WELCOME TO

CSSE 4540 COMPUTER SECURITY

Block Ciphers and

the Data Encryption Standard

Omid Aghili
Acknowledgements
The following book contributed to this session:

• William Stallings (2020), Cryptography and Network

Security: Principles and Practice, Pearson, 8th edition
Stream Ciphers vs. Block Ciphers
Symmetric cryptography is split into block ciphers and stream ciphers,
which are easy to distinguish. Figure below depicts the operational
differences between stream (a) and block (b) ciphers when we want to
encrypt b bits at a time, where b is the width of the block cipher.
Stream Cipher (1 of 2)
• Encrypts a digital data stream one bit or one byte at a time
• Examples:
• Autokeyed Vigenère cipher
• Vernam cipher
• In the ideal case, a one-time pad version of the Vernam cipher would
be used, in which the keystream is as long as the plaintext bit stream
• If the cryptographic keystream is random, then this cipher is
unbreakable by any means other than acquiring the keystream
• Keystream must be provided to both users in advance via some
independent and secure channel
• This introduces insurmountable logistical problems if the intended
data traffic is very large
Stream Cipher (2 of 2)
• For practical reasons the bit-stream generator must be implemented
as an algorithmic procedure so that the cryptographic bit stream can
be produced by both users
• It must be computationally impractical to predict future portions of
the bit stream based on previous portions of the bit stream
• The two users need only share the generating key and each can
produce the keystream
Block Cipher

• A block of plaintext is treated as a whole and used to produce a

ciphertext block of equal length
• Typically a block size of 64 or 128 bits is used
• As with a stream cipher, the two users share a symmetric encryption
key
• The majority of network-based symmetric cryptographic applications
make use of block ciphers
Stream Cipher and Block Cipher
Diffusion and Confusion

• Terms introduced by Claude Shannon to capture the two basic building

blocks for any cryptographic system
• Shannon’s concern was to thwart cryptanalysis based on statistical
analysis
• Shannon suggests two methods for frustrating statistical cryptanalysis:
Confusion

• Confusion
• Seeks to make the relationship between the statistics of the ciphertext and
the value of the encryption key as complex as possible
• An encryption operation where the relationship between key and
ciphertext is obscured.
• Even if the attacker can get some handle on the statistics of the
ciphertext, the way in which the key was used to produce that ciphertext
is so complex as to make it difficult to deduce the key
Diffusion and Confusion

• Diffusion
• The statistical structure of the plaintext is dissipated into long-
range statistics of the ciphertext
• This is achieved by having each plaintext digit affect the value of
many ciphertext digits
• An encryption operation where the influence of one plaintext
symbol is spread over many ciphertext symbols with the goal of
hiding statistical properties of the plaintext.
Diffusion and Confusion
• In a binary block cipher, diffusion can be achieved by repeatedly performing some
permutation on the data followed by applying a function to that permutation; the effect
is that bits from different positions in the original plaintext contribute to a single bit of
ciphertext.
• Confusion can be achieved by the use of a complex substitution algorithm. In contrast, a
simple linear substitution function would add little confusion.

• Diffusion and confusion have become the cornerstone of modern block cipher design.

• Both operations by themselves cannot provide security. The idea is to concatenate

confusion and diffusion elements to build so called product ciphers.
Product Cipher
• Most of today‘s block ciphers are product
ciphers as they consist of rounds which are
applied repeatedly to the data.
• Can reach excellent diffusion: changing of one
bit of plaintext results on average in the
change of half the output bits.
Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions
and permutations
• Substitutions
• Each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of
elements
• Permutation
• No elements are added or deleted or replaced in the
sequence, rather the order in which the elements appear in the
sequence is changed
• Is a practical application of a proposal by Claude Shannon to develop
a product cipher that alternates confusion and diffusion functions
• Is the structure used by many significant symmetric block ciphers
currently in use
Feistel Cipher

Feistel cipher utilizes the concept of a product cipher, which is the execution of
two or more simple ciphers in sequence in such a way that the final result or
product is cryptographically stronger than any of the component ciphers.
Feistel Encryption and Decryption (16 rounds)
Feistel Cipher Design Features (1 of 2)
• Block size
• Larger block sizes mean greater security but
reduced encryption/decryption speed for a given
algorithm
• Key size
• Larger key size means greater security but may
decrease encryption/decryption speeds
• Number of rounds
• The essence of the Feistel cipher is that a single
round offers inadequate security but that multiple
rounds offer increasing security
• Subkey generation algorithm
• Greater complexity in this algorithm should lead to
greater difficulty of cryptanalysis
Feistel Cipher Design Features (2 of 2)
• Round function F
• Greater complexity generally means greater
resistance to cryptanalysis
• Fast software encryption/decryption
• In many cases, encrypting is embedded in
applications or utility functions in such a way as to
preclude a hardware implementation; accordingly,
the speed of execution of the algorithm becomes a
concern
• Ease of analysis
• If the algorithm can be concisely and clearly
explained, it is easier to analyze that algorithm for
cryptanalytic vulnerabilities and therefore develop a
higher level of assurance as to its strength
Feistel Example
Classification of DES in the Field of Cryptology
Data Encryption Standard (DES)

• Developed by IBM based on the cipher Lucifer under influence of the

National Security Agency (NSA), the design criteria for DES have not been
published
• Standardized 1977 by the National Bureau of Standards (NBS) today
called National Institute of Standards and Technology (NIST)
• Most popular block cipher for most of the last 30 years.
• By far best studied symmetric algorithm.
• Was the most widely used encryption scheme until the introduction of the
Advanced Encryption Standard (AES) in 2001
Data Encryption Standard (DES)

• Algorithm itself is referred to as the Data Encryption Algorithm (DEA)

