CEN 448
Security and Internet Protocols
Chapter 3
Block Ciphers and DES
Dr. Mostafa Hassan Dahshan
Computer Engineering Department
College of Computer and Information Sciences
King Saud University
Block Ciphers
Encrypt data one block at a time
 Used in broader range of applications
 Typical block size 64 – 128 bits
 Most algorithms based on a structure
referred to as Feistel block cipher

2
Block Ciphers
Operate on a plaintext block of n bits
 Produce a ciphertext block of n bits
 2n possible plaintext blocks
 Reversible/nonsingular encryption

 Each

Irreversible/singular
 More

has unique ciphertext
than one plaintext  same ciphertext
Number of mappings 2n! (why?)
3
Reversible VS Irreversible
Reversible Mapping
Irreversible Mapping
Plaintext
Ciphertext
Plaintext
Ciphertext
00
11
00
11
01
10
01
10
10
00
10
01
11
01
11
01
4
Logic of General Substitution
5
Logic of General Substitution
6
Key Length
In previous example, key is mapping
 Key length 16 × 4 bits = 64 bits

 i.e.
concatenate all bits of ciphertext table
In general, key length is 2n × n
 Actual block size is at least 64 bits
 Key length will be 264 × 64 ≈ 1021 bits
 Ability to map any plaintext to any
ciphertext is the ideal block cipher

7
Feistel Cipher
Build strong cipher from a product of
multiple simple ciphers
 Alternate substitutions & permutations
 Key length k, block length n
 2k possible transformations,
rather than 2n!

8
Diffusion and Confusion
Concepts introduced by Claude Shannon
 Two basic building blocks for block cipher
 Obscure plaintext statistics in ciphertext
 Ideally achieved by arbitrary substitution
cipher

9
Diffusion
Statistical structure of plaintext is
dissipated into long-range statistics of
ciphertext
 Each plaintext digit affects the value of
many ciphertext digits
 Ciphertext has nearly equal letter
frequency than plaintext
 Achieved by multiple permutations
followed by applying a function

10
Diffusion – Example

Message M = m1, m2, m3, …

Ciphertext letter yn results from adding k
successive plaintext letters
 Also known as avalanche effect

11
Confusion
Maximize complexity of the relation
between key and ciphertext statistics
 Achieved by using complex substitution
algorithms

12
Feistel Cipher Structure

Input
 plaintext
 key
block of length 2w
K
Plaintext block divided to L0, R0
 Pass thru n rounds of processing
 Each round i has

 Li-1,
Ri-1 derived from previous round
 subkey Ki derived from overall K
13
Feistel Cipher Structure
14
Feistel Cipher Structure

Substitution performed to left half
 apply
round function F to right half
 take XOR of output with left half
 F is parameterized by round subkey Ki

Permutation of left and right halves
 interchange
left and right halves
15
Design Parameters

Block size
 larger:
greater security (diffusion)
 smaller: faster encryption, decryption
 typical: 64 bit, 128 bit AES

Key size
 larger:
greater security (brute-force resist)
 smaller: faster encryption, decryption
 typical: 128 bit
16
Design Parameters

Number of rounds
 multiple
rounds increase security
 typical: 16

Subkey generation algorithm
 complexity

makes cryptanalysis difficult
Round function
 complexity
makes cryptanalysis difficult
17
Design Considerations

Speed of execution
 required

for embedded systems
Ease of analysis
 algorithm
easy to understand is easy to
identify vulnerabilities
 DES isn’t easy to analyze
18
Feistel Decryption Algorithm
Ciphertext is used as input
 Use subkeys Ki in reverse order
 Same algorithm is used
 Notation

 LEi
: left half in encryption algorithm
 REi : right half in encryption algorithm
 LDi : left half in decryption algorithm
 RDi : right half in decryption algorithm
19
Feistel Decryption Algorithm
Output of ith encryption round  input to
(16-i)th decryption round swapped
 LEi||REi ≡ RD16-i||LD16-i

20
21
Decryption Proof

Encryption side
 LE16
= RE15
 RE16 = LE15  F(RE15, K16)

