Applied Cryptology 2.2: SPN and Feistel

Cihangir Tezcan

20 Oct 202029:07

Summary

TLDRThis script delves into the intricacies of block ciphers, focusing on two main types: SPN (Substitution-Permutation Network) and Feistel networks. It explains the structure and function of each, using AES and PRESENT as SPN examples, and highlighting their layers of encryption. It also touches on cipher design considerations, such as platform suitability, security vs. speed, and the evolution of encryption standards from DES to AES. The lecture underscores the importance of key length in security, illustrating the impracticality of brute force attacks on modern ciphers like AES-256, and briefly mentions cryptanalysis techniques.

Takeaways

🔑 Block ciphers can be classified into two types: SPN (Substitution-Permutation Network) and Feistel networks, each with unique structures and characteristics.
🔄 In an SPN cipher, the process involves key addition, substitution for confusion, permutation for diffusion, and repeated rounds to produce the ciphertext.
🔒 AES (Advanced Encryption Standard) is an example of an SPN cipher widely used for its security and efficiency, with varying key lengths affecting the number of encryption rounds.
🔑 The security of a block cipher is based on the secrecy of the key, assuming all details of the encryption algorithm are public, which is known as Kerckhoffs's principle.
🛡️ Feistel ciphers, such as the DES (Data Encryption Standard), involve a round function and a swap operation, with the encryption and decryption processes being similar, differing only in the order of round keys.
🔩 The design of block ciphers must consider factors like platform suitability (hardware vs. software), security vs. speed trade-offs, and the target application's specific requirements.
🌐 Light-weight cryptography focuses on creating secure algorithms suitable for devices with limited memory and computational power, such as those used in IoT (Internet of Things).
🚫 DES is no longer recommended for secure encryption due to its short key length of 56 bits, making it vulnerable to brute force attacks.
🔍 Cryptanalysis techniques, such as differential cryptanalysis and linear cryptanalysis, are used to find weaknesses in cryptographic algorithms to improve their security.
💡 The key length of a cipher is crucial for security; longer keys like those in AES (128, 192, 256 bits) provide a significantly higher number of possible keys and thus greater security.
⏱️ The time complexity of breaking a cipher through exhaustive search increases exponentially with key length, making longer keys like AES-256 practically unbreakable with current technology.

Q & A

What are the two main types of block ciphers discussed in the script?
-The two main types of block ciphers discussed are SPN (Substitution-Permutation Network) and Feistel ciphers.
What is the purpose of the key addition layer in an SPN cipher?
-The key addition layer in an SPN cipher combines the key material with the plaintext, providing an initial mixing of the key into the data before the rounds of substitution and permutation.
Can you explain the role of the substitution layer in an SPN cipher?
-The substitution layer in an SPN cipher provides confusion by substituting certain inputs with specific outputs, creating a complex relationship between the plaintext and the ciphertext.
What does the permutation layer in an SPN cipher achieve?
-The permutation layer in an SPN cipher provides diffusion by rearranging the bits of the data, ensuring that changes in one bit of the plaintext affect multiple bits in the ciphertext.
Why is the round key addition after each round important in SPN ciphers?
-The round key addition after each round is important because it prevents an attacker from easily reversing the cipher's operations without knowing the key, thus maintaining the security of the encryption.
What is the block size and key length of the PRESENT cipher mentioned in the script?
-The block size of the PRESENT cipher is 64 bits, and the key length can be either 80 bits or 128 bits, although 128 bits is recommended for better security.
What is the main advantage of Feistel ciphers in terms of encryption and decryption processes?
-The main advantage of Feistel ciphers is that the encryption and decryption algorithms are identical, with only the order of the round keys changing, which simplifies the implementation.
How does the security of a block cipher compare to an exhaustive search attack?
-The security of a block cipher is upper-bounded by the exhaustive search attack, which requires 2^k encryptions for a k-bit key cipher. Any weakness that allows breaking the cipher with fewer operations is considered a successful cryptanalysis attack.
What is the significance of the DES (Data Encryption Standard) in the history of cryptography?
-DES was a widely used encryption standard developed by IBM in the 1970s, but its key length was reduced to 56 bits by the NSA, making it vulnerable to brute force attacks. It was eventually replaced by the AES due to security concerns.
Why is the key length important in determining the security of a block cipher?
-The key length is crucial for the security of a block cipher because it determines the number of possible keys an attacker must try in a brute force attack. A longer key length exponentially increases the difficulty of such attacks, thus enhancing security.
What are some of the hardware options available for performing exhaustive search attacks?
-Some hardware options for performing exhaustive search attacks include CPUs, GPUs, FPGAs (Field Programmable Gate Arrays), and ASICs (Application-Specific Integrated Circuits), each with their own advantages in terms of speed, cost, and efficiency.

