Lecture 7 Dr.

Alshaimaa Abo-alian
Block Cipher Operation [email protected]
Lecture Outline

➢Multiple Encryption
– Double Encryption (e.g. Double DES or 2DES)
– Triple Encryption (e.g. Triple DES or 3DES)
➢Modes of operation
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB)
– Counter (CTR)

2
Multiple Encryption

▪ Because of the DES vulnerability to cryptanalytic and

brute-force attacks, it is replaced by stronger encryption
schemes.
▪ One approach is to design a completely new algorithm such
as AES
▪ Another alternative is to use multiple encryption with DES
and multiple keys.

3
 Multiple Encryption
Double Encryption:
Given a plaintext P and two encryption
keys K1 and K2 , ciphertext C
is generated as

C = E(K2 , E(K1 , P ))

Decryption requires that the keys be

applied in reverse order:

P = D(K1 , D(K2 , C ))
X = E(K1, P) = D(K2, C)
For DES, this scheme involves a key
length of 56 * 2 = 112 bits
4
Brute Force Attack

▪ Applying brute force attack on Block cipher with k-bits key

size :
✓ For each encryption, the attacker needs to try all
possible keys, which amounts to 2k possible keys.
▪ In a double encryption scheme, the total number of
operations required for a brute force attack is the product
of the number of keys for each encryption:
×
𝟐𝒌 𝟐𝒌 = 22k
▪ For 2DES, 2 × 56-bit keys, meaning 112-bit key length
➔ Requires 2112 operations for brute force attack
5
 Meet-in-The-Middle Attack

▪ It is a known plaintext attack, meaning the attacker has access

to both the plaintext and its corresponding ciphertext.
▪ Reduces the computational effort required compared to a
brute-force attack.
▪ The attacker divides the encryption process into two halves:
1. The first half: Encrypt plaintexts using all possible keys and
store the intermediate results (often referred to as
"encryption table“)
2. The second half: Decrypt ciphertexts using all possible keys
and compare the intermediate results with those in the
stored encryption table
Known-Plaintext Attack on
Double DES
▪ Double DES Encryption: C = E (K2, E(K1, P))
▪ Say X = E(K1, P) = D(K2, C)
▪ Attacker knows two plaintext, ciphertext pairs (Pa, Ca) and (Pb, Cb)
1. Encrypt Pa using all 256 values of K1 to get multiple values of X
2. Store results in table and sort by X
3. Decrypt Ca using all 256 values of K2
4. As each decryption result produced, check against table
5. If match, check current K1, K2 on Cb. If Pb obtained, then accept
the keys
➔ Encrypt/decrypt operations required: 256 (twice as many as single
DES)
7
Known-Plaintext Attack on
Double DES

For a block cipher with a k-bit key, a known-

plaintext attack defeats double encryption using
on the order of 2k operations and 2k storage.

8
Example
Consider a 4-bit block cipher, called ABC, that uses 2-bit keys.

Key Key
Plaintext 00 01 10 11 Plaintext 00 01 10 11

0000 0001 0101 1101 0111 1000 1000 1011 0101 1001
0001 1101 0111 1000 0101 1001 1100 0000 0010 0110
0011 0000 0110 0111 1010 1010 1010 0010 0000 0100
0010 0101 1101 1111 0011 1011 1011 0100 1001 1000
0100 0111 1000 1100 1101 1100 0110 0011 1010 1100
0101 1001 1111 1011 0001 1101 1111 1110 0100 0000
0110 0011 1001 0001 1110 1110 0100 1100 0011 0010
0111 1110 0001 0110 1111 1111 0010 1010 1110 1011

Consider Double-ABC, which involves applying the block cipher ABC two times using two
different 2-bit keys. Show how the meet-in-the-middle attack can be applied to find the
keys used if the attacker already knows the pairs: (0000, 1110) & (0011, 0001)
9
Triple DES (3DES)

▪ This approach is commonly referred to as 3DES, or Triple

Data Encryption Algorithm (TDEA).
▪ There are two versions of 3DES:
– 3DES with two keys
– 3DES with three keys.

