic shift to each row.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
18
Mix Columns
This step is the most mathematically complicated step in the algorithm.
  
2
b0
b  1
 1 
 =
 b2   1
3
b3
CO 487/687 Fall 2022
3
2
1
1
1
3
2
1
  
a0
1


1   a1 

· 
3   a2 
a3
2
1.2: Symmetric encryption – Block ciphers
19
Mix Columns (as a bit operation)
  
b0
2
b  1
 1 
 =
b2  1
b3
3
•
•
•
•
3
2
1
1
1
3
2
1
   

1
a0
2a0 + 3a1 + 1a2 + 1a3

  
1
 a1  1a0 + 2a1 + 3a2 + 1a3 
· =

3 a2  1a0 + 1a1 + 2a2 + 3a3 
2
a3
3a0 + 1a1 + 1a2 + 2a3
Each ai and bi is a byte. Regard bytes as 8-bit arrays.
Each addition operation is a bitwise exclusive or.
Multiplication by 1 is the identity.
Multiplication by 2 is the following operation:
• If the left-most bit is 0, then perform a cyclic left shift
(e.g. 01100111 7→ 11001110)
• If the left-most bit is 1, then discard the 1, insert a 0 on the right, and XOR with 0x1b =
00011011
(e.g. 11001110 7→ 10011100 ⊕ 00011011
= 10000111)
CO 487/687 Fall 2022
1.2: Symmetric
encryption – Block ciphers
20
Mix Columns (as a matrix operation)
  
b0
2
b  1
 1 
 =
b2  1
b3
3
3
2
1
1
1
3
2
1

   
1
a0
2a0 + 3a1 + 1a2 + 1a3
  

1
 a1  1a0 + 2a1 + 3a2 + 1a3 

· =
3 a2  1a0 + 1a1 + 2a2 + 3a3 
3a0 + 1a1 + 1a2 + 2a3
2
a3
Alternatively, we can regard MixColumns as a matrix transformation in GF(28 ):
• Regard all bytes as polynomials in the finite field GF(28 ) = F2 [x]/(x8 + x4 + x3 + x + 1).
• Regard all integers in the matrix (1, 2, 3) as bytes via their binary representations (e.g.
3 = 00000011 = x + 1).
• Perform all additions and multiplications in the finite field GF(28 ).
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
21
Mix Columns (as a polynomial operation)
  
