Lecture 3

Data Encryption Standard

• 􀂄We focus now on the most widely used symmetric cipher: DES
– 􀂉DES has been replaced by AES as a standard
– 􀂉We will use DES to illustrate the principles of modern symmetric
ciphers
• 􀂄Adopted in 1977 by the National Bureau of Standards (US),
nowadays NIST
• 􀂄Originates from an IBM project from late 1960s led by Feistel
– 􀂉Project ended in 1971 with the development of LUCIFER (key 128
bits)
– 􀂉LUCIFER was then refined with the help of NSA to produce DES (key
56 bits)
– 􀂉Immediate criticism: the reduction in key length was enormous and the
internal details of the design were (and remained) classified information
– 􀂉1994: DES is reaffirmed as a standard for 5 more years
– 􀂉1999: DES should only be used for legacy systems and 3DES should
replace it
 Block cipher principles

• Stream cipher is one that encrypts a digital data

stream one bit (or byte) at a time
– 􀂉Example: autokey Vigenère system
• 􀂄Block cipher is one in which the plaintext is
divided in blocks and one block is encrypted at
one time producing a ciphertext of equal length
– 􀂉Similar to substitution ciphers on very big
characters: 64 bits or 128 bits are typical block
lengths
– 􀂉Many modern ciphers are block ciphers
Principle: Substitution-Permutation
Ciphers
• 􀂄Claude Shannon (1949) introduced idea of substitution-
permutation (S-P) networks
– 􀂉These form the basis for modern substitution-transposition
product cipher
• 􀂄S-P networks are based on the two primitive
cryptographic operations
• 􀂉 substitution(S-box)
• 􀂉 permutation (P-box)
• 􀂄The goal is to provide confusion and diffusion of
message
•
Shannon’s building blocks
Shannon proposed product ciphers with
two components
– S-Boxes -- substitution
• providing confusion of input bits
– P-Boxes -- permutation
• providing diffusion across S-box inputs
• n rounds of S-P boxes
 Confusion and Diffusion
• Cipher need to completely obscure statistical
properties of original message
– 􀂉A one-time pad does this
• Diffusion
– Makes the statistical relationship plaintext -ciphertext
as complex as possible
– Achieved by requiring that every digit of the plaintext
affects many digits of the ciphertext (equivalently,
every digit of the ciphertext is affected by many digits
of the plaintext
 Confusion & Diffusion
• Diffusion complicates the statistics of the cipher text, and
makes it difficult to discover the key of the encryption
process.
• The process of confusion, makes the use of the key so
complex, that even when an attacker knows the
statistics, it is still difficult to deduce the key.
• Confusion can be accomplished by using a complex
substitution algorithm.
• The principles of confusion and diffusion are the most
essential concepts in the design of modern block ciphers
they defend against statistical attacks
 Feistel Cipher Structure
• Virtually all modern block encryption algorithms use the Feistel
structure
• 􀂄Horst Feistel was the leader of the IBM team that worked in late
1960s on LUCIFER
• 􀂄He devised the so-called “feistelcipher”
• 􀂄Algorithm structure –perform n rounds, each round has the
following structure (for encryption and decryption):
– 􀂉Input is of length 2w (bits), key is K
– 􀂉Divide the input into two halves L0and R0
– 􀂉L1= R0, R1=L0⊕f(R0,K)
– 􀂉In the next round use (L1, R1) instead of (L0, R0), etc.
– 􀂉Function f is the same in all rounds but uses a different subkeyin each
round –the subkeyof each round is generated from the key
 Feistel Cipher Structure
• Block size: larger block sizes mean greater
security
• Key Size: larger key size means greater security
• Number of rounds: multiple rounds offer
increasing security
• Subkey generation algorithm: greater
complexity will lead to greater difficulty of
cryptanalysis.
• Fast software encryption/decryption: the speed
of execution of the algorithm becomes a concern
 Sub key
• Sub keys are created from the original key
by a key expansion algorithm designed for
multiple-round ciphers called a key
schedule. A popular method of combining
a sub key with data is bitwise XOR. In
each round, after the key mixing, the data
is scrambled further using substitution and
permutation functions.
 SOLVE TO GET POINTS
On 2 August 1943, Australian Coast watcher Lieutenant Arthur Reginald Evans of
the Royal Australian Naval Volunteer Reserve saw a pinpoint of flame on the dark
waters of Blackett Strait from his jungle ridge on Kolombangara Island, one of the
Solomons. He did not know that the Japanese destroyer Amagiri had rammed and
sliced in half an American patrol boat PT-109, under the command of Lieutenant
John F. Kennedy, United States Naval Reserve. Evans received the following
message at 0930 on the morning of the 2 of August 1943:

KXJEY UREBE ZWEHE WRYTU HEYFSKREHE GOYFI WTTTU OLKSY CAJPO

BOTEI ZONTX BYBNT GONEY CUZWRGDSON SXBOU YWRHE BAAHY USEDQ

The key used was royal new zealand navy.

