This action might not be possible to undo. Are you sure you want to continue?
Developed in 1996 as a teaching tool
Santa Clara University
Prof. Edward Schaefer
Encryption: Takes an 8-bit block plaintext, a 10 –bit key and produces an 8-bit block of ciphertext Decryption: takes the 8-bit block of ciphertext, the same 10-bit key and produces the original 8-bit block of plaintext
Encryption Algorithm: Five Functions
IP – an initial permutation
fk - a complex, 2-input function SW – a simple permutation that swaps the two halves of the data fk - a complex, 2-input function; again
IP-1 – inverse permutation of the initial permutation
Input to function fK
IP 1 f K2 SW f K1 IP
the data passing through the encryption algorithm
an 8-bit key.
Possibilities for key
a 16-bit key, consisting of two 8-bit subkeys, one used for each occurrence of fK. a single 8-bit key could have been used, with the same key used twice in the algorithm. a 10-bit key from which two 8-bit subkeys are generated
OR 1 Ciphertext= IP ( f K ( SW ( f K ( IP ( plain text)))))
P8( Shift( P10(key)))
Decryption is the reverse of encryption:
Plaintext= IP 1 ( f K ( SW ( f K ( IP (ciphertext))))) 1 2
Perform shift operation (LS-1).k2.k7.k4. The 6 3 7 4 P8 8 5 10 9 Our example result is subkey K1.k9.k7.k4.k2.k5.k8. two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.k10. Example: the Permutation Function (P8) picks out and permutes 8 out of 10 bits according to the following rule: given key (1010000010) is first permuted to (1000001100).k4.k9.k8.Encryption Algorithm: Key Generation Key Generation In S-DES. the result is (00001 11000).k10: Encryption Algorithm: Key Generation Permutation Function (P10) P10(k1.k6) P10 3 5 2 7 4 10 1 9 8 6 Or it may be represented in such a form Example: the key (1010000010) is permuted to (1000001100). Process: the key is first subjected to a permutation (P10) then a shift operation is performed The output of the shift operation passes through a permutation function (P8) that produces an 8bit output for the first subkey (K1). yields (10100100) 2 .k5.k3. a 10-bit key is used From this key. separately on the 1st 5 bits and the 2nd 5 bits. also feeds into another shift and another instance of P8 to produce the second subkey (K2).k1. P10 3 5 2 7 4 10 1 9 8 6 Encryption Algorithm: Key Generation Encryption Algorithm: Key Generation Shift Operation (LS-1) circular shift (LS-1). Encryption Algorithm: Key Generation Permutation Function (P10) First. permute the 10-bit key k1.k7.k5.k6.k2.k10) =(k3.k8.k6. or rotation.k9.k3.
R) is the bit-by-bit exclusive-OR 3 . f k ( L. 3. the value (00001 11000) becomes (00100 00011). 2. The most complex component of S-DES A combination of permutation and substitution functions. In our example. Then f K(1011 1101) = (0101 1101) because (1011) (1110) = (0101). that IP-1(IP(X)) = X.SK) = (1110) for some key SK. the inverse permutation is used: 2 6 3 IP 1 4 8 5 7 4 1 3 IP-1 5 7 2 8 6 This retains all 8 bits of the plaintext but mixes them up. 4. R ) where SK is a subkey and function (L F ( R.Encryption Algorithm: Key Generation S-DES Encryption Sub key K2 Generation Take the pair of 5-bit strings produced by the two LS-1 functions Perform a circular left shift of 2 bit positions on each 5bit string. S-DES encryption involves the sequential application of five functions: Initial Permutation (IP) Complex function (f k ) Switch Function (SW) Complex function (f k ) again Final Permutation (IP -1) 5. the result is (01000011) 1. Finally. P8 function is applied again to produce K2. Inverse of Initial Permutation S-DES Encryption: Initial Permutation (IP) S-DES Encryption: Final Permutation (IP-1) Input to the algorithm: an 8-bit block of plaintext Apply permutation using the following IP function: At the end of the algorithm. SK ). It may be verified. S-DES Encryption: Function (f k) S-DES Encryption: Function (f k) Example: Suppose the output of the IP stage is (1011 1101) and F(1101. Assume L and R be the leftmost 4 bits and rightmost 4 bits of the 8 bit input to fK F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. In our example.
