Cryptography - Lecture3

The document summarizes the Data Encryption Standard (DES) cipher. It discusses how DES uses a Feistel network structure with 16 rounds to encrypt 64-bit blocks. Each round takes the input block, expands half of it, XORs it with a subkey, and applies an S-box substitution and permutation. Though once a standard, DES is now outdated due to its short 56-bit key size being vulnerable to brute force attacks. Modern cryptography instead uses the Advanced Encryption Standard (AES).


Cryptography and Network Security

Spring 2006
http://www.abo.fi/~ipetre/crypto/

Lecture 3: Block ciphers and DES

Ion Petre
Academy of Finland and
Department of IT, Åbo Akademi University

March 23-28, 2006 1


Data Encryption Standard

• We focus now on the most widely used symmetric cipher: DES
  - DES has been replaced by AES as a standard
  - We will use DES to illustrate the principles of modern symmetric ciphers
• Adopted in 1977 by the National Bureau of Standards (US), nowadays NIST
• Originates from an IBM project from the late 1960s led by Feistel
  - Project ended in 1971 with the development of LUCIFER (key 128 bits)
  - LUCIFER was then refined with the help of NSA to produce DES (key 56 bits)
  - Immediate criticism: the reduction in key length was enormous and the internal details of the design were (and remained) classified information
  - 1994: DES is reaffirmed as a standard for 5 more years
  - 1999: DES should only be used for legacy systems and 3DES should replace it


Block cipher principles

• A stream cipher is one that encrypts a digital data stream one bit (or byte) at a time
  - Example: autokey Vigenère system
• A block cipher is one in which the plaintext is divided into blocks and one block is encrypted at a time, producing a ciphertext of equal length
  - Similar to substitution ciphers on very big characters: 64 bits or 128 bits are typical block lengths
  - Many modern ciphers are block ciphers


Principle: Substitution-Permutation Ciphers

• Claude Shannon (1949) introduced the idea of substitution-permutation (S-P) networks
  - These form the basis for the modern substitution-transposition product cipher
• S-P networks are based on the two primitive cryptographic operations we have seen before:
  - substitution (S-box)
  - permutation (P-box)
• The goal is to provide confusion and diffusion of the message


Confusion and Diffusion

• A cipher needs to completely obscure the statistical properties of the original message
  - A one-time pad does this
• More practically, Shannon (1949) suggested combining elements to obtain:
  - Diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
    - Makes the statistical relationship plaintext - ciphertext as complex as possible
    - Achieved by requiring that every digit of the plaintext affects many digits of the ciphertext (equivalently, every digit of the ciphertext is affected by many digits of the plaintext)
  - Confusion – makes relationship between ciphertext and key as complex as possible
    - Makes it difficult to discover the key starting from the ciphertext
• The principles of confusion and diffusion are the most essential concepts in the design of modern block ciphers – they defend against statistical attacks


Feistel Cipher Structure

• Virtually all modern block encryption algorithms use the Feistel structure
• Horst Feistel was the leader of the IBM team that worked in the late 1960s on LUCIFER
• He devised the so-called “Feistel cipher”
• Algorithm structure – perform n rounds, each round has the following structure (for encryption and decryption):
  - Input is of length 2w (bits), key is K
  - Divide the input into two halves L_0 and R_0
  - L_1 = R_0, R_1 = L_0 ⊕ f(R_0, K)
  - In the next round use (L_1, R_1) instead of (L_0, R_0), etc.
  - Function f is the same in all rounds but uses a different subkey in each round – the subkey of each round is generated from the key


[Figure: Feistel Cipher Structure]


Feistel Cipher Design Principles

• block size
  - increasing size improves security, but slows cipher
• key size
  - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds
  - increasing number improves security, but slows cipher
• subkey generation
  - greater complexity can make analysis harder, but slows cipher
• round function
  - greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis
  - are more recent concerns for practical use and testing



Feistel Cipher

Decryption: the same algorithm (with keys in reverse order)


Feistel decryption

• Decryption is the same as encryption and does not require any property for function f (not even to be invertible)
• LD/RD – left/right half in the decryption algorithm
• LE/RE – left/right half in the encryption algorithm
• ⊕ denotes XOR: 0⊕0=0, 1⊕1=0, 0⊕1=1⊕0=1

Encryption
• Input: the plaintext (LE_0, RE_0)
• Round i (1 to 16) performs on input (LE_{i-1}, RE_{i-1}) the operations:
  - LE_i = RE_{i-1}, RE_i = LE_{i-1} ⊕ f(RE_{i-1}, K_i)
  - This is the input to next round
• The key of round i is K_i
• Output: the ciphertext (RE_16, LE_16)

Decryption
• Input: the ciphertext (LD_0, RD_0) = (RE_16, LE_16)
• Round i (1 to 16) performs on input (LD_{i-1}, RD_{i-1}) the operations:
  - LD_i = RD_{i-1}, RD_i = LD_{i-1} ⊕ f(RD_{i-1}, K_{16-i})
  - This is the input to next round
• The key of round i is K_{16-i}
• This algorithm is CORRECT – after round i we have LD_i = RE_{16-i}, RD_i = LE_{16-i}:
• PROOF:
• Input to the first round:
  - LD_0 = RE_16, RD_0 = LE_16
• Result of the first round
  - LD_1 = RD_0 = LE_16 = RE_15
  - RD_1 = LD_0 ⊕ f(RD_0, K_16) = RE_16 ⊕ f(RE_15, K_16) = (LE_15 ⊕ f(RE_15, K_16)) ⊕ f(RE_15, K_16) = LE_15
  - Result: (RE_15, LE_15)
• Output: the plaintext (RD_16, LD_16) = (LE_0, RE_0)
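The Feistel structure and the decryption argument above, as an added example that is not part of the original lecture: a 16-round Feistel network whose round function is a truncated hash (so it has no inverse), with a check that each decryption round reproduces the encryption state claimed in the proof. The round function, the toy key schedule and all function names are assumptions made for illustration; this is not DES.

```python
import hashlib

W = 4          # half-block size in bytes (w = 32 bits, as in DES)
ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(right: bytes, subkey: bytes) -> bytes:
    """Round function: a truncated hash, so it is many-to-one and has no inverse."""
    return hashlib.sha256(right + subkey).digest()[:W]

def subkeys(key: bytes) -> list:
    """Toy key schedule (an assumption, not DES's): K_i = SHA-256(key || i)[:W]."""
    return [hashlib.sha256(key + bytes([i])).digest()[:W] for i in range(1, ROUNDS + 1)]

def rounds_trace(block: bytes, keys: list) -> list:
    """Return [(L_0, R_0), (L_1, R_1), ..., (L_n, R_n)] for the given subkey order."""
    left, right = block[:W], block[W:]
    states = [(left, right)]
    for k in keys:
        # L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
        states.append((left, right))
    return states

def feistel(block: bytes, keys: list) -> bytes:
    left, right = rounds_trace(block, keys)[-1]
    return right + left                        # output is (R_n, L_n): halves swapped

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])  # same algorithm, subkeys reversed

def proof_invariant_holds(block: bytes, key: bytes) -> bool:
    """After decryption round i: (LD_i, RD_i) == (RE_{16-i}, LE_{16-i})."""
    ks = subkeys(key)
    enc = rounds_trace(block, ks)
    dec = rounds_trace(feistel(block, ks), ks[::-1])
    return all(dec[i] == (enc[ROUNDS - i][1], enc[ROUNDS - i][0])
               for i in range(ROUNDS + 1))

if __name__ == "__main__":
    pt, key = b"ABCDEFGH", b"sample key"       # constructed sample values
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key), proof_invariant_holds(pt, key))
```

Running the ciphertext through `feistel` with the subkeys in forward order does not return the plaintext; only the reversed order undoes the rounds.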


DES

• DES encryption/decryption
• Strength of DES
• Design principles
• Cryptanalysis


DES encryption scheme

[Figure: DES encryption scheme]

• The plaintext (64 bits) passes through an initial permutation IP (on 64 bits)
• Then follow 16 identical rounds – in each round a different subkey is used; each subkey is generated from the key
• After round 16, swap the left half with the right half
• Apply the inverse of the initial permutation IP^-1 (on 64 bits)


[Figure: Initial permutation and its inverse]

[Figure: A single round of DES]

[Figure: The scheme of the function F(R,K) in DES]


Details of a single round of DES

• Consider L the left half of the input to the round and R its right half – each of them has 32 bits
• As in any Feistel cipher the overall processing is L_i = R_{i-1}, R_i = L_{i-1} ⊕ F(R_{i-1}, K_i)
• The round subkey K_i has 48 bits (details later on how it is generated)
• R is expanded from 32 to 48 bits using an “expansion permutation” E (shown on the next slide) – this is a table that defines a permutation, duplicating at the same time 16 of the bits in R
• These 48 bits are XORed with the subkey K_i
• The 48-bit result passes through a substitution function that produces a 32-bit output
• Then apply a permutation P (shown on the next slide)

[Figure: Details of a single round of DES (expansion permutation E and permutation P)]


The substitutions in the DES rounds: S-boxes

• There are 8 S-boxes, each of them accepting a 6-bit input and producing 4-bit output
• The S-boxes are 4 x 16 tables (shown on the next slide) and are used as follows:
  - The first and the last bit of the input to the S-box form a 2-bit binary number that selects the row of the S-box (rows are from 0 to 3)
  - The middle four bits select the column of the S-box (columns are from 0 to 15)
  - The decimal value in the selected entry of the S-box is converted to its 4-bit binary representation to produce the output


Definition of S-boxes

• Example: consider the input 011001 to S-box S1
  - The row is given by the first and last bits of 011001: 01 (i.e. 1)
  - The column is given by the middle four bits of 011001: 1100 (i.e. 12)
  - The value in the selected cell is 9
  - Output is 1001
• Note that each row of each S-box is in fact an invertible substitution on 4 bits (permutation of numbers from 0 to 15)
• Note also that the output of the S-box is immediately permuted in DES so that it spreads in the ciphertext


Subkey generation

• The general scheme of DES shows that a 64-bit key is used – the bits of the key are numbered from 1 to 64.
• The algorithm ignores every 8th bit – thus, the key for DES is effectively 56 bits long
• Before round 1 of DES, the key is permuted according to a table labeled Permuted Choice One (see next slide) – the resulting 56-bit key is split into its two 28-bit halves labeled C_0 and D_0
• In each round, C_{i-1} and D_{i-1} are separately subjected to a circular left shift of one or two bits according to the table on the next slide – the shifted values will be input to next round
• The shifted values serve as input to Permuted Choice Two (see next slide) which produces a 48-bit output: the subkey of the current round


[Figure: Subkey generation (Permuted Choice One, Permuted Choice Two and the table of left shifts)]


DES decryption

• Like in any Feistel cipher, decryption works just like encryption with the subkeys used in reverse order


Analysis of DES

• Avalanche effect: this is a desirable property of any encryption algorithm
  - A small change (even 1 bit) in the plaintext should produce a significant change in the ciphertext
    - Example: consider two blocks of 64 zeros and in the second block rewrite 1 on the first position. Encrypt them both with DES: depending on the key, the result may have 34 different bits!
  - A small change (even 1 bit) in the key should produce a significant change in the ciphertext
    - Example: a change of one bit in the DES key may produce 35 different bits in the encryption of the same plaintext


Strength of DES

• Two main concerns with DES: the length of the key and the nature of the algorithm
• The key is rather short: 56 bits – there are 2^56 possible keys, around 7.2 x 10^16
  - On average, only half of the keys have to be tried to break the system
  - In principle it should take a long time to break the system
  - Things are quicker with dedicated hardware: 1998 – a special machine was built for less than 250 000 $ breaking DES in less than 3 days, 2006 – estimates are that a hardware costing around 20.000$ may break DES within a day
• DES has no export restrictions from NSA!
• 40-bit RC4 key is also insecure
• 128-bit keys seem to be secure
• Important difficulty in breaking any system: unless the plaintext is known, we have to recognize when we have broken the system: we have to recognize the plaintext when we find it
  - This is not trivial if the file is binary, compressed, etc.
  - Automated procedures to do that are needed (and indeed some exist)


Strength of DES

• Nature of the algorithm
• There has always been a concern about the design of DES, especially about the design of S-boxes – perhaps they have been designed in such a way as to ensure a trapdoor to the algorithm – break it without having to search for the key
  - The design criteria for the S-boxes (and for the rest of the algorithm) have been classified information and NSA was involved in the design
  - Many regularities and unexpected behavior of the S-boxes have been reported
  - On the other hand, changing the S-boxes slightly seems to weaken the algorithm
  - No fatal weaknesses in the S-boxes have been (publicly) reported so far


Cryptanalysis of DES

• There are ways to break DES significantly quicker than with the brute-force attack: differential and linear cryptanalysis
• Differential cryptanalysis
  - Published in the open literature after 1990: Murphy and then Biham and Shamir (published a book on this)
  - Idea: Knowing the XOR of the message halves before and after a round, one may try to deduce the subkey used in that round
  - DES can be broken in 2^47 steps, requiring 2^47 chosen plaintexts
    - The need for so many chosen plaintexts makes its applicability limited
  - This attack seems to have been known to the DES design team and NSA 20 years before it was published in the open literature!
• Linear cryptanalysis
  - More recent attack (Matsui, 1993): find linear approximations to describe the transformations in DES
  - Can find the DES key given 2^47 known plaintexts
  - Still impractical method
