UNIT-II (BLOCK CIPHER)
2.1 Data Encryption Standard (DES)
The Data Encryption Standard (DES) is a symmetric-key block cipher published by the
National Institute of Standards and Technology (NIST).
DES is an implementation of a Feistel cipher. It uses a 16-round Feistel structure. The block size
is 64 bits. Although the key length is 64 bits, DES has an effective key length of 56 bits, since 8 of
the 64 bits of the key are not used by the encryption algorithm (they function as check bits only).
General Structure of DES is depicted in the following illustration −
Since DES is based on the Feistel Cipher, all that is required to specify DES is −
Round function
Key schedule
Any additional processing − Initial and final permutation
2.1.1 Modes of DES
Initial and Final Permutation
The initial and final permutations are straight permutation boxes (P-boxes) that are inverses of
each other. They have no cryptographic significance in DES. The initial and final permutations
are shown as follows −
Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the
rightmost 32 bits to produce a 32-bit output.
Expansion Permutation Box − Since the right input is 32 bits and the round key is 48 bits, we
first need to expand the right input to 48 bits. The permutation logic is graphically depicted in
the following illustration −
The graphically depicted permutation logic is generally described as a table in the DES
specification, illustrated as shown −
XOR (Whitener) − After the expansion permutation, DES performs an XOR operation on the
expanded right section and the round key. The round key is used only in this operation.
Substitution Boxes − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes,
each with a 6-bit input and a 4-bit output. Refer to the following illustration −
The S-box rule is illustrated below −
There are a total of eight S-box tables. The output of all eight S-boxes is then combined
into a 32-bit section.
Straight Permutation − The 32-bit output of the S-boxes is then subjected to the straight
permutation with the rule shown in the following illustration:
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of
key generation is depicted in the following illustration −
The logic for Parity drop, shifting, and Compression P-box is given in the DES description.
2.1.2 Analysis In DES
DES satisfies both of the desired properties of a block cipher. These two properties make the
cipher very strong.
Avalanche effect − A small change in the plaintext results in a very large change in the
ciphertext.
Completeness − Each bit of ciphertext depends on many bits of plaintext.
During the last few years, cryptanalysis has found some weaknesses in DES when the keys
selected are weak keys. These keys should be avoided.
DES has proved to be a very well designed block cipher. There have been no significant
cryptanalytic attacks on DES other than exhaustive key search.
The speed of exhaustive key searches against DES after 1990 began to cause discomfort
amongst users of DES. However, users did not want to replace DES as it takes an enormous
amount of time and money to change encryption algorithms that are widely adopted and
embedded in large security architectures.
The pragmatic approach was not to abandon the DES completely, but to change the manner in
which DES is used. This led to the modified schemes of Triple DES (sometimes known as
3DES).
Incidentally, there are two variants of Triple DES, known as 3-key Triple DES (3TDES) and
2-key Triple DES (2TDES).
2.1.2.1 Triple DES (3-KEY Triple DES)
Before using 3TDES, the user first generates and distributes a 3TDES key K, which consists of
three different DES keys K1, K2 and K3. This means that the actual 3TDES key has length
3×56 = 168 bits. The encryption scheme is illustrated as follows −
The encryption-decryption process is as follows −
Encrypt the plaintext blocks using single DES with key K1.
Now decrypt the output of step 1 using single DES with key K2.
Finally, encrypt the output of step 2 using single DES with key K3.
The output of step 3 is the ciphertext.
Decryption of a ciphertext is the reverse process. The user first decrypts using K3, then
encrypts with K2, and finally decrypts with K1.
Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a
3TDES (hardware) implementation for single DES by setting K1, K2, and K3 to be the same
value. This provides backwards compatibility with DES.
2.1.2.2 Double DES
The second variant of Triple DES (2TDES) is identical to 3TDES except that K3 is replaced by K1.
In other words, the user encrypts plaintext blocks with key K1, then decrypts with key K2, and
finally encrypts with K1 again. Therefore, 2TDES has a key length of 112 bits.
Triple DES systems are significantly more secure than single DES, but they are clearly a much
slower process than encryption using single DES.
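The key properties described in this section (8 check bits per 64-bit key, weak keys to avoid, and the 3-key, 2-key and all-equal keying options) can be checked before a key bundle is accepted. The following is an added example, not part of the original notes; the function names and sample keys are constructed for illustration, and it assumes the usual DES convention that the lowest bit of each key byte is an odd-parity check bit. It goes one step beyond the text by also flagging K1 = K2 or K2 = K3, where the adjacent encrypt and decrypt steps cancel and only single DES remains.

```python
# The four DES weak keys, written with their odd-parity check bits set.
WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}

def parity_ok(key8):
    """True if every byte has an odd number of 1 bits (DES check-bit rule)."""
    return all(bin(b).count("1") % 2 == 1 for b in key8)

def set_odd_parity(key8):
    """Keep the 7 key bits of each byte and recompute the low check bit."""
    return bytes((b & 0xFE) | ((bin(b >> 1).count("1") + 1) % 2) for b in key8)

def effective_key(key8):
    """The 56 bits DES actually uses: the top 7 bits of each of the 8 bytes."""
    value = 0
    for b in key8:
        value = (value << 7) | (b >> 1)
    return value

def check_3des_bundle(bundle):
    """Return (keying option, effective key bits, findings) for K1|K2|K3."""
    if len(bundle) != 24:
        raise ValueError("expected 24 bytes: K1, K2 and K3 of 8 bytes each")
    parts = [bundle[i:i + 8] for i in (0, 8, 16)]
    findings = [f"K{i}: check bits are not odd parity"
                for i, k in enumerate(parts, 1) if not parity_ok(k)]
    findings += [f"K{i}: DES weak key"
                 for i, k in enumerate(parts, 1) if set_odd_parity(k) in WEAK_KEYS]
    # Compare the 56 effective bits, so keys differing only in check bits match.
    k1, k2, k3 = (effective_key(k) for k in parts)
    if k1 == k2 or k2 == k3:
        # E(K3, D(K2, E(K1, P))): an adjacent equal pair cancels out.
        return "single DES", 56, findings
    if k1 == k3:
        return "2TDES", 112, findings
    return "3TDES", 168, findings

# Constructed sample keys (not from the original notes).
KA = bytes.fromhex("0123456789ABCDEF")
KB = bytes.fromhex("FEDCBA9876543210")
KC = bytes.fromhex("89ABCDEF01234567")

if __name__ == "__main__":
    for name, bundle in [("3-key", KA + KB + KC), ("2-key", KA + KB + KA),
                         ("all equal", KA * 3), ("K1 = K2", KA + KA + KC),
                         ("weak K1", bytes.fromhex("01" * 8) + KB + KC)]:
        print(name, check_3des_bundle(bundle))
```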
2.1.3 Strength in DES
Strength-
The strength of DES lies in two facts:
a. The use of 56-bit keys: a 56-bit key is used in encryption, so there are 2^56 possible keys. A
brute force attack on such a number of keys is impractical.
b. The nature of the algorithm: a cryptanalyst can perform cryptanalysis by exploiting the
characteristics of the DES algorithm, but no one has succeeded in finding out the weakness.
Weakness- Weaknesses have been found in the design of the cipher:
a. Two chosen inputs to an S-box can create the same output.
b. The purpose of the initial and final permutations is not clear.
2.2 AES (Advanced Encryption Standard)
The features of AES are as follows −
Symmetric-key block cipher
128-bit data, 128/192/256-bit keys
Stronger and faster than Triple-DES
Provide full specification and design details
Software implementable in C and Java
Operation of AES
AES is an iterative rather than a Feistel cipher. It is based on a ‘substitution–permutation
network’. It comprises a series of linked operations, some of which involve replacing inputs by
specific outputs (substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the
128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four
rows for processing as a matrix −
Unlike DES, the number of rounds in AES is variable and depends on the length of the key.
AES uses 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit
keys. Each of these rounds uses a different 128-bit round key, which is calculated from the
original AES key.
2.2.1 Structure of AES
The schematic of AES structure is given in the following illustration −
Encryption Process
Here, we restrict ourselves to the description of a typical round of AES encryption. Each round
comprises four sub-processes. The first round process is depicted below −
Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in the design. The
result is a matrix of four rows and four columns.
ShiftRows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted
on the right side of the row. The shift is carried out as follows −
First row is not shifted.
Second row is shifted one (byte) position to the left.
Third row is shifted two positions to the left.
Fourth row is shifted three positions to the left.
The result is a new matrix consisting of the same 16 bytes but shifted with respect to
each other.
MixColumns
Each column of four bytes is now transformed using a special mathematical function. This
function takes as input the four bytes of one column and outputs four completely new bytes,
which replace the original column. The result is another new matrix consisting of 16 new bytes.
It should be noted that this step is not performed in the last round.
AddRoundKey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the
round key. If this is the last round then the output is the ciphertext. Otherwise, the resulting 128
bits are interpreted as 16 bytes and we begin another similar round.
Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the
reverse order. Each round consists of the four processes conducted in the reverse order −
Add round key
Mix columns
Shift rows
Byte substitution
Since the sub-processes in each round are carried out in reverse order, unlike for a Feistel
cipher, the encryption and decryption algorithms need to be separately implemented, although
they are very closely related.
2.2.2 Transforming function of AES
The AES encryption algorithm defines a number of transformations that are to be performed on
data stored in an array. The first step of the cipher is to put the data into an array; after which the
cipher transformations are repeated over a number of encryption rounds. The number of rounds
is determined by the key length, with 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and
14 rounds for 256-bit keys.
The first transformation in the AES encryption cipher is substitution of data using a substitution
table; the second transformation shifts data rows, the third mixes columns. The last
transformation is a simple exclusive or (XOR) operation performed on each column using a
different part of the encryption key -- longer keys need more rounds to complete.
AES encryption transforms array data by shuffling rows and columns, and substitutions based on
the encryption key.
AES Analysis
In present-day cryptography, AES is widely adopted and supported in both hardware and
software. To date, no practical cryptanalytic attacks against AES have been discovered.
Additionally, AES has built-in flexibility of key length, which allows a degree of
‘future-proofing’ against progress in the ability to perform exhaustive key searches.
2.3 Block Cipher Principles:
Encryption algorithms are divided into two categories based on input type: block ciphers and
stream ciphers. A block cipher is an encryption algorithm that takes a fixed-size input of, say, b
bits and produces a ciphertext of b bits. If the input is larger than b bits, it can be divided further.
For different applications and uses, there are several modes of operations for a block cipher.
These are procedural rules for a generic block cipher. Interestingly, the different modes result in
different properties being achieved which add to the security of the underlying block cipher.
A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger
than the block size. Hence, the long message is divided into a series of sequential message
blocks, and the cipher operates on these blocks one at a time.
2.3.1 Electronic Code Book (ECB) Mode
This mode is the most straightforward way of processing a series of sequentially listed message
blocks.
Operation
The user takes the first block of plaintext and encrypts it with the key to produce the first
block of ciphertext.
He then takes the second block of plaintext and follows the same process with the same key,
and so on.
The ECB mode is deterministic, that is, if plaintext blocks P1, P2, …, Pm are encrypted twice
under the same key, the output ciphertext blocks will be the same.
In fact, for a given key, we can technically create a codebook of ciphertexts for all possible
plaintext blocks. Encryption would then entail only looking up the required plaintext and
selecting the corresponding ciphertext. Thus, the operation is analogous to the assignment of
code words in a codebook, and hence gets its official name − Electronic Codebook mode of
operation (ECB). It is illustrated as follows −
Analysis of ECB Mode
In reality, any application data usually contains partial information which can be guessed. For
example, the range of a salary can be guessed. A ciphertext from ECB can allow an attacker to
guess the plaintext by trial-and-error if the plaintext message is predictable.
For example, if a ciphertext from the ECB mode is known to encrypt a salary figure, then a
small number of trials will allow an attacker to recover the figure. In general, we do not wish to
use a deterministic cipher, and hence the ECB mode should not be used in most applications.
Advantages of using ECB –
Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
Simple way of using a block cipher.
Disadvantages of using ECB –
Prone to cryptanalysis since there is a direct relationship between plaintext and ciphertext.
2.3.2 Cipher Block Chaining (CBC) Mode
CBC mode of operation provides message dependence for generating ciphertext and makes the
system non-deterministic.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows −
Load the n-bit Initialization Vector (IV) in the top register.
XOR the n-bit plaintext block with data value in top register.
Encrypt the result of XOR operation with underlying block cipher with key K.
Feed ciphertext block into top register and continue the operation till all plaintext blocks
are processed.
For decryption, the IV data is XORed with the decrypted first ciphertext block. The first
ciphertext block is also fed into the register, replacing the IV, for decrypting the next
ciphertext block.
Analysis of CBC Mode
In CBC mode, the current plaintext block is added to the previous ciphertext block, and then the
result is encrypted with the key. Decryption is thus the reverse process, which involves
decrypting the current ciphertext and then adding the previous ciphertext block to the result.
The advantage of CBC over ECB is that changing the IV results in a different ciphertext for an
identical message. On the drawback side, an error in transmission gets propagated to a few
further blocks during decryption due to the chaining effect.
It is worth mentioning that CBC mode forms the basis for a well-known data origin
authentication mechanism. Thus, it has an advantage for those applications that require both
symmetric encryption and data origin authentication.
Advantages of CBC –
CBC works well for input greater than b bits.
CBC is a good authentication mechanism.
Better resistance to cryptanalysis than ECB.
Disadvantages of CBC –
Parallel encryption is not possible since every encryption requires the previous ciphertext block.
2.3.3 Cipher Feedback Mode (CFB)
In this mode, each ciphertext block gets ‘fed back’ into the encryption process in order to
encrypt the next plaintext block.
Operation
The operation of CFB mode is depicted in the following illustration. For example, in the present
system, a message block has a size ‘s’ bits where 1 < s < n. The CFB mode requires an
initialization vector (IV) as the initial random n-bit input block. The IV need not be secret. Steps
of operation are −
Load the IV in the top register.
Encrypt the data value in top register with underlying block cipher with key K.
Take only ‘s’ number of most significant bits (left bits) of output of encryption process
and XOR them with ‘s’ bit plaintext message block to generate ciphertext block.
Feed ciphertext block into top register by shifting already present data to the left and
continue the operation till all plaintext blocks are processed.
Essentially, the previous ciphertext block is encrypted with the key, and then the result is
XORed to the current plaintext block.
Similar steps are followed for decryption. Pre-decided IV is initially loaded at the start of
decryption.
Analysis of CFB Mode
CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given
plaintext block depends not just on that plaintext block and the key, but also on the previous
ciphertext block. In other words, the ciphertext block is dependent on the message.
CFB has a very strange feature. In this mode, user decrypts the ciphertext using only the
encryption process of the block cipher. The decryption algorithm of the underlying block cipher
is never used.
Apparently, CFB mode is converting a block cipher into a type of stream cipher. The encryption
algorithm is used as a key-stream generator to produce key-stream that is placed in the bottom
register. This key stream is then XORed with the plaintext as in case of stream cipher.
By converting a block cipher into a stream cipher, CFB mode provides some of the
advantageous properties of a stream cipher while retaining the advantageous properties of a
block cipher.
On the flip side, the error of transmission gets propagated due to changing of blocks.
Advantages of CFB –
Since there is some data loss due to the use of the shift register, it is difficult to apply
cryptanalysis.
2.3.4 Output Feedback Mode (OFB)
It involves feeding the successive output blocks from the underlying block cipher back to it.
These feedback blocks provide a string of bits to feed the encryption algorithm, which acts as
the key-stream generator as in the case of CFB mode.
The key stream generated is XOR-ed with the plaintext blocks. The OFB mode requires an IV
as the initial random n-bit input block. The IV need not be secret.
The operation is depicted in the following illustration −
2.3.5 Counter Mode
It can be considered as a counter-based version of CFB mode without the feedback. In this
mode, both the sender and receiver need access to a reliable counter, which computes a new
shared value each time a ciphertext block is exchanged. This shared counter is not necessarily a
secret value, but the challenge is that both sides must keep the counter synchronized.
Operation
Both encryption and decryption in CTR mode are depicted in the following illustration. Steps in
operation are −
Load the initial counter value in the top register; it is the same for both the sender and the
receiver. It plays the same role as the IV in CFB (and CBC) mode.
Encrypt the contents of the counter with the key and place the result in the bottom
register.
Take the first plaintext block P1 and XOR this to the contents of the bottom register. The
result of this is C1. Send C1 to the receiver and update the counter. The counter update
replaces the ciphertext feedback in CFB mode.
Continue in this manner until the last plaintext block has been encrypted.
Decryption is the reverse process. The ciphertext block is XORed with the output of the
encrypted contents of the counter value. After decryption of each ciphertext block, the counter
is updated as in the case of encryption.
Analysis of Counter Mode
It does not have message dependency and hence a ciphertext block does not depend on the
previous plaintext blocks.
Like CFB mode, CTR mode does not involve the decryption process of the block cipher. This is
because the CTR mode is really using the block cipher to generate a key-stream, which is
encrypted using the XOR function. In other words, CTR mode also converts a block cipher to a
stream cipher.
The serious disadvantage of CTR mode is that it requires a synchronous counter at sender and
receiver. Loss of synchronization leads to incorrect recovery of plaintext.
However, CTR mode has almost all advantages of CFB mode. In addition, it does not propagate
error of transmission at all.
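The behaviour claimed for ECB, CBC and CTR in sections 2.3.1, 2.3.2 and 2.3.5 (ECB repeats equal blocks, CBC chains them and spreads a transmission error over two blocks, CTR confines the error and fails completely when the counter is out of step) can be observed directly. The following is an added example, not part of the original notes: the 4-round Feistel cipher built on SHA-256 is a constructed stand-in for "the underlying block cipher", and the key, plaintext, fixed IV and counter value are constructed so the run is reproducible.

```python
import hashlib

BLOCK = 8  # toy block size in bytes (64 bits, as in DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, blk, order=(0, 1, 2, 3)):
    # Constructed 4-round Feistel stand-in; not DES and not for real use.
    l, r = blk[:4], blk[4:]
    for i in order:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l

def decrypt_block(key, blk):
    return encrypt_block(key, blk, order=(3, 2, 1, 0))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("demo handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, reg = [], iv                      # reg plays the "top register"
    for p in blocks(pt):
        reg = encrypt_block(key, xor(p, reg))
        out.append(reg)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, reg = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), reg))
        reg = c
    return b"".join(out)

def ctr_crypt(key, counter0, data):
    # One routine for both directions; decrypt_block is never called.
    out = []
    for i, b in enumerate(blocks(data)):
        ctr = ((counter0 + i) % 2**64).to_bytes(BLOCK, "big")
        out.append(xor(b, encrypt_block(key, ctr)))
    return b"".join(out)

def damaged_blocks(expected, got):
    return [i for i, (a, b) in enumerate(zip(blocks(expected), blocks(got))) if a != b]

def flip_first_bit(ct):
    return bytes([ct[0] ^ 0x80]) + ct[1:]

KEY = b"constructed-demo-key"
IV = bytes(BLOCK)                      # fixed only to keep the demo reproducible
PT = b"SALARY=1SALARY=1SALARY=2"       # constructed: blocks 0 and 1 are identical

if __name__ == "__main__":
    ecb, cbc = blocks(ecb_encrypt(KEY, PT)), cbc_encrypt(KEY, IV, PT)
    print("ECB repeats equal blocks:", ecb[0] == ecb[1])
    print("CBC repeats equal blocks:", blocks(cbc)[0] == blocks(cbc)[1])
    print("CBC blocks damaged by one flipped bit:",
          damaged_blocks(PT, cbc_decrypt(KEY, IV, flip_first_bit(cbc))))
    ctr = ctr_crypt(KEY, 1000, PT)
    print("CTR blocks damaged by one flipped bit:",
          damaged_blocks(PT, ctr_crypt(KEY, 1000, flip_first_bit(ctr))))
```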