UNIT – II Block Ciphers and Data

Encryption Standard
Learning Outcomes
 To make the students

 understand few Encryption and Decryption methods

 evaluation the strength of those encryption and decryption

methods

 learn cipher modes of operation

Syllabus
 Block Cipher Principles
 Data Encryption Standard
 Strength of DES
 Differential and Linear Cryptanalysis
 Block Cipher Design Principles
 Advanced Encryption Standard
 Evaluation Criteria of AES
 AES Cipher
 More on Symmetric Ciphers
 Multiple encryption and Triple DES
 Block Cipher Modes of Operation
 RC4
Block Cipher Principles
Conventional Encryption Principles
 An encryption scheme has five ingredients:
 Plaintext
 Encryption algorithm
 Secret Key
 Ciphertext
 Decryption algorithm
 Security depends on the secrecy of the key, not
the secrecy of the algorithm
Conventional Encryption Principles
Cryptography
 Classified along three independent dimensions:
 The type of operations used for transforming
plaintext to ciphertext
 The number of keys used
 symmetric (single key)
 asymmetric (two-keys, or public-key encryption)
 The way in which the plaintext is processed
Modern Block Ciphers
 will now look at modern block ciphers
 one of the most widely used types of
cryptographic algorithms
 provide secrecy and/or authentication services
 in particular will introduce DES (Data
Encryption Standard)
Block vs Stream Ciphers
 block ciphers process messages in into blocks,
each of which is then en/decrypted
 like a substitution on very big characters
 64-bits or more
 stream ciphers process messages a bit or byte
at a time when en/decrypting
 many current ciphers are block ciphers
 hence are focus of course
Block Cipher Principles
 most symmetric block ciphers are based on a
Feistel Cipher Structure
 needed since must be able to decrypt
ciphertext to recover messages efficiently
 block ciphers look like an extremely large
substitution
 would need table of 264 entries for a 64-bit
block
 instead create from smaller building blocks
 using idea of a product cipher
Claude Shannon and Substitution-
Permutation Ciphers
 In 1949 Claude Shannon introduced idea of
substitution-permutation (S-P) networks
 modern substitution-transposition product cipher
 These form the basis of modern block
ciphers
 S-P networks are based on the two primitive
cryptographic operations we have seen
before:
 substitution (S-box)
 permutation (P-box)
 Provide confusion and diffusion of message
Confusion and Diffusion
 Cipher needs to completely obscure statistical
properties of original message
 A one-time pad does this
 More practically Shannon suggested combining
elements to obtain:
 Diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
 Confusion – makes relationship between
ciphertext and key as complex as possible
Feistel Cipher Structure
 Horst Feistel devised the feistel cipher
 based on concept of invertible product cipher
 Partitions input block into two halves
 process through multiple rounds which
 perform a substitution on left data half
 based on round function of right half & subkey
 then have permutation swapping halves
 Implements Shannon’s substitution-
permutation network concept
Feistel Cipher Design Principles
 Block size
 increasing size improves security, but slows cipher
 Key size
 increasing size improves security, makes exhaustive key
searching harder, but may slow cipher
 Number of rounds
 increasing number improves security, but slows cipher
 Subkey generation
 greater complexity can make analysis harder, but slows
cipher
 Round function
 greater complexity can make analysis harder, but slows
cipher
 Fast software en/decryption & ease of analysis
 are more recent concerns for practical use and testing
consider encryption process,
LE16=RE15
RE16=LE15+F(RE15,K16)
On the decryption side,
LD1=RD0=LE16=RE15
RD1=LD0+F(RD0,K16)
=RE16+F(RE15,K16)

