
Block Cipher

The document discusses the principles of block ciphers, particularly the Feistel structure, and the Data Encryption Standard (DES), which was developed in the 1970s and widely adopted for secure data encryption. It outlines the encryption process, modes of use, and limitations of DES, including its susceptibility to exhaustive key search due to its 56-bit key length. Additionally, it covers design principles, key scheduling, and potential improvements such as Triple DES for enhanced security.

Uploaded by

Subrata Nandi
Copyright
© All Rights Reserved

MODULE - II

BLOCK CIPHER PRINCIPLES


Virtually all symmetric block encryption algorithms in current use are based on a structure referred
to as a Feistel block cipher. For that reason, it is important to examine the design principles of the
Feistel cipher. We begin with a comparison of stream ciphers with block ciphers.
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time, e.g. the Vigenère
cipher. A block cipher is one in which a block of plaintext is treated as a whole and used to
produce a ciphertext block of equal length. Typically a block size of 64 or 128 bits is used.

Block cipher principles


• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of 2^64 entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher
• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks, called modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
o substitution (S-box)
o permutation (P-box)
• provide confusion and diffusion of message
o diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
o confusion – makes relationship between ciphertext and key as complex as possible

DATA ENCRYPTION STANDARD (DES)

In May 1973, and again in Aug 1974, the NBS (now NIST) called for possible encryption algorithms
for use in unclassified government applications. The response was mostly disappointing; however, IBM
submitted their Lucifer design. Following a period of redesign and comment it became the Data
Encryption Standard (DES).
It was adopted as a (US) federal standard in Nov 76, published by NBS as a hardware only scheme
in Jan 77, and by ANSI for both hardware and software standards in ANSI X3.92-1981 (also X3.106-1983
modes of use). Subsequently it has been widely adopted and is now published in many standards
around the world, cf. Australian Standard AS2805.5-1985.

One of the largest users of the DES is the banking industry, particularly with EFT and EFTPOS.
It is for this use that the DES has primarily been standardized, with ANSI having twice reconfirmed
its recommended use for 5 year periods; a further extension is not expected, however. Although the
standard is public, the design criteria used are classified and have yet to be released. There has been
considerable controversy over the design, particularly in the choice of a 56-bit key.
• recent analysis has shown despite this that the choice was appropriate, and that DES is well
designed

• rapid advances in computing speed though have rendered the 56 bit key susceptible to
exhaustive key search, as predicted by Diffie & Hellman

• the DES has also been theoretically broken using a method called Differential
Cryptanalysis, however in practice this is unlikely to be a problem (yet)

Overview of the DES Encryption Algorithm

• the basic process in enciphering a 64-bit data block using the DES consists of:

o an initial permutation (IP)


o 16 rounds of a complex key dependent calculation f
o a final permutation, being the inverse of IP
• in more detail the 16 rounds of f consist of:
• this can be described functionally as

L(i) = R(i-1)
R(i) = L(i-1) (+) P(S( E(R(i-1))(+) K(i) ))

and forms one round in an S-P network

• the subkeys used by the 16 rounds are formed by the key schedule which consists of:
o an initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
o 16 stages consisting of
  - selecting 24-bits from each half and permuting them by PC2 for use in function f,
  - rotating each half either 1 or 2 places depending on the key rotation schedule KS
• this can be described functionally as:
K(i) = PC2(KS(PC1(K),i))
• the key rotation schedule KS is specified as:
Round      1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
KS         1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
Total Rot  1  2  4  6  8 10 12 14 15 17 19 21 23 25 27 28
• more details on the various DES functions can be found in your textbooks
• following is a walk-through of a DES encryption calculation taken from:
H Katzan, "The Standard Data Encryption Algorithm", Petrocelli Books, New York, 1977

DES Modes of Use


• DES encrypts 64-bit blocks of data, using a 56-bit key
• we need some way of specifying how to use it in practice, given that we usually have an
arbitrary amount of information to encrypt

• the way we use a block cipher is called its Mode of Use and four have been defined for the
DES by ANSI in the standard (ANSI X3.106-1983 Modes of Use)

• modes are either:


Block Modes
Splits messages in blocks (ECB, CBC)

Electronic Codebook (ECB)
- Where the message is broken into independent 64-bit blocks which are encrypted
C_(i) = DES_(K1) (P_(i))

Cipher Block Chaining (CBC)
- Again the message is broken into 64-bit blocks, but they are linked together in the encryption
operation with an IV
C_(i) = DES_(K1) (P_(i)(+)C_(i-1))    C_(-1)=IV

Stream Modes
On bit stream messages (CFB, OFB)

Cipher Feedback (CFB)
- Where the message is treated as a stream of bits, added to the output of the DES, with the result
being fed back for the next stage
C_(i) = P_(i)(+) DES_(K1) (C_(i-1))    C_(-1)=IV

Output Feedback (OFB)
- Where the message is treated as a stream of bits, added to the output of the DES, but with the feedback
being independent of the message
C_(i) = P_(i)(+) O_(i)    O_(i) = DES_(K1)(O_(i-1))    O_(-1)=IV

• each mode has its advantages and disadvantages

Limitations of Various Modes

ECB
• repetitions in message can be reflected in ciphertext
o if aligned with message block
o particularly with data such as graphics
o or with messages that change very little, which become a code-book analysis
problem
• weakness is because enciphered message blocks are independent of each other

CBC
• use result of one encryption to modify input of next
o hence each ciphertext block is dependent on all message blocks before it
o thus a change in the message affects the ciphertext block after the change as well as
the original block
• to start need an Initial Value (IV) which must be known by both sender and receiver
o however if IV is sent in the clear, an attacker can change bits of the first block, and
change IV to compensate
o hence either IV must be a fixed value (as in EFTPOS) or it must be sent
encrypted in ECB mode before rest of message
• also at the end of the message, have to handle a possible last short block
o either pad last block (possibly with count of pad size), or use some fiddling to
double up last two blocks
o see Davies for examples
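The Feistel round equations L(i) = R(i-1), R(i) = L(i-1) (+) f(K(i), R(i-1)) and the ECB and CBC behaviour described above can be tried out with a small stand-in cipher. This is an added example, not part of the original notes: the round function f, the key schedule, and the names KEY, IV and MSG are assumptions (a SHA-256 based toy, not DES), and messages are assumed to be a whole number of 8-byte blocks.

```python
import hashlib

def round_keys(key):
    # Toy key schedule (assumption, not DES): 16 hash-derived 4-byte subkeys.
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(16)]

def f(subkey, right):
    # Toy round function standing in for P(S(E(R(i-1)) (+) K(i))).
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, keys):
    # L(i) = R(i-1);  R(i) = L(i-1) (+) f(K(i), R(i-1)); halves swap at the end.
    left, right = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in keys:
        left, right = right, left ^ f(k, right)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    # Same network with the subkeys reversed: f itself is never inverted.
    return feistel(block, round_keys(key)[::-1])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + 8] for i in range(0, len(data), 8)]

def ecb_encrypt(msg, key):
    return b"".join(encrypt_block(p, key) for p in blocks(msg))

def cbc_encrypt(msg, key, iv):
    out, prev = [], iv
    for p in blocks(msg):
        prev = encrypt_block(xor(p, prev), key)  # C(i) = E(P(i) (+) C(i-1))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

KEY, IV = b"demo-key", bytes(8)        # constructed sample values
MSG = b"PAY 100." * 2 + b"PAY 999."     # constructed: the first two blocks repeat
```

ecb_encrypt(MSG, KEY) yields identical first and second ciphertext blocks while cbc_encrypt does not, and decrypting the CBC output with an IV that differs in some bits changes exactly those bits of the first plaintext block, which is why the notes require the IV to be fixed or sent protected.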


CFB
• when data is bit or byte oriented, want to operate on it at that level, so use a stream mode

• the block cipher is used in encryption mode at both ends, with input being a fed-back
copy of the ciphertext
• can vary the number of bits fed back, trading off efficiency for ease of use

• again errors propagate for several blocks after the error


OFB
• also a stream mode, but intended for use where the error feedback is a problem, or where
the encryptions want to be done before the message is available

• is superficially similar to CFB, but the feedback is from the output of the block cipher and
is independent of the message, a variation of a Vernam cipher

• again an IV is needed
• sender and receiver must remain in sync, and some recovery method is needed to ensure
this occurs

• although originally specified with varying m-bit feedback in the standards, subsequent
research has shown that only 64-bit OFB should ever be used (and this is the most efficient use
anyway), see
D Davies, G Parkin, "The Average Cycle Size of the Key Stream in Output Feedback Encipherment"
in Advances in Cryptology - Crypto 82, Plenum Press, 1982, pp97-98

DES Weak Keys


• with many block ciphers there are some keys that should be avoided, because of reduced
cipher complexity
• these keys are such that the same sub-key is generated in more than one round, and they
include:

Weak Keys
• the same sub-key is generated for every round

• DES has 4 weak keys

Semi-Weak Keys
• only two sub-keys are generated on alternate rounds

• DES has 12 of these (in 6 pairs)


Demi-Semi Weak Keys
• have four sub-keys generated

• none of these cause a problem since they are a tiny fraction of all available keys

• however they MUST be avoided by any key generation program

DES Design Principles


Although the standard for DES is public, the design criteria used are classified and have yet to be
released. Some information is known, and more has been deduced:

L P Brown, "A Proposed Design for an Extended DES", in Computer Security in the Age of
Information, W. J. Caelli (ed), North-Holland, pp 9-22, 1989

L P Brown, J R Seberry, "On the Design of Permutation Boxes in DES Type Cryptosystems", in
Advances in Cryptology - Eurocrypt '89, Lecture Notes in Computer Science, vol 434, pp 696-705,
J.J. Quisquater, J. Vanderwalle (eds), Springer-Verlag, Berlin, 1990.

L P Brown and J R Seberry, "Key Scheduling in DES Type Cryptosystems," in Advances in
Cryptology - Auscrypt '90, Lecture Notes in Computer Science, vol 453, pp 221-228, J. Seberry, J.
Pieprzyk (eds), Springer-Verlag, Berlin, 1990.

will briefly overview the basic results; for more detailed analyses see the above papers

DES S-Box Design Criteria


Each S-box may be considered as four substitution functions
o these 1-1 functions map inputs 2,3,4,5 onto output bits
o a particular function is selected by bits 1,6
o this provides an autoclave feature

DES Design Criteria
• there were 12 criteria used, resulting in about 1000 possible S-Boxes, of which the implementers chose 8
• these criteria are CLASSIFIED SECRET
• however, some of them have become known
• The following are design criteria:

R1: Each row of an S-box is a permutation of 0 to 15
R2: No S-Box is a linear or affine function of the input
R3: Changing one input bit to an S-box results in changing at least two output bits
R4: S(x) and S(x+001100) must differ in at least 2 bits

• The following are said to be caused by design criteria

R5: S(x) ≠ S(x+11ef00) for any choice of e and f
R6: The S-boxes were chosen to minimize the difference between the number of 1's and 0's in any
S-box output when any single input is held constant
R7: The S-boxes chosen require significantly more minterms than a random choice would require
(Meyer Tables 3-17, 3-18)

DES Permutation Tables


• there are 5 Permutations used in DES:

o IP and IP^(-1) , P, E, PC1, PC2


• their design criteria are CLASSIFIED SECRET

• it has been noted that IP and IP^(-1) and PC1 serve no cryptological function when DES
is used in ECB or CBC modes, since searches may be done in the space generated after they have
been applied
• E, P, and PC2 combined with the S-Boxes must supply the required dependence of the
output bits on the input bits and key bits (avalanche and completeness effects)

Ciphertext Dependence on Input and Key


• the role of P, E, and PC2 is to distribute the outputs of the S-boxes so that each output bit
becomes a function of all the input bits in as few rounds as possible

• Carl Meyer (in Meyer 1978, or Meyer & Matyas 1982) performed this analysis on the current
DES design

Ciphertext dependence on Plaintext


• define G_(i,j) a 64*64 array which shows the dependence of output bits X(j) on input bits
X(i)

• examine G_(0,j) to determine how fast complete dependence is achieved

• to build G_(0,1) use the following


L(i) = R(i-1)
R(i) = L(i-1) (+) f( K(i), R(i-1))

• DES P reaches complete dependence after 5 rounds


Ciphertext dependence on Key

• Carl Meyer also performed this analysis


• define F_(i,j) a 64*56 array which shows the dependence of output bits X(j) on key bits
U(i) (after PC1 is used)
• examine F_(0,j) to determine how fast complete dependence is achieved

• DES PC2 reaches complete dependence after 5 rounds

Key Scheduling and PC2


• Key Schedule

o is a critical component in the design


o must provide different keys for each round, otherwise security may be compromised
(see Grossman & Tuckerman 1978)

o current scheme can result in weak keys which give the same, 2 or 4 keys over the
16 rounds

• Key Schedule and PC-2 Design


o is performed in two 28-bit independent halves
o C-side provides keys to S-boxes 1 to 4
o D-side provides keys to S-boxes 5 to 8
o the rotations are used to present different bits of the key for selection on successive
rounds

o PC-2 selects key-bits and distributes them over the S-box inputs

Possible Techniques for Improving DES
• multiple enciphering with DES
• extending DES to 128-bit data paths and 112-bit keys

• extending the Key Expansion calculation

Triple DES
• DES variant

• standardised in ANSI X9.17 & ISO 8732 and in PEM for key management

• proposed for general EFT standard by ANSI X9


• backwards compatible with many DES schemes

• uses 2 or 3 keys
C = DES_(K1)(DES^(-1)_(K2)(DES_(K1)(P)))
• no known practical attacks
o brute force search impossible
o meet-in-the-middle attacks need 2^(56) PC pairs per key
• popular current alternative
