 In fact, one of the later slides will compare them. We'll come back and compare them. Let's just summarize the operations. We generate keys or round keys, sub keys. So we take our original key and apply some operations to generate sub keys, k1 and k2 in our case, because we have two rounds. The operations of p10, p8, and the shift are defined. They're fixed. They are known by everyone. They're public. They're known by a malicious user. So an attacker knows what they are, and they never change. To encrypt, we apply our initial permutation at the start of the operation. We apply some function, and that's got many detailed steps, using sub key 1. Swap the halves. Apply the same function, and then swap using k2, and then to finish the inverse initial permutation. And decryption is the same steps. IP, the function, swap the halves, the function, inverse IP. So encryption and decryption are the same code or the same algorithm. Just that we use the keys in the opposite order. And of course, we have the ciphertext on input, and we get the plaintext out. It's not the purpose to remember all these operations or the permutations. It's just to demonstrate that all that we're really doing is the simple operations we saw in classical ciphers. We're doing transpositions or permutations. And in the S-box, we're doing a substitution. So in the function f of k, the dark gray box, there's two S-boxes in there that define we take four bits in, and we get two bits out. They were defined here. So a substitution box. So the cipher is a combination of substitutions and transpositions. And you should have tried this and got to the ciphertext. If you've got any troubles with that, then again, the operations are very simple. It's just a matter of being careful with performing those operations, making it clear in your notes so that you don't make some simple mistakes. The answer, I think the entire steps are on the website for that example. So you can check your answer. So in summary, simplified desks and educational encryption algorithm, it can be expressed as some equation where those operations are defined. For example, to encrypt, we take some plain text. We apply the initial permutation. On the output of that, we apply our function using k1, subkey k1. The output of that, we swap the halves. Then we apply our function, the same function again, but use k2 as an input. And then when we're done, the inverse initial permutation. And then the second equation is the decryption operation. And you see it's the same, exactly the same, except here we use k2 and then k1. Of course, we've only got a 10-bit key. Brute force is easy. We've only got 1,024 possible keys to try. So from that perspective, it's insecure. But the algorithms or the steps themselves considered good for such a simple, small cipher. And when we come to the real desk, it's the same. Even though the key may not be secure, the algorithm itself is considered secure. For example, if you took, if you knew a pair of plaintexts and ciphertexts, even with simplified desks, try and work out what the key is, not easy. So now how do we compare that to the real desk, the thing that is used or has been used in practice? Some of the characteristics, simplified desks, we used an 8-bit block. Real desk operates on 64-bits. So we take 64-bits of plaintext at a time. And when we split it into halves, we have 32 and 32 bits, the left and the right half. Real desk has a 56-bit key. And I've said before, in fact, it's a 64-bit key, but eight of those bits are not used in the algorithm. They're just used for a parity check. So effectively, there's 56-bits for security purposes. And there are 16 rounds. We had two rounds, two applications of this function f. Desk has 16 rounds. And as a result, we generate 16 round keys. And they're all 48-bits in length. So there's an algorithm that takes our 56-bit key and generates 16 round keys. The initial permutation, because our blocks are 64-bits, is also a 64-bit permutation. Our function f, uppercase f, operates on 32-bits, whereas if you look in simplified desks, I think the light gray box, you'll see it operates on four bits at a time. And we had two S-boxes, S0 and S1. There are eight S-boxes because we have more bits coming in. And again, if you write real desk as an equation, we see we take the plaintext, an initial permutation just at the start, apply some function using K1, swap the halves, apply the same function using K2, swap the halves, and just keep doing that. You do that, apply that function 16 times. So the function with key 15, swap the halves, the function with key 16, and at the end, the inverse initial permutation. And the decryption is the same. So that we're not shown here the decryption. Same equation except here we'd use K16, 15, 14, K2, K1. We use the keys in the opposite order. We'll just quickly go through, and I'll show you some of the desk details. We're not going to go through in any detail, but just to give you an illustration that it's the same as in simplified desks, but bigger. The encryption algorithm, initial permutation, round one with K1, round two with K2, round 16 with K16. And then we finish with the inverse IP. And of course, we take a key as an input, and we generate those round keys using, for example, permutations and left shifts. We saw a left shift in simplified desks to get K1 and K2 and so on. And same in simplified desks. The operations, those permutations are defined and fixed. So they're always these values. For example, the initial permutation, the first bit, if you read it row by row, moves to the 40th position here. The