Block Ciphers And the Data

Encryption Standard
Stream ciphers and Block ciphers

■ A stream cipher is one that encrypts a digital data stream one

bit or one byte at a time. E.g. Vernam cipher
■ A block cipher is one in which a block of plaintext is treated as
a whole and used to produce a ciphertext block of equal
length.
■ Typically, a block size of 64 or 128 bits is used.
■ For block cipher cryptanalysis is very difficult
■ They seem applicable to a broader range of applications than
stream cipher.
■ The vast majority of network-based symmetric cryptographic
applications make use of block ciphers
Motivation for the feistel cipher structure

■ A block cipher operates on a plaintext block of n bits to

produce a ciphertext block of n bits.
■ There are 2n possible different plaintext blocks and for the
encryption to be reversible (i.e., for decryption to be possible),
each must produce a unique ciphertext block. Such a
transformation is called reversible, or nonsingular.
■ For n=2
■ Plaintext ciphertext Plaintext ciphertext
■ 00 11 00 11
■ 01 10 01 10
■ 10 00 10 01
■ 11 01 11 01
Ideal Block Cipher
Ideal Block Cipher (Conti…)

■ Above figure illustrate the logic of general substitution cipher

for n=4.

■ A 4-bit input produces one of 16 possible input states, which is

mapped by the substitution cipher into a unique one of 16
possible output state, each of which is represented by 4
ciphertext, it is known as ideal block cipher.
Ideal Block Cipher (Conti…)

■ Encryption and Decryption tables for substitution cipher of above figure

Plaintext ciphertext Ciphertext Plaintext

0000 1110 0000 1110
0001 0100 0001 0011
0010 1101 0010 0100
0011 0001 0011 1000
0100 0010 0100 0001
0101 1111 0101 1100
0110 1011 0110 1010
0111 1000 0111 1111
1000 0011 1000 0111
1001 1010 1001 1101
1010 0110 1010 1001
1011 1100 1011 0110
1100 0101 1100 1011
1101 1001 1101 0010
1110 0000 1110 0000
1111 0111 1111 0101
Ideal Block Cipher (Conti…)

■ Limitations of ideal block cipher

■ If a small block size, such as n=4 is used then the system is

equivalent to a classical substitution cipher. Such systems are
vulnerable to a statistical analysis of the plaintext.

■ An arbitrary reversible substitution cipher (the ideal block

cipher) for a large block size is not practical, however, from an
implementation and performance point of view
The feistel cipher

■ Feistel proposed the idea that use the concept of a product

cipher, which is the execution of two or more simple ciphers in
sequence in such a way that the final result or product is
cryptographically stronger than any of the component ciphers.

■ def: combines two or more transformations in a manner

intending that the resulting cipher is more secure than the
individual components

■ If S1: A → B and S2: B → C are ciphers,

■ so is S = S1 x S2 : A → C.
Diffusion and Confusion

■ The terms diffusion and confusion were introduced by claude

shannon.
■ Shannon’s concern was to prevent cryptanalysis based on
statistical analysis.
■ “Diffusion” = Transposition or Permutation
❑ abcd -> dacb

❑ DES

■ The mechanism of diffusion look for to make the statistical

relationship between the plaintext and ciphertext as complex
as possible in order to prevent attempts to deduce the key.
• modern Transposition ciphers take in N bits and permute using
lookup table : called P-Boxes
Diffusion and Confusion (Conti…)

■ “Confusion” = Substitution
❑ a -> b

❑ Caesar cipher

■ Confusion look for to make the relation between the statistic s

of the ciphertext and the value of the encryption key as
complex as possible again to prevent attempts to discover the
key.
• Modern substitution ciphers take in N bits and substitute N bits
using lookup table: called S-Boxes
Substitution Permutation Network (SPN) Ciphers
■ Claude Shannon introduced idea of substitution-permutation (S-P)
networks in 1949 paper
■ A SP network is a product cipher composed of a number of stages each
involving substitutions and permutations
■ encryption and decryption easy to implement in hardware.
Feistel cipher structure

■ Classical Feistel Network

Feistel cipher structure (Conti…)

■ Above figure shows the structure proposed by feistel.

