
Block Ciphers

The document discusses block ciphers and stream ciphers, explaining that block ciphers encrypt fixed-size blocks of plaintext into ciphertext, while stream ciphers encrypt digital data streams on a bit-by-bit or byte-by-byte basis. It also describes the Feistel cipher structure, which is used in many symmetric block encryption algorithms, and examines the design principles of Feistel ciphers including diffusion, confusion, substitution boxes, and permutation boxes.
Block Ciphers

Dr. Md. Mahbubur Rahman


Introduction
Many symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher.
For that reason, it is important to examine the design principles of the Feistel cipher.
A comparison of stream ciphers and block ciphers will be made.
Block Ciphers
Encrypt a block of plaintext as a whole to produce a same-sized ciphertext block
Typical block sizes are 64 or 128 bits
As with a stream cipher, the two users share a symmetric encryption key
Using some modes of operation, a block cipher can be used to achieve the same effect as a stream cipher
Applicable to a broader range of applications than stream ciphers

Block cipher
Stream Ciphers
 Encrypts a digital data stream one bit or one byte at a time
 One-time pad is an example, but it has practical limitations
 Typical approach for stream cipher:
 Key (K) used as input to bit-stream generator algorithm
 Algorithm generates cryptographic bit stream (k_i) used to encrypt plaintext
 Users share a key; use it to generate keystream

Stream cipher using algorithmic bit-stream generator
Motivation for the Feistel Cipher Structure: Reversible and Irreversible Mappings
 n-bit block cipher takes n-bit plaintext and produces n-bit ciphertext
 In n bits, 2^n possible different plaintext blocks
 Encryption to be reversible (i.e., for decryption to be possible), each must produce a unique ciphertext
 For n = 2,

 If we limit ourselves to reversible mappings, the number of different transformations is (2^n)!.
Ideal Block Cipher
n-bit input maps to 2^n possible input states
Substitution used to produce 2^n output states
Output states map to n-bit output
Feistel refers to this as the ideal block cipher because it allows the maximum number of possible encryption mappings from the plaintext block
Problems with ideal block cipher:
Small block size: equivalent to classical substitution cipher; cryptanalysis based on statistical characteristics feasible
Large block size: key must be very large; performance/implementation problems
Ideal block cipher example

2-bit block, 2^2 = 4 mappings

Input 00, Output 10 if K15 is used, as K15 = 10 01 00 11
 Ideal: n-bit block, 2^n mappings.
 Total n · 2^n mappings
 Any key length (to represent any mapping): n · 2^n bits (each mapping contains n bits)
 Feistel: n-bit block, 2^K mappings, key length K


Substitution/Block cipher
 4-bit input produces one of 16 input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 ciphertext bits.
 This is the most general form of block cipher and can be used to define any reversible mapping between plaintext and ciphertext.

Figure illustrates the logic of a general substitution cipher for n = 4.
Encryption and Decryption Tables for Substitution Cipher

CSE 6091: Cryptography


Substitution-permutation (S-P) networks

Claude Shannon and Substitution-Permutation Ciphers

 Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
 This idea is the basis of modern block ciphers
 S-P nets are based on the two primitive cryptographic operations seen before:
 substitution (S-box)
 permutation (P-box)
 Provide confusion & diffusion of message & key
Diffusion and Confusion

Diffusion
Dissipates statistical structure of plaintext over bulk of ciphertext
E.g. a plaintext letter affects the value of many ciphertext letters
How: repeatedly apply permutation (transposition) to data, and then apply function

Confusion
Makes the relationship between ciphertext and key as complex as possible; even if an attacker can find some statistical characteristics of the ciphertext, it is hard to find the key

How: apply complex (non-linear) substitution algorithm


Diffusion

 How to achieve this?
 Develop a many-to-many mapping between plaintext and ciphertext
 Having each plaintext digit affect the value of many ciphertext digits
 An example: encrypt a message of characters M = m_1, m_2, m_3, … with an averaging operation: adding k successive letters (mod 26) to get a ciphertext letter y_n.
Confusion

 How to achieve this?
 Achieved by the use of a complex substitution algorithm.
 In contrast, a simple linear substitution function would add little confusion.
Components of a Modern Block Cipher

Modern block ciphers normally are keyed substitution ciphers in which the key allows only partial mappings from the possible inputs to the possible outputs.

P-Boxes

A P-box (permutation box) parallels the traditional transposition cipher for characters. It transposes bits.
Three types of P-boxes

Example

Figure shows all 6 possible mappings of a 3 × 3 P-box.
The possible mappings of a 3 × 3 P-box
Straight P-Boxes

Example of a permutation table for a straight P-box

Example

Design an 8 × 8 permutation table for a straight P-box that moves the two middle bits (bits 4 and 5) in the input word to the two ends (bits 1 and 8) in the output words. Relative positions of other bits should not be changed.

Solution

We need a straight P-box with the table [4 1 2 3 6 7 8 5]. The relative positions of input bits 1, 2, 3, 6, 7, and 8 have not been changed, but the first output takes the fourth input and the eighth output takes the fifth input.
Compression P-Boxes

A compression P-box is a P-box with n inputs and m outputs where m < n.

Table Example of a 32 × 24 permutation table

Expansion P-Box

An expansion P-box is a P-box with n inputs and m outputs where m > n.

Table Example of a 12 × 16 permutation table

P-Boxes: Invertibility

A straight P-box is invertible, but compression and expansion P-boxes are not.
Example

Figure shows how to invert a permutation table represented as a one-dimensional table.
Figure Inverting a permutation table

Figure Compression and expansion P-boxes are non-invertible

S-Box
An S-box (substitution box) can be thought of as a
miniature substitution cipher.

An S-box is an m × n substitution unit, where m and n are not necessarily the same.
Example

In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be represented by matrices, as shown below:
Example

In an S-box with three inputs and two outputs, we have

where multiplication and addition are in GF(2). The S-box is nonlinear because there is no linear relationship between the inputs and the outputs.
Example

The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the input defines the row; the two rightmost bits of the input define the column. The two output bits are values on the cross section of the selected row and column.

Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.

Example

Figure shows an example of an invertible S-box. For example, if the input to the left box is 001, the output is 101. The input 101 in the right table creates the output 001, which shows that the two tables are inverses of each other.

Figure S-box tables for Example

Exclusive-Or

An important component in most block ciphers is the exclusive-or operation.

Figure Invertibility of the exclusive-or operation
Exclusive-Or (Continued)

An important component in most block ciphers is the exclusive-or operation. Addition and subtraction operations in the GF(2^n) field are performed by a single operation called the exclusive-or (XOR).

The five properties of the exclusive-or operation in the GF(2^n) field make this operation a very interesting component for use in a block cipher: closure, associativity, commutativity, existence of identity, and existence of inverse.

Figure Invertibility of the exclusive-or operation

Circular Shift

Another component found in some modern block ciphers is the circular shift operation.

Figure Circular shifting an 8-bit word to the left or right

Swap

The swap operation is a special case of the circular shift operation where k = n/2.
Figure Swap operation on an 8-bit word

Split and Combine

Two other operations found in some block ciphers are split and combine.

Figure 5.12 Split and combine operations on an 8-bit word
Product Ciphers

Shannon introduced the concept of a product cipher. A product cipher is a complex cipher combining substitution, permutation, and other components.

Diffusion
The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.

Confusion
The idea of confusion is to hide the relationship between the ciphertext and the key.

Rounds

Diffusion and confusion can be achieved using iterated product ciphers where each iteration is a combination of S-boxes, P-boxes, and other components.

Figure A product cipher made of two rounds

Figure Diffusion and confusion in a block cipher
Two Classes of Product Ciphers

Modern block ciphers are all product ciphers, but they are
divided into two classes.

1. Feistel ciphers

2. Non-Feistel ciphers

Two Classes of Product Ciphers (cont.)

Feistel Ciphers

Feistel designed a very intelligent and interesting cipher that has been used for decades. A Feistel cipher can have three types of components: self-invertible, invertible, and noninvertible.

The first thought in Feistel cipher design

Non-invertible elements cancel out when XORed

Two algorithms are inverses of each other:
If C2=C1 then P2=P1

Example

The plaintext and ciphertext are each 4 bits long and the key is 3 bits
long. Assume that the function takes the first and third bits of the key,
interprets these two bits as a decimal number, squares the number,
and interprets the result as a 4-bit binary pattern. Show the results of
encryption and decryption if the original plaintext is 0111 and the key is
101.

Solution

The function extracts the first and third bits to get 11 in binary or 3 in decimal.
The result of squaring is 9, which is 1001 in binary.
The improvement in Feistel cipher design

Two algorithms are inverses of each other:
If L3=L2 and R3=R2
The final design of Feistel cipher

Final design
Flaw: no change in right half.
Inc: rounds
Add: swapper

Two algorithms are inverses of each other:
If L6=L1 and R6=R1 assuming that L4=L3 and R4=R3

Then it is easy to prove that the holds for two plaintext blocks
Non-Feistel Ciphers

A non-Feistel cipher uses only invertible components. A component in the encryption cipher has the corresponding component in the decryption cipher.
Feistel Structure for Block Ciphers

Feistel proposed applying two or more simple ciphers in sequence so the final result is cryptographically stronger than the component ciphers
n-bit block length; k-bit key length; 2^k transformations
Feistel cipher alternates: substitutions, transpositions (permutations)
Applies concepts of diffusion and confusion
Applied in many ciphers today
Feistel Cipher Structure
 Horst Feistel devised the Feistel cipher
 based on concept of invertible product cipher
 Partitions input block into two halves
 Subkeys (or round keys) generated from key
 Round function, F, applied to right half
 Apply substitution on left half using XOR
 F(RE_i, K_{i+1})
 Apply permutation: interchange the two halves
 Implements Shannon’s S-P net concept
Using the Feistel Structure
Exact implementation depends on various design features
 Block size, e.g. 64, 128 bits: larger values lead to more diffusion
 Key size, e.g. 128 bits: larger values lead to more confusion, resistance against brute force
 Number of rounds, e.g. 16 rounds
 Subkey generation algorithm: should be complex
 Round function F: should be complex

Other factors include fast encryption in software and ease of analysis
Trade-off: security vs. performance
Feistel Cipher Structure Encryption

Feistel Cipher Structure Decryption

General Formula for Encryption/Decryption

 For the ith iteration of the encryption algorithm

 Rearranging terms gives the decryption:
Relation between output and input
 Show that the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process.
 consider the encryption

 decryption side

 Thus, we have
 Therefore, the output of the first round of the decryption process is , which is the 32-bit swap of the input to the sixteenth round of the encryption
Feistel Cipher Design Elements Discussions
 Block size
 Larger block sizes mean greater security
 Key size
 Larger key size means greater security but may decrease encryption/decryption speed
 Number of rounds
 a single round offers inadequate security but multiple rounds offer increasing security
 Subkey generation algorithm
 Greater complexity leads to greater difficulty of cryptanalysis
 Round function
 Same as subkey gen.
 Fast software en/decryption
 the speed of execution of the algorithm becomes a concern
 Ease of analysis
 if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
Dependency on function F
 The derivation does not require that F be a reversible function.
 For example, F produces a constant output (e.g., all ones) regardless of the values of its two arguments.
 15th round of encryption corresponds to 2nd round of decryption
 Block size is 32 bits (two 16-bit halves) and key size is 24 bits
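The two claims above (decryption works even when F is not reversible, and decryption round i undoes encryption round 17 − i up to a swap of halves), as an added Python example that is not part of the original slides. The subkey schedule, both round functions and all names are hypothetical; only the 32-bit block, 16-bit halves, 24-bit key and 16 rounds come from the slides.

```python
MASK16 = 0xFFFF
ROUNDS = 16


def subkeys_from(key24):
    """Hypothetical schedule: subkey i is the 24-bit key rotated left by i bits."""
    keys = []
    for i in range(1, ROUNDS + 1):
        keys.append(((key24 << i) | (key24 >> (24 - i))) & 0xFFFFFF)
    return keys


def constant_f(right, subkey):
    """F from the slide: all ones, whatever the two arguments are."""
    return MASK16


def lossy_f(right, subkey):
    """A key-dependent F that discards half the input bits, so it has no inverse."""
    return ((right & 0x0F0F) * 0x1F35 + (subkey >> 8)) & MASK16


def run_rounds(left, right, keys, f):
    """Apply one Feistel round per subkey and record (L, R) after every round."""
    states = [(left, right)]
    for k in keys:
        left, right = right, left ^ f(right, k)
        states.append((left, right))
    return states


def encrypt(block32, key24, f):
    states = run_rounds(block32 >> 16, block32 & MASK16, subkeys_from(key24), f)
    le, re = states[-1]
    return (re << 16) | le, states          # final 32-bit swap


def decrypt(block32, key24, f):
    keys = subkeys_from(key24)[::-1]        # same algorithm, subkeys reversed
    states = run_rounds(block32 >> 16, block32 & MASK16, keys, f)
    ld, rd = states[-1]
    return (rd << 16) | ld, states


def mirrored(enc_states, dec_states):
    """True if the state after decryption round i is the swap of the state
    after encryption round 16 - i, for every i."""
    n = len(enc_states) - 1
    return all(dec_states[i] == enc_states[n - i][::-1] for i in range(n + 1))


if __name__ == "__main__":
    for f in (constant_f, lossy_f):
        c, enc = encrypt(0x12345678, 0xABCDEF, f)
        p, dec = decrypt(c, 0xABCDEF, f)
        print(f.__name__, hex(c), hex(p), mirrored(enc, dec))
```

With constant_f the ciphertext does not depend on the key at all: the structure guarantees that decryption is possible, not that the cipher is secure, which is why the slides ask for a complex F.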

Symmetric Block Cipher Algorithms

DES (Data Encryption Standard)
3DES (Triple DES)
AES (Advanced Encryption Standard)
Data Encryption Standard

Symmetric block cipher
 56-bit key, 64-bit input block, 64-bit output block

One of most used encryption systems in world
 Developed in 1977 by NBS/NIST
 Designed by IBM (Lucifer) with input from NSA
 Principles used in other ciphers, e.g. 3DES, IDEA

Simplified DES (S-DES)
Cipher using principles of DES
Developed for education (not real world use)
Simplified DES
Input (plaintext) block: 8-bits
Output (ciphertext) block: 8-bits
Key: 10-bits
Rounds: 2
Round keys generated using permutations and left shifts
Encryption: initial permutation, round function, switch halves
Decryption: Same as encryption, except round keys used in opposite order
S-DES Key Generation
S-DES Operations

P10 (permutate)
Input : 1 2 3 4 5 6 7 8 9 10
Output: 3 5 2 7 4 10 1 9 8 6
P8 (select and permutate)
Input : 1 2 3 4 5 6 7 8 9 10
Output: 6 3 7 4 8 5 10 9
P4 (permutate)
Input : 1 2 3 4
Output: 2 4 3 1
Example S-DES : Key generation

Assume input 10-bit key, K, is: 1010000010

Then the steps for generating the two 8-bit round keys, K1 and K2, are:

1. Rearrange K using P10: 1000001100

2. Left shift by 1 position both the left and right halves: 00001 11000

3. Rearrange the halves with P8 to produce K1: 10100100

4. Left shift by 2 positions the left and right halves: 00100 00011

5. Rearrange the halves with P8 to produce K2: 01000011

K1 and K2 are used as inputs in the encryption and decryption stages.


S-DES Encryption Details
S-DES Operations

EP (expand and permutate)
Input : 1 2 3 4
Output: 4 1 2 3 2 3 4 1
IP (initial permutation)
Input : 1 2 3 4 5 6 7 8
Output: 2 6 3 1 4 8 5 7
IP^-1 (inverse of IP)
LS-1 (left shift 1 position)
LS-2 (left shift 2 positions)
Example S-DES Encryption
Assume an 8-bit plaintext, P: 01110010
Then the steps for encryption are:
1. Apply the initial permutation, IP, on P: 10101001
2. Assume the input from step 1 is in two halves, L and R: L=1010, R=1001
3. Expand and permutate R using E/P: 11000011
4. XOR input from step 3 with K1: 10100100 XOR 11000011 = 01100111
5. Input left half of step 4 into S-Box S0 and right half into S-Box S1:
 a. For S0: 0110 as input: b1,b4 for row, b2,b3 for column
 b. Row 00, column 11 -> output is 10
 c. For S1: 0111 as input:
 d. Row 01, column 11 -> output is 11
6. Rearrange outputs from step 5 (1011) using P4: 0111
7. XOR output from step 6 with L from step 2: 0111 XOR 1010 = 1101
8. Now we have the output of step 7 as the left half and the original R as the right half. Switch the halves and move to round 2: 1001 1101
9. E/P with right half: E/P(1101) = 11101011
10. XOR output of step 9 with K2: 11101011 XOR 01000011 = 10101000
11. Input to S-boxes:
 a. For S0, 1010
 b. Row 10, column 01 -> output is 10
 c. For S1, 1000
 d. Row 10, column 00 -> output is 11
12. Rearrange output from step 11 (1011) using P4: 0111
13. XOR output of step 12 with left half from step 8: 0111 XOR 1001 = 1110
14. Input output from step 13 and right half from step 8 into inverse IP
 a. Input is 1110 1101
 b. Output is: 01110111
S-DES S-Boxes
S-DES (and DES) perform substitutions using S-Boxes
S-Box considered as a matrix: input used to select row/column; selected element is output
4-bit input: bit1; bit2; bit3; bit4
bit1 bit4 specifies row (0, 1, 2 or 3 in decimal)
bit2 bit3 specifies column
2-bit output
Comparing DES and S-DES
S-DES Summary

Educational encryption algorithm
S-DES expressed as functions:

Security of S-DES:
 10-bit key, 1024 keys: brute force easy
 If know plaintext and corresponding ciphertext, can we determine key? Very hard


Data Encryption Standard (DES)

most widely used block cipher in world
adopted in 1977 by NBS (now NIST)
 as FIPS PUB 46
encrypts 64-bit data using 56-bit key
has widespread use
has considerable controversy over its security
DES History

IBM developed Lucifer cipher
 by team led by Feistel in late 60’s
 used 64-bit data blocks with 128-bit key
then redeveloped as a commercial cipher with input from NSA and others
in 1973 NBS issued request for proposals for a national cipher standard
IBM submitted their revised Lucifer which was eventually accepted as the DES
DES Design Controversy (Concerns)
although DES standard is public, considerable controversy over design (two concerns)
 in choice of 56-bit key (vs Lucifer 128-bit)
 and because design criteria were classified
subsequent events and public analysis show in fact design was appropriate
use of DES has flourished
 especially in financial applications
 still standardised for legacy application use
Time to Break a DES Code (assuming 10^6 decryptions/s)

Using Electronic Frontier Foundation (EFF) DES cracker: approx. 10 hrs. for DES
Triple DES

Triple DES (3DES) was first standardized for use in financial applications in ANSI standard X9.17 in 1985.
3DES was incorporated as part of the Data Encryption Standard in 1999 with the publication of FIPS 46-3.
Triple DES
3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence.

There is no cryptographic significance to the use of decryption for the second stage of 3DES encryption.
Triple DES comments
3DES is the FIPS approved symmetric encryption algorithm of choice.
The original DES, which uses a single 56-bit key, is permitted under the standard for legacy systems only. New procurements should support 3DES.
Government organizations with legacy DES systems are encouraged to transition to 3DES.
It is anticipated that 3DES and the Advanced Encryption Standard (AES) will coexist as FIPS-approved algorithms, allowing for a gradual transition to AES.

FIPS: Federal Information Processing Standards
The purpose of FIPS is to ensure that all federal government and agencies adhere to the same guidelines regarding security and communication.
A DES decryption

1. As with any Feistel cipher, decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.

2. Additionally, the initial and final permutations are reversed.

DES

For DES, data are encrypted in 64-bit blocks using a 56-bit key.
The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
The same steps, with the same key, are used to reverse the encryption.
With the exception of the initial and final permutations, DES has the exact structure of a Feistel cipher.
DES Encryption

 As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key
 The processing of the plaintext proceeds in three phases.

1. First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
2. This is followed by a phase consisting of sixteen rounds of the same function, which involves both permutation and substitution functions.
3. The left and right halves of the output are swapped to produce the preoutput.
4. Finally, the preoutput is passed through a permutation [IP^-1] that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.
DES Encryption Algorithm Overview

1. Initial and Final Permutation

Input bit 58 goes to output bit 1
Input bit 50 goes to output bit 2, …
Even bits to LH half, odd bits to RH half
Quite regular in structure (easy in h/w)
2. DES Round Structure
Substitution boxes
3. Sub-Key generation

Initially, the key is passed through a permutation function.
Then, for each of the sixteen rounds, a subkey (K_i) is produced by the combination of a left circular shift and a permutation.
DES Key Schedule Calculation
Single Round of DES Algorithm
Permutation Tables for DES
Definition of DES S-Boxes
DES example

For this example, the plaintext is a hexadecimal palindrome. The plaintext, key, and resulting ciphertext are as follows:
Results

shows the progression of the algorithm.

The Avalanche Effect

Aim: small change in key (or plaintext) produces large change in ciphertext
Avalanche effect is present in DES (good for security)
Following examples show the number of bits that change in output when two different inputs are used, differing by 1 bit
 Plaintext 1: 02468aceeca86420
 Plaintext 2: 12468aceeca86420
 Ciphertext difference: 32 bits
 Key 1: 0f1571c947d9e859
 Key 2: 1f1571c947d9e859
 Ciphertext difference: 307
shows the result when the fourth bit of the plaintext is changed, so that the plaintext is 12468aceeca86420.
Avalanche Effect in DES: Change in Plaintext
The second column of the table shows the intermediate 64-bit values at the end of each round for the two plaintexts. The third column shows the number of bits that differ between the two intermediate values.
Avalanche Effect in DES: Change in Key

shows a similar test using the original plaintext of with two keys that differ in only the fourth bit position:
Concerns of DES

Key size and the nature of the algorithm

Although 64 bit initial key, only 56 bits used in encryption (other 8 for parity check)
2^56 = 7.2 × 10^16
 1977: estimated cost $US20m to build machine to break in 10 hours
 1998: EFF built machine for $US250k to break in 3 days
 Today: 56 bits considered too short to withstand brute force attack

Recent offerings confirm this. Both Intel and AMD now offer hardware-based instructions to accelerate the use of AES. Test run on a contemporary multicore Intel machine resulted in an encryption rate of about half a billion encryptions per second.
3DES uses 128-bit keys
Concern of DES

The Nature of the DES Algorithm

Another concern is the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm
Because the design criteria for these S-boxes, and indeed for the entire algorithm, were not made public, there is a suspicion that the boxes were constructed in such a way that cryptanalysis is possible for an opponent who knows the weaknesses in the S-boxes.
Attacks on DES
Timing Attacks
Information gained about key/plaintext by observing how long implementation takes to decrypt
No known useful attacks on DES

Differential Cryptanalysis
Observe how pairs of plaintext blocks evolve
Break DES in 2^47 encryptions (compared to 2^55); but require 2^47 chosen plaintexts

Linear Cryptanalysis
Find linear approximations of the transformations
Break DES using 2^43 known plaintexts
Choosing F
Nonlinearity: in rough terms, the more difficult it is to approximate F by a set of linear equations, the more nonlinear F is.

A more stringent version of this is the strict avalanche criterion (SAC), which states that any output bit j of an S-box (see Appendix S for a discussion of S-boxes) should change with probability 1/2 when any single input bit i is inverted for all i, j.

Another criterion proposed in [WEBS86] is the bit independence criterion (BIC), which states that output bits j and k should change independently when any single input bit i is inverted for all i, j, and k.
DES Algorithm Design

DES was designed in private; questions about the motivation of the design
S-Boxes provide non-linearity: important part of DES, generally considered to be secure
S-Boxes provide increased confusion
Permutation P chosen to increase diffusion
Multiple Encryption with DES

DES is vulnerable to brute force attack
Alternative block cipher that makes use of DES software/equipment/knowledge: encrypt multiple times with different keys

Options:
1. Double DES: not much better than single DES
2. Triple DES (3DES) with 2 keys: brute force 2^112
3. Triple DES with 3 keys: brute force 2^168
Double Encryption

For DES, 2 56-bit keys, meaning 112-bit key length
Requires 2^111 operations for brute force?
Meet-in-the-middle attack makes it easier
Meet-in-the-Middle Attack
Triple Encryption
Other Symmetric Encryption Algorithms
Cryptanalysis on Block Ciphers
Multiple Encryption & DES

clear a replacement for DES was needed
 theoretical attacks that can break it
 demonstrated exhaustive key search attacks

AES is a new cipher alternative
prior to this alternative was to use multiple encryption with DES implementations
Triple-DES is the chosen form
Double-DES?
could use 2 DES encrypts on each block
 C = E_K2(E_K1(P))
issue of reduction to single stage
and have “meet-in-the-middle” attack
works whenever use a cipher twice
since X = E_K1(P) = D_K2(C)
attack by encrypting P with all keys and store
then decrypt C with keys and match X value
takes O(2^56) steps
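The cost argument above, as an added Python example that is not part of the original slides: it counts the work needed against double encryption with a constructed toy cipher (8-bit keys, 16-bit blocks), so that the 2 × 2^8 operations against a nominal 16-bit key can be checked directly. The toy cipher, the sample keys and plaintexts, and all names are hypothetical; the toy cipher is not DES and has no security value.

```python
from collections import defaultdict

MASK = 0xFFFF
MUL = 0x9E37                      # odd, so multiplication mod 2^16 is invertible
MUL_INV = pow(MUL, -1, 1 << 16)   # modular inverse (Python 3.8+)
KEY_SPACE = 256                   # 8-bit keys: 2^8 single keys, 2^16 key pairs


def toy_encrypt(key, block):
    """Constructed 3-round keyed permutation on 16-bit blocks."""
    x = block
    for _ in range(3):
        x ^= (key << 8) | key
        x = (x * MUL) & MASK
        x = ((x << 5) | (x >> 11)) & MASK
    return x


def toy_decrypt(key, block):
    x = block
    for _ in range(3):
        x = ((x >> 5) | (x << 11)) & MASK
        x = (x * MUL_INV) & MASK
        x ^= (key << 8) | key
    return x


def double_encrypt(k1, k2, block):
    """C = E_K2(E_K1(P)), as on the slide."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(known_pairs):
    """Return (candidate key pairs, number of single-cipher operations used
    to build and probe the table). The first known pair drives the table;
    the remaining pairs filter out chance matches on X."""
    (p0, c0), rest = known_pairs[0], known_pairs[1:]
    operations = 0
    table = defaultdict(list)
    for k1 in range(KEY_SPACE):               # X = E_K1(P) for every K1, stored
        table[toy_encrypt(k1, p0)].append(k1)
        operations += 1
    candidates = []
    for k2 in range(KEY_SPACE):               # X = D_K2(C) for every K2, matched
        x = toy_decrypt(k2, c0)
        operations += 1
        for k1 in table.get(x, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, operations


# Constructed sample data: a secret key pair and three known plaintext blocks.
SECRET = (0x3A, 0xC5)
PAIRS = [(p, double_encrypt(*SECRET, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print(found, ops, "vs exhaustive", KEY_SPACE ** 2)
```

The table costs memory proportional to the single-key space, which is the price of the time saving; scaled to DES this is the O(2^56) figure on the slide rather than the 2^112 the doubled key length suggests.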
Triple-DES with Two-Keys

hence must use 3 encryptions
 would seem to need 3 distinct keys

but can use 2 keys with E-D-E sequence
 C = E_K1(D_K2(E_K1(P)))
 nb encrypt & decrypt equivalent in security
 if K1=K2 then can work with single DES

standardized in ANSI X9.17 & ISO8732
no current known practical attacks
 several proposed impractical attacks might become basis of future attacks
Triple-DES with Three-Keys

although no practical attacks on two-key Triple-DES have some concerns
 Two-key: key length = 56*2 = 112 bits
 Three-key: key length = 56*3 = 168 bits

can use Triple-DES with Three-Keys to avoid even these
 C = E_K3(D_K2(E_K1(P)))
has been adopted by some Internet applications, eg PGP, S/MIME