Decryption side
 LD1
= RD0 = LE16 = RE15
 LD0 = RE16
 RD1 = LD0  F(RD0, K16)
= RE16  F(RE15, K16)
= [LE15  F(RE15, K16)]  F(RE15, K16)
22
Decryption Proof

XOR properties
 B]  C = A  [B  C]
D  D = 0
E  0 = E
 [A

Thus
= [LE15  F(RE15, K16)]  F(RE15, K16)
= LE15
 RD1

F does not have to be reversible
23
Data Encryption Standard
Most widely used encryption scheme
 Adopted by NIST (formerly NBS) in 1977
 Based on IBM LUCIFER algorithm

 had
128-bit key, reduced to 56 bits in DES
Algorithm is referred to as Data Encryption
Algorithm (DEA)
 Now replaced by Triple DES and AES

24
DES Encryption
64-bit plaintext block
 56-bit key
 Exact structure as Feistel except

 initial
permutation of plaintext
 final permutation of last round’s output
25
DES Encryption
26
DES Encryption Three Phases

64 bit plaintext pass thru initial permutation
 rearrange

bit to produce permuted input
Followed by 16 rounds of same function
 involve
permutation & substitution functions
 output of last round swapped (LH, RH) to
produce preoutput

Preoutput pass thru a permutation (IP-1)
 inverse
of IP to produce 64 bit ciphertext
27
Initial Permutation (IP)
28
Inverse Initial Permutation (IP-1)
29
Details of Single Round

Left and right halves of 64 bits are separated
into two 32-bit parts L,R
 Li
= Ri-1
 Ri = Li-1  F(Ri-1,Ki)




R is expanded to 48 bits using permutation E
Resulting 48 bits are XORed with Ki
48 bit result passes thru substitution function F
(8 S-boxes) producing 32-bit output
Output is permuted using permutation function P
30
Details of Single Round
31
Permutation Tables E, P
32
Role of S-Boxes
8 s-boxes, each has 6 bits input, 4 bits out
 outer 2 bits (1,6) used to select row
 inner 4 bits (2-5) used to select column
 decimal value of cell converted to 4 bits out

 note

that decimal values are [0-15]
8 4-bit groups produce 32 bit output
33
Role of S-Boxes
34
Role of S-Boxes
35
Example
Using S1
 Input: 011001
 Row is 01: (1)
 Column 1100: (12)
 Value of row 1, column 12 is 9
 Output is 1001

36
Key Generation





64-bit key used as input (8 × 8 table)
8th bit in each row is ignored  56 bits
key is permuted using table PC-1
resulting 56 bits separated into two 28-bit parts
C0, D0
Each round
 circular
left shift Ci-1, Di-1 of 1 or 2 bits (table)
 shifted values go to next round
 also used as input to table PC-2
 PC-2 produce 48-bit output Ki used in F(Ri-1, Ki)
37
Key Generation
38
Key Generation
39
Key Generation
40
Avalanche Effect
Small change in P  large change in C
 1 bit change in P/K  many bit change in C
 Makes cryptanalysis more difficult
 DES exhibits strong avalanche effect

41
Avalanche Effect – Example

Two plaintexts used, with 1 bit difference
 00000000
00000000 00000000 00000000
00000000 00000000 00000000 00000000
 10000000
00000000 00000000 00000000
00000000 00000000 00000000 00000000

Key
 0000001
1001011 0100100 1100010 0011100
0011000 0011100 0110010


After 3 rounds, 21 bits differ
On completion, 34 bits differ
42
Avalanche Effect – Example

Single plaintext
 01101000
10000101 00101111 01111010
00010011 01110110 11101011 10100100

Two keys, with 1 bit difference
 1110010
1111011 1101111 0011000
0011101 0000100 0110001 11011100
 0110010
1111011 1101111 0011000
0011101 0000100 0110001 11011100


After 4 rounds, 32 bits differ
On completion, 35 bits differ
43
Avalanche Effect – Example
44
DES Security

1977
 estimated
brute-force attack
 cost: ~ $20 million
Must be able to
recognize plaintext!
 time: ~ 10 hours

1998
 DES
definitely proved insecure
 EFF designed “DES Cracker”
 cost: < $250,000
 time: < 3 days
45
Reading Assignment

Textbook
 chapter

3
3.1, 3.2, 3.3
46