Lecture 3 Cryptography

The document discusses the design philosophy and principles of block ciphers, including perfect secrecy, Shannon's theory of secrecy systems, and the structure of various ciphers such as the Vernam one-time pad and Lucifer. It highlights the importance of confusion and diffusion in cryptography, as well as the historical context of the Data Encryption Standard (DES) and its development. Additionally, it covers practical aspects of substitution-permutation networks and the evolution of cryptographic techniques post-World War II.

Uploaded by

Abdul Raheem

NUST

Block Ciphers

March 8, 2010
Design Philosophy of Block Ciphers

Perfect Secrecy
A cryptosystem has perfect secrecy if

Pr[x|y] = Pr[x]   for all x ∈ P, y ∈ C

a posteriori probability = a priori probability

Block Cipher
In a block cipher the message is broken into
blocks, each of which is then encrypted

Shannon’s Theory of Secrecy Systems
Claude Shannon wrote some of the pivotal papers on
modern cryptology theory in 1949:

• C E Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol 28, Oct 1949, pp 656-715
• C E Shannon, "Prediction and Entropy of printed English", Bell System Technical Journal, Vol 30, Jan 1951, pp 50-64

In these he developed the concepts of:
• entropy of a message,
• redundancy in a language,
• theories about how much information is needed to break a cipher
• defined the concepts of computationally secure vs unconditionally secure ciphers

Shannon’s Theory of Secrecy Systems
The Vernam cipher is the only currently known unconditionally secure cipher, provided the key is truly random.
If we try to encrypt English text by adding it to other English text, the result is not secure: English is 80% redundant, giving ciphertext with 60% redundancy, which is enough to break it.
A similar technique can also be used if the same random key stream is used twice on different messages: the redundancy in the messages is sufficient to break this.

Vernam One-Time Pad
The most famous cryptosystem that has
perfect secrecy is the Vernam one-time pad
The Vernam one-time pad encrypts bitstrings of length n. Plaintext space, ciphertext space, and key space are P = C = K = {0,1}^n.
The encryption function for k ∈ {0,1}^n is

E_k : {0,1}^n → {0,1}^n,   c = p ⊕ k

Vernam One-Time Pad
To encrypt a plaintext p ∈ {0,1}^n, Alice chooses a key k randomly with uniform distribution from the set {0,1}^n. She computes the ciphertext c = p ⊕ k.

This system is perfectly secure because the uniform distribution is used on the key space and for each plaintext p and each ciphertext c there is exactly one key k with c = p ⊕ k.

Vernam One-Time Pad
This cryptosystem was invented and
patented in 1917 by Gilbert Vernam.
However, it was not until 1949 that
Shannon proved that the Vernam one-time
pad has perfect secrecy.
Unfortunately, the one-time pad is not very efficient. To secretly communicate a plaintext of length n, Alice and Bob must randomly generate and exchange a key of length n. This is the reason for the name "one-time pad". Each key can be used only once.
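The perfect-secrecy condition Pr[x|y] = Pr[x], the "exactly one key" argument and the key-reuse problem described above can all be checked by exhaustive enumeration for small n. The following Python code is an added example, not part of the original slides; the 3-bit block size, the skewed plaintext distribution and the biased key source are constructed for illustration.

```python
import secrets
from fractions import Fraction
from itertools import product

N = 3                      # block length in bits; small enough to enumerate everything
SPACE = range(2 ** N)      # P = C = K = {0,1}^N, encoded as integers


def encrypt(p: int, k: int) -> int:
    """Vernam encryption c = p XOR k (decryption is the same operation)."""
    return p ^ k


def keys_mapping(p: int, c: int) -> list:
    """All keys k with encrypt(p, k) == c; for the one-time pad there is exactly one."""
    return [k for k in SPACE if encrypt(p, k) == c]


def posterior(prior: dict, key_dist: dict) -> dict:
    """Pr[x | y] for every plaintext x and ciphertext y, computed with Bayes' rule."""
    joint = {(x, y): Fraction(0) for x, y in product(SPACE, repeat=2)}
    for x, k in product(SPACE, repeat=2):
        joint[(x, encrypt(x, k))] += prior[x] * key_dist[k]
    pr_y = {y: sum(joint[(x, y)] for x in SPACE) for y in SPACE}
    return {(x, y): joint[(x, y)] / pr_y[y] for (x, y) in joint if pr_y[y] > 0}


def has_perfect_secrecy(prior: dict, key_dist: dict) -> bool:
    """True when Pr[x | y] == Pr[x] for every x in P and every possible y in C."""
    return all(pr == prior[x] for (x, _y), pr in posterior(prior, key_dist).items())


def reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key stream: the key cancels out."""
    c1 = bytes(a ^ b for a, b in zip(p1, key))
    c2 = bytes(a ^ b for a, b in zip(p2, key))
    return bytes(a ^ b for a, b in zip(c1, c2))


# Constructed, deliberately skewed plaintext distribution: Pr[x] = (x + 1) / 36.
PRIOR = {x: Fraction(x + 1, 36) for x in SPACE}
UNIFORM_KEY = {k: Fraction(1, 2 ** N) for k in SPACE}
# Constructed weak key source: the top key bit is always 0 (only 4 of 8 keys occur).
BIASED_KEY = {k: Fraction(1, 4) if k < 4 else Fraction(0) for k in SPACE}

if __name__ == "__main__":
    print("uniform key, perfect secrecy:", has_perfect_secrecy(PRIOR, UNIFORM_KEY))
    print("biased key, perfect secrecy: ", has_perfect_secrecy(PRIOR, BIASED_KEY))
    leak = reuse_leak(b"ATTACK", b"DEFEND", secrets.token_bytes(6))
    print("c1 xor c2 (equals p1 xor p2, whatever the key):", leak.hex())
```

With the biased key source the top ciphertext bit always equals the top plaintext bit, so observing y changes the attacker's estimate of x and the check fails.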
Substitution-Permutation Ciphers
In his 1949 paper Shannon also introduced
the idea of substitution-permutation (S-P)
networks, which now form the basis of
modern block ciphers
An S-P network is the modern form of a
substitution-transposition product cipher
S-P networks are based on the two primitive
cryptographic operations

Substitution-Permutation Ciphers
Substitution Operation
A binary word is replaced by some other
binary word
The whole substitution function forms the
key
if we use n-bit words, the key is (2^n)! bits,
which grows rapidly
Can also think of this as a large lookup
table, with n address lines (hence 2^(n)
addresses), each n bits wide being the
output value

Substitution-Permutation Ciphers
Permutation Operation
A binary word has its bits reordered
(permuted)
The re-ordering forms the key
If we use n-bit words, the key is n! bits, which
grows more slowly, and hence is less secure
than substitution

Substitution-Permutation Ciphers
Shannon combined these two primitives
and called these mixing transformations

Confusion and diffusion
In Shannon's original definitions,
confusion refers to making the
relationship between the key and
the ciphertext as complex and as
involved as possible; diffusion
refers to the property that
redundancy in the statistics of
the plaintext is "dissipated" in the
statistics of the ciphertext.

Diffusion:
the theory given by Shannon
“The statistical structure of the plaintext is
spread (dissipated) into long-range statistics
of the ciphertext.”
Achieved by having each plaintext digit affect the
value of many ciphertext digits.
Objective is to globalize the local effects.
Diffusion implies that if we change just one
character in the PT we cause a big change in the
CT
Thus we need a large amount of CT to capture
redundancy in PT

Diffusion:
Diffusion complicates the statistics of the
ciphertext, and makes it difficult to discover
the key of the encryption process.

Confusion
“Attempts to make the relationship
between the ciphertext and the
encryption key as complex as possible.”
Good confusion can only be achieved when
each character of the ciphertext depends on
several parts of the key, and this dependence
appears to be random to the observer.
Even if an attacker can have some handle on
the statistics of the ciphertext, it is very
difficult to deduce the key.

Confusion and diffusion
Substitution has been identified as a mechanism for primarily confusion
Transposition (rearranging the order of symbols, see P-box) is a technique for diffusion

Substitution-Permutation Ciphers
Shannon's mixing transformations are a special
form of product ciphers where
S-Boxes
provide confusion of input bits
P-Boxes
provide diffusion across S-box inputs

Avalanche effect (Due to Diffusion)
where changing one input bit results in changes of approx half the output bits

More formally, a function f has a good avalanche effect if for each bit i, 0 <= i < m, if the 2^(m) plaintext vectors are divided into 2^(m-1) pairs X and X_(i) with each pair differing only in bit i; and if the 2^(m-1) exclusive-or sums, termed avalanche vectors

V_(i) = f(X) (+) f(X_(i))

are compared, then about half of these sums should be found to be 1.
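The avalanche definition above can be evaluated exactly for small functions. The following Python code is an added example, not part of the original slides: it computes the avalanche vectors for Lucifer S-box 0 (the values listed later in these slides) and for a keyless 16-bit toy substitution-permutation network built from that S-box. The toy network, its P-box and the names used are assumptions made for illustration.

```python
# Lucifer S-box 0 as listed later in these slides (input 0..15 -> output).
SBOX = [12, 15, 7, 10, 14, 13, 11, 0, 2, 6, 3, 1, 9, 4, 5, 8]
M = 16  # block width of the toy network in bits (an assumption of this example)


def avalanche_counts(table: list, m: int) -> list:
    """For each bit i, count the 1 bits over all 2^(m-1) avalanche vectors
    V_i = f(X) xor f(X_i); f is given as a lookup table with 2^m entries."""
    counts = []
    for i in range(m):
        mask = 1 << i
        total = 0
        for x in range(2 ** m):
            if not x & mask:                      # visit each pair (X, X_i) once
                total += bin(table[x] ^ table[x | mask]).count("1")
        counts.append(total)
    return counts


def avalanche_fraction(table: list, m: int) -> float:
    """Share of 1 bits among the m * 2^(m-1) avalanche vectors of m bits each."""
    return sum(avalanche_counts(table, m)) / (m * 2 ** (m - 1) * m)


def permute(x: int) -> int:
    """Toy P-box: bit i moves to position 4*i mod 15 (bit 15 stays), so the four
    output bits of one S-box feed four different S-boxes in the next round."""
    y = 0
    for i in range(M):
        if (x >> i) & 1:
            y |= 1 << (15 if i == 15 else (4 * i) % 15)
    return y


def spn_round(x: int) -> int:
    """One keyless round: four parallel 4-bit S-boxes, then the P-box."""
    s = 0
    for nibble in range(4):
        s |= SBOX[(x >> (4 * nibble)) & 0xF] << (4 * nibble)
    return permute(s)


def spn_table(rounds: int) -> list:
    """Lookup table of the toy network after the given number of rounds."""
    one_round = [spn_round(x) for x in range(2 ** M)]
    table = list(range(2 ** M))                   # zero rounds: the identity
    for _ in range(rounds):
        table = [one_round[v] for v in table]
    return table


if __name__ == "__main__":
    print("S-box alone:", avalanche_counts(SBOX, 4), avalanche_fraction(SBOX, 4))
    for r in (0, 1, 2, 4):
        print(f"{r} rounds: {avalanche_fraction(spn_table(r), M):.4f}")
```

A single round only changes bits inside one S-box, so the fraction starts far below one half; it is the alternation of S-boxes and the P-box over several rounds that moves it toward one half.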

Practical Substitution-Permutation
Networks
In practice we need to be able to decrypt
messages, as well as to encrypt them,
hence either:
• we have to define inverses for each of our S- and P-boxes, but this doubles the code/hardware needed, or
• define a structure that is easy to reverse, so that we can use basically the same code or hardware for both encryption and decryption

Practical Substitution-Permutation
Networks
Horst Feistel, working at IBM Thomas J
Watson Research Labs, devised just such a
structure in the early 70's, which we now call
a Feistel cipher
The idea is to partition the input block
into two halves, L(i-1) and R(i-1), and use
only R(i-1) in each round i (part) of the
cipher
The function g incorporates one stage of
the S-P network, controlled by part of the
key K(i) known as the ith subkey

Lucifer
In cryptography, Lucifer was the name given
to several of the earliest civilian block
ciphers, developed by Horst Feistel and his
colleagues at IBM. Lucifer was a direct
precursor to the Data Encryption Standard.
One version, alternatively named DTD-1, saw
commercial use in the 1970s for electronic
banking.

Cryptography after
WW2
Academia largely disinterested
NSA Largest Employer of mathematicians in
the world.
IBM hired by Lloyds of London to arrange
security for a cash dispensing network (early
ATM machines.)

Cryptography after
WW2
IBM developed “Lucifer” cipher
Symmetric Algorithm
explicit encrypt/decrypt
112 bit key
Substitution and transposition within
8-character blocks

Structure of Lucifer
The exact realization of a Feistel network
depends on the choice of the following
parameters and design features:
• Block size - increasing size improves security, but slows cipher
• Key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• Number of rounds - increasing number improves security, but slows cipher
• Subkey generation algorithm - greater complexity can make analysis harder, but slows cipher
• Round function - greater complexity can make analysis harder, but slows cipher
• Fast software en/decryption - more recent concern for practical use
• Ease of analysis - for easier validation & testing of strength

Structure of Lucifer
LUCIFER enciphered blocks of 128 bits,
and it used a 128-bit key
The F-function in LUCIFER had a high degree
of symmetry, and could be implemented in
terms of operations on one byte of the right
half of the message at a time.

Structure of Lucifer
Subkey generation
Each round uses a 72-bit subkey. The subkey
for the first round consists of the first byte of
the key repeated twice, followed by the next
seven bytes of the key. Rotate the key left by
seven bytes, then generate the subkey for the
next round.

Structure of Lucifer
The f-function
XOR the right half of the block with the last
eight bytes of the subkey for the round.
Based on the bits of the first byte of the subkey
for that round, swap nibbles in the eight
bytes of that result for those bytes which
correspond to a 1 bit.

Structure of Lucifer
The f-function
Use S-box 0 for the most significant nibble of
each of these eight bytes, and S-box 1 for the
least significant nibble of each byte:

Input:           0  1  2  3  4  5  6  7
S-box 0 output: 12 15  7 10 14 13 11  0
S-box 1 output:  7  2 14  9  3 11  0  4

Input:           8  9 10 11 12 13 14 15
S-box 0 output:  2  6  3  1  9  4  5  8
S-box 1 output: 12 13  1 10  6 15  8  5

Structure of Lucifer
Permute the 64 bits of the result, numbered
from 0 (for the most significant bit) to 63 (for
the least significant bit), by the following
permutation:

Structure of Lucifer
The General Structure
LUCIFER has sixteen rounds. In each round,
the f-function is calculated using that round's
subkey and the left half of the block. The
result is then XORed to the right half of the
block, which is the only part of the block
altered for that round.
After every round except the last one, the
right and left halves of the block are swapped

Structure of Lucifer

Comments
Although LUCIFER has a larger block and
key size than DES, it is considerably more
vulnerable to attacks from differential
cryptanalysis, and is also weak due to the
regular nature of its key schedule.

DES
Data Encryption Standard

DES
The Data Encryption Standard (DES) is a
cipher (a method for encrypting information)
that was selected by NBS as an official
Federal Information Processing Standard
(FIPS) for the United States in 1976 and
which has subsequently enjoyed widespread
use internationally.

General
Designers: IBM
First published: 1975 (standardized on January 1977)
Derived from: Lucifer
Successors: Triple DES, G-DES, DES-X, LOKI89, ICE
Cipher detail
Key sizes: 56 bits
Block sizes: 64 bits
Structure: Feistel network
Rounds: 16

General

Date - Event
15 May 1973 - NBS publishes a first request for a standard encryption algorithm
27 August 1974 - NBS publishes a second request for encryption algorithms
17 March 1975 - DES is published in the Federal Register for comment
August 1976 - First workshop on DES
September 1976 - Second workshop, discussing mathematical foundation of DES
November 1976 - DES is approved as a standard
15 January 1977 - DES is published as a FIPS standard FIPS PUB 46
1983 - DES is reaffirmed for the first time
1986 - Videocipher II, a TV satellite scrambling system based upon DES begins use by HBO
22 January 1988 - DES is reaffirmed for the second time as FIPS 46-1, superseding FIPS PUB 46
July 1990 - Biham and Shamir rediscover differential cryptanalysis, and apply it to a 15-round DES-like cryptosystem.
1992 - Biham and Shamir report the first theoretical attack with less complexity than brute force: differential cryptanalysis. However, it requires an unrealistic 2^47 chosen plaintexts.
30 Dec 93 - DES is reaffirmed for the third time as FIPS 46-2
1994 - The first experimental cryptanalysis of DES is performed using linear cryptanalysis (Matsui, 1994).
June 1997 - The DESCHALL Project breaks a message encrypted with DES for the first time in public.
July 1998 - The EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours.
Jan 1999 - Together, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes.
26 November 2001 - The Advanced Encryption Standard is published in FIPS 197
26 May 2002 - The AES standard becomes effective
26 July 2004 - The withdrawal of FIPS 46-3 (and a couple of related standards) is proposed in the Federal Register
19 May 2005 - NIST withdraws FIPS 46-3 (see Federal Register vol 70, number 96)
15 March 2007 - The FPGA based parallel machine COPACOBANA of the University of Bochum and Kiel, Germany, breaks DES in 6.4 days at
Criticism on DES
• The United States Senate Select Committee on Intelligence (1978):
"In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness."
• "NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended."

Security of DES
The main weakness is the short key (brute-force attacks are possible).
Also the block length is too small.
Besides this, a very secure design: after more than 3 decades the most practical attack is still brute-force!
The only attacks so far:
• differential cryptanalysis
• linear cryptanalysis
are rather theoretical.

Brute-force attacks on DES
1977
Diffie and Hellman proposed a machine costing
20 million $ breaking DES in 1 day.
1993
Wiener proposed a machine costing 1 million $
breaking DES in 7 hours.
1997
DESCHALL Project broke a “DES Challenge”
(published by RSA) in 96 days using idle cycles
of thousands of computers across the Internet.

Brute-force attacks on DES
COPACOBANA (the Cost-Optimized Parallel
COde Breaker) breaks DES in 1 week and costs
10,000$
1998
DES-cracker was built by the Electronic
Frontier Foundation (EFF), at the cost of
approximately 250,000$

Theoretical attacks on DES – differential cryptanalysis
Biham and Shamir (late 1980s): differential cryptanalysis
They show how to break DES using a chosen-plaintext attack
[Figure: plaintext → DES → ciphertext, 2^47 times]
Not very practical...

Theoretical attacks on DES – differential cryptanalysis
A small change in the design of DES would make the differential cryptanalysis much more successful.
Moral
NSA and IBM knew it!

Theoretical attacks on DES – linear cryptanalysis
Matsui (early 1990s): Linear Cryptanalysis
uses a known-plaintext attack, 2^43 (plaintext, ciphertext) pairs
the plaintexts don’t need to be chosen by the adversary.
Structure
[Figure: 64-bit input → initial permutation (IP) → Feistel network (with key k) → final permutation (IP^-1) → output]

[Figure: the DES Feistel network. The block is split into the 32-bit halves L0 and R0. The key schedule derives the 48-bit subkeys k1, k2, ..., k16 from the 56-bit key; the 16 rounds apply f1, f2, ..., f16 and produce L1 R1, ..., L16 R16. After round 16: "here no twist".]
A nice property of Feistel rounds
Even if f is not easily invertible, each round can be easily inverted!

round:      L(i+1) := R(i)     R(i+1) := L(i) xor f(R(i))
inversion:  R(i) = L(i+1)      L(i) = (L(i) xor f(R(i))) xor f(L(i+1))

Hence: the Feistel network can be “inverted”!
Example: 3 round Feistel network
[Figure: the 3-round network L0 R0 → f1 → L1 R1 → f2 → L2 R2 → f3 → L3 R3 beside its inversion L3 R3 → f3 → L2 R2 → f2 → L1 R1 → f1 → L0 R0]

Without a “twist” in the last round:
[Figure: the same two 3-round networks, L0 R0 → f1, f2, f3 → L3 R3 and L3 R3 → f3, f2, f1 → L0 R0]
How to decrypt?
Reverse the key schedule!
[Figure: the same network, mapping L0 R0 to L16 R16 through f1, f2, ..., f16, with the key schedule of the 56-bit key supplying the subkeys in the order k16, k15, ..., k1]
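The two points made on the preceding slides, that a Feistel round can be undone without inverting f and that decryption is the same network run with the key schedule reversed, are shown below. This Python code is an added example, not part of the original slides; both round functions and the hash-based key schedule are stand-ins chosen for illustration and are not the DES f or the DES key schedule.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def hash_f(right: int, subkey: bytes) -> int:
    """Stand-in round function (not DES's f): 32 bits of SHA-256(subkey || R)."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def lossy_f(right: int, subkey: bytes) -> int:
    """Deliberately many-to-one round function: only 256 possible outputs."""
    return (right * right + subkey[0]) & 0xFF


def key_schedule(key: bytes, rounds: int = 16) -> list:
    """Hypothetical key schedule: subkey i is 48 bits of SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(1, rounds + 1)]


def feistel(block: int, subkeys: list, f=hash_f) -> int:
    """Process a 64-bit block with the subkeys in the order given.
    Each round: L(i+1) = R(i), R(i+1) = L(i) xor f(R(i)); the swap is
    undone after the last round ("here no twist")."""
    left, right = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    left, right = right, left
    return (left << 32) | right


def encrypt(block: int, key: bytes, f=hash_f, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds), f)


def decrypt(block: int, key: bytes, f=hash_f, rounds: int = 16) -> int:
    """Same network, reversed key schedule; f itself is never inverted."""
    return feistel(block, key_schedule(key, rounds)[::-1], f)


if __name__ == "__main__":
    key = b"constructed demo key"            # constructed sample key
    plain = 0x0123456789ABCDEF               # constructed sample block
    for name, f in (("hash_f", hash_f), ("lossy_f", lossy_f)):
        for rounds in (3, 16):
            c = encrypt(plain, key, f, rounds)
            ok = decrypt(c, key, f, rounds) == plain
            print(f"{name:8s} rounds={rounds:2d} ciphertext={c:016x} round-trip={ok}")
```

Because lossy_f maps many inputs to the same output, the round-trip succeeding with it shows that invertibility comes from the network structure alone; it says nothing about the strength of such a cipher.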
DES key schedule
[Figure: the key schedule derives the 48-bit subkeys k1, k2, ..., k16 from the 56-bit key]
each subkey ki consists of some bits of k

DES key schedule

Although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits in length. The least significant (right-most) bit in each byte is a parity bit, and should be set so that there are always an odd number of 1s in every byte. These parity bits are ignored, so only the seven most significant bits of each byte are used, resulting in a key length of 56 bits.

The first step is to pass the 64-bit key through a permutation called Permuted Choice 1, or PC-1 for short. The table for this is given below. Note that in all subsequent descriptions of bit numbers, 1 is the left-
DES key schedule
For example, we can use the PC-1 table to figure out how bit 30 of the original 64-bit key transforms to a bit in the new 56-bit key. Find the number 30 in the table, and notice that it belongs to the column labeled 5 and the row labeled 36. Add up the value of the row and column to find the new position of the bit within the key. For bit 30, 36 + 5 = 41, so bit 30 becomes bit 41 of the new 56-bit key. Note that bits 8, 16, 24, 32, 40, 48, 56 and 64 of the original key are not in the table. These are the unused parity bits that are discarded when the final 56-bit key is created.

Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit sub-keys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and decryption. The procedure for generating the sub-keys, known as key scheduling, is fairly simple:

1. Set the round number R to 1.
2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half).
3. Rotate L left by the number of bits specified in the table below, and rotate R left by the same number of bits as well.
4. Join L and R together to get the new K.
5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on.
6. Increment R by 1 and repeat the procedure until we have all 16 sub-keys K[1]-K[16].
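The six steps above, together with the parity rule and the PC-1 lookup for bit 30, are carried out in the following Python code. It is an added example, not part of the original slides; the PC-1, PC-2 and rotation tables do not survive on this page and are taken here from the published DES standard (FIPS 46), and the sample key is a constructed test value.

```python
# Tables from the DES standard (FIPS 46); positions are 1-based, 1 = left-most bit.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]
PC2 = [14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
       23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # left rotations per round

SAMPLE_KEY = bytes.fromhex("133457799BBCDFF1")               # constructed test key


def permute(bits: list, table: list) -> list:
    """Output bit j is input bit table[j]."""
    return [bits[pos - 1] for pos in table]


def has_odd_parity(key: bytes) -> bool:
    """True when every key byte contains an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def new_position(old_bit: int) -> int:
    """Where PC-1 sends a bit of the 64-bit key (0 if it is a dropped parity bit)."""
    return PC1.index(old_bit) + 1 if old_bit in PC1 else 0


def subkeys(key: bytes) -> list:
    """Return the sixteen 48-bit subkeys K[1]..K[16] as integers."""
    bits = [(byte >> (7 - i)) & 1 for byte in key for i in range(8)]
    k56 = permute(bits, PC1)                  # drops bits 8, 16, ..., 64
    left, right = k56[:28], k56[28:]          # step 2: two 28-bit halves
    result = []
    for shift in SHIFTS:                      # steps 3-6, once per round
        left = left[shift:] + left[:shift]
        right = right[shift:] + right[:shift]
        k48 = permute(left + right, PC2)
        result.append(int("".join(map(str, k48)), 2))
    return result


if __name__ == "__main__":
    print("odd parity:", has_odd_parity(SAMPLE_KEY))
    print("bit 30 moves to position", new_position(30))
    for rnd, k in enumerate(subkeys(SAMPLE_KEY), start=1):
        print(f"K[{rnd:2d}] = {k:012x}")
```

Flipping the right-most bit of every key byte leaves all sixteen subkeys unchanged, which is why only 56 of the 64 key bits contribute to security.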
Once the key scheduling has been
performed, the next step is to prepare
the plaintext for the actual encryption.
This is done by passing the plaintext
through a permutation called the Initial
Permutation, or IP for short. This table
also has an inverse, called the Inverse
Initial Permutation, or IP^(-1).
Sometimes IP^(-1) is also called the
Final Permutation.

These tables are used just like PC-1 and
PC-2 were for the key scheduling. By
looking at the table it becomes apparent
why one permutation is called the
inverse of the other. For example, let's
examine how bit 32 is transformed under
IP. In the table, bit 32 is located at the
intersection of the column labeled 4 and
the row labeled 25. So this bit becomes
bit 29 of the 64-bit block after the
permutation. Now let's apply IP^(-1). In
IP^(-1), bit 29 is located at the
intersection of the column labeled 7 and
the row labeled 25. So this bit becomes
bit 32 after the permutation. And this is
the bit position that we started with
before the first permutation. So IP^(-1)
really is the inverse of IP. It does the

function f:
[Figure: the 32-bit half-block X is expanded to the 48-bit half-block Y; Y xor Ki (with the 48-bit subkey Ki) is passed through the S-boxes S1 ... S8, each Si : {0,1}^6 → {0,1}^4 (“confusion”), and then through the permutation P (“diffusion”), giving 32 bits]
The expansion function
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

The substitution boxes (S-boxes)
Example of an S-box

S5           Middle 4 bits of input
Outer bits   0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00           0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
01           1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110
10           0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
11           1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011

Encryption Function
Once the key scheduling and plaintext
preparation have been completed, the
actual encryption or decryption is
performed by the main DES algorithm.
The 64-bit block of input data is first
split into two halves, L and R. L is the
left-most 32 bits, and R is the right-most
32 bits. The following process is repeated
16 times, making up the 16 rounds of
standard DES. We call the 16 sets of
halves L[0]-L[15] and R[0]-R[15].

R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit Selection Table, which is like a permutation, except that some of the bits are used more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step.
The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is not modified.

The result from the previous step is now split into 8 segments of 6 bits each. The left-most 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index into the S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes, are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in the boxes are always 4 bits in length, so their values range from 0-15. The S-
Starting with B[1], the first and last bits
of the 6-bit block are taken and used as an
index into the row number of S[1], which
can range from 0 to 3, and the middle four
bits are used as an index into the column
number, which can range from 0 to 15.
The number from this position in the S-
box is retrieved and stored away. This is
repeated with B[2] and S[2], B[3] and
S[3], and the others up to B[8] and S[8].
At this point, you now have 8 4-bit
numbers, which when strung together one
after the other in the order of retrieval,
give a 32-bit result.

The result from the previous stage is now
passed into the P Permutation

This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into L[I].

At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core function until I = 17, which means that 16 rounds have been executed and keys K[1]-K[16] have all been used.

When L[16] and R[16] have been obtained, they are joined back together in the same fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half), then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16] becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the pre-output.

Some Remarks on DES
In a good cipher system, each bit of the CT should depend on all bits of the PT. The expansion “E” is designed so that this will happen in a few rounds.
The purpose of the IP is not completely clear. It has no cryptographic purpose.
The S-boxes are the heart of the algorithm and provide the security.
S-box design was somewhat of a mystery until IBM published the following criteria in the early 1990’s:
• Each S-box has 6 input bits and 4 output bits. This was the largest that could be put on one chip in 1974.
• The outputs of the S-boxes should not be close to being linear functions of the inputs.
• Each row of an S-box contains all numbers from 0 to 15
• If two inputs to an S-box differ by 1 bit, the outputs must differ by at least 2 bits.
• If two inputs to an S-box differ in their first two bits but have the same last 2 bits, the outputs must be unequal.
• There are 32 pairs of inputs having a given XOR. For each of these pairs, compute the XOR of the outputs. No more than eight of these output XORs should be the same. (This is to avoid differential cryptanalysis)
• A similar criterion to previous but involving three S-boxes
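The S-box lookup rule described earlier (outer bits select the row, middle four bits the column) and four of the design criteria listed above can be checked mechanically against the S5 table from the "Example of an S-box" slide. The following Python code is an added example, not part of the original slides; the function names and the deliberately weak comparison S-box are constructed for illustration.

```python
# DES S-box S5, the decimal form of the binary table on the "Example of an S-box"
# slide: rows are the outer bits (b1 b6), columns the middle four bits (b2..b5).
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]
# Constructed counter-example: every row is the identity permutation.
WEAK = [list(range(16)) for _ in range(4)]


def lookup(sbox: list, b: int) -> int:
    """6-bit input b = b1..b6: row from the first and last bit, column from the middle four."""
    row = ((b >> 5) & 1) << 1 | (b & 1)
    col = (b >> 1) & 0xF
    return sbox[row][col]


def rows_are_permutations(sbox: list) -> bool:
    """Each row contains all numbers from 0 to 15."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def min_change_for_one_bit_flip(sbox: list) -> int:
    """Smallest number of output bits that change when one input bit is flipped."""
    return min(bin(lookup(sbox, x) ^ lookup(sbox, x ^ (1 << i))).count("1")
               for x in range(64) for i in range(6))


def first_two_bits_rule(sbox: list) -> bool:
    """Inputs differing in their first two bits with equal last two bits give unequal outputs."""
    masks = [0b110000 | (mid << 2) for mid in range(4)]
    return all(lookup(sbox, x) != lookup(sbox, x ^ m) for x in range(64) for m in masks)


def max_pairs_per_output_xor(sbox: list) -> int:
    """For every non-zero input XOR, group the 32 input pairs by output XOR and
    return the largest group found (the criterion allows at most eight)."""
    worst = 0
    for dx in range(1, 64):
        counts = [0] * 16
        for x in range(64):
            if x < x ^ dx:                       # count each of the 32 pairs once
                counts[lookup(sbox, x) ^ lookup(sbox, x ^ dx)] += 1
        worst = max(worst, max(counts))
    return worst


def meets_criteria(sbox: list) -> bool:
    return (rows_are_permutations(sbox)
            and min_change_for_one_bit_flip(sbox) >= 2
            and first_two_bits_rule(sbox)
            and max_pairs_per_output_xor(sbox) <= 8)


if __name__ == "__main__":
    print("S5(011011) =", lookup(S5, 0b011011))
    for name, box in (("S5", S5), ("WEAK", WEAK)):
        print(name, "one-bit flip changes at least", min_change_for_one_bit_flip(box),
              "output bits; largest pair group:", max_pairs_per_output_xor(box),
              "; meets criteria:", meets_criteria(box))
```

The nonlinearity criterion and the criterion involving three S-boxes are not covered by this check.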
DES is not a group
One possible way of effectively increasing
the key size of DES is to double encrypt. That
is if we take two keys k1 and k2 and encrypt
a PT by Ek2(Ek1(P)).
If an attacker has sufficient memory, double
encryption can provide little extra protection
against some attacks.
But if a cryptosystem is such that double
encryption is equivalent to a single
encryption then double encryption will not
provide any extra protection.
For affine ciphers and for RSA double
encrypting with two keys k1 and k2 is
equivalent to encrypting with a third key k3.

DES is not a group
Is the same true for DES?
Namely, is there a key k3 such that Ek3 = Ek2 Ek1?
This question is often rephrased as “Is DES a group?” Another way of asking is “Is DES closed under composition?”
Fortunately it turns out that DES is not a group