Block Ciphers and Stream Ciphers In practical ciphers the plaintext M is divided into fixed-length blocks M = M 1 M 2 . . . M N . Then, each block M i is encrypted to the ciphertext block C i = E K ( M i ), and the results are concatenated to the ciphertext C = C 1 C 2 . . . C N . There are two major kind of ciphers, which differ in the way the plaintexts are encrypted: Block Ciphers † � Eli Biham - May 3, 2005 c 83 Block Ciphers (4) � Eli Biham - May 3, 2005 c 84 Block Ciphers (4) Stream Ciphers Block Ciphers The blocks are encrypted sequentially, each block is encrypted by a distinct All the blocks are encrypted in the same way, under exactly the same transfor- transformation, which might depend on mation (no memory): C 1 = E ( M 1 ), C 2 = E ( M 2 ), etc. Encryption transformation should not be vulnerable to known plaintext attacks. 1. the previous encrypted blocks, Attacker should not be able to collect (almost) all the plaintext/ciphertext blocks pairs, keep the transformation table T ( M ) = C , and use it to en- 2. the previous transformation, crypt/decrypt if they do not know the mathematical formulation of the trans- formation (and in particular the key). 3. the block number, Thus, the block size should be large , and the number of distinct possible 4. the key. values in a plaintext block should be larger than the minimal allowed complexity of an attack. This information from one block is kept in memory between the encryption In the past blocks of 64 bits were used, which have 2 64 possibilities, whose of this block and the succeeding block, for use during the encryption of the table storing costs at least 2 64 known plaintexts and memory space. succeeding block. Nowadays, the standard block size is 128 bits. Usually, stream ciphers use blocks of either one bit or eight bits (one character). � Eli Biham - May 3, 2005 c 85 Block Ciphers (4) � Eli Biham - May 3, 2005 c 86 Block Ciphers (4) Block Ciphers The Data Encryption Standard - DES Block ciphers are substitution ciphers in which the plaintext and the cipher- 1. The most widely used cipher in civilian applications. text blocks are binary vectors of length N . When N = 64 there are 2 64 different plaintexts/ciphertexts, and when N = 128 there are 2 128 different 2. Developed by IBM; Evolved from Lucifer. plaintexts/ciphertexts. 3. Accepted as an US NBS standard in 1977, and later as an international For each key the encryption function E K ( · ) is a permutation from { 0 , 1 } N to standard. itself. 4. A block cipher with N = 64 bit blocks . D K ( · ) is the decryption function (the inverse permutation), such that D K ( E K ( · )) = E K ( D K ( · )) = Identity. 5. 56-bit keys (eight bytes, in each byte seven bits are used; the eighth bit can be used as a parity bit). 6. Exhaustive search requires 2 56 encryption steps (2 55 on average). � Eli Biham - May 3, 2005 c 87 Block Ciphers (4) � Eli Biham - May 3, 2005 c 88 Block Ciphers (4) The Data Encryption Standard - DES (cont.) DES Outline ✄✆☎✂✝ ). The round- 7. Iterates a round-function 16 times in 16 rounds ( �✂✁ Plaintext (P) Key (K) function mixes the data with the key. IP PC-1 C D K1 8. Each round, the key information entered to the round function is called a F ROL1 ROL1 subkey . The subkeys K 1 , . . . , K 16 are computed by a key scheduling PC-2 K2 algorithm . F ROL1 ROL1 PC-2 K3 F ROL2 ROL2 PC-2 Ki F ROL ROL PC-2 K13 F ROL2 ROL2 PC-2 K14 F ROL2 ROL2 PC-2 K15 F ROL2 ROL2 PC-2 K16 F ROL1 ROL1 PC-2 FP Ciphertext (T) c † c † � Eli Biham - May 3, 2005 89 Block Ciphers (4) � Eli Biham - May 3, 2005 90 Block Ciphers (4)
The F -Function The Initial Permutation (IP) The following tables describe for each output bit the number of the input bit input (32 bits) whose value enters to the output bit. For example, in IP , the 58’th bit in the input becomes the first bit of the output. E 48 bits subkey (48 bits) FP=IP − 1 : IP: S1E S2E S3E S4E S5E S6E S7E S8E S1K S2K S3K S4K S5K S6K S7K S8K 58 50 42 34 26 18 10 2 40 8 48 16 56 24 64 32 60 52 44 36 28 20 12 4 39 7 47 15 55 23 63 31 62 54 46 38 30 22 14 6 38 6 46 14 54 22 62 30 S1I S2I S3I S4I S5I S6I S7I S8I 64 56 48 40 32 24 16 8 37 5 45 13 53 21 61 29 57 49 41 33 25 17 9 1 36 4 44 12 52 20 60 28 S1 S2 S3 S4 S5 S6 S7 S8 59 51 43 35 27 19 11 3 35 3 43 11 51 19 59 27 S1O S2O S3O S4O S5O S6O S7O S8O 61 53 45 37 29 21 13 5 34 2 42 10 50 18 58 26 63 55 47 39 31 23 15 7 33 1 41 9 49 17 57 25 P output (32 bits) � Eli Biham - May 3, 2005 c 91 Block Ciphers (4) � Eli Biham - May 3, 2005 c 92 Block Ciphers (4) The P Permutation and the E Expansion The S Boxes P Permutes the order of 32 bits. E Expands 32 bits to 48 bits by duplicating S box S1 : 16 bits twice. 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 P : E : 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 16 7 20 21 32 1 2 3 4 5 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 29 12 28 17 4 5 6 7 8 9 1 15 23 26 8 9 10 11 12 13 5 18 31 10 12 13 14 15 16 17 S box S2 : 2 8 24 14 16 17 18 19 20 21 32 27 3 9 20 21 22 23 24 25 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 19 13 30 6 24 25 26 27 28 29 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 22 11 4 25 28 29 30 31 32 1 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9 � Eli Biham - May 3, 2005 c 93 Block Ciphers (4) � Eli Biham - May 3, 2005 c 94 Block Ciphers (4) The S Boxes (cont.) The S Boxes (cont.) S box S3 : S box S5 : 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3 S box S4 : S box S6 : 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13 � Eli Biham - May 3, 2005 c 95 Block Ciphers (4) � Eli Biham - May 3, 2005 c 96 Block Ciphers (4) The S Boxes (cont.) The S Boxes (cont.) S box S7 : How to interpret the S boxes : The representation of the S boxes use the first and sixth bits of the input as a 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 line index (between 0 and 3), and the four middle bits as the row index (between 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 0 and 15). 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 Thus, the input values which correspond to the standard description of the S 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12 boxes are 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 S box S8 : 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 32 34 36 38 40 42 44 46 48 50 52 54 56 58 60 62 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 33 35 37 39 41 43 45 47 49 51 53 55 57 59 61 63 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11 c c � Eli Biham - May 3, 2005 97 Block Ciphers (4) � Eli Biham - May 3, 2005 98 Block Ciphers (4)
Recommend
More recommend