Outlines

00:00

🔒 Introduction to Block Ciphers and SPN Structure

This paragraph introduces the concept of block ciphers and delves into the Substitution-Permutation Network (SPN) structure. It explains that SPNs consist of three layers: key addition, substitution, and permutation, which are repeated multiple times to achieve encryption. The paragraph uses the AES and PRESENT ciphers as examples of SPNs. It also discusses the importance of the initial and final key addition layers in preventing attackers from easily reversing the encryption process. The security principle of Kerckhoffs's assumption is highlighted, which states that the encryption algorithm can be public knowledge, with only the key remaining secret.

05:03

🔄 Understanding the Permutation-Substitution Network (Feistel Ciphers)

The second paragraph explores the Feistel cipher structure, which is an alternative to SPNs. It describes the round function and the data swapping operation that characterizes Feistel ciphers. The paragraph provides an illustration of how data is divided, processed through a round function, and then swapped to provide confusion and diffusion. An example of a Feistel cipher, the CLAWIA block cipher, is given, showing how bits are manipulated across multiple rounds. The pros of Feistel ciphers are noted, such as the identical encryption and decryption algorithms, with only the order of round keys differing.

10:03

🛡️ Design Considerations for Block Ciphers

This paragraph discusses various factors to consider when designing block ciphers, such as the platform (hardware vs. software), the need for lightweight cryptography, and the trade-off between security and speed. It touches on the importance of cipher design in hardware implementation, affecting the number of gates and area required, and the impact on power and latency. The paragraph also mentions the significance of designing for specific use cases, such as the Internet of Things, where devices may have limited memory and computational power.

15:04

🚫 The Data Encryption Standard (DES) and Its Limitations

The fourth paragraph examines the history and shortcomings of the Data Encryption Standard (DES). Initially designed by IBM with a 128-bit key, the NSA reduced it to 56 bits, making it vulnerable to brute force attacks. The paragraph details the involvement of the NSA in modifying the S-boxes of DES and the subsequent discovery of cryptanalysis techniques like differential cryptanalysis. It emphasizes that DES is no longer considered secure and should not be used.

20:06

🔓 The Evolution of Cryptanalysis and the Rise of AES

This paragraph delves into the development of cryptanalysis, starting with the exhaustive search attack and moving on to more sophisticated techniques like differential and linear cryptanalysis. It discusses the impact of these techniques on the security of DES and the eventual introduction of the Advanced Encryption Standard (AES), which emerged from a competition and offers longer key lengths and a larger block size, making it more secure against known attacks.

25:09

💡 The Importance of Key Length in Block Cipher Security

The sixth paragraph emphasizes the significance of key length in determining the security of a block cipher. It provides a comparison of the number of possible keys for DES, PRESENT, and AES with different key lengths, illustrating the exponential increase in security with longer keys. The discussion includes the impracticality of brute force attacks on ciphers with sufficiently long keys, even with powerful computational resources like GPUs, and the potential for collaborative efforts to break weaker ciphers like PRESENT with 80-bit keys.

Mindmap

Keywords

💡SPN (Substitution-Permutation Network)

SPN, which stands for Substitution-Permutation Network, is a cryptographic concept that describes a type of block cipher structure. It consists of three layers: key addition, substitution, and permutation. The video script explains that SPN ciphers like AES or PRESENT are composed of these layers to provide confusion and diffusion, which are essential for the security of the encryption process. The script uses the example of the PRESENT cipher to illustrate how an SPN operates, emphasizing its simplicity and the role of the S-box in creating confusion.

💡Block Cipher

A block cipher is an encryption method that applies a deterministic algorithm along with a symmetric key to encrypt a block of text, rather than encrypting one bit at a time. The script discusses block ciphers in the context of SPN and Feistel networks, highlighting their use in secure communication. Block ciphers are fundamental to the video's theme, as they form the basis for the encryption algorithms being analyzed.

💡Feistel Cipher

A Feistel Cipher is a type of symmetric key block cipher that uses a repeating round function created by Horst Feistel. The script introduces this concept by explaining its structure, which includes a round function and a swap operation. It is used to contrast with SPN ciphers, showing an alternative approach to cryptographic design that also aims to provide security through confusion and diffusion.

💡Key Schedule

The key schedule in cryptography refers to the way in which a cipher generates round keys from a main key. The script mentions the key schedule algorithm, which provides round keys for each round of encryption in both SPN and Feistel ciphers. It is crucial for understanding how encryption keys are managed and used throughout the encryption process.

💡Confusion and Diffusion

Confusion and diffusion are two primary goals in the design of block ciphers. Confusion provides security by making the relationship between the key and the ciphertext as complex as possible, while diffusion spreads the influence of a single plaintext bit over many ciphertext bits. The script explains these concepts in the context of the SPN's substitution layer and permutation layer, respectively.

