ECE 646 Lecture 6 Data Encryption Standard Required Reading: I. W. Stallings, "Cryptography and Network-Security," 5th Edition, Chapter 3: Block Ciphers and the Data Encryption Standard Chapter 6.1: Multiple Encryption and Triple DES II. A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, Chapter 7.4: DES
NBS public request for a standard cryptographic algorithm May 15, 1973, August 27, 1974 The algorithm must be: secure public - completely specified - easy to understand - available to all users economic and efficient in hardware able to be validated exportable IBM s early work, 1971-1974 Selected members of the team: Horst Feistel, Karl Meyer, Don Coppersmith - cryptographers Alan Konheim head of the Information Theory group at Watson Research Labs in Yorktown Heights, NY Walter Tuchman head of the product group at IBM Kingston, NY Developed algorithms: subsequent versions of the algorithm known initially as Demon, then Lucifer, and finally given an official name DSD-1 most of the versions used a 128-bit key
DES - chronicle of events 1973 - NBS issues a public request for proposals for a standard cryptographic algorithm 1975 - first publication of the IBM s algorithm and request for comments 1976 - NBS organizes two workshops to evaluate the algorithm 1977 - official publication as FIPS PUB 46: Data Encryption Standard 1983, 1987, 1993 - recertification of the algorithm for another five years 1993 - software implementations allowed to be validated Controversies surrounding DES Unknown design criteria Most criteria reconstructed from cipher analysis 1990 Reinvention of differential cryptanalysis Slow in software Only hardware implementations certified 1993 Software, firmware and hardware treated equally Too short key Theoretical designs of DES breaking machines 1998 Practical DES cracker built
Secret agreement between IBM & NSA, 1974 Obligations of IBM: Algorithm developed in secret by IBM NSA reserved a right to monitor the development and propose changes No software implementations, just hardware chips IBM not allowed to ship implementations to certain countries License required to ship to carefully selected customers in approved countries Obligations of NSA: seal of approval Life of DES 1970 1980 1990 2000 Time DES developed by IBM and NSA In common use for over 20 years transision to a new standard Federal and banking standard Over 300 validated implementations Former de facto world-wide standard
Most popular secret-key ciphers American standards 1980 1990 2000 2010 2020 2030 1977 1999 DES 56 bit key AES 2002 contest Triple DES 112, 168 bit 168 bit only AES - Rijndael 128, 192, and 256 bit keys Other popular algorithms IDEA RC5 Blowfish CAST Serpent Twofish RC6 Mars DES - external look plaintext block 64 bits DES ciphertext block key 56 bits 64 bits
DES high-level internal structure L 0 R 0 f IP K 1 DES Main Loop Feistel Structure L 1 R 1 f L 2 R 2...... L 15 R 15 f K 2 K 16 L n+1 =R n R n+1 =L n f(r n, K n+1 ) R 16 L 16 IP -1
Feistel Structure Encryption Decryption L n R n L n R n f K n+1 f K n+1 L n+1 R n+1 L n+1 R n+1 L n+1, R n+1?? f K n+1 L n, R n?? IP -1 Decryption IP L 0 R 0 R 16 L 16 f K 1 f K 16 L 1 R 1 R 15 L 15 f K 2 f K 15 L 2 R 2...... R 14 L 14...... L 15 R 15 R 1 L 1 f K 16 f K 1 R 16 L 16 L 0 R 0 IP IP -1
Classical Feistel Network plaintext = L 0 R 0 for i=1 to n { L i =R i-1 R i =L i-1 f(r i-1, K i ) } L n+1 = R n R n+1 = L n ciphertext = L n+1 R n+1 Mangler Function of DES, F
Notation for Permutations Input i 1 i 2 i 3 i 4 i 5 i 6 i 7 i 8 i 9 i 10 i 56 i 57 i 58 i 59 i 60 i 61 i 62 i 63 i 64 58 50 42 34 26 18 10 2 5 63 55 47 39 31 23 15 7 i 58 i 50 i 42 i 34 i 26 i 18 i 10 i 2 i 5 i 63 i 55 i 47 i 39 i 31 i 23 i 15 i 7 Output
