Block Ciphers and Data

Encryption Standard
(Class-L8, L18, L9,L10 )
Algorithm Types
It defines what size of plain text
should be encrypted in each step of
algorithm

Stream Cipher
Block Cipher
Stream Cipher
Plaintext is encrypted one bit at a time
Suppose message is Pay 101 in ASCII
In binary it can be a series of 1 and 0;
Every bit will be applied with a encryption
algorithms
Let Say binary data is 10010101
Apply XOR with a key operation will get a cipher
text
Block Ciphers
A block of bits is encrypted at one go
Suppose a plaint text is
FOUR_AND_FOUR
It can be encrypted in blocks of
FOUR, _AND_, and FOUR

How to use a block cipher?
Block ciphers encrypt fixed size blocks
E.g. DES encrypts 64-bit blocks
We need some way to encrypt a message of
arbitrary length
E.g. a message of 1000 bytes
NIST defines five ways to do it
Called modes of operations





5
Algorithm Modes (L18)
It is a combination of a series of the
basic algorithm steps on block cipher
and kind of feedback from the
previous steps
Five Modes of Operation
Electronic codebook mode (ECB)
Cipher block chaining mode (CBC) most
popular
Output feedback mode (OFB)
Cipher feedback mode (CFB)
Counter mode (CTR)





7
Electronic Code Book
(ECB)
The plaintext is broken into blocks, P
1
, P
2
, P
3
, ...
Each block contains 64 bits each
Each block is encrypted independently of the other
blocks
For all blocks in a message, the same key is used
for encryption
At the Receiver end, the incoming data is divided
into 64-bit blocks and used the same key for
decryption

8
Remarks on ECB
Strength: its simple.
Weakness:
Repetitive information contained in the
plaintext may show in the ciphertext, if
aligned with blocks.
If the same message (e.g., an SSN) is
encrypted (with the same key) and sent
twice, their cipher texts are the same.
Typical application: secure transmission of
short pieces of information

9
Cipher Block Chaining
(CBC)
( )
( )
1 2 3
1
The plaintext is broken into blocks: , , , ...
Each plaintext block is XORed chained with the previous
ciphertext block before encryption (hence the name):
E

i K i i
P P P
C C P

-
-
=
( )
0
1
IV
Use an Initial Vector IV to start the process.
Decryption : D ( )
Application : general block-oriented transmission.
i i K i
C
P C C

=
-
- =
-
10
Cipher Block Chaining (CBC)
11
Remarks on CBC

The encryption of a block depends on the
current and all blocks before it.
So, repeated plaintext blocks are encrypted
differently.
Initialization Vector (IV)
Must be known to both the sender & receiver
Typically, IV is either a fixed value or is sent
encrypted in ECB mode before the rest of
ciphertext.
12
13
Cipher feedback mode (basic
version)
Plaintext blocks: p
1
, p
2
,

Key: k
Basic idea: construct key stream k
1
, k
2
, k
3
,
Encryption:
0
1
IV
( ), for 1
, for 1
i k i
i i i
c
k E c i
c p k i

= >

= >

Cipher Feedback (CFB)

Mode
1 2 3 4
1 2 3 4
The plaintext is a sequence of of bits
(where block-size): , , , ,
Encryption is used to generate a sequence of keys,
each of bits: , , , ,
The ci
segments s
s P P P P
s K K K K
-
s .
-
.
-
1 2 3 4
phertext is , , , , , where

How to generate the key stream?
i i i
C C C C
C P K
.
=
-
14
Generating Key Stream for
CFB
1
1 1
The input to the block cipher is a shift register ;
its value at stage is denoted as .
Initially, an initial vector (IV).
For 1, shift-left- -bits( ) .
Then, -mos
i
i i i
i
x
i x
x
i x s x C
K s

-
- =
> =
- = t-significant-bits(E ( )).
K i
x
15
Encryption in CFB Mode
16
Decryption in CFB Mode
1 2 3 4
Generate key stream , , , ,
the same way as for encryption.
Then decrypt each ciphertext segment as:

i i i
K K K K
P C K
- .
-
=
17
Remark on CFB
The block cipher is used as a stream cipher.
Appropriate when data arrives in bits/bytes.
s can be any value; a common value is s = 8.
A ciphertext segment depends on the current and
all preceding plaintext segments.
A corrupted ciphertext segment during
transmission will affect the current and next
several plaintext segments.
18
19
Output feedback mode (basic
version)
Plaintext blocks: p
1
, p
2
,

