
Cryptography and Network Security Unit 3

Unit 3 Block Cipher Principles and Data Encryption Standard
Structure:
3.1 Introduction
Objectives
3.2 Principles of Block Cipher
3.3 Data Encryption Standard (DES)
3.4 DES Strength
3.5 Differential and Linear Cryptanalysis
3.6 Block Cipher Design Principles
3.7 Summary
3.8 Terminal Questions
3.9 Answers

3.1 Introduction
In the last unit, we discussed the basic principles of encryption and two
simple encryption methods: substitution and transposition. In cryptography,
a block cipher is a deterministic algorithm that operates on fixed-length
groups of bits, called blocks, with an unvarying transformation that is
specified by a symmetric key. Many cryptographic protocol designs use
block ciphers for encryption of bulk data. Block cipher design is based on
the iterated product cipher: fixed-size blocks of plaintext are transformed
into identical-size blocks of ciphertext through the repeated application
of an invertible transformation known as the round function, with each
iteration referred to as a round.
Claude Shannon analyzed product ciphers as a means to effectively
improve security by combining operations like substitutions and
permutations. These iterated product ciphers carry out encryption in multiple
rounds, each of which uses a different subkey derived from the original key.
The Feistel network, named after Horst Feistel, is one such cipher and is
implemented in the DES cipher. Many other realizations of block ciphers, for
example AES, are classified as substitution-permutation networks.
In this unit, we will discuss block cipher principles, the Data Encryption
Standard (DES) and its strength. We also study differential and linear
cryptanalysis and block cipher design principles.

Sikkim Manipal University B2069 Page No.: 43



Objectives:
After studying this unit, you should be able to:
• explain block cipher principles
• define and explain data encryption standard (DES)
• discuss DES Strength
• discuss differential and linear cryptanalysis
• explain block cipher design principles

3.2 Principles of Block Cipher


All symmetric block encryption algorithms currently used are based on a
structure called the Feistel block cipher. So, it is important for us to
examine the Feistel cipher’s design principles. But before doing that, let
us compare stream ciphers with block ciphers.
A stream cipher is one that performs encryption of a digital data stream
one byte or one bit at a time. Here a bit from a key stream is added to a
plaintext bit. Examples are the Vigenère cipher and the Vernam cipher.
Stream ciphers can be synchronous or asynchronous. In the case of
synchronous stream ciphers, the key stream depends only on the key, whereas
in asynchronous stream ciphers, the key stream also depends on the
ciphertext. For practical reasons the bit-stream generator is implemented
as an algorithmic procedure, as shown in figure 3.1.

Figure 3.1: Stream cipher: Using Bit-stream Generator Algorithm

The bit-stream generator, which is a key-controlled algorithm, must produce
a cryptographically strong bit stream.
A block cipher is one in which a block of plaintext (i.e. a given number of
bits of plaintext) is treated as a whole and encrypted into a ciphertext
block of equal length. Note that the entire block of plaintext bits is
encrypted at a time using the same key. The majority of block ciphers have
either a block length of 128 bits (16 bytes), like the Advanced Encryption
Standard (AES), or a block length of 64 bits (8 bytes), such as the Data
Encryption Standard (DES) or the triple DES (3DES) algorithm. Figure 3.2
shows the block cipher encryption method.

Figure 3.2: Block Cipher

A block cipher encryption algorithm accepts two inputs, a plaintext input
block of size n bits and a key of size k bits, and produces an n-bit output
block called the ciphertext, as shown in figure 3.2.
Feistel Cipher
A Feistel cipher is a symmetric structure employed in the construction
of block ciphers. The Feistel cipher is named after the cryptographer Horst
Feistel and is also known as a Feistel network.
We can approximate the ideal block cipher using a product cipher, that is,
the execution of two or more simple ciphers in sequence to produce a final
result, or product, that is cryptographically stronger than any of the
component ciphers. The idea of this technique is that we can develop a
block cipher with a key length of k bits and a block length of n bits so
that we have a total of $2^k$ possible transformations. Feistel proposed
the use of a cipher that alternates substitutions and permutations:
• Substitution: Each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a
permutation of that sequence. Here only the order in which the elements
appear in the sequence is changed; no elements are added, deleted or
replaced in the sequence.
Feistel is a practical application of Claude Shannon’s proposal to develop a
product cipher that alternates confusion and diffusion functions. Every block
cipher involves a conversion of a block of plaintext into a block of
ciphertext, depending on the key. In diffusion, the statistical relationship
between the plaintext and ciphertext is made as complex as possible to
thwart attempts to deduce the key. In confusion, on the other hand, the
relationship between the statistics of the ciphertext and the value of the
encryption key is made as complex as possible, again to thwart attempts to
discover the key.
Feistel Cipher Structure:
Most of the symmetric block ciphers use the Feistel cipher structure to
decrypt ciphertext in order to recover messages efficiently. Block ciphers
may require a table of $2^{64}$ entries for a 64-bit block. A block cipher
converts a plaintext block of n letters into an encrypted block called the
ciphertext. There are $2^n$ possible different plaintext blocks and each
must produce a unique ciphertext block for efficient decryption. Such a
transformation is called a reversible or non-singular transformation. In
other words, for the decryption process, the mapping should be one-to-one,
so each plaintext block should produce a unique ciphertext block. For a
secure cryptographic scheme, the block length n should not be too short.
Suppose block n = 1; then it gives a monoalphabetic cipher, and schemes
like this are easily vulnerable to frequency analysis and brute-force
attacks. This poses the problem of providing enough security with a small
size key and is a major challenge in designing a symmetric key
cryptographic scheme.
There are multiple rounds of processing of the plaintext in the Feistel
structure and each round consists of a “substitution” step followed by a
permutation step. The encryption algorithm accepts as inputs a plaintext
block of length w bits and a key K. The plaintext block is divided into two
halves $L_0$ and $R_0$. The two halves of the data pass through n rounds of
processing and then are combined to produce the ciphertext block. Each
round $i$ has inputs $L_{i-1}$ and $R_{i-1}$, derived from the previous
round, and the subkey $K_i$, derived from the overall key K. Note that the
subkeys $K_i$ and the key K are not the same. The structure remains the
same for all rounds. A substitution takes place on the left half of the
data by applying a round function F to the right half of the data and then
taking the XOR of the output of that function and the left half of the
data. Though the round function has the same general structure in every
round, it is parameterized by the round subkey $K_i$. After the
substitution, a permutation is performed, which consists of the interchange
of the two halves of the data. So this structure is a particular form of
the substitution-permutation (S-P) network.
The Feistel network will be realized depending on the choice of the following
parameters and design features:
• Block size – A larger block size improves security, but slows the
cipher
• Key size – A larger key size improves security and makes exhaustive key
searching harder, but may slow the cipher
• Number of rounds – A greater number of rounds improves security, but
slows the cipher
• Subkey generation – Greater complexity makes analysis harder, but
slows the cipher
• Round function – Greater complexity makes analysis harder, but slows
the cipher
• Fast software en/decryption & ease of analysis – These are more recent
concerns for practical use and testing.

Figure 3.3(a) shows the Feistel network and figure 3.3(b) shows encryption
and decryption in the Feistel network.

Figure 3.3: (a) Feistel Network


Figure 3.3: (b) The encryption and decryption of Feistel network

The decryption process is similar to the encryption process. The rule is: use
the ciphertext as input to the algorithm, but use the subkeys $K_i$ in
reverse order, i.e., $K_n$ in the first round, $K_{n-1}$ in the second round
and so on. For convenience we use the notation $LE_i$ and $RE_i$ for data
traveling through the encryption algorithm and $LD_i$ and $RD_i$ for data
traveling through the decryption algorithm. The intermediate value of the
decryption process at each round is equal to the corresponding value of the
encryption process with the two halves of the value swapped,
i.e., $RE_i \| LE_i$ (or) $LD_{16-i} \| RD_{16-i}$.

After the final iteration of the encryption process, the two output halves
are swapped so that the ciphertext is $RE_{16} \| LE_{16}$. The output of
that round is the ciphertext. Now take the ciphertext and use it as input to
the same algorithm. $RE_{16} \| LE_{16}$ is the input to the first round and
is equal to the 32-bit swap of the output of the sixteenth round of the
encryption process. Now let us see how the first round output of the
decryption process is equal to a 32-bit swap of the input to the sixteenth
round of the encryption process.
On the encryption process,
$LE_{16} = RE_{15}$
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$
On the decryption process side,
$LD_1 = RD_0 = LE_{16} = RE_{15}$
$RD_1 = LD_0 \oplus F(RD_0, K_{16})$
$= RE_{16} \oplus F(RE_{15}, K_{16})$
$= [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16})$
$= LE_{15}$
Therefore, $LD_1 = RE_{15}$
$RD_1 = LE_{15}$

In general, for the ith iteration of the encryption algorithm,
$LE_i = RE_{i-1}$
$RE_i = LE_{i-1} \oplus F(RE_{i-1}, K_i)$
Finally, the last round output of the decryption process is
$RE_0 \| LE_0$. A 32-bit swap recovers the original plaintext.
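The decryption rule derived above can be checked mechanically. The following toy 16-round Feistel network is an added example, not part of the original unit and not DES: the round function F and the key schedule (both built from SHA-256) and all function names are assumptions chosen for illustration.

```python
import hashlib

ROUNDS = 16              # same round count as the derivation above
HALF = 32                # bits per half; the block is 64 bits
MASK = (1 << HALF) - 1


def subkeys(key: bytes) -> list:
    """Toy key schedule (assumption): K_1..K_16 obtained by hashing the key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(1, ROUNDS + 1)]


def F(right: int, k: int) -> int:
    """Toy round function (assumption). It is deliberately not invertible:
    a Feistel network never has to run F backwards."""
    data = right.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel(block: int, ks: list):
    """Run all rounds. Returns (output block, [(L_i, R_i) for i = 0..16])."""
    left, right = block >> HALF, block & MASK
    states = [(left, right)]
    for k in ks:
        # L_i = R_(i-1);  R_i = L_(i-1) XOR F(R_(i-1), K_i)
        left, right = right, left ^ F(right, k)
        states.append((left, right))
    return (right << HALF) | left, states      # final swap: R_16 || L_16


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key))[0]


def decrypt(block: int, key: bytes) -> int:
    # Same algorithm, subkeys in reverse order: K_16 first, K_1 last.
    return feistel(block, subkeys(key)[::-1])[0]


def rounds_mirror(block: int, key: bytes) -> bool:
    """Check LD_j = RE_(16-j) and RD_j = LE_(16-j) for every j = 0..16."""
    ks = subkeys(key)
    ct, enc = feistel(block, ks)
    _, dec = feistel(ct, ks[::-1])
    return all(dec[j] == (enc[ROUNDS - j][1], enc[ROUNDS - j][0])
               for j in range(ROUNDS + 1))


if __name__ == "__main__":
    key = b"constructed demo key"      # constructed sample input
    pt = 0x0123456789ABCDEF            # constructed sample input
    ct = encrypt(pt, key)
    print(f"plaintext   {pt:016x}")
    print(f"ciphertext  {ct:016x}")
    print(f"decrypted   {decrypt(ct, key):016x}")
    print("each decryption round mirrors encryption:", rounds_mirror(pt, key))
```

Because only XOR has to be undone, decryption works for any F; the security of the construction, not its invertibility, depends on the choice of F and of the key schedule.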
Self-Assessment Questions
1. All symmetric block encryption algorithms currently used are based on
a structure called __________________________________.
2. A ___________________ is one, in which a block of plaintext is treated
as a whole and used to produce a cipher text block of equal length.
3. In the Feistel structure, multiple rounds of processing of the plaintext
take place and each round consists of a substitution followed by a
permutation. (State True or False)


3.3 Data Encryption Standard (DES)


The Data Encryption Standard (DES) was the main encryption scheme in use
until recently. The National Bureau of Standards, now called the National
Institute of Standards and Technology (NIST), adopted this standard. Since
DES is now considered to be insecure for many applications, it has been
replaced by a new standard called the Advanced Encryption Standard (AES),
which we will discuss in Unit 4. Now, let us discuss DES. The Data
Encryption Standard (DES) is a block cipher that uses shared secret
encryption. The algorithm itself is called the Data Encryption Algorithm
(DEA). In DES, data is encrypted in 64-bit blocks using a 56-bit key. The
algorithm transforms a 64-bit input in a series of steps into a 64-bit
output. The important point to remember is that the same key and the same
steps are used to reverse the encryption.
DES Encryption
Figure 3.4 shows the DES encryption scheme.

Figure 3.4: DES Encryption Algorithm


The two inputs to encryption are the plaintext and the key. The plaintext
length must be 64 bits and the key length is 56 bits. Looking at figure 3.4,
we can observe that three phases are involved in processing the plaintext.
First, the 64-bit plaintext undergoes an initial permutation (IP) that
rearranges the bits to produce the permuted input. The next phase consists
of sixteen rounds of the same function, which uses both permutation and
substitution functions. The output of the last (sixteenth) round consists
of 64 bits that are a function of the input plaintext and the key. The two
halves of the output, called the left half and the right half, are swapped
to get the preoutput. This preoutput is then passed through a permutation
($IP^{-1}$) that is the inverse of the initial permutation function to
produce the 64-bit ciphertext.
The Avalanche Effect
One desirable property of any encryption algorithm is that a small change in
either the plaintext or the key produces a significant change in the
ciphertext. DES exhibits a strong avalanche effect: a change in one bit of
the plaintext or one bit of the key produces a change in many bits of the
ciphertext. This is known as the avalanche effect and is shown in table 3.1.
Table 3.1: Avalanche effect


3.4 DES Strength


One should be concerned with the level of security provided by DES in two
areas: key size and the nature of the algorithm.
The Use of 56-Bit Keys
If we use a key length of 256 bits, then approximately $7.28 \times 10^{16}$
keys are possible. Thus a brute-force attack appears impractical. To search
half the key space, a single machine that performs one DES encryption per
microsecond would take more than a thousand years to break the cipher.
However, the assumption of one encryption per microsecond is overly
conservative.
As far back as 1977, Diffie and Hellman postulated that the technology
existed to build a parallel machine with 1 million encryption devices, each
of which could perform one encryption per microsecond. It is important
to note that a key-search attack involves more than running through all
possible keys. If the message is just plain text in English, then the
result pops out easily. If the text message has been compressed before
encryption, then recognizing it is difficult. If the message is a more
general type of data, such as a numerical file, and has been compressed,
then automating the recognition is very difficult. So, some knowledge about
the expected plaintext is needed to supplement the brute-force approach.
AES and triple DES are the important alternatives to DES.
DES Algorithm’s Nature:
Cryptanalysis may be possible by exploiting the characteristics of the DES
algorithm. S-boxes are used in each iteration. Since the design criteria for
these boxes were not made public, there is a suspicion that the boxes were
constructed in such a way that cryptanalysis is possible for an opponent
who knows the weaknesses in the S-boxes. But no one has so far succeeded in
discovering the supposed fatal weaknesses in the S-boxes.
Timing Attacks
In a timing attack, information about the key or the plaintext is obtained
by observing the time taken by a given implementation to perform
decryptions on various ciphertexts. This attack exploits the fact that an
encryption or decryption algorithm often takes different amounts of time on
different inputs. One reported approach gives the Hamming weight (number of
bits equal to one) of the secret key. But this is a long way from knowing
the actual key.
Self-Assessment Questions
4. In _____________ effect, change in one bit of the plaintext or one bit of
the key produces a change in many bits of the ciphertext.
5. DES stands for _____________________________.
6. If we use a key length of 256 bits, then possible keys are approximately
$7.28 \times 10^{16}$ keys. (State True or False)
7. AES and triple DES are the important alternatives to DES. (State True
or False)
8. In __________________ attack we get the information about the key
or the plaintext by observing the time taken for a given implementation
to perform decryptions on various ciphertexts.

3.5 Differential and Linear Cryptanalysis


The DES key length is relatively short, about 56 bits, so DES is easily
vulnerable to brute-force attack. With longer key lengths, including triple
DES, brute-force attacks become impractical, so there has been increased
emphasis on cryptanalytic attacks on DES and other symmetric block
ciphers. Now let us study the two most promising and powerful approaches:
differential cryptanalysis and linear cryptanalysis.
Differential Cryptanalysis
Differential cryptanalysis can be considered one of the most significant
advances in cryptanalysis in recent years. It is the first attack that can
break DES in less than $2^{55}$ encryptions. The scheme can cryptanalyze DES
with an effort on the order of $2^{47}$ encryptions, requiring $2^{47}$
chosen plaintexts. Differential cryptanalysis is a powerful tool, but it
does not do very well against DES. The need to strengthen DES against
differential cryptanalysis played a major role in the design of the S-boxes
and the permutation P. Differential cryptanalysis of an eight-round LUCIFER
algorithm would require only 256 chosen plaintexts, whereas an attack on
an eight-round version of DES requires $2^{47}$ chosen plaintexts.
Differential Cryptanalysis Attack: It is a complex attack. The rationale
behind this attack is to observe the behavior of pairs of text blocks
evolving along each round of the cipher, rather than observing the
evolution of a single text block. If m is the original plaintext block and
$m_0$ and $m_1$ are its two halves, then each round of DES maps the
right-hand input into the left-hand output and sets the right-hand output
to be a function of the left-hand input and the subkey for this round. So,
only one new 32-bit block is created at each round. If each new block is
labelled $m_i$ ($2 \le i \le 17$), then the halves of the intermediate
message are related as:

$m_{i+1} = m_{i-1} \oplus f(m_i, K_i), \quad i = 1, 2, 3, \ldots, 16$

If m and $m'$ are two messages with XOR difference $\Delta m = m \oplus m'$
and the difference between the intermediate message halves is
$\Delta m_i = m_i \oplus m'_i$, then we have,

If we know $\Delta m_{i-1}$ and $\Delta m_i$ with high probability, then we
know $\Delta m_{i+1}$ with high probability. The overall strategy of
differential cryptanalysis is based on these considerations for a single
round. The procedure is: begin with two plaintext messages m and $m'$ with a
given difference and get a probable difference for the ciphertext by
tracing through a probable pattern of differences after each round. There
are two probable patterns of differences for the two 32-bit halves:
$\Delta m_{17} \| \Delta m_{16}$. Then submit m and $m'$ for encryption to
determine the actual difference under the unknown key and compare the
result to the probable difference. If there is a match,
$E(K, m) \oplus E(K, m') = (\Delta m_{17} \| \Delta m_{16})$

then we suspect that all the probable patterns at all the intermediate
rounds are correct. With this we can make some deductions about the key
bits. We repeat this procedure many times to determine all the key bits.
Figure 3.5 shows the propagation of differences through three rounds of
DES.

Figure 3.5: Propagation of differences through three rounds of DES
(numbers in hexadecimal)

The probabilities represent the probability that a given set of intermediate
differences will appear as a function of the input differences. After three
rounds, the probability that the output difference is as shown is equal to
0.25 * 1 * 0.25 = 0.0625.
Linear Cryptanalysis
A linear cryptanalysis attack is based on finding linear approximations to
describe the transformations performed in DES. This method can find a
DES key given $2^{43}$ known plaintexts. Linear cryptanalysis is infeasible
as an attack on DES.
Let us see the principle of linear cryptanalysis. Let us assume a cipher with
n-bit plaintext and ciphertext blocks and an m-bit key. Let the plaintext
block be labelled P[1], …, P[n], the ciphertext block C[1], …, C[n], and the
key K[1], …, K[m]. Then define

$A[i, j, \ldots, k] = A[i] \oplus A[j] \oplus \cdots \oplus A[k]$

The aim of linear cryptanalysis is to find an effective linear equation of the
form:

where x = 0 or 1; 1 ≤ a, b ≤ n; and c ≤ m, and the β and γ terms represent
fixed, unique bit locations, that holds with probability p ≠ 0.5. The p is
from 0.5. Determine the relation, and then compute the results of the
left-hand side of the preceding equation for a large number of
plaintext-ciphertext pairs. If the result is 0 more than half the time,
assume $K[\gamma_1, \gamma_2, \ldots, \gamma_c] = 0$. If the result is 1
most of the time, then assume
$K[\gamma_1, \gamma_2, \ldots, \gamma_c] = 1$. This gives us a linear
equation on the key bits.
Self-Assessment Questions
9. Differential cryptanalysis is a simple attack. (State True or False)
10. A _______________ attack is based on finding linear approximations
for description of the transformations performed in DES.

3.6 Block Cipher Design Principles


Even though there has been progress in designing block ciphers for
stronger cryptography, the basic principles have not changed much.
So we will look at the DES design criteria.
DES Design Criteria
The DES design criteria focus on the design of the S-boxes and the P
function that takes the output of the S-boxes. Figure 3.6 shows the
calculation of F(R, K).


Figure 3.6: F(R, K) calculation

E represents the function that takes an input block of 32 bits and produces
a block of 48 bits.
The criteria for the S-boxes are:
1. No output bit of an S-box should be too close to a linear function of
the input bits. If any output bit and any subset of the six input bits
are selected, then the fraction of inputs for which this output bit
equals the XOR of these input bits should be near ½ and not close to 0
or 1.
2. Each row of an S-box should include all 16 possible output bit
combinations.
3. If two inputs to an S-box differ in exactly one bit, the outputs must differ
in at least two bits.
4. If two inputs to an S-box differ in the two middle bits, the outputs must
differ in at least two bits.
5. If two inputs to an S-box differ in their first two bits and are identical in
their last two bits, the two outputs must be different, i.e. they should not
be the same.
6. For any nonzero 6-bit difference between inputs, no more than eight of
the 32 pairs of inputs exhibiting that difference may result in the same
output difference.
7. This is a criterion similar to the previous one, but for the case of three
S-boxes.
The only nonlinear parts of DES are the S-boxes. If the S-boxes were linear,
the entire algorithm would be linear and easily broken.
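Criteria 1 to 6 above, and the per-S-box probabilities that differential cryptanalysis (section 3.5) multiplies together round by round, can be computed directly from an S-box table. The following is an added example, not part of the original unit; it uses S-box S1 from the published DES standard, and the function names are assumptions.

```python
# S-box S1 from the published DES standard: 4 rows of 16 four-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x: int) -> int:
    """6-bit input b1..b6: bits b1 and b6 pick the row, b2..b5 the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def weight(v: int) -> int:
    return bin(v).count("1")


def min_output_change(delta: int) -> int:
    """Fewest output bits that flip over all input pairs (x, x XOR delta)."""
    return min(weight(sbox(x) ^ sbox(x ^ delta)) for x in range(64))


def rows_are_permutations() -> bool:          # criterion 2
    return all(sorted(row) == list(range(16)) for row in S1)


def one_bit_changes_two() -> bool:            # criterion 3
    return all(min_output_change(1 << b) >= 2 for b in range(6))


def middle_bits_change_two() -> bool:         # criterion 4
    return min_output_change(0b001100) >= 2


def first_two_bits_never_collide() -> bool:   # criterion 5
    # Inputs differ in b1 and b2, agree in b5 and b6; b3, b4 are free.
    return all(min_output_change(0b110000 | (mid << 2)) >= 1
               for mid in range(4))


def difference_table() -> list:
    """ddt[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return ddt


def worst_pair_count() -> int:                # criterion 6
    """Largest number of unordered pairs (out of 32) sharing one nonzero
    input difference and one output difference."""
    return max(max(row) for row in difference_table()[1:]) // 2


def max_linear_deviation() -> int:            # criterion 1
    """Largest |agreements - 32| between one output bit and the XOR of a
    nonempty subset of input bits; 32 would mean the bit is linear."""
    worst = 0
    for in_mask in range(1, 64):
        for out_bit in range(4):
            agree = sum((weight(x & in_mask) % 2) == ((sbox(x) >> out_bit) & 1)
                        for x in range(64))
            worst = max(worst, abs(agree - 32))
    return worst


if __name__ == "__main__":
    print("criterion 2:", rows_are_permutations())
    print("criterion 3:", one_bit_changes_two())
    print("criterion 4:", middle_bits_change_two())
    print("criterion 5:", first_two_bits_never_collide())
    print("criterion 6, worst pair count:", worst_pair_count())
    print("best one-S-box differential probability:", 2 * worst_pair_count() / 64)
    print("criterion 1, worst deviation from 32/64:", max_linear_deviation())
```

An entry of the difference table divided by 64 is the probability that one S-box turns a given input difference into a given output difference; a multi-round characteristic multiplies such probabilities.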
The criteria for the permutation P are:
1. The four output bits from each S-box at round i are distributed so that
two of them affect middle bits of round (i+1) and the other two affect end
bits. The two middle bits of input to an S-box are not shared with
adjacent S-boxes. The end bits are the two left-hand bits and the two
right-hand bits, which are shared with adjacent S-boxes.
2. The four output bits of each S-box affect six different S-boxes on the
next round, and no two affect the same S-box.
3. For two S-boxes j and k, if an output bit from $S_j$ affects a middle bit
of $S_k$ on the next round, then an output bit from $S_k$ cannot affect a
middle bit of $S_j$. This means that, for j=k, an output bit from $S_j$
must not affect a middle bit of $S_j$.
These criteria increase the diffusion of the algorithm.
Number of Rounds
The cryptographic strength of a Feistel cipher derives from three aspects of
the design. They are:
(i) Number of rounds
(ii) Function F
(iii) Key schedule algorithm
Let us first look at the choice of the number of rounds.
The greater the number of rounds, the more difficult it is to perform
cryptanalysis, even for a weak F. So the number of rounds is chosen such
that known cryptanalytic efforts require greater effort than a simple
brute-force key search attack. This criterion was used in the DES design. A
differential cryptanalysis attack on 16-round DES is somewhat less
efficient than brute force. The differential cryptanalysis attack requires
$2^{55.1}$ operations, but brute force requires $2^{55}$. If DES had 15 or
fewer rounds, then differential cryptanalysis would require less effort
than a brute-force key search. This criterion shows the strength of an
algorithm and allows different algorithms to be compared.


Design of Function F
The function F is the heart of a Feistel block cipher and, in DES, it
relies on the use of S-boxes.
Design criteria for F
The function F provides the element of confusion in a Feistel cipher. It must
be difficult to “unscramble” the substitution performed by F. One criterion
is that F be nonlinear. The more nonlinear F is, the more difficult any
type of cryptanalysis will be. We can also consider several other criteria
while designing F. The algorithm should have good avalanche properties, so
that a change in one bit of the input produces a change in many bits of the
output. A more stringent version of this is the strict avalanche criterion
(SAC). According to this, any output bit j of an S-box should change with
probability 1/2 when any single input bit i is inverted, for all i, j.
According to another criterion, called the bit independence criterion
(BIC), output bits j and k should change independently when any single
input bit i is inverted, for all i, j, and k.
S-Box design
One important characteristic of the S-box is its size. An n×m S-box has n
input bits and m output bits. DES has 6×4 S-boxes. The encryption algorithm
Blowfish has 8 × 32 S-boxes. Larger S-boxes are more resistant to
differential and linear cryptanalysis. However, the larger the dimension n,
the larger the lookup table. So, a limit on n of about 8 to 10 is usually
imposed for practical reasons. Another consideration is that the larger the
S-box gets, the more difficult it is to design it properly.

The arrangement of S-boxes is different from the one used in DES. An n×m
S-box has $2^n$ rows of m bits each. The n bits of input select one of the
rows of the S-box, and the m bits in that row are the output. For example,
if the input is 00001001 for an 8 × 32 S-box, the output consists of the 32
bits in row 9 (the first row is labelled row 0).
According to Mister and Adams, the criteria for the design of an S-box are
that it should satisfy both SAC and BIC and that all linear combinations of
S-box columns should be bent. Bent functions are a special class of Boolean
functions that are highly nonlinear according to certain mathematical
criteria.

The guaranteed avalanche (GA) criterion is defined as follows: An S-box
satisfies GA of order γ if, for a 1-bit input change, at least γ output bits
change. GA in the range of order 2 to order 5 provides strong diffusion
characteristics for the overall encryption algorithm. Now one can ask: for
larger S-boxes, such as 8 × 32, what is the best method of selecting the
S-box entries in order to meet the type of criteria that we have discussed
so far? Nyberg, who has written a lot about the theory and practice of
S-box design, suggests the following approaches.
• Random: Generate the entries in the S-boxes using some pseudorandom
number generator or some table of random digits. This may lead to boxes
with undesirable characteristics for small sizes (e.g. 6 × 4) but should
be acceptable for large S-boxes (e.g., 8 × 32).
• Random with testing: Choose the S-box entries randomly and test the
results against various criteria, discarding those that do not pass.
• Human-made: This is a manual technique that was used in the DES design
and is difficult to carry through for large S-boxes.
• Math-made: Generate the S-boxes according to mathematical principles.
By using mathematical construction, S-boxes can be built that offer proven
security against linear and differential cryptanalysis, along with good
diffusion.
A variation on the first technique is to use S-boxes that are both random
and key dependent. The Blowfish approach, for example, starts with S-boxes
filled with pseudorandom digits and then alters the contents using the key.
The advantage of key-dependent S-boxes is that it is impossible to analyse
the S-boxes ahead of time to look for weaknesses, since they are not fixed.
Key Schedule Algorithm
This is the final area of block cipher design. With any Feistel block cipher,
the key is used to generate one subkey for each round. We can also select
subkeys so as to increase the difficulty of deducing individual subkeys and
the difficulty of working back to the main key. According to Hall, the
minimum requirement is that the key schedule should guarantee the
key/ciphertext strict avalanche criterion and bit independence criterion.


Self-Assessment Questions
11. The only _______________ parts of DES are S-boxes.
12. __________________ pose more resistance to differential and linear
cryptanalysis.
13. GA stands for ___________________________________.
14. ____________________ final area of block cipher design.

3.7 Summary
Let us recapitulate the important concepts discussed in this unit:
• Many cryptographic protocol designs use block ciphers for encryption of
bulk data.
• Claude Shannon analyzed product ciphers as a means to effectively
improve security by combining operations like substitutions and
permutations.
• A stream cipher is one that performs encryption of a digital data stream
one bit or one byte at a time. Here a bit from a key stream is added to a
plaintext bit. Examples are the Vigenère cipher and the Vernam cipher.
• A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length.
• Substitution: Each plaintext element or group of elements is uniquely
replaced by a corresponding ciphertext element or group of elements.
• Permutation: A sequence of plaintext elements is replaced by a
permutation of that sequence.
• Most symmetric block ciphers are based on the Feistel cipher structure to
decrypt ciphertext in order to recover messages efficiently.
• A change in one bit of the plaintext or one bit of the key produces a
change in many bits of the ciphertext. This is referred to as the
avalanche effect.
• By exploiting the characteristics of the DES algorithm, cryptanalysis may
be possible.
• Differential cryptanalysis is a complex attack.
• The DES design criteria focus on the design of the S-boxes and the
P function that takes the output of the S-boxes.

• For 16-round DES, a differential cryptanalysis attack is less efficient
than brute force:

3.8 Terminal Questions


1. Why is it important to study the Feistel cipher?
2. What is avalanche effect?
3. What is the difference between a block cipher and a stream cipher?
4. Explain data encryption standard (DES).
5. Explain the following
i) Differential cryptanalysis attack
ii) Linear cryptanalysis attack
6. Explain S-box design.

3.9 Answers
Self-Assessment Questions
1. Feistel block cipher
2. Block cipher
3. True
4. Avalanche effect
5. Data Encryption Standard
6. True
7. True
8. Timing
9. False
10. Linear cryptanalysis
11. Nonlinear
12. Larger S-boxes
13. Guaranteed avalanche
14. Key Schedule Algorithm
Terminal Questions
1. All symmetric block encryption algorithms used currently are based on a
structure called the Feistel block cipher. So, it is important for us to
study the design principles of the Feistel cipher. (Refer to section 3.2)
2. In any encryption algorithm, a change in one bit of the plaintext or one
bit of the key produces a change in many bits of the ciphertext. This is
known as the avalanche effect. (Refer to section 3.2)
3. A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. Here a bit from a key stream is added to a plaintext bit. A
block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length. Note that in this
case, the entire block of plaintext bits is encrypted at a time with the
same key. (Refer to section 3.2 for more details.)
4. The Data Encryption Standard (DES) is a block cipher that uses shared
secret encryption. (Refer to section 3.3 for more details.)
5. The differential cryptanalysis attack is complex. The rationale is to
observe the behavior of pairs of text blocks evolving along each round
of the cipher, rather than observing the evolution of a single text block.
A linear cryptanalysis attack is based on finding linear approximations to
describe the transformations performed in DES. (Refer to section 3.5 for
more details.)
6. One important characteristic of the S-box is its size. An n×m S-box has
n input bits and m output bits. DES has 6×4 S-boxes. The encryption
algorithm Blowfish has 8 × 32 S-boxes. (Refer to section 3.6 for more
details.)
