Modern Block Ciphers

Introduction to Network
Security

Basic idea of modern block ciphers

From classical ciphers, we learn two techniques that
may improve security:
Encrypt multiple letters at a time
Use multiple ciphertext alphabets (Polyalphabetic ciphers)

Combining these two techniques

encrypt eight (or more) letters at a time
called a block cipher

and use an extremely large number of ciphertext

alphabets
will be called modes of operation

What is Simplified DES

Developed 1996 as a teaching tool
Santa Clara University
Prof. Edward Schaefer

Takes an 8-bit block plaintext, a 10 bit key

and produces an 8-bit block of ciphertext
Decryption takes the 8-bit block of
ciphertext, the same 10-bit key and
produces the original 8-bit block of
plaintext

S-DES Scheme
Encryption

Decryption
P10

8-bit plaintext

8-bit plaintext
SHIFT

IP

IP - 1
K1

fk

P8

K1

SHIFT

SW
K2

P8

fk

SW
K2

fk

fk

IP - 1

IP

8-bit ciphertext

8-bit ciphertext

Five Functions to Encrypt

IP an initial permutation
fk - a complex, 2-input function
SW a simple permutation that swaps the two
nybles

fk - a complex, 2-input function; again

IP inverse permutation of the initial permutation

Key Generation
Operations
(A) Apply permutation P10:

10
P10
5

LS-1

LS-1

(B) Apply LS-1 (left shift 1) to each 5-bit group.

5
(C) Apply permutation P8:
P8

(D) Apply LS-2 (left shift 2) to each 5-bit group.

K1
LS-2

LS-2

5
P8

K2

IP
4

E/P
8
4

K1
4
S1

S0
2

Encryption Detail

P4

2
4

SW

The permutation IP

E/P
K2

The permutation IP-1

(A) Apply expansion/permutation E/P to input 4 bits

(B) Add the 8-bit key (use XOR)

(C) Pass the left 4 bits through S-box S0 and the
right 4 bits through S-box S1
(D) Apply permutation P4:

S0

S1
P4

I P -1

S-box Operation
(1)
(2)
(3)
(4)

First and fourth bits give row number

Second and third bits give column number
Look up number in specified row and column
Convert to binary
S0:
1
3
0
3

S1:
0
2
2
1

3
1
1
3

2
0
3
2

0
2
3
2

1
0
0
1

2
1
1
0

3
3
0
3

The function FK( 8-bits ) ---------> ( 8-bits )

Let L, R be the left 4 bits and right 4 bits of the input. Then
FKey( L , R ) = (L XOR f(R, Key), R)

Block Ciphers
In general, a block cipher replaces a block of N plaintext bits
with a block of N ciphertext bits. (E.g., N = 64 or 128.)
A block cipher is a monoalphabetic cipher.
Each block may be viewed as a huge character.
The alphabet consists of 2N gigantic characters.
Each particular cipher is a one-to-one mapping from the
plaintext alphabet to the ciphertext alphabet.
There are 2N! such mappings.
A secret key indicates which mapping to use.

Ideal Block Cipher

An ideal block cipher would allow us to use
any of these 2N! mappings.
The key space would be extremely large.

But this would require a key of log 2(2N!) bits.

If N = 64,
log2(2N!) N x 2N 1021 bits 1011 GB.
Infeasible!
10

Practical Block Ciphers

Modern block ciphers use a key of K bits to specify a
random subset of 2K mappings.
If K N,
2K is much smaller than 2N!
But is still very large.

If the selection of the 2K mappings is random, the

resulting cipher will be a good approximation of the
ideal block cipher.
Horst Feistel, in1970s, proposed a method to achieve
this.
11

The Feistel Cipher Structure

Input: a data block and a key
Partition the data block into two halves L and
R.
Go through a number of rounds.
In each round,
R does not change.
L goes through an operation that depends on R
and a round key derived from the key.
12

The
Feistel
Cipher
Structure

Round i
Li-1

Ri-1

f
+

Li
Ri

ki

Mathematical Description of
Round i
Let Li 1 and Ri 1 be the input of round i, and
Li and Ri the output.
We have
Li : Ri 1
Ri : Li 1 F ( Ri 1 , Ki )
Or,

(Li , Ri ) : oi ( Li 1 , Ri 1 ), where

i : ( x, y ) ( x F ( y , ki ), y ).
: ( x, y ) ( y, x ).
Note that i 1 i and 1 .
15

Feistel Cipher
Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block m as:
c : E k ( m) : o o16 oL o o2 o o1 ( m)
The decryption will be:
Dk ( c ) 11 o 1 o21 oL o 1 o161 o 1 o 1 (c )
o o1 o o2 oL o o16 ( c)
The descryption algorithm is the same as the
encryption algorithm, but uses round keys in the
reverse order.
16

DES: The Data Encryption Standard

Most widely used block cipher in the world.
Adopted by NIST in 1977.
Based on the Feistel cipher structure with 16
rounds of processing.
Block = 64 bits
Key = 56 bits
What is specific to DES is the design of the F
function and how round keys are derived from
the main key.
17

Design Principles of DES

To achieve high degree of diffusion and
confusion.
Diffusion: making each plaintext bit affect
as many ciphertext bits as possible.
Confusion: making the relationship
between the encryption key and the
ciphertext as complex as possible.
1

DES Encryption
Overview

Round Keys Generation

Main key: 64 bits.
56-bits are selected and permuted using Permuted
Choice One (PC1); and then divided into two 28-bit
halves.
In each round:

Left-rotate each half separately by either 1 or 2

bits according to a rotation schedule.
Select 24-bits from each half, and permute the
combined 48 bits.
This forms a round key.