💡Ciphertext

Ciphertext, also known as enciphered text, is the output of an encryption algorithm. The script discusses how ciphertext is obtained at the end of the encryption process in both SPN and Feistel ciphers. It also touches on the security aspect, explaining how the use of round keys in the encryption process protects the ciphertext from being easily decrypted without the key.

💡Lightweight Cryptography

Lightweight cryptography refers to cryptographic algorithms designed to be efficient in terms of computation, power usage, and memory requirements, making them suitable for use in constrained environments like IoT devices. The script mentions lightweight cryptography when discussing the PRESENT and CLAWIA ciphers, which are designed for such applications.

💡Differential Cryptanalysis

Differential cryptanalysis is a form of cryptanalysis that attempts to exploit the probability of certain differences between the plaintexts to reveal the key. The script refers to this technique when discussing the security of the DES algorithm and how it was affected by the NSA's tweaking of the S-boxes, which was intended to counteract such attacks.

💡Exhaustive Search Attack

An exhaustive search attack, also known as a brute force attack, involves trying all possible keys until the correct one is found. The script explains this attack in the context of the security of block ciphers, stating that the security of a cipher is upper-bounded by the time it would take to perform an exhaustive search, which is 2^k encryptions for a k-bit key.

💡DES (Data Encryption Standard)

DES, or Data Encryption Standard, was a symmetric-key algorithm for the encryption of electronic data, which was originally designed by IBM and later became a standard after being modified by the NSA. The script discusses DES in the context of its historical significance and vulnerabilities, particularly due to its short key length, which made it susceptible to brute force attacks.

💡AES (Advanced Encryption Standard)

AES, or Advanced Encryption Standard, is a symmetric encryption standard adopted by the U.S. government. The script mentions AES as the successor to DES and highlights its use of longer key lengths and a larger block size, making it more secure against modern cryptographic attacks.

Highlights

Introduction of two types of block ciphers: SPN (Substitution Permutation Network) and Feistel ciphers.

Explanation of SPN's three layers: key addition, substitution, and permutation.

AES and PRESENT as examples of SPN ciphers.

Importance of round keys in preventing attackers from obtaining intermediate values.

The principle of Kerckhoffs's assuming all details of the encryption algorithm are public except the key.

PRESENT cipher as a standard for lightweight cryptography with a block size of 64 bits and key lengths of 80 or 128 bits.

The simplicity and hardware orientation of the PRESENT cipher.

Feistel ciphers introduced by Horst Feistel, consisting of a round function and a swap operation.

The encryption and decryption process of Feistel ciphers being identical except for the order of round keys.

Comparison of SPN and Feistel ciphers in terms of their pros and cons, including the impact of a single round on the input.

Considerations for block cipher design, such as platform, security versus speed, and hardware implementation.

The concept of lightweight cryptography and its focus on secure algorithms with minimal resource requirements.

The history and development of the Data Encryption Standard (DES), including NSA's involvement and its eventual deprecation.

Differential cryptanalysis as a technique to find weaknesses in cryptographic algorithms.

The impact of key length on security and the exponential increase in possible keys with longer key lengths.

The use of various computational devices for exhaustive search attacks, including CPUs, GPUs, FPGAs, and ASICs.

The impracticality of brute force attacks on ciphers with sufficiently long key lengths, even with modern computational power.

