ECE596C: Handout #7 - University of Arizona
ECE596C: Handout #7
Analysis of DES and the AES Standard
Electrical and Computer Engineering, University of Arizona,
Loukas Lazos
Abstract. In this lecture we analyze the security properties of DES and present the AES
cryptosystem.
1 On the Security of DES
1.1 The Avalanche Effect
For any encryption/decryption algorithm, a desirable property is that a small change in either the
plaintext or the key should result in a significant change in the produced ciphertext (WHY?). DES
indeed exhibits a strong avalanche effect. The avalanche effect can be illustrated by considering the
following two experiments:
Experiment 1
– Pick two plaintexts that differ at only one bit.
– Encrypt both plaintexts with the same key.
– XOR the two ciphertexts and count the number of ones.
Example: the plaintexts
x1 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000,
x2 = 10000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000,
and the key
K = 00000001 1001011 0100100 11000100 0011100 0011000 0011100 0110010,
yield two ciphertexts that differ at 35 bits after the third round in DES, and a final difference of
34 bits after all 16 rounds have been executed.
Experiment 2
– Pick two keys that differ at only one bit.
– Encrypt the same plaintext using the two different keys.
– XOR the two ciphertexts and count the number of ones.
Example: the plaintext
x = 01101000 10000101 00101111 01111010 000010011 01110110 11101011 10100100,
and the keys
K1 = 1110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100,
K2 = 0110010 1111011 1101111 0011000 0011101 0000100 0110001 1101100,
yield two ciphertexts that differ at 26 bits after the third round in DES, and a final difference of
35 bits after all 16 rounds have been executed.
ECE 596C: Cryptography for Secure Communications with Applications to Network Security
1.2 The strength of 56-Bit keys
With a key length of 56 bits, there are 2^56 possible keys, i.e. approximately 7.2×10^16 keys. With
today's technology, breaking a DES encryption via brute-force attack has been proven feasible. In
1998 the Electronic Frontier Foundation (EFF) developed a DES cracker worth a quarter million
dollars that broke DES in 56 hours. The DES cracker searched 88 billion keys per second.
In 1999, DES was cracked within 22 hours and 15 minutes by using the idle cycles of 100,000
networked computers worldwide. The network was capable of searching 245 billion keys per second.
In 2007, researchers from Germany developed an FPGA-based machine called COPACOBANA,
with off-the-shelf components, that can break a DES encryption in 6.4 days (on average).
Given the short key length, the DES scheme cannot be considered secure. However, note that the
adversary must have an estimate of the plaintext to perform a brute-force attack. Without plaintext
knowledge or a plaintext estimate, it is not possible to determine when the right DES key is found.
2 The AES Standard
The Advanced Encryption Standard (AES) was adopted by NIST in December of 2001.
It was designed by two Belgian scientists, Rijmen and Daemen (it is also known as the Rijndael cipher).
It has been adopted by the US government as the default encryption cipher wherever encryption
is required (details can be found at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf).
2.1 Description of the cipher
The AES is a block cipher with a block length of 128 bits (as opposed to 64 bits in DES). It can
operate with three different key lengths: 128 bits, 192 bits and 256 bits. Like DES, it is also an
iterative cipher, with a number of rounds that depends on the key length: 10 rounds for a key length
of 128 bits, 12 rounds for a key length of 192 bits and 14 rounds for a key length of 256 bits.
In AES, all operations are performed on a byte basis. Blocks of 128 bits are split into 16 bytes
which are organized into 4x4 arrays, also referred to as states. The following operations
take place:
– Key Expansion using Rijndael's key schedule
– Initial Round
1. AddRoundKey
– Nr − 1 Rounds
1. SubBytes: a non-linear substitution step where each byte is replaced with another according
to a lookup table.
2. ShiftRows: a transposition step where each row of the state is left-shifted cyclically a
number of steps equal to the row number.
3. MixColumns: a mixing operation which operates on the columns of the state, combining
the four bytes in each column.
4. AddRoundKey: each byte of the state is XORed with the round key.
– Final round
1. SubBytes
2. ShiftRows
3. AddRoundKey
2.2 The SubBytes transformation
This is a typical S-box lookup table operation. For example, if s_{1,1} = {53}, then the substitution
value would be determined by the intersection of the row with index 5 and the column with index
3 in Fig. 7. This would result in s'_{1,1} = {ed}.
Fig. 1. The SubBytes transformation.
Fig. 2. The SubBytes lookup table.
2.3 The ShiftRows Transformation
In the ShiftRows transformation, the bytes in each row of the state are cyclically shifted over a
number of bytes equal to the row number.
Fig. 3. The ShiftRows transformation.
2.4 The MixColumns Transformation
The MixColumns transformation operates on the state column-by-column, treating each column
as a four-term polynomial over GF(2^8) and multiplying it modulo x^4 + 1 with a fixed polynomial a(x).
Fig. 4. The MixColumns transformation.
2.5 Key Expansion
The AES algorithm takes the cipher key K and expands it to generate a key schedule. The total
number of keys generated is equal to (Nr + 1), each of which is 16 bytes long. The key scheduling
is word oriented, with each word consisting of 4 bytes. For a 10-round AES, we need a total of 11*4
= 44 words to be generated from an initial key of 4 words.
The key expansion transformations are given in Algorithm 1.
Algorithm 1 Key Expansion Algorithm
INPUT K
RCon[1] ← 01000000
RCon[2] ← 02000000
RCon[3] ← 04000000
RCon[4] ← 08000000
RCon[5] ← 10000000
RCon[6] ← 20000000
RCon[7] ← 40000000
RCon[8] ← 80000000
RCon[9] ← 1B000000
RCon[10] ← 36000000
for i ← 0 to 3 do
    w[i] ← (key[4i], key[4i+1], key[4i+2], key[4i+3])
end for
for i ← 4 to 43 do
    temp ← w[i−1]
    if i ≡ 0 (mod 4) then
        temp ← SubWord(RotWord(temp)) ⊕ RCon[i/4]
    end if
    w[i] ← w[i−4] ⊕ temp
end for
return (w[0], ..., w[43])
– SubWord: transformation that takes a four-byte input word and applies the S-box to each of
the four bytes to produce an output word.
– RotWord: transformation that takes a word [a0, a1, a2, a3] as input, performs a cyclic permutation,
and returns the word [a1, a2, a3, a0].
– RCon[i]: a constant array of ten words (listed at the start of Algorithm 1).
2.6 Example
Key, K = 66 50 3c 41 67 22 63 46 25 77 5d 27 26 55 3c 7a
w[0] = 66 50 3c 41, w[1] = 67 22 63 46, w[2] = 25 77 5d 27, w[3] = 26 55 3c 7a
For i = 4, temp = w[3] = 26 55 3c 7a.
Because i ≡ 0 (mod 4),
temp ← SubWord(RotWord(temp)) ⊕ RCon[1]
temp ← 55 3c 7a 26 ⊕ 01 00 00 00 = 54 3c 7a 26
w[4] ← w[0] ⊕ temp = 66 50 3c 41 ⊕ 54 3c 7a 26 = 32 6c 46 67
For i = 5, temp = w[4] = 32 6c 46 67.
w[5] ← w[1] ⊕ w[4] = 67 22 63 46 ⊕ 32 6c 46 67 = 55 4e 25 21
Fig. 5. The diagram for the CBC mode of operation. (a) Encryption, (b) Decryption
3 Modes of operation
DES has four modes of operation that were standardized in 1980. These modes can be used with
minor modifications with any block cipher. A brief description of the four modes of operation is
outlined as follows.
3.1 Electronic Codebook Mode (ECB)
Each plaintext block is encrypted with the same key K, producing a stream of ciphertext blocks. Identical
plaintext blocks yield identical ciphertext blocks. What is the vulnerability of an ECB mode of operation? Do
you see any advantage in using the ECB mode of operation?
3.2 Cipher Block Chaining Mode (CBC)
In CBC operation mode, each plaintext block x_i is XORed with the previous ciphertext block before being encrypted
with the same key K. The first plaintext block is XORed with an initialization vector IV of the same
length as the plaintext block. The encrypting rule under the CBC operation mode becomes
y_i = e_K(y_{i−1} ⊕ x_i), y_0 = IV. (1)
In CBC operation mode, if any block of the plaintext is changed, the entire ciphertext sequence
will be changed. Think of how we can use this property to provide Message Authentication. In Fig. 5
we show the encryption/decryption schematics of the CBC operation mode.
CBC is the most common mode of operation. What are the advantages and disadvantages of
CBC mode of operation?
3.3 Output Feedback Mode (OFB)
In OFB mode, a keystream is generated which is XORed with the plaintext in order to produce the
ciphertext. This is a synchronous stream cipher mode of operation. The keystream is generated using
the DES encryption algorithm as
z_i = e_K(z_{i−1}), z_0 = IV. (2)
The ciphertext is then computed as
y_i = x_i ⊕ z_i. (3)
The OFB mode can be used as a pseudo-random number generator. Given that much faster
stream ciphers exist in the literature, the OFB mode is not used in practical applications.
3.4 Cipher Feedback Mode (CFB)
The CFB mode of operation is very similar to the OFB mode, with the difference being in the
generation of the keystream. In CFB, the previous ciphertext block is encrypted to produce the keystream elements
z_i:
z_i = e_K(y_{i−1}), y_0 = IV. (4)
The ciphertext is then computed as
y_i = x_i ⊕ z_i. (5)
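The four modes of Section 3, written directly from equations (1) to (5) over an abstract block function e_K, as an added Python example that is not part of the handout. No DES or AES library is assumed: e_K is a constructed toy Feistel permutation keyed with HMAC-SHA256, and the differing_blocks helper is there to observe the ECB repetition leak and how a single changed plaintext block propagates under each mode.

```python
# Added example, not from the handout: ECB, CBC, OFB and CFB written from
# equations (1)-(5) of Section 3 over a generic block function e_K. Here e_K is
# a constructed toy Feistel permutation keyed with HMAC-SHA256, not a real cipher.
import hashlib, hmac
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_e_k(key):
    """Return a 16-byte block permutation e_K (toy 4-round Feistel network)."""
    def e_k(block):
        l, r = block[:8], block[8:]
        for rnd in range(4):
            f = hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8]
            l, r = r, xor(l, f)
        return l + r
    return e_k

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(e_k, x):                    # identical x_i give identical y_i
    return b"".join(e_k(xi) for xi in blocks(x))

def cbc_encrypt(e_k, iv, x):        # (1): y_i = e_K(y_{i-1} XOR x_i), y_0 = IV
    y = [iv]
    for xi in blocks(x):
        y.append(e_k(xor(y[-1], xi)))
    return b"".join(y[1:])

def ofb(e_k, iv, x):                # (2),(3): z_i = e_K(z_{i-1}), y_i = x_i XOR z_i
    out, z = [], iv
    for xi in blocks(x):
        z = e_k(z)
        out.append(xor(xi, z))
    return b"".join(out)            # the same call decrypts

def cfb_encrypt(e_k, iv, x):        # (4),(5): z_i = e_K(y_{i-1}), y_i = x_i XOR z_i
    y = [iv]
    for xi in blocks(x):
        y.append(xor(xi, e_k(y[-1])))
    return b"".join(y[1:])

def cfb_decrypt(e_k, iv, y):        # x_i = y_i XOR e_K(y_{i-1}): needs only e_K
    ys = [iv] + blocks(y)
    return b"".join(xor(ys[i], e_k(ys[i - 1])) for i in range(1, len(ys)))

def differing_blocks(a, b):         # indices of the 16-byte blocks where a, b differ
    return [i for i, (p, q) in enumerate(zip(blocks(a), blocks(b))) if p != q]
```

Flipping one bit in the second plaintext block changes blocks 1 and onward under CBC and CFB but only block 1 under OFB, which is the propagation property Section 3.2 asks about.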