Modern Cryptography• 1977: Data Encryption Standard (DES) adopted

by the U.S. Federal Information Processing for encrypting unclassified information

• 1976: Diffie and Hellman, introduced the revolutionary concept of public-key cryptography. Security is based on the intractability of the discrete logarithm problem

• 1978: Rivest, Shamir, and Adleman (RSA), perhaps the most well-known scheme; security is based on the the intractability of factoring large integers.

Simplified DES• Encryption

Takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit of cipher.

• DecryptionTakes an 8-bit block of cipher and the same 10-bit key as input and produces an 8-bit of original plaintext.

• Both substitution and transposition operations are used

• It is a complex, multi-phase algorithm

Five Functions of Simplified DES

• IP: Initial permutation• fk: Key-dependent scrambler (Mangler(complex)

function))– Use a 8-bit key – Perform both permutation and substitution

• SW ( simple permutation function) – Swap the two halves of data

• fk again (different key) • IP-1: Inverse permutation

S-DES AlgorithmWe can concisely express the encryotio algorithm as a

composition of functin: IP-1 ° fk2°

SW ° fk1

° IP

OR AS: • Cipher = IP-1(fk2

(SW(fk1(IP(plaintext)))))

• K1 = P8(Shift(P10(key)))

• K2 = P8(Shift(Shift(P10(key))))

• Plaintext = IP-1(fk1(SW(fk2

(IP(ciphertext)))))

Key Generation

Key Generation

10-Bit Key: Make up by sender

P10: Permutation 10 (Constant)

P8: Permutation 8 (Constant)

1 0 1 0 0 0 0 0 1 0

3 5 2 7 4 10 1 9 8 6

6 3 7 4 8 5 10 9

Example of Key GenerationBit Position 1 2 3 4 5 6 7 8 9 1010-bit key 1 0 1 0 0 0 0 0 1 0P10 3 5 2 7 4 10 1 9 8 6split 1 0 0 0 0 0 1 1 0 0LS-1 0 0 0 0 1 1 1 0 0 0P8 6 3 7 4 8 5 10 9K1 1 0 1 0 0 1 0 0

LS-2 0 0 1 0 0 0 0 0 1 1P8 6 3 7 4 8 5 10 9K2 0 1 0 0 0 0 1 1

Encryption

8-Bit Plaintext: Make up by sender

IP: Initial Permutation (constant)

IP-1: Inversed Permutation (constant)

1 1 1 1 0 0 1 1

2 6 3 1 4 8 5 7

4 1 3 5 7 2 8 6

Encryption

S0 Box (constant) S1 Box (constant)

E/P: Expansion/Permutation Rule (constant)

P4: Permutation 4 (constant)4 1 2 3 2 3 4 1

1 0 3 23 2 1 00 2 1 33 1 3 2

0 1 2 32 0 1 33 0 1 02 1 0 3

2 4 3 1

Example of Encryption

X:8-bit Plaintext 1 1 1 1 0 0 1 1IP8: Initial permutation vector 2 6 3 1 4 8 5 7Permutation of X 1 0 1 1 1 1 0 1Splitting into L0,R0 1 0 1 1 1 1 0 1E/P 8: Expansion permutation of R0 4 1 2 3 2 3 4 1EP(0): Expanded R0 1 1 1 0 1 0 1 1K1: Key 1 1 0 1 0 0 1 0 0EP(R0) xor K1 0 1 0 0 1 1 1 1

Example of Encryption

EP(R0) xor K1 0 1 0 0 1 1 1 1Re-arrange in 2X4 matrix 0 1 0 0

1 1 1 1

Mapping values from S0 and S1 Box 1 0 3 2 0 1 2 33 2 1 0 2 0 1 30 2 1 3 3 0 1 03 1 3 2 2 1 0 3

Subtitute with S box entry 1 1 1 1P4: Permutation 4 2 4 3 1F(R0,SK1) 1 1 1 1

Example of Encryption

F(R0,SK1) 1 1 1 1L0 1 0 1 1L0 xor F(R0,SK1) 0 1 0 0f1,R0 0 1 0 0 1 1 0 1Switch: L1,R1 1 1 0 1 0 1 0 0