second bit on the input moves to the 8th bit here, and so on. And the inverse, we see that the 40th bit moves to the first position, the 8th bit to the second position, and so on. You'll see some pattern there, those permutations. On their own, they don't add any security, but they assist in getting the correct ciphertext out. And again, the permutations, the expanded permutator defined, the different permutation functions are defined. And a single round, our function f of K, we take our halves, expand and permutate the right half, XOR with the key, S box, permutate, XOR with the left half, and we get our output. If you look back and compare the simplified desks, it's the same algorithm, the same steps. There are eight S boxes, not just two. We have 48 bits in. Each S box takes six bits as an input, so six lines here, and produces four bits as output. So we get 32 bits out. And the S boxes are defined. And similar, you look up the row and the column based upon the input, and it gives you the value of the output, a four-bit output. It's shown here as a number between zero and 15, a four-bit value. And the other operations. That's... For the block ciphers, the symmetric ciphers, that's the only one we're going to go through in any detail. In some later ciphers, maybe after the midterm, we'll see asymmetric cryptography. We'll go through some details, but they're in fact much simpler than this. There are many other ciphers, block ciphers. They have similar design principles. So let's comment about the issues with design of the real desks and the potential for attacks. One measure of the security of cipher, and it's related to the measure of how good it is against or the concept of diffusion and confusion, is called the avalanche effect. An avalanche is when something, say, starts falling, a small stone starts falling at the top of the mountain, and it knocks on other stones, and they knock on more stones. And at the end, many things are falling. It's a large fall of rocks and so on. It's known. So you start with something small and it contributes to changing many things as it goes. This effect is desirable in ciphers. And it's defined as a small change of the input should produce a large change on the output. That's the idea. So, for example, a small change in the key, if we have some cipher, we take one key and click with our cipher, we get some ciphertext. If we change that key by just one bit, then what we'd like is that the ciphertext as an output is changed by many bits. Changing just one bit on the input should change many bits on the output. That's desirable. It turns out that desk has this avalanche effect. That is, when you make a small change on the input, it'll make a big change on the output. And from that perspective, it's good in terms of security. Desk is considered strongly a strong algorithm. One of the reasons is because it exhibits the avalanche effect. Let's demonstrate with an example we will not calculate. We'll do two different cases. The first case, we take some plaintext input and it's shown in hexadecimal here. It's a 64-bit block. We take this plaintext one and we have a key, some key which will use the same value in both operations. We'll encrypt plaintext one with a key and we'll get some ciphertext. And then we'll do the same operation. We'll encrypt plaintext two with the same key and we'll get some ciphertext. The difference between plaintext one and two is just one bit. It's at 64 bits. In hexadecimal, we see all those digits are the same except the first digit. So in hexadecimal, if we convert to binary, plaintext one is... each digit is four bits, so zero here followed by two and followed by all the other bits, whereas plaintext two is zero, zero, zero, one and all the other bits are the same. So there's only one bit that differs in the input of the two different plaintexts. So we encrypt p1 with some key, get some ciphertext. We encrypt p2 with the same key and get some ciphertext and then compare the ciphertext. And this shows that it compares the output of not just the final ciphertext but each round. Remember in desks there are 16 rounds. So this is the input. Our plaintext one at the top and plaintext two below it. That's the input to our desks. And at the end, the output is here. This is ciphertext one, this is ciphertext two. But in fact we see the output of each operation or at least each round in this case. If this is the input to desks after the first round the output will be these two values. You can see that's similar. Almost the same. Turns out the only difference the number of bits which are different if we convert these two hexadecimal values to binary there's only one bit difference. So in the input there's one bit difference. The delta, the difference is one. And after the first round there's one bit difference. But in desks we of course we apply, we repeat the operation 16 times. After the second round there are five bits different in the output. And after the third round 18 bits and then we do seven we around 30, 32 bits differ. And at the end 32 bits differ in this example. Which is exactly what we want. What we want is if we change one bit on the input then we should randomly change bits on the output ciphertext. And if it's randomly changing bits half of them we'd expect to change on average. If you've got 64 bits of ciphertext then a different ciphertext a different ciphertext should differ by on average 32 bits, half of those bits. So we encrypt p1 we get out to the output at the end here c1 some value and also if we encrypt p2 with the same key we get c2 we want so if we have some