18 block ciphers implemented slides

Introduction Substitution-permutation networks Feistel Networks The Data Encryption Standard

New Kid on the BlockPractical Construction of Block Ciphers

Foundations of CryptographyComputer Science Department

Wellesley College

Fall 2016


Table of contents

Introduction

Substitution-permutation networks

Feistel Networks

The Data Encryption Standard


Block ciphers

• Recall that block cipher is ane�cient, keyed permutationF : {0, 1}n ⇥ {0, 1}` ! {0, 1}`.

• That is, Fk(x)def= F (k , x) is a

bijection and both it and itsinversion F

�1

k are e�cientlycomputable for all k .

• Here n is the key length and ` isblock length.

*Both the key and block lengths are constant, so we are living in the world of

concrete rather than asymptotic security.


Security requirements for block ciphers

Remark. Concrete security requirements are quite stringent. A blockcipher is generally considered “good” if the best known attack (withoutpreprocessing) has time complexity equivalent to a brute-force attack forthe key. Recall

Definition 3.28. Let F : {0, 1}⇤ ⇥ {0, 1}⇤ ! {0, 1}⇤ an e�cient keyedpermutation. We say that F is a strong pseudorandom permutation if forall probabilistic polynomial-time distinguishers D, there exists a negligiblefunction negl such that:

��Pr[DFk (·),F�1

k (·)(1n) = 1]� Pr[D f (·),f �1

(·)(1n) = 1]�� negl(n),

where k {0, 1}n is chosen uniformly at random and f is chosenuniformly at random from the set of permutations mapping n-bit stringsto n-bit strings.

Remark. Block ciphers are designed (at the very least) to behave as(strong) pseudorandom permutations.


Twin goals of modern encryption

•Confusion: Make the statical relationship between theciphertext and the key value as complex as possible.

•di↵usion: Dissipate the statistical structure of the plaintextthroughout the ciphertext.

• A Substitution-Permutation Network SPN) attempts both;substitution for confusion and permutation for di↵usion.

*Both ideas and promotion of substitution-permutation networks are due to

Claude Shannon.


A single round of a substitution-permutation network

• We fix a public “substitutionfunction” S called an S-box, andlet the key k define the functionf (x) = S(k � x).

• For example, suppose SPN has a64-bit clock length based on acollection of 8-bit S-boxes,S

1

, . . . , S8

:

1. Key mixing: Set x := x � k .2. Substitution: Set

x := S

1

(x1

) k . . . k S8

(x8

),where xi is the ith byte of x .

3. Permutation: Permute thebits of x to obtain the outputof round.


The full substitution-permutation network

• The output of each round isfed as input to the nextround.

• After the last round there isa final key-mixing step(x := x � k).*

• Di↵erent round keys areused in each round whichare derived from the actualor master key according to akey schedule.

*Since we assume the S-boxes and the mixing permutations are public, without

this final key-mixing the last substitution and permutations steps would be

useless.


Substitution-permutation networks are invertible

Proposition 6.3 Let F be a keyedfunction defined by an SPN inwhich the S-boxes are allpermutations. Then regardlessofthe key schedule and number ofrounds, Fk is a permutation forany k .

Proof. We show that given the

output of the SPN and the key, it

is possible to invert any single

round. The mixing permutation is

clearly invertible and all the

S-box are permutations, so these

too can be inverted. The result is

then XORed with the appropriate

sub-key to obtain the input.


The avalanche e↵ect

The avalanche e↵ect: A smallchange in either the plaintext orthe key produces a significantchange in the ciphertext.One way to induce the avalanchee↵ect in a SPN is to ensure:

1. The S-boxes are designed sothat changing a single inputbit changes at least two bits

in the output.

2. The mixing permutationsare designed so that the theoutput bits an any S-box areused as input to multiple

S-boxes in the next round.

(a) Two plaintexts di↵er by one bit (all

zeros and a one followed by 63 zeros.)

(b) The two keys also di↵er by just one

bit.


How this works in practice

• Suppose 8-bit S-boxes andand the mixing permutationsare chosen as above for a128-bit block size SPN.

• Now consider two inputsthat di↵er by a single bit.


LUCIFER

• In the early 1970s, HorstFeistel developed a sequenceof fixed transpositions andkey-dependent, multipartitenon-linear substitutions(LUCIFER) that produced athorough amalgamation.

• In this simplified illustrationof LUCIFER we see a plaintext input of a single 1 andfourteen 0s transformed bythe non-linear S-boxes intoan avalance of eleven 1s.

• Feistel was successfulenough to upset the NSA.


Attacking a one-round substitution-permutation network

• Suppose the SPN F consistsof a single full round and nofinal key-mixing.

• An adversary can easily learnthe secret key k given only asingle input/output pair(x , y = Fk(y)). How?


Attacking a one-round substitution-permutation networkwith key-mixing

The attacker fixes a pair, (x , y) could simple try all 64-bit possibilities forsecond-round mixing key, k

2

, then use above attack to construct 264candidate keysk

1

k k2

. Additional pairs narrow the fieldBut the attacker can do better:

1. First enumerate over all possiblefirst bytes of k

2

.

2. Then XOR each with of these withthe first byte of y to obtaincandidates for the outputs of thefirst S-box.

3. Backing each of these up throughthe first S-box, the adversary has256 candidates for the the first bitof x � k

1

and hence 256 candidatesfor the first byte of k

1

.


