w2s1 DES

This document provides an overview of block ciphers and the Data Encryption Standard (DES). It explains that block ciphers encrypt messages in blocks, while stream ciphers encrypt messages bit-by-bit. The Feistel cipher structure is described as forming the basis for modern block ciphers, using substitution and permutation to provide diffusion and confusion. The Data Encryption Standard (DES) is introduced as the most widely used block cipher, encrypting 64-bit blocks with a 56-bit key using 16 rounds based on the Feistel structure.

Uploaded by

Lamboy
Block Ciphers and the Data Encryption Standard

Presented by Johannes Sianipar


Lecture slides by Lawrie Brown
22 September 2019

Block vs Stream Ciphers

■ block ciphers process messages in blocks, each of which is then en/decrypted
■ like a substitution on very big characters
□ 64-bits or more
■ stream ciphers process messages a bit or byte at a time when en/decrypting
■ many current ciphers are block ciphers

Block Cipher Principles, Services and Mechanisms

■ block ciphers look like an extremely large substitution
■ would need table of $2^{64}$ entries for a 64-bit block
■ arbitrary reversible substitution cipher for a large block size is not practical
□ 64-bit general substitution block cipher, key size $2^{64}!$
■ most symmetric block ciphers are based on a Feistel Cipher Structure
■ must be able to decrypt ciphertext to recover messages efficiently

C. Shannon and Substitution-Permutation Ciphers

■ in 1949 Shannon introduced idea of substitution-permutation (S-P) networks
□ modern substitution-transposition product cipher
■ these form the basis of modern block ciphers
■ S-P networks are based on the two primitive cryptographic operations we have seen before:
□ substitution (S-box)
□ permutation (P-box) (transposition)
■ provide confusion and diffusion of message

Diffusion and Confusion (1)

■ Introduced by Claude Shannon to thwart cryptanalysis based on statistical analysis
□ Assume the attacker has some knowledge of the statistical characteristics of the plaintext
■ cipher needs to completely obscure statistical properties of original message
■ a one-time pad does this

Diffusion and Confusion (2)

■ more practically Shannon suggested combining elements to obtain:
■ diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
□ Classical transposition cipher
■ confusion – makes relationship between ciphertext and key as complex as possible
□ Classical substitution cipher

Feistel Cipher Structure

■ Horst Feistel devised the Feistel cipher
□ implements Shannon’s substitution-permutation network concept
■ partitions input block into two halves
□ process through multiple rounds which
□ perform a substitution on left data half
□ based on round function of right half & subkey
□ then have permutation swapping halves

Feistel Cipher

■ n sequential rounds
■ A substitution on the left half $L_i$
□ 1. Apply a round function F to the right half $R_i$ and
□ 2. Take XOR of the output of (1) and $L_i$
■ The round function is parameterized by the subkey $K_i$
□ $K_i$ are derived from the overall key K

Feistel Cipher Design Principles

■ block size
□ increasing size improves security, but slows cipher
■ key size
□ increasing size improves security, makes exhaustive key searching harder, but may slow cipher
■ number of rounds
□ increasing number improves security, but slows cipher
■ subkey generation
□ greater complexity can make analysis harder, but slows cipher
■ round function
□ greater complexity can make analysis harder, but slows cipher
■ fast software en/decryption & ease of analysis
□ are more recent concerns for practical use and testing

Feistel Cipher Decryption

Data Encryption Standard (DES)

■ most widely used block cipher in world
■ adopted in 1977 by NBS (now NIST)
□ as FIPS PUB 46
■ encrypts 64-bit data using 56-bit key
■ has widespread use

DES History

■ IBM developed Lucifer cipher
□ by team led by Feistel
□ used 64-bit data blocks with 128-bit key
■ then redeveloped as a commercial cipher with input from NSA and others
■ in 1973 NBS issued request for proposals for a national cipher standard
■ IBM submitted their revised Lucifer which was eventually accepted as the DES

DES Design Controversy

■ although DES standard is public
■ was considerable controversy over design
□ in choice of 56-bit key (vs Lucifer 128-bit)
■ subsequent events and public analysis show in fact design was appropriate
■ DES has become widely used, especially in financial applications

DES Encryption

Initial Permutation IP

■ first step of the data computation
■ IP reorders the input data bits
■ quite regular in structure
□ see text Table 3.2
■ example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

DES Round Structure

■ uses two 32-bit L & R halves
■ as for any Feistel cipher can describe as:
□ $L_i = R_{i-1}$
□ $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
■ takes 32-bit R half and 48-bit subkey and:
□ expands R to 48-bits using Expansion Permutation E (Table 3.2 c.)
□ adds to subkey using XOR
□ passes through 8 S-boxes to get 32-bit result
□ finally permutes this using 32-bit Permutation Function P (Table 3.2 d)

DES Round

Permutation

The round function F(R,K)

Substitution Boxes S

■ 8 S-boxes (Table 3.3)
■ Each S-Box maps 6 to 4 bits
□ outer bits 1 & 6 (row bits) select the row
□ inner bits 2-5 (col bits) select the column
□ For example, in S1, for input 011001,
– the row is 01 (row 1)
– the column is 1100 (column 12).
– The value in row 1, column 12 is 9
– The output is 1001.
■ result is 8 × 4 bits, or 32 bits

S-Boxes

DES Key Schedule (1)

■ forms subkeys used in each round
■ 1. initial permutation of the key PC1 (Table 3.4b)
■ 2. divide the 56-bits in two 28-bit halves
■ 3. at each round
□ 3.1. Left shift each half (28 bits) separately either 1 or 2 places based on the left shift schedule (Table 3.4d)
□ Shifted values will be input for next round
□ 3.2. Combine two halves to 56 bits, permuting them by PC2 (Table 3.4c) for use in function f
□ PC2 takes 56-bit input, outputs 48 bits

DES Key Schedule (2)

DES Key Schedule (3)

DES Decryption

■ decrypt must unwind steps of data computation
■ with Feistel design, do encryption steps again
■ using subkeys in reverse order (SK16 … SK1)
■ note that IP undoes final FP step of encryption
■ 1st round with SK16 undoes 16th encrypt round
■ ….
■ 16th round with SK1 undoes 1st encrypt round
■ then final FP undoes initial encryption IP
■ thus recovering original data value

Avalanche Effect

■ key desirable property of encryption alg
■ DES exhibits strong avalanche
■ where a change of one input or key bit results in changing approx half output bits
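The Feistel round, the reverse-subkey decryption and the avalanche property from the slides above, as an added example that is not part of the original slides. The round function `F` and the key schedule are hash-based stand-ins assumed for illustration, not DES's E/S-box/P function or its PC1/PC2 schedule, and the key is a constructed sample.

```python
import hashlib

ROUNDS = 16            # DES round count
MASK32 = 0xFFFFFFFF

def subkeys(key):
    # Assumed key schedule (not DES's PC1/shift/PC2): one 48-bit subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def F(right, subkey):
    # Assumed round function standing in for DES's E, S-boxes and P.
    # It is not invertible, and a Feistel network does not need it to be.
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, round_keys):
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # L_i = R_{i-1} ;  R_i = L_{i-1} xor F(R_{i-1}, K_i)
        left, right = right, left ^ F(right, k)
    # Swap the halves once more so the same routine also decrypts.
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    # Same rounds, subkeys in reverse order (SK16 ... SK1).
    return feistel(block, subkeys(key)[::-1])

def avalanche(block, key):
    # Output bits changed by each of the 64 single-bit plaintext changes.
    base = encrypt(block, key)
    return [bin(base ^ encrypt(block ^ (1 << bit), key)).count("1")
            for bit in range(64)]

SAMPLE_BLOCK = 0x675A69675E5A6B5A   # plaintext value from the IP slide
SAMPLE_KEY = b"demo-key"            # constructed key, illustration only

if __name__ == "__main__":
    ct = encrypt(SAMPLE_BLOCK, SAMPLE_KEY)
    changed = avalanche(SAMPLE_BLOCK, SAMPLE_KEY)
    print(hex(ct), hex(decrypt(ct, SAMPLE_KEY)), sum(changed) / 64)
```

Running the rounds again with the subkeys in forward order does not recover the plaintext; only the reversed order unwinds them.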

Strength of DES – Key Size

■ 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
■ brute force search looks hard
■ recent advances have shown is possible
□ in 1997 on Internet in a few months
□ in 1998 on dedicated hardware (EFF) in a few days
□ in 1999 above combined in 22hrs!
■ still must be able to recognize plaintext
■ now considering alternatives to DES

Strength of DES – Timing Attacks

■ attacks actual implementation of cipher
■ use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
■ specifically use fact that calculations can take varying times depending on the value of the inputs to it

Strength of DES – Analytic Attacks

■ now have several analytic attacks on DES
■ these utilise some deep structure of the cipher
□ by gathering information about encryptions
□ can eventually recover some/all of the sub-key bits
□ if necessary then exhaustively search for the rest
■ generally these are statistical attacks
■ include
□ differential cryptanalysis
□ linear cryptanalysis
□ related key attacks


Differential Cryptanalysis

■ one of the most significant recent (public) advances in cryptanalysis
■ known in 70's with DES design
■ Murphy, Biham & Shamir published 1990
■ powerful method to analyse block ciphers
■ used to analyse most current block ciphers with varying degrees of success
■ DES reasonably resistant to it
■ Differential Cryptanalysis compares two related pairs of encryptions


Differential Cryptanalysis Compares Pairs of Encryptions

■ Differential cryptanalysis is complex
■ with a known difference in the input
■ searching for a known difference in output

Differential Cryptanalysis

■ have some input difference giving some output difference with probability p
■ if find instances of some higher probability input / output difference pairs occurring
■ can infer subkey that was used in round
■ then must iterate process over many rounds

Linear Cryptanalysis

■ another recent development
■ also a statistical method
■ based on finding linear approximations to model the transformation of DES
■ can attack DES with $2^{47}$ known plaintexts, still in practice infeasible

Criteria for S-Boxes

■ No output of any S-Box is too close to a linear function of the input bits
■ Each row of an S-Box includes all 16 possible output bit combinations
■ If two inputs to an S-box differ in one bit, the output bits differ in at least two bits
■ If two inputs differ in the two middle bits, outputs must differ in at least two bits
■ Defend against differential analysis and provide good confusion properties
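The S1 lookup worked through on the Substitution Boxes slide, and three of the criteria listed above checked mechanically over all 64 inputs, as an added example that is not part of the original slides. The table is the standard DES S1 from FIPS PUB 46 (the slides' Table 3.3 is not reproduced in this extract), and the function names are illustrative.

```python
# Standard DES S-box S1 (FIPS PUB 46): 4 rows x 16 columns of 4-bit values.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(sbox, six_bits):
    # Outer bits 1 and 6 select the row, inner bits 2-5 select the column.
    row = ((six_bits >> 4) & 0b10) | (six_bits & 0b1)
    col = (six_bits >> 1) & 0b1111
    return sbox[row][col]

def hamming(a, b):
    # Number of bit positions in which a and b differ.
    return bin(a ^ b).count("1")

def min_output_change(sbox, input_delta):
    # Smallest output difference over all 64 inputs for a fixed input difference.
    return min(hamming(sbox_lookup(sbox, x), sbox_lookup(sbox, x ^ input_delta))
               for x in range(64))

def check_criteria(sbox):
    # The non-linearity criterion is not checked here; it needs a
    # correlation analysis rather than a simple scan.
    return {
        # each row includes all 16 possible output values
        "rows_are_permutations": all(sorted(r) == list(range(16)) for r in sbox),
        # inputs differing in one bit give outputs differing in >= 2 bits
        "min_change_one_bit": min(min_output_change(sbox, 1 << b) for b in range(6)),
        # inputs differing in the two middle bits (3 and 4) likewise
        "min_change_middle_bits": min_output_change(sbox, 0b001100),
    }

if __name__ == "__main__":
    print(format(sbox_lookup(S1, 0b011001), "04b"))  # the slide's example input
    print(check_criteria(S1))
```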

Block Cipher Design Principles

■ basic principles still like Feistel in 1970’s
■ number of rounds
□ more is better, makes exhaustive search best attack
□ 16 rounds: brute force $2^{55}$
□ differential analysis: $2^{55.1}$

Block Cipher Design Principles

■ function F:
□ provides “confusion”, is nonlinear, avalanche
□ Strict Avalanche Criterion (SAC)
– Any output bit i should change with p=1/2 when any single input bit j is inverted, for all i,j
– Applies to both S-Boxes and the overall F function
■ key schedule
□ No general rule has been discovered
□ complex subkey creation, key avalanche

Modes of Operation

■ block ciphers encrypt fixed size blocks
■ eg. DES encrypts 64-bit blocks, with 56-bit key
■ need way to use in practice, given usually have arbitrary amount of information to encrypt
■ four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
□ DES is the basic building block
■ have block and stream modes

Electronic Codebook Book (ECB)

■ message is broken into independent blocks which are encrypted
■ each block is a value which is substituted, like a codebook, hence name
□ Each DES is a very complex 64-bit to 64-bit substitution
■ each block is encoded independently of the other blocks
$C_i = \mathrm{DES}_{K1}(P_i)$
■ uses: secure transmission of single values
□ Repeated input blocks have same output
□ Not secure for long transmission


Electronic Codebook Book (ECB)

Advantages and Limitations of ECB

■ repetitions in message may show in ciphertext
□ if aligned with message block
□ particularly with data such as graphics
□ or with messages that change very little, which become a code-book analysis problem
■ weakness due to encrypted message blocks being independent
■ main use is sending a few blocks of data

Cipher Block Chaining (CBC)

■ message is broken into blocks
■ but these are linked together in the encryption operation
■ each previous cipher block is chained with current plaintext block, hence name
■ use Initial Vector (IV) to start process
$C_i = \mathrm{DES}_{K1}(P_i \oplus C_{i-1})$
$C_{-1} = IV$
■ uses: bulk data encryption, authentication

Cipher Block Chaining (CBC)

Advantages and Limitations of CBC

■ each ciphertext block depends on all message blocks
■ thus a change in the message affects all ciphertext blocks after the change as well as the original block
■ need Initial Value (IV) known to sender & receiver
□ however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
□ hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message

Cipher FeedBack (CFB)

■ message is treated as a stream of bits
■ added to the output of the block cipher
■ result is fed back for next stage (hence name)
■ standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
□ denoted CFB-1, CFB-8, CFB-64 etc
■ is most efficient to use all 64 bits (CFB-64)
$C_i = P_i \oplus \mathrm{DES}_{K1}(C_{i-1})$
$C_{-1} = IV$
■ uses: stream data encryption, authentication


Cipher FeedBack (CFB)

Advantages and Limitations of CFB

■ appropriate when data arrives in bits/bytes
■ most common stream mode
■ note that the block cipher is used in encryption mode at both ends
■ errors propagate for several blocks after the error
□ Must use over a reliable network channel

Output FeedBack (OFB)

■ message is treated as a stream of bits
■ output of cipher is added to message
■ output is then fed back (hence name)
■ feedback is independent of message
■ can be computed in advance
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(O_{i-1})$
$O_{-1} = IV$
■ uses: stream encryption over noisy channels


Output FeedBack (OFB)

Advantages and Limitations of OFB

■ used when error feedback a problem or where need to do encryptions before message is available
■ superficially similar to CFB
■ but feedback is from the output of cipher and is independent of message
□ Errors do not propagate
■ sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
■ Because the "random" bits are independent of the message, they must never be used more than once
□ (otherwise the 2 ciphertexts can be combined, cancelling these bits)

Counter (CTR)

■ a “new” mode, though proposed early on
■ encrypts counter value rather than any feedback value
■ must have a different key & counter value for every plaintext block (never reused)
$C_i = P_i \oplus O_i$
$O_i = \mathrm{DES}_{K1}(i)$
■ uses: high-speed network encryptions

Counter (CTR)

Advantages and Limitations of CTR

■ efficiency
□ can do parallel encryptions
□ in advance of need
□ good for bursty high speed links
■ random access to encrypted data blocks
□ Do not have to decode from the beginning
■ provable security (good as other modes)
■ but must ensure never reuse key/counter values, otherwise could break (cf OFB)
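The never-reuse rule for OFB and CTR keystreams, CTR's random access and OFB's lack of error propagation, as an added example that is not part of the original slides. `E` is an HMAC-SHA256 stand-in assumed in place of DES_K1 (both modes only run the cipher in the encrypt direction), the counter block is assumed to be a 4-byte nonce followed by a 4-byte block index, and the key, nonce, IV and messages are constructed samples.

```python
import hashlib
import hmac

BLOCK = 8  # DES block size in bytes

def E(key, block):
    # Assumed stand-in for DES_K1(.): a keyed function with 64-bit output.
    # OFB and CTR only run the cipher forwards, so no inverse is needed.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_block(key, nonce, index, data):
    # C_i = P_i xor O_i with O_i = E_K(nonce || i); the same call decrypts.
    return xor(data, E(key, nonce + index.to_bytes(4, "big")))

def ctr(key, nonce, data):
    return b"".join(ctr_block(key, nonce, i // BLOCK, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ofb(key, iv, data):
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        feedback = E(key, feedback)   # O_i = E_K(O_{i-1}), O_{-1} = IV
        out += xor(data[i:i + BLOCK], feedback)
    return bytes(out)

# Constructed sample values, for illustration only.
KEY, NONCE, IV = b"demo-key", b"\x00\x00\x00\x01", b"\x10" * BLOCK
P1 = b"PAY 0000100 USD TO ACCOUNT 12345"
P2 = b"PAY 9999999 USD TO ACCOUNT 67890"

def reuse_cancels_keystream(mode, start):
    # Two messages under the same key and the same counter/IV:
    # C1 xor C2 equals P1 xor P2, with no key material left in it.
    c1, c2 = mode(KEY, start, P1), mode(KEY, start, P2)
    return xor(c1, c2) == xor(P1, P2)

def ctr_random_access(index):
    # Decrypt one block from the middle without touching earlier blocks.
    ct = ctr(KEY, NONCE, P1)
    return ctr_block(KEY, NONCE, index, ct[index * BLOCK:(index + 1) * BLOCK])

def ofb_damage_from_bit_error():
    # Flip one ciphertext bit in transit; count plaintext bits that change.
    ct = bytearray(ofb(KEY, IV, P1))
    ct[3] ^= 0x01
    return sum(bin(b).count("1") for b in xor(ofb(KEY, IV, bytes(ct)), P1))

if __name__ == "__main__":
    print(reuse_cancels_keystream(ctr, NONCE), reuse_cancels_keystream(ofb, IV))
    print(ctr_random_access(2), ofb_damage_from_bit_error())
```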

Summary

■ have considered:
□ block cipher design principles
□ DES
– details
– strength
□ Differential & Linear Cryptanalysis
□ Modes of Operation
– ECB, CBC, CFB, OFB, CTR


Thank you
for your attention!
Johannes Sianipar
