5 Block Ciphers
Dhananjoy Dey
February 2, 2021
1
All the pictures used in this presentation are taken from freely available
websites.
2
If there is a reference on a slide all of the information on that slide is
attributable to that source whether quotation marks are used or not.
3
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Outline
1 Introduction
2 Feistel Network
DES
3 SPN
AES
4 Modes of Operation
Block Cipher
A block cipher is a function
f_K : P_A^n → C_A^m,
Definition
A mapping f_{{0,1}^k} : {0,1}^n → {0,1}^n is called a block cipher with block size n
bits and key size k bits, if the mapping f_K(·) is a bijection for each K ∈ {0,1}^k,
i.e., if f_K^{-1}(·) exists with f_K^{-1}(f_K(x)) = x for each K ∈ {0,1}^k and x ∈ {0,1}^n.
Simple Substitution
Example
AAAA AAAB AAAC ··· ZZZZ
QAQZ WIJT ENTO ··· MIHB
‘code book’
If blocks are large enough, then frequency analysis becomes infeasible.
Block Cipher
Attack Models
Security Goals
Even-Mansour
f = f_r ∘ f_{r−1} ∘ ··· ∘ f_2 ∘ f_1
C. E. SHANNON,
Communication Theory of Secrecy Systems, 1949.
Confusion: is intended to make the relationship between the key and ciphertext
as complex as possible.
Today, a common element for achieving confusion is substitution/S-box, which is
found in both AES and DES.
Diffusion: refers to rearranging or spreading out the bits in the message so that
any redundancy in the plaintext is spread out over the ciphertext.
A simple diffusion element is the bit permutation, which is frequently used within
DES.
Confusion
Example
Let x, y, k ∈ {0,1}^8 and y = conf(x, k), where
y_1 = x_1 ⊕ x_2 ⊕ x_3 ⊕ x_4 ⊕ k_1 ⊕ k_2 ⊕ k_3 ⊕ k_4
y_2 = x_2 ⊕ x_3 ⊕ x_4 ⊕ x_5 ⊕ k_2 ⊕ k_3 ⊕ k_4 ⊕ k_5
y_3 = x_3 ⊕ x_4 ⊕ x_5 ⊕ x_6 ⊕ k_3 ⊕ k_4 ⊕ k_5 ⊕ k_6
y_4 = x_4 ⊕ x_5 ⊕ x_6 ⊕ x_7 ⊕ k_4 ⊕ k_5 ⊕ k_6 ⊕ k_7
y_5 = x_5 ⊕ x_6 ⊕ x_7 ⊕ x_8 ⊕ k_5 ⊕ k_6 ⊕ k_7 ⊕ k_8
y_6 = x_6 ⊕ x_7 ⊕ x_8 ⊕ x_1 ⊕ k_6 ⊕ k_7 ⊕ k_8 ⊕ k_1
y_7 = x_7 ⊕ x_8 ⊕ x_1 ⊕ x_2 ⊕ k_7 ⊕ k_8 ⊕ k_1 ⊕ k_2
y_8 = x_8 ⊕ x_1 ⊕ x_2 ⊕ x_3 ⊕ k_8 ⊕ k_1 ⊕ k_2 ⊕ k_3
Diffusion
Example
y_1 = f_1(x_1, x_2, k_1, k_2)
y_2 = f_2(x_2, x_3, k_2, k_3)
y_3 = f_3(x_3, x_4, k_3, k_4)
y_4 = f_4(x_4, x_5, k_4, k_5)
y_5 = f_5(x_5, x_6, k_5, k_6)
y_6 = f_6(x_6, x_7, k_6, k_7)
y_7 = f_7(x_7, x_8, k_7, k_8)
y_8 = f_8(x_8, x_1, k_8, k_1)
Diffusion
Example
y_1 = x_1 ⊕ x_2 ⊕ x_3 ⊕ x_4 ⊕ k_1 ⊕ k_2 ⊕ k_3 ⊕ k_4
y_2 = x_2 ⊕ x_3 ⊕ x_4 ⊕ x_5 ⊕ k_2 ⊕ k_3 ⊕ k_4 ⊕ k_5
y_3 = x_3 ⊕ x_4 ⊕ x_5 ⊕ x_6 ⊕ k_3 ⊕ k_4 ⊕ k_5 ⊕ k_6
y_4 = x_4 ⊕ x_5 ⊕ x_6 ⊕ x_7 ⊕ k_4 ⊕ k_5 ⊕ k_6 ⊕ k_7
y_5 = x_5 ⊕ x_6 ⊕ x_7 ⊕ x_8 ⊕ k_5 ⊕ k_6 ⊕ k_7 ⊕ k_8
y_6 = x_6 ⊕ x_7 ⊕ x_8 ⊕ x_1 ⊕ k_6 ⊕ k_7 ⊕ k_8 ⊕ k_1
y_7 = x_7 ⊕ x_8 ⊕ x_1 ⊕ x_2 ⊕ k_7 ⊕ k_8 ⊕ k_1 ⊕ k_2
y_8 = x_8 ⊕ x_1 ⊕ x_2 ⊕ x_3 ⊕ k_8 ⊕ k_1 ⊕ k_2 ⊕ k_3
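The 8-bit map y = conf(x, k) from the Confusion example, implemented as an added example (not code from the slides) so that its diffusion can be measured; the byte layout (bit i−1 of a byte holds x_i) and the sample values are assumptions of this example.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Added example (not from the slides): the 8-bit function y = conf(x, k) of the
// Confusion example, y_i = x_i ^ x_{i+1} ^ x_{i+2} ^ x_{i+3} ^ k_i ^ k_{i+1} ^ k_{i+2} ^ k_{i+3},
// indices wrapping mod 8, with bit i-1 of a byte holding x_i. It then measures how
// many output bits a single input-bit change reaches, i.e. the diffusion of the map.

// conf evaluates all eight output bits of the slide's formulas.
func conf(x, k byte) byte {
	var y byte
	for i := 0; i < 8; i++ {
		var b byte
		for j := 0; j < 4; j++ {
			s := uint((i + j) % 8)
			b ^= ((x >> s) & 1) ^ ((k >> s) & 1)
		}
		y |= b << uint(i)
	}
	return y
}

// outputBitsReached counts the output bits that flip when bit i (0-based) of x,
// or of k when flipKey is set, is complemented. Every input bit feeds exactly four
// of the y_i and the map is XOR-only, so the count is 4 whatever x and k are.
func outputBitsReached(x, k byte, i int, flipKey bool) int {
	mask := byte(1) << uint(i)
	if flipKey {
		return bits.OnesCount8(conf(x, k) ^ conf(x, k^mask))
	}
	return bits.OnesCount8(conf(x, k) ^ conf(x^mask, k))
}

func main() {
	x, k := byte(0x53), byte(0xA1) // constructed sample input and key
	fmt.Printf("conf(%02X, %02X) = %02X\n", x, k, conf(x, k))
	for i := 0; i < 8; i++ {
		fmt.Printf("flip x_%d: %d output bits change\n", i+1, outputBitsReached(x, k, i, false))
	}
}
```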
Design Criteria
Confusion Diffusion
Padding
2 Feistel Network
DES
Introduction
It was designed by IBM, verified by NSA and published by the NBS.
2004 : NIST withdrew DES
2009 : NIST withdrew 2-key TDES
until 2030 : 3-key TDES
DES Numerology
Encryption Algorithm
DES Round Function
Encryption Algorithm
E (expansion, 32 → 48 bits)      P (permutation, 32 bits)
32  1  2  3  4  5                16  7 20 21
 4  5  6  7  8  9                29 12 28 17
 8  9 10 11 12 13                 1 15 23 26
12 13 14 15 16 17                 5 18 31 10
16 17 18 19 20 21                 2  8 24 14
20 21 22 23 24 25                32 27  3  9
24 25 26 27 28 29                19 13 30  6
28 29 30 31 32  1                22 11  4 25
DES S-boxes
DES Diffusion
The 4 bits output from an S-box are distributed so that they affect 6
different S-boxes in the following round (4 boxes directly and 2 via the
expansion mapping).
If an output bit from S-box i affects one of the 2 middle input bits to
S-box j (in the next round), then an output bit from S-box j cannot affect
a middle bit of S-box i.
The middle 6 inputs to 2 neighbouring S-boxes (those not shared by any
other S-boxes) are constructed from the outputs from 6 different S-boxes
in the previous round.
The middle 10 input bits to 3 neighbouring S-boxes, 4 bits from the 2
outer S-boxes and 6 from the middle S-box (i.e., those not shared by any
other S-boxes), are constructed from the outputs from all S-boxes in the
previous round.
Structural Properties
Complementation Property
Structural Properties
Weak Keys
Definition
A DES key k is said to be weak if the following relationship holds
0101010101010101 fefefefefefefefe
1f1f1f1f1f1f1f1f e0e0e0e0e0e0e0e0
Structural Properties
Semi-Weak Keys
Definition
A pair of keys k_1, k_2 is said to be a semi-weak key pair if the following
relation is satisfied:
DES_{k_1}(DES_{k_2}(m)) = m, ∀ m.
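The weak-key, semi-weak-key and complementation properties checked on real DES, as an added example (not code from the slides) using Go's standard crypto/des. It uses the standard DES weak-key list (0101010101010101, FEFEFEFEFEFEFEFE, 1F1F1F1F0E0E0E0E, E0E0E0E0F1F1F1F1; note that the last two differ from the values printed on the slide above) and the semi-weak pair 01FE01FE01FE01FE / FE01FE01FE01FE01, which the slide does not list; the sample block and keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// Added example (not from the slides) using Go's standard crypto/des, which accepts
// weak keys silently, to check the structural properties above on real DES.

func encrypt(key, block []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

func complement(b []byte) []byte {
	out := make([]byte, len(b))
	for i := range b {
		out[i] = ^b[i]
	}
	return out
}

// weakKeyRoundTrips: DES_k(DES_k(m)) == m. A weak key gives 16 identical round keys,
// so running the Feistel network forwards is the same as running it backwards.
func weakKeyRoundTrips(k, m []byte) bool {
	return bytes.Equal(encrypt(k, encrypt(k, m)), m)
}

// semiWeakPair: DES_k1(DES_k2(m)) == m, the relation in the definition above.
func semiWeakPair(k1, k2, m []byte) bool {
	return bytes.Equal(encrypt(k1, encrypt(k2, m)), m)
}

// complementation: DES_{~k}(~m) == ~DES_k(m) for every key and block.
func complementation(k, m []byte) bool {
	return bytes.Equal(encrypt(complement(k), complement(m)), complement(encrypt(k, m)))
}

func main() {
	m, weak := []byte("8 bytes!"), []byte{0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e} // constructed block, standard weak key
	fmt.Println("weak key:", weakKeyRoundTrips(weak, m), "ordinary key:", weakKeyRoundTrips([]byte("notaweak"), m))
	fmt.Println("semi-weak pair:", semiWeakPair([]byte{1, 0xfe, 1, 0xfe, 1, 0xfe, 1, 0xfe}, []byte{0xfe, 1, 0xfe, 1, 0xfe, 1, 0xfe, 1}, m))
	fmt.Println("complementation:", complementation([]byte("any8byte"), m))
}
```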
Weak Permutation
Definition
A permutation F is called a weak permutation if given
Question
Does 3 rounds of DES form a weak permutation?
3 SPN
AES
Joan Daemen
Vincent Rijmen
Introduction I
Introduction II
Rijndael (86)
Serpent (59)
RC6 (31)
Mars (23)
Twofish (13)
Oct 2000 : NIST announced that Rijndael was “the best overall
algorithm for the AES”.
Nov 2001 : Dept of Commerce officially declared Rijndael as
the AES. (FIPS 197)
May 2002 : AES is effective
AES Numerology
Mathematical Background
57 + 83 = ?
(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2
01010111 ⊕ 10000011 = 11010100 = D4
Mathematical Background
Multiplication
Multiplication in GF(2^8) corresponds to multiplication of polynomials modulo an
irreducible polynomial over GF(2) of degree 8,
m(x) = x^8 + x^4 + x^3 + x + 1, or 11B.
Example
57 × 83 = ?
(x^6 + x^4 + x^2 + x + 1) × (x^7 + x + 1)
= x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1
(x^13 + x^11 + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) mod m(x)
= x^7 + x^6 + 1 = C1
Mathematical Background
b(x)a(x) + m(x)c(x) = 1.
It follows that the set of 256 possible byte values, with the XOR as
addition and the multiplication defined as above has the structure
of the finite field GF(28 ).
Mathematical Background
Multiplication by x
If we multiply b(x) by the polynomial x, we have:
b_7 x^8 + b_6 x^7 + b_5 x^6 + b_4 x^5 + b_3 x^4 + b_2 x^3 + b_1 x^2 + b_0 x
Example
57 × 13 = 57 × (01 ⊕ 02 ⊕ 10)
= 57 ⊕ AE ⊕ 07 = FE.
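The GF(2^8) arithmetic of the three slides above (addition, multiplication modulo m(x), and the multiply-by-x step) as an added example (not code from the slides); it reproduces 57 + 83 = D4, 57 × 83 = C1 and 57 × 13 = FE, and computes inverses by exponentiation (a^254) rather than the extended Euclidean relation b(x)a(x) + m(x)c(x) = 1 the slides refer to.

```go
package main

import "fmt"

// Added example (not from the slides): GF(2^8) byte arithmetic as the slides define it.
// Addition is XOR; multiplication is polynomial multiplication modulo
// m(x) = x^8 + x^4 + x^3 + x + 1 (11B), built from the "multiply by x" step.

// xtime multiplies b(x) by x: shift left, and if an x^8 term appears replace it by
// x^4 + x^3 + x + 1 (XOR with 1B), which is reduction modulo m(x).
func xtime(b byte) byte {
	if b&0x80 != 0 {
		return (b << 1) ^ 0x1b
	}
	return b << 1
}

// gmul multiplies two bytes by decomposing b into powers of x, as the slide does for
// 57 x 13 = 57 x (01 + 02 + 10): XOR together a * x^i for every set bit i of b.
func gmul(a, b byte) byte {
	var p byte
	for b != 0 {
		if b&1 != 0 {
			p ^= a
		}
		a, b = xtime(a), b>>1
	}
	return p
}

// gadd is field addition, the XOR of the coefficient vectors.
func gadd(a, b byte) byte { return a ^ b }

// ginv returns the multiplicative inverse as a^254, valid because every non-zero
// element of GF(2^8) satisfies a^255 = 1 (the slides use extended Euclid instead).
func ginv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gmul(r, a)
	}
	return r
}

func main() {
	fmt.Printf("57 + 83 = %02X\n", gadd(0x57, 0x83))
	fmt.Printf("57 x 83 = %02X\n", gmul(0x57, 0x83))
	fmt.Printf("57 x 13 = %02X\n", gmul(0x57, 0x13))
	fmt.Printf("57^-1   = %02X, check: %02X\n", ginv(0x57), gmul(0x57, ginv(0x57)))
}
```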
AES Encryption
Input Block
S-box
Shift Rows
Mix Columns
Inverse S-box
Key Schedule
AES Diffusion
3 φ_2 : GF(2^8) → GF(2^8),
f ↦ (x^6 + x^5 + x + 1) + f
Sbox = φ_2 ∘ L ∘ φ_1.
Recommendation
Primitive                  Legacy  Future
AES                        ✓       ✓
Camellia                   ✓       ✓
Three-Key-3DES             ✓       ✗
Two-Key-3DES               ✓       ✗
Kasumi                     ✓       ✗
Blowfish (≥ 80-bit keys)   ✓       ✗
DES                        ✗       ✗
4 Modes of Operation
Properties of ECB
Advantages
i. No block synchronization between sender and receiver is required.
ii. Bit errors caused by noisy channels only affect the corresponding
block but not succeeding blocks.
iii. Block cipher operation can be parallelized for high-speed
implementations.
Disadvantages
i. Identical plaintexts result in identical ciphertexts.
ii. An attacker recognizes if the same message has been sent twice.
iii. Plaintext blocks are encrypted independently of previous blocks.
iv. An attacker may reorder ciphertext blocks which results in valid
plaintext.
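Disadvantages i and ii made visible: an added example (not code from the slides) encrypting a 3-block message whose first and third blocks are identical with AES in ECB, then with the standard library's CBC for comparison. The key, IV and message are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Added example (not from the slides): AES-ECB versus AES-CBC on a message whose
// first and third blocks are identical. Key, IV and message are constructed here.
var (
	key = []byte("0123456789abcdef") // constructed 16-byte key
	iv  = []byte("demo-iv-16-bytes") // constructed 16-byte IV
	msg = []byte("ACCOUNT=1234567 AMOUNT=00000100 ACCOUNT=1234567 ")
)

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ecbEncrypt applies the raw block cipher to each 16-byte block on its own (no chaining).
func ecbEncrypt(key, pt []byte) []byte {
	b, ct := mustAES(key), make([]byte, len(pt))
	for i := 0; i+16 <= len(pt); i += 16 {
		b.Encrypt(ct[i:i+16], pt[i:i+16])
	}
	return ct
}

// cbcEncrypt uses the standard library's CBC mode for comparison.
func cbcEncrypt(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(ct, pt)
	return ct
}

// blocksEqual reports whether ciphertext blocks i and j match (disadvantages i and ii above).
func blocksEqual(ct []byte, i, j int) bool {
	return bytes.Equal(ct[i*16:i*16+16], ct[j*16:j*16+16])
}

func main() {
	fmt.Println("ECB: blocks 0 and 2 equal?", blocksEqual(ecbEncrypt(key, msg), 0, 2))
	fmt.Println("CBC: blocks 0 and 2 equal?", blocksEqual(cbcEncrypt(key, iv, msg), 0, 2))
}
```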
Properties of CBC
Properties of OFB
Properties of CFB
Encryption: c_i = p_i ⊕ E_K(Nonce || CTR)
Decryption: p_i = c_i ⊕ E_K(Nonce || CTR)
Dhananjoy Dey (Indian Institute of Information Technology, [email protected]), Block Ciphers, February 2, 2021, 84 / 88
Modes of Operation
Properties of CTR
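The CTR formulas above written out in code, as an added example (not code from the slides): the keystream block E_K(Nonce || CTR) is computed directly and XORed for both directions, then compared with Go's standard cipher.NewCTR. The 12-byte nonce plus 4-byte big-endian counter layout, the key and the message are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Added example (not from the slides): CTR mode written out as the formula above,
// c_i = p_i XOR E_K(Nonce || CTR), checked against the standard library's cipher.NewCTR.
// Layout assumed here: a 12-byte nonce followed by a 4-byte big-endian block counter.
// keystreamBlock returns E_K(nonce || ctr), the only use of the block cipher in CTR.
func keystreamBlock(b cipher.Block, nonce []byte, ctr uint32) []byte {
	in, out := make([]byte, 16), make([]byte, 16)
	copy(in, nonce)
	binary.BigEndian.PutUint32(in[12:], ctr)
	b.Encrypt(out, in)
	return out
}

// ctrXor is both encryption and decryption: the same XOR with the keystream, so D_K
// is never needed and a final partial block needs no padding.
func ctrXor(b cipher.Block, nonce, in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		ks := keystreamBlock(b, nonce, uint32(i/16))
		for j := 0; j < 16 && i+j < len(in); j++ {
			out[i+j] = in[i+j] ^ ks[j]
		}
	}
	return out
}

// stdlibCTR is the reference: NewCTR increments the whole 16-byte IV as a big-endian
// counter, so nonce || 0 as the IV yields exactly the blocks of keystreamBlock.
func stdlibCTR(b cipher.Block, nonce, in []byte) []byte {
	iv := append(append([]byte{}, nonce...), 0, 0, 0, 0)
	out := make([]byte, len(in))
	cipher.NewCTR(b, iv).XORKeyStream(out, in)
	return out
}

func main() {
	b, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed key
	if err != nil {
		panic(err)
	}
	nonce, pt := []byte("unique-nonce"), []byte("CTR needs no padding: 36 bytes here!") // constructed; never reuse a nonce under one key
	ct := ctrXor(b, nonce, pt)
	fmt.Printf("matches stdlib: %v\nround trip: %q\n", string(ct) == string(stdlibCTR(b, nonce, pt)), ctrXor(b, nonce, ct))
}
```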
g(x) = x^128 + x^7 + x^2 + x + 1
Crypto Applications
Algorithm   Applications
TDES        ATM, BlackBerry, SSH, PGP, S/MIME
IDEA        PGP, SSH
CAST-128    PGP (session key generation; encryption runs in cipher feedback mode)
AES         BlackBerry, HTTPS
AES-256     iOS (Apple)
Blowfish    SSH, PGP