10
 Triple DES with Two keys

▪Two-key triple encryption was

first proposed by Tuchman.
▪The function follows an
encrypt-decrypt-encrypt (EDE)
sequence :
C = E(K1, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K1, C)))

A = E(K1, P) = E(K2, B)
B = D (K2, A) = D (K1, C)
11
 Triple DES with Three keys

▪ The function follows an

encrypt-decrypt-encrypt
(EDE) sequence :
C = E(K3, D(K2, E(K1, P)))
P = D(K1, E(K2, D(K3, C)))

A = E(K1, P) = E(K2, B)
B = D (K2, A) = D (K3, C)
12
Known-Plaintext Attack on 3DES
with 2 keys

13
Known-Plaintext Attack on
3DES with 2 keys
Given a known pair (P, C) , the attack proceeds as follows:
1. Obtain n (P , C ) pairs. This is the known plaintext. Place
these in a table (Table 1) sorted on the values of P.
2. Pick an arbitrary value a for A, and create a second table
with entries defined as follows:
▪ For each of the 256 possible keys K1 = i, calculate the
plaintext value P, such that Pi = D(i, a)
▪ For each Pi that matches an entry in Table 1, create an
entry in Table 2 consisting of the K1 value and the value of
B that is produced for the (P, C) pair from Table 1 ➔ Bj =
D(i, Ci)
▪ Sort Table 2 on the values of B.
14
Known-Plaintext Attack on
3DES with 2 keys
We now have a number of candidate values of K1 in Table 2
and want to search for a value of K2.
3. For each of the 256 possible keys K2 = j, calculate the
second intermediate value for our chosen value of a:
Bj = D(j, a)
4. At each step, look up Bj in Table 2. If there is a match, then
the corresponding key i from Table 2 plus this value of j
are candidate values for the unknown keys (K1, K2).
5. Test each candidate pair of keys (i, j) on a few other
plaintext–ciphertext pairs.
▪ If a pair of keys produces the desired ciphertext, the task is complete.
▪ If no pair succeeds, repeat from step 1 with a new value of a.
15
Modes of Operation
▪ A block cipher takes a fixed-length block of text of length n
bits and a key as input and produces a n-bit block of
ciphertext.
What about encrypting plaintext longer than n bits?
▪ Breaking the plaintext up into n-bit blocks and applying
cipher on each block
▪ When multiple blocks of plaintext are encrypted using the
same key, a number of security issues arise.
▪ A mode of operation is a technique for enhancing the effect
of a cryptographic algorithm
▪ As defined by NIST, there are 5 modes of operation for use
with any symmetric block cipher. 17
 Modes of Operation
Mode Description Typical Application

Electronic Each block of plaintext bits is encoded • Secure transmission of

Codebook (ECB) independently using the same key. single values (e.g., an
encryption key)
Cipher Block The input to the encryption algorithm is the • General-purpose block-
Chaining (CBC) XOR of the next block of plaintext and the oriented transmission
preceding block of ciphertext. • Authentication
Cipher Feedback Input is processed s bits at a time. • General-purpose stream-
(CFB) Preceding ciphertext is used as input to the oriented transmission
encryption algorithm to produce • Authentication
pseudorandom output, which is XO Red with
plaintext to produce next unit of ciphertext.
Output Feedback Similar to CFB, except that the input to the • Stream-oriented
(OFB) encryption algorithm is the preceding transmission over noisy
encryption output, and full blocks are used. channel (e.g., satellite
communication)
Counter (CTR) Each block of plaintext is XORed with an • General-purpose block-
encrypted counter. The counter is oriented transmission
incremented for each subsequent block. • Useful for high-speed
requirements 18
 Electronic Codebook (ECB) Mode
▪ Encrypt each block
separately using the same
key.
▪ For a given key, there is a
unique ciphertext for every
n-bit block of plaintext.
➔ That’s why it is called
“codebook”

19
 Electronic Codebook (ECB) Mode
▪ We can define ECB mode as follows.

▪ The ECB mode should be used only to secure messages

shorter than a single block of underlying cipher (i.e., 64 bits
for 3DES and 128 bits for AES), such as to encrypt a secret
key.
▪ Block ciphers do not hide data patterns (i.e., identical
ciphertext blocks imply identical plaintext blocks).
➔ For this reason, the ECB mode is not recommended for
messages longer than one block
20
 Cipher Block Chaining (CBC)
Mode
▪ In this mode, the input to
the encryption algorithm
is the XOR of the current
plaintext block and the
preceding ciphertext
block
▪ The same key is used for
each block.
▪ It involves use of an n-
bit initialization vector
(IV)

22
 Cipher Block Chaining (CBC)
Mode
▪ We can define CBC mode as follows.
Cj = E(K, (Cj-1 ⊕ Pj ))
Pj = Cj-1 ⊕ D(K, Cj )
▪ To produce the first block of ciphertext, an initialization
vector (IV) is XORed with the first block of plaintext.
C1= E(K, (IV ⊕ P1 ))
P1 = IV ⊕ D(K, C1)

23
 Properties of the CBC Mode
▪ Randomized encryption: Identical ciphertext blocks results in
different ciphertext.

▪ Chaining dependencies: Proper encryption/decryption of a

correct block requires a correct encryption/decryption of a
preceding ciphertext block.