Transcripts

00:02

so we said that there are

00:03

uh two types that we can classify block

00:06

ciphers into

00:08

spn and face that so let's start with

00:10

spn

00:11

in other words substitution permutation

00:13

network around

00:15

a spn consists of three layers

00:18

key addition which combines key material

00:20

with the plain text

00:22

substitution layer which provides

00:24

confusion

00:25

and permutation layer which provides

00:27

diffusion block

00:29

ciphers like aes or present are examples

00:32

of

00:32

spn which are going to be which we are

00:35

going to

00:37

analyze in this course frequently

00:41

so i try to draw a picture of what an

00:45

spn looks like

00:46

so you have the plain text block here

00:49

at first layer initially you have to

00:52

combine it with the

00:53

key so you have the key and the key

00:56

schedule algorithm which provides round

00:58

keys

00:59

so you combine your first round key with

01:02

your plain text block

01:04

most of the time we use simple

01:05

operations like xor operation here

01:08

then the actual run starts which

01:10

consists of substitution permutation and

01:12

again add round key

01:14

here again this is the confusion layer

01:16

this is the permutation layer and this

01:18

is the key addition layer

01:20

so one round consists of these three

01:22

layers you repeat it many times

01:25

and at the end you obtain the cipher

01:27

text so

01:30

as you can see initially

01:33

at the beginning and at the end you have

01:35

the add run key because

01:37

if you don't use this layer for instance

01:40

assume that there is no add-on key here

01:42

and you have the ciphertext block here

01:45

and an adversary captures the ciphertext

01:47

block

01:48

they can go upwards and

01:52

perform the inverse of the permutation

01:54

and inverse of the substitution layer so

01:57

they can reach to here so this means

01:59

that these layers has no effect

02:01

but once you use the round key here and

02:03

since the attacker does not know this

02:05

value

02:06

they cannot obtain the value here so

02:08

they cannot capture the intermediate

02:10

values

02:11

uh going upwards or even if they know

02:13

what the plaintext block is

02:15

they cannot go forward since they don't

02:17

know the key so this is why we are

02:19

using the cachos principle we are

02:22

assuming that

02:22

all of the details of the encryption

02:25

algorithm is

02:26

public and only secret information is

02:29

the key

02:30

so this is why the attacker cannot

02:33

capture

02:34

plain text block from ciphertext or

02:36

intermediate values and so on

02:37

or the key so

02:41

here's an example for an spn cipher

02:45

this is present which is iso iec

02:48

standard for lightweight cryptography

02:52

this standard contains only two block

02:55

ciphers present

02:56

and clavia so present cipher is really

03:00

simple

03:01

it is designed for hardware the block

03:03

size is 64 bits

03:05

and in this picture each line actually

03:07

represents a single bit so there are 64

03:10

lines here

03:12

key length is 80 bits or 128 bits

03:16

it depends on the user but the algorithm

03:20

doesn't change much the key schedule

03:22

algorithm is very similar in both cases

03:25

so

03:26

in my opinion there is no point of using

03:28

the 80 bit key because

03:30

you will be losing a lot of security at

03:32

this point because

03:34

uh i believe that it is not that hard

03:37

to perform brute force attacks for the

03:40

8-bit key which

03:41

i will be briefly mention this

03:46

briefly mentioning this before the end

03:47

of this lecture

03:49

so you have a

03:52

key but here you will be using 64 bits

03:56

of that key which is the round key and

04:00

you have an s box here this is

04:03

actually the confusion layer you have

04:06

the same

04:07

box which has four bits of input and

04:10

four bits of

04:11

output and you repeat this operation 16

04:14

times

04:14

and the definition of this box is given

04:17

here in the hexadecimal notation

04:19

so for instance if the input of this s

04:22

box

04:22

is zeros here so you have zero zero zero

04:27

0 this means that in hexadecimal

04:29

notation your input is 0.

04:31

so the output will be c in the

04:35

integer notation this is 12 but in the

04:38

bit notation if the rightmost

04:40

bit is the least significant bit which

04:42

is the case most of the time in

04:44

cryptography

04:45

this means that 12 will be represented

04:48

as

04:49

one one zero zero so if your input is

04:53

all zeros you end up with one one zero

04:55

zero

04:56

so you repeat this process 16 times

05:00

so this is your confusion layer because

05:02

you're substituting some input with some

05:04

odd with an output so you create some

05:07

confusion here

05:08

but as you can see the these four bits

05:12

only affect these four bits

05:14

so there's not much of a diffusion here

05:16

this is the reason

05:17

why we have we are having a permutation

05:20

layer

05:21

afterwards so this line saying that this

05:24

bit

05:24

goes here but this bit goes here

05:28

and this one goes there and so on so

05:30

you're kind of

05:31

shuffling the places of bits so this is

05:34

your just one rod so after the end of

05:38

this one round you have 64 bits here

05:40

take it put the top now exercise with

05:44

the next front key

05:45

perform the s box operations again and

05:48

perform the permutations and so on and

05:49

so forth

05:50

how many times for this cipher it is

05:53

chosen as 31.

