Chapter 3

Block Ciphers and the Data

Encryption Standard
 Learning Outcomes

After studying this chapter, you should be able to

• Understand the distinction between stream ciphers and block
ciphers.
• Present an overview of the Feistel cipher and explain how
decryption is
• the inverse of encryption.
• Present an overview of Data Encryption Standard (DES).
• Explain the concept of the avalanche effect.
• Discuss the cryptographic strength of DES.
• Summarize the principal block cipher design principles.
 Stream Cipher
For practical reasons the
In the ideal case a one-
bit-stream generator must
time pad version of the
Encrypts a digital data be implemented as an
Vernam cipher would be
stream one bit or one byte algorithmic procedure so
used, in which the
at a time that the cryptographic bit
keystream is as long as
stream can be produced
the plaintext bit stream
by both users
Examples: If the cryptographic It must be
• Autokeyed Vigenère keystream is random, computationally
cipher then this cipher is impractical to predict
• Vernam cipher unbreakable by any future portions of the
means other than bit stream based on
acquiring the previous portions of
keystream the bit stream
• Keystream must be
provided to both users in
advance via some
independent and secure
channel
• This introduces The two users need
insurmountable logistical only share the
problems if the intended generating key and
data traffic is very large each can produce the
keystream
 Block Cipher

A block of
plaintext is treated
Typically a block
as a whole and
size of 64 or 128
used to produce a
bits is used
ciphertext block of
equal length

The majority of
As with a stream network-based
cipher, the two symmetric
users share a cryptographic
symmetric applications make
encryption key use of block
ciphers
Stream Cipher and
Block Cipher
• A block cipher operates on a plaintext block of n
bits to produce a ciphertext block of n bits.
• There are 2n possible different plaintext blocks and,
for the encryption to be reversible (i.e., for
decryption to be possible), each must produce a
unique ciphertext block.
• Such a transformation is called reversible, or
nonsingular.
• reversible mappings, the number of different
transformations is 2n!.
 Table 3.1
Encryption and Decryption Tables for Substitution Cipher of Figure
3.2

• Feistel refers to this as the ideal block cipher because it allows for maximum number of
possible encryption mappings from the plaintext block
• There is a practical problem with the ideal block cipher (for small size, equivalent to a
classical substitution cipher, for large size not practicle from an implementation and
performance point of view)
 Table 3.1

• If a small blocksize, such as n = 4, is used, then the system is

equivalent to a classical substitution cipher.

• Such systems, as we have seen, are vulnerable to a statistical

analysis of the plaintext.

• This weakness is not inherent in the use of a substitution cipher

but rather results from the use of a small block size.

• If n is sufficiently large and an arbitrary reversible substitution

between plaintext and ciphertext is allowed, then the statistical
characteristics of the source plaintext are masked to such an
extent that this type of cryptanalysis is infeasible.
 Feistel Cipher
• In general, for an n-bit ideal block cipher, the length of the key
defined in this fashion is n x 2n bits.

• In particular, Feistel proposed the use of a cipher that alternates

substitutions and permutations,

• In fact, Feistel’s is a practical application of a proposal by Claude

Shannon to develop a product cipher that alternates confusion
and diffusion functions

• Shannon suggests two methods for frustrating statistical

cryptanalysis: diffusion and confusion
 Feistel Cipher
• Proposed the use of a cipher that alternates
substitutions and permutations (approximate the
ideal block cipher)
• Each plaintext element or group of elements
Substitutions is uniquely replaced by a corresponding
ciphertext element or group of elements

• No elements are added or deleted or

Permutation replaced in the sequence, rather the order
in which the elements appear in the
sequence is changed

• Execution of two or more simple ciphers in a

sequence
• Is the structure used by many significant
symmetric block ciphers currently in use
 Diffusion and Confusion
• Terms introduced by Claude Shannon to capture
the two basic building blocks for any
cryptographic system
• Shannon’s concern was to thwart cryptanalysis
based on statistical analysis
Diffusion
• The statistical structure of the plaintext is dissipated into long-range statistics of
the ciphertext
• This is achieved by having each plaintext digit affect the value of many ciphertext
digits

Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the
value of the encryption key as complex as possible
• Even if the attacker can get some handle on the statistics of the ciphertext, the
way in which the key was used to produce that ciphertext is so complex as to
make it difficult to deduce the key
 Diffusion and Confusion
• Terms introduced by Claude Shannon to capture the two basic
building blocks for any cryptographic system
• Shannon’s concern was to thwart cryptanalysis based on
statistical analysis
• An example of diffusion is to encrypt a message
• M = m1, m2, m3, . . . of characters with an averaging operation:

• adding k successive letters to get a ciphertext letter yn

• Diffusion makes the statistical relationship between the
plaintext and ciphertext as complex as possible
• Confusion makes the statistical relation between the
ciphertext and the value of key as complex as possible
Feistel Cipher
Structure
 Feistel Cipher Design
Features
• Block size • Round function F
• Larger block sizes mean greater
security but reduced • Greater complexity generally
encryption/decryption speed for means greater resistance to
a given algorithm cryptanalysis

• Key size • Fast software

encryption/decryption
• Larger key size means greater
security but may decrease • In many cases, encrypting is
encryption/decryption speeds embedded in applications or
utility functions in such a way as
to preclude a hardware
• Number of rounds implementation; accordingly,
• The essence of the Feistel cipher the speed of execution of the
is that a single round offers algorithm becomes a concern
inadequate security but that
multiple rounds offer increasing • Ease of analysis
security
• If the algorithm can be concisely
and clearly explained, it is easier
• Subkey generation algorithm to analyze that algorithm for
• Greater complexity in this cryptanalytic vulnerabilities and
algorithm should lead to greater therefore develop a higher level
difficulty of cryptanalysis of assurance as to its strength
Feistel Example
 Data Encryption Standard (DES)

• Issued in 1977 by the National Bureau of Standards

(now NIST) as Federal Information Processing
Standard 46
• Was the most widely used encryption scheme until the
introduction of the Advanced Encryption Standard
(AES) in 2001
• Algorithm itself is referred to as the Data Encryption
Algorithm (DEA)
• Data are encrypted in 64-bit blocks using a 56-bit key
• The algorithm transforms 64-bit input in a series of steps
into a 64-bit output
• The same steps, with the same key, are used to reverse
the encryption
 DES
Encryption
Algorithm

Each round performs permutation

and substitution
Table 3.2

DES
Example
(Table can be found on
page 95 in textbook)

Note: DES subkeys are shown as eight 6-bit values in hex format
 Avalanche Effect
• A desirable property of any encryption algorithm is that:
• A small change in either the plaintext or the key should
produce a significant change in the ciphertext.
• In particular, a change in one bit of the plaintext or one bit of
the key should produce a change in many bits of the
ciphertext. This is referred to as the avalanche effect
• If the change were small, this might provide a way to reduce
the size of the plaintext or key space to be searched.
Table 3.3 Avalanche Effect in DES: Change in Plaintext
Table 3.4 Avalanche Effect in DES: Change in Key
 Table 3.5
Average Time Required for Exhaustive Key Search
 Strength of DES
• Timing attacks
• One in which information about the key or the
plaintext is obtained by observing how long it takes
a given implementation to perform decryptions on
various ciphertexts
• Exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of
time on different inputs
• So far it appears unlikely that this technique will
ever be successful against DES or more powerful
symmetric ciphers such as triple DES and AES
Block Cipher Design Principles:
Number of Rounds

In general, the
criterion should be
that the number of
rounds is chosen so If DES had 15 or
The greater the that known fewer rounds,
number of rounds, cryptanalytic efforts differential
the more difficult it is require greater effort cryptanalysis would
to perform than a simple brute- require less effort
cryptanalysis force key search than a brute-force
attack key search
 Block Cipher Design Principles:
Design of Function F
• The heart of a Feistel The algorithm should have good
block cipher is the
function F avalanche properties

• The more nonlinear F,

the more difficult any • Strict avalanche criterion (SAC)
type of cryptanalysis will • States that any output bit j of an S-box should
change with probability 1/2 when any single input bit
be i is inverted for all i , j

• The SAC and BIC • Bit independence criterion (BIC)

• States that output bits j and k should change
criteria appear to independently when any single input bit i is inverted
for all i , j , and k
strengthen the
effectiveness of the
confusion function
Block Cipher Design Principles:
Key Schedule Algorithm
• With any Feistel block cipher, the key is used to
generate one subkey for each round

• In general, we would like to select subkeys to

maximize the difficulty of deducing individual
subkeys and the difficulty of working back to the
main key

• It is suggested that, at a minimum, the key

schedule should guarantee key/ciphertext Strict
Avalanche Criterion and Bit Independence
Criterion
 Summary
• Traditional Block • The strength of DES
Cipher Structure • Use of 56-bit keys
• Stream ciphers • Nature of the DES
• Block ciphers algorithm
• Feistel cipher • Timing attacks

• The Data Encryption • Block cipher design

Standard (DES) principles
• Encryption • DES design criteria
• Decryption • Number of rounds
• Avalanche effect • Design of function F
• Key schedule
algorithm