January 17, 2012
Cryptography and Network Security
Lecture 3: Block ciphers and DES
Ion Petre
Department of IT, Åbo Akademi University
Spring 2012
http://users.abo.fi/ipetre/crypto/

Data Encryption Standard
• We focus now on the most widely used symmetric cipher: DES
  – DES has been replaced by AES as a standard
  – We will use DES to illustrate the principles of modern symmetric ciphers
• Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST
• Originates from an IBM project from the late 1960s led by Feistel
  – The project ended in 1971 with the development of LUCIFER (key 128 bits)
  – LUCIFER was then refined with the help of NSA to produce DES (key 56 bits)
• Immediate criticism: the reduction in key length was enormous and the internal details of the design were (and remained) classified information
• 1994: DES is reaffirmed as a standard for 5 more years
• 1999: DES should only be used for legacy systems and 3DES should replace it

Block cipher principles
• A stream cipher is one that encrypts a digital data stream one bit (or byte) at a time
  – Example: autokey Vigenère system
• A block cipher is one in which the plaintext is divided into blocks and one block is encrypted at a time, producing a ciphertext of equal length
  – Similar to substitution ciphers on very big characters: 64 bits or 128 bits are typical block lengths
• Many modern ciphers are block ciphers

Principle: Substitution-Permutation Ciphers
• Claude Shannon (1949) introduced the idea of substitution-permutation (S-P) networks
  – These form the basis for modern substitution-transposition product ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)
• The goal is to provide confusion and diffusion of the message

Confusion and Diffusion
• A cipher needs to completely obscure the statistical properties of the original message
  – A one-time pad does this
• More practically, Shannon (1949) suggested combining elements to obtain:
• Diffusion – dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  – Makes the statistical relationship between plaintext and ciphertext as complex as possible
  – Achieved by requiring that every digit of the plaintext affects many digits of the ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the plaintext)
• Confusion – makes the relationship between ciphertext and key as complex as possible
  – Makes it difficult to discover the key starting from the ciphertext
• The principles of confusion and diffusion are the most essential concepts in the design of modern block ciphers – they defend against statistical attacks

Feistel Cipher Structure
• Most modern block encryption algorithms use the Feistel structure
  – Horst Feistel was the leader of the IBM team that worked in the late 1960s on LUCIFER
  – He devised the so-called “Feistel cipher”
• Algorithm structure – perform n rounds, each round has the following structure (for encryption and decryption):
  – Input is of length 2w (bits), key is K
  – Divide the input into two halves L_0 and R_0
  – L_1 = R_0, R_1 = L_0 ⊕ f(R_0, K)
  – In the next round use (L_1, R_1) instead of (L_0, R_0), etc.
• Function f is the same in all rounds but uses a different subkey in each round – the subkey of each round is generated from the key

[Figure: Feistel Cipher Structure]

Feistel Cipher Design Principles
• block size
  – increasing size improves security, but slows cipher
• key size
  – increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds
  – increasing number improves security, but slows cipher
• subkey generation
  – greater complexity can make analysis harder, but slows cipher
• round function
  – greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
  – are more recent concerns for practical use and testing

[Figure: Feistel cipher, decryption vs. encryption: the same algorithm (with keys in reverse order)]

Feistel decryption
• Decryption is the same as encryption and does not require any property for function f (not even to be invertible)
• LD/RD – left/right half in the decryption algorithm
• LE/RE – left/right half in the encryption algorithm
• ⊕ denotes XOR: 0⊕0=0, 1⊕1=0, 0⊕1=1⊕0=1

Decryption
• Input: the ciphertext (LD_0, RD_0) = (RE_16, LE_16)
• Round i (1 to 16) performs on input (LD_{i-1}, RD_{i-1}) the operations:
  – LD_i = RD_{i-1}, RD_i = LD_{i-1} ⊕ f(RD_{i-1}, K_{16-i+1})
  – This is the input to the next round
• The key of round i is K_{16-i+1}
• This algorithm is CORRECT – after round i we have LD_i = RE_{16-i}, RD_i = LE_{16-i}
• PROOF:
  • Input to the first round:
    – LD_0 = RE_16, RD_0 = LE_16
  • Induction: assume it holds for i-1, prove it for i
    – LD_{i-1} = RE_{16-i+1}, RD_{i-1} = LE_{16-i+1}
  • Then:
    – LD_i = RD_{i-1} = LE_{16-i+1} = RE_{16-i}
    – RD_i = LD_{i-1} ⊕ f(RD_{i-1}, K_{16-i+1}) = RE_{16-i+1} ⊕ f(LE_{16-i+1}, K_{16-i+1}) = (LE_{16-i} ⊕ f(RE_{16-i}, K_{16-i+1})) ⊕ f(RE_{16-i}, K_{16-i+1}) = LE_{16-i}
    – Result: (RE_{16-i}, LE_{16-i})
• Output: the plaintext (RD_16, LD_16) = (LE_0, RE_0)

Encryption
• Input: the plaintext (LE_0, RE_0)
• Round i (1 to 16) performs on input (LE_{i-1}, RE_{i-1}) the operations:
  – LE_i = RE_{i-1}, RE_i = LE_{i-1} ⊕ f(RE_{i-1}, K_i)
  – This is the input to the next round
• The key of round i is K_i
• Output: the ciphertext (RE_16, LE_16)
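
The Feistel round structure and the decryption invariant from the proof above, as an added Python example (not part of the original slides). The round function `f`, the 32-bit half width and the sixteen round keys are constructed for illustration; `f` is a truncated hash, so it is deliberately not invertible.

```python
import hashlib

W = 32                       # half-block width in bits (assumption: 64-bit block)
MASK = (1 << W) - 1
ROUNDS = 16

# Constructed 48-bit round keys K_1..K_16 (illustrative, not a real key schedule).
ROUND_KEYS = [(0x0123456789AB * (2 * i + 1)) & 0xFFFFFFFFFFFF for i in range(ROUNDS)]


def f(r, k):
    """Toy round function: truncated SHA-256 of (R, K). Many-to-one, not invertible."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel_trace(left, right, keys):
    """Return [(L_0, R_0), ..., (L_n, R_n)] where
    L_i = R_{i-1} and R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    trace = [(left, right)]
    for k in keys:
        left, right = right, left ^ f(right, k)
        trace.append((left, right))
    return trace


def feistel(block, keys):
    """Run all rounds on one 64-bit block and output the swapped halves (R_n, L_n)."""
    l_n, r_n = feistel_trace(block >> W, block & MASK, keys)[-1]
    return (r_n << W) | l_n


def encrypt(block, keys=ROUND_KEYS):
    return feistel(block, keys)


def decrypt(block, keys=ROUND_KEYS):
    # Same algorithm, round keys in reverse order; f is never inverted.
    return feistel(block, keys[::-1])


def invariant_holds(block, keys=ROUND_KEYS):
    """Check the proof's claim: after decryption round i,
    (LD_i, RD_i) == (RE_{n-i}, LE_{n-i}) for every i in 0..n."""
    n = len(keys)
    enc = feistel_trace(block >> W, block & MASK, keys)
    le_n, re_n = enc[-1]
    dec = feistel_trace(re_n, le_n, keys[::-1])
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))


if __name__ == "__main__":
    p = 0x0123456789ABCDEF   # constructed sample block
    c = encrypt(p)
    print(f"plaintext  {p:016x}")
    print(f"ciphertext {c:016x}")
    print(f"decrypted  {decrypt(c):016x}")
    print("invariant holds:", invariant_holds(p))
```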

DES
• DES encryption/decryption
• Strength of DES
• Design principles
• Cryptanalysis

DES encryption scheme
• The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
• Then follow 16 identical rounds – in each round a different subkey is used; each subkey is generated from the key
• After round 16, swap the left half with the right half
• Apply the inverse of the initial permutation, IP^-1 (on 64 bits)

[Figure: DES encryption scheme]

[Table: Initial permutation and its inverse]

Details of a single round of DES
• Consider L the left half of the input to the round and R its right half – each of them has 32 bits
• As in any Feistel cipher the overall processing is
  L_i = R_{i-1}, R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• The round subkey K_i has 48 bits (details later on how it is generated)
• R is expanded from 32 to 48 bits using an “expansion permutation” E – this is a table that defines a permutation, duplicating at the same time 16 of the bits in R
• These 48 bits are XORed with the subkey K_i
• The 48-bit result passes through a substitution function that produces a 32-bit output
• Then apply a permutation P

[Figure: A single round of DES]

[Figure: The scheme of the function F(R,K) in DES]

[Figure: Details of a single round of DES]

The substitutions in the DES rounds: S-boxes
• There are 8 S-boxes, each of them accepting a 6-bit input and producing a 4-bit output
• The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
  – The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3)
  – The middle four bits select the column of the S-box (columns are from 0 to 15)
  – The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output

Definition of S-boxes
• Example: consider the input 011001 to S-box S1
  – The row is given by the first and last bits of 011001: 01 (i.e. 1)
  – The column is given by the middle four bits of 011001: 1100 (i.e. 12)
  – The value in the selected cell is 9
  – Output is 1001
• Note that each row of each S-box is in fact an invertible substitution on 4 bits (a permutation of the numbers from 0 to 15)
• Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext

Subkey generation
• The general scheme of DES shows that a 64-bit key is used – the bits of the key are numbered from 1 to 64.
• The algorithm ignores every 8th bit – thus, the key for DES is effectively 56 bits long
• Before round 1 of DES, the key is permuted according to a table labeled Permuted Choice One (see next slide) – the resulting 56-bit key is split into its two 28-bit halves labeled C_0 and D_0
• In each round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to the next round
• The shifted values serve as input to Permuted Choice Two (see next slide), which produces a 48-bit output: the subkey of the current round

DES decryption
• Like in any Feistel cipher, decryption works just like encryption with the subkeys used in reverse order

Analysis of DES
• Avalanche effect: this is a desirable property of any encryption algorithm
  – A small change (even 1 bit) in the plaintext should produce a significant change in the ciphertext
    Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
  – A small change (even 1 bit) in the key should produce a significant change in the ciphertext
    Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext

Strength of DES
• Two main concerns with DES: the length of the key and the nature of the algorithm
• The key is rather short: 56 bits – there are 2^56 possible keys, around 7.2 x 10^16
  – On average, only half of the keys have to be tried to break the system
  – In principle it should take a long time to break the system
  – Things are quicker with dedicated hardware: 1998 – a special machine was built for less than 250 000 $, breaking DES in less than 3 days; 2006 – estimates are that hardware costing around 20.000$ may break DES within a day
• DES has no export restrictions from NSA!
  – A 40-bit RC4 key is also insecure
  – 128-bit keys seem to be secure
• Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system: we have to recognize the plaintext when we find it
  – This is not trivial if the file is binary, compressed, etc.
  – Automated procedures to do that are needed (and indeed some exist)

Strength of DES
• Nature of the algorithm
  – There has always been a concern about the design of DES, especially about the design of the S-boxes – perhaps they have been designed in such a way as to ensure a trapdoor to the algorithm – break it without having to search for the key
  – The design criteria for the S-boxes (and for the rest of the algorithm) have been classified information and NSA was involved in the design
  – Many regularities and unexpected behavior of the S-boxes have been reported
  – On the other hand, changing the S-boxes slightly seems to weaken the algorithm
  – No fatal weaknesses in the S-boxes have been (publicly) reported so far

Cryptanalysis of DES
• There are ways to break DES significantly quicker than with the brute-force attack: differential and linear cryptanalysis
• Differential cryptanalysis
  – Published in the open literature after 1990: Murphy and then Biham and Shamir (published a book on this)
  – Idea: knowing the XOR of the message halves before and after a round, one may try to deduce the subkey used in that round
  – DES can be broken in 2^47 steps, requiring 2^47 chosen plaintexts
  – The need for so many chosen plaintexts makes its applicability limited
  – This attack seems to have been known to the DES design team and NSA 20 years before it was published in the open literature!
• Linear cryptanalysis
  – More recent attack (Matsui, 1993): find linear approximations to describe the transformations in DES
  – Can find the DES key given 2^47 known plaintexts
  – Still an impractical method

DES cryptanalysis chronology (Wikipedia)
• July 1990: Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.
• 1992: Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts.
• 1994: The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
• June 1997: The DESCHALL Project breaks a message encrypted with DES for the first time in public.
• July 1998: The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
• January 1999: Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
• November 2001: The Advanced Encryption Standard is published in FIPS 197.
• May 2002: The AES standard becomes effective.
• May 2005: NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96).
• April 2006: The FPGA-based parallel machine COPACOBANA of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at $10,000 hardware cost. Within a year software improvements reduced the average time to 6.4 days.
• November 2008: The successor of COPACOBANA, the RIVYERA machine, reduced the average time to less than one single day.

More Related Content

Similar to sheet4.pdf

cryptography and network security chap 3
cryptography and network security chap 3cryptography and network security chap 3
cryptography and network security chap 3Debanjan Bhattacharya
 
Module 1-Block Ciphers and the Data Encryption Standard.pptx
Module 1-Block Ciphers and the Data Encryption Standard.pptxModule 1-Block Ciphers and the Data Encryption Standard.pptx
Module 1-Block Ciphers and the Data Encryption Standard.pptxSridharCS7
 
Medern Symmetric -Key Ciphers (AES, DES)
Medern Symmetric -Key Ciphers (AES, DES)Medern Symmetric -Key Ciphers (AES, DES)
Medern Symmetric -Key Ciphers (AES, DES)maharajdey
 
Chapter 3-block-cipher-des1
Chapter 3-block-cipher-des1Chapter 3-block-cipher-des1
Chapter 3-block-cipher-des1Shiraz316
 
Data Encryption Standards (1).pptx
Data Encryption Standards (1).pptxData Encryption Standards (1).pptx
Data Encryption Standards (1).pptxSanthosh Prabhu
 
Using Cipher Key to Generate Dynamic S-Box in AES Cipher System
Using Cipher Key to Generate Dynamic S-Box in AES Cipher SystemUsing Cipher Key to Generate Dynamic S-Box in AES Cipher System
Using Cipher Key to Generate Dynamic S-Box in AES Cipher SystemCSCJournals
 
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdfNAWAZURREHMANAWAN
 

Similar to sheet4.pdf (20)

cryptography and network security chap 3
cryptography and network security chap 3cryptography and network security chap 3
cryptography and network security chap 3
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
CNS2 unit 2.pdf
CNS2 unit 2.pdfCNS2 unit 2.pdf
CNS2 unit 2.pdf
 
Module 1-Block Ciphers and the Data Encryption Standard.pptx
Module 1-Block Ciphers and the Data Encryption Standard.pptxModule 1-Block Ciphers and the Data Encryption Standard.pptx
Module 1-Block Ciphers and the Data Encryption Standard.pptx
 
Medern Symmetric -Key Ciphers (AES, DES)
Medern Symmetric -Key Ciphers (AES, DES)Medern Symmetric -Key Ciphers (AES, DES)
Medern Symmetric -Key Ciphers (AES, DES)
 
Unit 2
Unit 2Unit 2
Unit 2
 
Renas Rajab Asaad
Renas Rajab AsaadRenas Rajab Asaad
Renas Rajab Asaad
 
Chapter 3-block-cipher-des1
Chapter 3-block-cipher-des1Chapter 3-block-cipher-des1
Chapter 3-block-cipher-des1
 
icwet1097
icwet1097icwet1097
icwet1097
 
DES.ppt
DES.pptDES.ppt
DES.ppt
 
section-8.ppt
section-8.pptsection-8.ppt
section-8.ppt
 
Data Encryption Standards (1).pptx
Data Encryption Standards (1).pptxData Encryption Standards (1).pptx
Data Encryption Standards (1).pptx
 
sheet7.pdf
sheet7.pdfsheet7.pdf
sheet7.pdf
 
paper7.pdf
paper7.pdfpaper7.pdf
paper7.pdf
 
lecture6.pdf
lecture6.pdflecture6.pdf
lecture6.pdf
 
doc7.pdf
doc7.pdfdoc7.pdf
doc7.pdf
 
1 DES.pdf
1 DES.pdf1 DES.pdf
1 DES.pdf
 
Using Cipher Key to Generate Dynamic S-Box in AES Cipher System
Using Cipher Key to Generate Dynamic S-Box in AES Cipher SystemUsing Cipher Key to Generate Dynamic S-Box in AES Cipher System
Using Cipher Key to Generate Dynamic S-Box in AES Cipher System
 
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf
4-BlockCipher-DES-CEN451-BSE-Spring2022-17042022-104521am.pdf
 
Cyber security
Cyber securityCyber security
Cyber security
 

More from aminasouyah (20)

paper10.pdf
paper10.pdfpaper10.pdf
paper10.pdf
 
paper9.pdf
paper9.pdfpaper9.pdf
paper9.pdf
 
paper8.pdf
paper8.pdfpaper8.pdf
paper8.pdf
 
paper6.pdf
paper6.pdfpaper6.pdf
paper6.pdf
 
paper5.pdf
paper5.pdfpaper5.pdf
paper5.pdf
 
paper4.pdf
paper4.pdfpaper4.pdf
paper4.pdf
 
paper3.pdf
paper3.pdfpaper3.pdf
paper3.pdf
 
paper2.pdf
paper2.pdfpaper2.pdf
paper2.pdf
 
paper1.pdf
paper1.pdfpaper1.pdf
paper1.pdf
 
sheet6.pdf
sheet6.pdfsheet6.pdf
sheet6.pdf
 
sheet5.pdf
sheet5.pdfsheet5.pdf
sheet5.pdf
 
sheet3.pdf
sheet3.pdfsheet3.pdf
sheet3.pdf
 
sheet2.pdf
sheet2.pdfsheet2.pdf
sheet2.pdf
 
sheet1.pdf
sheet1.pdfsheet1.pdf
sheet1.pdf
 
doc4.pdf
doc4.pdfdoc4.pdf
doc4.pdf
 
doc6.pdf
doc6.pdfdoc6.pdf
doc6.pdf
 
doc5.pdf
doc5.pdfdoc5.pdf
doc5.pdf
 
doc5.pdf
doc5.pdfdoc5.pdf
doc5.pdf
 
doc4.pdf
doc4.pdfdoc4.pdf
doc4.pdf
 
doc3.pdf
doc3.pdfdoc3.pdf
doc3.pdf
 

Recently uploaded

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 

Recently uploaded (20)

The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 

sheet4.pdf

  • 1. January 17, 2012 1 Cryptography and Network Security Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University Spring 2012 http://users.abo.fi/ipetre/crypto/
  • 2. January 17, 2012 2 Data Encryption Standard  We focus now on the most widely used symmetric cipher: DES  DES has been replaced by AES as a standard  We will use DES to illustrate the principles of modern symmetric ciphers  Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST  Originates from an IBM project from late 1960s led by Feistel  Project ended in 1971 with the development of LUCIFER (key 128 bits)  LUCIFER was then refined with the help of NSA to produce DES (key 56 bits)  Immediate criticism: the reduction in key length was enormous and the internal details of the design were (and remained) classified information  1994: DES is reaffirmed as a standard for 5 more years  1999: DES should only be used for legacy systems and 3DES should replace it
  • 3. January 17, 2012 3 Block cipher principles  Stream cipher is one that encrypts a digital data stream one bit (or byte) at a time  Example: autokey Vigenère system  Block cipher is one in which the plaintext is divided in blocks and one block is encrypted at one time producing a ciphertext of equal length  Similar to substitution ciphers on very big characters: 64 bits or 128 bits are typical block lengths  Many modern ciphers are block ciphers
  • 4. January 17, 2012 4 Principle: Substitution-Permutation Ciphers  Claude Shannon (1949) introduced idea of substitution-permutation (S-P) networks  These form the basis for modern substitution-transposition product cipher  S-P networks are based on the two primitive cryptographic operations we have seen before:  substitution (S-box)  permutation (P-box)  The goal is to provide confusion and diffusion of message
  • 5. January 17, 2012 5 Confusion and Diffusion  Cipher need to completely obscure statistical properties of original message  A one-time pad does this  More practically Shannon (1949) suggested to combine elements to obtain:  Diffusion – dissipates statistical structure of plaintext over bulk of ciphertext  Makes the statistical relationship plaintext - ciphertext as complex as possible  Achieved by requiring that every digit of the plaintext affects many digits of the ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the plaintext)  Confusion – makes relationship between ciphertext and key as complex as possible  Makes it difficult to discover the key starting from the ciphertext  The principles of confusion and diffusion are the most essential concepts in the design of modern block ciphers – they defend against statistical attacks
  • 6. January 17, 2012 6 Feistel Cipher Structure  Most modern block encryption algorithms use the Feistel structure  Horst Feistel was the leader of the IBM team that worked in late 1960s on LUCIFER  He devised the so-called “feistel cipher”  Algorithm structure – perform n rounds, each round has the following structure (for encryption and decryption):  Input is of length 2w (bits), key is K  Divide the input into two halves L0 and R0  L1= R0, R1=L0 ⊕ f(R0,K)  In the next round use (L1, R1) instead of (L0, R0), etc.  Function f is the same in all rounds but uses a different subkey in each round – the subkey of each round is generated from the key
  • 7. Feistel Cipher Structure (figure)
  • 8. Feistel Cipher Design Principles
      • block size
          • increasing size improves security, but slows cipher
      • key size
          • increasing size improves security, makes exhaustive key searching harder, but may slow cipher
      • number of rounds
          • increasing number improves security, but slows cipher
      • subkey generation
          • greater complexity can make analysis harder, but slows cipher
      • round function
          • greater complexity can make analysis harder, but slows cipher
      • fast software en/decryption & ease of analysis
          • are more recent concerns for practical use and testing
  • 9. Feistel Cipher Decryption vs Encryption: the same algorithm (with keys in reverse order) (figure)
  • 10. Feistel decryption
      • Decryption is the same as encryption and does not require any property of the function f (it need not even be invertible)
      • LD/RD – left/right half in the decryption algorithm
      • LE/RE – left/right half in the encryption algorithm
      • ⊕ denotes XOR: 0⊕0=0, 1⊕1=0, 0⊕1=1⊕0=1
      • Encryption
          • Input: the plaintext (LE_0, RE_0)
          • Round i (1 to 16) performs on input (LE_{i-1}, RE_{i-1}) the operations:
              • LE_i = RE_{i-1}, RE_i = LE_{i-1} ⊕ f(RE_{i-1}, K_i)
              • This is the input to the next round
          • The key of round i is K_i
          • Output: the ciphertext (RE_16, LE_16)
      • Decryption
          • Input: the ciphertext (LD_0, RD_0) = (RE_16, LE_16)
          • Round i (1 to 16) performs on input (LD_{i-1}, RD_{i-1}) the operations:
              • LD_i = RD_{i-1}, RD_i = LD_{i-1} ⊕ f(RD_{i-1}, K_{16-i+1})
              • This is the input to the next round
          • The key of round i is K_{16-i+1}
          • This algorithm is correct: after round i we have LD_i = RE_{16-i}, RD_i = LE_{16-i}
          • Proof:
              • Input to the first round: LD_0 = RE_16, RD_0 = LE_16
              • Induction: assume it holds for i-1, prove it for i
              • LD_{i-1} = RE_{16-i+1}, RD_{i-1} = LE_{16-i+1}. Then:
              • LD_i = RD_{i-1} = LE_{16-i+1} = RE_{16-i}
              • RD_i = LD_{i-1} ⊕ f(RD_{i-1}, K_{16-i+1}) = RE_{16-i+1} ⊕ f(LE_{16-i+1}, K_{16-i+1}) = (LE_{16-i} ⊕ f(RE_{16-i}, K_{16-i+1})) ⊕ f(RE_{16-i}, K_{16-i+1}) = LE_{16-i}
              • Result: (RE_{16-i}, LE_{16-i})
          • Output: the plaintext (RD_16, LD_16) = (LE_0, RE_0)
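The Feistel structure and the decryption argument of slides 6-10, as an added Python example (not part of the lecture): a 16-round Feistel network on 64-bit blocks whose round function is a truncated hash, hence not invertible, decrypted by running the same code with the subkeys reversed. The round function `f`, the key schedule `toy_subkeys` and the sample key are assumptions made for this illustration; this is a toy cipher, not DES.

```python
import hashlib

W = 32                      # half-block width w; the block is 2w = 64 bits
MASK = (1 << W) - 1

def f(r, k):
    """Round function: a truncated hash, so it is deliberately NOT invertible."""
    data = r.to_bytes(4, "big") + k.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def toy_subkeys(key, rounds=16):
    """Hypothetical key schedule: subkey K_i is a hash of the key and i."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:8], "big")
            for i in range(1, rounds + 1)]

def feistel(block, subkeys):
    l, r = block >> W, block & MASK
    for k in subkeys:            # L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
        l, r = r, l ^ f(r, k)
    return (r << W) | l          # output (R_n, L_n): the final swap

def encrypt(block, key, rounds=16):
    return feistel(block, toy_subkeys(key, rounds))

def decrypt(block, key, rounds=16):
    # Same algorithm as encryption, subkeys in reverse order.
    return feistel(block, toy_subkeys(key, rounds)[::-1])

def avalanche(key, rounds):
    """Ciphertext bits that differ when only the first plaintext bit is flipped."""
    return bin(encrypt(0, key, rounds) ^ encrypt(1 << 63, key, rounds)).count("1")

KEY = b"constructed demo key"    # constructed sample key

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, KEY)
    print(f"ciphertext {ct:016x}, decrypts back: {decrypt(ct, KEY) == pt}")
    for n in (1, 2, 4, 16):
        print(f"{n:2d} rounds: {avalanche(KEY, n)} of 64 bits differ")
```

With a single round the one-bit plaintext difference survives as a one-bit ciphertext difference; diffusion only appears as rounds are added, which is why the number of rounds is a security parameter.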
  • 11. DES
      • DES encryption/decryption
      • Strength of DES
      • Design principles
      • Cryptanalysis
  • 12. DES encryption scheme
      • The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
      • Then follow 16 identical rounds – in each round a different subkey is used; each subkey is generated from the key
      • After round 16, swap the left half with the right half
      • Apply the inverse of the initial permutation, IP^-1 (on 64 bits)
  • 13. DES encryption scheme
  • 14. Initial permutation and its inverse
  • 15. Details of a single round of DES
      • Consider L the left half of the input to the round and R its right half – each of them has 32 bits
      • As in any Feistel cipher, the overall processing is L_i = R_{i-1}, R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
      • The round subkey K_i has 48 bits (details later on how it is generated)
      • R is expanded from 32 to 48 bits using an “expansion permutation” E – this is a table that defines a permutation, duplicating at the same time 16 of the bits in R
      • These 48 bits are XORed with the subkey K_i
      • The 48-bit result passes through a substitution function that produces a 32-bit output
      • Then apply a permutation P
  • 16. A single round of DES
  • 17. The scheme of the function F(R,K) in DES
  • 18. Details of a single round of DES
  • 19. The substitutions in the DES rounds: S-boxes
      • There are 8 S-boxes, each of them accepting a 6-bit input and producing a 4-bit output
      • The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
          • The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3)
          • The middle four bits select the column of the S-box (columns are from 0 to 15)
          • The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output
  • 20. Definition of S-boxes
      • Example: consider the input 011001 to S-box S1
          • The row is selected by the first and last bits of 011001: 01 (i.e. 1)
          • The column is selected by the middle four bits of 011001: 1100 (i.e. 12)
          • The value in the selected cell is 9
          • Output is 1001
      • Note that each row of each S-box is in fact an invertible substitution on 4 bits (a permutation of the numbers from 0 to 15)
      • Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext
  • 21. Subkey generation
      • The general scheme of DES shows that a 64-bit key is used – the bits of the key are numbered from 1 to 64
      • The algorithm ignores every 8th bit – thus, the key for DES is effectively 56 bits long
      • Before round 1 of DES, the key is permuted according to a table labeled Permuted Choice One (see next slide) – the resulting 56-bit key is split into its two 28-bit halves labeled C_0 and D_0
      • In each round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be the input to the next round
      • The shifted values serve as input to Permuted Choice Two (see next slide), which produces a 48-bit output: the subkey of the current round
  • 22. Subkey generation
      • The general scheme of DES shows that a 64-bit key is used – the bits of the key are numbered from 1 to 64
      • The algorithm ignores every 8th bit – thus, the key for DES is effectively 56 bits long
      • Before round 1 of DES, the key is permuted according to a table labeled Permuted Choice One – the resulting 56-bit key is split into its two 28-bit halves labeled C_0 and D_0
      • In each round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be the input to the next round
      • The shifted values serve as input to Permuted Choice Two, which produces a 48-bit output: the subkey of the current round
  • 23. DES decryption
      • As in any Feistel cipher, decryption works just like encryption with the subkeys used in reverse order
  • 24. Analysis of DES
      • Avalanche effect: this is a desirable property of any encryption algorithm
          • A small change (even 1 bit) in the plaintext should produce a significant change in the ciphertext
              • Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
          • A small change (even 1 bit) in the key should produce a significant change in the ciphertext
              • Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext
  • 25. Strength of DES
      • Two main concerns with DES: the length of the key and the nature of the algorithm
      • The key is rather short: 56 bits – there are 2^56 possible keys, around 7.2 x 10^16
          • On average, only half of the keys have to be tried to break the system
          • In principle it should take a long time to break the system
          • Things are quicker with dedicated hardware: 1998 – a special machine was built for less than $250,000, breaking DES in less than 3 days; 2006 – estimates are that hardware costing around $20,000 may break DES within a day
      • DES has no export restrictions from NSA!
          • 40-bit RC4 key is also insecure
          • 128-bit keys seem to be secure
      • Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system, i.e. we have to recognize the plaintext when we find it
          • This is not trivial if the file is binary, compressed, etc.
          • Automated procedures to do that are needed (and indeed some exist)
  • 26. Strength of DES
      • Nature of the algorithm
          • There has always been a concern about the design of DES, especially about the design of the S-boxes – perhaps they were designed in such a way as to ensure a trapdoor to the algorithm, i.e. a way to break it without having to search for the key
          • The design criteria for the S-boxes (and for the rest of the algorithm) have been classified information and NSA was involved in the design
          • Many regularities and unexpected behavior of the S-boxes have been reported
          • On the other hand, changing the S-boxes slightly seems to weaken the algorithm
          • No fatal weaknesses in the S-boxes have been (publicly) reported so far
  • 27. Cryptanalysis of DES
      • There are ways to break DES significantly quicker than with the brute-force attack: differential and linear cryptanalysis
      • Differential cryptanalysis
          • Published in the open literature after 1990: Murphy and then Biham and Shamir (who published a book on this)
          • Idea: knowing the XOR of the message halves before and after a round, one may try to deduce the subkey used in that round
          • DES can be broken in 2^47 steps, requiring 2^47 chosen plaintexts
          • The need for so many chosen plaintexts limits its applicability
          • This attack seems to have been known to the DES design team and NSA 20 years before it was published in the open literature!
      • Linear cryptanalysis
          • More recent attack (Matsui, 1993): find linear approximations to describe the transformations in DES
          • Can find the DES key given 2^47 known plaintexts
          • Still an impractical method
  • 28. DES cryptanalysis chronology (Wikipedia)
      • July 1990: Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.
      • 1992: Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts.
      • 1994: The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
      • June 1997: The DESCHALL Project breaks a message encrypted with DES for the first time in public.
      • July 1998: The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
      • January 1999: Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
      • November 2001: The Advanced Encryption Standard is published in FIPS 197.
      • May 2002: The AES standard becomes effective.
      • May 2005: NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96).
      • April 2006: The FPGA-based parallel machine COPACOBANA of the Universities of Bochum and Kiel, Germany, breaks DES in 9 days at $10,000 hardware cost. Within a year software improvements reduced the average time to 6.4 days.
      • November 2008: The successor of COPACOBANA, the RIVYERA machine, reduced the average time to less than one single day.