
Lec 4

Uploaded by

Rawan Abubaker
Applied Cryptography

17022522
Block Ciphers and the Data Encryption Standard
Lecture slides by Dr. Eman Daraghmi
Associate Professor
2020 - 2021

Topics To Be Covered

• Block Cipher Principles
• Feistel Structure
• The Data Encryption Standard (DES)
• Key Generation

Part I: Block Ciphers Principles

Traditional Symmetric Ciphers vs. Modern Symmetric Ciphers

Symmetric ciphers
• Traditional cipher (char-oriented): stream cipher, block cipher
• Modern cipher (bit-oriented): block cipher, stream cipher

Block Ciphers vs. Stream Ciphers
• In a block cipher, a block of plaintext is used to produce a ciphertext block of equal length.
• Typically, a block size of 64 or 128 bits is used. The choice of block size does not directly affect the strength of the encryption scheme. The strength of the cipher depends on the key length.
• Padding algorithms could be used if necessary.
• A stream cipher encrypts one bit or one byte at a time. Technically, stream ciphers are block ciphers with a block size of one bit.

Padding Example
How many padding bits must be added to a message of 100 characters if 8-bit
ASCII is used for encoding and the block cipher accepts blocks of 64 bits?

Answer:

Encoding 100 characters using 8-bit ASCII results in an 800-bit message.
The plaintext must be divisible by 64.
If |M| and |Pad| are the length of the message and the length of the padding,

Reversible/Singular Mapping or Transformation
• Reversible encryption = each plaintext block must produce a unique ciphertext block.
• Irreversible encryption = more than one plaintext block may produce the same ciphertext block.

General n-bit-n-bit Block Substitution (n = 4)

Claude Shannon and Substitution-Permutation Ciphers

• Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
• It forms the basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations:
  - substitution (S-box)
  - permutation (P-box)
• They provide confusion & diffusion of message & key
  - diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
  - confusion – makes relationship between ciphertext and key as complex as possible

Components of Modern Cipher
1- P-Boxes (Permutation Boxes): Perform Transposition

2- S-Boxes (Substitution Boxes): Perform Substitution

Components of Modern Cipher
1- Straight P-Boxes: takes n inputs and produces n outputs via permutation.
Example of a 64 × 64 straight P-Box

2- Compression P-Boxes: a P-box with n inputs and m outputs where m < n.
Example of a 32 × 24 Compression P-Box

3- Expansion P-Box: a P-box with n inputs and m outputs where m > n.
Example of a 12 × 16 Expansion P-Box

Components of Modern Cipher - Example
• Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output word. Relative positions of other bits should not be changed.

Part II: Feistel Block Cipher

Feistel Block Cipher

• A Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel.
• Feistel's proposal employs the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.
• It has three types of components: self-invertible, invertible and non-invertible.

Feistel Block Cipher

This is a trivial example. The plaintext and ciphertext are each 4 bits long and the key is 3 bits long. Assume that the function takes the first and third bits of the key, interprets these two bits as a decimal number, squares the number, and interprets the result as a 4-bit binary pattern. Show the results of encryption and decryption if the original plaintext is 0111 and the key is 101.

Solution

The function extracts the first and third bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.

Feistel Cipher Structure - Encryption Process

• The encryption process uses the Feistel structure, consisting of multiple rounds of processing of the plaintext, each round consisting of a "substitution" step followed by a permutation step.
• Partitions the input block into two halves
  - process through multiple rounds which
  - perform a substitution on the left data half
  - based on a round function of the right half & sub key
  - then have a permutation swapping halves
• Implements Shannon's S-P net concept

Feistel Cipher Decryption

The process of decryption with a Feistel cipher is essentially the same as the encryption process.

• The rule is as follows:
  - Use the ciphertext as input to the algorithm, but use the subkeys K_i in reverse order.
  - That is, use K_n in the first round, K_{n-1} in the second round, and so on until K_1 is used in the last round.
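
The decryption rule above, as an added example that is not part of the original slides: a toy Feistel network on 8-bit blocks whose round function is not invertible, yet the cipher decrypts by running the same routine with the subkeys reversed. The subkeys in KEYS and the squaring round function round_fn are constructed for illustration.

```python
# Added example: a toy Feistel network on 8-bit blocks (two 4-bit halves).
# KEYS and round_fn are constructed for illustration; this is not DES.
MASK = 0xF
KEYS = [0x3, 0xA, 0x6]          # constructed round subkeys K1..K3


def round_fn(right, subkey):
    """Non-invertible mixing function: square, keep the low 4 bits."""
    return ((right ^ subkey) ** 2) & MASK


def feistel(block, subkeys):
    left, right = block >> 4, block & MASK
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_fn(right, k)
    # Swap the halves on output so the same routine also decrypts.
    return (right << 4) | left


def encrypt(block, subkeys=KEYS):
    return feistel(block, subkeys)


def decrypt(block, subkeys=KEYS):
    # Same algorithm, subkeys in reverse order (Kn first, K1 last).
    return feistel(block, subkeys[::-1])


def images_of_round_fn(subkey):
    """Distinct outputs of F over all 16 inputs (16 would mean invertible)."""
    return sorted({round_fn(r, subkey) for r in range(16)})


if __name__ == "__main__":
    c = encrypt(0b01110101)
    print(format(c, "08b"), format(decrypt(c), "08b"))
    print("F reaches only", images_of_round_fn(KEYS[0]))
```

The round function reaches only four of the sixteen possible outputs, so it cannot be inverted, but every block still round-trips because each round only XORs F's output into the other half.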

Feistel Cipher Design Elements

• block size: increasing size improves security, but slows cipher
• key size: increasing size improves security, makes key searching harder, but may slow cipher
• number of rounds: increasing number improves security, but slows cipher
• Sub-key generation algorithm: greater complexity can make analysis harder, but slows cipher
• round function: greater complexity can make analysis harder, but slows cipher
• fast software en/decryption: greater complexity can make analysis harder, but slows cipher
• ease of analysis: for easier validation & testing of strength

Part III: Data Encryption Standard (DES)

Data Encryption Standard (DES)

• The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
• DES is an implementation of a Feistel cipher.
• It uses a 16-round Feistel structure.
• The block size is 64 bits. Although the key length is 64 bits, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (they function as check bits only).

DES Design Controversy
• Although the DES standard is public,
• there was considerable controversy over its design
  - in the choice of a 56-bit key (vs Lucifer 128-bit)
  - and because design criteria
• Subsequent events and public analysis show that in fact the design was appropriate
• Use of DES has flourished
  - especially in financial applications
  - still standardised for legacy application use

DES Encryption Process

Two inputs for the algorithm:
1- plaintext: 64 bits
2- a key: 56 bits

DES Encryption Process

• DES is based on three basic phases
  - Initial permutation
  - Permutation and substitution
  - Permutation (inverse of the initial permutation)

(Figure: rounds R1, R2, ..., R16.)

Initial Permutation IP
• The initial and final permutations are straight permutation boxes (P-boxes) that are inverses of each other.
• Rearrange the bits according to the following table, e.g. the 58th bit of the input becomes the first bit after the IP.

Initial Permutation IP Example

• Plaintext
675a6967 5e5a6b5a

Convert it to binary

0110 0111 0101 1010 0110 1001 0110 0111
0101 1110 0101 1010 0110 1011 0101 1010

(Figure: the 64 plaintext bits numbered 1 to 64.)

• Apply the Initial Permutation
1111 1111 1011 0010 0001 1001 0100 1001
0000 0000 0100 1101 1111 0110 1111 1011

Convert to HEX = ffb2194d 004df6fb

IP Example 2
• Consider the following plaintext and apply the IP
0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111
IP =
1100 1100 0000 0000 1100 1100 1111 1111
1111 0000 1010 1010 1111 0000 1010 1010

DES Details of a single Round

1- Dividing the permuted block IP into a left half L0 of 32 bits, and a right half R0 of 32 bits

• Example: From IP, we get L0 and R0
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010

2- Proceeding through 16 iterations, for 1 <= i <= 16, using a function f which operates on two blocks, a data block of 32 bits and a key K_i of 48 bits, to produce a block of 32 bits.
• The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
• L_i = R_{i-1}
• R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)

Example
• Example: For R = 1, we have
K1 = 000110 110000 001011 101111 111111 000111 000001 110010
L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 ⊕ f(R0,K1)

It remains to explain how the function f works.

Round Function Explanation

• Expansion Permutation Box (E(Ri))

Since the right input is 32 bits and the round key is 48 bits, we first need to expand the right input to 48 bits.

Expansion Permutation Box

• The permutation logic is graphically depicted in the following illustration.

Expansion Permutation Box

• The graphically depicted permutation logic is generally described as a table in the DES specification, illustrated as shown.

Example (R0 from previous step)

• R0 = 1111 0000 1010 1010 1111 0000 1010 1010

(Figure: the 32 bits of R0 numbered 1 to 32.)

After Expansion Permutation Box:
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101

Round Function Explanation

• XOR (Whitener)
  - After the expansion permutation, DES does an XOR operation on the expanded right section and the round key.
  - The round key is used only in this operation.
  - Mathematically: K_i + E(R_{i-1})

INPUT     OUTPUT
A   B     A XOR B
0   0     0
0   1     1
1   0     1
1   1     0

XOR (Whitener) Example

Example:

For K1, E(R0), we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101

K1 XOR E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.

Round Function Explanation

• Substitution Boxes:
  - The S-boxes carry out the real mixing (confusion)
  - DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output

Substitution Boxes

• With each group of six bits, DES uses them as addresses in tables called "S boxes".
• Each group of six bits will give us an address in a different S box.
• Located at that address will be a 4-bit number. This 4-bit number will replace the original 6 bits.
• The net result is that the eight groups of 6 bits are transformed into eight groups of 4 bits (the 4-bit outputs from the S boxes) for 32 bits total.

Substitution Boxes

• From the previous result, which is 48 bits, in the form:
K_n + E(R_{n-1}) = B1B2B3B4B5B6B7B8,
where each Bi is a group of six bits.
• We now calculate
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)
where Si(Bi) refers to the output of the i-th S box.

Substitution Boxes
Table for S1 box

• The first and last bits of B represent in base 2 a number in the decimal range 0 to 3 (or binary 00 to 11). Let that number be i.
• The middle 4 bits of B represent in base 2 a number in the decimal range 0 to 15 (binary 0000 to 1111). Let that number be j.
• Look up in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15 and is uniquely represented by a 4-bit block. That block is the output S1(B) of S1 for the input B.

Substitution Boxes

• For input block B = 011011 the first bit is "0" and the last bit "1", giving 01 as the row. This is row 1.
• The middle four bits are "1101". This is the binary equivalent of decimal 13, so the column is column number 13.
• In row 1, column 13 appears 5.
• This determines the output; 5 is binary 0101, so that the output is 0101.
• Hence S1(011011) = 0101.

Substitution Boxes
• The tables defining the functions S1,...,S8 are the following:

Substitution Boxes Example (continued)

• Example: For the first round, we obtain as the output of the eight S boxes:
• K1 + E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.
• S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

Round Function Explanation

• Straight Permutation: the 32-bit output of the S-boxes is then subjected to the straight permutation.
• The permutation P is defined in the following table. P yields a 32-bit output from a 32-bit input by permuting the bits of the input block.

Straight Permutation Example (continued ..)

• Example: From the output of the eight S boxes:
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

we get
f = 0010 0011 0100 1010 1010 1001 1011 1011

Example (continued ..)
The result of the first round
• R1 = L0 XOR f(R0,K1)
     = 1100 1100 0000 0000 1100 1100 1111 1111
     ⊕ 0010 0011 0100 1010 1010 1001 1011 1011
     = 1110 1111 0100 1010 0110 0101 0100 0100
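
The first round traced in the slides (IP, the split into L0 and R0, expansion, whitening with K1, the S1 lookup, P and the final XOR), as an added example that is not part of the original slides. It assumes the standard DES tables for IP, E, P and S1, since the slide images did not survive; S2 to S8 are not embedded, so their outputs for this one input are copied from the slide values above.

```python
# Added example: DES round 1 on the slides' data (plaintext 0123456789ABCDEF).
# Tables are the standard DES ones. S2..S8 are not embedded here, so their
# outputs for this one input are copied from the slide (see constant below).
IP = [r - 8 * c for r in (58, 60, 62, 64, 57, 59, 61, 63) for c in range(8)]
FP = [IP.index(i) + 1 for i in range(1, 65)]      # final permutation = IP inverse
# E repeats the edge bits of each 4-bit group: 32 1 2 3 4 5 | 4 5 6 7 8 9 | ...
E = [(4 * g + o - 1) % 32 + 1 for g in range(8) for o in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]
PLAINTEXT = "0123456789abcdef"
K1 = "000110 110000 001011 101111 111111 000111 000001 110010".replace(" ", "")
S2_TO_S8_FROM_SLIDE = "1100 1000 0010 1011 0101 1001 0111".replace(" ", "")


def permute(bits, table):
    """Output bit i is input bit table[i] (1-based, as in the DES tables)."""
    return "".join(bits[p - 1] for p in table)


def xor(a, b):
    return "".join("01"[x != y] for x, y in zip(a, b))


def sbox(table, six):
    row = int(six[0] + six[5], 2)     # first and last bit select the row
    col = int(six[1:5], 2)            # middle four bits select the column
    return format(table[row][col], "04b")


def hex_to_bits(h):
    return format(int(h, 16), "0%db" % (4 * len(h)))


def bits_to_hex(b):
    return format(int(b, 2), "0%dx" % (len(b) // 4))


def round_one():
    block = permute(hex_to_bits(PLAINTEXT), IP)
    l0, r0 = block[:32], block[32:]
    b = xor(permute(r0, E), K1)                    # whitener: E(R0) XOR K1
    s_out = sbox(S1, b[:6]) + S2_TO_S8_FROM_SLIDE  # S1 computed, rest copied
    f = permute(s_out, P)
    return {"IP": bits_to_hex(block), "B": b, "S1": s_out[:4],
            "f": f, "L1": r0, "R1": xor(l0, f)}


if __name__ == "__main__":
    for name, value in round_one().items():
        print(name, value)
```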

Summary: DES Details of a single Round

• Uses two 32-bit L & R halves
• As for any Feistel cipher, can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• F takes 32-bit R half and 48-bit sub key:
  - expands R to 48 bits using perm E
  - adds to subkey using XOR
  - passes through 8 S-boxes to get 32-bit result
  - finally permutes using 32-bit perm P

Part IV: Creating 16 DES sub keys

Creating 16 DES sub keys

• DES operates on the 64-bit blocks using key sizes of 56 bits.
• The keys are actually stored as being 64 bits long, but every 8th bit in the key is not used (i.e. bits numbered 8, 16, 24, 32, 40, 48, 56, and 64).
• The 64-bit key is permuted according to the following table, PC-1, to produce K+.

PC-1
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

Creating 16 DES sub keys

• Example: Let K be the hexadecimal key K = 133457799BBCDFF1.
• This gives us as the binary key (setting 1 = 0001, 3 = 0011, etc.),
K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
• Applying the key to the PC-1 table, we get the 56-bit permutation
• K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111

Creating 16 DES sub keys

• Next, split this key into left and right halves, C0 and D0, where each half has 28 bits.
• Example: From the permuted key K+, we get
  - C0 = 1111000 0110011 0010101 0101111
  - D0 = 0101010 1011001 1001111 0001111
• With C0 and D0 defined, we now create sixteen blocks C_n and D_n, 1 <= n <= 16.
• Each pair of blocks C_n and D_n is formed from the previous pair C_{n-1} and D_{n-1}, respectively, for n = 1, 2, ..., 16, using the following schedule of "left shifts" of the previous block.
• To do a left shift, move each bit one place to the left, except for the first bit, which is cycled to the end of the block.

Creating 16 DES sub keys

• This means, for example, C3 and D3 are obtained from C2 and D2, respectively, by two left shifts, and C16 and D16 are obtained from C15 and D15, respectively, by one left shift.

Creating 16 DES sub keys

• We now form the keys K_n, for 1 <= n <= 16, by applying the following permutation table to each of the concatenated pairs C_nD_n.
• Each pair has 56 bits, but PC-2 only uses 48 of these.

Creating 16 DES sub keys

• Example: For the first key we have C1D1 = 1110000 1100110 0101010 1011111 1010101 0110011 0011110 0011110
• which, after we apply the permutation PC-2, becomes
• K1 = 000110 110000 001011 101111 111111 000111 000001 110010

Creating 16 DES sub keys

• K2 = 011110 011010 111011 011001 110110 111100 100111 100101
• K3 = 010101 011111 110010 001010 010000 101100 111110 011001
• K4 = 011100 101010 110111 010110 110110 110011 010100 011101
• K5 = 011111 001110 110000 000111 111010 110101 001110 101000
• K6 = 011000 111010 010100 111110 010100 000111 101100 101111
• K7 = 111011 001000 010010 110111 111101 100001 100010 111100
• K8 = 111101 111000 101000 111010 110000 010011 101111 111011
• K9 = 111000 001101 101111 101011 111011 011110 011110 000001
• K10 = 101100 011111 001101 000111 101110 100100 011001 001111
• K11 = 001000 010101 111111 010011 110111 101101 001110 000110
• K12 = 011101 010111 000111 110101 100101 000110 011111 101001
• K13 = 100101 111100 010111 010001 111110 101011 101001 000001
• K14 = 010111 110100 001110 110111 111100 101110 011100 111010
• K15 = 101111 111001 000110 001101 001111 010011 111100 001010
• K16 = 110010 110011 110110 001011 000011 100001 011111 110101

DES Key Schedule
• Forms sub keys used in each round
  - initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
  - 16 stages consisting of:
    - rotating each half separately either 1 or 2 places depending on the key rotation schedule K
    - permuting them by PC2 for use in round function F

DES Decryption

• Decrypt must unwind steps of data computation
• With the Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
  - IP undoes final FP step of encryption
  - 1st round with SK16 undoes 16th encrypt round
  - ….
  - 16th round with SK1 undoes 1st encrypt round
  - then final FP undoes initial encryption IP
  - thus recovering original data value

Analyzing DES

Avalanche Effect

• A desirable property of an encryption algorithm
  - means a small change in the plaintext (or key) should create a significant change in the ciphertext.
  - DES has been proved to be strong with regard to this property.

Avalanche Effect - Example 1:

Avalanche Effect – Example 2
• This table shows a similar test in which a single plaintext is input:
01101000 10000101 00101111 01111010 00010011 01110110 11101011 10100100
• with two keys that differ in only one bit position:
1110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
0110010 1111011 1101111 0011000 0011101 0000100 0110001 11011100
• Results show that about half of the bits in the ciphertext differ and that the avalanche effect is pronounced after just a few rounds.

Summary

• Have considered:
  - block vs stream ciphers
  - Feistel cipher design & structure
  - DES
    - details
    - key generation
    - strength of DES