Gaspare FERRARO
CybersecNatLab
Matteo ROSSI
Politecnico di Torino
Block Ciphers
https://cybersecnatlab.it
License & Disclaimer
License Information
This presentation is licensed under the Creative Commons BY-NC License
To view a copy of the license, visit: http://creativecommons.org/licenses/by-nc/3.0/legalcode
Disclaimer
➢ We disclaim any warranties or representations as to the accuracy or completeness of this material.
➢ Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement.
➢ Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material.
© CINI – 2021 Rel. 14.03.2021
Goal
➢ Introduce the definitions and concepts of block ciphers
➢ Present the functioning and vulnerabilities of the two standard block ciphers DES and AES
Prerequisites
➢ Lecture:
  ➢ CR_1.2 – XOR Cipher
Outline
➢ Block Ciphers General Structure
➢ The Data Encryption Standard
➢ Weaknesses of DES and the introduction of 3DES
➢ The Advanced Encryption Standard
Introduction
➢ A block cipher is an algorithm that allows the encryption of blocks of fixed length
[Diagram: the 𝑛-bit message 𝑚 and the encryption key 𝑘 enter the block cipher, which outputs the 𝑛-bit ciphertext 𝑐]
➢ The length 𝑛 of a message block is called the blocksize of the cipher
➢ Note: there is no strict rule on the length of the key, which in general depends on the block cipher
Keyed Permutations
➢ A block cipher can in general be described as a keyed permutation. More precisely:
  ➢ It is a permutation over all the n-bit strings, because it maps each possible block to some other block
  ➢ It is keyed because the key determines exactly which block is mapped to which
Keyed Permutations - Example
➢ Consider the permutation in the following image
➢ Here the blocksize is 4 bits (the length of a digit in hex)
➢ Each character of the string (block) is mapped to the new character in the direction of its arrow
➢ Example: the string 𝐵75𝐸210𝐷 is mapped to 365024𝐸𝐶
Block Ciphers in practice
➢ In practice, all modern block ciphers are designed as iterated ciphers
➢ Iterated ciphers have two common components:
  ➢ A key schedule algorithm, which produces 𝑟 subkeys from a master key
  ➢ A round function 𝐹(𝑚𝑒𝑠𝑠𝑎𝑔𝑒, 𝑘𝑒𝑦), which is iterated 𝑟 times over the input message
[Diagram: the user's key $k$ enters the key schedule algorithm, which outputs the subkeys $k_1, k_2, \dots, k_{r-1}, k_r$; the plaintext $m$ passes in sequence through $F(m_1, k_1)$, $F(m_2, k_2)$, …, $F(m_{r-1}, k_{r-1})$, $F(m_r, k_r)$, with intermediate values $m_2, m_3, \dots, m_{r-1}, m_r$, and the last output is the ciphertext $c$]
Remarks on iterated ciphers
➢ Does iteration enable the implementation of a secure block cipher? Nobody knows
➢ There is heuristic evidence that iterating simple functions makes a cipher secure
➢ Not every function is good for iteration (e.g., linear functions)
➢ In general, analyzing the security of a block cipher is considered a hard problem
Standard Encryption Algorithms
➢ In the next sections we will present:
  ➢ the two standard block cipher algorithms DES and AES
  ➢ their internal descriptions
  ➢ their weaknesses
The Data Encryption Standard (DES)
➢ Developed between 1973 and 1975 by IBM
➢ FIPS standard from 1977
➢ 64-bit blocks and 56-bit keys
➢ Broken for the first time in public in 1997
➢ Officially retired in 2005
DES – Overview
➢ The DES algorithm can be summarized as follows:
  ➢ The key schedule algorithm produces 16 round keys of 48 bits each
  ➢ A permutation 𝐼𝑃 (Initial Permutation) is applied to the 64-bit input
  ➢ 16 rounds of an iterated round function are performed
  ➢ The inverse permutation of 𝐼𝑃, called 𝐹𝑃 (Final Permutation), is applied
DES – Round Function
➢ The input is split into two blocks 𝑥 and 𝑦 of the same length
➢ A round function 𝑅 is applied 16 times and has the form:
  ➢ 𝑅(𝑥, 𝑦, 𝑘) = (𝑦, 𝑥 ⊕ 𝐹(𝑦, 𝑘))
➢ Where:
  ➢ 𝑘 is the round key, generated by the key schedule algorithm
  ➢ 𝐹 is a function involving substitutions, permutations and XOR, that returns a 32-bit value
  ➢ ⊕ is the bitwise XOR operation
➢ At the end of a round we will have:
  ➢ (𝑥, 𝑦) = 𝑅(𝑥, 𝑦, 𝑘)
➢ This structure is called a Feistel Network
➢ The 𝐹 function is composed of:
  ➢ An Expansion function that maps 32 bits to 48 bits
  ➢ An XOR between the expanded block and the subkey
  ➢ 8 substitution boxes (𝑆1-𝑆8) with 6-bit input and 4-bit output
  ➢ A final Permutation
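The Feistel structure described above, as an added example (not part of the original slides): a toy 64-bit Feistel cipher in Python. `F` and `key_schedule` are hypothetical stand-ins built on SHA-256, not the DES expansion, S-boxes and key schedule; the example shows that decryption reuses the same round routine with the subkeys in reverse order, so `F` itself is never inverted.

```python
import hashlib

ROUNDS = 16             # same number of rounds as DES
HALF_MASK = 0xFFFFFFFF  # each half of the 64-bit block is 32 bits


def key_schedule(master_key, rounds=ROUNDS):
    """Hypothetical key schedule: one 48-bit subkey per round."""
    return [hashlib.sha256(master_key + bytes([i])).digest()[:6]
            for i in range(rounds)]


def F(y, k):
    """Hypothetical round function returning a 32-bit value (not the DES F)."""
    digest = hashlib.sha256(y.to_bytes(4, "big") + k).digest()
    return int.from_bytes(digest[:4], "big")


def R(x, y, k):
    """One Feistel round, as on the slide: R(x, y, k) = (y, x XOR F(y, k))."""
    return y, x ^ F(y, k)


def _run(block, subkeys):
    x, y = block >> 32, block & HALF_MASK
    for k in subkeys:
        x, y = R(x, y, k)
    # Swapping the halves at the end makes decryption the same routine.
    return (y << 32) | x


def encrypt(block, master_key):
    return _run(block, key_schedule(master_key))


def decrypt(block, master_key):
    # Same rounds, subkeys applied in reverse order.
    return _run(block, reversed(key_schedule(master_key)))
```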
DES – Weaknesses
➢ Nowadays 56-bit keys are not strong enough: with a relatively low budget, they can be bruteforced in a matter of hours.
➢ There are some (known) keys 𝑘, called weak keys, such that 𝐸(𝑘, 𝐸(𝑘, 𝑚)) = 𝑚
  ➢ Example: alternating ones + zeros (0𝑥0101010101010101)
➢ There are some (known) pairs of keys 𝑘1, 𝑘2, called semi-weak keys, such that 𝐸(𝑘2, 𝐸(𝑘1, 𝑚)) = 𝑚
  ➢ Example: 0𝑥011𝐹011𝐹010𝐸010𝐸 and 0𝑥1𝐹011𝐹010𝐸010𝐸01
DES – The introduction of 3DES
➢ In order to avoid bruteforce attacks, Triple-DES (3DES) was introduced in 1995. 3DES:
  ➢ Takes three 56-bit keys (a 168-bit key in total) and a 64-bit message
  ➢ Its encryption routine is:
    $E_{3DES}(m, k_1, k_2, k_3) = E(k_1, D(k_2, E(k_3, m)))$
  ➢ 𝐸 and 𝐷 are the encryption and decryption functions of DES
➢ Note: this is compatible with the standard DES by using $k_1 = k_2 = k_3$
3DES – Why not 2DES?
➢ Despite having 112-bit keys, 2DES is vulnerable to a Meet-in-the-Middle (MITM) attack
➢ Consider $E_{2DES}(k_1, k_2, m) = E(k_2, E(k_1, m))$; it holds that:
  ➢ $E(k_2, E(k_1, m)) = C \rightarrow$
  ➢ $D(k_2, E(k_2, E(k_1, m))) = D(k_2, C) \rightarrow$
  ➢ $E(k_1, m) = D(k_2, C)$
➢ We can simply precompute a table of the encryptions under all the 56-bit keys and use the DES decryption function to find a match
  ➢ In this way, by using the previous equivalence, 2DES can be broken in just double the time needed for DES
Meet-in-the-Middle attack
➢ Despite having 112-bit keys, 2DES is vulnerable to a Meet-in-the-Middle (MITM) attack
➢ This vulnerability shows that two independent 56-bit keys do not really improve the security of the cipher, as they are equivalent to a single 57-bit key, instead of a 112-bit one, in terms of the time needed to attack a ciphertext ($2 \cdot 2^{56} = 2^{57}$)
➢ Note that 3DES is also vulnerable to MITM: in a similar way its security can be reduced to a single 112-bit key instead of 168!
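The meet-in-the-middle equivalence E(k1, m) = D(k2, C) described above, as an added example (not part of the original slides), run against a toy cipher so that it finishes in about a second. `E` and `D` are a hypothetical 32-bit block cipher with 16-bit keys standing in for DES; the table lookup finds both keys with 2 · 2^16 cipher operations instead of the 2^32 that a search over all key pairs would need, which is why doubling the key length this way adds only one bit of security.

```python
MASK, MUL = 0xFFFFFFFF, 0x9E3779B1
INV = pow(MUL, -1, 1 << 32)   # MUL is odd, so it is invertible mod 2^32
KEY_BITS = 16                 # toy key size (DES uses 56)


def E(k, m):
    """Toy 32-bit block cipher with a 16-bit key (hypothetical, not DES)."""
    for _ in range(4):
        m = ((m ^ (k * 0x10001)) * MUL) & MASK
        m = ((m << 7) | (m >> 25)) & MASK      # rotate left by 7
    return m


def D(k, c):
    """Inverse of E."""
    for _ in range(4):
        c = ((c >> 7) | (c << 25)) & MASK      # rotate right by 7
        c = ((c * INV) & MASK) ^ (k * 0x10001)
    return c


def double_encrypt(k1, k2, m):
    return E(k2, E(k1, m))


def meet_in_the_middle(pairs):
    """Return candidate (k1, k2) and the number of table/lookup cipher calls.

    pairs: known (plaintext, ciphertext) pairs under double_encrypt.
    """
    (m, c), rest = pairs[0], pairs[1:]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):            # forward half: E(k1, m)
        table.setdefault(E(k1, m), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):            # backward half: D(k2, c)
        ops += 1
        for k1 in table.get(D(k2, c), []):
            # A second known pair filters out accidental matches.
            if all(double_encrypt(k1, k2, mi) == ci for mi, ci in rest):
                found.append((k1, k2))
    return found, ops
```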
The Advanced Encryption Standard
➢ In 1999 the Advanced Encryption Standard (AES) was proposed
➢ In 2001 AES was approved as a standard
➢ AES takes 128-bit messages, and has 3 versions with 128, 192, and 256-bit keys, respectively
➢ No (significant) vulnerability is known on the AES encryption function
AES – Structure
➢ AES is an iterated cipher but, unlike DES, it does not have a Feistel structure: it is a Substitution-Permutation Network (SPN)
➢ The 3 versions of AES have 10, 12 and 14 rounds, respectively, for 128, 192, 256 bits in the key
➢ In principle, the different versions of AES trade off efficiency and security
AES – Sub.-Perm. Networks
➢ Substitution-Permutation Networks are based on Shannon's Confusion-Diffusion principle:
  ➢ Diffusion: changing a bit in the plaintext should result in a random change in the whole ciphertext. This is in general performed via permutation
  ➢ Confusion: like diffusion, but for the key-ciphertext relation; in general, obtained using substitutions
AES – General Structure
➢ In AES, the 16-byte plaintext is arranged in a 4 × 4 matrix called the state matrix
➢ The Key Expansion algorithm generates Nr + 1 keys (where Nr is the number of rounds), each as a 4 × 4 matrix
AES – Round Structure
➢ AES has 4 major components in the round function:
  ➢ AddRoundKey: an element-wise XOR between the state matrix and the round key matrix
  ➢ SubBytes: an element-wise substitution using a (fixed) table on the state matrix
  ➢ ShiftRows: a cyclical shift of the rows of the state matrix
  ➢ MixColumns: a (sort of) matrix multiplication of the state matrix with a fixed matrix
AES – Remarks
➢ By design, MixColumns is always omitted in the last round
➢ Confusion is obtained via the SubBytes operation
➢ Diffusion is obtained with the combination of ShiftRows and MixColumns
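The diffusion remark above, as an added example (not part of the original slides): ShiftRows, MixColumns and AddRoundKey in Python on a column-major 16-byte state, used to count how many state bytes differ after each round when two inputs differ in a single byte. SubBytes is left out because it acts on each byte separately and so cannot spread a difference to other bytes; the sample state and round key are constructed.

```python
def xtime(a):
    """Multiply by 0x02 in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def mix_column(col):
    """Multiply one column by the fixed matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    a0, a1, a2, a3 = col
    mul3 = lambda v: xtime(v) ^ v
    return [
        xtime(a0) ^ mul3(a1) ^ a2 ^ a3,
        a0 ^ xtime(a1) ^ mul3(a2) ^ a3,
        a0 ^ a1 ^ xtime(a2) ^ mul3(a3),
        mul3(a0) ^ a1 ^ a2 ^ xtime(a3),
    ]


def shift_rows(s):
    """Rotate row r left by r positions (state is column-major: s[4*c + r])."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]


def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def linear_round(s, k):
    """One round without SubBytes: ShiftRows, MixColumns, AddRoundKey."""
    return add_round_key(mix_columns(shift_rows(s)), k)


def differing_bytes(rounds, position=0):
    """Bytes that differ after `rounds` rounds for inputs differing in one byte."""
    a = list(range(16))            # constructed sample state
    b = a.copy()
    b[position] ^= 0x01            # flip a single bit in one byte
    key = [0x5A] * 16              # constructed round key, same for both inputs
    for _ in range(rounds):
        a, b = linear_round(a, key), linear_round(b, key)
    return sum(x != y for x, y in zip(a, b))
```

One differing byte becomes a full column after the first round and the whole state after the second, which is the ShiftRows plus MixColumns diffusion the slide refers to.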
What next
➢ In the next lecture:
  ➢ Using block ciphers to encrypt more than one block (modes of operation)
  ➢ Common mistakes and vulnerabilities in implementing block ciphers
  ➢ Stream ciphers and their relationship with block ciphers
  ➢ Basic vulnerabilities of stream ciphers