05:55

so take this picture and repeat it 31

05:58

times

05:59

from top to the bottom and at the end of

06:02

course at the final

06:03

round key edition and this is your

06:07

blog cipher presence so this is a very

06:10

simple

06:11

and a good example for the spn site

06:14

of course we haven't mentioned the

06:16

details of the key schedule

06:18

but we will be talking about it next

06:20

week so we are just

06:22

trying to see the main idea here

06:25

let's move on to phase star ciphers

06:29

these ciphers are introduced by

06:30

horseface that

06:32

a round of a face down network consists

06:34

of a run function

06:36

and the swept operation so the b bits

06:39

input is divided into two halves run

06:42

function is applied to one house and the

06:44

other

06:44

the output is exhored to the other half

06:47

and the places of this

06:48

house are swapped key material is used

06:51

inside the run function most of the time

06:54

so again i try to draw a picture for you

06:58

so the main idea for the general

07:01

face style ciphers you have the plain

07:03

text block and you divided

07:05

it into into two so left part and the

07:08

right part

07:09

so you have the key schedule algorithm

07:11

again so you have the key which provides

07:13

round keys

07:14

so in a single round you take the right

07:17

part

07:19

and you move it to the left part

07:22

also you'd have the right part and have

07:24

a round function here you are performing

07:27

a substitution and permutation

07:29

operations so that you provide

07:32

uh confusion and diffusion here and the

07:34

output is the exhort to the left part

07:36

but left part becomes the right part for

07:39

the next round

07:40

so each round one half is not affected

07:43

moves to the second round but the other

07:46

half is

07:46

modified and goes to the other house so

07:50

this is your select operation

07:52

here's an example but this is an example

07:55

for a generalized

07:56

face stud network so instead of two

07:58

lines

07:59

you can see that there are four lines

08:01

here so this

08:03

this is the picture of the clavia block

08:06

cipher which is again the

08:08

iss standard for lightweight

08:10

cryptography

08:12

this cipher has a block size of 128 bits

08:15

so each line here

08:16

actually represents 32 bits of

08:18

information

08:19

so as you can see the leftmost parts

08:23

these 32 bits goes to right most part

08:26

without any effect but it affects the

08:31

second line here and this one goes

08:34

here without taking an effect on it but

08:38

it affects the

08:39

right most part and it goes here and so

08:41

on so you repeat this process

08:44

many times depends on how many runs the

08:47

cipher is

08:50

generally in the face cyphers most of

08:53

the time we

08:54

don't perform the final swap operation

08:56

in the final round

08:58

because uh that has no cryptographic

09:01

importance to us

09:04

so there is no

09:07

answer for which one is better it

09:09

depends on

09:11

your application actually but if you

09:14

need to

09:14

compare these two types

09:17

let's look at the pros for the face

09:20

style ciphers

09:21

encryption algorithm is identical to the

09:23

decryption algorithm

09:24

only the order of the round keys change

09:27

this is important because if we go back

09:29

to the picture here

09:31

for instance in the encryption part you

09:34

have the plain text block so you follow

09:36

this picture from top to bottom

09:38

so you have a run function here so this

09:41

right part goes inside this function and

09:44

you

09:44

obtain the output but when you are

09:47

decrypting

09:48

you have the ciphertext parts left and

09:50

right this right part

09:53

also goes to the run function in this

09:55

way so the

09:57

direction of the arrows does not change

09:59

when you are encrypting or decrypting so

10:01

this is the

10:02

uh plural of the phase the cipher

10:06

but this is not for valid for

10:09

substitution permutation networks

10:10

because

10:12

uh look at the picture here once you're

10:14

at the top you are going

10:15

the encryption goes in this direction

10:17

but the person who is decrypting has the

10:19

ciphertext so

10:20

in order to go to from bottom to top

10:24

you need the inverses of all of these

10:26

operations

10:31

uh a pro for the spn is a single round

10:34

affects the whole

10:35

input but so this

10:39

we will have the inverses of these

10:41

statements in the cons

10:43

for the phase star a single round only

10:45

affects the half of the input

10:47

and for the spn decryption procedure

10:50

requires the inverses of the

10:51

substitution and permutation layers

10:54

so this might take

10:58

more uh i mean this can produce

11:01

larger code size if you are performing

11:04

this operation in software

11:05

or this may might mean that you need

11:08

more gates if you are

11:09

doing it on a hardware but of course uh

11:13

this is not always the case because this

11:15

also depends on the mode of operation

11:17

that you are going to use

11:19

in the real world so we haven't talked

11:21

about mode of operations yet

11:23

uh but we will be talking about them

11:28

i think two weeks later so this uh

11:31

mean will mean uh more sense

11:34

at that point currently we are focused

11:37

on b bits input and b with output

11:39

but when we are going to be working on

11:42

larger

11:43

inputs like one gigabyte for instance we

11:45

need to

11:46

talk about mode of operations and again

11:48

this will be

11:51

in two weeks

11:54

another thing to consider when we are

11:57

designing a block cipher is that

11:59

the the platform that we are going to

12:01

use these

12:02

algorithms and

12:04

[Music]

12:05

we might maybe divide it into hardware

12:08

versus software

12:10

hardware implementations can easily work

12:13

on bits

12:15

but since most programming languages

12:17

focus on bytes

12:18

bit operations are more costly on

12:21

software because

12:22

getting the information about the single

12:24

bit or shifting the

12:26

bits and so on is not that easy on

12:28

software but it is much

12:29

easier on hardware cipher design also

12:32

determines the number of cases required

12:34

to perform encryption on hardware

12:36

so a number of gates determine the area

12:39

required so

12:40

the cost of this implementation on

12:43

hardware

12:45

will depend on your design so it is

12:48

important

12:49

how you design the cipher so actually

12:51

for this reason we have the lightweight

12:53

cryptography area

12:55

where you're trying to

12:58

[Music]

