7/31/2019 3 Cipher Security
Cipher Security
Entropy: it is the amount of information in a message measured by the average number of bits
needed to encode all possible messages using an optimal encoding.
Let there be n messages X1, X2, ..., Xn occurring with probabilities p(X1), p(X2), ..., p(Xn) such
that:
1
The entropy (H(X)) in bits is calculated as:
1
Suppose we have 2 possibilities with probabilities (1/2, 1/2); we need:
$$H(X) = \tfrac{1}{2}\log_2 2 + \tfrac{1}{2}\log_2 2 = 1$$
1 bit is required to encode these messages (possibilities). If we have 4 possibilities with
probabilities (1/8, 1/2, 1/4, 1/8), then:
$$H(X) = \tfrac{1}{8}\log_2 8 + \tfrac{1}{2}\log_2 2 + \tfrac{1}{4}\log_2 4 + \tfrac{1}{8}\log_2 8 = 1\tfrac{3}{4}$$
Such messages are encoded as follows:
1. The message with the highest probability (1/2) is encoded with 1 bit (say 0)
2. The message with the next highest probability (1/4) is encoded with 2 bits, the first one is different from the one in step 1 (10)
3. The message with the next highest probability (1/8) is encoded with 3 bits, the first is different from the one in step 1 and the second is different from the one in step 2 (110)
4. The steps above are continued until only one message is left. For the last message, the last bit is simply inverted (111)
The above optimum encoding results in the following encoding (assuming leftmost bit transmitted first):
Message Probability Message Code
1/2 0
1/4 10
1/8 110
1/8 111
Table (1): Optimal encoding of the messages
The receiver has no difficulty decoding this message. If a 0 is received, then this is the end of the
message; if a 1 is received, then the receiver continues receiving bits until a zero is received or 3
bits are received, and then decodes the message according to the table above. This encoding is
more efficient than using 2 bits to encode all the messages. This is due to the unequal
probabilities of the messages. For instance, suppose 10,000 messages are to be transmitted: we
expect half of them to be the message with the code 0, one quarter of them to be the message
with the code 10, and the rest (one quarter) to be divided equally between the messages 110 and 111.
Such an encoding results in an average of 1 3/4 bits/message.
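The following added example (not part of the original notes) builds the code with the four-step procedure above, checks that its average length equals the entropy for the probabilities (1/8, 1/2, 1/4, 1/8), and decodes a bit stream the way the receiver is described as doing. The function names and the sample bit stream are constructed for illustration.

```python
from fractions import Fraction
from math import log2

def entropy(probs):
    """H(X) = sum of p * log2(1/p) over all outcomes with p > 0, in bits."""
    return sum(float(p) * log2(1 / float(p)) for p in probs if p > 0)

def build_code(probs):
    """Procedure from the notes: rank messages by descending probability;
    rank k gets k ones followed by a zero, the last message gets all ones."""
    order = sorted(range(len(probs)), key=lambda i: -probs[i])
    code = {}
    for rank, idx in enumerate(order):
        last = rank == len(order) - 1
        code[idx] = "1" * rank if last else "1" * rank + "0"
    return code

def average_length(probs, code):
    """Expected number of bits per message under the given code."""
    return sum(p * len(code[i]) for i, p in enumerate(probs))

def decode(bits, code):
    """Receiver: read left to right and emit a message as soon as the bits
    collected so far form a codeword (the code is prefix-free)."""
    inverse = {word: msg for msg, word in code.items()}
    out, word = [], ""
    for b in bits:
        word += b
        if word in inverse:
            out.append(inverse[word])
            word = ""
    if word:
        raise ValueError("truncated codeword: " + word)
    return out

# Probabilities from the notes, in the order they are listed there.
PROBS = [Fraction(1, 8), Fraction(1, 2), Fraction(1, 4), Fraction(1, 8)]
CODE = build_code(PROBS)  # message index -> codeword

if __name__ == "__main__":
    print("entropy       :", entropy(PROBS), "bits")
    print("code          :", CODE)
    print("average length:", average_length(PROBS, CODE), "bits/message")
    print("decoded       :", decode("0101100111", CODE))  # constructed stream
```

A fixed 2-bit code for the same four messages would cost 2 bits/message; the gap to the 1 3/4 figure is exactly what the unequal probabilities buy.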
If an event has a probability = 1, the entropy is then 0, i.e. we don't need to encode such a
message as it is the only possible value. The entropy is maximized when all the n messages are
equally probable (1/n), we then have:
1
1
Taking the English language for example, if all the letters have equal probabilities, the entropy is
$\log_2 26 \approx 4.7$. However, due to the structure of the language, the entropy of the characters for words with a large
number of letters is in the range 1.0 to 1.5 bits, i.e. we can delete letters from the message and
still be able to understand it: "mst ids cn b xprsd n fwr ltrs, bt th xprnc s mst nplsnt".
This is due to the fact that:
1. Some letters appear more than others
2. Some digrams appear more than others (is, he) and some are even invalid (qz)
3. Trigrams have similar behavior as digrams (the, you compared to qqq, qzf, zmy)
4. Even words have a structure: "programming language" is more likely than "language programming"
Let the probability of a message Mi be p(Mi) and 1.
Let the probability of a ciphertext Cj be p(Cj) and 1.
Let the probability of using any key Kn be p(Kn) and 1.
Assume the cryptanalyst received a ciphertext Cx. The probability of the message My for the
cryptanalyst is p(My|Cx) (i.e. the probability of the message My given that the ciphertext Cx was
received).
Perfect secrecy is achieved when:
| i.e. the reception of the ciphertext adds no new information at all.
Example: Consider a system with 4 messages and 4 keys each with equal probability (1/4) as
shown in the figure:
Figure (1): Illustration of perfect secrecy
Reception of C2 means either M1 was sent using K2 or M2 with K3 or M3 with K4 or M4 with K1.
Hence, the probability of the message M1 (and actually all the other messages) is still 1/4. If
message M4 (for instance) cannot lead to the ciphertext C2, then the probability of M1 becomes
1/3, i.e. some information has been obtained.
The problem with the redundancy in languages is that some messages are not probable (i.e.
meaningless) hence their probability is 0. These increase the probability of other messages and
thus the cryptanalyst can guess which were sent with some additional information.
[Diagram for figure (1): messages M1 to M4 linked to ciphertexts C1 to C4, each link labelled with one of the keys K1 to K4]
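The following added example (not part of the original notes) computes the cryptanalyst's p(M|C) by Bayes' rule for the 4-message, 4-key system and for the variant in which M4 cannot lead to C2. The mapping formula is an assumption chosen to reproduce the four (message, key) pairs the text lists for C2; the rest of the figure, and sending (M4, K1) to C1 in the variant, are also assumptions.

```python
from fractions import Fraction

def posterior(prior, key_prob, encrypt, c):
    """p(M | C = c): weight every (message, key) pair that produces c."""
    joint = {}
    for m, pm in prior.items():
        for k, pk in key_prob.items():
            if encrypt(m, k) == c:
                joint[m] = joint.get(m, Fraction(0)) + pm * pk
    total = sum(joint.values())
    return {m: joint.get(m, Fraction(0)) / total for m in prior}

def perfect(m, k):
    # Assumed mapping: ciphertext index = ((k - m) mod 4) + 1.
    # It gives C2 for (M1,K2), (M2,K3), (M3,K4), (M4,K1), as in the text.
    return (k - m) % 4 + 1

def leaky(m, k):
    # Variant from the text: M4 can no longer produce C2.
    # Assumption: the pair (M4, K1) yields C1 instead.
    return 1 if (m, k) == (4, 1) else perfect(m, k)

def is_perfectly_secret(prior, key_prob, encrypt, ciphertexts=range(1, 5)):
    """Perfect secrecy: p(M | C) equals p(M) for every ciphertext."""
    return all(posterior(prior, key_prob, encrypt, c) == prior
               for c in ciphertexts)

UNIFORM = {i: Fraction(1, 4) for i in range(1, 5)}
# Constructed prior modelling redundancy: M3 and M4 are "meaningless".
SKEWED = {1: Fraction(1, 2), 2: Fraction(1, 2), 3: Fraction(0), 4: Fraction(0)}

if __name__ == "__main__":
    print("perfect, C2:", posterior(UNIFORM, UNIFORM, perfect, 2))
    print("leaky,   C2:", posterior(UNIFORM, UNIFORM, leaky, 2))
    print("perfect secrecy holds:", is_perfectly_secret(UNIFORM, UNIFORM, perfect))
    print("leaky keeps secrecy  :", is_perfectly_secret(UNIFORM, UNIFORM, leaky))
```

With the `SKEWED` prior the first system still returns the prior unchanged for every ciphertext, so whatever the cryptanalyst learns comes from the language statistics rather than from the ciphertext.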
The redundancy can be reduced by re-encoding (zipping) the information or by using multiple
encryption stages, then it becomes difficult to find which messages are improbable (qqq can be
the result from substitutions or transpositions).
Feistel proposed the use of the following block cipher structure:
Figure (2): Feistel Encryption and Decryption Proposal with n+1 rounds
How Feistel Encryption/Decryption works
For encryption:
,
For decryption:
, , , ,
This can be generalized for any step i as follows:
For encryption:
1 , , 2
For the decryption we want:
3 4
From (2), adding (XOR) F(LEi, Ki) to both sides:
, 5
From (3):
6
From (4):
7
We can rewrite (7) as:
8
Substituting (6), (7) and (8) in (5):
, 9
All we need is to make
10
and
11
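The following added example (not part of the original notes) runs a Feistel network in both directions to show the property the derivation above establishes: decryption is the same network with the subkeys applied in reverse order, even when F itself cannot be inverted. The round equations in the comments are the usual Feistel formulation, and the hash-based F, the 64-bit block size and the sample subkeys are assumptions made for illustration; this is not DES.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def F(half, key):
    """Toy round function (an assumption, not the DES F): SHA-256 of the
    32-bit half and the subkey, truncated to 32 bits. Not invertible."""
    digest = hashlib.sha256(half.to_bytes(4, "big") + key).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, round_keys):
    """Apply LE_i = RE_(i-1), RE_i = LE_(i-1) XOR F(RE_(i-1), K_i) for each
    subkey in turn, then swap the two halves of the 64-bit block."""
    left, right = block >> 32, block & MASK32
    for key in round_keys:
        left, right = right, left ^ F(right, key)
    return (right << 32) | left  # final swap

def encrypt(block, round_keys):
    return feistel(block, round_keys)

def decrypt(block, round_keys):
    # Same network; only the order of the subkeys is reversed.
    return feistel(block, round_keys[::-1])

# Constructed sample data: 16 four-byte subkeys and one 64-bit block.
SAMPLE_KEYS = [bytes([i]) * 4 for i in range(1, 17)]
SAMPLE_BLOCK = 0x0123456789ABCDEF

if __name__ == "__main__":
    ct = encrypt(SAMPLE_BLOCK, SAMPLE_KEYS)
    print("ciphertext      : %016x" % ct)
    print("decrypted       : %016x" % decrypt(ct, SAMPLE_KEYS))
    print("wrong key order : %016x" % feistel(ct, SAMPLE_KEYS))
```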
The Data Encryption Standard (DES)
- Standardized by the US Department of Commerce under the National Bureau of Standards in 1997 for commercial, secure communications.
- Proposed by IBM, based on an algorithm called Lucifer.
- Uses a 56-bit key (+8 bits used as parity bits) and 16 rounds.
- DES is an implementation of the Feistel proposal.
- It is a 64-bit encryption algorithm.

Referring to figure (3), the algorithm works as follows:
1. Data is input as a 64-bit block
2. Data is permuted using the Initial Permutation (IP)
3. Data is divided into left (L) and right (R) 32-bit blocks
4. Data then enters a cycle which will be repeated 16 times
5. The R block is expanded and permuted to form a 48-bit block
6. The block of 48 bits is XORed with the 48 bits of the key (key explained later)
7. The output of the XOR (48 bits) is passed to the 8 substitution (S) boxes, which accept 6 input bits and produce 4 output bits each (output = 4 bits × 8 boxes = 32 bits)
8. The substituted bits are then permuted
9. The permuted bits are XORed with the L block and the result is stored in a temporary storage
10. The R block is copied to the L block
11. The temp block is copied to the R block
12. This is the end of the round
13. If this is not round 16, go to step 5, otherwise go to step 14
14. The L and R blocks are swapped and passed to the inverse Permutation (IP-1)
15. The result is the ciphertext
Figure (3): The Logical Structure of DES
For the key, 64 bits (actually 56 since 8 are ignored) are passed to Permuted Choice 1 (PC-1)
which selects and permutes 56 bits. The 56 bits are split into 2 blocks of 28 bits (C and D) which
are stored in shift registers. Every round, the shift registers are shifted to the left (with feedback)
1 or 2 positions depending on the round number. The output from the shift registers is then
reduced and permuted using Permuted Choice 2 (PC-2) to produce the 48 bits key for that round.
Reducing the number of bits is achieved by deleting some bits whereas expanding the block is
achieved by repeating some bits.
The IP and IP-1 permutations are shown in tables (2) and (3). Taking table (2) as an example, the
first bit of the output is the 58th bit from the input, followed by the 50th, 42nd and so on. The last bit
is the 7th bit from the input. The same logic is used to calculate the output of IP-1 from table (3).
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Table (2): IP Permutation
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 2
Table (3): IP-1 Permutations
The expansion function (E) is shown in table (4). Note that some bits are repeated to increase the
size of the block from 32 to 48 bits. The permutation (P) is shown in table (5).
32 1 2 3 4 5 32 1
4 5 6 7 8 9 4 5
8 9 10 11 12 13 8 9
12 13 14 15 16 17 12 13
16 17 18 19 20 21 16 17
20 21 22 23 24 25 20 21
24 25 26 27 28 29 24 25
28 29 30 31 32 1 28 29
Table (4): Expansion Function E
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
Table (5): Permutation (P)
The substitution boxes (S1 to S8) are given in tables (6) to (13). The input is a 6-bit value. The
first and last bits select one of the rows while the 4 bits in the middle select one of the columns.
The decimal value at the intersection of the selected row and column is the output and is encoded
using 4 bits (note that the decimal value never exceeds 15).
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
01 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
10 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
11 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Table (6): Substitution Box S1
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
01 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
10 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
11 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
Table (7): Substitution Box S2
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
01 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
10 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
11 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
Table (8): Substitution Box S3
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
01 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
11 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
Table (9): Substitution Box S4
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
01 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
10 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
Table (10): Substitution Box S5
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
01 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
10 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
11 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
Table (11): Substitution Box S6
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
01 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
10 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
11 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
Table (12): Substitution Box S7
0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
01 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
10 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
11 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Table (13): Substitution Box S8
For the key, Permuted Choice 1 and 2 are shown in tables (14) and (15) respectively. Note
that only 56 bits are used while the other 8 bits are ignored.
Left
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
Right
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Table (14): Permutation Choice 1 (PC-1)
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
Table (15): Permutation Choice 2 (PC-2)
Finally, table (16) shows the number of shifts the registers perform each round for the key.
Round Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Number of Shifts 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Table (16): Shifts Schedule