The confusion-diffusion paradigm and substitution-permutation networks were both introduced by Shannon [113]. The Feistel method of constructing a block cipher was presented by Feistel [54] when working on Lucifer, a block cipher predating DES. A theoretical analysis of the Feistel methodology was later given by Luby and Rackoff [91].
The full DES standard can be found at [102] and a more friendly description can be found in Kaufman et al. [84]. The most comprehensive presentation of AES can be found in the book written by its designers Daemen and Ri-jmen [44]. There are a large number of other good (and less good) block ciphers in the literature. For a broad but somewhat outdated overview of other ciphers, see [93, Chapter 7].
A recent analysis of the security of triple-DES is given by Bellare and Ro-gaway [22].
Differential cryptanalysis was introduced by Biham and Shamir [23] and its use on full DES was presented in [24]. Coppersmith [37] describes the DES design in light of the public discovery of differential cryptanalysis. Linear cryptanalysis was discovered by Matsui [92]. For more information on these advanced techniques, we refer to the excellent tutorial on differential and
6One may wonder why stream ciphers are preferred over block ciphers in the first place.
There are two main reasons. First, they are often faster (and our recommendation to use a block cipher in a “stream-cipher mode” will therefore cause some slowdown). The second reason is that implementors often prefer to use a stream cipher because no padding of the message is needed (recall that when encrypting with a block cipher, the plaintext message must be padded in order to make its length an exact multiple of the block size).
linear cryptanalysis by Heys [78]. A more concise presentation can be found in the textbook by Stinson [124].
Exercises
5.1 In our attack on a two-round substitution-permutation network, we con-sidered a block size of 64 bits and a network with 16S-boxes that take input of size 4 bits. Repeat the analysis for the case of 8S-boxes, each S-box taking an input of size 8 bits. Present an exact description of the complexity of the attack. Repeat the analysis again with a block size of 128 bits (andS-boxes that take input of size 8). Does the block size make any difference?
5.2 Our attack on a three-round substitution-permutation network does not recover the key but only shows how to distinguish it from a random permutation. Thus it is not a “complete break”. Despite this, show that using a three-round substitution-permutation network withcounter mode (see Section 3.6.4) can have disastrous effects on the security of encryption.
5.3 Consider a modified substitution-permutation network where instead of carrying out key-mixing, substitution and permutation in alternating order, firstR keys are mixed (via XOR), thenR substitution steps are carried out, and finallyR permutations are run. Analyze the security of this construction. Does it make a difference if the sameS-boxes and permutations are used in all steps or if they are different?
5.4 Show that in the DES structure, DESk(x) = DESk(x) for every key kand input x (where z denotes the bitwise complement ofz). This is called thecomplementary property of DES.
5.5 Use the previous exercise to show how it is possible to find the DES secret key in time 255 (i.e., half the time of a straightforward brute-force search). For your attack, you can assume that you are given an oracle that computes DES under the secret keyk.
5.6 Provide aformal proof that the initial and final permutationsIP and IP−1 have no effect on the security of DES (beyond slowing down at-tacks by a constant factor).
Hint: Show that any attack on DES without the permutations can be converted into an attack on DES with the permutations.
5.7 This exercise discusses problematic keys for DES; these keys are called weak keys:
(a) Assume that the DES secret keykequals 056. Show that for every x it holds thatDESk(DESk(x)) =x. Why does the use of such a key pose a security threat?
(b) Find three other DES keys with the same property. Present the keys and explain why they have the property.
(c) Is the existence of these 4 keys a threat to the security of DES?
Explain your answer.
5.8 Describe an algorithm that is given two sorted lists of length N and finds all values that appear in both lists in timeO(N). Recall that this is used in the attack on double-DES.
5.9 It has been proposed to use double-DES as a fixed-length collision-resistant hash function within the Merkle-Damg˚ard transform, in the following way. Define the hash function h : {0,1}112 → {0,1}64 as h(x1kx2) =DESx1(DESx2(064)) where|x1|=|x2|= 56.
(a) Write down an actual collision in this fixed-length hash function.
(b) In how much time is it possible to find a preimage for the hash function. That is, given some y ∈ {0,1}64 show how to find a pair (x1, x2) such thath(x1kx2) =y. Make your attack as quick as possible. Does your attack make it possible to find a preimage that “makes sense” (say, one that contains an English word)?
(c) What happens when h as above is used in the Merkle-Damg˚ard transform? Find the most effective attack that you can think of.
5.10 Describe a detailed attack on all of the following (silly) modifications to DES:
(a) TheS-boxes all output zeroes, irrespective of the input (b) The internalf function computes the identity function
(c) Instead of using different subkeys in every round, the same 48-bit key is used in every round of the Feistel structure.
If you claim insecurity, then describe a detailed attack and analyze its complexity.