Outline

• DES
• Quiz
• 3DES
• AES
• Other Block Ciphers

Introduction

• Last Wednesday, we began talk about block ciphers.
• Here ciphertext and plaintext consist of fixed sized blocks.
• Ciphertext obtained from plaintext by iterating a round function
• Input to the round function consists of key and output of the previous round
• We looked at the particular example of the Feistel cipher which is often a starting point for more complicated block ciphers.
• In the cipher, the plaintext is split into a left and right half.
• A round consists of making the left half of the next round the right half of the previous round, then making the new right half an XOR of the old left half with some function of the key and the old right half.
• The ciphertext is the result after performing this operation for a fixed number of rounds.
• One cipher which makes use of the ideas of a Feistel cipher is DES, which we consider next.

Data Encryption Standard

• DES developed in 1970's
• Based on IBM's Lucifer cipher
• DES was U.S. government standard
• DES development was controversial
• NSA secretly involved
• Design process was secret
• Key length reduced from 128 to 56 bits
• Subtle changes to Lucifer algorithm

About DES

• DES is a Feistel cipher with...
  • 64 bit block length
  • 56 bit key length
  • 16 rounds
  • 48 bits of key used each round (subkey)
• Each round is simple (for a block cipher)
• Security depends heavily on "S-boxes"
• Each S-boxes maps 6 bits to 4 bits

One Round of DES

DES S-box

• DES makes use of eight "substitution boxes: or S-boxes
• Each S-box maps 6 bits to 4 bits
• So applying each S-Box to a different 6 bits in a 48 bit number will produce a 32 bit number
• Below is a picture of S-box number 1:
  

DES P-box

• This box just computes a permutations of the inputs bits:

  Input 32 bits
   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
  
  Output 32 bits
  15  6 19 20 28 11 27 16  0 14 22 25  4 17 30  9
   1  7 23 13 31 26  2  8 18 12 29  5 21 10  3 24
  

DES Subkey Bits

• 56 bit DES key, bits are numbered 0,1,2,...,55
• We split this key in to left and right half bits as follows...
• Left Half Bits:

  49 42 35 28 21 14  7  
   0 50 43 36 29 22 15
   8  1 51 44 37 30 23
  16  9  2 52 45 38 31
  

• Right Half Bits:

  55 48 41 34 27 20 13
   6 54 47 40 33 26 19
  12  5 53 46 39 32 25
  18 11  4 24 17 10  3
  

DES Subkey

• For rounds `i=1,2,...,16`
• Let LK = (LK circular shift left by `r_i`)
• Let RK = (RK circular shift left by `r_i`)
• Left half of subkey `K_i` is of LK bits

  13 16 10 23  0  4  2 27 14  5 20  9
  22 18 11  3 25  7 15  6 26 19 12  1
  

• Right half of subkey `K_i` is RK bits

  12 23  2  8 18 26  1 11 22 16  4 19
  15 20 10 27  5 24 17 13 21  7  0  3
  

More on determining `K_i`

• For rounds 1, 2, 9 and 16 the shift `r_i` is 1, and in all other rounds `r_i` is 2
• Bits 8,17,21,24 of LK omitted each round
• Bits 6,9,14,25 of RK omitted each round
• Compression permutation yields 48 bit subkey `K_i` from 56 bits of LK and RK
• Key schedule generates subkey

DES Last Word (Almost)

• An initial permutation before round 1
• Halves are swapped after last round
• A final permutation (inverse of initial perm) applied to `(R_16, L_16)`
• None of this serves security purpose

Security of DES

• Security depends heavily on S-boxes
• Everything else in DES is linear
• More than thirty years of intense analysis has revealed no "back door"
• Best attacks only slightly better than essentially exhaustive key search
• Designers of DES knew what they were doing
• Designers of DES were way ahead of their time

Quiz

Which of the following is true?

1. Caesar's cipher is a simple substitution cipher.
2. The cipher used by Project Venona we discussed, was a codebook cipher.
3. A5/1, at its heart, makes use of random permutations.

Block Cipher Notation

• P = plaintext block
• C = ciphertext block
• Encrypt P with key K to get ciphertext C:
  `C = E(P, K)`
• Decrypt C with key K to get plaintext P
  `P = D(C, K)`
• Note: `P = D(E(P, K), K)` and `C = E(D(C, K), K)` But `P ne D(E(P, K1), K2)` and `C ne E(D(C, K1), K2)` when `K1 ne K2`

Triple DES

• Today, 56 bit DES key is too small
• Exhaustive key search is feasible.
• But DES is everywhere, so what to do?
• Triple DES or 3DES (112 bit key)
  C = E(D(E(P,K1),K2),K1)
  P = D(E(D(C,K1),K2),K1)
• Why Encrypt-Decrypt-Encrypt with 2 keys?
• Backward compatible: E(D(E(P,K),K),K) = E(P,K)
• This 112 bit keying option versus the known attacks is estimated by NIST to have 80 bits of security.
• The best attacks against three separate keys give about 84 bits of security.
• The electronic payment industry, Microsoft OneNote, and Microsoft Outlook 2007 use 3DES.

