
Lecture 5


BLOCK CIPHERS

(Iterated) Block Cipher


• Plaintext and ciphertext consist of fixed-sized
blocks
• Ciphertext obtained from plaintext by iterating
a round function
• Input to round function consists of key and
output of previous round
Feistel Cipher: Encryption
• A Feistel cipher is a type of block cipher; it is a general
cipher design principle
– Not a specific block cipher
• Split plaintext block into left and right halves: P =
(L0, R0)
• For each round i = 1, 2, ..., n, compute
Li = Ri−1
Ri = Li−1 ⊕ F(Ri−1, Ki)
where F is round function and Ki is subkey
• Ciphertext: C = (Ln, Rn)
Feistel Cipher: Decryption
• Start with ciphertext C = (Ln, Rn)
• For each round i = n, n−1, …, 1, compute
Ri−1 = Li
Li−1 = Ri ⊕ F(Ri−1, Ki)
where F is round function and Ki is subkey
• Plaintext: P = (L0, R0)
Feistel Cipher
Data Encryption Standard (DES)
• DES is a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST).
• DES is an implementation of a Feistel Cipher.
– It uses a 16-round Feistel structure.
– The block size is 64 bits; each Li and Ri is 32 bits.
– Although the key length is 64 bits, DES has an effective key
length of 56 bits.
– 8 of the 64 bits of the key are not used by the encryption
algorithm.
– 16 intermediary keys, each 48 bits.
Key Generation
• The bits of the key are numbered from 1 through 64.
• The keys are actually stored as being 64 bits long, but every 8th bit in the key is not used (i.e.
bits numbered 8, 16, 24, 32, 40, 48, 56, and 64). As you will see, the eight bits just mentioned
get eliminated when we create subkeys.

• The key is first subjected to Permuted Choice One


Key Generation
• The resulting 56-bit key is then treated as two 28-bit
quantities, labeled C0 and D0
• At each round, Ci-1 and Di-1 are separately subjected
to a circular left shift, or rotation, of 1 or 2 bits
Key Generation
• These shifted values serve as input to the next round.
• They also serve as input to Permuted Choice Two,
which produces a 48-bit output that serves as input
to the function F(Ri-1, Ki)
DES Encryption
• As with any encryption scheme, there are two
inputs to the encryption function: the
plaintext to be encrypted and the key.
DES Encryption
• The processing of the plaintext proceeds in
three phases:
1. The 64-bit plaintext passes through an initial
permutation (IP) that rearranges the bits to
produce the permuted input.
DES Encryption
2. This is followed by a phase consisting of 16
rounds of the same function, which involves both
permutation and substitution functions.
• The output of the last (sixteenth) round consists of
64 bits that are a function of the input plaintext and
the key.
• The left and right halves of the output are swapped
to produce the preoutput.
DES Encryption
3. Finally, the preoutput is passed through a permutation
that is the inverse of the initial permutation
function, to produce the 64-bit ciphertext.
Single Round of DES Encryption
• The left and right halves of each 64-bit
intermediate value are treated as separate 32-
bit quantities, labeled L (left) and R (right).
• As in any classic Feistel cipher, the overall
processing at each round can be summarized
in the following formulas:
– Li = Ri−1
– Ri = Li−1 ⊕ F(Ri−1, Ki)
Single Round of DES Encryption
• This function F is the main part of every round
and consists of four separate stages:
1. The E-box expansion permutation: here the 32-
bit input data from Ri−1 is expanded and
permuted to give the 48 bits necessary for
combination with the 48 bit key
Single Round of DES Algorithm
Single Round of DES Encryption
2. Exclusive OR of the E-box output and the 48-bit subkey Ki.
3. The S-box substitution: this is a highly important
substitution which accepts a 48-bit input and outputs a
32-bit number.
• There are 8 S-boxes (S1, S2, . . . , S8) each of which accepts
one of the 6 bit blocks.
• The output of each S-box is a 4-bit number.
S-box substitution
• Each of the S-boxes can be thought of as a 4 × 16 matrix.
• Each cell of the matrix is identified by a coordinate pair (i,
j), where 0 ≤ i ≤ 3 and 0 ≤ j ≤ 15.
• The value of i is taken as the decimal representation of the
first and last bits of the input to each S-box, i.e. Dec(b1b6)
= i, and the value of j is taken from the decimal
representation of the inner four bits that remain, i.e.
Dec(b2b3b4b5) = j.
• Each cell within the S-box matrices contains a 4-bit number
which is output once that particular cell is selected by the
input.
S-box substitution
• Example 1 The input to S-box 1 is 100011. What is
the output?
• Solution: If we write the first and the sixth bits
together, we get 11 in binary, which is 3 in decimal.
• The remaining bits are 0001 in binary, which is 1 in
decimal. We look for the value in row 3, column 1,
in S-box 1. The result is 12 in decimal, which in
binary is 1100.
• So the input 100011 yields the output 1100.
Single Round of DES Encryption
4. The P-box permutation: This simply permutes the output
of the S-box without changing the size of the data.
• It is simply a permutation and nothing else.
DES Decryption
• As with any Feistel cipher, decryption uses the
same algorithm as encryption, except that the
order of the subkeys is reversed
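The Feistel encryption and decryption rounds given earlier, together with the statement above that decryption is the encryption algorithm with the subkey order reversed, as an added example (not part of the original slides). The round function F here is a toy built from truncated SHA-256, and the subkeys and plaintext are constructed sample values; none of them are DES's own.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def F(r, k):
    """Toy round function (assumption, not DES's F): truncated SHA-256.
    It is deliberately non-invertible; a Feistel network never inverts F."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def encrypt(block, subkeys):
    """Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki) for i = 1..n; returns (Ln, Rn)."""
    l, r = block >> 32, block & MASK32
    for k in subkeys:
        l, r = r, l ^ F(r, k)
    return (l << 32) | r

def decrypt(block, subkeys):
    """Ri-1 = Li, Li-1 = Ri XOR F(Ri-1, Ki) for i = n..1; returns (L0, R0)."""
    l, r = block >> 32, block & MASK32
    for k in reversed(subkeys):
        l, r = r ^ F(l, k), l
    return (l << 32) | r

def swap(block):
    """Exchange the 32-bit halves, as DES does after its last round."""
    return ((block & MASK32) << 32) | (block >> 32)

def decrypt_via_encrypt(block, subkeys):
    """Decrypt using only encrypt(): swap the halves, run the same rounds
    with the subkeys in reverse order, then swap back."""
    return swap(encrypt(swap(block), subkeys[::-1]))

# Constructed sample values
SUBKEYS = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0]
PLAINTEXT = 0x0123456789ABCDEF

if __name__ == "__main__":
    c = encrypt(PLAINTEXT, SUBKEYS)
    print(f"ciphertext          {c:016x}")
    print(f"decrypt             {decrypt(c, SUBKEYS):016x}")
    print(f"decrypt_via_encrypt {decrypt_via_encrypt(c, SUBKEYS):016x}")
```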
DES Weak Keys
• DES has 4 weak keys (64-bit):
– 01010101 01010101
– FEFEFEFE FEFEFEFE
– E0E0E0E0 F1F1F1F1
– 1F1F1F1F 0E0E0E0E
• Using weak keys, the outcome of the Permuted Choice 1 (PC1)
in the DES key schedule leads to round keys (K1–K16) being
either all zeros, all ones or alternating zero-one patterns.
• Since all the subkeys are identical, and DES is a Feistel
network, the encryption function becomes self-inverting; that
is, encrypting twice with a weak key K produces the original
plaintext.
– EK(EK(x)) = x for all x, i.e., the encryption and the
decryption are the same
• Weak keys should be avoided at key generation
Double DES
Triple DES
• Use three different keys
• Encrypt: C = EK3 [ DK2 [ EK1 [P] ] ]
• Decrypt: P = DK1 [ EK2 [ DK3 [C] ] ]
• The standard specifies three keying options:
1) Keying option 1: All three keys are independent.
2) Keying option 2: K1 and K2 are independent, and
K3 = K1 .
3) Keying option 3: All three keys are identical, i.e.
K1 = K2 = K3 .
Triple DES (Encryption)
Triple DES
• Using keying option 1: the key space is 56 × 3 =
168 bits. No known practical attack against it.
• Keying option 2 provides less security than
option 1, with 2 × 56 = 112 key bits. However,
this option is stronger than double DES (with
K1 and K2).
• Keying option 3 is equivalent to DES, with only
56 key bits.