Key: k
Basic idea: construct key stream k
1
, k
2
, k
3
,
Encryption:
0
1
IV
( ), for 1
, for 1
i k i
i i i
k
k E k i
c p k i

= >

= >

Output Feedback (OFB)

Mode
1 1
Very similar to Cipher Feedback in structure.
But rather than is fed back to the next stage.
As in CFB, the input to the block cipher is a shift
register ; its value at stage
i i
K C
x i

-
-
-
1
1 1
is denoted as .
Initially, an initial vector (IV).
For 1, shift-left- -bits( ) .
Then, -most-significant-bits(E ( )).
i
i i i
i K i
x
x
i x s x K
K s x

- =
> =
- =
20
Cipher Feedback






Output Feedback
21
Remark on OFB
The block cipher is used as a stream cipher.
Appropriate when data arrives in bits/bytes.
Advantage:
more resistant to transmission errors; a bit error in a ciphertext
segment affects only the decryption of that segment.
Disadvantage:
Cannot recover from lost ciphertext segments; if a ciphertext
segment is lost, all following segments will be decrypted
incorrectly (if the receiver is not aware of the segment loss).
IV should be generated randomly each time and sent with
the ciphertext.

22
Counter Mode (CTR)
Plaintext blocks: p
1
, p
2
, p
3
,

Key: k
Basic idea: construct key stream k
1
, k
2
, k
3
,
Encryption:

T
1
= IV
T
i
= T
i-1
+ 1
C
i
= P
i
E
K
(T
i
)
C = (IV, C
1
, C
2
, C
3
, ...)

23
Remark on CTR
Strengthes:
Needs only the encryption algorithm
Fast encryption/decryption; blocks can be processed
(encrypted or decrypted) in parallel; good for high
speed links
Random access to encrypted data blocks
IV should not be reused.

24
Data Encryption Standard
(DES)
most widely used block cipher in
world
adopted in 1977 by NBS (now NIST)
encrypts 64-bit data using 56-bit key
has widespread use
has been considerable controversy
over its security

DES History
IBM developed Lucifer cipher
by team led by Feistel in late 60s
used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher
with input from NSA and others
in 1973 NBS issued request for proposals
for a national cipher standard
IBM submitted their revised Lucifer which
was eventually accepted as the DES
DES Design Controversy
although DES standard is public
was considerable controversy over
design
in choice of 56-bit key (vs Lucifer 128-bit)
and because design criteria were classified
subsequent events and public analysis
show in fact design was appropriate
use of DES has flourished
especially in financial applications
still standardised for legacy application use

DES : Basic Principles
DES is a Block Cipher.
It Encrypts data in blocks of size 64
bits each
64 bits of plain text goes as the
input to DES, which produces 64 bits
of Cipher Text.
The key length is 56 Bits.
How Does DES Works
???

Key Size (56 Bits) How
???
The Initial Key Consists of 64 bits.

Before the DES process starts, every 8
th

bit of the key is discarded to produce a 56
bit key.

Bit positions (8, 16, 24, 32, 40,48,56,64)
are discarded.

These bits can be used for parity checking
to ensure that the key does not contain
any error

56 Bit key
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64
Key Discarding Process

DES - Basics
DES uses the two basic techniques of
cryptography Substitution
Technique (confusion) and
Transposition Technique (diffusion).
DES consists of 16 Steps, each of
which is known as round
Each round performs the steps of
Substitution and Transposition
Level of steps in DES
1. The 64 bit plain text block is handed
over to an Initial Permutation (IP)
function
2. The IP is performed on plain text
3. The IP produces two halves of the
permuted block:
LPT (Left Plain Text)
RPT (Right Plain Text)

Level of steps in DES
4. Each of LPT and RPT go through 16 rounds
of encryption process

5. In the End, LPT and RPT are rejoined, and
a Final Permutation (FP) is performed on
the combined block

6. The result produces 64-bit cipher text.


Broad Level steps in DES

DES Encryption Overview
Initial Permutation (IP)
IP happens only once and it happens before
the first round
It suggests how the transposition in IP
should proceed
It says that the IP replaces the first bit
of the original plain text block with the
58
th
bit of the original plain text block
2
nd
bit with 50
th
bit and so on.
Idea of IP

IP TABLE
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
Initial Permutation IP
The resulting 64 bits text block is
divided into two half blocks (each 32
bits)
16 rounds are performed on these
two blocks

