## Chapter 3 – Block Ciphers and the Data Encryption Standard

• Simplified DES
• Block Ciphers (Feistel cipher)
• Data Encryption Standard (DES)
• Differential & Linear Cryptanalysis
• Block Ciphers Design Principles

## Simplified DES


• Similar properties and structure to DES with smaller parameters
• Educational scheme by Professor Edward Schaefer of Santa Clara University
• Encryption takes an 8-bit block of plaintext and a 10-bit key as input and produces an 8-bit block of ciphertext as output
• Decryption reverses the process with the same 10-bit key

## Simplified DES


• Scheme
– Ciphertext = IP^{-1}(f_{k2}(SW(f_{k1}(IP(plaintext)))))
• K_{1} = P8(Shift(P10(key)))
• K_{2} = P8(Shift(Shift(P10(key))))
– Plaintext = IP^{-1}(f_{k1}(SW(f_{k2}(IP(ciphertext)))))

• Key generation – figure

## Simplified DES


• Key generation example
• P10(k_{1}k_{2}k_{3}k_{4}k_{5}k_{6}k_{7}k_{8}k_{9}k_{10}) = (k_{3}k_{5}k_{2}k_{7}k_{4}k_{10}k_{1}k_{9}k_{8}k_{6})
• P8(k_{1}k_{2}k_{3}k_{4}k_{5}k_{6}k_{7}k_{8}k_{9}k_{10}) = (k_{6}k_{3}k_{7}k_{4}k_{8}k_{5}k_{10}k_{9})
• K = (10100 00010)
– P10(10100 00010) = (10000 01100)
– LS-1(10000) = (00001)
– LS-1(01100) = (11000)
– K_{1} = P8(00001 11000) = (1010 0100)
• Similarly
– K_{2} = P8(LS-2(00001) LS-2(11000)) = P8(00100 00011) = (0100 0011)

• Detailed encryption – figure

## Simplified DES


• 5 functions involved
– IP, f_{k1}(L, R), SW, f_{k2}(L, R), IP^{-1}
– IP(i_{1}i_{2}i_{3}i_{4}i_{5}i_{6}i_{7}i_{8}) = (i_{2}i_{6}i_{3}i_{1}i_{4}i_{5}i_{8}i_{7})
– IP^{-1}(i_{2}i_{6}i_{3}i_{1}i_{4}i_{5}i_{8}i_{7}) = (i_{1}i_{2}i_{3}i_{4}i_{5}i_{6}i_{7}i_{8})
– SW: switch the left and right 4 bits
– f_{k}(L, R) = (L ⊕ F(R, SK), R)
• L: left 4 bits; R: right 4 bits; ⊕: XOR
• F: a mapping involving E/P, S_{0} box, S_{1} box, P4
• SK: subkey

## Simplified DES


• F function:
– EP(n_{1}n_{2}n_{3}n_{4}) = (n_{4}n_{1}n_{2}n_{3}n_{2}n_{3}n_{4}n_{1})
– Let 8-bit subkey K_{1} = (k_{11}k_{12}k_{13}k_{14}k_{15}k_{16}k_{17}k_{18})
– E/P ⊕ K_{1}, written as two rows of 4 bits:
  n_{4}⊕k_{11}  n_{1}⊕k_{12}  n_{2}⊕k_{13}  n_{3}⊕k_{14}
  n_{2}⊕k_{15}  n_{3}⊕k_{16}  n_{4}⊕k_{17}  n_{1}⊕k_{18}
• E/P ⊕ K_{1} (rename):
  p_{00}  p_{01}  p_{02}  p_{03}
  p_{10}  p_{11}  p_{12}  p_{13}
• S0 box (row selected by (p_{00},p_{03}), column by (p_{01},p_{02})):
  1 0 3 2
  3 2 1 0
  0 2 1 3
  3 1 3 2
• S1 box (row selected by (p_{10},p_{13}), column by (p_{11},p_{12})):
  0 1 2 3
  2 0 1 3
  3 0 1 0
  2 1 0 3
• The 1st 4 bits (1st row) are fed into the S0 box to produce a 2-bit output
• The last 4 bits (2nd row) are fed into the S1 box to produce another 2-bit output

## Simplified DES

• P4(n_{1}n_{2}n_{3}n_{4}) = (n_{2}n_{4}n_{3}n_{1})

## Simplified DES

• Encryption example
• 8-bit plaintext: (1011 1101)
• IP(1011 1101) = (0111 1110)
• EP(n_{1}n_{2}n_{3}n_{4}) = (n_{4}n_{1}n_{2}n_{3}n_{2}n_{3}n_{4}n_{1})
• EP(1110) = (0111 1101)
• Let 8-bit subkey K_{1} = (1010 0100)
• E/P ⊕ K_{1} = (0111 1101) ⊕ (1010 0100) = (1101 1001), written as two rows:
  p_{00}p_{01}p_{02}p_{03} = 1101
  p_{10}p_{11}p_{12}p_{13} = 1001
• (P_{00},P_{03}) = (11) → 3, (P_{01},P_{02}) = (10) → 2
– From S0 box, row 3, column 2, gets **3** ((11) in binary)
• (P_{10},P_{13}) = (11) → 3, (P_{11},P_{12}) = (00) → 0
– From S1 box, row 3, column 0, gets **2** ((10) in binary)
• After S0, S1 boxes, we get (1110)
• P4(1110) = (1011) // end of F function

## Simplified DES

• f_{k1}(L, R) = (L ⊕ F(R, SK), R)
– = ((0111) ⊕ (1011), 1110)
– = (1100 1110)
• SW(1100 1110) = (1110 1100)
**• Starting the f_{k2} function**
• EP(1100) = (0110 1001)
• K_{2} = (0100 0011)
• E/P ⊕ K_{2} = (0110 1001) ⊕ (0100 0011) = (0010 1010)

## Simplified DES

• E/P ⊕ K_{2}, written as two rows:
  p_{00}p_{01}p_{02}p_{03} = 0010
  p_{10}p_{11}p_{12}p_{13} = 1010
• (P_{00},P_{03}) = (00) → 0, (P_{01},P_{02}) = (01) → 1
– From S0 box, row 0, column 1, gets **0** ((00) in binary)
• (P_{10},P_{13}) = (10) → 2, (P_{11},P_{12}) = (01) → 1
– From S1 box, row 2, column 1, gets **0** ((00) in binary)
• After S0, S1 boxes, we get (0000)
• P4(0000) = (0000) // end of F function

## Simplified DES

• f_{k2}(L, R) = (L ⊕ F(R, SK), R)
– = ((1110) ⊕ (0000), 1100)
– = (1110 1100)
• IP^{-1}(1110 1100) = (0111 0101)
– Ciphertext of plaintext (1011 1101)
– using keys K_{1} = (1010 0100), K_{2} = (0100 0011)

## Block Ciphers

• block ciphers process messages into blocks, each of which is then en/decrypted
• like a substitution on very big characters
– 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course

## Block Cipher Principles

• most symmetric block ciphers are based on a **Feistel Cipher Structure**
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need table of 2^{64} entries for a 64-bit block
• instead create from smaller building blocks
• using idea of a product cipher

## Claude Shannon and Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
– modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box)

## Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible

## Feistel Cipher Structure

• Horst Feistel devised the Feistel cipher
– based on concept of invertible product cipher
• partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
• implements Shannon’s substitution-permutation network concept

## Feistel Cipher Structure

– figure: Substitution / Permutation

## Feistel Cipher Design Principles

**• block size **

– increasing size improves security, but slows cipher

**• key size **

– increasing size improves security, makes exhaustive key searching harder, but may slow cipher

**• number of rounds **

– increasing number improves security, but slows cipher

**• subkey generation **

– greater complexity can make analysis harder, but slows cipher

**• round function **

– greater complexity can make analysis harder, but slows cipher

**• fast software en/decryption & ease of analysis **


## Data Encryption Standard (DES)

• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST)
– as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security

## DES History

• IBM developed Lucifer cipher

– by team led by Feistel

– used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES

## DES Design Controversy

• although DES standard is public
• was considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• DES has become widely used, esp in financial applications

## Initial Permutation IP

• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
• see text Table 3.2
• example:
– 64 bits, 4 bits for each symbol

## DES Round Structure

• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:

L_{i} = R_{i–1}
R_{i} = L_{i–1} xor F(R_{i–1}, K_{i})

• takes 32-bit R half and 48-bit subkey and:
– expands R to 48-bits using perm E
– adds to subkey
– 48 bits partitioned into 8 6-bit inputs to the 8 s-boxes
– passes through 8 S-boxes to get 32-bit result

## DES S Boxes

• 6 bits input to S_{1} box: 0 1100 1
– 01 -> 1, row #1; 1100 -> 12, column #12

## DES Key Schedule

• forms subkeys used in each round
• consists of:
– initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves
• Table 3.4 (a), (b)
– 16 stages consisting of:
• selecting 28-bits from each half, C_{i}, D_{i}
• rotating each half separately either 1 or 2 places depending on the key rotation schedule K

## DES Decryption

• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP

## Avalanche Effect

• key desirable property of encryption algorithm
• where a change of one input or key bit results in changing approx half output bits
• making attempts to “home-in” by guessing keys impossible

## Strength of DES – Key Size

• 56-bit keys have 2^{56} = 7.2 x 10^{16} values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
– in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES

## Strength of DES – Analytic Attacks

• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis: 2^{47} chosen plaintext
– linear cryptanalysis: 2^{47} known plaintext

## Differential Cryptanalysis

• one of the most significant recent (public) advances in cryptanalysis
• known by NSA in 70's cf DES design
• Murphy, Biham & Shamir published 1990
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success

## Differential Cryptanalysis

• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing values of the key
• Differential Cryptanalysis compares two pairs of encryptions

## Differential Cryptanalysis Compares Pairs of Encryptions

• with a known difference in the input
• searching for a known difference in output
• when same subkeys are used

## Differential Cryptanalysis

• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds (with decreasing probabilities)

## Differential Cryptanalysis

• perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR
• when found
– if intermediate rounds match required XOR have a right pair
– if not then have a wrong pair, relative ratio is S/N for attack
• can then deduce key values for the rounds
– right pairs suggest same key bits
– wrong pairs give random values
• for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs
• Biham and Shamir have shown how a 13-round iterated
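The "input difference giving some output difference with probability p" idea of the preceding slides, computed for the S-DES S0 and S1 boxes from earlier in the chapter. This is an added example, not from the slides: the difference distribution table counts, for every input XOR, how the output XOR is spread, which is the check a designer runs to see how far an S-box is from uniform (and therefore how much confusion it actually provides).

```python
# S-DES S-boxes as on the slides: row = outer bits (1st, 4th), column = inner bits (2nd, 3rd)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))

def sbox_lookup(box, x):
    """Apply a 4-bit -> 2-bit S-DES S-box to the integer x (0..15, MSB = first bit)."""
    row = (((x >> 3) & 1) << 1) | (x & 1)
    col = (((x >> 2) & 1) << 1) | ((x >> 1) & 1)
    return box[row][col]

def difference_distribution_table(box):
    """ddt[din][dout] = number of inputs x with S(x) xor S(x xor din) == dout.
    Every row sums to 16; a perfectly uniform S-box would give 4,4,4,4 in each row."""
    ddt = [[0] * 4 for _ in range(16)]
    for din in range(16):
        for x in range(16):
            dout = sbox_lookup(box, x) ^ sbox_lookup(box, x ^ din)
            ddt[din][dout] += 1
    return ddt

def best_differential(box):
    """Most probable non-trivial (input diff, output diff, count); probability = count/16."""
    ddt = difference_distribution_table(box)
    best = (0, 0, 0)
    for din in range(1, 16):
        for dout in range(4):
            if ddt[din][dout] > best[2]:
                best = (din, dout, ddt[din][dout])
    return best

if __name__ == "__main__":
    for name, box in (("S0", S0), ("S1", S1)):
        din, dout, count = best_differential(box)
        print(f"{name}: input diff {din:04b} -> output diff {dout:02b} with probability {count}/16")
```

For S0 the strongest differential is input XOR 0110 giving output XOR 11 for 12 of the 16 inputs, far from the 4 a uniform box would give, which is the kind of bias the attack on the slides exploits round by round.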

## Linear Cryptanalysis

• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui et al in early 90's
• based on finding linear approximations
• can attack DES with 2^{47} known plaintexts

## Linear Cryptanalysis

• find linear approximations with prob p != ½

P[i1,i2,...,ia] ⊕ C[j1,j2,...,jb] = K[k1,k2,...,kc]

where ia,jb,kc are bit locations in P,C,K

• gives linear equation for key bits
• get one key bit using max likelihood alg
• using a large number of trial encryptions
• effectiveness given by: |p–½|

## Block Cipher Design Principles

• basic principles still like Feistel in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
• key schedule

## Modes of Operation

• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practice, given usually have arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard **ANSI X3.106-1983 Modes of Use**
• subsequently now have **5** for DES and AES
• have block and stream modes

## Electronic Codebook (ECB)

• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks

C_{i} = DES_{K1}(P_{i})

• uses: secure transmission of single values

## Advantages and Limitations of ECB

• repetitions in message may show in ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent

## Cipher Block Chaining (CBC)

• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process

C_{i} = DES_{K1}(P_{i} XOR C_{i-1})
C_{-1} = IV

## Advantages and Limitations of CBC

• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
• at end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size

## Cipher FeedBack (CFB)

• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
– denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)

C_{i} = P_{i} XOR DES_{K1}(C_{i-1})
C_{-1} = IV

## Advantages and Limitations of CFB

• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error

## Output FeedBack (OFB)

• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance

C_{i} = P_{i} XOR O_{i}
O_{i} = DES_{K1}(O_{i-1})
O_{-1} = IV

## Advantages and Limitations of OFB

• used when error feedback a problem or where need to do encryptions before message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should

## Counter (CTR)

• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)

C_{i} = P_{i} XOR O_{i}
O_{i} = DES_{K1}(i)

## Advantages and Limitations of CTR

• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter
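The ECB, CBC and CTR formulas from the mode slides, written out as an added Python example (not from the slides). A real DES would not fit here, so the block cipher is a constructed stand-in: a keyed, invertible substitution table on 8-bit blocks, the "extremely large substitution" of the Block Cipher Principles slide shrunk to 256 entries; the mode logic around it is the slides' formulas unchanged, so ECB's repeated-block leak, CBC's IV dependence and CTR's key/counter reuse can all be observed directly.

```python
import random

def make_codebook(key):
    """Constructed stand-in for DES: a keyed, invertible 8-bit substitution table
    (a 256-entry codebook instead of DES's 2^64). For demonstrating modes only."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

def ecb_encrypt(key, plaintext):
    enc, _ = make_codebook(key)
    return bytes(enc[p] for p in plaintext)  # C_i = E_K(P_i): every block independent

def ecb_decrypt(key, ciphertext):
    _, dec = make_codebook(key)
    return bytes(dec[c] for c in ciphertext)

def cbc_encrypt(key, iv, plaintext):
    enc, _ = make_codebook(key)
    out, prev = bytearray(), iv
    for p in plaintext:
        prev = enc[p ^ prev]  # C_i = E_K(P_i xor C_{i-1}), with C_{-1} = IV
        out.append(prev)
    return bytes(out)

def cbc_decrypt(key, iv, ciphertext):
    _, dec = make_codebook(key)
    out, prev = bytearray(), iv
    for c in ciphertext:
        out.append(dec[c] ^ prev)  # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return bytes(out)

def ctr_crypt(key, counter, data):
    """O_i = E_K(counter + i), C_i = P_i xor O_i; the same call decrypts.
    The 8-bit counter wraps after 256 blocks, i.e. exactly the key/counter
    reuse the slides forbid, so keep a message under 256 blocks per counter."""
    enc, _ = make_codebook(key)
    return bytes(d ^ enc[(counter + i) & 0xFF] for i, d in enumerate(data))

def repeated_blocks(ciphertext):
    """Number of blocks that repeat an earlier block: the pattern ECB leaks."""
    return len(ciphertext) - len(set(ciphertext))
```

Encrypting a message with long runs of identical blocks shows ECB repeating ciphertext blocks where the plaintext repeats, while CBC output changes with the IV; XORing two CTR ciphertexts made with the same key and counter gives the XOR of the plaintexts, which is why reuse is forbidden.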

## Summary

• have considered:
• block cipher design principles
• DES
– details
– strength