Module 2 Block Cipher

Cipher encryption notes

Uploaded by

veweta7491
Block Ciphers and Data Encryption Standard, Block Cipher modes
Groups Contd
• A group is said to be abelian if it satisfies the
following additional condition: (A5) Commutative:
a*b=b*a for all a, b in G.

• A group G is cyclic if every element of G is a power a^k
(k is an integer) of a fixed element a ∈ G. The
element a is said to generate the group G or to be a
generator of G. A cyclic group is always abelian and
may be finite or infinite.
Rings
• A field F, sometimes denoted by {F, +, * }, is a
set of elements with two binary operations,
called addition and multiplication, such that
for all a, b, c in F the following axioms are
obeyed.
• Multiplicative inverse: For each a in F, except
0, there is an element a^-1 in F such that a · a^-1 =
(a^-1) · a = 1
Modern Block Ciphers

• most widely used types of cryptographic algorithms
• provide secrecy/authentication services
• focus on DES (Data Encryption Standard)


Stream cipher

• A stream cipher encrypts plaintext
– one byte at a time
– or one bit at a time

• Classical stream ciphers are the Vigenère and Vernam ciphers.
Structure
• The key is input to a pseudorandom bit generator.
• The pseudorandom stream is generated by an algorithm but is
unpredictable without knowledge of the input key.
• The output of the generator is called a key stream.
• The key stream is combined one byte at a time with the plaintext
stream using XOR.


Stream Cipher Structure
• For example, if the next byte generated by the generator is
01101100
• and the next plaintext byte is
11001100
• then the resulting cipher text byte is:
10100000
• Decryption requires the use of the same pseudorandom sequence:
10100000 cipher text
01101100 key stream
11001100 plaintext
1. The encryption sequence should have a large period.

A pseudorandom number generator uses a function that
produces a deterministic stream of bits that eventually
repeats.

The longer the period of repeat, the more difficult it will be to
do cryptanalysis.
2. The key stream should approximate the properties of a true random number
stream as closely as possible.

For example, there should be an approximately equal number of 1s
and 0s.

The more random-appearing the key stream is, the more randomized the
cipher text is, making cryptanalysis more difficult.
3. The output of the pseudorandom number generator is
conditioned on the value of the input key.

To guard against brute-force attacks, the key needs to be
sufficiently long.

The same considerations apply for block ciphers.

Thus, with current technology, a key length of at least 128
bits is desirable.
• The primary advantage of a stream cipher is that stream ciphers
– are almost always faster
– and use far less code than do block ciphers.

• RC4 can be implemented in just a few lines of code.
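The structure described above (key into a generator, key stream out, XOR with the plaintext) written out with RC4, the cipher named in the last bullet. This is an added example, not part of the original slides; the function names are illustrative, and the key/plaintext pair is the commonly published RC4 test vector.

```python
def rc4_keystream(key):
    """Generator yielding RC4 key stream bytes for `key` (bytes, 1..256 long)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    # Key scheduling: permute the 256-byte state S under control of the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # Pseudorandom generation: one key stream byte per step.
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key, data):
    """XOR data with the key stream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def ones_fraction(key, nbytes=4096):
    """Fraction of 1 bits in the first nbytes of key stream (design rule 2)."""
    ks = rc4_keystream(key)
    ones = sum(bin(next(ks)).count("1") for _ in range(nbytes))
    return ones / (8 * nbytes)


def xor_bits(a, b):
    """XOR two equal-length bit strings, as in the one-byte example above."""
    return format(int(a, 2) ^ int(b, 2), "0{}b".format(len(a)))


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())                            # ciphertext for the test vector
    print(rc4(b"Key", ct))                     # same key stream recovers the plaintext
    print(xor_bits("01101100", "11001100"))    # key stream byte XOR plaintext byte
    print(round(ones_fraction(b"Key"), 3))     # balance of 1s and 0s
```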


Block vs Stream Ciphers
Block Cipher Principles
• Symmetric block ciphers are based on a Feistel cipher
structure.
• Block ciphers: a block of plaintext is treated as a whole and
ciphertext of equal length is produced.
• Block size (bits): 64, 128, ...

• Applicable to a broader range of applications.

• The majority of network-based symmetric applications use block
ciphers.
Motivation for Feistel Cipher
Structure
1. Reversible mapping
2. Irreversible mapping
3. The disadvantage of reversible mapping is that as the
plaintext block size increases, the key length
increases exponentially. Typically, for a 64-bit plaintext block the
key size is 64 × 2^64.
4. Feistel suggested an approximation to this ideal block cipher
system that is easily realizable.
The Feistel Cipher

Feistel proposed an approximation of the simple substitution cipher
by utilizing the concept of a product cipher, which is the execution
of two or more basic ciphers in sequence in such a way that the
final result or product is cryptographically stronger than any of
the component ciphers.
Essence of the approach: a block cipher with a key of k bits and a block
of n bits, allowing a total of 2^k possible transformations.
Feistel proposed alternating substitution and permutation.
• This is a practical application of a proposal by Claude Shannon
to develop a product cipher that alternates confusion and
diffusion functions.
• In diffusion, the statistical structure of the plaintext is dissipated
into long-range statistics of the ciphertext. This is achieved by
having each plaintext digit affect the value of many ciphertext
digits, which is equivalent to saying that each ciphertext digit is
affected by many plaintext digits.

• Confusion seeks to make the relationship between the statistics of
the ciphertext and the value of the encryption key as complex as
possible, again to thwart attempts to discover the key. Thus, even
if the attacker can get some handle on the statistics of the
ciphertext, the way in which the key was used to produce that
ciphertext is so complex as to make it difficult to deduce the key.
The inputs to the encryption algorithm are a plaintext
block of length 2w bits and a key K.

The plaintext block is divided into two halves, L_0 and R_0.
The two halves of the data pass through n rounds of
processing and then combine to produce the ciphertext
block.

Each round i has as inputs L_{i-1} and R_{i-1}, derived from the
previous round, as well as a subkey K_i, derived from the
overall K. In general, the subkeys K_i are different from K
and from each other.
• Substitution is performed on the left half of the data. This is
done by applying a round function F to the right half of the
data and then taking the exclusive-OR of the output of that
function and the left half of the data. The round function has
the same general structure.

• Permutation is performed that consists of the interchange of
the two halves of the data. This structure is a particular form
of the substitution-permutation network (SPN) proposed by
Shannon.
• Decryption with a Feistel cipher is essentially the same as
the encryption process.

• Use the cipher text as input to the algorithm, but use
the subkeys K_i in reverse order. That is, use K_n in the
first round, K_{n-1} in the second round, and so on until K_1
is used in the last round.

• This is a nice feature because it means we need not
implement two different algorithms, one for encryption
and one for decryption.
We use the notation LE_i and RE_i for data traveling through
the encryption algorithm and LD_i and RD_i for data traveling
through the decryption algorithm.

The diagram indicates that, at every round, the
intermediate value of the decryption process is equal to the
corresponding value of the encryption process with the two
halves of the value swapped.
Feistel Cipher Design Elements
• Block size
– 64 bit – larger block – greater security – greater diffusion
– Reduces encryption/decryption speed
• Key size
– 68 bits or 128 bits
– Larger key size – greater security
– but reduces encryption/decryption speed
• Number of rounds
– Multiple rounds – greater security
– 16 rounds
• Subkey generation algorithm – greater complexity – greater
resistance to cryptanalysis
• Round function F – greater complexity – greater resistance to
cryptanalysis
Design Features of Feistel Network

• Fast software encryption/decryption: the speed of
execution of the algorithm is important.
• Ease of analysis: to be able to develop a higher level
of assurance as to its strength.
Let the output of the ith encryption round be LE_i || RE_i;
equivalently, RD_{16-i} || LD_{16-i}.

After the last iteration of the encryption process, the two halves
of the output are swapped, so that the cipher text is RE_16 || LE_16.
The output of that round is the cipher text. Now take the cipher
text and use it as input to the same algorithm. The input to the
first round is RE_16 || LE_16, which is equal to the 32-bit swap of the
output of the sixteenth round of the encryption process.
LE_16 = RE_15
RE_16 = LE_15 ⊕ F(RE_15, K_16)
The cipher text is RE_16 || LE_16.
On the decryption side,
LD_0 = RE_16
RD_0 = LE_16
LD_1 = RD_0 = LE_16 = RE_15
RD_1 = LD_0 ⊕ F(RD_0, K_16)
     = RE_16 ⊕ F(RE_15, K_16)
     = [LE_15 ⊕ F(RE_15, K_16)] ⊕ F(RE_15, K_16)
     = LE_15
The XOR has the following properties:
[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]
D ⊕ D = 0
E ⊕ 0 = E
We have LD_1 = RE_15 and RD_1 = LE_15. Therefore the output of the
first round of the decryption process is RE_15 || LE_15, which is the 32-bit
swap of the input to the sixteenth round of the encryption.
For the ith iteration of the encryption algorithm:
LE_i = RE_{i-1}
RE_i = LE_{i-1} ⊕ F(RE_{i-1}, K_i)
Rearranging terms,
RE_{i-1} = LE_i
LE_{i-1} = RE_i ⊕ F(RE_{i-1}, K_i) = RE_i ⊕ F(LE_i, K_i)
The output of the last round of the decryption process is RE_0 ||
LE_0. A 32-bit swap recovers the original plaintext,
demonstrating the validity of the Feistel decryption process.
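A runnable sketch of the derivation above, added here and not part of the original slides: a 16-round Feistel network over 64-bit blocks that decrypts by running the same routine with the subkeys reversed, and checks that the decryption halves at round i equal the encryption halves at round 16-i, swapped. The round function F and the key schedule are stand-ins built from SHA-256 (assumptions, not those of DES), which also shows that F itself need not be invertible.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def F(right, subkey):
    """Stand-in round function (assumption): 32 bits of SHA-256(right || subkey)."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def subkeys(key):
    """Toy key schedule (assumption): K_i = first 32 bits of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]


def feistel(block, round_keys, trace=None):
    """Run all rounds on a 64-bit block, then swap the halves.
    Each round: L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        left, right = right, left ^ F(right, k)
        if trace is not None:
            trace.append((left, right))
    return (right << 32) | left            # output is R_16 || L_16


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])   # same routine, K_16 used first


def halves_mirror(block, key):
    """True if (LD_i, RD_i) == (RE_{16-i}, LE_{16-i}) for every round i."""
    ks = subkeys(key)
    enc, dec = [], []
    ct = feistel(block, ks, enc)
    feistel(ct, ks[::-1], dec)
    enc = [(block >> 32, block & MASK32)] + enc     # index 0 holds (LE_0, RE_0)
    return all(dec[i - 1] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(1, ROUNDS + 1))


if __name__ == "__main__":
    key, pt = b"constructed-key", 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(pt, key)
    print(hex(ct), hex(decrypt(ct, key)), halves_mirror(pt, key))
```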
The Data Encryption Standard
The most widely used encryption scheme is based on the Data
Encryption Standard (DES), adopted in 1977 by the National
Bureau of Standards.

Data are encrypted in 64-bit blocks using a 56-bit key.

The algorithm transforms a 64-bit input in a series of steps
into a 64-bit output. The same steps, with the same key, are
used to reverse the encryption.
History:
LUCIFER is a Feistel block cipher that operates on blocks of 64 bits,
using a key size of 128 bits, designed by Horst Feistel as part of a
research project at IBM.

• IBM designed a cipher that was a refined commercial version of
LUCIFER, more resistant to cryptanalysis but with a
reduced key size of 56 bits to fit on a single chip.

• NBS issued a request for proposals for a national cipher
standard. IBM submitted the results of its Tuchman-Meyer
project. This algorithm was adopted in 1977 as the Data
Encryption Standard.

• The key length in IBM's original LUCIFER algorithm was 128
bits, but that of the proposed system was only 56 bits, an
enormous reduction in key size of 72 bits.
• Critics feared that this key length was too short to withstand
brute-force attacks.

• The second area of concern was that the design criteria for the
internal structure of DES, the S-boxes, were classified. Thus,
users could not be sure that the internal structure of DES was
free of any hidden weak points that would enable NSA to
decipher messages without benefit of the key.
• DES has flourished and is widely used, especially in financial
applications.
• NIST reaffirmed DES for federal use for another five years.
DES
Looking at the left-hand side of the figure, we can see
that the processing of the plaintext proceeds in three
phases.

• First, the 64-bit plaintext passes through an initial
permutation (IP) that rearranges the bits to produce
the permuted input.

• This is followed by a phase consisting of 16 rounds of
the same function, which involves both permutation
and substitution functions.
• Finally, the preoutput is passed through a
permutation (IP^-1) that is the inverse of the initial
permutation function, to produce the 64-bit
ciphertext.

• With the exception of the initial and final
permutations, DES has the exact structure of a Feistel
cipher, as shown in the figure.

• The right-hand portion of the figure shows the way in
which the 56-bit key is used.
• Initially, the key is passed through a permutation function.

• Then, for each of the 16 rounds, a subkey (K_i) is produced
by the combination of a left circular shift and a
permutation.

• The permutation function is the same for each round, but
a different subkey is produced because of the repeated
iteration of the key bits.
INITIAL PERMUTATION

• The initial permutation and its inverse are defined by tables, as
shown.
• The tables are to be interpreted as follows.
• The input to a table consists of 64 bits numbered from 1 to 64.
• The 64 entries in the permutation table contain a
permutation of the numbers from 1 to 64.
• Each entry in the permutation table indicates the
position of a numbered input bit in the output, which
also consists of 64 bits.

• To see that these two permutation functions are indeed
the inverse of each other, consider the following 64-bit
input M:

• where M_i is a binary digit. Then the permutation
X = IP(M) is as follows:

• If we then take the inverse permutation Y = IP^-1(X) = IP^-1(IP(M)),
it can be seen that the original ordering of the
bits is restored.
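The inverse relationship described above, checked in code (an added example, not from the original slides). IP is generated from the regular pattern of the standard table, IP^-1 is derived from it rather than typed in, and the 64-bit input is a constructed sample value; the function names are illustrative.

```python
# IP table with 1-based bit positions: the eight rows start at
# 58, 60, 62, 64, 57, 59, 61, 63 and each row steps down by 8.
IP = [start - 8 * c for start in (58, 60, 62, 64, 57, 59, 61, 63)
      for c in range(8)]


def invert(table):
    """Derive the inverse table: if output position i takes input bit table[i],
    the inverse must take the bit at position i back to position table[i]."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


IP_INV = invert(IP)


def permute(block, table, width=64):
    """Apply a DES-style table to an integer; bit 1 is the most significant bit."""
    out = 0
    for in_pos in table:
        out = (out << 1) | ((block >> (width - in_pos)) & 1)
    return out


if __name__ == "__main__":
    M = 0x0123456789ABCDEF                  # constructed sample input
    X = permute(M, IP)
    Y = permute(X, IP_INV)
    print(IP_INV[:8])                       # first row of the derived IP^-1 table
    print(hex(X), hex(Y), Y == M)
```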
DETAILS OF SINGLE ROUND

• Figure shows the internal structure of a single round.

• Again, begin by focusing on the left-hand side of the
diagram.

• The left and right halves of each 64-bit intermediate value
are treated as separate 32-bit quantities, labeled L (left) and
R (right).
Permutation Tables for DES
• Initial Permutation (IP)
• Inverse Initial Permutation (IP^-1)
• Expansion Permutation (E)
• Permutation Function (P)

• As in any classic Feistel cipher, the overall processing at each
round can be summarized in the following formulas:

L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• The round key K_i is 48 bits.

• The R input is 32 bits.

• This R input is first expanded to 48 bits by using a table
that defines a permutation plus an expansion that
involves duplication of 16 of the R bits.

• The resulting 48 bits are XORed with K_i.

• This 48-bit result passes through a substitution function
that produces a 32-bit output, which is permuted as
defined by Table.
• The role of S-boxes in the function F is shown in fig.

• The substitution consists of a set of eight S-boxes, each of
which accepts 6 bits as input and produces 4 bits as output.

• These transformations are defined in Table, which is
interpreted as follows:

• The first and last bits of the input to box S_i form a 2-bit
binary number to select one of four substitutions defined by the
four rows in the table for S_i.

• The middle four bits select one of the sixteen columns.

• The decimal value in the cell selected by the row and column
is then converted to its 4-bit representation to produce the
output.
Definition of DES S-Boxes
• For example, in Si, for input 011001, the row is 01 (row 1)
and the column is 1100 (column 12). The value in row 1,
column 12 is 9, so the output is 1001.

• Each row of an S-box defines a general reversible
substitution. Figure 3.4 may be useful in understanding the
mapping. The figure shows the substitution for row 0 of
box Si.

• The operation of the S-boxes is worth further comment.
Ignore for the moment the contribution of the key (K_i).

• If you examine the expansion table, you see that the 32 bits
of input are split into groups of 4 bits, and then become
groups of 6 bits by taking the outer bits from the two
adjacent groups.
• For example, if part of the input word is
... efgh ijkl mnop ...
this becomes
... defghi hijklm lmnopq ...

• The outer two bits of each group select one of four possible
substitutions (one row of an S-box).

• Then a 4-bit output value is substituted for the particular 4-bit
input (the middle four input bits).

• The 32-bit output from the eight S-boxes is then permuted,
so that on the next round the output from each S-box
immediately affects as many others as possible.
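The expansion and S-box rules above, as an added example that is not part of the original slides. The E table is generated from the "borrow the neighbouring bits" rule, the S-box is S1 of the DES standard (the table in which row 1, column 12 holds 9, as in the worked example), and the function names and sample bit strings are constructed for illustration.

```python
# Expansion table E, built from its rule: each 4-bit group of R becomes 6 bits
# by borrowing the adjacent bit on each side (positions are 1-based, wrapping).
E = []
for g in range(8):
    E.append((4 * g - 1) % 32 + 1)            # last bit of the previous group
    E.extend(range(4 * g + 1, 4 * g + 5))     # the group's own four bits
    E.append((4 * g + 4) % 32 + 1)            # first bit of the next group

# S-box S1 from the DES standard: 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def expand(symbols):
    """Apply E to a string of 32 symbols; return the eight 6-symbol groups."""
    if len(symbols) != 32:
        raise ValueError("E takes exactly 32 input positions")
    out = [symbols[pos - 1] for pos in E]
    return ["".join(out[i:i + 6]) for i in range(0, 48, 6)]


def sbox_lookup(sbox, six_bits):
    """6 bits in, 4 bits out: outer bits pick the row, middle four the column."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("S-box input must be a 6-bit binary string")
    row = int(six_bits[0] + six_bits[5], 2)
    col = int(six_bits[1:5], 2)
    return format(sbox[row][col], "04b")


def first_sbox_output(r_bits, subkey_bits):
    """First 6-bit group of E(R) XOR K_i, passed through S1."""
    group = expand(r_bits)[0]
    mixed = "".join(str(int(a) ^ int(b)) for a, b in zip(group, subkey_bits[:6]))
    return sbox_lookup(S1, mixed)


if __name__ == "__main__":
    labels = "abcdefghijklmnopqrstuvwxyzABCDEF"       # 32 constructed position labels
    print(expand(labels)[1:4])                        # groups for efgh, ijkl, mnop
    print(sbox_lookup(S1, "011001"))                  # the worked example above
    r = "0110" + "0" * 27 + "1"                       # constructed 32-bit R
    k = "110101" + "0" * 42                           # constructed 48-bit subkey
    print(first_sbox_output(r, k))
```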
DES key Schedule Calculation

• Input Key

• Permuted Choice One (PC-1)

• Permuted Choice Two(PC-2)

• Schedule of Left Shifts


The Avalanche Effect
• A desirable property of any encryption algorithm is that a small
change in either plaintext or the key should produce a significant
change in the cipher text.

• In particular, a change in one bit of the plaintext or one bit of
the key should produce a change in many bits of the cipher text.

• If the change were small, this might provide a way to reduce
the size of the plaintext or key space to be searched.

• DES exhibits a strong avalanche effect. Table shows results


The Strength of DES

The Use of 56-Bit Keys

• With a key length of 56 bits, there are 2^56 possible keys, which is
approximately 7.2 × 10^16 keys.

A brute-force attack appears impractical.

In 1977, Diffie and Hellman postulated that the technology
existed to build a parallel machine with 1 million encryption
devices, each of which could perform one encryption per
microsecond.
This would bring the average search time down to about 10
hours.

Diffie and Hellman estimated that the cost would be about $20
million in 1977.

DES finally was proved insecure in July 1998, when the
Electronic Frontier Foundation (EFF) announced that it had
broken a DES encryption using a special-purpose “DES
cracker” machine that was built for less than $250,000. The
attack took less than three days.
The Nature of the DES Algorithm
• The focus of concern has been on the eight substitution tables,
or S-boxes, that are used in each iteration.
• Because the design criteria for these boxes, and indeed for the
entire algorithm, were not made public, there is a suspicion that
the boxes were constructed in such a way that cryptanalysis is
possible for an opponent who knows the weaknesses in the
S-boxes.
• Over the years a number of regularities and unexpected
behaviors of the S-boxes have been discovered.
• So far no one has succeeded in discovering the supposed fatal
weaknesses in the S-boxes.
Timing Attacks
• timing attack - information about the key or the plaintext is obtained by
observing how long it takes a given implementation to perform
decryptions on various ciphertexts.
• A timing attack exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time on different
inputs.
• Although this is an interesting line of attack, it so far appears unlikely
that this technique will ever be successful against DES or more
powerful symmetric ciphers such as triple DES and AES.
Differential and Linear Cryptanalysis
Differential Cryptanalysis
• The cryptanalysis of a block cipher called FEAL by
Murphy.
• This was followed by a number of papers by Biham and
Shamir, who demonstrated this form of attack on a variety
of encryption algorithms and hash functions.
• Differential cryptanalysis is the first published attack that
is capable of breaking DES in less than 2^55 complexity.
• The scheme, as reported, can successfully cryptanalyze
DES with an effort on the order of 2^47 encryptions,
requiring 2^47 chosen plaintexts.
• Although 2^47 is certainly significantly less than 2^55, the need
for the adversary to find 2^47 chosen plaintexts makes this
attack of only theoretical interest.
[Figure: Differential Propagation through Three Rounds of DES (numbers in hexadecimal)]
Linear Cryptanalysis
• A more recent development is linear cryptanalysis.

• This attack is based on finding linear approximations to
describe the transformations performed in DES.
• This method can find a DES key given 2^43 known
plaintexts, as compared to 2^47 chosen plaintexts for
differential cryptanalysis.
BLOCK CIPHER DESIGN PRINCIPLES
• DES Design Criteria
Design of S-box