Fk again

L1,R1 1 1 0 1 0 1 0 0E/P 8: Expanded permutation 4 1 2 3 2 3 4 1Expanded permutation of R1 0 0 1 0 1 0 0 0K2: Key 2 0 1 0 0 0 0 1 1E/P(R1) xor K2 0 1 1 0 1 0 1 1

Fk again

Re-arrange in 2X4 matrix 0 1 1 01 0 1 1

S0 and S1 Box 1 0 3 2 0 1 2 33 2 1 0 2 0 1 30 2 1 3 3 0 1 03 1 3 2 2 1 0 3

Output of S boxes 1 0 0 1P4 2 4 3 1F(R1,SK2) 0 1 0 1

Fk again

F(R1,SK2) 0 1 0 1L1 1 1 0 1L1 xor F(R1,SK2) 1 0 0 0f2,R1 ->L2, R2 1 0 0 0 0 1 0 0IP-1 4 1 3 5 7 2 8 6Ciphertext 0 1 0 0 0 0 0 1

Data Encryption Standard (DES)

• National Bureau of Standards and Technology (NIST) adopted DES in 1977 based on LUCIFER developed by IBM.

• DES has flourished and is widely used, especially in financial application.

• Text length: 64 bits. Thus the plaintext is divide into 64-bit blocks.

• The key is 64 bit long. However, the bit positions 8, 16,….,64 are parity of the previous 7 bits. Hence, the key is really a 56 bit long binary string.

From S-DES to DESEncryption Scheme

• S-DESIP-1 o fk2

o SW o fk1 o IP

• DESIP-1 o fk16

o SW o fk15 o SW.....

o SW o fk1

o IP

From S-DES to DESkey

• S-DES– 10-bit key is used– From which two 8-bit keys are calculated

• DES– 56-bit key is used– From which 16 48-bit keys are calculated

From S-DES to DESData block

• S-DES– Each block is 8 bits– Each half is 4 bits

• DES– Each block is 64 bits– Each half is 32 bits

From S-DES to DESexpansion of right half

• S-DES– 4-bit right half is expanded to 8 bits– After xor with the key, it is arranged into 2X4

matrix• DES

– 32-bit right half is expanded to 48 bits– After xor with the key, it is arranged into 8X6

matrix

From S-DES to DESS box

• S-DES– Use 1st and 4th bit for row, 2nd and 3rd bit for column– There are 2 S Boxes, each is 4 X 4– Entries in S box are 0 - 3

• DES– Use 1st and 6th bit for row, 2nd thru 6th bit for column– There are 8 S Boxes, each is 4 X 16– Entries in S box are 0 - 15

DES: Key generation for each round (key schedule)

1. The parity bits are stripped away.2. The bits are permuted by PC-13. Result is split in to left half (Ci) and right half (Di)

(i: round of calculation)4. Left shift Ci and Di separately. Left shift by one

position if i=1, 2, 9, or 16; otherwise shift by 25. Combine the two halves after shifting and permute

by PC-2. The result is sub key i (48 bits)6. Use result of (4) as input for next sub key

Key Permuted Choice 1

PC-1: Permutation of 56 bits

Key Permuted Choice 2

PC-2: Permutation of 48 bits

The following bits are discarded9 18 22 25 35 38 43 54

Key Shifting

Schedule of left shift

DES – Permutation Function• Before first rounds, the plaintext bits are permuted

using an initial permutation. IP

• Hence, at the end of the 16 rounds the inverse permutation is applied. IP-1

Data Encryption Standard

• The algorithm has 16 rounds. Each round has the following architecture:

Li and Ri are 32-bit long

Details of Single Round

Mangler Function F(R,K)

DES: Expansion Function

• The 32 bits of Ri are permuted and 16 of them are repeated twice to obtain a 48 bit string.

DES: S Boxes.

• S blocks takes in as input 6-bit arguments and outputs four bits.

• This is the substitution part of the cipher.

DES – Input to S Boxes1 2 3 4 5 6 Row Column

1 1 1 0 0 1 0 2 92 1 0 0 1 1 1 3 33 0 1 1 1 1 0 0 154 1 1 1 1 0 1 3 145 0 1 0 0 0 0 0 86 0 0 0 1 0 1 1 27 0 1 1 0 0 0 0 128 1 1 0 1 0 1 3 10

DES: S Boxes (1-4)

DES: S Boxes (5-8)

DES – Output of S BoxesRow Column S Box Entry 1 2 3 4

2 9 12 1 1 0 03 3 1 0 0 0 10 15 8 1 0 0 03 14 2 0 0 1 00 8 8 1 0 0 01 2 4 0 1 0 00 12 5 0 1 0 13 10 9 1 0 0 1

DES – Permutation 32

• After substitution, the function output is now 32 bits and it goes through a fixed permutation.