Permutation on 56 Bit Key

57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
Details Of one Round in
DES

Step 1 : Key
Transformation
For each round, 56 bit key is available

From this 56 bit key, a different 48-bit sub key
is generated during each round using a process
called as Key Transformation

In this method, a 56 bit key is divided into two
halves, each of 28 bits

These halves are circularly shifted by 1 or 2
positions, depending on the round
Number of Key bits
shifted per round
Round
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Shift
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
56 Bit key
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
56 Bit key
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
After Round-1
56 Bit Key:

49 41 33 25 17 9 1 58 50 42 34 26 18 10
2 59 51 43 35 27 19 11 3 60 52 44 36 57
55 47 39 31 23 15 7 62 54 46 38 30 22 14
6 61 53 45 37 29 21 13 5 28 20 12 4 63
How to Select 48 bit Key
from 56 Bit key
Since the Key Transformation process involves
permutation as well as selection of a 48 bit sub-
set of the original 56-bit key, It is called as
Compression Permutation
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
18 bit number is discarded
Step 2 : Expansion
Permutation
The RPT is expanded from 32 bits to
48 bits
The RPT is divided into 8 blocks, with
each block consists of 4 bits
For per 4-bit block, 2 more bits are
added.

Division of 32 bit RPT
into Eight 4-bit block

RPT Expansion Process

Expansion Permutation
Table
32 1 2 3 4 5 4 5 6 7 8 9
8 9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
Expansion Permutation
Table
32 1 2 3 4 5 4 5 6 7 8 9
8 9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
S-Box Substitution
It is a Process that accepts the 48-
bit input from the XOR operation
involving the compressed key and
Expanded RPT and Produces a 32 bit
output using Substitution Technique
Way to S-Box
Substitution

S-Box Substitution

Selecting an Entry in a S-
Box based on the 6-bit
input

Example

P-Box Permutation
The output of S-box Contains 32 bits
These 32 bits are permuted using P-
Box

P-Box Permutation
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
XOR and SWAP

Final Permutation
(IP inverse)
40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
DES Example - Key
K = 581FBC94D3A452EA
X = 3570E2F1BA4682C7
K = ( 0101 1000 0001 1111 1011 1100 1001 0100
1101 0011 1010 0100 0101 0010 1110 1010 )
C
0
= ( 10111100110100
01101001000101 )
D
0
= ( 11010010001011
10100001111111 )
DES Example - Key
C
1
= ( 0111 1001 1010 0011 0100 1000 1011 )
D
1
= ( 1010 0100 0101 1101 0000 1111 1111 )
K
1
= ( 001001 111010 000101 101001
111001 011000 110111 011010 )
C
2
= ( 1111 0011 0100 0110 1001 0001 0110 )
D
2
= ( 0100 1000 1011 1010 0001 1111 1111 )
K
2
= ( 110110 101001 000111 011101
110101 111011 011101 001000 )
DES Example - Data
K=581FBC94D3A452EA
X=3570E2F1BA4682C7
X = (x
1
, x
2
, x
3
, , x
64
)
= ( 0011 0101 0111 0000 1110 0010 1111 0001
1011 1010 0100 0110 1000 0010 1100 0111)
This plaintext X is first subjected to an Initial Permutation
IP which gives
L
0
= ( 1010 1110 0001 1011 1010 0001 1000 1001)
A E 1 B A 1 8 9
R
0
= ( 1101 1100 0001 111 0001 0000 1111 0100)
D C 1 F 1 0 F 4
DES Example - Data
E(R
0
) = ( 011011 111000 000011 111110
100010 100001 01110 101001)
I
1
= E(R
0
) K
1
= ( 010010 000010 000110 010111
011011 111001 101001 110011)
S
5
01
(1101) = S
5
1
(13) = 9 = 1001
S
6
11
(1100) = S
6
3
(12) = 6 = 0110

S
7
11
(0100) = S
7
3
(4) = 1 = 0001

S
8
11
(1001) = S
8
3
(9) = 12 = 1100

DES Example - Data
B
1
= (1010 0001 1110 1100 1001 0110 0001 1100)
P(B
1
) = (0010 1011 1010 0001 0101 0011 0110 1100)
R
1
= P(B
1
) L
0

