Академический Документы
Профессиональный Документы
Культура Документы
Claude Shannon (inventor of information theory) gave design criteria for symmetric ciphers (late 1940s): Kerckhos principle: only the key should be secret, not the algorithm use confusion: hide local patterns in the language (simplest: digrams) use diusion: spread statistical structure of plaintext in long-range statistics of ciphertext The Vigenre cipher hides small-scale structure: digrams are encoded by dierent keys, but fails at diusion: nothing is moved/spread. Simple transposition ciphers are good at diusion: they move around, but dicult to achieve confusion. Modern ciphers get both confusion (small-scale) and diusion (large-scale), e.g. by combining substitution and transposition in a product cipher.
Feistel
Feistel (1970s) used Shannons ideas in designing ciphers. Standard design since then! Make product cipher by alternating substitution and permutation: c = Ek (m) = Sn Pn1 S2 P1 S1 (m)
reversibly
Permutation: change the order of (symbol/bitstring)s
(reversible)
Feistel networks
Plaintext (2w bits) k1
Feistel network
A Feistel network:
1 2
xor
ki
Feistel decryption
Same algorithm to decrypt, but keys in reverse order.
Output (plaintext)
Feistel decryption
Same algorithm to decrypt, but keys in reverse order. Works regardless of F !
LE0
K1 F
RE1
RE16 = LE15 F (RE15 , k16 ) RD1 = LD0 F (RD0 , k16 ) = RE16 F (RE15 , k16 ) = LE15 F (RE15 , k16 ) F (RE15 , k16 ) = LE15 . . . RD16 = LE0 LD16 = RE0
K2
F LE2
RE2
LE14
K15
RE15
F K16
LD1 = RE15
F LE16
RE16
LD0 = RE16
RE16
Feistel features
Block size (64-256 bits) Key size (56-256 bits) Fast implementation
Feistel nets can typically be implemented eciently (fast en/decryption) in both hardware and software. This makes it easier to use.
Ease of analysis
DES: Overview
K1
Permuted Choice 2
Round 2
K2
Permuted Choice 2
Round 16
K16
Permuted Choice 2
32-bit Swap
10
Li-1
Ri-1
Ci-1
Di-1
Each round uses subkey ki based on k, which is 64 bits Permuted Choice 1 (PC1) discards parity bits (so 56 remain)
Expansion/permutation (E table) 48
Left shift(s)
Left shift(s)
and permutes
Split in two 28-bit halves C0 , D0 Each round: Ci = LSi (Ci1 ), Di = LSi (Di1 ) where LSi is a left circular shift of 1, 1, 2, 2, . . . , 2, 1, 2, . . . , 2, 2, 1 bits ki = PC 2(Ci Di ) where PC 2 is Permuted Choice 2 (permutes and discards) 56 48 bits
XOR
48
48
Ki
Substition/choice (S-box)
32
Permutation (P)
32
XOR
Li
Ri
Ci
Di
11
12
1977: estimated breakable in 1 day by $20M machine 1981: estimated breakable in 2 days by $50M machine
K (48 bits)
48 bits
1997: broken in 96 days by 70 000 machines, testing 7 billion keys/s (DESCHALL project) 1998: less than 56 hours by special hardware, $250K incl design and development (Deep Crack)
S1
S2
S3
S4
S5
S6
S7
S8
1999: 22 h 15 min, Deep Crack + 100 000 machines, testing 245 billion keys/s 2007: 6.4 days, $10K hardware, 120 FPGAs (COPACOBANA project)
P
32 bits
13
14
Properties of DES
Avalanche eect
Small changes in m or k give big changes in c, and changes increase for each round
Decryption: like Feistel (keys in reverse order) Symmetry: c = DES(m, k) i c = DES(m, k) where x is the bitwise negation of x cuts search space in half Weak keys: key cause involution: Ek (Ek (m)) = m four for DES: 0, 0 , 1, 0 , 0, 1 , 1, 1 Semi-weak keys: such that Ek1 (Ek2 (m)) = m 6 such pairs for DES (few enough to check for)
Example: one bit change in plaintext or key Change in plaintext Round Bits that dier 0 1 1 6 2 21 3 35 4 39 . . . . . . 14 15 16
16
46 29 34
15