12:59

design secure algorithms secure

13:01

encryption algorithms that require

13:04

less number of cases let's say but also

13:07

you are focusing on the

13:09

power and energy needs of this algorithm

13:11

the latency and troops and so on

13:14

but this is uh the topic of another

13:17

course

13:17

actually i'm teaching it this semester

13:19

also so if you're interested

13:21

you can watch the uh videos of that

13:24

course too

13:25

which is available again in this

13:27

platform

13:28

and that course is titled uh lightweight

13:31

cryptography for the internet of things

13:34

code size or record memory is not a big

13:36

problem for software

13:37

implementations due to the fast cpus and

13:39

large ram again

13:40

our desktop computers laptops

13:44

smartphones or tablets has huge

13:48

amount of computational power and all of

13:50

them comes with more than one or two

13:52

gigabytes of

13:53

memory but again for lightweight

13:55

cryptography

13:56

we have very small devices that has like

14:00

64 bytes of memory and so on so your in

14:04

design should depend on the platform

14:06

that you are going to use it

14:09

security versus speed is another design

14:11

consideration

14:12

speed is generally measured as

14:14

throughput

14:16

adding more security measures for

14:17

instance increasing the number of runs

14:19

increases the security but reduces the

14:22

speed

14:23

cyphers performing well on hardware or

14:25

software may not be suitable for

14:27

constraint devices for rfid systems or

14:30

sensor networks due to the limited

14:32

memory battery or computational power

14:35

hence we also need lightweight cyphers

14:37

ciphers for this kind of platforms

14:40

and currently needs this performing a

14:44

standardization process so there's a

14:46

competition going on

14:48

and at the end one or more lightweight

14:51

ciphers

14:51

will be standardized by nist which

14:55

probably will end in two or three years

15:00

so let's move to uh probably the most

15:03

hurt

15:04

encryption algorithm which is this short

15:07

for data encryption standard

15:09

it was designed by ibm in 1970s it was

15:12

based on an earlier design by faceta

15:15

in 1976 nsa tweaked the algorithm by

15:19

changing its

15:20

s-boxes and after that

15:23

it became a standard so an essays

15:26

tweak here is actually a good

15:29

tweak because this way uh the cipher

15:33

becomes

15:34

more secure we will talk about it when

15:37

we are talking about differential

15:38

cryptanalysis

15:40

but nsa also shortens the key of the

15:42

algorithm

15:43

ibm was using algorithms that has

15:46

key length of 128 bits at the time

15:49

but after this tv key length beca became

15:53

56 bits which is very short even for

15:55

that time

15:56

which actually allows brute force

15:58

attacks that that i'm going to mention

16:01

in a few minutes

16:02

so uh this is why we have to

16:05

[Music]

