Outline for April 16, 1997

1. Greetings and Felicitations
   1. Remember, talks about what you could do are at the end of this week
2. History
   1. IBM did Lucifer, submitted it in response to NIST CFP
   2. NIST (really, NSA) suggested some minor changes; major one was to make key 56 bits, not 112.
3. Show the cipher
   1. Product cipher with 64 bits in, 64 bits out, and 16 48-bit round keys generated from 56 bit key
   2. Note S-boxes are real heart of algorithm
4. Known attacks and weaknesses
   1. Complementation property: DES_k(m) = (DES_k'(m'))' where x' is the bitwise complement of x;
   2. Weak, semiweak keys
   3. If it's a group, multiple encipherment worthless (as group is closed under composition)
   4. differential cryptanalysis: first version unusable as at 16 rounds, more plaintext/ciphertext pairs needed than exhaustive key trial; but for 15 rounds, cuts this time. Later versions cut it to 2⁴⁷ tries. Works by comparing xors of results with xors of corresponding plaintext.. Designers of DES knew about this one, hence the design of the S-boxes
   5. linear cryptanalysis drops required chosen plaintext/ciphertext pairs to 2⁴²; not known to designers of DES.
5. DES Modes
   1. ECB
   2. CBC
   3. note that OFB and CFB exist, essentially use DES as a pseudorandom bitstream generator; OFB feeds back before xor, CFB after
   4. Triple DES and EDE mode