Professional Documents
Culture Documents
K
i
Eight S-boxes
P-box
Output
7/3/01
DESign Principles: Inverses
Equations for round i:
In other words:
So decryption is the
same as encryption
Last round, no swap:
really is the same
L
i-1
R
i-1
L
i
R
i
f
L
i
R
i 1
R
i
L
i 1
f R
i 1
R
i 1
L
i
L
i 1
R
i
f L
i
7/3/01
MoDES of Operation
ECB: Electronic CodeBook mode:
Encrypt each 64-bit block independently
Attacker could build codebook
CBC: Cipher Block Chaining mode:
Encryption: C
i
= E
K
(P
i
C
i-1
)
Decryption: P
i
= C
i-1
D
K
(C
i
)
CFB, OFB: allow byte-wise encryption
Cipher FeedBack, Output FeedBack
7/3/01
PeDEStrian attacks
Obvious attack: guess the key. 2
56
keys
Complementation Property: 2
55
keys
1 million per second: 1100 years
Store E
K
(P
1
) for all K: 512 petabytes
Time/Memory Tradeoff (Hellman, 1980):
1 terabyte
5 days
7/3/01
DEStroying Security
Differential Cryptanalysis (1990):
Say you know plaintext, ciphertext pairs
Difference d
P
= P
1
P
2
, d
C
= C
1
C
2
Distribution of d
C
s given d
P
may reveal key
Need lots of pairs to get lots of good d
P
s
Look at pairs, build up key in pieces
Could find some bits, brute-force for rest
7/3/01
DEServing of Praise
Against 8-round DES, attack requires:
2
14
= 16,384 chosen plaintexts, or
2
38
known plaintext-ciphertext pairs
Against 16-round DES, attack requires:
2
47
chosen plaintexts, or
Roughly 2
55.1
known plaintext-ciphertext pairs
Differential cryptanalysis not effective
Designers knew about it
7/3/01
DESperate measures
Linear cryptanalysis:
Look at algorithm structure: find places
where, if you XOR plaintext and ciphertext
bits together, you get key bits
S-boxes not linear, but can approximate
Need 2
43
known pairs; best known attack
DES apparently not optimized against this
Still, not an easy-to-mount attack
7/3/01
DESuetude
Weakest link is size of key
Attacks take advantage of encryption speed
1993: Weiner: $1M machine, 3.5 hours
1998: EFFs Deep Crack: $250,000
92 billion keys per second; 4 days on average
1999: distributed.net: 23 hours
OK for some things (e.g., short time horizon)
DES sliDES into wiDESpread DESuetude
7/3/01
Triple-DES
Run DES three times:
ECB mode:
If K
2
= K
3
, this is DES
Backwards compatibility
Known not to be just DES with K
4
(1992)
Has 112 bits of security, not 3 56 = 168
Why? Whats the attack?
Whats wrong with Double-DES?
C
i
E
K
3
D
K
2
E
K
1
P
i
7/3/01
DESpair
Double-DES: C
i
= E
B
(E
A
(P
i
))
Given P
1
, C
1
: Note that D
B
(C
1
) = E
A
(P
1
)
Make a list of every E
K
(P
1
).
Try each L: if D
L
(C
1
) = E
K
(P
1
), then
maybe K = A, L = B. (2
48
Ls might work.)
Test with P
2
, C
2
: if it checks, it was
probably right.
Time roughly 2
56
. Memory very large.
7/3/01
Advanced Encryption Standard
DES cracked, Triple-DES slow: what next?
1997: AES announced, call for algorithms
August 1998: 15 candidate algorithms
August 1999: 5 finalists
October 2000: Rijndael selected
Two Belgians: Joan Daemen, Vincent Rijmen
May 2001: Comment period ended
Summer 2001: Finalized, certified until 06
7/3/01
AESthetics
Similar to DES: block cipher (with
different modes), but 128-bit blocks
128-bit, 192-bit, or 256-bit key
Mix of permutations, S-boxes
S-boxes based on modular arithmetic with
polynomials:
Non-linear
Easy to analyze, prove attacks fail
7/3/01
AES: State array
input bytes State array output bytes
in
0
in
4
in
8
in
12
s
0,0
s
0,1
s
0,2
s
0,3
out
0
out
4
out
8
out
12
in
1
in
5
in
9
in
13
s
1,0
s
1,1
s
1,2
s
1,3
out
1
out
5
out
9
out
13
in
2
in
6
in
10
in
14
s
2,0
s
2,1
s
2,2
s
2,3
out
2
out
6
out
10
out
14
in
3
in
7
in
11
in
15
s
3,0
s
3,1
s
3,2
s
3,3
out
3
out
7
out
11
out
15
Figure 3. State array input and output.