▪ Error propagation: A single bit error in ciphertext block cj

affects decryption of blocks cj and cj+1

24
 ECB vs. CBC
Encrypted image
Using ECB mode

Encrypted image
Using CBC mode
Original image
25
 Cipher Feedback (CFB) Mode
▪ It is possible to convert a block cipher into a stream cipher,
using one of the following three modes:
1. Cipher feedback (CFB) mode
2. Output feedback (OFB) mode
3. Counter (CTR) mode.
▪ A stream cipher eliminates the need to pad a message to be
an integral number of blocks.
▪ If a character stream is being transmitted, each character
can be encrypted and transmitted immediately

27
 C F B Mode Ij = LSBb-s (Ij-1 ) || Cj-1
Cj = Pj ⊕ MSBs (Oj )
I1 = IV
Oj = E (K, Ij)

28
C F B Mode

29
C F B Mode
▪ It is assumed that the unit of transmission is s bits; a
common value is s =8 .
▪ As with CBC, the units of plaintext are chained together, so
that the ciphertext of any plaintext unit is a function of all
the preceding plaintext.
▪ We can define CFB mode as follows.

30
C F B Mode
– The input to the encryption function is a n-bit shift register that is
initially set to some initialization vector (IV).

– The leftmost (most significant) s bits of the output of the

encryption function are XORed with the first segment of
plaintext P1 to produce the first unit of ciphertext C1 , which is
then transmitted.

– In addition, the contents of the shift register are shifted left by s

bits, and C1 is placed in the rightmost (least significant) s bits
of the shift register.

– This process continues until all plaintext units have been

encrypted. 31
Properties of CFB Mode

▪ Does it conform to the typical construction of a stream

cipher?

▪ Chaining?

▪ Error Propagation?

32
O F B Mode

Nonce is a data block that is unique to each execution of the

encryption operation 33
O F B Mode

34
 O F B Mode
▪ Similar in structure to that of CFB.

▪ For OFB, the output of the encryption function is fed back to

become the input for encrypting the next block of plaintext
▪ In CFB, the output of the XOR unit is fed back to become
input for encrypting the next block.

▪ The other difference is that the OFB mode operates on full

blocks of plaintext and ciphertext, whereas CFB operates
on an s -bit subset.

35
 O F B Mode
▪ We can define OFB mode as follows.

36
Properties Of OFB Mode

▪ The IV must be nonce. Why?

▪ Does OFB have the structure of a typical stream cipher?

▪ Chaining dependencies?

▪ Error propagation?

37
 Counter (CTR) Mode

▪ OFB has the structure of a typical stream cipher, because the

cipher generates a stream of bits as a function of an initial
value and a key
▪ The generated stream that is XORed with the plaintext is
itself independent of the plaintext

▪ One distinction from the stream ciphers is that OFB encrypts

plaintext a full block at a time, where typically a block is 64
or 128 bits. Many stream ciphers encrypt one byte at a time.

38
 CTR Mode

▪ A counter equal to the plaintext block size is used.

▪ The only requirement is that the counter value must be
different for each plaintext block that is encrypted.
▪ Typically, the counter is initialized to some value and then
incremented by 1 for each subsequent block
▪ For encryption, the counter is encrypted and then XORed with
the plaintext block to produce the ciphertext block
▪ There is no chaining.

39
Advantages of C T R

1. Efficiency
2. Preprocessing
3. Random access
4. Simplicity

40
Choose The Correct Answer
1. The simplest form of multiple encryption has __________
encryption stages and __________ keys.
A. four, two B. two, three
C. two, two D. three, two
2. Which of the following modes of operations can be
followed for both stream ciphers as well as block ciphers?
A. CBC (Cipher Block Chaining)
B. ECB (Electronic CodeBook)
C. CFB (Ciphertext FeedBack)
D. All of the above
41
Choose The Correct Answer
3. Which of the following is the major drawback of ECB?
A. Padding is required to make the plaintext divisible into blocks
of fixed size
B. It is prone to cryptanalysis since there is a direct relationship
between plaintext and ciphertext.
C. It requires large block size
D. None of the above
4. Which of the following modes implement chaining?
A. CBC B. OFB
C. ECB D. CTR
42
Try By Yourself

▪ Using block cipher ABC (in slide 9), Encrypt the

plaintext 00101010 with key 01 and IV = 0110
using the following different modes of operation:
➢ECB
➢CBC
➢CFB (s=2)
➢OFB
➢CTR

43
Thank you

44