■ The input to the encryption algorithm are a plaintext block of
length 2w bits and a key K.
■ The plaintext block is divided into two halves, L0 and R0.
■ Two halves of the data pass through n rounds of processing
and then combine to produce the ciphertext block.
■ Each round i has input Li-1 and Ri-1, derived from the previous
round, as well as a subkey Ki, derived from overall K.
■ In general, the sub keys Ki are different from K and from each
other.
Feistel cipher structure (Conti…)

■ All rounds have same structure.

■ A substitution is performed on the left half of the data. This is
done by applying a round function F to the right half of the
data and then taking the exclusive-OR of the output of that
function and the left half of the data. The function has the
same general structure for each round but is parameterized by
the round subkey Ki.
■ Following this substitution, a permutation is performed that
consists of the interchange of the two halves of the data.
■ This structure is a particular form of the
substitution-permutation network (SPN) proposed by shannon.
Feistel Cipher Design Elements

■ Block size

■ Larger block sizes mean greater security but reduced

encryption/decryption speed for a given algorithm.
■ The greater security is achieved by greater diffusion.
Traditionally, a block size of 64 bits has been considered a
reasonable tradeoff and was nearly universal in block cipher
design.
■ However, the new AES uses a 128-bit block size.
Feistel Cipher Design Elements (Conti…)

■ Key size

■ Larger key size means greater security but may decrease

encryption/decryption speed.
■ The greater security achieved by greater resistance to
brute-force attacks and greater confusion.
■ Key sizes of 64 bits or less are now widely considered to be
insufficient, and 128 bits has become a common size.
Feistel Cipher Design Elements (Conti…)

■ Number of rounds
■ The essence of the feistel cipher if that a single round offers
inadequate security but that multiple rounds offers increasing
security.
■ A typical size is 16 rounds.
■ Subkey generation algorithm
■ Greater complexity in this algorithm should lead to greater
difficulty of cryptanalysis.
■ Round function
■ Greater complexity generally means greater resistance to
cryptanalysis.
Feistel Cipher Design Elements (Conti…)

■ Fast software encryption/decryption

■ In many cases, encryption is embedded in applications or

utility functions in such a way as to prevent a hardware
implementation.
■ Accordingly, the speed of execution of the algorithm becomes
a concern.
Feistel Cipher Design Elements (Conti…)

■ Ease of analysis

■ Although we would like to make our algorithm as difficult as

possible to cryptanalysis, there is great benefit in making the
algorithm easy to analyze.
■ That is, if the algorithm can be concisely and clearly
explained, it is easier to analyze that algorithm for
cryptanalytic vulnerabilities and therefore develop a higher
level of assurance as to its strength.
■ DES, for example, does not have an easily analyzed
functionality.
Feistel Encryption Decryption Algorithm
Feistel Encryption Decryption Algorithm (Conti…)
Feistel Encryption Decryption Algorithm (Conti…)

■ Let
❑ F be the round function and
❑ K0,K1,K2, . . . ,KN+1 be the sub-keys for
❑ the rounds 0,1,2,3,….n respectively
■ Basic operation:
❑ split the plaintext block into two equal pieces, (L0, R0)
❑ for each round , compute
■ Li+1 = Ri
■ Ri+1 = Li F(Ri, Ki)
■ Then the ciphertext is (Rn, Ln)
■ Commonly, two pieces Rn and Ln are not switched after
the last round

Information & Network Security

Feistel Encryption Decryption Algorithm (Conti…)