Permuted Choice One (PC1)

57
1
10
19
63
7
14
21

49
58
2
11
55
62
6
13

41
50
59
3
47
54
61
5

33
42
51
60
39
46
53
28

25
34
43
52
31
38
45
20

17
26
35
44
23
30
37
12

9
18
27
36
15
22
29
4
21

Initial Permutation IP

IP: the first step of the encryption.

It reorders the input data bits.
The last step of encryption is the inverse of IP.
IP and IP-1 are specified by tables (see
Stallings book, Table 3.2) or
http://en.wikipedia.org/wiki/DES_supplementar
y_material

Round i
Li-1

Ri-1
32

32

Li
Ri

F
+

32

48

ki

The F function of DES

The L and R each have 32 bits, and the round key K 48 bits.
The F function, on input R and K , produces 32 bits:
F ( R, K ) P S E ( R ) K
where E : expands 32 bits to 48 bits;
S : shrinks it back to 32 bits;
P : permutes the 32 bits.

24

The F function of DES

The Expansion Permutation E

The S-Boxes
Eight S-boxes each map 6 to 4 bits
Each S-box is specified as a 4 x 16 table
each row is a permutation of 0-15
outer bits 1 & 6 of input are used to select one
of the four rows
inner 4 bits of input are used to select a
column

All the eight boxes are different.

Box S1
0

0 14

4 13

0 15

3
1

2 15 11

8
8

9 10 11 12 13 14 15
3 10

6 12 11

3 10

4 14

2 13

1 14

8 13

2 11 15 12

3 14 10

3 15 12

1 10

6 12

5 11

6 13

For example, S1(101010) = 6 = 0110.

28

Permutation Function P
P
16

20

21

29

12

28

17

15

23

26

18

31

10

24

14

32

27

19

13

30

22

11

25
1

Avalanche Effect
Avalanche effect:
A small change in the plaintext or in the key results in a
significant change in the ciphertext.
an evidence of high degree of diffusion and confusion

a desirable property of any encryption algorithm

DES exhibits a strong avalanche effect

Changing 1 bit in the plaintext affects 34 bits in the
ciphertext on average.
1-bit change in the key affects 35 bits in the ciphertext on
average.

Attacks on DES
Brute-force key search
Needs only two plaintext-ciphertext samples
Trying 1 key per microsecond would take 1000+ years on
average, due to the large key space size, 256 7.21016.

Differential cryptanalysis
Possible to find a key with 247 plaintext-ciphertext samples
Known-plaintext attack

Liner cryptanalysis:
Possible to find a key with 243 plaintext-ciphertext samples
Known-plaintext attack
31

DES Cracker
DES Cracker:
A DES key search machine
contains 1536 chips
Cost: $250,000.
could search 88 billion keys per second
won RSA Laboratorys DES Challenge II-2 by
successfully finding a DES key in 56 hours.

DES is feeling its age. A more secure

cipher is needed.
32

Multiple Encryption with DES

In 2001, NIST published the Advanced Encryption
Standard (AES) to replace DES.
But users in commerce and finance are not ready to give
up on DES.
As a temporary solution to DESs security problem, one
may encrypt a message (with DES) multiple times using
multiple keys:
2DES is not much securer than the regular DES
So, 3DES with either 2 or 3 keys is used
33

2DES
Consider 2DES with two keys:
C = EK2(EK1(P))
Decryption:

P = DK1(DK2(C))

Key length: 56 x 2 = 112 bits

This should have thwarted brute-force attacks?
Wrong!
34

Meet-in-the-Middle Attack on 2DES

2-DES:

C = EK2(EK1(P))

EK1

EK2

Given a known pair (P, C), attack as follows:

Encrypt P with all 256 possible keys for K1.
Decrypt C with all 256 possible keys for K2.
If EK1(P) = DK2(C), try the keys on another (P, C).
If works, (K1, K2) = (K1, K2) with high probability.
Takes O(256) steps; not much more than attacking 1-DES.

35

3DES with 2 keys

A straightforward implementation would be :

c : Ek1 Ek2 Ek1 ( m)

In practice : c : Ek1 Dk2 Ek1 ( m)

g Also referred to as EDE encryption

Reason : if k1 k2 , then 3DES 1DES.
Thus, a 3DES software can be used as a single-DES.
Standardized in ANSI X9.17 & ISO 8732.
No practical attacks are known.

36

3DES with 3 keys

Encryption: c : Ek3 Dk2 Ek1 ( m) .

If k1 k3 , it becomes 3DES with 2 keys.
If k1 k2 k3 , it becomes the regular DES.
So, it is backward compatible with both 3DES with 2 keys
and the regular DES.
Some internet applications adopt 3DES with three keys;
e.g. PGP and S / MIME.

37