The S-box produces 2-bit output. p03) = (00) and (p01. k12. S-DES Encryption: Function (f k) Mapping F : an expansion/permutation (E/P)operation 3. k16. column 2 of S0. producing the output of F 4 1 2 E/P 3 2 3 4 1 Or write in the following fashion: S-DES Encryption: Function (f k) S-DES Encryption: Function (f k) Mapping F : exclusive-OR with 8-bit sub-key1 Mapping F : S-boxes S0 and S1 The 8-bit subkey K1 = (k11. in base 2. is the 2-bit output. p13) and (p11. 4. For example. Similarly. 2. if (p00. The entry in that row and column. p02) = (10) the output is from row 0. The outputs of S0 and S1 undergo permutation (P4).S-DES Encryption: Function (f k) Mapping F The input is a 4-bit number (n1 n2 n3 n4). (p10. k13. k14. which is 3. p12) are used to index into a row and column of S1 to produce an additional 2 bits. Operations 1. an expansion/permutation exclusive-OR with 8-bit sub-key1 Perform S-box operation S0 on four bits of the result and S1 on the remaining four bits. k15. or (11) in binary. k17. k18) is added to this value using XOR: The first 4 bits (1st row of the preceding matrix) are fed into the S-box S0 to produce a 2-bit output The remaining 4 bits (2nd row) are fed into S1 to produce another 2-bit output Two S-boxes are defined as Rename these bits as: S-DES Encryption: Function (f k) S-DES Encryption: Function (f k) Mapping F : S-boxes S0 and S1 Mapping F : S-boxes S0 and S1 The 1st and 4th input bits are treated as a 2-bit number that specify a row of the S-box The 2nd and 3rd input bits specify a column of the S-box. 4 .
c8).k7. The key input is K2. S0. 5 .t) Then the operation of S0 is defined in the following equations: q = abcd + ab + ac + b + d r = abcd + abd + ab + ac + ad + a + c + 1 5 6 7 8 9 10 11 12 13 14 15 where all additions are made modulo 2.s.k5.b. S-DES: Analysis S-DES: Analysis Brute-force attack Cryptanalytic attack: Known Plaintext attack certainly feasible With a 10-bit key. If we know plaintext (p1.p11. Given a ciphertext.p6.c7.p3.k10) is unknown.c.k8. the E/P.d) and (p10. S1. an attacker can try each possibility and analyze the result to determine if it is reasonable plaintext.S-DES Encryption: Function (f k) S-DES Encryption: Switch Function (SW) Mapping F : Permutation P4 The 4 bits produced by S0 and S1 undergo a further permutation as follows: 2 4 P4 3 1 The function f K only alters the leftmost 4 bits of input.x.p5.p02.p2.k9. there are only 210 = 1024 possibilities. The switch function SW interchanges the left and right bits so that the 2nd instance of f K operates on a different 4 bits.k3.y.z). then we can express this problem as a system of 8 nonlinear equations with 10 unknowns. In the 2nd instance.p12. This is the output of the Function F. Let 4-bit output be (q. and P4 functions are the same. q r 1 0 a 0 0 d 0 0 b 0 0 c 0 1 S-DES: Analysis S-DES: Analysis Truth Table for S-box S0: 0 1 2 3 4 0 0 1 1 1 1 0 0 0 1 0 1 1 0 1 1 1 0 1 0 1 0 0 0 1 1 1 1 1 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 1 1 1 1 0 0 0 0 1 1 1 1 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 Cryptanalytic attack: Known Plaintext attack rename (p00.r.c6.k4. The nonlinearity comes from the S-boxes. It is useful to write down equations for these boxes. and key (k1.p03)=(a.c3.c5.k6.c4. Similar equations define S1.p7.p01.p4.k2.c2.p13)=(w.p8) and respective cipher text (c1.
There is an initial permutation of 56 bits followed by a sequence of shifts and permutations of 48 bits. instead of F acting on 4 bits (n1n2n3n4). from which 16 48-bit subkeys are calculated. 6 . the output of 48 bits can be depicted as A 56-bit key is used. The 1 st and last bit of a row of the preceding matrix picks out a row of an S-box. note that a polynomial equation in 10 unknowns in binary arithmetic can have 210 possible terms.. corresponding to 8 S-boxes.S-DES: Analysis q (a d b c)(a d b c )(a d b c) (a d b c )(a d b c)(a d b c)(a d b c ) (a d b)(a d b )(a d c)(a d b c ) (a db bd )(a bd d c cd bc) abd a b d a bd abc ac d acd bcd b c d (abd (1 a)(1 b)d ) (1 a)b(1 d ) abc (a(1 c)d ac(1 d )) (bc(1 d ) (1 b)(1 c)d ) (d ad bd ) (b ab bd abd ) abc (ad ac) (bc d bd cd ) (d ad b ab bd ) (abd acd ac bc d bd cd abcd abc) abcd ac ab b d S-DES: Analysis Alternating linear maps with these nonlinear maps results in very complex polynomial expressions for the cipher-text bits. On average. it acts on 32 bits (n1n2.. S-DES: Relationship to DES S-DES: Relationship to DES DES operates on 64-bit blocks of input.n32). Each S-box has 4 rows and 16 columns.. After the initial expansion/permutation. S-DES: Relationship to DES This matrix is added (XOR) to a 48-bit subkey. and the middle 4 bits pick out a column.SW f K1 SW IP Within the encryption algorithm. we might therefore expect each of the 8 equations to have 2 9 terms. There 8 rows. Encryption scheme can be defined as IP 1 f K16 SW f K15 SW . making cryptanalysis difficult. To visualize the scale of the problem.
This action might not be possible to undo. Are you sure you want to continue?