Symmetric Key Cryptography Jooyoung Lee School of Computing (GSIS), KAIST
Outline
1. Introduction to Symmetric Key Crypto
2. Stream Ciphers
3. Block Ciphers
   3.1 DES
   3.2 AES
   3.3 Modes of Operation
   3.4 Key Exhaustive Search and Meet-in-the-Middle Attack
(Symmetric Key) Cryptography
- Message privacy: concealing the content of messages via encryption schemes, modes of operation, etc.
- Message integrity: preventing an adversary from making unnoticed changes to the message via message authentication codes, authenticated modes of operation, etc.
Communication Over an Insecure Channel
[Figure: Alice (good) sends the message x to Bob (good) over an insecure channel; Oscar (bad) can read x from the channel.]
Symmetric Key Cryptography
[Figure: Alice computes y = e_k(x) and sends y over the insecure channel; Bob recovers x = d_k(y); the key k is delivered over a secure channel; Oscar sees only y.]
- x, y, k are called plaintext, ciphertext and key, respectively
- The set of all possible keys is called the key space
- We write y = e_k(x) and x = d_k(y); d_k(e_k(x)) = x for every key k
- The problem of transmitting a message securely is reduced to the problems of transmitting a key secretly and of storing the key in a secure fashion.
A Message is a Binary String: ASCII Code

ASCII Code (row number = low 4 bits, column number = high 3 bits)

Row  | 000  001  010  011  100  101  110  111
-----+---------------------------------------
0000 | NUL  DLE  SP   0    @    P    `    p
0001 | SOH  DC1  !    1    A    Q    a    q
0010 | STX  DC2  "    2    B    R    b    r
0011 | ETX  DC3  #    3    C    S    c    s
0100 | EOT  DC4  $    4    D    T    d    t
0101 | ENQ  NAK  %    5    E    U    e    u
0110 | ACK  SYN  &    6    F    V    f    v
0111 | BELL ETB  '    7    G    W    g    w
1000 | BS   CAN  (    8    H    X    h    x
1001 | HT   EM   )    9    I    Y    i    y
1010 | LF   SUB  *    :    J    Z    j    z
1011 | VT   ESC  +    ;    K    [    k    {
1100 | FF   FS   ,    <    L    \    l    |
1101 | CR   GS   -    =    M    ]    m    }
1110 | SO   RS   .    >    N    ^    n    ~
1111 | SI   US   /    ?    O    _    o    DEL

The ASCII code of a character is found by combining its column number (given in 3-bit binary) with its row number (given in 4-bit binary).
Ex) "A" is in column 100 and row 0001, so it is represented by 1000001.
Key Length Should be Secure against Exhaustive Key Search

Definition (Basic Exhaustive Key Search)
Let (x, y) denote a pair of plaintext and ciphertext, and let K = {k_1, ..., k_N} be the key space of all possible keys k_i. Exhaustive key search checks for every k_i in K whether or not d_{k_i}(y) = x. If the equality holds, a possible correct key is found; if not, proceed with the next key.

- If an encryption algorithm uses n-bit keys, then exhaustive key search requires O(2^n) computational steps
- If there is a smart attack whose complexity is less than O(2^n), then the encryption algorithm is said to be "broken"
Key Length
- How many key bits are enough? Only relevant if exhaustive key search is the best known attack
- The key lengths for symmetric and asymmetric algorithms are dramatically different

Time for exhaustive key search on symmetric algorithms
Key length   | Security estimation
56-64 bits   | short term: a few hours or days
112-128 bits | long term: several decades without quantum computers
256 bits     | long term: several decades even with quantum computing algorithms
Stream Ciphers vs. Block Ciphers
- Stream ciphers encrypt bits individually
- Block ciphers encrypt an entire block of plaintext bits at a time with the same key
  - Each key defines a permutation on {0, 1}^b
  - Most block ciphers have a block length of 128 bits (AES) or 64 bits (DES, 3DES)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
Design Principles for Block Ciphers
- Confusion: the influence of one key bit is spread over many ciphertext bits.
- Diffusion: the influence of one plaintext bit is spread over many ciphertext bits. The goal of diffusion is to hide statistical properties of the plaintext.
- Achieved by substitution boxes (S-boxes) and permutation boxes (P-boxes).
- Iteration: substitution and permutation boxes are iterated, producing a product cipher.
[Figure: Confusion: the same plaintext x encrypted under the keys k1 = 0010 1011 and k2 = 0000 1011 gives y1 = 1011 1001 and y2 = 0110 1100. Diffusion: the plaintexts x1 = 0010 1011 and x2 = 0000 1011 encrypted under the same key k give y1 = 1011 1001 and y2 = 0110 1100.]
SP Network vs. Feistel Network
[Figure: left, a substitution-permutation network with S-box layers S and permutation layers T (http://en.wikipedia.org/wiki/file:substitutionpermutationnetwork2.png); right, a Feistel network with halves L and R and round functions f keyed by K0, K1, K2, K3.]
- The round function f also uses an SPN. It should behave like a random function.
Confusion and Diffusion
- Failure to achieve the confusion property might allow an attack that is faster than exhaustive key search
  - What if an n-bit block cipher with a 2n-bit key is represented by E_{k1 || k2}(x) = F_{k1}(x) ⊕ F_{k2}(x), for some keyed function F?
- Failure to achieve the diffusion property might allow a statistical attack (letter frequency analysis)
A Substitution Cipher Using an Arbitrary Table
Idea: Substitute each letter of the alphabet with another one by an arbitrary table

Example
A B C D E F G H I J K L M
k d w g u z b y s m t f e

N O P Q R S T U V W X Y Z
x v r a i h j c n o l q p

- What is the encryption of "SEVEN YEARS AGO"?
- What is the key of this cipher?
- How many keys can be used?
- How can this cipher be attacked?
Cryptanalysis of a Substitution Cipher
Observation: Each plaintext symbol always maps to the same ciphertext symbol

1. Frequency of letters in English text (%)
E      T      A     O     N     R     I     S     H     D     L     F     C
13.11  10.47  8.15  8.00  7.10  6.83  6.35  6.10  5.26  3.79  3.39  2.92  2.76

M     U     G     Y     P     W     B     V     K     X     J     Q     Z
2.54  2.46  1.99  1.98  1.98  1.54  1.44  0.92  0.42  0.17  0.13  0.12  0.08

2. Most common English bigrams (frequency per 1000 words)
th   he   an  re  er  in  on  at  nd  st  es  en  of  te  ed
168  132  92  91  88  86  71  68  61  53  52  51  49  46  46
Stream Ciphers
1. Synchronous stream ciphers use a key stream that depends only on the key (most stream ciphers)
2. Asynchronous stream ciphers use a key stream that depends on the key and the ciphertext
Remark
1. Block ciphers are used more often than stream ciphers
2. Stream ciphers tend to be more efficient than block ciphers: suitable for highly constrained environments
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
Stream Ciphers
Definition (Stream cipher encryption and decryption)
The plaintext, the ciphertext and the key stream consist of individual bits, i.e., x_i, y_i, s_i ∈ {0, 1}.
- Encryption: y_i = e_{s_i}(x_i) = x_i + s_i mod 2 (= x_i ⊕ s_i)
- Decryption: x_i = d_{s_i}(y_i) = y_i + s_i mod 2 (= y_i ⊕ s_i)
Remark
1. Encryption and decryption are the same function
2. The generation of the key stream is the central issue for the security of stream ciphers (randomness)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
Generating "Random" Key Streams
1. True Random Number Generators (TRNG)
   - Based on physical random processes: coin flipping, semiconductor noise, thermal noise, etc.
   - Generate 0 and 1 with probability 1/2
   - Typically used to generate session keys and nonces
2. Pseudorandom Number Generators (PRNG)
   - Computed from an initial seed value
   - Have good statistical properties
3. Cryptographically Secure PRNG (CSPRNG)
   - PRNG with unpredictability: given N output bits s_i, s_{i+1}, ..., s_{N-1}, it should be hard to predict the next bit s_N
An Unbreakable Stream Cipher
As a stream cipher
- TRNG: a key stream should be shared between Alice and Bob (used in OTP)
- CSPRNG: a key should be shared between Alice and Bob

One-Time Pad (OTP)
A stream cipher for which
1. the key stream s_0, s_1, s_2, ... is generated by a TRNG, and
2. the key stream is only known to the legitimate communicating parties, and
3. every key stream bit s_i is only used once
is called a one-time pad.

- The one-time pad is unconditionally secure (i.e., it cannot be broken even with infinite computational resources).
- Then what is the main drawback of OTP?
PRNG: Linear Feedback Shift Registers (LFSR)
- Feedback coefficients: p_0, ..., p_{m-1} ∈ {0, 1} (degree = m)
- Initial values: s_0, ..., s_{m-1} ∈ {0, 1}
- Recursive relation: s_{i+m} = (Σ_{j=0}^{m-1} p_j s_{i+j}) mod 2, i ≥ 0
- Characteristic polynomial: P(x) = x^m + p_{m-1} x^{m-1} + ... + p_1 x + p_0

Linear Feedback Shift Registers (LFSRs)
- Very efficient, easy to implement!
- Concatenated flip-flops (FF), i.e., a shift register together with a feedback path
- Feedback computes fresh input by XOR of certain state bits
- Degree m given by the number of storage elements
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
PRNG: Linear Feedback Shift Registers (LFSR)
Linear Feedback Shift Registers (LFSRs): Example with m = 3
- LFSR output described by the recursive equation: s_{i+3} = s_{i+1} + s_i mod 2
- Maximum output length (of 2^3 - 1 = 7) achieved only for certain feedback configurations, e.g., the one shown here.

clk | FF2  FF1  FF0 = s_i
----+-------------------
 0  |  1    0    0
 1  |  0    1    0
 2  |  1    0    1
 3  |  1    1    0
 4  |  1    1    1
 5  |  0    1    1
 6  |  0    0    1
 7  |  1    0    0
 8  |  0    1    0

Example
1. With an initial state of (s_2, s_1, s_0) = (1, 0, 0), compute s_i for i = 0, ..., 14.
2. What is the period of this LFSR sequence?
3. Can we construct an LFSR with period > 7?
4. As a stream cipher, what is the weakness of this LFSR?
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
PRNG: Linear Feedback Shift Registers (LFSR)
Theorem
The maximum sequence length generated by an LFSR of degree m is 2^m - 1.
Proof.
The m internal register bits of an LFSR determine the next bit. Therefore, as soon as an LFSR returns to a previous state, it starts to repeat. Since the m internal register bits can only take 2^m - 1 non-zero states (the all-zero state reproduces itself forever), the maximum sequence length before repetition is 2^m - 1.
Remark
For any m > 0, there is a polynomial of degree m over GF(2) called "primitive". Each primitive polynomial generates a sequence of the maximum length 2^m - 1.
Security of LFSR as CSPRNG
- In a known-plaintext attack, an attacker is assumed to know some plaintext and the corresponding ciphertext. This means the attacker knows a certain number of key stream bits.
- When the initial values are used as the key: vulnerable to a known-plaintext attack (with m key stream bits).
- When the feedback coefficients are used as the key: vulnerable to a known-plaintext attack (solving a system of linear equations defined by 2m key stream bits).
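The LFSR recurrence from the preceding slides, its period, and the known-plaintext recovery of the feedback coefficients, as an added worked example (this is not code from the lecture or from Paar and Pelzl). The degree-3 register s_{i+3} = s_{i+1} + s_i with initial state (s_2, s_1, s_0) = (1, 0, 0) is the m = 3 example above; the function names and the GF(2) elimination routine are this example's own, and the keystream bits are constructed by running the register rather than taken from any real cipher.

```python
# Added example (not from the slides): LFSR keystream generation, the period of the
# register, and the known-plaintext recovery of the feedback coefficients.
# Notation follows the slides: s_{i+m} = sum_{j=0}^{m-1} p_j * s_{i+j} mod 2.

def lfsr_sequence(p, init, n):
    """First n output bits s_0, s_1, ... of the LFSR with feedback coefficients
    p = (p_0, ..., p_{m-1}) and initial values init = (s_0, ..., s_{m-1})."""
    m = len(p)
    s = list(init)
    while len(s) < n:
        i = len(s) - m                     # the next bit is s_{i+m}
        s.append(sum(p[j] & s[i + j] for j in range(m)) & 1)
    return s[:n]

def lfsr_period(p, init):
    """Length of the cycle the register falls into from the given initial state
    (the all-zero state has period 1; a primitive polynomial gives 2^m - 1)."""
    m = len(p)
    state = tuple(init)
    seen = {state: 0}
    step = 0
    while True:
        state = tuple(lfsr_sequence(p, state, m + 1)[1:])   # shift in one new bit
        step += 1
        if state in seen:
            return step - seen[state]
        seen[state] = step

def solve_gf2(rows):
    """Gauss-Jordan elimination over GF(2). Each row is [a_0, ..., a_{m-1}, b],
    meaning a_0 p_0 + ... + a_{m-1} p_{m-1} = b. Returns p, or None if singular."""
    rows = [r[:] for r in rows]
    m = len(rows[0]) - 1
    for col in range(m):
        pivot = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]

def recover_feedback(keystream, m):
    """Known-plaintext attack from the slides: 2m consecutive keystream bits give the
    m linear equations s_{i+m} = sum_j p_j s_{i+j}, i = 0..m-1, in the m unknown p_j."""
    if len(keystream) < 2 * m:
        raise ValueError("need at least 2m keystream bits")
    rows = [[keystream[i + j] for j in range(m)] + [keystream[i + m]] for i in range(m)]
    return solve_gf2(rows)

if __name__ == "__main__":
    p = (1, 1, 0)         # s_{i+3} = s_{i+1} + s_i (the m = 3 example from the slides)
    init = (0, 0, 1)      # (s_2, s_1, s_0) = (1, 0, 0) written as (s_0, s_1, s_2)
    print("s_0..s_14:", lfsr_sequence(p, init, 15))
    print("period:", lfsr_period(p, init))
    print("taps recovered from 6 keystream bits:", recover_feedback(lfsr_sequence(p, init, 6), 3))
```

Because the recurrence is linear, 2m known keystream bits determine the m coefficients exactly, which is the reason an LFSR on its own cannot serve as a CSPRNG; the initial state is recovered even more cheaply, since the first m output bits are the state itself.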
Problems
1. (a) Find every irreducible polynomial of degree 3 over GF(2).
   (b) Describe the LFSR defined by each irreducible polynomial.
   (c) With IV = (1, 1, 1), compute the first 10 output bits.
2. With the recurrence s_{i+3} = s_{i+1} + s_i and a secret IV, an LFSR produces 110... (the first bit is the last produced one). What are the next three output bits?
3. An LFSR of degree 4 with the maximum sequence length produces 01101011... What are the next four output bits?
An Example of CSPRNG: Trivium
- Trivium uses LFSRs as its building blocks
A Modern Stream Cipher - Trivium
- Three nonlinear LFSRs (NLFSR) of length 93, 84, 111
- The XOR-sum of all three NLFSR outputs generates the key stream s_i
- Initialization:
  1. Load the 80-bit IV into A
  2. Load the 80-bit key into B
  3. c_109 = c_110 = c_111 = 1, and all other bits are set to 0
  4. Clock the cipher 4 x 288 = 1152 times
- Small in hardware:
  - Total register count: 288
  - Non-linearity: 3 AND gates
  - 7 XOR gates (4 with three inputs)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
History of DES
- The National Bureau of Standards (NBS) initiates a request for proposals for a standardized cipher in the US (1972)
- IBM submits a block cipher based on Lucifer that encrypts 64-bit blocks using 128-bit keys (1974)
  - Lucifer is a family of ciphers developed by Horst Feistel in the late 1960s
- The NBS requests the help of the National Security Agency (NSA)
  - Key length reduced from 128 bits to 56 bits
- The NBS releases all specs of the modified IBM cipher as the Data Encryption Standard (DES) (1977)
- Due to its short key length, it is used until 1999 and then replaced by the Advanced Encryption Standard (AES)
Security of DES
Exhaustive Key Search
- Feasible due to the short key length (56-bit keys)
- Can break DES in 6.4 days at a cost of $10,000 (2008)
Analytical Attacks
- Differential cryptanalysis (DC) and linear cryptanalysis (LC)
- We say a block cipher is "broken" when an analytical attack is faster than exhaustive key search
- DES is secure against DC, but if the number of rounds is small...
- DES is broken by LC, but the attack is not practical: 2^43 plaintext-ciphertext pairs are needed
Overview of the DES Algorithm
[Figure: the DES block diagram; a single bit flip in the input results in many bit flips in the output.]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Encryption
[Figure: the DES encryption structure.]
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Encryption
16-round Feistel structure
1. Input: (L_0, R_0)
2. (L_i, R_i) = (R_{i-1}, L_{i-1} ⊕ f(R_{i-1}, k_i)) for i = 1, ..., 16
3. Output: (L_16, R_16)
Property: The Feistel structure is a permutation for any keys k_i.
Property: Encryption and decryption of the Feistel structure (with no swap in the last round) differ only in the key schedule.
DES Encryption
Initial Permutation and Final Permutation
- Bitwise permutations, inverse operations of each other
- Described by the tables IP and IP^-1
- Does not increase the security of DES
- Probably for efficient hardware implementation
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Encryption
The f-function: Expansion E
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Encryption
S-box substitution and Permutation P
Example: What is S_1(100101)?
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Key Schedule Algorithm
Permuted Choice PC-1
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Key Schedule Algorithm
Permuted Choice PC-2
- In rounds i = 1, 2, 9, 16: the two halves are rotated left by one bit
- In the other rounds: the two halves are rotated left by two bits
- Note that (C_0, D_0) = (C_16, D_16)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Decryption
Reversed key schedule
- In rounds i = 2, 9, 16: the two halves are rotated right by one bit
- In the other rounds: the two halves are rotated right by two bits
- With the same round keys in reverse order, the encryption and decryption functions are the same!
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
DES Decryption
[Figure: encryption key schedule (left) next to decryption key schedule (right).]
- Encryption: in rounds i = 1, 2, 9, 16, 1-bit left rotation; in the other rounds, 2-bit left rotation
- Decryption: no rotation in round 1; in rounds i = 2, 9, 16, 1-bit right rotation; in the other rounds, 2-bit right rotation
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
History of AES
- US NIST (National Institute of Standards and Technology) announced that 3DES should be used instead of DES (1996)
- However, 3DES is slow and its block size is too small for certain applications (hash functions etc.)
- NIST called for proposals for a new Advanced Encryption Standard (AES) as an open process (1997)
  - Requirements: 128-bit block size; 128-, 192- and 256-bit keys supported; security relative to other submissions; efficiency in software and hardware
- 15 algorithms collected (1998)
- 5 finalists announced (1999): Mars (IBM), RC6 (RSA), Rijndael (J. Daemen, V. Rijmen), Serpent (R. Anderson et al.), Twofish (B. Schneier et al.)
- Rijndael was chosen as the AES (2000)
Overview of the AES Algorithm
[Figure: a 128-bit plaintext x and a 128/192/256-bit key k enter AES, producing a 128-bit ciphertext y.]
Key length | # rounds
128        | 10
192        | 12
256        | 14
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Round Function Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Round Function: Byte Substitution Layer
S-box: B_i = S(A_i), realized as a GF(2^8) inverse followed by an affine mapping: A_i -> B'_i -> B_i
1. In GF(2^8) (the finite field of 2^8 elements), B'_i = (A_i)^{-1}, where GF(2^8) = GF(2)[x] / <x^8 + x^4 + x^3 + x + 1>
2. In GF(2)^8 (the vector space over GF(2)), writing the bits of B'_i as (b_0, ..., b_7) on the right and the bits of B_i as (b_0, ..., b_7) on the left:

  [b_0]   [1 0 0 0 1 1 1 1] [b_0]   [1]
  [b_1]   [1 1 0 0 0 1 1 1] [b_1]   [1]
  [b_2]   [1 1 1 0 0 0 1 1] [b_2]   [0]
  [b_3] = [1 1 1 1 0 0 0 1] [b_3] + [0]
  [b_4]   [1 1 1 1 1 0 0 0] [b_4]   [0]
  [b_5]   [0 1 1 1 1 1 0 0] [b_5]   [1]
  [b_6]   [0 0 1 1 1 1 1 0] [b_6]   [1]
  [b_7]   [0 0 0 1 1 1 1 1] [b_7]   [0]
AES Round Function: Byte Substitution Layer
[S-box lookup table: S(xy) in hexadecimal notation, indexed by the two hex digits x and y of the input byte.]
AES Round Function: Diffusion Layer
ShiftRows Sublayer (the state is written column by column)
  B0  B4  B8   B12        B0   B4   B8   B12   no shift
  B1  B5  B9   B13   ->   B5   B9   B13  B1    1 pos.
  B2  B6  B10  B14        B10  B14  B2   B6    2 pos.
  B3  B7  B11  B15        B15  B3   B7   B11   3 pos.
MixColumn Sublayer: in GF(2^8),
  [C0  C4  C8   C12]   [02 03 01 01] [B0   B4   B8   B12]
  [C1  C5  C9   C13] = [01 02 03 01] [B5   B9   B13  B1 ]
  [C2  C6  C10  C14]   [01 01 02 03] [B10  B14  B2   B6 ]
  [C3  C7  C11  C15]   [03 01 01 02] [B15  B3   B7   B11]
AES Key Schedule Algorithm
- Round constants: RC[i] = x^{i-1} in GF(2^8)
Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Decryption Source: C. Paar and J. Pelzl, Understanding Cryptography, Springer, 2010
AES Decryption
Inv MixColumn Sublayer: in GF(2^8),
  [B0   B4   B8   B12]   [0E 0B 0D 09] [C0  C4  C8   C12]
  [B5   B9   B13  B1 ] = [09 0E 0B 0D] [C1  C5  C9   C13]
  [B10  B14  B2   B6 ]   [0D 09 0E 0B] [C2  C6  C10  C14]
  [B15  B3   B7   B11]   [0B 0D 09 0E] [C3  C7  C11  C15]
Inv ShiftRows Sublayer
  B0   B4   B8   B12        B0  B4  B8   B12   no shift
  B5   B9   B13  B1    ->   B1  B5  B9   B13   1 pos.
  B10  B14  B2   B6         B2  B6  B10  B14   2 pos.
  B15  B3   B7   B11        B3  B7  B11  B15   3 pos.
Inv Byte Substitution Layer
- It is possible to construct an inverse such that A_i = S^{-1}(B_i)
- It is usually realized as a lookup table
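The byte-substitution, key-schedule and diffusion slides above define everything needed to compute the S-box, the round constants and the MixColumn matrices from scratch. The following is an added worked example (not code from the lecture, from Paar and Pelzl, or from any AES library): the GF(2^8) arithmetic with the reduction polynomial x^8 + x^4 + x^3 + x + 1, the inverse-then-affine construction of S, RC[i] = x^{i-1}, and the MixColumn and Inv MixColumn products. Function names are this example's own; the column values used for checking are the well-known FIPS-197 / Wikipedia test vectors.

```python
# Added example (not from the slides): the AES S-box computed from its definition
# (GF(2^8) inverse, then the affine mapping), the round constants RC[i] = x^(i-1),
# and the MixColumn / Inv MixColumn matrix products over GF(2^8).

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of GF(2^8)
SBOX_CONST = 0x63  # constant vector (1,1,0,0,0,1,1,0) of the affine mapping, as bits b_0..b_7

def gf_mul(a, b):
    """Multiplication in GF(2^8) = GF(2)[x] / <x^8 + x^4 + x^3 + x + 1> (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r & 0xFF

def gf_inv(a):
    """Multiplicative inverse a^(-1) = a^254 (the multiplicative group has order 255);
    AES defines the inverse of 0 as 0."""
    r, p, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p = gf_mul(p, p)
        e >>= 1
    return r if a else 0

def affine(b):
    """Bitwise form of the 8x8 matrix on the slide: output bit i is
    b_i + b_{i+4} + b_{i+5} + b_{i+6} + b_{i+7} + c_i (indices mod 8, sum mod 2)."""
    out = 0
    for i in range(8):
        bit = (SBOX_CONST >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out

def sbox(a):
    """B_i = S(A_i): inverse in GF(2^8) followed by the affine mapping."""
    return affine(gf_inv(a))

SBOX = [sbox(a) for a in range(256)]

def inv_sbox(b):
    """A_i = S^-1(B_i); S is a bijection, so a reverse lookup suffices."""
    return SBOX.index(b)

def round_constants(n=10):
    """RC[i] = x^(i-1) in GF(2^8) for i = 1..n (x is the byte 0x02)."""
    rc, x = [], 1
    for _ in range(n):
        rc.append(x)
        x = gf_mul(x, 0x02)
    return rc

MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]

def mix_column(col, matrix=MIX):
    """One 4-byte column times the MixColumn matrix, all arithmetic in GF(2^8)."""
    out = []
    for row in matrix:
        v = 0
        for coeff, byte in zip(row, col):
            v ^= gf_mul(coeff, byte)
        out.append(v)
    return out

def inv_mix_column(col):
    return mix_column(col, INV_MIX)

def mix_columns(state):
    """MixColumn on a 16-byte state stored column by column (B_0..B_3 is column 0)."""
    return [v for c in range(4) for v in mix_column(state[4 * c:4 * c + 4])]

if __name__ == "__main__":
    print("S(0x53) =", hex(SBOX[0x53]), " S^-1(0xED) =", hex(inv_sbox(0xED)))
    print("round constants:", [hex(c) for c in round_constants()])
    print("MixColumn [db 13 53 45] ->", [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

Generating the table this way also demonstrates the design remark on the later slide that the S-box is given by an explicit algebraic rule rather than an arbitrary table; the 256 outputs are a permutation of the byte values, which is what makes the inverse layer a simple reverse lookup.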
AES Design Considerations
- In a Feistel cipher, half the bits are moved but not changed during each round. AES treats all bits uniformly, which makes the diffusion of the input bits faster.
- The S-box was constructed in an explicit and simple algebraic way.
- The ShiftRows step resists truncated differential analysis and the Square attack.
- The MixColumn step causes diffusion among the bytes: a change in one input byte results in all four output bytes changing, and changes in two input bytes result in at least three output bytes changing.
AES Design Considerations
- The key schedule involves nonlinear mixing of the key bits using the S-box. Even if an attacker knows part of the key, the remaining bits cannot be deduced from it.
- It ensures that two distinct keys do not have a large number of round keys in common.
- The round constants eliminate symmetries in the encryption process by making each round different.
- Until recently, there were no known attacks better than exhaustive key search for up to six rounds. It was felt that four extra rounds provide a large enough margin of safety.
DES vs. AES
DES                                                      | AES
Feistel network                                          | SP network
8 different S-boxes, not 1-1 (6-bit to 4-bit)            | A single S-box, 1-1 (8-bit to 8-bit)
Design principle unclear                                 | Algebraic structure
Encryption = Decryption using round keys in reverse order | Encryption ≠ Decryption
Modes of Operation
A block cipher by itself allows encryption only of a single data block of the cipher's block length. In order to encrypt a variable-length message, the data must first be partitioned into separate cipher blocks. Typically, the last block must also be extended to match the cipher's block length using a suitable padding scheme. The method of encrypting each of these blocks is called a mode of operation. A mode of operation generally uses randomization based on an additional input value, often called an initialization vector.
Modes of Operation
- ECB, CBC, OFB, and CFB were specified in FIPS 81, "DES Modes of Operation" (1981).
- NIST added CTR mode in SP800-38A, "Recommendation for Block Cipher Modes of Operation" (2001).
- NIST added XTS-AES in SP800-38E, "Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices" (2010).
- ECB, CBC, OFB, CFB, CTR, and XTS modes only provide confidentiality.
- Some modern modes of operation combine encryption and authentication in an efficient way, and are known as authenticated modes of operation.
Electronic Codebook Mode (ECB)
[Figure: ECB encryption and decryption, http://en.wikipedia.org/wiki/file:ecb_encryption.png and http://en.wikipedia.org/wiki/file:ecb_decryption.png]
Electronic Codebook Mode (ECB)
- Both the encryption and decryption algorithms are used
- Identical plaintext blocks map to identical ciphertext blocks: encrypted images remain distinguishable (http://en.wikipedia.org/wiki/file:tux_ecb.jpg)
- Susceptible to codebook attacks and replay attacks
- Not recommended
Cipher Block Chaining Mode (CBC)
[Figure: CBC encryption and decryption, http://en.wikipedia.org/wiki/file:cbc_encryption.png and http://en.wikipedia.org/wiki/file:cbc_decryption.png]
Cipher Block Chaining Mode (CBC)
- Invented by IBM in 1976
- Both the encryption and decryption algorithms are used
- An initialization vector is used: the IV does not need to be secret. However, in most cases an initialization vector should not be reused under the same key
- Encryption cannot be parallelized / Decryption can be parallelized
- A one-bit change to the ciphertext causes
  - complete corruption of the corresponding block of plaintext
  - a one-bit change in the corresponding bit in the following block of plaintext
Cipher Feedback Mode (CFB)
[Figure: CFB encryption and decryption, http://en.wikipedia.org/wiki/file:cfb_encryption.png and http://en.wikipedia.org/wiki/file:cfb_decryption.png]
Cipher Feedback Mode (CFB)
- Makes a block cipher into an asynchronous stream cipher
- Only the encryption algorithm is used: suitable for a block cipher for which decryption is slower than encryption
- An initialization vector is used
- Encryption cannot be parallelized / Decryption can be parallelized
- A one-bit change in the ciphertext causes
  - a one-bit change in the corresponding plaintext block
  - complete corruption of the following plaintext block
Output Feedback Mode (OFB)
[Figure: OFB encryption and decryption, http://en.wikipedia.org/wiki/file:ofb_encryption.png and http://en.wikipedia.org/wiki/file:ofb_decryption.png]
Output Feedback Mode (OFB)
- Makes a block cipher into a synchronous stream cipher
- Only the encryption algorithm is used
- An initialization vector is used
- Encryption and decryption cannot be parallelized; however, the key stream can be computed in advance
- A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
Counter Mode (CTR)
[Figure: CTR encryption and decryption, http://en.wikipedia.org/wiki/file:ctr_encryption.png and http://en.wikipedia.org/wiki/file:ctr_decryption.png]
Counter Mode (CTR)
- Makes a block cipher into a synchronous stream cipher
- Only the encryption algorithm is used
- A nonce and a counter are used: the counter produces a sequence which is guaranteed not to repeat for a long time
- Encryption and decryption can be parallelized
- A one-bit change in the ciphertext causes only a one-bit change in the corresponding plaintext block
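The mode-of-operation slides above (ECB, CBC, CTR) and the earlier DES Encryption slide on the Feistel structure are brought together in the following added worked example, which is not code from the lecture, from Paar and Pelzl, or from any cipher library. The 64-bit block cipher is a constructed toy Feistel network whose round function and key schedule are derived from SHA-256 purely for illustration (DES uses E, the S-boxes and P); the PKCS#7-style padding, the 4-byte nonce plus 4-byte counter layout in CTR, and all keys, IVs and messages are this example's own constructed values. The code shows that Feistel decryption is the same routine with the round keys reversed, that ECB exposes repeated plaintext blocks, and how a single flipped ciphertext bit propagates differently in CBC and CTR.

```python
# Added example (not from the slides): a toy 64-bit Feistel cipher (to show that
# decryption is encryption with the round keys reversed) and the ECB, CBC and CTR
# modes built on it, with checks for ECB block repetition and for how a flipped
# ciphertext bit propagates. The SHA-256-based round function and key schedule are
# stand-ins chosen for this example; DES uses E, the S-boxes and P instead.
import hashlib

BLOCK = 8          # 64-bit block, like DES
HALF = BLOCK // 2

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_f(half, round_key):
    """Round function f(R, k): a keyed pseudo-random function of the right half."""
    return hashlib.sha256(round_key + half).digest()[:HALF]

def feistel(block, round_keys):
    """(L_i, R_i) = (R_{i-1}, L_{i-1} XOR f(R_{i-1}, k_i)); no swap after the last round,
    so the same function with the round keys reversed is the inverse."""
    L, R = block[:HALF], block[HALF:]
    for k in round_keys:
        L, R = R, xor(L, feistel_f(R, k))
    return R + L

def round_keys(key, rounds=8):
    """Toy key schedule: one derived 8-byte key per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]

def E(key, block):
    return feistel(block, round_keys(key))

def D(key, block):
    return feistel(block, round_keys(key)[::-1])

def pad(msg):
    """PKCS#7-style padding to a multiple of the block length."""
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(msg):
    return msg[:-msg[-1]]

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    return b"".join(E(key, b) for b in blocks(pad(msg)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(D(key, b) for b in blocks(ct)))

def cbc_encrypt(key, iv, msg):
    out, prev = [], iv
    for b in blocks(pad(msg)):
        prev = E(key, xor(b, prev))       # each block depends on the previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_blocks(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))  # needs only c_{i-1} and c_i: parallelizable
        prev = c
    return out

def cbc_decrypt(key, iv, ct):
    return unpad(b"".join(cbc_decrypt_blocks(key, iv, ct)))

def ctr_crypt(key, nonce, data):
    """CTR: key stream = E_k(nonce || counter); only E is used and no padding is needed."""
    stream = b"".join(E(key, nonce + i.to_bytes(4, "big"))
                      for i in range(-(-len(data) // BLOCK)))
    return xor(data, stream)

def ecb_leaks_repeats(key, msg):
    """True if two equal plaintext blocks produced equal ciphertext blocks."""
    ct = blocks(ecb_encrypt(key, msg))
    return len(set(ct)) < len(ct)

def flip_bit(data, bit_index):
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)

def damage_report(expected, actual):
    """Number of differing bits per block between two byte strings."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(blocks(expected), blocks(actual))]

if __name__ == "__main__":
    key, iv, nonce = b"\x01" * 8, b"\x02" * 8, b"nonc"     # constructed test values
    msg = b"ABCDEFGHABCDEFGH12345678"                       # blocks 0 and 1 are identical
    print("ECB repeats visible:", ecb_leaks_repeats(key, msg))
    ct = cbc_encrypt(key, iv, msg)
    garbled = b"".join(cbc_decrypt_blocks(key, iv, flip_bit(ct, 3)))
    print("CBC damage per block after flipping bit 3:", damage_report(pad(msg), garbled))
    ct = ctr_crypt(key, nonce, msg)
    print("CTR damage per block after flipping bit 3:",
          damage_report(msg, ctr_crypt(key, nonce, flip_bit(ct, 3))))
```

The damage reports reproduce the two bullet points on the slides: flipping one bit of CBC ciphertext block 0 garbles all of plaintext block 0 and flips exactly one bit of block 1, while in CTR only the single corresponding plaintext bit changes. That predictable, localized malleability is also why none of these confidentiality-only modes gives integrity, the motivation for the authenticated modes mentioned earlier.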
Cryptanalysis
[Figure: taxonomy of cryptanalysis: Classical Cryptanalysis (Mathematical Analysis, Brute-Force Attacks), Implementation Attacks, Social Engineering.]
- Classical analysis: tries to recover the plaintext x (or the key k) from the ciphertext y
  - Mathematical analysis: exploits the internal structure of the encryption method
  - Exhaustive key search: treats the encryption algorithm as a black box and tests all possible keys
- Implementation attacks: use power consumption, electromagnetic radiation, runtime behavior, etc.
- Social engineering attacks: include bribing, blackmailing, tricking, espionage, etc.
Cryptanalysis
- An attacker looks for the weakest link in your cryptosystem. That means we have to choose strong algorithms and we have to make sure that social engineering and implementation attacks are not practical.
Kerckhoffs' Principle
A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms.
Question: Doesn't it improve the security to keep the details of an algorithm hidden? (This is called security by obscurity.)
Exhaustive Key Search Revisited
Exhaustive Key Search
Let K = {k_1, ..., k_N} be the key space. Given t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), check for every k_i ∈ K whether or not DES_{k_i}(x_j) = y_j for all j = 1, ..., t. If the equality holds, a possible correct key is found; if not, proceed with the next key.
- What if a wrong key k satisfies DES_k(x_j) = y_j for j = 1, ..., t?
Theorem
Given a block cipher with a key length of κ bits and a block size of n bits, as well as t plaintext-ciphertext pairs (x_1, y_1), ..., (x_t, y_t), the expected number of false keys which encrypt all plaintexts to the corresponding ciphertex
ts is 2^{κ - tn}.
- Choose t such that 2^{κ - tn} ≪ 1.
Increasing the Security of DES: Double Encryption
2DES: y = DES_{k2}(DES_{k1}(x))
[Figure: x -> DES (k1) -> DES (k2) -> y]
Example: What is the size of the key space of 2DES?
Meet-in-the-middle Attack on 2DES
1. Table computation: Given a plaintext-ciphertext pair (x_1, y_1), compute z = DES_k(x_1) for every k ∈ {0, 1}^56. Arrange these values and store them in a list L.
2. Key matching: Compute w = DES^{-1}_{k'}(y_1) for every k' ∈ {0, 1}^56. If for some k' the value w is in the list L, then we have w = DES^{-1}_{k'}(y_1) = DES_k(x_1), i.e., DES_{k'}(DES_k(x_1)) = y_1.
Problems
1. What is the expected number of false keys when we use three plaintext-ciphertext pairs (x_1, y_1), (x_2, y_2), (x_3, y_3)?
2. What is the number of encryptions, decryptions, and memory locations (of κ + n bits) with t = 3?
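The false-key theorem from the Exhaustive Key Search Revisited slide and the two-step meet-in-the-middle procedure above, as an added worked example that is not code from the lecture or from Paar and Pelzl. Enumerating 2^56 DES keys is not something a demonstration can do, so the example runs against a constructed toy cipher with 16-bit blocks and 16-bit keys (named toy_enc/toy_dec here; it is not DES and has no security value) so that the whole key space, and therefore the candidate count after one pair and the survivors after three, can be observed directly.

```python
# Added example (not from the slides): exhaustive key search with the false-key count
# 2^(kappa - t*n), and the meet-in-the-middle attack on double encryption, run against
# a constructed toy cipher with 16-bit blocks and 16-bit keys (NOT DES and not secure)
# so that the whole key space can be enumerated in a few seconds.

MASK = 0xFFFF
MUL = 0x9E37                       # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)
ROUNDS = 4

def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def toy_enc(k, x):
    """Toy block cipher E_k: per round, XOR a round-tweaked key, multiply, rotate."""
    for r in range(ROUNDS):
        x = ((x ^ k ^ r) * MUL) & MASK
        x = rotl(x, 5)
    return x

def toy_dec(k, y):
    """E_k^{-1}: undo the rounds in reverse order."""
    for r in reversed(range(ROUNDS)):
        y = rotr(y, 5)
        y = ((y * MUL_INV) & MASK) ^ k ^ r
    return y

def double_enc(k1, k2, x):
    """Double encryption as on the slide: y = E_{k2}(E_{k1}(x))."""
    return toy_enc(k2, toy_enc(k1, x))

def expected_false_keys(kappa, n, t):
    """The theorem on the slide: expected number of false keys is 2^(kappa - t*n)."""
    return 2.0 ** (kappa - t * n)

def exhaustive_search(pairs, key_bits=16):
    """All keys consistent with the given plaintext-ciphertext pairs
    (the true key plus any false keys)."""
    return [k for k in range(1 << key_bits)
            if all(toy_enc(k, x) == y for x, y in pairs)]

def meet_in_the_middle(pairs):
    """1. Table: z = E_k(x_1) for every k.  2. Matching: w = E_{k'}^{-1}(y_1) for every k',
    collect every (k, k') with w == z.  The remaining pairs weed out false candidates."""
    x1, y1 = pairs[0]
    table = {}
    for k in range(1 << 16):
        table.setdefault(toy_enc(k, x1), []).append(k)
    candidates = [(k1, k2) for k2 in range(1 << 16)
                  for k1 in table.get(toy_dec(k2, y1), [])]
    survivors = [(k1, k2) for k1, k2 in candidates
                 if all(double_enc(k1, k2, x) == y for x, y in pairs[1:])]
    return candidates, survivors

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                            # constructed secret keys
    pairs = [(x, double_enc(k1, k2, x)) for x in (0x0001, 0x0F0F, 0xABCD)]
    cands, surv = meet_in_the_middle(pairs)
    print("candidates after 1 pair:", len(cands), "(theory: about 2^(32-16) =", 2 ** 16, ")")
    print("survivors after 3 pairs:", surv)
    print("expected false DES keys with t = 1:", expected_false_keys(56, 64, 1))
```

With κ = 32 and n = 16 the single-pair candidate list is about 2^{32-16} = 2^16 entries, exactly the 2^{κ - tn} of the theorem, and two more pairs reduce it to the true key pair. The cost is 2·2^16 cipher calls plus a 2^16-entry table instead of the 2^32 calls of a naive search over both keys, which is the reason double encryption adds far less security than its key length suggests.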
Increasing the Security of DES: Triple Encryption
3DES: y = DES_{k3}(DES_{k2}(DES_{k1}(x)))
[Figure: x -> DES (k1) -> DES (k2) -> DES (k3) -> y]
Problem: Apply the meet-in-the-middle attack to 3DES. What is the number of encryptions, decryptions, and memory locations (of n bits)?