bits here whatever they are then if we'd like c1 and c2 to be different on average then half of those bits should be different values. And that's what this counts here. But 32 bits were different which is exactly half in this case on average we'd like half. Sometimes it would not give us exactly 32. Changing one bit on input produces many bits changing on output. It doesn't show us which bits but it just counts the number of bits. We could determine by converting this to binary if you want. So in fact the goal is to produce half of the bits to be different which we achieve. In fact after about round 4 we achieve that. So we could have from that perspective stopped at round 4 after we do round 4 from the perspective of the avalanche effect of round 4. We've changed half of the bits but we keep going it doesn't hurt in terms of security it does hurt in terms of performance the more rounds you do the longer it takes to encrypt something. If we stopped after one round this cipher would not exhibit the avalanche effect because we'd have one bit change on the input if we performed just one round then the two ciphertext values c1 and c2 would be different and then an attacker can potentially use that information to take the ciphertext pairs and work out what this plaintext was. If we stopped after round 2 then 5 bits different again they are similar c1 and c2 would be similar 18 bits after 4 rounds then we start to get significant differences. So that's an illustration of the avalanche effect. Small change on input large change on output this is the case where we change one bit in the input plaintext where we keep the key fixed the same value we can do the same by keeping the same plaintext but changing the key value. Take one plaintext value encrypt it using c1 and then take the same plaintext and encrypt it using c2 where c2 differs from c1 by just one bit one bit change on input and in this example it produces 30 bits change on output around our half around 32 or close to 32 so same plaintext here but 2 different keys after 1 round we got 3 bits different 11, 25 and now we're around or close to our desirable goal of 32 bits different. If a wrapper exhibits the avalanche effect then we consider it's good in terms of security if it doesn't then that's a potential flaw that an attacker can take advantage of and DESC does exhibit the avalanche effect and also indicates that using 16 rounds is a good design choice if the designer chose to use 2 rounds it would not be a good choice why not use 10 rounds well it would be good from the avalanche effect it would be better in terms of performance but they need to make some decision somewhere and say the more we do the better for security but worse for performance and the decision was 16 seemed reasonable in that case you could do 100 rounds and it would be more secure but it would take more time to process the other part of the security of DESC so it's considered that the algorithm itself is secure but what about the key length what about brute force attack so from a security perspective only 56 bits are used for encryption 8 bits are for parity check so from the attacker only really needs to guess 56 bits we only care about those 56 bits so how long does a brute force attack take with a 56 bit key so 2 to the power of 56 possible keys which is that 70 billion or 70 million 70 million billion you can work it out what it is many, so 16 zeros that's the number of possible keys so what if we attempt to decrypt we've got a ciphertext we decrypt with the first possible key check the plaintext does it make sense if not, move on to the next one just try all the keys until we get plaintext that makes sense on average we'd have to try half of those keys to get the right plaintext so when DESC was designed or after it was released in 1977 people estimated how much it would cost to build a machine a computer perform a brute force attack they didn't build it, they estimated so this is what 40 35 years ago they estimated it would cost them about $20 million at that time which is quite expensive for a computer to build a computer that would break it in 10 hours in 1998 so 14 years ago the, what is it? the electronic frontiers foundation they built a machine that broke DESC so they performed a brute force attack it cost them $250,000 US and it took them 3 days to get the key so at that time DESC was considered insecure because for you and I this is expensive but for an organisation that wants to get secret information or a government organisation to break DESC so brute force attack was possible in that case so EFF just used commodity off the shelf computers and put them together and broke it in 3 days so 56 bits is considered too short against a brute force attack it's not long enough we need more bits so that's the primary problem with DESC the algorithm is considered secure people don't know of any well there are no known flaws in the algorithm that make it easy to break but the key length is too short so people took advantage of that they knew that the algorithm was secure or they assume the algorithm is secure they have implementations of the algorithm in software and hardware so, but the key length is too short so we developed triple DESC or three DESC which uses DESC but three times and there's two different ways you effectively instead of have a 56 bit key you either double the key length have two 56 bit keys or you can even triple the key length two well this is called 128 bit so two times 64 bits but of course some are used for parity check so to increase the key length just apply DESC multiple times using