b0
2
b  1
 1 
 =
b2  1
b3
3
3
2
1
1
1
3
2
1
   

1
a0
2a0 + 3a1 + 1a2 + 1a3

  
1
 a1  1a0 + 2a1 + 3a2 + 1a3 
· =

3 a2  1a0 + 1a1 + 2a2 + 3a3 
2
a3
3a0 + 1a1 + 1a2 + 2a3
A third alternative is to regard MixColumns as a polynomial multiplication.
• The MixColumns matrix is a cyclic matrix: each row is a rotation of the previous row.
• Multiplication by a cyclic N × N matrix corresponds to polynomial multiplication
modulo XN − 1.
• Regard the column of ai ’s as a polynomial in GF(28 )[X]: a0 + a1 X + a2 X2 + a3 X3
• Modulo X4 − 1, we compute
(02 + 01 · X + 01 · X2 + 03 · X3 ) · (a0 + a1 X + a2 X2 + a3 X3 )
to obtain b0 + b1 X + b2 X2 + b3 X3
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
22
AES Encryption
• From the key k, derive h + 1 round keys k0 , k1 , . . . , kh via the key schedule.
• The encryption function:
State ← plaintext
for i = 1 . . . h − 1 do
State ← State ⊕ ki−1
State ← SubBytes(State)
State ← ShiftRows(State)
State ← MixColumns(State)
State ← State ⊕ kh−1
State ← SubBytes(State)
State ← ShiftRows(State)
State ← State ⊕ kh
ciphertext ← State
• Note that in the final round, MixColumns is not applied.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
23
AES key schedule (for 128-bit keys)
• For 128-bit keys, AES has ten rounds, so
we need eleven subkeys.
• Each ki is a 32-bit word (viewed as a
4-byte array).
• Each group of four ki ’s forms a 128-bit
subkey.
• The first round subkey (k0 , k1 , k2 , k3 )
equals the actual AES key.
http://crypto.stackexchange.com/q/20
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
24
Key schedule core (for 128-bit keys)
The functions fi : {0, 1}32 → {0, 1}32 are defined as follows:
• Left-shift the input cyclically by 8 bits.
• Apply the AES S-box to each byte.
• Bitwise XOR the left-most byte with a constant which varies by round according to the
following table.
• Output the result.
CO 487/687 Fall 2022
Round
constant
Round
constant
1
2
3
4
5
0x01
0x02
0x04
0x08
0x10
6
7
8
9
10
0x20
0x40
0x80
0x1B
0x36
1.2: Symmetric encryption – Block ciphers
25
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
26
Data Encryption Standard (DES)
• 1972: NBS (now NIST: National Institute of Standards and Technology) solicits
proposals for encryption algorithms for the protection of computer data.
• 1974: IBM submits a variant of Lucifer (based on a Feistel network) as a DES candidate.
• 1975: NSA (National Security Agency) (allegedly) “fixes” DES
• Reduces the key size from 64 bits to 56 bits.
“We sent the S-boxes off to Washington. They came back and were all different.”
• 1977: DES adopted as US Federal Information Processing Standard (FIPS 46).
• 1981: DES adopted as a US banking standard (ANSI X3.92).
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
27
Overview of DES
Block cipher with 64-bit blocks, 56-bit key, and 16 rounds of operation.
Plaintext
(64 bits)
Initial permutation
16−round
Feistel
network
Key
Schedule
Key
(56 bits)
Initial permutation−1
Ciphertext
CO 487/687 Fall 2022
(64 bits)
1.2: Symmetric encryption – Block ciphers
28
Cryptanalysis of DES
“DES did more to galvanize the field of cryptanalysis than anything else. Now there
was an algorithm to study.”
—Bruce Schneier
• Brute force attacks (try every key):
•
•
•
•
•
(1977 estimate) $20 million machine to find keys in one day
(1993 estimate) $1 million machine to find keys in 7 hours
(1999) EFF DES Cracker: $250,000 machine, 4.5 days per key
(2006) COPACOBANA: $10,000 machine, 4.5 days per key