■ Decryption of a ciphertext (Rn, Ln) is accomplished by

computing for i=0,1,2,3,….n
❑ R = L
i i+1
❑ L = R F(Li+1, Ki)
i i+1
■ Then (L0,R0) is the plaintext again.
■ One advantage of this model is that the round function F does
not have to be invertible, and can be very complex.
Feistel Encryption Decryption Algorithm (Conti…)

■ Round function in a Feistel cipher

Feistel Encryption Decryption Algorithm (Conti…)
Data Encryption Standard- History

■ The most widely used encryption scheme is based on the Data

Encryption Standard (DES) adopted in 1977 by the National
Bureau of Standards, now the National Institute of Standards
and Technology (NIST).
■ In the late 1960’s IBM set up a research project in computer
cryptography led by horst feistel.
■ The project concluded in 1971 with the development of an
algorithm with the designation LUCIFER, which was sold to
one of company of london for use in a cash-dispensing system,
also developed by IBM.
■ LUCIFER is a feistel block cipher that operates on blocks of
64 bits, using a key size of 128 bits.
Data Encryption Standard- History (Conti…)
■ Because of the promising results produced by the LUCIFER
project, IBM embarked on an effort to develop a marketable
commercial encryption product that ideally could be
implemented on a single chip.
■ The effort was headed by walter tuchman and carl meyer, and
it involved not only IBM researchers but also outside
consultants and technical advice from NSA.
■ The outcome of this effort was a refined version of LUCIFER
that was more resistant to cryptanalysis but that had a reduced
key size of 56 bits, to fit on a single chip.
■ In 1973, the national Bureau of Standards (NBS) issued a
request for proposals for a national cipher standard.
■ IBM submitted the results of its Tuchman-Meyer project and
this by far the best algorithm proposed and was adopted in
1977 as the Data Encryption Standard.
DES Overview

■ at the basic level, the algorithm is nothing more than

❑ a combination of the two basic techniques of encryption
■ confusion and diffusion
❑ initial permutation followed by
■ rounds of substitution and permutation on the text based on the key
■ 16 such Rounds
■ employs
❑ standard repetitions of arithmetic/logical operations on numbers
of 64 bits
❑ suitable for chip implementation
DES Overview (Conti…)

■ encrypts 64-bit data using a 56-bit key

■ Keys
❑ 64 bit but actually 56 bits

❑ every 8th bit is parity and is ignored

■ blocks
❑ 64 bit blocks in/out

❑ composed of bits numbered from left to right, i.e., the left

most bit of a block is bit one.

DES Encryption
DES Encryption (Conti…)

■ Initial Permutation
■ X=IP(M)

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
DES Encryption (Conti…)

■ Inverse Initial Permutation (IP-1)

■ Y = IP-1(X) = IP-1(IP(M))

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Details of Single Round of DES Algorithm
Details of Single Round of DES Algorithm (Conti…)

■ Above fig. shows the internal structure of a single round.

■ The left and right halves of each 64-bit intermediate value are
treated as separate 32-bit quantities, labeled L (left) and R
(right).
■ The round key Ki is 48 bits.
■ The R input is first expanded to 48 bits by using a table that
defines a permutation plus an expansion that involves
duplication of 16 of the R bits.
Details of Single Round of DES Algorithm (Conti…)

■ Expansion Permutation table (E-table)

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
Details of Single Round of DES Algorithm (Conti…)

■ Substitution (s-box)
Details of Single Round of DES Algorithm (Conti…)

■ Substitution (s-box) (Conti…)

■ Example:
■ 011001
■ First and last bits 01=row 1
■ Column = 1100= column 12
■ The value in row 1, column 12 is 9, so the output is 1001.
Details of Single Round of DES Algorithm (Conti…)
Details of Single Round of DES Algorithm (Conti…)

■ Permutation Function (P)

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
Details of Single Round of DES Algorithm (Conti…)
■ Key Generation
■ 64-bit key is used as input to the algorithm.
■ The bits of the key are numbered from 1 through 64; every eighth
bit is ignored.
■ Input key
1 2 3 4 5 6 7 8
9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24
25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64
Details of Single Round of DES Algorithm (Conti…)