a different key each time we'll show some examples of that and see why triple DESC is needed and why double DESC using just two operations doesn't work maybe a bit later but definitely today what about other attacks and we're not going to describe them I don't know how some of them work in details but people have tried to do different types of attacks in theory mainly against DESC not doing a brute force but trying to take advantage of knowledge of the algorithm the implementation of the algorithm to try and break the cipher one type of attack is called a timing attack the encryption is implemented they're in software or hardware and each operation the X or the the S box takes some time what a timing attack does is they try to measure how long each operation takes and from that depending upon the input plain text the input to each operation it may take different time so from the timing of each operation try and work out what the plain text or key is so observing in a very small detail of nanoseconds so on what your hardware is doing while it's encrypting something with DESC and if you can make out if you can work out encrypting this sequence of bits or applying this operation took 5 nanoseconds but then the next round it took 7 nanoseconds then that difference in time can potentially be used to work out eventually what the plain text or the key was possible in theory but not very useful in practice A because it's hard to implement it's hard to get that information so when I'm encrypting something to measure what my computer is doing is not easy and B because it's quite easy usually to prevent the way that the implementations prevent or stop timing attacks is to add some randomness to the implementation so when your CPU is doing some processing different add some random delays in there which slows down the encryption but prevents a timing attack so in practice it's not useful against DESC another type of attack differential crypt analysis is to look at when you encrypt two different plain text blocks similar like the avalanche look how they evolve as you encrypt them after each round and from the differences try and then work out okay if you know the ciphertext and plain text try and work out what the key or the other plain text was in theory again it turns out if you use such approaches then there are techniques that can break DESC in 2 to the power of 47 encryptions our brute force attack takes 2 to the power of 56 so that's let's say that's the limit we'd need to do better than that brute force maximum number of operations is 2 to the 56 so when comparing attacks we normally don't talk about time we talk about how many operations how many encryption or decryption operations so brute force we need 2 to the power of 56 different operations in the worst case turns out if we can break DESC that is find the key of the plain text in less operations then that's better from the attacker's perspective with differential crypt analysis there are techniques that can break it in 2 to the power of 47 compared to 2 to the 55 that's the average this is the maximum let's write the average which is would take us 256 times less to break the cipher because the difference is a factor of 8 that is this attack is 2 to the power of 8 times faster than a brute force attack because if it takes 2 to the 55 operations here this takes 2 to the 47 operations that's 2 to the power of 8 a factor of difference or 256 so if our brute force attack took a year on some computer then this would take a day or two still not significant okay 256 times is okay but it's not not great in some cases the problem with such an attack is that it takes advantage of and requires chosen plain text remember when we spoke in one of the first lectures in general the types of attacks the more information the attacker has the easier it is to attack and we listed the what do we have we had chosen plain text chosen cipher text a combination of the two so depending upon what the attacker could know it made it easier as they knew more information in this case if the attacker can choose plain text get the corresponding cipher text for each of those plain text values then using that information they can try and find the key and they can find the key in 2 to the 47 operations so long as they have about 2 to the power of 47 plain text values which in practice is impossible 2 to the power of 47 different plain text and the corresponding cipher text to get those values is almost impossible that is what 100 it's almost it's almost a million billion different plain text values 10 to the power of almost 10 to the power of 50 so in theory possible but in practice not very convenient because the attacker would need to get those plain text values store them somewhere and then they perform the attack another approach linear crypt analysis is to try to find some linear approximation some equations that approximate the relationship between the cipher text and key or cipher text and plain text and from that try and work out what the key is and it turns out using that the technique is a little bit better 2 to the 43 operations so 16 times better or faster than this but actually sorry that's wrong using 2 to the 43 known plain text I think in terms of the effort it's similar to this one around 2 to the 47 but for it to work again you need a lot of known plain text less than this but not many so in theory attacks are possible in practice desk the algorithm is considered secure but the key length is too short that's the problem so brute force is possible finally about the design of desk it was designed as we