Lecture 4 Block Ciphers, DES, AES

This document discusses a lecture on block ciphers. It provides an overview of modern ciphers like block ciphers and stream ciphers. It then focuses on block ciphers, explaining how they operate on fixed-length blocks of data. The document dives into details of the Data Encryption Standard (DES), including its key structure, generation of round keys, and use of a Feistel network. It describes each step of the DES algorithm, including initial/final permutations, substitution boxes, and encryption/decryption processes.

Uploaded by

Mohammad Bangee

CS-446: Information Systems Security

Lecture # 4: Block Ciphers


Prof. Dr. Sufian Hameed
Department of Computer Science
FAST-NUCES

Block Cipher

Modern Ciphers

Modern ciphers
Sophisticated design using substitutions and
permutations
Round-based encryption and decryption algorithms
Efficient implementations in hardware and software
Common classes of modern ciphers
Block ciphers = processing of fixed-length blocks
 Examples: DES, AES, Blowfish
Stream ciphers = processing of individual bits or bytes
 Examples: RC4, A5/1

Block Cipher
- Encryption and decryption in blocks (e.g., 64 or 128 bit)
- Padding of short messages, splitting of long messages
- Different modes of operation: ECB, CBC, CTR, ...

Examples:
1. DES: n = 64 bits, k = 56 bits
2. 3DES: n = 64 bits, k = 168 bits
3. AES: n = 128 bits, k = 128, 192, 256 bits

Block Ciphers Built by Iteration

Diagram: the key k goes through key expansion to produce round keys k1, k2, k3, ..., kn; the message m passes through R(k1, ·), R(k2, ·), R(k3, ·), ..., R(kn, ·) in sequence to produce the ciphertext c.

R(k, m) is called a round function
for DES (n = 16), 3DES (n = 48) and AES-128 (n = 10)

Design Characteristics for Block Ciphers
Choice of block length n
n too long → complex algorithm, performance loss
n too short → weak encryption, easy to attack
Modern variants use n = 128 - 256 bit
Choice of the key length k
Practical key length: 80 - 256 bit
k too short → systematic testing of all valid keys (Brute Force attack)
Against Brute Force attacks, a minimum of 70-80 bit is necessary

Confusion and Diffusion (Recap)

What makes a cipher secure? Hard to tell

Confusion property
Complex relation between key and plaintext/ciphertext
✸ Hard to deduce key from plaintext/ciphertext pairs

Diffusion property
Complex relation between plaintext and ciphertext
✸ Hard to deduce bits of plaintext from ciphertext

Data Encryption Standard (DES)

The Data Encryption Standard (DES)
Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits ; block-len = 128 bits

1973: National Bureau of Standards (NBS) asks for block cipher proposals
IBM submits variant of Lucifer.
1976: NBS adopts DES as a federal standard
key-len = 56 bits ; block-len = 64 bits
Every 5 years:
DES review for decision about further usage
- Result: Until now, no modifications were made

The Data Encryption Standard (DES)
Problem of DES:
- Usage of a key with a length of 56 bit
- Criticized for a key length too short for usage in practice

1997: DES broken by exhaustive search

2000: NIST adopts Rijndael as AES to replace DES

DES Challenge
- 1997: Internet search -- 3 months

- 1998: by distributed.net in 41 days in early 1998.
  The plaintext was "The secret message is: Many hands make light work."

- 1998: Electronic Frontier Foundation (EFF) machine (Deep Crack) -- 56 hours
  The text was revealed to be "The secret message is: It's time for those 128-, 192-, and 256-bit keys."

- 1999: combined search -- 22 hours
  The plaintext was "See you in Rome (second AES Conference, March 22-23, 1999)"

⇒ 56-bit ciphers should not be used !! (128-bit key ⇒ 2^72 days)

DES: core idea – Feistel Network
DES is based on a Feistel Network

Consists of invertible function F: {0,1}^2n ⟶ {0,1}^2n

Diagram: the 2n-bit input is split into halves R0 and L0 (n bits each); round i applies fi to Ri-1 and XORs the result into Li-1, giving (Li, Ri); after d rounds the output is (Ld, Rd).

In symbols: Li = Ri-1, Ri = fi(Ri-1) ⊕ Li-1

Inverse of Feistel Function

Feistel network F: {0,1}^2n ⟶ {0,1}^2n is invertible

Inverse of round i, given (Li, Ri):
Ri-1 = Li
Li-1 = fi(Li) ⨁ Ri

Diagram: the round circuit (Li-1, Ri-1) → (Li, Ri) and its inverse (Li, Ri) → (Li-1, Ri-1), both using the same fi.

Decryption circuit

Diagram: decryption runs the chain backwards, from (Ld, Rd) through fd, fd-1, ..., f1 to (L0, R0), with the same XOR structure as encryption.

Decryption is basically the same inverted circuit, with f1, …, fd applied in reverse order

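The Feistel construction of the last three slides, as an added worked example in Python (not code from the lecture or its sources). The round functions fi are a truncated keyed SHA-256 and the round-key derivation is a toy, both assumptions chosen only because they are deliberately non-invertible; the block is 16 bytes. It shows that the network is invertible whatever fi is, that the inverse round from the slide (Ri-1 = Li, Li-1 = fi(Li) ⊕ Ri) undoes encryption, and that decryption is the encryption circuit run with the round keys in reverse order.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_key(master: bytes, rounds: int) -> list:
    # Toy key expansion (assumption): k_i = SHA-256(master || i). Not DES's schedule.
    return [hashlib.sha256(master + bytes([i])).digest() for i in range(rounds)]


def round_function(k_i: bytes, half: bytes) -> bytes:
    # f_i: keyed and NON-invertible (truncated SHA-256). The Feistel structure
    # never needs f_i^-1, which is why a one-way function still yields a cipher.
    return hashlib.sha256(k_i + half).digest()[:len(half)]


def feistel_encrypt(round_keys: list, block: bytes) -> bytes:
    # (L0, R0) -> (Ld, Rd) with L_i = R_{i-1}, R_i = f_i(R_{i-1}) XOR L_{i-1}
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for k_i in round_keys:
        L, R = R, xor(round_function(k_i, R), L)
    return L + R


def feistel_decrypt(round_keys: list, block: bytes) -> bytes:
    # Inverse round from the slide: R_{i-1} = L_i, L_{i-1} = f_i(L_i) XOR R_i,
    # applied for i = d, ..., 1 (f_d first, f_1 last).
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for k_i in reversed(round_keys):
        L, R = xor(round_function(k_i, L), R), L
    return L + R


def swap_halves(block: bytes) -> bytes:
    n = len(block) // 2
    return block[n:] + block[:n]


def decrypt_with_reversed_keys(round_keys: list, block: bytes) -> bytes:
    # "To invert, use keys in reverse order": the unchanged encryption circuit,
    # fed the reversed key list, decrypts, up to a swap of halves at input and output.
    return swap_halves(feistel_encrypt(list(reversed(round_keys)), swap_halves(block)))


def bit_difference(a: bytes, b: bytes) -> int:
    # Hamming distance in bits between two blocks (a simple diffusion check).
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    keys = expand_key(b"constructed master key", 16)   # constructed sample key
    m = b"0123456789abcdef"                            # constructed 128-bit block
    c = feistel_encrypt(keys, m)
    print(c.hex(), feistel_decrypt(keys, c) == m, decrypt_with_reversed_keys(keys, c) == m)
```

Because nothing in the structure depends on fi being invertible, the security of such a cipher rests entirely on the round function and the number of rounds, which is the point the DES slides make about the quality of the cipher function F.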
General Structure of DES

DES uses blocks of length n = 64 bit
Length of key k is 56 bit
Encryption takes place in 16 identical rounds with round keys ki of 48 bit length

Encryption process
1. step: permutation performed on the input block
2. step: generation of round keys
3. step: performing 16 identical rounds
4. step: inverse permutation to step 1

DES Encryption Process (figure)

Step 1 & 4: Initial and Final Permutation
Input permutation
See each 64-bit block as 8 Bytes, arranged in a matrix
Diffusion of bits over all bytes
Bits of a column are packed into a row
First byte is spread into 8th bits of all bytes
Second byte is spread into 7th bits of all bytes
...

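The initial and final permutations described above, as an added example in Python (not from the lecture). The IP table is the published DES table (FIPS 46-3); the final permutation is derived as its inverse rather than typed in, and a helper reports where the bits of each input byte land, which confirms the slide's description: byte 1 is spread over the 8th bit of every output byte, byte 2 over the 7th bit, and so on. The test vectors are constructed inputs.

```python
# DES initial permutation IP (FIPS 46-3); bits are numbered 1..64 with bit 1 the MSB.
IP = [58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7]


def invert_table(table: list) -> list:
    # Final permutation IP^-1, computed as the inverse mapping of IP.
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


FP = invert_table(IP)


def permute(x: int, table: list, width: int = 64) -> int:
    # Output bit j (1 = MSB) is input bit table[j-1].
    y = 0
    for pos in table:
        y = (y << 1) | ((x >> (width - pos)) & 1)
    return y


def initial_permutation(block: int) -> int:
    return permute(block, IP, 64)


def final_permutation(block: int) -> int:
    return permute(block, FP, 64)


def byte_spread() -> list:
    # For each input byte b (1..8), the set of bit-within-byte positions
    # (1..8, MSB first) that its bits occupy after IP. The slide says byte 1
    # goes to the 8th bit of every byte, byte 2 to the 7th bit, and so on.
    spread = []
    for b in range(1, 9):
        positions = set()
        for out_pos, in_pos in enumerate(IP, start=1):
            if (in_pos - 1) // 8 == b - 1:
                positions.add((out_pos - 1) % 8 + 1)
        spread.append(positions)
    return spread


if __name__ == "__main__":
    block = 0x0123456789ABCDEF                      # constructed sample block
    print(hex(initial_permutation(block)), byte_spread())
    print(final_permutation(initial_permutation(block)) == block)
```

IP and IP^-1 move bits around but never mix them, so, as the key-schedule slide says of the similar key permutation, they add no security; they only rearrange bits into the byte layout the rounds operate on.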
Step 2: Generation of Round Keys

Preparation: divide KDES into left block (C0) and right block (D0) (each 28 bit long - no parity bits) by performing permutations similar to the DES initial permutation (which has no security value)

Now: round keys Ki are computed in 16 rounds from Ci and Di:

Step 2: Generation of Round Keys (figure)

Step 2: Generation of Round Keys
Initial Key permutation and parity bit drop table (figure)

Number of bits shift (table)

Step 2: Generation of Round Keys
Characteristics of key generation
Left shift
round 1, 2, 9, and 16: left shift of 1 bit
other rounds: left shift of 2 bits
Notice: 10 years later it was found that performing the left shift with varying step sizes makes the algorithm more secure
Left half of Ki is only determined by Ci, right side only by Di
Permutations (compression P-box):
perform permutations on remaining bits of Ci and Di to obtain Ki (48 bits)
- Ci: bits 9, 18, 22, and 25 are discarded (remaining: 24 bits)
- Di: bits 35, 38, 43, and 54 are discarded (remaining: 24 bits)

Notice: the choice of the permutations on Ci and Di influences the security of DES, because they determine the quality of the round keys

Step 2: Generation of Round Keys
Compression P-Box (key compression table) (figure)

Step 3: Application of Rounds (16 round Feistel network)

Diagram: key k → key expansion → k1, k2, ⋯, k16; the 64-bit input goes through IP, then the 16-round Feistel network of cipher functions, then IP^-1, giving the 64-bit output.

To invert, use keys in reverse order

One DES round
Divide input block into two 32-bit blocks Li and Ri
Compute Li+1 as Ri, and Ri+1 as Li ⊕ F(Ri, Ki)
F is the cipher function, i.e. a combination of substitution and permutation
Security provided by DES depends on the quality of the cipher function
Decryption: uses the same algorithm and has the same cost as encryption

Diagram: one round mapping (Li-1, Ri-1) to (Li, Ri) through Fi.

The function F(x, ki)

S-box: function {0,1}^6 ⟶ {0,1}^4, implemented as look-up table.

E: Expansion P-box
- Since Ri−1 is a 32-bit input and ki is a 48-bit key, we first need to expand Ri−1 to 48 bits.
Expansion Permutation (figure)

Expansion P-Box Table (figure)
XOR: Key and Expanded R bits (figure)

Application of S-Boxes
- The S-boxes do the real mixing (confusion --- nonlinearity).
DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.
Si: {0,1}^6 ⟶ {0,1}^4

The S-Boxes

S-Box rule (figure)

The S-Boxes (tables)

Final Straight Permutation on S-Box Output

Straight Permutation Table (figure)

Example
We choose a random plaintext block and a random key, and determine what the ciphertext block would be (all in hexadecimal):

Trace of data for Example (table)

Example (contd)

Trace of data for Example (continued)

Example (contd)
Let us see how Bob, at the destination, can decipher the ciphertext received from Alice using the same key. Table 6.16 shows some interesting points.

DES Design Criteria
What are the design criteria for the building blocks of the DES algorithm?
This is out of the scope of this course. Interested parties are referred to the following references:

- B. Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996, pp. 293–294.
- D. Coppersmith, The Data Encryption Standard (DES) and Its Strength Against Attacks, IBM Journal of Research and Development, May 1994.

Comments

Security of DES
DES is seen as very secure (except for the key length)
No attacks with lower costs than a Brute Force attack are known so far
There are some so-called weak keys and semi-weak keys
These keys should not be used!
Questions on DES
Design process for DES was not public
Are details well-chosen for strength of the DES algorithm?
Are some weaknesses useful for people involved in the design process?
Are there other weak keys than the known ones?

Choosing the S-boxes and P-box
Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after ≈2^24 outputs) [BS’89]
Several rules used in choice of S and P boxes:

No output bit should be close to a linear function of the input bits
Ensure that bits of the output of an S-Box on one round affect the input of multiple S-Boxes in the next round
Two of the output bits of one S-Box should influence the middle of the result, the other two bits should influence the edges
The 4 output bits should form the input of 6 S-Boxes in the next round

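The expansion P-box, the S-box rule and the first design rule above ("no output bit should be close to a linear function of the input bits"), as one added example in Python (not from the lecture). The expansion table E and the S-box S1 are the published DES tables (FIPS 46-3); the other seven S-boxes follow the same row/column rule with their own tables and are left out. The last function measures the rule directly: for every input mask a and output mask b it counts how often a parity of input bits agrees with a parity of output bits; a linear (or affine) relation would agree on all 64 or 0 inputs, so a value of 32 would mean the rule is violated.

```python
# Expansion E: 32 -> 48 bits. Each 4-bit group borrows the edge bits of its neighbours.
E = [32, 1, 2, 3, 4, 5,
     4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13,
     12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21,
     20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29,
     28, 29, 30, 31, 32, 1]

# DES S-box S1 (FIPS 46-3): 4 rows of 16 four-bit outputs.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def expand(r32: int) -> int:
    # Output bit j (1 = MSB of 48) is input bit E[j-1] (1 = MSB of 32).
    y = 0
    for pos in E:
        y = (y << 1) | ((r32 >> (32 - pos)) & 1)
    return y


def sbox(box: list, x6: int) -> int:
    # S-box rule: outer bits b1 b6 select the row, middle bits b2..b5 the column.
    row = (((x6 >> 5) & 1) << 1) | (x6 & 1)
    col = (x6 >> 1) & 0xF
    return box[row][col]


def rows_are_permutations(box: list) -> bool:
    # Each row maps the 16 column values onto all 16 outputs (a DES design rule).
    return all(sorted(row) == list(range(16)) for row in box)


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def max_linear_deviation(box: list) -> int:
    # Largest |agreements - 32| over all non-zero input masks a and output masks b,
    # where agreements = #{x : parity(a & x) == parity(b & S(x))}. 32 would mean
    # some output-bit combination IS a linear/affine function of the input bits.
    worst = 0
    for a in range(1, 64):
        for b in range(1, 16):
            agree = sum(parity(a & x) == parity(b & sbox(box, x)) for x in range(64))
            worst = max(worst, abs(agree - 32))
    return worst


if __name__ == "__main__":
    print(hex(expand(0x80000000)))          # constructed input: only bit 1 set
    print(sbox(S1, 0b011011))               # row 01 = 1, column 1101 = 13
    print(rows_are_permutations(S1), max_linear_deviation(S1))
```

The deviation is never zero either: every DES S-box has some input/output parity pair with a measurable bias, which is exactly what linear cryptanalysis (mentioned later in these slides) exploits across rounds.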
Properties
Two desired properties of a block cipher are completeness and the avalanche effect.
- Completeness effect means that each bit of the ciphertext needs to depend on many bits of the plaintext
- Avalanche effect means a small change in either the plaintext or the key should produce a significant change in the ciphertext.
- The avalanche effect is in fact a measure of diffusion.
- Remark: Linear functions are usually used for diffusion.

Example of Avalanche Effect
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.

Example of Avalanche Effect

Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext.

Number of bit differences for Example (table)

To Summarize
S-Boxes
The design provides confusion (non-linearity) of bits from each round to the next.
P-Boxes
They provide diffusion of bits.

Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random function of plaintext and ciphertext.

Security of DES

DES, as the first important block cipher, has gone through much scrutiny.
Among the attempted attacks, three are of interest:
Brute-force
- Due to the weakness of the short cipher key, DES can be broken using 2^55 encryptions.
Differential Cryptanalysis
- It has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this type of attack.
Linear Cryptanalysis
- Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.

Advanced Encryption Standard (AES)

The AES process
1997: NIST publishes request for proposal
1998: 15 submissions.
1999: NIST chooses 5 finalists
2000: NIST chooses Rijndael as AES (designed in Belgium)

- Key sizes: 128, 192, 256 bits.
- Block size: 128 bits
- Rounds:
10 rounds of repetition for 128-bit keys.
12 rounds of repetition for 192-bit keys.
14 rounds of repetition for 256-bit keys.

AES is a Subs-Perm network (not Feistel)

Diagram: each round XORs a round key (k1, k2, ..., kn) into the state, applies a substitution layer of parallel S-boxes (S1, S2, S3, ..., S8) and then a permutation layer; every layer is invertible, so decryption (inversion) runs the same layers in reverse order from output back to input.

High-level Description of AES
KeyExpansion—round keys are derived from the cipher key using Rijndael's key schedule.
http://en.wikipedia.org/wiki/Rijndael_key_schedule
Initial Round
AddRoundKey—each byte of the state is combined with the round key using bitwise xor.
Rounds
SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.
ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.
MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.
AddRoundKey
Final Round (no MixColumns)
SubBytes
ShiftRows
AddRoundKey
*source = wiki
AES-128 schematic 10 rounds

Diagram: the 16-byte input (4×4 state) is XORed with k0; each round then applies (1) ByteSub, (2) ShiftRow, (3) MixColumn and an XOR with the round key k1, k2, ..., k9; the last round applies ByteSub and ShiftRow only, then XOR with k10, giving the 16-byte output. Every step is invertible.
Key expansion: 16 bytes ⟶ 176 bytes (k0 ... k10)

Encryption Process (figure)

Transformation (figure)

SubBytes
In the SubBytes step, each byte in the state is replaced with its entry in a fixed 8-bit lookup table, S; bij = S(aij).

*source = wiki


ShiftRows
- In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row

*source = wiki

MixColumns
- In the MixColumns step, each column of the state is multiplied with a fixed polynomial c(x).

*source = wiki

MixColumns
- The multiplication operation is defined as:
multiplication by 1 means no change
multiplication by 2 means shifting to the left
multiplication by 3 means shifting to the left and then performing xor with the initial unshifted value.

*source = wiki

AddRoundKey
- In the AddRoundKey step, each byte of the state is combined with a byte of the round subkey using the XOR operation (⊕).

*source = wiki

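The four AES transformations (SubBytes, ShiftRows, MixColumns, AddRoundKey), as one added example in Python (not from the lecture or Wikipedia). It goes a little beyond the slides: the "multiplication by 2 = shift left" rule is completed with the reduction by the AES polynomial (0x1b) that the slide leaves out, and the SubBytes table is computed from its definition (inverse in GF(2^8) followed by the affine map) instead of being pasted in. The state layout (column-major, state[r][c] = block[r + 4c]) and the expected values in the test are from FIPS-197; the round key used in the demonstration is a constructed sample.

```python
def xtime(b: int) -> int:
    # "Multiplication by 2": shift left, and if a bit falls off the top reduce by the
    # AES polynomial x^8 + x^4 + x^3 + x + 1 (0x1b). The slide omits the reduction.
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    # General GF(2^8) multiply built from xtime ("multiplication by 3" is xtime(a) ^ a).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox() -> list:
    # SubBytes table S: multiplicative inverse in GF(2^8) (0 maps to 0), then the
    # affine map s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            for y in range(1, 256):
                if gf_mul(x, y) == 1:
                    inv[x], inv[y] = y, x
                    break
    box = []
    for x in range(256):
        b = inv[x]
        s = b
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        box.append(s ^ 0x63)
    return box


SBOX = build_sbox()


def to_state(block: bytes) -> list:
    # AES fills the 4x4 state column by column: state[r][c] = block[r + 4c].
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state: list) -> list:
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state: list) -> list:
    # Row r is rotated left by r positions (row 0 stays put).
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col: list) -> list:
    # Multiply one column by the fixed polynomial c(x) = 3x^3 + x^2 + x + 2.
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def mix_columns(state: list) -> list:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state: list, round_key: bytes) -> list:
    k = to_state(round_key)
    return [[state[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def aes_round(block: bytes, round_key: bytes, final: bool = False) -> bytes:
    # One AES round on a 16-byte block; the final round skips MixColumns.
    state = shift_rows(sub_bytes(to_state(block)))
    if not final:
        state = mix_columns(state)
    return from_state(add_round_key(state, round_key))


if __name__ == "__main__":
    rk = bytes(range(16))                       # constructed sample round key
    print(aes_round(b"\x00" * 16, rk).hex())
    print([hex(v) for v in mix_column([0xD4, 0xBF, 0x5D, 0x30])])
```

MixColumns is the only step that mixes bytes across a column and ShiftRows the only one that moves bytes across columns; together they provide the diffusion, while SubBytes is the single non-linear (confusion) step, which is why dropping MixColumns from the last round does not weaken the cipher (it is undone by the key anyway).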
Example (Input) (figure)

Example (Initial round) (figure)

Example (R1-SubBytes) (figure)

Example (R1-ShiftRows) (figure)

Example (R1-MixColumns) (figure)

Example (R1-AddRoundKey) (figure)

Code size/performance tradeoff

Option                                       Code size   Performance
Pre-compute round functions (24KB or 4KB)    largest     fastest: table lookups and xors
Pre-compute S-box only (256 bytes)           smaller     slower
No pre-computation                           smallest    slowest

Example: Javascript AES

AES in the browser:
AES library (6.4KB)
no pre-computed tables
Prior to encryption: pre-compute tables
Then encrypt using tables

http://crypto.stanford.edu/sjcl/
AES in hardware

AES instructions in Intel Westmere:
aesenc, aesenclast: do one round of AES
128-bit registers: xmm1=state, xmm2=round key
aesenc xmm1, xmm2 ; puts result in xmm1
aeskeygenassist: performs AES key expansion
Claim 14x speed-up over OpenSSL on same hardware

Similar instructions on AMD Bulldozer

Attacks

Best key recovery attack:
- four times better than exhaustive search [BKR’11]

Related key attack on AES-256: [BK’09]
- Given 2^99 inp/out pairs from four related keys in AES-256, can recover keys in time ≈2^99

Performance:
AMD Opteron, 2.2 GHz (Linux)

Cipher        Block/key size   Speed (MB/sec)
stream ciphers:
RC4           -                126
Salsa20/12    -                643
Sosemanuk     -                727
block ciphers:
3DES          64/168           13
AES-128       128/128          109

One-time and Many-time keys
One-time keys
1. Adversary’s power:
Adv sees only one ciphertext (one-time key)

2. Adversary’s goal:
Learn info about PT from CT (semantic security)

Many-time keys
1. Adversary’s power:
Adv has access to plaintext and its corresponding ciphertext

2. Adversary’s goal:
Learn info about PT and Key from CT/PT pair (semantic security against chosen/known Plaintext attacks)

Modes of Encryption

Electronic Codebook (ECB) mode
Simplest method: divide a message into blocks and encrypt each one
Advantage: fast access to single blocks

*image source = wiki (also for several following images)
Electronic Codebook (ECB) mode
- Does not hide data patterns well and doesn't provide serious message confidentiality
- Not recommended for use in cryptographic protocols at all.
- Makes protocols without integrity protection more susceptible to replay attacks
- Each block gets decrypted in exactly the same way.

Electronic Codebook (ECB) mode
- Disadvantage: Too simple, too dangerous; does not satisfy the requirements
- Identical blocks are encrypted to the same cipher block and can be identified by an attacker, i.e. if m1=m2 then c1=c2
- The message structure can be identified
- If the attacker knows what context the plaintext has, parts of the message can be manipulated
- ECB is not semantically secure for messages that contain more than one block.

Original Image / Encrypted using ECB mode (figure)

Cipher Block Chaining (CBC) mode
- Invented by IBM in 1976
- Each block of plaintext is XORed with the previous ciphertext block before being encrypted
- Each ciphertext block depends on all plaintext blocks processed up to that point
- For uniqueness, an initialization vector (IV) must be used in the first block.

Mathematical Formula (figure)

Cipher Block Chaining (CBC) mode
- For each message to be encoded, a new IV should be used
- Usage of the same IV for all messages would cause some problems:
- Differences in similar messages can be found by an attacker
- Old messages can be sent by an attacker at a later time
- Chosen plaintext can be applied as an attack

Mathematical Formula (figure)

Cipher Block Chaining (CBC) mode
- Drawback(s)
- Encryption is sequential (cannot be parallelized).
- A one-bit change in a plaintext or IV affects all following ciphertext blocks.
- For decryption, an incorrect IV causes only the first block of plaintext to be corrupt
- Plaintext block can be recovered from two adjacent blocks of ciphertext
- Decryption cannot be parallelized
- one-bit change to the ciphertext causes complete corruption of the corresponding block of plaintext
- rest of the blocks remain intact.

Original Image / Encrypted using CBC mode (figure)

Cipher Feedback (CFB) mode
- Close relative of CBC, makes a block cipher into a self-synchronizing stream cipher

Mathematical Formula (figure)

Cip her Feedback (CFB) mode
CFB decryption is almost identical to CBC encryption performed in reverse

Output Feedback (OFB) mode
- Makes a block cipher into a synchronous stream cipher
- Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location

Mathematical Formula (figure)

Output Feedback (OFB) mode
Because of the symmetry of the XOR operation, encryption and decryption are exactly the same:

Counter Mode (CTR) mode
- Like OFB, counter mode turns a block cipher into a stream cipher
- The counter can be any function which produces a sequence which is guaranteed not to repeat for a long time
- CTR mode is widely accepted and CBC, CTR modes are recommended by Niels Ferguson and Bruce Schneier
- CTR mode is well suited to operate on a multi-processor machine where blocks can be encrypted in parallel

Counter Mode (CTR) mode (figure)

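ECB, CBC and CTR from the modes slides, as one added example in Python (not from the lecture or Wikipedia). The block cipher E is a constructed stand-in (a keyed byte substitution): it is a permutation of 16-byte blocks, so the mode logic is exact, but it is not secure and exists only so the code runs offline without an AES or DES library; plaintexts are assumed to be a whole number of blocks (padding is out of scope here). It reproduces the ECB pattern leak (m1 = m2 gives c1 = c2), shows that CBC with an IV hides it, and measures what a one-bit ciphertext change does under CBC decryption: the hit block is garbled, the following block gets exactly that one bit flipped, and every other block is untouched.

```python
import random

BLOCK = 16  # bytes


def toy_block_cipher(seed: int):
    # Constructed stand-in for E_k / D_k: a seeded byte substitution and its inverse.
    # NOT a secure cipher; only a block permutation so the modes below can run.
    rnd = random.Random(seed)
    table = list(range(256))
    rnd.shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return (lambda blk: bytes(table[b] for b in blk),
            lambda blk: bytes(inverse[b] for b in blk))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(enc, pt: bytes) -> bytes:
    # Every block independently: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(enc(b) for b in blocks(pt))


def cbc_encrypt(enc, iv: bytes, pt: bytes) -> bytes:
    # c_i = E(p_i XOR c_{i-1}) with c_0 = IV; inherently sequential.
    out, prev = [], iv
    for p in blocks(pt):
        prev = enc(xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, iv: bytes, ct: bytes) -> bytes:
    # p_i = D(c_i) XOR c_{i-1}: each block needs only two adjacent ciphertext blocks.
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(dec(c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(enc, nonce: bytes, data: bytes) -> bytes:
    # Keystream block i = E(nonce || i). XOR makes encryption and decryption the same
    # function, only E (never D) is needed, and blocks are independent (parallel).
    out = bytearray()
    for i, b in enumerate(blocks(data)):
        counter_block = nonce + i.to_bytes(BLOCK - len(nonce), "big")
        out += xor(b, enc(counter_block))
    return bytes(out)


def bit_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def cbc_bitflip_effect(enc, dec, iv: bytes, pt: bytes, flip_index: int) -> list:
    # Flip one ciphertext bit, decrypt, and report per block how many plaintext
    # bits changed.
    ct = bytearray(cbc_encrypt(enc, iv, pt))
    ct[flip_index] ^= 0x01
    damaged = cbc_decrypt(dec, iv, bytes(ct))
    return [bit_distance(p, q) for p, q in zip(blocks(pt), blocks(damaged))]


if __name__ == "__main__":
    enc, dec = toy_block_cipher(1234)
    pt = b"A" * 16 + b"B" * 16 + b"A" * 16 + b"C" * 16   # constructed: blocks 0 and 2 equal
    iv = bytes(range(16))                                 # constructed sample IV
    print("ECB repeats:", blocks(ecb_encrypt(enc, pt))[0] == blocks(ecb_encrypt(enc, pt))[2])
    print("CBC repeats:", blocks(cbc_encrypt(enc, iv, pt))[0] == blocks(cbc_encrypt(enc, iv, pt))[2])
    print("CBC bit-flip damage per block:", cbc_bitflip_effect(enc, dec, iv, pt, 16))
```

The per-block damage list is the practical reason the slides insist on integrity protection: in CBC an attacker who knows the plaintext of block i+1 can flip chosen bits in it by flipping the same bits in ciphertext block i, and in CTR every bit flips in place, so none of these modes detects modification on their own.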
Acknowledgements

Material in this lecture is taken from the slides prepared by:
Prof. Dan Boneh (Stanford)
Prof. O. Spaniol (RWTH Aachen)