Block Cipher Design Principles


Unit 2
INTRODUCTION
Block ciphers:
• Encrypts a block of plaintext as a whole to
produce same sized ciphertext.
• Typical block sizes are 64 or 128 bits
• Most of the ciphers are block ciphers.
• If the message is large, modes of operation
are used.
Introduction contd..
Stream ciphers:
• Stream ciphers process messages a bit or byte
at a time when en/decrypting
Block cipher basic principles
General conditions for creating secure block
ciphers:
1. The block size has to be large
2. The key space (and hence the key length) must be large
Block cipher basic principles contd..
General principles in designing secure block ciphers :
Diffusion:
• Diffusion hides the relationship between ciphertext and
plaintext.
• The goal is to spread the information from the plaintext
over the entire ciphertext so that changes in plaintext
affect many parts of the ciphertext.
Confusion:
• Confusion hides the relationship between ciphertext and key.
• The dependence of the ciphertext on the plaintext should
be complex enough that an enemy can't find the rules.
The Feistel structure: processing in rounds
• Block ciphers are designed with many rounds
where basic round accomplishes the core
function f for basic confusion and diffusion.
• The input of a round is the output of the
previous round and a subkey which is
generated by a key-schedule algorithm.
• The decryption is a reverse process where the
sub-keys are handled in the reverse order
Block cipher basic principles contd..
Feistel cipher design principles:
Block cipher design principles
1. Number of rounds
2. Design of function F
3. S-box design
Block cipher design principles
1. Number of Rounds
• The greater the number of rounds, the more
difficult it is to perform cryptanalysis, even for
a relatively weak F.

• It is easy to determine the strength of an
algorithm and to compare different
algorithms.
Block cipher design principles
2. Design of Function F
• The heart of a Feistel block cipher is the function F.
• The function F provides the element of confusion.
Characteristics of F:
1. F should be nonlinear, i.e. not straightforward
– The more nonlinear F is, the more difficult cryptanalysis becomes.
2. Have good avalanche properties.
– Strict Avalanche Criterion (SAC)
3. The bit independence criterion (BIC)
– States that output bits j and k should change independently when
any single input bit i is inverted, for all i, j, and k.
Block cipher design principles
3. S-box design
• One obvious characteristic of the S-box is its
size.
– An n x m S-box has n input bits and m output bits.
• DES has 6 x 4 S-boxes.
• Blowfish has 8 x 32 S-boxes.
– Larger S-boxes are more resistant to differential
and linear cryptanalysis.
• For practical reasons, a limit of n equal to about 8 to 10
is usually imposed.
Block cipher design principles
3. S-box design contd..
• S-boxes are typically organized in a different
manner than used in DES.
– An n x m S-box typically consists of 2^n rows of m
bits each.
– Example, in an 8 x 32 S-box
• If the input is 00001001, the output consists of the 32
bits in row 9.
Block cipher design principles
3. S-box design contd…
• Mister and Adams proposed the following criteria for S-box design:
– S-box should satisfy both SAC and BIC.
– All linear combinations of S-box columns should
be bent.
• Bent functions
– A special class of Boolean functions that are highly nonlinear
according to certain mathematical criteria.
Avalanche effect
• A small change in either the plaintext or the
key should produce a significant change in the
ciphertext.
• In particular, a one-bit change in either the
plaintext or the key should change about half of the bits in the
ciphertext
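Added example, not part of the original slides: a toy 64-bit Feistel cipher that shows decryption as the same rounds with the subkeys reversed, and measures the avalanche effect for a one-bit plaintext change as the number of rounds grows. The round function F and the key schedule (both built on SHA-256) are assumptions of this example.

```python
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF

def subkeys(key):
    """Key schedule (assumed for this example): one 32-bit subkey per round."""
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]

def F(half, k):
    """Round function F (assumed): nonlinear mix of a 32-bit half and a subkey."""
    data = half.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def feistel(block, ks):
    """Run a 64-bit block through one Feistel round per subkey in ks."""
    L, R = block >> 32, block & MASK32
    for k in ks:
        L, R = R, L ^ F(R, k)      # input of a round = output of the previous one
    return (R << 32) | L           # final swap lets decryption reuse this routine

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])   # same rounds, subkeys reversed

def avalanche(key, block, rounds):
    """Average number of ciphertext bits that flip when one plaintext bit flips."""
    ks = subkeys(key)[:rounds]
    base = feistel(block, ks)
    flips = [bin(base ^ feistel(block ^ (1 << i), ks)).count("1") for i in range(64)]
    return sum(flips) / 64

KEY = b"constructed key"            # constructed sample values
BLOCK = 0x0123456789ABCDEF
```

With one round the average stays far below half of the 64 ciphertext bits; with 16 rounds it sits close to 32.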
Differential cryptanalysis
• Differential cryptanalysis is a form of
cryptanalysis which studies cryptographic
algorithms by observing how differences in
input affect differences on output.
Attack:
• chosen plaintext/ciphertext pairs
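Added example, not part of the original slides: the difference distribution table (DDT) is the standard way to measure how input differences map to output differences in an S-box. The 4 x 4 S-box of the PRESENT cipher and a constructed affine S-box are used as sample inputs; both choices are assumptions of this example, and the code assumes an n x n S-box.

```python
# 4 x 4 S-box of the PRESENT cipher (sample input chosen for this example)
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Affine 4 x 4 S-box constructed for contrast: rotate left one bit, XOR 0x5
AFFINE_SBOX = [(((x << 1) | (x >> 3)) & 0xF) ^ 0x5 for x in range(16)]

def ddt(sbox):
    """table[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for dx in range(size):
        for x in range(size):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table

def worst_differential(sbox):
    """Highest DDT count over all nonzero input differences, with its (dx, dy)."""
    table = ddt(sbox)
    return max((table[dx][dy], dx, dy)
               for dx in range(1, len(sbox)) for dy in range(len(sbox)))
```

A count of 16 means an input difference predicts the output difference with certainty, which is what the nonlinearity requirement on F and the S-boxes is meant to rule out.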
Modes of operation
• A block cipher algorithm takes a fixed-length input,
i.e. a block, and outputs a block of the same length.
• To encrypt files of various lengths we need to divide a
file into blocks of that given fixed length then the block
cipher works on each block separately.
Operation mode:
• The manner and structure in which we feed the block
cipher with blocks of the plaintext file and then pickup
and combine the output blocks to produce the
ciphertext file.
Note:
• we can use the same operation mode with different
block ciphers to construct different encryption systems
Modes of operation
1. Electronic Codebook (ECB) Mode
• This is the simplest mode of operation.
• Message is broken into independent blocks which are
encrypted using the same key.
• Each block is encoded independently of the other
blocks.
• It is like a (huge) codebook lookup.
Codebook: because, for a given key, there is a unique
ciphertext for every b-bit block of plaintext.
Ex:
• Each block of 64-bit plaintext is handled independently.
• The same 64-bit block has the same cipher text
1. Electronic Codebook (ECB) Mode contd..
– Key: K
– Plaintext: P = P1 P2…PN-1PN
– Ciphertext: C = C1C2…CN
• Encryption
• Ci = EK(Pi), 1≤i≤N
• Decryption
• Pi = DK(Ci), 1≤i≤N
1. Electronic Codebook (ECB) Mode contd..
• If the plaintext length is greater than b-bits, then
the plaintext is divided into b-bit blocks.
• If the last block is shorter than the block size,
then the remaining bits are padded.
Error Propagation
• A single bit error in transmission can create
errors in several bits in the corresponding block.
• The error does not have any effect on the other
blocks
Applications
– Secured Transmission of Encryption Keys.
Example:
1. Electronic Codebook (ECB) Mode contd..
Advantages and Limitations of ECB
• Repetitions in the message generate the same
ciphertext, particularly with data such as
graphics
• Main use is sending a few blocks of data
– To transmit a DES or AES key securely, ECB is the
appropriate mode to use.
• For lengthy messages, the ECB mode may not
be secure.
2. Cipher Block Chaining (CBC) Mode
• In CBC mode, each plaintext block is exclusive-ored
with the previous ciphertext block before being
encrypted.
• message is broken into blocks
• but these are linked together in the encryption
operation
• each previous cipher block is chained with the current
plaintext block, hence the name
• use Initial Vector (IV) to start process
• Ci = DESK1(Pi XOR Ci-1)
• C-1 = IV
• uses: bulk data encryption, authentication
2. Cipher block chaining (CBC) mode contd…
• Message is broken into blocks
• But these are linked together in the encryption
operation
• Each previous cipher block is chained with the
current plaintext block, hence the name.
• Use initial vector (IV) to start process
• Ci = EK(Pi XOR Ci-1)
• C0 = IV
APPLICATION :-
• Bulk data encryption, authentication.
2. Cipher block chaining (CBC) mode contd…
Initialization Vector (IV)
• The initialization vector (IV) should be known
by the sender and the receiver.
Error Propagation
• In CBC mode, a single bit error in ciphertext
block Cj during transmission may create errors
in most bits in plaintext block Pj during
decryption.
2. Cipher block chaining (CBC) mode contd…
• Goal:
– the same plaintext block is encrypted into different
ciphertext block
• Initial vector (IV)
– 64-bit long
– Fixed
Encryption:
• Padded plaintext: P’= P1P2…PN
• Ciphertext: C = C1C2…CN
– C1=EK(IV ⊕ P1)
– Ci=EK(Ci-1 ⊕ Pi), 2≤i≤N
2. Cipher block chaining (CBC) mode contd…
Decryption
• Key: K
• Ciphertext: C=C1C2…CN
• Padded plaintext: P=P1P2…PN
• P1=DK(C1) ⊕ IV
• Pi= DK(Ci) ⊕ Ci-1= (Ci-1⊕Pi)⊕Ci-1
2. Cipher block chaining (CBC) mode contd…
Advantages and Limitations of CBC
• each ciphertext block depends on all message
blocks up to that point
• thus a change in the message affects all ciphertext
blocks after the change as well as the original
block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change
bits of the first block, and change IV to compensate
– hence either IV must be a fixed value or it must be sent
encrypted in ECB mode before rest of message
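Added example, not part of the original slides: ECB and CBC side by side, following the formulas above, covering the repeated-block behaviour of ECB and the error propagation and IV dependence of CBC. The toy 16-bit cipher, key, IV and message are constructed for illustration.

```python
import random

BLOCK = 2  # toy 16-bit block so the whole codebook fits in a list
# Toy cipher (assumption of this example): a key-seeded permutation of all
# 16-bit blocks, i.e. the codebook itself. Not secure, illustration only.
TABLE = list(range(1 << 16))
random.Random("constructed demo key").shuffle(TABLE)
INVERSE = [0] * len(TABLE)
for p, c in enumerate(TABLE):
    INVERSE[c] = p

def E(b):  # EK
    return TABLE[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")
def D(b):  # DK
    return INVERSE[int.from_bytes(b, "big")].to_bytes(BLOCK, "big")

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(pt):
    return b"".join(E(blk) for blk in blocks(pt))    # Ci = EK(Pi)
def cbc_encrypt(iv, pt):
    out, prev = [], iv
    for blk in blocks(pt):
        prev = E(xor(blk, prev))                     # Ci = EK(Pi XOR Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(iv, ct):
    out, prev = [], iv
    for blk in blocks(ct):
        out.append(xor(D(blk), prev))                # Pi = DK(Ci) XOR Ci-1
        prev = blk
    return b"".join(out)

IV = bytes.fromhex("a5c3")                           # constructed IV
MSG = b"ABABABABCDCD"                                # constructed, block-aligned

def changed_blocks(j):
    """Flip one bit of ciphertext block j; list plaintext blocks that change."""
    ct = bytearray(cbc_encrypt(IV, MSG))
    ct[j * BLOCK] ^= 0x01
    got = blocks(cbc_decrypt(IV, bytes(ct)))
    return [i for i, (g, m) in enumerate(zip(got, blocks(MSG))) if g != m]
def decrypt_with_altered_iv(mask):                   # ciphertext untouched
    return cbc_decrypt(xor(IV, mask), cbc_encrypt(IV, MSG))
```

ECB maps the six plaintext blocks to only two distinct ciphertext blocks, while `changed_blocks(1)` shows a ciphertext bit error damaging block 1 and one bit of block 2, and `decrypt_with_altered_iv` shows that a changed IV bit changes exactly the same bit of the first plaintext block.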
3. Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure
ciphers, but the plaintext or ciphertext block sizes are to be
smaller.
3. Cipher Feedback (CFB) Mode contd..
Note:
• In CFB mode, encipherment and decipherment
use the encryption function of the underlying
block cipher.
The relation between plaintext and ciphertext blocks is
shown below:
3. Cipher Feedback (CFB) Mode contd..
CFB as a Stream Cipher

Cipher feedback (CFB) mode as a stream cipher


3. Cipher Feedback (CFB) Mode contd..
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
4. Output Feedback (OFB) Mode
In this mode each bit in the ciphertext is independent of the
previous bit or bits. This avoids error propagation.
4. Output Feedback (OFB) Mode contd..
OFB as a Stream Cipher
4. Output Feedback (OFB) Mode contd..
• Error propagation: Single bit error on cj may
only affect the corresponding bit of xj.
• IV need not be secret, but should be changed
if a previously used key is to be used again
Encryption:
Ci=Pi ⊕ E(K, [Ci-1 ⊕ Pi-1 ])
Decryption:
Pi =Ci ⊕ E(K, [Ci-1 ⊕ Pi-1 ])
5. Counter (CTR) Mode
In the counter (CTR) mode, there is no feedback. The
pseudorandomness in the key stream is achieved using a
counter.
5. Counter (CTR) Mode

Counter (CTR) mode as a stream cipher
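Added example, not part of the original slides: OFB, CTR and 8-bit CFB written as keystream generators, with a helper that flips one ciphertext bit and counts the damaged plaintext bits. Truncated SHA-256 stands in for the block cipher's encryption function, and the key, IV, nonce and message are constructed; all of these are assumptions of this example.

```python
import hashlib

B = 8  # block size in bytes (64 bits, as in the slides)

def E(key, block):
    # Stand-in for the cipher's encryption function (assumption of this
    # example): truncated SHA-256. These modes never call a decryption function.
    return hashlib.sha256(key + block).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key, iv, data):
    out, o = [], iv
    for i in range(0, len(data), B):
        o = E(key, o)                            # O_i = E(K, O_{i-1}), data-independent
        out.append(xor(data[i:i + B], o))
    return b"".join(out)                         # same routine encrypts and decrypts

def ctr(key, nonce, data):
    out = []
    for i in range(0, len(data), B):
        counter = nonce + (i // B).to_bytes(4, "big")   # no feedback at all
        out.append(xor(data[i:i + B], E(key, counter)))
    return b"".join(out)

def cfb8(key, iv, data, decrypt=False):
    out, reg = bytearray(), iv                   # reg: shift register of B bytes
    for byte in data:
        o = byte ^ E(key, reg)[0]                # process 8 bits at a time
        out.append(o)
        reg = reg[1:] + bytes([byte if decrypt else o])   # feed ciphertext back
    return bytes(out)

def bits_damaged(decrypt, ct, pt):
    """Flip the first ciphertext bit, decrypt, count wrong plaintext bits."""
    bad = bytes([ct[0] ^ 0x80]) + ct[1:]
    return sum(bin(a ^ b).count("1") for a, b in zip(decrypt(bad), pt))

KEY, IV, NONCE = b"constructed key", bytes(8), bytes(4)   # constructed values
PT = b"stream modes need no padding!"                     # length not a multiple of 8
```

In OFB and CTR the flipped bit damages exactly one plaintext bit; in CFB it also garbles the bytes decrypted while the bad ciphertext byte is still in the shift register.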


Comparison of Different Modes
• Electronic Codebook (ECB)
– Description: Each block of 64 plaintext bits is encoded independently using the same key.
– Typical application: Secure transmission of single values (e.g., an encryption key)
• Cipher Block Chaining (CBC)
– Description: The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext.
– Typical applications: General-purpose block-oriented transmission; authentication
• Cipher Feedback (CFB)
– Description: Input is processed j bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudorandom output, which is XORed with plaintext to produce next unit of ciphertext.
– Typical applications: General-purpose stream-oriented transmission; authentication
• Output Feedback (OFB)
– Description: Similar to CFB, except that the input to the encryption algorithm is the preceding DES output.
– Typical application: Stream-oriented transmission over noisy channel (e.g., satellite communication)
• Counter (CTR)
– Description: Each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
– Typical applications: General-purpose block-oriented transmission; useful for high-speed requirements