Feistel: An alternative to substitution-permutationnetworks

• A Feistel network gives a way toconstruct invertible functions fromnon-invertible components.

• The goal is a block cipher that hasan “unstructured” behavior”*.Requiring all components to beinvertible inherently introducesstructure.

• Like SPNs, Feistel networks operatein a series of rounds each with akeyed round function constructedfrom S-boxes and permutations.

*So it looks random.


Feistel round functions

• The ith round function, f̂i takes asinput a sub-key ki and an `/2-bitstring and outputs an `/2-bitstring.

• A master key k determines a seriesof round keys ki . The roundfunction fi : {0, 1}`/2 ! {0, 1}`/2 is

defined by fi (R)def= f̂i (ki ,R).

• The output of the ith round(Li ,Ri ) is

Li := Ri�1

and Ri := Li�1

�fi (Ri�1

).

*So it looks random.


Feistel networks are invertible

Proposition 6.4. Let F be akeyed function defined by aFeistel network. Then regardlessof the round functions {f̂i} andthe number of rounds, Fk is ane�ciently invertible permutationfor all k .Proof. We need only show thateach round is invertible if the {fi}are known.Given (Li ,Ri ), we first computeRi�1

:= Li . Then compute

Li�1

= Ri � fiRi � 1).


The return of LUCIFER

• LUCIFER was redesign as a 16round Feistel network on 128-bitblocks and 128-bit keys and wassubmitted by IBM as a candidatefor the Data Encryption Standard.

• It became DES after the NationalSecurity Agency reduced its blocksize to 64 bits and its key size to56 bits* and was adopted as theFederal Information ProcessingStandard for the US in 1977.

• Believe it or not, it remains in wideuse today in its triple-DESincarnation.

*Which means that it is now vulnerable to brute-force attacks.


The Data Encryption Standard

• DES is a 16-round Feistel networkwith a block length of 64 bits anda key length of 56 bits.

• The same function, f̂ called theDES mangler function, is used forall 16 rounds.

• It takes a 48-bit round key derivedfrom the 56-bit master using arelatively simple key schedule.

• We give a high-level overview ofthe main components of DES. Ahomework exercise is available forthose interested in more details.


The DES mangler function

• Computation of f̂ (ki ,R) withki 2 {0, 1}48 and R 2 {0, 1}32begins by duplicating half the bitsof R to obtain R

0 := E (R), E theexpansion function.

• The expanded R

0 is XORed with k

and the resulting value is dividedinto 8 6-bit-blocks. Each block ispassed through a di↵erent S-box.*

• Finally a mixing permutation isapplied to the bits and it o↵ to thenext round.

*The S-boxes are publicly known, but unlike our previous SPNs, they are not

invertible.


The DES mangler function

• The eight S-boxes at the core ofthe mangler function were verycarefully designed. Even slightmodification would make DESmore vulnerable to attack.*

• The resulting mangler functionensures the DES exhibits a strongavalanche e↵ect. In fact, theavalanche example above was fromDES.

*The Feistel version of LUCIFER was susceptible to di↵erential cryptanalysis;

for about half the keys, the cipher could be broken with 236 chosen plaintexts

and 236 time complexity. This is one of the reasons NSA redesigned them.


Time to worry: Security of DES

• After 30 years of intensive study, the best known practical attack onDES is exhaustive search.* However, a 56-bit key isn’t very big.

• A second concern is the relatively short bock length of DES. Theproof of security for CTR mode (Theorem 3.32) show that evenwhen a completely random function is used an attacker can break itwith probability 2q2/2` if it obtains q plaintext/ciphertext pairs.

*In your homework you get the chance to investigate some theoretical attack,

but these require a large number of input/output pairs which would be di�cult

to obtain.


Double encryption

• Let F be a block cipher withan n-bit key length and `-bitblock length. Define a newblock cipher with a keylength of 2n by

F

0k1

,k2

(x)def= Fk

2

(Fk1

(x)).

• For the case where F isDES, we obtain a cipher F 0

call 2DES that takes a112-bit key. Exhaustivesearch is now out of reach.


Meet in the middle attackSay adversary is given a singleinput/output pair (x , y), wherey = F

0k⇤1

,k⇤2

(x) = Fk⇤2

(Fk⇤1

(x)) forunknown k

⇤1

, k⇤2

.

1. For each k

1

2 {0, 1}n computez := Fk

1

(x) and store (z , k1

) in listL.

2. For each k

2

2 {0, 1}n computez := F

�1

k2

(x) and store (z , k2

) inlist L0.

3. Entries (z1

, k1

) 2 L and(z

2

, k2

) 2 L

0 are a match if z1

= z

2

.

The attack takes O(n · 2n) time and requires space O((n + `) · 2n) spaceand finds pairs (k

1

, k2

) with

Fk1

(x) = F

�1

k2

(y).


Triple DES with two keys

• An obvious counter to themeet-in-the-middle attack is to usethree stages of encryption withthree di↵erent keys.

• As an alternative, Tuchmanproposed a triple encryption usingonly two keys

y = Fk1

(F�1

k2 (Fk1

(x))).

• Triple-DES’s relatively small blocklength and the fact that is slowsince it requires 3 full block-cipheroperations, led to its replacementby the Advanced Encryption

Standard.

Documents

18 block ciphers implemented slides