=[LE15+F(RE15,K16)]+F(RE15,K16)]
= LE15
Thus, we have
LD1=RE15
RD1=LE15,
So, we got that output of the 1st stage of decryption process is
equal to 32-bit swap of the 15th round of the encryption
process
DES
Data Encryption Standard (DES)
 Most widely used block cipher in world
 Adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
 Encrypts 64-bit data using 56-bit key
 Has widespread use
 Has been considerable controversy over its
security
DES History
 IBM developed Lucifer cipher
 by team led by Feistel
 used 64-bit data blocks with 128-bit key
 Then redeveloped as a commercial cipher with
input from NSA and others
 In 1973 NBS issued request for proposals for a
national cipher standard
 IBM submitted their revised Lucifer which was
eventually accepted as the DES
DES Design Controversy
 Although DES standard is public
 Was considerable controversy over design
 in choice of 56-bit key (vs Lucifer 128-bit)
 and because design criteria were classified
 Subsequent events and public analysis show in
fact design was appropriate
 DES has become widely used, esp in financial
applications
DES Encryption
Initial Permutation IP
 First step of the data computation
 IP reorders the input data bits
 Even bits to LH half, odd bits to RH half
 Quite regular in structure (easy in h/w)
 Example:
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
Videos
 DES
DES Round Structure
 Uses two 32-bit L & R halves
 As for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
 Takes 32-bit R half and 48-bit subkey and:
 expands R to 48-bits using perm E
 adds to subkey
 passes through 8 S-boxes to get 32-bit result
 finally permutes this using 32-bit perm P
DES Round Structure
Substitution Boxes S
 Have eight S-boxes which map 6 to 4 bits
 Each S-box is actually 4 little 4 bit boxes
 outer bits 1 & 6 (row bits) select one rows
 inner bits 2-5 (col bits) are substituted
 result is 8 lots of 4 bits, or 32 bits
 Row selection depends on both data & key
 feature known as autoclaving (autokeying)
 Example:
S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Key Schedule
 Forms subkeys used in each round
 Consists of:
 initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves
 16 stages consisting of:
 selecting 24-bits from each half
 permuting them by PC2 for use in function f,
 rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
DES Decryption
 Decrypt must unwind steps of data
computation
 With Feistel design, do encryption steps again
 Using subkeys in reverse order (SK16 … SK1)
 Note that IP undoes final FP step of encryption
 1st round with SK16 undoes 16th encrypt
round
 ….
 16th round with SK1 undoes 1st encrypt round
 then final FP undoes initial encryption IP
 thus recovering original data value
Avalanche Effect
 Key desirable property of encryption alg
 where a change of one input or key bit results
in changing approx half output bits
 DES exhibits strong avalanche effect
Strength of DES
Strength of DES – Key Size
 56-bit keys have 256 = 7.2 x 1016 values
 Brute force search looks hard
 Recent advances have shown is possible
 in 1997 on Internet in a few months
 in 1998 on dedicated h/w (EFF) in a few days
 in 1999 above combined in 22hrs!
 Still must be able to recognize plaintext
 Now considering alternatives to DES
Strength of DES – Timing Attacks
 Attacks actual implementation of cipher
 Use knowledge of consequences of
implementation to derive knowledge of some/all
subkey bits
 Specifically use fact that calculations can take
varying times depending on the value of the
inputs to it
 Particularly problematic on smartcards
Strength of DES – Analytic Attacks
 Now have several analytic attacks on DES
 These utilise some deep structure of the
cipher
 by gathering information about encryptions
 can eventually recover some/all of the sub-key
bits
 if necessary then exhaustively search for the rest
 Generally these are statistical attacks
 Include
 differential cryptanalysis
 linear cryptanalysis
 related key attacks
Block Cipher Modes
Modes of Operation
 Block ciphers encrypt fixed size blocks
 Eg. DES encrypts 64-bit blocks, with 56-bit key
 Need way to use in practise, given usually have
arbitrary amount of information to encrypt
 Four were defined for DES in ANSI standard
ANSI X3.106-1983 Modes of Use
 Subsequently now have 5 for DES and AES
 Have block and stream modes
Cipher Block Modes of Operation

 Cipher Block Chaining Mode (CBC)

 The input to the encryption algorithm is the XOR
of the current plaintext block and the preceding
ciphertext block.
 Repeating pattern of 64-bits are not exposed

Ci  E k [Ci 1  Pi ]

D K [Ci ]  D K [E K (Ci 1  Pi )]
D K [Ci ]  (Ci 1  Pi )
Ci 1  D K [Ci ]  Ci 1  Ci 1  Pi  Pi
Triple DES
Triple DEA
 Use three keys and three executions of the DES
algorithm (encrypt-decrypt-encrypt)

C = EK3[DK2[EK1[P]]]
 C = ciphertext
 P = Plaintext
 EK[X] = encryption of X using key K
 DK[Y] = decryption of Y using key K
 Effective key length of 168 bits
Triple DEA
Other Symmetric Block Ciphers
 International Data Encryption Algorithm (IDEA)
 128-bit key
 Used in PGP
 Blowfish
 Easy to implement
 High execution speed
 Run in less than 5K of memory
Other Symmetric Block Ciphers
 RC5
 Suitable for hardware and software
 Fast, simple
 Adaptable to processors of different word lengths
 Variable number of rounds
 Variable-length key
 Low memory requirement
 High security
 Data-dependent rotations
 Cast-128
 Key size from 40 to 128 bits
 The round function differs from round to round
Stream Ciphers
 Process the message bit by bit (as a stream)
 Typically have a (pseudo) random stream key
 Combined (XOR) with plaintext bit by bit
 Randomness of stream key completely destroys any
statistically properties in the message
 Ci = Mi XOR StreamKeyi
 What could be simpler!!!!
 But must never reuse stream key
 otherwise can remove effect and recover messages
Stream Cipher Properties
 Some design considerations are:
 long period with no repetitions
 statistically random
 depends on large enough key
 large linear complexity
 correlation immunity
 confusion
 diffusion
 use of highly non-linear boolean functions
AES
Advanced Encryption Standard
Videos
 AES
RC4
RC4
 A proprietary cipher owned by RSA DSI
 Another Ron Rivest design, simple but effective
 Variable key size, byte-oriented stream cipher
 Widely used (web SSL/TLS, wireless WEP)
 Key forms random permutation of all 8-bit
values
 Uses that permutation to scramble input info
processed a byte at a time
RC4 Key Schedule
 Starts with an array S of numbers: 0..255
 Use key to well and truly shuffle
 S forms internal state of the cipher
 Given a key k of length l bytes
for i = 0 to 255 do
S[i] = i
j=0
for i = 0 to 255 do
j = (j + S[i] + k[i mod l]) (mod 256)
swap (S[i], S[j])
RC4 Encryption
 Encryption continues shuffling array values
 Sum of shuffled pair selects "stream key"
value
 tXOR with next byte of message to
en/decrypt
i=j=0
for each message byte Mi
i = (i + 1) (mod 256)
j = (j + S[i]) (mod 256)
swap(S[i], S[j])
t = (S[i] + S[j]) (mod 256)
Ci = Mi XOR S[t]
RC4 Security
 Claimed secure against known attacks
 have some analyses, none practical
 Result is very non-linear
 Since RC4 is a stream cipher, must never
reuse a key
 Have a concern with WEP, but due to key
handling rather than RC4 itself