■ Key Generation (Conti…)

■ Permuted choice one (PC-1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Details of Single Round of DES Algorithm (Conti…)
■ Key Generation (Conti…)
■ The resulting 56-bits key of (PC-1) is then treated as two 28-bit
quantities, labeled C0 and D0.
■ At each round Ci-1 and Di-1 are separately subjected to a circular
left shift of 1 or 2 bits governed by following table.
■ These shifted values serve as input to the next round.
■ They also serve as input to permuted choice two (PC-2) table.
■ Schedule of left Shift
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
No
Bits 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
rotated
Details of Single Round of DES Algorithm (Conti…)

■ Key Generation (Conti…)

■ Permutation choice two (PC-2)

14 17 11 24 1 5 3 28

15 6 21 10 23 19 12 4

26 8 16 7 27 20 13 2

41 52 31 37 47 55 30 40

51 45 33 48 44 49 39 56

34 53 46 42 50 36 29 32
The Avalanche Effect

■ A desirable property of any encryption algorithm is that a

small change in either the plaintext or the key should produce
significant change in the ciphertext – avalanche effect.
■ In particular, a change in one bit of the plaintext or one bit of
the key should produce a change in many bits of the
ciphertext.
■ If the change were small, this might provide a way to reduce
the size of the plaintext or size of key space.
The Strength of DES
■ The use of 56-bit keys
■ With the key length of 56 bits, there are 256 possible keys, which is
approximately 7.2x1016 keys. Thus, on the face of it, brute-force
attack appears impractical.
■ As far back as 1977, diffie and hellman postulated that the
technology existed to build a parallel machine with 1 million
encryption devices, each of which could perform one encryption per
microsecond.
■ The authors estimated that the cost would be about $20 million in
1977.
■ DES finally and definitively proved insecure in july 1998, when the
Electronic Frontier Foundation (EFF) announced that it had broken a
DES encryption using a special-purpose “DES Crackers” machine
that was built for less than $250000.
The Strength of DES (Conti…)
■ The nature of the DES Algorithm.
■ Another concern is the possibility that cryptanalysis is possible by
exploiting the characteristics of the DES algorithm.
■ The focus of concern has been on the eight substitution tables, or
S-boxes, that are used in each iteration.
■ Because the design criteria for these boxes, and indeed for the entire
algorithm, were not made public, there is a mistrust that the boxes
were constructed in such a way that cryptanalysis is possible for an
adversary who knows the weakness in the S-boxes.
■ This statement is attracting and over the years a number of
regularities and unexpected behaviors of the S-boxes have been
discovered.
■ Even if this , no one has so far succeeded in discovering the
supposed fatal weaknesses in the S-boxes.
The Strength of DES (Conti…)

■ Timing Attacks
■ Timing attack is one in which information about the key or the
plaintext is obtained by observing how long it takes a given
implementation to perform decryptions on various ciphertext.
■ A timing attack exploits the fact that an encryption or
decryption algorithm often takes slightly different amounts of
time on different inputs.
■ DES appears to be fairly resistant to a successful timing attack.
Differential and Linear Cryptanalysis

■ Differential Cryptanalysis attack

■ It found in 1990.
■ It required 247 chosen plain text.
■ The idea behind differential cryptanalysis is to observe the behavior
of pairs of text blocks evolving along each round of the cipher,
instead of observing the evolution of a single text block.
■ Linear Cryptanalysis
■ It is a minor improvement over differential cryptanalysis
■ This attack is based on finding linear approximations to describe the
transformations performed in DES.
■ This method can find a DES key given 243 known plaintexts, as
compared to 247 chosen plaintexts for differential cryptanalysis.
Block cipher design principles

■ DES design criteria

■ Number of rounds
■ Design of function F
■ Key schedule Algorithm