Block Ciphers and DES

1
 Modern Block Ciphers
• One of the most widely used types of
cryptography algorithms
• It provide strong secrecy and/or
authentication services
• In particular, we will introduce DES (Data
Encryption Standard)

2
 Block vs Stream Ciphers
• Block ciphers process messages into blocks,
each of which is then en/decrypted
• Like a substitution on very big characters
– 64-bits or more
• Stream ciphers process messages a bit or byte
at a time when en/decrypting
• Many current ciphers are block ciphers

3
4
5
 Block Cipher Principles
• Block ciphers look like an extremely large
substitution
• We would need table of 264 entries for a 64-bit block
• Arbitrary reversible substitution cipher for a large
block size is not practical
– 64-bit general substitution block cipher, key size 264!
• Most symmetric block ciphers are based on a Feistel
Cipher Structure
• Needed since must be able to decrypt ciphertext to
recover messages efficiently

6
 Shannon Substitution-Permutation Ciphers

• In 1949, Shannon introduced idea of substitution-

permutation (S-P) networks
– modern substitution-transposition product cipher
• These form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations:
– substitution (S-box)
– permutation (P-box) (transposition)
• He also introduced the ideas of confusion and
diffusion

7
 Diffusion and Confusion
• Introduced by Claude Shannon to thwart
cryptanalysis based on statistical analysis
– Assume the attacker has some knowledge of the
statistical characteristics of the plaintext
• Cipher needs to completely obscure statistical
properties of original message

8
 Diffusion and Confusion

• More practically Shannon suggested

combining elements to obtain:
– diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
– confusion – makes relationship between
ciphertext and key as complex as possible

9
 Feistel Cipher Structure
• Horst Feistel devised the feistel cipher
– implements Shannon’s substitution-permutation
network concept
• Partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves

10
Feistel Cipher Structure

11
 Feistel Cipher
• n sequential rounds
• A substitution on the left half Li
– 1. Apply a round function F to the right half Ri and
– 2. Take XOR of the output of (1) and Li
• The round function is parameterized by the
subkey Ki
– Ki are derived from the overall key K

12
 Feistel Cipher Design Principles
• block size
– increasing size improves security, but slows cipher
• key size
– increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
• number of rounds
– increasing number improves security, but slows cipher
• subkey generation
– greater complexity can make analysis harder, but slows cipher
• round function
– greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
– are more recent concerns for practical use and testing

13
 Feistel Cipher Decryption
• The rule is as follows: Use the ciphertext as
input to the algorithm, but use the subkeys Ki
in reverse order.
• That is, use Kn in the first round, Kn–1 in the
second round, and so on until K1 is used in the
last round.
• We need not implement two different
algorithms, one for encryption and one for
decryption.

14
Feistel Cipher Decryption

15
 Data Encryption Standard (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use

16
 DES History
• IBM developed Lucifer cipher
– by team led by Feistel
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with
input from NSA and others
• in 1973 NBS issued request for proposals for a
national cipher standard
• IBM submitted their revised Lucifer which was
eventually accepted as the DES
17
 DES Design Controversy
• although DES standard is public
• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
• subsequent events and public analysis
show in fact design was appropriate
• DES has become widely used, especially in
financial applications

18
DES - Popular Example of Symmetric Cryptosystem
In 1973, the NBS (National Bureau of Standards, now called NIST -
National Institute of Standards and Technology) published a request for
an encryption algorithm that would meet the following criteria:
have a high security level
be easily understood
not depend on the algorithm's confidentiality
be adaptable and economical
be efficient and exportable

In late 1974, IBM proposed "Lucifer", which was then modified by

NSA (National Security Agency) in 1976 to become the DES (Data
Encryption Standard). The DES was approved by the NBS in 1978. The
DES was standardized by the ANSI under the name of ANSI X3.92, also
known as DEA (Data Encryption Algorithm).
DES- Example of Symmetric Cryptosystem …
DES Utilizes block cipher, which means that during the encryption
process, the plaintext is broken into fixed length blocks of 64 bits.
The key is 56 bits wide. 8-bit out of the total 64-bit block key is
used for parity check (for example, each byte has an odd number
of bits set to 1).
56-bit key gives 256 ( 7.2*1016) possible key variations