Notation for S-boxes Input i 1 i 2 i 3 i 4 i 5 i 6 i 1 i 6 determines a row number in the S-box table, 0..3 i 2 i 3 i 4 i 5 determine a column in the S-box table, 0..15 o 1 o 2 o 3 o 4 is a binary representation of a number from 0..15 in the given row and the given column o 1 o 2 o 3 o 4 Output
1. Randomness General design criteria of DES 2. Avalanche property changing a single bit at the input changes on average half of the bits at the output 3. Completeness property every output bit is a complex function of all input bits (and not just a subset of input bits) 4. Nonlinearity encryption function is non-affine for any value of the key 5. Correlation immunity output bits are statistically independent of any subset of input bits Completeness property Every output bit is a complex function of all input bits (and not just a subset of input bits) Formal requirement: For all values of i and j, i=1..64, j=1..64 there exist inputs X 1 and X 2, such that X 1 x 1 x 2 x 3... x i-1 0 x i+1... x 63 x 64 X 2 x 1 x 2 x 3... x i-1 1 x i+1... x 63 x 64 Y 1 = DES(X 1 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64 Y 2 = DES(X 2 ) y 1 y 2 y 3... y j-1 y j y j+1... y 63 y 64
Linear Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] or T(X 1 X 2 ) = T(X 1 ) T(X 2 ) Affine Transformations Transformations that fulfill the condition: T(X [m x 1] ) = Y [n x 1] = A [n x m] X [m x 1] B [n x 1] Linear Transformations of DES IP, IP -1, E, PC1, PC2, SHIFT e.g., IP(X 1 X 2 ) = IP(X 1 ) IP( X 2 ) Non-Linear and non-affine transformations of DES There are no such matrices A [4x6] and B [4x1] that S S(X [6x1] ) = A [4x6] X [6x1] B [4x1]
Design of S-boxes S[0..15] S in out = S[in] 16! 2 10 13 possibilities precisely defined initially unpublished criteria resistant against differential cryptanalysis (attack known to the designers and rediscovered in the open research in 1990 by E. Biham and A. Shamir) Typical Flow Diagram of a Secret-Key Block Cipher Round Key[0] Initial transformation i:=1 Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final transformation
Implementation of a secret-key cipher in hardware Round keys computed on-the-fly input key encryption/decryption key scheduling round keys output Implementation of a secret-key cipher Round keys precomputed input key key scheduling encryption/decryption memory of round keys output
Basic iterative architecture of secret key ciphers input key Key scheduling round keys multiplexer register combinational logic output one round Theoretical design of the specialized machine to break DES Project: Michael Wiener, Entrust Technologies, 1993, 1997 Method: exhaustive key search attack Basic component: specialized integrated circuit in CMOS technology, 75 MHz Checks: 200 mln keys per second Costs: $10 Total cost $ 1 mln $ 100.000 Estimated time 35 minutes 6 hours
DES breaking machine known ciphertext key counter Round key Encryption Round 1 key 1 Key Scheduling Round 1 Encryption Round 2.... Round key 2 Key Scheduling Round 2.... plaintext Encryption Round 16 comparator Round key 16 known plaintext Key Scheduling Round 16 Deep Crack Electronic Frontier Foundation, 1998 Total cost: $220,000 Average time of search: 4.5 days/key 1800 ASIC chips, 40 MHz clock
Deep Crack Parameters Number of ASIC chips 1800 Clock frequency 40 MHz Number of clock cycles per key 16 Number of search units per ASIC 24 Search speed Average time to recover the key 90 bln keys/s 4.5 days COPACOBANA Cost-Optimized Parallel COde Breaker Ruhr University, Bochum, University of Kiel, Germany, 2006 Cost: 8980 (ver. 1)
