Information Theory - GUC

COMM1003 Information Theory Dr. Wassim Alexan Spring 2019 Lecture 8


DES: The Feistel Structure

Fig. 1. The Feistel structure of DES. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: The f–Function

Fig. 2. Block diagram of the f–function. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: The f–Function Internals → The P Permutation

◆ The 32–bit output of the S–boxes is permuted bitwise according to the P permutation

◆ Unlike the initial permutation IP and its inverse $IP^{-1}$, the P permutation introduces diffusion because the four output bits of each S–box are permuted in such a way that they affect several S–boxes in the following round

Fig. 3. The P permutation within the f–function. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

Question 1

Q. There are substitutions and permutations in each of the 16 rounds of DES. Is this arrangement any more secure than if all the permutations are first grouped together, followed by all the substitutions?


Answer to Question 1

Q. There are substitutions and permutations in each of the 16 rounds of DES. Is this arrangement any more secure than if all the permutations are first grouped together, followed by all the substitutions?

A. Yes, this arrangement is much more secure because a sequence of permutations can be replaced by a single permutation. Similarly, a continuous sequence of S–boxes can be replaced by a single S–box.

DES: The Key Schedule

◆ The key schedule derives 16 sub keys $k_i$, each consisting of 48 bits, from the original 56–bit key

◆ Note that the DES input key is often stated as a 64–bit key, where every 8th bit is used as an odd parity bit over the preceding 7 bits

◆ It is not clear why DES was specified this way, but those 8 parity bits are not actual key bits and do not increase the security of DES

Fig. 4. Location of the 8 parity bits for a 64–bit input key. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: The Key Schedule

◆ The 64–bit input key is first reduced to 56 bits by ignoring every 8th bit

◆ This is carried out by the initial PC-1 permutation (PC-1 stands for permuted choice 1)

◆ The exact bit connections that are realized by PC-1 are given in Fig. 5

Fig. 5. Initial key permutation PC-1. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: The Key Schedule

◆ The resulting 56–bit key is split into two halves $C_0$ and $D_0$ and the actual key schedule starts as shown in Fig. 6 (next slide)

◆ The two 28–bit halves are cyclically shifted (i.e. rotated) left by one or two bit positions, depending on the round $i$, according to the following rules

1. In rounds i = 1, 2, 9 and 16, the two halves are rotated left by one bit

2. In the other rounds, the two halves are rotated left by two bits

Fig. 6. Key schedule for DES encryption. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: The Key Schedule

◆ To derive the 48–bit sub keys $k_i$, the two halves are permuted bitwise again with PC-2 (PC-2 stands for permuted choice 2)

◆ PC-2 permutes the 56 input bits coming from $C_i$ and $D_i$ and ignores 8 of them

◆ The exact bit connections that are realized by PC-2 are given in Fig. 7

◆ Note that every sub key $k_i$ is a selection of 48 permuted bits of the input key $k$

◆ The key schedule is simply a method of realizing the 16 permutations systematically

Fig. 7. Round key permutation PC-2. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

Question 2

What is the output of the first round of the DES algorithm when the plaintext and the key are both all zeros?


Answer to Question 2: The Logic

◆ Because all inputs are 0 and IP, PC-1, PC-2 and the sub key rotations are all simple permutations, we can ignore them knowing that they will output zeros

◆ Because the sub keys consist of all zeros, we can ignore them in the f function calculation (since $a \oplus 0 = a$)

◆ We can also ignore the E expansion, since it is guaranteed to produce all zeros, thus

$$L_0 = 0, \qquad L_1 = R_0 = 0 \tag{1}$$

◆ $R_1$ is calculated as follows

$$R_1 = L_0 \oplus f(R_0) = 0 \oplus f(0) = f(0) \tag{2}$$

Answer to Question 2: The Logic

◆ Now, we just need to calculate the output of the f function

$$f(0) = P(S_1(0), S_2(0), S_3(0), S_4(0), S_5(0), S_6(0), S_7(0), S_8(0)) \tag{3}$$

◆ The output of the S–boxes, as a bit stream, is given as

$$1110,\ 1111,\ 1010,\ 0111,\ 0010,\ 1100,\ 0100,\ 1101 \tag{4}$$

◆ To finish calculating $R_1$, we need to apply P

$$P(1110, 1111, 1010, 0111, 0010, 1100, 0100, 1101) = (1101, 1000, 1101, 1000, 1101, 1011, 1011, 1100) \tag{5}$$

◆ Thus, $L_1$ and $R_1$ are as follows

$$L_1 = (0000, 0000, 0000, 0000, 0000, 0000, 0000, 0000)_2$$

$$R_1 = (1101, 1000, 1101, 1000, 1101, 1011, 1011, 1100)_2 \tag{6}$$

Answer to Question 2: The Logic

◆ Which are better represented in hexadecimal as

$$L_1 = (0, 0, 0, 0, 0, 0, 0, 0)_{16}$$

$$R_1 = (D, 8, D, 8, D, B, B, C)_{16} \tag{7}$$

◆ Keeping in mind that the hexadecimal base allows us to count from 0 to F as follows: 0 1 2 3 4 5 6 7 8 9 A B C D E F

Answer to Question 2: The f–Function

Fig. 8. Block diagram of the f–function. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

Answer to Question 2: The S–Boxes

Fig. 9. The S–boxes lookup tables. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)
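The calculation of Eqs. (3) to (7), together with the diffusion claim made earlier for the P permutation, as an added example (not from the original slides). The P table is typed in from the DES standard, E is generated from its regular pattern, and the eight S-box values are the ones listed in Eq. (4).

```python
# P permutation of the f-function: source bit (1-based) for each output position.
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
# Expansion E: S-box j+1 reads bits 4j, 4j+1, ..., 4j+5 (1-based, wrapping at 32).
E = [(4 * j + o - 1) % 32 + 1 for j in range(8) for o in range(6)]
# S_1(0) ... S_8(0): row 0, column 0 of each S-box, as listed in Eq. (4).
SBOX_AT_ZERO = [0b1110, 0b1111, 0b1010, 0b0111, 0b0010, 0b1100, 0b0100, 0b1101]


def permute(value, width, table):
    """Select bits of a width-bit integer; table entries are 1-based, bit 1 = MSB."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def f_of_zero():
    """f(0) with an all-zero sub key: every S-box receives the input 000000."""
    s_out = 0
    for nibble in SBOX_AT_ZERO:
        s_out = (s_out << 4) | nibble
    return permute(s_out, 32, P)


def next_round_sboxes(sbox):
    """S-boxes (1..8) of the next round that read an output bit of `sbox` (1..8)."""
    reached = set()
    for src in range(4 * sbox - 3, 4 * sbox + 1):    # the four output bits
        pos = P.index(src) + 1                       # where P moves this bit
        reached |= {i // 6 + 1 for i, e in enumerate(E) if e == pos}
    return sorted(reached)


if __name__ == "__main__":
    print(f"R1 = f(0) = {f_of_zero():08X}")
    for s in range(1, 9):
        print(f"S{s} output bits feed S-boxes {next_round_sboxes(s)} in the next round")
```

Each S-box's four output bits reach six different S-boxes of the following round and never the S-box that produced them, which is the diffusion that IP and its inverse do not provide.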

DES: The Complementation Property

◆ Given a bitstream $x$, let $\bar{x}$ denote its bitwise complement, i.e. the bitstream obtained by flipping all bits of $x$

◆ The complementation property of DES is then given by

$$\mathrm{DES}_{\bar{K}}(\bar{x}) = \overline{\mathrm{DES}_K(x)} \tag{8}$$

DES: The Complementation Property Proof

◆ First note that $\overline{x \oplus y} = \bar{x} \oplus y$ and that $\bar{x} \oplus \bar{y} = x \oplus y$. The initial and final permutations (IP and $IP^{-1}$) do not have any influence on our computations, so we will not consider them. We can write one round of DES as

$$(C_L, C_R) \leftarrow (P_R, P_L \oplus F(P_R, K)) \tag{9}$$

where $P_L$ and $P_R$ denote the left and right halves of the plaintext, respectively, while $C_L$ and $C_R$ denote the left and right halves of the ciphertext and $K$ denotes the key. From our knowledge of the key schedule algorithm, we see that if we take the bitwise complement of the key, then each subkey will turn into its bitwise complement as well. Furthermore, from the definition of the DES f–function, we can see that if we complement its input and the subkey, then the input of the S–boxes and thus the output will remain the same. We can thus write

$$(\overline{C_L}, \overline{C_R}) \leftarrow (\overline{P_R}, \overline{P_L} \oplus F(\overline{P_R}, \overline{K})) = (\overline{P_R}, \overline{P_L} \oplus F(P_R, K)) \tag{10}$$

DES: The Complementation Property Proof

◆ If we extend this to the whole Feistel scheme, then we can conclude that

$$\mathrm{DES}_{\bar{K}}(\bar{x}) = \overline{\mathrm{DES}_K(x)} \tag{11}$$

DES: Decryption

◆ Decryption of DES is essentially the same function as its encryption

◆ This is because DES is based on a Feistel network

◆ Compared to its encryption, only the key schedule is reversed

◆ In decryption round 1, sub key 16 is needed; in round 2, sub key 15 is needed, etc.

◆ Thus, when in the decryption mode, the key schedule has to generate the round keys as the sequence $k_{16}, k_{15}, \ldots, k_1$
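The complementation proof and the decryption rule above use only the structure of the cipher, so this added example (not from the original slides) goes beyond DES and checks both on a toy 16-round Feistel network. Assumptions: the round function is a truncated SHA-256 standing in for the S-boxes and P, and the key schedule is a simple rotate-and-truncate bit selection rather than PC-1/PC-2.

```python
import hashlib

MASK32, MASK56, MASK64 = (1 << 32) - 1, (1 << 56) - 1, (1 << 64) - 1
# DES-style expansion E (32 -> 48 bits): pure bit selection, 1-based, wrapping.
E = [(4 * j + o - 1) % 32 + 1 for j in range(8) for o in range(6)]


def expand(r):
    """Apply E to a 32-bit half."""
    out = 0
    for pos in E:
        out = (out << 1) | ((r >> (32 - pos)) & 1)
    return out


def toy_subkeys(key56):
    """Toy schedule (NOT PC-1/PC-2): rotate the 56-bit key, keep the top 48 bits."""
    keys = []
    for i in range(1, 17):
        n = (3 * i) % 56
        rot = ((key56 << n) | (key56 >> (56 - n))) & MASK56
        keys.append(rot >> 8)
    return keys


def g(v48):
    """Stand-in for S-boxes + P: any fixed 48 -> 32 bit function works here."""
    return int.from_bytes(hashlib.sha256(v48.to_bytes(6, "big")).digest()[:4], "big")


def feistel(block64, round_keys):
    """Run the rounds (L, R) <- (R, L xor g(E(R) xor k)), then swap the halves."""
    left, right = block64 >> 32, block64 & MASK32
    for k in round_keys:
        left, right = right, left ^ g(expand(right) ^ k)
    return (right << 32) | left


def encrypt(key56, x):
    return feistel(x, toy_subkeys(key56))


def decrypt(key56, y):
    return feistel(y, toy_subkeys(key56)[::-1])      # same network, reversed sub keys


def complementation_holds(key56, x):
    """True if encrypting ~x under ~key gives the complement of encrypting x under key."""
    return encrypt(key56 ^ MASK56, x ^ MASK64) == encrypt(key56, x) ^ MASK64
```

`complementation_holds` returns True for every key and block, whatever `g` is, because the complemented half and the complemented sub key cancel before `g` is ever evaluated.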

DES: Security

◆ Shortly after the proposal of DES, two major criticisms against the cryptographic strength of DES were centered around the following arguments

1. The key space is too small, i.e. the algorithm is vulnerable against brute–force attacks

2. The design criteria of the S–boxes were kept secret and there might have existed an analytical attack that exploits mathematical properties of the S–boxes, but which is only known to the DES designers

◆ Nevertheless, despite very intensive cryptanalysis efforts over the lifetime of DES, current analytical attacks are not very efficient

◆ However, DES can relatively easily be broken with an exhaustive key–search attack, which renders it useless for many applications nowadays


DES: Exhaustive Key Search

◆ Input: At least one pair of plaintext–ciphertext (x, y)

◆ Output: $k$, such that $y = \mathrm{DES}_k(x)$

◆ Attack: Test all $2^{56}$ possible keys until the following condition is fulfilled:

$$\mathrm{DES}^{-1}_{k_i}(y) = x, \qquad i = 0, 1, \ldots, 2^{56} - 1 \tag{12}$$

◆ Note that there is a small chance of $1/2^{16}$ that an incorrect key is found, i.e. a key $k$ which decrypts only the one ciphertext $y$ correctly but not any subsequent ciphertexts

Question 3

Q. Is there a way to be 100% sure that the key we find is actually the right key?


Answer to Question 3

Q. Is there a way to be 100% sure that the key we find is actually the right key?

A. If we want to rule out this $1/2^{16}$ possibility of getting a wrong key, we must check our candidate key with a second plaintext–ciphertext pair

DES: Security

◆ Regular computers are not particularly well–suited to perform the necessary $2^{56}$ key tests

◆ But custom–built key–search machines are a viable option

◆ Thus, it is highly likely that large institutions (or governments) have long been able to build such brute–force crackers, which can break DES in a matter of days

◆ In 1977, Whitfield Diffie and Martin Hellman estimated that it was possible to build such a machine for $20,000,000

◆ It was clear from the beginning that, given enough funding, cracking DES would be possible

◆ In a 1993 Crypto conference, Michael Wiener proposed a very efficient design for such a machine and estimated its cost at $1,000,000 and its ability to crack DES in only 1.5 days


DES: Security

◆ In 1998, the Electronic Frontier Foundation (EFF) built the hardware machine Deep Crack, which cost $250,000 and performed a brute–force attack against DES in 56 hours

Fig. 10. Deep Crack – The hardware exhaustive key–search machine that broke DES in 1998. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: Security

◆ In 2006, the Cost–Optimized Parallel Code-Breaker (COPACOBANA) machine was built based on commercial integrated circuits by a team of researchers from the universities of Bochum and Kiel in Germany

◆ The COPACOBANA allows one to break DES in a short time and its hardware cost is in the $10,000 range

Fig. 11. COPACOBANA – A cost–optimized parallel code breaker. (Paar and Pelzl, Cryptography – A Textbook for Students and Practitioners)

DES: Security

◆ In summary, a key size of 56 bits is too short to encrypt confidential data nowadays

◆ Thus, single DES should only be used for applications where only short–term security is needed (a few hours for example)

◆ However, variants of DES, in particular 3DES, are still secure

DES: A Wolfram Mathematica Example 1

key = GenerateSymmetricKey[Method → "DES"];

message = "I hope that the final exam is not extremely hard!";

EncryptedMessage = Encrypt[key, message]

EncryptedObject
data length: 56 bytes
IV length: 64 bits
original form: String

DecryptedMessage = Decrypt[key, EncryptedMessage]

I hope that the final exam is not extremely hard!

DES: A Wolfram Mathematica Example 2

key = GenerateSymmetricKey[Method → "DES"];

message = ;


DES: A Wolfram Mathematica Example 2

EncryptedMessage = Encrypt[key, message]

EncryptedObject
data length: 1.7 MB
IV length: 64 bits
original form: Expression

DecryptedMessage = Decrypt[key, EncryptedMessage]