BLOCK CIPHERS AND THE DATA

ENCRYPTION STANDARD
The way in which the plaintext is processed.
A block cipher processes the input one block of elements
at a time, producing an output block for each input block.
A stream cipher processes the input elements
continuously, producing output one element at a time,
The basic scheme of a block cipher is depicted as follows
−
• A block cipher takes a block of plaintext bits and
generates a block of cipher text bits, generally of same
size. The size of block is fixed in the given scheme. The
choice of block size does not directly affect to the
strength of encryption scheme. The strength of cipher
depends up on the key length.
 Block Size
• Though any size of block is acceptable, following aspects are borne
in mind while selecting a size of a block.
• Avoid very small block size − Say a block size is m bits. Then the
possible plaintext bits combinations are then 2 m. If the attacker
discovers the plain text blocks corresponding to some previously
sent ciphertext blocks, then the attacker can launch a type of
‘dictionary attack’ by building up a dictionary of plaintext/ciphertext
pairs sent using that encryption key. A larger block size makes attack
harder as the dictionary needs to be larger.
• Do not have very large block size − With very large block size, the
cipher becomes inefficient to operate. Such plaintexts will need to
be padded before being encrypted.
• Multiples of 8 bit − A preferred block size is a multiple of 8 as it is
easy for implementation as most computer processor handle data
in multiple of 8 bits.
• Block ciphers process blocks of fixed sizes (say 64 bits).
The length of plaintexts is mostly not a multiple of the
block size. For example, a 150-bit plaintext provides two
blocks of 64 bits each with third block of balance 22 bits.
The last block of bits needs to be padded up with
redundant information so that the length of the final
block equal to block size of the scheme. In our example,
the remaining 22 bits need to have additional 42
redundant bits added to provide a complete block. The
process of adding bits to the last block is referred to
as padding.
• Too much padding makes the system inefficient. Also,
padding may render the system insecure at times, if the
padding is done with same bits always.
 Feistel Block Cipher
Feistel Cipher is not a specific scheme of block cipher. It is a
design model from which many different block ciphers are
derived. DES is just one example of a Feistel Cipher. A
cryptographic system based on Feistel cipher structure uses
the same algorithm for both encryption and decryption.
FEISTEL CIPHER DESIGN ELEMENTS
• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
• fast software en/decryption
• ease of analysis
• Substitution: Each plaintext element or group
of elements is uniquely replaced by a
corresponding ciphertext element or group of
elements.
• Permutation: A sequence of plaintext
elements are replaced by a permutation of
that sequence. That is, no elements are added
or deleted or replaced in the sequence, rather
the order in which the elements appear in the
sequence is changed.
In fact, Feistel’s is a practical application of a proposal by
Claude Shannon to develop a product cipher that alternates
confusion and diffusion functions [SHAN49]. The Feistel cipher
structure, which dates back over a quarter century and which,
in turn, is based on Shannon’s proposal of 1945, is the
structure used by many significant symmetric block ciphers
currently in use.
DIFFUSION AND CONFUSION The terms diffusion and confusion were
introduced by Claude Shannon to capture the two basic building blocks for
any cryptographic m system [SHAN49]. Shannon’s concern was to thwart
cryptanalysis based on statistical analysis.
The reasoning is as follows. Assume the attacker has some knowledge of the
statistical characteristics of the plaintext. For example, in a human-readable
message in some language, the frequency distribution of the various letters
may be known. Or there may be words or phrases likely to appear in the
message (probable words). If these statistics are in any way reflected in the
ciphertext, the cryptanalyst may be able to deduce the encryption key, part of
the key, or at least a set of keys likely to contain the exact key. In what
Shannon refers to as a strongly ideal cipher, all statistics of the ciphertext are
independent of the particular key used. The arbitrary substitution cipher that
we discussed previously , but as we have seen, it is impractical. Other than
recourse to ideal systems, Shannon suggests two methods for frustrating
statistical cryptanalysis: diffusion and confusion.
In diffusion, the statistical structure of the
plaintext is degenerate into long-range statistics
of the ciphertext. This is achieved by having
each plaintext digit affect the value of many
ciphertext digits; generally, this is equivalent to
having each ciphertext digit be affected by many
plaintext digits.
• The confusion seeks to make the relationship
between the statistics of the ciphertext and
the value of the encryption key as complex as
possible . It should be as complex as attacker
must be confused to deduce the key. This is
achieved by the use of complex substitution
algorithm.
 DES (History)
• IBM developed Lucifer cipher – by team led by
Feistel in late 60’s – used 64‐bit data blocks
with 128‐bit key • then redeveloped as a
commercial cipher with input from NSA and
others • in 1973 NBS issued request for
proposals for a national cipher standard • IBM
submitted their revised Lucifer which was
eventually accepted as the DES
 Data Encryption Standard
• The Data Encryption Standard (DES) is a symmetric-
key block cipher published by the National Institute
of Standards and Technology (NIST).
• DES is an implementation of a Feistel Cipher. It uses
16 round Feistel structure. The block size is 64-bit.
Though, key length is 64-bit, DES has an effective
key length of 56 bits, since 8 of the 64 bits of the
key are not used by the encryption algorithm
(function as check bits only). General Structure of
DES is depicted in the following illustration −
 Encryption Process-----
The encryption process uses the Feistel
structure consisting multiple rounds of
processing of the plaintext, each round
consisting of a “substitution” step followed by a
permutation step.
Feistel Structure is shown in the following
illustration −
STEPS
• The input block to each round is divided into two halves that
can be denoted as L and R for the left half and the right half.
• In each round, the right half of the block, R, goes through
unchanged. But the left half, L, goes through an operation
that depends on R and the encryption key. First, we apply an
encrypting function ‘f’ that takes two input − the key K and R.
The function produces the output f(R,K). Then, we XOR the
output of the mathematical function with L.
• In real implementation of the Feistel Cipher, such as DES,
instead of using the whole encryption key during each round,
a round-dependent key (a subkey) is derived from the
encryption key. This means that each round uses a different
key, although all these subkeys are related to the original key.
• The permutation step at the end of each round swaps the
modified L and unmodified R. Therefore, the L for the next
round would be R of the current round. And R for the next
round be the output L of the current round.
• Above substitution and permutation steps form a ‘round’.
The number of rounds are specified by the algorithm
design.
• Once the last round is completed then the two sub blocks,
‘R’ and ‘L’ are concatenated in this order to form the
ciphertext block.
• The difficult part of designing a Feistel Cipher is selection of
round function ‘f’. In order to be unbreakable scheme, this
function needs to have several important properties that
are beyond the scope of our discussion.
 Decryption Process
• The process of decryption in Feistel cipher is almost similar.
Instead of starting with a block of plaintext, the ciphertext
block is fed into the start of the Feistel structure and then
the process thereafter is exactly the same as described in the
given illustration.
• The process is said to be almost similar and not exactly
same. In the case of decryption, the only difference is that
the subkeys used in encryption are used in the reverse order.
• The final swapping of ‘L’ and ‘R’ in last step of the Feistel
Cipher is essential. If these are not swapped then the
resulting ciphertext could not be decrypted using the same
algorithm.
 Number of Rounds
• The number of rounds used in a Feistel Cipher
depends on desired security from the system.
More number of rounds provide more secure
system. But at the same time, more rounds
mean the inefficient slow encryption and
decryption processes. Number of rounds in
the systems thus depend upon efficiency–
security tradeoff.
• 128 bit
• 64 bit 64 bit R(56 bits key)K1
• (F(K, k1)
• L (64 bit)+56 bit (XOR)
• Output- R
• Since DES is based on the Feistel Cipher, all
that is required to specify DES is −
• Round function
• Key schedule
• Any additional processing − Initial and final
permutation
 Initial and Final Permutation
• The initial and final permutations are straight
Permutation boxes (P-boxes) that are inverses
of each other. They have no cryptography
significance in DES. The initial and final
permutations are shown as follows −
 Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits to
produce a 32-bit output. 64 bits key-56bit-k1(48bit)
• 64 bits PT
• Initial permutation
• L(32) R(32)
• Key Length-K 64bit (56 bits)-K1(Sub-key)48 bit
• K1(48 bits) R(32)
• K1(48 bit) R(48 bit) (expand) and,or,nor,xor,xand
• F(K,R)—XOR=output(48) xor Left hand side(32)
• Output –shift Right
• Right(32)-shift Left
• 16 round
• Final permutation
• Cipher text
Expansion Permutation Box − Since right input is 32-bit and round key is a
48-bit, we first need to expand right input to 48 bits. Permutation logic is
graphically depicted in the following illustration −
The graphically depicted permutation logic is generally described as

