3 Cipher Security


  • 7/31/2019 3 Cipher Security


    Cipher Security

    Entropy: it is the amount of information in a message measured by the average number of bits

    needed to encode all possible messages using an optimal encoding.

    Let there be n messages X1, X2, ..., Xn occurring with probabilities p(X1), p(X2), ..., p(Xn) such that:

    1

    The entropy (H(X)) in bits is calculated as:

    1

    Suppose we have 2 possibilities with probabilities (1/2, 1/2), we need:

    H(X) = (1/2) log2(2) + (1/2) log2(2) = 1

    1 bit is required to encode these messages (possibilities). If we have 4 possibilities with

    probabilities (1/8, 1/2, 1/4, 1/8), then:

    H(X) = (1/8) log2(8) + (1/2) log2(2) + (1/4) log2(4) + (1/8) log2(8) = 1 3/4

    Such messages are encoded as follows:

    1. The message with the highest probability (1/2) is encoded with 1 bit (say 0)
    2. The message with the next highest probability (1/4) is encoded with 2 bits, the first one is different from the one in step 1 (10)
    3. The message with the next highest probability (1/8) is encoded with 3 bits, the first is different from the one in step 1 and the second is different from the one in step 2 (110)
    4. The steps above are continued until only one message is left. For the last message, the last bit is simply inverted (111)

    The above optimum encoding results in the following encoding (assuming leftmost bit transmitted first):

    Message Probability    Message Code
    1/2                    0
    1/4                    10
    1/8                    110
    1/8                    111

    Table (1): Optimal encoding of the messages

    The receiver has no difficulty decoding this message. If a 0 is received, then this is the end of the message; if a 1 is received, then the receiver continues receiving bits until a zero is received or 3 bits are received and then decodes the message according to the table above. This encoding is more efficient than using 2 bits to encode all the messages. This is due to the unequal probabilities of the messages. For instance, suppose 10,000 messages are to be transmitted; we expect half of them to be the message with the code 0, one quarter of the messages to be the message with the code 10, and the rest (one quarter) to be divided equally between the messages 110 and 111. Such an encoding results in an average of 1 3/4 bits/message.
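    The entropy calculation, the code of Table (1) and the receiver's decoding rule, as an added example that is not part of the original notes. It uses the standard Shannon definition H(X) = sum of p(Xi) log2(1/p(Xi)); the message labels A to D are assumed names, since the notes do not name the messages.

```python
from fractions import Fraction
from math import log2

# Codewords and probabilities from Table (1); labels A-D are assumed names.
CODE = {"A": ("0", Fraction(1, 2)), "B": ("10", Fraction(1, 4)),
        "C": ("110", Fraction(1, 8)), "D": ("111", Fraction(1, 8))}

def entropy(probs):
    """Shannon entropy in bits: sum of p * log2(1/p), skipping p = 0."""
    return sum(float(p) * log2(1 / float(p)) for p in probs if p > 0)

def average_length(code=CODE):
    """Expected number of transmitted bits per message."""
    return sum(p * len(bits) for bits, p in code.values())

def encode(messages, code=CODE):
    return "".join(code[m][0] for m in messages)

def decode(bitstream, code=CODE):
    """Receiver rule from the text: a codeword ends at the first 0
    or as soon as 3 bits have been received."""
    lookup = {bits: name for name, (bits, _) in code.items()}
    out, word = [], ""
    for bit in bitstream:
        word += bit
        if bit == "0" or len(word) == 3:
            out.append(lookup[word])
            word = ""
    if word:
        raise ValueError("bitstream ends inside a codeword")
    return out

if __name__ == "__main__":
    probs = [p for _, p in CODE.values()]
    print("entropy        :", entropy(probs), "bits")
    print("average length :", float(average_length()), "bits/message")
    sample = list("ABCDAAB")  # constructed sample message sequence
    bits = encode(sample)
    print(bits, "->", decode(bits))
    # 10,000 messages: expected bits with this code vs. a fixed 2-bit code
    print(10_000 * average_length(), "vs", 10_000 * 2)
```

    The average codeword length equals the entropy here because every probability is a power of 1/2.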

    If an event has a probability = 1, the entropy is then 0, i.e. we don't need to encode such a message as it is the only possible value. The entropy is maximized when all the n messages are equally probable (1/n); we then have:


    1

    1

    Taking the English language for example, if all the letters have equal probabilities, the entropy is log2(26) ≈ 4.7. However, due to the structure of the language, the entropy of the characters for words with a large number of letters is in the range 1.0 to 1.5 bits, i.e. we can delete letters from the message and still be able to understand it: "mst ids cn b xprsd n fwr ltrs, bt th xprnc s mst nplsnt".

    This is due to the fact that:

    1. Some letters appear more than others
    2. Some digrams appear more than others (is, he) and some are even invalid (qz)
    3. Trigrams have similar behavior as digrams (the, you compared to qqq, qzf, zmy)
    4. Even words have a structure: "Programming language" is more likely than "language programming"

    Let the probability of a message Mi be p(Mi) and 1.
    Let the probability of a ciphertext Cj be p(Cj) and 1.
    Let the probability of using any key Kn be p(Kn) and 1.

    Assume the cryptanalyst received a ciphertext Cx. The probability of the message My for the cryptanalyst is p(My|Cx) (i.e. the probability of the message My given that the ciphertext Cx was received).

    Perfect secrecy is achieved when:

    | i.e. the reception of the ciphertext adds no new information at all.

    Example: Consider a system with 4 messages and 4 keys each with equal probability (1/4) as

    shown in the figure:

    Figure (1): Illustration of perfect secrecy

    Reception of C2 means either M1 was sent using K2 or M2 with K3 or M3 with K4 or M4 with K1. Hence, the probability of the message M1 (and actually all the other messages) is still 1/4. If message M4 (for instance) cannot lead to the ciphertext C2, then the probability of M1 becomes 1/3, i.e. some information has been obtained.
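    The posterior probabilities in this example, computed with Bayes' rule, as an added illustration that is not part of the original notes. The full message/key/ciphertext mapping of Figure (1) is an assumption: `cipher` is one mapping that reproduces the four pairs listed for C2, and `leaky` is a hypothetical variant in which M4 cannot produce C2.

```python
from fractions import Fraction

N = 4  # messages M1..M4, keys K1..K4, ciphertexts C1..C4

def cipher(m, k):
    """Assumed mapping: C2 arises from (M1,K2), (M2,K3), (M3,K4), (M4,K1)."""
    return (k - m) % N + 1

def leaky(m, k):
    """Hypothetical flawed system: M4 under K1 no longer yields C2."""
    return None if (m, k) == (4, 1) else cipher(m, k)

def posterior(c, p_msg, p_key, encrypt=cipher):
    """p(M | C = c): joint probability of each message with c, normalised."""
    joint = {m: sum(p_msg[m] * p_key[k] for k in p_key if encrypt(m, k) == c)
             for m in p_msg}
    total = sum(joint.values())
    return {m: j / total for m, j in joint.items()}

UNIFORM = {i: Fraction(1, N) for i in range(1, N + 1)}

if __name__ == "__main__":
    # Perfect secrecy: observing C2 leaves every message at its prior 1/4.
    print(posterior(2, UNIFORM, UNIFORM))
    # Flawed system: M4 is ruled out, the other messages rise to 1/3.
    print(posterior(2, UNIFORM, UNIFORM, leaky))
    # The prior need not be uniform: with equiprobable keys the posterior
    # still equals the prior, so the ciphertext adds no information.
    skewed = {1: Fraction(1, 2), 2: Fraction(1, 4),
              3: Fraction(1, 8), 4: Fraction(1, 8)}
    print(posterior(2, skewed, UNIFORM) == skewed)
```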

    The problem with the redundancy in languages is that some messages are not probable (i.e.

    meaningless) hence their probability is 0. These increase the probability of other messages and

    thus the cryptanalyst can guess which were sent with some additional information.


    The redundancy can be reduced by re-encoding (zipping) the information or by using multiple encryption stages, then it becomes difficult to find which messages are improbable (qqq can be the result from substitutions or transpositions).

    Feistel proposed the use of the following block cipher structure:

    Figure (2): Feistel Encryption and Decryption Proposal with n+1 rounds


    How Feistel Encryption/Decryption works

    For encryption:

    ,

    For decryption:

    , , , ,

    This can be generalized for any step i as follows:

    For encryption:

    1 , , 2

    For the decryption we want:

    3 4

    From (2), adding (XOR) F(LEi, Ki) to both sides:

    , 5

    From (3):

    6

    From (4):

    7

    We can rewrite (7) as:

    8

    Substituting (6), (7) and (8) in (5):

    , 9

    All we need is to make

    10

    and

    11
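    A runnable Feistel network showing the property this derivation establishes: decryption is the same structure run with the round keys in reverse order, even when F is not invertible. This is an added example, not code from the original notes; it uses the standard Feistel round (new left = old right, new right = old left XOR F(old right, K)), and the round function and keys are hypothetical.

```python
import hashlib

def round_function(half: bytes, key: bytes) -> bytes:
    """Toy F (assumed for illustration): truncated SHA-256, not invertible."""
    return hashlib.sha256(key + half).digest()[:len(half)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, round_keys) -> bytes:
    """Run one round per key, then swap the two halves."""
    if len(block) % 2:
        raise ValueError("block length must be even")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for key in round_keys:
        # L_i = R_(i-1);  R_i = L_(i-1) XOR F(R_(i-1), K_i)
        left, right = right, xor(left, round_function(right, key))
    return right + left  # final swap of the halves

def encrypt(block: bytes, round_keys) -> bytes:
    return feistel(block, round_keys)

def decrypt(block: bytes, round_keys) -> bytes:
    # Same network, keys applied in reverse order.
    return feistel(block, list(reversed(round_keys)))

if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]  # constructed sample round keys
    plaintext = b"8bytes!!"              # constructed 64-bit sample block
    ciphertext = encrypt(plaintext, keys)
    print(ciphertext.hex(), decrypt(ciphertext, keys))
```

    F is only ever computed in the forward direction; the XOR cancels it during decryption, which is why DES can use S-boxes that map 6 bits to 4.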

    The Data Encryption Standard (DES)

    Standardized by the US Department of Commerce under the National Bureau of Standards in 1997 for commercial, secure communications.

    Proposed by IBM, based on an algorithm called Lucifer. Uses a 56-bit key (+8 bits used as parity bits) and 16 rounds. DES is an implementation of the Feistel proposal. It is a 64-bit encryption algorithm. Referring to figure (3), the algorithm works as follows:

    1. Data is input as a 64-bit block
    2. Data is permuted using the Initial Permutation (IP)
    3. Data is divided into left (L) and right (R) 32-bit blocks
    4. Data then enters a cycle which will be repeated 16 times
    5. The R block is expanded and permuted to form a 48-bit block
    6. The block of 48 bits is XORed with the 48 bits of the key (key explained later)


    7. The output of the XOR (48 bits) is passed to the 8 substitution (S) boxes which accept 6 input bits and produce 4 output bits each (output = 4 bits × 8 boxes = 32 bits)
    8. The substituted bits are then permuted
    9. The permuted bits are XORed with the L block and the result is stored in a temporary storage
    10. The R block is copied to the L block
    11. The temp block is copied to the R block
    12. This is the end of the round
    13. If this is not round 16, go to step 5, otherwise go to step 14
    14. The L and R blocks are swapped and passed to the inverse Permutation (IP-1)
    15. The result is the ciphertext

    Figure (3): The Logical Structure of DES

    For the key, 64 bits (actually 56 since 8 are ignored) are passed to Permuted Choice 1 (PC-1)

    which selects and permutes 56 bits. The 56 bits are split into 2 blocks of 28 bits (C and D) which

    are stored in shift registers. Every round, the shift registers are shifted to the left (with feedback)

    1 or 2 positions depending on the round number. The output from the shift registers is then

    reduced and permuted using Permuted Choice 2 (PC-2) to produce the 48 bits key for that round.

    Reducing the number of bits is achieved by deleting some bits whereas expanding the block is

    achieved by repeating some bits.


    The IP and IP-1 permutations are shown in tables (2) and (3). Taking table (2) as an example, the first bit of the output is the 58th bit from the input followed by the 50th, 42nd and so on. The last bit is the 7th bit from the input. The same logic is used to calculate the output of IP-1 from table (3).

    58 50 42 34 26 18 10 2

    60 52 44 36 28 20 12 4

    62 54 46 38 30 22 14 6

    64 56 48 40 32 24 16 8

    57 49 41 33 25 17 9 1

    59 51 43 35 27 19 11 3

    61 53 45 37 29 21 13 5

    63 55 47 39 31 23 15 7

    Table (2): IP Permutation

    40 8 48 16 56 24 64 32

    39 7 47 15 55 23 63 31

    38 6 46 14 54 22 62 30

    37 5 45 13 53 21 61 29

    36 4 44 12 52 20 60 28

    35 3 43 11 51 19 59 27

    34 2 42 10 50 18 58 26

    33 1 41 9 49 17 57 25

    Table (3): IP-1 Permutations
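    How the two tables are read and how they relate, as an added example that is not part of the original notes: `permute` applies a table exactly as described above, and `invert` derives IP-1 from IP so the two can be cross-checked. The 64-bit input block is a constructed sample value.

```python
# Table (2): output bit i (1 = leftmost) is taken from input bit IP[i-1].
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]

def permute(block: int, table, in_bits: int) -> int:
    """Build the output left to right from the input bits the table names."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (in_bits - src)) & 1)
    return out

def invert(table):
    """If output position i reads input bit src, the inverse table must
    read position i when producing bit src."""
    inverse = [0] * len(table)
    for i, src in enumerate(table, start=1):
        inverse[src - 1] = i
    return inverse

IP_INV = invert(IP)

if __name__ == "__main__":
    block = 0x0123456789ABCDEF  # constructed sample block
    mixed = permute(block, IP, 64)
    print(f"IP(block)       = {mixed:016X}")
    print(f"IP-1(IP(block)) = {permute(mixed, IP_INV, 64):016X}")
    # Rows of the derived inverse, for comparison with Table (3);
    # the last row comes out as 33 1 41 9 49 17 57 25.
    for row in range(0, 64, 8):
        print(*IP_INV[row:row + 8])
```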

    The expansion function (E) is shown in table (4). Note that some bits are repeated to increase the

    size of the block from 32 to 48 bits. The permutation (P) is shown in table (5).

    32 1 2 3 4 5 32 1

    4 5 6 7 8 9 4 5

    8 9 10 11 12 13 8 9

    12 13 14 15 16 17 12 13

    16 17 18 19 20 21 16 17

    20 21 22 23 24 25 20 21

    24 25 26 27 28 29 24 25

    28 29 30 31 32 1 28 29

    Table (4): Expansion Function E

    16 7 20 21

    29 12 28 17

    1 15 23 26

    5 18 31 10

    2 8 24 14

    32 27 3 9

    19 13 30 6

    22 11 4 25

    Table (5): Permutation (P)

    The substitution boxes (S1 to S8) are given in tables (6) to (13). The input is a 6-bit value. The

    first and last bits select one of the rows while the 4 bits in the middle select one of the columns.


    The decimal value at the intersection of the selected row and column is the output and is encoded

    using 4 bits (note that the decimal value never exceeds 15).

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7

    01 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8

    10 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0

    11 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

    Table (6): Substitution Box S1

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10

    01 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5

    10 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15

    11 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

    Table (7): Substitution Box S2

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8

    01 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1

    10 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7

    11 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

    Table (8): Substitution Box S3

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15

    01 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9

    10 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4

    11 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

    Table (9): Substitution Box S4

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9

    01 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6

    10 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14

    11 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

    Table (10): Substitution Box S5

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11

    01 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8

    10 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6

    11 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

    Table (11): Substitution Box S6

    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1

    01 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6

    10 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2

    11 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

    Table (12): Substitution Box S7


    0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

    00 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7

    01 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2

    10 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8

    11 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

    Table (13): Substitution Box S8

    For the key, the Permutation Choice 1 and 2 are shown in tables (6) and (7) respectively. Note

    that only 56 bits are used while the other 8 bits are ignored.

    Left

    57 49 41 33 25 17 9

    1 58 50 42 34 26 18

    10 2 59 51 43 35 27

    19 11 3 60 52 44 36

    Right

    63 55 47 39 31 23 15

    7 62 54 46 38 30 22

    14 6 61 53 45 37 29

    21 13 5 28 20 12 4

    Table (14): Permutation Choice 1 (PC-1)

    14 17 11 24 1 5

    3 28 15 6 21 10

    23 19 12 4 26 8

    16 7 27 20 13 2

    41 52 31 37 47 55

    30 40 51 45 33 48

    44 49 39 56 34 53

    46 42 50 36 29 32

    Table (15): Permutation Choice 2 (PC-2)

    Finally, table (16) shows the number of shifts the registers perform each round for the key.

    Round Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

    Number of Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

    Table (16): Shifts Schedule