feistel des lawrie brown

Upload: lalith-krishnan

Post on 01-Jun-2018

TRANSCRIPT

  • 8/9/2019 Feistel Des Lawrie Brown

    Cryptography and Network Security
    Chapter 3
    Fifth Edition
    by William Stallings
    Lecture slides by Lawrie Brown

    Block vs Stream Ciphers

    • block ciphers process messages in blocks, each of which is then en/decrypted
    • like a substitution on very big characters
        • 64-bits or more
    • stream ciphers process messages a bit or byte at a time when en/decrypting
    • many current ciphers are block ciphers
        • better analysed
        • broader range of applications

    Block vs Stream Ciphers

    Block Cipher Principles

    • most symmetric block ciphers are based on a Feistel Cipher Structure
    • needed since must be able to decrypt ciphertext to recover messages efficiently
    • block ciphers look like an extremely large substitution
    • would need table of 2^64 entries for a 64-bit block
    • instead create from smaller building blocks
    • using idea of a product cipher

    Ideal Block Cipher

    Claude Shannon and Substitution-Permutation Ciphers

    • Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper
    • form basis of modern block ciphers
    • S-P nets are based on the two primitive cryptographic operations seen before:
        • substitution (S-box)
        • permutation (P-box)
    • provide confusion & diffusion of message & key

    Feistel Cipher Structure

    • Horst Feistel devised the Feistel cipher
        • based on concept of invertible product cipher
    • partitions input block into two halves
        • process through multiple rounds which
        • perform a substitution on left data half
        • based on round function of right half & subkey
        • then have permutation swapping halves
    • implements Shannon's S-P net concept

    Feistel Cipher Design Elements

    • block size
    • key size
    • number of rounds
    • subkey generation algorithm
    • round function
    • fast software en/decryption
    • ease of analysis

    Data Encryption Standard (DES)

    • most widely used block cipher in world
    • adopted in 1977 by NBS (now NIST)
        • as FIPS PUB 46
    • encrypts 64-bit data using 56-bit key
    • has widespread use
    • has been considerable controversy over its security

    DES History

    • IBM developed Lucifer cipher
        • by team led by Feistel in late 60's
        • used 64-bit data blocks with 128-bit key
    • then redeveloped as a commercial cipher with input from NSA and others
    • in 1973 NBS issued request for proposals for a national cipher standard
    • IBM submitted their revised Lucifer which was eventually accepted as the DES

    DES Design Controversy

    • although DES standard is public
    • was considerable controversy over design
        • in choice of 56-bit key (vs Lucifer 128-bit)
        • and because design criteria were classified
    • subsequent events and public analysis show in fact design was appropriate
    • use of DES has flourished
        • especially in financial applications
        • still standardised for legacy application use

    DES Encryption Overview

    Initial Permutation IP

    • first step of the data computation
    • IP reorders the input data bits
    • even bits to L half, odd bits to R half
    • quite regular in structure (easy in h/w)
    • example:

        IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
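The regular structure noted on this slide can be checked directly. The following is an added example, not part of the slides: it builds the standard DES IP table from the "even bits to L, odd bits to R" pattern instead of typing it in, and applies it to the slide's sample value. The function names are illustrative.

```python
# Added example: DES initial permutation (IP). Bit 1 is the most significant bit.

def build_ip_table():
    """IP table (output position -> input bit number), built from its structure."""
    table = []
    for row in range(8):
        # Rows 0-3 collect bits 2, 4, 6, 8 of every byte (the L half);
        # rows 4-7 collect bits 1, 3, 5, 7 of every byte (the R half).
        start = 58 + 2 * (row % 4) - (row // 4)
        table.extend(start - 8 * col for col in range(8))
    return table

def invert_table(table):
    """Table of the inverse permutation (DES applies IP^-1 as its last step)."""
    inverse = [0] * len(table)
    for out_pos, src in enumerate(table, start=1):
        inverse[src - 1] = out_pos
    return inverse

IP_TABLE = build_ip_table()
IP_INV_TABLE = invert_table(IP_TABLE)

def permute(block, table):
    """Apply a 64-entry permutation table to a 64-bit integer block."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (64 - src)) & 1)
    return out

def initial_permutation(block):
    """Return (L, R), the two 32-bit halves after IP."""
    permuted = permute(block, IP_TABLE)
    return permuted >> 32, permuted & 0xFFFFFFFF

def final_permutation(left, right):
    """Undo IP: recombine the halves and apply IP^-1."""
    return permute((left << 32) | right, IP_INV_TABLE)

if __name__ == "__main__":
    L, R = initial_permutation(0x675A69675E5A6B5A)  # sample value from the slide
    print(f"L={L:08x} R={R:08x}")
```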

    DES Round Structure

    • uses two halves
    • as for any Feistel cipher can describe as:

        $L_i = R_{i-1}$
        $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$

    • F takes half and 48-bit subkey:
        • expands R to 48-bits using perm E
        • adds to subkey using XOR
        • passes through 8 S-boxes to get

    DES Round Structure

    DES Example

    Avalanche in DES

    Avalanche Effect

    • key desirable property of encryption alg
    • where a change of one input or key bit results in changing approx half output bits
    • making attempts to "home-in" by guessing keys impossible
    • DES exhibits strong avalanche
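The Feistel round equations and the avalanche property from the slides above can be seen together in a toy cipher. This is an added example, not from the slides and not DES: the round function and key schedule are SHA-256-based stand-ins (assumptions), chosen to show that decryption only needs the subkeys reversed even when F is not invertible.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def round_function(right, subkey):
    """Toy F (assumption): not DES's E / S-box / P function, and not invertible."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def subkeys(key):
    """Toy key schedule (assumption): sixteen 48-bit subkeys derived by hashing."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:6], "big")
            for i in range(ROUNDS)]

def feistel(block, keys):
    """Run the Feistel rounds over a 64-bit block with the given subkey order."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so the same routine also decrypts.
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Same structure, subkeys in reverse order; F itself is never inverted.
    return feistel(block, subkeys(key)[::-1])

def avalanche(block, key):
    """Mean number of ciphertext bits changed by flipping one plaintext bit."""
    base = encrypt(block, key)
    changed = [bin(base ^ encrypt(block ^ (1 << i), key)).count("1")
               for i in range(64)]
    return sum(changed) / len(changed)

if __name__ == "__main__":
    key = b"constructed demo key"      # constructed sample key
    pt = 0x0123456789ABCDEF            # constructed sample plaintext
    ct = encrypt(pt, key)
    print(f"ct={ct:016x} round-trip={decrypt(ct, key) == pt}")
    print(f"mean bits changed per 1-bit flip: {avalanche(pt, key):.1f} of 64")
```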

    Strength of DES - Key Size

    • 56-bit keys have 2^56 = 7.2 x 10^16 values
    • brute force search looks hard
    • recent advances have shown is possible
        • in 1997 on Internet in a few months
        • in 1998 on dedicated h/w (EFF) in a few days
        • in 1999 above combined in 22hrs!
    • still must be able to recognize plaintext
    • must now consider alternatives to DES

    Strength of DES - Analytic Attacks

    • now have several analytic attacks on DES
    • these utilise some deep structure of the cipher
        • by gathering information about encryptions
        • can eventually recover some/all of the sub-key bits
        • if necessary then exhaustively search for the rest
    • generally these are statistical attacks
        • differential cryptanalysis
        • linear cryptanalysis
        • related key attacks

    Strength of DES - Timing Attacks

    • attacks actual implementation of cipher
    • use knowledge of consequences of implementation to derive information about some/all subkey bits
    • specifically use fact that calculations can take varying times depending on the value of the inputs to it
    • particularly problematic on smartcards

    Differential Cryptanalysis

    • one of the most significant recent (public) advances in cryptanalysis
    • known by NSA in 70's cf DES design
    • Murphy, Biham & Shamir published in 90's
    • powerful method to analyse block ciphers
    • used to analyse most current block ciphers with varying degrees of success
    • DES reasonably resistant to it, cf Lucifer

    Differential Cryptanalysis

    • a statistical attack against Feistel ciphers
    • uses cipher structure not previously used
    • design of S-P networks has output of function f influenced by both input & key
    • hence cannot trace values back through cipher without knowing value of the key
    • differential cryptanalysis compares two related pairs of encryptions

    Differential Cryptanalysis Compares Pairs of Encryptions

    • with a known difference in the input
    • searching for a known difference in output
    • when same subkeys are used

    Differential Cryptanalysis

    • have some input difference giving some output difference with probability p
    • if find instances of some higher probability input / output difference pairs occurring
    • can infer subkey that was used in round
    • then must iterate process over many rounds (with decreasing probabilities)

    Differential Cryptanalysis

    Differential Cryptanalysis

    • perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
    • when found
        • if intermediate rounds match required XOR have a right pair
        • if not then have a wrong pair, relative ratio is S/N for attack
    • can then deduce keys values for the rounds
        • right pairs suggest same key bits
        • wrong pairs give random values
    • for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
    • Biham and Shamir have shown how a 1

    Linear Cryptanalysis

    • another recent development
    • also a statistical method
    • must be iterated over rounds, with decreasing probabilities
    • developed by Matsui et al in early 90's
    • based on finding linear approximations
    • can attack DES with ''$

    Block Cipher Design

    • basic principles still like Feistel's in 1970's
    • number of rounds
        • more is better, exhaustive search best attack
    • function f:
        • provides "confusion", is nonlinear, avalanche
        • have issues of how S-boxes are selected
    • key schedule
        • complex subkey creation, key avalanche

    Summary

    • have considered:
        • block vs stream ciphers
        • Feistel cipher design & structure
        • DES
            • details
            • strength
        • Differential & Linear Cryptanalysis
        • block cipher design principles