Cryptography and Network Security Unit - 2 Chapter 3 - Block Ciphers and The Data Encryption Standard

The document discusses block ciphers and the Data Encryption Standard (DES). It explains that block ciphers encrypt fixed blocks of plaintext into ciphertext blocks of equal length, unlike stream ciphers. It describes the ideal block cipher model and issues with key sizes. It then introduces the Feistel cipher structure used by most modern block ciphers, including DES. It explains the concepts of diffusion and confusion, and how the Feistel network provides them. It provides details on the DES algorithm, including its key schedule, rounds, S-boxes, and decryption process.

Uploaded by Akshit Prajapati

Cryptography and Network Security
Unit 2
Chapter 3 – Block Ciphers and the Data Encryption Standard
Reference: Cryptography and Network Security, 4/e, 5/e or 6/e, by William Stallings
BLOCK CIPHER PRINCIPLES
• Virtually all symmetric block encryption
algorithms in current use are based on a
structure referred to as a Feistel Cipher.
Stream Cipher and Block Cipher
• A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
• Examples: Vigenère cipher and Vernam cipher.
• A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
• Typically, a block size of 64 or 128 bits is used.
• Using some of the modes of operation explained later in this chapter, a block cipher can be used to achieve the same effect as a stream cipher.
Ideal Block Cipher
• Operates on a block of n bits to produce an n-bit output.
• There are 2^n possible different plaintext blocks, and for the encryption to be reversible each must produce a unique ciphertext block.
• The number of different reversible transformations is therefore (2^n)!
Problem with the Ideal Block Cipher
• Consider a small block size, n = 4.
• The key (the whole substitution table) has length (4 bits) × (16 rows) = 64 bits.
• For an n-bit ideal block cipher, the length of the key is n × 2^n bits.
• For a 64-bit block, the key length is 64 × 2^64 = 2^70 bits.
Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions and permutations.
• In fact, this is a practical application of a proposal by Shannon to develop a product cipher that alternates confusion and diffusion functions.
• The Feistel cipher structure, which dates back over a quarter century and which, in turn, is based on Shannon's proposal of 1945, is the structure used by most significant symmetric block ciphers currently in use.
Diffusion and Confusion
• Shannon's concern was to prevent cryptanalysis based on statistical analysis. The reason is as follows.
• Assume the attacker has some knowledge of the statistical characteristics of the plaintext.
• For example, in a human-readable message in some language, the frequency distribution of the various letters may be known, or there may be words or phrases likely to appear in the message (probable words).
• If these statistics are in any way reflected in the ciphertext, the cryptanalyst may be able to deduce the encryption key, or part of the key.
• In what Shannon refers to as a strongly ideal cipher, all statistics of the ciphertext are independent of the particular key used.
• Shannon suggests two methods for frustrating statistical cryptanalysis:
– Diffusion
– Confusion

• Diffusion : the statistical structure of the plaintext is


dissipated into long range statistics of the ciphertext.

• This is achieves by having each plaintext digit affect the


value of many ciphertext digits.
• Which is equivalent to saying that each
ciphertext digit is affected by many plaintext
digits.
• An example of diffusion is to encrypt a
message M= m1, m2, m3…..of characters with
an averaging operation.
• yn =Σi=1 to n m n+i (mod 26)
• In a binary block cipher diffusion can applying
by repeatedly performing some permutation
on the data followed by applying a function to
that permutation.
• The mechanisms of diffusion seeks to make
the relationship between the plaintext and
ciphertext as complex as possible in order to
prevent attempts to deduce the key.
• On other hand, confusion seeks to make the
relationship between the statistics of the
ciphertext and the value of the encryption
key as complex as possible. Again to prevent
attempts to discover the key.
Classical Feistel Network
• The exact realization of a Feistel network depends on the choice of the following parameters and design features.
• Block size: a larger block size means greater security but reduces encryption/decryption speed.
• A block size of 64 bits is a reasonable tradeoff and nearly universal in block cipher design.
• AES: 128-bit block size.
• Key size: a larger key size means greater security but reduces encryption/decryption speed.
• Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size.
• Number of rounds: multiple rounds offer increasing security.
• A typical size is 16 rounds.
• Subkey generation algorithm: greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
• Round function: again, greater complexity generally means greater resistance to cryptanalysis.
• There are two other considerations in the design of a Feistel cipher:
• Fast software encryption/decryption
• Ease of analysis (algorithm clearly explained)
Block Cipher Principles
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
• block ciphers look like an extremely large substitution
• would need a table of 2^64 entries for a 64-bit block
• instead use the idea of a product cipher
Feistel Cipher Structure
• Horst Feistel devised the Feistel cipher
– based on concept of invertible product cipher
• partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
• implements Shannon's S-P net concept
Feistel Cipher Structure (figure)
Feistel Cipher Design Elements
• block size – 64 bits
• key size – 128 bits
• number of rounds – 16
• subkey generation algorithm
• round function
• fast software en/decryption
• ease of analysis
Feistel Cipher Decryption
On the encryption side (round 16):
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side (round 1):
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15 (properties of the XOR function)
The output of the first round of the decryption process is LE15 || RE15, which is the 32-bit swap of the input to the sixteenth round of the encryption.
For the i-th round of the encryption algorithm:
LEi = REi–1
REi = LEi–1 ⊕ F(REi–1, Ki)
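An added example (not from the slides) that exercises the derivation above on a generic Feistel network: the same round procedure with the subkeys in reverse order undoes encryption, and a single decryption round with K16 recovers LE15 || RE15. The round function and key schedule are hypothetical stand-ins built on SHA-256, not DES's F, E, S-boxes or PC1/PC2.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def round_function(right, subkey):
    """Hypothetical F(R, K): any function of the right half and subkey will do; it need not be invertible."""
    digest = hashlib.sha256(right.to_bytes(4, "big") + subkey.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def key_schedule(key, rounds=16):
    """Hypothetical subkey generation: 48-bit subkeys K1..K16 from a 64-bit key (stand-in for PC1/PC2)."""
    subkeys = []
    for i in range(1, rounds + 1):
        digest = hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()
        subkeys.append(int.from_bytes(digest[:6], "big"))
    return subkeys

def feistel(block, subkeys):
    """Run L_i = R_(i-1), R_i = L_(i-1) XOR F(R_(i-1), K_i) for every subkey, then swap the halves.
    The final 32-bit swap is what makes the same procedure invert itself with reversed subkeys."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left

def encrypt(block, key):
    return feistel(block, key_schedule(key))

def decrypt(block, key):
    # Same computation as encryption, with the subkeys in reverse order (K16 ... K1).
    return feistel(block, key_schedule(key)[::-1])

def one_round_undo(block, subkey):
    """Check the slide's derivation for a single round: LD1 = RE15 and RD1 = LE15."""
    le15, re15 = block >> 32, block & MASK32
    # encryption round 16: LE16 = RE15, RE16 = LE15 XOR F(RE15, K16)
    le16, re16 = re15, le15 ^ round_function(re15, subkey)
    # decryption starts from the swapped output, so LD0 = RE16 and RD0 = LE16
    ld0, rd0 = re16, le16
    ld1, rd1 = rd0, ld0 ^ round_function(rd0, subkey)
    return (ld1, rd1) == (re15, le15)

def changed_bits(a, b):
    """Hamming distance between two 64-bit blocks, to observe the avalanche effect."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    key = 0xDEADBEEFCAFEF00D    # constructed sample 64-bit key
    pt = 0x0123456789ABCDEF     # constructed sample 64-bit plaintext block
    ct = encrypt(pt, key)
    print(f"ciphertext {ct:016x}, round trip ok: {decrypt(ct, key) == pt}, "
          f"bits changed by flipping one plaintext bit: {changed_bits(ct, encrypt(pt ^ 1, key))}")
```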
Relationship to DES
• DES operates on 64-bit blocks of input.
• A 56-bit key is used, from which sixteen 48-bit subkeys are calculated.
• There is an initial permutation of the 56 key bits, followed by a sequence of shifts and permutations that select 48 bits for each subkey.
• The 48-bit input to the S-boxes is arranged as a matrix of 8 rows, corresponding to the 8 S-boxes.
• Each S-box has 4 rows and 16 columns.
• The first and last bits of a row of the preceding matrix pick out a row of the S-box, and the middle 4 bits pick out a column.
Data Encryption Standard (DES)
• most widely used block cipher in the world
• encrypts 64-bit data using a 56-bit key
• has widespread use
DES Encryption Overview
• Looking at the left-hand side of the figure, we can see that the processing of the plaintext proceeds in three phases.
– The 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
– This is followed by a phase consisting of 16 rounds of the same function. The output of the sixteenth (last) round consists of 64 bits that are a function of the plaintext and the key.
– The left and right halves of the output are swapped to produce the preoutput.
– Finally, the preoutput is passed through a permutation (IP^-1) that is the inverse of the initial permutation function, to produce the 64-bit ciphertext.
Initial Permutation IP
• first step of the data computation
• IP reorders the input data bits
• even bits to LH half, odd bits to RH half
• quite regular in structure (easy in h/w)
DES Encryption (figure: 64-bit input and the output of IP)
DES Round Structure
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 ⊕ F(Ri–1, Ki)
• F takes 32-bit R half and 48-bit subkey:
– expands R to 48 bits using permutation E
– adds to subkey using XOR
– passes through 8 S-boxes to get 32-bit result
– finally permutes using 32-bit permutation P
DES Encryption (figures: expansion/permutation E, calculation of F(R, K), S-boxes)
Substitution Boxes S
• have eight S-boxes which map 6 to 4 bits
• each S-box is actually 4 little 4 bit boxes
– outer bits 1 & 6 (row bits) select one row of 4
– inner bits 2-5 (col bits) are substituted
– result is 8 lots of 4 bits, or 32 bits
• row selection depends on both data & key
– feature known as autoclaving (autokeying)
• example:
– S(18 09 12 3d 11 17 38 39) = 5fd25e03
DES Encryption (figure: permutation P)
DES Key Schedule
• forms subkeys used in each round
– initial permutation of the key (PC1) which selects
56-bits in two 28-bit halves
– 16 stages consisting of:
• rotating each half separately either 1 or 2 places
depending on the key rotation schedule K
• selecting 24-bits from each half & permuting them by
PC2 for use in round function F
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again using subkeys in reverse order (SK16 … SK1)
– IP undoes final FP step of encryption
– 1st round with SK16 undoes 16th encryption round
– ….
– 16th round with SK1 undoes 1st encryption round
– then final FP undoes initial encryption IP
– thus recovering original data value
Avalanche Effect
• key desirable property of encryption algorithm
• where a change of one input or key bit results in changing approx half the output bits
• making attempts to "home-in" by guessing keys impossible
• DES exhibits strong avalanche
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 × 10^16 values
• brute force search looks hard
• recent advances have shown it is possible
– in 1997 on the Internet in a few months
– in 1998 on dedicated h/w (EFF) in a few days
– in 1999 the above combined in 22 hrs!
• still must be able to recognize plaintext
• must now consider alternatives to DES
Strength of DES – Analytic Attacks
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks
Strength of DES – Timing Attacks
• attacks actual implementation of cipher
• use knowledge of consequences of
implementation to derive information about
some/all subkey bits
• specifically use fact that calculations can take
varying times depending on the value of the
inputs to it
• particularly problematic on smartcards
DES Design Criteria
• as reported by Coppersmith in [COPP94]
• 7 criteria for S-boxes provide for
– non-linearity
– resistance to differential cryptanalysis
– good confusion
• 3 criteria for permutation P provide for
– increased diffusion
Block Cipher Design
• basic principles still like Feistel’s in 1970’s
• number of rounds
– more is better, exhaustive search best attack
• function f:
– provides “confusion”, is nonlinear, avalanche
– have issues of how S-boxes are selected
• key schedule
– complex subkey creation, key avalanche
Cryptography and Network Security – Chapter 5: AES
Origins
• clear a replacement for DES was needed
– have theoretical attacks that can break it
– have demonstrated exhaustive key search attacks
• can use Triple-DES – but slow, has small blocks
• US NIST issued call for ciphers in 1997
• 15 candidates accepted in Jun 98
• 5 were shortlisted in Aug-99
• Rijndael was selected as the AES in Oct-2000
• issued as FIPS PUB 197 standard in Nov-2001
AES Requirements
• private key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• stronger & faster than Triple-DES
• active life of 20-30 years (+ archival use)
• provide full specification & design details
• both C & Java implementations
• NIST have released all submissions &
unclassified analyses
AES Evaluation Criteria
• initial criteria:
– security – effort for practical cryptanalysis
– cost – in terms of computational efficiency
– algorithm & implementation characteristics
• final criteria
– general security
– ease of software & hardware implementation
– implementation attacks
– flexibility (in en/decrypt, keying, other factors)
AES Shortlist
• after testing and evaluation, shortlist in Aug-99:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - v. simple, v. fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - slow, clean, v. high security margin
– Twofish (USA) - complex, v. fast, high security margin
• then subject to further analysis & comment
• saw contrast between algorithms with
– few complex rounds versus many simple rounds
– which refined existing ciphers versus new proposals
The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• an iterative rather than Feistel cipher
– processes data as block of 4 columns of 4 bytes
– operates on entire data block in every round
• designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– design simplicity
Rijndael
• data block of 4 columns of 4 bytes is state
• key is expanded to array of words
• has 9/11/13 rounds in which state undergoes:
– byte substitution (1 S-box used on every byte)
– shift rows (permute bytes between groups/columns)
– mix columns (subs using matrix multiply of groups)
– add round key (XOR state with key material)
– view as alternating XOR key & scramble data bytes
• initial XOR key material & incomplete last round
• with fast XOR & table lookup implementation
AES Encryption Process (figure)
Rijndael – Mathematical Preliminaries
• All bytes in the AES algorithm are interpreted as finite field elements of GF(2^8), using the polynomial notation. Finite field elements can be added and multiplied, but these operations are different from those used for numbers.
1. Addition
• The addition of two elements in a finite field is achieved by "adding" the coefficients for the corresponding powers in the polynomials for the two elements.
• The addition is performed with the XOR operation (denoted by ⊕). Consequently, subtraction of polynomials is identical to addition of polynomials.
• Alternatively, addition of finite field elements can be described as the modulo 2 addition of corresponding bits in the byte. For two bytes {a7 a6 a5 a4 a3 a2 a1 a0} and {b7 b6 b5 b4 b3 b2 b1 b0}, the sum is {c7 c6 c5 c4 c3 c2 c1 c0}, where each c_i = a_i ⊕ b_i (i.e., c7 = a7 XOR b7, c6 = a6 XOR b6, ..., c0 = a0 XOR b0).
2. Multiplication
• In the polynomial representation, multiplication in GF(2^8) (denoted by •) corresponds to the multiplication of polynomials modulo an irreducible polynomial of degree 8.
• A polynomial is irreducible if its only divisors are one and itself. For the AES algorithm, this irreducible polynomial is m(x) = x^8 + x^4 + x^3 + x + 1.
Substitution Byte Transformation
• a simple substitution of each byte
• uses one table of 16×16 bytes containing a permutation of all 256 8-bit values
• each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
– eg. byte {95} is replaced by the byte in row 9 column 5
– which has value {2A}
• S-box constructed using a defined transformation of values in GF(2^8)
• designed to be resistant to all known attacks
Substitution Byte Transformation
• The SubBytes() transformation is a non-linear byte substitution that operates independently on each byte of the State using a substitution table (S-box).
• This S-box (figure), which is invertible, is constructed by composing two transformations:
– Take the multiplicative inverse in the finite field GF(2^8); the element {00} is mapped to itself.
– Apply the following affine transformation (over GF(2)), for 0 <= i < 8, where b_i is the i-th bit of the byte and c_i is the i-th bit of a byte c with the value {63} or {01100011}. Here and elsewhere, a prime on a variable (e.g., b') indicates that the variable is to be updated with the value on the right.
Byte Substitution (figure)
Shift Rows
• a circular byte shift in each row
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• decrypt inverts using shifts to right
• since state is processed by columns, this step permutes bytes between the columns
Shift Rows (figure)
Mix Columns
• each column is processed separately
• each byte is replaced by a value dependent on all 4 bytes in the column
• effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1
Mix Columns (figure)
Mix Columns
• can express each col as 4 equations
– to derive each new byte in col
• decryption requires use of the inverse matrix
– with larger coefficients, hence a little harder
• have an alternate characterisation
– each column a 4-term polynomial
– with coefficients in GF(2^8)
– and polynomials multiplied modulo (x^4 + 1)
Add Round Key
• XOR state with 128-bits of the round key
• again processed by column (though effectively
a series of byte operations)
• inverse for decryption identical
– since XOR own inverse, with reversed keys
• designed to be as simple as possible
– a form of Vernam cipher on expanded key
– requires other stages for complexity / security
Add Round Key (figure)
AES Round (figure)
AES Key Expansion
• takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words
• this is sufficient to provide a four-word round key for the initial AddRoundKey stage and each of the 10 rounds of the cipher
AES Key Expansion (Pseudocode)
KeyExpansion(byte key[16], word w[44])
{
    word temp;
    for (i = 0; i < 4; i++)
        w[i] = (key[4*i], key[4*i+1], key[4*i+2], key[4*i+3]);
    for (i = 4; i < 44; i++)
    {
        temp = w[i – 1];
        if (i mod 4 = 0)
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/4];
        w[i] = w[i – 4] ⊕ temp;
    }
}
AES Key Expansion
• The key is copied into the first four words of the expanded key.
• The remainder of the expanded key is filled in four words at a time. Each added word w[i] depends on the immediately preceding word, w[i – 1], and the word four positions back, w[i – 4].
• In three out of four cases, a simple XOR is used. For a word whose position in the w array is a multiple of 4, a more complex function is used.
• The figure illustrates the generation of the expanded key, using the symbol g to represent that complex function. The function g consists of the following subfunctions.
AES Key Expansion (figure)
1. RotWord performs a one-byte circular left shift on a word. This means that an input word [B0, B1, B2, B3] is transformed into [B1, B2, B3, B0].
2. SubWord performs a byte substitution on each byte of its input word, using the S-box (Table).
3. The result of steps 1 and 2 is XORed with a round constant, Rcon[j].
• The round constant is a word in which the three rightmost bytes are always 0.
• Thus, the effect of an XOR of a word with Rcon is to only perform an XOR on the leftmost byte of the word. The round constant is different for each round and is defined as
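An added example (not from the slides or FIPS-197) that builds the AES byte-level pieces described in the Mathematical Preliminaries, SubBytes, MixColumns and Key Expansion slides from first principles: GF(2^8) multiplication modulo m(x), the S-box as inverse followed by the FIPS-197 affine map with c = {63}, MixColumns with its inverse matrix, and AES-128 KeyExpansion with Rcon generated as successive powers of x. Function names are this example's own.

```python
AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, bits 8 down to 0

def gf_mul(a, b):
    """Multiply two bytes as GF(2^8) elements; reduce modulo m(x) whenever degree 8 appears."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:        # x^8 term present: subtract (XOR) m(x)
            a ^= AES_POLY
        b >>= 1
    return result

def gf_inv(a):
    """Multiplicative inverse as a^254 (since a^255 = 1 for a != 0); {00} maps to itself."""
    result, exponent = 1, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result

def sub_byte(b):
    """SubBytes on one byte: GF(2^8) inverse, then the FIPS-197 affine map over GF(2):
    b'_i = b_i ^ b_((i+4)%8) ^ b_((i+5)%8) ^ b_((i+6)%8) ^ b_((i+7)%8) ^ c_i, c = {63}."""
    x = gf_inv(b)
    out = 0
    for i in range(8):
        bit = (x >> i) ^ (0x63 >> i)
        for k in (4, 5, 6, 7):
            bit ^= x >> ((i + k) % 8)
        out |= (bit & 1) << i
    return out

SBOX = [sub_byte(b) for b in range(256)]   # the 16x16 table the slides describe

MIX_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX_MATRIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(column, matrix=MIX_MATRIX):
    """MixColumns on one 4-byte column: each output byte is a GF(2^8) dot product
    of a matrix row with the column. Pass INV_MIX_MATRIX to undo it."""
    return [gf_mul(row[0], column[0]) ^ gf_mul(row[1], column[1])
            ^ gf_mul(row[2], column[2]) ^ gf_mul(row[3], column[3])
            for row in matrix]

def key_expansion(key):
    """AES-128 KeyExpansion as in the slides' pseudocode: 16-byte key -> w[0..43] (4-byte lists)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01                                   # Rcon[1] = {01}; Rcon[j] = x * Rcon[j-1]
    for i in range(4, 44):
        temp = list(w[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[byte] for byte in temp]  # SubWord
            temp[0] ^= rcon                       # Rcon's three rightmost bytes are 0
            rcon = gf_mul(rcon, 0x02)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w
```

The S-box entry {95} -> {2A} quoted on the slides and the FIPS-197 Appendix A.1 key-expansion vector are good checks to run against this code.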
Key Expansion Rationale
• designed to resist known attacks
• design criteria included
– knowing part key insufficient to find many more
– invertible transformation
– fast on wide range of CPUs
– use round constants to break symmetry
– diffuse key bits into round keys
– enough non-linearity to hinder analysis
– simplicity of description
AES Decryption
• AES decryption is not identical to encryption
since steps done in reverse
• but can define an equivalent inverse cipher
with steps as for encryption
– but using inverses of each step
– with a different key schedule
• works since result is unchanged when
– swap byte substitution & shift rows
– swap mix columns & add (tweaked) round key
AES Decryption (figure)
AES Example (figures: key expansion, encryption, avalanche)
Implementation Aspects
• can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
– shift rows is simple byte shift
– add round key works on byte XORs
– mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XORs
Implementation Aspects
• can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256 words
– then each column in each round can be computed using 4 table lookups + 4 XORs
– at a cost of 4 KB to store tables
• designers believe this very efficient implementation was a key factor in its selection as the AES cipher
