IS Lecture4
Information Security Sufyan Al-Janabi 2015
Lecture Goals
1. To introduce the notion of a block cipher in the
modern context.
2. To introduce the notion of the Feistel Cipher
Structure
3. To go over DES, the Data Encryption Standard
Stream Ciphers
A stream cipher is one that encrypts a digital data
stream one bit or one byte at a time. Examples of
classical stream ciphers are the autokeyed Vigenère
cipher and the Vernam cipher.
For practical reasons, the bit-stream generator must be
implemented as an algorithmic procedure, so that the
cryptographic bit stream can be produced by both
users. In this approach (see next Figure), the bit-stream
generator is a key-controlled algorithm and must
produce a bit stream that is cryptographically strong.
The two users need only share the generating key, and
each can produce the keystream.
Block Ciphers
A block cipher is one in which a block of plaintext is
treated as a whole and used to produce a ciphertext
block of equal length. Typically, a block size of 64 or
128 bits is used. As with a stream cipher, the two users
share a symmetric encryption key (see next Figure).
Using some of the modes of operation (explained
later), a block cipher can be used to achieve the same
effect as a stream cipher.
Far more effort has gone into analyzing block ciphers.
In general, they seem applicable to a broader range of
applications than stream ciphers.
The Feistel Structure for Block
Ciphers (1)
Named after the IBM cryptographer Horst Feistel and
first implemented in the Lucifer cipher by Horst
Feistel and Don Coppersmith.
A cryptographic system based on Feistel structure uses
the same basic algorithm for both encryption and
decryption.
As shown in the next Figure, the Feistel structure
consists of multiple rounds of processing of the
plaintext, with each round consisting of a substitution
step followed by a permutation step.
The Feistel Structure for Block
Ciphers (2)
The input block to each round is divided into two
halves that we can denote L and R for the left half
and the right half.
In each round, the right half of the block, R, goes
through unchanged. But the left half, L, goes through
an operation that depends on R and the encryption
key.
The permutation step at the end of each round consists
of swapping the modified L and R. Therefore, the L for
the next round would be R of the current round. And R
for the next round would be the output L of the current round.
Mathematical Description of Each Round
in the Feistel Structure (1)
Let LEi and REi denote the output half-blocks at the end
of the ith round of processing. The letter 'E' denotes
encryption.
We obviously have
Mathematical Description of Each Round
in the Feistel Structure (2)
Decryption in Ciphers Based on the
Feistel Structure (1)
As shown in the next Figure, the decryption algorithm
is exactly the same as the encryption algorithm with
the only difference that the round keys are used in the
reverse order.
The output of each round during decryption is the input
to the corresponding round during encryption. This
property holds true regardless of the choice of the
Feistel function F.
To prove the above claim, let LDi and RDi denote the
left half and the right half of the output of the ith round.
Decryption in Ciphers Based on the
Feistel Structure (2)
Decryption in Ciphers Based on the
Feistel Structure (3)
We can write the following equations for the output of
the first decryption round
This shows that the output of the first round of decryption is the
same as the input to the last stage of the encryption round since
we have LD1 = RE15 and RD1 = LE15
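The claim above, checked in code as an added example that is not part of the original lecture: a 16-round Feistel network whose decryption is the same routine run with the round keys reversed. The round function `toy_f` and the round keys in `KEYS` are assumptions made up for the illustration; they are not DES.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def toy_f(half, round_key):
    """Hypothetical round function; it is not invertible, which is the point."""
    digest = hashlib.sha256(half.to_bytes(4, "big") + round_key).digest()
    return int.from_bytes(digest[:4], "big")

def round_states(block64, round_keys, f=toy_f):
    """Return [(L0, R0), (L1, R1), ...] for every round of the network."""
    left, right = block64 >> 32, block64 & MASK32
    states = [(left, right)]
    for key in round_keys:
        # R passes through unchanged and becomes the next L;
        # L is XORed with F(R, K) and becomes the next R (the swap).
        left, right = right, left ^ f(right, key)
        states.append((left, right))
    return states

def feistel(block64, round_keys, f=toy_f):
    """Run all rounds, then swap the halves so the same routine decrypts."""
    left, right = round_states(block64, round_keys, f)[-1]
    return (right << 32) | left

def encrypt(block64, round_keys, f=toy_f):
    return feistel(block64, round_keys, f)

def decrypt(block64, round_keys, f=toy_f):
    return feistel(block64, round_keys[::-1], f)  # only the key order changes

# Constructed round keys: 16 keys of 48 bits each (not a real key schedule).
KEYS = [bytes([i]) * 6 for i in range(1, 17)]

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, KEYS)
    enc = round_states(pt, KEYS)
    dec = round_states(ct, KEYS[::-1])
    print(hex(ct), hex(decrypt(ct, KEYS)))
    print(dec[1] == (enc[15][1], enc[15][0]))  # LD1 = RE15, RD1 = LE15
```

Because F is only ever XORed in and never inverted, the round trip also holds for a constant or otherwise degenerate F; such an F simply gives no security.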
Decryption in Ciphers Based on the
Feistel Structure (4)
Feistel Network Parameters
1. Block size: Larger block sizes mean greater security but
reduced encryption/decryption speed for a given algorithm.
2. Key size: Larger key size means greater security but may
decrease encryption/decryption speed.
3. Number of rounds: The essence of the Feistel cipher is that
a single round offers inadequate security but that multiple
rounds offer increasing security.
4. Subkey generation algorithm: Greater complexity in this
algorithm should lead to greater difficulty of cryptanalysis.
5. Round function F : Again, greater complexity generally
means greater resistance to cryptanalysis.
The F Function
1. The heart of a Feistel block cipher is the function F,
which provides the element of confusion (to be
explained later) in a Feistel cipher.
2. Thus, it must be difficult to “unscramble” the
substitution performed by F.
3. One obvious criterion is that F be nonlinear. The
more nonlinear F, the more difficult any type of
cryptanalysis will be.
DES: The Data Encryption
Standard (1)
Adopted by NIST in 1977.
Based on a cipher (Lucifer) developed earlier by IBM.
DES uses the Feistel cipher structure with 16 rounds of
processing.
DES uses a 56-bit encryption key. (The key size was
apparently dictated by the memory and processing
constraints imposed by a single-chip implementation of
the algorithm for DES.)
The key itself is specified with 8 bytes, but one bit of
each byte is used as a parity check.
DES (2)
DES encryption was broken in 1999 by Electronics
Frontiers Organization. This resulted in NIST issuing a
new directive that year that required organizations to use
Triple DES, that is three consecutive applications of
DES.
That DES was found to be not as strong as originally
believed also prompted NIST to initiate the development
of new standards for data encryption in 2001. The result
is AES (Advanced Encryption Standard).
Triple DES continues to enjoy wide usage in commercial
applications. To understand Triple DES, you must first
understand the basic DES encryption.
DES (3)
As mentioned, DES uses the Feistel structure with 16
rounds.
What is specific to DES is:
1. the implementation of the F function in the
algorithm
2. and how the round keys are derived from the main
encryption key.
The round keys are generated from the main key by a
sequence of permutations. Each round key is 48 bits in
length.
The figure on the next page shows the general description
of the DES encryption process.
DES Round Key Generation Algorithm
DES Decryption
1. As with any Feistel cipher, decryption uses the same
algorithm as encryption, except that the application
of the subkeys is reversed.
One Round of Processing in DES (1)
The next Figure shows a single round of processing in DES.
The dotted rectangle constitutes the F function.
The 32-bit right half of the 64-bit input data block is
expanded into a 48-bit block. This is referred to as
the expansion permutation step (E-step).
The above-mentioned E-step entails the following:
1. first divide the 32-bit block into eight 4-bit words
2. attach an additional bit on the left to each 4-bit word
that is the last bit of the previous 4-bit word
3. attach an additional bit to the right of each 4-bit
word that is the beginning bit of the next 4-bit word.
One Round of DES (with round key generation)
One Round of Processing in DES (2)
Note that what gets prefixed to the first 4-bit block is
the last bit of the last 4-bit block. By the same token,
what gets appended to the last 4-bit block is the first bit
of the first 4-bit block.
The 56-bit key is divided into two halves, each half
shifted separately, and the combined 56-bit key
permuted/contracted to yield a 48-bit round key.
The 48 bits of the expanded output produced by the E-step
are XORed with the round key. This is referred to
as key mixing.
Expansion permutation step (E-step)
One Round of Processing in DES (3)
The output produced by the previous step is broken into
eight six-bit words. Each six-bit word goes through a
substitution step; its replacement is a 4-bit word. The
substitution is carried out with an S-box.
So after all the substitutions, we again end up with a
32-bit word.
The 32-bits of the previous step then go through a
P-box based permutation, to be shown later.
What comes out of the P-box is then XORed with the
left half of the 64-bit block that we started out with. The
output of this XORing operation gives us the right half
block for the next round.
One Round of Processing in DES (4)
Note that the goal of the substitution step implemented
by the S-box is to introduce diffusion in the generation
of the output from the input. Diffusion means that each
plaintext bit must affect as many ciphertext bits as
possible.
The strategy used for creating the different round keys
from the main key is meant to introduce confusion into
the encryption process. Confusion in this context
means that the relationship between the encryption
key and the ciphertext must be as complex as possible.
Diffusion and confusion are the two cornerstones of
block cipher design.
The S-box Step in Each Round (1)
As shown in the next Figure, the 48-bit input word is
divided into eight 6-bit words and each 6-bit word fed
into a separate S-box. Each S-box produces a 4-bit
output. Therefore, the 8 S-boxes together generate a
32-bit output. As you can see, the overall substitution step
takes the 48-bit input back to a 32-bit output.
Each of the eight S-boxes consists of a 4 × 16 table
lookup for an output 4-bit word. The first and the last bit
of the 6-bit input word are decoded into one of 4 rows
and the middle 4 bits into one of 16 columns for the
table lookup.
The S-box Step in Each Round (2)
The goal of the substitution carried out by an S-box is
to enhance diffusion.
As mentioned previously, the expansion-permutation
step (the E-step) expands a 32-bit block into a 48-bit
block by attaching a bit at the beginning and a bit at the
end of each 4-bit sub-block; the two bits needed for
these attachments belong to the adjacent blocks.
Thus, the row lookup for each of the eight S-boxes
becomes a function of the input bits for the previous
S-box and the next S-box.
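The E-step and the S-box row/column decoding described above, as an added example that is not part of the original lecture. `S1` is the first standard DES substitution table; the function names and the sample inputs are constructed for the illustration.

```python
# S1: the first standard DES S-box, 4 rows x 16 columns.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def e_step(r32):
    """Expand a 32-bit half block to 48 bits using the three steps of the E-step."""
    words = [(r32 >> (28 - 4 * i)) & 0xF for i in range(8)]  # eight 4-bit words
    out = 0
    for i, w in enumerate(words):
        left = words[(i - 1) % 8] & 1          # last bit of previous word (wraps)
        right = (words[(i + 1) % 8] >> 3) & 1  # first bit of next word (wraps)
        out = (out << 6) | (left << 5) | (w << 1) | right
    return out

def sbox_index(six):
    """Decode a 6-bit word: first and last bit give the row, middle four the column."""
    row = ((six >> 5) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return row, col

def s1_lookup(six):
    """4-bit output of S1 for a 6-bit input word."""
    row, col = sbox_index(six)
    return S1[row][col]

def sbox_inputs(r32, round_key48=0):
    """(row, column) seen by each of the eight S-boxes after key mixing."""
    mixed = e_step(r32) ^ round_key48
    return [sbox_index((mixed >> (42 - 6 * i)) & 0x3F) for i in range(8)]

if __name__ == "__main__":
    # Constructed input: only the last bit of the first 4-bit word is set.
    # It selects a column in the first S-box and a row in the second.
    print(sbox_inputs(0x10000000))
    print(format(s1_lookup(0b011011), "04b"))
```

With a zero round key, the single set bit changes the column of the first S-box and the row of the second, which is the neighbour dependence the slide describes.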
The Substitution Tables
One can similarly specify tables for the other six substitution
boxes (S3, … , S8).
The P-box Permutation in the F Function
Round Key Generation
1. The initial 56-bit key may be represented as 8 bytes, with the last
bit of each byte used as a parity bit.
2. The relevant 56 bits are subject to a permutation at the beginning
before any round keys are generated. This is our Permutation
Choice 1.
3. At the beginning of each round, we divide the 56 relevant key
bits into two 28-bit halves and circularly shift each half by one or
two bits.
4. To generate the round key, we join together the two halves and
apply a 56-bit to 48-bit contracting permutation (Permutation
Choice 2) to the joined bit pattern. The resulting 48 bits constitute
our round key.
5. The two halves generated in each round are fed as the two halves
going into the next round.
Initial Permutation of the Encryption Key
Note that the bit positions assume that the key bits are addressed 1
through 64 in an 8-byte bit pattern. But note that the last bit of each byte
is used as a parity bit. Also note that the permutation shown is not a table,
in the sense that the rows and the columns do not carry any special and
separate meanings. The permutation order for the bits is given by reading
the entries shown from the upper left corner to the lower right corner.
Contraction-permutation that Generates
the 48-bit Round Key from the 56-bit Key
Also note that the permutation shown is not a table, in the sense that
the rows and the columns do not carry any special and separate
meanings. The permutation order for the bits is given by reading the
entries shown from the upper left corner to the lower right corner.
Security of DES (1)
The substitution step is very effective as far as diffusion
is concerned. It has been shown that if you change just
one bit of the 64-bit input data block, on the average that
alters 34 bits of the ciphertext block.
The manner in which the round keys are generated from
the encryption key is also very effective as far as
confusion is concerned. It has been shown that if you
change just one bit of the encryption key, on the average
that changes 35 bits of the ciphertext.
Both effects mentioned above are referred to as the
avalanche effect.
Security of DES (2)
And, of course, the 56-bit encryption key means a key
space of size 2^56 ≈ 7.2×10^16.
Assuming that, on the average, you'd need to try half the
keys in a brute-force attack, a machine trying one key
per microsecond would take 1142 years to break the
code.
However, a parallel-processing machine trying 1 million
keys simultaneously would need only about 10 hours.
Security of DES (3)
In the design of the DES, the S-boxes were tuned to
enhance the resistance of DES to what is known as the
differential cryptanalysis attack. Even a slight
modification of the S-boxes can weaken DES against the
differential cryptanalysis attack.
Finally . . .
Acknowledgment: These lecture notes are based on
the textbook by William Stallings and notes prepared
by Avinash Kak, Purdue University. My sincere thanks
are devoted to them and to all other people who
offered the material on the web.
Students are advised to study and solve the problems
and answer the questions in Assignment-4.
Students are also advised to read the following:
1. The appendix on Simplified DES (S-DES)
2. Tutorial by Howard Heys on differential cryptanalysis