Chapter 3

Modern Cryptography
 Modern Block Ciphers
 now look at modern block ciphers
 one of the most widely used types of cryptographic algorithms
 provide secrecy /authentication services
 to illustrate block cipher design principles
 focus on DES (Data Encryption Standard)
 Block vs Stream Ciphers
block ciphers process messages in blocks, each
of which is then en/decrypted
like a substitution on very big characters
– 64-bits or more
stream ciphers process messages a bit or byte
at a time when en/decrypting
many current ciphers are block ciphers
broader range of applications
 Block Cipher Principles
most symmetric block ciphers are based on a Feistel
Cipher Structure
needed since must be able to decrypt ciphertext to
recover messages efficiently
block ciphers look like an extremely large
substitution
would need table of 264 entries for a 64-bit block
instead create from smaller building blocks
using idea of a product cipher
Ideal Block Cipher
 Claude Shannon and Substitution-
Permutation Ciphers
 Claude Shannon introduced idea of substitution-
permutation (S-P) networks in 1949 paper
 form basis of modern block ciphers
 S-P nets are based on the two primitive cryptographic
operations seen before:
 substitution (S-box)
 permutation (P-box)

 provide confusion and diffusion of message and key

 Confusion and Diffusion
cipher needs to completely obscure statistical
properties of original message
a one-time pad does this
more practically Shannon suggested
combining S & P elements to obtain:
diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
confusion – makes relationship between
ciphertext and key as complex as possible
 Feistel Cipher Structure
Horst Feistel devised the feistel cipher
partitions input block into two halves
process through multiple rounds which
perform a substitution on left data half
based on round function of right half and subkey
then have permutation swapping halves

implements Shannon’s S-P net concept

Feistel Cipher Structure
 Feistel Cipher Design Elements
block size
key size
number of rounds
sub key generation algorithm
round function
fast software en/decryption
ease of analysis
Feistel Cipher Decryption
 Data Encryption Standard (DES)
most widely used block cipher in world
adopted in 1977 by National Bureau of
Standards(NBS) (now NIST)
as Federal Information Processing Standard 46
(FIPS PUB 46)
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy over its
security
 DES History
IBM developed Lucifer cipher
by team led by Feistel in late 60’s
used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with
input from NSA and others
in 1973 NBS issued request for proposals for a
national cipher standard
IBM submitted their revised Lucifer which
was eventually accepted as the DES
 DES Design Controversy
although DES standard is public
was considerable controversy over design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis show in
fact design was appropriate
use of DES has flourished
especially in financial applications
still standardised for legacy application use
DES Encryption Overview
 Initial Permutation IP
first step of the data computation
IP reorders the input data bits
even bits to LH half, odd bits to RH half
quite regular in structure (easy in h/w)
• example:

IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

 Initial Permutation (IP)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
 Inverse Initial Permutation

40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
 DES Round Structure
uses two 32-bit L & R halves
as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
F takes 32-bit R half and 48-bit subkey:
expands R to 48-bits using perm E
adds to subkey using XOR
passes through 8 S-boxes to get 32-bit result
finally permutes using 32-bit perm P
 Expansion Permutation (E)

32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1
 Permutation Function (P)

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
S- box
 Permuted Choice One (PC-1)

57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
 Permuted Choice Two (PC-2)

