What is Simplified DES (S-DES)

Developed in 1996 as a teaching tool

Santa Clara University

Prof. Edward Schaefer

Encryption: Takes an 8-bit block plaintext, a 10 bit key and produces an 8-bit block of ciphertext Decryption: takes the 8-bit block of ciphertext, the same 10-bit key and produces the original 8-bit block of plaintext

NETWORK SECURITY
Simplified DES

Encryption Algorithm: Five Functions

S-DES Scheme

IP an initial permutation
fk - a complex, 2-input function SW a simple permutation that swaps the two halves of the data fk - a complex, 2-input function; again

IP-1 inverse permutation of the initial permutation

Encryption Algorithm

Encryption Algorithm

Input to function fK

Encryption Algorithm:

IP 1 f K2 SW f K1 IP

the data passing through the encryption algorithm

an 8-bit key.

Possibilities for key

a 16-bit key, consisting of two 8-bit subkeys, one used for each occurrence of fK. a single 8-bit key could have been used, with the same key used twice in the algorithm. a 10-bit key from which two 8-bit subkeys are generated

OR 1 Ciphertext= IP ( f K ( SW ( f K ( IP ( plain text)))))

2 1

where

K1

P8( Shift( P10(key)))

K2

P8(Shift(Shift( P10(key))))

Decryption is the reverse of encryption:

Plaintext= IP 1 ( f K ( SW ( f K ( IP (ciphertext))))) 1 2

Encryption Algorithm: Key Generation

Key Generation

In S-DES, a 10-bit key is used From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm.

Process:
the key is first subjected to a permutation (P10) then a shift operation is performed The output of the shift operation
passes through a permutation

function (P8) that produces an 8bit output for the first subkey (K1). also feeds into another shift and another instance of P8 to produce the second subkey (K2).

Encryption Algorithm: Key Generation

Permutation Function (P10) First, permute the 10-bit key k1,k2,k3,k4,k5,k6,k7,k8,k9,k10:

Encryption Algorithm: Key Generation

Permutation Function (P10)

P10(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10) =(k3,k5,k2,k7,k4,k10,k1,k9,k8,k6)

P10 3 5 2 7 4 10 1 9 8 6

Or it may be represented in such a form

Example: the key (1010000010) is permuted to (1000001100).

P10 3 5 2 7 4 10 1 9 8 6

Encryption Algorithm: Key Generation

Encryption Algorithm: Key Generation

Shift Operation (LS-1)

circular shift (LS-1), or rotation, separately on the 1st 5 bits and the 2nd 5 bits. Example:
the

Permutation Function (P8)

picks out and

permutes 8 out of 10 bits according to the following rule:

given key (1010000010) is first permuted to (1000001100). Perform shift operation (LS-1), the result is (00001 11000).
The

P8 8

10

Our example

result is subkey K1. yields (10100100)

Encryption Algorithm: Key Generation

S-DES Encryption

Sub key K2 Generation

Take the pair of 5-bit strings produced by the two LS-1 functions Perform a circular left shift of 2 bit positions on each 5bit string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 function is applied again to produce K2. In our example, the result is (01000011)

1. 2. 3. 4.

S-DES encryption involves the sequential application of five functions: Initial Permutation (IP) Complex function (f k ) Switch Function (SW) Complex function (f k ) again Final Permutation (IP -1)

5.

Inverse of Initial Permutation

S-DES Encryption: Initial Permutation (IP)

S-DES Encryption: Final Permutation (IP-1)

Input to the algorithm: an 8-bit block of plaintext Apply permutation using the following IP function:

At the end of the algorithm, the inverse permutation is used:

IP 1 4

IP-1 5 7

This retains all 8 bits of the plaintext but mixes them up.

It may be verified, that IP-1(IP(X)) = X.

S-DES Encryption: Function (f k)

S-DES Encryption: Function (f k)

Example: Suppose the output of the IP stage is (1011 1101) and F(1101,SK) = (1110) for some key SK.

The most complex component of S-DES A combination of permutation and substitution functions. Assume

L and R be the leftmost 4 bits and rightmost 4 bits of the 8 bit input to fK F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings.

Then f K(1011 1101) = (0101 1101) because (1011) (1110) = (0101).

f k ( L, R )
where SK is a subkey and function

(L

F ( R, SK ), R)

is the bit-by-bit exclusive-OR

S-DES Encryption: Function (f k)

Mapping F The input is a 4-bit number (n1 n2 n3 n4). Operations
1.
2.

S-DES Encryption: Function (f k)

Mapping F : an expansion/permutation (E/P)operation

3.