table in DES specification illustrated as shown −

XOR (Whitener). − After the expansion permutation, DES does XOR operation
on the expanded right section and the round key. The round key is used only
in this operation.
Substitution Boxes. − The S-boxes carry out the real mixing (confusion). DES
uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer the following
illustration −
The S-box rule is illustrated below −
 There are a total of eight S-box tables. The output of all eight s-boxes is then combined in to 32 bit section.
Straight Permutation − The 32 bit output of S-boxes is then subjected to the straight permutation with rule shown in the following

illustration :
 Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key generation is depicted in the
following illustration −
 DES Analysis

• The DES satisfies both the desired properties of block

cipher. These two properties make cipher very strong.
• Avalanche effect − A small change in plaintext results in
the very great change in the ciphertext.
• Completeness − Each bit of ciphertext depends on many
bits of plaintext. During the last few years, cryptanalysis
have found some weaknesses in DES when key selected
are weak keys. These keys shall be avoided.
• DES has proved to be a very well designed block cipher.
There have been no significant cryptanalytic attacks on DES
other than exhaustive key search.
 STRENGTH OF DES – KEY SIZE
• 56‐bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible – in
1997 on Internet in a few months – in 1998 on
dedicated h/w (EFF) in a few days – in 1999
above combined in 22hrs!
• still must be able to recognize plaintext
• must now consider alternatives to DES
 Strength of DES – Analytic Attack
• now have several analytic attacks on DES
• these utilize some deep structure of the
cipher – by gathering information about
encryptions – can eventually recover some/all of
the sub‐key bits – if necessary then exhaustively
search for the rest
• generally these are statistical attacks
• include – differential cryptanalysis – linear
cryptanalysis – related key attacks
 Strength of DES – Timing attack
• attacks actual implementation of cipher
• use knowledge of consequences of
implementation to derive information about
some/all subkey bits
• specifically use fact that calculations can take
varying times depending on the value of the
inputs to it