
II: BLOCK CIPHERS

Ms. Stevina Correia


Block Ciphers
• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
• Typically, a block size of 64 or 128 bits is used.
• As with a stream cipher, the two users share a symmetric encryption key.
• Using some of the modes of operation, a block cipher can be used to achieve the same effect as a stream cipher.
Prof. Stevina Correia-DJSCOE
Block Cipher Principles

• Stream Ciphers and Block Ciphers

• The Feistel Cipher
  • The use of a cipher that alternates substitutions and permutations.
  • Can have 3 components: self-invertible (XOR operation), invertible (straight D-box) and non-invertible (compression, expansion D-boxes).
• Non-Feistel Ciphers
  • Use only invertible components.

• Diffusion
  • Hide the relationship between ciphertext and plaintext.
  • Frustrate an adversary who uses ciphertext statistics to find the plaintext.
• Confusion
  • Hide the relationship between ciphertext and key.
  • Frustrate an adversary who uses ciphertext to find the key.
• Avalanche effect
  • A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext.
  • In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext. This is referred to as the avalanche effect.


Substitution or transposition
• Modern block ciphers are designed as keyed substitution ciphers because transposition (preserving the number of 0s and 1s) makes a cipher vulnerable to exhaustive search attacks.
• To provide confusion and diffusion, a modern block cipher is made up of a combination of transposition units for diffusion (D-boxes: straight, compression, expansion) and substitution units (S-boxes).


Modes of operation
• To apply a block cipher in a variety of applications, five modes of operation have been defined by NIST (National Institute of Standards and Technology).
• A mode of operation is a technique for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.

Electronic Code Book (ECB)
• A single key is used.
• If Pi repeats, the corresponding Ci also repeats.
• Suitable for encrypting small messages.


Cipher Block Chaining (CBC)
• In ECB, if Pi repeats, the corresponding Ci also repeats.
• CBC ensures that if Pi repeats, the identical plaintext blocks yield totally different Ci blocks.
• CBC uses a feedback mechanism.

• The IV (initialization vector) has no special meaning. It is used to make each message unique.
• The IV is randomly generated.
• It is not necessary to keep the IV secret. But for maximum security, both key and IV are kept secret.
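
Added example (not part of the original slides): the ECB and CBC behaviour described above, run over a toy 64-bit Feistel cipher built from SHA-256. The cipher, key, IVs and message are constructed stand-ins for DES, and the message length is assumed to be a multiple of the block size, so no padding is shown.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size

def round_f(half, subkey):
    # Non-invertible round function: a hash standing in for DES's expansion/S-box/P-box.
    return hashlib.sha256(subkey + half).digest()[:4]

def subkeys(key, rounds=8):
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, keys):
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, round_f(right, k))
    return right + left                      # final swap: the same network decrypts

def encrypt_block(key, block):
    return feistel(block, subkeys(key))

def decrypt_block(key, block):
    return feistel(block, subkeys(key)[::-1])   # round keys in reverse order

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))   # Ci = E(Pi xor Ci-1), with C0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct):
    return len(blocks(ct)) - len(set(blocks(ct)))   # blocks equal to an earlier block

KEY, PT = b"constructed-key", b"PAY 100$" * 3 + b"TO ALICE"   # constructed sample data
```

With this message, ECB leaks that three plaintext blocks are identical, while CBC under any IV shows no repeated ciphertext block and two different IVs give two different ciphertexts.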



Cipher Feedback Mode (CFB)
• CFB is used in cases where the data to be encrypted is smaller than the predetermined block size n (n = 64 for DES, 128 for AES).
• To encrypt an 8-bit (s bits) ASCII character, instead of using traditional ciphers, which are insecure, we use AES/DES in CFB mode.

• In CFB, the initialization vector (IV) is stored in a shift register.
• The IV is encrypted to produce the corresponding ciphertext.
• The leftmost s bits of the encrypted IV are XORed with the s bits of the first plaintext block.
• For each block (2 onwards), the shift register (IV) is made by shifting the previous IV by s bits to the left and filling the rightmost bits with the previous ciphertext block.

Output Feedback Mode (OFB)
• Similar to CFB.
• In CFB, the shift register (IV) is made by shifting the previous IV by s bits to the left and filling the rightmost bits with the previous ciphertext block.
• In the case of OFB, the output of the IV encryption process is fed to the next stage.
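
Added example (not part of the original slides): the shift-register updates for 8-bit CFB and OFB as described above, plus a check of how far one corrupted ciphertext bit spreads in each mode. The function E is an assumed stand-in for DES/AES encryption (truncated SHA-256), the s-bit OFB variant is assumed to mirror the CFB description, and the key, IV and message are constructed.

```python
import hashlib

N = 8   # shift-register width in bytes (64 bits, the DES block size); s = 8 bits per step

def E(key, register):
    # Stand-in for the block cipher's encryption direction, which is all CFB and OFB use
    # (assumption: truncated SHA-256 instead of DES/AES, so no library is needed).
    return hashlib.sha256(key + register).digest()[:N]

def cfb8(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for byte in data:
        o = E(key, reg)[0] ^ byte            # leftmost s bits of E(register) XOR s input bits
        out.append(o)
        fed_back = byte if decrypt else o    # in both directions this is the ciphertext byte
        reg = reg[1:] + bytes([fed_back])    # shift left by s bits, fill the right with it
    return bytes(out)

def ofb8(key, iv, data):
    reg, out = iv, bytearray()
    for byte in data:
        e = E(key, reg)
        out.append(e[0] ^ byte)
        reg = reg[1:] + e[:1]                # feed back the cipher output, not the ciphertext
    return bytes(out)                        # the same call encrypts and decrypts

def damaged_positions(mode_decrypt, ciphertext, plaintext, flip_at):
    # Flip one bit of one ciphertext byte and list the plaintext bytes that come out wrong.
    bad = bytearray(ciphertext)
    bad[flip_at] ^= 0x01
    recovered = mode_decrypt(bytes(bad))
    return [i for i, (a, b) in enumerate(zip(recovered, plaintext)) if a != b]

KEY, IV = b"constructed-key", bytes(range(N))     # constructed sample values
PT = b"0123456789abcdefghijklmnopqrstuv"          # constructed 32-character message
```

In CFB the damaged byte sits in the shift register for the next N steps, so up to N following characters decrypt wrongly before the stream recovers; in OFB only the damaged character is affected because the register never sees the ciphertext.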

Counter (CTR) mode
• Counter 1 = constant value
• For each block an updated counter value is used. The counter is generally incremented by 1.

Data Encryption Standard
• Real-life cryptographic algorithm
• Used in ECB, CBC, CFB mode
• Found vulnerable against very powerful attacks


How DES works?
• DES is a block cipher.
• Encrypts data in blocks of 64 bits each.
• Key length is 56 bits.
• The same algorithm and key are used for encryption and decryption, with minor differences.

Initial Permutation
• Happens only once, before the 1st round.
• Replace the 1st bit of the original plaintext block with the 58th bit of the original plaintext block.
• After IP, the resultant block is divided into 2 half blocks (LPT & RPT, 32 bits each).
• 16 rounds are performed on these 2 blocks.

• There are 16 steps; each is called a round.
• Each round performs the steps of substitution and transposition.


Rounds
• Each of the 16 rounds consists of the following steps:


Parity drop (compression transposition step)
• The key is actually 64 bits.
• Before the DES process starts, every 8th bit of the key (8, 16, 24, 32, 40, 48, 56, 64) is discarded to produce a 56-bit key.
• A compression D-box is used for the parity drop.

• Key Transformation:
  • Initial key: 64 bits → discard 8th bit → 56-bit key → a different 48-bit key is generated using key transformation.
  • Here, the 56-bit key is divided into 2 halves, 28 bits each.
  • These halves are circularly shifted left depending upon the round as follows:

• The compression box (D-box/P-box) changes the 56 bits to 48 bits.
• The key transformation process involves permutation as well as compression (bit 18 + 7 more), hence it's called compression permutation.

Table 6.14 Key-compression table

• Expansion Permutation:
  • Recall that after IP, the resultant block is divided into 2 half blocks (LPT & RPT, 32 bits each).
  • During expansion permutation, the RPT is expanded from 32 bits to 48 bits.
  • This process involves permutation as well as expansion, hence it's called expansion permutation.
  • Process:
    • The 32-bit RPT is divided into 8 blocks (4 bits each).
    • Each 4-bit block is expanded to a 6-bit block.

Table 6.6 Expansion D-box/P-box table

• Now, the 48-bit key is XORed with the 48-bit RPT.

• S-box Substitution:
  • Receives a 48-bit input and produces a 32-bit output using the substitution technique (using 8 substitution boxes/S-boxes).
  • Each S-box takes a 6-bit input and produces a 4-bit output.
  • The 48 bits are divided into 8 sub-blocks (6 bits each). Each sub-block is given to one of the 8 S-boxes.
  • An S-box is conceptually a table that has 4 rows (0-3) and 16 columns (0-15).


E.g.:
1. The input to S-box 1 is 100011. What is the output?
2. The input to S-box 2 is 101101. What is the output?


S-boxes (substitution s boxes)


• P-Box Permutation / straight permutation / straight D-box
  • Just permuting the input 32 bits to obtain a 32-bit output.

• XOR & Swap:
  • Steps 1-4 are done only on the RPT. The LPT is untouched so far.
  • The LPT is XORed with the step 4 output (the output of the P-box permutation).
  • The result becomes the new RPT and the old RPT becomes the LPT.

Final permutation
• At the end of the 16 rounds, the final permutation is performed (only once).
• The output of the final permutation is the 64-bit encrypted block.

DES Decryption
• The only difference between encryption and decryption is the reversal of key portions.
• If the original key K was divided into K1, K2, ..., K16 for the 16 encryption rounds, then for decryption the keys should be used as K16, K15, ..., K1.


Double DES

• Double DES (2-DES) suffers from the meet-in-the-middle attack.
• To overcome this, triple DES (3-DES) was developed.


Meet in the Middle Attack
• At first glance, it looks like double DES increases the number of tests for key search from 2^56 (in single DES) to 2^112 (in double DES).
• However, a known-plaintext attack called the meet-in-the-middle attack proves that double DES improves this vulnerability only slightly (to 2^57 tests), not tremendously (to 2^112).

• The point is that the middle text M, the text created by the first encryption or the first decryption, should be the same for encryption and decryption to work. In other words, we have two relationships:
  • M = Ek1(P) and M = Dk2(C)
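
Added example (not part of the original slides): the two relationships M = Ek1(P) and M = Dk2(C) used to search a double encryption, on a toy 32-bit cipher with 16-bit keys so that the 2^56 / 2^57 / 2^112 figures above scale down to 2^16 / 2^17 / 2^32. The cipher, keys and plaintexts are constructed for illustration and share nothing with DES internals.

```python
MASK, KEYBITS = 0xFFFFFFFF, 16
MUL = 0x9E3779B1                  # odd, hence invertible modulo 2**32
INV = pow(MUL, -1, 1 << 32)

def enc(k, p):
    # Toy 32-bit block cipher with a 16-bit key (constructed; far weaker than DES).
    for _ in range(3):
        p = ((p ^ (k * 0x10001)) * MUL) & MASK
        p = ((p << 7) | (p >> 25)) & MASK
    return p

def dec(k, c):
    for _ in range(3):
        c = ((c >> 7) | (c << 25)) & MASK
        c = ((c * INV) & MASK) ^ (k * 0x10001)
    return c

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))        # C = Ek2(Ek1(P))

def meet_in_the_middle(pairs):
    """Return (candidate key pairs, single-cipher operations spent on the search)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    work, middle = 0, {}
    for k1 in range(1 << KEYBITS):    # forward half: M = Ek1(P) for every k1
        middle.setdefault(enc(k1, p1), []).append(k1)
        work += 1
    found = []
    for k2 in range(1 << KEYBITS):    # backward half: M = Dk2(C) for every k2
        work += 1
        for k1 in middle.get(dec(k2, c1), []):
            # A match on one pair can be a coincidence; confirm on the other pairs.
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found, work

K1, K2 = 0xBEEF, 0x1234                                  # constructed secret keys
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x01234567, 0x89ABCDEF)]
```

The search costs 2 * 2^16 cipher operations plus a table of 2^16 middle values, which is why a second DES key adds about one bit of work rather than 56, and why triple DES is used instead.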


Triple DES
• Triple DES with 2 keys


Triple DES
• Triple DES with 3 keys


Cryptanalysis of DES
• Brute force
  • Best case: 1 attempt
  • Worst case: 2^n (n is the size of the key)
  • Average case: 2^(n-1)


• Differential cryptanalysis: uses a chosen-plaintext attack
  • The number of rounds and the S-boxes are designed to make DES resistant against this type of attack.
  • It is shown that DES can be broken with 2^47 chosen plaintexts or 2^55 known plaintexts (impractical).

• Linear cryptanalysis: uses known-plaintext attacks
  • DES is more vulnerable to this type of attack.
  • The S-boxes are not resistant to linear cryptanalysis.
  • Can be broken using 2^43 pairs of known plaintext (unlikely).


AES (Advanced Encryption Standard)
• 3 criteria for selecting AES:
  • Security, cost and implementation.
• Features of AES:
  • Symmetric and parallel structure.
  • Stands up well against cryptanalysis attacks.
  • Adapted to modern processors.
  • Suited to smart cards.
• AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits, or 16 bytes.

Data Units
• Bit: 0, 1
• 1 Byte: 8 bits
• Word: 32 bits = 4 bytes
• Block: 128 bits (AES) = 16 bytes
• State: the 16 bytes of a block treated as a matrix of 4*4 bytes


Figure 7.4 Changing plaintext to state

Figure 7.1 General design of AES encryption cipher

Broad Steps (AES-128)
• Generate round keys using the key expansion schedule
• Actual rounds, depending upon the number of rounds


Generate round keys using key expansion schedule
• Number of round keys = number of rounds + 1
• AES-128: #rounds = 10 => #round keys = 11
• The original key of 16 bytes (128 bits) is expanded into a key containing 11*16 bytes (176 bytes = 1408 bits).
  • 11 states (matrices) of 4*4 bytes


Key expansion schedule
• The AES key expansion algorithm takes as input a four-word (16-byte) key (original) and produces a linear array of 44 words (176 bytes).
• This is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher.


• The original key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in four words at a time.
• Each added word w[i] depends on the immediately preceding word, w[i - 1], and the word four positions back, w[i - 4].
• In three out of four cases, a simple XOR is used.
• For a word whose position in the w array is a multiple of 4, a more complex function is used.


• Rotate: [B1, B2, B3, B4] → [B2, B3, B4, B1]
• Substitute: byte substitution using the S-box


Example
• Suppose the 4-word key is as follows:

Byte position | 0  1  2  3  | 4  5  6  7  | 8  9  10 11 | 12 13 14 15
Value         | 00 01 02 03 | 04 05 06 07 | 08 09 0A 0B | 0C 0D 0E 0F
Word          | W0          | W1          | W2          | W3

• W[4] = ?
• Temp = W[3] = 0C 0D 0E 0F
• Rotate(W[3]) = 0D 0E 0F 0C
• Subword(0D 0E 0F 0C) = D7 AB 76 FE
• Add constant (i/4) = 1 = 01: D7 AB 76 FE xor 01 00 00 00 = D6 AB 76 FE
• W[4] = W[0] xor D6 AB 76 FE = D6 AA 74 FD

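
Added example (not part of the original slides): AES-128 key expansion following the steps above, generalised from the single word W[4] to all 44 words and 11 round keys. The S-box is computed from its definition (multiplicative inverse in GF(2^8) followed by the affine transform) instead of being typed in as a table; all function names are this example's own.

```python
def gmul(a, b):
    # Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF

def sbox_byte(x):
    inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)  # 00 has no inverse
    return inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63

SBOX = [sbox_byte(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key_128(key):
    """Return the 44 words w[0..43], each as 4 bytes, for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]    # w[0..3] = the key itself
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]                      # Rotate
            temp = bytes(SBOX[b] for b in temp)             # Subword
            temp = bytes([temp[0] ^ RCON[i // 4 - 1]]) + temp[1:]   # add constant (i/4)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], temp)))
    return w

def round_keys(key):
    w = expand_key_128(key)
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]   # 11 keys of 16 bytes

KEY = bytes(range(16))   # 00 01 02 ... 0F, the key of the worked example above
```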
Actual rounds depending upon #rounds
• Each round consists of four distinct transformation functions:
  • SubBytes, ShiftRows, MixColumns, and AddRoundKey
• The pre-round section uses only a single transformation (AddRoundKey) before the first round, which can be considered Round 0.
• The final round contains only three transformations (SubBytes, ShiftRows, and AddRoundKey).

7.1.5 Structure of Each Round

Figure 7.5 Structure of each round at the encryption site

• SubBytes (substitute bytes): provides the confusion effect
  • To substitute a byte, we interpret the byte as two hexadecimal digits.
  • A predefined S-box is used.


subByte transformation table



InvSubByte transformation table



Example of subbyte


• ShiftRows
  • In encryption, the transformation is called ShiftRows.
• InvShiftRows
  • In decryption, the transformation is called InvShiftRows and the shifting is to the right.


• MixColumns:
  • We need an interbyte transformation that changes the bits inside a byte, based on the bits inside the neighboring bytes. We need to mix bytes to provide diffusion at the bit level.

Figure: Constant matrices used by MixColumns and InvMixColumns


• Multiplication is performed over a Galois field.
• Very complex, but it can be done easily with the use of 2 look-up tables (L-table and E-table).
• The numbers to be multiplied in MixColumns are written as 2-digit numbers (if a single digit, pad with a 0).
  • 1st digit horizontal, 2nd digit vertical
• E.g.: AB*CD
  • L(AB) + L(CD) = x
  • If x > FF, x = x - FF
  • Result: E(x)


L table



E table


• What is AF*8 over the Galois field?
  • L(AF) = B7
  • L(08) = 4B
  • B7 + 4B = 102 > FF
  • E(102 - FF = 03) = 0F

• [2 3 1 1] × column (87, 6E, 46, A6)
  • 2*87 xor 3*6E xor 1*46 xor 1*A6
  • E(L(02)+L(87))
Prof. Stevina Correia-DJSCOE


 AddRoundKey (Exor)
 AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word with each state
column matrix; the operation in AddRoundKey is
matrix addition.

 The AddRoundKey transformation is the


inverse of itself.

Prof. Stevina Correia-DJSCOE


Prof. Stevina Correia-DJSCOE
Prof. Stevina Correia-DJSCOE
Prof. Stevina Correia-DJSCOE
Avalanche Effect
• DES and AES exhibit the avalanche effect.
• AES exhibits a very strong avalanche effect.
• The AES avalanche effect is stronger than that of DES.

Key Expansion in AES-192 and AES-256


Analysis of AES
• Security
  • AES was designed after DES. Most known attacks on DES were tested on AES; none has broken the security of AES.
  • Brute force: 2^128 tests (minimum) to find the key (impossible).
  • Statistical attack: strong confusion and diffusion are provided by the SubBytes, ShiftRows and MixColumns transformations.
  • Differential and linear cryptanalysis: no such attacks on AES yet.

• Implementation
  • Can be implemented in software, hardware and firmware.
  • Transformations can be byte-oriented or word-oriented.
  • Byte-oriented: the algorithm can use an 8-bit processor.
  • Word-oriented: 32-bit processor.
• Simplicity and cost
  • The algorithms used in AES are simple and can be easily implemented using cheap processors and a minimum amount of memory.