16:07

stop using this algorithm in 1990s

16:11

so this algorithm is currently known as

16:13

data encryption algorithm dea

16:15

since it is no longer a standard and

16:17

actually this is a very important topic

16:20

a lot of people still think that this is

16:22

a standard and

16:23

it is secure i know a lot of people

16:25

still using this algorithm

16:28

but it hasn't it provides no security at

16:31

all

16:31

it became useless after 1990s since

16:34

its short key is susceptible to brute

16:36

force attacks which i haven't mentioned

16:39

in a few minutes so let's look at nsa's

16:42

involvement

16:43

in 1976 nsa tv i tweaked ibm's initial

16:47

design by changing

16:48

the s-boxes but didn't explain to ibm

16:52

why

16:52

they made such a change ibm people

16:55

analyzed this tv and they discovered an

16:57

attack that breaks their initial design

16:59

and they called it t attack they shared

17:02

their discovery with nsa

17:04

and they say ask them not to share this

17:05

knowledge with public for they had known

17:07

this

17:08

attack type for some time and were using

17:11

it to listen

17:12

other countries and uh

17:15

biham and xiaomi's rediscovery of

17:17

differential cryptanalysis in 1990s is

17:19

the first

17:20

public announcement of this technique

17:23

and later on we

17:25

we learned that even a japanese people

17:29

even knew it

17:31

during second world war uh this

17:34

technique

17:35

they were using this kind of techniques

17:36

in second world war

17:38

but uh every country kept this

17:42

information to themselves

17:44

so biham and xiaomi's discovery of

17:46

differential cryptanalysis was the first

17:48

public announcement

17:49

of this technique actually biham

17:51

received a

17:54

fellowship from iacr

17:58

uh

18:02

international association of

18:03

cryptographic research a few years ago

18:06

and during his keynote speech he thanked

18:09

all of the

18:10

secrecy services who has known this

18:12

technique and kept it to themselves

18:14

so that biham and shamir can

18:18

present it for the first time publicly

18:22

main idea in differential crypt analysis

18:24

is to find the weakness so that a small

18:26

change in the

18:27

input provides an anticipated change in

18:29

the output with high probability

18:32

and we will be actually talking about

18:34

this

18:35

uh in the week that we are

18:38

talking about cryptanalysis so the main

18:41

picture of

18:43

this is as follows you have the key and

18:45

key schedule algorithm which

18:47

only contains permutations and rotations

18:52

and as i told you that this is a face

18:56

style cipher you have left and right

18:58

part you have an initial permutation

19:00

which is

19:01

which has no cryptographic importance it

19:03

is just used for the

19:05

receiving the data from the hardware in

19:07

a

19:09

good way let's say so you have some

19:11

functions like expansion and so on

19:14

and you have here s boxes and the

19:16

permutation

19:18

so you have 16 rounds for this

19:27

so what should be the key size

19:30

this is a good question uh an attacker

19:32

that captures a single ciphertext

19:35

can try to decrypt it with every

19:37

possible key to check

19:38

if it is if it provides a meaningful

19:40

plain text

19:42

such an attack is called exhaust

19:43

research or brute force attack so this

19:46

attack does not use any weakness in the

19:49

design

19:50

so it is just a brute force attack by

19:52

trying every possible key

19:55

exhaustive search is a generic attack in

19:57

other words valid for every cipher

19:59

for a key bit key cipher the attacker is

20:02

required to perform

20:03

at most 2k encryptions and decryptions

20:06

or decryptions sorry

20:07

so i mean you can capture plain text

20:09

below can perform the brute force

20:11

attacks but most of the time

20:12

most probably you will get a plain text

20:15

block and the corresponding ciphertext

20:17

block so

20:18

all you need to do is to perform two to

20:20

decay encryptions and check if the

20:22

ciphertext

20:23

you obtained is the same as the one you

20:26

captured

20:27

the security of a block cipher is upper

20:30

bounded by

20:30

exhaustive search attack which is to

20:33

decay

20:34

encryptions so this quantity is referred

20:36

to as time complexity

20:38

so you can break every cipher with two

20:41

to the k encryptions

20:43

so any weakness that you find that makes

20:46

it

20:47

easier to break the cipher that requires

20:49

less than 2 to decay encryptions

20:51

is a

20:54

cryptanalysis attack actually so which

20:57

is which would be better than

20:58

brute force so let's look at

21:02

the security of deaths bihar and xiaomi

21:04

provided the first hierarchical attack

21:06

in 1992

21:08

the differential crypto analysis but

21:11

this required this was better than

21:14

exhaust distort but however the

21:16

attack required two to the four to seven

21:18

chosen plaintext to be captured

21:20

which is actually unrealistic in real

21:22

life

21:23

so attack wasn't that successful as

21:27

expected because of the nsa's tv of the

21:30

s boxes

21:31

massive provided the first experimental

21:34

cryptons of tests by introducing linear

21:36

cryptanalysis

21:38

and in 1997 industrial project

21:42

which is around seven to eight thousand

21:45

pieces connected by the internet breaks

21:47

a message

21:48

encrypted with test for the first time

21:49

in public

21:51

in 1998 eff's desk record which is a

21:55

machine containing

21:57

around 2000 custom chips which can break

22:01

a

22:01

desky in 56 hours

22:05

and so which is very practical so in

22:08

1999

22:10

this is only allowed in legacy systems

22:12

and

22:13

uh a transition to triple desks which is

22:16

just using the des algorithm

22:19

three times is suggested so

22:24

but uh at those times a competition

22:28

is made and which was called advanced

22:30