• Data are encrypted in 64-bit blocks using a 56-bit key
• The algorithm transforms 64-bit input in a series of steps into a 64-
bit output
• The same steps, with the same key, are used to reverse the
encryption
• Nowadays considered insecure due to the small key length of 56 bit.
• But: 3DES yields very secure cipher, still widely used today.
Overview of the DES Algorithm
• Encrypts blocks of size 64 bits.
• Uses a key of size 56 bits.
• Symmetric cipher: uses same key for
encryption and decryption
• Uses 16 rounds which all perform the
identical operation
• Different subkey in each round derived from
main key
The Feistel structure of DES
• DES structure is a Feistel network
• Advantage: encryption and decryption differ
only in keyschedule

• Bitwise initial permutation, then 16 rounds

1.Plaintext is split into 32-bit halves Li
and Ri
2.Ri is fed into the function f, the output
of which is then XORed with Li
3.Left and right half are swapped

Rounds can be expressed as:

The Feistel structure of DES

L and R swapped again at the end of the

cipher, i.e., after round 16 followed by a
final permutation
General Depiction of DES Encryption Algorithm
DES Example

• The first row shows the 32-bit values of

the left and right halves of data after the
initial permutation.
• The next 16 rows show the results after
each round. Also shown is the value of
the 48-bit subkey generated for each
round.
• Note that Li = Ri-1. The final row shows
the left- and right-hand values after the
inverse initial permutation. These two
values combined form the ciphertext.
Avalanche Effect in DES
• A desirable property of any encryption algorithm is that a small
change in either the plaintext or the key should produce a significant
change in the ciphertext.

• In particular, a change in one bit of the plaintext or one bit of the key
should produce a change in many bits of the ciphertext. This is referred
to as the avalanche effect.
Avalanche Effect in DES: Change in Plaintext
• This slide shows the result
when the fourth bit of the
plaintext is changed, so that the
plaintext is 12468aceeca86420.
• The second column of the table
shows the intermediate 64-bit
values at the end of each round
for the two plaintexts.
• The third column shows the
number of bits that differ
between the two intermediate
values
Avalanche Effect in DES: Change in Key

• This slide shows the result

when the fourth bit of the key is
changed, so that the key is
1f1571c947d9e859
Average Time Required for Exhaustive Key
Search
Number of Time Required
Key Size Alternative Time Required at 109 at 1013
(bits) Cipher Keys Decryptions/s Decryptions/s
56 DES 256 ≈ 7.2 × 1016 255 ns = 1.125 years 1 hour

128 AES 2128 ≈ 3.4 × 1038 2127 ns = 5.3 × 1021 5.3 × 1017
years years
168 Triple DES 2168 ≈ 3.7 × 1050 2167 ns = 5.8 × 1033 5.8 × 1029
years years
192 AES 2192 ≈ 6.3 × 1057 2191 ns = 9.8 × 1040 9.8 × 1036
years years
256 AES 2256 ≈ 1.2 × 1077 2255 ns = 1.8 × 1060 1.8 × 1056
years years
26 Monoalphabet 2! = 4 × 1026 2 × 1026 ns = 6.3 × 109 6.3 × 106 years
characters ic years
(permutation
)
Internal Structure of DES

The structure of DES as depicted in previous slides shows the internal

functions. The building blocks are the initial and final permutation, the
actual DES rounds with its core, the f -function, and the key schedule.
Initial and Final Permutation

• Bitwise Permutations
• Inverse operations
• Described by tables IP and 𝐼𝑃−1 .
Single Round of DES Algorithm

Li = Ri-1
Ri = Li-1 F(Ri-1, Ki)
The f-Function
The Expansion Function E
Add Round Key
The DES S-Boxes
Permutation P
Strength of DES
• Timing attacks
• One in which information about the key or the plaintext
is obtained by observing how long it takes a given
implementation to perform decryptions on various
ciphertexts
• Exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time
on different inputs
• So far it appears unlikely that this technique will ever be
successful against DES or more powerful symmetric
ciphers such as triple DES and AES
Block Cipher Design Principles: Number of
Rounds
• The greater the number of rounds, the more difficult it
is to perform cryptanalysis
• In general, the criterion should be that the number of
rounds is chosen so that known cryptanalytic efforts
require greater effort than a simple brute-force key
search attack
• If DES had 15 or fewer rounds, differential cryptanalysis
would require less effort than a brute-force key search
Block Cipher Design Principles: Design of
Function F
• The heart of a Feistel block cipher is the function F
• The more nonlinear F, the more difficult any type of cryptanalysis will be
• The SAC and BIC criteria appear to strengthen the effectiveness of the
confusion function

The algorithm should have good avalanche properties

• Strict avalanche criterion (SAC)

• States that any output bit j of an S-box should change with
probability 1/2 when any single input bit i is inverted for all i , j
• Bit independence criterion (BIC)
• States that output bits j and k should change independently when any
single input bit i is inverted for all i , j , and k
Block Cipher Design Principles:
Key Schedule Algorithm
• With any Feistel block cipher, the key is used to generate
one subkey for each round
• In general, we would like to select subkeys to maximize
the difficulty of deducing individual subkeys and the
difficulty of working back to the main key
• It is suggested that, at a minimum, the key schedule
should guarantee key/ciphertext Strict Avalanche
Criterion and Bit Independence Criterion
Summary
• Explain the concept of the avalanche effect
• Discuss the cryptographic strength of DES
• Summarize the principal block cipher design principles
• Understand the distinction between stream ciphers and block
ciphers
• Present an overview of the Feistel cipher and explain how
decryption is the inverse of encryption
• Present an overview of Data Encryption Standard (DES)
Questions
&
Discussions