Block Ciphers

and
The Data Encryption Standard

Dr A K Sahoo
 Modern Block Ciphers
• One of the most widely used types of
cryptographic algorithms
• Provide secrecy /authentication services
• Focus on DES (Data Encryption Standard)
• To illustrate block cipher design principles
 Block versus Stream Ciphers
• Block ciphers process messages in blocks,
each of which is then en/decrypted
• Like a substitution on very big characters
– 64-bits or more
• Stream ciphers process messages a bit or
byte at a time when en/decrypting
• Many current ciphers are block ciphers
• Broader range of applications
 Block Cipher Principles
• Most symmetric block ciphers are based on a
Feistel cipher structure
• Needed since must be able to decrypt
ciphertext to recover messages efficiently
• Block ciphers look like an extremely large
substitution
• Would need table of 264 entries for a 64-bit
block
• Instead create from smaller building blocks
• Using idea of a product cipher
Ideal Block Cipher
 Claude Shannon and Sub/Per Ciphers
• Claude Shannon introduced idea of
substitution-permutation (S-P) networks
• Form basis of modern block ciphers
• S-P nets are based on the two primitive
cryptographic operations seen before:
– Substitution (s-box)
– Permutation (p-box)
• Provide confusion & diffusion of message &
key
 Confusion and Diffusion
• Cipher needs to completely obscure
statistical properties of original message
• More practically Shannon suggested
combining S & P elements to obtain:
• Diffusion – dissipates statistical structure
of plaintext over bulk of ciphertext
• Confusion – makes relationship between
ciphertext and key as complex as possible
 Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
– Based on concept of invertible product cipher
• Partitions input block into two halves
– Process through multiple rounds which
– Perform a substitution on left data half
– Based on round function of right half & subkey
– Then have permutation swapping halves
• Implements Shannon’s S-P net concept
Feistel Cipher Structure
 Feistel Cipher Design Elements
• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function
• Fast software en/decryption
• Ease of analysis
Feistel Cipher Decryption
 Data Encryption Standard (DES)
• Most widely used block cipher in
world
• Adopted in 1977 by National Bureau
of Standards (now NIST)
• Encrypts 64-bit data using 56-bit key
• Has widespread use
• Has been considerable controversy
over its security
 DES History
• IBM developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• Then redeveloped as a commercial cipher
with input from National Security Agency
and others
• In 1973, NBS issued request for proposals
for a national cipher standard
• IBM submitted their revised lucifer which
was eventually accepted as the DES
 DES Design Controversy
• Although DES standard is public
• Was considerable controversy over design
– In choice of 56-bit key (vs lucifer 128-bit)
– And because design criteria were classified
• Subsequent events and public analysis
show in fact design was appropriate
• Use of DES has flourished
– Especially in financial applications
– Still standardised for legacy application use
DES Encryption Overview
 Initial Permutation IP
• First step of the data computation
• IP reorders the input data bits
• Even bits to LH half, odd bits to RH half
• Quite regular in structure (easy in h/w)
• Example:

IP(675a6967 5e5a6b5a) =
(ffb2194d 004df6fb)
 DES Round Structure
• Uses two 32-bit L & R halves
• As for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1  F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit subkey:
– Expands R to 48-bits using perm E
– Adds to subkey using XOR
– Passes through 8 S-boxes to get 32-bit result
– Finally permutes using 32-bit perm P
DES Round Structure
 Substitution Boxes [S]
• Have eight s-boxes which map 6 to 4 bits
• Each S-box is actually 4 little 4 bit boxes
– Outer bits 1 & 6 (row bits) select one row of 4
– Inner bits 2-5 (col bits) are substituted
– Result is 8 lots of 4 bits, or 32 bits
• Row selection depends on both data & key
– Feature known as autoclaving (auto-keying)
• Example:
– S(18 09 12 3d 11 17 38 39) = 5fd25e03
 DES Key Schedule
• Forms sub-keys used in each round
– Initial permutation of the key (PC1) which
selects 56-bits in two 28-bit halves
– 16 stages consisting of:
• Rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
• Selecting 24-bits from each half & permuting them
by PC2 for use in round function F
• Note practical use issues in h/w vs s/w
 DES Decryption
• Decrypt must unwind steps of data
computation
• With Feistel design, do encryption steps again
using sub-keys in reverse order (SK16 … SK1)
– IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encrypt round
– ….
– 16th round with SK1 undoes 1st encrypt round
– Then final FP undoes initial encryption IP
– Thus recovering original data value
 Avalanche Effect
• Key desirable property of encryption
algorithm
• Where a change of one input or key
bit results in changing approx half
output bits
• Making attempts to “home-in” by
guessing keys impossible
• DES exhibits strong avalanche
 Strength of DES – Key Size
• 56-bit keys have 256 = 7.2 x 1016 values
• Brute force search looks hard
• Recent advances have shown is possible
– In 1997 on Internet in a few months
– In 1998 on dedicated h/w (EFF) in a few days
– In 1999 above combined in 22hrs!
• Still must be able to recognize plaintext
• Must now consider alternatives to DES
 Strength of DES – Analytic Attacks
• Now have several analytic attacks on DES
• These utilise some deep structure of the cipher
– By gathering information about encryptions
– Can eventually recover some/all of the sub-key bits
– If necessary then exhaustively search for the rest
• Generally these are statistical attacks
• Include
– Differential cryptanalysis
– Linear cryptanalysis
– Related key attacks
 Strength of DES – Timing Attacks
• Attacks actual implementation of cipher
• Use knowledge of consequences of
implementation to derive information about
some/all sub-key bits
• Specifically use fact that calculations can take
varying times depending on the value of the
inputs to it
• Particularly problematic on smartcards
 Differential Cryptanalysis
• One of the most significant recent
(public) advances in cryptanalysis
• Known by NSA in 70's of DES design
• Murphy, Biham & Shamir published in
90’s
• Powerful method to analyse block ciphers
• Used to analyse most current block
ciphers with varying degrees of success
• DES reasonably resistant to it
 Differential Cryptanalysis
• A statistical attack against Feistel ciphers
• Uses cipher structure not previously used
• Design of S-P networks has output of function
F influenced by both input & key
• Hence cannot trace values back through
cipher without knowing value of the key
• Differential cryptanalysis compares two
related pairs of encryptions
 Differential Cryptanalysis Compares
Pairs of Encryptions
• With a known difference in the input
• Searching for a known difference in output
• When same sub-keys are used
 Differential Cryptanalysis
• Have some input difference giving some
output difference with probability p
• If find instances of some higher
probability input / output difference pairs
occurring
• Can infer sub-key that was used in round
• Then must iterate process over many
rounds (with decreasing probabilities)
Differential Cryptanalysis
 Differential Cryptanalysis
• Perform attack by repeatedly encrypting plaintext pairs
with known input XOR until obtain desired output XOR
• When found
– If intermediate rounds match required XOR have a right pair
– If not then have a wrong pair, relative ratio is S/N for attack
• Can then deduce keys values for the rounds
– Right pairs suggest same key bits
– Wrong pairs give random values
• For large numbers of rounds, probability is so low that
more pairs are required than exist with 64-bit inputs
• Biham and Shamir have shown how a 13-round iterated
characteristic can break the full 16-round DES
 Linear Cryptanalysis
• Another recent development
• Also a statistical method
• Must be iterated over rounds, with decreasing
probabilities
• Developed by Matsui et al in early 90's
• Based on finding linear approximations
• Can attack DES with 243 known plaintexts,
easier but still in practice infeasible
 Linear Cryptanalysis
• Find linear approximations with prob p != ½
P[i1,i2,...,ia]  C[j1,j2,...,jb] =
k[k1,k2,...,Kc]
Where ia,jb,kc are bit locations in P,C,K
• Gives linear equation for key bits
• Get one key bit using max likelihood algorithm
• Using a large number of trial encryptions
 DES Design Criteria
• As reported by Coppersmith in [COPP94]
• 7 criteria for S-boxes provide for
– Non-linearity
– Resistance to differential cryptanalysis
– Good confusion
• 3 criteria for permutation P provide for
– Increased diffusion
 Block Cipher Design
• Basic principles still like Feistel’s in 1970’s
• Number of rounds
– More is better, exhaustive search best attack
• Function F:
– Provides “confusion”, is nonlinear, avalanche
– Have issues of how S-boxes are selected
• Key schedule
– Complex sub-key creation, key avalanche
 Multiple Encryption & DES
• Clearly a replacement for DES was needed
– Theoretical attacks that can break it
– Demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• Prior to this alternative was to use
multiple encryption with DES
implementations
• Triple-DES (3DES) is the chosen form
 Double-DES?
• Could use 2 DES encrypts on each block
– C = EK2(EK1(P))
• Issue of reduction to single stage
• And have “meet-in-the-middle” attack
– Works whenever use a cipher twice
– Since X = EK1(P) = DK2(C)
– Attack by encrypting P with all keys and store
– Then decrypt C with keys and match X value
– Can show takes O(256) steps
 Triple-DES with Two-Keys
• Hence must use 3 encryptions
–Would seem to need 3 distinct keys
• But can use 2 keys with E-D-E sequence
–C = ek1(dk2(ek1(p)))
–NB encrypt & decrypt equivalent in
security
–If K1=K2 then can work with single DES
• Standardized in ANSI X9.17 & iso8732
• No current known practical attacks
 Triple-DES with Three-Keys
• Although are no practical attacks on
two-key Triple-DES have some
indications
• Can use Triple-DES with Three-Keys to
avoid even these
–C = EK3(DK2(EK1(P)))
• Has been adopted by some Internet
applications, e.g. PGP, S/MIME
 Modes of Operation