encryption competition

22:32

and the winner of that competition

22:34

become became the advanced encryption

22:36

standard

22:37

aes in short and uh

22:41

we always encourage people to use aes

22:43

instead of

22:44

triple dash so aes

22:48

is advanced encryption standard uh the

22:51

original name of the algorithm is random

22:53

but

22:54

which was designed by john damon and

22:56

vincent raymond uh

22:58

it was one of the finalists together

23:00

with sarpan two fish

23:01

rc-6 and mars but randolph won the

23:05

competition so

23:06

it is now known as the aes advanced

23:09

encryption standard

23:10

this time the key lengths are

23:14

longer than or larger than this you have

23:17

three options 128

23:20

192 and 256 bits

23:24

again as i told you this is good for

23:26

personal security this is

23:28

good for military use and as far as i

23:30

know no one uses this

23:32

uh middle value but

23:35

depending on the choice of the key

23:38

length

23:39

the number of rounds changes so if you

23:41

are using a longer key the number of

23:43

runs also increases so you obtain like

23:45

you get a performance drop

23:51

like from 10 rounds to 14 so you

23:54

get like 40 percent of

23:57

extra

24:00

competition block size is larger

24:04

128 bits there are many cryptanalysis

24:07

results on

24:08

aes but none of the known attacks

24:11

are effective so we believe that aes is

24:15

secure to use

24:17

so why are we interested in this key

24:20

length so if you look at 2 to the 56

24:23

which is the size of the possible

24:27

keys for the desk the number is this

24:31

and for present if you are using 80-bit

24:34

key this is the number of possible keys

24:36

and for aes 128 it is this

24:40

for 192-bit key it is this and

24:43

for 256 bits it is this

24:47

since this is an exponential increase

24:50

uh even if a technological breakthrough

24:53

happens that

24:54

somebody can break aes 128 in a single

24:59

second

24:59

which means that you can perform 2 to

25:02

the 128

25:04

as encryptions in one second such a

25:09

person would not be able to break as

25:13

256 because

25:16

if you can perform this many operations

25:18

in a second

25:19

this means that and in a year there is

25:22

around

25:23

2 to the 27 seconds so

25:26

this would mean that you need two to the

25:29

100 years

25:30

to break aes 256 and

25:33

2 to the 100 years is way longer than a

25:37

human lifetime so

25:40

how can we perform this exhaustive

25:43

search attacks

25:44

uh you can use cpus we have

25:47

uh everybody nowadays a desktop or

25:50

laptop computer so

25:51

these are the easiest computational

25:53

devices that we can

25:55

obtain gpus which were mainly used for

25:59

gaming today is very good for

26:02

scientific computing paralyzable

26:04

algorithms becomes faster compared to

26:06

cpus

26:07

depending on the algorithm you can get a

26:10

speed of

26:11

up to 10 or 100 times it depends on the

26:15

gpu and the

26:16

algorithm we you can also use fpgas

26:20

field programmable gateways for

26:23

exhaustive search

26:24

or you can use asics which are dedicated

26:26

hardwares

26:27

these can only perform the implemented

26:29

algorithm but they are

26:31

cost effective compared to fpgas or any

26:33

other devices in the list

26:36

so i just uh

26:41

calculated the performance of my cpus

26:44

and gpus for

26:45

uh for a brute force attack on present

26:48

80.

26:49

so a very old computer a laptop computer

26:52

has four cores

26:53

as you can see here which has clocked as

26:56

two gigahertz

26:57

by using this laptop from 2010 i can

27:00

perform

27:02

15 million present encryptions in a

27:05

second

27:06

so in order to perform two to the eight

27:08

encryptions i need

27:09

this many years for this laptop

27:12

to run itself and for a desktop computer

27:15

from those times the clock speed is

27:18

higher so you can perform

27:22

twice more encryptions in a second so it

27:25

will take this many years

27:26

for this cpu to break present

27:30

80. but if you look at the gpus

27:34

this laptop from 2010 has a gpu which

27:37

has

27:38

96 cores so as you can see even from

27:41

those dates

27:42

gpus were faster than cpus when

27:46

you're doing parallel computations

27:50

but if you use a again old but

27:53

a good gpu which has 1664 cores

27:58

and nowadays we have gpus that has more

28:01

than three thousand cores

28:02

and clocked as 2g guys but even for this

28:05

gpu

28:06

you need 84 million years

28:10

but again with a modern gpu

28:14

you can reduce this number to actually

28:16

10

28:17

million years and you might say that

28:19

still

28:20

you cannot break it 10 million years is

28:23

a long time

28:24

but this means that if video gamers on

28:27

the internet decides to break present

28:29

instead of playing a video game

28:31

they can break a present via brute force

28:34

attacks

28:36

in a in some days so for this reason

28:40

i never suggest use of 80-bit

28:43

keys for security because even if

28:46

video gamers can gather around on the

28:48

internet and break the cipher

28:51

secrecy services can perform very much

28:54

[Music]

28:57

large number of encryptions and with

28:59

dedicated devices you can

29:02

actually perform 8-bit brute force

29:04

attacks

29:05

in a few days

Weitere ähnliche Videos ansehen

Stream Cipher vs. Block Cipher

Introduction to Advanced Encryption Standard (AES)

Introduction to Data Encryption Standard (DES)

Symmetric Key Cryptography

LECTURE-11| MONOALPHABETIC SUBSTITUTION CIPHER

AES and DES Algorithm Explained | Difference between AES and DES | Network Security | Simplilearn

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Ähnliche Tags

Block CiphersSPN NetworksFeistel NetworksCryptographyAES EncryptionDES AlgorithmSecurity AnalysisBrute Force AttacksLightweight CryptographyCryptanalysis TechniquesCipher Design

Benötigen Sie eine Zusammenfassung auf Englisch?