When the PT-109 American patrol boat, under the command of
Lieutenant John F. Kennedy, was sunk by a Japanese destroyer, a
message was received at an Australian wireless station in Playfair
 Data Encryption Standard

• 􀂄We focus now on the most widely used symmetric cipher: DES
– 􀂉DES has been replaced by AES as a standard
– 􀂉We will use DES to illustrate the principles of modern symmetric
ciphers
• 􀂄Adopted in 1977 by the National Bureau of Standards (US),
nowadays NIST
• 􀂄Originates from an IBM project from late 1960s led by Feistel
– 􀂉Project ended in 1971 with the development of LUCIFER (key 128
bits)
– 􀂉LUCIFER was then refined with the help of NSA to produce DES (key
56 bits)
– 􀂉Immediate criticism: the reduction in key length was enormous and the
internal details of the design were (and remained) classified information
– 􀂉1994: DES is reaffirmed as a standard for 5 more years
– 􀂉1999: DES should only be used for legacy systems and 3DES
shouldreplace it
 Conventional Encryption
Algorithms
• Data Encryption Standard (DES)
– The most widely used encryption scheme
– The algorithm is reffered to the Data
Encryption Algorithm (DEA)
– DES is a block cipher
– The plaintext is processed in 64-bit blocks
– The key is 56-bits in length
 DES encryption scheme

• 􀂄The plaintext (64 bits) passes through an

initial permutation IP(on 64 bits)
• 􀂄Then follow 16 identical rounds –in each
round a different sub key is used; each
sub key is generated from the key
• 􀂄After round 16, swap the left half with the
right half
• 􀂄Apply the inverse of the initial
permutation IP-1(on 64 bits)
 Sub key generation
Before round 1 of DES, they key is permuted
according to a table labeled Permuted Choice
One –the resulting 56-bit key is split into its two
28-bit halves labeled C0and D0􀂄
• In each round, Ci-1 and Di-1 are separately
subjected to a circular left shift of one or two bits
according to the table on the next slide –the
shifted values will be input to next round􀂄
• The shifted values serve as input to Permuted
Choice Two which produces a 48-bit output: the
sub key of the current round
 Example of DES
• M = 0123456789ABCDEF
– M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100
1101 1110 1111

• K = 133457799BBCDFF1
– K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111
11110001
 Step 1: Create 16 sub keys, each of which is 48-bits
long.

• In the general scheme of DES is shown that a 64-bit key is used –the bits of the key
are numbered from 1 to 64. 􀂄
• The algorithm ignores every 8, 16, 24, 32, 40, 48, 56, and 64 bit –thus, the key for
DES is effectively 56-bit long
 Sub keys cont’d
• Example: From the original 64-bit key
– K = 00010011 00110100 01010111 01111001
10011011 10111100 11011111 11110001
– we get the 56-bit permutation
• K+ = 1111000 0110011 0010101 0101111
0101010 1011001 1001111 0001111
• Next, split this key into left and right halves, C0
and D0, where each half has 28 bits.
Example: From the permuted key K+, we get
C0 = 1111000 0110011 0010101 0101111
D0 = 0101010 1011001 1001111 0001111

C1 = 1110000110011001010101011111
D1 = 1010101011001100111100011110
C2 = 1100001100110010101010111111
D2 = 0101010110011001111000111101
C3 = 0000110011001010101011111111
D3 = 0101011001100111100011110101
C4 = 0011001100101010101111111100
D4 = 0101100110011110001111010101
C5 = 1100110010101010111111110000
D5 = 0110011001111000111101010101
C6 = 0011001010101011111111000011
D6 = 1001100111100011110101010101
C7 = 1100101010101111111100001100
D7 = 0110011110001111010101010110
…
……….
Sub key contd
• We now form the keys Kn, for 1<=n<=16, by
applying the following permutation table to each of
the concatenated pairs CnDn. Each pair has 56