(2012) Cloudcracker.com: $200 and 11.5 hours per key
• Non-brute-force attacks:
• Differential cryptanalysis (Eli Biham & Adi Shamir, 1991): 249 chosen plaintexts
• Linear cryptanalysis (Mitsuru Matsui, 1993): 243 known plaintexts
Basically, DES is (believed to be) secure against everything except brute-force key search.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
29
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
30
The Feistel network design
m
m0
m1
f1
k1
• DES uses a Feistel network design.
m1
• Plaintext is divided into two halves.
m2
• Key is used to generate subkeys k1 , k2 , . . . , kh
f2
m2
m3
mh
mh+1
k2
• fi is a component function whose output value
depends on ki and mi
c
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
31
Feistel Ciphers: A Class of Block Ciphers
Components of a Feistel cipher:
• Parameters: n (half the block length), h (number of rounds), ℓ (key size).
• M = {0, 1}2n , C = {0, 1}2n , K = {0, 1}ℓ .
• A key scheduling algorithm which determines subkeys k1 , k2 , . . . , kh from a key k.
• Each subkey ki defines a component function fi : {0, 1}n → {0, 1}n .
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
32
Components of a Feistel Cipher
Encryption takes h rounds:
• Plaintext is m = (m0 , m1 ), where mi ∈ {0, 1}n .
• Round 1: (m0 , m1 ) 7→ (m1 , m2 ), where m2 = m0 ⊕ f1 (m1 ).
• Round 2: (m1 , m2 ) 7→ (m2 , m3 ), where m3 = m1 ⊕ f2 (m2 ).
..
.
• Round h: (mh−1 , mh ) 7→ (mh , mh+1 ), where mh+1 = mh−1 ⊕ fh (mh ).
• Ciphertext is c = (mh , mh+1 ).
Decryption: Given c = (mh , mh+1 ) and k, to find m = (m0 , m1 ):
• Compute mh−1 = mh+1 ⊕ fh (mh ).
• Similarly, compute mh−2 , . . . , m1 , m0 .
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
33
Feistel Cipher (notes)
• No restrictions on the functions fi in order for the encryption procedure to be
invertible.
• Underlying principle: Take something “simple” and use it several times; hope that the
result is “complicated”
• Implementation:
• Encryption: Only need to implement one round; the same code can be used for each
round.
• Decryption uses the same code as for encryption. (Use subkeys in reverse order.)
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
34
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
35
Overview of DES
Feistel cipher with n = 32, h = 16, ℓ = 56.
Plaintext
(64 bits)
Initial permutation
16−round
Feistel
network
Key
Schedule
Key
(56 bits)
Initial permutation−1
Ciphertext
CO 487/687 Fall 2022
(64 bits)
1.2: Symmetric encryption – Block ciphers
36
Initial permutation
In
Out
1
40
2
8
3
48
4
16
5
56
6
24
7
64
8
32
9
39
10
7
11
47
12
15
13
55
14
23
15
63
16
31
In
Out
17
38
18
6
19
46
20
14
21
54
22
22
23
62
24
30
25
37
26
5
27
45
28
13
29
53
30
21
31
61
32
29
In
Out
33
36
34
4
35
44
36
12
37
52
38
20
39
60
40
28
41
35
42
3
43
43
44
11
45
51
46
19
47
59
48
27
In
Out
49
34
50
2
51
42
52
10
53
50
54
18
55
58
56
26
57
33
58
1
59
41
60
9
61
49
62
17
63
57
64
25
Credit: Wikipedia
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
37
Key scheduling algorithm
Round
number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
CO 487/687 Fall 2022
Left shift each half
by this many bits
1
1
2
2
2
2
2
2
1
2
2
2
2
2
2
1
1.2: Symmetric encryption – Block ciphers
38
Permuted Choice #1
In
Out
1
8
2
16
3
24
4
56
5
52
6
44
7
36
8
9
7
10
15
11
23
12
55
13
51
14
43
15
35
16
In
Out
17
6
18
14
19
22
20
54
21
50
22
42
23
34
24
25
5
26
13
27
21
28
53
29
49
30
41
31
33
32
In
Out
33
4
34
12
