Information Security

Block Ciphers & Data Encryption Standard

Block Cipher Principles
Stream vs. Block Cipher
 Stream cipher is one that encrypts a digital
data stream one bit or one byte at a time
 e.g.Vigenere cipher
 Block cipher is one in which a block of
plaintext is treated as a whole and used to
produce a ciphertext block of equal length
 e.g. DES and AES
 The vast majority of network-based
cryptographic applications make use of block
cipher.
Claude Shannon and Substitution-
Permutation Ciphers
 in 1949 Claude Shannon introduced idea of
substitution-permutation (S-P) networks
 modern substitution-transposition product cipher
 these form the basis of modern block ciphers
 S-P networks are based on the two primitive
cryptographic operations we have seen before:
 substitution (S-box)
 permutation (P-box)
 provide confusion and diffusion of message
Confusion and Diffusion
 Cipher needs to completely obscure statistical
properties of original message
 Shannon suggested combining elements to obtain:
 confusion
 This is achieved by the use of a complex substitution
algorithm.
 The idea of confusion is to hide the relationship
between the ciphertext and the key.
 Diffusion
 This is achieved through numerous permutations
 The idea of diffusion is to hide the relationship between
the ciphertext and the plaintext
Rounds

 Diffusion and Confusion can be achieved using

iterated product ciphers where each iteration
is a combination of S-boxes, P-boxes, and other
components.
Product
Cipher
Diffusion and
Confusion can be
achieved using
iterated product
ciphers where each
iteration is a
combination of
S-boxes, P-boxes,
and other A product
components. cipher made
of two
rounds 7
Two Classes of Product Ciphers
 Modern block ciphers are all product ciphers,
but they are divided into two classes.

 Feistel ciphers

 Non-Feistel ciphers
Feistel Cipher
 Horst Feistel devised the feistel cipher
 based on concept of invertible product cipher
 partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 implements Shannon’s substitution-
permutation network concept
Feistel Cipher Structure
Feistel Cipher Design Principles
 block size  round function
 increasing size improves  greater complexity can make
security, but slows cipher analysis harder, but slows
 key size cipher
 increasing size improves  fast software en/decryption
security, makes exhaustive  embed encryption in
key searching harder, but software in such a way as to
may slow cipher preclude a hardware
 number of rounds implementation
 increasing number improves  ease of analysis
security, but slows cipher  if the algorithm can be easily
 subkey generation explained, it is easier to
analyze that algorithm for
 greater complexity can make vulnerabilities and therefore
analysis harder, but slows develop a higher level of
cipher assurance for its strength
Feistel
Cipher
 Simplified Data
Encryption Standard
S-DES
S-DES: An Overview
 Similar properties and structure to DES, with
much smaller parameters.
 Encryption
 It takes an 8-bit block of plain text and a 10-bit key
as input and produces an 8-bit block of cipher text
as output.
 Decryption
 It takes an 8-bit block of cipher text and the same
10-bit key used to produce that Ciphertext as input
and produces the original 8-bit block of plaintext.
S-DES Algorithm
Algorithm involves 5 functions
1. An initial permutation (IP).
2. A complex function, fk , that involves both
permutation and substitution operations and
depends on a key input.
3. A simple permutation function that switches the
two halves of the data (SW).
4. The function fk again.
5. A permutation function that is the inverse of the
initial one (IP-1).
S-DES Algorithm
C  (IP  f K 2  SW  f K1  IP)
-1

or
Ciphertext  IP -1(f K 2 (SW(f K1 (IP(plaintext)))))
where
K1  P8(Shift(P10(key)))
K 2  P8(Shift(Shift(P10(key))))
and
Plaintext  IP -1(f K1 (SW(f K 2 (IP(ciphertext)))))
S-DES
Algorithm

