Lecture 3: Block Ciphers: Practical

Instantiation of PRP

CS6903: Modern Cryptography

Spring 2010

Nitesh Saxena
DES – Data Encryption Standard
„ Encrypts by series of substitution and transpositions.
„ Based on Feistel Structure
„ Worldwide standard for more than 20 years.
„ Has a history of controversy.
„ Designed by IBM (Lucifer) with later help
(interference?) from NSA.
„ No longer considered secure for highly sensitive
applications.
„ Replacement standard AES (advanced encryption
standard) recently completed.

3/1/2011 Lecture 1 - Introduction 2

DES - Overview

3/1/2011 Lecture 1 - Introduction 3

DES – Each iteration.

3/1/2011 Lecture 1 - Introduction 4

DES – Function F

3/1/2011 Lecture 1 - Introduction 5

3/1/2011 Lecture 1 - Introduction 6
Operation Tables of DES (Key Schedule,
PC-1, PC-2)

3/1/2011 Lecture 1 - Introduction 7

Operation Tables (IP, IP-1, E and P)

3/1/2011 Lecture 1 - Introduction 8

 S-boxes: S1
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

00 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
01 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
10 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
11
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Sj

Is the table entry from

row : b1b 2
S (b1b 2b3b 4b5b 6)
column : b 3b 4 b 5b 6
S (011001) = 6 d = 0110
3/1/2011 Lecture 1 - Introduction 9
DES Decryption
„ Same as the encryption algorithm with the
“reversed” key schedule – NEXT!

3/1/2011 Lecture 1 - Introduction 10

 x Plain text
Initial permutation (IP)
L0 R0
Round-1 (key K1)
R0 L 0 ⊕ F ( R 0, K 1)

Rounds 2-15

L15 R15
Round-16 (key K16)
R15 L15 ⊕ F ( R15, K 16)
swap
L15 ⊕ F ( R15, K 16) R15
IP inverse
3/1/2011
y Cipher text
Lecture 1 - Introduction 11
 encrypt
L15 ⊕ F ( R15, K 16) R15
IP inverse
y Cipher text
IP
L15 ⊕ F ( R15, K 16) R15

Round-1 (K16)

decrypt
R15 L15 ⊕ F ( R15, K 16) ⊕ F ( R15, K 16)

R15 L15
b⊕b = 0
Since
b⊕0 = b
3/1/2011 Lecture 1 - Introduction 12
DES Security
„ S-Box design not well understood (secret).
„ Has survived some recent sophisticated
attacks (differential cryptanalysis)
„ Key is too short. Hence is vulnerable to brute
force attack.
„ 1998 distributed attack took 3 months.
„ $1,000,000 machine will crack DES in 35
minutes – 1997 estimate. $10,000 – 2.5 days.

3/1/2011 Lecture 1 - Introduction 13

DES Cracking machine
„

3/1/2011 Lecture 1 - Introduction 14

Super-encryption.
„ If key length is a concern, then instead of
encrypting once, encrypt twice!!
C = EK2(EK1(P))
P = DK2(DK1(C))
„ Does this result in a larger key space?
„ Encrypting with multiple keys is known as
super-encryption.
„ May not always be a good idea.

3/1/2011 Lecture 1 - Introduction 15

Double DES
K1 K2

X
P E E C
Encryption

K2 K1

X
C D D P
Decryption

„ Double DES is almost as easy to break as

single DES (Needs more memory though)!

3/1/2011 Lecture 1 - Introduction 16

Double DES – Meet-in-the-middle
Attack (due to Diffie-Hellman)
„ Based on the observation that, if
C = EK2(EK1(P))
Then
X = EK1(P) = DK2(C).
„ Given a known (P, C) pair, encrypt P with all possible

values of K and store result in table T.

„ Next, decrypt C with all possible keys K and check

result. If match occurs then check key pair with new

known (P, C) pair. If match occurs, you have found
the keys. Else continue as before.
„ Process will terminate successfully.

3/1/2011 Lecture 1 - Introduction 17

Meet-in-the-middle Explanation.
„ The first match does not say anything as we
have 264 ciphertexts and 2112 keys.
„ On the average 2112 / 264 = 248 keys will
produce same ciphertext.
„ So there could be 248 possible candidates
„ We can use a second pair (P’,C’)
„ So, probability that false alarm will survive
two known (P, C) pairs is 248 / 264 = 2-16.
„ One can always check a third pair to further
reduce the chance of a false alarm.

3/1/2011 Lecture 1 - Introduction 18

 Triple DES
K1 K2 K1

P A B
E D E C
Encryption

K1 K2 K1

C B A
D E D P
Decryption

„ Triple DES (2 keys) requires 2112 search. Is

reasonably secure.
„ 3 keys requires 2112.
3/1/2011 Lecture 1 - Introduction 19
DES Encryption modes
„ Electronic Code Book (ECB)
„ Cipher Block Chain (CBC)

3/1/2011 Lecture 1 - Introduction 20

Electronic Code Book (ECB) Mode
„ Although DES encrypts 64 bits (a block) at a time, it
can encrypt a long message (file) in Electronic Code
Book (ECB) mode.
Time = 1 Time = 2 Time = N
P1 P2 PN

K
DES
Encrypt K
DES
Encrypt
• • • K
DES
Encrypt

C1 C2 CN

C1 C2 CN

DES DES DES

K Decrypt K Decrypt K Decrypt

• • •
P1 P2 PN

„ If same key is used then identical plaintext blocks

map to identical ciphertext.
3/1/2011 Lecture 1 - Introduction 21
Cipher Block Chain (CBC) Mode.
Time = 1 Time = 2 Time = N
IV P1 P2 PN

+ + CN-1 +

DES DES DES

K
Encrypt
K
Encrypt • • • K
Encrypt

C1 C2 CN

C1 C2 CN

DES DES DES

K
Decrypt
K
Decrypt • • • K
Decrypt

IV + + CN-1 +

P1 P2 PN

3/1/2011 Lecture 1 - Introduction 22