DES – After Permutation 32

0 0 0 01 0 1 11 1 0 10 0 0 01 1 0 01 0 0 10 0 0 01 0 0 0

Output of Mangler function

1. The 32-bit output of Mangler function is xor with the original left half.

2. Result of (1) is the right half (R1)

3. Original right half becomes new left half (L1)

4. Concatenation of L1 and R1 is input to round 2

Cipher Text

• Repeat for another 15 rounds• Apply permutation IP-1 at the end of 16th

round.• Use the same algorithm for decryption,

except the sub keys are used in reversed order. (k16 for round 1, key15 for round 2, etc....)

DES Reviewed

An initial permutation is applied to the plain text. The result is split into two halves (L0,R0). We apply a function and call it a round:L1=R0, R1=L0f(R0,K0)From the initial key K we derive subkeys: Ki (basically shifts of the initial key).

Mangler Function ReviewedA is the 32 bit input, J is the 48 bit subkey. E is a trivial expansion of the input to 48 bits (bits 4,5 are repeated, bits 8,9 are repeated, bits 12,13 are repeated… and there is a circular shift of 1 bit to the right.The S-Boxes map 6 bits onto 4, finally a permutation is applied.

The Avalanche Effect of DES1 bit of Plaintext is changed 1 bit of Key is changed

RoundNumber of Bits

that differsNumber of Bits

that differs0 1 01 6 22 21 143 35 284 39 325 34 306 32 327 31 358 29 349 42 4010 44 3811 32 3112 30 3313 30 2814 26 2615 29 3416 34 35

The Strength/Weakness of DES• Number of possible keys = 256

• Which is equivalent to 7.2 X 1016

• On Average half the key space has to be searched

• Estimated single machine brute-force search

Key serch machine cost Expected search time$100,000 35 hours

$1,000,000 3.5 hours$10,000,000 21 minutes

The Strength/Weakness of DES• Parallel computing and improvement in

computing power makes DES breakable.• Downside of brute-force search: if plaintext

is compressed or is a numeric file, it is difficult to recognize. Some knowledge about plaintext is needed.

DES: Comments• The security of the system depends on the number of

rounds. For example, if the number of rounds is 8 then DES can be broken quite easily by differential cryptanalysis.

• 56 bit keys have become easier to break by exhaustive search. That is if you have one single copy of a plaintext and the corresponding cipher state, then one can try all possible keys before a match occurs.

• Modified DES (e.g., triple DES) protocols are used.• DES will be replaced Advanced Encryption System

(AES).

AES• As DES is getting very old, NIST began a public

process to choose a new cipher to be called AES (Advanced Encryption Standard).

• AES algorithms should have 3 key sizes: 128, 192, 256 bits, and operate on block sizes of 128 bits.

• The algorithm would be selected by choosing the fastest cipher,

• Additional considerations are memory requirements, suitability to smart cards, etc…

• In 1999, the finalist were announced....

Five Finalist for AESAugust, 1999

• MARS—developed by IBM• RC6™—developed by RSA Laboratories• Rijndael—developed by Joan Daemen and

Vincent Rijmen of Belgium• Serpent—developed by Ross Anderson, Eli Biham

and Lars Knudsen of the United Kingdom, Israel and Norway respectively

• Twofish—developed by Bruce Schneier, etc.In 2000, the winner was decided ........

AES Winner: Rijndael• Designed by a Belgian group.• Originally had variable block size as well as variable key

size.• For the AES proposal, only the 128 bit block variant was

used.• The number of rounds depends on the key size, 9 round for

128 bits, 11 for 192 bits, 13 for 256 bits.• Rijndael was the fastest cipher which was not shown to

have obvious weaknesses.• Some features of Rijndael’s design are considered to be

novel, which in cryptography, is not always good.

Security of Rijndael

• Rijndael is a new cipher, so there are limited results, but so far the news is good.

• The use of matrix multiplication is unique and untested by time. Some controversy has been raised about this.

• Rijndael had the lowest memory requirements and the fastest encryption of all the five finalists.