said at the start of this this topic designed or standardised by NIST in the US but designed originally by IBM and the NSA in the US and the design was done in private that is a company and an organisation come up with a design known else knew how they made the decisions why did they choose the S boxes as they were why did they choose 16 rounds not 20 rounds and therefore there are some questions about the motivation and some people had doubts as to whether possibly it was designed such that some organisations could break it if they knew about the motivation for the design but it turns out in most cases it's considered still considered secure after a lot of analysis it's been around for 40 years people have tried to break it but it's still considered quite secure turns out the S boxes work quite well they provide confusion in the output people have done analysis to show that if you took the S box of des and changed it by just a small amount the output would be much less secure which suggests that the design is designed in a way that it produces a secure output so the S boxes were designed to provide confusion in the output whereas permutations to increase the diffusion in the output is a summary of the design principles of des algorithm is secure key length is not we're going to look at the extensions the algorithm is good key length is not so the first approach is you apply the algorithm two times and use two different keys that effectively increases the key length doubles it the same algorithm which is an advantage leading to triple des and then we'll list some other ciphers but we'll do that after the break because it takes to give some example there it takes a fair bit of time which I think we'll not try to rush it right now let's try and look at another example we'll come back to that how long have we got 20 minutes let's start it and then we'll do the example after the break that may be easier so since people consider the algorithm for des to be good but the key length not to be good they wanted to design a new cipher that uses the same algorithm but increases the key length the advantage is that of using the same algorithm is that you know it's good you don't have to test it much more and you've already got software implementation so you can reuse the software and hardware so that's an advantage of continuing to use des and the approach quite simply is encrypt multiple times but with different keys and we'll go through the cases double des is you encrypt twice so we'll see on subsequent slides single des we take des we encrypt let's instead of give the name let's just say e to encrypt we take some plain text as input and we get cipher text as output and we take a 64 bit key that's single des or normal des so for double encryption take our plain text encrypt that with a 64 bit key let's say k1 and then take the output of that encrypt that with a different 64 bit key k2 and get our cipher text that's all so the same algorithm here this is des used encrypt with a 64 bit key we get a 64 bit output then encrypt that 64 bit output again using a different key and we get our cipher text again still 64 bit blocks on input and output double des from a brute force attack in single des they need to try 64 bit key 2 to the power of 64 or we know that in fact only 56 bits are relevant but we often refer to it as a 64 bit key with double des the attacker has to guess both of the key values because there's no good knowing just one because if you know k1 you need to then work out what value of k2 is given to give the cipher text so in double des the attacker would need to know both key values k1 is 64 bits k2 is 64 bits effectively we have 128 bits that the attacker needs to guess so they're 2 to the power of 128 possible keys as opposed to 2 to the power of 64 possible keys so that's the idea of combining the ciphers together use the same algorithm just apply it twice and use a different key each time let's work that out let's simplify and let's say we have a 3 bit key even simpler 2 bit key instead we have a cipher that takes a 2 bit key as an input so the values we know there are 4 values so the attacker has to guess which key it is so if it takes a 2 bit key then there are 4 possible 2 to the power of 2 4 possible keys so a brute force attack in the worst case we need to try all 4 apply the same algorithm we have a 2 bit key here and another 2 bit key here so what are the possible values k1 and k2 can be any of those 4 values how many combinations do we have we have 16 combinations because we could have 00 and 00 k1 and this value of k2 we have 00 01 00 and then so there are 4 values then we have 01 00 so effectively we have a 4 bit key in this case so 2 plus 2 and so the number of keys is 2 to the power of 2 plus 2 in this case which is 16 and hence if we have a 64 bit key it increases the length up to 128 bits it doubles the length the problem with double des although the key length is doubled the amount of effort to break it is not doubled is not much stronger than the amount of effort needed to break single des we'd expect we'd hope if we had 2 to the power of 64 for single des then we'd hope we'd take 2 to the power of 128 operations to double des but it turns out that's not true there's another attack that we can perform such on double des the amount of effort to break it is about the same as single des about twice as single des 2 times the effort is about the same that is if it takes 1 day to break single des and 2 days to break double des then they're both considered insecure 1 day 2 days no one cares, that's still insecure same as 1 