COPACOBANA Based on Xilinx FPGAs (Field Programmable Gate Arrays) ver. 1 based on 120 Spartan 3 FPGAs ver. 2 based on 128 Virtex 4 SX 35 FPGAs Description, FAQ, and news available at http://www.copacobana.org/ For ver. 1 based on Spartan FPGAs Clock frequency = 136 MHz Average search time for a single DES key = 6.4 days Worst case search time for a single DES key = 12.8 days
Secure key length today and in 20 years (against an intelligence agency with the budget of $300M) key length 128 bits IDEA, minimum key length in AES 120 bits DESX 112 bits Triple DES with three different keys 100 bits Secure key length in 2031 86 bits 80 bits Skipjack Secure key length in 2010 56 bits DES
Secure key length - discussion increasing key length in a newly developed cipher costs NOTHING increasing effective key length, assuming the use of an existing cipher has a limited influence on the efficiency of implementation (DESX, Triple DES) It is economical to use THE SAME secure key length FOR ALL aplications The primary barriers blocking the use of symmetric ciphers with a secure key length have been of the political nature (e.g., export policy of USA) Other attacks differential cryptanalysis Biham, Shamir 1991 linear cryptanalysis Matsui, 1993
Differential cryptanalysis M 1 M 1 * M 2 M 2 *... M N-1 M N-1 * M N M N * M i M i * = const Encryption module key C 1 C 1 * C 2 C 2 *... C N-1 C N-1 * C N C N * access to the encryption module with the key inside analysis of trilions of pairs plaintext-ciphertext Differential cryptanalysis of DES Requirements: Biham, Shamir 1991 access to the encryption module with the key inside time for encryption of 2 47 = 1.4 10 14 plaintext blocks = 1 million gigabytes of plaintext Conclusions: attack impossible to mount DES specially designed (IBM, NSA) to be resistant against differential cryptanalysis
Requirements: Linear cryptanalysis of DES Matsui 1993 2 43 = 8.8 10 12 known plaintext blocks = 70.3 terabytes of known plaintext 2 43 operations probability of success 85% Conclusions: attack impossible to mount in practice What if creators of DES did not know about differential cryptanalysis... Required number of plaintext blocks Original DES 2 47 = 1 mln GB Modifications: Identity permutation in place of P 2 19 = 4 MB Order of S-boxes 2 38 = 2,000 GB XOR replaced by addition 2 31 = 2 GB S-boxes random 2 21 = 16 MB one position changed 2 33 = 8 GB Expansion function E eliminated 2 26 = 64 MB
Differential and linear cryptanalysis - discussion Attacks infeasible for correctly designed ciphers Perfect tool for comparing strengths of various ciphers Resistance against these attacks does not imply resistance against other unknown methods of attack Triple DES EDE mode with two keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K1 D decryption 56 K1 ciphertext plaintext
Triple DES EDE mode with three keys encryption plaintext decryption ciphertext Diffie, Hellman, 1977 E encryption 56 K1 D decryption 56 K1 D decryption 56 K2 E encryption 56 K2 E encryption 56 K3 D decryption 56 K3 ciphertext plaintext Best Attacks Against Triple DES Version with three keys (168 bits of key) Meet-in-the-middle attack 2 32 known plaintexts 2 113 steps 2 90 single DES encryptions, and 2 88 memory Effective key size = 2 112 Version with two keys (112 bits of key) Effective key size = 2 80
Advantages: Triple DES secure key length (112 or 168 bits) increased compared to DES resistance to linear and differential cryptanalysis possibility of utilizing existing implementations of DES Disadvantages: relatively slow, especially in software DESX Rivest, 1988 plaintext 64 DES 56 K a K KEY = (K, K a ) 120 bits 64 K b = hash function(k, K a ) K b ciphertext