35
20
36
28
37
48
38
40
39
32
40
41
3
42
11
43
19
44
27
45
47
46
39
47
31
48
In
Out
49
2
50
10
51
18
52
26
53
46
54
38
55
30
56
57
1
58
9
59
17
60
25
61
45
62
37
63
29
64
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
39
Permuted Choice #2
CO 487/687 Fall 2022
In
Out
1
5
2
24
3
7
4
16
5
6
6
10
7
20
8
18
9
10
12
11
3
12
15
13
23
14
1
In
Out
15
9
16
19
17
2
18
19
14
20
22
21
11
22
23
13
24
4
25
26
17
27
21
28
8
In
Out
29
47
30
31
31
27
32
48
33
35
34
41
35
36
46
37
28
38
39
39
40
32
41
25
42
44
In
Out
43
44
37
45
34
46
43
47
29
48
36
49
38
50
45
51
33
52
26
53
42
54
55
30
56
40
1.2: Symmetric encryption – Block ciphers
40
Structure of the component functions
mi
32 bits
Recall fi : {0, 1}32 → {0, 1}32 .
ki
48 bits
Expansion
table
48 bits
Note: The IP, key scheduling
algorithm, Expansion table,
S-boxes, and Permutation are fixed
and public knowledge.
S1
S2
S3
S4
S5
S6
S7
S8
Permutation
32 bits
fi(mi)
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
41
Expansion table
CO 487/687 Fall 2022
In
Out
1
2, 48
2
3
3
4
4
5, 7
5
6, 8
6
9
7
10
8
11, 13
In
Out
9
12, 14
10
15
11
16
12
17, 19
13
18, 20
14
21
15
22
16
23, 25
In
Out
17
24, 26
18
27
19
28
20
29, 31
21
30, 32
22
33
23
34
24
35, 37
In
Out
25
36, 38
26
39
27
40
28
41, 43
29
42, 44
30
45
31
46
32
1, 47
1.2: Symmetric encryption – Block ciphers
42
Permutation
In
Out
1
9
2
17
3
23
4
31
5
13
6
28
7
2
8
18
9
24
10
16
11
30
12
6
13
26
14
20
15
10
16
1
In
Out
17
8
18
14
19
25
20
3
21
4
22
29
23
11
24
19
25
32
26
12
27
22
28
7
29
5
30
27
31
15
32
21
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
43
DES S-boxes
S1
S2
S3
Columns denote middle four bits of
input. Rows denote outer two bits
of input.
S4
S5
S6
S7
S8
CO 487/687 Fall 2022
0
1
2
3
0
1
2
3
0
1
2
3
0
1
2
3
0
1
2
3
0
1
2
3
0
1
2
3
0
1
2
3
0
14
0
4
15
15
3
0
13
10
13
13
1
7
13
10
3
2
14
4
11
12
10
9
4
4
13
1
6
13
1
7
2
1
4
15
1
12
1
13
14
8
0
7
6
10
13
8
6
15
12
11
2
8
1
15
14
3
11
0
4
11
2
15
11
1
2
13
7
14
8
8
4
7
10
9
0
4
13
14
11
9
0
4
2
1
12
10
4
15
2
2
11
11
13
8
13
4
14
3
1
4
8
2
14
7
11
1
14
9
9
0
3
5
0
6
1
12
11
7
15
2
5
12
14
7
13
8
4
8
1
7
4
2
14
13
4
6
15
10
3
6
3
8
6
0
6
12
10
7
4
10
1
9
7
2
9
15
4
12
1
6
10
9
4
1.2: Symmetric encryption – Block ciphers
5
15
2
6
9
11
2
4
15
3
4
15
9
6
15
11
1
10
7
13
14
2
12
8
5
0
9
3
4
15
3
12
10
6
11
13
2
1
3
8
13
4
15
6
3
8
9
0
7
13
11
13
7
2
6
9
12
15
8
1
7
10
11
7
14
8
7
8
1
11
7
4
14
1
2
5
10
0
7
10
3
13
8
6
1
8
13
8
5
3
10
13
10
14
7
1
4
2
13
8
3
10
15
5
9
12
5
11
1
2
11
4
1
4
15
9
8
5
15
6
0
6
7
11
3
14
10
9
10
12
0
15
9
10
6
12
11
7
0
8
6
13
8
1
15
2
7
1
4
5
0
9
15
13
1
0
14
12
3
15
5
9
5
6
12
10
6
12
9
3
2
1
12
7
12
5
2
14
8
2
3
5
3
15
12
0
3
13
4
1
9
5
6
0
3
6
10
9
11
12
11
7
14
13
10
6
12
7
14
12
3
5
12
14
11
15
10
5
9
4
14
10
7
7
12
8
15
14
11
13
0
12
5
9
3
10
12
6
9
0
11
12
5
11
11
1
5
12
13
3
6
10
14
0
1
6
5
2
0
14
5
0
15
3
13
9
5
10
0
0
9
3
5
4
11
10
5
12
10
2
7
0
9
3
4
7
11
13
0
10
15
5
2
0
14
3
5
14
0
3
5
6
5
11
2
14
2
15
14
2
4
14
8
2
14
8
0
5
5
3
11
8
6
8
9
3
12
9
5
6
15
7
8
0
13
10
5
15
9
8
1
7
12
15
9
4
14
9
6
14
3
11
8
6
13
1
6
2
12
7
2
8
11
44
DES S-boxes
Substitution-boxes or S-boxes (S1 , S2 , S3 , S4 , S5 , S6 , S7 , S8 ):
• Each S-box is a function taking six input bits and producing four output bits.
• S-boxes are the only components of DES that are non-linear. (Without the S-boxes,
changing one plaintext bit would change very few ciphertext bits.)
• Security of DES crucially depends on their choice.
