Structures have been found in DES that were undoubtedly inserted to strengthen the system against certain types of attack. Structures have also been found that appear to weaken the system.
— Lexar Corporation, “An Evaluation of the DES”, 1976.

Block Ciphers

Block ciphers
❖ Stream ciphers
  • Encrypt small (bit or byte) units one at a time
  • Everything we have seen so far
  • Require less buffering
❖ Block ciphers
  • Encrypt large chunks (64+ bits) at once
  • Must buffer enough to get a block before encrypting
❖ There are ways to convert block ciphers to stream ciphers and vice versa

Block cipher
❖ Consider a block cipher with 64-bit blocks
❖ 2^64 possible plaintext blocks ➠ must have at least 2^64 corresponding ciphertext blocks
  • There are (2^64)! possible mappings
❖ Why not just create a random mapping?
  • Need a 2^64 entry 64-bit table ≈ 10^21 bits
  • At $30/TB (for disk), this costs $37.5 billion!
  • And would require about 200 million disks…
  • Need to distribute new table if compromised
❖ Instead, approximate ideal random mapping using components controlled by a key

Goals: diffusion and confusion
❖ Diffusion
  • Small change in plaintext changes lots of ciphertext
  • Statistical properties of plaintext hidden in ciphertext
❖ Confusion
  • Statistical relationship between key and ciphertext as complex as possible
  • Described by Claude Shannon in 1945
➡ Need to design functions that produce output that is diffuse and confused

Feistel cipher structure
❖ Encrypt in rounds
  • Input to each round is split
      L_0 = left half of input
      R_0 = right half of input
  • For each round:
      L_i = R_{i-1}
      R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
❖ Substitution: S-box
❖ Permutation: P-box
❖ Proceed for n rounds
❖ After final round, undo last permutation
      C = R_n || L_n
[Diagram: one Feistel round; labels: Plaintext, Round, K_i, Substitution, Permutation, L_{i-1}, R_{i-1}, L_i, R_i, F, ⊕]

Decryption
❖ Inputs to decryption engine
  • LD_0 = left half of ciphertext
  • RD_0 = right half of ciphertext
❖ For each round
  • LD_i = RD_{i-1}
  • RD_i = LD_{i-1} ⊕ F(RD_{i-1}, K_{n-i+1})
❖ Repeat for n rounds
❖ Last round
  • P = RD_n || LD_n
[Diagram: one decryption round; labels: Plaintext, Round, K_n, Substitution, Permutation, LD_{i-1}, RD_{i-1}, LD_i, RD_i, F, ⊕]

❖ For decryption to work:
  • F must be deterministic and solely a function of its inputs (key and block)
  • F could certainly produce identical values for a given K and more than one block
  • F could even be a constant function!
  • This wouldn’t lead to strong encryption....
❖ For security:
  • Hide patterns in plaintext
  • Hide patterns in key
❖ Coming up with a good F is hard!
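
The Feistel encryption and decryption rules and the point that F never has to be inverted, as an added example that is not part of the original slides: a 4-round toy Feistel network on 64-bit blocks. The truncated SHA-256 round function, the constant round function, the round keys and the sample plaintexts are constructed for illustration and are not DES.

```python
import hashlib

HALF = 4  # bytes per half-block, giving the 64-bit block used in the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f_hash(right, key):
    # Deterministic but non-invertible F: truncated SHA-256 (an assumption).
    return hashlib.sha256(key + right).digest()[:HALF]

def f_const(right, key):
    # Constant F: decryption still works, security does not.
    return b"\xaa" * HALF

def feistel(block, round_keys, f):
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left  # undo the last swap: output R_n || L_n

def encrypt(block, round_keys, f=f_hash):
    return feistel(block, round_keys, f)

def decrypt(block, round_keys, f=f_hash):
    # Identical network; only the key order changes (K_n first, K_1 last).
    return feistel(block, round_keys[::-1], f)

def diff_bits(a, b):
    # Number of bit positions in which two blocks differ.
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample data: four round keys, two plaintexts one bit apart.
KEYS = [bytes([i]) * 8 for i in range(1, 5)]
P1, P2 = b"ATTACK!!", b"ATTACK!#"

if __name__ == "__main__":
    for name, f in (("hash F", f_hash), ("constant F", f_const)):
        c1, c2 = encrypt(P1, KEYS, f), encrypt(P2, KEYS, f)
        assert decrypt(c1, KEYS, f) == P1  # F is never inverted
        print(f"{name}: {c1.hex()} differs from {c2.hex()} in "
              f"{diff_bits(c1, c2)} bits")
```

With the constant F and four rounds the ciphertext of ATTACK!! is CK!!ATTA: the halves merely swap, and a one-bit plaintext change stays a one-bit ciphertext change, which is the missing diffusion and confusion the slides warn about.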