DES algorithm involves carrying out combinations, substitutions

and permutations between the text to be encrypted and the key,
while making sure the operations can be performed in both
directions (for decryption).
The combination of substitutions and permutations is called a
product cipher.
DES- Example of Symmetric Cryptosystem …

DES was best suited for implementation in hardware,

probably to discourage implementations in software, which
tend to be slow by comparison during that time.
Modern computers are so fast that satisfactory software
implementations for DES are possible.
DES is the most widely used symmetric algorithm despite
claims whether 56 bits is long enough to guarantee security.
Using current technology, 56-bit key size is vulnerable to a
brute force attack.
DES- Example of Symmetric Cryptosystem …

DES Encryption starts with an initial permutation (IP) of the 64

input bits. These bits are then divided into two 32-bit halves
called L and R. The encryption then proceeds through 16
rounds, each using the L and R parts, and a subkey.
The R and subkeys are processed in the so called f-function, and
exclusive-or of the output of the f-function with the existing L
part to create the new R part. The new L part is simply a copy of
the incoming R part.
In the final round, the L and R parts are swapped once more
before the final permutation (FP) producing the output block.
Decryption is identical to encryption, except that the subkeys are
used in the opposite order. That is, subkey 16 is used in round 1,
subkey 15 is used in round 2, etc., ending with subkey 1 being
used in round 16.
DES Algorithm - Overall and Detail Structure
DES- Example of Symmetric Cryptosystem …

The f-function mixes the bits of the R portion using the

Subkey for the current round. First the 32-bit R value is
expanded to 48 bits using a permutation E. That value is
then exclusive-or'ed with the subkey.
The 48 bits are then divided into eight 6-bit chunks, each of
which is fed into an S-Box that mixes the bits and produces
a 4-bit output. A little bit funny operation!!
Those 4-bit outputs are combined into a 32-bit value, and
permuted once again to produce the f-function output.
 The S-Box S1- Box

IfIf SS1 isisthe

thefunction
functiondefined
definedininthis
thistable
tableand
and BBisisaablock
blockofof66bits,
bits,then
then SS1(B) is determined as
1 1(B) is determined as

follows:
follows:The
Thefirst
firstand
andlast
lastbits
bitsofof BBrepresent
representininbase
base22aanumber
numberininthe
thedecimal
decimalrange
range00toto33(or
(or
binary
binary0000toto11).
11).Let
Letthat
thatnumber
numberbe bei.i.The
Themiddle
middle44bits
bitsofofBBrepresent
representininbase
base22aanumber
numberininthe
the
decimal
decimalrange
range00toto15
15(binary
(binary0000
0000toto1111).
1111).Let
Letthat
thatnumber
numberbe bej.j.Look
Lookup upininthe
thetable
tablethe
thenumber
number
ininthe
thei-th
i-throw
rowand
andj-th
j-thcolumn.
column.ItItisisaanumber
numberininthe
therange
range00toto15
15andandisisuniquely
uniquelyrepresented
representedby
byaa
44bit
bitblock.
block.That
Thatblock
blockisisthe
theoutput
output SS1(B) of S1 for the input B. For example, for input block B =
1(B) of S1 for the input B. For example, for input block B =

011011
011011the
thefirst
firstbit
bitisis"0"
"0"and
andthe
thelast
lastbit
bit"1"
"1"giving
giving01
01as
asthe
therow.
row.This
Thisisisrow
row1.1.The
Themiddle
middlefour
fourbits
bits
are
are"1101".
"1101".This
Thisisisthe thebinary
binaryequivalent
equivalentofofdecimal
decimal13,
13,so
sothe
thecolumn
columnisiscolumn
columnnumber
number13.
13.InInrow
row
1,1,column
column13
13appears
appears5.5.This
Thisdetermines
determinesthe
theoutput;
output;55isisbinary
binary 0101,
0101,so
sothat
thatthe
theoutput
outputisis0101.
0101.
Hence S (011011) = 0101.
DES- Algorithm, the f-function
DES- Example of Symmetric Cryptosystem …

