We're talking about block ciphers, and we've mentioned that one of the earliest ones, and widely used, was DES, the Data Encryption Standard. To demonstrate how it worked, we went through an example of simplified DES, so a cut-down version, just a toy version of the real DES, and we went through an example where we took an 8-bit input plaintext and produced an 8-bit output ciphertext. It used two rounds. So we went through those steps of key generation, encryption. Remember, it's really made up of permutations and substitutions, P-boxes and S-boxes. The permutations just tell us to rearrange the bits in a fixed manner. It's always used in the same permutations. And the substitutions, again a fixed, the S-boxes defined, that take some bits in and substitute them with some other bits as defined by these two matrices. And we went through, and our example we went through took a long time to go through for one round, and I gave you the solution for the ciphertext. So we got to a point where we swapped the halves, and then you do everything again, which you did for homework, and you should have got this at the end of the second function. The last operation is the inverse initial permutation. You take this in, and the ciphertext, the answer, was these 8-bit: 0 1 1 0 1 1 1 0 1 1 1. So that's the simplified DES, and real DES uses the same concepts, but on larger blocks and more rounds.

Just briefly, the inverse initial permutation. What is it? How do you find it? Right, an inverse operation: if you apply the normal operation on some input, so we take some input, we apply IP, we get some output, then if we apply the inverse we should get back to the original input. That's what an inverse is. That is, if we take eight bits, apply IP. What is IP in this case?
It's defined. We get the bits rearranged such that the second bit becomes the first bit, and so on. The inverse of that should be such that when we take our output eight bits, apply the inverse, we should get our bits back in the original order. That's what the inverse defines. So you need to work out what that is, and I can't remember what it is: four one something, four one three five seven two eight six, something. Okay. All right, so just remember an inverse operation is that if we apply that operation followed by the inverse, we get the original input as output. That was a minor thing. Any questions on simplified DES?

So maybe unsimplified DES, the real one. First, in simplified DES we got to write the operations as a set of functions. For example, to obtain the ciphertext, we take as input plaintext, we apply the operation of the inverse of the initial permutation, we apply some function f using key K1. So that's a shortcut way we can write that, where that function is in fact a set of steps, much more complex. Then where we swap the halves, then we apply the function again, but using K2 as input, and then we do the inverse initial permutation. And if you look at the decryption, it can be written as this: take the ciphertext, apply IP, apply our function with K2, swap the halves, apply the same function with K1, inverse initial permutation. They are the same operations between encryption and decryption. The only difference is that we use the different inputs. So of course encryption takes plaintext, decryption takes ciphertext, and we use the keys in the different order. So that's a nice feature of algorithms which, when the encrypt and decrypt operations are the same, we can use the same code, the same hardware to implement it. That's useful.

How good is simplified DES? It has a 10-bit key, meaning there is a thousand and twenty-four keys. You can do a brute force attack very easily.
So that's not good. The operations that it uses, it's quite hard: if you know a pair of plaintext, ciphertext, so you know that this ciphertext was generated by encrypting this plaintext, then it's hard to find the key. There's no proof of how hard it is, but it's just demonstrating these concepts of permutations and substitutions makes it hard to find the key given a pair of plaintext, ciphertext. So that's a good feature.

Compare it to real DES, which is what we care about. Some numbers here that compare. Simplified DES takes 8-bit blocks, real DES 64 bits. So we take 64 bits of plaintext at a time. Real DES uses 16 rounds. That is, not just two, but we do it 16 times. But it's the same thing, the same function is just repeated 16 times. Few other numbers there. We actually start with, and I've said it before, we start with a 64-bit key. We throw away eight of the bits, giving us effectively a 56-bit key, and we generate 16 round keys. So 16 sub-keys. In simplified DES we created K1 and K2, just two round keys. The initial permutation is 64 bits, and a few other numbers there. There are eight S-boxes, not two. And the encryption algorithm basically looks the same as simplified DES, but extended. Take the plaintext and initial permutation, apply our function with K1, swap, apply the function with K2, swap, and so on. Keep repeating and do that 16 times, and then the inverse initial permutation. Those details, and again just here for reference, listed in the next few slides. So these are taken from the textbook, some pictures that show the design of real DES. But if you have a look you'll see it follows what we've seen with simplified DES: IP, round 1, round 2, round 16, and then the inverse. To do that we generate keys, sub-keys. The key generation uses left shifts and permutations. What is the initial permutation was defined here, again known,
known to the attacker as well as those encrypting, and the inverse. But since we have 64 bits, it tells us, if you write those 64 bits down, how to rearrange them. The 58th bit goes into the first position, the 50th bit into the second position, and so on. Expand and permutate, the different P functions. The details of one round, which is the same, the same concepts as simplified DES: take our left and right half, expand and permutate, XOR with a key, S-box, permutate, XOR with a left half. So that's the same concepts that we saw with simplified DES. And there are different pictures that try to illustrate that. The S-boxes are given there. There are eight S-boxes. It's looked, because it's a larger matrix, it's a slightly different way to look up. I think it takes six bits in and produces four bits out, and a few other details.

Let's go to the design issues. Is it good? What are its weaknesses, is what we care about. First we'll say that generally people consider DES to be a strong algorithm. The key is bad. The key length is too short. Brute force attacks are easy. But the algorithm design itself, consider it was designed 40 years ago or so, is considered still good today, effectively. That is, there are no large weaknesses that have been found in it that have been publicly available. There are some theoretical attacks on it, but we'll see that they're not really practical, except for a brute force attack.

One way to measure how good a cipher is, there are different ways. Okay, how do we know if one's better than another?
One way we'll introduce here is called the avalanche effect. So we'll explain it, and then we'll say that DES has this feature, which is a good thing. Remember, we'd like ciphertext to be random on the output. So we take some structured plaintext, produce random-looking output. The avalanche effect is some way to measure that if we take two different inputs which are similar, that the resulting outputs will be very different. And in fact it can be used to measure how good that is as the cipher is applied. So I'll explain it with a couple of examples. First, just some basic concepts. With real DES we take 64 bits in, just a reminder, and we get 64 bits out. Consider two outputs and two inputs. So we take P1 as in, and what comes out when we encrypt with DES is C1, and we take a different plaintext P2 and encrypt using the same key, we get C2. So DES with, say, key K1: encrypt plaintext one, we get C1; encrypt plaintext P2, we get C2. In both cases using the same key K1. What we'd like is the two different plaintexts, which are very similar, should produce two different ciphertexts which are very different, or again random-looking ciphertext.

How different should C1 and C2 be? If we compare two different ciphertexts, how many bits do you expect to be different? 64 bits would be different. So let's say C1 is all zeros, you would expect C2 to be all ones. So think about the two ciphertexts that come out, and think, if you want to measure how are they different, by how much are they different on average, if you compare two different ciphertexts, how many bits do you expect to be different?
It should be about half on average, if you think about it. Let's say that the ciphertexts are random: a random sequence of bits C1, and C2 is another random sequence of bits. On average you would expect half of them to be different, not all of them. You would expect half of them to be different. So what would we aim for, if we compare the two, C1 and C2? Generally, if we compare any two ciphertext values, we'd expect them to differ by, to be different in, 32 of those 64 bits. That's the aim that we like if we were producing a measure of random ciphertexts. They always differ, not just by one bit. If I think C1 and C2 differ by just one bit, yes, they are different, but we say they're very close to each other. Okay, sometimes they may be different by just one bit, some may be different by 64 bits, some by 60 bits. On average, if we compare all sets of ciphertext pairs, then we'd expect them to be different by 32 bits.

If you don't believe me, or if you don't understand that, then try it. Choose some random ciphers, random numbers, but let's say with four bits. Get to choose two random four-bit values and compare the number of bits. Count how many are different: is the first bit and the first bit the same, and so on. Then do it again with another pair of random four-bit values and count how many are different, and keep doing it many times. And take the average number of bits which are different, and you should get about two in that case, half of the number of bits. Sometimes many bits will be different, sometimes few bits will be different; on average half of the bits should be different. So that's what we expect.

Given that, the avalanche effect is the way to measure that if we take two inputs which are very similar, maybe differ by just one bit, we'd like the two outputs to be very different, and by very different,
we mean on average differ by 32 bits. That's what we'd like. And we can use this to measure: does this algorithm have the avalanche effect? Does a small change lead to a large difference? An avalanche is something small moves at the top of the mountain and it has an impact on other parts of the mountain, and at the end there's a large impact, that is, all the snow or rocks are falling down. The same here: a small change in the bits at the start should cause many bits to change as we go through and apply our cipher, such that at the end we have many bits different. That's the idea.

Let's see the example to explain that. The way to test: take our cipher, take two different inputs, say two different plaintext values. And in this example plaintext one is this, it's written in hexadecimal, but a 64-bit value, and plaintext two is another 64-bit value, where it turns out they differ by just one bit. If you convert those numbers to binary you'll see here the first will be what? 0 0 0 0, and the second would be 0 0 0 1. All the other bits would be the same. So the two different plaintext inputs differ by one bit. We'll encrypt them with DES using the same key, and this is the output after we go through each round in DES. I'll explain what this means. So we start with two different plaintexts, P1 and P2, and this column, delta, shows us the number of bits which are currently different. Currently it's one to start with. Remember DES uses 16 rounds, and this table reports after each round the current output and counts the number of bits. So if you encrypt P1, after the first round you end up with 3cf, so on. And if you encrypt P2 you would end up with a very similar value. In fact after the first round they differ just by one bit, same as the input. But then if you encrypt again, that is, you use the second round of DES, so this is internal to DES, you get the other two different outputs, but they differ by five bits. And if you try, measure after the third round and keep looking, after about four or five
rounds you'll see the difference between the outputs is around 30, or varying around 32. So it gets up to 34, 37, it comes down, and then goes up and down. We'd like it to average out to be around 32, because that's what we'd expect: two different inputs produce, on average, 32 bits that are different on the output. What this is showing is two things. First, after applying DES, all 16 rounds, the input values differed by one bit, the output values differed by 32 bits, which is right on the average that we expect. That's a good thing. Two different inputs will produce two completely different outputs. But another characteristic we see in here is that internally in DES, after just three or four rounds, we start to get completely different outputs. So the subsequent rounds really are not doing much in terms of adding randomness to the output. But they are included just to make sure, for sure, that it will be random on the output. The point is that we get to this random-looking output quite quickly, which is a good thing. If DES was designed to just use two rounds instead of 16, then in this case the output would differ just by five bits, which would be bad, in that the output is very similar and the input is very similar. But if we go for four rounds then it would have differed by 34 bits, which is good. If we implemented just six rounds, also is quite good. Remember that we only expect on average to be 32; sometimes it will be more, sometimes slightly less. But around 32 is what we expect. So this is showing two things: that DES has this avalanche effect, in that two different, very similar inputs produce two different-by-a-lot outputs, two random-looking ciphertexts, and that the use of rounds helps. After a few rounds it's maybe not so good, after two or three, but after four or five, six, it achieves our aim. Other ciphers can be tested in a similar way, and see, well, how many rounds do we need? Do we need 16? Why not go to 32 rounds or a hundred rounds?
Any? Performance is a problem. The more rounds, the more time it takes to encrypt, so it's a trade-off between few rounds to make it encrypt fast and more rounds to make it more secure. So the designers chose 16 as this reasonable trade-off of, you want more than enough to be secure. Seems like five or six are enough in this simple case.

This was changing the plaintext by one bit. The alternative: encrypt the same plaintext, but use a different key. So the second example shows that case. Plaintexts are the same to start, the delta is zero, but we use a different key, differs by just one bit. As we go through we see we get to about, close to, 32 after a few rounds. So the avalanche effect is present in DES: small changes lead to large changes. That's a good thing about the design of DES, and there's one measure of that it is a good design. And it's something we saw, I'll jump back to it just to remind you. It's something we saw, the concept here. Remember in our rows columns cipher, we had an example where we encrypt once, we get some output which had some structure, the characters were differing by seven. But we encrypt again, we apply a second round, and we get a more random-looking output. This is this concept of repeating the basic operations can give more random output as we go. So DES is good with respect to the avalanche effect.

The key size of DES is bad. It actually starts out, you must choose a 64-bit key, but eight bits are used for parity check, which means you only use 56 bits in the encryption. So an attacker really only needs to work out 56 bits. 56 to the power of 56 is about seven, what is it, 70 million billion keys. In 1998 an organization built a machine which would break DES using brute force within three days. It cost 250,000 US dollars. Nowadays it's considered too easy for brute force attack.
So 56 bits is too short. How to improve that? Use a longer key. And we'll see shortly that there are versions or modifications to DES: instead of encrypt DES with a 56-bit key, encrypt two times using two different keys, effectively doubling the length of the key. Doubling what the attacker needs to guess, not, sorry, doubling the length of the key. Make it much harder for the attacker to guess. And even triple DES, 3DES. We'll explain that in a bit of depth in the next few slides. Use the same algorithm, but use a longer key.

There are other theoretical attacks on DES, and we will not get a chance to cover them. I do not understand all of their details. Timing attacks involve looking at how long it takes the hardware to encrypt something. When you encrypt using two different inputs it may take a different amount of time, and try and work out, by measuring the time it takes the computer to encrypt or decrypt, and try and work back what is the key given those time differences.
That's the general concept of timing attacks. By observing how long it takes the implementation to encrypt or decrypt, you can learn something about what the input was. There are no known useful attacks on DES in terms of timing attacks. Timing attacks can be prevented quite easily by just adding some random variations to the implementation, but they reduce the performance.

There are some theoretical attacks called differential cryptanalysis and linear cryptanalysis. Differential cryptanalysis looks at, similar to the avalanche effect, take two different plaintexts and observe how they're modified as we encrypt them, and try and use that information to work out what the key was. The attacks on DES can defeat DES, that is, find the key, by applying 2 to the power of 47 encryptions. Remember brute force would take 2 to the power of 56 in the worst case. With a 56-bit key, brute force would take 2 to the power of 56 encryptions, or on average 2 to the power of 55. This attack is much better in that it takes less operations and therefore less time. 2 to the power of 47 is, what, maybe 250 times less than a brute force attack. So if a brute force attack took one year, then this attack would take maybe one or two days. That's the comparison. So it's faster to break DES, but the problem is that to work you must have some chosen plaintexts. What's a chosen plaintext? Remember that confusing slide on the different attack classifications. Chosen plaintext. What's the definition? What's a chosen plaintext attack? If you can't remember, go to that slide that lists them. Go back and find chosen plaintext. We know the algorithm.
We know the ciphertext in all cases, and we've been able to choose a plaintext, get someone to encrypt that with the same key, and get the corresponding ciphertext. Maybe we'll just explain that a bit more.

So brute force on DES: how many operations to brute force? The worst case is that we have to try every possible key. With 56 bits, 8 bits are unused, with 56 bits, 2 to the 56, I'll say, operations. Whether it's an encryption or a decryption it doesn't matter, because they in fact take the same amount of time. So to break DES it takes two to the power of 56 operations. We could convert that to time if we knew how fast our computer was to do one operation, but we usually compare in terms of how many encrypts or decrypts. What's the average case? By worst case I mean the attacker tries all the keys, and once they get the right key they stop. The worst case is that the last key that they try is the right key. Okay, we try every possible key, we're very, very, very unlucky, and the last one we try is the correct key. That's the worst case. What's the best case? One. Okay, I start choosing keys to try randomly and I'm very, very, very lucky, and the first one I choose is correct. That's the best case. What's the average case? It's half of the worst case. That is, sometimes we'll be very, very, very lucky, sometimes very, very unlucky, and other times in between. If we take the average of all those cases it will be half of the worst case. And that's what we often care about, either the worst or average case. It'll be two to the power of 56 divided by two operations, which is two to the power of 55. Okay, not much difference really. If it takes me one day in the worst case, it takes me half a day in the average case. We save a bit, but not much. That's the brute force on DES.

To do a brute force, what do we need to know? What does the attacker need to know? The algorithm, that we're using DES.
Well, we always know that. What else? They don't know the key, they're trying to find it. To do the brute force attack, not after but before, we need to know the ciphertext. That's it, really. All we do is take the ciphertext, decrypt using DES, and then check if the plaintext is correct or not. And we assume that we can check that it's correct or not. If not, try another key.

Let's consider a different attack there. What was a linear cryptanalysis, where we had, we said known plaintext. Come back, that is, sorry, differential cryptanalysis, this one, where we have chosen plaintext. I've made a mistake, don't copy me. Chosen. I'll write the full name, differential cryptanalysis. It's a chosen plaintext attack. Okay, so there's some attack where they take advantage of, when you encrypt two different plaintext values, you compare how the output differs and how the algorithm progresses, and try and work out from that some part of the key, and you do it many times, you can eventually find the key. The analysis of this says that on the average case they can do it in 2 to the power of 47 operations. So that's the measure of time. So it's much better than brute force. It's faster, 2 to the power of 8 times faster, or 256 times faster than brute force. So that's good in this attack. But what is known by the attacker in this case? Again, we assume the attacker knows we're using DES. It knows the ciphertext, doesn't know the key. Chosen plaintext means that in addition we know that there's some plaintext, I'll denote as P1, and some ciphertext C1, and the ciphertext was obtained by encrypting the plaintext with the same key as what we're looking for. Okay. So the key we're looking for was used to encrypt P1 and obtain C1, and we as the attacker know P1 and C1. We don't know the key.
We're trying to find it, and this P1 was chosen by us. That is, I chose the exact plaintext as the attacker. For example, what I did somehow is I chose the plaintext to have some structure which I know will start to reveal a weakness in the algorithm. I choose a plaintext and somehow I get the person to encrypt that and send me the ciphertext. Maybe that's possible. Okay, you, the encryption is happening as part of some, or I get you to believe that the plaintext is from someone who you are communicating with, you encrypt it and send the ciphertext, and now I've discovered that plaintext and ciphertext. I still don't know the key. So there are ways in which we can get someone else to encrypt. This attack assumes that I can choose the plaintext and find the corresponding ciphertext, but I don't know the key, I'm trying to find it. And I chose the plaintext based upon my knowledge of the weakness of the algorithm. And I don't just do one pair, but I have another pair. I've managed to do it multiple times. This attack assumes how many pairs are known? Not 47: 2 to the power of 47. P 2 to the power of 47, C 2 to the power of 47. So this is a theoretical attack where it assumes the attacker knows the algorithm, the ciphertext, plus 2 to the power of 47 pairs of plaintext, ciphertext, where for all of those pairs the attacker got to choose the plaintext. That's practically impossible for the attacker to be able to do that. It would take a long time to get someone to encrypt that many pairs. So this is a theoretical attack, and the weakness is that the attacker needs so many pairs of plaintext, ciphertext. So it's faster than brute force only if we know all these pairs, and 2 to the power of 47 is what? Again close to a million billion different pairs of plaintext, ciphertext. So it's a theoretical attack in this case. We call them known plaintext pairs. Maybe again,
I make this mistake: chosen plaintext, not just known. Not just any plaintext, but plaintext values which I as the attacker got to choose. Chosen plaintext pairs. And that's hard for the attacker to do in practice, to be able to get someone to encrypt all those pairs that I get to choose. So in fact, attacks on ciphers, we don't just measure with respect to time. We measure with respect to how much information is needed to do the attack.

Linear cryptanalysis. There's another type of attack. The idea is that the substitutions and permutations, try to write an equation, I think you try to write a linear equation that takes as an input the plaintext and produces the ciphertext, and then solve that equation or invert it. That's the idea. There's an attack that will break DES in about the same time as this one, about 2 to the power of 47 operations. It requires 2 to the power of 43 known plaintexts. Known plaintexts are plaintext values of any structure; they don't have to be chosen by the attacker. So that's a little bit better, but still 2 to the power of 43 is again a million billion different messages have to be encrypted. So it's not practical. So there are theoretical attacks on DES, but the only known successful ones are really, well, the only practical ones are brute force.

Questions before we move on from normal DES? So this is coming back to those classifications of attacks. We've given an example of a chosen plaintext. The idea is for the linear approximations, and not of course simple linear equations, but to try and, because it is not a linear equation, because the substitution box, the S-box, is non-linear, therefore you cannot write a linear equation, but get an approximate linear equation that can try and then help. So try and write any form of equation that will help you with discovering the key or plaintext without, with just the ciphertext, but they're not something you just easily write down, they're very complex approximations. DES was designed many years ago.
It was designed in private. By that we mean that the design decisions were not made open to the public. So the research community, when they were designing, were not aware of how the designers chose the different parts of it. Like, how do they choose the S-boxes? How did they choose those permutations? So that's a problem with DES, and therefore there are many questions about, is it secure? Maybe the designers designed it such that they know of a weakness but no one else knows of. It turns out, after a lot of analysis, people believe that the S-boxes are good. They were designed well. They provide increased confusion. So we'll come back and define confusion, and diffusion as provided by the permutations.

So remember we skipped one slide, diffusion versus confusion. Diffusion is maybe the simpler one to think of. Diffusion is, if you take inputs, plaintext inputs, that input should affect many possible output characters. We should diffuse that input across all the possible outputs. It's related to, for example, the frequency analysis of our letters. Remember, if there was a letter A in our input in the Caesar cipher, then there'll be a corresponding letter that occurs at the same frequency in the ciphertext. We'd like to diffuse those statistics, spread them out. That's what diffusion means. Let's go back to the definition. Where was it? Principles. Diffusion is about reduce the statistical nature of the plaintext when we get the ciphertext. If the plaintext has twelve percent E's, we'd like the ciphertext not to have 12% of one character.
We'd like to have the characters spread out. That's the concept of diffusion, and the way is that the value of a particular plaintext letter, if we consider our traditional ciphers, should affect many output ciphertext letters. And the way to apply diffusion is to use permutations and repeat them, followed by some function like the round function in DES. So the design of DES follows this concept: spread the statistics of the plaintext out across the ciphertext, so they're no longer present.

Confusion: make the relationship between the ciphertext and the key confusing, or complex is a better way. That is, if you know the ciphertext it still should be hard to find the key. So that's maybe the simplest view of confusion, is to make the relationship between those two entities very, very complex. Because again, the attacker knows the ciphertext, they want to find the key. So that relationship between them should be hard for the attacker to find the key. If it was a very simple relationship, maybe we could write a linear equation that, given the ciphertext, work back and find the key. The way to implement confusion generally is to use complex non-linear substitution algorithms, like the S-boxes in DES. The S-boxes provide confusion, and the concept of many permutations followed by a function, the round function, provides diffusion. They are hard concepts to understand sometimes. Claude Shannon came up with these concepts. Remember Shannon capacity? The Shannon capacity, the same guy, came up with concepts of confusion and diffusion, and also analysis of the one-time pad, because it turns out analyzing communication systems, the amount of bits we can send across a link, is similar to analyzing how can we represent
plaintext bits which have some structure in efficient manners of ciphertext which have no structure. So there's similar concepts of encrypting information and trying to send as many bits as possible across some channel, and Shannon studied a lot of those features.

Enough on DES, I think. Let's scroll back to the end to summarize. I think DES was one of the earliest widely used symmetric key block ciphers and has influenced many other ciphers. It's no longer recommended or used because the key is too short. But one concept we can do, because the key is too short, is to have a longer key but use the same algorithm. Because many people use DES, there were many implementations in hardware and eventually software. Therefore it made sense to try and reuse all that experience and code, but just extend it to use a longer key. So the concept of multiple encryption with DES: since DES is vulnerable to brute force, try to reuse DES with a key which is not vulnerable to brute force. And the first approach, or the first idea, is to use double DES. And I'll draw a picture in a moment, or we'll see a picture. Basically, encrypt your plaintext with one key, a 56-bit key, get some output. Then encrypt that again with DES again, but using a different key, another 56-bit key, and you get the eventual ciphertext. The attacker must guess both keys. Both keys are 56 bits, so the attacker must guess a hundred and twelve bit value. So it's effectively doubled the length of the key by using two keys. There's a weakness in that which we'll go through. It's subject to an attack which makes it not very good, makes it not much better than normal DES. Therefore people came up with triple DES: use DES three times. Encrypt with one key, encrypt again with a second key, encrypt again with a third key.
So we use three keys, and it turns out that there are variations of that, you can use it with two different keys or three different keys, and it can lead to the strength that's equivalent to having a hundred and sixty-eight bit key. So we'll lead to that in the next few slides.

Let's look at double DES and see why it's not good. The idea of double DES, or double encryption, not just for DES but any cipher, is: take our plaintext, encrypt using our cipher with key K1, you get some output X. Then encrypt that output X again using a different key K2, then you get your ciphertext. If we consider DES, then the input plaintext is 64 bits, the ciphertext that comes out is 64 bits, and the intermediate value X is 64 bits. In DES K1 is effectively 56 bits, K2 is 56 bits, so the key length is 112 bits. To decrypt, we do the same, but of course opposite: ciphertext, decrypt using K2 first, we get X. Decrypt the X using K1 and you get the final plaintext. So that's the idea of double encryption. Note that X will be the same at both of these points. X is just this intermediate value. Why is X the same? Encrypt the plaintext with K1 and you get X, some value. If you decrypt the ciphertext with K2, it's really going backwards from here. Follow this one backwards, see, if you go backwards using K2 you end up here. So decrypting the ciphertext with K2 will also produce X. And it turns out that's where a weakness is in this approach of double encryption, and what's called a meet-in-the-middle attack can be used.

Let's use an example to illustrate such an attack. We will not do it on DES, of course. We'll do it on some other cipher, just to illustrate the concept of meet-in-the-middle attack. I'll find my example, and let me just look at your handout so I can see what example you have in front of you. You have an example, one page, which is this, if you scroll through a few pages. One table, I'll show it on the screen, called example five bit block cipher. We'll use that for our example.
Let me show the example and just explain it first. So we're not going to use DES, but this same concept of double encryption applies to any block cipher. So I've created a block cipher which is on this table, and we'll use this just to look up the values. The way to read this is that the left column is the plaintext. So if we have some plaintext in, like five zeros; it takes a five-bit block to keep it small. At the top is the possible keys. We have a three-bit key, so there are eight possible keys. And the way to understand how this block cipher works is that we just do a lookup. If we have our plaintext in of five zeros and we encrypt with a key 000, then the plaintext out will be this value. That's the way to understand this block cipher: it specifies, for every possible plaintext, for every possible key, the output ciphertext values. So think of it as a lookup table, and we'll just use it as that, rather than having to understand the details of how to generate these values. I just created them randomly.

For example, you want to encrypt plaintext 00001 with the key 001: you look up that row and column and you get the output ciphertext. So it's just a simple one for reference. Keep it in front of you, and we'll see how that cipher, if we use it in the double mode, can be subject to a meet-in-the-middle attack.

Let's go through an example of this attack. What can we call our cipher? Anyone give it a name? It's not DES, it's some other cipher. The idea... let's call it ABC. All right, Steve was a little bit boring. ABC, even better. The idea is that, so that cipher defined by that table takes plaintext in, and we take, what, five bits plaintext, three-bit key, and produces five bits of ciphertext, and let's call it ABC. Brute force attack, so ignoring how the cipher works, brute force attack, worst case. How many possible keys? Two to the power of three. So
brute force on that would, think about the worst case in this, to compare, it would take two to the power of three operations. Okay, of course, that's easy, but later we'll expand it to DES, where we have, say, 56 bits, and also the double version.

So now let's consider that same cipher, but used in double encryption, where we use it twice. The way that it would be used is like this. We have our ABC. We take our plaintext in; it's also five bits. We encrypt with K1, three bits, and we get a value out. Just for reference, I'll denote it as X. X will be how many bits? Also five bits. So we just use our cipher to look up and find five bits. But then we encrypt again: we apply the same cipher on X and we get out ciphertext, which is five bits, and in the second encryption we use a different key, K2. That's how we use double encryption: encrypt two times, but use a different key each time.

Brute force attack: how many keys does the attacker need to try? Two to the power of six. Okay, two to the power of six. So effectively we have three bits in the first key, three bits in the second key, or an effective length of six bits for our key. There are two to the power of six possible combinations. So let's say the first key was 000; then there are two to the power of three combinations for the second key. And then if the first key was 001, then there is another two to the power of three combinations for the second key. So in total there are two to the power of six keys: two to the power of the key length times two. So that's the idea of doubling encryption.

And I'll just write as a note: if we're using DES, brute force on single DES is two to the power of 56, and on double DES brute force would be two to the power of 112. That's the idea, which is not subject to a brute force attack. Two to the power of 112 is two to the power of 56 times longer than a brute force attack on single DES.
So that is secure. Considered quite secure, to the power of 12. But there's another attack that we'll go through that makes it weak, and the attack is called the meet-in-the-middle attack. I think we can get it started today. Meet in the middle; it's not a man-in-the-middle attack. We'll see that in another topic; there's something called the man-in-the-middle attack. This is the meet-in-the-middle attack. It requires the attacker to know some pairs of plaintext and ciphertext, so it's a known plaintext attack.

So we're attacking this double DES. Let's say we know... what do we know? We know a plaintext ciphertext pair as the attacker, and I'll give you the value that we know. We know this pair; that is, we know that the person with the secret key, the six-bit key effectively, took some plaintext 01101 and encrypted it and got 11111. So we know those values. We don't know the key; that's what we're trying to find. A brute force attack would try all possible keys, but we want to see if we can do an attack which takes fewer attempts, less than two to the power of six, and then we'll apply it to real DES.

So what we do in a meet-in-the-middle attack is, first, we know that there's two operations, the first encrypt and the second. We do a brute force attack on the first operation, that is, on the first key. We'll show you how we obtain the values. Let's consider P1, the plaintext, and let's do a brute force on that using the single version of the cipher. So with the key, how many possible keys are there with a single version of the cipher? With a single version there are eight; it's a three-bit key. I'll list them. What we do as the attacker is take this plaintext and try to encrypt it with every possible key for the single bit version, the single operation version. How do you do that? Look it up in the table. Okay. So what we're doing in terms of our picture as the attacker is here.
We have a plaintext. Let's try every possible value of K1. There are eight possible values, and we'll get eight output values of what we'll say is X. Let's do that first and then see how it helps us. So think of this as the first key value that we get out, and we'll denote the output, we'll call it X11. What's the output when we encrypt 01101 with key 000? You need to look it up here. Okay, so that's the encryption: the 000 is the key, find 01101. It's hard to find; it's here, isn't it? Okay, it's easier to see on your printout. So find the plaintext and look for the key, and you get this value as output. Then in the next key, it's the same plaintext; we'll get this value as output, and so on. We'll get eight different outputs with the eight different keys.

Let's list them. So in fact, we'll get this row of outputs as we encrypt, and so on. So I'll write them down so we have them. What do we get? We'll call this X, the intermediate value, X12, using the second key. Explain the notation in a moment. What do we get? You need to look it up, and I've got the answers in front of me so we don't have to look up all the time. But if you look up, we're just grabbing this row, is that right? 00111. The next one, 10110, and so on, if you look at that row. The last one I'll just write here is, let's call it X18. It's our first value of X, but for the 8th key.

How many operations so far in our attack? Eight operations we did there; we did eight encrypts. So far, we'll keep track: eight operations, or two to the power of three in this case.
We have to try for every three-bit key. We're going to try and do this attack such that it will take us fewer operations than two to the power of six. That's our aim.

So we do that for our plaintext. Now think what we've done in terms of our double cipher: we've taken some plaintext and obtained eight values of X. If we take the corresponding ciphertext, which we know, and we decrypt it, so go back from here with different values of K2, what we should get is, eventually, one of the values of X should match one of the values that we obtained from encrypting. Because for the correct key, when we encrypt using K1 we get the value X, and then we encrypt that value of X with K2 and we get the ciphertext. Therefore if we decrypt the ciphertext with the correct key, we'll get a value of X which is the same as when we encrypt the plaintext with the correct key. We'll see that as we get to the answer, or get to the next step.

So let's decrypt C with different values of K2, and we know the value of C, C1, and let's try all different keys. Actually, I will not write the keys, just to save space; you know them, that we're going to try these eight keys again. Okay, so the keys are the same as here, and when we decrypt 1111 with the first key, what do we get? Look in the table, but go backwards. Decrypt that ciphertext with 000; that is, the key is 000, the ciphertext, look it up in this column, all ones. Is it there? The plaintext when we decrypt should be 10001. Decryption is going in the inverse operation: given the ciphertext, given the key, what was the plaintext? 10001. And in the next case, the same ciphertext, all ones, the second key. Where is it? Somewhere there... here. The plaintext will be 00110. So we're decrypting now. So if we decrypt our five ones with the first key, we'll get the plaintext and we'll call it X21: first key, but the second value of X we've got now. What's the next value?
That's so people understand: decrypt with the second key, ciphertext five ones, key 001, therefore the plaintext must be 00110. And keep going, and I'll write them down. You can confirm what those values are. That's the last one, what we'll call X28.

How many operations then? Another eight, so so far we have 16 operations. Brute force, what did we say, two to the power of six. Two to the power of six is what? Brute force would take 64 operations. So far, we haven't finished yet, but so far we've taken 16 operations: eight encrypts and then eight decrypts.

How do we use that information? Well, the idea is that if we've got the correct value of, this is K1 and K2, then they must produce an X value which is the same, because encrypting with K1 you get X, and decrypting the corresponding ciphertext with K2 you get the same X. So if you've got the correct K1 and K2 you must get an X value which is identical. Let's look in our values of X's that we got. In fact, we'll see several. What do we see? Compare this X with all the X's here. Which ones are the same? Are there any? No, I think this X11 does not appear in this list. What about this X12? Yes, it matches that. We'll see, are there others? No, but what about, I think this one, 0100. Does it appear in this list? Yeah, the last one. And I think there's one more. It's hard to look them up, but this one, does it? Also the last one.

We have three matches: three X values from our encryption also appear in the X values for the decryption. What does that tell us? It tells the attacker that the possible keys are... what have we got? K1 and K2, there are three possible values. K1 could be, what is it here?
001 and K2 100. So it could be that that's the two keys which were used, because with the correct keys the X values must be the same: the result of encrypting one time gives us X, and the result of decrypting the ciphertext must give us the same value. But in this case there are three potential matches. Another possible value of K1 is this 011 and 111, and a third possible value is 100 and also 111. One of those three values is the correct key. We don't know which one yet. We didn't need to do any encrypt or decrypt operations there; we just compared values. So we will not count that as operations.

As the attacker, we need to know now, of those three values, which one's the correct one. How do we do it? We need to know more information. What if we knew another pair of plaintext ciphertext? Let's say we also know a second pair. What if we knew this was true? Then test it with these three keys. That is, take our plaintext P2, encrypt it with 001, take the output, encrypt that with 100. If we get the ciphertext, that's most likely the key; if we don't, it's not the key. Try it. Find which of those three keys is the correct one.

If we take P2 equals 11001, encrypt with K1, the potential K1 of 001, what do we get? Five zeros. Now encrypt five zeros with the potential K2. What do you get? 11011. I think we've found it. Okay, that is, these two values of K1, K2 are correct with respect to our second known pair of plaintext ciphertext. Now, to be sure of these two, we should try the other two, and you can try them. We'll try the second one. What if we used the second key, a second potential pair? That is, we took the same plaintext P2, 11001, but the potential K1 of 011. What do we get? Zero... anyone give me the answer? Encrypt plaintext with this key.
I don't have it in front of me again. One, zero ... 10111. Okay, good. And encrypt that with the potential K2. What do we get? 101. Correct. Is this pair K1 and K2 correct? No, because if they were correct, they must give this value. They don't. Try it with a third potential pair and you'll find that that's not correct as well, leaving us with this one. We've found the key, the six-bit key in this case.

Let's say we try them. I know we've run out of time, but I know you're enjoying it, so let's finish it. K1 was, what is it, 100. X gives us, someone will tell me this value, 001 at the end, and the final C, all zeros. You need to look these up on our table. That of course doesn't match as well, which tells us this set of keys K1, K2 is wrong. The second set was wrong. The first one is correct. In fact, we could have stopped there; it was highly likely that was the correct one.

How many operations here, how many encrypts and decrypts? I think we did another six. Would that be right? One encrypt, one encrypt; we did, in the worst case, six more. Total number of encrypts and decrypts: two to the power of three plus another two to the power of three plus six, 22. And a meet-in-the-middle: two to the power of three plus two to the power of three plus another six, we got 22. Brute force would have taken us 64. We've cut it down to 22.

With double DES, such a meet-in-the-middle attack in general takes two to the power of 56 plus two to the power of 56 plus a few more. We had plus six, but in general it's very few compared to two to the power of 56. Which is approximately two to the power of 57. A meet-in-the-middle attack on double DES takes about two to the power of 57 operations. A brute force attack on single DES takes two to the power of 56 operations. Double DES is twice as strong as single DES. Twice as strong is not very strong: if we can break single DES for $10,000, then we can break double DES for $20,000. That's the idea.
So that's not a good improvement. Double DES is subject to a meet-in-the-middle attack. Out of time. Have a look at some of those steps; make sure you can look them up on this table, just to understand what was happening for the encryption. And maybe we'll just summarize that in the lecture next week.
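
The attack walked through in this lecture, as an added example that is not the lecturer's code: it builds a 5-bit-block, 3-bit-key lookup-table cipher, runs the meet-in-the-middle steps against double encryption, and counts single-cipher operations the way the lecture does. The table is a constructed random stand-in for the handout's table (so its ciphertexts differ from the lecture's), and the secret key pair and the third plaintext are constructed for the demonstration.

```python
import random

NKEYS, NBLOCKS = 2 ** 3, 2 ** 5   # 3-bit key, 5-bit block, as in the lecture

def build_toy_cipher(seed=1):
    """Constructed table: one random permutation of the 32 blocks per key."""
    rng = random.Random(seed)
    enc = []
    for _ in range(NKEYS):
        perm = list(range(NBLOCKS))
        rng.shuffle(perm)
        enc.append(perm)                       # enc[k][p] -> c
    # Inverse tables for "looking it up backwards": dec[k][c] -> p
    dec = [[perm.index(c) for c in range(NBLOCKS)] for perm in enc]
    return enc, dec

def double_encrypt(enc, k1, k2, p):
    return enc[k2][enc[k1][p]]

def meet_in_the_middle(enc, dec, pairs):
    """Return (surviving (k1, k2) candidates, single-cipher operations used)."""
    (p1, c1), extra = pairs[0], pairs[1:]
    ops = 0
    forward = {}                               # X -> every K1 with E(K1, P1) = X
    for k1 in range(NKEYS):
        forward.setdefault(enc[k1][p1], []).append(k1)
        ops += 1
    candidates = []
    for k2 in range(NKEYS):                    # D(K2, C1) must land on the same X
        x = dec[k2][c1]
        ops += 1
        candidates += [(k1, k2) for k1 in forward.get(x, [])]
    for p, c in extra:                         # each check costs two encryptions
        ops += 2 * len(candidates)
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(enc, k1, k2, p) == c]
    return candidates, ops

def brute_force(enc, pairs):
    """Try all 64 key pairs, for comparison with the attack's result."""
    return [(k1, k2) for k1 in range(NKEYS) for k2 in range(NKEYS)
            if all(double_encrypt(enc, k1, k2, p) == c for p, c in pairs)]

def demo():
    enc, dec = build_toy_cipher()
    secret = (0b001, 0b100)                    # constructed secret key pair
    plaintexts = [0b01101, 0b11001, 0b00000]   # third plaintext is constructed
    pairs = [(p, double_encrypt(enc, *secret, p)) for p in plaintexts]
    found, ops = meet_in_the_middle(enc, dec, pairs)
    return secret, found, ops, brute_force(enc, pairs)

if __name__ == "__main__":
    secret, found, ops, _ = demo()
    print(f"secret={secret} candidates={found} ops={ops} (brute force: {NKEYS ** 2} key pairs)")
```

The dictionary keyed on X replaces comparing the two lists of intermediate values by eye; the comparison itself is not counted as an operation, matching the lecture's tally.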