Block Ciphers and The Data Encryption Standard


Block Ciphers and the Data Encryption Standard
Block vs Stream Ciphers
 block ciphers process messages in blocks, each of
which is then en/decrypted
 like a substitution on very big characters
 64-bits or more
 stream ciphers process messages a bit or byte at a
time when en/decrypting
 many current ciphers are block ciphers
 broader range of applications
Simplest Stream Cipher
[Figure: the simplest stream cipher: the key stream is combined with the plaintext to give the ciphertext, and the same key stream turns the ciphertext back into plaintext]
Block Cipher
[Figure: a block cipher encrypting one block of plaintext at a time]
Block Cipher Principles
 most symmetric block ciphers are based on a
Feistel Cipher Structure
 needed since must be able to decrypt ciphertext to
recover messages efficiently
 block ciphers look like an extremely large
substitution
 would need table of 2^64 entries for a 64-bit block
 instead create from smaller building blocks
 using idea of a product cipher
Ideal Block Cipher
Claude Shannon and Substitution-
Permutation Ciphers
 Claude Shannon introduced idea of
substitution-permutation (S-P) networks in
1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive
cryptographic operations seen before:
 substitution (S-box)
 permutation (P-box)
 provide confusion & diffusion of message &
key
Confusion and Diffusion
 cipher needs to completely obscure statistical
properties of original message
 a one-time pad does this
 more practically Shannon suggested
combining S & P elements to obtain:
 diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
 confusion – makes relationship between
ciphertext and key as complex as possible
Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher
 based on concept of invertible product cipher
 partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
Feistel Network
 iterated cipher mapping (L0, R0) to (Rr, Lr) through an r-round
process, (Li−1, Ri−1) → (Li, Ri) under subkey Ki, as follows:
 Li = Ri−1, Ri = Li−1 ⊕ f(Ri−1, Ki), where Ki is derived from K

[Figure: one Feistel round: inputs Li−1 and Ri−1, subkey Ki fed into f, outputs Li and Ri]
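The round structure above, as an added Python example that is not part of these slides: a generic Feistel network with a constructed, deliberately non-invertible round function. `toy_round_function`, `feistel_rounds`, `encrypt`, `decrypt` and `demo_subkeys` are names assumed here, and the subkeys are constructed constants rather than derived from a key. It also illustrates the point of the DES Decryption slide further down: decryption is the same data path with the subkeys applied in reverse order, and f itself never has to be inverted.

```python
# Added example: a generic Feistel network (not DES itself).
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


def toy_round_function(r: int, k: int) -> int:
    """Constructed stand-in for f(R, K). It is many-to-one (not invertible):
    the Feistel structure only ever recomputes f, it never inverts it."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + (x >> 7)) & MASK32      # multiply-add mixing, drops bits
    return ((x << 13) | (x >> 19)) & MASK32       # 32-bit rotate


def feistel_rounds(left: int, right: int, subkeys: List[int]) -> Tuple[int, int]:
    """One round per subkey: Li = Ri-1, Ri = Li-1 XOR f(Ri-1, Ki)."""
    for k in subkeys:
        left, right = right, left ^ toy_round_function(right, k)
    return left, right


def encrypt(block: int, subkeys: List[int]) -> int:
    """64-bit block -> (L0, R0) -> r rounds -> output (Rr, Lr), halves swapped."""
    left, right = block >> 32, block & MASK32
    left, right = feistel_rounds(left, right, subkeys)
    return (right << 32) | left


def decrypt(block: int, subkeys: List[int]) -> int:
    """Identical data path; only the subkey order is reversed (Kr ... K1)."""
    left, right = block >> 32, block & MASK32
    left, right = feistel_rounds(left, right, subkeys[::-1])
    return (right << 32) | left


def demo_subkeys(n_rounds: int = 16) -> List[int]:
    """Constructed subkeys; a real cipher derives these from K (see key schedule)."""
    return [(0x0F1E2D3C + i * 0x01010101) & MASK32 for i in range(n_rounds)]


if __name__ == "__main__":
    keys = demo_subkeys()
    pt = 0x0123456789ABCDEF                       # constructed sample block
    ct = encrypt(pt, keys)
    print(f"ciphertext {ct:016X}, recovered {decrypt(ct, keys):016X}")
```

The final swap in `encrypt` is what lets `decrypt` reuse the same `feistel_rounds` loop: feeding (Rr, Lr) back in with the keys reversed walks the rounds backwards and ends at (R0, L0), which the swap turns back into (L0, R0).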
Feistel Cipher Structure
Feistel Cipher Structure

 Block size: larger block sizes mean greater security
 Key Size: larger key size means greater security
 Number of rounds: multiple rounds offer
increasing security
 Subkey generation algorithm: greater
complexity will lead to greater difficulty of
cryptanalysis.
 Fast software encryption/decryption: the speed
of execution of the algorithm becomes a concern
Feistel Cipher Decryption
Data Encryption Standard (DES)
 most widely used block cipher in world
 adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 encrypts 64-bit data using 56-bit key
 has widespread use
 has been considerable controversy over its
security
DES History
 IBM developed Lucifer cipher
 by team led by Feistel in late 60’s
 used 64-bit data blocks with 128-bit key
 then redeveloped as a commercial cipher
with input from NSA and others
 in 1973 NBS issued request for proposals for
a national cipher standard
 IBM submitted their revised Lucifer which was
eventually accepted as the DES
DES Design Controversy
 although DES standard is public
 was considerable controversy over design
 in choice of 56-bit key (vs Lucifer 128-bit)
 and because design criteria were classified
 subsequent events and public analysis show in
fact design was appropriate
 use of DES has flourished
 especially in financial applications
 still standardised for legacy application use
DES Encryption Overview
DES
DES Round Structure
 uses two 32-bit L & R halves
 as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
 F takes 32-bit R half and 48-bit subkey:
 expands R to 48-bits using perm E
 adds to subkey using XOR
 passes through 8 S-boxes to get 32-bit result
 finally permutes using 32-bit perm P
Initial Permutation IP
 first step of the data computation
 IP reorders the input data bits
 even bits to LH half, odd bits to RH half
 The values in each matrix identify where each bit
of the input message is mapped to in the output
message. For example, the matrix for IP shows
that the 58th bit of the input is mapped to the
first bit of the output, the 50th bit of the input to
the second bit of the output, and so on.
IP (initial permutation):

58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

IP-1 (final permutation):

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25

Table 2. Initial and final permutation matrices for DES.


Expansion Table
 Expands the 32-bit data to 48 bits
 Result(i) = input(E(i)), i.e. output bit i is a copy of input bit E(i)
 The expansion table defines a permutation
plus an expansion that involves duplication of
16 of the bits.
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
S-Boxes
 The resulting 48 bits are XORed with the 48-bit subkey.
 This 48-bit result passes through a substitution
function comprising 8 S-boxes,
 each of which maps 6 input bits to 4 output bits.
 Given 6 bits B = b1b2b3b4b5b6:
 Row r = b1b6
 Column c = b2b3b4b5
 S(B) = S(r, c) written in binary of length 4
DES Round Structure
S-Box
 6-bit input, 4-bit output
 27 = 011011: outer bits (01) give row 1, inner bits (1101) give column 13
 S1-box output for 27 = 5

S1 (rows 0-3, columns 0-15):

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
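An added Python example (not from the slides) of the S-box lookup rule just stated, using the S1 table printed above; `sbox_lookup`, `rows_are_permutations` and `substitute` are assumed names. `substitute` shows how the 48-bit value is cut into eight 6-bit groups, one per S-box. Only S1 appears on the page, so any run of `substitute` here reuses S1 for all eight positions; that is a placeholder for the data path, not DES.

```python
# Added example: DES S-box lookup and the 48 -> 32-bit substitution layer.
from typing import List

# S1 exactly as printed above: rows 0-3, columns 0-15
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(sbox: List[List[int]], b: int) -> int:
    """6-bit input b1b2b3b4b5b6 -> 4-bit output.
    Row = outer bits b1b6, column = inner bits b2b3b4b5."""
    if not 0 <= b < 64:
        raise ValueError("S-box input must be 6 bits")
    row = (((b >> 5) & 1) << 1) | (b & 1)
    col = (b >> 1) & 0xF
    return sbox[row][col]


def rows_are_permutations(sbox: List[List[int]]) -> bool:
    """DES design property: each row of an S-box is a permutation of 0..15, so for
    a fixed row the 4-bit output determines the four inner input bits uniquely."""
    return all(sorted(row) == list(range(16)) for row in sbox)


def substitute(x48: int, sboxes: List[List[List[int]]]) -> int:
    """Split a 48-bit value into eight 6-bit groups (most significant first), send
    group i through S-box i, and concatenate the eight 4-bit outputs (32 bits)."""
    if len(sboxes) != 8:
        raise ValueError("DES uses eight S-boxes")
    out = 0
    for i, sbox in enumerate(sboxes):
        group = (x48 >> (42 - 6 * i)) & 0x3F
        out = (out << 4) | sbox_lookup(sbox, group)
    return out


if __name__ == "__main__":
    print("S1(27) =", sbox_lookup(S1, 27))        # 27 = 011011 -> row 1, column 13
    print("S1 rows are permutations:", rows_are_permutations(S1))
```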
Permutation Table
 The permutation P applied to the S-box output in each round

16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
DES Key Schedule
 The 64-bit key input is first processed by Permuted
Choice One (PC-1).
 The resulting 56-bit key is then treated as two 28-bit
quantities C and D.
 In each round forms subkeys by
 rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
 selecting 24 bits from each half & permuting
them by PC-2 for use in round function F
 note practical use issues in h/w vs s/w
Permutation Tables

Permuted Choice One (PC-1):

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
After this permutation, the key is split into two halves, C and
D. After each round, each half is independently shifted to the
left by either one or two bits, depending on which round is
executing. The shift is rotational, so that bits that get shifted
off of one end get placed back on the other end.

Round:  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Shifts: 1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1

Table. Key shifting factors for each round of DES.


Finally, the subkey function, Permuted Choice Two (PC-2), is used to convert the key into a 48-bit
block, to be used in the actual encryption. Again, this is
expressed in matrix form, as shown below.

Subkey Permutation (PC-2)

14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
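The key schedule just described, as an added Python example that is not part of the slides: PC-1, the per-round rotation table and PC-2 turn a 64-bit key into the sixteen 48-bit subkeys K1..K16. `permute`, `rotl28`, `pc1_halves`, `key_schedule` and `halves_after_schedule` are assumed names, and the sample key is a constructed value chosen to have the odd parity DES expects in each byte.

```python
# Added example: the DES key schedule built from PC-1, the shift table and PC-2.
from typing import List, Tuple

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # left rotations per round
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
MASK28 = (1 << 28) - 1


def permute(x: int, table: List[int], width: int) -> int:
    """Output bit j (most significant first) is input bit table[j-1], 1 = MSB."""
    out = 0
    for src in table:
        out = (out << 1) | ((x >> (width - src)) & 1)
    return out


def rotl28(x: int, n: int) -> int:
    """Rotational left shift of a 28-bit half: bits shifted off the top re-enter at the bottom."""
    return ((x << n) | (x >> (28 - n))) & MASK28


def pc1_halves(key64: int) -> Tuple[int, int]:
    """PC-1 keeps 56 of the 64 key bits (positions 8, 16, ..., 64 are the parity
    bits and never appear in PC1) and yields C0 and D0, 28 bits each."""
    k56 = permute(key64, PC1, 64)
    return k56 >> 28, k56 & MASK28


def key_schedule(key64: int) -> List[int]:
    """Return [K1, ..., K16]: rotate C and D by the round's shift, then Ki = PC2(Ci || Di)."""
    c, d = pc1_halves(key64)
    subkeys = []
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
        subkeys.append(permute((c << 28) | d, PC2, 56))
    return subkeys


def halves_after_schedule(key64: int) -> Tuple[int, int]:
    """C and D after all 16 rotations; the shifts total 28, so they return to C0, D0."""
    c, d = pc1_halves(key64)
    for s in SHIFTS:
        c, d = rotl28(c, s), rotl28(d, s)
    return c, d


if __name__ == "__main__":
    key = 0x133457799BBCDFF1                     # constructed sample key (odd parity per byte)
    for i, k in enumerate(key_schedule(key), 1):
        print(f"K{i:<2} = {k:012X}")
    # decryption uses the same list in reverse order: K16 ... K1
```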
DES Decryption
 decrypt must unwind steps of data computation
 with Feistel design, do encryption steps again using
subkeys in reverse order (SK16 … SK1)
 IP undoes final FP step of encryption
 1st round with SK16 undoes 16th encrypt round
 ….
 16th round with SK1 undoes 1st encrypt round
 then final FP undoes initial encryption IP
 thus recovering original data value
Avalanche Effect
 A desirable property of any encryption
algorithm is that a small change in either the
plaintext or the key should produce a
significant change in the ciphertext: a
change of one input or key bit should result in
changing approximately half of the output bits
 making attempts to “home in” by guessing
keys impossible
 DES exhibits strong avalanche
Strength of DES – Key Size
 56-bit keys have 2^56 = 7.2 x 10^16 values
 brute force search looks hard
 recent advances have shown is possible
 in 1997 on Internet in a few months
 in 1998 on dedicated h/w (EFF) in a few days
 in 1999 above combined in 22hrs!
 still must be able to recognize plaintext
 must now consider alternatives to DES
Strength of DES – Analytic Attacks
 now have several analytic attacks on DES
 these utilise some deep structure of the cipher
 by gathering information about encryptions
 can eventually recover some/all of the sub-key bits
 if necessary then exhaustively search for the rest
 generally these are statistical attacks
 include
 differential cryptanalysis
 linear cryptanalysis
 related key attacks
Differential Cryptanalysis
 one of the most significant recent (public)
advances in cryptanalysis
 known by NSA in 70's cf DES design
 Murphy, Biham & Shamir published in 90’s
 powerful method to analyse block ciphers
 used to analyse most current block ciphers
with varying degrees of success
 DES reasonably resistant to it, cf Lucifer
Differential Cryptanalysis

 Differential cryptanalysis is a general form of
cryptanalysis applicable primarily to block ciphers,
but also to stream ciphers and cryptographic hash
functions
 uses cipher structure not previously used
 design of S-P networks has output of function f
influenced by both input & key
 hence cannot trace values back through cipher
without knowing value of the key
 it is the study of how differences in an input can affect
the resultant difference at the output.
 differential cryptanalysis compares two related pairs
of encryptions
Differential Cryptanalysis Compares
Pairs of Encryptions
 with a known difference in the input
 searching for a known difference in output
 when same subkeys are used
Differential Cryptanalysis
 have some input difference giving some
output difference with probability p
 if find instances of some higher probability
input / output difference pairs occurring
 can infer subkey that was used in round
 then must iterate process over many rounds
(with decreasing probabilities)
Differential Cryptanalysis
Linear Cryptanalysis
 another recent development
 also a statistical method
 must be iterated over rounds, with decreasing
probabilities
 developed by Matsui et al in early 90's
 based on finding linear approximations
 can attack DES with 2^43 known plaintexts,
easier but still in practice infeasible
Linear Cryptanalysis
 find linear approximations with prob p ≠ ½
P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]
where i1..ia, j1..jb, k1..kc are bit locations in P, C, K
 gives linear equation for key bits
 get one key bit using max likelihood alg
 using a large number of trial encryptions
 effectiveness given by: |p–1/2|
Cipher Block Modes of Operation

 A symmetric block cipher processes one b-bit block of
data at a time (b = 64 for DES).
Operation Modes
 Electronic Code Book (ECB):
in this case each plaintext block
is encrypted using the same
key.
 Typical application: secure
transmission of single values
(e.g. an encryption key)
Electronic Codebook (ECB)
 With ECB, if the same 64-bit block of plaintext
appears more than once in the message, it always
produces the same ciphertext. Because of this, for
lengthy messages, the ECB mode may not be secure.
Advantages and Limitations of ECB
 message repetitions may show in ciphertext
 if aligned with message block
 particularly with data such as graphics
 or with messages that change very little, which
become a code-book analysis problem
 weakness is due to the encrypted message blocks
being independent
 main use is sending a few blocks of data
Cipher Block Chaining (CBC)
 message is broken into blocks
 linked together in encryption operation
 each previous cipher block is chained with the
current plaintext block, hence the name
 use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C0 = IV
 uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
Message Padding
 at end of message must handle a possible last
short block
 which is not as large as blocksize of cipher
 pad either with known non-data value (eg nulls)
 or pad last block along with count of pad size
 eg. [ b1 b2 b3 0 0 0 0 5]
 means have 3 data bytes, then 5 bytes pad+count
 this may require an extra entire block over those in
message
Advantages and Limitations of CBC
 a ciphertext block depends on all blocks before it
 any change to a block affects all following
ciphertext blocks
 need Initialization Vector (IV)
 which must be known to sender & receiver
 if sent in clear, attacker can change bits of first block,
and change IV to compensate
 must be sent encrypted in ECB mode before rest of
message
Cipher FeedBack (CFB)
 message is treated as a stream of bits
 added to the output of the block cipher
 result is fed back for next stage (hence
name)
 standard allows any number of bits (1, 8, 64 or
128 etc) to be fed back
 denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
 most efficient to use all bits in block (64 or
128)
Ci = Pi XOR DESK1(Ci-1)
C0 = IV
 uses: stream data encryption, authentication
Cipher FeedBack (CFB)
Advantages and Limitations of CFB
 appropriate when data arrives in bits/bytes
 most common stream mode
 limitation is need to stall while do block
encryption after every n-bits
 note that the block cipher is used in
encryption mode at both ends
 errors propagate for several blocks after the
error
Output FeedBack (OFB)
 message is treated as a stream of bits
 output of cipher is added to message
 output is then fed back (hence name)
 feedback is independent of message
 can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O0 = IV
 uses: stream encryption on noisy channels
Output FeedBack (OFB)
Advantages and Limitations of OFB
 bit errors do not propagate
 more vulnerable to message stream
modification
 a variation of a Vernam cipher
 hence must never reuse the same sequence
(key+IV)
 sender & receiver must remain in sync
Counter (CTR)
 a “new” mode, though proposed early on
 similar to OFB but encrypts counter value
rather than any feedback value
 must have a different key & counter value for
every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
 uses: high-speed network encryptions
Counter (CTR)
Advantages and Limitations of CTR
 efficiency
 can do parallel encryptions in h/w or s/w
 can preprocess in advance of need
 good for bursty high speed links
 random access to encrypted data blocks
 provable security (good as other modes)
 but must ensure never reuse key/counter
values, otherwise could break (cf OFB)
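The five modes above, together with the count-byte padding from the Message Padding slide, as an added Python example that is not part of the slides. `toy_encrypt`/`toy_decrypt` are a constructed, invertible 64-bit keyed scramble standing in for DES_K; it is not a secure cipher and is only there so the modes run offline. The mode functions, `pad`/`unpad`, `ecb_leaks_repeats`, `flip_bit` and `error_spread` are assumed names, and CTR packing a nonce and the block index into the counter block is an assumption, since the slides write only DES_K1(i).

```python
# Added example: ECB, CBC, CFB, OFB and CTR over a constructed 64-bit toy block cipher.
from typing import Callable, List

BLOCK = 8                                  # 64-bit blocks, as for DES
MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15                   # odd multiplier, so invertible mod 2^64
ODD_INV = pow(ODD, -1, 1 << 64)            # modular inverse (Python 3.8+)

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (64 - n))) & MASK64

def toy_encrypt(key: bytes, block: bytes) -> bytes:   # stand-in for DES_K: NOT secure
    k1, k2 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:], "big")
    p = int.from_bytes(block, "big")
    return (_rotl(((p ^ k1) * ODD) & MASK64, 17) ^ k2).to_bytes(BLOCK, "big")

def toy_decrypt(key: bytes, block: bytes) -> bytes:   # exact inverse of toy_encrypt
    k1, k2 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:], "big")
    c = int.from_bytes(block, "big") ^ k2
    return (((_rotl(c, 47) * ODD_INV) & MASK64) ^ k1).to_bytes(BLOCK, "big")

def blocks(data: bytes) -> List[bytes]:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes) -> bytes:
    """Zero bytes plus a final count byte, e.g. [b1 b2 b3 0 0 0 0 5];
    a message that already fills its last block gets an entire extra block."""
    n = BLOCK - len(msg) % BLOCK
    return msg + b"\x00" * (n - 1) + bytes([n])

def unpad(msg: bytes) -> bytes:
    n = msg[-1] if msg else 0
    if not 1 <= n <= BLOCK or msg[-n:] != b"\x00" * (n - 1) + bytes([n]):
        raise ValueError("invalid padding")
    return msg[:-n]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:   # blocks independent: repeats show
    return b"".join(toy_encrypt(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt(key, b) for b in blocks(ct)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:   # Ci = E_K(Pi XOR Ci-1), C0 = IV
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = toy_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:   # Pi = D_K(Ci) XOR Ci-1
    prevs = [iv] + blocks(ct)                                     # padding left in place
    return b"".join(xor(toy_decrypt(key, c), p) for p, c in zip(prevs, blocks(ct)))

def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB-64: Ci = Pi XOR E_K(Ci-1). Stream mode, so no padding; the ciphertext is fed back."""
    out, prev = [], iv
    for b in blocks(data):
        out.append(xor(b, toy_encrypt(key, prev)[:len(b)]))
        prev = b if decrypt else out[-1]
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:   # Oi = E_K(Oi-1), O0 = IV
    out, o = [], iv                                           # keystream independent of data
    for b in blocks(data):
        o = toy_encrypt(key, o)
        out.append(xor(b, o[:len(b)]))
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: int, data: bytes) -> bytes:   # Oi = E_K(nonce || i)
    out = []
    for i, b in enumerate(blocks(data)):                       # every block independent
        o = toy_encrypt(key, ((nonce << 32) | i).to_bytes(BLOCK, "big"))
        out.append(xor(b, o[:len(b)]))
    return b"".join(out)

def ecb_leaks_repeats(key: bytes, pt: bytes) -> bool:
    """True if identical plaintext blocks produced identical ciphertext blocks."""
    cbs = blocks(ecb_encrypt(key, pt))
    return len(set(cbs)) < len(cbs)

def flip_bit(data: bytes, bit: int) -> bytes:
    b = bytearray(data)
    b[bit // 8] ^= 1 << (7 - bit % 8)
    return bytes(b)

def error_spread(decrypt: Callable[[bytes], bytes], ct: bytes, bit: int = 3) -> List[int]:
    """Flip one ciphertext bit and count damaged plaintext bytes in each block."""
    good, bad = blocks(decrypt(ct)), blocks(decrypt(flip_bit(ct, bit)))
    return [sum(x != y for x, y in zip(g, d)) for g, d in zip(good, bad)]

if __name__ == "__main__":
    key, iv = bytes(range(16)), bytes(range(8))         # constructed key and IV
    msg = b"SAMEBLOK" * 4 + b"tail"                     # constructed: repeated blocks
    print("ECB leaks repeats:", ecb_leaks_repeats(key, msg))
    print("CBC damage:", error_spread(lambda c: cbc_decrypt_raw(key, iv, c), cbc_encrypt(key, iv, msg)))
    print("OFB damage:", error_spread(lambda c: ofb_crypt(key, iv, c), ofb_crypt(key, iv, msg)))
```

Run on the repeated-block message, `ecb_leaks_repeats` is true while the chained and stream modes hide the repetition. `error_spread` makes the propagation claims concrete: a flipped bit in the first CBC ciphertext block garbles that whole plaintext block and exactly one bit of the next, in CFB it flips one bit of the first block and garbles the second, and in OFB or CTR only the one bit is affected. The same function pair also shows why OFB and CTR must never reuse a key and IV: XORing two ciphertexts produced under the same key and IV yields the XOR of the two plaintexts.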
