-- Stephan Eisvogel in de.comp.security
Block ciphers: DES and AES
- basics
- operation of DES
- cryptanalysis of DES
- multiple encryption and the 3DES
- AES
Block ciphers
an n-bit block cipher is a function E: {0, 1}^n × {0, 1}^k → {0, 1}^n, such that for each K ∈ {0, 1}^k, E(X, K) = E_K(X) is an invertible mapping from {0, 1}^n to {0, 1}^n
the inverse of E_K(X) is denoted by D_K(Y), where Y = E_K(X)
two other views:
[figure: a k-bit key K (or K') selects a permutation of the possible plaintexts onto the possible ciphertexts]
© Levente Buttyán 2
Trade-offs in block size
– on average, the target key is found after searching half of the key space
– if the plaintexts are known to contain redundancy, then ciphertext-only exhaustive key search is possible with a relatively small number of ciphertexts
How to build a “strong” block cipher?
Example: SP networks
[figure: a substitution-permutation network; each round applies a layer of S-boxes (S) to the block and then a permutation layer (P), with the round key K_r mixed in, and the last round produces the output Y]
Block cipher basics
DES – Data Encryption Standard
input size: 64
output size: 64
key size: 56
16 rounds
Feistel structure
[figure: the 64-bit input X passes the initial permutation, is split into two 32-bit halves, goes through 16 Feistel rounds (XOR with F) using the 48-bit round keys K1, …, K16 that the key scheduler derives from the 56-bit key K, and the inverse initial permutation produces the 64-bit output Y]
Block ciphers / DES
[figure: the round function F: the 32-bit half is expanded to 48 bits, XORed with the 48-bit round key (key injection), passed through the eight S-boxes S1, …, S8 and permuted by P]
DES key scheduler
[figure: the 56-bit key K passes Permuted Choice 1 and is split into two 28-bit halves; Permuted Choice 2 then produces the 48-bit round keys K1, K2, …]
[figure: the Feistel rounds drawn as an untwisted ladder and as a twisted ladder: round i combines (L_{i-1}, R_{i-1}) with K_i through F and XOR to give (L_i, R_i), from (L_1, R_1) up to (L_r, R_r)]
Properties of Feistel ciphers
round i maps (L_{i-1}, R_{i-1}) into (L_i, R_i) as follows:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
decryption can be achieved using the same r-round process with the round keys used in reverse order (K_r through K_1)
[figure: applying the XOR-with-F step twice with the same K_i takes (L, R) to (L ⊕ F(R, K_i), R) and back to (L, R), which is why the round keys in reverse order undo the encryption]
[figure: complementation property of one round: with complemented inputs (L*_{i-1}, R*_{i-1}) and complemented round key K*_i, E(R*) = E(R)*, so E(R)* ⊕ K* = E(R) ⊕ K; the S-boxes compute the same S(E(R) ⊕ K), P gives the same F(R_{i-1}, K_i), and the round output (L*_i, R*_i) is the complement of (L_i, R_i)]
Consequences of the complementation prop.
– for each weak key K, there exist 2^32 fixed points of DES_K, i.e., plaintexts X such that DES_K(X) = X
– for 4 out of the 12 semi-weak keys, there exist 2^32 anti-fixed points, i.e., plaintexts X such that DES_K(X) = X*
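A toy Feistel cipher with the DES round structure, added here as an example (it is not code from the slides): decryption reuses the same rounds with the keys reversed, complementing the plaintext and all round keys complements the ciphertext, an all-equal round-key sequence makes the cipher an involution with 2^(n/2) fixed points (the toy analogue of 2^32 for a DES weak key), and reversing the key sequence gives a semi-weak pair. The 16-bit block, 8-bit round keys, E = rotate-left-by-3 and the nibble S-box are constructed for the demo.

```python
# Toy Feistel cipher with the DES round structure (constructed parameters, not DES):
#   L_i = R_{i-1},  R_i = L_{i-1} ⊕ F(R_{i-1}, K_i),  F(R, K) = S(E(R) ⊕ K)
# 16-bit block, 8-bit halves and round keys; E is a bit permutation, so E(R*) = E(R)*.
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]  # row 0 of DES S1 as a 4-bit S-box

def E(r):
    """Stand-in for the expansion: rotate the 8-bit half left by 3 (linear, commutes with complement)."""
    return ((r << 3) | (r >> 5)) & 0xFF

def F(r, k):
    """Round function: key injection after E, then one S-box lookup per nibble (no P layer)."""
    v = E(r) ^ k
    return (SBOX[v >> 4] << 4) | SBOX[v & 0xF]

def feistel(block, round_keys):
    """Run the Feistel ladder, then swap the halves as DES does after the last round."""
    l, r = block >> 8, block & 0xFF
    for k in round_keys:
        l, r = r, l ^ F(r, k)
    return (r << 8) | l

def encrypt(block, round_keys):
    return feistel(block, round_keys)

def decrypt(block, round_keys):
    # the same process with the round keys in reverse order (K_r through K_1)
    return feistel(block, list(reversed(round_keys)))

def complement_keys(round_keys):
    """Complementing the DES key complements every round key, since the schedule only
    moves bits; the toy takes round keys directly, so complement each one."""
    return [k ^ 0xFF for k in round_keys]

def count_fixed_points(round_keys):
    """Number of plaintexts X with E_K(X) = X over the whole 16-bit block space."""
    return sum(1 for x in range(1 << 16) if encrypt(x, round_keys) == x)

KEYS = [0x3A, 0xC5, 0x71, 0x9E]  # constructed round keys K_1..K_4
WEAK = [0x55] * 4                # all round keys equal: toy analogue of a DES weak key

if __name__ == "__main__":
    x = 0x1234
    print(decrypt(encrypt(x, KEYS), KEYS) == x)                                     # True
    print(encrypt(x ^ 0xFFFF, complement_keys(KEYS)) == encrypt(x, KEYS) ^ 0xFFFF)  # True
    print(encrypt(encrypt(x, WEAK), WEAK) == x, count_fixed_points(WEAK))            # True 256
    print(encrypt(encrypt(x, KEYS), KEYS[::-1]) == x)                                # semi-weak pair
```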
Linear and differential cryptanalysis of DES
example: S1 and ∆x = 110100
∆y    DDT_S1(∆x, ∆y)
0000  0
0001  8
0010  16
0011  6
0100  2
0101  0
0110  0
0111  12
1000  6
1001  0
1010  0
1011  0
1100  0
1101  8
1110  0
1111  6
The basic idea of DC
let IN_Si(∆x, ∆y) = { x : Si(x) ⊕ Si(x ⊕ ∆x) = ∆y }
– note: DDT_Si(∆x, ∆y) = |IN_Si(∆x, ∆y)|
example: S1 and ∆x = 110100
∆y    IN_S1(∆x, ∆y)    DDT_S1(∆x, ∆y)
0000  ∅                 0
Block ciphers / Cryptanalysis of DES
assume that x and x' are input to Si and the results are y and y'
[figure: the input difference ∆x (= x ⊕ x') enters Si with x, x' ∈ IN_Si(∆x, ∆y), and the output difference is ∆y (= y ⊕ y')]
Breaking the round function F
[figure: a pair X, X' passes E, the XOR with K, the S-boxes S and the permutation P to give Y, Y'; the differences at each stage:]
X, X' diff: ∆X = X ⊕ X'
E(X), E(X') diff: E(X) ⊕ E(X') = E(∆X)
P^{-1}(Y), P^{-1}(Y') diff: P^{-1}(Y) ⊕ P^{-1}(Y') = P^{-1}(∆Y)
Y, Y' diff: ∆Y = Y ⊕ Y'
K_i ∈ ∩_{j=1}^{J} T_i(X^{(j)}, X'^{(j)}, ∆Y^{(j)})
only the right value of K_i will appear in every T_i(X^{(j)}, X'^{(j)}, ∆Y^{(j)}) !!!
Breaking the 3-round DES
[figure: three rounds with keys K1, K2, K3 applied to the pair (L_0, R_0), (L'_0, R'_0) with R'_0 = R_0]
X' = L'_3
∆Y = (R_3 ⊕ L_2) ⊕ (R'_3 ⊕ L'_2)
   = R_3 ⊕ R'_3 ⊕ L_0 ⊕ F(R_0, K_1) ⊕ L'_0 ⊕ F(R_0, K_1)
   = R_3 ⊕ R'_3 ⊕ L_0 ⊕ L'_0
algorithm:
– choose many input pairs with difference ∆P, and ask for their encryption (chosen plaintext attack)
…
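The difference distribution table and the T-set intersection of the two slides above, worked on DES S-box S1, as an added example (not code from the slides): ddt_row reproduces the table for ∆x = 110100, and simulate_attack recovers a 6-bit subkey from observed input pairs and output differences by intersecting the candidate sets T. The S1 table is the standard one; the secret key, the random inputs and the single-S-box setting are constructed for the demo.

```python
# Difference distribution table of DES S-box S1 and subkey recovery through the T sets
# (constructed demo, not code from the slides). S1 is the standard FIPS 46 table; as in DES,
# the outer two input bits select the row and the middle four bits the column.
import random

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """6-bit input -> 4-bit output of S1."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def ins(dx, dy):
    """IN_S1(dx, dy) = { x : S1(x) ⊕ S1(x ⊕ dx) = dy }."""
    return {x for x in range(64) if sbox(x) ^ sbox(x ^ dx) == dy}

def ddt_row(dx):
    """DDT_S1(dx, dy) = |IN_S1(dx, dy)| for dy = 0000 .. 1111 (the slides' table for dx = 110100)."""
    return [len(ins(dx, dy)) for dy in range(16)]

def key_candidates(ex, ex2, dy):
    """T(X, X', dY) for one S-box: the 6-bit subkeys K with S1(E(X) ⊕ K) ⊕ S1(E(X') ⊕ K) = dY.
    ex, ex2 are the expanded inputs before key injection; their XOR E(dX) does not depend on K."""
    return {k for k in range(64) if sbox(ex ^ k) ^ sbox(ex2 ^ k) == dy}

def recover_subkey(observations):
    """Intersect T over all (E(X), E(X'), dY) triples: only the right K survives in every T."""
    cand = set(range(64))
    for ex, ex2, dy in observations:
        cand &= key_candidates(ex, ex2, dy)
    return cand

def simulate_attack(true_key, n_pairs=8, seed=7):
    """Chosen inputs with varying nonzero differences; the attacker sees the inputs and the
    output difference only. Varying dx matters: with a single dx both K and K ⊕ dx always
    survive, because IN_S1(dx, dy) is closed under XOR with dx."""
    rng = random.Random(seed)
    obs = []
    for _ in range(n_pairs):
        ex, dx = rng.randrange(64), rng.randrange(1, 64)
        dy = sbox(ex ^ true_key) ^ sbox(ex ^ dx ^ true_key)  # what the attacker observes
        obs.append((ex, ex ^ dx, dy))
    return recover_subkey(obs)
```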
Preliminaries for LC
Piling-up lemma:
Let X_1, X_2, …, X_n be independent random variables, such that X_i ∈ {0, 1} and Pr{X_i = 0} = ½ + q_i. Then
Pr{X_1 ⊕ X_2 ⊕ … ⊕ X_n = 0} = ½ + 2^{n-1} q_1 q_2 … q_n
notations:
⊕ – bitwise XOR
⊗ – binary scalar product: x ⊗ y = x_1 y_1 ⊕ x_2 y_2 ⊕ … ⊕ x_n y_n
Linear approximations
for an S-box S:
a ⊗ x ⊕ b ⊗ S(x) = 0
with probability
2^{-m} |{ x : a ⊗ x ⊕ b ⊗ S(x) = 0 }| = 2^{-m} (LAT_S(a, b) + 2^{m-1}) = ½ + 2^{-m} LAT_S(a, b) = ½ + q
Linear approximations
[figure: one round function: X' enters E, is XORed with K, passes the S-boxes and P, and leaves as Y'; the S-box layer input is X = E ⊗ X' ⊕ K and its output is S(X) = P^{-1} ⊗ Y']
– using the approximation of the S-box layer:
A ⊗ (E ⊗ X' ⊕ K) ⊕ B ⊗ P^{-1} ⊗ Y' = 0
(A ⊗ E) ⊗ X' ⊕ (B ⊗ P^{-1}) ⊗ Y' ⊕ A ⊗ K = 0
A' ⊗ X' ⊕ B' ⊗ Y' ⊕ G ⊗ K = 0
with prob. ½ + Q
Linear approximations
[figure: the round approximations chained through the cipher down to the ciphertext halves C_L, C_R, with the key-bit term ⊕_{i=1,..,r-1} G_i ⊗ K_i = 0]
Algorithm of LC
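The linear approximation table with the slides' normalisation and a check of the piling-up lemma, as an added example (not code from the slides): lat(a, b) is |{x : a ⊗ x ⊕ b ⊗ S(x) = 0}| − 2^(m−1), so the bias is q = 2^(−m) LAT_S(a, b), and exact_xor_prob enumerates the XOR of independent biased bits to confirm the lemma's closed form. The S-box is a constructed 4-bit one (row 0 of DES S1 used as a 4-to-4-bit map) so the whole table is small.

```python
# Linear approximation table (LAT) of an S-box and the piling-up lemma (constructed demo,
# not code from the slides). The S-box is 4-bit so the table is small: row 0 of DES S1 used
# as a 4-to-4-bit map; m is the number of S-box input bits, as in the slides' 2^-m factor.
from itertools import product

SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
M = 4

def dot(a, x):
    """Binary scalar product a ⊗ x = a_1 x_1 ⊕ … ⊕ a_m x_m."""
    return bin(a & x).count("1") & 1

def lat(a, b):
    """LAT_S(a, b) = |{ x : a ⊗ x ⊕ b ⊗ S(x) = 0 }| - 2^(m-1), so the approximation
    a ⊗ x ⊕ b ⊗ S(x) = 0 holds with probability 1/2 + 2^-m LAT_S(a, b) = 1/2 + q."""
    count = sum(1 for x in range(1 << M) if dot(a, x) ^ dot(b, SBOX[x]) == 0)
    return count - (1 << (M - 1))

def bias(a, b):
    """q for the approximation (a, b)."""
    return lat(a, b) / (1 << M)

def best_approximation():
    """Nontrivial (a, b) with the largest |q|: the starting point of a linear attack."""
    pairs = ((a, b) for a in range(1, 1 << M) for b in range(1, 1 << M))
    return max(pairs, key=lambda ab: abs(lat(*ab)))

def piling_up(biases):
    """Right-hand side of the piling-up lemma: 1/2 + 2^(n-1) q_1 q_2 … q_n."""
    prod = 1.0
    for q in biases:
        prod *= q
    return 0.5 + (1 << (len(biases) - 1)) * prod

def exact_xor_prob(biases):
    """Pr{X_1 ⊕ … ⊕ X_n = 0} for independent X_i with Pr{X_i = 0} = 1/2 + q_i, computed by
    enumerating all 2^n outcomes; the lemma says this equals piling_up(biases)."""
    total = 0.0
    for bits in product((0, 1), repeat=len(biases)):
        p = 1.0
        for bit, q in zip(bits, biases):
            p *= (0.5 + q) if bit == 0 else (0.5 - q)
        if sum(bits) % 2 == 0:
            total += p
    return total
```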
Multiple encryption and 3DES
if a block cipher is susceptible to exhaustive key search (e.g., DES), then encryption of the same message more than once may increase security
[figure: double encryption: X → E/D under K1 → M → E/D under K2 → Y]
Block ciphers / Multiple encryption
[figure: triple encryption: X → E/D under K1 → A → E/D under K2 → B → E/D under K3 → Y]
group property
– given any two keys K1 and K2, there exists a third key K3, such that DES_K1(DES_K2(X)) = DES_K3(X) for all X
Meet-in-the-middle attack on double enc.
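The meet-in-the-middle attack on double encryption, as an added example (not code from the slides): E_K1(P) is tabulated for every K1, D_K2(C) is looked up for every K2, and the surviving (K1, K2) candidates are confirmed on further known pairs, so two keys cost about twice one key search plus a table rather than the square. The 16-bit toy cipher and its key schedule are constructed for the demo so that the whole key space can be enumerated.

```python
# Meet-in-the-middle against double encryption (constructed demo, not code from the slides).
# The cipher is a deliberately weak 16-bit toy (16-bit block, 16-bit key) so that every key
# can be tried: two keys give 2^32 pairs, but the attack costs about 2 * 2^16 cipher calls
# and a table of 2^16 entries. For DES the same trade is 2^57 work instead of 2^112.
MASK = 0xFFFF

def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK

def round_key(k, i):
    return rotl16(k, 5 * i) ^ ((0x9E37 * (i + 1)) & MASK)  # constructed schedule

def toy_encrypt(k, x):
    """Four rounds: add round key, rotate, invertible xor-shift."""
    for i in range(4):
        x = (x + round_key(k, i)) & MASK
        x = rotl16(x, 7)
        x ^= (x << 4) & MASK
    return x

def toy_decrypt(k, y):
    """Undo the rounds in reverse order."""
    for i in reversed(range(4)):
        y ^= ((y << 4) ^ (y << 8) ^ (y << 12)) & MASK  # inverse of y ^= (y << 4)
        y = rotl16(y, 9)
        y = (y - round_key(k, i)) & MASK
    return y

def double_encrypt(k1, k2, x):
    return toy_encrypt(k2, toy_encrypt(k1, x))

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under C = E_k2(E_k1(P)).
    Tabulate E_k1(P0) for every k1, then for every k2 look up D_k2(C0) in the table:
    each hit is a candidate (k1, k2) that the remaining pairs confirm or discard."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found
```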
General structure of encryption/decryption
[figure: encryption and decryption side by side: the plaintext is XORed with round key w[0..3]; rounds 1 to 10 apply substitute bytes, shift rows, (mix columns) and add round key from the expanded key; decryption applies inverse subs bytes and inverse shift rows with the round keys in reverse order]
Block ciphers / AES (Rijndael)
shift rows
s00 s01 s02 s03          s00 s01 s02 s03
s10 s11 s12 s13  LROT1   s11 s12 s13 s10
s20 s21 s22 s23  LROT2   s22 s23 s20 s21
s30 s31 s32 s33  LROT3   s33 s30 s31 s32
mix column
each column of the state is multiplied by
[ 2 3 1 1 ]
[ 1 2 3 1 ]
[ 1 1 2 3 ]
[ 3 1 1 2 ]
Key expansion
[figure: the 16 key bytes k0 … k15 fill the words w0 … w3 column by column (w0 = k0 k1 k2 k3, w1 = k4 k5 k6 k7, …); each further block of four words is w4 = w0 ⊕ g(w3), w5 = w1 ⊕ w4, w6 = w2 ⊕ w5, w7 = w3 ⊕ w6, then w8 … w11 from w4 … w7 in the same way, …]
function g:
- rotate word
- substitute bytes
- XOR with round constant
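ShiftRows and MixColumns on a 4x4 byte state s[row][col], with their inverses, as an added example (not code from the slides): the rotation amounts and the MixColumns matrix are the ones on the slides, and the GF(2^8) arithmetic follows FIPS-197. The sample state is constructed; its first column is the FIPS-197 Appendix B example, the second a common textbook test column.

```python
# ShiftRows and MixColumns of AES on a 4x4 byte state s[row][col], with their inverses
# (constructed demo, not code from the slides). MixColumns uses the matrix on the slide;
# multiplication is in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (FIPS-197).
def xtime(b):
    """Multiply a byte by x (the byte 02) in GF(2^8)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def shift_rows(state):
    """Row i is rotated left by i positions (LROT1, LROT2, LROT3 on the slide)."""
    return [row[i:] + row[:i] for i, row in enumerate(state)]

def inv_shift_rows(state):
    """Row i is rotated right by i positions."""
    return [row[4 - i:] + row[:4 - i] for i, row in enumerate(state)]

def mix_columns(state, matrix=MIX):
    """Multiply every column of the state by the fixed matrix over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gmul(matrix[r][k], state[k][c])
            out[r][c] = v
    return out

def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)

def columns(state):
    """Read a state column by column, the way MixColumns acts on it."""
    return [[state[r][c] for r in range(4)] for c in range(4)]

# Constructed state; column 0 is the FIPS-197 Appendix B example d4 bf 5d 30 -> 04 66 81 e5,
# column 1 is db 13 53 45 -> 8e 4d a1 bc; constant columns (2 and 3) are left unchanged.
STATE = [[0xD4, 0xDB, 0x01, 0xC6], [0xBF, 0x13, 0x01, 0xC6], [0x5D, 0x53, 0x01, 0xC6], [0x30, 0x45, 0x01, 0xC6]]
```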
Summary
DES
– operation
– properties (Feistel structure, complementation, weak keys)
– differential and linear cryptanalysis
– multiple encryption and the 3DES
– meet-in-the-middle attack on 2DES
AES
– operation