bits, but PC-2 only uses 48 of these

• Example: For the first key we

have C1D1 = 1110000 1100110
0101010 1011111 1010101
0110011 0011110 0011110
• which, after we apply the
permutation PC-2, becomes
• K1 = 000110 110000 001011
101111 111111 000111 000001
110010
 Sub key gnerated
• For the other keys we have
• K2 = 011110 011010 111011 011001 110110 111100 100111 100101
K3 = 010101 011111 110010 001010 010000 101100 111110 011001
K4 = 011100 101010 110111 010110 110110 110011 010100 011101
K5 = 011111 001110 110000 000111 111010 110101 001110 101000
K6 = 011000 111010 010100 111110 010100 000111 101100 101111
K7 = 111011 001000 010010 110111 111101 100001 100010 111100
K8 = 111101 111000 101000 111010 110000 010011 101111 111011
K9 = 111000 001101 101111 101011 111011 011110 011110 000001
K10 = 101100 011111 001101 000111 101110 100100 011001 001111
K11 = 001000 010101 111111 010011 110111 101101 001110 000110
K12 = 011101 010111 000111 110101 100101 000110 011111 101001
K13 = 100101 111100 010111 010001 111110 101011 101001 000001
K14 = 010111 110100 001110 110111 111100 101110 011100 111010
K15 = 101111 111001 000110 001101 001111 010011 111100 001010
K16 = 110010 110011 110110 001011 000011 100001 011111 110101
 Step 2: Encode each 64-bit block of
data
• M = 0123456789ABCDEF
– M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

• There is an initial permutation IP of the 64 bits of the message data M. This rearranges the bits
according to the following table
• Example: Applying the initial permutation to the block of text M, given previously, we get
• M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110
1111
IP = 1100 1100 0000 0000 1100 1100 1111 1111 1111 0000 1010 1010 1111 0000 1010
1010
 Step 2 contd
• Next divide the permuted block IP into a left half L0 of 32 bits, and a right half R0 of
32 bits.
• Example: From IP, we get L0 and R0
• L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
• for 1<=n<=16, using a function f which operates on two blocks--a data block
of 32 bits and a key Kn of 48 bits--to produce a block of 32 bits. Let +
denote XOR addition, Then for n going from 1 to 16 we calculate
• Ln = Rn-1
Rn = Ln-1 + f(Rn-1,Kn)
• Example: For n = 1, we have
– K1 = 000110 110000 001011 101111 111111 000111 000001 110010
L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)
 Step 2 contd
• To calculate f, we first expand each block Rn-1 from 32 bits to 48 bits. This is done by
using a selection table
• Example: We calculate E(R0) from R0 as follows:
• R0 = 1111 0000 1010 1010 1111 0000 1010 1010
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101

• Note that each block of 4 original bits has been

expanded to a block of 6 output bits
 Step 2 contd
• Next in the f calculation, we XOR the
output E(Rn-1) with the key Kn:
• Kn + E(Rn-1).
• Example: For K1 , E(R0), we have
• K1 = 000110 110000 001011 101111 111111 000111 000001 110010
E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
K1+E(R0) = 011000 010001 011110 111010 100001 100110 010100
100111
• We have not yet finished calculating the function f . To this point we have
expanded Rn-1 from 32 bits to 48 bits, using the selection table, and
XORed the result with the key Kn . We now have 48 bits, or eight groups of
six bits.
 Step 2 contd
• with each group of six bits: we use them
as addresses in tables called "S boxes"
• Write the previous result, which is 48 bits,
in the form:
• Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,
• where each Bi is a group of six bits. We
now calculate
• S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6
)S7(B7)S8(B8)
S-boxes
• Example: consider the input
011001 to S-box S1􀂄
• The row is 011001:01(i.e. 1)􀂄
• The column is 011001: 1100
(i.e. 12)􀂄
• The value in the selected cell
is 9􀂄Output is 1001
• Example: For the first round, we
obtain as the output of the eight S
boxes:
• K1 + E(R0) = 011000 010001 011110
111010 100001 100110 010100
100111.
• S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6
(B6)S7(B7)S8(B8) = 0101 1100 1000
0010 1011 0101 1001 0111
 Step 2 contd
• The final stage in the calculation of f is to do a permutation P of the S-box output to obtain
the final value of f:
• f = P(S1(B1)S2(B2)...S8(B8))
• P yields a 32-bit output from a 32-bit input by permuting the bits of the input block
• Example: From the output of the eight S boxes:
• S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011
0101 1001 0111 we get f = 0010 0011 0100 1010 1010 1001 1011 1011
• R1 = L0 + f(R0 , K1 )
= 1100 1100 0000 0000 1100 1100 1111 1111
+ 0010 0011 0100 1010 1010 1001 1011 1011