• DES with randomly selected S-boxes is easy to break.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
45
Performance
Speed benchmarks for software implementation on an Intel Core i9 2.9 GHz six-core Coffee
Lake (8950HK) using OpenSSL 1.1.1c
SKES
RC4
ChaCha20
DES
3DES
AES (software)
AES (AES-NI)
CO 487/687 Fall 2022
Block length
(bits)
—
—
64
64
128
128
Key length
(bits)
128
256
56
(112)
128
128
Speed
(Mbytes/sec)
647
1497
101
38
185
1647
1.2: Symmetric encryption – Block ciphers
46
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
47
DES Problem 1: Small Key Size
• Exhaustive search on key space takes 256 steps and can be easily parallelized.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
48
Quick response question
Suppose you have one million (220 ) computers,
each of which runs at 2 GHz (i.e., 231 ) operations
per second second. Suppose it takes 215 cycles to
do one block of DES encryption. How long would
it take to do an exhaustive key search on DES’s
56-bit keys?
CO 487/687 Fall 2022
https://pollev.com/douglasstebila928
1.2: Symmetric encryption – Block ciphers
49
DES Problem 1: Small Key Size
• Exhaustive search on key space takes 256 steps and can be easily parallelized.
• DES challenges from RSA Security (3 known PT/CT pairs):
The unknown message is: ????????
• June 1997: Broken by Internet search (3 months).
• July 1998: Broken in 3 days by DeepCrack machine (1800 chips; $250,000).
• Jan 1999: Broken in 22 hrs, 15 min (DeepCrack + http://distributed.net).
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
50
DES Problem 2: Small Block Size
• If plaintext blocks are distributed “uniformly at random”, then the expected number
of ciphertext blocks observed before a collision occurs is ≈ 232 (by the birthday
paradox).
• Hence the ciphertext reveals some information about the plaintext.
• Small block length is also damaging to some authentication applications (more on
this later).
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
51
Sophisticated Attacks on DES
Differential cryptanalysis [Biham & Shamir 1989]:
• Recovers key given 247 chosen plaintext/ciphertext pairs.
• DES was designed to resist this attack.
• Differential cryptanalysis has been more effective on some other block ciphers.
Linear cryptanalysis [Matsui 1993]:
• Recovers key given 243 known plaintext/ciphertext pairs.
• Storing these pairs takes 131,000 Gbytes.
• Implemented in 1993: 10 days on 12 machines.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
52
Outline
Overview of block ciphers
Advanced Encryption Standard (AES)
Data Encryption Standard (DES)
Feistel networks
Construction of DES
Problems with DES
Trying to save DES: Multiple encryption
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
53
Mitigating short keys: encrypt multiple times
• Multiple encryption: Re-encrypt the ciphertext one or more times using independent
keys, and hope that this operation increases the effective key length.
• Multiple encryption does not always increase security.
• Example: If Eπ denotes the simple substitution cipher with key π, then is Eπ1 ◦ Eπ2 any
more secure than Eπ ?
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
54
Double encryption
• Double-DES. Key is k = (k1 , k2 ), k1 , k2 ∈R {0, 1}56 .
• Encryption: c = Ek2 (Ek1 (m)).
(E = DES encryption, E−1 = DES decryption)
m
k1
k2
DES
DES
c
−1
• Decryption: m = E−1
k1 (Ek2 (c)).
• Key size of Double-DES is ℓ = 112, so exhaustive key search takes 2112 steps
(infeasible).
