“Feistel and Coppersmith rule: Sixteen rounds and one hell of an avalanche.”

-- Stephan Eisvogel in de.comp.security

Block ciphers:
DES and AES

- basics
- operation of DES
- cryptanalysis of DES
- multiple encryption and the 3DES
- AES

Block cipher basics

Block ciphers

• an n bit block cipher is a function E: {0,1}^n × {0,1}^k → {0,1}^n, such that for each K ∈ {0,1}^k, E(X, K) = E_K(X) is an invertible mapping from {0,1}^n to {0,1}^n
• the inverse of E_K(X) is denoted by D_K(Y), where Y = E_K(X)
• two other views:
  [Figure: (1) a box E with an n bit input, a k bit key and an n bit output; (2) the set of possible plaintexts mapped onto the set of possible ciphertexts by the permutation defined by K, and by a different permutation defined by K’]

© Levente Buttyán
Trade-offs in block size

• attacks based on small block size
  – text dictionary attack
    • plaintext-ciphertext pairs become known for a fixed key
    • the “larger” the dictionary, the greater the chance of locating a random ciphertext in it
    • if n is small, then it is feasible to build “large” dictionaries
  – matching ciphertext attacks
    • if a dictionary of size about 2^(n/2) has been created, and about 2^(n/2) ciphertexts are subsequently given, then one expects to locate a ciphertext in the dictionary with high probability (birthday paradox)
  → larger block size is more secure
• disadvantages of large block size
  – more costly to implement (in terms of gates or low level instructions)

Exhaustive key search and key size

• given a small number of plaintext-ciphertext pairs encrypted under a key K, K can be recovered by exhaustive key search with 2^(k-1) processing complexity (expected number of operations)
  – input: (X, Y), (X’, Y’), …
  – progress through the entire key space
    • for each trial key K’, decrypt Y
    • if the result is not X, then throw away K’
    • if the result is X, then check the other pairs (X’, Y’), …
    • if K’ does not work for at least one pair, then throw away K’
  – if K’ worked for all pairs (X, Y), (X’, Y’), …, then output K’ as the target key
  – on average, the target key is found after searching half of the key space
• if the plaintexts are known to contain redundancy, then ciphertext-only exhaustive key search is possible with a relatively small number of ciphertexts
How to build a “strong” block cipher?

• a complex encryption function can be built by composing several simple operations which offer complementary – but individually insufficient – protection
• simple operations:
  – elementary arithmetic operations
  – logical operations (e.g., XOR)
  – modular multiplication
  – transpositions
  – substitutions
  – etc.
• let’s combine two or more transformations in a manner that the resulting cipher is more secure than the individual components

Example: SP networks

• an SP (substitution-permutation) network is a product cipher composed of stages each involving key controlled substitutions (non-linear look-up tables) and permutations
  [Figure: the input X passes through r stages; in each stage the round key (K_1, …, K_r) is mixed in, a layer of parallel S-boxes S is applied, and a permutation P reorders the bits; the output of the last stage is Y]
Block ciphers / DES

DES – Data Encryption Standard

• input size: 64
• output size: 64
• key size: 56
• 16 rounds
• Feistel structure
  [Figure: the 64-bit input X goes through the Initial Permutation and is split into two 32-bit halves; 16 rounds follow, each XORing one half with F applied to the other half and a 48-bit round key (K_1, …, K_16 are produced from the 56-bit key K by the key scheduler); the halves are recombined and the inverse Initial Permutation gives the 64-bit output Y]

DES round function F

  [Figure: the 48-bit expanded half-block is XORed with the 48-bit round key (key injection); the result is split into eight 6-bit groups fed to the S-boxes S1, S2, …, S8, and their 4-bit outputs are concatenated and permuted by P]
  – S_i – substitution box (S-box)
  – P – permutation box (P-box)
DES key scheduler

  [Figure: the 56-bit key K passes through Permuted Choice 1 and is split into two 28-bit halves; in each round both halves are rotated (left shift(s)) and Permuted Choice 2 selects 48 bits from them to form the round key (K_1, K_2, …)]
• each key bit is used in around 14 out of 16 rounds

Feistel structure illustrated

  [Figure: the same r-round Feistel network drawn as a “twisted ladder” and as an “untwisted ladder”: starting from (L_0, R_0), round i XORs L_{i-1} with F(R_{i-1}, K_i) and swaps the halves, ending with (L_r, R_r) after round r with key K_r]
Properties of Feistel ciphers

• round i maps (L_{i-1}, R_{i-1}) into (L_i, R_i) as follows:
  L_i = R_{i-1}
  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• a Feistel cipher is always invertible even if F is not invertible:
  R_{i-1} = L_i
  L_{i-1} = R_i ⊕ F(R_{i-1}, K_i) = R_i ⊕ F(L_i, K_i)
• decryption can be achieved using the same r-round process with the round keys used in reverse order (K_r through K_1)
  [Figure: applying the round with key K_i to (L, R) gives (L ⊕ F(R, K_i), R); applying it again with the same K_i gives back (L, R), because the same F(R, K_i) is XORed in twice]
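Added example (Python, not from the slides): a toy 16-bit Feistel cipher whose round function F is deliberately not invertible. F, the block size and the round keys are constructed for this illustration and have nothing to do with DES; the point is to check the two claims above, that the construction is a bijection on blocks even though F is not, and that decryption is the same round process with the keys reversed.

```python
# Added example, not from the slides: a toy 16-bit Feistel cipher with a
# deliberately NON-invertible round function F (constructed for this
# illustration, unrelated to DES). It shows that the Feistel construction
# is invertible anyway and that decryption is the same r-round process
# with the round keys used in reverse order.

def F(r, k):
    """Toy 8-bit round function (hypothetical). Multiplying by the even
    constant 0x9E and truncating to 8 bits can only produce even values,
    so F(., k) maps 256 inputs onto at most 128 outputs: not invertible."""
    return ((r ^ k) * 0x9E + (k >> 3)) & 0xFF

def f_is_invertible(k):
    """True if r -> F(r, k) is a bijection on 8-bit values (it is not)."""
    return len({F(r, k) for r in range(256)}) == 256

def feistel_round(l, r, k):
    """L_i = R_{i-1},  R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    return r, l ^ F(r, k)

def encrypt(block, round_keys):
    l, r = block >> 8, block & 0xFF          # split the 16-bit block in halves
    for k in round_keys:
        l, r = feistel_round(l, r, k)
    return (l << 8) | r

def decrypt(block, round_keys):
    """The same rounds with the keys reversed. The halves are swapped on
    entry and on exit because the forward direction swaps after every
    round, including the last one (the "twisted ladder" drawing)."""
    r, l = block >> 8, block & 0xFF          # swap on entry
    for k in reversed(round_keys):
        l, r = feistel_round(l, r, k)
    return (r << 8) | l                      # swap on exit

def is_permutation(round_keys):
    """Encryption under fixed keys must be a bijection on the 2^16 blocks."""
    return len({encrypt(b, round_keys) for b in range(1 << 16)}) == 1 << 16

if __name__ == "__main__":
    keys = [0x3A, 0xC5, 0x71, 0x0F]          # constructed round keys K_1..K_4
    pt = 0x1234
    ct = encrypt(pt, keys)
    print(f"F invertible? {f_is_invertible(keys[0])}")
    print(f"plaintext {pt:04x} -> ciphertext {ct:04x} -> decrypted {decrypt(ct, keys):04x}")
```

The swap-on-entry/swap-on-exit in decrypt is only needed because the last round here swaps too; with the "untwisted ladder" convention (no swap after the final round) the decryption loop is literally the encryption loop with reversed keys.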

Complementation property of DES

• Y = DES_K(X) implies Y* = DES_K*(X*)
  – where X* denotes the bitwise complement of X
  – in one round, with complemented inputs L_{i-1}*, R_{i-1}* and complemented round key K_i*, the round function output is unchanged:
    E(R*) = E(R)*
    E(R)* ⊕ K* = E(R) ⊕ K
    S(E(R) ⊕ K) is unchanged
    P(S(E(R) ⊕ K)) = F(R, K) is unchanged
  – so the round outputs are the complements L_i*, R_i*
Consequences of the complementation prop.

• assume an attacker can mount a chosen-plaintext attack
• the attacker chooses a plaintext X, and obtains Y1 = DES_K(X) and Y2 = DES_K(X*)
• by the complementation property, the attacker knows that DES_K*(X) = Y2*
• the attacker then runs an exhaustive key search
  – for each trial key K’, he computes Y’ = DES_K’(X)
    • if Y’ = Y1, then K’ is possibly the target key (should be further tested)
    • if Y’ = Y2*, then K’* is possibly the target key (should be further tested)
    • otherwise throw away both K’ and K’*
• expected number of keys required before success is reduced from 2^55 to 2^54
• still impractical as an attack

DES weak keys and semi-weak keys

• a weak key is a key K such that DES_K(DES_K(X)) = X
  – there are 4 DES weak keys:
    0101 0101 0101 0101
    FEFE FEFE FEFE FEFE
    1F1F 1F1F 0E0E 0E0E
    E0E0 E0E0 F1F1 F1F1
• a semi-weak key pair is a pair (K1, K2) such that DES_K1(DES_K2(X)) = X
  – there are 6 pairs of DES semi-weak keys
• why are these keys weak?
  – for each weak key K, there exist 2^32 fix points of DES_K, i.e., plaintexts X such that DES_K(X) = X
  – for 4 out of the 12 semi-weak keys, there exist 2^32 anti-fix points, i.e., plaintexts X such that DES_K(X) = X*
Block ciphers / Cryptanalysis of DES

Linear and differential cryptanalysis of DES

• linear cryptanalysis (LC)
  – linear cryptanalysis is the most powerful attack against DES to date
  – requires an enormous number (~2^43) of known plaintext-ciphertext pairs → infeasible in practical environments
  – could work in a ciphertext only model if plaintexts are redundant (e.g., contain parity bits)
• differential cryptanalysis (DC)
  – most general cryptanalytic tool to date against iterated block ciphers (including DES, FEAL, IDEA)
  – primarily a chosen-plaintext attack
  – in case of DES, it requires ~2^47 chosen plaintext-ciphertext pairs → infeasible in practical environments
• DES was optimized against DC when it was designed
• it can, however, be improved with respect to LC (apparently the designers of DES were not aware of this attack at that time)

The basic idea of DC

• consider a single S-box S_i of DES
• fix an input difference ∆x
• determine the distribution of the output differences
  DDT_Si(∆x, ∆y) = |{ x : S_i(x) ⊕ S_i(x ⊕ ∆x) = ∆y }|
• this distribution will not be uniform!!!
• example: S1 and ∆x = 110100

  ∆y    DDT_S1(∆x, ∆y)    ∆y    DDT_S1(∆x, ∆y)
  0000  0                 1000  6
  0001  8                 1001  0
  0010  16                1010  0
  0011  6                 1011  0
  0100  2                 1100  0
  0101  0                 1101  8
  0110  0                 1110  0
  0111  12                1111  6
The basic idea of DC

• let IN_Si(∆x, ∆y) = { x : S_i(x) ⊕ S_i(x ⊕ ∆x) = ∆y }
  – note: DDT_Si(∆x, ∆y) = |IN_Si(∆x, ∆y)|
• example: S1 and ∆x = 110100

  ∆y    DDT_S1(∆x, ∆y)   IN_S1(∆x, ∆y)
  0000  0                –
  0001  8                000011, 001111, 011110, 011111, 101010, 101011, 110111, 111011
  0010  16               000100, 000101, 001110, 010001, 010010, 010100, 011010, 011011,
                         100000, 100101, 100110, 101110, 101111, 110000, 110001, 111010
  0011  6                000001, 000010, 010101, 100001, 110101, 110110
  0100  2                010011, 100111
  0101  0                –
  0110  0                –
  0111  12               000000, 001000, 001101, 010111, 011000, 011101,
                         100011, 101001, 101100, 110100, 111001, 111100
  1000  6                001001, 001100, 011001, 101101, 111000, 111101
  1001  0                –
  1010  0                –
  1011  0                –
  1100  0                –
  1101  8                000110, 010000, 010110, 011100, 100010, 100100, 101000, 110010
  1110  0                –
  1111  6                000111, 001010, 001011, 110011, 111110, 111111

The basic idea of DC

• there are 64 possible input differences (∆x) and 8 S-boxes → there are 64*8 = 512 such tables
• these can be computed easily with a computer
• assume that x and x’ are input to S_i and the results are y and y’
• assume that we don’t know x, x’, y, and y’, but we know ∆x = x ⊕ x’ and ∆y = y ⊕ y’
• then the possible values of x (and x’) are listed in IN_Si(∆x, ∆y)
  [Figure: S_i with input difference ∆x (= x ⊕ x’) and output difference ∆y (= y ⊕ y’); x, x’ ∈ IN_Si(∆x, ∆y)]
Breaking the round function F

• the differences propagate through the stages E, key addition, S and P of F as follows:
  X, X’                    diff: ∆X = X ⊕ X’
  E(X), E(X’)              diff: E(X) ⊕ E(X’) = E(∆X)
  E(X) ⊕ K, E(X’) ⊕ K      diff: E(X) ⊕ K ⊕ E(X’) ⊕ K = E(∆X)
  P^-1(Y), P^-1(Y’)        diff: P^-1(Y) ⊕ P^-1(Y’) = P^-1(∆Y)   (the S-box outputs)
  Y, Y’                    diff: ∆Y = Y ⊕ Y’
• assume we know X, X’, Y, Y’
• then we know the input and output differences of each S-box
  → if K = K_1 K_2 … K_8, then E(X)_i ⊕ K_i ∈ IN_Si(E(∆X)_i, P^-1(∆Y)_i)
  → K_i ∈ { B ⊕ E(X)_i : B ∈ IN_Si(E(∆X)_i, P^-1(∆Y)_i) } for all i = 1, 2, …, 8

Breaking the round function F

• let T_i(X, X’, ∆Y) = { B ⊕ E(X)_i : B ∈ IN_Si(E(X ⊕ X’)_i, P^-1(∆Y)_i) }
• given a triplet X, X’, ∆Y, we know that K_i ∈ T_i(X, X’, ∆Y) for every i
• if we have J triplets, then we know that for every i
  K_i ∈ ∩_{j=1}^{J} T_i(X^(j), X’^(j), ∆Y^(j))
• only the right value of K_i will appear in every T_i(X^(j), X’^(j), ∆Y^(j))!!!
• keep 64 counters for every K_i (i = 1, 2, …, 8 → 512 counters)
• increment counter v if v ∈ T_i(X^(j), X’^(j), ∆Y^(j)) for some j
• at the end, there will be a single counter v* with value J for every i → K_i = v*
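Added example (Python, not from the slides) serving the two DC slides above: it computes the DDT row of DES S-box S1 for ∆x = 110100 from the table (the S1 table is the standard one), builds the IN_S1 sets, and runs the counter method for one S-box. To keep it to a single S-box the expansion E and the permutation P are left out, so the "key" is the 6 bits XORed into S1's input, which is what the T_i sets reduce to per S-box; the triplets are constructed with a seeded random generator.

```python
# Added example, not from the slides: the differential distribution table
# of DES S-box S1 (the ∆x = 110100 row from the slides) and the counter
# method for recovering the 6 key bits that enter one S-box. To keep the
# example to one S-box, the expansion E and the permutation P of the real
# round function are left out: here the "key" is simply XORed into S1's
# 6-bit input, which is what the slides' T_i sets reduce to per S-box.
import random

# DES S-box S1 (the standard table; row = outer two input bits, column = inner four)
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """6-bit input -> 4-bit output with DES's row/column convention."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def in_set(dx, dy):
    """IN_S1(dx, dy) = { x : S1(x) XOR S1(x XOR dx) = dy }."""
    return {x for x in range(64) if s1(x) ^ s1(x ^ dx) == dy}

def ddt(dx, dy):
    """DDT_S1(dx, dy) = |IN_S1(dx, dy)|."""
    return len(in_set(dx, dy))

def ddt_row(dx):
    """The 16 DDT entries for one input difference dx."""
    return [ddt(dx, dy) for dy in range(16)]

def recover_key(key, triplets=16, seed=1):
    """Simulated attack on one S-box with a secret 6-bit key XORed into
    its input. For each of J triplets (x, x', dy) -- inputs known, output
    difference known -- the candidate set is T = { B XOR x : B in
    IN_S1(x XOR x', dy) }; a counter is incremented for every v in T.
    Returns the candidates whose counter reached J (only the true key
    survives once the triplets use varied input differences)."""
    rng = random.Random(seed)             # constructed sample inputs
    counters = [0] * 64
    done = 0
    while done < triplets:
        x, x2 = rng.randrange(64), rng.randrange(64)
        if x == x2:
            continue                      # dx = 0 gives IN = all 64 values, useless
        dy = s1(x ^ key) ^ s1(x2 ^ key)   # what the attacker gets to see
        for v in {b ^ x for b in in_set(x ^ x2, dy)}:
            counters[v] += 1
        done += 1
    return {v for v in range(64) if counters[v] == triplets}

if __name__ == "__main__":
    print("DDT_S1(110100, .) =", ddt_row(0b110100))
    print("IN_S1(110100, 0100) =", sorted(f"{x:06b}" for x in in_set(0b110100, 0b0100)))
    print("recovered key candidates:", recover_key(0b101101))
```

Note why the input differences must vary between triplets: for one triplet the true key k and k ⊕ ∆x both land in T (IN_S1 is symmetric under x ↦ x ⊕ ∆x), so a fixed ∆x would leave two counters at J; that is the single-S-box view of why the full attack needs pairs with differing E(∆X)_i.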

Breaking the 3-round DES

• consider the round function of the last round:
  X = L_3
  X’ = L_3’
  ∆Y = (R_3 ⊕ L_2) ⊕ (R_3’ ⊕ L_2’)
     = R_3 ⊕ R_3’ ⊕ L_0 ⊕ F(R_0, K_1) ⊕ L_0’ ⊕ F(R_0, K_1)
     = R_3 ⊕ R_3’ ⊕ L_0 ⊕ L_0’
• if we know several (L_0 R_0, R_3 L_3) pairs (such that R_0 is the same for all pairs), then we can determine K_3
• the remaining 8 bits of the key can be determined with exhaustive key search
  [Figure: 3-round Feistel network with inputs (L_0, R_0) and (L_0’, R_0’ = R_0), round keys K_1, K_2, K_3, and outputs (R_3, L_3), (R_3’, L_3’); the last round’s F has inputs X = L_3, X’ = L_3’ and output difference ∆Y]

What about more than 3 rounds?

• consider the round function of the last round:
  X = L_3
  X’ = L_3’
  ∆Y = (R_r ⊕ L_{r-1}) ⊕ (R_r’ ⊕ L_{r-1}’)
     = R_r ⊕ R_r’ ⊕ L_{r-1} ⊕ L_{r-1}’
     = ∆R_r ⊕ ∆L_{r-1} = ?
• it is possible to find difference pairs (∆P, ∆C) such that Pr{ ∆L_{r-1}R_{r-1} = ∆C | ∆L_0R_0 = ∆P } > 2^-n
• algorithm:
  – choose many input pairs with difference ∆P, and ask for their encryption (chosen plaintext attack)
  – for each pair, assume that the difference before the last round is ∆C, and
  – determine the set of possible values for K_r
    • if your assumption was correct, then the right value will surely be in the set of possible values
    • if your assumption was incorrect, then every key appears in the set with uniform probability
  → the right value of K_r will appear most frequently
  [Figure: r-round Feistel network with inputs (L_0, R_0), (L_0’, R_0’), round keys K_1, K_2, …, K_r, the last round’s F inputs X, X’ = L_{r-1}, L_{r-1}’ with output difference ∆Y, and outputs (R_r, L_r), (R_r’, L_r’)]
Preliminaries for LC

• Piling-up lemma:
  Let X_1, X_2, …, X_n be independent random variables, such that X_i ∈ {0, 1} and Pr{X_i = 0} = ½ + q_i. Then
  Pr{X_1 ⊕ X_2 ⊕ … ⊕ X_n = 0} = ½ + 2^(n-1) q_1 q_2 … q_n
  Proof: BOOK, page 60.
• notations:
  ⊕ – bitwise XOR
  ⊗ – binary scalar product: x ⊗ y = x_1 y_1 ⊕ x_2 y_2 ⊕ … ⊕ x_n y_n
• Linear Approximation Table: for an m bit to n bit S-box S, let
  LAT_S(a, b) = |{ x : a ⊗ x = b ⊗ S(x) }| - 2^(m-1)

Linear approximations

• for an S-box S:
  a ⊗ x ⊕ b ⊗ S(x) = 0
  with probability
  2^-m |{ x : a ⊗ x ⊕ b ⊗ S(x) = 0 }| = 2^-m (LAT_S(a, b) + 2^(m-1)) = ½ + 2^-m LAT_S(a, b) = ½ + q
• for an S = (S_1, S_2, …, S_k) S-box layer:
  – assuming that a_i ⊗ x ⊕ b_i ⊗ S_i(x) = 0 with prob. ½ + q_i
  – we have
    A ⊗ X ⊕ B ⊗ S(X) = 0 with prob. ½ + 2^(k-1) q_1 q_2 … q_k = ½ + Q
    where
    A = (a_1 a_2 … a_k)
    B = (b_1 b_2 … b_k)
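Added example (Python, not from the slides) for the piling-up lemma and the LAT of the two slides above: the lemma is checked exactly (with fractions, no floating point) by enumerating every assignment of the independent bits, LAT_S(a, b) and the bias q = 2^-m LAT_S(a, b) are computed for a small S-box, and the layer statement (bias 2 q_1 q_2 for two S-boxes with independent inputs) is verified exhaustively. The 4-bit S-box is a constructed bijection chosen for the example, not a DES table.

```python
# Added example, not from the slides: an exact check of the piling-up
# lemma by enumerating all outcomes, and the linear approximation table
# LAT_S(a, b) of a small 4-bit S-box with the bias q = 2^-m LAT_S(a, b)
# of the approximation a(x)x xor b(x)S(x) = 0. The S-box is a constructed
# 4-bit bijection; any bijective table would serve.
from fractions import Fraction
from itertools import product

def piling_up_formula(biases):
    """Right-hand side of the lemma: 1/2 + 2^(n-1) q_1 q_2 ... q_n."""
    prod = Fraction(1)
    for q in biases:
        prod *= q
    return Fraction(1, 2) + 2 ** (len(biases) - 1) * prod

def xor_zero_probability(biases):
    """Pr{X_1 xor ... xor X_n = 0} by summing, over every assignment of the
    independent bits, the product of Pr{X_i = 0} = 1/2 + q_i (bit 0) or
    Pr{X_i = 1} = 1/2 - q_i (bit 1)."""
    total = Fraction(0)
    for bits in product((0, 1), repeat=len(biases)):
        p = Fraction(1)
        for bit, q in zip(bits, biases):
            p *= (Fraction(1, 2) + q) if bit == 0 else (Fraction(1, 2) - q)
        if sum(bits) % 2 == 0:
            total += p
    return total

M = 4                                           # S-box input bits m
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # constructed 4-bit bijection

def dot(a, x):
    """Binary scalar product a(x)x: parity of the bitwise AND."""
    return bin(a & x).count("1") & 1

def lat(a, b):
    """LAT_S(a, b) = |{ x : a(x)x = b(x)S(x) }| - 2^(m-1)."""
    matches = sum(1 for x in range(1 << M) if dot(a, x) == dot(b, SBOX[x]))
    return matches - (1 << (M - 1))

def approximation_bias(a, b):
    """q such that a(x)x xor b(x)S(x) = 0 holds with probability 1/2 + q."""
    return Fraction(lat(a, b), 1 << M)

def layer_bias(a1, b1, a2, b2):
    """Bias of the combined approximation over a layer of two S-boxes with
    independent inputs x1, x2, computed exhaustively; by the lemma it must
    equal 2 q1 q2."""
    hits = sum(1 for x1 in range(1 << M) for x2 in range(1 << M)
               if (dot(a1, x1) ^ dot(b1, SBOX[x1]) ^ dot(a2, x2) ^ dot(b2, SBOX[x2])) == 0)
    return Fraction(hits, 1 << (2 * M)) - Fraction(1, 2)

def best_approximation():
    """The nonzero input/output masks (a, b) with the largest |LAT_S(a, b)|."""
    return max(((a, b) for a in range(1, 1 << M) for b in range(1, 1 << M)),
               key=lambda ab: abs(lat(*ab)))

if __name__ == "__main__":
    qs = [Fraction(1, 4), Fraction(-1, 8), Fraction(3, 16)]   # constructed biases
    print("enumerated:", xor_zero_probability(qs), " lemma:", piling_up_formula(qs))
    a, b = best_approximation()
    print(f"best masks a={a:04b} b={b:04b}, LAT={lat(a, b)}, q={approximation_bias(a, b)}")
    print("two-box layer bias:", layer_bias(3, 7, 9, 12),
          "= 2*q1*q2:", 2 * approximation_bias(3, 7) * approximation_bias(9, 12))
```

Because the inputs of the two boxes are independent and uniform, layer_bias matches 2 q_1 q_2 exactly, which is the case k = 2 of the slide's ½ + 2^(k-1) q_1 … q_k; the same enumeration with a whole cipher's rounds is where the independence assumption becomes an approximation.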

Linear approximations

• for the round function F:
  X = E ⊗ X’ ⊕ K
  S(X) = P^-1 ⊗ Y’
  – using the approximation of the S-box layer:
    A ⊗ (E ⊗ X’ ⊕ K) ⊕ B ⊗ P^-1 ⊗ Y’ = 0
    (A ⊗ E) ⊗ X’ ⊕ (B ⊗ P^-1) ⊗ Y’ ⊕ A ⊗ K = 0
    A’ ⊗ X’ ⊕ B’ ⊗ Y’ ⊕ G ⊗ K = 0
    with prob. ½ + Q
  [Figure: F with input X’, expansion E, key addition K, S-box layer S, permutation P and output Y’]

Linear approximations

• for the whole cipher:
  – let us assume that for every round i
    A’_i ⊗ X’_i ⊕ B’_i ⊗ Y’_i ⊕ G_i ⊗ K_i = 0 with prob. ½ + Q_i
  – due to the Feistel structure we have
    Y’_i = X’_{i-1} ⊕ X’_{i+1} (i = 2, …, r-1)
    Y’_1 = P_L ⊕ X’_2
  – summing up the first r-1 approximations
    A’_1 ⊗ X’_1 ⊕ B’_1 ⊗ (P_L ⊕ X’_2) ⊕ ⊕_{i=2..r-1} (A’_i ⊗ X’_i ⊕ B’_i ⊗ (X’_{i-1} ⊕ X’_{i+1})) ⊕ ⊕_{i=1..r-1} G_i ⊗ K_i = 0
    with prob. ½ + 2^(r-2) Q_1 Q_2 … Q_{r-1} = ½ + Q
  [Figure: three consecutive rounds i-1, i, i+1 of the Feistel network; the F inputs are X’_{i-1}, X’_i, X’_{i+1}, the F output of round i is Y’_i, and the round keys are K_{i-1}, K_i, K_{i+1}]
Linear approximations

• for the whole cipher (cont’d):
  B’_1 ⊗ P_L ⊕ (A’_1 ⊕ B’_2) ⊗ X’_1 ⊕ ⊕_{i=2..r-2} (B’_{i-1} ⊕ A’_i ⊕ B’_{i+1}) ⊗ X’_i ⊕ (B’_{r-2} ⊕ A’_{r-1}) ⊗ X’_{r-1} ⊕ ⊕_{i=1..r-1} G_i ⊗ K_i = 0
  – assuming that B’_{i-1} ⊕ A’_i ⊕ B’_{i+1} = 0 for all i = 2, …, r-2, and using X’_1 = P_R and X’_{r-1} = C_L ⊕ F(C_R, K_r), we get:
    π ⊗ P ⊕ γ ⊗ C ⊕ φ ⊗ F(C_R, K_r) = κ ⊗ K
    with prob. ½ + Q
  [Figure: the last rounds of the Feistel network; the F input of round r-1 is X’_{r-1}, the last round key is K_r, and the ciphertext halves are C_L, C_R]

Algorithm of LC

• consider a linear approximation
  π ⊗ P ⊕ γ ⊗ C ⊕ φ ⊗ F(C_R, K_r) = κ ⊗ K
  which holds with prob. ½ + Q
• take N plaintext-ciphertext pairs (P, C) (known plaintext attack)
• for every possible value v of K_r
  – compute π ⊗ P ⊕ γ ⊗ C ⊕ φ ⊗ F(C_R, v) for every (P, C) pair
  – let T_v be the number of pairs for which the result is 0
  – if v is the wrong value, then the result is 0 for about half of the pairs → |T_v - N/2| ~ 0
  – if v is the right value, then the result is κ ⊗ K for about N(½ + Q) pairs
    • if κ ⊗ K = 0, then T_v ~ N(½ + Q)
    • if κ ⊗ K = 1, then T_v ~ N(½ - Q)
    • in any case |T_v - N/2| ~ |NQ|
• select the value v* for which |T_v* - N/2| is maximal
• output K_r = v*
Block ciphers / Multiple encryption

Multiple encryption and 3DES

• if a block cipher is susceptible to exhaustive key search (e.g., DES), then encryption of the same message more than once may increase security
  [Figure: double encryption: X → E/D under K1 → M → E/D under K2 → Y; triple encryption: X → E/D under K1 → A → E/D under K2 → B → E/D under K3 → Y]
  – stage keys may not be independent
    • e.g., two-key 3DES: K1 = K3
  – a stage cipher may be either a block cipher or its corresponding decryption function
    • e.g., 3DES-EDE (encryption-decryption-encryption)

DES is not a group

• group property
  – given any two keys K1 and K2, there exists a third key K3, such that DES_K1(DES_K2(X)) = DES_K3(X) for all X
• if DES were a group, then multiple encryption would be equivalent to single encryption → approaches like 3DES to strengthen DES would be useless
Meet-in-the-middle attack on double enc.

• a naïve exhaustive key search attack on double encryption tries all 2^(2k) keys
• a known-plaintext meet-in-the-middle attack defeats double encryption using an order of 2^k operations and 2^k storage
  – attack time is reduced at the cost of substantial space
• meet-in-the-middle attack:
  – input: known plaintext-ciphertext pairs (X, Y), (X’, Y’), …
  – compute M_i = E_i(X) for all possible key values K1 = i and store all (M_i, i) pairs in a table
  – compute M’_j = D_j(Y) for all possible key values K2 = j and check for hits M’_j = M_i against entries in the stored table
    • M’_j need not be stored, it can be checked as it is generated
  – each hit identifies a candidate solution key pair (i, j)
  – using a second plaintext-ciphertext pair (X’, Y’), discard false hits
  – for an L stage cascade of random ciphers, the expected number of false key hits when t plaintext-ciphertext pairs are available is 2^(Lk - tn), where n and k are the block and key sizes, resp.
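Added example (Python, not from the slides) for the exhaustive key search slide and the meet-in-the-middle slide: the generic search procedures are run on a constructed toy cipher with a 16-bit block and a 12-bit key, E_k(x) = P[x ⊕ k] ⊕ k for a fixed seeded random permutation P of the 16-bit values. The toy is only a stand-in that is invertible and not a group under composition; nothing about it is DES. With n = 16, k = 12 and L = 2, the slide's formula predicts about 2^(24-16) = 256 false hits after the first pair, and the second and third pair remove them, at a cost of 2^12 + 2^12 cipher evaluations instead of 2^24.

```python
# Added example, not from the slides: single-key exhaustive search and the
# meet-in-the-middle attack on double encryption, run on a constructed toy
# cipher: 16-bit block, 12-bit key, E_k(x) = P[x xor k] xor k where P is a
# fixed random permutation of the 16-bit values. The cipher is only a
# stand-in (invertible, not a group); the search code is the generic
# procedure from the slides.
import random

BLOCK_BITS, KEY_BITS = 16, 12
N_BLOCK, N_KEY = 1 << BLOCK_BITS, 1 << KEY_BITS

_rng = random.Random(2024)
P = list(range(N_BLOCK))
_rng.shuffle(P)                       # fixed random permutation (constructed)
P_INV = [0] * N_BLOCK
for _x, _y in enumerate(P):
    P_INV[_y] = _x

def enc(x, k):
    return P[x ^ k] ^ k

def dec(y, k):
    return P_INV[y ^ k] ^ k

def double_enc(x, k1, k2):
    return enc(enc(x, k1), k2)

def exhaustive_search(pairs):
    """Single encryption: decrypt Y under every trial key, keep the keys
    that give X and also pass the remaining pairs (2^k trial decryptions)."""
    x0, y0 = pairs[0]
    return [k for k in range(N_KEY)
            if dec(y0, k) == x0 and all(dec(y, k) == x for x, y in pairs[1:])]

def meet_in_the_middle(pairs):
    """Double encryption: 2^k encryptions of X go into a table, the 2^k
    decryptions of Y are checked against it as they are generated, and the
    extra pairs weed out the false hits. Returns (hits after the first
    pair, candidates surviving all pairs)."""
    x0, y0 = pairs[0]
    table = {}
    for i in range(N_KEY):            # M_i = E_i(X), store (M_i, i)
        table.setdefault(enc(x0, i), []).append(i)
    hits = []
    for j in range(N_KEY):            # M'_j = D_j(Y), checked, not stored
        for i in table.get(dec(y0, j), ()):
            hits.append((i, j))
    survivors = [(i, j) for i, j in hits
                 if all(double_enc(x, i, j) == y for x, y in pairs[1:])]
    return hits, survivors

def make_pairs(k1, k2, count, seed=7):
    """Known plaintext-ciphertext pairs under a secret key pair (constructed)."""
    rng = random.Random(seed)
    xs = [rng.randrange(N_BLOCK) for _ in range(count)]
    return [(x, double_enc(x, k1, k2)) for x in xs]

if __name__ == "__main__":
    pairs = make_pairs(0xABC, 0x123, 3)
    hits, survivors = meet_in_the_middle(pairs)
    print(f"hits after 1 pair: {len(hits)} (expected about 2^(Lk-tn) = {2 ** (2 * KEY_BITS - BLOCK_BITS)} false ones)")
    print("survivors after 3 pairs:", [(hex(i), hex(j)) for i, j in survivors])
```

The table holds 2^k entries keyed by M_i; keys that collide on the same M_i are kept in a list, so a hit on the decryption side yields every i that produced that intermediate value, exactly as the slide's "(M_i, i) pairs" phrasing requires.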

Block ciphers / AES (Rijndael)

AES – Advanced Encryption Standard

• NIST selected Rijndael (designed by Joan Daemen and Vincent Rijmen) as a successor of DES (3DES) in November 2001
• Rijndael parameters
  – key size             128   192   256
  – input/output size    128   128   128
  – number of rounds     10    12    14
  – round key size       128   128   128
• not Feistel structure
• decryption algorithm is different from encryption algorithm (optimized for encryption)
• single 8 bit to 8 bit S-box
• key injection (bitwise XOR)
General structure of encryption/decryption

  [Figure: encryption (left) and decryption (right) side by side, both using the same expanded key. Encryption: plaintext → add round key w[0..3] → rounds 1 to 9, each substitute bytes, shift rows, mix columns, add round key (w[4..7] in round 1, …, w[36..39] in round 9) → round 10: substitute bytes, shift rows, add round key w[40..43] → ciphertext. Decryption, read from the ciphertext upward: add round key w[40..43] → rounds 1 to 9, each inverse shift rows, inverse substitute bytes, add round key (w[36..39] down to w[4..7]), inverse mix columns → round 10: inverse shift rows, inverse substitute bytes, add round key w[0..3] → plaintext]

Shift row and mix column

• shift row: row i of the state is rotated left by i positions (LROT1, LROT2, LROT3)
  s00 s01 s02 s03        s00 s01 s02 s03
  s10 s11 s12 s13   →    s11 s12 s13 s10
  s20 s21 s22 s23        s22 s23 s20 s21
  s30 s31 s32 s33        s33 s30 s31 s32
• mix column: the state is multiplied column by column by a fixed matrix
  | 2 3 1 1 |   | s00 s01 s02 s03 |   | s’00 s’01 s’02 s’03 |
  | 1 2 3 1 | × | s10 s11 s12 s13 | = | s’10 s’11 s’12 s’13 |
  | 1 1 2 3 |   | s20 s21 s22 s23 |   | s’20 s’21 s’22 s’23 |
  | 3 1 1 2 |   | s30 s31 s32 s33 |   | s’30 s’31 s’32 s’33 |
  multiplications and additions are performed over GF(2^8)

Key expansion

  [Figure: the 16 key bytes k0 … k15 fill the first four words w0 … w3 column by column (w0 = k0 k1 k2 k3, …); each further group of four words is derived as w4 = w0 ⊕ g(w3), w5 = w1 ⊕ w4, w6 = w2 ⊕ w5, w7 = w3 ⊕ w6, and likewise w8 … w11 from w4 … w7 with g(w7)]
• function g:
  – rotate word
  – substitute bytes
  – XOR with round constant
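Added example (Python, not from the slides) for the two AES slides above: shift rows, mix columns and its inverse over GF(2^8), and AES-128 key expansion with the function g (rotate word, substitute bytes, XOR with the round constant). The S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine map) rather than typed in, and the constants (reduction polynomial, affine constant 0x63, round constants) are the standard AES ones; the sample state and key in the demo are constructed inputs.

```python
# Added example, not from the slides: the AES state operations shift rows,
# mix columns (and its inverse) over GF(2^8), and AES-128 key expansion with
# the function g (rotate word, substitute bytes, XOR round constant). The
# S-box is generated from its definition (multiplicative inverse in GF(2^8)
# followed by the affine map) rather than typed in as a table.

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); 0 maps to 0, as the S-box definition requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

# S-box: inverse, then affine map b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63
SBOX = []
for _a in range(256):
    _b = gf_inv(_a)
    SBOX.append(_b ^ _rotl8(_b, 1) ^ _rotl8(_b, 2) ^ _rotl8(_b, 3) ^ _rotl8(_b, 4) ^ 0x63)

def shift_rows(state):
    """state[r][c]: row r is rotated left by r positions (LROT r)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_single_column(col, matrix=MIX):
    """Multiply one 4-byte column by the MixColumns matrix over GF(2^8)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out

def mix_columns(state, matrix=MIX):
    cols = [mix_single_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def g(word, round_index):
    """rotate word, substitute bytes, XOR the round constant into the top byte."""
    b = [(word >> 24) & 0xFF, (word >> 16) & 0xFF, (word >> 8) & 0xFF, word & 0xFF]
    b = b[1:] + b[:1]                         # rotate word
    b = [SBOX[x] for x in b]                  # substitute bytes
    b[0] ^= RCON[round_index - 1]             # round constant
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]

def key_expansion(key16):
    """AES-128: 16 key bytes -> 44 words w[0..43]; w[i] = w[i-4] ^ temp,
    where temp = g(w[i-1]) when i is a multiple of 4 and w[i-1] otherwise."""
    w = [int.from_bytes(key16[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = g(temp, i // 4)
        w.append(w[i - 4] ^ temp)
    return w

if __name__ == "__main__":
    state = [[0xD4, 0xE0, 0xB8, 0x1E], [0xBF, 0xB4, 0x41, 0x27],
             [0x5D, 0x52, 0x11, 0x98], [0x30, 0xAE, 0xF1, 0xE5]]   # constructed
    print("mix column of d4 bf 5d 30:", [f"{b:02x}" for b in mix_single_column([0xD4, 0xBF, 0x5D, 0x30])])
    print("inverse restores state:", inv_mix_columns(mix_columns(state)) == state)
    w = key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"))   # sample key
    print("w[4] =", f"{w[4]:08x}", " w[43] =", f"{w[43]:08x}")
```

The decryption side of the slide's structure diagram needs inv_mix_columns with the 14/11/13/9 matrix; the forward and inverse matrices are inverses of each other over GF(2^8), which the round trip in the demo checks.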

Summary

• block cipher basics
  – trade-offs in block size
  – trade-offs in key size, exhaustive key search
  – product ciphers, SP networks
• DES
  – operation
  – properties (Feistel structure, complementation, weak keys)
  – differential and linear cryptanalysis
  – multiple encryption and the 3DES
  – meet-in-the-middle attack on 2DES
• AES
  – operation