Unit-2 - DES

The document discusses stream ciphers and block ciphers, providing examples of each. It then describes the motivation for and structure of the Feistel cipher, including its use of diffusion, confusion, and substitution permutation networks. Key elements of Feistel cipher design like block size, key size, number of rounds, and subkey generation are also covered.

Uploaded by

kalathiyad7

Block Ciphers and Data Encryption Standard (DES)

Stream ciphers and Block ciphers
- A stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. the Vernam cipher.
- A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
- Typically, a block size of 64 or 128 bits is used.

| Stream cipher | Block cipher |
|---|---|
| It encrypts the message bit by bit or byte by byte. | It encrypts the message block by block. |
| Key cannot be reused. | Key can be reused. |
| Cryptanalysis is easy compared to block cipher. | Cryptanalysis is difficult compared to stream cipher. |
| It is faster than block cipher. | It is slower than stream cipher. |
| It is better to use in browser. | It is better to use for file transfer, email, database. |
| E.g. RC4 | E.g. DES |

Motivation for the Feistel cipher structure
- A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits.
- There are 2^n possible different plaintext blocks and, for the encryption to be reversible (i.e., for decryption to be possible), each must produce a unique ciphertext block. Such a transformation is called reversible, or nonsingular.
- For n = 2, compare the two mappings below. The first is reversible; the second is not, because plaintexts 10 and 11 both produce ciphertext 01.

| Plaintext | Ciphertext | Plaintext | Ciphertext |
|---|---|---|---|
| 00 | 11 | 00 | 11 |
| 01 | 10 | 01 | 10 |
| 10 | 00 | 10 | 01 |
| 11 | 01 | 11 | 01 |

Ideal Block Cipher

[Figure: general substitution cipher for n = 4]

- The above figure illustrates the logic of a general substitution cipher for n = 4.
- A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits. This is known as the ideal block cipher.

Encryption and decryption tables for the substitution cipher of the above figure (left pair: encryption, right pair: decryption):

| Plaintext | Ciphertext | Ciphertext | Plaintext |
|---|---|---|---|
| 0000 | 1110 | 0000 | 1110 |
| 0001 | 0100 | 0001 | 0011 |
| 0010 | 1101 | 0010 | 0100 |
| 0011 | 0001 | 0011 | 1000 |
| 0100 | 0010 | 0100 | 0001 |
| 0101 | 1111 | 0101 | 1100 |
| 0110 | 1011 | 0110 | 1010 |
| 0111 | 1000 | 0111 | 1111 |
| 1000 | 0011 | 1000 | 0111 |
| 1001 | 1010 | 1001 | 1101 |
| 1010 | 0110 | 1010 | 1001 |
| 1011 | 1100 | 1011 | 0110 |
| 1100 | 0101 | 1100 | 1011 |
| 1101 | 1001 | 1101 | 0010 |
| 1110 | 0000 | 1110 | 0000 |
| 1111 | 0111 | 1111 | 0101 |

Limitations of the ideal block cipher
- If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. Such systems are vulnerable to a statistical analysis of the plaintext.
- However, the ideal block cipher for a large block size is not practical from an implementation and performance point of view.

Diffusion and Confusion
- The terms diffusion and confusion were introduced by Claude Shannon.
- Shannon's concern was to prevent cryptanalysis based on statistical analysis.

| Diffusion | Confusion |
|---|---|
| Seeks to make the statistical relationship between plaintext and ciphertext as complex as possible. | Seeks to make the statistical relationship between ciphertext and encryption key as complex as possible. |
| Achieved by having each ciphertext digit be affected by many plaintext digits. | Achieved by the use of a complex substitution algorithm. |
| Modern transposition ciphers take in N bits and permute them using lookup tables called P-boxes. | Modern substitution ciphers take in N bits and substitute N bits using lookup tables called S-boxes. |
| "Diffusion" = Transposition | "Confusion" = Substitution |
| abcd -> dacb | a -> b |
| DES | Caesar cipher |

Substitution Permutation Network (SPN) Ciphers
- Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper.
- An S-P network is a product cipher composed of a number of stages, each involving substitutions and permutations.
- Encryption and decryption are easy to implement in hardware.

The Feistel cipher
- Feistel proposed using the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final resulting cipher is cryptographically stronger than any of the component ciphers.
- If S1: A → B and S2: B → C are ciphers, then S = S1 × S2 : A → C.

Feistel cipher structure
- The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
- The plaintext block is divided into two halves, L_0 and R_0.
- The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block.
- Each round i has inputs L_{i-1} and R_{i-1}, derived from the previous round, as well as a subkey K_i, derived from the overall K.
- In general, the subkeys K_i are different from K and from each other.

- All rounds have the same structure.
- A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The function has the same general structure for each round but is parameterized by the round subkey K_i.
- Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data.
- This structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.

Feistel Cipher Design Elements

Block size
- Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm.
- The greater security is achieved by greater diffusion. Traditionally, a block size of 64 bits has been considered a reasonable tradeoff and was nearly universal in block cipher design.
- However, the new AES uses a 128-bit block size.

Key size
- Larger key size means greater security but may decrease encryption/decryption speed.
- The greater security is achieved by greater resistance to brute-force attacks and greater confusion.
- Key sizes of 64 bits or less are now widely considered to be insufficient, and 128 bits has become a common size.

Number of rounds
- The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security.
- A typical size is 16 rounds.

Subkey generation algorithm
- Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.

Round function
- Greater complexity generally means greater resistance to cryptanalysis.

Feistel Encryption Decryption Algorithm

- Let F be the round function and K_0, K_1, K_2, ..., K_n be the subkeys for the rounds 0, 1, 2, ..., n respectively.
- Basic operation: split the plaintext block into two equal pieces, (L_0, R_0), and for each round i = 0, 1, 2, ..., n compute

  L_{i+1} = R_i
  R_{i+1} = L_i ⊕ F(R_i, K_i)

- Then the ciphertext is (R_{n+1}, L_{n+1}).
- Commonly, the two halves are not switched after the last round.
- Decryption of a ciphertext (R_{n+1}, L_{n+1}) is accomplished by computing, for i = n, n-1, ..., 0,

  R_i = L_{i+1}
  L_i = R_{i+1} ⊕ F(L_{i+1}, K_i)

- Then (L_0, R_0) is the plaintext again.
- One advantage of this model is that the round function F does not have to be invertible, and can be very complex.
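
The round equations above, as an added Python example that is not part of the original slides: a toy Feistel network whose round function is deliberately many-to-one, yet decryption still recovers the plaintext, and a one-round run shows why a single round is inadequate. The 64-bit block, the SHA-256-based round function and `make_subkeys` are assumptions chosen for the demonstration; this is not DES and not a secure cipher.

```python
import hashlib

HALF = 4  # bytes per half: a constructed 64-bit toy block


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(right, subkey):
    """F(R_i, K_i). Drops the low bit of R and hashes, so it is many-to-one."""
    masked = right[:-1] + bytes([right[-1] & 0xFE])
    return hashlib.sha256(subkey + masked).digest()[:HALF]


def make_subkeys(key, rounds):
    """Hypothetical subkey schedule for the demo: one hash output per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def feistel(block, subkeys):
    """Run the rounds, then emit the halves swapped: (R, L)."""
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # L_{i+1} = R_i ;  R_{i+1} = L_i XOR F(R_i, K_i)
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt(block, key, rounds=16):
    return feistel(block, make_subkeys(key, rounds))


def decrypt(block, key, rounds=16):
    # Same network, subkeys in reverse order; F itself is never inverted.
    return feistel(block, make_subkeys(key, rounds)[::-1])


if __name__ == "__main__":
    key, plaintext = b"constructed key", b"8 bytes!"  # constructed sample input
    ct = encrypt(plaintext, key)
    print(ct.hex(), decrypt(ct, key))
    # With a single round, the right half of the plaintext leaks unchanged.
    print(encrypt(plaintext, key, rounds=1)[HALF:] == plaintext[HALF:])
```
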

Data Encryption Standard - History
- The most widely used encryption scheme is based on the Data Encryption Standard (DES), adopted in 1977 by the National Bureau of Standards, now the National Institute of Standards and Technology (NIST).
- In the late 1960s, IBM set up a research project in computer cryptography led by Horst Feistel.
- The project concluded in 1971 with the development of an algorithm with the designation LUCIFER, which was sold to a London company for use in a cash-dispensing system, also developed by IBM.
- LUCIFER is a Feistel block cipher that operates on blocks of 64 bits, using a key size of 128 bits.

- Because of the promising results produced by the LUCIFER project, IBM embarked on an effort to develop a marketable commercial encryption product that ideally could be implemented on a single chip.
- The effort was headed by Walter Tuchman and Carl Meyer, and it involved not only IBM researchers but also outside consultants and technical advice from NSA.
- The outcome of this effort was a refined version of LUCIFER that was more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip.
- In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national cipher standard.
- IBM submitted the results of its Tuchman-Meyer project. This was by far the best algorithm proposed and was adopted in 1977 as the Data Encryption Standard.

DES Overview
- At the basic level, the algorithm is nothing more than a combination of the two basic techniques of encryption: confusion and diffusion.
- An initial permutation is followed by rounds of substitution and permutation on the text, based on the key. There are 16 such rounds.
- It employs standard repetitions of arithmetic/logical operations on numbers of 64 bits and is suitable for chip implementation.

- DES encrypts 64-bit data using a 56-bit key.
- Keys: 64 bits, but actually 56 bits; every 8th bit is parity and is ignored.
- Blocks: 64-bit blocks in and out, composed of bits numbered from left to right, i.e., the leftmost bit of a block is bit one.

DES Encryption
- Initial permutation: X = IP(M)
- Inverse initial permutation (IP^{-1}): Y = IP^{-1}(X) = IP^{-1}(IP(M))

Details of Single Round of DES Algorithm

[Figure: internal structure of a single round]

- The above figure shows the internal structure of a single round.
- The left and right halves of each 64-bit intermediate value are treated as separate 32-bit quantities, labeled L (left) and R (right).
- The round key K_i is 48 bits.
- The R input is first expanded to 48 bits by using a table that defines a permutation plus an expansion that involves duplication of 16 of the R bits.

- Expansion permutation table (E-table)
- Permutation function (P)
- Substitution (S-box): the substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.

S-Boxes
- The first and last bits of the input to an S-box form a 2-bit binary number that selects one of the four substitutions defined by the four rows in the table for that S-box.
- The middle four bits select one of the sixteen columns.
- The decimal value in the cell selected by the row and column is then converted to its 4-bit representation to produce the output.

Example:
- Input: 011001
- First and last bits: 01 = row 1
- Middle four bits: 1100 = column 12
- The value in row 1, column 12 is 9, so the output is 1001.

Key Generation
- A 64-bit key is used as input to the algorithm.
- The bits of the key are numbered from 1 through 64; every eighth bit is ignored.
- Permuted choice one (PC-1)

- The resulting 56-bit key from PC-1 is then treated as two 28-bit quantities, labeled C_0 and D_0.
- At each round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift of 1 or 2 bits, governed by the following table.
- These shifted values serve as input to the next round.
- They also serve as input to the permuted choice two (PC-2) table.

The Strength of DES

The use of 56-bit keys
- With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Thus, on the face of it, a brute-force attack appears impractical.
- As far back as 1977, Diffie and Hellman postulated that the technology existed to build a parallel machine with 1 million encryption devices, each of which could perform one encryption per microsecond.
- The authors estimated that the cost would be about $20 million in 1977.
- DES was finally and definitively proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose “DES Crackers” machine that was built for less than $250,000.

The nature of the DES algorithm
- Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm.
- The focus of concern has been on the eight substitution tables (S-boxes) that are used in each iteration.
- Because the design criteria for these boxes, and indeed for the entire algorithm, were not made public, there is a suspicion that the boxes were constructed in such a way that cryptanalysis is possible for an adversary who knows the weakness in the S-boxes.
- This claim is intriguing, and over the years a number of regularities and unexpected behaviors of the S-boxes have been discovered.
- Even so, no one has so far succeeded in discovering the supposed fatal weaknesses in the S-boxes.

Timing Attacks
- A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts.
- A timing attack exploits the fact that an encryption or decryption algorithm often takes slightly different amounts of time on different inputs.
- DES appears to be fairly resistant to a successful timing attack.

Linear Cryptanalysis Attack
- This attack is based on finding linear approximations to describe the transformations performed in DES.
- Linear cryptanalysis is usually a known-plaintext attack.
- For example, the following equation states that the XOR sum of the first and third plaintext bits and the first ciphertext bit is equal to the second bit of the key:
- This attack is generally not practical because it needs 2^43 known plaintexts to find a DES key.

Differential Cryptanalysis Attack
- It is the study of how differences in information input can affect the resultant difference at the output.
- Differential cryptanalysis is usually a chosen-plaintext attack.
- The basic method uses pairs of plaintexts related by a constant difference. The attacker then computes the differences of the corresponding ciphertexts, hoping to detect statistical patterns in their distribution.
- This attack is generally not practical because it needs 2^47 chosen plaintexts to find a DES key.

Number of Rounds
- The greater the number of rounds, the more difficult it is to perform cryptanalysis.
- The number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack.
- It is observed that if DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force key search.
- But for 16-round DES, a differential cryptanalysis attack is slightly less efficient than brute force. The differential cryptanalysis attack requires 2^55.1 operations, whereas brute force requires 2^55.

Key Schedule Algorithm
- With any Feistel block cipher, one key is used to generate one subkey for each round.
- We should select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key.

Design of function F
The algorithm of F should have good avalanche properties.
- Avalanche effect: a desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext.
- Strict Avalanche Criterion (SAC): it states that output bit j should change with probability 1/2 when any single input bit i is inverted, for all i and j.
- Bit Independence Criterion (BIC): it states that output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.
- S-box design: larger S-boxes are more resistant to differential and linear cryptanalysis. On the other hand, the larger the dimension, the larger the lookup table.
- Thus, for practical reasons, a limit on the dimension of about 8 to 10 is usually imposed.
