L9 AES

Data Security and Encryption
(CSE348)
Lecture # 9
Review
– Data Encryption Standard (DES)
– Strengths of DES
– Differential & Linear Cryptanalysis
– block cipher design principles
DES Encryption Overview
• The overall scheme for DES encryption is illustrated in Stallings Figure
• which takes as input 64 bits of data and 64 bits of key
• The left side shows the basic process for enciphering a 64-bit data block, which consists of:
• an initial permutation (IP) which shuffles the 64-bit input block
• 16 rounds of a complex key-dependent round function involving substitutions & permutations
• a final permutation, being the inverse of IP
DES Encryption Overview
• The right side shows the handling of the 56-bit key and consists of:
• an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
• 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves
Initial Permutation IP
• The initial permutation and its inverse are defined by Tables 3.2a and 3.2b
• The tables are to be interpreted as follows:
• The input to a table consists of 64 bits numbered left to right from 1 to 64
• The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64
Initial Permutation IP
• Each entry in the permutation table indicates the position of a numbered input bit in the output
– which also consists of 64 bits
• Bit numbering for DES reflects IBM mainframe practice
• and is the opposite of what we now mostly use
Initial Permutation IP
• Numbers run from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant)
• For example, a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left & right halves) after permuting with IP becomes “ffb2194d 004df6fb”
• example values are specified using hexadecimal
Initial Permutation IP
 first step of the data computation
 IP reorders the input data bits
 even bits to LH half, odd bits to RH half
 quite regular in structure (easy in h/w)
 example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
DES Round Structure
• We now review the internal structure of the DES round function F
• which takes the R half & subkey, and processes them
• The round key Ki is 48 bits
• The R input is 32 bits
DES Round Structure
• This R input is first expanded to 48 bits by using a table that defines a permutation
• plus an expansion that involves duplication of 16 of the R bits
DES Round Structure
• The resulting 48 bits are XORed with Ki
• This 48-bit result passes through a substitution function that produces a 32-bit output
• which is permuted as defined by Table 3.2d
• follows the classic structure for a Feistel cipher
DES Round Structure
• The S-boxes provide the “confusion” of data and key values
• whilst the permutation P then spreads this as widely as possible
• so each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit subkey:
– expands R to 48 bits using perm E
– adds to subkey using XOR
– passes through 8 S-boxes to get 32-bit result
– finally permutes using 32-bit perm P
Substitution Boxes S
• The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output
• These transformations are defined in Stallings Table, which is interpreted as follows:
• The first and last bits of the input to box Si form a 2-bit binary number to select one of four substitutions defined by the four rows in the table for Si
Substitution Boxes S
• The middle four bits select one of the sixteen columns
• The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output
• E.g., in S1, for input 011001, the row is 01 (row 1) and the column is 1100 (column 12)
• The value in row 1, column 12 is 9, so the output is 1001
Substitution Boxes S
• The example lists 8 6-bit values
• 18 in hex is 011000 in binary
• 09 hex is 001001 binary
• 12 hex is 010010 binary
• 3d hex is 111101 binary etc.
• Each of which is replaced following the process detailed above using the appropriate S-box
DES Key Schedule
 The DES key schedule generates the subkeys needed for each data encryption round
 A 64-bit key is used as input to the algorithm, though every eighth bit is ignored, as indicated by the lack of shading in Table 3.4a
DES Key Schedule
 It is first processed by Permuted Choice One (Stallings Table 3.4b)
 The resulting 56-bit key is then treated as two 28-bit quantities C & D
DES Key Schedule
 In each round, these are separately processed through a circular left shift (rotation) of 1 or 2 bits as shown in Stallings Table 3.4d
 These shifted values serve as input to the next round of the key schedule
DES Key Schedule
 They also serve as input to Permuted Choice Two (Stallings Table 3.4c)
 which produces a 48-bit output that serves as input to the round function F
DES Key Schedule
 The 56-bit key size comes from security considerations, as we know now
 It was big enough so that an exhaustive key search was about as hard as the best direct attack
 a form of differential cryptanalysis called a T-attack, known by the IBM & NSA researchers, but no bigger
DES Key Schedule
 The extra 8 bits were then used as parity (error detecting) bits
 which makes sense given the original design use for hardware communications links
 However we hit an incompatibility with simple s/w implementations, since the top bit in each byte is 0 (since ASCII only uses 7 bits)
 but the DES key schedule throws away the bottom bit
DES Decryption
• As with any Feistel cipher, DES decryption uses the same algorithm as encryption
• except that the subkeys are used in reverse order, SK16 .. SK1
• If you trace through the DES overview diagram you can see how each decryption step, top to bottom with reversed subkeys,
• undoes the equivalent encryption step moving from bottom to top
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
– IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encrypt round
– ….
– 16th round with SK1 undoes 1st encrypt round
– then final FP undoes initial encryption IP
– thus recovering original data value
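The round equations Li = Ri–1, Ri = Li–1 ⊕ F(Ri–1, Ki) and the reverse-order decryption above, as an added example that is not code from the slides or from DES itself. It keeps DES's shape (16 rounds, 32-bit halves, 48-bit subkeys) but the round function F and the subkey schedule are hypothetical stand-ins, and IP/FP are omitted; the slide's plaintext value 675a6967 5e5a6b5a is used as the sample block.

```python
# Added example, not from the slides: a DES-shaped Feistel network showing
# why decryption is encryption with the subkeys in reverse order (SK16 .. SK1).
# f_round and demo_subkeys are hypothetical stand-ins, NOT the DES E/S-box/P
# function or PC1/PC2 schedule. The argument does not need F to be invertible.
MASK32 = 0xFFFFFFFF
MASK48 = 0xFFFFFFFFFFFF
ROUNDS = 16


def f_round(r32, k48):
    """Stand-in round function: 32-bit half and 48-bit subkey -> 32 bits."""
    x = (r32 ^ (k48 & MASK32) ^ (k48 >> 16)) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32          # 32-bit rotate
    return (x * 0x9E3779B1 + (k48 & 0xFFFF)) & MASK32


def feistel(block64, subkeys):
    """Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki) for each subkey, then swap halves."""
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = right, left ^ f_round(right, k)
    # The final swap undoes the last exchange, as DES does before FP.
    return (right << 32) | left


def encrypt(block64, subkeys):
    return feistel(block64, subkeys)


def decrypt(block64, subkeys):
    # Same algorithm, same code path; only the subkey order differs.
    return feistel(block64, list(reversed(subkeys)))


def demo_subkeys(key56):
    """Hypothetical schedule: 16 48-bit subkeys derived from a 56-bit key."""
    return [((key56 >> ((i * 3) % 56)) ^ (0xABCDEF << (i % 8))) & MASK48
            for i in range(ROUNDS)]


if __name__ == "__main__":
    ks = demo_subkeys(0x0123456789ABCD)          # constructed 56-bit key
    pt = 0x675A69675E5A6B5A                       # plaintext from the slides
    ct = encrypt(pt, ks)
    print(hex(ct), decrypt(ct, ks) == pt)
```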
Chapter 5 – Advanced Encryption Standard
"It seems very simple."
"It is very simple. But if you don't know what the key is it's virtually indecipherable."
—Talking to Strange Men, Ruth Rendell
Origins
• The Advanced Encryption Standard (AES)
• published by NIST (National Institute of Standards and Technology) in 2001
• AES is a symmetric block cipher
• that is intended to replace DES as the approved standard for a wide range of applications
Origins
• The AES cipher (& other candidates) form the latest generation of block ciphers
• Now we see a significant increase in the block size from the old standard of 64 bits up to 128 bits
• keys from 128 to 256 bits
• In part this has been driven by the public demonstrations of exhaustive key searches of DES
Origins
• Whilst triple-DES is regarded as secure and well understood
• it is slow, especially in s/w
• In a first round of evaluation, 15 proposed algorithms were accepted
• A second round narrowed the field to 5 algorithms
Origins
• NIST completed its evaluation process and published a final standard (FIPS PUB 197) in November of 2001
• NIST selected Rijndael as the proposed AES algorithm
• The two researchers who developed and submitted Rijndael for the AES are both cryptographers from Belgium
– Dr. Joan Daemen and Dr. Vincent Rijmen
Origins
• clear a replacement for DES was needed
– have theoretical attacks that can break it
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
The AES Cipher - Rijndael
• The Rijndael proposal for AES defined a cipher
• in which the block length and the key length can be independently specified to be 128, 192, or 256 bits
• The AES specification uses the same three key size alternatives
• but limits the block length to 128 bits
The AES Cipher - Rijndael
• Rijndael is an academic submission
• based on the earlier Square cipher, from Belgian academics Dr Joan Daemen and Dr Vincent Rijmen
• It is an iterative cipher (operates on entire data block in every round)
• rather than Feistel (operate on halves at a time)
The AES Cipher - Rijndael
• Was designed to have characteristics of:
– Resistance against all known attacks
– Speed and code compactness on a wide range of platforms
– Design simplicity
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
– processes data as block of 4 columns of 4 bytes
– operates on entire data block in every round
• designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– design simplicity
AES Encryption Process
AES Structure
 The input to the AES encryption and decryption algorithms is a single 128-bit block
 depicted in FIPS PUB 197 as a square matrix of bytes
 This block is copied into the State array
 which is modified at each stage of encryption or decryption
AES Structure
 After the final stage, State is copied to an output
 The key is expanded into 44/52/60 lots of 32-bit words
 with 4 used in each round
 The ordering of bytes within a matrix is by column
AES Structure
 So, for example, the first four bytes of a 128-bit plaintext input to the encryption cipher occupy the first column of the in matrix
 the second four bytes occupy the second column, and so on
 Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix
AES Structure
 The data computation then consists of an “add round key” step, then 9/11/13 rounds with all 4 steps
 and a final 10th/12th/14th step of byte subs + mix cols + add round key
 This can be viewed as alternating XOR key & scramble data bytes operations
 All of the steps are easily reversed, and can be efficiently implemented using XORs & table lookups
AES Structure
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words
 has 9/11/13 rounds in which state undergoes:
 byte substitution (1 S-box used on every byte)
 shift rows (permute bytes between groups/columns)
 mix columns (subs using matrix multiply of groups)
 add round key (XOR state with key material)
 view as alternating XOR key & scramble data bytes
 initial XOR key material & incomplete last round
 with fast XOR & table lookup implementation
AES Structure
Figure 5.3 AES Encryption and Decryption
AES Structure
 Stallings Figure 5.3 shows the structure of AES in more detail
 The cipher consists of N rounds, where the number of rounds depends on the key length:
 10 rounds for a 16-byte key;
 12 rounds for a 24-byte key;
 and 14 rounds for a 32-byte key
AES Structure
 The first N – 1 rounds consist of four distinct transformation functions:
 SubBytes,
 ShiftRows,
 MixColumns,
 AddRoundKey,
 which are described subsequently
AES Structure
 The final round contains only 3 transformations
 There is an initial single transformation (AddRoundKey) before the first round
 which can be considered Round 0
 Each transformation takes one or more 4 x 4 matrices as input and produces a 4 x 4 matrix as output
AES Structure
 Figure 5.1 shows that the output of each round is a 4 x 4 matrix
 with the output of the final round being the ciphertext
 Also, the key expansion function generates N + 1 round keys
 each of which is a distinct 4 x 4 matrix
 Each round key serves as one of the inputs to the AddRoundKey transformation in each round
Some Comments on AES
1. an iterative rather than Feistel cipher
2. key expanded into array of 32-bit words
– four words form round key in each round
3. 4 different stages are used as shown
4. has a simple structure
5. only AddRoundKey uses key
6. AddRoundKey a form of Vernam cipher
7. each stage is easily reversible
8. decryption uses keys in reverse order
9. decryption does recover plaintext
10. final round has only 3 stages
Four Stages of AES
• Four different stages are used, one of permutation and three of substitution:
– Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block
– ShiftRows: A simple permutation
– MixColumns: A substitution that makes use of arithmetic over GF(2^8)
– AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key
Substitute Bytes
• We now turn to a discussion of each of the four transformations used in AES
• For each stage, we mention the forward (encryption) algorithm
• the inverse (decryption) algorithm
• and the rationale for the design of that stage
Substitute Bytes
• The Substitute Bytes stage uses an S-box to perform a byte-by-byte substitution of the block
• There is a single 8-bit wide S-box used on every byte
• This S-box is a permutation of all 256 8-bit values
• constructed using a transformation which treats the values as polynomials in the finite field GF(2^8)
– however it is fixed
Substitute Bytes
• So really only need to know the table when implementing
• Decryption requires the inverse of the table. These tables are given in Stallings Table 5.2.
• The table was designed to be resistant to known cryptanalytic attacks
Substitute Bytes
• Specifically, the Rijndael developers sought a design that has a low correlation between input bits and output bits
• with the property that the output cannot be described as a simple mathematical function of the input
• with no fixed points and no “opposite fixed points”
Substitute Bytes
• a simple substitution of each byte
• uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by byte indexed by row (left 4 bits) & column (right 4 bits)
– e.g. byte {95} is replaced by byte in row 9 column 5
– which has value {2A}
• S-box constructed using defined transformation of values in GF(2^8)
• designed to be resistant to all known attacks
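The GF(2^8) construction of the S-box and its inverse, as an added example that is not part of the slides or of Stallings' tables: it derives the 256-entry table from the field inverse and the affine map rather than copying it, then checks the slide's {95} to {2A} lookup and the "no fixed points" design property.

```python
# Added example, not from the slides: building the AES S-box from its
# definition (multiplicative inverse in GF(2^8), then a fixed affine map),
# and checking the slide's example that byte {95} maps to {2A}.
AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the AES field polynomial

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced modulo AES_POLY."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY & 0xFF   # x^8 == x^4 + x^3 + x + 1 in this field
        b >>= 1
    return product

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 is mapped to 0 by convention."""
    if a == 0:
        return 0
    result = 1
    for _ in range(254):          # a^254 == a^-1 because a^255 == 1
        result = gf_mul(result, a)
    return result

def affine(b):
    """The fixed affine step: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]      # forward table, 16x16 by row/col
INV_SBOX = [0] * 256                                  # inverse table for decryption
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def sub_byte(x):
    """SubBytes on one byte: row = left 4 bits, column = right 4 bits of the table."""
    return SBOX[(x >> 4) * 16 + (x & 0xF)]

def has_fixed_point(table, opposite=False):
    """True if some byte maps to itself (or, with opposite=True, to its complement)."""
    return any(table[x] == (x ^ 0xFF if opposite else x) for x in range(256))

if __name__ == "__main__":
    print(hex(sub_byte(0x95)), hex(INV_SBOX[0x2A]))  # slide example: {95} -> {2A}
    print(has_fixed_point(SBOX), has_fixed_point(SBOX, opposite=True))
```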
Substitute Bytes
 As this diagram from Stallings Fig 5.5a shows, the Byte Substitution operates on each byte of state independently
 with the input byte used to index a row/col in the table to retrieve the substituted value
Substitute Bytes Example
Figure 5.5a example of the SubBytes transformation from the text
Shift Rows
• The ShiftRows stage provides a simple “permutation” of the data
• whereas the other steps involve substitutions
• Further, since the state is treated as a block of columns, it is this step which provides for diffusion of values between columns
• It performs a circular rotate on each row of 0, 1, 2 & 3 places for the respective rows
Shift Rows
• When decrypting it performs the circular shifts in the opposite direction for each row
• This row shift moves an individual byte from one column to another
• which is a linear distance of a multiple of 4 bytes, and ensures that the 4 bytes of one column are spread out to four different columns
Shift Rows
• a circular byte shift in each row
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
Inverse Shift Rows
• Decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes between the columns
• The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on
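ShiftRows and InvShiftRows on a column-ordered state, as an added example that is not part of the slides. It uses the byte ordering the AES Structure slides describe (input bytes 0 to 3 fill the first column) and checks the claim that the 4 bytes of one column end up in four different columns; the sample block is constructed here for illustration.

```python
# Added example, not from the slides: ShiftRows and InvShiftRows on a 16-byte
# block laid out column by column, as the slides describe (input bytes 0-3
# fill column 0, bytes 4-7 column 1, and so on). The sample block in the
# demo below is constructed purely for illustration.

def to_state(block16):
    """16 input bytes -> 4x4 matrix state[row][col], filled column by column."""
    return [[block16[4 * c + r] for c in range(4)] for r in range(4)]


def from_state(state):
    """Inverse of to_state: read the matrix back out column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))


def shift_rows(state):
    """Row r is circularly shifted left by r bytes (row 0 is unchanged)."""
    return [state[r][r:] + state[r][:r] for r in range(4)]


def inv_shift_rows(state):
    """Row r is circularly shifted right by r bytes, undoing shift_rows."""
    return [state[r][4 - r:] + state[r][:4 - r] for r in range(4)]


def columns_after_shift(col):
    """Output columns that receive the 4 bytes of input column `col`.
    Row r moves left by r, so the byte at (r, col) lands at (r, (col - r) % 4):
    the four bytes of one column are spread over four different columns."""
    return {(col - r) % 4 for r in range(4)}


if __name__ == "__main__":
    block = bytes(range(16))                    # constructed sample block
    shifted = shift_rows(to_state(block))
    print(from_state(shifted).hex())            # 00050a0f04090e03080d02070c01060b
    print(from_state(inv_shift_rows(shifted)) == block)
```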
Summary
– DES review
– the AES selection process
– the details of Rijndael – the AES cipher
– looked at the steps in each round
– Out of four AES stages, first two are discussed
• Substitute bytes
• Shift Rows