year 2 years well we just buy a double the speed to computer or spend twice the money and we can break it so the effort needed to break double des is not proportional to the power of 128 it's about the same as single des and that's what led to triple des which increases the strength we want to explain why double des is not much better than single des then we'll finish on triple des so this is double des or double encryption to encrypt we take our plain text apply the encryption operation of des with a 64 bit key this could be confusing sometimes I say 64 bit key sometimes I say 56 bit key for des just remember des takes a 64 bit key as input but only uses 56 of those bits so in fact from a security perspective the attacker only needs to guess 56 bits I'll try and use 56 instead of 64 so we take a key as input we encrypt we get some values output let's say some value x then we encrypt that again using the same cipher but using a different key k2 we get our ciphertext and the decryption is the opposite take our ciphertext apply des the decryption form of des using k2 we get x where this x should be the same as that x because if we encrypt you look at this top picture and go backwards decrypt with k2 should give us x take x decrypt with k1 should give us p back and that's all this shows the decryption algorithm so if we encrypt our plaintext once with k1 we get x and similar if we take our ciphertext and decrypt with k2 we'll get the same value x and that's where a flaw in this algorithm comes in because what an attacker can do is what's called a meet in the middle attack try and find x and from that work out what the correct key is so since we have 256 bit keys giving us a key length of 112 bits we would hope that would take on average 2 to the power of 111 operations in a brute force attack but it turns out if we apply the meet in the middle attack it takes around about 2 to the power of 56 operations about the same as single desk how does it work we'll describe the approach here and then after the break I'll go through an example that illustrates it what the attacker does is first they need to know some pairs of plaintext ciphertext so the attacker must know here's a plaintext value p1 and it knows the corresponding ciphertext c1 which was obtained by encrypting with k1 and k2 so let's say in the past the users have encrypted some plaintext with k1 and k2 obtained some ciphertext and the attacker they don't know the key k1 and k2 but they have found the value of p1 and c1 they know a pair of plaintext ciphertext and possibly they most likely need to know multiple pairs more than just one so that's an assumption in this case that the attacker has somehow found some pairs of plaintext ciphertext so a known ciphertext a known plaintext attack they don't have to choose the values they just need to know any values and the aim of the attacker is to find k1 and k2 the attacker knows two plaintext ciphertext pairs in this case pa ca pbcb let's denote them what the attacker does is takes the first known plaintext pa and does a brute force attack using single des that is they encrypt with all known values or possible values of k1 to get multiple values of x this is our double des operation on the previous slide what the attacker does is that they take pa a known plaintext value they know that pa was encrypted with some key k1 and k2 and it produced ca as an output so what they do is they take pa and do a brute force attack they encrypt pa with all possible values of k1 how many possible values of k1 in our case 2 to the power of 56 56 bit key they need to try 2 to the power of 56 possible keys and as an output of that so this is just this operation they'll get 2 to the power of 56 values of x if we encrypt the same plaintext with all these keys these values of x as an output whatever the values are x1 up to x 2 to the power of 56 and then what they do so they store those values of x they may sort them in a table and then they take ca the ciphertext value and they come from the other direction they take ca and they decrypt ca using possible values of k2 and the value that they get as an output if it matches one of these values of x that it indicates that the value of k2 and the corresponding value of k1 is a possible is the possible key it may not be the exact key but it could be one of the it could be the key why there may be multiple shortly so coming back here first step take the known plaintext encrypt with all possible values of k1 you'll get many values of x next step take the corresponding known ciphertext decrypt with all possible values of k2 2 to the power of 56 values take ca and k2 and try all the values to the power of 56 getting confused and we'll get many values of x and remember that the value of x when we encrypt p with k1 and then encrypt x with k2 and get the ciphertext if we decrypt this value in the middle should be the same if we use the same key so if one of the values of x from this set matches one of the values of x from this set then that's an indication that the corresponding k1 and k2 is the correct key but it may be that there are multiple matches and if there are multiple matches you need to do the same step of the set of possible keys but using a different plaintext pair so using for example pb and cb so you do a brute force attack on k1 and then similar on k2 2 to the power of 56 operations and then it turns out most likely you'll find a pair of one value of k1 and a value of k2 that gives us the same x and that means that value of k1 and k2 can possibly be the key if they're not the same value of x it means those