• Note: Block length is unchanged.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
55
Attack on Double-DES
Main idea: If c = Ek2 (Ek1 (m)), then E−1
k2 (c) = Ek1 (m). (Meet-in-the-middle)
1. Given: Known plaintext pairs (mi , ci ), i = 1, 2, 3, . . .
2. For each h2 ∈ {0, 1}56 :
−1
2.1 Compute E−1
h2 (c1 ), and store [Eh2 (c1 ), h2 ] in a table.
3. For each h1 ∈ {0, 1}56 do the following:
3.1 Compute Eh1 (m1 ).
3.2 Search for Eh1 (m1 ) in the table.
3.3 If Eh1 (m1 ) = E−1
h2 (c1 ):
• Check if Eh1 (m2 ) = E−1
h2 (c2 )
• Check if Eh1 (m3 ) = E−1
h2 (c3 )
..
.
If all checks pass, then output (h1 , h2 ) and STOP.
Complexity of the attack is ≈ 257 .
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
56
Analyzing the meet-in-the-middle attack
• Number of known plaintext/ciphertext pairs required to avoid false keys: 2 suffice,
with high probability
• Number of DES operations is ≈ 256 + 256 + 2 · 248 ≈ 257 .
• We are not counting the time to do the sorting and searching
• Space requirements: 256 (64 + 56) bits ≈ 1, 080, 863 Tbytes.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
57
More details on attack cost
∼
m1
256
keys
256
264
∼
∼ 248
256
264
256
keys
c1
• Approximately 248 keys h1 encrypting m1 yield intermediate ciphertext equal to a
decryption of c1 under some key h2 .
• But with high probability Eh1 (m2 ) 6= Eh2 (c2 )
• So we have to do ∼ 248 DES operations for checking next pair
• In total 256 + 256 + ∼ 248 DES operations
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
58
Meet-in-the-middle attack with key size = block size = λ
∼
m1
2λ
2λ
2λ
keys
∼
∼ 2λ
2λ
2λ
2λ
keys
c1
• Approximately 2λ keys h1 encrypting m1 yield intermediate ciphertext equal to a
decryption of c1 under some key h2 .
• But with high probability Eh1 (m2 ) 6= Eh2 (c2 )
• So we have to do ∼ 2λ DES operations for checking next pair
• In total 2λ + 2λ + ∼ 2λ DES operations
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
59
Analyzing the meet-in-the-middle attack
Time-memory tradeoff. [Exercise] The attack can be modified to decrease the storage
requirements at the expense of time:
• Time: 256+s steps; memory: 256−s units, 1 ≤ s ≤ 55.
Conclusions:
• Double-DES has the same effective key length as DES.
• Double-DES is not much more secure than DES.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
60
Three-key Triple encryption
• Triple-DES. Key is k = (k1 , k2 , k3 ), k1 , k2 , k3 ∈R {0, 1}56 .
• Encryption: c = Ek3 (Ek2 (Ek1 (m))).
(E = DES encryption, E−1 = DES decryption)
m
k1
k2
k3
DES
DES
DES
c
−1
−1
• Decryption: m = E−1
k1 (Ek2 (Ek3 (c))).
• Key length of Triple-DES is ℓ = 168, so exhaustive key search takes 2168 steps
(infeasible).
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
61
Three-key Triple DES
• Meet-in-the-middle attack takes ≈ 2112 steps. [Exercise]
• So, the effective key length of Triple-DES against exhaustive key search is ≤ 112 bits.
• No proof that Triple-DES is more secure than DES.
• Note: Block length is 64 bits, and now forms the weak link:
• Adversary stores a large table (of size ≤ 264 ) of (m, c) pairs (dictionary attack).
• To prevent this attack: change secret keys frequently.
• Triple-DES is widely deployed.
CO 487/687 Fall 2022
1.2: Symmetric encryption – Block ciphers
62
Some variants
EDE Triple-DES: for backward compatibility with DES
m
k1
k2
DES
DES
DES
k1
k2
k1
DES
DES
k3
−1
c
Two-key Triple-DES:
m
CO 487/687 Fall 2022
−1
1.2: Symmetric encryption – Block ciphers
DES
c
63