3DES

• Why not C = E(E(P,K),K) ?
  • Trick question --- it's still just 56 bit key
• Why not C = E(E(P,K1),K2) ?
  • There is a (semi-practical) known plaintext attack against this:
    • Pre-compute table of E(P,K1) for every possible key K1 (resulting table has `2^(56)` entries)
    • Then for each possible K2 compute D(C,K2) until a match in table is found
    • When match is found, have E(P,K1) = D(C,K2)
    • Result gives us keys: C = E(E(P,K1),K2)

Advanced Encryption Standard

• Replacement for DES
• AES competition (late 90s)
  • NSA openly involved
  • Transparent process
  • Many strong algorithms proposed
  • Rijndael Algorithm ultimately selected (pronounced like Rain Doll or Rhine Doll)
• Iterated block cipher (like DES)
• Not a Feistel cipher (unlike DES)

AES Overview

• Block size: 128 bits (others in Rijndael)
• Key length: 128, 192 or 256 bits (independent of block size)
• 10 to 14 rounds (depends on key length)
• Each round uses 4 functions (3 layers)
  • ByteSub (nonlinear layer)
  • ShiftRow (linear mixing layer)
  • MixColumn (nonlinear layer)
  • AddRoundKey (key addition layer)

AES ByteSub

• Treat 128 bit block as 4x4 byte array:
  
• ByteSub is AES's S-box
• Bytesub can be viewed as a nonlinear (but invertible) composition of two math operations

AES S-box

We'll view it as a table lookup based on the two hex digits of the byte `a_(ij)`.

AES ShiftRow

• This operation computes a cyclic shift of the 128 bits viewed as a 4 x 4 matrix:
  
• In the above, the first row doesn't shift, the second row left-shifts by, the third row by two, and the last row by three.

AES MixColumn

• Invertible, nonlinear operation applied to each column
  `((a_(0i)),(a_(1i)),(a_(2i)),(a_(3i))) -> mbox(MixColumn) -> ((b_(0i)),(b_(1i)),(b_(2i)),(b_(3i)))`
• Again, serves a similar purpose to DES S-boxes.
• We view it also as being implemented as a big table lookup

AES AddRoundKey

• Similar to DES, a key schedule algorithm is used to generate a 128 subkey for each round.
• Let `k_(ij)` denote the `ij`th byte of this subkey viewed as a 4 x 4 matrix.
• The current block is then XOR'd with this subkey as:
  

AES Decryption

• To decrypt, the AES algorithm must be invertible
• The inverse of AddRoundKey is easy, since `oplus` is its own inverse
• MixColumn is invertible (inverse is also implemented as a lookup table)
• Inverse of ShiftRow is easy (cyclic shift the other direction)
• ByteSub is invertible (inverse is also implemented as a lookup table)

A Few Other Block Ciphers

We now consider a few other block ciphers...

• Briefly...
  • IDEA
  • Blowfish
  • RC6
• More detailed
  • TEA

IDEA

• Invented by James Massey
• One of the giants of modern crypto (Berlekamp-Massey Algorithm, SAFER, etc.)
• IDEA has 64-bit block, 128-bit key
• IDEA uses mixed-mode arithmetic (`mod 2` and `mod 2^(16)`)
• Combine different math operations (also Lai-Massey Multiplication, similar to but not quite, `mod 2^(16)` multiplication)
• These operations provide sufficient nonlinearity so S_box is not needed.
• IDEA was the first to use this approach which has now come into vogue.

Blowfish

• Blowfish encrypts 64-bit blocks
• Key is variable length, up to 448 bits
• Invented by Bruce Schneier
• Almost a Feistel cipher `R_i = L_(i-1) oplus K_i` `L_i = R_(i-1) oplus F(L_(i-1) oplus K_i)`
• The round function F uses 4 S-boxes
• Each S-box maps 8 bits to 32 bits
• S-boxes determined by the key
• S-boxes can be shown to be strong.

RC6

• Invented by Ron Rivest
• Variables
  • Block size
  • Key size
  • Number of rounds
• An AES finalist
• Uses data dependent rotations, which is unusual, as usually algorithms don't depend on the plaintext

Tiny Encryption Algorithm (TEA)

• 64 bit block, 128 bit key
• Assumes 32-bit arithmetic
• Number of rounds is variable (32 is considered secure)
• Uses weak (but conceptually simpler) round function, so large number of rounds required

TEA Encryption

• Assuming 32 rounds:

  (K[0],K[1],K[2],K[3]) = 128 bit key;
  (L,R) = plaintext (64-bit block);
  delta = 0x9e3779b9;
  sum = 0;
  for (i = 1; i<=32; i++) {
      sum += delta;
      L += ((R<<4)+K[0]) ⊕ (R+sum) ⊕ ((R>>5)+K[1]);
      R += ((L<<4)+K[2]) ⊕ (L+sum) ⊕ ((L>>5)+K[3]);
  }
  ciphertext = (L,R);
  

• Here << is a left, non-cyclic shift; >> is a right, non-cyclic shift.

TEA Decryption

• Assuming 32 rounds:

  (K[0],K[1],K[2],K[3]) = 128 bit key;
  (L,R) = ciphertext (64-bit block);
  delta = 0x9e3779b9;
  sum = delta << 5
  for (i = 1; i<=32; i++) {
      R -= ((L<<4)+K[2]) ⊕ (L+sum) ⊕ ((L>>5)+K[3]);
      L -= ((R<<4)+K[0]) ⊕ (R+sum) ⊕ ((R>>5)+K[1]);
      sum -= delta;
  }
  plaintext = (L,R);
  

TEA Comments

• Almost a Feistel cipher
• Uses + and - instead of XOR
• Simple, easy to implement, fast, low memory requirement, etc.
• Possibly has a related key attack
• eXtended TEA (XTEA) eliminates related key attack (slightly more complex)
• Simplified TEA (STEA) -- insecure version used as an example for cryptanalysis