17
S-DES Key Generation
 A 10-bit key is shared between
sender and receiver.
 From this key, two 8-bit sub keys
are produced for use in particular
stages of the encryption and
decryption algorithm.
 First permute the key:
P10(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)
=(k3,k5,k2,k7,k4,k10,k1,k9,k8,k6)
S-DES Key Generation (contd.)
 Next perform a circular-left shift
(LS-1), or rotation, separately on
the first five bits and the second
five bits.
LS-1(k1,k2,k3,k4,k5)=(k2,k3,k4,k5,k1)
 Next apply P8, which permutes 8
of the 10 bits according to the
following rule
P8(k1,k2,k3,k4,k5,k6,k7,k8,k9,k10)
=(k6,k3,k7,k4,k8,k5,k10,k9)
 The result is sub-key 1 (K1)
S-DES Key Generation (contd.)
 To get the second sub-key (K2),
perform again a 2-bit circular-left
shift LS-2 on the product of LS-1
LS-2(LS-1(k1,k2,k3,k4,k5)
LS-2(k2,k3,k4,k5,k1)
=(k4,k5,k1, k2,k3)
 Finally, P8 is applied again to
produce second sub-key K2.
Example - Key Generation
 Permute 10-bit key: 1010000010
P10(1010000010) = 1000001100
 Perform circular left shift, separately, on first 5 bits and
second 5 bits (LS-1).
LS-1(10000) = 00001 and LS-1(01100) = 11000
 Pick out and permute 8 of the 10 bits: (P8)
P8(0000111000) = 10100100
 Result is K1
 Now perform circular left shift of 2 bit positions, on first
5 bits and second 5 bits (LS-2) on the result LS-1.
LS-2(00001) = 00100 and LS-2(11000) = 00011
 Apply (P8) again.
P8(0010000011) = 01000011
 Result is K2
S-DES Encryption
S-DES Encryption
 Initial and final permutations

IP
2 6 3 1 4 8 5 7

IP-1
4 1 3 5 7 2 8 6
Function F
Input is 4-bit number (n1n2n3n4) fed
to Expansion/Permutation
operation

n4 n1 n2 n3
n2 n3 n4 n1

8-bit sub key K1 is added to output

of E/P using exclusive-OR.
Function F (contd.)
 First 4 bits fed to S-box S0,
second 4 bits fed to S-box S1.
 S-box uses 1st and 4th bits to
specify a row,2nd and 3rd bits to
specify a column. Entry in that
position (base 2) is 2-bit output.
 4-bits produced by S-Boxes are
permuted using P4 = (k2k4k3k1)
 Output of P4 is output of F.
The Switch function
 The function fk only alters the leftmost 4-bits of the
input.
 Switch function interchanges left and right 4 bits so
that second instance of fk operates on a different 4
bits.
 In this second instance, the E/P, S0, S1, and P4
functions are same.
 The key input is K2.
Example - Encryption
 Assume input 10-bit key, K, is: 1010000010
 Assume 8-bit plaintext, P, is : 01110010

 The resulting 8-bit ciphertext , C, is: 01110111

S-DES vs. DES
Data Encryption Standard

DES
About DES
 The original ideas behind the Data Encryption
Algorithm were developed by IBM in the 1960's
and was based on Claude Shannon’s concept.
 The technique was first called as Lucifer and later
refined and renamed as the DEA (Data
Encryption Algorithm)
 In 1977 the United States Government chose the
Data Encryption Standard (DES)
 DES was widely adopted by industry for secure
communication
 DES is/was used to encrypt personal identification
numbers (PINs) and account transactions in automated
teller machines (ATMs)
DES Encryption

64-bit key
Data Encryption Standard
 There are two inputs to the encryption function, i.e.
the plaintext and the key.
 The plain text must be 64 bits and the key is 56 bits in
length.
 Processing of the plaintext proceeds in three phases,
 The 64 bit plaintext passes through an Initial Permutation (IP)
 Then a 16 "rounds" of operations which involves both
permutation and substitution functions that mix the data and
key together in a prescribed manner.
 The pre-output obtained from swapping the left and right
halves of the output in each round, is then passed through a
Permutation (IP-1) that is the inverse of the initial
permutation function, to produce the 64-bit ciphertext.
Why 16 rounds?
 The goal is to completely scramble the data and key
so that every bit of the ciphertext depends on every
bit of the data and every bit of the key (a 56-bit
quantity for the DES).
 After sufficient "rounds" with a good algorithm, there
should be no correlation between the ciphertext and
either the original data or key.
 The DES uses 16 rounds for some solid reasons.
 First, a minimum of 12 rounds were needed to sufficiently
scramble the key and data together; the others provided a
margin of safety.
 Second, the operation of 16 rounds would return the key
back to its original position in an electronic device for the
next use when used in accordance with the published
algorithm.
Initial and Final Permutations
Initial and final permutation tables
DES Round Structure
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
 F takes 32-bit R half and 48-bit subkey:
 expands R to 48-bits using perm E
 adds to subkey using XOR
 passes through 8 S-boxes to get 32-bit result
 finally permutes using 32-bit perm P
DES Round Structure