Block Ciphers vs Stream Ciphers

• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feed Back (CFB)
• Output Feed Back (OFB)
• Counter (CTR)
 Modes of Operation
• Block ciphers encrypt fixed size blocks
– e.g. DES encrypts 64-bit blocks with 56-bit
key
• Need some way to en/decrypt arbitrary
amounts of data in practice
• ANSI X3.106-1983 Modes of Use (now
FIPS 81) defines 4 possible modes
• Subsequently 5 defined for AES & DES
• Have block and stream modes
 Electronic Code Book (ECB)
• Message is broken into independent
blocks which are encrypted
• Each block is a value which is substituted,
like a codebook, hence name
• Each block is encoded independently of
the other blocks
Ci = DESK1(Pi)
• Uses: secure transmission of single values
Electronic Codebook Book (ECB)
 Advantages and Limitations of ECB
• Message repetitions may show in ciphertext
– If aligned with message block
– Particularly with data such graphics
– Or with messages that change very little, which
become a code-book analysis problem
• Weakness is due to the encrypted message
blocks being independent
• Primary use is sending a few blocks of data
 Cipher Block Chaining (CBC)
• Message is broken into blocks
• Linked together in encryption operation
• Each previous cipher blocks is chained
with current plaintext block, hence name
• Use Initial Vector (IV) to start process
Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
• Uses: bulk data encryption, authentication
Cipher Block Chaining (CBC)
 Message Padding
• At end of message must handle a possible last
short block
– Which is not as large as block size of cipher
– Pad either with known non-data value (e.g. NULL)
– Or pad last block along with count of pad size
• e.g. [ B1 B2 B3 0 0 0 0 5]
• Means have 3 data bytes, then 5 bytes pad+count
– This may require an extra entire block over those
in message
• There are other modes, which avoid the need
for an extra block.
 Advantages and Limitations of CBC
• A ciphertext block depends on all blocks
before it
• Any change to a block affects all following
ciphertext blocks
• Need Initialization Vector (IV)
– Which must be known to sender & receiver
– If sent in clear, attacker can change bits of first block, and
change IV to compensate
– Hence IV must either be a fixed value (as in EFT-POS)
– Or must be sent encrypted in ECB mode before rest of
message
 Cipher Feed Back (CFB)
• Message is treated as a stream of bits
• Added to the output of the block cipher
• Result is feed back for next stage (hence name)
• Standard allows any number of bit (1,8, 64 or 128
etc) to be feed back
– Denoted CFB-1, CFB-8, CFB-64, CFB-128 etc
• Most efficient to use all bits in block (64 or 128)
Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
• Uses: stream data encryption, authentication
Cipher Feed Back (CFB)
 Advantages and Limitations of CFB
• Appropriate when data arrives in bits/
bytes
• Most common stream mode
• Limitation is need to stall while do block
encryption after every n-bits
• Note that the block cipher is used in
encryption mode at both ends
• Errors propagate for several blocks after
the error
 Output Feed Back (OFB)
• Message is treated as a stream of bits
• Output of cipher is added to message
• Output is then feed back (hence name)
• Feedback is independent of message
• Can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = Nonce
• Uses: stream encryption on noisy
Output Feed Back (OFB)
 Advantages and Limitations of OFB
• Bit errors do not propagate
• More vulnerable to message stream
modification
• A variation of a Vernam cipher
– Hence must never reuse the same
sequence (key+ Nonce)
• Sender & receiver must remain in sync
• Originally specified with m-bit feedback
• Subsequent research has shown that only full
block feedback (i.e. CFB-64 or CFB-128)
should ever be used
 Counter (CTR)
• A “new” mode, though proposed early on
• Similar to OFB but encrypts counter value
rather than any feedback value
• Must have a different key & counter value
for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
• Uses: high-speed network encryptions
Counter (CTR)
 Advantages and Limitations of CTR
• Efficiency
– Can do parallel encryptions in h/w or s/w
– Can preprocess in advance of need
– Good for bursty high speed links
• Random access to encrypted data blocks
• Provable security (good as other modes)
• But must ensure never reuse key/counter
values, otherwise could break
 Stream Ciphers
• Process message bit by bit (as a stream)
• Have a pseudo random keystream
• Combined (XOR) with plaintext bit by bit
• Randomness of stream key completely
destroys statistically properties in
message
– Ci = Mi XOR StreamKeyi
• But must never reuse stream key
– Otherwise can recover messages
Stream Cipher Structure
 Stream Cipher Properties
• Some design considerations are:
– Long period with no repetitions
– Statistically random
– Depends on large enough key
– Large linear complexity
• Properly designed, can be as secure as a
block cipher with same size key
• But usually simpler & faster