To generate the subkeys, start with the 56-bit key (64 bits if
you include the parity bits). These are permuted and
divided into two halves called C and D.
For each round, C and D are each shifted left circularly one
or two bits (the number of bits depending on the round).
The 48-bit subkey is then selected from the current C and
D bits.
DES- Algorithm - Key Schedule and Subkey Generation
DES- Algorithm – One Round of DES
DES- Permutation principles

Initial Permutation (IP) Final Permutation(FP)

IP-1
IP
40 8 48 16 56 24 64 32
58 50 42 34 26 18 10 2
39 7 47 15 55 23 63 31
60 52 44 36 28 20 12 4
38 6 46 14 54 22 62 30
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8 37 5 45 13 53 21 61 29

57 49 41 33 25 17 9 1 36 4 44 12 52 20 60 28

59 51 43 35 27 19 11 3 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
61 53 45 37 29 21 13 5
33 1 41 9 49 17 57 25
63 55 47 39 31 23 15 7

“First Bit of the output is taken from the 58th bit of the input, etc...”
 DES- Permutation principles
Expansion/Permutation Contraction/Permuted Choice (PC-2)

The 32-bit half-block of data is expanded Selects/Extracts the 48-bit subkey for each
to 48 bits. round from the 56-bit key-schedule state.
E PC-2
32 1 2 3 4 5 14 17 11 24 1 5
4 5 6 7 8 9 3 28 15 6 21 10
8 9 10 11 12 13 23 19 12 4 26 8
12 13 14 15 16 17 16 7 27 20 13 2
16 17 18 19 20 21 41 52 31 37 47 55
20 21 22 23 24 25 30 40 51 45 33 48
24 25 26 27 28 29 44 49 39 56 34 53
28 29 30 31 32 1 46 42 50 36 29 32
DES- Algorithm, General depiction (W. Stallings)
DES- Single round of DES Algorithm (W. Stallings)
DES- Example of Symmetric Cryptosystem …

Cracking: The most basic method of attack for any cypher

is brute force - trying every possible key in turn.
The length of the key determines the number of possible
keys, and hence the feasibility of the approach.
DES is not adequate with this regard due to its key size
In academia, various proposals for a DES-cracking machine
were advanced.
In 1977, Diffie and Hellman proposed a machine costing an
estimated US$20 million which could find a DES key in a single
day.
By 1993, Wiener had proposed a key-search machine costing US$1
million which would find a key within 7 hours.
However, none of these early proposals were ever
implemented.
DES- Example of Symmetric Cryptosystem …

The vulnerability of DES was practically demonstrated in

1997, where RSA Security sponsored a series of contests,
offering a $10,000 prize to the first team that broke a
message encrypted with DES for the contest. That contest
was won by the DESCHALL Project, led by Rocke Verser,
Matt Curtin, and Justin Dolske, using idle cycles of
thousands of computers across the Internet.
The feasibility of cracking DES quickly was demonstrated
in 1998 when a custom DES-cracker was built by the
Electronic Frontier Foundation (EFF), a cyberspace civil
rights group, at the cost of approximately US$250,000.
Their motivation was to show that DES was breakable in
practice as well as in theory.
DES- Example of Symmetric Cryptosystem …

The EFF's US$250,000 DES

cracking machine
contained 1,856 custom
chips and could brute force
a DES key in a matter of
days - the photo shows a
DES Cracker circuit board
fitted with several Deep
Crack chips.
DES- Example of Symmetric Cryptosystem …
A variant of DES, Triple DES (3-DES), provides enhanced security by executing
the core algorithm three times in a row.
With triple length key of three 56-bit keys K1, K2 & K3, encryption is:
 Encrypt with K1
 Decrypt with K2
 Encrypt with K3
Decryption is the reverse process:
 Decrypt with K3
 Encrypt with K2
 Decrypt with K1

Setting K3 equal to K1 in these processes gives us a double length key K1, K2.
Setting K1, K2 and K3 all equal to K has the same effect as using a single-length
(56-bit key).
Thus it is possible for a system using triple-DES to be compatible with a system
using single-DES.
 Avalanche Effect
• Key desirable property of encryption
algorithm
• DES exhibits strong avalanche, where a
change of one input or key bit results in
changing approx. half output bits

38