14 17 11 24 1 5 3 28
15 6 21 10 23 19 12 4
26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
DES Round Structure
 Substitution Boxes S
have eight S-boxes which map 6 to 4 bits
each S-box is actually 4 little 4 bit boxes
outer bits 1 & 6 (row bits) select one row of 4
inner bits 2-5 (col bits) are substituted
result is 8 lots of 4 bits, or 32 bits
row selection depends on both data & key
feature known as autoclaving (autokeying)
• example:
– S(18 09 12 3d 11 17 38 39) = 5fd25e03
 DES Key Schedule
forms subkeys used in each round
initial permutation of the key (PC1) which selects 56-
bits in two 28-bit halves
16 stages consisting of:
• rotating each half separately either 1 or 2 places depending
on the key rotation schedule K
• selecting 24-bits from each half & permuting them by PC2
for use in round function F
 DES Decryption
decrypt must unwind steps of data computation
with Feistel design, do encryption steps again using
subkeys in reverse order (SK16 … SK1)
 IP undoes final FP step of encryption
 1st round with SK16 undoes 16th encrypt round
 ….
 16th round with SK1 undoes 1st encrypt round
 then final FP undoes initial encryption IP
 thus recovering original data value
 Avalanche Effect
• key desirable property of encryption alg
• where a change of one input or key bit results
in changing approx half output bits
• making attempts to “home-in” by guessing
keys impossible
• DES exhibits strong avalanche
 Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
• must now consider alternatives to DES
 Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
 Differential Cryptanalysis
• one of the most significant recent (public)
advances in cryptanalysis
• known by NSA in 70's cf DES design
• Murphy, Biham & Shamir published in 90’s
• powerful method to analyse block ciphers
• used to analyse most current block ciphers
with varying degrees of success
• DES reasonably resistant to it, cf Lucifer
 Differential Cryptanalysis
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function
f influenced by both input & key
• hence cannot trace values back through cipher
without knowing value of the key
• differential cryptanalysis compares two
related pairs of encryptions
 Differential Cryptanalysis Compares Pairs
of Encryptions
• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used
 Differential Cryptanalysis
• have some input difference giving some
output difference with probability p
• if find instances of some higher probability
input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds
(with decreasing probabilities)
 Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing
probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with 243 known plaintexts,
easier but still in practise infeasible
 Block Cipher Design
• basic principles still like Feistel’s in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
– have issues of how S-boxes are selected
• key schedule
– complex subkey creation, key avalanche
 Summary
• have considered:
– block vs stream ciphers
– Feistel cipher design & structure
– DES
• details
• strength
– Differential & Linear Cryptanalysis
– block cipher design principles
 Modular Arithmetic
• define modulo operator “a mod n” to be
remainder when a is divided by n
• use the term congruence for: a = b mod n
– when divided by n, a & b have same remainder
– eg. 100 = 34 mod 11
• b is called a residue of a mod n
– since with integers can always write: a = qn + b
– usually chose smallest positive remainder as residue
• ie. 0 <= b <= n-1
– process is known as modulo reduction
• eg. -12 mod 7 = -5 mod 7 = 2 mod 7 = 9 mod 7
 Divisors
• say a non-zero number b divides a if for some
m have a=mb (a,b,m all integers)
• that is b divides into a with no remainder
• denote this b|a
• and say that b is a divisor of a
• eg. all of 1,2,3,4,6,8,12,24 divide 24
 Modular Arithmetic Operations
• is 'clock arithmetic'
• uses a finite number of values, and loops back
from either end
• modular arithmetic is when do addition &
multiplication and modulo reduce answer
• can do reduction at any point, ie
– a+b mod n = [a mod n + b mod n] mod n
 Modular Arithmetic
• can do modular arithmetic with any group of
integers: Zn = {0, 1, … , n-1}
• form a commutative ring for addition
• with a multiplicative identity
• note some peculiarities
– if (a+b)=(a+c) mod n
then b=c mod n
– but if (a.b)=(a.c) mod n
then b=c mod n only if a is relatively prime to n
Modulo 8 Addition Example
+ 0 1 2 3 4 5 6 7
0 0 1 2 3 4 5 6 7
1 1 2 3 4 5 6 7 0
2 2 3 4 5 6 7 0 1
3 3 4 5 6 7 0 1 2
4 4 5 6 7 0 1 2 3
5 5 6 7 0 1 2 3 4
6 6 7 0 1 2 3 4 5
7 7 0 1 2 3 4 5 6
 Greatest Common Divisor (GCD)
• a common problem in number theory
• GCD (a,b) of a and b is the largest number that
divides evenly into both a and b
– eg GCD(60,24) = 12
• often want no common factors (except 1) and
hence numbers are relatively prime
– eg GCD(8,15) = 1
– hence 8 & 15 are relatively prime
 Euclidean Algorithm
• an efficient way to find the GCD(a,b)
• uses theorem that:
– GCD(a,b) = GCD(b, a mod b)
• Euclidean Algorithm to compute GCD(a,b) is:
EUCLID(a,b)
1. A = a; B = b
2. if B = 0 return A = gcd(a, b)
3. R = A mod B
4. A = B
5. B = R
6. goto 2
 Example GCD(1970,1066)
1970 = 1 x 1066 + 904 gcd(1066, 904)
1066 = 1 x 904 + 162 gcd(904, 162)
904 = 5 x 162 + 94 gcd(162, 94)
162 = 1 x 94 + 68 gcd(94, 68)
94 = 1 x 68 + 26 gcd(68, 26)
68 = 2 x 26 + 16 gcd(26, 16)
26 = 1 x 16 + 10 gcd(16, 10)
16 = 1 x 10 + 6 gcd(10, 6)
10 = 1 x 6 + 4 gcd(6, 4)
6 = 1 x 4 + 2 gcd(4, 2)
4 = 2 x 2 + 0 gcd(2, 0)
 Prime Numbers
• prime numbers only have divisors of 1 and self
– they cannot be written as a product of other numbers
– note: 1 is prime, but is generally not of interest
• eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
• prime numbers are central to number theory
• list of prime number less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59
61 67 71 73 79 83 89 97 101 103 107 109 113 127
131 137 139 149 151 157 163 167 173 179 181 191
193 197 199
 Prime Factorisation
• to factor a number n is to write it as a product
of other numbers: n=a x b x c
• note that factoring a number is relatively hard
compared to multiplying the factors together
to generate the number
• the prime factorisation of a number n is when
its written as a product of primes
– eg. 91=7x13 ; 3600=24x32x52
 Relatively Prime Numbers & GCD
• two numbers a, b are relatively prime if have no
common divisors apart from 1
– eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8
and of 15 are 1,3,5,15 and 1 is the only common factor
• conversely can determine the greatest common
divisor by comparing their prime factorizations and
using least powers
– eg. 300=21x31x52 18=21x32 hence
GCD(18,300)=21x31x50=6
 Euler Totient Function ø(n)
• when doing arithmetic modulo n
• complete set of residues is: 0..n-1
• reduced set of residues is those numbers (residues)
which are relatively prime to n
– eg for n=10,
– complete set of residues is {0,1,2,3,4,5,6,7,8,9}
– reduced set of residues is {1,3,7,9}
• number of elements in reduced set of residues is
called the Euler Totient Function ø(n)
 Euler Totient Function ø(n)
• to compute ø(n) need to count number of
residues to be excluded
• in general need prime factorization, but
– for p (p prime) ø(p) = p-1
– for p.q (p,q prime) ø(pq) =(p-1)x(q-1)
• eg.
ø(37) = 36
ø(21) = (3–1)x(7–1) = 2x6 = 12
 Euler's Theorem
• a generalisation of Fermat's Theorem
• aø(n) = 1 (mod n)
– for any a,n where gcd(a,n)=1
• eg.
a=3;n=10; ø(10)=4;
hence 34 = 81 = 1 mod 10
a=2;n=11; ø(11)=10;
hence 210 = 1024 = 1 mod 11