18CS744 Module 1 Feistel Structure and DES (1)

Uploaded by

Amulbaby Ammu
MODULE 1
BLOCK CIPHERS AND THE DATA ENCRYPTION STANDARD TECHNIQUES

◼ The objective of this chapter is to illustrate the
principles of modern symmetric ciphers.
◼ For this purpose, we focus on the most widely used
symmetric cipher: the Data Encryption Standard
(DES).
◼ A detailed study of DES provides an understanding of
the principles used in other symmetric ciphers.
◼ This chapter begins with a discussion of the general
principles of symmetric block ciphers followed by a
detailed study of DES.
◼ A block cipher is an encryption/decryption scheme
in which a block of plaintext is treated as a whole and
used to produce a ciphertext block of equal length.
◼ Many block ciphers have a Feistel structure. Such a
structure consists of a number of identical rounds of
processing. In each round, a substitution is performed
on one half of the data being processed, followed by
a permutation that interchanges the two halves.
◼ The original key is expanded so that a different key is
used for each round.
◼ The Data Encryption Standard (DES) has been the
most widely used encryption algorithm until
recently. It exhibits the classic Feistel structure.
◼ DES uses a 64-bit block and a 56-bit key.
◼ Two important methods of cryptanalysis are
differential cryptanalysis and linear cryptanalysis.
◼ DES has been shown to be highly resistant to
these two types of attack.
BLOCK CIPHER PRINCIPLES

◼ Many symmetric block encryption algorithms in
current use are based on a structure referred to
as a Feistel block cipher.
◼ For that reason, it is important to examine the
design principles of the Feistel cipher.
◼ We begin with a comparison of stream ciphers
and block ciphers.
◼ Then we discuss the motivation for the Feistel
block cipher structure. Finally, we discuss some
of its implications.
◼ In the ideal case, a one-time pad version of the
Vernam cipher would be used in which the keystream
is as long as the plaintext bit stream.
◼ If the cryptographic keystream is random, then this
cipher is unbreakable by any means other than
acquiring the keystream.
◼ However, the keystream must be provided to both
users in advance via some independent and secure
channel.
◼ This introduces insurmountable logistical problems if
the intended data traffic is very large.
◼ Typically, a block size of 64 or 128 bits is used.
◼ As with a stream cipher, the two users share a
symmetric encryption key.

MOTIVATION FOR THE FEISTEL CIPHER STRUCTURE

◼ A block cipher operates on a plaintext block of n
bits to produce a ciphertext block of n bits.
◼ There are $2^n$ possible different plaintext blocks
and, for the encryption to be reversible (i.e., for
decryption to be possible), each must produce a
unique ciphertext block. Such a transformation
is called reversible, or non-singular.

◼ The following examples illustrate nonsingular and
singular transformations for n = 2.

◼ In the latter case, a ciphertext of 01 could have
been produced by one of two plaintext blocks. So
if we limit ourselves to reversible mappings, the
◼ Figure 3.2 illustrates the logic of a general
substitution cipher for n=4.

◼ A 4-bit input produces one of 16 possible input states,
which is mapped by the substitution cipher into a
unique one of 16 possible output states, each of which
is represented by 4 ciphertext bits.
◼ The encryption and decryption mappings can be
defined by a tabulation, as shown in Table 3.1.
◼ This is the most general form of block cipher and can
be used to define any reversible mapping between
plaintext and ciphertext.
◼ Feistel refers to this as the ideal block cipher, because
it allows for the maximum number of possible
encryption mappings from the plaintext block
Problem with Feistel's ideal block cipher:
◼ The ideal block cipher is like a substitution cipher.
◼ When the block size is small, it is vulnerable to statistical analysis.
◼ For a large block size, implementing and storing the ideal
block cipher is infeasible.
◼ For 4 bits, 16 rows are needed. The required key length is 64
bits (4 bits × 16 rows).
◼ For n bits, the key length is $n \times 2^n$ bits.
◼ For a 64-bit block, which is a desirable length to thwart
statistical attacks, the required key length is
$64 \times 2^{64}$ bits = $2^{70} \approx 10^{21}$ bits.


FEISTEL CIPHER:

◼ The idea is to have a block cipher with k bits in the
key and n bits in a block, so that there are $2^k$ possible
transformations, not $2^n!$.
◼ Feistel suggested alternating substitution and
permutation to produce the ciphertext.

◼ Substitution- Each plaintext element or group of
elements is replaced by a corresponding ciphertext
element or group of elements. Here the replacement
is unique.
◼ Permutation - A sequence of plaintext elements is
replaced by a permutation of that sequence.
◼ That is, no elements are added or deleted or replaced
in the sequence, rather the order in which the
elements appear in the sequence is changed.
◼ Claude Shannon’s 1949 paper has the key ideas
that led to the development of modern block
ciphers.
◼ Critically, it was the technique of layering groups
of S-boxes separated by a larger P-box to form the
S-P network, a complex form of a product cipher.
◼ He also introduced the ideas of confusion and
diffusion, notionally provided by S-boxes and P-
boxes (in conjunction with S-boxes).
DIFFUSION AND CONFUSION

◼ Introduced by Claude Shannon to thwart
cryptanalysis based on statistical analysis.
◼ Assume the attacker has some knowledge of the
statistical characteristics of the plaintext.
◼ Cipher needs to completely obscure statistical
properties of original message.

◼ More practically Shannon suggested combining
elements to obtain:
◼ diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
◼ confusion – makes relationship between
ciphertext and key as complex as possible.

DIFFUSION

◼ The statistical structure of the plaintext is
dissipated into long-range statistics of the
ciphertext.
◼ This is achieved by having each plaintext digit
affect the derivation of the value of several
ciphertext digits.
◼ For a message $M = m_1 m_2 m_3 \ldots$, $k$ consecutive letters are
added to derive the ciphertext letter $y_n$.

◼ Statistical relation between plaintext and
ciphertext is dissipated and it is tricky to derive
CONFUSION

◼ The statistical relationship between ciphertext
and encryption key is so complex that it is
difficult to derive the key.
◼ Confusion is created by applying a substitution
algorithm in a complex way.

◼ The mechanism of diffusion seeks to make the
statistical relationship between the plaintext
and ciphertext as complex as possible in order
to thwart attempts to deduce the key.
◼ Confusion seeks to make the relationship
between the statistics of the ciphertext and
the value of the encryption key as complex as
possible, again to thwart attempts to discover the
key.
FEISTEL CIPHER STRUCTURE

◼ Horst Feistel, working at IBM Thomas J Watson
Research Labs, devised a suitable invertible cipher
structure in the early 70's.
◼ Partitions the input block into two halves.
◼ Processes them through multiple rounds, which perform
a substitution on the left data half based on a round
function of the right half & subkey.
◼ Then applies a permutation swapping the halves.
◼ Implements Shannon's S-P network concept.

◼ Such a network takes a block of the plaintext and
the key as inputs, and applies several alternating
rounds or layers of substitution boxes (S-boxes)
and permutation boxes (P-boxes) to produce
the ciphertext block.
◼ The S-boxes and P-boxes transform (sub-)blocks of
input bits into output bits.
◼ It is common for these transformations to be
operations that are efficient to perform in hardware,
such as exclusive or (XOR) and bitwise rotation.
◼ The key is introduced in each round, usually in the
form of "round keys" derived from it.

◼ The inputs to the encryption algorithm are a plaintext
block of length $2w$ bits and a key $K$.
◼ The plaintext block is divided into two halves, $L_0$ and $R_0$.
◼ The two halves of the data pass through rounds of
processing and then combine to produce the
ciphertext block.
◼ Each round $i$ has as inputs $L_{i-1}$ and $R_{i-1}$,
generated by the preceding round, along with a
subkey $K_i$ derived from the overall $K$.

◼ All rounds have the same structure. A substitution
is performed on the left half of the data.
◼ This is done by applying a round function F to the
right half of the data and then taking the exclusive-
OR of the output of that function and the left half of
the data.
◼ The round function has the same general structure
for each round but is parameterized by the round
subkey $K_i$.
◼ $L_i = R_{i-1}$
◼ $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$

◼ The exact realization of a Feistel network
depends on the choice of the following
parameters and design features:
◼ Block size - increasing size improves
security, but slows cipher. The greater security
is achieved by greater diffusion.
◼ Traditionally, a block size of 64 bits has been
considered a reasonable tradeoff and was
nearly universal in block cipher design.
However, the new AES uses a 128-bit block size.
• Key size - increasing size improves security, makes
exhaustive key searching harder.
◼ The greater security is achieved by greater resistance
to brute-force attacks and greater confusion.
◼ Key sizes of 64 bits or less are now widely considered
to be inadequate, and 128 bits has become a
common size.

• Number of rounds - increasing number improves
security, but slows cipher. A typical size is 16 rounds.
• Subkey generation algorithm - greater
complexity can make analysis harder
• Round function - greater complexity means
greater resistance to cryptanalysis

• Fast software en/decryption - In many cases,
encryption is embedded in applications or utility
functions in such a way as to exclude a hardware
implementation.
• Accordingly, the speed of execution of the
algorithm becomes a concern.
• Ease of analysis - for easier validation &
testing of strength
• If the algorithm can be concisely and clearly
explained, it is easier to analyze that algorithm
for cryptanalytic vulnerabilities and therefore
develop a higher level of assurance as to its
strength.
FEISTEL DECRYPTION ALGORITHM

◼ The process of decryption with a Feistel cipher is
essentially the same as the encryption process.
◼ The rule is as follows: Use the ciphertext as input
to the algorithm, but use the subkeys $K_i$ in
reverse order. That is, use $K_n$ in the first round,
$K_{n-1}$ in the second round, and so on, until $K_1$ is
used in the last round.

◼ To see that the same algorithm with a reversed
key order produces the correct result, Figure 3.3
shows the encryption process going down the
left-hand side and the decryption process going
up the right-hand side for a 16-round algorithm.

◼ For clarity, we use the notation $LE_i$ and $RE_i$
for data traveling through the encryption
algorithm and $LD_i$ and $RD_i$ for data traveling
through the decryption algorithm.
◼ Let the output of the $i$th encryption round be
$LE_i \| RE_i$ ($LE_i$ concatenated with $RE_i$). Then the
corresponding output of the $(16-i)$th
decryption round is $RE_i \| LE_i$ or, equivalently,
$LD_{16-i}$ and $RD_{16-i}$.
◼ After the last iteration of the encryption process,
the two halves of the output are swapped, so that
the ciphertext is $RE_{16} \| LE_{16}$.
◼ The output of that round is the ciphertext.
◼ Now take that ciphertext and use it as input to the
same algorithm.
◼ The input to the first round is $RE_{16} \| LE_{16}$, which
is equal to the 32-bit swap of the output of the
sixteenth round of the encryption process.
◼ Now we would like to show that the output of
the first round of the decryption process is equal
to a 32-bit swap of the input to the sixteenth
round of the encryption process.
◼ First, consider the encryption process. We see
that

◼ Thus, we have $LD_1 = RE_{15}$ and $RD_1 = LE_{15}$.
◼ Therefore, the output of the first round of the
decryption process is $RE_{15} \| LE_{15}$, which is the
32-bit swap of the input to the sixteenth round
of the encryption. This correspondence holds all
the way through the 16 iterations, as is easily
shown.

◼ We can cast this process in general terms. For
the ith iteration of the encryption algorithm

◼ Rearranging terms:

◼ Thus, we have described the inputs to the $i$th
iteration as a function of the outputs, and these
equations confirm the assignments shown in the
right-hand side of Figure 3.3.

◼ Finally, we see that the output of the last round of
the decryption process is $RE_0 \| LE_0$.

◼ A 32-bit swap recovers the original plaintext,
demonstrating the validity of the Feistel decryption
process.
◼ To help clarify the preceding concepts, let us look at a
specific example (Figure 3.4) and focus on the
fifteenth round of encryption, corresponding to the
second round of decryption.
◼ Suppose that the blocks at each stage are 32 bits
(two 16-bit halves) and that the key size is 24 bits.
◼ Suppose that at the end of encryption round
fourteen, the value of the intermediate block (in
hexadecimal) is DE7F03A6. Also assume that the
value of $K_{15}$ is 12DE52.
50
LE RE 03A6
14 14 LD RD
2 2

03A6
RE
LE
15 LD RD
15
1 1
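
The round equations and the reversed-subkey decryption rule above can be checked in code. The following is an added example, not part of the original slides: it uses the slide example's sizes (32-bit block, 24-bit subkeys) and its values DE7F03A6 and 12DE52, while the round function `F`, the other subkeys and all function names are assumptions made for the demonstration.

```python
# Added example: generic Feistel network on a 32-bit block (two 16-bit halves).
# F and the subkeys are constructed for this demo; F is NOT the DES round function.
import hashlib

ROUNDS = 16

def F(right, subkey):
    """Toy round function: 16 bits of SHA-256 over (R, K). Not invertible."""
    data = right.to_bytes(2, "big") + subkey.to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def feistel_round(left, right, subkey):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    return right, left ^ F(right, subkey)

def feistel(block, subkeys):
    """Run all rounds, then swap halves. Returns (output, [(L_i, R_i), i = 0..n])."""
    left, right = block >> 16, block & 0xFFFF
    trace = [(left, right)]
    for k in subkeys:
        left, right = feistel_round(left, right, k)
        trace.append((left, right))
    return (right << 16) | left, trace      # output is R_n || L_n

def encrypt(block, subkeys):
    return feistel(block, subkeys)

def decrypt(block, subkeys):
    return feistel(block, subkeys[::-1])    # same algorithm, K_n first, K_1 last

def demo_subkeys():
    """Constructed 24-bit subkeys K_1..K_16; K_15 is the slide's value 12DE52."""
    keys = [(0x9E3779 * i) & 0xFFFFFF for i in range(1, ROUNDS + 1)]
    keys[14] = 0x12DE52
    return keys

def correspondence_holds(plaintext, subkeys):
    """Check LD_i = RE_(n-i) and RD_i = LE_(n-i) for every i, plus the round trip."""
    n = len(subkeys)
    ciphertext, enc = encrypt(plaintext, subkeys)
    recovered, dec = decrypt(ciphertext, subkeys)
    mirrored = all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))
    return mirrored and recovered == plaintext

if __name__ == "__main__":
    # Slide example: LE14 || RE14 = DE7F03A6, K15 = 12DE52.
    le15, re15 = feistel_round(0xDE7F, 0x03A6, 0x12DE52)
    print(f"LE15 = {le15:04X}, RE15 = {re15:04X}")
    # Decryption round 2 takes LD1 || RD1 = RE15 || LE15 and the same subkey.
    ld2, rd2 = feistel_round(re15, le15, 0x12DE52)
    print(f"LD2 = {ld2:04X} (RE14), RD2 = {rd2:04X} (LE14)")
    print("all rounds mirror:", correspondence_holds(0x01234567, demo_subkeys()))
```

Because decryption only ever recomputes `F` on a half it already holds and XORs the result away, the round trip works even though `F` itself cannot be inverted.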
DATA ENCRYPTION STANDARD (DES)

◼ The Data Encryption Standard (DES) is a
symmetric-key block cipher published by the
National Institute of Standards and Technology
(NIST).

DES – HISTORY
◼ In the late 1960s, IBM set up a research project in
computer cryptography led by Horst Feistel.
◼ The project concluded in 1971 with the development of
the LUCIFER algorithm. LUCIFER is a Feistel block cipher
that operates on blocks of 64 bits, using a key size of 128
bits.
◼ Because of the promising results produced by the
LUCIFER project, IBM embarked on an effort, headed by
Walter Tuchman and Carl Meyer, to develop a marketable
commercial encryption product that ideally could be
implemented on a single chip.
◼ It involved not only IBM researchers but also outside
consultants and technical advice from NSA.
◼ The outcome of this effort was a refined version of
LUCIFER that was more resistant to cryptanalysis
but that had a reduced key size of 56 bits, to fit on
a single chip.
◼ In 1973, the National Bureau of Standards (NBS)
issued a request for proposals for a national cipher
standard. IBM submitted the modified LUCIFER.
◼ It was by far the best algorithm proposed and was
adopted in 1977 as the Data Encryption Standard.
DES DESIGN CONTROVERSY

◼ Before its adoption as a standard, the proposed
DES was subjected to intense & continuing
criticism over the size of its key & the classified
design criteria.
◼ It is vulnerable to key attack when a weak key is
used.
◼ In January 1999 distributed.net and the
Electronic Frontier Foundation (EFF) collaborated
to publicly break a DES key in 22 hours and 15
minutes.
◼ The algorithm is believed to be practically
secure in the form of Triple DES, although there
are theoretical attacks.
◼ In recent years, the cipher has been superseded
by the Advanced Encryption Standard
(AES). DES has flourished and is widely used,
especially in financial applications.
◼ It is still standardized for legacy systems, with
either AES or triple DES for new applications.
◼ The next step is to permute the key using the
PC-1 table below. That is, the first bit of our
56-bit permuted key will be the 57th bit of our
original key, and so on.

[Table: Permuted Choice One (PC-1)]
[Table: Initial Permutation (IP)]
[Table: Schedule of Left Shifts]
[Table: Permuted Choice Two (PC-2)]
[Table: Permutation Function (P)]
[Table: Inverse Initial Permutation ($IP^{-1}$)]
[Figure 3.5: General Depiction of DES Encryption Algorithm]

◼ Initial and Final Permutations: Figure 3.2 shows
the initial and final permutations (P-boxes).
◼ Each of these permutations takes a 64-bit input
and permutes it according to a predefined
rule.

DES ROUND STRUCTURE

◼ Uses two 32-bit L & R halves.
◼ As for any Feistel cipher, a round can be described as:
$L_i = R_{i-1}$
$R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
◼ F takes the 32-bit R half and a 48-bit subkey:
◼ expands R to 48 bits using perm E
◼ adds to subkey using XOR
◼ passes through 8 S-boxes to get 32-bit result
◼ finally permutes using 32-bit perm P
◼ Figure 3.5 illustrates the internal structure of the
DES round function F.
◼ The R input is first expanded to 48 bits by using
expansion table E that defines a permutation plus
an expansion that involves duplication of 16 of
the R bits (refer Table 3.2c).
◼ The resulting 48 bits are XORed with Ki. This 48-
bit result passes through a substitution function
comprising 8 S-boxes which each map 6 input bits
to 4 output bits, producing a 32-bit output, which
is then permuted by permutation P as defined by
Stallings Table 3.2d.

SUBSTITUTION BOXES S

◼ There are eight S-boxes, each of which maps 6 bits to 4 bits
◼ Each S-box is actually a table of 4-bit values
◼ Outer bits 1 & 6 (row bits) select one row of 4
◼ Inner bits 2-5 (col bits) are substituted
◼ Result is 8 lots of 4 bits, or 32 bits
◼ Row selection depends on both data & key
◼ Feature known as autoclaving (autokeying)

DES KEY SCHEDULE

◼ Forms subkeys used in each round
◼ Initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
◼ 16 stages consisting of:
◼ Rotating each half separately either 1 or 2
places depending on the key rotation
schedule K
◼ Selecting 28-bits from each half & permuting
them by PC2 for use in round function F
DES DECRYPTION

◼ Decrypt must unwind steps of data computation
◼ with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
◼ IP undoes final $IP^{-1}$ step of encryption
◼ 1st round with SK16 undoes 16th encrypt round
◼ ….
◼ 16th round with SK1 undoes 1st encrypt round
◼ then final $IP^{-1}$ undoes initial encryption IP
◼ thus recovering original data value