values of k1 and k2 are definitely not the key if we have multiple values we need to check which one's the correct one assuming we get one value here of x let's say x10 and here at x 1043 and they are the same and there are no other values of x in this set that match the values of x in this set if just this these values are the same then that tells us for sure that k2 1043 and k1 the 10th value combined is the key so the key that the normal user used was the 10th value of k1 and the 1043 value of k2 because they give the same value of x the value in the middle if it works if there's only one match here then how many operations did we do how many encrypt or decrypt operations were applied in that case we did a brute force attack on the first key how many operations 2 to the 56 operations here and then effectively we do in the worst case a brute force on k2 how many so 2 to the power of 56 plus another 2 to the power of 56 how many is that 2 to the power of 57 operations just twice as many as the normal attack and if we find the key in that case that's it we're done so we don't need 2 to the power of 112 operations we need 2 to the power of 56 operations or approximately which is twice as many as we need with single desks on average we need 2 to the power of 55 operations with double desks to break it we need 2 to the power of 56 operations and that's where double desks is not much secure than single desks because if single desks takes $10,000 to break then double desks takes $20,000 to break in the same time you just double the compute power so double desks is not considered secure let's try and go through an example of that but after the break the last 5 minutes let's look at one one example of the brute force attack this is not seen where is it unsuccessful this is just a few pictures from some different websites and some details about the attack that was performed on desks we said before that in 1977 they estimated it would take about $20 million to build a computer to break desks by brute force attack and in 1998 EFF the electronic frontiers foundation built a machine that broke desks called deep crack so using some commodity hardware it cost them less than $250,000 US dollars and in 56 hours it found a key so given some key it could find that by just trying them all it performed about $80 billion, $80 by 10 to the power of 9 keys per second so that's the speed it could perform that machine so it just tries many keys, gets the plain tax until it gets the right one some people have come up with other hardware to do it and this is one example this software from some German universities and some German company this is again still quite 6 years ago, 2006 but newer they just used some dedicated hardware to break desks and some FPGAs they had these boards of I think 12 or 16 FPGAs on a board like this so they dedicated hardware circuits to break desks to try many keys and each FPGA could do 400 million keys per second and they had 120 out of them 120 of them so 120 times that is the number of keys per second so they got it down to about 9 days so that's 6 years ago and it cost them $10,000 so because computers are becoming more powerful then the cost and the time to break the ciphers goes down and at about the same time a Pentium 4 at that stage so that's the typical computer then could do about 2 million keys per second whereas the FPGA 400 million about 200 times faster than a normal Pentium 4 given that here's some approximate numbers because approximately according to Moore's law the speed of computers doubles every one and a half years so if we assume that so your computer now in one and a half years time the same cost computer will be one and a half times faster in other words for the same power the same compute capabilities you have the cost every one and a half years if we assume that then now in 2012 using that old hardware $600 $625 to break desks so using the same approach so anyone can do that given that same simple analysis it's more complex than that but following that same simple approach then how much would it cost to break a longer key that was on a 56 bit key then every time you length by one bit you double the cost because you double the set of keys from 56 bits to 57 bits increase of one bit we've got twice as many keys and therefore with the same computer it would take twice or the same compute capabilities take twice as much cost because we have to build double the strength of computer so with 64 bits today about $160,000 this is in US dollars 70 bits so increased by 6 bits to just 70 bits you're at $10 million to break that using the same techniques what about in 15 years time so let's say you want to encrypt something now and you want it to be secure over the next 15 years so that no one in 5 years time can use a faster computer and break it or even in 15 years time then 70 bits in 15 years time $10,000 so not so hard for a small company to break that 100 bits in 15 years time with this increasing computer strength 10 what is it 10 trillion dollars so again even a a large government cannot break 100 bit key in 15 years time so nowadays 128 bits is considered secure and what's recommended because it's again much much harder to break than just 100 bits so that gives it an approximation of the amount of effort or cost involved in brute force attacks increase your key length by one bit you double the effort involved or double the cost involved so it doesn't take much to make it possible we'll have a break and after the break we'll go through an example of how to break double deaths check your quizzes ask me questions