DES uses 16 rounds. Each round of DES is a

Feistel cipher.
Substitution Boxes S
 have eight S-boxes which map 6 to 4 bits
 each S-box is actually 4 little 4 bit boxes
 outer bits 1 & 6 (row bits) select one row of 4
 inner bits 2-5 (col bits) are substituted
 result is 8 lots of 4 bits, or 32 bits
 row selection depends on both data & key
DES Function
Expansion P-box table
XOR
 After the expansion permutation, DES uses the
XOR operation on the expanded right section
and the round key.
 Note that both the right section and the key
are 48-bits in length.
 Also note that the round key is used only in
this operation.
S-Boxes

 The S-boxes do
the real mixing
(confusion)
 DES uses 8
S-boxes, each
with a 6-bit input
and a 4-bit
output.
S-Box 1
Table shows the permutation for S-box 1. For the rest of the
boxes see the textbook.
S1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
Straight P-box

Straight P-box
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
DES Key Schedule
 forms subkeys used in each round
 consists of:
 initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves
 16 stages consisting of:
 selecting 24-bits from each half
 permuting them by PC2 for use in function f,
 rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
 KEY
PC-1

Key Generation
C0 D0

C1 D1

Rounds Shift
1, 2, 9, 16 One bit C2 D2

Others Two bits

C16 D16
Permuted Choice 1 (PC-1)
57 49 41 33 25 17 9 1

Left 28 bits 58 50 42 34 26 18 10 2
to the output
59 51 43 35 27 19 11 3
(C0)
60 52 44 36 63 55 47 39
31 23 15 7 62 54 46 38
Right 28 bits
30 22 14 6 61 53 45 37 to the output
(D0)
29 21 13 5 28 20 12 4
Note that only 56 bits of the 64 bits of the input are selected;
the remaining eight bits (8, 16, 24, 32, 40, 48, 56, 64) were
specified for use as parity bits only and are dropped here.
Permuted Choice 2 (PC-2)
Also called Key-Compression Table / Compression P-box
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
This permutation selects the 48-bit subkey for each round from
the 56-bit key-schedule state and ignores the following 8 bits:
9,18,22,25,35,38,43,54
DES
Encryption
DES Decryption
 decrypt must unwind steps of data
computation
 with Feistel design, do encryption steps again
using subkeys in reverse order (SK16 … SK1)
 IP undoes final FP step of encryption
 1st round with SK16 undoes 16th encrypt round
 ….
 16th round with SK1 undoes 1st encrypt round
 then final FP undoes initial encryption IP
 thus recovering original data value
Avalanche Effect
 key desirable property of encryption algorithm
 where a change of one input or key bit results
in changing approx half output bits
 making attempts to “home-in” by guessing keys
impossible
 DES exhibits strong avalanche
Avalanche Effect
 To check the avalanche effect in DES, let us
encrypt two plaintext blocks (with the same
key) that differ only in one bit and observe the
differences in the ciphertext

 Here changing 1 bit (~1.5%) of the plaintext creates

a change of 29 bits (~45%) in the ciphertext
Triple DES
Multiple Encryption & DES
 A replacement for DES was needed
 theoretical attacks that can break it
 demonstrated exhaustive key search attacks
 AES is a new cipher alternative
 prior to this alternative was to use multiple
encryption with DES implementations
 Triple-DES is the chosen form
Double-DES?
 could use 2 DES encrypts on each block
 C = EK2(EK1(P))
 issue of reduction to single stage
 and have “meet-in-the-middle” attack
 works whenever use a cipher twice
 since X = EK1(P) = DK2(C)
 attack by encrypting P with all keys and store
 then decrypt C with keys and match X value
 proves that double DES improves this vulnerability
slightly (to 257 tests), but not tremendously (to 2112).
Double-DES
Triple-DES with Two-Keys
 hence must use 3 encryptions
 would seem to need 3 distinct keys
 but can use 2 keys with E-D-E sequence
 C = EK1(DK2(EK1(P)))
 nb encrypt & decrypt equivalent in security
 if K1=K2 then can work with single DES
 standardized in ANSI X9.17 & ISO8732
Triple-DES with Two-Keys
Triple-DES with Three-Keys
 although there are no practical attacks on two-
key 3-DES, still has some limitations
 can use Triple-DES with Three-Keys to avoid
even these
 C = EK3(DK2(EK1(P)))
 has been adopted by some Internet
applications,e.g. PGP, S/MIME
Summary
 Modern Block Cipher Principals
 Simplified DES
 DES
 Using Multiple DES