= (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
DES Example - Data
L
1
= (1101 1100 0001 1111 0001 0000 1111 0100)
D C 1 F 1 0 F 4
E(R
1
) = ( 110000 001011 110111 110101
011110 100101 011100 001011)
I
2
= E(R
1
) K
2
= ( 000110 100010 110000 101000
101011 011110 000001 000011)
DES Example - Data
S
1
00
(0011) = S
1
1
(3) = 1 = 0001
S
2
10
(0001) = S
2
3
(1) = 14 = 1110

S
3
10
(1000) = S
3
3
(8) = 11 = 1011

S
4
10
(0100) = S
4
3
(4) = 12 = 1100

S
5
11
(0101) = S
5
1
(5) = 14 = 1110
S
6
00
(1111) = S
6
3
(15) = 11 = 1011

S
7
01
(0000) = S
7
3
(0) = 13 = 1101

S
8
01
(0001) = S
8
3
(1) = 15 = 1111
DES Example - Data
B
2
= (0001 1110 1011 1100 1110 1011 1101 1111)
P(B
2
) = (0101 1111 0011 1110 0011 1001 1111 0111)
R
2
= P(B
2
) L
1

= (1000 0011 0010 0001 0010 1001 0000 0011)
8 3 2 1 2 9 0 3
L
2
= R
1
= (1000 0101 1011 1010 1111 0010 1110 0101)
8 5 B A F 2 E 5
DES Example - Data -
Done !
Y = (y
1
, y
2
,y
3
, , y
64
)
= ( 1101 0111 0110 1001 1000 0010 0010 0100
0010 1000 0011 1110 0000 1010 1110 1010)
= ( D 7 6 9 8 2 2 4 2 8 3 E 0 A E A)
Strength of DES Key
Size
56-bit keys have 2
56
= 7.2 x 10
16
values
brute force search looks hard
recent advances have shown is possible
in 1997 on Internet in a few months
in 1998 on dedicated h/w (EFF) in a few days
in 1999 above combined in 22hrs!
still must be able to recognize plaintext
must now consider alternatives to DES
Strength of DES Analytic
Attacks
now have several analytic attacks on DES
these utilise some deep structure of the cipher
by gathering information about encryptions
can eventually recover some/all of the sub-key
bits
if necessary then exhaustively search for the
rest
generally these are statistical attacks
include
differential cryptanalysis
linear cryptanalysis
related key attacks

Strength of DES Timing
Attacks
attacks actual implementation of cipher
use knowledge of consequences of
implementation to derive information
about some/all subkey bits
specifically use fact that calculations can
take varying times depending on the value
of the inputs to it

Differential
Cryptanalysis
one of the most significant recent (public)
advances in cryptanalysis
known by NSA in 70's DES design
Murphy, Biham & Shamir published in 90s
powerful method to analyse block ciphers
used to analyse most current block ciphers
with varying degrees of success
DES reasonably resistant to it, Lucifer
Differential
Cryptanalysis
uses cipher structure not previously
used
design of S-P networks has output of
function f influenced by both input &
key
hence cannot trace values back
through cipher without knowing value
of the key
differential cryptanalysis compares
two related pairs of encryptions
Differential Cryptanalysis
Compares Pairs of
Encryptions
with a known difference in the input
searching for a known difference in
output
when same subkeys are used
Differential
Cryptanalysis
have some input difference giving some
output difference with probability p
if find instances of some higher
probability input / output difference pairs
occurring
can infer subkey that was used in round
then must iterate process over many
rounds (with decreasing probabilities)
Differential
Cryptanalysis
Differential
Cryptanalysis
perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
when found
if intermediate rounds match required XOR have a right
pair
if not then have a wrong pair, relative ratio is S/N for
attack
can then deduce keys values for the rounds
right pairs suggest same key bits
wrong pairs give random values
for large numbers of rounds, probability is so low that more
pairs are required than exist with 64-bit inputs
Biham and Shamir have shown how a 13-round iterated
characteristic can break the full 16-round DES
Linear Cryptanalysis
another recent development
also a statistical method
must be iterated over rounds, with
decreasing probabilities
developed by Matsui et al in early 90's
based on finding linear approximations
can attack DES with 2
43
known plaintexts,
easier but still in practise infeasible
DES Design Criteria
as reported by Coppersmith in
[COPP94]
7 criteria for S-boxes provide for
non-linearity
resistance to differential cryptanalysis
good confusion
3 criteria for permutation P provide
for
increased diffusion

Block Cipher Design
Principles
number of rounds
more is better, exhaustive search best
attack
function f:
provides confusion, is nonlinear
have issues of how S-boxes are selected
key schedule
complex subkey creation