Lecture 03

CCS
Cryptography and Network Security
Sixth Edition
by William Stallings
Chapter 3
Block Ciphers and the Data Encryption Standard
“All the afternoon Mungo had been working on
Stern's code, principally with the aid of the latest
messages which he had copied down at the Nevin
Square drop. Stern was very confident. He must be
well aware London Central knew about that drop. It
was obvious that they didn't care how often Mungo
read their messages, so confident were they in the
impenetrability of the code.”
—Talking to Strange Men,
Ruth Rendell
Block vs Stream Ciphers

• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
• 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• better analysed
• broader range of applications
Stream Cipher
Encrypts a digital data stream one bit or one byte at a time
Examples:
• Autokeyed Vigenère cipher
• Vernam cipher
In the ideal case a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream
If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
• Keystream must be provided to both users in advance via some independent and secure channel
• This introduces insurmountable logistical problems if the intended data traffic is very large
For practical reasons the bit-stream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users
It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
The two users need only share the generating key and each can produce the keystream
Block Cipher

• A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
• Typically a block size of 64 or 128 bits is used
• As with a stream cipher, the two users share a symmetric encryption key
• The majority of network-based symmetric cryptographic applications make use of block ciphers
Stream Cipher and Block Cipher
Modern Block Ciphers

• now look at modern block ciphers
• one of the most widely used types of cryptographic algorithms
• provide secrecy/authentication services
• focus on DES (Data Encryption Standard)
• to illustrate block cipher design principles
Table 3.1
Encryption and Decryption Tables for Substitution Cipher of Figure 3.2
Feistel Cipher

• Proposed the use of a cipher that alternates substitutions and permutations
• Substitutions: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
• Permutation: No elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed
• Is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions
• Is the structure used by many significant symmetric block ciphers currently in use
Diffusion and Confusion

• Terms introduced by Claude Shannon to capture the two basic building blocks for any cryptographic system
• Shannon’s concern was to thwart cryptanalysis based on statistical analysis

Diffusion
• The statistical structure of the plaintext is dissipated into long-range statistics of the
ciphertext
• This is achieved by having each plaintext digit affect the value of many ciphertext digits

Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the value of
the encryption key as complex as possible
• Even if the attacker can get some handle on the statistics of the ciphertext, the way in
which the key was used to produce that ciphertext is so complex as to make it difficult to
deduce the key
Feistel Cipher Structure
Feistel Cipher Design Features
Block size
• Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
Key size
• Larger key size means greater security but may decrease encryption/decryption speeds
Number of rounds
• The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
Subkey generation algorithm
• Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis
Round function F
• Greater complexity generally means greater resistance to cryptanalysis
Fast software encryption/decryption
• In many cases, encrypting is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
Ease of analysis
• If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
Feistel Example
Data Encryption Standard (DES)
• Issued in 1977 by the National Bureau of Standards (now NIST) as
Federal Information Processing Standard 46
• Was the most widely used encryption scheme until the
introduction of the Advanced Encryption Standard (AES) in 2001
• Algorithm itself is referred to as the Data Encryption Algorithm
(DEA)
• Data are encrypted in 64-bit blocks using a 56-bit key
• The algorithm transforms 64-bit input in a series of steps into a 64-bit
output
• The same steps, with the same key, are used to reverse the encryption
DES Encryption Algorithm
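Bit Permutation (1-to-1)
[Figure: a 32-bit input (bit positions 1, 2, 3, 4, …, 32 holding 0 0 1 0 … 1) is mapped one bit to one bit onto the output 1 0 1 1 … 1, whose bits carry the position labels 22, 6, 13, 32, …, 3]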
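Bits Expansion (1-to-m)
[Figure: a 32-bit input (bit positions 1, 2, 3, 4, 5, …, 32 holding 0 0 1 0 1 … 1) is expanded into the longer output 1 0 0 1 0 1 0 1 … 1 0, whose positions are numbered 1, 2, 3, 4, 5, 6, 7, 8, …]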
Initial and Final Permutations

• Initial permutation (IP)
• View the input as M: 8(-byte) by 8(-bit) matrix
• Transform M into M1 in two steps
• Transpose row x into column (9-x), 0<x<9
• Apply permutation on the rows:
• For even column y, it becomes row y/2
• For odd column y, it becomes row (5+y/2)
• Final permutation FP = IP⁻¹
Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
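
The column rule above is enough to generate the whole IP table and to check it against the slide's example value. This is an added Python example, not part of the original slides; the function and table names are chosen here.

```python
# Bits are numbered 1..64, most significant first, so byte r (1..8) holds bits
# 8*(r-1)+1 .. 8*r.  Even input columns become output rows 1-4 (the left half),
# odd columns become rows 5-8 (the right half); each column is read from
# byte 8 up to byte 1.
IP_TABLE = [8 * row + col
            for col in (2, 4, 6, 8, 1, 3, 5, 7)
            for row in range(7, -1, -1)]

# FP is the inverse of IP: if IP takes input bit `src` to output position
# `dest`, FP takes input bit `dest` back to output position `src`.
FP_TABLE = [0] * 64
for dest, src in enumerate(IP_TABLE, start=1):
    FP_TABLE[src - 1] = dest


def permute(block: int, table, width: int = 64) -> int:
    """Output bit i (1-based, MSB first) is input bit table[i-1]."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (width - src)) & 1)
    return out


def initial_permutation(block: int) -> int:
    return permute(block, IP_TABLE)


def final_permutation(block: int) -> int:
    return permute(block, FP_TABLE)


if __name__ == "__main__":
    sample = 0x675A69675E5A6B5A          # the input used on the slide
    permuted = initial_permutation(sample)
    print(f"IP = {permuted:016x}")
    print(f"FP(IP) = {final_permutation(permuted):016x}")
```

Because IP and FP are fixed, unkeyed bit shuffles, they add no cryptographic strength; they only fix how bits are loaded into and out of the round structure.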


DES Round Structure

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
L_i = R_{i-1}
R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• F takes 32-bit R half and 48-bit subkey:
• expands R to 48-bits using perm E
• adds to subkey using XOR
• passes through 8 S-boxes to get 32-bit result
• finally permutes using 32-bit perm P
DES Round Structure
S-Box (Substitute and Shrink)
• 48 bits ==> 32 bits. (8*6 ==> 8*4)
• 2 bits used to select amongst 4 permutations for the rest of the 4-bit
quantity

[Figure: S-box S_i, i = 1, …, 8, with six input bits I1 to I6 and four output bits O1 to O4; 2 bits select the row and 4 bits select the column]
Substitution Boxes S

have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4 bit boxes
outer bits 1 & 6 (row bits) select one row of 4
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
feature known as autoclaving (autokeying)
example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule

forms subkeys used in each round
initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
16 stages consisting of:
• rotating each half separately either 1 or 2 places depending on the key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2 for use in round function F
note practical use issues in h/w vs s/w
DES Decryption

• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
• IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
Table 3.2 DES Example
(Table can be found on page 75 in textbook)

Note: DES subkeys are shown as eight 6-bit values in hex format
Table 3.3 Avalanche Effect in DES: Change in Plaintext
Table 3.4 Avalanche Effect in DES: Change in Key
Avalanche in DES
Avalanche Effect

• key desirable property of encryption algorithm
• where a change of one input or key bit results in changing approx half output bits
• making attempts to “home-in” by guessing keys impossible
• DES exhibits strong avalanche
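
The Feistel round equations, the reversed-subkey decryption from the DES Decryption slide, and the avalanche effect can be seen together in one added Python example (not from the slides or the textbook). It is a toy 64-bit Feistel cipher, not DES: the round function (truncated SHA-256) and the key schedule are assumptions made for the example.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(right: int, subkey: bytes) -> int:
    """F(R, K). It need not be invertible; here it is truncated SHA-256."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block: int, subkeys) -> int:
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i); halves swapped at the end."""
    left, right = block >> 32, block & MASK32
    for subkey in subkeys:
        left, right = right, left ^ round_function(right, subkey)
    return (right << 32) | left


def make_subkeys(key: bytes, rounds: int):
    """Toy key schedule (assumption): one hashed 48-bit subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(rounds)]


def encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, make_subkeys(key, rounds))


def decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    # Same routine as encryption, with the subkeys in reverse order.
    return feistel(block, make_subkeys(key, rounds)[::-1])


def avalanche(rounds: int, key: bytes = b"constructed key") -> float:
    """Average number of ciphertext bits changed per single plaintext-bit flip."""
    plaintext = 0x0123456789ABCDEF      # constructed sample block
    base = encrypt(plaintext, key, rounds)
    flips = [bin(base ^ encrypt(plaintext ^ (1 << bit), key, rounds)).count("1")
             for bit in range(64)]
    return sum(flips) / 64


if __name__ == "__main__":
    for rounds in (1, 2, 4, 16):
        print(rounds, "rounds:", avalanche(rounds), "of 64 bits change on average")
```

With one round, a flipped bit in the left half changes exactly one ciphertext bit; only after several rounds does the average approach half of the 64 output bits.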
Table 3.5
Average Time Required for Exhaustive Key Search
Strength of DES

• Timing attacks
• One in which information about the key or the
plaintext is obtained by observing how long it takes a
given implementation to perform decryptions on
various ciphertexts
• Exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time
on different inputs
• So far it appears unlikely that this technique will ever
be successful against DES or more powerful symmetric
ciphers such as triple DES and AES
Block Cipher Design Principles: Number of Rounds
• The greater the number of rounds, the more difficult it is to perform cryptanalysis
• In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack
• If DES had 15 or fewer rounds, differential cryptanalysis would require less effort than a brute-force key search
Block Cipher Design Principles: Design of Function F
• The heart of a Feistel block cipher is the function F
• The more nonlinear F, the more difficult any type of cryptanalysis will be
• The SAC and BIC criteria appear to strengthen the effectiveness of the confusion function
The algorithm should have good avalanche properties
Strict avalanche criterion (SAC)
• States that any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted for all i, j
Bit independence criterion (BIC)
• States that output bits j and k should change independently when any single input bit i is inverted for all i, j, and k
Block Cipher Design Principles: Key Schedule Algorithm
• With any Feistel block cipher, the key is used to generate one
subkey for each round
• In general, we would like to select subkeys to maximize the
difficulty of deducing individual subkeys and the difficulty of
working back to the main key
• It is suggested that, at a minimum, the key schedule should
guarantee key/ciphertext Strict Avalanche Criterion and Bit
Independence Criterion
Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
• as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security
DES History

• IBM developed Lucifer cipher
• by team led by Feistel in late 60’s
• used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and
others
• in 1973 NBS issued request for proposals for a national cipher
standard
• IBM submitted their revised Lucifer which was eventually accepted as
the DES
DES Design Controversy

• although DES standard is public
• was considerable controversy over design
• in choice of 56-bit key (vs Lucifer 128-bit)
• and because design criteria were classified
• subsequent events and public analysis show in fact design was
appropriate
• use of DES has flourished
• especially in financial applications
• still standardised for legacy application use
Multiple Encryption & DES

• clear a replacement for DES was needed
• theoretical attacks that can break it
• demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES
implementations
• Triple-DES is the chosen form
Double-DES?
• could use 2 DES encrypts on each block
• C = E_K2(E_K1(P))
• issue of reduction to single stage
• and have “meet-in-the-middle” attack
• works whenever use a cipher twice
• since X = E_K1(P) = D_K2(C)
• attack by encrypting P with all keys and store
• then decrypt C with keys and match X value
• can show takes O(2^56) steps
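
Why doubling the key does not double the security can be shown on a small scale. This is an added Python example, not part of the original slides: it uses a constructed 16-bit toy cipher with 10-bit keys (not DES) so that the table fits in memory, and all names in it are chosen here.

```python
MASK = 0xFFFF
MUL = 0x6487                      # odd, so multiplication is invertible mod 2**16
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(key: int, block: int) -> int:
    """Constructed 16-bit toy cipher, NOT DES: add key, multiply, xorshift."""
    x = block
    for r in range(4):
        x = ((x + key + r) * MUL) & MASK
        x ^= x >> 7
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block
    for r in reversed(range(4)):
        x ^= (x >> 7) ^ (x >> 14)            # undo x ^= x >> 7
        x = (x * MUL_INV - key - r) & MASK   # undo multiply and key addition
    return x


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))   # C = E_K2(E_K1(P))


def meet_in_the_middle(pairs, key_bits: int):
    """Find (K1, K2) from known (P, C) pairs with about 2 * 2**key_bits cipher
    operations plus a table, instead of 2**(2 * key_bits) trial encryptions."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << key_bits):          # forward pass: X = E_K1(P)
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << key_bits):          # backward pass: X = D_K2(C)
        for k1 in middle.get(toy_decrypt(k2, c0), []):
            # Extra known pairs weed out accidental matches in the middle.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    k1, k2 = 0x2A7, 0x13C                    # constructed sample keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    print(meet_in_the_middle(pairs, key_bits=10))
```

The same accounting applied to DES gives roughly 2^56 work and storage rather than 2^112, which is why the slides move on to three encryptions.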
Triple-DES with Two-Keys
• hence must use 3 encryptions
• would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
• C = E_K1(D_K2(E_K1(P)))
• nb encrypt & decrypt equivalent in security
• if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks
• several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys

• although are no practical attacks on two-key Triple-DES have some indications
• can use Triple-DES with Three-Keys to avoid even these
• C = E_K3(D_K2(E_K1(P)))
• has been adopted by some Internet applications, eg PGP, S/MIME
Summary

Traditional Block Cipher Structure
• Stream ciphers
• Block ciphers
• Feistel cipher
The Data Encryption Standard (DES)
• Encryption
• Decryption
• Avalanche effect
The strength of DES
• Use of 56-bit keys
• Nature of the DES algorithm
• Timing attacks
Block cipher design principles
• DES design criteria
• Number of rounds
• Design of function F
• Key schedule algorithm