State of machine given by 4x4 array of bytes
7/3/01
AES: Pseudocode
Ciphe r(byt e in[ 4 * N b], b yte out[ 4 * N b], w ord w [Nb * (Nr + 1)] )
begin
byte state [4,Nb ]
state = in
AddRo undKe y(sta te, w ) // Se e Sec . 5.1 .4
for r ound = 1 s tep 1 to N r 1
SubByte s(sta te) // Se e Sec . 5.1 .1
Shift Rows( state ) // Se e Sec . 5.1 .2
MixCo lumns (stat e) // Se e Sec . 5.1 .3
AddRo undKe y(sta te, w + ro und * Nb )
end f or
SubBy tes(s tate)
Shift Rows( state )
AddRo undKe y(sta te, w + Nr * Nb)
out = stat e
end
7/3/01
AES: SubBytes() (S-Box)
0 , 0
s
1 , 0
s
2 , 0
s
3 , 0
s
'
0 , 0
s
'
1 , 0
s
'
2 , 0
s
'
3 , 0
s
0 , 1
s
1 , 1
s
2 , 1
s
3 , 1
s
'
0 , 1
s
'
1 , 1
s
'
2 , 1
s
'
3 , 1
s
0 , 2
s
1 , 2
s
2 , 2
s
3 , 2
s
'
0 , 2
s
'
1 , 2
s
'
2 , 2
s
'
3 , 2
s
0 , 3
s
1 , 3
s
2 , 3
s
3 , 3
s
'
0 , 3
s
'
1 , 3
s
'
2 , 3
s
'
3 , 3
s
Figure 7. SubBytes() applies the S-box to each byte of the State.
c r
s
,
'
,c r
s
Non-linear, based on polynomial arithmetic
7/3/01
AES: ShiftRows()
S S
0 , 0
s
1 , 0
s
2 , 0
s
3 , 0
s
0 , 0
s
1 , 0
s
2 , 0
s
3 , 0
s
0 , 1
s
1 , 1
s
2 , 1
s
3 , 1
s
1 , 1
s
2 , 1
s
3 , 1
s
0 , 1
s
0 , 2
s
1 , 2
s
2 , 2
s
3 , 2
s
2 , 2
s
3 , 2
s
0 , 2
s
1 , 2
s
0 , 3
s
1 , 3
s
2 , 3
s
3 , 3
s
3 , 3
s
0 , 3
s
1 , 3
s
2 , 3
s
Figure 9. ShiftRows() cycl ically shifts the last three rows in the State
ShiftRows()
0 , r
s
1 , r
s
2 , r
s
3 , r
s
'
0 , r
s
'
0 , r
s
'
2 , r
s
'
3 , r
s
'
1 , r
s
'
0 , r
s
7/3/01
AES: MixColumns()
0 , 0
s
1 , 0
s
2 , 0
s
3 , 0
s
'
0 , 0
s
'
1 , 0
s
'
2 , 0
s
'
3 , 0
s
0 , 1
s
1 , 1
s
2 , 1
s
3 , 1
s
'
0 , 1
s
'
1 , 1
s
'
2 , 1
s
'
3 , 1
s
0 , 2
s
1 , 2
s
2 , 2
s
3 , 2
s
'
0 , 2
s
'
1 , 2
s
'
2 , 2
s
'
3 , 2
s
0 , 3
s
1 , 3
s
2 , 3
s
3 , 3
s
'
0 , 3
s
'
1 , 3
s
'
2 , 3
s
'
3 , 3
s
Figure 10. MixColumns() operates on the State column-by-column.
MixColumns()
c
s
, 0
c
b
, 0
c
s
, 1
c
s
, 2
c
s
, 3
'
, 0 c
s
'
, 1 c
s
'
, 2 c
s
'
, 3 c
s
7/3/01
AES: AddRoundKey()
Key schedule: expand N
b
-word key to
4 words per round for (6 + N
b
) rounds
(N
b
could be 4, 6, or 8)
0 , 0
s
1 , 0
s
2 , 0
s
3 , 0
s
'
0 , 0
s
'
1 , 0
s
'
2 , 0
s
'
3 , 0
s
0 , 1
s
1 , 1
s
2 , 1
s
3 , 1
s
'
0 , 1
s
'
1 , 1
s
'
2 , 1
s
'
3 , 1
s
0 , 2
s
1 , 2
s
2 , 2
s
3 , 2
s
'
0 , 2
s
'
1 , 2
s
'
2 , 2
s
'
3 , 2
s
0 , 3
s
1 , 3
s
2 , 3
s
3 , 3
s
l
w
1 l
w
2 l
w
3 l
w
'
0 , 3
s
'
1 , 3
s
'
2 , 3
s
'
3 , 3
s
Figure 11. AddRoundKey() XORs each co lumn of the State with a
word from the key schedule.
c
s
, 0
c
s
, 1
c
s
, 2
c
s
, 3
'
, 0 c
s
'
, 1 c
s
'
, 2 c
s
'
, 3 c
s
w
l+c
Nb round l *
7/3/01
Not just a CAESar Shift
A byte B=b
7
b
6
b
5
b
4
b
3
b
2
b
1
b
0
is a polynomial
b
7
x
7
+b
6
x
6
+b
5
x
5
+b
4
x
4
+b
3
x
3
+b
2
x
2
+b
1
x
1
+b
0
x
0
Can add, subtract, multiply polynomials
Coefficients are manipulated mod 2
Do polynomial division, get remainders
Can work mod a particular polynomial
AES uses a particular prime polynomial
7/3/01
KafkAESque Complexity
S-box: input is a byte B
First take B
-1
(mod p)
Next, do a linear transformation on the bits
Finally, XOR with a fixed byte
MixColumns() also uses polynomials
S-box can be done with a lookup table
Easier to analyze then random S-boxes
used in DES
7/3/01
Suggested Reading
Chapter references are to Stallings
Modular Arithmetic: Sections 7.1-7.3, 7.5
Big-Oh Notation: Appendix 6A
DES: Chapter 3
Double-DES, Triple-DES: Section 4.1
AES: The AES home page:
http://csrc.nist.gov/encryption/aes/