Block 3: Modern Symmetric Key Cryptography: Objectives


Objectives
Appreciate that many block ciphers are Feistel ciphers.
Be able to explain how a Feistel cipher works.
Be able to outline the architecture, modes of operation and applications of the DES.
Be able to outline the architecture of the AES.

Feistel Ciphers and the DES


Block Ciphers
The Data Encryption Standard (DES) developed from IBM's Lucifer cipher.
It is based on the Feistel ladder.
Almost all block ciphers since Lucifer have been Feistel ciphers.
Such ciphers have a flat keyspace (with the possible exception of a few weak keys):
o this means the cipher is equally difficult to attack whichever key is chosen.
The 3G system encryption and integrity algorithms are both built around the KASUMI block cipher, which is a Feistel cipher with 8 rounds.

Feistel Ciphers
The plaintext is viewed as a pair of n-bit words w1, w2. A function f is chosen and the pair (w2, f(w2) ⊕ w1) is formed, where ⊕ is bitwise addition modulo 2.
This step is called a round and is repeated as many times as required, choosing a different f each time.

[Figure: one round. Input: w1, w2 (n bits each). Output: w2, f(w2) ⊕ w1.]

A Feistel cipher gets its strength from the fact that a number of rounds involving non-linear transformations are applied to the data.
Careful choice of the nonlinear functions can help ensure that easy-to-solve sets of equations are unlikely to arise.

The Feistel Ladder

[Figure: the Feistel ladder. Input halves m0, m1; round functions fk1 ... fk7 under subkeys k1 ... k7. At each stage the output of the round function is added (⊕) to the half from the previous stage: m2 = m0 ⊕ fk1(m1), m3 = m1 ⊕ fk2(m2), ..., m8 = m6 ⊕ fk7(m7). The output is the pair m7, m8.]

Example Feistel Cipher

To make the example easier to follow we use functions over the set {0, 1, 2, 3, 4} and addition modulo 5 as our mixing operation. The plaintext pair (3, 2) is enciphered as follows:

[Figure: encoding with three rounds using the lookup tables
 f1: 0→4, 1→2, 2→4, 3→1, 4→1
 f2: 0→3, 1→2, 2→4, 3→2, 4→0
 f3: 0→0, 1→2, 2→3, 3→0, 4→3
 (3, 2) → (2, 2) → (2, 1) → (1, 4); the pair (1, 4) is sent over the communication channel.]

The ciphertext is deciphered as follows:

[Figure: decoding. The received pair (1, 4) is passed back through f3, f2 and f1 in reverse order, recovering (3, 2).]

To emphasise that this process is invertible for every message, every possible plaintext block of two characters was encrypted.

ALL POSSIBLE PLAINTEXT PAIRS → CORRESPONDING CIPHERTEXTS
(0,0)→(0,4)  (1,0)→(3,0)  (2,0)→(2,4)  (3,0)→(4,0)  (4,0)→(2,1)
(0,1)→(0,2)  (1,1)→(3,3)  (2,1)→(1,1)  (3,1)→(4,3)  (4,1)→(3,1)
(0,2)→(2,2)  (1,2)→(0,0)  (2,2)→(4,4)  (3,2)→(1,4)  (4,2)→(4,1)
(0,3)→(0,1)  (1,3)→(2,0)  (2,3)→(0,3)  (3,3)→(3,4)  (4,3)→(1,2)
(0,4)→(1,3)  (1,4)→(3,2)  (2,4)→(1,0)  (3,4)→(4,2)  (4,4)→(2,3)


Notice that the corresponding ciphertext pairs are all distinct.
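The mod-5 cipher above, as an added example that is not part of the slides: the three round tables read off the worked figure (f1 applied first, checked against the full codebook above), the encryption trace for (3, 2), the inverse round used for deciphering, and a check that all 25 plaintext pairs give distinct ciphertexts. Function and variable names are mine.

```python
# Toy three-round Feistel cipher over {0,1,2,3,4} with addition mod 5 as the
# mixing operation. The round tables below were read off the slides' worked
# figure (f1 applied first) and agree with the full codebook on the slides.
M = 5
ROUND_FUNCTIONS = [
    {0: 4, 1: 2, 2: 4, 3: 1, 4: 1},  # f1
    {0: 3, 1: 2, 2: 4, 3: 2, 4: 0},  # f2
    {0: 0, 1: 2, 2: 3, 3: 0, 4: 3},  # f3
]

def feistel_encrypt(pair, funcs=ROUND_FUNCTIONS, m=M):
    """One round maps (w1, w2) to (w2, f(w2) + w1 mod m); f1, f2, f3 in turn.
    Returns the ciphertext pair and the trace of intermediate pairs."""
    w1, w2 = pair
    trace = [(w1, w2)]
    for f in funcs:
        w1, w2 = w2, (f[w2] + w1) % m
        trace.append((w1, w2))
    return (w1, w2), trace

def feistel_decrypt(pair, funcs=ROUND_FUNCTIONS, m=M):
    """Inverse round: from (c1, c2) = (w2, f(w2) + w1) recover w2 = c1 and
    w1 = c2 - f(c1) mod m. The round functions are applied in reverse order
    and never need to be invertible themselves (f1 is not a bijection)."""
    c1, c2 = pair
    for f in reversed(funcs):
        c1, c2 = (c2 - f[c1]) % m, c1
    return (c1, c2)

def codebook(funcs=ROUND_FUNCTIONS, m=M):
    """Encrypt every one of the m*m plaintext pairs."""
    return {(a, b): feistel_encrypt((a, b), funcs, m)[0]
            for a in range(m) for b in range(m)}

def is_permutation(funcs=ROUND_FUNCTIONS, m=M):
    """All ciphertexts distinct, so every ciphertext deciphers to one plaintext."""
    return len(set(codebook(funcs, m).values())) == m * m

if __name__ == "__main__":
    ct, trace = feistel_encrypt((3, 2))
    print("trace:", trace)                  # [(3, 2), (2, 2), (2, 1), (1, 4)]
    print("decrypt:", feistel_decrypt(ct))  # (3, 2)
    print("25 distinct ciphertexts:", is_permutation())  # True
```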

The Data Encryption Standard (DES)

An algorithm published in 1977 by the American National Bureau of Standards.
A monoalphabetic (block) cipher with an alphabet of 2^64 letters.
Officially it is now known as the Data Encryption Algorithm (DEA), but it is still usually referred to as DES.
The operation of DES is complex and a demonstration of its operation is provided in CrypTool, which you can run at your own pace.
In the pull-down menu go to:
Indiv. Procedures/Visualization of Algorithms/DES
A summary of the operation of DES is provided below, which you should read in conjunction with the demonstration.
The cipher used to encrypt data traffic in WiMAX 802.16-2004 is 56-bit DES in cipher block chaining (CBC) mode.

After passing through an initial bit permutation (IP) the 64 bits are passed through a 16-round Feistel cipher and then through IP^-1.
The initial permutation is not cryptographically significant.
The DES ladder is a Feistel ladder with 16 stages or rounds.
Each of the stages in the ladder has the following structure:
Each of the 16 stages requires a 48-bit subkey, ki.
These are generated from the original 56-bit key according to the following key schedule.

[Figure: key schedule. The 56-bit key is split into two 28-bit halves, which are shifted and then compressed to a 48-bit subkey.]

The E-box expands a 32-bit block to a 48-bit block by permuting bits and repeating some.
This ensures that each input bit can affect the result of more than one S-box application, so that each output bit depends on every input bit after as few rounds of the cipher as possible.
The E-box also makes the result the same size as the subkey for the XOR operation, and provides a longer result that can be compressed in the S-box.
The 56-bit key is split into two halves, then the halves are circularly shifted by either one or two bits, depending on the round; finally 48 of the 56 bits are selected and their order permuted.
The S-box splits its 48-bit input into 8 blocks of 6 bits. Each 6-bit block is mapped to a 4-bit result in a substitution table, and thus the output of S is again 32 bits.
Note that these 8 substitutions are independent of each other.
Much of the work in designing DES was to design the 8 S-box tables.
The S-box tables are nonlinear transformations, the crucial elements of the cipher.
The resulting 32 bits are permuted in the P-box.

[Figure: one DES round. The 32-bit right half is expanded by the E-box to 48 bits, XORed (+) with the 48-bit subkey ki, reduced by the S-boxes to 32 bits and permuted by the P-box; this 32-bit result, fki, is XORed with the 32-bit left half.]

DES Configurations
They are defined in the ANSI Standard X3.106-1982, Modes of Operation of the DEA.
ECB: Electronic Codebook
In this mode a 64-bit plaintext is encrypted once using one 56-bit DES key.
This mode is vulnerable to a known plaintext attack by exhaustive key search.
A symmetry means that there are only 2^55 keys to try. This is a big number, but not so big that it is out of range of special purpose hardware, or massively parallel processors.

[Figure: ECB mode. Encryption: plaintext → input block → DES Encrypt → output block → ciphertext. Decryption: ciphertext → input block → DES Decrypt → output block → plaintext.]

ECB mode is generally used only for key encryption.

The Electronic Frontier Foundation funded a team of engineers to build a DES cracking machine at a cost of $210,000.
o In a demonstration at a 1998 Crypto conference, the device produced the plaintext to a DES message in less than 24 hours.
More recently, the vulnerability of DES in this mode to a known plaintext attack has led to its replacement by triple DES.
Triple Encryption
One could increase the strength of a block cipher by applying it twice with different keys; this would appear to increase the size of the keyspace to search to 2^(2n) keys (from 2^n).
BUT double-DES is vulnerable to a known plaintext attack, the meet-in-the-middle attack, that only needs 2^(n+1) rather than 2^(2n) encryptions to be performed.
Better is triple DES with three different DES keys.
Triple DES works because DES is not a group, so encrypting a plaintext under one DES key and then encrypting the result under another key is not always equivalent to a single encryption under a single key.

[Figure: triple DES (encrypt-decrypt-encrypt). Encryption: plaintext → DES Encrypt (K1) → DES Decrypt (K2) → DES Encrypt (K3) → ciphertext. Decryption: ciphertext → DES Decrypt (K3) → DES Encrypt (K2) → DES Decrypt (K1) → plaintext.]

Triple DES is now very popular, primarily because key size remains in practice the only true point of attack in DES.
The best meet-in-the-middle attack for triple DES with three keys requires 2^(2n) trial encryptions, and thus effectively doubles the key size of DES to 112 bits, and should prevent decryption by an enemy capable of single-key exhaustive search.
Of course, using triple encryption takes three times as long as single-encryption DES.
WiMAX 802.16-2004 uses Triple-DES key wrapping in its Privacy and Key Management protocol.

CBC: Cipher Block Chaining
In CBC mode, a random initialisation vector (IV) is transmitted and also XORed with the first block of plaintext.
The result is then encrypted with DES and transmitted.
The result is also XORed with the next data block and the process repeated.
CBC mode helps protect against certain attacks, although not against exhaustive search or a technique called differential analysis.
This is a useful technique for preventing an adversary from building up a codebook of plaintext-ciphertext pairs.
It also prevents replay and deletion of single blocks, although it does not provide full authentication.
In practice, CBC is a widely used mode of DES, and is specified in several standards.
For additional security, one could use triple encryption with CBC, but since single DES in CBC mode is usually considered secure enough, triple encryption is not often used.

[Figure: CBC mode. The IV is XORed with the first plaintext block before DES Encrypt; each later plaintext block is XORed with the previous ciphertext block before encryption. Decryption: each ciphertext block is passed through DES Decrypt and XORed with the previous ciphertext block (the IV for the first block) to recover the plaintext.]

CFB: Cipher Feedback Mode

This is a variant of CBC which does not require that a full 64-bit block is received before encryption can begin.
The plaintext is enciphered in blocks of k bits at a time and each ciphertext block of k bits is fed into a 64-bit shift register.
The shift register is the input to the DES for the next block of k bits.
This mode is useful when the text is character-based and in some network applications where data blocks are smaller than 64 bits.
Both CBC and CFB have the disadvantage that any missing or inserted bits at any point in the message will cause all subsequent message blocks to be incorrectly deciphered.
o This is called error propagation.


OFB: Output Feedback

OFB mode protects against error propagation because ciphertext is not fed back into either the encryption or decryption process.
For security, even if only k bits are output at each stage, all 64 bits should be used for feedback.


Example: Mickey Mouse

[Figure: the original picture; the same picture encrypted in ECB mode; the same picture encrypted in CBC mode.]

Weak Keys
In DES there are four keys for which encryption is exactly the
same as decryption so encrypting twice with one of these
weak keys recovers the original plaintext.
However, the number of weak keys is such a small fraction of
all possible keys that the chance of picking one at random is
very small so they pose no significant threat to security.
Algebraic Attacks

DES is not open to any attack based on the algebraic structure of groups because it has been proved not to be a group.
DES has been controversial since its inception for a number of reasons:
Design details were kept secret.
This led to speculation that it had a trapdoor. (In reality the reason was that DES was designed to be resistant to differential cryptanalysis. When DES was designed this method of attack was known only to the intelligence community and was classified.)
Shortness of the key also caused controversy.
It has been argued that it should be 128 bits as in the original Lucifer system.
DES is now very old and ECB mode is now vulnerable to a known plaintext attack by exhaustive key search.
The Advanced Encryption Standard (AES) has been proposed as the replacement for DES.
There are of course other block ciphers and the following have gained commercial acceptance:
IDEA, Blowfish, RC4, CAST-128.


Modes of operation for symmetric key block ciphers

In 2001 NIST issued a recommendation that defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm:

Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)

Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.


CTR: Counter
In both CTR encryption and CTR decryption, the forward
cipher functions can be performed in parallel.
Similarly, the plaintext block that corresponds to any particular
ciphertext block can be recovered independently from the
other plaintext blocks if the corresponding counter block can
be determined.
Moreover, the forward cipher functions can be applied to the
counters prior to the availability of the plaintext or ciphertext
data.
In Wi-Fi RSN the security protocol built around AES is called
Counter Mode CBC MAC Protocol or CCMP.
Basic counter mode does not provide any message
authentication, only encryption.
o Therefore, for RSN, additional capabilities are added.
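The modes discussed above (ECB, CBC, OFB and CTR; CFB is omitted), as an added example that is not from the slides, run over a constructed toy 8-bit block cipher (a keyed byte permutation, not DES, so each byte is one block). It shows the ECB codebook leak behind the Mickey Mouse pictures, how a single flipped ciphertext bit damages two blocks in CBC but only one in OFB, and the independent per-block recovery of CTR. The toy cipher, key, IV and nonce values are my assumptions.

```python
import random

# Constructed toy 8-bit block cipher (assumed for illustration, NOT DES): a fixed
# random byte permutation keyed by XOR. Only the mode logic below matters.
_SBOX = list(range(256))
random.Random(2024).shuffle(_SBOX)
_INV = [0] * 256
for _i, _s in enumerate(_SBOX):
    _INV[_s] = _i

def enc_block(k, b): return _SBOX[b ^ k]
def dec_block(k, c): return _INV[c] ^ k
def ecb_encrypt(k, pt):
    # Blocks enciphered independently: equal plaintext blocks give equal
    # ciphertext blocks (the codebook leak visible in the ECB picture).
    return bytes(enc_block(k, b) for b in pt)

def cbc_encrypt(k, iv, pt):
    out, prev = bytearray(), iv
    for b in pt:
        prev = enc_block(k, b ^ prev)  # previous ciphertext block chained in
        out.append(prev)
    return bytes(out)

def cbc_decrypt(k, iv, ct):
    out, prev = bytearray(), iv
    for c in ct:
        out.append(dec_block(k, c) ^ prev)
        prev = c
    return bytes(out)

def ofb_crypt(k, iv, data):
    # Keystream is the repeatedly encrypted IV; ciphertext is never fed back,
    # so one function both encrypts and decrypts.
    out, s = bytearray(), iv
    for b in data:
        s = enc_block(k, s)
        out.append(b ^ s)
    return bytes(out)

def ctr_crypt(k, nonce, data, start=0):
    # Block i depends only on counter nonce+i: blocks can be processed in
    # parallel, and any single block can be recovered on its own.
    return bytes(b ^ enc_block(k, (nonce + start + i) & 0xFF) for i, b in enumerate(data))

def damaged_blocks(k, iv, pt, mode):
    """Flip one ciphertext bit in block 3; list the plaintext blocks that then decrypt wrongly."""
    ct = bytearray((cbc_encrypt if mode == "cbc" else ofb_crypt)(k, iv, pt))
    ct[3] ^= 0x01
    rec = cbc_decrypt(k, iv, bytes(ct)) if mode == "cbc" else ofb_crypt(k, iv, bytes(ct))
    return [i for i in range(len(pt)) if rec[i] != pt[i]]
```

In CBC the flipped block itself decrypts to garbage and the one bit is carried into the next block; OFB decryption flips just that bit, which is the error-propagation difference the slides describe.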


Advanced Encryption Standard

DEA was designed for hardware implementation and consequently cannot be implemented efficiently in software.
Consequently, Triple DES is relatively slow to encrypt and decrypt when implemented in software, and a more efficient replacement is desirable.
Furthermore, Triple DES encodes messages in blocks of 64 bits, and a larger block size, giving a larger input alphabet, is desirable for greater security.
In 1997 the US National Institute of Standards and Technology (NIST) announced it would be developing an Advanced Encryption Standard (AES) as a replacement for DES.
NIST stipulated that AES would specify an unclassified, publicly disclosed encryption algorithm available royalty free, worldwide, and that the algorithm would be a symmetric key block cipher supporting input blocks of at least 128 bits and key sizes of 128, 192, and 256 bits.
After a rigorous evaluation process, from an original field of 15 candidates, on 2 October 2000 the Rijndael cipher was selected by NIST for the AES.
The Rijndael cipher was invented by Belgian researchers Joan Daemen and Vincent Rijmen.

AES was published as Federal Information Processing Standards (FIPS) publication 197 on 4 December 2001.
Algorithm specification
The Rijndael cipher is an iterated block cipher with a variable block length and variable key length, where a block is the smallest data size the algorithm will encrypt.
The block length and key length can be independently specified to be 128, 192 or 256 bits.
However, the variations of Rijndael which act on the larger block sizes are not included in AES.
Rijndael is not a Feistel cipher.
AES contains nonlinear (S-box substitution) and linear (ShiftRow and MixColumn) mixing layers.
Each block of plaintext is encrypted several times with a repeating sequence of various functions that constitute a so-called round.
The number of rounds used depends on the key length.
For a key length of 128 bits 10 rounds are used, for a key length of 192 bits 12 rounds are used, and for a key length of 256 bits 14 rounds are used.


For an excellent demonstration of 10-round AES encryption, from the CrypTool pull-down menu choose:
Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Animation
For an illustration of AES decryption choose:
Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Inspector


Concluding Remarks
On 17 May 2005 software implementations of AES were shown to be vulnerable to a timing attack.
o Timing attacks assume that an attacker knows how long a particular encryption operation takes.
o At the moment it is not clear how serious a problem this attack represents.
The recommended modes of operation of AES are ECB, CBC, CFB, OFB and CTR, although many others have been proposed.
The result of every step in the encryption process is dependent on every bit of the key.
AES has very limited RAM and ROM memory requirements and so is suitable for use in restricted-resource environments such as smart cards.
o One current recommendation for 3GPP AKA algorithms is MILENAGE, which is based on AES.
It is likely to take several years for AES to replace DES.
It is important to note that AES is freely available worldwide.