= 1110 1111 0100 1010 0110 0101 0100 0100

 Step 2 contd
• We then reverse the order of the two blocks into
the 64-bit block R16L16
• and apply a final permutation IP-1 as defined by the
following table:
 Step 2 contd
• Example: If we process all 16 blocks using the method
defined previously, we get, on the 16th round,
• L16 = 0100 0011 0100 0010 0011 0010 0011 0100
R16 = 0000 1010 0100 1100 1101 1001 1001 0101
• We reverse the order of these two blocks and apply the
final permutation to
• R16L16 = 00001010 01001100 11011001 10010101
01000011 01000010 00110010 00110100
• IP-1 = 10000101 11101000 00010011 01010100
00001111 00001010 10110100 00000101
• which in hexadecimal format is
• 85E813540F0AB405.
 Strength of DES

􀂄Two main concerns with DES: the length of the

key and the nature of the algorithm
• 􀂄The key is rather short: 56 bits –
– 􀂉In average, only half of the keys have to be tried to
break the system
– 􀂉In principle it should take long time to break the
system
– 􀂉Things are quicker with dedicated hardware: 1998 –
a special machine was built for less than 250 000 $
breaking DES in less than 3 days, 2006 –estimates
are that a hardware costing around 20.000$ may
break DES within a day
 Strength of DES
• Nature of the algorithm
• 􀂄There has always been a concern about the design of DES,
especially about the design of S-boxes –perhaps they have been
designed in such a way as to ensure a trapdoor to the algorithm –
break it without having to search for the key
• 􀂉The design criteria for the S-boxes (and for the rest of the
algorithm) have been classified information and NSA was involved
in the design
• 􀂉Many regularities and unexpected behavior of the S-boxes have
been reported
• 􀂉On the other hand, changing the S-boxes slightly seems to
weaken the algorithm
• 􀂉No fatal weaknesses in the S-boxes have been (publicly) reported
so far
 Analysis of DES
• 􀂄Avalanche effect: this is a desirable property of any
encryption algorithm
• 􀂉A small change (even 1 bit) in the plaintext should
produce significant change in the ciphertext
• 􀂄Example: consider two blocks of 64 zeros and in the
second block rewrite 1 on the first position. Encrypt them
both with DES: depending on the key, the result may
have 34 different bits!
• 􀂉A small change (even 1 bit) in the key should produce
significant change in the ciphertext
• 􀂄Example: a change of one bit in the DES key may
produce 35 different bits in the encryption of the same
plaintext
 Most important symmetric ciphers
currently in use

• Triple DES
• 􀂉RC5
• 􀂉RC4
• 􀂉Blowfish (read from the book or other
reference)
 Replacing DES

• 􀂄DES is vulnerable nowadays to a brute-force

attack
• 􀂄It is replaced as a standard by AES
• 􀂄There has been interest to provide another
algorithm during the transition to AES
• 􀂄Also interest to preserve the existing
investment in software and hardware, increasing
the security
• 􀂄Solution: 2 DES
 Obvious solution: double DES

• 􀂄Use two keys K1, K2 and encrypt the text

using the two keys

• C=EK2(EK1(P))
• 􀂄To decrypt simply use DES decryption twice

• P=DK1(DK2(C))
• 􀂄The scheme involves now a key of 112 bits
which should make it much more secure than
DES, at least in principle
 Meet-in-the-middle attack
• The meet-in-the-middle attack targets block cipher cryptographic
functions

• Main observation: if C=EK2(EK1(P)), then

• X=EK1(P)=DK2(C)
• 􀂄Assume we have two pairs of plaintext-ciphertext (of only one byte
each!)
• 􀂄Given a known pair (P,C) attack as follows:
– 􀂉Encrypt P for all 2^56possible keys K1
– 􀂉Store the results in a table and sort the table by the values of X
– 􀂉Decrypt C using all possible 2^56possible keys K2
– 􀂄For each decryption check the result in the table
– 􀂄In case of match, either we have the answer, or a false positive
– 􀂄Test the two keys with the second pair of plaintext-ciphertext: if they
match, the correct keys were found
 Triple DES
• use three stages of encryption with three
different keys
• C=EK3(EK2(EK1(P)))
– 􀂉Drawback: keys is now 168 bits which
makes it slower
– 􀂉Alternative: 3DES with 2 keys: K3=K1
• 􀂄Another alternative: instead of three
encryptions, use 2 encryptions and one
decryption
 Triple DES
• Use three keys and three executions of
the DES algorithm (encrypt-decrypt-
encrypt)
C = EK3[DK2[EK1[P]]]
• C = ciphertext
• P = Plaintext
• EK[X] = encryption of X using key K
• DK[Y] = decryption of Y using key K
Triple DEA