[Draft]Block Ciphers - DeS

Uploaded by

mohmmedhhg6d

Block Ciphers - DES

Stream & Block Ciphers

• Stream ciphers: encrypt one bit/byte at a time
  ◦ Examples: OTP, autokeyed Vigenère cipher, RC4
  ◦ Problem: key sharing. A practical solution is to use a strongly secured key-generator function that produces an unpredictable stream of bits, given any portion of the bits.
• Block ciphers: encrypt N bits at once
Stream & Block Ciphers
Feistel Cipher Structure

• Feistel proposed [FEIS73] that we can approximate the ideal block cipher by utilizing the concept of a product cipher, which is the execution of two or more simple ciphers in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.
• It develops a block cipher with a key length of $k$ bits and a block length of $n$ bits, so that there are a total of $2^k$ transformations instead of $2^n!$.
• It alternates substitutions and permutations.
Ideal Block Cipher

• It is an arbitrary reversible substitution cipher for a large block size.
• The mapping itself constitutes the key.
• Therefore, it is not practical, from an implementation and performance point of view.
General $n$-to-$n$ bit Block Substitution

• For an $n$-to-$n$ bit mapping, there are $2^n!$ possible mappings.
• If $n$ is large enough, the statistical characteristics of the source plaintext are masked to such an extent that this type of cryptanalysis is infeasible.

Plaintext   Ciphertext (irreversible mapping)   Ciphertext (reversible mapping)
00          11                                  11
01          01                                  01
10          00                                  00
11          01                                  10
Block Substitution Keys

• Keys should determine the mapping. How?
• The key could equal all ciphertexts concatenated
  ◦ i.e. Key $= C_0 \| C_1 \| \cdots \| C_{n-1}$
  ◦ The key will be $n \times 2^n$. Too much for large $n$ (e.g. $n \ge 64$)
• The key could be the arguments of a linear equation.
  ◦ Problem: similar to Hill, it is easier to extract the key using known-plaintext attacks (i.e. given some ciphertexts with their corresponding plaintexts).
Claude Shannon and Substitution-Permutation Ciphers

• Claude Shannon proposed to develop a product cipher that alternates confusion and diffusion functions.
• His concern was to thwart cryptanalysis based on statistical analysis.
• Confusion – makes the relationship between ciphertext and key as complex as possible.
  ◦ Implemented using a complex substitution function (S-Box).
• Diffusion – dissipates the statistical structure of the plaintext into long-range statistics of the ciphertext.
  ◦ One plaintext digit/symbol affects many digits/symbols of the ciphertext, and vice versa.
  ◦ Example: $C_n = \sum k_i m_i \bmod 26$
  ◦ In binary, it is achieved as $C = F(P(m))$, where $F$ and $P$ are a function and a permutation (P-Box) respectively.
• The Feistel cipher structure is based on Shannon's proposal, and it is the structure used by a number of significant symmetric block ciphers currently in use.
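Statistical and Mathematical Relationships

[Figure: diagram relating Plaintext, Ciphertext and Key. "Diffusion" labels the statistical relationship between plaintext and ciphertext; "Confusion" labels the relationship involving the key.]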
Feistel Cipher Design Elements

• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
  ◦ Expansion/Compression Permutation and Substitution function (S-BOX)
• fast software en/decryption
• ease of analysis
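DES: core idea – Feistel Network

• Given functions $f_1, \dots, f_d : \{0,1\}^n \to \{0,1\}^n$
• Goal: build an invertible function $F : \{0,1\}^{2n} \to \{0,1\}^{2n}$

[Figure: Feistel network. The input is two $n$-bit halves $L_0$, $R_0$; each round $i$ applies $f_i$ and an XOR ($\oplus$) to produce $L_i$, $R_i$, up to the output $L_d$, $R_d$.]

In symbols:

$$\begin{cases} L_i = R_{i-1} \\ R_i = L_{i-1} \oplus f_i(R_{i-1}) \end{cases}$$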
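
The construction above is invertible even when the round functions are not. The following added example (not part of the original slides) demonstrates this with an assumed, deliberately non-invertible round function built from truncated SHA-256; the names `round_fn`, `feistel`, `encrypt` and `decrypt` and the sample key are hypothetical. The halves are swapped at the end, as DES does with $R_{16} \| L_{16}$, so decryption is the same network with the rounds in reverse order.

```python
import hashlib

def round_fn(key: bytes, i: int, r: bytes) -> bytes:
    # Assumed stand-in for f_i: truncated SHA-256, deliberately not invertible.
    return hashlib.sha256(key + bytes([i]) + r).digest()[:len(r)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, key: bytes, order) -> bytes:
    """Run the rounds listed in `order`, then swap halves (output R_d || L_d)."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for i in order:
        # L_i = R_{i-1},  R_i = L_{i-1} XOR f_i(R_{i-1})
        L, R = R, xor(L, round_fn(key, i, R))
    return R + L

def encrypt(block: bytes, key: bytes, d: int = 16) -> bytes:
    return feistel(block, key, range(1, d + 1))

def decrypt(block: bytes, key: bytes, d: int = 16) -> bytes:
    # Same network; only the order of the round functions is reversed.
    return feistel(block, key, range(d, 0, -1))

if __name__ == "__main__":
    key = b"constructed-key"   # constructed sample key
    pt = b"Hello Dr"           # one 8-byte block
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key))
```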
Data Encryption Standard (DES)

• most widely used block cipher in the world
• adopted in 1977 by NBS (now NIST)
  ◦ as FIPS PUB 46
• encrypts 64-bit data using a 56-bit key
• has widespread use
• there has been considerable controversy over its security
DES History

• IBM developed the Lucifer cipher
  ◦ by a team led by Feistel in the late 60's
  ◦ used 64-bit data blocks with a 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued a request for proposals for a national cipher standard
• IBM submitted their revised Lucifer, which was eventually accepted as the DES
DES Design Controversy

• although the DES standard is public
• there was considerable controversy over its design
  ◦ in the choice of a 56-bit key (vs Lucifer's 128-bit)
  ◦ and because the design criteria were classified
• subsequent events and public analysis show that the design was in fact appropriate
• use of DES has flourished
  ◦ especially in financial applications
  ◦ still standardised for legacy application use
DES Encryption Overview
DES Key Schedule

• forms the subkeys used in each round
  ◦ initial permutation of the key (PC1), which selects 56 bits in two 28-bit halves
  ◦ 16 stages consisting of:
    ▪ rotating each half separately either 1 or 2 places, depending on the key rotation schedule K
    ▪ selecting 24 bits from each half and permuting them by PC2 for use in round function F
• note practical use issues in h/w vs s/w
DES

• Data length is 64 bits = 8 bytes
• Key length is 8 bytes, with the 8th bit of every byte ignored: 8 × 7 = 56 bits

[Figure: the key laid out as bytes with bit positions 1 to 8 in each byte; 8 × 7 = 56 bits.]
DES | Example

• Example:
  ◦ DES(m,k) = DES(0x8787878787878787, 0x0E329232EA6D0D73) = 0x0000000000000000
• What if the message isn't a multiple of 8 bytes?
  ◦ The message should be padded to become a multiple of 8 bytes.
  ◦ Example: "Hello Dr Adnan"

Padding

Position   1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
Character  H  e  l  l  o  ␣  D  r  ␣  A  d  n  a  n  (pad) (pad)
Hex        48 65 6C 6C 6F 20 44 72 20 41 64 6E 61 6E 00 00
DES | SubKey Generation | 1st Step

• K = 133457799BBCDFF1, K(64b) = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
• PK(56b) = $P(K, P_1)$ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111, where $P(K, P_1)$ denotes the permutation of the binary sequence K using the first permutation indices sequence $P_1$.

Key bits by index:

Index 1-32   (hex 1 3 3 4 5 7 7 9):  0001 0011 0011 0100 0101 0111 0111 1001
Index 33-64  (hex 9 B B C D F F 1):  1001 1011 1011 1100 1101 1111 1111 0001

Permutation indices and the resulting permuted key bits:

Permutation (outputs 1-32):   57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39
PermKey (outputs 1-32):       1 1 1 1 0 0 0 0 1 1 0 0 1 1 0 0 1 0 1 0 1 0 1 0 1 1 1 1 0 1 0 1
Permutation (outputs 33-56):  31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4
PermKey (outputs 33-56):      0 1 0 1 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 0 1 1 1 1

Initial Key Permutation

[Figure: initial key permutation, with key bit positions 8, 16, 24, 32, 40, 48, 56 and 64 marked.]
DES | 16 SubKeys Generation

• PK(56b) = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111
• Divide the permuted key (PK) into 2 divisions
  ◦ $C_0$ = 1111000 0110011 0010101 0101111, $D_0$ = 0101010 1011001 1001111 0001111
• Now create the 16 subkeys by left circular shifting, i.e. $X_n = CLS(X_{n-1}, S_n)$, where $S_n$ denotes the number of cyclic left shifts for the $n$th iteration, $CLS$ denotes the cyclic left shift, and $X_n$ denotes either $C_n$ or $D_n$.
  ◦ $C_1$ = 1110000110011001010101011111, $D_1$ = 1010101011001100111100011110
  ◦ $C_2$ = 1100001100110010101010111111, $D_2$ = 0101010110011001111000111101

Iteration number               1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16
Number of cyclic left shifts   1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
DES | 16 SubKeys Generation | Contd.

• $K_n = P(C_n \| D_n, P_2)$, where $\|$ denotes concatenation and $P_2$ denotes the second permutation indices sequence.
• $P_2 = PC2$ = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
• All subkeys $K_n$ are 48 bits, since the length of $P_2$ is 48.
DES SubKey Generation
DES | Message | Initial Permutation

• $\bar{M} = P(M, IP) = L_0 \| R_0$
• $L_n = R_{n-1}$, $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$
• $f = P(S(B), SP)$, where $B = K_n \oplus P(R_{n-1}, EP) = [B_1 B_2 B_3 B_4 B_5 B_6 B_7 B_8]$ and $B_n = [b_1^n\, b_2^n\, b_3^n\, b_4^n\, b_5^n\, b_6^n]$
• $S(B) = S_1(B_1), \dots, S_8(B_8)$, where $S_n(B_n) = S_n(col = b_2^n b_3^n b_4^n b_5^n,\ row = b_1^n b_6^n)$; the outer bits $b_1^n b_6^n$ form the row index and the middle bits the column index.
• $C = P(R_{16} \| L_{16}, IP^{-1})$

IP (initial permutation)
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7

EP (expansion permutation)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

SP (permutation after substitution)
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25

IP-1 (inverse initial permutation)
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
DES | S Boxes (One per Block B)

S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

The S-boxes

$S_i : \{0,1\}^6 \to \{0,1\}^4$
$S_5 : 011011 \to 1001$
DES Round Structure
DES Structure Overview
The Avalanche Effect

• A small change in either the plaintext or the key should produce a significant change in the ciphertext.
• It is a desirable property of any encryption algorithm.
• DES exhibits strong avalanche.
Strength of DES – Key Size

• 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
• brute force search looks hard
• recent advances have shown it is possible
  ◦ in 1997 on the Internet in a few months
  ◦ in 1998 on dedicated h/w (EFF) in a few days
  ◦ in 1999 the above combined in 22 hrs!
• still must be able to recognize plaintext
• must now consider alternatives to DES
Triple-DES (3DES)