4.

an expansion/permutation exclusive-OR with 8-bit sub-key1 Perform S-box operation S0 on four bits of the result and S1 on the remaining four bits. The S-box produces 2-bit output. The outputs of S0 and S1 undergo permutation (P4), producing the output of F

E/P 3 2

Or write in the following fashion:

S-DES Encryption: Function (f k)

S-DES Encryption: Function (f k)

Mapping F : exclusive-OR with 8-bit sub-key1

Mapping F : S-boxes S0 and S1

The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added to this value using XOR:

The first 4 bits (1st row of the preceding matrix) are fed into the S-box S0 to produce a 2-bit output The remaining 4 bits (2nd row) are fed into S1 to produce another 2-bit output Two S-boxes are defined as

Rename these bits as:

S-DES Encryption: Function (f k)

S-DES Encryption: Function (f k)

Mapping F : S-boxes S0 and S1

Mapping F : S-boxes S0 and S1

The 1st and 4th input bits are treated as a 2-bit number that specify a row of the S-box The 2nd and 3rd input bits specify a column of the S-box.

For example,
if (p00, p03) = (00) and (p01, p02) = (10) the output is from row 0, column 2 of S0, which is 3, or (11) in binary. Similarly, (p10, p13) and (p11, p12) are used to index into a row and column of S1 to produce an additional 2 bits.

The entry in that row and column, in base 2, is the 2-bit output.

S-DES Encryption: Function (f k)

S-DES Encryption: Switch Function (SW)

Mapping F : Permutation P4

The 4 bits produced by S0 and S1 undergo a further permutation as follows:

P4 3

The function f K only alters the leftmost 4 bits of input. The switch function SW interchanges the left and right bits so that the 2nd instance of f K operates on a different 4 bits. In the 2nd instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2.

This is the output of the Function F.

S-DES: Analysis

S-DES: Analysis

Brute-force attack

Cryptanalytic attack: Known Plaintext attack

certainly feasible

With a 10-bit key, there are only 210 = 1024 possibilities. Given a ciphertext, an attacker can try each possibility and analyze the result to determine if it is reasonable plaintext.

If we know plaintext (p1,p2,p3,p4,p5,p6,p7,p8) and respective cipher text (c1,c2,c3,c4,c5,c6,c7,c8), and key (k1,k2,k3,k4,k5,k6,k7,k8,k9,k10) is unknown, then we can express this problem as a system of 8 nonlinear equations with 10 unknowns. The nonlinearity comes from the S-boxes. It is useful to write down equations for these boxes.

r
1 0

a
0 0

d
0 0

b
0 0

c
0 1

S-DES: Analysis

S-DES: Analysis
Truth Table for S-box S0:

0 1 2 3 4

0 0

1 1 1 1 0
0 0 1 0 1 1 0 1 1

1 0 1 0 1
0 0 0 1 1 1 1 1 0

0 0 0 0 0
0 1 1 1 1 1 1 1 1

0 0 1 1 1
1 0 0 0 0 1 1 1 1

1 1 0 0 1
1 0 0 1 1 0 0 1 1

0 1 0 1 0
1 0 1 0 1 0 1 0 1

Cryptanalytic attack: Known Plaintext attack

rename (p00,p01,p02,p03)=(a,b,c,d) and (p10,p11,p12,p13)=(w,x,y,z). Let 4-bit output be (q,r,s,t) Then the operation of S0 is defined in the following equations: q = abcd + ab + ac + b + d r = abcd + abd + ab + ac + ad + a + c + 1

5 6 7 8 9 10 11
12 13 14 15

where all additions are made modulo 2. Similar equations define S1.

S-DES: Analysis
q (a d b c)(a d b c )(a d b c) (a d b c )(a d b c)(a d b c)(a d b c ) (a d b)(a d b )(a d c)(a d b c ) (a db bd )(a bd d c cd bc) abd a b d a bd abc ac d acd bcd b c d (abd (1 a)(1 b)d ) (1 a)b(1 d ) abc (a(1 c)d ac(1 d )) (bc(1 d ) (1 b)(1 c)d ) (d ad bd ) (b ab bd abd ) abc (ad ac) (bc d bd cd ) (d ad b ab bd ) (abd acd ac bc d bd cd abcd abc) abcd ac ab b d

S-DES: Analysis

Alternating linear maps with these nonlinear maps results in very complex polynomial expressions for the cipher-text bits, making cryptanalysis difficult. To visualize the scale of the problem, note that a polynomial equation in 10 unknowns in binary arithmetic can have 210 possible terms.

On average, we might therefore expect each of the 8 equations to have 2 9 terms.

S-DES: Relationship to DES

S-DES: Relationship to DES

DES operates on 64-bit blocks of input. Encryption scheme can be defined as

IP 1 f K16 SW f K15 SW ...SW f K1 SW IP

Within the encryption algorithm, instead of F acting on 4 bits (n1n2n3n4), it acts on 32 bits (n1n2..n32). After the initial expansion/permutation, the output of 48 bits can be depicted as

A 56-bit key is used, from which 16 48-bit subkeys are calculated. There is an initial permutation of 56 bits followed by a sequence of shifts and permutations of 48 bits.

S-DES: Relationship to DES

This matrix is added (XOR) to a 48-bit subkey. There 8 rows, corresponding to 8 S-boxes.

Each S-box has 4 rows and 16 columns. The 1 st and last bit of a row of the preceding matrix picks out a row of an S-box, and the middle 4 bits pick out a column.