Why Cryptography?

1
Information Security and
Management
3. Block Ciphers and the
Data Encryption Standard
Chih-Hung Wang
Fall 2011
2
Block Cipher Principles
• Block Ciphers and Stream Ciphers
▫ A block cipher is one in which a block of plaintext
is treated as a whole and used to produce a
ciphertext block of equal length.
▫ like a substitution on very big characters
  - 64/128 bits or more
▫ A stream cipher is one that encrypts a digital data
stream one bit or one byte at a time.
▫ Many current ciphers are block ciphers
3
Block Ciphers and Stream Ciphers
4
Motivation
• Reversible Mapping
Reversible Mapping          Irreversible Mapping
Plaintext  Ciphertext       Plaintext  Ciphertext
00         11               00         11
01         10               01         10
10         00               10         01
11         01               11         01
5
A General Substitution Cipher
• If a small block size, such as n = 4, is used, then the system is equivalent to
a classical substitution cipher.
  - Such ciphers are vulnerable to statistical analysis of the plaintext.
• An arbitrary reversible substitution cipher for a large block size is not
practical.
6
A General Substitution Cipher
The size of the key is $n \cdot 2^n$ bits.
For a 64-bit block the key size is $64 \cdot 2^{64} \approx 10^{21}$ bits.
7
Block Cipher Principles
• most symmetric block ciphers are based on a
Feistel Cipher Structure
• Feistel proposed the use of a cipher that alternates
substitutions and permutations
• needed since must be able to decrypt ciphertext to
recover messages efficiently
• block ciphers look like an extremely large
substitution
• would need a table of $2^{64}$ entries for a 64-bit block
• instead create from smaller building blocks
• using the idea of a product cipher
8
Claude Shannon and Substitution-Permutation Ciphers
• in 1949 Claude Shannon introduced idea of
substitution-permutation (S-P) networks
▫ modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations we have seen before:
▫ substitution (S-box)
▫ permutation (P-box)
• provide confusion and diffusion of message
9
Diffusion and Confusion
• Cipher needs to completely obscure statistical
properties of original message
• a one-time pad does this
• more practically Shannon suggested combining
elements to obtain:
• diffusion – the statistical structure of the plaintext
is dissipated into long range statistics of the
ciphertext
• confusion – makes relationship between
ciphertext and key as complex as possible
10
Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
▫ based on concept of invertible product cipher
• Partitions input block into two halves
▫ The two halves of the data pass through n rounds
of processing and then combine to produce the
ciphertext block.
• Implements Shannon's substitution-permutation network concept
11
Feistel Cipher Structure
12
Feistel Cipher Design Principles
• Block size
▫ larger block sizes mean greater security but reduced encryption/decryption speed
• Key size
▫ increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• Number of rounds
▫ a single round offers inadequate security
▫ increasing number improves security, but slows cipher
• Subkey generation
▫ greater complexity should lead to greater difficulty of cryptanalysis
• Round function
▫ greater complexity means greater resistance to cryptanalysis
• Fast software encryption/decryption
• Ease of analysis
▫ DES does not have an easily analyzed functionality
13
Feistel Cipher Decryption
• Use the ciphertext as input to the algorithm, but
use the subkeys $K_i$ in reverse order.
Last encryption round:
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$
Decryption (first round):
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus F(RD_0, K_{16})$
$\quad = RE_{16} \oplus F(RE_{15}, K_{16})$
$\quad = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16}) = LE_{15}$
14
Feistel Cipher
Decryption
15
General Form of Feistel Cipher
Encryption round $i$:
$LE_i = RE_{i-1}$
$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$
Solving for the previous state (decryption):
$RE_{i-1} = LE_i$
$LE_{i-1} = RE_i \oplus F(RE_{i-1}, K_i) = RE_i \oplus F(LE_i, K_i)$
16
Data Encryption Standard (DES)
• History
▫ 1977: adopted by the National Bureau of Standards (now the National
Institute of Standards and Technology, NIST) as Federal Information
Processing Standard 46 (FIPS PUB 46)
▫ 1960: IBM LUCIFER project
17
DES
• Critique
▫ The key length
  - In IBM's original LUCIFER algorithm the key is 128 bits,
but that of the proposed system was only 56 bits.
▫ Design criteria for the internal structure
  - S-boxes
  - Any hidden weak points that could enable NSA to
decipher messages without benefit of the key?
  - Differential cryptanalysis -> DES has a very strong
internal structure
18
DES
• Not Secure?
▫ DES has flourished and is widely used, especially
in financial applications
▫ In 1994, NIST reaffirmed DES for federal use for
another five years
▫ NIST recommends the use of DES for
applications other than protection of classified
information
19
DES Encryption
• Data are encrypted in 64-bit blocks using a 56-bit
key.
• Transforms 64-bit input in a series of steps into
64-bit output.
20
The Structure of Block Cipher
[Figure: an n-bit plaintext block passes through t rounds, each a weak cipher
keyed with sub-key K1, K2, …, Kt; a sub-key generator derives the sub-keys
from the k-bit key; the output of round t is the ciphertext.]
21
General
Depiction
22
Details of Single Round
23
Details of Single Round
• Li = Ri-1 ; Ri = Li-1 ⊕ f(Ri-1, Ki) (i=1…15)
• Li = Li-1 ⊕ f(Ri-1, Ki) ; Ri = Ri-1 (i=16)
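The round equations above, together with the general Feistel form on the earlier slide, in runnable form. This is an added example, not the lecture's code: the round function F is a constructed, deliberately non-invertible AND, and the subkey schedule is a constructed toy (not DES's), to show that the network inverts no matter what F is.

```python
MASK32 = 0xFFFFFFFF
MASK56 = (1 << 56) - 1

def feistel(left, right, subkeys, F):
    """Rounds in the slide form: L_i = R_{i-1}, R_i = L_{i-1} ^ F(R_{i-1}, K_i).
    The final swap is undone, which gives the DES i = 16 form
    (L_16 = L_15 ^ f(R_15, K_16), R_16 = R_15)."""
    for k in subkeys:
        left, right = right, left ^ F(right, k)
    return right, left

def encrypt(block64, subkeys, F):
    """Split a 64-bit block into 32-bit halves, run the network, rejoin."""
    l, r = feistel(block64 >> 32, block64 & MASK32, subkeys, F)
    return (l << 32) | r

def decrypt(block64, subkeys, F):
    """Same algorithm as encryption with the subkeys applied in reverse order."""
    return encrypt(block64, list(reversed(subkeys)), F)

def and_round(r, k):
    """Constructed round function: bitwise AND is not invertible (many inputs
    share one output), yet the cipher stays invertible because F is only XORed."""
    return (r & k) & MASK32

def toy_schedule(key56, rounds=16):
    """Constructed subkey schedule (not DES's): rotate the 56-bit key by one
    position per round and take the low 32 bits as K_i."""
    keys = []
    for _ in range(rounds):
        key56 = ((key56 << 1) | (key56 >> 55)) & MASK56
        keys.append(key56 & MASK32)
    return keys
```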
24
Feistel Encryption
[Figure: 64-bit input -> IP -> 16 rounds of f with subkeys k1, k2, …, ki, …, k16,
each round operating on the 32-bit halves L0/R0, L1/R1, L2/R2, …, Li/Ri, …, L16/R16
-> IP-1 -> 64-bit output.]
25
IP and IP-1
Each table entry is the position (1 = leftmost) of the input bit that becomes that output bit.

IP (Initial Permutation)
58 50 42 34 26 18 10  2
60 52 44 36 28 20 12  4
62 54 46 38 30 22 14  6
64 56 48 40 32 24 16  8
57 49 41 33 25 17  9  1
59 51 43 35 27 19 11  3
61 53 45 37 29 21 13  5
63 55 47 39 31 23 15  7

IP-1 (Inverse Initial Permutation)
40  8 48 16 56 24 64 32
39  7 47 15 55 23 63 31
38  6 46 14 54 22 62 30
37  5 45 13 53 21 61 29
36  4 44 12 52 20 60 28
35  3 43 11 51 19 59 27
34  2 42 10 50 18 58 26
33  1 41  9 49 17 57 25
26
Expansion & Permutation
Expansion (E): 32 bits -> 48 bits
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

Permutation (P): 32 bits -> 32 bits
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
27
Calculation of F(R,K)
[Figure: R (32 bits) -> E -> 48 bits, XORed with subkey ki (48 bits), split into
eight 6-bit groups fed to S1 … S8, whose 4-bit outputs are concatenated and
passed through P to give the output F (32 bits).]
28
S-box (EX. S1)
          Column
row   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
 0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
 3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

Example: input 011001 to S1
row = outer bits 0 1 = 1, column = inner bits 1100 = 12
S1 output = 9 = 1001
29
Key Generation
[Figure: 64-bit key -> PC-1 -> 56 bits split into C0 and D0 (28 bits each); each
round applies a left shift to Ci-1 and Di-1 to give Ci and Di, and PC-2 selects
the 48-bit subkey ki from Ci Di, for i = 1 … 16.]
Left shifts per round:
Round   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Shift   1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
30
Key Generation
Left shift schedule
Round number   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
Bits rotated   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

PC-1 (Permuted Choice 1): 64-bit key -> 56 bits (parity bits 8, 16, …, 64 dropped)
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4

PC-2 (Permuted Choice 2): 56 bits -> 48-bit subkey
14 17 11 24  1  5
 3 28 15  6 21 10
23 19 12  4 26  8
16  7 27 20 13  2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
31
DES Decryption
• Decryption uses the same algorithm as
encryption, except that the application of the
subkeys is reversed.
▫ K16, K15 , …, K1
32
DES Example
33
The Avalanche Effect
• DES exhibits a strong avalanche effect
▫ Two plaintexts differ by one bit
▫ Two keys differ by one bit
(a) Change in Plaintext (1 bit)
Round                       1   4   8  12  16
Number of bits that differ  6  39  29  30  34

(b) Change in Key (1 bit)
Round                       1   4   8  12  16
Number of bits that differ  2  32  34  33  35
DES Avalanche Effect-Change in
Plaintext
35
DES Avalanche Effect-Change in
Key
36
The Strength of DES
• 56-bit DES
▫ 1977 Diffie & Hellman
  - Parallel machine with 1 million encryption devices,
each of which could perform one encryption per
microsecond.
  - Average search time down to about 10 hours
  - The cost would be about $20 million
37
The Strength of DES
▫ 1993 Wiener
  - Key search rate of 50 million keys per second
  - Designed a module that costs $100,000 and contains
5750 key search chips

Key search machine unit cost   Expected search time
$100,000                       35 hours
$1,000,000                     3.5 hours
$10,000,000                    21 minutes
38
The Strength of DES
• RSA Laboratories
▫ The Challenge
  - Offered a $10,000 reward to find a DES key
given the ciphertext of a plaintext consisting of an
unknown message preceded by three
known blocks of text containing the 24-character
phrase "the unknown message is:"
  - January 29, 1997: a brute-force program was developed
and distributed over the Internet.
  - The project linked numerous machines over the
Internet and eventually grew to over 70,000
systems
  - Ended 96 days later when the correct key was
found after examining about one-quarter of all
possible keys.
39
Cryptanalysis of DES
• Differential Cryptanalysis
▫ Biham and Shamir [1993] [BIHA93]
  - Can successfully cryptanalyze DES with an effort
on the order of $2^{47}$, requiring $2^{47}$ chosen plaintexts
(brute-force method: $2^{55}$)
  - Not very well. Differential cryptanalysis was
known to the IBM team as early as 1974.
▫ Linear Cryptanalysis
▫ Weak keys; Semi-weak keys
40
Differential Cryptanalysis
• A statistical attack against Feistel ciphers
• Uses cipher structure not previously used
• Design of S-P networks has output of function f
influenced by both input & key
• Hence cannot trace values back through cipher
without knowing values of the key
• Differential Cryptanalysis compares two related
pairs of encryptions
41
Differential Cryptanalysis Compares Pairs of
Encryptions
• With a known difference in the input
• Searching for a known difference in output
• When same subkeys are used
42
Differential Cryptanalysis (Three Round of
DES)
43
Linear Cryptanalysis
• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing
probabilities
• Developed by Matsui et al in early 90's [MATS93]
• Based on finding linear approximations
• Can attack DES given $2^{47}$ known plaintexts, still
infeasible as an attack on DES
44
Block Cipher Design Principles
• Basic principles still like Feistel in 1970’s
• DES design criteria [COPP94] (Coppersmith)
• Number of rounds
▫ The greater the number of rounds, the more difficult it is to
perform cryptanalysis, even for a relatively weak F.
• Design of function F:
▫ S-box design
▫ Provides “confusion”, is nonlinear, avalanche
• Key schedule
▫ Complex subkey creation, key (strict) avalanche, bit
independence [ADAM94]
45
Block Cipher Modes
[Figure: plaintext M split into 64-bit blocks, each passed through the DES
cipher to give the 64-bit blocks of ciphertext C.]
Apply DES in Multiple Data Blocks
46
Block Cipher Modes
• Four modes have been defined (FIPS PUB 74, 81)
▫ Electronic Codebook (ECB)
▫ Cipher Block Chaining (CBC)
▫ Cipher Feedback (CFB)
▫ Output Feedback (OFB)
• NIST has expanded the list of recommended modes
to five in Special Publication 800-38A
▫ ** Counter (CTR)
47
ECB
48
ECB
• Each block of 64 plaintext bits is encoded
independently using the same key
• Typical Application
▫ Secure transmission of single values (e.g., an
encryption key)
49
ECB
• Security
▫ For lengthy messages, the ECB mode may not be
secure.
  - If the message is highly structured, it may be
possible for a cryptanalyst to exploit these
regularities.
  - For example: the message always starts out with
certain predefined fields.
  - The message has repetitive elements, with a period
of repetition a multiple of 64 bits.
50
CBC
51
CBC
• The input to the encryption algorithm is the
XOR of the next 64 bits of plaintext and the
preceding 64 bits of ciphertext.
• Typical Application
▫ General-purpose block-oriented transmission
52
CBC
• Expression
▫ Encryption
  $C_n = E_K(C_{n-1} \oplus P_n)$
▫ Decryption
  $D_K[C_n] = D_K[E_K(C_{n-1} \oplus P_n)] = C_{n-1} \oplus P_n$
  $\Rightarrow C_{n-1} \oplus D_K[C_n] = C_{n-1} \oplus C_{n-1} \oplus P_n = P_n$
53
CBC
• IV: initialization vector
▫ Must be known to both the sender and receiver.
▫ IV should be protected as well as the key.
▫ This should be done by sending the IV using ECB
encryption
▫ If an opponent can predictably change bits in IV, the
corresponding bits of the received value of P1 can be
changed.
54
CFB
• Encryption
55
CFB
• Decryption
56
5e book
(CFB)
57
CFB
• Input is processed J bits at a time. Preceding
ciphertext is used as input to the encryption
algorithm to produce pseudorandom output, which
is XORed with plaintext to produce next unit of
ciphertext.
• Typical Application
▫ General-purpose stream-oriented transmission
▫ Authentication
58
CFB
• Stream Cipher
▫ It is possible to convert DES into a stream cipher,
using either CFB or OFB.
▫ A stream cipher eliminates the need to pad a
message to be an integral number of blocks.
▫ A stream cipher can operate in real time.
59
OFB
• Encryption
60
OFB
• Decryption
61
5e book
OFB
62
OFB
• Similar to CFB, except that the input to the
encryption algorithm is the preceding DES
output.
• Typical Application
▫ Stream-oriented transmission over noisy channel
(e.g., satellite communication)
63
OFB
• Advantage
▫ Bit errors in transmission do not propagate. If a
bit error occurs in C1, only the recovered value of
P1 is affected.
• Disadvantage
▫ It is more vulnerable to a message stream
modification attack than is CFB.
64
Counter Mode (CTR)
• Encryption
65
CTR
• Decryption
66
CTR
• This mode was proposed early on [DIFF79]
• Applications to ATM (asynchronous transfer mode)
network security and IPSec (IP Security)
• Advantages [LIPM00]
▫ Hardware efficiency
▫ Software efficiency
▫ Preprocessing
▫ Random access
▫ Provable
▫ Simplicity
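The ECB, CBC, OFB and CTR modes described on the preceding slides over 64-bit blocks, as an added example that is not the lecture's code. The block cipher is a constructed placeholder (XOR with the key, then a one-byte rotation) standing in for DES only so that the modes run offline; it has no security of its own.

```python
BLOCK = 8   # 64-bit blocks, as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_enc(k, b):   # constructed placeholder for E_K, not DES
    x = xor(b, k)
    return x[1:] + x[:1]

def toy_dec(k, c):   # its inverse, D_K
    x = c[-1:] + c[:-1]
    return xor(x, k)

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(k, pt):   # each block encoded independently with the same key
    return b"".join(toy_enc(k, p) for p in split(pt))

def cbc_encrypt(k, iv, pt):   # C_n = E_K(C_{n-1} xor P_n), with C_0 = IV
    out, prev = [], iv
    for p in split(pt):
        prev = toy_enc(k, xor(prev, p))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(k, iv, ct):   # P_n = C_{n-1} xor D_K(C_n)
    out, prev = [], iv
    for c in split(ct):
        out.append(xor(prev, toy_dec(k, c)))
        prev = c
    return b"".join(out)

def ofb_crypt(k, iv, data):   # keystream O_n = E_K(O_{n-1}); same call decrypts
    out, o = [], iv
    for blk in split(data):
        o = toy_enc(k, o)
        out.append(xor(o, blk))
    return b"".join(out)

def ctr_crypt(k, nonce, data):   # keystream E_K(nonce + n): blocks are independent
    out, base = [], int.from_bytes(nonce, "big")
    for n, blk in enumerate(split(data)):
        ctr = ((base + n) & 0xFFFFFFFFFFFFFFFF).to_bytes(BLOCK, "big")
        out.append(xor(toy_enc(k, ctr), blk))
    return b"".join(out)
```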
67
5e book
CTR