Fifth Edition

by William Stallings
 Block Cipher Principles
 The Data Encryption Standard
 Simplified-DES
 DES Details
 DES Design Issues and Attacks
 3DES, AES and Other Block Ciphers
 now look at modern block ciphers
 one of the most widely used types of
cryptographic algorithms
 provide secrecy /authentication services
 focus on DES (Data Encryption Standard)
 to illustrate block cipher design principles
 Input (plaintext) block: 8-bits
 Output (ciphertext) block: 8-bits
 Key: 10-bits
 Rounds: 2
 Round keys generated using permutations and left shifts
 Encryption: initial permutation, round function, switch
halves
 Decryption: Same as encryption, except round keys used
in opposite order
IP = { 2, 6, 3, 1, 4, 8, 5 , 7 }

IP -1 = { 4,1 ,3 ,5 ,7 ,2 ,8 , 6}
P10 = { 3, 5, 2, 7, 4, 10, 1, 9, 8, 6}

P8 = { 6, 3, 7, 4, 8, 5, 10, 9}
 IP = { 2.,6, 3 , 1 , 4 , 8 , 5 , 7 }

EP = { 4, 1, 2, 3, 2, 3, 4, 1}

P4 = { 2, 4, 3, 1}

IP -1 = { 4.,1 ,3 , 5 , 7 , 2, 8 , 6}
 S-DES (and DES) perform substitutions using S-Boxes
 S-Box considered as a matrix: input used to select
row/column; selected element is output
 4-bit input: bit1; bit2; bit3; bit4
◦ bit1 , bit4 species row (0, 1, 2 or 3 in decimal)
◦ bit2bit3 species column
◦ 2-bit output
 S-DES expressed as functions:

 Security of S-DES:
◦ 10-bit key, 1024 keys: brute force easy
◦ If know plaintext and corresponding ciphertext, can
we determine key? Very hard
 Encrypt data one block at a time
 „Used in broader range of applications
 „Typical block size 64 – 128 bits 128 bits
 „Most algorithms based on a structure
referred to as Feistel block cipher
 n-bit block cipher takes n bit plaintext and produces n bit
ciphertext
 2n possible different plaintext blocks
 Encryption must be reversible (decryption possible)
 Each plaintext block must produce unique ciphertext block
 Total transformations is 2n!
key is mapping ; Key length 16 × 4 bits = 64 bits . i.e. concatenate all bits of ciph
 n-bit input maps to 2n possible input states
 Substitution used to produce 2n output states
 Output states map to n-bit output
 Ideal block cipher allows maximum number of possible encryption
mappings from plaintext block
 Problems with ideal block cipher:
◦ Small block size: equivalent to classical substitution cipher;
cryptanalysis based on statistical characteristics feasible
◦ Large block size: key must be very large;
performance/implementation problems
 Key length :
◦ In general, key length is 2n × n
◦ „Actual block size is at least 64 bit ( „Key length will be 2 64× 64 ≈ 1021 „bits)
 Diffusion
◦ Statistical nature of plaintext is reduced in ciphertext
◦ E.g. A plaintext letter affects the value of many ciphertext
letters
◦ How: repeatedly apply permutation (transposition) to data,
and then apply function
 Confusion
◦ Make relationship between ciphertext and key as complex
as possible
◦ Even if attacker can find some statistical characteristics of
ciphertext, still hard to find key
◦ How: apply complex (non-linear) substitution algorithm
 Feistel proposed applying two or more simple ciphers in sequence so
final result cryptographically stronger than component ciphers
 n-bit block length; k-bit key length; 2k transformations (rather than 2n !)
 Feistel cipher alternates: substitutions, transpositions (permutations)
 Applies concepts of diffusion and confusion
 Applied in many ciphers today
 Approach:
◦ Plaintext split into halves
◦ Subkeys (or round keys) generated from key
◦ Round function, F, applied to right half
◦ Apply substitution on left half using XOR
◦ Apply permutation: interchange to halves
 implements Shannon’s S-P net concept
 Exact implementation depends on various design features
 Block size, e.g. 64, 128 bits: larger values leads to more
diffusion
 Key size, e.g. 128 bits: larger values leads to more confusion,
resistance against brute force
 Number of rounds, e.g. 16 rounds
 Subkey generation algorithm: should be complex
 Round function F: should be complex
 Other factors include fast encryption in software and ease
of analysis
 Tradeoff : security vs performance
 Symmetric block cipher
◦ 56-bit key, 64-bit input block, 64-bit output block

 One of most used encryption systems in world

◦ Developed in 1977 by NBS/NIST
◦ Designed by IBM (Lucifer) with input from NSA
◦ Principles used in other ciphers, e.g. 3DES, IDEA

 Simplified DES (S-DES)

◦ Cipher using principles of DES
◦ Developed for education (not real world use)
 S-DES  DES
◦ 8-bit blocks ◦ 64-bit blocks
◦ 10-bit key: 2 x 8- ◦ 56-bit key: 16 x
bit round keys 48-bit round keys
◦ IP: 8-bits ◦ IP: 64 bits
◦ F operates on 4 bits ◦ F operates on 32
◦ 2 S-Boxes bits
◦ 2 rounds ◦ 8 S-Boxes
◦ 16 rounds
3: Expansion permutation (E )

4 : Permutation Function (P)

27
31
 Aim: small change in key (or plaintext) produces large change
in ciphertext
 Avalanche effect is present in DES (good for security)
 Following examples show the number of bits that change in
output when two different inputs are used, differing by 1 bit
◦ Plaintext 1: 02468aceeca86420
◦ Plaintext 2: 12468aceeca86420
◦ Ciphertext difference: 32 bits
◦ Key 1: 0f1571c947d9e859
◦ Key 2: 1f1571c947d9e859
◦ Ciphertext difference: 30
 Although 64 bit initial key, only 56 bits used
in encryption (other 8 for parity check)
 256 = 7.2 x 1016
◦ 1977: estimated cost $US20m to build machine to
break in 10 hours
◦ 1998: EFF built machine for $US250k to break in 3
days
◦ Today: 56 bits considered too short to withstand
brute force attack
 3DES uses 128-bit keys
 Timing Attacks
◦ Information gained about key/plaintext by
observing how long implementation takes to
decrypt on various ciphertexts
◦ No known useful attacks on DES
 Differential Cryptanalysis
◦ Observe how pairs of plaintext blocks evolve
◦ Break DES in 247 encryptions (compared to 255);
but require 247 chosen plaintexts
 Linear Cryptanalysis
◦ Find linear approximations of the transformations
◦ Break DES using 243 known plaintexts
 DES was designed in private; questions about
the motivation of the design
◦ S-Boxes provide non-linearity: important part of
DES, generally considered to be secure
◦ S-Boxes provide increased confusion
◦ Permutation P chosen to increase diffusion
 DES is vulnerable to brute force attack
 Alternative block cipher that makes use of
DES software/equipment/knowledge: encrypt
multiple times with different keys
 Options:
◦ 1. Double DES: not much better than single DES
◦ 2. Triple DES (3DES) with 2 keys: brute force 2112
◦ 3. Triple DES with 3 keys: brute force 2168
 For DES, 2 56-bit keys, meaning 112-bit key
length
 Requires 2111 operations for brute force?
 Meet-in-the-middle attack makes it easier
 2 keys, 112 bits
 3 keys, 168 bits
 Why E-D-E? To be compatible with single
DES:
 have considered:
◦ block vs stream ciphers
◦ Feistel cipher design & structure
◦ DES
 details
 strength
◦ Doupbe DES
◦ Triple DES